--- /dev/null
+From f2575bbcfe89deabe1f8eab306854d35d7418537 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 16 Feb 2016 15:34:14 +0530
+Subject: [PATCH] usb: ohci avoid multiple eof timers
+
+When transitioning an OHCI controller to the OHCI_USB_OPERATIONAL
+state, it creates an eof timer object in 'ohci_bus_start'.
+It does not check if one already exists. This results in memory
+leakage and null dereference issue. Add a check to avoid it.
+
+Reported-by: Zuozhi Fzz <zuozhi.fzz@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/usb/hcd-ohci.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 7d65818..15f0b44 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -1331,11 +1331,11 @@ static void ohci_frame_boundary(void *opaque)
+ */
+ static int ohci_bus_start(OHCIState *ohci)
+ {
+- ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
+- ohci_frame_boundary,
+- ohci);
+-
+- if (ohci->eof_timer == NULL) {
++ if (!ohci->eof_timer) {
++ ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
++ ohci_frame_boundary, ohci);
++ }
++ if (!ohci->eof_timer) {
+ trace_usb_ohci_bus_eof_timer_failed(ohci->name);
+ ohci_die(ohci);
+ return 0;
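Review bot: The new `if (!ohci->eof_timer)` guard in ohci_bus_start is only sound if every path that frees the timer also resets `ohci->eof_timer` to NULL, and that stop/teardown code is outside this hunk, so it should be checked alongside this change. If a freed timer ever leaves a stale non-NULL pointer behind, the guard skips allocation and the code after this hunk would presumably use freed memory. I would document the invariant at the guard, e.g. `/* eof_timer is NULL whenever no timer is allocated; the stop path must clear it */`. A sturdier alternative is to allocate the timer once at device initialisation, so that repeated transitions to OHCI_USB_OPERATIONAL only arm and cancel it. ohci_bus_start's body continues past the end of the hunk.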
+--
+2.1.4
+