[Qemu-devel] uhci: cancel delay for unregistered queues

[Jan Kiszka]

Hi,

was just debugging a memory corruption of my USB driver inside QEMU -
and so far only there:

I have a queue registered with the UHCI controller on an input endpoint
that continuously generates data. At some point my driver decides to
stop reading and removes the QH (with a lot of TDs attached) from the
schedule. The driver waits for the next frame, then releases the QH and
its TDs.

QEMU apparently takes a "few" more frames to consider this queue dead.
In the meantime, it seems to happily fill the TD buffers with data. But
those buffers are long returned to the guest pool of free memory,
causing corruptions there.

I'm wondering now if I'm (again) using the UHCI in an unorthodox way (at
least I stopped doing multi-queues per endpoint), still must have a
subtle bug in the guest, or if this is a fundamental problem of QEMU's
UHCI model.

Thanks,
Jan

-- 
Siemens AG, Corporate Technology, CT RTC ITP SDP-DE
Corporate Competence Center Embedded Linux