Add an extra patch to really fix (bz #890320)
This commit is contained in:
parent
6a0fe9263d
commit
4a0d0c08f7
@ -0,0 +1,80 @@
|
|||||||
|
From 2d608503da16560546ed6c0f04cac87601856412 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hans de Goede <hdegoede@redhat.com>
|
||||||
|
Date: Fri, 5 Apr 2013 12:05:49 +0200
|
||||||
|
Subject: [PATCH] ehci_free_packet: Discard finished packets when the queue is
|
||||||
|
halted
|
||||||
|
|
||||||
|
With pipelining it is possible to encounter a finished packet when cleaning
|
||||||
|
the queue due to a halt. This happens when a non stall error happens while
|
||||||
|
talking to a real device. In this case the queue on the usb-host side will
|
||||||
|
continue processing packets, and we can have completed packets waiting in
|
||||||
|
the queue after an error condition packet causing a halt.
|
||||||
|
|
||||||
|
There are 2 reasons to discard the completed packets at this point, rather
|
||||||
|
then writing them back to the guest:
|
||||||
|
|
||||||
|
1) The guest expect to be able to cancel and/or change packets after the
|
||||||
|
packet with the error without doing an unlink, so writing them back may
|
||||||
|
confuse the guest.
|
||||||
|
|
||||||
|
2) Since the queue does not advance when halted, the writing back of these
|
||||||
|
packets will trigger an assert because p->qtdaddr != q->qtdaddr, causing qemu
|
||||||
|
to abort.
|
||||||
|
|
||||||
|
Note that discarding these packets means that the guest driver and the device
|
||||||
|
will get out of sync! This is unfortunate, but should not be a problem since
|
||||||
|
with a non stall error (iow an io-error) the 2 are out of sync already anyways.
|
||||||
|
Still this patch adds a warning printf to signal this happening.
|
||||||
|
|
||||||
|
Note that sofar this has only been seen with a DVB-T receiver, which gives
|
||||||
|
of a MPEG-2 stream, which allows for recovering from lost packets, see:
|
||||||
|
https://bugzilla.redhat.com/show_bug.cgi?id=890320
|
||||||
|
|
||||||
|
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
||||||
|
---
|
||||||
|
hw/usb/hcd-ehci.c | 18 +++++++++++-------
|
||||||
|
1 file changed, 11 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||||
|
index 6be11c5..6a787aa 100644
|
||||||
|
--- a/hw/usb/hcd-ehci.c
|
||||||
|
+++ b/hw/usb/hcd-ehci.c
|
||||||
|
@@ -752,11 +752,10 @@ static EHCIPacket *ehci_alloc_packet(EHCIQueue *q)
|
||||||
|
|
||||||
|
static void ehci_free_packet(EHCIPacket *p)
|
||||||
|
{
|
||||||
|
- if (p->async == EHCI_ASYNC_FINISHED) {
|
||||||
|
+ if (p->async == EHCI_ASYNC_FINISHED &&
|
||||||
|
+ !(p->queue->qh.token & QTD_TOKEN_HALT)) {
|
||||||
|
EHCIQueue *q = p->queue;
|
||||||
|
int state = ehci_get_state(q->ehci, q->async);
|
||||||
|
- /* This is a normal, but rare condition (cancel racing completion) */
|
||||||
|
- fprintf(stderr, "EHCI: Warning packet completed but not processed\n");
|
||||||
|
ehci_state_executing(q);
|
||||||
|
ehci_state_writeback(q);
|
||||||
|
if (!(q->qh.token & QTD_TOKEN_HALT)) {
