Commit Graph

1195 Commits

Author SHA1 Message Date
Gerd Hoffmann
bfe4489884 usb-host: avoid libusb_set_configuration calls
Seems some devices become confused when we call
libusb_set_configuration().  So before calling the function check
whenever the device has multiple configurations in the first place, and
in case it hasn't (which is the case for the majority of devices) simply
skip the call as it will have no effect anyway.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20190522094702.17619-4-kraxel@redhat.com
2019-05-29 07:03:56 +02:00
Gerd Hoffmann
65f14ab98d usb-host: skip reset for untouched devices
If the guest didn't talk to the device yet, skip the reset.
Without this usb-host devices get resetted a number of times
at boot time for no good reason.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20190522094702.17619-3-kraxel@redhat.com
2019-05-29 07:03:56 +02:00
Gerd Hoffmann
7ed4657396 usb: call reset handler before updating state
That way the device reset handler can see what
the before-reset state of the device is.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20190522094702.17619-2-kraxel@redhat.com
2019-05-29 07:03:56 +02:00
Daniel P. Berrangé
ccb799313a hw/usb: avoid format truncation warning when formatting port name
hw/usb/hcd-xhci.c: In function ‘usb_xhci_realize’:
hw/usb/hcd-xhci.c:3339:66: warning: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 5 [-Wformat-trunca\
tion=]
 3339 |             snprintf(port->name, sizeof(port->name), "usb2 port #%d", i+1);
      |                                                                  ^~
hw/usb/hcd-xhci.c:3339:54: note: directive argument in the range [1, 2147483647]
 3339 |             snprintf(port->name, sizeof(port->name), "usb2 port #%d", i+1);
      |                                                      ^~~~~~~~~~~~~~~

The xhci code formats the port name into a fixed length
buffer which is only large enough to hold port numbers
upto 5 digits in decimal representation. We're never
going to have a port number that large, so aserting the
port number is sensible is sufficient to tell GCC the
formatted string won't be truncated.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20190412121626.19829-5-berrange@redhat.com>

[ kraxel: also s/int/unsigned int/ to tell gcc they can't
          go negative. ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-05-03 08:56:58 +02:00
Thomas Huth
34d97308f6 hw/usb/hcd-ohci: Move PCI-related code into a separate file
Some machines (like the pxa2xx-based ARM machines) only have a sysbus
OHCI controller, but no PCI. With the new Kconfig-style build system,
it will soon be possible to create QEMU binaries that only contain
such PCI-less machines. However, the two OHCI controllers, for sysbus
and for PCI, are currently both located in one file, so the PCI code
is still required for linking here. Move the OHCI-PCI device code
into a separate file, so that it is possible to use the sysbus OHCI
device also without the PCI dependency.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190419075625.24251-3-thuth@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-05-02 08:42:17 +02:00
Thomas Huth
72e0c127bd hw/usb/hcd-ohci: Do not use PCI functions with sysbus devices in ohci_die()
The ohci_die() function always assumes to be running with a PCI OHCI
controller and calls the PCI-specific functions pci_set_word(). However,
this function might also get called for the sysbus OHCI devices, so it
likely fails in that case. To fix this issue, change the code now, so that
there are two implementations now, one for sysbus and one for PCI, and
use the right function via a function pointer in the OHCIState structure.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190419075625.24251-2-thuth@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-05-02 08:42:17 +02:00
Longpeng
0a076730ad usb/xhci: avoid trigger assertion if guest write wrong epid
we found the following core in our environment:
0  0x00007fc6b06c2237 in raise ()
1  0x00007fc6b06c3928 in abort ()
2  0x00007fc6b06bb056 in __assert_fail_base ()
3  0x00007fc6b06bb102 in __assert_fail ()
4  0x0000000000702e36 in xhci_kick_ep (...)
5  0x000000000047897a in memory_region_write_accessor (...)
6  0x000000000047767f in access_with_adjusted_size (...)
7  0x000000000047944d in memory_region_dispatch_write (...)
(mr=mr@entry=0x7fc6a0138df0, addr=addr@entry=156, data=1648892416,
size=size@entry=4, attrs=attrs@entry=...)
8  0x000000000042df17 in address_space_write_continue (...)
10 0x000000000043084d in address_space_rw (...)
11 0x000000000047451b in kvm_cpu_exec (cpu=cpu@entry=0x1ab11b0)
12 0x000000000045dcf5 in qemu_kvm_cpu_thread_fn (arg=0x1ab11b0)
13 0x0000000000870631 in qemu_thread_start (args=args@entry=0x1acfb50)
14 0x00000000008959a7 in thread_entry_for_hotfix (pthread_cb=<optimized out>)
15 0x00007fc6b0a60dd5 in start_thread ()
16 0x00007fc6b078a59d in clone ()

(gdb) f 5
5  0x000000000047897a in memory_region_write_accessor (...)
529	    mr->ops->write(mr->opaque, addr, tmp, size);
(gdb) p /x tmp
$9 = 0x62481a00 <-- last byte 0x00 is @epid

xhci_doorbell_write() already check the upper bound of @slotid an @epid,
it also need to check the lower bound.

Cc: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Longpeng <longpeng2@huawei.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 1556605301-44112-1-git-send-email-longpeng2@huawei.com

[ kraxel: fixed typo in subject line ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-05-02 08:40:00 +02:00
Bandan Das
83c44b44d4 usb-mtp: change default to success for usb_mtp_update_object
Commit c5ead51f90 (usb-mtp: return incomplete transfer on a lstat
failure) checks if lstat succeeded when updating attributes of a
file. However, it also changed behavior to return an error by
default. This is incorrect because for smaller file sizes, Qemu
will attempt to write the file in one go and there won't be
an object for it.

Fixes: c5ead51f90
Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: jpgwojv9pwv.fsf@linux.bootlegged.copy
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-05-02 08:29:33 +02:00
Daniel P. Berrangé
1259f27ec2 usb-mtp: fix alignment of access of ObjectInfo filename field
The ObjectInfo struct's "filename" field is following a uint8_t
field in a packed struct and thus has bad alignment for a 16-bit
field. Switch the field to to uint8_t and use the helper function
for accessing unaligned 16-bit data.

Note that although the MTP spec specifies big endian, when transported
over the USB protocol, data is little endian.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20190415154503.6758-4-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-05-02 08:29:33 +02:00
Daniel P. Berrangé
3541cd48f3 usb-mtp: fix string length for filename when writing metadata
The ObjectInfo 'length' field provides the length of the
wide character string filename. This is then converted to
a multi-byte character string. This may have a different
byte count to the wide character string. We should use the
C string length of the multi-byte string instead.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-id: 20190415154503.6758-2-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-05-02 08:29:33 +02:00
Daniel P. Berrangé
375cb86d9f usb-mtp: fix bounds check for guest provided filename
The ObjectInfo struct has a variable length array containing the UTF-16
encoded filename. The number of characters of trailing data is given by
the 'length' field in the struct and this must be validated against the
size of the data packet received from the guest.

Since the data is UTF-16, we must convert the byte count we have to a
character count before validating. This must take care to truncate if
a malicious guest sent an odd number of bytes.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Bandan Das <bsd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-04-16 20:43:39 +01:00
Daniel P. Berrangé
b4682a63f8 filemon: fix watch IDs to avoid potential wraparound issues
Watch IDs are allocated from incrementing a int counter against
the QFileMonitor object. In very long life QEMU processes with
a huge amount of USB MTP activity creating & deleting directories
it is just about conceivable that the int counter can wrap
around. This would result in incorrect behaviour of the file
monitor watch APIs due to clashing watch IDs.

Instead of trying to detect this situation, this patch changes
the way watch IDs are allocated. It is turned into an int64_t
variable where the high 32 bits are set from the underlying
inotify "int" ID. This gives an ID that is guaranteed unique
for the directory as a whole, and we can rely on the kernel
to enforce this. QFileMonitor then sets the low 32 bits from
a per-directory counter.

The USB MTP device only sets watches on the directory as a
whole, not files within, so there is no risk of guest
triggered wrap around on the low 32 bits.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-02 13:52:02 +01:00
Bandan Das
b396733df3 usb-mtp: remove usb_mtp_object_free_one
This function is used in the delete path only and can
be replaced by a call to usb_mtp_object_free.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bandan Das <bsd@redhat.com>
Message-Id: <20190401211712.19012-3-bsd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-04-02 07:22:49 +02:00
Bandan Das
4bc1591681 usb-mtp: fix return status of delete
Spotted by Coverity: CID 1399414

mtp delete allows the return status of delete succeeded,
partial_delete or readonly - when none of the objects could be
deleted. Give more meaningful names to return values of the
delete function.

Some initiators recurse over the objects themselves. In that case,
only READ_ONLY can be returned.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-Id: <20190401211712.19012-2-bsd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-04-02 07:22:40 +02:00
Peter Maydell
5189e30b14 hw/usb/bus.c: Handle "no speed matched" case in usb_mask_to_str()
In usb_mask_to_str() we convert a mask of USB speeds into
a human-readable string (like "full+high") for use in
tracing and error messages. However the conversion code
doesn't do anything to the string buffer if the passed in
speedmask doesn't match any of the recognized speeds,
which means that the tracing and error messages will
end up with random garbage in them. This can happen if
we're doing USB device passthrough.

Handle the "unrecognized speed" case by using the
string "unknown".

