All of lore.kernel.org
 help / color / mirror / Atom feed
From: Markus Armbruster <armbru@redhat.com>
To: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Cc: "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: [PATCH 10/21] hw/core: Fix latent fit_load_fdt() error handling bug
Date: Fri, 06 Dec 2019 08:46:38 +0100	[thread overview]
Message-ID: <87tv6dnbfl.fsf@dusky.pond.sub.org> (raw)
In-Reply-To: <b42438de-3f05-a949-9304-29c051bc4444@virtuozzo.com> (Vladimir Sementsov-Ogievskiy's message of "Thu, 5 Dec 2019 16:23:48 +0000")

Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> writes:

> 30.11.2019 22:42, Markus Armbruster wrote:
>> fit_load_fdt() recovers from fit_image_addr() failing with ENOENT.
>> Except it doesn't when its @errp argument is &error_fatal or
>> &error_abort, because it blindly passes @errp to fit_image_addr().
>> Messed up in commit 3eb99edb48 "loader-fit: Wean off error_printf()".
>> 
>> The bug can't bite as no caller actually passes &error_fatal or
>> &error_abort.  Fix it anyway.
>> 
>> Signed-off-by: Markus Armbruster <armbru@redhat.com>
>
> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
>
> Hmm, actually it makes my
> "[PATCH v7 01/21] hw/core/loader-fit: fix freeing errp in fit_load_fdt"
> unnecessary. If you want you may drop my 01 (as it covers less problems),

Yes.

> and in this case you may note in your cover letter, that
> errp = NULL is broken here too (may be nobady pass it?),

You're right, null @errp is wrong, too.

> and normal errp is handled wrong, as *errp doesn't set to NULL after
> error_free(*errp)

Yes, that's wrong, too.  fit_load_fdt() itself doesn't use *errp after
freeing it, but it sets a trap for its callers.  

>                   (still, the only caller rely on return value more than on
> err, so the problem can't be triggered with current code)

True.

New commit message (based on v2's):

    hw/core: Fix fit_load_fdt() error API violations

    fit_load_fdt() passes @errp to fit_image_addr(), then recovers from
    ENOENT failures.  Passing @errp is wrong, because it works only as
    long as @errp is neither @error_fatal nor @error_abort.  Error
    recovery dereferences @errp.  That's also wrong; see the big comment
    in error.h.  Error recovery can leave *errp pointing to a freed
    Error object.  Wrong, it must be null on success.  Messed up in
    commit 3eb99edb48 "loader-fit: Wean off error_printf()".

    No caller actually passes such values, or uses *errp on success.

    Fix anyway: splice in a local Error *err, and error_propagate().

    Signed-off-by: Markus Armbruster <armbru@redhat.com>

Okay?

