usb-hub: limit chain length

USB supports up to 5 hubs chained.
Catch attempts to chain more.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

3 files changed, 9 insertions, 0 deletions

diff --git a/hw/usb.h b/hw/usb.h
index 1b10684dde..4d9d05e9bc 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -337,6 +337,7 @@ typedef struct USBPortOps {
 struct USBPort {
     USBDevice *dev;
     int speedmask;
+    int hubcount;
     char path[16];
     USBPortOps *ops;
     void *opaque;
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index e58cd9ade2..b10c290cf4 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -341,8 +341,10 @@ void usb_port_location(USBPort *downstream, USBPort *upstream, int portnr)
     if (upstream) {
         snprintf(downstream->path, sizeof(downstream->path), "%s.%d",
                  upstream->path, portnr);
+        downstream->hubcount = upstream->hubcount + 1;
     } else {
         snprintf(downstream->path, sizeof(downstream->path), "%d", portnr);
+        downstream->hubcount = 0;
     }
 }
 
diff --git a/hw/usb/dev-hub.c b/hw/usb/dev-hub.c
index 504c98c350..a5f092bfee 100644
--- a/hw/usb/dev-hub.c
+++ b/hw/usb/dev-hub.c
@@ -25,6 +25,7 @@
 #include "trace.h"
 #include "hw/usb.h"
 #include "hw/usb/desc.h"
+#include "qemu/error-report.h"
 
 #define NUM_PORTS 8
 
@@ -514,6 +515,11 @@ static int usb_hub_initfn(USBDevice *dev)
     USBHubPort *port;
     int i;
 
+    if (dev->port->hubcount == 5) {
+        error_report("usb hub chain too deep");
+        return -1;
+    }
+
     usb_desc_create_serial(dev);
     usb_desc_init(dev);
     s->intr = usb_ep_get(dev, USB_TOKEN_IN, 1);