From 7774b8c0dd85ce2bb311d8bbe1c25deb73970b6e Mon Sep 17 00:00:00 2001
From: Fabiano Fidêncio <fidencio@redhat.com>
Date: Mon, 21 Mar 2016 03:53:08 +0100
Subject: channel-usbredir: Fix crash due to a Task returning earlier than
 expected
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

g_task_return_error() has been completing the task immediately, not
cleaning up/setting up the device state to STATE_DISCONNECTED. It's been
causing a double free when trying to redirect a device without having
the ACL permissions for doing it. See the backtrace:

 #0  0x00007ffff24dc07d in g_type_check_instance_is_fundamentally_a (type_instance=type_instance@entry=0x14779d0, fundamental_type=fundamental_type@entry=80) at gtype.c:4032
 #1  0x00007ffff24bc447 in g_object_unref (_object=0x14779d0) at gobject.c:3076
 #2  0x00007ffff7bafc2a in connect_cb (gobject=0x87d9a0 [SpiceUsbDeviceManager], res=0x96f830, user_data=0x143e0e0)
     at usb-device-widget.c:485
 #3  0x00007ffff277f5a3 in g_task_return_now (task=0x96f830 [GTask]) at gtask.c:1106
 #4  0x00007ffff277fc4e in g_task_return (task=0x96f830 [GTask], type=<optimized out>) at gtask.c:1164
 #5  0x00007ffff786c277 in spice_usb_device_manager_channel_connect_cb (gobject=0x917940 [SpiceUsbredirChannel], channel_res=0x96f900, user_data=0x96f830) at usb-device-manager.c:1094
 #6  0x00007ffff277f5a3 in g_task_return_now (task=0x96f900 [GTask]) at gtask.c:1106
 #7  0x00007ffff277fc4e in g_task_return (task=0x96f900 [GTask], type=<optimized out>) at gtask.c:1164
 #8  0x00007ffff786699c in spice_usbredir_channel_open_acl_cb (gobject=0xa73b00 [SpiceUsbAclHelper], acl_res=0x96f9d0, user_data=0x917940) at channel-usbredir.c:300
 #9  0x00007ffff277f5a3 in g_task_return_now (task=0x96f9d0 [GTask]) at gtask.c:1106
 #10 0x00007ffff277fc4e in g_task_return (task=0x96f9d0 [GTask], type=<optimized out>) at gtask.c:1164
 #11 0x00007ffff27804d0 in g_task_return_new_error (task=0x96f9d0 [GTask], domain=<optimized out>, code=<optimized out>, format=<optimized out>) at gtask.c:1744
 #12 0x00007ffff786eade in cb_out_watch (channel=0x1488740, cond=G_IO_IN, user_data=0xa73b00) at usb-acl-helper.c:128
 #13 0x00007ffff21b8e3a in g_main_context_dispatch (context=0x647390) at gmain.c:3154
 #14 0x00007ffff21b8e3a in g_main_context_dispatch (context=context@entry=0x647390) at gmain.c:3769
 #15 0x00007ffff21b91d0 in g_main_context_iterate (context=0x647390, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3840
 #16 0x00007ffff21b94f2 in g_main_loop_run (loop=0x13d1ae0) at gmain.c:4034
 #17 0x00007ffff3ca5440 in gtk_dialog_run () at /lib64/libgtk-3.so.0
 #18 0x0000000000406a18 in menu_cb_select_usb_devices (action=0x9d62f0 [GtkAction], data=0x69aef0) at spicy.c:394
 #22 0x00007ffff24d28ff in <emit signal ??? on instance 0x9d62f0 [GtkAction]> (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at gsignal.c:3439
     #19 0x00007ffff24b77a5 in g_closure_invoke (closure=0xa0d0c0, return_value=return_value@entry=0x0, n_param_values=1, param_values=param_values@entry=0x7fffffffcf70, invocation_hint=invocation_hint@entry=0x7fffffffcef0) at gclosure.c:801
     #20 0x00007ffff24c9851 in signal_emit_unlocked_R (node=node@entry=0x63fc10, detail=detail@entry=0, instance=instance@entry=0x9d62f0, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffcf70) at gsignal.c:3627
