Accepting request 664459 from home:bfrogers:branches:Virtualization
Include security fixes and other recent "stable" fixes OBS-URL: https://build.opensuse.org/request/show/664459 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=445
This commit is contained in:
parent
dea6cd408e
commit
b69ad9167a
@ -14,14 +14,14 @@ Since the ioreqs themselves are re-used via a free list, this
|
||||
should actually improve memory usage.
|
||||
|
||||
Signed-off-by: Tim Smith <tim.smith@citrix.com>
|
||||
[BSC#1100408]
|
||||
[BR: BSC#1100408]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/block/xen_disk.c | 7 ++-----
|
||||
1 file changed, 2 insertions(+), 5 deletions(-)
|
||||
hw/block/xen_disk.c | 9 ++++-----
|
||||
1 file changed, 4 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c
|
||||
index d9a55faf27..e9501ee34c 100644
|
||||
index d9a55faf27..df99162520 100644
|
||||
--- a/hw/block/xen_disk.c
|
||||
+++ b/hw/block/xen_disk.c
|
||||
@@ -110,7 +110,6 @@ static void ioreq_reset(struct ioreq *ioreq)
|
||||
@ -32,15 +32,17 @@ index d9a55faf27..e9501ee34c 100644
|
||||
ioreq->size = 0;
|
||||
ioreq->presync = 0;
|
||||
|
||||
@@ -135,6 +134,7 @@ static struct ioreq *ioreq_start(struct XenBlkDev *blkdev)
|
||||
@@ -135,6 +134,9 @@ static struct ioreq *ioreq_start(struct XenBlkDev *blkdev)
|
||||
/* allocate new struct */
|
||||
ioreq = g_malloc0(sizeof(*ioreq));
|
||||
ioreq->blkdev = blkdev;
|
||||
+ ioreq->buf = qemu_memalign(XC_PAGE_SIZE, BLKIF_MAX_SEGMENTS_PER_REQUEST * XC_PAGE_SIZE);
|
||||
+ ioreq->buf = qemu_memalign(XC_PAGE_SIZE,
|
||||
+ BLKIF_MAX_SEGMENTS_PER_REQUEST *
|
||||
+ XC_PAGE_SIZE);
|
||||
blkdev->requests_total++;
|
||||
qemu_iovec_init(&ioreq->v, 1);
|
||||
} else {
|
||||
@@ -317,14 +317,12 @@ static void qemu_aio_complete(void *opaque, int ret)
|
||||
@@ -317,14 +319,12 @@ static void qemu_aio_complete(void *opaque, int ret)
|
||||
if (ret == 0) {
|
||||
ioreq_grant_copy(ioreq);
|
||||
}
|
||||
@ -55,7 +57,7 @@ index d9a55faf27..e9501ee34c 100644
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
@@ -392,12 +390,10 @@ static int ioreq_runio_qemu_aio(struct ioreq *ioreq)
|
||||
@@ -392,12 +392,10 @@ static int ioreq_runio_qemu_aio(struct ioreq *ioreq)
|
||||
{
|
||||
struct XenBlkDev *blkdev = ioreq->blkdev;
|
||||
|
||||
@ -68,7 +70,7 @@ index d9a55faf27..e9501ee34c 100644
|
||||
goto err;
|
||||
}
|
||||
|
||||
@@ -1007,6 +1003,7 @@ static int blk_free(struct XenDevice *xendev)
|
||||
@@ -1007,6 +1005,7 @@ static int blk_free(struct XenDevice *xendev)
|
||||
ioreq = QLIST_FIRST(&blkdev->freelist);
|
||||
QLIST_REMOVE(ioreq, list);
|
||||
qemu_iovec_destroy(&ioreq->v);
|
||||
|
40
0041-vfio-ap-flag-as-compatible-with-bal.patch
Normal file
40
0041-vfio-ap-flag-as-compatible-with-bal.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From: Cornelia Huck <cohuck@redhat.com>
|
||||
Date: Wed, 5 Dec 2018 15:35:03 +0100
|
||||
Subject: vfio-ap: flag as compatible with balloon
|
||||
|
||||
vfio-ap devices do not pin any pages in the host. Therefore, they
|
||||
are compatible with memory ballooning.
|
||||
|
||||
Flag them as compatible, so both vfio-ap and a balloon can be
|
||||
used simultaneously.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
|
||||
Tested-by: Tony Krowiak <akrowiak@linux.ibm.com>
|
||||
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
|
||||
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
|
||||
(cherry picked from commit 1883e8fc8005e9ef452890a075bae98e8c432968)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/vfio/ap.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/hw/vfio/ap.c b/hw/vfio/ap.c
|
||||
index 65de952f44..0a25f5e096 100644
|
||||
--- a/hw/vfio/ap.c
|
||||
+++ b/hw/vfio/ap.c
|
||||
@@ -104,6 +104,14 @@ static void vfio_ap_realize(DeviceState *dev, Error **errp)
|
||||
vapdev->vdev.name = g_strdup_printf("%s", mdevid);
|
||||
vapdev->vdev.dev = dev;
|
||||
|
||||
+ /*
|
||||
+ * vfio-ap devices operate in a way compatible with
|
||||
+ * memory ballooning, as no pages are pinned in the host.
|
||||
+ * This needs to be set before vfio_get_device() for vfio common to
|
||||
+ * handle the balloon inhibitor.
|
||||
+ */
|
||||
+ vapdev->vdev.balloon_allowed = true;
|
||||
+
|
||||
ret = vfio_get_device(vfio_group, mdevid, &vapdev->vdev, &local_err);
|
||||
if (ret) {
|
||||
goto out_get_dev_err;
|
35
0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
Normal file
35
0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From: Thomas Huth <thuth@redhat.com>
|
||||
Date: Fri, 14 Dec 2018 14:08:07 +0100
|
||||
Subject: hw/s390x: Fix bad mask in time2tod()
|
||||
|
||||
Since "s390x/tcg: avoid overflows in time2tod/tod2time", the
|
||||
time2tod() function tries to deal with the 9 uppermost bits in the
|
||||
time value, but uses the wrong mask for this: 0xff80000000000000 should
|
||||
be used instead of 0xff10000000000000 here.
|
||||
|
||||
Fixes: 14055ce53c2d901d826ffad7fb7d6bb8ab46bdfd
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Thomas Huth <thuth@redhat.com>
|
||||
Message-Id: <1544792887-14575-1-git-send-email-thuth@redhat.com>
|
||||
Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
[CH: tweaked commit message]
|
||||
(cherry picked from commit aba7a5a2de3dba5917024df25441f715b9249e31)
|
||||
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
include/hw/s390x/tod.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/include/hw/s390x/tod.h b/include/hw/s390x/tod.h
|
||||
index 413c0d7c02..442f45b2f5 100644
|
||||
--- a/include/hw/s390x/tod.h
|
||||
+++ b/include/hw/s390x/tod.h
|
||||
@@ -50,7 +50,7 @@ typedef struct S390TODClass {
|
||||
/* Converts ns to s390's clock format */
|
||||
static inline uint64_t time2tod(uint64_t ns)
|
||||
{
|
||||
- return (ns << 9) / 125 + (((ns & 0xff10000000000000ull) / 125) << 9);
|
||||
+ return (ns << 9) / 125 + (((ns & 0xff80000000000000ull) / 125) << 9);
|
||||
}
|
||||
|
||||
/* Converts s390's clock format to ns */
|
102
0043-pcie-set-link-state-inactive-active.patch
Normal file
102
0043-pcie-set-link-state-inactive-active.patch
Normal file
@ -0,0 +1,102 @@
|
||||
From: Zheng Xiang <zhengxiang9@huawei.com>
|
||||
Date: Mon, 3 Dec 2018 15:05:17 +0800
|
||||
Subject: pcie: set link state inactive/active after hot unplug/plug
|
||||
|
||||
When VM boots from the latest version of linux kernel, after
|
||||
hot-unpluging virtio-blk disks which are hotplugged into
|
||||
pcie-root-port, the VM's dmesg log shows:
|
||||
|
||||
[ 151.046242] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0001 from Slot Status
|
||||
[ 151.046365] pciehp 0000:00:05.0:pcie004: Slot(0-3): Attention button pressed
|
||||
[ 151.046369] pciehp 0000:00:05.0:pcie004: Slot(0-3): Powering off due to button press
|
||||
[ 151.046420] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
|
||||
[ 151.046425] pciehp 0000:00:05.0:pcie004: pciehp_green_led_blink: SLOTCTRL a8 write cmd 200
|
||||
[ 151.046464] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
|
||||
[ 151.046468] pciehp 0000:00:05.0:pcie004: pciehp_set_attention_status: SLOTCTRL a8 write cmd c0
|
||||
[ 156.163421] pciehp 0000:00:05.0:pcie004: pciehp_get_power_status: SLOTCTRL a8 value read 2f1
|
||||
[ 156.163427] pciehp 0000:00:05.0:pcie004: pciehp_unconfigure_device: domain:bus:dev = 0000:06:00
|
||||
[ 156.198736] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
|
||||
[ 156.198772] pciehp 0000:00:05.0:pcie004: pciehp_power_off_slot: SLOTCTRL a8 write cmd 400
|
||||
[ 157.224124] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0018 from Slot Status
|
||||
[ 157.224194] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300
|
||||
[ 157.224220] pciehp 0000:00:05.0:pcie004: pciehp_check_link_active: lnk_status = 2011
|
||||
[ 157.224223] pciehp 0000:00:05.0:pcie004: Slot(0-3): Link Up
|
||||
[ 157.224233] pciehp 0000:00:05.0:pcie004: pciehp_get_power_status: SLOTCTRL a8 value read 7f1
|
||||
[ 157.224281] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
|
||||
[ 157.224285] pciehp 0000:00:05.0:pcie004: pciehp_power_on_slot: SLOTCTRL a8 write cmd 0
|
||||
[ 157.224300] pciehp 0000:00:05.0:pcie004: __pciehp_link_set: lnk_ctrl = 0
|
||||
[ 157.224336] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
|
||||
[ 157.224339] pciehp 0000:00:05.0:pcie004: pciehp_green_led_blink: SLOTCTRL a8 write cmd 200
|
||||
[ 159.739294] pci 0000:06:00.0 id reading try 50 times with interval 20 ms to get ffffffff
|
||||
[ 159.739315] pciehp 0000:00:05.0:pcie004: pciehp_check_link_status: lnk_status = 2011
|
||||
[ 159.739318] pciehp 0000:00:05.0:pcie004: Failed to check link status
|
||||
[ 159.739371] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
|
||||
[ 159.739394] pciehp 0000:00:05.0:pcie004: pciehp_power_off_slot: SLOTCTRL a8 write cmd 400
|
||||
[ 160.771426] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
|
||||
[ 160.771452] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300
|
||||
[ 160.771495] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
|
||||
[ 160.771499] pciehp 0000:00:05.0:pcie004: pciehp_set_attention_status: SLOTCTRL a8 write cmd 40
|
||||
[ 160.771535] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
|
||||
[ 160.771539] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300
|
||||
|
||||
After analyzing the log information, it seems that qemu doesn't
|
||||
change the Link Status from active to inactive after hot-unplug.
