9p: Simplify error path of v9fs_device_realize_common()

Make v9fs_device_unrealize_common() idempotent and use it for rollback,
in order to reduce code duplication.

Signed-off-b

9p: Simplify error path of v9fs_device_realize_common()

Make v9fs_device_unrealize_common() idempotent and use it for rollback,
in order to reduce code duplication.

Signed-off-by: Greg Kurz <groug@kaod.org>

show more ...

9p: unsigned type for type, version, path

There is no need for signedness on these QID fields for 9p.

Signed-off-by: Antonios Motakis <antonios.motakis@huawei.com>
[CS: - Also m

9p: unsigned type for type, version, path

There is no need for signedness on these QID fields for 9p.

Signed-off-by: Antonios Motakis <antonios.motakis@huawei.com>
[CS: - Also make QID type unsigned.
- Adjust donttouch_stat() to new types.
- Adjust trace-events to new types. ]
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Signed-off-by: Greg Kurz <groug@kaod.org>

show more ...

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20190816' into staging

target-arm queue:
* target/arm: generate a custom MIDR for -cpu max
* hw/misc/zynq_slcr:

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20190816' into staging

target-arm queue:
* target/arm: generate a custom MIDR for -cpu max
* hw/misc/zynq_slcr: refactor to use standard register definition
* Set ENET_BD_BDU in I.MX FEC controller
* target/arm: Fix routing of singlestep exceptions
* refactor a32/t32 decoder handling of PC
* minor optimisations/cleanups of some a32/t32 codegen
* target/arm/cpu64: Ensure kvm really supports aarch64=off
* target/arm/cpu: Ensure we can use the pmu with kvm
* target/arm: Minor cleanups preparatory to KVM SVE support

# gpg: Signature made Fri 16 Aug 2019 14:15:55 BST
# gpg: using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg: issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE

* remotes/pmaydell/tags/pull-target-arm-20190816: (29 commits)
target/arm: Use tcg_gen_extrh_i64_i32 to extract the high word
target/arm: Simplify SMMLA, SMMLAR, SMMLS, SMMLSR
target/arm: Use tcg_gen_rotri_i32 for gen_swap_half
target/arm: Use ror32 instead of open-coding the operation
target/arm: Remove redundant shift tests
target/arm: Use tcg_gen_deposit_i32 for PKHBT, PKHTB
target/arm: Use tcg_gen_extract_i32 for shifter_out_im
target/arm/kvm64: Move the get/put of fpsimd registers out
target/arm/kvm64: Fix error returns
target/arm/cpu: Use div-round-up to determine predicate register array size
target/arm/helper: zcr: Add build bug next to value range assumption
target/arm/cpu: Ensure we can use the pmu with kvm
target/arm/cpu64: Ensure kvm really supports aarch64=off
target/arm: Remove helper_double_saturate
target/arm: Use unallocated_encoding for aarch32
target/arm: Remove offset argument to gen_exception_bkpt_insn
target/arm: Replace offset with pc in gen_exception_internal_insn
target/arm: Replace offset with pc in gen_exception_insn
target/arm: Replace s->pc with s->base.pc_next
target/arm: Remove redundant s->pc & ~1
...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block layer patches:

- file-posix: Fix O_DIRECT alignment detection
- Fixes for concurrent block jobs

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block layer patches:

- file-posix: Fix O_DIRECT alignment detection
- Fixes for concurrent block jobs
- block-backend: Queue requests while drained (fix IDE vs. job crashes)
- qemu-img convert: Deprecate using -n and -o together
- iotests: Migration tests with filter nodes
- iotests: More media change tests

# gpg: Signature made Fri 16 Aug 2019 10:29:18 BST
# gpg: using RSA key 7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" [full]
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream:
file-posix: Handle undetectable alignment
qemu-img convert: Deprecate using -n and -o together
block-backend: Queue requests while drained
mirror: Keep mirror_top_bs drained after dropping permissions
block: Remove blk_pread_unthrottled()
iotests: Add test for concurrent stream/commit
tests: Test mid-drain bdrv_replace_child_noperm()
tests: Test polling in bdrv_drop_intermediate()
block: Reduce (un)drains when replacing a child
block: Keep subtree drained in drop_intermediate
block: Simplify bdrv_filter_default_perms()
iotests: Test migration with all kinds of filter nodes
iotests: Move migration helpers to iotests.py
iotests/118: Add -blockdev based tests
iotests/118: Create test classes dynamically
iotests/118: Test media change for scsi-cd

