path: root/hw/usb
Age  Commit message  Author  Files  Lines
2023-02-27  hw/usb/xhci-nec: Replace container_of() by NEC_XHCI() QOM cast macro  Philippe Mathieu-Daudé  1 file, -1/+1
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230220150515.32549-8-philmd@linaro.org>
2023-02-27  hw/usb/xhci-nec: Declare QOM macros for NEC_XHCI  Philippe Mathieu-Daudé  1 file, -2/+4
NEC_XHCI is a QOM object type. Declare its macros / typedefs using OBJECT_DECLARE_SIMPLE_TYPE().
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230220150515.32549-7-philmd@linaro.org>
2023-02-27  hw/usb/uhci: Replace container_of() by UHCI_GET_CLASS() QOM macro  Philippe Mathieu-Daudé  1 file, -3/+2
By using the QOM UHCI_GET_CLASS() cast macro we don't need to use the intermediate PCIDeviceClass variable.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230220150515.32549-6-philmd@linaro.org>
2023-02-27  hw/usb/uhci: Declare QOM macros using OBJECT_DECLARE_TYPE()  Philippe Mathieu-Daudé  2 files, -3/+1
The automatic conversion done during commit a489d1951c ("Use OBJECT_DECLARE_TYPE when possible") missed this model because the typedefs are in a different file unit (hcd-uhci.c) than where the DECLARE_INSTANCE_CHECKER() is (hcd-uhci.h). Manually convert to OBJECT_DECLARE_TYPE().
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230220150515.32549-5-philmd@linaro.org>
2023-02-27  hw/usb/ohci: Fix typo  Philippe Mathieu-Daudé  1 file, -6/+6
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <03599fd4db313ac4f651cceb43340109ad6a14b8.1676916640.git.balaton@eik.bme.hu>
2023-02-27  hw/usb/ohci: Add trace points for register access  BALATON Zoltan  2 files, -0/+31
To help debugging, add trace points that print values read from or written to the device's registers.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Message-Id: <1bb4985e5dfc1df5a290e77f76fd827ae3592ab7.1676916640.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2023-02-27  hw/usb/ohci: Move a function next to where it is used  BALATON Zoltan  1 file, -30/+30
The ohci_port_set_if_connected() function is only used by ohci_port_set_status(); move it next to it to have them in the same place.
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <46411d4980ab0fba61ab0d2209a939fdc41eb573.1676916640.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2023-02-27  hw/usb/ohci: Code style fix missing braces and extra parenthesis  BALATON Zoltan  1 file, -46/+60
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <aaa3ddee99c7677d6cc137f637982e94267b99b6.1676916640.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2023-02-27  hw/usb/ohci: Code style fix white space errors  BALATON Zoltan  1 file, -81/+79
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <c9b99b3555dcd03194a8950b810f5e1b4b4bd5d3.1676916640.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2023-02-27  hw/usb/ohci: Code style fix comments  BALATON Zoltan  1 file, -50/+49
Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <9b0aadedc7c4780fefdc27f14f72ac9003032fbf.1676916639.git.balaton@eik.bme.hu>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2023-02-27  hw/usb/ohci: Use OHCIState type definition  Philippe Mathieu-Daudé  2 files, -5/+7
Forward-define the type first, then use it for the ohci_die() handler.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230220150515.32549-3-philmd@linaro.org>
2023-02-27  hw/usb/ohci: Include missing 'sysbus.h' header  Philippe Mathieu-Daudé  1 file, -0/+1
Avoid when including "hw/usb/hcd-ohci.h":
```
hw/usb/hcd-ohci.h:100:5: error: unknown type name 'SysBusDevice'
    SysBusDevice parent_obj;
    ^
```
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20230203113650.78146-6-philmd@linaro.org>
2023-02-27  hw/usb/u2f: Declare QOM macros using OBJECT_DECLARE_TYPE()  Philippe Mathieu-Daudé  1 file, -11/+5
hw/usb/u2f.h was added by commit 80e267f1d1 ("hw/usb: Add U2F key base class"), almost at the same time as the automatic conversion done by commit c821774a3b ("Use OBJECT_DECLARE_TYPE where posible"). Manually convert to OBJECT_DECLARE_TYPE().
