From bba21b64c47889ee3a11b3f011fab73b84697e16 Mon Sep 17 00:00:00 2001

From: Gerd Hoffmann <kraxel@redhat.com>

Date: Fri, 11 Jul 2014 14:20:37 +0200

Subject: [PATCH 04/43] usb-redir: fix use-after-free

Message-id: <1405088470-24115-5-git-send-email-kraxel@redhat.com>

Patchwork-id: 59819

O-Subject: [RHEL-7.1 qemu-kvm PATCH 04/37] usb-redir: fix use-after-free

Bugzilla: 1046574 1088116

RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>

RH-Acked-by: Hans de Goede <hdegoede@redhat.com>

RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>

RH-Acked-by: Markus Armbruster <armbru@redhat.com>

RH-Acked-by: Laszlo Ersek <lersek@redhat.com>

Reinitialize dev->cs to NULL after deleting it, to make sure it isn't

used afterwards.

Reported-by: Martin Cerveny <M.Cerveny@computer.org>

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

(cherry picked from commit a14ff8a650b5943ee6221b952494661f7cb3b5e2)

---

 hw/usb/redirect.c | 1 +

 1 file changed, 1 insertion(+)

Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>

---

 hw/usb/redirect.c | 1 +

 1 file changed, 1 insertion(+)

diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c

index 8b8c010..e3b9f32 100644

--- a/hw/usb/redirect.c

+++ b/hw/usb/redirect.c

@@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev)

     USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);

     qemu_chr_delete(dev->cs);

+    dev->cs = NULL;

     /* Note must be done after qemu_chr_close, as that causes a close event */

     qemu_bh_delete(dev->chardev_close_bh);

-- 

1.8.3.1