Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package qemu for openSUSE:Factory checked in at 2021-05-25 21:08:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qemu (Old) and /work/SRC/openSUSE:Factory/.qemu.new.2988 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qemu" Tue May 25 21:08:15 2021 rev:204 rq:895371 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/qemu/qemu.changes 2021-05-07 16:44:46.220502186 +0200 +++ /work/SRC/openSUSE:Factory/.qemu.new.2988/qemu.changes 2021-05-25 21:08:17.854985434 +0200 @@ -1,0 +2,39 @@ +Mon May 24 23:20:04 UTC 2021 - Jos?? Ricardo Ziviani <[email protected]> + +- Fix CVE-2021-3527 in usb/redir: + usb-redir-avoid-dynamic-stack-allocation.patch +- Fix issues found upstream: + hw-block-nvme-consider-metadata-read-aio.patch + sockets-update-SOCKET_ADDRESS_TYPE_FD-li.patch + vfio-ccw-Permit-missing-IRQs.patch + vhost-user-blk-Check-that-num-queues-is-.patch + vhost-user-blk-Don-t-reconnect-during-in.patch + vhost-user-blk-Fail-gracefully-on-too-la.patch + vhost-user-blk-Get-more-feature-flags-fr.patch + vhost-user-blk-Make-sure-to-set-Error-on.patch + virtio-blk-Fix-rollback-path-in-virtio_b.patch + virtio-Fail-if-iommu_platform-is-request.patch + virtiofsd-Fix-side-effect-in-assert.patch + monitor-qmp-fix-race-on-CHR_EVENT_CLOSED.patch + +------------------------------------------------------------------- +Mon May 17 20:34:14 UTC 2021 - Jos?? Ricardo Ziviani <[email protected]> + +- Brotli VLA error was already fixed in v5.2 but the patches wasn't + included in v6.0. This change fixed that +- Patches added: + brotli-fix-actual-variable-array-paramet.patch + hw-rx-rx-gdbsim-Do-not-accept-invalid-me.patch + ui-Fix-memory-leak-in-qemu_xkeymap_mappi.patch + +------------------------------------------------------------------- +Thu May 6 00:33:36 UTC 2021 - Bruce Rogers <[email protected]> + +- For the record, these issues are fixed in this package already. + Most are alternate references to previously mentioned issues: + (CVE-2019-15890, bsc#1149813, CVE-2020-8608, bsc#1163019, + CVE-2020-14364, bsc#1175534, CVE-2020-25707, bsc#1178683, + CVE-2020-25723, bsc#1178935, CVE-2020-29130, bsc#1179477, + CVE-2020-29129, bsc#1179484, CVE-2021-3419, bsc#1182975) + +------------------------------------------------------------------- New: ---- brotli-fix-actual-variable-array-paramet.patch hw-block-nvme-consider-metadata-read-aio.patch hw-rx-rx-gdbsim-Do-not-accept-invalid-me.patch monitor-qmp-fix-race-on-CHR_EVENT_CLOSED.patch sockets-update-SOCKET_ADDRESS_TYPE_FD-li.patch ui-Fix-memory-leak-in-qemu_xkeymap_mappi.patch usb-redir-avoid-dynamic-stack-allocation.patch vfio-ccw-Permit-missing-IRQs.patch vhost-user-blk-Check-that-num-queues-is-.patch vhost-user-blk-Don-t-reconnect-during-in.patch vhost-user-blk-Fail-gracefully-on-too-la.patch vhost-user-blk-Get-more-feature-flags-fr.patch vhost-user-blk-Make-sure-to-set-Error-on.patch virtio-Fail-if-iommu_platform-is-request.patch virtio-blk-Fix-rollback-path-in-virtio_b.patch virtiofsd-Fix-side-effect-in-assert.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qemu.spec ++++++ --- /var/tmp/diff_new_pack.l01g1h/_old 2021-05-25 21:08:20.078975676 +0200 +++ /var/tmp/diff_new_pack.l01g1h/_new 2021-05-25 21:08:20.078975676 +0200 @@ -177,6 +177,21 @@ Patch00042: module-for-virtio-gpu-pre-load-module-to.patch Patch00043: qom-handle-case-of-chardev-spice-module-.patch Patch00044: doc-add-our-support-doc-to-the-main-proj.patch +Patch00045: ui-Fix-memory-leak-in-qemu_xkeymap_mappi.patch +Patch00046: hw-rx-rx-gdbsim-Do-not-accept-invalid-me.patch +Patch00047: monitor-qmp-fix-race-on-CHR_EVENT_CLOSED.patch +Patch00048: vhost-user-blk-Fail-gracefully-on-too-la.patch +Patch00049: usb-redir-avoid-dynamic-stack-allocation.patch +Patch00050: virtiofsd-Fix-side-effect-in-assert.patch +Patch00051: sockets-update-SOCKET_ADDRESS_TYPE_FD-li.patch +Patch00052: virtio-blk-Fix-rollback-path-in-virtio_b.patch +Patch00053: hw-block-nvme-consider-metadata-read-aio.patch +Patch00054: vhost-user-blk-Make-sure-to-set-Error-on.patch +Patch00055: vhost-user-blk-Don-t-reconnect-during-in.patch +Patch00056: vhost-user-blk-Get-more-feature-flags-fr.patch +Patch00057: virtio-Fail-if-iommu_platform-is-request.patch +Patch00058: vhost-user-blk-Check-that-num-queues-is-.patch +Patch00059: vfio-ccw-Permit-missing-IRQs.patch # Patches applied in roms/seabios/: Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch @@ -192,6 +207,8 @@ Patch03001: roms-sgabios-Fix-csum8-to-be-built-by-ho.patch # Patches applied in roms/qboot/: Patch11000: qboot-add-cross.ini-file-to-handle-aarch.patch +# Patches applied in roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/: +Patch27000: brotli-fix-actual-variable-array-paramet.patch # Please do not add patches manually here. @@ -1052,6 +1069,21 @@ %if %{legacy_qemu_kvm} %patch00044 -p1 %endif +%patch00045 -p1 +%patch00046 -p1 +%patch00047 -p1 +%patch00048 -p1 +%patch00049 -p1 +%patch00050 -p1 +%patch00051 -p1 +%patch00052 -p1 +%patch00053 -p1 +%patch00054 -p1 +%patch00055 -p1 +%patch00056 -p1 +%patch00057 -p1 +%patch00058 -p1 +%patch00059 -p1 %patch01000 -p1 %patch01001 -p1 %patch01002 -p1 @@ -1065,6 +1097,7 @@ %patch03000 -p1 %patch03001 -p1 %patch11000 -p1 +%patch27000 -p1 %if "%{name}" != "qemu-linux-user" # for the record, this set of firmware files is installed, but we don't @@ -1863,7 +1896,7 @@ %_docdir/%name/_static/doctools.js %_docdir/%name/_static/documentation_options.js %_docdir/%name/_static/file.png -%_docdir/%name/_static/jquery-3.5.1.js +%_docdir/%name/_static/jquery-* %_docdir/%name/_static/jquery.js %_docdir/%name/_static/language_data.js %_docdir/%name/_static/minus.png ++++++ brotli-fix-actual-variable-array-paramet.patch ++++++ From: Bruce Rogers <[email protected]> Date: Fri, 