From: Laurent Vivier <laurent@vivier.eu>
To: qemu-devel@nongnu.org
Cc: "Paolo Bonzini" <pbonzini@redhat.com>,
"Riku Voipio" <riku.voipio@iki.fi>,
"Zhang Chen" <zhangckid@gmail.com>,
zhanghailiang <zhang.zhanghailiang@huawei.com>,
"Christian Borntraeger" <borntraeger@de.ibm.com>,
"Cornelia Huck" <cohuck@redhat.com>,
"Kevin Wolf" <kwolf@redhat.com>,
"Richard Henderson" <rth@twiddle.net>,
"Thomas Huth" <thuth@redhat.com>,
"Igor Mammedov" <imammedo@redhat.com>,
"Li Zhijian" <lizhijian@cn.fujitsu.com>,
"John Snow" <jsnow@redhat.com>,
"Halil Pasic" <pasic@linux.ibm.com>,
"Pavel Dovgalyuk" <pavel.dovgaluk@ispras.ru>,
"Laurent Vivier" <laurent@vivier.eu>,
"Eduardo Habkost" <ehabkost@redhat.com>,
qemu-block@nongnu.org,
"Marcel Apfelbaum" <marcel.apfelbaum@gmail.com>,
"Tony Krowiak" <akrowiak@linux.ibm.com>,
"Max Reitz" <mreitz@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
qemu-trivial@nongnu.org, "Laurent Vivier" <lvivier@redhat.com>,
"Michael Tokarev" <mjt@tls.msk.ru>,
qemu-s390x@nongnu.org, "Corey Minyard" <minyard@acm.org>,
"Pierre Morel" <pmorel@linux.ibm.com>,
"Stephen Checkoway" <stephen.checkoway@oberlin.edu>,
"Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Wei Yang" <richardw.yang@linux.intel.com>
Subject: [Qemu-devel] [PULL 05/10] block/pflash_cfi02: Fix memory leak and potential use-after-free
Date: Wed, 6 Mar 2019 12:07:06 +0100 [thread overview]
Message-ID: <20190306110711.309-6-laurent@vivier.eu> (raw)
In-Reply-To: <20190306110711.309-1-laurent@vivier.eu>
From: Stephen Checkoway <stephen.checkoway@oberlin.edu>
Don't dynamically allocate the pflash's timer. But do use timer_del in
an unrealize function to make sure that the timer can't fire after the
pflash_t has been freed.
Signed-off-by: Stephen Checkoway <stephen.checkoway@oberlin.edu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Wei Yang <richardw.yang@linux.intel.com>
Message-Id: <20190219153727.62279-1-stephen.checkoway@oberlin.edu>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
hw/block/pflash_cfi02.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c
index 0f8b7b8c7b36..1588aeff5a95 100644
--- a/hw/block/pflash_cfi02.c
+++ b/hw/block/pflash_cfi02.c
@@ -84,7 +84,7 @@ struct pflash_t {
uint16_t unlock_addr0;
uint16_t unlock_addr1;
uint8_t cfi_table[0x52];
- QEMUTimer *timer;
+ QEMUTimer timer;
/* The device replicates the flash memory across its memory space. Emulate
* that by having a container (.mem) filled with an array of aliases
* (.mem_mappings) pointing to the flash memory (.orig_mem).
