Age | Commit message | Author | Files | Lines
2012-07-12 | target-arm: Implement privileged-execute-never (PXN) | Peter Maydell | 3 | -12/+26
Implement the privileged-execute-never (PXN) translation table bit. It is implementation-defined whether this is implemented, so we give it its own ARM_FEATURE_ flag. LPAE requires PXN, so add also an LPAE feature flag and the implication logic, as a placeholder for actually implementing LPAE at a later date. Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2012-07-12 | ARM: Make target_phys_addr_t 64 bits and physaddrs 40 bits | Peter Maydell | 2 | -2/+2
Make target_phys_addr_t 64 bits for ARM targets, and set TARGET_PHYS_ADDR_SPACE_BITS to 40. This should have no effect for ARM boards where physical addresses really are 32 bits (except perhaps a slight performance hit on 32 bit hosts for system emulation) but allows us to implement the Large Physical Address Extensions for Cortex-A15, which mean 40 bit physical addresses. Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2012-07-12 | hw/imx_avic.c: Avoid format error when target_phys_addr_t is 64 bits | Peter Maydell | 1 | -1/+1
Add a missing cast to avoid gcc complaining about format string errors when printing an expression based on a target_phys_addr_t. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Peter Chubb <peter.chubb@nicta.com.au>
2012-07-12 | target-arm: Fix TCG temp handling in 64 bit cp writes | Peter Maydell | 1 | -0/+2
Fix errors in the TCG temp handling in the 64 bit coprocessor write path: we were reusing a 32 bit temp after it had been freed by store_reg(), and failing to free a 64 bit temp. This bug has no visible effect at this point because there aren't any non-NOP 64 bit registers yet; it needs to be fixed as a prerequisite for the 64 bit registers in LPAE support. Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2012-07-12 | target-arm: Fix some copy-and-paste errors in cp register names | Peter Maydell | 1 | -3/+3
Fix a couple of cases where cp register names were copy-and-pasted. These are harmless since we don't use the name for anything (except debugging convenience) but could be confusing. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Igor Mitsyanko <i.mitsyanko@samsung.com>
2012-07-12 | target-arm: Fix typo that meant TTBR1 accesses went to TTBR0 | Peter Maydell | 1 | -1/+1
Fix a copy-and-paste error in the register description for TTBR1 that meant it was a duplicate of TTBR0 rather than affecting the correct bit of CPU state. Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2012-07-12 | target-arm: Fix CP15 based WFI | Paul Brook | 1 | -1/+1
The coprocessor register rework broke cp15 based WFI instructions. We incorrectly fall through the normal register write case, which incorrectly adds a forced block termination. We've already done a special version of this (DISAS_WFI), so return immediately. Signed-off-by: Paul Brook <paul@codesourcery.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2012-07-09 | megasas: disable due to build breakage | Anthony Liguori | 1 | -1/+0
The Buildbot has detected a new failure on builder default_i386_rhel61 while building qemu. Full details are available at: http://buildbot.b1-systems.de/qemu/builders/default_i386_rhel61/builds/304 The proper fix is non-trivial so let's disable the build by default until it's fixed properly. Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-07-09 | Merge remote-tracking branch 'mjt/mjt-iov2' into staging | Anthony Liguori | 27 | -420/+623
* mjt/mjt-iov2:
  rewrite iov_send_recv() and move it to iov.c
  cleanup qemu_co_sendv(), qemu_co_recvv() and friends
  export iov_send_recv() and use it in iov_send() and iov_recv()
  rename qemu_sendv to iov_send, change proto and move declarations to iov.h
  change qemu_iovec_to_buf() to match other to,from_buf functions
  consolidate qemu_iovec_copy() and qemu_iovec_concat() and make them consistent
  allow qemu_iovec_from_buffer() to specify offset from which to start copying
  consolidate qemu_iovec_memset{,_skip}() into single function and use existing iov_memset()
  rewrite iov_* functions
  change iov_* function prototypes to be more appropriate
  virtio-serial-bus: use correct lengths in control_out() message
