From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763845728138821.5921929862175; Sat, 22 Nov 2025 13:08:48 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMumY-0007zv-8K; Sat, 22 Nov 2025 16:04:35 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMumU-0007zJ-LN; Sat, 22 Nov 2025 16:04:30 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMumK-00063o-QF; Sat, 22 Nov 2025 16:04:27 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id C4A8C16D2FB; Sun, 23 Nov 2025 00:03:33 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 7B1A13223CF; Sun, 23 Nov 2025 00:03:44 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Mathias Krause , Paolo Bonzini , Michael Tokarev Subject: [Stable-7.2.22 01/25] target/i386: Fix CR2 handling for non-canonical addresses Date: Sat, 22 Nov 2025 23:55:19 +0300 Message-ID: <20251122210344.48374-1-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763845740200018900 Content-Type: text/plain; charset="utf-8" From: Mathias Krause Commit 3563362ddfae ("target/i386: Introduce structures for mmu_translate") accidentally modified CR2 for non-canonical address exceptions while these should lead to a #GP / #SS instead -- without changing CR2. Fix that. A KUT test for this was submitted as [1]. [1] https://lore.kernel.org/kvm/20250612141637.131314-1-minipli@grsecurity.= net/ Fixes: 3563362ddfae ("target/i386: Introduce structures for mmu_translate") Signed-off-by: Mathias Krause Link: https://lore.kernel.org/r/20250612142155.132175-1-minipli@grsecurity.= net Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit df9a3372ddebfcfc135861fa2d53cef6f98065f9) Signed-off-by: Michael Tokarev diff --git a/target/i386/tcg/sysemu/excp_helper.c b/target/i386/tcg/sysemu/= excp_helper.c index 9e9e02e1ad..436d65d742 100644 --- a/target/i386/tcg/sysemu/excp_helper.c +++ b/target/i386/tcg/sysemu/excp_helper.c @@ -582,7 +582,8 @@ static bool get_physical_address(CPUX86State *env, vadd= r addr, if (sext !=3D 0 && sext !=3D -1) { *err =3D (TranslateFault){ .exception_index =3D EXCP0D_GPF, - .cr2 =3D addr, + /* non-canonical #GP doesn't change CR2 */ + .cr2 =3D env->cr[2], }; return false; } --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763845795543814.5875571736295; Sat, 22 Nov 2025 13:09:55 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMun6-00087I-QD; Sat, 22 Nov 2025 16:05:10 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMun1-00083M-6Y; Sat, 22 Nov 2025 16:05:03 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMumr-0006E3-IX; Sat, 22 Nov 2025 16:04:59 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id DB9D116D2FC; Sun, 23 Nov 2025 00:03:33 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 8FB633223D0; Sun, 23 Nov 2025 00:03:44 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Paolo Bonzini , YiFei Zhu , Michael Tokarev Subject: [Stable-7.2.22 02/25] i386/cpu: Prevent delivering SIPI during SMM in TCG mode Date: Sat, 22 Nov 2025 23:55:20 +0300 Message-ID: <20251122210344.48374-2-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763845796186018900 Content-Type: text/plain; charset="utf-8" From: Paolo Bonzini [commit message by YiFei Zhu] A malicious kernel may control the instruction pointer in SMM in a multi-processor VM by sending a sequence of IPIs via APIC: CPU0 CPU1 IPI(CPU1, MODE_INIT) x86_cpu_exec_reset() apic_init_reset() s->wait_for_sipi =3D true IPI(CPU1, MODE_SMI) do_smm_enter() env->hflags |=3D HF_SMM_MASK; IPI(CPU1, MODE_STARTUP, vector) do_cpu_sipi() apic_sipi() /* s->wait_for_sipi check passes */ cpu_x86_load_seg_cache_sipi(vector) A different sequence, SMI INIT SIPI, is also buggy in TCG because INIT is not blocked or latched during SMM. However, it is not vulnerable to an instruction pointer control in the same way because x86_cpu_exec_reset clears env->hflags, exiting SMM. Fixes: a9bad65d2c1f ("target-i386: wake up processors that receive an SMI") Analyzed-by: YiFei Zhu Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit df32e5c568c9cf68c15a9bbd98d0c3aff19eab63) Signed-off-by: Michael Tokarev diff --git a/hw/intc/apic.c b/hw/intc/apic.c index a7c2b301a8..315bef8f43 100644 --- a/hw/intc/apic.c +++ b/hw/intc/apic.c @@ -499,8 +499,6 @@ void apic_sipi(DeviceState *dev) { APICCommonState *s =3D APIC(dev); =20 - cpu_reset_interrupt(CPU(s->cpu), CPU_INTERRUPT_SIPI); - if (!s->wait_for_sipi) return; cpu_x86_load_seg_cache_sipi(s->cpu, s->sipi_vector); diff --git a/target/i386/helper.c b/target/i386/helper.c index 290d9d309c..723f50279a 100644 --- a/target/i386/helper.c +++ b/target/i386/helper.c @@ -602,6 +602,10 @@ void do_cpu_init(X86CPU *cpu) =20 void do_cpu_sipi(X86CPU *cpu) { + CPUX86State *env =3D &cpu->env; + if (env->hflags & HF_SMM_MASK) { + return; + } apic_sipi(cpu->apic_state); } #else diff --git a/target/i386/tcg/sysemu/seg_helper.c b/target/i386/tcg/sysemu/s= eg_helper.c index 2c9bd007ad..8294a668d6 100644 --- a/target/i386/tcg/sysemu/seg_helper.c +++ b/target/i386/tcg/sysemu/seg_helper.c @@ -146,6 +146,7 @@ bool x86_cpu_exec_interrupt(CPUState *cs, int interrupt= _request) apic_poll_irq(cpu->apic_state); break; case CPU_INTERRUPT_SIPI: + cpu_reset_interrupt(cs, CPU_INTERRUPT_SIPI); do_cpu_sipi(cpu); break; case CPU_INTERRUPT_SMI: --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 176384574582538.72456917205602; Sat, 22 Nov 2025 13:09:05 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMunC-00088k-Jx; Sat, 22 Nov 2025 16:05:15 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMun1-00083P-Po; Sat, 22 Nov 2025 16:05:04 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMums-0006E9-6Z; Sat, 22 Nov 2025 16:05:00 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 021AE16D2FD; Sun, 23 Nov 2025 00:03:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id A62E13223D1; Sun, 23 Nov 2025 00:03:44 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, YiFei Zhu , unvariant.winter@gmail.com, Paolo Bonzini , Michael Tokarev Subject: [Stable-7.2.22 03/25] i386/tcg/smm_helper: Properly apply DR values on SMM entry / exit Date: Sat, 22 Nov 2025 23:55:21 +0300 Message-ID: <20251122210344.48374-3-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763845751252018900 Content-Type: text/plain; charset="utf-8" From: YiFei Zhu do_smm_enter and helper_rsm sets the env->dr, but does not sync the values with cpu_x86_update_dr7. A malicious kernel may control the instruction pointer in SMM by setting a breakpoint on the SMI entry point, and after do_smm_enter cpu->breakpoints contains the stale breakpoint; and because IDT is not reloaded upon SMI entry, the debug exception handler controlled by the malicious kernel is invoked. Fixes: 01df040b5247 ("x86: Debug register emulation (Jan Kiszka)") Reported-by: unvariant.winter@gmail.com Signed-off-by: YiFei Zhu Link: https://lore.kernel.org/r/2bacb9b24e9d337dbe48791aa25d349eb9c52c3a.17= 58794468.git.zhuyifei@google.com Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit cdba90ac1b0ac789b10c0b5f6ef7e9558237ec66) Signed-off-by: Michael Tokarev diff --git a/target/i386/tcg/sysemu/smm_helper.c b/target/i386/tcg/sysemu/s= mm_helper.c index a45b5651c3..f3d0bbb8c3 100644 --- a/target/i386/tcg/sysemu/smm_helper.c +++ b/target/i386/tcg/sysemu/smm_helper.c @@ -168,7 +168,7 @@ void do_smm_enter(X86CPU *cpu) env->cr[0] & ~(CR0_PE_MASK | CR0_EM_MASK | CR0_TS_M= ASK | CR0_PG_MASK)); cpu_x86_update_cr4(env, 0); - env->dr[7] =3D 0x00000400; + helper_set_dr(env, 7, 0x00000400); =20 cpu_x86_load_seg_cache(env, R_CS, (env->smbase >> 4) & 0xffff, env->sm= base, 0xffffffff, @@ -233,8 +233,8 @@ void helper_rsm(CPUX86State *env) env->eip =3D x86_ldq_phys(cs, sm_state + 0x7f78); cpu_load_eflags(env, x86_ldl_phys(cs, sm_state + 0x7f70), ~(CC_O | CC_S | CC_Z | CC_A | CC_P | CC_C | DF_MASK)); - env->dr[6] =3D x86_ldl_phys(cs, sm_state + 0x7f68); - env->dr[7] =3D x86_ldl_phys(cs, sm_state + 0x7f60); + helper_set_dr(env, 6, x86_ldl_phys(cs, sm_state + 0x7f68)); + helper_set_dr(env, 7, x86_ldl_phys(cs, sm_state + 0x7f60)); =20 cpu_x86_update_cr4(env, x86_ldl_phys(cs, sm_state + 0x7f48)); cpu_x86_update_cr3(env, x86_ldq_phys(cs, sm_state + 0x7f50)); @@ -268,8 +268,8 @@ void helper_rsm(CPUX86State *env) env->regs[R_EDX] =3D x86_ldl_phys(cs, sm_state + 0x7fd8); env->regs[R_ECX] =3D x86_ldl_phys(cs, sm_state + 0x7fd4); env->regs[R_EAX] =3D x86_ldl_phys(cs, sm_state + 0x7fd0); - env->dr[6] =3D x86_ldl_phys(cs, sm_state + 0x7fcc); - env->dr[7] =3D x86_ldl_phys(cs, sm_state + 0x7fc8); + helper_set_dr(env, 6, x86_ldl_phys(cs, sm_state + 0x7fcc)); + helper_set_dr(env, 7, x86_ldl_phys(cs, sm_state + 0x7fc8)); =20 env->tr.selector =3D x86_ldl_phys(cs, sm_state + 0x7fc4) & 0xffff; env->tr.base =3D x86_ldl_phys(cs, sm_state + 0x7f64); --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763845922617596.6520635106193; Sat, 22 Nov 2025 13:12:02 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMunm-0008Eo-Sa; Sat, 22 Nov 2025 16:05:51 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMunZ-0008BJ-Pl; Sat, 22 Nov 2025 16:05:37 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMunP-0006Jb-4G; Sat, 22 Nov 2025 16:05:34 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 15DCA16D2FE; Sun, 23 Nov 2025 00:03:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id C2D0A3223D2; Sun, 23 Nov 2025 00:03:44 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Paolo Bonzini , Michael Tokarev Subject: [Stable-7.2.22 04/25] async: access bottom half flags with qatomic_read Date: Sat, 22 Nov 2025 23:55:22 +0300 Message-ID: <20251122210344.48374-4-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763845924764018900 Content-Type: text/plain; charset="utf-8" From: Paolo Bonzini Running test-aio-multithread under TSAN reveals data races on bh->flags. Because bottom halves may be scheduled or canceled asynchronously, without taking a lock, adjust aio_compute_bh_timeout() and aio_ctx_check() to use a relaxed read to access the flags. Use an acquire load to ensure that anything that was written prior to qemu_bh_schedule() is visible. Closes: https://gitlab.com/qemu-project/qemu/-/issues/2749 Closes: https://gitlab.com/qemu-project/qemu/-/issues/851 Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit 5142397c79330aab9bef3230991c8ac0c251110f) Signed-off-by: Michael Tokarev diff --git a/util/async.c b/util/async.c index 0cc3037e0c..01961898be 100644 --- a/util/async.c +++ b/util/async.c @@ -247,8 +247,9 @@ static int64_t aio_compute_bh_timeout(BHList *head, int= timeout) QEMUBH *bh; =20 QSLIST_FOREACH_RCU(bh, head, next) { - if ((bh->flags & (BH_SCHEDULED | BH_DELETED)) =3D=3D BH_SCHEDULED)= { - if (bh->flags & BH_IDLE) { + int flags =3D qatomic_load_acquire(&bh->flags); + if ((flags & (BH_SCHEDULED | BH_DELETED)) =3D=3D BH_SCHEDULED) { + if (flags & BH_IDLE) { /* idle bottom halves will be polled at least * every 10ms */ timeout =3D 10000000; @@ -326,14 +327,16 @@ aio_ctx_check(GSource *source) aio_notify_accept(ctx); =20 QSLIST_FOREACH_RCU(bh, &ctx->bh_list, next) { - if ((bh->flags & (BH_SCHEDULED | BH_DELETED)) =3D=3D BH_SCHEDULED)= { + int flags =3D qatomic_load_acquire(&bh->flags); + if ((flags & (BH_SCHEDULED | BH_DELETED)) =3D=3D BH_SCHEDULED) { return true; } } =20 QSIMPLEQ_FOREACH(s, &ctx->bh_slice_list, next) { QSLIST_FOREACH_RCU(bh, &s->bh_list, next) { - if ((bh->flags & (BH_SCHEDULED | BH_DELETED)) =3D=3D BH_SCHEDU= LED) { + int flags =3D qatomic_load_acquire(&bh->flags); + if ((flags & (BH_SCHEDULED | BH_DELETED)) =3D=3D BH_SCHEDULED)= { return true; } } --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 17638458187107.318171185496908; Sat, 22 Nov 2025 13:10:18 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMung-0008Bn-ES; Sat, 22 Nov 2025 16:05:45 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMunZ-0008BI-Ix; Sat, 22 Nov 2025 16:05:37 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMunP-0006Jp-H5; Sat, 22 Nov 2025 16:05:34 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 30BDE16D2FF; Sun, 23 Nov 2025 00:03:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id D45583223D3; Sun, 23 Nov 2025 00:03:44 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Paolo Bonzini , Michael Tokarev Subject: [Stable-7.2.22 05/25] target/i386: user: do not set up a valid LDT on reset Date: Sat, 22 Nov 2025 23:55:23 +0300 Message-ID: <20251122210344.48374-5-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763845820164018900 Content-Type: text/plain; charset="utf-8" From: Paolo Bonzini In user-mode emulation, QEMU uses the default setting of the LDT base and limit, which places it at the bottom 64K of virtual address space. However, by default there is no LDT at all in Linux processes, and therefore the limit should be 0. This is visible as a NULL pointer dereference in LSL and LAR instructions when they try to read the LDT at an unmapped address. Resolves: #1376 Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini (cherry picked from commit 58aa1d08bbc406ba3982f32ffb1bef0ff4f8f369) Signed-off-by: Michael Tokarev diff --git a/target/i386/cpu.c b/target/i386/cpu.c index 489ab9cd41..682d71be88 100644 --- a/target/i386/cpu.c +++ b/target/i386/cpu.c @@ -5906,7 +5906,11 @@ static void x86_cpu_reset(DeviceState *dev) =20 env->idt.limit =3D 0xffff; env->gdt.limit =3D 0xffff; +#if defined(CONFIG_USER_ONLY) + env->ldt.limit =3D 0; +#else env->ldt.limit =3D 0xffff; +#endif env->ldt.flags =3D DESC_P_MASK | (2 << DESC_TYPE_SHIFT); env->tr.limit =3D 0xffff; env->tr.flags =3D DESC_P_MASK | (11 << DESC_TYPE_SHIFT); --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763845844457400.564581211799; Sat, 22 Nov 2025 13:10:44 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMuoB-0008Oi-IX; Sat, 22 Nov 2025 16:06:16 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuo5-0008Kg-K9; Sat, 22 Nov 2025 16:06:09 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMunx-0006be-1f; Sat, 22 Nov 2025 16:06:06 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 4704816D300; Sun, 23 Nov 2025 00:03:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id EF5B53223D4; Sun, 23 Nov 2025 00:03:44 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Bastian Blank , Bastian Blank , Peter Maydell , Helge Deller , Michael Tokarev Subject: [Stable-7.2.22 06/25] linux-user: Use correct type for FIBMAP and FIGETBSZ emulation Date: Sat, 22 Nov 2025 23:55:24 +0300 Message-ID: <20251122210344.48374-6-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763845847074018900 Content-Type: text/plain; charset="utf-8" From: Bastian Blank Both the FIBMAP and FIGETBSZ ioctl get "int *" (pointer to 32bit integer) as argument, not "long *" as specified in qemu. Using the correct type makes the emulation work in cross endian context. Both ioctl does not seem to be documented. However the kernel implementation has always used "int *". Signed-off-by: Bastian Blank Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3185 Reviewed-by: Peter Maydell Reviewed-by: Helge Deller Reviwed-by: Michael Tokarev Signed-off-by: Michael Tokarev (cherry picked from commit 7c7089321670fb51022a1c4493cbcc69aa288a0f) Signed-off-by: Michael Tokarev diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h index 071f7ca253..261cef1e75 100644 --- a/linux-user/ioctls.h +++ b/linux-user/ioctls.h @@ -129,13 +129,13 @@ IOCTL(FDTWADDLE, 0, TYPE_NULL) IOCTL(FDEJECT, 0, TYPE_NULL) =20 - IOCTL(FIBMAP, IOC_W | IOC_R, MK_PTR(TYPE_LONG)) + IOCTL(FIBMAP, IOC_W | IOC_R, MK_PTR(TYPE_INT)) #ifdef FICLONE IOCTL(FICLONE, IOC_W, TYPE_INT) IOCTL(FICLONERANGE, IOC_W, MK_PTR(MK_STRUCT(STRUCT_file_clone_range))) #endif =20 - IOCTL(FIGETBSZ, IOC_R, MK_PTR(TYPE_LONG)) + IOCTL(FIGETBSZ, IOC_R, MK_PTR(TYPE_INT)) #ifdef CONFIG_FIEMAP IOCTL_SPECIAL(FS_IOC_FIEMAP, IOC_W | IOC_R, do_ioctl_fs_ioc_fiemap, MK_PTR(MK_STRUCT(STRUCT_fiemap))) --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 176384579565262.39771489346731; Sat, 22 Nov 2025 13:09:55 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMuoE-0008Qz-QU; Sat, 22 Nov 2025 16:06:19 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuo8-0008Nv-8h; Sat, 22 Nov 2025 16:06:14 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMunx-0006bi-8z; Sat, 22 Nov 2025 16:06:07 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 5B33E16D301; Sun, 23 Nov 2025 00:03:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 126183223D5; Sun, 23 Nov 2025 00:03:45 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , Michael Tokarev , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Richard Henderson Subject: [Stable-7.2.22 07/25] linux-user: permit sendto() with NULL buf and 0 len Date: Sat, 22 Nov 2025 23:55:25 +0300 Message-ID: <20251122210344.48374-7-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763845800191018900 From: Peter Maydell If you pass sendto() a NULL buffer, this is usually an error (causing an EFAULT return); however if you pass a 0 length then we should not try to validate the buffer provided. Instead we skip the copying of the user data and possible processing through fd_trans_target_to_host_data, and call the host syscall with NULL, 0. (unlock_user() permits a NULL buffer pointer for "do nothing" so we don't need to special case the unlock code.) Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3102 Signed-off-by: Peter Maydell Reviewed-by: Michael Tokarev Reviewed-by: Philippe Mathieu-Daud=C3=A9 Signed-off-by: Richard Henderson Message-ID: <20251028142001.3011630-1-peter.maydell@linaro.org> (cherry picked from commit 0db2de22fcbf90adafab9d9dd1fc8203c66bfa75) Signed-off-by: Michael Tokarev diff --git a/linux-user/syscall.c b/linux-user/syscall.c index 737065c28c..93b66bd2d7 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -3529,7 +3529,7 @@ static abi_long do_sendto(int fd, abi_ulong msg, size= _t len, int flags, abi_ulong target_addr, socklen_t addrlen) { void *addr; - void *host_msg; + void *host_msg =3D NULL; void *copy_msg =3D NULL; abi_long ret; =20 @@ -3537,16 +3537,19 @@ static abi_long do_sendto(int fd, abi_ulong msg, si= ze_t len, int flags, return -TARGET_EINVAL; } =20 - host_msg =3D lock_user(VERIFY_READ, msg, len, 1); - if (!host_msg) - return -TARGET_EFAULT; - if (fd_trans_target_to_host_data(fd)) { - copy_msg =3D host_msg; - host_msg =3D g_malloc(len); - memcpy(host_msg, copy_msg, len); - ret =3D fd_trans_target_to_host_data(fd)(host_msg, len); - if (ret < 0) { - goto fail; + if (len !=3D 0) { + host_msg =3D lock_user(VERIFY_READ, msg, len, 1); + if (!host_msg) { + return -TARGET_EFAULT; + } + if (fd_trans_target_to_host_data(fd)) { + copy_msg =3D host_msg; + host_msg =3D g_malloc(len); + memcpy(host_msg, copy_msg, len); + ret =3D fd_trans_target_to_host_data(fd)(host_msg, len); + if (ret < 0) { + goto fail; + } } } if (target_addr) { --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763846219791871.566018363765; Sat, 22 Nov 2025 13:16:59 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMuoh-0008Vp-GA; Sat, 22 Nov 2025 16:06:48 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuoe-0008VH-9P; Sat, 22 Nov 2025 16:06:44 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuoV-0006hD-Jz; Sat, 22 Nov 2025 16:06:40 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 6C40816D302; Sun, 23 Nov 2025 00:03:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 24E9B3223D6; Sun, 23 Nov 2025 00:03:45 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-7.2.22 08/25] io: add trace event when cancelling TLS handshake Date: Sat, 22 Nov 2025 23:55:26 +0300 Message-ID: <20251122210344.48374-8-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846221671018900 From: Daniel P. Berrang=C3=A9 Reviewed-by: Philippe Mathieu-Daud=C3=A9 Signed-off-by: Daniel P. Berrang=C3=A9 (cherry picked from commit 003f15369de4e290a4d2e58292d96c5a506e4ee6) (Mjt: pick this commit up so that the next changes applies (more) cleanly) Signed-off-by: Michael Tokarev diff --git a/io/channel-tls.c b/io/channel-tls.c index a91efb57f3..686271acf7 100644 --- a/io/channel-tls.c +++ b/io/channel-tls.c @@ -380,6 +380,7 @@ static int qio_channel_tls_close(QIOChannel *ioc, QIOChannelTLS *tioc =3D QIO_CHANNEL_TLS(ioc); =20 if (tioc->hs_ioc_tag) { + trace_qio_channel_tls_handshake_cancel(ioc); g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove); } =20 diff --git a/io/trace-events b/io/trace-events index 3cc5cf1efd..d4c0f84a9a 100644 --- a/io/trace-events +++ b/io/trace-events @@ -43,6 +43,7 @@ qio_channel_tls_handshake_start(void *ioc) "TLS handshake= start ioc=3D%p" qio_channel_tls_handshake_pending(void *ioc, int status) "TLS handshake pe= nding ioc=3D%p status=3D%d" qio_channel_tls_handshake_fail(void *ioc) "TLS handshake fail ioc=3D%p" qio_channel_tls_handshake_complete(void *ioc) "TLS handshake complete ioc= =3D%p" +qio_channel_tls_handshake_cancel(void *ioc) "TLS handshake cancel ioc=3D%p" qio_channel_tls_credentials_allow(void *ioc) "TLS credentials allow ioc=3D= %p" qio_channel_tls_credentials_deny(void *ioc) "TLS credentials deny ioc=3D%p" =20 --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763845963375650.9206322650892; Sat, 22 Nov 2025 13:12:43 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMuoq-00006D-Hr; Sat, 22 Nov 2025 16:06:57 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuog-0008Vq-Hc; Sat, 22 Nov 2025 16:06:46 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuoW-0006hW-KI; Sat, 22 Nov 2025 16:06:43 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 87CA716D303; Sun, 23 Nov 2025 00:03:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 35E993223D7; Sun, 23 Nov 2025 00:03:45 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Eric Blake , Michael Tokarev Subject: [Stable-7.2.22 09/25] io: release active GSource in TLS channel finalizer Date: Sat, 22 Nov 2025 23:55:27 +0300 Message-ID: <20251122210344.48374-9-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763845964653018900 From: Daniel P. Berrang=C3=A9 While code is supposed to call qio_channel_close() before releasing the last reference on an QIOChannel, this is not guaranteed. QIOChannelFile and QIOChannelSocket both cleanup resources in their finalizer if the close operation was missed. This ensures the TLS channel will do the same failsafe cleanup. Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrang=C3=A9 (cherry picked from commit 2c147611cf568eb1cd7dc8bf4479b272bad3b9d6) (Mjt: remove releasing of ioc->bye_ioc_tag due to missing in 7.2.x v9.2.0-1773-g30ee88622edf "io: tls: Add qio_channel_tls_bye") Signed-off-by: Michael Tokarev diff --git a/io/channel-tls.c b/io/channel-tls.c index 686271acf7..3b3934db72 100644 --- a/io/channel-tls.c +++ b/io/channel-tls.c @@ -255,6 +255,11 @@ static void qio_channel_tls_finalize(Object *obj) { QIOChannelTLS *ioc =3D QIO_CHANNEL_TLS(obj); =20 + if (ioc->hs_ioc_tag) { + trace_qio_channel_tls_handshake_cancel(ioc); + g_clear_handle_id(&ioc->hs_ioc_tag, g_source_remove); + } + object_unref(OBJECT(ioc->master)); qcrypto_tls_session_free(ioc->session); } --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 176384589906365.66252138384823; Sat, 22 Nov 2025 13:11:39 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMupL-0000H4-Mb; Sat, 22 Nov 2025 16:07:28 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMupD-0000FY-VE; Sat, 22 Nov 2025 16:07:20 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMup1-0006ox-O6; Sat, 22 Nov 2025 16:07:13 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 9B5DE16D304; Sun, 23 Nov 2025 00:03:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 538A43223D8; Sun, 23 Nov 2025 00:03:45 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Eric Blake , Michael Tokarev Subject: [Stable-7.2.22 10/25] io: move websock resource release to close method Date: Sat, 22 Nov 2025 23:55:28 +0300 Message-ID: <20251122210344.48374-10-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763845900426018900 From: Daniel P. Berrang=C3=A9 The QIOChannelWebsock object releases all its resources in the finalize callback. This is later than desired, as callers expect to be able to call qio_channel_close() to fully close a channel and release resources related to I/O. The logic in the finalize method is at most a failsafe to handle cases where a consumer forgets to call qio_channel_close. This adds equivalent logic to the close method to release the resources, using g_clear_handle_id/g_clear_pointer to be robust against repeated invocations. The finalize method is tweaked so that the GSource is removed before releasing the underlying channel. Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrang=C3=A9 (cherry picked from commit 322c3c4f3abee616a18b3bfe563ec29dd67eae63) Signed-off-by: Michael Tokarev diff --git a/io/channel-websock.c b/io/channel-websock.c index fb4932ade7..205df0b25a 100644 --- a/io/channel-websock.c +++ b/io/channel-websock.c @@ -921,13 +921,13 @@ static void qio_channel_websock_finalize(Object *obj) buffer_free(&ioc->encinput); buffer_free(&ioc->encoutput); buffer_free(&ioc->rawinput); - object_unref(OBJECT(ioc->master)); if (ioc->io_tag) { g_source_remove(ioc->io_tag); } if (ioc->io_err) { error_free(ioc->io_err); } + object_unref(OBJECT(ioc->master)); } =20 =20 @@ -1217,6 +1217,15 @@ static int qio_channel_websock_close(QIOChannel *ioc, QIOChannelWebsock *wioc =3D QIO_CHANNEL_WEBSOCK(ioc); =20 trace_qio_channel_websock_close(ioc); + buffer_free(&wioc->encinput); + buffer_free(&wioc->encoutput); + buffer_free(&wioc->rawinput); + if (wioc->io_tag) { + g_clear_handle_id(&wioc->io_tag, g_source_remove); + } + if (wioc->io_err) { + g_clear_pointer(&wioc->io_err, error_free); + } return qio_channel_close(wioc->master, errp); } =20 --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763845927360897.8018518926023; Sat, 22 Nov 2025 13:12:07 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMupT-0000IU-1N; Sat, 22 Nov 2025 16:07:36 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMupD-0000Fh-LA; Sat, 22 Nov 2025 16:07:20 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMup4-0006pN-SJ; Sat, 22 Nov 2025 16:07:16 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id AE12716D305; Sun, 23 Nov 2025 00:03:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 651403223D9; Sun, 23 Nov 2025 00:03:45 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Grant Millar | Cylo , Eric Blake , Michael Tokarev Subject: [Stable-7.2.22 11/25] io: fix use after free in websocket handshake code Date: Sat, 22 Nov 2025 23:55:29 +0300 Message-ID: <20251122210344.48374-11-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763845928668018900 From: Daniel P. Berrang=C3=A9 If the QIOChannelWebsock object is freed while it is waiting to complete a handshake, a GSource is leaked. This can lead to the callback firing later on and triggering a use-after-free in the use of the channel. This was observed in the VNC server with the following trace from valgrind: =3D=3D2523108=3D=3D Invalid read of size 4 =3D=3D2523108=3D=3D at 0x4054A24: vnc_disconnect_start (vnc.c:1296) =3D=3D2523108=3D=3D by 0x4054A24: vnc_client_error (vnc.c:1392) =3D=3D2523108=3D=3D by 0x4068A09: vncws_handshake_done (vnc-ws.c:105) =3D=3D2523108=3D=3D by 0x44863B4: qio_task_complete (task.c:197) =3D=3D2523108=3D=3D by 0x448343D: qio_channel_websock_handshake_io (chan= nel-websock.c:588) =3D=3D2523108=3D=3D by 0x6EDB862: UnknownInlinedFun (gmain.c:3398) =3D=3D2523108=3D=3D by 0x6EDB862: g_main_context_dispatch_unlocked.lto_p= riv.0 (gmain.c:4249) =3D=3D2523108=3D=3D by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237) =3D=3D2523108=3D=3D by 0x45EC79F: glib_pollfds_poll (main-loop.c:287) =3D=3D2523108=3D=3D by 0x45EC79F: os_host_main_loop_wait (main-loop.c:31= 0) =3D=3D2523108=3D=3D by 0x45EC79F: main_loop_wait (main-loop.c:589) =3D=3D2523108=3D=3D by 0x423A56D: qemu_main_loop (runstate.c:835) =3D=3D2523108=3D=3D by 0x454F300: qemu_default_main (main.c:37) =3D=3D2523108=3D=3D by 0x73D6574: (below main) (libc_start_call_main.h:5= 8) =3D=3D2523108=3D=3D Address 0x57a6e0dc is 28 bytes inside a block of size = 103,608 free'd =3D=3D2523108=3D=3D at 0x5F2FE43: free (vg_replace_malloc.c:989) =3D=3D2523108=3D=3D by 0x6EDC444: g_free (gmem.c:208) =3D=3D2523108=3D=3D by 0x4053F23: vnc_update_client (vnc.c:1153) =3D=3D2523108=3D=3D by 0x4053F23: vnc_refresh (vnc.c:3225) =3D=3D2523108=3D=3D by 0x4042881: dpy_refresh (console.c:880) =3D=3D2523108=3D=3D by 0x4042881: gui_update (console.c:90) =3D=3D2523108=3D=3D by 0x45EFA1B: timerlist_run_timers.part.0 (qemu-time= r.c:562) =3D=3D2523108=3D=3D by 0x45EFC8F: timerlist_run_timers (qemu-timer.c:495) =3D=3D2523108=3D=3D by 0x45EFC8F: qemu_clock_run_timers (qemu-timer.c:57= 6) =3D=3D2523108=3D=3D by 0x45EFC8F: qemu_clock_run_all_timers (qemu-timer.= c:663) =3D=3D2523108=3D=3D by 0x45EC765: main_loop_wait (main-loop.c:600) =3D=3D2523108=3D=3D by 0x423A56D: qemu_main_loop (runstate.c:835) =3D=3D2523108=3D=3D by 0x454F300: qemu_default_main (main.c:37) =3D=3D2523108=3D=3D by 0x73D6574: (below main) (libc_start_call_main.h:5= 8) =3D=3D2523108=3D=3D Block was alloc'd at =3D=3D2523108=3D=3D at 0x5F343F3: calloc (vg_replace_malloc.c:1675) =3D=3D2523108=3D=3D by 0x6EE2F81: g_malloc0 (gmem.c:133) =3D=3D2523108=3D=3D by 0x4057DA3: vnc_connect (vnc.c:3245) =3D=3D2523108=3D=3D by 0x448591B: qio_net_listener_channel_func (net-lis= tener.c:54) =3D=3D2523108=3D=3D by 0x6EDB862: UnknownInlinedFun (gmain.c:3398) =3D=3D2523108=3D=3D by 0x6EDB862: g_main_context_dispatch_unlocked.lto_p= riv.0 (gmain.c:4249) =3D=3D2523108=3D=3D by 0x6EDBAE4: g_main_context_dispatch (gmain.c:4237) =3D=3D2523108=3D=3D by 0x45EC79F: glib_pollfds_poll (main-loop.c:287) =3D=3D2523108=3D=3D by 0x45EC79F: os_host_main_loop_wait (main-loop.c:31= 0) =3D=3D2523108=3D=3D by 0x45EC79F: main_loop_wait (main-loop.c:589) =3D=3D2523108=3D=3D by 0x423A56D: qemu_main_loop (runstate.c:835) =3D=3D2523108=3D=3D by 0x454F300: qemu_default_main (main.c:37) =3D=3D2523108=3D=3D by 0x73D6574: (below main) (libc_start_call_main.h:5= 8) =3D=3D2523108=3D=3D The above can be reproduced by launching QEMU with $ qemu-system-x86_64 -vnc localhost:0,websocket=3D5700 and then repeatedly running: for i in {1..100}; do (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 localhost 5700 & done CVE-2025-11234 Reported-by: Grant Millar | Cylo Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrang=C3=A9 (cherry picked from commit b7a1f2ca45c7865b9e98e02ae605a65fc9458ae9) Signed-off-by: Michael Tokarev diff --git a/include/io/channel-websock.h b/include/io/channel-websock.h index e180827c57..6700cf8946 100644 --- a/include/io/channel-websock.h +++ b/include/io/channel-websock.h @@ -61,7 +61,8 @@ struct QIOChannelWebsock { size_t payload_remain; size_t pong_remain; QIOChannelWebsockMask mask; - guint io_tag; + guint hs_io_tag; /* tracking handshake task */ + guint io_tag; /* tracking watch task */ Error *io_err; gboolean io_eof; uint8_t opcode; diff --git a/io/channel-websock.c b/io/channel-websock.c index 205df0b25a..bc0bb80c9a 100644 --- a/io/channel-websock.c +++ b/io/channel-websock.c @@ -545,6 +545,7 @@ static gboolean qio_channel_websock_handshake_send(QIOC= hannel *ioc, trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err= )); qio_task_set_error(task, err); qio_task_complete(task); + wioc->hs_io_tag =3D 0; return FALSE; } =20 @@ -560,6 +561,7 @@ static gboolean qio_channel_websock_handshake_send(QIOC= hannel *ioc, trace_qio_channel_websock_handshake_complete(ioc); qio_task_complete(task); } + wioc->hs_io_tag =3D 0; return FALSE; } trace_qio_channel_websock_handshake_pending(ioc, G_IO_OUT); @@ -586,6 +588,7 @@ static gboolean qio_channel_websock_handshake_io(QIOCha= nnel *ioc, trace_qio_channel_websock_handshake_fail(ioc, error_get_pretty(err= )); qio_task_set_error(task, err); qio_task_complete(task); + wioc->hs_io_tag =3D 0; return FALSE; } if (ret =3D=3D 0) { @@ -597,7 +600,7 @@ static gboolean qio_channel_websock_handshake_io(QIOCha= nnel *ioc, error_propagate(&wioc->io_err, err); =20 trace_qio_channel_websock_handshake_reply(ioc); - qio_channel_add_watch( + wioc->hs_io_tag =3D qio_channel_add_watch( wioc->master, G_IO_OUT, qio_channel_websock_handshake_send, @@ -906,11 +909,12 @@ void qio_channel_websock_handshake(QIOChannelWebsock = *ioc, =20 trace_qio_channel_websock_handshake_start(ioc); trace_qio_channel_websock_handshake_pending(ioc, G_IO_IN); - qio_channel_add_watch(ioc->master, - G_IO_IN, - qio_channel_websock_handshake_io, - task, - NULL); + ioc->hs_io_tag =3D qio_channel_add_watch( + ioc->master, + G_IO_IN, + qio_channel_websock_handshake_io, + task, + NULL); } =20 =20 @@ -921,6 +925,9 @@ static void qio_channel_websock_finalize(Object *obj) buffer_free(&ioc->encinput); buffer_free(&ioc->encoutput); buffer_free(&ioc->rawinput); + if (ioc->hs_io_tag) { + g_source_remove(ioc->hs_io_tag); + } if (ioc->io_tag) { g_source_remove(ioc->io_tag); } @@ -1220,6 +1227,9 @@ static int qio_channel_websock_close(QIOChannel *ioc, buffer_free(&wioc->encinput); buffer_free(&wioc->encoutput); buffer_free(&wioc->rawinput); + if (wioc->hs_io_tag) { + g_clear_handle_id(&wioc->hs_io_tag, g_source_remove); + } if (wioc->io_tag) { g_clear_handle_id(&wioc->io_tag, g_source_remove); } --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763846679723788.9730284880063; Sat, 22 Nov 2025 13:24:39 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMupy-0000XY-Fe; Sat, 22 Nov 2025 16:08:07 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMupm-0000Si-0Y; Sat, 22 Nov 2025 16:07:54 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMupa-0006wJ-Ef; Sat, 22 Nov 2025 16:07:49 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id C02E616D306; Sun, 23 Nov 2025 00:03:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 784DA3223DA; Sun, 23 Nov 2025 00:03:45 