|
||||
This results in the abnormal log after the linux kernel commit
|
||||
d331710ea78fea merged.
|
||||
|
||||
Furthermore, If I hotplug the same virtio-blk disk after hot-unplug,
|
||||
the virtio-blk would turn on and then back off.
|
||||
|
||||
So this patch set the Link Status inactive after hot-unplug and
|
||||
active after hot-plug.
|
||||
|
||||
Signed-off-by: Zheng Xiang <zhengxiang9@huawei.com>
|
||||
Signed-off-by: Zheng Xiang <xiang.zheng@linaro.org>
|
||||
Cc: Wang Haibin <wanghaibin.wang@huawei.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
(cherry picked from commit 2f2b18f60bf17453b4c01197a9316615a3c1f1de)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/pci/pcie.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
|
||||
index 6c91bd44a0..66b73b87c8 100644
|
||||
--- a/hw/pci/pcie.c
|
||||
+++ b/hw/pci/pcie.c
|
||||
@@ -345,6 +345,10 @@ void pcie_cap_slot_hotplug_cb(HotplugHandler *hotplug_dev, DeviceState *dev,
|
||||
if (!dev->hotplugged) {
|
||||
pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
|
||||
PCI_EXP_SLTSTA_PDS);
|
||||
+ if (pci_dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) {
|
||||
+ pci_word_test_and_set_mask(exp_cap + PCI_EXP_LNKSTA,
|
||||
+ PCI_EXP_LNKSTA_DLLLA);
|
||||
+ }
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -355,6 +359,10 @@ void pcie_cap_slot_hotplug_cb(HotplugHandler *hotplug_dev, DeviceState *dev,
|
||||
if (pci_get_function_0(pci_dev)) {
|
||||
pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
|
||||
PCI_EXP_SLTSTA_PDS);
|
||||
+ if (pci_dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) {
|
||||
+ pci_word_test_and_set_mask(exp_cap + PCI_EXP_LNKSTA,
|
||||
+ PCI_EXP_LNKSTA_DLLLA);
|
||||
+ }
|
||||
pcie_cap_slot_event(PCI_DEVICE(hotplug_dev),
|
||||
PCI_EXP_HP_EV_PDC | PCI_EXP_HP_EV_ABP);
|
||||
}
|
||||
@@ -531,6 +539,10 @@ void pcie_cap_slot_write_config(PCIDevice *dev,
|
||||
|
||||
pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA,
|
||||
PCI_EXP_SLTSTA_PDS);
|
||||
+ if (dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) {
|
||||
+ pci_word_test_and_clear_mask(exp_cap + PCI_EXP_LNKSTA,
|
||||
+ PCI_EXP_LNKSTA_DLLLA);
|
||||
+ }
|
||||
pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA,
|
||||
PCI_EXP_SLTSTA_PDC);
|
||||
}
|
30
0044-pc-piix4-Update-smbus-I-O-space-aft.patch
Normal file
30
0044-pc-piix4-Update-smbus-I-O-space-aft.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From: Corey Minyard <cminyard@mvista.com>
|
||||
Date: Mon, 26 Nov 2018 12:28:44 -0600
|
||||
Subject: pc:piix4: Update smbus I/O space after a migration
|
||||
|
||||
Otherwise it won't be set up correctly and won't work after
|
||||
miigration.
|
||||
|
||||
Signed-off-by: Corey Minyard <cminyard@mvista.com>
|
||||
Cc: Igor Mammedov <imammedo@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
(cherry picked from commit 2b4e573c7c7b9a698ba6931ba456bbd8d3d8c84c)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/acpi/piix4.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
|
||||
index b0bd10b3f9..fb3620e6c0 100644
|
||||
--- a/hw/acpi/piix4.c
|
||||
+++ b/hw/acpi/piix4.c
|
||||
@@ -173,6 +173,7 @@ static int vmstate_acpi_post_load(void *opaque, int version_id)
|
||||
PIIX4PMState *s = opaque;
|
||||
|
||||
pm_io_space_update(s);
|
||||
+ smbus_io_space_update(s);
|
||||
return 0;
|
||||
}
|
||||
|
54
0045-hw-usb-fix-mistaken-de-initializati.patch
Normal file
54
0045-hw-usb-fix-mistaken-de-initializati.patch
Normal file
@ -0,0 +1,54 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 9 Jan 2019 11:07:15 -0700
|
||||
Subject: hw/usb: fix mistaken de-initialization of CCID state
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
From: Daniel P. Berrangé <berrange@redhat.com>
|
||||
|
||||
In previous commit:
|
||||
|
||||
commit 7dea29e4af17fc1d27478de9f8ea38144deac54a
|
||||
Author: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Fri Oct 19 03:50:36 2018 -0700
|
||||
|
||||
hw: ccid-card-emulated: cleanup resource when realize in error path
|
||||
|
||||
The emulated_realize method was changed so that it jumps to a cleanup
|
||||
label to de-initialize state upon error. This change failed to ensure
|
||||
the success path exited the method before this point though. So the
|
||||
mutexes are always destroyed even in normal operation. The result is
|
||||
as crashtastic as expected:
|
||||
|
||||
$ qemu-system-x86_64 -usb -device usb-ccid,id=ccid0 -device ccid-card-emulated,backend=nss-emulated,id=smartcard0,bus=ccid0.0
|
||||
qemu-system-x86_64: util/qemu-thread-posix.c:64: qemu_mutex_lock_impl: Assertion `mutex->initialized' failed.
|
||||
Aborted (core dumped)
|
||||
|
||||
Fixes: 7dea29e4af1
|
||||
Reported-by: Michael Tokarev <mjt@tls.msk.ru>
|
||||
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
|
||||
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
Message-id: 20181221134115.27973-1-berrange@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 3fd2092fd11b9e4220a08eca0663cc59178a6c3f)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/usb/ccid-card-emulated.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/hw/usb/ccid-card-emulated.c b/hw/usb/ccid-card-emulated.c
|
||||
index 25976ed84f..e0457d305b 100644
|
||||
--- a/hw/usb/ccid-card-emulated.c
|
||||
+++ b/hw/usb/ccid-card-emulated.c
|
||||
@@ -549,6 +549,8 @@ static void emulated_realize(CCIDCardState *base, Error **errp)
|
||||
qemu_thread_create(&card->apdu_thread_id, "ccid/apdu", handle_apdu_thread,
|
||||
card, QEMU_THREAD_JOINABLE);
|
||||
|
||||
+ return;
|
||||
+
|
||||
out2:
|
||||
clean_event_notifier(card);
|
||||
out1:
|
79
0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
Normal file
79
0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
Normal file
@ -0,0 +1,79 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Thu, 13 Dec 2018 13:25:11 +0100
|
||||
Subject: usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
|
||||
|
||||
Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
|
||||
While being at it also add O_CLOEXEC.
|
||||
|
||||
usb-mtp only handles regular files and directories and ignores
|
||||
everything else, so users should not see a difference.
|
||||
|
||||
Because qemu ignores symlinks, carrying out a successful symlink attack
|
||||
requires swapping an existing file or directory below rootdir for a
|
||||
symlink and winning the race against the inotify notification to qemu.
