Age | Commit message | Author
2019-07-30 | i386/acpi: show PCI Express bus on pxb-pcie expanders | Evgeny Yakovlev

Show PCIe host bridge PNP id with PCI host bridge as a compatible id when expanding a pcie bus.

Cc: qemu-stable@nongnu.org
Signed-off-by: Evgeny Yakovlev <wrfsh@yandex-team.ru>
Message-Id: <1563526469-15588-1-git-send-email-wrfsh@yandex-team.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit ee4b0c8686f781987879508d7c6dd605b5435bac)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-07-30 | i386/acpi: fix gint overflow in crs_range_compare | Evgeny Yakovlev

When very large regions (32GB sized in our case, PCI pass-through of GPUs) are compared, the subtraction result does not fit into gint. As a result crs_replace_with_free_ranges does not get sorted ranges and incorrectly computes PCI64 free space regions, which then makes the linux guest complain about device and PCI64 hole intersection, and the device becomes unusable.

Fix that by returning exactly fitting ranges.

Also fix indentation of an entire crs_replace_with_free_ranges to make checkpatch happy.

Cc: qemu-stable@nongnu.org
Signed-off-by: Evgeny Yakovlev <wrfsh@yandex-team.ru>
Message-Id: <1563466463-26012-1-git-send-email-wrfsh@yandex-team.ru>
Signed-off-by: Evgeny Yakovlev <wrfsh@yandex-team.ru>
(cherry picked from commit 21e2acd583126db94f6d881005cd58e835160582)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
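The comparator overflow this commit message describes, shown as an added example that is not QEMU's code: a comparator that returns the difference of two 64-bit base addresses truncated to gint can report two regions as "equal", or even in inverted order, once they are more than about 2 GiB apart, so qsort() produces an unsorted result. The Range type, the GiB-sized values and the demo functions are constructed here; the three-way comparison is the usual overflow-free replacement.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for a resource range: base address and length. */
typedef struct {
    uint64_t base;
    uint64_t len;
} Range;

typedef int gint;   /* GLib's gint is a plain int */

#define GIB (1ULL << 30)

/* Buggy comparator: the 64-bit difference is truncated to a 32-bit gint.
 * For bases far apart the low 32 bits can be zero ("equal") or have the
 * sign bit set (inverted order), so qsort() gets inconsistent answers. */
gint cmp_truncated_diff(const void *a, const void *b)
{
    const Range *ra = a, *rb = b;
    return (gint)(ra->base - rb->base);
}

/* Fixed comparator: a three-way comparison cannot overflow. */
gint cmp_three_way(const void *a, const void *b)
{
    const Range *ra = a, *rb = b;
    if (ra->base < rb->base) {
        return -1;
    }
    if (ra->base > rb->base) {
        return 1;
    }
    return 0;
}

/* True when the array is in non-decreasing order by base. */
bool ranges_sorted(const Range *r, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        if (r[i - 1].base > r[i].base) {
            return false;
        }
    }
    return true;
}

/* 32 GiB base vs 4 GiB base: the difference is 0x700000000, whose low
 * 32 bits are all zero, so the buggy comparator returns 0 ("equal"). */
gint demo_truncated_equal(void)
{
    Range hi = { 32 * GIB, 32 * GIB };
    Range lo = { 4 * GIB, GIB };
    return cmp_truncated_diff(&hi, &lo);   /* 0, although hi > lo */
}

/* 3 GiB base vs base 0: the difference 0xC0000000 has bit 31 set, so the
 * buggy comparator returns a negative value and claims hi < lo. */
gint demo_truncated_inverted(void)
{
    Range hi = { 3 * GIB, GIB };
    Range lo = { 0, GIB };
    return cmp_truncated_diff(&hi, &lo);   /* negative, although hi > lo */
}

/* Same 32 GiB vs 4 GiB pair with the fixed comparator. */
gint demo_three_way(void)
{
    Range hi = { 32 * GIB, 32 * GIB };
    Range lo = { 4 * GIB, GIB };
    return cmp_three_way(&hi, &lo);        /* 1 */
}

/* Sort a constructed set of ranges with the fixed comparator. */
bool demo_sort_fixed(void)
{
    Range r[] = {
        { 32 * GIB, 32 * GIB },
        { 4 * GIB, GIB },
        { 0x100000ULL, 0x1000ULL },
        { 64 * GIB, GIB },
        { 3 * GIB, GIB },
    };
    size_t n = sizeof r / sizeof r[0];
    qsort(r, n, sizeof r[0], cmp_three_way);
    return ranges_sorted(r, n);
}
```

The practical check when reviewing a comparator is simple: if it computes `a - b` on anything wider than the return type, or on unsigned values, replace it with a three-way comparison.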
2019-07-30 | ioapic: kvm: Skip route updates for masked pins | Jan Kiszka

Masked entries will not generate interrupt messages, thus do not need to be routed by KVM. This is a cosmetic cleanup, just avoiding warnings of the kind

    qemu-system-x86_64: vtd_irte_get: detected non-present IRTE (index=0, high=0xff00, low=0x100)

if the masked entry happens to reference a non-present IRTE.

Cc: qemu-stable@nongnu.org
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Message-Id: <a84b7e03-f9a8-b577-be27-4d93d1caa1c9@siemens.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
(cherry picked from commit be1927c97e564346cbd409cb17fe611df74b84e5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-07-30 | tpm_emulator: Translate TPM error codes to strings | Stefan Berger

Implement a function to translate TPM error codes to strings so that at least the most common error codes can be translated to human readable strings.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from commit 7e095e84ba0b7c0a1ac45bc6824dace2fd352e56)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-07-30 | tpm: Exit in reset when backend indicates failure | Stefan Berger

Exit() in the frontend reset function when the backend indicates initialization failure.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from commit bcfd16fe26d6bb6eabfd2dfb46b9fda59d5493db)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-07-18 | vhost: fix vhost_log size overflow during migration | Li Hangjing

When a guest which doesn't support multiqueue is migrated with a multi queues vhost-user-blk device, a crash will occur like:

    0  qemu_memfd_alloc (name=<value optimized out>, size=562949953421312, seals=<value optimized out>, fd=0x7f87171fe8b4, errp=0x7f87171fe8a8) at util/memfd.c:153
    1  0x00007f883559d7cf in vhost_log_alloc (size=70368744177664, share=true) at hw/virtio/vhost.c:186
    2  0x00007f88355a0758 in vhost_log_get (listener=0x7f8838bd7940, enable=1) at qemu-2-12/hw/virtio/vhost.c:211
    3  vhost_dev_log_resize (listener=0x7f8838bd7940, enable=1) at hw/virtio/vhost.c:263
    4  vhost_migration_log (listener=0x7f8838bd7940, enable=1) at hw/virtio/vhost.c:787
    5  0x00007f88355463d6 in memory_global_dirty_log_start () at memory.c:2503
    6  0x00007f8835550577 in ram_init_bitmaps (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2173
    7  ram_init_all (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2192
    8  ram_save_setup (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2219
    9  0x00007f88357a419d in qemu_savevm_state_setup (f=0x7f88384ce600) at migration/savevm.c:1002
    10 0x00007f883579fc3e in migration_thread (opaque=0x7f8837530400) at migration/migration.c:2382
    11 0x00007f8832447893 in start_thread () from /lib64/libpthread.so.0
    12 0x00007f8832178bfd in clone () from /lib64/libc.so.6

This is because vhost_get_log_size() returns an overflowed vhost-log size. In this function, it uses the uninitialized variables vqs->used_phys and vqs->used_size to get the vhost-log size.

Signed-off-by: Li Hangjing <lihangjing@baidu.com>
Reviewed-by: Xie Yongji <xieyongji@baidu.com>
Reviewed-by: Chai Wen <chaiwen@baidu.com>
Message-Id: <20190603061524.24076-1-lihangjing@baidu.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 240e647a14df9677b3a501f7b8b870e40aac3fd5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-07-09 | iotests: Test unaligned raw images with O_DIRECT | Max Reitz

We already have 221 for accesses through the page cache, but it is better to create a new file for O_DIRECT instead of integrating those test cases into 221. This way, we can make use of _supported_cache_modes (and _default_cache_mode) so the test is automatically skipped on filesystems that do not support O_DIRECT.

As part of the split, add _supported_cache_modes to 221. With that, it no longer fails when run with -c none or -c directsync.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 2fab30c80b33cdc6157c7efe6207e54b6835cf92)
*remove context dependencies on iotests not in 3.1
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-07-09 | block/file-posix: Unaligned O_DIRECT block-status | Max Reitz

Currently, qemu crashes whenever someone queries the block status of an unaligned image tail of an O_DIRECT image:

    $ echo > foo
    $ qemu-img map --image-opts driver=file,filename=foo,cache.direct=on
    Offset          Length          Mapped to       File
    qemu-img: block/io.c:2093: bdrv_co_block_status: Assertion `*pnum && QEMU_IS_ALIGNED(*pnum, align) && align > offset - aligned_offset' failed.

This is because bdrv_co_block_status() checks that the result returned by the driver's implementation is aligned to the request_alignment, but file-posix can fail to do so, which is actually mentioned in a comment there: "[...] possibly including a partial sector at EOF".

Fix this by rounding up those partial sectors.

There are two possible alternative fixes:

(1) We could refuse to open unaligned image files with O_DIRECT altogether. That sounds reasonable until you realize that qcow2 does not necessarily fill up its metadata clusters, and that nobody runs qemu-img create with O_DIRECT. Therefore, unpreallocated qcow2 files usually have an unaligned image tail.

(2) bdrv_co_block_status() could ignore unaligned tails. It actually throws away everything past the EOF already, so that sounds reasonable. Unfortunately, the block layer knows file lengths only with a granularity of BDRV_SECTOR_SIZE, so bdrv_co_block_status() usually would have to guess whether its file length information is inexact or whether the driver is broken.

Fixing what raw_co_block_status() returns is the safest thing to do.

There seems to be no other block driver that sets request_alignment and does not make sure that it always returns aligned values.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 9c3db310ff0b7473272ae8dce5e04e2f8a825390)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-07-09 | iotests: Filter second BLOCK_JOB_ERROR from 229 | Max Reitz

Without this filter, this test sometimes fails.

Signed-off-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit fff2388d5d9caecca6200455d0ab6d5e13f4e9bd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-07-09 | megasas: fix mapped frame size | Peter Lieven

The current value of 1024 bytes (16 * MFI_FRAME_SIZE) we map is not enough to hold the maximum number of scatter gather elements we advertise. We actually need a maximum of 2048 bytes. This is 128 max sg elements * 16 bytes (sizeof (union mfi_sgl)).

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <20190404121015.28634-1-pl@kamp.de>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 2e56fbc87f6ec3cd56c37b01d313abd502b80d61)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-07-09 | s390x/cpumodel: ignore csske for expansion | Christian Borntraeger

csske will be removed in a future machine. Ignore it for expanding the cpu model. Otherwise qemu falls back to z9.

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <david@redhat.com>
Message-Id: <20190429090250.7648-3-borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
(cherry picked from commit eaf6f642abf1d4d24791b70728d4068428fc4658)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-07-09 | do not call vhost_net_cleanup() on running net from char user event | Dan Streetman

Buglink: https://launchpad.net/bugs/1823458

Currently, a user CHR_EVENT_CLOSED event will cause net_vhost_user_event() to call vhost_user_cleanup(), which calls vhost_net_cleanup() for all its queues. However, vhost_net_cleanup() must never be called like this for fully-initialized nets; when other code later calls vhost_net_stop() - such as from virtio_net_vhost_status() - it will try to access the already-cleaned-up fields and fail with assertion errors or segfaults.

The vhost_net_cleanup() will eventually be called from qemu_cleanup_net_client().

Signed-off-by: Dan Streetman <ddstreet@canonical.com>
Message-Id: <20190416184624.15397-3-dan.streetman@canonical.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 6ab79a20af3a7b3bf610ba9aebb446a9f0b05930)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-07-09 | block: Fix AioContext switch for bs->drv == NULL | Kevin Wolf

Even for block nodes with bs->drv == NULL, we can't just ignore a bdrv_set_aio_context() call. Leaving the node in its old context can mean that it's still in an iothread context in bdrv_close_all() during shutdown, resulting in an attempted unlock of the AioContext lock which we don't hold.

This is an example stack trace of a related crash:

    #0  0x00007ffff59da57f in raise () at /lib64/libc.so.6
    #1  0x00007ffff59c4895 in abort () at /lib64/libc.so.6
    #2  0x0000555555b97b1e in error_exit (err=<optimized out>, msg=msg@entry=0x555555d386d0 <__func__.19059> "qemu_mutex_unlock_impl") at util/qemu-thread-posix.c:36
    #3  0x0000555555b97f7f in qemu_mutex_unlock_impl (mutex=mutex@entry=0x5555568002f0, file=file@entry=0x555555d378df "util/async.c", line=line@entry=507) at util/qemu-thread-posix.c:97
    #4  0x0000555555b92f55 in aio_context_release (ctx=ctx@entry=0x555556800290) at util/async.c:507
    #5  0x0000555555b05cf8 in bdrv_prwv_co (child=child@entry=0x7fffc80012f0, offset=offset@entry=131072, qiov=qiov@entry=0x7fffffffd4f0, is_write=is_write@entry=true, flags=flags@entry=0) at block/io.c:833
    #6  0x0000555555b060a9 in bdrv_pwritev (qiov=0x7fffffffd4f0, offset=131072, child=0x7fffc80012f0) at block/io.c:990
    #7  0x0000555555b060a9 in bdrv_pwrite (child=0x7fffc80012f0, offset=131072, buf=<optimized out>, bytes=<optimized out>) at block/io.c:990
    #8  0x0000555555ae172b in qcow2_cache_entry_flush (bs=bs@entry=0x555556810680, c=c@entry=0x5555568cc740, i=i@entry=0) at block/qcow2-cache.c:51
    #9  0x0000555555ae18dd in qcow2_cache_write (bs=bs@entry=0x555556810680, c=0x5555568cc740) at block/qcow2-cache.c:248
    #10 0x0000555555ae15de in qcow2_cache_flush (bs=0x555556810680, c=<optimized out>) at block/qcow2-cache.c:259
    #11 0x0000555555ae16b1 in qcow2_cache_flush_dependency (c=0x5555568a1700, c=0x5555568a1700, bs=0x555556810680) at block/qcow2-cache.c:194
    #12 0x0000555555ae16b1 in qcow2_cache_entry_flush (bs=bs@entry=0x555556810680, c=c@entry=0x5555568a1700, i=i@entry=0) at block/qcow2-cache.c:194
    #13 0x0000555555ae18dd in qcow2_cache_write (bs=bs@entry=0x555556810680, c=0x5555568a1700) at block/qcow2-cache.c:248
    #14 0x0000555555ae15de in qcow2_cache_flush (bs=bs@entry=0x555556810680, c=<optimized out>) at block/qcow2-cache.c:259
    #15 0x0000555555ad242c in qcow2_inactivate (bs=bs@entry=0x555556810680) at block/qcow2.c:2124
    #16 0x0000555555ad2590 in qcow2_close (bs=0x555556810680) at block/qcow2.c:2153
    #17 0x0000555555ab0c62 in bdrv_close (bs=0x555556810680) at block.c:3358
    #18 0x0000555555ab0c62 in bdrv_delete (bs=0x555556810680) at block.c:3542
    #19 0x0000555555ab0c62 in bdrv_unref (bs=0x555556810680) at block.c:4598
    #20 0x0000555555af4d72 in blk_remove_bs (blk=blk@entry=0x5555568103d0) at block/block-backend.c:785
    #21 0x0000555555af4dbb in blk_remove_all_bs () at block/block-backend.c:483
    #22 0x0000555555aae02f in bdrv_close_all () at block.c:3412
    #23 0x00005555557f9796 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4776

The reproducer I used is a qcow2 image on gluster volume, where the virtual disk size (4 GB) is larger than the gluster volume size (64M), so we can easily trigger an ENOSPC. This backend is assigned to a virtio-blk device using an iothread, and then from the guest a 'dd if=/dev/zero of=/dev/vda bs=1G count=1' causes the VM to stop because of an I/O error. qemu_gluster_co_flush_to_disk() sets bs->drv = NULL on error, so when virtio-blk stops the dataplane, the block nodes stay in the iothread AioContext. A 'quit' monitor command issued from this paused state crashes the process.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1631227
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
(cherry picked from commit 1bffe1ae7a7b707c3a14ea2ccd00d3609d3ce4d8)
*drop context dependency on e64f25f30b8
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-07-09 | cutils: Fix size_to_str() on 32-bit platforms | Eric Blake

When extracting a human-readable size formatter, we changed 'uint64_t div' pre-patch to 'unsigned long div' post-patch. Which breaks on 32-bit platforms, resulting in 'inf' instead of intended values larger than 999GB.

Fixes: 22951aaa
CC: qemu-stable@nongnu.org
Reported-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 754da86714d550c3f995f11a2587395081362e0a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-07-09 | qcow2: Avoid COW during metadata preallocation | Kevin Wolf

Limiting the allocation to INT_MAX bytes isn't particularly clever because it means that the final cluster will be a partial cluster which will be completed through a COW operation. This results in unnecessary data read and write requests which lead to an unwanted non-sparse filesystem block for metadata preallocation.

Align the maximum allocation size down to the cluster size to avoid this situation.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit f29fbf7c6b1c9a84f6931c1c222716fbe073e6e4)
*modified to avoid functional dependency on 93e32b3e
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-04-05 | qemu-img: fix error reporting for -object | Daniel P. Berrangé

Error reporting for user_creatable_add_opts_foreach was changed so that it no longer called 'error_report_err' in:

    commit 7e1e0c11127bde81cff260fc6859690435c509d6
    Author: Markus Armbruster <armbru@redhat.com>
    Date:   Wed Oct 17 10:26:43 2018 +0200

        qom: Clean up error reporting in user_creatable_add_opts_foreach()

Some callers were updated to pass in "&error_fatal" but all the ones in qemu-img were left passing NULL. As a result all errors went to /dev/null instead of being reported to the user.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 334c43e2c342e878311c66b4e62343f0a7c2c6be)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-28 | usb-mtp: use O_NOFOLLOW and O_CLOEXEC. | Gerd Hoffmann

Open files and directories with O_NOFOLLOW to avoid symlink attacks. While being at it also add O_CLOEXEC.

usb-mtp only handles regular files and directories and ignores everything else, so users should not see a difference.

Because qemu ignores symlinks, carrying out a successful symlink attack requires swapping an existing file or directory below rootdir for a symlink and winning the race against the inotify notification to qemu.

Fixes: CVE-2018-16872
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: Bandan Das <bsd@redhat.com>
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Message-id: 20181213122511.13853-1-kraxel@redhat.com
(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-28 | qga: update docs with systemd suspend support info | Daniel Henrique Barboza

Commit 067927d62e ("qga: systemd hibernate/suspend/hybrid-sleep support") failed to update qapi-schema.json after adding systemd hibernate/suspend/hybrid-sleep capabilities to guest-suspend-* QGA commands.

Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
(cherry picked from commit bb6c8d407e49d7b805ac52fe46abf4d8d5262046)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-28 | mac_newworld: use node name instead of alias name for hd device in FWPathProvider | Mark Cave-Ayland

When using -drive to configure the hd drive for the New World machine, the node name "disk" should be used instead of the "hd" alias.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20190307212058.4890-3-mark.cave-ayland@ilande.co.uk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 31bc6fa7fa8124ff8fb08373f9402985c806919f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-28 | mac_oldworld: use node name instead of alias name for hd device in FWPathProvider | Mark Cave-Ayland

When using -drive to configure the hd drive for the Old World machine, the node name "disk" should be used instead of the "hd" alias.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20190307212058.4890-2-mark.cave-ayland@ilande.co.uk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 484d366e02732c8de6f92e53e2ee9bb93dd4ca23)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-28 | configure: improve usbfs check | Thomas Petazzoni

The current check to test if usbfs support should be compiled or not solely relies on the presence of <linux/usbdevice_fs.h>, without actually checking that all definitions used by Qemu are provided by this header file. With sufficiently old kernel headers, <linux/usbdevice_fs.h> may be present, but some of the definitions needed by Qemu may not be available.

This commit improves the check by building a small program that actually tests whether the necessary definitions are available.

In addition, it fixes a bug where have_usbfs was set to "yes" regardless of the result of the test.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20190213211827.20300-1-thomas.petazzoni@bootlin.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
(cherry picked from commit 96566d09aa105ee04cbc1c9539cf8a9a40e8e422)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-28 | qga-win: include glib when building VSS DLL | Michael Roth

Commit 3ebee3b191e defined assert() as g_assert(), but when we build the VSS DLL component of QGA (to handle fsfreeze) we do not include glib, which results in breakage when building with VSS support enabled.

Fix this by including glib (along with the -lintl and -lws2_32 dependencies it brings). Since the VSS DLL is built statically, this introduces an additional dependency on static glib and supporting libs for the mingw environment (possibly why we didn't include glib originally), but VSS support already has very specific prerequisites so it shouldn't affect too many build environments.

Since the VSS DLL code does use qemu/osdep.h, this should also help avoid future breakages and possibly allow for some clean ups in current VSS code.

Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Cc: Daniel P. Berrangé <berrange@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
(cherry picked from commit 82a58d270c6fbbe2f2381224946340fd3814a273)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-28 | json: Fix % handling when not interpolating | Christophe Fergeau

Commit 8bca4613 added support for %% in json strings when interpolating, but in doing so broke handling of % when not interpolating.

When parse_string() is fed a string token containing '%', it skips the '%' regardless of ctxt->ap, i.e. even it's not interpolating. If the '%' is the string's last character, it fails an assertion. Else, it "merely" swallows the '%'.

Fix parse_string() to handle '%' specially only when interpolating.

To gauge the bug's impact, let's review non-interpolating users of this parser, i.e. code passing NULL context to json_message_parser_init():

* tests/check-qjson.c, tests/test-qobject-input-visitor.c, tests/test-visitor-serialization.c

  Plenty of tests, but we still failed to cover the buggy case.

* monitor.c: QMP input

* qga/main.c: QGA input

* qobject_from_json():

  - qobject-input-visitor.c: JSON command line option arguments of -display and -blockdev

    Reproducer: -blockdev '{"%"}'

  - block.c: JSON pseudo-filenames starting with "json:"

    Reproducer: https://bugzilla.redhat.com/show_bug.cgi?id=1668244#c3

  - block/rbd.c: JSON key pairs

    Pseudo-filenames starting with "rbd:".

Command line, QMP and QGA input are trusted.

Filenames are trusted when they come from command line, QMP or HMP. They are untrusted when they come from image file headers. Example: QCOW2 backing file name.

Note that this is *not* the security boundary between host and guest. It's the boundary between host and an image file from an untrusted source.

Neither failing an assertion nor skipping a character in a filename of your choice looks exploitable. Note that we don't support compiling with NDEBUG.

Fixes: 8bca4613e6cddd948895b8db3def05950463495b
Cc: qemu-stable@nongnu.org
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Message-Id: <20190102140535.11512-1-cfergeau@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
[Commit message extended to discuss impact]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit bbc0586ced6e9ffdfd29d89fcc917b3d90ac3938)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-28 | i386: remove the 'INTEL_PT' CPUID bit from named CPU models | Paolo Bonzini

Processor tracing is not yet implemented for KVM and it will be an opt in feature requiring a special module parameter. Disable it, because it is wrong to enable it by default and it is impossible that no one has ever used it.

Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 4c257911dcc7c4189768e9651755c849ce9db4e8)
*drop context dependency on ecb85fe48
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-28 | i386: remove the new CPUID 'PCONFIG' from Icelake-Server CPU model | Robert Hoo

PCONFIG is not available to guests; it must be specifically enabled using the PCONFIG_ENABLE execution control. Disable it, because no one can ever use it.

Signed-off-by: Robert Hoo <robert.hu@linux.intel.com>
Message-Id: <1545227081-213696-2-git-send-email-robert.hu@linux.intel.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 76e5a4d58357b9d077afccf7f7c82e17f733b722)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-28 | vfio-ap: flag as compatible with balloon | Cornelia Huck

vfio-ap devices do not pin any pages in the host. Therefore, they are compatible with memory ballooning. Flag them as compatible, so both vfio-ap and a balloon can be used simultaneously.

Cc: qemu-stable@nongnu.org
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Tested-by: Tony Krowiak <akrowiak@linux.ibm.com>
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
(cherry picked from commit 1883e8fc8005e9ef452890a075bae98e8c432968)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27 | tpm_tis: fix loop that cancels any seizure by a lower locality | Liam Merwick

In tpm_tis_mmio_write() if the requesting locality is seizing access, any seizure by a lower locality is cancelled. However the loop doing the seizure had an off-by-one error and the locality immediately preceding the requesting locality was not being cleared. This is fixed by adjusting the test in the for loop to check the localities up to the requesting locality.

Signed-off-by: Liam Merwick <Liam.Merwick@oracle.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
(cherry picked from commit 37b55d67c0f001b20b7831db3f9f24f1d453e1de)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27 | slirp: check sscanf result when emulating ident | William Bowling

When emulating ident in tcp_emu, if the strchr checks passed but the sscanf check failed, two uninitialized variables would be copied and sent in the reply, so move this code inside the if(sscanf()) clause.

Signed-off-by: William Bowling <will@wbowling.info>
Cc: qemu-stable@nongnu.org
Cc: secalert@redhat.com
Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
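The validation pattern this fix restores, as an added example that is not slirp's or QEMU's code: the values sscanf() is asked to fill are used only when sscanf() reports that every conversion matched, so a reply is never assembled from locals that were left uninitialized by a partial parse. The request syntax ("port , port"), the reply format and the demo functions are constructed here and are not the slirp ident emulation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parse a constructed ident-style request "port , port". Returns true only
 * when both integers were matched; on failure the outputs are not written,
 * so a caller can never observe half-parsed or uninitialized values. */
bool parse_ident_request(const char *line, int *p1, int *p2)
{
    int a, b;
    /* Cheap structural precondition, analogous to the strchr() checks the
     * commit message mentions: the separator must be present at all. */
    if (strchr(line, ',') == NULL) {
        return false;
    }
    /* The return value of sscanf() is the number of successful conversions;
     * anything other than 2 means a or b (or both) is still uninitialized. */
    if (sscanf(line, "%d , %d", &a, &b) != 2) {
        return false;
    }
    *p1 = a;
    *p2 = b;
    return true;
}

/* Build a reply into out. Returns the number of bytes written, or -1 when
 * the request did not parse, in which case nothing is written and nothing
 * would be sent. The reply format is a constructed placeholder. */
int build_ident_reply(const char *line, char *out, size_t outlen)
{
    int p1, p2;
    if (!parse_ident_request(line, &p1, &p2)) {
        return -1;
    }
    int n = snprintf(out, outlen, "%d , %d : USERID : UNIX : guest\r\n", p1, p2);
    if (n < 0 || (size_t)n >= outlen) {
        return -1;   /* truncated reply is treated as a failure too */
    }
    return n;
}

/* Constructed inputs: one request that passes the strchr-style check but
 * fails the second conversion, one with no comma, and one well-formed. */
int demo_partial_parse(void)
{
    char buf[64];
    return build_ident_reply("6191 , abc", buf, sizeof buf);   /* -1 */
}

int demo_missing_separator(void)
{
    char buf[64];
    return build_ident_reply("6191 23", buf, sizeof buf);      /* -1 */
}

bool demo_well_formed(void)
{
    char buf[64];
    int p1 = -1, p2 = -1;
    if (!parse_ident_request("6191 , 23", &p1, &p2)) {
        return false;
    }
    return p1 == 6191 && p2 == 23 && build_ident_reply("6191 , 23", buf, sizeof buf) > 0
           && strncmp(buf, "6191 , 23 :", 11) == 0;
}
```

The general rule this illustrates is to check the count sscanf() returns against the number of conversions requested before touching any of the destination variables; checking only that the separators exist, as the pre-fix code did, says nothing about whether the numbers were parsed.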
2019-03-27 | hw/rdma: another clang compilation fix | Marcel Apfelbaum

Configuring QEMU with:

    configure --target-list="x86_64-softmmu" --cc=clang --enable-pvrdma

Results in:

    qemu/hw/rdma/rdma_rm_defs.h:108:3: error: redefinition of typedef 'RdmaDeviceResources' is a C11 feature [-Werror,-Wtypedef-redefinition]
    } RdmaDeviceResources;
      ^
    qemu/hw/rdma/rdma_backend_defs.h:24:36: note: previous definition is here
    typedef struct RdmaDeviceResources RdmaDeviceResources;

Fix by removing one of the 'typedef' definitions.

Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Message-Id: <20190214154053.15050-1-marcel.apfelbaum@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Acked-by: Kamal Heib <kamalheib1@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
(cherry picked from commit 59f911938fbaa6a5eff1146c8a4d74e1c55ecc2b)
*drop context dep. on c2dd117b385
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27 | block: Fix invalidate_cache error path for parent activation | Kevin Wolf

bdrv_co_invalidate_cache() clears the BDRV_O_INACTIVE flag before actually activating a node so that the correct permissions etc. are taken. In case of errors, the flag must be restored so that the next call to bdrv_co_invalidate_cache() retries activation.

Restoring the flag was missing in the error path for a failed parent->role->activate() call. The consequence is that this attempt to activate all images correctly fails because we still set errp, however on the next attempt BDRV_O_INACTIVE is already clear, so we return success without actually retrying the failed action.

An example where this is observable in practice is migration to a QEMU instance that has a raw format block node attached to a guest device with share-rw=off (the default) while another process holds BLK_PERM_WRITE for the same image. In this case, all activation steps before parent->role->activate() succeed because raw can tolerate other writers to the image.

Only the parent callback (in particular blk_root_activate()) tries to implement the share-rw=on property and requests exclusive write permissions. This fails when the migration completes and correctly displays an error. However, a manual 'cont' will incorrectly resume the VM without calling blk_root_activate() again.

This case is described in more detail in the following bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1531888

Fix this by correctly restoring the BDRV_O_INACTIVE flag in the error path.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 78fc3b3a26c145eebcdee992988644974b243a74)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27 | tpm: Make sure the locality received from backend is valid | Stefan Berger

Make sure that the locality passed from the backend to tpm_tis_request_completed() is valid.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from commit a639f96111eadb3b8e3021fd3f27e2948ad1c640)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27 | tpm: Make sure new locality passed to tpm_tis_prep_abort() is valid | Stefan Berger

Make sure that the new locality passed to tpm_tis_prep_abort() is valid. Add a comment to aborting_locty that it may be any locality, including TPM_TIS_NO_LOCALITY.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
(cherry picked from commit e92b63ea610201bd743343fc6b11e6c39c8d3515)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27 | exec.c: Don't reallocate IOMMUNotifiers that are in use | Peter Maydell

The tcg_register_iommu_notifier() code has a GArray of TCGIOMMUNotifier structs which it has registered by passing memory_region_register_iommu_notifier() a pointer to the embedded IOMMUNotifier field. Unfortunately, if we need to enlarge the array via g_array_set_size() this can cause a realloc(), which invalidates the pointer that memory_region_register_iommu_notifier() put into the MemoryRegion's iommu_notify list. This can result in segfaults.

Switch the GArray to holding pointers to the TCGIOMMUNotifier structs, so that we can individually allocate and free them.

Cc: qemu-stable@nongnu.org
Fixes: 1f871c5e6b0f30644a60a ("exec.c: Handle IOMMUs in address_space_translate_for_iotlb()")
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20190128174241.5860-1-peter.maydell@linaro.org
(cherry picked from commit 5601be3b01d73e21c09331599e2ce62df016ff94)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27 | s390x: Return specification exception for unimplemented diag 308 subcodes | Janosch Frank

The architecture specifies specification exceptions for all unavailable subcodes. The presence of subcodes is indicated by checking some query subcode. For example 6 will indicate that 3-6 are available.

So future systems might call new subcodes to check for new features. This should not trigger a hw error, instead we return the architectured specification exception.

Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20190111113657.66195-3-frankja@linux.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
(cherry picked from commit 37dbd1f4d4805edcd18d94eb202bb3461b3cd52d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27linux-user: make pwrite64/pread64(fd, NULL, 0, offset) return 0Peter Maydell
Linux returns success if pwrite64() or pread64() are called with a zero length NULL buffer, but QEMU was returning -TARGET_EFAULT. This is the same bug that we fixed in commit 58cfa6c2e6eb51b23cc9 for the write syscall, and long before that in 38d840e6790c29f59 for the read syscall. Fixes: https://bugs.launchpad.net/qemu/+bug/1810433 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20190108184900.9654-1-peter.maydell@linaro.org> Signed-off-by: Laurent Vivier <laurent@vivier.eu> (cherry picked from commit 2bd3f8998e1e7dcd9afc29fab252fb9936f9e956) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27hw/s390x: Fix bad mask in time2tod()Thomas Huth
Since "s390x/tcg: avoid overflows in time2tod/tod2time", the time2tod() function tries to deal with the 9 uppermost bits in the time value, but uses the wrong mask for this: 0xff80000000000000 should be used instead of 0xff10000000000000 here. Fixes: 14055ce53c2d901d826ffad7fb7d6bb8ab46bdfd Cc: qemu-stable@nongnu.org Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <1544792887-14575-1-git-send-email-thuth@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com> [CH: tweaked commit message] Signed-off-by: Cornelia Huck <cohuck@redhat.com> (cherry picked from commit aba7a5a2de3dba5917024df25441f715b9249e31) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27pc:piix4: Update smbus I/O space after a migrationCorey Minyard
Otherwise it won't be set up correctly and won't work after migration. Signed-off-by: Corey Minyard <cminyard@mvista.com> Cc: Igor Mammedov <imammedo@redhat.com> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 2b4e573c7c7b9a698ba6931ba456bbd8d3d8c84c) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27pcie: set link state inactive/active after hot unplug/plugZheng Xiang
When a VM boots from the latest version of the Linux kernel, after hot-unplugging virtio-blk disks which are hotplugged into pcie-root-port, the VM's dmesg log shows:
[ 151.046242] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0001 from Slot Status
[ 151.046365] pciehp 0000:00:05.0:pcie004: Slot(0-3): Attention button pressed
[ 151.046369] pciehp 0000:00:05.0:pcie004: Slot(0-3): Powering off due to button press
[ 151.046420] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 151.046425] pciehp 0000:00:05.0:pcie004: pciehp_green_led_blink: SLOTCTRL a8 write cmd 200
[ 151.046464] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 151.046468] pciehp 0000:00:05.0:pcie004: pciehp_set_attention_status: SLOTCTRL a8 write cmd c0
[ 156.163421] pciehp 0000:00:05.0:pcie004: pciehp_get_power_status: SLOTCTRL a8 value read 2f1
[ 156.163427] pciehp 0000:00:05.0:pcie004: pciehp_unconfigure_device: domain:bus:dev = 0000:06:00
[ 156.198736] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 156.198772] pciehp 0000:00:05.0:pcie004: pciehp_power_off_slot: SLOTCTRL a8 write cmd 400
[ 157.224124] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0018 from Slot Status
[ 157.224194] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300
[ 157.224220] pciehp 0000:00:05.0:pcie004: pciehp_check_link_active: lnk_status = 2011
[ 157.224223] pciehp 0000:00:05.0:pcie004: Slot(0-3): Link Up
[ 157.224233] pciehp 0000:00:05.0:pcie004: pciehp_get_power_status: SLOTCTRL a8 value read 7f1
[ 157.224281] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 157.224285] pciehp 0000:00:05.0:pcie004: pciehp_power_on_slot: SLOTCTRL a8 write cmd 0
[ 157.224300] pciehp 0000:00:05.0:pcie004: __pciehp_link_set: lnk_ctrl = 0
[ 157.224336] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 157.224339] pciehp 0000:00:05.0:pcie004: pciehp_green_led_blink: SLOTCTRL a8 write cmd 200
[ 159.739294] pci 0000:06:00.0 id reading try 50 times with interval 20 ms to get ffffffff
[ 159.739315] pciehp 0000:00:05.0:pcie004: pciehp_check_link_status: lnk_status = 2011
[ 159.739318] pciehp 0000:00:05.0:pcie004: Failed to check link status
[ 159.739371] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 159.739394] pciehp 0000:00:05.0:pcie004: pciehp_power_off_slot: SLOTCTRL a8 write cmd 400
[ 160.771426] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 160.771452] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300
[ 160.771495] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 160.771499] pciehp 0000:00:05.0:pcie004: pciehp_set_attention_status: SLOTCTRL a8 write cmd 40
[ 160.771535] pciehp 0000:00:05.0:pcie004: pending interrupts 0x0010 from Slot Status
[ 160.771539] pciehp 0000:00:05.0:pcie004: pciehp_green_led_off: SLOTCTRL a8 write cmd 300
After analyzing the log information, it seems that qemu doesn't change the Link Status from active to inactive after hot-unplug. This results in the abnormal log after the linux kernel commit d331710ea78fea was merged. Furthermore, if I hotplug the same virtio-blk disk after hot-unplug, the virtio-blk would turn on and then back off. So this patch sets the Link Status inactive after hot-unplug and active after hot-plug. Signed-off-by: Zheng Xiang <zhengxiang9@huawei.com> Signed-off-by: Zheng Xiang <xiang.zheng@linaro.org> Cc: Wang Haibin <wanghaibin.wang@huawei.com> Cc: qemu-stable@nongnu.org Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 2f2b18f60bf17453b4c01197a9316615a3c1f1de) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27Changes requirement for "vsubsbs" instructionPaul A. Clarke
Changes requirement for "vsubsbs" instruction, which has been supported since ISA 2.03. (Please see section 5.9.1.2 of ISA 2.03) Reported-by: Paul A. Clarke <pc@us.ibm.com> Signed-off-by: Paul A. Clarke <pc@us.ibm.com> Signed-off-by: Leonardo Bras <leonardo@linux.vnet.ibm.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> (cherry picked from commit fcfbc18d00b10335310c9665edd6e04f2d152be8) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27iotests: make 235 work on s390 (and others)Christian Borntraeger
"-machine pc" will not work on all architectures. Let's fall back to the default machine by not specifying it. In addition we also need to specify -no-shutdown on s390 as qemu will exit otherwise. Cc: qemu-stable@nongnu.org Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com> (cherry picked from commit 2c26e648e4350079b0c86a6627b2d3566c3709c0) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2019-03-27i2c: Move typedef of bitbang_i2c_interface to i2c.hBALATON Zoltan
Clang 3.4 considers a duplicate typedef in ppc4xx_i2c.h and bitbang_i2c.h an error even if they are identical. Move it to a common place to allow building with this clang version. Reported-by: Thomas Huth <thuth@redhat.com> Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> Acked-by: David Gibson <david@gibson.dropbear.id.au> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com> (cherry picked from commit 2b4c1125ac3db2734222ff43c25388a16aca4a99) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2018-12-11Update version for v3.1.0 releasev3.1.0Peter Maydell
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-12-06Update version for v3.1.0-rc5 releasev3.1.0-rc5Peter Maydell
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-12-06i2c: pm_smbus: check smb_index before block transfer writePrasad J Pandit
While performing a block transfer write in smb_ioport_writeb(), 'smb_index' is incremented and used to index smb_data[] array. Check 'smb_index' value to avoid OOB access. Note that this bug is exploitable by a guest to escape from the virtual machine. However the commit which introduced the bug was only made after the 3.0 release, and so it is not present in any released QEMU versions. Fixes: 38ad4fae43 i2c: pm_smbus: Add block transfer capability Reported-by: Michael Hanselmann <public@hansmi.ch> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Igor Mammedov <imammedo@redhat.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Michael Hanselmann <public@hansmi.ch> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Message-id: 20181206121830.6177-1-ppandit@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
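The unbounded-index bug and its bound check, as an added model that is not QEMU's pm_smbus code: the PMSMBus layout, the 8-bit smb_index, the smb_data()/neighbour() accessors and the handler names are assumptions of this demo. The block buffer and the byte that follows it share one 256-entry backing array so that every index a guest can produce stays a well-defined access here, while an index of 32 is still one past the 32-byte SMBus block buffer, which is where the real struct's next field would be overwritten.

```c
#include <stdint.h>
#include <string.h>

#define SMB_BLOCK_MAX 32   /* an SMBus block transfer carries at most 32 data bytes */

/* Hypothetical device state. smb_index is modelled as an 8-bit register, so a
 * 256-byte backing array keeps every index in bounds for the demo; the byte at
 * offset 32 stands for whatever follows smb_data[] in the real struct. */
typedef struct PMSMBus {
    uint8_t backing[256];
    uint8_t smb_index;
    int block_transfer;
} PMSMBus;

#define smb_data(s)   ((s)->backing)
#define neighbour(s)  ((s)->backing[SMB_BLOCK_MAX])

static void smb_reset(PMSMBus *s)
{
    memset(s, 0, sizeof *s);
    s->block_transfer = 1;
    neighbour(s) = 0xA5;   /* sentinel that reveals an overwrite */
}

/* Pre-fix behaviour: every byte the guest writes to the block-data register
 * is stored at smb_index, which is incremented with no upper bound. */
static void smb_write_data_unchecked(PMSMBus *s, uint8_t val)
{
    if (s->block_transfer) {
        smb_data(s)[s->smb_index++] = val;
    }
}

/* Post-fix behaviour: refuse the byte once 32 have been stored. Returns 0 if
 * the byte was stored, -1 if it was dropped. */
static int smb_write_data_checked(PMSMBus *s, uint8_t val)
{
    if (!s->block_transfer || s->smb_index >= SMB_BLOCK_MAX) {
        return -1;
    }
    smb_data(s)[s->smb_index++] = val;
    return 0;
}

/* A guest that sends one byte more than the buffer holds. Returns the value of
 * the byte after the buffer: 0x41 when it was overwritten, 0xA5 when intact. */
int neighbour_after_unchecked(void)
{
    PMSMBus s;
    smb_reset(&s);
    for (int i = 0; i < SMB_BLOCK_MAX + 1; i++) {
        smb_write_data_unchecked(&s, 0x41);
    }
    return neighbour(&s);
}

int neighbour_after_checked(void)
{
    PMSMBus s;
    smb_reset(&s);
    for (int i = 0; i < SMB_BLOCK_MAX + 1; i++) {
        smb_write_data_checked(&s, 0x41);
    }
    return neighbour(&s);
}

/* Number of writes the checked handler drops for the same guest sequence (1). */
int dropped_by_checked(void)
{
    PMSMBus s;
    smb_reset(&s);
    int dropped = 0;
    for (int i = 0; i < SMB_BLOCK_MAX + 1; i++) {
        dropped += smb_write_data_checked(&s, 0x41) < 0;
    }
    return dropped;
}
```

The check is on the index before the store, not on the byte count the guest announced: a guest controls both the announced length and how many bytes it actually sends, so only the index the device itself maintains is trustworthy.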
2018-12-04Update version for v3.1.0-rc4 releasev3.1.0-rc4Peter Maydell
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-12-04virtio-net-test: add large tx buffer testJason Wang
This test tries to build a packet whose size is greater than INT_MAX, which tries to trigger an integer overflow in qemu_net_queue_append_iov() that may result in OOB. Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-id: 20181204035347.6148-6-jasowang@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-12-04virtio-net-test: remove unused macroJason Wang
Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Message-id: 20181204035347.6148-5-jasowang@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-12-04virtio-net-test: accept variable length argument in pci_test_start()Jason Wang
This allows flexibility to be reused for all kinds of command line used by other tests. Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Message-id: 20181204035347.6148-4-jasowang@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-12-04net: hub: suppress warnings of no host network for qtestJason Wang
If we want to qtest through hub, it would be much simpler and safer to configure the hub without host network. So silence these warnings for qtest. Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-id: 20181204035347.6148-3-jasowang@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2018-12-04net: drop too large packet earlyJason Wang
We try to detect and drop too-large packets (>INT_MAX) in 1592a9947036 ("net: ignore packet size greater than INT_MAX") during packet delivering. Unfortunately, this is not sufficient as we may hit another integer overflow when trying to queue such a large packet in qemu_net_queue_append_iov():
- size of the allocation may overflow on 32bit
- packet->size is integer which may overflow even on 64bit
Fix this by moving the check to qemu_sendv_packet_async() which is the entrance of all networking code and reducing the limit to NET_BUFSIZE to be more conservative. This works since:
- For the callers that call qemu_sendv_packet_async() directly, they only care about whether zero is returned to determine whether to prevent the source from producing more packets. A callback will be triggered if the peer can accept more, then the source could be enabled. This is usually used by high speed networking implementations like virtio-net or netmap.
- For the callers that call qemu_sendv_packet() that calls qemu_sendv_packet_async() indirectly, they often ignore the return value. In this case qemu will just drop the packets if the peer can't receive. Qemu will copy the packet if it was queued.
So it was safe for both kinds of callers to assume the packet was sent. Since we move the check from qemu_deliver_packet_iov() to qemu_sendv_packet_async(), it would be safer to make qemu_deliver_packet_iov() static to prevent any external user in the future. This is a revised patch of CVE-2018-17963. Cc: qemu-stable@nongnu.org Cc: Li Qiang <liq3ea@163.com> Fixes: 1592a9947036 ("net: ignore packet size greater than INT_MAX") Reported-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-id: 20181204035347.6148-2-jasowang@redhat.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
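The two overflows named in the commit and the early check that replaces them, as an added example that is not QEMU's net/queue.c: the NetPacket layout, the function names and the constructed iovecs are this demo's own, and the NET_BUFSIZE value (4096 + 65536) is assumed to match QEMU's rather than taken from the page. The 32-bit accumulation shows how two 2 GiB fragments sum to zero; the checked path computes the total in size_t, keeps the running total at or below NET_BUFSIZE so the comparison itself can never overflow, and rejects before allocating or copying anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Assumed to match QEMU's NET_BUFSIZE; treat the value as an assumption. */
#define NET_BUFSIZE (4096 + 65536)

/* Hypothetical queued packet with the payload in the same allocation. */
typedef struct NetPacket {
    size_t size;
    uint8_t data[];
} NetPacket;

/* The pre-fix hazard: fragment lengths summed into a 32-bit integer, so two
 * 2 GiB fragments add up to 0 and sizeof(NetPacket) + 0 bytes would be
 * allocated for 4 GiB of payload. Done in uint32_t so the wrap is defined
 * behaviour in this demo rather than signed-overflow UB. */
uint32_t iov_size_wrapping32(const struct iovec *iov, int iovcnt)
{
    uint32_t size = 0;
    for (int i = 0; i < iovcnt; i++) {
        size += (uint32_t)iov[i].iov_len;
    }
    return size;
}

/* The post-fix rule at the single entry point: accumulate in size_t and keep
 * total <= NET_BUFSIZE at every step, so "remaining headroom" never
 * underflows and the comparison cannot be fooled. Returns 0 or -1. */
int net_check_iov_size(const struct iovec *iov, int iovcnt, size_t *total_out)
{
    size_t total = 0;
    for (int i = 0; i < iovcnt; i++) {
        if (iov[i].iov_len > (size_t)NET_BUFSIZE - total) {
            return -1;
        }
        total += iov[i].iov_len;
    }
    *total_out = total;
    return 0;
}

/* Queue only after the check passed; NULL means the packet was dropped. */
NetPacket *queue_append_iov(const struct iovec *iov, int iovcnt)
{
    size_t total, off = 0;
    if (net_check_iov_size(iov, iovcnt, &total) < 0) {
        return NULL;
    }
    NetPacket *p = malloc(sizeof *p + total);
    if (!p) {
        return NULL;
    }
    p->size = total;
    for (int i = 0; i < iovcnt; i++) {
        memcpy(p->data + off, iov[i].iov_base, iov[i].iov_len);
        off += iov[i].iov_len;
    }
    return p;
}

/* Constructed input: a 14-byte header plus 1486 bytes of payload. Returns the
 * queued size (1500). */
int demo_small_packet(void)
{
    static uint8_t hdr[14], payload[1486];
    struct iovec iov[2] = {
        { .iov_base = hdr, .iov_len = sizeof hdr },
        { .iov_base = payload, .iov_len = sizeof payload },
    };
    NetPacket *p = queue_append_iov(iov, 2);
    int size = p ? (int)p->size : -1;
    free(p);
    return size;
}

/* Constructed input: two 2 GiB fragments with no backing memory. Only their
 * lengths matter to the check, and nothing ever copies them because the
 * check rejects first. Returns 1 when the 32-bit sum wraps to 0 and the
 * queue refuses the packet. */
int demo_oversized_rejected(void)
{
    struct iovec iov[2] = {
        { .iov_base = NULL, .iov_len = (size_t)0x80000000u },
        { .iov_base = NULL, .iov_len = (size_t)0x80000000u },
    };
    return iov_size_wrapping32(iov, 2) == 0 && queue_append_iov(iov, 2) == NULL;
}
```

Checking at the one entry point every sender passes through is what makes the limit enforceable; a check placed further down the delivery path, as the commit notes, leaves the queueing allocation reachable with an already-wrapped size.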