| 1 | The following changes since commit bb9bf94b3e8926553290bc9a7cb84315af422086: | 1 | The following changes since commit 661c2e1ab29cd9c4d268ae3f44712e8d421c0e56: |
|---|---|---|---|
| 2 | 2 | ||
| 3 | Merge remote-tracking branch 'remotes/ehabkost/tags/machine-next-pull-request' into staging (2018-12-11 19:18:58 +0000) | 3 | scripts/checkpatch: Fix a typo (2025-03-04 09:30:26 +0800) |
| 4 | 4 | ||
| 5 | are available in the Git repository at: | 5 | are available in the Git repository at: |
| 6 | 6 | ||
| 7 | git://github.com/stefanha/qemu.git tags/block-pull-request | 7 | https://gitlab.com/stefanha/qemu.git tags/block-pull-request |
| 8 | 8 | ||
| 9 | for you to fetch changes up to e61809ed8ac3a2f68eb1cc231244f84eb06adacf: | 9 | for you to fetch changes up to 2ad638a3d160923ef3dbf87c73944e6e44bdc724: |
| 10 | 10 | ||
| 11 | virtio-blk: fix comment for virtio_blk_rw_complete as nalloc is initially -1 (2018-12-12 09:16:55 +0000) | 11 | block/qed: fix use-after-free by nullifying timer pointer after free (2025-03-06 10:19:54 +0800) |
| 12 | 12 | ||
| 13 | ---------------------------------------------------------------- | 13 | ---------------------------------------------------------------- |
| 14 | Pull request | 14 | Pull request |
| 15 | 15 | ||
| 16 | Minor virtio-blk fixes. | 16 | QED need_check_timer use-after-free fix |
| 17 | 17 | ||
| 18 | ---------------------------------------------------------------- | 18 | ---------------------------------------------------------------- |
| 19 | 19 | ||
| 20 | Dongli Zhang (2): | 20 | Denis Rastyogin (1): |
| 21 | virtio-blk: rename iov to out_iov in virtio_blk_handle_request() | 21 | block/qed: fix use-after-free by nullifying timer pointer after free |
| 22 | virtio-blk: fix comment for virtio_blk_rw_complete as nalloc is | ||
| 23 | initially -1 | ||
| 24 | 22 | ||
| 25 | hw/block/virtio-blk.c | 10 +++++----- | 23 | block/qed.c | 1 + |
| 26 | 1 file changed, 5 insertions(+), 5 deletions(-) | 24 | 1 file changed, 1 insertion(+) |
| 27 | 25 | ||
| 28 | -- | 26 | -- |
| 29 | 2.19.2 | 27 | 2.48.1 |
| 30 | |||
| 31 | diff view generated by jsdifflib |
Deleted patch | |||
|---|---|---|---|
| 1 | From: Dongli Zhang <dongli.zhang@oracle.com> | ||
| 2 | 1 | ||
| 3 | In virtio_blk_handle_request(), in_iov is used for input header while iov | ||
| 4 | is used for output header. Rename iov to out_iov to pair output header's | ||
| 5 | name with in_iov to avoid confusing people when reading source code. | ||
| 6 | |||
| 7 | Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com> | ||
| 8 | Message-id: 1541520556-8334-1-git-send-email-dongli.zhang@oracle.com | ||
| 9 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
| 10 | --- | ||
| 11 | hw/block/virtio-blk.c | 8 ++++---- | ||
| 12 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
| 13 | |||
| 14 | diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c | ||
| 15 | index XXXXXXX..XXXXXXX 100644 | ||
| 16 | --- a/hw/block/virtio-blk.c | ||
| 17 | +++ b/hw/block/virtio-blk.c | ||
| 18 | @@ -XXX,XX +XXX,XX @@ static int virtio_blk_handle_request(VirtIOBlockReq *req, MultiReqBuffer *mrb) | ||
| 19 | { | ||
| 20 | uint32_t type; | ||
| 21 | struct iovec *in_iov = req->elem.in_sg; | ||
| 22 | - struct iovec *iov = req->elem.out_sg; | ||
| 23 | + struct iovec *out_iov = req->elem.out_sg; | ||
| 24 | unsigned in_num = req->elem.in_num; | ||
| 25 | unsigned out_num = req->elem.out_num; | ||
| 26 | VirtIOBlock *s = req->dev; | ||
| 27 | @@ -XXX,XX +XXX,XX @@ static int virtio_blk_handle_request(VirtIOBlockReq *req, MultiReqBuffer *mrb) | ||
| 28 | return -1; | ||
| 29 | } | ||
| 30 | |||
| 31 | - if (unlikely(iov_to_buf(iov, out_num, 0, &req->out, | ||
