From: Marc-André Lureau <[email protected]>

This commit removes the QemuConsole from the global "consoles" list when it is finalized, fixing a use-after-free on throw-away objects.

Reproducer: QMP command qom-list-properties with typename "qemu-text-console", "qemu-fixed-text-console" or "qemu-graphic-console". The assertions added ensure that `dcls`, `gl_block`, and the `dump_queue` are empty before removal, confirming the console is in a clean state. This is left to be handled correctly in a future series for the hot-unplug case.

Reported-by: Markus Armbruster <[email protected]>
Signed-off-by: Marc-André Lureau <[email protected]>
--- ui/console.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ui/console.c b/ui/console.c index 6f6330d61f1..eaa41086743 100644 --- a/ui/console.c +++ b/ui/console.c @@ -392,10 +392,13 @@ qemu_console_finalize(Object *obj) { QemuConsole *c = QEMU_CONSOLE(obj); - /* TODO: check this code path, and unregister from consoles */ + /* TODO: fix hot-unplug support of consoles */ + assert(c->gl_block == 0); + assert(qemu_co_queue_empty(&c->dump_queue)); g_clear_pointer(&c->surface, qemu_free_displaysurface); g_clear_pointer(&c->gl_unblock_timer, timer_free); g_clear_pointer(&c->ui_timer, timer_free); + QTAILQ_REMOVE(&consoles, c, next); } static void -- 2.54.0
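Review bot: the commit message says the added assertions check that `dcls`, `gl_block` and `dump_queue` are empty, but the hunk in qemu_console_finalize only asserts `c->gl_block == 0` and `qemu_co_queue_empty(&c->dump_queue)`; nothing checks `dcls`. Either add the missing assertion next to the other two (something like `assert(QLIST_EMPTY(&c->dcls));`, assuming `dcls` is a QLIST of display change listeners) or drop `dcls` from the message so the description matches the code. One further point on the same hunk: `QTAILQ_REMOVE(&consoles, c, next)` is unconditional and QTAILQ_REMOVE does not verify membership, so finalize now depends on every QemuConsole having been inserted into `consoles` by the time it can be finalized (i.e. at instance init rather than at realize). The qom-list-properties reproducer implies that this holds, since those throw-away objects are never realized, but a one-line comment stating the invariant beside the removal would make it explicit for whoever picks up the remaining hot-unplug TODO.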
