usb-ohci: td.cbp incorrectly updated near page end

The current code that updates the cbp value after a transfer looks like this: td.cbp += ret; if ((td.cbp & 0xfff) + ret > 0xfff) { <handle page overflow> because the 'ret' value is effectively added twice the check may fire too early when the overflow hasn't happened yet. Below is one of the possible changes that correct the behavior: Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>

usb-ohci: td.cbp incorrectly updated near page end
The current code that updates the cbp value after a transfer looks like this: td.cbp += ret; if ((td.cbp & 0xfff) + ret > 0xfff) { <handle page overflow> because the 'ret' value is effectively added twice the check may fire too early when the overflow hasn't happened yet. Below is one of the possible changes that correct the behavior: Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>
fd891c93 · Andriy Gapon · Gerd Hoffmann · c75fead6 · fd891c93
隐藏空白更改
内联并排

Showing with 3 addition and 3 deletion

hw/usb-ohci.c hw/usb-ohci.c +3 -3

未找到文件。
--- a/hw/usb-ohci.c
+++ b/hw/usb-ohci.c
@@ -1025,10 +1025,10 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
        if (ret == len) {
            td.cbp = 0;
        } else {
-            td.cbp += ret;
            if ((td.cbp & 0xfff) + ret > 0xfff) {
-                td.cbp &= 0xfff;
-                td.cbp |= td.be & ~0xfff;
+                td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
+            } else {
+                td.cbp += ret;
            }
        }
        td.flags |= OHCI_TD_T1;