[PATCH 0/4] system: Forbid alloca()

[PATCH 0/4] system: Forbid alloca()

[Philippe Mathieu-Daudé]

Eradicate alloca() uses on system code, then enable
-Walloca to prevent new ones to creep back in.

Philippe Mathieu-Daudé (4):
  hw/gpio/pca9552: Avoid using g_newa()
  backends/tpmL Avoid using g_alloca()
  tests/unit/test-char: Avoid using g_alloca()
  buildsys: Prohibit alloca() use on system code

 meson.build                 | 4 ++++
 backends/tpm/tpm_emulator.c | 4 ++--
 hw/gpio/pca9552.c           | 2 +-
 tests/unit/test-char.c      | 3 +--
 4 files changed, 8 insertions(+), 5 deletions(-)

-- 
2.49.0

[PATCH 1/4] hw/gpio/pca9552: Avoid using g_newa()

[Philippe Mathieu-Daudé]

We have pin_count <= PCA955X_PIN_COUNT_MAX. Having
PCA955X_PIN_COUNT_MAX = 16, it is safe to explicitly
allocate the char buffer on the stack, without g_newa().

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 hw/gpio/pca9552.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/gpio/pca9552.c b/hw/gpio/pca9552.c
index d65c0a2e90f..1e10238b2e0 100644
--- a/hw/gpio/pca9552.c
+++ b/hw/gpio/pca9552.c
@@ -76,7 +76,7 @@ static void pca955x_display_pins_status(PCA955xState *s,
         return;
     }
     if (trace_event_get_state_backends(TRACE_PCA955X_GPIO_STATUS)) {
-        char *buf = g_newa(char, k->pin_count + 1);
+        char buf[PCA955X_PIN_COUNT_MAX + 1];
 
         for (i = 0; i < k->pin_count; i++) {
             if (extract32(pins_status, i, 1)) {
-- 
2.49.0

[PATCH 2/4] backends/tpmL Avoid using g_alloca()

[Philippe Mathieu-Daudé]

tpm_emulator_ctrlcmd() is not in hot path.
Use the heap instead of the stack, removing
the g_alloca() call.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 backends/tpm/tpm_emulator.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backends/tpm/tpm_emulator.c b/backends/tpm/tpm_emulator.c
index 43d350e895d..4a234ab2c0b 100644
--- a/backends/tpm/tpm_emulator.c
+++ b/backends/tpm/tpm_emulator.c
@@ -129,11 +129,11 @@ static int tpm_emulator_ctrlcmd(TPMEmulator *tpm, unsigned long cmd, void *msg,
     CharBackend *dev = &tpm->ctrl_chr;
     uint32_t cmd_no = cpu_to_be32(cmd);
     ssize_t n = sizeof(uint32_t) + msg_len_in;
-    uint8_t *buf = NULL;
     ptm_res res;
 
     WITH_QEMU_LOCK_GUARD(&tpm->mutex) {
-        buf = g_alloca(n);
+        g_autofree uint8_t *buf = g_malloc(n);
+
         memcpy(buf, &cmd_no, sizeof(cmd_no));
         memcpy(buf + sizeof(cmd_no), msg, msg_len_in);
 
-- 
2.49.0

[PATCH 3/4] tests/unit/test-char: Avoid using g_alloca()

[Philippe Mathieu-Daudé]

Do not use g_alloca(), simply allocate the CharBackend
structure on the stack.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 tests/unit/test-char.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tests/unit/test-char.c b/tests/unit/test-char.c
index 60a843b79d9..f30a39f61ff 100644
--- a/tests/unit/test-char.c
+++ b/tests/unit/test-char.c
@@ -993,7 +993,7 @@ static void char_udp_test_internal(Chardev *reuse_chr, int sock)
     struct sockaddr_in other;
     SocketIdleData d = { 0, };
     Chardev *chr;
-    CharBackend *be;
+    CharBackend stack_be, *be = &stack_be;
     socklen_t alen = sizeof(other);
     int ret;
     char buf[10];
@@ -1009,7 +1009,6 @@ static void char_udp_test_internal(Chardev *reuse_chr, int sock)
         chr = qemu_chr_new("client", tmp, NULL);
         g_assert_nonnull(chr);
 
-        be = g_alloca(sizeof(CharBackend));
         qemu_chr_fe_init(be, chr, &error_abort);
     }
 
-- 
2.49.0

[RFC PATCH 4/4] buildsys: Prohibit alloca() use on system code

[Philippe Mathieu-Daudé]

Similarly to commit 64c1a544352 ("meson: Enable -Wvla") with
variable length arrays, forbid alloca() uses on system code.

