4 years agoUpdate version for 2.6.2 release stable-2.6 github/stable-2.6 v2.6.2
Michael Roth [Thu, 29 Sep 2016 19:57:09 +0000 (14:57 -0500)] 
Update version for 2.6.2 release

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agos390x/css: handle cssid 255 correctly
Cornelia Huck [Mon, 15 Aug 2016 09:10:28 +0000 (11:10 +0200)] 
s390x/css: handle cssid 255 correctly

The cssid 255 is reserved but still valid from an architectural
point of view. However, feeding a bogus schid of 0xffffffff into
the virtio hypercall will lead to a crash:

Stack trace of thread 138363:
        #0  0x00000000100d168c css_find_subch (qemu-system-s390x)
        #1  0x00000000100d3290 virtio_ccw_hcall_notify
        #2  0x00000000100cbf60 s390_virtio_hypercall
        #3  0x000000001010ff7a handle_hypercall
        #4  0x0000000010079ed4 kvm_cpu_exec (qemu-system-s390x)
        #5  0x00000000100609b4 qemu_kvm_cpu_thread_fn
        #6  0x000003ff8b887bb4 start_thread (libpthread.so.0)
        #7  0x000003ff8b78df0a thread_start (libc.so.6)

This is because the css array was only allocated for 0..254
instead of 0..255.

Let's fix this by bumping MAX_CSSID to 255 and fencing off the
reserved cssid of 255 during css image allocation.

Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit 882b3b97697affb36ca3d174f42f846232008979)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoahci: clear aiocb in ncq_cb
John Snow [Mon, 26 Sep 2016 18:33:37 +0000 (14:33 -0400)] 
ahci: clear aiocb in ncq_cb

Similar to existing fixes for IDE (87ac25fd) and ATAPI (7f951b2d), the
AIOCB must be cleared in the callback. Otherwise, we may accidentally
try to reset a dangling pointer in bdrv_aio_cancel() from a port reset.

Signed-off-by: John Snow <jsnow@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1474575040-32079-2-git-send-email-jsnow@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovnc: fix incorrect checking condition when updating client
Gonglei [Fri, 8 Jul 2016 03:37:36 +0000 (11:37 +0800)] 
vnc: fix incorrect checking condition when updating client

vs->disconnecting is set to TRUE and vs->ioc is closed, but
vs->ioc isn't set to NULL, so that the vnc_disconnect_finish()
isn't invoked when you update client in vnc_update_client()
after vnc_disconnect_start invoked. Let's using change the checking
condition to avoid resource leak.

Signed-off-by: Haibin Wang <wanghaibin.wang@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 1467949056-81208-1-git-send-email-arei.gonglei@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 5a693efda84d7df5136cc2bd31c959bb1530b0c9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovnc-enc-tight: fix off-by-one bug
Herongguang (Stephen) [Tue, 12 Jul 2016 09:31:23 +0000 (17:31 +0800)] 
vnc-enc-tight: fix off-by-one bug

In tight_encode_indexed_rect32, buf(or src)’s size is count. In for loop,
the logic is supposed to be that i is an index into src, i should be
incremented when incrementing src.

This is broken when src is incremented but i is not before while loop,
resulting in off-by-one bug in while loop.

Signed-off-by: He Rongguang <herongguang.he@huawei.com>
Message-id: 5784B8EB.7010008@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 3f7e51bca3ef2d64c53b35ab9916c99e4a9e3c69)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovnc: make sure we finish disconnect
Gerd Hoffmann [Wed, 13 Jul 2016 10:21:20 +0000 (12:21 +0200)] 
vnc: make sure we finish disconnect

It may happen that vnc connections linger in disconnecting state forever
because VncState happens to be in a state where vnc_update_client()
exists early and never reaches the vnc_disconnect_finish() call at the
bottom of the function.  Fix that by doing an additinal check at the
start of the function.


Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1468405280-2571-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 5a8be0f73d6f60ff08746377eb09ca459f39deab)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovnc: don't crash getting server info if lsock is NULL
Daniel P. Berrange [Tue, 2 Aug 2016 10:45:24 +0000 (11:45 +0100)] 
vnc: don't crash getting server info if lsock is NULL

When VNC is started with '-vnc none' there will be no
listener socket present. When we try to populate the
VncServerInfo we'll crash accessing a NULL 'lsock'

 #0  qio_channel_socket_get_local_address (ioc=0x0, errp=errp@entry=0x7ffd5b8aa0f0) at io/channel-socket.c:33
 #1  0x00007f4b9a297d6f in vnc_init_basic_info_from_server_addr (errp=0x7ffd5b8aa0f0, info=0x7f4b9d425460, ioc=<optimized out>)  at ui/vnc.c:146
 #2  vnc_server_info_get (vd=0x7f4b9e858000) at ui/vnc.c:223
 #3  0x00007f4b9a29d318 in vnc_qmp_event (vs=0x7f4b9ef82000, vs=0x7f4b9ef82000, event=QAPI_EVENT_VNC_CONNECTED) at ui/vnc.c:279
 #4  vnc_connect (vd=vd@entry=0x7f4b9e858000, sioc=sioc@entry=0x7f4b9e8b3a20, skipauth=skipauth@entry=true, websocket=websocket @entry=false) at ui/vnc.c:2994
 #5  0x00007f4b9a29e8c8 in vnc_display_add_client (id=<optimized out>, csock=<optimized out>, skipauth=<optimized out>) at ui/v nc.c:3825
 #6  0x00007f4b9a18d8a1 in qmp_marshal_add_client (args=<optimized out>, ret=<optimized out>, errp=0x7ffd5b8aa230) at qmp-marsh al.c:123
 #7  0x00007f4b9a0b53f5 in handle_qmp_command (parser=<optimized out>, tokens=<optimized out>) at /usr/src/debug/qemu-2.6.0/mon itor.c:3922
 #8  0x00007f4b9a348580 in json_message_process_token (lexer=0x7f4b9c78dfe8, input=0x7f4b9c7350e0, type=JSON_RCURLY, x=111, y=5 9) at qobject/json-streamer.c:94
 #9  0x00007f4b9a35cfeb in json_lexer_feed_char (lexer=lexer@entry=0x7f4b9c78dfe8, ch=125 '}', flush=flush@entry=false) at qobj ect/json-lexer.c:310
 #10 0x00007f4b9a35d0ae in json_lexer_feed (lexer=0x7f4b9c78dfe8, buffer=<optimized out>, size=<optimized out>) at qobject/json -lexer.c:360
 #11 0x00007f4b9a348679 in json_message_parser_feed (parser=<optimized out>, buffer=<optimized out>, size=<optimized out>) at q object/json-streamer.c:114
 #12 0x00007f4b9a0b3a1b in monitor_qmp_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>) at /usr/src/deb ug/qemu-2.6.0/monitor.c:3938
 #13 0x00007f4b9a186751 in tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x7f4b9c7add40) at qemu-char.c:2895
 #14 0x00007f4b92b5c79a in g_main_context_dispatch () from /lib64/libglib-2.0.so.0
 #15 0x00007f4b9a2bb0c0 in glib_pollfds_poll () at main-loop.c:213
 #16 os_host_main_loop_wait (timeout=<optimized out>) at main-loop.c:258
 #17 main_loop_wait (nonblocking=<optimized out>) at main-loop.c:506
 #18 0x00007f4b9a0835cf in main_loop () at vl.c:1934
 #19 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4667

Do an upfront check for a NULL lsock and report an error to
the caller, which matches behaviour from before

  commit 04d2529da27db512dcbd5e99d0e26d333f16efcc
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Fri Feb 27 16:20:57 2015 +0000

    ui: convert VNC server to use QIOChannelSocket

where getsockname() would be given a FD value -1 and thus report
an error to the caller.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 1470134726-15697-2-git-send-email-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 624cdd46d7f67fa2d23e87ffe0a36a569edde11a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovnc: ensure connection sharing/limits is always configured
Daniel P. Berrange [Tue, 2 Aug 2016 10:45:26 +0000 (11:45 +0100)] 
vnc: ensure connection sharing/limits is always configured

The connection sharing / limits are only set in the
vnc_display_open() method and so missed when VNC is running
with '-vnc none'. This in turn prevents clients being added
to the VNC server with the QMP "add_client" command.

This was introduced in

  commit e5f34cdd2da54f28d90889a3afd15fad2d6105ff
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   Thu Oct 2 12:09:34 2014 +0200

      vnc: track & limit connections

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 1470134726-15697-4-git-send-email-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 12e29b1682e0a50ed57c324152addb585ae5ce69)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovnc: fix crash when vnc_server_info_get has an error
Daniel P. Berrange [Tue, 2 Aug 2016 10:45:25 +0000 (11:45 +0100)] 
vnc: fix crash when vnc_server_info_get has an error

The vnc_server_info_get will allocate the VncServerInfo
struct and then call vnc_init_basic_info_from_server_addr
to populate the basic fields. If this returns an error
though, the qapi_free_VncServerInfo call will then crash
because the VncServerInfo struct instance was not properly
NULL-initialized and thus contains random stack garbage.