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230220150515.32549-9-philmd@linaro.org>
2023-02-27  hw/usb/dev-smartcard-reader: Avoid forward-declaring CCIDBus  Philippe Mathieu-Daudé  1 file, -4/+3
To avoid forward-declaring CCIDBus, declare the CCID_BUS QOM definitions before their use in the USBCCIDState structure.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230220150515.32549-2-philmd@linaro.org>
2023-02-08  Don't include headers already included by qemu/osdep.h  Markus Armbruster  2 files, -2/+0
This commit was created with scripts/clean-includes.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20230202133830.2152150-19-armbru@redhat.com>
2023-01-16  ccid-card-emulated: fix cast warning/error  Marc-André Lureau  1 file, -1/+1
```
../hw/usb/ccid-card-emulated.c: In function 'handle_apdu_thread':
../hw/usb/ccid-card-emulated.c:251:24: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
  251 |         assert((unsigned long)event > 1000);
```
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230103110814.3726795-2-marcandre.lureau@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2023-01-16  hw/usb: Mark the XLNX_VERSAL-related files as target-independent  Thomas Huth  1 file, -2/+2
Seems like there is nothing target-specific in here, so these files can be moved to softmmu_ss to avoid that they get compiled twice (once for qemu-system-arm and once for qemu-system-aarch64).
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230112134928.1026006-8-thuth@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2023-01-13  hw/usb/hcd-uhci: Introduce TYPE_ defines for device models  Bernhard Beschow  2 files, -8/+12
Suggested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20221204190553.3274-7-shentey@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2023-01-08  include/hw/pci: Split pci_device.h off pci.h  Markus Armbruster  4 files, -3/+4
PCIDeviceClass and PCIDevice are defined in pci.h. Many users of the header don't actually need them. Similar structs live in their own headers: PCIBusClass and PCIBus in pci_bus.h, PCIBridge in pci_bridge.h, PCIHostBridgeClass and PCIHostState in pci_host.h, PCIExpressHost in pcie_host.h, and PCIERootPortClass, PCIEPort, and PCIESlot in pcie_port.h. Move PCIDeviceClass and PCIDeviceClass to new pci_device.h, along with the code that needs them. Adjust include directives. This also enables the next commit.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20221222100330.380143-6-armbru@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2023-01-08  include/hw/pci: Break inclusion loop pci_bridge.h and cxl.h  Markus Armbruster  1 file, -1/+0
hw/pci/pci_bridge.h and hw/cxl/cxl.h include each other. Fortunately, breaking the loop is merely a matter of deleting unnecessary includes from headers, and adding them back in places where they are now missing.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20221222100330.380143-2-armbru@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2022-12-16  Replace use of qdev_reset_all() with device_cold_reset()  Peter Maydell  1 file, -1/+1
The legacy function qdev_reset_all() performs a recursive reset, starting from a qdev. However, it does not permit any of the devices in the tree to use three-phase reset, because device reset goes through the device_legacy_reset() function that only calls the single DeviceClass::reset method. Switch to using the device_cold_reset() function instead. This also performs a recursive reset, where first the children are reset and then finally the parent, but it uses the new (...in 2020...) Resettable mechanism, which supports both the old style single-reset method and also the new 3-phase reset handling. This commit changes the five remaining uses of this function. Commit created with:
```
sed -i -e 's/qdev_reset_all/device_cold_reset/g' hw/i386/xen/xen_platform.c hw/input/adb.c hw/remote/vfio-user-obj.c hw/s390x/s390-virtio-ccw.c hw/usb/dev-uas.c
```
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2022-11-23  hw/usb/hcd-xhci: Reset the XHCIState with device_cold_reset()  Peter Maydell  2 files, -2/+2
Currently the hcd-xhci-pci and hcd-xhci-sysbus devices are mostly wrappers around the TYPE_XHCI device, which is a direct subclass of TYPE_DEVICE. Since TYPE_DEVICE devices are not on any qbus and do not get automatically reset, the wrapper devices both reset the TYPE_XHCI device in their own reset functions. However, they do this using device_legacy_reset(), which will reset the device itself but not any bus it has. Switch to device_cold_reset(), which avoids using a deprecated function and also propagates reset along any child buses.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20221014145423.2102706-1-peter.maydell@linaro.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-11-23  hw/usb/hcd-xhci.c: spelling: tranfer  Michael Tokarev  1 file, -1/+1
Fixes: effaf5a240e03020f4ae953e10b764622c3e87cc
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Message-Id: <20221105114851.306206-1-mjt@msgid.tls.msk.ru>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-11-23  Revert "usbredir: avoid queuing hello packet on snapshot restore"  Joelle van Dyne  1 file, -2/+1
Run state is also in RUN_STATE_PRELAUNCH while "-S" is used.
