diff --git a/0039-xen_disk-Avoid-repeated-memory-allo.patch b/0039-xen_disk-Avoid-repeated-memory-allo.patch index d5527c4b..2a6f702e 100644 --- a/0039-xen_disk-Avoid-repeated-memory-allo.patch +++ b/0039-xen_disk-Avoid-repeated-memory-allo.patch @@ -14,14 +14,14 @@ Since the ioreqs themselves are re-used via a free list, this should actually improve memory usage. Signed-off-by: Tim Smith -[BSC#1100408] +[BR: BSC#1100408] Signed-off-by: Bruce Rogers --- - hw/block/xen_disk.c | 7 ++----- - 1 file changed, 2 insertions(+), 5 deletions(-) + hw/block/xen_disk.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c -index d9a55faf27..e9501ee34c 100644 +index d9a55faf27..df99162520 100644 --- a/hw/block/xen_disk.c +++ b/hw/block/xen_disk.c @@ -110,7 +110,6 @@ static void ioreq_reset(struct ioreq *ioreq) @@ -32,15 +32,17 @@ index d9a55faf27..e9501ee34c 100644 ioreq->size = 0; ioreq->presync = 0; -@@ -135,6 +134,7 @@ static struct ioreq *ioreq_start(struct XenBlkDev *blkdev) +@@ -135,6 +134,9 @@ static struct ioreq *ioreq_start(struct XenBlkDev *blkdev) /* allocate new struct */ ioreq = g_malloc0(sizeof(*ioreq)); ioreq->blkdev = blkdev; -+ ioreq->buf = qemu_memalign(XC_PAGE_SIZE, BLKIF_MAX_SEGMENTS_PER_REQUEST * XC_PAGE_SIZE); ++ ioreq->buf = qemu_memalign(XC_PAGE_SIZE, ++ BLKIF_MAX_SEGMENTS_PER_REQUEST * ++ XC_PAGE_SIZE); blkdev->requests_total++; qemu_iovec_init(&ioreq->v, 1); } else { -@@ -317,14 +317,12 @@ static void qemu_aio_complete(void *opaque, int ret) +@@ -317,14 +319,12 @@ static void qemu_aio_complete(void *opaque, int ret) if (ret == 0) { ioreq_grant_copy(ioreq); } @@ -55,7 +57,7 @@ index d9a55faf27..e9501ee34c 100644 break; default: break; -@@ -392,12 +390,10 @@ static int ioreq_runio_qemu_aio(struct ioreq *ioreq) +@@ -392,12 +392,10 @@ static int ioreq_runio_qemu_aio(struct ioreq *ioreq) { struct XenBlkDev *blkdev = ioreq->blkdev; @@ -68,7 +70,7 @@ index d9a55faf27..e9501ee34c 100644 goto err; } -@@ -1007,6 +1003,7 @@ static int blk_free(struct XenDevice *xendev) +@@ -1007,6 +1005,7 @@ static int blk_free(struct XenDevice *xendev) ioreq = QLIST_FIRST(&blkdev->freelist); QLIST_REMOVE(ioreq, list); qemu_iovec_destroy(&ioreq->v); diff --git a/0041-vfio-ap-flag-as-compatible-with-bal.patch b/0041-vfio-ap-flag-as-compatible-with-bal.patch new file mode 100644 index 00000000..15650fc8 --- /dev/null +++ b/0041-vfio-ap-flag-as-compatible-with-bal.patch @@ -0,0 +1,40 @@ +From: Cornelia Huck +Date: Wed, 5 Dec 2018 15:35:03 +0100 +Subject: vfio-ap: flag as compatible with balloon + +vfio-ap devices do not pin any pages in the host. Therefore, they +are compatible with memory ballooning. + +Flag them as compatible, so both vfio-ap and a balloon can be +used simultaneously. + +Cc: qemu-stable@nongnu.org +Acked-by: Christian Borntraeger +Tested-by: Tony Krowiak +Reviewed-by: Halil Pasic +Signed-off-by: Cornelia Huck +(cherry picked from commit 1883e8fc8005e9ef452890a075bae98e8c432968) +Signed-off-by: Bruce Rogers +--- + hw/vfio/ap.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/vfio/ap.c b/hw/vfio/ap.c +index 65de952f44..0a25f5e096 100644 +--- a/hw/vfio/ap.c ++++ b/hw/vfio/ap.c +@@ -104,6 +104,14 @@ static void vfio_ap_realize(DeviceState *dev, Error **errp) + vapdev->vdev.name = g_strdup_printf("%s", mdevid); + vapdev->vdev.dev = dev; + ++ /* ++ * vfio-ap devices operate in a way compatible with ++ * memory ballooning, as no pages are pinned in the host. ++ * This needs to be set before vfio_get_device() for vfio common to ++ * handle the balloon inhibitor. ++ */ ++ vapdev->vdev.balloon_allowed = true; ++ + ret = vfio_get_device(vfio_group, mdevid, &vapdev->vdev, &local_err); + if (ret) { + goto out_get_dev_err; diff --git a/0042-hw-s390x-Fix-bad-mask-in-time2tod.patch b/0042-hw-s390x-Fix-bad-mask-in-time2tod.patch new file mode 100644 index 00000000..edd0ec56 --- /dev/null +++ b/0042-hw-s390x-Fix-bad-mask-in-time2tod.patch @@ -0,0 +1,35 @@ +From: Thomas Huth +Date: Fri, 14 Dec 2018 14:08:07 +0100 +Subject: hw/s390x: Fix bad mask in time2tod() + +Since "s390x/tcg: avoid overflows in time2tod/tod2time", the +time2tod() function tries to deal with the 9 uppermost bits in the +time value, but uses the wrong mask for this: 0xff80000000000000 should +be used instead of 0xff10000000000000 here. + +Fixes: 14055ce53c2d901d826ffad7fb7d6bb8ab46bdfd +Cc: qemu-stable@nongnu.org +Signed-off-by: Thomas Huth +Message-Id: <1544792887-14575-1-git-send-email-thuth@redhat.com> +Reviewed-by: David Hildenbrand +[CH: tweaked commit message] +(cherry picked from commit aba7a5a2de3dba5917024df25441f715b9249e31) +Signed-off-by: Cornelia Huck +Signed-off-by: Bruce Rogers +--- + include/hw/s390x/tod.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/hw/s390x/tod.h b/include/hw/s390x/tod.h +index 413c0d7c02..442f45b2f5 100644 +--- a/include/hw/s390x/tod.h ++++ b/include/hw/s390x/tod.h +@@ -50,7 +50,7 @@ typedef struct S390TODClass { + /* Converts ns to s390's clock format */ + static inline uint64_t time2tod(uint64_t ns) + { +- return (ns << 9) / 125 + (((ns & 0xff10000000000000ull) / 125) << 9); ++ return (ns << 9) / 125 + (((ns & 0xff80000000000000ull) / 125) << 9); + } + + /* Converts s390's clock format to ns */ diff --git a/0043-pcie-set-link-state-inactive-active.patch b/0043-pcie-set-link-state-inactive-active.patch new file mode 100644 index 00000000..0958310d --- /dev/null +++ b/0043-pcie-set-link-state-inactive-active.patch @@ -0,0 +1,102 @@ +From: Zheng Xiang +Date: Mon, 3 Dec 2018 15:05:17 +0800 +Subject: pcie: set link state inactive/active after hot unplug/plug + +When VM boots from the latest version of linux kernel, after +hot-unpluging virtio-blk disks which are hotplugged into +pcie-root-port, the VM's dmesg log shows: + +[ 151.046242] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0001 from Slot Status +[ 151.046365] pciehp 0000:00:05.0:pcie004: Slot(0-3): Attention button pressed +[ 151.046369] pciehp 0000:00:05.0:pcie004: Slot(0-3): Powering off due to button press +[ 151.046420] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status +[ 151.046425] pciehp 0000:00:05.0:pcie004: pciehp_green_led_blink: SLOTCTRL a8 write cmd 200 +[ 151.046464] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status +[ 151.046468] pciehp 0000:00:05.0:pcie004: pciehp_set_attention_status: SLOTCTRL a8 write cmd c0 +[ 156.163421] pciehp 0000:00:05.0:pcie004: pciehp_get_power_status: SLOTCTRL a8 value read 2f1 +[ 156.163427] pciehp 0000:00:05.0:pcie004: pciehp_unconfigure_device: domain:bus:dev = 0000:06:00 +[ 156.198736] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status +[ 156.198772] pciehp 0000:00:05.0:pcie004: pciehp_power_off_slot: SLOTCTRL a8 write cmd 400 +[ 157.224124] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0018 from Slot Status +[ 157.224194] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300 +[ 157.224220] pciehp 0000:00:05.0:pcie004: pciehp_check_link_active: lnk_status = 2011 +[ 157.224223] pciehp 0000:00:05.0:pcie004: Slot(0-3): Link Up +[ 157.224233] pciehp 0000:00:05.0:pcie004: pciehp_get_power_status: SLOTCTRL a8 value read 7f1 +[ 157.224281] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status +[ 157.224285] pciehp 0000:00:05.0:pcie004: pciehp_power_on_slot: SLOTCTRL a8 write cmd 0 +[ 157.224300] pciehp 0000:00:05.0:pcie004: __pciehp_link_set: lnk_ctrl = 0 +[ 157.224336] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status +[ 157.224339] pciehp 0000:00:05.0:pcie004: pciehp_green_led_blink: SLOTCTRL a8 write cmd 200 +[ 159.739294] pci 0000:06:00.0 id reading try 50 times with interval 20 ms to get ffffffff +[ 159.739315] pciehp 0000:00:05.0:pcie004: pciehp_check_link_status: lnk_status = 2011 +[ 159.739318] pciehp 0000:00:05.0:pcie004: Failed to check link status +[ 159.739371] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status +[ 159.739394] pciehp 0000:00:05.0:pcie004: pciehp_power_off_slot: SLOTCTRL a8 write cmd 400 +[ 160.771426] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status +[ 160.771452] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300 +[ 160.771495] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status +[ 160.771499] pciehp 0000:00:05.0:pcie004: pciehp_set_attention_status: SLOTCTRL a8 write cmd 40 +[ 160.771535] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status +[ 160.771539] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300 + +After analyzing the log information, it seems that qemu doesn't +change the Link Status from active to inactive after hot-unplug. +This results in the abnormal log after the linux kernel commit +d331710ea78fea merged. + +Furthermore, If I hotplug the same virtio-blk disk after hot-unplug, +the virtio-blk would turn on and then back off. + +So this patch set the Link Status inactive after hot-unplug and +active after hot-plug. + +Signed-off-by: Zheng Xiang +Signed-off-by: Zheng Xiang +Cc: Wang Haibin +Cc: qemu-stable@nongnu.org +Reviewed-by: Marcel Apfelbaum +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 2f2b18f60bf17453b4c01197a9316615a3c1f1de) +Signed-off-by: Bruce Rogers +--- + hw/pci/pcie.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c +index 6c91bd44a0..66b73b87c8 100644 +--- a/hw/pci/pcie.c ++++ b/hw/pci/pcie.c +@@ -345,6 +345,10 @@ void pcie_cap_slot_hotplug_cb(HotplugHandler *hotplug_dev, DeviceState *dev, + if (!dev->hotplugged) { + pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA, + PCI_EXP_SLTSTA_PDS); ++ if (pci_dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) { ++ pci_word_test_and_set_mask(exp_cap + PCI_EXP_LNKSTA, ++ PCI_EXP_LNKSTA_DLLLA); ++ } + return; + } + +@@ -355,6 +359,10 @@ void pcie_cap_slot_hotplug_cb(HotplugHandler *hotplug_dev, DeviceState *dev, + if (pci_get_function_0(pci_dev)) { + pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA, + PCI_EXP_SLTSTA_PDS); ++ if (pci_dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) { ++ pci_word_test_and_set_mask(exp_cap + PCI_EXP_LNKSTA, ++ PCI_EXP_LNKSTA_DLLLA); ++ } + pcie_cap_slot_event(PCI_DEVICE(hotplug_dev), + PCI_EXP_HP_EV_PDC | PCI_EXP_HP_EV_ABP); + } +@@ -531,6 +539,10 @@ void pcie_cap_slot_write_config(PCIDevice *dev, + + pci_word_test_and_clear_mask(exp_cap + PCI_EXP_SLTSTA, + PCI_EXP_SLTSTA_PDS); ++ if (dev->cap_present & QEMU_PCIE_LNKSTA_DLLLA) { ++ pci_word_test_and_clear_mask(exp_cap + PCI_EXP_LNKSTA, ++ PCI_EXP_LNKSTA_DLLLA); ++ } + pci_word_test_and_set_mask(exp_cap + PCI_EXP_SLTSTA, + PCI_EXP_SLTSTA_PDC); + } diff --git a/0044-pc-piix4-Update-smbus-I-O-space-aft.patch b/0044-pc-piix4-Update-smbus-I-O-space-aft.patch new file mode 100644 index 00000000..bac34937 --- /dev/null +++ b/0044-pc-piix4-Update-smbus-I-O-space-aft.patch @@ -0,0 +1,30 @@ +From: Corey Minyard +Date: Mon, 26 Nov 2018 12:28:44 -0600 +Subject: pc:piix4: Update smbus I/O space after a migration + +Otherwise it won't be set up correctly and won't work after +miigration. + +Signed-off-by: Corey Minyard +Cc: Igor Mammedov +Cc: qemu-stable@nongnu.org +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 2b4e573c7c7b9a698ba6931ba456bbd8d3d8c84c) +Signed-off-by: Bruce Rogers +--- + hw/acpi/piix4.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c +index b0bd10b3f9..fb3620e6c0 100644 +--- a/hw/acpi/piix4.c ++++ b/hw/acpi/piix4.c +@@ -173,6 +173,7 @@ static int vmstate_acpi_post_load(void *opaque, int version_id) + PIIX4PMState *s = opaque; + + pm_io_space_update(s); ++ smbus_io_space_update(s); + return 0; + } + diff --git a/0045-hw-usb-fix-mistaken-de-initializati.patch b/0045-hw-usb-fix-mistaken-de-initializati.patch new file mode 100644 index 00000000..940e5bae --- /dev/null +++ b/0045-hw-usb-fix-mistaken-de-initializati.patch @@ -0,0 +1,54 @@ +From: Gerd Hoffmann +Date: Wed, 9 Jan 2019 11:07:15 -0700 +Subject: hw/usb: fix mistaken de-initialization of CCID state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel P. Berrangé + +In previous commit: + + commit 7dea29e4af17fc1d27478de9f8ea38144deac54a + Author: Li Qiang + Date: Fri Oct 19 03:50:36 2018 -0700 + + hw: ccid-card-emulated: cleanup resource when realize in error path + +The emulated_realize method was changed so that it jumps to a cleanup +label to de-initialize state upon error. This change failed to ensure +the success path exited the method before this point though. So the +mutexes are always destroyed even in normal operation. The result is +as crashtastic as expected: + +$ qemu-system-x86_64 -usb -device usb-ccid,id=ccid0 -device ccid-card-emulated,backend=nss-emulated,id=smartcard0,bus=ccid0.0 +qemu-system-x86_64: util/qemu-thread-posix.c:64: qemu_mutex_lock_impl: Assertion `mutex->initialized' failed. +Aborted (core dumped) + +Fixes: 7dea29e4af1 +Reported-by: Michael Tokarev +Signed-off-by: Daniel P. Berrangé +Reviewed-by: Michael Tokarev +Reviewed-by: Philippe Mathieu-Daudé +Tested-by: Philippe Mathieu-Daudé +Message-id: 20181221134115.27973-1-berrange@redhat.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 3fd2092fd11b9e4220a08eca0663cc59178a6c3f) +Signed-off-by: Bruce Rogers +--- + hw/usb/ccid-card-emulated.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/hw/usb/ccid-card-emulated.c b/hw/usb/ccid-card-emulated.c +index 25976ed84f..e0457d305b 100644 +--- a/hw/usb/ccid-card-emulated.c ++++ b/hw/usb/ccid-card-emulated.c +@@ -549,6 +549,8 @@ static void emulated_realize(CCIDCardState *base, Error **errp) + qemu_thread_create(&card->apdu_thread_id, "ccid/apdu", handle_apdu_thread, + card, QEMU_THREAD_JOINABLE); + ++ return; ++ + out2: + clean_event_notifier(card); + out1: diff --git a/0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch b/0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch new file mode 100644 index 00000000..6bbdb537 --- /dev/null +++ b/0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch @@ -0,0 +1,79 @@ +From: Gerd Hoffmann +Date: Thu, 13 Dec 2018 13:25:11 +0100 +Subject: usb-mtp: use O_NOFOLLOW and O_CLOEXEC. + +Open files and directories with O_NOFOLLOW to avoid symlinks attacks. +While being at it also add O_CLOEXEC. + +usb-mtp only handles regular files and directories and ignores +everything else, so users should not see a difference. + +Because qemu ignores symlinks, carrying out a successful symlink attack +requires swapping an existing file or directory below rootdir for a +symlink and winning the race against the inotify notification to qemu. + +Fixes: CVE-2018-16872 +Cc: Prasad J Pandit +Cc: Bandan Das +Reported-by: Michael Hanselmann +Signed-off-by: Gerd Hoffmann +Reviewed-by: Michael Hanselmann +Message-id: 20181213122511.13853-1-kraxel@redhat.com +(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1) +[BR: BSC#1119493] +Signed-off-by: Bruce Rogers +--- + hw/usb/dev-mtp.