Fixes: https://bugs.launchpad.net/qemu/+bug/1603785
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20190328133503.6490-1-peter.maydell@linaro.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-04-01 08:53:44 +02:00
Laurent Vivier
ab8789987f ohci: don't die on ED_LINK_LIMIT overflow
Stop processing the descriptor list instead. The next frame timer tick will
resume the work

Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1686705
Suggested-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 20190321085212.10796-1-lvivier@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-03-26 12:01:45 +01:00
Markus Armbruster
500016e5db trace-events: Shorten file names in comments
We spell out sub/dir/ in sub/dir/trace-events' comments pointing to
source files.  That's because when trace-events got split up, the
comments were moved verbatim.

Delete the sub/dir/ part from these comments.  Gets rid of several
misspellings.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190314180929.27722-3-armbru@redhat.com
Message-Id: <20190314180929.27722-3-armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2019-03-22 16:18:07 +00:00
Kővágó, Zoltán
85bc58520c audio: use qapi AudioFormat instead of audfmt_e
I had to include an enum for audio sampling formats into qapi, but that
meant duplicating the audfmt_e enum.  This patch replaces audfmt_e and
associated values with the qapi generated AudioFormat enum.

This patch is mostly a search-and-replace, except for switches where the
qapi generated AUDIO_FORMAT_MAX caused problems.

Signed-off-by: Kővágó, Zoltán <DirtY.iCE.hu@gmail.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 01251b2758a1679c66842120b77c0fb46d7d0eaf.1552083282.git.DirtY.iCE.hu@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-03-11 10:29:26 +01:00
Peter Maydell
234afe7828 - qtest fixes
- Some generic clean-ups by Philippe
 - macOS CI testing via cirrus-ci.com
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJcgi7HAAoJEC7Z13T+cC21Y00P/1/m7FcVVfMlDw85+rYjkUri
 QWPvWUORhGbAkv87AfsFezCzoO/n3KX+AefPDWbnIM1Ixt8MvS/8zPOWAXwHUKVy
 ira5jP7CNJDPGr13qoO0lNrvU5cmxRWdmLOMbMsqW3Aparc5RBgDPn0bvcm5l2vX
 i90fdxpXvpQ/FgoX0J1j//awa3JXf94pijBb3pL985qXI670ZkRq13JIlmVZ1+Gw
 Fmx4XvpIwajo2HM1G+CcG8ElAxTgYmjC9bkKJW1fddOkwP7wRnZtAdLZpRTzojCb
 CUNBaTSM/xjinVzOhwgiHFtak/ZMOdUZrGjrbin1e/p+Xppw75P7FdUoiSnJNhga
 BJr8LbGcJwcIXfpMdEw7ZGlWACd+D0+G7363jNWOPyff3by6xx4gdCrBsYc4qwSR
 MJ8Wyb5o4oSisUg06VxghGyPTE/xBgog/YgLb4Bu6FXjCPKsl0mKQMxG0ROZLvT+
 dFiaHeeCKEn7Yw6OkdqW9Sa1uGfna7gRCC7hZErDA3URe+02dUBb4VCtnjAaCLx3
 0Jq8jpb2T57N8roP23QFQBxA+Y859qlZPrWzwRqbgdADZCnFsSJlmBxjDmhbYuF0
 4qAQtGFTgdmhjdG/FjJkcMQkCcx4h6V62kqi8HtP+vCd43SFwLPqHH/HKq5cU/Zt
 YIXF2oo6z5k7iqx1H26G
 =DEp5
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/huth-gitlab/tags/pull-request-2019-03-08' into staging

- qtest fixes
- Some generic clean-ups by Philippe
- macOS CI testing via cirrus-ci.com

# gpg: Signature made Fri 08 Mar 2019 08:58:47 GMT
# gpg:                using RSA key 2ED9D774FE702DB5
# gpg: Good signature from "Thomas Huth <th.huth@gmx.de>" [full]
# gpg:                 aka "Thomas Huth <thuth@redhat.com>" [full]
# gpg:                 aka "Thomas Huth <huth@tuxfamily.org>" [full]
# gpg:                 aka "Thomas Huth <th.huth@posteo.de>" [unknown]
# Primary key fingerprint: 27B8 8847 EEE0 2501 18F3  EAB9 2ED9 D774 FE70 2DB5

* remotes/huth-gitlab/tags/pull-request-2019-03-08:
  cirrus.yml: Add macOS continuous integration task
  tests/bios-tables: Improve portability by searching bash in the $PATH
  vhost-user-test: fix leaks
  tests: Do not use "\n" in g_test_message() strings
  hw/devices: Remove unused TC6393XB_RAM definition
  hw: Remove unused 'hw/devices.h' include
  tests: Move qdict-test-data.txt to tests/data/qobject/

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

# Conflicts:
#	tests/vhost-user-test.c
2019-03-08 16:31:34 +00:00
Philippe Mathieu-Daudé
04f3c0084d hw: Remove unused 'hw/devices.h' include
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: BALATON Zoltan <balaton@eik.bme.hu>
Tested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2019-03-07 22:16:11 +01:00
Paolo Bonzini
03b348bdcb scsi: express dependencies with Kconfig
This automatically removes the SCSI subsystem from the
binary altogether if no controllers are selected.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Yang Zhong <yang.zhong@intel.com>
Message-Id: <20190123065618.3520-34-yang.zhong@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-03-07 21:45:53 +01:00
Paolo Bonzini
d6e9c470fc build: convert usb.mak to Kconfig
Instead of including the same list of devices for each target,
let the host controllers select CONFIG_USB and make the devices
default to present whenever USB is available.

Done with the following script:
  while read i; do
     i=${i%=y}; i=${i#CONFIG_}
     sed -i -e'/^config '$i'$/!b' -en \
            -e'a\' -e'    default y\' -e'    depends on USB' \
          `grep -lw $i hw/*/Kconfig`
  done < default-configs/usb.mak

followed by adding "select USB" on the host controllers.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Yang Zhong <yang.zhong@intel.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20190123065618.3520-33-yang.zhong@intel.com>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-03-07 21:45:53 +01:00
Paolo Bonzini
7c28b925b7 build: convert pci.mak to Kconfig
Instead of including the same list of devices for each target,
set CONFIG_PCI to true, and make the devices default to present
whenever PCI is available.  However, s390x does not want all the
PCI devices, so there is a separate symbol to enable them.

Done mostly with the following script:

  while read i; do
     i=${i%=y}; i=${i#CONFIG_}
     sed -i -e'/^config '$i'$/!b' -en \
            -e'a\' -e'    default y if PCI_DEVICES\' -e'    depends on PCI' \
          `grep -lw $i hw/*/Kconfig`
  done < default-configs/pci.mak

followed by replacing a few "depends on" clauses with "select"
whenever the symbol is not really related to PCI.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Yang Zhong <yang.zhong@intel.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20190123065618.3520-31-yang.zhong@intel.com>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-03-07 21:45:53 +01:00
Paolo Bonzini
82f5181777 kconfig: introduce kconfig files
The Kconfig files were generated mostly with this script:

  for i in `grep -ho CONFIG_[A-Z0-9_]* default-configs/* | sort -u`; do
    set fnord `git grep -lw $i -- 'hw/*/Makefile.objs' `
    shift
    if test $# = 1; then
      cat >> $(dirname $1)/Kconfig << EOF
config ${i#CONFIG_}
    bool

EOF
      git add $(dirname $1)/Kconfig
    else
      echo $i $*
    fi
  done
  sed -i '$d' hw/*/Kconfig
  for i in hw/*; do
    if test -d $i && ! test -f $i/Kconfig; then
      touch $i/Kconfig
      git add $i/Kconfig
    fi
  done

Whenever a symbol is referenced from multiple subdirectories, the
script prints the list of directories that reference the symbol.
These symbols have to be added manually to the Kconfig files.

Kconfig.host and hw/Kconfig were created manually.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Yang Zhong <yang.zhong@intel.com>
Message-Id: <20190123065618.3520-27-yang.zhong@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-03-07 21:45:53 +01:00
Alexander Kappner
ba4c735b4f Introduce new "no_guest_reset" parameter for usb-host device
With certain USB devices passed through via usb-host, a guest attempting to
reset a usb-host device can trigger a reset loop that renders the USB device
unusable. In my use case, the device was an iPhone XR that was passed through to
a Mac OS X Mojave guest. Upon connecting the device, the following happens:

1) Guest recognizes new device, sends reset to emulated USB host
2) QEMU's USB host sends reset to host kernel
3) Host kernel resets device
4) After reset, host kernel determines that some part of the device descriptor
has changed ("device firmware changed" in dmesg), so host kernel decides to
re-enumerate the device.
5) Re-enumeration causes QEMU to disconnect and reconnect the device in the
guest.
6) goto 1)

Here's from the host kernel (note the "device firmware changed" lines")