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2019-08-15' into staging

nbd patches for 2019-08-15

- Addition of InetSocketAddress keep-alive
- Addition of BDRV_REQ_P

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2019-08-15' into staging

nbd patches for 2019-08-15

- Addition of InetSocketAddress keep-alive
- Addition of BDRV_REQ_PREFETCH for more efficient copy-on-read
- Initial refactoring in preparation of NBD reconnect

# gpg: Signature made Thu 15 Aug 2019 19:28:41 BST
# gpg: using RSA key A7A16B4A2527436A
# gpg: Good signature from "Eric Blake <eblake@redhat.com>" [full]
# gpg: aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>" [full]
# gpg: aka "[jpeg image of size 6874]" [full]
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2 F3AA A7A1 6B4A 2527 436A

* remotes/ericb/tags/pull-nbd-2019-08-15:
block/nbd: refactor nbd connection parameters
block/nbd: add cmdline and qapi parameter reconnect-delay
block/nbd: move from quit to state
block/nbd: use non-blocking io channel for nbd negotiation
block/nbd: split connection_co start out of nbd_client_connect
nbd: improve CMD_CACHE: use BDRV_REQ_PREFETCH
block/stream: use BDRV_REQ_PREFETCH
block: implement BDRV_REQ_PREFETCH
qapi: Add InetSocketAddress member keep-alive

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge remote-tracking branch 'remotes/armbru/tags/pull-include-2019-08-13-v2' into staging

Header cleanup patches for 2019-08-13

# gpg: Signature made Fri 16 Aug 2019 12:39:12 BST

Merge remote-tracking branch 'remotes/armbru/tags/pull-include-2019-08-13-v2' into staging

Header cleanup patches for 2019-08-13

# gpg: Signature made Fri 16 Aug 2019 12:39:12 BST
# gpg: using RSA key 354BC8B3D7EB2A6B68674E5F3870B400EB918653
# gpg: issuer "armbru@redhat.com"
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>" [full]
# gpg: aka "Markus Armbruster <armbru@pond.sub.org>" [full]
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653

* remotes/armbru/tags/pull-include-2019-08-13-v2: (29 commits)
sysemu: Split sysemu/runstate.h off sysemu/sysemu.h
sysemu: Move the VMChangeStateEntry typedef to qemu/typedefs.h
Include sysemu/sysemu.h a lot less
Clean up inclusion of sysemu/sysemu.h
numa: Move remaining NUMA declarations from sysemu.h to numa.h
Include sysemu/hostmem.h less
numa: Don't include hw/boards.h into sysemu/numa.h
Include hw/boards.h a bit less
Include hw/qdev-properties.h less
Include qemu/main-loop.h less
Include qemu/queue.h slightly less
Include hw/hw.h exactly where needed
Include qom/object.h slightly less
Include exec/memory.h slightly less
Include migration/vmstate.h less
migration: Move the VMStateDescription typedef to typedefs.h
Clean up inclusion of exec/cpu-common.h
Include hw/irq.h a lot less
typedefs: Separate incomplete types and function types
ide: Include hw/ide/internal a bit less outside hw/ide/
...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Include qemu/main-loop.h less

In my "build everything" tree, changing qemu/main-loop.h triggers a
recompile of some 5600 out of 6600 objects (not counting tests and
objects that don'

Include qemu/main-loop.h less

In my "build everything" tree, changing qemu/main-loop.h triggers a
recompile of some 5600 out of 6600 objects (not counting tests and
objects that don't depend on qemu/osdep.h). It includes block/aio.h,
which in turn includes qemu/event_notifier.h, qemu/notify.h,
qemu/processor.h, qemu/qsp.h, qemu/queue.h, qemu/thread-posix.h,
qemu/thread.h, qemu/timer.h, and a few more.

Include qemu/main-loop.h only where it's needed. Touching it now
recompiles only some 1700 objects. For block/aio.h and
qemu/event_notifier.h, these numbers drop from 5600 to 2800. For the
others, they shrink only slightly.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20190812052359.30071-21-armbru@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>

show more ...

