From 649ae1040db656d5775f711e0dbea4c09c6c8fe9 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 5 Jun 2018 15:29:15 +0200 Subject: [PATCH 1/8] usb: update docs xhci is rock solid meanwhile. So move it up in the docs and feature it as prefered usb host adapter, instead of the old shy version saying "you might want try ...". While being at it rework the text on ehci and companion controllers too. Signed-off-by: Gerd Hoffmann Reviewed-by: Markus Armbruster Message-id: 20180605132915.3640-1-kraxel@redhat.com --- docs/usb2.txt | 99 ++++++++++++++++++++++++++++----------------------- 1 file changed, 55 insertions(+), 44 deletions(-) diff --git a/docs/usb2.txt b/docs/usb2.txt index 09df45b5b1..e2fa2cfde0 100644 --- a/docs/usb2.txt +++ b/docs/usb2.txt @@ -1,16 +1,42 @@ -USB 2.0 Quick Start -=================== +USB Quick Start +=============== -The QEMU EHCI Adapter can be used with and without companion -controllers. See below for the companion controller mode. +XHCI controller support +----------------------- -When not running in companion controller mode there are two completely -separate USB busses: One USB 1.1 bus driven by the UHCI controller and -one USB 2.0 bus driven by the EHCI controller. Devices must be -attached to the correct controller manually. +QEMU has XHCI host adapter support. The XHCI hardware design is much +more virtualization-friendly when compared to EHCI and UHCI, thus XHCI +emulation uses less resources (especially cpu). So if your guest +supports XHCI (which should be the case for any operating system +released around 2010 or later) we recommend using it: -The '-usb' switch will make qemu create the UHCI controller as part of + qemu -device qemu-xhci + +XHCI supports USB 1.1, USB 2.0 and USB 3.0 devices, so this is the +only controller you need. With only a single USB controller (and +therefore only a single USB bus) present in the system there is no +need to use the bus= parameter when adding USB devices. + + +EHCI controller support +----------------------- + +The QEMU EHCI Adapter supports USB 2.0 devices. It can be used either +standalone or with companion controllers (UHCI, OHCI) for USB 1.1 +devices. The companion controller setup is more convenient to use +because it provides a single USB bus supporting both USB 2.0 and USB +1.1 devices. See next section for details. + +When running EHCI in standalone mode you can add UHCI or OHCI +controllers for USB 1.1 devices too. Each controller creates its own +bus though, so there are two completely separate USB buses: One USB +1.1 bus driven by the UHCI controller and one USB 2.0 bus driven by +the EHCI controller. Devices must be attached to the correct +controller manually. + +The easiest way to add a UHCI controller to a 'pc' machine is the +'-usb' switch. QEMU will create the UHCI controller as function of the PIIX3 chipset. The USB 1.1 bus will carry the name "usb-bus.0". You can use the standard -device switch to add a EHCI controller to @@ -19,9 +45,8 @@ the controller so the USB 2.0 bus gets a individual name, for example '-device usb-ehci,id=ehci". This will give you a USB 2.0 bus named "ehci.0". -I strongly recommend to also use -device to attach usb devices because -you can specify the bus they should be attached to this way. Here is -a complete example: +When adding USB devices using the -device switch you can specify the +bus they should be attached to. Here is a complete example: qemu -M pc ${otheroptions} \ -drive if=none,id=usbstick,file=/path/to/image \ @@ -30,58 +55,44 @@ a complete example: -device usb-tablet,bus=usb-bus.0 \ -device usb-storage,bus=ehci.0,drive=usbstick -This attaches a usb tablet to the UHCI adapter and a usb mass storage +This attaches a USB tablet to the UHCI adapter and a USB mass storage device to the EHCI adapter. Companion controller support ---------------------------- -Companion controller support has been added recently. The operational -model described above with two completely separate busses still works -fine. Additionally the UHCI and OHCI controllers got the ability to -attach to a usb bus created by EHCI as companion controllers. This is -done by specifying the masterbus and