[Qemu-devel] [PATCH 0/3] fix memory leaks when using object_property_get_str()

[Qemu-devel] [PATCH 0/3] fix memory leaks when using object_property_get_str()

[Greg Kurz]

According to include/qom/object.h:

/**
 * object_property_get_str:
 * @obj: the object
 * @name: the name of the property
 * @errp: returns an error if this function fails
 *
 * Returns: the value of the property, converted to a C string, or NULL if
 * an error occurs (including when the property value is not a string).
 * The caller should free the string.
 */

So I've checked all the call sites and found three places where the
string is obviously [*] leaked. Patch 2 and 3 fix very recent 2.12
commits, while patch 1 fixes a 2.4 commit (backported to 2.3.1).

Another potential candidate sits in query_memdev(), called during
the "info memdev" HMP and the "query-memdev" QMP commands, but
both take care of freeing the string eventually. Nothing to fix
there.

[*] allocated string is put in a local variable and not freed before
    returning

--
Greg

---

Greg Kurz (3):
      exec: fix memory leak in find_max_supported_pagesize()
      hw/s390x: fix memory leak in s390_init_ipl_dev()
      sev/i386: fix memory leak in sev_guest_init()


 exec.c                     |    1 +
 hw/s390x/s390-virtio-ccw.c |    5 ++++-
 target/i386/sev.c          |    4 +++-
 3 files changed, 8 insertions(+), 2 deletions(-)

[Qemu-devel] [PATCH 1/3] exec: fix memory leak in find_max_supported_pagesize()

[Greg Kurz]

The string returned by object_property_get_str() is dynamically allocated.

Signed-off-by: Greg Kurz <groug@kaod.org>
---
 exec.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/exec.c b/exec.c
index c09bd93df31e..02b1efebb7c3 100644
--- a/exec.c
+++ b/exec.c
@@ -1495,6 +1495,7 @@ static int find_max_supported_pagesize(Object *obj, void *opaque)
         mem_path = object_property_get_str(obj, "mem-path", NULL);
         if (mem_path) {
             long hpsize = qemu_mempath_getpagesize(mem_path);
+            g_free(mem_path);
             if (hpsize < *hpsize_min) {
                 *hpsize_min = hpsize;
             }

Re: [Qemu-devel] [PATCH 1/3] exec: fix memory leak in find_max_supported_pagesize()

[Cornelia Huck]

On Thu, 29 Mar 2018 11:09:46 +0200
Greg Kurz <groug@kaod.org> wrote:

> The string returned by object_property_get_str() is dynamically allocated.
> 
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
>  exec.c |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/exec.c b/exec.c
> index c09bd93df31e..02b1efebb7c3 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -1495,6 +1495,7 @@ static int find_max_supported_pagesize(Object *obj, void *opaque)
>          mem_path = object_property_get_str(obj, "mem-path", NULL);
>          if (mem_path) {
>              long hpsize = qemu_mempath_getpagesize(mem_path);
> +            g_free(mem_path);
>              if (hpsize < *hpsize_min) {
>                  *hpsize_min = hpsize;
>              }
> 

Personally, I'd probably do the g_free() at the end of the if
(mem_path) branch, but this works as well.

Reviewed-by: Cornelia Huck <cohuck@redhat.com>

Re: [Qemu-devel] [PATCH 1/3] exec: fix memory leak in find_max_supported_pagesize()

[Greg Kurz]

On Thu, 29 Mar 2018 11:18:31 +0200
Cornelia Huck <cohuck@redhat.com> wrote:

> On Thu, 29 Mar 2018 11:09:46 +0200
> Greg Kurz <groug@kaod.org> wrote:
> 
> > The string returned by object_property_get_str() is dynamically allocated.
> > 
> > Signed-off-by: Greg Kurz <groug@kaod.org>
> > ---
> >  exec.c |    1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/exec.c b/exec.c
> > index c09bd93df31e..02b1efebb7c3 100644
> > --- a/exec.c
> > +++ b/exec.c
> > @@ -1495,6 +1495,7 @@ static int find_max_supported_pagesize(Object *obj, void *opaque)
> >          mem_path = object_property_get_str(obj, "mem-path", NULL);
> >          if (mem_path) {
> >              long hpsize = qemu_mempath_getpagesize(mem_path);
> > +            g_free(mem_path);
> >              if (hpsize < *hpsize_min) {
> >                  *hpsize_min = hpsize;
> >              }
> >   
> 
> Personally, I'd probably do the g_free() at the end of the if
> (mem_path) branch, but this works as well.
> 

I usually prefer to free the string as soon as it isn't needed
anymore... matter of taste :)

> Reviewed-by: Cornelia Huck <cohuck@redhat.com>

Re: [Qemu-devel] [qemu-s390x] [PATCH 1/3] exec: fix memory leak in find_max_supported_pagesize()

[Thomas Huth]

