* [Qemu-devel] [PULL 0/3] Usb 20190829 patches
@ 2019-08-29  7:10 Gerd Hoffmann
  2019-08-29  7:10 ` [Qemu-devel] [PULL 1/3] xhci: Fix memory leak in xhci_address_slot Gerd Hoffmann
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Gerd Hoffmann @ 2019-08-29  7:10 UTC
  To: qemu-devel; +Cc: Gerd Hoffmann

The following changes since commit 23919ddfd56135cad3cb468a8f54d5a595f024f4:

  Merge remote-tracking branch 'remotes/aperard/tags/pull-xen-20190827' into staging (2019-08-27 15:52:36 +0100)

are available in the Git repository at:

  git://git.kraxel.org/qemu tags/usb-20190829-pull-request

for you to fetch changes up to e4c1c64112565a9be50008e6f28dbc41b53da740:

  usb-mtp: add sanity checks on rootdir (2019-08-29 07:31:12 +0200)

----------------------------------------------------------------
usb: bugfixes for xhci and mtp.

----------------------------------------------------------------

Bandan Das (1):
  usb-mtp: add sanity checks on rootdir

Ying Fang (1):
  xhci: Fix memory leak in xhci_address_slot

fangying (1):
  xhci: Fix memory leak in xhci_kick_epctx

 hw/usb/dev-mtp.c  | 38 ++++++++++++++++++++++++--------------
 hw/usb/hcd-xhci.c |  2 ++
 2 files changed, 26 insertions(+), 14 deletions(-)

-- 
2.18.1




* [Qemu-devel] [PULL 1/3] xhci: Fix memory leak in xhci_address_slot
  2019-08-29  7:10 [Qemu-devel] [PULL 0/3] Usb 20190829 patches Gerd Hoffmann
@ 2019-08-29  7:10 ` Gerd Hoffmann
  2019-08-29  7:10 ` [Qemu-devel] [PULL 2/3] xhci: Fix memory leak in xhci_kick_epctx Gerd Hoffmann
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Gerd Hoffmann @ 2019-08-29  7:10 UTC
  To: qemu-devel; +Cc: Ying Fang, Gerd Hoffmann, zhanghailiang

From: Ying Fang <fangying1@huawei.com>

Address Sanitizer shows memory leak in xhci_address_slot
hw/usb/hcd-xhci.c:2156 and the stack is as below:

Direct leak of 64 byte(s) in 4 object(s) allocated from:
    #0 0xffff91c6f5ab in realloc (/lib64/libasan.so.4+0xd35ab)
    #1 0xffff91987243 in g_realloc (/lib64/libglib-2.0.so.0+0x57243)
    #2 0xaaaab0b26a1f in qemu_iovec_add util/iov.c:296
    #3 0xaaaab07e5ce3 in xhci_address_slot hw/usb/hcd-xhci.c:2156
    #4 0xaaaab07e5ce3 in xhci_process_commands hw/usb/hcd-xhci.c:2493
    #5 0xaaaab00058d7 in memory_region_write_accessor qemu/memory.c:507
    #6 0xaaaab0000d87 in access_with_adjusted_size memory.c:573
    #7 0xaaaab000abcf in memory_region_dispatch_write memory.c:1516
    #8 0xaaaaaff59947 in flatview_write_continue exec.c:3367
    #9 0xaaaaaff59c33 in flatview_write exec.c:3406
    #10 0xaaaaaff63b3b in address_space_write exec.c:3496
    #11 0xaaaab002f263 in kvm_cpu_exec accel/kvm/kvm-all.c:2288
    #12 0xaaaaaffee427 in qemu_kvm_cpu_thread_fn cpus.c:1290
    #13 0xaaaab0b1a943 in qemu_thread_start util/qemu-thread-posix.c:502
    #14 0xffff908ce8bb in start_thread (/lib64/libpthread.so.0+0x78bb)
    #15 0xffff908165cb in thread_start (/lib64/libc.so.6+0xd55cb)

Cc: zhanghailiang <zhang.zhanghailiang@huawei.com>
Signed-off-by: Ying Fang <fangying1@huawei.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Message-id: 20190827080209.2365-1-fangying1@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/hcd-xhci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index f5782649482b..471759cd4cc0 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -2161,6 +2161,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid,
                                   DeviceOutRequest | USB_REQ_SET_ADDRESS,
                                   slotid, 0, 0, NULL);
         assert(p.status != USB_RET_ASYNC);
+        usb_packet_cleanup(&p);
     }
 
     res = xhci_enable_ep(xhci, slotid, 1, octx+32, ep0_ctx);
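Review bot: The added `usb_packet_cleanup(&p);` is only correct because it follows `assert(p.status != USB_RET_ASYNC);`, i.e. the packet is known to have completed synchronously, and nothing on the line says so. A one-line comment to that effect would keep a later change from moving the cleanup ahead of the assert or dropping the assert. The commit message gives the ASan trace (allocation through `qemu_iovec_add`) but not the reason nothing freed it; one sentence stating that the packet `p` was never cleaned up after the SET_ADDRESS request would make the log self-explanatory. It is also worth confirming that no exit path above the visible context leaves this block without reaching the cleanup.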
-- 
2.18.1




* [Qemu-devel] [PULL 2/3] xhci: Fix memory leak in xhci_kick_epctx
  2019-08-29  7:10 [Qemu-devel] [PULL 0/3] Usb 20190829 patches Gerd Hoffmann
  2019-08-29  7:10 ` [Qemu-devel] [PULL 1/3] xhci: Fix memory leak in xhci_address_slot Gerd Hoffmann
@ 2019-08-29  7:10 ` Gerd Hoffmann
  2019-08-29  7:10 ` [Qemu-devel] [PULL 3/3] usb-mtp: add sanity checks on rootdir Gerd Hoffmann
  2019-09-04  9:15 ` [Qemu-devel] [PULL 0/3] Usb 20190829 patches Peter Maydell
  3 siblings, 0 replies; 5+ messages in thread
From: Gerd Hoffmann @ 2019-08-29  7:10 UTC
  To: qemu-devel; +Cc: fangying, Gerd Hoffmann

From: fangying <fangying1@huawei.com>

Address Sanitizer shows memory leak in xhci_kick_epctx hw/usb/hcd-xhci.c:1912.
A sglist is leaked when a packet is retired and returns USB_RET_NAK status.
The leak stack is as below:

Direct leak of 2688 byte(s) in 168 object(s) allocated from:
    #0 0xffffae8b11db in __interceptor_malloc (/lib64/libasan.so.4+0xd31db)
    #1 0xffffae5c9163 in g_malloc (/lib64/libglib-2.0.so.0+0x57163)
    #2 0xaaaabb6fb3f7 in qemu_sglist_init dma-helpers.c:43
    #3 0xaaaabba705a7 in pci_dma_sglist_init include/hw/pci/pci.h:837
    #4 0xaaaabba705a7 in xhci_xfer_create_sgl hw/usb/hcd-xhci.c:1443
    #5 0xaaaabba705a7 in xhci_setup_packet hw/usb/hcd-xhci.c:1615
    #6 0xaaaabba77a6f in xhci_kick_epctx hw/usb/hcd-xhci.c:1912
    #7 0xaaaabbdaad27 in timerlist_run_timers util/qemu-timer.c:592
    #8 0xaaaabbdab19f in qemu_clock_run_timers util/qemu-timer.c:606
    #9 0xaaaabbdab19f in qemu_clock_run_all_timers util/qemu-timer.c:692
    #10 0xaaaabbdab9a3 in main_loop_wait util/main-loop.c:524
    #11 0xaaaabb6ff5e7 in main_loop vl.c:1806
    #12 0xaaaabb1e1453 in main vl.c:4488

Signed-off-by: Ying Fang <fangying1@huawei.com>
Message-id: 20190828062535.1573-1-fangying1@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/hcd-xhci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 471759cd4cc0..80988bb305a1 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -1914,6 +1914,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid)
             }
             usb_handle_packet(xfer->packet.ep->dev, &xfer->packet);
             if (xfer->packet.status == USB_RET_NAK) {
+                xhci_xfer_unmap(xfer);
                 return;
             }
             xhci_try_complete_packet(xfer);
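Review bot: In the `USB_RET_NAK` branch the new `xhci_xfer_unmap(xfer);` releases the mapping and returns early, but nothing in the hunk states that the transfer is mapped again before it is next used. The ASan trace in the commit message shows the sglist being created from `xhci_setup_packet` inside `xhci_kick_epctx`, so a short comment on this line saying that the next kick sets the packet up again would settle whether the unmapped transfer can be touched in between. Please also confirm that `xhci_xfer_unmap` is safe to call a second time on the same transfer, in case another path unmaps it as well.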
-- 
2.18.1




* [Qemu-devel] [PULL 3/3] usb-mtp: add sanity checks on rootdir
  2019-08-29  7:10 [Qemu-devel] [PULL 0/3] Usb 20190829 patches Gerd Hoffmann
  2019-08-29  7:10 ` [Qemu-devel] [PULL 1/3] xhci: Fix memory leak in xhci_address_slot Gerd Hoffmann
  2019-08-29  7:10 ` [Qemu-devel] [PULL 2/3] xhci: Fix memory leak in xhci_kick_epctx Gerd Hoffmann
@ 2019-08-29  7:10 ` Gerd Hoffmann
  2019-09-04  9:15 ` [Qemu-devel] [PULL 0/3] Usb 20190829 patches Peter Maydell
  3 siblings, 0 replies; 5+ messages in thread
From: Gerd Hoffmann @ 2019-08-29  7:10 UTC
  To: qemu-devel; +Cc: Bandan Das, Gerd Hoffmann

From: Bandan Das <bsd@redhat.com>

Currently, we don't check if rootdir exists and is accessible.
Furthermore, a trailing slash results in a null "desc" string which
ends up in the share not visible in the guest. Add some simple
sanity checks for appropriate permissions. Also, bail out if the
user does not supply an absolute path.

Signed-off-by: Bandan Das <bsd@redhat.com>
Message-id: jpga7bto3on.fsf@linux.bootlegged.copy
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/usb/dev-mtp.c | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
index 9846e4b5130b..7c07295519d3 100644
--- a/hw/usb/dev-mtp.c
+++ b/hw/usb/dev-mtp.c
@@ -2038,26 +2038,36 @@ static void usb_mtp_realize(USBDevice *dev, Error **errp)
 {
     MTPState *s = USB_MTP(dev);
 
-    usb_desc_create_serial(dev);
-    usb_desc_init(dev);
-    QTAILQ_INIT(&s->objects);
-    if (s->desc == NULL) {
-        if (s->root == NULL) {
-            error_setg(errp, "usb-mtp: rootdir property must be configured");
-            return;
-        }
-        s->desc = strrchr(s->root, '/');
-        if (s->desc && s->desc[0]) {
-            s->desc = g_strdup(s->desc + 1);
-        } else {
-            s->desc = g_strdup("none");
-        }
+    if ((s->root == NULL) || !g_path_is_absolute(s->root)) {
+        error_setg(errp, "usb-mtp: rootdir must be configured and be an absolute path");
+        return;
     }
+
+    if (access(s->root, R_OK) != 0) {
+        error_setg(errp, "usb-mtp: rootdir does not exist/not readable");
+        return;
+    } else if (!s->readonly && access(s->root, W_OK) != 0) {
+        error_setg(errp, "usb-mtp: rootdir does not have write permissions");
+        return;
+    }
+
     /* Mark store as RW */
     if (!s->readonly) {
         s->flags |= (1 << MTP_FLAG_WRITABLE);
     }
 
+    if (s->desc == NULL) {
+        /*
+         * This does not check if path exists
+         * but we have the checks above
+         */
+        s->desc = g_path_get_basename(s->root);
+    }
+
+    usb_desc_create_serial(dev);
+    usb_desc_init(dev);
+    QTAILQ_INIT(&s->objects);
+
 }
 
 static const VMStateDescription vmstate_usb_mtp = {
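Review bot: The two `access()` checks added to `usb_mtp_realize` establish that `s->root` is readable (and writable when not `readonly`) but not that it is a directory, so a readable regular file passes them. Add a directory test alongside, for example `g_file_test(s->root, G_FILE_TEST_IS_DIR)`, with its own error message. The checks are also a snapshot taken at realize time, so the code that later opens and walks rootdir still has to handle failure; the new comment above `g_path_get_basename(s->root)` should say that rather than suggest the path is known good. Minor: the first `error_setg` line runs past 80 columns, and "does not exist/not readable" would be more useful as two distinct messages or with the `errno` text included.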
-- 
2.18.1




* Re: [Qemu-devel] [PULL 0/3] Usb 20190829 patches
  2019-08-29  7:10 [Qemu-devel] [PULL 0/3] Usb 20190829 patches Gerd Hoffmann
                   ` (2 preceding siblings ...)
  2019-08-29  7:10 ` [Qemu-devel] [PULL 3/3] usb-mtp: add sanity checks on rootdir Gerd Hoffmann
@ 2019-09-04  9:15 ` Peter Maydell
  3 siblings, 0 replies; 5+ messages in thread
From: Peter Maydell @ 2019-09-04  9:15 UTC
  To: Gerd Hoffmann; +Cc: QEMU Developers

On Thu, 29 Aug 2019 at 08:12, Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> The following changes since commit 23919ddfd56135cad3cb468a8f54d5a595f024f4:
>
>   Merge remote-tracking branch 'remotes/aperard/tags/pull-xen-20190827' into staging (2019-08-27 15:52:36 +0100)
>
> are available in the Git repository at:
>
>   git://git.kraxel.org/qemu tags/usb-20190829-pull-request
>
> for you to fetch changes up to e4c1c64112565a9be50008e6f28dbc41b53da740:
>
>   usb-mtp: add sanity checks on rootdir (2019-08-29 07:31:12 +0200)
>
> ----------------------------------------------------------------
> usb: bugfixes for xhci and mtp.
>
> ----------------------------------------------------------------
>
> Bandan Das (1):
>   usb-mtp: add sanity checks on rootdir
>
> Ying Fang (1):
>   xhci: Fix memory leak in xhci_address_slot
>
> fangying (1):
>   xhci: Fix memory leak in xhci_kick_epctx


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/4.2
for any user-visible changes.

-- PMM

