From: Laurent Vivier Date: Thu, 7 Aug 2025 11:08:06 +0000 (+0200) Subject: e1000e: Prevent crash from legacy interrupt firing after MSI-X enable X-Git-Tag: v7.2.20~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ee2a2c7d5449c427b9d45cfbbfb65810664a1492;p=thirdparty%2Fqemu.git e1000e: Prevent crash from legacy interrupt firing after MSI-X enable A race condition between guest driver actions and QEMU timers can lead to an assertion failure when the guest switches the e1000e from legacy interrupt mode to MSI-X. If a legacy interrupt delay timer (TIDV or RDTR) is active, but the guest enables MSI-X before the timer fires, the pending interrupt cause can trigger an assert in e1000e_intmgr_collect_delayed_causes(). This patch removes the assertion and executes the code that clears the pending legacy causes. This change is safe and introduces no unintended behavioral side effects, as it only alters a state that previously led to termination. - when core->delayed_causes == 0 the function was already a no-op and remains so. - when core->delayed_causes != 0 the function would previously crash due to the assertion failure. The patch now defines a safe outcome by clearing the cause and returning. Since behavior after the assertion never existed, this simply corrects the crash. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1863 Suggested-by: Akihiko Odaki Signed-off-by: Laurent Vivier Acked-by: Jason Wang Reviewed-by: Akihiko Odaki Message-ID: <20250807110806.409065-1-lvivier@redhat.com> Signed-off-by: Philippe Mathieu-Daudé (cherry picked from commit 8e4649cac9bcddc050d2df07908075e9e69bccc7) Signed-off-by: Michael Tokarev --- diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c index 742f5ec8001..5def4cfc1ce 100644 --- a/hw/net/e1000e_core.c +++ b/hw/net/e1000e_core.c @@ -336,11 +336,6 @@ e1000e_intmgr_collect_delayed_causes(E1000ECore *core) { uint32_t res; - if (msix_enabled(core->owner)) { - assert(core->delayed_causes == 0); - return 0; - } - res = core->delayed_causes; core->delayed_causes = 0;