render / rpms / qemu

Forked from rpms/qemu 10 months ago
Clone

Blame 0018-usb-ohci-td.cbp-incorrectly-updated-near-page-end.patch

Justin M. Forbes 45e84a
From 23201c64a789cf948fedcea221a4b6e197fcd628 Mon Sep 17 00:00:00 2001
Justin M. Forbes 45e84a
From: Andriy Gapon <avg@FreeBSD.org>
Justin M. Forbes 45e84a
Date: Thu, 22 Dec 2011 11:34:30 +0200
Justin M. Forbes 45e84a
Subject: [PATCH 18/25] usb-ohci: td.cbp incorrectly updated near page end
Justin M. Forbes 45e84a
Justin M. Forbes 45e84a
The current code that updates the cbp value after a transfer looks like this:
Justin M. Forbes 45e84a
td.cbp += ret;
Justin M. Forbes 45e84a
if ((td.cbp & 0xfff) + ret > 0xfff) {
Justin M. Forbes 45e84a
	<handle page overflow>
Justin M. Forbes 45e84a
because the 'ret' value is effectively added twice the check may fire too early
Justin M. Forbes 45e84a
when the overflow hasn't happened yet.
Justin M. Forbes 45e84a
Justin M. Forbes 45e84a
Below is one of the possible changes that correct the behavior:
Justin M. Forbes 45e84a
Justin M. Forbes 45e84a
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Justin M. Forbes 45e84a
---
Justin M. Forbes 45e84a
 hw/usb-ohci.c |    6 +++---
Justin M. Forbes 45e84a
 1 files changed, 3 insertions(+), 3 deletions(-)
Justin M. Forbes 45e84a
Justin M. Forbes 45e84a
diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c
Justin M. Forbes 45e84a
index c2981c5..c27014a 100644
Justin M. Forbes 45e84a
--- a/hw/usb-ohci.c
Justin M. Forbes 45e84a
+++ b/hw/usb-ohci.c
Justin M. Forbes 45e84a
@@ -1025,10 +1025,10 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
Justin M. Forbes 45e84a
         if (ret == len) {
Justin M. Forbes 45e84a
             td.cbp = 0;
Justin M. Forbes 45e84a
         } else {
Justin M. Forbes 45e84a
-            td.cbp += ret;
Justin M. Forbes 45e84a
             if ((td.cbp & 0xfff) + ret > 0xfff) {
Justin M. Forbes 45e84a
-                td.cbp &= 0xfff;
Justin M. Forbes 45e84a
-                td.cbp |= td.be & ~0xfff;
Justin M. Forbes 45e84a
+                td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
Justin M. Forbes 45e84a
+            } else {
Justin M. Forbes 45e84a
+                td.cbp += ret;
Justin M. Forbes 45e84a
             }
Justin M. Forbes 45e84a
         }
Justin M. Forbes 45e84a
         td.flags |= OHCI_TD_T1;
Justin M. Forbes 45e84a
-- 
Justin M. Forbes 45e84a
1.7.7.5
Justin M. Forbes 45e84a