File CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch of Package xen.11298
References: bsc#967101 CVE-2016-2391
From d1b07becc481e09225cfe905ec357807ae07f095 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <address@hidden>
Date: Tue, 16 Feb 2016 15:15:04 +0100
Subject: [PATCH] ohci timer fix
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/hcd-ohci.c | 31 +++++--------------------------
1 file changed, 5 insertions(+), 26 deletions(-)
Index: xen-4.5.2-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ohci.c
===================================================================
--- xen-4.5.2-testing.orig/tools/qemu-xen-dir-remote/hw/usb/hcd-ohci.c
+++ xen-4.5.2-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ohci.c
@@ -1351,16 +1351,6 @@ static void ohci_frame_boundary(void *op
*/
static int ohci_bus_start(OHCIState *ohci)
{
- ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
- ohci_frame_boundary,
- ohci);
-
- if (ohci->eof_timer == NULL) {
- fprintf(stderr, "usb-ohci: %s: timer_new_ns failed\n", ohci->name);
- ohci_die(ohci);
- return 0;
- }
-
DPRINTF("usb-ohci: %s: USB Operational\n", ohci->name);
ohci_sof(ohci);
@@ -1371,9 +1361,7 @@ static int ohci_bus_start(OHCIState *ohc
/* Stop sending SOF tokens on the bus */
static void ohci_bus_stop(OHCIState *ohci)
{
- if (ohci->eof_timer)
- timer_del(ohci->eof_timer);
- ohci->eof_timer = NULL;
+ timer_del(ohci->eof_timer);
}
/* Sets a flag in a port status register but only set it if the port is
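Review bot: `timer_del(ohci->eof_timer);` in ohci_bus_stop now runs without the NULL guard, and timer_del dereferences its argument, so the call is only safe if eof_timer is allocated before any path can reach this function. That invariant is set up in usb_ohci_init (the last hunk shown here), and nothing in ohci_bus_stop records it. I would add a comment above the call, `/* eof_timer is created once in usb_ohci_init() and is never NULL or freed while the device exists */`, so that a later change which frees or lazily creates the timer does not bring back the CVE-2016-2391 crash.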
@@ -1901,6 +1889,8 @@ static int usb_ohci_init(OHCIState *ohci
ohci->async_td = 0;
qemu_register_reset(ohci_reset, ohci);
+ ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
+ ohci_frame_boundary, ohci);
return 0;
}
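Review bot: The timer is created after `qemu_register_reset(ohci_reset, ohci);`, so the reset handler is registered while eof_timer is still NULL. If ohci_reset reaches ohci_bus_stop (not visible in this patch), the now-unguarded timer_del relies on no reset running in that window. Moving the two added lines above the registration makes the order safe by construction: `ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, ohci_frame_boundary, ohci);` followed by `qemu_register_reset(ohci_reset, ohci);`. The visible hunks also show no matching `timer_del`/`timer_free` on a teardown path, so if this controller can be unplugged, the exit handler should stop and release the timer so the callback cannot fire on freed state. usb_ohci_init begins outside the hunk, so earlier return paths could not be checked.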