platform/upstream/qemu.git
2 years agohw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress
Bin Meng [Wed, 3 Mar 2021 12:26:36 +0000 (20:26 +0800)]
hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in progress

Git-commit: 8be45cc947832b3c02144c9d52921f499f2d77fe
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409

Per "SD Host Controller Standard Specification Version 7.00"
chapter 2.2.1 SDMA System Address Register:

This register can be accessed only if no transaction is executing
(i.e., after a transaction has stopped).

With this fix, the following reproducer:

outl 0xcf8 0x80001010
outl 0xcfc 0xfbefff00
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xfbefff2c 0x1 0x05
write 0xfbefff0f 0x1 0x37
write 0xfbefff0a 0x1 0x01
write 0xfbefff0f 0x1 0x29
write 0xfbefff0f 0x1 0x02
write 0xfbefff0f 0x1 0x03
write 0xfbefff04 0x1 0x01
write 0xfbefff05 0x1 0x01
write 0xfbefff07 0x1 0x02
write 0xfbefff0c 0x1 0x33
write 0xfbefff0e 0x1 0x20
write 0xfbefff0f 0x1 0x00
write 0xfbefff2a 0x1 0x01
write 0xfbefff0c 0x1 0x00
write 0xfbefff03 0x1 0x00
write 0xfbefff05 0x1 0x00
write 0xfbefff2a 0x1 0x02
write 0xfbefff0c 0x1 0x32
write 0xfbefff01 0x1 0x01
write 0xfbefff02 0x1 0x01
write 0xfbefff03 0x1 0x01

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
       -nodefaults -device sdhci-pci,sd-spec-version=3 \
       -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
       -device sd-card,drive=mydrive -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agohw/sd: sdhci: Don't transfer any data when command time out
Bin Meng [Wed, 3 Mar 2021 12:26:35 +0000 (20:26 +0800)]
hw/sd: sdhci: Don't transfer any data when command time out

Git-commit: b263d8f928001b5cfa2a993ea43b7a5b3a1811e8
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409

At the end of sdhci_send_command(), it starts a data transfer if the
command register indicates data is associated. But the data transfer
should only be initiated when the command execution has succeeded.

With this fix, the following reproducer:

outl 0xcf8 0x80001810
outl 0xcfc 0xe1068000
outl 0xcf8 0x80001804
outw 0xcfc 0x7
write 0xe106802c 0x1 0x0f
write 0xe1068004 0xc 0x2801d10101fffffbff28a384
write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
write 0xe1068003 0x1 0xfe

cannot be reproduced with the following QEMU command line:

$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
      -device sdhci-pci,sd-spec-version=3 \
      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
      -device sd-card,drive=mydrive \
      -monitor none -serial none -qtest stdio

Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agohw/sd: sd: Actually perform the erase operation
Bin Meng [Sat, 20 Feb 2021 08:58:13 +0000 (16:58 +0800)]
hw/sd: sd: Actually perform the erase operation

Git-commit: 818a5cdcfcf0a55d60b59b2cb74482ef4ba6b205
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409

At present the sd_erase() does not erase the requested range of card
data to 0xFFs. Let's make the erase operation actually happen.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Message-Id: <1613811493-58815-1-git-send-email-bmeng.cn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agohw/sd: sd: Fix build error when DEBUG_SD is on
Bin Meng [Sun, 28 Feb 2021 05:06:09 +0000 (13:06 +0800)]
hw/sd: sd: Fix build error when DEBUG_SD is on

Git-commit: a78d9f27b73de3c42f376540bd1d1d0570eb1fa3
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409

"qemu-common.h" should be included to provide the forward declaration
of qemu_hexdump() when DEBUG_SD is on.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210228050609.24779-1-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agohw/sd: sd: Skip write protect groups check in sd_erase() for high capacity cards
Bin Meng [Tue, 16 Feb 2021 15:02:22 +0000 (23:02 +0800)]
hw/sd: sd: Skip write protect groups check in sd_erase() for high capacity cards

Git-commit: 2473dc4022458dcc05ec367ce97edbef29d7e50c
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409

High capacity cards don't support write protection hence we should
not perform the write protect groups check in sd_erase() for them.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210216150225.27996-6-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agohw/sd: sd: Move the sd_block_{read, write} and macros ahead
Bin Meng [Tue, 16 Feb 2021 15:02:21 +0000 (23:02 +0800)]
hw/sd: sd: Move the sd_block_{read, write} and macros ahead

Git-commit: ce6ea2efc5fb308ebf11339276f60215fe0ec44c
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409

These APIs and macros may be referenced by functions that are
currently before them. Move them ahead a little bit.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210216150225.27996-5-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agolan9118: switch to use qemu_receive_packet() for loopback
Alexander Bulekov [Mon, 1 Mar 2021 19:35:30 +0000 (14:35 -0500)]
lan9118: switch to use qemu_receive_packet() for loopback

Git-commit: 37cee01784ff0df13e5209517e1b3594a5e792d1

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agocadence_gem: switch to use qemu_receive_packet() for loopback
Alexander Bulekov [Mon, 1 Mar 2021 19:33:43 +0000 (14:33 -0500)]
cadence_gem: switch to use qemu_receive_packet() for loopback

Git-commit: e73adfbeec9d4e008630c814759052ed945c3fed

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agopcnet: switch to use qemu_receive_packet() for loopback
Alexander Bulekov [Mon, 1 Mar 2021 15:33:34 +0000 (10:33 -0500)]
pcnet: switch to use qemu_receive_packet() for loopback

Git-commit: 99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agortl8139: switch to use qemu_receive_packet() for loopback
Alexander Bulekov [Fri, 26 Feb 2021 18:47:53 +0000 (13:47 -0500)]
rtl8139: switch to use qemu_receive_packet() for loopback

Git-commit: 5311fb805a4403bba024e83886fa0e7572265de4
References: bsc#1182968, CVE-2021-3416

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agotx_pkt: switch to use qemu_receive_packet_iov() for loopback
Jason Wang [Wed, 24 Feb 2021 05:27:52 +0000 (13:27 +0800)]
tx_pkt: switch to use qemu_receive_packet_iov() for loopback

Git-commit: 8c552542b81e56ff532dd27ec6e5328954bdda73

This patch switches to use qemu_receive_receive_iov() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agosungem: switch to use qemu_receive_packet() for loopback
Jason Wang [Wed, 24 Feb 2021 05:14:35 +0000 (13:14 +0800)]
sungem: switch to use qemu_receive_packet() for loopback

Git-commit: 8c92060d3c0248bd4d515719a35922cd2391b9b4

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agomsf2-mac: switch to use qemu_receive_packet() for loopback
Jason Wang [Wed, 24 Feb 2021 05:00:01 +0000 (13:00 +0800)]
msf2-mac: switch to use qemu_receive_packet() for loopback

Git-commit: 26194a58f4eb83c5bdf4061a1628508084450ba1

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agodp8393x: switch to use qemu_receive_packet() for loopback packet
Jason Wang [Wed, 24 Feb 2021 04:57:40 +0000 (12:57 +0800)]
dp8393x: switch to use qemu_receive_packet() for loopback packet

Git-commit: 331d2ac9ea307c990dc86e6493e8f0c48d14bb33

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoe1000: switch to use qemu_receive_packet() for loopback
Jason Wang [Wed, 24 Feb 2021 04:13:22 +0000 (12:13 +0800)]
e1000: switch to use qemu_receive_packet() for loopback

Git-commit: 1caff0340f49c93d535c6558a5138d20d475315c

This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agonet: introduce qemu_receive_packet()
Jason Wang [Wed, 24 Feb 2021 03:44:36 +0000 (11:44 +0800)]
net: introduce qemu_receive_packet()

Git-commit: 705df5466c98f3efdd2b68d3b31dad86858acad7
References: bsc#1182968, CVE-2021-3416
Some NIC supports loopback mode and this is done by calling
nc->info->receive() directly which in fact suppresses the effort of
reentrancy check that is done in qemu_net_queue_send().

Unfortunately we can't use qemu_net_queue_send() here since for
loopback there's no sender as peer, so this patch introduce a
qemu_receive_packet() which is used for implementing loopback mode
for a NIC with this check.

NIC that supports loopback mode will be converted to this helper.

This is intended to address CVE-2021-3416.

Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoe1000: fail early for evil descriptor
Jason Wang [Wed, 24 Feb 2021 05:45:28 +0000 (13:45 +0800)]
e1000: fail early for evil descriptor

Git-commit: 3de46e6fc489c52c9431a8a832ad8170a7569bd8
References: bsc#1182577, CVE-2021-20257

During procss_tx_desc(), driver can try to chain data descriptor with
legacy descriptor, when will lead underflow for the following
calculation in process_tx_desc() for bytes:

            if (tp->size + bytes > msh)
                bytes = msh - tp->size;

This will lead a infinite loop. So check and fail early if tp->size if
greater or equal to msh.

Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agovhost-user-blk: fix blkcfg->num_queues endianness
Stefan Hajnoczi [Tue, 23 Feb 2021 14:46:42 +0000 (14:46 +0000)]
vhost-user-blk: fix blkcfg->num_queues endianness

Git-commit: 535255b43898d2e96744057eb86f8497d4d7a461

Treat the num_queues field as virtio-endian. On big-endian hosts the
vhost-user-blk num_queues field was in the wrong endianness.

Move the blkcfg.num_queues store operation from realize to
vhost_user_blk_update_config() so feature negotiation has finished and
we know the endianness of the device. VIRTIO 1.0 devices are
little-endian, but in case someone wants to use legacy VIRTIO we support
all endianness cases.

Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20210223144653.811468-2-stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agolsilogic: Use PCIDevice::exit instead of DeviceState::unrealize
Peng Liang [Tue, 2 Mar 2021 13:30:16 +0000 (21:30 +0800)]
lsilogic: Use PCIDevice::exit instead of DeviceState::unrealize

Git-commit: faabca42cc4ff51110116dfe44d420c668b4d8d8

PCI_DEVICE has overwritten DeviceState::unrealize (pci_qdev_unrealize).
However, LSI53C895A, which is a subclass of PCI_DEVICE, overwrites it
again and doesn't save the parent's implementation so the PCI_DEVICE's
implementation of DeviceState::unrealize will never be called when
unrealize a LSI53C895A device.  And it will lead to memory leak and
unplug failure.

For a PCI device, it's better to implement PCIDevice::exit instead of
DeviceState::unrealize.  So let's change to use PCIDevice::exit.

Fixes: a8632434c7e9 ("lsi: implement I/O memory space for Memory Move instructions")
Cc: qemu-stable@nongnu.org
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Message-Id: <20210302133016.1221081-1-liangpeng10@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agos390x/pci: restore missing Query PCI Function CLP data
Matthew Rosato [Thu, 18 Feb 2021 20:53:29 +0000 (15:53 -0500)]
s390x/pci: restore missing Query PCI Function CLP data

Git-commit: 403af209db8c030ed1e000640cd3cd80c6882883
References: bsc#1183372

Some CLP response data was accidentally dropped when fixing endianness
issues with the Query PCI Function CLP response.  All of these values are
sent as 0s to the guest for emulated devices, so the impact is only
observed on passthrough devices.

Fixes: a4e2fff1b104 ("s390x/pci: fix endianness issues")
Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-Id: <1613681609-9349-1-git-send-email-mjrosato@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agohw/s390x: fix build for virtio-9p-ccw
Halil Pasic [Thu, 18 Feb 2021 03:40:59 +0000 (04:40 +0100)]
hw/s390x: fix build for virtio-9p-ccw

Git-commit: 24056cbfd577fd219d55c03f69df66e6351456e7
References: bsc#1182496

Commit  2c44220d05 ("meson: convert hw/arch*"), which migrated the old
Makefile.objs to meson.build  accidentally excluded virtio-ccw-9p.c and
thus the virtio-9p-ccw device from the build (and potentially also
included the file virtio-ccw-blk.c twice in the source set). And since
CONFIG_VIRTFS can't be used the way it was used here (see commit
2c9dce0196 ("meson: do not use CONFIG_VIRTFS")), the preconditions have
to be written differently.

Let's fix this!

Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Fixes: 2c44220d05 ("meson: convert hw/arch*")
Reported-by: Jakob Naucke <jakob.naucke@ibm.com>
Cc: qemu-stable@nongnu.org
[BR: back out the part which depends on the have_virtfs change]
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agovirtiofs: drop remapped security.capability xattr as needed
Dr. David Alan Gilbert [Wed, 24 Feb 2021 19:56:25 +0000 (19:56 +0000)]
virtiofs: drop remapped security.capability xattr as needed

Git-commit: e586edcb410543768ef009eaa22a2d9dd4a53846
References: bsc#1183373, CVE-2021-20263

On Linux, the 'security.capability' xattr holds a set of
capabilities that can change when an executable is run, giving
a limited form of privilege escalation to those programs that
the writer of the file deemed worthy.

Any write causes the 'security.capability' xattr to be dropped,
stopping anyone from gaining privilege by modifying a blessed
file.

Fuse relies on the daemon to do this dropping, and in turn the
daemon relies on the host kernel to drop the xattr for it.  However,
with the addition of -o xattrmap, the xattr that the guest
stores its capabilities in is now not the same as the one that
the host kernel automatically clears.

Where the mapping changes 'security.capability', explicitly clear
the remapped name to preserve the same behaviour.

This bug is assigned CVE-2021-20263.

Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoi386/acpi: restore device paths for pre-5.1 vms
Vitaly Cheptsov [Mon, 1 Mar 2021 19:59:18 +0000 (22:59 +0300)]
i386/acpi: restore device paths for pre-5.1 vms

Git-commit: 0a343a5add75f9f90c65e932863d57ddbcb28f5c

After fixing the _UID value for the primary PCI root bridge in
af1b80ae it was discovered that this change updates Windows
configuration in an incompatible way causing network configuration
failure unless DHCP is used. More details provided on the list:

https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg08484.html

This change reverts the _UID update from 1 to 0 for q35 and i440fx
VMs before version 5.2 to maintain the original behaviour when
upgrading.

Cc: qemu-stable@nongnu.org
Cc: qemu-devel@nongnu.org
Reported-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Suggested-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Vitaly Cheptsov <cheptsov@ispras.ru>
Message-Id: <20210301195919.9333-1-cheptsov@ispras.ru>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Fixes: af1b80ae56c9 ("i386/acpi: fix inconsistent QEMU/OVMF device paths")
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agospice-app: avoid crash when core spice module doesn't loaded
Bruce Rogers [Sat, 13 Feb 2021 03:23:18 +0000 (20:23 -0700)]
spice-app: avoid crash when core spice module doesn't loaded

git-commit: 122e4ef6dea14a078a860ca253852e18ddebb8e2

When qemu is built with modules, but a given module doesn't load
qemu should handle that gracefully. When ui-spice-core.so isn't
able to be loaded and qemu is invoked with -display spice-app or
-spice, qemu will dereference a null pointer. With this change we
check the pointer before dereferencing and error out in a normal
way.

Signed-off-by: Bruce Rogers <brogers@suse.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210213032318.346093-1-brogers@suse.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2 years agoviriofsd: Add support for FUSE_HANDLE_KILLPRIV_V2
Vivek Goyal [Mon, 8 Feb 2021 22:40:24 +0000 (17:40 -0500)]
viriofsd: Add support for FUSE_HANDLE_KILLPRIV_V2

Git-commit: d64907acbf6e436099fd26fbb6312fd56f9fb29d
References: bsc#1183373, CVE-2021-20263

This patch adds basic support for FUSE_HANDLE_KILLPRIV_V2. virtiofsd
can enable/disable this by specifying option "-o killpriv_v2/no_killpriv_v2".
By default this is enabled as long as client supports it

Enabling this option helps with performance in write path. Without this
option, currently every write is first preceeded with a getxattr() operation
to find out if security.capability is set. (Write is supposed to clear
security.capability). With this option enabled, server is signing up for
clearing security.capability on every WRITE and also clearing suid/sgid
subject to certain rules. This gets rid of extra getxattr() call for every
WRITE and improves performance. This is true when virtiofsd is run with
option -o xattr.

What does enabling FUSE_HANDLE_KILLPRIV_V2 mean for file server implementation.
It needs to adhere to following rules. Thanks to Miklos for this summary.

- clear "security.capability" on write, truncate and chown unconditionally
- clear suid/sgid in case of following. Note, sgid is cleared only if
  group executable bit is set.
    o setattr has FATTR_SIZE and FATTR_KILL_SUIDGID set.
    o setattr has FATTR_UID or FATTR_GID
    o open has O_TRUNC and FUSE_OPEN_KILL_SUIDGID
    o create has O_TRUNC and FUSE_OPEN_KILL_SUIDGID flag set.
    o write has FUSE_WRITE_KILL_SUIDGID

>From Linux VFS client perspective, here are the requirements.

- caps are always cleared on chown/write/truncate
- suid is always cleared on chown, while for truncate/write it is cleared
  only if caller does not have CAP_FSETID.
- sgid is always cleared on chown, while for truncate/write it is cleared
  only if caller does not have CAP_FSETID as well as file has group execute
  permission.

virtiofsd implementation has not changed much to adhere to above ruls. And
reason being that current assumption is that we are running on Linux
and on top of filesystems like ext4/xfs which already follow above rules.
On write, truncate, chown, seucurity.capability is cleared. And virtiofsd
drops CAP_FSETID if need be and that will lead to clearing of suid/sgid.

But if virtiofsd is running on top a filesystem which breaks above assumptions,
then it will have to take extra actions to emulate above. That's a TODO
for later when need arises.

Note: create normally is supposed to be called only when file does not
      exist. So generally there should not be any question of clearing
      setuid/setgid. But it is possible that after client checks that
      file is not present, some other client creates file on server
      and this race can trigger sending FUSE_CREATE. In that case, if
      O_TRUNC is set, we should clear suid/sgid if FUSE_OPEN_KILL_SUIDGID
      is also set.

v3:
  - Resolved conflicts due to lo_inode_open() changes.
  - Moved capability code in lo_do_open() so that both lo_open() and
    lo_create() can benefit from common code.
  - Dropped changes to kernel headers as these are part of qemu already.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20210208224024.43555-3-vgoyal@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agovirtiofsd: Save error code early at the failure callsite
Vivek Goyal [Mon, 8 Feb 2021 22:40:23 +0000 (17:40 -0500)]
virtiofsd: Save error code early at the failure callsite

Git-commit: 1e08f164e9fdc9528ad6990012301b9a04b0bc90
References: bsc#1183373, CVE-2021-20263

Change error code handling slightly in lo_setattr(). Right now we seem
to jump to out_err and assume that "errno" is valid and use that to
send reply.

But if caller has to do some other operations before jumping to out_err,
then it does the dance of first saving errno to saverr and the restore
errno before jumping to out_err. This makes it more confusing.

