From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:47013)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ppandit@redhat.com>) id 1c9UUE-0006un-Sy
	for qemu-devel@nongnu.org; Wed, 23 Nov 2016 05:09:07 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ppandit@redhat.com>) id 1c9UUB-0004JL-OO
	for qemu-devel@nongnu.org; Wed, 23 Nov 2016 05:09:06 -0500
Received: from mx1.redhat.com ([209.132.183.28]:46582)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <ppandit@redhat.com>) id 1c9UUB-0004J7-Ij
	for qemu-devel@nongnu.org; Wed, 23 Nov 2016 05:09:03 -0500
From: P J P <ppandit@redhat.com>
Date: Wed, 23 Nov 2016 15:38:55 +0530
Message-Id: <1479895735-5539-1-git-send-email-ppandit@redhat.com>
Subject: [Qemu-devel] [PATCH v2] audio: es1370: unregister reset call on exit
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Qemu Developers <qemu-devel@nongnu.org>
Cc: Gerd Hoffmann <kraxel@redhat.com>, Huawei PSIRT <PSIRT@huawei.com>, Prasad J Pandit <pjp@fedoraproject.org>

From: Prasad J Pandit <pjp@fedoraproject.org>

ES1370 audio device emulator registers a device reset call with
Qemu during initialisation. But the same is not unregistered when
audio device is unplugged. This leads to a use-after-free error
during reboot, as Qemu resets the machine. Add 'es1370_exit'
PCIDeviceClass method to unregister reset call.

Reported-by: Huawei PSIRT <PSIRT@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/audio/es1370.c | 7 +++++++
 1 file changed, 7 insertions(+)

Update: remove space between function name and parenthesis
  -> https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg04257.html

diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
index 8449b5f..97f6f41 100644
--- a/hw/audio/es1370.c
+++ b/hw/audio/es1370.c
@@ -1047,12 +1047,19 @@ static int es1370_init (PCIBus *bus)
     return 0;
 }
 
+static void es1370_exit(PCIDevice *dev)
+{
+    ES1370State *s = ES1370(dev);
+    qemu_unregister_reset(es1370_on_reset, s);
+}
+
 static void es1370_class_init (ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS (klass);
     PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
 
     k->realize = es1370_realize;
+    k->exit = es1370_exit;
     k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
     k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
     k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
-- 
2.7.4