Merge remote-tracking branch 'remotes/xtensa/tags/20190122-xtensa' into staging

target/xtensa: zero overhead loops rework/helpers split

- change xtensa zero overhead loops implement

Merge remote-tracking branch 'remotes/xtensa/tags/20190122-xtensa' into staging

target/xtensa: zero overhead loops rework/helpers split

- change xtensa zero overhead loops implementation to avoid invalidation
of TBs corresponding to previous loop body when a new loop is
encountered;
- extract helper function groups from op_helper.c and move them into
separate source files: exc_helper.c (exception helpers), win_helper.c
(windowed registers helpers), fpu_helper.c (floating point helpers),
mmu_helper.c (memory management helpers) and dbg_helper.c (native debug
helpers).

# gpg: Signature made Tue 22 Jan 2019 18:44:17 GMT
# gpg: using RSA key 51F9CC91F83FA044
# gpg: Good signature from "Max Filippov <filippov@cadence.com>"
# gpg: aka "Max Filippov <max.filippov@cogentembedded.com>"
# gpg: aka "Max Filippov <jcmvbkbc@gmail.com>"
# Primary key fingerprint: 2B67 854B 98E5 327D CDEB 17D8 51F9 CC91 F83F A044

* remotes/xtensa/tags/20190122-xtensa:
target/xtensa: move non-HELPER functions to helper.c
target/xtensa: drop dump_state helper
target/xtensa: extract interrupt and exception helpers
target/xtensa: extract debug helpers
target/xtensa: extract MMU helpers
target/xtensa: extract windowed registers helpers
target/xtensa: extract FPU helpers
target/xtensa: rework zero overhead loops implementation

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-misc-20181214' into staging

miscellaneous patches:
* checkpatch.pl: Enforce multiline comment syntax
* Rename cpu_physical_

Merge remote-tracking branch 'remotes/pmaydell/tags/pull-misc-20181214' into staging

miscellaneous patches:
* checkpatch.pl: Enforce multiline comment syntax
* Rename cpu_physical_memory_write_rom() to address_space_write_rom()
* disas, monitor, elf_ops: Use address_space_read() to read memory
* Remove load_image() in favour of load_image_size()
* Fix some minor memory leaks in arm boards/devices
* virt: fix broken indentation

# gpg: Signature made Fri 14 Dec 2018 14:41:20 GMT
# gpg: using RSA key 3C2525ED14360CDE
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>"
# gpg: aka "Peter Maydell <pmaydell@gmail.com>"
# gpg: aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>"
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83 15CF 3C25 25ED 1436 0CDE

* remotes/pmaydell/tags/pull-misc-20181214: (22 commits)
virt: Fix broken indentation
target/arm: Create timers in realize, not init
tests/test-arm-mptimer: Don't leak string memory
hw/sd/sdhci: Don't leak memory region in sdhci_sysbus_realize()
hw/arm/mps2-tz.c: Free mscname string in make_dma()
target/arm: Free name string in ARMCPRegInfo hashtable entries
include/hw/loader.h: Document load_image_size()
hw/core/loader.c: Remove load_image()
device_tree.c: Don't use load_image()
hw/block/tc58128.c: Don't use load_image()
hw/i386/multiboot.c: Don't use load_image()
hw/i386/pc.c: Don't use load_image()
hw/pci/pci.c: Don't use load_image()
hw/smbios/smbios.c: Don't use load_image()
hw/ppc/ppc405_boards: Don't use load_image()
hw/ppc/mac_newworld, mac_oldworld: Don't use load_image()
elf_ops.h: Use address_space_write() to write memory
monitor: Use address_space_read() to read memory
disas.c: Use address_space_read() to read memory
Rename cpu_physical_memory_write_rom() to address_space_write_rom()
...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block layer patches:

- qcow2: Decompression worker threads
- dmg: lzfse compression support
- fil

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging

Block layer patches:

- qcow2: Decompression worker threads
- dmg: lzfse compression support
- file-posix: Simplify delegation to worker thread
- Don't pass flags to bdrv_reopen_queue()
- iotests: make 235 work on s390 (and others)