 #0  0x00007f1987c8e6f5 in raise () at /lib64/libc.so.6
 #1  0x00007f1987c902fa in abort () at /lib64/libc.so.6
 #2  0x00007f1987ccf600 in __libc_message () at /lib64/libc.so.6
 #3  0x00007f1987cd7d4a in _int_free () at /lib64/libc.so.6
 #4  0x00007f1987cdb2ac in free () at /lib64/libc.so.6
 #5  0x00007f198b654f6e in g_free () at /lib64/libglib-2.0.so.0
 #6  0x0000559193cdcf54 in visit_type_str (v=v@entry=
     0x5591972f14b0, name=name@entry=0x559193de1e29 "host", obj=obj@entry=0x5591961dbfa0, errp=errp@entry=0x7fffd7899d80)
     at qapi/qapi-visit-core.c:255
 #7  0x0000559193cca8f3 in visit_type_VncBasicInfo_members (v=v@entry=
     0x5591972f14b0, obj=obj@entry=0x5591961dbfa0, errp=errp@entry=0x7fffd7899dc0) at qapi-visit.c:12307
 #8  0x0000559193ccb523 in visit_type_VncServerInfo_members (v=v@entry=
     0x5591972f14b0, obj=0x5591961dbfa0, errp=errp@entry=0x7fffd7899e00) at qapi-visit.c:12632
 #9  0x0000559193ccb60b in visit_type_VncServerInfo (v=v@entry=
     0x5591972f14b0, name=name@entry=0x0, obj=obj@entry=0x7fffd7899e48, errp=errp@entry=0x0) at qapi-visit.c:12658
 #10 0x0000559193cb53d8 in qapi_free_VncServerInfo (obj=<optimized out>) at qapi-types.c:3970
 #11 0x0000559193c1e6ba in vnc_server_info_get (vd=0x7f1951498010) at ui/vnc.c:233
 #12 0x0000559193c24275 in vnc_connect (vs=0x559197b2f200, vs=0x559197b2f200, event=QAPI_EVENT_VNC_CONNECTED) at ui/vnc.c:284
 #13 0x0000559193c24275 in vnc_connect (vd=vd@entry=0x7f1951498010, sioc=sioc@entry=0x559196bf9c00, skipauth=skipauth@entry=tru e, websocket=websocket@entry=false) at ui/vnc.c:3039
 #14 0x0000559193c25806 in vnc_display_add_client (id=<optimized out>, csock=<optimized out>, skipauth=<optimized out>)
     at ui/vnc.c:3877
 #15 0x0000559193a90c28 in qmp_marshal_add_client (args=<optimized out>, ret=<optimized out>, errp=0x7fffd7899f90)
     at qmp-marshal.c:105
 #16 0x000055919399c2b7 in handle_qmp_command (parser=<optimized out>, tokens=<optimized out>)
     at /home/berrange/src/virt/qemu/monitor.c:3971
 #17 0x0000559193ce3307 in json_message_process_token (lexer=0x559194ab0838, input=0x559194a6d940, type=JSON_RCURLY, x=111, y=1 2) at qobject/json-streamer.c:105
 #18 0x0000559193cfa90d in json_lexer_feed_char (lexer=lexer@entry=0x559194ab0838, ch=125 '}', flush=flush@entry=false)
     at qobject/json-lexer.c:319
 #19 0x0000559193cfaa1e in json_lexer_feed (lexer=0x559194ab0838, buffer=<optimized out>, size=<optimized out>)
     at qobject/json-lexer.c:369
 #20 0x0000559193ce33c9 in json_message_parser_feed (parser=<optimized out>, buffer=<optimized out>, size=<optimized out>)
     at qobject/json-streamer.c:124
 #21 0x000055919399a85b in monitor_qmp_read (opaque=<optimized out>, buf=<optimized out>, size=<optimized out>)
     at /home/berrange/src/virt/qemu/monitor.c:3987
 #22 0x0000559193a87d00 in tcp_chr_read (chan=<optimized out>, cond=<optimized out>, opaque=0x559194a7d900)
     at qemu-char.c:2895
 #23 0x00007f198b64f703 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
 #24 0x0000559193c484b3 in main_loop_wait () at main-loop.c:213
 #25 0x0000559193c484b3 in main_loop_wait (timeout=<optimized out>) at main-loop.c:258
 #26 0x0000559193c484b3 in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:506
 #27 0x0000559193964c55 in main () at vl.c:1908
 #28 0x0000559193964c55 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4603

This was introduced in

  commit 98481bfcd661daa3c160cc87a297b0e60a307788
  Author: Eric Blake <eblake@redhat.com>
  Date:   Mon Oct 26 16:34:45 2015 -0600

    vnc: Hoist allocation of VncBasicInfo to callers

which added error reporting for vnc_init_basic_info_from_server_addr
but didn't change the g_malloc calls to g_malloc0.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 1470134726-15697-3-git-send-email-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 3e7f136d8b4383d99f1b034a045b73f9b12a4eae)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoui: avoid crash if vnc client disconnects with writes pending
Daniel P. Berrange [Mon, 27 Jun 2016 15:48:49 +0000 (16:48 +0100)] 
ui: avoid crash if vnc client disconnects with writes pending

The vnc_client_read() function is called from the vnc_client_io()
event handler callback when there is incoming data to process.
If it detects that the client has disconnected, then it will
trigger cleanup and free'ing of the VncState client struct at
a safe time.

Unfortunately, the vnc_client_io() event handler will also call
vnc_client_write() to handle any outgoing data writes. So if
vnc_client_io() was invoked with both G_IO_IN and G_IO_OUT
events set, and the client disconnects, we may try to write to
a client which has just been freed.


Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 1467042529-3372-1-git-send-email-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit ea697449884d83b83fefbc9cd87bdde0c94b49d6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovirtio-scsi: Don't abort when media is ejected
Fam Zheng [Wed, 14 Sep 2016 10:17:04 +0000 (18:17 +0800)] 
virtio-scsi: Don't abort when media is ejected

With an ejected block backend, blk_get_aio_context() would return
qemu_aio_context. In this case don't assert.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1473848224-24809-3-git-send-email-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 2a2d69f490c1b1dc6b6d2aef385ee7b654497a77)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi-disk: Cleaning up around tray open state
Fam Zheng [Wed, 14 Sep 2016 10:17:03 +0000 (18:17 +0800)] 
scsi-disk: Cleaning up around tray open state

Even if tray is not open, it can be empty (blk_is_inserted() == false).
Handle both cases correctly by replacing the s->tray_open checks with
blk_is_available(), which is an AND of the two.

Also simplify successive checks of them into blk_is_available(), in a
couple cases.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1473848224-24809-2-git-send-email-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit cd723b85601baa7a0eeffbac83421357a70d81ee)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoiothread: Stop threads before main() quits
Fam Zheng [Thu, 8 Sep 2016 09:28:51 +0000 (17:28 +0800)] 
iothread: Stop threads before main() quits

Right after main_loop ends, we release various things but keep iothread
alive. The latter is not prepared to the sudden change of resources.

Specifically, after bdrv_close_all(), virtio-scsi dataplane get a
surprise at the empty BlockBackend:

(gdb) bt
    at /usr/src/debug/qemu-2.6.0/hw/scsi/virtio-scsi.c:543
    at /usr/src/debug/qemu-2.6.0/hw/scsi/virtio-scsi.c:577

It is because the d->conf.blk->root is set to NULL, then
blk_get_aio_context() returns qemu_aio_context, whereas s->ctx is still
pointing to the iothread:


    if (s->dataplane_started) {
        assert(blk_get_aio_context(d->conf.blk) == s->ctx);

To fix this, let's stop iothreads before doing bdrv_close_all().

Cc: qemu-stable@nongnu.org
Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1473326931-9699-1-git-send-email-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit dce8921b2baaf95974af8176406881872067adfa)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agocrypto: ensure XTS is only used with ciphers with 16 byte blocks
Daniel P. Berrange [Wed, 24 Aug 2016 15:28:15 +0000 (16:28 +0100)] 
crypto: ensure XTS is only used with ciphers with 16 byte blocks

The XTS cipher mode needs to be used with a cipher which has
a block size of 16 bytes. If a mis-matching block size is used,
the code will either corrupt memory beyond the IV array, or
not fully encrypt/decrypt the IV.

This fixes a memory corruption crash when attempting to use
cast5-128 with xts, since the former has an 8 byte block size.

A test case is added to ensure the cipher creation fails with
such an invalid combination.

Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit a5d2f44d0d3e7523670e103a8c37faed29ff2b76)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
Paolo Bonzini [Mon, 29 Aug 2016 09:35:37 +0000 (11:35 +0200)] 
scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK

These issues cause respectively a QEMU crash and a leak of 2 bytes of
stack.  They were discovered by VictorV of 360 Marvel Team.

Reported-by: Tom Victor <i-tangtianwen@360.cm>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: mptconfig: fix an assert expression
Prasad J Pandit [Wed, 31 Aug 2016 12:06:07 +0000 (17:36 +0530)] 
scsi: mptconfig: fix an assert expression

When LSI SAS1068 Host Bus emulator builds configuration page
headers, mptsas_config_pack() should assert that the size
fits in a byte.  However, the size is expressed in 32-bit
units, so up to 1020 bytes fit.  The assertion was only
allowing replies up to 252 bytes, so fix it.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovmw_pvscsi: check page count while initialising descriptor rings
Prasad J Pandit [Wed, 31 Aug 2016 06:49:29 +0000 (12:19 +0530)] 
vmw_pvscsi: check page count while initialising descriptor rings

Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the page count for these rings to
an arbitrary value, leading to infinite loop or OOB access.
Add check to avoid it.

Reported-by: Tom Victor <vv474172261@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7f61f4690dd153be98900a2a508b88989e692753)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi-disk: change disk serial length from 20 to 36
Rony Weng [Mon, 29 Aug 2016 07:52:18 +0000 (15:52 +0800)] 
scsi-disk: change disk serial length from 20 to 36

Openstack Cinder assigns volume a 36 characters uuid as serial.
QEMU will shrinks the uuid to 20 characters, which does not match
the original uuid.

Note that there is no limit to the length of the serial number in
the SCSI spec.  20 was copy-pasted from virtio-blk which in turn was
copy-pasted from ATA; 36 is even more arbitrary.  However, bumping it
up too much might cause issues (e.g. 252 seems to make sense because
then the maximum amount of returned data is 256; but who knows there's
no off-by-one somewhere for such a nicely rounded number).

Signed-off-by: Rony Weng <ronyweng@synology.com>
Message-Id: <1472457138-23386-1-git-send-email-ronyweng@synology.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 48b6206305b8d56524ac2ee347b68e6e0a528559)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoqemu-char: avoid segfault if user lacks of permisson of a given logfile
Lin Ma [Wed, 14 Sep 2016 06:22:50 +0000 (14:22 +0800)] 
qemu-char: avoid segfault if user lacks of permisson of a given logfile

Function qemu_chr_alloc returns NULL if it failed to open logfile by any reason,
says no write permission. For backends tty, stdio and msmouse, They need to
check this return value to avoid segfault in this case.

Signed-off-by: Lin Ma <lma@suse.com>
Cc: qemu-stable <qemu-stable@nongnu.org>
Message-Id: <20160914062250.22226-1-lma@suse.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 71200fb9664c2967a1cdd22b68b0da3a8b2b3eb7)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: pvscsi: limit process IO loop to ring size
Prasad J Pandit [Wed, 14 Sep 2016 09:39:12 +0000 (15:09 +0530)] 
scsi: pvscsi: limit process IO loop to ring size

Vmware Paravirtual SCSI emulator while processing IO requests
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
always returned positive value. Limit IO loop to the ring size.

