fridtjof/qemu-cr16
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

hw/nvme: Fix bootindex suffix use-after-free

Browse source 
The bootindex suffix can be used as long as the property is alive.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260125-nvme-v1-5-0658c31fade9@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit eda9baa17a2854494709a8094419ba6a6901721d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
This commit is contained in:
Akihiko Odaki 2026-01-25 15:42:47 +09:00 committed by Michael Tokarev
parent a2fbfefbb7
commit 89f7d4fb13
2 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

7
hw/nvme/ns.c
View file

@ -944,12 +944,11 @@ static void nvme_ns_class_init(ObjectClass *oc, const void *data)
static void nvme_ns_instance_init(Object *obj)
{
NvmeNamespace *ns = NVME_NS(obj);
char *bootindex = g_strdup_printf("/namespace@%d,0", ns->params.nsid);
sprintf(ns->bootindex_suffix, "/namespace@%" PRIu32 ",0", ns->params.nsid);
device_add_bootindex_property(obj, &ns->bootindex, "bootindex",
bootindex, DEVICE(obj));
g_free(bootindex);
ns->bootindex_suffix, DEVICE(obj));
}
static const TypeInfo nvme_ns_info = {

1
hw/nvme/nvme.h
View file

@ -239,6 +239,7 @@ typedef struct NvmeNamespace {
DeviceState parent_obj;
BlockConf blkconf;
int32_t bootindex;
char bootindex_suffix[24];
int64_t size;
int64_t moff;
NvmeIdNs id_ns;