5 Mar 2021 13:25:44 -0700 Subject: brotli: fix actual variable-array parameters to match declaration References: boo#1181922 GCC 11 complains about the mismatch between the variable-array parameters not being defined as such in the actual function definition. Make them match. Signed-off-by: Bruce Rogers <[email protected]> --- c/dec/decode.c | 6 ++++-- c/enc/encode.c | 5 +++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c b/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c index 114c5057d7d91f5a634167e00d84..bb6f1ab6cc42f54720fd07f665e3 100644 --- a/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c +++ b/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c @@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands( } BrotliDecoderResult BrotliDecoderDecompress( - size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size, - uint8_t* decoded_buffer) { + size_t encoded_size, + const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)], + size_t* decoded_size, + uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) { BrotliDecoderState s; BrotliDecoderResult result; size_t total_out = 0; diff --git a/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c b/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c index 68548ef55af8036d6f0fe720e721..ab0a4906060c98461102d45ab61d 100644 --- a/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c +++ b/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c @@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream( BROTLI_BOOL BrotliEncoderCompress( int quality, int lgwin, BrotliEncoderMode mode, size_t input_size, - const uint8_t* input_buffer, size_t* encoded_size, - uint8_t* encoded_buffer) { + const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)], + size_t* encoded_size, + uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) { BrotliEncoderState* s; size_t out_size = *encoded_size; const uint8_t* input_start = input_buffer; ++++++ bundles.tar.xz ++++++ Binary files old/609d7596524ab204ccd71ef42c9eee4c7c338ea4.bundle and new/609d7596524ab204ccd71ef42c9eee4c7c338ea4.bundle differ Binary files old/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/666c3280cc11dc433c303d79a83d4ffbdd12cc8d.bundle and new/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/666c3280cc11dc433c303d79a83d4ffbdd12cc8d.bundle differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/repo new/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/repo --- old/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/repo 1970-01-01 01:00:00.000000000 +0100 +++ new/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/repo 2021-05-25 01:10:10.000000000 +0200 @@ -0,0 +1 @@ +https://github.com/openSUSE/qemu-edk2-BrotliCompress-brotli.git ++++++ hw-block-nvme-consider-metadata-read-aio.patch ++++++ From: Gollu Appalanaidu <[email protected]> Date: Fri, 16 Apr 2021 12:52:33 +0530 Subject: hw/block/nvme: consider metadata read aio return value in compare Git-commit: b4a983239343efd0a2d8a6cdf0690d0d707ec4ea Currently in compare command metadata aio read blk_aio_preadv return value ignored. Consider it and complete the block accounting. Signed-off-by: Gollu Appalanaidu <[email protected]> Fixes: 0a384f923f51 ("hw/block/nvme: add compare command") Signed-off-by: Klaus Jensen <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/block/nvme.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/hw/block/nvme.c b/hw/block/nvme.c index 5fe082ec34c57471fab0fa7e8a0c..ba90053b63ed4884deb98d62b6d6 100644 --- a/hw/block/nvme.c +++ b/hw/block/nvme.c @@ -2369,10 +2369,19 @@ static void nvme_compare_mdata_cb(void *opaque, int ret) uint32_t reftag = le32_to_cpu(rw->reftag); struct nvme_compare_ctx *ctx = req->opaque; g_autofree uint8_t *buf = NULL; + BlockBackend *blk = ns->blkconf.blk; + BlockAcctCookie *acct = &req->acct; + BlockAcctStats *stats = blk_get_stats(blk); uint16_t status = NVME_SUCCESS; trace_pci_nvme_compare_mdata_cb(nvme_cid(req)); + if (ret) { + block_acct_failed(stats, acct); + nvme_aio_err(req, ret); + goto out; + } + buf = g_malloc(ctx->mdata.iov.size); status = nvme_bounce_mdata(n, buf, ctx->mdata.iov.size, @@ -2421,6 +2430,8 @@ static void nvme_compare_mdata_cb(void *opaque, int ret) goto out; } + block_acct_done(stats, acct); + out: qemu_iovec_destroy(&ctx->data.iov); g_free(ctx->data.bounce); ++++++ hw-rx-rx-gdbsim-Do-not-accept-invalid-me.patch ++++++ From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <[email protected]> Date: Thu, 8 Apr 2021 00:30:56 +0200 Subject: hw/rx/rx-gdbsim: Do not accept invalid memory size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 9197b5d4b5f163455c891baec531ae73f5d3a73a References: bsc#1186000 We check the amount of RAM is enough, warn when it is not, but if so we neglect to bail out. Fix that by adding the missing exit() call. Fixes: bda19d7bb56 ("hw/rx: Add RX GDB simulator") Signed-off-by: Philippe Mathieu-Daud?? <[email protected]> Reviewed-by: Richard Henderson <[email protected]> Reviewed-by: Yoshinori Sato <[email protected]> Message-Id: <[email protected]> Signed-off-by: Laurent Vivier <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/rx/rx-gdbsim.c | 1 + 1 file changed, 1 insertion(+) diff --git a/hw/rx/rx-gdbsim.c b/hw/rx/rx-gdbsim.c index b1d7c2488ff332cfc3de1e39f6d4..4e4ececae4b060ea75e6454f3a8c 100644 --- a/hw/rx/rx-gdbsim.c +++ b/hw/rx/rx-gdbsim.c @@ -93,6 +93,7 @@ static void rx_gdbsim_init(MachineState *machine) char *sz = size_to_str(mc->default_ram_size); error_report("Invalid RAM size, should be more than %s", sz); g_free(sz); + exit(1); } /* Allocate memory space */ ++++++ monitor-qmp-fix-race-on-CHR_EVENT_CLOSED.patch ++++++ From: Stefan Reiter <[email protected]> Date: Mon, 22 Mar 2021 16:40:24 +0100 Subject: monitor/qmp: fix race on CHR_EVENT_CLOSED