block/nbd.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-)
From: PanNengyuan <pannengyuan@huawei.com>
In currently implementation there will be a memory leak when
nbd_client_connect() returns error status. Here is an easy way to
reproduce:
1. run qemu-iotests as follow and check the result with asan:
./check -raw 143
Following is the asan output backtrack:
Direct leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x7f629688a560 in calloc (/usr/lib64/libasan.so.3+0xc7560)
#1 0x7f6295e7e015 in g_malloc0 (/usr/lib64/libglib-2.0.so.0+0x50015)
#2 0x56281dab4642 in qobject_input_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:295
#3 0x56281dab1a04 in visit_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:49
#4 0x56281dad1827 in visit_type_SocketAddress qapi/qapi-visit-sockets.c:386
#5 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716
#6 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829
#7 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873
Direct leak of 15 byte(s) in 1 object(s) allocated from:
#0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0)
#1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd)
#2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace)
#3 0x56281da804ac in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1834
#4 0x56281da804ac in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873
Indirect leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0)
#1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd)
#2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace)
#3 0x56281dab41a3 in qobject_input_type_str_keyval /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:536
#4 0x56281dab2ee9 in visit_type_str /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:297
#5 0x56281dad0fa1 in visit_type_UnixSocketAddress_members qapi/qapi-visit-sockets.c:141
#6 0x56281dad17b6 in visit_type_SocketAddress_members qapi/qapi-visit-sockets.c:366
#7 0x56281dad186a in visit_type_SocketAddress qapi/qapi-visit-sockets.c:393
#8 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716
#9 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829
#10 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: PanNengyuan <pannengyuan@huawei.com>
---
Changes v2 to v1:
- add a new function to do the common cleanups (suggested by Stefano Garzarella).
---
block/nbd.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/block/nbd.c b/block/nbd.c
index 1239761..f8aa2a8 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -94,6 +94,8 @@ typedef struct BDRVNBDState {
static int nbd_client_connect(BlockDriverState *bs, Error **errp);
+static void nbd_free_bdrvstate_prop(BDRVNBDState *s);
+
static void nbd_channel_error(BDRVNBDState *s, int ret)
{
if (ret == -EIO) {
@@ -1486,6 +1488,17 @@ static int nbd_client_connect(BlockDriverState *bs, Error **errp)
}
}
+static void nbd_free_bdrvstate_prop(BDRVNBDState *s)
+{
+ object_unref(OBJECT(s->tlscreds));
+ qapi_free_SocketAddress(s->saddr);
+ g_free(s->export);
+ g_free(s->tlscredsid);
+ if (s->x_dirty_bitmap) {
+ g_free(s->x_dirty_bitmap);
+ }
+}
+
/*
* Parse nbd_open options
*/
@@ -1855,10 +1868,7 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options,
error:
if (ret < 0) {
- object_unref(OBJECT(s->tlscreds));
- qapi_free_SocketAddress(s->saddr);
- g_free(s->export);
- g_free(s->tlscredsid);
+ nbd_free_bdrvstate_prop(s);
}
qemu_opts_del(opts);
return ret;
@@ -1881,6 +1891,7 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags,
ret = nbd_client_connect(bs, errp);
if (ret < 0) {
+ nbd_free_bdrvstate_prop(s);
return ret;
}
/* successfully connected */
@@ -1937,12 +1948,7 @@ static void nbd_close(BlockDriverState *bs)
BDRVNBDState *s = bs->opaque;
nbd_client_close(bs);
-
- object_unref(OBJECT(s->tlscreds));
- qapi_free_SocketAddress(s->saddr);
- g_free(s->export);
- g_free(s->tlscredsid);
- g_free(s->x_dirty_bitmap);
+ nbd_free_bdrvstate_prop(s);
}
static int64_t nbd_getlength(BlockDriverState *bs)
--
2.7.2.windows.1
