* [Qemu-devel] [PATCH] hw/usb/redirect.c: crash in QOM cleanup
@ 2013-07-28 15:47 Martin Cerveny
2013-07-31 9:21 ` Gerd Hoffmann
0 siblings, 1 reply; 2+ messages in thread
From: Martin Cerveny @ 2013-07-28 15:47 UTC (permalink / raw)
To: qemu-devel; +Cc: Gerd Hoffmann
Hello.
Qemu crashes during remote usb device removal.
The associated chardev is destroyed by "qemu_chr_delete()" in
"usbredir_handle_destroy()" but the pointer is not
cleared. QOM cleanup is using a pointer to previously freed
memory.
Example cmds:
chardev-add socket,id=usbredirchardev1,port=4000,host=192.168.1.166
device_add usb-redir,chardev=usbredirchardev1,id=usbredirdev1,bus=ehci.0,debug=4
device_del usbredirdev1
core_backtrace:
0x2693a2 qemu_chr_add_handlers - -
0x1366bf release_chr - -
0x2808d8 object_property_del_all - -
0x280b35 object_finalize - -
0x281654 object_unref - -
0x280a4b object_unparent - -
0x13ad93 qdev_free - -
0x13acde qdev_simple_unplug_cb - -
0x13aac8 qdev_unplug - -
0x268b56 qmp_device_del - -
....
Signed-off-by: Martin Cerveny <M.Cerveny@computer.org>
---
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index a594e95..1c62263 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
qemu_chr_delete(dev->cs);
+ dev->cs = NULL;
/* Note must be done after qemu_chr_close, as that causes a close
event */
qemu_bh_delete(dev->chardev_close_bh);
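Review bot: clearing `dev->cs` right after `qemu_chr_delete(dev->cs);` only helps if the later QOM property release treats NULL as "nothing attached", and nothing in this hunk shows that it does. The backtrace in the commit message goes from release_chr into qemu_chr_add_handlers, so please confirm that release_chr skips the call when the pointer is NULL and state that in the commit message. A one-line comment above `dev->cs = NULL;` saying that property cleanup runs after this handler would keep the assignment from being dropped as redundant later.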
---
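The teardown order from the backtrace above, modelled as an added example (not code from the patch or from QEMU): a destroy handler deletes the backend, then a property release step runs on the same device. Backend, Device and every function name here are hypothetical stand-ins, and a static pool with a live flag replaces a real free() so the stale access is reported rather than executed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins: not QEMU's types or functions. */
typedef struct Backend { bool live; int handlers; } Backend;
typedef struct Device  { Backend *cs; } Device;

static Backend pool[2];   /* static pool, so a stale pointer stays inspectable */

static Backend *backend_new(int slot) {
    pool[slot].live = true;
    pool[slot].handlers = 1;
    return &pool[slot];
}

/* Models the delete call: after this the object must not be touched. */
static void backend_delete(Backend *b) { b->live = false; }

/* Models the property release step that runs later during object teardown.
 * Returns 0 if nothing unsafe happened, -1 where real code would have
 * dereferenced freed memory. */
static int property_release(Device *d) {
    if (d->cs == NULL) {
        return 0;             /* nothing attached, nothing to do */
    }
    if (!d->cs->live) {
        return -1;            /* stale pointer: use-after-free in real code */
    }
    d->cs->handlers = 0;      /* detach handlers from a live backend */
    return 0;
}

/* Destroy handler without the fix: the pointer is left dangling. */
static void destroy_unpatched(Device *d) { backend_delete(d->cs); }

/* Destroy handler with the fix from the patch: clear the pointer. */
static void destroy_patched(Device *d) { backend_delete(d->cs); d->cs = NULL; }

/* Runs destroy, then property release: the order seen in the backtrace. */
static int teardown(int slot, bool patched) {
    Device d = { .cs = backend_new(slot) };
    if (patched) destroy_patched(&d); else destroy_unpatched(&d);
    return property_release(&d);
}

int main(void) {
    printf("unpatched: %d\n", teardown(0, false));
    printf("patched:   %d\n", teardown(1, true));
    return 0;
}
```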
* Re: [Qemu-devel] [PATCH] hw/usb/redirect.c: crash in QOM cleanup
From: Gerd Hoffmann @ 2013-07-31 9:21 UTC (permalink / raw)
To: Martin Cerveny; +Cc: qemu-devel, Martin Cerveny
Hi,
> diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
> index a594e95..1c62263 100644
> --- a/hw/usb/redirect.c
> +++ b/hw/usb/redirect.c
> @@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
> USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
>
> qemu_chr_delete(dev->cs);
> + dev->cs = NULL;
> /* Note must be done after qemu_chr_close, as that causes a close
> event */
> qemu_bh_delete(dev->chardev_close_bh);
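Review bot: the context comment directly below the new `dev->cs = NULL;` line still names qemu_chr_close while the call above it is qemu_chr_delete, and the assignment now sits between that call and the comment describing the ordering against it. Since this hunk touches that spot, consider updating the comment to name qemu_chr_delete and adding a blank line after the assignment, so the ordering constraint on qemu_bh_delete stays readable.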
Patch doesn't apply, probably because it is whitespace-mangled. Redid
it. Please use 'git send-email' to send patches in the future, it is
more robust.
cheers,
Gerd