[Qemu-devel] [PATCH 06/54] ehci: Validate qh is not changed unexpectedly by the guest
From: Gerd Hoffmann
Subject: [Qemu-devel] [PATCH 06/54] ehci: Validate qh is not changed unexpectedly by the guest
Date: Thu, 6 Sep 2012 09:12:07 +0200
From: Hans de Goede <address@hidden>
- combine the qh check with the check for devaddr changes
- also ensure that p gets set to NULL when the queue gets cancelled on
  devaddr change, which was not done properly before this patch
Signed-off-by: Hans de Goede <address@hidden>
---
hw/usb/hcd-ehci.c | 41 +++++++++++++++++++++++++++++------------
1 files changed, 29 insertions(+), 12 deletions(-)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index e7c36f4..35eb441 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -780,6 +780,14 @@ static void ehci_cancel_queue(EHCIQueue *q)
} while ((p = QTAILQ_FIRST(&q->packets)) != NULL);
}
+static void ehci_reset_queue(EHCIQueue *q)
+{
+ trace_usb_ehci_queue_action(q, "reset");
+ ehci_cancel_queue(q);
+ q->dev = NULL;
+ q->qtdaddr = 0;
+}
+
static void ehci_free_queue(EHCIQueue *q)
{
EHCIQueueHead *head = q->async ? &q->ehci->aqueues : &q->ehci->pqueues;
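Review bot: ehci_reset_queue calls ehci_cancel_queue unconditionally, while the visible tail of ehci_cancel_queue is a do { ... } while ((p = QTAILQ_FIRST(&q->packets)) != NULL) loop, so the body runs once before the list is checked; please confirm the body tolerates an initially empty packet list, or keep the QTAILQ_EMPTY guard that the old fetchqh code had around the cancel call.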
@@ -1755,8 +1763,9 @@ out:
static EHCIQueue *ehci_state_fetchqh(EHCIState *ehci, int async)
{
EHCIPacket *p;
- uint32_t entry, devaddr;
+ uint32_t entry, devaddr, endp;
EHCIQueue *q;
+ EHCIqh qh;
entry = ehci_get_fetch_addr(ehci, async);
q = ehci_find_queue_by_qh(ehci, entry, async);
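Review bot: the new local qh is the freshly read guest copy while q->qh keeps the last validated copy until the comparison below; a one-line comment at the declaration saying so would make the two-copy scheme obvious to the next reader of this function.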
@@ -1774,17 +1783,25 @@ static EHCIQueue *ehci_state_fetchqh(EHCIState *ehci,
int async)
}
get_dwords(ehci, NLPTR_GET(q->qhaddr),
- (uint32_t *) &q->qh, sizeof(EHCIqh) >> 2);
- ehci_trace_qh(q, NLPTR_GET(q->qhaddr), &q->qh);
+ (uint32_t *) &qh, sizeof(EHCIqh) >> 2);
+ ehci_trace_qh(q, NLPTR_GET(q->qhaddr), &qh);
+
+ /*
+ * The overlay area of the qh should never be changed by the guest,
+ * except when idle, in which case the reset is a nop.
+ */
+ devaddr = get_field(qh.epchar, QH_EPCHAR_DEVADDR);
+ endp = get_field(qh.epchar, QH_EPCHAR_EP);
+ if ((devaddr != get_field(q->qh.epchar, QH_EPCHAR_DEVADDR)) ||
+ (endp != get_field(q->qh.epchar, QH_EPCHAR_EP)) ||
+ (memcmp(&qh.current_qtd, &q->qh.current_qtd,
+ 9 * sizeof(uint32_t)) != 0) ||
+ (q->dev != NULL && q->dev->addr != devaddr)) {
+ ehci_reset_queue(q);
+ p = NULL;
+ }
+ q->qh = qh;
- devaddr = get_field(q->qh.epchar, QH_EPCHAR_DEVADDR);
- if (q->dev != NULL && q->dev->addr != devaddr) {
- if (!QTAILQ_EMPTY(&q->packets)) {
- /* should not happen (guest bug) */
- ehci_cancel_queue(q);
- }
- q->dev = NULL;
- }
if (q->dev == NULL) {
q->dev = ehci_find_device(q->ehci, devaddr);
}
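Review bot: the 9 * sizeof(uint32_t) length in the memcmp is a magic number; a named constant or a comment listing which EHCIqh fields it covers (current_qtd onward, i.e. the overlay area the comment above refers to) would make the intent clear and protect the check against future layout changes in EHCIqh. Since ehci_reset_queue already clears q->dev, the retained q->dev->addr != devaddr test now reaches the same reset path as an overlay change; a short note that the reset deliberately handles both cases would save readers from looking for the dropped q->dev = NULL branch.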
--
1.7.1