File CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch of Package xen.openSUSE_Leap_42.2_Update
References: bsc#967101 CVE-2016-2391
From d1b07becc481e09225cfe905ec357807ae07f095 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <address@hidden>
Date: Tue, 16 Feb 2016 15:15:04 +0100
Subject: [PATCH] ohci timer fix
Signed-off-by: Gerd Hoffmann <address@hidden>
---
 hw/usb/hcd-ohci.c | 31 +++++--------------------------
 1 file changed, 5 insertions(+), 26 deletions(-)
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
@@ -1139,16 +1139,6 @@ static void ohci_frame_boundary(void *op
  */
 static int ohci_bus_start(OHCIState *ohci)
 {
-    ohci->eof_timer = qemu_new_timer(vm_clock,
-                    ohci_frame_boundary,
-                    ohci);
-
-    if (ohci->eof_timer == NULL) {
-        fprintf(stderr, "usb-ohci: %s: qemu_new_timer failed\n", ohci->name);
-        /* TODO: Signal unrecoverable error */
-        return 0;
-    }
-
     dprintf("usb-ohci: %s: USB Operational\n", ohci->name);
 
     ohci_sof(ohci);
@@ -1159,9 +1149,7 @@ static int ohci_bus_start(OHCIState *ohc
 /* Stop sending SOF tokens on the bus */
 static void ohci_bus_stop(OHCIState *ohci)
 {
-    if (ohci->eof_timer)
-        qemu_del_timer(ohci->eof_timer);
-    ohci->eof_timer = NULL;
+     qemu_del_timer(ohci->eof_timer);
 }
 
 /* Sets a flag in a port status register but only set it if the port is
@@ -1654,6 +1642,9 @@ static void usb_ohci_init(OHCIState *ohc
     ohci->async_td = 0;
     qemu_register_reset(ohci_reset, ohci);
     ohci_reset(ohci);
+
+    ohci->eof_timer = qemu_new_timer(vm_clock,
+                                   ohci_frame_boundary, ohci);
 }
 
 typedef struct {