>
>> ---
>>   hw/core/loader-fit.c | 15 ++++++++-------
>>   1 file changed, 8 insertions(+), 7 deletions(-)
>> 
>> diff --git a/hw/core/loader-fit.c b/hw/core/loader-fit.c
>> index 953b16bc82..c465921b8f 100644
>> --- a/hw/core/loader-fit.c
>> +++ b/hw/core/loader-fit.c
>> @@ -178,11 +178,12 @@ static int fit_load_fdt(const struct fit_loader *ldr, const void *itb,
>>                           int cfg, void *opaque, const void *match_data,
>>                           hwaddr kernel_end, Error **errp)
>>   {
>> +    Error *err = NULL;
>>       const char *name;
>>       const void *data;
>>       const void *load_data;
>>       hwaddr load_addr;
>> -    int img_off, err;
>> +    int img_off;
>>       size_t sz;
>>       int ret;
>>   
>> @@ -197,13 +198,13 @@ static int fit_load_fdt(const struct fit_loader *ldr, const void *itb,
>>           return -EINVAL;
>>       }
>>   
>> -    err = fit_image_addr(itb, img_off, "load", &load_addr, errp);
>> -    if (err == -ENOENT) {
>> +    ret = fit_image_addr(itb, img_off, "load", &load_addr, &err);
>> +    if (ret == -ENOENT) {
>>           load_addr = ROUND_UP(kernel_end, 64 * KiB) + (10 * MiB);
>> -        error_free(*errp);
>> -    } else if (err) {
>> -        error_prepend(errp, "unable to read FDT load address from FIT: ");
>> -        ret = err;
>> +        error_free(err);
>> +    } else if (ret) {
>> +        error_propagate_prepend(errp, err,
>> +                                "unable to read FDT load address from FIT: ");
>>           goto out;
>>       }
>>   
>> 
>
> So much attention to that function :)
>
> I'd also propose the following:
>
> diff --git a/hw/core/loader-fit.c b/hw/core/loader-fit.c
> index c465921b8f..2c9efeef7a 100644
> --- a/hw/core/loader-fit.c
> +++ b/hw/core/loader-fit.c
> @@ -180,8 +180,8 @@ static int fit_load_fdt(const struct fit_loader *ldr, const void *itb,
>   {
>       Error *err = NULL;
>       const char *name;
> -    const void *data;
> -    const void *load_data;
> +    void *data;
> +    void *load_data;
>       hwaddr load_addr;
>       int img_off;
>       size_t sz;
> @@ -218,9 +218,9 @@ static int fit_load_fdt(const struct fit_loader *ldr, const void *itb,
>
>       ret = 0;
>   out:
> -    g_free((void *) data);
> +    g_free(data);
>       if (data != load_data) {
> -        g_free((void *) load_data);
> +        g_free(load_data);
>       }
>       return ret;
>   }
>
>
> Or, even better:
>
> --- a/hw/core/loader-fit.c
> +++ b/hw/core/loader-fit.c
> @@ -180,7 +180,8 @@ static int fit_load_fdt(const struct fit_loader *ldr, const void *itb,
>   {
>       Error *err = NULL;
>       const char *name;
> -    const void *data;
> +    g_autofree void *data = NULL;
> +    g_autofree void *fdt_filter_data = NULL;
>       const void *load_data;
>       hwaddr load_addr;
>       int img_off;
> @@ -202,27 +203,23 @@ static int fit_load_fdt(const struct fit_loader *ldr, const void *itb,
>       if (ret == -ENOENT) {
>           load_addr = ROUND_UP(kernel_end, 64 * KiB) + (10 * MiB);
>           error_free(err);
> +        return 0;
>       } else if (ret) {
>           error_propagate_prepend(errp, err,
>                                   "unable to read FDT load address from FIT: ");
> -        goto out;
> +        return ret;
>       }
>
>       if (ldr->fdt_filter) {
> -        load_data = ldr->fdt_filter(opaque, data, match_data, &load_addr);
> +        load_data = fdt_filter_data =
> +                ldr->fdt_filter(opaque, data, match_data, &load_addr);
>       }
>
>       load_addr = ldr->addr_to_phys(opaque, load_addr);
>       sz = fdt_totalsize(load_data);
>       rom_add_blob_fixed(name, load_data, sz, load_addr);
>
> -    ret = 0;
> -out:
> -    g_free((void *) data);
> -    if (data != load_data) {
> -        g_free((void *) load_data);
> -    }
> -    return ret;
> +    return 0;
>   }

Looks like a sensible separate cleanup patch to me.  Care to post it?

Thanks!



  reply	other threads:[~2019-12-06 15:46 UTC|newest]

