diff --git a/Fixed-integer-overflow-in-e1000e.patch b/Fixed-integer-overflow-in-e1000e.patch new file mode 100644 index 0000000000000000000000000000000000000000..004390fc5a3d60d2aaf4912d0679c4fa471d28a2 --- /dev/null +++ b/Fixed-integer-overflow-in-e1000e.patch @@ -0,0 +1,40 @@ +From 41077af2c4283c15c0a822017ea51612d15b68f8 Mon Sep 17 00:00:00 2001 +From: Andrew Melnychenko +Date: Wed, 4 Mar 2020 16:20:58 +0200 +Subject: [PATCH 1/5] Fixed integer overflow in e1000e +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1737400 +Fixed setting max_queue_num if there are no peers in +NICConf. qemu_new_nic() creates NICState with 1 NetClientState(index +0) without peers, set max_queue_num to 0 - It prevents undefined +behavior and possible crashes, especially during pcie hotplug. + +Fixes: 6f3fbe4ed06 ("net: Introduce e1000e device emulation") +Signed-off-by: Andrew Melnychenko +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Dmitry Fleytman +Signed-off-by: Jason Wang +Signed-off-by: Zhenyu Ye +--- + hw/net/e1000e.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/e1000e.c b/hw/net/e1000e.c +index 581f7d03..1e827c4f 100644 +--- a/hw/net/e1000e.c ++++ b/hw/net/e1000e.c +@@ -325,7 +325,7 @@ e1000e_init_net_peer(E1000EState *s, PCIDevice *pci_dev, uint8_t *macaddr) + s->nic = qemu_new_nic(&net_e1000e_info, &s->conf, + object_get_typename(OBJECT(s)), dev->id, s); + +- s->core.max_queue_num = s->conf.peers.queues - 1; ++ s->core.max_queue_num = s->conf.peers.queues ? s->conf.peers.queues - 1 : 0; + + trace_e1000e_mac_set_permanent(MAC_ARG(macaddr)); + memcpy(s->core.permanent_mac, macaddr, sizeof(s->core.permanent_mac)); +-- +2.22.0.windows.1 + diff --git a/cris-do-not-leak-struct-cris_disasm_data.patch b/cris-do-not-leak-struct-cris_disasm_data.patch new file mode 100644 index 0000000000000000000000000000000000000000..fa7623fe1878eca815805e853d64ff9b2d8a88a3 --- /dev/null +++ b/cris-do-not-leak-struct-cris_disasm_data.patch @@ -0,0 +1,139 @@ +From d0586065e67b5df2611f4cf61eb791d48b78ff77 Mon Sep 17 00:00:00 2001 +From: lizhengui +Date: Wed, 9 Sep 2020 14:42:59 +0800 +Subject: [PATCH] cris: do not leak struct cris_disasm_data + +Use a stack-allocated struct to avoid a memory leak. + +Signed-off-by: Paolo Bonzini +--- + disas/cris.c | 65 ++++++++++++++++++++++++++++------------------------ + 1 file changed, 35 insertions(+), 30 deletions(-) + +diff --git a/disas/cris.c b/disas/cris.c +index 2f43c9b2..f3ff44ba 100644 +--- a/disas/cris.c ++++ b/disas/cris.c +@@ -1294,24 +1294,17 @@ static int cris_constraint + /* Parse disassembler options and store state in info. FIXME: For the + time being, we abuse static variables. */ + +-static bfd_boolean +-cris_parse_disassembler_options (disassemble_info *info, ++static void ++cris_parse_disassembler_options (struct cris_disasm_data *disdata, ++ char *disassembler_options, + enum cris_disass_family distype) + { +- struct cris_disasm_data *disdata; +- +- info->private_data = calloc (1, sizeof (struct cris_disasm_data)); +- disdata = (struct cris_disasm_data *) info->private_data; +- if (disdata == NULL) +- return false; +- + /* Default true. */ + disdata->trace_case +- = (info->disassembler_options == NULL +- || (strcmp (info->disassembler_options, "nocase") != 0)); ++ = (disassembler_options == NULL ++ || (strcmp (disassembler_options, "nocase") != 0)); + + disdata->distype = distype; +- return true; + } + + static const struct cris_spec_reg * +@@ -2736,9 +2729,11 @@ static int + print_insn_cris_with_register_prefix (bfd_vma vma, + disassemble_info *info) + { +- if (info->private_data == NULL +- && !cris_parse_disassembler_options (info, cris_dis_v0_v10)) +- return -1; ++ struct cris_disasm_data disdata; ++ info->private_data = &disdata; ++ cris_parse_disassembler_options (&disdata, info->disassembler_options, ++ cris_dis_v0_v10); ++ + return print_insn_cris_generic (vma, info, true); + } + /* Disassemble, prefixing register names with `$'. CRIS v32. */ +@@ -2747,9 +2742,11 @@ static int + print_insn_crisv32_with_register_prefix (bfd_vma vma, + disassemble_info *info) + { +- if (info->private_data == NULL +- && !cris_parse_disassembler_options (info, cris_dis_v32)) +- return -1; ++ struct cris_disasm_data disdata; ++ info->private_data = &disdata; ++ cris_parse_disassembler_options (&disdata, info->disassembler_options, ++ cris_dis_v32); ++ + return print_insn_cris_generic (vma, info, true); + } + +@@ -2761,9 +2758,11 @@ static int + print_insn_crisv10_v32_with_register_prefix (bfd_vma vma, + disassemble_info *info) + { +- if (info->private_data == NULL +- && !cris_parse_disassembler_options (info, cris_dis_common_v10_v32)) +- return -1; ++ struct cris_disasm_data disdata; ++ info->private_data = &disdata; ++ cris_parse_disassembler_options (&disdata, info->disassembler_options, ++ cris_dis_common_v10_v32); ++ + return print_insn_cris_generic (vma, info, true); + } + +@@ -2773,9 +2772,11 @@ static int + print_insn_cris_without_register_prefix (bfd_vma vma, + disassemble_info *info) + { +- if (info->private_data == NULL +- && !cris_parse_disassembler_options (info, cris_dis_v0_v10)) +- return -1; ++ struct cris_disasm_data disdata; ++ info->private_data = &disdata; ++ cris_parse_disassembler_options (&disdata, info->disassembler_options, ++ cris_dis_v0_v10); ++ + return print_insn_cris_generic (vma, info, false); + } + +@@ -2785,9 +2786,11 @@ static int + print_insn_crisv32_without_register_prefix (bfd_vma vma, + disassemble_info *info) + { +- if (info->private_data == NULL +- && !cris_parse_disassembler_options (info, cris_dis_v32)) +- return -1; ++ struct cris_disasm_data disdata; ++ info->private_data = &disdata; ++ cris_parse_disassembler_options (&disdata, info->disassembler_options, ++ cris_dis_v32); ++ + return print_insn_cris_generic (vma, info, false); + } + +@@ -2798,9 +2801,11 @@ static int + print_insn_crisv10_v32_without_register_prefix (bfd_vma vma, + disassemble_info *info) + { +- if (info->private_data == NULL +- && !cris_parse_disassembler_options (info, cris_dis_common_v10_v32)) +- return -1; ++ struct cris_disasm_data disdata; ++ info->private_data = &disdata; ++ cris_parse_disassembler_options (&disdata, info->disassembler_options, ++ cris_dis_common_v10_v32); ++ + return print_insn_cris_generic (vma, info, false); + } + #endif +-- +2.19.1 + diff --git a/file-posix-Fix-leaked-fd-in-raw_open_common-error-pa.patch b/file-posix-Fix-leaked-fd-in-raw_open_common-error-pa.patch new file mode 100644 index 0000000000000000000000000000000000000000..28c1e3bc6837063888bb8c862fb1e629f70de8be --- /dev/null +++ b/file-posix-Fix-leaked-fd-in-raw_open_common-error-pa.patch @@ -0,0 +1,31 @@ +From 94be73a20d42482cdf30115e672c36af2fe9068d Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Fri, 17 Jul 2020 12:54:26 +0200 +Subject: [PATCH 5/5] file-posix: Fix leaked fd in raw_open_common() error path + +Signed-off-by: Kevin Wolf +Message-Id: <20200717105426.51134-4-kwolf@redhat.com> +Reviewed-by: Max Reitz +Signed-off-by: Kevin Wolf +Signed-off-by: Zhenyu Ye +--- + block/file-posix.