From nobody Mon May  6 15:24:20 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as
 permitted sender) client-ip=208.118.235.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Authentication-Results: mx.zoho.com;
	spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted
 sender)  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by
 mx.zohomail.com
	with SMTPS id 1493189251916603.1592972335172;
 Tue, 25 Apr 2017 23:47:31 -0700 (PDT)
Received: from localhost ([::1]:52959 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <qemu-devel-bounces+importer=patchew.org@nongnu.org>)
	id 1d3Gja-0002zq-TZ
	for importer@patchew.org; Wed, 26 Apr 2017 02:47:30 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:54804)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <wangyunjian@huawei.com>) id 1d3Gio-0002cV-K3
	for qemu-devel@nongnu.org; Wed, 26 Apr 2017 02:46:43 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <wangyunjian@huawei.com>) id 1d3Gij-00025P-Rw
	for qemu-devel@nongnu.org; Wed, 26 Apr 2017 02:46:42 -0400
Received: from szxga03-in.huawei.com ([45.249.212.189]:3857
	helo=dggrg03-dlp.huawei.com)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.71)
	(envelope-from <wangyunjian@huawei.com>) id 1d3Gij-00020o-DT
	for qemu-devel@nongnu.org; Wed, 26 Apr 2017 02:46:37 -0400
Received: from 172.30.72.55 (EHLO DGGEML401-HUB.china.huawei.com)
	([172.30.72.55])
	by dggrg03-dlp.huawei.com (MOS 4.4.6-GA FastPath queued)
	with ESMTP id AMN12975; Wed, 26 Apr 2017 14:46:31 +0800 (CST)
Received: from localhost (10.177.24.66) by DGGEML401-HUB.china.huawei.com
	(10.3.17.32) with Microsoft SMTP Server id 14.3.301.0; Wed, 26 Apr 2017
	14:46:23 +0800
From: Yunjian Wang <wangyunjian@huawei.com>
To: <jasowang@redhat.com>, <mst@redhat.com>, <qemu-devel@nongnu.org>
Date: Wed, 26 Apr 2017 14:45:56 +0800
Message-ID: <1493189156-14656-1-git-send-email-wangyunjian@huawei.com>
X-Mailer: git-send-email 1.9.5.msysgit.1
MIME-Version: 1.0
X-Originating-IP: [10.177.24.66]
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0),
	refid=str=0001.0A090203.59004248.0032, ss=1, re=0.000, recu=0.000,
	reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0,
	so=2014-11-16 11:51:01, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 09a2e40c1ae597fb12734d7b9876fff7
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.4.x-2.6.x [generic]
	[fuzzy]
X-Received-From: 45.249.212.189
Subject: [Qemu-devel] [PATCH] virtio-net: fix wild pointer when remove
 virtio-net queues
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: caihe@huawei.com, Yunjian Wang <wangyunjian@huawei.com>
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: "Qemu-devel" <qemu-devel-bounces+importer=patchew.org@nongnu.org>
X-ZohoMail: RSF_0  Z_629925259 SPT_0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The tx_bh or tx_timer will free in virtio_net_del_queue() function, when
removing virtio-net queues if the guest doesn't support multiqueue. But
it might be still referenced by virtio_net_set_status(), which needs to
be set NULL. And also the tx_waiting needs to be set zero to prevent
virtio_net_set_status() accessing tx_bh or tx_timer.

Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
---
 hw/net/virtio-net.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 7d091c9..98bd683 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1522,9 +1522,12 @@ static void virtio_net_del_queue(VirtIONet *n, int i=
ndex)
     if (q->tx_timer) {
         timer_del(q->tx_timer);
         timer_free(q->tx_timer);
+        q->tx_timer =3D NULL;
     } else {
         qemu_bh_delete(q->tx_bh);
+        q->tx_bh =3D NULL;
     }
+    q->tx_waiting =3D 0;
     virtio_del_queue(vdev, index * 2 + 1);
 }
=20
--=20
1.8.3.1