As SpiceCharDeviceState is only unref on spice_char_device_state_destroy the same device could be destroyed more then once so the pointers that are freed should be set to NULL. Related: https://bugzilla.redhat.com/show_bug.cgi?id=1281455 --- server/char_device.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/server/char_device.c b/server/char_device.c index fe38385..ae7cb98 100644 --- a/server/char_device.c +++ b/server/char_device.c @@ -742,11 +742,13 @@ void spice_char_device_state_destroy(SpiceCharDeviceState *char_dev) reds_on_char_device_state_destroy(char_dev); if (char_dev->write_to_dev_timer) { core->timer_remove(char_dev->write_to_dev_timer); + char_dev->write_to_dev_timer = NULL; } write_buffers_queue_free(&char_dev->write_queue); write_buffers_queue_free(&char_dev->write_bufs_pool); char_dev->cur_pool_size = 0; spice_char_device_write_buffer_free(char_dev->cur_write_buf); + char_dev->cur_write_buf = NULL; while (!ring_is_empty(&char_dev->clients)) { RingItem *item = ring_get_tail(&char_dev->clients); -- 2.5.0 _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel