* [Qemu-devel] [PATCH 0/6] fix some coverity complaints
From: Gonglei @ 2016-03-03 9:43 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-trivial, pbonzini, Gonglei
Gonglei (6):
egl-helpers: fix possible resource leak
sheepdog: fix possible resource leak and out-of-bounds access
spice: fix coverity complaints
hostmem-file: fix memory leak
spapr: fix possible Negative array index read
smbus: fix memory leak
backends/hostmem-file.c | 5 ++++-
block/sheepdog.c | 9 ++++++---
hw/i2c/smbus_eeprom.c | 2 ++
hw/ppc/spapr.c | 4 ++++
ui/egl-helpers.c | 9 +++------
ui/spice-display.c | 4 +---
6 files changed, 20 insertions(+), 13 deletions(-)
--
1.8.5.2
* [Qemu-devel] [PATCH 1/6] egl-helpers: fix possible resource leak
From: Gonglei @ 2016-03-03 9:43 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-trivial, pbonzini, Gonglei
CID 1352419, using g_strdup_printf instead of asprintf.
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
ui/egl-helpers.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/ui/egl-helpers.c b/ui/egl-helpers.c
index 54be44c..2da1930 100644
--- a/ui/egl-helpers.c
+++ b/ui/egl-helpers.c
@@ -50,18 +50,15 @@ int qemu_egl_rendernode_open(void)
continue;
}
- r = asprintf(&p, "/dev/dri/%s", e->d_name);
- if (r < 0) {
- return -1;
- }
+ p = g_strdup_printf("/dev/dri/%s", e->d_name);
r = open(p, O_RDWR | O_CLOEXEC | O_NOCTTY | O_NONBLOCK);
if (r < 0) {
- free(p);
+ g_free(p);
continue;
}
fd = r;
- free(p);
+ g_free(p);
break;
}
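Review bot: the removed `return -1` left `qemu_egl_rendernode_open` from inside the directory-scan loop without reaching the cleanup that the `break` path does, which is the resource leak the subject refers to; `g_strdup_printf` never returns NULL (GLib aborts on allocation failure), so dropping that branch is correct, but the commit message `CID 1352419, using g_strdup_printf instead of asprintf.` does not say so and a reader cannot tell from it why the error path may go. Pairing the allocation with `g_free` instead of `free` is the right matching fix.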
--
1.8.5.2
* [Qemu-devel] [PATCH 2/6] sheepdog: fix possible resource leak and out-of-bounds access
From: Gonglei @ 2016-03-03 9:43 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-trivial, pbonzini, Gonglei
CID 1352418 (#1 of 1): Out-of-bounds access (INCOMPATIBLE_CAST)
incompatible_cast: Pointer &snap_id points to an object whose effective
type is unsigned int (32 bits, unsigned) but is dereferenced as a wider
unsigned long (64 bits, unsigned). This may lead to memory corruption.
We also need to free local_err when ret is not equal to 0.
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
block/sheepdog.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/block/sheepdog.c b/block/sheepdog.c
index 8739acc..3d81bba 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -2543,7 +2543,7 @@ static int sd_snapshot_delete(BlockDriverState *bs,
const char *name,
Error **errp)
{
- uint32_t snap_id = 0;
+ unsigned long snap_id = 0;
char snap_tag[SD_MAX_VDI_TAG_LEN];
Error *local_err = NULL;
int fd, ret;
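Review bot: widening `snap_id` to `unsigned long` removes the incompatible cast into `qemu_strtoul`, but `unsigned long` is 32 bits on some hosts and 64 bits on others, so the range this variable can hold now depends on the platform and the later store into `hdr.snapid` becomes an implicit narrowing. A clearer shape is to keep a local `unsigned long` for parsing only and copy it into a `uint32_t` after an explicit range check that returns an error.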
@@ -2565,20 +2565,23 @@ static int sd_snapshot_delete(BlockDriverState *bs,
memset(buf, 0, sizeof(buf));
memset(snap_tag, 0, sizeof(snap_tag));
pstrcpy(buf, SD_MAX_VDI_LEN, s->name);
- if (qemu_strtoul(snapshot_id, NULL, 10, (unsigned long *)&snap_id)) {
+ if (qemu_strtoul(snapshot_id, NULL, 10, &snap_id)) {
return -1;
}
if (snap_id) {
+ assert(snap_id <= UINT_MAX);
+
hdr.snapid = snap_id;
} else {
pstrcpy(snap_tag, sizeof(snap_tag), snapshot_id);
pstrcpy(buf + SD_MAX_VDI_LEN, SD_MAX_VDI_TAG_LEN, snap_tag);
}
- ret = find_vdi_name(s, s->name, snap_id, snap_tag, &vid, true,
+ ret = find_vdi_name(s, s->name, hdr.snapid, snap_tag, &vid, true,
&local_err);
if (ret) {
+ error_report_err(local_err);
return ret;
}
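Review bot: `assert(snap_id <= UINT_MAX)` turns a snapshot id parsed from the caller-supplied `snapshot_id` string into an abort of the whole process when the value does not fit in 32 bits; the parsed value is input, not an invariant, so this should be `if (snap_id > UINT32_MAX) { error_setg(errp, ...); return -1; }` rather than an assertion. Separately, `error_report_err(local_err)` prints and frees the error, but the function already takes an `Error **errp` that the caller expects to be filled; passing `errp` straight to `find_vdi_name`, or using `error_propagate(errp, local_err)`, fixes the leak without swallowing the error.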
--
1.8.5.2
* [Qemu-devel] [PATCH 3/6] spice: fix coverity complaints
From: Gonglei @ 2016-03-03 9:43 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-trivial, pbonzini, Gonglei
Remove the unnecessary NULL check.
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
ui/spice-display.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/ui/spice-display.c b/ui/spice-display.c
index 242ab5f..1ffbec1 100644
--- a/ui/spice-display.c
+++ b/ui/spice-display.c
@@ -769,9 +769,7 @@ static void display_mouse_define(DisplayChangeListener *dcl,
SimpleSpiceDisplay *ssd = container_of(dcl, SimpleSpiceDisplay, dcl);
qemu_mutex_lock(&ssd->lock);
- if (c) {
- cursor_get(c);
- }
+ cursor_get(c);
cursor_put(ssd->cursor);
ssd->cursor = c;
ssd->hot_x = c->hot_x;
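Review bot: removing the `if (c)` guard resolves the inconsistency Coverity flagged (the unconditional `c->hot_x` dereference a few lines later already assumed `c` is non-NULL), but it does so by committing to the stronger assumption; the commit message `Remove the unnecessary NULL check.` should state why every caller of `display_mouse_define` passes a valid cursor, otherwise the dereferences are what should be guarded. As written, a NULL `c` would now crash inside `cursor_get(c)` or at `c->hot_x` while `ssd->lock` is held.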
--
1.8.5.2
* [Qemu-devel] [PATCH 4/6] hostmem-file: fix memory leak
From: Gonglei @ 2016-03-03 9:43 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-trivial, pbonzini, Gonglei
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
backends/hostmem-file.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/backends/hostmem-file.c b/backends/hostmem-file.c
index fd59482..217f858 100644
--- a/backends/hostmem-file.c
+++ b/backends/hostmem-file.c
@@ -51,11 +51,14 @@ file_backend_memory_alloc(HostMemoryBackend *backend, Error **errp)
error_setg(errp, "-mem-path not supported on this host");
#else
if (!memory_region_size(&backend->mr)) {
+ gchar *path;
backend->force_prealloc = mem_prealloc;
+ path = object_get_canonical_path(OBJECT(backend));
memory_region_init_ram_from_file(&backend->mr, OBJECT(backend),
- object_get_canonical_path(OBJECT(backend)),
+ path,
backend->size, fb->share,
fb->mem_path, errp);
+ g_free(path);
}
#endif
}
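Review bot: `path` is handed to `memory_region_init_ram_from_file` as the region name and freed immediately afterwards, which is only correct because the memory-region code keeps its own copy of the name rather than the pointer it was given; that dependency is worth a sentence in the commit message, which currently carries nothing but the Signed-off-by. It should also say that `object_get_canonical_path` returns a newly allocated string the caller owns, since that is the leak being fixed.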
--
1.8.5.2
* [Qemu-devel] [PATCH 5/6] spapr: fix possible Negative array index read
From: Gonglei @ 2016-03-03 9:43 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-trivial, pbonzini, Gonglei
fix CID 1351391.
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
hw/ppc/spapr.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index e9d4abf..57d19ab 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -2221,6 +2221,10 @@ static void spapr_machine_device_plug(HotplugHandler *hotplug_dev,
if (*errp) {
return;
}
+ if (node < 0 || node >= MAX_NODES) {
+ error_setg(errp, "Invaild node %d", node);
+ return;
+ }
/*
* Currently PowerPC kernel doesn't allow hot-adding memory to
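Review bot: the user-visible message `"Invaild node %d"` has a typo and should read `"Invalid node %d"`. The check itself is well placed: it runs after the `*errp` early return and before `node` is used as an index, and testing both `node < 0` and `node >= MAX_NODES` covers both ends of the array.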
--
1.8.5.2
* [Qemu-devel] [PATCH 6/6] smbus: fix memory leak
From: Gonglei @ 2016-03-03 9:43 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-trivial, pbonzini, Gonglei
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
---
hw/i2c/smbus_eeprom.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c
index 5b7bd89..83c6b27 100644
--- a/hw/i2c/smbus_eeprom.c
+++ b/hw/i2c/smbus_eeprom.c
@@ -156,4 +156,6 @@ void smbus_eeprom_init(I2CBus *smbus, int nb_eeprom,
qdev_prop_set_ptr(eeprom, "data", eeprom_buf + (i * 256));
qdev_init_nofail(eeprom);
}
+
+ g_free(eeprom_buf);
}
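Review bot: `g_free(eeprom_buf)` here turns a leak into a use-after-free. The loop just above stores `eeprom_buf + (i * 256)` into each device through `qdev_prop_set_ptr(eeprom, "data", ...)`, and those devices keep reading from that memory for their whole lifetime, so the buffer must outlive them. Either leave the allocation as it was, or move ownership into a device object that frees it in its own finalizer; a commit message explaining why the Coverity leak report is intentional would be the right fix for the former.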
--
1.8.5.2
* Re: [Qemu-devel] [PATCH 2/6] sheepdog: fix possible resource leak and out-of-bounds access
From: Paolo Bonzini @ 2016-03-03 11:17 UTC (permalink / raw)
To: Gonglei, qemu-devel; +Cc: qemu-trivial
On 03/03/2016 10:43, Gonglei wrote:
> CID 1352418 (#1 of 1): Out-of-bounds access (INCOMPATIBLE_CAST)
> incompatible_cast: Pointer &snap_id points to an object whose effective
> type is unsigned int (32 bits, unsigned) but is dereferenced as a wider
> unsigned long (64 bits, unsigned). This may lead to memory corruption.
>
> We also need to free local_err when ret is not equals to 0.
>
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> ---
> block/sheepdog.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/block/sheepdog.c b/block/sheepdog.c
> index 8739acc..3d81bba 100644
> --- a/block/sheepdog.c
> +++ b/block/sheepdog.c
> @@ -2543,7 +2543,7 @@ static int sd_snapshot_delete(BlockDriverState *bs,
> const char *name,
> Error **errp)
> {
> - uint32_t snap_id = 0;
> + unsigned long snap_id = 0;
> char snap_tag[SD_MAX_VDI_TAG_LEN];
> Error *local_err = NULL;
> int fd, ret;
> @@ -2565,20 +2565,23 @@ static int sd_snapshot_delete(BlockDriverState *bs,
> memset(buf, 0, sizeof(buf));
> memset(snap_tag, 0, sizeof(snap_tag));
> pstrcpy(buf, SD_MAX_VDI_LEN, s->name);
> - if (qemu_strtoul(snapshot_id, NULL, 10, (unsigned long *)&snap_id)) {
> + if (qemu_strtoul(snapshot_id, NULL, 10, &snap_id)) {
> return -1;
> }
>
> if (snap_id) {
> + assert(snap_id <= UINT_MAX);
> +
> hdr.snapid = snap_id;
> } else {
> pstrcpy(snap_tag, sizeof(snap_tag), snapshot_id);
> pstrcpy(buf + SD_MAX_VDI_LEN, SD_MAX_VDI_TAG_LEN, snap_tag);
> }
>
> - ret = find_vdi_name(s, s->name, snap_id, snap_tag, &vid, true,
> + ret = find_vdi_name(s, s->name, hdr.snapid, snap_tag, &vid, true,
> &local_err);
> if (ret) {
> + error_report_err(local_err);
> return ret;
> }
>
>
A patch for this has been posted yesterday by Jeff Cody.
Paolo
* Re: [Qemu-devel] [PATCH 6/6] smbus: fix memory leak
From: Paolo Bonzini @ 2016-03-03 11:19 UTC (permalink / raw)
To: Gonglei, qemu-devel; +Cc: qemu-trivial
On 03/03/2016 10:43, Gonglei wrote:
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> ---
> hw/i2c/smbus_eeprom.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c
> index 5b7bd89..83c6b27 100644
> --- a/hw/i2c/smbus_eeprom.c
> +++ b/hw/i2c/smbus_eeprom.c
> @@ -156,4 +156,6 @@ void smbus_eeprom_init(I2CBus *smbus, int nb_eeprom,
> qdev_prop_set_ptr(eeprom, "data", eeprom_buf + (i * 256));
> qdev_init_nofail(eeprom);
> }
> +
> + g_free(eeprom_buf);
> }
>
This is wrong, eeprom_buf is passed to the device through qdev_prop_set_ptr.
Paolo
* Re: [Qemu-devel] [PATCH 1/6] egl-helpers: fix possible resource leak
From: Paolo Bonzini @ 2016-03-03 11:19 UTC (permalink / raw)
To: Gonglei, qemu-devel; +Cc: qemu-trivial
On 03/03/2016 10:43, Gonglei wrote:
> CID 1352419, using g_strdup_printf instead of asprintf.
>
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> ---
> ui/egl-helpers.c | 9 +++------
> 1 file changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/ui/egl-helpers.c b/ui/egl-helpers.c
> index 54be44c..2da1930 100644
> --- a/ui/egl-helpers.c
> +++ b/ui/egl-helpers.c
> @@ -50,18 +50,15 @@ int qemu_egl_rendernode_open(void)
> continue;
> }
>
> - r = asprintf(&p, "/dev/dri/%s", e->d_name);
> - if (r < 0) {
> - return -1;
> - }
> + p = g_strdup_printf("/dev/dri/%s", e->d_name);
>
> r = open(p, O_RDWR | O_CLOEXEC | O_NOCTTY | O_NONBLOCK);
> if (r < 0) {
> - free(p);
> + g_free(p);
> continue;
> }
> fd = r;
> - free(p);
> + g_free(p);
> break;
> }
>
>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
* Re: [Qemu-devel] [PATCH 3/6] spice: fix coverity complaints
From: Paolo Bonzini @ 2016-03-03 11:19 UTC (permalink / raw)
To: Gonglei, qemu-devel; +Cc: qemu-trivial
On 03/03/2016 10:43, Gonglei wrote:
> Remove the unnecessary NULL check.
>
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> ---
> ui/spice-display.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/ui/spice-display.c b/ui/spice-display.c
> index 242ab5f..1ffbec1 100644
> --- a/ui/spice-display.c
> +++ b/ui/spice-display.c
> @@ -769,9 +769,7 @@ static void display_mouse_define(DisplayChangeListener *dcl,
> SimpleSpiceDisplay *ssd = container_of(dcl, SimpleSpiceDisplay, dcl);
>
> qemu_mutex_lock(&ssd->lock);
> - if (c) {
> - cursor_get(c);
> - }
> + cursor_get(c);
> cursor_put(ssd->cursor);
> ssd->cursor = c;
> ssd->hot_x = c->hot_x;
>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
* Re: [Qemu-devel] [PATCH 4/6] hostmem-file: fix memory leak
From: Paolo Bonzini @ 2016-03-03 11:19 UTC (permalink / raw)
To: Gonglei, qemu-devel; +Cc: qemu-trivial
On 03/03/2016 10:43, Gonglei wrote:
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> ---
> backends/hostmem-file.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/backends/hostmem-file.c b/backends/hostmem-file.c
> index fd59482..217f858 100644
> --- a/backends/hostmem-file.c
> +++ b/backends/hostmem-file.c
> @@ -51,11 +51,14 @@ file_backend_memory_alloc(HostMemoryBackend *backend, Error **errp)
> error_setg(errp, "-mem-path not supported on this host");
> #else
> if (!memory_region_size(&backend->mr)) {
> + gchar *path;
> backend->force_prealloc = mem_prealloc;
> + path = object_get_canonical_path(OBJECT(backend));
> memory_region_init_ram_from_file(&backend->mr, OBJECT(backend),
> - object_get_canonical_path(OBJECT(backend)),
> + path,
> backend->size, fb->share,
> fb->mem_path, errp);
> + g_free(path);
> }
> #endif
> }
>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
* Re: [Qemu-devel] [PATCH 5/6] spapr: fix possible Negative array index read
From: Paolo Bonzini @ 2016-03-03 11:19 UTC (permalink / raw)
To: Gonglei, qemu-devel; +Cc: qemu-trivial
On 03/03/2016 10:43, Gonglei wrote:
> fix CID 1351391.
>
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> ---
> hw/ppc/spapr.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
> index e9d4abf..57d19ab 100644
> --- a/hw/ppc/spapr.c
> +++ b/hw/ppc/spapr.c
> @@ -2221,6 +2221,10 @@ static void spapr_machine_device_plug(HotplugHandler *hotplug_dev,
> if (*errp) {
> return;
> }
> + if (node < 0 || node >= MAX_NODES) {
> + error_setg(errp, "Invaild node %d", node);
> + return;
> + }
>
> /*
> * Currently PowerPC kernel doesn't allow hot-adding memory to
>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
* Re: [Qemu-devel] [PATCH 2/6] sheepdog: fix possible resource leak and out-of-bounds access
From: Gonglei (Arei) @ 2016-03-03 12:00 UTC (permalink / raw)
To: Paolo Bonzini, qemu-devel; +Cc: qemu-trivial
Regards,
-Gonglei
> -----Original Message-----
> From: Paolo Bonzini [mailto:pbonzini@redhat.com]
> Sent: Thursday, March 03, 2016 7:18 PM
> To: Gonglei (Arei); qemu-devel@nongnu.org
> Cc: qemu-trivial@nongnu.org
> Subject: Re: [PATCH 2/6] sheepdog: fix possible resource leak and out-of-bounds
> access
>
>
>
> On 03/03/2016 10:43, Gonglei wrote:
> > CID 1352418 (#1 of 1): Out-of-bounds access (INCOMPATIBLE_CAST)
> > incompatible_cast: Pointer &snap_id points to an object whose effective
> > type is unsigned int (32 bits, unsigned) but is dereferenced as a wider
> > unsigned long (64 bits, unsigned). This may lead to memory corruption.
> >
> > We also need to free local_err when ret is not equals to 0.
> >
> > Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> > ---
> > block/sheepdog.c | 9 ++++++---
> > 1 file changed, 6 insertions(+), 3 deletions(-)
> >
> > diff --git a/block/sheepdog.c b/block/sheepdog.c
> > index 8739acc..3d81bba 100644
> > --- a/block/sheepdog.c
> > +++ b/block/sheepdog.c
> > @@ -2543,7 +2543,7 @@ static int sd_snapshot_delete(BlockDriverState
> *bs,
> > const char *name,
> > Error **errp)
> > {
> > - uint32_t snap_id = 0;
> > + unsigned long snap_id = 0;
> > char snap_tag[SD_MAX_VDI_TAG_LEN];
> > Error *local_err = NULL;
> > int fd, ret;
> > @@ -2565,20 +2565,23 @@ static int sd_snapshot_delete(BlockDriverState
> *bs,
> > memset(buf, 0, sizeof(buf));
> > memset(snap_tag, 0, sizeof(snap_tag));
> > pstrcpy(buf, SD_MAX_VDI_LEN, s->name);
> > - if (qemu_strtoul(snapshot_id, NULL, 10, (unsigned long *)&snap_id)) {
> > + if (qemu_strtoul(snapshot_id, NULL, 10, &snap_id)) {
> > return -1;
> > }
> >
> > if (snap_id) {
> > + assert(snap_id <= UINT_MAX);
> > +
> > hdr.snapid = snap_id;
> > } else {
> > pstrcpy(snap_tag, sizeof(snap_tag), snapshot_id);
> > pstrcpy(buf + SD_MAX_VDI_LEN, SD_MAX_VDI_TAG_LEN,
> snap_tag);
> > }
> >
> > - ret = find_vdi_name(s, s->name, snap_id, snap_tag, &vid, true,
> > + ret = find_vdi_name(s, s->name, hdr.snapid, snap_tag, &vid, true,
> > &local_err);
> > if (ret) {
> > + error_report_err(local_err);
> > return ret;
> > }
> >
> >
>
> A patch for this has been posted yesterday by Jeff Cody.
>
OK, I found it. And Max's comments are right, Jeff can use hdr.snapid instead of snap_tag
to invoke find_vdi_name().
But, apart from that fix, my patch also fixed a memory leak, did you see that? Do I need to
post a separate patch to fix the memory leak?
Regards,
-Gonglei
* Re: [Qemu-devel] [PATCH 6/6] smbus: fix memory leak
From: Gonglei (Arei) @ 2016-03-03 12:05 UTC (permalink / raw)
To: Paolo Bonzini, qemu-devel; +Cc: qemu-trivial
> Subject: Re: [PATCH 6/6] smbus: fix memory leak
>
>
>
> On 03/03/2016 10:43, Gonglei wrote:
> > Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> > ---
> > hw/i2c/smbus_eeprom.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/hw/i2c/smbus_eeprom.c b/hw/i2c/smbus_eeprom.c
> > index 5b7bd89..83c6b27 100644
> > --- a/hw/i2c/smbus_eeprom.c
> > +++ b/hw/i2c/smbus_eeprom.c
> > @@ -156,4 +156,6 @@ void smbus_eeprom_init(I2CBus *smbus, int
> nb_eeprom,
> > qdev_prop_set_ptr(eeprom, "data", eeprom_buf + (i * 256));
> > qdev_init_nofail(eeprom);
> > }
> > +
> > + g_free(eeprom_buf);
> > }
> >
>
> This is wrong, eeprom_buf is passed to the device through qdev_prop_set_ptr.
>
Oops, right, NACK. Thanks!
Regards,
-Gonglei
* Re: [Qemu-devel] [PATCH 2/6] sheepdog: fix possible resource leak and out-of-bounds access
From: Paolo Bonzini @ 2016-03-03 12:12 UTC (permalink / raw)
To: Gonglei (Arei), qemu-devel; +Cc: qemu-trivial
On 03/03/2016 13:00, Gonglei (Arei) wrote:
>>> > >
>>> > > - ret = find_vdi_name(s, s->name, snap_id, snap_tag, &vid, true,
>>> > > + ret = find_vdi_name(s, s->name, hdr.snapid, snap_tag, &vid, true,
>>> > > &local_err);
>>> > > if (ret) {
>>> > > + error_report_err(local_err);
>>> > > return ret;
>>> > > }
>>> > >
>>> > >
>> >
>> > A patch for this has been posted yesterday by Jeff Cody.
>> >
> OK, I found it. And Max's comments is right, Jef can use hdr.snapid instead of snap_tag
> to invoke find_vdi_name().
>
> But, except that fix, My patch also fixed a memory leak, did you see that?
No, I didn't notice -- it's not clear that error_report_err also frees
the error.
> Do I need post an separate patch to fix memory leak?
Yes, but the right fix in my opinion is to pass errp to find_vdi_name
instead.
Paolo
* Re: [Qemu-devel] [PATCH 2/6] sheepdog: fix possible resource leak and out-of-bounds access
From: Gonglei (Arei) @ 2016-03-03 12:35 UTC (permalink / raw)
To: Paolo Bonzini, qemu-devel; +Cc: qemu-trivial
Regards,
-Gonglei
> -----Original Message-----
> From: Paolo Bonzini [mailto:pbonzini@redhat.com]
> Sent: Thursday, March 03, 2016 8:12 PM
> To: Gonglei (Arei); qemu-devel@nongnu.org
> Cc: qemu-trivial@nongnu.org
> Subject: Re: [PATCH 2/6] sheepdog: fix possible resource leak and out-of-bounds
> access
>
>
>
> On 03/03/2016 13:00, Gonglei (Arei) wrote:
> >>> > >
> >>> > > - ret = find_vdi_name(s, s->name, snap_id, snap_tag, &vid, true,
> >>> > > + ret = find_vdi_name(s, s->name, hdr.snapid, snap_tag, &vid,
> true,
> >>> > > &local_err);
> >>> > > if (ret) {
> >>> > > + error_report_err(local_err);
> >>> > > return ret;
> >>> > > }
> >>> > >
> >>> > >
> >> >
> >> > A patch for this has been posted yesterday by Jeff Cody.
> >> >
> > OK, I found it. And Max's comments is right, Jef can use hdr.snapid instead of
> snap_tag
> > to invoke find_vdi_name().
> >
> > But, except that fix, My patch also fixed a memory leak, did you see that?
>
> No, I didn't notice -- it's not clear that error_report_err also frees
> the error.
>
> > Do I need post an separate patch to fix memory leak?
>
> Yes, but the right fix in my opinion is to pass errp to find_vdi_name
> instead.
>
You are right, we'd better drop local_err in sd_snapshot_delete().
Regards,
-Gonglei
* Re: [Qemu-devel] [PATCH 0/6] fix some coverity complaints
From: Gonglei (Arei) @ 2016-04-06 2:12 UTC (permalink / raw)
To: Gonglei (Arei), qemu-devel; +Cc: qemu-trivial, pbonzini
Hi Paolo,
Would you pls pick patches 1, 3, 4, 5 for qemu-2.6?
It seems the trivial-branch maintainer didn't notice them. :(
Regards,
-Gonglei
> -----Original Message-----
> From: Gonglei (Arei)
> Sent: Thursday, March 03, 2016 5:44 PM
> To: qemu-devel@nongnu.org
> Cc: pbonzini@redhat.com; qemu-trivial@nongnu.org; Gonglei (Arei)
> Subject: [PATCH 0/6] fix some coverity complaints
>
>
> Gonglei (6):
> egl-helpers: fix possible resource leak
> sheepdog: fix possible resource leak and out-of-bounds access
> spice: fix coverity complaints
> hostmem-file: fix memory leak
> spapr: fix possible Negative array index read
> smbus: fix memory leak
>
> backends/hostmem-file.c | 5 ++++-
> block/sheepdog.c | 9 ++++++---
> hw/i2c/smbus_eeprom.c | 2 ++
> hw/ppc/spapr.c | 4 ++++
> ui/egl-helpers.c | 9 +++------
> ui/spice-display.c | 4 +---
> 6 files changed, 20 insertions(+), 13 deletions(-)
>
> --
> 1.8.5.2
>
* Re: [Qemu-devel] [PATCH 0/6] fix some coverity complaints
From: Paolo Bonzini @ 2016-04-06 6:30 UTC (permalink / raw)
To: Gonglei (Arei), qemu-devel; +Cc: qemu-trivial, Gerd Hoffmann
On 06/04/2016 04:12, Gonglei (Arei) wrote:
> Hi Paolo,
>
> Would you pls pick patch 1,3,4,5 to qemu-2.6 ?
Gerd, can you pick up the three spice and egl-helpers patches?
I'll take care of the backends/ one.
Paolo
> It seems the trivial-branch maintainer didn't notice them. :(
>
> Regards,
> -Gonglei
>
>
>> -----Original Message-----
>> From: Gonglei (Arei)
>> Sent: Thursday, March 03, 2016 5:44 PM
>> To: qemu-devel@nongnu.org
>> Cc: pbonzini@redhat.com; qemu-trivial@nongnu.org; Gonglei (Arei)
>> Subject: [PATCH 0/6] fix some coverity complaints
>>
>>
>> Gonglei (6):
>> egl-helpers: fix possible resource leak
>> sheepdog: fix possible resource leak and out-of-bounds access
>> spice: fix coverity complaints
>> hostmem-file: fix memory leak
>> spapr: fix possible Negative array index read
>> smbus: fix memory leak
>>
>> backends/hostmem-file.c | 5 ++++-
>> block/sheepdog.c | 9 ++++++---
>> hw/i2c/smbus_eeprom.c | 2 ++
>> hw/ppc/spapr.c | 4 ++++
>> ui/egl-helpers.c | 9 +++------
>> ui/spice-display.c | 4 +---
>> 6 files changed, 20 insertions(+), 13 deletions(-)
>>
>> --
>> 1.8.5.2
>>
>
>
>
* Re: [Qemu-devel] [PATCH 0/6] fix some coverity complaints
From: Paolo Bonzini @ 2016-04-06 6:31 UTC (permalink / raw)
To: Gonglei (Arei), qemu-devel; +Cc: qemu-trivial, Gerd Hoffmann
On 06/04/2016 08:30, Paolo Bonzini wrote:
>
>
> On 06/04/2016 04:12, Gonglei (Arei) wrote:
>> Hi Paolo,
>>
>> Would you pls pick patch 1,3,4,5 to qemu-2.6 ?
>
> Gerd, can you pick up the three spice and egl-helpers patches?
Hem, two. :)
Paolo
> I'll take care of the backends/ one.
>
> Paolo
>
>> It seems the trivial-branch maintainer didn't notice them. :(
>>
>> Regards,
>> -Gonglei
>>
>>
>>> -----Original Message-----
>>> From: Gonglei (Arei)
>>> Sent: Thursday, March 03, 2016 5:44 PM
>>> To: qemu-devel@nongnu.org
>>> Cc: pbonzini@redhat.com; qemu-trivial@nongnu.org; Gonglei (Arei)
>>> Subject: [PATCH 0/6] fix some coverity complaints
>>>
>>>
>>> Gonglei (6):
>>> egl-helpers: fix possible resource leak
>>> sheepdog: fix possible resource leak and out-of-bounds access
>>> spice: fix coverity complaints
>>> hostmem-file: fix memory leak
>>> spapr: fix possible Negative array index read
>>> smbus: fix memory leak
>>>
>>> backends/hostmem-file.c | 5 ++++-
>>> block/sheepdog.c | 9 ++++++---
>>> hw/i2c/smbus_eeprom.c | 2 ++
>>> hw/ppc/spapr.c | 4 ++++
>>> ui/egl-helpers.c | 9 +++------
>>> ui/spice-display.c | 4 +---
>>> 6 files changed, 20 insertions(+), 13 deletions(-)
>>>
>>> --
>>> 1.8.5.2
>>>
>>
>>
>>
>
>
* Re: [Qemu-devel] [PATCH 3/6] spice: fix coverity complaints
From: Gonglei (Arei) @ 2016-05-10 5:59 UTC (permalink / raw)
To: Paolo Bonzini, qemu-devel, Gerd Hoffmann; +Cc: qemu-trivial
Hi Gerd,
Pls pick this one, thanks :)
Regards,
-Gonglei
> -----Original Message-----
> From: Paolo Bonzini [mailto:pbonzini@redhat.com]
> Sent: Thursday, March 03, 2016 7:19 PM
> To: Gonglei (Arei); qemu-devel@nongnu.org
> Cc: qemu-trivial@nongnu.org
> Subject: Re: [PATCH 3/6] spice: fix coverity complaints
>
>
>
> On 03/03/2016 10:43, Gonglei wrote:
> > Remove the unnecessary NULL check.
> >
> > Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> > ---
> > ui/spice-display.c | 4 +---
> > 1 file changed, 1 insertion(+), 3 deletions(-)
> >
> > diff --git a/ui/spice-display.c b/ui/spice-display.c
> > index 242ab5f..1ffbec1 100644
> > --- a/ui/spice-display.c
> > +++ b/ui/spice-display.c
> > @@ -769,9 +769,7 @@ static void
> display_mouse_define(DisplayChangeListener *dcl,
> > SimpleSpiceDisplay *ssd = container_of(dcl, SimpleSpiceDisplay, dcl);
> >
> > qemu_mutex_lock(&ssd->lock);
> > - if (c) {
> > - cursor_get(c);
> > - }
> > + cursor_get(c);
> > cursor_put(ssd->cursor);
> > ssd->cursor = c;
> > ssd->hot_x = c->hot_x;
> >
>
> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
* Re: [Qemu-devel] [PATCH 1/6] egl-helpers: fix possible resource leak
From: Gonglei (Arei) @ 2016-05-10 6:02 UTC (permalink / raw)
To: Paolo Bonzini, qemu-devel, Gerd Hoffmann; +Cc: qemu-trivial
And this one. Thanks :)
Regards,
-Gonglei
> -----Original Message-----
> From: Paolo Bonzini [mailto:pbonzini@redhat.com]
> Sent: Thursday, March 03, 2016 7:19 PM
> To: Gonglei (Arei); qemu-devel@nongnu.org
> Cc: qemu-trivial@nongnu.org
> Subject: Re: [PATCH 1/6] egl-helpers: fix possible resource leak
>
>
>
> On 03/03/2016 10:43, Gonglei wrote:
> > CID 1352419, using g_strdup_printf instead of asprintf.
> >
> > Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> > ---
> > ui/egl-helpers.c | 9 +++------
> > 1 file changed, 3 insertions(+), 6 deletions(-)
> >
> > diff --git a/ui/egl-helpers.c b/ui/egl-helpers.c
> > index 54be44c..2da1930 100644
> > --- a/ui/egl-helpers.c
> > +++ b/ui/egl-helpers.c
> > @@ -50,18 +50,15 @@ int qemu_egl_rendernode_open(void)
> > continue;
> > }
> >
> > - r = asprintf(&p, "/dev/dri/%s", e->d_name);
> > - if (r < 0) {
> > - return -1;
> > - }
> > + p = g_strdup_printf("/dev/dri/%s", e->d_name);
> >
> > r = open(p, O_RDWR | O_CLOEXEC | O_NOCTTY |
> O_NONBLOCK);
> > if (r < 0) {
> > - free(p);
> > + g_free(p);
> > continue;
> > }
> > fd = r;
> > - free(p);
> > + g_free(p);
> > break;
> > }
> >
> >
>
> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>