From: Li Zhang <[email protected]>

When executing the QMP command "chardev-change" to change the backend device to socket, it will cause a segmentation fault because it assumes chr->label is non-NULL in function yank_register_instance. The function qmp_chardev_change calls chardev_new, whose label is NULL when creating a new chardev. The label will be passed to yank_register_instance, which causes a segmentation fault. The call chain is as follows:

chardev_new -> qemu_char_open -> cc->open -> qmp_chardev_open_socket -> yank_register_instance
Signed-off-by: Li Zhang <[email protected]> --- chardev/char-socket.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/chardev/char-socket.c b/chardev/char-socket.c index c8bced76b7..26d5172682 100644 --- a/chardev/char-socket.c +++ b/chardev/char-socket.c @@ -1421,10 +1421,12 @@ static void qmp_chardev_open_socket(Chardev *chr, qemu_chr_set_feature(chr, QEMU_CHAR_FEATURE_FD_PASS); } - if (!yank_register_instance(CHARDEV_YANK_INSTANCE(chr->label), errp)) { - return; + if (chr->label) { + if (!yank_register_instance(CHARDEV_YANK_INSTANCE(chr->label), errp)) { + return; + } + s->registered_yank = true; } - s->registered_yank = true; /* be isn't opened until we get a connection */ *be_opened = false; -- 2.25.1
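Review bot: Guarding the registration with `if (chr->label)` avoids the NULL dereference, but it silently skips yank registration for every socket chardev opened without a label, so the replacement chardev created by chardev-change ends up with no yank instance at all (and `s->registered_yank` stays false, so nothing is ever unregistered for it either). If yank coverage is expected to survive a chardev-change, the label should be set on the new chardev before `cc->open` runs, or the registration should happen once the label is known; otherwise the commit message should state that yank is intentionally unavailable for such chardevs. As a minor point, the two nested `if` statements in the hunk could be one condition (`if (chr->label && !yank_register_instance(...))`), but the nested form does make the `s->registered_yank = true` placement clearer.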
