From 6c4befe2095732463ae28bac2a93b3089b8f783a Mon Sep 17 00:00:00 2001
From: Johannes Anderwald
Date: Fri, 10 Feb 2012 16:28:35 +0000
Subject: [PATCH] [USBEHCI] [USBOHCI] - Don't corrupt memory when a queue head / transfer descriptor is freed - How did this work before...
svn path=/branches/usb-bringup-trunk/; revision=55525
---
 drivers/usb/usbehci/memory_manager.cpp | 15 +++++++++++++--
 drivers/usb/usbohci/memory_manager.cpp | 15 +++++++++++++--
 2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/usbehci/memory_manager.cpp b/drivers/usb/usbehci/memory_manager.cpp
index 1cfed3e829a..4b60d968b4c 100644
--- a/drivers/usb/usbehci/memory_manager.cpp
+++ b/drivers/usb/usbehci/memory_manager.cpp
@@ -271,7 +271,7 @@ CDMAMemoryManager::Release(
 IN ULONG Size)
 {
 KIRQL OldLevel;
- ULONG BlockOffset = 0, BlockLength;
+ ULONG BlockOffset = 0, BlockLength, BlockCount;
 //
 // sanity checks
@@ -301,15 +301,26 @@ CDMAMemoryManager::Release(
 //
 Size = (Size + m_BlockSize - 1) & ~(m_BlockSize - 1);
+ //
+ // convert to blocks
+ //
+ BlockCount = Size / m_BlockSize;
+ ASSERT(BlockCount);
+
 //
 // acquire lock
 //
 KeAcquireSpinLock(m_Lock, &OldLevel);
+ //
+ // sanity check
+ //
+ ASSERT(RtlAreBitsSet(&m_Bitmap, BlockOffset, BlockCount));
+
 //
 // release buffer
 //
- RtlClearBits(&m_Bitmap, BlockOffset, Size);
+ RtlClearBits(&m_Bitmap, BlockOffset, BlockCount);
 //
 // release lock
diff --git a/drivers/usb/usbohci/memory_manager.cpp b/drivers/usb/usbohci/memory_manager.cpp
index 0e6ffdddab7..0f2885ab05a 100644
--- a/drivers/usb/usbohci/memory_manager.cpp
+++ b/drivers/usb/usbohci/memory_manager.cpp
@@ -271,7 +271,7 @@ CDMAMemoryManager::Release(
 IN ULONG Size)
 {
 KIRQL OldLevel;
- ULONG BlockOffset = 0, BlockLength;
+ ULONG BlockOffset = 0, BlockLength, BlockCount;
 //
 // sanity checks
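Review bot: Both new checks in the second usbehci hunk are ASSERTs, so in a free build a double release or a stale pointer argument still reaches `RtlClearBits(&m_Bitmap, BlockOffset, BlockCount)` and clears bits that belong to another live allocation, which is the same class of corruption the commit is fixing; RtlClearBits does no bounds checking either, so an offset past `m_Bitmap.SizeOfBitMap` would overrun the bitmap buffer. Since the spin lock is already held at that point, the `RtlAreBitsSet` result (plus a range check) can be made a hard guard that skips the clear and returns, keeping the ASSERT for checked builds. The same applies verbatim to the second hunk of drivers/usb/usbohci/memory_manager.cpp. The computation of `BlockOffset` and the function's tail (lock release, return) lie outside the hunk, so the NTSTATUS return type used below is an assumption to confirm against the signature.
```cpp
    KeAcquireSpinLock(m_Lock, &OldLevel);

    //
    // sanity check: refuse to clear bits that are out of range or not
    // currently allocated (double release / stale pointer), in free
    // builds too; RtlClearBits itself does no bounds checking
    //
    if (BlockOffset + BlockCount > m_Bitmap.SizeOfBitMap ||
        !RtlAreBitsSet(&m_Bitmap, BlockOffset, BlockCount))
    {
        ASSERT(FALSE);
        KeReleaseSpinLock(m_Lock, OldLevel);
        return STATUS_INVALID_PARAMETER; // assumes NTSTATUS return type (signature is outside the hunk)
    }

    // … unchanged: release buffer (RtlClearBits), release lock …
```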
@@ -301,15 +301,26 @@ CDMAMemoryManager::Release(
 //
 Size = (Size + m_BlockSize - 1) & ~(m_BlockSize - 1);
+ //
+ // convert to blocks
+ //
+ BlockCount = Size / m_BlockSize;
+ ASSERT(BlockCount);
+
 //
 // acquire lock
 //
 KeAcquireSpinLock(m_Lock, &OldLevel);
+ //
+ // sanity check
+ //
+ ASSERT(RtlAreBitsSet(&m_Bitmap, BlockOffset, BlockCount));
+
 //
 // release buffer
 //
- RtlClearBits(&m_Bitmap, BlockOffset, Size);
+ RtlClearBits(&m_Bitmap, BlockOffset, BlockCount);
 //
 // release lock