without OOB Git-commit: a67b996e7894edfafbcd3fd007c9f58f26d25908 The QMP dispatcher coroutine holds the qmp_queue_lock over a yield point, where it expects to be rescheduled from the main context. If a CHR_EVENT_CLOSED event is received just then, it can race and block the main thread on the mutex in monitor_qmp_cleanup_queue_and_resume. monitor_resume does not need to be called from main context, so we can call it immediately after popping a request from the queue, which allows us to drop the qmp_queue_lock mutex before yielding. Suggested-by: Wolfgang Bumiller <[email protected]> Signed-off-by: Stefan Reiter <[email protected]> Message-Id: <[email protected]> Reviewed-by: Kevin Wolf <[email protected]> Cc: [email protected] Signed-off-by: Markus Armbruster <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- monitor/qmp.c | 40 ++++++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/monitor/qmp.c b/monitor/qmp.c index 2b0308f93371dde1a8085ac9c402..092c527b6fc9c6363f4bf81d8573 100644 --- a/monitor/qmp.c +++ b/monitor/qmp.c @@ -257,24 +257,6 @@ void coroutine_fn monitor_qmp_dispatcher_co(void *data) trace_monitor_qmp_in_band_dequeue(req_obj, req_obj->mon->qmp_requests->length); - if (qatomic_xchg(&qmp_dispatcher_co_busy, true) == true) { - /* - * Someone rescheduled us (probably because a new requests - * came in), but we didn't actually yield. Do that now, - * only to be immediately reentered and removed from the - * list of scheduled coroutines. - */ - qemu_coroutine_yield(); - } - - /* - * Move the coroutine from iohandler_ctx to qemu_aio_context for - * executing the command handler so that it can make progress if it - * involves an AIO_WAIT_WHILE(). - */ - aio_co_schedule(qemu_get_aio_context(), qmp_dispatcher_co); - qemu_coroutine_yield(); - /* * @req_obj has a request, we hold req_obj->mon->qmp_queue_lock */ @@ -298,8 +280,30 @@ void coroutine_fn monitor_qmp_dispatcher_co(void *data) monitor_resume(&mon->common); } + /* + * Drop the queue mutex now, before yielding, otherwise we might + * deadlock if the main thread tries to lock it. + */ qemu_mutex_unlock(&mon->qmp_queue_lock); + if (qatomic_xchg(&qmp_dispatcher_co_busy, true) == true) { + /* + * Someone rescheduled us (probably because a new requests + * came in), but we didn't actually yield. Do that now, + * only to be immediately reentered and removed from the + * list of scheduled coroutines. + */ + qemu_coroutine_yield(); + } + + /* + * Move the coroutine from iohandler_ctx to qemu_aio_context for + * executing the command handler so that it can make progress if it + * involves an AIO_WAIT_WHILE(). + */ + aio_co_schedule(qemu_get_aio_context(), qmp_dispatcher_co); + qemu_coroutine_yield(); + /* Process request */ if (req_obj->req) { if (trace_event_get_state(TRACE_MONITOR_QMP_CMD_IN_BAND)) { ++++++ qemu.spec.in ++++++ --- /var/tmp/diff_new_pack.l01g1h/_old 2021-05-25 21:08:20.550973604 +0200 +++ /var/tmp/diff_new_pack.l01g1h/_new 2021-05-25 21:08:20.550973604 +0200 @@ -1737,7 +1737,7 @@ %_docdir/%name/_static/doctools.js %_docdir/%name/_static/documentation_options.js %_docdir/%name/_static/file.png -%_docdir/%name/_static/jquery-3.5.1.js +%_docdir/%name/_static/jquery-* %_docdir/%name/_static/jquery.js %_docdir/%name/_static/language_data.js %_docdir/%name/_static/minus.png ++++++ sockets-update-SOCKET_ADDRESS_TYPE_FD-li.patch ++++++ From: Stefan Hajnoczi <[email protected]> Date: Wed, 10 Mar 2021 17:30:04 +0000 Subject: sockets: update SOCKET_ADDRESS_TYPE_FD listen(2) backlog Git-commit: 37179e9ea45d6428b29ae789209c119ac18c1d39 socket_get_fd() fails with the error "socket_get_fd: too many connections" if the given listen backlog value is not 1. Not all callers set the backlog to 1. For example, commit 582d4210eb2f2ab5baac328fe4b479cd86da1647 ("qemu-nbd: Use SOMAXCONN for socket listen() backlog") uses SOMAXCONN. This will always fail with in socket_get_fd(). This patch calls listen(2) on the fd to update the backlog value. The socket may already be in the listen state. I have tested that this works on Linux 5.10 and macOS Catalina. As a bonus this allows us to detect when the fd cannot listen. Now we'll be able to catch unbound or connected fds in socket_listen(). Drop the num argument from socket_get_fd() since this function is also called by socket_connect() where a listen backlog value does not make sense. Fixes: e5b6353cf25c99c3f08bf51e29933352f7140e8f ("socket: Add backlog parameter to socket_listen") Reported-by: Richard W.M. Jones <[email protected]> Cc: Juan Quintela <[email protected]> Cc: Eric Blake <[email protected]> Signed-off-by: Stefan Hajnoczi <[email protected]> Message-Id: <[email protected]> Tested-by: Richard W.M. Jones <[email protected]> Reviewed-by: Eric Blake <[email protected]> Reviewed-by: Stefano Garzarella <[email protected]> Signed-off-by: Eric Blake <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- util/qemu-sockets.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c index 8af0278f15c69fea136192e91650..2463c49773eae5ccac4c6c832c76 100644 --- a/util/qemu-sockets.c +++ b/util/qemu-sockets.c @@ -1116,14 +1116,10 @@ fail: return NULL; } -static int socket_get_fd(const char *fdstr, int num, Error **errp) +static int socket_get_fd(const char *fdstr, Error **errp) { Monitor *cur_mon = monitor_cur(); int fd; - if (num != 1) { - error_setg_errno(errp, EINVAL, "socket_get_fd: too many connections"); - return -1; - } if (cur_mon) { fd = monitor_get_fd(cur_mon, fdstr, errp); if (fd < 0) { @@ -1159,7 +1155,7 @@ int socket_connect(SocketAddress *addr, Error **errp) break; case SOCKET_ADDRESS_TYPE_FD: - fd = socket_get_fd(addr->u.fd.str, 1, errp); + fd = socket_get_fd(addr->u.fd.str, errp); break; case SOCKET_ADDRESS_TYPE_VSOCK: @@ -1187,7 +1183,26 @@ int socket_listen(SocketAddress *addr, int