|
||||
|
||||
Fixes: CVE-2018-16872
|
||||
Cc: Prasad J Pandit <ppandit@redhat.com>
|
||||
Cc: Bandan Das <bsd@redhat.com>
|
||||
Reported-by: Michael Hanselmann <public@hansmi.ch>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
|
||||
Message-id: 20181213122511.13853-1-kraxel@redhat.com
|
||||
(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1)
|
||||
[BR: BSC#1119493]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/usb/dev-mtp.c | 13 +++++++++----
|
||||
1 file changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
|
||||
index 100b7171f4..36c43b8c20 100644
|
||||
--- a/hw/usb/dev-mtp.c
|
||||
+++ b/hw/usb/dev-mtp.c
|
||||
@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
|
||||
{
|
||||
struct dirent *entry;
|
||||
DIR *dir;
|
||||
+ int fd;
|
||||
|
||||
if (o->have_children) {
|
||||
return;
|
||||
}
|
||||
o->have_children = true;
|
||||
|
||||
- dir = opendir(o->path);
|
||||
+ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
|
||||
+ if (fd < 0) {
|
||||
+ return;
|
||||
+ }
|
||||
+ dir = fdopendir(fd);
|
||||
if (!dir) {
|
||||
return;
|
||||
}
|
||||
@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
|
||||
|
||||
trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
|
||||
|
||||
- d->fd = open(o->path, O_RDONLY);
|
||||
+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
|
||||
if (d->fd == -1) {
|
||||
usb_mtp_data_free(d);
|
||||
return NULL;
|
||||
@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
|
||||
c->argv[1], c->argv[2]);
|
||||
|
||||
d = usb_mtp_data_alloc(c);
|
||||
- d->fd = open(o->path, O_RDONLY);
|
||||
+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
|
||||
if (d->fd == -1) {
|
||||
usb_mtp_data_free(d);
|
||||
return NULL;
|
||||
@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s)
|
||||
0, 0, 0, 0);
|
||||
goto done;
|
||||
}
|
||||
- d->fd = open(path, O_CREAT | O_WRONLY, mask);
|
||||
+ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
|
||||
if (d->fd == -1) {
|
||||
usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
|
||||
0, 0, 0, 0);
|
41
0047-pvrdma-release-device-resources-in-.patch
Normal file
41
0047-pvrdma-release-device-resources-in-.patch
Normal file
@ -0,0 +1,41 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 12 Dec 2018 23:28:17 +0530
|
||||
Subject: pvrdma: release device resources in case of an error
|
||||
|
||||
If during pvrdma device initialisation an error occurs,
|
||||
pvrdma_realize() does not release memory resources, leading
|
||||
to memory leakage.
|
||||
|
||||
Reported-by: Li Qiang <liq3ea@163.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <20181212175817.815-1-ppandit@redhat.com>
|
||||
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
|
||||
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
||||
(cherry picked from commit cce648613bc802be1b894227f7fd94d88476ea07)
|
||||
[BR: BSC#1119437]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/rdma/vmw/pvrdma_main.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
|
||||
index ca5fa8d981..34d8cc4694 100644
|
||||
--- a/hw/rdma/vmw/pvrdma_main.c
|
||||
+++ b/hw/rdma/vmw/pvrdma_main.c
|
||||
@@ -572,7 +572,7 @@ static int pvrdma_check_ram_shared(Object *obj, void *opaque)
|
||||
|
||||
static void pvrdma_realize(PCIDevice *pdev, Error **errp)
|
||||
{
|
||||
- int rc;
|
||||
+ int rc = 0;
|
||||
PVRDMADev *dev = PVRDMA_DEV(pdev);
|
||||
Object *memdev_root;
|
||||
bool ram_shared = false;
|
||||
@@ -632,6 +632,7 @@ static void pvrdma_realize(PCIDevice *pdev, Error **errp)
|
||||
|
||||
out:
|
||||
if (rc) {
|
||||
+ pvrdma_fini(pdev);
|
||||
error_append_hint(errp, "Device fail to load\n");
|
||||
}
|
||||
}
|
46
0048-rdma-check-num_sge-does-not-exceed-.patch
Normal file
46
0048-rdma-check-num_sge-does-not-exceed-.patch
Normal file
@ -0,0 +1,46 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 13 Dec 2018 01:00:34 +0530
|
||||
Subject: rdma: check num_sge does not exceed MAX_SGE
|
||||
|
||||
rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
|
||||
to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
|
||||
with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported-by: Saar Amar <saaramar5@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
|
||||
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
||||
(cherry picked from commit 0e68373cc2b3a063ce067bc0cc3edaf370752890)
|
||||
[BR: BSC#1119840, modified complete_work() calls to be comp_handler()]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/rdma/rdma_backend.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
|
||||
index d7a4bbd91f..0b3b98a94c 100644
|
||||
--- a/hw/rdma/rdma_backend.c
|
||||
+++ b/hw/rdma/rdma_backend.c
|
||||
@@ -311,8 +311,8 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev,
|
||||
}
|
||||
|
||||
pr_dbg("num_sge=%d\n", num_sge);
|
||||
- if (!num_sge) {
|
||||
- pr_dbg("num_sge=0\n");
|
||||
+ if (!num_sge || num_sge > MAX_SGE) {
|
||||
+ pr_dbg("invalid num_sge=%d\n", num_sge);
|
||||
comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
|
||||
return;
|
||||
}
|
||||
@@ -390,8 +390,8 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev,
|
||||
}
|
||||
|
||||
pr_dbg("num_sge=%d\n", num_sge);
|
||||
- if (!num_sge) {
|
||||
- pr_dbg("num_sge=0\n");
|
||||
+ if (!num_sge || num_sge > MAX_SGE) {
|
||||
+ pr_dbg("invalid num_sge=%d\n", num_sge);
|
||||
comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
|
||||
return;
|
||||
}
|
41
0049-pvrdma-add-uar_read-routine.patch
Normal file
41
0049-pvrdma-add-uar_read-routine.patch
Normal file
@ -0,0 +1,41 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 13 Dec 2018 01:00:35 +0530
|
||||
Subject: pvrdma: add uar_read routine
|
||||
|
||||
Define skeleton 'uar_read' routine. Avoid NULL dereference.
|
||||
|
||||
Reported-by: Li Qiang <liq3ea@163.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
||||
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
||||
(cherry picked from commit 2aa86456fb938a11f2b7bd57c8643c213218681c)
|
||||
[BR: BSC#1119979 CVE-2018-20191]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/rdma/vmw/pvrdma_main.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
|
||||
index 34d8cc4694..c9d9631769 100644
|
||||
--- a/hw/rdma/vmw/pvrdma_main.c
|
||||
+++ b/hw/rdma/vmw/pvrdma_main.c
|
||||
@@ -455,6 +455,11 @@ static const MemoryRegionOps regs_ops = {
|
||||
},
|
||||
};
|
||||
|
||||
+static uint64_t uar_read(void *opaque, hwaddr addr, unsigned size)
|
||||
+{
|
||||
+ return 0xffffffff;
|
||||
+}
|
||||
+
|
||||
static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
|
||||
{
|
||||
PVRDMADev *dev = opaque;
|
||||
@@ -496,6 +501,7 @@ static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
|
||||
}
|
||||
|
||||
static const MemoryRegionOps uar_ops = {
|
||||
+ .read = uar_read,
|
||||
.write = uar_write,
|
||||
.endianness = DEVICE_LITTLE_ENDIAN,
|
||||
.impl = {
|
48
0050-pvrdma-check-number-of-pages-when-c.patch
Normal file
48
0050-pvrdma-check-number-of-pages-when-c.patch
Normal file
@ -0,0 +1,48 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 13 Dec 2018 01:00:36 +0530
|
||||
Subject: pvrdma: check number of pages when creating rings
|
||||
|
||||
When creating CQ/QP rings, an object can have up to
|
||||
PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter
|
||||
to avoid excessive memory allocation or a null dereference.
|
||||
|
||||
Reported-by: Li Qiang <liq3ea@163.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
|
||||
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
||||
(cherry picked from commit 2c858ce5da8ae6689c75182b73bc455a291cad41)
|
||||
[BR: BSC#1119989 CVE-2018-20125]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
|
||||
index 4faeb21631..ce2514aacb 100644
|
||||
--- a/hw/rdma/vmw/pvrdma_cmd.c
|
||||
+++ b/hw/rdma/vmw/pvrdma_cmd.c
|
||||
@@ -261,6 +261,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring,
|
||||
int rc = -EINVAL;
|
||||
char ring_name[MAX_RING_NAME_SZ];
|
||||
|
||||
+ if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) {
|
||||
+ pr_dbg("invalid nchunks: %d\n", nchunks);
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
|
||||
dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
|
||||
if (!dir) {
|
||||
@@ -377,6 +382,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma,
|
||||
char ring_name[MAX_RING_NAME_SZ];
|
||||
uint32_t wqe_sz;
|
||||
|
||||
+ if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES
|
||||
+ || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) {
|
||||
+ pr_dbg("invalid pages: %d, %d\n", spages, rpages);
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
|
||||
dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
|
||||
if (!dir) {
|
79
0051-pvrdma-check-return-value-from-pvrd.patch
Normal file
79
0051-pvrdma-check-return-value-from-pvrd.patch
Normal file
@ -0,0 +1,79 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 13 Dec 2018 01:00:39 +0530
|
||||
Subject: pvrdma: check return value from pvrdma_idx_ring_has_ routines
|
||||
|
||||
pvrdma_idx_ring_has_[data/space] routines also return invalid
|
||||
index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check
|
||||
return value from these routines to avoid plausible infinite loops.
|
||||
|
||||
Reported-by: Li Qiang <liq3ea@163.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
|
||||
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
||||
(cherry picked from commit f1e2e38ee0136b7710a2caa347049818afd57a1b)
|
||||
[BR: BSC#1119984 CVE-2018-20216]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/rdma/vmw/pvrdma_dev_ring.c | 29 +++++++++++------------------
|
||||
1 file changed, 11 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
|
||||
index 01247fc041..e8e5b502f6 100644
|
||||
--- a/hw/rdma/vmw/pvrdma_dev_ring.c
|
||||
+++ b/hw/rdma/vmw/pvrdma_dev_ring.c
|
||||
@@ -73,23 +73,16 @@ out:
|
||||
|
||||
void *pvrdma_ring_next_elem_read(PvrdmaRing *ring)
|
||||
{
|
||||
+ int e;
|
||||
unsigned int idx = 0, offset;
|
||||
|
||||
- /*
|
||||
- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
|
||||
- ring->ring_state->cons_head);
|
||||
- */
|
||||
-
|
||||
- if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) {
|
||||
+ e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx);
|
||||
+ if (e <= 0) {
|
||||
pr_dbg("No more data in ring\n");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
offset = idx * ring->elem_sz;
|
||||
- /*
|
||||
- pr_dbg("idx=%d\n", idx);
|
||||
- pr_dbg("offset=%d\n", offset);
|
||||
- */
|
||||
return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
|
||||
}
|
||||
|
||||
@@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring)
|
||||
|
||||
void *pvrdma_ring_next_elem_write(PvrdmaRing *ring)
|
||||
{
|
||||
- unsigned int idx, offset, tail;
|
||||
+ int idx;
|
||||
+ unsigned int offset, tail;
|
||||
|
||||
- /*
|
||||
- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
|
||||
- ring->ring_state->cons_head);
|
||||
- */
|
||||
-
|
||||
- if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) {
|
||||
+ idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail);
|
||||
+ if (idx <= 0) {
|
||||
pr_dbg("CQ is full\n");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems);
|
||||
- /* TODO: tail == idx */
|
||||
+ if (idx < 0 || tail != idx) {
|
||||
+ pr_dbg("invalid idx\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
|
||||
offset = idx * ring->elem_sz;
|
||||
return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
|
103
0052-pvrdma-release-ring-object-in-case-.patch
Normal file
103
0052-pvrdma-release-ring-object-in-case-.patch
Normal file
@ -0,0 +1,103 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 13 Dec 2018 01:00:37 +0530
|
||||
Subject: pvrdma: release ring object in case of an error
|
||||
|
||||
create_cq and create_qp routines allocate ring object, but it's
|
||||
not released in case of an error, leading to memory leakage.
