Re: [PULL 27/32] hw/ppc: Preserve memory regions registered for fadump

Mon, 27 Oct 2025 06:08:21 -0700 

On Thu, 23 Oct 2025 at 13:25, Harsh Prateek Bora <[email protected]> wrote:
>
> From: Aditya Gupta <[email protected]>
>
> While the first kernel boots, it registers memory regions for fadump
> such as:
>     * CPU state data  (has to be populated by the platform)
>     * HPTE state data (has to be populated by the platform)
>     * Real Mode Regions (platform should copy it to requested
>       destination addresses)
>     * OS defined regions (such as parameter save area)
>
> Platform is also expected to modify the 'bytes_dumped' to the length of
> data preserved/copied by platform (ideally same as the source length
> passed by kernel).
>
> The kernel passes source address and length for the memory regions, and
> a destination address to where the memory is to be copied.
>
> Implement the preserving/copying of the Real Mode Regions and the
> Parameter Save Area in QEMU Pseries
>
> The regions are copied in chunks instead of copying all at once.

Hi; Coverity notes a bug in this code (CID 1642026):

> +static bool do_preserve_region(FadumpSection *region)
> +{
> +    AddressSpace *default_as = &address_space_memory;
> +    MemTxResult io_result;
> +    MemTxAttrs attrs;
> +    uint64_t src_addr, src_len, dest_addr;
> +    uint64_t num_chunks;
> +    g_autofree void *copy_buffer = NULL;
> +
> +    src_addr  = be64_to_cpu(region->source_address);
> +    src_len   = be64_to_cpu(region->source_len);
> +    dest_addr = be64_to_cpu(region->destination_address);
> +
> +    /* Mark the memory transaction as privileged memory access */
> +    attrs.user = 0;
> +    attrs.memory = 1;
> +
> +    /*
> +     * Optimisation: Skip copy if source and destination are same
> +     * (eg. param area)
> +     */
> +    if (src_addr == dest_addr) {
> +        region->bytes_dumped = cpu_to_be64(src_len);
> +        return true;
> +    }
> +
> +#define FADUMP_CHUNK_SIZE  ((size_t)(32 * MiB))
> +    copy_buffer = g_try_malloc(FADUMP_CHUNK_SIZE);
> +    if (copy_buffer == NULL) {
> +        qemu_log_mask(LOG_GUEST_ERROR,
> +            "FADump: Failed allocating memory (size: %zu) for copying"
> +            " reserved memory regions\n", FADUMP_CHUNK_SIZE);
> +    }

Here we do a might-fail malloc, and check for error. But the
error case doesn't return, so after logging the error
execution will keep going in the function and segfault
when we try to use the NULL pointer as a destination buffer.

thanks
-- PMM

Reply via email to