From: Markus Armbruster <armbru@redhat.com>
To: "Marc-André Lureau" <marcandre.lureau@redhat.com>
Cc: qemu-devel@nongnu.org
Subject: Re: [PATCH] ui/console: remove console from global list on finalization
Date: Thu, 23 Apr 2026 08:59:44 +0200 [thread overview]
Message-ID: <87y0ieqhzz.fsf@pond.sub.org> (raw)
In-Reply-To: <CAMxuvaxCkJ7PeMxOXqDXPvWRdTst93ufwEOA8hqd40XKVCWGJA@mail.gmail.com> ("Marc-André Lureau"'s message of "Thu, 23 Apr 2026 10:28:00 +0400")
Marc-André Lureau <marcandre.lureau@redhat.com> writes:
> Hi
>
> On Thu, Apr 23, 2026 at 9:02 AM Markus Armbruster <armbru@redhat.com> wrote:
>>
>> marcandre.lureau@redhat.com writes:
>>
>> > From: Marc-André Lureau <marcandre.lureau@redhat.com>
>> >
>> > This commit removes the QemuConsole from the global "consoles" list when
>> > it is finalized.
>> >
>> > Previously, there was a TODO comment indicating this path needed
>> > checking. The assertions added ensure that `dcls`, `gl_block`, and the
>> > `dump_queue` are empty before removal, confirming the console is in a
>> > clean state.
>> >
>> > Fix potential use-after-free crashes when a display console is removed.
>> >
>> > Reported-by: Markus Armbruster <armbru@redhat.com>
>> > Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
>> > ---
>> > ui/console.c | 5 ++++-
>> > 1 file changed, 4 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/ui/console.c b/ui/console.c
>> > index f445db11389..b64e2122f34 100644
>> > --- a/ui/console.c
>> > +++ b/ui/console.c
>> > @@ -394,10 +394,13 @@ qemu_console_finalize(Object *obj)
>> > {
>> > QemuConsole *c = QEMU_CONSOLE(obj);
>> >
>> > - /* TODO: check this code path, and unregister from consoles */
>> > + assert(c->dcls == 0);
>> > + assert(c->gl_block == 0);
>> > + assert(qemu_co_queue_empty(&c->dump_queue));
>>
>> Help me out: what ensures this?
>
> - No display change listener left
> - No GL lock left
> - No pending screendump
Yes, but what ensures none of these are left / pending by the time we
finalize?
>> > g_clear_pointer(&c->surface, qemu_free_displaysurface);
>> > g_clear_pointer(&c->gl_unblock_timer, timer_free);
>> > g_clear_pointer(&c->ui_timer, timer_free);
>> > + QTAILQ_REMOVE(&consoles, c, next);
>>
>> Is @consoles only accessed from the main thread?
>
> Yes, the UI code is main thread only.
Good, thanks!
next prev parent reply other threads:[~2026-04-23 7:00 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-22 20:26 [PATCH] ui/console: remove console from global list on finalization marcandre.lureau
2026-04-23 5:02 ` Markus Armbruster
2026-04-23 6:28 ` Marc-André Lureau
2026-04-23 6:59 ` Markus Armbruster [this message]
2026-04-23 8:02 ` Marc-André Lureau
2026-04-23 10:57 ` Markus Armbruster
2026-04-27 8:13 ` Marc-André Lureau
2026-04-24 6:50 ` Markus Armbruster
2026-04-27 8:17 ` Marc-André Lureau
2026-04-27 9:20 ` Markus Armbruster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y0ieqhzz.fsf@pond.sub.org \
--to=armbru@redhat.com \
--cc=marcandre.lureau@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.