- 14 12月, 2018 2 次提交
-
-
由 Michael Hanselmann 提交于
The filename length in MTP metadata is specified by the guest. By trusting it directly it'd theoretically be possible to get the host to write memory parts outside the filename buffer into a filename. In practice though there are usually NUL bytes stopping the string operations. Also use the opportunity to not assign the filename member twice. Signed-off-by: NMichael Hanselmann <public@hansmi.ch> Message-id: ab70659d8d5c580bdf150a5f7d5cc60c8e374ffc.1544740018.git.public@hansmi.ch [ kraxel: codestyle fix: break a long line ] Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Gerd Hoffmann 提交于
Open files and directories with O_NOFOLLOW to avoid symlinks attacks. While being at it also add O_CLOEXEC. usb-mtp only handles regular files and directories and ignores everything else, so users should not see a difference. Because qemu ignores symlinks, carrying out a successful symlink attack requires swapping an existing file or directory below rootdir for a symlink and winning the race against the inotify notification to qemu. Fixes: CVE-2018-16872 Cc: Prasad J Pandit <ppandit@redhat.com> Cc: Bandan Das <bsd@redhat.com> Reported-by: NMichael Hanselmann <public@hansmi.ch> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Reviewed-by: NMichael Hanselmann <public@hansmi.ch> Message-id: 20181213122511.13853-1-kraxel@redhat.com
-
- 13 12月, 2018 1 次提交
-
-
由 Mao Zhongyi 提交于
Use DeviceClass rather than SysBusDeviceClass in tusb6010_class_init(). Cc: kraxel@redhat.com Signed-off-by: NMao Zhongyi <maozhongyi@cmss.chinamobile.com> Signed-off-by: NZhang Shengju <zhangshengju@cmss.chinamobile.com> Message-id: 20181130093852.20739-20-maozhongyi@cmss.chinamobile.com Signed-off-by: NPeter Maydell <peter.maydell@linaro.org>
-
- 10 12月, 2018 3 次提交
-
-
由 Gerd Hoffmann 提交于
The token field contains the (guest-filled) state of the qtd, which indicates whenever the other fields are valid or not. So make sure we read the token first, otherwise we may end up with an stale next pointer: (1) ehci reads next (2) guest writes next (3) guest writes token (4) ehci reads token (5) ehci operates with stale next. Typical effect is that qemu doesn't notice that the guest appends new qtds to the end of the queue. Looks like the usb device stopped responding. Linux can recover from that, but leaves a message in the kernel log that it did reset the usb device in question. Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Message-id: 20181126100836.8805-1-kraxel@redhat.com
-
由 linzhecheng 提交于
we should perform these things as same as usb_host_close. Signed-off-by: Nlinzhecheng <linzhecheng@huawei.com> Message-id: 20181130064700.5984-1-linzhecheng@huawei.com [ kraxel: whitespace fixup ] Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Juergen Gross 提交于
Don't call xen_be_set_max_grant_refs() in usbback_alloc(), as the gnttabdev pointer won't be initialised yet. The call can easily be moved to usbback_connect(). Signed-off-by: NJuergen Gross <jgross@suse.com> Message-id: 20181206133923.30105-1-jgross@suse.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
- 04 12月, 2018 2 次提交
-
-
由 Gerd Hoffmann 提交于
Slash is unix directory separator, so they are not allowed in filenames. Note this also stops the classic escape via "../". Fixes: CVE-2018-16867 Reported-by: NMichael Hanselmann <public@hansmi.ch> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Message-id: 20181203101045.27976-3-kraxel@redhat.com
-
由 Gerd Hoffmann 提交于
Make utf16_to_str return an allocated string. Remove the assumtion that the number of string bytes equals the number of utf16 chars (which is only true for ascii chars). Instead call wcstombs twice, once to figure the storage size and once for the actual conversion (as suggested by the wcstombs manpage). FIXME: surrogate pairs are not working correctly. Pre-existing bug, fixing that is left for another day. Reported-by: NMichael Hanselmann <public@hansmi.ch> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Reviewed-by: NPeter Maydell <peter.maydell@linaro.org> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NMarkus Armbruster <armbru@redhat.com> Message-id: 20181203101045.27976-2-kraxel@redhat.com
-
- 27 11月, 2018 2 次提交
-
-
由 Marc-André Lureau 提交于
Because they are supposed to remain const. Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20181114132931.22624-1-marcandre.lureau@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
由 linzhecheng 提交于
