aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorDavid Brownell <david-b@pacbell.net>2005-05-28 13:46:18 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2005-06-27 17:44:00 -0400
commit77078570abe0848c3076b4f7d42f79b1407f3e8f (patch)
tree47b421662c3c2e18cfe0bdf95c0a1ef42d89abb2 /drivers
parente07fefa6b212f43c40fdbc1a62de690d91a4b617 (diff)
[PATCH] USB: ehci-hcd - fix page pointer allocation in itd_patch()
The itd_patch() function is responsible for allocating entries in the buffer page pointer list of the iTD. Particularly, a new page pointer is needed every time when buffer data crosses a page boundary. However, there is a bug in the allocation logic: the function does not allocate a new entry when the current transaction is the first transaction in the iTD (as indicated by first!=0). The consequence is that, when the data of the first transaction begins somewhere at the end of a page so that it actually does cross the page boundary, no new page pointer is allocated. This means that the data at the end of the first transaction (beyond the page boundary) will be accessed by the HC using the second page pointer, which is zero. Furthermore, the first page pointer will be later overwritten by the page pointers of the other transactions, which will garble it because the value is or-ed into the iTD field. All this particular check (for !first) does is cause incorrect behaviour, so it should be entirely removed (and with it the variable first that is not used for anything else). Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/usb/host/ehci-sched.c17
1 files changed, 7 insertions, 10 deletions
diff --git a/drivers/usb/host/ehci-sched.c b/drivers/usb/host/ehci-sched.c
index 2fa1ffee5ff3..c2104cad4033 100644
--- a/drivers/usb/host/ehci-sched.c
+++ b/drivers/usb/host/ehci-sched.c
@@ -637,9 +637,8 @@ iso_stream_alloc (int mem_flags)
637{ 637{
638 struct ehci_iso_stream *stream; 638 struct ehci_iso_stream *stream;
639 639
640 stream = kmalloc(sizeof *stream, mem_flags); 640 stream = kcalloc(1, sizeof *stream, mem_flags);
641 if (likely (stream != NULL)) { 641 if (likely (stream != NULL)) {
642 memset (stream, 0, sizeof(*stream));
643 INIT_LIST_HEAD(&stream->td_list); 642 INIT_LIST_HEAD(&stream->td_list);
644 INIT_LIST_HEAD(&stream->free_list); 643 INIT_LIST_HEAD(&stream->free_list);
645 stream->next_uframe = -1; 644 stream->next_uframe = -1;
@@ -894,7 +893,7 @@ itd_sched_init (
894 trans |= length << 16; 893 trans |= length << 16;
895 uframe->transaction = cpu_to_le32 (trans); 894 uframe->transaction = cpu_to_le32 (trans);
896 895
897 /* might need to cross a buffer page within a td */ 896 /* might need to cross a buffer page within a uframe */
898 uframe->bufp = (buf & ~(u64)0x0fff); 897 uframe->bufp = (buf & ~(u64)0x0fff);
899 buf += length; 898 buf += length;
900 if (unlikely ((uframe->bufp != (buf & ~(u64)0x0fff)))) 899 if (unlikely ((uframe->bufp != (buf & ~(u64)0x0fff))))
@@ -1194,6 +1193,7 @@ itd_init (struct ehci_iso_stream *stream, struct ehci_itd *itd)
1194{ 1193{
1195 int i; 1194 int i;
1196 1195
1196 /* it's been recently zeroed */
1197 itd->hw_next = EHCI_LIST_END; 1197 itd->hw_next = EHCI_LIST_END;
1198 itd->hw_bufp [0] = stream->buf0; 1198 itd->hw_bufp [0] = stream->buf0;
1199 itd->hw_bufp [1] = stream->buf1; 1199 itd->hw_bufp [1] = stream->buf1;
@@ -1210,8 +1210,7 @@ itd_patch (
1210 struct ehci_itd *itd, 1210 struct ehci_itd *itd,
1211 struct ehci_iso_sched *iso_sched, 1211 struct ehci_iso_sched *iso_sched,
1212 unsigned index, 1212 unsigned index,
1213 u16 uframe, 1213 u16 uframe
1214 int first
1215) 1214)
1216{ 1215{
1217 struct ehci_iso_packet *uf = &iso_sched->packet [index]; 1216 struct ehci_iso_packet *uf = &iso_sched->packet [index];
@@ -1228,7 +1227,7 @@ itd_patch (
1228 itd->hw_bufp_hi [pg] |= cpu_to_le32 ((u32)(uf->bufp >> 32)); 1227 itd->hw_bufp_hi [pg] |= cpu_to_le32 ((u32)(uf->bufp >> 32));
1229 1228
1230 /* iso_frame_desc[].offset must be strictly increasing */ 1229 /* iso_frame_desc[].offset must be strictly increasing */
1231 if (unlikely (!first && uf->cross)) { 1230 if (unlikely (uf->cross)) {
1232 u64 bufp = uf->bufp + 4096; 1231 u64 bufp = uf->bufp + 4096;
1233 itd->pg = ++pg; 1232 itd->pg = ++pg;
1234 itd->hw_bufp [pg] |= cpu_to_le32 (bufp & ~(u32)0); 1233 itd->hw_bufp [pg] |= cpu_to_le32 (bufp & ~(u32)0);
@@ -1257,7 +1256,7 @@ itd_link_urb (
1257 struct ehci_iso_stream *stream 1256 struct ehci_iso_stream *stream
1258) 1257)
1259{ 1258{
1260 int packet, first = 1; 1259 int packet;
1261 unsigned next_uframe, uframe, frame; 1260 unsigned next_uframe, uframe, frame;
1262 struct ehci_iso_sched *iso_sched = urb->hcpriv; 1261 struct ehci_iso_sched *iso_sched = urb->hcpriv;
1263 struct ehci_itd *itd; 1262 struct ehci_itd *itd;
@@ -1290,7 +1289,6 @@ itd_link_urb (
1290 list_move_tail (&itd->itd_list, &stream->td_list); 1289 list_move_tail (&itd->itd_list, &stream->td_list);
1291 itd->stream = iso_stream_get (stream); 1290 itd->stream = iso_stream_get (stream);
1292 itd->urb = usb_get_urb (urb); 1291 itd->urb = usb_get_urb (urb);
1293 first = 1;
1294 itd_init (stream, itd); 1292 itd_init (stream, itd);
1295 } 1293 }
1296 1294
@@ -1298,8 +1296,7 @@ itd_link_urb (
1298 frame = next_uframe >> 3; 1296 frame = next_uframe >> 3;
1299 1297
1300 itd->usecs [uframe] = stream->usecs; 1298 itd->usecs [uframe] = stream->usecs;
1301 itd_patch (itd, iso_sched, packet, uframe, first); 1299 itd_patch (itd, iso_sched, packet, uframe);
1302 first = 0;
1303 1300
1304 next_uframe += stream->interval; 1301 next_uframe += stream->interval;
1305 stream->depth += stream->interval; 1302 stream->depth += stream->interval;