On Tue, 21 May 2024 at 00:26, David Hubbard <dmamf...@gmail.com> wrote:
>
> From: Cord Amfmgm <dmamf...@gmail.com>
>
> This changes the way the ohci emulation handles a Transfer Descriptor with
> "Current Buffer Pointer" set to "Buffer End" + 1.
>
> The OHCI spec 4.3.1.2 Table 4-2 allows td.cbp to be one byte more than td.be
> to signal the buffer has zero length. Currently qemu only accepts zero-length
> Transfer Descriptors if the td.cbp is equal to 0, while actual OHCI hardware
> accepts both cases.
>
> The qemu ohci emulation has a regression in ohci_service_td. Version 4.2
> and earlier matched the spec. (I haven't taken the time to bisect exactly
> where the logic was changed.)
Almost certainly this was commit 1328fe0c32d54 ("hw: usb: hcd-ohci: check len and frame_number variables"), which added these bounds checks. Prior to that we did no bounds checking at all, which meant that we permitted cbp=be+1 to mean a zero length, but also that we permitted the guest to overrun host-side buffers by specifying completely bogus cbp and be values. The timeframe is more or less right (2020), at least.

-- PMM
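The length rule the thread is arguing about, as an added stand-alone illustration (not QEMU's hcd-ohci code): both td.cbp == 0 and td.cbp == td.be + 1 mean an empty buffer per OHCI 4.3.1.2, any other cbp beyond be is rejected so the length can never wrap, and the two-page buffer case from OHCI 4.3.1.3.1 is handled. The cbp/be values in main are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* OHCI addresses buffers in 4 KiB physical pages; a TD may span two of them. */
#define OHCI_PAGE_SIZE 0x1000u
#define OHCI_PAGE_MASK (OHCI_PAGE_SIZE - 1)

/*
 * Compute the number of bytes a TD still describes from its Current Buffer
 * Pointer (cbp) and Buffer End (be). Returns -1 for a malformed descriptor
 * (cbp points past be by more than one byte), which a guest-facing emulator
 * must reject rather than turn into a huge host-side copy.
 */
int64_t ohci_td_buffer_len(uint32_t cbp, uint32_t be)
{
    /* cbp == 0 and cbp == be + 1 both signal "zero bytes remaining". */
    if (cbp == 0 || cbp == be + 1) {
        return 0;
    }
    /* Any other cbp beyond be is bogus: refuse it instead of wrapping. */
    if (cbp > be) {
        return -1;
    }
    if ((cbp & ~OHCI_PAGE_MASK) == (be & ~OHCI_PAGE_MASK)) {
        /* Start and end lie in the same physical page. */
        return (int64_t)(be - cbp) + 1;
    }
    /* Buffer spans two pages: remainder of the first plus the used part of
     * the second (whose page address comes from be's upper bits). */
    return (int64_t)(OHCI_PAGE_SIZE - (cbp & OHCI_PAGE_MASK))
         + (be & OHCI_PAGE_MASK) + 1;
}

int main(void)
{
    /* Constructed descriptor values covering each branch. */
    printf("cbp=be+1 : %lld\n", (long long)ohci_td_buffer_len(0x1000, 0x0FFF));
    printf("cbp=0    : %lld\n", (long long)ohci_td_buffer_len(0, 0x1234));
    printf("one page : %lld\n", (long long)ohci_td_buffer_len(0x1100, 0x11FF));
    printf("two pages: %lld\n", (long long)ohci_td_buffer_len(0x1FF0, 0x2003));
    printf("bogus    : %lld\n", (long long)ohci_td_buffer_len(0x2000, 0x1000));
    return 0;
}
```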