From: | Gerd Hoffmann |
Subject: | Re: [Qemu-devel] [PATCH 17/18] usb: move cancel callback to USBDeviceInfo |
Date: | Mon, 23 May 2011 16:34:27 +0200 |
User-agent: | Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110419 Red Hat/3.1.10-1.el6_0 Thunderbird/3.1.10 |
Hi,
> The problem is that the USBDevice lifetime may be shorter than the USBPacket lifetime. USBPackets are created by uhci.c (for example), whereas the device is managed from the monitor (for example): doing a usb_del in the monitor using the guest bus:addr will call usb_device_delete_addr, which will call qdev_free. At this time the USBDevice struct is gone, and at a later time the uhci code will cancel any still outstanding async packets, whose owner pointer will now point to freed memory.
Good spotting, this is indeed an issue which needs fixing. It isn't introduced by this patch though, it exists even without the usb patch queue.
usb-msd.c passes a USBDevice pointer directly as opaque. The usb-linux.c callback function assumes it can dereference aurb->hdev just fine. Both will hit freed memory in case the device is unplugged while an async packet is in flight.
cheers, Gerd
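The lifetime mismatch discussed above, as an added illustrative model (this is example code written for this page, not QEMU's usb.h, uhci.c, usb-msd.c or usb-linux.c; every struct, function and field name below is a stand-in). The device keeps a list of the async packets it currently owns; the host-controller cancel path refuses to dereference a packet whose owner is already NULL; and the device teardown path (the analogue of the qdev_free call in the report) cancels every in-flight packet before freeing the device, so no packet is left holding a dangling owner pointer.

```c
/* Illustrative model of the USBDevice / USBPacket lifetime problem and one
 * way to close it. Not QEMU code: all names here are stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum pkt_state { PKT_IDLE, PKT_ASYNC, PKT_CANCELLED };

struct usb_device;

struct usb_packet {
    int id;
    enum pkt_state state;
    struct usb_device *owner;   /* device that owns this in-flight packet */
    struct usb_packet *next;    /* link in the owner's in-flight list */
};

struct usb_device {
    const char *name;
    struct usb_packet *inflight;                                  /* packets handed to the device */
    void (*cancel)(struct usb_device *dev, struct usb_packet *p); /* device-side cancel hook */
};

/* Device-side cancel; a real device would tear down host URBs, SCSI requests etc. */
static void demo_cancel(struct usb_device *dev, struct usb_packet *p)
{
    printf("%s: cancelling packet %d\n", dev->name, p->id);
}

struct usb_device *usb_device_new(const char *name)
{
    struct usb_device *dev = calloc(1, sizeof(*dev));
    if (!dev)
        abort();
    dev->name = name;
    dev->cancel = demo_cancel;
    return dev;
}

/* Host controller hands a packet to the device, which records it as in flight. */
void usb_packet_submit_async(struct usb_device *dev, struct usb_packet *p)
{
    p->owner = dev;
    p->state = PKT_ASYNC;
    p->next = dev->inflight;
    dev->inflight = p;
}

static void inflight_unlink(struct usb_device *dev, struct usb_packet *p)
{
    struct usb_packet **pp;
    for (pp = &dev->inflight; *pp; pp = &(*pp)->next) {
        if (*pp == p) {
            *pp = p->next;
            break;
        }
    }
    p->next = NULL;
}

/* Cancel path used by the host controller (the uhci.c side in the report).
 * Returns true if a device-side cancel actually ran. A packet whose owner is
 * already NULL was cancelled during device removal, so this is a no-op rather
 * than a dereference of freed memory. */
bool usb_packet_cancel(struct usb_packet *p)
{
    struct usb_device *dev = p->owner;
    if (p->state != PKT_ASYNC || dev == NULL)
        return false;
    inflight_unlink(dev, p);
    dev->cancel(dev, p);
    p->owner = NULL;
    p->state = PKT_CANCELLED;
    return true;
}

/* The fix: device teardown (the qdev_free path) cancels every in-flight packet
 * before the struct is freed, so no packet keeps a pointer to dead memory.
 * Returns the number of packets that had to be cancelled. */
int usb_device_free(struct usb_device *dev)
{
    int n = 0;
    while (dev->inflight) {
        usb_packet_cancel(dev->inflight);
        n++;
    }
    free(dev);
    return n;
}

int main(void)
{
    struct usb_device *dev = usb_device_new("usb-storage");
    struct usb_packet p1 = { .id = 1 }, p2 = { .id = 2 };
    usb_packet_submit_async(dev, &p1);
    usb_packet_submit_async(dev, &p2);
    int n = usb_device_free(dev);   /* "usb_del" while both packets are in flight */
    printf("cancelled %d packets at unplug; late cancel from the host controller is a no-op: %s\n",
           n, usb_packet_cancel(&p1) ? "no" : "yes");
    return 0;
}
```

The ordering is the whole point: the device must cancel (and thereby disown) its packets before it is freed, and the host controller's late cancel must check the owner pointer rather than trust it. Either half alone still leaves a window where the packet's owner points at freed memory.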