Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging

* move Coverity builds to Gitlab CI * fix two memory leaks * bug fixes # -----BEGIN PGP SIGNATURE----- # # iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmXrVMMUHHBib256aW5p # QHJlZGhhdC5jb20ACgkQv/vSX3jHroPWywgAqobH+9HsUdwzAqvtjZ6Qw8cQZ8jM # egGn9SF6he3cArFem8d2sDVuvI3XZrpiwd3Zxi8HVW9l2ePzD6lIJjkKfRpK+srd # API5F3isfcfWcfWLvsjWrzV7MYjpW2+aPGDJ9heazjye3tuEtDEeq/rkgbvfvwyj # HfEZQLPsw2QbaviuZutklhYqiRWOXsb46+Y+5+PlfnVkYe7VQlAKgkbTXvbN6Xd9 # 1yX4OyKRa1aDHNYVvaNsnyppDUhniEPRF5rNcRvynMxPTFrXIhcD9p6bzhMp+Ot7 # lVAEI87TdnS+sbrIEKzHU8PkfW/Lz8WLdcKo48jj2///g0FxATWMuLG25w== # =PzGZ # -----END PGP SIGNATURE----- # gpg: Signature made Fri 08 Mar 2024 18:11:15 GMT # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * tag 'for-upstream' of https://gitlab.com/bonzini/qemu: gitlab-ci: add manual job to run Coverity run-coverity-scan: add --check-upload-only option mips: do not list individual devices from configs/ oslib-posix: fix memory leak in touch_all_pages hw/intc/apic: fix memory leak hw/scsi/lsi53c895a: stop script on phase mismatch meson: Remove --warn-common ldflag system/qdev-monitor: move drain_call_rcu call under if (!dev) in qmp_device_add() hw/scsi/lsi53c895a: add timer to scripts processing Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2025-08-22 23:25:48 +00:00 · 2024-03-09 15:01:47 +00:00
parent 256f016658 83aa1baa06
commit f901bf11b3
14 changed files with 176 additions and 84 deletions
--- a/.gitlab-ci.d/base.yml
+++ b/.gitlab-ci.d/base.yml
@ -41,6 +41,10 @@ variables:
    - if: '$CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_COMMIT_TAG'
      when: never
    # Scheduled runs on mainline don't get pipelines except for the special Coverity job
    - if: '$CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_PIPELINE_SOURCE == "schedule"'
      when: never
    # Cirrus jobs can't run unless the creds / target repo are set
    - if: '$QEMU_JOB_CIRRUS && ($CIRRUS_GITHUB_REPO == null || $CIRRUS_API_TOKEN == null)'
      when: never
--- a/.gitlab-ci.d/buildtest.yml
+++ b/.gitlab-ci.d/buildtest.yml
@ -659,7 +659,7 @@ build-without-defaults:
      --disable-pie
      --disable-qom-cast-debug
      --disable-strip
-    TARGETS: avr-softmmu mips64-softmmu s390x-softmmu sh4-softmmu
+    TARGETS: avr-softmmu s390x-softmmu sh4-softmmu
      sparc64-softmmu hexagon-linux-user i386-linux-user s390x-linux-user
    MAKE_CHECK_ARGS: check
@ -729,3 +729,40 @@ pages:
      - public
  variables:
    QEMU_JOB_PUBLISH: 1
 coverity:
  image: $CI_REGISTRY_IMAGE/qemu/fedora:$QEMU_CI_CONTAINER_TAG
  stage: build
  allow_failure: true
  timeout: 3h
  needs:
    - job: amd64-fedora-container
      optional: true
  before_script:
    - dnf install -y curl wget
  script:
    # would be nice to cancel the job if over quota (https://gitlab.com/gitlab-org/gitlab/-/issues/256089)
    # for example:
    #   curl --request POST --header "PRIVATE-TOKEN: $CI_JOB_TOKEN" "${CI_SERVER_URL}/api/v4/projects/${CI_PROJECT_ID}/jobs/${CI_JOB_ID}/cancel
    - 'scripts/coverity-scan/run-coverity-scan --check-upload-only || { exitcode=$?; if test $exitcode = 1; then