I am about to make more changes where caller will have to do some
work after error before jumping to out_err. I found it easier to
change the convention a bit. That is caller saves error in "saverr"
before jumping to out_err. And out_err uses "saverr" to send error
back and does not rely on "errno" having actual error.

v3: Resolved conflicts in lo_setattr() due to lo_inode_open() changes.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20210208224024.43555-2-vgoyal@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agotools/virtiofsd: Replace the word 'whitelist'
Philippe Mathieu-Daudé [Fri, 5 Feb 2021 17:18:11 +0000 (18:18 +0100)]
tools/virtiofsd: Replace the word 'whitelist'

Git-commit: a65963efa3a8533e8c9fc62e899147612d913058
References: bsc#1183373, CVE-2021-20263

Follow the inclusive terminology from the "Conscious Language in your
Open Source Projects" guidelines [*] and replace the words "whitelist"
appropriately.

[*] https://github.com/conscious-lang/conscious-lang-docs/blob/main/faq.md

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210205171817.2108907-3-philmd@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agomonitor: Fix assertion failure on shutdown
Kevin Wolf [Fri, 12 Feb 2021 17:20:27 +0000 (18:20 +0100)]
monitor: Fix assertion failure on shutdown

Git-commit: c81219a7dd36a815bd85beed9932fc973d4f5d51

Commit 357bda95 already tried to fix the order in monitor_cleanup() by
moving shutdown of the dispatcher coroutine further to the start.
However, it didn't go far enough:

iothread_stop() makes sure that all pending work (bottom halves) in the
AioContext of the monitor iothread is completed. iothread_destroy()
depends on this and fails an assertion if there is still a pending BH.

While the dispatcher coroutine is running, it will try to resume the
monitor after taking a request out of the queue, which involves a BH.
The dispatcher is run until it terminates in the AIO_WAIT_WHILE() loop.
However, adding new BHs between iothread_stop() and iothread_destroy()
is forbidden.

Fix this by stopping the dispatcher first before shutting down the other
parts of the monitor. This means we can now receive requests that aren't
handled any more when QEMU is shutting down, but this is unlikely to be
a problem for QMP clients.

Fixes: 357bda9590784ff75803d52de43150d4107ed98e
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20210212172028.288825-2-kwolf@redhat.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoblockjob: Fix crash with IOthread when block commit after snapshot
Michael Qiu [Wed, 3 Feb 2021 02:40:59 +0000 (10:40 +0800)]
blockjob: Fix crash with IOthread when block commit after snapshot

Git-commit: 076d467aacdf6dc5d01e2e61740b1795f2aec2f6

Currently, if guest has workloads, IO thread will acquire aio_context
lock before do io_submit, it leads to segmentfault when do block commit
after snapshot. Just like below:

Program received signal SIGSEGV, Segmentation fault.

[Switching to Thread 0x7f7c7d91f700 (LWP 99907)]
0x00005576d0f65aab in bdrv_mirror_top_pwritev at ../block/mirror.c:1437
1437    ../block/mirror.c: No such file or directory.
(gdb) p s->job
$17 = (MirrorBlockJob *) 0x0
(gdb) p s->stop
$18 = false

Call trace of IO thread:
0  0x00005576d0f65aab in bdrv_mirror_top_pwritev at ../block/mirror.c:1437
1  0x00005576d0f7f3ab in bdrv_driver_pwritev at ../block/io.c:1174
2  0x00005576d0f8139d in bdrv_aligned_pwritev at ../block/io.c:1988
3  0x00005576d0f81b65 in bdrv_co_pwritev_part at ../block/io.c:2156
4  0x00005576d0f8e6b7 in blk_do_pwritev_part at ../block/block-backend.c:1260
5  0x00005576d0f8e84d in blk_aio_write_entry at ../block/block-backend.c:1476
...

Switch to qemu main thread:
0  0x00007f903be704ed in __lll_lock_wait at
/lib/../lib64/libpthread.so.0
1  0x00007f903be6bde6 in _L_lock_941 at /lib/../lib64/libpthread.so.0
2  0x00007f903be6bcdf in pthread_mutex_lock at
/lib/../lib64/libpthread.so.0
3  0x0000564b21456889 in qemu_mutex_lock_impl at
../util/qemu-thread-posix.c:79
4  0x0000564b213af8a5 in block_job_add_bdrv at ../blockjob.c:224
5  0x0000564b213b00ad in block_job_create at ../blockjob.c:440
6  0x0000564b21357c0a in mirror_start_job at ../block/mirror.c:1622
7  0x0000564b2135a9af in commit_active_start at ../block/mirror.c:1867
8  0x0000564b2133d132 in qmp_block_commit at ../blockdev.c:2768
9  0x0000564b2141fef3 in qmp_marshal_block_commit at
qapi/qapi-commands-block-core.c:346
10 0x0000564b214503c9 in do_qmp_dispatch_bh at
../qapi/qmp-dispatch.c:110
11 0x0000564b21451996 in aio_bh_poll at ../util/async.c:164
12 0x0000564b2146018e in aio_dispatch at ../util/aio-posix.c:381
13 0x0000564b2145187e in aio_ctx_dispatch at ../util/async.c:306
14 0x00007f9040239049 in g_main_context_dispatch at
/lib/../lib64/libglib-2.0.so.0
15 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:232
16 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:255
17 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:531
18 0x0000564b212304e1 in qemu_main_loop at ../softmmu/runstate.c:721
19 0x0000564b20f7975e in main at ../softmmu/main.c:50

In IO thread when do bdrv_mirror_top_pwritev, the job is NULL, and stop field
is false, this means the MirrorBDSOpaque "s" object has not been initialized
yet, and this object is initialized by block_job_create(), but the initialize
process is stuck in acquiring the lock.

In this situation, IO thread come to bdrv_mirror_top_pwritev(),which means that
mirror-top node is already inserted into block graph, but its bs->opaque->job
is not initialized.

The root cause is that qemu main thread do release/acquire when hold the lock,
at the same time, IO thread get the lock after release stage, and the crash
occured.

Actually, in this situation, job->job.aio_context will not equal to
qemu_get_aio_context(), and will be the same as bs->aio_context,
thus, no need to release the lock, becasue bdrv_root_attach_child()
will not change the context.

This patch fix this issue.

Fixes: 132ada80 "block: Adjust AioContexts when attaching nodes"

Signed-off-by: Michael Qiu <qiudayu@huayun.com>
Message-Id: <20210203024059.52683-1-08005325@163.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoqemu-storage-daemon: Enable object-add
Kevin Wolf [Thu, 4 Feb 2021 07:21:37 +0000 (08:21 +0100)]
qemu-storage-daemon: Enable object-add

Git-commit: 15d40e9204eb3d89577187f117a1dde2237bdc4d

As we don't have a fully QAPIfied version of object-add yet and it still
has 'gen': false in the schema, it needs to be registered explicitly in
init_qmp_commands() to be available for users.

Fixes: 2af282ec51a27116d0402cab237b8970800f870c
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20210204072137.19663-1-kwolf@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoqemu-nbd: Use SOMAXCONN for socket listen() backlog
Eric Blake [Tue, 9 Feb 2021 15:27:58 +0000 (09:27 -0600)]
qemu-nbd: Use SOMAXCONN for socket listen() backlog

Git-commit: 582d4210eb2f2ab5baac328fe4b479cd86da1647

Our default of a backlog of 1 connection is rather puny; it gets in
the way when we are explicitly allowing multiple clients (such as
qemu-nbd -e N [--shared], or nbd-server-start with its default
"max-connections":0 for unlimited), but is even a problem when we
stick to qemu-nbd's default of only 1 active client but use -t
[--persistent] where a second client can start using the server once
the first finishes.  While the effects are less noticeable on TCP
sockets (since the client can poll() to learn when the server is ready
again), it is definitely observable on Unix sockets, where on Linux, a
client will fail with EAGAIN and no recourse but to sleep an arbitrary
amount of time before retrying if the server backlog is already full.

Since QMP nbd-server-start is always persistent, it now always
requests a backlog of SOMAXCONN; meanwhile, qemu-nbd will request
SOMAXCONN if persistent, otherwise its backlog should be based on the
expected number of clients.

See https://bugzilla.redhat.com/1925045 for a demonstration of where
our low backlog prevents libnbd from connecting as many parallel
clients as it wants.

Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
CC: qemu-stable@nongnu.org
Message-Id: <20210209152759.209074-2-eblake@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agovirtio: move 'use-disabled-flag' property to hw_compat_4_2
Stefano Garzarella [Fri, 8 Jan 2021 17:12:52 +0000 (18:12 +0100)]
virtio: move 'use-disabled-flag' property to hw_compat_4_2

Git-commit: c126b4c57e0164549de606ca35d1512762051083

Commit 9d7bd0826f introduced a new 'use-disabled-flag' property
set to true by default.
To allow the migration, we set this property to false in the hw_compat,
but in the wrong place (hw_compat_4_1).

Since commit 9d7bd0826f was released with QEMU 5.0, we move
'use-disabled-flag' property to hw_compat_4_2, so 4.2 machine types
will have the pre-patch behavior and the migration can work.

