[Spice-devel] [PATCH spice-server] reds: Do not free wrong agent device
Christophe Fergeau
cfergeau at redhat.com
Tue Feb 28 12:39:21 UTC 2017
I think I'd adjust the shortlog a little bit "Check that we do not free
...", as I initially thought this was fixing an actual bug rather than
being a robustness improvement.
Hopefully we don't hit this situation, as this would be fairly bad ;)
Acked-by: Christophe Fergeau <cfergeau at redhat.com>
Christophe
On Tue, Feb 28, 2017 at 10:26:10AM +0000, Frediano Ziglio wrote:
> Do not assume the device passed is the one currently working
> but check for it and refuse to free the current one avoiding
> possible double free of the device.
>
> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> ---
> server/reds.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/server/reds.c b/server/reds.c
> index 39a7a31..88ee7d1 100644
> --- a/server/reds.c
> +++ b/server/reds.c
> @@ -3201,13 +3201,14 @@ static int spice_server_char_device_add_interface(SpiceServer *reds,
> return 0;
> }
>
> -static void spice_server_char_device_remove_interface(RedsState *reds, SpiceBaseInstance *sin)
> +static int spice_server_char_device_remove_interface(RedsState *reds, SpiceBaseInstance *sin)
> {
> SpiceCharDeviceInstance* char_device =
> SPICE_CONTAINEROF(sin, SpiceCharDeviceInstance, base);
>
> spice_info("remove CHAR_DEVICE %s", char_device->subtype);
> if (strcmp(char_device->subtype, SUBTYPE_VDAGENT) == 0) {
> + g_return_val_if_fail(char_device == reds->vdagent, -1);
> if (reds->vdagent) {
> reds_agent_remove(reds);
> red_char_device_reset_dev_instance(RED_CHAR_DEVICE(reds->agent_dev), NULL);
> @@ -3226,6 +3227,7 @@ static void spice_server_char_device_remove_interface(RedsState *reds, SpiceBase
> }
>
> char_device->st = NULL;
> + return 0;
> }
>
> SPICE_GNUC_VISIBLE int spice_server_add_interface(SpiceServer *reds,
> @@ -3360,7 +3362,7 @@ SPICE_GNUC_VISIBLE int spice_server_remove_interface(SpiceBaseInstance *sin)
> SpiceCharDeviceInstance *char_device = SPICE_CONTAINEROF(sin, SpiceCharDeviceInstance, base);
> g_return_val_if_fail(char_device->st != NULL, -1);
> reds = red_char_device_get_server(char_device->st);
> - spice_server_char_device_remove_interface(reds, sin);
> + return spice_server_char_device_remove_interface(reds, sin);
> } else if (strcmp(interface->type, SPICE_INTERFACE_QXL) == 0) {
> QXLInstance *qxl;
>
> --
> 2.9.3
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/spice-devel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <https://lists.freedesktop.org/archives/spice-devel/attachments/20170228/fa030898/attachment.sig>
More information about the Spice-devel
mailing list