1. 20 Nov 2018: 11 commits
  2. 19 Nov 2018: 13 commits
    • Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging · e6ebbd46
      Committed by Peter Maydell
      Block layer patches:
      
      - file-posix: Fix shared permission locks after reopen
      - block: Fix error path for failed .bdrv_reopen_prepare
      - qcow2: Catch invalid allocations when the image becomes too large
      - vvfat/fdc/nvme: Fix segfaults and leaks
      
      # gpg: Signature made Mon 19 Nov 2018 14:28:18 GMT
      # gpg:                using RSA key 7F09B272C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
      # Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6
      
      * remotes/kevin/tags/for-upstream:
        iotests: Test file-posix locking and reopen
        file-posix: Fix shared locks on reopen commit
        block: Always abort reopen after prepare succeeded
        iotests: Add new test 220 for max compressed cluster offset
        qcow2: Don't allow overflow during cluster allocation
        qcow2: Document some maximum size constraints
        vvfat: Fix memory leak
        fdc: fix segfault in fdctrl_stop_transfer() when DMA is disabled
        nvme: fix oob access issue(CVE-2018-16847)
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • iotests: Test file-posix locking and reopen · 6d0a4a0f
      Committed by Max Reitz
      Signed-off-by: Max Reitz <mreitz@redhat.com>
      Reviewed-by: Alberto Garcia <berto@igalia.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • file-posix: Fix shared locks on reopen commit · 577a1339
      Committed by Max Reitz
      s->locked_shared_perm is the set of bits locked in the file, which is
      the inverse of the permissions actually shared.  So we need to pass them
      as they are to raw_apply_lock_bytes() instead of inverting them again.
      Reported-by: Alberto Garcia <berto@igalia.com>
      Signed-off-by: Max Reitz <mreitz@redhat.com>
      Reviewed-by: Alberto Garcia <berto@igalia.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • block: Always abort reopen after prepare succeeded · 9ad08c44
      Committed by Max Reitz
      bdrv_reopen_multiple() does not invoke bdrv_reopen_abort() for the
      element of the reopen queue for which bdrv_reopen_prepare() failed,
      because it assumes that the prepare function will have rolled back all
      changes already.
      
      However, bdrv_reopen_prepare() does not do this in every case: It may
      notice an error after BlockDriver.bdrv_reopen_prepare() succeeded, and
      it will not invoke BlockDriver.bdrv_reopen_abort() then; and neither
      will bdrv_reopen_multiple(), as explained above.
      
      This is wrong because we must always call .bdrv_reopen_commit() or
      .bdrv_reopen_abort() after .bdrv_reopen_prepare() has succeeded.
      Otherwise, the block driver has no chance to undo what it has done in
      its implementation of .bdrv_reopen_prepare().
      
      To fix this, bdrv_reopen_prepare() has to call .bdrv_reopen_abort() if
      it wants to return an error after .bdrv_reopen_prepare() has succeeded.
      Signed-off-by: Max Reitz <mreitz@redhat.com>
      Reviewed-by: Alberto Garcia <berto@igalia.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • iotests: Add new test 220 for max compressed cluster offset · 3b94c343
      Committed by Eric Blake
      If you have a capable file system (tmpfs is good, ext4 not so much;
      run ./check with TEST_DIR pointing to a good location so as not
      to skip the test), it's actually possible to create a qcow2 file
      that expands to a sparse 512T image with just over 38M of content.
      The test is not the world's fastest (qemu crawling through 256M
      bits of refcount table to find the next cluster to allocate takes
      several seconds, as does qemu-img check reporting millions of
      leaked clusters); but it DOES catch the problem that the previous
      patch just fixed where writing a compressed cluster to a full
      image ended up overwriting the wrong cluster.
      Suggested-by: Max Reitz <mreitz@redhat.com>
      Signed-off-by: Eric Blake <eblake@redhat.com>
      Reviewed-by: Alberto Garcia <berto@igalia.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • qcow2: Don't allow overflow during cluster allocation · 77d6a215
      Committed by Eric Blake
      Our code was already checking that we did not attempt to
      allocate more clusters than what would fit in an INT64 (the
      physical maximum if we can access a full off_t's worth of
      data).  But this does not catch smaller limits enforced by
      various spots in the qcow2 image description: L1 and normal
      clusters of L2 are documented as having bits 63-56 reserved
      for other purposes, capping our maximum offset at 64PB (bit
      55 is the maximum bit set).  And for compressed images with
      2M clusters, the cap drops the maximum offset to bit 48, or
      a maximum offset of 512TB.  If we overflow that offset, we
      would write compressed data into one place, but try to
      decompress from another, which won't work.
      