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c +index 100b7171f4..36c43b8c20 100644 +--- a/hw/usb/dev-mtp.c ++++ b/hw/usb/dev-mtp.c +@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o) + { + struct dirent *entry; + DIR *dir; ++ int fd; + + if (o->have_children) { + return; + } + o->have_children = true; + +- dir = opendir(o->path); ++ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); ++ if (fd < 0) { ++ return; ++ } ++ dir = fdopendir(fd); + if (!dir) { + return; + } +@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c, + + trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path); + +- d->fd = open(o->path, O_RDONLY); ++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); + if (d->fd == -1) { + usb_mtp_data_free(d); + return NULL; +@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c, + c->argv[1], c->argv[2]); + + d = usb_mtp_data_alloc(c); +- d->fd = open(o->path, O_RDONLY); ++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); + if (d->fd == -1) { + usb_mtp_data_free(d); + return NULL; +@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s) + 0, 0, 0, 0); + goto done; + } +- d->fd = open(path, O_CREAT | O_WRONLY, mask); ++ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask); + if (d->fd == -1) { + usb_mtp_queue_result(s, RES_STORE_FULL, d->trans, + 0, 0, 0, 0); diff --git a/0047-pvrdma-release-device-resources-in-.patch b/0047-pvrdma-release-device-resources-in-.patch new file mode 100644 index 00000000..a9006703 --- /dev/null +++ b/0047-pvrdma-release-device-resources-in-.patch @@ -0,0 +1,41 @@ +From: Prasad J Pandit +Date: Wed, 12 Dec 2018 23:28:17 +0530 +Subject: pvrdma: release device resources in case of an error + +If during pvrdma device initialisation an error occurs, +pvrdma_realize() does not release memory resources, leading +to memory leakage. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <20181212175817.815-1-ppandit@redhat.com> +Reviewed-by: Yuval Shaia +Signed-off-by: Marcel Apfelbaum +(cherry picked from commit cce648613bc802be1b894227f7fd94d88476ea07) +[BR: BSC#1119437] +Signed-off-by: Bruce Rogers +--- + hw/rdma/vmw/pvrdma_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index ca5fa8d981..34d8cc4694 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -572,7 +572,7 @@ static int pvrdma_check_ram_shared(Object *obj, void *opaque) + + static void pvrdma_realize(PCIDevice *pdev, Error **errp) + { +- int rc; ++ int rc = 0; + PVRDMADev *dev = PVRDMA_DEV(pdev); + Object *memdev_root; + bool ram_shared = false; +@@ -632,6 +632,7 @@ static void pvrdma_realize(PCIDevice *pdev, Error **errp) + + out: + if (rc) { ++ pvrdma_fini(pdev); + error_append_hint(errp, "Device fail to load\n"); + } + } diff --git a/0048-rdma-check-num_sge-does-not-exceed-.patch b/0048-rdma-check-num_sge-does-not-exceed-.patch new file mode 100644 index 00000000..85498a25 --- /dev/null +++ b/0048-rdma-check-num_sge-does-not-exceed-.patch @@ -0,0 +1,46 @@ +From: Prasad J Pandit +Date: Thu, 13 Dec 2018 01:00:34 +0530 +Subject: rdma: check num_sge does not exceed MAX_SGE + +rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set +to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element +with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue. +Add check to avoid it. + +Reported-by: Saar Amar +Signed-off-by: Prasad J Pandit +Reviewed-by: Yuval Shaia +Signed-off-by: Marcel Apfelbaum +(cherry picked from commit 0e68373cc2b3a063ce067bc0cc3edaf370752890) +[BR: BSC#1119840, modified complete_work() calls to be comp_handler()] +Signed-off-by: Bruce Rogers +--- + hw/rdma/rdma_backend.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c +index d7a4bbd91f..0b3b98a94c 100644 +--- a/hw/rdma/rdma_backend.c ++++ b/hw/rdma/rdma_backend.c +@@ -311,8 +311,8 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev, + } + + pr_dbg("num_sge=%d\n", num_sge); +- if (!num_sge) { +- pr_dbg("num_sge=0\n"); ++ if (!num_sge || num_sge > MAX_SGE) { ++ pr_dbg("invalid num_sge=%d\n", num_sge); + comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); + return; + } +@@ -390,8 +390,8 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev, + } + + pr_dbg("num_sge=%d\n", num_sge); +- if (!num_sge) { +- pr_dbg("num_sge=0\n"); ++ if (!num_sge || num_sge > MAX_SGE) { ++ pr_dbg("invalid num_sge=%d\n", num_sge); + comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); + return; + } diff --git a/0049-pvrdma-add-uar_read-routine.patch b/0049-pvrdma-add-uar_read-routine.patch new file mode 100644 index 00000000..c6746a21 --- /dev/null +++ b/0049-pvrdma-add-uar_read-routine.patch @@ -0,0 +1,41 @@ +From: Prasad J Pandit +Date: Thu, 13 Dec 2018 01:00:35 +0530 +Subject: pvrdma: add uar_read routine + +Define skeleton 'uar_read' routine. Avoid NULL dereference. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Marcel Apfelbaum +Signed-off-by: Marcel Apfelbaum +(cherry picked from commit 2aa86456fb938a11f2b7bd57c8643c213218681c) +[BR: BSC#1119979 CVE-2018-20191] +Signed-off-by: Bruce Rogers +--- + hw/rdma/vmw/pvrdma_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 34d8cc4694..c9d9631769 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -455,6 +455,11 @@ static const MemoryRegionOps regs_ops = { + }, + }; + ++static uint64_t uar_read(void *opaque, hwaddr addr, unsigned size) ++{ ++ return 0xffffffff; ++} ++ + static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size) + { + PVRDMADev *dev = opaque; +@@ -496,6 +501,7 @@ static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size) + } + + static const MemoryRegionOps uar_ops = { ++ .read = uar_read, + .write = uar_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .impl = { diff --git a/0050-pvrdma-check-number-of-pages-when-c.patch b/0050-pvrdma-check-number-of-pages-when-c.patch new file mode 100644 index 00000000..44ab75e9 --- /dev/null +++ b/0050-pvrdma-check-number-of-pages-when-c.patch @@ -0,0 +1,48 @@ +From: Prasad J Pandit +Date: Thu, 13 Dec 2018 01:00:36 +0530 +Subject: pvrdma: check number of pages when creating rings + +When creating CQ/QP rings, an object can have up to +PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter +to avoid excessive memory allocation or a null dereference. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Yuval Shaia +Signed-off-by: Marcel Apfelbaum +(cherry picked from commit 2c858ce5da8ae6689c75182b73bc455a291cad41) +[BR: BSC#1119989 CVE-2018-20125] +Signed-off-by: Bruce Rogers +--- + hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c +index 4faeb21631..ce2514aacb 100644 +--- a/hw/rdma/vmw/pvrdma_cmd.c ++++ b/hw/rdma/vmw/pvrdma_cmd.c +@@ -261,6 +261,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring, + int rc = -EINVAL; + char ring_name[MAX_RING_NAME_SZ]; + ++ if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) { ++ pr_dbg("invalid nchunks: %d\n", nchunks); ++ return rc; ++ } ++ + pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); + dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); + if (!dir) { +@@ -377,6 +382,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma, + char ring_name[MAX_RING_NAME_SZ]; + uint32_t wqe_sz; + ++ if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES ++ || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) { ++ pr_dbg("invalid pages: %d, %d\n", spages, rpages); ++ return rc; ++ } ++ + pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma); + dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE); + if (!dir) { diff --git a/0051-pvrdma-check-return-value-from-pvrd.patch b/0051-pvrdma-check-return-value-from-pvrd.patch new file mode 100644 index 00000000..85914f93 --- /dev/null +++ b/0051-pvrdma-check-return-value-from-pvrd.patch @@ -0,0 +1,79 @@ +From: Prasad J Pandit +Date: Thu, 13 Dec 2018 01:00:39 +0530 +Subject: pvrdma: check return value from pvrdma_idx_ring_has_ routines + +pvrdma_idx_ring_has_[data/space] routines also return invalid +index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check +return value from these routines to avoid plausible infinite loops. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Yuval Shaia +Signed-off-by: Marcel Apfelbaum +(cherry picked from commit f1e2e38ee0136b7710a2caa347049818afd57a1b) +[BR: BSC#1119984 CVE-2018-20216] +Signed-off-by: Bruce Rogers +--- + hw/rdma/vmw/pvrdma_dev_ring.c | 29 +++++++++++------------------ + 1 file changed, 11 insertions(+), 18 deletions(-) + +diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c +index 01247fc041..e8e5b502f6 100644 +--- a/hw/rdma/vmw/pvrdma_dev_ring.c ++++ b/hw/rdma/vmw/pvrdma_dev_ring.c +@@ -73,23 +73,16 @@ out: + + void *pvrdma_ring_next_elem_read(PvrdmaRing *ring) + { ++ int e; + unsigned int idx = 0, offset; + +- /* +- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail, +- ring->ring_state->cons_head); +- */ +- +- if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) { ++ e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx); ++ if (e <= 0) { + pr_dbg("No more data in ring\n"); + return NULL; + } + + offset = idx * ring->elem_sz; +- /* +- pr_dbg("idx=%d\n", idx); +- pr_dbg("offset=%d\n", offset); +- */ + return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE); + } + +@@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring) + + void *pvrdma_ring_next_elem_write(PvrdmaRing *ring) + { +- unsigned int idx, offset, tail; ++ int idx; ++ unsigned int offset, tail; + +- /* +- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail, +- ring->ring_state->cons_head); +- */ +- +- if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) { ++ idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail); ++ if (idx <= 0) { + pr_dbg("CQ is full\n"); + return NULL; + } + + idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems); +- /* TODO: tail == idx */ ++ if (idx < 0 || tail != idx) { ++ pr_dbg("invalid idx\n"); ++ return NULL; ++ } + + offset = idx * ring->elem_sz; + return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE); diff --git a/0052-pvrdma-release-ring-object-in-case-.patch b/0052-pvrdma-release-ring-object-in-case-.patch new file mode 100644 index 00000000..681fe58b --- /dev/null +++ b/0052-pvrdma-release-ring-object-in-case-.patch @@ -0,0 +1,103 @@ +From: Prasad J Pandit +Date: Thu, 13 Dec 2018 01:00:37 +0530 +Subject: pvrdma: release ring object in case of an error + +create_cq and create_qp routines allocate ring object, but it's +not released in case of an error, leading to memory leakage. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Yuval Shaia +Signed-off-by: Marcel Apfelbaum +(cherry picked from commit 509f57c98e7536905bb4902363d0cba66ce7e089) +[BR: BSC#1119991 CVE-2018-20126] +Signed-off-by: Bruce Rogers +--- + hw/rdma/vmw/pvrdma_cmd.c | 39 ++++++++++++++++++++++++++++----------- + 1 file changed, 28 insertions(+), 11 deletions(-) + +diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c +index ce2514aacb..51da4a1c40 100644 +--- a/hw/rdma/vmw/pvrdma_cmd.c ++++ b/hw/rdma/vmw/pvrdma_cmd.c +@@ -315,6 +315,14 @@ out: + return rc; + } + ++static void destroy_cq_ring(PvrdmaRing *ring) ++{ ++ pvrdma_ring_free(ring); ++ /* ring_state was in slot 1, not 0 so need to jump back */ ++ rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE); ++ g_free(ring); ++} ++ + static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req, + union pvrdma_cmd_resp *rsp) + { +@@ -338,6 +346,9 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req, + + resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev, + cmd->cqe, &resp->cq_handle, ring); ++ if (resp->hdr.err) { ++ destroy_cq_ring(ring); ++ } + resp->cqe = cmd->cqe; + + out: +@@ -361,10 +372,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req, + } + + ring = (PvrdmaRing *)cq->opaque; +- pvrdma_ring_free(ring); +- /* ring_state was in slot 1, not 0 so need to jump back */ +- rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE); +- g_free(ring); ++ destroy_cq_ring(ring); + + rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle); + +@@ -462,6 +470,17 @@ out: + return rc; + } + ++static void destroy_qp_rings(PvrdmaRing *ring) ++{ ++ pr_dbg("sring=%p\n", &ring[0]); ++ pvrdma_ring_free(&ring[0]); ++ pr_dbg("rring=%p\n", &ring[1]); ++ pvrdma_ring_free(&ring[1]); ++ ++ rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE); ++ g_free(ring); ++} ++ + static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req, + union pvrdma_cmd_resp *rsp) + { +@@ -492,6 +511,10 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req, + cmd->max_send_sge, cmd->send_cq_handle, + cmd->max_recv_wr, cmd->max_recv_sge, + cmd->recv_cq_handle, rings, &resp->qpn); ++ if (resp->hdr.err) { ++ destroy_qp_rings(rings); ++ return resp->hdr.err; ++ } + + resp->max_send_wr = cmd->max_send_wr; + resp->max_recv_wr = cmd->max_recv_wr; +@@ -566,13 +589,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req, + rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle); + + ring = (PvrdmaRing *)qp->opaque; +- pr_dbg("sring=%p\n", &ring[0]); +- pvrdma_ring_free(&ring[0]); +- pr_dbg("rring=%p\n", &ring[1]); +- pvrdma_ring_free(&ring[1]); +- +- rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE); +- g_free(ring); ++ destroy_qp_rings(ring); + + return 0; + } diff --git a/0053-block-Fix-hangs-in-synchronous-APIs.patch b/0053-block-Fix-hangs-in-synchronous-APIs.patch new file mode 100644 index 00000000..af1ff763 --- /dev/null +++ b/0053-block-Fix-hangs-in-synchronous-APIs.patch @@ -0,0 +1,637 @@ +From: Kevin Wolf +Date: Wed, 9 Jan 2019 11:10:07 -0700 +Subject: block: Fix hangs in synchronous APIs with iothreads + +In the block