diff options
| author | Anthony Liguori <aliguori@us.ibm.com> | 2013-08-05 08:01:25 -0500 |
|---|---|---|
| committer | Anthony Liguori <aliguori@us.ibm.com> | 2013-08-05 08:01:25 -0500 |
| commit | d94c426d46e01ad45fc5e3b8e5b485ca1b0158fe (patch) | |
| tree | 5be32e452260ee9f64736685d5c525507328325e /hw | |
| parent | b9ac5d923b820a0f0152a2df56067e55ce34f487 (diff) | |
| parent | a14ff8a650b5943ee6221b952494661f7cb3b5e2 (diff) | |
Merge remote-tracking branch 'kraxel/usb.86' into staging
# By Gerd Hoffmann
# Via Gerd Hoffmann
* kraxel/usb.86:
usb-redir: fix use-after-free
xhci: fix segfault
Message-id: 1375362669-14815-1-git-send-email-kraxel@redhat.com
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/usb/hcd-xhci.c | 5 | ||||
| -rw-r--r-- | hw/usb/redirect.c | 1 |
2 files changed, 3 insertions, 3 deletions
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 7cbf813696..ff5f68135c 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -1429,7 +1429,6 @@ static TRBCCode xhci_reset_ep(XHCIState *xhci, unsigned int slotid, { XHCISlot *slot; XHCIEPContext *epctx; - USBDevice *dev; trace_usb_xhci_ep_reset(slotid, epid); assert(slotid >= 1 && slotid <= xhci->numslots); @@ -1465,8 +1464,8 @@ static TRBCCode xhci_reset_ep(XHCIState *xhci, unsigned int slotid, ep |= 0x80; } - dev = xhci->slots[slotid-1].uport->dev; - if (!dev) { + if (!xhci->slots[slotid-1].uport || + !xhci->slots[slotid-1].uport->dev) { return CC_USB_TRANSACTION_ERROR; } diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index 8b8c010d94..e3b9f324b3 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev) USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev); qemu_chr_delete(dev->cs); + dev->cs = NULL; /* Note must be done after qemu_chr_close, as that causes a close event */ qemu_bh_delete(dev->chardev_close_bh); |