From patchwork Fri Nov 29 10:17:24 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Paolo Bonzini <pbonzini@redhat.com>
X-Patchwork-Id: 295271
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by ozlabs.org (Postfix) with ESMTPS id 98D682C008A
	for <incoming@patchwork.ozlabs.org>;
	Fri, 29 Nov 2013 22:19:06 +1100 (EST)
Received: from localhost ([::1]:46619 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)
	id 1VmLIT-0003F4-LJ
	for incoming@patchwork.ozlabs.org; Fri, 29 Nov 2013 05:27:41 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53595)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1VmL9U-000695-1F
	for qemu-devel@nongnu.org; Fri, 29 Nov 2013 05:18:30 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>) id 1VmL9N-0004Fk-Qy
	for qemu-devel@nongnu.org; Fri, 29 Nov 2013 05:18:23 -0500
Received: from mail-ea0-x22b.google.com ([2a00:1450:4013:c01::22b]:56886)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paolo.bonzini@gmail.com>)
	id 1VmL9N-0004FQ-Ih; Fri, 29 Nov 2013 05:18:17 -0500
Received: by mail-ea0-f171.google.com with SMTP id h10so6653353eak.16
	for <multiple recipients>; Fri, 29 Nov 2013 02:18:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=sender:from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=Tfy52jnYMOjuiL55k4rlXfR3acJoOMQfuMzLFYQKkjE=;
	b=x8+RFbdBnzODdbl0nISBQnXe13Qn8WCyzgb/ZlIJ73ECAuMmPaKcgQYOTHA4oOtxsR
	0TenrZUYv0SBqIlokLhMHbWBorhZCLUSDSGVbP0K+B0H4b5yfnU5T9eNPeygvwO6bGu9
	ZEz6XiePU2aUeQqONdAxD/ZkkeII6wAvOk84CledC03xzssjK+RXdpzP+t+bafuOnrKC
	I7+Tf1hNjt81rLtdUBzhpy+rV4b6T3LfiN/aSh5vZqMbCz9lfWkVVjKlR91LsbvVxhnF
	r2yZS2uZh2sHURbBjsdGXP4vpYdAM/d402UVXCGuWxpKPfYEFzsbaNi3RbQ/WFUWhyDl
	s/Nw==
X-Received: by 10.15.33.139 with SMTP id c11mr1439367eev.110.1385720296772;
	Fri, 29 Nov 2013 02:18:16 -0800 (PST)
Received: from playground.lan (net-37-117-137-113.cust.dsl.vodafone.it.
	[37.117.137.113]) by mx.google.com with ESMTPSA id
	b42sm39055362eem.9.2013.11.29.02.18.14 for <multiple recipients>
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Fri, 29 Nov 2013 02:18:15 -0800 (PST)
From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Date: Fri, 29 Nov 2013 11:17:24 +0100
Message-Id: <1385720262-14107-13-git-send-email-pbonzini@redhat.com>
X-Mailer: git-send-email 1.8.3.1
In-Reply-To: <1385720262-14107-1-git-send-email-pbonzini@redhat.com>
References: <1385720262-14107-1-git-send-email-pbonzini@redhat.com>
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
	(bad octet value).
X-Received-From: 2a00:1450:4013:c01::22b
Cc: qemu-stable@nongnu.org, afaerber@suse.de, mst@redhat.com
Subject: [Qemu-devel] [PATCH 12/30] virtio-pci: add device_unplugged callback
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

This fixes a crash in hot-unplug of virtio-pci devices behind a PCIe
switch.  The crash happens because the ioeventfd is still set whent the
child is destroyed (destruction happens in postorder).  Then the proxy
tries to unset to ioeventfd, but the virtqueue structure that holds the
EventNotifier has been trashed in the meanwhile.  kvm_set_ioeventfd_pio
does not expect failure and aborts.

The fix is simply to move parts of uninitialization to a new
device_unplugged callback, which is called before the child is destroyed.

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/virtio/virtio-pci.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 15b92e9..30c9f2b 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -1002,6 +1002,15 @@ static void virtio_pci_device_plugged(DeviceState *d)
                                                       proxy->host_features);
 }
 
+static void virtio_pci_device_unplugged(DeviceState *d)
+{
+    PCIDevice *pci_dev = PCI_DEVICE(d);
+    VirtIOPCIProxy *proxy = VIRTIO_PCI(d);
+
+    virtio_pci_stop_ioeventfd(proxy);
+    msix_uninit_exclusive_bar(pci_dev);
+}
+
 static int virtio_pci_init(PCIDevice *pci_dev)
 {
     VirtIOPCIProxy *dev = VIRTIO_PCI(pci_dev);
@@ -1016,9 +1025,7 @@ static int virtio_pci_init(PCIDevice *pci_dev)
 static void virtio_pci_exit(PCIDevice *pci_dev)
 {
     VirtIOPCIProxy *proxy = VIRTIO_PCI(pci_dev);
-    virtio_pci_stop_ioeventfd(proxy);
     memory_region_destroy(&proxy->bar);
-    msix_uninit_exclusive_bar(pci_dev);
 }
 
 static void virtio_pci_reset(DeviceState *qdev)
@@ -1553,6 +1560,7 @@ static void virtio_pci_bus_class_init(ObjectClass *klass, void *data)
     k->set_guest_notifiers = virtio_pci_set_guest_notifiers;
     k->vmstate_change = virtio_pci_vmstate_change;
     k->device_plugged = virtio_pci_device_plugged;
+    k->device_unplugged = virtio_pci_device_unplugged;
 }
 
 static const TypeInfo virtio_pci_bus_info = {