From: Akihiko Odaki <akihiko.odaki@daynix.com>
Date: Fri, 18 Apr 2025 05:51:48 +0000 (+0900)
Subject: hw/usb/hcd-xhci: Unmap canceled packet
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aca4967567aaa168ce51d54145ba970aafb135de;p=thirdparty%2Fqemu.git

hw/usb/hcd-xhci: Unmap canceled packet

When the Stop Endpoint Command is received, packets running
asynchronously are canceled and then all packets are cleaned up. Packets
running asynchronously hold the DMA mapping so cleaning the packets leak
the mapping. Remove the mapping after canceling packets to fix the leak.

Fixes: 62c6ae04cf43 ("xhci: Initial xHCI implementation")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20250418-xhc-v1-1-bb32dab6a67e@daynix.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index b3785b8ba6..292c378bfc 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1187,6 +1187,12 @@ static void xhci_ep_free_xfer(XHCITransfer *xfer)
     g_free(xfer);
 }
 
+static void xhci_xfer_unmap(XHCITransfer *xfer)
+{
+    usb_packet_unmap(&xfer->packet, &xfer->sgl);
+    qemu_sglist_destroy(&xfer->sgl);
+}
+
 static int xhci_ep_nuke_one_xfer(XHCITransfer *t, TRBCCode report)
 {
     int killed = 0;
@@ -1198,6 +1204,7 @@ static int xhci_ep_nuke_one_xfer(XHCITransfer *t, TRBCCode report)
 
     if (t->running_async) {
         usb_cancel_packet(&t->packet);
+        xhci_xfer_unmap(t);
         t->running_async = 0;
         killed = 1;
     }
@@ -1480,12 +1487,6 @@ err:
     return -1;
 }
 
-static void xhci_xfer_unmap(XHCITransfer *xfer)
-{
-    usb_packet_unmap(&xfer->packet, &xfer->sgl);
-    qemu_sglist_destroy(&xfer->sgl);
-}
-
 static void xhci_xfer_report(XHCITransfer *xfer)
 {
     uint32_t edtla = 0;