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Eric Blake , Michael Tokarev Subject: [Stable-7.2.22 12/25] crypto: stop requiring "key encipherment" usage in x509 certs Date: Sat, 22 Nov 2025 23:55:30 +0300 Message-ID: <20251122210344.48374-12-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846681056018900 From: Daniel P. Berrang=C3=A9 This usage flag was deprecated by RFC8813, such that it is forbidden to be present for certs using ECDSA/ECDH algorithms, and in TLS 1.3 is conceptually obsolete. As such many valid certs will no longer have this key usage flag set, and QEMU should not be rejecting them, as this prevents use of otherwise valid & desirable algorithms. Reviewed-by: Eric Blake Signed-off-by: Daniel P. Berrang=C3=A9 (cherry picked from commit 3995fc238e0599e0417ba958ffc5c7a609e82a7f) Signed-off-by: Michael Tokarev diff --git a/crypto/tlscredsx509.c b/crypto/tlscredsx509.c index d14313925d..27ed568637 100644 --- a/crypto/tlscredsx509.c +++ b/crypto/tlscredsx509.c @@ -144,7 +144,7 @@ qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCredsX= 509 *creds, if (status < 0) { if (status =3D=3D GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { usage =3D isCA ? GNUTLS_KEY_KEY_CERT_SIGN : - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT; + GNUTLS_KEY_DIGITAL_SIGNATURE; } else { error_setg(errp, "Unable to query certificate %s key usage: %s", @@ -171,14 +171,6 @@ qcrypto_tls_creds_check_cert_key_usage(QCryptoTLSCreds= X509 *creds, return -1; } } - if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { - if (critical) { - error_setg(errp, - "Certificate %s usage does not permit key " - "encipherment", certFile); - return -1; - } - } } =20 return 0; diff --git a/docs/system/tls.rst b/docs/system/tls.rst index e284c82801..a4f6781d62 100644 --- a/docs/system/tls.rst +++ b/docs/system/tls.rst @@ -118,7 +118,6 @@ information for each server, and use it to issue server= certificates. ip_address =3D 2620:0:cafe::87 ip_address =3D 2001:24::92 tls_www_server - encryption_key signing_key EOF # certtool --generate-privkey > server-hostNNN-key.pem @@ -134,9 +133,8 @@ the subject alt name extension data. The ``tls_www_serv= er`` keyword is the key purpose extension to indicate this certificate is intended for usage in a web server. Although QEMU network services are not in fact HTTP servers (except for VNC websockets), setting this key purpose is -still recommended. The ``encryption_key`` and ``signing_key`` keyword is -the key usage extension to indicate this certificate is intended for -usage in the data session. +still recommended. The ``signing_key`` keyword is the key usage extension +to indicate this certificate is intended for usage in the data session. =20 The ``server-hostNNN-key.pem`` and ``server-hostNNN-cert.pem`` files should now be securely copied to the server for which they were @@ -171,7 +169,6 @@ certificates. organization =3D Name of your organization cn =3D hostNNN.foo.example.com tls_www_client - encryption_key signing_key EOF # certtool --generate-privkey > client-hostNNN-key.pem @@ -187,9 +184,8 @@ the ``dns_name`` and ``ip_address`` fields are not incl= uded. The ``tls_www_client`` keyword is the key purpose extension to indicate this certificate is intended for usage in a web client. Although QEMU network clients are not in fact HTTP clients, setting this key purpose is still -recommended. The ``encryption_key`` and ``signing_key`` keyword is the -key usage extension to indicate this certificate is intended for usage -in the data session. +recommended. The ``signing_key`` keyword is the key usage extension to +indicate this certificate is intended for usage in the data session. =20 The ``client-hostNNN-key.pem`` and ``client-hostNNN-cert.pem`` files should now be securely copied to the client for which they were @@ -222,7 +218,6 @@ client and server instructions in one. ip_address =3D 2001:24::92 tls_www_server tls_www_client - encryption_key signing_key EOF # certtool --generate-privkey > both-hostNNN-key.pem diff --git a/tests/unit/crypto-tls-x509-helpers.h b/tests/unit/crypto-tls-x= 509-helpers.h index 247e7160eb..d422838ef6 100644 --- a/tests/unit/crypto-tls-x509-helpers.h +++ b/tests/unit/crypto-tls-x509-helpers.h @@ -143,8 +143,7 @@ void test_tls_cleanup(const char *keyfile); .basicConstraintsIsCA =3D false, \ .keyUsageEnable =3D true, \ .keyUsageCritical =3D true, \ - .keyUsageValue =3D \ - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \ + .keyUsageValue =3D GNUTLS_KEY_DIGITAL_SIGNATURE, \ .keyPurposeEnable =3D true, \ .keyPurposeCritical =3D true, \ .keyPurposeOID1 =3D GNUTLS_KP_TLS_WWW_CLIENT, \ @@ -163,8 +162,7 @@ void test_tls_cleanup(const char *keyfile); .basicConstraintsIsCA =3D false, \ .keyUsageEnable =3D true, \ .keyUsageCritical =3D true, \ - .keyUsageValue =3D \ - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, \ + .keyUsageValue =3D GNUTLS_KEY_DIGITAL_SIGNATURE, \ .keyPurposeEnable =3D true, \ .keyPurposeCritical =3D true, \ .keyPurposeOID1 =3D GNUTLS_KP_TLS_WWW_SERVER, \ diff --git a/tests/unit/test-crypto-tlscredsx509.c b/tests/unit/test-crypto= -tlscredsx509.c index 3c25d75ca1..2025d75365 100644 --- a/tests/unit/test-crypto-tlscredsx509.c +++ b/tests/unit/test-crypto-tlscredsx509.c @@ -166,14 +166,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertreq, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 @@ -196,7 +196,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -211,7 +211,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -226,7 +226,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -250,7 +250,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* no-basic */ @@ -264,7 +264,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* Key usage:dig-sig:critical */ @@ -278,7 +278,7 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -303,7 +303,7 @@ int main(int argc, char **argv) "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T | + GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN, false, false, NULL, NULL, 0, 0); @@ -406,7 +406,7 @@ int main(int argc, char **argv) "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T | + GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN, false, false, NULL, NULL, 0, 0); @@ -508,21 +508,21 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(servercertexp1req, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, -1); TLS_CERT_REQ(clientcertexp1req, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, -1); =20 @@ -546,21 +546,21 @@ int main(int argc, char **argv) "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(servercertnew1req, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 1, 2); TLS_CERT_REQ(clientcertnew1req, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 1, 2); =20 @@ -599,14 +599,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, "UK", "qemu client level 2b", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 diff --git a/tests/unit/test-crypto-tlssession.c b/tests/unit/test-crypto-t= lssession.c index 615a1344b4..10eaade834 100644 --- a/tests/unit/test-crypto-tlssession.c +++ b/tests/unit/test-crypto-tlssession.c @@ -454,14 +454,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertreq, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 @@ -469,7 +469,7 @@ int main(int argc, char **argv) "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 @@ -488,7 +488,7 @@ int main(int argc, char **argv) "192.168.122.1", "fec0::dead:beaf", true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* This intentionally doesn't replicate */ @@ -497,7 +497,7 @@ int main(int argc, char **argv) "192.168.122.1", "fec0::dead:beaf", true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); =20 @@ -601,14 +601,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, "UK", "qemu client level 2b", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 diff --git a/tests/unit/test-io-channel-tls.c b/tests/unit/test-io-channel-= tls.c index cc39247556..ff73477671 100644 --- a/tests/unit/test-io-channel-tls.c +++ b/tests/unit/test-io-channel-tls.c @@ -302,14 +302,14 @@ int main(int argc, char **argv) "UK", "qemu.org", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertreq, cacertreq, "UK", "qemu", NULL, NULL, NULL, NULL, true, true, false, true, true, - GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMEN= T, + GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); =20 --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 