qemu-devel.nongnu.org archive mirror
From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: "Zheng Huang" <hz1624917200@gmail.com>,
	"Zheng Huang" <hz1624917200@outlook.com>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>
Subject: [PULL 13/23] hw/scsi/lsi53c895a: fix memory leak in lsi_scsi_realize()
Date: Mon, 31 Mar 2025 21:48:11 +0200
Message-ID: <20250331194822.77309-14-philmd@linaro.org>
In-Reply-To: <20250331194822.77309-1-philmd@linaro.org>

From: Zheng Huang <hz1624917200@gmail.com>

Address a memory leak bug in the usages of timer_del().

The issue arises from the incorrect use of the ambiguous timer API
timer_del(), which does not free the timer object. LeakSanitizer
reported this issue during fuzzing. The correct API, timer_free(), frees
the timer object instead.

=================================================================
==2586273==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x55f2afd89879 in calloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:75:3
    #1 0x7f443b93ac50 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ec50)
    #2 0x55f2b053962e in timer_new include/qemu/timer.h:542:12
    #3 0x55f2b0514771 in timer_new_us include/qemu/timer.h:582:12
    #4 0x55f2b0514288 in lsi_scsi_realize hw/scsi/lsi53c895a.c:2350:24
    #5 0x55f2b0452d26 in pci_qdev_realize hw/pci/pci.c:2174:9

Signed-off-by: Zheng Huang <hz1624917200@outlook.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <73cd69f9-ff9b-4cd4-b8aa-265f9d6067b9@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
 hw/scsi/lsi53c895a.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index d85e384ad63..6689ebba25b 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -2372,7 +2372,7 @@ static void lsi_scsi_exit(PCIDevice *dev)
     LSIState *s = LSI53C895A(dev);
 
     address_space_destroy(&s->pci_io_as);
-    timer_del(s->scripts_timer);
+    timer_free(s->scripts_timer);
 }
 
 static void lsi_class_init(ObjectClass *klass, void *data)
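
Review bot: in lsi_scsi_exit() the timer_del() call is replaced rather than kept, so the commit message should state whether timer_free() also cancels a still-pending scripts_timer; if it does not, keep timer_del(s->scripts_timer) before the new timer_free() line so a queued callback cannot run against freed memory. s->scripts_timer is also left pointing at the freed object after this line; setting it to NULL would make any later access fail visibly. Separately, the subject names lsi_scsi_realize(), which is where the LeakSanitizer trace shows the allocation, while the hunk header shows the change is in lsi_scsi_exit(); a sentence tying the two together would help readers of the log.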
-- 
2.47.1


