[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 1/9] qemu/queue.h: clear linked list pointers on remove
From: |
Stefan Hajnoczi |
Subject: |
[PULL 1/9] qemu/queue.h: clear linked list pointers on remove |
Date: |
Wed, 11 Mar 2020 12:40:37 +0000 |
Do not leave stale linked list pointers around after removal. It's
safer to set them to NULL so that use-after-removal results in an
immediate segfault.
The RCU queue removal macros are unchanged since nodes may still be
traversed after removal.
Suggested-by: Paolo Bonzini <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
Link: https://lore.kernel.org/r/address@hidden
Message-Id: <address@hidden>
---
include/qemu/queue.h | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/include/qemu/queue.h b/include/qemu/queue.h
index 294db54eb1..456a5b01ee 100644
--- a/include/qemu/queue.h
+++ b/include/qemu/queue.h
@@ -142,6 +142,8 @@ struct {
\
(elm)->field.le_next->field.le_prev = \
(elm)->field.le_prev; \
*(elm)->field.le_prev = (elm)->field.le_next; \
+ (elm)->field.le_next = NULL; \
+ (elm)->field.le_prev = NULL; \
} while (/*CONSTCOND*/0)
/*
@@ -225,12 +227,15 @@ struct {
\
} while (/*CONSTCOND*/0)
#define QSLIST_REMOVE_HEAD(head, field) do { \
- (head)->slh_first = (head)->slh_first->field.sle_next; \
+ typeof((head)->slh_first) elm = (head)->slh_first; \
+ (head)->slh_first = elm->field.sle_next; \
+ elm->field.sle_next = NULL; \
} while (/*CONSTCOND*/0)
#define QSLIST_REMOVE_AFTER(slistelm, field) do { \
- (slistelm)->field.sle_next = \
- QSLIST_NEXT(QSLIST_NEXT((slistelm), field), field); \
+ typeof(slistelm) next = (slistelm)->field.sle_next; \
+ (slistelm)->field.sle_next = next->field.sle_next; \
+ next->field.sle_next = NULL; \
} while (/*CONSTCOND*/0)
#define QSLIST_REMOVE(head, elm, type, field) do { \
@@ -241,6 +246,7 @@ struct {
\
while (curelm->field.sle_next != (elm)) \
curelm = curelm->field.sle_next; \
curelm->field.sle_next = curelm->field.sle_next->field.sle_next; \
+ (elm)->field.sle_next = NULL; \
} \
} while (/*CONSTCOND*/0)
@@ -304,8 +310,10 @@ struct {
\
} while (/*CONSTCOND*/0)
#define QSIMPLEQ_REMOVE_HEAD(head, field) do { \
- if (((head)->sqh_first = (head)->sqh_first->field.sqe_next) == NULL)\
+ typeof((head)->sqh_first) elm = (head)->sqh_first; \
+ if (((head)->sqh_first = elm->field.sqe_next) == NULL) \
(head)->sqh_last = &(head)->sqh_first; \
+ elm->field.sqe_next = NULL; \
} while (/*CONSTCOND*/0)
#define QSIMPLEQ_SPLIT_AFTER(head, elm, field, removed) do { \
@@ -329,6 +337,7 @@ struct {
\
if ((curelm->field.sqe_next = \
curelm->field.sqe_next->field.sqe_next) == NULL) \
(head)->sqh_last = &(curelm)->field.sqe_next; \
+ (elm)->field.sqe_next = NULL; \
} \
} while (/*CONSTCOND*/0)
@@ -446,6 +455,8 @@ union {
\
(head)->tqh_circ.tql_prev = (elm)->field.tqe_circ.tql_prev; \
(elm)->field.tqe_circ.tql_prev->tql_next = (elm)->field.tqe_next; \
(elm)->field.tqe_circ.tql_prev = NULL; \
+ (elm)->field.tqe_circ.tql_next = NULL; \
+ (elm)->field.tqe_next = NULL; \
} while (/*CONSTCOND*/0)
/* remove @left, @right and all elements in between from @head */
--
2.24.1
- [PULL 0/9] Block patches, Stefan Hajnoczi, 2020/03/11
- [PULL 1/9] qemu/queue.h: clear linked list pointers on remove,
Stefan Hajnoczi <=
- [PULL 2/9] aio-posix: remove confusing QLIST_SAFE_REMOVE(), Stefan Hajnoczi, 2020/03/11
- [PULL 3/9] aio-posix: completely stop polling when disabled, Stefan Hajnoczi, 2020/03/11
- [PULL 4/9] aio-posix: move RCU_READ_LOCK() into run_poll_handlers(), Stefan Hajnoczi, 2020/03/11
- [PULL 6/9] aio-posix: simplify FDMonOps->update() prototype, Stefan Hajnoczi, 2020/03/11
- [PULL 7/9] aio-posix: add io_uring fd monitoring implementation, Stefan Hajnoczi, 2020/03/11
- [PULL 9/9] aio-posix: remove idle poll handlers to improve scalability, Stefan Hajnoczi, 2020/03/11
- [PULL 8/9] aio-posix: support userspace polling of fd monitoring, Stefan Hajnoczi, 2020/03/11
- [PULL 5/9] aio-posix: extract ppoll(2) and epoll(7) fd monitoring, Stefan Hajnoczi, 2020/03/11
- Re: [PULL 0/9] Block patches, no-reply, 2020/03/11