"vmstate_xhci_event" was introduced in commit 37352df3 ("xhci: add live
migration support"), and first released in v1.6.0. The field list in this
VMSD is not terminated with the VMSTATE_END_OF_LIST() macro.
During normal use (ie. migration), the issue is practically invisible,
because the "vmstate_xhci_event" object (with the unterminated field list)
is only ever referenced -- via "vmstate_xhci_intr" -- if xhci_er_full()
returns true, for the "ev_buffer" test. Since that field_exists() check
(apparently) almost always returns false, we almost never traverse
"vmstate_xhci_event" during migration, which hides the bug.
However, Amit's vmstate checker forces recursion into this VMSD as well,
and the lack of VMSTATE_END_OF_LIST() breaks the field list terminator
check (field->name != NULL) in dump_vmstate_vmsd(). The result is
undefined behavior, which in my case translates to infinite recursion
(because the loop happens to overflow into "vmstate_xhci_intr", which then
links back to "vmstate_xhci_event").
Add the missing terminator.
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Amit Shah <amit.shah@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Attach a name to the MTP interface (android phones have this too).
With this patch recent linux guests such as fedora 20 happily detect and
use the device. It shows up in nautilus file manager automatically, and
simple-mtpfs can mount it.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Shut up Coverity's complaint about unchecked fcntl return values,
and especially make the code simpler and more efficient.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
If libusb_get_device_list() fails, the uninitialized local variable
libusb_device would be passed to libusb_free_device_list(), that
will cause a crash, like:
(gdb) bt
#0 0x00007fbbb4bafc10 in pthread_mutex_lock () from /lib64/libpthread.so.0
#1 0x00007fbbb233e653 in libusb_unref_device (dev=0x6275682d627375)
at core.c:902
#2 0x00007fbbb233e739 in libusb_free_device_list (list=0x7fbbb6e8436e,
unref_devices=<optimized out>) at core.c:653
#3 0x00007fbbb6cd80a4 in usb_host_auto_check (unused=unused@entry=0x0)
at hw/usb/host-libusb.c:1446
#4 0x00007fbbb6cd8525 in usb_host_initfn (udev=0x7fbbbd3c5670)
at hw/usb/host-libusb.c:912
#5 0x00007fbbb6cc123b in usb_device_init (dev=0x7fbbbd3c5670)
at hw/usb/bus.c:106
...
So initialize libusb_device at the begin time.
Signed-off-by: Jincheng Miao <jmiao@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Due to an incomplete initialization, adding a usb-bt-dongle device through HMP
or QMP will cause a segmentation fault.
Signed-off-by: Hani Benhabiles <hani@linux.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
On FreeBSD polling a master pty while the other end is not connected
with G_IO_OUT only results in an endless wait. This is different from
the Linux behaviour, that returns immediately. In order to demonstrate
this, I have the following example code:
http://xenbits.xen.org/people/royger/test_poll.c
When executed on Linux:
$ ./test_poll
In callback
On FreeBSD instead, the callback never gets called:
$ ./test_poll
So, in order to workaround this, poll the source with G_IO_HUP (which
makes the code behave the same way on both Linux and FreeBSD).
Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
Cc: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Cc: Michael Tokarev <mjt@tls.msk.ru>
Cc: "Andreas Färber" <afaerber@suse.de>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: xen-devel@lists.xenproject.org
[Add hw/char/cadence_uart.c too. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
"Init" and "uninit" suggest the functions don't allocate / free
storage. But they do.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
We can pick the usb port speed in generic code, by looking at the port
and device speed masks and looking for the fastest match. So add a
function to do exactly that, and drop the speed setting code from
usb_desc_attach as it isn't needed any more.
