Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5807795b authored by Paul Zimmerman's avatar Paul Zimmerman Committed by Sarah Sharp
Browse files

xhci: Fix errors in the running total calculations in the TRB math 



Calculations like

	running_total = TRB_MAX_BUFF_SIZE -
		(sg_dma_address(sg) & (TRB_MAX_BUFF_SIZE - 1));
	if (running_total != 0)
		num_trbs++;

are incorrect, because running_total can never be zero, so the if()
expression will never be true. I think the intention was that
running_total be in the range of 0 to TRB_MAX_BUFF_SIZE-1, not 1
to TRB_MAX_BUFF_SIZE. So adding a

	running_total &= TRB_MAX_BUFF_SIZE - 1;

fixes the problem.

This patch should be queued for stable kernels back to 2.6.31.

Signed-off-by: default avatarPaul Zimmerman <paulz@synopsys.com>
Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
Cc: stable@kernel.org
parent a2490187

drivers/usb/host/xhci-ring.c

+3 −0
Original line number Diff line number Diff line
@@ -2369,6 +2369,7 @@ static unsigned int count_sg_trbs_needed(struct xhci_hcd *xhci, struct urb *urb) 
		/* Scatter gather list entries may cross 64KB boundaries */

		running_total = TRB_MAX_BUFF_SIZE -

			(sg_dma_address(sg) & (TRB_MAX_BUFF_SIZE - 1));

		running_total &= TRB_MAX_BUFF_SIZE - 1;

		if (running_total != 0)

			num_trbs++;
@@ -2661,6 +2662,7 @@ int xhci_queue_bulk_tx(struct xhci_hcd *xhci, gfp_t mem_flags, 
	/* How much data is (potentially) left before the 64KB boundary? */

	running_total = TRB_MAX_BUFF_SIZE -

		(urb->transfer_dma & (TRB_MAX_BUFF_SIZE - 1));

	running_total &= TRB_MAX_BUFF_SIZE - 1;



	/* If there's some data on this 64KB chunk, or we have to send a

	 * zero-length transfer, we need at least one TRB
@@ -2884,6 +2886,7 @@ static int count_isoc_trbs_needed(struct xhci_hcd *xhci, 
	td_len = urb->iso_frame_desc[i].length;



	running_total = TRB_MAX_BUFF_SIZE - (addr & (TRB_MAX_BUFF_SIZE - 1));

	running_total &= TRB_MAX_BUFF_SIZE - 1;

	if (running_total != 0)

		num_trbs++;