This reverts commit 0631d4b448454ae8a1ab091c447e3f71ab6e088a
Signed-off-by: Joelle van Dyne <j@getutm.app>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
The original commit broke the usage of usbredir with libvirt, which starts every domain with "-S". This workaround is no longer needed because the usbredir behavior has been fixed in the meantime: https://gitlab.freedesktop.org/spice/usbredir/-/merge_requests/61
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Message-Id: <1689cec3eadcea87255e390cb236033aca72e168.1669193161.git.jtomko@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-11-11  host-libusb: Remove unused variable  Miroslav Rezanina  1 file, -15/+0
The variable 'unconnected' used in the usb_host_auto_check function is only incremented but never read, as the line where it is read has been disabled since the code was introduced. This causes an 'Unused but set variable' warning on the Clang 15.0.1 compiler. Remove the variable and the disabled code to prevent the warning.
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <00df0db69ff9167d38bac81f6d03281955bd861a.1668009030.git.mrezanin@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2022-11-08  hw/usb: fix tab indentation  Amarjargal Gundjalam  5 files, -440/+440
The TABs should be replaced with spaces, to make sure that we have a consistent coding style with an indentation of 4 spaces everywhere.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/370
Signed-off-by: Amarjargal Gundjalam <amarjargal16@gmail.com>
Message-Id: <6c993f57800f8fef7a910074620f6e80e077a3d1.1666707782.git.amarjargal16@gmail.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2022-10-31  hw/usb: dev-mtp: Use g_mkdir()  Bin Meng  1 file, -2/+2
Use g_mkdir() to create a directory on all platforms.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20221006151927.2079583-8-bmeng.cn@gmail.com>
Message-Id: <20221027183637.2772968-15-alex.bennee@linaro.org>
2022-10-31  hw/isa/vt82c686: Introduce TYPE_VT82C686B_USB_UHCI define  Bernhard Beschow  1 file, -2/+2
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
Signed-off-by: Bernhard Beschow <shentey@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Acked-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Message-Id: <20220901114127.53914-8-shentey@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
2022-10-22  Drop useless casts from g_malloc() & friends to pointer  Markus Armbruster  1 file, -1/+1
These memory allocation functions return void *, and casting to another pointer type is useless clutter. Drop these casts. If you really want another pointer type, consider g_new().
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Message-Id: <20220923120025.448759-3-armbru@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2022-09-27  Merge tag 'kraxel-20220927-pull-request' of https://gitlab.com/kraxel/qemu into staging  Stefan Hajnoczi  5 files, -37/+136
usb: make usbnet work with xhci.
audio: add sndio backend.
misc bugfixes for console, xhci, audio, ati-vga and virtio-gpu.
