1b1995
From 985b7cfbd45960bb74a13ad8044765a8e35f2251 Mon Sep 17 00:00:00 2001
1b1995
From: Gerd Hoffmann <kraxel@redhat.com>
1b1995
Date: Sun, 4 Mar 2012 12:41:11 +0100
1b1995
Subject: [PATCH 140/140] usb-ehci: sanity-check iso xfers
1b1995
1b1995
This patch adds a sanity check to itd processing to make sure the
1b1995
endpoint addressed by the guest is actually an iso endpoint.  Also
1b1995
verify that usb drivers don't return USB_RET_ASYNC which is illegal for
1b1995
iso xfers.
1b1995
1b1995
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1b1995
(Cherry picked from: aa0568ff2559d7717f4684af6a83d0bd1a125f56)
1b1995
1b1995
[qemu-kvm-1.0: we don't track ep types on RHEL-6 like we do upstream, so we
1b1995
cannot check if an itd is pointing to a non iso ep in advance, but we do still
1b1995
need to make sure that we never handle an iso xfer async. So check if the
1b1995
device does want to handle it async, and if so cancel the xfer and treat it as
1b1995
a NAK, like upstream does when the ep type check fails.]
1b1995
1b1995
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
1b1995
---
1b1995
 hw/usb-ehci.c |    4 ++++
1b1995
 1 file changed, 4 insertions(+)
1b1995
1b1995
diff --git a/hw/usb-ehci.c b/hw/usb-ehci.c
1b1995
index ad0f6e1..b5d7037 100644
1b1995
--- a/hw/usb-ehci.c
1b1995
+++ b/hw/usb-ehci.c
1b1995
@@ -1485,6 +1485,10 @@ static int ehci_process_itd(EHCIState *ehci,
1b1995
                     itd->transact[i] |= ITD_XACT_BABBLE;
1b1995
                     ehci_record_interrupt(ehci, USBSTS_ERRINT);
1b1995
                     break;
1b1995
+                case USB_RET_ASYNC:
1b1995
+                    /* ISO endpoints are never ASYNC, not an iso endpoint? */
1b1995
+                    usb_cancel_packet(&ehci->ipacket);
1b1995
+                    /* Treat this as a NAK (fall through) */
1b1995
                 case USB_RET_NAK:
1b1995
                     /* no data for us, so do a zero-length transfer */
1b1995
                     ret = 0;
1b1995
-- 
1b1995
1.7.9.3
1b1995