Patchwork usb: uhci: Look up queue by address, not token

login
register
mail settings
Submitter Jan Kiszka
Date Nov. 15, 2012, 8:20 a.m.
Message ID <50A4A5D7.8030508@siemens.com>
Download mbox | patch
Permalink /patch/199219/
State New
Headers show

Comments

Jan Kiszka - Nov. 15, 2012, 8:20 a.m.
The queue token is insufficient to identify if a TD belongs to it. What
we need is the QH address.

This fixes the case where the guest issues multiple asynchronous
requests for the same EP.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---

I'm not 100% this still fulfills the aim of "Verify queue has not been
changed by guest". On the other hand, the current code looks quite
wrong to me after studying the spec for a while.

 hw/usb/hcd-uhci.c |    7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)
Gerd Hoffmann - Nov. 15, 2012, 8:30 a.m.
On 11/15/12 09:20, Jan Kiszka wrote:
> -        if (queue->token == token) {
> +        if (queue->qh_addr == qh_addr) {

Patch added to usb patch queue.

thanks,
  Gerd

Patch

diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c
index f4b555a..1434a3a 100644
--- a/hw/usb/hcd-uhci.c
+++ b/hw/usb/hcd-uhci.c
@@ -227,13 +227,12 @@  static void uhci_queue_free(UHCIQueue *queue, const char *reason)
     g_free(queue);
 }
 
-static UHCIQueue *uhci_queue_find(UHCIState *s, UHCI_TD *td)
+static UHCIQueue *uhci_queue_find(UHCIState *s, uint32_t qh_addr)
 {
-    uint32_t token = uhci_queue_token(td);
     UHCIQueue *queue;
 
     QTAILQ_FOREACH(queue, &s->queues, next) {
-        if (queue->token == token) {
+        if (queue->qh_addr == qh_addr) {
             return queue;
         }
     }
@@ -841,7 +840,7 @@  static int uhci_handle_td(UHCIState *s, UHCIQueue *q, uint32_t qh_addr,
     }
 
     if (q == NULL) {
-        q = uhci_queue_find(s, td);
+        q = uhci_queue_find(s, qh_addr);
         if (q && !uhci_queue_verify(q, qh_addr, td, td_addr, queuing)) {
             uhci_queue_free(q, "guest re-used qh");
             q = NULL;