The issue was discovered with vhost-vsock device and 4.2 machine
type without running any kernel in the VM:
    $ qemu-4.2 -M pc-q35-4.2,accel=kvm \
        -device vhost-vsock-pci,guest-cid=4 \
        -monitor stdio -incoming tcp:0:3333

    $ qemu-5.2 -M pc-q35-4.2,accel=kvm \
        -device vhost-vsock-pci,guest-cid=3 \
        -monitor stdio
    (qemu) migrate -d tcp:0:3333

    # qemu-4.2 output
    qemu-system-x86_64: Failed to load virtio-vhost_vsock:virtio
    qemu-system-x86_64: error while loading state for instance 0x0 of device '0000:00:03.0/virtio-vhost_vsock'
    qemu-system-x86_64: load of migration failed: No such file or directory

Reported-by: Jing Zhao <jinzhao@redhat.com>
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1907255
Fixes: 9d7bd0826f ("virtio-pci: disable vring processing when bus-mastering is disabled")
Cc: mdroth@linux.vnet.ibm.com
CC: qemu-stable@nongnu.org
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20210108171252.209502-1-sgarzare@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agovirtiofsd: prevent opening of special files (CVE-2020-35517)
Stefan Hajnoczi [Thu, 4 Feb 2021 15:02:08 +0000 (15:02 +0000)]
virtiofsd: prevent opening of special files (CVE-2020-35517)

Git-commit: a3fdbbc7f271bff7d53d0501b29d910ece0b3789
References: bsc#1183373, CVE-2021-20263

A well-behaved FUSE client does not attempt to open special files with
FUSE_OPEN because they are handled on the client side (e.g. device nodes
are handled by client-side device drivers).

The check to prevent virtiofsd from opening special files is missing in
a few cases, most notably FUSE_OPEN. A malicious client can cause
virtiofsd to open a device node, potentially allowing the guest to
escape. This can be exploited by a modified guest device driver. It is
not exploitable from guest userspace since the guest kernel will handle
special files inside the guest instead of sending FUSE requests.

This patch fixes this issue by introducing the lo_inode_open() function
to check the file type before opening it. This is a short-term solution
because it does not prevent a compromised virtiofsd process from opening
device nodes on the host.

Restructure lo_create() to try O_CREAT | O_EXCL first. Note that O_CREAT
| O_EXCL does not follow symlinks, so O_NOFOLLOW masking is not
necessary here. If the file exists and the user did not specify O_EXCL,
open it via lo_do_open().

Reported-by: Alex Xu <alex@alxu.ca>
Fixes: CVE-2020-35517
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20210204150208.367837-4-stefanha@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agovirtiofsd: optionally return inode pointer from lo_do_lookup()
Stefan Hajnoczi [Thu, 4 Feb 2021 15:02:07 +0000 (15:02 +0000)]
virtiofsd: optionally return inode pointer from lo_do_lookup()

Git-commit: 22d2ece71e533310da31f2857ebc4a00d91968b3
References: bsc#1183373, CVE-2021-20263

lo_do_lookup() finds an existing inode or allocates a new one. It
increments nlookup so that the inode stays alive until the client
releases it.

Existing callers don't need the struct lo_inode so the function doesn't
return it. Extend the function to optionally return the inode. The next
commit will need it.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Message-Id: <20210204150208.367837-3-stefanha@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agovirtiofsd: extract lo_do_open() from lo_open()
Stefan Hajnoczi [Thu, 4 Feb 2021 15:02:06 +0000 (15:02 +0000)]
virtiofsd: extract lo_do_open() from lo_open()

Git-commit: 8afaaee976965b7fb90ec225a51d60f35c5f173c
References: bsc#1183373, CVE-2021-20263

Both lo_open() and lo_create() have similar code to open a file. Extract
a common lo_do_open() function from lo_open() that will be used by
lo_create() in a later commit.

Since lo_do_open() does not otherwise need fuse_req_t req, convert
lo_add_fd_mapping() to use struct lo_data *lo instead.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20210204150208.367837-2-stefanha@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agohw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
Philippe Mathieu-Daudé [Sun, 31 Jan 2021 10:34:01 +0000 (11:34 +0100)]
hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register

Git-commit: edfe2eb4360cde4ed5d95bda7777edcb3510f76a
References: bsc#1181933

Per the ARM Generic Interrupt Controller Architecture specification
(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
not 10:

  - 4.3 Distributor register descriptions
  - 4.3.15 Software Generated Interrupt Register, GICD_SG

    - Table 4-21 GICD_SGIR bit assignments

    The Interrupt ID of the SGI to forward to the specified CPU
    interfaces. The value of this field is the Interrupt ID, in
    the range 0-15, for example a value of 0b0011 specifies
    Interrupt ID 3.

Correct the irq mask to fix an undefined behavior (which eventually
lead to a heap-buffer-overflow, see [Buglink]):

   $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
   [I 1612088147.116987] OPENED
  [R +0.278293] writel 0x8000f00 0xff4affb0
  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13

This fixes a security issue when running with KVM on Arm with
kernel-irqchip=off. (The default is kernel-irqchip=on, which is
unaffected, and which is also the correct choice for performance.)

Cc: qemu-stable@nongnu.org
Fixes: CVE-2021-20221
Fixes: 9ee6e8bb853 ("ARMv7 support.")
Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210131103401.217160-1-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoblock: Separate blk_is_writable() and blk_supports_write_perm()
Kevin Wolf [Mon, 18 Jan 2021 12:34:47 +0000 (13:34 +0100)]
block: Separate blk_is_writable() and blk_supports_write_perm()

Git-commit: 86b1cf322789b79c8ace977430ac6a443d491cc0

Currently, blk_is_read_only() tells whether a given BlockBackend can
only be used in read-only mode because its root node is read-only. Some
callers actually try to answer a slightly different question: Is the
BlockBackend configured to be writable, by taking write permissions on
the root node?

This can differ, for example, for CD-ROM devices which don't take write
permissions, but may be backed by a writable image file. scsi-cd allows
write requests to the drive if blk_is_read_only() returns false.
However, the write request will immediately run into an assertion
failure because the write permission is missing.

This patch introduces separate functions for both questions.
blk_supports_write_perm() answers the question whether the block
node/image file can support writable devices, whereas blk_is_writable()
tells whether the BlockBackend is currently configured to be writable.

All calls of blk_is_read_only() are converted to one of the two new
functions.

Fixes: https://bugs.launchpad.net/bugs/1906693
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20210118123448.307825-2-kwolf@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agonet: Fix handling of id in netdev_add and netdev_del
Markus Armbruster [Wed, 25 Nov 2020 10:02:20 +0000 (11:02 +0100)]
net: Fix handling of id in netdev_add and netdev_del

Git-commit: 831734cce6494032e9233caff4d8442b3a1e7fef

CLI -netdev accumulates in option group "netdev".

Before commit 08712fcb85 "net: Track netdevs in NetClientState rather
than QemuOpt", netdev_add added to the option group, and netdev_del
removed from it, both HMP and QMP.  Thus, every netdev had a
corresponding QemuOpts in this option group.

Commit 08712fcb85 dropped this for QMP netdev_add and both netdev_del.
Now a netdev has a corresponding QemuOpts only when it was created
with CLI or HMP.  Two issues:

* QMP and HMP netdev_del can leave QemuOpts behind, breaking HMP
  netdev_add.  Reproducer:

    $ qemu-system-x86_64 -S -display none -nodefaults -monitor stdio
    QEMU 5.1.92 monitor - type 'help' for more information
    (qemu) netdev_add user,id=net0
    (qemu) info network
    net0: index=0,type=user,net=10.0.2.0,restrict=off
    (qemu) netdev_del net0
    (qemu) info network
    (qemu) netdev_add user,id=net0
    upstream-qemu: Duplicate ID 'net0' for netdev
    Try "help netdev_add" for more information

  Fix by restoring the QemuOpts deletion in qmp_netdev_del(), but with
  a guard, because the QemuOpts need not exist.

* QMP netdev_add loses its "no duplicate ID" check.  Reproducer:

    $ qemu-system-x86_64 -S -display none -qmp stdio
    {"QMP": {"version": {"qemu": {"micro": 92, "minor": 1, "major": 5}, "package": "v5.2.0-rc2-1-g02c1f0142c"}, "capabilities": ["oob"]}}
    {"execute": "qmp_capabilities"}
    {"return": {}}
    {"execute": "netdev_add", "arguments": {"type": "user", "id":"net0"}}
    {"return": {}}
    {"execute": "netdev_add", "arguments": {"type": "user", "id":"net0"}}
    {"return": {}}

  Fix by adding a duplicate ID check to net_client_init1() to replace
  the lost one.  The check is redundant for callers where QemuOpts
  still checks, i.e. for CLI and HMP.

Reported-by: Andrew Melnichenko <andrew@daynix.com>
Fixes: 08712fcb851034228b61f75bd922863a984a4f60
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agovfio-ccw: Connect the device request notifier
Eric Farman [Mon, 4 Jan 2021 20:20:57 +0000 (21:20 +0100)]
vfio-ccw: Connect the device request notifier

Git-commit: b2f96f9e4f5fbc8f2770a436191cb328da4d5350
References: 1183634

Now that the vfio-ccw code has a notifier interface to request that
a device be unplugged, let's wire that together.

Signed-off-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Message-Id: <20210104202057.48048-4-farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoUpdate linux headers to 5.11-rc2
Eric Farman [Mon, 4 Jan 2021 20:20:56 +0000 (21:20 +0100)]
Update linux headers to 5.11-rc2

Git-commit: b3c818a47f419b6e2f5508fe29e7a30843236fee
References: bsc#1183634

Signed-off-by: Eric Farman <farman@linux.ibm.com>
Message-Id: <20210104202057.48048-3-farman@linux.ibm.com>
[CH: dropped qatomic->atomic changes in pvrdma_ring.h]
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoupdate-linux-headers: Include const.h
Eric Farman [Mon, 4 Jan 2021 20:20:55 +0000 (21:20 +0100)]
update-linux-headers: Include const.h

Git-commit: ab5ec23f9cc25215c1281d575c07c0f35e8e9e26
References: bsc#1183634

Kernel commit a85cbe6159ff ("uapi: move constants from
<linux/kernel.h> to <linux/const.h>") breaks our script
because of the unrecognized include. Let's add that to
our processing.