num, Error **errp) break; case SOCKET_ADDRESS_TYPE_FD: - fd = socket_get_fd(addr->u.fd.str, num, errp); + fd = socket_get_fd(addr->u.fd.str, errp); + if (fd < 0) { + return -1; + } + + /* + * If the socket is not yet in the listen state, then transition it to + * the listen state now. + * + * If it's already listening then this updates the backlog value as + * requested. + * + * If this socket cannot listen because it's already in another state + * (e.g. unbound or connected) then we'll catch the error here. + */ + if (listen(fd, num) != 0) { + error_setg_errno(errp, errno, "Failed to listen on fd socket"); + closesocket(fd); + return -1; + } break; case SOCKET_ADDRESS_TYPE_VSOCK: ++++++ ui-Fix-memory-leak-in-qemu_xkeymap_mappi.patch ++++++ From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <[email protected]> Date: Fri, 30 Apr 2021 17:50:09 +0200 Subject: ui: Fix memory leak in qemu_xkeymap_mapping_table() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 7c06a34c8c4f2c883d6ab6b15faa214d4ebfb269 References: bsc#1185999 Refactor qemu_xkeymap_mapping_table() to have a single exit point, so we can easily free the memory allocated by XGetAtomName(). This fixes when running a binary configured with --enable-sanitizers: Direct leak of 22 byte(s) in 1 object(s) allocated from: #0 0x561344a7473f in malloc (qemu-system-x86_64+0x1dab73f) #1 0x7fa4d9dc08aa in XGetAtomName (/lib64/libX11.so.6+0x2a8aa) Fixes: 2ec78706d18 ("ui: convert GTK and SDL1 frontends to keycodemapdb") Reviewed-by: Daniel P. Berrang?? <[email protected]> Reviewed-by: Laurent Vivier <[email protected]> Signed-off-by: Philippe Mathieu-Daud?? <[email protected]> Message-Id: <[email protected]> Signed-off-by: Laurent Vivier <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- ui/x_keymap.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/ui/x_keymap.c b/ui/x_keymap.c index 555086fb6bd572aeb6dda17bdd15..2ce7b899615f8368c6a6e6984eab 100644 --- a/ui/x_keymap.c +++ b/ui/x_keymap.c @@ -56,6 +56,7 @@ const guint16 *qemu_xkeymap_mapping_table(Display *dpy, size_t *maplen) { XkbDescPtr desc; const gchar *keycodes = NULL; + const guint16 *map; /* There is no easy way to determine what X11 server * and platform & keyboard driver is in use. Thus we @@ -83,21 +84,21 @@ const guint16 *qemu_xkeymap_mapping_table(Display *dpy, size_t *maplen) if (check_for_xwin(dpy)) { trace_xkeymap_keymap("xwin"); *maplen = qemu_input_map_xorgxwin_to_qcode_len; - return qemu_input_map_xorgxwin_to_qcode; + map = qemu_input_map_xorgxwin_to_qcode; } else if (check_for_xquartz(dpy)) { trace_xkeymap_keymap("xquartz"); *maplen = qemu_input_map_xorgxquartz_to_qcode_len; - return qemu_input_map_xorgxquartz_to_qcode; + map = qemu_input_map_xorgxquartz_to_qcode; } else if ((keycodes && g_str_has_prefix(keycodes, "evdev")) || (XKeysymToKeycode(dpy, XK_Page_Up) == 0x70)) { trace_xkeymap_keymap("evdev"); *maplen = qemu_input_map_xorgevdev_to_qcode_len; - return qemu_input_map_xorgevdev_to_qcode; + map = qemu_input_map_xorgevdev_to_qcode; } else if ((keycodes && g_str_has_prefix(keycodes, "xfree86")) || (XKeysymToKeycode(dpy, XK_Page_Up) == 0x63)) { trace_xkeymap_keymap("kbd"); *maplen = qemu_input_map_xorgkbd_to_qcode_len; - return qemu_input_map_xorgkbd_to_qcode; + map = qemu_input_map_xorgkbd_to_qcode; } else { trace_xkeymap_keymap("NULL"); g_warning("Unknown X11 keycode mapping '%s'.\n" @@ -109,6 +110,10 @@ const guint16 *qemu_xkeymap_mapping_table(Display *dpy, size_t *maplen) " - xprop -root\n" " - xdpyinfo\n", keycodes ? keycodes : "<null>"); - return NULL; + map = NULL; } + if (keycodes) { + XFree((void *)keycodes); + } + return map; } ++++++ usb-redir-avoid-dynamic-stack-allocation.patch ++++++ From: Gerd Hoffmann <[email protected]> Date: Mon, 3 May 2021 15:29:12 +0200 Subject: usb/redir: avoid dynamic stack allocation (CVE-2021-3527) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 References: CVE-2021-3527 Use autofree heap allocation instead. Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket") Reviewed-by: Philippe Mathieu-Daud?? <[email protected]> Signed-off-by: Gerd Hoffmann <[email protected]> Tested-by: Philippe Mathieu-Daud?? <[email protected]> Message-Id: <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/usb/redirect.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c index 17f06f34179a257e3fd2b354164e..6a75b0dc4ab295a70b4c507c9821 100644 --- a/hw/usb/redirect.c +++ b/hw/usb/redirect.c @@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, .endpoint = ep, .length = p->iov.size }; - uint8_t buf[p->iov.size]; + g_autofree uint8_t *buf = g_malloc(p->iov.size); /* No id, we look at the ep when receiving a status back */ usb_packet_copy(p, buf, p->iov.size); usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, @@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, usbredirparser_send_bulk_packet(dev->parser, p->id, &bulk_packet, NULL, 0); } else { - uint8_t buf[size]; + g_autofree uint8_t *buf = g_malloc(size); usb_packet_copy(p, buf, size); usbredir_log_data(dev, "bulk data out:", buf, size); usbredirparser_send_bulk_packet(dev->parser, p->id, @@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev, USBPacket *p, uint8_t ep) { struct usb_redir_interrupt_packet_header interrupt_packet; - uint8_t buf[p->iov.size]; + g_autofree uint8_t *buf = g_malloc(p->iov.size); DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, p->iov.size, p->id); ++++++ vfio-ccw-Permit-missing-IRQs.patch ++++++ From: Eric Farman <[email protected]> Date: Wed, 21 Apr 2021 17:20:53 +0200 Subject: vfio-ccw: Permit missing IRQs Git-commit: 6178d4689a1e6a0d2b6dea1dad990e74148fa9d1 Commit 690e29b91102 ("vfio-ccw: Refactor ccw irq handler") changed one of the checks for the IRQ notifier registration from saying "the host needs to recognize