Series comparison

 [Qemu-devel] [PULL 0/2] Block patches
-The following changes since commit 285278ca785f5fa9a570927e1c0958a2ca2b2150:
+The following changes since commit 33f18cf7dca7741d3647d514040904ce83edd73d:
-  Merge remote-tracking branch 'remotes/famz/tags/testing-pull-request' into staging (2018-10-27 19:55:08 +0100)
+  Merge remote-tracking branch 'remotes/kraxel/tags/audio-20190821-pull-request' into staging (2019-08-21 15:18:50 +0100)
 are available in the Git repository at:
-  git://github.com/stefanha/qemu.git tags/block-pull-request
+  https://github.com/stefanha/qemu.git tags/block-pull-request
-for you to fetch changes up to bd54b11062c4baa7d2e4efadcf71b8cfd55311fd:
+for you to fetch changes up to 5d4c1ed3d46d7e2010b389fe5f3376f605182ab0:
-  nvdimm: Add docs hint for Linux driver name (2018-10-29 13:35:22 +0000)
+  vhost-user-scsi: prevent using uninitialized vqs (2019-08-22 16:52:23 +0100)
 ----------------------------------------------------------------
 Pull request
-No changelog-worthy entries, just small tweaks.
 ----------------------------------------------------------------
-Kees Cook (1):
+Raphael Norwitz (1):
-  nvdimm: Add docs hint for Linux driver name
+  vhost-user-scsi: prevent using uninitialized vqs
-Li Qiang (1):
+Stefan Hajnoczi (1):
-  util: aio-posix: fix a typo
+  util/async: hold AioContext ref to prevent use-after-free
- docs/nvdimm.txt  | 5 +++--
+ hw/scsi/vhost-user-scsi.c | 2 +-
- util/aio-posix.c | 2 +-
+ util/async.c              | 8 ++++++++
-files changed, 4 insertions(+), 3 deletions(-)
+files changed, 9 insertions(+), 1 deletion(-)
 --
-.17.2
+.21.0

-[Qemu-devel] [PULL 2/2] nvdimm: Add docs hint for Linux driver name
+[Qemu-devel] [PULL 1/2] util/async: hold AioContext ref to prevent use-after-free
-From: Kees Cook <keescook@chromium.org>
+The tests/test-bdrv-drain /bdrv-drain/iothread/drain test case does the
 following:
-I spent way too much time trying to figure out why the emulated NVDIMM
+. The preadv coroutine calls aio_bh_schedule_oneshot() and then yields.
-was missing under Linux. In an effort to help others who might be looking
+. The one-shot BH executes in another AioContext.  All it does is call
-for these kinds of things in the future, include a hint.
+   aio_co_wakeup(preadv_co).
 . The preadv coroutine is re-entered and returns.
-Signed-off-by: Kees Cook <keescook@chromium.org>
+There is a race condition in aio_co_wake() where the preadv coroutine
-Message-id: 20181018201351.GA25286@beast
+returns and the test case destroys the preadv IOThread.  aio_co_wake()
 can still be running in the other AioContext and it performs an access
 to the freed IOThread AioContext.
 Here is the race in aio_co_schedule():
   QSLIST_INSERT_HEAD_ATOMIC(&ctx->scheduled_coroutines,
                             co, co_scheduled_next);
   <-- race: co may execute before we invoke qemu_bh_schedule()!
   qemu_bh_schedule(ctx->co_schedule_bh);
 So if co causes ctx to be freed then we're in trouble.  Fix this problem
 by holding a reference to ctx.
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
 Message-id: 20190723190623.21537-1-stefanha@redhat.com
 Message-Id: <20190723190623.21537-1-stefanha@redhat.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- docs/nvdimm.txt | 5 +++--
+ util/async.c | 8 ++++++++
-file changed, 3 insertions(+), 2 deletions(-)
+file changed, 8 insertions(+)
-diff --git a/docs/nvdimm.txt b/docs/nvdimm.txt
+diff --git a/util/async.c b/util/async.c
 index XXXXXXX..XXXXXXX 100644
---- a/docs/nvdimm.txt
+--- a/util/async.c
-+++ b/docs/nvdimm.txt
++++ b/util/async.c
-@@ -XXX,XX +XXX,XX @@ Multiple vNVDIMM devices can be created if multiple pairs of "-object"
+@@ -XXX,XX +XXX,XX @@ void aio_co_schedule(AioContext *ctx, Coroutine *co)
- and "-device" are provided.
+         abort();
+     }
- For above command line options, if the guest OS has the proper NVDIMM
--driver, it should be able to detect a NVDIMM device which is in the
++    /* The coroutine might run and release the last ctx reference before we
--persistent memory mode and whose size is $NVDIMM_SIZE.
++     * invoke qemu_bh_schedule().  Take a reference to keep ctx alive until
-+driver (e.g. "CONFIG_ACPI_NFIT=y" under Linux), it should be able to
++     * we're done.
-+detect a NVDIMM device which is in the persistent memory mode and whose
++     */
-+size is $NVDIMM_SIZE.
++    aio_context_ref(ctx);
++
- Note:
+     QSLIST_INSERT_HEAD_ATOMIC(&ctx->scheduled_coroutines,
+                               co, co_scheduled_next);
      qemu_bh_schedule(ctx->co_schedule_bh);
 +
 +    aio_context_unref(ctx);
  }
  void aio_co_wake(struct Coroutine *co)
 --
-.17.2
+.21.0

