Series comparison

-[Qemu-devel] [PULL 0/2] Block patches
+[PULL for-6.1 0/1] Block patches
-The following changes since commit 285278ca785f5fa9a570927e1c0958a2ca2b2150:
+The following changes since commit a2376507f615495b1d16685449ce0ea78c2caf9d:
-  Merge remote-tracking branch 'remotes/famz/tags/testing-pull-request' into staging (2018-10-27 19:55:08 +0100)
+  Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging (2021-07-24 11:04:57 +0100)
 are available in the Git repository at:
-  git://github.com/stefanha/qemu.git tags/block-pull-request
+  https://gitlab.com/stefanha/qemu.git tags/block-pull-request
-for you to fetch changes up to bd54b11062c4baa7d2e4efadcf71b8cfd55311fd:
+for you to fetch changes up to 15a730e7a3aaac180df72cd5730e0617bcf44a5a:
-  nvdimm: Add docs hint for Linux driver name (2018-10-29 13:35:22 +0000)
+  block/nvme: Fix VFIO_MAP_DMA failed: No space left on device (2021-07-26 09:38:12 +0100)
 ----------------------------------------------------------------
 Pull request
-No changelog-worthy entries, just small tweaks.
+Phil's block/nvme.c ENOSPC fix for newer Linux kernels that return this errno.
 ----------------------------------------------------------------
-Kees Cook (1):
+Philippe Mathieu-Daudé (1):
-  nvdimm: Add docs hint for Linux driver name
+  block/nvme: Fix VFIO_MAP_DMA failed: No space left on device
-Li Qiang (1):
+ block/nvme.c | 22 ++++++++++++++++++++++
-  util: aio-posix: fix a typo
+file changed, 22 insertions(+)
  docs/nvdimm.txt  | 5 +++--
  util/aio-posix.c | 2 +-
 files changed, 4 insertions(+), 3 deletions(-)
 --
-.17.2
+.31.1

-[Qemu-devel] [PULL 1/2] util: aio-posix: fix a typo
+Deleted patch
-From: Li Qiang <liq3ea@gmail.com>
-Cc: qemu-trivial@nongnu.org
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Fam Zheng <famz@redhat.com>
-Message-id: 1538964972-3223-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
- util/aio-posix.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/util/aio-posix.c b/util/aio-posix.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/aio-posix.c
-+++ b/util/aio-posix.c
-@@ -XXX,XX +XXX,XX @@ struct AioHandler
- #ifdef CONFIG_EPOLL_CREATE1
--/* The fd number threashold to switch to epoll */
-+/* The fd number threshold to switch to epoll */
- #define EPOLL_ENABLE_THRESHOLD 64
- static void aio_epoll_disable(AioContext *ctx)
---
-.17.2