Signed-off-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210104202057.48048-2-farman@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agotarget/arm: Update REV, PUNPK for pred_desc
Richard Henderson [Wed, 13 Jan 2021 06:26:50 +0000 (20:26 -1000)]
target/arm: Update REV, PUNPK for pred_desc

Git-commit: 70acaafef2e053a312d54c09b6721c730690e72c

Update all users of do_perm_pred2 for the new
predicate descriptor field definitions.

Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/bugs/1908551
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210113062650.593824-5-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agotarget/arm: Update ZIP, UZP, TRN for pred_desc
Richard Henderson [Wed, 13 Jan 2021 06:26:49 +0000 (20:26 -1000)]
target/arm: Update ZIP, UZP, TRN for pred_desc

Git-commit: f9b0fcceccfc05cde62ff7577fbf2bc13b842414

Update all users of do_perm_pred3 for the new
predicate descriptor field definitions.

Cc: qemu-stable@nongnu.org
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210113062650.593824-4-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agotarget/arm: Update PFIRST, PNEXT for pred_desc
Richard Henderson [Wed, 13 Jan 2021 06:26:48 +0000 (20:26 -1000)]
target/arm: Update PFIRST, PNEXT for pred_desc

Git-commit: 86300b5d044064046395ae8ed605cc19e63f2a7c

These two were odd, in that do_pfirst_pnext passed the
count of 64-bit words rather than bytes.  Change to pass
the standard pred_full_reg_size to avoid confusion.

Cc: qemu-stable@nongnu.org
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210113062650.593824-3-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agotarget/arm: Introduce PREDDESC field definitions
Richard Henderson [Wed, 13 Jan 2021 06:26:47 +0000 (20:26 -1000)]
target/arm: Introduce PREDDESC field definitions

Git-commit: b64ee454a4a086ed459bcda4c0bbb54e197841e4

SVE predicate operations cannot use the "usual" simd_desc
encoding, because the lengths are not a multiple of 8.
But we were abusing the SIMD_* fields to store values anyway.
This abuse broke when SIMD_OPRSZ_BITS was modified in e2e7168a214.

Introduce a new set of field definitions for exclusive use
of predicates, so that it is obvious what kind of predicate
we are manipulating.  To be used in future patches.

Cc: qemu-stable@nongnu.org
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210113062650.593824-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years ago9pfs: Fully restart unreclaim loop (CVE-2021-20181)
Greg Kurz [Thu, 14 Jan 2021 16:04:12 +0000 (17:04 +0100)]
9pfs: Fully restart unreclaim loop (CVE-2021-20181)

Git-commit: 89fbea8737e8f7b954745a1ffc4238d377055305
References: bsc#1182137

Depending on the client activity, the server can be asked to open a huge
number of file descriptors and eventually hit RLIMIT_NOFILE. This is
currently mitigated using a reclaim logic : the server closes the file
descriptors of idle fids, based on the assumption that it will be able
to re-open them later. This assumption doesn't hold of course if the
client requests the file to be unlinked. In this case, we loop on the
entire fid list and mark all related fids as unreclaimable (the reclaim
logic will just ignore them) and, of course, we open or re-open their
file descriptors if needed since we're about to unlink the file.

This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
opening of a file can cause the coroutine to yield, another client
request could possibly add a new fid that we may want to mark as
non-reclaimable as well. The loop is thus restarted if the re-open
request was actually transmitted to the backend. This is achieved
by keeping a reference on the first fid (head) before traversing
the list.

This is wrong in several ways:
- a potential clunk request from the client could tear the first
  fid down and cause the reference to be stale. This leads to a
  use-after-free error that can be detected with ASAN, using a
  custom 9p client
- fids are added at the head of the list : restarting from the
  previous head will always miss fids added by a some other
  potential request

All these problems could be avoided if fids were being added at the
end of the list. This can be achieved with a QSIMPLEQ, but this is
probably too much change for a bug fix. For now let's keep it
simple and just restart the loop from the current head.

Fixes: CVE-2021-20181
Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agohw/net/lan9118: Fix RX Status FIFO PEEK value
Peter Maydell [Fri, 8 Jan 2021 18:04:00 +0000 (18:04 +0000)]
hw/net/lan9118: Fix RX Status FIFO PEEK value

Git-commit: e7e29fdbbe07fb762d85af9c4d8eeff9b0f52a8e

A copy-and-paste error meant that the return value for register offset 0x44
(the RX Status FIFO PEEK register) returned a byte from a bogus offset in
the rx status FIFO. Fix the typo.

Cc: qemu-stable@nongnu.org
Fixes: https://bugs.launchpad.net/qemu/+bug/1904954
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210108180401.2263-2-peter.maydell@linaro.org
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agotarget/arm: Don't decode insns in the XScale/iWMMXt space as cp insns
Peter Maydell [Fri, 8 Jan 2021 19:51:57 +0000 (19:51 +0000)]
target/arm: Don't decode insns in the XScale/iWMMXt space as cp insns

Git-commit: e4d51ac6921dc861bfb3d20e4c7dcf345840a9da

In commit cd8be50e58f63413c0 we converted the A32 coprocessor
insns to decodetree. This accidentally broke XScale/iWMMXt insns,
because it moved the handling of "cp insns which are handled
by looking up the cp register in the hashtable" from after the
call to the legacy disas_xscale_insn() decode to before it,
with the result that all XScale/iWMMXt insns now UNDEF.

Update valid_cp() so that it knows that on XScale cp 0 and 1
are not standard coprocessor instructions; this will cause
the decodetree trans_ functions to ignore them, so that
execution will correctly get through to the legacy decode again.

Cc: qemu-stable@nongnu.org
Reported-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Message-id: 20210108195157.32067-1-peter.maydell@linaro.org
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agotarget/arm: Fix MTE0_ACTIVE
Richard Henderson [Mon, 21 Dec 2020 20:44:26 +0000 (12:44 -0800)]
target/arm: Fix MTE0_ACTIVE

Git-commit: cc97b0019bb590b9b3c2a623e9ebee48831e0ce3

In 50244cc76abc we updated mte_check_fail to match the ARM
pseudocode, using the correct EL to select the TCF field.
But we failed to update MTE0_ACTIVE the same way, which led
to g_assert_not_reached().

Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/bugs/1907137
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201221204426.88514-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agohw/timer/slavio_timer: Allow 64-bit accesses
Philippe Mathieu-Daudé [Sat, 5 Dec 2020 15:09:03 +0000 (16:09 +0100)]
hw/timer/slavio_timer: Allow 64-bit accesses

Git-commit: 62a9b228b5fefe0f9e364dfeaf3c65022c63cdb9

Per the "NCR89C105 Chip Specification" referenced in the header:

                  Chip-level Address Map

  ------------------------------------------------------------------
  | 1D0 0000 ->   | Counter/Timers                        | W,D    |
  |   1DF FFFF    |                                       |        |
  ...

  The address map indicated the allowed accesses at each address.
  [...] W indicates a word access, and D indicates a double-word
  access.

The SLAVIO timer controller is implemented expecting 32-bit accesses.
Commit a3d12d073e1 restricted the memory accesses to 32-bit, while
the device allows 64-bit accesses.

This was not an issue until commit 5d971f9e67 which reverted
("memory: accept mismatching sizes in memory_region_access_valid").

Fix by renaming .valid MemoryRegionOps as .impl, and add the valid
access range (W -> 4, D -> 8).

Since commit 21786c7e598 ("memory: Log invalid memory accesses")
this class of bug can be quickly debugged displaying 'guest_errors'
accesses, as:

  $ qemu-system-sparc -M SS-20 -m 256 -bios ss20_v2.25_rom -serial stdio -d guest_errors

  Power-ON Reset
  Invalid access at addr 0x0, size 8, region 'timer-1', reason: invalid size (min:4 max:4)

  $ qemu-system-sparc -M SS-20 -m 256 -bios ss20_v2.25_rom -monitor stdio -S
  (qemu) info mtree
  address-space: memory
    0000000000000000-ffffffffffffffff (prio 0, i/o): system
      ...
      0000000ff1300000-0000000ff130000f (prio 0, i/o): timer-1
             ^^^^^^^^^                                 ^^^^^^^
                   \ memory region base address and name /

  (qemu) info qtree
  bus: main-system-bus
    dev: slavio_timer, id ""              <-- device type name
      gpio-out "sysbus-irq" 17
      num_cpus = 1 (0x1)
      mmio 0000000ff1310000/0000000000000014
      mmio 0000000ff1300000/0000000000000010 <--- base address
      mmio 0000000ff1301000/0000000000000010
      mmio 0000000ff1302000/0000000000000010
      ...

Reported-by: Yap KV <yapkv@yahoo.com>
Buglink: https://bugs.launchpad.net/bugs/1906905
Fixes: a3d12d073e1 ("slavio_timer: convert to memory API")
CC: qemu-stable@nongnu.org
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20201205150903.3062711-1-f4bug@amsat.org>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agotcg: Use memset for large vector byte replication
Richard Henderson [Tue, 15 Dec 2020 17:47:59 +0000 (11:47 -0600)]
tcg: Use memset for large vector byte replication

Git-commit: 6d3ef04893bdea3e7aa08be3cce5141902836a31

In f47db80cc07, we handled odd-sized tail clearing for
the case of hosts that have vector operations, but did
not handle the case of hosts that do not have vector ops.

