The following changes since commit ec11dc41eec5142b4776db1296972c6323ba5847:

Merge tag 'pull-misc-2022-05-11' of git://repo.or.cz/qemu/armbru into staging (2022-05-11 09:00:26 -0700)

for you to fetch changes up to f70625299ecc9ba577c87f3d1d75012c747c7d88:

qemu-iotests: inline common.config into common.rc (2022-05-12 15:42:49 +0200)

Block layer patches

- coroutine: Fix crashes due to too large pool batch size

- fdc: Prevent end-of-track overrun

- nbd: MULTI_CONN for shared writable exports

- iotests test runner improvements

Daniel P. Berrangé (2):

tests/qemu-iotests: print intent to run a test in TAP mode

.gitlab-ci.d: export meson testlog.txt as an artifact

Eric Blake (2):

qemu-nbd: Pass max connections to blockdev layer

nbd/server: Allow MULTI_CONN for shared writable exports

Hanna Reitz (1):

iotests/testrunner: Flush after run_test()

Kevin Wolf (2):

coroutine: Rename qemu_coroutine_inc/dec_pool_size()

coroutine: Revert to constant batch size

Paolo Bonzini (1):

qemu-iotests: inline common.config into common.rc

Philippe Mathieu-Daudé (2):

hw/block/fdc: Prevent end-of-track overrun (CVE-2021-3507)

tests/qtest/fdc-test: Add a regression test for CVE-2021-3507

qapi/block-export.json | 8 +-

docs/interop/nbd.txt | 1 +

docs/tools/qemu-nbd.rst | 3 +-

include/block/nbd.h | 5 +-

include/qemu/coroutine.h | 6 +-

blockdev-nbd.c | 13 +-

hw/block/fdc.c | 8 ++

hw/block/virtio-blk.c | 6 +-

nbd/server.c | 10 +-

qemu-nbd.c | 2 +-

tests/qtest/fdc-test.c | 21 ++++

util/qemu-coroutine.c | 26 ++--

tests/qemu-iotests/testrunner.py | 4 +

.gitlab-ci.d/buildtest-template.yml | 12 +-

MAINTAINERS | 1 +

tests/qemu-iotests/common.config | 41 -------

tests/qemu-iotests/common.rc | 31 +++--

tests/qemu-iotests/tests/nbd-multiconn | 145 +++++++++++++++++++++++

tests/qemu-iotests/tests/nbd-multiconn.out | 5 +

tests/qemu-iotests/tests/nbd-qemu-allocation.out | 2 +-

20 files changed, 261 insertions(+), 89 deletions(-)

delete mode 100644 tests/qemu-iotests/common.config

create mode 100755 tests/qemu-iotests/tests/nbd-multiconn

create mode 100644 tests/qemu-iotests/tests/nbd-multiconn.out

It's true that these functions currently affect the batch size in which

coroutines are reused (i.e. moved from the global release pool to the

allocation pool of a specific thread), but this is a bug and will be

fixed in a separate patch.

In fact, the comment in the header file already just promises that it

influences the pool size, so reflect this in the name of the functions.

As a nice side effect, the shorter function name makes some line

wrapping unnecessary.

Cc: qemu-stable@nongnu.org

Message-Id: <20220510151020.105528-2-kwolf@redhat.com>

include/qemu/coroutine.h | 6 +++---

hw/block/virtio-blk.c | 6 ++----

util/qemu-coroutine.c | 4 ++--

3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h

--- a/include/qemu/coroutine.h

+++ b/include/qemu/coroutine.h

@@ -XXX,XX +XXX,XX @@ void coroutine_fn yield_until_fd_readable(int fd);

/**

* Increase coroutine pool size

*/

-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size);

+void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size);

/**

- * Devcrease coroutine pool size

+ * Decrease coroutine pool size

*/

-void qemu_coroutine_decrease_pool_batch_size(unsigned int additional_pool_size);

+void qemu_coroutine_dec_pool_size(unsigned int additional_pool_size);

#include "qemu/lockable.h"

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c

index XXXXXXX..XXXXXXX 100644

--- a/hw/block/virtio-blk.c

+++ b/hw/block/virtio-blk.c

@@ -XXX,XX +XXX,XX @@ static void virtio_blk_device_realize(DeviceState *dev, Error **errp)

for (i = 0; i < conf->num_queues; i++) {

virtio_add_queue(vdev, conf->queue_size, virtio_blk_handle_output);

}

- qemu_coroutine_increase_pool_batch_size(conf->num_queues * conf->queue_size

- / 2);

+ qemu_coroutine_inc_pool_size(conf->num_queues * conf->queue_size / 2);

virtio_blk_data_plane_create(vdev, conf, &s->dataplane, &err);

if (err != NULL) {

error_propagate(errp, err);

