usb-storage: fix request canceling

Little fix for usb packet handling on i/o cancelation.  The
usb packet pointer (s->packet) is cleared at the wrong place:
The scsi request cancel handler does it.  When a usb packet
is canceled the usb-storage emulation canceles the scsi request
if present.  In most cases there is one, so usually s->packet
is cleared as needed even with the code sitting at the wrong
place.

If there is no scsi request in flight s->packet is not cleared
though.  The usb-storage emulation will then try to complete an
usb packet which is not in flight any more and thereby trigger
an assert() in the usb core.

Fix this by clearing s->packet at the correct place, which is
the usb packet cancel header.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
index d865a5e..3d2f244 100644 (file)
--- a/hw/usb/dev-storage.c
+++ b/hw/usb/dev-storage.c
@@ -268,7 +268,6 @@ static void usb_msd_request_cancelled(SCSIRequest *req)
     if (req == s->req) {
         scsi_req_unref(s->req);
         s->req = NULL;
-        s->packet = NULL;
         s->scsi_len = 0;
     }
 }
@@ -330,6 +329,9 @@ static void usb_msd_cancel_io(USBDevice *dev, USBPacket *p)
 {
     MSDState *s = DO_UPCAST(MSDState, dev, dev);
 
+    assert(s->packet == p);
+    s->packet = NULL;
+
     if (s->req) {
         scsi_req_cancel(s->req);
     }