From c9e385926232f30b7ea84e10725df57795ad0eb7 Mon Sep 17 00:00:00 2001 From: Ying Fang Date: Tue, 27 Aug 2019 16:02:09 +0800 Subject: [PATCH 1/3] xhci: Fix memory leak in xhci_address_slot Address Sanitizer shows memory leak in xhci_address_slot hw/usb/hcd-xhci.c:2156 and the stack is as bellow: Direct leak of 64 byte(s) in 4 object(s) allocated from: #0 0xffff91c6f5ab in realloc (/lib64/libasan.so.4+0xd35ab) #1 0xffff91987243 in g_realloc (/lib64/libglib-2.0.so.0+0x57243) #2 0xaaaab0b26a1f in qemu_iovec_add util/iov.c:296 #3 0xaaaab07e5ce3 in xhci_address_slot hw/usb/hcd-xhci.c:2156 #4 0xaaaab07e5ce3 in xhci_process_commands hw/usb/hcd-xhci.c:2493 #5 0xaaaab00058d7 in memory_region_write_accessor qemu/memory.c:507 #6 0xaaaab0000d87 in access_with_adjusted_size memory.c:573 #7 0xaaaab000abcf in memory_region_dispatch_write memory.c:1516 #8 0xaaaaaff59947 in flatview_write_continue exec.c:3367 #9 0xaaaaaff59c33 in flatview_write exec.c:3406 #10 0xaaaaaff63b3b in address_space_write exec.c:3496 #11 0xaaaab002f263 in kvm_cpu_exec accel/kvm/kvm-all.c:2288 #12 0xaaaaaffee427 in qemu_kvm_cpu_thread_fn cpus.c:1290 #13 0xaaaab0b1a943 in qemu_thread_start util/qemu-thread-posix.c:502 #14 0xffff908ce8bb in start_thread (/lib64/libpthread.so.0+0x78bb) #15 0xffff908165cb in thread_start (/lib64/libc.so.6+0xd55cb) Cc: zhanghailiang Signed-off-by: Ying Fang Reviewed-by: Li Qiang Message-id: 20190827080209.2365-1-fangying1@huawei.com Signed-off-by: Gerd Hoffmann --- hw/usb/hcd-xhci.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index f578264948..471759cd4c 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -2161,6 +2161,7 @@ static TRBCCode xhci_address_slot(XHCIState *xhci, unsigned int slotid, DeviceOutRequest | USB_REQ_SET_ADDRESS, slotid, 0, 0, NULL); assert(p.status != USB_RET_ASYNC); + usb_packet_cleanup(&p); } res = xhci_enable_ep(xhci, slotid, 1, octx+32, ep0_ctx); From 7cec2ed9d7aeeb6f873188b96c9f8ae17ab88da1 Mon Sep 17 00:00:00 2001 From: fangying Date: Wed, 28 Aug 2019 14:25:35 +0800 Subject: [PATCH 2/3] xhci: Fix memory leak in xhci_kick_epctx Address Sanitizer shows memory leak in xhci_kick_epctx hw/usb/hcd-xhci.c:1912. A sglist is leaked when a packet is retired and returns USB_RET_NAK status. The leak stack is as bellow: Direct leak of 2688 byte(s) in 168 object(s) allocated from: #0 0xffffae8b11db in __interceptor_malloc (/lib64/libasan.so.4+0xd31db) #1 0xffffae5c9163 in g_malloc (/lib64/libglib-2.0.so.0+0x57163) #2 0xaaaabb6fb3f7 in qemu_sglist_init dma-helpers.c:43 #3 0xaaaabba705a7 in pci_dma_sglist_init include/hw/pci/pci.h:837 #4 0xaaaabba705a7 in xhci_xfer_create_sgl hw/usb/hcd-xhci.c:1443 #5 0xaaaabba705a7 in xhci_setup_packet hw/usb/hcd-xhci.c:1615 #6 0xaaaabba77a6f in xhci_kick_epctx hw/usb/hcd-xhci.c:1912 #7 0xaaaabbdaad27 in timerlist_run_timers util/qemu-timer.c:592 #8 0xaaaabbdab19f in qemu_clock_run_timers util/qemu-timer.c:606 #9 0xaaaabbdab19f in qemu_clock_run_all_timers util/qemu-timer.c:692 #10 0xaaaabbdab9a3 in main_loop_wait util/main-loop.c:524 #11 0xaaaabb6ff5e7 in main_loop vl.c:1806 #12 0xaaaabb1e1453 in main vl.c:4488 Signed-off-by: Ying Fang Message-id: 20190828062535.1573-1-fangying1@huawei.com Signed-off-by: Gerd Hoffmann --- hw/usb/hcd-xhci.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 471759cd4c..80988bb305 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -1914,6 +1914,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid) } usb_handle_packet(xfer->packet.ep->dev, &xfer->packet); if (xfer->packet.status == USB_RET_NAK) { + xhci_xfer_unmap(xfer); return; } xhci_try_complete_packet(xfer); From e4c1c64112565a9be50008e6f28dbc41b53da740 Mon Sep 17 00:00:00 2001 From: Bandan Das Date: Wed, 28 Aug 2019 08:49:28 -0400 Subject: [PATCH 3/3] usb-mtp: add sanity checks on rootdir Currently, we don't check if rootdir exists and is accessible. Furthermore, a trailing slash results in a null "desc" string which ends up in the share not visible in the guest. Add some simple sanity checks for appropriate permissions. Also, bail out if the user does not supply an absolute path. Signed-off-by: Bandan Das Message-id: jpga7bto3on.fsf@linux.bootlegged.copy Signed-off-by: Gerd Hoffmann --- hw/usb/dev-mtp.c | 38 ++++++++++++++++++++++++-------------- 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 9846e4b513..7c07295519 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -2038,26 +2038,36 @@ static void usb_mtp_realize(USBDevice *dev, Error **errp) { MTPState *s = USB_MTP(dev); - usb_desc_create_serial(dev); - usb_desc_init(dev); - QTAILQ_INIT(&s->objects); - if (s->desc == NULL) { - if (s->root == NULL) { - error_setg(errp, "usb-mtp: rootdir property must be configured"); - return; - } - s->desc = strrchr(s->root, '/'); - if (s->desc && s->desc[0]) { - s->desc = g_strdup(s->desc + 1); - } else { - s->desc = g_strdup("none"); - } + if ((s->root == NULL) || !g_path_is_absolute(s->root)) { + error_setg(errp, "usb-mtp: rootdir must be configured and be an absolute path"); + return; } + + if (access(s->root, R_OK) != 0) { + error_setg(errp, "usb-mtp: rootdir does not exist/not readable"); + return; + } else if (!s->readonly && access(s->root, W_OK) != 0) { + error_setg(errp, "usb-mtp: rootdir does not have write permissions"); + return; + } + /* Mark store as RW */ if (!s->readonly) { s->flags |= (1 << MTP_FLAG_WRITABLE); } + if (s->desc == NULL) { + /* + * This does not check if path exists + * but we have the checks above + */ + s->desc = g_path_get_basename(s->root); + } + + usb_desc_create_serial(dev); + usb_desc_init(dev); + QTAILQ_INIT(&s->objects); + } static const VMStateDescription vmstate_usb_mtp = {