the only IRQ that exists" to saying "the host needs to recognize ANY IRQ that exists." And this worked fine, because the subsequent change to support the CRW IRQ notifier doesn't get into this code when running on an older kernel, thanks to a guard by a capability region. The later addition of the REQ(uest) IRQ by commit b2f96f9e4f5f ("vfio-ccw: Connect the device request notifier") broke this assumption because there is no matching capability region. Thus, running new QEMU on an older kernel fails with: vfio: unexpected number of irqs 2 Let's adapt the message here so that there's a better clue of what IRQ is missing. Furthermore, let's make the REQ(uest) IRQ not fail when attempting to register it, to permit running vfio-ccw on a newer QEMU with an older kernel. Fixes: b2f96f9e4f5f ("vfio-ccw: Connect the device request notifier") Signed-off-by: Eric Farman <[email protected]> Message-Id: <[email protected]> Signed-off-by: Cornelia Huck <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/vfio/ccw.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/hw/vfio/ccw.c b/hw/vfio/ccw.c index b2df708e4b0192cc6af898edeca4..400bc07fe260837953de87d0f272 100644 --- a/hw/vfio/ccw.c +++ b/hw/vfio/ccw.c @@ -412,8 +412,8 @@ static void vfio_ccw_register_irq_notifier(VFIOCCWDevice *vcdev, } if (vdev->num_irqs < irq + 1) { - error_setg(errp, "vfio: unexpected number of irqs %u", - vdev->num_irqs); + error_setg(errp, "vfio: IRQ %u not available (number of irqs %u)", + irq, vdev->num_irqs); return; } @@ -696,13 +696,15 @@ static void vfio_ccw_realize(DeviceState *dev, Error **errp) vfio_ccw_register_irq_notifier(vcdev, VFIO_CCW_REQ_IRQ_INDEX, &err); if (err) { - goto out_req_notifier_err; + /* + * Report this error, but do not make it a failing condition. + * Lack of this IRQ in the host does not prevent normal operation. + */ + error_report_err(err); } return; -out_req_notifier_err: - vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_CRW_IRQ_INDEX); out_crw_notifier_err: vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_IO_IRQ_INDEX); out_io_notifier_err: ++++++ vhost-user-blk-Check-that-num-queues-is-.patch ++++++ From: Kevin Wolf <[email protected]> Date: Thu, 29 Apr 2021 19:13:16 +0200 Subject: vhost-user-blk: Check that num-queues is supported by backend Git-commit: c90bd505a3e8210c23d69fecab9ee6f56ec4a161 Creating a device with a number of queues that isn't supported by the backend is pointless, the device won't work properly and the error messages are rather confusing. Just fail to create the device if num-queues is higher than what the backend supports. Since the relationship between num-queues and the number of virtqueues depends on the specific device, this is an additional value that needs to be initialised by the device. For convenience, allow leaving it 0 if the check should be skipped. This makes sense for vhost-user-net where separate vhost devices are used for the queues and custom initialisation code is needed to perform the check. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935031 Signed-off-by: Kevin Wolf <[email protected]> Reviewed-by: Raphael Norwitz <[email protected]> Message-Id: <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/block/vhost-user-blk.c | 1 + hw/virtio/vhost-user.c | 5 +++++ include/hw/virtio/vhost.h | 2 ++ 3 files changed, 8 insertions(+) diff --git a/hw/block/vhost-user-blk.c b/hw/block/vhost-user-blk.c index 738e8498b4a1d650047f7190c435..ceb6bdde71e57640677a48425148 100644 --- a/hw/block/vhost-user-blk.c +++ b/hw/block/vhost-user-blk.c @@ -324,6 +324,7 @@ static int vhost_user_blk_connect(DeviceState *dev) } s->connected = true; + s->dev.num_queues = s->num_queues; s->dev.nvqs = s->num_queues; s->dev.vqs = s->vhost_vqs; s->dev.vq_index = 0; diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c index ded0c10453095830e24b6e53e8f8..ee57abe04526f6c55d983cb0254c 100644 --- a/hw/virtio/vhost-user.c +++ b/hw/virtio/vhost-user.c @@ -1909,6 +1909,11 @@ static int vhost_user_backend_init(struct vhost_dev *dev, void *opaque) return err; } } + if (dev->num_queues && dev->max_queues < dev->num_queues) { + error_report("The maximum number of queues supported by the " + "backend is %" PRIu64, dev->max_queues); + return -EINVAL; + } if (virtio_has_feature(features, VIRTIO_F_IOMMU_PLATFORM) && !(virtio_has_feature(dev->protocol_features, diff --git a/include/hw/virtio/vhost.h b/include/hw/virtio/vhost.h index 4a8bc75415f6bba597c195e10a47..21a9a52088dd01838099046587fd 100644 --- a/include/hw/virtio/vhost.h +++ b/include/hw/virtio/vhost.h @@ -74,6 +74,8 @@ struct vhost_dev { int nvqs; /* the first virtqueue which would be used by this vhost dev */ int vq_index; + /* if non-zero, minimum required value for max_queues */ + int num_queues; uint64_t features; uint64_t acked_features; uint64_t backend_features; ++++++ vhost-user-blk-Don-t-reconnect-during-in.patch ++++++ From: Kevin Wolf <[email protected]> Date: Thu, 29 Apr 2021 19:13:12 +0200 Subject: vhost-user-blk: Don't reconnect during initialisation Git-commit: dabefdd6abcbc7d858e9413e4734aab2e0b5c8d9 This is a partial revert of commits 77542d43149 and bc79c87bcde. Usually, an error during initialisation means that the configuration was wrong. Reconnecting won't make the error go away, but just turn the error condition into an endless loop. Avoid this and return errors again. Additionally, calling vhost_user_blk_disconnect() from the chardev event handler could result in use-after-free because none of the initialisation code expects that the device could just go away in the middle. So removing the call fixes crashes in several places. For example, using a num-queues setting that is incompatible with the backend would result in a crash like this (dereferencing dev->opaque, which is already NULL): #0 