From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Li Qiang, Gerd Hoffmann
Date: Tue, 21 Feb 2017 08:16:15 +0100
Subject: [Qemu-devel] [PULL 01/11] usb: ehci: fix memory leak in ehci
Message-Id: <1487661385-7720-2-git-send-email-kraxel@redhat.com>
In-Reply-To: <1487661385-7720-1-git-send-email-kraxel@redhat.com>

From: Li Qiang

In the usb_ehci_init function, it initializes 's->ipacket', but there is no corresponding function to free this. As the ehci can be hotplugged and unplugged, this will leak host memory. In order to make the hierarchy clean, we should add an ehci pci finalize function, then call the clean function in ehci device.

Signed-off-by: Li Qiang
Message-id: 589a85b8.3c2b9d0a.b8e6.1434@mx.google.com
Signed-off-by: Gerd Hoffmann
--- hw/usb/hcd-ehci-pci.c | 9 +++++++++ hw/usb/hcd-ehci.c | 5 +++++ hw/usb/hcd-ehci.h | 1 + 3 files changed, 15 insertions(+) diff --git a/hw/usb/hcd-ehci-pci.c b/hw/usb/hcd-ehci-pci.c index 5657705..6dedcb8 100644 --- a/hw/usb/hcd-ehci-pci.c +++ b/hw/usb/hcd-ehci-pci.c 
@@ -89,6 +89,14 @@ static void usb_ehci_pci_init(Object *obj) usb_ehci_init(s, DEVICE(obj)); } =20 +static void usb_ehci_pci_finalize(Object *obj) +{ + EHCIPCIState *i =3D PCI_EHCI(obj); + EHCIState *s =3D &i->ehci; + + usb_ehci_finalize(s); +} + static void usb_ehci_pci_exit(PCIDevice *dev) { EHCIPCIState *i =3D PCI_EHCI(dev); @@ -159,6 +167,7 @@ static const TypeInfo ehci_pci_type_info =3D { .parent =3D TYPE_PCI_DEVICE, .instance_size =3D sizeof(EHCIPCIState), .instance_init =3D usb_ehci_pci_init, + .instance_finalize =3D usb_ehci_pci_finalize, .abstract =3D true, .class_init =3D ehci_class_init, }; diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index 7622a3a..50ef817 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c @@ -2545,6 +2545,11 @@ void usb_ehci_init(EHCIState *s, DeviceState *dev) &s->mem_ports); } =20 +void usb_ehci_finalize(EHCIState *s) +{ + usb_packet_cleanup(&s->ipacket); +} + /* * vim: expandtab ts=3D4 */ diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h index 3fd7038..938d8aa 100644 --- a/hw/usb/hcd-ehci.h +++ b/hw/usb/hcd-ehci.h 
@@ -323,6 +323,7 @@ struct EHCIState { extern const VMStateDescription vmstate_ehci; =20 void usb_ehci_init(EHCIState *s, DeviceState *dev); +void usb_ehci_finalize(EHCIState *s); void usb_ehci_realize(EHCIState *s, DeviceState *dev, Error **errp); void usb_ehci_unrealize(EHCIState *s, DeviceState *dev, Error **errp); void ehci_reset(void *opaque); --=20 1.8.3.1
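Review bot: In the hcd-ehci-pci.c hunks, usb_ehci_finalize() is reached only through the .instance_finalize added to ehci_pci_type_info, while usb_ehci_init() is exported in hcd-ehci.h, so any other type that calls usb_ehci_init() still leaks s->ipacket on unplug and needs the same hook. A one-line comment on usb_ehci_finalize() stating that it is the counterpart of usb_ehci_init(), as opposed to usb_ehci_unrealize(), would make the pairing explicit for whoever adds the next front end.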
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Li Qiang, Gerd Hoffmann
Date: Tue, 21 Feb 2017 08:16:16 +0100
Subject: [Qemu-devel] [PULL 02/11] usb: ohci: fix error return code in servicing iso td
Message-Id: <1487661385-7720-3-git-send-email-kraxel@redhat.com>
In-Reply-To: <1487661385-7720-1-git-send-email-kraxel@redhat.com>

From: Li Qiang

It should return 1 if an error occurs when reading iso td. This will avoid an infinite loop issue in ohci_service_ed_list.

Signed-off-by: Li Qiang
Message-id: 5899ac3e.1033240a.944d5.9a2d@mx.google.com
Signed-off-by: Gerd Hoffmann
--- hw/usb/hcd-ohci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c index c82a92f..2cba3e3 100644 --- a/hw/usb/hcd-ohci.c +++ b/hw/usb/hcd-ohci.c 
@@ -725,7 +725,7 @@ static int ohci_service_iso_td(OHCIState *ohci, struct = ohci_ed *ed, if (ohci_read_iso_td(ohci, addr, &iso_td)) { trace_usb_ohci_iso_td_read_failed(addr); ohci_die(ohci); - return 0; + return 1; } =20 starting_frame =3D OHCI_BM(iso_td.flags, TD_SF); --=20 1.8.3.1
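Review bot: In ohci_service_iso_td(), the error path after ohci_die() now returns the bare literal 1, and nothing at the site says what 0 and 1 mean to the caller; only the commit message explains that the old value let ohci_service_ed_list loop forever. Add a comment here or on the function documenting the return contract, so the next error path added to this function picks the right value.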
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Li Qiang, Gerd Hoffmann
Date: Tue, 21 Feb 2017 08:16:17 +0100
Subject: [Qemu-devel] [PULL 03/11] usb: ohci: limit the number of link eds
Message-Id: <1487661385-7720-4-git-send-email-kraxel@redhat.com>
In-Reply-To: <1487661385-7720-1-git-send-email-kraxel@redhat.com>

From: Li Qiang

The guest may build an infinite loop with link eds. This patch limits the number of linked eds to avoid this.

Signed-off-by: Li Qiang
Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
Signed-off-by: Gerd Hoffmann
--- hw/usb/hcd-ohci.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c index 2cba3e3..21c93e0 100644 --- a/hw/usb/hcd-ohci.c +++ b/hw/usb/hcd-ohci.c 
@@ -42,6 +42,8 @@ =20 #define OHCI_MAX_PORTS 15 =20 +#define ED_LINK_LIMIT 4 + static int64_t usb_frame_time; static int64_t usb_bit_time; =20 @@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint= 32_t head, int completion) uint32_t next_ed; uint32_t cur; int active; - + uint32_t link_cnt =3D 0; active =3D 0; =20 if (head =3D=3D 0) 
@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uin= t32_t head, int completion) =20 next_ed =3D ed.next & OHCI_DPTR_MASK; =20 + if (++link_cnt > ED_LINK_LIMIT) { + ohci_die(ohci); + return 0; + } + if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) { uint32_t addr; /* Cancel pending packets for ED that have been paused. */ --=20 1.8.3.1
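Review bot: In the @@ -1199 hunk of ohci_service_ed_list(), ++link_cnt sits directly after next_ed is computed and is not conditioned on anything, so as placed it counts every ED visited on the list rather than only repeated links; with ED_LINK_LIMIT at 4, a guest whose list legitimately holds more than four EDs would end in ohci_die(). Consider a considerably larger bound, and add a tracepoint before ohci_die() so a tripped limit can be told apart from other controller deaths. The @@ -1184 hunk also replaces the blank line before "active = 0;" with the link_cnt declaration; keep a blank line between the declarations and the first statement.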
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann
Date: Tue, 21 Feb 2017 08:16:18 +0100
Subject: [Qemu-devel] [PULL 04/11] xhci: apply limits to loops
Message-Id: <1487661385-7720-5-git-send-email-kraxel@redhat.com>
In-Reply-To: <1487661385-7720-1-git-send-email-kraxel@redhat.com>

Limits should be big enough that a normal guest should not hit them. Add a tracepoint to log them, just in case. Also, while being at it, log the existing link trb limit too.

Reported-by: 李强
Signed-off-by: Gerd Hoffmann
Message-id: 1486383669-6421-1-git-send-email-kraxel@redhat.com
--- hw/usb/hcd-xhci.c | 15 ++++++++++++++- hw/usb/trace-events | 1 + 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 54b3901..f3f9579 100644 
--- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -54,6 +54,8 @@ #define ER_FULL_HACK =20 #define TRB_LINK_LIMIT 4 +#define COMMAND_LIMIT 256 +#define TRANSFER_LIMIT 256 =20 #define LEN_CAP 0x40 #define LEN_OPER (0x400 + 0x10 * MAXPORTS) @@ -1032,6 +1034,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIR= ing *ring, XHCITRB *trb, return type; } else { if (++link_cnt > TRB_LINK_LIMIT) { + trace_usb_xhci_enforced_limit("trb-link"); return 0; } ring->dequeue =3D xhci_mask64(trb->parameter); @@ -2150,6 +2153,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, uns= igned int streamid) XHCIRing *ring; USBEndpoint *ep =3D NULL; uint64_t mfindex; + unsigned int count =3D 0; int length; int i; =20 @@ -2262,6 +2266,10 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, un= signed int streamid) epctx->retry =3D xfer; break; } + if (count++ > TRANSFER_LIMIT) { + trace_usb_xhci_enforced_limit("transfers"); + break; + } } epctx->kick_active--; =20 @@ -2734,7 +2742,7 @@ static void xhci_process_commands(XHCIState *xhci) TRBType type; XHCIEvent event =3D {ER_COMMAND_COMPLETE, CC_SUCCESS}; dma_addr_t addr; - unsigned int i, slotid =3D 0; + unsigned int i, slotid =3D 0, count =3D 0; =20 DPRINTF("xhci_process_commands()\n"); if (!xhci_running(xhci)) { @@ -2848,6 +2856,11 @@ static void xhci_process_commands(XHCIState *xhci) } event.slotid =3D slotid; xhci_event(xhci, &event, 0); + + if (count++ > COMMAND_LIMIT) { + trace_usb_xhci_enforced_limit("commands"); + return; + } } } =20 diff --git a/hw/usb/trace-events b/hw/usb/trace-events index fdd1d29..0c323d4 100644 --- a/hw/usb/trace-events +++ b/hw/usb/trace-events 
@@ -174,6 +174,7 @@ usb_xhci_xfer_retry(void *xfer) "%p" usb_xhci_xfer_success(void *xfer, uint32_t bytes) "%p: len %d" usb_xhci_xfer_error(void *xfer, uint32_t ret) "%p: ret %d" usb_xhci_unimplemented(const char *item, int nr) "%s (0x%x)" +usb_xhci_enforced_limit(const char *item) "%s" =20 # hw/usb/desc.c usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, = ret %d" --=20 1.8.3.1
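Review bot: In the xhci_kick_epctx() and xhci_process_commands() hunks, the new checks are written "count++ > TRANSFER_LIMIT" and "count++ > COMMAND_LIMIT", while the existing link check a few hunks earlier is "++link_cnt > TRB_LINK_LIMIT"; with post-increment and the test at the end of the loop body, 258 iterations complete before the limit fires, not 256. Use "++count > LIMIT" (or ">=") so the bound matches the macro value and all three checks read the same way.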
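Review bot: In the @@ -2848 hunk of xhci_process_commands(), hitting COMMAND_LIMIT does a plain return after the tracepoint, so whatever is still queued on the command ring stays unprocessed until something calls this function again, and the guest gets no indication. If that is the intended behaviour, say so in a comment next to the return; the same applies to the break in xhci_kick_epctx().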
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann
Date: Tue, 21 Feb 2017 08:16:19 +0100
Subject: [Qemu-devel] [PULL 05/11] xhci: drop ER_FULL_HACK workaround
Message-Id: <1487661385-7720-6-git-send-email-kraxel@redhat.com>
In-Reply-To: <1487661385-7720-1-git-send-email-kraxel@redhat.com>

The nec/renesas driver problems have finally been debugged and root caused, see commit "7da76e1 xhci: fix event queue IRQ handling".

It's pretty clear now that
 (a) The whole "driver can't handle ring full" story is most likely wrong.
 (b) The ER_FULL_HACK workaround based on the false assumption doesn't much. It avoids the driver crashing (without commit 7da76e1), but it doesn't make usb work.
 (c) With 7da76e1 applied it doesn't trigger any more.

So, let's kill it. Or, to be exact, let's almost kill it. Some data fields are kept unused in the state struct, for live migration backward compatibility.

Signed-off-by: Gerd Hoffmann
Message-id: 1486382139-30630-2-git-send-email-kraxel@redhat.com
--- hw/usb/hcd-xhci.c | 117 +++++---------------------------------------------= ---- 1 file changed, 11 insertions(+), 106 deletions(-) diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index f3f9579..cfb5f74 100644 --- a/hw/usb/hcd-xhci.c 
+++ b/hw/usb/hcd-xhci.c @@ -49,9 +49,6 @@ =20 /* Very pessimistic, let's hope it's enough for all cases */ #define EV_QUEUE (((3 * 24) + 16) * MAXSLOTS) -/* Do not deliver ER Full events. NEC's driver does some things not bound - * to the specs when it gets them */ -#define ER_FULL_HACK =20 #define TRB_LINK_LIMIT 4 #define COMMAND_LIMIT 256 @@ -433,12 +430,14 @@ typedef struct XHCIInterrupter { uint32_t erdp_low; uint32_t erdp_high; =20 - bool msix_used, er_pcs, er_full; + bool msix_used, er_pcs; =20 dma_addr_t er_start; uint32_t er_size; unsigned int er_ep_idx; =20 + /* kept for live migration compat only */ + bool er_full_unused; XHCIEvent ev_buffer[EV_QUEUE]; unsigned int ev_buffer_put; unsigned int ev_buffer_get; @@ -828,7 +827,7 @@ static void xhci_intr_raise(XHCIState *xhci, int v) =20 static inline int xhci_running(XHCIState *xhci) { - return !(xhci->usbsts & USBSTS_HCH) && !xhci->intr[0].er_full; + return !(xhci->usbsts & USBSTS_HCH); } =20 static void xhci_die(XHCIState *xhci) 
@@ -867,74 +866,6 @@ static void xhci_write_event(XHCIState *xhci, XHCIEven= t *event, int v) } } =20 -static void xhci_events_update(XHCIState *xhci, int v) -{ - XHCIInterrupter *intr =3D &xhci->intr[v]; - dma_addr_t erdp; - unsigned int dp_idx; - bool do_irq =3D 0; - - if (xhci->usbsts & USBSTS_HCH) { - return; - } - - erdp =3D xhci_addr64(intr->erdp_low, intr->erdp_high); - if (erdp < intr->er_start || - erdp >=3D (intr->er_start + TRB_SIZE*intr->er_size)) { - DPRINTF("xhci: ERDP out of bounds: "DMA_ADDR_FMT"\n", erdp); - DPRINTF("xhci: ER[%d] at "DMA_ADDR_FMT" len %d\n", - v, intr->er_start, intr->er_size); - xhci_die(xhci); - return; - } - dp_idx =3D (erdp - intr->er_start) / TRB_SIZE; - assert(dp_idx < intr->er_size); - - /* NEC didn't read section 4.9.4 of the spec (v1.0 p139 top Note) and = thus - * deadlocks when the ER is full. Hack it by holding off events until - * the driver decides to free at least half of the ring */ - if (intr->er_full) { - int er_free =3D dp_idx - intr->er_ep_idx; - if (er_free <=3D 0) { - er_free +=3D intr->er_size; - } - if (er_free < (intr->er_size/2)) { - DPRINTF("xhci_events_update(): event ring still " - "more than half full (hack)\n"); - return; - } - } - - while (intr->ev_buffer_put !=3D intr->ev_buffer_get) { - assert(intr->er_full); - if (((intr->er_ep_idx+1) % intr->er_size) =3D=3D dp_idx) { - DPRINTF("xhci_events_update(): event ring full again\n"); -#ifndef ER_FULL_HACK - XHCIEvent full =3D {ER_HOST_CONTROLLER, CC_EVENT_RING_FULL_ERR= OR}; - xhci_write_event(xhci, &full, v); -#endif - do_irq =3D 1; - break; - } - XHCIEvent *event =3D &intr->ev_buffer[intr->ev_buffer_get]; - xhci_write_event(xhci, event, v); - intr->ev_buffer_get++; - do_irq =3D 1; - if (intr->ev_buffer_get =3D=3D EV_QUEUE) { - intr->ev_buffer_get =3D 0; - } - } - - if (do_irq) { - xhci_intr_raise(xhci, v); - } - - if (intr->er_full && intr->ev_buffer_put =3D=3D intr->ev_buffer_get) { - DPRINTF("xhci_events_update(): event ring no longer full\n"); - 
intr->er_full =3D 0; - } -} - static void xhci_event(XHCIState *xhci, XHCIEvent *event, int v) { XHCIInterrupter *intr; @@ -947,19 +878,6 @@ static void xhci_event(XHCIState *xhci, XHCIEvent *eve= nt, int v) } intr =3D &xhci->intr[v]; =20 - if (intr->er_full) { - DPRINTF("xhci_event(): ER full, queueing\n"); - if (((intr->ev_buffer_put+1) % EV_QUEUE) =3D=3D intr->ev_buffer_ge= t) { - DPRINTF("xhci: event queue full, dropping event!\n"); - return; - } - intr->ev_buffer[intr->ev_buffer_put++] =3D *event; - if (intr->ev_buffer_put =3D=3D EV_QUEUE) { - intr->ev_buffer_put =3D 0; - } - return; - } - erdp =3D xhci_addr64(intr->erdp_low, intr->erdp_high); if (erdp < intr->er_start || erdp >=3D (intr->er_start + TRB_SIZE*intr->er_size)) { @@ -973,21 +891,12 @@ static void xhci_event(XHCIState *xhci, XHCIEvent *ev= ent, int v) dp_idx =3D (erdp - intr->er_start) / TRB_SIZE; assert(dp_idx < intr->er_size); =20 - if ((intr->er_ep_idx+1) % intr->er_size =3D=3D dp_idx) { - DPRINTF("xhci_event(): ER full, queueing\n"); -#ifndef ER_FULL_HACK + if ((intr->er_ep_idx + 2) % intr->er_size =3D=3D dp_idx) { + DPRINTF("xhci: ER %d full, send ring full error\n", v); XHCIEvent full =3D {ER_HOST_CONTROLLER, CC_EVENT_RING_FULL_ERROR}; - xhci_write_event(xhci, &full); -#endif - intr->er_full =3D 1; - if (((intr->ev_buffer_put+1) % EV_QUEUE) =3D=3D intr->ev_buffer_ge= t) { - DPRINTF("xhci: event queue full, dropping event!\n"); - return; - } - intr->ev_buffer[intr->ev_buffer_put++] =3D *event; - if (intr->ev_buffer_put =3D=3D EV_QUEUE) { - intr->ev_buffer_put =3D 0; - } + xhci_write_event(xhci, &full, v); + } else if ((intr->er_ep_idx + 1) % intr->er_size =3D=3D dp_idx) { + DPRINTF("xhci: ER %d full, drop event\n", v); } else { xhci_write_event(xhci, event, v); } 
@@ -1127,7 +1036,6 @@ static void xhci_er_reset(XHCIState *xhci, int v) =20 intr->er_ep_idx =3D 0; intr->er_pcs =3D 1; - intr->er_full =3D 0; =20 DPRINTF("xhci: event ring[%d]:" DMA_ADDR_FMT " [%d]\n", v, intr->er_start, intr->er_size); @@ -2991,7 +2899,6 @@ static void xhci_reset(DeviceState *dev) =20 xhci->intr[i].er_ep_idx =3D 0; xhci->intr[i].er_pcs =3D 1; - xhci->intr[i].er_full =3D 0; xhci->intr[i].ev_buffer_put =3D 0; xhci->intr[i].ev_buffer_get =3D 0; } @@ -3381,7 +3288,6 @@ static void xhci_runtime_write(void *ptr, hwaddr reg, break; case 0x1c: /* ERDP high */ intr->erdp_high =3D val; - xhci_events_update(xhci, v); break; default: trace_usb_xhci_unimplemented("oper write", reg); @@ -3879,8 +3785,7 @@ static const VMStateDescription vmstate_xhci_event = =3D { =20 static bool xhci_er_full(void *opaque, int version_id) { - struct XHCIInterrupter *intr =3D opaque; - return intr->er_full; + return false; } =20 static const VMStateDescription vmstate_xhci_intr =3D { 
@@ -3904,7 +3809,7 @@ static const VMStateDescription vmstate_xhci_intr =3D= { VMSTATE_UINT32(er_ep_idx, XHCIInterrupter), =20 /* event queue (used if ring is full) */ - VMSTATE_BOOL(er_full, XHCIInterrupter), + VMSTATE_BOOL(er_full_unused, XHCIInterrupter), VMSTATE_UINT32_TEST(ev_buffer_put, XHCIInterrupter, xhci_er_full), VMSTATE_UINT32_TEST(ev_buffer_get, XHCIInterrupter, xhci_er_full), VMSTATE_STRUCT_ARRAY_TEST(ev_buffer, XHCIInterrupter, EV_QUEUE, --=20 1.8.3.1
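Review bot: In the two vmstate hunks, xhci_er_full() now returns false unconditionally while ev_buffer_put, ev_buffer_get and ev_buffer are still declared with the _TEST variants keyed on it, so those fields are never read from an incoming stream; a stream saved by an older QEMU with er_full set would carry them and would no longer line up with what is parsed here. If that case is considered unreachable once 7da76e1 is applied on the source, state it in a comment next to xhci_er_full(); otherwise key the test on er_full_unused so the fields are read and discarded. The "/* event queue (used if ring is full) */" comment above VMSTATE_BOOL is also stale after this change.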
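Review bot: In the @@ -973 hunk of xhci_event(), the "(intr->er_ep_idx + 1) % intr->er_size == dp_idx" branch drops the event with nothing but a DPRINTF, and the "+ 2" branch writes the ring-full error in place of the caller's event, which is then lost as well. A tracepoint on both paths, in the style of the usb_xhci_enforced_limit one added in patch 04, would make lost events diagnosable, and a short comment explaining why the last free slot is reserved for the CC_EVENT_RING_FULL_ERROR event would document the "+ 2".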
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Marcel Apfelbaum, Gerd Hoffmann, "Michael S. Tsirkin"
Date: Tue, 21 Feb 2017 08:16:20 +0100
Subject: [Qemu-devel] [PULL 06/11] xhci: add qemu xhci controller
Message-Id: <1487661385-7720-7-git-send-email-kraxel@redhat.com>
In-Reply-To: <1487661385-7720-1-git-send-email-kraxel@redhat.com>

Turn existing TYPE_XHCI into an abstract base class. Create two child classes, TYPE_NEC_XHCI (same name as old xhci controller) and TYPE_QEMU_XHCI (using an ID from our namespace).

Signed-off-by: Gerd Hoffmann Reviewed-by: Marcel Apfelbaum Message-id: 1486382139-30630-3-git-send-email-kraxel@redhat.com --- docs/specs/pci-ids.txt | 1 + hw/usb/hcd-xhci.c | 40 ++++++++++++++++++++++++++++++++++++---- include/hw/pci/pci.h | 1 + 3 files changed, 38 insertions(+), 4 deletions(-) diff --git a/docs/specs/pci-ids.txt b/docs/specs/pci-ids.txt index 16fdb0c..95adee0 100644 --- a/docs/specs/pci-ids.txt +++ b/docs/specs/pci-ids.txt @@ -61,6 +61,7 @@ PCI devices (other than virtio): 1b36:0009 PCI Expander Bridge (-device pxb) 1b36:000a PCI-PCI bridge (multiseat) 1b36:000b PCIe Expander Bridge (-device pxb-pcie) +1b36:000d PCI xhci usb host adapter =20 All these devices are documented in docs/specs. =20 diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index cfb5f74..c534b43 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -489,7 +489,9 @@ struct XHCIState { XHCIRing cmd_ring; }; =20 -#define TYPE_XHCI "nec-usb-xhci" +#define TYPE_XHCI "base-xhci" +#define TYPE_NEC_XHCI "nec-usb-xhci" +#define TYPE_QEMU_XHCI "qemu-xhci" =20 #define XHCI(obj) \ OBJECT_CHECK(XHCIState, (obj), TYPE_XHCI) @@ -3881,10 +3883,7 @@ static void xhci_class_init(ObjectClass *klass, void= *data) set_bit(DEVICE_CATEGORY_USB, dc->categories); k->realize =3D usb_xhci_realize; k->exit =3D usb_xhci_exit; - k->vendor_id =3D PCI_VENDOR_ID_NEC; - k->device_id =3D PCI_DEVICE_ID_NEC_UPD720200; k->class_id =3D PCI_CLASS_SERIAL_USB; - k->revision =3D 0x03; k->is_express =3D 1; } =20 
@@ -3893,11 +3892,44 @@ static const TypeInfo xhci_info =3D { .parent =3D TYPE_PCI_DEVICE, .instance_size =3D sizeof(XHCIState), .class_init =3D xhci_class_init, + .abstract =3D true, +}; + +static void nec_xhci_class_init(ObjectClass *klass, void *data) +{ + PCIDeviceClass *k =3D PCI_DEVICE_CLASS(klass); + + k->vendor_id =3D PCI_VENDOR_ID_NEC; + k->device_id =3D PCI_DEVICE_ID_NEC_UPD720200; + k->revision =3D 0x03; +} + +static const TypeInfo nec_xhci_info =3D { + .name =3D TYPE_NEC_XHCI, + .parent =3D TYPE_XHCI, + .class_init =3D nec_xhci_class_init, +}; + +static void qemu_xhci_class_init(ObjectClass *klass, void *data) +{ + PCIDeviceClass *k =3D PCI_DEVICE_CLASS(klass); + + k->vendor_id =3D PCI_VENDOR_ID_REDHAT; + k->device_id =3D PCI_DEVICE_ID_REDHAT_XHCI; + k->revision =3D 0x01; +} + +static const TypeInfo qemu_xhci_info =3D { + .name =3D TYPE_QEMU_XHCI, + .parent =3D TYPE_XHCI, + .class_init =3D qemu_xhci_class_init, }; =20 static void xhci_register_types(void) { type_register_static(&xhci_info); + type_register_static(&nec_xhci_info); + type_register_static(&qemu_xhci_info); } =20 type_init(xhci_register_types) diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h index cbc1fdf..05ef14b 100644 --- a/include/hw/pci/pci.h +++ b/include/hw/pci/pci.h 
@@ -97,6 +97,7 @@ #define PCI_DEVICE_ID_REDHAT_BRIDGE_SEAT 0x000a #define PCI_DEVICE_ID_REDHAT_PXB_PCIE 0x000b #define PCI_DEVICE_ID_REDHAT_PCIE_RP 0x000c +#define PCI_DEVICE_ID_REDHAT_XHCI 0x000d #define PCI_DEVICE_ID_REDHAT_QXL 0x0100 =20 #define FMT_PCIBUS PRIx64 --=20 1.8.3.1 From nobody Fri Apr 19 20:24:35 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487662112421237.2369588456355; Mon, 20 Feb 2017 23:28:32 -0800 (PST) Received: from localhost ([::1]:42713 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cg4sB-0004UP-5i for importer@patchew.org; Tue, 21 Feb 2017 02:28:31 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59257) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cg4gc-0002yg-4R for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:35 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cg4gZ-00087J-VP for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:34 -0500 Received: from mx1.redhat.com ([209.132.183.28]:44446) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cg4gZ-00086x-NL for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:31 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id EF1F5C04BD40 for ; Tue, 21 Feb 2017 07:16:31 +0000 (UTC) 
Received: from nilsson.home.kraxel.org (ovpn-116-47.ams2.redhat.com [10.36.116.47]) by smtp.corp.redhat.com (Postfix) with ESMTP id 75CF81CDD91; Tue, 21 Feb 2017 07:16:31 +0000 (UTC) Received: by nilsson.home.kraxel.org (Postfix, from userid 500) id 256798184A; Tue, 21 Feb 2017 08:16:28 +0100 (CET) From: Gerd Hoffmann To: qemu-devel@nongnu.org Date: Tue, 21 Feb 2017 08:16:21 +0100 Message-Id: <1487661385-7720-8-git-send-email-kraxel@redhat.com> In-Reply-To: <1487661385-7720-1-git-send-email-kraxel@redhat.com> References: <1487661385-7720-1-git-send-email-kraxel@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Tue, 21 Feb 2017 07:16:31 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 07/11] xhci: fix nec vendor quirk handling X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Gerd Hoffmann Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Only the TYPE_NEC_XHCI controller will have the nec vendor quirks. Signed-off-by: Gerd Hoffmann Message-id: 1486382139-30630-4-git-send-email-kraxel@redhat.com --- hw/usb/hcd-xhci.c | 44 +++++++++++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 15 deletions(-) diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index c534b43..4ac67ae 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -487,6 +487,8 @@ struct XHCIState { XHCIInterrupter intr[MAXINTRS]; =20 XHCIRing cmd_ring; + + bool nec_quirks; }; =20 #define TYPE_XHCI "base-xhci" 
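Review bot: the `bool nec_quirks;` added to struct XHCIState has no comment, and a later hunk in this patch derives it in usb_xhci_realize purely from the type name with `strcmp(object_get_typename(OBJECT(dev)), TYPE_NEC_XHCI)`, so a type that inherits from TYPE_NEC_XHCI would silently lose the quirks. Consider object_dynamic_cast() against TYPE_NEC_XHCI, or setting the flag from the NEC class itself, and add a one-line comment on the field saying it gates the NEC vendor commands and the relaxed ERSTBA alignment.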
@@ -2745,20 +2747,26 @@ static void xhci_process_commands(XHCIState *xhci) xhci_via_challenge(xhci, trb.parameter); break; case CR_VENDOR_NEC_FIRMWARE_REVISION: - event.type =3D 48; /* NEC reply */ - event.length =3D 0x3025; + if (xhci->nec_quirks) { + event.type =3D 48; /* NEC reply */ + event.length =3D 0x3025; + } else { + event.ccode =3D CC_TRB_ERROR; + } break; case CR_VENDOR_NEC_CHALLENGE_RESPONSE: - { - uint32_t chi =3D trb.parameter >> 32; - uint32_t clo =3D trb.parameter; - uint32_t val =3D xhci_nec_challenge(chi, clo); - event.length =3D val & 0xFFFF; - event.epid =3D val >> 16; - slotid =3D val >> 24; - event.type =3D 48; /* NEC reply */ - } - break; + if (xhci->nec_quirks) { + uint32_t chi =3D trb.parameter >> 32; + uint32_t clo =3D trb.parameter; + uint32_t val =3D xhci_nec_challenge(chi, clo); + event.length =3D val & 0xFFFF; + event.epid =3D val >> 16; + slotid =3D val >> 24; + event.type =3D 48; /* NEC reply */ + } else { + event.ccode =3D CC_TRB_ERROR; + } + break; default: trace_usb_xhci_unimplemented("command", type); event.ccode =3D CC_TRB_ERROR; @@ -3265,9 +3273,12 @@ static void xhci_runtime_write(void *ptr, hwaddr reg, intr->erstsz =3D val & 0xffff; break; case 0x10: /* ERSTBA low */ - /* XXX NEC driver bug: it doesn't align this to 64 bytes - intr->erstba_low =3D val & 0xffffffc0; */ - intr->erstba_low =3D val & 0xfffffff0; + if (xhci->nec_quirks) { + /* NEC driver bug: it doesn't align this to 64 bytes */ + intr->erstba_low =3D val & 0xfffffff0; + } else { + intr->erstba_low =3D val & 0xffffffc0; + } break; case 0x14: /* ERSTBA high */ intr->erstba_high =3D val; 
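Review bot: in `case 0x10` of xhci_runtime_write only the else branch enforces the 64-byte alignment that the old comment referred to, while the quirk branch keeps the 16-byte mask for a guest-written ERST base address; say so on the else branch as well, and consider naming the two masks rather than repeating `0xfffffff0` and `0xffffffc0` as literals. Code that consumes erstba_low should not assume 64-byte alignment as long as nec-usb-xhci remains selectable.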
@@ -3562,6 +3573,9 @@ static void usb_xhci_realize(struct PCIDevice *dev, E= rror **errp) dev->config[PCI_CACHE_LINE_SIZE] =3D 0x10; dev->config[0x60] =3D 0x30; /* release number */ =20 + if (strcmp(object_get_typename(OBJECT(dev)), TYPE_NEC_XHCI) =3D=3D 0) { + xhci->nec_quirks =3D true; + } if (xhci->numintrs > MAXINTRS) { xhci->numintrs =3D MAXINTRS; } --=20 1.8.3.1 From nobody Fri Apr 19 20:24:35 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487661791489385.9778878423168; Mon, 20 Feb 2017 23:23:11 -0800 (PST) Received: from localhost ([::1]:42683 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cg4n0-00005c-3Q for importer@patchew.org; Tue, 21 Feb 2017 02:23:10 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59256) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cg4gc-0002yf-4c for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:35 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cg4gZ-00087L-VK for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:34 -0500 Received: from mx1.redhat.com ([209.132.183.28]:58472) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cg4gZ-00086z-Pn for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:31 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by 
mx1.redhat.com (Postfix) with ESMTPS id 0E98912B24 for ; Tue, 21 Feb 2017 07:16:32 +0000 (UTC) Received: from nilsson.home.kraxel.org (ovpn-116-47.ams2.redhat.com [10.36.116.47]) by smtp.corp.redhat.com (Postfix) with ESMTP id 82278749F7; Tue, 21 Feb 2017 07:16:31 +0000 (UTC) Received: by nilsson.home.kraxel.org (Postfix, from userid 500) id 4011D81847; Tue, 21 Feb 2017 08:16:28 +0100 (CET) From: Gerd Hoffmann To: qemu-devel@nongnu.org Date: Tue, 21 Feb 2017 08:16:22 +0100 Message-Id: <1487661385-7720-9-git-send-email-kraxel@redhat.com> In-Reply-To: <1487661385-7720-1-git-send-email-kraxel@redhat.com> References: <1487661385-7720-1-git-send-email-kraxel@redhat.com> X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Tue, 21 Feb 2017 07:16:32 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 08/11] xhci: drop via vendor command handling X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Gerd Hoffmann Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Seems pretty pointless, we don't emulate a via xhci controller. Signed-off-by: Gerd Hoffmann Message-id: 1486382139-30630-5-git-send-email-kraxel@redhat.com --- hw/usb/hcd-xhci.c | 31 ------------------------------- 1 file changed, 31 deletions(-) diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 4ac67ae..28dd2f2 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c 
@@ -198,7 +198,6 @@ typedef enum TRBType { ER_DEVICE_NOTIFICATION, ER_MFINDEX_WRAP, /* vendor specific bits */ - CR_VENDOR_VIA_CHALLENGE_RESPONSE =3D 48, CR_VENDOR_NEC_FIRMWARE_REVISION =3D 49, CR_VENDOR_NEC_CHALLENGE_RESPONSE =3D 50, } TRBType; @@ -554,7 +553,6 @@ static const char *TRBType_names[] =3D { [ER_HOST_CONTROLLER] =3D "ER_HOST_CONTROLLER", [ER_DEVICE_NOTIFICATION] =3D "ER_DEVICE_NOTIFICATION", [ER_MFINDEX_WRAP] =3D "ER_MFINDEX_WRAP", - [CR_VENDOR_VIA_CHALLENGE_RESPONSE] =3D "CR_VENDOR_VIA_CHALLENGE_RESPON= SE", [CR_VENDOR_NEC_FIRMWARE_REVISION] =3D "CR_VENDOR_NEC_FIRMWARE_REVISIO= N", [CR_VENDOR_NEC_CHALLENGE_RESPONSE] =3D "CR_VENDOR_NEC_CHALLENGE_RESPON= SE", }; @@ -2622,32 +2620,6 @@ static uint32_t xhci_nec_challenge(uint32_t hi, uint= 32_t lo) return ~val; } =20 -static void xhci_via_challenge(XHCIState *xhci, uint64_t addr) -{ - PCIDevice *pci_dev =3D PCI_DEVICE(xhci); - uint32_t buf[8]; - uint32_t obuf[8]; - dma_addr_t paddr =3D xhci_mask64(addr); - - pci_dma_read(pci_dev, paddr, &buf, 32); - - memcpy(obuf, buf, sizeof(obuf)); - - if ((buf[0] & 0xff) =3D=3D 2) { - obuf[0] =3D 0x49932000 + 0x54dc200 * buf[2] + 0x7429b578 * buf[3]; - obuf[0] |=3D (buf[2] * buf[3]) & 0xff; - obuf[1] =3D 0x0132bb37 + 0xe89 * buf[2] + 0xf09 * buf[3]; - obuf[2] =3D 0x0066c2e9 + 0x2091 * buf[2] + 0x19bd * buf[3]; - obuf[3] =3D 0xd5281342 + 0x2cc9691 * buf[2] + 0x2367662 * buf[3]; - obuf[4] =3D 0x0123c75c + 0x1595 * buf[2] + 0x19ec * buf[3]; - obuf[5] =3D 0x00f695de + 0x26fd * buf[2] + 0x3e9 * buf[3]; - obuf[6] =3D obuf[2] ^ obuf[3] ^ 0x29472956; - obuf[7] =3D obuf[2] ^ obuf[3] ^ 0x65866593; - } - - pci_dma_write(pci_dev, paddr, &obuf, 32); -} - static void xhci_process_commands(XHCIState *xhci) { XHCITRB trb; 
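Review bot: the commit message undersells the removal of xhci_via_challenge() in this hunk: the deleted handler did a pci_dma_read of 32 bytes from, and a pci_dma_write of 32 bytes back to, an address taken directly from `trb.parameter`, so dropping it removes a guest-triggered DMA path for a controller that is not emulated, and the message should say that. With the enum entry and the `TRBType_names` initializer for 48 gone in the earlier hunks, check that name lookups tolerate the empty slot below 49 and 50, and note that the literal 48 used as the NEC reply event type in the previous patch no longer has a named counterpart in the enum.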
@@ -2743,9 +2715,6 @@ static void xhci_process_commands(XHCIState *xhci) case CR_GET_PORT_BANDWIDTH: event.ccode =3D xhci_get_port_bandwidth(xhci, trb.parameter); break; - case CR_VENDOR_VIA_CHALLENGE_RESPONSE: - xhci_via_challenge(xhci, trb.parameter); - break; case CR_VENDOR_NEC_FIRMWARE_REVISION: if (xhci->nec_quirks) { event.type =3D 48; /* NEC reply */ --=20 1.8.3.1 From nobody Fri Apr 19 20:24:35 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 148766248501568.65539574307707; Mon, 20 Feb 2017 23:34:45 -0800 (PST) Received: from localhost ([::1]:42733 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cg4yB-0008Hq-4L for importer@patchew.org; Tue, 21 Feb 2017 02:34:43 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59327) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cg4gd-0002z9-PA for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:36 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cg4gb-00088D-1j for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:35 -0500 Received: from mx1.redhat.com ([209.132.183.28]:36984) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cg4ga-00087U-Oi for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:32 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by 
mx1.redhat.com (Postfix) with ESMTPS id 02EF54E02B for ; Tue, 21 Feb 2017 07:16:33 +0000 (UTC) Received: from nilsson.home.kraxel.org (ovpn-116-47.ams2.redhat.com [10.36.116.47]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6709C685F2; Tue, 21 Feb 2017 07:16:32 +0000 (UTC) Received: by nilsson.home.kraxel.org (Postfix, from userid 500) id 5A0048184D; Tue, 21 Feb 2017 08:16:28 +0100 (CET) From: Gerd Hoffmann To: qemu-devel@nongnu.org Date: Tue, 21 Feb 2017 08:16:23 +0100 Message-Id: <1487661385-7720-10-git-send-email-kraxel@redhat.com> In-Reply-To: <1487661385-7720-1-git-send-email-kraxel@redhat.com> References: <1487661385-7720-1-git-send-email-kraxel@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Tue, 21 Feb 2017 07:16:33 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 09/11] usb-ccid: better bulk_out error handling X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Gerd Hoffmann Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Add err goto label where we can jump to from all error conditions. STALL request on all errors. Reset position on all errors. Normal request processing is not in an else branch any more, so this code is reindented, there are no code changes in that part of the code though. Signed-off-by: Gerd Hoffmann Reviewed-by: Marc-André Lureau Message-id: 1487250819-23764-2-git-send-email-kraxel@redhat.com --- hw/usb/dev-smartcard-reader.c | 116 ++++++++++++++++++++++----------------= ---- 1 file changed, 61 insertions(+), 55 deletions(-) 
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c index 1325ea1..badcfcb 100644 --- a/hw/usb/dev-smartcard-reader.c +++ b/hw/usb/dev-smartcard-reader.c @@ -1001,8 +1001,7 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USB= Packet *p) CCID_Header *ccid_header; =20 if (p->iov.size + s->bulk_out_pos > BULK_OUT_DATA_SIZE) { - p->status =3D USB_RET_STALL; - return; + goto err; } ccid_header =3D (CCID_Header *)s->bulk_out_data; usb_packet_copy(p, s->bulk_out_data + s->bulk_out_pos, p->iov.size); 
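Review bot: the oversize path in ccid_handle_bulk_out (`p->iov.size + s->bulk_out_pos > BULK_OUT_DATA_SIZE`) now jumps to err without logging anything, while the short-message path in the next hunk prints a DPRINTF before its `goto err`. Since err also resets bulk_out_pos and so discards whatever part of the message was already buffered, add a DPRINTF here with both sizes so a stalled transfer can be diagnosed from the debug output.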
@@ -1017,64 +1016,71 @@ static void ccid_handle_bulk_out(USBCCIDState *s, U= SBPacket *p) DPRINTF(s, 1, "%s: bad USB_TOKEN_OUT length, should be at least 10 bytes= \n", __func__); - } else { - DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__, - ccid_header->bMessageType, - ccid_message_type_to_str(ccid_header->bMessageType)); - switch (ccid_header->bMessageType) { - case CCID_MESSAGE_TYPE_PC_to_RDR_GetSlotStatus: - ccid_write_slot_status(s, ccid_header); - break; - case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOn: - DPRINTF(s, 1, "%s: PowerOn: %d\n", __func__, + goto err; + } + + DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__, + ccid_header->bMessageType, + ccid_message_type_to_str(ccid_header->bMessageType)); + switch (ccid_header->bMessageType) { + case CCID_MESSAGE_TYPE_PC_to_RDR_GetSlotStatus: + ccid_write_slot_status(s, ccid_header); + break; + case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOn: + DPRINTF(s, 1, "%s: PowerOn: %d\n", __func__, ((CCID_IccPowerOn *)(ccid_header))->bPowerSelect); - s->powered =3D true; - if (!ccid_card_inserted(s)) { - ccid_report_error_failed(s, ERROR_ICC_MUTE); - } - /* atr is written regardless of error. 
*/ - ccid_write_data_block_atr(s, ccid_header); - break; - case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOff: - ccid_reset_error_status(s); - s->powered =3D false; - ccid_write_slot_status(s, ccid_header); - break; - case CCID_MESSAGE_TYPE_PC_to_RDR_XfrBlock: - ccid_on_apdu_from_guest(s, (CCID_XferBlock *)s->bulk_out_data); - break; - case CCID_MESSAGE_TYPE_PC_to_RDR_SetParameters: - ccid_reset_error_status(s); - ccid_set_parameters(s, ccid_header); - ccid_write_parameters(s, ccid_header); - break; - case CCID_MESSAGE_TYPE_PC_to_RDR_ResetParameters: - ccid_reset_error_status(s); - ccid_reset_parameters(s); - ccid_write_parameters(s, ccid_header); - break; - case CCID_MESSAGE_TYPE_PC_to_RDR_GetParameters: - ccid_reset_error_status(s); - ccid_write_parameters(s, ccid_header); - break; - case CCID_MESSAGE_TYPE_PC_to_RDR_Mechanical: - ccid_report_error_failed(s, 0); - ccid_write_slot_status(s, ccid_header); - break; - default: - DPRINTF(s, 1, + s->powered =3D true; + if (!ccid_card_inserted(s)) { + ccid_report_error_failed(s, ERROR_ICC_MUTE); + } + /* atr is written regardless of error. 
*/ + ccid_write_data_block_atr(s, ccid_header); + break; + case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOff: + ccid_reset_error_status(s); + s->powered =3D false; + ccid_write_slot_status(s, ccid_header); + break; + case CCID_MESSAGE_TYPE_PC_to_RDR_XfrBlock: + ccid_on_apdu_from_guest(s, (CCID_XferBlock *)s->bulk_out_data); + break; + case CCID_MESSAGE_TYPE_PC_to_RDR_SetParameters: + ccid_reset_error_status(s); + ccid_set_parameters(s, ccid_header); + ccid_write_parameters(s, ccid_header); + break; + case CCID_MESSAGE_TYPE_PC_to_RDR_ResetParameters: + ccid_reset_error_status(s); + ccid_reset_parameters(s); + ccid_write_parameters(s, ccid_header); + break; + case CCID_MESSAGE_TYPE_PC_to_RDR_GetParameters: + ccid_reset_error_status(s); + ccid_write_parameters(s, ccid_header); + break; + case CCID_MESSAGE_TYPE_PC_to_RDR_Mechanical: + ccid_report_error_failed(s, 0); + ccid_write_slot_status(s, ccid_header); + break; + default: + DPRINTF(s, 1, "handle_data: ERROR: unhandled message type %Xh\n", ccid_header->bMessageType); - /* - * The caller is expecting the device to respond, tell it we - * don't support the operation. - */ - ccid_report_error_failed(s, ERROR_CMD_NOT_SUPPORTED); - ccid_write_slot_status(s, ccid_header); - break; - } + /* + * The caller is expecting the device to respond, tell it we + * don't support the operation. 
+ */ + ccid_report_error_failed(s, ERROR_CMD_NOT_SUPPORTED); + ccid_write_slot_status(s, ccid_header); + break; } s->bulk_out_pos =3D 0; + return; + +err: + p->status =3D USB_RET_STALL; + s->bulk_out_pos =3D 0; + return; } =20 static void ccid_bulk_in_copy_to_guest(USBCCIDState *s, USBPacket *p) --=20 1.8.3.1 From nobody Fri Apr 19 20:24:35 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487661538619718.1241755847163; Mon, 20 Feb 2017 23:18:58 -0800 (PST) Received: from localhost ([::1]:42663 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cg4iv-0004dR-D5 for importer@patchew.org; Tue, 21 Feb 2017 02:18:57 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59321) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cg4gd-0002ys-IS for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:36 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cg4gb-00088M-6n for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:35 -0500 Received: from mx1.redhat.com ([209.132.183.28]:41888) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cg4gb-00087i-1i for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:33 -0500 Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS 
id 4D1D8C054C59 for ; Tue, 21 Feb 2017 07:16:33 +0000 (UTC) Received: from nilsson.home.kraxel.org (ovpn-116-47.ams2.redhat.com [10.36.116.47]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1L7GWi8010612; Tue, 21 Feb 2017 02:16:32 -0500 Received: by nilsson.home.kraxel.org (Postfix, from userid 500) id 73E3F8184E; Tue, 21 Feb 2017 08:16:28 +0100 (CET) From: Gerd Hoffmann To: qemu-devel@nongnu.org Date: Tue, 21 Feb 2017 08:16:24 +0100 Message-Id: <1487661385-7720-11-git-send-email-kraxel@redhat.com> In-Reply-To: <1487661385-7720-1-git-send-email-kraxel@redhat.com> References: <1487661385-7720-1-git-send-email-kraxel@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Tue, 21 Feb 2017 07:16:33 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 10/11] usb-ccid: move header size check X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Gerd Hoffmann Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Move up header size check, so we can use header fields in sanity checks (in followup patches). Also reword the debug message. Signed-off-by: Gerd Hoffmann Reviewed-by: Marc-André Lureau Message-id: 1487250819-23764-3-git-send-email-kraxel@redhat.com --- hw/usb/dev-smartcard-reader.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c index badcfcb..1acc1fb 100644 --- a/hw/usb/dev-smartcard-reader.c +++ b/hw/usb/dev-smartcard-reader.c 
@@ -1003,21 +1003,20 @@ static void ccid_handle_bulk_out(USBCCIDState *s, U= SBPacket *p) if (p->iov.size + s->bulk_out_pos > BULK_OUT_DATA_SIZE) { goto err; } - ccid_header =3D (CCID_Header *)s->bulk_out_data; usb_packet_copy(p, s->bulk_out_data + s->bulk_out_pos, p->iov.size); s->bulk_out_pos +=3D p->iov.size; + if (s->bulk_out_pos < 10) { + DPRINTF(s, 1, "%s: header incomplete\n", __func__); + goto err; + } + + ccid_header =3D (CCID_Header *)s->bulk_out_data; if (p->iov.size =3D=3D CCID_MAX_PACKET_SIZE) { DPRINTF(s, D_VERBOSE, "usb-ccid: bulk_in: expecting more packets (%zd/%d)\n", p->iov.size, ccid_header->dwLength); return; } - if (s->bulk_out_pos < 10) { - DPRINTF(s, 1, - "%s: bad USB_TOKEN_OUT length, should be at least 10 bytes= \n", - __func__); - goto err; - } =20 DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__, ccid_header->bMessageType, --=20 1.8.3.1 From nobody Fri Apr 19 20:24:35 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1487661798693317.4009448679948; Mon, 20 Feb 2017 23:23:18 -0800 (PST) Received: from localhost ([::1]:42684 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cg4n6-0000B2-FN for importer@patchew.org; Tue, 21 Feb 2017 02:23:16 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:59308) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cg4gd-0002yj-8Y for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:36 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 
1cg4ga-000886-RH for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:35 -0500 Received: from mx1.redhat.com ([209.132.183.28]:56578) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cg4ga-00087S-Lf for qemu-devel@nongnu.org; Tue, 21 Feb 2017 02:16:32 -0500 Received: from smtp.corp.redhat.com (int-mx16.intmail.prod.int.phx2.redhat.com [10.5.11.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id E653496D6 for ; Tue, 21 Feb 2017 07:16:32 +0000 (UTC) Received: from nilsson.home.kraxel.org (ovpn-116-47.ams2.redhat.com [10.36.116.47]) by smtp.corp.redhat.com (Postfix) with ESMTP id 93BBF1CDD91; Tue, 21 Feb 2017 07:16:32 +0000 (UTC) Received: by nilsson.home.kraxel.org (Postfix, from userid 500) id 9139C81850; Tue, 21 Feb 2017 08:16:28 +0100 (CET) 
From: Gerd Hoffmann To: qemu-devel@nongnu.org Date: Tue, 21 Feb 2017 08:16:25 +0100 Message-Id: <1487661385-7720-12-git-send-email-kraxel@redhat.com> In-Reply-To: <1487661385-7720-1-git-send-email-kraxel@redhat.com> References: <1487661385-7720-1-git-send-email-kraxel@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.74 on 10.5.11.28 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Tue, 21 Feb 2017 07:16:32 +0000 (UTC) Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PULL 11/11] usb-ccid: add check message size checks X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Gerd Hoffmann Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Check message size too when figuring whether we should expect more data. Fix debug message to show useful data, p->iov.size is fixed anyway if we land there, print how much we got meanwhile instead. Also check announced message size against actual message size. That is a more general fix for CVE-2017-5898 than commit "c7dfbf3 usb: ccid: check ccid apdu length". Signed-off-by: Gerd Hoffmann Reviewed-by: Marc-André Lureau Message-id: 1487250819-23764-4-git-send-email-kraxel@redhat.com --- hw/usb/dev-smartcard-reader.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c index 1acc1fb..7cd4ed0 100644 --- a/hw/usb/dev-smartcard-reader.c +++ b/hw/usb/dev-smartcard-reader.c 
@@ -1011,12 +1011,19 @@ static void ccid_handle_bulk_out(USBCCIDState *s, U= SBPacket *p) } =20 ccid_header =3D (CCID_Header *)s->bulk_out_data; - if (p->iov.size =3D=3D CCID_MAX_PACKET_SIZE) { + if ((s->bulk_out_pos - 10 < ccid_header->dwLength) && + (p->iov.size =3D=3D CCID_MAX_PACKET_SIZE)) { DPRINTF(s, D_VERBOSE, - "usb-ccid: bulk_in: expecting more packets (%zd/%d)\n", - p->iov.size, ccid_header->dwLength); + "usb-ccid: bulk_in: expecting more packets (%d/%d)\n", + s->bulk_out_pos - 10, ccid_header->dwLength); return; } + if (s->bulk_out_pos - 10 !=3D ccid_header->dwLength) { + DPRINTF(s, 1, + "usb-ccid: bulk_in: message size mismatch (got %d, expecte= d %d)\n", + s->bulk_out_pos - 10, ccid_header->dwLength); + goto err; + } =20 DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__, ccid_header->bMessageType, --=20 1.8.3.1
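Review bot: in the first new condition, a header whose dwLength is larger than BULK_OUT_DATA_SIZE - 10 can never be satisfied, yet full-size packets keep being accepted as "expecting more packets" until the buffer-full check at the top of ccid_handle_bulk_out finally stalls; rejecting that case with `goto err` as soon as the header is complete would fail earlier and keep further guest data out of the buffer. The header length `10` is repeated throughout these checks and would read better as a named constant, and both DPRINTF strings say `bulk_in` although this is the bulk-out handler.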