        exit 0;
      else
        exit $exitcode;
      fi; };
      scripts/coverity-scan/run-coverity-scan --update-tools-only > update-tools.log 2>&1 || { cat update-tools.log; exit 1; };
      scripts/coverity-scan/run-coverity-scan --no-update-tools'
  rules:
    - if: '$COVERITY_TOKEN == null'
      when: never
    - if: '$COVERITY_EMAIL == null'
      when: never
    # Never included on upstream pipelines, except for schedules
    - if: '$CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_PIPELINE_SOURCE == "schedule"'
      when: on_success
    - if: '$CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM'
      when: never
    # Forks don't get any pipeline unless QEMU_CI=1 or QEMU_CI=2 is set
    - if: '$QEMU_CI != "1" && $QEMU_CI != "2"'
      when: never
    # Always manual on forks even if $QEMU_CI == "2"
    - when: manual
--- a/.gitlab-ci.d/opensbi.yml
+++ b/.gitlab-ci.d/opensbi.yml
@ -24,6 +24,10 @@
    - if: '$QEMU_CI == "1" && $CI_PROJECT_NAMESPACE != "qemu-project" && $CI_COMMIT_MESSAGE =~ /opensbi/i'
      when: manual
    # Scheduled runs on mainline don't get pipelines except for the special Coverity job
    - if: '$CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_PIPELINE_SOURCE == "schedule"'
      when: never
    # Run if any files affecting the build output are touched
    - changes:
        - .gitlab-ci.d/opensbi.yml
--- a/configs/devices/mips-softmmu/common.mak
+++ b/configs/devices/mips-softmmu/common.mak
@ -1,28 +1,8 @@
 # Common mips*-softmmu CONFIG defines
-CONFIG_ISA_BUS=y
+# Uncomment the following lines to disable these optional devices:
-CONFIG_PCI=y
+# CONFIG_PCI_DEVICES=n
-CONFIG_PCI_DEVICES=y
+# CONFIG_TEST_DEVICES=n
-CONFIG_VGA_ISA=y
+
 CONFIG_VGA_MMIO=y
 CONFIG_VGA_CIRRUS=y
 CONFIG_VMWARE_VGA=y
 CONFIG_SERIAL=y
 CONFIG_SERIAL_ISA=y
 CONFIG_PARALLEL=y
 CONFIG_I8254=y
 CONFIG_PCSPK=y
 CONFIG_PCKBD=y
 CONFIG_FDC=y
 CONFIG_I8257=y
 CONFIG_IDE_ISA=y
 CONFIG_PFLASH_CFI01=y
 CONFIG_I8259=y
 CONFIG_MC146818RTC=y
 CONFIG_MIPS_CPS=y
 CONFIG_MIPS_ITU=y
 CONFIG_MALTA=y
 CONFIG_PCNET_PCI=y
 CONFIG_MIPSSIM=y
 CONFIG_SMBUS_EEPROM=y
 CONFIG_TEST_DEVICES=y
--- a/configs/devices/mips64el-softmmu/default.mak
+++ b/configs/devices/mips64el-softmmu/default.mak
@ -3,8 +3,5 @@
 include ../mips-softmmu/common.mak
 CONFIG_FULOONG=y
 CONFIG_LOONGSON3V=y
 CONFIG_ATI_VGA=y
 CONFIG_RTL8139_PCI=y
 CONFIG_JAZZ=y
 CONFIG_VT82C686=y
 CONFIG_MIPS_BOSTON=y
--- a/hw/display/Kconfig
+++ b/hw/display/Kconfig
@ -55,7 +55,7 @@ config VGA_MMIO
 config VMWARE_VGA
    bool
-    default y if PCI_DEVICES && PC_PCI
+    default y if PCI_DEVICES && (PC_PCI || MIPS)
    depends on PCI
    select VGA
--- a/hw/intc/apic.c
+++ b/hw/intc/apic.c
@ -291,14 +291,13 @@ static void apic_deliver_irq(uint32_t dest, uint8_t dest_mode,
                             uint8_t delivery_mode, uint8_t vector_num,
                             uint8_t trigger_mode)
 {
-    uint32_t *deliver_bitmask = g_malloc(max_apic_words * sizeof(uint32_t));
+    g_autofree uint32_t *deliver_bitmask = g_new(uint32_t, max_apic_words);
