On Tue, Apr 30, 2019 at 02:21:41PM +0800, Longpeng(Mike) wrote:
> From: Longpeng <longpe...@huawei.com>
>
> We found the following core in our environment:
> #0  0x00007fc6b06c2237 in raise ()
> #1  0x00007fc6b06c3928 in abort ()
> #2  0x00007fc6b06bb056 in __assert_fail_base ()
> #3  0x00007fc6b06bb102 in __assert_fail ()
> #4  0x0000000000702e36 in xhci_kick_ep (...)
> #5  0x000000000047897a in memory_region_write_accessor (...)
> #6  0x000000000047767f in access_with_adjusted_size (...)
> #7  0x000000000047944d in memory_region_dispatch_write (...)
>     (mr=mr@entry=0x7fc6a0138df0, addr=addr@entry=156, data=1648892416,
>     size=size@entry=4, attrs=attrs@entry=...)
> #8  0x000000000042df17 in address_space_write_continue (...)
> #10 0x000000000043084d in address_space_rw (...)
> #11 0x000000000047451b in kvm_cpu_exec (cpu=cpu@entry=0x1ab11b0)
> #12 0x000000000045dcf5 in qemu_kvm_cpu_thread_fn (arg=0x1ab11b0)
> #13 0x0000000000870631 in qemu_thread_start (args=args@entry=0x1acfb50)
> #14 0x00000000008959a7 in thread_entry_for_hotfix (pthread_cb=<optimized out>)
> #15 0x00007fc6b0a60dd5 in start_thread ()
> #16 0x00007fc6b078a59d in clone ()
>
> (gdb) f 5
> #5  0x000000000047897a in memory_region_write_accessor (...)
> 529         mr->ops->write(mr->opaque, addr, tmp, size);
> (gdb) p /x tmp
> $9 = 0x62481a00   <-- last byte 0x00 is @epid
>
> xhci_doorbell_write() already checks the upper bound of @slotid and @epid,
> it also needs to check the lower bound.
>
> Cc: Gonglei <arei.gong...@huawei.com>
> Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com>
> Signed-off-by: Longpeng <longpe...@huawei.com>
Added to usb queue.

thanks,
  Gerd
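The commit message above describes a one-sided range check: the doorbell handler rejected endpoint and slot ids above the maximum but let 0 through, and the value captured in gdb (0x62481a00, low byte 0x00) is exactly such a write reaching an assert deeper in xhci_kick_ep. The following is a small model written for this thread, not QEMU's hcd-xhci.c: it decodes the endpoint id from the low byte of the doorbell value the same way the message indicates, puts the upper-bound-only check next to a two-sided one, and counts which of a few constructed guest writes the first check admits but the second rejects. MAX_SLOTS is a placeholder for the controller's configured slot count; 31 endpoint ids per slot is the xHCI maximum.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Illustrative model of doorbell-register validation, written for this
 * thread; it is not QEMU's hw/usb/hcd-xhci.c. MAX_SLOTS is a placeholder
 * for the controller's configured number of device slots. */
#define MAX_SLOTS 64
#define MAX_EPID  31

/* The doorbell value carries the endpoint id (DB Target) in bits 7:0;
 * the backtrace in the thread shows 0x62481a00, whose low byte is 0x00. */
static inline uint32_t doorbell_epid(uint32_t val)
{
    return val & 0xff;
}

/* Upper-bound-only validation, as the commit message describes the
 * pre-fix behaviour: a slot or endpoint id of 0 is accepted. */
bool doorbell_ids_valid_upper_only(uint32_t slotid, uint32_t epid)
{
    return slotid <= MAX_SLOTS && epid <= MAX_EPID;
}

/* Two-sided validation: in this model slot 0 and endpoint 0 are not
 * valid targets for a device doorbell, so both bounds are enforced. */
bool doorbell_ids_valid(uint32_t slotid, uint32_t epid)
{
    return slotid >= 1 && slotid <= MAX_SLOTS &&
           epid   >= 1 && epid   <= MAX_EPID;
}

/* Constructed sample writes (slot id, register value). The first uses the
 * value from the gdb session in the thread. */
struct db_write { uint32_t slotid; uint32_t val; };
static const struct db_write sample_writes[] = {
    { 1, 0x62481a00 }, /* epid 0: only the two-sided check rejects it   */
    { 1, 0x00000001 }, /* epid 1: valid under both checks                */
    { 0, 0x00000001 }, /* slot 0: only the two-sided check rejects it    */
    { 1, 0x00000020 }, /* epid 32: the upper bound already rejects it    */
};

/* Number of sample writes that pass the upper-bound-only check but fail
 * the two-sided one, i.e. the writes that would have reached the kick
 * path with an id of 0. */
int count_escapes(void)
{
    int escapes = 0;
    size_t n = sizeof(sample_writes) / sizeof(sample_writes[0]);
    for (size_t i = 0; i < n; i++) {
        uint32_t epid = doorbell_epid(sample_writes[i].val);
        bool upper = doorbell_ids_valid_upper_only(sample_writes[i].slotid, epid);
        bool both  = doorbell_ids_valid(sample_writes[i].slotid, epid);
        if (upper && !both) {
            escapes++;
        }
    }
    return escapes;
}
```

The point of keeping both checks side by side is that a guest-controlled index needs validation against every edge of the table it selects into; an assert further down the call chain, as in the backtrace, turns a rejected write into a guest-triggerable abort of the whole VMM.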