From 538a30f8dba32ffe3b527cfd0cad8ab0decec0aa Mon Sep 17 00:00:00 2001
From: Augustin Cavalier
Date: Sat, 27 Jul 2019 13:17:35 -0400
Subject: [PATCH] XHCI: Fix use-after-free in FreeDevice. Spotted by PVS-Studio.
---
 src/add-ons/kernel/busses/usb/xhci.cpp | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/add-ons/kernel/busses/usb/xhci.cpp b/src/add-ons/kernel/busses/usb/xhci.cpp
index 6df84746e2..e2d072deb7 100644
--- a/src/add-ons/kernel/busses/usb/xhci.cpp
+++ b/src/add-ons/kernel/busses/usb/xhci.cpp
@@ -1651,8 +1651,9 @@ XHCI::AllocateDevice(Hub *parent, int8 hubAddress, uint8 hubPort,
 void
 XHCI::FreeDevice(Device *device)
 {
- uint8 slot = fPortSlots[device->HubPort()];
- TRACE("FreeDevice() port %d slot %d\n", device->HubPort(), slot);
+ uint8 hubPort = device->HubPort();
+ uint8 slot = fPortSlots[hubPort];
+ TRACE("FreeDevice() port %d slot %d\n", hubPort, slot);
 // Delete the device first, so it cleans up its pipes and tells us
 // what we need to destroy before we tear down our internal state.
@@ -1660,7 +1661,7 @@ XHCI::FreeDevice(Device *device)
 DisableSlot(slot);
 fDcba->baseAddress[slot] = 0;
- fPortSlots[device->HubPort()] = 0;
+ fPortSlots[hubPort] = 0;
 delete_area(fDevices[slot].trb_area);
 delete_area(fDevices[slot].input_ctx_area);
 delete_area(fDevices[slot].device_ctx_area);
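Review bot: The new `hubPort` local in the first hunk is the only thing that keeps the rest of FreeDevice from touching freed memory, yet nothing in the code says `device` is dead once the delete announced by the existing comment has run. A later edit could reintroduce `device->HubPort()` below that point without anyone noticing. I would add a comment above the declaration, for example `// Read everything we need from the device now; it is deleted below and must not be dereferenced afterwards.` The delete statement and the rest of the function body lie outside this hunk.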
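Review bot: In the second hunk `slot` is still used unchecked: it is passed to `DisableSlot`, used as an index into `fDcba->baseAddress` and `fDevices`, and its areas are deleted. This hunk also shows that a freed port's entry is reset to 0, so a second FreeDevice for the same port, or a device whose port never got a slot, would run the whole teardown against slot 0. Whether index 0 is a real device entry is not visible here, but a guard such as `if (slot == 0) return;` just before `DisableSlot(slot);` would make the removal path safe against repeated or out-of-order detach events. `hubPort` is likewise used to index `fPortSlots` without a range check, and the array's size is not shown in the hunk.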