Bin Meng [Wed, 3 Mar 2021 12:26:39 +0000 (20:26 +0800)]
hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a different block size is programmed
Git-commit:
cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
If the block size is programmed to a different value from the
previous one, reset the data pointer of s->fifo_buffer[] so that
s->fifo_buffer[] can be filled in using the new block size in
the next transfer.
With this fix, the following reproducer:
outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xe000002c 0x1 0x05
write 0xe0000005 0x1 0x02
write 0xe0000007 0x1 0x01
write 0xe0000028 0x1 0x10
write 0x0 0x1 0x23
write 0x2 0x1 0x08
write 0xe000000c 0x1 0x01
write 0xe000000e 0x1 0x20
write 0xe000000f 0x1 0x00
write 0xe000000c 0x1 0x32
write 0xe0000004 0x2 0x0200
write 0xe0000028 0x1 0x00
write 0xe0000003 0x1 0x40
cannot be reproduced with the following QEMU command line:
$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
-nodefaults -device sdhci-pci,sd-spec-version=3 \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-device sd-card,drive=mydrive -qtest stdio
Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes:
d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <
20210303122639.20004-6-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Bin Meng [Wed, 3 Mar 2021 12:26:38 +0000 (20:26 +0800)]
hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE register is writable
Git-commit:
5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
The codes to limit the maximum block size is only necessary when
SDHC_BLKSIZE register is writable.
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <
20210303122639.20004-5-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Bin Meng [Wed, 3 Mar 2021 12:26:37 +0000 (20:26 +0800)]
hw/sd: sdhci: Correctly set the controller status for ADMA
Git-commit:
bc6f28995ff88f5d82c38afcfd65406f0ae375aa
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
When an ADMA transfer is started, the codes forget to set the
controller status to indicate a transfer is in progress.
With this fix, the following 2 reproducers:
https://paste.debian.net/plain/1185136
https://paste.debian.net/plain/1185141
cannot be reproduced with the following QEMU command line:
$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
-nodefaults -device sdhci-pci,sd-spec-version=3 \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-device sd-card,drive=mydrive -qtest stdio
Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes:
d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <
20210303122639.20004-4-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Bin Meng [Wed, 3 Mar 2021 12:26:36 +0000 (20:26 +0800)]
hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress
Git-commit:
8be45cc947832b3c02144c9d52921f499f2d77fe
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
Per "SD Host Controller Standard Specification Version 7.00"
chapter 2.2.1 SDMA System Address Register:
This register can be accessed only if no transaction is executing
(i.e., after a transaction has stopped).
With this fix, the following reproducer:
outl 0xcf8 0x80001010
outl 0xcfc 0xfbefff00
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xfbefff2c 0x1 0x05
write 0xfbefff0f 0x1 0x37
write 0xfbefff0a 0x1 0x01
write 0xfbefff0f 0x1 0x29
write 0xfbefff0f 0x1 0x02
write 0xfbefff0f 0x1 0x03
write 0xfbefff04 0x1 0x01
write 0xfbefff05 0x1 0x01
write 0xfbefff07 0x1 0x02
write 0xfbefff0c 0x1 0x33
write 0xfbefff0e 0x1 0x20
write 0xfbefff0f 0x1 0x00
write 0xfbefff2a 0x1 0x01
write 0xfbefff0c 0x1 0x00
write 0xfbefff03 0x1 0x00
write 0xfbefff05 0x1 0x00
write 0xfbefff2a 0x1 0x02
write 0xfbefff0c 0x1 0x32
write 0xfbefff01 0x1 0x01
write 0xfbefff02 0x1 0x01
write 0xfbefff03 0x1 0x01
cannot be reproduced with the following QEMU command line:
$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
-nodefaults -device sdhci-pci,sd-spec-version=3 \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-device sd-card,drive=mydrive -qtest stdio
Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes:
d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <
20210303122639.20004-3-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Bin Meng [Wed, 3 Mar 2021 12:26:35 +0000 (20:26 +0800)]
hw/sd: sdhci: Don't transfer any data when command time out
Git-commit:
b263d8f928001b5cfa2a993ea43b7a5b3a1811e8
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
At the end of sdhci_send_command(), it starts a data transfer if the
command register indicates data is associated. But the data transfer
should only be initiated when the command execution has succeeded.
With this fix, the following reproducer:
outl 0xcf8 0x80001810
outl 0xcfc 0xe1068000
outl 0xcf8 0x80001804
outw 0xcfc 0x7
write 0xe106802c 0x1 0x0f
write 0xe1068004 0xc 0x2801d10101fffffbff28a384
write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
write 0xe1068003 0x1 0xfe
cannot be reproduced with the following QEMU command line:
$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
-device sdhci-pci,sd-spec-version=3 \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-device sd-card,drive=mydrive \
-monitor none -serial none -qtest stdio
Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes:
d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <
20210303122639.20004-2-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Bin Meng [Sat, 20 Feb 2021 08:58:13 +0000 (16:58 +0800)]
hw/sd: sd: Actually perform the erase operation
Git-commit:
818a5cdcfcf0a55d60b59b2cb74482ef4ba6b205
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
At present the sd_erase() does not erase the requested range of card
data to 0xFFs. Let's make the erase operation actually happen.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Message-Id: <
1613811493-58815-1-git-send-email-bmeng.cn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Bin Meng [Sun, 28 Feb 2021 05:06:09 +0000 (13:06 +0800)]
hw/sd: sd: Fix build error when DEBUG_SD is on
Git-commit:
a78d9f27b73de3c42f376540bd1d1d0570eb1fa3
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
"qemu-common.h" should be included to provide the forward declaration
of qemu_hexdump() when DEBUG_SD is on.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <
20210228050609.24779-1-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Bin Meng [Tue, 16 Feb 2021 15:02:22 +0000 (23:02 +0800)]
hw/sd: sd: Skip write protect groups check in sd_erase() for high capacity cards
Git-commit:
2473dc4022458dcc05ec367ce97edbef29d7e50c
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
High capacity cards don't support write protection hence we should
not perform the write protect groups check in sd_erase() for them.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <
20210216150225.27996-6-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Bin Meng [Tue, 16 Feb 2021 15:02:21 +0000 (23:02 +0800)]
hw/sd: sd: Move the sd_block_{read, write} and macros ahead
Git-commit:
ce6ea2efc5fb308ebf11339276f60215fe0ec44c
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
These APIs and macros may be referenced by functions that are
currently before them. Move them ahead a little bit.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <
20210216150225.27996-5-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Alexander Bulekov [Mon, 1 Mar 2021 19:35:30 +0000 (14:35 -0500)]
lan9118: switch to use qemu_receive_packet() for loopback
Git-commit:
37cee01784ff0df13e5209517e1b3594a5e792d1
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Alexander Bulekov [Mon, 1 Mar 2021 19:33:43 +0000 (14:33 -0500)]
cadence_gem: switch to use qemu_receive_packet() for loopback
Git-commit:
e73adfbeec9d4e008630c814759052ed945c3fed
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Alexander Bulekov [Mon, 1 Mar 2021 15:33:34 +0000 (10:33 -0500)]
pcnet: switch to use qemu_receive_packet() for loopback
Git-commit:
99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Alexander Bulekov [Fri, 26 Feb 2021 18:47:53 +0000 (13:47 -0500)]
rtl8139: switch to use qemu_receive_packet() for loopback
Git-commit:
5311fb805a4403bba024e83886fa0e7572265de4
References: bsc#1182968, CVE-2021-3416
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Jason Wang [Wed, 24 Feb 2021 05:27:52 +0000 (13:27 +0800)]
tx_pkt: switch to use qemu_receive_packet_iov() for loopback
Git-commit:
8c552542b81e56ff532dd27ec6e5328954bdda73
This patch switches to use qemu_receive_receive_iov() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Jason Wang [Wed, 24 Feb 2021 05:14:35 +0000 (13:14 +0800)]
sungem: switch to use qemu_receive_packet() for loopback
Git-commit:
8c92060d3c0248bd4d515719a35922cd2391b9b4
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Jason Wang [Wed, 24 Feb 2021 05:00:01 +0000 (13:00 +0800)]
msf2-mac: switch to use qemu_receive_packet() for loopback
Git-commit:
26194a58f4eb83c5bdf4061a1628508084450ba1
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Jason Wang [Wed, 24 Feb 2021 04:57:40 +0000 (12:57 +0800)]
dp8393x: switch to use qemu_receive_packet() for loopback packet
Git-commit:
331d2ac9ea307c990dc86e6493e8f0c48d14bb33
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Jason Wang [Wed, 24 Feb 2021 04:13:22 +0000 (12:13 +0800)]
e1000: switch to use qemu_receive_packet() for loopback
Git-commit:
1caff0340f49c93d535c6558a5138d20d475315c
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Jason Wang [Wed, 24 Feb 2021 03:44:36 +0000 (11:44 +0800)]
net: introduce qemu_receive_packet()
Git-commit:
705df5466c98f3efdd2b68d3b31dad86858acad7
References: bsc#1182968, CVE-2021-3416
Some NIC supports loopback mode and this is done by calling
nc->info->receive() directly which in fact suppresses the effort of
reentrancy check that is done in qemu_net_queue_send().