On 29.03.2018 11:09, Greg Kurz wrote:
> The string returned by object_property_get_str() is dynamically allocated.
> 
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
>  exec.c |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/exec.c b/exec.c
> index c09bd93df31e..02b1efebb7c3 100644
> --- a/exec.c
> +++ b/exec.c
> @@ -1495,6 +1495,7 @@ static int find_max_supported_pagesize(Object *obj, void *opaque)
>          mem_path = object_property_get_str(obj, "mem-path", NULL);
>          if (mem_path) {
>              long hpsize = qemu_mempath_getpagesize(mem_path);
> +            g_free(mem_path);
>              if (hpsize < *hpsize_min) {
>                  *hpsize_min = hpsize;
>              }
> 
> 

Reviewed-by: Thomas Huth <thuth@redhat.com>

Re: [Qemu-devel] [PATCH 1/3] exec: fix memory leak in find_max_supported_pagesize()

[Eduardo Habkost]

On Thu, Mar 29, 2018 at 11:09:46AM +0200, Greg Kurz wrote:
> The string returned by object_property_get_str() is dynamically allocated.
> 
> Signed-off-by: Greg Kurz <groug@kaod.org>

Queued, thanks.

-- 
Eduardo

[Qemu-devel] [PATCH 2/3] hw/s390x: fix memory leak in s390_init_ipl_dev()

[Greg Kurz]

The string returned by object_property_get_str() is dynamically allocated.

Fixes: 3c4e9baacf4d9
Signed-off-by: Greg Kurz <groug@kaod.org>
---
 hw/s390x/s390-virtio-ccw.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index 864145a7c6f3..435f7c99e77c 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -246,6 +246,7 @@ static void s390_init_ipl_dev(const char *kernel_filename,
 {
     Object *new = object_new(TYPE_S390_IPL);
     DeviceState *dev = DEVICE(new);
+    char *netboot_fw_prop;
 
     if (kernel_filename) {
         qdev_prop_set_string(dev, "kernel", kernel_filename);
@@ -256,9 +257,11 @@ static void s390_init_ipl_dev(const char *kernel_filename,
     qdev_prop_set_string(dev, "cmdline", kernel_cmdline);
     qdev_prop_set_string(dev, "firmware", firmware);
     qdev_prop_set_bit(dev, "enforce_bios", enforce_bios);
-    if (!strlen(object_property_get_str(new, "netboot_fw", &error_abort))) {
+    netboot_fw_prop = object_property_get_str(new, "netboot_fw", &error_abort);
+    if (!strlen(netboot_fw_prop)) {
         qdev_prop_set_string(dev, "netboot_fw", netboot_fw);
     }
+    g_free(netboot_fw_prop);
     object_property_add_child(qdev_get_machine(), TYPE_S390_IPL,
                               new, NULL);
     object_unref(new);

Re: [Qemu-devel] [PATCH 2/3] hw/s390x: fix memory leak in s390_init_ipl_dev()

[Cornelia Huck]

On Thu, 29 Mar 2018 11:10:06 +0200
Greg Kurz <groug@kaod.org> wrote:

> The string returned by object_property_get_str() is dynamically allocated.
> 
> Fixes: 3c4e9baacf4d9
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
>  hw/s390x/s390-virtio-ccw.c |    5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
> index 864145a7c6f3..435f7c99e77c 100644
> --- a/hw/s390x/s390-virtio-ccw.c
> +++ b/hw/s390x/s390-virtio-ccw.c
> @@ -246,6 +246,7 @@ static void s390_init_ipl_dev(const char *kernel_filename,
>  {
>      Object *new = object_new(TYPE_S390_IPL);
>      DeviceState *dev = DEVICE(new);
> +    char *netboot_fw_prop;
>  
>      if (kernel_filename) {
>          qdev_prop_set_string(dev, "kernel", kernel_filename);
> @@ -256,9 +257,11 @@ static void s390_init_ipl_dev(const char *kernel_filename,
>      qdev_prop_set_string(dev, "cmdline", kernel_cmdline);
>      qdev_prop_set_string(dev, "firmware", firmware);
>      qdev_prop_set_bit(dev, "enforce_bios", enforce_bios);
> -    if (!strlen(object_property_get_str(new, "netboot_fw", &error_abort))) {
> +    netboot_fw_prop = object_property_get_str(new, "netboot_fw", &error_abort);
> +    if (!strlen(netboot_fw_prop)) {
>          qdev_prop_set_string(dev, "netboot_fw", netboot_fw);
>      }
> +    g_free(netboot_fw_prop);
>      object_property_add_child(qdev_get_machine(), TYPE_S390_IPL,
>                                new, NULL);
>      object_unref(new);
> 

It's a bit ugly that we need a new variable for this, but it can't be
helped.

I'll queue this to s390-fixes unless there are any complaints.

