msmouse: Fix segfault caused by free the chr before chardev cleanup.

morecache · mdroth · commit 7f7ac2141e3c · 2016-12-14T16:34:09.000-06:00
Segfault happens when leaving qemu with msmouse backend: #0 0x00007fa8526ac975 in raise () at /lib64/libc.so.6 #1 0x00007fa8526add8a in abort () at /lib64/libc.so.6 #2 0x0000558be78846ab in error_exit (err=16, msg=0x558be799da10 ... #3 0x0000558be7884717 in qemu_mutex_destroy (mutex=0x558be93be750) at ... #4 0x0000558be7549951 in qemu_chr_free_common (chr=0x558be93be750) at ... #5 0x0000558be754999c in qemu_chr_free (chr=0x558be93be750) at ... #6 0x0000558be7549a20 in qemu_chr_delete (chr=0x558be93be750) at ... #7 0x0000558be754a8ef in qemu_chr_cleanup () at qemu-char.c:4643 #8 0x0000558be755843e in main (argc=5, argv=0x7ffe925d7118, ... The chr was freed by msmouse close callback before chardev cleanup, Then qemu_mutex_destroy triggered raise(). Because freeing chr is handled by qemu_chr_free_common, Remove the free from msmouse_chr_close to avoid double free. Fixes: c1111a2 Cc: qemu-stable@nongnu.org Signed-off-by: Lin Ma <lma@suse.com> Message-Id: <20160915143158.4796-1-lma@suse.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit 9e14037) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
diff --git a/backends/msmouse.c b/backends/msmouse.c
@@ -139,7 +139,6 @@ static void msmouse_chr_close (struct CharDriverState *chr)
 
     qemu_input_handler_unregister(mouse->hs);
     g_free(mouse);
-    g_free(chr);
 }
 
 static QemuInputHandler msmouse_handler = {

Original file line number	Diff line number	Diff line change
`@@ -139,7 +139,6 @@ static void msmouse_chr_close (struct CharDriverState *chr)`
`139`	`139`
`140`	`140`	`qemu_input_handler_unregister(mouse->hs);`
`141`	`141`	`g_free(mouse);`
`142`		`- g_free(chr);`
`143`	`142`	`}`
`144`	`143`
`145`	`144`	`static QemuInputHandler msmouse_handler = {`