On 06/07/2016 08:19 AM, Daniel P. Berrange wrote:
> The QTask struct is just a standalone struct, not a QOM Object,
> so calling object_ref() on it is not appropriate. This results
> in mangling the 'destroy' field in the QTask struct, causing
> the later call to qtask_free() to try to call the function
> at address 0x1, with predictably segfault happy results.
> 
> There is in fact no need for ref counting with QTask, as the
> call to qtask_abort() or qtask_complete() will automatically
> free associated memory.
> 
> This fixes the crash shown in
> 
>   https://bugs.launchpad.net/qemu/+bug/1589923
> 
> Reported-by: Ben Aitchison <ben@meh.net.nz>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> ---
>  io/channel-websock.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 

Reviewed-by: Eric Blake <eblake@redhat.com>

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org