From 90905dca56de07f7c394ef8cbe480a0d08e0d8cd Mon Sep 17 00:00:00 2001

From: Hans de Goede <hdegoede@redhat.com>

Date: Mon, 3 Sep 2012 11:35:58 +0200

Subject: [PATCH] ehci: Handle USB_RET_PROCERR in ehci_fill_queue

USB_RET_PROCERR can be triggered by the guest (by for example requesting more

then BUFFSIZE bytes), so don't assert on it.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

(cherry picked from commit eff6dce79bd7ad3c16d75c5e55b5a2a137ba6a60)

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

---

 hw/usb/hcd-ehci.c | 9 ++++++---

 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c

index d87aca8..2534394 100644

--- a/hw/usb/hcd-ehci.c

+++ b/hw/usb/hcd-ehci.c

@@ -2076,7 +2076,7 @@ static int ehci_state_horizqh(EHCIQueue *q)

     return again;

 }

-static void ehci_fill_queue(EHCIPacket *p)

+static int ehci_fill_queue(EHCIPacket *p)

 {

     EHCIQueue *q = p->queue;

     EHCIqtd qtd = p->qtd;

@@ -2100,9 +2100,13 @@ static void ehci_fill_queue(EHCIPacket *p)

         p->qtdaddr = qtdaddr;

         p->qtd = qtd;

         p->usb_status = ehci_execute(p, "queue");

+        if (p->usb_status == USB_RET_PROCERR) {

+            break;

+        }

         assert(p->usb_status == USB_RET_ASYNC);

         p->async = EHCI_ASYNC_INFLIGHT;

     }

+    return p->usb_status;

 }

 static int ehci_state_execute(EHCIQueue *q)

@@ -2144,8 +2148,7 @@ static int ehci_state_execute(EHCIQueue *q)

         trace_usb_ehci_packet_action(p->queue, p, "async");

         p->async = EHCI_ASYNC_INFLIGHT;

         ehci_set_state(q->ehci, q->async, EST_HORIZONTALQH);

-        again = 1;

-        ehci_fill_queue(p);

+        again = (ehci_fill_queue(p) == USB_RET_PROCERR) ? -1 : 1;

         goto out;

     }