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/block/file-posix.c b/block/file-posix.c +index 2184aa98..1259bf58 100644 +--- a/block/file-posix.c ++++ b/block/file-posix.c +@@ -671,6 +671,9 @@ static int raw_open_common(BlockDriverState *bs, QDict *options, + bs->supported_zero_flags = BDRV_REQ_MAY_UNMAP | BDRV_REQ_NO_FALLBACK; + ret = 0; + fail: ++ if (ret < 0 && s->fd != -1) { ++ qemu_close(s->fd); ++ } + if (filename && (bdrv_flags & BDRV_O_TEMPORARY)) { + unlink(filename); + } +-- +2.22.0.windows.1 + diff --git a/hppa-fix-leak-from-g_strdup_printf.patch b/hppa-fix-leak-from-g_strdup_printf.patch new file mode 100644 index 0000000000000000000000000000000000000000..b04193e380fe58ef14e91cb56d162abc264dce9b --- /dev/null +++ b/hppa-fix-leak-from-g_strdup_printf.patch @@ -0,0 +1,54 @@ +From b7ef7e6fb5a2b08268f4b19c07c07abd4fbb2064 Mon Sep 17 00:00:00 2001 +From: lizhengui +Date: Wed, 9 Sep 2020 14:48:49 +0800 +Subject: [PATCH] hppa: fix leak from g_strdup_printf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +memory_region_init_* takes care of copying the name into memory it owns. +Free it in the caller. + +Signed-off-by: Paolo Bonzini +Reviewed-by: Philippe Mathieu-Daudé +--- + hw/hppa/dino.c | 1 + + hw/hppa/machine.c | 4 +++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/hppa/dino.c b/hw/hppa/dino.c +index e94614ab..ef923b49 100644 +--- a/hw/hppa/dino.c ++++ b/hw/hppa/dino.c +@@ -485,6 +485,7 @@ PCIBus *dino_init(MemoryRegion *addr_space, + memory_region_init_alias(&s->pci_mem_alias[i], OBJECT(s), + name, &s->pci_mem, addr, + DINO_MEM_CHUNK_SIZE); ++ g_free(name); + } + + /* Set up PCI view of memory: Bus master address space. */ +diff --git a/hw/hppa/machine.c b/hw/hppa/machine.c +index 662838d8..9e25660e 100644 +--- a/hw/hppa/machine.c ++++ b/hw/hppa/machine.c +@@ -78,13 +78,15 @@ static void machine_hppa_init(MachineState *machine) + + /* Create CPUs. */ + for (i = 0; i < smp_cpus; i++) { ++ char *name = g_strdup_printf("cpu%ld-io-eir", i); + cpu[i] = HPPA_CPU(cpu_create(machine->cpu_type)); + + cpu_region = g_new(MemoryRegion, 1); + memory_region_init_io(cpu_region, OBJECT(cpu[i]), &hppa_io_eir_ops, +- cpu[i], g_strdup_printf("cpu%ld-io-eir", i), 4); ++ cpu[i], name, 4); + memory_region_add_subregion(addr_space, CPU_HPA + i * 0x1000, + cpu_region); ++ g_free(name); + } + + /* Limit main memory. */ +-- +2.19.1 + diff --git a/ide-fix-leak-from-qemu_allocate_irqs.patch b/ide-fix-leak-from-qemu_allocate_irqs.patch new file mode 100644 index 0000000000000000000000000000000000000000..dce6e906ce92e7e303d2198d7a612905ca0632c1 --- /dev/null +++ b/ide-fix-leak-from-qemu_allocate_irqs.patch @@ -0,0 +1,28 @@ +From df35f8fe2687df32cb65f6a03b8dd80314cc4c53 Mon Sep 17 00:00:00 2001 +From: lizhengui +Date: Wed, 9 Sep 2020 15:00:08 +0800 +Subject: [PATCH] ide: fix leak from qemu_allocate_irqs + +The array returned by qemu_allocate_irqs is malloced, free it. + +Signed-off-by: Paolo Bonzini +Reviewed-by: Thomas Huth +--- + hw/ide/cmd646.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/ide/cmd646.c b/hw/ide/cmd646.c +index ed23aabf..a149cd6c 100644 +--- a/hw/ide/cmd646.c ++++ b/hw/ide/cmd646.c +@@ -299,6 +299,7 @@ static void pci_cmd646_ide_realize(PCIDevice *dev, Error **errp) + d->bmdma[i].bus = &d->bus[i]; + ide_register_restart_cb(&d->bus[i]); + } ++ g_free(irq); + + vmstate_register(DEVICE(dev), 0, &vmstate_ide_pci, d); + qemu_register_reset(cmd646_reset, d); +-- +2.19.1 + diff --git a/lm32-do-not-leak-memory-on-object_new-object_unref.patch b/lm32-do-not-leak-memory-on-object_new-object_unref.patch