From patchwork Mon Sep 19 02:48:35 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Li Qiang <liq3ea@gmail.com>
X-Patchwork-Id: 671535
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [208.118.235.17])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3scr3n24kGz9s5g
	for <incoming@patchwork.ozlabs.org>;
	Mon, 19 Sep 2016 12:50:44 +1000 (AEST)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com header.b=Wh4fOer2;
	dkim-atps=neutral
Received: from localhost ([::1]:52444 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)
	id 1blofH-0004Zw-Tc
	for incoming@patchwork.ozlabs.org; Sun, 18 Sep 2016 22:50:39 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:45605)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <liq3ea@gmail.com>) id 1bloea-0004Cg-BM
	for qemu-devel@nongnu.org; Sun, 18 Sep 2016 22:49:57 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <liq3ea@gmail.com>) id 1bloeW-0005e1-9A
	for qemu-devel@nongnu.org; Sun, 18 Sep 2016 22:49:55 -0400
Received: from mail-wm0-f68.google.com ([74.125.82.68]:32831)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <liq3ea@gmail.com>) id 1bloeW-0005dJ-2M
	for qemu-devel@nongnu.org; Sun, 18 Sep 2016 22:49:52 -0400
Received: by mail-wm0-f68.google.com with SMTP id w84so5536146wmg.0
	for <qemu-devel@nongnu.org>; Sun, 18 Sep 2016 19:49:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=message-id:from:to:cc:subject:date;
	bh=e5QIOnl0YRl9YTBNm/1KYMzpq/Dd1Et1tQPdiTQF7Tw=;
	b=Wh4fOer2Nomzj55IWwwAaVlB0JBwS5FWcVxNVBpw67LZeNsbc1M2QyMT9ziIG4baoj
	qL0SrsqW67dSZL/I/Unxm/pn2eAe2Koq5d17qDD6ck2GoEnCOwzi1UTCSA6QQt5JYEB0
	BsHCdA4XX/4kpj2ZxvQrdgxnEcPpOvai7g1S/L27TnYAOAtI6JjXxc6uPjmFwGTZbEvX
	NuWAKFI1lIJCnshLLCGB8h9w7YjD0RFk1fdCpvKbi947AhIeizCIauF3mIPgWWs4R4Ck
	GdC3jnBfAsNr1xhmg3ZJmPoeX+zeY1RNFiGb+QG5Sd4bDeKJ47wAn7peUp2NWZh/tehD
	XuZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:message-id:from:to:cc:subject:date;
	bh=e5QIOnl0YRl9YTBNm/1KYMzpq/Dd1Et1tQPdiTQF7Tw=;
	b=C19cuEpbokJb/Z9OjJWjOp8k456FkjLIaEunOAlZHcbg4sDslbbSY5t66iLeVjNcKQ
	3CnFzEhi4uBintTviDMxIsd0nfaFti+errjJRYwBcGkECzART9CXiaEj1hxxBNU0ULeB
	xS4LhH6/5qLff1L6/hTTc0ArmXVFuLfdOUrgGtC4qffOKQfiO49Re2OpFdm695sR69jl
	5tti0AUVXqJZ+JHssboIEfodf5AWGipLsRtEyyuG8L1SakXuEzmjtgwtZF0cf/1NJu2S
	n9YZZZL7LOKGUAZc7rBp+5D3KM4kXVfAU/Gcg1MbKQQT9Oksrsbjs6KqLikj9PALYTsX
	DEWQ==
X-Gm-Message-State: 
 AE9vXwOUQYgmbOcfROemtJQ/mogbg6ADSKYugIh8S6bIRMo2iBAHZtAP5CTvWzlLjBuPMw==
X-Received: by 10.194.95.36 with SMTP id dh4mr21205811wjb.156.1474253331127;
	Sun, 18 Sep 2016 19:48:51 -0700 (PDT)
Received: from localhost.localdomain.localdomain ([104.192.110.250])
	by smtp.gmail.com with ESMTPSA id
	bk7sm20641462wjc.36.2016.09.18.19.48.48
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Sun, 18 Sep 2016 19:48:50 -0700 (PDT)
Message-ID: <57df5212.87adc20a.7f06f.fda3@mx.google.com>
X-Google-Original-Message-ID: 
 <1474253315-6312-1-git-send-email-Qiang(liqiang6-s@360.cn)>
From: Li Qiang <liq3ea@gmail.com>
X-Google-Original-From: Li Qiang(liqiang6-s@360.cn)
To: kraxel@redhat.com,
	qemu-devel@nongnu.org
Date: Sun, 18 Sep 2016 19:48:35 -0700
X-Mailer: git-send-email 1.8.3.1
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
	[fuzzy]
X-Received-From: 74.125.82.68
Subject: [Qemu-devel] [PATCH] usb: ehci: fix memory leak in ehci_process_itd
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel/>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Li Qiang <liqiang6-s@360.cn>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>

From: Li Qiang <liqiang6-s@360.cn>

While processing isochronous transfer descriptors(iTD), if the page
select(PG) field value is out of bands it will return. In this
situation the ehci's sg list doesn't be freed thus leading a memory
leak issue. This patch avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Thomas Huth <thuth@redhat.com>
---
 hw/usb/hcd-ehci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index b093db7..f4ece9a 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
             if (off + len > 4096) {
                 /* transfer crosses page border */
                 if (pg == 6) {
+                    qemu_sglist_destroy(&ehci->isgl);
                     return -1;  /* avoid page pg + 1 */
                 }
                 ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);