[Qemu-devel] [PATCH] hw/usb/redirect.c: crash in QOM cleanup
From: Martin Cerveny
Subject: [Qemu-devel] [PATCH] hw/usb/redirect.c: crash in QOM cleanup
Date: Sun, 28 Jul 2013 17:47:37 +0200 (CEST)
User-agent: Alpine 2.00 (GSO 1167 2008-08-23)
Hello.
Qemu crashes during remote usb device removal.
The associated chardev is destroyed by "qemu_chr_delete()" in
"usbredir_handle_destroy()", but the pointer is not cleared.
QOM cleanup is using a pointer to previously freed memory.
Example cmds:
chardev-add socket,id=usbredirchardev1,port=4000,host=192.168.1.166
device_add usb-redir,chardev=usbredirchardev1,id=usbredirdev1,bus=ehci.0,debug=4
device_del usbredirdev1
core_backtrace:
0x2693a2 qemu_chr_add_handlers - -
0x1366bf release_chr - -
0x2808d8 object_property_del_all - -
0x280b35 object_finalize - -
0x281654 object_unref - -
0x280a4b object_unparent - -
0x13ad93 qdev_free - -
0x13acde qdev_simple_unplug_cb - -
0x13aac8 qdev_unplug - -
0x268b56 qmp_device_del - -
....
Signed-off-by: Martin Cerveny <address@hidden>
---
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index a594e95..1c62263 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
qemu_chr_delete(dev->cs);
+ dev->cs = NULL;
/* Note must be done after qemu_chr_close, as that causes a close
event */
qemu_bh_delete(dev->chardev_close_bh);
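Review bot: The added "dev->cs = NULL;" after "qemu_chr_delete(dev->cs);" only removes the crash if the property release path shown in the backtrace ("release_chr" calling "qemu_chr_add_handlers") skips a NULL chardev pointer. Please confirm that and state it in the commit message, which currently only says the pointer is left dangling. The context comment directly below the new line still refers to "qemu_chr_close" while the code calls "qemu_chr_delete", so it is worth correcting in the same patch. It would also help to note whether anything else can read dev->cs between this destroy handler and object finalization, since those readers now see NULL instead of a stale pointer.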