@@ -XXX,XX +XXX,XX @@ static void virtio_blk_device_unrealize(DeviceState *dev)

for (i = 0; i < conf->num_queues; i++) {

virtio_del_queue(vdev, i);

}

- qemu_coroutine_decrease_pool_batch_size(conf->num_queues * conf->queue_size

- / 2);

+ qemu_coroutine_dec_pool_size(conf->num_queues * conf->queue_size / 2);

qemu_del_vm_change_state_handler(s->change);

blockdev_mark_auto_del(s->blk);

virtio_cleanup(vdev);

diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c

index XXXXXXX..XXXXXXX 100644

--- a/util/qemu-coroutine.c

+++ b/util/qemu-coroutine.c

@@ -XXX,XX +XXX,XX @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)

return co->ctx;

}

-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size)

+void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)

qatomic_add(&pool_batch_size, additional_pool_size);

}

-void qemu_coroutine_decrease_pool_batch_size(unsigned int removing_pool_size)

+void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)

{

qatomic_sub(&pool_batch_size, removing_pool_size);

}

2.35.3

Commit 4c41c69e changed the way the coroutine pool is sized because for

virtio-blk devices with a large queue size and heavy I/O, it was just

too small and caused coroutines to be deleted and reallocated soon

afterwards. The change made the size dynamic based on the number of

queues and the queue size of virtio-blk devices.

There are two important numbers here: Slightly simplified, when a

coroutine terminates, it is generally stored in the global release pool

up to a certain pool size, and if the pool is full, it is freed.

Conversely, when allocating a new coroutine, the coroutines in the

release pool are reused if the pool already has reached a certain

minimum size (the batch size), otherwise we allocate new coroutines.

The problem after commit 4c41c69e is that it not only increases the

maximum pool size (which is the intended effect), but also the batch

size for reusing coroutines (which is a bug). It means that in cases

with many devices and/or a large queue size (which defaults to the

number of vcpus for virtio-blk-pci), many thousand coroutines could be

sitting in the release pool without being reused.

This is not only a waste of memory and allocations, but it actually

makes the QEMU process likely to hit the vm.max_map_count limit on Linux

because each coroutine requires two mappings (its stack and the guard

page for the stack), causing it to abort() in qemu_alloc_stack() because

when the limit is hit, mprotect() starts to fail with ENOMEM.

In order to fix the problem, change the batch size back to 64 to avoid

uselessly accumulating coroutines in the release pool, but keep the

dynamic maximum pool size so that coroutines aren't freed too early

in heavy I/O scenarios.

Note that this fix doesn't strictly make it impossible to hit the limit,

but this would only happen if most of the coroutines are actually in use

at the same time, not just sitting in a pool. This is the same behaviour

as we already had before commit 4c41c69e. Fully preventing this would

require allowing qemu_coroutine_create() to return an error, but it

doesn't seem to be a scenario that people hit in practice.

Cc: qemu-stable@nongnu.org

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2079938

Fixes: 4c41c69e05fe28c0f95f8abd2ebf407e95a4f04b

Signed-off-by: Kevin Wolf <kwolf@redhat.com>

Message-Id: <20220510151020.105528-3-kwolf@redhat.com>

Tested-by: Hiroki Narukawa <hnarukaw@yahoo-corp.jp>

util/qemu-coroutine.c | 22 ++++++++++++++--------

1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c

--- a/util/qemu-coroutine.c

+++ b/util/qemu-coroutine.c

@@ -XXX,XX +XXX,XX @@

#include "qemu/coroutine-tls.h"

#include "block/aio.h"

-/** Initial batch size is 64, and is increased on demand */

+/**

+ * The minimal batch size is always 64, coroutines from the release_pool are

+ * reused as soon as there are 64 coroutines in it. The maximum pool size starts

+ * with 64 and is increased on demand so that coroutines are not deleted even if

+ * they are not immediately reused.

+ */

enum {

- POOL_INITIAL_BATCH_SIZE = 64,

+ POOL_MIN_BATCH_SIZE = 64,

+ POOL_INITIAL_MAX_SIZE = 64,

};

/** Free list to speed up creation */

static QSLIST_HEAD(, Coroutine) release_pool = QSLIST_HEAD_INITIALIZER(pool);

-static unsigned int pool_batch_size = POOL_INITIAL_BATCH_SIZE;

+static unsigned int pool_max_size = POOL_INITIAL_MAX_SIZE;

static unsigned int release_pool_size;

typedef QSLIST_HEAD(, Coroutine) CoroutineQSList;