    trace_apic_deliver_irq(dest, dest_mode, delivery_mode, vector_num,
                           trigger_mode);
    apic_get_delivery_bitmask(deliver_bitmask, dest, dest_mode);
    apic_bus_deliver(deliver_bitmask, delivery_mode, vector_num, trigger_mode);
    g_free(deliver_bitmask);
 }
 bool is_x2apic_mode(DeviceState *dev)
@ -662,7 +661,7 @@ static void apic_deliver(DeviceState *dev, uint32_t dest, uint8_t dest_mode,
    APICCommonState *s = APIC(dev);
    APICCommonState *apic_iter;
    uint32_t deliver_bitmask_size = max_apic_words * sizeof(uint32_t);
-    uint32_t *deliver_bitmask = g_malloc(deliver_bitmask_size);
+    g_autofree uint32_t *deliver_bitmask = g_new(uint32_t, max_apic_words);
    uint32_t current_apic_id;
    if (is_x2apic_mode(dev)) {
@ -708,7 +707,6 @@ static void apic_deliver(DeviceState *dev, uint32_t dest, uint8_t dest_mode,
    }
    apic_bus_deliver(deliver_bitmask, delivery_mode, vector_num, trigger_mode);
    g_free(deliver_bitmask);
 }
 static bool apic_check_pic(APICCommonState *s)
--- a/hw/mips/Kconfig
+++ b/hw/mips/Kconfig
@ -1,8 +1,15 @@
 config MALTA
    bool
    imply PCNET_PCI
    imply PCI_DEVICES
    imply TEST_DEVICES
    select FDC37M81X
    select GT64120
    select MIPS_CPS
    select PIIX
    select PFLASH_CFI01
    select SERIAL
    select SMBUS_EEPROM
 config MIPSSIM
    bool
@ -31,17 +38,26 @@ config JAZZ
 config FULOONG
    bool
    imply PCI_DEVICES
    imply TEST_DEVICES
    imply ATI_VGA
    imply RTL8139_PCI
    select PCI_BONITO
    select SMBUS_EEPROM
    select VT82C686
 config LOONGSON3V
    bool
    imply PCI_DEVICES
    imply TEST_DEVICES
    imply VIRTIO_PCI
    imply VIRTIO_NET
    imply VIRTIO_VGA
    imply QXL if SPICE
    imply USB_OHCI_PCI
    select SERIAL
    select GOLDFISH_RTC
    select LOONGSON_LIOINTC
    select PCI_DEVICES
    select PCI_EXPRESS_GENERIC_BRIDGE
    select MSI_NONBROKEN
    select FW_CFG_MIPS
@ -53,6 +69,8 @@ config MIPS_CPS
 config MIPS_BOSTON
    bool
    imply PCI_DEVICES
    imply TEST_DEVICES
    select FITLOADER
    select MIPS_CPS
    select PCI_EXPRESS_XILINX
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@ -188,7 +188,7 @@ static const char *names[] = {
 #define LSI_TAG_VALID     (1 << 16)
 /* Maximum instructions to process. */
-#define LSI_MAX_INSN    10000
+#define LSI_MAX_INSN    100
 typedef struct lsi_request {
    SCSIRequest *req;
@ -205,6 +205,7 @@ enum {
    LSI_WAIT_RESELECT, /* Wait Reselect instruction has been issued */
    LSI_DMA_SCRIPTS, /* processing DMA from lsi_execute_script */
    LSI_DMA_IN_PROGRESS, /* DMA operation is in progress */
    LSI_WAIT_SCRIPTS, /* SCRIPTS stopped because of instruction count limit */
 };
 enum {
@ -224,6 +225,7 @@ struct LSIState {
    MemoryRegion ram_io;
    MemoryRegion io_io;
    AddressSpace pci_io_as;
    QEMUTimer *scripts_timer;
    int carry; /* ??? Should this be an a visible register somewhere?  */
    int status;
@ -415,6 +417,7 @@ static void lsi_soft_reset(LSIState *s)
    s->sbr = 0;
    assert(QTAILQ_EMPTY(&s->queue));
    assert(!s->current);
    timer_del(s->scripts_timer);
 }
 static int lsi_dma_40bit(LSIState *s)
