Message ID | 20160915143158.4796-1-lma@suse.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Hi ----- Original Message ----- > Segfault happens when leaving qemu with msmouse backend: > > #0 0x00007fa8526ac975 in raise () at /lib64/libc.so.6 > #1 0x00007fa8526add8a in abort () at /lib64/libc.so.6 > #2 0x0000558be78846ab in error_exit (err=16, msg=0x558be799da10 ... > #3 0x0000558be7884717 in qemu_mutex_destroy (mutex=0x558be93be750) at ... > #4 0x0000558be7549951 in qemu_chr_free_common (chr=0x558be93be750) at ... > #5 0x0000558be754999c in qemu_chr_free (chr=0x558be93be750) at ... > #6 0x0000558be7549a20 in qemu_chr_delete (chr=0x558be93be750) at ... > #7 0x0000558be754a8ef in qemu_chr_cleanup () at qemu-char.c:4643 > #8 0x0000558be755843e in main (argc=5, argv=0x7ffe925d7118, ... > > The chr was freed by msmouse close callback before chardev cleanup, > Then qemu_mutex_destroy triggered raise(). > > Because freeing chr is handled by qemu_chr_free_common, Remove the free from > msmouse_chr_close to avoid double free. > > Signed-off-by: Lin Ma <lma@suse.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> > --- > backends/msmouse.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/backends/msmouse.c b/backends/msmouse.c > index aeb9055..7690c42 100644 > --- a/backends/msmouse.c > +++ b/backends/msmouse.c > @@ -139,7 +139,6 @@ static void msmouse_chr_close (struct CharDriverState > *chr) > > qemu_input_handler_unregister(mouse->hs); > g_free(mouse); > - g_free(chr); > } Ooch, chr_close is not supposed to free chr! There might be other cases where memory corruption could occur. > > static QemuInputHandler msmouse_handler = { > -- > 2.9.2 > >
On 15/09/2016 16:31, Lin Ma wrote: > Segfault happens when leaving qemu with msmouse backend: > > #0 0x00007fa8526ac975 in raise () at /lib64/libc.so.6 > #1 0x00007fa8526add8a in abort () at /lib64/libc.so.6 > #2 0x0000558be78846ab in error_exit (err=16, msg=0x558be799da10 ... > #3 0x0000558be7884717 in qemu_mutex_destroy (mutex=0x558be93be750) at ... > #4 0x0000558be7549951 in qemu_chr_free_common (chr=0x558be93be750) at ... > #5 0x0000558be754999c in qemu_chr_free (chr=0x558be93be750) at ... > #6 0x0000558be7549a20 in qemu_chr_delete (chr=0x558be93be750) at ... > #7 0x0000558be754a8ef in qemu_chr_cleanup () at qemu-char.c:4643 > #8 0x0000558be755843e in main (argc=5, argv=0x7ffe925d7118, ... > > The chr was freed by msmouse close callback before chardev cleanup, > Then qemu_mutex_destroy triggered raise(). > > Because freeing chr is handled by qemu_chr_free_common, Remove the free from > msmouse_chr_close to avoid double free. > > Signed-off-by: Lin Ma <lma@suse.com> > --- > backends/msmouse.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/backends/msmouse.c b/backends/msmouse.c > index aeb9055..7690c42 100644 > --- a/backends/msmouse.c > +++ b/backends/msmouse.c > @@ -139,7 +139,6 @@ static void msmouse_chr_close (struct CharDriverState *chr) > > qemu_input_handler_unregister(mouse->hs); > g_free(mouse); > - g_free(chr); > } > > static QemuInputHandler msmouse_handler = { > Fixes: c1111a24a3358ecd2f17be7c8b117cfe8bc5e5f8 Cc: qemu-stable@nongnu.org Queued for 2.8, thanks. Paolo
diff --git a/backends/msmouse.c b/backends/msmouse.c index aeb9055..7690c42 100644 --- a/backends/msmouse.c +++ b/backends/msmouse.c @@ -139,7 +139,6 @@ static void msmouse_chr_close (struct CharDriverState *chr) qemu_input_handler_unregister(mouse->hs); g_free(mouse); - g_free(chr); } static QemuInputHandler msmouse_handler = {
Segfault happens when leaving qemu with msmouse backend: #0 0x00007fa8526ac975 in raise () at /lib64/libc.so.6 #1 0x00007fa8526add8a in abort () at /lib64/libc.so.6 #2 0x0000558be78846ab in error_exit (err=16, msg=0x558be799da10 ... #3 0x0000558be7884717 in qemu_mutex_destroy (mutex=0x558be93be750) at ... #4 0x0000558be7549951 in qemu_chr_free_common (chr=0x558be93be750) at ... #5 0x0000558be754999c in qemu_chr_free (chr=0x558be93be750) at ... #6 0x0000558be7549a20 in qemu_chr_delete (chr=0x558be93be750) at ... #7 0x0000558be754a8ef in qemu_chr_cleanup () at qemu-char.c:4643 #8 0x0000558be755843e in main (argc=5, argv=0x7ffe925d7118, ... The chr was freed by msmouse close callback before chardev cleanup, Then qemu_mutex_destroy triggered raise(). Because freeing chr is handled by qemu_chr_free_common, Remove the free from msmouse_chr_close to avoid double free. Signed-off-by: Lin Ma <lma@suse.com> --- backends/msmouse.c | 1 - 1 file changed, 1 deletion(-)