0x0000555555d0a4bd in vhost_user_read_cb (source=0x5555568f4690, condition=(G_IO_IN | G_IO_HUP), opaque=0x7fffffffcbf0) at ../hw/virtio/vhost-user.c:313 #1 0x0000555555d950d3 in qio_channel_fd_source_dispatch (source=0x555557c3f750, callback=0x555555d0a478 <vhost_user_read_cb>, user_data=0x7fffffffcbf0) at ../io/channel-watch.c:84 #2 0x00007ffff7b32a9f in g_main_context_dispatch () at /lib64/libglib-2.0.so.0 #3 0x00007ffff7b84a98 in g_main_context_iterate.constprop () at /lib64/libglib-2.0.so.0 #4 0x00007ffff7b32163 in g_main_loop_run () at /lib64/libglib-2.0.so.0 #5 0x0000555555d0a724 in vhost_user_read (dev=0x555557bc62f8, msg=0x7fffffffcc50) at ../hw/virtio/vhost-user.c:402 #6 0x0000555555d0ee6b in vhost_user_get_config (dev=0x555557bc62f8, config=0x555557bc62ac "", config_len=60) at ../hw/virtio/vhost-user.c:2133 #7 0x0000555555d56d46 in vhost_dev_get_config (hdev=0x555557bc62f8, config=0x555557bc62ac "", config_len=60) at ../hw/virtio/vhost.c:1566 #8 0x0000555555cdd150 in vhost_user_blk_device_realize (dev=0x555557bc60b0, errp=0x7fffffffcf90) at ../hw/block/vhost-user-blk.c:510 #9 0x0000555555d08f6d in virtio_device_realize (dev=0x555557bc60b0, errp=0x7fffffffcff0) at ../hw/virtio/virtio.c:3660 Note that this removes the ability to reconnect during initialisation (but not during operation) when there is no permanent error, but the backend restarts, as the implementation was buggy. This feature can be added back in a follow-up series after changing error paths to distinguish cases where retrying could help from cases with permanent errors. Signed-off-by: Kevin Wolf <[email protected]> Message-Id: <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/block/vhost-user-blk.c | 59 +++++++++++---------------------------- 1 file changed, 17 insertions(+), 42 deletions(-) diff --git a/hw/block/vhost-user-blk.c b/hw/block/vhost-user-blk.c index 7c85248a7b78b9d9ec8614a3b5fe..c0b9958da1b4e155e063fb3426d0 100644 --- a/hw/block/vhost-user-blk.c +++ b/hw/block/vhost-user-blk.c @@ -50,6 +50,8 @@ static const int user_feature_bits[] = { VHOST_INVALID_FEATURE_BIT }; +static void vhost_user_blk_event(void *opaque, QEMUChrEvent event); + static void vhost_user_blk_update_config(VirtIODevice *vdev, uint8_t *config) { VHostUserBlk *s = VHOST_USER_BLK(vdev); @@ -362,19 +364,6 @@ static void vhost_user_blk_disconnect(DeviceState *dev) vhost_dev_cleanup(&s->dev); } -static void vhost_user_blk_event(void *opaque, QEMUChrEvent event, - bool realized); - -static void vhost_user_blk_event_realize(void *opaque, QEMUChrEvent event) -{ - vhost_user_blk_event(opaque, event, false); -} - -static void vhost_user_blk_event_oper(void *opaque, QEMUChrEvent event) -{ - vhost_user_blk_event(opaque, event, true); -} - static void vhost_user_blk_chr_closed_bh(void *opaque) { DeviceState *dev = opaque; @@ -382,12 +371,11 @@ static void vhost_user_blk_chr_closed_bh(void *opaque) VHostUserBlk *s = VHOST_USER_BLK(vdev); vhost_user_blk_disconnect(dev); - qemu_chr_fe_set_handlers(&s->chardev, NULL, NULL, - vhost_user_blk_event_oper, NULL, opaque, NULL, true); + qemu_chr_fe_set_handlers(&s->chardev, NULL, NULL, vhost_user_blk_event, + NULL, opaque, NULL, true); } -static void vhost_user_blk_event(void *opaque, QEMUChrEvent event, - bool realized) +static void vhost_user_blk_event(void *opaque, QEMUChrEvent event) { DeviceState *dev = opaque; VirtIODevice *vdev = VIRTIO_DEVICE(dev); @@ -401,17 +389,7 @@ static void vhost_user_blk_event(void *opaque, QEMUChrEvent event, } break; case CHR_EVENT_CLOSED: - /* - * Closing the connection should happen differently on device - * initialization and operation stages. - * On initalization, we want to re-start vhost_dev initialization - * from the very beginning right away when the connection is closed, - * so we clean up vhost_dev on each connection closing. - * On operation, we want to postpone vhost_dev cleanup to let the - * other code perform its own cleanup sequence using vhost_dev data - * (e.g. vhost_dev_set_log). - */ - if (realized && !runstate_check(RUN_STATE_SHUTDOWN)) { + if (!runstate_check(RUN_STATE_SHUTDOWN)) { /* * A close event may happen during a read/write, but vhost * code assumes the vhost_dev remains setup, so delay the @@ -431,8 +409,6 @@ static void vhost_user_blk_event(void *opaque, QEMUChrEvent event, * knowing its type (in this case vhost-user). */ s->dev.started = false; - } else { - vhost_user_blk_disconnect(dev); } break; case CHR_EVENT_BREAK: @@ -489,33 +465,32 @@ static void vhost_user_blk_device_realize(DeviceState *dev, Error **errp) s->vhost_vqs = g_new0(struct vhost_virtqueue, s->num_queues); s->connected = false; - qemu_chr_fe_set_handlers(&s->chardev, NULL, NULL, - vhost_user_blk_event_realize, NULL, (void *)dev, - NULL, true); - -reconnect: if (qemu_chr_fe_wait_connected(&s->chardev, errp) < 0) { goto virtio_err; } - /* check whether vhost_user_blk_connect() failed or not */ - if (!s->connected) { - goto reconnect; + if (vhost_user_blk_connect(dev) < 0) { + error_setg(errp, "vhost-user-blk: could not connect"); + qemu_chr_fe_disconnect(&s->chardev); + goto virtio_err; } + assert(s->connected); ret = vhost_dev_get_config(&s->dev, (uint8_t *)&s->blkcfg, sizeof(struct virtio_blk_config)); if (ret < 0) { - error_report("vhost-user-blk: get block config failed"); - goto reconnect; + error_setg(errp, "vhost-user-blk: get block config failed"); + goto vhost_err; } - /* we're fully initialized, now we can operate, so change the handler */ + /* we're fully initialized, now we can operate, so add the handler */ qemu_chr_fe_set_handlers(&s->chardev, NULL, NULL, - vhost_user_blk_event_oper, NULL, (void *)dev, + vhost_user_blk_event, NULL, (void *)dev, NULL, true); return; +vhost_err: + vhost_dev_cleanup(&s->dev); virtio_err: g_free(s->vhost_vqs); s->vhost_vqs = NULL; ++++++ vhost-user-blk-Fail-gracefully-on-too-la.patch ++++++ From: Kevin Wolf <[email protected]> Date: Tue, 13 Apr 2021 18:56:54 +0200 Subject: vhost-user-blk: Fail gracefully on too large queue size MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 68bf7336533faa6aa90fdd4558edddbf5d8ef814 virtio_add_queue() aborts when queue_size > VIRTQUEUE_MAX_SIZE, so vhost_user_blk_device_realize() should check this before calling it. Simple reproducer: qemu-system-x86_64 \ -chardev null,id=foo \ -device vhost-user-blk-pci,queue-size=4096,chardev=foo Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935014 Signed-off-by: Kevin Wolf <[email protected]> Message-Id: <[email protected]> Reviewed-by: Stefan Hajnoczi <[email protected]> Reviewed-by: Raphael Norwitz <[email protected]> Reviewed-by: Philippe Mathieu-Daud?? <[email protected]> Tested-by: Philippe Mathieu-Daud?? <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/block/vhost-user-blk.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/block/vhost-user-blk.c b/hw/block/vhost-user-blk.c index 0b5b9d44cdb0ed4d4a43974e7cdd..f5e9682703f3433c4b363003f90f 100644 --- a/hw/block/vhost-user-blk.c +++ b/hw/block/vhost-user-blk.c @@ -467,6 +467,11 @@ static void vhost_user_blk_device_realize(DeviceState *dev, Error **errp) error_setg(errp, "vhost-user-blk: queue size must be non-zero"); return; } + if (s->queue_size > VIRTQUEUE_MAX_SIZE) { + error_setg(errp, "vhost-user-blk: queue size must not exceed %d", + VIRTQUEUE_MAX_SIZE); + return; + } if (!vhost_user_init(&s->vhost_user, &s->chardev, errp)) { return; ++++++ vhost-user-blk-Get-more-feature-flags-fr.patch ++++++ From: Kevin Wolf <[email protected]> Date: Thu, 29 Apr 2021 19:13:14 +0200 Subject: vhost-user-blk: Get more feature flags from vhost device Git-commit: 7556a320c98812ca6648b707393f4513387faf73 VIRTIO_F_RING_PACKED and VIRTIO_F_IOMMU_PLATFORM need to be supported by the vhost device, otherwise advertising it to the guest doesn't result in a working configuration. They are currently not supported by the vhost-user-blk export in QEMU. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935020 Signed-off-by: Kevin Wolf <[email protected]> Acked-by: Raphael Norwitz <[email protected]> Message-Id: <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/block/vhost-user-blk.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/block/vhost-user-blk.c b/hw/block/vhost-user-blk.c index c0b9958da1b4e155e063fb3426d0..738e8498b4a1d650047f7190c435 100644 --- a/hw/block/vhost-user-blk.c +++ b/hw/block/vhost-user-blk.c @@ -47,6 +47,8 @@ static const int user_feature_bits[] = { VIRTIO_RING_F_INDIRECT_DESC, VIRTIO_RING_F_EVENT_IDX, VIRTIO_F_NOTIFY_ON_EMPTY, + VIRTIO_F_RING_PACKED, + VIRTIO_F_IOMMU_PLATFORM, VHOST_INVALID_FEATURE_BIT }; ++++++ vhost-user-blk-Make-sure-to-set-Error-on.patch ++++++ From: Kevin Wolf <[email protected]> Date: Thu, 29 Apr 2021 19:13:11 +0200 Subject: vhost-user-blk: Make sure to set Error on realize failure Git-commit: f26729715ef21325f972f693607580a829ad1cbb We have to set errp before jumping to virtio_err, otherwise the caller (virtio_device_realize()) will take this as success and crash when it later tries to access things that we've already freed in the error path. Fixes: 77542d431491788d1e8e79d93ce10172ef207775 Signed-off-by: Kevin Wolf <[email protected]> Message-Id: <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Reviewed-by: Eric Blake <[email protected]> Acked-by: Raphael Norwitz <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/block/vhost-user-blk.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/hw/block/vhost-user-blk.c b/hw/block/vhost-user-blk.c index f5e9682703f3433c4b363003f90f..7c85248a7b78b9d9ec8614a3b5fe 100644 --- a/hw/block/vhost-user-blk.c +++ b/hw/block/vhost-user-blk.c @@ -447,7 +447,6 @@ static void vhost_user_blk_device_realize(DeviceState *dev, Error **errp) { VirtIODevice *vdev = VIRTIO_DEVICE(dev); VHostUserBlk *s = VHOST_USER_BLK(vdev); - Error *err = NULL; int i, ret; if (!s->chardev.chr) { @@ -495,8 +494,7 @@ static void vhost_user_blk_device_realize(DeviceState *dev, Error **errp) NULL, true); reconnect: - if (qemu_chr_fe_wait_connected(&s->chardev, &err) < 0) { - error_report_err(err); + if (qemu_chr_fe_wait_connected(&s->chardev, errp) < 0) { goto virtio_err; } ++++++ virtio-Fail-if-iommu_platform-is-request.patch ++++++ From: Kevin Wolf <[email protected]> Date: Thu, 29 Apr 2021 19:13:15 +0200 Subject: virtio: Fail if iommu_platform is requested, but unsupported Git-commit: 04ceb61a4075fadbf374ef89662c41999da83489 Commit 2943b53f6 (' virtio: force VIRTIO_F_IOMMU_PLATFORM') made sure that vhost can't just reject VIRTIO_F_IOMMU_PLATFORM when it was requested. However, just adding it back to the negotiated flags isn't right either because it promises support to the guest that the device actually doesn't support. One example of a vhost-user device that doesn't have support for the flag is the vhost-user-blk export of QEMU. Instead of successfully creating a device that doesn't work, just fail to plug the device when it doesn't support the feature, but it was requested. This results in much clearer error messages. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1935019 Signed-off-by: Kevin Wolf <[email protected]> Reviewed-by: Raphael Norwitz <[email protected]> Message-Id: <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Kevin Wolf <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/virtio/virtio-bus.