[Qemu-devel] [PATCH] spapr: fix core unplug crash
From: Greg Kurz
Subject: [Qemu-devel] [PATCH] spapr: fix core unplug crash
Date: Fri, 08 Jul 2016 15:12:07 +0200
User-agent: StGit/0.17.1-dirty
If the host has 8 threads/core and the guest is started with:
-smp cores=1,threads=4,maxcpus=12
It is possible to crash QEMU by doing:
(qemu) device_add host-spapr-cpu-core,core-id=16,id=foo
(qemu) device_del foo
Segmentation fault
This is caused because spapr_core_unplug() assumes cpu_dt_id == core_id.
Even if it happens to be the case when the host and guest have the same
number of threads per core, it is conceptually wrong and we may pass a
bogus id to spapr_dr_connector_by_id() and spapr_core_release() crashes.
Let's use cc->core_id, which is the id that was used to create the DR
connector.
Signed-off-by: Greg Kurz <address@hidden>
---
hw/ppc/spapr_cpu_core.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c
index 70b6b0b5ee17..106eaf45b399 100644
--- a/hw/ppc/spapr_cpu_core.c
+++ b/hw/ppc/spapr_cpu_core.c
@@ -126,11 +126,9 @@ static void spapr_core_release(DeviceState *dev, void
*opaque)
void spapr_core_unplug(HotplugHandler *hotplug_dev, DeviceState *dev,
Error **errp)
{
- sPAPRCPUCore *core = SPAPR_CPU_CORE(OBJECT(dev));
- PowerPCCPU *cpu = POWERPC_CPU(core->threads);
- int id = ppc_get_vcpu_dt_id(cpu);
+ CPUCore *cc = CPU_CORE(dev);
sPAPRDRConnector *drc =
- spapr_dr_connector_by_id(SPAPR_DR_CONNECTOR_TYPE_CPU, id);
+ spapr_dr_connector_by_id(SPAPR_DR_CONNECTOR_TYPE_CPU, cc->core_id);
sPAPRDRConnectorClass *drck;
Error *local_err = NULL;
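Review bot: the lookup result is still used unchecked right after `spapr_dr_connector_by_id(SPAPR_DR_CONNECTOR_TYPE_CPU, cc->core_id);` in this hunk, and the commit message says a bogus id reaching that lookup is exactly what crashed in spapr_core_release(). Adding a `g_assert(drc)` (or an error return via `errp`) after the lookup would turn any future id mismatch into an immediate, diagnosable failure instead of a segfault further down. Also worth confirming that the removed `core` and `cpu` locals are not referenced in the rest of the function (the tail is outside this hunk) and that the `SPAPR_CPU_CORE`/`POWERPC_CPU` casts are still needed elsewhere in the file once these lines go.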