* [Qemu-devel] [PATCH] spapr: fix write-past-end-of-array error in cpu core device init code @ 2016-06-27 16:28 Greg Kurz 2016-06-28 2:55 ` David Gibson 0 siblings, 1 reply; 5+ messages in thread From: Greg Kurz @ 2016-06-27 16:28 UTC (permalink / raw) To: David Gibson; +Cc: qemu-devel, qemu-ppc, Alexander Graf, bharata This fixes a potential QEMU crash introduced by commit 3b542549661. Signed-off-by: Greg Kurz <groug@kaod.org> --- hw/ppc/spapr_cpu_core.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c index 3a5da09b9902..8b802a6fcf0b 100644 --- a/hw/ppc/spapr_cpu_core.c +++ b/hw/ppc/spapr_cpu_core.c @@ -309,10 +309,9 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp) } err: - while (i >= 0) { + while (--i >= 0) { obj = sc->threads + i * size; object_unparent(obj); - i--; } g_free(sc->threads); error_propagate(errp, local_err); ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] spapr: fix write-past-end-of-array error in cpu core device init code 2016-06-27 16:28 [Qemu-devel] [PATCH] spapr: fix write-past-end-of-array error in cpu core device init code Greg Kurz @ 2016-06-28 2:55 ` David Gibson 2016-06-28 5:24 ` Greg Kurz 0 siblings, 1 reply; 5+ messages in thread From: David Gibson @ 2016-06-28 2:55 UTC (permalink / raw) To: Greg Kurz; +Cc: qemu-devel, qemu-ppc, Alexander Graf, bharata [-- Attachment #1: Type: text/plain, Size: 1207 bytes --] On Mon, Jun 27, 2016 at 06:28:15PM +0200, Greg Kurz wrote: > This fixes a potential QEMU crash introduced by commit 3b542549661. > > Signed-off-by: Greg Kurz <groug@kaod.org> > --- > hw/ppc/spapr_cpu_core.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) Ugh. The existing code is wrong in the case where the failure happens after the loop. But this version is wrong in the case it happens during the loop - it will fail to clean up the last object created. > diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c > index 3a5da09b9902..8b802a6fcf0b 100644 > --- a/hw/ppc/spapr_cpu_core.c > +++ b/hw/ppc/spapr_cpu_core.c > @@ -309,10 +309,9 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp) > } > > err: > - while (i >= 0) { > + while (--i >= 0) { > obj = sc->threads + i * size; > object_unparent(obj); > - i--; > } > g_free(sc->threads); > error_propagate(errp, local_err); > -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] spapr: fix write-past-end-of-array error in cpu core device init code 2016-06-28 2:55 ` David Gibson @ 2016-06-28 5:24 ` Greg Kurz 2016-06-28 6:24 ` David Gibson 0 siblings, 1 reply; 5+ messages in thread From: Greg Kurz @ 2016-06-28 5:24 UTC (permalink / raw) To: David Gibson; +Cc: qemu-devel, qemu-ppc, Alexander Graf, bharata [-- Attachment #1: Type: text/plain, Size: 1498 bytes --] On Tue, 28 Jun 2016 12:55:07 +1000 David Gibson <david@gibson.dropbear.id.au> wrote: > On Mon, Jun 27, 2016 at 06:28:15PM +0200, Greg Kurz wrote: > > This fixes a potential QEMU crash introduced by commit 3b542549661. > > > > Signed-off-by: Greg Kurz <groug@kaod.org> > > --- > > hw/ppc/spapr_cpu_core.c | 3 +-- > > 1 file changed, 1 insertion(+), 2 deletions(-) > > Ugh. The existing code is wrong in the case where the failure happens > after the loop. > > But this version is wrong in the case it happens during the loop - it > will fail to clean up the last object created. > Hmm... unless I'm missing something, if object_property_add_child() fails to add object i, we don't want to unparent it, and we should start rollback at index i-1. Another weirdness is that I see no rollback for the object_child_foreach() loop: in case of failure, we will unparent realized objects... is it okay ? > > diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c > > index 3a5da09b9902..8b802a6fcf0b 100644 > > --- a/hw/ppc/spapr_cpu_core.c > > +++ b/hw/ppc/spapr_cpu_core.c > > @@ -309,10 +309,9 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp) > > } > > > > err: > > - while (i >= 0) { > > + while (--i >= 0) { > > obj = sc->threads + i * size; > > object_unparent(obj); > > - i--; > > } > > g_free(sc->threads); > > error_propagate(errp, local_err); > > > [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 181 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] spapr: fix write-past-end-of-array error in cpu core device init code 2016-06-28 5:24 ` Greg Kurz @ 2016-06-28 