176384611822366.23861592077833; Sat, 22 Nov 2025 13:15:18 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMupr-0000TP-BH; Sat, 22 Nov 2025 16:08:00 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMupk-0000SX-OX; Sat, 22 Nov 2025 16:07:52 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMupb-0006wb-4W; Sat, 22 Nov 2025 16:07:48 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id DAAD516D307; Sun, 23 Nov 2025 00:03:34 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 8A6E53223DB; Sun, 23 Nov 2025 00:03:45 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, "Richard W.M. Jones" , Chenxi Mao , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Akihiko Odaki , Thomas Huth , Richard Henderson , Michael Tokarev Subject: [Stable-7.2.22 13/25] block/curl.c: Use explicit long constants in curl_easy_setopt calls Date: Sat, 22 Nov 2025 23:55:31 +0300 Message-ID: <20251122210344.48374-13-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846120998018900 From: "Richard W.M. Jones" curl_easy_setopt takes a variable argument that depends on what CURLOPT you are setting. Some require a long constant. Passing a plain int constant is potentially wrong on some platforms. With warnings enabled, multiple warnings like this were printed: ../block/curl.c: In function =E2=80=98curl_init_state=E2=80=99: ../block/curl.c:474:13: warning: call to =E2=80=98_curl_easy_setopt_err_lon= g=E2=80=99 declared with attribute warning: curl_easy_setopt expects a long= argument [-Wattribute-warning] 474 | curl_easy_setopt(state->curl, CURLOPT_AUTOREFERER, 1) || | ^ Signed-off-by: Richard W.M. Jones Signed-off-by: Chenxi Mao Reviewed-by: Daniel P. Berrang=C3=A9 Reviewed-by: Akihiko Odaki Reviewed-by: Thomas Huth Reviewed-by: Richard Henderson Signed-off-by: Richard Henderson Message-ID: <20251009141026.4042021-2-rjones@redhat.com> (cherry picked from commit ed26056d90ddff21351f3efd2cb47fea4f0e1d45) Signed-off-by: Michael Tokarev diff --git a/block/curl.c b/block/curl.c index f9c5a1c182..d2b094802e 100644 --- a/block/curl.c +++ b/block/curl.c @@ -478,11 +478,11 @@ static int curl_init_state(BDRVCURLState *s, CURLStat= e *state) (void *)curl_read_cb) || curl_easy_setopt(state->curl, CURLOPT_WRITEDATA, (void *)state= ) || curl_easy_setopt(state->curl, CURLOPT_PRIVATE, (void *)state) = || - curl_easy_setopt(state->curl, CURLOPT_AUTOREFERER, 1) || - curl_easy_setopt(state->curl, CURLOPT_FOLLOWLOCATION, 1) || - curl_easy_setopt(state->curl, CURLOPT_NOSIGNAL, 1) || + curl_easy_setopt(state->curl, CURLOPT_AUTOREFERER, 1L) || + curl_easy_setopt(state->curl, CURLOPT_FOLLOWLOCATION, 1L) || + curl_easy_setopt(state->curl, CURLOPT_NOSIGNAL, 1L) || curl_easy_setopt(state->curl, CURLOPT_ERRORBUFFER, state->errm= sg) || - curl_easy_setopt(state->curl, CURLOPT_FAILONERROR, 1)) { + curl_easy_setopt(state->curl, CURLOPT_FAILONERROR, 1L)) { goto err; } if (s->username) { @@ -805,7 +805,7 @@ static int curl_open(BlockDriverState *bs, QDict *optio= ns, int flags, } =20 s->accept_range =3D false; - if (curl_easy_setopt(state->curl, CURLOPT_NOBODY, 1) || + if (curl_easy_setopt(state->curl, CURLOPT_NOBODY, 1L) || curl_easy_setopt(state->curl, CURLOPT_HEADERFUNCTION, curl_header_= cb) || curl_easy_setopt(state->curl, CURLOPT_HEADERDATA, s)) { pstrcpy(state->errmsg, CURL_ERROR_SIZE, diff --git a/contrib/elf2dmp/download.c b/contrib/elf2dmp/download.c index bd7650a7a2..e0c1075446 100644 --- a/contrib/elf2dmp/download.c +++ b/contrib/elf2dmp/download.c @@ -28,8 +28,8 @@ int download_url(const char *name, const char *url) if (curl_easy_setopt(curl, CURLOPT_URL, url) !=3D CURLE_OK || curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, NULL) !=3D CU= RLE_OK || curl_easy_setopt(curl, CURLOPT_WRITEDATA, file) !=3D CURLE_= OK - || curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1) !=3D CURL= E_OK - || curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0) !=3D CURLE_OK + || curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L) !=3D CUR= LE_OK + || curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L) !=3D CURLE_OK || curl_easy_perform(curl) !=3D CURLE_OK) { unlink(name); fclose(file); --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 176384628954947.4590970824911; Sat, 22 Nov 2025 13:18:09 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMuqZ-0000ec-LF; Sat, 22 Nov 2025 16:08:44 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuqH-0000bl-3z; Sat, 22 Nov 2025 16:08:30 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuq7-00072c-74; Sat, 22 Nov 2025 16:08:20 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 0310216D308; Sun, 23 Nov 2025 00:03:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id A47903223DC; Sun, 23 Nov 2025 00:03:45 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, "Richard W.M. Jones" , Kevin Wolf , Michael Tokarev Subject: [Stable-7.2.22 14/25] block/curl.c: Fix CURLOPT_VERBOSE parameter type Date: Sat, 22 Nov 2025 23:55:32 +0300 Message-ID: <20251122210344.48374-14-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846291879018900 Content-Type: text/plain; charset="utf-8" From: "Richard W.M. Jones" In commit ed26056d90 ("block/curl.c: Use explicit long constants in curl_easy_setopt calls") we missed a further call that takes a long parameter. Reported-by: Kevin Wolf Signed-off-by: Richard W.M. Jones Message-ID: <20251013124127.604401-1-rjones@redhat.com> Reviewed-by: Kevin Wolf Signed-off-by: Kevin Wolf (cherry picked from commit ad97769e9dcf4dbdaae6d859176e5f37fd6a7c66) Signed-off-by: Michael Tokarev diff --git a/block/curl.c b/block/curl.c index d2b094802e..3b6f18d02c 100644 --- a/block/curl.c +++ b/block/curl.c @@ -531,7 +531,7 @@ static int curl_init_state(BDRVCURLState *s, CURLState = *state) #endif =20 #ifdef DEBUG_VERBOSE - if (curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1)) { + if (curl_easy_setopt(state->curl, CURLOPT_VERBOSE, 1L)) { goto err; } #endif --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763845989039160.87705724776424; Sat, 22 Nov 2025 13:13:09 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMuqc-0000h0-Ja; Sat, 22 Nov 2025 16:08:47 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuqH-0000bp-00; Sat, 22 Nov 2025 16:08:28 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuq8-00072v-F0; Sat, 22 Nov 2025 16:08:21 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 1714216D309; Sun, 23 Nov 2025 00:03:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id C36873223DD; Sun, 23 Nov 2025 00:03:45 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Eric Blake , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Michael Tokarev Subject: [Stable-7.2.22 15/25] qio: Add trace points to net_listener Date: Sat, 22 Nov 2025 23:55:33 +0300 Message-ID: <20251122210344.48374-15-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763845990771018900 From: Eric Blake Upcoming patches will adjust how net_listener watches for new client connections; adding trace points now makes it easier to debug that the changes work as intended. For example, adding --trace=3D'qio_net_listener*' to the qemu-storage-daemon command line before --nbd-server will track when the server first starts listening for clients. Signed-off-by: Eric Blake Reviewed-by: Daniel P. Berrang=C3=A9 Message-ID: <20251113011625.878876-17-eblake@redhat.com> (cherry picked from commit 59506e59e0f0a773e892104b945d0f15623381a7) Signed-off-by: Michael Tokarev diff --git a/io/net-listener.c b/io/net-listener.c index 1c984d69c6..99c3ef0fdb 100644 --- a/io/net-listener.c +++ b/io/net-listener.c @@ -23,6 +23,7 @@ #include "io/dns-resolver.h" #include "qapi/error.h" #include "qemu/module.h" +#include "trace.h" =20 QIONetListener *qio_net_listener_new(void) { @@ -50,6 +51,7 @@ static gboolean qio_net_listener_channel_func(QIOChannel = *ioc, return TRUE; } =20 + trace_qio_net_listener_callback(listener, listener->io_func); if (listener->io_func) { listener->io_func(listener, sioc, listener->io_data); } @@ -125,6 +127,7 @@ void qio_net_listener_add(QIONetListener *listener, object_ref(OBJECT(sioc)); listener->connected =3D true; =20 + trace_qio_net_listener_watch(listener, listener->io_func, "add"); if (listener->io_func !