firstport properties. masterbus -specifies the bus name the controller should attach to. firstport -specifies the first port the controller should attach to, which is -needed as usually one ehci controller with six ports has three uhci -companion controllers with two ports each. +The UHCI and OHCI controllers can attach to a USB bus created by EHCI +as companion controllers. This is done by specifying the masterbus +and firstport properties. masterbus specifies the bus name the +controller should attach to. firstport specifies the first port the +controller should attach to, which is needed as usually one EHCI +controller with six ports has three UHCI companion controllers with +two ports each. -There is a config file in docs which will do all this for you, just -try ... +There is a config file in docs which will do all this for +you, just try ... qemu -readconfig docs/config/ich9-ehci-uhci.cfg -... then use "bus=ehci.0" to assign your usb devices to that bus. +... then use "bus=ehci.0" to assign your USB devices to that bus. - -xhci controller support ------------------------ - -There is also xhci host controller support available. It got a lot -less testing than ehci and there are a bunch of known limitations, so -ehci may work better for you. On the other hand the xhci hardware -design is much more virtualization-friendly, thus xhci emulation uses -less resources (especially cpu). If you want to give xhci a try -use this to add the host controller ... - - qemu -device nec-usb-xhci,id=xhci - -... then use "bus=xhci.0" when assigning usb devices. +Using the '-usb' switch for 'q35' machines will create a similar +USB controller configuration. More USB tips & tricks ====================== -Recently the usb pass through driver (also known as usb-host) and the -qemu usb subsystem gained a few capabilities which are available only +Recently the USB pass through driver (also known as usb-host) and the +QEMU USB subsystem gained a few capabilities which are available only via qdev properties, i,e. when using '-device'. physical port addressing ------------------------ -First you can (for all usb devices) specify the physical port where +First you can (for all USB devices) specify the physical port where the device will show up in the guest. This can be done using the "port" property. UHCI has two root ports (1,2). EHCI has four root ports (1-4), the emulated (1.1) USB hub has eight ports. @@ -94,7 +105,7 @@ Plugging a hub into UHCI port 2 works like this: -device usb-hub,bus=usb-bus.0,port=2 -Plugging a virtual usb stick into port 4 of the hub just plugged works +Plugging a virtual USB stick into port 4 of the hub just plugged works this way: -device usb-storage,bus=usb-bus.0,port=2.4,drive=... @@ -143,7 +154,7 @@ practice only a few combinations are useful: Note that USB 1.1 devices are handled by UHCI/OHCI and USB 2.0 by EHCI. That means a device plugged into the very same physical port -may show up on different busses depending on the speed. The port I'm +may show up on different buses depending on the speed. The port I'm using for testing is bus 1 + port 1 for 2.0 devices and bus 3 + port 1 for 1.1 devices. Passing through any device plugged into that port and also assign them to the correct bus can be done this way: From bf78fb1c1b61a819a47f7a1dbecf9934b9f32a0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Mon, 4 Jun 2018 12:14:19 -0300 Subject: [PATCH 2/8] usb: correctly handle Zero Length Packets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit USB Specification Revision 2.0, §5.5.3: The Data stage of a control transfer from an endpoint to the host is complete when the endpoint does one of the following: • Has transferred exactly the amount of data specified during the Setup stage • Transfers a packet with a payload size less than wMaxPacketSize or transfers a zero-length packet" hw/usb/redirect.c:802:9: warning: Declared variable-length array (VLA) has zero size uint8_t buf[size]; ^~~~~~~~~~~ ~~~~ Reported-by: Clang Static Analyzer Signed-off-by: Philippe Mathieu-Daudé Message-id: 20180604151421.23385-2-f4bug@amsat.org Signed-off-by: Gerd Hoffmann --- hw/usb/redirect.