summaryrefslogtreecommitdiffstats
path: root/hw/usb
Commit message (Collapse)AuthorAgeFilesLines
* usb: check USB configuration descriptor objectPrasad J Pandit2016-03-221-1/+2
| | | | | | | | | | | | | | When processing remote NDIS control message packets, the USB Net device emulator checks to see if the USB configuration descriptor object is of RNDIS type(2). But it does not check if it is null, which leads to a null dereference error. Add check to avoid it. Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 80eecda8e5d09c442c24307f340840a5b70ea3b9) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
* usb: check RNDIS message lengthPrasad J Pandit2016-03-221-9/+9
| | | | | | | | | | | | When processing remote NDIS control message packets, the USB Net device emulator uses a fixed length(4096) data buffer. The incoming packet length could exceed this limit. Add a check to avoid it. Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 1455648821-17340-2-git-send-email-ppandit@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 64c9bc181fc78275596649f591302d72df2d3071) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
* usb: check RNDIS buffer offsets & lengthPrasad J Pandit2016-03-221-3/+6
| | | | | | | | | | | | | | | When processing remote NDIS control message packets, the USB Net device emulator uses a fixed length(4096) data buffer. The incoming informationBufferOffset & Length combination could overflow and cross that range. Check control message buffer offsets and length to avoid it. Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit fe3c546c5ff2a6210f9a4d8561cc64051ca8603e) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
* usb: check page select value while processing iTDPrasad J Pandit2016-03-221-4/+6
| | | | | | | | | | | | | While processing isochronous transfer descriptors(iTD), the page select(PG) field value could lead to an OOB read access. Add check to avoid it. Reported-by: Qinghao Tang <luodalongde@gmail.com> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Message-id: 1453233406-12165-1-git-send-email-ppandit@redhat.com Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 49d925ce50383a286278143c05511d30ec41a36e) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
* ehci: update irq on resetGerd Hoffmann2016-03-171-0/+1
| | | | | | | | | | | | | | | | After clearing the status register we also have to update the irq line status. Otherwise a irq which happends to be pending at reset time causes a interrupt storm. And the guest can't stop as the status register doesn't indicate any pending interrupt. Both NetBSD and FreeBSD hang on shutdown because of that. Cc: qemu-stable@nongnu.org Reported-by: Andrey Korolyov <andrey@xdel.ru> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1453203884-4125-1-git-send-email-kraxel@redhat.com (cherry picked from commit 5a8660741a8aa19fbf8a5e8a2b3aac88664f4e66) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
* ehci: make idt processing more robustGerd Hoffmann2016-03-151-2/+3
| | | | | | | | | | | | | | | | Make ehci_process_itd return an error in case we didn't do any actual iso transfer because we've found no active transaction. That'll avoid ehci happily run in circles forever if the guest builds a loop out of idts. This is CVE-2015-8558. Cc: qemu-stable@nongnu.org Reported-by: Qinghao Tang <luodalongde@gmail.com> Tested-by: P J P <ppandit@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> (cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
* usb: Use g_new() & friends where that makes obvious senseMarkus Armbruster2015-11-064-8/+7
| | | | | | | | | | | | | | | g_new(T, n) is neater than g_malloc(sizeof(T) * n). It's also safer, for two reasons. One, it catches multiplication overflowing size_t. Two, it returns T * rather than void *, which lets the compiler catch more type errors. This commit only touches allocations with size arguments of the form sizeof(T). Same Coccinelle semantic patch as in commit b45c03f. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* usb-host: fix usb3ep0quirk testGerd Hoffmann2015-11-031-1/+1
| | | | | | | | | | | | | usb->speed is the usb speed the device is actually running on in the qemu emulation (i.e. from the guests point of view). So when plugging usb3 devices into ehci hostadapter this is HIGH not SUPER. To figure whenever the host talks to the device with superspeed we have to check speedmask instead and see whenever the superspeed bit is set there. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Message-id: 1445603230-11840-1-git-send-email-kraxel@redhat.com
