rpms/qemu
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
qemu/0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch
Cole Robinson 3a13ddd514 CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463) 
CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz #1373480)
CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
2016-10-15 22:24:48 -04:00

51 lines
1.8 KiB
Diff
Raw Blame History

From: Hans de Goede <hdegoede@redhat.com>
Date: Mon, 10 Oct 2016 12:45:13 +0200
Subject: [PATCH] usb-redir: allocate buffers before waking up the host adapter
Needed to make sure usb redirection is prepared to actually handle the
callback from the usb host adapter. Without this interrupt endpoints
don't work on xhci.
Note: On ehci the usb_wakeup() call only schedules a BH for the actual
work, which hides this bug because the allocation happens before ehci
calls back even without this patch.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Message-id: 1476096313-7730-1-git-send-email-kraxel@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit d5c42857d6b0c35028897df8dfc3749eba6f6de3)
---
hw/usb/redirect.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 444672a..d4ca026 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(void *priv, uint64_t id,
}
if (ep & USB_DIR_IN) {
+ bool q_was_empty;
+
if (dev->endpoint[EP2I(ep)].interrupt_started == 0) {
DPRINTF("received int packet while not started ep %02X\n", ep);
free(data);
return;
}
- if (QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq)) {
- usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
- }
+ q_was_empty = QTAILQ_EMPTY(&dev->endpoint[EP2I(ep)].bufpq);
/* bufp_alloc also adds the packet to the ep queue */
bufp_alloc(dev, data, data_len, interrupt_packet->status, ep, data);
+
+ if (q_was_empty) {
+ usb_wakeup(usb_ep_get(&dev->dev, USB_TOKEN_IN, ep & 0x0f), 0);
+ }
} else {
/*
* We report output interrupt packets as completed directly upon
Reference in New Issue View Git Blame Copy Permalink