@ -570,8 +573,9 @@ static inline void lsi_set_phase(LSIState *s, int phase)
    s->sstat1 = (s->sstat1 & ~PHASE_MASK) | phase;
 }
-static void lsi_bad_phase(LSIState *s, int out, int new_phase)
+static int lsi_bad_phase(LSIState *s, int out, int new_phase)
 {
    int ret = 0;
    /* Trigger a phase mismatch.  */
    if (s->ccntl0 & LSI_CCNTL0_ENPMJ) {
        if ((s->ccntl0 & LSI_CCNTL0_PMJCTL)) {
@ -584,8 +588,10 @@ static void lsi_bad_phase(LSIState *s, int out, int new_phase)
        trace_lsi_bad_phase_interrupt();
        lsi_script_scsi_interrupt(s, LSI_SIST0_MA, 0);
        lsi_stop_script(s);
        ret = 1;
    }
    lsi_set_phase(s, new_phase);
    return ret;
 }
@ -789,7 +795,7 @@ static int lsi_queue_req(LSIState *s, SCSIRequest *req, uint32_t len)
 static void lsi_command_complete(SCSIRequest *req, size_t resid)
 {
    LSIState *s = LSI53C895A(req->bus->qbus.parent);
-    int out;
+    int out, stop = 0;
    out = (s->sstat1 & PHASE_MASK) == PHASE_DO;
    trace_lsi_command_complete(req->status);
@ -797,7 +803,10 @@ static void lsi_command_complete(SCSIRequest *req, size_t resid)
    s->command_complete = 2;
    if (s->waiting && s->dbc != 0) {
        /* Raise phase mismatch for short transfers.  */
-        lsi_bad_phase(s, out, PHASE_ST);
+        stop = lsi_bad_phase(s, out, PHASE_ST);
        if (stop) {
            s->waiting = 0;
        }
    } else {
        lsi_set_phase(s, PHASE_ST);
    }
@ -807,7 +816,9 @@ static void lsi_command_complete(SCSIRequest *req, size_t resid)
        lsi_request_free(s, s->current);
        scsi_req_unref(req);
    }
-    lsi_resume_script(s);
+    if (!stop) {
        lsi_resume_script(s);
    }
 }
 /* Callback to indicate that the SCSI layer has completed a transfer.  */
@ -1127,6 +1138,12 @@ static void lsi_wait_reselect(LSIState *s)
    }
 }
 static void lsi_scripts_timer_start(LSIState *s)
 {
    trace_lsi_scripts_timer_start();
    timer_mod(s->scripts_timer, qemu_clock_get_us(QEMU_CLOCK_VIRTUAL) + 500);
 }
 static void lsi_execute_script(LSIState *s)
 {
    PCIDevice *pci_dev = PCI_DEVICE(s);
@ -1136,6 +1153,11 @@ static void lsi_execute_script(LSIState *s)
    int insn_processed = 0;
    static int reentrancy_level;
    if (s->waiting == LSI_WAIT_SCRIPTS) {
        timer_del(s->scripts_timer);
        s->waiting = LSI_NOWAIT;
    }
    reentrancy_level++;
    s->istat1 |= LSI_ISTAT1_SRUN;
@ -1143,8 +1165,8 @@ again:
    /*
     * Some windows drivers make the device spin waiting for a memory location
     * to change. If we have executed more than LSI_MAX_INSN instructions then
-     * assume this is the case and force an unexpected device disconnect. This
+     * assume this is the case and start a timer. Until the timer fires, the
-     * is apparently sufficient to beat the drivers into submission.
+     * host CPU has a chance to run and change the memory location.
     *
     * Another issue (CVE-2023-0330) can occur if the script is programmed to
     * trigger itself again and again. Avoid this problem by stopping after
@ -1152,13 +1174,8 @@ again:
     * which should be enough for all valid use cases).