Conflicts: tests/Makefile
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
2012-07-09 | Merge remote-tracking branch 'quintela/migration-anthony-v2' into staging | Anthony Liguori | 14 | -88/+198
* quintela/migration-anthony-v2:
  Maintain the number of dirty pages
  dirty bitmap: abstract its use
  Exit loop if we have been there too long
  Only calculate expected_time for stage 2
  Only TCG needs TLB handling
  No need to iterate if we already are over the limit
  Add tracepoints for savevm section start/end
  Add spent time for migration
  Add migration_end function
  Add debugging infrastructure
  Add save_block_hdr function
  Add MigrationParams structure
  Add missing check for host_from_stream_offset return value for RAM_SAVE_FLAG_PAGE
2012-07-09 | Merge remote-tracking branch 'kiszka/queues/slirp' into staging | Anthony Liguori | 2 | -20/+72
* kiszka/queues/slirp:
  slirp: Improve error reporting of inaccessible smb directories
  slirp: Ensure smbd and shared directory exist when enable smb
  slirp: add 'cmd:' target for guestfwd
  slirp: Enforce host-side user of smb share
2012-07-09 | slirp: Improve error reporting of inaccessible smb directories | Jan Kiszka | 1 | -2/+2
Instead of guessing, print the error code returned by access. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-07-09 | slirp: Ensure smbd and shared directory exist when enable smb | Dunrong Huang | 1 | -0/+12
Users may pass the following parameters to qemu:
$ qemu-kvm -net nic -net user,smb= ...
$ qemu-kvm -net nic -net user,smb ...
$ qemu-kvm -net nic -net user,smb=bad_directory ...
In these cases, qemu started successfully while samba server failed to start. Users will be confused since samba server failed silently without any indication of what it did wrong. To avoid it, we check whether the shared directory exists and if users have permission to access this directory when QEMU's "built-in" SMB server is enabled. Signed-off-by: Dunrong Huang <riegamaths@gmail.com> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-07-09 | slirp: add 'cmd:' target for guestfwd | Alexander Graf | 2 | -18/+48
When using guestfwd=, Qemu only connects the virtual server's TCP port to a single chardev. This is useless in most cases, as we usually want to have more than a single connection from the guest to the outside world. This patch adds a new cmd: target to guestfwd= that allows for execution of a command on every TCP connection. This leverages the same code as the -smb parameter, just that here the command is user defined. Reported-by: Sascha Wilde <wilde@intevation.de> Signed-off-by: Alexander Graf <agraf@suse.de> Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-07-09 | slirp: Enforce host-side user of smb share | Jan Kiszka | 1 | -2/+12
Windows 7 (and possibly other versions) cannot connect to the samba share if the exported host directory is not world-readable. This can be resolved by forcing the username used for access checks to the one under which QEMU and smbd are running. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2012-07-09 | Merge remote-tracking branch 'kwolf/for-anthony' into staging | Anthony Liguori | 13 | -295/+426
* kwolf/for-anthony: (24 commits)
  block: Factor bdrv_read_unthrottled() out of guess_disk_lchs()
  qtest: Tidy up temporary files properly
  fdc: Drop broken code for user-defined floppy geometry
  fdc_test: introduce test_sense_interrupt
  fdc_test: update media_change test
  fdc: fix interrupt handling
  fdc: rewrite seek and DSKCHG bit handling
  block: introduce bdrv_swap, implement bdrv_append on top of it
  block: copy over job and dirty bitmap fields in bdrv_append
  raw: hook into blkdebug
  blkdebug: optionally tie errors to a specific sector
  blkdebug: store list of active rules
  blkdebug: pass getlength to underlying file
  blkdebug: tiny cleanup
  blkdebug: remove sync i/o events
  sheepdog: traverse pending_list from the first for each time
  sheepdog: split outstanding list into inflight and pending
  sheepdog: make sure we don't free aiocb before sending all requests
  sheepdog: use coroutine based socket functions in coroutine context
  sheepdog: restart I/O when socket becomes ready in do_co_req()
  ...
