From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:35724) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Rj9Fq-0007xd-Bm for qemu-devel@nongnu.org; Fri, 06 Jan 2012 07:50:46 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1Rj9Fm-0002rJ-6U for qemu-devel@nongnu.org; Fri, 06 Jan 2012 07:50:42 -0500 Received: from mx1.redhat.com ([209.132.183.28]:63976) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1Rj9Fl-0002qy-Vh for qemu-devel@nongnu.org; Fri, 06 Jan 2012 07:50:38 -0500 From: Gerd Hoffmann Date: Fri, 6 Jan 2012 13:50:32 +0100 Message-Id: <1325854232-17478-5-git-send-email-kraxel@redhat.com> In-Reply-To: <1325854232-17478-1-git-send-email-kraxel@redhat.com> References: <1325854232-17478-1-git-send-email-kraxel@redhat.com> Subject: [Qemu-devel] [PATCH 4/4] usb-ohci: td.cbp incorrectly updated near page end List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Gerd Hoffmann , Andriy Gapon From: Andriy Gapon The current code that updates the cbp value after a transfer looks like this: td.cbp += ret; if ((td.cbp & 0xfff) + ret > 0xfff) { because the 'ret' value is effectively added twice the check may fire too early when the overflow hasn't happened yet. Below is one of the possible changes that correct the behavior: Signed-off-by: Gerd Hoffmann --- hw/usb-ohci.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hw/usb-ohci.c b/hw/usb-ohci.c index e68be70..81488c4 100644 --- a/hw/usb-ohci.c +++ b/hw/usb-ohci.c @@ -1025,10 +1025,10 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed) if (ret == len) { td.cbp = 0; } else { - td.cbp += ret; if ((td.cbp & 0xfff) + ret > 0xfff) { - td.cbp &= 0xfff; - td.cbp |= td.be & ~0xfff; + td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff); + } else { + td.cbp += ret; } } td.flags |= OHCI_TD_T1; -- 1.7.1
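Review bot: the new expression `td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);` deserves a one-line comment in the hunk, since its correctness depends on an OHCI invariant the code does not state: a TD buffer spans at most two pages, so once the transfer crosses the 4K boundary the remaining bytes live in the page that contains BufferEnd (`td.be`), and the new offset within that page is `(td.cbp + ret) & 0xfff`. The logic itself is right: the condition `(td.cbp & 0xfff) + ret > 0xfff` is now evaluated on the pre-increment `td.cbp`, which is exactly what removes the double-counting of `ret` described in the commit message, and the plain `td.cbp += ret;` is correctly confined to the `else` (no page crossing) branch, where it is needed because `td.be` may already sit on the following page. One process point: the patch is attributed with `From: Andriy Gapon` but carries only Gerd's `Signed-off-by:`; the original author's Signed-off-by should be added before this is merged.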