If no kernel driver is active, we can already claim and perform I/O on it without detaching it. Signed-off-by: Nlinzhecheng <linzhecheng@huawei.com> Message-id: 20181120083419.17716-1-linzhecheng@huawei.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
- 29 10月, 2018 3 次提交
-
-
由 Li Qiang 提交于
Signed-off-by: NLi Qiang <liq3ea@gmail.com> Message-id: 1539946236-18028-3-git-send-email-liq3ea@gmail.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Li Qiang 提交于
Call it in device unrealize function. Signed-off-by: NLi Qiang <liq3ea@gmail.com> Message-id: 1539946236-18028-2-git-send-email-liq3ea@gmail.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Li Qiang 提交于
This can avoid setting OCHIState.num_ports to a negative num. Signed-off-by: NLi Qiang <liq3ea@gmail.com> Message-id: 1540263618-18344-1-git-send-email-liq3ea@gmail.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
- 19 10月, 2018 1 次提交
-
-
由 Markus Armbruster 提交于
From include/qapi/error.h: * Pass an existing error to the caller with the message modified: * error_propagate(errp, err); * error_prepend(errp, "Could not frobnicate '%s': ", name); Fei Li pointed out that doing error_propagate() first doesn't work well when @errp is &error_fatal or &error_abort: the error_prepend() is never reached. Since I doubt fixing the documentation will stop people from getting it wrong, introduce error_propagate_prepend(), in the hope that it lures people away from using its constituents in the wrong order. Update the instructions in error.h accordingly. Convert existing error_prepend() next to error_propagate to error_propagate_prepend(). If any of these get reached with &error_fatal or &error_abort, the error messages improve. I didn't check whether that's the case anywhere. Cc: Fei Li <fli@suse.com> Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Message-Id: <20181017082702.5581-2-armbru@redhat.com>
-
- 01 10月, 2018 4 次提交
-
-
由 Miguel GAIO 提交于
USB frame rate is slightly lower than 1kHz: ie. ~950Hz. Thus usb-audio device is not able to perform a simple audio playback without underruns on audio backend. eg. "-device pci-ohci,id=ohci -device usb-audio,bus=ohci.0" vs PulseAudio backend. more than 50 underruns are observed per second. Update ohci_sof_time computation, using QEMU_CLOCK_VIRTUAL in ohci_usb_start(), and increment by usb_frame_time in ohci_sof() makes USB frame rate close to 1kHz. This way, no audio underrun are observed during audio playback. Signed-off-by: NMiguel GAIO <mgaio35@gmail.com> Message-Id: <20180927151936.3647-1-mgaio35@gmail.com> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Gerd Hoffmann 提交于
Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Message-id: 20180912114012.6034-1-kraxel@redhat.com
-
由 Bandan Das 提交于
Stale values in this field may result in qemu expecting more data on the next operation Signed-off-by: NBandan Das <bsd@redhat.com> Message-id: 20180907220851.9658-4-bsd@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Bandan 提交于
Return STORE_FULL if we can't write all the bytes but return incomplete transfer if data received is less then what was specified in the metadata. Also, use d->offset as the file size which is valid for all file sizes. Signed-off-by: NBandan <bsd@redhat.com> Message-id: 20180907220851.9658-2-bsd@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
- 21 8月, 2018 6 次提交
-
-
由 Bandan Das 提交于
x-root was renamed as such owing to the experimental nature of the property; the underlying filesystem semantics were undecided Signed-off-by: NBandan Das <bsd@redhat.com> Message-id: 20180720214020.22897-6-bsd@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Bandan Das 提交于
To support larger file transfers, rely on a short packet to detect end of the data phase and rewrite d->length to the size received Signed-off-by: NBandan Das <bsd@redhat.com> Message-id: 20180720214020.22897-5-bsd@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Bandan Das 提交于
For large buffers, write may not copy the full buffer. For example, on Linux, write imposes a limit of 0x7ffff000. Note that this does not fix >4G transfers but ~>2G files will transfer successfully. Signed-off-by: NBandan Das <bsd@redhat.com> Message-id: 20180720214020.22897-4-bsd@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Bandan Das 提交于
usb_mtp_realloc() was being incorrectly used when allocating buffer for incoming data. Set d->length only after resizing the buffer. Signed-off-by: NBandan Das <bsd@redhat.com> Message-id: 20180720214020.22897-3-bsd@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Bandan Das 提交于