new file mode 100644 index 0000000000000000000000000000000000000000..7ccc53684bb3d3224757209a4c1710883214fcc8 --- /dev/null +++ b/lm32-do-not-leak-memory-on-object_new-object_unref.patch @@ -0,0 +1,77 @@ +From d50be5295c49be1b6024f5902948b52e683b4c23 Mon Sep 17 00:00:00 2001 +From: lizhengui +Date: Wed, 9 Sep 2020 14:18:35 +0800 +Subject: [PATCH] lm32: do not leak memory on object_new/object_unref +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bottom halves and ptimers are malloced, but nothing in these +files is freeing memory allocated by instance_init. Since +these are sysctl devices that are never unrealized, just moving +the allocations to realize is enough to avoid the leak in +practice (and also to avoid upsetting asan when running +device-introspect-test). + +Signed-off-by: Paolo Bonzini +Reviewed-by: Philippe Mathieu-Daudé +--- + hw/timer/lm32_timer.c | 6 +++--- + hw/timer/milkymist-sysctl.c | 10 +++++----- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/hw/timer/lm32_timer.c b/hw/timer/lm32_timer.c +index 6ce876c6..13f15825 100644 +--- a/hw/timer/lm32_timer.c ++++ b/hw/timer/lm32_timer.c +@@ -184,9 +184,6 @@ static void lm32_timer_init(Object *obj) + + sysbus_init_irq(dev, &s->irq); + +- s->bh = qemu_bh_new(timer_hit, s); +- s->ptimer = ptimer_init(s->bh, PTIMER_POLICY_DEFAULT); +- + memory_region_init_io(&s->iomem, obj, &timer_ops, s, + "timer", R_MAX * 4); + sysbus_init_mmio(dev, &s->iomem); +@@ -196,6 +193,9 @@ static void lm32_timer_realize(DeviceState *dev, Error **errp) + { + LM32TimerState *s = LM32_TIMER(dev); + ++ s->bh = qemu_bh_new(timer_hit, s); ++ s->ptimer = ptimer_init(s->bh, PTIMER_POLICY_DEFAULT); ++ + ptimer_set_freq(s->ptimer, s->freq_hz); + } + +diff --git a/hw/timer/milkymist-sysctl.c b/hw/timer/milkymist-sysctl.c +index a9d25087..2f1ecc6d 100644 +--- a/hw/timer/milkymist-sysctl.c ++++ b/hw/timer/milkymist-sysctl.c +@@ -280,11 +280,6 @@ static void milkymist_sysctl_init(Object *obj) + sysbus_init_irq(dev, &s->timer0_irq); + sysbus_init_irq(dev, &s->timer1_irq); + +- s->bh0 = qemu_bh_new(timer0_hit, s); +- s->bh1 = qemu_bh_new(timer1_hit, s); +- s->ptimer0 = ptimer_init(s->bh0, PTIMER_POLICY_DEFAULT); +- s->ptimer1 = ptimer_init(s->bh1, PTIMER_POLICY_DEFAULT); +- + memory_region_init_io(&s->regs_region, obj, &sysctl_mmio_ops, s, + "milkymist-sysctl", R_MAX * 4); + sysbus_init_mmio(dev, &s->regs_region); +@@ -294,6 +289,11 @@ static void milkymist_sysctl_realize(DeviceState *dev, Error **errp) + { + MilkymistSysctlState *s = MILKYMIST_SYSCTL(dev); + ++ s->bh0 = qemu_bh_new(timer0_hit, s); ++ s->bh1 = qemu_bh_new(timer1_hit, s); ++ s->ptimer0 = ptimer_init(s->bh0, PTIMER_POLICY_DEFAULT); ++ s->ptimer1 = ptimer_init(s->bh1, PTIMER_POLICY_DEFAULT); ++ + ptimer_set_freq(s->ptimer0, s->freq_hz); + ptimer_set_freq(s->ptimer1, s->freq_hz); + } +-- +2.19.1 + diff --git a/make-check-unit-use-after-free-in-test-opts-visitor.patch b/make-check-unit-use-after-free-in-test-opts-visitor.patch new file mode 100644 index 0000000000000000000000000000000000000000..590970004769b464b68977639a0e5e823bb9b9ac --- /dev/null +++ b/make-check-unit-use-after-free-in-test-opts-visitor.patch @@ -0,0 +1,102 @@ +From e3dfb5d2848975e9e947cb894afac87ce386a2bc Mon Sep 17 00:00:00 2001 +From: lizhengui +Date: Wed, 9 Sep 2020 15:18:52 +0800 +Subject: [PATCH] make check-unit: use after free in test-opts-visitor + +In the struct OptsVisitor, the 'repeated_opts' member points to a list +in the 'unprocessed_opts' hash table after the list has been destroyed. +A subsequent call to visit_type_int() references the deleted list. +It results in use-after-free issue reproduced by running the test case +under the Valgrind: valgrind tests/test-opts-visitor. +A new mode ListMode::LM_TRAVERSED is declared to mark the list +traversal completed. + +Suggested-by: Markus Armbruster +Signed-off-by: Andrey Shinkevich +Message-Id: <1565024586-387112-1-git-send-email-andrey.shinkevich@virtuozzo.com> +--- + qapi/opts-visitor.