From 04c9b45704f42bd398407acc3e2d3749ac5c00b7 Mon Sep 17 00:00:00 2001
From: luowei
Date: Wed, 6 Aug 2025 10:26:27 +0800
Subject: [PATCH] hw/usb/hcd-xhci: Unmap canceled packet cheery-pick from aca4967567aaa168ce51d54145ba970aafb135de
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the Stop Endpoint Command is received, packets running asynchronously are canceled and then all packets are cleaned up. Packets running asynchronously hold the DMA mapping so cleaning the packets leak the mapping. Remove the mapping after canceling packets to fix the leak.

Fixes: 62c6ae04 ("xhci: Initial xHCI implementation")
Signed-off-by: default avatarAkihiko Odaki
Reviewed-by: default avatarPhilippe Mathieu-Daudé
Message-ID: <20250418-xhc-v1-1-bb32dab6a67e@daynix.com>
Signed-off-by: default avatarPhilippe Mathieu-Daudé
---
 hw/usb/hcd-xhci.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 4b60114207..3413a36ebe 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1190,6 +1190,12 @@ static void xhci_ep_free_xfer(XHCITransfer *xfer)
 g_free(xfer);
 }

+static void xhci_xfer_unmap(XHCITransfer *xfer)
+{
+ usb_packet_unmap(&xfer->packet, &xfer->sgl);
+ qemu_sglist_destroy(&xfer->sgl);
+}
+
 static int xhci_ep_nuke_one_xfer(XHCITransfer *t, TRBCCode report)
 {
 int killed = 0;
@@ -1201,6 +1207,7 @@ static int xhci_ep_nuke_one_xfer(XHCITransfer *t, TRBCCode report)

 if (t->running_async) {
 usb_cancel_packet(&t->packet);
+ xhci_xfer_unmap(t);
 t->running_async = 0;
 killed = 1;
 }
@@ -1483,12 +1490,6 @@ err:
 return -1;
 }

-static void xhci_xfer_unmap(XHCITransfer *xfer)
-{
- usb_packet_unmap(&xfer->packet, &xfer->sgl);
- qemu_sglist_destroy(&xfer->sgl);
-}
-
 static void xhci_xfer_report(XHCITransfer *xfer)
 {
 uint32_t edtla = 0;
-- 
Gitee
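Review bot: In the second hunk (xhci_ep_nuke_one_xfer) the new `xhci_xfer_unmap(t);` only makes sense after `usb_cancel_packet(&t->packet)` and must run exactly once per transfer, but nothing in the code records that ordering or ownership rule. The commit message says this path is reached on a Stop Endpoint Command, which the guest driver issues, so a later reordering or a second unmap of the same transfer would presumably bring back a guest-triggerable mapping leak or touch an already released mapping. I would put a comment above the call, e.g. `/* Packet is cancelled: release the DMA mapping it still holds, once and only after the cancel. */`. The function body starts and ends outside the hunk, so whether the running_retry case (not visible here) can also hold a mapping should be checked against the full file. The first and third hunks only move xhci_xfer_unmap above its new caller.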