From 7bacaf5fea5729d400201106359f6803b15621af Mon Sep 17 00:00:00 2001 From: Yuri Benditovich Date: Wed, 8 Jan 2020 11:10:43 +0200 Subject: [PATCH 1/5] usb-host: remove 'remote wakeup' flag from configuration descriptor If the redirected device has this capability, Windows guest may place the device into D2 and expect it to wake when the device becomes active, but this will never happen. For example, when internal Bluetooth adapter is redirected, keyboards and mice connected to it do not work. Current commit removes this capability (starting from machine 5.0) Set 'usb-host.suppress-remote-wake' property to 'off' to keep 'remote wake' as is or to 'on' to remove 'remote wake' on 4.2 or earlier. Signed-off-by: Yuri Benditovich Message-id: 20200108091044.18055-2-yuri.benditovich@daynix.com Signed-off-by: Gerd Hoffmann --- hw/core/machine.c | 1 + hw/usb/host-libusb.c | 20 ++++++++++++++++++++ hw/usb/trace-events | 1 + 3 files changed, 22 insertions(+) diff --git a/hw/core/machine.c b/hw/core/machine.c index 4f30fb5646..c5d32f56db 100644 --- a/hw/core/machine.c +++ b/hw/core/machine.c @@ -32,6 +32,7 @@ GlobalProperty hw_compat_4_2[] = { { "virtio-blk-device", "seg-max-adjust", "off"}, { "virtio-scsi-device", "seg_max_adjust", "off"}, { "vhost-blk-device", "seg_max_adjust", "off"}, + { "usb-host", "suppress-remote-wake", "off" }, }; const size_t hw_compat_4_2_len = G_N_ELEMENTS(hw_compat_4_2); diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c index fcf48c0193..00e0e36369 100644 --- a/hw/usb/host-libusb.c +++ b/hw/usb/host-libusb.c @@ -88,6 +88,7 @@ struct USBHostDevice { bool needs_autoscan; bool allow_one_guest_reset; bool allow_all_guest_resets; + bool suppress_remote_wake; /* state */ QTAILQ_ENTRY(USBHostDevice) next; @@ -386,6 +387,8 @@ static void LIBUSB_CALL usb_host_req_complete_ctrl(struct libusb_transfer *xfer) r->p->status = status_map[xfer->status]; r->p->actual_length = xfer->actual_length; if (r->in && xfer->actual_length) { + USBDevice *udev = USB_DEVICE(s); + struct libusb_config_descriptor *conf = (void *)r->cbuf; memcpy(r->cbuf, r->buffer + 8, xfer->actual_length); /* Fix up USB-3 ep0 maxpacket size to allow superspeed connected devices @@ -394,6 +397,21 @@ static void LIBUSB_CALL usb_host_req_complete_ctrl(struct libusb_transfer *xfer) r->cbuf[7] == 9) { r->cbuf[7] = 64; } + /* + *If this is GET_DESCRIPTOR request for configuration descriptor, + * remove 'remote wakeup' flag from it to prevent idle power down + * in Windows guest + */ + if (s->suppress_remote_wake && + udev->setup_buf[0] == USB_DIR_IN && + udev->setup_buf[1] == USB_REQ_GET_DESCRIPTOR && + udev->setup_buf[3] == USB_DT_CONFIG && udev->setup_buf[2] == 0 && + xfer->actual_length > + offsetof(struct libusb_config_descriptor, bmAttributes) && + (conf->bmAttributes & USB_CFG_ATT_WAKEUP)) { + trace_usb_host_remote_wakeup_removed(s->bus_num, s->addr); + conf->bmAttributes &= ~USB_CFG_ATT_WAKEUP; + } } trace_usb_host_req_complete(s->bus_num, s->addr, r->p, r->p->status, r->p->actual_length); @@ -1596,6 +1614,8 @@ static Property usb_host_dev_properties[] = { LIBUSB_LOG_LEVEL_WARNING), DEFINE_PROP_BIT("pipeline", USBHostDevice, options, USB_HOST_OPT_PIPELINE, true), + DEFINE_PROP_BOOL("suppress-remote-wake", USBHostDevice, + suppress_remote_wake, true), DEFINE_PROP_END_OF_LIST(), }; diff --git a/hw/usb/trace-events b/hw/usb/trace-events