From: Prasad J Pandit <pjp@fedoraproject.org>

xHCI controller emulator loops through the transfer ring to
transfer control/data between host memory and device endpoints.
It continues to do so after processing 'Status Stage' TD which
is the last descriptor in control transfer. Add break to avoid
infinite loop.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/usb/hcd-xhci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 54b3901..7e2d345 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -2252,6 +2252,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid)
         if (xfer->complete) {
             xhci_ep_free_xfer(xfer);
             xfer = NULL;
+            break;
         }
 
         if (epctx->state == EP_HALTED) {
-- 
2.9.3

On Mo, 2017-02-13 at 13:25 +0530, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
> 
> xHCI controller emulator loops through the transfer ring to
> transfer control/data between host memory and device endpoints.
> It continues to do so after processing 'Status Stage' TD which
> is the last descriptor in control transfer.

That is perfectly fine.  The guest is allowed to queue up multiple
requests.

> Add break to avoid
> infinite loop.

It's not that simple.

https://patchwork.ozlabs.org/patch/724484/

cheers,
  Gerd