     #21 0x00007ffff24d2530 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffd130) at gsignal.c:3383
 #23 0x00007ffff3bc23b0 in _gtk_action_emit_activate () at /lib64/libgtk-3.so.0
 #27 0x00007ffff24d28ff in <emit signal ??? on instance 0x9a8730 [GtkImageMenuItem]> (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at gsignal.c:3439
     #24 0x00007ffff24b77a5 in g_closure_invoke (closure=closure@entry=0x6607d0, return_value=return_value@entry=0x0, n_param_values=1, param_values=param_values@entry=0x7fffffffd3f0, invocation_hint=invocation_hint@entry=0x7fffffffd370) at gclosure.c:801
     #25 0x00007ffff24c938c in signal_emit_unlocked_R (node=node@entry=0x661050, detail=detail@entry=0, instance=instance@entry=0x9a8730, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffd3f0) at gsignal.c:3557
     #26 0x00007ffff24d2530 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffd5b0) at gsignal.c:3383
 #28 0x00007ffff3e7094e in gtk_widget_activate () at /lib64/libgtk-3.so.0
 #29 0x00007ffff3d4e4f6 in gtk_menu_shell_activate_item () at /lib64/libgtk-3.so.0
 #30 0x00007ffff3d4e824 in gtk_menu_shell_button_release () at /lib64/libgtk-3.so.0
 #31 0x00007ffff3d30fda in _gtk_marshal_BOOLEAN__BOXEDv () at /lib64/libgtk-3.so.0
 #32 0x00007ffff24b79d4 in _g_closure_invoke_va (closure=closure@entry=0x644d10, return_value=return_value@entry=0x7fffffffd900, instance=instance@entry=0x80faa0, args=args@entry=0x7fffffffd9d0, n_params=<optimized out>, param_types=0x644d40) at gclosure.c:864
 #33 0x00007ffff24d1dd3 in g_signal_emit_valist (instance=0x80faa0, signal_id=<optimized out>, detail=0, var_args=var_args@entry=0x7fffffffd9d0) at gsignal.c:3292
 #34 0x00007ffff24d28ff in g_signal_emit (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>) at gsignal.c:3439
 #35 0x00007ffff3e6e4bc in gtk_widget_event_internal () at /lib64/libgtk-3.so.0
 #36 0x00007ffff3d2e34e in propagate_event () at /lib64/libgtk-3.so.0
 #37 0x00007ffff3d300fc in gtk_main_do_event () at /lib64/libgtk-3.so.0
 #38 0x00007ffff38a8e92 in gdk_event_source_dispatch () at /lib64/libgdk-3.so.0
 #39 0x00007ffff21b8e3a in g_main_context_dispatch (context=0x647390) at gmain.c:3154
 #40 0x00007ffff21b8e3a in g_main_context_dispatch (context=context@entry=0x647390) at gmain.c:3769
 #41 0x00007ffff21b91d0 in g_main_context_iterate (context=0x647390, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3840
 #42 0x00007ffff21b94f2 in g_main_loop_run (loop=0x6e2730) at gmain.c:4034
 #43 0x000000000040b2f9 in main (argc=1, argv=0x7fffffffde48) at spicy.c:1920

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Acked-by: Pavel Grunt <pgrunt@redhat.com>
---
 src/channel-usbredir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/channel-usbredir.c b/src/channel-usbredir.c
index d04267f..dc96d09 100644
--- a/src/channel-usbredir.c
+++ b/src/channel-usbredir.c
@@ -296,12 +296,12 @@ static void spice_usbredir_channel_open_acl_cb(
         spice_usbredir_channel_open_device(channel, &err);
     }
     if (err) {
-        g_task_return_error(priv->task, err);
         libusb_unref_device(priv->device);
         priv->device = NULL;
         g_boxed_free(spice_usb_device_get_type(), priv->spice_device);
         priv->spice_device = NULL;
         priv->state  = STATE_DISCONNECTED;
+        g_task_return_error(priv->task, err);
     } else {
         g_task_return_boolean(priv->task, TRUE);
     }
-- 
cgit