2012-07-09 | block: Factor bdrv_read_unthrottled() out of guess_disk_lchs() | Markus Armbruster | 2 | -7/+19
To prepare move of guess_disk_lchs() into hw/, where its poking BlockDriverState member io_limits_enabled directly would be unclean. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | qtest: Tidy up temporary files properly | Markus Armbruster | 1 | -13/+16
Each test litters /tmp with several files: a pid file and two sockets. Tidy up. Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | Merge remote-tracking branch 'kraxel/usb.55' into staging | Anthony Liguori | 6 | -41/+86
* kraxel/usb.55:
  usb-host: add trace events for iso xfers
  usb: fix interface initialization
  usb: split endpoint init and reset
  usb-redir: Correctly handle the usb_redir_babble usbredir status
  ehci: Kick async schedule on wakeup in the non companion case
  usb-ehci: Fix an assert whenever isoc transfers are used
  ehci: don't flush cache on doorbell rings.
  ehci: fix td writeback
  ehci: fix ehci_qh_do_overlay
2012-07-09 | Merge remote-tracking branch 'bonzini/scsi-next' into staging | Anthony Liguori | 13 | -37/+3872
* bonzini/scsi-next:
  scsi: Fix transfer length for READ POSITION commands.
  scsi: Add basic support for SCSI media changer commands.
  scsi: Ensure command and transfer lengths are set for all SCSI devices
  scsi: Fix LOAD_UNLOAD
  scsi: Fix data length == SCSI_SENSE_BUF_SIZE
  virtio-scsi: do not crash on adding buffers to the event queue
  megasas: LSI Megaraid SAS HBA emulation
  megasas: Add header file
  ISCSI: force use of sg for SMC and SSC devices
  ISCSI: Add SCSI passthrough via scsi-generic to libiscsi
  scsi-disk: implement READ DISC INFORMATION
  atapi: implement READ DISC INFORMATION
  scsi: add a qdev property for the disk's WWN
  scsi: simplify handling of the VPD page length field
2012-07-09 | Merge remote-tracking branch 'stefanha/trivial-patches' into staging | Anthony Liguori | 2 | -6/+0
* stefanha/trivial-patches:
  configure: Remove help for --disable-vnc-thread, --enable-vnc-thread
  cpu-common.h: Remove a pointless ifndef CONFIG_USER_ONLY
  cpu-common.h: Remove unnecessary guard on including targphys.h
2012-07-09 | fdc: Drop broken code for user-defined floppy geometry | Markus Armbruster | 2 | -37/+28
bdrv_get_floppy_geometry_hint() fails to store through its parameter drive when bs has a geometry hint. Makes fd_revalidate() assign random crap to drv->drive. Has been broken that way for ages. Harmless, because:
* The only way to set a geometry hint is -drive if=none,cyls=... Since commit c219331e, probably unintentional.
* The only use of drv->drive is as argument to another bdrv_get_floppy_geometry_hint(). Which doesn't use it, since the geometry hint is still there.