=3D NULL) { object_ref(OBJECT(listener)); listener->io_source[listener->nsioc] =3D qio_channel_add_watch_sou= rce( @@ -145,6 +148,8 @@ void qio_net_listener_set_client_func_full(QIONetListen= er *listener, { size_t i; =20 + trace_qio_net_listener_unwatch(listener, listener->io_func, + "set_client_func"); if (listener->io_notify) { listener->io_notify(listener->io_data); } @@ -160,6 +165,8 @@ void qio_net_listener_set_client_func_full(QIONetListen= er *listener, } } =20 + trace_qio_net_listener_watch(listener, listener->io_func, + "set_client_func"); if (listener->io_func !=3D NULL) { for (i =3D 0; i < listener->nsioc; i++) { object_ref(OBJECT(listener)); @@ -220,6 +227,7 @@ QIOChannelSocket *qio_net_listener_wait_client(QIONetLi= stener *listener) }; size_t i; =20 + trace_qio_net_listener_unwatch(listener, listener->io_func, "wait_clie= nt"); for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); @@ -249,6 +257,7 @@ QIOChannelSocket *qio_net_listener_wait_client(QIONetLi= stener *listener) g_main_loop_unref(loop); g_main_context_unref(ctxt); =20 + trace_qio_net_listener_watch(listener, listener->io_func, "wait_client= "); if (listener->io_func !=3D NULL) { for (i =3D 0; i < listener->nsioc; i++) { object_ref(OBJECT(listener)); @@ -270,6 +279,7 @@ void qio_net_listener_disconnect(QIONetListener *listen= er) return; } =20 + trace_qio_net_listener_unwatch(listener, listener->io_func, "disconnec= t"); for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); diff --git a/io/trace-events b/io/trace-events index d4c0f84a9a..263a8b82bd 100644 --- a/io/trace-events +++ b/io/trace-events @@ -67,3 +67,8 @@ qio_channel_command_new_pid(void *ioc, int writefd, int r= eadfd, int pid) "Comman qio_channel_command_new_spawn(void *ioc, const char *binary, int flags) "C= ommand new spawn ioc=3D%p binary=3D%s flags=3D%d" qio_channel_command_abort(void *ioc, int pid) "Command abort ioc=3D%p pid= =3D%d" qio_channel_command_wait(void *ioc, int pid, int ret, int status) "Command= abort ioc=3D%p pid=3D%d ret=3D%d status=3D%d" + +# net-listener.c +qio_net_listener_watch(void *listener, void *func, const char *extra) "Net= listener=3D%p watch enabled func=3D%p by %s" +qio_net_listener_unwatch(void *listener, void *func, const char *extra) "N= et listener=3D%p watch disabled func=3D%p by %s" +qio_net_listener_callback(void *listener, void *func) "Net listener=3D%p c= allback forwarding to func=3D%p" --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763846255393932.4545518421378; Sat, 22 Nov 2025 13:17:35 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMuqt-0000qp-LW; Sat, 22 Nov 2025 16:09:04 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuqo-0000o1-De; Sat, 22 Nov 2025 16:08:58 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuqd-00077s-JC; Sat, 22 Nov 2025 16:08:54 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 2947216D30A; Sun, 23 Nov 2025 00:03:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id D539C3223DE; Sun, 23 Nov 2025 00:03:45 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Eric Blake , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Michael Tokarev Subject: [Stable-7.2.22 16/25] qio: Unwatch before notify in QIONetListener Date: Sat, 22 Nov 2025 23:55:34 +0300 Message-ID: <20251122210344.48374-16-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846257396018900 From: Eric Blake When changing the callback registered with QIONetListener, the code was calling notify on the old opaque data prior to actually removing the old GSource objects still pointing to that data. Similarly, during finalize, it called notify before tearing down the various GSource objects tied to the data. In practice, a grep of the QEMU code base found that every existing client of QIONetListener passes in a NULL notifier (the opaque data, if non-NULL, outlives the NetListener and so does not need cleanup when the NetListener is torn down), so this patch has no impact. And even if a caller had passed in a reference-counted object with a notifier of object_unref but kept its own reference on the data, then the early notify would merely reduce a refcount from (say) 2 to 1, but not free the object. However, it is a latent bug waiting to bite any future caller that passes in data where the notifier actually frees the object, because the GSource could then trigger a use-after-free if it loses the race on a last-minute client connection resulting in the data being passed to one final use of the async callback. Better is to delay the notify call until after all GSource that have been given a copy of the opaque data are torn down. CC: qemu-stable@nongnu.org Fixes: 530473924d "io: introduce a network socket listener API", v2.12.0 Signed-off-by: Eric Blake Reviewed-by: Daniel P. Berrang=C3=A9 Message-ID: <20251113011625.878876-18-eblake@redhat.com> (cherry picked from commit 6e03d5cdc991f5db86969fc6aeaca96234426263) Signed-off-by: Michael Tokarev diff --git a/io/net-listener.c b/io/net-listener.c index 99c3ef0fdb..70e70c49fb 100644 --- a/io/net-listener.c +++ b/io/net-listener.c @@ -150,13 +150,6 @@ void qio_net_listener_set_client_func_full(QIONetListe= ner *listener, =20 trace_qio_net_listener_unwatch(listener, listener->io_func, "set_client_func"); - if (listener->io_notify) { - listener->io_notify(listener->io_data); - } - listener->io_func =3D func; - listener->io_data =3D data; - listener->io_notify =3D notify; - for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); @@ -165,6 +158,13 @@ void qio_net_listener_set_client_func_full(QIONetListe= ner *listener, } } =20 + if (listener->io_notify) { + listener->io_notify(listener->io_data); + } + listener->io_func =3D func; + listener->io_data =3D data; + listener->io_notify =3D notify; + trace_qio_net_listener_watch(listener, listener->io_func, "set_client_func"); if (listener->io_func !=3D NULL) { @@ -302,10 +302,10 @@ static void qio_net_listener_finalize(Object *obj) QIONetListener *listener =3D QIO_NET_LISTENER(obj); size_t i; =20 + qio_net_listener_disconnect(listener); if (listener->io_notify) { listener->io_notify(listener->io_data); } - qio_net_listener_disconnect(listener); =20 for (i =3D 0; i < listener->nsioc; i++) { object_unref(OBJECT(listener->sioc[i])); --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 176384638584839.86784353549763; Sat, 22 Nov 2025 13:19:45 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMuqw-0000sG-DQ; Sat, 22 Nov 2025 16:09:07 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuqp-0000p5-T4; Sat, 22 Nov 2025 16:08:59 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuqe-000783-FL; Sat, 22 Nov 2025 16:08:55 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 3C4B516D30B; Sun, 23 Nov 2025 00:03:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id E82623223DF; Sun, 23 Nov 2025 00:03:45 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Eric Blake , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Michael Tokarev Subject: [Stable-7.2.22 17/25] qio: Remember context of qio_net_listener_set_client_func_full Date: Sat, 22 Nov 2025 23:55:35 +0300 Message-ID: <20251122210344.48374-17-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846388012018900 From: Eric Blake io/net-listener.c has two modes of use: asynchronous (the user calls qio_net_listener_set_client_func to wake up the callback via the global GMainContext, or qio_net_listener_set_client_func_full to wake up the callback via the caller's own alternative GMainContext), and synchronous (the user calls qio_net_listener_wait_client which creates its own GMainContext and waits for the first client connection before returning, with no need for a user's callback). But commit 938c8b79 has a latent logic flaw: when qio_net_listener_wait_client finishes on its temporary context, it reverts all of the siocs back to the global GMainContext rather than the potentially non-NULL context they might have been originally registered with. Similarly, if the user creates a net-listener, adds initial addresses, registers an async callback with a non-default context (which ties to all siocs for the initial addresses), then adds more addresses with qio_net_listener_add, the siocs for later addresses are blindly placed in the global context, rather than sharing the context of the earlier ones. In practice, I don't think this has caused issues. As pointed out by the original commit, all async callers prior to that commit were already okay with the NULL default context; and the typical usage pattern is to first add ALL the addresses the listener will pay attention to before ever setting the async callback. Likewise, if a file uses only qio_net_listener_set_client_func