From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:33335) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1R8ozZ-0008Fc-GN for qemu-devel@nongnu.org; Wed, 28 Sep 2011 03:55:47 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1R8ozT-0008IE-Mo for qemu-devel@nongnu.org; Wed, 28 Sep 2011 03:55:45 -0400 Received: from mail-wy0-f173.google.com ([74.125.82.173]:56624) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1R8ozT-0008I1-IR for qemu-devel@nongnu.org; Wed, 28 Sep 2011 03:55:39 -0400 Received: by wyh22 with SMTP id 22so8966287wyh.4 for ; Wed, 28 Sep 2011 00:55:37 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <1317193022-13504-2-git-send-email-ajia@redhat.com> References: <1317193022-13504-1-git-send-email-ajia@redhat.com> <1317193022-13504-2-git-send-email-ajia@redhat.com> Date: Wed, 28 Sep 2011 08:55:37 +0100 Message-ID: From: Peter Maydell Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [Qemu-devel] [PATCH] linux-user: fix memory leak in failure path List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: ajia@redhat.com Cc: qemu-devel@nongnu.org On 28 September 2011 07:57, wrote: > From: Alex Jia > > Haven't released memory of 'array' and 'host_mb' in failure paths. > > Signed-off-by: Alex Jia > --- > =C2=A0linux-user/syscall.c | =C2=A0 =C2=A06 ++++-- > =C2=A01 files changed, 4 insertions(+), 2 deletions(-) > > diff --git a/linux-user/syscall.c b/linux-user/syscall.c > index 7735008..922c2a0 100644 > --- a/linux-user/syscall.c > +++ b/linux-user/syscall.c > @@ -2523,8 +2523,10 @@ static inline abi_long do_semctl(int semid, int se= mnum, int cmd, > =C2=A0 =C2=A0 =C2=A0 =C2=A0case GETALL: > =C2=A0 =C2=A0 =C2=A0 =C2=A0case SETALL: > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 err =3D target_to_host_semarray= (semid, &array, target_su.array); > - =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0if (err) > + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0if (err) { > + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0free(array); > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 return err; > + =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0} > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 arg.array =3D array; > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 ret =3D get_errno(semctl(semid,= semnum, cmd, arg)); > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 err =3D host_to_target_semarray= (semid, target_su.array, &array); This is the wrong place to try to fix this. If target_to_host_semarray fails it should free() the buffer it malloc()ed itself, not rely on its caller to do the cleanup. > @@ -2779,9 +2781,9 @@ static inline abi_long do_msgrcv(int msqid, abi_lon= g msgp, > =C2=A0 =C2=A0 } > > =C2=A0 =C2=A0 target_mb->mtype =3D tswapl(host_mb->mtype); > - =C2=A0 =C2=A0free(host_mb); > > =C2=A0end: > + =C2=A0 =C2=A0free(host_mb); > =C2=A0 =C2=A0 if (target_mb) > =C2=A0 =C2=A0 =C2=A0 =C2=A0 unlock_user_struct(target_mb, msgp, 1); > =C2=A0 =C2=A0 return ret; This change is OK. Also I note that target_to_host_semarray is doing a plain malloc() and not checking the return value. You should fix that while you're doing fixes in this area. -- PMM