This way we can set the device speed before calling port->ops->attach,
which fixes some xhci hotplug issues.
https://bugzilla.redhat.com/show_bug.cgi?id=1046873
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Extend compatibility test function to also figure whenever usb3
devices can be supported on ehci. Tweak ep0 maxpacketsize field
due to usb2 <-> usb3 difference.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
usb: xhci and mtp bugfixes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJTgv7ZAAoJEEy22O7T6HE4FPgP/3eTqypKijaSwPAN7s0OqpKo
DuI9bXPRlludn1zWGi/Da7iYDy0OwlfDksJddU3I8Qdxo+Y5DG/ERh0yxaKoE8Cw
bT/eAtTmtAuCI0Spu0TdojPUDmjCIpAoO1Ta3WTi0IqR8LhMUyWwyMeQafMujeCn
QvXax+Xw5wl7a6ogk1mBa8IfHBtmQIcscT7oc9pg59/zlcN7omW/g5pkz8pLjzmu
LQYiSkUGt6LEViaKG2rTZ/dEOzqLe5Ot8SZ4Y2r+C6yOjsdG9J1kOhU5wGs1WuVU
i57Zj/VRlZ3jLxCeU3dBT+kgJvi3mCnPZFni67iBtAlDDreSchVJJwY42SNZxea0
yLZSMFyMF+LBNrlbA9RFqlrnzr1sSfcjaOhQOajP6IVfjCsAiv0zivUJ4u6ijZ4R
cGk1oJYsN888LUzgaszA3MTy593e7MI1cpPL79gt3lhh/Fu+mqTkFxcEUvrHqwSi
0LepENhE3tIgqSZH7MEtos+Avf8Uo2x/RULYZV3D0qRLLkhGcafJYIhb6mQsJug3
8D45yQ8YnsAmxpah0WopshlNxOi2hc/e5ADOCh4H+fNTmX5J9oN2IM4bQqqE+ci4
IkcYyyruNW5RGgHjlOZfAceC/CJ8Er/ocSuwvF9uTEiZ+unGotD4Xhaxyfrr3B+G
BHkkzcySLzGfkbUuebSL
=y+dq
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-7' into staging
usb: usb3 streams support for usb-host and usb-redir
usb: xhci and mtp bugfixes.
# gpg: Signature made Mon 26 May 2014 09:44:09 BST using RSA key ID D3E87138
# gpg: Can't check signature: public key not found
* remotes/kraxel/tags/pull-usb-7:
usb-host-libusb: Set stream id when submitting bulk-stream transfers
usb-host-libusb: Add alloc / free streams ops
usb-host-libusb: Fill in endpoint max_streams when available
usb-redir: Add support for bulk streams
usb-mtp: handle usb_mtp_get_object failure
usb-mtp: handle lseek failure
usb-mtp: use bool to track MTPObject init status
xhci: add xhci_get_flag
xhci: add endpoint cap on express bus only
xhci: child detach fix
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Add display property to the keyboard.
Add display and head properties to the tablet.
If properties are set bind device to the display specified to
setup input routing.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Stop setting nchildren to -1. Use separate bool variable to track
whenever we've already fetched the child objects instead.
Also make nchildren unsigned.
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
xhci_child_detach() zaps the wrong slot when unplugging a device
connected via usb-hub: Instead of the device's slot the slot of the
usb-hub is used. Fix it.
https://bugzilla.redhat.com/show_bug.cgi?id=1075846
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Correct post load checks:
1. dev->setup_len == sizeof(dev->data_buf)
seems fine, no need to fail migration
2. When state is DATA, passing index > len
will cause memcpy with negative length,
resulting in heap overflow
First of the issues was reported by dgilbert.
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
After previous Peter patch, they are redundant. This way we don't
assign them except when needed. Once there, there were lots of case
where the ".fields" indentation was wrong:
.fields = (VMStateField []) {
and
.fields = (VMStateField []) {
Change all the combinations to:
.fields = (VMStateField[]){
The biggest problem (appart from aesthetics) was that checkpatch complained
when we copy&pasted the code from one place to another.
