* [Qemu-devel] usb-ohci: td.cbp incorrectly updated near page end
From: Andriy Gapon @ 2011-12-22 9:34 UTC
To: qemu-devel

The current code that updates the cbp value after a transfer looks like this:

td.cbp += ret;
if ((td.cbp & 0xfff) + ret > 0xfff) {
<handle page overflow>

because the 'ret' value is effectively added twice, the check may fire too early when the overflow hasn't happened yet.

Below is one of the possible changes that correct the behavior:

--- hw/usb-ohci.c.orig 2011-12-22 02:44:49.650537164 +0200 +++ hw/usb-ohci.c 2011-12-22 03:50:37.545642734 +0200 @@ -1025,10 +1031,10 @@ static int ohci_service_td(OHCIState *oh if (ret == len) { td.cbp = 0; } else { - td.cbp += ret; if ((td.cbp & 0xfff) + ret > 0xfff) { - td.cbp &= 0xfff; - td.cbp |= td.be & ~0xfff; + td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff); + } else { + td.cbp += ret; } } td.flags |= OHCI_TD_T1;

--
Andriy Gapon
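Review bot: the hunk header `@@ -1025,10 +1031,10 @@` starts the new side six lines later than the old side although this single hunk is line-count neutral, so the diff was taken against a locally modified hw/usb-ohci.c and will likely apply upstream only with offset or fuzz; please regenerate it against current master and add the missing Signed-off-by: line so it can be picked up with git am. A short comment above the new `if ((td.cbp & 0xfff) + ret > 0xfff)` saying that the check is now made against the pre-transfer cbp, and that `td.be & ~0xfff` assumes BE lies in the page immediately following, would help the next reader.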
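As an added illustration, not code from the thread or from QEMU, the pre-patch and patched cbp updates side by side as plain C functions, run on constructed TD values; the function names and the sample cbp/be/ret values are mine, and the second sample goes beyond the report by also showing a genuine page crossing.

```c
#include <stdint.h>
#include <stdio.h>

/* Pre-patch update: ret is added to cbp before the page check, so the
 * check effectively counts it twice and can fire before a crossing. */
static uint32_t cbp_update_old(uint32_t cbp, uint32_t be, uint32_t ret)
{
    cbp += ret;
    if ((cbp & 0xfff) + ret > 0xfff) {
        cbp &= 0xfff;
        cbp |= be & ~0xfff;
    }
    return cbp;
}

/* Patched update: test the pre-transfer offset, then either relocate
 * into the page of BE (carrying the wrapped offset) or advance in place. */
static uint32_t cbp_update_new(uint32_t cbp, uint32_t be, uint32_t ret)
{
    if ((cbp & 0xfff) + ret > 0xfff) {
        cbp = (be & ~0xfff) + ((cbp + ret) & 0xfff);
    } else {
        cbp += ret;
    }
    return cbp;
}

int main(void)
{
    /* Constructed sample 1: 0x100 bytes left in the page, 0x80 transferred.
     * No crossing, yet the old check fires and jumps into BE's page. */
    uint32_t be = 0x5fff;
    printf("no crossing:  old=%#x new=%#x (want 0x1f80)\n",
           cbp_update_old(0x1f00, be, 0x80), cbp_update_new(0x1f00, be, 0x80));

    /* Constructed sample 2: 0x10 bytes left, 0xf00 transferred.
     * A real crossing; both versions land at offset 0xef0 of BE's page. */
    printf("real crossing: old=%#x new=%#x (want 0x5ef0)\n",
           cbp_update_old(0x1ff0, be, 0xf00), cbp_update_new(0x1ff0, be, 0xf00));
    return 0;
}
```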
* Re: [Qemu-devel] usb-ohci: td.cbp incorrectly updated near page end
From: Stefan Hajnoczi @ 2011-12-30 11:07 UTC
To: Andriy Gapon; +Cc: qemu-devel, Gerd Hoffmann

On Thu, Dec 22, 2011 at 11:34:30AM +0200, Andriy Gapon wrote:
> The current code that updates the cbp value after a transfer looks like this:
> td.cbp += ret;
> if ((td.cbp & 0xfff) + ret > 0xfff) {
> <handle page overflow>
> because the 'ret' value is effectively added twice the check may fire too early
> when the overflow hasn't happened yet.

Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
* Re: [Qemu-devel] usb-ohci: td.cbp incorrectly updated near page end
From: Gerd Hoffmann @ 2012-01-06 9:47 UTC
To: Andriy Gapon; +Cc: qemu-devel

On 12/22/11 10:34, Andriy Gapon wrote:
> The current code that updates the cbp value after a transfer looks like this:
> td.cbp += ret;
> if ((td.cbp & 0xfff) + ret > 0xfff) {
> <handle page overflow>
> because the 'ret' value is effectively added twice the check may fire too early
> when the overflow hasn't happened yet.

Patch added to usb patch queue.

thanks,
Gerd