Drop the broken code, ignore -drive parameter cyls, heads and secs for floppies even with if=none, just like before commit c219331e. Matches -help, which explains cyls, heads, secs as "hard disk physical geometry". Signed-off-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | fdc_test: introduce test_sense_interrupt | Pavel Hrdina | 1 | -1/+24
Calling sense interrupt status while there is no interrupt should return invalid command (0x80). Read command should always return in st0 seek_end bit set to 1. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | fdc_test: update media_change test | Pavel Hrdina | 1 | -8/+17
After the rewrite of DSKCHG bit handling the test has to be updated. Now it is needed to seek to a different track to clear the DSKCHG bit. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | fdc: fix interrupt handling | Pavel Hrdina | 1 | -13/+21
If you call the SENSE INTERRUPT STATUS command while there is no interrupt waiting you get as result unknown command. Fixed status0 register handling for read/write/format commands. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | fdc: rewrite seek and DSKCHG bit handling | Pavel Hrdina | 1 | -38/+41
This bit is cleared on every successful seek to a different track (cylinder). The seek is also called on revalidate or on read/write/format commands which also clear the DSKCHG bit. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | block: introduce bdrv_swap, implement bdrv_append on top of it | Paolo Bonzini | 2 | -85/+100
The new function can be made a bit nicer than bdrv_append. It swaps the whole contents, and then swaps back (using the usual t=a;a=b;b=t idiom) the fields that need to stay on top. Thus, it does not need explicit bdrv_detach_dev, bdrv_iostatus_disable, etc. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | block: copy over job and dirty bitmap fields in bdrv_append | Paolo Bonzini | 1 | -0/+15
While these should not be in use at the time a transaction is started, a command in the prepare phase of a transaction might have added them, so they need to be brought over. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | raw: hook into blkdebug | Paolo Bonzini | 1 | -0/+2
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | blkdebug: optionally tie errors to a specific sector | Paolo Bonzini | 1 | -2/+24
This makes blkdebug scripts more powerful, and independent of the exact sequence of operations performed by streaming. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | blkdebug: store list of active rules | Paolo Bonzini | 1 | -38/+31
This prepares for the next patch, where some active rules may actually not trigger depending on input to readv/writev. Store the active rules in a SIMPLEQ (so that it can be emptied easily with QSIMPLEQ_INIT), and fetch the errno/once/immediately arguments from there. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | blkdebug: pass getlength to underlying file | Paolo Bonzini | 1 | -0/+6
This is required when using blkdebug with raw format. Unlike qcow2/QED, raw asks blkdebug for the length of the file, it doesn't get it from a header. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | blkdebug: tiny cleanup | Paolo Bonzini | 1 | -6/+2
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | blkdebug: remove sync i/o events | Paolo Bonzini | 3 | -5/+1
These are unused, except (by mistake more or less) in QED. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | sheepdog: traverse pending_list from the first for each time | MORITA Kazutaka | 1 | -6/+16
The pending list can be modified in other coroutine context sd_co_rw_vector, so we need to traverse the list from the first again after we send the pending request. Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | sheepdog: split outstanding list into inflight and pending | MORITA Kazutaka | 1 | -25/+24
outstanding_list_head is used for both pending and inflight requests. This patch splits it and improves readability. Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | sheepdog: make sure we don't free aiocb before sending all requests | MORITA Kazutaka | 1 | -13/+16
This patch increments the pending counter before sending requests, and makes sure that aiocb is not freed while sending them. Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | sheepdog: use coroutine based socket functions in coroutine context | MORITA Kazutaka | 1 | -2/+8
This removes blocking network I/Os in coroutine context. Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | sheepdog: restart I/O when socket becomes ready in do_co_req() | MORITA Kazutaka | 1 | -0/+14
Currently, no one reenters the yielded coroutine. This fixes it. Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | sheepdog: fix dprintf format strings | MORITA Kazutaka | 1 | -4/+4
This fixes warnings about dprintf format in debug mode. Signed-off-by: MORITA Kazutaka <morita.kazutaka@lab.ntt.co.jp> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | blockdev: warn when copy_on_read=on and readonly=on | Stefan Hajnoczi | 1 | -0/+4
