Bug 1235499 - leaked_storage: Variable "local_err" going out of scope leaks the storage it points to
Summary: leaked_storage: Variable "local_err" going out of scope leaks the storage it ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.2
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Markus Armbruster
QA Contact: FuXiangChun
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-06-25 02:11 UTC by mazhang
Modified: 2016-11-07 20:25 UTC (History)
10 users (show)

Fixed In Version: QEMU 2.6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-07 20:25:03 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2673 normal SHIPPED_LIVE qemu-kvm-rhev bug fix and enhancement update 2016-11-08 01:06:13 UTC

Comment 2 Markus Armbruster 2015-09-08 14:55:13 UTC
This is a number of independent memory leak bugs rolled into one BZ.

Quick triage based on local scan of qemu-kvm-rhev-2.3.0-22.el7 and
latest upstream (commit 8611280).

= Genuine errors =

> qemu-2.3.0/block/qapi.c:374: leaked_storage: Variable "info" going out of scope leaks the storage it points to.

Leak on error path of QMP command query-block, present upstream,
probably introduced in commit 553a7e8.  Also present in RHEL-7
qemu-kvm, because we backported said commit.

> qemu-2.3.0/migration/rdma.c:3262: leaked_storage: Variable "r" going out of scope leaks the storage it points to.

Has since been fixed in commit 9681e2e for bug 1210715.

> qemu-2.3.0/numa.c:494: leaked_storage: Variable "err" going out of scope leaks the storage it points to.
> qemu-2.3.0/numa.c:494: leaked_storage: Variable "err" going out of scope leaks the storage it points to.
> qemu-2.3.0/numa.c:494: leaked_storage: Variable "err" going out of scope leaks the storage it points to.
> qemu-2.3.0/numa.c:494: leaked_storage: Variable "err" going out of scope leaks the storage it points to.

Now reported at line 588.  Leak on error path of QMP command
query-memdev, present upstream, probably introduced in commit 76b5d85.
Not present in RHEL-7.


= Unsupported code =

> qemu-2.3.0/hw/bt/sdp.c:747: leaked_storage: Variable "data" going out of scope leaks the storage it points to.

WONTFIX, Bluetooth is unsupported.  We compile it only because cutting
it out isn't trivial.


= False positives =

> qemu-2.3.0/block/raw-posix.c:2137: leaked_storage: Variable "local_err" going out of scope leaks the storage it points to.
> qemu-2.3.0/block/raw-posix.c:2141: leaked_storage: Variable "local_err" going out of scope leaks the storage it points to.

local_err can become non-null only when raw_open_common() returns a
negative value, and then local_err gets propagated.

> qemu-2.3.0/block/raw-posix.c:2400: leaked_storage: Variable "local_err" going out of scope leaks the storage it points to.

Likewise.

> qemu-2.3.0/hw/i2c/smbus_eeprom.c:158: leaked_storage: Variable "eeprom_buf" going out of scope leaks the storage it points to.
> qemu-2.3.0/hw/i2c/smbus_eeprom.c:158: leaked_storage: Variable "eeprom_buf" going out of scope leaks the storage it points to.

eeprom_buf must not be freed, because we store pointers into
eeprom_buf in the "smbus-eeprom" devices.

> qemu-2.3.0/migration/rdma.c:3374: leaked_storage: Variable "local_err" going out of scope leaks the storage it points to.

Now reported at line 3511.  local_err can become non-null only when
the functions that take it as argument fail, and then local_err gets
propagated.

> qemu-2.3.0/monitor.c:3798: leaked_storage: Ignoring storage allocated by "qemu_opts_to_qdict(opts, qdict)" leaks it.

Now reported at line 3799.  qemu_opts_to_qdict() allocates storage
only when its last argument is null, and it isn't here.

> qemu-2.3.0/savevm.c:1289: leaked_storage: Variable "local_err" going out of scope leaks the storage it points to.

Now reported at line 1393.  local_err can become non-null only when
qemu_savevm_state() returns fails, and then local_err gets freed.

Comment 5 Markus Armbruster 2015-11-20 14:16:14 UTC
Proposed upstream fixes for the remaining two genuine leaks:
block/qapi.c http://lists.gnu.org/archive/html/qemu-devel/2015-11/msg04654.html
numa.c       http://lists.gnu.org/archive/html/qemu-devel/2015-11/msg04667.html

Comment 6 Markus Armbruster 2015-11-30 09:35:11 UTC
Correction: the numa.c leak is only theoretical, because errors can't actually happen here.  Revised upstream patch to simplify things:
http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04858.html
This is expected to go into 2.6.

The block/qapi.c leak is fixed in 2.5 (commit 903c341).

Comment 7 Markus Armbruster 2016-07-22 07:20:39 UTC
The patch for the numa.c leak mentioned in comment#6 went upstream in commit 2f6f826.

Comment 9 FuXiangChun 2016-09-13 11:34:34 UTC
Markus,

QE can not find covscan source code or rpm for rhel7.  I installed covscan on RHEL6.8 guest.  It doesn't support --profile=errata.  so I can not reproduce this bug as comment0.  Do you provide a covscan soruce code or rpm package of rhel7 to QE?  Do you have other way to verify this bug? 


# covscan mock-build --config=rhel-7-x86_64 ./qemu-kvm-rhev-2.6.0-24.el7.src.rpm 
XML-RPC connection to releng-test1.englab.brq.redhat.com failed: Connection timed out, 5 retries left
XML-RPC connection to releng-test1.englab.brq.redhat.com failed: Connection timed out, 4 retries left
XML-RPC connection to releng-test1.englab.brq.redhat.com failed: Connection timed out, 3 retries left

# covscan --help
Usage: covscan <command> [args] [--help]

Options:
  -h, --help           show this help message and exit
  --username=USERNAME  specify user
  --password=PASSWORD  specify password

commands:
  cancel-tasks                   cancel free, assigned or open tasks
  diff-build                     analyze a SRPM without and with pathes, return diff
  help                           show this help message and exit
  help-admin                     show help message about administrative commands and exit
  list-mock-configs              command description
  list-workers                   list workers
  mock-build                     analyze a SRPM
  resubmit-tasks                 resubmit failed tasks
  watch-tasks                    track progress of particular tasks

Comment 10 Markus Armbruster 2016-09-13 13:36:04 UTC
Are you aware of
http://cov01.lab.eng.brq.redhat.com/coverity/install/covscan/
?

Comment 14 errata-xmlrpc 2016-11-07 20:25:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2673.html


Note You need to log in before you can comment on or make changes to this bug.