The initiator can choose to cancel an ongoing request which is specified by bRequest=0x64. If such a request arrives, free up any pending state Signed-off-by: NBandan Das <bsd@redhat.com> Message-id: 20180720214020.22897-2-bsd@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Sebastian Bauer 提交于
This is mandated by the ohci specification. It tells at 6.4.4 on page 104 that for transfer descriptors that are retired with an error the done queue interrupt counter is cleared as if the interrupt delay field of the descriptions were zero. Before this change, error conditions were handled similarly to the successful condition which is especially troublesome for control transfers. Some drivers (e.g., the AmigaOS-one) as well as the example code in the spec, set the setup stage with an interrupt delay of seven (which means no interrupt). This is fine under normal conditions, because one usually doesn't want to be notified about the completion of this stage. However, if an error occurs in this stage, these drivers will not get notified with the current implementation. The fix addresses this by following the spec more closely. Also, otherwise, the ability to set interrupt delay to seven would be useless. Note that Linux drivers that I looked at don't seem to be affected as they set six as the interrupt delay presumably for the reason that they won't get notified otherwise. Signed-off-by: NSebastian Bauer <mail@sebastianbauer.info> Message-id: 20180729191928.11254-1-mail@sebastianbauer.info Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
- 15 8月, 2018 1 次提交
-
-
由 Kevin Wolf 提交于
This reinstates commit b0083267, which was temporarily reverted for the 3.0 release so that libvirt gets some extra time to update their command lines. The -drive option serial was deprecated in QEMU 2.10. It's time to remove it. Tests need to be updated to set the serial number with -global instead of using the -drive option. Signed-off-by: NKevin Wolf <kwolf@redhat.com> Reviewed-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NJeff Cody <jcody@redhat.com>
-
- 10 7月, 2018 1 次提交
-
-
由 Cornelia Huck 提交于
This reverts commit b0083267. Hold off removing this for one more QEMU release (current libvirt release still uses it.) Signed-off-by: NCornelia Huck <cohuck@redhat.com> Signed-off-by: NKevin Wolf <kwolf@redhat.com>
-
- 03 7月, 2018 2 次提交
-
-
由 Gerd Hoffmann 提交于
Set xhci into error state instead of throwing a core dump. Signed-off-by: NGerd Hoffmann <kraxel@redhat.com> Message-id: 20180702162752.29233-1-kraxel@redhat.com
-
由 Sebastian Bauer 提交于
Fetching qtd with the NULL address most likely makes no sense so from now on, we handle it this case similarly as if the terminate (T) bit is not set, which is already an exception as according to section 3.6 of the EHCI spec there is no T bit defined for the current_qtd field. The spec is a bit vague on how an EHCI driver should initialize these fields: "The general operational model is that the host controller can detect whether the overlay area contains a description of an active transfer" (p. 49). QEMU primarily uses the QTD_TOKEN_ACTIVE bit of the queue header to infer the activity state but there are other ways conceivable. This change allows QEMU to boot further into AmigaOS. The public available version of the EHCI driver recycles queue heads in some rare conditions but only clears the current_qtd field but not the status field. This works with many available EHCI PCI cards but e.g., not with the Freescale USB controller's found on the P5040. On the emulated EHCI controller of QEMU the consequence is that some garbage was read in, which resulted in a reset of the controller. This change fixes the problem. Signed-off-by: NSebastian Bauer <mail@sebastianbauer.info> Tested-by: NBALATON Zoltan <balaton@eik.bme.hu> Message-id: 20180625222718.4488-1-mail@sebastianbauer.info Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
- 02 7月, 2018 1 次提交
-
-
由 Philippe Mathieu-Daudé 提交于
It eases code review, unit is explicit. Patch generated using: $ git grep -E '(1024|2048|4096|8192|(<<|>>).?(10|20|30))' hw/ include/hw/ and modified manually. Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20180625124238.25339-36-f4bug@amsat.org> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-
- 29 6月, 2018 1 次提交
-
-
由 Kevin Wolf 提交于