On Thu, Nov 28, 2019 at 08:09:31PM +0800, pannengyuan@huawei.com wrote: > From: PanNengyuan <pannengyuan@huawei.com> > > In currently implementation there will be a memory leak when > nbd_client_connect() returns error status. Here is an easy way to > reproduce: > > 1. run qemu-iotests as follow and check the result with asan: > ./check -raw 143 > > Following is the asan output backtrack: > Direct leak of 40 byte(s) in 1 object(s) allocated from: > #0 0x7f629688a560 in calloc (/usr/lib64/libasan.so.3+0xc7560) > #1 0x7f6295e7e015 in g_malloc0 (/usr/lib64/libglib-2.0.so.0+0x50015) > #2 0x56281dab4642 in qobject_input_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:295 > #3 0x56281dab1a04 in visit_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:49 > #4 0x56281dad1827 in visit_type_SocketAddress qapi/qapi-visit-sockets.c:386 > #5 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716 > #6 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829 > #7 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873 > > Direct leak of 15 byte(s) in 1 object(s) allocated from: > #0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0) > #1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd) > #2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace) > #3 0x56281da804ac in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1834 > #4 0x56281da804ac in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873 > > Indirect leak of 24 byte(s) in 1 object(s) allocated from: > #0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0) > #1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd) > #2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace) > #3 0x56281dab41a3 in qobject_input_type_str_keyval /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:536 > #4 0x56281dab2ee9 in visit_type_str /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:297 > #5 0x56281dad0fa1 in visit_type_UnixSocketAddress_members qapi/qapi-visit-sockets.c:141 > #6 0x56281dad17b6 in visit_type_SocketAddress_members qapi/qapi-visit-sockets.c:366 > #7 0x56281dad186a in visit_type_SocketAddress qapi/qapi-visit-sockets.c:393 > #8 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716 > #9 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829 > #10 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873 > > Reported-by: Euler Robot <euler.robot@huawei.com> > Signed-off-by: PanNengyuan <pannengyuan@huawei.com> > --- > Changes v2 to v1: > - add a new function to do the common cleanups (suggested by Stefano Garzarella). > --- > block/nbd.c | 26 ++++++++++++++++---------- > 1 file changed, 16 insertions(+), 10 deletions(-) > > diff --git a/block/nbd.c b/block/nbd.c > index 1239761..f8aa2a8 100644 > --- a/block/nbd.c > +++ b/block/nbd.c > @@ -94,6 +94,8 @@ typedef struct BDRVNBDState { > > static int nbd_client_connect(BlockDriverState *bs, Error **errp); > > +static void nbd_free_bdrvstate_prop(BDRVNBDState *s); > + > static void nbd_channel_error(BDRVNBDState *s, int ret) > { > if (ret == -EIO) { > @@ -1486,6 +1488,17 @@ static int nbd_client_connect(BlockDriverState *bs, Error **errp) > } > } > > +static void nbd_free_bdrvstate_prop(BDRVNBDState *s) > +{ > + object_unref(OBJECT(s->tlscreds)); > + qapi_free_SocketAddress(s->saddr); > + g_free(s->export); > + g_free(s->tlscredsid); > + if (s->x_dirty_bitmap) { ^ it is not needed, g_free() handles NULL pointers. > + g_free(s->x_dirty_bitmap); > + } > +} > + Please, split this patch in two patches: - the first patch where you add this function and use it in nbd_process_options() and nbd_close() - the second patch where you fix the leak in nbd_open() Thanks, Stefano > /* > * Parse nbd_open options > */ > @@ -1855,10 +1868,7 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options, > > error: > if (ret < 0) { > - object_unref(OBJECT(s->tlscreds)); > - qapi_free_SocketAddress(s->saddr); > - g_free(s->export); > - g_free(s->tlscredsid); > + nbd_free_bdrvstate_prop(s); > } > qemu_opts_del(opts); > return ret; > @@ -1881,6 +1891,7 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags, > > ret = nbd_client_connect(bs, errp); > if (ret < 0) { > + nbd_free_bdrvstate_prop(s); > return ret; > } > /* successfully connected */ > @@ -1937,12 +1948,7 @@ static void nbd_close(BlockDriverState *bs) > BDRVNBDState *s = bs->opaque; > > nbd_client_close(bs); > - > - object_unref(OBJECT(s->tlscreds)); > - qapi_free_SocketAddress(s->saddr); > - g_free(s->export); > - g_free(s->tlscredsid); > - g_free(s->x_dirty_bitmap); > + nbd_free_bdrvstate_prop(s); > } > > static int64_t nbd_getlength(BlockDriverState *bs) > -- > 2.7.2.windows.1 > > > --