-[Qemu-devel] [PULL 2/2] nvdimm: Add docs hint for Linux driver name
+[PULL for-6.1 1/1] block/nvme: Fix VFIO_MAP_DMA failed: No space left on device
-From: Kees Cook <keescook@chromium.org>
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
-I spent way too much time trying to figure out why the emulated NVDIMM
+When the NVMe block driver was introduced (see commit bdd6a90a9e5,
-was missing under Linux. In an effort to help others who might be looking
+January 2018), Linux VFIO_IOMMU_MAP_DMA ioctl was only returning
-for these kinds of things in the future, include a hint.
+-ENOMEM in case of error. The driver was correctly handling the
 error path to recycle its volatile IOVA mappings.
-Signed-off-by: Kees Cook <keescook@chromium.org>
+To fix CVE-2019-3882, Linux commit 492855939bdb ("vfio/type1: Limit
-Message-id: 20181018201351.GA25286@beast
+DMA mappings per container", April 2019) added the -ENOSPC error to
 signal the user exhausted the DMA mappings available for a container.
 The block driver started to mis-behave:
   qemu-system-x86_64: VFIO_MAP_DMA failed: No space left on device
   (qemu)
   (qemu) info status
   VM status: paused (io-error)
   (qemu) c
   VFIO_MAP_DMA failed: No space left on device
   (qemu) c
   VFIO_MAP_DMA failed: No space left on device
 (The VM is not resumable from here, hence stuck.)
 Fix by handling the new -ENOSPC error (when DMA mappings are
 exhausted) without any distinction to the current -ENOMEM error,
 so we don't change the behavior on old kernels where the CVE-2019-3882
 fix is not present.
 An easy way to reproduce this bug is to restrict the DMA mapping
 limit (65535 by default) when loading the VFIO IOMMU module:
   # modprobe vfio_iommu_type1 dma_entry_limit=666
 Cc: qemu-stable@nongnu.org
 Cc: Fam Zheng <fam@euphon.net>
 Cc: Maxim Levitsky <mlevitsk@redhat.com>
 Cc: Alex Williamson <alex.williamson@redhat.com>
 Reported-by: Michal Prívozník <mprivozn@redhat.com>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20210723195843.1032825-1-philmd@redhat.com
 Fixes: bdd6a90a9e5 ("block: Add VFIO based NVMe driver")
 Buglink: https://bugs.launchpad.net/qemu/+bug/1863333
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/65
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
- docs/nvdimm.txt | 5 +++--
+ block/nvme.c | 22 ++++++++++++++++++++++
-file changed, 3 insertions(+), 2 deletions(-)
+file changed, 22 insertions(+)
-diff --git a/docs/nvdimm.txt b/docs/nvdimm.txt
+diff --git a/block/nvme.c b/block/nvme.c
 index XXXXXXX..XXXXXXX 100644
---- a/docs/nvdimm.txt
+--- a/block/nvme.c
-+++ b/docs/nvdimm.txt
++++ b/block/nvme.c
-@@ -XXX,XX +XXX,XX @@ Multiple vNVDIMM devices can be created if multiple pairs of "-object"
+@@ -XXX,XX +XXX,XX @@ try_map:
- and "-device" are provided.
+         r = qemu_vfio_dma_map(s->vfio,
+                               qiov->iov[i].iov_base,
- For above command line options, if the guest OS has the proper NVDIMM
+                               len, true, &iova);
--driver, it should be able to detect a NVDIMM device which is in the
++        if (r == -ENOSPC) {
--persistent memory mode and whose size is $NVDIMM_SIZE.
++            /*
-+driver (e.g. "CONFIG_ACPI_NFIT=y" under Linux), it should be able to
++             * In addition to the -ENOMEM error, the VFIO_IOMMU_MAP_DMA
-+detect a NVDIMM device which is in the persistent memory mode and whose
++             * ioctl returns -ENOSPC to signal the user exhausted the DMA
-+size is $NVDIMM_SIZE.
++             * mappings available for a container since Linux kernel commit
++             * 492855939bdb ("vfio/type1: Limit DMA mappings per container",
- Note:
++             * April 2019, see CVE-2019-3882).
++             *
 +             * This block driver already handles this error path by checking
 +             * for the -ENOMEM error, so we directly replace -ENOSPC by
 +             * -ENOMEM. Beside, -ENOSPC has a specific meaning for blockdev
 +             * coroutines: it triggers BLOCKDEV_ON_ERROR_ENOSPC and
 +             * BLOCK_ERROR_ACTION_STOP which stops the VM, asking the operator
 +             * to add more storage to the blockdev. Not something we can do
 +             * easily with an IOMMU :)
 +             */
 +            r = -ENOMEM;
 +        }
          if (r == -ENOMEM && retry) {
 +            /*
 +             * We exhausted the DMA mappings available for our container:
 +             * recycle the volatile IOVA mappings.
 +             */
              retry = false;
              trace_nvme_dma_flush_queue_wait(s);
              if (s->dma_map_count) {
 --
-.17.2
+.31.1

From: Kees Cook <keescook@chromium.org>

I spent way too much time trying to figure out why the emulated NVDIMM
was missing under Linux. In an effort to help others who might be looking
for these kinds of things in the future, include a hint.

