From bba21b64c47889ee3a11b3f011fab73b84697e16 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 11 Jul 2014 14:20:37 +0200
Subject: [PATCH 04/43] usb-redir: fix use-after-free
Message-id: <1405088470-24115-5-git-send-email-kraxel@redhat.com>
Patchwork-id: 59819
O-Subject: [RHEL-7.1 qemu-kvm PATCH 04/37] usb-redir: fix use-after-free
Bugzilla: 1046574 1088116
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Hans de Goede <hdegoede@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
Reinitialize dev->cs to NULL after deleting it, to make sure it isn't
used afterwards.
Reported-by: Martin Cerveny <M.Cerveny@computer.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit a14ff8a650b5943ee6221b952494661f7cb3b5e2)
---
 hw/usb/redirect.c | 1 +
 1 file changed, 1 insertion(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/usb/redirect.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
958e1b
index 8b8c010..e3b9f32 100644
958e1b
--- a/hw/usb/redirect.c
958e1b
+++ b/hw/usb/redirect.c
958e1b
@@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
958e1b
     USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
958e1b
 
958e1b
     qemu_chr_delete(dev->cs);
958e1b
+    dev->cs = NULL;
958e1b
     /* Note must be done after qemu_chr_close, as that causes a close event */
958e1b
     qemu_bh_delete(dev->chardev_close_bh);
958e1b
 
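Review bot: The added `dev->cs = NULL;` takes effect only after `qemu_chr_delete(dev->cs)` has returned, and the context comment says the close raises a close event, so a handler that fires during the delete would still see the old pointer; it is worth confirming that no such handler dereferences `dev->cs` at that point. The assignment also helps only where later code tests `dev->cs` before using it, and the rest of usbredir_handle_destroy lies outside the hunk, so that cannot be checked here. I would record the intent next to the line, e.g. `/* cs is freed above; clear it so later teardown sees NULL instead of a dangling pointer */`. The existing comment names `qemu_chr_close` while the call is `qemu_chr_delete`, which is worth aligning in a follow-up.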
-- 
1.8.3.1