| Message ID | 20170908103558.31632-3-david@gibson.dropbear.id.au |
|---|---|
| State | New |
| Headers | show |
| Series | [PULL,01/40] hw/ppc/spapr_drc.c: change spapr_drc_needed to use drc->dev | expand |
On 8 September 2017 at 11:35, David Gibson <david@gibson.dropbear.id.au> wrote: > From: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com> > > The sPAPR machine isn't clearing up the pending events QTAILQ on > machine reboot. This allows for unprocessed hotplug/epow events > to persist in the queue after reset and, when reasserting the IRQs in > check_exception later on, these will be being processed by the OS. > > This patch implements a new function called 'spapr_clear_pending_events' > that clears up the pending_events QTAILQ. This helper is then called > inside ppc_spapr_reset to clear up the events queue, preventing > old/deprecated events from persisting after a reset. > > Signed-off-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com> > Signed-off-by: David Gibson <david@gibson.dropbear.id.au> > +void spapr_clear_pending_events(sPAPRMachineState *spapr) > +{ > + sPAPREventLogEntry *entry = NULL; > + > + QTAILQ_FOREACH(entry, &spapr->pending_events, next) { > + QTAILQ_REMOVE(&spapr->pending_events, entry, next); > + g_free(entry->extended_log); > + g_free(entry); > + } > +} Coverity points out that this is a use-after-free error, because QTAILQ_FOREACH will access the list pointers of entry after the loop body has freed it. You want QTAILQ_FOREACH_SAFE, I think. (CID 1381017) thanks -- PMM
On Tue, 12 Sep 2017 18:28:04 +0100 Peter Maydell <peter.maydell@linaro.org> wrote: > On 8 September 2017 at 11:35, David Gibson <david@gibson.dropbear.id.au> wrote: > > From: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com> > > > > The sPAPR machine isn't clearing up the pending events QTAILQ on > > machine reboot. This allows for unprocessed hotplug/epow events > > to persist in the queue after reset and, when reasserting the IRQs in > > check_exception later on, these will be being processed by the OS. > > > > This patch implements a new function called 'spapr_clear_pending_events' > > that clears up the pending_events QTAILQ. This helper is then called > > inside ppc_spapr_reset to clear up the events queue, preventing > > old/deprecated events from persisting after a reset. > > > > Signed-off-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com> > > Signed-off-by: David Gibson <david@gibson.dropbear.id.au> > > > +void spapr_clear_pending_events(sPAPRMachineState *spapr) > > +{ > > + sPAPREventLogEntry *entry = NULL; > > + > > + QTAILQ_FOREACH(entry, &spapr->pending_events, next) { > > + QTAILQ_REMOVE(&spapr->pending_events, entry, next); > > + g_free(entry->extended_log); > > + g_free(entry); > > + } > > +} > > Coverity points out that this is a use-after-free error, > because QTAILQ_FOREACH will access the list pointers of > entry after the loop body has freed it. You want > QTAILQ_FOREACH_SAFE, I think. (CID 1381017) > Yes indeed, QTAILQ_FOREACH_SAFE() is needed when removing the current element from the list. I'll send a patch. > thanks > -- PMM >
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c index cec441cbf4..0e5f29d348 100644 --- a/hw/ppc/spapr.c +++ b/hw/ppc/spapr.c @@ -1392,6 +1392,7 @@ static void ppc_spapr_reset(void) } qemu_devices_reset(); + spapr_clear_pending_events(spapr); /* * We place the device tree and RTAS just below either the top of the RMA, diff --git a/hw/ppc/spapr_events.c b/hw/ppc/spapr_events.c index f952b78237..66b8164f30 100644 --- a/hw/ppc/spapr_events.c +++ b/hw/ppc/spapr_events.c @@ -700,6 +700,17 @@ static void event_scan(PowerPCCPU *cpu, sPAPRMachineState *spapr, rtas_st(rets, 0, RTAS_OUT_NO_ERRORS_FOUND); } +void spapr_clear_pending_events(sPAPRMachineState *spapr) +{ + sPAPREventLogEntry *entry = NULL; + + QTAILQ_FOREACH(entry, &spapr->pending_events, next) { + QTAILQ_REMOVE(&spapr->pending_events, entry, next); + g_free(entry->extended_log); + g_free(entry); + } +} + void spapr_events_init(sPAPRMachineState *spapr) { QTAILQ_INIT(&spapr->pending_events); diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h index 2a303a705c..5d161ec580 100644 --- a/include/hw/ppc/spapr.h +++ b/include/hw/ppc/spapr.h @@ -662,6 +662,7 @@ void spapr_cpu_parse_features(sPAPRMachineState *spapr); int spapr_hpt_shift_for_ramsize(uint64_t ramsize); void spapr_reallocate_hpt(sPAPRMachineState *spapr, int shift, Error **errp); +void spapr_clear_pending_events(sPAPRMachineState *spapr); /* CPU and LMB DRC release callbacks. */ void spapr_core_release(DeviceState *dev);