Accepting request 788690 from home:bfrogers:branches:Virtualization

- Include upstream patches targeted for the next stable release
  (bug fixes only)
  block-Avoid-memleak-on-qcow2-image-info-.patch
  block-bdrv_set_backing_bs-fix-use-after-.patch
  hmp-vnc-Fix-info-vnc-list-leak.patch
  migration-colo-fix-use-after-free-of-loc.patch
  migration-ram-fix-use-after-free-of-loca.patch
  ppc-ppc405_boards-Remove-unnecessary-NUL.patch
  qcow2-List-autoclear-bit-names-in-header.patch
  scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch
  sheepdog-Consistently-set-bdrv_has_zero_.patch

OBS-URL: https://build.opensuse.org/request/show/788690
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=541
Bruce Rogers 2020-03-26 22:01:41 +00:00 committed by Git OBS Bridge
parent 392cb30c5d
commit a9015c1f40
12 changed files with 754 additions and 72 deletions

@ -0,0 +1,33 @@
From: Eric Blake <eblake@redhat.com>
Date: Fri, 20 Mar 2020 13:36:20 -0500
Subject: block: Avoid memleak on qcow2 image info failure
Git-commit: 71eaec2e8c7c8d266137b5c5f42da0bd6d6b5eb7
If we fail to get bitmap info, we must not leak the encryption info.
Fixes: b8968c875f403
Fixes: Coverity CID 1421894
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20200320183620.1112123-1-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Reviewed-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
Tested-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
block/qcow2.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block/qcow2.c b/block/qcow2.c
index 7c18721741eacfb7f6c2c1f0efe6..13e118e16f02f371c0f23c7aaa8d 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -4800,6 +4800,7 @@ static ImageInfoSpecific *qcow2_get_specific_info(BlockDriverState *bs,
if (local_err) {
error_propagate(errp, local_err);
qapi_free_ImageInfoSpecific(spec_info);
+ qapi_free_QCryptoBlockInfo(encrypt_info);
return NULL;
}
*spec_info->u.qcow2.data = (ImageInfoSpecificQCow2){
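Review bot: The new qapi_free_QCryptoBlockInfo(encrypt_info) on the bitmap-info failure path is correct only because encrypt_info has not yet been handed to spec_info at this point; the context line after `return NULL;` shows `*spec_info->u.qcow2.data` being assigned only after this block, so qapi_free_ImageInfoSpecific(spec_info) cannot already have freed encrypt_info and the pair of frees is not a double free. If that assignment order ever moves above the error check, this pair needs revisiting.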

@ -0,0 +1,114 @@
From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Date: Mon, 16 Mar 2020 09:06:30 +0300
Subject: block: bdrv_set_backing_bs: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 6e57963a77df1e275a73dab4c6a7ec9a9d3468d4
There is a use-after-free possible: bdrv_unref_child() leaves
bs->backing freed but not NULL. bdrv_attach_child may produce a nested
polling loop due to drain, then access of the freed pointer is possible.
I've produced the following crash on 30 iotest with modified code. It
does not reproduce on master, but still seems possible:
#0 __strcmp_avx2 () at /lib64/libc.so.6
#1 bdrv_backing_overridden (bs=0x55c9d3cc2060) at block.c:6350
#2 bdrv_refresh_filename (bs=0x55c9d3cc2060) at block.c:6404
#3 bdrv_backing_attach (c=0x55c9d48e5520) at block.c:1063
#4 bdrv_replace_child_noperm
(child=child@entry=0x55c9d48e5520,
new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2290
#5 bdrv_replace_child
(child=child@entry=0x55c9d48e5520,
new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2320
#6 bdrv_root_attach_child
(child_bs=child_bs@entry=0x55c9d3cc2060,
child_name=child_name@entry=0x55c9d241d478 "backing",
child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
ctx=<optimized out>, perm=<optimized out>, shared_perm=21,
opaque=0x55c9d3c5a3d0, errp=0x7ffd117108e0) at block.c:2424
#7 bdrv_attach_child
(parent_bs=parent_bs@entry=0x55c9d3c5a3d0,
child_bs=child_bs@entry=0x55c9d3cc2060,
child_name=child_name@entry=0x55c9d241d478 "backing",
child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
errp=errp@entry=0x7ffd117108e0) at block.c:5876
#8 in bdrv_set_backing_hd
(bs=bs@entry=0x55c9d3c5a3d0,
backing_hd=backing_hd@entry=0x55c9d3cc2060,
errp=errp@entry=0x7ffd117108e0)
at block.c:2576
#9 stream_prepare (job=0x55c9d49d84a0) at block/stream.c:150
#10 job_prepare (job=0x55c9d49d84a0) at job.c:761
#11 job_txn_apply (txn=<optimized out>, fn=<optimized out>) at
job.c:145
#12 job_do_finalize (job=0x55c9d49d84a0) at job.c:778
#13 job_completed_txn_success (job=0x55c9d49d84a0) at job.c:832
#14 job_completed (job=0x55c9d49d84a0) at job.c:845
#15 job_completed (job=0x55c9d49d84a0) at job.c:836
#16 job_exit (opaque=0x55c9d49d84a0) at job.c:864
#17 aio_bh_call (bh=0x55c9d471a160) at util/async.c:117
#18 aio_bh_poll (ctx=ctx@entry=0x55c9d3c46720) at util/async.c:117
#19 aio_poll (ctx=ctx@entry=0x55c9d3c46720,
blocking=blocking@entry=true)
at util/aio-posix.c:728
#20 bdrv_parent_drained_begin_single (poll=true, c=0x55c9d3d558f0)
at block/io.c:121
#21 bdrv_parent_drained_begin_single (c=c@entry=0x55c9d3d558f0,
poll=poll@entry=true)
at block/io.c:114
#22 bdrv_replace_child_noperm
(child=child@entry=0x55c9d3d558f0,
new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2258
#23 bdrv_replace_child
(child=child@entry=0x55c9d3d558f0,
new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2320
#24 bdrv_root_attach_child
(child_bs=child_bs@entry=0x55c9d3d27300,
child_name=child_name@entry=0x55c9d241d478 "backing",
child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
ctx=<optimized out>, perm=<optimized out>, shared_perm=21,
opaque=0x55c9d3cc2060, errp=0x7ffd11710c60) at block.c:2424
#25 bdrv_attach_child
(parent_bs=parent_bs@entry=0x55c9d3cc2060,
child_bs=child_bs@entry=0x55c9d3d27300,
child_name=child_name@entry=0x55c9d241d478 "backing",
child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
errp=errp@entry=0x7ffd11710c60) at block.c:5876
#26 bdrv_set_backing_hd
(bs=bs@entry=0x55c9d3cc2060,
backing_hd=backing_hd@entry=0x55c9d3d27300,
errp=errp@entry=0x7ffd11710c60)
at block.c:2576
#27 stream_prepare (job=0x55c9d495ead0) at block/stream.c:150
...
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20200316060631.30052-2-vsementsov@virtuozzo.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
block.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block.c b/block.c
index 8539f99ac47cdbf0e9b823751074..3d0134f00b55e0400efc70058d00 100644
--- a/block.c
+++ b/block.c
@@ -2577,10 +2577,10 @@ void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd,
if (bs->backing) {
bdrv_unref_child(bs, bs->backing);
+ bs->backing = NULL;
}
if (!backing_hd) {
- bs->backing = NULL;
goto out;
}
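Review bot: Clearing bs->backing immediately after bdrv_unref_child() is the right fix: the old code left the dangling pointer live until the `if (!backing_hd)` branch, and the backtrace in the message shows bdrv_attach_child draining and polling (frames #19 to #21) in between, during which bdrv_backing_overridden dereferenced the freed BlockDriverState. The `bs->backing = NULL;` removed from the `!backing_hd` branch is redundant rather than lost: either bs->backing was non-NULL and has just been cleared, or it was already NULL.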

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d7bed3704998a1c71915ce16de258559a687e4ec8d8c2deb4c934899cc3708a5
size 121832
oid sha256:01029bd0e2cbba3484407c43afb4238a48cc7c66473832fa566be57c0439681e
size 129648

@ -0,0 +1,46 @@
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Date: Mon, 23 Mar 2020 12:08:22 +0000
Subject: hmp/vnc: Fix info vnc list leak
Git-commit: d4ff109373ce871928c7e9ef648973eba642b484
We're iterating the list, and then freeing the iteration pointer rather
than the list head.
Fixes: 0a9667ecdb6d ("hmp: Update info vnc")
Reported-by: Coverity (CID 1421932)
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20200323120822.51266-1-dgilbert@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
monitor/hmp-cmds.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
index b2551c16d129291068ce64b5f1fd..2fdc84ec995449b5139a89575e18 100644
--- a/monitor/hmp-cmds.c
+++ b/monitor/hmp-cmds.c
@@ -729,10 +729,11 @@ static void hmp_info_vnc_servers(Monitor *mon, VncServerInfo2List *server)
void hmp_info_vnc(Monitor *mon, const QDict *qdict)
{
- VncInfo2List *info2l;
+ VncInfo2List *info2l, *info2l_head;
Error *err = NULL;
info2l = qmp_query_vnc_servers(&err);
+ info2l_head = info2l;
if (err) {
hmp_handle_error(mon, &err);
return;
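Review bot: info2l_head is saved before the err check, so the error `return` frees nothing; that is fine only if qmp_query_vnc_servers() returns NULL whenever it sets err, which is the usual QAPI convention but is not visible in this hunk. Moving `info2l_head = info2l;` below the `if (err)` block, or a one-line comment, would make the ownership obvious to the next reader.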
@@ -761,7 +762,7 @@ void hmp_info_vnc(Monitor *mon, const QDict *qdict)
info2l = info2l->next;
}
- qapi_free_VncInfo2List(info2l);
+ qapi_free_VncInfo2List(info2l_head);
}
#endif
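Review bot: Freeing info2l_head rather than info2l fixes the leak: the loop above advances with `info2l = info2l->next;` until it is NULL, so the old qapi_free_VncInfo2List(info2l) was always called with NULL and freed nothing. The head pointer is the value qmp_query_vnc_servers() returned, which is the one that owns the whole list.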

@ -0,0 +1,31 @@
From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Date: Tue, 24 Mar 2020 18:36:28 +0300
Subject: migration/colo: fix use after free of local_err
Git-commit: 27d07fcfa70c3afa0664288cbce5334ed9595a3a
local_err is used again in secondary_vm_do_failover() after
replication_stop_all(), so we must zero it. Otherwise, trying to set a
non-NULL local_err will crash.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20200324153630.11882-5-vsementsov@virtuozzo.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
migration/colo.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/migration/colo.c b/migration/colo.c
index 2c88aa57a29307963a15fc017b1d..6d46800aa6a2617521a36cc0dc33 100644
--- a/migration/colo.c
+++ b/migration/colo.c
@@ -92,6 +92,7 @@ static void secondary_vm_do_failover(void)
replication_stop_all(true, &local_err);
if (local_err) {
error_report_err(local_err);
+ local_err = NULL;
}
/* Notify all filters of all NIC to do checkpoint */
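Review bot: The `local_err = NULL;` after error_report_err() is needed because error_report_err() frees the Error object; the message says local_err is reused later in secondary_vm_do_failover(), and passing a still-populated Error ** to a later error_setg() trips QEMU's assertion that the slot is empty. Worth scanning the rest of this function for other &local_err uses that follow a report without a reset, since the same pattern is fixed separately in migration/ram.c.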

@ -0,0 +1,31 @@
From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Date: Tue, 24 Mar 2020 18:36:29 +0300
Subject: migration/ram: fix use after free of local_err
Git-commit: b4a1733c5e6827c72b0dcfa295e07ef7b1ebccff
local_err is used again in migration_bitmap_sync_precopy() after
precopy_notify(), so we must zero it. Otherwise, trying to set a
non-NULL local_err will crash.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20200324153630.11882-6-vsementsov@virtuozzo.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
migration/ram.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/migration/ram.c b/migration/ram.c
index b6de7d1d5552a0aa39b0d232c2d6..c44542175da044c78ef8dc0ce612 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -1906,6 +1906,7 @@ static void migration_bitmap_sync_precopy(RAMState *rs)
*/
if (precopy_notify(PRECOPY_NOTIFY_BEFORE_BITMAP_SYNC, &local_err)) {
error_report_err(local_err);
+ local_err = NULL;
}
migration_bitmap_sync(rs);
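Review bot: Same dangling-Error fix as in migration/colo.c. Placing the reset inside the `if` is correct: error_report_err() runs, and frees local_err, only when precopy_notify() reports failure, and on the success path local_err is still NULL; an unconditional reset after the block would also work but would obscure why it is there.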

@ -0,0 +1,55 @@
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Fri, 20 Mar 2020 16:57:40 +0100
Subject: ppc/ppc405_boards: Remove unnecessary NULL check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 1583794b9b36911df116cc726750dadbeeac506a
This code is inside the "if (dinfo)" condition, so testing
again here whether it is NULL is unnecessary.
Fixes: dd59bcae7 (Don't size flash memory to match backing image)
Reported-by: Coverity (CID 1421917)
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200320155740.5342-1-philmd@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/ppc/ppc405_boards.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/ppc/ppc405_boards.c b/hw/ppc/ppc405_boards.c
index 1f721feed6a4bfc128187aefb5d9..556f3a80ec1ddbc018e00941c5c5 100644
--- a/hw/ppc/ppc405_boards.c
+++ b/hw/ppc/ppc405_boards.c
@@ -184,7 +184,7 @@ static void ref405ep_init(MachineState *machine)
bios_size = 8 * MiB;
pflash_cfi02_register((uint32_t)(-bios_size),
"ef405ep.bios", bios_size,
- dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
+ blk_by_legacy_dinfo(dinfo),
64 * KiB, 1,
2, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA,
1);
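Review bot: The message says the call sits inside an `if (dinfo)` block, but for ref405ep_init the guard lies outside the three lines of context shown here (only the third hunk, in taihu_405ep_init, has the `if (dinfo) {` line visible). The guard at the first two call sites should be confirmed before merging, because the removed ternary was the only thing standing between a NULL dinfo and blk_by_legacy_dinfo() at these lines.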
@@ -450,7 +450,7 @@ static void taihu_405ep_init(MachineState *machine)
bios_size = 2 * MiB;
pflash_cfi02_register(0xFFE00000,
"taihu_405ep.bios", bios_size,
- dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
+ blk_by_legacy_dinfo(dinfo),
64 * KiB, 1,
4, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA,
1);
@@ -486,7 +486,7 @@ static void taihu_405ep_init(MachineState *machine)
if (dinfo) {
bios_size = 32 * MiB;
pflash_cfi02_register(0xfc000000, "taihu_405ep.flash", bios_size,
- dinfo ? blk_by_legacy_dinfo(dinfo) : NULL,
+ blk_by_legacy_dinfo(dinfo),
64 * KiB, 1,
4, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA,
1);
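Review bot: Here the `if (dinfo) {` line is in the visible context, so the ternary was provably dead code and the simplification is safe as shown.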

@ -0,0 +1,200 @@
From: Eric Blake <eblake@redhat.com>
Date: Tue, 24 Mar 2020 12:42:31 -0500
Subject: qcow2: List autoclear bit names in header
Git-commit: bb40ebce2cb0bd4bf37968074d43d5a864fb6dee
The feature table is supposed to advertise the name of all feature
bits that we support; however, we forgot to update the table for
autoclear bits. While at it, move the table to read-only memory in
code, and tweak the qcow2 spec to name the second autoclear bit.
Update iotests that are affected by the longer header length.
Fixes: 88ddffae
Fixes: 93c24936
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Message-Id: <20200324174233.1622067-3-eblake@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
block/qcow2.c | 12 +++++++++++-
docs/interop/qcow2.txt | 3 ++-
tests/qemu-iotests/031.out | 8 ++++----
tests/qemu-iotests/036.out | 4 ++--
tests/qemu-iotests/061.out | 14 +++++++-------
5 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/block/qcow2.c b/block/qcow2.c
index 13e118e16f02f371c0f23c7aaa8d..77edd98be6fbaf0949dcb7755e48 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -2822,7 +2822,7 @@ int qcow2_update_header(BlockDriverState *bs)
/* Feature table */
if (s->qcow_version >= 3) {
- Qcow2Feature features[] = {
+ static const Qcow2Feature features[] = {
{
.type = QCOW2_FEAT_TYPE_INCOMPATIBLE,
.bit = QCOW2_INCOMPAT_DIRTY_BITNR,
@@ -2843,6 +2843,16 @@ int qcow2_update_header(BlockDriverState *bs)
.bit = QCOW2_COMPAT_LAZY_REFCOUNTS_BITNR,
.name = "lazy refcounts",
},
+ {
+ .type = QCOW2_FEAT_TYPE_AUTOCLEAR,
+ .bit = QCOW2_AUTOCLEAR_BITMAPS_BITNR,
+ .name = "bitmaps",
+ },
+ {
+ .type = QCOW2_FEAT_TYPE_AUTOCLEAR,
+ .bit = QCOW2_AUTOCLEAR_DATA_FILE_RAW_BITNR,
+ .name = "raw external data",
+ },
};
ret = header_ext_add(buf, QCOW2_EXT_MAGIC_FEATURE_TABLE,
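Review bot: Two entries are added for QCOW2_FEAT_TYPE_AUTOCLEAR, named "bitmaps" and "raw external data"; with the on-disk entry size of 48 bytes (1-byte type, 1-byte bit number, 46-byte name) that grows the table by 96 bytes, which is exactly the 192 to 288 change in every iotests hunk below. Making the array `static const` in the previous hunk is fine as long as header_ext_add() only reads from it, which its use on the line after the initialiser suggests; the names should stay in sync with docs/interop/qcow2.txt, and the docs hunk adds "Raw external data bit" for bit 1 accordingly.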
diff --git a/docs/interop/qcow2.txt b/docs/interop/qcow2.txt
index af5711e5337191d2c01932b0b3d0..8510d74c807927b86cf76a0f6cb8 100644
--- a/docs/interop/qcow2.txt
+++ b/docs/interop/qcow2.txt
@@ -138,7 +138,8 @@ in the description of a field.
bit is unset, the bitmaps extension data must be
considered inconsistent.
- Bit 1: If this bit is set, the external data file can
+ Bit 1: Raw external data bit
+ If this bit is set, the external data file can
be read as a consistent standalone raw image
without looking at the qcow2 metadata.
diff --git a/tests/qemu-iotests/031.out b/tests/qemu-iotests/031.out
index 68a74d03b9971ea8946e8fce41d6..f1941300d817ef1026046891c4df 100644
--- a/tests/qemu-iotests/031.out
+++ b/tests/qemu-iotests/031.out
@@ -117,7 +117,7 @@ header_length 104
Header extension:
magic 0x6803f857
-length 192
+length 288
data <binary>
Header extension:
@@ -150,7 +150,7 @@ header_length 104
Header extension:
magic 0x6803f857
-length 192
+length 288
data <binary>
Header extension:
@@ -164,7 +164,7 @@ No errors were found on the image.
magic 0x514649fb
version 3
-backing_file_offset 0x178
+backing_file_offset 0x1d8
backing_file_size 0x17
cluster_bits 16
size 67108864
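Review bot: backing_file_offset moving from 0x178 to 0x1d8 is a 0x60 = 96-byte shift, matching the 96-byte growth of the feature table extension that precedes the backing file name in the header; any other test output that hard-codes offsets after the header extensions needs the same update.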
@@ -188,7 +188,7 @@ data 'host_device'
Header extension:
magic 0x6803f857
-length 192
+length 288
data <binary>
Header extension:
diff --git a/tests/qemu-iotests/036.out b/tests/qemu-iotests/036.out
index e489b443866c515b42be344a9b85..3c19fa1edee7aeee1589a1c68366 100644
--- a/tests/qemu-iotests/036.out
+++ b/tests/qemu-iotests/036.out
@@ -58,7 +58,7 @@ header_length 104
Header extension:
magic 0x6803f857
-length 192
+length 288
data <binary>
@@ -86,7 +86,7 @@ header_length 104
Header extension:
magic 0x6803f857
-length 192
+length 288
data <binary>
*** done
diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out
index d6a7c2af95f2dcff314f425fd6a3..f98c098b5431072d4e54de1475cc 100644
--- a/tests/qemu-iotests/061.out
+++ b/tests/qemu-iotests/061.out
@@ -26,7 +26,7 @@ header_length 104
Header extension:
magic 0x6803f857
-length 192
+length 288
data <binary>
magic 0x514649fb
@@ -84,7 +84,7 @@ header_length 104
Header extension:
magic 0x6803f857
-length 192
+length 288
data <binary>
magic 0x514649fb
@@ -140,7 +140,7 @@ header_length 104
Header extension:
magic 0x6803f857
-length 192
+length 288
data <binary>
ERROR cluster 5 refcount=0 reference=1
@@ -195,7 +195,7 @@ header_length 104
Header extension:
magic 0x6803f857
-length 192
+length 288
data <binary>
magic 0x514649fb
@@ -264,7 +264,7 @@ header_length 104
Header extension:
magic 0x6803f857
-length 192
+length 288
data <binary>
read 65536/65536 bytes at offset 44040192
@@ -298,7 +298,7 @@ header_length 104
Header extension:
magic 0x6803f857
-length 192
+length 288
data <binary>
ERROR cluster 5 refcount=0 reference=1
@@ -327,7 +327,7 @@ header_length 104
Header extension:
magic 0x6803f857
-length 192
+length 288
data <binary>
read 131072/131072 bytes at offset 0
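As an added example (not code from the patch or from QEMU), the parser below reads the feature name table extension this patch extends and rebuilds the table as QEMU wrote it before and after the change, showing where the 192 to 288 byte growth and the previously unnamed autoclear bits come from. The two pre-existing names not shown in the hunk ("corrupt bit", "external data file") and the bit numbers are assumed from the QEMU constants.

```python
"""Parse and sanity-check the qcow2 "feature name table" header extension.

Constructed example: it rebuilds the 4-entry table QEMU wrote before the
patch and the 6-entry table after it, then reports feature bits that a
header sets but the table gives no name for.
"""
import struct

QCOW2_EXT_MAGIC_FEATURE_TABLE = 0x6803F857  # magic printed in the iotests output
FEATURE_ENTRY_SIZE = 48                      # 1-byte type + 1-byte bit + 46-byte name
FEAT_INCOMPATIBLE, FEAT_COMPATIBLE, FEAT_AUTOCLEAR = 0, 1, 2

# Entries as (type, bit, name). "dirty bit", "lazy refcounts", "bitmaps" and
# "raw external data" appear in the patch; the other two names and all bit
# numbers are assumed to match QEMU's QCOW2_*_BITNR constants.
OLD_TABLE = [
    (FEAT_INCOMPATIBLE, 0, "dirty bit"),
    (FEAT_INCOMPATIBLE, 1, "corrupt bit"),
    (FEAT_INCOMPATIBLE, 2, "external data file"),
    (FEAT_COMPATIBLE, 0, "lazy refcounts"),
]
NEW_TABLE = OLD_TABLE + [
    (FEAT_AUTOCLEAR, 0, "bitmaps"),
    (FEAT_AUTOCLEAR, 1, "raw external data"),
]


def build_feature_table_ext(entries):
    """Serialise entries as one header extension: magic, length, data, 8-byte pad."""
    data = b"".join(struct.pack(">BB46s", t, bit, name.encode("ascii"))
                    for t, bit, name in entries)
    pad = b"\0" * (-len(data) % 8)
    return struct.pack(">II", QCOW2_EXT_MAGIC_FEATURE_TABLE, len(data)) + data + pad


def parse_feature_table(ext):
    """Return (length, [(type, bit, name), ...]) from a serialised extension.

    Rejects a wrong magic, a length that is not a whole number of entries,
    and a buffer shorter than the length field claims."""
    magic, length = struct.unpack_from(">II", ext, 0)
    if magic != QCOW2_EXT_MAGIC_FEATURE_TABLE:
        raise ValueError("not a feature name table extension: 0x%x" % magic)
    if length % FEATURE_ENTRY_SIZE:
        raise ValueError("length %d is not a multiple of %d" % (length, FEATURE_ENTRY_SIZE))
    if len(ext) < 8 + length:
        raise ValueError("truncated extension")
    entries = []
    for off in range(8, 8 + length, FEATURE_ENTRY_SIZE):
        t, bit, raw = struct.unpack_from(">BB46s", ext, off)
        entries.append((t, bit, raw.split(b"\0", 1)[0].decode("ascii", "replace")))
    return length, entries


def unnamed_bits(entries, feat_type, mask):
    """Bits set in a header feature mask that the table does not name.

    A reader that relies on the table can only report such bits by number,
    which is what the patch fixes for the autoclear field."""
    named = {bit for t, bit, _ in entries if t == feat_type}
    return [b for b in range(64) if mask >> b & 1 and b not in named]


if __name__ == "__main__":
    for label, table in (("before", OLD_TABLE), ("after", NEW_TABLE)):
        length, parsed = parse_feature_table(build_feature_table_ext(table))
        print(label, "length", length, "entries", len(parsed),
              "unnamed autoclear bits for mask 0b11:",
              unnamed_bits(parsed, FEAT_AUTOCLEAR, 0b11))
```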

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Thu Mar 26 18:28:03 UTC 2020 - Bruce Rogers <brogers@suse.com>
- Include upstream patches targeted for the next stable release
(bug fixes only)
block-Avoid-memleak-on-qcow2-image-info-.patch
block-bdrv_set_backing_bs-fix-use-after-.patch
hmp-vnc-Fix-info-vnc-list-leak.patch
migration-colo-fix-use-after-free-of-loc.patch
migration-ram-fix-use-after-free-of-loca.patch
ppc-ppc405_boards-Remove-unnecessary-NUL.patch
qcow2-List-autoclear-bit-names-in-header.patch
scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch
sheepdog-Consistently-set-bdrv_has_zero_.patch
-------------------------------------------------------------------
Tue Mar 24 13:22:36 UTC 2020 - Bruce Rogers <brogers@suse.com>

qemu.spec

@ -203,76 +203,85 @@ Patch00072: block-qcow2-threads-fix-qcow2_decompress.patch
Patch00073: job-refactor-progress-to-separate-object.patch
Patch00074: block-block-copy-fix-progress-calculatio.patch
Patch00075: block-io-fix-bdrv_co_do_copy_on_readv.patch
Patch00076: target-ppc-Fix-rlwinm-on-ppc64.patch
Patch00077: compat-disable-edid-on-correct-virtio-gp.patch
Patch00078: XXX-dont-dump-core-on-sigabort.patch
Patch00079: qemu-binfmt-conf-Modify-default-path.patch
Patch00080: qemu-cvs-gettimeofday.patch
Patch00081: qemu-cvs-ioctl_debug.patch
Patch00082: qemu-cvs-ioctl_nodirection.patch
Patch00083: linux-user-add-binfmt-wrapper-for-argv-0.patch
Patch00084: PPC-KVM-Disable-mmu-notifier-check.patch
Patch00085: linux-user-binfmt-support-host-binaries.patch
Patch00086: linux-user-Fake-proc-cpuinfo.patch
Patch00087: linux-user-use-target_ulong.patch
Patch00088: Make-char-muxer-more-robust-wrt-small-FI.patch
Patch00089: linux-user-lseek-explicitly-cast-non-set.patch
Patch00090: AIO-Reduce-number-of-threads-for-32bit-h.patch
Patch00091: xen_disk-Add-suse-specific-flush-disable.patch
Patch00092: qemu-bridge-helper-reduce-security-profi.patch
Patch00093: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
Patch00094: linux-user-properly-test-for-infinite-ti.patch
Patch00095: roms-Makefile-pass-a-packaging-timestamp.patch
Patch00096: Raise-soft-address-space-limit-to-hard-l.patch
Patch00097: increase-x86_64-physical-bits-to-42.patch
Patch00098: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
Patch00099: i8254-Fix-migration-from-SLE11-SP2.patch
Patch00100: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
Patch00101: Switch-order-of-libraries-for-mpath-supp.patch
Patch00102: Make-installed-scripts-explicitly-python.patch
Patch00103: hw-smbios-handle-both-file-formats-regar.patch
Patch00104: xen-add-block-resize-support-for-xen-dis.patch
Patch00105: tests-qemu-iotests-Triple-timeout-of-i-o.patch
Patch00106: tests-Fix-block-tests-to-be-compatible-w.patch
Patch00107: xen-ignore-live-parameter-from-xen-save-.patch
Patch00108: Conditionalize-ui-bitmap-installation-be.patch
Patch00109: tests-change-error-message-in-test-162.patch
Patch00110: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
Patch00111: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
Patch00112: hw-intc-exynos4210_gic-provide-more-room.patch
Patch00113: configure-only-populate-roms-if-softmmu.patch
Patch00114: pc-bios-s390-ccw-net-avoid-warning-about.patch
Patch00115: roms-change-cross-compiler-naming-to-be-.patch
Patch00116: tests-Disable-some-block-tests-for-now.patch
Patch00117: test-add-mapping-from-arch-of-i686-to-qe.patch
Patch00118: roms-Makefile-enable-cross-compile-for-b.patch
Patch00119: hw-i386-disable-smbus-migration-for-xenf.patch
Patch00120: s390x-Don-t-do-a-normal-reset-on-the-ini.patch
Patch00121: s390x-Move-reset-normal-to-shared-reset-.patch
Patch00122: s390x-Move-initial-reset.patch
Patch00123: s390x-Move-clear-reset.patch
Patch00124: s390x-kvm-Make-kvm_sclp_service_call-voi.patch
Patch00125: s390x-ipl-Consolidate-iplb-validity-chec.patch
Patch00126: s390x-Beautify-diag308-handling.patch
Patch00127: s390x-Add-missing-vcpu-reset-functions.patch
Patch00128: pc-bios-s390x-Save-iplb-location-in-lowc.patch
Patch00129: s390-sclp-improve-special-wait-psw-logic.patch
Patch00130: s390x-Move-diagnose-308-subcodes-and-rcs.patch
Patch00131: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
Patch00132: Sync-pv.patch
Patch00133: s390x-protvirt-Support-unpack-facility.patch
Patch00134: s390x-protvirt-Add-migration-blocker.patch
Patch00135: s390x-protvirt-Inhibit-balloon-when-swit.patch
Patch00136: s390x-protvirt-KVM-intercept-changes.patch
Patch00137: s390x-Add-SIDA-memory-ops.patch
Patch00138: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
Patch00139: s390x-protvirt-SCLP-interpretation.patch
Patch00140: s390x-protvirt-Set-guest-IPL-PSW.patch
Patch00141: s390x-protvirt-Move-diag-308-data-over-S.patch
Patch00142: s390x-protvirt-Disable-address-checks-fo.patch
Patch00143: s390x-protvirt-Move-IO-control-structure.patch
Patch00144: s390x-protvirt-Handle-SIGP-store-status-.patch
Patch00145: s390x-Add-unpack-facility-feature-to-GA1.patch
Patch00076: scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch
Patch00077: target-ppc-Fix-rlwinm-on-ppc64.patch
Patch00078: compat-disable-edid-on-correct-virtio-gp.patch
Patch00079: ppc-ppc405_boards-Remove-unnecessary-NUL.patch
Patch00080: block-Avoid-memleak-on-qcow2-image-info-.patch
Patch00081: block-bdrv_set_backing_bs-fix-use-after-.patch
Patch00082: hmp-vnc-Fix-info-vnc-list-leak.patch
Patch00083: migration-colo-fix-use-after-free-of-loc.patch
Patch00084: migration-ram-fix-use-after-free-of-loca.patch
Patch00085: qcow2-List-autoclear-bit-names-in-header.patch
Patch00086: sheepdog-Consistently-set-bdrv_has_zero_.patch
Patch00087: XXX-dont-dump-core-on-sigabort.patch
Patch00088: qemu-binfmt-conf-Modify-default-path.patch
Patch00089: qemu-cvs-gettimeofday.patch
Patch00090: qemu-cvs-ioctl_debug.patch
Patch00091: qemu-cvs-ioctl_nodirection.patch
Patch00092: linux-user-add-binfmt-wrapper-for-argv-0.patch
Patch00093: PPC-KVM-Disable-mmu-notifier-check.patch
Patch00094: linux-user-binfmt-support-host-binaries.patch
Patch00095: linux-user-Fake-proc-cpuinfo.patch
Patch00096: linux-user-use-target_ulong.patch
Patch00097: Make-char-muxer-more-robust-wrt-small-FI.patch
Patch00098: linux-user-lseek-explicitly-cast-non-set.patch
Patch00099: AIO-Reduce-number-of-threads-for-32bit-h.patch
Patch00100: xen_disk-Add-suse-specific-flush-disable.patch
Patch00101: qemu-bridge-helper-reduce-security-profi.patch
Patch00102: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
Patch00103: linux-user-properly-test-for-infinite-ti.patch
Patch00104: roms-Makefile-pass-a-packaging-timestamp.patch
Patch00105: Raise-soft-address-space-limit-to-hard-l.patch
Patch00106: increase-x86_64-physical-bits-to-42.patch
Patch00107: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
Patch00108: i8254-Fix-migration-from-SLE11-SP2.patch
Patch00109: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
Patch00110: Switch-order-of-libraries-for-mpath-supp.patch
Patch00111: Make-installed-scripts-explicitly-python.patch
Patch00112: hw-smbios-handle-both-file-formats-regar.patch
Patch00113: xen-add-block-resize-support-for-xen-dis.patch
Patch00114: tests-qemu-iotests-Triple-timeout-of-i-o.patch
Patch00115: tests-Fix-block-tests-to-be-compatible-w.patch
Patch00116: xen-ignore-live-parameter-from-xen-save-.patch
Patch00117: Conditionalize-ui-bitmap-installation-be.patch
Patch00118: tests-change-error-message-in-test-162.patch
Patch00119: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
Patch00120: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
Patch00121: hw-intc-exynos4210_gic-provide-more-room.patch
Patch00122: configure-only-populate-roms-if-softmmu.patch
Patch00123: pc-bios-s390-ccw-net-avoid-warning-about.patch
Patch00124: roms-change-cross-compiler-naming-to-be-.patch
Patch00125: tests-Disable-some-block-tests-for-now.patch
Patch00126: test-add-mapping-from-arch-of-i686-to-qe.patch
Patch00127: roms-Makefile-enable-cross-compile-for-b.patch
Patch00128: hw-i386-disable-smbus-migration-for-xenf.patch
Patch00129: s390x-Don-t-do-a-normal-reset-on-the-ini.patch
Patch00130: s390x-Move-reset-normal-to-shared-reset-.patch
Patch00131: s390x-Move-initial-reset.patch
Patch00132: s390x-Move-clear-reset.patch
Patch00133: s390x-kvm-Make-kvm_sclp_service_call-voi.patch
Patch00134: s390x-ipl-Consolidate-iplb-validity-chec.patch
Patch00135: s390x-Beautify-diag308-handling.patch
Patch00136: s390x-Add-missing-vcpu-reset-functions.patch
Patch00137: pc-bios-s390x-Save-iplb-location-in-lowc.patch
Patch00138: s390-sclp-improve-special-wait-psw-logic.patch
Patch00139: s390x-Move-diagnose-308-subcodes-and-rcs.patch
Patch00140: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
Patch00141: Sync-pv.patch
Patch00142: s390x-protvirt-Support-unpack-facility.patch
Patch00143: s390x-protvirt-Add-migration-blocker.patch
Patch00144: s390x-protvirt-Inhibit-balloon-when-swit.patch
Patch00145: s390x-protvirt-KVM-intercept-changes.patch
Patch00146: s390x-Add-SIDA-memory-ops.patch
Patch00147: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
Patch00148: s390x-protvirt-SCLP-interpretation.patch
Patch00149: s390x-protvirt-Set-guest-IPL-PSW.patch
Patch00150: s390x-protvirt-Move-diag-308-data-over-S.patch
Patch00151: s390x-protvirt-Disable-address-checks-fo.patch
Patch00152: s390x-protvirt-Move-IO-control-structure.patch
Patch00153: s390x-protvirt-Handle-SIGP-store-status-.patch
Patch00154: s390x-Add-unpack-facility-feature-to-GA1.patch
# Patches applied in roms/seabios/:
Patch01000: seabios-use-python2-explicitly-as-needed.patch
Patch01001: seabios-switch-to-python3-as-needed.patch
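Review bot: The nine new Patch entries (scsi-qemu-pr-helper, ppc-ppc405_boards, block-Avoid-memleak, block-bdrv_set_backing_bs, hmp-vnc, migration-colo, migration-ram, qcow2-List-autoclear, sheepdog) are inserted into the upstream-fix block, and every downstream patch from XXX-dont-dump-core-on-sigabort onward is renumbered by nine (Patch00078..Patch00145 become Patch00087..Patch00154), which matches the changelog list. Wholesale renumbering makes the diff hard to review; leaving gaps in the numbering, or keeping downstream patches in their own range, would avoid touching dozens of unrelated lines each time a stable fix lands.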
@ -1134,6 +1143,15 @@ This package provides a service file for starting and stopping KSM.
%patch00143 -p1
%patch00144 -p1
%patch00145 -p1
%patch00146 -p1
%patch00147 -p1
%patch00148 -p1
%patch00149 -p1
%patch00150 -p1
%patch00151 -p1
%patch00152 -p1
%patch00153 -p1
%patch00154 -p1
%patch01000 -p1
%patch01001 -p1
%patch01002 -p1
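Review bot: The %prep block gains %patch00146 through %patch00154, nine apply lines that match the nine added Patch entries and the new highest number 00154. Keeping the two lists in lockstep is the main risk of this scheme; a build-time check that the number of `Patch000NN:` definitions equals the number of `%patch000NN` lines would catch a slip here.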

@ -0,0 +1,93 @@
From: Christophe de Dinechin <dinechin@redhat.com>
Date: Fri, 28 Feb 2020 16:00:59 +0100
Subject: scsi/qemu-pr-helper: Fix out-of-bounds access to trnptid_list[]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 4ce1e15fbc7266a108a7c77a3962644b3935346e
Compile error reported by gcc 10.0.1:
scsi/qemu-pr-helper.c: In function multipath_pr_out:
scsi/qemu-pr-helper.c:523:32: error: array subscript <unknown> is outside array bounds of struct transportid *[0] [-Werror=array-bounds]
523 | paramp.trnptid_list[paramp.num_transportid++] = id;
| ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from scsi/qemu-pr-helper.c:36:
/usr/include/mpath_persist.h:168:22: note: while referencing trnptid_list
168 | struct transportid *trnptid_list[];
| ^~~~~~~~~~~~
scsi/qemu-pr-helper.c:424:35: note: defined here paramp
424 | struct prout_param_descriptor paramp;
| ^~~~~~
This highlights an actual implementation issue in function multipath_pr_out.
The variable paramp is declared with type `struct prout_param_descriptor`,
which is a struct terminated by an empty array in mpath_persist.h:
struct transportid *trnptid_list[];
That empty array was filled with code that looked like this:
trnptid_list[paramp.descr.num_transportid++] = id;
This is an actual out-of-bounds access.
The fix is to malloc `paramp`.
Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
scsi/qemu-pr-helper.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c
index debb18f4aa5d55a1720587cf82ea..38c273de19573ad8421da6439153 100644
--- a/scsi/qemu-pr-helper.c
+++ b/scsi/qemu-pr-helper.c
@@ -421,10 +421,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense,
int rq_servact = cdb[1];
int rq_scope = cdb[2] >> 4;
int rq_type = cdb[2] & 0xf;
- struct prout_param_descriptor paramp;
+ g_autofree struct prout_param_descriptor *paramp = NULL;
char transportids[PR_HELPER_DATA_SIZE];
int r;
+ paramp = g_malloc0(sizeof(struct prout_param_descriptor)
+ + sizeof(struct transportid *) * MPATH_MX_TIDS);
+
if (sz < PR_OUT_FIXED_PARAM_SIZE) {
/* Illegal request, Parameter list length error. This isn't fatal;
* we have read the data, send an error without closing the socket.
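Review bot: Allocating paramp with g_malloc0() sized for sizeof(struct prout_param_descriptor) plus MPATH_MX_TIDS pointers fixes the root cause: the old stack variable had no storage behind its flexible array member trnptid_list[], so every store into it wrote past the object on the stack. g_malloc0 also zero-fills, which is why the memset in the next hunk can go, and g_autofree covers the early `return` paths in this function without extra cleanup code.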
@@ -454,10 +457,9 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense,
* used by libmpathpersist (which, of course, will immediately
* do the opposite).
*/
- memset(&paramp, 0, sizeof(paramp));
- memcpy(&paramp.key, &param[0], 8);
- memcpy(&paramp.sa_key, &param[8], 8);
- paramp.sa_flags = param[20];
+ memcpy(&paramp->key, &param[0], 8);
+ memcpy(&paramp->sa_key, &param[8], 8);
+ paramp->sa_flags = param[20];
if (sz > PR_OUT_FIXED_PARAM_SIZE) {
size_t transportid_len;
int i, j;
@@ -520,12 +522,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense,
return CHECK_CONDITION;
}
- paramp.trnptid_list[paramp.num_transportid++] = id;
+ assert(paramp->num_transportid < MPATH_MX_TIDS);
+ paramp->trnptid_list[paramp->num_transportid++] = id;
}
}
r = mpath_persistent_reserve_out(fd, rq_servact, rq_scope, rq_type,
- &paramp, noisy, verbose);
+ paramp, noisy, verbose);
return mpath_reconstruct_sense(fd, r, sense);
}
#endif
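Review bot: The new assert() bounds the store into trnptid_list, but the transport IDs are parsed from the client's PR OUT parameter list, so whether it can fire depends on whether the parsing loop above already caps the count at MPATH_MX_TIDS. If it does not, a malformed request from the socket peer would abort the helper; the `return CHECK_CONDITION;` just above is the existing pattern for rejecting bad parameters with a sense error, and that would be the more robust choice here.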

@ -0,0 +1,46 @@
From: Eric Blake <eblake@redhat.com>
Date: Tue, 24 Mar 2020 12:42:33 -0500
Subject: sheepdog: Consistently set bdrv_has_zero_init_truncate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: ed049910637be991c88cc25c864115bc5b1e4dab
block_int.h claims that .bdrv_has_zero_init must return 0 if
.bdrv_has_zero_init_truncate does likewise; but this is violated if
only the former callback is provided if .bdrv_co_truncate also exists.
When adding the latter callback, it was mistakenly added to only one
of the three possible sheepdog instantiations.
Fixes: 1dcaf527
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20200324174233.1622067-5-eblake@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
block/sheepdog.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/block/sheepdog.c b/block/sheepdog.c
index cfa84338a2d6b653ce243ae53c7a..522c16a936762ff00ee23a5e9ca3 100644
--- a/block/sheepdog.c
+++ b/block/sheepdog.c
@@ -3269,6 +3269,7 @@ static BlockDriver bdrv_sheepdog_tcp = {
.bdrv_co_create = sd_co_create,
.bdrv_co_create_opts = sd_co_create_opts,
.bdrv_has_zero_init = bdrv_has_zero_init_1,
+ .bdrv_has_zero_init_truncate = bdrv_has_zero_init_1,
.bdrv_getlength = sd_getlength,
.bdrv_get_allocated_file_size = sd_get_allocated_file_size,
.bdrv_co_truncate = sd_co_truncate,
@@ -3307,6 +3308,7 @@ static BlockDriver bdrv_sheepdog_unix = {
.bdrv_co_create = sd_co_create,
.bdrv_co_create_opts = sd_co_create_opts,
.bdrv_has_zero_init = bdrv_has_zero_init_1,
+ .bdrv_has_zero_init_truncate = bdrv_has_zero_init_1,
.bdrv_getlength = sd_getlength,
.bdrv_get_allocated_file_size = sd_get_allocated_file_size,
.bdrv_co_truncate = sd_co_truncate,
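Review bot: Both hunks set .bdrv_has_zero_init_truncate to bdrv_has_zero_init_1, the same callback already used for .bdrv_has_zero_init in the same initialisers, so the block_int.h rule quoted in the message holds for the tcp and unix drivers; each hunk also shows .bdrv_co_truncate = sd_co_truncate in context, confirming these are the two cases the rule applies to. The third instantiation the message mentions is absent from the diff, so it must be the one that already had the callback; worth a glance to confirm it uses the same bdrv_has_zero_init_1 so all three stay consistent.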