| commit | 4e494de66800747446e73b5ec0189ad7f4690908 | |
| author | Lan Tianyu <tianyu.lan@intel.com> | |
| Sun, 11 Oct 2015 15:19:24 +0000 (11 23:19 +0800) | ||
| committer | Stefano Stabellini <stefano.stabellini@eu.citrix.com> | |
| Mon, 26 Oct 2015 11:32:18 +0000 (26 11:32 +0000) | ||
| tree | 2d12bc4ae4b77bcd1275fd0e0bf694a0cfb292ec | treesnapshot (tar.gz zip) |
| parent | af25e7277d3e95a3ea31023f31d8097ab5e2ac84 | commitdiff |
Qemu/Xen: Fix early freeing MSIX MMIO memory region
msix->mmio is added to XenPCIPassthroughState's object as property.
object_finalize_child_property is called for XenPCIPassthroughState's
object, which calls object_property_del_all, which is going to try to
delete msix->mmio. object_finalize_child_property() will access
msix->mmio's obj. But the whole msix struct has already been freed
by xen_pt_msix_delete. This will cause segment fault when msix->mmio
has been overwritten.
This patch is to fix the issue.
Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
msix->mmio is added to XenPCIPassthroughState's object as property.
object_finalize_child_property is called for XenPCIPassthroughState's
object, which calls object_property_del_all, which is going to try to
delete msix->mmio. object_finalize_child_property() will access
msix->mmio's obj. But the whole msix struct has already been freed
by xen_pt_msix_delete. This will cause segment fault when msix->mmio
has been overwritten.
This patch is to fix the issue.
Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
| hw/xen/xen_pt.c | diffblobblamehistory | |
| hw/xen/xen_pt.h | diffblobblamehistory | |
| hw/xen/xen_pt_config_init.c | diffblobblamehistory | |
| hw/xen/xen_pt_msi.c | diffblobblamehistory |