[3677704.473050] usb 1-1.3: new high-speed USB device number 53 using ehci-pci
[3677704.555594] usb 1-1.3: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.08
[3677704.555599] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[3677704.555602] usb 1-1.3: Product: iPhone
[3677704.555605] usb 1-1.3: Manufacturer: Apple Inc.
[3677704.555607] usb 1-1.3: SerialNumber: [[removed]]
[3677709.401040] usb 1-1.3: reset high-speed USB device number 53 using ehci-pci
[3677709.479486] usb 1-1.3: device firmware changed
[3677709.479842] usb 1-1.3: USB disconnect, device number 53
[3677709.546039] usb 1-1.3: new high-speed USB device number 54 using ehci-pci
[3677709.627471] usb 1-1.3: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.08
[3677709.627476] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[3677709.627479] usb 1-1.3: Product: iPhone
[3677709.627481] usb 1-1.3: Manufacturer: Apple Inc.
[3677709.627483] usb 1-1.3: SerialNumber: [[removed]]
[3677762.320044] usb 1-1.3: reset high-speed USB device number 54 using ehci-pci
[3677762.615630] usb 1-1.3: USB disconnect, device number 54
[3677762.787043] usb 1-1.3: new high-speed USB device number 55 using ehci-pci
[3677762.869016] usb 1-1.3: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.08
[3677762.869024] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[3677762.869028] usb 1-1.3: Product: iPhone
[3677762.869032] usb 1-1.3: Manufacturer: Apple Inc.
[3677762.869035] usb 1-1.3: SerialNumber: [[removed]]
[3677815.662036] usb 1-1.3: reset high-speed USB device number 55 using ehci-pci

Here's from QEMU:

libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/005/022: No such file or directory
libusb: error [udev_hotplug_event] ignoring udev action bind
libusb: error [udev_hotplug_event] ignoring udev action bind
libusb: error [_open_sysfs_attr] open /sys/bus/usb/devices/5-1/bConfigurationValue failed ret=-1 errno=2
libusb: error [_get_usbfs_fd] File doesn't exist, wait 10 ms and try again

libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/005/024: No such file or directory
libusb: error [udev_hotplug_event] ignoring udev action bind
libusb: error [udev_hotplug_event] ignoring udev action bind
libusb: error [_open_sysfs_attr] open /sys/bus/usb/devices/5-1/bConfigurationValue failed ret=-1 errno=2
libusb: error [_get_usbfs_fd] File doesn't exist, wait 10 ms and try again

libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/005/026: No such file or directory

The result of this is that the device remains permanently unusable in the guest.
The same problem has been previously reported for an iPad:
https://stackoverflow.com/questions/52617634/how-do-i-get-qemu-usb-passthrough-to-work-for-ipad-iphone

This problem can be elegantly solved by interrupting step 2) above. Instead of
passing through the reset, QEMU simply ignores it. To allow this to be
configured on a per-device level,  a new parameter "no_guest_reset" is
introduced for the usb-host device. I can confirm that the configuration
described above (iPhone XS + Mojave guest) works flawlessly with
no_guest_reset=True specified.

Working command line for my scenario:
device_add usb-host,vendorid=0x05ac,productid=0x12a8,no_guest_reset=True,id=iphone

Best regards
Alexander

Signed-off-by: Alexander Kappner <agk@godking.net>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20190128140027.9448-1-kraxel@redhat.com

[ kraxel: rename parameter to "guest-reset" ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-03-07 10:03:54 +01:00
Bandan Das
7ddf837465 usb-mtp: prevent null dereference while deleting objects
Spotted by Coverity: CID 1399144

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20190306210409.14842-4-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-03-07 10:02:48 +01:00
Bandan Das
298ac63c44 usb-mtp: fix some usb_mtp_write_data return paths
During a write, free up the "path" before getting more data.
Also, while we at it, remove the confusing usage of d->fd for
storing mkdir status

Spotted by Coverity: CID 1398642

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20190306210409.14842-3-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-03-07 10:02:48 +01:00
Bandan Das
c5ead51f90 usb-mtp: return incomplete transfer on a lstat failure
MTP writes objects in small chunks and at the end gets the
real file size to update the object metadata. If this fails for
any reason, return an INCOMPLETE_TRANSFER to the initiator

Spotted by Coverity: CID 1398651

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20190306210409.14842-2-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-03-07 10:02:48 +01:00
Daniel P. Berrangé
47287c27d0 hw/usb: switch MTP to use new inotify APIs
The internal inotify APIs allow a lot of conditional statements to be
cleared out, and provide a simpler callback for handling events.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-02-26 15:25:58 +00:00
Daniel P. Berrangé
888e0359bf hw/usb: fix const-ness for string params in MTP driver
Various functions accepting 'char *' string parameters were missing
'const' qualifiers.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-02-26 15:25:58 +00:00
Daniel P. Berrangé
3c48baf1d4 hw/usb: don't set IN_ISDIR for inotify watch in MTP driver
IN_ISDIR is not a bit that one can request when registering a
watch with inotify_add_watch. Rather it is a bit that is set
automatically when reading events from the kernel.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-02-26 15:25:58 +00:00
Liam Merwick
7011baece2 usb: remove unnecessary NULL device check from usb_ep_get()
No caller of usb_ep_get() calls it with a NULL device (previous commits
have addressed the few remaining cases which didn't explicitly check).
Replace check for 'dev == NULL' with an assert instead.

Signed-off-by: Liam Merwick <liam.merwick@oracle.com>
Message-id: 1549460216-25808-10-git-send-email-liam.merwick@oracle.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-02-20 09:41:23 +01:00
Liam Merwick
4fc12aa1fc usb: add device checks before redirector calls to usb_ep_get()
Add an assert and an explicit check before the two callers to
usb_ep_get() in the USB redirector code to ensure the device
passed in is not NULL.

Signed-off-by: Liam Merwick <liam.merwick@oracle.com>
Message-id: 1549460216-25808-9-git-send-email-liam.merwick@oracle.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-02-20 09:41:23 +01:00
Liam Merwick
e87fd1e6e5 usb: check device is not NULL before calling usb_ep_get()
In musb_packet(), the call to usb_find_device() can return NULL
if it doesn't find a device matching 'addr' so explicitly check
the return value before passing it to usb_ep_get().  This then
allows the subsequent calculation of 'id' to be streamlined.

Signed-off-by: Liam Merwick <liam.merwick@oracle.com>
Message-id: 1549460216-25808-8-git-send-email-liam.merwick@oracle.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-02-20 09:41:23 +01:00
Liam Merwick
ff668537b6 uhci: check device is not NULL before calling usb_ep_get()
In uhci_handle_td(), the call to ehci_find_device() can return NULL
if it doesn't find a device matching 'addr' so explicitly check
the return value before passing it to usb_ep_get().

Signed-off-by: Liam Merwick <liam.merwick@oracle.com>
Message-id: 1549460216-25808-7-git-send-email-liam.merwick@oracle.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-02-20 09:41:23 +01:00
Liam Merwick
42340fc31f ohci: check device is not NULL before calling usb_ep_get()
A call to ohci_find_device() can return NULL if it doesn't find a
device matching 'addr' so for the two callers, explicitly check
the return value before passing it to usb_ep_get().

Signed-off-by: Liam Merwick <liam.merwick@oracle.com>
Message-id: 1549460216-25808-6-git-send-email-liam.merwick@oracle.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-02-20 09:41:23 +01:00
Liam Merwick
e94682f1fe ehci: check device is not NULL before calling usb_ep_get()
In ehci_process_itd(), the call to ehci_find_device() can return NULL
if it doesn't find a device matching 'devaddr' so explicitly check
the return value before passing it to usb_ep_get().

Signed-off-by: Liam Merwick <liam.merwick@oracle.com>
Message-id: 1549460216-25808-5-git-send-email-liam.merwick@oracle.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-02-20 09:41:23 +01:00
Liam Merwick
7cb513aa34 xhci: check device is not NULL before calling usb_ep_get()
Signed-off-by: Liam Merwick <liam.merwick@oracle.com>
Message-id: 1549460216-25808-4-git-send-email-liam.merwick@oracle.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-02-20 09:41:23 +01:00
Liam Merwick
92cf34279c xhci: add asserts to help with static code analysis
Most callers of xhci_port_update() and xhci_wakeup() pass in a pointer
to an array entry and can never be NULL but add two defensive asserts
to protect against future changes (e.g. adding a new port speed, etc.)
adding a path through xhci_lookup_port() that could result in the
return of a NULL XHCIPort.

Signed-off-by: Liam Merwick <liam.merwick@oracle.com>
Message-id: 1549460216-25808-3-git-send-email-liam.merwick@oracle.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-02-20 09:41:23 +01:00
Liam Merwick
56090d78a7 usb: rearrange usb_ep_get()
There is no need to calculate the 'eps' variable in usb_ep_get()
if 'ep' is the control endpoint.  Instead the calculation should
be done after validating the input before returning an entry
indexed by the endpoint 'ep'.

Signed-off-by: Liam Merwick <liam.merwick@oracle.com>
Reviewed-by: Darren Kenny <Darren.Kenny@oracle.com>
Reviewed-by: Mark Kanda <Mark.Kanda@oracle.com>
Reviewed-by: Ameya More <ameya.more@oracle.com>
Message-id: 1549460216-25808-2-git-send-email-liam.merwick@oracle.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-02-20 09:41:23 +01:00
Michael Roth
94d1cc5f03 qdev: pass an Object * to qbus_set_hotplug_handler()
Certain devices types, like memory/CPU, are now being handled using a
hotplug interface provided by a top-level MachineClass. Hotpluggable
host bridges are another such device where it makes sense to use a
machine-level hotplug handler. However, unlike those devices,
host-bridges have a parent bus (the main system bus), and devices with
a parent bus use a different mechanism for registering their hotplug
handlers: qbus_set_hotplug_handler(). This interface currently expects
a handler to be a subclass of DeviceClass, but this is not the case
for MachineClass, which derives directly from ObjectClass.

Internally, the interface only requires an ObjectClass, so expose that
in qbus_set_hotplug_handler().

Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Acked-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <154999589921.690774.3640149277362188566.stgit@bahia.lan>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
2019-02-17 21:54:02 +11:00
Paolo Bonzini
4ad6f6cb14 char: allow specifying a GMainContext at opening time
This will be needed by vhost-user-test, when each test switches to
its own GMainLoop and GMainContext.  Otherwise, for a reconnecting
socket the initial connection will happen on the default GMainContext,
and no one will be listening on it.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20190202110834.24880-1-pbonzini@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2019-02-13 14:23:39 +01:00
Bandan Das
49f9e8d660 usb-mtp: replace the homebrew write with qemu_write_full
qemu_write_full takes care of partial blocking writes,
as in cases of larger file sizes

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20190129131908.27924-4-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-01-30 06:47:52 +01:00
Bandan Das
c1ef0f2519 usb-mtp: breakup MTP write into smaller chunks
For every MTP_WRITE_BUF_SZ copied, this patch writes it to file before
getting the next block of data. The file is kept opened for the
duration of the operation but the sanity checks on the write operation
are performed only once when the write operation starts. Additionally,
we also update the file size in the object metadata once the file has
completely been written.

Suggested-by: Gerd Hoffman <kraxel@redhat.com>
Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20190129131908.27924-3-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-01-30 06:47:52 +01:00
Bandan Das
179fcf8a83 usb-mtp: Reallocate buffer in multiples of MTP_WRITE_BUF_SZ
This is a "pre-patch" to breaking up the write buffer for
MTP writes. Instead of allocating a mtp buffer equal to size
sent by the initiator, we start with a small size and reallocate
multiples (of that small size) as needed.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20190129131908.27924-2-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-01-30 06:47:52 +01:00
Yuri Benditovich
b4329d1a2a usb: implement XHCI underrun/overrun events
Implement underrun/overrun events of isochronous endpoints
according to XHCI spec (4.10.3.1)
Guest software restarts data streaming when receives these events.
The XHCI reports these events using interrupter assigned
to the slot (as these events do not have TRB), so current
commit adds the field of assigned interrupter to the
XHCISlot structure. Guest software assigns interrupter to the
slot on 'Address Device' and 'Evaluate Context' commands.

Signed-off-by: Yuri Benditovich <yuri.benditovich@janustech.com>
Message-id: 20190128200444.5128-3-yuri.benditovich@janustech.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-01-30 06:47:52 +01:00
Yuri Benditovich
a587c832a3 usb: XHCI shall not halt isochronous endpoints
According to the XHCI spec (4.10.2) the controller
never halts isochronous endpoints. This commit prevent
stop of isochronous streaming when sporadic errors
status received from backends.

Signed-off-by: Yuri Benditovich <yuri.benditovich@janustech.com>
Message-id: 20190128200444.5128-2-yuri.benditovich@janustech.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-01-30 06:47:52 +01:00
Thomas Huth
75a49fc61a hw/usb: Fix LGPL information in the file headers
It's either "GNU *Library* General Public version 2" or "GNU Lesser
General Public version *2.1*", but there was no "version 2.0" of the
"Lesser" library. So assume that version 2.1 is meant here.
Additionally, suggest that the user should have received a copy of
the LGPL, and not the GPL here.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1548254454-7659-1-git-send-email-thuth@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-01-30 06:47:52 +01:00
Li Qiang
6e3c1a68f9 usb: dev-mtp: close fd in usb_mtp_object_readdir()
Spotted by Coverity: CID 1397070

Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190103133113.49599-1-liq3ea@163.com

[ kraxel: dropped chunk which adds close() after successful
          fdopendir() call, that is not needed according to
          POSIX even though Coverity flags it as bug ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-01-30 06:47:52 +01:00
Gerd Hoffmann
b63e10508b usb: assign unique serial numbers to hid devices
Windows guests have trouble dealing with usb devices having identical
serial numbers.  So, assign unique serial numbers to usb hid devices.
All other usb devices have this already.

In the past the fixed serial number has been used to indicate working
remote setup to linux guests.  Here is a bit of history:

 * First there was nothing.
 * Then I added a rule to udev checking for serial == 42.
   (this is in rhel-6).
 * Then systemd + udev merged.
 * Then I changed the rule to check for serial != 1 instead, so we can
   use any serial but "1" which is the one the old broken devices had
   (this is in rhel-7).  March 2014 in upstream systemd.
 * Then all usb power management rules where dropped from systemd (June
   2015).  Which I figured today (Sept 2018), after wondering that the
   rules are gone in fedora 28.

So, three years ago the serial number check was dropped upstream, yet I
hav't seen a single report about autosuspend issues (or cpu usage for
usb emulation going up, which is the typical symtom).

So I figured I can stop worring that changing the serial number will
break things and just do it.

And even if it turns out autosuspend is still an issue:  I think
meanwhile we can really stop worrying about guests running in old qemu
versions with broken usb suspend (fixed in 0.13 !).  If needed we can
enable autosuspend unconditionally in guests.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20190110125108.22834-1-kraxel@redhat.com
2019-01-30 06:47:52 +01:00
Paul Durrant
2d0ed5e642 xen: re-name XenDevice to XenLegacyDevice...
...and xen_backend.h to xen-legacy-backend.h

Rather than attempting to convert the existing backend infrastructure to
be QOM compliant (which would be hard to do in an incremental fashion),
subsequent patches will introduce a completely new framework for Xen PV
backends. Hence it is necessary to re-name parts of existing code to avoid
name clashes. The re-named 'legacy' infrastructure will be removed once all
backends have been ported to the new framework.

This patch is purely cosmetic. No functional change.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Acked-by: Anthony Perard <anthony.perard@citrix.com>
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
2019-01-14 13:45:40 +00:00
Peter Maydell
15bede5541 * HAX support for Linux hosts (Alejandro)
* esp bugfixes (Guenter)
 * Windows build cleanup (Marc-André)
 * checkpatch logic improvements (Paolo)
 * coalesced range bugfix (Paolo)
 * switch testsuite to TAP (Paolo)
 * QTAILQ rewrite (Paolo)
 * block/iscsi.c cancellation fixes (Stefan)
 * improve selection of the default accelerator (Thomas)
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJcOKyMAAoJEL/70l94x66DxKEH/1ho2Xl8ezxCecA6q3HqTgMT
 NJ/ntdqQwVwekKOWzsywnM3/LkEDLH55MxbTeQ8M/Vb1seS8eROz24/gPTzvFrfR
 n/d11rDV1EJfWe0H7nGLLFiRv0MSjxLpG9c3dlOKWhwOYHm25tr48PsdfVFP9Slz
 BK3rwrMeDgArfptHAIsAXt2h1S0EzrG9pMwGDpErCDzziXxBhUESE0Iqfw8LsH1K
 VjMn6rn7Ts1XKlxxwsm+BzHlTJghbj3tWPIfk+6uK2isP4iM3gFCoav3SG9XVXof
 V9+vFyMxdtZKT/0HvajhUS4/1S/uGBNNchZRnCxXlpbueWc5ROtvarhM6Hb0eck=
 =i8E5
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging

* HAX support for Linux hosts (Alejandro)
* esp bugfixes (Guenter)
* Windows build cleanup (Marc-André)
* checkpatch logic improvements (Paolo)
* coalesced range bugfix (Paolo)
* switch testsuite to TAP (Paolo)
* QTAILQ rewrite (Paolo)
* block/iscsi.c cancellation fixes (Stefan)
* improve selection of the default accelerator (Thomas)

# gpg: Signature made Fri 11 Jan 2019 14:47:40 GMT
# gpg:                using RSA key BFFBD25F78C7AE83
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>"
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>"
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini/tags/for-upstream: (34 commits)
  avoid TABs in files that only contain a few
  remove space-tab sequences
  scripts: add script to convert multiline comments into 4-line format
  hw/watchdog/wdt_i6300esb: remove a unnecessary comment
  checkpatch: warn about qemu/queue.h head structs that are not typedef-ed
  qemu/queue.h: simplify reverse access to QTAILQ
  qemu/queue.h: reimplement QTAILQ without pointer-to-pointers
  qemu/queue.h: remove Q_TAILQ_{HEAD,ENTRY}
  qemu/queue.h: typedef QTAILQ heads
  qemu/queue.h: leave head structs anonymous unless necessary
  vfio: make vfio_address_spaces static
  qemu/queue.h: do not access tqe_prev directly
  test: replace gtester with a TAP driver
  test: execute g_test_run when tests are skipped
  qga: drop < Vista compatibility
  build-sys: build with Vista API by default
  build-sys: move windows defines in osdep.h header
  build-sys: don't include windows.h, osdep.h does it
  scsi: esp: Defer command completion until previous interrupts have been handled
  esp-pci: Fix status register write erase control
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-01-11 15:46:09 +00:00
Paolo Bonzini
7d37435bd5 avoid TABs in files that only contain a few
Most files that have TABs only contain a handful of them.  Change
them to spaces so that we don't confuse people.

disas, standard-headers, linux-headers and libdecnumber are imported
from other projects and probably should be exempted from the check.
Outside those, after this patch the following files still contain both
8-space and TAB sequences at the beginning of the line.  Many of them
have a majority of TABs, or were initially committed with all tabs.

