From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51961)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <groug@kaod.org>) id 1bonWu-0006Xm-DD
	for qemu-devel@nongnu.org; Tue, 27 Sep 2016 04:14:21 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <groug@kaod.org>) id 1bonWq-00004s-55
	for qemu-devel@nongnu.org; Tue, 27 Sep 2016 04:14:19 -0400
Received: from 7.mo179.mail-out.ovh.net ([46.105.61.94]:53584)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <groug@kaod.org>) id 1bonWp-0008WG-UX
	for qemu-devel@nongnu.org; Tue, 27 Sep 2016 04:14:16 -0400
Received: from player698.ha.ovh.net (b7.ovh.net [213.186.33.57])
	by mo179.mail-out.ovh.net (Postfix) with ESMTP id 158A5FF8351
	for <qemu-devel@nongnu.org>; Tue, 27 Sep 2016 10:14:15 +0200 (CEST)
Date: Tue, 27 Sep 2016 10:14:10 +0200
From: Greg Kurz <groug@kaod.org>
Message-ID: <20160927101410.45b331d7@bahia.lab.toulouse-stg.fr.ibm.com>
In-Reply-To: <57e9f8d8.a8059d0a.58e91.0d98@mx.google.com>
References: <57e9f8d8.a8059d0a.58e91.0d98@mx.google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: [Qemu-devel] [PATCH] 9pfs: fix potential host memory leak in
 v9fs_read
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Li Qiang <liq3ea@gmail.com>
Cc: aneesh.kumar@linux.vnet.ibm.com, qemu-devel@nongnu.org, Li Qiang <liqiang6-s@360.cn>

On Mon, 26 Sep 2016 21:42:26 -0700
Li Qiang <liq3ea@gmail.com> wrote:

> From: Li Qiang <liqiang6-s@360.cn>
> 
> In 9pfs read dispatch function, it doesn't free two QEMUIOVector
> object thus causing potential memory leak. This patch avoid this.
> 

Good catch for the leak, but I'd prefer another fix. See below.

> Signed-off-by: Li Qiang <liqiang6-s@360.cn>
> ---
>  hw/9pfs/9p.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
> index d960a2e..b1ff8e7 100644
> --- a/hw/9pfs/9p.c
> +++ b/hw/9pfs/9p.c
> @@ -1830,12 +1830,16 @@ static void v9fs_read(void *opaque)
>              } while (len == -EINTR && !pdu->cancelled);
>              if (len < 0) {
>                  /* IO error return the error */
> +                qemu_iovec_destroy(&qiov);
> +                qemu_iovec_destroy(&qiov_full);

We already have these lines at the end of the code block for
type P9_FID_FILE.

Let's introduce an out_free_iovec: label and...

>                  err = len;
>                  goto out;

goto out_free_iovec;

>              }
>          } while (count < max_count && len > 0);
>          err = pdu_marshal(pdu, offset, "d", count);
>          if (err < 0) {
> +            qemu_iovec_destroy(&qiov);
> +            qemu_iovec_destroy(&qiov_full);
>              goto out;

Same here.

>          }
>          err += offset + count;

As a valuable side effect, the error will be traced :)

Cheers.

--
Greg