hw/usb/redirect.c: crash in QOM cleanup

Message ID	alpine.GSO.2.00.1307281727010.22152@dmz.c-home.cz
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> Date: Sun, 28 Jul 2013 17:47:37 +0200 (CEST) From: Martin Cerveny <martin@c-home.cz> To: qemu-devel@nongnu.org Message-ID: <alpine.GSO.2.00.1307281727010.22152@dmz.c-home.cz> User-Agent: Alpine 2.00 (GSO 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII Cc: Gerd Hoffmann <kraxel@redhat.com> Subject: [Qemu-devel] [PATCH] hw/usb/redirect.c: crash in QOM cleanup Precedence: list Reply-To: Martin Cerveny <M.Cerveny@computer.org> Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Message ID

alpine.GSO.2.00.1307281727010.22152@dmz.c-home.cz

State

New

Headers

Date: Sun, 28 Jul 2013 17:47:37 +0200 (CEST)
From: Martin Cerveny <martin@c-home.cz>
To: qemu-devel@nongnu.org
Message-ID: <alpine.GSO.2.00.1307281727010.22152@dmz.c-home.cz>
User-Agent: Alpine 2.00 (GSO 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: Gerd Hoffmann <kraxel@redhat.com>
Subject: [Qemu-devel] [PATCH] hw/usb/redirect.c: crash in QOM cleanup
Precedence: list
Reply-To: Martin Cerveny <M.Cerveny@computer.org>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Commit Message

Martin Cerveny July 28, 2013, 3:47 p.m. UTC

Hello.

Qemu crashes during remote usb device removal.
The associated chardev is destroyed "qemu_chr_delete()" in 
"usbredir_handle_destroy()" but pointer is not 
cleared. QOM cleanup is using pointer to previously freed 
memory.

Example cmds:

chardev-add socket,id=usbredirchardev1,port=4000,host=192.168.1.166
device_add usb-redir,chardev=usbredirchardev1,id=usbredirdev1,bus=ehci.0,debug=4
device_del usbredirdev1

core_backtrace:

0x2693a2 qemu_chr_add_handlers - -
0x1366bf release_chr - -
0x2808d8 object_property_del_all - -
0x280b35 object_finalize - -
0x281654 object_unref - -
0x280a4b object_unparent - -
0x13ad93 qdev_free - -
0x13acde qdev_simple_unplug_cb - -
0x13aac8 qdev_unplug - -
0x268b56 qmp_device_del - -
....

Signed-off-by: Martin Cerveny <M.Cerveny@computer.org>
---

---

Comments

Gerd Hoffmann July 31, 2013, 9:21 a.m. UTC | #1

Hi,

> diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
> index a594e95..1c62263 100644
> --- a/hw/usb/redirect.c
> +++ b/hw/usb/redirect.c
> @@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
>      USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
> 
>      qemu_chr_delete(dev->cs);
> +    dev->cs = NULL;
>      /* Note must be done after qemu_chr_close, as that causes a close
> event */
>      qemu_bh_delete(dev->chardev_close_bh);

Patch doesn't apply, probably because it is whitespace-mangled.  Redid
it.  Please use 'git send-email' to send patches in the future, it is
more robust.

cheers,
  Gerd

diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index a594e95..1c62263 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -1334,6 +1334,7 @@  static void usbredir_handle_destroy(USBDevice *udev)
      USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);

      qemu_chr_delete(dev->cs);
+    dev->cs = NULL;
      /* Note must be done after qemu_chr_close, as that causes a close 
event */
      qemu_bh_delete(dev->chardev_close_bh);