On 17/09/2013 11:27, Michael S. Tsirkin wrote: >> > static void >> > -pci_e1000_uninit(PCIDevice *dev) >> > +pci_e1000_instance_finalize(Object *obj) >> > { >> > - E1000State *d = E1000(dev); >> > + E1000State *d = E1000(obj); >> > >> > timer_del(d->autoneg_timer); >> > timer_free(d->autoneg_timer); > So this looks wrong. > This cancels timers after pci device has been destroyed, > so meanwhile timers can run and send interrupts.
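Review bot: moving both timer_del() and timer_free() from the PCI uninit hook into instance_finalize means the autoneg timer is only cancelled once the object's last reference is dropped, not when the device stops being reachable from the guest; if the callback must not run against an unregistered device, keep timer_del() in the uninit/unrealize path and leave only timer_free() in instance_finalize, otherwise state in the commit message why a late callback (and any interrupt it raises) is harmless.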
There are definitely cases where the timer deals with pending I/O and has to run after the device has been removed from guest access. This is _not_ yet the point of destruction; the connection to the host backend still exists in particular (it is only dropped by object_property_del_all, which is called right after instance_finalize). It should not be a problem for a device to raise an interrupt after pci_do_unregister_device; it should go nowhere. If it is passed to the guest, it's a bug that we have to fix.

Paolo