From: Wei Yang <richardw.yang@linux.intel.com>
To: Stephen Checkoway <stephen.checkoway@oberlin.edu>
Cc: qemu-devel@nongnu.org, qemu-trivial@nongnu.org,
	Kevin Wolf <kwolf@redhat.com>,
	"open list:Block layer core" <qemu-block@nongnu.org>,
	Max Reitz <mreitz@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] block/pflash_cfi02: Fix memory leak and potential use-after-free
Date: Wed, 20 Feb 2019 14:40:34 +0800
Message-ID: <20190220064034.GB28876@richard>
In-Reply-To: <20190219153727.62279-1-stephen.checkoway@oberlin.edu>

On Tue, Feb 19, 2019 at 10:37:27AM -0500, Stephen Checkoway wrote:
>Don't dynamically allocate the pflash's timer. But do use timer_del in
>an unrealize function to make sure that the timer can't fire after the
>pflash_t has been freed.
>
>Signed-off-by: Stephen Checkoway <stephen.checkoway@oberlin.edu>

Reviewed-by: Wei Yang <richardw.yang@linux.intel.com>

>---
> hw/block/pflash_cfi02.c | 15 +++++++++++----
> 1 file changed, 11 insertions(+), 4 deletions(-)
>
>diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c
>index 0f8b7b8c7b..1588aeff5a 100644
>--- a/hw/block/pflash_cfi02.c
>+++ b/hw/block/pflash_cfi02.c
>@@ -84,7 +84,7 @@ struct pflash_t {
>     uint16_t unlock_addr0;
>     uint16_t unlock_addr1;
>     uint8_t cfi_table[0x52];
>-    QEMUTimer *timer;
>+    QEMUTimer timer;
>     /* The device replicates the flash memory across its memory space.  Emulate
>      * that by having a container (.mem) filled with an array of aliases
>      * (.mem_mappings) pointing to the flash memory (.orig_mem).
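Review bot: turning `QEMUTimer *timer` into an embedded `QEMUTimer timer` in `struct pflash_t` means every remaining use of `pfl->timer` in the file has to become `&pfl->timer`; the diff covers the two `timer_mod()` call sites and the realize initialisation, and any use it missed would now fail to compile rather than misbehave silently, so a clean build of hw/block/pflash_cfi02.c is the check worth stating in the cover text. The change also grows `pflash_t` by `sizeof(QEMUTimer)`, which is fine for a sysbus device allocated once per board.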
>@@ -429,7 +429,7 @@ static void pflash_write (pflash_t *pfl, hwaddr offset,
>             }
>             pfl->status = 0x00;
>             /* Let's wait 5 seconds before chip erase is done */
>-            timer_mod(pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
>+            timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
>                       (NANOSECONDS_PER_SECOND * 5));
>             break;
>         case 0x30:
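Review bot: `timer_mod(&pfl->timer, ...)` now depends on `timer_init_ns()` having already run in realize; that holds because the MMIO region is only registered in realize and the guest cannot reach `pflash_write()` before it is mapped. This is also the timer the new unrealize hook has to cancel: a guest can issue the chip-erase command, leaving a 5 s pending timer, and have the device torn down before it fires.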
>@@ -444,7 +444,7 @@ static void pflash_write (pflash_t *pfl, hwaddr offset,
>             }
>             pfl->status = 0x00;
>             /* Let's wait 1/2 second before sector erase is done */
>-            timer_mod(pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
>+            timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
>                       (NANOSECONDS_PER_SECOND / 2));
>             break;
>         default:
>@@ -596,7 +596,7 @@ static void pflash_cfi02_realize(DeviceState *dev, Error **errp)
>     pfl->rom_mode = 1;
>     sysbus_init_mmio(SYS_BUS_DEVICE(dev), &pfl->mem);
> 
>-    pfl->timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, pflash_timer, pfl);
>+    timer_init_ns(&pfl->timer, QEMU_CLOCK_VIRTUAL, pflash_timer, pfl);
>     pfl->wcycle = 0;
>     pfl->cmd = 0;
>     pfl->status = 0;
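Review bot: replacing `timer_new_ns()` with `timer_init_ns()` on the embedded timer is what closes the leak in the subject line, since the old heap timer was never freed and no `timer_free()` is removed here; worth a sentence in the commit message, which only mentions the allocation change. The initialisation sits after `sysbus_init_mmio()`, which is safe because the region is not mapped yet, but moving the `timer_init_ns()` line above the MMIO setup would make the "timer is ready before the guest can write" ordering obvious to the next reader.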
>@@ -695,11 +695,18 @@ static Property pflash_cfi02_properties[] = {
>     DEFINE_PROP_END_OF_LIST(),
> };
> 
>+static void pflash_cfi02_unrealize(DeviceState *dev, Error **errp)
>+{
>+    pflash_t *pfl = CFI_PFLASH02(dev);
>+    timer_del(&pfl->timer);
>+}
>+
> static void pflash_cfi02_class_init(ObjectClass *klass, void *data)
> {
>     DeviceClass *dc = DEVICE_CLASS(klass);
> 
>     dc->realize = pflash_cfi02_realize;
>+    dc->unrealize = pflash_cfi02_unrealize;
>     dc->props = pflash_cfi02_properties;
>     set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
> }
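Review bot: `timer_del(&pfl->timer)` in `pflash_cfi02_unrealize` is correct and is also safe when the timer was never armed, and the unused `errp` matches the `DeviceClass::unrealize` signature in this tree, so nothing to change there. One behaviour to document, in the commit message or a comment above the hook: an erase that is still pending at unplug is silently dropped, its completion callback never runs, which is the intended outcome for a removed chip but is not stated anywhere in the patch.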
>-- 
>2.17.2 (Apple Git-113)
>

-- 
Wei Yang
Help you, Help me
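The lifecycle bug the patch closes, as an added toy model in C. This is not QEMU's code and not the author's: ToyTimer, toy_timer_init/toy_timer_mod/toy_timer_del, toy_clock_advance, ToyFlash and run_scenario are assumed stand-ins for QEMUTimer, timer_init_ns/timer_mod/timer_del, the virtual clock and pflash_t, and NANOSECONDS_PER_SECOND is redefined locally. The model embeds the timer in the device struct, arms it from a chip-erase command, tears the device down with or without a timer_del in unrealize, and counts callbacks that land on the torn-down device; the struct is poisoned instead of freed so the dangling callback is observable rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-ins for QEMU's timer API (assumed names, not QEMU code). */
#define NANOSECONDS_PER_SECOND 1000000000LL
typedef struct ToyTimer ToyTimer;
struct ToyTimer { int64_t expire_ns; void (*cb)(void *); void *opaque; ToyTimer *next; };
static ToyTimer *g_active;   /* armed timers, earliest expiry first */
static int64_t g_now_ns;     /* virtual clock */

static void toy_timer_init(ToyTimer *t, void (*cb)(void *), void *opaque)
{
    t->expire_ns = -1; t->cb = cb; t->opaque = opaque; t->next = NULL;
}

/* Unlink t if armed; harmless on an initialised but never-armed timer. */
static void toy_timer_del(ToyTimer *t)
{
    for (ToyTimer **pp = &g_active; *pp; pp = &(*pp)->next) {
        if (*pp == t) { *pp = t->next; t->next = NULL; return; }
    }
}

/* (Re)arm t at expire_ns, keeping the list sorted. */
static void toy_timer_mod(ToyTimer *t, int64_t expire_ns)
{
    toy_timer_del(t);
    t->expire_ns = expire_ns;
    ToyTimer **pp = &g_active;
    while (*pp && (*pp)->expire_ns <= expire_ns) pp = &(*pp)->next;
    t->next = *pp; *pp = t;
}

/* Advance the clock and run every expired callback, earliest first. */
static void toy_clock_advance(int64_t delta_ns)
{
    g_now_ns += delta_ns;
    while (g_active && g_active->expire_ns <= g_now_ns) {
        ToyTimer *t = g_active;
        g_active = t->next; t->next = NULL;
        t->cb(t->opaque);
    }
}

/* Device state with the timer embedded, as the patch does for pflash_t. */
enum { FLASH_ALIVE = 0x50464c41, FLASH_FREED = 0xdead };
typedef struct { uint32_t magic; uint8_t status; ToyTimer timer; } ToyFlash;
static int g_dangling_callbacks;   /* callbacks that ran on a torn-down device */
static uint8_t g_last_status;      /* status byte sampled just before teardown */

static void flash_timer_cb(void *opaque)
{
    ToyFlash *pfl = opaque;
    if (pfl->magic != FLASH_ALIVE) { g_dangling_callbacks++; return; }  /* the UAF */
    pfl->status = 0x80;   /* erase finished */
}

static ToyFlash *flash_realize(void)
{
    ToyFlash *pfl = calloc(1, sizeof(*pfl));
    pfl->magic = FLASH_ALIVE;
    toy_timer_init(&pfl->timer, flash_timer_cb, pfl);   /* no heap timer to leak */
    return pfl;
}

/* Chip erase: busy now, done after 5 virtual seconds, as in pflash_write. */
static void flash_start_chip_erase(ToyFlash *pfl)
{
    pfl->status = 0x00;
    toy_timer_mod(&pfl->timer, g_now_ns + NANOSECONDS_PER_SECOND * 5);
}

/* Teardown. The struct is poisoned rather than freed so a late callback is
 * observed deterministically instead of by reading freed heap. */
static void flash_unrealize(ToyFlash *pfl, bool del_timer)
{
    if (del_timer) toy_timer_del(&pfl->timer);
    pfl->magic = FLASH_FREED;
}

/* Arm a chip erase, tear the device down while it is pending (unplug_early)
 * or after it completed, then let time pass. Returns how many callbacks hit
 * the torn-down device: 1 only for a pending timer unrealize did not delete. */
static int run_scenario(bool unplug_early, bool del_timer)
{
    g_active = NULL; g_now_ns = 0; g_dangling_callbacks = 0;
    ToyFlash *pfl = flash_realize();
    flash_start_chip_erase(pfl);
    if (!unplug_early) toy_clock_advance(NANOSECONDS_PER_SECOND * 6);
    g_last_status = pfl->status;
    flash_unrealize(pfl, del_timer);
    toy_clock_advance(NANOSECONDS_PER_SECOND * 6);
    free(pfl);
    return g_dangling_callbacks;
}

int main(void)
{
    printf("pending erase, unplug without timer_del: %d late callback(s)\n", run_scenario(true, false));
    printf("pending erase, unplug with timer_del:    %d late callback(s)\n", run_scenario(true, true));
    return 0;
}
```

run_scenario(true, false) returns 1: the erase timer outlives the device and its callback dereferences the dead state, which with a real free() is the use-after-free. run_scenario(true, true) returns 0, and run_scenario(false, ...) returns 0 with g_last_status 0x80, showing the hook only matters when a timer is pending at teardown. The toy has no concurrency; in QEMU the property that makes the fix sufficient is that timer_del and the timer callback run under the same main-loop lock, so once timer_del returns the callback cannot be in flight.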

Thread overview: 5+ messages
2019-02-19 15:37 [Qemu-devel] [PATCH] block/pflash_cfi02: Fix memory leak and potential use-after-free Stephen Checkoway
2019-02-19 17:22 ` Philippe Mathieu-Daudé
2019-02-20  6:40 ` Wei Yang [this message]
2019-03-06  9:38 ` [Qemu-devel] [Qemu-trivial] " Laurent Vivier
2019-03-06 14:30   ` Stephen Checkoway
