qemu-commits

[Qemu-commits] [qemu/qemu] d710e1: usb: ehci: fix memory leak in ehci


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] d710e1: usb: ehci: fix memory leak in ehci
Date: Tue, 21 Feb 2017 02:30:11 -0800

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: d710e1e7bd3d5bfc26b631f02ae87901ebe646b0
      
https://github.com/qemu/qemu/commit/d710e1e7bd3d5bfc26b631f02ae87901ebe646b0
  Author: Li Qiang <address@hidden>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M hw/usb/hcd-ehci-pci.c
    M hw/usb/hcd-ehci.c
    M hw/usb/hcd-ehci.h

  Log Message:
  -----------
  usb: ehci: fix memory leak in ehci

In the usb_ehci_init function, it initializes 's->ipacket', but there
is no corresponding function to free this. As the ehci can be hotplugged
and unplugged, this will leak host memory. In order to make the
hierarchy clean, we should add an ehci pci finalize function, then call
the clean function in ehci device.

Signed-off-by: Li Qiang <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 26f670a244982335cc08943fb1ec099a2c81e42d
      
https://github.com/qemu/qemu/commit/26f670a244982335cc08943fb1ec099a2c81e42d
  Author: Li Qiang <address@hidden>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M hw/usb/hcd-ohci.c

  Log Message:
  -----------
  usb: ohci: fix error return code in servicing iso td

It should return 1 if an error occurs when reading iso td.
This will avoid an infinite loop issue in ohci_service_ed_list.

Signed-off-by: Li Qiang <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb
      
https://github.com/qemu/qemu/commit/95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb
  Author: Li Qiang <address@hidden>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M hw/usb/hcd-ohci.c

  Log Message:
  -----------
  usb: ohci: limit the number of link eds

The guest may build an infinite loop with link eds. This patch
limits the number of linked eds to avoid this.

Signed-off-by: Li Qiang <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: f89b60f6e5fee3923bedf80e82b4e5efc1bb156b
      
https://github.com/qemu/qemu/commit/f89b60f6e5fee3923bedf80e82b4e5efc1bb156b
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M hw/usb/hcd-xhci.c
    M hw/usb/trace-events

  Log Message:
  -----------
  xhci: apply limits to loops

Limits should be big enough that a normal guest should not hit them.
Add a tracepoint to log them, just in case.  Also, while being
at it, log the existing link trb limit too.

Reported-by: 李强 <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden


  Commit: 898248a32915024a4f01ce4f0c3519509fb703cb
      
https://github.com/qemu/qemu/commit/898248a32915024a4f01ce4f0c3519509fb703cb
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M hw/usb/hcd-xhci.c

  Log Message:
  -----------
  xhci: drop ER_FULL_HACK workaround

The nec/renesas driver problems have finally been debugged and root
caused, see commit "7da76e1 xhci: fix event queue IRQ handling".

It's pretty clear now that
 (a) The whole "driver can't handle ring full" story is most likely
     wrong.
 (b) The ER_FULL_HACK workaround based on the false assumption doesn't
     much.  It avoids the driver crashing (without commit 7da76e1), but
     it doesn't make usb work.
 (c) With 7da76e1 applied it doesn't trigger any more.

So, let's kill it.  Or, to be exact, let's almost kill it.  Some data
fields are kept unused in the state struct, for live migration backward
compatibility.

Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden


  Commit: 72a810f411abaabc55f375533220adf69e059c89
      
https://github.com/qemu/qemu/commit/72a810f411abaabc55f375533220adf69e059c89
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M docs/specs/pci-ids.txt
    M hw/usb/hcd-xhci.c
    M include/hw/pci/pci.h

  Log Message:
  -----------
  xhci: add qemu xhci controller

Turn existing TYPE_XHCI into an abstract base class.
Create two child classes, TYPE_NEC_XHCI (same name as old xhci
controller) and TYPE_QEMU_XHCI (using an ID from our namespace).

Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Marcel Apfelbaum <address@hidden>
Message-id: address@hidden


  Commit: 2992d6b49ce7ca2d4c02ff6baf23fc815879eef3
      
https://github.com/qemu/qemu/commit/2992d6b49ce7ca2d4c02ff6baf23fc815879eef3
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M hw/usb/hcd-xhci.c

  Log Message:
  -----------
  xhci: fix nec vendor quirk handling

Only the TYPE_NEC_XHCI controller will have the nec vendor quirks.

Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden


  Commit: 558ff1b6efcebd7f919bae3e36b97fa6f9139f42
      
https://github.com/qemu/qemu/commit/558ff1b6efcebd7f919bae3e36b97fa6f9139f42
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M hw/usb/hcd-xhci.c

  Log Message:
  -----------
  xhci: drop via vendor command handling

Seems pretty pointless, we don't emulate a via xhci controller.

Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden


  Commit: 0aeebc73b7976bae5cb7e9768e3d9a0fd9d634e8
      
https://github.com/qemu/qemu/commit/0aeebc73b7976bae5cb7e9768e3d9a0fd9d634e8
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M hw/usb/dev-smartcard-reader.c

  Log Message:
  -----------
  usb-ccid: better bulk_out error handling

Add err goto label where we can jump to from all error conditions.
STALL request on all errors.  Reset position on all errors.

Normal request processing is not in an else branch any more, so this code
is reindented, there are no code changes in that part of the code
though.

Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Message-id: address@hidden


  Commit: 7569c54642e8aa9fa03e250c7c578bd4d3747f00
      
https://github.com/qemu/qemu/commit/7569c54642e8aa9fa03e250c7c578bd4d3747f00
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M hw/usb/dev-smartcard-reader.c

  Log Message:
  -----------
  usb-ccid: move header size check

Move up header size check, so we can use header fields in sanity checks
(in followup patches).  Also reword the debug message.

Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Message-id: address@hidden


  Commit: 31fb4444a485a348f8e2699d7c3dd15e1819ad2c
      
https://github.com/qemu/qemu/commit/31fb4444a485a348f8e2699d7c3dd15e1819ad2c
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M hw/usb/dev-smartcard-reader.c

  Log Message:
  -----------
  usb-ccid: add check message size checks

Check message size too when figuring whether we should expect more data.
Fix debug message to show useful data, p->iov.size is fixed anyway if we
land there, print how much we got meanwhile instead.

Also check announced message size against actual message size.  That
is a more general fix for CVE-2017-5898 than commit "c7dfbf3 usb: ccid:
check ccid apdu length".

Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Message-id: address@hidden


  Commit: b856256179f14c33a513d0b9cc3e4be355b95f43
      
https://github.com/qemu/qemu/commit/b856256179f14c33a513d0b9cc3e4be355b95f43
  Author: Peter Maydell <address@hidden>
  Date:   2017-02-21 (Tue, 21 Feb 2017)

  Changed paths:
    M docs/specs/pci-ids.txt
    M hw/usb/dev-smartcard-reader.c
    M hw/usb/hcd-ehci-pci.c
    M hw/usb/hcd-ehci.c
    M hw/usb/hcd-ehci.h
    M hw/usb/hcd-ohci.c
    M hw/usb/hcd-xhci.c
    M hw/usb/trace-events
    M include/hw/pci/pci.h

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20170221-1' into staging

xhci: add qemu-xhci device, some followup cleanups.
ccid: better sanity checking.
ehci: fix memory leak
ohci: bugfixes.

# gpg: Signature made Tue 21 Feb 2017 07:14:35 GMT
# gpg:                using RSA key 0x4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>"
# gpg:                 aka "Gerd Hoffmann <address@hidden>"
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/pull-usb-20170221-1:
  usb-ccid: add check message size checks
  usb-ccid: move header size check
  usb-ccid: better bulk_out error handling
  xhci: drop via vendor command handling
  xhci: fix nec vendor quirk handling
  xhci: add qemu xhci controller
  xhci: drop ER_FULL_HACK workaround
  xhci: apply limits to loops
  usb: ohci: limit the number of link eds
  usb: ohci: fix error return code in servicing iso td
  usb: ehci: fix memory leak in ehci

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/56f9e46b841c...b856256179f1
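
The two OHCI commits and "xhci: apply limits to loops" above share one defensive pattern: a walk over a guest-built descriptor list must stop on a read error and must cap the number of links it follows. The sketch below is an added example, not code from QEMU; the descriptor layout, `MAX_LINKS`, the toy guest memory and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define GUEST_MEM_SIZE 256u  /* constructed toy guest memory */
#define MAX_LINKS      32u   /* assumed cap for this sketch, not QEMU's value */

/* Hypothetical descriptor: link to the next entry, then a payload word. */
struct desc { uint32_t next; uint32_t data; };  /* next == 0 ends the list */

enum walk_status { WALK_OK = 0, WALK_READ_ERROR = 1, WALK_LIMIT_HIT = 2 };

/* Copy one descriptor out of guest memory; nonzero if addr is out of range. */
static int read_desc(const uint8_t *mem, uint32_t addr, struct desc *out)
{
    if (addr > GUEST_MEM_SIZE - sizeof(*out)) {
        return 1;
    }
    memcpy(out, mem + addr, sizeof(*out));
    return 0;
}

/* Demo helper: place a descriptor at addr (caller keeps addr in range). */
void put_desc(uint8_t *mem, uint32_t addr, uint32_t next, uint32_t data)
{
    struct desc d = { next, data };
    memcpy(mem + addr, &d, sizeof(d));
}

/* Walk the guest-built list; every exit path is bounded and reports why. */
enum walk_status walk_list(const uint8_t *mem, uint32_t head, unsigned *visited)
{
    struct desc d;
    unsigned links = 0;

    *visited = 0;
    for (uint32_t cur = head; cur != 0; cur = d.next) {
        if (++links > MAX_LINKS) {
            return WALK_LIMIT_HIT;      /* cyclic or oversized list */
        }
        if (read_desc(mem, cur, &d) != 0) {
            return WALK_READ_ERROR;     /* stop; do not retry the same entry */
        }
        (*visited)++;
    }
    return WALK_OK;
}
```

A caller should treat both non-OK statuses as terminal for the current servicing pass, so a list the guest can rewrite at will never keeps the emulation thread spinning.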
