Commit e6ebbd46 authored by Peter Maydell's avatar Peter Maydell
Browse files

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging 



Block layer patches:

- file-posix: Fix shared permission locks after reopen
- block: Fix error path for failed .bdrv_reopen_prepare
- qcow2: Catch invalid allocations when the image becomes too large
- vvfat/fdc/nvme: Fix segfaults and leaks

# gpg: Signature made Mon 19 Nov 2018 14:28:18 GMT
# gpg:                using RSA key 7F09B272C88F2FD6
# gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
# Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6

* remotes/kevin/tags/for-upstream:
  iotests: Test file-posix locking and reopen
  file-posix: Fix shared locks on reopen commit
  block: Always abort reopen after prepare succeeded
  iotests: Add new test 220 for max compressed cluster offset
  qcow2: Don't allow overflow during cluster allocation
  qcow2: Document some maximum size constraints
  vvfat: Fix memory leak
  fdc: fix segfault in fdctrl_stop_transfer() when DMA is disabled
  nvme: fix oob access issue(CVE-2018-16847)

Signed-off-by: default avatarPeter Maydell <peter.maydell@linaro.org>
parents 9436e082 6d0a4a0f

block.c

+12 −0
Original line number Diff line number Diff line
@@ -3201,6 +3201,7 @@ int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue, 
    QDict *orig_reopen_opts;

    char *discard = NULL;

    bool read_only;

    bool drv_prepared = false;



    assert(reopen_state != NULL);

    assert(reopen_state->bs->drv != NULL);
@@ -3285,6 +3286,8 @@ int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue, 
        goto error;

    }



    drv_prepared = true;



    /* Options that are not handled are only okay if they are unchanged

     * compared to the old state. It is expected that some options are only

     * used for the initial open, but not reopen (e.g. filename) */
@@ -3350,6 +3353,15 @@ int bdrv_reopen_prepare(BDRVReopenState *reopen_state, BlockReopenQueue *queue, 
    reopen_state->options = qobject_ref(orig_reopen_opts);



error:

    if (ret < 0 && drv_prepared) {

        /* drv->bdrv_reopen_prepare() has succeeded, so we need to

         * call drv->bdrv_reopen_abort() before signaling an error

         * (bdrv_reopen_multiple() will not call bdrv_reopen_abort()

         * when the respective bdrv_reopen_prepare() has failed) */

        if (drv->bdrv_reopen_abort) {

            drv->bdrv_reopen_abort(reopen_state);

        }

    }

    qemu_opts_del(opts);

    qobject_unref(orig_reopen_opts);

    g_free(discard);

block/file-posix.c

+1 −1
Original line number Diff line number Diff line
@@ -959,7 +959,7 @@ static void raw_reopen_commit(BDRVReopenState *state) 


    /* Copy locks to the new fd before closing the old one. */

    raw_apply_lock_bytes(NULL, rs->fd, s->locked_perm,

                         ~s->locked_shared_perm, false, &local_err);

                         s->locked_shared_perm, false, &local_err);

    if (local_err) {

        /* shouldn't fail in a sane host, but report it just in case. */

        error_report_err(local_err);

block/qcow2-refcount.c

+13 −7
Original line number Diff line number Diff line
@@ -31,7 +31,8 @@ 
#include "qemu/bswap.h"

#include "qemu/cutils.h"



static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size);

static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size,

                                    uint64_t max);

static int QEMU_WARN_UNUSED_RESULT update_refcount(BlockDriverState *bs,

                            int64_t offset, int64_t length, uint64_t addend,

                            bool decrease, enum qcow2_discard_type type);
@@ -362,7 +363,7 @@ static int alloc_refcount_block(BlockDriverState *bs, 
    }



    /* Allocate the refcount block itself and mark it as used */

    int64_t new_block = alloc_clusters_noref(bs, s->cluster_size);

    int64_t new_block = alloc_clusters_noref(bs, s->cluster_size, INT64_MAX);

    if (new_block < 0) {

        return new_block;

