qemu/hw
Roman Kagan 491d68d938 usb:xhci: no DMA on HC reset
This patch is a rough fix to a memory corruption we are observing when
running VMs with xhci USB controller and OVMF firmware.

Specifically, on the following call chain

xhci_reset
  xhci_disable_slot
    xhci_disable_ep
      xhci_set_ep_state

QEMU overwrites guest memory using stale guest addresses.

This doesn't happen when the guest (firmware) driver sets up xhci for
the first time as there are no slots configured yet.  However when the
firmware hands over the control to the OS some slots and endpoints are
already set up with their context in the guest RAM.  Now the OS' driver
resets the controller again and xhci_set_ep_state then reads and writes
that memory which is now owned by the OS.

As a quick fix, skip calling xhci_set_ep_state in xhci_disable_ep if the
device context base address array pointer is zero (indicating we're in
the HC reset and no DMA is possible).

Cc: qemu-stable@nongnu.org
Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
Message-id: 1462384435-1034-1-git-send-email-rkagan@virtuozzo.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-05-11 10:29:28 +02:00
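The call chain the commit message describes, replayed in a small C model. This is an added example, not QEMU's xHCI code and not the patch itself: the types and function names (XHCIModel, hc_reset, disable_ep, set_ep_state, guest_word_after_os_reset), the guest addresses and the OS marker value are all constructed for illustration, and the model assumes the HC reset clears DCBAAP before it walks the slots, which is the condition the patch's guard keys on. It runs the firmware-to-OS handover once with the pre-patch behaviour and once with the guard, and returns the word left at the stale endpoint-context address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not QEMU code: the names are invented, and it assumes the HC reset
 * clears DCBAAP before it walks the slots (the condition the patch keys on). */
#define GUEST_RAM_SIZE 4096u
#define MAX_SLOTS 4
#define MAX_EPS 4
enum { EP_DISABLED = 0, EP_RUNNING = 1 };

static uint8_t guest_ram[GUEST_RAM_SIZE];   /* stand-in for guest RAM */
typedef struct {
    bool enabled;
    uint64_t ctx_addr;   /* guest address of this endpoint's context */
} EPState;

typedef struct { EPState eps[MAX_EPS]; } SlotState;

typedef struct {
    uint64_t dcbaap;          /* Device Context Base Address Array Pointer */
    SlotState slots[MAX_SLOTS];
    bool skip_dma_on_reset;   /* false: pre-patch behaviour; true: the fix */
} XHCIModel;

/* Bounds-checked "DMA" into and out of guest RAM; reads outside return 0. */
static uint32_t dma_read32(uint64_t addr)
{
    uint32_t val = 0;
    if (addr <= GUEST_RAM_SIZE - sizeof(val)) memcpy(&val, &guest_ram[addr], sizeof(val));
    return val;
}

static bool dma_write32(uint64_t addr, uint32_t val)
{
    if (addr > GUEST_RAM_SIZE - sizeof(val)) return false;
    memcpy(&guest_ram[addr], &val, sizeof(val));
    return true;
}

/* Like xhci_set_ep_state: read-modify-write the state field of the endpoint
 * context in guest RAM, at whatever address the model still holds. */
static void set_ep_state(EPState *ep, uint32_t state)
{
    uint32_t word = dma_read32(ep->ctx_addr);
    dma_write32(ep->ctx_addr, (word & ~0x7u) | (state & 0x7u));
}

/* Like xhci_disable_ep. The fix: DCBAAP == 0 means we are inside HC reset,
 * the context address is stale and now belongs to the OS, so skip the DMA. */
static void disable_ep(XHCIModel *hc, EPState *ep)
{
    if (!ep->enabled) return;
    if (!(hc->skip_dma_on_reset && hc->dcbaap == 0)) {
        set_ep_state(ep, EP_DISABLED);
    }
    ep->enabled = false;
}

/* Like xhci_reset -> xhci_disable_slot: clear registers, then tear down slots. */
static void hc_reset(XHCIModel *hc)
{
    hc->dcbaap = 0;
    for (int s = 0; s < MAX_SLOTS; s++) {
        for (int e = 0; e < MAX_EPS; e++) disable_ep(hc, &hc->slots[s].eps[e]);
    }
}

/* Replays the firmware -> OS handover and returns the word the OS stored at
 * the old endpoint-context address after the OS driver's reset has run. */
uint32_t guest_word_after_os_reset(bool with_fix)
{
    const uint64_t fw_ep_ctx = 0x200;        /* constructed context address */
    const uint32_t os_marker = 0xDEADBEEFu;  /* constructed OS-owned data */
    XHCIModel hc;

    memset(guest_ram, 0, sizeof(guest_ram));
    memset(&hc, 0, sizeof(hc));
    hc.skip_dma_on_reset = with_fix;

    hc_reset(&hc);                 /* firmware's first reset: no slots yet */
    hc.dcbaap = 0x100;             /* firmware programs DCBAAP, sets up slot 0 */
    hc.slots[0].eps[1].enabled = true;
    hc.slots[0].eps[1].ctx_addr = fw_ep_ctx;
    set_ep_state(&hc.slots[0].eps[1], EP_RUNNING);

    dma_write32(fw_ep_ctx, os_marker);   /* handover: the OS now owns that RAM */
    hc_reset(&hc);                       /* OS driver resets the controller */
    return dma_read32(fw_ep_ctx);
}

int main(void)
{
    printf("without fix: 0x%08x\n", guest_word_after_os_reset(false));
    printf("with fix:    0x%08x\n", guest_word_after_os_reset(true));
    return 0;
}
```

Without the guard the second reset rewrites the low bits of the OS-owned word through the stale context address, which is the corruption the message describes; with the guard the word is untouched. Note that the guard only suppresses the DMA: the stale addresses stay in the slot state, which matches the message's own description of this as a quick fix.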
9pfs util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
acpi Revert "acpi: mark PMTIMER as unlocked" 2016-05-02 17:19:13 +01:00
alpha util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
arm hw/arm/boot: always clear r0 when booting kernels 2016-04-21 12:10:17 +01:00
audio Replaced get_tick_per_sec() by NANOSECONDS_PER_SECOND 2016-03-22 22:20:17 +01:00
block Fix pflash migration 2016-04-15 17:27:34 +02:00
bt util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
char cadence_uart: bounds check write offset 2016-04-19 11:13:59 +01:00
core Sort the fw_cfg file list 2016-04-07 19:57:33 +03:00
cpu include/qemu/osdep.h: Don't include qapi/error.h 2016-03-22 22:20:15 +01:00
cris util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
display vga: make sure vga register setup for vbe stays intact (CVE-2016-3712). 2016-05-02 16:02:59 +02:00
dma Replaced get_tick_per_sec() by NANOSECONDS_PER_SECOND 2016-03-22 22:20:17 +01:00
gpio hw/gpio: Add the emulation of gpio_key 2016-03-30 17:27:22 +01:00
i2c i.MX: Add missing descriptions in devices. 2016-03-16 17:42:18 +00:00
i386 tpm: acpi: remove IRQ from TPM's CRS to make Windows not see conflict 2016-04-13 19:52:34 +03:00
ide ide: really restart pending and in-flight atapi dma 2016-04-12 18:48:15 -04:00
input virtio-input: support absolute axis config in pass-through 2016-04-13 17:26:12 +02:00
intc Replaced get_tick_per_sec() by NANOSECONDS_PER_SECOND 2016-03-22 22:20:17 +01:00
ipack include/qemu/osdep.h: Don't include qapi/error.h 2016-03-22 22:20:15 +01:00
ipmi include/qemu/osdep.h: Don't include qapi/error.h 2016-03-22 22:20:15 +01:00
isa hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
lm32 util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
m68k hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
mem include/qemu/osdep.h: Don't include qapi/error.h 2016-03-22 22:20:15 +01:00
microblaze util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
mips hw/mips/cps: enable ITU for multithreading processors 2016-03-30 09:14:00 +01:00
misc cuda: fix off-by-one error in SET_TIME command 2016-04-19 11:39:23 +10:00
moxie hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
net net: stellaris_enet: check packet length against receive buffer 2016-04-11 14:22:33 +01:00
nvram Sort the fw_cfg file list 2016-04-07 19:57:33 +03:00
openrisc hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
pci util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
pci-bridge hw/pci-bridge: Add missing unref in case register-bus fails 2016-04-07 19:57:33 +03:00
pci-host include/qemu/osdep.h: Don't include qapi/error.h 2016-03-22 22:20:15 +01:00
pcmcia hw: Clean up includes 2016-01-29 15:07:25 +00:00
ppc spapr_drc: fix aborts during DRC-count based hotplug 2016-04-26 11:16:08 +10:00
s390x hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
scsi virtio: merge virtio_queue_aio_set_host_notifier_handler with virtio_queue_set_aio 2016-04-07 19:57:33 +03:00
sd Replaced get_tick_per_sec() by NANOSECONDS_PER_SECOND 2016-03-22 22:20:17 +01:00
sh4 hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
smbios include/qemu/osdep.h: Don't include qapi/error.h 2016-03-22 22:20:15 +01:00
sparc util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
sparc64 util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
ssi hw: Clean up includes 2016-01-29 15:07:25 +00:00
timer hw/timer: Revert "hpet: inverse polarity when pin above ISA_NUM_IRQS" 2016-04-08 00:07:43 +02:00
tpm tpm: Fix write to file descriptor function 2016-04-13 19:52:34 +03:00
tricore hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
unicore32 hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
usb usb:xhci: no DMA on HC reset 2016-05-11 10:29:28 +02:00
vfio VFIO updates 2016-03-28 2016-03-29 17:39:41 +01:00
virtio virtio: Mark host notifiers as external 2016-04-22 16:43:58 +02:00
watchdog util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
xen util: move declarations out of qemu-common.h 2016-03-22 22:20:17 +01:00
xenpv xen: Clean up includes 2016-01-29 15:07:23 +00:00
xtensa hw: explicitly include qemu-common.h and cpu.h 2016-03-22 22:20:17 +01:00
Makefile.objs Add a base IPMI interface 2015-12-22 18:39:19 +02:00