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCgAdFiEEoDKM/7k6F6eZAf59TLbY7tPocTgFAmMyse8ACgkQTLbY7tPo
# cTiLrRAAltoyd++jsmhg2wXuJsfekfec3kOro7T+eSznDWfBRvm7VxJ+gswYBYga
# HbEkHjII0yPbOP9WDMhhHx33g2nYdbhDLPKXHdK8MjHTTPxtYP7XmsWkEVpuuzTx
# WqeYvGSmUri6QOUz7fd07IhiBT1aQvUQ/vWQ6OhyRVPy41bR8kIbGx3iV0JDxWvz
# n3xUZALGLz3QAM0lXRzXPYT9JB/RqdbpMM35HNTpN9/xaZmgFWsyuQXSSm61pTtb
# PS+lILDPjgZeYsfsZRyhZaSZrp2f6WOGm1ZdtSM0rvmRKezOzYnG8fm4fqZQLYSj
# nrAqUs38sKaM71a3QbpXhDjbv4cpj0K3iSNLmlUq4pgvPiMgwPlgSwwCGlkNDaRo
# IA1KON1pMH2A5vvtXEUt5RTkbXxHAAKPdpl5sS6kgbs7dgoKDqzaIPFQELam259Z
# 9nbMBqz/d6gm2CFT5ogrY0q511IC5hWtsmbQZkOZeBd5SvhvyJ59DIabFDcw05fG
# ixZVapewXYtzFUde2lb8X5qyneUVeGY5D2OJ2uUykHgR2Qz4d3CjXlhnRkLIkMcd
# Uu6N1LTkjyuuB86BoTSZxk0iz94OvmyDiXpqwmRaCGcdnTOTj0dKrbRrtHdC2vCo
# cBpUAIdyJvDJSm0X8ZWvvv1sMJCAJ7lofFf/P/jUKlacC2ipgXQ=
# =QBLK
# -----END PGP SIGNATURE-----
# gpg: Signature made Tue 27 Sep 2022 04:18:55 EDT
# gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138
* tag 'kraxel-20220927-pull-request' of https://gitlab.com/kraxel/qemu: (24 commits)
  virtio-gpu: update scanout if there is any area covered by the rect
  hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)
  audio: remove abort() in audio_bug()
  Revert "audio: Log context for audio bug"
  audio: Add sndio backend
  usbnet: Report link-up via interrupt endpoint in CDC-ECM mode
  usbnet: Detect short packets as sent by the xHCI controller
  usbnet: Accept mandatory USB_CDC_SET_ETHERNET_PACKET_FILTER request
  usbnet: Add missing usb_wakeup() call in usbnet_receive()
  hcd-xhci: drop operation with secondary stream arrays enabled
  usb/msd: add usb_msd_fatal_error() and fix guest-triggerable assert
  usb/msd: move usb_msd_packet_complete()
  hcd-ohci: Drop ohci_service_iso_td() if ed->head & OHCI_DPTR_MASK is zero
  hw/usb/hcd-xhci: Check whether DMA accesses fail
  ui/console: fix three double frees in png_save()
  ui/vdagent: fix serial reset of guest agent
  ui/clipboard: reset the serial state on reset
  ui/vdagent: always reset the clipboard serial on caps
  ui/clipboard: fix serial priority
  ui: add some vdagent related traces
  ...
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2022-09-27  usbnet: Report link-up via interrupt endpoint in CDC-ECM mode  Michael Brown  1 file, -6/+21
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Message-Id: <20220906183053.3625472-5-mcb30@ipxe.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-09-27  usbnet: Detect short packets as sent by the xHCI controller  Michael Brown  1 file, -1/+1
The xHCI controller will ignore the endpoint MTU and so may deliver packets of any length. Detect short packets as being any packet that has a length of zero or a length that is not a multiple of the MTU.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Message-Id: <20220906183053.3625472-4-mcb30@ipxe.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-09-27  usbnet: Accept mandatory USB_CDC_SET_ETHERNET_PACKET_FILTER request  Michael Brown  1 file, -0/+6
The USB_CDC_SET_ETHERNET_PACKET_FILTER request is mandatory for CDC-ECM devices. Accept this request, ignoring the actual filter value (to match the existing behaviour for RNDIS).
