From 18fd6695ac06a6f63e75d8a390be3247e234d2cc Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Sun, 4 Mar 2012 12:41:11 +0100
Subject: [PATCH] usb-ehci: sanity-check iso xfers

This patch adds a sanity check to itd processing to make sure the
endpoint addressed by the guest is actually an iso endpoint.  Also
verify that usb drivers don't return USB_RET_ASYNC which is illegal for
iso xfers.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(Cherry picked from: aa0568ff2559d7717f4684af6a83d0bd1a125f56)

[qemu-kvm-1.0: we don't track ep types on RHEL-6 like we do upstream, so we
cannot check if an itd is pointing to a non iso ep in advance, but we do still
need to make sure that we never handle an iso xfer async. So check if the
device does want to handle it async, and if so cancel the xfer and treat it as
a NAK, like upstream does when the ep type check fails.]

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
---
 hw/usb-ehci.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/hw/usb-ehci.c b/hw/usb-ehci.c
index ad0f6e1..b5d7037 100644
--- a/hw/usb-ehci.c
+++ b/hw/usb-ehci.c
@@ -1485,6 +1485,10 @@ static int ehci_process_itd(EHCIState *ehci,
                     itd->transact[i] |= ITD_XACT_BABBLE;
                     ehci_record_interrupt(ehci, USBSTS_ERRINT);
                     break;
+                case USB_RET_ASYNC:
+                    /* ISO endpoints are never ASYNC, not an iso endpoint? */
+                    usb_cancel_packet(&ehci->ipacket);
+                    /* Treat this as a NAK (fall through) */
                 case USB_RET_NAK:
                     /* no data for us, so do a zero-length transfer */
                     ret = 0;