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +diff --git a/qapi/opts-visitor.c b/qapi/opts-visitor.c +index 324b1974..42d87df6 100644 +--- a/qapi/opts-visitor.c ++++ b/qapi/opts-visitor.c +@@ -24,7 +24,8 @@ enum ListMode + { + LM_NONE, /* not traversing a list of repeated options */ + +- LM_IN_PROGRESS, /* opts_next_list() ready to be called. ++ LM_IN_PROGRESS, /* ++ * opts_next_list() ready to be called. + * + * Generating the next list link will consume the most + * recently parsed QemuOpt instance of the repeated +@@ -36,7 +37,8 @@ enum ListMode + * LM_UNSIGNED_INTERVAL. + */ + +- LM_SIGNED_INTERVAL, /* opts_next_list() has been called. ++ LM_SIGNED_INTERVAL, /* ++ * opts_next_list() has been called. + * + * Generating the next list link will consume the most + * recently stored element from the signed interval, +@@ -48,7 +50,14 @@ enum ListMode + * next element of the signed interval. + */ + +- LM_UNSIGNED_INTERVAL /* Same as above, only for an unsigned interval. */ ++ LM_UNSIGNED_INTERVAL, /* Same as above, only for an unsigned interval. */ ++ ++ LM_TRAVERSED /* ++ * opts_next_list() has been called. ++ * ++ * No more QemuOpt instance in the list. ++ * The traversal has been completed. ++ */ + }; + + typedef enum ListMode ListMode; +@@ -238,6 +247,8 @@ opts_next_list(Visitor *v, GenericList *tail, size_t size) + OptsVisitor *ov = to_ov(v); + + switch (ov->list_mode) { ++ case LM_TRAVERSED: ++ return NULL; + case LM_SIGNED_INTERVAL: + case LM_UNSIGNED_INTERVAL: + if (ov->list_mode == LM_SIGNED_INTERVAL) { +@@ -258,6 +269,8 @@ opts_next_list(Visitor *v, GenericList *tail, size_t size) + opt = g_queue_pop_head(ov->repeated_opts); + if (g_queue_is_empty(ov->repeated_opts)) { + g_hash_table_remove(ov->unprocessed_opts, opt->name); ++ ov->repeated_opts = NULL; ++ ov->list_mode = LM_TRAVERSED; + return NULL; + } + break; +@@ -289,7 +302,8 @@ opts_end_list(Visitor *v, void **obj) + + assert(ov->list_mode == LM_IN_PROGRESS || + ov->list_mode == LM_SIGNED_INTERVAL || +- ov->list_mode == LM_UNSIGNED_INTERVAL); ++ ov->list_mode == LM_UNSIGNED_INTERVAL || ++ ov->list_mode == LM_TRAVERSED); + ov->repeated_opts = NULL; + ov->list_mode = LM_NONE; + } +@@ -306,6 +320,10 @@ lookup_scalar(const OptsVisitor *ov, const char *name, Error **errp) + list = lookup_distinct(ov, name, errp); + return list ? g_queue_peek_tail(list) : NULL; + } ++ if (ov->list_mode == LM_TRAVERSED) { ++ error_setg(errp, "Fewer list elements than expected"); ++ return NULL; ++ } + assert(ov->list_mode == LM_IN_PROGRESS); + return g_queue_peek_head(ov->repeated_opts); + } +-- +2.19.1 + diff --git a/mcf5208-fix-leak-from-qemu_allocate_irqs.patch b/mcf5208-fix-leak-from-qemu_allocate_irqs.patch new file mode 100644 index 0000000000000000000000000000000000000000..7e254f577e4f08bc332bb94dda769ce9a584c623 --- /dev/null +++ b/mcf5208-fix-leak-from-qemu_allocate_irqs.patch @@ -0,0 +1,29 @@ +From 07b7cdb648124748c34be299fbfdfe3b6e38a521 Mon Sep 17 00:00:00 2001 +From: lizhengui +Date: Wed, 9 Sep 2020 14:53:00 +0800 +Subject: [PATCH] mcf5208: fix leak from qemu_allocate_irqs + +The array returned by qemu_allocate_irqs is malloced, free it. + +Signed-off-by: Paolo Bonzini +Reviewed-by: Thomas Huth +--- + hw/m68k/mcf5208.