From: Gregory Price <gregory.price@memverge.com>
To: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: qemu-devel@nongnu.org, Michael Tsirkin <mst@redhat.com>,
Ben Widawsky <bwidawsk@kernel.org>,
linux-cxl@vger.kernel.org,
Huai-Cheng Kuo <hchkuo@avery-design.com.tw>,
Chris Browy <cbrowy@avery-design.com>,
linuxarm@huawei.com, ira.weiny@intel.com
Subject: Re: [PATCH v7 4/5] hw/mem/cxl-type3: Add CXL CDAT Data Object Exchange
Date: Wed, 12 Oct 2022 12:01:54 -0400 [thread overview]
Message-ID: <Y0bk8g2zn2tpUS3a@memverge.com> (raw)
In-Reply-To: <20221007152156.24883-5-Jonathan.Cameron@huawei.com>
This code contains heap corruption on free, and I think should be
refactored to pre-allocate all the entries we're interested in putting
into the table. This would flatten the code and simplify the error
handling steps.
Also, should we consider making a union with all the possible entries to
make entry allocation easier? It may eat a few extra bytes of memory,
but it would simplify the allocation/cleanup code here further.
Given that every allocation has to be checked, I'm also not convinced
the use of g_autofree is worth the potential footguns associated with
it.
> diff --git a/hw/mem/cxl_type3.c b/hw/mem/cxl_type3.c
> index 568c9d62f5..3fa5d70662 100644
> --- a/hw/mem/cxl_type3.c
> +++ b/hw/mem/cxl_type3.c
> @@ -12,9 +12,218 @@
> +static int ct3_build_cdat_table(CDATSubHeader ***cdat_table,
> + void *priv)
> +{
(snip)
> + /* For now, no memory side cache, plausiblish numbers */
> + dslbis_nonvolatile = g_malloc(sizeof(*dslbis_nonvolatile) * dslbis_nonvolatile_num);
> + if (!dslbis_nonvolatile)
> + return -ENOMEM;
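Review bot: the `if (!dslbis_nonvolatile) return -ENOMEM;` check is dead code: g_malloc() aborts the process on allocation failure and never returns NULL, so either drop the check or switch to g_try_malloc()/g_try_new() if an -ENOMEM path is genuinely wanted. Independently, `g_new(CDATDslbis, dslbis_nonvolatile_num)` would replace the hand-written `sizeof(*dslbis_nonvolatile) * dslbis_nonvolatile_num` with an overflow-checked multiplication.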
This allocation creates a table of entries, which is later freed
incorrectly.
> +
> + *cdat_table = g_malloc0(len * sizeof(*cdat_table));
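Review bot: `sizeof(*cdat_table)` is the size of a `CDATSubHeader **`, while the elements being allocated are `CDATSubHeader *`; the two happen to be the same size, so this works by coincidence but reads as an off-by-one-indirection slip. `*cdat_table = g_new0(CDATSubHeader *, len);` states the intent and checks the multiplication for overflow. As with g_malloc above, g_malloc0 aborts rather than returning NULL, so a NULL check here only makes sense together with g_try_new0().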
This allocation needs to be checked.
> + /* Header always at start of structure */
> + if (dsmas_nonvolatile) {
> + (*cdat_table)[i++] = g_steal_pointer(&dsmas_nonvolatile);
> + }
> + if (dslbis_nonvolatile) {
> + CDATDslbis *dslbis = g_steal_pointer(&dslbis_nonvolatile);
Using a local reference to avoid a g_autofree footgun suggests
we should not use g_autofree here, and possibly reconsider the overall
strategy for allocation and cleanup.
> + int j;
> +
> + for (j = 0; j < dslbis_nonvolatile_num; j++) {
> + (*cdat_table)[i++] = (CDATSubHeader *)&dslbis[j];
> + }
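Review bot: `(CDATSubHeader *)&dslbis[j]` stores interior pointers into the single block that was allocated as `dslbis_nonvolatile`; only `&dslbis[0]` is a pointer that came back from g_malloc, so any cleanup that frees table slots one by one will hand `&dslbis[j]` for j >= 1 to g_free, which is undefined behaviour. Either allocate each DSLBIS entry separately (for example `g_new0(CDATDslbis, 1)` per entry) so every table slot owns its own allocation, or keep the single block and make ct3_free_cdat_table aware of which slots are interior pointers.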
This fills the CDAT table with sub-references to the table allocated
above, which leads to heap corruption with the current code, or
complicated cleanup if we decide to keep it.
> +
> + return len;
> +}
> +
> +static void ct3_free_cdat_table(CDATSubHeader **cdat_table, int num, void *priv)
> +{
> + int i;
> +
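Review bot: `return len;` reports the size of the allocated table rather than the number of slots actually populated (`i`); the two only agree if every conditional block above executes. Because the table is g_malloc0'd, unused slots are NULL and g_free(NULL) is a no-op, so this is not a crash today, but an `assert(i == len)` before the return, or returning `i`, would make the invariant explicit for whoever extends the table later.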
And here we free every entry of the table, which can/will cause heap
corruption when the sub-table entries are freed.
> + for (i = 0; i < num; i++) {
> + g_free(cdat_table[i]);
> + }
> + g_free(cdat_table);
> +}
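Review bot: the loop `g_free(cdat_table[i])` assumes every slot owns a separate allocation, which the DSLBIS slots filled in ct3_build_cdat_table do not: the first DSLBIS slot frees the whole block, and each following DSLBIS slot passes either an interior pointer or a pointer into already-freed memory to g_free. If the allocation strategy is changed to one allocation per slot, this loop is correct as written; until then an ASan or valgrind run of a guest that reads the CDAT table would flag the invalid free. A one-line comment noting that `priv` is unused here but required by the callback signature would also help.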