| 1 | The following changes since commit b384cd95eb9c6f73ad84ed1bb0717a26e29cc78f: | 1 | The following changes since commit 661c2e1ab29cd9c4d268ae3f44712e8d421c0e56: |
|---|---|---|---|
| 2 | 2 | ||
| 3 | Merge remote-tracking branch 'remotes/ehabkost/tags/machine-next-pull-request' into staging (2018-01-19 16:35:25 +0000) | 3 | scripts/checkpatch: Fix a typo (2025-03-04 09:30:26 +0800) |
| 4 | 4 | ||
| 5 | are available in the Git repository at: | 5 | are available in the Git repository at: |
| 6 | 6 | ||
| 7 | git://github.com/stefanha/qemu.git tags/block-pull-request | 7 | https://gitlab.com/stefanha/qemu.git tags/block-pull-request |
| 8 | 8 | ||
| 9 | for you to fetch changes up to 91661dbdff76d526d22bc7ddf9df3d41e80cdbbf: | 9 | for you to fetch changes up to 2ad638a3d160923ef3dbf87c73944e6e44bdc724: |
| 10 | 10 | ||
| 11 | block: add block_set_io_throttle virtio-blk-pci QMP example (2018-01-22 12:19:14 +0000) | 11 | block/qed: fix use-after-free by nullifying timer pointer after free (2025-03-06 10:19:54 +0800) |
| 12 | |||
| 13 | ---------------------------------------------------------------- | ||
| 14 | Pull request | ||
| 15 | |||
| 16 | QED need_check_timer use-after-free fix | ||
| 12 | 17 | ||
| 13 | ---------------------------------------------------------------- | 18 | ---------------------------------------------------------------- |
| 14 | 19 | ||
| 15 | ---------------------------------------------------------------- | 20 | Denis Rastyogin (1): |
| 21 | block/qed: fix use-after-free by nullifying timer pointer after free | ||
| 16 | 22 | ||
| 17 | Mao Zhongyi (1): | 23 | block/qed.c | 1 + |
| 18 | hw/block: Use errp directly rather than local_err | 24 | 1 file changed, 1 insertion(+) |
| 19 | |||
| 20 | Stefan Hajnoczi (1): | ||
| 21 | block: add block_set_io_throttle virtio-blk-pci QMP example | ||
| 22 | |||
| 23 | qapi/block-core.json | 18 ++++++++++++++++++ | ||
| 24 | hw/block/virtio-blk.c | 5 +---- | ||
| 25 | 2 files changed, 19 insertions(+), 4 deletions(-) | ||
| 26 | 25 | ||
| 27 | -- | 26 | -- |
| 28 | 2.14.3 | 27 | 2.48.1 |
| 29 | |||
| 30 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | From: Mao Zhongyi <maozy.fnst@cn.fujitsu.com> | ||
| 2 | 1 | ||
| 3 | Cc: John Snow <jsnow@redhat.com> | ||
| 4 | Cc: Kevin Wolf <kwolf@redhat.com> | ||
| 5 | Cc: Max Reitz <mreitz@redhat.com> | ||
| 6 | Cc: Keith Busch <keith.busch@intel.com> | ||
| 7 | Cc: Stefan Hajnoczi <stefanha@redhat.com> | ||
| 8 | Cc: "Michael S. Tsirkin" <mst@redhat.com> | ||
| 9 | Cc: Paolo Bonzini <pbonzini@redhat.com> | ||
| 10 | Cc: Gerd Hoffmann <kraxel@redhat.com> | ||
| 11 | Cc: Markus Armbruster <armbru@redhat.com> | ||
| 12 | |||
| 13 | Signed-off-by: Mao Zhongyi <maozy.fnst@cn.fujitsu.com> | ||
| 14 | Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
| 15 | Message-id: e77848d3735ba590f23ffbf8094379c646c33d79.1511317952.git.maozy.fnst@cn.fujitsu.com | ||
| 16 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
| 17 | --- | ||
| 18 | hw/block/virtio-blk.c | 5 +---- | ||
| 19 | 1 file changed, 1 insertion(+), 4 deletions(-) | ||
| 20 | |||
| 21 | diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c | ||
| 22 | index XXXXXXX..XXXXXXX 100644 | ||
| 23 | --- a/hw/block/virtio-blk.c | ||
| 24 | +++ b/hw/block/virtio-blk.c | ||
| 25 | @@ -XXX,XX +XXX,XX @@ static void virtio_blk_device_realize(DeviceState *dev, Error **errp) | ||
| 26 | VirtIODevice *vdev = VIRTIO_DEVICE(dev); | ||
| 27 | VirtIOBlock *s = VIRTIO_BLK(dev); | ||
| 28 | VirtIOBlkConf *conf = &s->conf; | ||
| 29 | - Error *err = NULL; | ||
| 30 | unsigned i; | ||
| 31 | |||
| 32 | if (!conf->conf.blk) { | ||
| 33 | @@ -XXX,XX +XXX,XX @@ static void virtio_blk_device_realize(DeviceState *dev, Error **errp) | ||
| 34 | for (i = 0; i < conf->num_queues; i++) { | ||
| 35 | virtio_add_queue(vdev, conf->queue_size, virtio_blk_handle_output); | ||