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/hw/m68k/mcf5208.c b/hw/m68k/mcf5208.c +index 6f6efae9..cc765eac 100644 +--- a/hw/m68k/mcf5208.c ++++ b/hw/m68k/mcf5208.c +@@ -270,6 +270,8 @@ static void mcf5208evb_init(MachineState *machine) + 0xfc030000, pic + 36); + } + ++ g_free(pic); ++ + /* 0xfc000000 SCM. */ + /* 0xfc004000 XBS. */ + /* 0xfc008000 FlexBus CS. */ +-- +2.19.1 + diff --git a/microblaze-fix-leak-of-fdevice-tree-blob.patch b/microblaze-fix-leak-of-fdevice-tree-blob.patch new file mode 100644 index 0000000000000000000000000000000000000000..dd845e80cef5f3315e44417f3b7eeaa60ce6b8bb --- /dev/null +++ b/microblaze-fix-leak-of-fdevice-tree-blob.patch @@ -0,0 +1,32 @@ +From 2ff9c28e2b72cd359a0c4e931412e355baee8e1e Mon Sep 17 00:00:00 2001 +From: lizhengui +Date: Wed, 9 Sep 2020 14:55:11 +0800 +Subject: [PATCH] microblaze: fix leak of fdevice tree blob +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The device tree blob returned by load_device_tree is malloced. +Free it before returning. + +Signed-off-by: Paolo Bonzini +Reviewed-by: Philippe Mathieu-Daudé +--- + hw/microblaze/boot.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/microblaze/boot.c b/hw/microblaze/boot.c +index a7af4c07..0fcc4e9d 100644 +--- a/hw/microblaze/boot.c ++++ b/hw/microblaze/boot.c +@@ -99,6 +99,7 @@ static int microblaze_load_dtb(hwaddr addr, + } + + cpu_physical_memory_write(addr, fdt, fdt_size); ++ g_free(fdt); + return fdt_size; + } + +-- +2.19.1 + diff --git a/migration-fix-cleanup_bh-leak-on-resume.patch b/migration-fix-cleanup_bh-leak-on-resume.patch new file mode 100644 index 0000000000000000000000000000000000000000..6b75ed01b8faa4c3d5b9d1e17e6d3d205daa2396 --- /dev/null +++ b/migration-fix-cleanup_bh-leak-on-resume.patch @@ -0,0 +1,64 @@ +From 1d7c227bbb24665cea03f96a984ad6be223ac40c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Wed, 25 Mar 2020 19:47:21 +0100 +Subject: [PATCH 2/5] migration: fix cleanup_bh leak on resume +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since commit 8c6b0356b53977bcfdea5299db07884915425b0c ("util/async: +make bh_aio_poll() O(1)"), migration-test reveals a leak: + +QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 +tests/qtest/migration-test -p /x86_64/migration/postcopy/recovery +tests/qtest/libqtest.c:140: kill_qemu() tried to terminate QEMU +process but encountered exit status 1 (expected 0) + +================================================================= +==2082571==ERROR: LeakSanitizer: detected memory leaks + +Direct leak of 40 byte(s) in 1 object(s) allocated from: + #0 0x7f25971dfc58 in __interceptor_malloc (/lib64/libasan.so.5+0x10dc58) + #1 0x7f2596d08358 in g_malloc (/lib64/libglib-2.0.so.0+0x57358) + #2 0x560970d006f8 in qemu_bh_new /home/elmarco/src/qemu/util/main-loop.c:532 + #3 0x5609704afa02 in migrate_fd_connect +/home/elmarco/src/qemu/migration/migration.c:3407 + #4 0x5609704b6b6f in migration_channel_connect +/home/elmarco/src/qemu/migration/channel.c:92 + #5 0x5609704b2bfb in socket_outgoing_migration +/home/elmarco/src/qemu/migration/socket.c:108 + #6 0x560970b9bd6c in qio_task_complete /home/elmarco/src/qemu/io/task.c:196 + #7 0x560970b9aa97 in qio_task_thread_result +/home/elmarco/src/qemu/io/task.c:111 + #8 0x7f2596cfee3a (/lib64/libglib-2.0.so.0+0x4de3a) + +Signed-off-by: Marc-André Lureau +Message-Id: <20200325184723.2029630-2-marcandre.lureau@redhat.com> +Reviewed-by: Juan Quintela +Signed-off-by: Paolo Bonzini +Signed-off-by: Zhenyu Ye +--- + migration/migration.