Cc: qemu-devel

Hi Manos,

it's easy to trigger a segmentation fault with the virtio-sound device.
The basic problem is that in function virtio_snd_realize() there is no
code in the error paths to undo the previous steps.

To reproduce the segmentation fault start QEMU with an empty PCIe root
port. The necessary command line options are

-device
pcie-root-port,port=224,chassis=1,id=pcie.1,addr=0x1c,multifunction=on
-audiodev pipewire,id=audio0

Then hotplug a virtio-sound device with the compat monitor. Please note
the missing audiodev argument so that AUD_register_card() in
virtio_snd_realize() fails. It's also necessary to apply your
"virtio-snd: check AUD_register_card return value" patch, otherwise the
device_add command fails immediately with a segmentation fault.

QEMU 8.1.90 monitor - type 'help' for more information
(qemu) device_add virtio-sound,bus=pcie.1
Error: no default audio driver available
Perhaps you wanted to use -audio or set audiodev=audio0?
(qemu) device_add virtio-sound,bus=pcie.1,audiodev=audio0
(qemu)

Now shut down the guest. Most of the time QEMU will dump core because
there is no qemu_del_vm_change_state_handler() in the
virtio_snd_realize() error path.

Core was generated by `./qemu-system-x86_64 -machine
q35,usb=off,vmport=off,hpet=off,dump-guest-core=o'.
Program terminated with signal SIGSEGV, Segmentation fault.
(gdb) bt
#0  0x00005649d3aa70d2 in object_dynamic_cast_assert
    (obj=obj@entry=0x5649d6da73d0,
typename=typename@entry=0x5649d3d944a5 "device",
file=file@entry=0x5649d3c9b8e0
"/home/ruemelin/rpmbuild/BUILD/qemu-master/include/hw/qdev-core.h",
line=line@entry=77, func=func@entry=0x5649d3e89d45 <__func__.16> "DEVICE")
    at ../qemu-master/qom/object.c:887
#1  0x00005649d3a1521f in DEVICE (obj=0x5649d6da73d0) at
/home/ruemelin/rpmbuild/BUILD/qemu-master/include/hw/qdev-core.h:77
#2  virtio_vmstate_change (opaque=0x5649d6da73d0, running=<optimized
out>, state=<optimized out>)
    at ../qemu-master/hw/virtio/virtio.c:3188
#3  0x00005649d387fdc0 in vm_state_notify (running=running@entry=false,
state=state@entry=RUN_STATE_SHUTDOWN)
    at ../qemu-master/system/runstate.c:381
#4  0x00005649d3876de0 in do_vm_stop (send_stop=false,
state=RUN_STATE_SHUTDOWN) at ../qemu-master/system/cpus.c:270
#5  vm_shutdown () at ../qemu-master/system/cpus.c:288
#6  0x00005649d3880908 in qemu_cleanup (status=status@entry=0) at
../qemu-master/system/runstate.c:857
#7  0x00005649d366dc91 in qemu_default_main () at
../qemu-master/system/main.c:38
#8  0x00007f1bc4e3e24d in __libc_start_main () at /lib64/libc.so.6
#9  0x00005649d366dbba in _start () at ../sysdeps/x86_64/start.S:120

With best regards,
Volker
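
The failure mode described above (a VM change-state handler registered during realize() that is never removed on the error path, so shutdown later calls it with a stale device pointer) as an added, self-contained model. This is not QEMU code: the handler list, `SoundDev`, `realize_buggy()`, `realize_fixed()` and the `audiodev_ok` flag standing in for the AUD_register_card() result are hypothetical stand-ins, and the step order is an assumption.

```c
/* Added model of the virtio-snd realize() error-path problem.
 * All types and functions are stand-ins, not QEMU's real API. */
#include <stdbool.h>
#include <string.h>

#define MAX_HANDLERS 8

typedef void (*state_handler_fn)(void *opaque, bool running);

/* Stand-in for the global VM change-state handler list. */
static struct { state_handler_fn fn; void *opaque; } handlers[MAX_HANDLERS];
static int nhandlers;

void add_change_state_handler(state_handler_fn fn, void *opaque) {
    handlers[nhandlers].fn = fn;
    handlers[nhandlers].opaque = opaque;
    nhandlers++;
}

void del_change_state_handler(void *opaque) {
    for (int i = 0; i < nhandlers; i++) {
        if (handlers[i].opaque == opaque) {
            memmove(&handlers[i], &handlers[i + 1],
                    (size_t)(nhandlers - i - 1) * sizeof handlers[0]);
            nhandlers--;
            return;
        }
    }
}

/* Defender's check: how many registered handlers still point at dev?
 * After a failed realize() this must be 0, or vm_state_notify() at
 * shutdown will dereference a device that has already been freed. */
int handlers_referencing(void *opaque) {
    int n = 0;
    for (int i = 0; i < nhandlers; i++) n += (handlers[i].opaque == opaque);
    return n;
}

typedef struct { int id; } SoundDev;       /* stand-in for the device */
static void vmstate_change(void *o, bool r) { (void)o; (void)r; }

/* Buggy shape: step 1 registers the handler, the later failure returns
 * without undoing it (audiodev_ok models AUD_register_card() succeeding). */
int realize_buggy(SoundDev *dev, bool audiodev_ok) {
    add_change_state_handler(vmstate_change, dev);  /* step 1 */
    if (!audiodev_ok) return -1;                     /* step 1 never undone */
    return 0;
}

/* Fixed shape: every error path unwinds the steps taken before it. */
int realize_fixed(SoundDev *dev, bool audiodev_ok) {
    add_change_state_handler(vmstate_change, dev);  /* step 1 */
    if (!audiodev_ok) {
        del_change_state_handler(dev);               /* undo step 1 */
        return -1;
    }
    return 0;
}
```

A device test for the real driver would apply the same check: after a deliberately failing realize, confirm that no change-state handler, bus notifier or timer still references the device before it is unref'd.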
