From bba21b64c47889ee3a11b3f011fab73b84697e16 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 11 Jul 2014 14:20:37 +0200
Subject: [PATCH 04/43] usb-redir: fix use-after-free
Message-id: <1405088470-24115-5-git-send-email-kraxel@redhat.com>
Patchwork-id: 59819
O-Subject: [RHEL-7.1 qemu-kvm PATCH 04/37] usb-redir: fix use-after-free
Bugzilla: 1046574 1088116
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Hans de Goede <hdegoede@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
Reinitialize dev->cs to NULL after deleting it, to make sure it isn't
used afterwards.
Reported-by: Martin Cerveny <M.Cerveny@computer.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit a14ff8a650b5943ee6221b952494661f7cb3b5e2)
---
 hw/usb/redirect.c | 1 +
 1 file changed, 1 insertion(+)
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/usb/redirect.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 8b8c010..e3b9f32 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
     USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
 
     qemu_chr_delete(dev->cs);
+    dev->cs = NULL;
     /* Note must be done after qemu_chr_close, as that causes a close event */
     qemu_bh_delete(dev->chardev_close_bh);
 
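Review bot: In usbredir_handle_destroy(), the new `dev->cs = NULL;` only helps if every later reader of dev->cs tests for NULL first; otherwise the use-after-free becomes a NULL dereference rather than being fixed. The context comment states that deleting the chardev causes a close event, and chardev_close_bh is still alive until the following qemu_bh_delete() call, so anything run from that event executes while dev->cs has not yet been cleared (the assignment comes after qemu_chr_delete() returns). Please name in the commit message the path that used dev->cs after deletion, and confirm that it checks the pointer. Separately, the comment refers to qemu_chr_close while the call above it is qemu_chr_delete; updating the comment would keep the ordering note accurate.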
-- 
1.8.3.1