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/migration/migration.c b/migration/migration.c +index 8f2fc2b4..7949f2a4 100644 +--- a/migration/migration.c ++++ b/migration/migration.c +@@ -3313,7 +3313,12 @@ void migrate_fd_connect(MigrationState *s, Error *error_in) + bool resume = s->state == MIGRATION_STATUS_POSTCOPY_PAUSED; + + s->expected_downtime = s->parameters.downtime_limit; +- s->cleanup_bh = qemu_bh_new(migrate_fd_cleanup_bh, s); ++ if (resume) { ++ assert(s->cleanup_bh); ++ } else { ++ assert(!s->cleanup_bh); ++ s->cleanup_bh = qemu_bh_new(migrate_fd_cleanup_bh, s); ++ } + if (error_in) { + migrate_fd_error(s, error_in); + migrate_fd_cleanup(s); +-- +2.22.0.windows.1 + diff --git a/qemu.spec b/qemu.spec index 74162a1452e2384333f19e7b15cdd56a6b783efa..e16944d582c67906cd271adb9837bbee5070984e 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 23 +Release: 24 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY @@ -228,6 +228,18 @@ Patch0215: target-arm-Update-ID-fields.patch Patch0216: target-arm-Add-more-CPU-features.patch Patch0217: hw-usb-core-fix-buffer-overflow.patch Patch0218: target-arm-ignore-evtstrm-and-cpuid-CPU-features.patch +Patch0219: Fixed-integer-overflow-in-e1000e.patch +Patch0220: migration-fix-cleanup_bh-leak-on-resume.patch +Patch0221: qmp-fix-leak-on-callbacks-that-return-both-value-and.patch +Patch0222: qga-commands-posix-fix-use-after-free-of-local_err.patch +Patch0223: file-posix-Fix-leaked-fd-in-raw_open_common-error-pa.patch +Patch0224: lm32-do-not-leak-memory-on-object_new-object_unref.patch +Patch0225: cris-do-not-leak-struct-cris_disasm_data.patch +Patch0226: hppa-fix-leak-from-g_strdup_printf.patch +Patch0227: mcf5208-fix-leak-from-qemu_allocate_irqs.patch +Patch0228: microblaze-fix-leak-of-fdevice-tree-blob.patch +Patch0229: ide-fix-leak-from-qemu_allocate_irqs.patch +Patch0230: make-check-unit-use-after-free-in-test-opts-visitor.patch BuildRequires: flex BuildRequires: bison @@ -574,6 +586,22 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Wed Sep 9 2020 Huawei Technologies Co., Ltd +- lm32-do-not-leak-memory-on-object_new-object_unref.patch +- cris-do-not-leak-struct-cris_disasm_data.patch +- hppa-fix-leak-from-g_strdup_printf.patch +- mcf5208-fix-leak-from-qemu_allocate_irqs.patch +- microblaze-fix-leak-of-fdevice-tree-blob.patch +- ide-fix-leak-from-qemu_allocate_irqs.patch +- make-check-unit-use-after-free-in-test-opts-visitor.patch + +* Wed Sep 9 2020 Huawei Technologies Co., Ltd +- file-posix: Fix leaked fd in raw_open_common() error path +- qga/commands-posix: fix use after free of local_err +- qmp: fix leak on callbacks that return both value and error +- migration: fix cleanup_bh leak on resume +- Fixed integer overflow in e1000e + * Tue Sep 08 2020 Huawei Technologies Co., Ltd - target/arm: ignore evtstrm and cpuid CPU features diff --git a/qga-commands-posix-fix-use-after-free-of-local_err.patch b/qga-commands-posix-fix-use-after-free-of-local_err.patch new file mode 100644 index 0000000000000000000000000000000000000000..9628d0c59445c9d29ddaa39e6fb271fe73a5c274 --- /dev/null +++ b/qga-commands-posix-fix-use-after-free-of-local_err.patch @@ -0,0 +1,49 @@ +From 15847279f29b0bd67b95daefff395cab8fad80d3 Mon Sep 17 00:00:00 2001 +From: Vladimir Sementsov-Ogievskiy +Date: Tue, 24 Mar 2020 18:36:30 +0300 +Subject: [PATCH 4/5] qga/commands-posix: fix use after free of local_err + +local_err is used several times in guest_suspend(). Setting non-NULL +local_err will crash, so let's zero it after freeing. Also fix possible +leak of local_err in final if(). + +Signed-off-by: Vladimir Sementsov-Ogievskiy +Message-Id: <20200324153630.11882-7-vsementsov@virtuozzo.com> +Reviewed-by: Richard Henderson +Signed-off-by: Markus Armbruster +Signed-off-by: Zhenyu Ye +--- + qga/commands-posix.