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Message-Id: <20220906183053.3625472-3-mcb30@ipxe.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-09-27  usbnet: Add missing usb_wakeup() call in usbnet_receive()  Michael Brown  1 file, -0/+3
usbnet_receive() does not currently wake up the USB endpoint, leading to a dead RX datapath when used with a host controller such as xHCI that relies on being woken up. Fix by adding a call to usb_wakeup() at the end of usbnet_receive().
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Message-Id: <20220906183053.3625472-2-mcb30@ipxe.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-09-27  hcd-xhci: drop operation with secondary stream arrays enabled  Qiang Liu  1 file, -1/+3
The abort() in xhci_find_stream() can be triggered via enabling the secondary stream arrays by setting the linear stream array (LSA) bit (in the endpoint context) to 0. We may show warnings and drop this operation.
Fixes: 024426acc0a2 ("usb-xhci: usb3 streams")
Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1192
Signed-off-by: Qiang Liu <cyruscyliu@gmail.com>
Message-Id: <20220904125926.2141607-1-cyruscyliu@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-09-27  usb/msd: add usb_msd_fatal_error() and fix guest-triggerable assert  Gerd Hoffmann  2 files, -1/+30
Add a handler for fatal errors. It moves the device into an error state where it stops responding until the guest resets it. The guest can send illegal requests where the SCSI command and USB packet transfer directions are inconsistent. Use the new usb_msd_fatal_error() function instead of assert() in that case.
Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Qiang Liu <cyruscyliu@gmail.com>
Message-Id: <20220830063827.813053-3-kraxel@redhat.com>
2022-09-27  usb/msd: move usb_msd_packet_complete()  Gerd Hoffmann  1 file, -12/+14
Change ordering to avoid adding forward declarations in following patches. Fix comment code style while being at it. No functional change.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20220830063827.813053-2-kraxel@redhat.com>
2022-09-23  hcd-ohci: Drop ohci_service_iso_td() if ed->head & OHCI_DPTR_MASK is zero  Qiang Liu  1 file, -0/+10
An abort happens in ohci_frame_boundary() when ohci->done is 0 [1].
```c
static void ohci_frame_boundary(void *opaque)
{
    // ...
    if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
        if (!ohci->done)
            abort(); <----------------------------------------- [1]
```
This was reported in https://bugs.launchpad.net/qemu/+bug/1911216/, https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg03613.html, and https://gitlab.com/qemu-project/qemu/-/issues/545. I can still reproduce it with the latest QEMU.
This happens due to a crafted ED with an ISO_TD placed at physical address 0. Suppose ed->head & OHCI_DPTR_MASK is 0 [2], and we memset 0 to the physical memory from 0 to sizeof(ohci_iso_td). Then, starting_frame [3] and frame_count [4] are both 0. As we can control the value of ohci->frame_number (0 to 0x1f, suppose 1), we then control the value of relative_frame_number to be 1 [6]. The control flow goes to [7] where ohci->done is 0. Having returned from ohci_service_iso_td(), ohci_frame_boundary() will abort() [1].
```c
static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed)
{
    // ...
    addr = ed->head & OHCI_DPTR_MASK; // <--------------------- [2]
    if (ohci_read_iso_td(ohci, addr, &iso_td)) { // <-------- [3]
    // ...
    starting_frame = OHCI_BM(iso_td.flags, TD_SF); // <-------- [4]
    frame_count = OHCI_BM(iso_td.flags, TD_FC); // <-------- [5]
    relative_frame_number = USUB(ohci->frame_number, starting_frame); // <-------- [6]
    if (relative_frame_number < 0) {
        return 1;
    } else if (relative_frame_number > frame_count) {
        // ...
        ohci->done = addr; // <-------- [7]
        // ...