Cc: qemu-stable@nongnu.org
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: mptsas: use g_new0 to allocate MPTSASRequest object
Li Qiang [Mon, 12 Sep 2016 12:44:11 +0000 (18:14 +0530)] 
scsi: mptsas: use g_new0 to allocate MPTSASRequest object

When processing IO request in mptsas, it uses g_new to allocate
a 'req' object. If an error occurs before 'req->sreq' is
allocated, It could lead to an OOB write in mptsas_free_request
function. Use g_new0 to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years ago9pfs: fix potential segfault during walk
Greg Kurz [Fri, 16 Sep 2016 09:44:49 +0000 (11:44 +0200)] 
9pfs: fix potential segfault during walk

If the call to fid_to_qid() returns an error, we will call v9fs_path_free()
on uninitialized paths.

It is a regression introduced by the following commit:

56f101ecce0e 9pfs: handle walk of ".." in the root directory

Let's fix this by initializing dpath and path before calling fid_to_qid().

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
[groug: updated the changelog to indicate this is regression and to provide
        the offending commit SHA1]
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit 13fd08e631ec0c3ff5ad1bdcb6a4474c7d9a024f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovnc: fix qemu crash because of SIGSEGV
Gonglei [Fri, 2 Sep 2016 03:58:18 +0000 (11:58 +0800)] 
vnc: fix qemu crash because of SIGSEGV

The backtrace is:

0x00007f0b75cdf880 in pixman_image_get_stride () from /lib64/libpixman-1.so.0
0x00007f0b77bcb3cf in vnc_server_fb_stride (vd=0x7f0b7a1a2bb0) at ui/vnc.c:680
vnc_dpy_copy (dcl=0x7f0b7a1a2c00, src_x=224, src_y=263, dst_x=319, dst_y=363, w=1, h=1) at ui/vnc.c:915
0x00007f0b77bbcc35 in dpy_gfx_copy (con=0x7f0b7a146210, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
dst_y=dst_y@entry=363, w=1, h=1) at ui/console.c:1575
0x00007f0b77bbda4e in qemu_console_copy (con=<optimized out>, src_x=src_x@entry=224, src_y=src_y@entry=263, dst_x=dst_x@entry=319,
dst_y=dst_y@entry=363, w=<optimized out>, h=<optimized out>) at ui/console.c:2111
0x00007f0b77ac0980 in cirrus_do_copy (h=<optimized out>, w=<optimized out>, src=<optimized out>, dst=<optimized out>, s=0x7f0b7b086090) at hw/display/cirrus_vga.c:774
cirrus_bitblt_videotovideo_copy (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:793
cirrus_bitblt_videotovideo (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:915
cirrus_bitblt_start (s=0x7f0b7b086090) at hw/display/cirrus_vga.c:1056
0x00007f0b77965cfb in memory_region_write_accessor (mr=0x7f0b7b096e40, addr=320, value=<optimized out>, size=1, shift=<optimized out>,mask=<optimized out>, attrs=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:525
0x00007f0b77963f59 in access_with_adjusted_size (addr=addr@entry=320, value=value@entry=0x7f0b69a268d8, size=size@entry=4,
access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=0x7f0b77965c80 <memory_region_write_accessor>,
mr=mr@entry=0x7f0b7b096e40, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:591
0x00007f0b77968315 in memory_region_dispatch_write (mr=mr@entry=0x7f0b7b096e40, addr=addr@entry=320, data=18446744073709551362,
size=size@entry=4, attrs=attrs@entry=...) at /root/rpmbuild/BUILD/master/qemu/memory.c:1262
0x00007f0b779256a9 in address_space_write_continue (mr=0x7f0b7b096e40, l=4, addr1=320, len=4, buf=0x7f0b77713028 "\002\377\377\377",
attrs=..., addr=4273930560, as=0x7f0b7827d280 <address_space_memory>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2544
address_space_write (as=<optimized out>, addr=<optimized out>, attrs=..., buf=<optimized out>, len=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2601
0x00007f0b77925c1d in address_space_rw (as=<optimized out>, addr=<optimized out>, attrs=..., attrs@entry=...,
buf=buf@entry=0x7f0b77713028 "\002\377\377\377", len=<optimized out>, is_write=<optimized out>) at /root/rpmbuild/BUILD/master/qemu/exec.c:2703
0x00007f0b77962f53 in kvm_cpu_exec (cpu=cpu@entry=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/kvm-all.c:1965
0x00007f0b77950cc6 in qemu_kvm_cpu_thread_fn (arg=0x7f0b79fcc2d0) at /root/rpmbuild/BUILD/master/qemu/cpus.c:1078
0x00007f0b744b3dc5 in start_thread (arg=0x7f0b69a27700) at pthread_create.c:308
0x00007f0b70d3d66d in clone () from /lib64/libc.so.6

The code path while meeting segfault:
     vnc_disconnect_finish [while vnc_disconnect_start() is invoked because somethins wrong]
         vd->server = NULL;

Let's add a non-NULL check before calling vnc_server_fb_stride() to avoid segmentation fault.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Daniel P. Berrange <berrange@redhat.com>
Reported-by: Yanying Zhuang <ann.zhuangyanying@huawei.com>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1472788698-120964-1-git-send-email-arei.gonglei@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 3e10c3ecfcaf604d8b400d6e463e1a186ce97d9b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovirtio-balloon: discard virtqueue element on reset
Ladi Prosek [Wed, 7 Sep 2016 15:20:47 +0000 (17:20 +0200)] 
virtio-balloon: discard virtqueue element on reset

The one pending element is being freed but not discarded on device
reset, which causes svq->inuse to creep up, eventually hitting the
"Virtqueue size exceeded" error.

Properly discarding the element on device reset makes sure that its
buffers are unmapped and the inuse counter stays balanced.

Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Roman Kagan <rkagan@virtuozzo.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 104e70cae78bd4afd95d948c6aff188f10508a9c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovirtio: zero vq->inuse in virtio_reset()
Stefan Hajnoczi [Wed, 7 Sep 2016 15:51:25 +0000 (11:51 -0400)] 
virtio: zero vq->inuse in virtio_reset()

vq->inuse must be zeroed upon device reset like most other virtqueue

In theory, virtio_reset() just needs assert(vq->inuse == 0) since
devices must clean up in-flight requests during reset (requests cannot
not be leaked!).

In practice, it is difficult to achieve vq->inuse == 0 across reset
because balloon, blk, 9p, etc implement various different strategies for
cleaning up requests.  Most devices call g_free(elem) directly without
telling virtio.c that the VirtQueueElement is cleaned up.  Therefore
vq->inuse is not decremented during reset.

This patch zeroes vq->inuse and trusts that devices are not leaking
VirtQueueElements across reset.

I will send a follow-up series that refactors request life-cycle across
all devices and converts vq->inuse = 0 into assert(vq->inuse == 0) but
this more invasive approach is not appropriate for stable trees.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Cc: qemu-stable <qemu-stable@nongnu.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Ladi Prosek <lprosek@redhat.com>
(cherry picked from commit 4b7f91ed0270a371e1933efa21ba600b6da23ab9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years ago9pfs: handle walk of ".." in the root directory
Greg Kurz [Tue, 30 Aug 2016 15:02:27 +0000 (17:02 +0200)] 
9pfs: handle walk of ".." in the root directory

The 9P spec at http://man.cat-v.org/plan_9/5/intro says:

All directories must support walks to the directory .. (dot-dot) meaning
parent directory, although by convention directories contain no explicit
entry for .. or . (dot).  The parent of the root directory of a server's
tree is itself.

This means that a client cannot walk further than the root directory
exported by the server. In other words, if the client wants to walk
"/.." or "/foo/../..", the server should answer like the request was
to walk "/".

This patch just does that:
- we cache the QID of the root directory at attach time
- during the walk we compare the QID of each path component with the root
  QID to detect if we're in a "/.." situation
- if so, we skip the current component and go to the next one

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 56f101ecce0eafd09e2daf1c4eeb1377d6959261)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years ago9pfs: forbid . and .. in file names
Greg Kurz [Tue, 30 Aug 2016 17:13:11 +0000 (19:13 +0200)] 
9pfs: forbid . and .. in file names

According to the 9P spec http://man.cat-v.org/plan_9/5/open about the
create request:

The names . and .. are special; it is illegal to create files with these

This patch causes the create and lcreate requests to fail with EINVAL if
the file name is either "." or "..".

Even if it isn't explicitly written in the spec, this patch extends the
checking to all requests that may cause a directory entry to be created:

    - mknod
    - rename
    - renameat
    - mkdir
    - link
    - symlink

The unlinkat request also gets patched for consistency (even if
rmdir("foo/..") is expected to fail according to POSIX.1-2001).

The various error values come from the linux manual pages.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 805b5d98c649d26fc44d2d7755a97f18e62b438a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years ago9pfs: forbid illegal path names
Greg Kurz [Tue, 30 Aug 2016 17:11:05 +0000 (19:11 +0200)] 
9pfs: forbid illegal path names

Empty path components don't make sense for most commands and may cause
undefined behavior, depending on the backend.

Also, the walk request described in the 9P spec [1] clearly shows that
the client is supposed to send individual path components: the official
linux client never sends portions of path containing the / character for

Moreover, the 9P spec [2] also states that a system can decide to restrict
the set of supported characters used in path components, with an explicit
mention "to remove slashes from name components".

This patch introduces a new name_is_illegal() helper that checks the
names sent by the client are not empty and don't contain unwanted chars.
Since 9pfs is only supported on linux hosts, only the / character is
checked at the moment. When support for other hosts (AKA. win32) is added,
other chars may need to be blacklisted as well.

If a client sends an illegal path component, the request will fail and
ENOENT is returned to the client.

