* [PATCH] hw/timer/hpet: fix memory leak in hpet_del_timer()
@ 2025-03-27 10:31 Zheng Huang
From: Zheng Huang @ 2025-03-27 10:31 UTC (permalink / raw)
To: qemu-devel; +Cc: mst
Hi,
This patch addresses a memory leak bug in the function `hpet_del_timer()`.
The issue arises from the incorrect use of the ambiguous timer API
`timer_del()`, which does not free the timer object. The leak sanitizer
reports this issue during fuzzing. The correct API, `timer_free()`, was
introduced 4 years ago, but the usage in issue dates back 12 years, which
led to this problem.
Also, I'd like to ask for a way to fix all 100+ wrong usages. In my
opinion, the best way to fix this is to hide the `timer_del()` API and
eliminate all usages of it.
Signed-off-by: Zheng Huang <hz1624917200@outlook.com>
---
hw/timer/hpet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
index dcff18a987..0162f4cc32 100644
--- a/hw/timer/hpet.c
+++ b/hw/timer/hpet.c
@@ -428,7 +428,7 @@ static void hpet_set_timer(HPETTimer *t)
static void hpet_del_timer(HPETTimer *t)
{
HPETState *s = t->state;
- timer_del(t->qemu_timer);
+ timer_free(t->qemu_timer);
if (s->isr & (1 << t->tn)) {
/* For level-triggered interrupt, this leaves ISR set but lowers irq. */
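Review bot: this change risks trading the leak for a use-after-free at the `timer_free(t->qemu_timer);` line. `timer_del()` only disarms a QEMUTimer, whereas `timer_free()` disarms it and frees the object, so after this hunk `t->qemu_timer` is left dangling for as long as the HPETTimer itself lives. The hunk header shows `hpet_set_timer(HPETTimer *t)` immediately above, and hpet_del_timer/hpet_set_timer read as a disarm/arm pair operating on a long-lived per-timer object; if any path (guest disabling and later re-enabling the timer, or a reset) calls hpet_set_timer after hpet_del_timer on the same HPETTimer, it will arm freed memory. If the QEMUTimer is allocated once per HPETTimer at device init, the leak should be fixed in the device's teardown path, freeing it together with the other per-timer state when the HPETState goes away, and this line should stay `timer_del(t->qemu_timer);`. Otherwise the commit message needs to show where `t->qemu_timer` is allocated and why no re-arm can follow this call.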
--
2.34.1