    }
```
As only (afaik) a guest root user can manipulate ED, TD and the physical memory, this assertion failure is not a security bug.
The idea to fix this issue is to drop ohci_service_iso_td() if ed->head & OHCI_DPTR_MASK is 0, which is similar to the drop operation for ohci_service_ed_list() when head is 0. Probably, a similar issue is in ohci_service_td(). I drop ohci_service_td() if ed->head & OHCI_DPTR_MASK is 0.
Fixes: 7bfe577702 ("OHCI USB isochronous transfers support (Arnon Gilboa)")
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/545
Buglink: https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg03613.html
Buglink: https://bugs.launchpad.net/qemu/+bug/1911216
Signed-off-by: Qiang Liu <cyruscyliu@gmail.com>
Message-Id: <20220826051557.119570-1-cyruscyliu@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-09-23  hw/usb/hcd-xhci: Check whether DMA accesses fail  Thomas Huth  1 file, -16/+48
If a guest sets up bad descriptors, it could force QEMU to access non-existing memory regions. Thus we should check the return value of dma_memory_read/write() to make sure that these errors don't go unnoticed.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20220817160016.49752-1-thuth@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-09-22  hw/usb/hcd-ohci: Use definition to avoid dynamic stack allocation  Philippe Mathieu-Daudé  1 file, -3/+4
The compiler isn't clever enough to figure out that 'width' is a constant, so help it by using a definition instead.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20220819153931.3147384-10-peter.maydell@linaro.org
2022-09-01  scsi: Add buf_len parameter to scsi_req_new()  John Millikin  2 files, -3/+4
When a SCSI command is received from the guest, the CDB length implied by the first byte might exceed the number of bytes the guest sent. In this case scsi_req_new() will read uninitialized data, causing unpredictable behavior. Adds the buf_len parameter to scsi_req_new() and plumbs it through the call stack.
Signed-off-by: John Millikin <john@john-millikin.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1127
Message-Id: <20220817053458.698416-1-john@john-millikin.com>
[Fill in correct length for adapters other than ESP. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-08-16  hw/usb/hcd-xhci: Fix unbounded loop in xhci_ring_chain_length() (CVE-2020-14394)  Thomas Huth  1 file, -4/+19
The loop condition in xhci_ring_chain_length() is under control of the guest, and additionally the code does not check for failed DMA transfers (e.g. if reaching the end of the RAM), so the loop there could run for a very long time or even forever. Fix it by checking the return value of dma_memory_read() and by introducing a maximum loop length.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646
Message-Id: <20220804131300.96368-1-thuth@redhat.com>
Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2022-08-01  misc: fix commonly doubled up words  Daniel P. Berrangé  1 file, -1/+1
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220707163720.1421716-5-berrange@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2022-07-19  usb/hcd-xhci: check slotid in xhci_wakeup_endpoint()  Mauro Matteo Cascella  1 file, -1/+2
This prevents an OOB read (followed by an assertion failure in xhci_kick_ep) when slotid > xhci->numslots.
Reported-by: Soul Chen <soulchen8650@gmail.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20220705174734.2348829-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-07-01  hw: canokey: Remove HS support as not compliant to the spec  MkfsSion  1 file, -1/+0
Canokey core is currently using 16 bytes as the maximum packet size for the control endpoint, but to run the device in high-speed a 64-byte maximum packet size is required according to the USB 2.0 specification. Since we don't actually need to run the device in high-speed, simply don't assign the high member in USBDesc.
When canokey-qemu is used with xhci, xhci would drive canokey in high-speed mode, since the bcdUSB in canokey-core is 2.1, yet canokey-core sets bMaxPacketSize0 to be 16. This is out of the spec, as the spec says that ``The allowable maximum control transfer data payload sizes...for high-speed devices, it is 64 bytes''. In this case, USB device validation in Windows 10 LTSC 2021 as the guest would fail. It would complain USB\DEVICE_DESCRIPTOR_VALIDATION_FAILURE.