The error handling policy was traditionally set with -drive, but with -blockdev it is no longer possible to set frontend options. scsi-disk (and other block devices) have long supported qdev properties to configure the error handling policy, so let's add these options to usb-storage as well and just forward them to the internal scsi-disk instance. Signed-off-by: NKevin Wolf <kwolf@redhat.com> Reviewed-by: NMarkus Armbruster <armbru@redhat.com>
-
- 18 6月, 2018 2 次提交
-
-
由 Marc-André Lureau 提交于
The USB device don't hold the bus. There is no ASAN related reports anymore. This reverts commit cd7bc878. Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-id: 20180613172815.32738-3-marcandre.lureau@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Marc-André Lureau 提交于
The bus is not owned by the device. This reverts commit 410a096a. Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-id: 20180613172815.32738-2-marcandre.lureau@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
- 15 6月, 2018 1 次提交
-
-
由 Kevin Wolf 提交于
The -drive option serial was deprecated in QEMU 2.10. It's time to remove it. Tests need to be updated to set the serial number with -global instead of using the -drive option. Signed-off-by: NKevin Wolf <kwolf@redhat.com> Reviewed-by: NMarkus Armbruster <armbru@redhat.com> Reviewed-by: NJeff Cody <jcody@redhat.com>
-
- 13 6月, 2018 1 次提交
-
-
由 Markus Armbruster 提交于
We banned use of certain g_assert_FOO() functions outside tests, and made checkpatch.pl flag them (commit 6e938956). We neglected to purge existing uses. Do that now. Signed-off-by: NMarkus Armbruster <armbru@redhat.com> Message-Id: <20180608170231.27912-1-armbru@redhat.com> Reviewed-by: NEric Blake <eblake@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: NJohn Snow <jsnow@redhat.com>
-
- 12 6月, 2018 4 次提交
-
-
由 Bandan Das 提交于
CID 1390604 If the initiator sends a packet with TYPE_DATA set without initiating a CMD_GET_OBJECT_INFO first, then usb_mtp_get_data can trip on a null s->data_out. Signed-off-by: NBandan Das <bsd@redhat.com> Message-Id: <jpgr2m8ajfk.fsf_-_@linux.bootlegged.copy> Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Marc-André Lureau 提交于
qbus_create_inplace() creates a new reference in realize(), it must be released in unrealize(). Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Message-id: 20180531195119.22021-4-marcandre.lureau@redhat.com Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Philippe Mathieu-Daudé 提交于
This fixes: hw/usb/dev-mtp.c:971:5: warning: 4th function call argument is an uninitialized value trace_usb_mtp_op_get_partial_object(s->dev.addr, o->handle, o->path, c->argv[1], c->argv[2]); ^~~~~~~~~~ and: hw/usb/dev-mtp.c:981:12: warning: Assigned value is garbage or undefined offset = c->argv[1]; ^ ~~~~~~~~~~ Reported-by: Clang Static Analyzer Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20180604151421.23385-3-f4bug@amsat.org Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
由 Philippe Mathieu-Daudé 提交于
USB Specification Revision 2.0, §5.5.3: The Data stage of a control transfer from an endpoint to the host is complete when the endpoint does one of the following: • Has transferred exactly the amount of data specified during the Setup stage • Transfers a packet with a payload size less than wMaxPacketSize or transfers a zero-length packet" hw/usb/redirect.c:802:9: warning: Declared variable-length array (VLA) has zero size uint8_t buf[size]; ^~~~~~~~~~~ ~~~~ Reported-by: Clang Static Analyzer Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20180604151421.23385-2-f4bug@amsat.org Signed-off-by: NGerd Hoffmann <kraxel@redhat.com>
-
- 02 6月, 2018 1 次提交
-
-
由 Michael S. Tsirkin 提交于
When pulling in headers that are in the same directory as the C file (as opposed to one in include/), we should use its relative path, without a directory. Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Tested-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org>
-
- 01 6月, 2018 1 次提交
-
-
由 Philippe Mathieu-Daudé 提交于
Remove those unneeded includes to speed up the compilation process a little bit. Code change produced with: $ git grep '#include "sysemu/blockdev.h"' | \ cut -d: -f-1 | \ xargs egrep -L "(BlockInterfaceType|DriveInfo|drive_get|blk_legacy_dinfo|blockdev_mark_auto_del)" | \ xargs sed -i.bak '/#include "sysemu\/blockdev.h"/d' Signed-off-by: NPhilippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20180528232719.4721-15-f4bug@amsat.org> Acked-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
-