From 985b7cfbd45960bb74a13ad8044765a8e35f2251 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Sun, 4 Mar 2012 12:41:11 +0100
Subject: [PATCH 140/140] usb-ehci: sanity-check iso xfers
This patch adds a sanity check to itd processing to make sure the
endpoint addressed by the guest is actually an iso endpoint. Also
verify that usb drivers don't return USB_RET_ASYNC which is illegal for
iso xfers.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(Cherry picked from: aa0568ff2559d7717f4684af6a83d0bd1a125f56)
[qemu-kvm-1.0: we don't track ep types on RHEL-6 like we do upstream, so we
cannot check if an itd is pointing to a non iso ep in advance, but we do still
need to make sure that we never handle an iso xfer async. So check if the
device does want to handle it async, and if so cancel the xfer and treat it as
a NAK, like upstream does when the ep type check fails.]
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
hw/usb-ehci.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/usb-ehci.c b/hw/usb-ehci.c
index ad0f6e1..b5d7037 100644
--- a/hw/usb-ehci.c
+++ b/hw/usb-ehci.c
@@ -1485,6 +1485,10 @@ static int ehci_process_itd(EHCIState *ehci,
itd->transact[i] |= ITD_XACT_BABBLE;
ehci_record_interrupt(ehci, USBSTS_ERRINT);
break;
+ case USB_RET_ASYNC:
+ /* ISO endpoints are never ASYNC, not an iso endpoint? */
+ usb_cancel_packet(&ehci->ipacket);
+ /* Treat this as a NAK (fall through) */
case USB_RET_NAK:
/* no data for us, so do a zero-length transfer */
ret = 0;
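Review bot: The new `case USB_RET_ASYNC:` branch handles a condition the guest can trigger, yet its comment `/* ISO endpoints are never ASYNC, not an iso endpoint? */` does not say why the cancel is mandatory. Because `ehci->ipacket` is a single packet in the controller state while the loop indexes `itd->transact[i]`, it is presumably reused for the next transaction, so a device left holding it could complete into a packet the controller has already moved on from. I would state that in the comment, e.g. `/* guest pointed an iTD at a non-iso ep: the device must not keep ipacket pending, it is reused for the next transaction */`. Per the commit message this backport cannot check the endpoint type in advance, so the non-iso endpoint's handler has already run before the cancel, and since the branch falls through to the NAK path (`ret = 0`) without a trace or debug print, a misbehaving guest leaves no sign on the host side. The switch and the body of ehci_process_itd start and end outside this hunk.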
--
1.7.9.3