Hello community,

here is the log from the commit of package qemu for openSUSE:Factory checked in 
at 2017-06-28 10:35:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/qemu (Old)
 and      /work/SRC/openSUSE:Factory/.qemu.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "qemu"

Wed Jun 28 10:35:00 2017 rev:124 rq:505146 version:2.9.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/qemu/qemu-linux-user.changes     2017-06-04 
01:50:09.958112390 +0200
+++ /work/SRC/openSUSE:Factory/.qemu.new/qemu-linux-user.changes        
2017-06-28 10:35:07.373253436 +0200
@@ -1,0 +2,13 @@
+Tue Jun 20 14:14:17 UTC 2017 - brog...@suse.com
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
+* Patches added:
+  0060-9pfs-local-fix-unlink-of-alien-file.patch
+  0061-megasas-do-not-read-DCMD-opcode-mor.patch
+  0062-megasas-always-store-SCSIRequest-in.patch
+  0063-nbd-Fully-initialize-client-in-case.patch
+  0064-9pfs-local-remove-use-correct-path-.patch
+- Add --no-renames to the git format-patch command in the git
+  workflow script for better patch compatibility
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/qemu/qemu-testsuite.changes      2017-06-04 
01:50:10.130088092 +0200
+++ /work/SRC/openSUSE:Factory/.qemu.new/qemu-testsuite.changes 2017-06-28 
10:35:07.405248909 +0200
@@ -1,0 +2,29 @@
+Tue Jun 20 14:14:14 UTC 2017 - brog...@suse.com
+
+- Use most recent compiler to build size-critical firmware, instead
+  of hard-coding gcc6 for all target versions (bsc#1043390)
+* A few upstream ipxe patches were needed for gcc7 compatibility:
+  ipxe-ath-Add-missing-break-statements.patch
+  ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch
+- Add --no-renames to the git format-patch command in the git
+  workflow script for better patch compatibility
+- Address various security/stability issues
+* Fix potential privilege escalation in virtfs (CVE-2016-9602
+  bsc#1020427)
+  0060-9pfs-local-fix-unlink-of-alien-file.patch
+* Fix DOS in megasas device emulation (CVE-2017-9503 bsc#1043296)
+  0061-megasas-do-not-read-DCMD-opcode-mor.patch
+  0062-megasas-always-store-SCSIRequest-in.patch
+* Fix DOS in qemu-nbd server (CVE-2017-9524 bsc#1043808)
+  0063-nbd-Fully-initialize-client-in-case.patch
+* Fix regression introduced by recent virtfs security fixes (bsc#1045035)
+  0064-9pfs-local-remove-use-correct-path-.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
+
+-------------------------------------------------------------------
+Tue Jun  6 21:21:53 UTC 2017 - l...@suse.com
+
+- Backport ipxe to support FirstBurstLength (bsc#1040476)
+  ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch 
+
+-------------------------------------------------------------------
qemu.changes: same change

New:
----
  0060-9pfs-local-fix-unlink-of-alien-file.patch
  0061-megasas-do-not-read-DCMD-opcode-mor.patch
  0062-megasas-always-store-SCSIRequest-in.patch
  0063-nbd-Fully-initialize-client-in-case.patch
  0064-9pfs-local-remove-use-correct-path-.patch
  ipxe-ath-Add-missing-break-statements.patch
  ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch
  ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ qemu-linux-user.spec ++++++
--- /var/tmp/diff_new_pack.Xr0RqQ/_old  2017-06-28 10:35:08.909036162 +0200
+++ /var/tmp/diff_new_pack.Xr0RqQ/_new  2017-06-28 10:35:08.909036162 +0200
@@ -85,6 +85,11 @@
 Patch0057:      0057-slirp-smb-Replace-constant-strings-.patch
 Patch0058:      0058-altera_timer-fix-incorrect-memset.patch
 Patch0059:      0059-Hacks-for-building-on-gcc-7-Fedora-.patch
+Patch0060:      0060-9pfs-local-fix-unlink-of-alien-file.patch
+Patch0061:      0061-megasas-do-not-read-DCMD-opcode-mor.patch
+Patch0062:      0062-megasas-always-store-SCSIRequest-in.patch
+Patch0063:      0063-nbd-Fully-initialize-client-in-case.patch
+Patch0064:      0064-9pfs-local-remove-use-correct-path-.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 Source400:      update_git.sh
@@ -197,6 +202,11 @@
 %patch0057 -p1
 %patch0058 -p1
 %patch0059 -p1
+%patch0060 -p1
+%patch0061 -p1
+%patch0062 -p1
+%patch0063 -p1
+%patch0064 -p1
 
 %build
 ./configure \

++++++ qemu-testsuite.spec ++++++
--- /var/tmp/diff_new_pack.Xr0RqQ/_old  2017-06-28 10:35:08.933032767 +0200
+++ /var/tmp/diff_new_pack.Xr0RqQ/_new  2017-06-28 10:35:08.937032201 +0200
@@ -189,6 +189,11 @@
 Patch0057:      0057-slirp-smb-Replace-constant-strings-.patch
 Patch0058:      0058-altera_timer-fix-incorrect-memset.patch
 Patch0059:      0059-Hacks-for-building-on-gcc-7-Fedora-.patch
+Patch0060:      0060-9pfs-local-fix-unlink-of-alien-file.patch
+Patch0061:      0061-megasas-do-not-read-DCMD-opcode-mor.patch
+Patch0062:      0062-megasas-always-store-SCSIRequest-in.patch
+Patch0063:      0063-nbd-Fully-initialize-client-in-case.patch
+Patch0064:      0064-9pfs-local-remove-use-correct-path-.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -199,6 +204,9 @@
 Patch1100:      ipxe-stable-buildid.patch
 Patch1101:      ipxe-use-gcc6-for-more-compact-code.patch
 Patch1102:      ipxe-build-Avoid-implicit-fallthrough-warnings-on-GCC-7.patch
+Patch1103:      ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch
+Patch1104:      ipxe-ath-Add-missing-break-statements.patch
+Patch1105:      ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch 
 
 # sgabios
 # PATCH-FIX-OPENSUSE sgabios-stable-buildid.patch brog...@suse.com -- 
reproducible builds
@@ -237,8 +245,10 @@
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 %if %{build_x86_firmware_from_source}
+%if 0%{?suse_version} <= 1320
 BuildRequires:  gcc6
 %endif
+%endif
 BuildRequires:  glib2-devel
 %if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315
 BuildRequires:  glusterfs-devel
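Review bot: The compiler cutoff `0%{?suse_version} <= 1320` is written as a literal here and again on the `%patch1101` guard later in the same spec, so the two can drift apart on the next bump and leave gcc6 required but the gcc6 ipxe patch unapplied, or the reverse. Setting a single flag once, e.g. `%if 0%{?suse_version} <= 1320` / `%define ipxe_gcc6 1` / `%endif`, and testing `%if 0%{?ipxe_gcc6}` at both sites keeps the BuildRequires and the patch application in lockstep. The same pair of literals is duplicated in qemu.spec.in and would want the same treatment there.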
@@ -894,11 +904,21 @@
 %patch0057 -p1
 %patch0058 -p1
 %patch0059 -p1
+%patch0060 -p1
+%patch0061 -p1
+%patch0062 -p1
+%patch0063 -p1
+%patch0064 -p1
 
 pushd roms/ipxe
 %patch1100 -p1
+%if 0%{?suse_version} <= 1320
 %patch1101 -p1
+%endif
 %patch1102 -p1
+%patch1103 -p1
+%patch1104 -p1
+%patch1105 -p1
 popd
 
 pushd roms/sgabios

qemu.spec: same change
++++++ 0060-9pfs-local-fix-unlink-of-alien-file.patch ++++++
>From 85bc346e1f5d90e1be7147f982e18511304daaeb Mon Sep 17 00:00:00 2001
From: Greg Kurz <gr...@kaod.org>
Date: Thu, 25 May 2017 10:30:13 +0200
Subject: [PATCH] 9pfs: local: fix unlink of alien files in mapped-file mode

When trying to remove a file from a directory, both created in non-mapped
mode, the file remains and EBADF is returned to the guest.

This is a regression introduced by commit "df4938a6651b 9pfs: local:
unlinkat: don't follow symlinks" when fixing CVE-2016-9602. It changed the
way we unlink the metadata file from

    ret = remove("$dir/.virtfs_metadata/$name");
    if (ret < 0 && errno != ENOENT) {
         /* Error out */
    }
    /* Ignore absence of metadata */

to

    fd = openat("$dir/.virtfs_metadata")
    unlinkat(fd, "$name")
    if (ret < 0 && errno != ENOENT) {
         /* Error out */
    }
    /* Ignore absence of metadata */

If $dir was created in non-mapped mode, openat() fails with ENOENT and
we pass -1 to unlinkat(), which fails in turn with EBADF.

We just need to check the return of openat() and ignore ENOENT, in order
to restore the behaviour we had with remove().

Signed-off-by: Greg Kurz <gr...@kaod.org>
Reviewed-by: Eric Blake <ebl...@redhat.com>
[groug: rewrote the comments as suggested by Eric]
(cherry picked from commit 6a87e7929f97b86c5823d4616fa1aa7636b2f116)
[BR: Fix and/or infrastructure for BSC#1020427 CVE-2016-9602]
Signed-off-by: Bruce Rogers <brog...@suse.com>
---
 hw/9pfs/9p-local.c | 34 +++++++++++++++-------------------
 1 file changed, 15 insertions(+), 19 deletions(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index a2486566af..226234d386 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -992,6 +992,14 @@ static int local_unlinkat_common(FsContext *ctx, int 
dirfd, const char *name,
     if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
         int map_dirfd;
 
+        /* We need to remove the metadata as well:
+         * - the metadata directory if we're removing a directory
+         * - the metadata file in the parent's metadata directory
+         *
+         * If any of these are missing (ie, ENOENT) then we're probably
+         * trying to remove something that wasn't created in mapped-file
+         * mode. We just ignore the error.
+         */
         if (flags == AT_REMOVEDIR) {
             int fd;
 
@@ -999,32 +1007,20 @@ static int local_unlinkat_common(FsContext *ctx, int 
dirfd, const char *name,
             if (fd == -1) {
                 goto err_out;
             }
-            /*
-             * If directory remove .virtfs_metadata contained in the
-             * directory
-             */
             ret = unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR);
             close_preserve_errno(fd);
             if (ret < 0 && errno != ENOENT) {
-                /*
-                 * We didn't had the .virtfs_metadata file. May be file created
-                 * in non-mapped mode ?. Ignore ENOENT.
-                 */
                 goto err_out;
             }
         }
-        /*
-         * Now remove the name from parent directory
-         * .virtfs_metadata directory.
-         */
         map_dirfd = openat_dir(dirfd, VIRTFS_META_DIR);
-        ret = unlinkat(map_dirfd, name, 0);
-        close_preserve_errno(map_dirfd);
-        if (ret < 0 && errno != ENOENT) {
-            /*
-             * We didn't had the .virtfs_metadata file. May be file created
-             * in non-mapped mode ?. Ignore ENOENT.
-             */
+        if (map_dirfd != -1) {
+            ret = unlinkat(map_dirfd, name, 0);
+            close_preserve_errno(map_dirfd);
+            if (ret < 0 && errno != ENOENT) {
+                goto err_out;
+            }
+        } else if (errno != ENOENT) {
             goto err_out;
         }
     }
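Review bot: The new `else if (errno != ENOENT)` branch at the end of the hunk works only because errno still holds the value set by the failed `openat_dir()`, and the `ret < 0` test above it works only because `close_preserve_errno()` keeps `unlinkat()`'s errno intact; neither ordering constraint is stated where it matters. A one-line comment on the `else if`, `/* openat_dir() failed: only a missing metadata dir is tolerated here */`, would protect it from a later edit that slips a call in between. Note that `ret` is left untouched on the ENOENT path, so whatever follows the hunk must not read it as the metadata result. `local_unlinkat_common` continues past the end of the hunk.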
++++++ 0061-megasas-do-not-read-DCMD-opcode-mor.patch ++++++
>From e0653c80373f056fa0bd72fb9aef161dac13b1cf Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonz...@redhat.com>
Date: Mon, 19 Jun 2017 16:36:08 -0600
Subject: [PATCH] megasas: do not read DCMD opcode more than once from frame

Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd

Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
[BR: BSC#1043296 CVE-2017-9503]
Signed-off-by: Bruce Rogers <brog...@suse.com>
---
 hw/scsi/megasas.c | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 804122ab05..887958481b 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -63,6 +63,7 @@ typedef struct MegasasCmd {
 
     hwaddr pa;
     hwaddr pa_size;
+    uint32_t dcmd_opcode;
     union mfi_frame *frame;
     SCSIRequest *req;
     QEMUSGList qsg;
@@ -511,6 +512,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
         cmd->context &= (uint64_t)0xFFFFFFFF;
     }
     cmd->count = count;
+    cmd->dcmd_opcode = -1;
     s->busy++;
 
     if (s->consumer_pa) {
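Review bot: `cmd->dcmd_opcode = -1;` stores a negative int into the `uint32_t` field introduced in the previous hunk, so the sentinel is really 0xFFFFFFFF and every later `!= -1` comparison in this series relies on implicit conversion. A guest-supplied DCMD frame whose opcode is 0xFFFFFFFF therefore becomes indistinguishable from "no DCMD recorded"; from the visible code that only routes such a frame to `megasas_dcmd_dummy`, but the overloaded value deserves a named constant, e.g. `#define MEGASAS_DCMD_NONE UINT32_MAX`, used here and at each comparison, with a comment that the sentinel collides with a legal-looking guest value. `megasas_enqueue_frame` starts before the hunk.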
@@ -1559,22 +1561,21 @@ static const struct dcmd_cmd_tbl_t {
 
 static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
 {
-    int opcode;
     int retval = 0;
     size_t len;
     const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
 
-    opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
-    trace_megasas_handle_dcmd(cmd->index, opcode);
+    cmd->dcmd_opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
+    trace_megasas_handle_dcmd(cmd->index, cmd->dcmd_opcode);
     if (megasas_map_dcmd(s, cmd) < 0) {
         return MFI_STAT_MEMORY_NOT_AVAILABLE;
     }
-    while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
+    while (cmdptr->opcode != -1 && cmdptr->opcode != cmd->dcmd_opcode) {
         cmdptr++;
     }
     len = cmd->iov_size;
     if (cmdptr->opcode == -1) {
-        trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
+        trace_megasas_dcmd_unhandled(cmd->index, cmd->dcmd_opcode, len);
         retval = megasas_dcmd_dummy(s, cmd);
     } else {
         trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len);
@@ -1589,13 +1590,11 @@ static int megasas_handle_dcmd(MegasasState *s, 
MegasasCmd *cmd)
 static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
                                         SCSIRequest *req)
 {
-    int opcode;
     int retval = MFI_STAT_OK;
     int lun = req->lun;
 
-    opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
-    trace_megasas_dcmd_internal_finish(cmd->index, opcode, lun);
-    switch (opcode) {
+    trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun);
+    switch (cmd->dcmd_opcode) {
     case MFI_DCMD_PD_GET_INFO:
         retval = megasas_pd_get_info_submit(req->dev, lun, cmd);
         break;
@@ -1603,7 +1602,7 @@ static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
         retval = megasas_ld_get_info_submit(req->dev, lun, cmd);
         break;
     default:
-        trace_megasas_dcmd_internal_invalid(cmd->index, opcode);
+        trace_megasas_dcmd_internal_invalid(cmd->index, cmd->dcmd_opcode);
         retval = MFI_STAT_INVALID_DCMD;
         break;
     }
@@ -1824,7 +1823,6 @@ static void megasas_xfer_complete(SCSIRequest *req, 
uint32_t len)
 {
     MegasasCmd *cmd = req->hba_private;
     uint8_t *buf;
-    uint32_t opcode;
 
     trace_megasas_io_complete(cmd->index, len);
 
@@ -1834,8 +1832,7 @@ static void megasas_xfer_complete(SCSIRequest *req, 
uint32_t len)
     }
 
     buf = scsi_req_get_buf(req);
-    opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
-    if (opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
+    if (cmd->dcmd_opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
         struct mfi_pd_info *info = cmd->iov_buf;
 
         if (info->inquiry_data[0] == 0x7f) {
@@ -1846,7 +1843,7 @@ static void megasas_xfer_complete(SCSIRequest *req, 
uint32_t len)
             memcpy(info->vpd_page83, buf, len);
         }
         scsi_req_continue(req);
-    } else if (opcode == MFI_DCMD_LD_GET_INFO) {
+    } else if (cmd->dcmd_opcode == MFI_DCMD_LD_GET_INFO) {
         struct mfi_ld_info *info = cmd->iov_buf;
 
         if (cmd->iov_buf) {
++++++ 0062-megasas-always-store-SCSIRequest-in.patch ++++++
>From 0199dd521a16bff213ee66fe1fb257790006237f Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonz...@redhat.com>
Date: Sat, 10 Jun 2017 14:04:51 -0600
Subject: [PATCH] megasas: always store SCSIRequest* into MegasasCmd

This ensures that the request is unref'ed properly, and avoids a
segmentation fault in the new qtest testcase that is added.

Reported-by: Zhangyanyu <zyy4...@stu.ouc.edu.cn>
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
[BR: BSC#1043296 CVE-2017-9503, dropped testcase from patch]
Signed-off-by: Bruce Rogers <brog...@suse.com>
---
 hw/scsi/megasas.c | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 887958481b..a0cafe3010 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -607,6 +607,9 @@ static void megasas_reset_frames(MegasasState *s)
 static void megasas_abort_command(MegasasCmd *cmd)
 {
     /* Never abort internal commands.  */
+    if (cmd->dcmd_opcode != -1) {
+        return;
+    }
     if (cmd->req != NULL) {
         scsi_req_cancel(cmd->req);
     }
@@ -1014,7 +1017,6 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, 
int lun,
     uint64_t pd_size;
     uint16_t pd_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF);
     uint8_t cmdbuf[6];
-    SCSIRequest *req;
     size_t len, resid;
 
     if (!cmd->iov_buf) {
@@ -1023,8 +1025,8 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, 
int lun,
         info->inquiry_data[0] = 0x7f; /* Force PQual 0x3, PType 0x1f */
         info->vpd_page83[0] = 0x7f;
         megasas_setup_inquiry(cmdbuf, 0, sizeof(info->inquiry_data));
-        req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
-        if (!req) {
+        cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
+        if (!cmd->req) {
             trace_megasas_dcmd_req_alloc_failed(cmd->index,
                                                 "PD get info std inquiry");
             g_free(cmd->iov_buf);
@@ -1033,26 +1035,26 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, 
int lun,
         }
         trace_megasas_dcmd_internal_submit(cmd->index,
                                            "PD get info std inquiry", lun);
-        len = scsi_req_enqueue(req);
+        len = scsi_req_enqueue(cmd->req);
         if (len > 0) {
             cmd->iov_size = len;
-            scsi_req_continue(req);
+            scsi_req_continue(cmd->req);
         }
         return MFI_STAT_INVALID_STATUS;
     } else if (info->inquiry_data[0] != 0x7f && info->vpd_page83[0] == 0x7f) {
         megasas_setup_inquiry(cmdbuf, 0x83, sizeof(info->vpd_page83));
-        req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
-        if (!req) {
+        cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
+        if (!cmd->req) {
             trace_megasas_dcmd_req_alloc_failed(cmd->index,
                                                 "PD get info vpd inquiry");
             return MFI_STAT_FLASH_ALLOC_FAIL;
         }
         trace_megasas_dcmd_internal_submit(cmd->index,
                                            "PD get info vpd inquiry", lun);
-        len = scsi_req_enqueue(req);
+        len = scsi_req_enqueue(cmd->req);
         if (len > 0) {
             cmd->iov_size = len;
-            scsi_req_continue(req);
+            scsi_req_continue(cmd->req);
         }
         return MFI_STAT_INVALID_STATUS;
     }
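Review bot: `cmd->req = scsi_req_new(...)` at both inquiry sites overwrites the field unconditionally; if a previous internal request is still referenced there when the VPD inquiry is submitted (this function is re-entered from `megasas_finish_internal_dcmd`, per the earlier patch in the series), that reference would leak rather than be released. The commit message says storing the pointer is what makes the unref happen, so presumably the completion path drops and clears `cmd->req` before re-submission; confirm that, and consider `assert(cmd->req == NULL);` ahead of each assignment so the invariant is checked rather than assumed. `megasas_pd_get_info_submit` starts and ends outside the hunk.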
@@ -1214,7 +1216,6 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, 
int lun,
     struct mfi_ld_info *info = cmd->iov_buf;
     size_t dcmd_size = sizeof(struct mfi_ld_info);
     uint8_t cdb[6];
-    SCSIRequest *req;
     ssize_t len, resid;
     uint16_t sdev_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF);
     uint64_t ld_size;
@@ -1223,8 +1224,8 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, 
int lun,
         cmd->iov_buf = g_malloc0(dcmd_size);
         info = cmd->iov_buf;
         megasas_setup_inquiry(cdb, 0x83, sizeof(info->vpd_page83));
-        req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd);
-        if (!req) {
+        cmd->req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd);
+        if (!cmd->req) {
             trace_megasas_dcmd_req_alloc_failed(cmd->index,
                                                 "LD get info vpd inquiry");
             g_free(cmd->iov_buf);
@@ -1233,10 +1234,10 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, 
int lun,
         }
         trace_megasas_dcmd_internal_submit(cmd->index,
                                            "LD get info vpd inquiry", lun);
-        len = scsi_req_enqueue(req);
+        len = scsi_req_enqueue(cmd->req);
         if (len > 0) {
             cmd->iov_size = len;
-            scsi_req_continue(req);
+            scsi_req_continue(cmd->req);
         }
         return MFI_STAT_INVALID_STATUS;
     }
@@ -1865,7 +1866,7 @@ static void megasas_command_complete(SCSIRequest *req, 
uint32_t status,
         return;
     }
 
-    if (cmd->req == NULL) {
+    if (cmd->dcmd_opcode != -1) {
         /*
          * Internal command complete
          */
++++++ 0063-nbd-Fully-initialize-client-in-case.patch ++++++
>From 94301dd6735f540dc9f6e01943fda914c4bbef8a Mon Sep 17 00:00:00 2001
From: Eric Blake <ebl...@redhat.com>
Date: Fri, 26 May 2017 22:04:21 -0500
Subject: [PATCH] nbd: Fully initialize client in case of failed negotiation

If a non-NBD client connects to qemu-nbd, we would end up with
a SIGSEGV in nbd_client_put() because we were trying to
unregister the client's association to the export, even though
we skipped inserting the client into that list.  Easy trigger
in two terminals:

$ qemu-nbd -p 30001 --format=raw file
$ nmap 127.0.0.1 -p 30001

nmap claims that it thinks it connected to a pago-services1
server (which probably means nmap could be updated to learn the
NBD protocol and give a more accurate diagnosis of the open
port - but that's not our problem), then terminates immediately,
so our call to nbd_negotiate() fails.  The fix is to reorder
nbd_co_client_start() to ensure that all initialization occurs
before we ever try talking to a client in nbd_negotiate(), so
that the teardown sequence on negotiation failure doesn't fault
while dereferencing a half-initialized object.

While debugging this, I also noticed that nbd_update_server_watch()
called by nbd_client_closed() was still adding a channel to accept
the next client, even when the state was no longer RUNNING.  That
is fixed by making nbd_can_accept() pay attention to the current
state.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614

Signed-off-by: Eric Blake <ebl...@redhat.com>
Message-Id: <20170527030421.28366-1-ebl...@redhat.com>
Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
(cherry picked from commit df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af)
[BR: BSC#1043808 CVE-2017-9524]
Signed-off-by: Bruce Rogers <brog...@suse.com>
---
 nbd/server.c | 8 +++-----
 qemu-nbd.c   | 2 +-
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/nbd/server.c b/nbd/server.c
index 924a1fe2db..edfda84d43 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -1376,16 +1376,14 @@ static coroutine_fn void nbd_co_client_start(void 
*opaque)
 
     if (exp) {
         nbd_export_get(exp);
+        QTAILQ_INSERT_TAIL(&exp->clients, client, next);
     }
+    qemu_co_mutex_init(&client->send_lock);
+
     if (nbd_negotiate(data)) {
         client_close(client);
         goto out;
     }
-    qemu_co_mutex_init(&client->send_lock);
-
-    if (exp) {
-        QTAILQ_INSERT_TAIL(&exp->clients, client, next);
-    }
 
     nbd_client_receive_next_request(client);
 
diff --git a/qemu-nbd.c b/qemu-nbd.c
index e080fb7c75..b44764eb87 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -324,7 +324,7 @@ out:
 
 static int nbd_can_accept(void)
 {
-    return nb_fds < shared;
+    return state == RUNNING && nb_fds < shared;
 }
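Review bot: `state == RUNNING` closes the accept-after-shutdown window, but `nb_fds < shared` still counts connections that have not finished negotiating, so a peer that connects and then stalls holds one of the `shared` slots for as long as it likes unless a negotiation timeout exists elsewhere (none is visible in this patch). Given the CVE context, a comment such as `/* nb_fds includes clients still in negotiation; a stalled peer occupies a slot */` would at least make the limit's semantics explicit for whoever tunes `--shared`.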
 
 static void nbd_export_closed(NBDExport *exp)
++++++ 0064-9pfs-local-remove-use-correct-path-.patch ++++++
>From d8ebbbc6a85bc9a6a6e194564719e43a51ec2e86 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brog...@suse.com>
Date: Mon, 19 Jun 2017 14:48:02 -0600
Subject: [PATCH] 9pfs: local: remove: use correct path component

Commit a0e640a8 introduced a path processing error.
Pass fstatat the dirpath based path component instead
of the entire path.

[BR: BSC#1045035]
Signed-off-by: Bruce Rogers <brog...@suse.com>
---
 hw/9pfs/9p-local.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 226234d386..47f6d9ec99 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -1044,7 +1044,7 @@ static int local_remove(FsContext *ctx, const char *path)
         goto out;
     }
 
-    if (fstatat(dirfd, path, &stbuf, AT_SYMLINK_NOFOLLOW) < 0) {
+    if (fstatat(dirfd, name, &stbuf, AT_SYMLINK_NOFOLLOW) < 0) {
         goto err_out;
     }
 
++++++ ipxe-ath-Add-missing-break-statements.patch ++++++
>From 45f2265bfcbbf2afd7fac24372ae26e453f2b52d Mon Sep 17 00:00:00 2001
From: Michael Brown <mc...@ipxe.org>
Date: Wed, 22 Mar 2017 11:52:09 +0200
Subject: [PATCH] [ath] Add missing break statements

Signed-off-by: Michael Brown <mc...@ipxe.org>
Signed-off-by: Bruce Rogers <brog...@suse.com>
---
 src/drivers/net/ath/ath5k/ath5k_desc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/drivers/net/ath/ath5k/ath5k_desc.c 
b/src/drivers/net/ath/ath5k/ath5k_desc.c
index 30fe1c77..816d26ed 100644
--- a/src/drivers/net/ath/ath5k/ath5k_desc.c
+++ b/src/drivers/net/ath/ath5k/ath5k_desc.c
@@ -104,10 +104,13 @@ ath5k_hw_setup_2word_tx_desc(struct ath5k_hw *ah, struct 
ath5k_desc *desc,
                case AR5K_PKT_TYPE_BEACON:
                case AR5K_PKT_TYPE_PROBE_RESP:
                        frame_type = AR5K_AR5210_TX_DESC_FRAME_TYPE_NO_DELAY;
+                       break;
                case AR5K_PKT_TYPE_PIFS:
                        frame_type = AR5K_AR5210_TX_DESC_FRAME_TYPE_PIFS;
+                       break;
                default:
                        frame_type = type /*<< 2 ?*/;
+                       break;
                }
 
                tx_ctl->tx_control_0 |=
-- 
2.12.2

++++++ ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch ++++++
>From 08a98a925917dc2445d098c3ce9a2d2d8b8acda4 Mon Sep 17 00:00:00 2001
From: Michael Brown <mc...@ipxe.org>
Date: Wed, 3 May 2017 13:01:11 +0100
Subject: [PATCH 2/2] [iscsi] Always send FirstBurstLength parameter

As of kernel 4.11, the LIO target will propose a value for
FirstBurstLength if the initiator did not do so.  This is entirely
redundant in our case, since FirstBurstLength is defined by RFC 3720
to be

  "Irrelevant when: ( InitialR2T=Yes and ImmediateData=No )"

and we already enforce both InitialR2T=Yes and ImmediateData=No in our
initial proposal.  However, LIO (arguably correctly) complains when we
do not respond to its redundant proposal of an already-irrelevant
value.

Fix by always proposing the default value for FirstBurstLength.

Debugged-by: Patrick Seeburger <i...@8bit.de>
Tested-by: Patrick Seeburger <i...@8bit.de>
Signed-off-by: Michael Brown <mc...@ipxe.org>
[BR: BSC#1040476]
Signed-off-by: Liang Yan <l...@suse.com>
---
 src/net/tcp/iscsi.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/net/tcp/iscsi.c b/src/net/tcp/iscsi.c
index 6da8570c..aa30efda 100644
--- a/src/net/tcp/iscsi.c
+++ b/src/net/tcp/iscsi.c
@@ -434,12 +434,12 @@ static int iscsi_tx_data_out ( struct iscsi_session 
*iscsi ) {
  *
  *     HeaderDigest=None
  *     DataDigest=None
- *     MaxConnections is irrelevant; we make only one connection anyway [4]
+ *     MaxConnections=1 (irrelevant; we make only one connection anyway) [4]
  *     InitialR2T=Yes [1]
- *     ImmediateData is irrelevant; we never send immediate data [4]
+ *     ImmediateData=No (irrelevant; we never send immediate data) [4]
  *     MaxRecvDataSegmentLength=8192 (default; we don't care) [3]
  *     MaxBurstLength=262144 (default; we don't care) [3]
- *     FirstBurstLength=262144 (default; we don't care)
+ *     FirstBurstLength=65536 (irrelevant due to other settings) [5]
  *     DefaultTime2Wait=0 [2]
  *     DefaultTime2Retain=0 [2]
  *     MaxOutstandingR2T=1
@@ -464,6 +464,11 @@ static int iscsi_tx_data_out ( struct iscsi_session *iscsi 
) {
  * these parameters, but some targets (notably a QNAP TS-639Pro) fail
  * unless they are supplied, so we explicitly specify the default
  * values.
+ *
+ * [5] FirstBurstLength is defined to be irrelevant since we already
+ * force InitialR2T=Yes and ImmediateData=No, but some targets
+ * (notably LIO as of kernel 4.11) fail unless it is specified, so we
+ * explicitly specify the default value.
  */
 static int iscsi_build_login_request_strings ( struct iscsi_session *iscsi,
                                               void *data, size_t len ) {
@@ -526,13 +531,14 @@ static int iscsi_build_login_request_strings ( struct 
iscsi_session *iscsi,
                                    "ImmediateData=No%c"
                                    "MaxRecvDataSegmentLength=8192%c"
                                    "MaxBurstLength=262144%c"
+                                   "FirstBurstLength=65536%c"
                                    "DefaultTime2Wait=0%c"
                                    "DefaultTime2Retain=0%c"
                                    "MaxOutstandingR2T=1%c"
                                    "DataPDUInOrder=Yes%c"
                                    "DataSequenceInOrder=Yes%c"
                                    "ErrorRecoveryLevel=0%c",
-                                   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 );
+                                   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 );
        }
 
        return used;
-- 
2.13.0

++++++ ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch ++++++
>From 28e26dd2503e6006fabb26f8c33050ba93a99623 Mon Sep 17 00:00:00 2001
From: Michael Brown <mc...@ipxe.org>
Date: Wed, 29 Mar 2017 10:35:05 +0300
Subject: [PATCH] [mucurses] Fix erroneous __nonnull attribute

Signed-off-by: Michael Brown <mc...@ipxe.org>
Signed-off-by: Bruce Rogers <brog...@suse.com>
---
 src/include/curses.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/include/curses.h b/src/include/curses.h
index 04060fe2..1f6fe029 100644
--- a/src/include/curses.h
+++ b/src/include/curses.h
@@ -443,7 +443,8 @@ extern int wborder ( WINDOW *, chtype, chtype, chtype, 
chtype, chtype, chtype,
 extern int wclrtobot ( WINDOW * ) __nonnull;
 extern int wclrtoeol ( WINDOW * ) __nonnull;
 extern void wcursyncup ( WINDOW * );
-extern int wcolour_set ( WINDOW *, short, void * ) __nonnull;
+extern int wcolour_set ( WINDOW *, short, void * )
+       __attribute__ (( nonnull (1)));
 #define wcolor_set(w,s,v) wcolour_set((w),(s),(v))
 extern int wdelch ( WINDOW * ) __nonnull;
 extern int wdeleteln ( WINDOW * ) __nonnull;
-- 
2.12.2




++++++ qemu.spec.in ++++++
--- /var/tmp/diff_new_pack.Xr0RqQ/_old  2017-06-28 10:35:09.460958080 +0200
+++ /var/tmp/diff_new_pack.Xr0RqQ/_new  2017-06-28 10:35:09.460958080 +0200
@@ -141,6 +141,9 @@
 Patch1100:      ipxe-stable-buildid.patch
 Patch1101:      ipxe-use-gcc6-for-more-compact-code.patch
 Patch1102:      ipxe-build-Avoid-implicit-fallthrough-warnings-on-GCC-7.patch
+Patch1103:      ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch
+Patch1104:      ipxe-ath-Add-missing-break-statements.patch
+Patch1105:      ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch 
 
 # sgabios
 # PATCH-FIX-OPENSUSE sgabios-stable-buildid.patch brog...@suse.com -- 
reproducible builds
@@ -179,8 +182,10 @@
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 %if %{build_x86_firmware_from_source}
+%if 0%{?suse_version} <= 1320
 BuildRequires:  gcc6
 %endif
+%endif
 BuildRequires:  glib2-devel
 %if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315
 BuildRequires:  glusterfs-devel
@@ -781,8 +786,13 @@
 
 pushd roms/ipxe
 %patch1100 -p1
+%if 0%{?suse_version} <= 1320
 %patch1101 -p1
+%endif
 %patch1102 -p1
+%patch1103 -p1
+%patch1104 -p1
+%patch1105 -p1
 popd
 
 pushd roms/sgabios

++++++ update_git.sh ++++++
--- /var/tmp/diff_new_pack.Xr0RqQ/_old  2017-06-28 10:35:09.552945066 +0200
+++ /var/tmp/diff_new_pack.Xr0RqQ/_new  2017-06-28 10:35:09.552945066 +0200
@@ -45,7 +45,7 @@
     (cd $GIT_DIR && git remote add upstream 
git://git.qemu-project.org/qemu.git)
     (cd $GIT_DIR && git remote update)
 fi
-(cd $GIT_DIR && git format-patch -N $GIT_UPSTREAM_TAG --suffix= -o $CMP_DIR 
>/dev/null)
+(cd $GIT_DIR && git format-patch -N $GIT_UPSTREAM_TAG --suffix= -o $CMP_DIR 
--no-renames >/dev/null)
 QEMU_VERSION=`cat $GIT_DIR/VERSION`
 echo "QEMU version: $QEMU_VERSION"
 

