
[Qemu-devel] [PATCH] hw/usb/redirect.c: crash in QOM cleanup


From: Martin Cerveny
Subject: [Qemu-devel] [PATCH] hw/usb/redirect.c: crash in QOM cleanup
Date: Sun, 28 Jul 2013 17:47:37 +0200 (CEST)
User-agent: Alpine 2.00 (GSO 1167 2008-08-23)

Hello.

Qemu crashes during remote usb device removal.
The associated chardev is destroyed by "qemu_chr_delete()" in "usbredir_handle_destroy()", but the pointer is not cleared. QOM cleanup then uses a pointer to previously freed memory.

Example cmds:

chardev-add socket,id=usbredirchardev1,port=4000,host=192.168.1.166
device_add usb-redir,chardev=usbredirchardev1,id=usbredirdev1,bus=ehci.0,debug=4
device_del usbredirdev1

core_backtrace:

0x2693a2 qemu_chr_add_handlers - -
0x1366bf release_chr - -
0x2808d8 object_property_del_all - -
0x280b35 object_finalize - -
0x281654 object_unref - -
0x280a4b object_unparent - -
0x13ad93 qdev_free - -
0x13acde qdev_simple_unplug_cb - -
0x13aac8 qdev_unplug - -
0x268b56 qmp_device_del - -
....

Signed-off-by: Martin Cerveny <address@hidden>
---
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index a594e95..1c62263 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
     USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);

     qemu_chr_delete(dev->cs);
+    dev->cs = NULL;
/* Note must be done after qemu_chr_close, as that causes a close event */
     qemu_bh_delete(dev->chardev_close_bh);

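Review bot: the NULL assignment after qemu_chr_delete() stops the QOM path from reaching freed memory, but it only helps if release_chr (the caller of qemu_chr_add_handlers in the backtrace) checks dev->cs for NULL before dereferencing it; please confirm that check exists, otherwise the use-after-free becomes a NULL dereference in the same place. Two smaller points: the comment on the following line still says "after qemu_chr_close" while the code calls qemu_chr_delete, so it should be updated to match, and the comment line appears without its indentation in the hunk as posted.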
---
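The failure the mail describes is a two-stage cleanup where the first stage frees an object and the second stage still reaches it through a stale pointer. The block below is an added illustration, not the patch or QEMU's own code: the types are constructed stand-ins for CharDriverState and USBRedirDevice, and release_chr() is a hypothetical analog of the QOM property release step named in the backtrace. It shows the patched pattern (clear the owner's pointer right after deleting) together with the NULL check the later stage needs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a chardev (the real QEMU type is CharDriverState). */
typedef struct CharDev {
    char id[32];
    int handlers_attached;
} CharDev;

/* Constructed stand-in for USBRedirDevice: only the chardev pointer matters here. */
typedef struct RedirDevice {
    CharDev *cs;
    int destroy_calls;
} RedirDevice;

static CharDev *chardev_new(const char *id)
{
    CharDev *c = calloc(1, sizeof *c);
    if (c == NULL) {
        return NULL;
    }
    snprintf(c->id, sizeof c->id, "%s", id);
    c->handlers_attached = 1;
    return c;
}

static void chardev_delete(CharDev *c)
{
    free(c);
}

/* Mirrors the patched usbredir_handle_destroy(): delete the chardev, then clear
 * the owner's pointer so no later cleanup stage can reach the freed memory.
 * Without the assignment, dev->cs would dangle (the bug in the mail). */
static void device_destroy(RedirDevice *d)
{
    chardev_delete(d->cs);
    d->cs = NULL;
    d->destroy_calls++;
}

/* Hypothetical analog of the QOM property release (release_chr in the backtrace).
 * It must tolerate a NULL pointer because the device-level destroy runs first.
 * Returns 1 if it detached handlers, 0 if there was nothing left to release. */
static int release_chr(RedirDevice *d)
{
    if (d->cs == NULL) {
        return 0;
    }
    d->cs->handlers_attached = 0;
    return 1;
}

/* Replays the device_del sequence from the mail on a constructed device:
 * destroy, then QOM release. Returns 0 only on the safe path (pointer cleared,
 * release became a no-op), non-zero if an invariant failed. */
static int demo_unplug(void)
{
    RedirDevice d;
    memset(&d, 0, sizeof d);
    d.cs = chardev_new("usbredirchardev1");   /* constructed id, as in the mail */
    if (d.cs == NULL) {
        return 1;
    }
    device_destroy(&d);
    if (d.cs != NULL || d.destroy_calls != 1) {
        return 2;
    }
    return release_chr(&d);   /* 0: the cleared pointer makes the release a no-op */
}

int main(void)
{
    printf("unplug sequence result: %d\n", demo_unplug());
    return 0;
}
```

The point of the pair is that both halves are needed: clearing the pointer in the destroy path removes the dangling reference, and the NULL check in the release path turns the later stage into a no-op instead of a crash.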