From nobody Thu Nov 13 16:38:47 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1581909817223620.0711394637716; Sun, 16 Feb 2020 19:23:37 -0800 (PST) Received: from localhost ([::1]:39752 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1j3X0R-00071h-Tm for importer@patchew.org; Sun, 16 Feb 2020 22:23:35 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:46562) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1j3Wz9-0005KG-Qf for qemu-devel@nongnu.org; Sun, 16 Feb 2020 22:22:16 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1j3Wz8-0003jz-Kl for qemu-devel@nongnu.org; Sun, 16 Feb 2020 22:22:15 -0500 Received: from szxga06-in.huawei.com ([45.249.212.32]:42702 helo=huawei.com) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1j3Wz5-0003WL-Ui; Sun, 16 Feb 2020 22:22:12 -0500 Received: from DGGEMS412-HUB.china.huawei.com (unknown [172.30.72.59]) by Forcepoint Email with ESMTP id 312C0782262440C76FEF; Mon, 17 Feb 2020 11:22:03 +0800 (CST) Received: from DESKTOP-9NTIQGG.china.huawei.com (10.173.221.136) by DGGEMS412-HUB.china.huawei.com (10.3.19.212) with Microsoft SMTP Server id 14.3.439.0; Mon, 17 Feb 2020 11:21:56 +0800 
From: To: , , , , , Subject: [PATCH v2 1/2] s390x: fix memleaks in cpu_finalize Date: Mon, 17 Feb 2020 11:21:26 +0800 Message-ID: <20200217032127.46508-2-pannengyuan@huawei.com> X-Mailer: git-send-email 2.21.0.windows.1 In-Reply-To: <20200217032127.46508-1-pannengyuan@huawei.com> References: <20200217032127.46508-1-pannengyuan@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.173.221.136] X-CFilter-Loop: Reflected Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 45.249.212.32 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: zhang.zhanghailiang@huawei.com, Cornelia Huck , Pan Nengyuan , qemu-devel@nongnu.org, qemu-arm@nongnu.org, qemu-ppc@nongnu.org, euler.robot@huawei.com, Richard Henderson Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8" 
From: Pan Nengyuan

This patch fixes memleaks when we call tests/qtest/cpu-plug-test on s390x. The leak stack is as follows:

Direct leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x7fb43c7cd970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
    #1 0x7fb43be2149d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
    #2 0x558ba96da716 in timer_new_full /mnt/sdb/qemu-new/qemu/include/qemu/timer.h:530
    #3 0x558ba96da716 in timer_new /mnt/sdb/qemu-new/qemu/include/qemu/timer.h:551
    #4 0x558ba96da716 in timer_new_ns /mnt/sdb/qemu-new/qemu/include/qemu/timer.h:569
    #5 0x558ba96da716 in s390_cpu_initfn /mnt/sdb/qemu-new/qemu/target/s390x/cpu.c:285
    #6 0x558ba9c969ab in object_init_with_type /mnt/sdb/qemu-new/qemu/qom/object.c:372
    #7 0x558ba9c9eb5f in object_initialize_with_type /mnt/sdb/qemu-new/qemu/qom/object.c:516
    #8 0x558ba9c9f053 in object_new_with_type /mnt/sdb/qemu-new/qemu/qom/object.c:684
    #9 0x558ba967ede6 in s390x_new_cpu /mnt/sdb/qemu-new/qemu/hw/s390x/s390-virtio-ccw.c:64
    #10 0x558ba99764b3 in hmp_cpu_add /mnt/sdb/qemu-new/qemu/hw/core/machine-hmp-cmds.c:57
    #11 0x558ba9b1c27f in handle_hmp_command /mnt/sdb/qemu-new/qemu/monitor/hmp.c:1082
    #12 0x558ba96c1b02 in qmp_human_monitor_command /mnt/sdb/qemu-new/qemu/monitor/misc.c:142

Reported-by: Euler Robot
Signed-off-by: Pan Nengyuan
Cc: Richard Henderson
Cc: Cornelia Huck
Reviewed-by: Philippe Mathieu-Daudé
---
Changes v2 to v1:
- Similarly to other cleanups, move timer_new into realize, then do timer_del in unrealize.
---
 target/s390x/cpu.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
index cf84d307c6..f18dbc6fe4 100644
--- a/target/s390x/cpu.c
+++ b/target/s390x/cpu.c
@@ -170,7 +170,12 @@ static void s390_cpu_realizefn(DeviceState *dev, Error= **errp) S390CPUClass *scc =3D S390_CPU_GET_CLASS(dev); #if !defined(CONFIG_USER_ONLY) S390CPU *cpu =3D S390_CPU(dev); + cpu->env.tod_timer =3D + timer_new_ns(QEMU_CLOCK_VIRTUAL, s390x_tod_timer, cpu); + cpu->env.cpu_timer =3D + timer_new_ns(QEMU_CLOCK_VIRTUAL, s390x_cpu_timer, cpu); #endif + Error *err =3D NULL; =20 /* the model has to be realized before qemu_init_vcpu() due to kvm */ @@ -227,6 +232,16 @@ out: error_propagate(errp, err); } =20 +static void s390_cpu_unrealizefn(DeviceState *dev, Error **errp) +{ +#if !defined(CONFIG_USER_ONLY) + S390CPU *cpu =3D S390_CPU(dev); + + timer_del(cpu->env.tod_timer); + timer_del(cpu->env.cpu_timer); +#endif +} + static GuestPanicInformation *s390_cpu_get_crash_info(CPUState *cs) { GuestPanicInformation *panic_info; @@ -279,10 +294,6 @@ static void s390_cpu_initfn(Object *obj) s390_cpu_get_crash_info_qom, NULL, NULL, NULL, NUL= L); s390_cpu_model_register_props(obj); #if !defined(CONFIG_USER_ONLY) - cpu->env.tod_timer =3D - timer_new_ns(QEMU_CLOCK_VIRTUAL, s390x_tod_timer, cpu); - cpu->env.cpu_timer =3D - timer_new_ns(QEMU_CLOCK_VIRTUAL, s390x_cpu_timer, cpu); s390_cpu_set_state(S390_CPU_STATE_STOPPED, cpu); #endif } @@ -294,6 +305,8 @@ static void s390_cpu_finalize(Object *obj) =20 qemu_unregister_reset(s390_cpu_machine_reset_cb, cpu); g_free(cpu->irqstate); + timer_free(cpu->env.tod_timer); + timer_free(cpu->env.cpu_timer); #endif } =20 
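Review bot: In the s390_cpu_realizefn() hunk the two new timer_new_ns() assignments are inserted between `S390CPU *cpu = S390_CPU(dev);` and `Error *err = NULL;`, so `err` is now a declaration that follows statements in the function body, which QEMU's coding style does not allow (declarations go at the start of the block). Move the `cpu->env.tod_timer = ...` / `cpu->env.cpu_timer = ...` lines below `Error *err = NULL;`, keeping them inside their `#if !defined(CONFIG_USER_ONLY)` guard; the stray blank line added after `#endif` can go at the same time.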
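Review bot: In the s390_cpu_finalize() hunk the timers are only timer_free()'d, while timer_del() lives solely in the new s390_cpu_unrealizefn(); a realized CPU whose last reference is dropped without going through unrealize would therefore free a timer that may still be on its clock's active list. Unless timer_free() is guaranteed to delete the timer as well, consider doing `timer_del()` immediately before each `timer_free()` in finalize too, behind a NULL check, since finalize also runs for objects that were never realized (the device_list_properties / cpu-plug-test case this series targets) and for those both pointers are still NULL.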
@@ -453,6 +466,7 @@ static void s390_cpu_class_init(ObjectClass *oc, void *= data) =20 device_class_set_parent_realize(dc, s390_cpu_realizefn, &scc->parent_realize); + dc->unrealize =3D s390_cpu_unrealizefn; device_class_set_props(dc, s390x_cpu_properties); dc->user_creatable =3D true; =20 --=20 2.21.0.windows.1 From nobody Thu Nov 13 16:38:47 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1581909816400247.4357109246946; Sun, 16 Feb 2020 19:23:36 -0800 (PST) Received: from localhost ([::1]:39750 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1j3X0Q-0006uU-Q4 for importer@patchew.org; Sun, 16 Feb 2020 22:23:34 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:46581) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1j3WzB-0005MZ-77 for qemu-devel@nongnu.org; Sun, 16 Feb 2020 22:22:18 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1j3Wz9-0003lU-Jy for qemu-devel@nongnu.org; Sun, 16 Feb 2020 22:22:17 -0500 Received: from szxga05-in.huawei.com ([45.249.212.191]:2789 helo=huawei.com) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1j3Wz5-0003WM-V5; Sun, 16 Feb 2020 22:22:12 -0500 Received: from DGGEMS412-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 0203EE595ABD767E3683; Mon, 17 Feb 2020 11:22:03 +0800 (CST) Received: from DESKTOP-9NTIQGG.china.huawei.com (10.173.221.136) by 
DGGEMS412-HUB.china.huawei.com (10.3.19.212) with Microsoft SMTP Server id 14.3.439.0; Mon, 17 Feb 2020 11:21:57 +0800 From: To: , , , , , Subject: [PATCH v2 2/2] hw: move timer_new from init() into realize() to avoid memleaks Date: Mon, 17 Feb 2020 11:21:27 +0800 Message-ID: <20200217032127.46508-3-pannengyuan@huawei.com> X-Mailer: git-send-email 2.21.0.windows.1 In-Reply-To: <20200217032127.46508-1-pannengyuan@huawei.com> References: <20200217032127.46508-1-pannengyuan@huawei.com> MIME-Version: 1.0 X-Originating-IP: [10.173.221.136] X-CFilter-Loop: Reflected Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 45.249.212.191 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: zhang.zhanghailiang@huawei.com, Pan Nengyuan , qemu-devel@nongnu.org, qemu-arm@nongnu.org, qemu-ppc@nongnu.org, euler.robot@huawei.com, Philippe Mathieu-Daudé Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" Content-Type: text/plain; charset="utf-8"

From: Pan Nengyuan

There are some memleaks when we call 'device_list_properties'. This patch moves timer_new from init into realize to fix it.

Meanwhile, do the null check in mos6522_reset() to avoid null deref if we move timer_new into realize().

Reported-by: Euler Robot
Signed-off-by: Pan Nengyuan
Reviewed-by: Philippe Mathieu-Daudé
---
Changes v2 to v1:
- Send this patch in a series instead of a single patch but with wrong subject in v1.
---
 hw/arm/pxa2xx.c        | 17 +++++++++++------
 hw/arm/spitz.c         |  8 +++++++-
 hw/arm/strongarm.c     | 18 ++++++++++++------
 hw/misc/mos6522.c      | 14 ++++++++++++--
 hw/timer/cadence_ttc.c | 16 +++++++++++-----
 5 files changed, 53 insertions(+), 20 deletions(-)

diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
index b33f8f1351..56a36202d7 100644
--- a/hw/arm/pxa2xx.c +++ b/hw/arm/pxa2xx.c @@ -1134,18 +1134,22 @@ static void pxa2xx_rtc_init(Object *obj) s->last_rtcpicr =3D 0; s->last_hz =3D s->last_sw =3D s->last_pi =3D qemu_clock_get_ms(rtc_clo= ck); =20 + sysbus_init_irq(dev, &s->rtc_irq); + + memory_region_init_io(&s->iomem, obj, &pxa2xx_rtc_ops, s, + "pxa2xx-rtc", 0x10000); + sysbus_init_mmio(dev, &s->iomem); +} + +static void pxa2xx_rtc_realize(DeviceState *dev, Error **errp) +{ + PXA2xxRTCState *s =3D PXA2XX_RTC(dev); s->rtc_hz =3D timer_new_ms(rtc_clock, pxa2xx_rtc_hz_tick, s); s->rtc_rdal1 =3D timer_new_ms(rtc_clock, pxa2xx_rtc_rdal1_tick, s); s->rtc_rdal2 =3D timer_new_ms(rtc_clock, pxa2xx_rtc_rdal2_tick, s); s->rtc_swal1 =3D timer_new_ms(rtc_clock, pxa2xx_rtc_swal1_tick, s); s->rtc_swal2 =3D timer_new_ms(rtc_clock, pxa2xx_rtc_swal2_tick, s); s->rtc_pi =3D timer_new_ms(rtc_clock, pxa2xx_rtc_pi_tick, s); - - sysbus_init_irq(dev, &s->rtc_irq); - - memory_region_init_io(&s->iomem, obj, &pxa2xx_rtc_ops, s, - "pxa2xx-rtc", 0x10000); - sysbus_init_mmio(dev, &s->iomem); } =20 static int pxa2xx_rtc_pre_save(void *opaque) @@ -1203,6 +1207,7 @@ static void pxa2xx_rtc_sysbus_class_init(ObjectClass = *klass, void *data) =20 dc->desc =3D "PXA2xx RTC Controller"; dc->vmsd =3D &vmstate_pxa2xx_rtc_regs; + dc->realize =3D pxa2xx_rtc_realize; } =20 static const TypeInfo pxa2xx_rtc_sysbus_info =3D { diff --git a/hw/arm/spitz.c b/hw/arm/spitz.c index e001088103..cbfa6934cf 100644 --- a/hw/arm/spitz.c +++ b/hw/arm/spitz.c 
@@ -524,11 +524,16 @@ static void spitz_keyboard_init(Object *obj) =20 spitz_keyboard_pre_map(s); =20 - s->kbdtimer =3D timer_new_ns(QEMU_CLOCK_VIRTUAL, spitz_keyboard_tick, = s); qdev_init_gpio_in(dev, spitz_keyboard_strobe, SPITZ_KEY_STROBE_NUM); qdev_init_gpio_out(dev, s->sense, SPITZ_KEY_SENSE_NUM); } =20 +static void spitz_keyboard_realize(DeviceState *dev, Error **errp) +{ + SpitzKeyboardState *s =3D SPITZ_KEYBOARD(dev); + s->kbdtimer =3D timer_new_ns(QEMU_CLOCK_VIRTUAL, spitz_keyboard_tick, = s); +} + /* LCD backlight controller */ =20 #define LCDTG_RESCTL 0x00 @@ -1115,6 +1120,7 @@ static void spitz_keyboard_class_init(ObjectClass *kl= ass, void *data) DeviceClass *dc =3D DEVICE_CLASS(klass); =20 dc->vmsd =3D &vmstate_spitz_kbd; + dc->realize =3D spitz_keyboard_realize; } =20 static const TypeInfo spitz_keyboard_info =3D { diff --git a/hw/arm/strongarm.c b/hw/arm/strongarm.c index cd8a99aaf2..3010d765bb 100644 --- a/hw/arm/strongarm.c +++ b/hw/arm/strongarm.c @@ -399,9 +399,6 @@ static void strongarm_rtc_init(Object *obj) s->last_rcnr =3D (uint32_t) mktimegm(&tm); s->last_hz =3D qemu_clock_get_ms(rtc_clock); =20 - s->rtc_alarm =3D timer_new_ms(rtc_clock, strongarm_rtc_alarm_tick, s); - s->rtc_hz =3D timer_new_ms(rtc_clock, strongarm_rtc_hz_tick, s); - sysbus_init_irq(dev, &s->rtc_irq); sysbus_init_irq(dev, &s->rtc_hz_irq); =20 @@ -410,6 +407,13 @@ static void strongarm_rtc_init(Object *obj) sysbus_init_mmio(dev, &s->iomem); } =20 +static void strongarm_rtc_realize(DeviceState *dev, Error **errp) +{ + StrongARMRTCState *s =3D STRONGARM_RTC(dev); + s->rtc_alarm =3D timer_new_ms(rtc_clock, strongarm_rtc_alarm_tick, s); + s->rtc_hz =3D timer_new_ms(rtc_clock, strongarm_rtc_hz_tick, s); +} + static int strongarm_rtc_pre_save(void *opaque) { StrongARMRTCState *s =3D opaque; 
@@ -451,6 +455,7 @@ static void strongarm_rtc_sysbus_class_init(ObjectClass= *klass, void *data) =20 dc->desc =3D "StrongARM RTC Controller"; dc->vmsd =3D &vmstate_strongarm_rtc_regs; + dc->realize =3D strongarm_rtc_realize; } =20 static const TypeInfo strongarm_rtc_sysbus_info =3D { @@ -1240,15 +1245,16 @@ static void strongarm_uart_init(Object *obj) "uart", 0x10000); sysbus_init_mmio(dev, &s->iomem); sysbus_init_irq(dev, &s->irq); - - s->rx_timeout_timer =3D timer_new_ns(QEMU_CLOCK_VIRTUAL, strongarm_uar= t_rx_to, s); - s->tx_timer =3D timer_new_ns(QEMU_CLOCK_VIRTUAL, strongarm_uart_tx, s); } =20 static void strongarm_uart_realize(DeviceState *dev, Error **errp) { StrongARMUARTState *s =3D STRONGARM_UART(dev); =20 + s->rx_timeout_timer =3D timer_new_ns(QEMU_CLOCK_VIRTUAL, + strongarm_uart_rx_to, + s); + s->tx_timer =3D timer_new_ns(QEMU_CLOCK_VIRTUAL, strongarm_uart_tx, s); qemu_chr_fe_set_handlers(&s->chr, strongarm_uart_can_receive, strongarm_uart_receive, diff --git a/hw/misc/mos6522.c b/hw/misc/mos6522.c index 19e154b870..980eda7599 100644 --- a/hw/misc/mos6522.c +++ b/hw/misc/mos6522.c @@ -465,11 +465,15 @@ static void mos6522_reset(DeviceState *dev) s->timers[0].frequency =3D s->frequency; s->timers[0].latch =3D 0xffff; set_counter(s, &s->timers[0], 0xffff); - timer_del(s->timers[0].timer); + if (s->timers[0].timer) { + timer_del(s->timers[0].timer); + } =20 s->timers[1].frequency =3D s->frequency; s->timers[1].latch =3D 0xffff; - timer_del(s->timers[1].timer); + if (s->timers[1].timer) { + timer_del(s->timers[1].timer); + } } =20 static void mos6522_init(Object *obj) 
@@ -485,6 +489,11 @@ static void mos6522_init(Object *obj) for (i =3D 0; i < ARRAY_SIZE(s->timers); i++) { s->timers[i].index =3D i; } +} + +static void mos6522_realize(DeviceState *dev, Error **errp) +{ + MOS6522State *s =3D MOS6522(dev); =20 s->timers[0].timer =3D timer_new_ns(QEMU_CLOCK_VIRTUAL, mos6522_timer1= , s); s->timers[1].timer =3D timer_new_ns(QEMU_CLOCK_VIRTUAL, mos6522_timer2= , s); @@ -502,6 +511,7 @@ static void mos6522_class_init(ObjectClass *oc, void *d= ata) =20 dc->reset =3D mos6522_reset; dc->vmsd =3D &vmstate_mos6522; + dc->realize =3D mos6522_realize; device_class_set_props(dc, mos6522_properties); mdc->parent_reset =3D dc->reset; mdc->set_sr_int =3D mos6522_set_sr_int; diff --git a/hw/timer/cadence_ttc.c b/hw/timer/cadence_ttc.c index 5e3128c1e3..b0ba6b2bba 100644 --- a/hw/timer/cadence_ttc.c +++ b/hw/timer/cadence_ttc.c @@ -412,16 +412,21 @@ static void cadence_timer_init(uint32_t freq, Cadence= TimerState *s) static void cadence_ttc_init(Object *obj) { CadenceTTCState *s =3D CADENCE_TTC(obj); + + memory_region_init_io(&s->iomem, obj, &cadence_ttc_ops, s, + "timer", 0x1000); + sysbus_init_mmio(SYS_BUS_DEVICE(obj), &s->iomem); +} + +static void cadence_ttc_realize(DeviceState *dev, Error **errp) +{ + CadenceTTCState *s =3D CADENCE_TTC(dev); int i; =20 for (i =3D 0; i < 3; ++i) { cadence_timer_init(133000000, &s->timer[i]); - sysbus_init_irq(SYS_BUS_DEVICE(obj), &s->timer[i].irq); + sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->timer[i].irq); } - - memory_region_init_io(&s->iomem, obj, &cadence_ttc_ops, s, - "timer", 0x1000); - sysbus_init_mmio(SYS_BUS_DEVICE(obj), &s->iomem); } =20 static int cadence_timer_pre_save(void *opaque) @@ -479,6 +484,7 @@ static void cadence_ttc_class_init(ObjectClass *klass, = void *data) DeviceClass *dc =3D DEVICE_CLASS(klass); =20 dc->vmsd =3D &vmstate_cadence_ttc; + dc->realize =3D cadence_ttc_realize; } =20 static const TypeInfo cadence_ttc_info =3D { --=20 2.21.0.windows.1
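Review bot: In the cadence_ttc hunk, the `sysbus_init_irq(SYS_BUS_DEVICE(dev), &s->timer[i].irq);` calls move from cadence_ttc_init() into cadence_ttc_realize() together with the timer creation, which goes beyond what the subject describes (moving timer_new) and means the device's IRQ pins only exist after realize, while the same hunk deliberately keeps sysbus_init_mmio() in instance_init. Suggest leaving a loop with `sysbus_init_irq(SYS_BUS_DEVICE(obj), &s->timer[i].irq);` in cadence_ttc_init() and moving only `cadence_timer_init(133000000, &s->timer[i]);` into realize, so pin setup and resource allocation stay in their usual phases.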
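Review bot: The new `if (s->timers[0].timer)` and `if (s->timers[1].timer)` guards in the mos6522_reset() hunk only make sense if reset can run before mos6522_realize() has created the timers, and nothing in the diff or the commit message says where that happens. A short comment above the guards naming that path would document the invariant and keep a later cleanup from dropping the checks as dead code; if no such path exists, the guards should be removed rather than left to mask a real ordering bug.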
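Review bot: Starting with the pxa2xx_rtc_realize() hunk, and likewise for spitz_keyboard_realize(), strongarm_rtc_realize(), strongarm_uart_realize() and mos6522_realize(), the timers are now created in realize but no counterpart deletes or frees them, whereas patch 1/2 of this series pairs timer creation in realize with timer_del() in unrealize and timer_free() in finalize. If these are fixed sysbus devices that are never unrealized that is acceptable, but the commit message should say so; otherwise add the matching unrealize/finalize handlers so the leak is not just moved from the unrealized-object case to the hot-unplug case.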