@@ -XXX,XX +XXX,XX @@ Coroutine *qemu_coroutine_create(CoroutineEntry *entry, void *opaque)

co = QSLIST_FIRST(alloc_pool);

if (!co) {

- if (release_pool_size > qatomic_read(&pool_batch_size)) {

+ if (release_pool_size > POOL_MIN_BATCH_SIZE) {

/* Slow path; a good place to register the destructor, too. */

Notifier *notifier = get_ptr_coroutine_pool_cleanup_notifier();

if (!notifier->notify) {

@@ -XXX,XX +XXX,XX @@ static void coroutine_delete(Coroutine *co)

co->caller = NULL;

if (CONFIG_COROUTINE_POOL) {

- if (release_pool_size < qatomic_read(&pool_batch_size) * 2) {

+ if (release_pool_size < qatomic_read(&pool_max_size) * 2) {

QSLIST_INSERT_HEAD_ATOMIC(&release_pool, co, pool_next);

qatomic_inc(&release_pool_size);

return;

}

- if (get_alloc_pool_size() < qatomic_read(&pool_batch_size)) {

+ if (get_alloc_pool_size() < qatomic_read(&pool_max_size)) {

QSLIST_INSERT_HEAD(get_ptr_alloc_pool(), co, pool_next);

set_alloc_pool_size(get_alloc_pool_size() + 1);

return;

@@ -XXX,XX +XXX,XX @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)

void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)

{

- qatomic_add(&pool_batch_size, additional_pool_size);

+ qatomic_add(&pool_max_size, additional_pool_size);

}

void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)

{

- qatomic_sub(&pool_batch_size, removing_pool_size);

+ qatomic_sub(&pool_max_size, removing_pool_size);

}

2.35.3

From: Hanna Reitz <hreitz@redhat.com>

When stdout is not a terminal, the buffer may not be flushed at each end

of line, so we should flush after each test is done. This is especially

apparent when run by check-block, in two ways:

First, when running make check-block -jX with X > 1, progress indication

was missing, even though testrunner.py does theoretically print each

test's status once it has been run, even in multi-processing mode.

Flushing after each test restores this progress indication.

Second, sometimes make check-block failed altogether, with an error

message that "too few tests [were] run". I presume that's because one

worker process in the job pool did not get to flush its stdout before

the main process exited, and so meson did not get to see that worker's

test results. In any case, by flushing at the end of run_test(), the

problem has disappeared for me.

Signed-off-by: Hanna Reitz <hreitz@redhat.com>

Message-Id: <20220506134215.10086-1-hreitz@redhat.com>

Reviewed-by: Eric Blake <eblake@redhat.com>

tests/qemu-iotests/testrunner.py | 1 +

diff --git a/tests/qemu-iotests/testrunner.py b/tests/qemu-iotests/testrunner.py

--- a/tests/qemu-iotests/testrunner.py

+++ b/tests/qemu-iotests/testrunner.py

@@ -XXX,XX +XXX,XX @@ def run_test(self, test: str,

else:

print(res.casenotrun)

+ sys.stdout.flush()

return res

def run_tests(self, tests: List[str], jobs: int = 1) -> bool:

2.35.3

From: Daniel P. Berrangé <berrange@redhat.com>

When running I/O tests using TAP output mode, we get a single TAP test

with a sub-test reported for each I/O test that is run. The output looks

something like this:

1..123

ok qcow2 011

ok qcow2 012

ok qcow2 013

ok qcow2 217

...

If everything runs or fails normally this is fine, but periodically we

have been seeing the test harness abort early before all 123 tests have

been run, just leaving a fairly useless message like

TAP parsing error: Too few tests run (expected 123, got 107)

we have no idea which tests were running at the time the test harness

abruptly exited. This change causes us to print a message about our

intent to run each test, so we have a record of what is active at the

time the harness exits abnormally.

1..123

# running qcow2 011

ok qcow2 011

# running qcow2 012

ok qcow2 012

# running qcow2 013

ok qcow2 013

# running qcow2 217

ok qcow2 217

...

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Message-Id: <20220509124134.867431-2-berrange@redhat.com>

Reviewed-by: Thomas Huth <thuth@redhat.com>

tests/qemu-iotests/testrunner.py | 3 +++

1 file changed, 3 insertions(+)

diff --git a/tests/qemu-iotests/testrunner.py b/tests/qemu-iotests/testrunner.py

--- a/tests/qemu-iotests/testrunner.py

+++ b/tests/qemu-iotests/testrunner.py

@@ -XXX,XX +XXX,XX @@ def run_test(self, test: str,

starttime=start,

lasttime=last_el,

end = '\n' if mp else '\r')

+ else:

+ testname = os.path.basename(test)

+ print(f'# running {self.env.imgfmt} {testname}')

res = self.do_run_test(test, mp)

