Hello community, here is the log from the commit of package qemu for openSUSE:Factory checked in at 2017-06-28 10:35:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qemu (Old) and /work/SRC/openSUSE:Factory/.qemu.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qemu" Wed Jun 28 10:35:00 2017 rev:124 rq:505146 version:2.9.0 Changes: -------- --- /work/SRC/openSUSE:Factory/qemu/qemu-linux-user.changes 2017-06-04 01:50:09.958112390 +0200 +++ /work/SRC/openSUSE:Factory/.qemu.new/qemu-linux-user.changes 2017-06-28 10:35:07.373253436 +0200 @@ -1,0 +2,13 @@ +Tue Jun 20 14:14:17 UTC 2017 - brog...@suse.com + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9 +* Patches added: + 0060-9pfs-local-fix-unlink-of-alien-file.patch + 0061-megasas-do-not-read-DCMD-opcode-mor.patch + 0062-megasas-always-store-SCSIRequest-in.patch + 0063-nbd-Fully-initialize-client-in-case.patch + 0064-9pfs-local-remove-use-correct-path-.patch +- Add --no-renames to the git format-patch command in the git + workflow script for better patch compatibility + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/qemu/qemu-testsuite.changes 2017-06-04 01:50:10.130088092 +0200 +++ /work/SRC/openSUSE:Factory/.qemu.new/qemu-testsuite.changes 2017-06-28 10:35:07.405248909 +0200 
@@ -1,0 +2,29 @@ +Tue Jun 20 14:14:14 UTC 2017 - brog...@suse.com + +- Use most recent compiler to build size-critical firmware, instead + of hard-coding gcc6 for all target versions (bsc#1043390) +* A few upstream ipxe patches were needed for gcc7 compatibility: + ipxe-ath-Add-missing-break-statements.patch + ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch +- Add --no-renames to the git format-patch command in the git + workflow script for better patch compatibility +- Address various security/stability issues +* Fix potential privilege escalation in virtfs (CVE-2016-9602 + bsc#1020427) + 0060-9pfs-local-fix-unlink-of-alien-file.patch +* Fix DOS in megasas device emulation (CVE-2017-9503 bsc#1043296) + 0061-megasas-do-not-read-DCMD-opcode-mor.patch + 0062-megasas-always-store-SCSIRequest-in.patch +* Fix DOS in qemu-nbd server (CVE-2017-9524 bsc#1043808) + 0063-nbd-Fully-initialize-client-in-case.patch +* Fix regression introduced by recent virtfs security fixes (bsc#1045035) + 0064-9pfs-local-remove-use-correct-path-.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9 + +------------------------------------------------------------------- +Tue Jun 6 21:21:53 UTC 2017 - l...@suse.com + +- Backport ipxe to support FirstBurstLength (bsc#1040476) + ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch + +------------------------------------------------------------------- qemu.changes: same change New: ---- 0060-9pfs-local-fix-unlink-of-alien-file.patch 0061-megasas-do-not-read-DCMD-opcode-mor.patch 0062-megasas-always-store-SCSIRequest-in.patch 0063-nbd-Fully-initialize-client-in-case.patch 0064-9pfs-local-remove-use-correct-path-.patch ipxe-ath-Add-missing-break-statements.patch ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qemu-linux-user.spec ++++++ 
--- /var/tmp/diff_new_pack.Xr0RqQ/_old 2017-06-28 10:35:08.909036162 +0200 +++ /var/tmp/diff_new_pack.Xr0RqQ/_new 2017-06-28 10:35:08.909036162 +0200 @@ -85,6 +85,11 @@ Patch0057: 0057-slirp-smb-Replace-constant-strings-.patch Patch0058: 0058-altera_timer-fix-incorrect-memset.patch Patch0059: 0059-Hacks-for-building-on-gcc-7-Fedora-.patch +Patch0060: 0060-9pfs-local-fix-unlink-of-alien-file.patch +Patch0061: 0061-megasas-do-not-read-DCMD-opcode-mor.patch +Patch0062: 0062-megasas-always-store-SCSIRequest-in.patch +Patch0063: 0063-nbd-Fully-initialize-client-in-case.patch +Patch0064: 0064-9pfs-local-remove-use-correct-path-.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. Source400: update_git.sh @@ -197,6 +202,11 @@ %patch0057 -p1 %patch0058 -p1 %patch0059 -p1 +%patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 +%patch0064 -p1 %build ./configure \ ++++++ qemu-testsuite.spec ++++++ --- /var/tmp/diff_new_pack.Xr0RqQ/_old 2017-06-28 10:35:08.933032767 +0200 +++ /var/tmp/diff_new_pack.Xr0RqQ/_new 2017-06-28 10:35:08.937032201 +0200 @@ -189,6 +189,11 @@ Patch0057: 0057-slirp-smb-Replace-constant-strings-.patch Patch0058: 0058-altera_timer-fix-incorrect-memset.patch Patch0059: 0059-Hacks-for-building-on-gcc-7-Fedora-.patch +Patch0060: 0060-9pfs-local-fix-unlink-of-alien-file.patch +Patch0061: 0061-megasas-do-not-read-DCMD-opcode-mor.patch +Patch0062: 0062-megasas-always-store-SCSIRequest-in.patch +Patch0063: 0063-nbd-Fully-initialize-client-in-case.patch +Patch0064: 0064-9pfs-local-remove-use-correct-path-.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. 
@@ -199,6 +204,9 @@ Patch1100: ipxe-stable-buildid.patch Patch1101: ipxe-use-gcc6-for-more-compact-code.patch Patch1102: ipxe-build-Avoid-implicit-fallthrough-warnings-on-GCC-7.patch +Patch1103: ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch +Patch1104: ipxe-ath-Add-missing-break-statements.patch +Patch1105: ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch # sgabios # PATCH-FIX-OPENSUSE sgabios-stable-buildid.patch brog...@suse.com -- reproducible builds @@ -237,8 +245,10 @@ BuildRequires: fdupes BuildRequires: gcc-c++ %if %{build_x86_firmware_from_source} +%if 0%{?suse_version} <= 1320 BuildRequires: gcc6 %endif +%endif BuildRequires: glib2-devel %if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315 BuildRequires: glusterfs-devel @@ -894,11 +904,21 @@ %patch0057 -p1 %patch0058 -p1 %patch0059 -p1 +%patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 +%patch0064 -p1 pushd roms/ipxe %patch1100 -p1 +%if 0%{?suse_version} <= 1320 %patch1101 -p1 +%endif %patch1102 -p1 +%patch1103 -p1 +%patch1104 -p1 +%patch1105 -p1 popd pushd roms/sgabios qemu.spec: same change ++++++ 0060-9pfs-local-fix-unlink-of-alien-file.patch ++++++ >From 85bc346e1f5d90e1be7147f982e18511304daaeb Mon Sep 17 00:00:00 2001 
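Review bot: The new `%if 0%{?suse_version} <= 1320` guard around `BuildRequires: gcc6` and around `%patch1101 -p1` evaluates to true when `suse_version` is undefined (the expression degrades to `0 <= 1320`), so a build on a non-SUSE distribution still takes the hard-coded gcc6 path rather than the "most recent compiler" path the changelog describes; if that is unintended, also test that `suse_version` is defined. The gcc6 requirement and the ipxe gcc6 patch are now gated by two copies of the same condition in different sections of the spec (and again in qemu.spec.in); defining it once as a macro would keep the two from drifting apart on the next rebase.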
From: Greg Kurz <gr...@kaod.org> Date: Thu, 25 May 2017 10:30:13 +0200 Subject: [PATCH] 9pfs: local: fix unlink of alien files in mapped-file mode When trying to remove a file from a directory, both created in non-mapped mode, the file remains and EBADF is returned to the guest. This is a regression introduced by commit "df4938a6651b 9pfs: local: unlinkat: don't follow symlinks" when fixing CVE-2016-9602. It changed the way we unlink the metadata file from ret = remove("$dir/.virtfs_metadata/$name"); if (ret < 0 && errno != ENOENT) { /* Error out */ } /* Ignore absence of metadata */ to fd = openat("$dir/.virtfs_metadata") unlinkat(fd, "$name") if (ret < 0 && errno != ENOENT) { /* Error out */ } /* Ignore absence of metadata */ If $dir was created in non-mapped mode, openat() fails with ENOENT and we pass -1 to unlinkat(), which fails in turn with EBADF. We just need to check the return of openat() and ignore ENOENT, in order to restore the behaviour we had with remove(). Signed-off-by: Greg Kurz <gr...@kaod.org> Reviewed-by: Eric Blake <ebl...@redhat.com> [groug: rewrote the comments as suggested by Eric] (cherry picked from commit 6a87e7929f97b86c5823d4616fa1aa7636b2f116) [BR: Fix and/or infrastructure for BSC#1020427 CVE-2016-9602] Signed-off-by: Bruce Rogers <brog...@suse.com> --- hw/9pfs/9p-local.c | 34 +++++++++++++++------------------- 1 file changed, 15 insertions(+), 19 deletions(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index a2486566af..226234d386 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c 
@@ -992,6 +992,14 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name, if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { int map_dirfd; + /* We need to remove the metadata as well: + * - the metadata directory if we're removing a directory + * - the metadata file in the parent's metadata directory + * + * If any of these are missing (ie, ENOENT) then we're probably + * trying to remove something that wasn't created in mapped-file + * mode. We just ignore the error. + */ if (flags == AT_REMOVEDIR) { int fd; @@ -999,32 +1007,20 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name, if (fd == -1) { goto err_out; } - /* - * If directory remove .virtfs_metadata contained in the - * directory - */ ret = unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR); close_preserve_errno(fd); if (ret < 0 && errno != ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file created - * in non-mapped mode ?. Ignore ENOENT. - */ goto err_out; } } - /* - * Now remove the name from parent directory - * .virtfs_metadata directory. - */ map_dirfd = openat_dir(dirfd, VIRTFS_META_DIR); - ret = unlinkat(map_dirfd, name, 0); - close_preserve_errno(map_dirfd); - if (ret < 0 && errno != ENOENT) { - /* - * We didn't had the .virtfs_metadata file. May be file created - * in non-mapped mode ?. Ignore ENOENT. - */ + if (map_dirfd != -1) { + ret = unlinkat(map_dirfd, name, 0); + close_preserve_errno(map_dirfd); + if (ret < 0 && errno != ENOENT) { + goto err_out; + } + } else if (errno != ENOENT) { goto err_out; } } ++++++ 0061-megasas-do-not-read-DCMD-opcode-mor.patch ++++++ >From e0653c80373f056fa0bd72fb9aef161dac13b1cf Mon Sep 17 00:00:00 2001 From: Paolo Bonzini <pbonz...@redhat.com> Date: Mon, 19 Jun 2017 16:36:08 -0600 Subject: [PATCH] megasas: do not read DCMD opcode more than once from frame Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> [BR: BSC#1043296 CVE-2017-9503] 
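Review bot: In the second hw/9pfs/9p-local.c hunk the new `} else if (errno != ENOENT) {` branch depends on errno still holding the value set by the failed `openat_dir(dirfd, VIRTFS_META_DIR)`; that is true as written because nothing executes between the call and the test, but a short comment there (or a saved errno) would stop a future insertion such as a trace call from silently turning a genuine open failure into an ignored one. Since the message describes this as a regression introduced by the CVE-2016-9602 fix, the backport would also benefit from a test that removes a file from a directory created in non-mapped mode while the export runs in mapped-file mode, so the EBADF path stays covered.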
Signed-off-by: Bruce Rogers <brog...@suse.com> --- hw/scsi/megasas.c | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index 804122ab05..887958481b 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -63,6 +63,7 @@ typedef struct MegasasCmd { hwaddr pa; hwaddr pa_size; + uint32_t dcmd_opcode; union mfi_frame *frame; SCSIRequest *req; QEMUSGList qsg; @@ -511,6 +512,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s, cmd->context &= (uint64_t)0xFFFFFFFF; } cmd->count = count; + cmd->dcmd_opcode = -1; s->busy++; if (s->consumer_pa) { @@ -1559,22 +1561,21 @@ static const struct dcmd_cmd_tbl_t { static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) { - int opcode; int retval = 0; size_t len; const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl; - opcode = le32_to_cpu(cmd->frame->dcmd.opcode); - trace_megasas_handle_dcmd(cmd->index, opcode); + cmd->dcmd_opcode = le32_to_cpu(cmd->frame->dcmd.opcode); + trace_megasas_handle_dcmd(cmd->index, cmd->dcmd_opcode); if (megasas_map_dcmd(s, cmd) < 0) { return MFI_STAT_MEMORY_NOT_AVAILABLE; } - while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) { + while (cmdptr->opcode != -1 && cmdptr->opcode != cmd->dcmd_opcode) { cmdptr++; } len = cmd->iov_size; if (cmdptr->opcode == -1) { - trace_megasas_dcmd_unhandled(cmd->index, opcode, len); + trace_megasas_dcmd_unhandled(cmd->index, cmd->dcmd_opcode, len); retval = megasas_dcmd_dummy(s, cmd); } else { trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len); 
@@ -1589,13 +1590,11 @@ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) static int megasas_finish_internal_dcmd(MegasasCmd *cmd, SCSIRequest *req) { - int opcode; int retval = MFI_STAT_OK; int lun = req->lun; - opcode = le32_to_cpu(cmd->frame->dcmd.opcode); - trace_megasas_dcmd_internal_finish(cmd->index, opcode, lun); - switch (opcode) { + trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun); + switch (cmd->dcmd_opcode) { case MFI_DCMD_PD_GET_INFO: retval = megasas_pd_get_info_submit(req->dev, lun, cmd); break; @@ -1603,7 +1602,7 @@ static int megasas_finish_internal_dcmd(MegasasCmd *cmd, retval = megasas_ld_get_info_submit(req->dev, lun, cmd); break; default: - trace_megasas_dcmd_internal_invalid(cmd->index, opcode); + trace_megasas_dcmd_internal_invalid(cmd->index, cmd->dcmd_opcode); retval = MFI_STAT_INVALID_DCMD; break; } @@ -1824,7 +1823,6 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len) { MegasasCmd *cmd = req->hba_private; uint8_t *buf; - uint32_t opcode; trace_megasas_io_complete(cmd->index, len); @@ -1834,8 +1832,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len) } buf = scsi_req_get_buf(req); - opcode = le32_to_cpu(cmd->frame->dcmd.opcode); - if (opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) { + if (cmd->dcmd_opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) { struct mfi_pd_info *info = cmd->iov_buf; if (info->inquiry_data[0] == 0x7f) { @@ -1846,7 +1843,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len) memcpy(info->vpd_page83, buf, len); } scsi_req_continue(req); - } else if (opcode == MFI_DCMD_LD_GET_INFO) { + } else if (cmd->dcmd_opcode == MFI_DCMD_LD_GET_INFO) { struct mfi_ld_info *info = cmd->iov_buf; if (cmd->iov_buf) { ++++++ 0062-megasas-always-store-SCSIRequest-in.patch ++++++ >From 0199dd521a16bff213ee66fe1fb257790006237f Mon Sep 17 00:00:00 2001 
From: Paolo Bonzini <pbonz...@redhat.com> Date: Sat, 10 Jun 2017 14:04:51 -0600 Subject: [PATCH] megasas: always store SCSIRequest* into MegasasCmd This ensures that the request is unref'ed properly, and avoids a segmentation fault in the new qtest testcase that is added. Reported-by: Zhangyanyu <zyy4...@stu.ouc.edu.cn> Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> [BR: BSC#1043296 CVE-2017-9503, dropped testcase from patch] Signed-off-by: Bruce Rogers <brog...@suse.com> --- hw/scsi/megasas.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c index 887958481b..a0cafe3010 100644 --- a/hw/scsi/megasas.c +++ b/hw/scsi/megasas.c @@ -607,6 +607,9 @@ static void megasas_reset_frames(MegasasState *s) static void megasas_abort_command(MegasasCmd *cmd) { /* Never abort internal commands. */ + if (cmd->dcmd_opcode != -1) { + return; + } if (cmd->req != NULL) { scsi_req_cancel(cmd->req); } @@ -1014,7 +1017,6 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun, uint64_t pd_size; uint16_t pd_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF); uint8_t cmdbuf[6]; - SCSIRequest *req; size_t len, resid; if (!cmd->iov_buf) { @@ -1023,8 +1025,8 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun, info->inquiry_data[0] = 0x7f; /* Force PQual 0x3, PType 0x1f */ info->vpd_page83[0] = 0x7f; megasas_setup_inquiry(cmdbuf, 0, sizeof(info->inquiry_data)); - req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); - if (!req) { + cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); + if (!cmd->req) { trace_megasas_dcmd_req_alloc_failed(cmd->index, "PD get info std inquiry"); g_free(cmd->iov_buf); 
@@ -1033,26 +1035,26 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun, } trace_megasas_dcmd_internal_submit(cmd->index, "PD get info std inquiry", lun); - len = scsi_req_enqueue(req); + len = scsi_req_enqueue(cmd->req); if (len > 0) { cmd->iov_size = len; - scsi_req_continue(req); + scsi_req_continue(cmd->req); } return MFI_STAT_INVALID_STATUS; } else if (info->inquiry_data[0] != 0x7f && info->vpd_page83[0] == 0x7f) { megasas_setup_inquiry(cmdbuf, 0x83, sizeof(info->vpd_page83)); - req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); - if (!req) { + cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); + if (!cmd->req) { trace_megasas_dcmd_req_alloc_failed(cmd->index, "PD get info vpd inquiry"); return MFI_STAT_FLASH_ALLOC_FAIL; } trace_megasas_dcmd_internal_submit(cmd->index, "PD get info vpd inquiry", lun); - len = scsi_req_enqueue(req); + len = scsi_req_enqueue(cmd->req); if (len > 0) { cmd->iov_size = len; - scsi_req_continue(req); + scsi_req_continue(cmd->req); } return MFI_STAT_INVALID_STATUS; } @@ -1214,7 +1216,6 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun, struct mfi_ld_info *info = cmd->iov_buf; size_t dcmd_size = sizeof(struct mfi_ld_info); uint8_t cdb[6]; - SCSIRequest *req; ssize_t len, resid; uint16_t sdev_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF); uint64_t ld_size; @@ -1223,8 +1224,8 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun, cmd->iov_buf = g_malloc0(dcmd_size); info = cmd->iov_buf; megasas_setup_inquiry(cdb, 0x83, sizeof(info->vpd_page83)); - req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd); - if (!req) { + cmd->req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd); + if (!cmd->req) { trace_megasas_dcmd_req_alloc_failed(cmd->index, "LD get info vpd inquiry"); g_free(cmd->iov_buf); 
@@ -1233,10 +1234,10 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun, } trace_megasas_dcmd_internal_submit(cmd->index, "LD get info vpd inquiry", lun); - len = scsi_req_enqueue(req); + len = scsi_req_enqueue(cmd->req); if (len > 0) { cmd->iov_size = len; - scsi_req_continue(req); + scsi_req_continue(cmd->req); } return MFI_STAT_INVALID_STATUS; } @@ -1865,7 +1866,7 @@ static void megasas_command_complete(SCSIRequest *req, uint32_t status, return; } - if (cmd->req == NULL) { + if (cmd->dcmd_opcode != -1) { /* * Internal command complete */ ++++++ 0063-nbd-Fully-initialize-client-in-case.patch ++++++ >From 94301dd6735f540dc9f6e01943fda914c4bbef8a Mon Sep 17 00:00:00 2001 
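Review bot: The megasas_abort_command hunk returns early whenever `cmd->dcmd_opcode != -1`, so a guest-issued abort can no longer cancel an internal inquiry request that is now stored in `cmd->req`; that is consistent with the "Never abort internal commands" comment, but it relies on the sentinel set in megasas_enqueue_frame by the previous patch, so the two patches must stay together in the queue. In megasas_command_complete the internal-command test moves from `cmd->req == NULL` to `cmd->dcmd_opcode != -1`, which is what makes storing the request for internal commands safe; please confirm the unref of `cmd->req` is reached on both the internal and the guest-command branch. The SUSE header notes the qtest case was dropped from this backport, so the segfault reproducer is not exercised here; a reference to the upstream test in the header would help the next rebase.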
From: Eric Blake <ebl...@redhat.com> Date: Fri, 26 May 2017 22:04:21 -0500 Subject: [PATCH] nbd: Fully initialize client in case of failed negotiation If a non-NBD client connects to qemu-nbd, we would end up with a SIGSEGV in nbd_client_put() because we were trying to unregister the client's association to the export, even though we skipped inserting the client into that list. Easy trigger in two terminals: $ qemu-nbd -p 30001 --format=raw file $ nmap 127.0.0.1 -p 30001 nmap claims that it thinks it connected to a pago-services1 server (which probably means nmap could be updated to learn the NBD protocol and give a more accurate diagnosis of the open port - but that's not our problem), then terminates immediately, so our call to nbd_negotiate() fails. The fix is to reorder nbd_co_client_start() to ensure that all initialization occurs before we ever try talking to a client in nbd_negotiate(), so that the teardown sequence on negotiation failure doesn't fault while dereferencing a half-initialized object. While debugging this, I also noticed that nbd_update_server_watch() called by nbd_client_closed() was still adding a channel to accept the next client, even when the state was no longer RUNNING. That is fixed by making nbd_can_accept() pay attention to the current state. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614 Signed-off-by: Eric Blake <ebl...@redhat.com> Message-Id: <20170527030421.28366-1-ebl...@redhat.com> Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> (cherry picked from commit df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af) [BR: BSC#1043808 CVE-2017-9524] Signed-off-by: Bruce Rogers <brog...@suse.com> --- nbd/server.c | 8 +++----- qemu-nbd.c | 2 +- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/nbd/server.c b/nbd/server.c index 924a1fe2db..edfda84d43 100644 --- a/nbd/server.c +++ b/nbd/server.c 
@@ -1376,16 +1376,14 @@ static coroutine_fn void nbd_co_client_start(void *opaque) if (exp) { nbd_export_get(exp); + QTAILQ_INSERT_TAIL(&exp->clients, client, next); } + qemu_co_mutex_init(&client->send_lock); + if (nbd_negotiate(data)) { client_close(client); goto out; } - qemu_co_mutex_init(&client->send_lock); - - if (exp) { - QTAILQ_INSERT_TAIL(&exp->clients, client, next); - } nbd_client_receive_next_request(client); diff --git a/qemu-nbd.c b/qemu-nbd.c index e080fb7c75..b44764eb87 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c @@ -324,7 +324,7 @@ out: static int nbd_can_accept(void) { - return nb_fds < shared; + return state == RUNNING && nb_fds < shared; } static void nbd_export_closed(NBDExport *exp) ++++++ 0064-9pfs-local-remove-use-correct-path-.patch ++++++ >From d8ebbbc6a85bc9a6a6e194564719e43a51ec2e86 Mon Sep 17 00:00:00 2001 From: Bruce Rogers <brog...@suse.com> Date: Mon, 19 Jun 2017 14:48:02 -0600 Subject: [PATCH] 9pfs: local: remove: use correct path component Commit a0e640a8 introduced a path processing error. Pass fstatat the dirpath based path component instead of the entire path. [BR: BSC#1045035] Signed-off-by: Bruce Rogers <brog...@suse.com> --- hw/9pfs/9p-local.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c index 226234d386..47f6d9ec99 100644 --- a/hw/9pfs/9p-local.c +++ b/hw/9pfs/9p-local.c @@ -1044,7 +1044,7 @@ static int local_remove(FsContext *ctx, const char *path) goto out; } - if (fstatat(dirfd, path, &stbuf, AT_SYMLINK_NOFOLLOW) < 0) { + if (fstatat(dirfd, name, &stbuf, AT_SYMLINK_NOFOLLOW) < 0) { goto err_out; } ++++++ ipxe-ath-Add-missing-break-statements.patch ++++++ >From 45f2265bfcbbf2afd7fac24372ae26e453f2b52d Mon Sep 17 00:00:00 2001 From: Michael Brown <mc...@ipxe.org> Date: Wed, 22 Mar 2017 11:52:09 +0200 Subject: [PATCH] [ath] Add missing break statements Signed-off-by: Michael Brown <mc...@ipxe.org> 
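Review bot: In the nbd_co_client_start hunk `QTAILQ_INSERT_TAIL(&exp->clients, client, next);` and `qemu_co_mutex_init(&client->send_lock);` now both run before `nbd_negotiate(data)`, so a client that fails negotiation is briefly listed on the export; that is intentional, since `client_close(client)` on the failure path unregisters it, and it is what removes the fault in nbd_client_put() described in the message. A comment at the insert site saying the list entry must exist before negotiation so the error path can always tear it down symmetrically would keep someone from "optimising" the order back. For the qemu-nbd.c hunk, `return state == RUNNING && nb_fds < shared;` closes the accept-after-shutdown window; the reproducer in the message (a client that connects and disconnects without speaking NBD) is a good basis for a regression test.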
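Review bot: The local_remove hunk changes the lookup from `fstatat(dirfd, path, ...)` to `fstatat(dirfd, name, ...)`, which is the correct argument for a `dirfd`-relative call; passing the full export-relative path against `dirfd` only works for files at the export root, which matches the regression in bsc#1045035. Please check that the remaining `dirfd`-relative calls in the same function already use `name`, and add a test that removes a file nested at least one directory deep, since a root-level file would not have exposed this.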
Signed-off-by: Bruce Rogers <brog...@suse.com> --- src/drivers/net/ath/ath5k/ath5k_desc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/drivers/net/ath/ath5k/ath5k_desc.c b/src/drivers/net/ath/ath5k/ath5k_desc.c index 30fe1c77..816d26ed 100644 --- a/src/drivers/net/ath/ath5k/ath5k_desc.c +++ b/src/drivers/net/ath/ath5k/ath5k_desc.c @@ -104,10 +104,13 @@ ath5k_hw_setup_2word_tx_desc(struct ath5k_hw *ah, struct ath5k_desc *desc, case AR5K_PKT_TYPE_BEACON: case AR5K_PKT_TYPE_PROBE_RESP: frame_type = AR5K_AR5210_TX_DESC_FRAME_TYPE_NO_DELAY; + break; case AR5K_PKT_TYPE_PIFS: frame_type = AR5K_AR5210_TX_DESC_FRAME_TYPE_PIFS; + break; default: frame_type = type /*<< 2 ?*/; + break; } tx_ctl->tx_control_0 |= -- 2.12.2 ++++++ ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch ++++++ >From 08a98a925917dc2445d098c3ce9a2d2d8b8acda4 Mon Sep 17 00:00:00 2001 From: Michael Brown <mc...@ipxe.org> Date: Wed, 3 May 2017 13:01:11 +0100 Subject: [PATCH 2/2] [iscsi] Always send FirstBurstLength parameter As of kernel 4.11, the LIO target will propose a value for FirstBurstLength if the initiator did not do so. This is entirely redundant in our case, since FirstBurstLength is defined by RFC 3720 to be "Irrelevant when: ( InitialR2T=Yes and ImmediateData=No )" and we already enforce both InitialR2T=Yes and ImmediateData=No in our initial proposal. However, LIO (arguably correctly) complains when we do not respond to its redundant proposal of an already-irrelevant value. Fix by always proposing the default value for FirstBurstLength. Debugged-by: Patrick Seeburger <i...@8bit.de> Tested-by: Patrick Seeburger <i...@8bit.de> Signed-off-by: Michael Brown <mc...@ipxe.org> [BR: BSC#1040476] Signed-off-by: Liang Yan <l...@suse.com> --- src/net/tcp/iscsi.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/net/tcp/iscsi.c b/src/net/tcp/iscsi.c index 6da8570c..aa30efda 100644 --- a/src/net/tcp/iscsi.c +++ b/src/net/tcp/iscsi.c 
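Review bot: The three added `break;` statements in ath5k_hw_setup_2word_tx_desc are a behaviour change, not only a warning fix: before them, BEACON and PROBE_RESP fell through to the PIFS assignment and PIFS fell through to `default`, so every listed case ended up with the default `frame_type`; the patch header should say so. The default arm still reads `frame_type = type /*<< 2 ?*/;`, leaving an unresolved question in a comment; if the shift is known to be unnecessary, drop the comment, otherwise track it in a follow-up.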
@@ -434,12 +434,12 @@ static int iscsi_tx_data_out ( struct iscsi_session *iscsi ) { * * HeaderDigest=None * DataDigest=None - * MaxConnections is irrelevant; we make only one connection anyway [4] + * MaxConnections=1 (irrelevant; we make only one connection anyway) [4] * InitialR2T=Yes [1] - * ImmediateData is irrelevant; we never send immediate data [4] + * ImmediateData=No (irrelevant; we never send immediate data) [4] * MaxRecvDataSegmentLength=8192 (default; we don't care) [3] * MaxBurstLength=262144 (default; we don't care) [3] - * FirstBurstLength=262144 (default; we don't care) + * FirstBurstLength=65536 (irrelevant due to other settings) [5] * DefaultTime2Wait=0 [2] * DefaultTime2Retain=0 [2] * MaxOutstandingR2T=1 @@ -464,6 +464,11 @@ static int iscsi_tx_data_out ( struct iscsi_session *iscsi ) { * these parameters, but some targets (notably a QNAP TS-639Pro) fail * unless they are supplied, so we explicitly specify the default * values. + * + * [5] FirstBurstLength is defined to be irrelevant since we already + * force InitialR2T=Yes and ImmediateData=No, but some targets + * (notably LIO as of kernel 4.11) fail unless it is specified, so we + * explicitly specify the default value. */ static int iscsi_build_login_request_strings ( struct iscsi_session *iscsi, void *data, size_t len ) { @@ -526,13 +531,14 @@ static int iscsi_build_login_request_strings ( struct iscsi_session *iscsi, "ImmediateData=No%c" "MaxRecvDataSegmentLength=8192%c" "MaxBurstLength=262144%c" + "FirstBurstLength=65536%c" "DefaultTime2Wait=0%c" "DefaultTime2Retain=0%c" "MaxOutstandingR2T=1%c" "DataPDUInOrder=Yes%c" "DataSequenceInOrder=Yes%c" "ErrorRecoveryLevel=0%c", - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ); + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ); } return used; -- 2.13.0 ++++++ ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch ++++++ >From 28e26dd2503e6006fabb26f8c33050ba93a99623 Mon Sep 17 00:00:00 2001 
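Review bot: In the iscsi_build_login_request_strings hunk the new `"FirstBurstLength=65536%c"` adds one `%c` to the format, and the argument list grows from 13 to 14 zeros to match; that pairing is easy to break on a later edit, so consider producing the NUL separators with a small helper instead of a counted list. The comment hunk also corrects the documented default from 262144 to 65536, which agrees with the RFC 3720 default and with the value now sent.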
From: Michael Brown <mc...@ipxe.org> Date: Wed, 29 Mar 2017 10:35:05 +0300 Subject: [PATCH] [mucurses] Fix erroneous __nonnull attribute Signed-off-by: Michael Brown <mc...@ipxe.org> Signed-off-by: Bruce Rogers <brog...@suse.com> --- src/include/curses.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/include/curses.h b/src/include/curses.h index 04060fe2..1f6fe029 100644 --- a/src/include/curses.h +++ b/src/include/curses.h @@ -443,7 +443,8 @@ extern int wborder ( WINDOW *, chtype, chtype, chtype, chtype, chtype, chtype, extern int wclrtobot ( WINDOW * ) __nonnull; extern int wclrtoeol ( WINDOW * ) __nonnull; extern void wcursyncup ( WINDOW * ); -extern int wcolour_set ( WINDOW *, short, void * ) __nonnull; +extern int wcolour_set ( WINDOW *, short, void * ) + __attribute__ (( nonnull (1))); #define wcolor_set(w,s,v) wcolour_set((w),(s),(v)) extern int wdelch ( WINDOW * ) __nonnull; extern int wdeleteln ( WINDOW * ) __nonnull; -- 2.12.2 ++++++ qemu.spec.in ++++++ --- /var/tmp/diff_new_pack.Xr0RqQ/_old 2017-06-28 10:35:09.460958080 +0200 +++ /var/tmp/diff_new_pack.Xr0RqQ/_new 2017-06-28 10:35:09.460958080 +0200 @@ -141,6 +141,9 @@ Patch1100: ipxe-stable-buildid.patch Patch1101: ipxe-use-gcc6-for-more-compact-code.patch Patch1102: ipxe-build-Avoid-implicit-fallthrough-warnings-on-GCC-7.patch +Patch1103: ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch +Patch1104: ipxe-ath-Add-missing-break-statements.patch +Patch1105: ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch # sgabios # PATCH-FIX-OPENSUSE sgabios-stable-buildid.patch brog...@suse.com -- reproducible builds @@ -179,8 +182,10 @@ BuildRequires: fdupes BuildRequires: gcc-c++ %if %{build_x86_firmware_from_source} +%if 0%{?suse_version} <= 1320 BuildRequires: gcc6 %endif +%endif BuildRequires: glib2-devel %if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315 BuildRequires: glusterfs-devel 
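Review bot: Replacing `__nonnull` on wcolour_set with `__attribute__ (( nonnull (1)))` narrows the contract to the WINDOW argument only, which is right because the third `void *` parameter is normally passed as NULL; with the blanket attribute, the compiler is entitled to assume that argument is never NULL and to warn on, or drop checks around, such callers. A one-line comment on the declaration explaining why this prototype differs from its `__nonnull` neighbours would save the next reader a trip to the history.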
@@ -781,8 +786,13 @@ pushd roms/ipxe %patch1100 -p1 +%if 0%{?suse_version} <= 1320 %patch1101 -p1 +%endif %patch1102 -p1 +%patch1103 -p1 +%patch1104 -p1 +%patch1105 -p1 popd pushd roms/sgabios ++++++ update_git.sh ++++++ --- /var/tmp/diff_new_pack.Xr0RqQ/_old 2017-06-28 10:35:09.552945066 +0200 +++ /var/tmp/diff_new_pack.Xr0RqQ/_new 2017-06-28 10:35:09.552945066 +0200 @@ -45,7 +45,7 @@ (cd $GIT_DIR && git remote add upstream git://git.qemu-project.org/qemu.git) (cd $GIT_DIR && git remote update) fi -(cd $GIT_DIR && git format-patch -N $GIT_UPSTREAM_TAG --suffix= -o $CMP_DIR >/dev/null) +(cd $GIT_DIR && git format-patch -N $GIT_UPSTREAM_TAG --suffix= -o $CMP_DIR --no-renames >/dev/null) QEMU_VERSION=`cat $GIT_DIR/VERSION` echo "QEMU version: $QEMU_VERSION"
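Review bot: In the update_git.sh hunk, `--no-renames` is placed after `-o $CMP_DIR`, which works but reads as though it belonged to `-o`; putting it next to `-N` keeps the format-patch flags together. The changelog gives the reason as "better patch compatibility"; a one-line comment above the command saying that rename-style diffs are avoided so the spec's `%patch -pN` can apply every file as a plain add/delete would record the intent in the script itself.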