On Sun, 1 Nov 2020 at 21:02, Alex Williamson <[email protected]> wrote:
>
> From: Kirti Wankhede <[email protected]>
>
> Whether the VFIO device supports migration or not is decided based on the
> migration region query. If the migration region query is successful and migration
> region initialization is successful, then migration is supported; else
> migration is blocked.
>
> Signed-off-by: Kirti Wankhede <[email protected]>
> Reviewed-by: Neo Jia <[email protected]>
> Acked-by: Dr. David Alan Gilbert <[email protected]>
> Reviewed-by: Cornelia Huck <[email protected]>
> Signed-off-by: Alex Williamson <[email protected]>
Hi; Coverity points out (CID 1436126) that this code has a
use-after-free:
> +int vfio_migration_probe(VFIODevice *vbasedev, Error **errp)
> +{
> + struct vfio_region_info *info = NULL;
> + Error *local_err = NULL;
> + int ret;
> +
> + ret = vfio_get_dev_region_info(vbasedev, VFIO_REGION_TYPE_MIGRATION,
> + VFIO_REGION_SUBTYPE_MIGRATION, &info);
> + if (ret) {
> + goto add_blocker;
> + }
> +
> + ret = vfio_migration_init(vbasedev, info);
> + if (ret) {
> + goto add_blocker;
> + }
> +
> + g_free(info);
> + trace_vfio_migration_probe(vbasedev->name, info->index);
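Review bot: the g_free(info) immediately before trace_vfio_migration_probe() frees the region info buffer and the tracepoint then reads info->index from it, which is the use-after-free; swap the two lines so the trace runs before the free, or copy info->index into a local before g_free(info). Separately, both error paths jump to add_blocker after vfio_get_dev_region_info() may have allocated info (certainly on the vfio_migration_init() failure path); the add_blocker label is outside this hunk, so it is worth confirming it frees info, otherwise that path leaks the allocation.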
We free info, and then access info->index. Switching the
order of the g_free() and the tracepoint seems the obvious fix.
thanks
-- PMM