[Spice-devel] [PATCHv2 22/22] usb: keep USB context alive as long as channels exist

Marc-André Lureau marcandre.lureau at redhat.com
Wed Nov 26 09:56:13 PST 2014


It was assumed the session would remain alive as long as channel
existed, so USB context would be valid too. Now that channels
are removed from session, USB context may be destroyed before
channels. This produces invalid read/write on USB context.
Make sure the context is alive as long as USB channels are by
adding a reference on USB manager.

==6939== Invalid write of size 4
==6939==    at 0x394B604482: libusb_set_debug (core.c:1850)
==6939==    by 0x3953A063D5: usbredirhost_open_full (usbredirhost.c:741)
==6939==    by 0x4EC7E2F: spice_usbredir_channel_set_context (channel-usbredir.c:212)
==6939==    by 0x4EC7AB6: spice_usbredir_channel_reset (channel-usbredir.c:125)
==6939==    by 0x4EACCDC: spice_channel_reset (spice-channel.c:2621)
==6939==    by 0x4EACDB4: channel_disconnect (spice-channel.c:2640)
==6939==    by 0x4EAC28F: spice_channel_coroutine (spice-channel.c:2423)
==6939==    by 0x4EE8B1C: coroutine_trampoline (coroutine_ucontext.c:63)
==6939==    by 0x4EE87D6: continuation_trampoline (continuation.c:55)
==6939==    by 0x3928247FEF: ??? (in /usr/lib64/libc-2.20.so)
==6939==    by 0x51E36FF: ??? (in /usr/local/stow/spice-gtk/lib/libspice-client-glib-2.0.so.8.5.0)
==6939==    by 0xCF0C18F: ???
==6939==  Address 0xff15f90 is 0 bytes inside a block of size 536 free'd
==6939==    at 0x4A07CE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6939==    by 0x394B606466: libusb_exit (core.c:2041)
==6939==    by 0x4ECC590: spice_usb_device_manager_finalize (usb-device-manager.c:371)
---
 gtk/usb-device-manager.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gtk/usb-device-manager.c b/gtk/usb-device-manager.c
index 7b27516..7a9fdc7 100644
--- a/gtk/usb-device-manager.c
+++ b/gtk/usb-device-manager.c
@@ -767,6 +767,14 @@ static void channel_new(SpiceSession *session, SpiceChannel *channel,
     g_ptr_array_add(self->priv->channels, channel);
 
     spice_usb_device_manager_check_redir_on_connect(self, channel);
+
+    /*
+     * add a reference to ourself, to make sure the context is alive
+     * as long as channel is.
+     * TODO: moving to Gusb could help here too.
+     */
+    g_object_ref(self);
+    g_object_weak_ref(G_OBJECT(channel), (GWeakNotify)g_object_unref, self);
 }
 
 static void channel_destroy(SpiceSession *session, SpiceChannel *channel,
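Review bot: the `(GWeakNotify)g_object_unref` cast on the `g_object_weak_ref()` line calls a one-argument function through a two-argument callback type, since a GWeakNotify is invoked with both `data` and `where_the_object_was`. That happens to work on the usual calling conventions but is not well-defined C; a small static wrapper that accepts both arguments and unrefs `data` would avoid relying on it. The new comment should also say where the reference is dropped: it is released from the channel's weak notify, not from `channel_destroy`, so the manager's last unref (and therefore `spice_usb_device_manager_finalize`, which the trace shows calling `libusb_exit`) can now run from inside a channel's disposal. It is worth confirming that finalize is safe in that context, and noting that a leaked USB channel will now keep the manager and its USB context alive indefinitely.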
-- 
2.1.0