Re: [Qemu-devel] [PATCH 2/3] hw/s390x: fix memory leak in s390_init_ipl_dev()

[Igor Mammedov]

On Thu, 29 Mar 2018 11:10:06 +0200
Greg Kurz <groug@kaod.org> wrote:

> The string returned by object_property_get_str() is dynamically allocated.
> 
> Fixes: 3c4e9baacf4d9
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
>  hw/s390x/s390-virtio-ccw.c |    5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
> index 864145a7c6f3..435f7c99e77c 100644
> --- a/hw/s390x/s390-virtio-ccw.c
> +++ b/hw/s390x/s390-virtio-ccw.c
> @@ -246,6 +246,7 @@ static void s390_init_ipl_dev(const char *kernel_filename,
>  {
>      Object *new = object_new(TYPE_S390_IPL);
>      DeviceState *dev = DEVICE(new);
> +    char *netboot_fw_prop;
>  
>      if (kernel_filename) {
>          qdev_prop_set_string(dev, "kernel", kernel_filename);
> @@ -256,9 +257,11 @@ static void s390_init_ipl_dev(const char *kernel_filename,
>      qdev_prop_set_string(dev, "cmdline", kernel_cmdline);
>      qdev_prop_set_string(dev, "firmware", firmware);
>      qdev_prop_set_bit(dev, "enforce_bios", enforce_bios);
> -    if (!strlen(object_property_get_str(new, "netboot_fw", &error_abort))) {
> +    netboot_fw_prop = object_property_get_str(new, "netboot_fw", &error_abort);
> +    if (!strlen(netboot_fw_prop)) {
probably not really issue here but,
is strlen really safe in case netboot_fw_prop == NULL?

>          qdev_prop_set_string(dev, "netboot_fw", netboot_fw);
>      }
> +    g_free(netboot_fw_prop);
>      object_property_add_child(qdev_get_machine(), TYPE_S390_IPL,
>                                new, NULL);
>      object_unref(new);
> 
> 

Re: [Qemu-devel] [PATCH 2/3] hw/s390x: fix memory leak in s390_init_ipl_dev()

[Cornelia Huck]

On Thu, 29 Mar 2018 11:27:21 +0200
Igor Mammedov <imammedo@redhat.com> wrote:

> On Thu, 29 Mar 2018 11:10:06 +0200
> Greg Kurz <groug@kaod.org> wrote:
> 
> > The string returned by object_property_get_str() is dynamically allocated.
> > 
> > Fixes: 3c4e9baacf4d9
> > Signed-off-by: Greg Kurz <groug@kaod.org>
> > ---
> >  hw/s390x/s390-virtio-ccw.c |    5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
> > index 864145a7c6f3..435f7c99e77c 100644
> > --- a/hw/s390x/s390-virtio-ccw.c
> > +++ b/hw/s390x/s390-virtio-ccw.c
> > @@ -246,6 +246,7 @@ static void s390_init_ipl_dev(const char *kernel_filename,
> >  {
> >      Object *new = object_new(TYPE_S390_IPL);
> >      DeviceState *dev = DEVICE(new);
> > +    char *netboot_fw_prop;
> >  
> >      if (kernel_filename) {
> >          qdev_prop_set_string(dev, "kernel", kernel_filename);
> > @@ -256,9 +257,11 @@ static void s390_init_ipl_dev(const char *kernel_filename,
> >      qdev_prop_set_string(dev, "cmdline", kernel_cmdline);
> >      qdev_prop_set_string(dev, "firmware", firmware);
> >      qdev_prop_set_bit(dev, "enforce_bios", enforce_bios);
> > -    if (!strlen(object_property_get_str(new, "netboot_fw", &error_abort))) {
> > +    netboot_fw_prop = object_property_get_str(new, "netboot_fw", &error_abort);
> > +    if (!strlen(netboot_fw_prop)) {  
> probably not really issue here but,
> is strlen really safe in case netboot_fw_prop == NULL?

It will always be != NULL IIUC.

> 
> >          qdev_prop_set_string(dev, "netboot_fw", netboot_fw);
> >      }
> > +    g_free(netboot_fw_prop);
> >      object_property_add_child(qdev_get_machine(), TYPE_S390_IPL,
> >                                new, NULL);
> >      object_unref(new);
> > 
> >   
> 

Re: [Qemu-devel] [PATCH 2/3] hw/s390x: fix memory leak in s390_init_ipl_dev()

[Greg Kurz]

On Thu, 29 Mar 2018 11:27:21 +0200
Igor Mammedov <imammedo@redhat.com> wrote:

> On Thu, 29 Mar 2018 11:10:06 +0200
> Greg Kurz <groug@kaod.org> wrote:
> 
> > The string returned by object_property_get_str() is dynamically allocated.
> > 
> > Fixes: 3c4e9baacf4d9
> > Signed-off-by: Greg Kurz <groug@kaod.org>
> > ---
> >  hw/s390x/s390-virtio-ccw.c |    5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
> > index 864145a7c6f3..435f7c99e77c 100644
> > --- a/hw/s390x/s390-virtio-ccw.c
> > +++ b/hw/s390x/s390-virtio-ccw.c
> > @@ -246,6 +246,7 @@ static void s390_init_ipl_dev(const char *kernel_filename,
> >  {
> >      Object *new = object_new(TYPE_S390_IPL);
> >      DeviceState *dev = DEVICE(new);
> > +    char *netboot_fw_prop;
> >  
> >      if (kernel_filename) {
> >          qdev_prop_set_string(dev, "kernel", kernel_filename);
> > @@ -256,9 +257,11 @@ static void s390_init_ipl_dev(const char *kernel_filename,
> >      qdev_prop_set_string(dev, "cmdline", kernel_cmdline);
> >      qdev_prop_set_string(dev, "firmware", firmware);
> >      qdev_prop_set_bit(dev, "enforce_bios", enforce_bios);
> > -    if (!strlen(object_property_get_str(new, "netboot_fw", &error_abort))) {
> > +    netboot_fw_prop = object_property_get_str(new, "netboot_fw", &error_abort);
> > +    if (!strlen(netboot_fw_prop)) {  
> probably not really issue here but,
> is strlen really safe in case netboot_fw_prop == NULL?
> 

You're right, object_property_get_str() can theoretically return NULL and
strlen() would crash... Not sure how this would happen though. Anyway, the
current code doesn't check if object_property_get_str() returns NULL so
if this needs to be fixed as well, let's do it in a followup patch.