This was ok until e2e7168a214b, which changed the encoding
of simd_desc such that the odd sizes are impossible.

Add memset as a tcg helper, and use that for all out-of-line
byte stores to vectors.  This includes, but is not limited to,
the tail clearing operation in question.

Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/bugs/1907817
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoiotests: Fix _send_qemu_cmd with bash 5.1
Max Reitz [Thu, 17 Dec 2020 15:38:03 +0000 (16:38 +0100)]
iotests: Fix _send_qemu_cmd with bash 5.1

Git-commit: 0e72078128229bf9efb542e396ab44bf91b91340
References: boo#1181054

With bash 5.1, the output of the following script changes:

  a=("double  space")
  a=${a[@]:0:1}
  echo "$a"

from "double space" to "double  space", i.e. all white space is
preserved as-is.  This is probably what we actually want here (judging
from the "...to accommodate pathnames with spaces" comment), but before
5.1, we would have to quote the ${} slice to get the same behavior.

In any case, without quoting, the reference output of many iotests is
different between bash 5.1 and pre-5.1, which is not very good.  The
output of 5.1 is what we want, so whatever we do to get pre-5.1 to the
same result, it means we have to fix the reference output of basically
all tests that invoke _send_qemu_cmd (except the ones that only use
single spaces in the commands they invoke).

Instead of quoting the ${} slice (cmd="${$@: 1:...}"), we can also just
not use array slicing and replace the whole thing with a simple "cmd=$1;
shift", which works because all callers quote the whole $cmd argument
anyway.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20201217153803.101231-3-mreitz@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoblock/nfs: fix int overflow in nfs_client_open_qdict
Peter Lieven [Wed, 9 Dec 2020 12:17:35 +0000 (13:17 +0100)]
block/nfs: fix int overflow in nfs_client_open_qdict

Git-commit: 182454dc63c66ff5a29eddd60cc987b6a1b45e7f

nfs_client_open returns the file size in sectors. This effectively
makes it impossible to open files larger than 1TB.

Fixes: c22a03454544c2a08f1107c5cc8481a5574533d5
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <20201209121735.16437-1-pl@kamp.de>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agobuild: -no-pie is no functional linker flag
Christian Ehrhardt [Mon, 14 Dec 2020 15:09:38 +0000 (16:09 +0100)]
build: -no-pie is no functional linker flag

Git-commit: bbd2d5a8120771ec59b86a80a1f51884e0a26e53

Recent binutils changes dropping unsupported options [1] caused a build
issue in regard to the optionroms.

  ld -m elf_i386 -T /<<PKGBUILDDIR>>/pc-bios/optionrom//flat.lds -no-pie \
    -s -o multiboot.img multiboot.o
  ld.bfd: Error: unable to disambiguate: -no-pie (did you mean --no-pie ?)

This isn't really a regression in ld.bfd, filing the bug upstream
revealed that this never worked as a ld flag [2] - in fact it seems we
were by accident setting --nmagic).

Since it never had the wanted effect this usage of LDFLAGS_NOPIE, should be
droppable without any effect. This also is the only use-case of LDFLAGS_NOPIE
in .mak, therefore we can also remove it from being added there.

[1]: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=983d925d
[2]: https://sourceware.org/bugzilla/show_bug.cgi?id=27050#c5

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Message-Id: <20201214150938.1297512-1-christian.ehrhardt@canonical.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agomemory: clamp cached translation in case it points to an MMIO region
Paolo Bonzini [Tue, 1 Dec 2020 14:29:56 +0000 (09:29 -0500)]
memory: clamp cached translation in case it points to an MMIO region

Git-commit: 4bfb024bc76973d40a359476dc0291f46e435442
References: bsc#1179686, CVE-2020-27821

In using the address_space_translate_internal API, address_space_cache_init
forgot one piece of advice that can be found in the code for
address_space_translate_internal:

    /* MMIO registers can be expected to perform full-width accesses based only
     * on their address, without considering adjacent registers that could
     * decode to completely different MemoryRegions.  When such registers
     * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
     * regions overlap wildly.  For this reason we cannot clamp the accesses
     * here.
     *
     * If the length is small (as is the case for address_space_ldl/stl),
     * everything works fine.  If the incoming length is large, however,
     * the caller really has to do the clamping through memory_access_size.
     */

address_space_cache_init is exactly one such case where "the incoming length
is large", therefore we need to clamp the resulting length---not to
memory_access_size though, since we are not doing an access yet, but to
the size of the resulting section.  This ensures that subsequent accesses
to the cached MemoryRegionSection will be in range.

With this patch, the enclosed testcase notices that the used ring does
not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
error.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoaudio: add sanity check
Gerd Hoffmann [Tue, 15 Dec 2020 08:11:51 +0000 (09:11 +0100)]
audio: add sanity check

Git-commit: 06c8c375389a54d8e4457d967f4f0896caecefb2
References: boo#1180210

Check whenever we actually found the spiceaudio driver
before flipping the can_be_default field.

Fixes: f0c4555edfdd ("audio: remove qemu_spice_audio_init()")
Buglink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977301
Reported-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20201215081151.20095-1-kraxel@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoblock: Fix deadlock in bdrv_co_yield_to_drain()
Kevin Wolf [Thu, 3 Dec 2020 17:23:11 +0000 (18:23 +0100)]
block: Fix deadlock in bdrv_co_yield_to_drain()

Git-commit: 960d5fb3e8ee09bc5f1a5c84f66dce42a6cef920

If bdrv_co_yield_to_drain() is called for draining a block node that
runs in a different AioContext, it keeps that AioContext locked while it
yields and schedules a BH in the AioContext to do the actual drain.

As long as executing the BH is the very next thing that the event loop
of the node's AioContext does, this actually happens to work, but when
it tries to execute something else that wants to take the AioContext
lock, it will deadlock. (In the bug report, this other thing is a
virtio-scsi device running virtio_scsi_data_plane_handle_cmd().)

Instead, always drop the AioContext lock across the yield and reacquire
it only when the coroutine is reentered. The BH needs to unconditionally
take the lock for itself now.

This fixes the 'block_resize' QMP command on a block node that runs in
an iothread.

Cc: qemu-stable@nongnu.org
Fixes: eb94b81a94bce112e6b206df846c1551aaf6cab6
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1903511
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20201203172311.68232-4-kwolf@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoblock: Fix locking in qmp_block_resize()
Kevin Wolf [Thu, 3 Dec 2020 17:23:10 +0000 (18:23 +0100)]
block: Fix locking in qmp_block_resize()

Git-commit: 8089eab2bd5fb160b038e64e14cf7ffb3f37091e

The drain functions assume that we hold the AioContext lock of the
drained block node. Make sure to actually take the lock.

Cc: qemu-stable@nongnu.org
Fixes: eb94b81a94bce112e6b206df846c1551aaf6cab6
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20201203172311.68232-3-kwolf@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoblock: Simplify qmp_block_resize() error paths
Kevin Wolf [Thu, 3 Dec 2020 17:23:09 +0000 (18:23 +0100)]
block: Simplify qmp_block_resize() error paths

Git-commit: d9dbf25f9624aac43e4357019bed4422f0b3368d

The only thing that happens after the 'out:' label is blk_unref(blk).
However, blk = NULL in all of the error cases, so instead of jumping to
'out:', we can just return directly.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20201203172311.68232-2-kwolf@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoui/vnc: Add missing lock for send_color_map
Peng Liang [Mon, 16 Nov 2020 14:13:38 +0000 (22:13 +0800)]
ui/vnc: Add missing lock for send_color_map

Git-commit: 947191b4312a547621566d77d7b922d9e13bb63d
vnc_write() should be locked after the RFB protocol is initialized.

Fixes: 0c426e4534b4 ("vnc: Add support for color map")
Cc: qemu-stable@nongnu.org
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Message-id: 20201116141338.148911-1-liangpeng10@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
2 years agoImported vendor release 5.2.0-20.1
SoonKyu Park [Tue, 23 Nov 2021 04:45:12 +0000 (13:45 +0900)]
Imported vendor release 5.2.0-20.1

2 years agoImported Upstream version 5.2.0
SoonKyu Park [Tue, 23 Nov 2021 04:40:00 +0000 (13:40 +0900)]
Imported Upstream version 5.2.0

3 years agoTo support syscall_389 92/265992/1 sandbox/wangbiao/qemu_2_7
biao716.wang [Thu, 4 Nov 2021 16:13:17 +0000 (01:13 +0900)]
To support syscall_389

Change-Id: I7e780307e9c64525961fc70ecc7e1fcfb29d8d5e
Signed-off-by: biao716.wang <biao716.wang@samsung.com>
3 years agopackaging: add armv7hl support 14/265414/1
Dongkyun, Son [Fri, 24 Feb 2017 08:47:58 +0000 (17:47 +0900)]
packaging: add armv7hl support

Change-Id: I5e2568eb66be2fd4c10b4b6d6b376269b1e0b56d
Signed-off-by: Dongkyun, Son <dongkyun.s@samsung.com>
(cherry picked from commit a91f333858752b70d41d1e98a0c75fe4d59ce72a)

3 years agoRevert 8f8f75: "linux-user: Run multi-threaded code on a single core" 64/258964/2 tizen_6.5_base tizen_6.5.m2_release
hyokeun.jeon [Fri, 28 May 2021 09:14:49 +0000 (18:14 +0900)]
Revert 8f8f75: "linux-user: Run multi-threaded code on a single core"