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/virtio/virtio-bus.c b/hw/virtio/virtio-bus.c index d6332d45c3b201d6528d84306da9..859978d24877a04ed5eaa03d060d 100644 --- a/hw/virtio/virtio-bus.c +++ b/hw/virtio/virtio-bus.c @@ -69,6 +69,11 @@ void virtio_bus_device_plugged(VirtIODevice *vdev, Error **errp) return; } + if (has_iommu && !virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM)) { + error_setg(errp, "iommu_platform=true is not supported by the device"); + return; + } + if (klass->device_plugged != NULL) { klass->device_plugged(qbus->parent, &local_err); } ++++++ virtio-blk-Fix-rollback-path-in-virtio_b.patch ++++++ From: Greg Kurz <[email protected]> Date: Wed, 7 Apr 2021 16:34:58 +0200 Subject: virtio-blk: Fix rollback path in virtio_blk_data_plane_start() Git-commit: 570fe439e5d1b8626cf344c6bc97d90cfcaf0c79 When dataplane multiqueue support was added in QEMU 2.7, the path that would rollback guest notifiers assignment in case of error simply got dropped. Later on, when Error was added to blk_set_aio_context() in QEMU 4.1, another error path was introduced, but it ommits to rollback both host and guest notifiers. It seems cleaner to fix the rollback path in one go. The patch is simple enough that it can be adjusted if backported to a pre-4.1 QEMU. Fixes: 51b04ac5c6a6 ("virtio-blk: dataplane multiqueue support") Cc: [email protected] Fixes: 97896a4887a0 ("block: Add Error to blk_set_aio_context()") Cc: [email protected] Signed-off-by: Greg Kurz <[email protected]> Reviewed-by: Stefan Hajnoczi <[email protected]> Message-Id: <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/block/dataplane/virtio-blk.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/hw/block/dataplane/virtio-blk.c b/hw/block/dataplane/virtio-blk.c index e9050c8987e7d4c8496135dd87ea..d7b5c95d26d9ec818118513b40c3 100644 --- a/hw/block/dataplane/virtio-blk.c +++ b/hw/block/dataplane/virtio-blk.c @@ -207,7 +207,7 @@ int virtio_blk_data_plane_start(VirtIODevice *vdev) virtio_bus_set_host_notifier(VIRTIO_BUS(qbus), i, false); virtio_bus_cleanup_host_notifier(VIRTIO_BUS(qbus), i); } - goto fail_guest_notifiers; + goto fail_host_notifiers; } } @@ -221,7 +221,7 @@ int virtio_blk_data_plane_start(VirtIODevice *vdev) aio_context_release(old_context); if (r < 0) { error_report_err(local_err); - goto fail_guest_notifiers; + goto fail_aio_context; } /* Process queued requests before the ones in vring */ @@ -245,6 +245,13 @@ int virtio_blk_data_plane_start(VirtIODevice *vdev) aio_context_release(s->ctx); return 0; + fail_aio_context: + for (i = 0; i < nvqs; i++) { + virtio_bus_set_host_notifier(VIRTIO_BUS(qbus), i, false); + virtio_bus_cleanup_host_notifier(VIRTIO_BUS(qbus), i); + } + fail_host_notifiers: + k->set_guest_notifiers(qbus->parent, nvqs, false); fail_guest_notifiers: /* * If we failed to set up the guest notifiers queued requests will be ++++++ virtiofsd-Fix-side-effect-in-assert.patch ++++++ From: Greg Kurz <[email protected]> Date: Fri, 9 Apr 2021 12:06:27 +0200 Subject: virtiofsd: Fix side-effect in assert() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 0adb3aff3932d05b069bd2cb13480f1611cce654 It is bad practice to put an expression with a side-effect in assert() because the side-effect won't happen if the code is compiled with -DNDEBUG. Use an intermediate variable. Consolidate this in an macro to have proper line numbers when the assertion is hit. virtiofsd: ../../tools/virtiofsd/passthrough_ll.c:2797: lo_getxattr: Assertion `fchdir_res == 0' failed. Aborted 2796 /* fchdir should not fail here */ =>2797 FCHDIR_NOFAIL(lo->proc_self_fd); 2798 ret = getxattr(procname, name, value, size); 2799 FCHDIR_NOFAIL(lo->root.fd); Fixes: bdfd66788349 ("virtiofsd: Fix xattr operations") Cc: [email protected] Signed-off-by: Greg Kurz <[email protected]> Message-Id: <[email protected]> Signed-off-by: Dr. David Alan Gilbert <[email protected]> Reviewed-by: Philippe Mathieu-Daud?? <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- tools/virtiofsd/passthrough_ll.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c index 1553d2ef454f55a3103b452841d5..6592f96f685e52fecf5703739e7d 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c @@ -2723,6 +2723,11 @@ static int xattr_map_server(const struct lo_data *lo, const char *server_name, return -ENODATA; } +#define FCHDIR_NOFAIL(fd) do { \ + int fchdir_res = fchdir(fd); \ + assert(fchdir_res == 0); \ + } while (0) + static void lo_getxattr(fuse_req_t req, fuse_ino_t ino, const char *in_name, size_t size) { @@ -2789,9 +2794,9 @@ static void lo_getxattr(fuse_req_t req, fuse_ino_t ino, const char *in_name, ret = fgetxattr(fd, name, value, size); } else { /* fchdir should not fail here */ - assert(fchdir(lo->proc_self_fd) == 0); + FCHDIR_NOFAIL(lo->proc_self_fd); ret = getxattr(procname, name, value, size); - assert(fchdir(lo->root.fd) == 0); + FCHDIR_NOFAIL(lo->root.fd); } if (ret == -1) { @@ -2864,9 +2869,9 @@ static void lo_listxattr(fuse_req_t req, fuse_ino_t ino, size_t size) ret = flistxattr(fd, value, size); } else { /* fchdir should not fail here */ - assert(fchdir(lo->proc_self_fd) == 0); + FCHDIR_NOFAIL(lo->proc_self_fd); ret = listxattr(procname, value, size); - assert(fchdir(lo->root.fd) == 0); + FCHDIR_NOFAIL(lo->root.fd); } if (ret == -1) { @@ -3000,9 +3005,9 @@ static void lo_setxattr(fuse_req_t req, fuse_ino_t ino, const char *in_name, ret = fsetxattr(fd, name, value, size, flags); } else { /* fchdir should not fail here */ - assert(fchdir(lo->proc_self_fd) == 0); + FCHDIR_NOFAIL(lo->proc_self_fd); ret = setxattr(procname, name, value, size, flags); - assert(fchdir(lo->root.fd) == 0); + FCHDIR_NOFAIL(lo->root.fd); } saverr = ret == -1 ? errno : 0; @@ -3066,9 +3071,9 @@ static void lo_removexattr(fuse_req_t req, fuse_ino_t ino, const char *in_name) ret = fremovexattr(fd, name); } else { /* fchdir should not fail here */ - assert(fchdir(lo->proc_self_fd) == 0); + FCHDIR_NOFAIL(lo->proc_self_fd); ret = removexattr(procname, name); - assert(fchdir(lo->root.fd) == 0); + FCHDIR_NOFAIL(lo->root.fd); } saverr = ret == -1 ? errno : 0;