index 2d3713351c..1c24d82c09 100644 --- a/hw/usb/trace-events +++ b/hw/usb/trace-events @@ -266,3 +266,4 @@ usb_host_parse_config(int bus, int addr, int value, int active) "dev %d:%d, valu usb_host_parse_interface(int bus, int addr, int num, int alt, int active) "dev %d:%d, num %d, alt %d, active %d" usb_host_parse_endpoint(int bus, int addr, int ep, const char *dir, const char *type, int active) "dev %d:%d, ep %d, %s, %s, active %d" usb_host_parse_error(int bus, int addr, const char *errmsg) "dev %d:%d, msg %s" +usb_host_remote_wakeup_removed(int bus, int addr) "dev %d:%d" From 32187f3d902afdfa9f4d861d9612739d3391fdc3 Mon Sep 17 00:00:00 2001 From: Yuri Benditovich Date: Wed, 8 Jan 2020 11:10:44 +0200 Subject: [PATCH 2/5] usb-redir: remove 'remote wakeup' flag from configuration descriptor If the redirected device has this capability, Windows guest may place the device into D2 and expect it to wake when the device becomes active, but this will never happen. For example, when internal Bluetooth adapter is redirected, keyboards and mice connected to it do not work. Current commit removes this capability (starting from machine 5.0) Set 'usb-redir.suppress-remote-wake' property to 'off' to keep 'remote wake' as is or to 'on' to remove 'remote wake' on 4.2 or earlier. Signed-off-by: Yuri Benditovich Message-id: 20200108091044.18055-3-yuri.benditovich@daynix.com Signed-off-by: Gerd Hoffmann --- hw/core/machine.c | 1 + hw/usb/redirect.c | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/hw/core/machine.c b/hw/core/machine.c index c5d32f56db..3e288bfceb 100644 --- a/hw/core/machine.c +++ b/hw/core/machine.c @@ -33,6 +33,7 @@ GlobalProperty hw_compat_4_2[] = { { "virtio-scsi-device", "seg_max_adjust", "off"}, { "vhost-blk-device", "seg_max_adjust", "off"}, { "usb-host", "suppress-remote-wake", "off" }, + { "usb-redir", "suppress-remote-wake", "off" }, }; const size_t hw_compat_4_2_len = G_N_ELEMENTS(hw_compat_4_2); diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index e0f5ca6f81..b5c1558687 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -113,6 +113,7 @@ struct USBRedirDevice { /* Properties */ CharBackend cs; bool enable_streams; + bool suppress_remote_wake; uint8_t debug; int32_t bootindex; char *filter_str; @@ -1989,6 +1990,23 @@ static void usbredir_control_packet(void *priv, uint64_t id, memcpy(dev->dev.data_buf, data, data_len); } p->actual_length = len; + /* + * If this is GET_DESCRIPTOR request for configuration descriptor, + * remove 'remote wakeup' flag from it to prevent idle power down + * in Windows guest + */ + if (dev->suppress_remote_wake && + control_packet->requesttype == USB_DIR_IN && + control_packet->request == USB_REQ_GET_DESCRIPTOR && + control_packet->value == (USB_DT_CONFIG << 8) && + control_packet->index == 0 && + /* bmAttributes field of config descriptor */ + len > 7 && (dev->dev.data_buf[7] & USB_CFG_ATT_WAKEUP)) { + DPRINTF("Removed remote wake %04X:%04X\n", + dev->device_info.vendor_id, + dev->device_info.product_id); + dev->dev.data_buf[7] &= ~USB_CFG_ATT_WAKEUP; + } usb_generic_async_ctrl_complete(&dev->dev, p); } free(data); @@ -2530,6 +2548,8 @@ static Property usbredir_properties[] = { DEFINE_PROP_UINT8("debug", USBRedirDevice, debug, usbredirparser_warning), DEFINE_PROP_STRING("filter", USBRedirDevice, filter_str), DEFINE_PROP_BOOL("streams", USBRedirDevice, enable_streams, true), + DEFINE_PROP_BOOL("suppress-remote-wake", USBRedirDevice, + suppress_remote_wake, true), DEFINE_PROP_END_OF_LIST(), }; From 