Signed-off-by: Kees Cook <keescook@chromium.org>
Message-id: 20181018201351.GA25286@beast
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 docs/nvdimm.txt | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/nvdimm.txt b/docs/nvdimm.txt
index XXXXXXX..XXXXXXX 100644
--- a/docs/nvdimm.txt
+++ b/docs/nvdimm.txt
@@ -XXX,XX +XXX,XX @@ Multiple vNVDIMM devices can be created if multiple pairs of "-object"
 and "-device" are provided.
 
 For above command line options, if the guest OS has the proper NVDIMM
-driver, it should be able to detect a NVDIMM device which is in the
-persistent memory mode and whose size is $NVDIMM_SIZE.
+driver (e.g. "CONFIG_ACPI_NFIT=y" under Linux), it should be able to
+detect a NVDIMM device which is in the persistent memory mode and whose
+size is $NVDIMM_SIZE.
 
 Note:
 
-- 
2.17.2

From: Philippe Mathieu-Daudé <philmd@redhat.com>

When the NVMe block driver was introduced (see commit bdd6a90a9e5,
January 2018), Linux VFIO_IOMMU_MAP_DMA ioctl was only returning
-ENOMEM in case of error. The driver was correctly handling the
error path to recycle its volatile IOVA mappings.

To fix CVE-2019-3882, Linux commit 492855939bdb ("vfio/type1: Limit
DMA mappings per container", April 2019) added the -ENOSPC error to
signal the user exhausted the DMA mappings available for a container.

The block driver started to mis-behave:

qemu-system-x86_64: VFIO_MAP_DMA failed: No space left on device
  (qemu)
  (qemu) info status
  VM status: paused (io-error)
  (qemu) c
  VFIO_MAP_DMA failed: No space left on device
  (qemu) c
  VFIO_MAP_DMA failed: No space left on device

(The VM is not resumable from here, hence stuck.)

Fix by handling the new -ENOSPC error (when DMA mappings are
exhausted) without any distinction to the current -ENOMEM error,
so we don't change the behavior on old kernels where the CVE-2019-3882
fix is not present.

An easy way to reproduce this bug is to restrict the DMA mapping
limit (65535 by default) when loading the VFIO IOMMU module:

# modprobe vfio_iommu_type1 dma_entry_limit=666

Cc: qemu-stable@nongnu.org
Cc: Fam Zheng <fam@euphon.net>
Cc: Maxim Levitsky <mlevitsk@redhat.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Reported-by: Michal Prívozník <mprivozn@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20210723195843.1032825-1-philmd@redhat.com
Fixes: bdd6a90a9e5 ("block: Add VFIO based NVMe driver")
Buglink: https://bugs.launchpad.net/qemu/+bug/1863333
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/65
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 block/nvme.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/block/nvme.c b/block/nvme.c
index XXXXXXX..XXXXXXX 100644
--- a/block/nvme.c
+++ b/block/nvme.c
@@ -XXX,XX +XXX,XX @@ try_map:
         r = qemu_vfio_dma_map(s->vfio,
                               qiov->iov[i].iov_base,
                               len, true, &iova);
+        if (r == -ENOSPC) {
+            /*
+             * In addition to the -ENOMEM error, the VFIO_IOMMU_MAP_DMA
+             * ioctl returns -ENOSPC to signal the user exhausted the DMA
+             * mappings available for a container since Linux kernel commit
+             * 492855939bdb ("vfio/type1: Limit DMA mappings per container",
+             * April 2019, see CVE-2019-3882).
+             *
+             * This block driver already handles this error path by checking
+             * for the -ENOMEM error, so we directly replace -ENOSPC by
+             * -ENOMEM. Beside, -ENOSPC has a specific meaning for blockdev
+             * coroutines: it triggers BLOCKDEV_ON_ERROR_ENOSPC and
+             * BLOCK_ERROR_ACTION_STOP which stops the VM, asking the operator
+             * to add more storage to the blockdev. Not something we can do
+             * easily with an IOMMU :)
+             */
+            r = -ENOMEM;
+        }
         if (r == -ENOMEM && retry) {
+            /*
+             * We exhausted the DMA mappings available for our container:
+             * recycle the volatile IOVA mappings.
+             */
             retry = false;
             trace_nvme_dma_flush_queue_wait(s);
             if (s->dma_map_count) {
-- 
2.31.1