|
||||
|
||||
Reported-by: Li Qiang <liq3ea@163.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
|
||||
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
|
||||
(cherry picked from commit 509f57c98e7536905bb4902363d0cba66ce7e089)
|
||||
[BR: BSC#1119991 CVE-2018-20126]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/rdma/vmw/pvrdma_cmd.c | 39 ++++++++++++++++++++++++++++-----------
|
||||
1 file changed, 28 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
|
||||
index ce2514aacb..51da4a1c40 100644
|
||||
--- a/hw/rdma/vmw/pvrdma_cmd.c
|
||||
+++ b/hw/rdma/vmw/pvrdma_cmd.c
|
||||
@@ -315,6 +315,14 @@ out:
|
||||
return rc;
|
||||
}
|
||||
|
||||
+static void destroy_cq_ring(PvrdmaRing *ring)
|
||||
+{
|
||||
+ pvrdma_ring_free(ring);
|
||||
+ /* ring_state was in slot 1, not 0 so need to jump back */
|
||||
+ rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
|
||||
+ g_free(ring);
|
||||
+}
|
||||
+
|
||||
static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
|
||||
union pvrdma_cmd_resp *rsp)
|
||||
{
|
||||
@@ -338,6 +346,9 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
|
||||
|
||||
resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
|
||||
cmd->cqe, &resp->cq_handle, ring);
|
||||
+ if (resp->hdr.err) {
|
||||
+ destroy_cq_ring(ring);
|
||||
+ }
|
||||
resp->cqe = cmd->cqe;
|
||||
|
||||
out:
|
||||
@@ -361,10 +372,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
|
||||
}
|
||||
|
||||
ring = (PvrdmaRing *)cq->opaque;
|
||||
- pvrdma_ring_free(ring);
|
||||
- /* ring_state was in slot 1, not 0 so need to jump back */
|
||||
- rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
|
||||
- g_free(ring);
|
||||
+ destroy_cq_ring(ring);
|
||||
|
||||
rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
|
||||
|
||||
@@ -462,6 +470,17 @@ out:
|
||||
return rc;
|
||||
}
|
||||
|
||||
+static void destroy_qp_rings(PvrdmaRing *ring)
|
||||
+{
|
||||
+ pr_dbg("sring=%p\n", &ring[0]);
|
||||
+ pvrdma_ring_free(&ring[0]);
|
||||
+ pr_dbg("rring=%p\n", &ring[1]);
|
||||
+ pvrdma_ring_free(&ring[1]);
|
||||
+
|
||||
+ rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
|
||||
+ g_free(ring);
|
||||
+}
|
||||
+
|
||||
static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
|
||||
union pvrdma_cmd_resp *rsp)
|
||||
{
|
||||
@@ -492,6 +511,10 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
|
||||
cmd->max_send_sge, cmd->send_cq_handle,
|
||||
cmd->max_recv_wr, cmd->max_recv_sge,
|
||||
cmd->recv_cq_handle, rings, &resp->qpn);
|
||||
+ if (resp->hdr.err) {
|
||||
+ destroy_qp_rings(rings);
|
||||
+ return resp->hdr.err;
|
||||
+ }
|
||||
|
||||
resp->max_send_wr = cmd->max_send_wr;
|
||||
resp->max_recv_wr = cmd->max_recv_wr;
|
||||
@@ -566,13 +589,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
|
||||
rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
|
||||
|
||||
ring = (PvrdmaRing *)qp->opaque;
|
||||
- pr_dbg("sring=%p\n", &ring[0]);
|
||||
- pvrdma_ring_free(&ring[0]);
|
||||
- pr_dbg("rring=%p\n", &ring[1]);
|
||||
- pvrdma_ring_free(&ring[1]);
|
||||
-
|
||||
- rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
|
||||
- g_free(ring);
|
||||
+ destroy_qp_rings(ring);
|
||||
|
||||
return 0;
|
||||
}
|
637
0053-block-Fix-hangs-in-synchronous-APIs.patch
Normal file
637
0053-block-Fix-hangs-in-synchronous-APIs.patch
Normal file
@ -0,0 +1,637 @@
|
||||
From: Kevin Wolf <kwolf@redhat.com>
|
||||
Date: Wed, 9 Jan 2019 11:10:07 -0700
|
||||
Subject: block: Fix hangs in synchronous APIs with iothreads
|
||||
|
||||
In the block layer, synchronous APIs are often implemented by creating a
|
||||
coroutine that calls the asynchronous coroutine-based implementation and
|
||||
then waiting for completion with BDRV_POLL_WHILE().
|
||||
|
||||
For this to work with iothreads (more specifically, when the synchronous
|
||||
API is called in a thread that is not the home thread of the block
|
||||
device, so that the coroutine will run in a different thread), we must
|
||||
make sure to call aio_wait_kick() at the end of the operation. Many
|
||||
places are missing this, so that BDRV_POLL_WHILE() keeps hanging even if
|
||||
the condition has long become false.
|
||||
|
||||
Note that bdrv_dec_in_flight() involves an aio_wait_kick() call. This
|
||||
corresponds to the BDRV_POLL_WHILE() in the drain functions, but it is
|
||||
generally not enough for most other operations because they haven't set
|
||||
the return value in the coroutine entry stub yet. To avoid race
|
||||
conditions there, we need to kick after setting the return value.
|
||||
|
||||
The race window is small enough that the problem doesn't usually surface
|
||||
in the common path. However, it does surface and causes easily
|
||||
reproducible hangs if the operation can return early before even calling
|
||||
bdrv_inc/dec_in_flight, which many of them do (trivial error or no-op
|
||||
success paths).
|
||||
|
||||
The bug in bdrv_truncate(), bdrv_check() and bdrv_invalidate_cache() is
|
||||
slightly different: These functions even neglected to schedule the
|
||||
coroutine in the home thread of the node. This avoids the hang, but is
|
||||
obviously wrong, too. Fix those to schedule the coroutine in the right
|
||||
AioContext in addition to adding aio_wait_kick() calls.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
block.c | 6 +-
|
||||
block/block-backend.c | 5 +
|
||||
block/io.c | 8 +-
|
||||
block/nbd-client.c | 1 +
|
||||
block/nvme.c | 1 +
|
||||
block/qcow2.c | 1 +
|
||||
block/qed.c | 1 +
|
||||
tests/Makefile.include | 2 +
|
||||
tests/test-block-iothread.c | 372 ++++++++++++++++++++++++++++++++++++
|
||||
9 files changed, 394 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/block.c b/block.c
|
||||
index 811239ca23..79d48d7d78 100644
|
||||
--- a/block.c
|
||||
+++ b/block.c
|
||||
@@ -3736,6 +3736,7 @@ static void bdrv_check_co_entry(void *opaque)
|
||||
{
|
||||
CheckCo *cco = opaque;
|
||||
cco->ret = bdrv_co_check(cco->bs, cco->res, cco->fix);
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
int bdrv_check(BlockDriverState *bs,
|
||||
@@ -3754,7 +3755,7 @@ int bdrv_check(BlockDriverState *bs,
|
||||
bdrv_check_co_entry(&cco);
|
||||
} else {
|
||||
co = qemu_coroutine_create(bdrv_check_co_entry, &cco);
|
||||
- qemu_coroutine_enter(co);
|
||||
+ bdrv_coroutine_enter(bs, co);
|
||||
BDRV_POLL_WHILE(bs, cco.ret == -EINPROGRESS);
|
||||
}
|
||||
|
||||
@@ -4571,6 +4572,7 @@ static void coroutine_fn bdrv_invalidate_cache_co_entry(void *opaque)
|
||||
InvalidateCacheCo *ico = opaque;
|
||||
bdrv_co_invalidate_cache(ico->bs, ico->errp);
|
||||
ico->done = true;
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
void bdrv_invalidate_cache(BlockDriverState *bs, Error **errp)
|
||||
@@ -4587,7 +4589,7 @@ void bdrv_invalidate_cache(BlockDriverState *bs, Error **errp)
|
||||
bdrv_invalidate_cache_co_entry(&ico);
|
||||
} else {
|
||||
co = qemu_coroutine_create(bdrv_invalidate_cache_co_entry, &ico);
|
||||
- qemu_coroutine_enter(co);
|
||||
+ bdrv_coroutine_enter(bs, co);