There are few uses on ancient linux-user code, do not bother
there.

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 meson.build | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meson.build b/meson.build
index ef994676fe9..8c6ccb03c71 100644
--- a/meson.build
+++ b/meson.build
@@ -774,6 +774,10 @@ if host_os != 'darwin'
   endif
 endif
 
+if have_system
+  warn_flags += ['-Walloca']
+endif
+
 # Set up C++ compiler flags
 qemu_cxxflags = []
 if 'cpp' in all_languages
-- 
2.49.0

Re: [PATCH 3/4] tests/unit/test-char: Avoid using g_alloca()

[Pierrick Bouvier]

On 6/5/25 12:35 PM, Philippe Mathieu-Daudé wrote:
> Do not use g_alloca(), simply allocate the CharBackend
> structure on the stack.
> 
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---
>   tests/unit/test-char.c | 3 +--
>   1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/tests/unit/test-char.c b/tests/unit/test-char.c
> index 60a843b79d9..f30a39f61ff 100644
> --- a/tests/unit/test-char.c
> +++ b/tests/unit/test-char.c
> @@ -993,7 +993,7 @@ static void char_udp_test_internal(Chardev *reuse_chr, int sock)
>       struct sockaddr_in other;
>       SocketIdleData d = { 0, };
>       Chardev *chr;
> -    CharBackend *be;
> +    CharBackend stack_be, *be = &stack_be;
>       socklen_t alen = sizeof(other);
>       int ret;
>       char buf[10];
> @@ -1009,7 +1009,6 @@ static void char_udp_test_internal(Chardev *reuse_chr, int sock)
>           chr = qemu_chr_new("client", tmp, NULL);
>           g_assert_nonnull(chr);
>   
> -        be = g_alloca(sizeof(CharBackend));
>           qemu_chr_fe_init(be, chr, &error_abort);
>       }
>   

Would that be more simple to declare the variable, and use &be in the 
function code?

Re: [PATCH 0/4] system: Forbid alloca()

[Pierrick Bouvier]

On 6/5/25 12:35 PM, Philippe Mathieu-Daudé wrote:
> Eradicate alloca() uses on system code, then enable
> -Walloca to prevent new ones to creep back in.
> 
> Philippe Mathieu-Daudé (4):
>    hw/gpio/pca9552: Avoid using g_newa()
>    backends/tpmL Avoid using g_alloca()
>    tests/unit/test-char: Avoid using g_alloca()
>    buildsys: Prohibit alloca() use on system code
> 
>   meson.build                 | 4 ++++
>   backends/tpm/tpm_emulator.c | 4 ++--
>   hw/gpio/pca9552.c           | 2 +-
>   tests/unit/test-char.c      | 3 +--
>   4 files changed, 8 insertions(+), 5 deletions(-)
> 

Good idea!

For the series:
Reviewed-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>

Re: [PATCH 1/4] hw/gpio/pca9552: Avoid using g_newa()

[Miles Glenn]

Reviewed-by: Glenn Miles <milesg@linux.ibm.com>

Thanks!

Glenn

On Thu, 2025-06-05 at 21:35 +0200, Philippe Mathieu-Daudé wrote:
> We have pin_count <= PCA955X_PIN_COUNT_MAX. Having
> PCA955X_PIN_COUNT_MAX = 16, it is safe to explicitly
> allocate the char buffer on the stack, without g_newa().
> 
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---
>  hw/gpio/pca9552.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/gpio/pca9552.c b/hw/gpio/pca9552.c
> index d65c0a2e90f..1e10238b2e0 100644
> --- a/hw/gpio/pca9552.c
> +++ b/hw/gpio/pca9552.c
> @@ -76,7 +76,7 @@ static void pca955x_display_pins_status(PCA955xState *s,
>          return;
>      }
>      if (trace_event_get_state_backends(TRACE_PCA955X_GPIO_STATUS)) {
> -        char *buf = g_newa(char, k->pin_count + 1);
> +        char buf[PCA955X_PIN_COUNT_MAX + 1];
>  
>          for (i = 0; i < k->pin_count; i++) {
>              if (extract32(pins_status, i, 1)) {

Re: [PATCH 2/4] backends/tpmL Avoid using g_alloca()

[BALATON Zoltan]

[-- Attachment #1: Type: text/plain, Size: 1077 bytes --]

On Thu, 5 Jun 2025, Philippe Mathieu-Daudé wrote:
> tpm_emulator_ctrlcmd() is not in hot path.
> Use the heap instead of the stack, removing
> the g_alloca() call.