2.35.3

From: Daniel P. Berrangé <berrange@redhat.com>

When running 'make check' we only get a summary of progress on the

console. Fortunately meson/ninja have saved the raw test output to a

logfile. Exposing this log will make it easier to debug failures that

happen in CI.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Message-Id: <20220509124134.867431-3-berrange@redhat.com>

Reviewed-by: Thomas Huth <thuth@redhat.com>

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>

.gitlab-ci.d/buildtest-template.yml | 12 ++++++++++--

1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/.gitlab-ci.d/buildtest-template.yml b/.gitlab-ci.d/buildtest-template.yml

index XXXXXXX..XXXXXXX 100644

--- a/.gitlab-ci.d/buildtest-template.yml

+++ b/.gitlab-ci.d/buildtest-template.yml

make -j"$JOBS" $MAKE_CHECK_ARGS ;

fi

-.native_test_job_template:

+.common_test_job_template:

stage: test

image: $CI_REGISTRY_IMAGE/qemu/$IMAGE:latest

script:

@@ -XXX,XX +XXX,XX @@

# Avoid recompiling by hiding ninja with NINJA=":"

- make NINJA=":" $MAKE_CHECK_ARGS

+.native_test_job_template:

+ extends: .common_test_job_template

+ artifacts:

+ name: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG"

+ expire_in: 7 days

+ paths:

+ - build/meson-logs/testlog.txt

+

.avocado_test_job_template:

- extends: .native_test_job_template

+ extends: .common_test_job_template

cache:

key: "${CI_JOB_NAME}-cache"

paths:

2.35.3

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Per the 82078 datasheet, if the end-of-track (EOT byte in

the FIFO) is more than the number of sectors per side, the

command is terminated unsuccessfully:

* 5.2.5 DATA TRANSFER TERMINATION

The 82078 supports terminal count explicitly through

the TC pin and implicitly through the underrun/over-

run and end-of-track (EOT) functions. For full sector

transfers, the EOT parameter can define the last

sector to be transferred in a single or multisector

transfer. If the last sector to be transferred is a par-

tial sector, the host can stop transferring the data in

mid-sector, and the 82078 will continue to complete

the sector as if a hardware TC was received. The

only difference between these implicit functions and

TC is that they return "abnormal termination" result

status. Such status indications can be ignored if they

were expected.

* 6.1.3 READ TRACK

This command terminates when the EOT specified

number of sectors have been read. If the 82078

does not find an I D Address Mark on the diskette

after the second· occurrence of a pulse on the

INDX# pin, then it sets the IC code in Status Regis-

ter 0 to "01" (Abnormal termination), sets the MA bit

in Status Register 1 to "1", and terminates the com-

mand.

* 6.1.6 VERIFY

Refer to Table 6-6 and Table 6-7 for information

concerning the values of MT and EC versus SC and

EOT value.

* Table 6·6. Result Phase Table

* Table 6-7. Verify Command Result Phase Table

Fix by aborting the transfer when EOT > # Sectors Per Side.

Cc: qemu-stable@nongnu.org

Cc: Hervé Poussineau <hpoussin@reactos.org>

Fixes: baca51faff0 ("floppy driver: disk geometry auto detect")

Reported-by: Alexander Bulekov <alxndr@bu.edu>

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Message-Id: <20211118115733.4038610-2-philmd@redhat.com>

Reviewed-by: Hanna Reitz <hreitz@redhat.com>

hw/block/fdc.c | 8 ++++++++

1 file changed, 8 insertions(+)

diff --git a/hw/block/fdc.c b/hw/block/fdc.c

--- a/hw/block/fdc.c

+++ b/hw/block/fdc.c

@@ -XXX,XX +XXX,XX @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction)

int tmp;

fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]);

tmp = (fdctrl->fifo[6] - ks + 1);

+ if (tmp < 0) {

+ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp);

+ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00);

+ fdctrl->fifo[3] = kt;

+ fdctrl->fifo[4] = kh;

+ fdctrl->fifo[5] = ks;

if (fdctrl->fifo[0] & 0x80)

tmp += fdctrl->fifo[6];

fdctrl->data_len *= tmp;

2.35.3

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339

Without the previous commit, when running 'make check-qtest-i386'

with QEMU configured with '--enable-sanitizers' we get:

==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0

READ of size 786432 at 0x619000062a00 thread T0

#0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919)

#1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13

#2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14

#3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18

#4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16

#5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5

#6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5

#7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9

#8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13

#9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13

#10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13

#11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9

#12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17

0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00)

allocated by thread T0 here:

#0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec)

#1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11

#2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27

#3 0x5626d09fbaf0 in fdctrl_realize_common hw/block/fdc.c:2341:20

#4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5

#5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13

SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy

Shadow bytes around the buggy address:

0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

Shadow byte legend (one shadow byte represents 8 application bytes):