|
||||
BDRV_POLL_WHILE(bs, !ico.done);
|
||||
}
|
||||
}
|
||||
diff --git a/block/block-backend.c b/block/block-backend.c
|
||||
index 1d41622942..35e3edb861 100644
|
||||
--- a/block/block-backend.c
|
||||
+++ b/block/block-backend.c
|
||||
@@ -1223,6 +1223,7 @@ static void blk_read_entry(void *opaque)
|
||||
|
||||
rwco->ret = blk_co_preadv(rwco->blk, rwco->offset, qiov->size,
|
||||
qiov, rwco->flags);
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
static void blk_write_entry(void *opaque)
|
||||
@@ -1232,6 +1233,7 @@ static void blk_write_entry(void *opaque)
|
||||
|
||||
rwco->ret = blk_co_pwritev(rwco->blk, rwco->offset, qiov->size,
|
||||
qiov, rwco->flags);
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
static int blk_prw(BlockBackend *blk, int64_t offset, uint8_t *buf,
|
||||
@@ -1543,6 +1545,7 @@ static void blk_ioctl_entry(void *opaque)
|
||||
|
||||
rwco->ret = blk_co_ioctl(rwco->blk, rwco->offset,
|
||||
qiov->iov[0].iov_base);
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
int blk_ioctl(BlockBackend *blk, unsigned long int req, void *buf)
|
||||
@@ -1589,6 +1592,7 @@ static void blk_flush_entry(void *opaque)
|
||||
{
|
||||
BlkRwCo *rwco = opaque;
|
||||
rwco->ret = blk_co_flush(rwco->blk);
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
int blk_flush(BlockBackend *blk)
|
||||
@@ -2028,6 +2032,7 @@ static void blk_pdiscard_entry(void *opaque)
|
||||
QEMUIOVector *qiov = rwco->iobuf;
|
||||
|
||||
rwco->ret = blk_co_pdiscard(rwco->blk, rwco->offset, qiov->size);
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
int blk_pdiscard(BlockBackend *blk, int64_t offset, int bytes)
|
||||
diff --git a/block/io.c b/block/io.c
|
||||
index bd9d688f8b..213ca03d8d 100644
|
||||
--- a/block/io.c
|
||||
+++ b/block/io.c
|
||||
@@ -806,6 +806,7 @@ static void coroutine_fn bdrv_rw_co_entry(void *opaque)
|
||||
rwco->qiov->size, rwco->qiov,
|
||||
rwco->flags);
|
||||
}
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -2279,6 +2280,7 @@ static void coroutine_fn bdrv_block_status_above_co_entry(void *opaque)
|
||||
data->offset, data->bytes,
|
||||
data->pnum, data->map, data->file);
|
||||
data->done = true;
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -2438,6 +2440,7 @@ static void coroutine_fn bdrv_co_rw_vmstate_entry(void *opaque)
|
||||
{
|
||||
BdrvVmstateCo *co = opaque;
|
||||
co->ret = bdrv_co_rw_vmstate(co->bs, co->qiov, co->pos, co->is_read);
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
static inline int
|
||||
@@ -2559,6 +2562,7 @@ static void coroutine_fn bdrv_flush_co_entry(void *opaque)
|
||||
FlushCo *rwco = opaque;
|
||||
|
||||
rwco->ret = bdrv_co_flush(rwco->bs);
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
int coroutine_fn bdrv_co_flush(BlockDriverState *bs)
|
||||
@@ -2704,6 +2708,7 @@ static void coroutine_fn bdrv_pdiscard_co_entry(void *opaque)
|
||||
DiscardCo *rwco = opaque;
|
||||
|
||||
rwco->ret = bdrv_co_pdiscard(rwco->child, rwco->offset, rwco->bytes);
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
int coroutine_fn bdrv_co_pdiscard(BdrvChild *child, int64_t offset, int bytes)
|
||||
@@ -3217,6 +3222,7 @@ static void coroutine_fn bdrv_truncate_co_entry(void *opaque)
|
||||
TruncateCo *tco = opaque;
|
||||
tco->ret = bdrv_co_truncate(tco->child, tco->offset, tco->prealloc,
|
||||
tco->errp);
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
int bdrv_truncate(BdrvChild *child, int64_t offset, PreallocMode prealloc,
|
||||
@@ -3236,7 +3242,7 @@ int bdrv_truncate(BdrvChild *child, int64_t offset, PreallocMode prealloc,
|
||||
bdrv_truncate_co_entry(&tco);
|
||||
} else {
|
||||
co = qemu_coroutine_create(bdrv_truncate_co_entry, &tco);
|
||||
- qemu_coroutine_enter(co);
|
||||
+ bdrv_coroutine_enter(child->bs, co);
|
||||
BDRV_POLL_WHILE(child->bs, tco.ret == NOT_DONE);
|
||||
}
|
||||
|
||||
diff --git a/block/nbd-client.c b/block/nbd-client.c
|
||||
index fc5b7eda8e..a6b5605c0b 100644
|
||||
--- a/block/nbd-client.c
|
||||
+++ b/block/nbd-client.c
|
||||
@@ -116,6 +116,7 @@ static coroutine_fn void nbd_read_reply_entry(void *opaque)
|
||||
s->quit = true;
|
||||
nbd_recv_coroutines_wake_all(s);
|
||||
s->read_reply_co = NULL;
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
static int nbd_co_send_request(BlockDriverState *bs,
|
||||
diff --git a/block/nvme.c b/block/nvme.c
|
||||
index 29294038fc..36779fdd3d 100644
|
||||
--- a/block/nvme.c
|
||||
+++ b/block/nvme.c
|
||||
@@ -390,6 +390,7 @@ static void nvme_cmd_sync_cb(void *opaque, int ret)
|
||||
{
|
||||
int *pret = opaque;
|
||||
*pret = ret;
|
||||
+ aio_wait_kick();
|
||||
}
|
||||
|
||||
static int nvme_cmd_sync(BlockDriverState *bs, NVMeQueuePair *q,
|
||||
diff --git a/block/qcow2.c b/block/qcow2.c
|
||||
index 991d6ac91b..9334414513 100644
|
||||
--- a/block/qcow2.c
|
||||
+++ b/block/qcow2.c
|
||||
@@ -1665,6 +1665,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
|
||||
/* From bdrv_co_create. */
|
||||
qcow2_open_entry(&qoc);
|
||||
} else {
|
||||
+ assert(qemu_get_current_aio_context() == qemu_get_aio_context());
|
||||
qemu_coroutine_enter(qemu_coroutine_create(qcow2_open_entry, &qoc));
|
||||
BDRV_POLL_WHILE(bs, qoc.ret == -EINPROGRESS);
|
||||
}
|
||||
diff --git a/block/qed.c b/block/qed.c
|
||||
index 9377c0b7ad..1280870024 100644
|
||||
--- a/block/qed.c
|
||||
+++ b/block/qed.c
|
||||
@@ -559,6 +559,7 @@ static int bdrv_qed_open(BlockDriverState *bs, QDict *options, int flags,
|
||||
if (qemu_in_coroutine()) {
|
||||
bdrv_qed_open_entry(&qoc);
|
||||
} else {
|
||||
+ assert(qemu_get_current_aio_context() == qemu_get_aio_context());
|
||||
qemu_coroutine_enter(qemu_coroutine_create(bdrv_qed_open_entry, &qoc));
|
||||
BDRV_POLL_WHILE(bs, qoc.ret == -EINPROGRESS);
|
||||
}
|
||||
diff --git a/tests/Makefile.include b/tests/Makefile.include
|
||||
index d6f67eed85..5682e41384 100644
|
||||
--- a/tests/Makefile.include
|
||||
+++ b/tests/Makefile.include
|
||||
@@ -70,6 +70,7 @@ check-unit-y += tests/test-bdrv-drain$(EXESUF)
|
||||
check-unit-y += tests/test-blockjob$(EXESUF)
|
||||
check-unit-y += tests/test-blockjob-txn$(EXESUF)
|
||||
check-unit-y += tests/test-block-backend$(EXESUF)
|
||||
+check-unit-y += tests/test-block-iothread$(EXESUF)
|
||||
check-unit-y += tests/test-image-locking$(EXESUF)
|
||||
check-unit-y += tests/test-x86-cpuid$(EXESUF)
|
||||
# all code tested by test-x86-cpuid is inside topology.h
|
||||
@@ -541,6 +542,7 @@ tests/test-bdrv-drain$(EXESUF): tests/test-bdrv-drain.o $(test-block-obj-y) $(te
|
||||
tests/test-blockjob$(EXESUF): tests/test-blockjob.o $(test-block-obj-y) $(test-util-obj-y)
|
||||
tests/test-blockjob-txn$(EXESUF): tests/test-blockjob-txn.o $(test-block-obj-y) $(test-util-obj-y)
|
||||
tests/test-block-backend$(EXESUF): tests/test-block-backend.o $(test-block-obj-y) $(test-util-obj-y)
|
||||
+tests/test-block-iothread$(EXESUF): tests/test-block-iothread.o $(test-block-obj-y) $(test-util-obj-y)
|
||||
tests/test-image-locking$(EXESUF): tests/test-image-locking.o $(test-block-obj-y) $(test-util-obj-y)
