From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:35112) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1R8rWK-00009s-9A for qemu-devel@nongnu.org; Wed, 28 Sep 2011 06:37:45 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1R8rWJ-0007zE-6t for qemu-devel@nongnu.org; Wed, 28 Sep 2011 06:37:44 -0400 Received: from mx1.redhat.com ([209.132.183.28]:61309) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1R8rWI-0007z7-TT for qemu-devel@nongnu.org; Wed, 28 Sep 2011 06:37:43 -0400 Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id p8SAbfQF024960 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Wed, 28 Sep 2011 06:37:41 -0400 Received: from localhost.localdomain ([10.66.4.201]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id p8SAbc4o013822 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 28 Sep 2011 06:37:41 -0400 Message-ID: <4E82F8FF.3050809@redhat.com> Date: Wed, 28 Sep 2011 18:37:51 +0800 From: Alex Jia MIME-Version: 1.0 References: <1317198281-14922-1-git-send-email-ajia@redhat.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Qemu-devel] [PATCH v2] linux-user: fix memory leak in failure path List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org On 09/28/2011 05:43 PM, Peter Maydell wrote: > On 28 September 2011 09:24, wrote: >> From: Alex Jia >> >> Haven't released memory of 'host_mb' in failure path, and calling malloc allocate >> memory to 'host_array', however, memory hasn't been freed before the function >> target_to_host_semarray returns. >> >> Signed-off-by: Alex Jia >> --- >> linux-user/syscall.c | 3 ++- >> 1 files changed, 2 insertions(+), 1 deletions(-) >> >> diff --git a/linux-user/syscall.c b/linux-user/syscall.c >> index 7735008..22d4fcc 100644 >> --- a/linux-user/syscall.c >> +++ b/linux-user/syscall.c >> @@ -2466,6 +2466,7 @@ static inline abi_long target_to_host_semarray(int semid, unsigned short **host_ >> for(i=0; i> __get_user((*host_array)[i],&array[i]); >> } >> + free(*host_array); >> unlock_user(array, target_addr, 0); >> >> return 0; > This is wrong -- you're freeing the array in the exit-success > path, not the error path. And you're still not checking the > return value from malloc(). > > In fact, on closer examination, this code is pretty nasty: > we allocate the array in target_to_host_semarray and then > free it in host_to_target_semarray, and in both functions > we make a syscall purely to figure out the length of the > array -- so we end up doing that twice when we only need > do it once. And the error exit cases in host_to_target_semarray > don't free the host array either. It could probably be > refactored to make it less ugly: have the code at the > top level do the "find out size of array, malloc it, free" Hi Peter, You mean caller should free these allocated memory, right? if so, is v1 patch okay? Thanks for your nice comment. Regards, Alex > work, and have host_to_target_semarray and > target_to_host_semarray only do the copying work (this > would match other target_to_host* helpers.) > > -- PMM >