Fix use after free in ehci code (bz #890320)
parent
4a2d47e464
commit
6a0fe9263d
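--- a/0718-ehci-Don-t-access-packet-after-freeing-it.patch
+++ b/0718-ehci-Don-t-access-packet-after-freeing-it.patch
@@ -0,0 +1,40 @@
+From 9c8576aeca2d65e17748dc137f0e9abeb2959604 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 14 Nov 2012 16:21:36 +0000
+Subject: [PATCH 718/719] ehci: Don't access packet after freeing it
+
+ehci_state_writeback() will free the packet, so we should not access
+the packet after calling ehci_state_writeback().
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from 30d68cf6e156b97fc462e18f38ce83f44702cd7f)
+---
+hw/usb/hcd-ehci.c | 9 +++++----
+1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 46f6d99..4229061 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -752,12 +752,13 @@ static EHCIPacket *ehci_alloc_packet(EHCIQueue *q)
+static void ehci_free_packet(EHCIPacket *p)
+{
+if (p->async == EHCI_ASYNC_FINISHED) {
+- int state = ehci_get_state(p->queue->ehci, p->queue->async);
++ EHCIQueue *q = p->queue;
++ int state = ehci_get_state(q->ehci, q->async);
+/* This is a normal, but rare condition (cancel racing completion) */
+fprintf(stderr, "EHCI: Warning packet completed but not processed\n");
+- ehci_state_executing(p->queue);
+- ehci_state_writeback(p->queue);
+- ehci_set_state(p->queue->ehci, p->queue->async, state);
++ ehci_state_executing(q);
++ ehci_state_writeback(q);
++ ehci_set_state(q->ehci, q->async, state);
+/* state_writeback recurses into us with async == EHCI_ASYNC_NONE!! */
+return;
+}
+--
+1.8.1.4
+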
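Review bot: The new code in ehci_free_packet still dereferences `q` after `ehci_state_writeback(q)`, so the fix only holds if the queue outlives the writeback — the next context line says writeback recurses into ehci_free_packet, and nothing in the hunk shows whether that recursion can also tear down the queue. Worth pinning that assumption on the `EHCIQueue *q = p->queue;` line with `/* writeback frees p; only q (which must outlive it) may be touched afterwards */`. The saved `state` is restored unconditionally, so whatever state ehci_state_writeback set is discarded; if that is deliberate, a one-line note on the `ehci_set_state(q->ehci, q->async, state);` line would save the next reader the trace. Since this path is reachable from guest-driven queue cancellation, a run of the cancel-racing-completion case under ASan would be the quickest way to confirm no further post-free access remains. ehci_free_packet continues past the end of the hunk.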
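--- a/0719-ehci-Fixup-q-qtdaddr-after-cancelling-an-already-com.patch
+++ b/0719-ehci-Fixup-q-qtdaddr-after-cancelling-an-already-com.patch
@@ -0,0 +1,49 @@
+From f0a3e522543763cc5126283031309fdf6f8787c2 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 14 Nov 2012 16:21:37 +0000
+Subject: [PATCH 719/719] ehci: Fixup q->qtdaddr after cancelling an already
+completed packet
+
+This avoids the q->qtdaddr == p->qtdaddr asserts we have triggering, when
+a queue contains multiple completed packages when we cancel the queue.
+
+I triggered this with windows7 + async interrupt endpoint handling (*)
++ not detecting circles in ehci_fill_queue() properly, which makes the qtd
+validation in ehci_fill_queue fail, causing cancellation of the queue on every
+mouse event ...
+
+*) Which is not going upstream as it will cause loss of interrupt events on
+migration.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from ff80ce599e0465cc6109a38bd3a8ca1890e88891)
+---
+hw/usb/hcd-ehci.c | 4 ++++
+1 file changed, 4 insertions(+)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 4229061..6be11c5 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -488,6 +488,7 @@ static const char *ehci_mmio_names[] = {
+
+static int ehci_state_executing(EHCIQueue *q);
+static int ehci_state_writeback(EHCIQueue *q);
++static int ehci_state_advqueue(EHCIQueue *q);
+
+static const char *nr2str(const char **n, size_t len, uint32_t nr)
+{
+@@ -758,6 +759,9 @@ static void ehci_free_packet(EHCIPacket *p)
+fprintf(stderr, "EHCI: Warning packet completed but not processed\n");
+ehci_state_executing(q);
+ehci_state_writeback(q);
++ if (!(q->qh.token & QTD_TOKEN_HALT)) {
++ ehci_state_advqueue(q);
++ }
+ehci_set_state(q->ehci, q->async, state);
+/* state_writeback recurses into us with async == EHCI_ASYNC_NONE!! */
+return;
+--
+1.8.1.4
+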
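Review bot: The added `ehci_state_advqueue(q)` call is skipped when the halt bit is set, so in that case q->qtdaddr is left where writeback put it; if the queue still holds further completed packets at that point, the `q->qtdaddr == p->qtdaddr` assert the commit message describes looks reachable on the next ehci_free_packet() of the same cancel loop — this is inferred from the hunk, not shown, and deserves either explicit handling of the remaining packets or a comment stating why a halted queue cannot hold more. The call's return value is dropped and the `ehci_set_state(q->ehci, q->async, state);` restore on the next line overrides whatever state advqueue set, so a note such as `/* advqueue is only used here to move q->qtdaddr past the written-back qtd; its state change is undone below */` would document the intent. ehci_free_packet continues past the end of the hunk.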
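--- a/qemu.spec
+++ b/qemu.spec
@@ -109,7 +109,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 1.2.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@@ -545,6 +545,9 @@ Patch0715: 0715-pci-assign-Enable-MSIX-on-device-to-match-guest.patch
 # Fix QXL migration from F17 to F18 (bz #907916)
 Patch0716: 0716-qxl-change-rom-size-to-8192.patch
 Patch0717: 0717-qxl-Add-rom_size-compat-property-fix-migration-from-.patch
+# Fix use after free + assert in ehci (bz #890320)
+Patch0718: 0718-ehci-Don-t-access-packet-after-freeing-it.patch
+Patch0719: 0719-ehci-Fixup-q-qtdaddr-after-cancelling-an-already-com.patch
 
 
 BuildRequires: SDL-devel
@@ -1377,6 +1380,9 @@ CAC emulation development files.
 # Fix QXL migration from F17 to F18 (bz #907916)
 %patch0716 -p1
 %patch0717 -p1
+# Fix use after free + assert in ehci (bz #890320)
+%patch0718 -p1
+%patch0719 -p1
 
 
 %build
@@ -1986,6 +1992,9 @@ getent passwd qemu >/dev/null || \
 %{_libdir}/pkgconfig/libcacard.pc
 
 %changelog
+* Wed Apr 03 2013 Hans de Goede <hdegoede@redhat.com> - 2:1.2.2-9
+- Fix use after free in ehci code (bz #890320)
+
 * Mon Apr 01 2013 Cole Robinson <crobinso@redhat.com> - 2:1.2.2-8
 - Don't use reserved word 'function' in systemtap files (bz #871286)
 - Fixes for iscsi dep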