layer, synchronous APIs are often implemented by creating a +coroutine that calls the asynchronous coroutine-based implementation and +then waiting for completion with BDRV_POLL_WHILE(). + +For this to work with iothreads (more specifically, when the synchronous +API is called in a thread that is not the home thread of the block +device, so that the coroutine will run in a different thread), we must +make sure to call aio_wait_kick() at the end of the operation. Many +places are missing this, so that BDRV_POLL_WHILE() keeps hanging even if +the condition has long become false. + +Note that bdrv_dec_in_flight() involves an aio_wait_kick() call. This +corresponds to the BDRV_POLL_WHILE() in the drain functions, but it is +generally not enough for most other operations because they haven't set +the return value in the coroutine entry stub yet. To avoid race +conditions there, we need to kick after setting the return value. + +The race window is small enough that the problem doesn't usually surface +in the common path. However, it does surface and causes easily +reproducible hangs if the operation can return early before even calling +bdrv_inc/dec_in_flight, which many of them do (trivial error or no-op +success paths). + +The bug in bdrv_truncate(), bdrv_check() and bdrv_invalidate_cache() is +slightly different: These functions even neglected to schedule the +coroutine in the home thread of the node. This avoids the hang, but is +obviously wrong, too. Fix those to schedule the coroutine in the right +AioContext in addition to adding aio_wait_kick() calls. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Kevin Wolf +Signed-off-by: Bruce Rogers +--- + block.c | 6 +- + block/block-backend.c | 5 + + block/io.c | 8 +- + block/nbd-client.c | 1 + + block/nvme.c | 1 + + block/qcow2.c | 1 + + block/qed.c | 1 + + tests/Makefile.include | 2 + + tests/test-block-iothread.c | 372 ++++++++++++++++++++++++++++++++++++ + 9 files changed, 394 insertions(+), 3 deletions(-) + +diff --git a/block.c b/block.c +index 811239ca23..79d48d7d78 100644 +--- a/block.c ++++ b/block.c +@@ -3736,6 +3736,7 @@ static void bdrv_check_co_entry(void *opaque) + { + CheckCo *cco = opaque; + cco->ret = bdrv_co_check(cco->bs, cco->res, cco->fix); ++ aio_wait_kick(); + } + + int bdrv_check(BlockDriverState *bs, +@@ -3754,7 +3755,7 @@ int bdrv_check(BlockDriverState *bs, + bdrv_check_co_entry(&cco); + } else { + co = qemu_coroutine_create(bdrv_check_co_entry, &cco); +- qemu_coroutine_enter(co); ++ bdrv_coroutine_enter(bs, co); + BDRV_POLL_WHILE(bs, cco.ret == -EINPROGRESS); + } + +@@ -4571,6 +4572,7 @@ static void coroutine_fn bdrv_invalidate_cache_co_entry(void *opaque) + InvalidateCacheCo *ico = opaque; + bdrv_co_invalidate_cache(ico->bs, ico->errp); + ico->done = true; ++ aio_wait_kick(); + } + + void bdrv_invalidate_cache(BlockDriverState *bs, Error **errp) +@@ -4587,7 +4589,7 @@ void bdrv_invalidate_cache(BlockDriverState *bs, Error **errp) + bdrv_invalidate_cache_co_entry(&ico); + } else { + co = qemu_coroutine_create(bdrv_invalidate_cache_co_entry, &ico); +- qemu_coroutine_enter(co); ++ bdrv_coroutine_enter(bs, co); + BDRV_POLL_WHILE(bs, !ico.done); + } + } +diff --git a/block/block-backend.c b/block/block-backend.c +index 1d41622942..35e3edb861 100644 +--- a/block/block-backend.c ++++ b/block/block-backend.c +@@ -1223,6 +1223,7 @@ static void blk_read_entry(void *opaque) + + rwco->ret = blk_co_preadv(rwco->blk, rwco->offset, qiov->size, + qiov, rwco->flags); ++ aio_wait_kick(); + } + + static void blk_write_entry(void *opaque) +@@ -1232,6 +1233,7 @@ static void blk_write_entry(void *opaque) + + rwco->ret = blk_co_pwritev(rwco->blk, rwco->offset, qiov->size, + qiov, rwco->flags); ++ aio_wait_kick(); + } + + static int blk_prw(BlockBackend *blk, int64_t offset, uint8_t *buf, +@@ -1543,6 +1545,7 @@ static void blk_ioctl_entry(void *opaque) + + rwco->ret = blk_co_ioctl(rwco->blk, rwco->offset, + qiov->iov[0].iov_base); ++ aio_wait_kick(); + } + + int blk_ioctl(BlockBackend *blk, unsigned long int req, void *buf) +@@ -1589,6 +1592,7 @@ static void blk_flush_entry(void *opaque) + { + BlkRwCo *rwco = opaque; + rwco->ret = blk_co_flush(rwco->blk); ++ aio_wait_kick(); + } + + int blk_flush(BlockBackend *blk) +@@ -2028,6 +2032,7 @@ static void blk_pdiscard_entry(void *opaque) + QEMUIOVector *qiov = rwco->iobuf; + + rwco->ret = blk_co_pdiscard(rwco->blk, rwco->offset, qiov->size); ++ aio_wait_kick(); + } + + int blk_pdiscard(BlockBackend *blk, int64_t offset, int bytes) +diff --git a/block/io.c b/block/io.c +index bd9d688f8b..213ca03d8d 100644 +--- a/block/io.c ++++ b/block/io.c +@@ -806,6 +806,7 @@ static void coroutine_fn bdrv_rw_co_entry(void *opaque) + rwco->qiov->size, rwco->qiov, + rwco->flags); + } ++ aio_wait_kick(); + } + + /* +@@ -2279,6 +2280,7 @@ static void coroutine_fn bdrv_block_status_above_co_entry(void *opaque) + data->offset, data->bytes, + data->pnum, data->map, data->file); + data->done = true; ++ aio_wait_kick(); + } + + /* +@@ -2438,6 +2440,7 @@ static void coroutine_fn bdrv_co_rw_vmstate_entry(void *opaque) + { + BdrvVmstateCo *co = opaque; + co->ret = bdrv_co_rw_vmstate(co->bs, co->qiov, co->pos, co->is_read); ++ aio_wait_kick(); + } + + static inline int +@@ -2559,6 +2562,7 @@ static void coroutine_fn bdrv_flush_co_entry(void *opaque) + FlushCo *rwco = opaque; + + rwco->ret = bdrv_co_flush(rwco->bs); ++ aio_wait_kick(); + } + + int coroutine_fn bdrv_co_flush(BlockDriverState *bs) +@@ -2704,6 +2708,7 @@ static void coroutine_fn bdrv_pdiscard_co_entry(void *opaque) + DiscardCo *rwco = opaque; + + rwco->ret = bdrv_co_pdiscard(rwco->child, rwco->offset, rwco->bytes); ++ aio_wait_kick(); + } + + int coroutine_fn bdrv_co_pdiscard(BdrvChild *child, int64_t offset, int bytes) +@@ -3217,6 +3222,7 @@ static void coroutine_fn bdrv_truncate_co_entry(void *opaque) + TruncateCo *tco = opaque; + tco->ret = bdrv_co_truncate(tco->child, tco->offset, tco->prealloc, + tco->errp); ++ aio_wait_kick(); + } + + int bdrv_truncate(BdrvChild *child, int64_t offset, PreallocMode prealloc, +@@ -3236,7 +3242,7 @@ int bdrv_truncate(BdrvChild *child, int64_t offset, PreallocMode prealloc, + bdrv_truncate_co_entry(&tco); + } else { + co = qemu_coroutine_create(bdrv_truncate_co_entry, &tco); +- qemu_coroutine_enter(co); ++ bdrv_coroutine_enter(child->bs, co); + BDRV_POLL_WHILE(child->bs, tco.ret == NOT_DONE); + } + +diff --git a/block/nbd-client.c b/block/nbd-client.c +index fc5b7eda8e..a6b5605c0b 100644 +--- a/block/nbd-client.c ++++ b/block/nbd-client.c +@@ -116,6 +116,7 @@ static coroutine_fn void nbd_read_reply_entry(void *opaque) + s->quit = true; + nbd_recv_coroutines_wake_all(s); + s->read_reply_co = NULL; ++ aio_wait_kick(); + } + + static int nbd_co_send_request(BlockDriverState *bs, +diff --git a/block/nvme.c b/block/nvme.c +index 29294038fc..36779fdd3d 100644 +--- a/block/nvme.c ++++ b/block/nvme.c +@@ -390,6 +390,7 @@ static void nvme_cmd_sync_cb(void *opaque, int ret) + { + int *pret = opaque; + *pret = ret; ++ aio_wait_kick(); + } + + static int nvme_cmd_sync(BlockDriverState *bs, NVMeQueuePair *q, +diff --git a/block/qcow2.c b/block/qcow2.c +index 991d6ac91b..9334414513 100644 +--- a/block/qcow2.c ++++ b/block/qcow2.c +@@ -1665,6 +1665,7 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags, + /* From bdrv_co_create. */ + qcow2_open_entry(&qoc); + } else { ++ assert(qemu_get_current_aio_context() == qemu_get_aio_context()); + qemu_coroutine_enter(qemu_coroutine_create(qcow2_open_entry, &qoc)); + BDRV_POLL_WHILE(bs, qoc.ret == -EINPROGRESS); + } +diff --git a/block/qed.c b/block/qed.c +index 9377c0b7ad..1280870024 100644 +--- a/block/qed.c ++++ b/block/qed.c +@@ -559,6 +559,7 @@ static int bdrv_qed_open(BlockDriverState *bs, QDict *options, int flags, + if (qemu_in_coroutine()) { + bdrv_qed_open_entry(&qoc); + } else { ++ assert(qemu_get_current_aio_context() == qemu_get_aio_context()); + qemu_coroutine_enter(qemu_coroutine_create(bdrv_qed_open_entry, &qoc)); + BDRV_POLL_WHILE(bs, qoc.ret == -EINPROGRESS); + } +diff --git a/tests/Makefile.include b/tests/Makefile.include +index d6f67eed85..5682e41384 100644 +--- a/tests/Makefile.include ++++ b/tests/Makefile.include +@@ -70,6 +70,7 @@ check-unit-y += tests/test-bdrv-drain$(EXESUF) + check-unit-y += tests/test-blockjob$(EXESUF) + check-unit-y += tests/test-blockjob-txn$(EXESUF) + check-unit-y += tests/test-block-backend$(EXESUF) ++check-unit-y += tests/test-block-iothread$(EXESUF) + check-unit-y += tests/test-image-locking$(EXESUF) + check-unit-y += tests/test-x86-cpuid$(EXESUF) + # all code tested by test-x86-cpuid is inside topology.h +@@ -541,6 +542,7 @@ tests/test-bdrv-drain$(EXESUF): tests/test-bdrv-drain.o $(test-block-obj-y) $(te + tests/test-blockjob$(EXESUF): tests/test-blockjob.o $(test-block-obj-y) $(test-util-obj-y) + tests/test-blockjob-txn$(EXESUF): tests/test-blockjob-txn.o $(test-block-obj-y) $(test-util-obj-y) + tests/test-block-backend$(EXESUF): tests/test-block-backend.o $(test-block-obj-y) $(test-util-obj-y) ++tests/test-block-iothread$(EXESUF): tests/test-block-iothread.o $(test-block-obj-y) $(test-util-obj-y) + tests/test-image-locking$(EXESUF): tests/test-image-locking.o $(test-block-obj-y) $(test-util-obj-y) + tests/test-thread-pool$(EXESUF): tests/test-thread-pool.o $(test-block-obj-y) + tests/test-iov$(EXESUF): tests/test-iov.o $(test-util-obj-y) +diff --git a/tests/test-block-iothread.c b/tests/test-block-iothread.c +new file mode 100644 +index 0000000000..97ac0b159d +--- /dev/null ++++ b/tests/test-block-iothread.c +@@ -0,0 +1,372 @@ ++/* ++ * Block tests for iothreads ++ * ++ * Copyright (c) 2018 Kevin Wolf ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in ++ * all copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN ++ * THE SOFTWARE. ++ */ ++ ++#include "qemu/osdep.h" ++#include "block/block.h" ++#include "block/blockjob_int.h" ++#include "sysemu/block-backend.h" ++#include "qapi/error.h" ++#include "iothread.h" ++ ++static int coroutine_fn bdrv_test_co_prwv(BlockDriverState *bs, ++ uint64_t offset, uint64_t bytes, ++ QEMUIOVector *qiov, int flags) ++{ ++ return 0; ++} ++ ++static int coroutine_fn bdrv_test_co_pdiscard(BlockDriverState *bs, ++ int64_t offset, int bytes) ++{ ++ return 0; ++} ++ ++static int coroutine_fn ++bdrv_test_co_truncate(BlockDriverState *bs, int64_t offset, ++ PreallocMode prealloc, Error **errp) ++{ ++ return 0; ++} ++ ++static int coroutine_fn bdrv_test_co_block_status(BlockDriverState *bs, ++ bool want_zero, ++ int64_t offset, int64_t count, ++ int64_t *pnum, int64_t *map, ++ BlockDriverState **file) ++{ ++ *pnum = count; ++ return 0; ++} ++ ++static BlockDriver bdrv_test = { ++ .format_name = "test", ++ .instance_size = 1, ++ ++ .bdrv_co_preadv = bdrv_test_co_prwv, ++ .bdrv_co_pwritev = bdrv_test_co_prwv, ++ .bdrv_co_pdiscard = bdrv_test_co_pdiscard, ++ .bdrv_co_truncate = bdrv_test_co_truncate, ++ .bdrv_co_block_status = bdrv_test_co_block_status, ++}; ++ ++static void test_sync_op_pread(BdrvChild *c) ++{ ++ uint8_t buf[512]; ++ int ret; ++ ++ /* Success */ ++ ret = bdrv_pread(c, 0, buf, sizeof(buf)); ++ g_assert_cmpint(ret, ==, 512); ++ ++ /* Early error: Negative offset */ ++ ret = bdrv_pread(c, -2, buf, sizeof(buf)); ++ g_assert_cmpint(ret, ==, -EIO); ++} ++ ++static void test_sync_op_pwrite(BdrvChild *c) ++{ ++ uint8_t buf[512]; ++ int ret; ++ ++ /* Success */ ++ ret = bdrv_pwrite(c, 0, buf, sizeof(buf)); ++ g_assert_cmpint(ret, ==, 512); ++ ++ /* Early error: Negative offset */ ++ ret = bdrv_pwrite(c, -2, buf, sizeof(buf)); ++ g_assert_cmpint(ret, ==, -EIO); ++} ++ ++static void test_sync_op_blk_pread(BlockBackend *blk) ++{ ++ uint8_t buf[512]; ++ int ret; ++ ++ /* Success */ ++ ret = blk_pread(blk, 0, buf, sizeof(buf)); ++ g_assert_cmpint(ret, ==, 512); ++ ++ /* Early error: Negative offset */ ++ ret = blk_pread(blk, -2, buf, sizeof(buf)); ++ g_assert_cmpint(ret, ==, -EIO); ++} ++ ++static void test_sync_op_blk_pwrite(BlockBackend *blk) ++{ ++ uint8_t buf[512]; ++ int ret; ++ ++ /* Success */ ++ ret = blk_pwrite(blk, 0, buf, sizeof(buf), 0); ++ g_assert_cmpint(ret, ==, 512); ++ ++ /* Early error: Negative offset */ ++ ret = blk_pwrite(blk, -2, buf, sizeof(buf), 0); ++ g_assert_cmpint(ret, ==, -EIO); ++} ++ ++static void test_sync_op_load_vmstate(BdrvChild *c) ++{ ++ uint8_t buf[512]; ++ int ret; ++ ++ /* Error: Driver does not support snapshots */ ++ ret = bdrv_load_vmstate(c->bs, buf, 0, sizeof(buf)); ++ g_assert_cmpint(ret, ==, -ENOTSUP); ++} ++ ++static void test_sync_op_save_vmstate(BdrvChild *c) ++{ ++ uint8_t buf[512]; ++ int ret; ++ ++ /* Error: Driver does not support snapshots */ ++ ret = bdrv_save_vmstate(c->bs, buf, 0, sizeof(buf)); ++ g_assert_cmpint(ret, ==, -ENOTSUP); ++} ++ ++static void test_sync_op_pdiscard(BdrvChild *c) ++{ ++ int ret; ++ ++ /* Normal success path */ ++ c->bs->open_flags |= BDRV_O_UNMAP; ++ ret = bdrv_pdiscard(c, 0, 512); ++ g_assert_cmpint(ret, ==, 0); ++ ++ /* Early success: UNMAP not supported */ ++ c->bs->open_flags &= ~BDRV_O_UNMAP; ++ ret = bdrv_pdiscard(c, 0, 512); ++ g_assert_cmpint(ret, ==, 0); ++ ++ /* Early error: Negative offset */ ++ ret = bdrv_pdiscard(c, -2, 512); ++ g_assert_cmpint(ret, ==, -EIO); ++} ++ ++static void test_sync_op_blk_pdiscard(BlockBackend *blk) ++{ ++ int ret; ++ ++ /* Early success: UNMAP not supported */ ++ ret = blk_pdiscard(blk, 0, 512); ++ g_assert_cmpint(ret, ==, 0); ++ ++ /* Early error: Negative offset */ ++ ret = blk_pdiscard(blk, -2, 512); ++ g_assert_cmpint(ret, ==, -EIO); ++} ++ ++static void test_sync_op_truncate(BdrvChild *c) ++{ ++ int ret; ++ ++ /* Normal success path */ ++ ret = bdrv_truncate(c, 65536, PREALLOC_MODE_OFF, NULL); ++ g_assert_cmpint(ret, ==, 0); ++ ++ /* Early error: Negative offset */ ++ ret = bdrv_truncate(c, -2, PREALLOC_MODE_OFF, NULL); ++ g_assert_cmpint(ret, ==, -EINVAL); ++ ++ /* Error: Read-only image */ ++ c->bs->read_only = true; ++ c->bs->open_flags &= ~BDRV_O_RDWR; ++ ++ ret = bdrv_truncate(c, 65536, PREALLOC_MODE_OFF, NULL); ++ g_assert_cmpint(ret, ==, -EACCES); ++ ++ c->bs->read_only = false; ++ c->bs->open_flags |= BDRV_O_RDWR; ++} ++ ++static