2983660f65
CVE-2013-4377: Fix crash when unplugging virtio devices (bz #1012633, bz #1012641) Fix 'new snapshot' slowness after the first snap (bz #988436) Fix 9pfs xattrs on kernel 3.11 (bz #1013676) CVE-2013-4344: buffer overflow in scsi_target_emulate_report_luns (bz #1015274, bz #1007330)
132 lines
4.7 KiB
Diff
132 lines
4.7 KiB
Diff
From dc6fbaa8322ca53f46d9a6cc7e2f82de5362ea83 Mon Sep 17 00:00:00 2001
|
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
Date: Wed, 28 Aug 2013 11:38:44 +0200
|
|
Subject: [PATCH] xhci: emulate intr endpoint intervals correctly
|
|
|
|
Respect the interval for interrupt endpoints, so we don't finish
|
|
transfers as fast as possible but at the rate configured by the guest.
|
|
|
|
Fixes guest deadlocks triggered by interrupt storms.
|
|
|
|
Cc:
|
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
(cherry picked from commit 4d7a81c06f5f17e019a2d3a18300500bd64f6f40)
|
|
|
|
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
|
|
---
|
|
hw/usb/hcd-xhci.c | 44 +++++++++++++++++++++++++++++++++++++-------
|
|
1 file changed, 37 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
|
index a6f55a1..8010a6d 100644
|
|
--- a/hw/usb/hcd-xhci.c
|
|
+++ b/hw/usb/hcd-xhci.c
|
|
@@ -355,6 +355,7 @@ typedef struct XHCITransfer {
|
|
unsigned int streamid;
|
|
bool in_xfer;
|
|
bool iso_xfer;
|
|
+ bool timed_xfer;
|
|
|
|
unsigned int trb_count;
|
|
unsigned int trb_alloced;
|
|
@@ -1803,6 +1804,7 @@ static int xhci_fire_ctl_transfer(XHCIState *xhci, XHCITransfer *xfer)
|
|
|
|
xfer->in_xfer = bmRequestType & USB_DIR_IN;
|
|
xfer->iso_xfer = false;
|
|
+ xfer->timed_xfer = false;
|
|
|
|
if (xhci_setup_packet(xfer) < 0) {
|
|
return -1;
|
|
@@ -1818,6 +1820,17 @@ static int xhci_fire_ctl_transfer(XHCIState *xhci, XHCITransfer *xfer)
|
|
return 0;
|
|
}
|
|
|
|
+static void xhci_calc_intr_kick(XHCIState *xhci, XHCITransfer *xfer,
|
|
+ XHCIEPContext *epctx, uint64_t mfindex)
|
|
+{
|
|
+ uint64_t asap = ((mfindex + epctx->interval - 1) &
|
|
+ ~(epctx->interval-1));
|
|
+ uint64_t kick = epctx->mfindex_last + epctx->interval;
|
|
+
|
|
+ assert(epctx->interval != 0);
|
|
+ xfer->mfindex_kick = MAX(asap, kick);
|
|
+}
|
|
+
|
|
static void xhci_calc_iso_kick(XHCIState *xhci, XHCITransfer *xfer,
|
|
XHCIEPContext *epctx, uint64_t mfindex)
|
|
{
|
|
@@ -1840,8 +1853,8 @@ static void xhci_calc_iso_kick(XHCIState *xhci, XHCITransfer *xfer,
|
|
}
|
|
}
|
|
|
|
-static void xhci_check_iso_kick(XHCIState *xhci, XHCITransfer *xfer,
|
|
- XHCIEPContext *epctx, uint64_t mfindex)
|
|
+static void xhci_check_intr_iso_kick(XHCIState *xhci, XHCITransfer *xfer,
|
|
+ XHCIEPContext *epctx, uint64_t mfindex)
|
|
{
|
|
if (xfer->mfindex_kick > mfindex) {
|
|
qemu_mod_timer(epctx->kick_timer, qemu_get_clock_ns(vm_clock) +
|
|
@@ -1866,18 +1879,30 @@ static int xhci_submit(XHCIState *xhci, XHCITransfer *xfer, XHCIEPContext *epctx
|
|
switch(epctx->type) {
|
|
case ET_INTR_OUT:
|
|
case ET_INTR_IN:
|
|
+ xfer->pkts = 0;
|
|
+ xfer->iso_xfer = false;
|
|
+ xfer->timed_xfer = true;
|
|
+ mfindex = xhci_mfindex_get(xhci);
|
|
+ xhci_calc_intr_kick(xhci, xfer, epctx, mfindex);
|
|
+ xhci_check_intr_iso_kick(xhci, xfer, epctx, mfindex);
|
|
+ if (xfer->running_retry) {
|
|
+ return -1;
|
|
+ }
|
|
+ break;
|
|
case ET_BULK_OUT:
|
|
case ET_BULK_IN:
|
|
xfer->pkts = 0;
|
|
xfer->iso_xfer = false;
|
|
+ xfer->timed_xfer = false;
|
|
break;
|
|
case ET_ISO_OUT:
|
|
case ET_ISO_IN:
|
|
xfer->pkts = 1;
|
|
xfer->iso_xfer = true;
|
|
+ xfer->timed_xfer = true;
|
|
mfindex = xhci_mfindex_get(xhci);
|
|
xhci_calc_iso_kick(xhci, xfer, epctx, mfindex);
|
|
- xhci_check_iso_kick(xhci, xfer, epctx, mfindex);
|
|
+ xhci_check_intr_iso_kick(xhci, xfer, epctx, mfindex);
|
|
if (xfer->running_retry) {
|
|
return -1;
|
|
}
|
|
@@ -1938,13 +1963,18 @@ static void xhci_kick_ep(XHCIState *xhci, unsigned int slotid,
|
|
|
|
trace_usb_xhci_xfer_retry(xfer);
|
|
assert(xfer->running_retry);
|
|
- if (xfer->iso_xfer) {
|
|
- /* retry delayed iso transfer */
|
|
+ if (xfer->timed_xfer) {
|
|
+ /* time to kick the transfer? */
|
|
mfindex = xhci_mfindex_get(xhci);
|
|
- xhci_check_iso_kick(xhci, xfer, epctx, mfindex);
|
|
+ xhci_check_intr_iso_kick(xhci, xfer, epctx, mfindex);
|
|
if (xfer->running_retry) {
|
|
return;
|
|
}
|
|
+ xfer->timed_xfer = 0;
|
|
+ xfer->running_retry = 1;
|
|
+ }
|
|
+ if (xfer->iso_xfer) {
|
|
+ /* retry iso transfer */
|
|
if (xhci_setup_packet(xfer) < 0) {
|
|
return;
|
|
}
|
|
@@ -2030,7 +2060,7 @@ static void xhci_kick_ep(XHCIState *xhci, unsigned int slotid,
|
|
epctx->next_xfer = (epctx->next_xfer + 1) % TD_QUEUE;
|
|
ep = xfer->packet.ep;
|
|
} else {
|
|
- if (!xfer->iso_xfer) {
|
|
+ if (!xfer->timed_xfer) {
|
|
fprintf(stderr, "xhci: error firing data transfer\n");
|
|
}
|
|
}
|