On 17/09/2013 11:27, Michael S. Tsirkin wrote:
>> >  static void
>> > -pci_e1000_uninit(PCIDevice *dev)
>> > +pci_e1000_instance_finalize(Object *obj)
>> >  {
>> > -    E1000State *d = E1000(dev);
>> > +    E1000State *d = E1000(obj);
>> >  
>> >      timer_del(d->autoneg_timer);
>> >      timer_free(d->autoneg_timer);
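Review bot: the timer_del(d->autoneg_timer) call in pci_e1000_instance_finalize has no comment saying whether the autoneg timer callback is expected to keep running up to finalize, which is later than the PCIDevice-level pci_e1000_uninit it replaces. Either add a comment above timer_del stating that the callback must tolerate firing until finalize, or stop the timer in the earlier teardown path and keep only timer_free(d->autoneg_timer) here.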
> So this looks wrong.
> This cancels timers after pci device has been destroyed,
> so meanwhile timers can run and send interrupts.

There are definitely cases where the timer deals with pending I/O and
has to run after the device has been removed from guest access.  This is
_not_ yet the point of destruction; the connection to the host backend
still exists in particular (it is only dropped by
object_property_del_all, which is called right after instance_finalize).

It should not be a problem for a device to raise an interrupt after
pci_do_unregister_device; it should go nowhere.  If it is passed to the
guest, it's a bug that we have to fix.

Paolo
