usb: fix u2f build
usb: fix ohci oob access and loop issues -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQIcBAABCgAGBQJfaGseAAoJEEy22O7T6HE4ZcUP/idasy/vHdsB2qqV7S3Qz579 VzHD1D9PLc3gJ3dKW9u8JEyIMRH+elkpriv/YaYsZS0mZtaIlZiyhJ0aNzEDkZ4r UDW4VlD9f3Se5YMf4PAWIFgMqUOsqplTRIwwqWjJ5R4hQARu6YoERBx5yOZ3Z9sr FBHjZkPTvs5VEc/lvQ5SiK1FDotks83+6llYx45xaNI4CaYDjZWdMD9nsiKwRATp uJ1D/2Tg3pQXlobh0zUk0yU2SqQtGUhkBNSeX0Urc4uRPi+3eCZF8aWW0EjfMcas NH+NeFzlc6rWk2XFJUhqgcaa9681q7DaXSWk8upiL6gff5V8CDVe8/hoPJ2ttB01 PaG8RDG9pD3GEgwj+YzwnsCSUpBKrF0Bqj5XIQ5GEtmhKbgiTuZ5iIDCP17yRx8x LufTW1FDXxgjHjMT6qkqsiCR6jKAvKsdHvyHcgvfWV0uMhllETCCM9KxCu1xtM3Y xwP4GH0vtrvq/J9mVYLcb2qPzMoWCwBQHcho24SlFi4ZTLSpdpRuMG2gRGUfy+3Y B+l90AUzW9OVw/2KPrxj8T1koIf7NJv6qUd1W1CEx1hZBWgpzDAKa7RtfukD9QNn eGt8dJcILvqTdU1xU//yzUExR7/AC98VIVbyq5J+e8vBd8pDT1uXu1uglBK+If0U 7+YGxB6Y4QCdu1sEvC3K =c3+E -----END PGP SIGNATURE----- Merge remote-tracking branch 'remotes/kraxel/tags/usb-20200921-pull-request' into staging usb: fix u2f build usb: fix ohci oob access and loop issues # gpg: Signature made Mon 21 Sep 2020 09:58:06 BST # gpg: using RSA key 4CB6D8EED3E87138 # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full] # gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full] # gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full] # Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138 * remotes/kraxel/tags/usb-20200921-pull-request: hw: usb: hcd-ohci: check for processed TD before retire hw: usb: hcd-ohci: check len and frame_number variables usb: fix u2f build Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
commit
edf6ea6fbe
@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
|
||||
the next ISO TD of the same ED */
|
||||
trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
|
||||
frame_count);
|
||||
if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
|
||||
/* avoid infinite loop */
|
||||
return 1;
|
||||
}
|
||||
OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
|
||||
ed->head &= ~OHCI_DPTR_MASK;
|
||||
ed->head |= (iso_td.next & OHCI_DPTR_MASK);
|
||||
@ -731,7 +735,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
|
||||
}
|
||||
|
||||
start_offset = iso_td.offset[relative_frame_number];
|
||||
if (relative_frame_number < frame_count) {
|
||||
next_offset = iso_td.offset[relative_frame_number + 1];
|
||||
} else {
|
||||
next_offset = iso_td.be;
|
||||
}
|
||||
|
||||
if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
|
||||
((relative_frame_number < frame_count) &&
|
||||
@ -764,7 +772,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
|
||||
}
|
||||
} else {
|
||||
/* Last packet in the ISO TD */
|
||||
end_addr = iso_td.be;
|
||||
end_addr = next_offset;
|
||||
}
|
||||
|
||||
if (start_addr > end_addr) {
|
||||
trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
|
||||
return 1;
|
||||
}
|
||||
|
||||
if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
|
||||
@ -773,6 +786,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
|
||||
} else {
|
||||
len = end_addr - start_addr + 1;
|
||||
}
|
||||
if (len > sizeof(ohci->usb_buf)) {
|
||||
len = sizeof(ohci->usb_buf);
|
||||
}
|
||||
|
||||
if (len && dir != OHCI_TD_DIR_IN) {
|
||||
if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
|
||||
@ -975,8 +991,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
|
||||
if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
|
||||
len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
|
||||
} else {
|
||||
if (td.cbp > td.be) {
|
||||
trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
|
||||
ohci_die(ohci);
|
||||
return 1;
|
||||
}
|
||||
len = (td.be - td.cbp) + 1;
|
||||
}
|
||||
if (len > sizeof(ohci->usb_buf)) {
|
||||
len = sizeof(ohci->usb_buf);
|
||||
}
|
||||
|
||||
pktlen = len;
|
||||
if (len && dir != OHCI_TD_DIR_IN) {
|
||||
|
@ -200,7 +200,7 @@ static ssize_t u2f_emulated_read(const char *path, char *buffer,
|
||||
int fd;
|
||||
ssize_t ret;
|
||||
|
||||
fd = qemu_open(path, O_RDONLY);
|
||||
fd = qemu_open_old(path, O_RDONLY);
|
||||
if (fd < 0) {
|
||||
return -1;
|
||||
}
|
||||
@ -217,7 +217,7 @@ static bool u2f_emulated_setup_counter(const char *path,
|
||||
int fd, ret;
|
||||
FILE *fp;
|
||||
|
||||
fd = qemu_open(path, O_RDWR);
|
||||
fd = qemu_open_old(path, O_RDWR);
|
||||
if (fd < 0) {
|
||||
return false;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user