* ehci: clear suspend bit on detachGerd Hoffmann2015-11-031-1/+1
| | | | | | | | | | | | | | | | | | When a device is detached, clear the suspend bit (PORTSC_SUSPEND) in the port status register. The specs are not *that* clear what is supposed to happen in case a suspended device is unplugged. But the enable bit (PORTSC_PED) is cleared, and the specs mention setting suspend with enable being unset is undefined behavior. So clearing them both looks reasonable, and it actually fixes the reported bug. https://bugzilla.redhat.com/show_bug.cgi?id=1268879 Cc: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Hans de Goede <hdegoede@redhat.com> Message-id: 1445413462-18004-1-git-send-email-kraxel@redhat.com
* hw/usb-storage: Check whether BB is insertedMax Reitz2015-10-231-14/+16
| | | | | | | | | | Only call bdrv_add_key() on the BlockDriverState if it is not NULL. Signed-off-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Kevin Wolf <kwolf@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
* usb-audio: increate default buffer sizeGerd Hoffmann2015-10-201-1/+1
| | | | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* usb: print device id in "info usb" monitor commandGerd Hoffmann2015-10-201-3/+6
| | | | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* usb-host: add wakeup call for iso xfersGerd Hoffmann2015-10-201-0/+1
| | | | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* libcacard: use the standalone projectMarc-André Lureau2015-09-232-4/+3
| | | | | | | | | | | | libcacard is now a standalone project hosted with the Spice project (see the 2.5.0 release announcement), remove it from qemu tree. Use the library if found during configure or if --enable-smartcard. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Michael Tokarev <mjt@tls.msk.ru> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Tested-by: Paolo Bonzini <pbonzini@redhat.com>
* maint: avoid useless "if (foo) free(foo)" patternMarkus Armbruster2015-09-111-4/+2
| | | | | | | | | | | | | | | | My Coccinelle semantic patch finds a few more, because it also fixes up the equally pointless conditional if (foo) { free(foo); foo = NULL; } Result (feel free to squash it into your patch): Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* maint: avoid useless "if (foo) free(foo)" patternDaniel P. Berrange2015-09-111-3/+1
| | | | | | | | | | | | The free() and g_free() functions both happily accept NULL on any platform QEMU builds on. As such putting a conditional 'if (foo)' check before calls to 'free(foo)' merely serves to bloat the lines of code. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* maint: remove unused include for signal.hDaniel P. Berrange2015-09-111-1/+0
| | | | | | | | | A number of files were including signal.h but not using any of the functions it provides Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* maint: remove unused include for dirent.hDaniel P. Berrange2015-09-111-1/+0
| | | | | | | | | A number of files were including dirent.h but not using any of the functions it provides Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* maint: remove / fix many doubled wordsDaniel P. Berrange2015-09-111-1/+1
| | | | | | | | | | | | Many source files have doubled words (eg "the the", "to to", and so on). Most of these can simply be removed, but a couple were actual mis-spellings (eg "to to" instead of "to do"). There was even one triple word score "to to to" :-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* usbnet: Drop usbnet_can_receiveFam Zheng2015-07-271-16/+4
| | | | | | | | | | | | | | | | usbnet_receive already drops packet if rndis_state is not RNDIS_DATA_INITIALIZED, and queues packet if in buffer is not available. The only difference is s->dev.config but that is similar to rndis_state. Drop usbnet_can_receive and move these checks to usbnet_receive, so that we don't need to explicitly flush the queue when s->dev.config changes value. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Jason Wang <jasowang@redhat.com> Message-id: 1436955553-22791-5-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* timer: rename NSEC_PER_SEC due to Mac OS X header clashStefan Hajnoczi2015-07-201-1/+1