Addressable: 00

Heap left redzone: fa

Freed heap region: fd

==4028352==ABORTING

[ kwolf: Added snapshot=on to prevent write file lock failure ]

Reported-by: Alexander Bulekov <alxndr@bu.edu>

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>

Reviewed-by: Alexander Bulekov <alxndr@bu.edu>

tests/qtest/fdc-test.c | 21 +++++++++++++++++++++

1 file changed, 21 insertions(+)

diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c

--- a/tests/qtest/fdc-test.c

+++ b/tests/qtest/fdc-test.c

@@ -XXX,XX +XXX,XX @@ static void test_cve_2021_20196(void)

qtest_quit(s);

+static void test_cve_2021_3507(void)

+ QTestState *s;

+ s = qtest_initf("-nographic -m 32M -nodefaults "

+ "-drive file=%s,format=raw,if=floppy,snapshot=on",

+ test_image);

+ qtest_outl(s, 0x9, 0x0a0206);

+ qtest_outw(s, 0x3f4, 0x1600);

+ qtest_outw(s, 0x3f4, 0x0000);

+ qtest_outw(s, 0x3f4, 0x0000);

+ qtest_outw(s, 0x3f4, 0x0000);

+ qtest_outw(s, 0x3f4, 0x0200);

+ qtest_outw(s, 0x3f4, 0x0200);

+ qtest_outw(s, 0x3f4, 0x0000);

+ qtest_outw(s, 0x3f4, 0x0000);

+ qtest_outw(s, 0x3f4, 0x0000);

+ qtest_quit(s);

int main(int argc, char **argv)

{

int fd;

@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)

qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19);

qtest_add_func("/fdc/fuzz-registers", fuzz_registers);

qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196);

+ qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507);

ret = g_test_run();

2.35.3

From: Eric Blake <eblake@redhat.com>

The next patch wants to adjust whether the NBD server code advertises

MULTI_CONN based on whether it is known if the server limits to

exactly one client. For a server started by QMP, this information is

obtained through nbd_server_start (which can support more than one

export); but for qemu-nbd (which supports exactly one export), it is

controlled only by the command-line option -e/--shared. Since we

already have a hook function used by qemu-nbd, it's easiest to just

alter its signature to fit our needs.

Signed-off-by: Eric Blake <eblake@redhat.com>

Message-Id: <20220512004924.417153-2-eblake@redhat.com>

include/block/nbd.h | 2 +-

blockdev-nbd.c | 8 ++++----

qemu-nbd.c | 2 +-

3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/block/nbd.h b/include/block/nbd.h

--- a/include/block/nbd.h

+++ b/include/block/nbd.h

@@ -XXX,XX +XXX,XX @@ void nbd_client_new(QIOChannelSocket *sioc,

void nbd_client_get(NBDClient *client);

void nbd_client_put(NBDClient *client);

-void nbd_server_is_qemu_nbd(bool value);

+void nbd_server_is_qemu_nbd(int max_connections);

bool nbd_server_is_running(void);

void nbd_server_start(SocketAddress *addr, const char *tls_creds,

const char *tls_authz, uint32_t max_connections,

diff --git a/blockdev-nbd.c b/blockdev-nbd.c

index XXXXXXX..XXXXXXX 100644

--- a/blockdev-nbd.c

+++ b/blockdev-nbd.c

@@ -XXX,XX +XXX,XX @@ typedef struct NBDServerData {

} NBDServerData;

static NBDServerData *nbd_server;

-static bool is_qemu_nbd;

+static int qemu_nbd_connections = -1; /* Non-negative if this is qemu-nbd */

static void nbd_update_server_watch(NBDServerData *s);

-void nbd_server_is_qemu_nbd(bool value)

+void nbd_server_is_qemu_nbd(int max_connections)

{

- is_qemu_nbd = value;

+ qemu_nbd_connections = max_connections;

bool nbd_server_is_running(void)

- return nbd_server || is_qemu_nbd;

+ return nbd_server || qemu_nbd_connections >= 0;

static void nbd_blockdev_client_closed(NBDClient *client, bool ignored)

diff --git a/qemu-nbd.c b/qemu-nbd.c

index XXXXXXX..XXXXXXX 100644

--- a/qemu-nbd.c

+++ b/qemu-nbd.c

@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)

bs->detect_zeroes = detect_zeroes;

- nbd_server_is_qemu_nbd(true);

+ nbd_server_is_qemu_nbd(shared);

export_opts = g_new(BlockExportOptions, 1);

*export_opts = (BlockExportOptions) {

2.35.3

From: Eric Blake <eblake@redhat.com>

According to the NBD spec, a server that advertises

NBD_FLAG_CAN_MULTI_CONN promises that multiple client connections will

not see any cache inconsistencies: when properly separated by a single

flush, actions performed by one client will be visible to another

client, regardless of which client did the flush.