    bsd-user/i386/target_syscall.h
    bsd-user/x86_64/target_syscall.h
    crypto/aes.c
    hw/audio/fmopl.c
    hw/audio/fmopl.h
    hw/block/tc58128.c
    hw/display/cirrus_vga.c
    hw/display/xenfb.c
    hw/dma/etraxfs_dma.c
    hw/intc/sh_intc.c
    hw/misc/mst_fpga.c
    hw/net/pcnet.c
    hw/sh4/sh7750.c
    hw/timer/m48t59.c
    hw/timer/sh_timer.c
    include/crypto/aes.h
    include/disas/bfd.h
    include/hw/sh4/sh.h
    libdecnumber/decNumber.c
    linux-headers/asm-generic/unistd.h
    linux-headers/linux/kvm.h
    linux-user/alpha/target_syscall.h
    linux-user/arm/nwfpe/double_cpdo.c
    linux-user/arm/nwfpe/fpa11_cpdt.c
    linux-user/arm/nwfpe/fpa11_cprt.c
    linux-user/arm/nwfpe/fpa11.h
    linux-user/flat.h
    linux-user/flatload.c
    linux-user/i386/target_syscall.h
    linux-user/ppc/target_syscall.h
    linux-user/sparc/target_syscall.h
    linux-user/syscall.c
    linux-user/syscall_defs.h
    linux-user/x86_64/target_syscall.h
    slirp/cksum.c
    slirp/if.c
    slirp/ip.h
    slirp/ip_icmp.c
    slirp/ip_icmp.h
    slirp/ip_input.c
    slirp/ip_output.c
    slirp/mbuf.c
    slirp/misc.c
    slirp/sbuf.c
    slirp/socket.c
    slirp/socket.h
    slirp/tcp_input.c
    slirp/tcpip.h
    slirp/tcp_output.c
    slirp/tcp_subr.c
    slirp/tcp_timer.c
    slirp/tftp.c
    slirp/udp.c
    slirp/udp.h
    target/cris/cpu.h
    target/cris/mmu.c
    target/cris/op_helper.c
    target/sh4/helper.c
    target/sh4/op_helper.c
    target/sh4/translate.c
    tcg/sparc/tcg-target.inc.c
    tests/tcg/cris/check_addo.c
    tests/tcg/cris/check_moveq.c
    tests/tcg/cris/check_swap.c
    tests/tcg/multiarch/test-mmap.c
    ui/vnc-enc-hextile-template.h
    ui/vnc-enc-zywrle.h
    util/envlist.c
    util/readline.c

The following have only TABs:

    bsd-user/i386/target_signal.h
    bsd-user/sparc64/target_signal.h
    bsd-user/sparc64/target_syscall.h
    bsd-user/sparc/target_signal.h
    bsd-user/sparc/target_syscall.h
    bsd-user/x86_64/target_signal.h
    crypto/desrfb.c
    hw/audio/intel-hda-defs.h
    hw/core/uboot_image.h
    hw/sh4/sh7750_regnames.c
    hw/sh4/sh7750_regs.h
    include/hw/cris/etraxfs_dma.h
    linux-user/alpha/termbits.h
    linux-user/arm/nwfpe/fpopcode.h
    linux-user/arm/nwfpe/fpsr.h
    linux-user/arm/syscall_nr.h
    linux-user/arm/target_signal.h
    linux-user/cris/target_signal.h
    linux-user/i386/target_signal.h
    linux-user/linux_loop.h
    linux-user/m68k/target_signal.h
    linux-user/microblaze/target_signal.h
    linux-user/mips64/target_signal.h
    linux-user/mips/target_signal.h
    linux-user/mips/target_syscall.h
    linux-user/mips/termbits.h
    linux-user/ppc/target_signal.h
    linux-user/sh4/target_signal.h
    linux-user/sh4/termbits.h
    linux-user/sparc64/target_syscall.h
    linux-user/sparc/target_signal.h
    linux-user/x86_64/target_signal.h
    linux-user/x86_64/termbits.h
    pc-bios/optionrom/optionrom.h
    slirp/mbuf.h
    slirp/misc.h
    slirp/sbuf.h
    slirp/tcp.h
    slirp/tcp_timer.h
    slirp/tcp_var.h
    target/i386/svm.h
    target/sparc/asi.h
    target/xtensa/core-dc232b/xtensa-modules.inc.c
    target/xtensa/core-dc233c/xtensa-modules.inc.c
    target/xtensa/core-de212/core-isa.h
    target/xtensa/core-de212/xtensa-modules.inc.c
    target/xtensa/core-fsf/xtensa-modules.inc.c
    target/xtensa/core-sample_controller/core-isa.h
    target/xtensa/core-sample_controller/xtensa-modules.inc.c
    target/xtensa/core-test_kc705_be/core-isa.h
    target/xtensa/core-test_kc705_be/xtensa-modules.inc.c
    tests/tcg/cris/check_abs.c
    tests/tcg/cris/check_addc.c
    tests/tcg/cris/check_addcm.c
    tests/tcg/cris/check_addoq.c
    tests/tcg/cris/check_bound.c
    tests/tcg/cris/check_ftag.c
    tests/tcg/cris/check_int64.c
    tests/tcg/cris/check_lz.c
    tests/tcg/cris/check_openpf5.c
    tests/tcg/cris/check_sigalrm.c
    tests/tcg/cris/crisutils.h
    tests/tcg/cris/sys.c
    tests/tcg/i386/test-i386-ssse3.c
    ui/vgafont.h

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20181213223737.11793-3-pbonzini@redhat.com>
Reviewed-by: Aleksandar Markovic <amarkovic@wavecomp.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Eric Blake <eblake@redhat.com>
Acked-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Stefan Markovic <smarkovic@wavecomp.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-01-11 15:46:56 +01:00
Paolo Bonzini
72e21db7ea remove space-tab sequences
There are not many, and they are all simple mistakes that ended up
being committed.  Remove them.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20181213223737.11793-2-pbonzini@redhat.com>
Reviewed-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Acked-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-01-11 15:46:55 +01:00
Paolo Bonzini
eae3eb3e18 qemu/queue.h: simplify reverse access to QTAILQ
The new definition of QTAILQ does not require passing the headname,
remove it.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-01-11 15:46:55 +01:00
Paolo Bonzini
b58deb344d qemu/queue.h: leave head structs anonymous unless necessary
Most list head structs need not be given a name.  In most cases the
name is given just in case one is going to use QTAILQ_LAST, QTAILQ_PREV
or reverse iteration, but this does not apply to lists of other kinds,
and even for QTAILQ in practice this is only rarely needed.  In addition,
we will soon reimplement those macros completely so that they do not
need a name for the head struct.  So clean up everything, not giving a
name except in the rare case where it is necessary.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2019-01-11 15:46:55 +01:00
Peter Maydell
291741033f audio: two fixes.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJcNw8MAAoJEEy22O7T6HE4cYwP/1tgDp80mGhQeu2ZXb/2a+iV
 rX7ueEofG19rlXeSqpgwrCso2LM4SgY1wSzcPoHTV+ipCVWCQUT1HjPZamIXOq5x
 vt81scPZl+SBwBJRMS8CrArddMcmOh/288upbQy4xXZmwW2M6r9j5O5bRCfgExF6
 khQM7QOqopalmmEB0pbsdyQMbeszvfKXqAL+cch+VZSyULiVB4yFP9J6xroEtqz/
 ka8cVZcFLPwUY2CpXy9GUwQgCMwgYVviPyHU3E8bl3qcdQMqr9AR2QuI89s+kt1M
 9/7KVkmIAK7grim3SkWasHns8cXo8uxaWebmXZsk4yDofEKL5FfsrGrfng9W/OyS
 Ixg9JHwC7OfNq5YY4T/ghA56EVHzhu8eg1iGsnmA8ReoSyRR3/TFf0+oQypgONK3
 BbfMEBr2kr9XyWpThck26NLg0KXsGXgWk/KUPqGDg+QA1LbRw98vyXrPy/stkfbt
 77JwJgIOXviH6rEUA0U8REcg5KrI+tcq/JURiq9NVU+hew46OcGPXNWWlWxLcNJt
 olwnB0hOrXsddrIKSLTwav8FjVsLOT7LJSYmE7S70pWaEyQ6v8ctWc9LICptrLXD
 joVyN4Ktdyrx/zBi38XyPXuQuC7jCTFbuAEfe9rcTz0PjlKz0cN4SGvWPLQdaN3C
 f3AaRAlQj5RPqGPgazTN
 =UooZ
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/audio-20190110-pull-request' into staging

audio: two fixes.

# gpg: Signature made Thu 10 Jan 2019 09:23:24 GMT
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/audio-20190110-pull-request:
  usb-audio: ignore usb packages with wrong size
  hw/audio/marvell: Don't include unnecessary i2c.h header file

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2019-01-10 18:45:23 +00:00
Gerd Hoffmann
a7fde1c170 usb-audio: ignore usb packages with wrong size
usb packets with no payload (zero length) seem to happen in practice for
whatever reason.  Add a check and skip the packet then, otherwise we'll
trigger an assert.

Reported-by: Leonardo Soares Müller <leozinho29_eu@hotmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181211072649.20700-1-kraxel@redhat.com
2019-01-10 09:56:19 +01:00
Paolo Bonzini
efce3175fd usb: move ehci_create_ich9_with_companions to hw/i386
This function is only needed when Q35 is in use.  Moving it to
the same file that uses it lets you disable the entire USB
subsystem in x86_64-softmmu.mak; of course doing that will
cause -usb to break horribly, but one thing at a time.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1545064358-4601-1-git-send-email-pbonzini@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-01-08 12:43:41 +01:00
Hongbo Zhang
114529f79e hw/usb: Add generic sys-bus EHCI controller
This patch introduces a new system bus generic EHCI controller.
For the system bus EHCI controller, we've already had "xlnx",
"exynos4210", "tegra2", "ppc4xx" and "fusbh200", they are specific and
only suitable for their own platforms, platforms such as an Arm server,
may need a generic system bus EHCI controller, this patch creates it,
and the kernel driver ehci_platform.c works well on it.

