Message ID | 20200313075858.15860-1-pannengyuan@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Series | qom-qmp-cmds: remove unnecessary alloc in qmp_object_add to fix memleak |
Pan Nengyuan <pannengyuan@huawei.com> writes:

> In qmp_object_add(), user_creatable_add_type() may set errp with some error message and
> return NULL. In this case, qmp_object_add() still allocates memory for *ret_data, which is
> returned to the caller and causes a memory leak.
>
> This patch does the allocation only if obj is not NULL to fix it, and initializes ret_data
> in xen-block to avoid a possible uninitialized-variable error.
>
> The leak stack:
> Direct leak of 4120 byte(s) in 1 object(s) allocated from:
>     #0 0x7f6106ce5970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
>     #1 0x7f6105e6a49d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
>     #2 0x55d2c58c17fd in qdict_new /mnt/sdb/qemu-new/qemu_test/qemu/qobject/qdict.c:29
>     #3 0x55d2c53a0051 in qmp_object_add /mnt/sdb/qemu-new/qemu_test/qemu/qom/qom-qmp-cmds.c:291
>     #4 0x55d2c57b47da in do_qmp_dispatch /mnt/sdb/qemu-new/qemu_test/qemu/qapi/qmp-dispatch.c:132
>     #5 0x55d2c57b47da in qmp_dispatch /mnt/sdb/qemu-new/qemu_test/qemu/qapi/qmp-dispatch.c:175
>     #6 0x55d2c52f1430 in monitor_qmp_dispatch /mnt/sdb/qemu-new/qemu_test/qemu/monitor/qmp.c:145
>     #7 0x55d2c52f3087 in monitor_qmp_bh_dispatcher /mnt/sdb/qemu-new/qemu_test/qemu/monitor/qmp.c:234
>     #8 0x55d2c58e6153 in aio_bh_call /mnt/sdb/qemu-new/qemu_test/qemu/util/async.c:136
>
> Fixes: 5f07c4d60d091320186e7b0edaf9ed2cc16b2d1e
> Reported-by: Euler Robot <euler.robot@huawei.com>
> Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>

Reviewed-by: Markus Armbruster <armbru@redhat.com>
Paolo, looks like this has fallen through the cracks. If you'd prefer me
to take it, let me know.

Markus Armbruster <armbru@redhat.com> writes:

> Pan Nengyuan <pannengyuan@huawei.com> writes:
>
>> In qmp_object_add(), user_creatable_add_type() may set errp with some error message and
>> return NULL. In this case, qmp_object_add() still allocates memory for *ret_data, which is
>> returned to the caller and causes a memory leak.
>>
>> This patch does the allocation only if obj is not NULL to fix it, and initializes ret_data
>> in xen-block to avoid a possible uninitialized-variable error.
>>
>> The leak stack:
>> Direct leak of 4120 byte(s) in 1 object(s) allocated from:
>>     #0 0x7f6106ce5970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
>>     #1 0x7f6105e6a49d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
>>     #2 0x55d2c58c17fd in qdict_new /mnt/sdb/qemu-new/qemu_test/qemu/qobject/qdict.c:29
>>     #3 0x55d2c53a0051 in qmp_object_add /mnt/sdb/qemu-new/qemu_test/qemu/qom/qom-qmp-cmds.c:291
>>     #4 0x55d2c57b47da in do_qmp_dispatch /mnt/sdb/qemu-new/qemu_test/qemu/qapi/qmp-dispatch.c:132
>>     #5 0x55d2c57b47da in qmp_dispatch /mnt/sdb/qemu-new/qemu_test/qemu/qapi/qmp-dispatch.c:175
>>     #6 0x55d2c52f1430 in monitor_qmp_dispatch /mnt/sdb/qemu-new/qemu_test/qemu/monitor/qmp.c:145
>>     #7 0x55d2c52f3087 in monitor_qmp_bh_dispatcher /mnt/sdb/qemu-new/qemu_test/qemu/monitor/qmp.c:234
>>     #8 0x55d2c58e6153 in aio_bh_call /mnt/sdb/qemu-new/qemu_test/qemu/util/async.c:136
>>
>> Fixes: 5f07c4d60d091320186e7b0edaf9ed2cc16b2d1e
>> Reported-by: Euler Robot <euler.robot@huawei.com>
>> Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
>
> Reviewed-by: Markus Armbruster <armbru@redhat.com>
On 06/04/20 08:34, Markus Armbruster wrote:
> Paolo, looks like this has fallen through the cracks. If you'd prefer
> me to take it, let me know.
>
> Markus Armbruster <armbru@redhat.com> writes:

Actually it was in my latest pull request, but between this version,
Marc-André's and mine you might have missed it:

    commit 7f5d9b206d1e86425faa5b84b551068bf044b823
    Author: Paolo Bonzini <pbonzini@redhat.com>
    Date:   Thu Mar 26 10:41:21 2020 +0100

        object-add: don't create return value if failed

        No need to return an empty value from object-add (it would also leak
        if the command failed). While at it, remove the "if" around
        object_unref since object_unref handles NULL arguments just fine.

        Reported-by: Marc-André Lureau <marcandre.lureau@redhat.com>
        Message-Id: <20200325184723.2029630-4-marcandre.lureau@redhat.com>
        Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Thanks,

Paolo
diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c index 3885464513..041866b846 100644 --- a/hw/block/xen-block.c +++ b/hw/block/xen-block.c @@ -860,7 +860,7 @@ static XenBlockIOThread *xen_block_iothread_create(const char *id, XenBlockIOThread *iothread = g_new(XenBlockIOThread, 1); Error *local_err = NULL; QDict *opts; - QObject *ret_data; + QObject *ret_data = NULL; iothread->id = g_strdup(id); diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c index 435193b036..6bd137ccbf 100644 --- a/qom/qom-qmp-cmds.c +++ b/qom/qom-qmp-cmds.c @@ -287,8 +287,8 @@ void qmp_object_add(QDict *qdict, QObject **ret_data, Error **errp) visit_free(v); if (obj) { object_unref(obj); + *ret_data = QOBJECT(qdict_new()); } - *ret_data = QOBJECT(qdict_new()); } void qmp_object_del(const char *id, Error **errp)
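Review bot: In the hw/block/xen-block.c hunk, `QObject *ret_data = NULL;` is a required change rather than a defensive one once the qom/qom-qmp-cmds.c hunk stops writing `*ret_data` on the error path: any caller that reads or unrefs `ret_data` after a failed qmp_object_add() would otherwise use an indeterminate pointer. The commit message calls this a "possible uninitialized error"; it would be clearer to state the new contract outright ("on error, *ret_data is left untouched") and to confirm that the other caller visible in the leak stack, do_qmp_dispatch(), initialises its return pointer the same way, since this patch only touches the xen-block caller.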
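Review bot: In the qom/qom-qmp-cmds.c hunk, moving `*ret_data = QOBJECT(qdict_new());` inside `if (obj)` silently changes the function's contract (the out-parameter is now written only on success) with no comment or documentation update; either add a one-line comment above qmp_object_add() stating that `*ret_data` is left untouched on error, or assign `*ret_data = NULL;` explicitly on the failure path so no caller can read an indeterminate pointer. Since the value being returned is an empty dict carrying no information, the simpler fix is to not produce a return value at all, which also removes the need for every caller to pre-initialise `ret_data`.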
In qmp_object_add(), user_creatable_add_type() may set errp with some error message and
return NULL. In this case, qmp_object_add() still allocates memory for *ret_data, which is
returned to the caller and causes a memory leak.

This patch does the allocation only if obj is not NULL to fix it, and initializes ret_data
in xen-block to avoid a possible uninitialized-variable error.

The leak stack:
Direct leak of 4120 byte(s) in 1 object(s) allocated from:
    #0 0x7f6106ce5970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
    #1 0x7f6105e6a49d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
    #2 0x55d2c58c17fd in qdict_new /mnt/sdb/qemu-new/qemu_test/qemu/qobject/qdict.c:29
    #3 0x55d2c53a0051 in qmp_object_add /mnt/sdb/qemu-new/qemu_test/qemu/qom/qom-qmp-cmds.c:291
    #4 0x55d2c57b47da in do_qmp_dispatch /mnt/sdb/qemu-new/qemu_test/qemu/qapi/qmp-dispatch.c:132
    #5 0x55d2c57b47da in qmp_dispatch /mnt/sdb/qemu-new/qemu_test/qemu/qapi/qmp-dispatch.c:175
    #6 0x55d2c52f1430 in monitor_qmp_dispatch /mnt/sdb/qemu-new/qemu_test/qemu/monitor/qmp.c:145
    #7 0x55d2c52f3087 in monitor_qmp_bh_dispatcher /mnt/sdb/qemu-new/qemu_test/qemu/monitor/qmp.c:234
    #8 0x55d2c58e6153 in aio_bh_call /mnt/sdb/qemu-new/qemu_test/qemu/util/async.c:136

Fixes: 5f07c4d60d091320186e7b0edaf9ed2cc16b2d1e
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
---
Cc: Kevin Wolf <kwolf@redhat.com>
---
 hw/block/xen-block.c | 2 +-
 qom/qom-qmp-cmds.c   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
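The leak described in the commit message, and the two ways of closing it that the thread discusses, as an added example in C that is not QEMU code: it models qmp_object_add() as a handler with an out-parameter, a dispatcher that drops *ret_data whenever errp is set (an assumption standing in for the do_qmp_dispatch() frame in the leak stack, not a copy of it), and a small allocation registry playing the role of ASan's leak report. Every type and function name is a stand-in chosen to mirror QEMU's, and the "iothread" type check is invented for the example.

```c
/*
 * Added example, not QEMU code: a model of the leak this patch fixes. A
 * handler fills an out-parameter *ret_data; the dispatcher only consumes
 * *ret_data when no error was reported, so anything allocated into it on
 * the error path is never released. All names below are stand-ins.
 */
#include <stdlib.h>
#include <string.h>

typedef struct Error { const char *msg; } Error;
typedef struct QDict { int refcnt; } QDict;
typedef struct Object { int refcnt; } Object;

/* Allocation registry standing in for ASan's leak detector. */
#define MAX_LIVE 16
static QDict *live_qdicts[MAX_LIVE];

static QDict *qdict_new(void)
{
    QDict *d = calloc(1, sizeof(*d));
    int i = 0;
    d->refcnt = 1;
    while (i < MAX_LIVE - 1 && live_qdicts[i]) i++;  /* first free slot */
    live_qdicts[i] = d;
    return d;
}

static void qobject_unref(QDict *d)
{
    if (!d || --d->refcnt > 0) return;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live_qdicts[i] == d) live_qdicts[i] = NULL;
    }
    free(d);
}

/* Like an ASan report at exit: count what is still live, release it so the
 * next scenario starts clean, and return the number of leaked QDicts. */
static int leak_check(void)
{
    int leaked = 0;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live_qdicts[i]) { leaked++; free(live_qdicts[i]); live_qdicts[i] = NULL; }
    }
    return leaked;
}

static void error_setg(Error **errp, const char *msg)
{
    if (errp) { *errp = calloc(1, sizeof(**errp)); (*errp)->msg = msg; }
}

static void object_unref(Object *obj) { free(obj); }  /* NULL-tolerant, like the real one */

/* Stand-in for user_creatable_add_type(): "iothread" is the only known type. */
static Object *user_creatable_add_type(const char *type, Error **errp)
{
    if (strcmp(type, "iothread") != 0) { error_setg(errp, "invalid object type"); return NULL; }
    return calloc(1, sizeof(Object));
}

/* Before the patch: *ret_data is allocated even after errp has been set. */
static void qmp_object_add_before(const char *type, QDict **ret_data, Error **errp)
{
    Object *obj = user_creatable_add_type(type, errp);
    if (obj) object_unref(obj);
    *ret_data = qdict_new();
}

/* After this patch: allocate only on success. *ret_data is untouched on
 * error, which is why the xen-block caller must initialise it to NULL. */
static void qmp_object_add_after(const char *type, QDict **ret_data, Error **errp)
{
    Object *obj = user_creatable_add_type(type, errp);
    if (obj) {
        object_unref(obj);
        *ret_data = qdict_new();
    }
}

/* The variant Paolo's reply describes: no empty return value at all. */
static void qmp_object_add_no_retval(const char *type, QDict **ret_data, Error **errp)
{
    (void)ret_data;
    object_unref(user_creatable_add_type(type, errp));
}

typedef void (*CommandFn)(const char *, QDict **, Error **);
/* Simplified dispatcher (an assumption of this example, not QEMU's code): on
 * error the reply is built from the Error and ret is never looked at again.
 * Returns the number of QDicts that leaked during the command. */
static int dispatch(CommandFn cmd, const char *type)
{
    QDict *ret = NULL;
    Error *err = NULL;
    cmd(type, &ret, &err);
    if (err) free(err);        /* error reply sent; ret is simply dropped */
    else qobject_unref(ret);   /* success reply sent, then released */
    return leak_check();
}
```

dispatch() returns the number of QDicts left live after one command: 1 for the pre-patch handler on an unknown type, 0 for the patched handler and for the no-return-value variant. The patched variant also shows why the xen-block hunk matters: on error *ret_data is never written, so a caller that later unrefs it must have set it to NULL beforehand, as dispatch() does.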