| Message ID | 20241118083737.174219-4-clg@redhat.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [PULL,1/3] vfio/igd: add pci id for Coffee Lake | expand |
Michael, On 11/18/24 09:37, Cédric Le Goater wrote: > When commit 96b7af4388b3 intoduced a .instance_finalize() handler, > it did not take into account that the container was not necessarily > inserted into the container list of the address space. Hence, if > the container object is destroyed, by calling object_unref() for > example, before vfio_address_space_insert() is called, QEMU may > crash when removing the container from the list as done in > vfio_container_instance_finalize(). This was seen with an SEV-SNP > guest for which discarding of RAM fails. > > To resolve this issue, use the safe version of QLIST_REMOVE(). > > Cc: Zhenzhong Duan <zhenzhong.duan@intel.com> > Cc: Eric Auger <eric.auger@redhat.com> > Fixes: 96b7af4388b3 ("vfio/container: Move vfio_container_destroy() to an instance_finalize() handler") > Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> > Signed-off-by: Cédric Le Goater <clg@redhat.com> This is 9.1 material. Thanks, C.
18.11.2024 18:02, Cédric Le Goater wrote: > Michael, > > On 11/18/24 09:37, Cédric Le Goater wrote: >> When commit 96b7af4388b3 intoduced a .instance_finalize() handler, >> it did not take into account that the container was not necessarily >> inserted into the container list of the address space. Hence, if >> the container object is destroyed, by calling object_unref() for >> example, before vfio_address_space_insert() is called, QEMU may >> crash when removing the container from the list as done in >> vfio_container_instance_finalize(). This was seen with an SEV-SNP >> guest for which discarding of RAM fails. >> >> To resolve this issue, use the safe version of QLIST_REMOVE(). >> >> Cc: Zhenzhong Duan <zhenzhong.duan@intel.com> >> Cc: Eric Auger <eric.auger@redhat.com> >> Fixes: 96b7af4388b3 ("vfio/container: Move vfio_container_destroy() to an instance_finalize() handler") >> Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> >> Signed-off-by: Cédric Le Goater <clg@redhat.com> > > This is 9.1 material. Thank you for letting me know, queued up! /mjt
diff --git a/hw/vfio/container-base.c b/hw/vfio/container-base.c index 809b15767425a48f2404b08fc409ee5684af2094..6f86c37d971ec38426dacd471bca837c0d0df806 100644 --- a/hw/vfio/container-base.c +++ b/hw/vfio/container-base.c @@ -103,7 +103,7 @@ static void vfio_container_instance_finalize(Object *obj) VFIOContainerBase *bcontainer = VFIO_IOMMU(obj); VFIOGuestIOMMU *giommu, *tmp; - QLIST_REMOVE(bcontainer, next); + QLIST_SAFE_REMOVE(bcontainer, next); QLIST_FOREACH_SAFE(giommu, &bcontainer->giommu_list, giommu_next, tmp) { memory_region_unregister_iommu_notifier(
When commit 96b7af4388b3 intoduced a .instance_finalize() handler, it did not take into account that the container was not necessarily inserted into the container list of the address space. Hence, if the container object is destroyed, by calling object_unref() for example, before vfio_address_space_insert() is called, QEMU may crash when removing the container from the list as done in vfio_container_instance_finalize(). This was seen with an SEV-SNP guest for which discarding of RAM fails. To resolve this issue, use the safe version of QLIST_REMOVE(). Cc: Zhenzhong Duan <zhenzhong.duan@intel.com> Cc: Eric Auger <eric.auger@redhat.com> Fixes: 96b7af4388b3 ("vfio/container: Move vfio_container_destroy() to an instance_finalize() handler") Reviewed-by: Zhenzhong Duan <zhenzhong.duan@intel.com> Signed-off-by: Cédric Le Goater <clg@redhat.com> --- hw/vfio/container-base.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)