Message ID | 57df5212.87adc20a.7f06f.fda3@mx.google.com (mailing list archive) |
---|---|
State | New, archived |
Ping! 2016-09-19 10:48 GMT+08:00 Li Qiang <liq3ea@gmail.com>: > From: Li Qiang <liqiang6-s@360.cn> > > While processing isochronous transfer descriptors(iTD), if the page > select(PG) field value is out of bands it will return. In this > situation the ehci's sg list doesn't be freed thus leading a memory > leak issue. This patch avoid this. > > Signed-off-by: Li Qiang <liqiang6-s@360.cn> > --- > hw/usb/hcd-ehci.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c > index b093db7..f4ece9a 100644 > --- a/hw/usb/hcd-ehci.c > +++ b/hw/usb/hcd-ehci.c > @@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci, > if (off + len > 4096) { > /* transfer crosses page border */ > if (pg == 6) { > + qemu_sglist_destroy(&ehci->isgl); > return -1; /* avoid page pg + 1 */ > } > ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); > -- > 1.8.3.1 > >
On 19.09.2016 04:48, Li Qiang wrote: > From: Li Qiang <liqiang6-s@360.cn> > > While processing isochronous transfer descriptors(iTD), if the page > select(PG) field value is out of bands it will return. In this > situation the ehci's sg list doesn't be freed thus leading a memory s/doesn't be/is not/ > leak issue. This patch avoid this. > > Signed-off-by: Li Qiang <liqiang6-s@360.cn> > --- > hw/usb/hcd-ehci.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c > index b093db7..f4ece9a 100644 > --- a/hw/usb/hcd-ehci.c > +++ b/hw/usb/hcd-ehci.c > @@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci, > if (off + len > 4096) { > /* transfer crosses page border */ > if (pg == 6) { > + qemu_sglist_destroy(&ehci->isgl); > return -1; /* avoid page pg + 1 */ > } > ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); > Looks right to me. Reviewed-by: Thomas Huth <thuth@redhat.com>
Applied to -trivial with comment fix, thanks! /mjt
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index b093db7..f4ece9a 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci, if (off + len > 4096) { /* transfer crosses page border */ if (pg == 6) { + qemu_sglist_destroy(&ehci->isgl); return -1; /* avoid page pg + 1 */ } ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
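Review bot: in the `if (pg == 6)` branch the added `qemu_sglist_destroy(&ehci->isgl);` repairs this one early return, but the cleanup is now written by hand on a single error path, and the hunk does not show the other exits of `ehci_process_itd()` that can be taken while the sg list is live. Each of those should be checked for the same leak, and routing the error returns through one cleanup label that destroys `ehci->isgl` would keep a later early return from reintroducing it. The comment `/* avoid page pg + 1 */` could also say why, since the guarded access is `itd->bufptr[pg + 1]` on the following line. Finally, the branch is reached from values carried in the iTD (`off + len > 4096` with `pg == 6`), so the commit message should state whether a guest can trigger it repeatedly, which decides whether this is a one-off leak or unbounded host memory growth.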