> >          qdev_prop_set_string(dev, "netboot_fw", netboot_fw);
> >      }
> > +    g_free(netboot_fw_prop);
> >      object_property_add_child(qdev_get_machine(), TYPE_S390_IPL,
> >                                new, NULL);
> >      object_unref(new);
> > 
> >   
> 

Re: [Qemu-devel] [PATCH 2/3] hw/s390x: fix memory leak in s390_init_ipl_dev()

[Cornelia Huck]

On Thu, 29 Mar 2018 11:39:41 +0200
Greg Kurz <groug@kaod.org> wrote:

> On Thu, 29 Mar 2018 11:27:21 +0200
> Igor Mammedov <imammedo@redhat.com> wrote:
> 
> > On Thu, 29 Mar 2018 11:10:06 +0200
> > Greg Kurz <groug@kaod.org> wrote:
> >   
> > > The string returned by object_property_get_str() is dynamically allocated.
> > > 
> > > Fixes: 3c4e9baacf4d9
> > > Signed-off-by: Greg Kurz <groug@kaod.org>
> > > ---
> > >  hw/s390x/s390-virtio-ccw.c |    5 ++++-
> > >  1 file changed, 4 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
> > > index 864145a7c6f3..435f7c99e77c 100644
> > > --- a/hw/s390x/s390-virtio-ccw.c
> > > +++ b/hw/s390x/s390-virtio-ccw.c
> > > @@ -246,6 +246,7 @@ static void s390_init_ipl_dev(const char *kernel_filename,
> > >  {
> > >      Object *new = object_new(TYPE_S390_IPL);
> > >      DeviceState *dev = DEVICE(new);
> > > +    char *netboot_fw_prop;
> > >  
> > >      if (kernel_filename) {
> > >          qdev_prop_set_string(dev, "kernel", kernel_filename);
> > > @@ -256,9 +257,11 @@ static void s390_init_ipl_dev(const char *kernel_filename,
> > >      qdev_prop_set_string(dev, "cmdline", kernel_cmdline);
> > >      qdev_prop_set_string(dev, "firmware", firmware);
> > >      qdev_prop_set_bit(dev, "enforce_bios", enforce_bios);
> > > -    if (!strlen(object_property_get_str(new, "netboot_fw", &error_abort))) {
> > > +    netboot_fw_prop = object_property_get_str(new, "netboot_fw", &error_abort);
> > > +    if (!strlen(netboot_fw_prop)) {    
> > probably not really issue here but,
> > is strlen really safe in case netboot_fw_prop == NULL?
> >   
> 
> You're right, object_property_get_str() can theoretically return NULL and
> strlen() would crash... Not sure how this would happen though. Anyway, the
> current code doesn't check if object_property_get_str() returns NULL so
> if this needs to be fixed as well, let's do it in a followup patch.

I don't think so - if the attribute exists, we'll always get != NULL if
I read the code correctly.

> 
> > >          qdev_prop_set_string(dev, "netboot_fw", netboot_fw);
> > >      }
> > > +    g_free(netboot_fw_prop);
> > >      object_property_add_child(qdev_get_machine(), TYPE_S390_IPL,
> > >                                new, NULL);
> > >      object_unref(new);
> > > 
> > >     
> >   
> 

Re: [Qemu-devel] [qemu-s390x] [PATCH 2/3] hw/s390x: fix memory leak in s390_init_ipl_dev()

[Thomas Huth]