# gpg: Signature made Fri 14 Dec 2018 10:55:09 GMT
# gpg: using RSA key 7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream: (42 commits)
block/mirror: add missing coroutine_fn annotations
iotests: make 235 work on s390 (and others)
block: Assert that flags are up-to-date in bdrv_reopen_prepare()
block: Remove assertions from update_flags_from_options()
block: Stop passing flags to bdrv_reopen_queue_child()
block: Remove flags parameter from bdrv_reopen_queue()
block: Clean up reopen_backing_file() in block/replication.c
qemu-io: Put flag changes in the options QDict in reopen_f()
block: Drop bdrv_reopen()
block: Use bdrv_reopen_set_read_only() in the mirror driver
block: Use bdrv_reopen_set_read_only() in external_snapshot_commit()
block: Use bdrv_reopen_set_read_only() in qmp_change_backing_file()
block: Use bdrv_reopen_set_read_only() in stream_start/complete()
block: Use bdrv_reopen_set_read_only() in bdrv_commit()
block: Use bdrv_reopen_set_read_only() in commit_start/complete()
block: Use bdrv_reopen_set_read_only() in bdrv_backing_update_filename()
block: Add bdrv_reopen_set_read_only()
file-posix: Avoid aio_worker() for QEMU_AIO_IOCTL
file-posix: Switch to .bdrv_co_ioctl
file-posix: Remove paio_submit_co()
...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge remote-tracking branch 'remotes/kraxel/tags/usb-20181214-pull-request' into staging

usb: fixes for mtp, ehci, usb-host and pvusb (xen).

# gpg: Signature made Fri 14 Dec 2018 1

Merge remote-tracking branch 'remotes/kraxel/tags/usb-20181214-pull-request' into staging

usb: fixes for mtp, ehci, usb-host and pvusb (xen).

# gpg: Signature made Fri 14 Dec 2018 10:38:33 GMT
# gpg: using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/usb-20181214-pull-request:
usb-mtp: Limit filename to object information size
usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
ehci: fix fetch qtd race
usb-host: reset and close libusb_device_handle before qemu exit
pvusb: set max grants only in initialise

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2018-12-13-v2' into staging

QAPI patches for 2018-12-13

# gpg: Signature made Fri 14 Dec 2018 05:53:51 GMT
# gpg:

Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2018-12-13-v2' into staging

QAPI patches for 2018-12-13

# gpg: Signature made Fri 14 Dec 2018 05:53:51 GMT
# gpg: using RSA key 3870B400EB918653
# gpg: Good signature from "Markus Armbruster <armbru@redhat.com>"
# gpg: aka "Markus Armbruster <armbru@pond.sub.org>"
# Primary key fingerprint: 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653

* remotes/armbru/tags/pull-qapi-2018-12-13-v2: (32 commits)
qapi: add conditions to REPLICATION type/commands on the schema
qapi: add more conditions to SPICE
qapi: add condition to variants documentation
qapi: add 'If:' condition to struct members documentation
qapi: add 'If:' condition to enum values documentation
qapi: Add #if conditions to generated code members
qapi: add 'if' to alternate members
qapi: add 'if' to union members
qapi: Add 'if' to implicit struct members
qapi: add a dictionary form for TYPE
qapi-events: add 'if' condition to implicit event enum
qapi: add 'if' to enum members
qapi: add a dictionary form with 'name' key for enum members
qapi: improve reporting of unknown or missing keys
qapi: factor out checking for keys
tests: print enum type members more like object type members
qapi: change enum visitor and gen_enum* to take QAPISchemaMember
qapi: Do not define enumeration value explicitly
qapi: break long lines at 'data' member
qapi: rename QAPISchemaEnumType.values to .members
...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Most notable change in this PR is the full removal of the "handle" fsdev
backend.

# gpg: Signature ma

Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Most notable change in this PR is the full removal of the "handle" fsdev
backend.

# gpg: Signature made Wed 12 Dec 2018 13:20:42 GMT
# gpg: using RSA key 71D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <groug@kaod.org>"
# gpg: aka "Gregory Kurz <gregory.kurz@free.fr>"
# gpg: aka "[jpeg image of size 3330]"
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6

* remotes/gkurz/tags/for-upstream:
9p: remove support for the "handle" backend
xen/9pfs: use g_new(T, n) instead of g_malloc(sizeof(T) * n)
9p: use g_new(T, n) instead of g_malloc(sizeof(T) * n)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

9p: use g_new(T, n) instead of g_malloc(sizeof(T) * n)

Because it is a recommended coding practice (see HACKING).

