From 2675121a5ff1ee361e9f5d33b9e8a97e4d65114f Mon Sep 17 00:00:00 2001
Message-Id: <2675121a5ff1ee361e9f5d33b9e8a97e4d65114f.1369821827.git.minovotn@redhat.com>
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 13 May 2013 15:21:43 +0200
Subject: [PATCH 1/2] usb-hub: limit chain length

RH-Author: Gerd Hoffmann <kraxel@redhat.com>
Message-id: <1368458504-16570-2-git-send-email-kraxel@redhat.com>
Patchwork-id: 51333
O-Subject: [RHEL-6.5 qemu-kvm PATCH 1/2] usb-hub: limit chain length
Bugzilla: 905851
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Hans de Goede <hdegoede@redhat.com>

USB supports up to 5 hubs chained.
Catch attempts to chain more.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit c24e4aac3bd7dd6591e26b77985e5d3915ecbe4b)

Conflicts:

	hw/usb-hub.c
---
 hw/usb-bus.c |    2 ++
 hw/usb-hub.c |    5 +++++
 hw/usb.h     |    1 +
 3 files changed, 8 insertions(+)

Signed-off-by: Michal Novotny <minovotn@redhat.com>
---
 hw/usb-bus.c | 2 ++
 hw/usb-hub.c | 5 +++++
 hw/usb.h     | 1 +
 3 files changed, 8 insertions(+)

diff --git a/hw/usb-bus.c b/hw/usb-bus.c
index 832dd63..f1f52d1 100644
--- a/hw/usb-bus.c
+++ b/hw/usb-bus.c
@@ -231,8 +231,10 @@ void usb_port_location(USBPort *downstream, USBPort *upstream, int portnr)
     if (upstream) {
         snprintf(downstream->path, sizeof(downstream->path), "%s.%d",
                  upstream->path, portnr);
+        downstream->hubcount = upstream->hubcount + 1;
     } else {
         snprintf(downstream->path, sizeof(downstream->path), "%d", portnr);
+        downstream->hubcount = 0;
     }
 }
 
diff --git a/hw/usb-hub.c b/hw/usb-hub.c
index 0320551..cf5f401 100644
--- a/hw/usb-hub.c
+++ b/hw/usb-hub.c
@@ -503,6 +503,11 @@ static int usb_hub_initfn(USBDevice *dev)
     USBHubPort *port;
     int i;
 
+    if (dev->port->hubcount == 5) {
+        error_report("usb hub chain too deep");
+        return -1;
+    }
+
     usb_desc_create_serial(dev);
     usb_desc_init(dev);
     for (i = 0; i < NUM_PORTS; i++) {
diff --git a/hw/usb.h b/hw/usb.h
index 5728208..d080a9c 100644
--- a/hw/usb.h
+++ b/hw/usb.h
@@ -266,6 +266,7 @@ typedef struct USBPortOps {
 struct USBPort {
     USBDevice *dev;
     int speedmask;
+    int hubcount;
     char path[16];
     USBPortOps *ops;
     void *opaque;
-- 
1.7.11.7