     */
    if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
-        if (!(s->sien0 & LSI_SIST0_UDC)) {
+        s->waiting = LSI_WAIT_SCRIPTS;
-            qemu_log_mask(LOG_GUEST_ERROR,
+        lsi_scripts_timer_start(s);
                          "lsi_scsi: inf. loop with UDC masked");
        }
        lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
        lsi_disconnect(s);
        trace_lsi_execute_script_stop();
        reentrancy_level--;
        return;
    }
@ -2197,6 +2214,9 @@ static int lsi_post_load(void *opaque, int version_id)
        return -EINVAL;
    }
    if (s->waiting == LSI_WAIT_SCRIPTS) {
        lsi_scripts_timer_start(s);
    }
    return 0;
 }
@ -2294,6 +2314,15 @@ static const struct SCSIBusInfo lsi_scsi_info = {
    .cancel = lsi_request_cancelled
 };
 static void scripts_timer_cb(void *opaque)
 {
    LSIState *s = opaque;
    trace_lsi_scripts_timer_triggered();
    s->waiting = LSI_NOWAIT;
    lsi_execute_script(s);
 }
 static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
 {
    LSIState *s = LSI53C895A(dev);
@ -2313,6 +2342,7 @@ static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
                          "lsi-ram", 0x2000);
    memory_region_init_io(&s->io_io, OBJECT(s), &lsi_io_ops, s,
                          "lsi-io", 256);
    s->scripts_timer = timer_new_us(QEMU_CLOCK_VIRTUAL, scripts_timer_cb, s);
    /*
     * Since we use the address-space API to interact with ram_io, disable the
@ -2337,6 +2367,7 @@ static void lsi_scsi_exit(PCIDevice *dev)
    LSIState *s = LSI53C895A(dev);
    address_space_destroy(&s->pci_io_as);
    timer_del(s->scripts_timer);
 }
 static void lsi_class_init(ObjectClass *klass, void *data)
--- a/hw/scsi/trace-events
+++ b/hw/scsi/trace-events
@ -302,6 +302,8 @@ lsi_execute_script_stop(void) "SCRIPTS execution stopped"
 lsi_awoken(void) "Woken by SIGP"
 lsi_reg_read(const char *name, int offset, uint8_t ret) "Read reg %s 0x%x = 0x%02x"
 lsi_reg_write(const char *name, int offset, uint8_t val) "Write reg %s 0x%x = 0x%02x"
 lsi_scripts_timer_triggered(void) "SCRIPTS timer triggered"
 lsi_scripts_timer_start(void) "SCRIPTS timer started"
 # virtio-scsi.c
 virtio_scsi_cmd_req(int lun, uint32_t tag, uint8_t cmd) "virtio_scsi_cmd_req lun=%u tag=0x%x cmd=0x%x"
--- a/meson.build
+++ b/meson.build
@ -476,11 +476,6 @@ if host_os == 'windows'
  qemu_ldflags += cc.get_supported_link_arguments('-Wl,--dynamicbase', '-Wl,--high-entropy-va')
 endif
 # Exclude --warn-common with TSan to suppress warnings from the TSan libraries.
 if host_os != 'sunos' and not get_option('tsan')
  qemu_ldflags += cc.get_supported_link_arguments('-Wl,--warn-common')
 endif
 if get_option('fuzzing')
  # Specify a filter to only instrument code that is directly related to
  # virtual-devices.
--- a/scripts/coverity-scan/run-coverity-scan
+++ b/scripts/coverity-scan/run-coverity-scan
@ -28,6 +28,7 @@
 # project settings, if you have maintainer access there.
 # Command line options:
 #   --check-upload-only : return success if upload is possible
 #   --dry-run : run the tools, but don't actually do the upload
 #   --docker : create and work inside a container
 #   --docker-engine : specify the container engine to use (docker/podman/auto);
@ -57,18 +58,18 @@
 # putting it in a file and using --tokenfile. Everything else has
 # a reasonable default if this is run from a git tree.
-check_upload_permissions() {
+upload_permitted() {
-    # Check whether we can do an upload to the server; will exit the script
+    # Check whether we can do an upload to the server; will exit *the script*
-    # with status 1 if the check failed (usually a bad token);
+    # with status 99 if the check failed (usually a bad token);
-    # will exit the script with status 0 if the check indicated that we
+    # will return from the function with status 1 if the check indicated
-    # can't upload yet (ie we are at quota)
+    # that we can't upload yet (ie we are at quota)
-    # Assumes that COVERITY_TOKEN, PROJNAME and DRYRUN have been initialized.
+    # Assumes that COVERITY_TOKEN and PROJNAME have been initialized.
    echo "Checking upload permissions..."
    if ! up_perm="$(wget https://scan.coverity.com/api/upload_permitted --post-data "token=$COVERITY_TOKEN&project=$PROJNAME" -q -O -)"; then
        echo "Coverity Scan API access denied: bad token?"