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Anthony

9p: use g_new(T, n) instead of g_malloc(sizeof(T) * n)

Because it is a recommended coding practice (see HACKING).

Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>

show more ...

Merge remote-tracking branch 'remotes/kraxel/tags/fixes-31-20181127-pull-request' into staging

various bugfixes for 3.1: fmops, ps2, cirrus, hda, usb-host, qapi

# gpg: Signature mad

Merge remote-tracking branch 'remotes/kraxel/tags/fixes-31-20181127-pull-request' into staging

various bugfixes for 3.1: fmops, ps2, cirrus, hda, usb-host, qapi

# gpg: Signature made Tue 27 Nov 2018 06:49:13 GMT
# gpg: using RSA key 4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
# gpg: aka "Gerd Hoffmann <gerd@kraxel.org>"
# gpg: aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
# Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138

* remotes/kraxel/tags/fixes-31-20181127-pull-request:
qapi: add query-display-options command
usb-host: set ifs.detached as true if kernel driver is not active
audio/hda: fix guest triggerable assert
cirrus_vga/migration: update the bank offset before use
ps2kbd: default to scan enabled after reset
fmops: fix off-by-one in AR_TABLE and DR_TABLE array size

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Fixes a QEMU crash triggerable by guest userspace (CVE-2018-19489).

# gpg: Signature made Mon 26 Nov 2018

Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Fixes a QEMU crash triggerable by guest userspace (CVE-2018-19489).

# gpg: Signature made Mon 26 Nov 2018 07:25:01 GMT
# gpg: using RSA key 71D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <groug@kaod.org>"
# gpg: aka "Gregory Kurz <gregory.kurz@free.fr>"
# gpg: aka "[jpeg image of size 3330]"
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6

* remotes/gkurz/tags/for-upstream:
9p: fix QEMU crash when renaming files

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

9p: fix QEMU crash when renaming files

When using the 9P2000.u version of the protocol, the following shell
command line in the guest can cause QEMU to crash:

while true; do

9p: fix QEMU crash when renaming files

When using the 9P2000.u version of the protocol, the following shell
command line in the guest can cause QEMU to crash:

while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done

With 9P2000.u, file renaming is handled by the WSTAT command. The
v9fs_wstat() function calls v9fs_complete_rename(), which calls
v9fs_fix_path() for every fid whose path is affected by the change.
The involved calls to v9fs_path_copy() may race with any other access
to the fid path performed by some worker thread, causing a crash like
shown below:

Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0,
flags=65536, mode=0) at hw/9pfs/9p-local.c:59
59 while (*path && fd != -1) {
(gdb) bt
#0 0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8,
path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59
#1 0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=0x555557d958b8,
path=0x0) at hw/9pfs/9p-local.c:92
#2 0x0000555555a261b8 in local_lstat (fs_ctx=0x555557d958b8,
fs_path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/9p-local.c:185
#3 0x0000555555a2b367 in v9fs_co_lstat (pdu=0x555557d97498,
path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/cofile.c:53
#4 0x0000555555a1e9e2 in v9fs_stat (opaque=0x555557d97498)
at hw/9pfs/9p.c:1083
#5 0x0000555555e060a2 in coroutine_trampoline (i0=-669165424, i1=32767)
at util/coroutine-ucontext.c:116
#6 0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6
#7 0x0000000000000000 in ()
(gdb)

The fix is to take the path write lock when calling v9fs_complete_rename(),
like in v9fs_rename().

Impact: DoS triggered by unprivileged guest users.

Fixes: CVE-2018-19489
Cc: P J P <ppandit@redhat.com>
Reported-by: zhibin hu <noirfate@gmail.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Greg Kurz <groug@kaod.org>

show more ...

9p: take write lock on fid path updates (CVE-2018-19364)

Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could
possibly overwrite a fid path with v9fs_path_copy() while

9p: take write lock on fid path updates (CVE-2018-19364)

Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could
possibly overwrite a fid path with v9fs_path_copy() while it is being
accessed by some other thread, ie, use-after-free that can be detected
by ASAN with a custom 9p client.