394642a8d3742c885e397d5bb5ee0ec40743cdc6 Mon Sep 17 00:00:00 2001 From: "Dr. David Alan Gilbert" Date: Wed, 18 Dec 2019 11:30:12 +0000 Subject: [PATCH 3/5] usbredir: Prevent recursion in usbredir_write I've got a case where usbredir_write manages to call back into itself via spice; this patch causes the recursion to fail (0 bytes) the write; this seems to avoid the deadlock I was previously seeing. I can't say I fully understand the interaction of usbredir and spice; but there are a few similar guards in spice and usbredir to catch other cases especially onces also related to spice_server_char_device_wakeup This case seems to be triggered by repeated migration+repeated reconnection of the viewer; but my debugging suggests the migration finished before this hits. The backtrace of the hang looks like: reds_handle_ticket reds_handle_other_links reds_channel_do_link red_channel_connect spicevmc_connect usbredir_create_parser usbredirparser_do_write usbredir_write qemu_chr_fe_write qemu_chr_write qemu_chr_write_buffer spice_chr_write spice_server_char_device_wakeup red_char_device_wakeup red_char_device_write_to_device vmc_write usbredirparser_do_write usbredir_write qemu_chr_fe_write qemu_chr_write qemu_chr_write_buffer qemu_mutex_lock_impl and we fail as we lang through qemu_chr_write_buffer's lock twice. Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1752320 Signed-off-by: Dr. David Alan Gilbert Message-Id: <20191218113012.13331-1-dgilbert@redhat.com> Signed-off-by: Gerd Hoffmann --- hw/usb/redirect.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index b5c1558687..04614778fe 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -114,6 +114,7 @@ struct USBRedirDevice { CharBackend cs; bool enable_streams; bool suppress_remote_wake; + bool in_write; uint8_t debug; int32_t bootindex; char *filter_str; @@ -291,6 +292,13 @@ static int usbredir_write(void *priv, uint8_t *data, int count) return 0; } + /* Recursion check */ + if (dev->in_write) { + DPRINTF("usbredir_write recursion\n"); + return 0; + } + dev->in_write = true; + r = qemu_chr_fe_write(&dev->cs, data, count); if (r < count) { if (!dev->watch) { @@ -301,6 +309,7 @@ static int usbredir_write(void *priv, uint8_t *data, int count) r = 0; } } + dev->in_write = false; return r; } From 34b9d6a1f8dfa8da08e084a7193a1fa3f669164e Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 10 Jan 2020 18:58:55 +0800 Subject: [PATCH 4/5] xhci: Fix memory leak in xhci_kick_epctx when poweroff GuestOS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit start vm with libvirt, when GuestOS running, enter poweroff command using the xhci keyboard, then ASAN shows memory leak stack: Direct leak of 80 byte(s) in 5 object(s) allocated from: #0 0xfffd1e6431cb in __interceptor_malloc (/lib64/libasan.so.4+0xd31cb) #1 0xfffd1e107163 in g_malloc (/lib64/libglib-2.0.so.0+0x57163) #2 0xaaad39051367 in qemu_sglist_init /qemu/dma-helpers.c:43 #3 0xaaad3947c407 in pci_dma_sglist_init /qemu/include/hw/pci/pci.h:842 #4 0xaaad3947c407 in xhci_xfer_create_sgl /qemu/hw/usb/hcd-xhci.c:1446 #5 0xaaad3947c407 in xhci_setup_packet /qemu/hw/usb/hcd-xhci.c:1618 #6 0xaaad3948625f in xhci_submit /qemu/hw/usb/hcd-xhci.c:1827 #7 0xaaad3948625f