From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: qemu-devel@nongnu.org
Cc: aliguori@us.ibm.com, qemu-stable@nongnu.org
Subject: [Qemu-devel] [PATCH 44/56] xhci: fix segfault
Date: Tue, 13 Aug 2013 10:11:08 -0500
Message-ID: <1376406680-16302-45-git-send-email-mdroth@linux.vnet.ibm.com>
In-Reply-To: <1376406680-16302-1-git-send-email-mdroth@linux.vnet.ibm.com>
From: Gerd Hoffmann <kraxel@redhat.com>
Guest trying to reset an endpoint of a disconnected device resulted in
xhci trying to dereference uport while being NULL, thereby crashing
qemu. Fix that by adding a check. Drop unused dev variable while
touching that code bit.
Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 75cc1c1fcba1987bdf3979c4289ab756c2b15742)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
hw/usb/hcd-xhci.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 632ede8..d88c1ae 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1395,7 +1395,6 @@ static TRBCCode xhci_reset_ep(XHCIState *xhci, unsigned int slotid,
{
XHCISlot *slot;
XHCIEPContext *epctx;
- USBDevice *dev;
trace_usb_xhci_ep_reset(slotid, epid);
assert(slotid >= 1 && slotid <= xhci->numslots);
@@ -1431,8 +1430,8 @@ static TRBCCode xhci_reset_ep(XHCIState *xhci, unsigned int slotid,
ep |= 0x80;
}
- dev = xhci->slots[slotid-1].uport->dev;
- if (!dev) {
+ if (!xhci->slots[slotid-1].uport ||
+ !xhci->slots[slotid-1].uport->dev) {
return CC_USB_TRANSACTION_ERROR;
}
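Review bot: the new condition spells out `xhci->slots[slotid-1]` twice; the `slot` pointer declared at the top of xhci_reset_ep() is the natural place for that lookup, so if it is already set to `&xhci->slots[slotid-1]` before this point the guard could read `if (!slot->uport || !slot->uport->dev)`. Folding a missing port into CC_USB_TRANSACTION_ERROR is the right completion code to hand back, since from the guest's side a detached port and an empty port are the same condition. Any other command handler in this file that follows `uport->dev` the same way deserves the same guard, because the guest can aim those commands at a disconnected slot just as easily as this one.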
--
1.7.9.5
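As an added illustration after the patch (not QEMU code: ModelSlot, reset_ep_before, reset_ep_after and the other names are invented for this example, and the completion-code values are placeholders), here is a minimal C model of the slot -> uport -> dev chain that the command handler walks. It puts the unguarded lookup beside the guarded one and drives both through the two distinct "nothing attached" states a guest can reach: a port with no device, and a slot whose port has already gone away.

```c
/* Added illustration, not QEMU code: a minimal model of the
 * slot -> uport -> dev chain that xhci_reset_ep() walks, with the
 * NULL check from the patch.  Every identifier below is invented. */
#include <stddef.h>
#include <stdio.h>

/* Completion codes returned to the guest; the numeric values are
 * arbitrary in this model. */
enum { CC_SUCCESS = 1, CC_USB_TRANSACTION_ERROR = 4 };

typedef struct { const char *name; } ModelDevice;
typedef struct { ModelDevice *dev; } ModelPort; /* dev == NULL: port is empty  */
typedef struct { ModelPort *uport; } ModelSlot; /* uport == NULL: port is gone */

#define MODEL_SLOTS 4
typedef struct { ModelSlot slots[MODEL_SLOTS]; } ModelXhci;

/* Handler as it was before the patch: follows uport without checking it,
 * so a slot whose port is already gone faults on the second arrow. */
static int reset_ep_before(ModelXhci *x, unsigned int slotid)
{
    ModelDevice *dev = x->slots[slotid - 1].uport->dev; /* NULL deref if uport == NULL */
    if (!dev) {
        return CC_USB_TRANSACTION_ERROR;
    }
    return CC_SUCCESS;
}

/* Handler with the patch applied: test the port pointer before
 * following it, and report "no port" the same way as "no device". */
static int reset_ep_after(ModelXhci *x, unsigned int slotid)
{
    ModelSlot *slot = &x->slots[slotid - 1];
    if (!slot->uport || !slot->uport->dev) {
        return CC_USB_TRANSACTION_ERROR;
    }
    return CC_SUCCESS;
}

/* Host-side events that produce the two "nothing there" states. */
static void model_unplug(ModelPort *p)    { p->dev = NULL; }   /* device removed */
static void model_drop_port(ModelSlot *s) { s->uport = NULL; } /* port torn down */

enum { STATE_ATTACHED, STATE_UNPLUGGED, STATE_PORT_GONE };

/* Put slot 1 into the requested state and run either handler on it.
 * Calling the unfixed handler in STATE_PORT_GONE reproduces the crash,
 * so only the fixed one is safe there. */
static int model_reset_in_state(int state, int fixed)
{
    ModelDevice dev = { "usb-storage" };
    ModelPort port = { &dev };
    ModelXhci x = { { { NULL } } };
    x.slots[0].uport = &port;
    if (state == STATE_UNPLUGGED) {
        model_unplug(&port);
    } else if (state == STATE_PORT_GONE) {
        model_drop_port(&x.slots[0]);
    }
    return fixed ? reset_ep_after(&x, 1) : reset_ep_before(&x, 1);
}

int main(void)
{
    printf("attached:  cc=%d\n", model_reset_in_state(STATE_ATTACHED, 1));
    printf("unplugged: cc=%d\n", model_reset_in_state(STATE_UNPLUGGED, 1));
    printf("port gone: cc=%d\n", model_reset_in_state(STATE_PORT_GONE, 1));
    return 0;
}
```

The point of the third state is that the pre-patch check on `dev` alone was never reached: the load of `uport->dev` is the fault, so testing its result cannot help. Guarding the pointer you are about to follow, not the value you get back, is the general rule for any guest-triggered command handler that walks host-side device state.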
Thread overview:
2013-08-13 15:10 [Qemu-devel] Patch Round-up for stable 1.5.3, freeze on 2013-08-16 Michael Roth