[Qemu-commits] [qemu/qemu] 3541cd: usb-mtp: fix string length for filena


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 3541cd: usb-mtp: fix string length for filename when writi...
Date: Fri, 03 May 2019 06:56:24 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 3541cd48f32233dd0c0766a3f342e3fd64b04381
      
https://github.com/qemu/qemu/commit/3541cd48f32233dd0c0766a3f342e3fd64b04381
  Author: Daniel P. Berrangé <address@hidden>
  Date:   2019-05-02 (Thu, 02 May 2019)

  Changed paths:
    M hw/usb/dev-mtp.c

  Log Message:
  -----------
  usb-mtp: fix string length for filename when writing metadata

The ObjectInfo 'length' field provides the length of the
wide character string filename. This is then converted to
a multi-byte character string. This may have a different
byte count to the wide character string. We should use the
C string length of the multi-byte string instead.

Signed-off-by: Daniel P. Berrangé <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 1259f27ec2113d34e54ee731aac5990d9606d9fa
      
https://github.com/qemu/qemu/commit/1259f27ec2113d34e54ee731aac5990d9606d9fa
  Author: Daniel P. Berrangé <address@hidden>
  Date:   2019-05-02 (Thu, 02 May 2019)

  Changed paths:
    M hw/usb/dev-mtp.c

  Log Message:
  -----------
  usb-mtp: fix alignment of access of ObjectInfo filename field

The ObjectInfo struct's "filename" field is following a uint8_t
field in a packed struct and thus has bad alignment for a 16-bit
field. Switch the field to uint8_t and use the helper function
for accessing unaligned 16-bit data.

Note that although the MTP spec specifies big endian, when transported
over the USB protocol, data is little endian.

Signed-off-by: Daniel P. Berrangé <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
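
The two usb-mtp log messages above describe one parsing problem: a 16-bit filename field at an odd offset, whose character count is not the byte count of the converted name. The C below is an added illustration, not code from hw/usb/dev-mtp.c; the function names, the sample record and the hand-written UTF-8 conversion are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: a count byte, then the name "日本.txt" plus terminator
 * as UTF-16LE. The 16-bit units start at offset 1, so they are unaligned. */
static const uint8_t sample_record[] = {
    7, 0xE5, 0x65, 0x2C, 0x67, '.', 0, 't', 0, 'x', 0, 't', 0, 0, 0,
};

/* Byte-wise little-endian load, valid at any alignment (hypothetical). */
static uint16_t load_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Convert `units` UTF-16LE code units into NUL-terminated UTF-8 in dst.
 * Returns the UTF-8 byte count, or -1 on a surrogate or lack of space.
 * Only the Basic Multilingual Plane is handled, to keep the example short. */
int wire_name_to_utf8(const uint8_t *src, size_t units, char *dst, size_t cap)
{
    size_t out = 0;
    if (cap == 0) {
        return -1;
    }
    for (size_t i = 0; i < units; i++) {
        uint16_t c = load_le16(src + 2 * i);
        size_t need = c < 0x80 ? 1 : c < 0x800 ? 2 : 3;

        if (c == 0) {
            break;                      /* terminator included in the count */
        }
        if ((c >= 0xD800 && c <= 0xDFFF) || out + need >= cap) {
            return -1;                  /* unsupported here, or no room */
        }
        if (need == 1) {
            dst[out++] = (char)c;
        } else if (need == 2) {
            dst[out++] = (char)(0xC0 | (c >> 6));
            dst[out++] = (char)(0x80 | (c & 0x3F));
        } else {
            dst[out++] = (char)(0xE0 | (c >> 12));
            dst[out++] = (char)(0x80 | ((c >> 6) & 0x3F));
            dst[out++] = (char)(0x80 | (c & 0x3F));
        }
    }
    dst[out] = '\0';
    return (int)out;
}
```

For the sample record the count byte is 7, while the converted name is 10 bytes long, so any later write or comparison has to use the returned length (or strlen of the result) and not the count from the wire.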


  Commit: 83c44b44d406326117ca2f040bae8d7de97b9c8e
      
https://github.com/qemu/qemu/commit/83c44b44d406326117ca2f040bae8d7de97b9c8e
  Author: Bandan Das <address@hidden>
  Date:   2019-05-02 (Thu, 02 May 2019)

  Changed paths:
    M hw/usb/dev-mtp.c

  Log Message:
  -----------
  usb-mtp: change default to success for usb_mtp_update_object

Commit c5ead51f90cf (usb-mtp: return incomplete transfer on a lstat
failure) checks if lstat succeeded when updating attributes of a
file. However, it also changed behavior to return an error by
default. This is incorrect because for smaller file sizes, QEMU
will attempt to write the file in one go and there won't be
an object for it.

Fixes: c5ead51f90cf
Signed-off-by: Bandan Das <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 0a076730adf469918d5d1cfdf9d740c6928208a4
      
https://github.com/qemu/qemu/commit/0a076730adf469918d5d1cfdf9d740c6928208a4
  Author: Longpeng <address@hidden>
  Date:   2019-05-02 (Thu, 02 May 2019)

  Changed paths:
    M hw/usb/hcd-xhci.c

  Log Message:
  -----------
  usb/xhci: avoid trigger assertion if guest write wrong epid

We found the following core in our environment:
0  0x00007fc6b06c2237 in raise ()
1  0x00007fc6b06c3928 in abort ()
2  0x00007fc6b06bb056 in __assert_fail_base ()
3  0x00007fc6b06bb102 in __assert_fail ()
4  0x0000000000702e36 in xhci_kick_ep (...)
5  0x000000000047897a in memory_region_write_accessor (...)
6  0x000000000047767f in access_with_adjusted_size (...)
7  0x000000000047944d in memory_region_dispatch_write (...)
(address@hidden, address@hidden, data=1648892416,
address@hidden, address@hidden)
8  0x000000000042df17 in address_space_write_continue (...)
10 0x000000000043084d in address_space_rw (...)
11 0x000000000047451b in kvm_cpu_exec (address@hidden)
12 0x000000000045dcf5 in qemu_kvm_cpu_thread_fn (arg=0x1ab11b0)
13 0x0000000000870631 in qemu_thread_start (address@hidden)
14 0x00000000008959a7 in thread_entry_for_hotfix (pthread_cb=<optimized out>)
15 0x00007fc6b0a60dd5 in start_thread ()
16 0x00007fc6b078a59d in clone ()

(gdb) f 5
5  0x000000000047897a in memory_region_write_accessor (...)
529         mr->ops->write(mr->opaque, addr, tmp, size);
(gdb) p /x tmp
$9 = 0x62481a00 <-- last byte 0x00 is @epid

xhci_doorbell_write() already checks the upper bound of @slotid and @epid;
it also needs to check the lower bound.

Cc: Gonglei <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Signed-off-by: Longpeng <address@hidden>
Tested-by: Philippe Mathieu-Daudé <address@hidden>
Message-id: address@hidden

[ kraxel: fixed typo in subject line ]

Signed-off-by: Gerd Hoffmann <address@hidden>
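
The log message above concerns a guest-written register value reaching an internal assertion. The C below is an added sketch of validating both bounds where the write is decoded, so that later code can rely on the range; it is not the code from hw/usb/hcd-xhci.c, and the limits, struct and function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed limits for this sketch; not taken from the page. */
#define MAX_SLOTS 64u
#define MAX_EPID  31u

struct doorbell {
    unsigned slotid;
    unsigned epid;
    unsigned streamid;
};

/* Decode a guest doorbell write. The low byte is the endpoint id, as in the
 * gdb session above; taking the stream id from the top 16 bits is an
 * assumption of this example. Returns false for any out-of-range id. */
bool doorbell_decode(unsigned slotid, uint32_t val, struct doorbell *db)
{
    unsigned epid = val & 0xff;

    if (slotid < 1 || slotid > MAX_SLOTS) {
        return false;               /* lower and upper bound on the slot */
    }
    if (epid < 1 || epid > MAX_EPID) {
        return false;               /* epid 0 is the case that hit assert() */
    }
    db->slotid = slotid;
    db->epid = epid;
    db->streamid = val >> 16;
    return true;
}

/* Internal consumer: indexes per-endpoint state with epid - 1, so it may
 * only ever see ids that doorbell_decode() accepted. */
int endpoint_index(const struct doorbell *db)
{
    return (int)((db->slotid - 1) * MAX_EPID + (db->epid - 1));
}
```

With the value from the core dump, 0x62481a00, doorbell_decode() returns false and the write is dropped before anything that asserts on the endpoint id can run.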


  Commit: 72e0c127bd692660c087ba7fcbe9d50032c8debd
      
https://github.com/qemu/qemu/commit/72e0c127bd692660c087ba7fcbe9d50032c8debd
  Author: Thomas Huth <address@hidden>
  Date:   2019-05-02 (Thu, 02 May 2019)

  Changed paths:
    M hw/usb/hcd-ohci.c

  Log Message:
  -----------
  hw/usb/hcd-ohci: Do not use PCI functions with sysbus devices in ohci_die()

The ohci_die() function always assumes it is running with a PCI OHCI
controller and calls the PCI-specific function pci_set_word(). However,
this function might also get called for the sysbus OHCI devices, so it
likely fails in that case. To fix this issue, change the code so that
there are two implementations, one for sysbus and one for PCI, and
use the right function via a function pointer in the OHCIState structure.

Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Tested-by: Philippe Mathieu-Daudé <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: 34d97308f6d54d1f329267952533d25e6c8928ff
      
https://github.com/qemu/qemu/commit/34d97308f6d54d1f329267952533d25e6c8928ff
  Author: Thomas Huth <address@hidden>
  Date:   2019-05-02 (Thu, 02 May 2019)

  Changed paths:
    M hw/sh4/Kconfig
    M hw/usb/Kconfig
    M hw/usb/Makefile.objs
    A hw/usb/hcd-ohci-pci.c
    M hw/usb/hcd-ohci.c
    A hw/usb/hcd-ohci.h

  Log Message:
  -----------
  hw/usb/hcd-ohci: Move PCI-related code into a separate file

Some machines (like the pxa2xx-based ARM machines) only have a sysbus
OHCI controller, but no PCI. With the new Kconfig-style build system,
it will soon be possible to create QEMU binaries that only contain
such PCI-less machines. However, the two OHCI controllers, for sysbus
and for PCI, are currently both located in one file, so the PCI code
is still required for linking here. Move the OHCI-PCI device code
into a separate file, so that it is possible to use the sysbus OHCI
device also without the PCI dependency.

Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Tested-by: Philippe Mathieu-Daudé <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: ccb799313a5926a6aa49018bbc67fe6165fad7f3
      
https://github.com/qemu/qemu/commit/ccb799313a5926a6aa49018bbc67fe6165fad7f3
  Author: Daniel P. Berrangé <address@hidden>
  Date:   2019-05-03 (Fri, 03 May 2019)

  Changed paths:
    M hw/usb/hcd-xhci.c

  Log Message:
  -----------
  hw/usb: avoid format truncation warning when formatting port name

hw/usb/hcd-xhci.c: In function ‘usb_xhci_realize’:
hw/usb/hcd-xhci.c:3339:66: warning: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 5 [-Wformat-truncation=]
 3339 |             snprintf(port->name, sizeof(port->name), "usb2 port #%d", i+1);
      |                                                                  ^~
hw/usb/hcd-xhci.c:3339:54: note: directive argument in the range [1, 2147483647]
 3339 |             snprintf(port->name, sizeof(port->name), "usb2 port #%d", i+1);
      |                                                      ^~~~~~~~~~~~~~~

The xhci code formats the port name into a fixed length
buffer which is only large enough to hold port numbers
up to 5 digits in decimal representation. We're never
going to have a port number that large, so asserting the
port number is sensible is sufficient to tell GCC the
formatted string won't be truncated.

Signed-off-by: Daniel P. Berrangé <address@hidden>
Message-Id: <address@hidden>

[ kraxel: also s/int/unsigned int/ to tell gcc they can't
          go negative. ]

Signed-off-by: Gerd Hoffmann <address@hidden>


  Commit: c58f3911b282e14991d540394e82a4be547466e5
      
https://github.com/qemu/qemu/commit/c58f3911b282e14991d540394e82a4be547466e5
  Author: Peter Maydell <address@hidden>
  Date:   2019-05-03 (Fri, 03 May 2019)

  Changed paths:
    M hw/sh4/Kconfig
    M hw/usb/Kconfig
    M hw/usb/Makefile.objs
    M hw/usb/dev-mtp.c
    A hw/usb/hcd-ohci-pci.c
    M hw/usb/hcd-ohci.c
    A hw/usb/hcd-ohci.h
    M hw/usb/hcd-xhci.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/kraxel/tags/usb-20190503-v2-pull-request' into staging

usb: bugfixes for mtp and xhci, split ohci-pci.

# gpg: Signature made Fri 03 May 2019 07:59:39 BST
# gpg:                using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <address@hidden>" [full]
# gpg:                 aka "Gerd Hoffmann <address@hidden>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <address@hidden>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/usb-20190503-v2-pull-request:
  hw/usb: avoid format truncation warning when formatting port name
  hw/usb/hcd-ohci: Move PCI-related code into a separate file
  hw/usb/hcd-ohci: Do not use PCI functions with sysbus devices in ohci_die()
  usb/xhci: avoid trigger assertion if guest write wrong epid
  usb-mtp: change default to success for usb_mtp_update_object
  usb-mtp: fix alignment of access of ObjectInfo filename field
  usb-mtp: fix string length for filename when writing metadata

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/51138751827f...c58f3911b282