|
||||
tests/test-thread-pool$(EXESUF): tests/test-thread-pool.o $(test-block-obj-y)
|
||||
tests/test-iov$(EXESUF): tests/test-iov.o $(test-util-obj-y)
|
||||
diff --git a/tests/test-block-iothread.c b/tests/test-block-iothread.c
|
||||
new file mode 100644
|
||||
index 0000000000..97ac0b159d
|
||||
--- /dev/null
|
||||
+++ b/tests/test-block-iothread.c
|
||||
@@ -0,0 +1,372 @@
|
||||
+/*
|
||||
+ * Block tests for iothreads
|
||||
+ *
|
||||
+ * Copyright (c) 2018 Kevin Wolf <kwolf@redhat.com>
|
||||
+ *
|
||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+ * of this software and associated documentation files (the "Software"), to deal
|
||||
+ * in the Software without restriction, including without limitation the rights
|
||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+ * copies of the Software, and to permit persons to whom the Software is
|
||||
+ * furnished to do so, subject to the following conditions:
|
||||
+ *
|
||||
+ * The above copyright notice and this permission notice shall be included in
|
||||
+ * all copies or substantial portions of the Software.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
||||
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
+ * THE SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+#include "qemu/osdep.h"
|
||||
+#include "block/block.h"
|
||||
+#include "block/blockjob_int.h"
|
||||
+#include "sysemu/block-backend.h"
|
||||
+#include "qapi/error.h"
|
||||
+#include "iothread.h"
|
||||
+
|
||||
+static int coroutine_fn bdrv_test_co_prwv(BlockDriverState *bs,
|
||||
+ uint64_t offset, uint64_t bytes,
|
||||
+ QEMUIOVector *qiov, int flags)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int coroutine_fn bdrv_test_co_pdiscard(BlockDriverState *bs,
|
||||
+ int64_t offset, int bytes)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int coroutine_fn
|
||||
+bdrv_test_co_truncate(BlockDriverState *bs, int64_t offset,
|
||||
+ PreallocMode prealloc, Error **errp)
|
||||
+{
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int coroutine_fn bdrv_test_co_block_status(BlockDriverState *bs,
|
||||
+ bool want_zero,
|
||||
+ int64_t offset, int64_t count,
|
||||
+ int64_t *pnum, int64_t *map,
|
||||
+ BlockDriverState **file)
|
||||
+{
|
||||
+ *pnum = count;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static BlockDriver bdrv_test = {
|
||||
+ .format_name = "test",
|
||||
+ .instance_size = 1,
|
||||
+
|
||||
+ .bdrv_co_preadv = bdrv_test_co_prwv,
|
||||
+ .bdrv_co_pwritev = bdrv_test_co_prwv,
|
||||
+ .bdrv_co_pdiscard = bdrv_test_co_pdiscard,
|
||||
+ .bdrv_co_truncate = bdrv_test_co_truncate,
|
||||
+ .bdrv_co_block_status = bdrv_test_co_block_status,
|
||||
+};
|
||||
+
|
||||
+static void test_sync_op_pread(BdrvChild *c)
|
||||
+{
|
||||
+ uint8_t buf[512];
|
||||
+ int ret;
|
||||
+
|
||||
+ /* Success */
|
||||
+ ret = bdrv_pread(c, 0, buf, sizeof(buf));
|
||||
+ g_assert_cmpint(ret, ==, 512);
|
||||
+
|
||||
+ /* Early error: Negative offset */
|
||||
+ ret = bdrv_pread(c, -2, buf, sizeof(buf));
|
||||
+ g_assert_cmpint(ret, ==, -EIO);
|
||||
+}
|
||||
+
|
||||
+static void test_sync_op_pwrite(BdrvChild *c)
|
||||
+{
|
||||
+ uint8_t buf[512];
|
||||
+ int ret;
|
||||
+
|
||||
+ /* Success */
|
||||
+ ret = bdrv_pwrite(c, 0, buf, sizeof(buf));
|
||||
+ g_assert_cmpint(ret, ==, 512);
|
||||
+
|
||||
+ /* Early error: Negative offset */
|
||||
+ ret = bdrv_pwrite(c, -2, buf, sizeof(buf));
|
||||
+ g_assert_cmpint(ret, ==, -EIO);
|
||||
+}
|
||||
+
|
||||
+static void test_sync_op_blk_pread(BlockBackend *blk)
|
||||
+{
|
||||
+ uint8_t buf[512];
|
||||
+ int ret;
|
||||
+
|
||||
+ /* Success */
|
||||
+ ret = blk_pread(blk, 0, buf, sizeof(buf));
|
||||
+ g_assert_cmpint(ret, ==, 512);
|
||||
+
|
||||
+ /* Early error: Negative offset */
|
||||
+ ret = blk_pread(blk, -2, buf, sizeof(buf));
|
||||
+ g_assert_cmpint(ret, ==, -EIO);
|
||||
+}
|
||||
+
|
||||
+static void test_sync_op_blk_pwrite(BlockBackend *blk)
|
||||
+{
|
||||
+ uint8_t buf[512];
|
||||
+ int ret;
|
||||
+
|
||||
+ /* Success */
|
||||
+ ret = blk_pwrite(blk, 0, buf, sizeof(buf), 0);
|
||||
+ g_assert_cmpint(ret, ==, 512);
|
||||
+
|
||||
+ /* Early error: Negative offset */
|
||||
+ ret = blk_pwrite(blk, -2, buf, sizeof(buf), 0);
|
||||
+ g_assert_cmpint(ret, ==, -EIO);
|
||||
+}
|
||||
+
|
||||
+static void test_sync_op_load_vmstate(BdrvChild *c)
|
||||
+{
|
||||
+ uint8_t buf[512];
|
||||
+ int ret;
|
||||
+
|
||||
+ /* Error: Driver does not support snapshots */
|
||||
+ ret = bdrv_load_vmstate(c->bs, buf, 0, sizeof(buf));
|
||||
+ g_assert_cmpint(ret, ==, -ENOTSUP);
|
||||
+}
|
||||
+
|
||||
+static void test_sync_op_save_vmstate(BdrvChild *c)
|
||||
+{
|
||||
+ uint8_t buf[512];
|
||||
+ int ret;
|
||||
+
|
||||
+ /* Error: Driver does not support snapshots */
|
||||
+ ret = bdrv_save_vmstate(c->bs, buf, 0, sizeof(buf));
|
||||
+ g_assert_cmpint(ret, ==, -ENOTSUP);
|
||||
+}
|
||||
+
|
||||
+static void test_sync_op_pdiscard(BdrvChild *c)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ /* Normal success path */
|
||||
+ c->bs->open_flags |= BDRV_O_UNMAP;
|
||||
+ ret = bdrv_pdiscard(c, 0, 512);
|
||||
+ g_assert_cmpint(ret, ==, 0);
|
||||
+
|
||||
+ /* Early success: UNMAP not supported */
|
||||
+ c->bs->open_flags &= ~BDRV_O_UNMAP;
|
||||
+ ret = bdrv_pdiscard(c, 0, 512);
|
||||
+ g_assert_cmpint(ret, ==, 0);
|
||||
+
|
||||
+ /* Early error: Negative offset */
|
||||
+ ret = bdrv_pdiscard(c, -2, 512);
|
||||
+ g_assert_cmpint(ret, ==, -EIO);
|
||||
+}
|
||||
+
|
||||
+static void test_sync_op_blk_pdiscard(BlockBackend *blk)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ /* Early success: UNMAP not supported */
|
||||
+ ret = blk_pdiscard(blk, 0, 512);
|
||||
+ g_assert_cmpint(ret, ==, 0);
|
||||
+
|
||||
+ /* Early error: Negative offset */
|
||||
+ ret = blk_pdiscard(blk, -2, 512);
|
||||
+ g_assert_cmpint(ret, ==, -EIO);
|
||||
+}
|
||||
+
|
||||
+static void test_sync_op_truncate(BdrvChild *c)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ /* Normal success path */
|
||||
+ ret = bdrv_truncate(c, 65536, PREALLOC_MODE_OFF, NULL);
|
||||
+ g_assert_cmpint(ret, ==, 0);
|
||||
+
|
||||
+ /* Early error: Negative offset */
|
||||
+ ret = bdrv_truncate(c, -2, PREALLOC_MODE_OFF, NULL);
|
||||
+ g_assert_cmpint(ret, ==, -EINVAL);
|
||||
+
|
||||
+ /* Error: Read-only image */
|
||||
+ c->bs->read_only = true;
|
||||
+ c->bs->open_flags &= ~BDRV_O_RDWR;
|
||||
+
|
||||
+ ret = bdrv_truncate(c, 65536, PREALLOC_MODE_OFF, NULL);
|
||||
+ g_assert_cmpint(ret, ==, -EACCES);
|
||||
+
|
||||
+ c->bs->read_only = false;
|
||||
+ c->bs->open_flags |= BDRV_O_RDWR;
|
||||
+}
|
||||
+
|
||||
+static void test_sync_op_block_status(BdrvChild *c)
|
||||
+{
|
||||
+ int ret;
|
||||
+ int64_t n;
|
||||
+
|
||||
+ /* Normal success path */
|
||||
+ ret = bdrv_is_allocated(c->bs, 0, 65536, &n);
|
||||
+ g_assert_cmpint(ret, ==, 0);
|
||||
+
|
||||
+ /* Early success: No driver support */
|
||||
+ bdrv_test.bdrv_co_block_status = NULL;
|
||||
