From: Markus Armbruster <armbru@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Xiao Guangrong <guangrong.xiao@linux.intel.com>,
	ehabkost@redhat.com, kvm@vger.kernel.org, mst@redhat.com,
	gleb@kernel.org, mtosatti@redhat.com, qemu-devel@nongnu.org,
	stefanha@redhat.com, imammedo@redhat.com, rth@twiddle.net
Subject: Re: [PATCH 1/2] hostmem: fix QEMU crash by 'info memdev'
Date: Wed, 13 Jul 2016 13:29:34 +0200
Message-ID: <87r3ax6ajl.fsf@dusky.pond.sub.org>
In-Reply-To: <945b233e-286f-fc22-8837-761e1ac2e522@redhat.com> (Paolo Bonzini's message of "Wed, 13 Jul 2016 12:45:26 +0200")

Paolo Bonzini <pbonzini@redhat.com> writes:

> On 13/07/2016 06:18, Xiao Guangrong wrote:
>> 
>> Return MAX_NODES under this case to fix this bug
>> 
>> Signed-off-by: Xiao Guangrong <guangrong.xiao@linux.intel.com>
>> ---
>>  backends/hostmem.c | 22 ++++++++++++++--------
>>  1 file changed, 14 insertions(+), 8 deletions(-)
>> 
>> diff --git a/backends/hostmem.c b/backends/hostmem.c
>> index 6e28be1..8dede4d 100644
>> --- a/backends/hostmem.c
>> +++ b/backends/hostmem.c
>> @@ -64,6 +64,14 @@ out:
>>      error_propagate(errp, local_err);
>>  }
>>  
>> +static uint16List **host_memory_append_node(uint16List **node,
>> +                                            unsigned long value)
>> +{
>> +     *node = g_malloc0(sizeof(**node));
>> +     (*node)->value = value;
>> +     return &(*node)->next;
>> +}
>> +
>>  static void
>>  host_memory_backend_get_host_nodes(Object *obj, Visitor *v, const char *name,
>>                                     void *opaque, Error **errp)
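Review bot: The body of host_memory_append_node() is indented with five spaces (`*node = g_malloc0(sizeof(**node));`, `(*node)->value = value;`, `return &(*node)->next;`) while the surrounding code uses four; re-indent before this goes in. A one-line comment stating that the helper returns the address of the new node's next pointer so callers can chain appends would also make the `node = host_memory_append_node(node, value)` idiom in the second hunk self-explanatory.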
>> @@ -74,25 +82,23 @@ host_memory_backend_get_host_nodes(Object *obj, Visitor *v, const char *name,
>>      unsigned long value;
>>  
>>      value = find_first_bit(backend->host_nodes, MAX_NODES);
>> +
>> +    node = host_memory_append_node(node, value);
>> +
>>      if (value == MAX_NODES) {
>> -        return;
>> +        goto out;
>>      }
>>  
>> -    *node = g_malloc0(sizeof(**node));
>> -    (*node)->value = value;
>> -    node = &(*node)->next;
>> -
>>      do {
>>          value = find_next_bit(backend->host_nodes, MAX_NODES, value + 1);
>>          if (value == MAX_NODES) {
>>              break;
>>          }
>>  
>> -        *node = g_malloc0(sizeof(**node));
>> -        (*node)->value = value;
>> -        node = &(*node)->next;
>> +        node = host_memory_append_node(node, value);
>>      } while (true);
>>  
>> +out:
>>      visit_type_uint16List(v, name, &host_nodes, errp);
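Review bot: The list chained from host_nodes is still never released after visit_type_uint16List(); keep the head pointer from the first host_memory_append_node() call and free it with qapi_free_uint16List() after the visit, otherwise every 'info memdev' query leaks the whole list. Also note that the relocated `value == MAX_NODES` check now appends a node carrying MAX_NODES before jumping to `out`, so the getter reports a sentinel element rather than an empty list when no host node is set; the commit message should say that this is intended and why an empty list cannot be visited instead.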
>
> This function is leaking host_nodes, so you need a
>
> qapi_free_uint16List(head);
>
> here (and saving the head pointer on the first call to
> host_memory_append_node).  The bug is preexisting.
>
> I'm curious about one thing.  Eric/Markus, it would be nice to open code
> the visit of the list with
>
>     visit_start_list(v, name, NULL, 0, &err);
>     if (err) {
>         goto out;
>     }
>     ...
>     visit_type_uint16(v, name, &value, &err);
>     visit_next_list(v, NULL, 0);
>     ...
>     visit_end_list(v, NULL);
>
> We know here that on the other side there is an output visitor.
> However, it doesn't work because visit_next_list asserts that tail ==
> NULL.  Would it be easy to support this idiom, and would it make sense
> to extend it to other kinds of visitor?

visit_next_list() asserts tail != NULL to protect the
next_list() method.  qmp_output_next_list() dereferences tail.

Note that you don't have to call visit_next_list() in a virtual visit.
For an example, see prop_get_fdt().  Good enough already?
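As an added example (not code from the patch, the reply or QEMU itself), the getter's list-building pattern with the two points raised in the review applied: the head pointer is kept so the list can be freed after the visit, and the no-bits-set case yields a single MAX_NODES node as the patch does. MAX_NODES, uint16List, append_node() and free_uint16_list() are local stand-ins for the QEMU definitions, and the bitmaps are constructed test input.

```c
#include <stdint.h>
#include <stdlib.h>

#define MAX_NODES 128   /* stand-in for QEMU's MAX_NODES */

typedef struct uint16List {   /* shape of the QAPI-generated list type */
    struct uint16List *next;
    uint16_t value;
} uint16List;

/* Same shape as the patch's host_memory_append_node(): allocate a node,
 * store the value and hand back the address of its next pointer. */
static uint16List **append_node(uint16List **node, unsigned long value)
{
    *node = calloc(1, sizeof(**node));
    (*node)->value = (uint16_t)value;
    return &(*node)->next;
}

/* Counterpart of qapi_free_uint16List(): needs the saved head. */
static void free_uint16_list(uint16List *head)
{
    while (head) {
        uint16List *next = head->next;
        free(head);
        head = next;
    }
}

static size_t list_length(const uint16List *head)
{
    size_t n = 0;
    for (; head; head = head->next) n++;
    return n;
}

/* Build the list from a MAX_NODES-wide bitmap as the patched getter does:
 * no set bit yields one node holding MAX_NODES; the head is returned so
 * the caller can free it after the visit instead of leaking it. */
static uint16List *nodes_from_bitmap(const unsigned char *bitmap)
{
    uint16List *head = NULL;   /* the pointer the patch never keeps */
    uint16List **node = &head;
    int found = 0;

    for (unsigned long bit = 0; bit < MAX_NODES; bit++) {
        if (bitmap[bit / 8] & (1u << (bit % 8))) {
            node = append_node(node, bit);
            found = 1;
        }
    }
    if (!found) {
        append_node(node, MAX_NODES);
    }
    return head;
}
```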