If the image is read-only then it's not possible to copy read data into it. Therefore copy-on-read is automatically disabled for read-only images. Up until now this behavior was silent, add a warning so the user knows why copy-on-read is not working. Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | qcow2: preserve free_byte_offset when qcow2_alloc_bytes() fails | Stefan Hajnoczi | 1 | -3/+4
When qcow2_alloc_clusters() error handling code was introduced in commit 5d757b563d59142ca81e1073a8e8396750a0ad1a, the value of free_byte_offset was clobbered in the error case. This patch keeps free_byte_offset at 0 so we will try to allocate clusters again next time this function is called. Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | qcow2: fix #ifdef'd qcow2_check_refcounts() callers | Stefan Hajnoczi | 2 | -4/+4
The DEBUG_ALLOC qcow2.h macro enables additional consistency checks throughout the code. This makes it easier to spot corruptions that are introduced during development. Since consistency check is an expensive operation the DEBUG_ALLOC macro is used to compile checks out in normal builds and qcow2_check_refcounts() calls missed the addition of a new function argument. Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2012-07-09 | usb-host: add trace events for iso xfers | Gerd Hoffmann | 2 | -6/+10
Replace iso transfer fprintf's with trace points. Also rename existing tracepoints so they all match usb_host_iso_*. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-07-09 | usb: fix interface initialization | Gerd Hoffmann | 2 | -2/+4
zero is a valid interface number, so don't use it when resetting the endpoints. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-07-09 | usb: split endpoint init and reset | Gerd Hoffmann | 3 | -4/+15
Create a new usb_ep_reset() function to reset endpoint state, without re-initializing the queues, so we don't unlink in-flight packets just because usb-host has to re-parse the descriptor tables. Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-07-09 | usb-redir: Correctly handle the usb_redir_babble usbredir status | Hans de Goede | 1 | -0/+2
Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-07-09 | ehci: Kick async schedule on wakeup in the non companion case | Hans de Goede | 1 | -2/+3
Commit 0f588df8b3688b00e77aabaa32e26ece5f19bd39, added code to ehci_wakeup to kick the async schedule on wakeup, but the else was positioned wrong making it trigger for devices which are routed to the companion rather than to the ehci controller itself. This patch fixes this. Note that the "programming style" with using the return at the end of the companion block matches how the companion case is handled in the other ports ops, and is done this way for consistency. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-07-09 | usb-ehci: Fix an assert whenever isoc transfers are used | Hans de Goede | 1 | -0/+1
hcd-ehci.c is missing a usb_packet_init() call for the ipacket UsbPacket it uses for isoc transfers, triggering an assert (taking the entire vm down) in usb_packet_setup as soon as any isoc transfers are done by a high speed USB device. Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2012-07-09 | ehci: don't flush cache on doorbell rings. | Gerd Hoffmann | 1 | -6/+29
Commit 4be23939ab0d7019c7e59a37485b416fbbf0f073 makes ehci instantly zap any unlinked queue heads when the guest rings the doorbell. While hacking up uas support this turned out to be a problem. The linux kernel can unlink and instantly relink the very same queue head, thereby killing any async packets in flight. That alone isn't an issue yet, the packet will be canceled and resubmitted and everything is fine. We'll run into trouble though in case the async packet is completed already, so we can't cancel it any more. The transaction is simply lost then.

usb_ehci_qh_ptrs q (nil) - QH @ 39c4f000: next 39c4f122 qtds 00000000,00000001,39c50000
usb_ehci_qh_fields QH @ 39c4f000 - rl 0, mplen 0, eps 0, ep 0, dev 0
usb_ehci_qh_ptrs q 0x7f95feba90a0 - QH @ 39c4f000: next 39c4f122 qtds 00000000,00000001,39c50000
usb_ehci_qh_fields QH @ 39c4f000 - rl 0, mplen 0, eps 0, ep 0, dev 0
usb_ehci_qh_ptrs q 0x7f95fe515210 - QH @ 39c4f120: next 39c4f0c2 qtds 29dbce40,29dbc4e0,00000009
usb_ehci_qh_fields QH @ 39c4f120 - rl 4, mplen 512, eps 2, ep 1, dev 2
usb_ehci_packet_action q 0x7f95fe515210 p 0x7f95fdec32a0: alloc
usb_packet_state_change bus 0, port 2, ep 1, packet 0x7f95fdec32e0, state undef -> setup
usb_ehci_packet_action q 0x7f95fe515210 p 0x7f95fdec32a0: process
usb_uas_command dev 2, tag 0x2, lun 0, lun64 00000000-00000000
scsi_req_parsed target 0 lun 0 tag 2 command 42 dir 2 length 16384
scsi_req_parsed_lba target 0 lun 0 tag 2 command 42 lba 5933312
scsi_req_alloc target 0 lun 0 tag 2
scsi_req_continue target 0 lun 0 tag 2
scsi_req_data target 0 lun 0 tag 2 len 16384
usb_uas_scsi_data dev 2, tag 0x2, bytes 16384
usb_uas_write_ready dev 2, tag 0x2
usb_packet_state_change bus 0, port 2, ep 1, packet 0x7f95fdec32e0, state setup -> complete
usb_ehci_packet_action q 0x7f95fe515210 p 0x7f95fdec32a0: free
usb_ehci_qh_ptrs q 0x7f95fdec3210 - QH @ 39c4f0c0: next 39c4f002 qtds 29dbce40,00000001,00000009
usb_ehci_qh_fields QH @ 39c4f0c0 - rl 4, mplen 512, eps 2, ep 2, dev 2
usb_ehci_queue_action q 0x7f95fe5152a0: free
usb_packet_state_change bus 0, port 2, ep 2, packet 0x7f95feba9170, state async -> complete
^^^ async packets completes.