6:24 ` David Gibson 2016-06-28 8:00 ` Bharata B Rao 0 siblings, 1 reply; 5+ messages in thread From: David Gibson @ 2016-06-28 6:24 UTC (permalink / raw) To: Greg Kurz; +Cc: qemu-devel, qemu-ppc, Alexander Graf, bharata [-- Attachment #1: Type: text/plain, Size: 1942 bytes --] On Tue, Jun 28, 2016 at 07:24:16AM +0200, Greg Kurz wrote: > On Tue, 28 Jun 2016 12:55:07 +1000 > David Gibson <david@gibson.dropbear.id.au> wrote: > > > On Mon, Jun 27, 2016 at 06:28:15PM +0200, Greg Kurz wrote: > > > This fixes a potential QEMU crash introduced by commit 3b542549661. > > > > > > Signed-off-by: Greg Kurz <groug@kaod.org> > > > --- > > > hw/ppc/spapr_cpu_core.c | 3 +-- > > > 1 file changed, 1 insertion(+), 2 deletions(-) > > > > Ugh. The existing code is wrong in the case where the failure happens > > after the loop. > > > > But this version is wrong in the case it happens during the loop - it > > will fail to clean up the last object created. > > > > Hmm... unless I'm missing something, if object_property_add_child() fails to > add object i, we don't want to unparent it, and we should start rollback > at index i-1. Good point, my mistake. I'll apply this fix. > > Another weirdness is that I see no rollback for the object_child_foreach() > loop: in case of failure, we will unparent realized objects... is it > okay ? Um.. I have no idea. Bharata? Alex? > > > > diff --git a/hw/ppc/spapr_cpu_core.c b/hw/ppc/spapr_cpu_core.c > > > index 3a5da09b9902..8b802a6fcf0b 100644 > > > --- a/hw/ppc/spapr_cpu_core.c > > > +++ b/hw/ppc/spapr_cpu_core.c > > > @@ -309,10 +309,9 @@ static void spapr_cpu_core_realize(DeviceState *dev, Error **errp) > > > } > > > > > > err: > > > - while (i >= 0) { > > > + while (--i >= 0) { > > > obj = sc->threads + i * size; > > > object_unparent(obj); > > > - i--; > > > } > > > g_free(sc->threads); > > > error_propagate(errp, local_err); > > > > > > -- David Gibson | I'll have my music baroque, and my code david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_ | _way_ _around_! http://www.ozlabs.org/~dgibson [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PATCH] spapr: fix write-past-end-of-array error in cpu core device init code 2016-06-28 6:24 ` David Gibson @ 2016-06-28 8:00 ` Bharata B Rao 0 siblings, 0 replies; 5+ messages in thread From: Bharata B Rao @ 2016-06-28 8:00 UTC (permalink / raw) To: David Gibson; +Cc: Greg Kurz, qemu-devel, qemu-ppc, Alexander Graf On Tue, Jun 28, 2016 at 04:24:22PM +1000, David Gibson wrote: > On Tue, Jun 28, 2016 at 07:24:16AM +0200, Greg Kurz wrote: > > On Tue, 28 Jun 2016 12:55:07 +1000 > > David Gibson <david@gibson.dropbear.id.au> wrote: > > > > > On Mon, Jun 27, 2016 at 06:28:15PM +0200, Greg Kurz wrote: > > > > This fixes a potential QEMU crash introduced by commit 3b542549661. > > > > > > > > Signed-off-by: Greg Kurz <groug@kaod.org> > > > > --- > > > > hw/ppc/spapr_cpu_core.c | 3 +-- > > > > 1 file changed, 1 insertion(+), 2 deletions(-) > > > > > > Ugh. The existing code is wrong in the case where the failure happens > > > after the loop. > > > > > > But this version is wrong in the case it happens during the loop - it > > > will fail to clean up the last object created. > > > > > > > Hmm... unless I'm missing something, if object_property_add_child() fails to > > add object i, we don't want to unparent it, and we should start rollback > > at index i-1. > > Good point, my mistake. I'll apply this fix. > > > > > Another weirdness is that I see no rollback for the object_child_foreach() > > loop: in case of failure, we will unparent realized objects... is it > > okay ? > > Um.. I have no idea. Bharata? Alex? This is similar to how device_add code recovers when there is failure during realize. So I think object_unparent() should be fine. Only other thing I need to verify is whether an additional object_unref() is needed after unparenting. Regards, Bharata. ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-06-28 8:01 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-06-27 16:28 [Qemu-devel] [PATCH] spapr: fix write-past-end-of-array error in cpu core device init code Greg Kurz 2016-06-28 2:55 ` David Gibson 2016-06-28 5:24 ` Greg Kurz 2016-06-28 6:24 ` David Gibson 2016-06-28 8:00 ` Bharata B Rao
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).