[Qemu-devel] usb-ohci: td.cbp incorrectly updated near page end

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] usb-ohci: td.cbp incorrectly updated near page end

From:	Andriy Gapon
Subject:	[Qemu-devel] usb-ohci: td.cbp incorrectly updated near page end
Date:	Thu, 22 Dec 2011 11:34:30 +0200
User-agent:	Mozilla/5.0 (X11; FreeBSD amd64; rv:8.0) Gecko/20111206 Thunderbird/8.0

The current code that updates the cbp value after a transfer looks like this:
td.cbp += ret;
if ((td.cbp & 0xfff) + ret > 0xfff) {
        <handle page overflow>
because the 'ret' value is effectively added twice the check may fire too early
when the overflow hasn't happened yet.

Below is one of the possible changes that correct the behavior:

--- hw/usb-ohci.c.orig  2011-12-22 02:44:49.650537164 +0200
+++ hw/usb-ohci.c       2011-12-22 03:50:37.545642734 +0200
@@ -1025,10 +1031,10 @@ static int ohci_service_td(OHCIState *oh
         if (ret == len) {
             td.cbp = 0;
         } else {
-            td.cbp += ret;
             if ((td.cbp & 0xfff) + ret > 0xfff) {
-                td.cbp &= 0xfff;
-                td.cbp |= td.be & ~0xfff;
+                td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
+            } else {
+                td.cbp += ret;
             }
         }
         td.flags |= OHCI_TD_T1;

-- 
Andriy Gapon

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] usb-ohci: td.cbp incorrectly updated near page end, Andriy Gapon <=
- Re: [Qemu-devel] usb-ohci: td.cbp incorrectly updated near page end, Stefan Hajnoczi, 2011/12/30

Prev by Date: Re: [Qemu-devel] Seem thread Competition
Next by Date: Re: [Qemu-devel] [Bug 883136] Re: qemu on ARM hosts aborts on startup because makecontext() always fails
Previous by thread: [Qemu-devel] Seem thread Competition
Next by thread: Re: [Qemu-devel] usb-ohci: td.cbp incorrectly updated near page end
Index(es):
- Date
- Thread