author | Gerd Hoffmann <kraxel@redhat.com> | 2011-08-25 16:43:15 +0200 |
---|---|---|
committer | Gerd Hoffmann <kraxel@redhat.com> | 2011-09-07 09:58:26 +0200 |
commit | 4d8debba766265d70cb7bf11570e3622512641d6 (patch) | |
tree | 91fb3dc80d1ece52056ddfcc0f80a1c15fb2c361 /hw/usb.c | |
parent | 0c402e5abb8c2755390eee864b43a98280fc2453 (diff) | |
usb: fix use after free
The ->complete() callback might have released the USBPacket (uhci
actually does), so we must not touch it after the callback returns.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'hw/usb.c')
-rw-r--r-- | hw/usb.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -338,8 +338,8 @@ void usb_packet_complete(USBDevice *dev, USBPacket *p) { /* Note: p->owner != dev is possible in case dev is a hub */ assert(p->owner != NULL); - dev->port->ops->complete(dev->port, p); p->owner = NULL; + dev->port->ops->complete(dev->port, p); } /* Cancel an active packet. The packed must have been deferred by |
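Review bot: the placement of `p->owner = NULL;` ahead of `dev->port->ops->complete(dev->port, p);` in usb_packet_complete() is now an ordering constraint that the code itself does not document. A short comment directly above the callback, saying that complete() may release p and that p must not be dereferenced after it returns, would stop a later cleanup from moving the assignment back below the call and reintroducing the use after free. Separately, complete() implementations now see p->owner == NULL on entry where they previously saw the owning device; the visible lines do not show whether any callback reads p->owner, so that is worth confirming for each port ops implementation before merging.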