9290838132
Fix segfault with zero length virtio-scsi disk (bz #847549)
50 lines
1.9 KiB
Diff
50 lines
1.9 KiB
Diff
From c7251f2557d09ce4b8466eeccd0f3264c297c515 Mon Sep 17 00:00:00 2001
|
|
From: Hans de Goede <hdegoede@redhat.com>
|
|
Date: Thu, 30 Aug 2012 15:18:24 +0200
|
|
Subject: [PATCH] ehci: Properly report completed but not yet processed packets
|
|
to the guest
|
|
|
|
Reported packets which have completed before being cancelled as such to the
|
|
host. Note that the new code path this patch adds is untested since it I've
|
|
been unable to actually trigger the race which needs this code path.
|
|
|
|
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
|
(cherry picked from commit 4b63a0df3bda8a2c278e45d9d94d9ba6d5791d8d)
|
|
|
|
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
|
|
---
|
|
hw/usb/hcd-ehci.c | 13 +++++++++++++
|
|
1 file changed, 13 insertions(+)
|
|
|
|
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
|
index 4fe85c8..0a6c9ef 100644
|
|
--- a/hw/usb/hcd-ehci.c
|
|
+++ b/hw/usb/hcd-ehci.c
|
|
@@ -489,6 +489,9 @@ static const char *ehci_mmio_names[] = {
|
|
[CONFIGFLAG] = "CONFIGFLAG",
|
|
};
|
|
|
|
+static int ehci_state_executing(EHCIQueue *q);
|
|
+static int ehci_state_writeback(EHCIQueue *q);
|
|
+
|
|
static const char *nr2str(const char **n, size_t len, uint32_t nr)
|
|
{
|
|
if (nr < len && n[nr] != NULL) {
|
|
@@ -750,6 +753,16 @@ static void ehci_free_packet(EHCIPacket *p)
|
|
usb_packet_unmap(&p->packet, &p->sgl);
|
|
qemu_sglist_destroy(&p->sgl);
|
|
}
|
|
+ if (p->async == EHCI_ASYNC_FINISHED) {
|
|
+ int state = ehci_get_state(p->queue->ehci, p->queue->async);
|
|
+ /* This is a normal, but rare condition (cancel racing completion) */
|
|
+ fprintf(stderr, "EHCI: Warning packet completed but not processed\n");
|
|
+ ehci_state_executing(p->queue);
|
|
+ ehci_state_writeback(p->queue);
|
|
+ ehci_set_state(p->queue->ehci, p->queue->async, state);
|
|
+ /* state_writeback recurses into us with async == EHCI_ASYNC_NONE!! */
|
|
+ return;
|
|
+ }
|
|
QTAILQ_REMOVE(&p->queue->packets, p, next);
|
|
usb_packet_cleanup(&p->packet);
|
|
g_free(p);
|