From: Li Qiang <liqiang6-s@360.cn>

Date: Sun, 18 Sep 2016 19:48:35 -0700

Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd

While processing isochronous transfer descriptors(iTD), if the page

select(PG) field value is out of bands it will return. In this

situation the ehci's sg list is not freed thus leading to a memory

leak issue. This patch avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>

Reviewed-by: Thomas Huth <thuth@redhat.com>

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a)

---

 hw/usb/hcd-ehci.c | 1 +

 1 file changed, 1 insertion(+)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c

index 43a8f7a..92241bb 100644

--- a/hw/usb/hcd-ehci.c

+++ b/hw/usb/hcd-ehci.c

@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,

             if (off + len > 4096) {

                 /* transfer crosses page border */

                 if (pg == 6) {

+                    qemu_sglist_destroy(&ehci->isgl);

                     return -1;  /* avoid page pg + 1 */

                 }

                 ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);