From: Riku Voipio <riku.voipio@iki.fi>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: QEMU Developers <qemu-devel@nongnu.org>,
	Patch Tracking <patches@linaro.org>
Subject: Re: [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array
Date: Wed, 5 Oct 2016 21:42:50 +0300
Message-ID: <20161005184250.GA22568@beaming.home>
In-Reply-To: <CAFEAcA-8V5LRnVn5HFgMSPrm+49tPJ3ZYtQrYTFWQF8Tbbibzw@mail.gmail.com>

On Tue, Oct 04, 2016 at 02:09:33PM +0100, Peter Maydell wrote:
> Ping? It looks like patch 1/2 of this series got into the
> recent linux-user pullreq, but this one (2/2) didn't. Do
> you want a resend as a standalone patch?

No need, I've pulled it from patchwork; for some reason this didn't get to
my mailbox...

> On 18 July 2016 at 15:36, Peter Maydell <peter.maydell@linaro.org> wrote:
> > The epoll event array which epoll_wait() allocates has a size
> > determined by the guest which could potentially be quite large.
> > Use g_try_new() rather than alloca() so that we can fail more
> > cleanly if the guest hands us an oversize value. (ENOMEM is
> > not a documented return value for epoll_wait() but in practice
> > some kernel configurations can return it -- see for instance
> > sys_oabi_epoll_wait() on ARM.)
> >
> > This rearrangement includes fixing a bug where we were
> > incorrectly passing a negative length to unlock_user() in
> > the error-exit codepath.
> >
> > Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
> > ---
> >  linux-user/syscall.c | 17 +++++++++++++----
> >  1 file changed, 13 insertions(+), 4 deletions(-)
> >
> > diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> > index 3552295..721d7b1 100644
> > --- a/linux-user/syscall.c
> > +++ b/linux-user/syscall.c
> > @@ -11035,7 +11035,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
> >              goto efault;
> >          }
> >
> > -        ep = alloca(maxevents * sizeof(struct epoll_event));
> > +        ep = g_try_new(struct epoll_event, maxevents);
> > +        if (!ep) {
> > +            unlock_user(target_ep, arg2, 0);
> > +            ret = -TARGET_ENOMEM;
> > +            break;
> > +        }
> >
> >          switch (num) {
> >  #if defined(TARGET_NR_epoll_pwait)
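Review bot: the new `if (!ep)` branch sets `ret = -TARGET_ENOMEM;` but nothing at that line records why ENOMEM is the chosen guest-visible error for a failure the commit message itself says is undocumented for epoll_wait(); a one-line comment next to `ret = -TARGET_ENOMEM;` citing the sys_oabi_epoll_wait() precedent would spare the next reader a trip to the git log. It is also worth confirming that the bound on `maxevents` from patch 1/2 ("Check for bad event numbers in epoll_wait" in the thread overview) is applied before `ep = g_try_new(struct epoll_event, maxevents);`, since the only check visible in this hunk's context is the `goto efault;` for the preceding lock_user() result.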
> > @@ -11053,8 +11058,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
> >                  target_set = lock_user(VERIFY_READ, arg5,
> >                                         sizeof(target_sigset_t), 1);
> >                  if (!target_set) {
> > -                    unlock_user(target_ep, arg2, 0);
> > -                    goto efault;
> > +                    ret = -TARGET_EFAULT;
> > +                    break;
> >                  }
> >                  target_to_host_sigset(set, target_set);
> >                  unlock_user(target_set, arg5, 0);
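Review bot: replacing `unlock_user(target_ep, arg2, 0); goto efault;` with `ret = -TARGET_EFAULT; break;` is needed now that `ep` is heap-allocated (the `goto efault` would have skipped the `g_free(ep)` added later in the patch), but this `break` only leaves the inner `switch (num)`, not the outer syscall switch, and that is precisely what makes the shared unlock/free path run. A short comment on the `break;` such as `/* fall through to the common unlock_user()/g_free() path */` would make the intent explicit, so that a later refactor turning this back into a direct exit does not reintroduce the leak.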
> > @@ -11082,8 +11087,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
> >                  target_ep[i].events = tswap32(ep[i].events);
> >                  target_ep[i].data.u64 = tswap64(ep[i].data.u64);
> >              }
> > +            unlock_user(target_ep, arg2,
> > +                        ret * sizeof(struct target_epoll_event));
> > +        } else {
> > +            unlock_user(target_ep, arg2, 0);
> >          }
> > -        unlock_user(target_ep, arg2, ret * sizeof(struct target_epoll_event));
> > +        g_free(ep);
> >          break;
> >      }
> >  #endif
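Review bot: the split into `if (!is_error(ret)) { ... unlock_user(target_ep, arg2, ret * sizeof(struct target_epoll_event)); } else { unlock_user(target_ep, arg2, 0); }` is what fixes the negative length passed to unlock_user() in the error path that the commit message describes, and `g_free(ep)` now runs on both paths, but the two unlock_user() calls differ only in their length argument. Consider a single call after the if/else, e.g. `unlock_user(target_ep, arg2, is_error(ret) ? 0 : ret * sizeof(struct target_epoll_event));`, so the pairing with the earlier lock_user() is visible at one point. Note that the `ret * sizeof(...)` multiplication is only safe because the success branch guarantees `ret >= 0`, which is exactly what the is_error() test provides; keeping that dependency visible in one expression is another argument for the single call.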
> > --
> > 1.9.1


Thread overview: 5+ messages
2016-07-18 14:35 [Qemu-devel] [PATCH 0/2] linux-user: minor epoll_wait fixes Peter Maydell
2016-07-18 14:35 ` [Qemu-devel] [PATCH 1/2] linux-user: Check for bad event numbers in epoll_wait Peter Maydell
2016-07-18 14:36 ` [Qemu-devel] [PATCH 2/2] linux-user: Don't use alloca() for epoll_wait's epoll event array Peter Maydell
2016-10-04 13:09   ` Peter Maydell
2016-10-05 18:42     ` Riku Voipio [this message]
