
hw/timer/hpet: fix memory leak in hpet_del_timer()

Message ID 697cedd2-e480-4988-aace-49a8e4fa9c89@gmail.com
State New
Series hw/timer/hpet: fix memory leak in hpet_del_timer()

Commit Message

Zheng Huang March 27, 2025, 10:31 a.m. UTC
Hi,
This patch addresses a memory leak bug in the function `hpet_del_timer()`.
The issue arises from the incorrect use of the ambiguous timer API
`timer_del()`, which does not free the timer object. The leak sanitizer
reported this issue during fuzzing. The correct API, `timer_free()`, was
introduced 4 years ago, but the usage in issue dates back 12 years, which
led to this problem.

Also I'd like to ask for a way to fix all 100+ wrong usages. In my
opinion, the best way to fix this is to hide the `timer_del()` API and
eliminate all usages of it.

Signed-off-by: Zheng Huang <hz1624917200@outlook.com>

---
 hw/timer/hpet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
index dcff18a987..0162f4cc32 100644
--- a/hw/timer/hpet.c
+++ b/hw/timer/hpet.c
@@ -428,7 +428,7 @@  static void hpet_set_timer(HPETTimer *t)
 static void hpet_del_timer(HPETTimer *t)
 {
     HPETState *s = t->state;
-    timer_del(t->qemu_timer);
+    timer_free(t->qemu_timer);
 
     if (s->isr & (1 << t->tn)) {
         /* For level-triggered interrupt, this leaves ISR set but lowers irq.  */
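Review bot: replacing timer_del() with timer_free() on the `t->qemu_timer` line leaves a dangling pointer in the HPETTimer that this function does not clear, and the surrounding code (lowering the irq while the ISR bit for `t->tn` stays set) reads like a guest-visible disable of a timer that can later be re-armed through the same `t->qemu_timer`, not device teardown; any later timer_mod()/timer_del() on that pointer would then be a use-after-free rather than a leak. If the timer is meant to stay usable after hpet_del_timer(), keep timer_del() here and free the timer once, where the device itself is destroyed; if this really is the final use, set `t->qemu_timer = NULL;` right after `timer_free(t->qemu_timer);` and state in the commit message why no caller re-arms the timer afterwards.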