On Fri, Apr 24, 2026 at 11:14:53AM +0800, JiaJia wrote: > virtio_device_restore() resets the device and restores the negotiated > features before calling ->restore(). viortc_freeze() intentionally > leaves the existing virtqueues in place so the alarm queue can still > wake the system, but viortc_restore() immediately calls > viortc_init_vqs() without first deleting those old queues. > > If virtqueue reinitialization fails on virtio-pci, the transport error > path can run vp_del_vqs() against a newly allocated vp_dev->vqs array > while vdev->vqs still contains the old virtqueues. vp_del_vqs() then > looks up queue state through the new array and can dereference a NULL > info pointer in vp_del_vq(), crashing the guest kernel during restore. > > Delete the stale virtqueues before rebuilding them. If restore fails > before virtio_device_ready(), reuse the remove path to stop the device. > Once the device is ready, return errors directly instead of deleting the > virtqueues again. > > Signed-off-by: JiaJia <[email protected]>
Reviewed-by: Peter Hilber <[email protected]> What should still be added is the Fixes tag: Fixes: 0623c7592768 ("virtio_rtc: Add module and driver core") Maybe the commit message could also mention that this can happen during a non-faulty reinitialization, when one of the vp_find_vqs_msix() attempts is unsuccessful before a later attempt would succeed (as far as I understand). Thanks! Peter