    }
@@ -954,7 +955,8 @@ int qcow2_update_cluster_refcount(BlockDriverState *bs, 




/* return < 0 if error */

static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size)

static int64_t alloc_clusters_noref(BlockDriverState *bs, uint64_t size,

                                    uint64_t max)

{

    BDRVQcow2State *s = bs->opaque;

    uint64_t i, nb_clusters, refcount;
@@ -979,9 +981,9 @@ retry: 
    }



    /* Make sure that all offsets in the "allocated" range are representable

     * in an int64_t */

     * in the requested max */

    if (s->free_cluster_index > 0 &&

        s->free_cluster_index - 1 > (INT64_MAX >> s->cluster_bits))

        s->free_cluster_index - 1 > (max >> s->cluster_bits))

    {

        return -EFBIG;

    }
@@ -1001,7 +1003,7 @@ int64_t qcow2_alloc_clusters(BlockDriverState *bs, uint64_t size) 


    BLKDBG_EVENT(bs->file, BLKDBG_CLUSTER_ALLOC);

    do {

        offset = alloc_clusters_noref(bs, size);

        offset = alloc_clusters_noref(bs, size, QCOW_MAX_CLUSTER_OFFSET);

        if (offset < 0) {

            return offset;

        }
@@ -1083,7 +1085,11 @@ int64_t qcow2_alloc_bytes(BlockDriverState *bs, int size) 
    free_in_cluster = s->cluster_size - offset_into_cluster(s, offset);

    do {

        if (!offset || free_in_cluster < size) {

            int64_t new_cluster = alloc_clusters_noref(bs, s->cluster_size);

            int64_t new_cluster;



            new_cluster = alloc_clusters_noref(bs, s->cluster_size,

                                               MIN(s->cluster_offset_mask,

                                                   QCOW_MAX_CLUSTER_OFFSET));

            if (new_cluster < 0) {

                return new_cluster;

            }

block/qcow2.h

+6 −0
Original line number Diff line number Diff line
@@ -42,6 +42,12 @@ 
#define QCOW_MAX_CRYPT_CLUSTERS 32

#define QCOW_MAX_SNAPSHOTS 65536



/* Field widths in qcow2 mean normal cluster offsets cannot reach

 * 64PB; depending on cluster size, compressed clusters can have a

 * smaller limit (64PB for up to 16k clusters, then ramps down to

 * 512TB for 2M clusters).  */

#define QCOW_MAX_CLUSTER_OFFSET ((1ULL << 56) - 1)



/* 8 MB refcount table is enough for 2 PB images at 64k cluster size

 * (128 GB for 512 byte clusters, 2 EB for 2 MB clusters) */

#define QCOW_MAX_REFTABLE_SIZE S_8MiB

block/vvfat.c

+3 −3
Original line number Diff line number Diff line
@@ -2510,7 +2510,7 @@ static int commit_one_file(BDRVVVFATState* s, 
    uint32_t first_cluster = c;

    mapping_t* mapping = find_mapping_for_cluster(s, c);

    uint32_t size = filesize_of_direntry(direntry);

    char* cluster = g_malloc(s->cluster_size);

    char *cluster;

    uint32_t i;

    int fd = 0;
@@ -2528,17 +2528,17 @@ static int commit_one_file(BDRVVVFATState* s, 
    if (fd < 0) {

        fprintf(stderr, "Could not open %s... (%s, %d)\n", mapping->path,

                strerror(errno), errno);

        g_free(cluster);

        return fd;

    }

    if (offset > 0) {

        if (lseek(fd, offset, SEEK_SET) != offset) {

            qemu_close(fd);

            g_free(cluster);

            return -3;

        }

    }



    cluster = g_malloc(s->cluster_size);



    while (offset < size) {

        uint32_t c1;

        int rest_size = (size - offset > s->cluster_size ?