From 22b3f26e048d6bb46d01c1ced44151732f961b6d0c527d10c83ea0c912a91b8c Mon Sep 17 00:00:00 2001 
From: Bruce Rogers Date: Thu, 26 Mar 2020 22:01:41 +0000 Subject: [PATCH] Accepting request 788690 from home:bfrogers:branches:Virtualization - Include upstream patches targeted for the next stable release (bug fixes only) block-Avoid-memleak-on-qcow2-image-info-.patch block-bdrv_set_backing_bs-fix-use-after-.patch hmp-vnc-Fix-info-vnc-list-leak.patch migration-colo-fix-use-after-free-of-loc.patch migration-ram-fix-use-after-free-of-loca.patch ppc-ppc405_boards-Remove-unnecessary-NUL.patch qcow2-List-autoclear-bit-names-in-header.patch scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch sheepdog-Consistently-set-bdrv_has_zero_.patch OBS-URL: https://build.opensuse.org/request/show/788690 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=541 --- ...k-Avoid-memleak-on-qcow2-image-info-.patch | 33 +++ ...k-bdrv_set_backing_bs-fix-use-after-.patch | 114 ++++++++++ bundles.tar.xz | 4 +- hmp-vnc-Fix-info-vnc-list-leak.patch | 46 ++++ ...ation-colo-fix-use-after-free-of-loc.patch | 31 +++ ...ation-ram-fix-use-after-free-of-loca.patch | 31 +++ ...ppc405_boards-Remove-unnecessary-NUL.patch | 55 +++++ ...2-List-autoclear-bit-names-in-header.patch | 200 ++++++++++++++++++ qemu.changes | 15 ++ qemu.spec | 158 ++++++++------ ...-qemu-pr-helper-Fix-out-of-bounds-ac.patch | 93 ++++++++ ...pdog-Consistently-set-bdrv_has_zero_.patch | 46 ++++ 12 files changed, 754 insertions(+), 72 deletions(-) create mode 100644 block-Avoid-memleak-on-qcow2-image-info-.patch create mode 100644 block-bdrv_set_backing_bs-fix-use-after-.patch create mode 100644 hmp-vnc-Fix-info-vnc-list-leak.patch create mode 100644 migration-colo-fix-use-after-free-of-loc.patch create mode 100644 migration-ram-fix-use-after-free-of-loca.patch create mode 100644 ppc-ppc405_boards-Remove-unnecessary-NUL.patch create mode 100644 qcow2-List-autoclear-bit-names-in-header.patch create mode 100644 scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch create mode 100644 
sheepdog-Consistently-set-bdrv_has_zero_.patch
diff --git a/block-Avoid-memleak-on-qcow2-image-info-.patch b/block-Avoid-memleak-on-qcow2-image-info-.patch
new file mode 100644
index 0000000..4264609
--- /dev/null
+++ b/block-Avoid-memleak-on-qcow2-image-info-.patch
@@ -0,0 +1,33 @@
+From: Eric Blake
+Date: Fri, 20 Mar 2020 13:36:20 -0500
+Subject: block: Avoid memleak on qcow2 image info failure
+
+Git-commit: 71eaec2e8c7c8d266137b5c5f42da0bd6d6b5eb7
+
+If we fail to get bitmap info, we must not leak the encryption info.
+
+Fixes: b8968c875f403
+Fixes: Coverity CID 1421894
+Signed-off-by: Eric Blake
+Message-Id: <20200320183620.1112123-1-eblake@redhat.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy
+Reviewed-by: Andrey Shinkevich
+Tested-by: Andrey Shinkevich
+Signed-off-by: Max Reitz
+Signed-off-by: Bruce Rogers
+---
+ block/qcow2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/qcow2.c b/block/qcow2.c
+index 7c18721741eacfb7f6c2c1f0efe6..13e118e16f02f371c0f23c7aaa8d 100644
+--- a/block/qcow2.c
++++ b/block/qcow2.c
+@@ -4800,6 +4800,7 @@ static ImageInfoSpecific *qcow2_get_specific_info(BlockDriverState *bs,
+ if (local_err) {
+ error_propagate(errp, local_err);
+ qapi_free_ImageInfoSpecific(spec_info);
++ qapi_free_QCryptoBlockInfo(encrypt_info);
+ return NULL;
+ }
+ *spec_info->u.qcow2.data = (ImageInfoSpecificQCow2){
diff --git a/block-bdrv_set_backing_bs-fix-use-after-.patch b/block-bdrv_set_backing_bs-fix-use-after-.patch
new file mode 100644
index 0000000..b53637f
--- /dev/null
+++ b/block-bdrv_set_backing_bs-fix-use-after-.patch
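Review bot: The added `qapi_free_QCryptoBlockInfo(encrypt_info);` is only safe because ownership of `encrypt_info` has not yet moved into `spec_info` at that point — presumably the `*spec_info->u.qcow2.data = (ImageInfoSpecificQCow2){` assignment right after the early return is where that happens, and once it has, freeing both would be a double free. A one-line comment pinning that ordering would keep a later reorder from breaking it: `/* encrypt_info is not yet owned by spec_info: free it separately here. */`. qcow2_get_specific_info starts and ends outside the hunk, so whether any earlier failure path in the same function leaks the same pointer is not visible here.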
@@ -0,0 +1,114 @@ +From: Vladimir Sementsov-Ogievskiy +Date: Mon, 16 Mar 2020 09:06:30 +0300 +Subject: block: bdrv_set_backing_bs: fix use-after-free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 6e57963a77df1e275a73dab4c6a7ec9a9d3468d4 + +There is a use-after-free possible: bdrv_unref_child() leaves +bs->backing freed but not NULL. bdrv_attach_child may produce nested +polling loop due to drain, than access of freed pointer is possible. + +I've produced the following crash on 30 iotest with modified code. It +does not reproduce on master, but still seems possible: + + #0 __strcmp_avx2 () at /lib64/libc.so.6 + #1 bdrv_backing_overridden (bs=0x55c9d3cc2060) at block.c:6350 + #2 bdrv_refresh_filename (bs=0x55c9d3cc2060) at block.c:6404 + #3 bdrv_backing_attach (c=0x55c9d48e5520) at block.c:1063 + #4 bdrv_replace_child_noperm + (child=child@entry=0x55c9d48e5520, + new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2290 + #5 bdrv_replace_child + (child=child@entry=0x55c9d48e5520, + new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2320 + #6 bdrv_root_attach_child + (child_bs=child_bs@entry=0x55c9d3cc2060, + child_name=child_name@entry=0x55c9d241d478 "backing", + child_role=child_role@entry=0x55c9d26ecee0 , + ctx=, perm=, shared_perm=21, + opaque=0x55c9d3c5a3d0, errp=0x7ffd117108e0) at block.c:2424 + #7 bdrv_attach_child + (parent_bs=parent_bs@entry=0x55c9d3c5a3d0, + child_bs=child_bs@entry=0x55c9d3cc2060, + child_name=child_name@entry=0x55c9d241d478 "backing", + child_role=child_role@entry=0x55c9d26ecee0 , + errp=errp@entry=0x7ffd117108e0) at block.c:5876 + #8 in bdrv_set_backing_hd + (bs=bs@entry=0x55c9d3c5a3d0, + backing_hd=backing_hd@entry=0x55c9d3cc2060, + errp=errp@entry=0x7ffd117108e0) + at block.c:2576 + #9 stream_prepare (job=0x55c9d49d84a0) at block/stream.c:150 + #10 job_prepare (job=0x55c9d49d84a0) at job.c:761 + #11 job_txn_apply (txn=, fn=) at + job.c:145 + #12 job_do_finalize (job=0x55c9d49d84a0) at 
job.c:778 + #13 job_completed_txn_success (job=0x55c9d49d84a0) at job.c:832 + #14 job_completed (job=0x55c9d49d84a0) at job.c:845 + #15 job_completed (job=0x55c9d49d84a0) at job.c:836 + #16 job_exit (opaque=0x55c9d49d84a0) at job.c:864 + #17 aio_bh_call (bh=0x55c9d471a160) at util/async.c:117 + #18 aio_bh_poll (ctx=ctx@entry=0x55c9d3c46720) at util/async.c:117 + #19 aio_poll (ctx=ctx@entry=0x55c9d3c46720, + blocking=blocking@entry=true) + at util/aio-posix.c:728 + #20 bdrv_parent_drained_begin_single (poll=true, c=0x55c9d3d558f0) + at block/io.c:121 + #21 bdrv_parent_drained_begin_single (c=c@entry=0x55c9d3d558f0, + poll=poll@entry=true) + at block/io.c:114 + #22 bdrv_replace_child_noperm + (child=child@entry=0x55c9d3d558f0, + new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2258 + #23 bdrv_replace_child + (child=child@entry=0x55c9d3d558f0, + new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2320 + #24 bdrv_root_attach_child + (child_bs=child_bs@entry=0x55c9d3d27300, + child_name=child_name@entry=0x55c9d241d478 "backing", + child_role=child_role@entry=0x55c9d26ecee0 , + ctx=, perm=, shared_perm=21, + opaque=0x55c9d3cc2060, errp=0x7ffd11710c60) at block.c:2424 + #25 bdrv_attach_child + (parent_bs=parent_bs@entry=0x55c9d3cc2060, + child_bs=child_bs@entry=0x55c9d3d27300, + child_name=child_name@entry=0x55c9d241d478 "backing", + child_role=child_role@entry=0x55c9d26ecee0 , + errp=errp@entry=0x7ffd11710c60) at block.c:5876 + #26 bdrv_set_backing_hd + (bs=bs@entry=0x55c9d3cc2060, + backing_hd=backing_hd@entry=0x55c9d3d27300, + errp=errp@entry=0x7ffd11710c60) + at block.c:2576 + #27 stream_prepare (job=0x55c9d495ead0) at block/stream.c:150 + ... 
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy
+Message-Id: <20200316060631.30052-2-vsementsov@virtuozzo.com>
+Reviewed-by: Philippe Mathieu-Daudé
+Reviewed-by: John Snow
+Signed-off-by: Max Reitz
+Signed-off-by: Bruce Rogers
+---
+ block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block.c b/block.c
+index 8539f99ac47cdbf0e9b823751074..3d0134f00b55e0400efc70058d00 100644
+--- a/block.c
++++ b/block.c
+@@ -2577,10 +2577,10 @@ void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd,
+
+ if (bs->backing) {
+ bdrv_unref_child(bs, bs->backing);
++ bs->backing = NULL;
+ }
+
+ if (!backing_hd) {
+- bs->backing = NULL;
+ goto out;
+ }
+
diff --git a/bundles.tar.xz b/bundles.tar.xz
index 27dfa69..d89ea92 100644
--- a/bundles.tar.xz
+++ b/bundles.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:d7bed3704998a1c71915ce16de258559a687e4ec8d8c2deb4c934899cc3708a5
-size 121832
+oid sha256:01029bd0e2cbba3484407c43afb4238a48cc7c66473832fa566be57c0439681e
+size 129648
diff --git a/hmp-vnc-Fix-info-vnc-list-leak.patch b/hmp-vnc-Fix-info-vnc-list-leak.patch
new file mode 100644
index 0000000..2921f74
--- /dev/null
+++ b/hmp-vnc-Fix-info-vnc-list-leak.patch
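Review bot: Clearing `bs->backing` directly after `bdrv_unref_child(bs, bs->backing)` closes this use-after-free, but the invariant it restores (a freed child must not stay reachable through its parent across anything that can poll) now lives only in this caller's statement order, and the removed `bs->backing = NULL;` in the `!backing_hd` branch shows how easily that order drifts. A comment on the new line would make the reason survive the next refactor: `/* bdrv_unref_child() frees the child but leaves bs->backing dangling; clear it before the bdrv_attach_child() below can poll and re-enter. */`. It is worth checking, hedged since it is outside this hunk, whether other bdrv_unref_child() callers in block.c keep their own dangling pointer the same way, because the trace in the commit message is a generic drain/poll re-entry, not something specific to this site. bdrv_set_backing_hd starts and ends outside the hunk.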
@@ -0,0 +1,46 @@
+From: "Dr. David Alan Gilbert"
+Date: Mon, 23 Mar 2020 12:08:22 +0000
+Subject: hmp/vnc: Fix info vnc list leak
+
+Git-commit: d4ff109373ce871928c7e9ef648973eba642b484
+
+We're iterating the list, and then freeing the iteration pointer rather
+than the list head.
+
+Fixes: 0a9667ecdb6d ("hmp: Update info vnc")
+Reported-by: Coverity (CID 1421932)
+Signed-off-by: Dr. David Alan Gilbert
+Message-Id: <20200323120822.51266-1-dgilbert@redhat.com>
+Reviewed-by: Peter Maydell
+Signed-off-by: Dr. David Alan Gilbert
+Signed-off-by: Bruce Rogers
+---
+ monitor/hmp-cmds.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
+index b2551c16d129291068ce64b5f1fd..2fdc84ec995449b5139a89575e18 100644
+--- a/monitor/hmp-cmds.c
++++ b/monitor/hmp-cmds.c
+@@ -729,10 +729,11 @@ static void hmp_info_vnc_servers(Monitor *mon, VncServerInfo2List *server)
+
+ void hmp_info_vnc(Monitor *mon, const QDict *qdict)
+ {
+- VncInfo2List *info2l;
++ VncInfo2List *info2l, *info2l_head;
+ Error *err = NULL;
+
+ info2l = qmp_query_vnc_servers(&err);
++ info2l_head = info2l;
+ if (err) {
+ hmp_handle_error(mon, &err);
+ return;
+@@ -761,7 +762,7 @@ void hmp_info_vnc(Monitor *mon, const QDict *qdict)
+ info2l = info2l->next;
+ }
+
+- qapi_free_VncInfo2List(info2l);
++ qapi_free_VncInfo2List(info2l_head);
+
+ }
+ #endif
diff --git a/migration-colo-fix-use-after-free-of-loc.patch b/migration-colo-fix-use-after-free-of-loc.patch
new file mode 100644
index 0000000..1eb189a
--- /dev/null
+++ b/migration-colo-fix-use-after-free-of-loc.patch
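Review bot: Keeping a second alias `info2l_head` and freeing that while `info2l` is advanced fixes the leak, but it preserves the pattern that caused it: the variable that owns the list is also the iteration cursor, and the next edit to the walk can confuse them again. Walking with a dedicated cursor and freeing the original pointer keeps ownership obvious and drops the extra declaration: change the loop between the two inner hunks to `for (VncInfo2List *cur = info2l; cur; cur = cur->next) { ... }` and leave the free as `qapi_free_VncInfo2List(info2l);`. The early `return` on `err` presumably gets a NULL list from qmp_query_vnc_servers() so nothing leaks on that path, but that contract is not visible here. The body of hmp_info_vnc between the two inner hunks is not shown.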
@@ -0,0 +1,31 @@
+From: Vladimir Sementsov-Ogievskiy
+Date: Tue, 24 Mar 2020 18:36:28 +0300
+Subject: migration/colo: fix use after free of local_err
+
+Git-commit: 27d07fcfa70c3afa0664288cbce5334ed9595a3a
+
+local_err is used again in secondary_vm_do_failover() after
+replication_stop_all(), so we must zero it. Otherwise try to set
+non-NULL local_err will crash.
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy
+Message-Id: <20200324153630.11882-5-vsementsov@virtuozzo.com>
+Reviewed-by: Dr. David Alan Gilbert
+Signed-off-by: Dr. David Alan Gilbert
+Signed-off-by: Bruce Rogers
+---
+ migration/colo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/migration/colo.c b/migration/colo.c
+index 2c88aa57a29307963a15fc017b1d..6d46800aa6a2617521a36cc0dc33 100644
+--- a/migration/colo.c
++++ b/migration/colo.c
+@@ -92,6 +92,7 @@ static void secondary_vm_do_failover(void)
+ replication_stop_all(true, &local_err);
+ if (local_err) {
+ error_report_err(local_err);
++ local_err = NULL;
+ }
+
+ /* Notify all filters of all NIC to do checkpoint */
diff --git a/migration-ram-fix-use-after-free-of-loca.patch b/migration-ram-fix-use-after-free-of-loca.patch
new file mode 100644
index 0000000..604cc3e
--- /dev/null
+++ b/migration-ram-fix-use-after-free-of-loca.patch
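Review bot: The added `local_err = NULL;` is correct because error_report_err() consumes and frees the Error, and QEMU's error_setv() asserts that `*errp` is NULL, so the stale pointer was both a use-after-free and a guaranteed abort at the next `&local_err` use later in secondary_vm_do_failover(). That reason is not local to the hunk (the next use is outside it), so it deserves a comment on the line: `/* error_report_err() freed it; reset so later &local_err uses start from NULL */`. The same fix and the same comment apply to the migration/ram.c hunk in migration-ram-fix-use-after-free-of-loca.patch. A tidier shape in both places is a fresh `Error *err = NULL;` scoped to each call so a consumed pointer cannot be reused at all, but that is a larger change than a stable backport should carry.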
@@ -0,0 +1,31 @@
+From: Vladimir Sementsov-Ogievskiy
+Date: Tue, 24 Mar 2020 18:36:29 +0300
+Subject: migration/ram: fix use after free of local_err
+
+Git-commit: b4a1733c5e6827c72b0dcfa295e07ef7b1ebccff
+
+local_err is used again in migration_bitmap_sync_precopy() after
+precopy_notify(), so we must zero it. Otherwise try to set
+non-NULL local_err will crash.
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy
+Message-Id: <20200324153630.11882-6-vsementsov@virtuozzo.com>
+Reviewed-by: Dr. David Alan Gilbert
+Signed-off-by: Dr. David Alan Gilbert
+Signed-off-by: Bruce Rogers
+---
+ migration/ram.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/migration/ram.c b/migration/ram.c
+index b6de7d1d5552a0aa39b0d232c2d6..c44542175da044c78ef8dc0ce612 100644
+--- a/migration/ram.c
++++ b/migration/ram.c
+@@ -1906,6 +1906,7 @@ static void migration_bitmap_sync_precopy(RAMState *rs)
+ */
+ if (precopy_notify(PRECOPY_NOTIFY_BEFORE_BITMAP_SYNC, &local_err)) {
+ error_report_err(local_err);
++ local_err = NULL;
+ }
+
+ migration_bitmap_sync(rs);
diff --git a/ppc-ppc405_boards-Remove-unnecessary-NUL.patch b/ppc-ppc405_boards-Remove-unnecessary-NUL.patch
new file mode 100644
index 0000000..0a9f319
--- /dev/null
+++ b/ppc-ppc405_boards-Remove-unnecessary-NUL.patch
@@ -0,0 +1,55 @@
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Fri, 20 Mar 2020 16:57:40 +0100
+Subject: ppc/ppc405_boards: Remove unnecessary NULL check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 1583794b9b36911df116cc726750dadbeeac506a
+
+This code is inside the "if (dinfo)" condition, so testing
+again here whether it is NULL is unnecessary.
+
+Fixes: dd59bcae7 (Don't size flash memory to match backing image)
+Reported-by: Coverity (CID 1421917)
+Suggested-by: Peter Maydell
+Signed-off-by: Philippe Mathieu-Daudé
+Message-Id: <20200320155740.5342-1-philmd@redhat.com>
+Reviewed-by: Markus Armbruster
+Signed-off-by: David Gibson
+Signed-off-by: Bruce Rogers
+---
+ hw/ppc/ppc405_boards.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/ppc/ppc405_boards.c b/hw/ppc/ppc405_boards.c
+index 1f721feed6a4bfc128187aefb5d9..556f3a80ec1ddbc018e00941c5c5 100644
+--- a/hw/ppc/ppc405_boards.c
++++ b/hw/ppc/ppc405_boards.c
+@@ -184,7 +184,7 @@ static void ref405ep_init(MachineState *machine)
+ bios_size = 8 * MiB;
+ pflash_cfi02_register((uint32_t)(-bios_size),
+ "ef405ep.bios", bios_size,
+- dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
++ blk_by_legacy_dinfo(dinfo),
+ 64 * KiB, 1,
+ 2, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA,
+ 1);
+@@ -450,7 +450,7 @@ static void taihu_405ep_init(MachineState *machine)
+ bios_size = 2 * MiB;
+ pflash_cfi02_register(0xFFE00000,
+ "taihu_405ep.bios", bios_size,
+- dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
++ blk_by_legacy_dinfo(dinfo),
+ 64 * KiB, 1,
+ 4, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA,
+ 1);
+@@ -486,7 +486,7 @@ static void taihu_405ep_init(MachineState *machine)
+ if (dinfo) {
+ bios_size = 32 * MiB;
+ pflash_cfi02_register(0xfc000000, "taihu_405ep.flash", bios_size,
+- dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
++ blk_by_legacy_dinfo(dinfo),
+ 64 * KiB, 1,
+ 4, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA,
+ 1);
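Review bot: For the first two inner hunks (ref405ep_init at line 184 and taihu_405ep_init at line 450) the enclosing `if (dinfo)` that makes the dropped NULL test redundant lies outside the shown context; only the third hunk (line 486) has it in view. Whether blk_by_legacy_dinfo() tolerates a NULL argument is not visible here either, so the simplification stays correct only while these calls remain under that guard. A short comment above each call, `/* dinfo is non-NULL here: guarded by the enclosing if (dinfo) */`, would make that dependency explicit for whoever hoists or restructures the flash setup next. Both functions start and end outside the hunks.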
diff --git a/qcow2-List-autoclear-bit-names-in-header.patch b/qcow2-List-autoclear-bit-names-in-header.patch
new file mode 100644
index 0000000..0f2e394
--- /dev/null
+++ b/qcow2-List-autoclear-bit-names-in-header.patch
@@ -0,0 +1,200 @@
+From: Eric Blake
+Date: Tue, 24 Mar 2020 12:42:31 -0500
+Subject: qcow2: List autoclear bit names in header
+
+Git-commit bb40ebce2cb0bd4bf37968074d43d5a864fb6dee
+
+The feature table is supposed to advertise the name of all feature
+bits that we support; however, we forgot to update the table for
+autoclear bits. While at it, move the table to read-only memory in
+code, and tweak the qcow2 spec to name the second autoclear bit.
+Update iotests that are affected by the longer header length.
+
+Fixes: 88ddffae
+Fixes: 93c24936
+Signed-off-by: Eric Blake
+Reviewed-by: Vladimir Sementsov-Ogievskiy
+Message-Id: <20200324174233.1622067-3-eblake@redhat.com>
+Signed-off-by: Max Reitz
+Signed-off-by: Bruce Rogers
+---
+ block/qcow2.c | 12 +++++++++++-
+ docs/interop/qcow2.txt | 3 ++-
+ tests/qemu-iotests/031.out | 8 ++++----
+ tests/qemu-iotests/036.out | 4 ++--
+ tests/qemu-iotests/061.out | 14 +++++++-------
+ 5 files changed, 26 insertions(+), 15 deletions(-)
+
+diff --git a/block/qcow2.c b/block/qcow2.c
+index 13e118e16f02f371c0f23c7aaa8d..77edd98be6fbaf0949dcb7755e48 100644
+--- a/block/qcow2.c
++++ b/block/qcow2.c
+@@ -2822,7 +2822,7 @@ int qcow2_update_header(BlockDriverState *bs)
+
+ /* Feature table */
+ if (s->qcow_version >= 3) {
+- Qcow2Feature features[] = {
++ static const Qcow2Feature features[] = {
+ {
+ .type = QCOW2_FEAT_TYPE_INCOMPATIBLE,
+ .bit = QCOW2_INCOMPAT_DIRTY_BITNR,
+@@ -2843,6 +2843,16 @@ int qcow2_update_header(BlockDriverState *bs)
+ .bit = QCOW2_COMPAT_LAZY_REFCOUNTS_BITNR,
+ .name = "lazy refcounts",
+ },
++ {
++ .type = QCOW2_FEAT_TYPE_AUTOCLEAR,
++ .bit = QCOW2_AUTOCLEAR_BITMAPS_BITNR,
++ .name = "bitmaps",
++ },
++ {
++ .type = QCOW2_FEAT_TYPE_AUTOCLEAR,
++ .bit = QCOW2_AUTOCLEAR_DATA_FILE_RAW_BITNR,
++ .name = "raw external data",
++ },
+ };
+
+ ret = header_ext_add(buf, QCOW2_EXT_MAGIC_FEATURE_TABLE,
+diff --git a/docs/interop/qcow2.txt b/docs/interop/qcow2.txt
+index af5711e5337191d2c01932b0b3d0..8510d74c807927b86cf76a0f6cb8 100644
+--- a/docs/interop/qcow2.txt
++++ b/docs/interop/qcow2.txt
+@@ -138,7 +138,8 @@ in the description of a field.
+ bit is unset, the bitmaps extension data must be
+ considered inconsistent.
+
+- Bit 1: If this bit is set, the external data file can
++ Bit 1: Raw external data bit
++ If this bit is set, the external data file can
+ be read as a consistent standalone raw image
+ without looking at the qcow2 metadata.
+
+diff --git a/tests/qemu-iotests/031.out b/tests/qemu-iotests/031.out
+index 68a74d03b9971ea8946e8fce41d6..f1941300d817ef1026046891c4df 100644
+--- a/tests/qemu-iotests/031.out
++++ b/tests/qemu-iotests/031.out
+@@ -117,7 +117,7 @@ header_length 104
+
+ Header extension:
+ magic 0x6803f857
+-length 192
++length 288
+ data
+
+ Header extension:
+@@ -150,7 +150,7 @@ header_length 104
+
+ Header extension:
+ magic 0x6803f857
+-length 192
++length 288
+ data
+
+ Header extension:
+@@ -164,7 +164,7 @@ No errors were found on the image.
+
+ magic 0x514649fb
+ version 3
+-backing_file_offset 0x178
++backing_file_offset 0x1d8
+ backing_file_size 0x17
+ cluster_bits 16
+ size 67108864
+@@ -188,7 +188,7 @@ data 'host_device'
+
+ Header extension:
+ magic 0x6803f857
+-length 192
++length 288
+ data
+
+ Header extension:
+diff --git a/tests/qemu-iotests/036.out b/tests/qemu-iotests/036.out
+index e489b443866c515b42be344a9b85..3c19fa1edee7aeee1589a1c68366 100644
+--- a/tests/qemu-iotests/036.out
++++ b/tests/qemu-iotests/036.out
+@@ -58,7 +58,7 @@ header_length 104
+
+ Header extension:
+ magic 0x6803f857
+-length 192
++length 288
+ data
+
+
+@@ -86,7 +86,7 @@ header_length 104
+
+ Header extension:
+ magic 0x6803f857
+-length 192
++length 288
+ data
+
+ *** done
+diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out
+index d6a7c2af95f2dcff314f425fd6a3..f98c098b5431072d4e54de1475cc 100644
+--- a/tests/qemu-iotests/061.out
++++ b/tests/qemu-iotests/061.out
+@@ -26,7 +26,7 @@ header_length 104
+
+ Header extension:
+ magic 0x6803f857
+-length 192
++length 288
+ data
+
+ magic 0x514649fb
+@@ -84,7 +84,7 @@ header_length 104
+
+ Header extension:
+ magic 0x6803f857
+-length 192
++length 288
+ data
+
+ magic 0x514649fb
+@@ -140,7 +140,7 @@ header_length 104
+
+ Header extension:
+ magic 0x6803f857
+-length 192
++length 288
+ data
+
+ ERROR cluster 5 refcount=0 reference=1
+@@ -195,7 +195,7 @@ header_length 104
+
+ Header extension:
+ magic 0x6803f857
+-length 192
++length 288
+ data
+
+ magic 0x514649fb
+@@ -264,7 +264,7 @@ header_length 104
+
+ Header extension:
+ magic 0x6803f857
+-length 192
++length 288
+ data
+
+ read 65536/65536 bytes at offset 44040192
+@@ -298,7 +298,7 @@ header_length 104
+
+ Header extension:
+ magic 0x6803f857
+-length 192
++length 288
+ data
+
+ ERROR cluster 5 refcount=0 reference=1
+@@ -327,7 +327,7 @@ header_length 104
+
+ Header extension:
+ magic 0x6803f857
+-length 192
++length 288
+ data
+
+ read 131072/131072 bytes at offset 0
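Review bot: The two new autoclear entries make the table match the bits named in docs/interop/qcow2.txt, but nothing in the code ties `features[]` to the set of `QCOW2_*_BITNR` definitions, so the next new bit can be missed exactly as these two were (the commit message's `Fixes: 88ddffae` and `Fixes: 93c24936` are two separate instances of the same omission). A comment on the `static const Qcow2Feature features[] = {` line would at least put the reminder where the next entry is added: `/* Must list every incompatible, compatible and autoclear bit this driver knows. Each entry grows the feature-table header extension, so the iotests .out files change with it (192 -> 288 here). */`. Making the array `static const` is the right move: every field is a compile-time constant, so the table lives in read-only data instead of being re-initialised on each header update. qcow2_update_header continues outside the hunk, including the header_ext_add() call that consumes the table.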
diff --git a/qemu.changes b/qemu.changes
index 69ef495..48d7b5f 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Thu Mar 26 18:28:03 UTC 2020 - Bruce Rogers
+
+- Include upstream patches targeted for the next stable release
+ (bug fixes only)
+ block-Avoid-memleak-on-qcow2-image-info-.patch
+ block-bdrv_set_backing_bs-fix-use-after-.patch
+ hmp-vnc-Fix-info-vnc-list-leak.patch
+ migration-colo-fix-use-after-free-of-loc.patch
+ migration-ram-fix-use-after-free-of-loca.patch
+ ppc-ppc405_boards-Remove-unnecessary-NUL.patch
+ qcow2-List-autoclear-bit-names-in-header.patch
+ scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch
+ sheepdog-Consistently-set-bdrv_has_zero_.patch
+
 -------------------------------------------------------------------
 Tue Mar 24 13:22:36 UTC 2020 - Bruce Rogers
 
diff --git a/qemu.spec b/qemu.spec
index 6e0f0eb..5ebe2b2 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -203,76 +203,85 @@ Patch00072: block-qcow2-threads-fix-qcow2_decompress.patch
 Patch00073: job-refactor-progress-to-separate-object.patch
 Patch00074: block-block-copy-fix-progress-calculatio.patch
 Patch00075: block-io-fix-bdrv_co_do_copy_on_readv.patch
-Patch00076: target-ppc-Fix-rlwinm-on-ppc64.patch
-Patch00077: compat-disable-edid-on-correct-virtio-gp.patch
-Patch00078: XXX-dont-dump-core-on-sigabort.patch
-Patch00079: qemu-binfmt-conf-Modify-default-path.patch
-Patch00080: qemu-cvs-gettimeofday.patch
-Patch00081: qemu-cvs-ioctl_debug.patch
-Patch00082: qemu-cvs-ioctl_nodirection.patch
-Patch00083: linux-user-add-binfmt-wrapper-for-argv-0.patch
-Patch00084: PPC-KVM-Disable-mmu-notifier-check.patch
-Patch00085: linux-user-binfmt-support-host-binaries.patch
-Patch00086: linux-user-Fake-proc-cpuinfo.patch
-Patch00087: linux-user-use-target_ulong.patch
-Patch00088: Make-char-muxer-more-robust-wrt-small-FI.patch
-Patch00089: linux-user-lseek-explicitly-cast-non-set.patch
-Patch00090: AIO-Reduce-number-of-threads-for-32bit-h.patch
-Patch00091: xen_disk-Add-suse-specific-flush-disable.patch
-Patch00092: qemu-bridge-helper-reduce-security-profi.patch
-Patch00093: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
-Patch00094: linux-user-properly-test-for-infinite-ti.patch
-Patch00095: roms-Makefile-pass-a-packaging-timestamp.patch
-Patch00096: Raise-soft-address-space-limit-to-hard-l.patch
-Patch00097: increase-x86_64-physical-bits-to-42.patch
-Patch00098: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
-Patch00099: i8254-Fix-migration-from-SLE11-SP2.patch
-Patch00100: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
-Patch00101: Switch-order-of-libraries-for-mpath-supp.patch
-Patch00102: Make-installed-scripts-explicitly-python.patch
-Patch00103: hw-smbios-handle-both-file-formats-regar.patch
-Patch00104: xen-add-block-resize-support-for-xen-dis.patch
-Patch00105: tests-qemu-iotests-Triple-timeout-of-i-o.patch
-Patch00106: tests-Fix-block-tests-to-be-compatible-w.patch
-Patch00107: xen-ignore-live-parameter-from-xen-save-.patch
-Patch00108: Conditionalize-ui-bitmap-installation-be.patch
-Patch00109: tests-change-error-message-in-test-162.patch
-Patch00110: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
-Patch00111: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
-Patch00112: hw-intc-exynos4210_gic-provide-more-room.patch
-Patch00113: configure-only-populate-roms-if-softmmu.patch
-Patch00114: pc-bios-s390-ccw-net-avoid-warning-about.patch
-Patch00115: roms-change-cross-compiler-naming-to-be-.patch
-Patch00116: tests-Disable-some-block-tests-for-now.patch
-Patch00117: test-add-mapping-from-arch-of-i686-to-qe.patch
-Patch00118: roms-Makefile-enable-cross-compile-for-b.patch
-Patch00119: hw-i386-disable-smbus-migration-for-xenf.patch
-Patch00120: s390x-Don-t-do-a-normal-reset-on-the-ini.patch
-Patch00121: s390x-Move-reset-normal-to-shared-reset-.patch
-Patch00122: s390x-Move-initial-reset.patch
-Patch00123: s390x-Move-clear-reset.patch
-Patch00124: s390x-kvm-Make-kvm_sclp_service_call-voi.patch
-Patch00125: s390x-ipl-Consolidate-iplb-validity-chec.patch
-Patch00126: s390x-Beautify-diag308-handling.patch
-Patch00127: s390x-Add-missing-vcpu-reset-functions.patch
-Patch00128: pc-bios-s390x-Save-iplb-location-in-lowc.patch
-Patch00129: s390-sclp-improve-special-wait-psw-logic.patch
-Patch00130: s390x-Move-diagnose-308-subcodes-and-rcs.patch
-Patch00131: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
-Patch00132: Sync-pv.patch
-Patch00133: s390x-protvirt-Support-unpack-facility.patch
-Patch00134: s390x-protvirt-Add-migration-blocker.patch
-Patch00135: s390x-protvirt-Inhibit-balloon-when-swit.patch
-Patch00136: s390x-protvirt-KVM-intercept-changes.patch
-Patch00137: s390x-Add-SIDA-memory-ops.patch
-Patch00138: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
-Patch00139: s390x-protvirt-SCLP-interpretation.patch
-Patch00140: s390x-protvirt-Set-guest-IPL-PSW.patch
-Patch00141: s390x-protvirt-Move-diag-308-data-over-S.patch
-Patch00142: s390x-protvirt-Disable-address-checks-fo.patch
-Patch00143: s390x-protvirt-Move-IO-control-structure.patch
-Patch00144: s390x-protvirt-Handle-SIGP-store-status-.patch
-Patch00145: s390x-Add-unpack-facility-feature-to-GA1.patch
+Patch00076: scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch
+Patch00077: target-ppc-Fix-rlwinm-on-ppc64.patch
+Patch00078: compat-disable-edid-on-correct-virtio-gp.patch
+Patch00079: ppc-ppc405_boards-Remove-unnecessary-NUL.patch
+Patch00080: block-Avoid-memleak-on-qcow2-image-info-.patch
+Patch00081: block-bdrv_set_backing_bs-fix-use-after-.patch
+Patch00082: hmp-vnc-Fix-info-vnc-list-leak.patch
+Patch00083: migration-colo-fix-use-after-free-of-loc.patch
+Patch00084: migration-ram-fix-use-after-free-of-loca.patch
+Patch00085: qcow2-List-autoclear-bit-names-in-header.patch
+Patch00086: sheepdog-Consistently-set-bdrv_has_zero_.patch
+Patch00087: XXX-dont-dump-core-on-sigabort.patch
+Patch00088: qemu-binfmt-conf-Modify-default-path.patch
+Patch00089: qemu-cvs-gettimeofday.patch
+Patch00090: qemu-cvs-ioctl_debug.patch
+Patch00091: qemu-cvs-ioctl_nodirection.patch
+Patch00092: linux-user-add-binfmt-wrapper-for-argv-0.patch
+Patch00093: PPC-KVM-Disable-mmu-notifier-check.patch
+Patch00094: linux-user-binfmt-support-host-binaries.patch
+Patch00095: linux-user-Fake-proc-cpuinfo.patch
+Patch00096: linux-user-use-target_ulong.patch
+Patch00097: Make-char-muxer-more-robust-wrt-small-FI.patch
+Patch00098: linux-user-lseek-explicitly-cast-non-set.patch
+Patch00099: AIO-Reduce-number-of-threads-for-32bit-h.patch
+Patch00100: xen_disk-Add-suse-specific-flush-disable.patch
+Patch00101: qemu-bridge-helper-reduce-security-profi.patch
+Patch00102: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
+Patch00103: linux-user-properly-test-for-infinite-ti.patch
+Patch00104: roms-Makefile-pass-a-packaging-timestamp.patch
+Patch00105: Raise-soft-address-space-limit-to-hard-l.patch
+Patch00106: increase-x86_64-physical-bits-to-42.patch
+Patch00107: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
+Patch00108: i8254-Fix-migration-from-SLE11-SP2.patch
+Patch00109: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
+Patch00110: Switch-order-of-libraries-for-mpath-supp.patch
+Patch00111: Make-installed-scripts-explicitly-python.patch
+Patch00112: hw-smbios-handle-both-file-formats-regar.patch
+Patch00113: xen-add-block-resize-support-for-xen-dis.patch
+Patch00114: tests-qemu-iotests-Triple-timeout-of-i-o.patch
+Patch00115: tests-Fix-block-tests-to-be-compatible-w.patch
+Patch00116: xen-ignore-live-parameter-from-xen-save-.patch
+Patch00117: Conditionalize-ui-bitmap-installation-be.patch
+Patch00118: tests-change-error-message-in-test-162.patch
+Patch00119: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
+Patch00120: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
+Patch00121: hw-intc-exynos4210_gic-provide-more-room.patch
+Patch00122: configure-only-populate-roms-if-softmmu.patch
+Patch00123: pc-bios-s390-ccw-net-avoid-warning-about.patch
+Patch00124: roms-change-cross-compiler-naming-to-be-.patch
+Patch00125: tests-Disable-some-block-tests-for-now.patch
+Patch00126: test-add-mapping-from-arch-of-i686-to-qe.patch
+Patch00127: roms-Makefile-enable-cross-compile-for-b.patch
+Patch00128: hw-i386-disable-smbus-migration-for-xenf.patch
+Patch00129: s390x-Don-t-do-a-normal-reset-on-the-ini.patch
+Patch00130: s390x-Move-reset-normal-to-shared-reset-.patch
+Patch00131: s390x-Move-initial-reset.patch
+Patch00132: s390x-Move-clear-reset.patch
+Patch00133: s390x-kvm-Make-kvm_sclp_service_call-voi.patch
+Patch00134: s390x-ipl-Consolidate-iplb-validity-chec.patch
+Patch00135: s390x-Beautify-diag308-handling.patch
+Patch00136: s390x-Add-missing-vcpu-reset-functions.patch
+Patch00137: pc-bios-s390x-Save-iplb-location-in-lowc.patch
+Patch00138: s390-sclp-improve-special-wait-psw-logic.patch
+Patch00139: s390x-Move-diagnose-308-subcodes-and-rcs.patch
+Patch00140: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
+Patch00141: Sync-pv.patch
+Patch00142: s390x-protvirt-Support-unpack-facility.patch
+Patch00143: s390x-protvirt-Add-migration-blocker.patch
+Patch00144: s390x-protvirt-Inhibit-balloon-when-swit.patch
+Patch00145: s390x-protvirt-KVM-intercept-changes.patch
+Patch00146: s390x-Add-SIDA-memory-ops.patch
+Patch00147: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
+Patch00148: s390x-protvirt-SCLP-interpretation.patch
+Patch00149: s390x-protvirt-Set-guest-IPL-PSW.patch
+Patch00150: s390x-protvirt-Move-diag-308-data-over-S.patch
+Patch00151: s390x-protvirt-Disable-address-checks-fo.patch
+Patch00152: s390x-protvirt-Move-IO-control-structure.patch
+Patch00153: s390x-protvirt-Handle-SIGP-store-status-.patch
+Patch00154: s390x-Add-unpack-facility-feature-to-GA1.patch
 # Patches applied in roms/seabios/:
 Patch01000: seabios-use-python2-explicitly-as-needed.patch
 Patch01001: seabios-switch-to-python3-as-needed.patch
@@ -1134,6 +1143,15 @@ This package provides a service file for starting and stopping KSM.
 %patch00143 -p1
 %patch00144 -p1
 %patch00145 -p1
+%patch00146 -p1
+%patch00147 -p1
+%patch00148 -p1
+%patch00149 -p1
+%patch00150 -p1
+%patch00151 -p1
+%patch00152 -p1
+%patch00153 -p1
+%patch00154 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1
diff --git a/scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch b/scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch
new file mode 100644
index 0000000..3828f4a
--- /dev/null
+++ b/scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch
@@ -0,0 +1,93 @@
+From: Christophe de Dinechin
+Date: Fri, 28 Feb 2020 16:00:59 +0100
+Subject: scsi/qemu-pr-helper: Fix out-of-bounds access to trnptid_list[]
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 4ce1e15fbc7266a108a7c77a3962644b3935346e
+
+Compile error reported by gcc 10.0.1:
+
+scsi/qemu-pr-helper.c: In function ‘multipath_pr_out’:
+scsi/qemu-pr-helper.c:523:32: error: array subscript is outside array bounds of ‘struct transportid *[0]’ [-Werror=array-bounds]
+ 523 | paramp.trnptid_list[paramp.num_transportid++] = id;
+ | ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
+In file included from scsi/qemu-pr-helper.c:36:
+/usr/include/mpath_persist.h:168:22: note: while referencing ‘trnptid_list’
+ 168 | struct transportid *trnptid_list[];
+ | ^~~~~~~~~~~~
+scsi/qemu-pr-helper.c:424:35: note: defined here ‘paramp’
+ 424 | struct prout_param_descriptor paramp;
+ | ^~~~~~
+
+This highlights an actual implementation issue in function multipath_pr_out.
+The variable paramp is declared with type `struct prout_param_descriptor`,
+which is a struct terminated by an empty array in mpath_persist.h:
+
+ struct transportid *trnptid_list[];
+
+That empty array was filled with code that looked like that:
+
+ trnptid_list[paramp.descr.num_transportid++] = id;
+
+This is an actual out-of-bounds access.
+
+The fix is to malloc `paramp`.
+
+Signed-off-by: Christophe de Dinechin
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Bruce Rogers
+---
+ scsi/qemu-pr-helper.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c
+index debb18f4aa5d55a1720587cf82ea..38c273de19573ad8421da6439153 100644
+--- a/scsi/qemu-pr-helper.c
++++ b/scsi/qemu-pr-helper.c
+@@ -421,10 +421,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense,
+ int rq_servact = cdb[1];
+ int rq_scope = cdb[2] >> 4;
+ int rq_type = cdb[2] & 0xf;
+- struct prout_param_descriptor paramp;
++ g_autofree struct prout_param_descriptor *paramp = NULL;
+ char transportids[PR_HELPER_DATA_SIZE];
+ int r;
+
++ paramp = g_malloc0(sizeof(struct prout_param_descriptor)
++ + sizeof(struct transportid *) * MPATH_MX_TIDS);
++
+ if (sz < PR_OUT_FIXED_PARAM_SIZE) {
+ /* Illegal request, Parameter list length error. This isn't fatal;
+ * we have read the data, send an error without closing the socket.
+@@ -454,10 +457,9 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense,
+ * used by libmpathpersist (which, of course, will immediately
+ * do the opposite).
+ */
+- memset(¶mp, 0, sizeof(paramp));
+- memcpy(¶mp.key, ¶m[0], 8);
+- memcpy(¶mp.sa_key, ¶m[8], 8);
+- paramp.sa_flags = param[20];
++ memcpy(¶mp->key, ¶m[0], 8);
++ memcpy(¶mp->sa_key, ¶m[8], 8);
++ paramp->sa_flags = param[20];
+ if (sz > PR_OUT_FIXED_PARAM_SIZE) {
+ size_t transportid_len;
+ int i, j;
+@@ -520,12 +522,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense,
+ return CHECK_CONDITION;
+ }
+
+- paramp.trnptid_list[paramp.num_transportid++] = id;
++ assert(paramp->num_transportid < MPATH_MX_TIDS);
++ paramp->trnptid_list[paramp->num_transportid++] = id;
+ }
+ }
+
+ r = mpath_persistent_reserve_out(fd, rq_servact, rq_scope, rq_type,
+- ¶mp, noisy, verbose);
++ paramp, noisy, verbose);
+ return mpath_reconstruct_sense(fd, r, sense);
+ }
+ #endif
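Review bot: The new `assert(paramp->num_transportid < MPATH_MX_TIDS);` is the only bound between the client-supplied transport ID list and the freshly sized `trnptid_list[]`, and `param`/`sz` come from the helper's socket peer (the preceding length check's own comment says the data has already been read and an error is sent "without closing the socket"). The loop that fills the list and whatever bound it places on `sz` are outside this hunk, so it cannot be verified here whether more than MPATH_MX_TIDS IDs can arrive; if they can, a malformed parameter list aborts the helper — which normally runs with more privilege than QEMU itself — instead of being rejected. Prefer the rejection path the previous validation branch already takes: `if (paramp->num_transportid >= MPATH_MX_TIDS) { /* same sense as the length check above */ return CHECK_CONDITION; }`, and if the limit is provably unreachable from the parser, keep the assert but say why in a comment next to it. The allocation itself is right: descriptor plus MPATH_MX_TIDS pointers, zeroed by g_malloc0() (which is why the removed memset is redundant) and released by g_autofree on every return path. multipath_pr_out starts outside the hunk.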
diff --git a/sheepdog-Consistently-set-bdrv_has_zero_.patch b/sheepdog-Consistently-set-bdrv_has_zero_.patch
new file mode 100644
index 0000000..f7904f0
--- /dev/null
+++ b/sheepdog-Consistently-set-bdrv_has_zero_.patch
@@ -0,0 +1,46 @@
+From: Eric Blake
+Date: Tue, 24 Mar 2020 12:42:33 -0500
+Subject: sheepdog: Consistently set bdrv_has_zero_init_truncate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: ed049910637be991c88cc25c864115bc5b1e4dab
+
+block_int.h claims that .bdrv_has_zero_init must return 0 if
+.bdrv_has_zero_init_truncate does likewise; but this is violated if
+only the former callback is provided if .bdrv_co_truncate also exists.
+When adding the latter callback, it was mistakenly added to only one
+of the three possible sheepdog instantiations.
+
+Fixes: 1dcaf527
+Signed-off-by: Eric Blake
+Message-Id: <20200324174233.1622067-5-eblake@redhat.com>
+Reviewed-by: John Snow
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Max Reitz
+Signed-off-by: Bruce Rogers
+---
+ block/sheepdog.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/block/sheepdog.c b/block/sheepdog.c
+index cfa84338a2d6b653ce243ae53c7a..522c16a936762ff00ee23a5e9ca3 100644
+--- a/block/sheepdog.c
++++ b/block/sheepdog.c
+@@ -3269,6 +3269,7 @@ static BlockDriver bdrv_sheepdog_tcp = {
+ .bdrv_co_create = sd_co_create,
+ .bdrv_co_create_opts = sd_co_create_opts,
+ .bdrv_has_zero_init = bdrv_has_zero_init_1,
++ .bdrv_has_zero_init_truncate = bdrv_has_zero_init_1,
+ .bdrv_getlength = sd_getlength,
+ .bdrv_get_allocated_file_size = sd_get_allocated_file_size,
+ .bdrv_co_truncate = sd_co_truncate,
+@@ -3307,6 +3308,7 @@ static BlockDriver bdrv_sheepdog_unix = {
+ .bdrv_co_create = sd_co_create,
+ .bdrv_co_create_opts = sd_co_create_opts,
+ .bdrv_has_zero_init = bdrv_has_zero_init_1,
++ .bdrv_has_zero_init_truncate = bdrv_has_zero_init_1,
+ .bdrv_getlength = sd_getlength,
+ .bdrv_get_allocated_file_size = sd_get_allocated_file_size,
+ .bdrv_co_truncate = sd_co_truncate,
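Review bot: Adding `.bdrv_has_zero_init_truncate` to the tcp and unix driver tables fixes the two instances that were missed, but the underlying cause is that three BlockDriver definitions repeat the same callback set by hand, which is exactly how `Fixes: 1dcaf527` ended up updating only one of them. If the three tables really differ only in their name and protocol fields (not visible here), a shared macro for the common callbacks, or a build-time check that all three agree, would stop the next drift; failing that, a comment on each table, `/* keep callbacks in sync with the other two bdrv_sheepdog_* drivers */`, is cheap. The third instantiation that already carried the callback is outside this hunk.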