in xhci_fire_transfer /qemu/hw/usb/hcd-xhci.c:1839 #8 0xaaad3948625f in xhci_kick_epctx /qemu/hw/usb/hcd-xhci.c:1991 #9 0xaaad3948f537 in xhci_doorbell_write /qemu/hw/usb/hcd-xhci.c:3158 #10 0xaaad38bcbfc7 in memory_region_write_accessor /qemu/memory.c:483 #11 0xaaad38bc654f in access_with_adjusted_size /qemu/memory.c:544 #12 0xaaad38bd1877 in memory_region_dispatch_write /qemu/memory.c:1482 #13 0xaaad38b1c77f in flatview_write_continue /qemu/exec.c:3167 #14 0xaaad38b1ca83 in flatview_write /qemu/exec.c:3207 #15 0xaaad38b268db in address_space_write /qemu/exec.c:3297 #16 0xaaad38bf909b in kvm_cpu_exec /qemu/accel/kvm/kvm-all.c:2383 #17 0xaaad38bb063f in qemu_kvm_cpu_thread_fn /qemu/cpus.c:1246 #18 0xaaad39821c93 in qemu_thread_start /qemu/util/qemu-thread-posix.c:519 #19 0xfffd1c8378bb (/lib64/libpthread.so.0+0x78bb) #20 0xfffd1c77616b (/lib64/libc.so.6+0xd616b) Reported-by: Euler Robot Signed-off-by: Chen Qun Message-id: 20200110105855.81144-1-kuhn.chenqun@huawei.com Signed-off-by: Gerd Hoffmann --- hw/usb/hcd-xhci.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 80988bb305..0d3d96d05a 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -2000,6 +2000,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid) if (xfer != NULL && xfer->running_retry) { DPRINTF("xhci: xfer nacked, stopping schedule\n"); epctx->retry = xfer; + xhci_xfer_unmap(xfer); break; } if (count++ > TRANSFER_LIMIT) { From 236846a019c4f7aa3111026fc9a1fe09684c8978 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 7 Jan 2020 09:36:06 +0100 Subject: [PATCH 5/5] xhci: recheck slot status MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Factor out slot status check into a helper function. Add an additional check after completing transfers. This is needed in case a guest queues multiple transfers in a row and a device unplug happens while qemu processes them. Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1786413 Signed-off-by: Gerd Hoffmann Reviewed-by: Philippe Mathieu-Daudé Message-id: 20200107083606.12393-1-kraxel@redhat.com --- hw/usb/hcd-xhci.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c index 0d3d96d05a..fb05de4b05 100644 --- a/hw/usb/hcd-xhci.c +++ b/hw/usb/hcd-xhci.c @@ -1861,6 +1861,13 @@ static void xhci_kick_ep(XHCIState *xhci, unsigned int slotid, xhci_kick_epctx(epctx, streamid); } +static bool xhci_slot_ok(XHCIState *xhci, int slotid) +{ + return (xhci->slots[slotid - 1].uport && + xhci->slots[slotid - 1].uport->dev && + xhci->slots[slotid - 1].uport->dev->attached); +} + static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid) { XHCIState *xhci = epctx->xhci; @@ -1878,9 +1885,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid) /* If the device has been detached, but the guest has not noticed this yet the 2 above checks will succeed, but we must NOT continue */ - if (!xhci->slots[epctx->slotid - 1].uport || - !xhci->slots[epctx->slotid - 1].uport->dev || - !xhci->slots[epctx->slotid - 1].uport->dev->attached) { + if (!xhci_slot_ok(xhci, epctx->slotid)) { return; } @@ -1987,6 +1992,10 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid) } else { xhci_fire_transfer(xhci, xfer, epctx); } + if (!xhci_slot_ok(xhci, epctx->slotid)) { + /* surprise removal -> stop processing */ + break; + } if (xfer->complete) { /* update ring dequeue ptr */ xhci_set_ep_state(xhci, epctx, stctx, epctx->state);