From: Gerd Hoffmann
Subject: [Qemu-devel] [PATCH 08/32] ehci: Verify a queue's ep direction does not change
Date: Tue, 8 Jan 2013 14:14:30 +0100
From: Hans de Goede <address@hidden>
ehci_fill_queue assumes that there is a one-to-one relationship between an ep
and a qh; this patch adds a check to ensure this.

Note I don't expect this to ever trigger; this is just something I noticed
the guest might do while working on other stuff. The only way this check can
trigger is if a guest mixes in and out qtd-s in a single qh for a non-control
ep.
Signed-off-by: Hans de Goede <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/hcd-ehci.c | 19 +++++++++++++++++++
hw/usb/hcd-ehci.h | 1 +
2 files changed, 20 insertions(+), 0 deletions(-)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index dae414a..5d314a0 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -527,6 +527,19 @@ static bool ehci_verify_qtd(EHCIPacket *p, EHCIqtd *qtd)
}
}
+static bool ehci_verify_pid(EHCIQueue *q, EHCIqtd *qtd)
+{
+ int ep = get_field(q->qh.epchar, QH_EPCHAR_EP);
+ int pid = ehci_get_pid(qtd);
+
+ /* Note the pid changing is normal for ep 0 (the control ep) */
+ if (q->last_pid && ep != 0 && pid != q->last_pid) {
+ return false;
+ } else {
+ return true;
+ }
+}
+
/* Finish executing and writeback a packet outside of the regular
fetchqh -> fetchqtd -> execute -> writeback cycle */
static void ehci_writeback_async_complete_packet(EHCIPacket *p)
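Review bot: ehci_verify_pid relies on 0 never being a value ehci_get_pid returns (the `q->last_pid &&` test treats 0 as "no packet executed yet"), but nothing in the hunk states that; a one-line comment at that test, or an explicit "no pid yet" marker instead of a bare 0, would make the dependency visible. The if/else around two bool returns can also collapse to `return !(q->last_pid && ep != 0 && pid != q->last_pid);`.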
@@ -634,6 +647,7 @@ static int ehci_reset_queue(EHCIQueue *q)
packets = ehci_cancel_queue(q);
q->dev = NULL;
q->qtdaddr = 0;
+ q->last_pid = 0;
return packets;
}
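Review bot: clearing last_pid here, next to dev and qtdaddr, is the right place, but note that ehci_cancel_queue on its own (the call two lines above) does not touch it, so a queue whose packets are cancelled without a reset keeps enforcing the previous direction; that matches the one-qh-one-ep intent in the commit message, but a short comment on the field saying it survives cancel and is cleared only by reset would save the next reader the same question.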
@@ -1368,6 +1382,7 @@ static int ehci_execute(EHCIPacket *p, const char *action)
}
p->pid = ehci_get_pid(&p->qtd);
+ p->queue->last_pid = p->pid;
endp = get_field(p->queue->qh.epchar, QH_EPCHAR_EP);
ep = usb_ep_get(p->queue->dev, p->pid, endp);
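Review bot: ehci_execute records the pid unconditionally and never calls ehci_verify_pid, so the direction rule is enforced only inside ehci_fill_queue; a qtd reached through the regular fetchqtd -> execute cycle (the first qtd of a queue, or the one fill_queue stopped at) is executed whatever its pid and then becomes the new last_pid. If that is intended, as the commit message's "don't expect this to ever trigger" suggests, say so in the comment on last_pid; otherwise the check belongs here, where every packet passes, rather than only in the fill loop.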
@@ -1883,6 +1898,10 @@ static int ehci_fill_queue(EHCIPacket *p)
if (!(qtd.token & QTD_TOKEN_ACTIVE)) {
break;
}
+ if (!ehci_verify_pid(q, &qtd)) {
+ ehci_trace_guest_bug(q->ehci, "guest queued token with wrong pid");
+ break;
+ }
p = ehci_alloc_packet(q);
p->qtdaddr = qtdaddr;
p->qtd = qtd;
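Review bot: the trace text "guest queued token with wrong pid" does not say what the pid was compared against; since ehci_trace_guest_bug takes a plain string, at least wording it as "pid changed on non-control ep" (or adding a trace point carrying ep, last_pid and pid) would keep a reader of the guest-bug log from hunting for a pid decoding error. The ordering is right: the active check runs first, so an inactive qtd ends the scan before its pid matters, and breaking rather than dropping leaves the qtd in the guest's list for the normal cycle.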
diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h
index e35144d..14ee3be 100644
--- a/hw/usb/hcd-ehci.h
+++ b/hw/usb/hcd-ehci.h
@@ -248,6 +248,7 @@ struct EHCIQueue {
EHCIqh qh; /* copy of current QH (being worked on) */
uint32_t qhaddr; /* address QH read from */
uint32_t qtdaddr; /* address QTD read from */
+ int last_pid; /* pid of last packet executed */
USBDevice *dev;
QTAILQ_HEAD(pkts_head, EHCIPacket) packets;
};
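Review bot: the field comment "pid of last packet executed" should also say that 0 means no packet has executed since the last ehci_reset_queue, since ehci_verify_pid keys its "first packet" case off that value and the reset hunk writes the 0 explicitly.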
--
1.7.1
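The rule this patch enforces, one transfer direction per QH unless the QH is for endpoint 0, is easy to exercise outside QEMU. The following is an added example, not QEMU code and not part of this patch: it models a fill loop over a constructed chain of EHCI qTDs and applies the same accept/reject decision. Field layouts follow the EHCI 1.0 spec (qTD token bits 9:8 are the PID code, bit 7 is Active; QH endpoint-characteristics bits 11:8 are the endpoint number); the type and function names, the index-as-address encoding of the next pointer and the three demo chains are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU code. Bit positions from the EHCI 1.0 spec;
 * names, the index<<5 "address" scheme and the demo chains are made up. */
#define QTD_TOKEN_ACTIVE   (1u << 7)
#define QTD_TOKEN_PID_SH   8
#define QTD_TOKEN_PID_MASK (3u << 8)   /* 0 OUT, 1 IN, 2 SETUP, 3 reserved */
#define QH_EPCHAR_EP_SH    8
#define QH_EPCHAR_EP_MASK  (0xfu << 8)
#define NLPTR_TBIT         1u          /* T bit: next pointer is invalid */

enum pid { PID_NONE = 0, PID_OUT, PID_IN, PID_SETUP, PID_BAD };

typedef struct {
    uint32_t next;    /* index << 5 of the next qTD, or NLPTR_TBIT */
    uint32_t token;
} qtd_t;

typedef struct {
    uint32_t epchar;
    enum pid last_pid;   /* PID_NONE until a qTD has been accepted */
} queue_t;

static enum pid qtd_pid(const qtd_t *t)
{
    switch ((t->token & QTD_TOKEN_PID_MASK) >> QTD_TOKEN_PID_SH) {
    case 0:  return PID_OUT;
    case 1:  return PID_IN;
    case 2:  return PID_SETUP;
    default: return PID_BAD;
    }
}

/* Same decision as the patch's ehci_verify_pid: a PID change is tolerated
 * only on endpoint 0, where SETUP/OUT/IN legitimately alternate. */
static int verify_pid(const queue_t *q, const qtd_t *t)
{
    int ep = (q->epchar & QH_EPCHAR_EP_MASK) >> QH_EPCHAR_EP_SH;
    enum pid pid = qtd_pid(t);

    if (pid == PID_BAD) {
        return 0;
    }
    return !(q->last_pid != PID_NONE && ep != 0 && pid != q->last_pid);
}

/* Walk a chain like a fill loop and return how many active qTDs were
 * accepted before stopping: end of list, inactive qTD, a revisited qTD
 * (guest-built loop), or a direction change the rule rejects.
 * Chains are capped at 64 entries so a bitmap can track visited indexes. */
static int fill_queue(queue_t *q, const qtd_t *chain, size_t n, size_t first)
{
    uint64_t seen = 0;
    size_t idx = first;
    int accepted = 0;

    if (n > 64) {
        return -1;
    }
    while (idx < n && !(seen & (1ull << idx))) {
        const qtd_t *t = &chain[idx];

        seen |= 1ull << idx;
        if (!(t->token & QTD_TOKEN_ACTIVE)) {
            break;
        }
        if (!verify_pid(q, t)) {
            fprintf(stderr, "guest bug: qTD %zu changes pid on a non-control ep\n", idx);
            break;
        }
        q->last_pid = qtd_pid(t);
        accepted++;
        if (t->next & NLPTR_TBIT) {
            break;
        }
        idx = t->next >> 5;
    }
    return accepted;
}

static qtd_t mk(uint32_t pid_code, int active, uint32_t next)
{
    qtd_t t = { next, (pid_code << QTD_TOKEN_PID_SH) | (active ? QTD_TOKEN_ACTIVE : 0) };
    return t;
}

/* Bulk ep 2: OUT, OUT, then IN, OUT. The IN qTD is rejected, so 2 are accepted. */
int demo_bulk_mixed(void)
{
    qtd_t chain[] = { mk(0, 1, 1 << 5), mk(0, 1, 2 << 5), mk(1, 1, 3 << 5), mk(0, 1, NLPTR_TBIT) };
    queue_t q = { 2u << QH_EPCHAR_EP_SH, PID_NONE };
    return fill_queue(&q, chain, 4, 0);
}

/* Control ep 0: SETUP, OUT, IN is the normal shape; all 3 are accepted. */
int demo_control(void)
{
    qtd_t chain[] = { mk(2, 1, 1 << 5), mk(0, 1, 2 << 5), mk(1, 1, NLPTR_TBIT) };
    queue_t q = { 0, PID_NONE };
    return fill_queue(&q, chain, 3, 0);
}

/* Interrupt ep 1 with a circular list: each IN qTD is accepted once, so 2. */
int demo_loop(void)
{
    qtd_t chain[] = { mk(1, 1, 1 << 5), mk(1, 1, 0 << 5) };
    queue_t q = { 1u << QH_EPCHAR_EP_SH, PID_NONE };
    return fill_queue(&q, chain, 2, 0);
}

int main(void)
{
    printf("bulk mixed: %d, control: %d, loop: %d\n",
           demo_bulk_mixed(), demo_control(), demo_loop());
    return 0;
}
```

The model stops at the first rejected qTD exactly as the patch's fill loop does, and, like the patch, it does not remove the offending qTD from the chain; a later walk starting at that index would accept it and reset the remembered direction, which is the behaviour a reviewer of the ehci_execute hunk should keep in mind.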