On 2019/11/28 21:36, Stefano Garzarella wrote: > On Thu, Nov 28, 2019 at 08:09:31PM +0800, pannengyuan@huawei.com wrote: >> From: PanNengyuan <pannengyuan@huawei.com> >> >> In currently implementation there will be a memory leak when >> nbd_client_connect() returns error status. Here is an easy way to >> reproduce: >> >> 1. run qemu-iotests as follow and check the result with asan: >> ./check -raw 143 >> >> Following is the asan output backtrack: >> Direct leak of 40 byte(s) in 1 object(s) allocated from: >> #0 0x7f629688a560 in calloc (/usr/lib64/libasan.so.3+0xc7560) >> #1 0x7f6295e7e015 in g_malloc0 (/usr/lib64/libglib-2.0.so.0+0x50015) >> #2 0x56281dab4642 in qobject_input_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:295 >> #3 0x56281dab1a04 in visit_start_struct /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:49 >> #4 0x56281dad1827 in visit_type_SocketAddress qapi/qapi-visit-sockets.c:386 >> #5 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716 >> #6 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829 >> #7 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873 >> >> Direct leak of 15 byte(s) in 1 object(s) allocated from: >> #0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0) >> #1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd) >> #2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace) >> #3 0x56281da804ac in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1834 >> #4 0x56281da804ac in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873 >> >> Indirect leak of 24 byte(s) in 1 object(s) allocated from: >> #0 0x7f629688a3a0 in malloc (/usr/lib64/libasan.so.3+0xc73a0) >> #1 0x7f6295e7dfbd in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4ffbd) >> #2 0x7f6295e96ace in g_strdup (/usr/lib64/libglib-2.0.so.0+0x68ace) >> #3 0x56281dab41a3 in qobject_input_type_str_keyval /mnt/sdb/qemu-4.2.0-rc0/qapi/qobject-input-visitor.c:536 >> #4 0x56281dab2ee9 in visit_type_str /mnt/sdb/qemu-4.2.0-rc0/qapi/qapi-visit-core.c:297 >> #5 0x56281dad0fa1 in visit_type_UnixSocketAddress_members qapi/qapi-visit-sockets.c:141 >> #6 0x56281dad17b6 in visit_type_SocketAddress_members qapi/qapi-visit-sockets.c:366 >> #7 0x56281dad186a in visit_type_SocketAddress qapi/qapi-visit-sockets.c:393 >> #8 0x56281da8062f in nbd_config /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1716 >> #9 0x56281da8062f in nbd_process_options /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1829 >> #10 0x56281da8062f in nbd_open /mnt/sdb/qemu-4.2.0-rc0/block/nbd.c:1873 >> >> Reported-by: Euler Robot <euler.robot@huawei.com> >> Signed-off-by: PanNengyuan <pannengyuan@huawei.com> >> --- >> Changes v2 to v1: >> - add a new function to do the common cleanups (suggested by Stefano Garzarella). >> --- >> block/nbd.c | 26 ++++++++++++++++---------- >> 1 file changed, 16 insertions(+), 10 deletions(-) >> >> diff --git a/block/nbd.c b/block/nbd.c >> index 1239761..f8aa2a8 100644 >> --- a/block/nbd.c >> +++ b/block/nbd.c >> @@ -94,6 +94,8 @@ typedef struct BDRVNBDState { >> >> static int nbd_client_connect(BlockDriverState *bs, Error **errp); >> >> +static void nbd_free_bdrvstate_prop(BDRVNBDState *s); >> + >> static void nbd_channel_error(BDRVNBDState *s, int ret) >> { >> if (ret == -EIO) { >> @@ -1486,6 +1488,17 @@ static int nbd_client_connect(BlockDriverState *bs, Error **errp) >> } >> } >> >> +static void nbd_free_bdrvstate_prop(BDRVNBDState *s) >> +{ >> + object_unref(OBJECT(s->tlscreds)); >> + qapi_free_SocketAddress(s->saddr); >> + g_free(s->export); >> + g_free(s->tlscredsid); >> + if (s->x_dirty_bitmap) { > ^ it is not needed, g_free() handles NULL pointers. >> + g_free(s->x_dirty_bitmap); >> + } >> +} >> + > > Please, split this patch in two patches: > - the first patch where you add this function and use it in > nbd_process_options() and nbd_close() > - the second patch where you fix the leak in nbd_open() > > Thanks, > Stefano Thanks, I will change and split it in next version. > >> /* >> * Parse nbd_open options >> */ >> @@ -1855,10 +1868,7 @@ static int nbd_process_options(BlockDriverState *bs, QDict *options, >> >> error: >> if (ret < 0) { >> - object_unref(OBJECT(s->tlscreds)); >> - qapi_free_SocketAddress(s->saddr); >> - g_free(s->export); >> - g_free(s->tlscredsid); >> + nbd_free_bdrvstate_prop(s); >> } >> qemu_opts_del(opts); >> return ret; >> @@ -1881,6 +1891,7 @@ static int nbd_open(BlockDriverState *bs, QDict *options, int flags, >> >> ret = nbd_client_connect(bs, errp); >> if (ret < 0) { >> + nbd_free_bdrvstate_prop(s); >> return ret; >> } >> /* successfully connected */ >> @@ -1937,12 +1948,7 @@ static void nbd_close(BlockDriverState *bs) >> BDRVNBDState *s = bs->opaque; >> >> nbd_client_close(bs); >> - >> - object_unref(OBJECT(s->tlscreds)); >> - qapi_free_SocketAddress(s->saddr); >> - g_free(s->export); >> - g_free(s->tlscredsid); >> - g_free(s->x_dirty_bitmap); >> + nbd_free_bdrvstate_prop(s); >> } >> >> static int64_t nbd_getlength(BlockDriverState *bs) >> -- >> 2.7.2.windows.1 >> >> >> >
© 2016 - 2024 Red Hat, Inc.