[Spice-devel] [spice-gtk] channel-usbredir: Fix crash due to a Task returning earlier than expected

Fabiano Fidêncio fidencio at redhat.com
Mon Mar 21 11:25:58 UTC 2016


On Mon, Mar 21, 2016 at 8:05 AM, Pavel Grunt <pgrunt at redhat.com> wrote:
> On Mon, 2016-03-21 at 04:02 +0100, Fabiano Fidêncio wrote:
>> g_task_return_error() has been completing the task immediately, not
>> cleaning up/setting up the device state to STATE_DISCONNECTED. It's
>> been
>> causing a double free when trying to redirect a device without having
>> the ACL permissions for doing it. See the backtrace:
>>
>>  #0  0x00007ffff24dc07d in g_type_check_instance_is_fundamentally_a (
>> type_instance=type_instance at entry=0x14779d0, fundamental_type=fundame
>> ntal_type at entry=80) at gtype.c:4032
>>  #1  0x00007ffff24bc447 in g_object_unref (_object=0x14779d0) at
>> gobject.c:3076
>>  #2  0x00007ffff7bafc2a in connect_cb (gobject=0x87d9a0
>> [SpiceUsbDeviceManager], res=0x96f830, user_data=0x143e0e0)
>>      at usb-device-widget.c:485
>>  #3  0x00007ffff277f5a3 in g_task_return_now (task=0x96f830 [GTask])
>> at gtask.c:1106
>>  #4  0x00007ffff277fc4e in g_task_return (task=0x96f830 [GTask],
>> type=<optimized out>) at gtask.c:1164
>>  #5  0x00007ffff786c277 in
>> spice_usb_device_manager_channel_connect_cb (gobject=0x917940
>> [SpiceUsbredirChannel], channel_res=0x96f900, user_data=0x96f830) at
>> usb-device-manager.c:1094
>>  #6  0x00007ffff277f5a3 in g_task_return_now (task=0x96f900 [GTask])
>> at gtask.c:1106
>>  #7  0x00007ffff277fc4e in g_task_return (task=0x96f900 [GTask],
>> type=<optimized out>) at gtask.c:1164
>>  #8  0x00007ffff786699c in spice_usbredir_channel_open_acl_cb
>> (gobject=0xa73b00 [SpiceUsbAclHelper], acl_res=0x96f9d0,
>> user_data=0x917940) at channel-usbredir.c:300
>>  #9  0x00007ffff277f5a3 in g_task_return_now (task=0x96f9d0 [GTask])
>> at gtask.c:1106
>>  #10 0x00007ffff277fc4e in g_task_return (task=0x96f9d0 [GTask],
>> type=<optimized out>) at gtask.c:1164
>>  #11 0x00007ffff27804d0 in g_task_return_new_error (task=0x96f9d0
>> [GTask], domain=<optimized out>, code=<optimized out>,
>> format=<optimized out>) at gtask.c:1744
>>  #12 0x00007ffff786eade in cb_out_watch (channel=0x1488740,
>> cond=G_IO_IN, user_data=0xa73b00) at usb-acl-helper.c:128
>>  #13 0x00007ffff21b8e3a in g_main_context_dispatch (context=0x647390)
>> at gmain.c:3154
>>  #14 0x00007ffff21b8e3a in g_main_context_dispatch (context=context at e
>> ntry=0x647390) at gmain.c:3769
>>  #15 0x00007ffff21b91d0 in g_main_context_iterate (context=0x647390,
>> block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>)
>> at gmain.c:3840
>>  #16 0x00007ffff21b94f2 in g_main_loop_run (loop=0x13d1ae0) at
>> gmain.c:4034
>>  #17 0x00007ffff3ca5440 in gtk_dialog_run () at /lib64/libgtk-3.so.0
>>  #18 0x0000000000406a18 in menu_cb_select_usb_devices
>> (action=0x9d62f0 [GtkAction], data=0x69aef0) at spicy.c:394
>>  #22 0x00007ffff24d28ff in <emit signal ??? on instance 0x9d62f0
>> [GtkAction]> (instance=<optimized out>, signal_id=<optimized out>,
>> detail=<optimized out>) at gsignal.c:3439
>>      #19 0x00007ffff24b77a5 in g_closure_invoke (closure=0xa0d0c0, re
>> turn_value=return_value at entry=0x0, n_param_values=1, param_values=par
>> am_values at entry=0x7fffffffcf70, invocation_hint=invocation_hint at entry
>> =0x7fffffffcef0) at gclosure.c:801
>>      #20 0x00007ffff24c9851 in signal_emit_unlocked_R (node=node at entr
>> y=0x63fc10, detail=detail at entry=0, instance=instance at entry=0x9d62f0,
>> emission_return=emission_return at entry=0x0, instance_and_params=instan
>> ce_and_params at entry=0x7fffffffcf70) at gsignal.c:3627
>>      #21 0x00007ffff24d2530 in g_signal_emit_valist
>> (instance=<optimized out>, signal_id=<optimized out>,
>> detail=<optimized out>, var_args=var_args at entry=0x7fffffffd130) at
>> gsignal.c:3383
>>  #23 0x00007ffff3bc23b0 in _gtk_action_emit_activate () at
>> /lib64/libgtk-3.so.0
>>  #27 0x00007ffff24d28ff in <emit signal ??? on instance 0x9a8730
>> [GtkImageMenuItem]> (instance=<optimized out>, signal_id=<optimized
>> out>, detail=<optimized out>) at gsignal.c:3439
>>      #24 0x00007ffff24b77a5 in g_closure_invoke (closure=closure at entr
>> y=0x6607d0, return_value=return_value at entry=0x0, n_param_values=1, pa
>> ram_values=param_values at entry=0x7fffffffd3f0, invocation_hint=invocat
>> ion_hint at entry=0x7fffffffd370) at gclosure.c:801
>>      #25 0x00007ffff24c938c in signal_emit_unlocked_R (node=node at entr
>> y=0x661050, detail=detail at entry=0, instance=instance at entry=0x9a8730,
>> emission_return=emission_return at entry=0x0, instance_and_params=instan
>> ce_and_params at entry=0x7fffffffd3f0) at gsignal.c:3557
>>      #26 0x00007ffff24d2530 in g_signal_emit_valist
>> (instance=<optimized out>, signal_id=<optimized out>,
>> detail=<optimized out>, var_args=var_args at entry=0x7fffffffd5b0) at
>> gsignal.c:3383
>>  #28 0x00007ffff3e7094e in gtk_widget_activate () at /lib64/libgtk-
>> 3.so.0
>>  #29 0x00007ffff3d4e4f6 in gtk_menu_shell_activate_item () at
>> /lib64/libgtk-3.so.0
>>  #30 0x00007ffff3d4e824 in gtk_menu_shell_button_release () at
>> /lib64/libgtk-3.so.0
>>  #31 0x00007ffff3d30fda in _gtk_marshal_BOOLEAN__BOXEDv () at
>> /lib64/libgtk-3.so.0
>>  #32 0x00007ffff24b79d4 in _g_closure_invoke_va (closure=closure at entr
>> y=0x644d10, return_value=return_value at entry=0x7fffffffd900, instance=
>> instance at entry=0x80faa0, args=args at entry=0x7fffffffd9d0,
>> n_params=<optimized out>, param_types=0x644d40) at gclosure.c:864
>>  #33 0x00007ffff24d1dd3 in g_signal_emit_valist (instance=0x80faa0,
>> signal_id=<optimized out>, detail=0, var_args=var_args at entry=0x7fffff
>> ffd9d0) at gsignal.c:3292
>>  #34 0x00007ffff24d28ff in g_signal_emit (instance=<optimized out>,
>> signal_id=<optimized out>, detail=<optimized out>) at gsignal.c:3439
>>  #35 0x00007ffff3e6e4bc in gtk_widget_event_internal () at
>> /lib64/libgtk-3.so.0
>>  #36 0x00007ffff3d2e34e in propagate_event () at /lib64/libgtk-3.so.0
>>  #37 0x00007ffff3d300fc in gtk_main_do_event () at /lib64/libgtk-
>> 3.so.0
>>  #38 0x00007ffff38a8e92 in gdk_event_source_dispatch () at
>> /lib64/libgdk-3.so.0
>>  #39 0x00007ffff21b8e3a in g_main_context_dispatch (context=0x647390)
>> at gmain.c:3154
>>  #40 0x00007ffff21b8e3a in g_main_context_dispatch (context=context at e
>> ntry=0x647390) at gmain.c:3769
>>  #41 0x00007ffff21b91d0 in g_main_context_iterate (context=0x647390,
>> block=block at entry=1, dispatch=dispatch at entry=1, self=<optimized out>)
>> at gmain.c:3840
>>  #42 0x00007ffff21b94f2 in g_main_loop_run (loop=0x6e2730) at
>> gmain.c:4034
>>  #43 0x000000000040b2f9 in main (argc=1, argv=0x7fffffffde48) at
>> spicy.c:1920
>>
>> Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
>
> Tested-by: Pavel Grunt <pgrunt at redhat.com>
> Acked-by: Pavel Grunt <pgrunt at redhat.com>
>
> Thanks,
> Pavel
>
>> ---
>>  src/channel-usbredir.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/src/channel-usbredir.c b/src/channel-usbredir.c
>> index d95a6c5..dca8455 100644
>> --- a/src/channel-usbredir.c
>> +++ b/src/channel-usbredir.c
>> @@ -297,12 +297,12 @@ static void spice_usbredir_channel_open_acl_cb(
>>          spice_usbredir_channel_open_device(channel, &err);
>>      }
>>      if (err) {
>> -        g_task_return_error(priv->task, err);
>>          libusb_unref_device(priv->device);
>>          priv->device = NULL;
>>          g_boxed_free(spice_usb_device_get_type(), priv-
>> >spice_device);
>>          priv->spice_device = NULL;
>>          priv->state  = STATE_DISCONNECTED;
>> +        g_task_return_error(priv->task, err);
>>      } else {
>>          g_task_return_boolean(priv->task, TRUE);
>>      }
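Review bot: the moved `g_task_return_error(priv->task, err);` needs a short comment above it saying why it must stay the last statement of the error branch, since nothing in the hunk records that completing the task can run the completion callback synchronously (frames #5 to #8 of the backtrace) and a later edit could innocently move it back above the cleanup. Something like `/* May run the completion callback immediately; priv must already be in STATE_DISCONNECTED */` would preserve the reasoning in the source rather than only in the commit message. The same constraint already holds for `g_task_return_boolean(priv->task, TRUE);` in the else branch, so the comment could cover both.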


Pushed, thanks!
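The rule the patch enforces, as an added example that is not spice-gtk code: a task completion may run its callback immediately, so every piece of state the callback can observe has to be final before the task is completed. The names (Device, Channel, Task, connect_cb, open_acl_cb_*) and the callback's behaviour of dropping the device reference when it sees the channel still connecting are assumptions made for the model, not taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the ordering bug fixed in spice_usbredir_channel_open_acl_cb().
 * Added example, not spice-gtk code; all names and the callback logic are assumed. */
enum { STATE_DISCONNECTED, STATE_CONNECTING };

typedef struct { int refcount; bool double_unref; } Device;
typedef struct { Device *device; int state; } Channel;
typedef struct Task Task;
typedef void (*TaskCb)(Task *task, Channel *ch);
struct Task { TaskCb cb; Channel *ch; };

/* Instead of freeing, record a reference count going below zero: that is the
 * double free the real code hit in g_object_unref(). */
static void device_unref(Device *d) {
    if (d->refcount <= 0) { d->double_unref = true; return; }
    d->refcount--;
}

/* Stands in for g_task_return_error(): as in the backtrace, the completion
 * callback runs synchronously, before this function returns. */
static void task_return_error(Task *t) { t->cb(t, t->ch); }

/* Assumed completion callback: if the channel still looks mid-connection, it
 * treats the device as its own to release. */
static void connect_cb(Task *t, Channel *ch) {
    (void)t;
    if (ch->state != STATE_DISCONNECTED && ch->device) device_unref(ch->device);
}

/* Order before the patch: complete the task, then clean up. Returns true when
 * no double unref happened. */
static bool open_acl_cb_buggy(Channel *ch, Task *t) {
    Device *dev = ch->device;
    task_return_error(t);              /* callback sees STATE_CONNECTING and unrefs */
    device_unref(ch->device);          /* second unref of the same device */
    ch->device = NULL;
    ch->state = STATE_DISCONNECTED;
    return !dev->double_unref;
}

/* Order after the patch: reset the channel state first, complete the task last. */
static bool open_acl_cb_fixed(Channel *ch, Task *t) {
    Device *dev = ch->device;
    device_unref(ch->device);
    ch->device = NULL;
    ch->state = STATE_DISCONNECTED;
    task_return_error(t);              /* callback sees a fully disconnected channel */
    return !dev->double_unref;
}

/* Builds one constructed channel with a single device reference and runs either order. */
static bool run(bool fixed) {
    Device dev = { .refcount = 1, .double_unref = false };
    Channel ch = { .device = &dev, .state = STATE_CONNECTING };
    Task t = { .cb = connect_cb, .ch = &ch };
    return fixed ? open_acl_cb_fixed(&ch, &t) : open_acl_cb_buggy(&ch, &t);
}

int main(void) {
    printf("buggy order safe: %d\nfixed order safe: %d\n", run(false), run(true));
    return 0;
}
```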