[1] http://man.cat-v.org/plan_9/5/walk
[2] http://man.cat-v.org/plan_9/5/intro

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit fff39a7ad09da07ef490de05c92c91f22f8002f2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agonet: vmxnet: use g_new for pkt initialisation
Li Qiang [Mon, 22 Aug 2016 07:41:57 +0000 (13:11 +0530)] 
net: vmxnet: use g_new for pkt initialisation

When vmxnet transport abstraction layer initialises pkt,
the maximum fragmentation count is not checked. This could lead
to an integer overflow causing a NULL pointer dereference.
Replace g_malloc() with g_new() to catch the multiplication

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Acked-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agonet: vmxnet: check IP header length
Li Qiang [Tue, 9 Aug 2016 11:19:47 +0000 (16:49 +0530)] 
net: vmxnet: check IP header length

Vmxnet3 device emulator when parsing packet headers does not check
for IP header length. It could lead to a OOB access when reading
further packet data. Add check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoiscsi: pass SCSI status back for SG_IO
Vadim Rozenfeld [Fri, 13 May 2016 11:03:22 +0000 (13:03 +0200)] 
iscsi: pass SCSI status back for SG_IO

Signed-off-by: Vadim Rozenfeld <vrozenfe@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 644c6869d335e10bc10b8399646f767763c4977f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovirtio: decrement vq->inuse in virtqueue_discard()
Stefan Hajnoczi [Mon, 15 Aug 2016 12:54:16 +0000 (13:54 +0100)] 
virtio: decrement vq->inuse in virtqueue_discard()

virtqueue_discard() moves vq->last_avail_idx back so the element can be
popped again.  It's necessary to decrement vq->inuse to avoid "leaking"
the element count.

Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 58a83c61496eeb0d31571a07a51bc1947e3379ac)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovirtio: recalculate vq->inuse after migration
Stefan Hajnoczi [Mon, 15 Aug 2016 12:54:15 +0000 (13:54 +0100)] 
virtio: recalculate vq->inuse after migration

The vq->inuse field is not migrated.  Many devices don't hold
VirtQueueElements across migration so it doesn't matter that vq->inuse
starts at 0 on the destination QEMU.

At least virtio-serial, virtio-blk, and virtio-balloon migrate while
holding VirtQueueElements.  For these devices we need to recalculate
vq->inuse upon load so the value is correct.

Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit bccdef6b1a204db0f41ffb6e24ce373e4d7890d4)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoui: fix refresh of VNC server surface
Daniel P. Berrange [Tue, 16 Aug 2016 16:30:32 +0000 (17:30 +0100)] 
ui: fix refresh of VNC server surface

In previous commit

  commit c7628bff4138ce906a3620d12e0820c1cf6c140d
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   Fri Oct 30 12:10:09 2015 +0100

    vnc: only alloc server surface with clients connected

the VNC server was changed so that the 'vd->server' pixman
image was only allocated when a client is connected.

Since then if a client disconnects and then reconnects to
the VNC server all they will see is a black screen until
they do something that triggers a refresh. On a graphical
desktop this is not often noticed since there's many things
going on which cause a refresh. On a plain text console it
is really obvious since nothing refreshes frequently.

The problem is that the VNC server didn't update the guest
dirty bitmap, so still believes its server image is in sync
with the guest contents.

To fix this we must explicitly mark the entire guest desktop
as dirty after re-creating the server surface. Move this
logic into vnc_update_server_surface() so it is guaranteed
to be call in all code paths that re-create the surface
instead of only in vnc_dpy_switch()

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Peter Lieven <pl@kamp.de>
Tested-by: Peter Lieven <pl@kamp.de>
Message-id: 1471365032-18096-1-git-send-email-berrange@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit b69a553b4af9bc87a8b2e0a7b7a7de4cc7f0557e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agonet: check fragment length during fragmentation
Prasad J Pandit [Thu, 4 Aug 2016 07:30:14 +0000 (13:00 +0530)] 
net: check fragment length during fragmentation

Network transport abstraction layer supports packet fragmentation.
While fragmenting a packet, it checks for more fragments from
packet length and current fragment length. It is susceptible
to an infinite loop, if the current fragment length is zero.
Add check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
CC: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoUpdate version for 2.6.1 release v2.6.1
Michael Roth [Wed, 17 Aug 2016 15:24:53 +0000 (10:24 -0500)] 
Update version for 2.6.1 release

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agotimer: set vm_clock disabled default
Gonglei [Tue, 9 Aug 2016 07:49:15 +0000 (15:49 +0800)] 
timer: set vm_clock disabled default

(commit 80dcfb8532ae76343109a48f12ba8ca1c505c179)
Upon migration, the code use a timer based on vm_clock for 1ns
in the future from post_load to do the event send in case host_connected
differs between migration source and target.

However, it's not guaranteed that the apic is ready to inject irqs into
the guest, and the irq line remained high, resulting in any future interrupts
going unnoticed by the guest as well.

That's because 1) the migration coroutine is not blocked when it get EAGAIN
while reading QEMUFile. 2) The vm_clock is enabled default currently, it doesn't
rely on the calling of vm_start(), that means vm_clock timers can run before
VCPUs are running.

So, let's set the vm_clock disabled default, keep the initial intention of
design for vm_clock timers.

Meanwhile, change the test-aio usecase, using QEMU_CLOCK_REALTIME instead of
QEMU_CLOCK_VIRTUAL as the block code does.

CC: Paolo Bonzini <pbonzini@redhat.com>
CC: Dr. David Alan Gilbert <dgilbert@redhat.com>
CC: qemu-stable@nongnu.org
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Message-Id: <1470728955-90600-1-git-send-email-arei.gonglei@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3fdd0ee393e26178a4892e101e60b011bbfaa9ea)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoXen PCI passthrough: fix passthrough failure when no interrupt pin
Bruce Rogers [Wed, 27 Jul 2016 15:30:48 +0000 (09:30 -0600)] 
Xen PCI passthrough: fix passthrough failure when no interrupt pin

Commit 5a11d0f7 mistakenly converted a log message into an error
condition when no pin interrupt is found for the pci device being
passed through. Revert that part of the commit.

Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
(cherry picked from commit 0968c91ce00f42487fb11de5da38e53b5dc6bc7f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoppc64: fix compressed dump with pseries kernel
Laurent Vivier [Mon, 8 Aug 2016 13:08:53 +0000 (15:08 +0200)] 
ppc64: fix compressed dump with pseries kernel

If we don't provide the page size in target-ppc:cpu_get_dump_info(),
the default one (TARGET_PAGE_SIZE, 4KB) is used to create
the compressed dump. It works fine with Macintosh, but not with
pseries as the kernel default page size is 64KB.

Without this patch, if we generate a compressed dump in the QEMU monitor:

    (qemu) dump-guest-memory -z qemu.dump

This dump cannot be read by crash:

    # crash vmlinux qemu.dump
    WARNING: cannot translate vmemmap kernel virtual addresses:
             commands requiring page structure contents will fail

Page_size is used to determine the dumpfile's block size. The
block size needs to be at least the page size, but a multiple of page
size works fine too. For PPC64, linux supports either 4KB or 64KB software
page size. So we define the page_size to 64KB.

Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 760d88d1d0c409f1afe6f1c91539487413e8b2a9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: esp: check TI buffer index before read/write
Prasad J Pandit [Mon, 6 Jun 2016 16:34:43 +0000 (22:04 +0530)] 
scsi: esp: check TI buffer index before read/write

The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte
FIFO buffers. One is used to handle commands and other is for
information transfer. Three control variables 'ti_rptr',
'ti_wptr' and 'ti_size' are used to control r/w access to the
information transfer buffer ti_buf[TI_BUFSZ=16]. In that,

'ti_rptr' is used as read index, where read occurs.
'ti_wptr' is a write index, where write would occur.
'ti_size' indicates total bytes to be read from the buffer.

While reading/writing to this buffer, index could exceed its
size. Add check to avoid OOB r/w access.

Reported-by: Huawei PSIRT <psirt@huawei.com>
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1465230883-22303-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit ff589551c8e8e9e95e211b9d8daafb4ed39f1aec)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: megasas: null terminate bios version buffer
Prasad J Pandit [Tue, 7 Jun 2016 11:14:03 +0000 (16:44 +0530)] 
scsi: megasas: null terminate bios version buffer

While reading information via 'megasas_ctrl_get_info' routine,
a local bios version buffer isn't null terminated. Add the
terminating null byte to avoid any OOB access.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: esp: make cmdbuf big enough for maximum CDB size
Prasad J Pandit [Wed, 15 Jun 2016 22:22:35 +0000 (00:22 +0200)] 
scsi: esp: make cmdbuf big enough for maximum CDB size

While doing DMA read into ESP command buffer 's->cmdbuf', it could
write past the 's->cmdbuf' area, if it was transferring more than 16
bytes.  Increase the command buffer size to 32, which is maximum when
's->do_cmd' is set, and add a check on 'len' to avoid OOB access.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd
Paolo Bonzini [Wed, 15 Jun 2016 12:29:33 +0000 (14:29 +0200)] 
scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd

Avoid duplicated code between esp_do_dma and handle_ti.  esp_do_dma
has the same code that handle_ti contains after the call to esp_do_dma;
but the code in handle_ti is never reached because it is in an "else if".
Remove the else and also the pointless return.

esp_do_dma also has a partially dead assignment of the to_device
variable.  Sink it to the point where it's actually used.

Finally, assert that the other caller of esp_do_dma (esp_transfer_data)
only transfers data and not a command.  This is true because get_cmd
cancels the old request synchronously before its caller handle_satn_stop
sets do_cmd to 1.

Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7f0b6e114ae4e142e2b3dfc9fac138f4a30edc4f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: esp: respect FIFO invariant after message phase
Paolo Bonzini [Tue, 14 Jun 2016 13:10:24 +0000 (15:10 +0200)] 
scsi: esp: respect FIFO invariant after message phase

The FIFO contains two bytes; hence the write ptr should be two bytes ahead
of the read pointer.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: esp: check buffer length before reading scsi command
Prasad J Pandit [Tue, 31 May 2016 17:53:27 +0000 (23:23 +0530)] 
scsi: esp: check buffer length before reading scsi command

The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
command into a buffer. Add check to validate command length against
buffer size to avoid any overrun.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: megasas: check 'read_queue_head' index value
Prasad J Pandit [Wed, 25 May 2016 12:25:10 +0000 (17:55 +0530)] 
scsi: megasas: check 'read_queue_head' index value

While doing MegaRAID SAS controller command frame lookup, routine
'megasas_lookup_frame' uses 'read_queue_head' value as an index
into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
within array bounds to avoid any OOB access.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: megasas: initialise local configuration data buffer
Prasad J Pandit [Wed, 25 May 2016 12:11:44 +0000 (17:41 +0530)] 
scsi: megasas: initialise local configuration data buffer

When reading MegaRAID SAS controller configuration via MegaRAID
Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
uses an uninitialised local data buffer. Initialise this buffer
to avoid stack information leakage.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d37af740730dbbb93960cd318e040372d04d6dcf)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: megasas: use appropriate property buffer size
Prasad J Pandit [Wed, 25 May 2016 10:31:29 +0000 (16:01 +0530)] 
scsi: megasas: use appropriate property buffer size

When setting MegaRAID SAS controller properties via MegaRAID
Firmware Interface(MFI) commands, a user supplied size parameter
is used to set property value. Use appropriate size value to avoid
OOB access issues.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agonet: mipsnet: check packet length against buffer
Prasad J Pandit [Thu, 7 Apr 2016 10:26:02 +0000 (15:56 +0530)] 
net: mipsnet: check packet length against buffer

When receiving packets over MIPSnet network device, it uses
receive buffer of size 1514 bytes. In case the controller
accepts large(MTU) packets, it could lead to memory corruption.
Add check to avoid it.

Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agohw/arm/virt: Reject gic-version=host for non-KVM
Cole Robinson [Mon, 6 Jun 2016 15:59:29 +0000 (16:59 +0100)] 
hw/arm/virt: Reject gic-version=host for non-KVM

If you try to gic-version=host with TCG on a KVM aarch64 host,
qemu segfaults, since host requires KVM APIs.

Explicitly reject gic-version=host if KVM is not enabled

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Message-id: b1b3b0dd143b7995a7f4062966b80a2cf3e3c71e.1464273085.git.crobinso@redhat.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 0bf8039dca6bfecec243a13ebcd224d3941d9242)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoui: spice: Exit if gl=on EGL init fails
Cole Robinson [Wed, 18 May 2016 16:40:50 +0000 (12:40 -0400)] 
ui: spice: Exit if gl=on EGL init fails

The user explicitly requested spice GL, so if we know it isn't
going to work we should exit

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: e3789e35b16f9e3cc6f2652f91c52d88ba6d6936.1463588606.git.crobinso@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit daafc661cc1a1de5a2e8ea0a7c0f396b827ebc3b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agosdl2: skip init without outputs
Gerd Hoffmann [Wed, 1 Jun 2016 14:08:36 +0000 (16:08 +0200)] 
sdl2: skip init without outputs

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Cole Robinson <crobinso@redhat.com>
Message-id: 1464790116-32405-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 8efa5f29f83816ae34f428143de49acbaacccb24)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoui: sdl2: Release grab before opening console window
Cole Robinson [Fri, 6 May 2016 18:03:06 +0000 (14:03 -0400)] 
ui: sdl2: Release grab before opening console window

sdl 2.0.4 currently has a bug which causes our UI shortcuts to fire
rapidly in succession:


It's a toss up whether ctrl+alt+f or ctrl+alt+2 will fire an
odd or even number of times, thus determining whether the action
succeeds or fails.

Opening monitor/serial windows is doubly broken, since it will often
lock the UI trying to grab the pointer:

  0x00007fffef3720a5 in SDL_Delay_REAL () at /lib64/libSDL2-2.0.so.0
  0x00007fffef3688ba in X11_SetWindowGrab () at /lib64/libSDL2-2.0.so.0
  0x00007fffef2f2da7 in SDL_SendWindowEvent () at /lib64/libSDL2-2.0.so.0
  0x00007fffef2f080b in SDL_SetKeyboardFocus () at /lib64/libSDL2-2.0.so.0
  0x00007fffef35d784 in X11_DispatchFocusIn.isra.8 () at /lib64/libSDL2-2.0.so.0
  0x00007fffef35dbce in X11_DispatchEvent () at /lib64/libSDL2-2.0.so.0
  0x00007fffef35ee4a in X11_PumpEvents () at /lib64/libSDL2-2.0.so.0
  0x00007fffef2eea6a in SDL_PumpEvents_REAL () at /lib64/libSDL2-2.0.so.0
  0x00007fffef2eeab5 in SDL_WaitEventTimeout_REAL () at /lib64/libSDL2-2.0.so.0
  0x000055555597eed0 in sdl2_poll_events (scon=0x55555876f928) at ui/sdl2.c:593

We can work around that hang by ungrabbing the pointer before launching
a new window. This roughly matches what our sdl1 code does

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Message-id: 31c9ab6540b031f7a614c59edcecea9877685612.1462557436.git.crobinso@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 56f289f383a871e871f944c7226920b35794efe6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoui: gtk: fix crash when terminal inner-border is NULL
Cole Robinson [Fri, 6 May 2016 18:03:05 +0000 (14:03 -0400)] 
ui: gtk: fix crash when terminal inner-border is NULL

VTE terminal inner-border can be NULL. The vte-0.36 (API 2.90)
code checks for the condition too so I assume it's not just a bug

Fixes a crash on Fedora 24 with gtk 3.20

Signed-off-by: Cole Robinson <crobinso@redhat.com>
Message-id: 2b2e85d403e8760ea53afd735a170500d5c17716.1462557436.git.crobinso@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 4fd811a6bd0b8f24f4761fc281454494c336d310)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoahci: free irqs array
Marc-André Lureau [Thu, 14 Jul 2016 16:03:40 +0000 (18:03 +0200)] 
ahci: free irqs array

Each irq is referenced by the IDEBus in ide_init2(), thus we can free
the no longer used array.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Acked-by: John Snow <jsnow@redhat.com>
(cherry picked from commit 9d324b0e67c2b570df389c1361f591b95a4e4278)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoahci: fix sglist leak on retry
Marc-André Lureau [Tue, 19 Jul 2016 06:47:46 +0000 (10:47 +0400)] 
ahci: fix sglist leak on retry

ahci-test /x86_64/ahci/io/dma/lba28/retry triggers the following leak:

Direct leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x7fc4b2a25e20 in malloc (/lib64/libasan.so.3+0xc6e20)
    #1 0x7fc4993bce58 in g_malloc (/lib64/libglib-2.0.so.0+0x4ee58)
    #2 0x556a187d4b34 in ahci_populate_sglist hw/ide/ahci.c:896
    #3 0x556a187d8237 in ahci_dma_prepare_buf hw/ide/ahci.c:1367
    #4 0x556a187b5a1a in ide_dma_cb hw/ide/core.c:844
    #5 0x556a187d7eec in ahci_start_dma hw/ide/ahci.c:1333
    #6 0x556a187b650b in ide_start_dma hw/ide/core.c:921
    #7 0x556a187b61e6 in ide_sector_start_dma hw/ide/core.c:911
    #8 0x556a187b9e26 in cmd_write_dma hw/ide/core.c:1486
    #9 0x556a187bd519 in ide_exec_cmd hw/ide/core.c:2027
    #10 0x556a187d71c5 in handle_reg_h2d_fis hw/ide/ahci.c:1204
    #11 0x556a187d7681 in handle_cmd hw/ide/ahci.c:1254
    #12 0x556a187d168a in check_cmd hw/ide/ahci.c:510
    #13 0x556a187d0afc in ahci_port_write hw/ide/ahci.c:314
    #14 0x556a187d105d in ahci_mem_write hw/ide/ahci.c:435
    #15 0x556a1831d959 in memory_region_write_accessor /home/elmarco/src/qemu/memory.c:525
    #16 0x556a1831dc35 in access_with_adjusted_size /home/elmarco/src/qemu/memory.c:591
    #17 0x556a18323ce3 in memory_region_dispatch_write /home/elmarco/src/qemu/memory.c:1262
    #18 0x556a1828cf67 in address_space_write_continue /home/elmarco/src/qemu/exec.c:2578
    #19 0x556a1828d20b in address_space_write /home/elmarco/src/qemu/exec.c:2635
    #20 0x556a1828d92b in address_space_rw /home/elmarco/src/qemu/exec.c:2737
    #21 0x556a1828daf7 in cpu_physical_memory_rw /home/elmarco/src/qemu/exec.c:2746
    #22 0x556a183068d3 in cpu_physical_memory_write /home/elmarco/src/qemu/include/exec/cpu-common.h:72
    #23 0x556a18308194 in qtest_process_command /home/elmarco/src/qemu/qtest.c:382
    #24 0x556a18309999 in qtest_process_inbuf /home/elmarco/src/qemu/qtest.c:573
    #25 0x556a18309a4a in qtest_read /home/elmarco/src/qemu/qtest.c:585
    #26 0x556a18598b85 in qemu_chr_be_write_impl /home/elmarco/src/qemu/qemu-char.c:387
    #27 0x556a18598c52 in qemu_chr_be_write /home/elmarco/src/qemu/qemu-char.c:399
    #28 0x556a185a2afa in tcp_chr_read /home/elmarco/src/qemu/qemu-char.c:2902
    #29 0x556a18cbaf52 in qio_channel_fd_source_dispatch io/channel-watch.c:84

Follow John Snow recommendation:
  Everywhere else ncq_err is used, it is accompanied by a list cleanup
  except for ncq_cb, which is the case you are fixing here.

  Move the sglist destruction inside of ncq_err and then delete it from
  the other two locations to keep it tidy.

  Call dma_buf_commit in ide_dma_cb after the early return. Though, this
  is also a little wonky because this routine does more than clear the
  list, but it is at the moment the centralized "we're done with the
  sglist" function and none of the other side effects that occur in
  dma_buf_commit will interfere with the reset that occurs from
  ide_restart_bh, I think

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
(cherry picked from commit 5839df7b71540a2af2580bb53ad1e2005bb175e6)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agomacio: set res_count value to 0 after non-block ATAPI DMA transfers
Mark Cave-Ayland [Fri, 5 Aug 2016 07:30:02 +0000 (08:30 +0100)] 
macio: set res_count value to 0 after non-block ATAPI DMA transfers

res_count should be set to the number of outstanding bytes after a DBDMA
request. Unfortunately this wasn't being set to zero by the non-block
transfer codepath meaning drivers that checked the descriptor result for
such requests (e.g reading the CDROM TOC) would assume from a non-zero result
that the transfer had failed.

Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 16275edb342342625cd7e7ac2048436474465b50)

* removed context dependancy on ddd495e5

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoatapi: fix halted DMA reset
John Snow [Tue, 9 Aug 2016 15:47:23 +0000 (11:47 -0400)] 
atapi: fix halted DMA reset

Followup to 87ac25fd, this time for ATAPI DMA.

Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Message-id: 1470164128-28158-1-git-send-email-jsnow@redhat.com
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
(cherry picked from commit 7f951b2d7765f68ae1e563c2fed44071ca774790)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoide: fix halted IO segfault at reset
John Snow [Thu, 28 Jul 2016 21:34:19 +0000 (17:34 -0400)] 
ide: fix halted IO segfault at reset

If one attempts to perform a system_reset after a failed IO request
that causes the VM to enter a paused state, QEMU will segfault trying
to free up the pending IO requests.

These requests have already been completed and freed, though, so all
we need to do is NULL them before we enter the paused state.

Existing AHCI tests verify that halted requests are still resumed
successfully after a STOP event.

Analyzed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: John Snow <jsnow@redhat.com>
Message-id: 1469635201-11918-2-git-send-email-jsnow@redhat.com
Signed-off-by: John Snow <jsnow@redhat.com>
(cherry picked from commit 87ac25fd1fed05a30a93d27dbeb2a4c4b83ec95f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovirtio: error out if guest exceeds virtqueue size
Stefan Hajnoczi [Tue, 19 Jul 2016 12:07:13 +0000 (13:07 +0100)] 
virtio: error out if guest exceeds virtqueue size

A broken or malicious guest can submit more requests than the virtqueue
size permits, causing unbounded memory allocation in QEMU.

The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size.  This requires reusing
vring descriptors in more than one request, which is not allowed by the
VIRTIO 1.0 specification.

In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification

  1. The driver places the buffer into free descriptor(s) in the
     descriptor table, chaining as necessary


  Note that the above code does not take precautions against the
  available ring buffer wrapping around: this is not possible since the
  ring buffer is the same size as the descriptor table, so step (1) will
  prevent such a condition.

This implies that placing more buffers into the virtqueue than the
descriptor table size is not allowed.

QEMU is missing the check to prevent this case.  Processing a request
allocates a VirtQueueElement leading to unbounded memory allocation
controlled by the guest.

Exit with an error if the guest provides more requests than the
virtqueue size permits.  This bounds memory allocation and makes the
buggy guest visible to the user.

This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
Marvel Team, China.

Reported-by: Zhenhao Hong <hongzhenhao@360.cn>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit afd9096eb1882f23929f5b5c177898ed231bac66)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agotarget-i386: fix typo in xsetbv implementation
Dave Hansen [Sat, 23 Jul 2016 07:50:25 +0000 (09:50 +0200)] 
target-i386: fix typo in xsetbv implementation

QEMU 2.6 added support for the XSAVE family of instructions, which
includes the XSETBV instruction which allows setting the XCR0

But, when booting Linux kernels with XSAVE support enabled, I was
getting very early crashes where the instruction pointer was set
to 0x3.  I tracked it down to a jump instruction generated by this:

        gen_jmp_im(s->pc - pc_start);

where s->pc is pointing to the instruction after XSETBV and pc_start
is pointing _at_ XSETBV.  Subtract the two and you get 0x3.  Whoops.

The fix is to replace this typo with the pattern found everywhere
else in the file when folks want to end the translation buffer.

Richard Henderson confirmed that this is a bug and that this is the
correct fix.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Cc: qemu-stable@nongnu.org
Cc: Eduardo Habkost <ehabkost@redhat.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit ba03584f4f88082368b2562e515c3d60421b68ce)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agopcie: fix link active status bit migration
Michael S. Tsirkin [Tue, 19 Jul 2016 20:16:19 +0000 (23:16 +0300)] 
pcie: fix link active status bit migration

We changed link status register in pci express endpoint capability
over time. Specifically,

commit b2101eae63ea57b571cee4a9075a4287d24ba4a4 ("pcie: Set the "link
active" in the link status register") set data link layer link active
bit in this register without adding compatibility to old machine types.

When migrating from qemu 2.3 and older this affects xhci devices which
under machine type 2.0 and older have a pci express endpoint capability
even if they are on a pci bus.

Add compatibility flags to make this bit value match what it was under

Additionally, to avoid breaking migration from qemu 2.3 and up,
suppress checking link status during migration: this seems sane
since hardware can change link status at any time.


Reported-by: Gerd Hoffmann <kraxel@redhat.com>
Fixes: b2101eae63ea57b571cee4a9075a4287d24ba4a4
    ("pcie: Set the "link active" in the link status register")
Cc: qemu-stable@nongnu.org
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 6b4495401bdf442457b713b7e3994b465c55af35)

* removed functional dependency on 6383292

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agonbd: Limit nbdflags to 16 bits
Eric Blake [Thu, 21 Jul 2016 19:34:46 +0000 (13:34 -0600)] 
nbd: Limit nbdflags to 16 bits

Rather than asserting that nbdflags is within range, just give
it the correct type to begin with :)  nbdflags corresponds to
the per-export portion of NBD Protocol "transmission flags", which
is 16 bits in response to NBD_OPT_EXPORT_NAME and NBD_OPT_GO.

Furthermore, upstream NBD has never passed the global flags to
the kernel via ioctl(NBD_SET_FLAGS) (the ioctl was first
introduced in NBD 2.9.22; then a latent bug in NBD 3.1 actually
tried to OR the global flags with the transmission flags, with
the disaster that the addition of NBD_FLAG_NO_ZEROES in 3.9
caused all earlier NBD 3.x clients to treat every export as
read-only; NBD 3.10 and later intentionally clip things to 16
bits to pass only transmission flags).  Qemu should follow suit,
since the current two global flags (NBD_FLAG_FIXED_NEWSTYLE
and NBD_FLAG_NO_ZEROES) have no impact on the kernel's behavior
during transmission.

CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1469129688-22848-3-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7423f417827146f956df820f172d0bf80a489495)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agonbd: Don't use *_to_cpup() functions
Peter Maydell [Fri, 10 Jun 2016 15:00:36 +0000 (16:00 +0100)] 
nbd: Don't use *_to_cpup() functions

The *_to_cpup() functions are not very useful, as they simply do
a pointer dereference and then a *_to_cpu(). Instead use either:
 * ld*_*_p(), if the data is at an address that might not be
   correctly aligned for the load
 * a local dereference and *_to_cpu(), if the pointer is
   the correct type and known to be correctly aligned

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <1465570836-22211-1-git-send-email-peter.maydell@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 773dce3c7286a66c37f7b07994177faf7046bfa8)
* context prereq for 7423f417
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agonbd: More debug typo fixes, use correct formats
Eric Blake [Wed, 11 May 2016 22:39:35 +0000 (16:39 -0600)] 
nbd: More debug typo fixes, use correct formats

Clean up some debug message oddities missed earlier; this includes
some typos, and recognizing that %d is not necessarily compatible
with uint32_t. Also add a couple messages that I found useful
while debugging things.

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1463006384-7734-3-git-send-email-eblake@redhat.com>
[Do not use PRIx16, clang complains. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 2cb347493c5a0c3634dc13942ba65fdcefbcd34b)
* context prereq for 7423f41
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoFix some typos found by codespell
Stefan Weil [Wed, 23 Mar 2016 14:59:57 +0000 (15:59 +0100)] 
Fix some typos found by codespell

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit cb8d4c8f54b8271f642f02382eec29d468bb1c77)
* context prereq for 2cb34749
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoblock/iscsi: fix rounding in iscsi_allocationmap_set
Peter Lieven [Mon, 18 Jul 2016 08:52:19 +0000 (10:52 +0200)] 
block/iscsi: fix rounding in iscsi_allocationmap_set

when setting clusters as alloacted the boundaries have
to be expanded. As Paolo pointed out the calculation of
the number of clusters is wrong:

Suppose cluster_sectors is 2, sector_num = 1, nb_sectors = 6:

In the "mark allocated" case, you want to set 0..8, i.e.
cluster_num=0, nb_clusters=4.

   <--|_________________|-->  (<--> = expanded)

Instead you are setting nb_clusters=3, so that 6..8 is not marked.

   <--|______________|!!!     (! = wrong)

Cc: qemu-stable@nongnu.org
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <1468831940-15556-2-git-send-email-pl@kamp.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit eb36b953e0ebf4129b188a241fbc367062ac2e06)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoutil: Fix MIN_NON_ZERO
Fam Zheng [Tue, 12 Jul 2016 06:48:33 +0000 (14:48 +0800)] 
util: Fix MIN_NON_ZERO

MIN_NON_ZERO(1, 0) is evaluated to 0. Rewrite the macro to fix it.

Reported-by: Miroslav Rezanina <mrezanin@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1468306113-847-1-git-send-email-famz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d27ba624aa1dfe5c07cc01200d95967ffce905d9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoqemu-iotests: Test naming of throttling groups
Alberto Garcia [Fri, 8 Jul 2016 14:05:14 +0000 (17:05 +0300)] 
qemu-iotests: Test naming of throttling groups

Throttling groups are named using the 'group' parameter of the
block_set_io_throttle command and the throttling.group command-line
option. If that parameter is unspecified the groups get the name of
the block device.

This patch adds a new test to check the naming of throttling groups.

Signed-off-by: Alberto Garcia <berto@igalia.com>
* backport of 435d5ee
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoblockdev: Fix regression with the default naming of throttling groups
Alberto Garcia [Fri, 8 Jul 2016 14:05:13 +0000 (17:05 +0300)] 
blockdev: Fix regression with the default naming of throttling groups

When I/O limits are set for a block device, the name of the throttling
group is taken from the BlockBackend if the user doesn't specify one.

Commit efaa7c4eeb7490c6f37f3 moved the naming of the BlockBackend in
blockdev_init() to the end of the function, after I/O limits are set.
The consequence is that the throttling group gets an empty name.

Signed-off-by: Alberto Garcia <berto@igalia.com>
Reported-by: Stefan Hajnoczi <stefanha@redhat.com>
Cc: Max Reitz <mreitz@redhat.com>
Cc: qemu-stable@nongnu.org
* backport of ff356ee
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agos390x/ipl: fix reboots for migration from different bios
David Hildenbrand [Thu, 9 Jun 2016 13:36:41 +0000 (15:36 +0200)] 
s390x/ipl: fix reboots for migration from different bios

When migrating from a different QEMU version, the start_address and
bios_start_address may differ. During migration these values are migrated
and overwrite the values that were detected by QEMU itself.

On a reboot, QEMU will reload its own BIOS, but use the migrated start
addresses, which does not work if the values differ.

Fix this by not relying on the migrated values anymore, but still
provide them during migration, so existing QEMUs continue to work.