| | | | | | | | | | | | | | | Commit e0cf11f31c24cfb17f44ed46c254d84c78e7f6e9 ("timer: Use a single definition of NSEC_PER_SEC for the whole codebase") renamed NANOSECONDS_PER_SECOND to NSEC_PER_SEC. On Mac OS X there is a <dispatch/time.h> system header which also defines NSEC_PER_SEC. This causes compiler warnings. Let's use the old name instead. It's longer but it doesn't clash. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 1436364609-7929-1-git-send-email-stefanha@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* Revert "xhci: set timer to retry xfers"Gerd Hoffmann2015-07-171-2/+0
| | | | | | | | | This reverts commit 4e8cfbe1143d8384387595b500212d7a7f11aeae. We should not poll via timer, and with ccid being fixed to properly notify us about pending transfers we don't have to. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* usb-ccid: add missing wakeup callsGerd Hoffmann2015-07-171-0/+5
| | | | | | | Properly notify the host adapter that we have data pending, so it doesn't has to poll us. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* usb-ccid: fix 61b4887b41b270bc837ead57bc502d904af023bbGerd Hoffmann2015-07-171-8/+8
| | | | | | QOMification dropped the parent device lookup, fix it. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* Re-attach usb device to kernel while usb_host_open failsLin Ma2015-07-161-0/+3
| | | | | | Signed-off-by: Lin Ma <lma@suse.com> Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* timer: Use a single definition of NSEC_PER_SEC for the whole codebaseAlberto Garcia2015-07-021-1/+1
| | | | | | Signed-off-by: Alberto Garcia <berto@igalia.com> Message-id: c6e55468856ba0b8f95913c4da111cc0ef266541.1434113783.git.berto@igalia.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* Include monitor/monitor.h exactly where neededMarkus Armbruster2015-06-226-6/+0
| | | | | | | | | In particular, don't include it into headers. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
* Include qapi/qmp/qerror.h exactly where neededMarkus Armbruster2015-06-221-0/+1
| | | | | | | | | In particular, don't include it into headers. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
* qerror: Move #include out of qerror.hMarkus Armbruster2015-06-226-0/+6
| | | | | | | Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
* qerror: Clean up QERR_ macros to expand into a single stringMarkus Armbruster2015-06-221-3/+3
| | | | | | | | | | | | | | | | | | | | | These macros expand into error class enumeration constant, comma, string. Unclean. Has been that way since commit 13f59ae. The error class is always ERROR_CLASS_GENERIC_ERROR since the previous commit. Clean up as follows: * Prepend every use of a QERR_ macro by ERROR_CLASS_GENERIC_ERROR, and delete it from the QERR_ macro. No change after preprocessing. * Rewrite error_set(ERROR_CLASS_GENERIC_ERROR, ...) into error_setg(...). Again, no change after preprocessing. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
* QemuOpts: Wean off qerror_report_err()Markus Armbruster2015-06-221-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | qerror_report_err() is a transitional interface to help with converting existing monitor commands to QMP. It should not be used elsewhere. The only remaining user in qemu-option.c is qemu_opts_parse(). Is it used in QMP context? If not, we can simply replace qerror_report_err() by error_report_err(). The uses in qemu-img.c, qemu-io.c, qemu-nbd.c and under tests/ are clearly not in QMP context. The uses in vl.c aren't either, because the only QMP command handlers there are qmp_query_status() and qmp_query_machines(), and they don't call it. Remaining uses: * drive_def(): Command line -drive and such, HMP drive_add and pci_add * hmp_chardev_add(): HMP chardev-add * monitor_parse_command(): HMP core * tmp_config_parse(): Command line -tpmdev * net_host_device_add(): HMP host_net_add * net_client_parse(): Command line -net and -netdev * qemu_global_option(): Command line -global * vnc_parse_func(): Command line -display, -vnc, default display, HMP change, QMP change. Bummer. * qemu_pci_hot_add_nic(): HMP pci_add * usb_net_init(): Command line -usbdevice, HMP usb_add Propagate errors through qemu_opts_parse(). Create a convenience function qemu_opts_parse_noisily() that passes errors to error_report_err(). Switch all non-QMP users outside tests to it. That leaves vnc_parse_func(). Propagate errors through it. Since I'm touching it anyway, rename it to vnc_parse(). Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Luiz Capitulino <lcapitulino@redhat.com>
