qemu-commits


From: Anthony Liguori
Subject: [Qemu-commits] [qemu/qemu] 730a9c: virtio-blk: fix use-after-free while handling scsi...
Date: Sun, 12 Aug 2012 11:30:12 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 730a9c53b4e52681fcfe31cf38854cbf91e132c7
      https://github.com/qemu/qemu/commit/730a9c53b4e52681fcfe31cf38854cbf91e132c7
  Author: Avi Kivity <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M hw/virtio-blk.c

  Log Message:
  -----------
  virtio-blk: fix use-after-free while handling scsi commands

The scsi passthrough handler falls through after completing a
request into the failure path, resulting in a use after free.

Reproducible by running a guest with aio=native on a block device.

Reported-by: Stefan Priebe <address@hidden>
Signed-off-by: Avi Kivity <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
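The fall-through the commit describes, as an added model that is not QEMU's code: a request handler that completes and frees the request on success and then drops into the failure label, where the request is completed and freed a second time. The request type, the `goto fail` shape and the quarantine allocator are constructed here so the second touch is observable rather than undefined behaviour; the fixed variant differs only by the `return` after the success path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added model, not QEMU code. VirtIOBlockReq here holds only what the
 * demonstration needs; the quarantine allocator is a test aid. */
typedef struct {
    int status;
    uint8_t freed;   /* set on free so a later touch can be detected */
} VirtIOBlockReq;

#define QUARANTINE 16
static VirtIOBlockReq *quarantine[QUARANTINE];
static int nq;           /* entries in quarantine */
static int violations;   /* use-after-free and double-free events seen */

static VirtIOBlockReq *req_alloc(void)
{
    return calloc(1, sizeof(VirtIOBlockReq));
}

/* Freed requests are parked instead of returned to malloc, so touching one
 * afterwards is detectable and does not corrupt the real heap. */
static void req_free(VirtIOBlockReq *req)
{
    if (req->freed) {
        violations++;             /* double free */
        return;
    }
    req->freed = 1;
    if (nq < QUARANTINE) {
        quarantine[nq++] = req;
    } else {
        free(req);
    }
}

static void req_complete(VirtIOBlockReq *req, int status)
{
    if (req->freed) {
        violations++;             /* use after free */
    }
    req->status = status;
}

static void quarantine_drain(void)
{
    while (nq > 0) {
        free(quarantine[--nq]);
    }
}

/* Shape of the handler before the fix: a valid command is completed and
 * freed, then control falls through into the failure path. */
static void handle_scsi_buggy(VirtIOBlockReq *req, bool cmd_valid)
{
    int status = -1;
    if (!cmd_valid) {
        goto fail;
    }
    req_complete(req, 0);
    req_free(req);
    /* no return: falls through */
fail:
    req_complete(req, status);    /* writes into the freed request */
    req_free(req);                /* frees it again */
}

/* After the fix: the success path returns instead of falling through. */
static void handle_scsi_fixed(VirtIOBlockReq *req, bool cmd_valid)
{
    int status = -1;
    if (!cmd_valid) {
        goto fail;
    }
    req_complete(req, 0);
    req_free(req);
    return;
fail:
    req_complete(req, status);
    req_free(req);
}

/* Run one handler on a fresh request and return how many UAF/double-free
 * events the quarantine allocator recorded. */
int scsi_violations(bool fixed, bool cmd_valid)
{
    violations = 0;
    VirtIOBlockReq *req = req_alloc();
    if (!req) {
        return -1;
    }
    if (fixed) {
        handle_scsi_fixed(req, cmd_valid);
    } else {
        handle_scsi_buggy(req, cmd_valid);
    }
    quarantine_drain();
    return violations;
}

int main(void)
{
    printf("buggy, valid command:   %d violations\n", scsi_violations(false, true));
    printf("buggy, invalid command: %d violations\n", scsi_violations(false, false));
    printf("fixed, valid command:   %d violations\n", scsi_violations(true, true));
    return 0;
}
```

The buggy handler only misbehaves on the success path, which is why the bug hides behind a working error path: a valid command is completed twice and freed twice, an invalid one is handled correctly.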


  Commit: 61f52e06f0a21bab782f98ef3ea789aa6d0aa046
      https://github.com/qemu/qemu/commit/61f52e06f0a21bab782f98ef3ea789aa6d0aa046
  Author: Jason Baron <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M hw/ide/ahci.c
    M hw/ide/internal.h

  Log Message:
  -----------
  ahci: Fix ahci cdrom read corruptions for reads > 128k

While testing q35, which has its cdrom attached to the ahci controller, I found
that the Fedora 17 install would panic on boot. The panic occurs while
squashfs is trying to read from the cdrom. The errors are:

[    8.622711] SQUASHFS error: xz_dec_run error, data probably corrupt
[    8.625180] SQUASHFS error: squashfs_read_data failed to read block
0x20be48a

I was also able to produce corrupt data reads using an installed piix based
qemu machine, using 'dd'. I found that the corruptions were only occurring when
the read size was greater than 128k. For example, the following command
results in corrupted reads:

dd if=/dev/sr0 of=/tmp/blah bs=256k iflag=direct

The > 128k size reads exercise a different code path than 128k and below. In
ide_atapi_cmd_read_dma_cb() s->io_buffer_size is capped at 128k. Thus,
ide_atapi_cmd_read_dma_cb() is called a second time when the read is > 128k.
However, ahci_dma_rw_buf() restarts the read from offset 0, instead of at 128k,
thus resulting in a corrupted read.

To fix this, I've introduced 'io_buffer_offset' field in IDEState to keep
track of the offset. I've also modified ahci_populate_sglist() to take a new
3rd offset argument, so that the sglist is properly initialized.

I've tested this patch using 'dd' testing, and Fedora 17 now correctly boots
and installs on q35 with the cdrom ahci controller.

Signed-off-by: Jason Baron <address@hidden>
Tested-by: Andreas Färber <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
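The chunked read path described above, as an added model that is not QEMU's code: the callback moves at most 128k per call and is re-entered until the command is satisfied, and the only difference between the two scatter-gather builders is whether the running offset is applied. `IDEState`, `io_buffer_size`, `io_buffer_offset` and `ahci_populate_sglist` are names taken from the commit message; their contents here are reduced to what the bug needs, and the disk contents are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IO_BUFFER_MAX (128 * 1024)  /* per-chunk cap ide_atapi_cmd_read_dma_cb() applies */

/* Added model, not QEMU's IDEState. */
typedef struct {
    const uint8_t *disk;      /* backing "cdrom" image */
    uint8_t *guest;           /* guest buffer the DMA targets */
    size_t remaining;         /* bytes the command still has to transfer */
    size_t io_buffer_size;    /* size of the chunk being transferred now */
    size_t io_buffer_offset;  /* bytes already transferred (the field the fix adds) */
} IDEState;

/* Before the fix: the sglist always maps the guest buffer from its start,
 * so every chunk after the first overwrites the first 128k. */
static uint8_t *ahci_populate_sglist_buggy(IDEState *s)
{
    return s->guest;
}

/* After the fix: the sglist is built at the running offset. */
static uint8_t *ahci_populate_sglist_fixed(IDEState *s, size_t offset)
{
    return s->guest + offset;
}

/* One call moves at most IO_BUFFER_MAX bytes; the loop stands in for the
 * callback being re-entered until the whole read is done. */
static void ide_atapi_cmd_read_dma_cb(IDEState *s, bool fixed)
{
    size_t src = 0;
    while (s->remaining > 0) {
        s->io_buffer_size = s->remaining > IO_BUFFER_MAX ? IO_BUFFER_MAX : s->remaining;
        uint8_t *dst = fixed ? ahci_populate_sglist_fixed(s, s->io_buffer_offset)
                             : ahci_populate_sglist_buggy(s);
        memcpy(dst, s->disk + src, s->io_buffer_size);
        src += s->io_buffer_size;
        s->io_buffer_offset += s->io_buffer_size;
        s->remaining -= s->io_buffer_size;
    }
}

/* Issue a read of `total` bytes and return 1 if the guest buffer matches
 * the disk contents, 0 if the read was corrupted. */
int read_is_intact(size_t total, bool fixed)
{
    uint8_t *disk = malloc(total);
    uint8_t *guest = calloc(total, 1);
    if (!disk || !guest) {
        free(disk);
        free(guest);
        return 0;
    }
    for (size_t i = 0; i < total; i++) {
        disk[i] = (uint8_t)(i * 31u + (i >> 13));  /* constructed, non-repeating content */
    }
    IDEState s = { .disk = disk, .guest = guest, .remaining = total };
    ide_atapi_cmd_read_dma_cb(&s, fixed);
    int ok = memcmp(disk, guest, total) == 0;
    free(disk);
    free(guest);
    return ok;
}

int main(void)
{
    size_t sizes[] = { 128 * 1024, 256 * 1024 };  /* the dd bs=128k and bs=256k cases */
    for (size_t i = 0; i < 2; i++) {
        printf("%zuk read: buggy=%s fixed=%s\n", sizes[i] / 1024,
               read_is_intact(sizes[i], false) ? "ok" : "corrupt",
               read_is_intact(sizes[i], true) ? "ok" : "corrupt");
    }
    return 0;
}
```

A read of exactly 128k passes through the buggy path unchanged, which matches the observation that only larger reads corrupted: the second chunk lands on top of the first and the tail of the guest buffer is never written.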


  Commit: ea8d82a1ed72634f089ed1bccccd9c84cc1ab855
      https://github.com/qemu/qemu/commit/ea8d82a1ed72634f089ed1bccccd9c84cc1ab855
  Author: Jason Baron <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M dma-helpers.c
    M hw/ide/ahci.c

  Log Message:
  -----------
  ahci: Fix sglist memleak in ahci_dma_rw_buf()

I noticed that in hw/ide/ahci:ahci_dma_rw_buf() we do not free the sglist. Thus,
I've added a call to qemu_sglist_destroy() to fix this memory leak.

In addition, I've added a call in qemu_sglist_destroy() to 0 all of the sglist
fields, in case there is some other codepath that tries to free the sglist.

Signed-off-by: Jason Baron <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>


  Commit: 353a41be05f9616f7bd7120456f706b3c85683ea
      https://github.com/qemu/qemu/commit/353a41be05f9616f7bd7120456f706b3c85683ea
  Author: Kevin Wolf <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M tests/qemu-iotests/common.rc

  Log Message:
  -----------
  qemu-iotests: Save some sed processes

Instead of building a huge pipeline, just pass all expressions to a
single sed process.

Suggested-by: Eric Blake <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Eric Blake <address@hidden>


  Commit: 13e3dce068773c971ff2f19d986378c55897c4a3
      https://github.com/qemu/qemu/commit/13e3dce068773c971ff2f19d986378c55897c4a3
  Author: Paolo Bonzini <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M hw/virtio-blk.c
    M hw/virtio-blk.h

  Log Message:
  -----------
  virtio-blk: support VIRTIO_BLK_F_CONFIG_WCE

Also rename VIRTIO_BLK_F_WCACHE to VIRTIO_BLK_F_WCE for consistency with
the spec.

Signed-off-by: Paolo Bonzini <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>


  Commit: 9315cbfd8d7074eca44fbc5f93902e97b27d5240
      https://github.com/qemu/qemu/commit/9315cbfd8d7074eca44fbc5f93902e97b27d5240
  Author: Paolo Bonzini <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M hw/virtio-blk.c

  Log Message:
  -----------
  virtio-blk: disable write cache if not negotiated

If the guest does not support flushes, we should run in writethrough mode.
The setting is temporary until the next reset, so that for example the
BIOS will run in writethrough mode while Linux will run with a writeback
cache.

Signed-off-by: Paolo Bonzini <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
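The cache-mode behaviour of the two virtio-blk commits above (VIRTIO_BLK_F_CONFIG_WCE support, and falling back to writethrough when the guest does not negotiate flushes), as an added model that is not QEMU's code: the device offers both features, drops to writethrough for any guest that does not ack the write-cache feature, returns to the configured mode on reset, and lets a guest that negotiated CONFIG_WCE toggle the cache through config space. The feature bit numbers (9 for the write-cache/flush feature, 11 for CONFIG_WCE) are assumed from the virtio spec and should be checked against the version you target; the `VirtIOBlock` fields and function names are constructed for this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed virtio-blk feature bits (check against your spec version). */
#define VIRTIO_BLK_F_WCE        9   /* device has a write cache; guest acks to say it sends flushes */
#define VIRTIO_BLK_F_CONFIG_WCE 11  /* cache mode can be toggled through config space */

/* Added model, not QEMU's VirtIOBlock. */
typedef struct {
    uint32_t host_features;     /* features the device offers */
    uint32_t guest_features;    /* features the guest acked */
    bool configured_writeback;  /* the -drive cache= choice */
    bool writeback;             /* mode in effect right now */
} VirtIOBlock;

/* Reset returns the device to the configured mode, so a guest that forced
 * writethrough (e.g. the BIOS) does not pin the next guest there. */
static void virtio_blk_reset(VirtIOBlock *s)
{
    s->guest_features = 0;
    s->writeback = s->configured_writeback;
}

static void virtio_blk_init(VirtIOBlock *s, bool configured_writeback)
{
    s->host_features = (1u << VIRTIO_BLK_F_WCE) | (1u << VIRTIO_BLK_F_CONFIG_WCE);
    s->configured_writeback = configured_writeback;
    virtio_blk_reset(s);
}

/* Guest finished feature negotiation. A guest that did not ack
 * VIRTIO_BLK_F_WCE will never send a flush, so buffering its writes is
 * unsafe: run writethrough for the lifetime of this guest. */
static void virtio_blk_set_features(VirtIOBlock *s, uint32_t acked)
{
    s->guest_features = acked & s->host_features;
    if (!(s->guest_features & (1u << VIRTIO_BLK_F_WCE))) {
        s->writeback = false;
    }
}

/* Guest wrote the writeback byte in config space. Honoured only when
 * VIRTIO_BLK_F_CONFIG_WCE was negotiated; returns whether it was applied. */
static bool virtio_blk_config_write_wce(VirtIOBlock *s, uint8_t wce)
{
    if (!(s->guest_features & (1u << VIRTIO_BLK_F_CONFIG_WCE))) {
        return false;
    }
    s->writeback = (wce != 0);
    return true;
}

/* Bring up a device with the given cache= choice, let the guest ack
 * `acked`, optionally write `wce` (-1 = no write) to config space, and
 * report the mode in effect: 1 = writeback, 0 = writethrough. */
int effective_writeback(bool configured_writeback, uint32_t acked, int wce)
{
    VirtIOBlock s;
    virtio_blk_init(&s, configured_writeback);
    virtio_blk_set_features(&s, acked);
    if (wce >= 0) {
        virtio_blk_config_write_wce(&s, (uint8_t)wce);
    }
    return s.writeback ? 1 : 0;
}

/* Same, but a first guest acks `acked1`, the device is reset (reboot into
 * the OS), then a second guest acks `acked2`. */
int effective_writeback_after_reset(bool configured_writeback, uint32_t acked1, uint32_t acked2)
{
    VirtIOBlock s;
    virtio_blk_init(&s, configured_writeback);
    virtio_blk_set_features(&s, acked1);
    virtio_blk_reset(&s);
    virtio_blk_set_features(&s, acked2);
    return s.writeback ? 1 : 0;
}

int main(void)
{
    uint32_t wce = 1u << VIRTIO_BLK_F_WCE, cfg = 1u << VIRTIO_BLK_F_CONFIG_WCE;
    printf("BIOS, no flush support:        %s\n", effective_writeback(true, 0, -1) ? "writeback" : "writethrough");
    printf("Linux, flush acked:            %s\n", effective_writeback(true, wce, -1) ? "writeback" : "writethrough");
    printf("Linux turns cache off via cfg: %s\n", effective_writeback(true, wce | cfg, 0) ? "writeback" : "writethrough");
    printf("BIOS, reset, then Linux:       %s\n", effective_writeback_after_reset(true, 0, wce) ? "writeback" : "writethrough");
    return 0;
}
```

The check worth keeping from this model is the one in `virtio_blk_set_features`: a writeback default is only safe because a guest that cannot flush is never left with unflushed data behind a cache it does not know exists.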


  Commit: 1f212b9d3edd8679bafd3bcf0301795206438724
      https://github.com/qemu/qemu/commit/1f212b9d3edd8679bafd3bcf0301795206438724
  Author: Paolo Bonzini <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M blockdev.c

  Log Message:
  -----------
  blockdev: flip default cache mode from writethrough to writeback

Now all major device models (IDE, SCSI, virtio) can choose between
writethrough and writeback at run-time, and virtio will even revert
to writethrough if the guest is not capable of sending flushes.  So
we can change the default to writeback at last.

Tested, for lack of a better idea, with a breakpoint on bdrv_open
and all cache choices one by one.

Signed-off-by: Paolo Bonzini <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>


  Commit: b10170aca0616df85482dcc7ddda03437bc07cca
      https://github.com/qemu/qemu/commit/b10170aca0616df85482dcc7ddda03437bc07cca
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M block/qed-check.c
    M block/qed.c
    M block/qed.h

  Log Message:
  -----------
  qed: mark image clean after repair succeeds

The dirty bit is cleared after image repair succeeds in qed_open().
Move this into qed_check() so that all callers benefit from this
behavior when fix=true.

This is necessary so qemu-img check can call .bdrv_check() and mark the
image clean.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>


  Commit: acbe59829e448aa63bdccc6ee484b7e1ac605e25
      https://github.com/qemu/qemu/commit/acbe59829e448aa63bdccc6ee484b7e1ac605e25
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M block/qcow2.c

  Log Message:
  -----------
  qcow2: mark image clean after repair succeeds

The dirty bit is cleared after image repair succeeds in qcow2_open().
Move this into qcow2_check() so that all callers benefit from this
behavior when fix mode is enabled.

This is necessary so qemu-img check can call .bdrv_check() and mark the
image clean.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>


  Commit: 058f8f16db0c1c528b665a6283457f019c8b0926
      https://github.com/qemu/qemu/commit/058f8f16db0c1c528b665a6283457f019c8b0926
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M block.h
    M block/qcow2.c
    M block/qed.c
    M qemu-img.c
    M tests/qemu-iotests/039.out

  Log Message:
  -----------
  block: add BLOCK_O_CHECK for qemu-img check

Image formats with a dirty bit, like qed and qcow2, repair dirty image
files upon open with BDRV_O_RDWR.  Performing automatic repair when
qemu-img check runs is not ideal because the bdrv_open() call repairs
the image before the actual bdrv_check() call from qemu-img.c.

Fix this "double repair" since it leads to confusing output from
qemu-img check.  Tell the block driver that this image is being opened
just for bdrv_check().  This skips automatic repair and qemu-img.c can
invoke it manually with bdrv_check().

Update the golden output for qemu-iotests 039 to reflect the new
qemu-img check output.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>


  Commit: 166f3c7b7026f9cd55a7daeec3b3444ec41092ab
      https://github.com/qemu/qemu/commit/166f3c7b7026f9cd55a7daeec3b3444ec41092ab
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M tests/qemu-iotests/039
    M tests/qemu-iotests/common.rc

  Log Message:
  -----------
  qemu-iotests: skip 039 with ./check -nocache

When the qemu-io --nocache option is used the 039 test case cannot abort
QEMU at a point where the image is dirty.  Skip the test case.

Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>


  Commit: fb7c269ed694c103397c5fffbfcccd3e90aed23c
      https://github.com/qemu/qemu/commit/fb7c269ed694c103397c5fffbfcccd3e90aed23c
  Author: Dunrong Huang <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M vl.c

  Log Message:
  -----------
  vl.c: Exit QEMU early if no machine is found

We check whether the variable machine is NULL or not before accessing
it. If machine is NULL, exit QEMU with an error; this avoids a
segfault.

Markus Armbruster <address@hidden> adds that the segfault can be
reproduced as follows:

  $ qemu-system-xtensa -cpu help

Signed-off-by: Dunrong Huang <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 656267413c17db3344c443fcf2b954a456a6863e
      https://github.com/qemu/qemu/commit/656267413c17db3344c443fcf2b954a456a6863e
  Author: Peter A. G. Crosthwaite <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M target-arm/translate.c

  Log Message:
  -----------
  arm: translate: comment typo - s/middel/middle/

Signed-off-by: Peter A. G. Crosthwaite <address@hidden>
Reviewed-by: Andreas Färber <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: b90372ad2a69a9cdad2a40766eb46f0a89d98535
      https://github.com/qemu/qemu/commit/b90372ad2a69a9cdad2a40766eb46f0a89d98535
  Author: Peter Maydell <address@hidden>
  Date:   2012-08-10 (Fri, 10 Aug 2012)

  Changed paths:
    M target-arm/arm-semi.c
    M target-arm/cpu.h
    M target-arm/helper.c
    M target-arm/neon_helper.c
    M target-arm/op_helper.c
    M target-arm/translate.c

  Log Message:
  -----------
  target-arm: Fix typos in comments

Fix a variety of typos in comments in target-arm files.

Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Peter Crosthwaite <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>


  Commit: 53810bab3acd73b9844807e53f02d867c1ad1d2a
      https://github.com/qemu/qemu/commit/53810bab3acd73b9844807e53f02d867c1ad1d2a
  Author: Anthony Liguori <address@hidden>
  Date:   2012-08-11 (Sat, 11 Aug 2012)

  Changed paths:
    M block.h
    M block/qcow2.c
    M block/qed-check.c
    M block/qed.c
    M block/qed.h
    M blockdev.c
    M dma-helpers.c
    M hw/ide/ahci.c
    M hw/ide/internal.h
    M hw/virtio-blk.c
    M hw/virtio-blk.h
    M qemu-img.c
    M tests/qemu-iotests/039
    M tests/qemu-iotests/039.out
    M tests/qemu-iotests/common.rc

  Log Message:
  -----------
  Merge remote-tracking branch 'kwolf/for-anthony' into staging

* kwolf/for-anthony:
  qemu-iotests: skip 039 with ./check -nocache
  block: add BLOCK_O_CHECK for qemu-img check
  qcow2: mark image clean after repair succeeds
  qed: mark image clean after repair succeeds
  blockdev: flip default cache mode from writethrough to writeback
  virtio-blk: disable write cache if not negotiated
  virtio-blk: support VIRTIO_BLK_F_CONFIG_WCE
  qemu-iotests: Save some sed processes
  ahci: Fix sglist memleak in ahci_dma_rw_buf()
  ahci: Fix ahci cdrom read corruptions for reads > 128k
  virtio-blk: fix use-after-free while handling scsi commands


  Commit: 346fe0c4c0b88f11a3d0c01c34d9a170d73429cc
      https://github.com/qemu/qemu/commit/346fe0c4c0b88f11a3d0c01c34d9a170d73429cc
  Author: Anthony Liguori <address@hidden>
  Date:   2012-08-11 (Sat, 11 Aug 2012)

  Changed paths:
    M target-arm/arm-semi.c
    M target-arm/cpu.h
    M target-arm/helper.c
    M target-arm/neon_helper.c
    M target-arm/op_helper.c
    M target-arm/translate.c
    M vl.c

  Log Message:
  -----------
  Merge remote-tracking branch 'stefanha/trivial-patches' into staging

* stefanha/trivial-patches:
  target-arm: Fix typos in comments
  arm: translate: comment typo - s/middel/middle/
  vl.c: Exit QEMU early if no machine is found


Compare: https://github.com/qemu/qemu/compare/312942619af7...346fe0c4c0b8