Signed-off-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
(cherry picked from commit bb0995468a39f14077ceaa8ed5afdca849f00c7c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoRevert "virtio-net: unbreak self announcement and guest offloads after migration"
Michael S. Tsirkin [Mon, 4 Jul 2016 11:47:37 +0000 (14:47 +0300)] 
Revert "virtio-net: unbreak self announcement and guest offloads after migration"

This reverts commit 1f8828ef573c83365b4a87a776daf8bcef1caa21.

Cc: qemu-stable@nongnu.org
Reported-by: Robin Geuze <robing@transip.nl>
Tested-by: Robin Geuze <robing@transip.nl>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 6c6668232e71b7cf7ff39fa1a7abf660c40f9cea)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovirtio: set low features early on load
Michael S. Tsirkin [Mon, 4 Jul 2016 11:39:10 +0000 (14:39 +0300)] 
virtio: set low features early on load

virtio migrates the low 32 feature bits twice, the first copy is there
for compatibility but ever since
019a3edbb25f1571e876f8af1ce4c55412939e5d: ("virtio: make features 64bit
wide") it's ignored on load. This is wrong since virtio_net_load tests
self announcement and guest offloads before the second copy including
high feature bits is loaded.  This means that self announcement, control
vq and guest offloads are all broken after migration.

Fix it up by loading low feature bits: somewhat ugly since high and low
bits become out of sync temporarily, but seems unavoidable for
compatibility.  The right thing to do for new features is probably to
test the host features, anyway.

Fixes: 019a3edbb25f1571e876f8af1ce4c55412939e5d
    ("virtio: make features 64bit wide")
Cc: qemu-stable@nongnu.org
Reported-by: Robin Geuze <robing@transip.nl>
Tested-by: Robin Geuze <robing@transip.nl>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 62cee1a28aada2cce4b0e1fb835d8fc830aed7ac)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agotarget-sparc: fix register corruption in ldstub if there is no write permission
Artyom Tarasenko [Fri, 24 Jun 2016 12:34:30 +0000 (14:34 +0200)] 
target-sparc: fix register corruption in ldstub if there is no write permission

Signed-off-by: Artyom Tarasenko <atar4qemu@gmail.com>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
(cherry picked from commit b64d2e57e704edbb56ae969de864292dd38379bf)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: Advertise limits by blocksize, not 512
Eric Blake [Thu, 23 Jun 2016 22:37:11 +0000 (16:37 -0600)] 
scsi: Advertise limits by blocksize, not 512

s->blocksize may be larger than 512, in which case our
tweaks to max_xfer_len and opt_xfer_len must be scaled

CC: qemu-stable@nongnu.org
Reported-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Fam Zheng <famz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit efaf4781a995aacd22b1dd521b14e4644bafae14)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi-generic: Merge block max xfer len in INQUIRY response
Fam Zheng [Thu, 26 May 2016 06:15:05 +0000 (14:15 +0800)] 
scsi-generic: Merge block max xfer len in INQUIRY response

The rationale is similar to the above mode sense response interception:
this is practically the only channel to communicate restraints from
elsewhere such as host and block driver.

The scsi bus we attach onto can have a larger max xfer len than what is
accepted by the host file system (guarding between the host scsi LUN and
QEMU), in which case the SG_IO we generate would get -EINVAL.

Signed-off-by: Fam Zheng <famz@redhat.com>
Message-Id: <1464243305-10661-3-git-send-email-famz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 063143d5b1fde0fdcbae30bc7d6d14e76fa607d2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agonbd: Allow larger requests
Eric Blake [Thu, 23 Jun 2016 22:37:08 +0000 (16:37 -0600)] 
nbd: Allow larger requests

The NBD layer was breaking up request at a limit of 2040 sectors
(just under 1M) to cater to old qemu-nbd. But the server limit
was raised to 32M in commit 2d8214885 to match the kernel, more
than three years ago; and the upstream NBD Protocol is proposing
documentation that without any explicit communication to state
otherwise, a client should be able to safely assume that a 32M
transaction will work.  It is time to rely on the larger sizing,
and any downstream distro that cares about maximum
interoperability to older qemu-nbd servers can just tweak the
value of #define NBD_MAX_SECTORS.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 476b923c32ece0e268580776aaf1fab4ab4459a8)

* removed context dependency on 943cec86

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovfio/pci: Fix VGA quirks
Alex Williamson [Thu, 30 Jun 2016 19:00:22 +0000 (13:00 -0600)] 
vfio/pci: Fix VGA quirks

Commit 2d82f8a3cdb2 ("vfio/pci: Convert all MemoryRegion to dynamic
alloc and consistent functions") converted VFIOPCIDevice.vga to be
dynamically allocted, negating the need for VFIOPCIDevice.has_vga.
Unfortunately not all of the has_vga users were converted, nor was
the field removed from the structure.  Correct these oversights.

Reported-by: Peter Maloney <peter.maloney@brockmann-consult.de>
Tested-by: Peter Maloney <peter.maloney@brockmann-consult.de>
Fixes: 2d82f8a3cdb2 ("vfio/pci: Convert all MemoryRegion to dynamic alloc and consistent functions")
Fixes: https://bugs.launchpad.net/qemu/+bug/1591628
Cc: qemu-stable@nongnu.org
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
(cherry picked from commit 4d3fc4fdc6857e33346ed58ae55870f59391ee71)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agopci-assign: Move "Invalid ROM" error message to pci-assign-load-rom.c
Lin Ma [Wed, 15 Jun 2016 17:05:27 +0000 (01:05 +0800)] 
pci-assign: Move "Invalid ROM" error message to pci-assign-load-rom.c

In function pci_assign_dev_load_option_rom, For those pci devices don't
have 'rom' file under sysfs or if loading ROM from external file, The
function returns NULL, and won't set the passed 'size' variable.

In these 2 cases, qemu still reports "Invalid ROM" error message, Users
may be confused by it.

Signed-off-by: Lin Ma <lma@suse.com>
Message-Id: <1466010327-22368-1-git-send-email-lma@suse.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit be968c721ee9df49708691ab58f0e66b394dea82)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoqapi: Fix crash on missing alternate member of QAPI struct
Eric Blake [Wed, 15 Jun 2016 17:37:51 +0000 (11:37 -0600)] 
qapi: Fix crash on missing alternate member of QAPI struct

If a QAPI struct has a mandatory alternate member which is not
present on input, the input visitor reports an error for the
missing alternate without setting the discriminator, but the
cleanup code for the struct still tries to use the dealloc
visitor to clean up the alternate.

Commit dbf11922 changed visit_start_alternate to set *obj to NULL
when an error occurs, where it was previously left untouched.
Thus, before the patch, the dealloc visitor is blindly trying to
cleanup whatever branch corresponds to (*obj)->type == 0 (that is,
QTYPE_NONE, because *obj still pointed to zeroed memory), which
selects the default branch of the switch and sets an error, but
this second error is ignored by the way the dealloc visitor is
used; but after the patch, the attempt to switch dereferences NULL.

When cleaning up after a partial object parse, we specifically
check for !*obj after visit_start_struct() (see gen_visit_object());
doing the same for alternates fixes the crash. Enhance the testsuite
to give coverage for both missing struct and missing alternate

Also add an abort - we expect visit_start_alternate() to either set an
error or to set (*obj)->type to a valid QType that corresponds to
actual user input, and QTYPE_NONE should never be reachable from valid
input.  Had the abort() been in place earlier, we might have noticed
the dealloc visitor dereferencing bogus zeroed memory prior to when
commit dbf11922 forced our hand by setting *obj to NULL and causing a

Test case:

{'execute':'blockdev-add', 'arguments':{'options':{'driver':'raw'}}}

The choice of 'driver':'raw' selects a BlockdevOptionsGenericFormat
struct, which has a mandatory 'file':'BlockdevRef' in QAPI.  Since
'file' is missing as a sibling of 'driver', this should report a
graceful error rather than fault.  After this patch, we are back to:

{"error": {"class": "GenericError", "desc": "Parameter 'file' is missing"}}

Generated code in qapi-visit.c changes as:

|@@ -2444,6 +2444,9 @@ void visit_type_BlockdevRef(Visitor *v,
|     if (err) {
|         goto out;
|     }
|+    if (!*obj) {
|+        goto out_obj;
|+    }
|     switch ((*obj)->type) {
|     case QTYPE_QDICT:
|         visit_start_struct(v, name, NULL, 0, &err);
|@@ -2459,10 +2462,13 @@ void visit_type_BlockdevRef(Visitor *v,
|     case QTYPE_QSTRING:
|         visit_type_str(v, name, &(*obj)->u.reference, &err);
|         break;
|+    case QTYPE_NONE:
|+        abort();
|     default:
|         error_setg(&err, QERR_INVALID_PARAMETER_TYPE, name ? name : "null",
|                    "BlockdevRef");
|     }
|     visit_end_alternate(v);

Reported by Kashyap Chamarthy <kchamart@redhat.com>
CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1466012271-5204-1-git-send-email-eblake@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Tested-by: Kashyap Chamarthy <kchamart@redhat.com>
[Commit message tweaked]
Signed-off-by: Markus Armbruster <armbru@redhat.com>
(cherry picked from commit 9b4e38fe6a35890bb1d995316d7be08de0b30ee5)

* removed contexual/functional dependencies on 68ab47e

Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoqcow2: Avoid making the L1 table too big
Max Reitz [Wed, 15 Jun 2016 15:36:30 +0000 (17:36 +0200)] 
qcow2: Avoid making the L1 table too big

We refuse to open images whose L1 table we deem "too big". Consequently,
we should not produce such images ourselves.

