From bf78fb1c1b61a819a47f7a1dbecf9934b9f32a0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Mon, 4 Jun 2018 12:14:19 -0300 Subject: usb: correctly handle Zero Length Packets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit USB Specification Revision 2.0, §5.5.3: The Data stage of a control transfer from an endpoint to the host is complete when the endpoint does one of the following: • Has transferred exactly the amount of data specified during the Setup stage • Transfers a packet with a payload size less than wMaxPacketSize or transfers a zero-length packet" hw/usb/redirect.c:802:9: warning: Declared variable-length array (VLA) has zero size uint8_t buf[size]; ^~~~~~~~~~~ ~~~~ Reported-by: Clang Static Analyzer Signed-off-by: Philippe Mathieu-Daudé Message-id: 20180604151421.23385-2-f4bug@amsat.org Signed-off-by: Gerd Hoffmann --- hw/usb/redirect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'hw') diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index 65a9196..58e8f7f 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -795,7 +795,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, usbredirparser_peer_has_cap(dev->parser, usb_redir_cap_32bits_bulk_length)); - if (ep & USB_DIR_IN) { + if (ep & USB_DIR_IN || size == 0) { usbredirparser_send_bulk_packet(dev->parser, p->id, &bulk_packet, NULL, 0); } else { -- cgit v1.1 From 62713a2e50f653162387451034f1a2490e87be88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Mon, 4 Jun 2018 12:14:20 -0300 Subject: usb/dev-mtp: Fix use of uninitialized values MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes: hw/usb/dev-mtp.c:971:5: warning: 4th function call argument is an uninitialized value trace_usb_mtp_op_get_partial_object(s->dev.addr, o->handle, o->path, c->argv[1], c->argv[2]); ^~~~~~~~~~ and: hw/usb/dev-mtp.c:981:12: warning: Assigned value is garbage or undefined offset = c->argv[1]; ^ ~~~~~~~~~~ Reported-by: Clang Static Analyzer Signed-off-by: Philippe Mathieu-Daudé Message-id: 20180604151421.23385-3-f4bug@amsat.org Signed-off-by: Gerd Hoffmann --- hw/usb/dev-mtp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'hw') diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 560c61c..b0ab6a7 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -1017,12 +1017,16 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c, static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c, MTPObject *o) { - MTPData *d = usb_mtp_data_alloc(c); + MTPData *d; off_t offset; + if (c->argc <= 2) { + return NULL; + } trace_usb_mtp_op_get_partial_object(s->dev.addr, o->handle, o->path, c->argv[1], c->argv[2]); + d = usb_mtp_data_alloc(c); d->fd = open(o->path, O_RDONLY); if (d->fd == -1) { usb_mtp_data_free(d); -- cgit v1.1 From f3d58385a6d3d82f65db602c5506e2d3d8c82394 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Thu, 31 May 2018 21:51:16 +0200 Subject: bus: do not unref the added child bus on realize MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When the parent bus removes the child property, it takes care of removing the added reference, in object_finalize_child_property(). Signed-off-by: Marc-André Lureau Message-id: 20180531195119.22021-2-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann --- hw/core/bus.c | 1 - 1 file changed, 1 deletion(-) (limited to 'hw') diff --git a/hw/core/bus.c b/hw/core/bus.c index 4651f24..ad0c9df 100644 --- a/hw/core/bus.c +++ b/hw/core/bus.c @@ -102,7 +102,6 @@ static void qbus_realize(BusState *bus, DeviceState *parent, const char *name) QLIST_INSERT_HEAD(&bus->parent->child_bus, bus, sibling); bus->parent->num_child_bus++; object_property_add_child(OBJECT(bus->parent), bus->name, OBJECT(bus), NULL); - object_unref(OBJECT(bus)); } else if (bus != sysbus_get_default()) { /* TODO: once all bus devices are qdevified, only reset handler for main_system_bus should be registered here. */ -- cgit v1.1 From 265b578c584b1a86c7028790deaa2f4392dd0a65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Thu, 