It was assumed the session would remain alive as long as a channel
existed, so the USB context would be valid too. Now that channels
are removed from the session, the USB context may be destroyed before
the channels. This produces invalid reads/writes on the USB context.
Make sure the context is alive as long as USB channels are by
adding a reference on the USB manager.

==6939== Invalid write of size 4
==6939==    at 0x394B604482: libusb_set_debug (core.c:1850)
==6939==    by 0x3953A063D5: usbredirhost_open_full (usbredirhost.c:741)
==6939==    by 0x4EC7E2F: spice_usbredir_channel_set_context (channel-usbredir.c:212)
==6939==    by 0x4EC7AB6: spice_usbredir_channel_reset (channel-usbredir.c:125)
==6939==    by 0x4EACCDC: spice_channel_reset (spice-channel.c:2621)
==6939==    by 0x4EACDB4: channel_disconnect (spice-channel.c:2640)
==6939==    by 0x4EAC28F: spice_channel_coroutine (spice-channel.c:2423)
==6939==    by 0x4EE8B1C: coroutine_trampoline (coroutine_ucontext.c:63)
==6939==    by 0x4EE87D6: continuation_trampoline (continuation.c:55)
==6939==    by 0x3928247FEF: ??? (in /usr/lib64/libc-2.20.so)
==6939==    by 0x51E36FF: ??? (in /usr/local/stow/spice-gtk/lib/libspice-client-glib-2.0.so.8.5.0)
==6939==    by 0xCF0C18F: ???
==6939==  Address 0xff15f90 is 0 bytes inside a block of size 536 free'd
==6939==    at 0x4A07CE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6939==    by 0x394B606466: libusb_exit (core.c:2041)
==6939==    by 0x4ECC590: spice_usb_device_manager_finalize (usb-device-manager.c:371)
---
 gtk/usb-device-manager.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/gtk/usb-device-manager.c b/gtk/usb-device-manager.c
index 7b27516..7a9fdc7 100644
--- a/gtk/usb-device-manager.c
+++ b/gtk/usb-device-manager.c
@@ -767,6 +767,14 @@ static void channel_new(SpiceSession *session, 
SpiceChannel *channel,
     g_ptr_array_add(self->priv->channels, channel);
 
     spice_usb_device_manager_check_redir_on_connect(self, channel);
+
+    /*
+     * add a reference to ourself, to make sure the context is alive
+     * as long as channel is.
+     * TODO: moving to Gusb could help here too.
+     */
+    g_object_ref(self);
+    g_object_weak_ref(G_OBJECT(channel), (GWeakNotify)g_object_unref, self);
 }
 
 static void channel_destroy(SpiceSession *session, SpiceChannel *channel,
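Review bot: the cast (GWeakNotify)g_object_unref on the g_object_weak_ref() line calls a one-argument function through the two-argument GWeakNotify type (gpointer data, GObject *where_the_object_was), and it only does the right thing because data is the first parameter. A small static callback with the real GWeakNotify signature that calls g_object_unref(data) would remove the function-pointer cast. The comment could also say where the reference is released (the channel's weak notify, not channel_destroy() just below), since that pairing is not obvious from the g_object_ref(self) call alone.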
-- 
2.1.0