We always satisfy these conditions in qemu - even when we support

multiple clients, ALL clients go through a single point of reference

into the block layer, with no local caching. The effect of one client

is instantly visible to the next client. Even if our backend were a

network device, we argue that any multi-path caching effects that

would cause inconsistencies in back-to-back actions not seeing the

effect of previous actions would be a bug in that backend, and not the

fault of caching in qemu. As such, it is safe to unconditionally

advertise CAN_MULTI_CONN for any qemu NBD server situation that

supports parallel clients.

Note, however, that we don't want to advertise CAN_MULTI_CONN when we

know that a second client cannot connect (for historical reasons,

qemu-nbd defaults to a single connection while nbd-server-add and QMP

commands default to unlimited connections; but we already have

existing means to let either style of NBD server creation alter those

defaults). This is visible by no longer advertising MULTI_CONN for

'qemu-nbd -r' without -e, as in the iotest nbd-qemu-allocation.

The harder part of this patch is setting up an iotest to demonstrate

behavior of multiple NBD clients to a single server. It might be

possible with parallel qemu-io processes, but I found it easier to do

in python with the help of libnbd, and help from Nir and Vladimir in

writing the test.

Signed-off-by: Eric Blake <eblake@redhat.com>

Suggested-by: Nir Soffer <nsoffer@redhat.com>

Suggested-by: Vladimir Sementsov-Ogievskiy <v.sementsov-og@mail.ru>

Message-Id: <20220512004924.417153-3-eblake@redhat.com>

qapi/block-export.json | 8 +-

docs/interop/nbd.txt | 1 +

docs/tools/qemu-nbd.rst | 3 +-

include/block/nbd.h | 3 +-

blockdev-nbd.c | 5 +

nbd/server.c | 10 +-

MAINTAINERS | 1 +

tests/qemu-iotests/tests/nbd-multiconn | 145 ++++++++++++++++++

tests/qemu-iotests/tests/nbd-multiconn.out | 5 +

.../tests/nbd-qemu-allocation.out | 2 +-

10 files changed, 172 insertions(+), 11 deletions(-)

create mode 100755 tests/qemu-iotests/tests/nbd-multiconn

create mode 100644 tests/qemu-iotests/tests/nbd-multiconn.out

diff --git a/qapi/block-export.json b/qapi/block-export.json

index XXXXXXX..XXXXXXX 100644

--- a/qapi/block-export.json

+++ b/qapi/block-export.json

@@ -XXX,XX +XXX,XX @@

# recreated on the fly while the NBD server is active.

# If missing, it will default to denying access (since 4.0).

# @max-connections: The maximum number of connections to allow at the same

-# time, 0 for unlimited. (since 5.2; default: 0)

+# time, 0 for unlimited. Setting this to 1 also stops

+# the server from advertising multiple client support

+# (since 5.2; default: 0)

#

# Since: 4.2

##

@@ -XXX,XX +XXX,XX @@

# recreated on the fly while the NBD server is active.

# If missing, it will default to denying access (since 4.0).

# @max-connections: The maximum number of connections to allow at the same

-# time, 0 for unlimited. (since 5.2; default: 0)

+# time, 0 for unlimited. Setting this to 1 also stops

+# the server from advertising multiple client support

+# (since 5.2; default: 0).

#

# Returns: error if the server is already running.

#

diff --git a/docs/interop/nbd.txt b/docs/interop/nbd.txt

index XXXXXXX..XXXXXXX 100644

--- a/docs/interop/nbd.txt

+++ b/docs/interop/nbd.txt

@@ -XXX,XX +XXX,XX @@ NBD_CMD_BLOCK_STATUS for "qemu:dirty-bitmap:", NBD_CMD_CACHE

* 4.2: NBD_FLAG_CAN_MULTI_CONN for shareable read-only exports,

NBD_CMD_FLAG_FAST_ZERO

* 5.2: NBD_CMD_BLOCK_STATUS for "qemu:allocation-depth"

+* 7.1: NBD_FLAG_CAN_MULTI_CONN for shareable writable exports

diff --git a/docs/tools/qemu-nbd.rst b/docs/tools/qemu-nbd.rst

index XXXXXXX..XXXXXXX 100644

--- a/docs/tools/qemu-nbd.rst

+++ b/docs/tools/qemu-nbd.rst

@@ -XXX,XX +XXX,XX @@ driver options if :option:`--image-opts` is specified.

.. option:: -e, --shared=NUM

Allow up to *NUM* clients to share the device (default

- ``1``), 0 for unlimited. Safe for readers, but for now,

- consistency is not guaranteed between multiple writers.

+ ``1``), 0 for unlimited.