Signed-off-by: Hongbo Zhang <hongbo.zhang@linaro.org>
Message-id: 1546077657-22637-1-git-send-email-hongbo.zhang@linaro.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-01-08 12:41:32 +01:00
Li Qiang
8e3759ef04 usb: dev-mtp: fix memory leak in error path
Spotted by Coverity: CID 1397074

Fixes: c52d46e041
Signed-off-by: Li Qiang <liq3ea@163.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190103132605.49476-1-liq3ea@163.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-01-08 12:40:35 +01:00
Jonathan Davies
f30815390a usb: drop unnecessary usb_device_post_load checks
In usb_device_post_load, certain values of dev->setup_len or
dev->setup_index can cause -EINVAL to be returned. One example is when
setup_len exceeds 4096, the hard-coded value of sizeof(dev->data_buf).
This can happen through legitimate guest activity and will cause all
subsequent attempts to migrate the guest to fail in vmstate_load_state.

The values of these variables can be set by USB packets originating in
the guest. There are two ways in which they can be set: in
do_token_setup and in do_parameter in hw/usb/core.c.

It is easy to craft a USB packet in a guest that causes do_token_setup
to set setup_len to a value larger than 4096. When this has been done
once, all subsequent attempts to migrate the VM will fail in
usb_device_post_load until the VM is next power-cycled or a
smaller-sized USB packet is sent to the device.

Sample code for achieving this in a VM started with "-device usb-tablet"
running Linux with CONFIG_HIDRAW=y and HID_MAX_BUFFER_SIZE > 4096:

  #include <sys/types.h>
  #include <sys/stat.h>
  #include <fcntl.h>
  #include <unistd.h>

  int main() {
           char buf[4097];
           int fd = open("/dev/hidraw0", O_RDWR|O_NONBLOCK);

           buf[0] = 0x1;
           write(fd, buf, 4097);

           return 0;
  }

When this code is run in the VM, qemu will output:

  usb_generic_handle_packet: ctrl buffer too small (4097 > 4096)

A subsequent attempt to migrate the VM will fail and output the
following on the destination host:

  qemu-kvm: error while loading state for instance 0x0 of device '0000:00:06.7/1/usb-ptr'
  qemu-kvm: load of migration failed: Invalid argument

The idea behind checking the values of setup_len and setup_index before
they are used is correct, but doing it in usb_device_post_load feels
arbitrary, and will cause unnecessary migration failures. Indeed, none
of the commit messages for c60174e8, 9f8e9895 and 719ffe1f justify why
post_load is the right place to do these checks. They correctly point
out that the important thing to protect is the usb_packet_copy.

Instead, the right place to do the checks is in do_token_setup and
do_parameter. Indeed, there are already some checks here. We can examine
each of the disjuncts currently tested in usb_device_post_load to see
whether any need adding to do_token_setup or do_parameter to improve
safety there:

  * dev->setup_index < 0
     - This test is not needed because setup_index is explicitly set to
0 in do_token_setup and do_parameter.

  * dev->setup_len < 0
     - In both do_token_setup and do_parameter, the value of setup_len
is computed by (s->setup_buf[7] << 8) | s->setup_buf[6]. Since
s->setup_buf is a byte array and setup_len is an int32_t, it's
impossible for this arithmetic to set setup_len's top bit, so it can
never be negative.

  * dev->setup_index > dev->setup_len
     - Since setup_index is 0, this is equivalent to the previous test,
so is redundant.

  * dev->setup_len > sizeof(dev->data_buf)
     - This condition is already explicitly checked in both
do_token_setup and do_parameter.

Hence there is no need to bolster the existing checks in do_token_setup
or do_parameter, and we can safely remove these checks from
usb_device_post_load without reducing safety but allowing migrations to
proceed regardless of what USB packets have been generated by the guest.

Signed-off-by: Jonathan Davies <jonathan.davies@nutanix.com>
Message-Id: <20190107175117.23769-1-jonathan.davies@nutanix.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-01-08 12:37:52 +01:00
Daniel P. Berrangé
3fd2092fd1 hw/usb: fix mistaken de-initialization of CCID state
In previous commit:

  commit 7dea29e4af
  Author: Li Qiang <liq3ea@gmail.com>
  Date:   Fri Oct 19 03:50:36 2018 -0700

    hw: ccid-card-emulated: cleanup resource when realize in error path

The emulated_realize method was changed so that it jumps to a cleanup
label to de-initialize state upon error. This change failed to ensure
the success path exited the method before this point though. So the
mutexes are always destroyed even in normal operation. The result is
as crashtastic as expected:

$ qemu-system-x86_64 -usb -device usb-ccid,id=ccid0 -device ccid-card-emulated,backend=nss-emulated,id=smartcard0,bus=ccid0.0
qemu-system-x86_64: util/qemu-thread-posix.c:64: qemu_mutex_lock_impl: Assertion `mutex->initialized' failed.
Aborted (core dumped)

Fixes: 7dea29e4af
Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181221134115.27973-1-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2019-01-07 14:12:20 +01:00
Peter Maydell
3866e6bebd usb: fixes for mtp, ehci, usb-host and pvusb (xen).
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJcE4gpAAoJEEy22O7T6HE4iooQAIjiQJoz4K5/ClVtU/4y/nb9
 GlqcC3q/KONbjgFGLVORVLx0hsclwApMN8TI7EyD37PpBcZ5sN3OqwNUt+wBTQUx
 hV1dX8ZJoduh23f71qkXPKI77t8g5AsxkCCRPdHTsKro480L1hj58GviT+pSqOvg
 7SW9sJQA6IBYE5mpRkvwNqcC9jJrz5ri239iFpWvPFmYtDikIZkyE9Qp6fhBfW6d
 tuX9oFZCq4gB8aF8uTDjvlkDjltpNEDqJMFLHgy0l2lZnGGyHQNVIxOF5Ainr/0A
 IkWkd9eG6M9AQvAAZYPnptis4V5Cv+6y96ubNv0AyAc2BlY3v8p0lJyscoGno5bq
 E+4wQn7Rvx39uBC5qLYUZ2Q2QIWucRqFefx+AGbCPdmlu+Czp4rkv1exdrvZcqK3
 HIj9MSV5Xzgvi/ChMRczPionhjxe/fe0GNSue0FFrPrePasz3xaEb7CjbU3VdzRW
 tVNg3T6XhTXEfVSs/PkRjoOZdIboKFkJxU8iILaZytsyyLfb6A6mQ50wdCHf8+xf
 iLOkSM5xgMvp39H8ueZHjNuJ46ojTu9+xuXB/8z8crWml5Hfv4sfN3X11whacxNB
 n11WOOTLaWbhalYoxSOawha/3reYNOWq1RN/hCab4dczDZ53BDjmGSdHfIYEpf4S
 Gnu3YL6l4STx/be52YVK
 =I8A+
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/usb-20181214-pull-request' into staging

usb: fixes for mtp, ehci, usb-host and pvusb (xen).

# gpg: Signature made Fri 14 Dec 2018 10:38:33 GMT
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/usb-20181214-pull-request:
  usb-mtp: Limit filename to object information size
  usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
  ehci: fix fetch qtd race
  usb-host: reset and close libusb_device_handle before qemu exit
  pvusb: set max grants only in initialise

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-12-16 12:05:08 +00:00
Michael Hanselmann
90c1a74271 usb-mtp: Limit filename to object information size
The filename length in MTP metadata is specified by the guest. By
trusting it directly it'd theoretically be possible to get the host to
write memory parts outside the filename buffer into a filename. In
practice though there are usually NUL bytes stopping the string
operations.

Also use the opportunity to not assign the filename member twice.

Signed-off-by: Michael Hanselmann <public@hansmi.ch>
Message-id: ab70659d8d5c580bdf150a5f7d5cc60c8e374ffc.1544740018.git.public@hansmi.ch

[ kraxel: codestyle fix: break a long line ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-12-14 08:57:17 +01:00
Gerd Hoffmann
bab9df35ce usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
While being at it also add O_CLOEXEC.

usb-mtp only handles regular files and directories and ignores
everything else, so users should not see a difference.

Because qemu ignores symlinks, carrying out a successful symlink attack
requires swapping an existing file or directory below rootdir for a
symlink and winning the race against the inotify notification to qemu.

Fixes: CVE-2018-16872
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: Bandan Das <bsd@redhat.com>
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Message-id: 20181213122511.13853-1-kraxel@redhat.com
2018-12-14 08:52:14 +01:00
Mao Zhongyi
f7c5f21eaa usb/tusb6010: Convert sysbus init function to realize function
Use DeviceClass rather than SysBusDeviceClass in
tusb6010_class_init().

Cc: kraxel@redhat.com

Signed-off-by: Mao Zhongyi <maozhongyi@cmss.chinamobile.com>
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Message-id: 20181130093852.20739-20-maozhongyi@cmss.chinamobile.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-12-13 13:48:02 +00:00
Gerd Hoffmann
b7d3a7e1a8 ehci: fix fetch qtd race
The token field contains the (guest-filled) state of the qtd, which
indicates whenever the other fields are valid or not.  So make sure
we read the token first, otherwise we may end up with an stale next
pointer:

  (1) ehci reads next
  (2) guest writes next
  (3) guest writes token
  (4) ehci reads token
  (5) ehci operates with stale next.