Signed-off-by: Juan Quintela <quintela@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Currently all what's needed for single file libcacard/vcard_emul_nss.c
(libnss cflags) and hw/usb/ccid-card-emulated.c (libcacard includes)
together with the libs is added to global QEMU_CFLAGS and libs_softmmu.
Use the cflags only where really used (for two mentioned files), and
libs only where needed.
While at it, rename variables to better reflect reality: libcacard_*
is really nss_*.
This needs a bit more tweaking: $(NSS_LIBS) should not contain $glib_libs
(ditto for _cflags). But in order to fix it, some more preparations
should be made first. So add a FIXME comment.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABCAAGBQJTZ/QsAAoJEPSH7xhYctcjJ4wP/31lNMpPLxdRpxpUoTPK39L0
zEoBTUH5dzG2FG34p8/znNH0Lbmc3GALqP9UzyM0sL3QU0EDwqAP0idLJ/8zHrYN
ZNJnNH6wexlpEypAsyQiayAFYAq6bc3hYtnEurN56dQgPVgb6jCicuOAt26JafLg
xuGIuencgaEFZaIb8iobxloqDX9raoq0+JfnoV8r02+ES+PG+HHfZsAlbDiWpj/Z
o06WBq9Xvf8X/zvuGHb9PCLGK36+kxPJ2G2531TJGZ6BjjewDExF2xlQH+PQ8pQB
d2OKCP0In66JfyLu6JBz21APrks7DJxsuenvoqPhxhtlIcBSm+grZElNLbccDMLQ
3fteWOCcri5WSwKNAkZ138D5SzIArZFBlqD9qW0GQsiaj3tCxfy162JAmzRPa94i
R5OJCTDclwjCH6JvRsOs8NrQyYcXHcEl2rfeymfr68YOH5XBMeRPhcR91tVr03ow
ZVgvwC/TJHntKnW+qtGIOa9Wfq4KghjddD37ayPAqKM/GQ0TV2sAPEr2htDaBZ0l
5O/YGsAZPKax72OnMR2ObqoIMokympeanQLxG3Q8VKQSU2c+aU3rGVQrG1juiVYw
NiC/nzarFzFWU8UYToXIu2QBDTde2vuRLX/myzL7L4OLavOcv8EXZBp60DP/bktE
Pd+jdeLMh9kWu1tFrE8F
=VoYL
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20140505' into staging
migration/next for 20140505
# gpg: Signature made Mon 05 May 2014 21:27:24 BST using RSA key ID 5872D723
# gpg: Can't check signature: public key not found
* remotes/juanquintela/tags/migration/20140505: (36 commits)
migration: expose xbzrle cache miss rate
migration: expose the bitmap_sync_count to the end
migration: Add counts of updating the dirty bitmap
XBZRLE: Fix one XBZRLE corruption issues
migration: remove duplicate code
Coverity: Fix failure path for qemu_accept in migration
Init the XBZRLE.lock in ram_mig_init
Provide init function for ram migration
Count used RAMBlock pages for migration_dirty_pages
Make qemu_peek_buffer loop until it gets it's data
Disallow outward migration while awaiting incoming migration
virtio: validate config_len on load
virtio-net: out-of-bounds buffer write on load
openpic: avoid buffer overrun on incoming migration
ssi-sd: fix buffer overrun on invalid state load
savevm: Ignore minimum_version_id_old if there is no load_state_old
usb: sanity check setup_index+setup_len in post_load
vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
virtio-scsi: fix buffer overrun on invalid state load
zaurus: fix buffer overrun on invalid state load
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked to make sure
they are not negative.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
This adds migration support for OHCI.
This defines a descriptor for OHCIState.
This changes some OHCIState field types to be migration compatible.
This adds a descriptor for OHCIPort.