Typo in subject L -> :

Regards,
BALATON Zoltan

> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---
> backends/tpm/tpm_emulator.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/backends/tpm/tpm_emulator.c b/backends/tpm/tpm_emulator.c
> index 43d350e895d..4a234ab2c0b 100644
> --- a/backends/tpm/tpm_emulator.c
> +++ b/backends/tpm/tpm_emulator.c
> @@ -129,11 +129,11 @@ static int tpm_emulator_ctrlcmd(TPMEmulator *tpm, unsigned long cmd, void *msg,
>     CharBackend *dev = &tpm->ctrl_chr;
>     uint32_t cmd_no = cpu_to_be32(cmd);
>     ssize_t n = sizeof(uint32_t) + msg_len_in;
> -    uint8_t *buf = NULL;
>     ptm_res res;
>
>     WITH_QEMU_LOCK_GUARD(&tpm->mutex) {
> -        buf = g_alloca(n);
> +        g_autofree uint8_t *buf = g_malloc(n);
> +
>         memcpy(buf, &cmd_no, sizeof(cmd_no));
>         memcpy(buf + sizeof(cmd_no), msg, msg_len_in);
>
>

Re: [PATCH 3/4] tests/unit/test-char: Avoid using g_alloca()

[Philippe Mathieu-Daudé]

On 5/6/25 22:53, Pierrick Bouvier wrote:
> On 6/5/25 12:35 PM, Philippe Mathieu-Daudé wrote:
>> Do not use g_alloca(), simply allocate the CharBackend
>> structure on the stack.
>>
>> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
>> ---
>>   tests/unit/test-char.c | 3 +--
>>   1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/tests/unit/test-char.c b/tests/unit/test-char.c
>> index 60a843b79d9..f30a39f61ff 100644
>> --- a/tests/unit/test-char.c
>> +++ b/tests/unit/test-char.c
>> @@ -993,7 +993,7 @@ static void char_udp_test_internal(Chardev 
>> *reuse_chr, int sock)
>>       struct sockaddr_in other;
>>       SocketIdleData d = { 0, };
>>       Chardev *chr;
>> -    CharBackend *be;
>> +    CharBackend stack_be, *be = &stack_be;
>>       socklen_t alen = sizeof(other);
>>       int ret;
>>       char buf[10];
>> @@ -1009,7 +1009,6 @@ static void char_udp_test_internal(Chardev 
>> *reuse_chr, int sock)
>>           chr = qemu_chr_new("client", tmp, NULL);
>>           g_assert_nonnull(chr);
>> -        be = g_alloca(sizeof(CharBackend));
>>           qemu_chr_fe_init(be, chr, &error_abort);
>>       }
> 
> Would that be more simple to declare the variable, and use &be in the 
> function code?

More context (see reuse_chr ladder):

-- >8 --
@@ -991,45 +991,44 @@ static int make_udp_socket(int *port)
  static void char_udp_test_internal(Chardev *reuse_chr, int sock)
  {
      struct sockaddr_in other;
      SocketIdleData d = { 0, };
      Chardev *chr;
-    CharBackend *be;
+    CharBackend stack_be, *be = &stack_be;
      socklen_t alen = sizeof(other);
      int ret;
      char buf[10];
      char *tmp = NULL;

      if (reuse_chr) {
          chr = reuse_chr;
          be = chr->be;
      } else {
          int port;
          sock = make_udp_socket(&port);
          tmp = g_strdup_printf("udp:127.0.0.1:%d", port);
          chr = qemu_chr_new("client", tmp, NULL);
          g_assert_nonnull(chr);

-        be = g_alloca(sizeof(CharBackend));
          qemu_chr_fe_init(be, chr, &error_abort);
      }
---