|
||||||
|
@@ -767,12 +766,17 @@ static void ehci_free_packet(EHCIPacket *p)
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
trace_usb_ehci_packet_action(p->queue, p, "free");
|
||||||
|
- if (p->async == EHCI_ASYNC_INITIALIZED) {
|
||||||
|
- usb_packet_unmap(&p->packet, &p->sgl);
|
||||||
|
- qemu_sglist_destroy(&p->sgl);
|
||||||
|
- }
|
||||||
|
if (p->async == EHCI_ASYNC_INFLIGHT) {
|
||||||
|
usb_cancel_packet(&p->packet);
|
||||||
|
+ }
|
||||||
|
+ if (p->async == EHCI_ASYNC_FINISHED) {
|
||||||
|
+ fprintf(stderr,
|
||||||
|
+ "EHCI: Dropping completed packet from halted %s ep %02X\n",
|
||||||
|
+ (p->pid == USB_TOKEN_IN) ? "in" : "out",
|
||||||
|
+ get_field(p->queue->qh.epchar, QH_EPCHAR_EP));
|
||||||
|
+
|
||||||
|
+ }
|
||||||
|
+ if (p->async != EHCI_ASYNC_NONE) {
|
||||||
|
usb_packet_unmap(&p->packet, &p->sgl);
|
||||||
|
qemu_sglist_destroy(&p->sgl);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
1.8.2
|
||||||
|
|
17
qemu.spec
17
qemu.spec
@ -109,7 +109,7 @@
|
|||||||
Summary: QEMU is a FAST! processor emulator
|
Summary: QEMU is a FAST! processor emulator
|
||||||
Name: qemu
|
Name: qemu
|
||||||
Version: 1.2.2
|
Version: 1.2.2
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
License: GPLv2+ and LGPLv2+ and BSD
|
License: GPLv2+ and LGPLv2+ and BSD
|
||||||
@ -548,6 +548,7 @@ Patch0717: 0717-qxl-Add-rom_size-compat-property-fix-migration-from-.patch
|
|||||||
# Fix use after free + assert in ehci (bz #890320)
|
# Fix use after free + assert in ehci (bz #890320)
|
||||||
Patch0718: 0718-ehci-Don-t-access-packet-after-freeing-it.patch
|
Patch0718: 0718-ehci-Don-t-access-packet-after-freeing-it.patch
|
||||||
Patch0719: 0719-ehci-Fixup-q-qtdaddr-after-cancelling-an-already-com.patch
|
Patch0719: 0719-ehci-Fixup-q-qtdaddr-after-cancelling-an-already-com.patch
|
||||||
|
Patch0720: 0720-ehci_free_packet-Discard-finished-packets-when-the-q.patch
|
||||||
|
|
||||||
|
|
||||||
BuildRequires: SDL-devel
|
BuildRequires: SDL-devel
|
||||||
@ -1383,6 +1384,7 @@ CAC emulation development files.
|
|||||||
# Fix use after free + assert in ehci (bz #890320)
|
# Fix use after free + assert in ehci (bz #890320)
|
||||||
%patch0718 -p1
|
%patch0718 -p1
|
||||||
%patch0719 -p1
|
%patch0719 -p1
|
||||||
|
%patch0720 -p1
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -1992,6 +1994,9 @@ getent passwd qemu >/dev/null || \
|
|||||||
%{_libdir}/pkgconfig/libcacard.pc
|
%{_libdir}/pkgconfig/libcacard.pc
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Apr 08 2013 Hans de Goede <hdegoede@redhat.com> - 2:1.2.2-10
|
||||||
|
- Add an extra patch to really fix (bz #890320)
|
||||||
|
|
||||||
* Wed Apr 03 2013 Hans de Goede <hdegoede@redhat.com> - 2:1.2.2-9
|
* Wed Apr 03 2013 Hans de Goede <hdegoede@redhat.com> - 2:1.2.2-9
|
||||||
- Fix use after free in ehci code (bz #890320)
|
- Fix use after free in ehci code (bz #890320)
|
||||||
|
|
||||||
@ -2394,7 +2399,7 @@ getent passwd qemu >/dev/null || \
|
|||||||
