[Spice-commits] 2 commits - server/char_device.c server/spicevmc.c

Victor Toso de Carvalho victortoso at kemper.freedesktop.org
Fri Nov 13 03:03:53 PST 2015


 server/char_device.c |    2 ++
 server/spicevmc.c    |    1 +
 2 files changed, 3 insertions(+)

New commits:
commit 08230ee1715ff07bb0bdc8e6661b53a6752854d5
Author: Victor Toso <victortoso at redhat.com>
Date:   Fri Nov 13 10:46:43 2015 +0100

    spicevmc: set state of DeviceInstance to NULL
    
    After spice_char_device_state_destroy is called spicevmc should not keep
    reference to that memory. state->chardev_st and sin->st point to the
    same SpiceCharDeviceState and both should be set to NULL when it is
    destroyed.

diff --git a/server/spicevmc.c b/server/spicevmc.c
index 6ac1561..d37b1ec 100644
--- a/server/spicevmc.c
+++ b/server/spicevmc.c
@@ -559,6 +559,7 @@ void spicevmc_device_disconnect(SpiceCharDeviceInstance *sin)
     }
     spice_char_device_state_destroy(sin->st);
     state->chardev_st = NULL;
+    sin->st = NULL;
 
     reds_unregister_channel(&state->channel);
     free(state->pipe_item);
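Review bot: Resetting `sin->st` turns any later stale access from a use-after-free into a NULL dereference, so every path that can still reach this `SpiceCharDeviceInstance` after disconnect needs to check `sin->st` before using it; those callers are outside the hunk and should be audited. The aliasing is not obvious from the code, so a comment above the two assignments would help, e.g. `/* sin->st and state->chardev_st alias the same SpiceCharDeviceState; clear both after destroy */`. `state->pipe_item` is freed on the last visible line without being reset, which is only safe if `state` itself is released straight afterwards; the function continues past the hunk, so that cannot be confirmed here.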
commit c429574bb6aebcbbddcc9714f994afd6b0ae7186
Author: Victor Toso <victortoso at redhat.com>
Date:   Fri Nov 13 10:44:55 2015 +0100

    char-device: set to NULL freed pointers on destroy
    
    As SpiceCharDeviceState is only unref'ed on
    spice_char_device_state_destroy the same device could be destroyed more
    than once so the pointers that are freed should be set to NULL.
    
    Related: https://bugzilla.redhat.com/show_bug.cgi?id=1281455

diff --git a/server/char_device.c b/server/char_device.c
index fe38385..ae7cb98 100644
--- a/server/char_device.c
+++ b/server/char_device.c
@@ -742,11 +742,13 @@ void spice_char_device_state_destroy(SpiceCharDeviceState *char_dev)
     reds_on_char_device_state_destroy(char_dev);
     if (char_dev->write_to_dev_timer) {
         core->timer_remove(char_dev->write_to_dev_timer);
+        char_dev->write_to_dev_timer = NULL;
     }
     write_buffers_queue_free(&char_dev->write_queue);
     write_buffers_queue_free(&char_dev->write_bufs_pool);
     char_dev->cur_pool_size = 0;
     spice_char_device_write_buffer_free(char_dev->cur_write_buf);
+    char_dev->cur_write_buf = NULL;
 
     while (!ring_is_empty(&char_dev->clients)) {
         RingItem *item = ring_get_tail(&char_dev->clients);
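Review bot: Clearing `write_to_dev_timer` and `cur_write_buf` makes a repeated destroy harmless for those two members only. The commit message says the state is unref'ed in this function, so a second call would presumably drop a second reference and could still release `char_dev` while another holder uses it. The unref is outside the hunk, so this needs confirming against the rest of the function. `spice_char_device_write_buffer_free(char_dev->cur_write_buf)` is also unguarded, unlike the timer, so a repeat call now passes NULL and the helper must tolerate that. A comment above the timer block such as `/* destroy may run more than once on the same state; reset every freed member */` would record the invariant this change relies on.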

