motorhead/qemu
1
0
Fork 0
mirror of https://github.com/Motorhead1991/qemu.git synced 2025-08-09 18:44:58 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

block/pflash_cfi02: Fix memory leak and potential use-after-free

Browse source 
Don't dynamically allocate the pflash's timer. But do use timer_del in
an unrealize function to make sure that the timer can't fire after the
pflash_t has been freed.

Signed-off-by: Stephen Checkoway <stephen.checkoway@oberlin.edu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Wei Yang <richardw.yang@linux.intel.com>
Message-Id: <20190219153727.62279-1-stephen.checkoway@oberlin.edu>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
This commit is contained in:
Stephen Checkoway 2019-02-19 10:37:27 -05:00 committed by Laurent Vivier
parent 7d9b68acb3
commit d80cf1eb2e
1 changed files with 11 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

15
hw/block/pflash_cfi02.c
View file

@ -84,7 +84,7 @@ struct pflash_t {
uint16_t unlock_addr0; uint16_t unlock_addr0;
uint16_t unlock_addr1; uint16_t unlock_addr1;
uint8_t cfi_table[0x52]; uint8_t cfi_table[0x52];
QEMUTimer *timer; QEMUTimer timer;
/* The device replicates the flash memory across its memory space. Emulate /* The device replicates the flash memory across its memory space. Emulate
* that by having a container (.mem) filled with an array of aliases * that by having a container (.mem) filled with an array of aliases
* (.mem_mappings) pointing to the flash memory (.orig_mem). * (.mem_mappings) pointing to the flash memory (.orig_mem).
@ -429,7 +429,7 @@ static void pflash_write (pflash_t *pfl, hwaddr offset,
} }
pfl->status = 0x00; pfl->status = 0x00;
/* Let's wait 5 seconds before chip erase is done */ /* Let's wait 5 seconds before chip erase is done */
timer_mod(pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
(NANOSECONDS_PER_SECOND * 5)); (NANOSECONDS_PER_SECOND * 5));
break; break;
case 0x30: case 0x30:
@ -444,7 +444,7 @@ static void pflash_write (pflash_t *pfl, hwaddr offset,
} }
pfl->status = 0x00; pfl->status = 0x00;
/* Let's wait 1/2 second before sector erase is done */ /* Let's wait 1/2 second before sector erase is done */
timer_mod(pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) + timer_mod(&pfl->timer, qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) +
(NANOSECONDS_PER_SECOND / 2)); (NANOSECONDS_PER_SECOND / 2));
break; break;
default: default:
@ -596,7 +596,7 @@ static void pflash_cfi02_realize(DeviceState *dev, Error **errp)
pfl->rom_mode = 1; pfl->rom_mode = 1;
sysbus_init_mmio(SYS_BUS_DEVICE(dev), &pfl->mem); sysbus_init_mmio(SYS_BUS_DEVICE(dev), &pfl->mem);
pfl->timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, pflash_timer, pfl); timer_init_ns(&pfl->timer, QEMU_CLOCK_VIRTUAL, pflash_timer, pfl);
pfl->wcycle = 0; pfl->wcycle = 0;
pfl->cmd = 0; pfl->cmd = 0;
pfl->status = 0; pfl->status = 0;
@ -695,11 +695,18 @@ static Property pflash_cfi02_properties[] = {
DEFINE_PROP_END_OF_LIST(), DEFINE_PROP_END_OF_LIST(),
}; };
static void pflash_cfi02_unrealize(DeviceState *dev, Error **errp)
{
pflash_t *pfl = CFI_PFLASH02(dev);
timer_del(&pfl->timer);
}
static void pflash_cfi02_class_init(ObjectClass *klass, void *data) static void pflash_cfi02_class_init(ObjectClass *klass, void *data)
{ {
DeviceClass *dc = DEVICE_CLASS(klass); DeviceClass *dc = DEVICE_CLASS(klass);
dc->realize = pflash_cfi02_realize; dc->realize = pflash_cfi02_realize;
dc->unrealize = pflash_cfi02_unrealize;
dc->props = pflash_cfi02_properties; dc->props = pflash_cfi02_properties;
set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);
} }