From: Kevin Wolf <kwolf@redhat.com>
To: Paul Durrant <Paul.Durrant@citrix.com>
Cc: Anthony Perard <anthony.perard@citrix.com>,
'Peter Maydell' <peter.maydell@linaro.org>,
QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] QEMU xen coverity issues
Date: Mon, 18 Feb 2019 11:58:55 +0100 [thread overview]
Message-ID: <20190218105855.GC5303@dhcp-200-176.str.redhat.com> (raw)
In-Reply-To: <1dd9342a7ee149f2beaaebc27c72fd15@AMSPEX02CL03.citrite.net>
Am 18.02.2019 um 11:28 hat Paul Durrant geschrieben:
> > -----Original Message-----
> > From: Kevin Wolf [mailto:kwolf@redhat.com]
> > Sent: 18 February 2019 10:09
> > To: Paul Durrant <Paul.Durrant@citrix.com>
> > Cc: 'Peter Maydell' <peter.maydell@linaro.org>; QEMU Developers <qemu-
> > devel@nongnu.org>; Anthony Perard <anthony.perard@citrix.com>
> > Subject: Re: [Qemu-devel] QEMU xen coverity issues
> >
> > Am 15.02.2019 um 17:20 hat Paul Durrant geschrieben:
> > > > -----Original Message-----
> > > [snip]
> > > > >
> > > > > (5) CID 1398649: resource leak in xen_block_drive_create():
> > > > >
> > > > > In hw/block/xen-block.c xen_block_drive_create() Coverity
> > > > > complains that the call "driver_layer = qdict_new()" allocates
> > > > > memory that's leaked because we don't save the pointer anywhere
> > > > > but don't deallocate it before the end of the function either.
> > > > > Coverity is not great at understanding our refcounting objects,
> > > > > but this does look like either we're missing a qobject_unref()
> > > > > or something should be keeping hold of the dictionary. Probably
> > > > > best to ask a block layer expert.
> > > >
> > > > AFAICT nothing will consume the dictionary so it does appear that
> > we're
> > > > missing an unref here.
> > >
> > > Testing proves me wrong... This one is a false positive.
> >
> > Hm, but where is it freed?
> >
> > xen_block_blockdev_add() only feeds it to an input visitor, which
> > doesn't take ownership of the QDict (and in the first error path, it
> > hasn't even done that yet).
>
> Agreed that error path does not free things... that's definitely a
> leak... but attempting to free the QDict's on return from
> xen_block_blockdev_add() certainly causes a seg fault. My assumption
> was that, having been fed through the input visitor and then through
> the output visitor in qmp_blockdev_add() that the BlockDriverState
> eventually takes ownership... but maybe that's not true?
qmp_blockdev_add() only ever sees the QAPI object, not the original
QDict, so it should be able to take ownership of it. If anything, the
visitor could do so, but I don't think it does (it takes an extra
reference, which it frees at the end, but it doesn't free the reference
it was originally passed).
Maybe worth having another look at that segfault? It could point to a
related, but separate bug.
Kevin
next prev parent reply other threads:[~2019-02-18 10:59 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-14 18:29 [Qemu-devel] QEMU xen coverity issues Peter Maydell
2019-02-15 9:21 ` Paul Durrant
2019-02-15 15:36 ` Paul Durrant
2019-02-15 16:20 ` Paul Durrant
2019-02-18 10:09 ` Kevin Wolf
2019-02-18 10:28 ` Paul Durrant
2019-02-18 10:58 ` Kevin Wolf [this message]
2019-02-19 16:17 ` Paul Durrant
2019-02-19 16:34 ` Kevin Wolf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190218105855.GC5303@dhcp-200-176.str.redhat.com \
--to=kwolf@redhat.com \
--cc=Paul.Durrant@citrix.com \
--cc=anthony.perard@citrix.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).