From patchwork Thu Sep 15 14:31:58 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Lin Ma <lma@suse.com>
X-Patchwork-Id: 9333975
Return-Path: 
 <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	43709607FD for <patchwork-qemu-devel@patchwork.kernel.org>;
	Thu, 15 Sep 2016 15:00:47 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 346CF298ED
	for <patchwork-qemu-devel@patchwork.kernel.org>;
	Thu, 15 Sep 2016 15:00:47 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 247D3298F9; Thu, 15 Sep 2016 15:00:47 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 03DE0298ED
	for <patchwork-qemu-devel@patchwork.kernel.org>;
	Thu, 15 Sep 2016 15:00:43 +0000 (UTC)
Received: from localhost ([::1]:35320 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>)
	id 1bkY9a-0003uL-5e for patchwork-qemu-devel@patchwork.kernel.org;
	Thu, 15 Sep 2016 11:00:42 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:47990)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <lma@suse.com>) id 1bkXiL-0005YG-4g
	for qemu-devel@nongnu.org; Thu, 15 Sep 2016 10:32:37 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <lma@suse.com>) id 1bkXiG-0004rn-G1
	for qemu-devel@nongnu.org; Thu, 15 Sep 2016 10:32:33 -0400
Received: from victor.provo.novell.com ([137.65.250.26]:60113
	helo=prv3-mh.provo.novell.com) by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <lma@suse.com>) id 1bkXiG-0004rH-7W
	for qemu-devel@nongnu.org; Thu, 15 Sep 2016 10:32:28 -0400
Received: from localhost.localdomain (prv-ext-foundry1int.gns.novell.com
	[137.65.251.240])
	by prv3-mh.provo.novell.com with ESMTP (NOT encrypted);
	Thu, 15 Sep 2016 08:32:12 -0600
From: Lin Ma <lma@suse.com>
To: qemu-devel@nongnu.org,
	pbonzini@redhat.com
Date: Thu, 15 Sep 2016 22:31:58 +0800
Message-Id: <20160915143158.4796-1-lma@suse.com>
X-Mailer: git-send-email 2.9.2
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 137.65.250.26
Subject: [Qemu-devel] [PATCH] msmouse: Fix segfault caused by free the chr
	before chardev cleanup.
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: marcandre.lureau@redhat.com
Errors-To: 
 qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Segfault happens when leaving qemu with msmouse backend:

 #0  0x00007fa8526ac975 in raise () at /lib64/libc.so.6
 #1  0x00007fa8526add8a in abort () at /lib64/libc.so.6
 #2  0x0000558be78846ab in error_exit (err=16, msg=0x558be799da10 ...
 #3  0x0000558be7884717 in qemu_mutex_destroy (mutex=0x558be93be750) at ...
 #4  0x0000558be7549951 in qemu_chr_free_common (chr=0x558be93be750) at ...
 #5  0x0000558be754999c in qemu_chr_free (chr=0x558be93be750) at ...
 #6  0x0000558be7549a20 in qemu_chr_delete (chr=0x558be93be750) at ...
 #7  0x0000558be754a8ef in qemu_chr_cleanup () at qemu-char.c:4643
 #8  0x0000558be755843e in main (argc=5, argv=0x7ffe925d7118, ...

The chr was freed by msmouse close callback before chardev cleanup,
Then qemu_mutex_destroy triggered raise().

Because freeing chr is handled by qemu_chr_free_common, Remove the free from
msmouse_chr_close to avoid double free.

Signed-off-by: Lin Ma <lma@suse.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
---
 backends/msmouse.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/backends/msmouse.c b/backends/msmouse.c
index aeb9055..7690c42 100644
--- a/backends/msmouse.c
+++ b/backends/msmouse.c
@@ -139,7 +139,6 @@ static void msmouse_chr_close (struct CharDriverState *chr)
 
     qemu_input_handler_unregister(mouse->hs);
     g_free(mouse);
-    g_free(chr);
 }
 
 static QemuInputHandler msmouse_handler = {