Note that bcdUSB only identifies the spec version the device complies with, but it has no indication of its speed. So it is allowed for the device to run in FS but comply with the 2.1 spec.
To solve the issue we decided to just drop the high-speed support. This only affects usb-ehci, as usb-ehci would complain about a speed mismatch when an FS device is attached to an HS port. That's why the .high member was initialized in the first place. Meanwhile, xhci is not affected as it works well with FS devices. Since everyone is now using xhci, it does no harm to most users.
Suggested-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Signed-off-by: YuanYang Meng <mkfssion@mkfssion.com>
Reviewed-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Message-Id: <20220625142138.19363-1-mkfssion@mkfssion.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-07-01  hw/usb/canokey: fix compatibility of qemu-xhci  Hongren (Zenithal) Zheng  1 file, -0/+23
XHCI won't poll the interrupt IN endpoint if NAKed, and needs a wakeup.
Suggested-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Message-Id: <YqcqSHNpI7sXRNpZ@Sun>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-07-01  hw/usb/canokey: Fix CCID ZLP  Hongren (Zenithal) Zheng  1 file, -4/+3
CCID could send a zero-length packet (ZLP); if we invoke two data_in, two packets would be concatenated and we could not distinguish them.
The CANOKEY_EMU_EP_CTAPHID is imported from canokey-qemu.h
Reported-by: MkfsSion <myychina28759@gmail.com>
Signed-off-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Message-Id: <YqcqGz0s3+LE42ms@Sun>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-06-14  usbredir: avoid queuing hello packet on snapshot restore  Joelle van Dyne  1 file, -1/+2
When launching QEMU with "-loadvm", usbredir_create_parser() should avoid setting up the hello packet (just as with "-incoming"). On the latest version of libusbredir, usbredirparser_unserialize() will return an error if the parser is not "pristine."
Signed-off-by: Joelle van Dyne <j@getutm.app>
Message-Id: <20220507041850.98716-1-j@getutm.app>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-06-14  hw/usb/hcd-ehci: fix writeback order  Arnout Engelen  1 file, -1/+4
The 'active' bit passes control over a qTD between the guest and the controller: set to 1 by the guest to enable execution by the controller, and the controller sets it to '0' to hand back control to the guest.
ehci_state_writeback writes two dwords to main memory using DMA: the third dword of the qTD (containing dt, total bytes to transfer, cpage, cerr and status) and the fourth dword of the qTD (containing the offset).
This commit makes sure the fourth dword is written before the third, avoiding a race condition where a new offset written into the qTD by the guest after it observed the status going to '0' gets overwritten by a 'late' DMA writeback of the previous offset.
This race condition could lead to 'cpage out of range (5)' errors, and is reproduced by:
```
./qemu-system-x86_64 -enable-kvm -bios $SEABIOS/bios.bin -m 4096 -device usb-ehci -blockdev driver=file,read-only=on,filename=/home/aengelen/Downloads/openSUSE-Tumbleweed-DVD-i586-Snapshot20220428-Media.iso,node-name=iso -device usb-storage,drive=iso,bootindex=0 -chardev pipe,id=shell,path=/tmp/pipe -device virtio-serial -device virtconsole,chardev=shell -device virtio-rng-pci -serial mon:stdio -nographic
```
(press a key, select 'Installation' (2), and accept the default values. On my machine the 'cpage out of range' is reproduced while loading the Linux kernel about once per 7 attempts. With the fix in this commit it no longer fails)
This problem was previously reported as a seabios problem in https://mail.coreboot.org/hyperkitty/list/seabios@seabios.org/thread/OUTHT5ISSQJGXPNTUPY3O5E5EPZJCHM3/ and as a nixos CI build failure in https://github.com/NixOS/nixpkgs/issues/170803
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-06-14  meson: Add CanoKey  Hongren (Zenithal) Zheng  2 files, -0/+10
Signed-off-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Message-Id: <YoY6YRD6cxH21mms@Sun>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>