Re: [PATCH 1/2] migration/rdma: fix potential nullptr access in rdma_start_incoming_migration

Re: [PATCH 1/2] migration/rdma: fix potential nullptr access in rdma_start_incoming_migration

[Juan Quintela]

Pan Nengyuan <pannengyuan@huawei.com> wrote:
> 'rdma' is NULL when taking the first error branch in rdma_start_incoming_migration.
> And it will cause a null pointer access in label 'err'. Fix that.
>
> Fixes: 59c59c67ee6b0327ae932deb303caa47919aeb1e
> Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>

Reviewed-by: Juan Quintela <quintela@redhat.com>

good catch.

Re: [PATCH 2/2] migration/rdma: cleanup rdma context before g_free to avoid memleaks

[Juan Quintela]

Pan Nengyuan <pannengyuan@huawei.com> wrote:
> When error happen in initializing 'rdma_return_path', we should cleanup rdma context
> before g_free(rdma) to avoid some memleaks. This patch fix that.
>
> Reported-by: Euler Robot <euler.robot@huawei.com>
> Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>

Reviewed-by: Juan Quintela <quintela@redhat.com>

Another good catch.

[PATCH 0/2] migration/rdma: fix nullptr-def in rdma_start_incoming_migration

[Pan Nengyuan]

I fix a memleak in rdma_start_incoming_migration some time ago.
https://patchwork.kernel.org/patch/11498191/

I'm sorry that it may cause a null-pointer access, this patch fix that.

Since we are here, rdma_start_outgoing_migration has the similar memleak, fix it together.

Pan Nengyuan (2):
  migration/rdma: fix potential nullptr access in
    rdma_start_incoming_migration
  migration/rdma: cleanup rdma context before g_free to avoid memleaks

 migration/rdma.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

-- 
2.18.2

[PATCH 1/2] migration/rdma: fix potential nullptr access in rdma_start_incoming_migration

[Pan Nengyuan]

'rdma' is NULL when taking the first error branch in rdma_start_incoming_migration.
And it will cause a null pointer access in label 'err'. Fix that.

Fixes: 59c59c67ee6b0327ae932deb303caa47919aeb1e
Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
---
 migration/rdma.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/migration/rdma.c b/migration/rdma.c
index 967fda5b0c..72e8b1c95b 100644
--- a/migration/rdma.c
+++ b/migration/rdma.c
@@ -4056,7 +4056,9 @@ void rdma_start_incoming_migration(const char *host_port, Error **errp)
     return;
 err:
     error_propagate(errp, local_err);
-    g_free(rdma->host);
+    if (rdma) {
+        g_free(rdma->host);
+    }
     g_free(rdma);
     g_free(rdma_return_path);
 }
-- 
2.18.2

[PATCH 2/2] migration/rdma: cleanup rdma context before g_free to avoid memleaks

[Pan Nengyuan]

When error happen in initializing 'rdma_return_path', we should cleanup rdma context
before g_free(rdma) to avoid some memleaks. This patch fix that.

Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
---
 migration/rdma.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/migration/rdma.c b/migration/rdma.c
index 72e8b1c95b..ec45d33ba3 100644
--- a/migration/rdma.c
+++ b/migration/rdma.c
@@ -4094,20 +4094,20 @@ void rdma_start_outgoing_migration(void *opaque,
         rdma_return_path = qemu_rdma_data_init(host_port, errp);
 
         if (rdma_return_path == NULL) {
-            goto err;
+            goto return_path_err;
         }
 
         ret = qemu_rdma_source_init(rdma_return_path,
             s->enabled_capabilities[MIGRATION_CAPABILITY_RDMA_PIN_ALL], errp);
 
         if (ret) {
-            goto err;
+            goto return_path_err;
         }
 
         ret = qemu_rdma_connect(rdma_return_path, errp);
 
         if (ret) {
-            goto err;
+            goto return_path_err;
         }
 
         rdma->return_path = rdma_return_path;
@@ -4120,6 +4120,8 @@ void rdma_start_outgoing_migration(void *opaque,
     s->to_dst_file = qemu_fopen_rdma(rdma, "wb");
     migrate_fd_connect(s, NULL);
     return;
+return_path_err:
+    qemu_rdma_cleanup(rdma);
 err:
     g_free(rdma);
     g_free(rdma_return_path);
-- 
2.18.2

Re: [PATCH 1/2] migration/rdma: fix potential nullptr access in rdma_start_incoming_migration

[Peter Maydell]

On Fri, 8 May 2020 at 08:53, Juan Quintela <quintela@redhat.com> wrote:
>
> Pan Nengyuan <pannengyuan@huawei.com> wrote:
> > 'rdma' is NULL when taking the first error branch in rdma_start_incoming_migration.
> > And it will cause a null pointer access in label 'err'. Fix that.
> >
> > Fixes: 59c59c67ee6b0327ae932deb303caa47919aeb1e
> > Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
>
> Reviewed-by: Juan Quintela <quintela@redhat.com>

NB: this is CID 1428762.

thanks
-- PMM

Re: [PATCH 1/2] migration/rdma: fix potential nullptr access in rdma_start_incoming_migration

[Dr. David Alan Gilbert]

* Juan Quintela (quintela@redhat.com) wrote:
> Pan Nengyuan <pannengyuan@huawei.com> wrote:
> > 'rdma' is NULL when taking the first error branch in rdma_start_incoming_migration.
> > And it will cause a null pointer access in label 'err'. Fix that.
> >
> > Fixes: 59c59c67ee6b0327ae932deb303caa47919aeb1e
> > Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
> 
> Reviewed-by: Juan Quintela <quintela@redhat.com>
> 
> good catch.

Thanks, Queued

> 
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK

Re: [PATCH 2/2] migration/rdma: cleanup rdma context before g_free to avoid memleaks

[Dr. David Alan Gilbert]

* Pan Nengyuan (pannengyuan@huawei.com) wrote:
> When error happen in initializing 'rdma_return_path', we should cleanup rdma context
> before g_free(rdma) to avoid some memleaks. This patch fix that.
> 
> Reported-by: Euler Robot <euler.robot@huawei.com>
> Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>

Queued.

> ---
>  migration/rdma.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/migration/rdma.c b/migration/rdma.c
> index 72e8b1c95b..ec45d33ba3 100644
> --- a/migration/rdma.c
> +++ b/migration/rdma.c
> @@ -4094,20 +4094,20 @@ void rdma_start_outgoing_migration(void *opaque,
>          rdma_return_path = qemu_rdma_data_init(host_port, errp);
>  
>          if (rdma_return_path == NULL) {
> -            goto err;
> +            goto return_path_err;
>          }
>  
>          ret = qemu_rdma_source_init(rdma_return_path,
>              s->enabled_capabilities[MIGRATION_CAPABILITY_RDMA_PIN_ALL], errp);
>  
>          if (ret) {
> -            goto err;
> +            goto return_path_err;
>          }
>  
>          ret = qemu_rdma_connect(rdma_return_path, errp);
>  
>          if (ret) {
> -            goto err;
> +            goto return_path_err;
>          }
>  
>          rdma->return_path = rdma_return_path;
> @@ -4120,6 +4120,8 @@ void rdma_start_outgoing_migration(void *opaque,
>      s->to_dst_file = qemu_fopen_rdma(rdma, "wb");
>      migrate_fd_connect(s, NULL);
>      return;
> +return_path_err:
> +    qemu_rdma_cleanup(rdma);
>  err:
>      g_free(rdma);
>      g_free(rdma_return_path);
> -- 
> 2.18.2
> 
--
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK