As reported by Zuozhi fzz <zuozhi....@alibaba-inc.com>, there's a problem you can expose in AHCI by rewriting the command list buffer and/or FIS receive buffer addresses, then re-starting the AHCI device before bringing it to a stop. Depending on the success of the remap operations, you may be able to transition the device to a state where it thinks it is "running" but no longer has a guest memory mapping.
When you try to transition it to the stopped state, QEMU crashes. Tighten up the start/stop conditions, and pepper in a paranoia check inside of the unmap function.

________________________________________________________________________________

For convenience, this branch is available at:
https://github.com/jnsnow/qemu.git branch ahci-unmap-fixes
https://github.com/jnsnow/qemu/tree/ahci-unmap-fixes

This version is tagged ahci-unmap-fixes-v1:
https://github.com/jnsnow/qemu/releases/tag/ahci-unmap-fixes-v1

John Snow (4):
  ahci: Do not unmap NULL addresses
  ahci: handle LIST_ON and FIS_ON in map helpers
  ahci: explicitly reject bad engine states on post_load
  ahci: prohibit "restarting" the FIS or CLB engines

 hw/ide/ahci.c | 96 ++++++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 59 insertions(+), 37 deletions(-)

-- 
2.4.3
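The failure mode the cover letter describes, as an added toy model that is not QEMU's hw/ide/ahci.c: a command-list engine that can only be started from the stopped state, that leaves its state untouched when the remap fails, and whose stop path never unmaps a NULL mapping. The struct, the `clb_engine_*` helpers, `guest_map` and `engine_state_consistent` are all hypothetical stand-ins; the PxCMD bit positions are the AHCI register layout. The FIS receive engine would be handled the same way.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* PxCMD bits from the AHCI spec: ST (start request) and CR (engine running). */
#define PORT_CMD_START   (1u << 0)
#define PORT_CMD_LIST_ON (1u << 15)

/* Constructed 64 KiB "guest RAM"; anything outside it fails to map. */
#define GUEST_RAM_SIZE 0x10000u
static uint8_t guest_ram[GUEST_RAM_SIZE];

typedef struct {
    uint32_t cmd;   /* PxCMD */
    uint64_t clb;   /* PxCLB: guest address of the command list */
    uint8_t *lst;   /* host mapping of the command list, or NULL */
} AHCIPort;

/* Hypothetical stand-in for dma_memory_map(): NULL on a bad guest address. */
static uint8_t *guest_map(uint64_t addr, size_t len)
{
    return (addr + len > GUEST_RAM_SIZE) ? NULL : guest_ram + addr;
}

/* Guest rewrites PxCLB; a running engine must keep its existing mapping. */
void port_write_clb(AHCIPort *p, uint64_t val) { p->clb = val; }

/* Start only from the stopped state; a failed remap leaves the engine off. */
bool clb_engine_start(AHCIPort *p)
{
    if (p->cmd & PORT_CMD_LIST_ON) {
        return false;               /* "restart" without a stop is rejected */
    }
    p->lst = guest_map(p->clb, 1024);
    if (p->lst == NULL) {
        return false;               /* never claim LIST_ON without a mapping */
    }
    p->cmd |= PORT_CMD_LIST_ON;
    return true;
}

/* Stop only from the running state; unmap only a non-NULL mapping. */
bool clb_engine_stop(AHCIPort *p)
{
    if (!(p->cmd & PORT_CMD_LIST_ON)) {
        return false;
    }
    if (p->lst != NULL) {           /* paranoia check from the series */
        p->lst = NULL;              /* stands in for dma_memory_unmap() */
    }
    p->cmd &= ~PORT_CMD_LIST_ON;
    return true;
}

/* The post_load-style invariant: a running engine always has a mapping. */
bool engine_state_consistent(const AHCIPort *p)
{
    return !(p->cmd & PORT_CMD_LIST_ON) || p->lst != NULL;
}
```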