On Tue, 12 Sep 2017 18:28:04 +0100
Peter Maydell wrote:

> On 8 September 2017 at 11:35, David Gibson wrote:
> > From: Daniel Henrique Barboza
> >
> > The sPAPR machine isn't clearing up the pending events QTAILQ on
> > machine reboot. This allows for unprocessed hotplug/epow events
> > to persist in the queue after reset and, when reasserting the IRQs in
> > check_exception later on, these will be being processed by the OS.
> >
> > This patch implements a new function called 'spapr_clear_pending_events'
> > that clears up the pending_events QTAILQ. This helper is then called
> > inside ppc_spapr_reset to clear up the events queue, preventing
> > old/deprecated events from persisting after a reset.
> >
> > Signed-off-by: Daniel Henrique Barboza
> > Signed-off-by: David Gibson
>
> > +void spapr_clear_pending_events(sPAPRMachineState *spapr)
> > +{
> > +    sPAPREventLogEntry *entry = NULL;
> > +
> > +    QTAILQ_FOREACH(entry, &spapr->pending_events, next) {
> > +        QTAILQ_REMOVE(&spapr->pending_events, entry, next);
> > +        g_free(entry->extended_log);
> > +        g_free(entry);
> > +    }
> > +}
>
> Coverity points out that this is a use-after-free error,
> because QTAILQ_FOREACH will access the list pointers of
> entry after the loop body has freed it. You want
> QTAILQ_FOREACH_SAFE, I think. (CID 1381017)
>

Yes indeed, QTAILQ_FOREACH_SAFE() is needed when removing the current
element from the list. I'll send a patch.

> thanks
> -- PMM
>
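Review bot: the QTAILQ_FOREACH loop in spapr_clear_pending_events frees `entry` in its body and then the macro's increment step reads `entry->next` from that freed memory, so every iteration after the first is a use-after-free (the Coverity finding quoted above). Declare a second pointer, e.g. `sPAPREventLogEntry *entry = NULL, *next_entry = NULL;`, and iterate with `QTAILQ_FOREACH_SAFE(entry, &spapr->pending_events, next, next_entry) {` so the successor is captured before the body calls QTAILQ_REMOVE and g_free.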
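As an added, stand-alone illustration (not code from QEMU or from this thread), the C below mirrors the pattern the fix needs: a minimal tail queue with QTAILQ-like link fields and a clearing routine that fetches the successor before the current element is freed, which is exactly what QTAILQ_FOREACH_SAFE does for the real sPAPR pending_events list. The struct names, the FOREACH_SAFE macro, and the sample event strings are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a QTAILQ entry: a heap-owned payload plus the
 * links the list macros walk. Freeing the entry also frees these links,
 * which is why an unsafe foreach must not touch them afterwards. */
struct event_entry {
    char *extended_log;          /* payload owned by the entry */
    struct event_entry *next;
    struct event_entry **prev;   /* address of the pointer that points at us */
};

struct event_queue {
    struct event_entry *first;
    struct event_entry **last;   /* address of the last 'next' (or of 'first') */
};

static void queue_init(struct event_queue *q) { q->first = NULL; q->last = &q->first; }

static void queue_insert_tail(struct event_queue *q, struct event_entry *e) {
    e->next = NULL; e->prev = q->last; *q->last = e; q->last = &e->next;
}

static void queue_remove(struct event_queue *q, struct event_entry *e) {
    if (e->next) e->next->prev = e->prev; else q->last = e->prev;
    *e->prev = e->next;
}

/* Same shape as QTAILQ_FOREACH_SAFE: 'next_var' is loaded from the current
 * element before the body runs, so the body may remove and free 'var'. */
#define FOREACH_SAFE(var, q, next_var) \
    for ((var) = (q)->first; (var) && (((next_var) = (var)->next), 1); (var) = (next_var))

/* Safe equivalent of the patch's clearing loop; returns how many entries it freed. */
size_t clear_pending_events(struct event_queue *q) {
    struct event_entry *entry, *next_entry;
    size_t freed = 0;
    FOREACH_SAFE(entry, q, next_entry) {
        queue_remove(q, entry);
        free(entry->extended_log);
        free(entry);                 /* safe: successor already saved in next_entry */
        freed++;
    }
    return freed;
}

static struct event_entry *make_entry(const char *log) {
    struct event_entry *e = calloc(1, sizeof *e);
    size_t n = strlen(log) + 1;
    e->extended_log = malloc(n);
    memcpy(e->extended_log, log, n);
    return e;
}

/* Builds a queue of three constructed events, clears it, and checks the list
 * is empty and reusable; returns the number freed or (size_t)-1 on a bad state. */
size_t demo_clear(void) {
    struct event_queue q;
    queue_init(&q);
    queue_insert_tail(&q, make_entry("epow"));
    queue_insert_tail(&q, make_entry("hotplug-add"));
    queue_insert_tail(&q, make_entry("hotplug-remove"));
    size_t n = clear_pending_events(&q);
    return (q.first == NULL && q.last == &q.first) ? n : (size_t)-1;
}
```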