authorGerd Hoffmann <kraxel@redhat.com>2011-08-25 16:43:15 +0200
committerGerd Hoffmann <kraxel@redhat.com>2011-09-07 09:58:26 +0200
commit4d8debba766265d70cb7bf11570e3622512641d6 (patch)
tree91fb3dc80d1ece52056ddfcc0f80a1c15fb2c361 /hw/usb.c
parent0c402e5abb8c2755390eee864b43a98280fc2453 (diff)
usb: fix use after free
The ->complete() callback might have released the USBPacket (uhci actually does), so we must not touch it after the callback returns. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Diffstat (limited to 'hw/usb.c')
-rw-r--r--hw/usb.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/usb.c b/hw/usb.c
index 685e775..a091e4e 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -338,8 +338,8 @@ void usb_packet_complete(USBDevice *dev, USBPacket *p)
{
/* Note: p->owner != dev is possible in case dev is a hub */
assert(p->owner != NULL);
- dev->port->ops->complete(dev->port, p);
p->owner = NULL;
+ dev->port->ops->complete(dev->port, p);
}
/* Cancel an active packet. The packed must have been deferred by
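Review bot: The order of the last two statements in usb_packet_complete() is now what prevents the use after free, but nothing in the code says so. A later cleanup could move `p->owner = NULL;` back below the callback and silently reintroduce the bug. I would add a comment above the assignment, for example `/* Clear owner before the callback: ->complete() may free p (uhci does), so p must not be touched afterwards. */`. It also seems worth confirming that no port's complete() implementation reads p->owner, since it will now see NULL there; those callbacks are not visible in this hunk.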