Thread overview: 74+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-30 19:42 [PATCH 00/21] Error handling fixes, may contain 4.2 material Markus Armbruster
2019-11-30 19:42 ` [PATCH 01/21] net/virtio: Drop useless n->primary_dev not null checks Markus Armbruster
2019-12-02  9:53   ` Jens Freimann
2019-11-30 19:42 ` [PATCH 02/21] net/virtio: Fix failover error handling crash bugs Markus Armbruster
2019-12-02  9:53   ` Jens Freimann
2019-11-30 19:42 ` [PATCH 03/21] block/file-posix: Fix laio_init() error handling crash bug Markus Armbruster
2019-12-02 10:04   ` Stefan Hajnoczi
2019-12-02 12:22   ` Kevin Wolf
2019-11-30 19:42 ` [PATCH 04/21] crypto: Fix certificate file " Markus Armbruster
2019-12-05 15:24   ` Vladimir Sementsov-Ogievskiy
2019-11-30 19:42 ` [PATCH 05/21] crypto: Fix typo in QCryptoTLSSession's <example> comment Markus Armbruster
2019-12-05 15:26   ` Vladimir Sementsov-Ogievskiy
2019-11-30 19:42 ` [PATCH 06/21] io: Fix Error usage in a comment <example> Markus Armbruster
2019-12-05 15:30   ` Vladimir Sementsov-Ogievskiy
2019-12-06  7:20     ` Markus Armbruster
2019-11-30 19:42 ` [PATCH 07/21] tests: Clean up initialization of Error *err variables Markus Armbruster
2019-12-05 15:33   ` Vladimir Sementsov-Ogievskiy
2019-11-30 19:42 ` [PATCH 08/21] exec: Fix latent file_ram_alloc() error handling bug Markus Armbruster
2019-12-02  7:46   ` Igor Mammedov
2019-11-30 19:42 ` [PATCH 09/21] hw/acpi: Fix latent legacy CPU plug " Markus Armbruster
2019-12-02  7:51   ` Igor Mammedov
2019-11-30 19:42 ` [PATCH 10/21] hw/core: Fix latent fit_load_fdt() " Markus Armbruster
2019-12-05 16:23   ` Vladimir Sementsov-Ogievskiy
2019-12-06  7:46     ` Markus Armbruster [this message]
2019-12-06 10:53       ` Vladimir Sementsov-Ogievskiy
2020-01-10 20:06         ` Vladimir Sementsov-Ogievskiy
2020-01-13 13:01           ` Markus Armbruster
2019-11-30 19:42 ` [PATCH 11/21] hw/ipmi: Fix latent realize() error handling bugs Markus Armbruster
2019-12-01 18:22   ` Corey Minyard
2019-12-16  9:20     ` Markus Armbruster
2019-12-16 14:13       ` Corey Minyard
2019-12-17  6:30         ` Markus Armbruster
2019-11-30 19:42 ` [PATCH 12/21] qga: Fix latent guest-get-fsinfo error handling bug Markus Armbruster
2019-12-05 16:29   ` Vladimir Sementsov-Ogievskiy
2019-12-06  7:58     ` Markus Armbruster
2019-11-30 19:42 ` [PATCH 13/21] memory-device: Fix latent memory pre-plug error handling bugs Markus Armbruster
2019-12-01 14:15   ` David Hildenbrand
2019-12-02  5:07     ` Markus Armbruster
2019-12-03 21:37       ` Eric Blake
2019-11-30 19:42 ` [PATCH 14/21] s390x/event-facility: Fix latent realize() error handling bug Markus Armbruster
2019-12-02  9:56   ` David Hildenbrand
2019-11-30 19:42 ` [PATCH 15/21] s390x/cpu_models: Fix latent feature property error handling bugs Markus Armbruster
2019-12-02  9:57   ` David Hildenbrand
2019-12-03  7:22     ` Markus Armbruster
2019-11-30 19:42 ` [PATCH 16/21] s390/cpu_modules: Fix latent realize() " Markus Armbruster
2019-12-01 14:25   ` David Hildenbrand
2019-12-02  5:02     ` Markus Armbruster
2019-11-30 19:42 ` [PATCH 17/21] s390x: Fix latent query-cpu-model-FOO " Markus Armbruster
2019-11-30 21:22   ` David Hildenbrand
2019-12-01 13:46     ` Aleksandar Markovic
2019-12-01 14:07       ` Aleksandar Markovic
2019-12-01 14:11         ` Aleksandar Markovic
2019-12-01 14:09       ` David Hildenbrand
2019-12-02  5:01         ` Markus Armbruster
2019-12-02  8:34           ` David Hildenbrand
2019-12-03  7:27             ` Markus Armbruster
2019-12-02 16:31   ` Cornelia Huck
2019-12-03  7:49     ` Markus Armbruster
2019-12-03  8:01       ` Cornelia Huck
2019-12-03  9:51         ` David Hildenbrand
2019-11-30 19:42 ` [PATCH 18/21] s390x: Fix latent query-cpu-definitions error handling bug Markus Armbruster
2019-12-02  9:55   ` David Hildenbrand
2019-11-30 19:42 ` [PATCH 19/21] error: Clean up unusual names of Error * variables Markus Armbruster
2019-11-30 20:03   ` Philippe Mathieu-Daudé
2019-11-30 19:42 ` [PATCH 20/21] hw/intc/s390: Simplify error handling in kvm_s390_flic_realize() Markus Armbruster
2019-12-02 16:40   ` Cornelia Huck
2019-12-03 20:03     ` Halil Pasic
2019-12-04  7:28       ` Markus Armbruster
2019-11-30 19:42 ` [PATCH 21/21] tests-blockjob: Use error_free_or_abort() Markus Armbruster
2019-12-03 21:43   ` Eric Blake
2019-12-01 14:44 ` [PATCH 00/21] Error handling fixes, may contain 4.2 material Michael S. Tsirkin
2019-12-04  8:44   ` Markus Armbruster
2019-12-02 10:19 ` Daniel P. Berrangé
2019-12-02 11:24 ` Jens Freimann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87tv6dnbfl.fsf@dusky.pond.sub.org \
    --to=armbru@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=vsementsov@virtuozzo.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.