peterdelevoryas / rpms / qemu

Blame 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch

From: Li Qiang <liqiang6-s@360.cn>
Date: Sun, 18 Sep 2016 19:48:35 -0700
Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd

While processing isochronous transfer descriptors (iTD), if the page
select (PG) field value is out of bounds it will return. In this
situation the ehci's sg list is not freed, thus leading to a memory
leak issue. This patch avoids this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a)
---
 hw/usb/hcd-ehci.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index b093db7..f4ece9a 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
             if (off + len > 4096) {
                 /* transfer crosses page border */
                 if (pg == 6) {
+                    qemu_sglist_destroy(&ehci->isgl);
                     return -1;  /* avoid page pg + 1 */
                 }
                 ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
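
Review bot: the free at the `pg == 6` early return is open-coded on this one error path, so any other exit taken after `ehci->isgl` is initialised needs the same line and is easy to miss in a later change. Consider routing the failure through a single cleanup label that calls `qemu_sglist_destroy(&ehci->isgl)` before returning, and confirm against the full function that no other return between the sglist init and its normal destroy skips the free. The commit message could also note that the iTD fields are read from guest memory, so the leak can be triggered repeatedly from inside the guest.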