31 May 2018 21:51:17 +0200 Subject: object: fix OBJ_PROP_LINK_UNREF_ON_RELEASE ambivalence MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A link property can be set during creation, with object_property_add_link() and later with object_property_set_link(). add_link() doesn't add a reference to the target object, while set_link() does. Furthemore, OBJ_PROP_LINK_UNREF_ON_RELEASE flags, set during add_link, says whether a reference must be released when the property is destroyed. This can lead to leaks if the property was later set_link(), as the added reference is never released. Instead, rename OBJ_PROP_LINK_UNREF_ON_RELEASE to OBJ_PROP_LINK_STRONG and use that has an indication on how the link handle reference management in set_link(). Signed-off-by: Marc-André Lureau Message-id: 20180531195119.22021-3-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann --- hw/core/qdev-properties.c | 2 +- hw/core/qdev.c | 2 +- hw/display/xlnx_dp.c | 2 +- hw/dma/xilinx_axidma.c | 4 ++-- hw/dma/xlnx-zdma.c | 2 +- hw/i386/pc.c | 2 +- hw/i386/pc_piix.c | 2 +- hw/i386/pc_q35.c | 2 +- hw/ipmi/ipmi.c | 2 +- hw/net/xilinx_axienet.c | 4 ++-- hw/ssi/xilinx_spips.c | 2 +- 11 files changed, 13 insertions(+), 13 deletions(-) (limited to 'hw') diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c index 989778a..35072de 100644 --- a/hw/core/qdev-properties.c +++ b/hw/core/qdev-properties.c @@ -1308,7 +1308,7 @@ static void create_link_property(Object *obj, Property *prop, Error **errp) object_property_add_link(obj, prop->name, prop->link_type, child, qdev_prop_allow_set_link_before_realize, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, errp); } diff --git a/hw/core/qdev.c b/hw/core/qdev.c index ffec461..cf0db4b 100644 --- a/hw/core/qdev.c +++ b/hw/core/qdev.c @@ -409,7 +409,7 @@ void qdev_init_gpio_out_named(DeviceState *dev, qemu_irq *pins, object_property_add_link(OBJECT(dev), propname, TYPE_IRQ, (Object **)&pins[i], object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &error_abort); g_free(propname); } diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c index c32ab08..5130122 100644 --- a/hw/display/xlnx_dp.c +++ b/hw/display/xlnx_dp.c @@ -1223,7 +1223,7 @@ static void xlnx_dp_init(Object *obj) object_property_add_link(obj, "dpdma", TYPE_XLNX_DPDMA, (Object **) &s->dpdma, xlnx_dp_set_dpdma, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &error_abort); /* diff --git a/hw/dma/xilinx_axidma.c b/hw/dma/xilinx_axidma.c index 9b48103..401a328 100644 --- a/hw/dma/xilinx_axidma.c +++ b/hw/dma/xilinx_axidma.c @@ -525,12 +525,12 @@ static void xilinx_axidma_realize(DeviceState *dev, Error **errp) object_property_add_link(OBJECT(ds), "dma", TYPE_XILINX_AXI_DMA, (Object **)&ds->dma, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &local_err); object_property_add_link(OBJECT(cs), "dma", TYPE_XILINX_AXI_DMA, (Object **)&cs->dma, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &local_err); if (local_err) { goto xilinx_axidma_realize_fail; diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c index 8eea757..b6745f5 100644 --- a/hw/dma/xlnx-zdma.c +++ b/hw/dma/xlnx-zdma.c @@ -787,7 +787,7 @@ static void zdma_init(Object *obj) object_property_add_link(obj, "dma", TYPE_MEMORY_REGION, (Object **)&s->dma_mr, qdev_prop_allow_set_link_before_realize, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &error_abort); } diff --git a/hw/i386/pc.c b/hw/i386/pc.c index f3befe6..ea57a46 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -483,7 +483,7 @@ void pc_cmos_init(PCMachineState *pcms, TYPE_ISA_DEVICE, (Object **)&pcms->rtc, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, &error_abort); + OBJ_PROP_LINK_STRONG, &error_abort); object_property_set_link(OBJECT(pcms), OBJECT(s), "rtc_state", &error_abort); diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c index 3d81136..d2f0d60 100644 --- a/hw/i386/pc_piix.c +++ b/hw/i386/pc_piix.c @@ -289,7 +289,7 @@ static void pc_init1(MachineState *machine, TYPE_HOTPLUG_HANDLER, (Object **)&pcms->acpi_dev, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, &error_abort); + OBJ_PROP_LINK_STRONG, &error_abort); object_property_set_link(OBJECT(machine), OBJECT(piix4_pm), PC_MACHINE_ACPI_DEVICE_PROP, &error_abort); } diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c index b60cbb9..5be6ef7 100644 --- a/hw/i386/pc_q35.c +++ b/hw/i386/pc_q35.c @@ -194,7 +194,7 @@ static void pc_q35_init(MachineState *machine) TYPE_HOTPLUG_HANDLER, (Object **)&pcms->acpi_dev, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, &error_abort); + OBJ_PROP_LINK_STRONG, &error_abort); object_property_set_link(OBJECT(machine), OBJECT(lpc), PC_MACHINE_ACPI_DEVICE_PROP, &error_abort); diff --git a/hw/ipmi/ipmi.c b/hw/ipmi/ipmi.c index 9be281f..63c0317 100644 --- a/hw/ipmi/ipmi.c +++ b/hw/ipmi/ipmi.c @@ -104,7 +104,7 @@ void ipmi_bmc_find_and_link(Object *obj, Object **bmc) { object_property_add_link(obj, "bmc", TYPE_IPMI_BMC, bmc, isa_ipmi_bmc_check, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &error_abort); } diff --git a/hw/net/xilinx_axienet.c b/hw/net/xilinx_axienet.c index d4c2c89..cc880a3 100644 --- a/hw/net/xilinx_axienet.c +++ b/hw/net/xilinx_axienet.c @@ -951,12 +951,12 @@ static void xilinx_enet_realize(DeviceState *dev, Error **errp) object_property_add_link(OBJECT(ds), "enet", "xlnx.axi-ethernet", (Object **) &ds->enet, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &local_err); object_property_add_link(OBJECT(cs), "enet", "xlnx.axi-ethernet", (Object **) &cs->enet, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &local_err); if (local_err) { goto xilinx_enet_realize_fail; diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index 03f5fae..f599025 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -1346,7 +1346,7 @@ static void xlnx_zynqmp_qspips_init(Object *obj) object_property_add_link(obj, "stream-connected-dma", TYPE_STREAM_SLAVE, (Object **)&rq->dma, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, NULL); } -- cgit v1.1 From 410a096adf991ce437d4d7dabc59b6557e6d488d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Thu, 31 May 2018 21:51:18 +0200 Subject: usb-ccid: fix bus leak MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit qbus_create_inplace() creates a new reference in realize(), it must be released in unrealize(). Signed-off-by: Marc-André Lureau Message-id: 20180531195119.22021-4-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann --- hw/usb/dev-smartcard-reader.c | 1 + 1 file changed, 1 insertion(+) (limited to 'hw') diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c index 2131e33..f7c9123 100644 --- a/hw/usb/dev-smartcard-reader.c +++ b/hw/usb/dev-smartcard-reader.c @@ -1147,6 +1147,7 @@ static void ccid_unrealize(USBDevice *dev, Error **errp) USBCCIDState *s = USB_CCID_DEV(dev); ccid_bulk_in_clear(s); + object_unref(OBJECT(&s->bus)); } static void ccid_flush_pending_answers(USBCCIDState *s) -- cgit v1.1 From 3c969a6022438cf59de10d2dc3c58f4807788f98 Mon Sep 17 00:00:00 2001 From: Bandan Das Date: Fri, 18 May 2018 14:49:03 -0400 Subject: usb-mtp: Return error on suspicious TYPE_DATA packet from initiator CID 1390604 If the initiator sends a packet with TYPE_DATA set without initiating a CMD_GET_OBJECT_INFO first, then usb_mtp_get_data can trip on a null s->data_out. Signed-off-by: Bandan Das Message-Id: Signed-off-by: Gerd Hoffmann --- hw/usb/dev-mtp.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'hw') diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index b0ab6a7..1ded7ac 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -1700,6 +1700,11 @@ static void usb_mtp_get_data(MTPState *s, mtp_container *container, uint64_t dlen; uint32_t data_len = p->iov.size; + if (!d) { + usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO, 0, + 0, 0, 0, 0); + return; + } if (d->first) { /* Total length of incoming data */ d->length = cpu_to_le32(container->length) - sizeof(mtp_container); -- cgit v1.1