-[Qemu-devel] [PULL 1/2] util: aio-posix: fix a typo
+[Qemu-devel] [PULL 2/2] vhost-user-scsi: prevent using uninitialized vqs
-From: Li Qiang <liq3ea@gmail.com>
+From: Raphael Norwitz <raphael.norwitz@nutanix.com>
-Cc: qemu-trivial@nongnu.org
+Of the 3 virtqueues, seabios only sets cmd, leaving ctrl
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
+and event without a physical address. This can cause
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+vhost_verify_ring_part_mapping to return ENOMEM, causing
-Reviewed-by: Fam Zheng <famz@redhat.com>
+the following logs:
-Message-id: 1538964972-3223-1-git-send-email-liq3ea@gmail.com
 qemu-system-x86_64: Unable to map available ring for ring 0
 qemu-system-x86_64: Verify ring failure on region 0
 The qemu commit e6cc11d64fc998c11a4dfcde8fda3fc33a74d844
 has already resolved the issue for vhost scsi devices but
 the fix was never applied to vhost-user scsi devices.
 Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
 Message-id: 1560299717-177734-1-git-send-email-raphael.norwitz@nutanix.com
 Message-Id: <1560299717-177734-1-git-send-email-raphael.norwitz@nutanix.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- util/aio-posix.c | 2 +-
+ hw/scsi/vhost-user-scsi.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/util/aio-posix.c b/util/aio-posix.c
+diff --git a/hw/scsi/vhost-user-scsi.c b/hw/scsi/vhost-user-scsi.c
 index XXXXXXX..XXXXXXX 100644
---- a/util/aio-posix.c
+--- a/hw/scsi/vhost-user-scsi.c
-+++ b/util/aio-posix.c
++++ b/hw/scsi/vhost-user-scsi.c
-@@ -XXX,XX +XXX,XX @@ struct AioHandler
+@@ -XXX,XX +XXX,XX @@ static void vhost_user_scsi_realize(DeviceState *dev, Error **errp)
+     }
- #ifdef CONFIG_EPOLL_CREATE1
+     vsc->dev.nvqs = 2 + vs->conf.num_queues;
--/* The fd number threashold to switch to epoll */
+-    vsc->dev.vqs = g_new(struct vhost_virtqueue, vsc->dev.nvqs);
-+/* The fd number threshold to switch to epoll */
++    vsc->dev.vqs = g_new0(struct vhost_virtqueue, vsc->dev.nvqs);
- #define EPOLL_ENABLE_THRESHOLD 64
+     vsc->dev.vq_index = 0;
+     vsc->dev.backend_features = 0;
- static void aio_epoll_disable(AioContext *ctx)
+     vqs = vsc->dev.vqs;
 --
-.17.2
+.21.0

From: Kees Cook <keescook@chromium.org>

I spent way too much time trying to figure out why the emulated NVDIMM
was missing under Linux. In an effort to help others who might be looking
for these kinds of things in the future, include a hint.

