chardev/wctable: don't free the instance in wctablet_chr_finalize

d-tatianin · mdroth · commit 4658dfcbc09d · 2021-12-14T14:54:14.000-06:00
Object is supposed to be freed by invoking obj->free, and not obj->instance_finalize. This would lead to use-after-free followed by double free in object_unref/object_finalize. Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20211117142349.836279-1-d-tatianin@yandex-team.ru> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> (cherry picked from commit fdc6e16) Signed-off-by: Michael Roth <michael.roth@amd.com>
diff --git a/chardev/wctablet.c b/chardev/wctablet.c
@@ -320,7 +320,6 @@ static void wctablet_chr_finalize(Object *obj)
     TabletChardev *tablet = WCTABLET_CHARDEV(obj);
 
     qemu_input_handler_unregister(tablet->hs);
-    g_free(tablet);
 }
 
 static void wctablet_chr_open(Chardev *chr,

Original file line number	Diff line number	Diff line change
`@@ -320,7 +320,6 @@ static void wctablet_chr_finalize(Object *obj)`
`320`	`320`	`TabletChardev *tablet = WCTABLET_CHARDEV(obj);`
`321`	`321`
`322`	`322`	`qemu_input_handler_unregister(tablet->hs);`
`323`		`- g_free(tablet);`
`324`	`323`	`}`
`325`	`324`
`326`	`325`	`static void wctablet_chr_open(Chardev *chr,`