It turns out that the same can happen at several locations where
v9fs_path_copy() is used to set the fid path. The fix is again to
take the write lock.

Fixes CVE-2018-19364.

Cc: P J P <ppandit@redhat.com>
Reported-by: zhibin hu <noirfate@gmail.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Greg Kurz <groug@kaod.org>

show more ...

Merge remote-tracking branch 'remotes/thibault/tags/samuel-thibault' into staging

slirp updates

Prasad J Pandit (2):
slirp: Fix buffer overflow on packet reassembling

Merge remote-tracking branch 'remotes/thibault/tags/samuel-thibault' into staging

slirp updates

Prasad J Pandit (2):
slirp: Fix buffer overflow on packet reassembling

Samuel Thibault (3):
slirp: Add Samuel Thibault's staging tree for slirp
slirp: fix domainname version availability

# gpg: Signature made Fri 08 Jun 2018 07:12:24 BST
# gpg: using RSA key 996849C1CF560478
# gpg: Good signature from "Samuel Thibault <samuel.thibault@aquilenet.fr>"
# gpg: aka "Samuel Thibault <sthibault@debian.org>"
# gpg: aka "Samuel Thibault <samuel.thibault@gnu.org>"
# gpg: aka "Samuel Thibault <samuel.thibault@inria.fr>"
# gpg: aka "Samuel Thibault <samuel.thibault@labri.fr>"
# gpg: aka "Samuel Thibault <samuel.thibault@ens-lyon.org>"
# gpg: aka "Samuel Thibault <samuel.thibault@u-bordeaux.fr>"
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 900C B024 B679 31D4 0F82 304B D017 8C76 7D06 9EE6
# Subkey fingerprint: 3A3A 5D46 4660 E867 610C A427 9968 49C1 CF56 0478

* remotes/thibault/tags/samuel-thibault:
slirp: reformat m_inc routine
slirp: correct size computation while concatenating mbuf
slirp: fix domainname version availability
slirp: Add Samuel Thibault's staging tree for slirp
slirp: Fix spurious error report when sending directly

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Mostly bug fixes and code sanitization motivated by the upcoming
support for Darwin hosts. Thanks to Keno Fisc

Merge remote-tracking branch 'remotes/gkurz/tags/for-upstream' into staging

Mostly bug fixes and code sanitization motivated by the upcoming
support for Darwin hosts. Thanks to Keno Fischer.

# gpg: Signature made Thu 07 Jun 2018 11:30:56 BST
# gpg: using RSA key 71D4D5E5822F73D6
# gpg: Good signature from "Greg Kurz <groug@kaod.org>"
# gpg: aka "Gregory Kurz <gregory.kurz@free.fr>"
# gpg: aka "[jpeg image of size 3330]"
# Primary key fingerprint: B482 8BAF 9431 40CE F2A3 4910 71D4 D5E5 822F 73D6

* remotes/gkurz/tags/for-upstream:
9p: xattr: Properly translate xattrcreate flags
9p: Properly check/translate flags in unlinkat
9p: local: Avoid warning if FS_IOC_GETVERSION is not defined
9p: xattr: Fix crashes due to free of uninitialized value
9p: Move a couple xattr functions to 9p-util
9p: local: Properly set errp in fstatfs error path
9p: proxy: Fix size passed to `connect`

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

9p: xattr: Properly translate xattrcreate flags

As with unlinkat, these flags come from the client and need to
be translated to their host values. The protocol values happen
to match

9p: xattr: Properly translate xattrcreate flags

As with unlinkat, these flags come from the client and need to
be translated to their host values. The protocol values happen
to match linux, but that need not be true in general.

Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Signed-off-by: Greg Kurz <groug@kaod.org>

show more ...

9p: Properly check/translate flags in unlinkat

The 9p-local code previously relied on P9_DOTL_AT_REMOVEDIR and AT_REMOVEDIR
having the same numerical value and deferred any errorchecking

9p: Properly check/translate flags in unlinkat

The 9p-local code previously relied on P9_DOTL_AT_REMOVEDIR and AT_REMOVEDIR
having the same numerical value and deferred any errorchecking to the
syscall itself. However, while the former assumption is true on Linux,
it is not true in general. 9p-handle did this properly however. Move
the translation code to the generic 9p server code and add an error
if unrecognized flags are passed.

Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Signed-off-by: Greg Kurz <groug@kaod.org>

show more ...

9p: xattr: Fix crashes due to free of uninitialized value

If the size returned from llistxattr/lgetxattr is 0, we skipped
the malloc call, leaving xattr.value uninitialized. However, thi

9p: xattr: Fix crashes due to free of uninitialized value

If the size returned from llistxattr/lgetxattr is 0, we skipped
the malloc call, leaving xattr.value uninitialized. However, this
value is later passed to `g_free` without any further checks,
causing an error. Fix that by always calling g_malloc unconditionally.
If `size` is 0, it will return NULL, which is safe to pass to g_free.

Signed-off-by: Keno Fischer <keno@juliacomputing.com>
Signed-off-by: Greg Kurz <groug@kaod.org>

show more ...

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2018-05-04' into staging

nbd patches for 2018-05-04

- Vladimir Sementsov-Ogievskiy: 0/2 fix coverity bugs
- Eric Blake:

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2018-05-04' into staging

nbd patches for 2018-05-04

- Vladimir Sementsov-Ogievskiy: 0/2 fix coverity bugs
- Eric Blake: nbd/client: Fix error messages during NBD_INFO_BLOCK_SIZE
- Eric Blake: nbd/client: Relax handling of large NBD_CMD_BLOCK_STATUS reply

# gpg: Signature made Fri 04 May 2018 14:25:55 BST
# gpg: using RSA key A7A16B4A2527436A
# gpg: Good signature from "Eric Blake <eblake@redhat.com>"
# gpg: aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>"
# gpg: aka "[jpeg image of size 6874]"
# Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2 F3AA A7A1 6B4A 2527 436A

* remotes/ericb/tags/pull-nbd-2018-05-04:
nbd/client: Relax handling of large NBD_CMD_BLOCK_STATUS reply
nbd/client: Fix error messages during NBD_INFO_BLOCK_SIZE
migration/block-dirty-bitmap: fix memory leak in dirty_bitmap_load_bits
nbd/client: fix nbd_negotiate_simple_meta_context

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...

Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20180504' into staging

First s390x pull request for 2.13.
- new machine type
- extend SCLP event masks
- support configura

Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20180504' into staging

First s390x pull request for 2.13.
- new machine type
- extend SCLP event masks
- support configuration of consoles via -serial
- firmware improvements: non-sequential entries in boot menu, support
for indirect loading via .INS files in s390-netboot
- bugfixes and cleanups

# gpg: Signature made Fri 04 May 2018 08:19:57 BST
# gpg: using RSA key DECF6B93C6F02FAF
# gpg: Good signature from "Cornelia Huck <conny@cornelia-huck.de>"
# gpg: aka "Cornelia Huck <huckc@linux.vnet.ibm.com>"
# gpg: aka "Cornelia Huck <cornelia.huck@de.ibm.com>"
# gpg: aka "Cornelia Huck <cohuck@kernel.org>"
# gpg: aka "Cornelia Huck <cohuck@redhat.com>"
# Primary key fingerprint: C3D0 D66D C362 4FF6 A8C0 18CE DECF 6B93 C6F0 2FAF

* remotes/cohuck/tags/s390x-20180504:
pc-bios/s390: Update firmware images
s390-ccw: force diag 308 subcode to unsigned long
pc-bios/s390-ccw/net: Add support for .INS config files
pc-bios/s390-ccw/net: Use diag308 to reset machine before jumping to the OS
pc-bios/s390-ccw/net: Split up net_load() into init, load and release parts
pc-bios/s390-ccw: fix non-sequential boot entries (enum)
pc-bios/s390-ccw: fix non-sequential boot entries (eckd)
pc-bios/s390-ccw: fix loadparm initialization and int conversion
pc-bios/s390-ccw: rename MAX_TABLE_ENTRIES to MAX_BOOT_ENTRIES
pc-bios/s390-ccw: size_t should be unsigned
hw/s390x: Allow to configure the consoles with the "-serial" parameter
s390x/kvm: cleanup calls to cpu_synchronize_state()
vfio-ccw: introduce vfio_ccw_get_device()
s390x/sclp: extend SCLP event masks to 64 bits
s390x: introduce 2.13 compat machine

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>

show more ...