This is a number of independent memory leak bugs rolled into one BZ.

Quick triage based on local scan of qemu-kvm-rhev-2.3.0-22.el7 and
latest upstream (commit 8611280).

= Genuine errors =

> qemu-2.3.0/block/qapi.c:374: leaked_storage: Variable "info" going out of scope leaks the storage it points to.

Leak on error path of QMP command query-block, present upstream,
probably introduced in commit 553a7e8.  Also present in RHEL-7
qemu-kvm, because we backported said commit.

> qemu-2.3.0/migration/rdma.c:3262: leaked_storage: Variable "r" going out of scope leaks the storage it points to.

Has since been fixed in commit 9681e2e for bug 1210715.

> qemu-2.3.0/numa.c:494: leaked_storage: Variable "err" going out of scope leaks the storage it points to.
> qemu-2.3.0/numa.c:494: leaked_storage: Variable "err" going out of scope leaks the storage it points to.
> qemu-2.3.0/numa.c:494: leaked_storage: Variable "err" going out of scope leaks the storage it points to.
> qemu-2.3.0/numa.c:494: leaked_storage: Variable "err" going out of scope leaks the storage it points to.

Now reported at line 588.  Leak on error path of QMP command
query-memdev, present upstream, probably introduced in commit 76b5d85.
Not present in RHEL-7.


= Unsupported code =

> qemu-2.3.0/hw/bt/sdp.c:747: leaked_storage: Variable "data" going out of scope leaks the storage it points to.

WONTFIX, Bluetooth is unsupported.  We compile it only because cutting
it out isn't trivial.


= False positives =

> qemu-2.3.0/block/raw-posix.c:2137: leaked_storage: Variable "local_err" going out of scope leaks the storage it points to.
> qemu-2.3.0/block/raw-posix.c:2141: leaked_storage: Variable "local_err" going out of scope leaks the storage it points to.

local_err can become non-null only when raw_open_common() returns a
negative value, and then local_err gets propagated.

> qemu-2.3.0/block/raw-posix.c:2400: leaked_storage: Variable "local_err" going out of scope leaks the storage it points to.

Likewise.

> qemu-2.3.0/hw/i2c/smbus_eeprom.c:158: leaked_storage: Variable "eeprom_buf" going out of scope leaks the storage it points to.
> qemu-2.3.0/hw/i2c/smbus_eeprom.c:158: leaked_storage: Variable "eeprom_buf" going out of scope leaks the storage it points to.

eeprom_buf must not be freed, because we store pointers into
eeprom_buf in the "smbus-eeprom" devices.

> qemu-2.3.0/migration/rdma.c:3374: leaked_storage: Variable "local_err" going out of scope leaks the storage it points to.

Now reported at line 3511.  local_err can become non-null only when
the functions that take it as argument fail, and then local_err gets
propagated.

> qemu-2.3.0/monitor.c:3798: leaked_storage: Ignoring storage allocated by "qemu_opts_to_qdict(opts, qdict)" leaks it.

Now reported at line 3799.  qemu_opts_to_qdict() allocates storage
only when its last argument is null, and it isn't here.

> qemu-2.3.0/savevm.c:1289: leaked_storage: Variable "local_err" going out of scope leaks the storage it points to.

Now reported at line 1393.  local_err can become non-null only when
qemu_savevm_state() returns fails, and then local_err gets freed.

Proposed upstream fixes for the remaining two genuine leaks:
block/qapi.c http://lists.gnu.org/archive/html/qemu-devel/2015-11/msg04654.html
numa.c       http://lists.gnu.org/archive/html/qemu-devel/2015-11/msg04667.html

Correction: the numa.c leak is only theoretical, because errors can't actually happen here.  Revised upstream patch to simplify things:
http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04858.html
This is expected to go into 2.6.

The block/qapi.c leak is fixed in 2.5 (commit 903c341).

The patch for the numa.c leak mentioned in comment#6 went upstream in commit 2f6f826.

Markus,

QE can not find covscan source code or rpm for rhel7.  I installed covscan on RHEL6.8 guest.  It doesn't support --profile=errata.  so I can not reproduce this bug as comment0.  Do you provide a covscan soruce code or rpm package of rhel7 to QE?  Do you have other way to verify this bug? 


# covscan mock-build --config=rhel-7-x86_64 ./qemu-kvm-rhev-2.6.0-24.el7.src.rpm 
XML-RPC connection to releng-test1.englab.brq.redhat.com failed: Connection timed out, 5 retries left
XML-RPC connection to releng-test1.englab.brq.redhat.com failed: Connection timed out, 4 retries left
XML-RPC connection to releng-test1.englab.brq.redhat.com failed: Connection timed out, 3 retries left

# covscan --help
Usage: covscan <command> [args] [--help]

Options:
  -h, --help           show this help message and exit
  --username=USERNAME  specify user
  --password=PASSWORD  specify password

commands:
  cancel-tasks                   cancel free, assigned or open tasks
  diff-build                     analyze a SRPM without and with pathes, return diff
  help                           show this help message and exit
  help-admin                     show help message about administrative commands and exit
  list-mock-configs              command description
  list-workers                   list workers
  mock-build                     analyze a SRPM
  resubmit-tasks                 resubmit failed tasks
  watch-tasks                    track progress of particular tasks

Are you aware of
http://cov01.lab.eng.brq.redhat.com/coverity/install/covscan/
?

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2673.html