On 29.03.2018 12:31, Cornelia Huck wrote:
> On Thu, 29 Mar 2018 11:39:41 +0200
> Greg Kurz <groug@kaod.org> wrote:
> 
>> On Thu, 29 Mar 2018 11:27:21 +0200
>> Igor Mammedov <imammedo@redhat.com> wrote:
>>
>>> On Thu, 29 Mar 2018 11:10:06 +0200
>>> Greg Kurz <groug@kaod.org> wrote:
>>>   
>>>> The string returned by object_property_get_str() is dynamically allocated.
>>>>
>>>> Fixes: 3c4e9baacf4d9
>>>> Signed-off-by: Greg Kurz <groug@kaod.org>
>>>> ---
>>>>  hw/s390x/s390-virtio-ccw.c |    5 ++++-
>>>>  1 file changed, 4 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
>>>> index 864145a7c6f3..435f7c99e77c 100644
>>>> --- a/hw/s390x/s390-virtio-ccw.c
>>>> +++ b/hw/s390x/s390-virtio-ccw.c
>>>> @@ -246,6 +246,7 @@ static void s390_init_ipl_dev(const char *kernel_filename,
>>>>  {
>>>>      Object *new = object_new(TYPE_S390_IPL);
>>>>      DeviceState *dev = DEVICE(new);
>>>> +    char *netboot_fw_prop;
>>>>  
>>>>      if (kernel_filename) {
>>>>          qdev_prop_set_string(dev, "kernel", kernel_filename);
>>>> @@ -256,9 +257,11 @@ static void s390_init_ipl_dev(const char *kernel_filename,
>>>>      qdev_prop_set_string(dev, "cmdline", kernel_cmdline);
>>>>      qdev_prop_set_string(dev, "firmware", firmware);
>>>>      qdev_prop_set_bit(dev, "enforce_bios", enforce_bios);
>>>> -    if (!strlen(object_property_get_str(new, "netboot_fw", &error_abort))) {
>>>> +    netboot_fw_prop = object_property_get_str(new, "netboot_fw", &error_abort);
>>>> +    if (!strlen(netboot_fw_prop)) {    
>>> probably not really issue here but,
>>> is strlen really safe in case netboot_fw_prop == NULL?
>>>   
>>
>> You're right, object_property_get_str() can theoretically return NULL and
>> strlen() would crash... Not sure how this would happen though. Anyway, the
>> current code doesn't check if object_property_get_str() returns NULL so
>> if this needs to be fixed as well, let's do it in a followup patch.
> 
> I don't think so - if the attribute exists, we'll always get != NULL if
> I read the code correctly.

Right, the property is always there, so this should never be NULL.

 Thomas

Re: [Qemu-devel] [qemu-s390x] [PATCH 2/3] hw/s390x: fix memory leak in s390_init_ipl_dev()

[Thomas Huth]

On 29.03.2018 11:10, Greg Kurz wrote:
> The string returned by object_property_get_str() is dynamically allocated.
> 
> Fixes: 3c4e9baacf4d9
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
>  hw/s390x/s390-virtio-ccw.c |    5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
> index 864145a7c6f3..435f7c99e77c 100644
> --- a/hw/s390x/s390-virtio-ccw.c
> +++ b/hw/s390x/s390-virtio-ccw.c
> @@ -246,6 +246,7 @@ static void s390_init_ipl_dev(const char *kernel_filename,
>  {
>      Object *new = object_new(TYPE_S390_IPL);
>      DeviceState *dev = DEVICE(new);
> +    char *netboot_fw_prop;
>  
>      if (kernel_filename) {
>          qdev_prop_set_string(dev, "kernel", kernel_filename);
> @@ -256,9 +257,11 @@ static void s390_init_ipl_dev(const char *kernel_filename,
>      qdev_prop_set_string(dev, "cmdline", kernel_cmdline);
>      qdev_prop_set_string(dev, "firmware", firmware);
>      qdev_prop_set_bit(dev, "enforce_bios", enforce_bios);
> -    if (!strlen(object_property_get_str(new, "netboot_fw", &error_abort))) {
> +    netboot_fw_prop = object_property_get_str(new, "netboot_fw", &error_abort);
> +    if (!strlen(netboot_fw_prop)) {
>          qdev_prop_set_string(dev, "netboot_fw", netboot_fw);
>      }
> +    g_free(netboot_fw_prop);
>      object_property_add_child(qdev_get_machine(), TYPE_S390_IPL,
>                                new, NULL);
>      object_unref(new);
> 
> 

Reviewed-by: Thomas Huth <thuth@redhat.com>

Re: [Qemu-devel] [PATCH 2/3] hw/s390x: fix memory leak in s390_init_ipl_dev()

[Cornelia Huck]

On Thu, 29 Mar 2018 11:10:06 +0200
Greg Kurz <groug@kaod.org> wrote:

> The string returned by object_property_get_str() is dynamically allocated.
> 
> Fixes: 3c4e9baacf4d9
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
>  hw/s390x/s390-virtio-ccw.c |    5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)

Thanks, queued to s390-fixes.

[Qemu-devel] [PATCH 3/3] sev/i386: fix memory leak in sev_guest_init()

[Greg Kurz]

The string returned by object_property_get_str() is dynamically allocated.

Fixes: d8575c6c0242b
Signed-off-by: Greg Kurz <groug@kaod.org>
---
 target/i386/sev.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/target/i386/sev.c b/target/i386/sev.c
index 019d84cef2c7..c01167143f1c 100644
--- a/target/i386/sev.c
+++ b/target/i386/sev.c
@@ -748,9 +748,11 @@ sev_guest_init(const char *id)
     if (s->sev_fd < 0) {
         error_report("%s: Failed to open %s '%s'", __func__,
                      devname, strerror(errno));
-        goto err;
     }
     g_free(devname);
+    if (s->sev_fd < 0) {
+        goto err;
+    }
 
     ret = sev_platform_ioctl(s->sev_fd, SEV_PLATFORM_STATUS, &status,
                              &fw_error);

Re: [Qemu-devel] [PATCH 3/3] sev/i386: fix memory leak in sev_guest_init()

[Cornelia Huck]

On Thu, 29 Mar 2018 11:10:21 +0200
Greg Kurz <groug@kaod.org> wrote:

