diff mbox

[6/7] usb: fix use after free

Message ID 1314957674-30133-7-git-send-email-kraxel@redhat.com
State New
Headers show

Commit Message

Gerd Hoffmann Sept. 2, 2011, 10:01 a.m. UTC 
The ->complete() callback might have released the USBPacket (uhci
actually does), so we must not touch it after the callback returns.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 722d89396b6ccb49cd9d3aafd991ae01c8a30744)
---
 hw/usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff mbox

Patch

diff --git a/hw/usb.c b/hw/usb.c
index 27a983c..b44e997 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -334,8 +334,8 @@  void usb_packet_complete(USBDevice *dev, USBPacket *p)
 {
     /* Note: p->owner != dev is possible in case dev is a hub */
     assert(p->owner != NULL);
-    dev->port->ops->complete(dev->port, p);
     p->owner = NULL;
+    dev->port->ops->complete(dev->port, p);
 }
 
 /* Cancel an active packet.  The packed must have been deferred by