From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([140.186.70.92]:47298)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <avg@FreeBSD.org>) id 1RdfCp-0004Hf-DJ
	for qemu-devel@nongnu.org; Thu, 22 Dec 2011 04:45:00 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <avg@FreeBSD.org>) id 1RdfCn-0004K5-0Z
	for qemu-devel@nongnu.org; Thu, 22 Dec 2011 04:44:55 -0500
Received: from citadel.icyb.net.ua ([212.40.38.140]:2716)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <avg@FreeBSD.org>) id 1RdfCm-0004Il-KB
	for qemu-devel@nongnu.org; Thu, 22 Dec 2011 04:44:52 -0500
Received: from porto.starpoint.kiev.ua (porto-e.starpoint.kiev.ua
	[212.40.38.100])
	by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id LAA09850
	for <qemu-devel@nongnu.org>; Thu, 22 Dec 2011 11:34:31 +0200 (EET)
	(envelope-from avg@FreeBSD.org)
Received: from localhost ([127.0.0.1])
	by porto.starpoint.kiev.ua with esmtp (Exim 4.34 (FreeBSD))
	id 1Rdf2l-000PkP-3N
	for qemu-devel@nongnu.org; Thu, 22 Dec 2011 11:34:31 +0200
Message-ID: <4EF2F9A6.3020601@FreeBSD.org>
Date: Thu, 22 Dec 2011 11:34:30 +0200
From: Andriy Gapon <avg@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=X-VIET-VPS
Content-Transfer-Encoding: 7bit
Subject: [Qemu-devel] usb-ohci: td.cbp incorrectly updated near page end
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org


The current code that updates the cbp value after a transfer looks like this:
td.cbp += ret;
if ((td.cbp & 0xfff) + ret > 0xfff) {
	<handle page overflow>
because the 'ret' value is effectively added twice the check may fire too early
when the overflow hasn't happened yet.

Below is one of the possible changes that correct the behavior:

--- hw/usb-ohci.c.orig	2011-12-22 02:44:49.650537164 +0200
+++ hw/usb-ohci.c	2011-12-22 03:50:37.545642734 +0200
@@ -1025,10 +1031,10 @@ static int ohci_service_td(OHCIState *oh
         if (ret == len) {
             td.cbp = 0;
         } else {
-            td.cbp += ret;
             if ((td.cbp & 0xfff) + ret > 0xfff) {
-                td.cbp &= 0xfff;
-                td.cbp |= td.be & ~0xfff;
+                td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
+            } else {
+                td.cbp += ret;
             }
         }
         td.flags |= OHCI_TD_T1;

-- 
Andriy Gapon