{"id":2215579,"url":"http://patchwork.ozlabs.org/api/patches/2215579/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260324193530.375628-1-peter.maydell@linaro.org/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260324193530.375628-1-peter.maydell@linaro.org>","list_archive_url":null,"date":"2026-03-24T19:35:30","name":"hw/net/rocker: Avoid double-free of l2_flood.group_ids","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"1d2d3d12dc56ce2933488022700ed58e2a721d7b","submitter":{"id":5111,"url":"http://patchwork.ozlabs.org/api/people/5111/?format=json","name":"Peter Maydell","email":"peter.maydell@linaro.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260324193530.375628-1-peter.maydell@linaro.org/mbox/","series":[{"id":497337,"url":"http://patchwork.ozlabs.org/api/series/497337/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=497337","date":"2026-03-24T19:35:30","name":"hw/net/rocker: Avoid double-free of l2_flood.group_ids","version":1,"mbox":"http://patchwork.ozlabs.org/series/497337/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2215579/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2215579/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google 
header.b=qylblbRj;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgKyr6QdRz1y1G\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 25 Mar 2026 06:36:03 +1100 (AEDT)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1w57XO-0000sk-RG; Tue, 24 Mar 2026 15:35:38 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <peter.maydell@linaro.org>)\n id 1w57XM-0000sL-8I\n for qemu-devel@nongnu.org; Tue, 24 Mar 2026 15:35:36 -0400","from mail-wm1-x329.google.com ([2a00:1450:4864:20::329])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <peter.maydell@linaro.org>)\n id 1w57XK-0006nr-DS\n for qemu-devel@nongnu.org; Tue, 24 Mar 2026 15:35:35 -0400","by mail-wm1-x329.google.com with SMTP id\n 5b1f17b1804b1-48538c5956bso1973855e9.0\n for <qemu-devel@nongnu.org>; Tue, 24 Mar 2026 12:35:33 -0700 (PDT)","from lanath.. (wildly.archaic.org.uk. 
[81.2.115.145])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-4871664ad92sm4318255e9.4.2026.03.24.12.35.31\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 24 Mar 2026 12:35:31 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=linaro.org; s=google; t=1774380933; x=1774985733; darn=nongnu.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=GDxBD2slxa/qr05PqNswk0PG2IQH7R7Cd9XrepJdiD8=;\n b=qylblbRjEOxEdh2ru7zklYHND23xru2y/YSNwflap1bKlTKAQPvjNAcKOPKastkkVI\n uG09/g+blA6g93EcE9Nr5npEoFy4AXkCu3Ez2cHih76a/qGQcC2D/3LAZ62v7Klrveyg\n 3Rg/LKrYdVClPBIvxlKhKsNtFTZ9rPpB7qRueFffD+hlkQotuEMk5/npfSKjaYCPMdL6\n vc7G44A88yYJtO/f7uuzvu4MNC0VvDuRvef6wnn3VH0BlFcyMlDL0EiDxa/MocwbJ2LN\n rR4kxySPcC7f47EEDwj4KhYCsUB+T1wHgCdTiaPsG32+Uf1qbdKGgY0lDh0Aul4uSIP2\n jrpg==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1774380933; x=1774985733;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=GDxBD2slxa/qr05PqNswk0PG2IQH7R7Cd9XrepJdiD8=;\n b=Y/8C+12LBghc7irmimRFLlkqlM/zjpmxxvHyrVFC/p7oDOz3uQl58g9TpP4jpyUem3\n qWynJPZv7J/MNOA8UynJOaxtM4bHfBcmBx12ITgmM86RqJxISs+2atL3Mv+1d04x7gwp\n zKsYIhEkZJLFLHpW/sx2Fcat+iMJZVawdNXMqw5ZXeDj5RIcq+ez3DcTn7/X0QyXPtMW\n K95xg9gfyx4z9lS997M5Ijx7qjlKgUtWvk8urjGmB9DASPba58MpyJM5ZC3J5BjRmH8H\n Ua+EBGcCOvyxApWa9eMDO9YThKZGzf9n83vBCnIEa8LA59dDOlLVIWoTZdtX8MLN4aQT\n feGA==","X-Gm-Message-State":"AOJu0YzkzwTaoA7KPhnrbcjhnnU5efEvUObaE3mBg0ROnjbQ8Vz+5ZWm\n D0b9Q6dsUMmgbmas3UB0ayzHkn6o8BRs1NI3AnCDhHdQfl40ovWOw+S87UsCF1TxRqAew4zDuxm\n ouGHRHe0=","X-Gm-Gg":"ATEYQzwck+R0mGTUEjYlqf+oc/e9U/RIDjiMxk7zSntfzF44VmzsMXL6+zEIjUoDD5w\n n8g8Df1U3gYEW4ipyp2bwUmxzUf2RO0xTbs1gSez9nKKlA0etXb5r4INeAhZ117TMFLz/wEhj2I\n CfC4Z0B+rHry9x/gM22S+75q3ce8FVKj7X+mQihbYq5OlpIayxgJqlYI0Wge2xQV1Ean0C5V1Zm\n 
iKWSskHHbdzD/YDNeLO69jJ8cqrcFCXjDNvL5oX9Hr8buAXiCWaKd8c76yANWPvpo7GcuDzhWOm\n rZ9xI6u6DhqnT32YvloTnjJX/n1z8tfV4xhfB8E97z7vhhgJzIjEeezVVY9B7eeS3veg1gnMk2c\n irA+1ZkoGjaPLVXLpshVaPuonOI8waN7W2yK9kmV4dbBDJMIG68Dt1BbLB3LXAnRD9L2bVUzGPT\n QZiMR+BNHnQbHaKP6Ab2IuOezkDyq5HZZa3zWT7gFzrceJOpfG6CDUPaFnZOeaioKjeOOFVz5LC\n xaYEUEqe39Wq5+uUVFHJEUW0y7K+fk=","X-Received":"by 2002:a05:600c:5288:b0:485:3e00:944a with SMTP id\n 5b1f17b1804b1-48716075f66mr13447065e9.9.1774380932230;\n Tue, 24 Mar 2026 12:35:32 -0700 (PDT)","From":"Peter Maydell <peter.maydell@linaro.org>","To":"qemu-devel@nongnu.org","Cc":"Jiri Pirko <jiri@resnulli.us>,\n\tJason Wang <jasowang@redhat.com>","Subject":"[PATCH] hw/net/rocker: Avoid double-free of l2_flood.group_ids","Date":"Tue, 24 Mar 2026 19:35:30 +0000","Message-ID":"<20260324193530.375628-1-peter.maydell@linaro.org>","X-Mailer":"git-send-email 2.43.0","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Received-SPF":"pass client-ip=2a00:1450:4864:20::329;\n envelope-from=peter.maydell@linaro.org; helo=mail-wm1-x329.google.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n 
<mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"In of_dpa_cmd_add_l2_flood(), we allocate memory for the\ngroup->l2_flood.group_ids array, freeing any previous array.\nHowever, in the error-exit path we free the group_ids memory but do\nnot clear the pointer to NULL.  This means that if the guest causes\nus to take the error-exit path and then later call the function\nagain, we will try again to free the memory we already freed.\n\nFix this by clearing the group_ids pointer in the error exit\npath, so we maintain the invariant of \"either it points at\nallocated memory, or it is NULL\" (both being valid to g_free()).\n\nCc: qemu-stable@nongnu.org\nFixes: dc488f88806 (\"rocker: add new rocker switch device\")\nResolves: https://gitlab.com/qemu-project/qemu/-/work_items/3253\nSigned-off-by: Peter Maydell <peter.maydell@linaro.org>\n---\n hw/net/rocker/rocker_of_dpa.c | 1 +\n 1 file changed, 1 insertion(+)","diff":"diff --git a/hw/net/rocker/rocker_of_dpa.c b/hw/net/rocker/rocker_of_dpa.c\nindex 814f19afc5..3190a0e75c 100644\n--- a/hw/net/rocker/rocker_of_dpa.c\n+++ b/hw/net/rocker/rocker_of_dpa.c\n@@ -2059,6 +2059,7 @@ static int of_dpa_cmd_add_l2_flood(OfDpa *of_dpa, OfDpaGroup *group,\n err_out:\n     group->l2_flood.group_count = 0;\n     g_free(group->l2_flood.group_ids);\n+    group->l2_flood.group_ids = NULL;\n     g_free(tlvs);\n \n     return err;\n","prefixes":[]}
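Review bot: In the err_out path of of_dpa_cmd_add_l2_flood(), the free and the new `group->l2_flood.group_ids = NULL;` are two separate statements, so a later edit can separate them again and reintroduce the stale pointer. Consider replacing the pair with `g_clear_pointer(&group->l2_flood.group_ids, g_free);`, which frees and clears in one statement and keeps the "allocated memory or NULL" invariant described in the commit message. The group_count reset to 0 just above already keeps the count consistent with the cleared pointer, so no further change is needed in this hunk. Since the commit message says the function also frees any previous array on entry, it is worth confirming that any other site freeing group_ids follows the same free-and-clear pattern; those sites are not visible in this diff.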