[Qemu-devel] [PATCH] msmouse: Fix segfault caused by free the chr before chardev cleanup.

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH] msmouse: Fix segfault caused by free the chr before chardev cleanup.
@ 2016-09-15 14:31 Lin Ma
  2016-09-15 14:59 ` Marc-André Lureau
  2016-09-15 16:52 ` Paolo Bonzini
  0 siblings, 2 replies; 3+ messages in thread
From: Lin Ma @ 2016-09-15 14:31 UTC (permalink / raw)
  To: qemu-devel, pbonzini; +Cc: marcandre.lureau

Segfault happens when leaving qemu with msmouse backend:

 #0  0x00007fa8526ac975 in raise () at /lib64/libc.so.6
 #1  0x00007fa8526add8a in abort () at /lib64/libc.so.6
 #2  0x0000558be78846ab in error_exit (err=16, msg=0x558be799da10 ...
 #3  0x0000558be7884717 in qemu_mutex_destroy (mutex=0x558be93be750) at ...
 #4  0x0000558be7549951 in qemu_chr_free_common (chr=0x558be93be750) at ...
 #5  0x0000558be754999c in qemu_chr_free (chr=0x558be93be750) at ...
 #6  0x0000558be7549a20 in qemu_chr_delete (chr=0x558be93be750) at ...
 #7  0x0000558be754a8ef in qemu_chr_cleanup () at qemu-char.c:4643
 #8  0x0000558be755843e in main (argc=5, argv=0x7ffe925d7118, ...

The chr was freed by msmouse close callback before chardev cleanup,
Then qemu_mutex_destroy triggered raise().

Because freeing chr is handled by qemu_chr_free_common, Remove the free from
msmouse_chr_close to avoid double free.

Signed-off-by: Lin Ma <lma@suse.com>
---
 backends/msmouse.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/backends/msmouse.c b/backends/msmouse.c
index aeb9055..7690c42 100644
--- a/backends/msmouse.c
+++ b/backends/msmouse.c
@@ -139,7 +139,6 @@ static void msmouse_chr_close (struct CharDriverState *chr)
 
     qemu_input_handler_unregister(mouse->hs);
     g_free(mouse);
-    g_free(chr);
 }
 
 static QemuInputHandler msmouse_handler = {
-- 
2.9.2

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [Qemu-devel] [PATCH] msmouse: Fix segfault caused by free the chr before chardev cleanup.
  2016-09-15 14:31 [Qemu-devel] [PATCH] msmouse: Fix segfault caused by free the chr before chardev cleanup Lin Ma
@ 2016-09-15 14:59 ` Marc-André Lureau
  2016-09-15 16:52 ` Paolo Bonzini
  1 sibling, 0 replies; 3+ messages in thread
From: Marc-André Lureau @ 2016-09-15 14:59 UTC (permalink / raw)
  To: Lin Ma; +Cc: qemu-devel, pbonzini, marcandre lureau

Hi

----- Original Message -----
> Segfault happens when leaving qemu with msmouse backend:
> 
>  #0  0x00007fa8526ac975 in raise () at /lib64/libc.so.6
>  #1  0x00007fa8526add8a in abort () at /lib64/libc.so.6
>  #2  0x0000558be78846ab in error_exit (err=16, msg=0x558be799da10 ...
>  #3  0x0000558be7884717 in qemu_mutex_destroy (mutex=0x558be93be750) at ...
>  #4  0x0000558be7549951 in qemu_chr_free_common (chr=0x558be93be750) at ...
>  #5  0x0000558be754999c in qemu_chr_free (chr=0x558be93be750) at ...
>  #6  0x0000558be7549a20 in qemu_chr_delete (chr=0x558be93be750) at ...
>  #7  0x0000558be754a8ef in qemu_chr_cleanup () at qemu-char.c:4643
>  #8  0x0000558be755843e in main (argc=5, argv=0x7ffe925d7118, ...
> 
> The chr was freed by msmouse close callback before chardev cleanup,
> Then qemu_mutex_destroy triggered raise().
> 
> Because freeing chr is handled by qemu_chr_free_common, Remove the free from
> msmouse_chr_close to avoid double free.
> 
> Signed-off-by: Lin Ma <lma@suse.com>

