From: Yunlei Ding <yunlei.ding@citrix.com>
Date: Mon, 17 Mar 2014 05:37:49 +0000 (+0000)
Subject: hw/msmouse.c: Fix deref_after_free and double free
X-Git-Tag: xen-4.6.1~20
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=a4d48935c97839337f6aa8b2bb944e92bb9909df;p=qemu-xen-traditional.git

hw/msmouse.c: Fix deref_after_free and double free

msmouse_chr_close is only pointed by chr->chr_close in qemu_chr_close
function. After calling chr->chr_close, chr will be freed. So we don't
need to free it again here.

Signed-off-by: Yunlei Ding <yunlei.ding@citrix.com>
(defect not identified by Coverity Scan)
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
---

diff --git a/hw/msmouse.c b/hw/msmouse.c
index 69356a53..2d2703b5 100644
--- a/hw/msmouse.c
+++ b/hw/msmouse.c
@@ -61,7 +61,6 @@ static int msmouse_chr_write (struct CharDriverState *s, const uint8_t *buf, int
 
 static void msmouse_chr_close (struct CharDriverState *chr)
 {
-    qemu_free (chr);
 }
 
 CharDriverState *qemu_chr_open_msmouse(void)