From 67f3280c062d622dc077246b483702096d11dcc0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
Date: Thu, 18 Aug 2016 17:44:05 +0400
Subject: [PATCH 1/2] slirp: fix segv when init failed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since commit f6c2e66ae8c8a, slirp uses an exit notifier to call slirp_smb_cleanup. However, if init() failed, the notifier isn't added, and removing it will fail:

==18447== Invalid write of size 8
==18447== at 0x7EF2B5: notifier_remove (notify.c:32)
==18447== by 0x48E80C: qemu_remove_exit_notifier (vl.c:2661)
==18447== by 0x6A2187: net_slirp_cleanup (slirp.c:134)
==18447== by 0x69419D: qemu_cleanup_net_client (net.c:338)
==18447== by 0x69445B: qemu_del_net_client (net.c:401)
==18447== by 0x6A2B81: net_slirp_init (slirp.c:366)
==18447== by 0x6A4241: net_init_slirp (slirp.c:865)
==18447== by 0x695C6D: net_client_init1 (net.c:1051)
==18447== by 0x695F6E: net_client_init (net.c:1108)
==18447== by 0x696DBA: net_init_netdev (net.c:1498)
==18447== by 0x7F1F99: qemu_opts_foreach (qemu-option.c:1116)
==18447== by 0x696E60: net_init_clients (net.c:1516)
==18447== Address 0x0 is not stack'd, malloc'd or (recently) free'd

Signed-off-by: Marc-André Lureau
Signed-off-by: Jason Wang
---
 net/slirp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/slirp.c b/net/slirp.c
index facc30ed18..b60893f9c5 100644
--- a/net/slirp.c
+++ b/net/slirp.c
@@ -131,7 +131,9 @@ static void net_slirp_cleanup(NetClientState *nc)
     SlirpState *s = DO_UPCAST(SlirpState, nc, nc);
 
     slirp_cleanup(s->slirp);
-    qemu_remove_exit_notifier(&s->exit_notifier);
+    if (s->exit_notifier.notify) {
+        qemu_remove_exit_notifier(&s->exit_notifier);
+    }
     slirp_smb_cleanup(s);
     QTAILQ_REMOVE(&slirp_stacks, s, entry);
 }

From e0af5a0e8b74c674d29be3224b7ec16ba278e99c Mon Sep 17 00:00:00 2001
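Review bot: The new guard `if (s->exit_notifier.notify)` uses the callback pointer as a "was this notifier ever registered" flag, which only works because the state appears to be zero-allocated by the caller and the notifier is only installed once init() has succeeded; nothing in the hunk records that coupling. A one-line comment above the check would keep the next maintainer from treating the field as an ordinary callback slot: `/* Only registered after a successful init; NULL means it was never added. */`. Clearing the field right after the removal, `s->exit_notifier.notify = NULL;`, would additionally make the function harmless if cleanup were ever reached twice, instead of unlinking an already-removed list entry. The opening brace of net_slirp_cleanup lies just before the hunk.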
From: Cao jin
Date: Thu, 18 Aug 2016 22:15:54 +0800
Subject: [PATCH 2/2] e1000e: remove internal interrupt flag

Commit 66bf7d58 removed internal msi state flag E1000E_USE_MSI, E1000E_USE_MSIX is not necessary too, remove it now. And interrupt flag field intr_state also can be removed now.

CC: Dmitry Fleytman
CC: Jason Wang
CC: Markus Armbruster
CC: Marcel Apfelbaum
CC: Michael S. Tsirkin
CC: Paolo Bonzini
Signed-off-by: Cao jin
Reviewed-by: Markus Armbruster
Acked-by: Dmitry Fleytman
Reviewed-by: Paolo Bonzini
Signed-off-by: Jason Wang
---
 hw/net/e1000e.c | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/hw/net/e1000e.c b/hw/net/e1000e.c
index d001c96668..bad43f474e 100644
--- a/hw/net/e1000e.c
+++ b/hw/net/e1000e.c
@@ -69,7 +69,6 @@ typedef struct E1000EState {
     uint16_t subsys_ven_used;
     uint16_t subsys_used;
 
-    uint32_t intr_state;
     bool disable_vnet;
 
     E1000ECore core;
@@ -89,8 +88,6 @@ typedef struct E1000EState {
 #define E1000E_MSIX_TABLE (0x0000)
 #define E1000E_MSIX_PBA (0x2000)
 
-#define E1000E_USE_MSIX BIT(0)
-
 static uint64_t
 e1000e_mmio_read(void *opaque, hwaddr addr, unsigned size)
 {
@@ -302,8 +299,6 @@ e1000e_init_msix(E1000EState *s)
     } else {
         if (!e1000e_use_msix_vectors(s, E1000E_MSIX_VEC_NUM)) {
             msix_uninit(d, &s->msix, &s->msix);
-        } else {
-            s->intr_state |= E1000E_USE_MSIX;
         }
     }
 }
@@ -311,7 +306,7 @@ e1000e_init_msix(E1000EState *s)
 static void
 e1000e_cleanup_msix(E1000EState *s)
 {
-    if (s->intr_state & E1000E_USE_MSIX) {
+    if (msix_enabled(PCI_DEVICE(s))) {
         e1000e_unuse_msix_vectors(s, E1000E_MSIX_VEC_NUM);
         msix_uninit(PCI_DEVICE(s), &s->msix, &s->msix);
     }
@@ -601,7 +596,6 @@ static const VMStateDescription e1000e_vmstate = {
         VMSTATE_MSIX(parent_obj, E1000EState),
         VMSTATE_UINT32(ioaddr, E1000EState),
-        VMSTATE_UINT32(intr_state, E1000EState),
         VMSTATE_UINT32(core.rxbuf_min_shift, E1000EState),
         VMSTATE_UINT8(core.rx_desc_len, E1000EState),
         VMSTATE_UINT32_ARRAY(core.rxbuf_sizes, E1000EState,
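Review bot: `msix_enabled(PCI_DEVICE(s))` in e1000e_cleanup_msix tests the MSI-X enable bit of the capability, which the guest driver toggles at runtime, not whether the device set MSI-X up at realize time; if the guest never enabled MSI-X, or disabled it before unplug, the cleanup now skips both e1000e_unuse_msix_vectors() and msix_uninit(), leaving the vectors and the table/PBA regions registered. The removed `intr_state` flag recorded exactly that init-time fact, so its replacement should too: `if (msix_present(PCI_DEVICE(s))) {`, which reports that the capability was added independently of the guest's enable bit and is already cleared by the msix_uninit() call in the failure branch of e1000e_init_msix. The struct-field and macro hunks are plain removals that follow from this and raise nothing on their own; the vmstate hunk drops a UINT32 from the stream without a version bump, which only matters if a release already shipped that format. The closing brace of e1000e_cleanup_msix lies outside the hunk.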