Re: [PATCH 2/4] backends/tpmL Avoid using g_alloca()

[Philippe Mathieu-Daudé]

On 5/6/25 23:23, BALATON Zoltan wrote:
> On Thu, 5 Jun 2025, Philippe Mathieu-Daudé wrote:
>> tpm_emulator_ctrlcmd() is not in hot path.
>> Use the heap instead of the stack, removing
>> the g_alloca() call.
> 
> Typo in subject L -> :

Oops thanks, I hurt my ring finger and have it now tied with the
middle finger; typing like that is slower and makes me do a lot
of typos ;)

Re: [PATCH 2/4] backends/tpmL Avoid using g_alloca()

[Thomas Huth]

On 05/06/2025 21.35, Philippe Mathieu-Daudé wrote:
> tpm_emulator_ctrlcmd() is not in hot path.
> Use the heap instead of the stack, removing
> the g_alloca() call.
> 
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
> ---
>   backends/tpm/tpm_emulator.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/backends/tpm/tpm_emulator.c b/backends/tpm/tpm_emulator.c
> index 43d350e895d..4a234ab2c0b 100644
> --- a/backends/tpm/tpm_emulator.c
> +++ b/backends/tpm/tpm_emulator.c
> @@ -129,11 +129,11 @@ static int tpm_emulator_ctrlcmd(TPMEmulator *tpm, unsigned long cmd, void *msg,
>       CharBackend *dev = &tpm->ctrl_chr;
>       uint32_t cmd_no = cpu_to_be32(cmd);
>       ssize_t n = sizeof(uint32_t) + msg_len_in;
> -    uint8_t *buf = NULL;
>       ptm_res res;
>   
>       WITH_QEMU_LOCK_GUARD(&tpm->mutex) {
> -        buf = g_alloca(n);
> +        g_autofree uint8_t *buf = g_malloc(n);
> +
>           memcpy(buf, &cmd_no, sizeof(cmd_no));
>           memcpy(buf + sizeof(cmd_no), msg, msg_len_in);
>   

With the typo fixed:
Reviewed-by: Thomas Huth <thuth@redhat.com>

Re: [PATCH 0/4] system: Forbid alloca()

[Peter Maydell]

On Thu, 5 Jun 2025 at 20:35, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
> Eradicate alloca() uses on system code, then enable
> -Walloca to prevent new ones to creep back in.
>
> Philippe Mathieu-Daudé (4):
>   hw/gpio/pca9552: Avoid using g_newa()
>   backends/tpmL Avoid using g_alloca()
>   tests/unit/test-char: Avoid using g_alloca()
>   buildsys: Prohibit alloca() use on system code
>
>  meson.build                 | 4 ++++
>  backends/tpm/tpm_emulator.c | 4 ++--
>  hw/gpio/pca9552.c           | 2 +-
>  tests/unit/test-char.c      | 3 +--
>  4 files changed, 8 insertions(+), 5 deletions(-)

There is also a use of alloca() in target/ppc/kvm.c
in kvmppc_load_htab_chunk(), so I suspect that patch 4
here will break compilation on PPC hosts with KVM enabled.

thanks
-- PMM

Re: [PATCH 0/4] system: Forbid alloca()

[Alex Bennée]

Philippe Mathieu-Daudé <philmd@linaro.org> writes:

> Eradicate alloca() uses on system code, then enable
> -Walloca to prevent new ones to creep back in.

Should we also mention it in style.rst:

  Use of the ``malloc/free/realloc/calloc/valloc/memalign/posix_memalign``
  APIs is not allowed in the QEMU codebase. Instead of these routines,

>
> Philippe Mathieu-Daudé (4):
>   hw/gpio/pca9552: Avoid using g_newa()
>   backends/tpmL Avoid using g_alloca()
>   tests/unit/test-char: Avoid using g_alloca()
>   buildsys: Prohibit alloca() use on system code
>
>  meson.build                 | 4 ++++
>  backends/tpm/tpm_emulator.c | 4 ++--
>  hw/gpio/pca9552.c           | 2 +-
>  tests/unit/test-char.c      | 3 +--
>  4 files changed, 8 insertions(+), 5 deletions(-)

-- 
Alex Bennée
Virtualisation Tech Lead @ Linaro

Re: [PATCH 0/4] system: Forbid alloca()