Approved by Tizen PL team at 2021-05-27

Change-Id: I96f1312f0dd2d1e7aca611486c8df35669e2f722

4 years agoMerge '[Qemu-devel] [PATCH for-4.1] linux-user: Make sigaltstack stacks per-thread... 76/231176/2 accepted/tizen_base_tool sandbox/yan11meng/qemu_upgrade tizen_6.0_base tizen_6.0_base_hotfix accepted/tizen/6.0/base/20201029.105809 submit/tizen_6.0_base/20201029.184802 submit/tizen_6.0_base_hotfix/20201030.192502 submit/tizen_6.0_base_hotfix/20201102.162702 tizen_6.0.m2_release upstream/2.7.0.1
SoonKyu Park [Fri, 3 Apr 2020 00:31:58 +0000 (09:31 +0900)]
Merge '[Qemu-devel] [PATCH for-4.1] linux-user: Make sigaltstack stacks per-thread' for go language support
patch url : https://patchew.org/QEMU/20190725131645.19501-1-peter.maydell@linaro.org/

Change-Id: I591a7d1eab277ecdedbe8a886de4fb553f31a264

6 years agoASan-related hack to speedup aarch64 builds. 93/175393/1 accepted/tizen_5.5_base_mobile_hotfix accepted/tizen_5.5_base_wearable_hotfix tizen_5.0_base tizen_5.5_base tizen_5.5_base_mobile_hotfix tizen_5.5_base_wearable_hotfix tizen_5.5_tv accepted/tizen/5.0/base/20181101.091254 accepted/tizen/5.5/base/mobile/hotfix/20201023.083817 accepted/tizen/5.5/base/wearable/hotfix/20201023.080204 submit/tizen_5.0_base/20181101.000001 submit/tizen_5.5_base_mobile_hotfix/20201023.171502 submit/tizen_5.5_base_wearable_hotfix/20201023.155602 tizen_5.5.m2_release
Maxim Ostapenko [Fri, 8 Jul 2016 12:47:42 +0000 (15:47 +0300)]
ASan-related hack to speedup aarch64 builds.

Switch off memory pages checks in qemu if memory regions are mapped by ASan

Change-Id: I8233802ee35db00c799f5645072b8014f823b5c6
Signed-off-by: Maxim Ostapenko <m.ostapenko@samsung.com>
7 years agoImported Upstream version 2.6.1 upstream upstream/2.6.1
hyokeun [Tue, 27 Dec 2016 08:29:09 +0000 (17:29 +0900)]
Imported Upstream version 2.6.1

8 years agoUse different names for qemu-user binary: 65/96565/1 tizen_4.0_base_not_used accepted/tizen/4.0/base/20170811.093141 submit/tizen_4.0_base/20170811.071500 submit/tizen_4.0_base/20170828.000000 tizen_4.0.IoT.p1_release tizen_4.0.IoT.p2_release tizen_4.0.m1_release tizen_4.0.m2_release
Pavel Kopyl [Tue, 23 Aug 2016 13:42:07 +0000 (13:42 +0000)]
Use different names for qemu-user binary:

1. qemu-linux-user-x86_64-cross for 64-bit.
2. qemu-linux-user-x86-cross for 32-bit.
Also keep binaries with old names.

Change-Id: Ib2487b82c57189942e0925427cb2144dc8817dec
Signed-off-by: Pavel Kopyl <p.kopyl@samsung.com>
Signed-off-by: Chan Lee <chan45.lee@samsung.com>
(cherry picked from commit 4f4fc9b2f8ac86e081b08fb48d77fa860626d148)

8 years agoremoved qemu log (Unsupported syscall) 05/92405/1
Dongkyun, Son [Mon, 29 Aug 2016 06:17:44 +0000 (15:17 +0900)]
removed qemu log (Unsupported syscall)

blocked unexpeced warning message (qemu: Unsupported syscall: 219 or 311)

Change-Id: If17b6d80c0835fcc44822551127eca068b23eec9
Signed-off-by: Dongkyun, Son <dongkyun.s@samsung.com>
(cherry picked from commit 6b4067f8f34ee83f94042551267e951ab0b5e10e)

8 years agopackaging: mic-bootstrap link issue accepted/tizen_3.0_base qemu-2.7.0 tizen_3.0_base_not_used accepted/tizen/3.0/base/20161028.103448 submit/tizen_3.0_base/20161028.062326
hyokeun [Wed, 7 Sep 2016 08:54:56 +0000 (17:54 +0900)]
packaging: mic-bootstrap link issue

8 years agobinfmt: translate symbolic links correctly with realpath
Julien Isorce [Tue, 10 May 2016 12:18:06 +0000 (13:18 +0100)]
binfmt: translate symbolic links correctly with realpath

Change-Id: Ic0eeac9de40a8e1082c83b442829ac28f68bff04
Signed-off-by: Julien Isorce <j.isorce@samsung.com>
Signed-off-by: Yury Usishchev <y.usishchev@samsung.com>
8 years agoModify spec file to build qemu package in Tools:qemu project and aggregate it to...
SoonKyu Park [Fri, 19 Feb 2016 00:05:59 +0000 (09:05 +0900)]
Modify spec file to build qemu package in Tools:qemu project and aggregate it to use it

Change-Id: Id2db3f863d1d3fcdb57f841b69c3acda94e32cef

8 years agoAdd compatibility symlinks
Yury Usishchev [Wed, 5 Aug 2015 18:03:26 +0000 (21:03 +0300)]
Add compatibility symlinks

Symlinks to qemu binaries placed in directories where they are searched by
common non-Tizen binfmt_misc configurations (eq. in Ubuntu).

Change-Id: I6b8602736926dba24a7ffbc70c91222ec3ba5cc8

8 years agopackaging: ln -sf qemu-arm64, qemu-arm64-binfmt
hyokeun [Tue, 6 Sep 2016 04:58:06 +0000 (13:58 +0900)]
packaging: ln -sf qemu-arm64, qemu-arm64-binfmt

8 years agobinfmt: use binaries from /emul
Yury Usishchev [Wed, 5 Aug 2015 18:01:01 +0000 (21:01 +0300)]
binfmt: use binaries from /emul

This allows removing hardcoded architecture-dependent paths
from qemu-accel package. Also allows using symlinks for qemu-*-binfmt
as path don't depend on binary name now.

Change-Id: I92b9bc6df477ef925c761045d5307aca8cc1b2d4

8 years agoenable 32 bit qemu for Tizen.
Junfeng Dong [Tue, 19 Nov 2013 11:14:41 +0000 (19:14 +0800)]
enable 32 bit qemu for Tizen.

Change-Id: I75ecb5ef6952d1083c030f5e48ba2a24e4d6f4a1
Signed-off-by: Junfeng Dong <junfeng.dong@intel.com>
8 years agopackaging: Adding permissions-file-setuid-bit
hyokeun [Tue, 6 Sep 2016 01:18:07 +0000 (10:18 +0900)]
packaging: Adding permissions-file-setuid-bit

8 years agopackaging: BuildRequires: -post-build-checks
hyokeun [Mon, 5 Sep 2016 11:12:59 +0000 (20:12 +0900)]
packaging: BuildRequires: -post-build-checks

Change-Id: I27b7123c2637e7af82d59ca5e7d5bd139d727647

8 years agopackaging: Disable libseccomp
hyokeun [Tue, 6 Sep 2016 05:29:28 +0000 (14:29 +0900)]
packaging: Disable libseccomp

Change-Id: I177741ece64572b63c7fbad8267324449735ca97

8 years agopackaging: add packaging directory
hyokeun [Mon, 5 Sep 2016 04:22:58 +0000 (13:22 +0900)]
packaging: add packaging directory

Change-Id: I7eb77abf7c4e5afdc9606c723c125910280c65e6

8 years agoconfigure: Fix detection of seccomp on s390x
markkp [Thu, 11 Aug 2016 20:28:39 +0000 (16:28 -0400)]
configure: Fix detection of seccomp on s390x

Signed-off-by: Mark Post <mpost@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
8 years agoqemu-binfmt-conf: use qemu-ARCH-binfmt
Andreas Schwab [Fri, 12 Aug 2016 16:20:49 +0000 (18:20 +0200)]
qemu-binfmt-conf: use qemu-ARCH-binfmt

Signed-off-by: Andreas Schwab <schwab@suse.de>
Signed-off-by: Andreas Färber <afaerber@suse.de>
8 years agoqemu-bridge-helper: reduce security profile
Bruce Rogers [Tue, 2 Aug 2016 17:36:02 +0000 (11:36 -0600)]
qemu-bridge-helper: reduce security profile

Change from using glib alloc and free routines to those
from libc. Also perform safety measure of dropping privs
to user if configured no-caps.

[BR: BOO#988279]
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: Rebased for v2.7.0-rc2]
Signed-off-by: Andreas Färber <afaerber@suse.de>
8 years agoxen: SUSE xenlinux unplug for emulated PCI
Olaf Hering [Tue, 21 Jun 2016 16:42:45 +0000 (18:42 +0200)]
xen: SUSE xenlinux unplug for emulated PCI

Implement SUSE specific unplug protocol for emulated PCI devices
in PVonHVM guests
(bsc#953339, bsc#953362, bsc#953518, bsc#984981)

Signed-off-by: Olaf Hering <ohering@suse.de>
8 years agobuild: link with libatomic on powerpc-linux
Olaf Hering [Fri, 1 Apr 2016 10:27:16 +0000 (12:27 +0200)]
build: link with libatomic on powerpc-linux

Building on powerpc-linux fails with undefined reference to
__atomic_load_8 in icount_warp_rt(). Force linking to -latomic.