| 36 | } | ||
| 37 | - virtio_blk_data_plane_create(vdev, conf, &s->dataplane, &err); | ||
| 38 | - if (err != NULL) { | ||
| 39 | - error_propagate(errp, err); | ||
| 40 | + if (!virtio_blk_data_plane_create(vdev, conf, &s->dataplane, errp)) { | ||
| 41 | virtio_cleanup(vdev); | ||
| 42 | return; | ||
| 43 | } | ||
| 44 | -- | ||
| 45 | 2.14.3 | ||
| 46 | |||
| 47 | diff view generated by jsdifflib |
| 1 | The block_set_io_throttle command can look up BlockBackends by the | 1 | From: Denis Rastyogin <gerben@altlinux.org> |
|---|---|---|---|
| 2 | attached qdev device ID. virtio-blk-pci is a special case because the | ||
| 3 | actual VirtIOBlock device is the "/virtio-backend" child of the PCI | ||
| 4 | adapter device. | ||
| 5 | 2 | ||
| 6 | Add a QMP schema example so clients will know how to use | 3 | This error was discovered by fuzzing qemu-img. |
| 7 | block_set_io_throttle on the virtio-blk-pci device. | ||
| 8 | 4 | ||
| 9 | The alternative is to implement some sort of aliasing for qmp_get_blk() | 5 | In the QED block driver, the need_check_timer timer is freed in |
| 10 | but that is likely to cause confusion and could break future use cases. | 6 | bdrv_qed_detach_aio_context, but the pointer to the timer is not |
| 11 | Let's not go there. | 7 | set to NULL. This can lead to a use-after-free scenario |
| 8 | in bdrv_qed_drain_begin(). | ||
| 12 | 9 | ||
| 13 | Cc: Kevin Wolf <kwolf@redhat.com> | 10 | The need_check_timer pointer is set to NULL after freeing the timer. |
| 14 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | 11 | Which helps catch this condition when checking in bdrv_qed_drain_begin(). |
| 15 | Reviewed-by: Alberto Garcia <berto@igalia.com> | 12 | |
| 16 | Message-id: 20180117090700.25811-1-stefanha@redhat.com | 13 | Closes: https://gitlab.com/qemu-project/qemu/-/issues/2852 |
| 14 | Signed-off-by: Denis Rastyogin <gerben@altlinux.org> | ||
| 15 | Message-ID: <20250304083927.37681-1-gerben@altlinux.org> | ||
| 17 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | 16 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> |
| 18 | --- | 17 | --- |
| 19 | qapi/block-core.json | 18 ++++++++++++++++++ | 18 | block/qed.c | 1 + |
| 20 | 1 file changed, 18 insertions(+) | 19 | 1 file changed, 1 insertion(+) |
| 21 | 20 | ||
| 22 | diff --git a/qapi/block-core.json b/qapi/block-core.json | 21 | diff --git a/block/qed.c b/block/qed.c |
| 23 | index XXXXXXX..XXXXXXX 100644 | 22 | index XXXXXXX..XXXXXXX 100644 |
| 24 | --- a/qapi/block-core.json | 23 | --- a/block/qed.c |
| 25 | +++ b/qapi/block-core.json | 24 | +++ b/block/qed.c |
| 26 | @@ -XXX,XX +XXX,XX @@ | 25 | @@ -XXX,XX +XXX,XX @@ static void bdrv_qed_detach_aio_context(BlockDriverState *bs) |
| 27 | # Example: | 26 | |
| 28 | # | 27 | qed_cancel_need_check_timer(s); |
| 29 | # -> { "execute": "block_set_io_throttle", | 28 | timer_free(s->need_check_timer); |
| 30 | +# "arguments": { "id": "virtio-blk-pci0/virtio-backend", | 29 | + s->need_check_timer = NULL; |
| 31 | +# "bps": 0, | 30 | } |
| 32 | +# "bps_rd": 0, | 31 | |
| 33 | +# "bps_wr": 0, | 32 | static void bdrv_qed_attach_aio_context(BlockDriverState *bs, |
| 34 | +# "iops": 512, | ||
| 35 | +# "iops_rd": 0, | ||
| 36 | +# "iops_wr": 0, | ||
| 37 | +# "bps_max": 0, | ||
| 38 | +# "bps_rd_max": 0, | ||
| 39 | +# "bps_wr_max": 0, | ||
| 40 | +# "iops_max": 0, | ||
| 41 | +# "iops_rd_max": 0, | ||
| 42 | +# "iops_wr_max": 0, | ||
| 43 | +# "bps_max_length": 0, | ||
| 44 | +# "iops_size": 0 } } | ||
| 45 | +# <- { "return": {} } | ||
| 46 | +# | ||
| 47 | +# -> { "execute": "block_set_io_throttle", | ||
| 48 | # "arguments": { "id": "ide0-1-0", | ||
| 49 | # "bps": 1000000, | ||
| 50 | # "bps_rd": 0, | ||
| 51 | -- | 33 | -- |
| 52 | 2.14.3 | 34 | 2.48.1 |
| 53 | |||
| 54 | diff view generated by jsdifflib |