> > Hi, > > > diff --git a/hw/usb/core.c b/hw/usb/core.c > > index bea5e1e..6fbcf00 100644 > > --- a/hw/usb/core.c > > +++ b/hw/usb/core.c > > @@ -716,7 +716,6 @@ struct USBEndpoint *usb_ep_get(USBDevice *dev, > int pid, int ep) > > if (ep == 0) { > > return &dev->ep_ctl; > > } > > - assert(pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT); > > Please keep this. > > > assert(ep > 0 && ep <= USB_MAX_ENDPOINTS); > > return eps + ep - 1; > > } > > diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c > > index 5ccfb83..ff66397 100644 > > --- a/hw/usb/hcd-uhci.c > > +++ b/hw/usb/hcd-uhci.c > > @@ -883,6 +883,7 @@ static int uhci_handle_td(UHCIState *s, UHCIQueue > *q, uint32_t qh_addr, > > /* invalid pid : frame interrupted */ > > uhci_async_free(async); > > s->status |= UHCI_STS_HCPERR; > > + s->cmd &= ~UHCI_CMD_RS; > > When clearing RS in cmd we should also set HALTED in status I think. > Actually, uhci_frame_timer() had done this work.
if (!(s->cmd & UHCI_CMD_RS)) { /* Full stop */ trace_usb_uhci_schedule_stop(); qemu_del_timer(s->frame_timer); uhci_async_cancel_all(s); /* set hchalted bit in status - UHCI11D 2.1.2 */ s->status |= UHCI_STS_HCHALTED; return; } > How do we reach the assert above? Maybe it is enough to move this pid > check to the start of the uhci_handle_td function to avoid triggering > the assert? > If Qemu read a wrong td, and then get a wrong pid, assertion will be reached. I thought that method, but I gave up as more complicated. Regards, -Gonglei