From 3491d5efb416c4951dc0b68339b615ad9cb4f473 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 16 Mar 2012 13:25:19 +0100
Subject: [PATCH 2/2] usb: fix use after free

RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1331904319-960-1-git-send-email-kraxel@redhat.com>
Patchwork-id: 38591
O-Subject: [RHEL-6.3 qemu-kvm PATCH] usb: fix use after free
Bugzilla: 796118
RH-Acked-by: Hans de Goede <hdegoede@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Alex Williamson <alex.williamson@redhat.com>

The ->complete() callback might have released the USBPacket (uhci
actually does), so we must not touch it after the callback returns.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 4d8debba766265d70cb7bf11570e3622512641d6)

bugzilla: 796118 -- qemu hits core dump when boot guest with 2
                    pass-though usb devices under 1.1 controller
---
 hw/usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
 hw/usb.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/usb.c b/hw/usb.c
index 056f6c5..271a67b 100644
--- a/hw/usb.c
+++ b/hw/usb.c
@@ -343,8 +343,8 @@ void usb_packet_complete(USBDevice *dev, USBPacket *p)
 {
     /* Note: p->owner != dev is possible in case dev is a hub */
     assert(p->owner != NULL);
-    dev->port->ops->complete(dev->port, p);
     p->owner = NULL;
+    dev->port->ops->complete(dev->port, p);
 }
 
 /* Cancel an active packet.  The packed must have been deferred by
-- 
1.7.7.6