-        exit 1
+        exit 99
    fi
    # Really up_perm is a JSON response with either
@ -76,25 +77,40 @@ check_upload_permissions() {
    # We do some hacky string parsing instead of properly parsing it.
    case "$up_perm" in
        *upload_permitted*true*)
-            echo "Coverity Scan: upload permitted"
+            return 0
            ;;
        *next_upload_permitted_at*)
-            if [ "$DRYRUN" = yes ]; then
+            return 1
                echo "Coverity Scan: upload quota reached, continuing dry run"
            else
                echo "Coverity Scan: upload quota reached; stopping here"
                # Exit success as this isn't a build error.
                exit 0
            fi
            ;;
        *)
            echo "Coverity Scan upload check: unexpected result $up_perm"
-            exit 1
+            exit 99
            ;;
    esac
 }
 check_upload_permissions() {
    # Check whether we can do an upload to the server; will exit the script
    # with status 99 if the check failed (usually a bad token);
    # will exit the script with status 0 if the check indicated that we
    # can't upload yet (ie we are at quota)
    # Assumes that COVERITY_TOKEN, PROJNAME and DRYRUN have been initialized.
    if upload_permitted; then
        echo "Coverity Scan: upload permitted"
    else
        if [ "$DRYRUN" = yes ]; then
            echo "Coverity Scan: upload quota reached, continuing dry run"
        else
            echo "Coverity Scan: upload quota reached; stopping here"
            # Exit success as this isn't a build error.
            exit 0
        fi
    fi
 }
 build_docker_image() {
    # build docker container including the coverity-scan tools
    echo "Building docker container..."
@ -152,9 +168,14 @@ update_coverity_tools () {
 DRYRUN=no
 UPDATE=yes
 DOCKER=no
 PROJNAME=QEMU
 while [ "$#" -ge 1 ]; do
    case "$1" in
        --check-upload-only)
            shift
            DRYRUN=check
            ;;
        --dry-run)
            shift
            DRYRUN=yes
@ -251,6 +272,11 @@ if [ -z "$COVERITY_TOKEN" ]; then
    exit 1
 fi
 if [ "$DRYRUN" = check ]; then
    upload_permitted
    exit $?
 fi
 if [ -z "$COVERITY_BUILD_CMD" ]; then
    NPROC=$(nproc)
    COVERITY_BUILD_CMD="make -j$NPROC"
@ -266,7 +292,6 @@ if [ -z "$SRCDIR" ]; then
    SRCDIR="$PWD"
 fi
 PROJNAME=QEMU
 TARBALL=cov-int.tar.xz
 if [ "$UPDATE" = only ]; then
--- a/system/qdev-monitor.c
+++ b/system/qdev-monitor.c
@ -858,19 +858,18 @@ void qmp_device_add(QDict *qdict, QObject **ret_data, Error **errp)
        return;
    }
    dev = qdev_device_add(opts, errp);
    /*
     * Drain all pending RCU callbacks. This is done because
     * some bus related operations can delay a device removal
     * (in this case this can happen if device is added and then
     * removed due to a configuration error)
     * to a RCU callback, but user might expect that this interface
     * will finish its job completely once qmp command returns result
     * to the user
     */
    drain_call_rcu();
    if (!dev) {
        /*
         * Drain all pending RCU callbacks. This is done because
         * some bus related operations can delay a device removal
         * (in this case this can happen if device is added and then
         * removed due to a configuration error)
         * to a RCU callback, but user might expect that this interface
         * will finish its job completely once qmp command returns result
         * to the user
         */
        drain_call_rcu();
        qemu_opts_del(opts);
        return;
    }
--- a/util/oslib-posix.c
+++ b/util/oslib-posix.c
@ -467,11 +467,13 @@ static int touch_all_pages(char *area, size_t hpagesize, size_t numpages,
         * preallocating synchronously.
         */
        if (context->num_threads == 1 && !async) {
            ret = 0;
            if (qemu_madvise(area, hpagesize * numpages,
                             QEMU_MADV_POPULATE_WRITE)) {
-                return -errno;
+                ret = -errno;
            }
-            return 0;
+            g_free(context);
            return ret;
        }
        touch_fn = do_madv_populate_write_pages;
    } else {