Commit 3d39fd35f6 for qemu.org
commit 3d39fd35f61f79e5dc24bfb8a644b35d3c158984
Author: Peter Maydell <peter.maydell@linaro.org>
Date: Sat Mar 7 12:52:22 2026 +0000
hw/riscv/riscv-iommu: Free instance_init allocations in instance_finalize
The riscv-iommu device makes various allocations in its
instance_init method. These will leak when QMP inits an
object of this type to introspect it, as can be seen if you
run 'make check' with the address sanitizer enabled:
Direct leak of 4096 byte(s) in 1 object(s) allocated from:
#0 0x5d8415b6ed9d in calloc (/home/pm215/qemu/build/san/qemu-system-riscv32+0x1832d9d) (BuildId: fedcc313e48ba803d63837329c37fd609dd50849)
#1 0x75c0502f1771 in g_malloc0 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x63771) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3)
#2 0x5d8416d09391 in riscv_iommu_instance_init /home/pm215/qemu/build/san/../../hw/riscv/riscv-iommu.c:2463:18
#3 0x5d841710483f in object_initialize_with_type /home/pm215/qemu/build/san/../../qom/object.c:570:5
#4 0x5d8417104ee9 in object_initialize /home/pm215/qemu/build/san/../../qom/object.c:578:5
#5 0x5d8417104ee9 in object_initialize_child_with_propsv /home/pm215/qemu/build/san/../../qom/object.c:608:5
#6 0x5d8417104db1 in object_initialize_child_with_props /home/pm215/qemu/build/san/../../qom/object.c:591:10
#7 0x5d8417106506 in object_initialize_child_internal /home/pm215/qemu/build/san/../../qom/object.c:645:5
#8 0x5d8416d16a12 in riscv_iommu_sys_init /home/pm215/qemu/build/san/../../hw/riscv/riscv-iommu-sys.c:199:5
#9 0x5d841710483f in object_initialize_with_type /home/pm215/qemu/build/san/../../qom/object.c:570:5
#10 0x5d841710661f in object_new_with_type /home/pm215/qemu/build/san/../../qom/object.c:774:5
#11 0x5d841755d956 in qmp_device_list_properties /home/pm215/qemu/build/san/../../qom/qom-qmp-cmds.c:206:11
(and other similar backtraces).
Fix these by freeing the resources we allocate in instance_init in
instance_finalize. In some cases we were freeing these in unrealize,
and in some cases not at all.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Chao Liu <chao.liu.zevorn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20260307125222.3656140-1-peter.maydell@linaro.org>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
diff --git a/hw/riscv/riscv-iommu.c b/hw/riscv/riscv-iommu.c
index 98345b1280..225394ea83 100644
--- a/hw/riscv/riscv-iommu.c
+++ b/hw/riscv/riscv-iommu.c
@@ -2479,6 +2479,18 @@ static void riscv_iommu_instance_init(Object *obj)
QLIST_INIT(&s->spaces);
}
+static void riscv_iommu_instance_finalize(Object *obj)
+{
+ RISCVIOMMUState *s = RISCV_IOMMU(obj);
+
+ g_free(s->regs_rw);
+ g_free(s->regs_ro);
+ g_free(s->regs_wc);
+
+ g_hash_table_unref(s->ctx_cache);
+ g_hash_table_unref(s->iot_cache);
+}
+
static void riscv_iommu_realize(DeviceState *dev, Error **errp)
{
RISCVIOMMUState *s = RISCV_IOMMU(dev);
@@ -2597,9 +2609,6 @@ static void riscv_iommu_unrealize(DeviceState *dev)
{
RISCVIOMMUState *s = RISCV_IOMMU(dev);
- g_hash_table_unref(s->iot_cache);
- g_hash_table_unref(s->ctx_cache);
-
if (s->cap & RISCV_IOMMU_CAP_HPM) {
g_hash_table_unref(s->hpm_event_ctr_map);
timer_free(s->hpm_timer);
@@ -2675,6 +2684,7 @@ static const TypeInfo riscv_iommu_info = {
.parent = TYPE_DEVICE,
.instance_size = sizeof(RISCVIOMMUState),
.instance_init = riscv_iommu_instance_init,
+ .instance_finalize = riscv_iommu_instance_finalize,
.class_init = riscv_iommu_class_init,
};