diff mbox

[7/7] usb: fix use after free

Message ID 1314284817-9034-8-git-send-email-kraxel@redhat.com
State New
Headers show

Commit Message

Gerd Hoffmann Aug. 25, 2011, 3:06 p.m. UTC 
The ->complete() callback might have released the USBPacket (uhci
actually does), so we must not touch it after the callback returns.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff mbox

Patch

diff --git a/hw/usb.c b/hw/usb.c
index 685e775..a091e4e 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -338,8 +338,8 @@  void usb_packet_complete(USBDevice *dev, USBPacket *p)
 {
     /* Note: p->owner != dev is possible in case dev is a hub */
     assert(p->owner != NULL);
-    dev->port->ops->complete(dev->port, p);
     p->owner = NULL;
+    dev->port->ops->complete(dev->port, p);
 }
 
 /* Cancel an active packet.  The packed must have been deferred by