falso
/
qemu-irix
mirror of https://github.com/n64decomp/qemu-irix.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

usb-ohci: td.cbp incorrectly updated near page end 

The current code that updates the cbp value after a transfer looks like this:
td.cbp += ret;
if ((td.cbp & 0xfff) + ret > 0xfff) {
	<handle page overflow>
because the 'ret' value is effectively added twice the check may fire too early
when the overflow hasn't happened yet.

Below is one of the possible changes that correct the behavior:

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
This commit is contained in:
Andriy Gapon 2011-12-22 11:34:30 +02:00 committed by Justin M. Forbes
parent c936f649d4
commit 23201c64a7
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
hw/usb-ohci.c
View File

@ -1025,10 +1025,10 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
if (ret == len) {
td.cbp = 0;
} else {
td.cbp += ret;
if ((td.cbp & 0xfff) + ret > 0xfff) {
td.cbp &= 0xfff;
td.cbp |= td.be & ~0xfff;
td.cbp = (td.be & ~0xfff) + ((td.cbp + ret) & 0xfff);
} else {
td.cbp += ret;
}
}
td.flags |= OHCI_TD_T1;