Cc: qemu-stable@nongnu.org
Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-id: 20160615153630.2116-3-mreitz@redhat.com
Reviewed-by: Eric Blake <eblake@redhat.com>
[mreitz: Added QEMU_BUILD_BUG_ON()]
Signed-off-by: Max Reitz <mreitz@redhat.com>
(cherry picked from commit 84c26520d3c1c9ff4a10455748139463278816d5)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agobackup: Don't leak BackupBlockJob in error path
Kevin Wolf [Thu, 14 Apr 2016 10:59:55 +0000 (12:59 +0200)] 
backup: Don't leak BackupBlockJob in error path

Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Reviewed-by: Alberto Garcia <berto@igalia.com>
(cherry picked from commit 91ab68837933232bcef99da7c968e6d41900419b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agonet: fix qemu_announce_self not emitting packets
Peter Lieven [Thu, 9 Jun 2016 09:39:27 +0000 (11:39 +0200)] 
net: fix qemu_announce_self not emitting packets

commit fefe2a78 accidently dropped the code path for injecting
raw packets. This feature is needed for sending gratuitous ARPs
after an incoming migration has completed. The result is increased
network downtime for vservers where the network card is not virtio-net

Fixes: fefe2a78abde932e0f340b21bded2c86def1d242
Cc: qemu-stable@nongnu.org
Cc: hongyang.yang@easystack.cn
Signed-off-by: Peter Lieven <pl@kamp.de>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit ca1ee3d6b546e841a1b9db413eb8fa09f13a061b)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoui: fix regression in printing VNC host/port on startup
Daniel P. Berrange [Wed, 8 Jun 2016 10:42:56 +0000 (11:42 +0100)] 
ui: fix regression in printing VNC host/port on startup

If VNC is chosen as the compile time default display backend,
QEMU will print the host/port it listens on at startup.
Previously this would look like

  VNC server running on '::1:5900'

but in 04d2529da27db512dcbd5e99d0e26d333f16efcc the ':' was
accidentally replaced with a ';'. This the ':' back.

Reported-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 1465382576-25552-1-git-send-email-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 83cf07b0b577bde1afe1329d25bbcc762966e637)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoio: remove mistaken call to object_ref on QTask
Daniel P. Berrange [Tue, 7 Jun 2016 11:27:51 +0000 (12:27 +0100)] 
io: remove mistaken call to object_ref on QTask

The QTask struct is just a standalone struct, not a QOM Object,
so calling object_ref() on it is not appropriate. This results
in mangling the 'destroy' field in the QTask struct, causing
the later call to qtask_free() to try to call the function
at address 0x1, with predictably segfault happy results.

There is in fact no need for ref counting with QTask, as the
call to qtask_abort() or qtask_complete() will automatically
free associated memory.

This fixes the crash shown in


Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit bc35d51077b33e68a0ab10a057f352747214223f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovmsvga: don't process more than 1024 fifo commands at once
Gerd Hoffmann [Mon, 30 May 2016 07:09:21 +0000 (09:09 +0200)] 
vmsvga: don't process more than 1024 fifo commands at once

vmsvga_fifo_run is called in regular intervals (on each display update)
and will resume where it left off.  So we can simply exit the loop,
without having to worry about how processing will continue.

Fixes: CVE-2016-4453
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovmsvga: shadow fifo registers
Gerd Hoffmann [Mon, 30 May 2016 07:09:20 +0000 (09:09 +0200)] 
vmsvga: shadow fifo registers

The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
access the fifo in parallel without syncronization.  Which in turn
implies we can't use the fifo pointers in-place because the guest
can try changing them underneath us.  So add shadows for them, to
make sure the guest can't modify them after we've applied sanity

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovmsvga: add more fifo checks
Gerd Hoffmann [Mon, 30 May 2016 07:09:19 +0000 (09:09 +0200)] 
vmsvga: add more fifo checks

Make sure all fifo ptrs are within range.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovmsvga: move fifo sanity checks to vmsvga_fifo_length
Gerd Hoffmann [Mon, 30 May 2016 07:09:18 +0000 (09:09 +0200)] 
vmsvga: move fifo sanity checks to vmsvga_fifo_length

Sanity checks are applied when the fifo is enabled by the guest
(SVGA_REG_CONFIG_DONE write).  Which doesn't help much if the guest
changes the fifo registers afterwards.  Move the checks to
vmsvga_fifo_length so they are done each time qemu is about to read
from the fifo.

Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoblock: Drop bdrv_ioctl_bh_cb
Fam Zheng [Wed, 1 Jun 2016 01:52:23 +0000 (09:52 +0800)] 
block: Drop bdrv_ioctl_bh_cb

Similar to the "!drv || !drv->bdrv_aio_ioctl" case above, here it is
okay to set co.ret and return. As pointed out by Paolo, a BH will be
created as necessary by the caller (bdrv_co_maybe_schedule_bh).
Besides, as pointed out by Kevin, "data" was leaked before.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20160601015223.19277-1-famz@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit c8a9fd80719e63615dac12e3625223fb54aa8430)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: mptsas: infinite loop while fetching requests
Prasad J Pandit [Tue, 24 May 2016 08:07:44 +0000 (13:37 +0530)] 
scsi: mptsas: infinite loop while fetching requests

The LSI SAS1068 Host Bus Adapter emulator in Qemu, periodically
looks for requests and fetches them. A loop doing that in
mptsas_fetch_requests() could run infinitely if 's->state' was
not operational. Move check to avoid such a loop.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Message-Id: <1464077264-25473-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 06630554ccbdd25780aa03c3548aaff1eb56dffd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoscsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)
Prasad J Pandit [Mon, 23 May 2016 10:48:05 +0000 (16:18 +0530)] 
scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)

Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the ring buffer size to an arbitrary
value leading to OOB access issue. Add check to avoid it.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Cc: qemu-stable@nongnu.org
Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoFix configure test for PBKDF2 in nettle
Steven Luo [Fri, 27 May 2016 04:53:13 +0000 (21:53 -0700)] 
Fix configure test for PBKDF2 in nettle

On my Debian jessie system, including nettle/pbkdf2.h does not cause
NULL to be defined, which causes the test to fail to compile.  Include
stddef.h to bring in a definition of NULL.

Cc: qemu-trivial@nongnu.org
Cc: qemu-stable@nongnu.org
Signed-off-by: Steven Luo <steven+qemu@steven676.net>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 9e87a691bd46846e2232f8c30605c491c85ac987)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agosavevm: fail if migration blockers are present
Greg Kurz [Wed, 4 May 2016 19:44:19 +0000 (21:44 +0200)] 
savevm: fail if migration blockers are present

QEMU has currently two ways to prevent migration to occur:
- migration blocker when it depends on runtime state
- VMStateDescription.unmigratable when migration is not supported at all

This patch gathers all the logic into a single function to be called from
both the savevm and the migrate paths.

This fixes a bug with 9p, at least, where savevm would succeed and the
following would happen in the guest after loadvm:

$ ls /host
ls: cannot access /host: Protocol error

With this patch:

(qemu) savevm foo
Migration is disabled when VirtFS export path '/' is mounted in the guest
using mount_tag 'host'

Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <146239057139.11271.9011797645454781543.stgit@bahia.huguette.org>

[Update subject according to Paolo's suggestion - Amit]

Signed-off-by: Amit Shah <amit.shah@redhat.com>
(cherry picked from commit 24f3902b088cd4f2dbebfd90527b5d81d6a050e9)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agonbd: Don't trim unrequested bytes
Eric Blake [Wed, 25 May 2016 10:59:25 +0000 (04:59 -0600)] 
nbd: Don't trim unrequested bytes

Similar to commit df7b97ff, we are mishandling clients that
give an unaligned NBD_CMD_TRIM request, and potentially
trimming bytes that occur before their request; which in turn
can cause potential unintended data loss (unlikely in
practice, since most clients are sane and issue aligned trim
requests).  However, while we fixed read and write by switching
to the byte interfaces of blk_, we don't yet have a byte
interface for discard.  On the other hand, trim is advisory, so
rounding the user's request to simply ignore the first and last
unaligned sectors (or the entire request, if it is sub-sector
in length) is just fine.

CC: qemu-stable@nongnu.org
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <1464173965-9694-1-git-send-email-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 353ab969730742b7392414d62f4ba9632e8cf22c)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoblock/iscsi: avoid potential overflow of acb->task->cdb
Peter Lieven [Tue, 24 May 2016 08:59:28 +0000 (10:59 +0200)] 
block/iscsi: avoid potential overflow of acb->task->cdb

at least in the path via virtio-blk the maximum size is not

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovfio: Fix broken EEH
Gavin Shan [Wed, 15 Jun 2016 04:28:27 +0000 (14:28 +1000)] 
vfio: Fix broken EEH

vfio_eeh_container_op() is the backend that communicates with
host kernel to support EEH functionality in QEMU. However, the
functon should return the value from host kernel instead of 0

dwg: Specifically the problem occurs for the handful of EEH
sub-operations which can return a non-zero, non-error result.

Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Acked-by: Alex Williamson <alex.williamson@redhat.com>
[dwg: clarification to commit message]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit d917e88d85a147a99f38a62a4f95cac21e366d51)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agovga: add sr_vbe register set
Gerd Hoffmann [Tue, 17 May 2016 08:54:54 +0000 (10:54 +0200)] 
vga: add sr_vbe register set

Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
(CVE-2016-3712)." causes a regression.  The win7 installer is unhappy
because it can't freely modify vga registers any more while in vbe mode.

This patch introduces a new sr_vbe register set.  The vbe_update_vgaregs
will fill sr_vbe[] instead of sr[].  Normal vga register reads and
writes go to sr[].  Any sr register read access happens through a new
sr() helper function which will read from sr_vbe[] with vbe active and
from sr[] otherwise.

This way we can allow guests update sr[] registers as they want, without
allowing them disrupt vbe video modes that way.

Cc: qemu-stable@nongnu.org
Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agousb/ohci: Fix crash with when specifying too many num-ports
Thomas Huth [Mon, 23 May 2016 09:23:07 +0000 (11:23 +0200)] 
usb/ohci: Fix crash with when specifying too many num-ports

QEMU currently crashes when an OHCI controller is instantiated with
too many ports, e.g. "-device pci-ohci,num-ports=100,masterbus=1".
Thus add a proper check in usb_ohci_init() to make sure that we
do not use more than OHCI_MAX_PORTS = 15 ports here.

Ticket: https://bugs.launchpad.net/qemu/+bug/1581308
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-id: 1463995387-11710-1-git-send-email-thuth@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit d400fc018b326104d26d730e5cc8c36c1f662c34)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4 years agoblock/nfs: refuse readahead if cache.direct is on
Peter Lieven [Thu, 19 May 2016 12:48:02 +0000 (14:48 +0200)] 
block/nfs: refuse readahead if cache.direct is on

if we open a NFS export with disabled cache we should refuse
the readahead feature as it will cache data inside libnfs.

If a export was opened with readahead enabled it should
futher not be allowed to disable the cache while running.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Jeff Cody <jcody@redhat.com>
Message-id: 1463662083-20814-2-git-send-email-pl@kamp.de
Signed-off-by: Jeff Cody <jcody@redhat.com>
(cherry picked from commit 38f8d5e0251ae7d8257cf099cb3e5a375ef60378)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>