[{"id":1767263,"web_url":"http://patchwork.ozlabs.org/comment/1767263/","msgid":"<CAFEAcA_geEmuB5mdTZ2BrvpwOve5w9++eAfRXmNTZh+36__VqA@mail.gmail.com>","list_archive_url":null,"date":"2017-09-12T17:28:04","subject":"Re: [Qemu-devel] [PULL 02/40] hw/ppc: clear pending_events on\n\tmachine reset","submitter":{"id":5111,"url":"http://patchwork.ozlabs.org/api/people/5111/","name":"Peter Maydell","email":"peter.maydell@linaro.org"},"content":"On 8 September 2017 at 11:35, David Gibson <david@gibson.dropbear.id.au> wrote:\n> From: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>\n>\n> The sPAPR machine isn't clearing up the pending events QTAILQ on\n> machine reboot. This allows for unprocessed hotplug/epow events\n> to persist in the queue after reset and, when reasserting the IRQs in\n> check_exception later on, these will be being processed by the OS.\n>\n> This patch implements a new function called 'spapr_clear_pending_events'\n> that clears up the pending_events QTAILQ. This helper is then called\n> inside ppc_spapr_reset to clear up the events queue, preventing\n> old/deprecated events from persisting after a reset.\n>\n> Signed-off-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>\n> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>\n\n> +void spapr_clear_pending_events(sPAPRMachineState *spapr)\n> +{\n> +    sPAPREventLogEntry *entry = NULL;\n> +\n> +    QTAILQ_FOREACH(entry, &spapr->pending_events, next) {\n> +        QTAILQ_REMOVE(&spapr->pending_events, entry, next);\n> +        g_free(entry->extended_log);\n> +        g_free(entry);\n> +    }\n> +}\n\nCoverity points out that this is a use-after-free error,\nbecause QTAILQ_FOREACH will access the list pointers of\nentry after the loop body has freed it. You want\nQTAILQ_FOREACH_SAFE, I think. 
(CID 1381017)\n\nthanks\n-- PMM"},{"id":1767284,"web_url":"http://patchwork.ozlabs.org/comment/1767284/","msgid":"<20170912202742.6e16b5d0@bahia.lab.toulouse-stg.fr.ibm.com>","list_archive_url":null,"date":"2017-09-12T18:27:42","subject":"Re: [Qemu-devel] [Qemu-ppc] [PULL 02/40] hw/ppc: clear\n\tpending_events on machine reset","submitter":{"id":69178,"url":"http://patchwork.ozlabs.org/api/people/69178/","name":"Greg Kurz","email":"groug@kaod.org"},"content":"On Tue, 12 Sep 2017 18:28:04 +0100\nPeter Maydell <peter.maydell@linaro.org> wrote:\n\n> On 8 September 2017 at 11:35, David Gibson <david@gibson.dropbear.id.au> wrote:\n> > From: Daniel Henrique Barboza 
<danielhb@linux.vnet.ibm.com>\n> >\n> > The sPAPR machine isn't clearing up the pending events QTAILQ on\n> > machine reboot. This allows for unprocessed hotplug/epow events\n> > to persist in the queue after reset and, when reasserting the IRQs in\n> > check_exception later on, these will be being processed by the OS.\n> >\n> > This patch implements a new function called 'spapr_clear_pending_events'\n> > that clears up the pending_events QTAILQ. This helper is then called\n> > inside ppc_spapr_reset to clear up the events queue, preventing\n> > old/deprecated events from persisting after a reset.\n> >\n> > Signed-off-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>\n> > Signed-off-by: David Gibson <david@gibson.dropbear.id.au>  \n> \n> > +void spapr_clear_pending_events(sPAPRMachineState *spapr)\n> > +{\n> > +    sPAPREventLogEntry *entry = NULL;\n> > +\n> > +    QTAILQ_FOREACH(entry, &spapr->pending_events, next) {\n> > +        QTAILQ_REMOVE(&spapr->pending_events, entry, next);\n> > +        g_free(entry->extended_log);\n> > +        g_free(entry);\n> > +    }\n> > +}  \n> \n> Coverity points out that this is a use-after-free error,\n> because QTAILQ_FOREACH will access the list pointers of\n> entry after the loop body has freed it. You want\n> QTAILQ_FOREACH_SAFE, I think. (CID 1381017)\n> \n\nYes indeed, QTAILQ_FOREACH_SAFE() is needed when removing\nthe current element from the list. 
I'll send a patch.\n\n> thanks\n> -- PMM\n>"}]