[PULL,18/37] PPC: Fix crash on spapr_tce_table_finalize()

Message ID	1420644048-16919-19-git-send-email-agraf@suse.de
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> From: Alexander Graf <agraf@suse.de> To: qemu-ppc@nongnu.org Date: Wed, 7 Jan 2015 16:20:29 +0100 Message-Id: <1420644048-16919-19-git-send-email-agraf@suse.de> In-Reply-To: <1420644048-16919-1-git-send-email-agraf@suse.de> References: <1420644048-16919-1-git-send-email-agraf@suse.de> Cc: peter.maydell@linaro.org, qemu-stable@nongnu.org, qemu-devel@nongnu.org, David Gibson <david@gibson.dropbear.id.au> Subject: [Qemu-devel] [PULL 18/37] PPC: Fix crash on spapr_tce_table_finalize() Precedence: list Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Message ID

1420644048-16919-19-git-send-email-agraf@suse.de

State

New

Headers

From: Alexander Graf <agraf@suse.de>
To: qemu-ppc@nongnu.org
Date: Wed,  7 Jan 2015 16:20:29 +0100
Message-Id: <1420644048-16919-19-git-send-email-agraf@suse.de>
In-Reply-To: <1420644048-16919-1-git-send-email-agraf@suse.de>
References: <1420644048-16919-1-git-send-email-agraf@suse.de>
Cc: peter.maydell@linaro.org, qemu-stable@nongnu.org, qemu-devel@nongnu.org, 
	David Gibson <david@gibson.dropbear.id.au>
Subject: [Qemu-devel] [PULL 18/37] PPC: Fix crash on
	spapr_tce_table_finalize()
Precedence: list
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Commit Message

Alexander Graf Jan. 7, 2015, 3:20 p.m. UTC

From: David Gibson <david@gibson.dropbear.id.au>

spapr_tce_table_finalize() can SEGV if the object was not previously
realized.  In particular this can be triggered by running
         qemu-system-ppc -device spapr-tce-table,?

The basic problem is that we have mismatched initialization versus
finalization: spapr_tce_table_finalize() is attempting to undo things that
are done in spapr_tce_table_realize(), not an instance_init function.

Therefore, replace spapr_tce_table_finalize() with
spapr_tce_table_unrealize().

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Cc: qemu-stable@nongnu.org
Signed-off-by: Alexander Graf <agraf@suse.de>
---
 hw/ppc/spapr_iommu.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/ppc/spapr_iommu.c b/hw/ppc/spapr_iommu.c
index 6c91d8e..da47474 100644
--- a/hw/ppc/spapr_iommu.c
+++ b/hw/ppc/spapr_iommu.c
@@ -173,9 +173,9 @@  sPAPRTCETable *spapr_tce_new_table(DeviceState *owner, uint32_t liobn,
     return tcet;
 }
 
-static void spapr_tce_table_finalize(Object *obj)
+static void spapr_tce_table_unrealize(DeviceState *dev, Error **errp)
 {
-    sPAPRTCETable *tcet = SPAPR_TCE_TABLE(obj);
+    sPAPRTCETable *tcet = SPAPR_TCE_TABLE(dev);
 
     QLIST_REMOVE(tcet, list);
 
@@ -420,6 +420,7 @@  static void spapr_tce_table_class_init(ObjectClass *klass, void *data)
     DeviceClass *dc = DEVICE_CLASS(klass);
     dc->init = spapr_tce_table_realize;
     dc->reset = spapr_tce_reset;
+    dc->unrealize = spapr_tce_table_unrealize;
 
     QLIST_INIT(&spapr_tce_tables);
 
@@ -435,7 +436,6 @@  static TypeInfo spapr_tce_table_info = {
     .parent = TYPE_DEVICE,
     .instance_size = sizeof(sPAPRTCETable),
     .class_init = spapr_tce_table_class_init,
-    .instance_finalize = spapr_tce_table_finalize,
 };
 
 static void register_types(void)

[PULL,18/37] PPC: Fix crash on spapr_tce_table_finalize()

Commit Message

Patch