From 3ae7eb88c472799f17beb653f4bc3fb8b124c72e Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Mon, 15 May 2017 12:45:43 +0200
Subject: ehci: fix overflow in frame timer code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In case the frame timer doesn't run for a while due to the host being busy skipped_uframes can become big enough that UFRAME_TIMER_NS * skipped_uframes overflows. Which in turn throws off all subsequent ehci frame timer calculations.

Reported-by: 李林 <8610_28@163.com>
Signed-off-by: Gerd Hoffmann
Reviewed-by: Philippe Mathieu-Daudé
Message-id: 20170515104543.32044-1-kraxel@redhat.com
---
 hw/usb/hcd-ehci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'hw/usb/hcd-ehci.c')
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 50ef817f93..d7361e570f 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -2238,7 +2238,7 @@ static void ehci_frame_timer(void *opaque)
 int need_timer = 0;
 int64_t expire_time, t_now;
 uint64_t ns_elapsed;
- int uframes, skipped_uframes;
+ uint64_t uframes, skipped_uframes;
 int i;
 t_now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
-- cgit 1.4.1
From 3bfecee2cb71f21cd39d6183f18b446c01917573 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann
Date: Fri, 19 May 2017 14:04:28 +0200
Subject: ehci: fix frame timer invocation.

ehci registers ehci_frame_timer as both timer and bottom half, which turned out to be a bad idea as it can be called as bottom half then while it is running as timer, and it isn't prepared to handle recursive calls. Change the timer func to just schedule the bottom half to avoid this.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1449609
Signed-off-by: Gerd Hoffmann
Message-id: 20170519120428.25981-1-kraxel@redhat.com
---
 hw/usb/hcd-ehci.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
(limited to 'hw/usb/hcd-ehci.c')
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index d7361e570f..17c572c55f 100644
--- a/hw/usb/hcd-ehci.c
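Review bot: Widening uframes and skipped_uframes to uint64_t fixes the product with UFRAME_TIMER_NS, but ehci_update_frindex still takes `int uframes` (its signature is visible in the next patch's hunk header), so if the widened counts are passed to it they are implicitly narrowed back and a very long stall can turn them negative before the `% 0x4000`, leaving frindex out of range. The loop index `int i` kept on the following line will presumably be compared against the now-unsigned uframes, a signed/unsigned mismatch that -Wsign-compare reports; confirm against the loop in the body. Consider widening the parameter and the index together, e.g. `static void ehci_update_frindex(EHCIState *ehci, uint64_t uframes)`, or clamping the value before the call. ehci_frame_timer's body continues outside the hunk.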
+++ b/hw/usb/hcd-ehci.c
@@ -2232,7 +2232,7 @@ static void ehci_update_frindex(EHCIState *ehci, int uframes)
 ehci->frindex = (ehci->frindex + uframes) % 0x4000;
 }
-static void ehci_frame_timer(void *opaque)
+static void ehci_work_bh(void *opaque)
 {
 EHCIState *ehci = opaque;
 int need_timer = 0;
@@ -2324,6 +2324,13 @@ static void ehci_frame_timer(void *opaque)
 }
 }
+static void ehci_work_timer(void *opaque)
+{
+ EHCIState *ehci = opaque;
+
+ qemu_bh_schedule(ehci->async_bh);
+}
+
 static const MemoryRegionOps ehci_mmio_caps_ops = {
 .read = ehci_caps_read,
 .write = ehci_caps_write,
@@ -2478,8 +2485,8 @@ void usb_ehci_realize(EHCIState *s, DeviceState *dev, Error **errp)
 s->ports[i].dev = 0;
 }
- s->frame_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, ehci_frame_timer, s);
- s->async_bh = qemu_bh_new(ehci_frame_timer, s);
+ s->frame_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, ehci_work_timer, s);
+ s->async_bh = qemu_bh_new(ehci_work_bh, s);
 s->device = dev;
 s->vmstate = qemu_add_vm_change_state_handler(usb_ehci_vm_state_change, s);
-- cgit 1.4.1
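Review bot: ehci_work_bh carries no note that it must not be re-entered, even though the commit message says the function is not prepared for recursive calls and that is the whole reason for the rename; a comment above the new signature, such as `/* All frame work runs here, only from async_bh; not re-entrant, so other paths must qemu_bh_schedule() it rather than call it. */`, would keep the next caller from reintroducing the bug. The renamed function's body continues well past the hunk, and any call sites other than the two updated in usb_ehci_realize are not visible here.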
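Review bot: ehci_work_timer now only schedules the bottom half, so the frame work runs on the next main-loop iteration rather than at the QEMU_CLOCK_VIRTUAL expiry the timer was armed for; that is fine as long as ehci_work_bh re-reads the clock itself, which the first patch's hunk suggests (`t_now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL)`), but the indirection deserves a one-line why-comment, e.g. `/* Never run the frame work from timer context: the BH may already be running it. */`. Nothing in this hunk shows that async_bh is still valid if the timer fires during teardown; presumably unrealize or reset deletes the timer before the BH, confirm.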
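Review bot: The timer callback that now dereferences s->async_bh is created on the line before async_bh is assigned; timer_new_ns does not arm the timer, so this is harmless today, but creating the BH first, `s->async_bh = qemu_bh_new(ehci_work_bh, s);` followed by `s->frame_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL, ehci_work_timer, s);`, makes ehci_work_timer's dependency obvious and removes the window for anyone later arming the timer in between. usb_ehci_realize continues beyond the hunk on both sides.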