Typical effect is that qemu doesn't notice that the guest appends new
qtds to the end of the queue.  Looks like the usb device stopped
responding.  Linux can recover from that, but leaves a message in the
kernel log that it did reset the usb device in question.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20181126100836.8805-1-kraxel@redhat.com
2018-12-10 15:30:18 +01:00
linzhecheng
5621d0453c usb-host: reset and close libusb_device_handle before qemu exit
we should perform these things as same as usb_host_close.

Signed-off-by: linzhecheng <linzhecheng@huawei.com>
Message-id: 20181130064700.5984-1-linzhecheng@huawei.com

[ kraxel: whitespace fixup ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-12-10 14:39:54 +01:00
Juergen Gross
f8224fb0fa pvusb: set max grants only in initialise
Don't call xen_be_set_max_grant_refs() in usbback_alloc(), as the
gnttabdev pointer won't be initialised yet. The call can easily be
moved to usbback_connect().

Signed-off-by: Juergen Gross <jgross@suse.com>
Message-id: 20181206133923.30105-1-jgross@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-12-10 14:13:35 +01:00
Peter Maydell
933cc4bb34 usb: mtp fixes.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJcBYkCAAoJEEy22O7T6HE4PHoP/RpxY7q4KXIe2JwKs4j6Ctpf
 X1+xD7mwQA0QnIXJ0BOQ6gfwFp8HvcHPRqK7ugkWoXRYoE8aKk6XF0fq8ArS7xlR
 shdJMkfuZwzS9ENFFxl7KHOrq2FbZP0xtTcvybqQ7/Hi97GhUz04hyY2H20bX/FP
 TsN7athZTwwNTdqOW3HabQlkwlt22Ujvm/8tB1vmA7wBNHN8eIliWFsm9DUDg6Vg
 m7YzTHybV1tzQJ7SebMHg9sUl6DRtgMKy/sHhxN0eAkop2NpY8ZXQU9K3fq55TEs
 hhN74OYUMADTWoKIkXD/HlMzO3kOmmjkCRGsEEIXcgvvbuOXpWft+j2xzncrFBII
 Sr4TVDfGtuk7/YJta6zhty1ZoYdEZBv1tbs4QEF2B/l2Rjcc9HIaX+809yO0IFwx
 iSiwwkKotuwiMZRdMl4lpxHX2bZrr9jnJkXhFZWbb9CKKkwfZGalle34FBzod/Fa
 fojQV75RxSgTZB8You+90t16Csex8nJmDKGtEN8ozNUq1WMoD+aHutysKwSgu0wS
 2TnajZsrbCMKXbAEAgv6IeYUIz1wEk0ICs0L2hR9llaerrWVJd8e+Hkq0N9VIaQl
 AiTlwdn+B6aYqG2kgde/HWdLSTb2qsIO23CtN40/gjE62inViQ3gQBprPDEl4YZP
 0Aeb3N8+lo1XuZ2fwSg7
 =B/En
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/fixes-31-20181203-pull-request' into staging

usb: mtp fixes.

# gpg: Signature made Mon 03 Dec 2018 19:50:26 GMT
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/fixes-31-20181203-pull-request:
  usb-mtp: outlaw slashes in filenames
  usb-mtp: fix utf16_to_str

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-12-03 19:57:59 +00:00
Gerd Hoffmann
c52d46e041 usb-mtp: outlaw slashes in filenames
Slash is unix directory separator, so they are not allowed in filenames.
Note this also stops the classic escape via "../".

Fixes: CVE-2018-16867
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181203101045.27976-3-kraxel@redhat.com
2018-12-03 19:40:17 +01:00
Gerd Hoffmann
6de02a1323 usb-mtp: fix utf16_to_str
Make utf16_to_str return an allocated string.  Remove the assumtion that
the number of string bytes equals the number of utf16 chars (which is
only true for ascii chars).  Instead call wcstombs twice, once to figure
the storage size and once for the actual conversion (as suggested by the
wcstombs manpage).

FIXME: surrogate pairs are not working correctly.  Pre-existing bug,
fixing that is left for another day.

Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-id: 20181203101045.27976-2-kraxel@redhat.com
2018-12-03 19:39:04 +01:00
Marc-André Lureau
03fee66fde vmstate: constify VMStateField
Because they are supposed to remain const.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20181114132931.22624-1-marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-11-27 15:35:15 +01:00
linzhecheng
933d2d4bf2 usb-host: set ifs.detached as true if kernel driver is not active
If no kernel driver is active, we can already claim and perform I/O on
it without detaching it.

Signed-off-by: linzhecheng <linzhecheng@huawei.com>
Message-id: 20181120083419.17716-1-linzhecheng@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-11-27 07:47:57 +01:00
Peter Maydell
e8b38d7371 usb: fixes for ohci and smart card emulation.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJb12daAAoJEEy22O7T6HE4Y2QP/1zveNh7yw25ZocZYo+R4Lg2
 IzAfIeI5zSyf3yOjAwvrTiDveaPVvbiF1GXe2R3s2KSNFEvSETjZgUgL30q2I2Xu
 4W0JqxrYKI3ZmxrJukRMCx2ZUALZ00q8hjw7P0NFivrn3oNPuS8NTw75RdBBBT48
 EbtK76ejUoLX7vob+qj38euLPXSde8KiskbYq+AJrPYqnoMWabv87B49Q4485lu7
 9jt4JpiS86c0u9fvCinKntf7HxnME/g7tgKNBl6R5OgD8WB8J7f9xk/v57+AACuh
 YqUWmjD7oVznsxEkB4+FO0emexN1fibbK6xeZ//P/FzCQArHngl3KMcRcPutjxOA
 AhSHVHfYclonadrINXyxlLBAAvH81AnBibJehBBxDewmjTrisisnd9BLaMFj+xKC
 lwjXmGKozJJESz9FZdRXKr4G4pxDH8zjdDBo+EQNmOWA4Er1AFF+9nOltdkNCwMA
 fxpVQwFTKH2PlFgEc7nY0JrBV2RfUcAHMVtHydPIoViJ33xnbc35qeuGy4Nj1C9Q
 BpWpatHav0cTfV27Qhy1RiGtdcPbJ4BYUXIGvC92HkNtXlVCFBJ+c3Nk+C1b3z+D
 UUoxU3E+LsttE0Fx8bgz9nmqag4BVguEDs8fsAus7KC1g5HAhSKJZAez7Yy4UH63
 Q87jKFe93lZoahcmQR18
 =PQZI
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/usb-20181029-pull-request' into staging

usb: fixes for ohci and smart card emulation.

# gpg: Signature made Mon 29 Oct 2018 20:02:34 GMT
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/usb-20181029-pull-request:
  hw: ccid-card-emulated: cleanup resource when realize in error path
  hw: ccid-card-emulated: introduce clean_event_notifier
  usb: ohci: make num_ports to an unsinged integer

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-10-30 13:32:38 +00:00
Li Qiang
7dea29e4af hw: ccid-card-emulated: cleanup resource when realize in error path
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Message-id: 1539946236-18028-3-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-10-29 10:46:07 +01:00
Li Qiang
ca1d410285 hw: ccid-card-emulated: introduce clean_event_notifier
Call it in device unrealize function.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Message-id: 1539946236-18028-2-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-10-29 10:46:07 +01:00
Li Qiang
b9a3a4f206 usb: ohci: make num_ports to an unsinged integer
This can avoid setting OCHIState.num_ports to a negative num.

Signed-off-by: Li Qiang <liq3ea@gmail.com>
Message-id: 1540263618-18344-1-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-10-29 10:25:12 +01:00
Markus Armbruster
4b5766488f error: Fix use of error_prepend() with &error_fatal, &error_abort
From include/qapi/error.h:

  * Pass an existing error to the caller with the message modified:
  *     error_propagate(errp, err);
  *     error_prepend(errp, "Could not frobnicate '%s': ", name);

Fei Li pointed out that doing error_propagate() first doesn't work
well when @errp is &error_fatal or &error_abort: the error_prepend()
is never reached.

Since I doubt fixing the documentation will stop people from getting
it wrong, introduce error_propagate_prepend(), in the hope that it
lures people away from using its constituents in the wrong order.
Update the instructions in error.h accordingly.

Convert existing error_prepend() next to error_propagate to
error_propagate_prepend().  If any of these get reached with
&error_fatal or &error_abort, the error messages improve.  I didn't
check whether that's the case anywhere.

Cc: Fei Li <fli@suse.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <20181017082702.5581-2-armbru@redhat.com>
2018-10-19 14:51:34 +02:00
Miguel GAIO
a60f39a468 ohci: set effectively usb frame rate to 1kHz
USB frame rate is slightly lower than 1kHz: ie. ~950Hz.
Thus usb-audio device is not able to perform a simple audio playback
without underruns on audio backend.
eg. "-device pci-ohci,id=ohci -device usb-audio,bus=ohci.0" vs PulseAudio
backend. more than 50 underruns are observed per second.

Update ohci_sof_time computation, using QEMU_CLOCK_VIRTUAL in
ohci_usb_start(), and increment by usb_frame_time in ohci_sof()
makes USB frame rate close to 1kHz.
This way, no audio underrun are observed during audio playback.