+ ret = bdrv_is_allocated(c->bs, 0, 65536, &n);
|
||||
+ g_assert_cmpint(ret, ==, 1);
|
||||
+
|
||||
+ /* Early success: bytes = 0 */
|
||||
+ ret = bdrv_is_allocated(c->bs, 0, 0, &n);
|
||||
+ g_assert_cmpint(ret, ==, 0);
|
||||
+
|
||||
+ /* Early success: Offset > image size*/
|
||||
+ ret = bdrv_is_allocated(c->bs, 0x1000000, 0x1000000, &n);
|
||||
+ g_assert_cmpint(ret, ==, 0);
|
||||
+}
|
||||
+
|
||||
+static void test_sync_op_flush(BdrvChild *c)
|
||||
+{
|
||||
+ int ret;
|
||||
+
|
||||
+ /* Normal success path */
|
||||
+ ret = bdrv_flush(c->bs);
|
||||
+ g_assert_cmpint(ret, ==, 0);
|
||||
+
|
||||
+ /* Early success: Read-only image */
|
||||
+ c->bs->read_only = true;
|
||||
+ c->bs->open_flags &= ~BDRV_O_RDWR;
|
||||
+
|
||||
+ ret = bdrv_flush(c->bs);
|
||||
+ g_assert_cmpint(ret, ==, 0);
|
||||
+
|
||||
+ c->bs->read_only = false;
|
||||
+ c->bs->open_flags |= BDRV_O_RDWR;
|
||||
+}
|
||||
+
|
||||
+static void test_sync_op_blk_flush(BlockBackend *blk)
|
||||
+{
|
||||
+ BlockDriverState *bs = blk_bs(blk);
|
||||
+ int ret;
|
||||
+
|
||||
+ /* Normal success path */
|
||||
+ ret = blk_flush(blk);
|
||||
+ g_assert_cmpint(ret, ==, 0);
|
||||
+
|
||||
+ /* Early success: Read-only image */
|
||||
+ bs->read_only = true;
|
||||
+ bs->open_flags &= ~BDRV_O_RDWR;
|
||||
+
|
||||
+ ret = blk_flush(blk);
|
||||
+ g_assert_cmpint(ret, ==, 0);
|
||||
+
|
||||
+ bs->read_only = false;
|
||||
+ bs->open_flags |= BDRV_O_RDWR;
|
||||
+}
|
||||
+
|
||||
+static void test_sync_op_check(BdrvChild *c)
|
||||
+{
|
||||
+ BdrvCheckResult result;
|
||||
+ int ret;
|
||||
+
|
||||
+ /* Error: Driver does not implement check */
|
||||
+ ret = bdrv_check(c->bs, &result, 0);
|
||||
+ g_assert_cmpint(ret, ==, -ENOTSUP);
|
||||
+}
|
||||
+
|
||||
+static void test_sync_op_invalidate_cache(BdrvChild *c)
|
||||
+{
|
||||
+ /* Early success: Image is not inactive */
|
||||
+ bdrv_invalidate_cache(c->bs, NULL);
|
||||
+}
|
||||
+
|
||||
+
|
||||
+typedef struct SyncOpTest {
|
||||
+ const char *name;
|
||||
+ void (*fn)(BdrvChild *c);
|
||||
+ void (*blkfn)(BlockBackend *blk);
|
||||
+} SyncOpTest;
|
||||
+
|
||||
+const SyncOpTest sync_op_tests[] = {
|
||||
+ {
|
||||
+ .name = "/sync-op/pread",
|
||||
+ .fn = test_sync_op_pread,
|
||||
+ .blkfn = test_sync_op_blk_pread,
|
||||
+ }, {
|
||||
+ .name = "/sync-op/pwrite",
|
||||
+ .fn = test_sync_op_pwrite,
|
||||
+ .blkfn = test_sync_op_blk_pwrite,
|
||||
+ }, {
|
||||
+ .name = "/sync-op/load_vmstate",
|
||||
+ .fn = test_sync_op_load_vmstate,
|
||||
+ }, {
|
||||
+ .name = "/sync-op/save_vmstate",
|
||||
+ .fn = test_sync_op_save_vmstate,
|
||||
+ }, {
|
||||
+ .name = "/sync-op/pdiscard",
|
||||
+ .fn = test_sync_op_pdiscard,
|
||||
+ .blkfn = test_sync_op_blk_pdiscard,
|
||||
+ }, {
|
||||
+ .name = "/sync-op/truncate",
|
||||
+ .fn = test_sync_op_truncate,
|
||||
+ }, {
|
||||
+ .name = "/sync-op/block_status",
|
||||
+ .fn = test_sync_op_block_status,
|
||||
+ }, {
|
||||
+ .name = "/sync-op/flush",
|
||||
+ .fn = test_sync_op_flush,
|
||||
+ .blkfn = test_sync_op_blk_flush,
|
||||
+ }, {
|
||||
+ .name = "/sync-op/check",
|
||||
+ .fn = test_sync_op_check,
|
||||
+ }, {
|
||||
+ .name = "/sync-op/invalidate_cache",
|
||||
+ .fn = test_sync_op_invalidate_cache,
|
||||
+ },
|
||||
+};
|
||||
+
|
||||
+/* Test synchronous operations that run in a different iothread, so we have to
|
||||
+ * poll for the coroutine there to return. */
|
||||
+static void test_sync_op(const void *opaque)
|
||||
+{
|
||||
+ const SyncOpTest *t = opaque;
|
||||
+ IOThread *iothread = iothread_new();
|
||||
+ AioContext *ctx = iothread_get_aio_context(iothread);
|
||||
+ BlockBackend *blk;
|
||||
+ BlockDriverState *bs;
|
||||
+ BdrvChild *c;
|
||||
+
|
||||
+ blk = blk_new(BLK_PERM_ALL, BLK_PERM_ALL);
|
||||
+ bs = bdrv_new_open_driver(&bdrv_test, "base", BDRV_O_RDWR, &error_abort);
|
||||
+ bs->total_sectors = 65536 / BDRV_SECTOR_SIZE;
|
||||
+ blk_insert_bs(blk, bs, &error_abort);
|
||||
+ c = QLIST_FIRST(&bs->parents);
|
||||
+
|
||||
+ blk_set_aio_context(blk, ctx);
|
||||
+ aio_context_acquire(ctx);
|
||||
+ t->fn(c);
|
||||
+ if (t->blkfn) {
|
||||
+ t->blkfn(blk);
|
||||
+ }
|
||||
+ aio_context_release(ctx);
|
||||
+ blk_set_aio_context(blk, qemu_get_aio_context());
|
||||
+
|
||||
+ bdrv_unref(bs);
|
||||
+ blk_unref(blk);
|
||||
+}
|
||||
+
|
||||
+int main(int argc, char **argv)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ bdrv_init();
|
||||
+ qemu_init_main_loop(&error_abort);
|
||||
+
|
||||
+ g_test_init(&argc, &argv, NULL);
|
||||
+
|
||||
+ for (i = 0; i < ARRAY_SIZE(sync_op_tests); i++) {
|
||||
+ const SyncOpTest *t = &sync_op_tests[i];
|
||||
+ g_test_add_data_func(t->name, t, test_sync_op);
|
||||
+ }
|
||||
+
|
||||
+ return g_test_run();
|
||||
+}
|
@ -1,3 +1,22 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 10 18:03:30 UTC 2019 - Bruce Rogers <brogers@suse.com>
|
||||
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
|
||||
* Patches added:
|
||||
0041-vfio-ap-flag-as-compatible-with-bal.patch
|
||||
0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
|
||||
0043-pcie-set-link-state-inactive-active.patch
|
||||
0044-pc-piix4-Update-smbus-I-O-space-aft.patch
|
||||
0045-hw-usb-fix-mistaken-de-initializati.patch
|
||||
0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
|
||||
0047-pvrdma-release-device-resources-in-.patch
|
||||
0048-rdma-check-num_sge-does-not-exceed-.patch
|
||||
0049-pvrdma-add-uar_read-routine.patch
|
||||
0050-pvrdma-check-number-of-pages-when-c.patch
|
||||
0051-pvrdma-check-return-value-from-pvrd.patch
|
||||
0052-pvrdma-release-ring-object-in-case-.patch
|
||||
0053-block-Fix-hangs-in-synchronous-APIs.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 8 13:41:35 UTC 2019 - olaf@aepfle.de
|
||||
|
||||
|
@ -72,6 +72,19 @@ Patch0037: 0037-tests-qemu-iotests-Triple-timeout-o.patch
|
||||
Patch0038: 0038-tests-block-io-test-130-needs-some-.patch
|
||||
Patch0039: 0039-xen_disk-Avoid-repeated-memory-allo.patch
|
||||
Patch0040: 0040-xen-ignore-live-parameter-from-xen-.patch
|
||||
Patch0041: 0041-vfio-ap-flag-as-compatible-with-bal.patch
|
||||
Patch0042: 0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
|
||||
Patch0043: 0043-pcie-set-link-state-inactive-active.patch
|
||||
Patch0044: 0044-pc-piix4-Update-smbus-I-O-space-aft.patch
|
||||
Patch0045: 0045-hw-usb-fix-mistaken-de-initializati.patch
|
||||
Patch0046: 0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
|
||||
Patch0047: 0047-pvrdma-release-device-resources-in-.patch
|
||||
Patch0048: 0048-rdma-check-num_sge-does-not-exceed-.patch
|
||||
Patch0049: 0049-pvrdma-add-uar_read-routine.patch
|
||||
Patch0050: 0050-pvrdma-check-number-of-pages-when-c.patch
|
||||
Patch0051: 0051-pvrdma-check-return-value-from-pvrd.patch
|
||||
Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch
|
||||
Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
ExcludeArch: s390
|
||||
@ -143,6 +156,19 @@ syscall layer occurs on the native hardware and operating system.
