From c60b50b5c240b91bc7953b3bde142b1c7551aaf6 Mon Sep 17 00:00:00 2001
Message-Id: <c60b50b5c240b91bc7953b3bde142b1c7551aaf6.1334850509.git.minovotn@redhat.com>
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Thu, 19 Apr 2012 10:11:29 +0200
Subject: [PATCH] usb-storage: fix request canceling

RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1334830289-17772-1-git-send-email-kraxel@redhat.com>
Patchwork-id: 39344
O-Subject: [RHEL-6.3 qemu-kvm PATCH] usb-storage: fix request canceling
Bugzilla: 807313
RH-Acked-by: Hans de Goede <hdegoede@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Markus Armbruster <armbru@redhat.com>

Little fix for usb packet handling on i/o cancelation.  The
usb packet pointer (s->packet) is cleared at the wrong place:
The scsi request cancel handler does it.  When a usb packet
is canceled the usb-storage emulation canceles the scsi request
if present.  In most cases there is one, so usually s->packet
is cleared as needed even with the code sitting at the wrong
place.

If there is no scsi request in flight s->packet is not cleared
though.  The usb-storage emulation will then try to complete an
usb packet which is not in flight any more and thereby trigger
an assert() in the usb core.

Fix this by clearing s->packet at the correct place, which is
the usb packet cancel header.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

bugzilla: 807313 - qemu-kvm core dumped while booting guest with
                   usb-storage running on uhci
upstream: http://patchwork.ozlabs.org/patch/153715/
brew: http://brewweb.devel.redhat.com/brew/taskinfo?taskID=4314869

---
 hw/usb-msd.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
 hw/usb-msd.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/hw/usb-msd.c b/hw/usb-msd.c
index 7a16de7..2f7e5cb 100644
--- a/hw/usb-msd.c
+++ b/hw/usb-msd.c
@@ -277,7 +277,6 @@ static void usb_msd_request_cancelled(SCSIRequest *req)
     if (req == s->req) {
         scsi_req_unref(s->req);
         s->req = NULL;
-        s->packet = NULL;
         s->scsi_len = 0;
     }
 }
@@ -349,6 +348,9 @@ static void usb_msd_cancel_io(USBDevice *dev, USBPacket *p)
 {
     MSDState *s = DO_UPCAST(MSDState, dev, dev);
 
+    assert(s->packet == p);
+    s->packet = NULL;
+
     if (s->req) {
         scsi_req_cancel(s->req);
     }
-- 
1.7.7.6