From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:47727)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ajia@redhat.com>) id 1R8pUL-0006wB-5z
	for qemu-devel@nongnu.org; Wed, 28 Sep 2011 04:27:37 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ajia@redhat.com>) id 1R8pUG-0005tL-FL
	for qemu-devel@nongnu.org; Wed, 28 Sep 2011 04:27:33 -0400
Received: from mx1.redhat.com ([209.132.183.28]:33450)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ajia@redhat.com>) id 1R8pUF-0005tF-Vx
	for qemu-devel@nongnu.org; Wed, 28 Sep 2011 04:27:28 -0400
Message-ID: <4E82DA78.6030001@redhat.com>
Date: Wed, 28 Sep 2011 16:27:36 +0800
From: Alex Jia <ajia@redhat.com>
MIME-Version: 1.0
References: <1317193022-13504-1-git-send-email-ajia@redhat.com>	<1317193022-13504-2-git-send-email-ajia@redhat.com>
	<CAFEAcA8wxisK3sR5E2nS4zndvuEwmibk6czjF0CWjfJB-9fU1A@mail.gmail.com>
In-Reply-To: <CAFEAcA8wxisK3sR5E2nS4zndvuEwmibk6czjF0CWjfJB-9fU1A@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] linux-user: fix memory leak in failure path
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-devel@nongnu.org

On 09/28/2011 03:55 PM, Peter Maydell wrote:
> On 28 September 2011 07:57,<ajia@redhat.com>  wrote:
>> From: Alex Jia<ajia@redhat.com>
>>
>> Haven't released memory of 'array' and 'host_mb' in failure paths.
>>
>> Signed-off-by: Alex Jia<ajia@redhat.com>
>> ---
>>   linux-user/syscall.c |    6 ++++--
>>   1 files changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
>> index 7735008..922c2a0 100644
>> --- a/linux-user/syscall.c
>> +++ b/linux-user/syscall.c
>> @@ -2523,8 +2523,10 @@ static inline abi_long do_semctl(int semid, int semnum, int cmd,
>>         case GETALL:
>>         case SETALL:
>>              err = target_to_host_semarray(semid,&array, target_su.array);
>> -            if (err)
>> +            if (err) {
>> +                free(array);
>>                  return err;
>> +            }
>>              arg.array = array;
>>              ret = get_errno(semctl(semid, semnum, cmd, arg));
>>              err = host_to_target_semarray(semid, target_su.array,&array);
> This is the wrong place to try to fix this. If target_to_host_semarray
> fails it should free() the buffer it malloc()ed itself, not rely on
> its caller to do the cleanup.
>
Yeah, caller shouldn't do this.
>> @@ -2779,9 +2781,9 @@ static inline abi_long do_msgrcv(int msqid, abi_long msgp,
>>      }
>>
>>      target_mb->mtype = tswapl(host_mb->mtype);
>> -    free(host_mb);
>>
>>   end:
>> +    free(host_mb);
>>      if (target_mb)
>>          unlock_user_struct(target_mb, msgp, 1);
>>      return ret;
> This change is OK.
>
> Also I note that target_to_host_semarray is doing a plain malloc()
> and not checking the return value. You should fix that while you're
> doing fixes in this area.
Yeah, for return value check of malloc(), it seems many places haven't
do it.

Thanks,
Alex
> -- PMM