Unfortunately we can't use qemu_net_queue_send() here since for
loopback there's no sender as peer, so this patch introduce a
qemu_receive_packet() which is used for implementing loopback mode
for a NIC with this check.
NIC that supports loopback mode will be converted to this helper.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Jason Wang [Wed, 24 Feb 2021 05:45:28 +0000 (13:45 +0800)]
e1000: fail early for evil descriptor
Git-commit:
3de46e6fc489c52c9431a8a832ad8170a7569bd8
References: bsc#1182577, CVE-2021-20257
During procss_tx_desc(), driver can try to chain data descriptor with
legacy descriptor, when will lead underflow for the following
calculation in process_tx_desc() for bytes:
if (tp->size + bytes > msh)
bytes = msh - tp->size;
This will lead a infinite loop. So check and fail early if tp->size if
greater or equal to msh.
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Stefan Hajnoczi [Tue, 23 Feb 2021 14:46:42 +0000 (14:46 +0000)]
vhost-user-blk: fix blkcfg->num_queues endianness
Git-commit:
535255b43898d2e96744057eb86f8497d4d7a461
Treat the num_queues field as virtio-endian. On big-endian hosts the
vhost-user-blk num_queues field was in the wrong endianness.
Move the blkcfg.num_queues store operation from realize to
vhost_user_blk_update_config() so feature negotiation has finished and
we know the endianness of the device. VIRTIO 1.0 devices are
little-endian, but in case someone wants to use legacy VIRTIO we support
all endianness cases.
Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <
20210223144653.811468-2-stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Peng Liang [Tue, 2 Mar 2021 13:30:16 +0000 (21:30 +0800)]
lsilogic: Use PCIDevice::exit instead of DeviceState::unrealize
Git-commit:
faabca42cc4ff51110116dfe44d420c668b4d8d8
PCI_DEVICE has overwritten DeviceState::unrealize (pci_qdev_unrealize).
However, LSI53C895A, which is a subclass of PCI_DEVICE, overwrites it
again and doesn't save the parent's implementation so the PCI_DEVICE's
implementation of DeviceState::unrealize will never be called when
unrealize a LSI53C895A device. And it will lead to memory leak and
unplug failure.
For a PCI device, it's better to implement PCIDevice::exit instead of
DeviceState::unrealize. So let's change to use PCIDevice::exit.
Fixes:
a8632434c7e9 ("lsi: implement I/O memory space for Memory Move instructions")
Cc: qemu-stable@nongnu.org
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Message-Id: <
20210302133016.1221081-1-liangpeng10@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Matthew Rosato [Thu, 18 Feb 2021 20:53:29 +0000 (15:53 -0500)]
s390x/pci: restore missing Query PCI Function CLP data
Git-commit:
403af209db8c030ed1e000640cd3cd80c6882883
References: bsc#1183372
Some CLP response data was accidentally dropped when fixing endianness
issues with the Query PCI Function CLP response. All of these values are
sent as 0s to the guest for emulated devices, so the impact is only
observed on passthrough devices.
Fixes:
a4e2fff1b104 ("s390x/pci: fix endianness issues")
Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-Id: <
1613681609-9349-1-git-send-email-mjrosato@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Halil Pasic [Thu, 18 Feb 2021 03:40:59 +0000 (04:40 +0100)]
hw/s390x: fix build for virtio-9p-ccw
Git-commit:
24056cbfd577fd219d55c03f69df66e6351456e7
References: bsc#1182496
Commit
2c44220d05 ("meson: convert hw/arch*"), which migrated the old
Makefile.objs to meson.build accidentally excluded virtio-ccw-9p.c and
thus the virtio-9p-ccw device from the build (and potentially also
included the file virtio-ccw-blk.c twice in the source set). And since
CONFIG_VIRTFS can't be used the way it was used here (see commit
2c9dce0196 ("meson: do not use CONFIG_VIRTFS")), the preconditions have
to be written differently.
Let's fix this!
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Fixes:
2c44220d05 ("meson: convert hw/arch*")
Reported-by: Jakob Naucke <jakob.naucke@ibm.com>
Cc: qemu-stable@nongnu.org
[BR: back out the part which depends on the have_virtfs change]
Signed-off-by: Bruce Rogers <brogers@suse.com>
Dr. David Alan Gilbert [Wed, 24 Feb 2021 19:56:25 +0000 (19:56 +0000)]
virtiofs: drop remapped security.capability xattr as needed
Git-commit:
e586edcb410543768ef009eaa22a2d9dd4a53846
References: bsc#1183373, CVE-2021-20263
On Linux, the 'security.capability' xattr holds a set of
capabilities that can change when an executable is run, giving
a limited form of privilege escalation to those programs that
the writer of the file deemed worthy.
Any write causes the 'security.capability' xattr to be dropped,
stopping anyone from gaining privilege by modifying a blessed
file.
Fuse relies on the daemon to do this dropping, and in turn the
daemon relies on the host kernel to drop the xattr for it. However,
with the addition of -o xattrmap, the xattr that the guest
stores its capabilities in is now not the same as the one that
the host kernel automatically clears.
Where the mapping changes 'security.capability', explicitly clear
the remapped name to preserve the same behaviour.
This bug is assigned CVE-2021-20263.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Vitaly Cheptsov [Mon, 1 Mar 2021 19:59:18 +0000 (22:59 +0300)]
i386/acpi: restore device paths for pre-5.1 vms
Git-commit:
0a343a5add75f9f90c65e932863d57ddbcb28f5c
After fixing the _UID value for the primary PCI root bridge in
af1b80ae it was discovered that this change updates Windows
configuration in an incompatible way causing network configuration
failure unless DHCP is used. More details provided on the list:
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg08484.html
This change reverts the _UID update from 1 to 0 for q35 and i440fx
VMs before version 5.2 to maintain the original behaviour when
upgrading.
Cc: qemu-stable@nongnu.org
Cc: qemu-devel@nongnu.org
Reported-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Suggested-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Vitaly Cheptsov <cheptsov@ispras.ru>
Message-Id: <
20210301195919.9333-1-cheptsov@ispras.ru>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Fixes:
af1b80ae56c9 ("i386/acpi: fix inconsistent QEMU/OVMF device paths")
Signed-off-by: Bruce Rogers <brogers@suse.com>
Bruce Rogers [Sat, 13 Feb 2021 03:23:18 +0000 (20:23 -0700)]
spice-app: avoid crash when core spice module doesn't loaded
git-commit:
122e4ef6dea14a078a860ca253852e18ddebb8e2
When qemu is built with modules, but a given module doesn't load
qemu should handle that gracefully. When ui-spice-core.so isn't
able to be loaded and qemu is invoked with -display spice-app or
-spice, qemu will dereference a null pointer. With this change we
check the pointer before dereferencing and error out in a normal
way.
Signed-off-by: Bruce Rogers <brogers@suse.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <
20210213032318.346093-1-brogers@suse.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Vivek Goyal [Mon, 8 Feb 2021 22:40:24 +0000 (17:40 -0500)]
viriofsd: Add support for FUSE_HANDLE_KILLPRIV_V2
Git-commit:
d64907acbf6e436099fd26fbb6312fd56f9fb29d
References: bsc#1183373, CVE-2021-20263
This patch adds basic support for FUSE_HANDLE_KILLPRIV_V2. virtiofsd
can enable/disable this by specifying option "-o killpriv_v2/no_killpriv_v2".
By default this is enabled as long as client supports it
Enabling this option helps with performance in write path. Without this
option, currently every write is first preceeded with a getxattr() operation
to find out if security.capability is set. (Write is supposed to clear
security.capability). With this option enabled, server is signing up for
clearing security.capability on every WRITE and also clearing suid/sgid
subject to certain rules. This gets rid of extra getxattr() call for every
WRITE and improves performance. This is true when virtiofsd is run with
option -o xattr.
What does enabling FUSE_HANDLE_KILLPRIV_V2 mean for file server implementation.
It needs to adhere to following rules. Thanks to Miklos for this summary.
- clear "security.capability" on write, truncate and chown unconditionally
- clear suid/sgid in case of following. Note, sgid is cleared only if
group executable bit is set.
o setattr has FATTR_SIZE and FATTR_KILL_SUIDGID set.
o setattr has FATTR_UID or FATTR_GID
o open has O_TRUNC and FUSE_OPEN_KILL_SUIDGID
o create has O_TRUNC and FUSE_OPEN_KILL_SUIDGID flag set.
o write has FUSE_WRITE_KILL_SUIDGID
>From Linux VFS client perspective, here are the requirements.
- caps are always cleared on chown/write/truncate
- suid is always cleared on chown, while for truncate/write it is cleared
only if caller does not have CAP_FSETID.
- sgid is always cleared on chown, while for truncate/write it is cleared
only if caller does not have CAP_FSETID as well as file has group execute
permission.
virtiofsd implementation has not changed much to adhere to above ruls. And
reason being that current assumption is that we are running on Linux
and on top of filesystems like ext4/xfs which already follow above rules.
On write, truncate, chown, seucurity.capability is cleared. And virtiofsd
drops CAP_FSETID if need be and that will lead to clearing of suid/sgid.
But if virtiofsd is running on top a filesystem which breaks above assumptions,
then it will have to take extra actions to emulate above. That's a TODO
for later when need arises.
Note: create normally is supposed to be called only when file does not
exist. So generally there should not be any question of clearing
setuid/setgid. But it is possible that after client checks that
file is not present, some other client creates file on server
and this race can trigger sending FUSE_CREATE. In that case, if
O_TRUNC is set, we should clear suid/sgid if FUSE_OPEN_KILL_SUIDGID
is also set.
v3:
- Resolved conflicts due to lo_inode_open() changes.
- Moved capability code in lo_do_open() so that both lo_open() and
lo_create() can benefit from common code.
- Dropped changes to kernel headers as these are part of qemu already.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <
20210208224024.43555-3-vgoyal@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Vivek Goyal [Mon, 8 Feb 2021 22:40:23 +0000 (17:40 -0500)]
virtiofsd: Save error code early at the failure callsite
Git-commit:
1e08f164e9fdc9528ad6990012301b9a04b0bc90
References: bsc#1183373, CVE-2021-20263
Change error code handling slightly in lo_setattr(). Right now we seem
to jump to out_err and assume that "errno" is valid and use that to
send reply.
But if caller has to do some other operations before jumping to out_err,
then it does the dance of first saving errno to saverr and the restore
errno before jumping to out_err. This makes it more confusing.
I am about to make more changes where caller will have to do some
work after error before jumping to out_err. I found it easier to
change the convention a bit. That is caller saves error in "saverr"
before jumping to out_err. And out_err uses "saverr" to send error
back and does not rely on "errno" having actual error.
v3: Resolved conflicts in lo_setattr() due to lo_inode_open() changes.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <
20210208224024.43555-2-vgoyal@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Philippe Mathieu-Daudé [Fri, 5 Feb 2021 17:18:11 +0000 (18:18 +0100)]
tools/virtiofsd: Replace the word 'whitelist'
Git-commit:
a65963efa3a8533e8c9fc62e899147612d913058
References: bsc#1183373, CVE-2021-20263
Follow the inclusive terminology from the "Conscious Language in your
Open Source Projects" guidelines [*] and replace the words "whitelist"
appropriately.
[*] https://github.com/conscious-lang/conscious-lang-docs/blob/main/faq.md
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <
20210205171817.2108907-3-philmd@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Kevin Wolf [Fri, 12 Feb 2021 17:20:27 +0000 (18:20 +0100)]
monitor: Fix assertion failure on shutdown
Git-commit:
c81219a7dd36a815bd85beed9932fc973d4f5d51
Commit
357bda95 already tried to fix the order in monitor_cleanup() by
moving shutdown of the dispatcher coroutine further to the start.
However, it didn't go far enough:
iothread_stop() makes sure that all pending work (bottom halves) in the
AioContext of the monitor iothread is completed. iothread_destroy()
depends on this and fails an assertion if there is still a pending BH.
While the dispatcher coroutine is running, it will try to resume the
monitor after taking a request out of the queue, which involves a BH.
The dispatcher is run until it terminates in the AIO_WAIT_WHILE() loop.
However, adding new BHs between iothread_stop() and iothread_destroy()
is forbidden.
Fix this by stopping the dispatcher first before shutting down the other
parts of the monitor. This means we can now receive requests that aren't
handled any more when QEMU is shutting down, but this is unlikely to be
a problem for QMP clients.
Fixes:
357bda9590784ff75803d52de43150d4107ed98e
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <
20210212172028.288825-2-kwolf@redhat.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Michael Qiu [Wed, 3 Feb 2021 02:40:59 +0000 (10:40 +0800)]
blockjob: Fix crash with IOthread when block commit after snapshot
Git-commit:
076d467aacdf6dc5d01e2e61740b1795f2aec2f6
Currently, if guest has workloads, IO thread will acquire aio_context
lock before do io_submit, it leads to segmentfault when do block commit
after snapshot. Just like below:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f7c7d91f700 (LWP 99907)]
0x00005576d0f65aab in bdrv_mirror_top_pwritev at ../block/mirror.c:1437
1437 ../block/mirror.c: No such file or directory.
(gdb) p s->job
$17 = (MirrorBlockJob *) 0x0
(gdb) p s->stop
$18 = false
Call trace of IO thread:
0 0x00005576d0f65aab in bdrv_mirror_top_pwritev at ../block/mirror.c:1437
1 0x00005576d0f7f3ab in bdrv_driver_pwritev at ../block/io.c:1174
2 0x00005576d0f8139d in bdrv_aligned_pwritev at ../block/io.c:1988
3 0x00005576d0f81b65 in bdrv_co_pwritev_part at ../block/io.c:2156
4 0x00005576d0f8e6b7 in blk_do_pwritev_part at ../block/block-backend.c:1260
5 0x00005576d0f8e84d in blk_aio_write_entry at ../block/block-backend.c:1476
...
Switch to qemu main thread:
0 0x00007f903be704ed in __lll_lock_wait at
/lib/../lib64/libpthread.so.0
1 0x00007f903be6bde6 in _L_lock_941 at /lib/../lib64/libpthread.so.0
2 0x00007f903be6bcdf in pthread_mutex_lock at
/lib/../lib64/libpthread.so.0
3 0x0000564b21456889 in qemu_mutex_lock_impl at
../util/qemu-thread-posix.c:79
4 0x0000564b213af8a5 in block_job_add_bdrv at ../blockjob.c:224
5 0x0000564b213b00ad in block_job_create at ../blockjob.c:440
6 0x0000564b21357c0a in mirror_start_job at ../block/mirror.c:1622
7 0x0000564b2135a9af in commit_active_start at ../block/mirror.c:1867
8 0x0000564b2133d132 in qmp_block_commit at ../blockdev.c:2768
9 0x0000564b2141fef3 in qmp_marshal_block_commit at
qapi/qapi-commands-block-core.c:346
10 0x0000564b214503c9 in do_qmp_dispatch_bh at
../qapi/qmp-dispatch.c:110
11 0x0000564b21451996 in aio_bh_poll at ../util/async.c:164
12 0x0000564b2146018e in aio_dispatch at ../util/aio-posix.c:381
13 0x0000564b2145187e in aio_ctx_dispatch at ../util/async.c:306
14 0x00007f9040239049 in g_main_context_dispatch at
/lib/../lib64/libglib-2.0.so.0
15 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:232
16 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:255
17 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:531
18 0x0000564b212304e1 in qemu_main_loop at ../softmmu/runstate.c:721
19 0x0000564b20f7975e in main at ../softmmu/main.c:50
In IO thread when do bdrv_mirror_top_pwritev, the job is NULL, and stop field
is false, this means the MirrorBDSOpaque "s" object has not been initialized
yet, and this object is initialized by block_job_create(), but the initialize
process is stuck in acquiring the lock.
In this situation, IO thread come to bdrv_mirror_top_pwritev(),which means that
mirror-top node is already inserted into block graph, but its bs->opaque->job
is not initialized.
The root cause is that qemu main thread do release/acquire when hold the lock,
at the same time, IO thread get the lock after release stage, and the crash
occured.
Actually, in this situation, job->job.aio_context will not equal to
qemu_get_aio_context(), and will be the same as bs->aio_context,
thus, no need to release the lock, becasue bdrv_root_attach_child()
will not change the context.
This patch fix this issue.
Fixes:
132ada80 "block: Adjust AioContexts when attaching nodes"
Signed-off-by: Michael Qiu <qiudayu@huayun.com>
Message-Id: <
20210203024059.52683-1-
08005325@163.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Kevin Wolf [Thu, 4 Feb 2021 07:21:37 +0000 (08:21 +0100)]
qemu-storage-daemon: Enable object-add
Git-commit:
15d40e9204eb3d89577187f117a1dde2237bdc4d
As we don't have a fully QAPIfied version of object-add yet and it still
has 'gen': false in the schema, it needs to be registered explicitly in
init_qmp_commands() to be available for users.
Fixes:
2af282ec51a27116d0402cab237b8970800f870c
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <
20210204072137.19663-1-kwolf@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Eric Blake [Tue, 9 Feb 2021 15:27:58 +0000 (09:27 -0600)]
qemu-nbd: Use SOMAXCONN for socket listen() backlog
Git-commit:
582d4210eb2f2ab5baac328fe4b479cd86da1647
Our default of a backlog of 1 connection is rather puny; it gets in
the way when we are explicitly allowing multiple clients (such as
qemu-nbd -e N [--shared], or nbd-server-start with its default
"max-connections":0 for unlimited), but is even a problem when we
stick to qemu-nbd's default of only 1 active client but use -t
[--persistent] where a second client can start using the server once
the first finishes. While the effects are less noticeable on TCP
sockets (since the client can poll() to learn when the server is ready
again), it is definitely observable on Unix sockets, where on Linux, a
client will fail with EAGAIN and no recourse but to sleep an arbitrary
amount of time before retrying if the server backlog is already full.
Since QMP nbd-server-start is always persistent, it now always
requests a backlog of SOMAXCONN; meanwhile, qemu-nbd will request
SOMAXCONN if persistent, otherwise its backlog should be based on the
expected number of clients.
See https://bugzilla.redhat.com/1925045 for a demonstration of where
our low backlog prevents libnbd from connecting as many parallel
clients as it wants.
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
CC: qemu-stable@nongnu.org
Message-Id: <
20210209152759.209074-2-eblake@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Stefano Garzarella [Fri, 8 Jan 2021 17:12:52 +0000 (18:12 +0100)]
virtio: move 'use-disabled-flag' property to hw_compat_4_2
Git-commit:
c126b4c57e0164549de606ca35d1512762051083
Commit
9d7bd0826f introduced a new 'use-disabled-flag' property
set to true by default.
To allow the migration, we set this property to false in the hw_compat,
but in the wrong place (hw_compat_4_1).
Since commit
9d7bd0826f was released with QEMU 5.0, we move
'use-disabled-flag' property to hw_compat_4_2, so 4.2 machine types
will have the pre-patch behavior and the migration can work.
The issue was discovered with vhost-vsock device and 4.2 machine
type without running any kernel in the VM:
$ qemu-4.2 -M pc-q35-4.2,accel=kvm \
-device vhost-vsock-pci,guest-cid=4 \
-monitor stdio -incoming tcp:0:3333
$ qemu-5.2 -M pc-q35-4.2,accel=kvm \
-device vhost-vsock-pci,guest-cid=3 \
-monitor stdio
(qemu) migrate -d tcp:0:3333
# qemu-4.2 output
qemu-system-x86_64: Failed to load virtio-vhost_vsock:virtio
qemu-system-x86_64: error while loading state for instance 0x0 of device '0000:00:03.0/virtio-vhost_vsock'
qemu-system-x86_64: load of migration failed: No such file or directory
Reported-by: Jing Zhao <jinzhao@redhat.com>
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1907255
Fixes:
9d7bd0826f ("virtio-pci: disable vring processing when bus-mastering is disabled")
Cc: mdroth@linux.vnet.ibm.com
CC: qemu-stable@nongnu.org
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <
20210108171252.209502-1-sgarzare@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Stefan Hajnoczi [Thu, 4 Feb 2021 15:02:08 +0000 (15:02 +0000)]
virtiofsd: prevent opening of special files (CVE-2020-35517)
Git-commit:
a3fdbbc7f271bff7d53d0501b29d910ece0b3789
References: bsc#1183373, CVE-2021-20263
A well-behaved FUSE client does not attempt to open special files with
FUSE_OPEN because they are handled on the client side (e.g. device nodes
are handled by client-side device drivers).
The check to prevent virtiofsd from opening special files is missing in
a few cases, most notably FUSE_OPEN. A malicious client can cause
virtiofsd to open a device node, potentially allowing the guest to
escape. This can be exploited by a modified guest device driver. It is
not exploitable from guest userspace since the guest kernel will handle
special files inside the guest instead of sending FUSE requests.
This patch fixes this issue by introducing the lo_inode_open() function
to check the file type before opening it. This is a short-term solution
because it does not prevent a compromised virtiofsd process from opening
device nodes on the host.
Restructure lo_create() to try O_CREAT | O_EXCL first. Note that O_CREAT
| O_EXCL does not follow symlinks, so O_NOFOLLOW masking is not
necessary here. If the file exists and the user did not specify O_EXCL,
open it via lo_do_open().
Reported-by: Alex Xu <alex@alxu.ca>
Fixes: CVE-2020-35517
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <
20210204150208.367837-4-stefanha@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Stefan Hajnoczi [Thu, 4 Feb 2021 15:02:07 +0000 (15:02 +0000)]
virtiofsd: optionally return inode pointer from lo_do_lookup()
Git-commit:
22d2ece71e533310da31f2857ebc4a00d91968b3
References: bsc#1183373, CVE-2021-20263
lo_do_lookup() finds an existing inode or allocates a new one. It
increments nlookup so that the inode stays alive until the client
releases it.
Existing callers don't need the struct lo_inode so the function doesn't
return it. Extend the function to optionally return the inode. The next
commit will need it.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Message-Id: <
20210204150208.367837-3-stefanha@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Stefan Hajnoczi [Thu, 4 Feb 2021 15:02:06 +0000 (15:02 +0000)]
virtiofsd: extract lo_do_open() from lo_open()
Git-commit:
8afaaee976965b7fb90ec225a51d60f35c5f173c
References: bsc#1183373, CVE-2021-20263
Both lo_open() and lo_create() have similar code to open a file. Extract
a common lo_do_open() function from lo_open() that will be used by
lo_create() in a later commit.
Since lo_do_open() does not otherwise need fuse_req_t req, convert
lo_add_fd_mapping() to use struct lo_data *lo instead.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <
20210204150208.367837-2-stefanha@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Philippe Mathieu-Daudé [Sun, 31 Jan 2021 10:34:01 +0000 (11:34 +0100)]
hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
Git-commit:
edfe2eb4360cde4ed5d95bda7777edcb3510f76a
References: bsc#1181933
Per the ARM Generic Interrupt Controller Architecture specification
(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
not 10:
- 4.3 Distributor register descriptions
- 4.3.15 Software Generated Interrupt Register, GICD_SG
- Table 4-21 GICD_SGIR bit assignments
The Interrupt ID of the SGI to forward to the specified CPU
interfaces. The value of this field is the Interrupt ID, in
the range 0-15, for example a value of 0b0011 specifies
Interrupt ID 3.
Correct the irq mask to fix an undefined behavior (which eventually
lead to a heap-buffer-overflow, see [Buglink]):
$ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
[I
1612088147.116987] OPENED
[R +0.278293] writel 0x8000f00 0xff4affb0
../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
This fixes a security issue when running with KVM on Arm with
kernel-irqchip=off. (The default is kernel-irqchip=on, which is
unaffected, and which is also the correct choice for performance.)
Cc: qemu-stable@nongnu.org
Fixes: CVE-2021-20221
Fixes:
9ee6e8bb853 ("ARMv7 support.")
Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id:
20210131103401.217160-1-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Kevin Wolf [Mon, 18 Jan 2021 12:34:47 +0000 (13:34 +0100)]
block: Separate blk_is_writable() and blk_supports_write_perm()
Git-commit:
86b1cf322789b79c8ace977430ac6a443d491cc0
Currently, blk_is_read_only() tells whether a given BlockBackend can
only be used in read-only mode because its root node is read-only. Some
callers actually try to answer a slightly different question: Is the
BlockBackend configured to be writable, by taking write permissions on
the root node?
This can differ, for example, for CD-ROM devices which don't take write
permissions, but may be backed by a writable image file. scsi-cd allows
write requests to the drive if blk_is_read_only() returns false.
However, the write request will immediately run into an assertion
failure because the write permission is missing.
This patch introduces separate functions for both questions.
blk_supports_write_perm() answers the question whether the block
node/image file can support writable devices, whereas blk_is_writable()
tells whether the BlockBackend is currently configured to be writable.
All calls of blk_is_read_only() are converted to one of the two new
functions.
Fixes: https://bugs.launchpad.net/bugs/1906693
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <
20210118123448.307825-2-kwolf@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Markus Armbruster [Wed, 25 Nov 2020 10:02:20 +0000 (11:02 +0100)]
net: Fix handling of id in netdev_add and netdev_del
Git-commit:
831734cce6494032e9233caff4d8442b3a1e7fef
CLI -netdev accumulates in option group "netdev".
Before commit
08712fcb85 "net: Track netdevs in NetClientState rather
than QemuOpt", netdev_add added to the option group, and netdev_del
removed from it, both HMP and QMP. Thus, every netdev had a
corresponding QemuOpts in this option group.
Commit
08712fcb85 dropped this for QMP netdev_add and both netdev_del.
Now a netdev has a corresponding QemuOpts only when it was created
with CLI or HMP. Two issues:
* QMP and HMP netdev_del can leave QemuOpts behind, breaking HMP
netdev_add. Reproducer:
$ qemu-system-x86_64 -S -display none -nodefaults -monitor stdio
QEMU 5.1.92 monitor - type 'help' for more information
(qemu) netdev_add user,id=net0
(qemu) info network
net0: index=0,type=user,net=10.0.2.0,restrict=off
(qemu) netdev_del net0
(qemu) info network
(qemu) netdev_add user,id=net0
upstream-qemu: Duplicate ID 'net0' for netdev
Try "help netdev_add" for more information
Fix by restoring the QemuOpts deletion in qmp_netdev_del(), but with
a guard, because the QemuOpts need not exist.
* QMP netdev_add loses its "no duplicate ID" check. Reproducer:
$ qemu-system-x86_64 -S -display none -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 92, "minor": 1, "major": 5}, "package": "v5.2.0-rc2-1-g02c1f0142c"}, "capabilities": ["oob"]}}
{"execute": "qmp_capabilities"}
{"return": {}}
{"execute": "netdev_add", "arguments": {"type": "user", "id":"net0"}}
{"return": {}}
{"execute": "netdev_add", "arguments": {"type": "user", "id":"net0"}}
{"return": {}}
Fix by adding a duplicate ID check to net_client_init1() to replace
the lost one. The check is redundant for callers where QemuOpts
still checks, i.e. for CLI and HMP.
Reported-by: Andrew Melnichenko <andrew@daynix.com>
Fixes:
08712fcb851034228b61f75bd922863a984a4f60
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Eric Farman [Mon, 4 Jan 2021 20:20:57 +0000 (21:20 +0100)]
vfio-ccw: Connect the device request notifier
Git-commit:
b2f96f9e4f5fbc8f2770a436191cb328da4d5350
References: 1183634
Now that the vfio-ccw code has a notifier interface to request that
a device be unplugged, let's wire that together.
Signed-off-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Message-Id: <
20210104202057.48048-4-farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Eric Farman [Mon, 4 Jan 2021 20:20:56 +0000 (21:20 +0100)]
Update linux headers to 5.11-rc2
Git-commit:
b3c818a47f419b6e2f5508fe29e7a30843236fee
References: bsc#1183634
Signed-off-by: Eric Farman <farman@linux.ibm.com>
Message-Id: <
20210104202057.48048-3-farman@linux.ibm.com>
[CH: dropped qatomic->atomic changes in pvrdma_ring.h]
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Eric Farman [Mon, 4 Jan 2021 20:20:55 +0000 (21:20 +0100)]
update-linux-headers: Include const.h
Git-commit:
ab5ec23f9cc25215c1281d575c07c0f35e8e9e26
References: bsc#1183634
Kernel commit
a85cbe6159ff ("uapi: move constants from
<linux/kernel.h> to <linux/const.h>") breaks our script
because of the unrecognized include. Let's add that to
our processing.
Signed-off-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <
20210104202057.48048-2-farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Richard Henderson [Wed, 13 Jan 2021 06:26:50 +0000 (20:26 -1000)]
target/arm: Update REV, PUNPK for pred_desc
Git-commit:
70acaafef2e053a312d54c09b6721c730690e72c
Update all users of do_perm_pred2 for the new
predicate descriptor field definitions.
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/bugs/1908551
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id:
20210113062650.593824-5-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Richard Henderson [Wed, 13 Jan 2021 06:26:49 +0000 (20:26 -1000)]
target/arm: Update ZIP, UZP, TRN for pred_desc
Git-commit:
f9b0fcceccfc05cde62ff7577fbf2bc13b842414
Update all users of do_perm_pred3 for the new
predicate descriptor field definitions.
Cc: qemu-stable@nongnu.org
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id:
20210113062650.593824-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Richard Henderson [Wed, 13 Jan 2021 06:26:48 +0000 (20:26 -1000)]
target/arm: Update PFIRST, PNEXT for pred_desc
Git-commit:
86300b5d044064046395ae8ed605cc19e63f2a7c
These two were odd, in that do_pfirst_pnext passed the
count of 64-bit words rather than bytes. Change to pass
the standard pred_full_reg_size to avoid confusion.
Cc: qemu-stable@nongnu.org
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id:
20210113062650.593824-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Richard Henderson [Wed, 13 Jan 2021 06:26:47 +0000 (20:26 -1000)]
target/arm: Introduce PREDDESC field definitions
Git-commit:
b64ee454a4a086ed459bcda4c0bbb54e197841e4
SVE predicate operations cannot use the "usual" simd_desc
encoding, because the lengths are not a multiple of 8.
But we were abusing the SIMD_* fields to store values anyway.
This abuse broke when SIMD_OPRSZ_BITS was modified in
e2e7168a214.
Introduce a new set of field definitions for exclusive use
of predicates, so that it is obvious what kind of predicate
we are manipulating. To be used in future patches.
Cc: qemu-stable@nongnu.org
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id:
20210113062650.593824-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Greg Kurz [Thu, 14 Jan 2021 16:04:12 +0000 (17:04 +0100)]
9pfs: Fully restart unreclaim loop (CVE-2021-20181)
Git-commit:
89fbea8737e8f7b954745a1ffc4238d377055305
References: bsc#1182137
Depending on the client activity, the server can be asked to open a huge
number of file descriptors and eventually hit RLIMIT_NOFILE. This is
currently mitigated using a reclaim logic : the server closes the file
descriptors of idle fids, based on the assumption that it will be able
to re-open them later. This assumption doesn't hold of course if the
client requests the file to be unlinked. In this case, we loop on the
entire fid list and mark all related fids as unreclaimable (the reclaim
logic will just ignore them) and, of course, we open or re-open their
file descriptors if needed since we're about to unlink the file.
This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
opening of a file can cause the coroutine to yield, another client
request could possibly add a new fid that we may want to mark as
non-reclaimable as well. The loop is thus restarted if the re-open
request was actually transmitted to the backend. This is achieved
by keeping a reference on the first fid (head) before traversing
the list.
This is wrong in several ways:
- a potential clunk request from the client could tear the first
fid down and cause the reference to be stale. This leads to a
use-after-free error that can be detected with ASAN, using a
custom 9p client
- fids are added at the head of the list : restarting from the
previous head will always miss fids added by a some other
potential request
All these problems could be avoided if fids were being added at the
end of the list. This can be achieved with a QSIMPLEQ, but this is
probably too much change for a bug fix. For now let's keep it
simple and just restart the loop from the current head.
Fixes: CVE-2021-20181
Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Message-Id: <
161064025265.1838153.
15185571283519390907.stgit@bahia.lan>
Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Peter Maydell [Fri, 8 Jan 2021 18:04:00 +0000 (18:04 +0000)]
hw/net/lan9118: Fix RX Status FIFO PEEK value
Git-commit:
e7e29fdbbe07fb762d85af9c4d8eeff9b0f52a8e
A copy-and-paste error meant that the return value for register offset 0x44
(the RX Status FIFO PEEK register) returned a byte from a bogus offset in
the rx status FIFO. Fix the typo.
Cc: qemu-stable@nongnu.org
Fixes: https://bugs.launchpad.net/qemu/+bug/1904954
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id:
20210108180401.2263-2-peter.maydell@linaro.org
Signed-off-by: Bruce Rogers <brogers@suse.com>
Peter Maydell [Fri, 8 Jan 2021 19:51:57 +0000 (19:51 +0000)]
target/arm: Don't decode insns in the XScale/iWMMXt space as cp insns
Git-commit:
e4d51ac6921dc861bfb3d20e4c7dcf345840a9da
In commit
cd8be50e58f63413c0 we converted the A32 coprocessor
insns to decodetree. This accidentally broke XScale/iWMMXt insns,
because it moved the handling of "cp insns which are handled
by looking up the cp register in the hashtable" from after the
call to the legacy disas_xscale_insn() decode to before it,
with the result that all XScale/iWMMXt insns now UNDEF.
Update valid_cp() so that it knows that on XScale cp 0 and 1
are not standard coprocessor instructions; this will cause
the decodetree trans_ functions to ignore them, so that
execution will correctly get through to the legacy decode again.
Cc: qemu-stable@nongnu.org
Reported-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Message-id:
20210108195157.32067-1-peter.maydell@linaro.org
Signed-off-by: Bruce Rogers <brogers@suse.com>
Richard Henderson [Mon, 21 Dec 2020 20:44:26 +0000 (12:44 -0800)]
target/arm: Fix MTE0_ACTIVE
Git-commit:
cc97b0019bb590b9b3c2a623e9ebee48831e0ce3
In
50244cc76abc we updated mte_check_fail to match the ARM
pseudocode, using the correct EL to select the TCF field.
But we failed to update MTE0_ACTIVE the same way, which led
to g_assert_not_reached().
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/bugs/1907137
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id:
20201221204426.88514-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Philippe Mathieu-Daudé [Sat, 5 Dec 2020 15:09:03 +0000 (16:09 +0100)]
hw/timer/slavio_timer: Allow 64-bit accesses
Git-commit:
62a9b228b5fefe0f9e364dfeaf3c65022c63cdb9
Per the "NCR89C105 Chip Specification" referenced in the header:
Chip-level Address Map
------------------------------------------------------------------
| 1D0 0000 -> | Counter/Timers | W,D |
| 1DF FFFF | | |
...
The address map indicated the allowed accesses at each address.
[...] W indicates a word access, and D indicates a double-word
access.
The SLAVIO timer controller is implemented expecting 32-bit accesses.
Commit
a3d12d073e1 restricted the memory accesses to 32-bit, while
the device allows 64-bit accesses.
This was not an issue until commit
5d971f9e67 which reverted
("memory: accept mismatching sizes in memory_region_access_valid").
Fix by renaming .valid MemoryRegionOps as .impl, and add the valid
access range (W -> 4, D -> 8).
Since commit
21786c7e598 ("memory: Log invalid memory accesses")
this class of bug can be quickly debugged displaying 'guest_errors'
accesses, as:
$ qemu-system-sparc -M SS-20 -m 256 -bios ss20_v2.25_rom -serial stdio -d guest_errors
Power-ON Reset
Invalid access at addr 0x0, size 8, region 'timer-1', reason: invalid size (min:4 max:4)
$ qemu-system-sparc -M SS-20 -m 256 -bios ss20_v2.25_rom -monitor stdio -S
(qemu) info mtree
address-space: memory
0000000000000000-
ffffffffffffffff (prio 0, i/o): system
...
0000000ff1300000-
0000000ff130000f (prio 0, i/o): timer-1
^^^^^^^^^ ^^^^^^^
\ memory region base address and name /
(qemu) info qtree
bus: main-system-bus
dev: slavio_timer, id "" <-- device type name
gpio-out "sysbus-irq" 17
num_cpus = 1 (0x1)
mmio
0000000ff1310000/
0000000000000014
mmio
0000000ff1300000/
0000000000000010 <--- base address
mmio
0000000ff1301000/
0000000000000010
mmio
0000000ff1302000/
0000000000000010
...
Reported-by: Yap KV <yapkv@yahoo.com>
Buglink: https://bugs.launchpad.net/bugs/1906905
Fixes:
a3d12d073e1 ("slavio_timer: convert to memory API")
CC: qemu-stable@nongnu.org
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <
20201205150903.3062711-1-f4bug@amsat.org>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Richard Henderson [Tue, 15 Dec 2020 17:47:59 +0000 (11:47 -0600)]
tcg: Use memset for large vector byte replication
Git-commit:
6d3ef04893bdea3e7aa08be3cce5141902836a31
In
f47db80cc07, we handled odd-sized tail clearing for
the case of hosts that have vector operations, but did
not handle the case of hosts that do not have vector ops.
This was ok until
e2e7168a214b, which changed the encoding
of simd_desc such that the odd sizes are impossible.
Add memset as a tcg helper, and use that for all out-of-line
byte stores to vectors. This includes, but is not limited to,
the tail clearing operation in question.
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/bugs/1907817
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Max Reitz [Thu, 17 Dec 2020 15:38:03 +0000 (16:38 +0100)]
iotests: Fix _send_qemu_cmd with bash 5.1
Git-commit:
0e72078128229bf9efb542e396ab44bf91b91340
References: boo#1181054
With bash 5.1, the output of the following script changes:
a=("double space")
a=${a[@]:0:1}
echo "$a"
from "double space" to "double space", i.e. all white space is
preserved as-is. This is probably what we actually want here (judging
from the "...to accommodate pathnames with spaces" comment), but before
5.1, we would have to quote the ${} slice to get the same behavior.
In any case, without quoting, the reference output of many iotests is
different between bash 5.1 and pre-5.1, which is not very good. The
output of 5.1 is what we want, so whatever we do to get pre-5.1 to the
same result, it means we have to fix the reference output of basically
all tests that invoke _send_qemu_cmd (except the ones that only use
single spaces in the commands they invoke).
Instead of quoting the ${} slice (cmd="${$@: 1:...}"), we can also just
not use array slicing and replace the whole thing with a simple "cmd=$1;
shift", which works because all callers quote the whole $cmd argument
anyway.
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <
20201217153803.101231-3-mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Peter Lieven [Wed, 9 Dec 2020 12:17:35 +0000 (13:17 +0100)]
block/nfs: fix int overflow in nfs_client_open_qdict
Git-commit:
182454dc63c66ff5a29eddd60cc987b6a1b45e7f
nfs_client_open returns the file size in sectors. This effectively
makes it impossible to open files larger than 1TB.
Fixes:
c22a03454544c2a08f1107c5cc8481a5574533d5
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <
20201209121735.16437-1-pl@kamp.de>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Christian Ehrhardt [Mon, 14 Dec 2020 15:09:38 +0000 (16:09 +0100)]
build: -no-pie is no functional linker flag
Git-commit:
bbd2d5a8120771ec59b86a80a1f51884e0a26e53
Recent binutils changes dropping unsupported options [1] caused a build
issue in regard to the optionroms.
ld -m elf_i386 -T /<<PKGBUILDDIR>>/pc-bios/optionrom//flat.lds -no-pie \
-s -o multiboot.img multiboot.o
ld.bfd: Error: unable to disambiguate: -no-pie (did you mean --no-pie ?)
This isn't really a regression in ld.bfd, filing the bug upstream
revealed that this never worked as a ld flag [2] - in fact it seems we
were by accident setting --nmagic).
Since it never had the wanted effect this usage of LDFLAGS_NOPIE, should be
droppable without any effect. This also is the only use-case of LDFLAGS_NOPIE
in .mak, therefore we can also remove it from being added there.
[1]: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=
983d925d
[2]: https://sourceware.org/bugzilla/show_bug.cgi?id=27050#c5
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Message-Id: <
20201214150938.1297512-1-christian.ehrhardt@canonical.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Paolo Bonzini [Tue, 1 Dec 2020 14:29:56 +0000 (09:29 -0500)]
memory: clamp cached translation in case it points to an MMIO region
Git-commit:
4bfb024bc76973d40a359476dc0291f46e435442
References: bsc#1179686, CVE-2020-27821
In using the address_space_translate_internal API, address_space_cache_init
forgot one piece of advice that can be found in the code for
address_space_translate_internal:
/* MMIO registers can be expected to perform full-width accesses based only
* on their address, without considering adjacent registers that could
* decode to completely different MemoryRegions. When such registers
* exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
* regions overlap wildly. For this reason we cannot clamp the accesses
* here.
*
* If the length is small (as is the case for address_space_ldl/stl),
* everything works fine. If the incoming length is large, however,
* the caller really has to do the clamping through memory_access_size.
*/
address_space_cache_init is exactly one such case where "the incoming length
is large", therefore we need to clamp the resulting length---not to
memory_access_size though, since we are not doing an access yet, but to
the size of the resulting section. This ensures that subsequent accesses
to the cached MemoryRegionSection will be in range.
With this patch, the enclosed testcase notices that the used ring does
not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
error.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Gerd Hoffmann [Tue, 15 Dec 2020 08:11:51 +0000 (09:11 +0100)]
audio: add sanity check
Git-commit:
06c8c375389a54d8e4457d967f4f0896caecefb2
References: boo#1180210
Check whenever we actually found the spiceaudio driver
before flipping the can_be_default field.
Fixes:
f0c4555edfdd ("audio: remove qemu_spice_audio_init()")
Buglink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977301
Reported-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <
20201215081151.20095-1-kraxel@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Kevin Wolf [Thu, 3 Dec 2020 17:23:11 +0000 (18:23 +0100)]
block: Fix deadlock in bdrv_co_yield_to_drain()
Git-commit:
960d5fb3e8ee09bc5f1a5c84f66dce42a6cef920
If bdrv_co_yield_to_drain() is called for draining a block node that
runs in a different AioContext, it keeps that AioContext locked while it
yields and schedules a BH in the AioContext to do the actual drain.
As long as executing the BH is the very next thing that the event loop
of the node's AioContext does, this actually happens to work, but when
it tries to execute something else that wants to take the AioContext
lock, it will deadlock. (In the bug report, this other thing is a
virtio-scsi device running virtio_scsi_data_plane_handle_cmd().)
Instead, always drop the AioContext lock across the yield and reacquire
it only when the coroutine is reentered. The BH needs to unconditionally
take the lock for itself now.
This fixes the 'block_resize' QMP command on a block node that runs in
an iothread.
Cc: qemu-stable@nongnu.org
Fixes:
eb94b81a94bce112e6b206df846c1551aaf6cab6
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1903511
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <
20201203172311.68232-4-kwolf@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Kevin Wolf [Thu, 3 Dec 2020 17:23:10 +0000 (18:23 +0100)]
block: Fix locking in qmp_block_resize()
Git-commit:
8089eab2bd5fb160b038e64e14cf7ffb3f37091e
The drain functions assume that we hold the AioContext lock of the
drained block node. Make sure to actually take the lock.
Cc: qemu-stable@nongnu.org
Fixes:
eb94b81a94bce112e6b206df846c1551aaf6cab6
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <
20201203172311.68232-3-kwolf@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Kevin Wolf [Thu, 3 Dec 2020 17:23:09 +0000 (18:23 +0100)]
block: Simplify qmp_block_resize() error paths
Git-commit:
d9dbf25f9624aac43e4357019bed4422f0b3368d
The only thing that happens after the 'out:' label is blk_unref(blk).
However, blk = NULL in all of the error cases, so instead of jumping to
'out:', we can just return directly.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <
20201203172311.68232-2-kwolf@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
Peng Liang [Mon, 16 Nov 2020 14:13:38 +0000 (22:13 +0800)]
ui/vnc: Add missing lock for send_color_map
Git-commit:
947191b4312a547621566d77d7b922d9e13bb63d
vnc_write() should be locked after the RFB protocol is initialized.
Fixes:
0c426e4534b4 ("vnc: Add support for color map")
Cc: qemu-stable@nongnu.org
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Message-id:
20201116141338.148911-1-liangpeng10@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
SoonKyu Park [Tue, 23 Nov 2021 04:45:12 +0000 (13:45 +0900)]
Imported vendor release 5.2.0-20.1
SoonKyu Park [Tue, 23 Nov 2021 04:40:00 +0000 (13:40 +0900)]
Imported Upstream version 5.2.0
biao716.wang [Thu, 4 Nov 2021 16:13:17 +0000 (01:13 +0900)]
To support syscall_389
Change-Id: I7e780307e9c64525961fc70ecc7e1fcfb29d8d5e
Signed-off-by: biao716.wang <biao716.wang@samsung.com>
Dongkyun, Son [Fri, 24 Feb 2017 08:47:58 +0000 (17:47 +0900)]
packaging: add armv7hl support
Change-Id: I5e2568eb66be2fd4c10b4b6d6b376269b1e0b56d
Signed-off-by: Dongkyun, Son <dongkyun.s@samsung.com>
(cherry picked from commit
a91f333858752b70d41d1e98a0c75fe4d59ce72a)
hyokeun.jeon [Fri, 28 May 2021 09:14:49 +0000 (18:14 +0900)]
Revert 8f8f75: "linux-user: Run multi-threaded code on a single core"
Approved by Tizen PL team at 2021-05-27
Change-Id: I96f1312f0dd2d1e7aca611486c8df35669e2f722
SoonKyu Park [Fri, 3 Apr 2020 00:31:58 +0000 (09:31 +0900)]
Merge '[Qemu-devel] [PATCH for-4.1] linux-user: Make sigaltstack stacks per-thread' for go language support
patch url : https://patchew.org/QEMU/
20190725131645.19501-1-peter.maydell@linaro.org/
Change-Id: I591a7d1eab277ecdedbe8a886de4fb553f31a264
Maxim Ostapenko [Fri, 8 Jul 2016 12:47:42 +0000 (15:47 +0300)]
ASan-related hack to speedup aarch64 builds.
Switch off memory pages checks in qemu if memory regions are mapped by ASan
Change-Id: I8233802ee35db00c799f5645072b8014f823b5c6
Signed-off-by: Maxim Ostapenko <m.ostapenko@samsung.com>
hyokeun [Tue, 27 Dec 2016 08:29:09 +0000 (17:29 +0900)]
Imported Upstream version 2.6.1
Pavel Kopyl [Tue, 23 Aug 2016 13:42:07 +0000 (13:42 +0000)]
Use different names for qemu-user binary:
1. qemu-linux-user-x86_64-cross for 64-bit.
2. qemu-linux-user-x86-cross for 32-bit.
Also keep binaries with old names.
Change-Id: Ib2487b82c57189942e0925427cb2144dc8817dec
Signed-off-by: Pavel Kopyl <p.kopyl@samsung.com>
Signed-off-by: Chan Lee <chan45.lee@samsung.com>
(cherry picked from commit
4f4fc9b2f8ac86e081b08fb48d77fa860626d148)
Dongkyun, Son [Mon, 29 Aug 2016 06:17:44 +0000 (15:17 +0900)]
removed qemu log (Unsupported syscall)
blocked unexpeced warning message (qemu: Unsupported syscall: 219 or 311)
Change-Id: If17b6d80c0835fcc44822551127eca068b23eec9
Signed-off-by: Dongkyun, Son <dongkyun.s@samsung.com>
(cherry picked from commit
6b4067f8f34ee83f94042551267e951ab0b5e10e)
hyokeun [Wed, 7 Sep 2016 08:54:56 +0000 (17:54 +0900)]
packaging: mic-bootstrap link issue
Julien Isorce [Tue, 10 May 2016 12:18:06 +0000 (13:18 +0100)]
binfmt: translate symbolic links correctly with realpath
Change-Id: Ic0eeac9de40a8e1082c83b442829ac28f68bff04
Signed-off-by: Julien Isorce <j.isorce@samsung.com>
Signed-off-by: Yury Usishchev <y.usishchev@samsung.com>
SoonKyu Park [Fri, 19 Feb 2016 00:05:59 +0000 (09:05 +0900)]
Modify spec file to build qemu package in Tools:qemu project and aggregate it to use it
Change-Id: Id2db3f863d1d3fcdb57f841b69c3acda94e32cef
Yury Usishchev [Wed, 5 Aug 2015 18:03:26 +0000 (21:03 +0300)]
Add compatibility symlinks
Symlinks to qemu binaries placed in directories where they are searched by
common non-Tizen binfmt_misc configurations (eq. in Ubuntu).
Change-Id: I6b8602736926dba24a7ffbc70c91222ec3ba5cc8
hyokeun [Tue, 6 Sep 2016 04:58:06 +0000 (13:58 +0900)]
packaging: ln -sf qemu-arm64, qemu-arm64-binfmt
Yury Usishchev [Wed, 5 Aug 2015 18:01:01 +0000 (21:01 +0300)]
binfmt: use binaries from /emul
This allows removing hardcoded architecture-dependent paths
from qemu-accel package. Also allows using symlinks for qemu-*-binfmt
as path don't depend on binary name now.
Change-Id: I92b9bc6df477ef925c761045d5307aca8cc1b2d4
Junfeng Dong [Tue, 19 Nov 2013 11:14:41 +0000 (19:14 +0800)]
enable 32 bit qemu for Tizen.
Change-Id: I75ecb5ef6952d1083c030f5e48ba2a24e4d6f4a1
Signed-off-by: Junfeng Dong <junfeng.dong@intel.com>
hyokeun [Tue, 6 Sep 2016 01:18:07 +0000 (10:18 +0900)]
packaging: Adding permissions-file-setuid-bit
hyokeun [Mon, 5 Sep 2016 11:12:59 +0000 (20:12 +0900)]
packaging: BuildRequires: -post-build-checks
Change-Id: I27b7123c2637e7af82d59ca5e7d5bd139d727647
hyokeun [Tue, 6 Sep 2016 05:29:28 +0000 (14:29 +0900)]
packaging: Disable libseccomp
Change-Id: I177741ece64572b63c7fbad8267324449735ca97
hyokeun [Mon, 5 Sep 2016 04:22:58 +0000 (13:22 +0900)]
packaging: add packaging directory
Change-Id: I7eb77abf7c4e5afdc9606c723c125910280c65e6
markkp [Thu, 11 Aug 2016 20:28:39 +0000 (16:28 -0400)]
configure: Fix detection of seccomp on s390x
Signed-off-by: Mark Post <mpost@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Andreas Schwab [Fri, 12 Aug 2016 16:20:49 +0000 (18:20 +0200)]
qemu-binfmt-conf: use qemu-ARCH-binfmt
Signed-off-by: Andreas Schwab <schwab@suse.de>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Bruce Rogers [Tue, 2 Aug 2016 17:36:02 +0000 (11:36 -0600)]
qemu-bridge-helper: reduce security profile
Change from using glib alloc and free routines to those
from libc. Also perform safety measure of dropping privs
to user if configured no-caps.