[Philippe Mathieu-Daudé]

On 6/6/25 10:37, Peter Maydell wrote:
> On Thu, 5 Jun 2025 at 20:35, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>>
>> Eradicate alloca() uses on system code, then enable
>> -Walloca to prevent new ones to creep back in.
>>
>> Philippe Mathieu-Daudé (4):
>>    hw/gpio/pca9552: Avoid using g_newa()
>>    backends/tpmL Avoid using g_alloca()
>>    tests/unit/test-char: Avoid using g_alloca()
>>    buildsys: Prohibit alloca() use on system code
>>
>>   meson.build                 | 4 ++++
>>   backends/tpm/tpm_emulator.c | 4 ++--
>>   hw/gpio/pca9552.c           | 2 +-
>>   tests/unit/test-char.c      | 3 +--
>>   4 files changed, 8 insertions(+), 5 deletions(-)
> 
> There is also a use of alloca() in target/ppc/kvm.c
> in kvmppc_load_htab_chunk(), so I suspect that patch 4
> here will break compilation on PPC hosts with KVM enabled.

Oops sorry I missed that one :/

Re: [PATCH 3/4] tests/unit/test-char: Avoid using g_alloca()

[Pierrick Bouvier]

On 6/5/25 11:09 PM, Philippe Mathieu-Daudé wrote:
> On 5/6/25 22:53, Pierrick Bouvier wrote:
>> On 6/5/25 12:35 PM, Philippe Mathieu-Daudé wrote:
>>> Do not use g_alloca(), simply allocate the CharBackend
>>> structure on the stack.
>>>
>>> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
>>> ---
>>>    tests/unit/test-char.c | 3 +--
>>>    1 file changed, 1 insertion(+), 2 deletions(-)
>>>
>>> diff --git a/tests/unit/test-char.c b/tests/unit/test-char.c
>>> index 60a843b79d9..f30a39f61ff 100644
>>> --- a/tests/unit/test-char.c
>>> +++ b/tests/unit/test-char.c
>>> @@ -993,7 +993,7 @@ static void char_udp_test_internal(Chardev
>>> *reuse_chr, int sock)
>>>        struct sockaddr_in other;
>>>        SocketIdleData d = { 0, };
>>>        Chardev *chr;
>>> -    CharBackend *be;
>>> +    CharBackend stack_be, *be = &stack_be;
>>>        socklen_t alen = sizeof(other);
>>>        int ret;
>>>        char buf[10];
>>> @@ -1009,7 +1009,6 @@ static void char_udp_test_internal(Chardev
>>> *reuse_chr, int sock)
>>>            chr = qemu_chr_new("client", tmp, NULL);
>>>            g_assert_nonnull(chr);
>>> -        be = g_alloca(sizeof(CharBackend));
>>>            qemu_chr_fe_init(be, chr, &error_abort);
>>>        }
>>
>> Would that be more simple to declare the variable, and use &be in the
>> function code?
> 
> More context (see reuse_chr ladder):
> 
> -- >8 --
> @@ -991,45 +991,44 @@ static int make_udp_socket(int *port)
>    static void char_udp_test_internal(Chardev *reuse_chr, int sock)
>    {
>        struct sockaddr_in other;
>        SocketIdleData d = { 0, };
>        Chardev *chr;
> -    CharBackend *be;
> +    CharBackend stack_be, *be = &stack_be;
>        socklen_t alen = sizeof(other);
>        int ret;
>        char buf[10];
>        char *tmp = NULL;
> 
>        if (reuse_chr) {
>            chr = reuse_chr;
>            be = chr->be;
>        } else {
>            int port;
>            sock = make_udp_socket(&port);
>            tmp = g_strdup_printf("udp:127.0.0.1:%d", port);
>            chr = qemu_chr_new("client", tmp, NULL);
>            g_assert_nonnull(chr);
> 
> -        be = g_alloca(sizeof(CharBackend));
>            qemu_chr_fe_init(be, chr, &error_abort);
>        }
> ---

Ok!