> The string returned by object_property_get_str() is dynamically allocated.
> 
> Fixes: d8575c6c0242b
> Signed-off-by: Greg Kurz <groug@kaod.org>
> ---
>  target/i386/sev.c |    4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/target/i386/sev.c b/target/i386/sev.c
> index 019d84cef2c7..c01167143f1c 100644
> --- a/target/i386/sev.c
> +++ b/target/i386/sev.c
> @@ -748,9 +748,11 @@ sev_guest_init(const char *id)
>      if (s->sev_fd < 0) {
>          error_report("%s: Failed to open %s '%s'", __func__,
>                       devname, strerror(errno));
> -        goto err;
>      }
>      g_free(devname);
> +    if (s->sev_fd < 0) {
> +        goto err;
> +    }
>  
>      ret = sev_platform_ioctl(s->sev_fd, SEV_PLATFORM_STATUS, &status,
>                               &fw_error);
> 

I would probably add an extra g_free(devname) right before the goto
err, but this works as well, obviously.

Reviewed-by: Cornelia Huck <cohuck@redhat.com>

Re: [Qemu-devel] [PATCH 3/3] sev/i386: fix memory leak in sev_guest_init()

[Greg Kurz]

On Thu, 29 Mar 2018 11:24:16 +0200
Cornelia Huck <cohuck@redhat.com> wrote:

> On Thu, 29 Mar 2018 11:10:21 +0200
> Greg Kurz <groug@kaod.org> wrote:
> 
> > The string returned by object_property_get_str() is dynamically allocated.
> > 
> > Fixes: d8575c6c0242b
> > Signed-off-by: Greg Kurz <groug@kaod.org>
> > ---
> >  target/i386/sev.c |    4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > 
> > diff --git a/target/i386/sev.c b/target/i386/sev.c
> > index 019d84cef2c7..c01167143f1c 100644
> > --- a/target/i386/sev.c
> > +++ b/target/i386/sev.c
> > @@ -748,9 +748,11 @@ sev_guest_init(const char *id)
> >      if (s->sev_fd < 0) {
> >          error_report("%s: Failed to open %s '%s'", __func__,
> >                       devname, strerror(errno));
> > -        goto err;
> >      }
> >      g_free(devname);
> > +    if (s->sev_fd < 0) {
> > +        goto err;
> > +    }
> >  
> >      ret = sev_platform_ioctl(s->sev_fd, SEV_PLATFORM_STATUS, &status,
> >                               &fw_error);
> >   
> 
> I would probably add an extra g_free(devname) right before the goto
> err, but this works as well, obviously.
> 

An alternative could have been to use glib's g_autofree macro, which
is especially designed to handle the case where an allocated buffer is
put in a local variable and we want g_free() to be called when the
variable goes out of scope. Unfortunately it requires glib >= 2.44 and
we're still at 2.22 AFAIK.

https://developer.gnome.org/glib/unstable/glib-Miscellaneous-Macros.html#g-autofree

> Reviewed-by: Cornelia Huck <cohuck@redhat.com>

Re: [Qemu-devel] [qemu-s390x] [PATCH 3/3] sev/i386: fix memory leak in sev_guest_init()

[Thomas Huth]

On 29.03.2018 11:24, Cornelia Huck wrote:
> On Thu, 29 Mar 2018 11:10:21 +0200
> Greg Kurz <groug@kaod.org> wrote:
> 
>> The string returned by object_property_get_str() is dynamically allocated.
>>
>> Fixes: d8575c6c0242b
>> Signed-off-by: Greg Kurz <groug@kaod.org>
>> ---
>>  target/i386/sev.c |    4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/target/i386/sev.c b/target/i386/sev.c
>> index 019d84cef2c7..c01167143f1c 100644
>> --- a/target/i386/sev.c
>> +++ b/target/i386/sev.c
>> @@ -748,9 +748,11 @@ sev_guest_init(const char *id)
>>      if (s->sev_fd < 0) {
>>          error_report("%s: Failed to open %s '%s'", __func__,
>>                       devname, strerror(errno));
>> -        goto err;
>>      }
>>      g_free(devname);
>> +    if (s->sev_fd < 0) {
>> +        goto err;
>> +    }
>>  
>>      ret = sev_platform_ioctl(s->sev_fd, SEV_PLATFORM_STATUS, &status,
>>                               &fw_error);
>>
> 
> I would probably add an extra g_free(devname) right before the goto
> err, but this works as well, obviously.

Or maybe remove devname from the error_report ("%s: Failed to open
sev-device '%s', __func__ strerror(errno)) and move the g_free right
before the if-statement?

Anyway:

Reviewed-by: Thomas Huth <thuth@redhat.com>

Re: [Qemu-devel] [PATCH 3/3] sev/i386: fix memory leak in sev_guest_init()

[Eduardo Habkost]

On Thu, Mar 29, 2018 at 11:10:21AM +0200, Greg Kurz wrote:
> The string returned by object_property_get_str() is dynamically allocated.
> 
> Fixes: d8575c6c0242b
> Signed-off-by: Greg Kurz <groug@kaod.org>

Queued, thanks.