@@ -429,7 +429,7 @@ static void pflash_write (pflash_t *pfl, hwaddr offset,
}
pfl->status = 0x00;
/* Let's wait 5 seconds before chip erase is done */
- timer_mod(pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
+ timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
(NANOSECONDS_PER_SECOND * 5));
break;
case 0x30:
@@ -444,7 +444,7 @@ static void pflash_write (pflash_t *pfl, hwaddr offset,
}
pfl->status = 0x00;
/* Let's wait 1/2 second before sector erase is done */
- timer_mod(pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
+ timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
(NANOSECONDS_PER_SECOND / 2));
break;
default:
@@ -596,7 +596,7 @@ static void pflash_cfi02_realize(DeviceState *dev, Error **errp)
pfl->rom_mode = 1;
sysbus_init_mmio(SYS_BUS_DEVICE(dev), &pfl->mem);
- pfl->timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, pflash_timer, pfl);
+ timer_init_ns(&pfl->timer, QEMU_CLOCK_VIRTUAL, pflash_timer, pfl);
pfl->wcycle = 0;
pfl->cmd = 0;
pfl->status = 0;
@@ -695,11 +695,18 @@ static Property pflash_cfi02_properties[] = {
DEFINE_PROP_END_OF_LIST(),
};
+static void pflash_cfi02_unrealize(DeviceState *dev, Error **errp)
+{
+ pflash_t *pfl = CFI_PFLASH02(dev);
+ timer_del(&pfl->timer);
+}
+
static void pflash_cfi02_class_init(ObjectClass *klass, void *data)
{
DeviceClass *dc = DEVICE_CLASS(klass);
dc->realize = pflash_cfi02_realize;
+ dc->unrealize = pflash_cfi02_unrealize;
dc->props = pflash_cfi02_properties;
set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
}
--
2.20.1
next prev parent reply other threads:[~2019-03-06 11:08 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-06 11:07 [Qemu-devel] [PULL 00/10] Trivial branch patches Laurent Vivier
2019-03-06 11:07 ` [Qemu-devel] [PULL 01/10] tests: Remove (mostly) useless architecture checks Laurent Vivier
2019-03-06 11:07 ` [Qemu-devel] [PULL 02/10] hw/i386/pc.c: remove unused function pc_acpi_init() Laurent Vivier
2019-03-06 11:07 ` [Qemu-devel] [PULL 03/10] hw/acpi: remove unused function acpi_table_add_builtin() Laurent Vivier
2019-03-06 11:07 ` [Qemu-devel] [PULL 04/10] hw/acpi: remove unnecessary variable acpi_table_builtin Laurent Vivier
2019-03-06 11:07 ` Laurent Vivier [this message]
2019-03-06 11:07 ` [Qemu-devel] [PULL 06/10] doc: fix typos for documents in tree Laurent Vivier
2019-03-06 11:07 ` [Qemu-devel] [PULL 07/10] bswap: Fix accessors syntax in comment Laurent Vivier
2019-03-06 11:07 ` [Qemu-devel] [PULL 08/10] build: Correct explanation of unnest-vars example Laurent Vivier
2019-03-06 11:07 ` [Qemu-devel] [PULL 09/10] hostmem-file: simplify ifdef-s in file_backend_memory_alloc() Laurent Vivier
2019-03-06 11:07 ` [Qemu-devel] [PULL 10/10] thunk: fix of malloc to g_new Laurent Vivier
2019-03-06 14:50 ` [Qemu-devel] [PULL 00/10] Trivial branch patches Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190306110711.309-6-laurent@vivier.eu \
--to=laurent@vivier.eu \
--cc=akrowiak@linux.ibm.com \
--cc=borntraeger@de.ibm.com \
--cc=cohuck@redhat.com \
--cc=ehabkost@redhat.com \
--cc=imammedo@redhat.com \
--cc=jsnow@redhat.com \
--cc=kwolf@redhat.com \
--cc=lizhijian@cn.fujitsu.com \
--cc=lvivier@redhat.com \
--cc=marcel.apfelbaum@gmail.com \
--cc=minyard@acm.org \
--cc=mjt@tls.msk.ru \
--cc=mreitz@redhat.com \
--cc=mst@redhat.com \
--cc=pasic@linux.ibm.com \
--cc=pavel.dovgaluk@ispras.ru \
--cc=pbonzini@redhat.com \
--cc=philmd@redhat.com \
--cc=pmorel@linux.ibm.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=qemu-trivial@nongnu.org \
--cc=richardw.yang@linux.intel.com \
--cc=riku.voipio@iki.fi \
--cc=rth@twiddle.net \
--cc=stephen.checkoway@oberlin.edu \
--cc=thuth@redhat.com \
--cc=zhang.zhanghailiang@huawei.com \
--cc=zhangckid@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).