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/qga/commands-posix.c b/qga/commands-posix.c +index dfc05f5b..66164e6c 100644 +--- a/qga/commands-posix.c ++++ b/qga/commands-posix.c +@@ -1760,6 +1760,7 @@ static void guest_suspend(SuspendMode mode, Error **errp) + } + + error_free(local_err); ++ local_err = NULL; + + if (pmutils_supports_mode(mode, &local_err)) { + mode_supported = true; +@@ -1771,6 +1772,7 @@ static void guest_suspend(SuspendMode mode, Error **errp) + } + + error_free(local_err); ++ local_err = NULL; + + if (linux_sys_state_supports_mode(mode, &local_err)) { + mode_supported = true; +@@ -1778,6 +1780,7 @@ static void guest_suspend(SuspendMode mode, Error **errp) + } + + if (!mode_supported) { ++ error_free(local_err); + error_setg(errp, + "the requested suspend mode is not supported by the guest"); + } else { +-- +2.22.0.windows.1 + diff --git a/qmp-fix-leak-on-callbacks-that-return-both-value-and.patch b/qmp-fix-leak-on-callbacks-that-return-both-value-and.patch new file mode 100644 index 0000000000000000000000000000000000000000..1ceb1e70b84f1e1a9a3f785ff2d4d55b697a7cb4 --- /dev/null +++ b/qmp-fix-leak-on-callbacks-that-return-both-value-and.patch @@ -0,0 +1,47 @@ +From 1f1949368d4ac7a18973aa83a074daf01daf97ad Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Wed, 25 Mar 2020 19:47:22 +0100 +Subject: [PATCH 3/5] qmp: fix leak on callbacks that return both value and + error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Direct leak of 4120 byte(s) in 1 object(s) allocated from: + #0 0x7fa114931887 in __interceptor_calloc (/lib64/libasan.so.6+0xb0887) + #1 0x7fa1144ad8f0 in g_malloc0 (/lib64/libglib-2.0.so.0+0x588f0) + #2 0x561e3c9c8897 in qmp_object_add /home/elmarco/src/qemu/qom/qom-qmp-cmds.c:291 + #3 0x561e3cf48736 in qmp_dispatch /home/elmarco/src/qemu/qapi/qmp-dispatch.c:155 + #4 0x561e3c8efb36 in monitor_qmp_dispatch /home/elmarco/src/qemu/monitor/qmp.c:145 + #5 0x561e3c8f09ed in monitor_qmp_bh_dispatcher /home/elmarco/src/qemu/monitor/qmp.c:234 + #6 0x561e3d08c993 in aio_bh_call /home/elmarco/src/qemu/util/async.c:136 + #7 0x561e3d08d0a5 in aio_bh_poll /home/elmarco/src/qemu/util/async.c:164 + #8 0x561e3d0a535a in aio_dispatch /home/elmarco/src/qemu/util/aio-posix.c:380 + #9 0x561e3d08e3ca in aio_ctx_dispatch /home/elmarco/src/qemu/util/async.c:298 + #10 0x7fa1144a776e in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x5276e) + +Signed-off-by: Marc-André Lureau +Message-Id: <20200325184723.2029630-3-marcandre.lureau@redhat.com> +Reviewed-by: Markus Armbruster +Signed-off-by: Paolo Bonzini +Signed-off-by: Zhenyu Ye +--- + qapi/qmp-dispatch.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/qapi/qmp-dispatch.c b/qapi/qmp-dispatch.c +index 6dfdad57..a635abb9 100644 +--- a/qapi/qmp-dispatch.c ++++ b/qapi/qmp-dispatch.c +@@ -189,6 +189,8 @@ QDict *qmp_dispatch(QmpCommandList *cmds, QObject *request, + + ret = do_qmp_dispatch(cmds, request, allow_oob, &err); + if (err) { ++ /* or assert(!ret) after reviewing all handlers: */ ++ qobject_unref(ret); + rsp = qmp_error_response(err); + } else if (ret) { + rsp = qdict_new(); +-- +2.22.0.windows.1 +