-- 
Eduardo

Re: [Qemu-devel] [PATCH 0/3] fix memory leaks when using object_property_get_str()

[no-reply]

Hi,

This series failed docker-quick@centos6 build test. Please find the testing commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

Type: series
Message-id: 152231456507.69730.15601462044394150786.stgit@bahia.lan
Subject: [Qemu-devel] [PATCH 0/3] fix memory leaks when using object_property_get_str()

=== TEST SCRIPT BEGIN ===
#!/bin/bash
set -e
git submodule update --init dtc
# Let docker tests dump environment info
export SHOW_ENV=1
export J=8
time make docker-test-quick@centos6
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
Switched to a new branch 'test'
15abdd963a sev/i386: fix memory leak in sev_guest_init()
20c477c6c5 hw/s390x: fix memory leak in s390_init_ipl_dev()
1937ef1647 exec: fix memory leak in find_max_supported_pagesize()

=== OUTPUT BEGIN ===
Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 'dtc'
Cloning into '/var/tmp/patchew-tester-tmp-5hf354ro/src/dtc'...
Submodule path 'dtc': checked out 'e54388015af1fb4bf04d0bca99caba1074d9cc42'
  BUILD   centos6
make[1]: Entering directory '/var/tmp/patchew-tester-tmp-5hf354ro/src'
  GEN     /var/tmp/patchew-tester-tmp-5hf354ro/src/docker-src.2018-03-31-02.38.14.30460/qemu.tar
Cloning into '/var/tmp/patchew-tester-tmp-5hf354ro/src/docker-src.2018-03-31-02.38.14.30460/qemu.tar.vroot'...
done.
Checking out files:  37% (2296/6066)   
Checking out files:  38% (2306/6066)   
Checking out files:  39% (2366/6066)   
Checking out files:  40% (2427/6066)   
Checking out files:  40% (2434/6066)   
Checking out files:  41% (2488/6066)   
Checking out files:  42% (2548/6066)   
Checking out files:  43% (2609/6066)   
Checking out files:  44% (2670/6066)   
Checking out files:  45% (2730/6066)   
Checking out files:  46% (2791/6066)   
Checking out files:  47% (2852/6066)   
Checking out files:  48% (2912/6066)   
Checking out files:  49% (2973/6066)   
Checking out files:  50% (3033/6066)   
Checking out files:  51% (3094/6066)   
Checking out files:  52% (3155/6066)   
Checking out files:  53% (3215/6066)   
Checking out files:  54% (3276/6066)   
Checking out files:  55% (3337/6066)   
Checking out files:  56% (3397/6066)   
Checking out files:  57% (3458/6066)   
Checking out files:  58% (3519/6066)   
Checking out files:  59% (3579/6066)   
Checking out files:  60% (3640/6066)   
Checking out files:  61% (3701/6066)   
Checking out files:  62% (3761/6066)   
Checking out files:  63% (3822/6066)   
Checking out files:  64% (3883/6066)   
Checking out files:  65% (3943/6066)   
Checking out files:  66% (4004/6066)   
Checking out files:  67% (4065/6066)   
Checking out files:  68% (4125/6066)   
Checking out files:  69% (4186/6066)   
Checking out files:  70% (4247/6066)   
Checking out files:  71% (4307/6066)   
Checking out files:  72% (4368/6066)   
Checking out files:  73% (4429/6066)   
Checking out files:  74% (4489/6066)   
Checking out files:  75% (4550/6066)   
Checking out files:  76% (4611/6066)   
Checking out files:  77% (4671/6066)   
Checking out files:  78% (4732/6066)   
Checking out files:  79% (4793/6066)   
Checking out files:  80% (4853/6066)   
Checking out files:  81% (4914/6066)   
Checking out files:  82% (4975/6066)   
Checking out files:  83% (5035/6066)   
Checking out files:  84% (5096/6066)   
Checking out files:  85% (5157/6066)   
Checking out files:  86% (5217/6066)   
Checking out files:  87% (5278/6066)   
Checking out files:  88% (5339/6066)   
Checking out files:  89% (5399/6066)   
Checking out files:  90% (5460/6066)   
Checking out files:  91% (5521/6066)   
Checking out files:  92% (5581/6066)   
Checking out files:  93% (5642/6066)   
Checking out files:  94% (5703/6066)   
Checking out files:  95% (5763/6066)   
Checking out files:  96% (5824/6066)   
Checking out files:  97% (5885/6066)   
Checking out files:  98% (5945/6066)   
Checking out files:  99% (6006/6066)   
Checking out files:  99% (6053/6066)   
Checking out files: 100% (6066/6066)   
Checking out files: 100% (6066/6066), done.
Your branch is up-to-date with 'origin/test'.
Submodule 'dtc' (git://git.qemu-project.org/dtc.git) registered for path 'dtc'
Cloning into '/var/tmp/patchew-tester-tmp-5hf354ro/src/docker-src.2018-03-31-02.38.14.30460/qemu.tar.vroot/dtc'...
Submodule path 'dtc': checked out 'e54388015af1fb4bf04d0bca99caba1074d9cc42'
Submodule 'ui/keycodemapdb' (git://git.qemu.org/keycodemapdb.git) registered for path 'ui/keycodemapdb'
Cloning into '/var/tmp/patchew-tester-tmp-5hf354ro/src/docker-src.2018-03-31-02.38.14.30460/qemu.tar.vroot/ui/keycodemapdb'...
Submodule path 'ui/keycodemapdb': checked out '6b3d716e2b6472eb7189d3220552280ef3d832ce'
tar: /var/tmp/patchew-tester-tmp-5hf354ro/src/docker-src.2018-03-31-02.38.14.30460/qemu.tar: Wrote only 4096 of 10240 bytes
tar: Error is not recoverable: exiting now
failed to create tar file
  COPY    RUNNER
    RUN test-quick in qemu:centos6 
tar: Unexpected EOF in archive
tar: Unexpected EOF in archive
tar: Error is not recoverable: exiting now
/var/tmp/qemu/run: line 32: prep_fail: command not found
Packages installed:
SDL-devel-1.2.14-7.el6_7.1.x86_64
bison-2.4.1-5.el6.x86_64
bzip2-devel-1.0.5-7.el6_0.x86_64
ccache-3.1.6-2.el6.x86_64
csnappy-devel-0-6.20150729gitd7bc683.el6.x86_64
flex-2.5.35-9.el6.x86_64
gcc-4.4.7-18.el6.x86_64
gettext-0.17-18.el6.x86_64
git-1.7.1-9.el6_9.x86_64
glib2-devel-2.28.8-9.el6.x86_64
libepoxy-devel-1.2-3.el6.x86_64
libfdt-devel-1.4.0-1.el6.x86_64
librdmacm-devel-1.0.21-0.el6.x86_64
lzo-devel-2.03-3.1.el6_5.1.x86_64
make-3.81-23.el6.x86_64
mesa-libEGL-devel-11.0.7-4.el6.x86_64
mesa-libgbm-devel-11.0.7-4.el6.x86_64
package g++ is not installed
pixman-devel-0.32.8-1.el6.x86_64
spice-glib-devel-0.26-8.el6.x86_64
spice-server-devel-0.12.4-16.el6.x86_64
tar-1.23-15.el6_8.x86_64
vte-devel-0.25.1-9.el6.x86_64
xen-devel-4.6.6-2.el6.x86_64
zlib-devel-1.2.3-29.el6.x86_64