This migrates the EOF timer if the USB was started at the time of
migration.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Implementation of a USB Media Transfer Device device for easy
filesharing. Read-only. No access control inside qemu, it will
happily export any file it is able to open to the guest, i.e.
standard unix access rights for the qemu process apply.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Add U suffix to avoid undefined behaviour. This is only
strictly necessary for the 1<<31 cases, but we add it for the
other constants in these groups for consistency.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
If enabled, set the thread name at creation (on GNU systems with
pthread_set_np)
Fix up all the callers with a thread name
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
* QTest cleanups and test cases for PCI NICs
* NAND fix for "info qtree"
* Cleanup and extension of QOM machine tests
* IndustryPack test cases and conversion to QOM realize
* I2C cleanups
* Cleanups of legacy qdev properties
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJTAooJAAoJEPou0S0+fgE/SuQQALW3zvra4ZLRAQV0e8kFoyj1
vVtmLkDhnCe4cYfxxfOX91NA0rH1ts2EO1+UcnaCHJlptNWfA+8qJW69XgYpHE3c
DKQlKPL/9pV5ywY5uUw/t1UJHg2BfrLBDDM4lP+vrpwiQYq4kp24JffnhfY3l9MA
9qdkXu1HrlWoLRVGnMyGDXI8cb+5bTL+FEc6UuHl3P89/gj5BV+LDWn0QOFbAkxq
4wk+Xh6sHKcfOdq6vMCNGlTjlJnpbY43D1a8+q6hFGG8JBlpne7Oer7bse9k4uTK
q/CzyNzC0lnjjcULpa4ptRlycH0ruD9DPY7Lco9XqYd3l/c9742PmTEqN5TZseKD
XD7+hwT1tk7W8rihm8KETCP6sKlXz4w8tJiWe6IT3zwRzvXIolxxK93heQuaX73Z
HFDmvTPVLUiWF8ftKTyWZM3w+jsbSH0QSrMCIHKJrPTRWTKphx0DUP74lWjNsvGs
FFBjpAgrflLihxiuRrcLmekGn0xCTjhQWIo2GoiWTgLSEHNQQQUNO+15/kcU/vlI
hh3DJpiBKeSnUapHHL0OEK6ryeHoG95akiRjImwWVthNLk4KEuWtlhFPYBtulO5A
PA02trE4Ah769effX0ZYdNl23KbW4VxpZ8VZv+kp7RTrDKxw551HoEFJ5ja0nkvB
O1CfsE7x0GH/Rbi/Hxhu
=KRcc
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/afaerber/tags/qom-devices-for-peter' into staging
QOM infrastructure fixes and device conversions
* QTest cleanups and test cases for PCI NICs
* NAND fix for "info qtree"
* Cleanup and extension of QOM machine tests
* IndustryPack test cases and conversion to QOM realize
* I2C cleanups
* Cleanups of legacy qdev properties
# gpg: Signature made Mon 17 Feb 2014 22:15:37 GMT using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg: aka "Andreas Färber <afaerber@suse.com>"
* remotes/afaerber/tags/qom-devices-for-peter: (49 commits)
qtest: Include system headers before user headers
qapi: Refine human printing of sizes
qdev: Use QAPI type names for properties
qdev: Add enum property types to QAPI schema
block: Handle "rechs" and "large" translation options
qdev: Remove hex8/32/64 property types
qdev: Remove most legacy printers
qdev: Use human mode in "info qtree"
qapi: Add human mode to StringOutputVisitor
qdev: Inline qdev_prop_parse()
qdev: Legacy properties are just strings
qdev: Legacy properties are now read-only
qdev: Remove legacy parsers for hex8/32/64
qdev: Sizes are now parsed by StringInputVisitor
qapi: Add size parser to StringInputVisitor
qtest: Don't segfault with invalid -qtest option
ipack: Move IndustryPack out of hw/char/
ipoctal232: QOM parent field cleanup
ipack: QOM parent field cleanup for IPackDevice
ipack: QOM parent field cleanup for IPackBus
...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>