CVE# CVE-2021-23905
Add a NULL pointer check in init vq ring and add a vq ring descriptor
check in case it causes a NULL pointer exception.
Tracked-On: #5355
Signed-off-by: Liu Long <long.liu@intel.com>
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Wang, Yu1 <yu1.wang@intel.com>
The trb pointer may be NULL when getting the address from user space; add
the pointer check before using the trb.
Tracked-On: #6172
Signed-off-by: Liu Long <long.liu@intel.com>
Reviewed-by: Shuo A Liu <shuo.a.liu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
With virtio polling mode enabled, a timer is running in the virtio
backend service. The timer will also be triggered if its frontend
driver didn't do the device reset in shutdown. A freed virtio device
will be accessed in the polling timer handler.
Do the virtio reset() callback specifically to clear the polling timer
before the free.
Tracked-On: #6147
Signed-off-by: Shuo A Liu <shuo.a.liu@intel.com>
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
int snprintf(char *str, size_t size, const char *format, ...)
The snprintf() function writes at most size bytes (including the
terminating null byte ('\0')) to str.
Only when the returned value of snprintf is non-negative and less than size
has the string been completely written.
Tracked-On: #4109
Signed-off-by: Gao Junhao <junhao.gao@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
In function crb_reg_write() in tpm_rbc.c,
'tpm_vdev->request_mutex' will potentially be kept
in locked state after crb_reg_write() returns.
Tracked-On: #4108
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Yadong Qi <yadong.qi@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
va_end() was not getting called under certain conditions
after the va_start() function call taking the va_list.
Tracked-On: #3406
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
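
The snprintf() return-value rule and the va_end() pairing described in the two commit messages above, combined in one added example (not code from the ACRN tree). `fmt_checked()` and `build_dev_path()` are hypothetical helpers and the device names are constructed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not ACRN code): format into buf and report whether the
 * complete string fit. Returns 0 on success, -1 on output error or truncation.
 * On failure buf is emptied so a cut-off string can never be used by mistake. */
static int fmt_checked(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n, ret = 0;

	if (buf == NULL || size == 0)
		return -1;	/* before va_start(): nothing to release yet */

	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	/* Complete only if 0 <= n < size; n >= size means truncation. */
	if (n < 0 || (size_t)n >= size) {
		buf[0] = '\0';
		ret = -1;
	}
	va_end(ap);	/* single exit after va_start(): runs on every path */
	return ret;
}

/* Constructed use case: build a device node path from a supplied name. */
static int build_dev_path(char *out, size_t size, const char *name)
{
	return fmt_checked(out, size, "/dev/%s", name);
}

int main(void)
{
	char path[16];

	if (build_dev_path(path, sizeof(path), "sda1") != 0 ||
	    strcmp(path, "/dev/sda1") != 0)
		return 1;
	/* "/dev/" plus a 23-character name needs 29 bytes: must be rejected. */
	if (build_dev_path(path, sizeof(path), "a_very_long_device_name") != -1)
		return 1;
	return path[0] == '\0' ? 0 : 1;
}
```
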
This patch is to fix some potential memory leak issues:
1, free mrp if the mmio_rb_lookup() function returns 0;
2, free memory allocated by strdup in some error case handling.
Tracked-On: #3333
Signed-off-by: Tianhua Sun <tianhuax.s.sun@intel.com>
Acked-by: Anthony Xu <anthony.xu@intel.com>
Map SIGINT(2) to watchdog reset.
NOTE:
We required the guest to do a full reset after detecting that the most
recent reset type is watchdog. This is used to resume the passthru devices
in UOS.
Tracked-On: #3103
Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
The old logic to process control transfer failure is not complete; this
patch is used to fix this issue.
Tracked-On: #2824
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
On some platforms, the VBus will drop after suspending is done, hence
a disconnect and re-connect for a device connected before suspending will
be triggered in DM. But during the stress test, when the free memory is
limited to a very low level and a huge workload is put on SOS, there is a
certain possibility that the DM will receive the re-connect event first and
the disconnect event later. This behavior will result in failing to emulate
the USB device to UOS.
The reason is a timing issue in libusb. Before we can upstream a
fixing patch to libusb or find some other better solution, this workaround
patch will be used to avoid errors happening.
Tracked-On: #2823
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
When the disable slot cmd is received by the device model, the operation
should be: release the pci_xhci_dev_emu variable first, and signal
xhci_vbdp_thread to wake up later. The old implementation is not
right; this patch is used to fix it.
Tracked-On: #2823
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
Dynamic memory stored in 'net', allocated through function 'calloc',
should be freed correspondingly when returning failure.
Tracked-On: #2704
Signed-off-by: Jie Deng <jie.deng@intel.com>
Reviewed-by: Yonghua Huang <yonghua.huang@intel.com>
Without a memory barrier, the change of the used ring index could not
be immediately detected by the FE, which would bring some problems.
For the virtio-blk FE driver, when it receives an interrupt and confirms the
used ring index has changed, it will first set the ring flags with
VRING_AVAIL_F_NO_INTERRUPT, then get a buffer from the virtqueue. After
processing this request, it will mask VRING_AVAIL_F_NO_INTERRUPT and get
the used ring index again before returning. If the used ring changes, it will
process it. At the same time, the BE will read these flags before each notify;
if VRING_AVAIL_F_NO_INTERRUPT was set, the BE will not inject an interrupt.
Without a memory barrier, before the FE masks VRING_AVAIL_F_NO_INTERRUPT, the BE
has finished the notify without an interrupt; then the FE masks
VRING_AVAIL_F_NO_INTERRUPT and gets the used ring index, but fails (the index
has changed from the BE side). The FE will return from the interrupt handler
function and wait for the next interrupt, which was not injected by the BE. Thus,
this will cause a kernel hang.
Tracked-On: #2628
Signed-off-by: Conghui Chen <conghui.chen@intel.com>
Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
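
The ordering that the commit message above depends on, as an added example using C11 atomics (not the ACRN patch and not a guest driver). The `ring` structure and the three functions are constructed; placing the BE barrier between the used-index update and the flags read is an assumption based on the description.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

#define VRING_AVAIL_F_NO_INTERRUPT 1

/* Constructed, simplified ring state; not ACRN's or the guest's structures. */
struct ring {
	_Atomic uint16_t avail_flags;	/* written by FE, read by BE */
	_Atomic uint16_t used_idx;	/* written by BE, read by FE */
};

/* BE: publish one completed request; returns true if an interrupt is due. */
static bool be_complete(struct ring *r)
{
	uint16_t idx = atomic_load_explicit(&r->used_idx, memory_order_relaxed);

	atomic_store_explicit(&r->used_idx, (uint16_t)(idx + 1),
			      memory_order_relaxed);
	/* Full barrier: the index store must be visible before flags is read. */
	atomic_thread_fence(memory_order_seq_cst);
	return !(atomic_load_explicit(&r->avail_flags, memory_order_relaxed) &
		 VRING_AVAIL_F_NO_INTERRUPT);
}

/* FE: suppress interrupts while the handler drains the used ring. */
static void fe_irq_enter(struct ring *r)
{
	atomic_store_explicit(&r->avail_flags, VRING_AVAIL_F_NO_INTERRUPT,
			      memory_order_relaxed);
}

/* FE: clear the flag, then re-check the index; true means more work arrived. */
static bool fe_irq_exit(struct ring *r, uint16_t last_seen)
{
	atomic_store_explicit(&r->avail_flags, 0, memory_order_relaxed);
	atomic_thread_fence(memory_order_seq_cst);	/* pairs with the BE fence */
	return atomic_load_explicit(&r->used_idx, memory_order_relaxed) != last_seen;
}

int main(void)
{
	struct ring r = {0};

	fe_irq_enter(&r);
	bool irq = be_complete(&r);	/* BE finishes while interrupts are off */
	bool more = fe_irq_exit(&r, 0);	/* FE must notice index 0 -> 1 */
	return (!irq && more) ? 0 : 1;
}
```

With a full fence on both sides, at least one party observes the other's store: either the BE sees the cleared flag and injects the interrupt, or the FE sees the new index on its re-check, so the request cannot be stranded.
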
During UOS S3 resume, the UOS will handle the USB disconnect flow and then
the re-enumeration flow, due to the vbus drop being emulated for the UOS S3
case. The re-enumeration flow will impact UOS S3 resume latency; this patch
delays the re-enumeration by 2s as the workaround for this issue. Need to
do performance optimization in future.
This 2s can be tuned, depending on how fast UOS S3 resume is; it should
be as short as possible to make the virtual USB device ready immediately
after the UOS screen turns on.
Tracked-On: #2576
Signed-off-by: Conghui Chen <conghui.chen@intel.com>
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
This patch unbinds the kernel driver usbfs with device before suspending
is completed and binds them again during resuming process, this could
avoid a busy loop in SOS due to VBUS drop. This patch could save ~200ms
for resuming process.
Tracked-On: #2576
Signed-off-by: Conghui Chen <conghui.chen@intel.com>
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
Add 'full' and 'non-full' de-initialize support for the xHCI virtual
device. The non-full de-initialization mainly releases the usb_dev
structure and unbinds the usbfs with the native device. The full
de-initialization will release all the resources allocated for the xHCI
virtual device, including the unbinding operation mentioned above.
Tracked-On: #2576
Signed-off-by: Conghui Chen <conghui.chen@intel.com>
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
The disable slot command is used for forcing a device slot to enter the
disconnect state; a typical usage would be to free a Device Slot when a
USB device is disconnected. But it should not impact the portsc value.
Tracked-On: #2576
Signed-off-by: Conghui Chen <conghui.chen@intel.com>
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
The function 'pci_xhci_portregs_write' always sets the CCS bit in the
Port Status and Control (PORTSC) register when a
pci_xhci_dev_emu instance exists. This is not right and this
patch is used to fix it.
Tracked-On: #2576
Signed-off-by: Conghui Chen <conghui.chen@intel.com>
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
The Port Status and Control (PORTSC) register is one of the most frequently
accessed registers according to the xHCI spec. This patch implements a pair
of set/get functions to access PORTSC; it gives a clear code structure
and helps a lot with debugging work.
Tracked-On: #2576
Signed-off-by: Conghui Chen <conghui.chen@intel.com>
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
When LINK type TRBs are received among multiple BULK TRBs, the copying
logic in DM will miss one or more TRBs. This patch is used to fix it.
Tracked-On: #2581
Signed-off-by: Conghui Chen <conghui.chen@intel.com>
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
The patch (commit id: b39524e) didn't achieve its purpose completely.
This patch is used to fix it.
Tracked-On: #2557
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
The patch is from Alek Du, for the IASL tool updated to support
ACPI 6.3 version.
Tracked-On: #2565
Signed-off-by: Alek Du <alek.du@intel.com>
Signed-off-by: Minggui Cao <minggui.cao@intel.com>
Resetting the USB DRD role is one workaround for the adb lost issue with xDCI
passthrough, which reproduced in the S3 stress test.
This workaround will involve the system global reset if xDCI is working in
SuperSpeed mode. This may be caused by the PMC firmware not being able to
gracefully power gate the xDCI during S3 suspend. The current USB DRD driver
will set the STATIC switch bits, which will cause an ungraceful DRD switch; it
may make the xDCI enter an unknown state, which then involves this global reset
issue.
BTW, based on the latest code base, the adb lost issue can't be reproduced even
with this workaround removed. So remove the old workaround for the above reasons.
Tracked-On: #2557
Signed-off-by: Yu Wang <yu1.wang@intel.com>
Reviewed-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yin Fengwei <fengwei.yin@intel.com>
Signed-off-by: Yu Wang <yu1.wang@intel.com>
For virtio-blk, when the backend is a regular file, the discard
and
is implemented by fallocate(), but this function will not wait for
the discard command handled by disk.
So, add fdatasync to make sure the DISCARD is executed
synchronously.
Tracked-On: #2547
Signed-off-by: Conghui Chen <conghui.chen@intel.com>
Acked-by: Wang Yu <yu1.wang@intel.com>
Supporting the DISCARD command is meaningful when eMMC usage is high or
there are lots of remove operations. For example, when Guest
Android is running, there will be lots of files being created and
removed. However, virtio-blk BE does not support the DISCARD command, so
data remove operations in UOS will not trigger erase in eMMC. After a
period of time, the eMMC will be fully consumed, and erase must be
done by the eMMC firmware before writing any new data. This causes the
eMMC performance to decrease in the whole system (SOS and UOS).
To solve the problem, DISCARD should be supported in virtio-blk BE.
Tracked-On: #2547
Signed-off-by: Conghui Chen <conghui.chen@intel.com>
Reviewed-by: Shuo A Liu <shuo.a.liu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
Per debugging requirement, map the watchdog reset to warm reset.
So the ramconsole could be used to capture the kernel log of UOS
before watchdog is hit.
Tracked-On: #2471
Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
The current xHCI mediator doesn't support the disable endpoint command well.
This patch is one workaround for the disable endpoint command, to keep the
xHCI mediator from continuing to handle already dropped data.
Tracked-On: #2325
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
This patch is one xDCI passthrough workaround. To support DRD in Guest,
the xDCI does VT-d pass through, and DRD is emulated in the xHCI mediator.
With the Guest S3 stress test, randomly the xDCI can't be enumerated by the USB
host even though the DRD is already switched to device mode. When this issue
reproduces, doing a DRD switch to host and then switching back can rescue this
issue.
Besides, the virtual drd registers need to be set to their reset values during
the Guest warm reset flow.
Tracked-On: #2326
Signed-off-by: Xiaoguang Wu <xiaoguang.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
During UOS reboot, sometimes the wifi firmware status is wrong and can't
be handled by the UOS driver; this patch adds a gpio reset for the wifi chip to
avoid such an error.
Tracked-On: #2328
Signed-off-by: Binbin Wu <binbin.wu@intel.com>
The issue will result in the loss of wakeup reason and signal
data, because the CBC header was not added when generating the
tx package.
Tracked-On: #2282
Signed-off-by: Yuan Liu <yuan1.liu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>