From c5ead51f90cf33ccf07974eba5154be2af2c7fc3 Mon Sep 17 00:00:00 2001 From: Bandan Das Date: Wed, 6 Mar 2019 16:04:07 -0500 Subject: [PATCH 1/4] usb-mtp: return incomplete transfer on a lstat failure MTP writes objects in small chunks and at the end gets the real file size to update the object metadata. If this fails for any reason, return an INCOMPLETE_TRANSFER to the initiator Spotted by Coverity: CID 1398651 Signed-off-by: Bandan Das Message-id: 20190306210409.14842-2-bsd@redhat.com Signed-off-by: Gerd Hoffmann --- hw/usb/dev-mtp.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 4ee4fc5a89..4dde14fc78 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -1591,14 +1591,18 @@ done: return ret; } -static void usb_mtp_update_object(MTPObject *parent, char *name) +static int usb_mtp_update_object(MTPObject *parent, char *name) { + int ret = -1; + MTPObject *o = usb_mtp_object_lookup_name(parent, name, strlen(name)); if (o) { - lstat(o->path, &o->stat); + ret = lstat(o->path, &o->stat); } + + return ret; } static void usb_mtp_write_data(MTPState *s) @@ -1655,13 +1659,18 @@ static void usb_mtp_write_data(MTPState *s) if (d->write_status != WRITE_END) { return; } else { - /* Only for < 4G file sizes */ - if (s->dataset.size != 0xFFFFFFFF && d->offset != s->dataset.size) { + /* + * Return an incomplete transfer if file size doesn't match + * for < 4G file or if lstat fails which will result in an incorrect + * file size + */ + if ((s->dataset.size != 0xFFFFFFFF && + d->offset != s->dataset.size) || + usb_mtp_update_object(parent, s->dataset.filename)) { usb_mtp_queue_result(s, RES_INCOMPLETE_TRANSFER, d->trans, 0, 0, 0, 0); goto done; } - usb_mtp_update_object(parent, s->dataset.filename); } } From 298ac63c4428e05b09f9d0959f89fd5436c4a0ec Mon Sep 17 00:00:00 2001 
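Review bot: `usb_mtp_update_object` now returns -1 for two different conditions — no object named `name` under `parent`, and a failed `lstat()` — and the caller cannot tell them apart, so the contract should be written above the function: `/* Refresh o->stat for the child called name; returns 0 on success, -1 if the object is unknown or lstat() failed. */`. Only in the lstat case is errno meaningful; the lookup-miss path leaves it untouched, which is worth a word in that comment if a caller ever logs it. `usb_mtp_write_data` begins in this hunk but its body continues past it.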
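Review bot: When the size check or the refreshed `lstat()` fails, the new condition jumps to `done` with RES_INCOMPLETE_TRANSFER but, as far as the `done:` path visible later in this series shows, the partially written file stays on the host filesystem and the object keeps whatever stat it had, so a later read of that object can serve a truncated file with stale metadata. Because `||` short-circuits, the lstat refresh is also skipped entirely on a size mismatch, which should be stated in the new comment, e.g. add `* On a size mismatch the object's cached stat is left untouched.`. Consider unlinking the file on this branch if `path` is still populated at WRITE_END; I cannot tell from the hunk whether it is. `usb_mtp_write_data` starts and ends outside this hunk.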
From: Bandan Das Date: Wed, 6 Mar 2019 16:04:08 -0500 Subject: [PATCH 2/4] usb-mtp: fix some usb_mtp_write_data return paths During a write, free up the "path" before getting more data. Also, while we at it, remove the confusing usage of d->fd for storing mkdir status Spotted by Coverity: CID 1398642 Signed-off-by: Bandan Das Message-id: 20190306210409.14842-3-bsd@redhat.com Signed-off-by: Gerd Hoffmann --- hw/usb/dev-mtp.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 4dde14fc78..1f22284949 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -1605,7 +1605,7 @@ static int usb_mtp_update_object(MTPObject *parent, char *name) return ret; } -static void usb_mtp_write_data(MTPState *s) +static int usb_mtp_write_data(MTPState *s) { MTPData *d = s->data_out; MTPObject *parent = @@ -1613,6 +1613,7 @@ static void usb_mtp_write_data(MTPState *s) char *path = NULL; uint64_t rc; mode_t mask = 0644; + int ret = 0; assert(d != NULL); @@ -1621,13 +1622,13 @@ static void usb_mtp_write_data(MTPState *s) if (!parent || !s->write_pending) { usb_mtp_queue_result(s, RES_INVALID_OBJECTINFO, d->trans, 0, 0, 0, 0); - return; + return 1; } if (s->dataset.filename) { path = g_strdup_printf("%s/%s", parent->path, s->dataset.filename); if (s->dataset.format == FMT_ASSOCIATION) { - d->fd = mkdir(path, mask); + ret = mkdir(path, mask); goto free; } d->fd = open(path, O_CREAT | O_WRONLY | @@ -1657,7 +1658,8 @@ static void usb_mtp_write_data(MTPState *s) goto done; } if (d->write_status != WRITE_END) { - return; + g_free(path); + return ret; } else { /* * Return an incomplete transfer if file size doesn't match @@ -1685,12 +1687,14 @@ done: */ if (d->fd != -1) { close(d->fd); + d->fd = -1; } free: g_free(s->dataset.filename); s->dataset.size = 0; g_free(path); s->write_pending = false; + return ret; } static void usb_mtp_write_metadata(MTPState *s, uint64_t dlen) 
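Review bot: `ret = mkdir(path, mask);` creates the association directory with `mask`, which the context of the previous hunk shows is `0644`, i.e. without the owner search bit, so unless QEMU runs as root every later `open(O_CREAT)` of an object inside that directory fails with EACCES and surfaces to the guest as a failed write; directories need a mode such as `ret = mkdir(path, 0755);` (or the file mode with the x bits added). Note also that `return 1` comes after RES_INVALID_OBJECTINFO has already been queued, so a caller must not queue a second result on that return. The path is built from the guest-supplied `s->dataset.filename`; I am assuming it was rejected earlier if it contains `/` or is `..`, since no such check is visible in this hunk. `usb_mtp_write_data` starts and ends outside the hunk.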
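Review bot: The `ret` returned at `free:` means different things on different paths — the `mkdir()` status for an association, but 0 for every file write including the RES_STORE_FULL `goto done` paths — so a caller testing the return value learns nothing about a failed file write; either propagate a non-zero `ret` from those `goto done` sites or document the asymmetry above the label, e.g. `/* ret: mkdir() result for associations; always 0 for file writes, whose failures are reported only via the queued result */`. Resetting `d->fd = -1` after `close()` is the right fix for the reuse in write_metadata, though the `close()` return is still unchecked. `usb_mtp_write_data` starts outside this hunk.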
@@ -1727,14 +1731,12 @@ static void usb_mtp_write_metadata(MTPState *s, uint64_t dlen) s->write_pending = true; if (s->dataset.format == FMT_ASSOCIATION) { - usb_mtp_write_data(s); - /* next_handle will be allocated to the newly created dir */ - if (d->fd == -1) { + if (usb_mtp_write_data(s)) { + /* next_handle will be allocated to the newly created dir */ usb_mtp_queue_result(s, RES_STORE_FULL, d->trans, 0, 0, 0, 0); return; } - d->fd = -1; } usb_mtp_queue_result(s, RES_OK, d->trans, 3, QEMU_STORAGE_ID, From 7ddf837465e6110fb46b85cfd169ad50d71aa152 Mon Sep 17 00:00:00 2001 From: Bandan Das Date: Wed, 6 Mar 2019 16:04:09 -0500 Subject: [PATCH 3/4] usb-mtp: prevent null dereference while deleting objects Spotted by Coverity: CID 1399144 Signed-off-by: Bandan Das Message-id: 20190306210409.14842-4-bsd@redhat.com Signed-off-by: Gerd Hoffmann --- hw/usb/dev-mtp.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c index 1f22284949..06e376bcd2 100644 --- a/hw/usb/dev-mtp.c +++ b/hw/usb/dev-mtp.c @@ -1177,9 +1177,7 @@ static int usb_mtp_deletefn(MTPState *s, MTPObject *o, uint32_t trans) usb_mtp_object_free_one(s, o); success = true; } - } - - if (o->format == FMT_ASSOCIATION) { + } else if (o->format == FMT_ASSOCIATION) { if (rmdir(o->path)) { partial_delete = true; } else { From ba4c735b4fc74e309ce4b2551d258e442ef513a5 Mon Sep 17 00:00:00 2001 
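Review bot: `if (usb_mtp_write_data(s))` queues RES_STORE_FULL for every non-zero return, but the earlier hunk of this patch returns 1 from `usb_mtp_write_data` after it has already queued RES_INVALID_OBJECTINFO, so on that path two results are queued for one transaction; unless `usb_mtp_queue_result` replaces a pending result (not visible here), have `usb_mtp_write_data` return a distinct value meaning "result already queued" and test for it before queueing again. The comment `/* next_handle will be allocated to the newly created dir */` has been moved into the failure branch, where no directory was created; it belongs just above the RES_OK result that follows. `usb_mtp_write_metadata` starts and ends outside the hunk.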
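Review bot: The `else if` is required because `usb_mtp_object_free_one(s, o)` in the first branch frees `o`, so a comment at that call would stop a later refactor from reintroducing the use-after-free: `/* o is freed here; do not touch it after this branch */`. The first branch's condition and the rest of `usb_mtp_deletefn` lie outside the hunk, so I cannot check whether the remaining paths also hold on to `o` after freeing it.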
From: Alexander Kappner Date: Mon, 28 Jan 2019 15:00:27 +0100 Subject: [PATCH 4/4] Introduce new "no_guest_reset" parameter for usb-host device With certain USB devices passed through via usb-host, a guest attempting to reset a usb-host device can trigger a reset loop that renders the USB device unusable. In my use case, the device was an iPhone XR that was passed through to a Mac OS X Mojave guest. Upon connecting the device, the following happens: 1) Guest recognizes new device, sends reset to emulated USB host 2) QEMU's USB host sends reset to host kernel 3) Host kernel resets device 4) After reset, host kernel determines that some part of the device descriptor has changed ("device firmware changed" in dmesg), so host kernel decides to re-enumerate the device. 5) Re-enumeration causes QEMU to disconnect and reconnect the device in the guest. 6) goto 1) Here's from the host kernel (note the "device firmware changed" lines") [3677704.473050] usb 1-1.3: new high-speed USB device number 53 using ehci-pci [3677704.555594] usb 1-1.3: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.08 [3677704.555599] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [3677704.555602] usb 1-1.3: Product: iPhone [3677704.555605] usb 1-1.3: Manufacturer: Apple Inc. [3677704.555607] usb 1-1.3: SerialNumber: [[removed]] [3677709.401040] usb 1-1.3: reset high-speed USB device number 53 using ehci-pci [3677709.479486] usb 1-1.3: device firmware changed [3677709.479842] usb 1-1.3: USB disconnect, device number 53 [3677709.546039] usb 1-1.3: new high-speed USB device number 54 using ehci-pci [3677709.627471] usb 1-1.3: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.08 [3677709.627476] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [3677709.627479] usb 1-1.3: Product: iPhone [3677709.627481] usb 1-1.3: Manufacturer: Apple Inc. 
[3677709.627483] usb 1-1.3: SerialNumber: [[removed]] [3677762.320044] usb 1-1.3: reset high-speed USB device number 54 using ehci-pci [3677762.615630] usb 1-1.3: USB disconnect, device number 54 [3677762.787043] usb 1-1.3: new high-speed USB device number 55 using ehci-pci [3677762.869016] usb 1-1.3: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.08 [3677762.869024] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [3677762.869028] usb 1-1.3: Product: iPhone [3677762.869032] usb 1-1.3: Manufacturer: Apple Inc. [3677762.869035] usb 1-1.3: SerialNumber: [[removed]] [3677815.662036] usb 1-1.3: reset high-speed USB device number 55 using ehci-pci Here's from QEMU: libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/005/022: No such file or directory libusb: error [udev_hotplug_event] ignoring udev action bind libusb: error [udev_hotplug_event] ignoring udev action bind libusb: error [_open_sysfs_attr] open /sys/bus/usb/devices/5-1/bConfigurationValue failed ret=-1 errno=2 libusb: error [_get_usbfs_fd] File doesn't exist, wait 10 ms and try again libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/005/024: No such file or directory libusb: error [udev_hotplug_event] ignoring udev action bind libusb: error [udev_hotplug_event] ignoring udev action bind libusb: error [_open_sysfs_attr] open /sys/bus/usb/devices/5-1/bConfigurationValue failed ret=-1 errno=2 libusb: error [_get_usbfs_fd] File doesn't exist, wait 10 ms and try again libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/005/026: No such file or directory The result of this is that the device remains permanently unusable in the guest. The same problem has been previously reported for an iPad: https://stackoverflow.com/questions/52617634/how-do-i-get-qemu-usb-passthrough-to-work-for-ipad-iphone This problem can be elegantly solved by interrupting step 2) above. 
Instead of passing through the reset, QEMU simply ignores it. To allow this to be configured on a per-device level, a new parameter "no_guest_reset" is introduced for the usb-host device. I can confirm that the configuration described above (iPhone XS + Mojave guest) works flawlessly with no_guest_reset=True specified. Working command line for my scenario: device_add usb-host,vendorid=0x05ac,productid=0x12a8,no_guest_reset=True,id=iphone Best regards Alexander Signed-off-by: Alexander Kappner Signed-off-by: Gerd Hoffmann Message-id: 20190128140027.9448-1-kraxel@redhat.com [ kraxel: rename parameter to "guest-reset" ] Signed-off-by: Gerd Hoffmann --- hw/usb/host-libusb.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c index 833250a886..67b7465915 100644 --- a/hw/usb/host-libusb.c +++ b/hw/usb/host-libusb.c @@ -82,7 +82,7 @@ struct USBHostDevice { uint32_t options; uint32_t loglevel; bool needs_autoscan; - + bool allow_guest_reset; /* state */ QTAILQ_ENTRY(USBHostDevice) next; int seen, errcount; @@ -1456,6 +1456,10 @@ static void usb_host_handle_reset(USBDevice *udev) USBHostDevice *s = USB_HOST_DEVICE(udev); int rc; + if (!s->allow_guest_reset) { + return; + } + trace_usb_host_reset(s->bus_num, s->addr); rc = libusb_reset_device(s->dh); @@ -1573,6 +1577,7 @@ static Property usb_host_dev_properties[] = { DEFINE_PROP_UINT32("productid", USBHostDevice, match.product_id, 0), DEFINE_PROP_UINT32("isobufs", USBHostDevice, iso_urb_count, 4), DEFINE_PROP_UINT32("isobsize", USBHostDevice, iso_urb_frames, 32), + DEFINE_PROP_BOOL("guest-reset", USBHostDevice, allow_guest_reset, true), DEFINE_PROP_UINT32("loglevel", USBHostDevice, loglevel, LIBUSB_LOG_LEVEL_WARNING), DEFINE_PROP_BIT("pipeline", USBHostDevice, options,
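Review bot: The new early return makes a guest-requested reset silently do nothing, and it sits before `trace_usb_host_reset`, so even with tracing enabled there is no record that a reset was requested and dropped; move the check below the trace call, or add a comment at the return such as `/* guest-reset=off: device re-enumerates on reset (see commit log); leave host state as is */`. With resets suppressed the host device is never returned to a known state when the guest reboots, so whatever configuration the previous guest OS left persists into the next one — worth a sentence wherever the property is documented. `usb_host_handle_reset` ends outside the hunk.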
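Review bot: The property is named `guest-reset` and defaults to true, while the commit message's working example still says `no_guest_reset=True`; a user copying it gets an unknown-property error, and because the sense is inverted the equivalent is `guest-reset=off`. A short description for the usb documentation would avoid that: `guest-reset=on|off — pass guest USB port resets through to the host device (default on); off works around devices that re-enumerate on reset`. The property array starts and ends outside the hunk.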