- 01 Sep 2017, 13 commits
-
-
Committed by Greg Kurz

When using the mapped-file security mode, we shouldn't let the client mess with the metadata. The current code already tries to hide the metadata dir from the client by skipping it in local_readdir(). But the client can still access or modify it through several other operations. This can be used to escalate privileges in the guest.

Affected backend operations are:

- local_mknod()
- local_mkdir()
- local_open2()
- local_symlink()
- local_link()
- local_unlinkat()
- local_renameat()
- local_rename()
- local_name_to_path()

Other operations are safe because they are only passed a fid path, which is computed internally in local_name_to_path().

This patch converts all the functions listed above to fail and return EINVAL when being passed the name of the metadata dir. This may look like a poor choice for errno, but there's no such thing as an illegal path name on Linux and I could not think of anything better.

This fixes CVE-2017-7493.

Reported-by: Leo Gaspard <leo@gaspard.io>
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 7a95434e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Prasad J Pandit

While reading the magic sequence (MFI_SEQ) in megasas_mmio_write, an off-by-one error could occur as 's->adp_reset' index is not reset after reading the last sequence.

Reported-by: YY Z <bigbird475958471@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20170424120634.12268-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 24dfa9fa)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
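As an added illustration, not QEMU's code, the following C model shows the shape of that state machine: a guest-controlled index walks a fixed table, and the only thing keeping the index in bounds is that every transition resets it. The sequence values, the struct layout and the function names are constructed for the example. The handler is shown twice: once with the index left at the table length after the final match (the off-by-one, bounds-checked here so the example itself stays memory safe), and once with the reset the fix adds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed magic sequence; the real device model's values may differ. */
static const uint32_t adp_reset_seq[] = { 0x00, 0x04, 0x0b, 0x02, 0x07, 0x0d };
#define SEQ_LEN (sizeof(adp_reset_seq) / sizeof(adp_reset_seq[0]))

struct adapter {
    size_t adp_reset;   /* position of the next expected value */
    bool diag_enabled;  /* armed once the full sequence has been seen */
};

/* Shape of the bug: the last match advances the index to SEQ_LEN and
 * nothing brings it back, so the next guest write would index
 * adp_reset_seq[SEQ_LEN]. Here that state is detected and reported
 * instead of read. */
static bool mfi_seq_write_buggy(struct adapter *s, uint32_t val)
{
    if (s->adp_reset >= SEQ_LEN) {
        return false;               /* out-of-bounds index reached */
    }
    if (adp_reset_seq[s->adp_reset] == val) {
        s->adp_reset++;
    } else {
        s->adp_reset = 0;
        s->diag_enabled = false;
    }
    if (s->adp_reset == SEQ_LEN) {
        s->diag_enabled = true;     /* index stays at SEQ_LEN */
    }
    return true;
}

/* Fixed: every transition leaves the index inside [0, SEQ_LEN). */
static bool mfi_seq_write_fixed(struct adapter *s, uint32_t val)
{
    if (adp_reset_seq[s->adp_reset] == val) {
        s->adp_reset++;
    } else {
        s->adp_reset = 0;
        s->diag_enabled = false;
    }
    if (s->adp_reset == SEQ_LEN) {
        s->adp_reset = 0;           /* the missing reset */
        s->diag_enabled = true;
    }
    return s->adp_reset < SEQ_LEN;
}

/* Replay the full sequence `rounds` times through a handler and return
 * how many writes it processed while still in bounds. */
static size_t drive(bool (*handler)(struct adapter *, uint32_t),
                    struct adapter *s, size_t rounds)
{
    size_t ok = 0;
    for (size_t r = 0; r < rounds; r++) {
        for (size_t i = 0; i < SEQ_LEN; i++) {
            if (!handler(s, adp_reset_seq[i])) {
                return ok;
            }
            ok++;
        }
    }
    return ok;
}
```

The check worth carrying over to other MMIO handlers: after any write, the state that indexes a table must be provably within range, regardless of the order in which the guest issues writes.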
-
Committed by Gerd Hoffmann

AUD_add_capture() allocates two buffers which are never released. Add the missing calls to AUD_del_capture().

Impact: Allows vnc clients to exhaust host memory by repeatedly starting and stopping audio capture.

Fixes: CVE-2017-8309
Cc: P J P <ppandit@redhat.com>
Cc: Huawei PSIRT <PSIRT@huawei.com>
Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20170428075612.9997-1-kraxel@redhat.com
(cherry picked from commit 3268a845)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by P J P

A guest could set the message ring page count to zero, resulting in an infinite loop. Add a check to avoid it.

Reported-by: YY Z <bigbird475958471@gmail.com>
Signed-off-by: P J P <ppandit@redhat.com>
Message-Id: <20170425130623.3649-1-ppandit@redhat.com>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit f6882698)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Thomas Huth

QEMU currently aborts unexpectedly when the user tries to add and remove a "spapr-tce-table" device:

$ qemu-system-ppc64 -nographic -S -nodefaults -monitor stdio
QEMU 2.9.92 monitor - type 'help' for more information
(qemu) device_add spapr-tce-table,id=x
(qemu) device_del x
**
ERROR:qemu/qdev-monitor.c:872:qdev_unplug: assertion failed: (hotplug_ctrl)
Aborted (core dumped)

The device should not be accessible for the users at all, it's just used internally, so mark it with user_creatable = false.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 1f98e553)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Thomas Huth

QEMU currently aborts unexpectedly when a user tries to do something like this:

$ qemu-system-ppc64 -nographic -S -nodefaults -monitor stdio
QEMU 2.9.92 monitor - type 'help' for more information
(qemu) device_add spapr-rtc,id=spapr-rtc
(qemu) device_del spapr-rtc
**
ERROR:qemu/qdev-monitor.c:872:qdev_unplug: assertion failed: (hotplug_ctrl)
Aborted (core dumped)

The RTC device is not meant to be hot-pluggable - it's an internal device only and it even should not be possible to create it a second time with the "-device" parameter, so let's mark this with "user_creatable = false".

Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 8ccccff9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Eduardo Habkost

cannot_instantiate_with_device_add_yet was introduced by commit efec3dd6 to replace no_user. It was supposed to be a temporary measure.

When it was introduced, we had 54 cannot_instantiate_with_device_add_yet=true lines in the code. Today (3 years later) this number has not shrunk: we now have 57 cannot_instantiate_with_device_add_yet=true lines. I think it is safe to say it is not a temporary measure, and we won't see the flag go away soon.

Instead of a long field name that misleads people to believe it is temporary, replace it with a shorter and less misleading field: user_creatable.

Except for code comments, changes were generated using the following Coccinelle patch:

@@
expression DC;
@@
(
-DC->cannot_instantiate_with_device_add_yet = false;
+DC->user_creatable = true;
|
-DC->cannot_instantiate_with_device_add_yet = true;
+DC->user_creatable = false;
)

@@
typedef ObjectClass;
expression dc;
identifier class, data;
@@
static void device_class_init(ObjectClass *class, void *data)
{
    ...
    dc->hotpluggable = true;
+   dc->user_creatable = true;
    ...
}

@@
@@
struct DeviceClass {
    ...
-   bool cannot_instantiate_with_device_add_yet;
+   bool user_creatable;
    ...
}

@@
expression DC;
@@
(
-!DC->cannot_instantiate_with_device_add_yet
+DC->user_creatable
|
-DC->cannot_instantiate_with_device_add_yet
+!DC->user_creatable
)

Cc: Alistair Francis <alistair.francis@xilinx.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Marcel Apfelbaum <marcel@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Thomas Huth <thuth@redhat.com>
Acked-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
Acked-by: Marcel Apfelbaum <marcel@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <20170503203604.31462-2-ehabkost@redhat.com>
[ehabkost: kept "TODO remove once we're there" comment]
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit e90f2a8c)
Conflicts:
  include/hw/qdev-core.h
* remove context dep on 08f00df4
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Eduardo Otubo

Starting qemu-system-unicore32 without the -kernel parameter results in an assert() returning false and aborting qemu. This patch replaces it with a proper error message followed by exit(1).

Signed-off-by: Eduardo Otubo <otubo@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 36bed541)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Thomas Huth

qemu-system-s390x currently crashes when it is started with a virtio-scsi-pci device, e.g.:

qemu-system-s390x -nographic -enable-kvm -device virtio-scsi-pci \
  -drive file=/tmp/disk.dat,if=none,id=d1,format=raw \
  -device scsi-cd,drive=d1,bootindex=1

The problem is that the code in s390_gen_initial_iplb() currently assumes that all SCSI devices are also CCW devices, which is not the case for virtio-scsi-pci of course. Fix it by adding an appropriate check for TYPE_CCW_DEVICE here.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Message-Id: <1493126327-13162-1-git-send-email-thuth@redhat.com>
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit 99efaa26)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Samuel Thibault

The if_fastq and if_batchq contain not only packets, but queues of packets for the same socket. When sofree frees a socket, it thus has to clear ifq_so from all the packets from the queues, not only the first.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 1201d308)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
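An added example, not slirp's code: a simplified model of the two-level queue described above. It uses NULL-terminated singly linked lists where slirp uses circular doubly linked ones, and the struct members and function names are constructed. It shows why clearing ifq_so only on the head packet of each per-socket sub-queue leaves the remaining packets pointing at a freed socket, and how walking the whole sub-queue fixes that.

```c
#include <stddef.h>

struct socket {
    int id;
};

/* One packet. ifq_next links the heads of the per-socket sub-queues,
 * ifs_next links further packets queued for the same socket. */
struct mbuf {
    struct socket *ifq_so;   /* owning socket; dangling once it is freed */
    struct mbuf *ifq_next;
    struct mbuf *ifs_next;
};

/* Before the fix: only the head of each sub-queue is detached. */
static size_t sofree_clear_heads_only(struct mbuf *q, struct socket *so)
{
    size_t cleared = 0;
    for (struct mbuf *m = q; m; m = m->ifq_next) {
        if (m->ifq_so == so) {
            m->ifq_so = NULL;
            cleared++;
        }
    }
    return cleared;
}

/* After the fix: every packet of the matching sub-queue is detached. */
static size_t sofree_clear_all(struct mbuf *q, struct socket *so)
{
    size_t cleared = 0;
    for (struct mbuf *m = q; m; m = m->ifq_next) {
        if (m->ifq_so != so) {
            continue;
        }
        for (struct mbuf *p = m; p; p = p->ifs_next) {
            p->ifq_so = NULL;
            cleared++;
        }
    }
    return cleared;
}

/* Audit helper: how many packets anywhere in the queue still name `so`.
 * After sofree this must be zero, or the next transmit dereferences
 * freed memory. */
static size_t count_owned(struct mbuf *q, struct socket *so)
{
    size_t n = 0;
    for (struct mbuf *m = q; m; m = m->ifq_next) {
        for (struct mbuf *p = m; p; p = p->ifs_next) {
            if (p->ifq_so == so) {
                n++;
            }
        }
    }
    return n;
}

/* Constructed queue: socket `a` has three packets queued, socket `b`
 * two. `pkts` must have room for five entries; returns the queue head. */
static struct mbuf *build_demo_queue(struct mbuf pkts[5],
                                     struct socket *a, struct socket *b)
{
    for (int i = 0; i < 5; i++) {
        pkts[i] = (struct mbuf){0};
    }
    pkts[0].ifq_so = pkts[1].ifq_so = pkts[2].ifq_so = a;
    pkts[3].ifq_so = pkts[4].ifq_so = b;
    pkts[0].ifs_next = &pkts[1];
    pkts[1].ifs_next = &pkts[2];
    pkts[3].ifs_next = &pkts[4];
    pkts[0].ifq_next = &pkts[3];
    return &pkts[0];
}
```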
-
Committed by Marc-André Lureau

ASAN detects an "unknown-crash" when running pxe-test:

/ppc64/pxe/spapr-vlan:
=================================================================
==7143==ERROR: AddressSanitizer: unknown-crash on address 0x7f6dcd298d30 at pc 0x55e22218830d bp 0x7f6dcd2989e0 sp 0x7f6dcd2989d0
READ of size 128 at 0x7f6dcd298d30 thread T2
    #0 0x55e22218830c in tftp_session_allocate /home/elmarco/src/qq/slirp/tftp.c:73
    #1 0x55e22218a1f8 in tftp_handle_rrq /home/elmarco/src/qq/slirp/tftp.c:289
    #2 0x55e22218b54c in tftp_input /home/elmarco/src/qq/slirp/tftp.c:446
    #3 0x55e2221833fe in udp6_input /home/elmarco/src/qq/slirp/udp6.c:82
    #4 0x55e222137b17 in ip6_input /home/elmarco/src/qq/slirp/ip6_input.c:67

Address 0x7f6dcd298d30 is located in stack of thread T2 at offset 96 in frame
    #0 0x55e222182420 in udp6_input /home/elmarco/src/qq/slirp/udp6.c:13

  This frame has 3 object(s):
    [32, 48) '<unknown>'
    [96, 124) 'lhost' <== Memory access at offset 96 partially overflows this variable
    [160, 200) 'save_ip' <== Memory access at offset 96 partially underflows this variable

The sockaddr_storage pointer is the sockaddr_in6 lhost on the stack. Copy only the source addr size.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(cherry picked from commit 17eb587a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
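An added example, not slirp's code, of the pattern the fix applies: derive the number of bytes to copy from the source address family instead of from sizeof(struct sockaddr_storage). The ASAN report above is exactly a 128-byte read (the storage size) from a 28-byte sockaddr_in6. The helper names are constructed; store_ipv6_peer() mimics a sockaddr_in6 built on the stack the way lhost is in udp6_input().

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Size of the concrete address behind a generic sockaddr pointer,
 * 0 for families this code does not handle. */
static socklen_t sockaddr_size(const struct sockaddr *sa)
{
    switch (sa->sa_family) {
    case AF_INET:
        return sizeof(struct sockaddr_in);
    case AF_INET6:
        return sizeof(struct sockaddr_in6);
    default:
        return 0;
    }
}

/* Store `src` into a sockaddr_storage, reading only the bytes its
 * family defines. memcpy(dst, src, sizeof(*dst)) is the bug: a
 * sockaddr_in6 is smaller than sockaddr_storage, so that copy reads
 * past the end of the source object. Returns bytes copied, 0 on refusal. */
static socklen_t sockaddr_copy(struct sockaddr_storage *dst,
                               const struct sockaddr *src)
{
    socklen_t len = sockaddr_size(src);
    if (len == 0 || len > sizeof(*dst)) {
        return 0;
    }
    memset(dst, 0, sizeof(*dst));
    memcpy(dst, src, len);
    return len;
}

/* Mimics udp6_input(): the peer address lives in a sockaddr_in6 on the
 * stack, and only that many bytes may be copied out of it.
 * `addr` is the 16-byte IPv6 address, `port` is in host order. */
static socklen_t store_ipv6_peer(struct sockaddr_storage *dst,
                                 const uint8_t addr[16], uint16_t port)
{
    struct sockaddr_in6 lhost;
    memset(&lhost, 0, sizeof(lhost));
    lhost.sin6_family = AF_INET6;
    lhost.sin6_port = htons(port);
    memcpy(&lhost.sin6_addr, addr, 16);
    return sockaddr_copy(dst, (const struct sockaddr *)&lhost);
}

/* Read the port back out of a stored address, 0 if not IPv4/IPv6. */
static uint16_t stored_port(const struct sockaddr_storage *ss)
{
    if (ss->ss_family == AF_INET6) {
        return ntohs(((const struct sockaddr_in6 *)ss)->sin6_port);
    }
    if (ss->ss_family == AF_INET) {
        return ntohs(((const struct sockaddr_in *)ss)->sin_port);
    }
    return 0;
}
```

The same rule applies on the receive side: when a socklen_t is available from accept() or recvfrom(), use it rather than assuming the storage size.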
-
Committed by Thomas Huth

The "info jit" command currently aborts on Mac OS X with the message "qemu_mutex_lock: Invalid argument" when running with "-M accel=qtest". We should only call into the TCG code here if TCG has really been enabled and initialized.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <1493179907-22516-1-git-send-email-thuth@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Tested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(cherry picked from commit b7da97ee)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Philipp Kern

According to "CPU Signaling and Response", "Signal-Processor Orders", the order field is bit position 56-63. Without this, the Linux guest kernel is sometimes unable to stop emulation and enters an infinite loop of "XXX unknown sigp: 0xffffffff00000005".

Signed-off-by: Philipp Kern <phil@philkern.de>
Reviewed-by: Thomas Huth <thuth@tuxfamily.org>
[agraf: add comment according to email]
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit 601b9a90)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
- 25 Aug 2017, 27 commits
-
-
Committed by Greg Kurz

This function has to ensure it doesn't follow a symlink that could be used to escape the virtfs directory. This could be easily achieved if fchmodat() on linux honored the AT_SYMLINK_NOFOLLOW flag as described in POSIX, but it doesn't. There was an attempt to implement a new fchmodat2() syscall with the correct semantics:

https://patchwork.kernel.org/patch/9596301/

but it didn't gain much momentum. Also it was suggested to look at an O_PATH based solution in the first place.

The current implementation covers most use-cases, but it notably fails if:

- the target path has access rights equal to 0000 (openat() returns EPERM),
  => once you've done chmod(0000) on a file, you can never chmod() again
- the target path is UNIX domain socket (openat() returns ENXIO)
  => bind() of UNIX domain sockets fails if the file is on 9pfs

The solution is to use O_PATH: openat() now succeeds in both cases, and we can ensure the path isn't a symlink with fstat(). The associated entry in "/proc/self/fd" can hence be safely passed to the regular chmod() syscall.

The previous behavior is kept for older systems that don't have O_PATH.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: Zhi Yong Wu <zhiyong.wu@ucloud.cn>
Acked-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
(cherry picked from commit 4751fd53)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
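An added example, not QEMU's code, of the O_PATH approach described above. It is Linux-only: it assumes O_PATH and a mounted /proc, and if the headers do not expose O_PATH it falls back to the generic Linux value (the x86 and arm64 one; other architectures may differ). chmodat_nofollow() is a constructed name. demo_chmod_nofollow() builds the two cases the message mentions that a plain openat() cannot handle, a mode-0000 file and a symlink to it, inside a temporary directory, and returns a bitmask of which checks passed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_PATH
#define O_PATH 010000000   /* generic Linux value; assumption for old headers */
#endif

/* Change the mode of `name` (relative to `dirfd`) without ever following a
 * symlink. openat(O_PATH|O_NOFOLLOW) needs no read/write permission, so a
 * 0000 file or a socket opens fine, and if `name` is a symlink it yields a
 * handle to the link itself; fstat() on that handle tells us which. Only
 * for a non-symlink do we chmod() via /proc/self/fd, which resolves to the
 * object already opened, not to a path the client could swap underneath.
 * Returns 0 on success, -1 with errno set (ELOOP for a symlink). */
static int chmodat_nofollow(int dirfd, const char *name, mode_t mode)
{
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW);
    if (fd == -1) {
        return -1;
    }
    struct stat st;
    int ret = fstat(fd, &st);
    if (ret == 0 && S_ISLNK(st.st_mode)) {
        errno = ELOOP;           /* refuse: the target is a symlink */
        ret = -1;
    }
    if (ret == 0) {
        char proc[64];
        snprintf(proc, sizeof(proc), "/proc/self/fd/%d", fd);
        ret = chmod(proc, mode);
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return ret;
}

/* Constructed demonstration. Bit 0: chmod of a 0000 file succeeded.
 * Bit 1: chmod through a symlink was refused with ELOOP.
 * Bit 2: the symlink's target kept the 0600 we set, i.e. the refused
 * call changed nothing. Returns -1 if the setup itself failed. */
static int demo_chmod_nofollow(void)
{
    char tmpl[] = "/tmp/virtfs-chmod-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) {
        return -1;
    }
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd == -1) {
        return -1;
    }
    int fd = openat(dirfd, "target", O_WRONLY | O_CREAT | O_EXCL, 0000);
    if (fd == -1 || symlinkat("target", dirfd, "link") == -1) {
        return -1;
    }
    close(fd);

    int result = 0;
    if (chmodat_nofollow(dirfd, "target", 0600) == 0) {
        result |= 1;
    }
    if (chmodat_nofollow(dirfd, "link", 0777) == -1 && errno == ELOOP) {
        result |= 2;
    }
    struct stat st;
    if (fstatat(dirfd, "target", &st, 0) == 0 && (st.st_mode & 07777) == 0600) {
        result |= 4;
    }

    unlinkat(dirfd, "link", 0);
    unlinkat(dirfd, "target", 0);
    close(dirfd);
    rmdir(dir);
    return result;
}
```

The check that matters for an escape is the S_ISLNK test on the fstat() result: without it, /proc/self/fd/N of an O_PATH handle to a symlink would be resolved by chmod() through the link, which is exactly the follow the function must not do.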
-
Committed by Jeff Cody

Commit c096358e introduced assertion checks for when qemu_mutex() functions are called without the corresponding qemu_mutex_init() having initialized the mutex.

This uncovered a latent bug in qemu's nfs driver - in nfs_client_close(), the NFSClient structure is overwritten with zeros, prior to the mutex being destroyed.

Go ahead and destroy the mutex in nfs_client_close(), and change where we call qemu_mutex_init() so that it is correctly balanced.

There are also a couple of memory leaks obscured by the memset, so this fixes those as well.

Finally, we should be able to get rid of the memset(), as it isn't necessary.

Cc: qemu-stable@nongnu.org
Signed-off-by: Jeff Cody <jcody@redhat.com>
Reviewed-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 113fe792)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Aleksandr Bezzubikov

Unmask previously masked SHPC feature in _OSC method.

Signed-off-by: Aleksandr Bezzubikov <zuban32s@gmail.com>
Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit a41c78c1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Laurent Vivier

With pseries machine type a negative core-id is not managed properly:

  -1 gives an inaccurate error message ("core -1 already populated"),
  -2 crashes QEMU (core dump)

As it seems a negative value is invalid for any architecture, instead of checking this in spapr_core_pre_plug() I think it's better to check this in the generic part, core_prop_set_core_id()

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-Id: <20170802103259.25940-1-lvivier@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit be2960ba)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Kevin Wolf

Commits 0db832f4 and 6cdbceb1 introduced the automatic insertion of filter nodes above the top layer of mirror and commit block jobs. The assumption made there was that since libvirt doesn't do node-level management of the block layer yet, it shouldn't be affected by added nodes.

This is true as far as commands issued by libvirt are concerned. It only uses BlockBackend names to address nodes, so any operations it performs still operate on the root of the tree as intended.

However, the assumption breaks down when you consider query commands, which return data for the wrong node now. These commands also return information on some child nodes (bs->file and/or bs->backing), which libvirt does make use of, and which refer to the wrong nodes, too.

One of the consequences is that oVirt gets wrong information about the image size and stops the VM in response as long as a mirror or commit job is running:

https://bugzilla.redhat.com/show_bug.cgi?id=1470634

This patch fixes the problem by hiding the implicit nodes created automatically by the mirror and commit block jobs in the output of query-block and BlockBackend-based query-blockstats as long as the user doesn't indicate that they are aware of those nodes by providing a node name for them in the QMP command to start the block job.

The node-based commands query-named-block-nodes and query-blockstats with query-nodes=true still show all nodes, including implicit ones. This ensures that users that are capable of node-level management can still access the full information; users that only know BlockBackends won't use these commands.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Tested-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit d3c8c674)
Conflicts:
  block/qapi.c
  include/block/block_int.h
* fix context deps on 46eade7b and 5a9347c6
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Kevin Wolf

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
(cherry picked from commit c3971b88)
* prereq for d3c8c674
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Alexander Graf

Delays in the input layer are special cased input events. Every input event is accounted for in a global input queue count. The special cased delays however did not get removed from the queue, leading to queue overruns and thus silent key drops after typing quite a few characters.

Signed-off-by: Alexander Graf <agraf@suse.de>
Message-id: 1498117318-162102-1-git-send-email-agraf@suse.de
Fixes: be1a7176 ("input: add support for kbd delays")
Cc: qemu-stable@nongnu.org
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 77b0359b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Gerd Hoffmann

Apply a limit to the number of items we accept into the keyboard queue.

Impact: Without this limit vnc clients can exhaust host memory by sending keyboard events faster than qemu feeds them to the guest.

Fixes: CVE-2017-8379
Cc: P J P <ppandit@redhat.com>
Cc: Huawei PSIRT <PSIRT@huawei.com>
Reported-by: jiangxin1@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170428084237.23960-1-kraxel@redhat.com
(cherry picked from commit fa18f36a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
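An added example that is not QEMU's code and illustrates both this commit and the earlier one on kbd delays: a bounded input queue in which delays are ordinary queue items, so they are counted on enqueue and uncounted on dequeue (the delay bug was a count that only ever grew), and anything beyond the limit is dropped rather than allocated (the CVE was a count with no limit at all). The struct layout, the limit used in the test and the function names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

enum item_kind { ITEM_EVENT, ITEM_DELAY };

struct item {
    enum item_kind kind;
    int payload;              /* keycode, or delay in ms */
    struct item *next;
};

struct input_queue {
    struct item *head, *tail;
    size_t count;             /* every queued item, delays included */
    size_t limit;             /* hard cap on `count` */
    size_t dropped;           /* items refused because the queue was full */
};

/* Refuse, and count the refusal, once the queue is at its limit.
 * Without this check a client that sends faster than the guest consumes
 * makes `count` and host memory grow without bound. */
static bool queue_push(struct input_queue *q, enum item_kind kind, int payload)
{
    if (q->count >= q->limit) {
        q->dropped++;
        return false;
    }
    struct item *it = malloc(sizeof(*it));
    if (!it) {
        return false;
    }
    it->kind = kind;
    it->payload = payload;
    it->next = NULL;
    if (q->tail) {
        q->tail->next = it;
    } else {
        q->head = it;
    }
    q->tail = it;
    q->count++;
    return true;
}

/* Pop the head item into *out. Every kind decrements `count`: if delays
 * were skipped here, the count would creep up with each delay until the
 * limit was hit and real keys were silently dropped. */
static bool queue_pop(struct input_queue *q, struct item *out)
{
    struct item *it = q->head;
    if (!it) {
        return false;
    }
    *out = *it;
    q->head = it->next;
    if (!q->head) {
        q->tail = NULL;
    }
    q->count--;
    free(it);
    return true;
}

/* Drain the queue, returning how many events (not delays) were delivered. */
static size_t queue_process(struct input_queue *q)
{
    struct item it;
    size_t delivered = 0;
    while (queue_pop(q, &it)) {
        if (it.kind == ITEM_EVENT) {
            delivered++;
        }
    }
    return delivered;
}

/* Simulate a client typing `n` keys with a delay after each one and
 * return how many key events the queue accepted. */
static size_t type_keys(struct input_queue *q, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (queue_push(q, ITEM_EVENT, (int)i)) {
            accepted++;
        }
        queue_push(q, ITEM_DELAY, 10);
    }
    return accepted;
}
```

A drop counter such as `dropped` is worth keeping in the real thing too: it turns "keys went missing" into a number that can be logged and correlated with the client that caused it.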
-
Committed by Jason Wang

Spec said offloads should be le64, so use virtio_ldq_p() to guarantee valid endian.

Fixes: 644c9858 ("virtio-net: dynamic network offloads configuration")
Cc: qemu-stable@nongnu.org
Cc: Dmitry Fleytman <dfleytma@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 189ae6bb)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Greg Kurz

In case of error, we must ensure the dynamically allocated base_core_type is freed, like it is done everywhere else in this function.

This is a regression introduced in QEMU 2.9 by commit 8149e299.

Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit df8658de)
Conflicts:
  hw/ppc/spapr.c
* fix context dep on 459264ef
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Kevin Wolf

I can't see how overlay_bs could become NULL with the current code, but other code in this function already checks it and we can make Coverity happy with this check, so let's add it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit b1e1fa0c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Jason Wang

After converting to use DMA api for virtio devices, we should use dma_as instead of address_space_memory. Otherwise it won't work if IOMMU is enabled.

Fixes: commit 8607f5c3 ("virtio: convert to use DMA api")
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Message-Id: <1499170866-9068-1-git-send-email-jasowang@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 025bdeab)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Laurent Vivier

Since commit 5c4537bd ("spapr: Fix 2.7<->2.8 migration of PCI host bridge"), some migration fields are forged from the new ones in spapr_pci_pre_save().

It works well, except when the number of MSI devices is 0, because in this case the function exits immediately.

This fix moves the migration code before the exit code.

The problem can be reproduced with these commands:

source qemu-2.9:

    qemu-system-ppc64 -monitor stdio -M pseries-2.6 -nodefaults -S

destination qemu-2.6:

    qemu-system-ppc64 -monitor stdio -M pseries-2.6 -nodefaults \
        -incoming tcp:0:4444

on the source:

    migrate tcp:localhost:4444

Destination fails with the following error:

    qemu-system-ppc64: error while loading state for instance 0x0 of device 'spapr_pci'
    qemu-system-ppc64: load of migration failed: Invalid argument

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit e806b4db)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Alexander Graf

When resetting the keyboard, we need to reset not just the pending keystrokes, but also any pending modifiers. Otherwise there's a race when we're getting reset while running an escape sequence (modifier 0x100).

Cc: qemu-stable@nongnu.org
Signed-off-by: Alexander Graf <agraf@suse.de>
Message-id: 1498117295-162030-1-git-send-email-agraf@suse.de
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 51dbea77)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Bruce Rogers

Commit a0e640a8 introduced a path processing error. Pass fstatat the dirpath based path component instead of the entire path.

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit 790db7ef)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Max Reitz

uri_parse(...)->scheme may be NULL. In fact, probably every field may be NULL, and the callers do test this for all of the other fields but not for scheme (except for block/gluster.c; block/vxhs.c does not access that field at all).

We can easily fix this by using g_strcmp0() instead of strcmp().

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 20170613205726.13544-1-mreitz@redhat.com
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
(cherry picked from commit f69165a8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Paolo Bonzini

When attaching the NBD QIOChannel to an AioContext, the TLS channel should be used, not the underlying socket channel. This is because, trivially, the TLS channel will be the one that we read/write to and thus the one that will get the qio_channel_yield() call.

Fixes: ff82911c
Cc: qemu-stable@nongnu.org
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Tested-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 96d06835)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Max Reitz

The bs->exact_filename field may not be sufficient to store the full blkverify node filename. In this case, we should not generate a filename at all instead of an unusable one.

Cc: qemu-stable@nongnu.org
Reported-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 20170613172006.19685-3-mreitz@redhat.com
Reviewed-by: Alberto Garcia <berto@igalia.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
(cherry picked from commit 05cc758a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Max Reitz

The bs->exact_filename field may not be sufficient to store the full blkdebug node filename. In this case, we should not generate a filename at all instead of an unusable one.

Cc: qemu-stable@nongnu.org
Reported-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 20170613172006.19685-2-mreitz@redhat.com
Reviewed-by: Alberto Garcia <berto@igalia.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Max Reitz <mreitz@redhat.com>
(cherry picked from commit de81d72d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Kevin Wolf

commit_complete() can't assume that after its block_job_completed() the job is actually immediately freed; someone else may still be holding references. In this case, the op blockers on the intermediate nodes make the graph reconfiguration in the completion code fail.

Call block_job_remove_all_bdrv() manually so that we know for sure that any blockers on intermediate nodes are given up.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
(cherry picked from commit 4f78a16f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Eric Blake

Back in qemu 2.5, qemu-nbd was immune to port probes (a transient server would not quit, regardless of how many probe connections came and went, until a connection actually negotiated). But we broke that in commit ee7d7aab when removing the return value to nbd_client_new(), although that patch also introduced a bug causing an assertion failure on a client that fails negotiation. We then made it worse during refactoring in commit 1a6245a5 (a segfault before we could even assert); the (masked) assertion was cleaned up in d3780c2d (still in 2.6), and just recently we finally fixed the segfault ("nbd: Fully intialize client in case of failed negotiation"). But that still means that ever since we added TLS support to qemu-nbd, we have been vulnerable to an ill-timed port-scan being able to cause a denial of service by taking down qemu-nbd before a real client has a chance to connect.

Since negotiation is now handled asynchronously via coroutines, we no longer have a synchronous point of return by re-adding a return value to nbd_client_new(). So this patch instead wires things up to pass the negotiation status through the close_fn callback function.

Simple test across two terminals:

$ qemu-nbd -f raw -p 30001 file
$ nmap 127.0.0.1 -p 30001 && \
  qemu-io -c 'r 0 512' -f raw nbd://localhost:30001

Note that this patch does not change what constitutes successful negotiation (thus, a client must enter transmission phase before that client can be considered as a reason to terminate the server when the connection ends). Perhaps we may want to tweak things in a later patch to also treat a client that uses NBD_OPT_ABORT as being a 'successful' negotiation (the client correctly talked the NBD protocol, and informed us it was not going to use our export after all), but that's a discussion for another day.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170608222617.20376-1-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 0c9390d9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Eric Blake

If a non-NBD client connects to qemu-nbd, we would end up with a SIGSEGV in nbd_client_put() because we were trying to unregister the client's association to the export, even though we skipped inserting the client into that list. Easy trigger in two terminals:

$ qemu-nbd -p 30001 --format=raw file
$ nmap 127.0.0.1 -p 30001

nmap claims that it thinks it connected to a pago-services1 server (which probably means nmap could be updated to learn the NBD protocol and give a more accurate diagnosis of the open port - but that's not our problem), then terminates immediately, so our call to nbd_negotiate() fails.

The fix is to reorder nbd_co_client_start() to ensure that all initialization occurs before we ever try talking to a client in nbd_negotiate(), so that the teardown sequence on negotiation failure doesn't fault while dereferencing a half-initialized object.

While debugging this, I also noticed that nbd_update_server_watch() called by nbd_client_closed() was still adding a channel to accept the next client, even when the state was no longer RUNNING. That is fixed by making nbd_can_accept() pay attention to the current state.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170527030421.28366-1-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit df8ad9f1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Kevin Wolf

The final bdrv_set_backing_hd() could be working on already freed nodes because the commit job drops its references (through BlockBackends) to both overlay_bs and top already a bit earlier. One way to trigger the bug is hot unplugging a disk for which blockdev_mark_auto_del() cancels the block job.

Fix this by taking BDS-level references while we're still using the nodes.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
(cherry picked from commit 19ebd13e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Max Filippov

Xtensa cores may have registers of types/sizes not supported by the gdbstub accessors. Ignore writes to such registers and return zero on read, but always return correct register size, so that gdb on the other side is able to access all registers in the packet holding unsupported registers in the middle. This fixes gdb interaction with cores that have vector/custom TIE registers.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
(cherry picked from commit dd7b952b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Greg Kurz

The string returned by object_property_get_str() is dynamically allocated.

(Spotted by Coverity, CID 1375942)

Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 8a9e0e7b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Laurent Vivier

This allows managing errors before the memory has started to be hotplugged. We already have the function for the CPU cores.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
[dwg: Fixed a couple of style nits]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit c871bc70)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Committed by Greg Kurz

The string returned by object_property_get_str() is dynamically allocated.

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 2d3e302e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-