* migration: Use normal VMStateDescriptions for SubsectionsJuan Quintela2015-06-122-26/+19
| | | | | | | | | | | | | | | | We create optional sections with this patch. But we already have optional subsections. Instead of having two mechanism that do the same, we can just generalize it. For subsections we just change: - Add a needed function to VMStateDescription - Remove VMStateSubsection (after removal of the needed function it is just a VMStateDescription) - Adjust the whole tree, moving the needed function to the corresponding VMStateDescription Signed-off-by: Juan Quintela <quintela@redhat.com>
* Merge remote-tracking branch ↵Peter Maydell2015-05-111-1/+0
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 'remotes/mjt/tags/pull-trivial-patches-2015-05-09' into staging trivial patches for 2015-05-09 # gpg: Signature made Fri May 8 22:58:42 2015 BST using RSA key ID A4C3D7DB # gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>" # gpg: aka "Michael Tokarev <mjt@corpit.ru>" # gpg: aka "Michael Tokarev <mjt@debian.org>" * remotes/mjt/tags/pull-trivial-patches-2015-05-09: docs: update BLOCK_IMAGE_CORRUPTED documentation glib-compat.h: change assert to g_assert Remove various unused functions sheepdog: fix resource leak with sd_snapshot_create xhci: remove unused code Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
| * xhci: remove unused codeGonglei2015-05-081-1/+0
| | | | | | | | | | | | | | | | | | Value from xfer->packet.ep is assigned to ep here, but that stored value is not used before it is overwritten. Remove it. Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
* | uhci: controller is halted after resetGerd Hoffmann2015-05-081-1/+1
| | | | | | | | | | | | | | | | ... and the status register should say so. Fixes "usbus0: controller did not stop" error printed by freebsd. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | usb: usb-serial QOMifyGonglei2015-05-081-16/+27
| | | | | | | | | | Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | usb: usb-redir QOMifyGonglei2015-05-081-11/+14
| | | | | | | | | | Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | usb: usb-wacom-tablet QOMifyGonglei2015-05-081-3/+6
| | | | | | | | | | Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | usb: usb-uas QOMifyGonglei2015-05-081-6/+9
| | | | | | | | | | Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | usb: usb-storage QOMifyGonglei2015-05-081-12/+20
| | | | | | | | | | Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | usb: usb-ccid QOMifyGonglei2015-05-081-22/+28
| | | | | | | | | | Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | usb: usb-net QOMifyGonglei2015-05-081-4/+7
| | | | | | | | | | Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | usb-mtp: fix segmentation faultGonglei2015-05-081-0/+4
| | | | | | | | | | | | | | | | | | When x-root property not be configured, will cause segfault because of null pointer accessing. Add a check for s->root property avoid segfault. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | usb: usb-mtp QOMifyGonglei2015-05-081-4/+7
| | | | | | | | | | Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | usb: usb-hub QOMifyGonglei2015-05-081-4/+7
| | | | | | | | | | Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | usb: usb-hid QOMifyGonglei2015-05-081-14/+20
| | | | | | | | | | Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | usb: usb-bt QOMifyGonglei2015-05-081-5/+8
| | | | | | | | | | Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | usb: usb-audio QOMifyGonglei2015-05-081-10/+13
| | | | | | | | | | Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | uhci: QOMifyGonglei2015-05-081-12/+31
| | | | | | | | | | | | Cc: Gerd Hoffmann <kraxel@redhat.com> Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
* | xhci: fix events for setup trb.Gerd Hoffmann2015-05-081-0/+8
| | | | | | | | | | | | | | | | When we find a IOC bit set on a setup trb and therefore queue an event, that should not stop events being generated for following data trbs. So clear the 'reported' flag. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
OpenPOWER on IntegriCloud