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

> ---
>  backends/msmouse.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/backends/msmouse.c b/backends/msmouse.c
> index aeb9055..7690c42 100644
> --- a/backends/msmouse.c
> +++ b/backends/msmouse.c
> @@ -139,7 +139,6 @@ static void msmouse_chr_close (struct CharDriverState
> *chr)
>  
>      qemu_input_handler_unregister(mouse->hs);
>      g_free(mouse);
> -    g_free(chr);
>  }

Ooch, chr_close is not supposed to free chr! There might be other cases where memory corruption could occur.
 
>  
>  static QemuInputHandler msmouse_handler = {
> --
> 2.9.2
> 
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [Qemu-devel] [PATCH] msmouse: Fix segfault caused by free the chr before chardev cleanup.
  2016-09-15 14:31 [Qemu-devel] [PATCH] msmouse: Fix segfault caused by free the chr before chardev cleanup Lin Ma
  2016-09-15 14:59 ` Marc-André Lureau
@ 2016-09-15 16:52 ` Paolo Bonzini
  1 sibling, 0 replies; 3+ messages in thread
From: Paolo Bonzini @ 2016-09-15 16:52 UTC (permalink / raw)
  To: Lin Ma, qemu-devel; +Cc: marcandre.lureau, qemu-stable



On 15/09/2016 16:31, Lin Ma wrote:
> Segfault happens when leaving qemu with msmouse backend:
> 
>  #0  0x00007fa8526ac975 in raise () at /lib64/libc.so.6
>  #1  0x00007fa8526add8a in abort () at /lib64/libc.so.6
>  #2  0x0000558be78846ab in error_exit (err=16, msg=0x558be799da10 ...
>  #3  0x0000558be7884717 in qemu_mutex_destroy (mutex=0x558be93be750) at ...
>  #4  0x0000558be7549951 in qemu_chr_free_common (chr=0x558be93be750) at ...
>  #5  0x0000558be754999c in qemu_chr_free (chr=0x558be93be750) at ...
>  #6  0x0000558be7549a20 in qemu_chr_delete (chr=0x558be93be750) at ...
>  #7  0x0000558be754a8ef in qemu_chr_cleanup () at qemu-char.c:4643
>  #8  0x0000558be755843e in main (argc=5, argv=0x7ffe925d7118, ...
> 
> The chr was freed by msmouse close callback before chardev cleanup,
> Then qemu_mutex_destroy triggered raise().
> 
> Because freeing chr is handled by qemu_chr_free_common, Remove the free from
> msmouse_chr_close to avoid double free.
> 
> Signed-off-by: Lin Ma <lma@suse.com>
> ---
>  backends/msmouse.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/backends/msmouse.c b/backends/msmouse.c
> index aeb9055..7690c42 100644
> --- a/backends/msmouse.c
> +++ b/backends/msmouse.c
> @@ -139,7 +139,6 @@ static void msmouse_chr_close (struct CharDriverState *chr)
>  
>      qemu_input_handler_unregister(mouse->hs);
>      g_free(mouse);
> -    g_free(chr);
>  }
>  
>  static QemuInputHandler msmouse_handler = {
> 

Fixes: c1111a24a3358ecd2f17be7c8b117cfe8bc5e5f8
Cc: qemu-stable@nongnu.org

Queued for 2.8, thanks.

Paolo

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2016-09-15 16:52 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-09-15 14:31 [Qemu-devel] [PATCH] msmouse: Fix segfault caused by free the chr before chardev cleanup Lin Ma
2016-09-15 14:59 ` Marc-André Lureau
2016-09-15 16:52 ` Paolo Bonzini

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).