Looks like this line got wrapped: "@@ -1805,13 +1805,7 @@ PCIDevice *pci_nic_init_nofail(NICInfo *nd, PCIBus *rootbus," Sorry about that. Could you unwrap it or use the attached text file?
Thanks, -Alex On Sun, Jan 8, 2017 at 8:06 PM, Jason Wang <[email protected]> wrote: > > > On 2017-01-07 07:48, Alex Kompel wrote: >> >> object_property_set_bool(OBJECT(dev), true, "realized", &err) in >> pci_nic_init_nofail may release the object if device fails to >> initialize which leads to use-after-free in error handling block. >> qdev_init_nofail does the same thing while holding the reference. >> >> (gdb) run -net nic >> qemu-system-x86_64: failed to find romfile "efi-e1000.rom" >> >> Program received signal SIGSEGV, Segmentation fault. >> object_unparent (obj=0x7fffe96a0010) at qom/object.c:440 >> 440 in qom/object.c >> (gdb) bt >> #0 object_unparent (obj=0x7fffe96a0010) at qom/object.c:440 >> #1 0x000055555598c30d in pci_nic_init_nofail (nd=0x55555616b460 >> <nd_table>, rootbus=0x5555567ed990, default_model=<optimized out>, >> default_devaddr=<optimized out>) at hw/pci/pci.c:1812 >> #2 0x00005555557ff52c in pc_nic_init (isa_bus=0x55555733c610, >> pci_bus=0x5555567ed990) at hw/i386/pc.c:1634 >> #3 0x00005555558021ad in pc_init1 (machine=0x55555661ee10, >> pci_type=0x555555c1a523 "i440FX", host_type=0x555555ba564e >> "i440FX-pcihost") at hw/i386/pc_piix.c:241 >> #4 0x00005555557519cb in main (argc=<optimized out>, argv=<optimized >> out>, envp=<optimized out>) at vl.c:4481 >> >> Signed-off-by: Alex Kompel <[email protected]> >> --- >> hw/pci/pci.c | 8 +------- >> 1 file changed, 1 insertion(+), 7 deletions(-) >> >> diff --git a/hw/pci/pci.c b/hw/pci/pci.c >> index 24fae16..2fd1b9e 100644 >> --- a/hw/pci/pci.c >> +++ b/hw/pci/pci.c 
>> @@ -1805,13 +1805,7 @@ PCIDevice *pci_nic_init_nofail(NICInfo *nd, >> PCIBus *rootbus, > > > Hello, looks like the patch was corrupted, possibly by your email client. > Please check; we usually send patches through git send-email. > > Thanks > > >> pci_dev = pci_create(bus, devfn, pci_nic_names[i]); >> dev = &pci_dev->qdev; >> qdev_set_nic_properties(dev, nd); >> - >> - object_property_set_bool(OBJECT(dev), true, "realized", &err); >> - if (err) { >> - error_report_err(err); >> - object_unparent(OBJECT(dev)); >> - exit(1); >> - } >> + qdev_init_nofail(dev); >> >> return pci_dev; >> } >> -- >> 2.8.3 >> >
Signed-off-by: Alex Kompel <[email protected]> --- hw/pci/pci.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/hw/pci/pci.c b/hw/pci/pci.c index 24fae16..2fd1b9e 100644 --- a/hw/pci/pci.c +++ b/hw/pci/pci.c @@ -1805,13 +1805,7 @@ PCIDevice *pci_nic_init_nofail(NICInfo *nd, PCIBus *rootbus, pci_dev = pci_create(bus, devfn, pci_nic_names[i]); dev = &pci_dev->qdev; qdev_set_nic_properties(dev, nd); - - object_property_set_bool(OBJECT(dev), true, "realized", &err); - if (err) { - error_report_err(err); - object_unparent(OBJECT(dev)); - exit(1); - } + qdev_init_nofail(dev); return pci_dev; } -- 2.8.3
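Review bot: the hunk removes the only use of `err` in pci_nic_init_nofail (the `object_property_set_bool(OBJECT(dev), true, "realized", &err);` call and the `if (err) { ... }` block) but does not remove its declaration, which sits above the hunk's first context line; if `Error *err = NULL;` is still declared at the top of the function, it becomes an unused variable after this change and will warn (and fail a -Werror build), so the declaration should be dropped in the same patch. The substitution itself matches the commit message's reasoning: qdev_init_nofail performs the same realize while holding its own reference and exits on failure, so the `object_unparent(OBJECT(dev))` on a possibly already released object is gone and the early-exit behaviour on a failed NIC realize is preserved.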