.. option:: -t, --persistent

diff --git a/include/block/nbd.h b/include/block/nbd.h

index XXXXXXX..XXXXXXX 100644

--- a/include/block/nbd.h

+++ b/include/block/nbd.h

@@ -XXX,XX +XXX,XX @@

/*

- * Copyright (C) 2016-2020 Red Hat, Inc.

+ * Copyright (C) 2016-2022 Red Hat, Inc.

* Copyright (C) 2005 Anthony Liguori <anthony@codemonkey.ws>

*

* Network Block Device

@@ -XXX,XX +XXX,XX @@ void nbd_client_put(NBDClient *client);

void nbd_server_is_qemu_nbd(int max_connections);

bool nbd_server_is_running(void);

+int nbd_server_max_connections(void);

void nbd_server_start(SocketAddress *addr, const char *tls_creds,

const char *tls_authz, uint32_t max_connections,

Error **errp);

diff --git a/blockdev-nbd.c b/blockdev-nbd.c

index XXXXXXX..XXXXXXX 100644

--- a/blockdev-nbd.c

+++ b/blockdev-nbd.c

@@ -XXX,XX +XXX,XX @@ bool nbd_server_is_running(void)

return nbd_server || qemu_nbd_connections >= 0;

}

+int nbd_server_max_connections(void)

+{

+ return nbd_server ? nbd_server->max_connections : qemu_nbd_connections;

+}

+

static void nbd_blockdev_client_closed(NBDClient *client, bool ignored)

nbd_client_put(client);

diff --git a/nbd/server.c b/nbd/server.c

index XXXXXXX..XXXXXXX 100644

--- a/nbd/server.c

+++ b/nbd/server.c

@@ -XXX,XX +XXX,XX @@

/*

- * Copyright (C) 2016-2021 Red Hat, Inc.

+ * Copyright (C) 2016-2022 Red Hat, Inc.

* Copyright (C) 2005 Anthony Liguori <anthony@codemonkey.ws>

*

* Network Block Device Server Side

@@ -XXX,XX +XXX,XX @@ static int nbd_export_create(BlockExport *blk_exp, BlockExportOptions *exp_args,

int64_t size;

uint64_t perm, shared_perm;

bool readonly = !exp_args->writable;

- bool shared = !exp_args->writable;

BlockDirtyBitmapOrStrList *bitmaps;

size_t i;

int ret;

@@ -XXX,XX +XXX,XX @@ static int nbd_export_create(BlockExport *blk_exp, BlockExportOptions *exp_args,

exp->description = g_strdup(arg->description);

exp->nbdflags = (NBD_FLAG_HAS_FLAGS | NBD_FLAG_SEND_FLUSH |

NBD_FLAG_SEND_FUA | NBD_FLAG_SEND_CACHE);

+

+ if (nbd_server_max_connections() != 1) {

+ exp->nbdflags |= NBD_FLAG_CAN_MULTI_CONN;

+ }

if (readonly) {

exp->nbdflags |= NBD_FLAG_READ_ONLY;

- if (shared) {

- exp->nbdflags |= NBD_FLAG_CAN_MULTI_CONN;

- }

} else {

exp->nbdflags |= (NBD_FLAG_SEND_TRIM | NBD_FLAG_SEND_WRITE_ZEROES |

NBD_FLAG_SEND_FAST_ZERO);

diff --git a/MAINTAINERS b/MAINTAINERS

index XXXXXXX..XXXXXXX 100644

--- a/MAINTAINERS

+++ b/MAINTAINERS

@@ -XXX,XX +XXX,XX @@ F: qemu-nbd.*

F: blockdev-nbd.c

F: docs/interop/nbd.txt

F: docs/tools/qemu-nbd.rst

+F: tests/qemu-iotests/tests/*nbd*

T: git https://repo.or.cz/qemu/ericb.git nbd

T: git https://src.openvz.org/scm/~vsementsov/qemu.git nbd

diff --git a/tests/qemu-iotests/tests/nbd-multiconn b/tests/qemu-iotests/tests/nbd-multiconn

new file mode 100755

index XXXXXXX..XXXXXXX

--- /dev/null

+++ b/tests/qemu-iotests/tests/nbd-multiconn

@@ -XXX,XX +XXX,XX @@

+#!/usr/bin/env python3

+# group: rw auto quick

+#

+# Test cases for NBD multi-conn advertisement

+#

+# Copyright (C) 2022 Red Hat, Inc.

+#

+# This program is free software; you can redistribute it and/or modify

+# it under the terms of the GNU General Public License as published by

+# the Free Software Foundation; either version 2 of the License, or

+# (at your option) any later version.

+#

+# This program is distributed in the hope that it will be useful,

+# but WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

+# GNU General Public License for more details.

+#

+# You should have received a copy of the GNU General Public License

+# along with this program. If not, see <http://www.gnu.org/licenses/>.