Signed-off-by: Kees Cook <keescook@chromium.org>
Message-id: 20181018201351.GA25286@beast
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 docs/nvdimm.txt | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/nvdimm.txt b/docs/nvdimm.txt
index XXXXXXX..XXXXXXX 100644
--- a/docs/nvdimm.txt
+++ b/docs/nvdimm.txt
@@ -XXX,XX +XXX,XX @@ Multiple vNVDIMM devices can be created if multiple pairs of "-object"
 and "-device" are provided.
 
 For above command line options, if the guest OS has the proper NVDIMM
-driver, it should be able to detect a NVDIMM device which is in the
-persistent memory mode and whose size is $NVDIMM_SIZE.
+driver (e.g. "CONFIG_ACPI_NFIT=y" under Linux), it should be able to
+detect a NVDIMM device which is in the persistent memory mode and whose
+size is $NVDIMM_SIZE.
 
 Note:
 
-- 
2.17.2

The tests/test-bdrv-drain /bdrv-drain/iothread/drain test case does the
following:

1. The preadv coroutine calls aio_bh_schedule_oneshot() and then yields.
2. The one-shot BH executes in another AioContext.  All it does is call
   aio_co_wakeup(preadv_co).
3. The preadv coroutine is re-entered and returns.

There is a race condition in aio_co_wake() where the preadv coroutine
returns and the test case destroys the preadv IOThread.  aio_co_wake()
can still be running in the other AioContext and it performs an access
to the freed IOThread AioContext.

Here is the race in aio_co_schedule():

QSLIST_INSERT_HEAD_ATOMIC(&ctx->scheduled_coroutines,
                            co, co_scheduled_next);
  <-- race: co may execute before we invoke qemu_bh_schedule()!
  qemu_bh_schedule(ctx->co_schedule_bh);

So if co causes ctx to be freed then we're in trouble.  Fix this problem
by holding a reference to ctx.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20190723190623.21537-1-stefanha@redhat.com
Message-Id: <20190723190623.21537-1-stefanha@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 util/async.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/util/async.c b/util/async.c
index XXXXXXX..XXXXXXX 100644
--- a/util/async.c
+++ b/util/async.c
@@ -XXX,XX +XXX,XX @@ void aio_co_schedule(AioContext *ctx, Coroutine *co)
         abort();
     }
 
+    /* The coroutine might run and release the last ctx reference before we
+     * invoke qemu_bh_schedule().  Take a reference to keep ctx alive until
+     * we're done.
+     */
+    aio_context_ref(ctx);
+
     QSLIST_INSERT_HEAD_ATOMIC(&ctx->scheduled_coroutines,
                               co, co_scheduled_next);
     qemu_bh_schedule(ctx->co_schedule_bh);
+
+    aio_context_unref(ctx);
 }
 
 void aio_co_wake(struct Coroutine *co)
-- 
2.21.0

From: Raphael Norwitz <raphael.norwitz@nutanix.com>

Of the 3 virtqueues, seabios only sets cmd, leaving ctrl
and event without a physical address. This can cause
vhost_verify_ring_part_mapping to return ENOMEM, causing
the following logs:

qemu-system-x86_64: Unable to map available ring for ring 0
qemu-system-x86_64: Verify ring failure on region 0

The qemu commit e6cc11d64fc998c11a4dfcde8fda3fc33a74d844
has already resolved the issue for vhost scsi devices but
the fix was never applied to vhost-user scsi devices.

Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1560299717-177734-1-git-send-email-raphael.norwitz@nutanix.com
Message-Id: <1560299717-177734-1-git-send-email-raphael.norwitz@nutanix.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/scsi/vhost-user-scsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/scsi/vhost-user-scsi.c b/hw/scsi/vhost-user-scsi.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/scsi/vhost-user-scsi.c
+++ b/hw/scsi/vhost-user-scsi.c
@@ -XXX,XX +XXX,XX @@ static void vhost_user_scsi_realize(DeviceState *dev, Error **errp)
     }
 
     vsc->dev.nvqs = 2 + vs->conf.num_queues;
-    vsc->dev.vqs = g_new(struct vhost_virtqueue, vsc->dev.nvqs);
+    vsc->dev.vqs = g_new0(struct vhost_virtqueue, vsc->dev.nvqs);
     vsc->dev.vq_index = 0;
     vsc->dev.backend_features = 0;
     vqs = vsc->dev.vqs;
-- 
2.21.0