[BR: BOO#988279]
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: Rebased for v2.7.0-rc2]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Olaf Hering [Tue, 21 Jun 2016 16:42:45 +0000 (18:42 +0200)]
xen: SUSE xenlinux unplug for emulated PCI
Implement SUSE specific unplug protocol for emulated PCI devices
in PVonHVM guests
(bsc#953339, bsc#953362, bsc#953518, bsc#984981)
Signed-off-by: Olaf Hering <ohering@suse.de>
Olaf Hering [Fri, 1 Apr 2016 10:27:16 +0000 (12:27 +0200)]
build: link with libatomic on powerpc-linux
Building on powerpc-linux fails with undefined reference to
__atomic_load_8 in icount_warp_rt(). Force linking to -latomic.
Fixes a0aa44b ("include/qemu/atomic.h: default to __atomic functions")
Signed-off-by: Olaf Hering <olaf@aepfle.de>
Bruce Rogers [Wed, 9 Mar 2016 22:18:11 +0000 (15:18 -0700)]
xen_disk: Add suse specific flush disable handling and map to QEMU equiv
Add code to read the suse specific suse-diskcache-disable-flush flag out
of xenstore, and set the equivalent flag within QEMU.
Patch taken from Xen's patch queue, Olaf Hering being the original author.
[bsc#879425]
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Olaf Hering <olaf@aepfle.de>
Alexander Graf [Mon, 15 Jun 2015 15:36:32 +0000 (17:36 +0200)]
dictzip: Fix on big endian systems
The dictzip code in SLE11 received some treatment over time to support
running on big endian hosts. Somewhere in the transition to SLE12 this
support got lost. Add it back in again from the SLE11 code base.
Furthermore while at it, fix up the debug prints to not emit warnings.
[AG: BSC#937572]
Signed-off-by: Alexander Graf <agraf@suse.de>
[AF: Rebased for v2.7.0-rc2]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Alexander Graf [Wed, 14 Jan 2015 00:32:11 +0000 (01:32 +0100)]
AIO: Reduce number of threads for 32bit hosts
On hosts with limited virtual address space (32bit pointers), we can very
easily run out of virtual memory with big thread pools.
Instead, we should limit ourselves to small pools to keep memory footprint
low on those systems.
This patch fixes random VM stalls like
(process:25114): GLib-ERROR **: gmem.c:103: failed to allocate 1048576 bytes
on 32bit ARM systems for me.
Signed-off-by: Alexander Graf <agraf@suse.de>
Dinar Valeev [Wed, 2 Oct 2013 15:56:03 +0000 (17:56 +0200)]
configure: Enable PIE for ppc and ppc64 hosts
Signed-off-by: Dinar Valeev <dvaleev@suse.com>
[AF: Rebased for v1.7]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Bruce Rogers [Thu, 16 May 2013 10:39:10 +0000 (12:39 +0200)]
virtfs-proxy-helper: Provide __u64 for broken sys/capability.h
Fixes the build on SLE 11 SP2.
[AF: Extend to ppc64]
Alexander Graf [Thu, 13 Dec 2012 13:29:22 +0000 (14:29 +0100)]
linux-user: lseek: explicitly cast non-set offsets to signed
When doing lseek, SEEK_SET indicates that the offset is an unsigned variable.
Other seek types have parameters that can be negative.
When converting from 32bit to 64bit parameters, we need to take this into
account and enable SEEK_END and SEEK_CUR to be negative, while SEEK_SET stays
absolute positioned which we need to maintain as unsigned.
Signed-off-by: Alexander Graf <agraf@suse.de>
Alexander Graf [Thu, 1 Apr 2010 15:36:23 +0000 (17:36 +0200)]
Make char muxer more robust wrt small FIFOs
Virtio-Console can only process one character at a time. Using it on S390
gave me strage "lags" where I got the character I pressed before when
pressing one. So I typed in "abc" and only received "a", then pressed "d"
but the guest received "b" and so on.
While the stdio driver calls a poll function that just processes on its
queue in case virtio-console can't take multiple characters at once, the
muxer does not have such callbacks, so it can't empty its queue.
To work around that limitation, I introduced a new timer that only gets
active when the guest can not receive any more characters. In that case
it polls again after a while to check if the guest is now receiving input.
This patch fixes input when using -nographic on s390 for me.
[AF: Rebased for v2.7.0-rc2]
Alexander Graf [Mon, 6 Jun 2011 04:53:52 +0000 (06:53 +0200)]
console: add question-mark escape operator
Some termcaps (found using SLES11SP1) use [? sequences. According to man
console_codes (http://linux.die.net/man/4/console_codes) the question mark
is a nop and should simply be ignored.
This patch does exactly that, rendering screen output readable when
outputting guest serial consoles to the graphical console emulator.
Signed-off-by: Alexander Graf <agraf@suse.de>
Alexander Graf [Wed, 12 Dec 2012 18:11:30 +0000 (19:11 +0100)]
Legacy Patch kvm-qemu-preXX-dictzip3.patch
Alexander Graf [Wed, 5 Aug 2009 15:28:38 +0000 (17:28 +0200)]
block: Add tar container format
Tar is a very widely used format to store data in. Sometimes people even put
virtual machine images in there.
So it makes sense for qemu to be able to read from tar files. I implemented a
written from scratch reader that also knows about the GNU sparse format, which
is what pigz creates.
This version checks for filenames that end on well-known extensions. The logic
could be changed to search for filenames given on the command line, but that
would require changes to more parts of qemu.
The tar reader in conjunctiuon with dzip gives us the chance to download
tar'ed up virtual machine images (even via http) and instantly make use of
them.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Bruce Rogers <brogers@novell.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
[TH: Use bdrv_open options instead of filename]
Signed-off-by: Tim Hardeck <thardeck@suse.de>
[AF: bdrv_file_open got an Error **errp argument, bdrv_delete -> brd_unref]
[AF: qemu_opts_create_nofail() -> qemu_opts_create(),
bdrv_file_open() -> bdrv_open(), based on work by brogers]
[AF: error_is_set() dropped for v2.1.0-rc0]
[AF: BlockDriverAIOCB -> BlockAIOCB,
BlockDriverCompletionFunc -> BlockCompletionFunc,
qemu_aio_release() -> qemu_aio_unref(),
drop tar_aio_cancel()]
[AF: common-obj-y -> block-obj-y, drop probe hook (bsc#945778)]
[AF: Drop bdrv_open() drv parameter for 2.5]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: Changed bdrv_open() bs parameter and return value for v2.7.0-rc2,
for bdrv_pread() and bdrv_aio_readv() s/s->hd/s->hd->file/]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Alexander Graf [Wed, 5 Aug 2009 07:49:37 +0000 (09:49 +0200)]
block: Add support for DictZip enabled gzip files
DictZip is an extension to the gzip format that allows random seeks in gzip
compressed files by cutting the file into pieces and storing the piece offsets
in the "extra" header of the gzip format.
Thanks to that extension, we can use gzip compressed files as block backend,
though only in read mode.
This makes a lot of sense when stacked with tar files that can then be shipped
to VM users. If a VM image is inside a tar file that is inside a DictZip
enabled gzip file, the user can run the tar.gz file as is without having to
extract the image first.
Tar patch follows.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Bruce Rogers <brogers@novell.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
[TH: Use bdrv_open options instead of filename]
Signed-off-by: Tim Hardeck <thardeck@suse.de>
[AF: Error **errp added for bdrv_file_open, bdrv_delete -> bdrv_unref]
[AF: qemu_opts_create_nofail() -> qemu_opts_create(),
bdrv_file_open() -> bdrv_open(), based on work by brogers]
[AF: error_is_set() dropped for v2.1.0-rc0]
[AF: BlockDriverAIOCB -> BlockAIOCB,
BlockDriverCompletionFunc -> BlockCompletionFunc,
qemu_aio_release() -> qemu_aio_unref(),
drop dictzip_aio_cancel()]
[AF: common-obj-y -> block-obj-y, drop probe hook (bsc#945778)]
[AF: Drop bdrv_open() drv parameter for 2.5]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: Drop bdrv_open() bs parameter and change return value for v2.7.0-rc2,
for bdrv_pread() and bdrv_aio_readv() do s/s->hd/s->hd->file/]
Signed-off-by: Andreas Färber <afaerber@suse.de>
projects / platform / upstream / qemu.git / log