* [PULL 0/2] Fixes 20200716 patches
@ 2020-07-16 9:31 Gerd Hoffmann
2020-07-16 9:31 ` [PULL 1/2] vfio: fix use-after-free in display Gerd Hoffmann
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Gerd Hoffmann @ 2020-07-16 9:31 UTC (permalink / raw)
To: qemu-devel; +Cc: Alex Williamson, Gerd Hoffmann
The following changes since commit 8746309137ba470d1b2e8f5ce86ac228625db940:

  Update version for v5.1.0-rc0 release (2020-07-15 19:08:07 +0100)

are available in the Git repository at:

  git://git.kraxel.org/qemu tags/fixes-20200716-pull-request

for you to fetch changes up to 4084e35068772cf4f81bbae5174019f277c61084:

  usb: fix storage regression (2020-07-16 10:20:27 +0200)
----------------------------------------------------------------
fixes: usb storage regression, vfio display ramfb bug
----------------------------------------------------------------
Gerd Hoffmann (2):
vfio: fix use-after-free in display
usb: fix storage regression
hw/usb/dev-storage.c | 3 +--
hw/vfio/display.c | 1 +
2 files changed, 2 insertions(+), 2 deletions(-)
--
2.18.4
* [PULL 1/2] vfio: fix use-after-free in display
2020-07-16 9:31 [PULL 0/2] Fixes 20200716 patches Gerd Hoffmann
@ 2020-07-16 9:31 ` Gerd Hoffmann
2020-07-16 9:31 ` [PULL 2/2] usb: fix storage regression Gerd Hoffmann
2020-07-16 20:12 ` [PULL 0/2] Fixes 20200716 patches Peter Maydell
2 siblings, 0 replies; 5+ messages in thread
From: Gerd Hoffmann @ 2020-07-16 9:31 UTC (permalink / raw)
To: qemu-devel; +Cc: Alex Williamson, Gerd Hoffmann
Calling ramfb_display_update() might replace the DisplaySurface with the
boot display, which in turn will free the currently active
DisplaySurface.
So clear our DisplaySurface pointer (dpy->region.surface pointer) to (a)
avoid use-after-free and (b) force replacing the boot display with the
real display when switching back.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Alex Williamson <alex.williamson@redhat.com>
Acked-by: Alex Williamson <alex.williamson@redhat.com>
Message-id: 20200713124520.23266-1-kraxel@redhat.com
---
hw/vfio/display.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/vfio/display.c b/hw/vfio/display.c
index a57a22674d62..342054193b3c 100644
--- a/hw/vfio/display.c
+++ b/hw/vfio/display.c
@@ -405,6 +405,7 @@ static void vfio_display_region_update(void *opaque)
if (!plane.drm_format || !plane.size) {
if (dpy->ramfb) {
ramfb_display_update(dpy->con, dpy->ramfb);
+ dpy->region.surface = NULL;
}
return;
}
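Review bot: the new `dpy->region.surface = NULL;` after `ramfb_display_update(dpy->con, dpy->ramfb);` carries no comment, and nothing in the hunk itself shows that the ramfb call can free the surface this pointer refers to. A one-line comment above the assignment saying the console may already have released that surface would keep a later cleanup from dropping the line as redundant. Only this one pointer is reset on the early-return path, so it is also worth confirming in the commit message that no other cached field in dpy->region stays tied to the old surface.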
--
2.18.4
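A minimal model of the lifetime bug described in the commit message above, as an added example that is not part of the patch or of QEMU's code. Surface, Console, Display and all function names are hypothetical stand-ins, and freeing is simulated with a flag so the stale pointer can be observed safely.

```c
#include <stdio.h>
/* Constructed model, not QEMU code. Surfaces live in a static pool and
 * "free" only clears a flag, so a stale access is observable without UB. */
typedef struct Surface { int live, width, height; } Surface;
typedef struct Console { Surface *active; } Console;
typedef struct Display {
    Console *con;
    Surface *cached;    /* plays the role of dpy->region.surface */
    int clear_on_boot;  /* 1 = behave as with the fix applied */
} Display;
static Surface pool[16]; static unsigned pool_next;
static Surface *surface_new(int w, int h) {
    Surface *s = &pool[pool_next++ % 16];
    s->live = 1; s->width = w; s->height = h;
    return s;
}
/* The console owns its surface: installing a new one releases the old. */
static void console_replace(Console *con, Surface *s) {
    if (con->active && con->active != s) con->active->live = 0;
    con->active = s;
}
/* Empty-plane path: the boot display takes over the console. */
static void update_no_plane(Display *d) {
    console_replace(d->con, surface_new(640, 480));
    if (d->clear_on_boot) d->cached = NULL;
}
/* Normal path: 1 = fresh surface installed, 0 = cached surface reused,
 * -1 = cached pointer refers to a surface the console already released. */
static int update_with_plane(Display *d, int w, int h) {
    if (d->cached == NULL) {
        d->cached = surface_new(w, h);
        console_replace(d->con, d->cached);
        return 1;
    }
    return d->cached->live ? 0 : -1;
}
/* Real display -> boot display -> real display; result of the last step. */
static int switch_back_result(int clear_on_boot) {
    Console con = { NULL };
    Display d = { &con, NULL, clear_on_boot };
    update_with_plane(&d, 1024, 768);
    update_no_plane(&d);
    return update_with_plane(&d, 1024, 768);
}
int main(void) {
    printf("without fix: %d, with fix: %d\n", switch_back_result(0), switch_back_result(1));
    return 0;
}
```

In the model, a result of -1 marks the point where the real code would dereference freed memory, and 1 shows the real display being reinstalled after the boot display.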
* [PULL 2/2] usb: fix storage regression
2020-07-16 9:31 [PULL 0/2] Fixes 20200716 patches Gerd Hoffmann
2020-07-16 9:31 ` [PULL 1/2] vfio: fix use-after-free in display Gerd Hoffmann
@ 2020-07-16 9:31 ` Gerd Hoffmann
2020-07-16 9:57 ` BALATON Zoltan
2020-07-16 20:12 ` [PULL 0/2] Fixes 20200716 patches Peter Maydell
2 siblings, 1 reply; 5+ messages in thread
From: Gerd Hoffmann @ 2020-07-16 9:31 UTC (permalink / raw)
To: qemu-devel; +Cc: Alex Williamson, Gerd Hoffmann
Fix the contition to figure whenever we need to wait for more data or
not. Simply check the mode, if we are not in DATAIN state any more we
are done already and don't need to go ASYNC.
Fixes: 7ad3d51ebb8a ("usb: add short-packet handling to usb-storage driver")
Reported-by: Sai Pavan Boddu <saipava@xilinx.com>
Tested-by: Paul Zimmerman <pauldzim@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20200713062712.1476-1-kraxel@redhat.com
---
hw/usb/dev-storage.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
index 2ed6a8df2413..405a4ccfe700 100644
--- a/hw/usb/dev-storage.c
+++ b/hw/usb/dev-storage.c
@@ -546,8 +546,7 @@ static void usb_msd_handle_data(USBDevice *dev, USBPacket *p)
}
}
}
- if (p->actual_length < p->iov.size && (p->short_not_ok ||
- s->scsi_len >= p->ep->max_packet_size)) {
+ if (p->actual_length < p->iov.size && s->mode == USB_MSDM_DATAIN) {
DPRINTF("Deferring packet %p [wait data-in]\n", p);
s->packet = p;
p->status = USB_RET_ASYNC;
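Review bot: nothing explains why `p->short_not_ok` can be ignored in the new condition `p->actual_length < p->iov.size && s->mode == USB_MSDM_DATAIN`; the commit message justifies the mode check but not the removal of the short_not_ok and `s->scsi_len >= p->ep->max_packet_size` terms, and a sentence on that would help anyone bisecting a later short-packet problem. The test also depends on s->mode having been updated by the code above this hunk before it is read here, so a brief comment at the `if` stating that ordering assumption would make it harder to break in a later reorder.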
--
2.18.4
* Re: [PULL 2/2] usb: fix storage regression
2020-07-16 9:31 ` [PULL 2/2] usb: fix storage regression Gerd Hoffmann
@ 2020-07-16 9:57 ` BALATON Zoltan
0 siblings, 0 replies; 5+ messages in thread
From: BALATON Zoltan @ 2020-07-16 9:57 UTC (permalink / raw)
To: Gerd Hoffmann; +Cc: Alex Williamson, qemu-devel
On Thu, 16 Jul 2020, Gerd Hoffmann wrote:
> Fix the contition to figure whenever we need to wait for more data or
Typo: contition -> condition
Regards,
BALATON Zoltan
> not. Simply check the mode, if we are not in DATAIN state any more we
> are done already and don't need to go ASYNC.
>
> Fixes: 7ad3d51ebb8a ("usb: add short-packet handling to usb-storage driver")
> Reported-by: Sai Pavan Boddu <saipava@xilinx.com>
> Tested-by: Paul Zimmerman <pauldzim@gmail.com>
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> Message-id: 20200713062712.1476-1-kraxel@redhat.com
> ---
> hw/usb/dev-storage.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
> index 2ed6a8df2413..405a4ccfe700 100644
> --- a/hw/usb/dev-storage.c
> +++ b/hw/usb/dev-storage.c
> @@ -546,8 +546,7 @@ static void usb_msd_handle_data(USBDevice *dev, USBPacket *p)
> }
> }
> }
> - if (p->actual_length < p->iov.size && (p->short_not_ok ||
> - s->scsi_len >= p->ep->max_packet_size)) {
> + if (p->actual_length < p->iov.size && s->mode == USB_MSDM_DATAIN) {
> DPRINTF("Deferring packet %p [wait data-in]\n", p);
> s->packet = p;
> p->status = USB_RET_ASYNC;
>
* Re: [PULL 0/2] Fixes 20200716 patches
2020-07-16 9:31 [PULL 0/2] Fixes 20200716 patches Gerd Hoffmann
2020-07-16 9:31 ` [PULL 1/2] vfio: fix use-after-free in display Gerd Hoffmann
2020-07-16 9:31 ` [PULL 2/2] usb: fix storage regression Gerd Hoffmann
@ 2020-07-16 20:12 ` Peter Maydell
2 siblings, 0 replies; 5+ messages in thread
From: Peter Maydell @ 2020-07-16 20:12 UTC (permalink / raw)
To: Gerd Hoffmann; +Cc: Alex Williamson, QEMU Developers
On Thu, 16 Jul 2020 at 10:34, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> The following changes since commit 8746309137ba470d1b2e8f5ce86ac228625db940:
>
> Update version for v5.1.0-rc0 release (2020-07-15 19:08:07 +0100)
>
> are available in the Git repository at:
>
> git://git.kraxel.org/qemu tags/fixes-20200716-pull-request
>
> for you to fetch changes up to 4084e35068772cf4f81bbae5174019f277c61084:
>
> usb: fix storage regression (2020-07-16 10:20:27 +0200)
>
> ----------------------------------------------------------------
> fixes: usb storage regression, vfio display ramfb bug
>
Applied, thanks.
Please update the changelog at https://wiki.qemu.org/ChangeLog/5.1
for any user-visible changes.
-- PMM