Environment variables:
PACKAGES=bison     bzip2-devel     ccache     csnappy-devel     flex     g++     gcc     gettext     git     glib2-devel     libepoxy-devel     libfdt-devel     librdmacm-devel     lzo-devel     make     mesa-libEGL-devel     mesa-libgbm-devel     pixman-devel     SDL-devel     spice-glib-devel     spice-server-devel     tar     vte-devel     xen-devel     zlib-devel
HOSTNAME=aaf309766531
MAKEFLAGS= -j8
J=8
CCACHE_DIR=/var/tmp/ccache
EXTRA_CONFIGURE_OPTS=
V=
SHOW_ENV=1
PATH=/usr/lib/ccache:/usr/lib64/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
TARGET_LIST=
SHLVL=1
HOME=/root
TEST_DIR=/tmp/qemu-test
FEATURES= dtc
DEBUG=
_=/usr/bin/env

Configure options:
--enable-werror --target-list=x86_64-softmmu,aarch64-softmmu --prefix=/tmp/qemu-test/install

ERROR: DTC (libfdt) version >= 1.4.2 not present.
       Please install the DTC (libfdt) devel package

Traceback (most recent call last):
  File "./tests/docker/docker.py", line 407, in <module>
    sys.exit(main())
  File "./tests/docker/docker.py", line 404, in main
    return args.cmdobj.run(args, argv)
  File "./tests/docker/docker.py", line 261, in run
    return Docker().run(argv, args.keep, quiet=args.quiet)
  File "./tests/docker/docker.py", line 229, in run
    quiet=quiet)
  File "./tests/docker/docker.py", line 147, in _do_check
    return subprocess.check_call(self._command + cmd, **kwargs)
  File "/usr/lib64/python2.7/subprocess.py", line 186, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['docker', 'run', '--label', 'com.qemu.instance.uuid=27d925ee34ae11e8a8ee52540069c830', '-u', '0', '--security-opt', 'seccomp=unconfined', '--rm', '--net=none', '-e', 'TARGET_LIST=', '-e', 'EXTRA_CONFIGURE_OPTS=', '-e', 'V=', '-e', 'J=8', '-e', 'DEBUG=', '-e', 'SHOW_ENV=1', '-e', 'CCACHE_DIR=/var/tmp/ccache', '-v', '/root/.cache/qemu-docker-ccache:/var/tmp/ccache:z', '-v', '/var/tmp/patchew-tester-tmp-5hf354ro/src/docker-src.2018-03-31-02.38.14.30460:/var/tmp/qemu:z,ro', 'qemu:centos6', '/var/tmp/qemu/run', 'test-quick']' returned non-zero exit status 1
make[1]: *** [tests/docker/Makefile.include:129: docker-run] Error 1
make[1]: Leaving directory '/var/tmp/patchew-tester-tmp-5hf354ro/src'
make: *** [tests/docker/Makefile.include:163: docker-run-test-quick@centos6] Error 2

real	1m0.928s
user	0m9.519s
sys	0m6.815s
=== OUTPUT END ===

Test command exited with code: 2


---
Email generated automatically by Patchew [http://patchew.org/].
Please send your feedback to patchew-devel@redhat.com