diff options
| author | Jia Jia <physicalmtea@gmail.com> | 2026-05-07 15:08:01 +0300 |
|---|---|---|
| committer | Michael S. Tsirkin <mst@redhat.com> | 2026-06-10 09:14:02 +0300 |
| commit | 548d2208455f14e6121404c6e30e997bfe0cd264 (patch) | |
| tree | 78490eaa14421f9e359b5d9fa6933cd99de27678 /include/uapi | |
| parent | c687bc35694698ec4c7f92bf929c3d659f0cecb8 (diff) | |
| download | linux-548d2208455f14e6121404c6e30e997bfe0cd264.tar.xz | |
virtio: rtc: tear down old virtqueues before restore
virtio_device_restore() resets the device and restores the negotiated
features before calling ->restore(). viortc_freeze() intentionally
leaves the existing virtqueues in place so the alarm queue can still
wake the system, but viortc_restore() immediately calls
viortc_init_vqs() without first deleting those old queues.
If virtqueue reinitialization fails on virtio-pci, the transport error
path can run vp_del_vqs() against a newly allocated vp_dev->vqs array
while vdev->vqs still contains the old virtqueues. vp_del_vqs() then
looks up queue state through the new array and can dereference a NULL
info pointer in vp_del_vq(), crashing the guest kernel during restore.
This can also happen during a non-faulty reinitialization, when one of
the vp_find_vqs_msix() attempts is unsuccessful before a later attempt
would succeed.
Delete the stale virtqueues before rebuilding them. If restore fails
before virtio_device_ready(), reuse the remove path to stop the device.
Once the device is ready, return errors directly instead of deleting the
virtqueues again.
Fixes: 0623c7592768 ("virtio_rtc: Add module and driver core")
Signed-off-by: Jia Jia <physicalmtea@gmail.com>
Reviewed-by: Peter Hilber <peter.hilber@oss.qualcomm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-ID: <20260507120801.3677552-1-physicalmtea@gmail.com>
Diffstat (limited to 'include/uapi')
0 files changed, 0 insertions, 0 deletions