hw/msmouse.c: Fix deref_after_free and double free

msmouse_chr_close is only pointed by chr->chr_close in qemu_chr_close
function. After calling chr->chr_close, chr will be freed. So we don't
need to free it again here.

Signed-off-by: Yunlei Ding <yunlei.ding@citrix.com>
(defect not identified by Coverity Scan)
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

diff --git a/hw/msmouse.c b/hw/msmouse.c
index 69356a535730eb95f999268d7f8c1f7fb739cf90..2d2703b5e549241e6a0f289a8b56ef2f7e1b966d 100644 (file)
--- a/hw/msmouse.c
+++ b/hw/msmouse.c
@@ -61,7 +61,6 @@ static int msmouse_chr_write (struct CharDriverState *s, const uint8_t *buf, int
 
 static void msmouse_chr_close (struct CharDriverState *chr)
 {
-    qemu_free (chr);
 }
 
 CharDriverState *qemu_chr_open_msmouse(void)