void test_sync_op_block_status(BdrvChild *c) ++{ ++ int ret; ++ int64_t n; ++ ++ /* Normal success path */ ++ ret = bdrv_is_allocated(c->bs, 0, 65536, &n); ++ g_assert_cmpint(ret, ==, 0); ++ ++ /* Early success: No driver support */ ++ bdrv_test.bdrv_co_block_status = NULL; ++ ret = bdrv_is_allocated(c->bs, 0, 65536, &n); ++ g_assert_cmpint(ret, ==, 1); ++ ++ /* Early success: bytes = 0 */ ++ ret = bdrv_is_allocated(c->bs, 0, 0, &n); ++ g_assert_cmpint(ret, ==, 0); ++ ++ /* Early success: Offset > image size*/ ++ ret = bdrv_is_allocated(c->bs, 0x1000000, 0x1000000, &n); ++ g_assert_cmpint(ret, ==, 0); ++} ++ ++static void test_sync_op_flush(BdrvChild *c) ++{ ++ int ret; ++ ++ /* Normal success path */ ++ ret = bdrv_flush(c->bs); ++ g_assert_cmpint(ret, ==, 0); ++ ++ /* Early success: Read-only image */ ++ c->bs->read_only = true; ++ c->bs->open_flags &= ~BDRV_O_RDWR; ++ ++ ret = bdrv_flush(c->bs); ++ g_assert_cmpint(ret, ==, 0); ++ ++ c->bs->read_only = false; ++ c->bs->open_flags |= BDRV_O_RDWR; ++} ++ ++static void test_sync_op_blk_flush(BlockBackend *blk) ++{ ++ BlockDriverState *bs = blk_bs(blk); ++ int ret; ++ ++ /* Normal success path */ ++ ret = blk_flush(blk); ++ g_assert_cmpint(ret, ==, 0); ++ ++ /* Early success: Read-only image */ ++ bs->read_only = true; ++ bs->open_flags &= ~BDRV_O_RDWR; ++ ++ ret = blk_flush(blk); ++ g_assert_cmpint(ret, ==, 0); ++ ++ bs->read_only = false; ++ bs->open_flags |= BDRV_O_RDWR; ++} ++ ++static void test_sync_op_check(BdrvChild *c) ++{ ++ BdrvCheckResult result; ++ int ret; ++ ++ /* Error: Driver does not implement check */ ++ ret = bdrv_check(c->bs, &result, 0); ++ g_assert_cmpint(ret, ==, -ENOTSUP); ++} ++ ++static void test_sync_op_invalidate_cache(BdrvChild *c) ++{ ++ /* Early success: Image is not inactive */ ++ bdrv_invalidate_cache(c->bs, NULL); ++} ++ ++ ++typedef struct SyncOpTest { ++ const char *name; ++ void (*fn)(BdrvChild *c); ++ void (*blkfn)(BlockBackend *blk); ++} SyncOpTest; ++ ++const SyncOpTest sync_op_tests[] = { ++ { ++ .name = "/sync-op/pread", ++ .fn = test_sync_op_pread, ++ .blkfn = test_sync_op_blk_pread, ++ }, { ++ .name = "/sync-op/pwrite", ++ .fn = test_sync_op_pwrite, ++ .blkfn = test_sync_op_blk_pwrite, ++ }, { ++ .name = "/sync-op/load_vmstate", ++ .fn = test_sync_op_load_vmstate, ++ }, { ++ .name = "/sync-op/save_vmstate", ++ .fn = test_sync_op_save_vmstate, ++ }, { ++ .name = "/sync-op/pdiscard", ++ .fn = test_sync_op_pdiscard, ++ .blkfn = test_sync_op_blk_pdiscard, ++ }, { ++ .name = "/sync-op/truncate", ++ .fn = test_sync_op_truncate, ++ }, { ++ .name = "/sync-op/block_status", ++ .fn = test_sync_op_block_status, ++ }, { ++ .name = "/sync-op/flush", ++ .fn = test_sync_op_flush, ++ .blkfn = test_sync_op_blk_flush, ++ }, { ++ .name = "/sync-op/check", ++ .fn = test_sync_op_check, ++ }, { ++ .name = "/sync-op/invalidate_cache", ++ .fn = test_sync_op_invalidate_cache, ++ }, ++}; ++ ++/* Test synchronous operations that run in a different iothread, so we have to ++ * poll for the coroutine there to return. */ ++static void test_sync_op(const void *opaque) ++{ ++ const SyncOpTest *t = opaque; ++ IOThread *iothread = iothread_new(); ++ AioContext *ctx = iothread_get_aio_context(iothread); ++ BlockBackend *blk; ++ BlockDriverState *bs; ++ BdrvChild *c; ++ ++ blk = blk_new(BLK_PERM_ALL, BLK_PERM_ALL); ++ bs = bdrv_new_open_driver(&bdrv_test, "base", BDRV_O_RDWR, &error_abort); ++ bs->total_sectors = 65536 / BDRV_SECTOR_SIZE; ++ blk_insert_bs(blk, bs, &error_abort); ++ c = QLIST_FIRST(&bs->parents); ++ ++ blk_set_aio_context(blk, ctx); ++ aio_context_acquire(ctx); ++ t->fn(c); ++ if (t->blkfn) { ++ t->blkfn(blk); ++ } ++ aio_context_release(ctx); ++ blk_set_aio_context(blk, qemu_get_aio_context()); ++ ++ bdrv_unref(bs); ++ blk_unref(blk); ++} ++ ++int main(int argc, char **argv) ++{ ++ int i; ++ ++ bdrv_init(); ++ qemu_init_main_loop(&error_abort); ++ ++ g_test_init(&argc, &argv, NULL); ++ ++ for (i = 0; i < ARRAY_SIZE(sync_op_tests); i++) { ++ const SyncOpTest *t = &sync_op_tests[i]; ++ g_test_add_data_func(t->name, t, test_sync_op); ++ } ++ ++ return g_test_run(); ++} diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes index 15a7690a..634d0ad9 100644 --- a/qemu-linux-user.changes +++ b/qemu-linux-user.changes @@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Thu Jan 10 18:03:30 UTC 2019 - Bruce Rogers + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 +* Patches added: + 0041-vfio-ap-flag-as-compatible-with-bal.patch + 0042-hw-s390x-Fix-bad-mask-in-time2tod.patch + 0043-pcie-set-link-state-inactive-active.patch + 0044-pc-piix4-Update-smbus-I-O-space-aft.patch + 0045-hw-usb-fix-mistaken-de-initializati.patch + 0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch + 0047-pvrdma-release-device-resources-in-.patch + 0048-rdma-check-num_sge-does-not-exceed-.patch + 0049-pvrdma-add-uar_read-routine.patch + 0050-pvrdma-check-number-of-pages-when-c.patch + 0051-pvrdma-check-return-value-from-pvrd.patch + 0052-pvrdma-release-ring-object-in-case-.patch + 0053-block-Fix-hangs-in-synchronous-APIs.patch + ------------------------------------------------------------------- Tue Jan 8 13:41:35 UTC 2019 - olaf@aepfle.de diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec index 97807e11..cdf750ff 100644 --- a/qemu-linux-user.spec +++ b/qemu-linux-user.spec @@ -72,6 +72,19 @@ Patch0037: 0037-tests-qemu-iotests-Triple-timeout-o.patch Patch0038: 0038-tests-block-io-test-130-needs-some-.patch Patch0039: 0039-xen_disk-Avoid-repeated-memory-allo.patch Patch0040: 0040-xen-ignore-live-parameter-from-xen-.patch +Patch0041: 0041-vfio-ap-flag-as-compatible-with-bal.patch +Patch0042: 0042-hw-s390x-Fix-bad-mask-in-time2tod.patch +Patch0043: 0043-pcie-set-link-state-inactive-active.patch +Patch0044: 0044-pc-piix4-Update-smbus-I-O-space-aft.patch +Patch0045: 0045-hw-usb-fix-mistaken-de-initializati.patch +Patch0046: 0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch +Patch0047: 0047-pvrdma-release-device-resources-in-.patch +Patch0048: 0048-rdma-check-num_sge-does-not-exceed-.patch +Patch0049: 0049-pvrdma-add-uar_read-routine.patch +Patch0050: 0050-pvrdma-check-number-of-pages-when-c.patch +Patch0051: 0051-pvrdma-check-return-value-from-pvrd.patch +Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch +Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. ExcludeArch: s390 @@ -143,6 +156,19 @@ syscall layer occurs on the native hardware and operating system. %patch0038 -p1 %patch0039 -p1 %patch0040 -p1 +%patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 +%patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 +%patch0049 -p1 +%patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 %build ./configure \ diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes index 5e3fa3f3..4294548c 100644 --- a/qemu-testsuite.changes +++ b/qemu-testsuite.changes @@ -1,3 +1,33 @@ +------------------------------------------------------------------- +Thu Jan 10 18:03:29 UTC 2019 - Bruce Rogers + +- include post v3.1.0 patches marked for next stable release: + 