|
||||
%patch0038 -p1
|
||||
%patch0039 -p1
|
||||
%patch0040 -p1
|
||||
%patch0041 -p1
|
||||
%patch0042 -p1
|
||||
%patch0043 -p1
|
||||
%patch0044 -p1
|
||||
%patch0045 -p1
|
||||
%patch0046 -p1
|
||||
%patch0047 -p1
|
||||
%patch0048 -p1
|
||||
%patch0049 -p1
|
||||
%patch0050 -p1
|
||||
%patch0051 -p1
|
||||
%patch0052 -p1
|
||||
%patch0053 -p1
|
||||
|
||||
%build
|
||||
./configure \
|
||||
|
@ -1,3 +1,33 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 10 18:03:29 UTC 2019 - Bruce Rogers <brogers@suse.com>
|
||||
|
||||
- include post v3.1.0 patches marked for next stable release:
|
||||
0041-vfio-ap-flag-as-compatible-with-bal.patch
|
||||
0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
|
||||
0043-pcie-set-link-state-inactive-active.patch
|
||||
0044-pc-piix4-Update-smbus-I-O-space-aft.patch
|
||||
0045-hw-usb-fix-mistaken-de-initializati.patch
|
||||
- Address various security/stability issues
|
||||
* Fix host access vulnerability in usb-mtp infrastructure
|
||||
(CVE-2018-16872 bsc#1119493)
|
||||
0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
|
||||
* Fix DoS in pvrdma interface (CVE-2018-20123 bsc#1119437)
|
||||
0047-pvrdma-release-device-resources-in-.patch
|
||||
* Fix OOB access issue in rdma backend (CVE-2018-20124 bsc#1119840)
|
||||
0048-rdma-check-num_sge-does-not-exceed-.patch
|
||||
* Fix NULL pointer reference in pvrdma emulation (CVE-2018-20191
|
||||
bsc#1119979)
|
||||
0049-pvrdma-add-uar_read-routine.patch
|
||||
* Fix DoS in pvrdma interface (CVE-2018-20125 bsc#1119989)
|
||||
0050-pvrdma-check-number-of-pages-when-c.patch
|
||||
* Fix DoS in pvrdma interface (CVE-2018-20216 bsc#1119984)
|
||||
0051-pvrdma-check-return-value-from-pvrd.patch
|
||||
* Fix DoS in pvrdma interface (CVE-2018-20126 bsc#1119991)
|
||||
0052-pvrdma-release-ring-object-in-case-.patch
|
||||
- one more post v3.1.0 patches marked for next stable release:
|
||||
0053-block-Fix-hangs-in-synchronous-APIs.patch
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 8 13:41:35 UTC 2019 - olaf@aepfle.de
|
||||
|
||||
|
@ -177,6 +177,19 @@ Patch0037: 0037-tests-qemu-iotests-Triple-timeout-o.patch
|
||||
Patch0038: 0038-tests-block-io-test-130-needs-some-.patch
|
||||
Patch0039: 0039-xen_disk-Avoid-repeated-memory-allo.patch
|
||||
Patch0040: 0040-xen-ignore-live-parameter-from-xen-.patch
|
||||
Patch0041: 0041-vfio-ap-flag-as-compatible-with-bal.patch
|
||||
Patch0042: 0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
|
||||
Patch0043: 0043-pcie-set-link-state-inactive-active.patch
|
||||
Patch0044: 0044-pc-piix4-Update-smbus-I-O-space-aft.patch
|
||||
Patch0045: 0045-hw-usb-fix-mistaken-de-initializati.patch
|
||||
Patch0046: 0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
|
||||
Patch0047: 0047-pvrdma-release-device-resources-in-.patch
|
||||
Patch0048: 0048-rdma-check-num_sge-does-not-exceed-.patch
|
||||
Patch0049: 0049-pvrdma-add-uar_read-routine.patch
|
||||
Patch0050: 0050-pvrdma-check-number-of-pages-when-c.patch
|
||||
Patch0051: 0051-pvrdma-check-return-value-from-pvrd.patch
|
||||
Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch
|
||||
Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
|
||||
@ -945,6 +958,19 @@ This package provides a service file for starting and stopping KSM.
|
||||
%patch0038 -p1
|
||||
%patch0039 -p1
|
||||
%patch0040 -p1
|
||||
%patch0041 -p1
|
||||
%patch0042 -p1
|
||||
%patch0043 -p1
|
||||
%patch0044 -p1
|
||||
%patch0045 -p1
|
||||
%patch0046 -p1
|
||||
%patch0047 -p1
|
||||
%patch0048 -p1
|
||||
%patch0049 -p1
|
||||
%patch0050 -p1
|
||||
%patch0051 -p1
|
||||
%patch0052 -p1
|
||||
%patch0053 -p1
|
||||
|
||||
pushd roms/seabios
|
||||
%patch1100 -p1
|
||||
|
30
qemu.changes
30
qemu.changes
@ -1,3 +1,33 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 10 18:03:29 UTC 2019 - Bruce Rogers <brogers@suse.com>
|
||||
|
||||
- include post v3.1.0 patches marked for next stable release:
|
||||
0041-vfio-ap-flag-as-compatible-with-bal.patch
|
||||
0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
|
||||
0043-pcie-set-link-state-inactive-active.patch
|
||||
0044-pc-piix4-Update-smbus-I-O-space-aft.patch
|
||||
0045-hw-usb-fix-mistaken-de-initializati.patch
|
||||
- Address various security/stability issues
|
||||
* Fix host access vulnerability in usb-mtp infrastructure
|
||||
(CVE-2018-16872 bsc#1119493)
|
||||
0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
|
||||
* Fix DoS in pvrdma interface (CVE-2018-20123 bsc#1119437)
|
||||
0047-pvrdma-release-device-resources-in-.patch
|
||||
* Fix OOB access issue in rdma backend (CVE-2018-20124 bsc#1119840)
|
||||
0048-rdma-check-num_sge-does-not-exceed-.patch
|
||||
* Fix NULL pointer reference in pvrdma emulation (CVE-2018-20191
|
||||
bsc#1119979)
|
||||
0049-pvrdma-add-uar_read-routine.patch
|
||||
* Fix DoS in pvrdma interface (CVE-2018-20125 bsc#1119989)
|
||||
0050-pvrdma-check-number-of-pages-when-c.patch
|
||||
* Fix DoS in pvrdma interface (CVE-2018-20216 bsc#1119984)
|
||||
0051-pvrdma-check-return-value-from-pvrd.patch
|
||||
* Fix DoS in pvrdma interface (CVE-2018-20126 bsc#1119991)
|
||||
0052-pvrdma-release-ring-object-in-case-.patch
|
||||
- one more post v3.1.0 patches marked for next stable release:
|
||||
0053-block-Fix-hangs-in-synchronous-APIs.patch
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 8 13:41:35 UTC 2019 - olaf@aepfle.de
|
||||
|
||||
|
26
qemu.spec
26
qemu.spec
@ -177,6 +177,19 @@ Patch0037: 0037-tests-qemu-iotests-Triple-timeout-o.patch
|
||||
Patch0038: 0038-tests-block-io-test-130-needs-some-.patch
|
||||
Patch0039: 0039-xen_disk-Avoid-repeated-memory-allo.patch
|
||||
Patch0040: 0040-xen-ignore-live-parameter-from-xen-.patch
|
||||
Patch0041: 0041-vfio-ap-flag-as-compatible-with-bal.patch
|
||||
Patch0042: 0042-hw-s390x-Fix-bad-mask-in-time2tod.patch
|
||||
Patch0043: 0043-pcie-set-link-state-inactive-active.patch
|
||||
Patch0044: 0044-pc-piix4-Update-smbus-I-O-space-aft.patch
|
||||
Patch0045: 0045-hw-usb-fix-mistaken-de-initializati.patch
|
||||
Patch0046: 0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch
|
||||
Patch0047: 0047-pvrdma-release-device-resources-in-.patch
|
||||
Patch0048: 0048-rdma-check-num_sge-does-not-exceed-.patch
|
||||
Patch0049: 0049-pvrdma-add-uar_read-routine.patch
|
||||
Patch0050: 0050-pvrdma-check-number-of-pages-when-c.patch
|
||||
Patch0051: 0051-pvrdma-check-return-value-from-pvrd.patch
|
||||
Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch
|
||||
Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
|
||||
@ -945,6 +958,19 @@ This package provides a service file for starting and stopping KSM.
|
||||
%patch0038 -p1
|
||||
%patch0039 -p1
|
||||
%patch0040 -p1
|
||||
%patch0041 -p1
|
||||
%patch0042 -p1
|
||||
%patch0043 -p1
|
||||
%patch0044 -p1
|
||||
%patch0045 -p1
|
||||
%patch0046 -p1
|
||||
%patch0047 -p1
|
||||
%patch0048 -p1
|
||||
%patch0049 -p1
|
||||
%patch0050 -p1
|
||||
%patch0051 -p1
|
||||
%patch0052 -p1
|
||||
%patch0053 -p1
|
||||
|
||||
pushd roms/seabios
|
||||
%patch1100 -p1
|
||||
|
@ -76,15 +76,14 @@ if [ "$OLD_SOURCE_VERSION_AND_EXTRA" = "" ]; then
|
||||
echo "Warning: No tarball found"
|
||||
fi
|
||||
|
||||
if [[ $QEMU_TARBALL =~ $BASE_RE$EXTRA_RE$SUFFIX_RE ]]; then
|
||||
OLD_COMMIT_ISH=${BASH_REMATCH[3]}
|
||||
else
|
||||
#Assume release (or release candidate) tarball with equivalent tag:
|
||||
OLD_COMMIT_ISH=$(cd $GIT_LOCAL_TREE && git rev-list --abbrev-commit \
|
||||
--abbrev=9 -1 v$OLD_SOURCE_VERSION_AND_EXTRA)
|
||||
fi
|
||||
|
||||
if [ "$GIT_UPSTREAM_COMMIT_ISH" = "LATEST" ]; then
|
||||
if [[ $QEMU_TARBALL =~ $BASE_RE$EXTRA_RE$SUFFIX_RE ]]; then
|
||||
OLD_COMMIT_ISH=${BASH_REMATCH[3]}
|
||||
else
|
||||
#Assume release (or release candidate) tarball with equivalent tag:
|
||||
OLD_COMMIT_ISH=$(cd $GIT_LOCAL_TREE && git rev-list --abbrev-commit \
|
||||
--abbrev=9 -1 v$OLD_SOURCE_VERSION_AND_EXTRA)
|
||||
fi
|
||||
if [ ${#QEMU_TARBALL_SIG[@]} -ne 0 ]; then
|
||||
echo "INFO: Ignoring signature file: $QEMU_TARBALL_SIG"
|
||||
QEMU_TARBALL_SIG=
|
||||
|
Loading…
Reference in New Issue
Block a user