From: Philippe Mathieu-Daudé
To: Vivek Kasireddy, qemu-devel@nongnu.org
Cc: Gerd Hoffmann, "Michael S. Tsirkin", Marc-André Lureau, Philippe Mathieu-Daudé
Subject: [RFC PATCH] hw/display/virtio-gpu: Fix memory leak (CID 1453811)
Date: Mon, 31 May 2021 12:19:28 +0200
Message-Id: <20210531101928.1662732-1-philmd@redhat.com>

To avoid leaking memory on the error path, reorder the code as:
- check the parameters first
- check resource already existing
- finally allocate memory

Reported-by: Coverity (CID 1453811: RESOURCE_LEAK)
Fixes: e0933d91b1c ("virtio-gpu: Add virtio_gpu_resource_create_blob")
Signed-off-by: Philippe Mathieu-Daudé
---
RFC because the s->iov check is dubious.
---
 hw/display/virtio-gpu.c | 28 +++++++++++-----------------
 1 file changed, 11 insertions(+), 17 deletions(-)

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 4d549377cbc..8d047007bbb 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -340,8 +340,15 @@ static void virtio_gpu_resource_create_blob(VirtIOGPU = *g, return; } =20 - res =3D virtio_gpu_find_resource(g, cblob.resource_id); - if (res) { + if (cblob.blob_mem !=3D VIRTIO_GPU_BLOB_MEM_GUEST && + cblob.blob_flags !=3D VIRTIO_GPU_BLOB_FLAG_USE_SHAREABLE) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid memory type\n", + __func__); + cmd->error =3D VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; + return; + } + + if (virtio_gpu_find_resource(g, cblob.resource_id)) { qemu_log_mask(LOG_GUEST_ERROR, "%s: resource already exists %d\n", __func__, cblob.resource_id); cmd->error =3D VIRTIO_GPU_RESP_ERR_INVALID_RESOURCE_ID; @@ -352,25 +359,12 @@ static void virtio_gpu_resource_create_blob(VirtIOGPU= *g, res->resource_id =3D cblob.resource_id; res->blob_size =3D cblob.size; =20 - if (cblob.blob_mem !=3D VIRTIO_GPU_BLOB_MEM_GUEST && - cblob.blob_flags !=3D VIRTIO_GPU_BLOB_FLAG_USE_SHAREABLE) { - qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid memory type\n", - __func__); - cmd->error =3D VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; - g_free(res); - return; - } - - if (res->iov) { - cmd->error =3D VIRTIO_GPU_RESP_ERR_UNSPEC; - return; - } - ret =3D virtio_gpu_create_mapping_iov(g, cblob.nr_entries, sizeof(cblo= b), cmd, &res->addrs, &res->iov, &res->iov_cnt); - if (ret !=3D 0) { + if (ret !=3D 0 || res->iov) { cmd->error =3D VIRTIO_GPU_RESP_ERR_UNSPEC; + g_free(res); return; } =20 --=20 2.26.3
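Review bot: In the first hunk (@@ -340,8 +340,15 @@), the parameter check that now runs first joins its two tests with `&&`, so it rejects a request only when blob_mem is not VIRTIO_GPU_BLOB_MEM_GUEST and blob_flags is not VIRTIO_GPU_BLOB_FLAG_USE_SHAREABLE at the same time. A guest request with some other blob_mem value and blob_flags equal to USE_SHAREABLE passes this gate and reaches the allocation. The check is moved unchanged, but since it is now the first validation of guest-supplied fields, please confirm whether `||` is intended and whether blob_flags should be tested as a bitmask rather than by equality, and say so in the commit message if the current form is deliberate.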
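Review bot: In the second hunk (@@ -352,25 +359,12 @@), the new condition `if (ret != 0 || res->iov)` tests res->iov after virtio_gpu_create_mapping_iov() has been handed `&res->iov` as an output, whereas the removed `if (res->iov)` ran before that call. If the call fills res->iov on success, the success path now returns VIRTIO_GPU_RESP_ERR_UNSPEC and does g_free(res) while the mapping stored in res->addrs and res->iov is not released, which trades one leak for another and makes every blob creation fail. I would drop the `|| res->iov` term and keep only `ret != 0` with the added g_free(res); if the call can leave res->iov partly populated on failure, release that mapping before freeing res. This is the check the RFC note already calls dubious, so it deserves a decision before the patch loses its RFC tag.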