Hi,
This patch addresses a memory leak bug in the function `hpet_del_timer()`.
The issue arises from the incorrect use of the ambiguous timer API
`timer_del()`, which does not free the timer object. The leak sanitizer
reports this issue during fuzzing. The correct API, `timer_free()`, was
introduced 4 years ago, but the usage in issue dates back 12 years, which
led to this problem.
Also, I'd like to ask for a way to fix all 100+ wrong usages. In my
opinion, the best way to fix this is to hide the `timer_del()` API and
eliminate all usages of it.
Signed-off-by: Zheng Huang <hz1624917200@outlook.com>
---
hw/timer/hpet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
index dcff18a987..0162f4cc32 100644
--- a/hw/timer/hpet.c
+++ b/hw/timer/hpet.c
@@ -428,7 +428,7 @@ static void hpet_set_timer(HPETTimer *t)
static void hpet_del_timer(HPETTimer *t)
{
HPETState *s = t->state;
- timer_del(t->qemu_timer);
+ timer_free(t->qemu_timer);
if (s->isr & (1 << t->tn)) {
/* For level-triggered interrupt, this leaves ISR set but lowers irq. */
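Review bot: freeing the QEMUTimer inside `hpet_del_timer()` looks like the wrong place for the fix, because the lines that follow the changed one (the `s->isr & (1 << t->tn)` check and the "leaves ISR set but lowers irq" comment) show this helper runs while the device is live, when a timer is being stopped rather than destroyed; `hpet_set_timer()`, named in the hunk header just above, presumably re-arms the same `t->qemu_timer` later, and after `timer_free()` that pointer would be dangling, trading the reported leak for a use-after-free. Suggest keeping `timer_del(t->qemu_timer);` here and releasing the timer objects once on the device teardown path (an unrealize or finalize hook), which is also where the sanitizer's at-exit report points. Since `timer_free()` already performs the `timer_del()` before freeing, it is only a drop-in replacement at sites where the timer is never touched again, so the same caution applies to the 100+ other call sites mentioned in the cover text.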
--
2.34.1