usb_ehci_packet_action q 0x7f95fdec3210 p 0x7f95feba9130: wakeup
usb_ehci_qh_ptrs q (nil) - QH @ 39c4f000: next 39c4f122 qtds 00000000,00000001,39c50000
usb_ehci_qh_fields QH @ 39c4f000 - rl 0, mplen 0, eps 0, ep 0, dev 0
usb_ehci_qh_ptrs q 0x7f95feba90a0 - QH @ 39c4f000: next 39c4f122 qtds 00000000,00000001,39c50000
usb_ehci_qh_fields QH @ 39c4f000 - rl 0, mplen 0, eps 0, ep 0, dev 0
usb_ehci_qh_ptrs q 0x7f95fe515210 - QH @ 39c4f120: next 39c4f002 qtds 29dbc4e0,29dbc8a0,00000009
usb_ehci_qh_fields QH @ 39c4f120 - rl 4, mplen 512, eps 2, ep 1, dev 2
usb_ehci_queue_action q 0x7f95fdec3210: free
usb_ehci_packet_action q 0x7f95fdec3210 p 0x7f95feba9130: free
^^^ endpoint #2 queue head removed from schedule, doorbell makes ehci zap the queue, the (completed) usb packet is freed too and gets lost.
usb_ehci_qh_ptrs q (nil) - QH @ 39c4f000: next 39c4f0c2 qtds 00000000,00000001,39c50000
usb_ehci_qh_fields QH @ 39c4f000 - rl 0, mplen 0, eps 0, ep 0, dev 0
usb_ehci_qh_ptrs q 0x7f95feba90a0 - QH @ 39c4f000: next 39c4f0c2 qtds 00000000,00000001,39c50000
usb_ehci_qh_fields QH @ 39c4f000 - rl 0, mplen 0, eps 0, ep 0, dev 0
usb_ehci_queue_action q 0x7f9600dff570: alloc
usb_ehci_qh_ptrs q 0x7f9600dff570 - QH @ 39c4f0c0: next 39c4f122 qtds 29dbce40,00000001,00000009
usb_ehci_qh_fields QH @ 39c4f0c0 - rl 4, mplen 512, eps 2, ep 2, dev 2
usb_ehci_packet_action q 0x7f9600dff570 p 0x7f95feba9130: alloc
usb_packet_state_change bus 0, port 2, ep 2, packet 0x7f95feba9170, state undef -> setup
usb_ehci_packet_action q 0x7f9600dff570 p 0x7f95feba9130: process
usb_packet_state_change bus 0, port 2, ep 2, packet 0x7f95feba9170, state setup -> async
usb_ehci_packet_action q 0x7f9600dff570 p 0x7f95feba9130: async
^^^ linux kernel relinked the queue head, ehci creates a new usb packet, but we should have delivered the completed one instead.
usb_ehci_qh_ptrs q 0x7f95fe515210 - QH @ 39c4f120: next 39c4f002 qtds 29dbc4e0,29dbc8a0,00000009
usb_ehci_qh_fields QH @ 39c4f120 - rl 4, mplen 512, eps 2, ep 1, dev 2

So instead of instantly zapping the queue we'll set a flag that the queue needs revalidation in case we'll see it again in the schedule. ehci then checks that the queue head fields addressing / describing the endpoint and the qtd pointer match the cached content before reusing it.
Cc: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>