0041-vfio-ap-flag-as-compatible-with-bal.patch + 0042-hw-s390x-Fix-bad-mask-in-time2tod.patch + 0043-pcie-set-link-state-inactive-active.patch + 0044-pc-piix4-Update-smbus-I-O-space-aft.patch + 0045-hw-usb-fix-mistaken-de-initializati.patch +- Address various security/stability issues +* Fix host access vulnerability in usb-mtp infrastructure + (CVE-2018-16872 bsc#1119493) + 0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch +* Fix DoS in pvrdma interface (CVE-2018-20123 bsc#1119437) + 0047-pvrdma-release-device-resources-in-.patch +* Fix OOB access issue in rdma backend (CVE-2018-20124 bsc#1119840) + 0048-rdma-check-num_sge-does-not-exceed-.patch +* Fix NULL pointer reference in pvrdma emulation (CVE-2018-20191 + bsc#1119979) + 0049-pvrdma-add-uar_read-routine.patch +* Fix DoS in pvrdma interface (CVE-2018-20125 bsc#1119989) + 0050-pvrdma-check-number-of-pages-when-c.patch +* Fix DoS in pvrdma interface (CVE-2018-20216 bsc#1119984) + 0051-pvrdma-check-return-value-from-pvrd.patch +* Fix DoS in pvrdma interface (CVE-2018-20126 bsc#1119991) + 0052-pvrdma-release-ring-object-in-case-.patch +- one more post v3.1.0 patches marked for next stable release: + 0053-block-Fix-hangs-in-synchronous-APIs.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 + ------------------------------------------------------------------- Tue Jan 8 13:41:35 UTC 2019 - olaf@aepfle.de diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index cb5c4536..ba27d068 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec @@ -177,6 +177,19 @@ Patch0037: 0037-tests-qemu-iotests-Triple-timeout-o.patch Patch0038: 0038-tests-block-io-test-130-needs-some-.patch Patch0039: 0039-xen_disk-Avoid-repeated-memory-allo.patch Patch0040: 0040-xen-ignore-live-parameter-from-xen-.patch +Patch0041: 0041-vfio-ap-flag-as-compatible-with-bal.patch +Patch0042: 0042-hw-s390x-Fix-bad-mask-in-time2tod.patch +Patch0043: 0043-pcie-set-link-state-inactive-active.patch +Patch0044: 0044-pc-piix4-Update-smbus-I-O-space-aft.patch +Patch0045: 0045-hw-usb-fix-mistaken-de-initializati.patch +Patch0046: 0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch +Patch0047: 0047-pvrdma-release-device-resources-in-.patch +Patch0048: 0048-rdma-check-num_sge-does-not-exceed-.patch +Patch0049: 0049-pvrdma-add-uar_read-routine.patch +Patch0050: 0050-pvrdma-check-number-of-pages-when-c.patch +Patch0051: 0051-pvrdma-check-return-value-from-pvrd.patch +Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch +Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -945,6 +958,19 @@ This package provides a service file for starting and stopping KSM. %patch0038 -p1 %patch0039 -p1 %patch0040 -p1 +%patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 +%patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 +%patch0049 -p1 +%patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 pushd roms/seabios %patch1100 -p1 diff --git a/qemu.changes b/qemu.changes index 5e3fa3f3..4294548c 100644 --- a/qemu.changes +++ b/qemu.changes @@ -1,3 +1,33 @@ +------------------------------------------------------------------- +Thu Jan 10 18:03:29 UTC 2019 - Bruce Rogers + +- include post v3.1.0 patches marked for next stable release: + 0041-vfio-ap-flag-as-compatible-with-bal.patch + 0042-hw-s390x-Fix-bad-mask-in-time2tod.patch + 0043-pcie-set-link-state-inactive-active.patch + 0044-pc-piix4-Update-smbus-I-O-space-aft.patch + 0045-hw-usb-fix-mistaken-de-initializati.patch +- Address various security/stability issues +* Fix host access vulnerability in usb-mtp infrastructure + (CVE-2018-16872 bsc#1119493) + 0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch +* Fix DoS in pvrdma interface (CVE-2018-20123 bsc#1119437) + 0047-pvrdma-release-device-resources-in-.patch +* Fix OOB access issue in rdma backend (CVE-2018-20124 bsc#1119840) + 0048-rdma-check-num_sge-does-not-exceed-.patch +* Fix NULL pointer reference in pvrdma emulation (CVE-2018-20191 + bsc#1119979) + 0049-pvrdma-add-uar_read-routine.patch +* Fix DoS in pvrdma interface (CVE-2018-20125 bsc#1119989) + 0050-pvrdma-check-number-of-pages-when-c.patch +* Fix DoS in pvrdma interface (CVE-2018-20216 bsc#1119984) + 0051-pvrdma-check-return-value-from-pvrd.patch +* Fix DoS in pvrdma interface (CVE-2018-20126 bsc#1119991) + 0052-pvrdma-release-ring-object-in-case-.patch +- one more post v3.1.0 patches marked for next stable release: + 0053-block-Fix-hangs-in-synchronous-APIs.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 + ------------------------------------------------------------------- Tue Jan 8 13:41:35 UTC 2019 - olaf@aepfle.de diff --git a/qemu.spec b/qemu.spec index fb2e0fa2..22d0482f 100644 --- a/qemu.spec +++ b/qemu.spec @@ -177,6 +177,19 @@ Patch0037: 0037-tests-qemu-iotests-Triple-timeout-o.patch Patch0038: 0038-tests-block-io-test-130-needs-some-.patch Patch0039: 0039-xen_disk-Avoid-repeated-memory-allo.patch Patch0040: 0040-xen-ignore-live-parameter-from-xen-.patch +Patch0041: 0041-vfio-ap-flag-as-compatible-with-bal.patch +Patch0042: 0042-hw-s390x-Fix-bad-mask-in-time2tod.patch +Patch0043: 0043-pcie-set-link-state-inactive-active.patch +Patch0044: 0044-pc-piix4-Update-smbus-I-O-space-aft.patch +Patch0045: 0045-hw-usb-fix-mistaken-de-initializati.patch +Patch0046: 0046-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXE.patch +Patch0047: 0047-pvrdma-release-device-resources-in-.patch +Patch0048: 0048-rdma-check-num_sge-does-not-exceed-.patch +Patch0049: 0049-pvrdma-add-uar_read-routine.patch +Patch0050: 0050-pvrdma-check-number-of-pages-when-c.patch +Patch0051: 0051-pvrdma-check-return-value-from-pvrd.patch +Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch +Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -945,6 +958,19 @@ This package provides a service file for starting and stopping KSM. %patch0038 -p1 %patch0039 -p1 %patch0040 -p1 +%patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 +%patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 +%patch0049 -p1 +%patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 pushd roms/seabios %patch1100 -p1 diff --git a/update_git.sh b/update_git.sh index 7cd08e6d..50eaee75 100644 --- a/update_git.sh +++ b/update_git.sh @@ -76,15 +76,14 @@ if [ "$OLD_SOURCE_VERSION_AND_EXTRA" = "" ]; then echo "Warning: No tarball found" fi -if [[ $QEMU_TARBALL =~ $BASE_RE$EXTRA_RE$SUFFIX_RE ]]; then - OLD_COMMIT_ISH=${BASH_REMATCH[3]} -else - #Assume release (or release candidate) tarball with equivalent tag: - OLD_COMMIT_ISH=$(cd $GIT_LOCAL_TREE && git rev-list --abbrev-commit \ - --abbrev=9 -1 v$OLD_SOURCE_VERSION_AND_EXTRA) -fi - if [ "$GIT_UPSTREAM_COMMIT_ISH" = "LATEST" ]; then + if [[ $QEMU_TARBALL =~ $BASE_RE$EXTRA_RE$SUFFIX_RE ]]; then + OLD_COMMIT_ISH=${BASH_REMATCH[3]} + else + #Assume release (or release candidate) tarball with equivalent tag: + OLD_COMMIT_ISH=$(cd $GIT_LOCAL_TREE && git rev-list --abbrev-commit \ + --abbrev=9 -1 v$OLD_SOURCE_VERSION_AND_EXTRA) + fi if [ ${#QEMU_TARBALL_SIG[@]} -ne 0 ]; then echo "INFO: Ignoring signature file: $QEMU_TARBALL_SIG" QEMU_TARBALL_SIG=