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index 65a9196c1a..58e8f7f5bd 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -795,7 +795,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, usbredirparser_peer_has_cap(dev->parser, usb_redir_cap_32bits_bulk_length)); - if (ep & USB_DIR_IN) { + if (ep & USB_DIR_IN || size == 0) { usbredirparser_send_bulk_packet(dev->parser, p->id, &bulk_packet, NULL, 0); } else { From 62713a2e50f653162387451034f1a2490e87be88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Mon, 4 Jun 2018 12:14:20 -0300 Subject: [PATCH 3/8] usb/dev-mtp: Fix use of uninitialized values MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This fixes: hw/usb/dev-mtp.c:971:5: warning: 4th function call argument is an uninitialized value trace_usb_mtp_op_get_partial_object(s->dev.addr, o->handle, o->path, c->argv[1], c->argv[2]); ^~~~~~~~~~ and: hw/usb/dev-mtp.c:981:12: warning: Assigned value is garbage or undefined offset = c->argv[1]; ^ ~~~~~~~~~~ Reported-by: Clang Static Analyzer Signed-off-by: Philippe Mathieu-Daudé Message-id: 20180604151421.23385-3-f4bug@amsat.org Signed-off-by: Gerd Hoffmann --- hw/usb/dev-mtp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 560c61c7c1..b0ab6a7912 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -1017,12 +1017,16 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c, static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c, MTPObject *o) { - MTPData *d = usb_mtp_data_alloc(c); + MTPData *d; off_t offset; + if (c->argc <= 2) { + return NULL; + } trace_usb_mtp_op_get_partial_object(s->dev.addr, o->handle, o->path, c->argv[1], c->argv[2]); + d = usb_mtp_data_alloc(c); d->fd = open(o->path, O_RDONLY); if (d->fd == -1) { usb_mtp_data_free(d); From f3d58385a6d3d82f65db602c5506e2d3d8c82394 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Thu, 31 May 2018 21:51:16 +0200 Subject: [PATCH 4/8] bus: do not unref the added child bus on realize MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When the parent bus removes the child property, it takes care of removing the added reference, in object_finalize_child_property(). Signed-off-by: Marc-André Lureau Message-id: 20180531195119.22021-2-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann --- hw/core/bus.c | 1 - 1 file changed, 1 deletion(-) diff --git a/hw/core/bus.c b/hw/core/bus.c index 4651f24486..ad0c9df335 100644 --- a/hw/core/bus.c +++ b/hw/core/bus.c @@ -102,7 +102,6 @@ static void qbus_realize(BusState *bus, DeviceState *parent, const char *name) QLIST_INSERT_HEAD(&bus->parent->child_bus, bus, sibling); bus->parent->num_child_bus++; object_property_add_child(OBJECT(bus->parent), bus->name, OBJECT(bus), NULL); - object_unref(OBJECT(bus)); } else if (bus != sysbus_get_default()) { /* TODO: once all bus devices are qdevified, only reset handler for main_system_bus should be registered here. */ From 265b578c584b1a86c7028790deaa2f4392dd0a65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Thu, 31 May 2018 21:51:17 +0200 Subject: [PATCH 5/8] object: fix OBJ_PROP_LINK_UNREF_ON_RELEASE ambivalence MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A link property can be set during creation, with object_property_add_link() and later with object_property_set_link(). add_link() doesn't add a reference to the target object, while set_link() does. Furthemore, OBJ_PROP_LINK_UNREF_ON_RELEASE flags, set during add_link, says whether a reference must be released when the property is destroyed. This can lead to leaks if the property was later set_link(), as the added reference is never released. Instead, rename OBJ_PROP_LINK_UNREF_ON_RELEASE to OBJ_PROP_LINK_STRONG and use that has an indication on how the link handle reference management in set_link(). Signed-off-by: Marc-André Lureau Message-id: 20180531195119.22021-3-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann --- hw/core/qdev-properties.c | 2 +- hw/core/qdev.c | 2 +- hw/display/xlnx_dp.c | 2 +- hw/dma/xilinx_axidma.c | 4 ++-- hw/dma/xlnx-zdma.c | 2 +- hw/i386/pc.c | 2 +- hw/i386/pc_piix.c | 2 +- hw/i386/pc_q35.c | 2 +- hw/ipmi/ipmi.c | 2 +- hw/net/xilinx_axienet.c | 4 ++-- hw/ssi/xilinx_spips.c | 2 +- include/qom/object.h | 12 +++++++++--- net/can/can_host.c | 2 +- net/colo-compare.c | 2 +- qom/object.c | 8 +++++--- target/arm/cpu.c | 4 ++-- ui/console.c | 2 +- 17 files changed, 32 insertions(+), 24 deletions(-) diff --git a/hw/core/qdev-properties.c b/hw/core/qdev-properties.c index 989778ab7f..35072dec1e 100644 --- a/hw/core/qdev-properties.c +++ b/hw/core/qdev-properties.c @@ -1308,7 +1308,7 @@ static void create_link_property(Object *obj, Property *prop, Error **errp) object_property_add_link(obj, prop->name, prop->link_type, child, qdev_prop_allow_set_link_before_realize, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, errp); } diff --git a/hw/core/qdev.c b/hw/core/qdev.c index ffec461791..cf0db4b6da 100644 --- a/hw/core/qdev.c +++ b/hw/core/qdev.c @@ -409,7 +409,7 @@ void qdev_init_gpio_out_named(DeviceState *dev, qemu_irq *pins, object_property_add_link(OBJECT(dev), propname, TYPE_IRQ, (Object **)&pins[i], object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &error_abort); g_free(propname); } diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c index c32ab083f8..51301220e8 100644 --- a/hw/display/xlnx_dp.c +++ b/hw/display/xlnx_dp.c @@ -1223,7 +1223,7 @@ static void xlnx_dp_init(Object *obj) object_property_add_link(obj, "dpdma", TYPE_XLNX_DPDMA, (Object **) &s->dpdma, xlnx_dp_set_dpdma, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &error_abort); /* diff --git a/hw/dma/xilinx_axidma.c b/hw/dma/xilinx_axidma.c index 9b48103574..401a328e27 100644 --- a/hw/dma/xilinx_axidma.c +++ b/hw/dma/xilinx_axidma.c @@ -525,12 +525,12 @@ static void xilinx_axidma_realize(DeviceState *dev, Error **errp) object_property_add_link(OBJECT(ds), "dma", TYPE_XILINX_AXI_DMA, (Object **)&ds->dma, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &local_err); object_property_add_link(OBJECT(cs), "dma", TYPE_XILINX_AXI_DMA, (Object **)&cs->dma, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &local_err); if (local_err) { goto xilinx_axidma_realize_fail; diff --git a/hw/dma/xlnx-zdma.c b/hw/dma/xlnx-zdma.c index 8eea757aff..b6745f5bcf 100644 --- a/hw/dma/xlnx-zdma.c +++ b/hw/dma/xlnx-zdma.c @@ -787,7 +787,7 @@ static void zdma_init(Object *obj) object_property_add_link(obj, "dma", TYPE_MEMORY_REGION, (Object **)&s->dma_mr, qdev_prop_allow_set_link_before_realize, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &error_abort); } diff --git a/hw/i386/pc.c b/hw/i386/pc.c index f3befe6721..ea57a46f81 100644 --- a/hw/i386/pc.c +++ b/hw/i386/pc.c @@ -483,7 +483,7 @@ void pc_cmos_init(PCMachineState *pcms, TYPE_ISA_DEVICE, (Object **)&pcms->rtc, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, &error_abort); + OBJ_PROP_LINK_STRONG, &error_abort); object_property_set_link(OBJECT(pcms), OBJECT(s), "rtc_state", &error_abort); diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c index 3d81136065..d2f0d60361 100644 --- a/hw/i386/pc_piix.c +++ b/hw/i386/pc_piix.c @@ -289,7 +289,7 @@ static void pc_init1(MachineState *machine, TYPE_HOTPLUG_HANDLER, (Object **)&pcms->acpi_dev, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, &error_abort); + OBJ_PROP_LINK_STRONG, &error_abort); object_property_set_link(OBJECT(machine), OBJECT(piix4_pm), PC_MACHINE_ACPI_DEVICE_PROP, &error_abort); } diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c index b60cbb9266..5be6ef73bb 100644 --- a/hw/i386/pc_q35.c +++ b/hw/i386/pc_q35.c @@ -194,7 +194,7 @@ static void pc_q35_init(MachineState *machine) TYPE_HOTPLUG_HANDLER, (Object **)&pcms->acpi_dev, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, &error_abort); + OBJ_PROP_LINK_STRONG, &error_abort); object_property_set_link(OBJECT(machine), OBJECT(lpc), PC_MACHINE_ACPI_DEVICE_PROP, &error_abort); diff --git a/hw/ipmi/ipmi.c b/hw/ipmi/ipmi.c index 9be281fd87..63c031703d 100644 --- a/hw/ipmi/ipmi.c +++ b/hw/ipmi/ipmi.c @@ -104,7 +104,7 @@ void ipmi_bmc_find_and_link(Object *obj, Object **bmc) { object_property_add_link(obj, "bmc", TYPE_IPMI_BMC, bmc, isa_ipmi_bmc_check, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &error_abort); } diff --git a/hw/net/xilinx_axienet.c b/hw/net/xilinx_axienet.c index d4c2c89dc1..cc880a3d08 100644 --- a/hw/net/xilinx_axienet.c +++ b/hw/net/xilinx_axienet.c @@ -951,12 +951,12 @@ static void xilinx_enet_realize(DeviceState *dev, Error **errp) object_property_add_link(OBJECT(ds), "enet", "xlnx.axi-ethernet", (Object **) &ds->enet, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &local_err); object_property_add_link(OBJECT(cs), "enet", "xlnx.axi-ethernet", (Object **) &cs->enet, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &local_err); if (local_err) { goto xilinx_enet_realize_fail; diff --git a/hw/ssi/xilinx_spips.c b/hw/ssi/xilinx_spips.c index 03f5faee4b..f599025956 100644 --- a/hw/ssi/xilinx_spips.c +++ b/hw/ssi/xilinx_spips.c @@ -1346,7 +1346,7 @@ static void xlnx_zynqmp_qspips_init(Object *obj) object_property_add_link(obj, "stream-connected-dma", TYPE_STREAM_SLAVE, (Object **)&rq->dma, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, NULL); } diff --git a/include/qom/object.h b/include/qom/object.h index a0c78c76f7..f3d2308d56 100644 --- a/include/qom/object.h +++ b/include/qom/object.h @@ -1103,6 +1103,11 @@ char *object_property_get_str(Object *obj, const char *name, * @errp: returns an error if this function fails * * Writes an object's canonical path to a property. + * + * If the link property was created with + * OBJ_PROP_LINK_STRONG bit, the old target object is + * unreferenced, and a reference is added to the new target object. + * */ void object_property_set_link(Object *obj, Object *value, const char *name, Error **errp); @@ -1394,7 +1399,7 @@ void object_property_add_child(Object *obj, const char *name, typedef enum { /* Unref the link pointer when the property is deleted */ - OBJ_PROP_LINK_UNREF_ON_RELEASE = 0x1, + OBJ_PROP_LINK_STRONG = 0x1, } ObjectPropertyLinkFlags; /** @@ -1432,8 +1437,9 @@ void object_property_allow_set_link(const Object *, const char *, * link property. The reference count for *@child is * managed by the property from after the function returns till the * property is deleted with object_property_del(). If the - * @flags OBJ_PROP_LINK_UNREF_ON_RELEASE bit is set, - * the reference count is decremented when the property is deleted. + * @flags OBJ_PROP_LINK_STRONG bit is set, + * the reference count is decremented when the property is deleted or + * modified. */ void object_property_add_link(Object *obj, const char *name, const char *type, Object **child, diff --git a/net/can/can_host.c b/net/can/can_host.c index c3d26521cd..c79347abab 100644 --- a/net/can/can_host.c +++ b/net/can/can_host.c @@ -77,7 +77,7 @@ static void can_host_instance_init(Object *obj) object_property_add_link(obj, "canbus", TYPE_CAN_BUS, (Object **)&ch->bus, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &error_abort); } diff --git a/net/colo-compare.c b/net/colo-compare.c index c3a2be4c90..dd745a491b 100644 --- a/net/colo-compare.c +++ b/net/colo-compare.c @@ -980,7 +980,7 @@ static void colo_compare_init(Object *obj) object_property_add_link(obj, "iothread", TYPE_IOTHREAD, (Object **)&s->iothread, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, NULL); + OBJ_PROP_LINK_STRONG, NULL); s->vnet_hdr = false; object_property_add_bool(obj, "vnet_hdr_support", compare_get_vnet_hdr, diff --git a/qom/object.c b/qom/object.c index cb7a8cd589..e6462f289c 100644 --- a/qom/object.c +++ b/qom/object.c @@ -1564,9 +1564,11 @@ static void object_set_link_property(Object *obj, Visitor *v, return; } - object_ref(new_target); *child = new_target; - object_unref(old_target); + if (prop->flags == OBJ_PROP_LINK_STRONG) { + object_ref(new_target); + object_unref(old_target); + } } static Object *object_resolve_link_property(Object *parent, void *opaque, const gchar *part) @@ -1581,7 +1583,7 @@ static void object_release_link_property(Object *obj, const char *name, { LinkProperty *prop = opaque; - if ((prop->flags & OBJ_PROP_LINK_UNREF_ON_RELEASE) && *prop->child) { + if ((prop->flags & OBJ_PROP_LINK_STRONG) && *prop->child) { object_unref(*prop->child); } g_free(prop); diff --git a/target/arm/cpu.c b/target/arm/cpu.c index 5d60893a07..ab047b9402 100644 --- a/target/arm/cpu.c +++ b/target/arm/cpu.c @@ -690,7 +690,7 @@ static void arm_cpu_post_init(Object *obj) TYPE_MEMORY_REGION, (Object **)&cpu->secure_memory, qdev_prop_allow_set_link_before_realize, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &error_abort); #endif } @@ -718,7 +718,7 @@ static void arm_cpu_post_init(Object *obj) if (arm_feature(&cpu->env, ARM_FEATURE_M_SECURITY)) { object_property_add_link(obj, "idau", TYPE_IDAU_INTERFACE, &cpu->idau, qdev_prop_allow_set_link_before_realize, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &error_abort); qdev_property_add_static(DEVICE(obj), &arm_cpu_initsvtor_property, &error_abort); diff --git a/ui/console.c b/ui/console.c index ef1247f872..bc58458ee8 100644 --- a/ui/console.c +++ b/ui/console.c @@ -1287,7 +1287,7 @@ static QemuConsole *new_console(DisplayState *ds, console_type_t console_type, object_property_add_link(obj, "device", TYPE_DEVICE, (Object **)&s->device, object_property_allow_set_link, - OBJ_PROP_LINK_UNREF_ON_RELEASE, + OBJ_PROP_LINK_STRONG, &error_abort); object_property_add_uint32_ptr(obj, "head", &s->head, &error_abort); From 410a096adf991ce437d4d7dabc59b6557e6d488d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Thu, 31 May 2018 21:51:18 +0200 Subject: [PATCH 6/8] usb-ccid: fix bus leak MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit qbus_create_inplace() creates a new reference in realize(), it must be released in unrealize(). Signed-off-by: Marc-André Lureau Message-id: 20180531195119.22021-4-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann --- hw/usb/dev-smartcard-reader.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c index 2131e33d27..f7c91230d5 100644 --- a/hw/usb/dev-smartcard-reader.c +++ b/hw/usb/dev-smartcard-reader.c @@ -1147,6 +1147,7 @@ static void ccid_unrealize(USBDevice *dev, Error **errp) USBCCIDState *s = USB_CCID_DEV(dev); ccid_bulk_in_clear(s); + object_unref(OBJECT(&s->bus)); } static void ccid_flush_pending_answers(USBCCIDState *s) From 1a3ff20e67330a15d62b00c2916e3541872103c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Thu, 31 May 2018 21:51:19 +0200 Subject: [PATCH 7/8] usb-hcd-xhci-test: add a test for ccid hotplug MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Marc-André Lureau Message-id: 20180531195119.22021-5-marcandre.lureau@redhat.com Signed-off-by: Gerd Hoffmann --- tests/usb-hcd-xhci-test.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tests/usb-hcd-xhci-test.c b/tests/usb-hcd-xhci-test.c index 9c14e3053a..5b1b681bf2 100644 --- a/tests/usb-hcd-xhci-test.c +++ b/tests/usb-hcd-xhci-test.c @@ -35,6 +35,15 @@ static void test_usb_uas_hotplug(void) qtest_qmp_device_del("uas"); } +static void test_usb_ccid_hotplug(void) +{ + qtest_qmp_device_add("usb-ccid", "ccid", NULL); + qtest_qmp_device_del("ccid"); + /* check the device can be added again */ + qtest_qmp_device_add("usb-ccid", "ccid", NULL); + qtest_qmp_device_del("ccid"); +} + int main(int argc, char **argv) { int ret; @@ -44,6 +53,7 @@ int main(int argc, char **argv) qtest_add_func("/xhci/pci/init", test_xhci_init); qtest_add_func("/xhci/pci/hotplug", test_xhci_hotplug); qtest_add_func("/xhci/pci/hotplug/usb-uas", test_usb_uas_hotplug); + qtest_add_func("/xhci/pci/hotplug/usb-ccid", test_usb_ccid_hotplug); qtest_start("-device nec-usb-xhci,id=xhci" " -drive id=drive0,if=none,file=null-co://,format=raw"); From 3c969a6022438cf59de10d2dc3c58f4807788f98 Mon Sep 17 00:00:00 2001 From: Bandan Das Date: Fri, 18 May 2018 14:49:03 -0400 Subject: [PATCH 8/8] usb-mtp: Return error on suspicious TYPE_DATA packet from initiator CID 1390604 If the initiator sends a packet with TYPE_DATA set without initiating a CMD_GET_OBJECT_INFO first, then usb_mtp_get_data can trip on a null s->data_out. Signed-off-by: Bandan Das Message-Id: Signed-off-by: Gerd Hoffmann --- hw/usb/dev-mtp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index b0ab6a7912..1ded7ac9a3 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -1700,6 +1700,11 @@ static void usb_mtp_get_data(MTPState *s, mtp_container *container, uint64_t dlen; uint32_t data_len = p->iov.size; + if (!d) { + usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO, 0, + 0, 0, 0, 0); + return; + } if (d->first) { /* Total length of incoming data */ d->length = cpu_to_le32(container->length) - sizeof(mtp_container);