      It's actually possible to prove that overflow can cause image
      corruption without this patch; I'll add the iotests separately
      in the next commit.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      Reviewed-by: Alberto Garcia <berto@igalia.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • qcow2: Document some maximum size constraints · d3e1a7eb
      Committed by Eric Blake
      Although off_t permits up to 63 bits (8EB) of file offsets, in
      practice, we're going to hit other limits first.  Document some
      of those limits in the qcow2 spec (some are inherent, others are
      implementation choices of qemu), and how choice of cluster size
      can influence some of the limits.
      
      While we cannot map any uncompressed virtual cluster to any
      address higher than 64 PB (56 bits) (due to the current L1/L2
      field encoding stopping at bit 55), qemu's cap of 8M for the
      refcount table can still access larger host addresses for some
      combinations of large clusters and small refcount_order.  For
      comparison, ext4 with 4k blocks caps files at 16PB.
      
      Another interesting limit: for compressed clusters, the L2 layout
      requires an ever-smaller maximum host offset as cluster size gets
      larger, down to a 512 TB maximum with 2M clusters.  In particular,
      note that with a cluster size of 8k or smaller, the L2 entry for
      a compressed cluster could technically point beyond the 64PB mark,
      but when you consider that with 8k clusters and refcount_order = 0,
      you cannot access beyond 512T without exceeding qemu's limit of an
      8M cap on the refcount table, it is unlikely that any image in the
      wild has attempted to do so.  To be safe, let's document that bits
      beyond 55 in a compressed cluster must be 0.
      Signed-off-by: Eric Blake <eblake@redhat.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • vvfat: Fix memory leak · 443ba6be
      Committed by Kevin Wolf
      Don't leak 'cluster' in the mapping == NULL case. Found by Coverity
      (CID 1055918).
      
      Fixes: 8d9401c2
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
      Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
      Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
    • fdc: fix segfault in fdctrl_stop_transfer() when DMA is disabled · 441f6692
      Committed by Mark Cave-Ayland
      Commit c8a35f1c "fdc: use IsaDma interface instead of global DMA_*
      functions" accidentally introduced a segfault in fdctrl_stop_transfer() for
      non-DMA transfers.
      
      If fdctrl->dma_chann has not been configured then the fdctrl->dma interface
      reference isn't initialised during isabus_fdc_realize(). Unfortunately
      fdctrl_stop_transfer() unconditionally references the DMA interface when
      finishing the transfer causing a NULL pointer dereference.
      
      Fix the issue by adding a check in fdctrl_stop_transfer() so that the DMA
      interface reference and release method is only invoked if fdctrl->dma_chann
      has been set.
      
      (This issue was discovered by Martin testing a recent change in the NetBSD
      installer under qemu-system-sparc)
      
      Cc: qemu-stable@nongnu.org
      Reported-by: Martin Husemann <martin@duskware.de>
      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Reviewed-by: Hervé Poussineau <hpoussin@reactos.org>
      Reviewed-by: John Snow <jsnow@redhat.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • nvme: fix oob access issue(CVE-2018-16847) · 5e3c0220
      Committed by Li Qiang
      Currently, the nvme_cmb_ops mr doesn't check the addr and size.
      This can lead to an oob access issue. This is triggerable in the guest.
      Add check to avoid this issue.
      
      Fixes CVE-2018-16847.
      Reported-by: Li Qiang <liq3ea@gmail.com>
      Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Li Qiang <liq3ea@gmail.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
    • MAINTAINERS: clarify some of the tags · 9436e082
      Committed by Cornelia Huck
      The MAINTAINERS file is a bit sparse on information about what
      the different designators are. Let's add some more information
      to give contributors a better idea about what the different
      roles are.
      Signed-off-by: Cornelia Huck <cohuck@redhat.com>
      Reviewed-by: Markus Armbruster <armbru@redhat.com>
      Message-id: 20181026105711.29605-1-cohuck@redhat.com
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • Merge remote-tracking branch 'remotes/amarkovic/tags/mips-queue-november-2018-v2' into staging · d1b3b1ee
      Committed by Peter Maydell
      MIPS queue for QEMU 3.1-rc2 - v2
      
      # gpg: Signature made Sat 17 Nov 2018 18:30:46 GMT
      # gpg:                using RSA key D4972A8967F75A65
      # gpg: Good signature from "Aleksandar Markovic <amarkovic@wavecomp.com>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the owner.
      # Primary key fingerprint: 8526 FBF1 5DA3 811F 4A01  DD75 D497 2A89 67F7 5A65
      
      * remotes/amarkovic/tags/mips-queue-november-2018-v2:
        MAINTAINERS: Add Stefan Markovic as a MIPS reviewer
        target/mips: Disable R5900 support
        target/mips: Rename MMI-related functions
        target/mips: Rename MMI-related opcodes
        target/mips: Rename MMI-related masks
        target/mips: Guard check_insn with INSN_R5900 check
        target/mips: Guard check_insn_opc_user_only with INSN_R5900 check
        target/mips: Fix decoding mechanism of special R5900 opcodes
        target/mips: Fix decoding mechanism of R5900 DIV1 and DIVU1
        target/mips: Fix decoding mechanism of R5900 MFLO1, MFHI1, MTLO1 and MTHI1
        linux-user: Update MIPS specific prctl() implementation
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
    • Merge remote-tracking branch 'remotes/riscv/tags/riscv-for-master-3.1-rc2' into staging · d0649109
      Committed by Peter Maydell
      RISC-V Patches for 3.1-rc2
      
      This pull request contains four patches that aren't really related to
      each other aside from all being bug fixes that I think should go in for
      3.1.0:
      
      * The second half of Alistair's memory leak patch set that I missed last
        week.
      * A fix to make fclass.d available only on RV64IFD systems (without
        this it's available on RV32IFD systems, truncating the result).
      * A fix to make sfence.vm available only in priv-1.9.1, and sfence.vma
        only available in priv-1.10.
      * A change to respect fences in user-mode emulators, which were
        previously treated as NOPs.
      
      As usual, this builds and boots Linux for me.  I don't think I have
      anything else planned for 3.1.0, but I may be wrong as things are a bit
      hectic this week.
      
      # gpg: Signature made Tue 13 Nov 2018 23:48:38 GMT
      # gpg:                using RSA key EF4CA1502CCBAB41
      # gpg: Good signature from "Palmer Dabbelt <palmer@dabbelt.com>"
      # gpg:                 aka "Palmer Dabbelt <palmer@sifive.com>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the owner.
      # Primary key fingerprint: 00CE 76D1 8349 60DF CE88  6DF8 EF4C A150 2CCB AB41
      
      * remotes/riscv/tags/riscv-for-master-3.1-rc2:
        RISC-V: Respect fences for user-only emulators
        target/riscv: Fix sfence.vm/a both available in any priv version
        target/riscv: Fix FCLASS_D being treated as RV64 only
        hw/riscv/virt: Free the test device tree node name
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
  3. 18 Nov 2018: 11 commits
  4. 16 Nov 2018: 5 commits