Signed-off-by: Miguel GAIO <mgaio35@gmail.com>
Message-Id: <20180927151936.3647-1-mgaio35@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-10-01 10:49:54 +02:00
Gerd Hoffmann
3e9191acb7 usb-hub: clear suspend on detach
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20180912114012.6034-1-kraxel@redhat.com
2018-10-01 10:49:54 +02:00
Bandan Das
f7c36a754c usb-mtp: reset ObjectInfo dataset size on cleanup
Stale values in this field may result in qemu
expecting more data on the next operation

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180907220851.9658-4-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-10-01 10:49:54 +02:00
Bandan
44dd419680 usb-mtp: fix error conditions for write operation
Return STORE_FULL if we can't write all the bytes but
return incomplete transfer if data received is less then
what was specified in the metadata. Also, use d->offset
as the file size which is valid for all file sizes.

Signed-off-by: Bandan <bsd@redhat.com>
Message-id: 20180907220851.9658-2-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-10-01 10:49:53 +02:00
Bandan Das
15aa757d05 dev-mtp: rename x-root to rootdir
x-root was renamed as such owing to the experimental nature of the
property; the underlying filesystem semantics were undecided

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-6-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-08-21 10:27:59 +02:00
Bandan Das
3e096650a6 dev-mtp: Add support for > 4GB file transfers
To support larger file transfers, rely on a short packet
to detect end of the data phase and rewrite d->length to
the size received

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-5-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-08-21 10:27:59 +02:00
Bandan Das
d33e3e4bf8 dev-mtp: retry write for incomplete transfers
For large buffers, write may not copy the full buffer. For example,
on Linux, write imposes a limit of 0x7ffff000. Note that this does
not fix >4G transfers but ~>2G files will transfer successfully.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-4-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-08-21 10:27:59 +02:00
Bandan Das
406f35d7fc dev-mtp: fix buffer allocation for writing file contents
usb_mtp_realloc() was being incorrectly used when allocating
buffer for incoming data. Set d->length only after resizing
the buffer.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-3-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-08-21 10:27:59 +02:00
Bandan Das
47bff13cea dev-mtp: add support for canceling transaction
The initiator can choose to cancel an ongoing request which
is specified by bRequest=0x64. If such a request arrives,
free up any pending state

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: 20180720214020.22897-2-bsd@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-08-21 10:27:59 +02:00
Sebastian Bauer
7c48b95df4 ohci: Clear the interrupt counter for erroneous transfers
This is mandated by the ohci specification. It tells at 6.4.4 on page 104
that for transfer descriptors that are retired with an error the done
queue interrupt counter is cleared as if the interrupt delay field of the
descriptions were zero.

Before this change, error conditions were handled similarly to the
successful condition which is especially troublesome for control transfers.
Some drivers (e.g., the AmigaOS-one) as well as the example code in the
spec, set the setup stage with an interrupt delay of seven (which means no
interrupt). This is fine under normal conditions, because one usually
doesn't want to be notified about the completion of this stage. However, if
an error occurs in this stage, these drivers will not get notified with the
current implementation. The fix addresses this by following the spec more
closely. Also, otherwise, the ability to set interrupt delay to seven would
be useless.

Note that Linux drivers that I looked at don't seem to be affected as they
set six as the interrupt delay presumably for the reason that they won't
get notified otherwise.

Signed-off-by: Sebastian Bauer <mail@sebastianbauer.info>
Message-id: 20180729191928.11254-1-mail@sebastianbauer.info
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-08-21 10:25:22 +02:00
Kevin Wolf
572023f7b2 block: Remove deprecated -drive option serial
This reinstates commit b008326744,
which was temporarily reverted for the 3.0 release so that libvirt gets
some extra time to update their command lines.

The -drive option serial was deprecated in QEMU 2.10. It's time to
remove it.

Tests need to be updated to set the serial number with -global instead
of using the -drive option.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Jeff Cody <jcody@redhat.com>
2018-08-15 12:50:39 +02:00
Cornelia Huck
44e8b4689c Revert "block: Remove deprecated -drive option serial"
This reverts commit b008326744.

Hold off removing this for one more QEMU release (current libvirt
release still uses it.)

Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2018-07-10 14:36:11 +02:00
Peter Maydell
ba2dfe6f6f usb: bugfixes for ehci and xhci.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJbOzMsAAoJEEy22O7T6HE43hwP/jvz1w4jDEBRpORJmHcrIHiG
 b666V6/Y3yBqegxVNp9bZXE9eN1j7dwxnOB61/vWYqioSq8WFPi6DU4YdRfphYwn
 HI1Ge/ATN9oyXI61PvqJO2izJ+QPEoikDNc9utPHO5M7uQ1Tu4NKG5ItsJZ3JHZY
 Vg4XdGJgLjEsa0qsS+5plactG//SswV7g9ztzIZv+llOHnHnwDPrpcaPiYNt0iiP
 cEf/aE+jfA1joDq0rXOiUu8pUhqW+/Vmly+DI/YH920+CnMGHArX7L35kN5MztYx
 8oGcnDvB75F9S0VN+ygwDWiU11wQr626mYkTADWrBOgC0EHiaB3qGESNssQTaHuv
 N7EPdKeb0ZX57WvLdYoVZT0W32sGyM1l3xWmuxUeNqapdbOF95TkfmikxX80tS/n
 WrEgDnlknOXLtGUgcwfJ5CaM6t6qNfL9n/aZm9u2bj+pYY83/FEsZ5xXfs7AP58i
 078uWp0HisQWPzmON9zyJgXBGpMMEVir5SnHOwe/PVhNHkNt6Uw5LCbs2gwO+bb3
 SxapuNmdV3Ua/XvDyfjhAgHtFCXDSBb5/3KXxvkIIAFuVGQ88bATWMf6nnXjP0G7
 nIcaGM4zbLqNQ37bZHpqaGbX1ufZVRtLqj1Df/WOe9ebOfDUVOqK/KmqX89DdRAI
 eCxeSFC4csj/BoVpNngX
 =9UH4
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/kraxel/tags/usb-20180703-pull-request' into staging

usb: bugfixes for ehci and xhci.

# gpg: Signature made Tue 03 Jul 2018 09:26:20 BST
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/usb-20180703-pull-request:
  xhci: fix guest-triggerable assert
  ehci: Don't fetch a NULL current qtd but advance the queue instead.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-07-03 17:10:39 +01:00
Gerd Hoffmann
8f36ec7088 xhci: fix guest-triggerable assert
Set xhci into error state instead of throwing a core dump.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20180702162752.29233-1-kraxel@redhat.com
2018-07-03 09:50:39 +02:00
Sebastian Bauer
8bb01b257f ehci: Don't fetch a NULL current qtd but advance the queue instead.
Fetching qtd with the NULL address most likely makes no sense so from now
on, we handle it this case similarly as if the terminate (T) bit is not
set, which is already an exception as according to section 3.6 of the EHCI
spec there is no T bit defined for the current_qtd field.

The spec is a bit vague on how an EHCI driver should initialize these
fields: "The general operational model is that the host controller can
detect whether the overlay area contains a description of an active
transfer" (p. 49). QEMU primarily uses the QTD_TOKEN_ACTIVE bit of the
queue header to infer the activity state but there are other ways
conceivable.

This change allows QEMU to boot further into AmigaOS. The public available
version of the EHCI driver recycles queue heads in some rare conditions but
only clears the current_qtd field but not the status field. This works with
many available EHCI PCI cards but e.g., not with the Freescale USB
controller's found on the P5040. On the emulated EHCI controller of QEMU
the consequence is that some garbage was read in, which resulted in a
reset of the controller. This change fixes the problem.

Signed-off-by: Sebastian Bauer <mail@sebastianbauer.info>
Tested-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-id: 20180625222718.4488-1-mail@sebastianbauer.info
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-07-03 09:49:44 +02:00
Philippe Mathieu-Daudé
246e195b52 hw/usb: Use the IEC binary prefix definitions
It eases code review, unit is explicit.

Patch generated using:

  $ git grep -E '(1024|2048|4096|8192|(<<|>>).?(10|20|30))' hw/ include/hw/

and modified manually.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20180625124238.25339-36-f4bug@amsat.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-07-02 15:41:16 +02:00
Kevin Wolf
b8efb36b9e usb-storage: Add rerror/werror properties
The error handling policy was traditionally set with -drive, but with
-blockdev it is no longer possible to set frontend options. scsi-disk
(and other block devices) have long supported qdev properties to
configure the error handling policy, so let's add these options to
usb-storage as well and just forward them to the internal scsi-disk
instance.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
2018-06-29 14:20:56 +02:00
Marc-André Lureau
9b5c2fd53f Revert "usb: release the created buses"
The USB device don't hold the bus. There is no ASAN related reports
anymore.

This reverts commit cd7bc87868.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20180613172815.32738-3-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-06-18 09:15:51 +02:00
Marc-André Lureau
a1738cd8c5 Revert "usb-ccid: fix bus leak"
The bus is not owned by the device.

This reverts commit 410a096adf.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20180613172815.32738-2-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-06-18 09:15:51 +02:00
Kevin Wolf
b008326744 block: Remove deprecated -drive option serial
The -drive option serial was deprecated in QEMU 2.10. It's time to
remove it.

Tests need to be updated to set the serial number with -global instead
of using the -drive option.

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Jeff Cody <jcody@redhat.com>
2018-06-15 14:49:44 +02:00