| 32 | + if (unlikely(iov_to_buf(out_iov, out_num, 0, &req->out, | ||
| 33 | sizeof(req->out)) != sizeof(req->out))) { | ||
| 34 | virtio_error(vdev, "virtio-blk request outhdr too short"); | ||
| 35 | return -1; | ||
| 36 | } | ||
| 37 | |||
| 38 | - iov_discard_front(&iov, &out_num, sizeof(req->out)); | ||
| 39 | + iov_discard_front(&out_iov, &out_num, sizeof(req->out)); | ||
| 40 | |||
| 41 | if (in_iov[in_num - 1].iov_len < sizeof(struct virtio_blk_inhdr)) { | ||
| 42 | virtio_error(vdev, "virtio-blk request inhdr too short"); | ||
| 43 | @@ -XXX,XX +XXX,XX @@ static int virtio_blk_handle_request(VirtIOBlockReq *req, MultiReqBuffer *mrb) | ||
| 44 | &req->out.sector); | ||
| 45 | |||
| 46 | if (is_write) { | ||
| 47 | - qemu_iovec_init_external(&req->qiov, iov, out_num); | ||
| 48 | + qemu_iovec_init_external(&req->qiov, out_iov, out_num); | ||
| 49 | trace_virtio_blk_handle_write(vdev, req, req->sector_num, | ||
| 50 | req->qiov.size / BDRV_SECTOR_SIZE); | ||
| 51 | } else { | ||
| 52 | -- | ||
| 53 | 2.19.2 | ||
| 54 | |||
| 55 | diff view generated by jsdifflib |
| 1 | From: Dongli Zhang <dongli.zhang@oracle.com> | 1 | From: Denis Rastyogin <gerben@altlinux.org> |
|---|---|---|---|
| 2 | 2 | ||
| 3 | The initial value of nalloc is -1, but not 1. | 3 | This error was discovered by fuzzing qemu-img. |
| 4 | 4 | ||
| 5 | Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com> | 5 | In the QED block driver, the need_check_timer timer is freed in |
| 6 | Reviewed-by: Laurent Vivier <laurent@vivier.eu> | 6 | bdrv_qed_detach_aio_context, but the pointer to the timer is not |
| 7 | Message-id: 1541479952-32355-1-git-send-email-dongli.zhang@oracle.com | 7 | set to NULL. This can lead to a use-after-free scenario |
| 8 | in bdrv_qed_drain_begin(). | ||
| 9 | |||
| 10 | The need_check_timer pointer is set to NULL after freeing the timer. | ||
| 11 | Which helps catch this condition when checking in bdrv_qed_drain_begin(). | ||
| 12 | |||
| 13 | Closes: https://gitlab.com/qemu-project/qemu/-/issues/2852 | ||
| 14 | Signed-off-by: Denis Rastyogin <gerben@altlinux.org> | ||
| 15 | Message-ID: <20250304083927.37681-1-gerben@altlinux.org> | ||
| 8 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | 16 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> |
| 9 | --- | 17 | --- |
| 10 | hw/block/virtio-blk.c | 2 +- | 18 | block/qed.c | 1 + |
| 11 | 1 file changed, 1 insertion(+), 1 deletion(-) | 19 | 1 file changed, 1 insertion(+) |
| 12 | 20 | ||
| 13 | diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c | 21 | diff --git a/block/qed.c b/block/qed.c |
| 14 | index XXXXXXX..XXXXXXX 100644 | 22 | index XXXXXXX..XXXXXXX 100644 |
| 15 | --- a/hw/block/virtio-blk.c | 23 | --- a/block/qed.c |
| 16 | +++ b/hw/block/virtio-blk.c | 24 | +++ b/block/qed.c |
| 17 | @@ -XXX,XX +XXX,XX @@ static void virtio_blk_rw_complete(void *opaque, int ret) | 25 | @@ -XXX,XX +XXX,XX @@ static void bdrv_qed_detach_aio_context(BlockDriverState *bs) |
| 18 | trace_virtio_blk_rw_complete(vdev, req, ret); | 26 | |
| 19 | 27 | qed_cancel_need_check_timer(s); | |
| 20 | if (req->qiov.nalloc != -1) { | 28 | timer_free(s->need_check_timer); |
| 21 | - /* If nalloc is != 1 req->qiov is a local copy of the original | 29 | + s->need_check_timer = NULL; |
| 22 | + /* If nalloc is != -1 req->qiov is a local copy of the original | 30 | } |
| 23 | * external iovec. It was allocated in submit_requests to be | 31 | |
| 24 | * able to merge requests. */ | 32 | static void bdrv_qed_attach_aio_context(BlockDriverState *bs, |
| 25 | qemu_iovec_destroy(&req->qiov); | ||
| 26 | -- | 33 | -- |
| 27 | 2.19.2 | 34 | 2.48.1 |
| 28 | |||
| 29 | diff view generated by jsdifflib |