Fixes a0aa44b ("include/qemu/atomic.h: default to __atomic functions")

Signed-off-by: Olaf Hering <olaf@aepfle.de>
8 years agoxen_disk: Add suse specific flush disable handling and map to QEMU equiv
Bruce Rogers [Wed, 9 Mar 2016 22:18:11 +0000 (15:18 -0700)]
xen_disk: Add suse specific flush disable handling and map to QEMU equiv

Add code to read the suse specific suse-diskcache-disable-flush flag out
of xenstore, and set the equivalent flag within QEMU.

Patch taken from Xen's patch queue, Olaf Hering being the original author.
[bsc#879425]

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Olaf Hering <olaf@aepfle.de>
8 years agodictzip: Fix on big endian systems
Alexander Graf [Mon, 15 Jun 2015 15:36:32 +0000 (17:36 +0200)]
dictzip: Fix on big endian systems

The dictzip code in SLE11 received some treatment over time to support
running on big endian hosts. Somewhere in the transition to SLE12 this
support got lost. Add it back in again from the SLE11 code base.

Furthermore while at it, fix up the debug prints to not emit warnings.

[AG: BSC#937572]
Signed-off-by: Alexander Graf <agraf@suse.de>
[AF: Rebased for v2.7.0-rc2]
Signed-off-by: Andreas Färber <afaerber@suse.de>
8 years agoAIO: Reduce number of threads for 32bit hosts
Alexander Graf [Wed, 14 Jan 2015 00:32:11 +0000 (01:32 +0100)]
AIO: Reduce number of threads for 32bit hosts

On hosts with limited virtual address space (32bit pointers), we can very
easily run out of virtual memory with big thread pools.

Instead, we should limit ourselves to small pools to keep memory footprint
low on those systems.

This patch fixes random VM stalls like

  (process:25114): GLib-ERROR **: gmem.c:103: failed to allocate 1048576 bytes

on 32bit ARM systems for me.

Signed-off-by: Alexander Graf <agraf@suse.de>
8 years agoconfigure: Enable PIE for ppc and ppc64 hosts
Dinar Valeev [Wed, 2 Oct 2013 15:56:03 +0000 (17:56 +0200)]
configure: Enable PIE for ppc and ppc64 hosts

Signed-off-by: Dinar Valeev <dvaleev@suse.com>
[AF: Rebased for v1.7]
Signed-off-by: Andreas Färber <afaerber@suse.de>
8 years agovirtfs-proxy-helper: Provide __u64 for broken sys/capability.h
Bruce Rogers [Thu, 16 May 2013 10:39:10 +0000 (12:39 +0200)]
virtfs-proxy-helper: Provide __u64 for broken sys/capability.h

Fixes the build on SLE 11 SP2.

[AF: Extend to ppc64]

8 years agolinux-user: lseek: explicitly cast non-set offsets to signed
Alexander Graf [Thu, 13 Dec 2012 13:29:22 +0000 (14:29 +0100)]
linux-user: lseek: explicitly cast non-set offsets to signed

When doing lseek, SEEK_SET indicates that the offset is an unsigned variable.
Other seek types have parameters that can be negative.

When converting from 32bit to 64bit parameters, we need to take this into
account and enable SEEK_END and SEEK_CUR to be negative, while SEEK_SET stays
absolute positioned which we need to maintain as unsigned.

Signed-off-by: Alexander Graf <agraf@suse.de>
8 years agoMake char muxer more robust wrt small FIFOs
Alexander Graf [Thu, 1 Apr 2010 15:36:23 +0000 (17:36 +0200)]
Make char muxer more robust wrt small FIFOs

Virtio-Console can only process one character at a time. Using it on S390
gave me strage "lags" where I got the character I pressed before when
pressing one. So I typed in "abc" and only received "a", then pressed "d"
but the guest received "b" and so on.

While the stdio driver calls a poll function that just processes on its
queue in case virtio-console can't take multiple characters at once, the
muxer does not have such callbacks, so it can't empty its queue.

To work around that limitation, I introduced a new timer that only gets
active when the guest can not receive any more characters. In that case
it polls again after a while to check if the guest is now receiving input.

This patch fixes input when using -nographic on s390 for me.

[AF: Rebased for v2.7.0-rc2]

8 years agoconsole: add question-mark escape operator
Alexander Graf [Mon, 6 Jun 2011 04:53:52 +0000 (06:53 +0200)]
console: add question-mark escape operator

Some termcaps (found using SLES11SP1) use [? sequences. According to man
console_codes (http://linux.die.net/man/4/console_codes) the question mark
is a nop and should simply be ignored.

This patch does exactly that, rendering screen output readable when
outputting guest serial consoles to the graphical console emulator.

Signed-off-by: Alexander Graf <agraf@suse.de>
8 years agoLegacy Patch kvm-qemu-preXX-dictzip3.patch
Alexander Graf [Wed, 12 Dec 2012 18:11:30 +0000 (19:11 +0100)]
Legacy Patch kvm-qemu-preXX-dictzip3.patch

8 years agoblock: Add tar container format
Alexander Graf [Wed, 5 Aug 2009 15:28:38 +0000 (17:28 +0200)]
block: Add tar container format

Tar is a very widely used format to store data in. Sometimes people even put
virtual machine images in there.

So it makes sense for qemu to be able to read from tar files. I implemented a
written from scratch reader that also knows about the GNU sparse format, which
is what pigz creates.

This version checks for filenames that end on well-known extensions. The logic
could be changed to search for filenames given on the command line, but that
would require changes to more parts of qemu.

The tar reader in conjunctiuon with dzip gives us the chance to download
tar'ed up virtual machine images (even via http) and instantly make use of
them.

Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Bruce Rogers <brogers@novell.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
[TH: Use bdrv_open options instead of filename]
Signed-off-by: Tim Hardeck <thardeck@suse.de>
[AF: bdrv_file_open got an Error **errp argument, bdrv_delete -> brd_unref]
[AF: qemu_opts_create_nofail() -> qemu_opts_create(),
     bdrv_file_open() -> bdrv_open(), based on work by brogers]
[AF: error_is_set() dropped for v2.1.0-rc0]
[AF: BlockDriverAIOCB -> BlockAIOCB,
     BlockDriverCompletionFunc -> BlockCompletionFunc,
     qemu_aio_release() -> qemu_aio_unref(),
     drop tar_aio_cancel()]
[AF: common-obj-y -> block-obj-y, drop probe hook (bsc#945778)]
[AF: Drop bdrv_open() drv parameter for 2.5]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: Changed bdrv_open() bs parameter and return value for v2.7.0-rc2,
     for bdrv_pread() and bdrv_aio_readv() s/s->hd/s->hd->file/]
Signed-off-by: Andreas Färber <afaerber@suse.de>
8 years agoblock: Add support for DictZip enabled gzip files
Alexander Graf [Wed, 5 Aug 2009 07:49:37 +0000 (09:49 +0200)]
block: Add support for DictZip enabled gzip files

DictZip is an extension to the gzip format that allows random seeks in gzip
compressed files by cutting the file into pieces and storing the piece offsets
in the "extra" header of the gzip format.

Thanks to that extension, we can use gzip compressed files as block backend,
though only in read mode.

This makes a lot of sense when stacked with tar files that can then be shipped
to VM users. If a VM image is inside a tar file that is inside a DictZip
enabled gzip file, the user can run the tar.gz file as is without having to
extract the image first.

Tar patch follows.

Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Bruce Rogers <brogers@novell.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
[TH: Use bdrv_open options instead of filename]
Signed-off-by: Tim Hardeck <thardeck@suse.de>
[AF: Error **errp added for bdrv_file_open, bdrv_delete -> bdrv_unref]
[AF: qemu_opts_create_nofail() -> qemu_opts_create(),
     bdrv_file_open() -> bdrv_open(), based on work by brogers]
[AF: error_is_set() dropped for v2.1.0-rc0]
[AF: BlockDriverAIOCB -> BlockAIOCB,
     BlockDriverCompletionFunc -> BlockCompletionFunc,
     qemu_aio_release() -> qemu_aio_unref(),
     drop dictzip_aio_cancel()]
[AF: common-obj-y -> block-obj-y, drop probe hook (bsc#945778)]
[AF: Drop bdrv_open() drv parameter for 2.5]
Signed-off-by: Andreas Färber <afaerber@suse.de>
Signed-off-by: Bruce Rogers <brogers@suse.com>
[AF: Drop bdrv_open() bs parameter and change return value for v2.7.0-rc2,
     for bdrv_pread() and bdrv_aio_readv() do s/s->hd/s->hd->file/]
Signed-off-by: Andreas Färber <afaerber@suse.de>
8 years agolinux-user: use target_ulong
Alexander Graf [Tue, 9 Oct 2012 07:06:49 +0000 (09:06 +0200)]
linux-user: use target_ulong

Linux syscalls pass pointers or data length or other information of that sort
to the kernel. This is all stuff you don't want to have sign extended.
Otherwise a host 64bit variable parameter with a size parameter will extend
it to a negative number, breaking lseek for example.

Pass syscall arguments as ulong always.

Signed-off-by: Alexander Graf <agraf@suse.de>
8 years agovnc: password-file= and incoming-connections=
Andreas Färber [Wed, 29 Aug 2012 18:06:01 +0000 (20:06 +0200)]
vnc: password-file= and incoming-connections=

TBD (from SUSE Studio team)

8 years agoslirp: -nooutgoing
Andreas Färber [Wed, 29 Aug 2012 16:42:56 +0000 (18:42 +0200)]
slirp: -nooutgoing

TBD (from SUSE Studio team)