Re: [PATCH V4 04/43] vfio/pci: vfio_pci_put_device on failure

[Steven Sistare]

On 6/4/2025 11:02 PM, Duan, Zhenzhong wrote:

-----Original Message-----
From: Steven Sistare <steven.sist...@oracle.com>
Subject: Re: [PATCH V4 04/43] vfio/pci: vfio_pci_put_device on failure

On 6/3/2025 11:55 PM, Duan, Zhenzhong wrote:

-----Original Message-----
From: Steven Sistare <steven.sist...@oracle.com>
Subject: Re: [PATCH V4 04/43] vfio/pci: vfio_pci_put_device on failure

On 6/3/2025 6:40 AM, Duan, Zhenzhong wrote:

-----Original Message-----
From: Steve Sistare <steven.sist...@oracle.com>
Subject: [PATCH V4 04/43] vfio/pci: vfio_pci_put_device on failure

If vfio_realize fails after vfio_device_attach, it should call
vfio_device_detach during error recovery.  If it fails after
vfio_device_get_name, it should free vbasedev->name.  If it fails
after vfio_pci_config_setup, it should free vdev->msix.

To fix all, call vfio_pci_put_device().

Signed-off-by: Steve Sistare <steven.sist...@oracle.com>
---
hw/vfio/pci.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index a1bfdfe..7d3b9ff 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -3296,6 +3296,7 @@ out_teardown:
       vfio_bars_exit(vdev);
error:
       error_prepend(errp, VFIO_MSG_PREFIX, vbasedev->name);
+    vfio_pci_put_device(vdev);

Double free, vfio_pci_put_device() is also called in vfio_instance_finalize().

Agreed, this line must be deleted.
Cedric, this must be fixed in vfio-next.

If vfio_realize fails with an error, vfio_instance_finalize is not called.
I tested that.

Have you tried with hot plugged device?

Not before, but I just tried it now, thanks for the suggestion.
Same result -- vfio_instance_finalize is not called.

That's strange, I tried below change with hotplug a device through qmp, I see 
"vfio_instance_finalize called"

device_add vfio-pci,host=04:10.1,id=vfio0,bus=root0,iommufd=iommufd0

--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -3167,6 +3167,9 @@ static void vfio_realize(PCIDevice *pdev, Error **errp)

      trace_vfio_mdev(vbasedev->name, vbasedev->mdev);

+error_setg(errp, "faking error in vfio_realize");
+goto error;

Thank you, with this I see finalize being called.

In my test, I had injected an error as late as possible in realize, to verify 
all
state is unwound, and I did it wrong:

    vfio_register_err_notifier(vdev);
    vfio_register_req_notifier(vdev);
    vfio_setup_resetfn_quirk(vdev);

    error_setg(errp, "forced error");
    goto out_deregister;

    return;
  out_deregister:

and finalize is not called.  Probably some reference is taken in those last few
function calls, and is not released.

This is correct, and calls finalize:

    error_setg(errp, "forced error");
    goto out_deregister;

    vfio_register_err_notifier(vdev);
    vfio_register_req_notifier(vdev);
    vfio_setup_resetfn_quirk(vdev);

    return;
  out_deregister:

- Steve