From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Juergen Gross, Gerd Hoffmann
Date: Fri, 14 Dec 2018 11:38:50 +0100
Message-Id: <20181214103854.13820-2-kraxel@redhat.com>
Subject: [Qemu-devel] [PULL 1/5] pvusb: set max grants only in initialise

From: Juergen Gross

Don't call xen_be_set_max_grant_refs() in usbback_alloc(), as the
gnttabdev pointer won't be initialised yet. The call can easily be moved
to usbback_connect().

Signed-off-by: Juergen Gross
Message-id: 20181206133923.30105-1-jgross@suse.com
Signed-off-by: Gerd Hoffmann
---
 hw/usb/xen-usb.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/hw/usb/xen-usb.c b/hw/usb/xen-usb.c index 5b2e21ed18..f5d5c91094 100644 --- a/hw/usb/xen-usb.c +++ b/hw/usb/xen-usb.c @@ -860,10 +860,14 @@ static int usbback_connect(struct XenDevice *xendev) struct usbif_conn_sring *conn_sring; int urb_ring_ref; int conn_ring_ref; - unsigned int i; + unsigned int i, max_grants; TR_BUS(xendev, "start\n"); + /* max_grants: for each request and for the rings (request and connect). */ + max_grants = USBIF_MAX_SEGMENTS_PER_REQUEST * USB_URB_RING_SIZE + 2; + xen_be_set_max_grant_refs(xendev, max_grants); + usbif = container_of(xendev, struct usbback_info, xendev); if (xenstore_read_fe_int(xendev, "urb-ring-ref", &urb_ring_ref)) { @@ -1005,7 +1009,7 @@ static void usbback_alloc(struct XenDevice *xendev) { struct usbback_info *usbif; USBPort *p; - unsigned int i, max_grants; + unsigned int i; usbif = container_of(xendev, struct usbback_info, xendev); 
@@ -1021,10 +1025,6 @@ static void usbback_alloc(struct XenDevice *xendev) QTAILQ_INIT(&usbif->req_free_q); QSIMPLEQ_INIT(&usbif->hotplug_q); usbif->bh = qemu_bh_new(usbback_bh, usbif); - - /* max_grants: for each request and for the rings (request and connect). */ - max_grants = USBIF_MAX_SEGMENTS_PER_REQUEST * USB_URB_RING_SIZE + 2; - xen_be_set_max_grant_refs(xendev, max_grants); } static int usbback_free(struct XenDevice *xendev)
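
Review bot: The comment that moves with the call into usbback_connect() only explains how max_grants is computed; it should also say why the call has to live there, namely that the gnttabdev pointer is not initialised yet in usbback_alloc() (as the commit message states), so that nobody moves it back later. Since max_grants is a constant expression, it could also be passed to xen_be_set_max_grant_refs() directly or turned into a #define, which would avoid the extra local.
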
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: linzhecheng, Gerd Hoffmann
Date: Fri, 14 Dec 2018 11:38:51 +0100
Message-Id: <20181214103854.13820-3-kraxel@redhat.com>
Subject: [Qemu-devel] [PULL 2/5] usb-host: reset and close libusb_device_handle before qemu exit

From: linzhecheng

We should perform these things the same as usb_host_close.

Signed-off-by: linzhecheng
Message-id: 20181130064700.5984-1-linzhecheng@huawei.com
[ kraxel: whitespace fixup ]
Signed-off-by: Gerd Hoffmann
---
 hw/usb/host-libusb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c index b6602ded4e..833250a886 100644 --- a/hw/usb/host-libusb.c +++ b/hw/usb/host-libusb.c
@@ -988,7 +988,9 @@ static void usb_host_exit_notifier(struct Notifier *n, void *data) if (s->dh) { usb_host_release_interfaces(s); + libusb_reset_device(s->dh); usb_host_attach_kernel(s); + libusb_close(s->dh); } }
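
Review bot: After `libusb_close(s->dh);` in usb_host_exit_notifier() the pointer stays in s->dh, so any later code that tests `if (s->dh)` sees a non-NULL handle that is already closed; set `s->dh = NULL;` after the close, or call usb_host_close() itself if the intent is to do the same as it does. The return value of libusb_reset_device() is also ignored, and a failed reset at exit deserves at least a trace or error message.
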
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann
Date: Fri, 14 Dec 2018 11:38:52 +0100
Message-Id: <20181214103854.13820-4-kraxel@redhat.com>
Subject: [Qemu-devel] [PULL 3/5] ehci: fix fetch qtd race

The token field contains the (guest-filled) state of the qtd, which
indicates whether the other fields are valid or not. So make sure
we read the token first, otherwise we may end up with a stale next
pointer:

 (1) ehci reads next
 (2) guest writes next
 (3) guest writes token
 (4) ehci reads token
 (5) ehci operates with stale next.

Typical effect is that qemu doesn't notice that the guest appends new
qtds to the end of the queue. Looks like the usb device stopped
responding. Linux can recover from that, but leaves a message in the
kernel log that it did reset the usb device in question.

Signed-off-by: Gerd Hoffmann
Message-id: 20181126100836.8805-1-kraxel@redhat.com
---
 hw/usb/hcd-ehci.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c index e5acfc5ba5..8d44d483df 100644 --- a/hw/usb/hcd-ehci.c +++ b/hw/usb/hcd-ehci.c
@@ -1783,9 +1783,17 @@ static int ehci_state_fetchqtd(EHCIQueue *q) EHCIqtd qtd; EHCIPacket *p; int again = 1; + uint32_t addr; - if (get_dwords(q->ehci, NLPTR_GET(q->qtdaddr), (uint32_t *) &qtd, - sizeof(EHCIqtd) >> 2) < 0) { + addr = NLPTR_GET(q->qtdaddr); + if (get_dwords(q->ehci, addr + 8, &qtd.token, 1) < 0) { + return 0; + } + barrier(); + if (get_dwords(q->ehci, addr + 0, &qtd.next, 1) < 0 || + get_dwords(q->ehci, addr + 4, &qtd.altnext, 1) < 0 || + get_dwords(q->ehci, addr + 12, qtd.bufptr, + ARRAY_SIZE(qtd.bufptr)) < 0) { return 0; } ehci_trace_qtd(q, NLPTR_GET(q->qtdaddr), &qtd);
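
Review bot: The `barrier();` between the token read and the remaining reads in ehci_state_fetchqtd() only keeps the compiler from reordering them; if the ordering against a guest vCPU thread is meant to hold on weakly ordered hosts as well, a read memory barrier such as smp_rmb() states that explicitly, and a one-line comment saying that token must be read first would stop the order from being tidied away later. The literal offsets 0, 4, 8 and 12 would be easier to check as offsetof(EHCIqtd, ...) expressions, and the unchanged ehci_trace_qtd() line could use the new addr instead of repeating NLPTR_GET(q->qtdaddr).
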
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Bandan Das, Gerd Hoffmann, Prasad J Pandit
Date: Fri, 14 Dec 2018 11:38:53 +0100
Message-Id: <20181214103854.13820-5-kraxel@redhat.com>
Subject: [Qemu-devel] [PULL 4/5] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.

Open files and directories with O_NOFOLLOW to avoid symlink attacks.
While being at it also add O_CLOEXEC.

usb-mtp only handles regular files and directories and ignores
everything else, so users should not see a difference.

Because qemu ignores symlinks, carrying out a successful symlink attack
requires swapping an existing file or directory below rootdir for a
symlink and winning the race against the inotify notification to qemu.

Fixes: CVE-2018-16872
Cc: Prasad J Pandit
Cc: Bandan Das
Reported-by: Michael Hanselmann
Signed-off-by: Gerd Hoffmann
Reviewed-by: Michael Hanselmann
Message-id: 20181213122511.13853-1-kraxel@redhat.com
---
 hw/usb/dev-mtp.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 100b7171f4..36c43b8c20 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c
@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o) { struct dirent *entry; DIR *dir; + int fd; if (o->have_children) { return; } o->have_children = true; - dir = opendir(o->path); + fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); + if (fd < 0) { + return; + } + dir = fdopendir(fd); if (!dir) { return; } @@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c, trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path); - d->fd = open(o->path, O_RDONLY); + d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); if (d->fd == -1) { usb_mtp_data_free(d); return NULL; @@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c, c->argv[1], c->argv[2]); d = usb_mtp_data_alloc(c); - d->fd = open(o->path, O_RDONLY); + d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); if (d->fd == -1) { usb_mtp_data_free(d); return NULL; 
@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s) 0, 0, 0, 0); goto done; } - d->fd = open(path, O_CREAT | O_WRONLY, mask); + d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask); if (d->fd == -1) { usb_mtp_queue_result(s, RES_STORE_FULL, d->trans, 0, 0, 0, 0);
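
Review bot: In the usb_mtp_object_readdir() hunk, a failing fdopendir(fd) leaves through the existing `if (!dir) { return; }` without closing fd, so the descriptor leaks on that path; add `close(fd);` before the return. The early return on `fd < 0` also happens after `o->have_children = true;` has been set, which is worth a comment if a refused symlink is meant to be treated as an empty directory for good.
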
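
How far O_NOFOLLOW reaches in the case this commit message describes, as an added example that is not part of the patch or of QEMU: the flag rejects a symlink only in the final path component, so a path that runs through a directory swapped for a symlink still opens unless every component is opened with the flag. `open_beneath_nofollow`, `opens` and `nofollow_demo` are hypothetical names, and the directory tree is constructed in a temp directory under /tmp (Linux errno values assumed).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not QEMU code): open `rel` below `rootfd` with
 * O_NOFOLLOW on every path component. `flags` must not contain O_CREAT. */
int open_beneath_nofollow(int rootfd, const char *rel, int flags)
{
    char buf[PATH_MAX], *save = NULL, *name, *next;
    int dirfd, fd, err;

    if (!memccpy(buf, rel, '\0', sizeof(buf))) {
        errno = ENAMETOOLONG;
        return -1;
    }
    dirfd = dup(rootfd);
    name = strtok_r(buf, "/", &save);
    while (dirfd >= 0 && name && strcmp(name, "..") != 0) {
        next = strtok_r(NULL, "/", &save);
        fd = openat(dirfd, name, O_CLOEXEC | O_NOFOLLOW |
                    (next ? O_RDONLY | O_DIRECTORY : flags));
        err = errno;
        close(dirfd);
        if (fd < 0 || !next) {
            errno = err;
            return fd;      /* opened file, or -1 for a refused component */
        }
        dirfd = fd;
        name = next;
    }
    if (dirfd >= 0) {       /* empty path or ".." component */
        close(dirfd);
        errno = EINVAL;
    }
    return -1;
}

/* 1 if `path` opens; walk=0 is a single openat() with O_NOFOLLOW. */
static int opens(int dirfd, const char *path, int walk)
{
    int fd = walk ? open_beneath_nofollow(dirfd, path, O_RDONLY)
                  : openat(dirfd, path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
    return fd >= 0 ? (close(fd), 1) : 0;
}

/* Builds a constructed tree in a temp dir; returns a bitmask of outcomes. */
int nofollow_demo(void)
{
    static const char *rm[] = { "root/sub/flink", "root/sub/file", "root/link",
                                "outside/secret", "root/sub", "root", "outside" };
    char tmpl[] = "/tmp/nofollow-demo-XXXXXX";
    int base, root, r = 0;

    if (!mkdtemp(tmpl) || (base = open(tmpl, O_RDONLY | O_DIRECTORY)) < 0 ||
        mkdirat(base, "root", 0700) || mkdirat(base, "root/sub", 0700) ||
        mkdirat(base, "outside", 0700) ||
        symlinkat("../outside", base, "root/link") ||
        symlinkat("../../outside/secret", base, "root/sub/flink")) {
        return -1;
    }
    close(openat(base, "root/sub/file", O_CREAT | O_WRONLY, 0600));
    close(openat(base, "outside/secret", O_CREAT | O_WRONLY, 0600));
    root = openat(base, "root", O_RDONLY | O_DIRECTORY);
    r |= !opens(root, "sub/flink", 0) && errno == ELOOP ? 1 : 0; /* last is link */
    r |= opens(root, "link/secret", 0) ? 2 : 0;    /* symlinked dir followed */
    r |= !opens(root, "link/secret", 1) ? 4 : 0;   /* walk refuses it */
    r |= opens(root, "sub/file", 1) ? 8 : 0;       /* walk opens the real path */
    for (size_t i = 0; i < sizeof(rm) / sizeof(rm[0]); i++) {
        unlinkat(base, rm[i], i < 4 ? 0 : AT_REMOVEDIR);
    }
    close(root);
    close(base);
    return rmdir(tmpl) == 0 ? r : -1;
}

int main(void) { return nofollow_demo() == 15 ? 0 : 1; }
```

A result of 15 means all four outcomes held: the final-component symlink was refused with ELOOP, the path through the symlinked directory opened with the flag given once, and the per-component walk refused that path while still opening the real file.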
From: Gerd Hoffmann
To: qemu-devel@nongnu.org
Cc: Michael Hanselmann, Gerd Hoffmann
Date: Fri, 14 Dec 2018 11:38:54 +0100
Message-Id: <20181214103854.13820-6-kraxel@redhat.com>
Subject: [Qemu-devel] [PULL 5/5] usb-mtp: Limit filename to object information size

From: Michael Hanselmann

The filename length in MTP metadata is specified by the guest. By
trusting it directly it'd theoretically be possible to get the host to
write memory parts outside the filename buffer into a filename. In
practice though there are usually NUL bytes stopping the string
operations.

Also use the opportunity to not assign the filename member twice.

Signed-off-by: Michael Hanselmann
Message-id: ab70659d8d5c580bdf150a5f7d5cc60c8e374ffc.1544740018.git.public@hansmi.ch
[ kraxel: codestyle fix: break a long line ]
Signed-off-by: Gerd Hoffmann
---
 hw/usb/dev-mtp.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 36c43b8c20..6098005cd4 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -1710,7 +1710,7 @@ free: s->write_pending = false; } -static void usb_mtp_write_metadata(MTPState *s) +static void usb_mtp_write_metadata(MTPState *s, uint64_t dlen) { MTPData *d = s->data_out; ObjectInfo *dataset = (ObjectInfo *)d->data; @@ -1722,7 +1722,9 @@ static void usb_mtp_write_metadata(MTPState *s) assert(!s->write_pending); assert(p != NULL); - filename = utf16_to_str(dataset->length, dataset->filename); + filename = utf16_to_str(MIN(dataset->length, + dlen - offsetof(ObjectInfo, filename)), + dataset->filename); if (strchr(filename, '/')) { usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, @@ -1738,7 +1740,6 @@ static void usb_mtp_write_metadata(MTPState *s) s->dataset.filename = filename; s->dataset.format = dataset->format; s->dataset.size = dataset->size; - s->dataset.filename = filename; s->write_pending = true; if (s->dataset.format == FMT_ASSOCIATION) { @@ -1807,7 +1808,7 @@ static void usb_mtp_get_data(MTPState *s, mtp_container *container, if (d->offset == d->length) { /* The operation might have already failed */ if (!s->result) { - usb_mtp_write_metadata(s); + usb_mtp_write_metadata(s, dlen); } usb_mtp_data_free(s->data_out); s->data_out = NULL;
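
Review bot: In usb_mtp_write_metadata(), `dlen - offsetof(ObjectInfo, filename)` is evaluated on a uint64_t, so a dlen smaller than the offset wraps to a very large value and MIN() then picks the guest-supplied dataset->length, which is exactly the case the patch sets out to exclude; reject `dlen < offsetof(ObjectInfo, filename)` before the call. The bound is also a byte count, while the name utf16_to_str() suggests its first argument counts 16-bit units; if that is so, the remainder needs dividing by the element size before it goes into MIN().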