
ehci: Fix crash with isoc usb packets

Message ID 1378714842-20500-1-git-send-email-hdegoede@redhat.com
State New

Commit Message

Hans de Goede Sept. 9, 2013, 8:20 a.m. UTC
The isoc packet path in the ehci code has a bad qobject cast, causing an
abort; this patch fixes this.

Note this problem is backported in 1.6.0 too, and this patch should be
backported to the 1.6.0 stable tree.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 hw/usb/hcd-ehci.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Paolo Bonzini Sept. 9, 2013, 10:08 a.m. UTC | #1
On 09/09/2013 10:20, Hans de Goede wrote:
> The isoc packet path in the ehci code has a bad qobject cast, causing an
> abort; this patch fixes this.
> 
> Note this problem is backported in 1.6.0 too, and this patch should be
> backported to the 1.6.0 stable tree.
> 
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> ---
>  hw/usb/hcd-ehci.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
> index 010a0d0..77c4872 100644
> --- a/hw/usb/hcd-ehci.c
> +++ b/hw/usb/hcd-ehci.c
> @@ -1486,7 +1486,8 @@ static int ehci_process_itd(EHCIState *ehci,
>                  return -1;
>              }
>  
> -            qemu_sglist_init(&ehci->isgl, DEVICE(ehci), 2, ehci->as);
> +            qemu_sglist_init(&ehci->isgl, BUS(&ehci->bus)->parent,
> +                             2, ehci->as);
>              if (off + len > 4096) {
>                  /* transfer crosses page border */
>                  uint32_t len2 = off + len - 4096;
> 

... then qemu-stable should be CCed.

Paolo
Doug Goldstein Sept. 25, 2013, 9:22 p.m. UTC | #2
On Mon, Sep 9, 2013 at 3:20 AM, Hans de Goede <hdegoede@redhat.com> wrote:
> The isoc packet path in the ehci code has a bad qobject cast, causing an
> abort; this patch fixes this.
>
> Note this problem is backported in 1.6.0 too, and this patch should be
> backported to the 1.6.0 stable tree.
>
> Signed-off-by: Hans de Goede <hdegoede@redhat.com>
> ---
>  hw/usb/hcd-ehci.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
> index 010a0d0..77c4872 100644
> --- a/hw/usb/hcd-ehci.c
> +++ b/hw/usb/hcd-ehci.c
> @@ -1486,7 +1486,8 @@ static int ehci_process_itd(EHCIState *ehci,
>                  return -1;
>              }
>
> -            qemu_sglist_init(&ehci->isgl, DEVICE(ehci), 2, ehci->as);
> +            qemu_sglist_init(&ehci->isgl, BUS(&ehci->bus)->parent,
> +                             2, ehci->as);
>              if (off + len > 4096) {
>                  /* transfer crosses page border */
>                  uint32_t len2 = off + len - 4096;
> --
> 1.8.3.1
>
>

Ping. Don't see this in master (and as such it's missing from mdroth's
1.6.1 patch set).
Gerd Hoffmann Sept. 26, 2013, 5:42 a.m. UTC | #3
Hi,

> Ping. Don't see this in master (and as such its missing from mdroth's
> 1.6.1 patch set).

Different patch is in master: adbecc89731cf3e0ae656d50ea9fa58c589c4bdc
Yes, that one should be cherry-picked into stable.

thanks,
  Gerd

Patch

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 010a0d0..77c4872 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1486,7 +1486,8 @@  static int ehci_process_itd(EHCIState *ehci,
                 return -1;
             }
 
-            qemu_sglist_init(&ehci->isgl, DEVICE(ehci), 2, ehci->as);
+            qemu_sglist_init(&ehci->isgl, BUS(&ehci->bus)->parent,
+                             2, ehci->as);
             if (off + len > 4096) {
                 /* transfer crosses page border */
                 uint32_t len2 = off + len - 4096;
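Review bot: `BUS(&ehci->bus)->parent` is re-evaluated for every isochronous transfer descriptor that reaches this point in ehci_process_itd, yet the owning device cannot change once the controller is realized; resolving it once at init and keeping the DeviceState pointer in EHCIState would make this call site a plain field read and leave a single place to get the cast right. A short comment above the qemu_sglist_init call would also help: the change reaches the device through the bus's parent pointer instead of casting the EHCIState directly, and without a note saying why `DEVICE(ehci)` aborts (the crash the commit message describes), the next reader may "simplify" it back.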