Re: [PATCH 2/4] backends/tpmL Avoid using g_alloca()

[Stefan Berger]

On 6/5/25 3:35 PM, Philippe Mathieu-Daudé wrote:
> tpm_emulator_ctrlcmd() is not in hot path.
> Use the heap instead of the stack, removing
> the g_alloca() call.
> 
> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

> ---
>   backends/tpm/tpm_emulator.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/backends/tpm/tpm_emulator.c b/backends/tpm/tpm_emulator.c
> index 43d350e895d..4a234ab2c0b 100644
> --- a/backends/tpm/tpm_emulator.c
> +++ b/backends/tpm/tpm_emulator.c
> @@ -129,11 +129,11 @@ static int tpm_emulator_ctrlcmd(TPMEmulator *tpm, unsigned long cmd, void *msg,
>       CharBackend *dev = &tpm->ctrl_chr;
>       uint32_t cmd_no = cpu_to_be32(cmd);
>       ssize_t n = sizeof(uint32_t) + msg_len_in;
> -    uint8_t *buf = NULL;
>       ptm_res res;
>   
>       WITH_QEMU_LOCK_GUARD(&tpm->mutex) {
> -        buf = g_alloca(n);
> +        g_autofree uint8_t *buf = g_malloc(n);
> +
>           memcpy(buf, &cmd_no, sizeof(cmd_no));
>           memcpy(buf + sizeof(cmd_no), msg, msg_len_in);
>   

Re: [PATCH 2/4] backends/tpmL Avoid using g_alloca()

[Stefan Berger]

On 6/6/25 4:14 AM, Thomas Huth wrote:
> On 05/06/2025 21.35, Philippe Mathieu-Daudé wrote:
>> tpm_emulator_ctrlcmd() is not in hot path.
>> Use the heap instead of the stack, removing
>> the g_alloca() call.
>>
>> Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
>> ---
>>   backends/tpm/tpm_emulator.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/backends/tpm/tpm_emulator.c b/backends/tpm/tpm_emulator.c
>> index 43d350e895d..4a234ab2c0b 100644
>> --- a/backends/tpm/tpm_emulator.c
>> +++ b/backends/tpm/tpm_emulator.c
>> @@ -129,11 +129,11 @@ static int tpm_emulator_ctrlcmd(TPMEmulator 
>> *tpm, unsigned long cmd, void *msg,
>>       CharBackend *dev = &tpm->ctrl_chr;
>>       uint32_t cmd_no = cpu_to_be32(cmd);
>>       ssize_t n = sizeof(uint32_t) + msg_len_in;
>> -    uint8_t *buf = NULL;
>>       ptm_res res;
>>       WITH_QEMU_LOCK_GUARD(&tpm->mutex) {
>> -        buf = g_alloca(n);
>> +        g_autofree uint8_t *buf = g_malloc(n);
>> +
>>           memcpy(buf, &cmd_no, sizeof(cmd_no));
>>           memcpy(buf + sizeof(cmd_no), msg, msg_len_in);
> 
> With the typo fixed:
> Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

> 
> 

Re: [PATCH 0/4] system: Forbid alloca()

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 729 bytes --]

On Thu, Jun 05, 2025 at 09:35:36PM +0200, Philippe Mathieu-Daudé wrote:
> Eradicate alloca() uses on system code, then enable
> -Walloca to prevent new ones to creep back in.
> 
> Philippe Mathieu-Daudé (4):
>   hw/gpio/pca9552: Avoid using g_newa()
>   backends/tpmL Avoid using g_alloca()
>   tests/unit/test-char: Avoid using g_alloca()
>   buildsys: Prohibit alloca() use on system code
> 
>  meson.build                 | 4 ++++
>  backends/tpm/tpm_emulator.c | 4 ++--
>  hw/gpio/pca9552.c           | 2 +-
>  tests/unit/test-char.c      | 3 +--
>  4 files changed, 8 insertions(+), 5 deletions(-)

Modulo the comments that have already been discussed:

Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [PATCH 0/4] system: Forbid alloca()

[Philippe Mathieu-Daudé]

On 5/6/25 21:35, Philippe Mathieu-Daudé wrote:
> Eradicate alloca() uses on system code, then enable
> -Walloca to prevent new ones to creep back in.
> 
> Philippe Mathieu-Daudé (4):
>    hw/gpio/pca9552: Avoid using g_newa()
>    backends/tpmL Avoid using g_alloca()
>    tests/unit/test-char: Avoid using g_alloca()

Patches 1-3 queued.