* Thu Apr 15 2010 Justin M. Forbes <jforbes@redhat.com> - 2:0.12.3-5
|
* Thu Apr 15 2010 Justin M. Forbes <jforbes@redhat.com> - 2:0.12.3-5
|
||||||
- Update virtio console patches from upstream
|
- Update virtio console patches from upstream
|
||||||
|
|
||||||
* Mon Mar 11 2010 Justin M. Forbes <jforbes@redhat.com> - 2:0.12.3-4
|
* Thu Mar 11 2010 Justin M. Forbes <jforbes@redhat.com> - 2:0.12.3-4
|
||||||
- Detect cdrom via ioctl (#473154)
|
- Detect cdrom via ioctl (#473154)
|
||||||
- re add increased buffer for USB control requests (#546483)
|
- re add increased buffer for USB control requests (#546483)
|
||||||
|
|
||||||
@ -2431,7 +2436,7 @@ getent passwd qemu >/dev/null || \
|
|||||||
* Mon Jan 25 2010 Justin M. Forbes <jforbes@redhat.com> - 2:0.12.2-1
|
* Mon Jan 25 2010 Justin M. Forbes <jforbes@redhat.com> - 2:0.12.2-1
|
||||||
- Update to 0.12.2 upstream
|
- Update to 0.12.2 upstream
|
||||||
|
|
||||||
* Fri Jan 10 2010 Justin M. Forbes <jforbes@redhat.com> - 2:0.12.1.2-3
|
* Sun Jan 10 2010 Justin M. Forbes <jforbes@redhat.com> - 2:0.12.1.2-3
|
||||||
- Point to seabios instead of bochs, and add a requires for seabios
|
- Point to seabios instead of bochs, and add a requires for seabios
|
||||||
|
|
||||||
* Mon Jan 4 2010 Justin M. Forbes <jforbes@redhat.com> - 2:0.12.1.2-2
|
* Mon Jan 4 2010 Justin M. Forbes <jforbes@redhat.com> - 2:0.12.1.2-2
|
||||||
@ -2879,7 +2884,7 @@ getent passwd qemu >/dev/null || \
|
|||||||
- Update to 0.7.0
|
- Update to 0.7.0
|
||||||
- Fix dyngen for PPC functions which end in unconditional branch
|
- Fix dyngen for PPC functions which end in unconditional branch
|
||||||
|
|
||||||
* Fri Apr 7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
|
* Thu Apr 7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
|
||||||
- rebuilt
|
- rebuilt
|
||||||
|
|
||||||
* Sun Feb 13 2005 David Woodhouse <dwmw2@infradead.org> 0.6.1-2
|
* Sun Feb 13 2005 David Woodhouse <dwmw2@infradead.org> 0.6.1-2
|
||||||
@ -2891,13 +2896,13 @@ getent passwd qemu >/dev/null || \
|
|||||||
* Tue Jul 20 2004 David Woodhouse <dwmw2@redhat.com> 0.6.0-2
|
* Tue Jul 20 2004 David Woodhouse <dwmw2@redhat.com> 0.6.0-2
|
||||||
- Compile fix from qemu CVS, add x86_64 host support
|
- Compile fix from qemu CVS, add x86_64 host support
|
||||||
|
|
||||||
* Mon May 12 2004 David Woodhouse <dwmw2@redhat.com> 0.6.0-1
|
* Wed May 12 2004 David Woodhouse <dwmw2@redhat.com> 0.6.0-1
|
||||||
- Update to 0.6.0.
|
- Update to 0.6.0.
|
||||||
|
|
||||||
* Sat May 8 2004 David Woodhouse <dwmw2@redhat.com> 0.5.5-1
|
* Sat May 8 2004 David Woodhouse <dwmw2@redhat.com> 0.5.5-1
|
||||||
- Update to 0.5.5.
|
- Update to 0.5.5.
|
||||||
|
|
||||||
* Thu May 2 2004 David Woodhouse <dwmw2@redhat.com> 0.5.4-1
|
* Sun May 2 2004 David Woodhouse <dwmw2@redhat.com> 0.5.4-1
|
||||||
- Update to 0.5.4.
|
- Update to 0.5.4.
|
||||||
|
|
||||||
* Thu Apr 22 2004 David Woodhouse <dwmw2@redhat.com> 0.5.3-1
|
* Thu Apr 22 2004 David Woodhouse <dwmw2@redhat.com> 0.5.3-1
|
||||||
|
Loading…
Reference in New Issue
Block a user