usb-ehci: fix offset writeback in ehci_buffer_rw

Two bugs at once:

First the mask is backwards, so the it used to keeps the offset and
clears the page address, which is not what we need when we update the
offset.

Second the offset calculation is wrong in case head isn't page aligned.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

diff --git a/hw/usb-ehci.c b/hw/usb-ehci.c
index da22d10f7f7aa8ced78c6a41e43db66a646d7af6..5de0cdad9e34536637c0070aa3b889ac00eb664f 100644 (file)
--- a/hw/usb-ehci.c
+++ b/hw/usb-ehci.c
@@ -1066,6 +1066,7 @@ static int ehci_buffer_rw(EHCIQueue *q, int bytes, int rw)
         cpu_physical_memory_rw(head, q->buffer + bufpos, tail - head, rw);
 
         bufpos += (tail - head);
+        offset += (tail - head);
         bytes -= (tail - head);
 
         if (bytes > 0) {
@@ -1078,8 +1079,7 @@ static int ehci_buffer_rw(EHCIQueue *q, int bytes, int rw)
     set_field(&q->qh.token, cpage, QTD_TOKEN_CPAGE);
 
     /* save offset into cpage */
-    offset = tail - head;
-    q->qh.bufptr[0] &= ~QTD_BUFPTR_MASK;
+    q->qh.bufptr[0] &= QTD_BUFPTR_MASK;
     q->qh.bufptr[0] |= offset;
 
     return 0;