On Tue, 12 Sep 2017 18:28:04 +0100
Peter Maydell <peter.mayd...@linaro.org> wrote:

> On 8 September 2017 at 11:35, David Gibson <da...@gibson.dropbear.id.au> wrote:
> > From: Daniel Henrique Barboza <danie...@linux.vnet.ibm.com>
> >
> > The sPAPR machine isn't clearing up the pending events QTAILQ on
> > machine reboot. This allows for unprocessed hotplug/epow events
> > to persist in the queue after reset and, when reasserting the IRQs in
> > check_exception later on, these will be processed by the OS.
> >
> > This patch implements a new function called 'spapr_clear_pending_events'
> > that clears up the pending_events QTAILQ. This helper is then called
> > inside ppc_spapr_reset to clear up the events queue, preventing
> > old/deprecated events from persisting after a reset.
> >
> > Signed-off-by: Daniel Henrique Barboza <danie...@linux.vnet.ibm.com>
> > Signed-off-by: David Gibson <da...@gibson.dropbear.id.au>  
> 
> > +void spapr_clear_pending_events(sPAPRMachineState *spapr)
> > +{
> > +    sPAPREventLogEntry *entry = NULL;
> > +
> > +    QTAILQ_FOREACH(entry, &spapr->pending_events, next) {
> > +        QTAILQ_REMOVE(&spapr->pending_events, entry, next);
> > +        g_free(entry->extended_log);
> > +        g_free(entry);
> > +    }
> > +}  
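Review bot: the loop `QTAILQ_FOREACH(entry, &spapr->pending_events, next)` reads `entry->next` in its step expression after the body has run, but the body has already done `g_free(entry)`, so every iteration after the first dereferences freed memory (the use-after-free Coverity reports). Use the safe variant with a second pointer, e.g. `sPAPREventLogEntry *entry, *next_entry;` and `QTAILQ_FOREACH_SAFE(entry, &spapr->pending_events, next, next_entry) {`, which loads the successor before the body removes and frees `entry`. The `= NULL` initialiser on `entry` is then also redundant, since the macro assigns it first.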
> 
> Coverity points out that this is a use-after-free error,
> because QTAILQ_FOREACH will access the list pointers of
> entry after the loop body has freed it. You want
> QTAILQ_FOREACH_SAFE, I think. (CID 1381017)
> 

Yes indeed, QTAILQ_FOREACH_SAFE() is needed when removing
the current element from the list. I'll send a patch.

> thanks
> -- PMM
> 

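The difference between the two macros, as an added stand-alone example that is not QEMU's code and not part of this thread: the tail-queue macros below are a minimal reimplementation in the BSD sys/queue.h style that qemu/queue.h follows (so the program builds with any libc), `EventLogEntry` stands in for `sPAPREventLogEntry`, and `free()` replaces `g_free()`. The unsafe function is kept only for contrast and is never called; the corrected one uses the `_SAFE` form, which fetches the successor before the body frees the current element.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal tail-queue macros in the style of qemu/queue.h (itself derived
 * from BSD sys/queue.h).  Reimplemented here for the example only. */
#define TAILQ_HEAD(name, type) \
    struct name { struct type *tqh_first; struct type **tqh_last; }
#define TAILQ_ENTRY(type) \
    struct { struct type *tqe_next; struct type **tqe_prev; }
#define TAILQ_INIT(head) do { \
        (head)->tqh_first = NULL; \
        (head)->tqh_last = &(head)->tqh_first; \
    } while (0)
#define TAILQ_INSERT_TAIL(head, elm, field) do { \
        (elm)->field.tqe_next = NULL; \
        (elm)->field.tqe_prev = (head)->tqh_last; \
        *(head)->tqh_last = (elm); \
        (head)->tqh_last = &(elm)->field.tqe_next; \
    } while (0)
#define TAILQ_REMOVE(head, elm, field) do { \
        if ((elm)->field.tqe_next != NULL) \
            (elm)->field.tqe_next->field.tqe_prev = (elm)->field.tqe_prev; \
        else \
            (head)->tqh_last = (elm)->field.tqe_prev; \
        *(elm)->field.tqe_prev = (elm)->field.tqe_next; \
    } while (0)
/* Plain iteration: the step reads var->field.tqe_next AFTER the body ran,
 * which is the read that becomes a use-after-free once the body frees var. */
#define TAILQ_FOREACH(var, head, field) \
    for ((var) = (head)->tqh_first; (var) != NULL; (var) = (var)->field.tqe_next)
/* Safe iteration: the successor is saved in tvar BEFORE the body runs. */
#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \
    for ((var) = (head)->tqh_first; \
         (var) != NULL && ((tvar) = (var)->field.tqe_next, 1); \
         (var) = (tvar))

/* Stand-in for sPAPREventLogEntry (assumed layout, example only). */
typedef struct EventLogEntry {
    uint32_t summary;
    size_t extended_length;
    void *extended_log;                 /* NULL when extended_length == 0 */
    TAILQ_ENTRY(EventLogEntry) next;
} EventLogEntry;

typedef TAILQ_HEAD(EventQueue, EventLogEntry) EventQueue;

/* Allocate an event carrying 'len' bytes of extended log and queue it. */
static EventLogEntry *queue_event(EventQueue *q, uint32_t summary, size_t len)
{
    EventLogEntry *e = calloc(1, sizeof(*e));
    if (e == NULL) {
        return NULL;
    }
    e->summary = summary;
    e->extended_length = len;
    if (len > 0) {
        e->extended_log = malloc(len);
        if (e->extended_log == NULL) {
            free(e);
            return NULL;
        }
        memset(e->extended_log, 0xAB, len);   /* constructed payload */
    }
    TAILQ_INSERT_TAIL(q, e, next);
    return e;
}

static size_t queue_length(const EventQueue *q)
{
    size_t n = 0;
    const EventLogEntry *e;
    TAILQ_FOREACH(e, q, next) {
        n++;
    }
    return n;
}

/* The shape Coverity flagged.  Never call this: after free(entry) the
 * loop step reads entry->next.tqe_next from freed memory. */
size_t clear_pending_events_unsafe(EventQueue *q)
{
    EventLogEntry *entry;
    size_t freed = 0;
    TAILQ_FOREACH(entry, q, next) {
        TAILQ_REMOVE(q, entry, next);
        free(entry->extended_log);
        free(entry);                     /* use-after-free on the next step */
        freed++;
    }
    return freed;
}

/* Corrected form: next_entry holds the successor before the body frees
 * the current element.  Returns the number of entries freed. */
size_t clear_pending_events(EventQueue *q)
{
    EventLogEntry *entry, *next_entry;
    size_t freed = 0;
    TAILQ_FOREACH_SAFE(entry, q, next, next_entry) {
        TAILQ_REMOVE(q, entry, next);
        free(entry->extended_log);
        free(entry);
        freed++;
    }
    return freed;
}

/* Constructed scenario: three events are still pending when a "reset"
 * clears the queue.  Returns the count freed; *remaining gets the length
 * afterwards (expected 0). */
size_t run_reset_demo(size_t *remaining)
{
    EventQueue pending;
    TAILQ_INIT(&pending);
    queue_event(&pending, 0x01, 16);    /* e.g. a hotplug event with a log */
    queue_event(&pending, 0x02, 0);     /* event with no extended log */
    queue_event(&pending, 0x03, 64);
    size_t freed = clear_pending_events(&pending);
    *remaining = queue_length(&pending);
    return freed;
}

int main(void)
{
    size_t left;
    size_t freed = run_reset_demo(&left);
    printf("freed %zu pending events, %zu remain\n", freed, left);
    return left == 0 ? 0 : 1;
}
```

Building with AddressSanitizer and calling the `_unsafe` variant instead reports a heap-use-after-free at the loop's step expression, which is the same read Coverity identified statically.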