+

+import os

+from contextlib import contextmanager

+import iotests

+from iotests import qemu_img_create, qemu_io

+

+

+disk = os.path.join(iotests.test_dir, 'disk')

+size = '4M'

+nbd_sock = os.path.join(iotests.sock_dir, 'nbd_sock')

+nbd_uri = 'nbd+unix:///{}?socket=' + nbd_sock

+

+

+@contextmanager

+def open_nbd(export_name):

+ h = nbd.NBD()

+ try:

+ h.connect_uri(nbd_uri.format(export_name))

+ yield h

+ finally:

+ h.shutdown()

+

+class TestNbdMulticonn(iotests.QMPTestCase):

+ def setUp(self):

+ qemu_img_create('-f', iotests.imgfmt, disk, size)

+ qemu_io('-c', 'w -P 1 0 2M', '-c', 'w -P 2 2M 2M', disk)

+

+ self.vm = iotests.VM()

+ self.vm.launch()

+ result = self.vm.qmp('blockdev-add', {

+ 'driver': 'qcow2',

+ 'node-name': 'n',

+ 'file': {'driver': 'file', 'filename': disk}

+ })

+ self.assert_qmp(result, 'return', {})

+

+ def tearDown(self):

+ self.vm.shutdown()

+ os.remove(disk)

+ try:

+ os.remove(nbd_sock)

+ except OSError:

+ pass

+

+ @contextmanager

+ def run_server(self, max_connections=None):

+ args = {

+ 'addr': {

+ 'type': 'unix',

+ 'data': {'path': nbd_sock}

+ }

+ }

+ if max_connections is not None:

+ args['max-connections'] = max_connections

+

+ result = self.vm.qmp('nbd-server-start', args)

+ self.assert_qmp(result, 'return', {})

+ yield

+

+ result = self.vm.qmp('nbd-server-stop')

+ self.assert_qmp(result, 'return', {})

+

+ def add_export(self, name, writable=None):

+ args = {

+ 'type': 'nbd',

+ 'id': name,

+ 'node-name': 'n',

+ 'name': name,

+ }

+ if writable is not None:

+ args['writable'] = writable

+

+ result = self.vm.qmp('block-export-add', args)

+ self.assert_qmp(result, 'return', {})

+

+ def test_default_settings(self):

+ with self.run_server():

+ self.add_export('r')

+ self.add_export('w', writable=True)

+ with open_nbd('r') as h:

+ self.assertTrue(h.can_multi_conn())

+ with open_nbd('w') as h:

+ self.assertTrue(h.can_multi_conn())

+

+ def test_limited_connections(self):

+ with self.run_server(max_connections=1):

+ self.add_export('r')

+ self.add_export('w', writable=True)

+ with open_nbd('r') as h:

+ self.assertFalse(h.can_multi_conn())

+ with open_nbd('w') as h:

+ self.assertFalse(h.can_multi_conn())

+

+ def test_parallel_writes(self):

+ with self.run_server():

+ self.add_export('w', writable=True)

+

+ clients = [nbd.NBD() for _ in range(3)]

+ for c in clients:

+ c.connect_uri(nbd_uri.format('w'))

+ self.assertTrue(c.can_multi_conn())

+

+ initial_data = clients[0].pread(1024 * 1024, 0)

+ self.assertEqual(initial_data, b'\x01' * 1024 * 1024)

+

+ updated_data = b'\x03' * 1024 * 1024

+ clients[1].pwrite(updated_data, 0)

+ clients[2].flush()

+ current_data = clients[0].pread(1024 * 1024, 0)

+

+ self.assertEqual(updated_data, current_data)

+

+ for i in range(3):

+ clients[i].shutdown()

+

+

+if __name__ == '__main__':

+ try:

+ # Easier to use libnbd than to try and set up parallel

+ # 'qemu-nbd --list' or 'qemu-io' processes, but not all systems

+ # have libnbd installed.

+ import nbd # type: ignore

+

+ iotests.main(supported_fmts=['qcow2'])

+ except ImportError:

+ iotests.notrun('libnbd not installed')

diff --git a/tests/qemu-iotests/tests/nbd-multiconn.out b/tests/qemu-iotests/tests/nbd-multiconn.out

new file mode 100644

index XXXXXXX..XXXXXXX

--- /dev/null

+++ b/tests/qemu-iotests/tests/nbd-multiconn.out

@@ -XXX,XX +XXX,XX @@

+...

+----------------------------------------------------------------------

+Ran 3 tests

+

+OK

diff --git a/tests/qemu-iotests/tests/nbd-qemu-allocation.out b/tests/qemu-iotests/tests/nbd-qemu-allocation.out

index XXXXXXX..XXXXXXX 100644