[PATCH] migration: Free argv

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] migration: Free argv
@ 2024-02-25  5:54 Akihiko Odaki
  2024-02-26  3:49 ` Peter Xu
  0 siblings, 1 reply; 3+ messages in thread
From: Akihiko Odaki @ 2024-02-25  5:54 UTC (permalink / raw)
  To: Peter Xu, Fabiano Rosas; +Cc: qemu-devel, Akihiko Odaki

exec_start_outgoing_migration() and exec_start_incoming_migration()
leak argv because it uses g_steal_pointer() is used to pass argv
qio_channel_command_new_spawn() while it does not free argv either.

Removing g_steal_pointer() is not sufficient though because argv is
typed g_auto(GStrv), which means the array of strings *and strings* will
be freed. The strings are only borrowed from the caller of
exec_start_outgoing_migration() and exec_start_incoming_migration() so
freeing them result in double-free.

Instead, type argv as g_autofree char **. This ensures only the array
of strings will be freed and the strings won't be freed. Also, remove
unnecessary casts according to the new type.

Fixes: cbab4face57b ("migration: convert exec backend to accept MigrateAddress.")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
---
 migration/exec.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/migration/exec.c b/migration/exec.c
index 47d2f3b8fb02..205675265ea1 100644
--- a/migration/exec.c
+++ b/migration/exec.c
@@ -73,15 +73,15 @@ void exec_start_outgoing_migration(MigrationState *s, strList *command,
     QIOChannel *ioc;
 
     int length = str_list_length(command);
-    g_auto(GStrv) argv = (char **) g_new0(const char *, length + 1);
+    g_autofree char **argv = g_new0(char *, length + 1);
 
     init_exec_array(command, argv, errp);
-    g_autofree char *new_command = g_strjoinv(" ", (char **)argv);
+    g_autofree char *new_command = g_strjoinv(" ", argv);
 
     trace_migration_exec_outgoing(new_command);
     ioc = QIO_CHANNEL(
         qio_channel_command_new_spawn(
-                            (const char * const *) g_steal_pointer(&argv),
+                            (const char * const *) argv,
                             O_RDWR,
                             errp));
     if (!ioc) {
@@ -107,15 +107,15 @@ void exec_start_incoming_migration(strList *command, Error **errp)
     QIOChannel *ioc;
 
     int length = str_list_length(command);
-    g_auto(GStrv) argv = (char **) g_new0(const char *, length + 1);
+    g_autofree char **argv = g_new0(char *, length + 1);
 
     init_exec_array(command, argv, errp);
-    g_autofree char *new_command = g_strjoinv(" ", (char **)argv);
+    g_autofree char *new_command = g_strjoinv(" ", argv);
 
     trace_migration_exec_incoming(new_command);
     ioc = QIO_CHANNEL(
         qio_channel_command_new_spawn(
-                            (const char * const *) g_steal_pointer(&argv),
+                            (const char * const *) argv,
                             O_RDWR,
                             errp));
     if (!ioc) {

---
base-commit: 5005aed8a7e728d028efb40e243ecfc2b4f3df3a
change-id: 20240219-argv-518065e20e87

Best regards,
-- 
Akihiko Odaki <akihiko.odaki@daynix.com>



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] migration: Free argv
  2024-02-25  5:54 [PATCH] migration: Free argv Akihiko Odaki
@ 2024-02-26  3:49 ` Peter Xu
  2024-02-26  7:45   ` Akihiko Odaki
  0 siblings, 1 reply; 3+ messages in thread
From: Peter Xu @ 2024-02-26  3:49 UTC (permalink / raw)
  To: Akihiko Odaki; +Cc: Fabiano Rosas, qemu-devel, Steve Sistare, Markus Armbruster

On Sun, Feb 25, 2024 at 02:54:01PM +0900, Akihiko Odaki wrote:
> exec_start_outgoing_migration() and exec_start_incoming_migration()
> leak argv because it uses g_steal_pointer() is used to pass argv
> qio_channel_command_new_spawn() while it does not free argv either.
> 
> Removing g_steal_pointer() is not sufficient though because argv is
> typed g_auto(GStrv), which means the array of strings *and strings* will
> be freed. The strings are only borrowed from the caller of
> exec_start_outgoing_migration() and exec_start_incoming_migration() so
> freeing them result in double-free.
> 
> Instead, type argv as g_autofree char **. This ensures only the array
> of strings will be freed and the strings won't be freed. Also, remove
> unnecessary casts according to the new type.
> 
> Fixes: cbab4face57b ("migration: convert exec backend to accept MigrateAddress.")
> Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>

Cc: qemu-stable <qemu-stable@nongnu.org>
Reviewed-by: Peter Xu <peterx@redhat.com>

This should conflict with Steve's other series:

https://lore.kernel.org/r/1708638470-114846-1-git-send-email-steven.sistare@oracle.com

Considering this can be stable material, should be easier if we have the
other series rebased on top of this, even if that was sent first..

Steve, do you still plan to repost your series?  Maybe you can review it &
pick this up into your series?  Then whoever pick up your series will pick
up both (Markus will?)?

Thanks,

-- 
Peter Xu



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] migration: Free argv
  2024-02-26  3:49 ` Peter Xu
@ 2024-02-26  7:45   ` Akihiko Odaki
  0 siblings, 0 replies; 3+ messages in thread
From: Akihiko Odaki @ 2024-02-26  7:45 UTC (permalink / raw)
  To: Peter Xu; +Cc: Fabiano Rosas, qemu-devel, Steve Sistare, Markus Armbruster

On 2024/02/26 12:49, Peter Xu wrote:
> On Sun, Feb 25, 2024 at 02:54:01PM +0900, Akihiko Odaki wrote:
>> exec_start_outgoing_migration() and exec_start_incoming_migration()
>> leak argv because it uses g_steal_pointer() is used to pass argv
>> qio_channel_command_new_spawn() while it does not free argv either.
>>
>> Removing g_steal_pointer() is not sufficient though because argv is
>> typed g_auto(GStrv), which means the array of strings *and strings* will
>> be freed. The strings are only borrowed from the caller of
>> exec_start_outgoing_migration() and exec_start_incoming_migration() so
>> freeing them result in double-free.
>>
>> Instead, type argv as g_autofree char **. This ensures only the array
>> of strings will be freed and the strings won't be freed. Also, remove
>> unnecessary casts according to the new type.
>>
>> Fixes: cbab4face57b ("migration: convert exec backend to accept MigrateAddress.")
>> Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
> 
> Cc: qemu-stable <qemu-stable@nongnu.org>
> Reviewed-by: Peter Xu <peterx@redhat.com>
> 
> This should conflict with Steve's other series:
> 
> https://lore.kernel.org/r/1708638470-114846-1-git-send-email-steven.sistare@oracle.com
> 
> Considering this can be stable material, should be easier if we have the
> other series rebased on top of this, even if that was sent first..
> 
> Steve, do you still plan to repost your series?  Maybe you can review it &
> pick this up into your series?  Then whoever pick up your series will pick
> up both (Markus will?)?

Patch "migration: simplify exec migration functions" included in the 
series fixes the identical problem:
https://lore.kernel.org/all/1708638470-114846-6-git-send-email-steven.sistare@oracle.com/

I withdraw my patch as duplicate.

Regards,
Akihiko Odaki


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2024-02-26  7:46 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-02-25  5:54 [PATCH] migration: Free argv Akihiko Odaki
2024-02-26  3:49 ` Peter Xu
2024-02-26  7:45   ` Akihiko Odaki

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).