* [Qemu-devel] [PULL 0/5] Trivial patches for 2 to 7 November 2011
From: Stefan Hajnoczi @ 2011-11-07 9:26 UTC (permalink / raw)
To: qemu-devel; +Cc: Anthony Liguori, Stefan Hajnoczi
Anthony: These patches fix bugs and are small. I think we should consider
including them in 1.0.
The following changes since commit 932eacc158c064935c7bab920c88a93a629e1ca4:
Merge branch 'xtensa' of git://jcmvbkbc.spb.ru/dumb/qemu-xtensa (2011-11-02 20:52:23 +0000)
are available in the git repository at:
ssh://repo.or.cz/srv/git/qemu/stefanha.git trivial-patches
Anthony PERARD (1):
xen-platform: Fix IO port read/write functions
Markus Armbruster (1):
readline: Fix buffer overrun on re-add to history
Pavel Borzenkov (3):
cmd: Fix coding style in cmd.c
cmd: Fix potential NULL pointer dereference
cmd: Fix potential memory leak
cmd.c | 168 ++++++++++++++++++++++++++---------------------------
hw/xen_platform.c | 18 +++---
readline.c | 2 +-
3 files changed, 92 insertions(+), 96 deletions(-)
--
1.7.7.1
* [Qemu-devel] [PATCH 1/5] cmd: Fix coding style in cmd.c
From: Stefan Hajnoczi @ 2011-11-07 9:26 UTC (permalink / raw)
To: qemu-devel; +Cc: Anthony Liguori, Stefan Hajnoczi, Pavel Borzenkov
From: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Before the next patches, fix coding style of the affected functions.
Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
---
cmd.c | 168 ++++++++++++++++++++++++++++++++---------------------------------
1 files changed, 82 insertions(+), 86 deletions(-)
diff --git a/cmd.c b/cmd.c
index f77897e..a6e3ef4 100644
--- a/cmd.c
+++ b/cmd.c
@@ -45,13 +45,11 @@ compare(const void *a, const void *b)
((const cmdinfo_t *)b)->name);
}
-void
-add_command(
- const cmdinfo_t *ci)
+void add_command(const cmdinfo_t *ci)
{
- cmdtab = realloc((void *)cmdtab, ++ncmds * sizeof(*cmdtab));
- cmdtab[ncmds - 1] = *ci;
- qsort(cmdtab, ncmds, sizeof(*cmdtab), compare);
+ cmdtab = realloc((void *)cmdtab, ++ncmds * sizeof(*cmdtab));
+ cmdtab[ncmds - 1] = *ci;
+ qsort(cmdtab, ncmds, sizeof(*cmdtab), compare);
}
static int
@@ -122,16 +120,15 @@ find_command(
return NULL;
}
-void
-add_user_command(char *optarg)
+void add_user_command(char *optarg)
{
- ncmdline++;
- cmdline = realloc(cmdline, sizeof(char*) * (ncmdline));
- if (!cmdline) {
- perror("realloc");
- exit(1);
- }
- cmdline[ncmdline-1] = optarg;
+ ncmdline++;
+ cmdline = realloc(cmdline, ncmdline * sizeof(char *));
+ if (!cmdline) {
+ perror("realloc");
+ exit(1);
+ }
+ cmdline[ncmdline-1] = optarg;
}
static int
@@ -160,45 +157,44 @@ static void prep_fetchline(void *opaque)
static char *get_prompt(void);
-void
-command_loop(void)
+void command_loop(void)
{
- int c, i, j = 0, done = 0, fetchable = 0, prompted = 0;
- char *input;
- char **v;
- const cmdinfo_t *ct;
-
- for (i = 0; !done && i < ncmdline; i++) {
- input = strdup(cmdline[i]);
- if (!input) {
- fprintf(stderr,
- _("cannot strdup command '%s': %s\n"),
- cmdline[i], strerror(errno));
- exit(1);
- }
- v = breakline(input, &c);
- if (c) {
- ct = find_command(v[0]);
- if (ct) {
- if (ct->flags & CMD_FLAG_GLOBAL)
- done = command(ct, c, v);
- else {
- j = 0;
- while (!done && (j = args_command(j)))
- done = command(ct, c, v);
- }
- } else
- fprintf(stderr, _("command \"%s\" not found\n"),
- v[0]);
- }
- doneline(input, v);
- }
- if (cmdline) {
- free(cmdline);
- return;
+ int c, i, j = 0, done = 0, fetchable = 0, prompted = 0;
+ char *input;
+ char **v;
+ const cmdinfo_t *ct;
+
+ for (i = 0; !done && i < ncmdline; i++) {
+ input = strdup(cmdline[i]);
+ if (!input) {
+ fprintf(stderr, _("cannot strdup command '%s': %s\n"),
+ cmdline[i], strerror(errno));
+ exit(1);
+ }
+ v = breakline(input, &c);
+ if (c) {
+ ct = find_command(v[0]);
+ if (ct) {
+ if (ct->flags & CMD_FLAG_GLOBAL) {
+ done = command(ct, c, v);
+ } else {
+ j = 0;
+ while (!done && (j = args_command(j))) {
+ done = command(ct, c, v);
+ }
+ }
+ } else {
+ fprintf(stderr, _("command \"%s\" not found\n"), v[0]);
+ }
}
+ doneline(input, v);
+ }
+ if (cmdline) {
+ free(cmdline);
+ return;
+ }
- while (!done) {
+ while (!done) {
if (!prompted) {
printf("%s", get_prompt());
fflush(stdout);
@@ -212,22 +208,24 @@ command_loop(void)
if (!fetchable) {
continue;
}
- if ((input = fetchline()) == NULL)
- break;
- v = breakline(input, &c);
- if (c) {
- ct = find_command(v[0]);
- if (ct)
- done = command(ct, c, v);
- else
- fprintf(stderr, _("command \"%s\" not found\n"),
- v[0]);
- }
- doneline(input, v);
+ input = fetchline();
+ if (input == NULL) {
+ break;
+ }
+ v = breakline(input, &c);
+ if (c) {
+ ct = find_command(v[0]);
+ if (ct) {
+ done = command(ct, c, v);
+ } else {
+ fprintf(stderr, _("command \"%s\" not found\n"), v[0]);
+ }
+ }
+ doneline(input, v);
prompted = 0;
fetchable = 0;
- }
+ }
qemu_aio_set_fd_handler(STDIN_FILENO, NULL, NULL, NULL, NULL, NULL);
}
@@ -331,29 +329,27 @@ static char *qemu_strsep(char **input, const char *delim)
return result;
}
-char **
-breakline(
- char *input,
- int *count)
+char **breakline(char *input, int *count)
{
- int c = 0;
- char *p;
- char **rval = calloc(sizeof(char *), 1);
-
- while (rval && (p = qemu_strsep(&input, " ")) != NULL) {
- if (!*p)
- continue;
- c++;
- rval = realloc(rval, sizeof(*rval) * (c + 1));
- if (!rval) {
- c = 0;
- break;
- }
- rval[c - 1] = p;
- rval[c] = NULL;
- }
- *count = c;
- return rval;
+ int c = 0;
+ char *p;
+ char **rval = calloc(sizeof(char *), 1);
+
+ while (rval && (p = qemu_strsep(&input, " ")) != NULL) {
+ if (!*p) {
+ continue;
+ }
+ c++;
+ rval = realloc(rval, sizeof(*rval) * (c + 1));
+ if (!rval) {
+ c = 0;
+ break;
+ }
+ rval[c - 1] = p;
+ rval[c] = NULL;
+ }
+ *count = c;
+ return rval;
}
void
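Review bot: In the restyled breakline(), `calloc(sizeof(char *), 1)` still passes the element size as the count and the count as the size. Since this patch rewrites the line for style anyway, `char **rval = calloc(1, sizeof(*rval));` would match the calloc(nmemb, size) prototype and the `sizeof(*rval)` form already used in the realloc() a few lines below. The allocation is the same either way, so this is about readability and about compilers that warn on transposed calloc arguments.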
--
1.7.7.1
* [Qemu-devel] [PATCH 2/5] cmd: Fix potential NULL pointer dereference
From: Stefan Hajnoczi @ 2011-11-07 9:26 UTC (permalink / raw)
To: qemu-devel; +Cc: Anthony Liguori, Stefan Hajnoczi, Pavel Borzenkov
From: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
---
cmd.c | 11 +++--------
1 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/cmd.c b/cmd.c
index a6e3ef4..75415d8 100644
--- a/cmd.c
+++ b/cmd.c
@@ -47,7 +47,7 @@ compare(const void *a, const void *b)
void add_command(const cmdinfo_t *ci)
{
- cmdtab = realloc((void *)cmdtab, ++ncmds * sizeof(*cmdtab));
+ cmdtab = g_realloc((void *)cmdtab, ++ncmds * sizeof(*cmdtab));
cmdtab[ncmds - 1] = *ci;
qsort(cmdtab, ncmds, sizeof(*cmdtab), compare);
}
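Review bot: The size passed to g_realloc() in add_command() is still an open-coded `++ncmds * sizeof(*cmdtab)`, so nothing checks the multiplication, and the `(void *)` cast is carried over although g_realloc() accepts any object pointer. `cmdtab = g_renew(cmdinfo_t, cmdtab, ++ncmds);` keeps the abort-on-failure behaviour this patch relies on and adds GLib's overflow check on the element count. The same form fits add_user_command() in the next hunk: `cmdline = g_renew(char *, cmdline, ++ncmdline);`. The declarations of cmdtab, ncmds and ncmdline are outside the hunks, so the element types here are inferred from how the arrays are used.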
@@ -122,12 +122,7 @@ find_command(
void add_user_command(char *optarg)
{
- ncmdline++;
- cmdline = realloc(cmdline, ncmdline * sizeof(char *));
- if (!cmdline) {
- perror("realloc");
- exit(1);
- }
+ cmdline = g_realloc(cmdline, ++ncmdline * sizeof(char *));
cmdline[ncmdline-1] = optarg;
}
@@ -190,7 +185,7 @@ void command_loop(void)
doneline(input, v);
}
if (cmdline) {
- free(cmdline);
+ g_free(cmdline);
return;
}
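Review bot: After `g_free(cmdline)` the pointer and `ncmdline` keep their old values, so a second call to command_loop() would index `cmdline[i]` into freed memory in the `for` loop at the top of the function. Whether command_loop() can be entered more than once is not visible here, but resetting both is cheap: `cmdline = NULL; ncmdline = 0;` right after the g_free(). The function starts before and continues after this hunk.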
--
1.7.7.1
* [Qemu-devel] [PATCH 3/5] cmd: Fix potential memory leak
From: Stefan Hajnoczi @ 2011-11-07 9:26 UTC (permalink / raw)
To: qemu-devel; +Cc: Anthony Liguori, Stefan Hajnoczi, Pavel Borzenkov
From: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: Pavel Borzenkov <pavel.borzenkov@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
---
cmd.c | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/cmd.c b/cmd.c
index 75415d8..0806e18 100644
--- a/cmd.c
+++ b/cmd.c
@@ -329,16 +329,21 @@ char **breakline(char *input, int *count)
int c = 0;
char *p;
char **rval = calloc(sizeof(char *), 1);
+ char **tmp;
while (rval && (p = qemu_strsep(&input, " ")) != NULL) {
if (!*p) {
continue;
}
c++;
- rval = realloc(rval, sizeof(*rval) * (c + 1));
- if (!rval) {
+ tmp = realloc(rval, sizeof(*rval) * (c + 1));
+ if (!tmp) {
+ free(rval);
+ rval = NULL;
c = 0;
break;
+ } else {
+ rval = tmp;
}
rval[c - 1] = p;
rval[c] = NULL;
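Review bot: The `else { rval = tmp; }` arm is redundant because the failure arm ends in `break`; a plain `rval = tmp;` after the `if` block reads more directly. A one-line comment above `free(rval)` would also help, for example `/* realloc() leaves the old block allocated on failure */`, since the commit message does not say where the leak was. This function stays on calloc/realloc/free while the previous patch in the series moved cmd.c's other arrays to g_realloc/g_free; if that is deliberate because callers release the vector with free(), it is worth stating in a comment. breakline() begins before and ends after this hunk.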
--
1.7.7.1
* [Qemu-devel] [PATCH 4/5] readline: Fix buffer overrun on re-add to history
From: Stefan Hajnoczi @ 2011-11-07 9:26 UTC (permalink / raw)
To: qemu-devel; +Cc: Anthony Liguori, Markus Armbruster, Stefan Hajnoczi
From: Markus Armbruster <armbru@redhat.com>
readline_hist_add() moves the history entry to the end of history. It
uses memmove() to move rs->history[idx + 1..] to rs->history[idx..].
However, its size argument is off by two array elements, so it writes
one element beyond rs->history[], and reads two.
On my system, this clobbers rs->hist_entry and the hole right after
it. Since the function assigns to rs->hist_entry in time, the bug has
no ill effects for me.
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
---
readline.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/readline.c b/readline.c
index 6a3160a..a6c0039 100644
--- a/readline.c
+++ b/readline.c
@@ -236,7 +236,7 @@ static void readline_hist_add(ReadLineState *rs, const char *cmdline)
new_entry = hist_entry;
/* Put this entry at the end of history */
memmove(&rs->history[idx], &rs->history[idx + 1],
- (READLINE_MAX_CMDS - idx + 1) * sizeof(char *));
+ (READLINE_MAX_CMDS - (idx + 1)) * sizeof(char *));
rs->history[READLINE_MAX_CMDS - 1] = NULL;
for (; idx < READLINE_MAX_CMDS; idx++) {
if (rs->history[idx] == NULL)
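Review bot: The corrected count `(READLINE_MAX_CMDS - (idx + 1))` is only in bounds while `idx < READLINE_MAX_CMDS`, and that bound is established outside this hunk; if idx could ever equal the limit, the expression would presumably go negative and turn into a very large size once multiplied by `sizeof`. A short comment stating the intent, such as `/* shift history[idx + 1 .. READLINE_MAX_CMDS - 1] down one slot */`, would keep the arithmetic from drifting again. Writing the element size as `sizeof(rs->history[0])` would also tie it to the array rather than repeating `char *`.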
--
1.7.7.1
* [Qemu-devel] [PATCH 5/5] xen-platform: Fix IO port read/write functions
From: Stefan Hajnoczi @ 2011-11-07 9:27 UTC (permalink / raw)
To: qemu-devel; +Cc: Anthony PERARD, Anthony Liguori, Stefan Hajnoczi
From: Anthony PERARD <anthony.perard@citrix.com>
Somehow, the read/write functions handle an offset that does not exist anymore.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
---
hw/xen_platform.c | 18 +++++++++---------
1 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/hw/xen_platform.c b/hw/xen_platform.c
index 6e3ba8b..5e792f5 100644
--- a/hw/xen_platform.c
+++ b/hw/xen_platform.c
@@ -113,7 +113,7 @@ static void platform_fixed_ioport_writew(void *opaque, uint32_t addr, uint32_t v
{
PCIXenPlatformState *s = opaque;
- switch (addr - XEN_PLATFORM_IOPORT) {
+ switch (addr) {
case 0:
/* Unplug devices. Value is a bitmask of which devices to
unplug, with bit 0 the IDE devices, bit 1 the network
@@ -152,7 +152,7 @@ static void platform_fixed_ioport_writew(void *opaque, uint32_t addr, uint32_t v
static void platform_fixed_ioport_writel(void *opaque, uint32_t addr,
uint32_t val)
{
- switch (addr - XEN_PLATFORM_IOPORT) {
+ switch (addr) {
case 0:
/* PV driver version */
break;
@@ -163,7 +163,7 @@ static void platform_fixed_ioport_writeb(void *opaque, uint32_t addr, uint32_t v
{
PCIXenPlatformState *s = opaque;
- switch (addr - XEN_PLATFORM_IOPORT) {
+ switch (addr) {
case 0: /* Platform flags */ {
hvmmem_type_t mem_type = (val & PFFLAG_ROM_LOCK) ?
HVMMEM_ram_ro : HVMMEM_ram_rw;
@@ -186,7 +186,7 @@ static uint32_t platform_fixed_ioport_readw(void *opaque, uint32_t addr)
{
PCIXenPlatformState *s = opaque;
- switch (addr - XEN_PLATFORM_IOPORT) {
+ switch (addr) {
case 0:
if (s->drivers_blacklisted) {
/* The drivers will recognise this magic number and refuse
@@ -205,7 +205,7 @@ static uint32_t platform_fixed_ioport_readb(void *opaque, uint32_t addr)
{
PCIXenPlatformState *s = opaque;
- switch (addr - XEN_PLATFORM_IOPORT) {
+ switch (addr) {
case 0:
/* Platform flags */
return s->flags;
@@ -221,7 +221,7 @@ static void platform_fixed_ioport_reset(void *opaque)
{
PCIXenPlatformState *s = opaque;
- platform_fixed_ioport_writeb(s, XEN_PLATFORM_IOPORT, 0);
+ platform_fixed_ioport_writeb(s, 0, 0);
}
const MemoryRegionPortio xen_platform_ioport[] = {
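Review bot: The callers now pass a bare `0` as the port offset: `platform_fixed_ioport_writeb(s, 0, 0)` here, and the same literal in xen_platform_ioport_readb(), xen_platform_ioport_writeb() and xen_platform_post_load() in the later hunks. In this call the first 0 is an address and the second a value, which is easy to misread. A named constant for the platform-flags offset, or at least a comment such as `/* offset 0: platform flags */`, would make the intent explicit. The switch statements changed in the earlier hunks now assume `addr` is relative to the region base. Their default arms are not visible, so it cannot be confirmed from here how an access that still arrives with the absolute port number is handled.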
@@ -251,7 +251,7 @@ static void platform_fixed_ioport_init(PCIXenPlatformState* s)
static uint32_t xen_platform_ioport_readb(void *opaque, uint32_t addr)
{
if (addr == 0) {
- return platform_fixed_ioport_readb(opaque, XEN_PLATFORM_IOPORT);
+ return platform_fixed_ioport_readb(opaque, 0);
} else {
return ~0u;
}
@@ -263,7 +263,7 @@ static void xen_platform_ioport_writeb(void *opaque, uint32_t addr, uint32_t val
switch (addr) {
case 0: /* Platform flags */
- platform_fixed_ioport_writeb(opaque, XEN_PLATFORM_IOPORT, val);
+ platform_fixed_ioport_writeb(opaque, 0, val);
break;
case 8:
log_writeb(s, val);
@@ -321,7 +321,7 @@ static int xen_platform_post_load(void *opaque, int version_id)
{
PCIXenPlatformState *s = opaque;
- platform_fixed_ioport_writeb(s, XEN_PLATFORM_IOPORT, s->flags);
+ platform_fixed_ioport_writeb(s, 0, s->flags);
return 0;
}
--
1.7.7.1