instead of qio_net_listener_set_client_func_full, then it is never using a custom context, so later assignments of async callbacks will still be to the same global context as earlier ones. Meanwhile, any callers that want to do the sync operation to grab the first client are unlikely to register an async callback; altogether bypassing the question of whether later assignments of a GSource are being tied to a different context over time. I do note that chardev/char-socket.c is the only file that calls both qio_net_listener_wait_client (sync for a single client in tcp_chr_accept_server_sync), and qio_net_listener_set_client_func_full (several places, all with chr->gcontext, but sometimes with a NULL callback function during teardown). But as far as I can tell, the two uses are mutually exclusive, based on the is_waitconnect parameter to qmp_chardev_open_socket_server. That said, it is more robust to remember when an async callback function is tied to a non-default context, and have both the sync wait and any late address additions honor that same context. That way, the code will be robust even if a later user performs a sync wait for a specific client in the middle of servicing a longer-lived QIONetListener that has an async callback for all other clients. CC: qemu-stable@nongnu.org Fixes: 938c8b79 ("qio: store gsources for net listeners", v2.12.0) Signed-off-by: Eric Blake Reviewed-by: Daniel P. Berrang=C3=A9 Message-ID: <20251113011625.878876-19-eblake@redhat.com> (cherry picked from commit b5676493a08b4ff80680aae7a1b1bfef8797c6e7) Signed-off-by: Michael Tokarev diff --git a/include/io/net-listener.h b/include/io/net-listener.h index ab9f291ed6..42fbfab546 100644 --- a/include/io/net-listener.h +++ b/include/io/net-listener.h @@ -50,6 +50,7 @@ struct QIONetListener { QIOChannelSocket **sioc; GSource **io_source; size_t nsioc; + GMainContext *context; =20 bool connected; =20 diff --git a/io/net-listener.c b/io/net-listener.c index 70e70c49fb..6b8240a658 100644 --- a/io/net-listener.c +++ b/io/net-listener.c @@ -51,7 +51,8 @@ static gboolean qio_net_listener_channel_func(QIOChannel = *ioc, return TRUE; } =20 - trace_qio_net_listener_callback(listener, listener->io_func); + trace_qio_net_listener_callback(listener, listener->io_func, + listener->context); if (listener->io_func) { listener->io_func(listener, sioc, listener->io_data); } @@ -127,13 +128,14 @@ void qio_net_listener_add(QIONetListener *listener, object_ref(OBJECT(sioc)); listener->connected =3D true; =20 - trace_qio_net_listener_watch(listener, listener->io_func, "add"); + trace_qio_net_listener_watch(listener, listener->io_func, + listener->context, "add"); if (listener->io_func !=3D NULL) { object_ref(OBJECT(listener)); listener->io_source[listener->nsioc] =3D qio_channel_add_watch_sou= rce( QIO_CHANNEL(listener->sioc[listener->nsioc]), G_IO_IN, qio_net_listener_channel_func, - listener, (GDestroyNotify)object_unref, NULL); + listener, (GDestroyNotify)object_unref, listener->context); } =20 listener->nsioc++; @@ -149,7 +151,8 @@ void qio_net_listener_set_client_func_full(QIONetListen= er *listener, size_t i; =20 trace_qio_net_listener_unwatch(listener, listener->io_func, - "set_client_func"); + listener->context, "set_client_func"); + for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); @@ -164,9 +167,10 @@ void qio_net_listener_set_client_func_full(QIONetListe= ner *listener, listener->io_func =3D func; listener->io_data =3D data; listener->io_notify =3D notify; + listener->context =3D context; =20 trace_qio_net_listener_watch(listener, listener->io_func, - "set_client_func"); + listener->context, "set_client_func"); if (listener->io_func !=3D NULL) { for (i =3D 0; i < listener->nsioc; i++) { object_ref(OBJECT(listener)); @@ -227,7 +231,8 @@ QIOChannelSocket *qio_net_listener_wait_client(QIONetLi= stener *listener) }; size_t i; =20 - trace_qio_net_listener_unwatch(listener, listener->io_func, "wait_clie= nt"); + trace_qio_net_listener_unwatch(listener, listener->io_func, + listener->context, "wait_client"); for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); @@ -257,14 +262,15 @@ QIOChannelSocket *qio_net_listener_wait_client(QIONet= Listener *listener) g_main_loop_unref(loop); g_main_context_unref(ctxt); =20 - trace_qio_net_listener_watch(listener, listener->io_func, "wait_client= "); + trace_qio_net_listener_watch(listener, listener->io_func, + listener->context, "wait_client"); if (listener->io_func !=3D NULL) { for (i =3D 0; i < listener->nsioc; i++) { object_ref(OBJECT(listener)); listener->io_source[i] =3D qio_channel_add_watch_source( QIO_CHANNEL(listener->sioc[i]), G_IO_IN, qio_net_listener_channel_func, - listener, (GDestroyNotify)object_unref, NULL); + listener, (GDestroyNotify)object_unref, listener->context); } } =20 @@ -279,7 +285,8 @@ void qio_net_listener_disconnect(QIONetListener *listen= er) return; } =20 - trace_qio_net_listener_unwatch(listener, listener->io_func, "disconnec= t"); + trace_qio_net_listener_unwatch(listener, listener->io_func, + listener->context, "disconnect"); for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); diff --git a/io/trace-events b/io/trace-events index 263a8b82bd..6f56f8ba2d 100644 --- a/io/trace-events +++ b/io/trace-events @@ -69,6 +69,6 @@ qio_channel_command_abort(void *ioc, int pid) "Command ab= ort ioc=3D%p pid=3D%d" qio_channel_command_wait(void *ioc, int pid, int ret, int status) "Command= abort ioc=3D%p pid=3D%d ret=3D%d status=3D%d" =20 # net-listener.c -qio_net_listener_watch(void *listener, void *func, const char *extra) "Net= listener=3D%p watch enabled func=3D%p by %s" -qio_net_listener_unwatch(void *listener, void *func, const char *extra) "N= et listener=3D%p watch disabled func=3D%p by %s" -qio_net_listener_callback(void *listener, void *func) "Net listener=3D%p c= allback forwarding to func=3D%p" +qio_net_listener_watch(void *listener, void *func, void *ctx, const char *= extra) "Net listener=3D%p watch enabled func=3D%p ctx=3D%p by %s" +qio_net_listener_unwatch(void *listener, void *func, void *ctx, const char= *extra) "Net listener=3D%p watch disabled func=3D%p ctx=3D%p by %s" +qio_net_listener_callback(void *listener, void *func, void *ctx) "Net list= ener=3D%p callback forwarding to func=3D%p ctx=3D%p" --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763846152663579.1058967071591; Sat, 22 Nov 2025 13:15:52 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMurP-0001FM-91; Sat, 22 Nov 2025 16:09:36 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMurL-0001Dk-0o; Sat, 22 Nov 2025 16:09:31 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMurA-0007DJ-UL; Sat, 22 Nov 2025 16:09:27 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 4DE9D16D30C; Sun, 23 Nov 2025 00:03:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 064F43223E0; Sun, 23 Nov 2025 00:03:46 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Eric Blake , =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= , Michael Tokarev Subject: [Stable-7.2.22 18/25] qio: Protect NetListener callback with mutex Date: Sat, 22 Nov 2025 23:55:36 +0300 Message-ID: <20251122210344.48374-18-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846153578018900 From: Eric Blake Without a mutex, NetListener can run into this data race between a thread changing the async callback callback function to use when a client connects, and the thread servicing polling of the listening sockets: Thread 1: qio_net_listener_set_client_func(lstnr, f1, ...); =3D> foreach sock: socket =3D> object_ref(lstnr) =3D> sock_src =3D qio_channel_socket_add_watch_source(sock, = ...., lstnr, object_unref); Thread 2: poll() =3D> event POLLIN on socket =3D> ref(GSourceCallback) =3D> if (lstnr->io_func) // while lstnr->io_func is f1 ...interrupt.. Thread 1: qio_net_listener_set_client_func(lstnr, f2, ...); =3D> foreach sock: socket =3D> g_source_unref(sock_src) =3D> foreach sock: socket =3D> object_ref(lstnr) =3D> sock_src =3D qio_channel_socket_add_watch_source(sock, = ...., lstnr, object_unref); Thread 2: =3D> call lstnr->io_func(lstnr->io_data) // now sees f2 =3D> return dispatch(sock) =3D> unref(GSourceCallback) =3D> destroy-notify =3D> object_unref Found by inspection; I did not spend the time trying to add sleeps or execute under gdb to try and actually trigger the race in practice. This is a SEGFAULT waiting to happen if f2 can become NULL because thread 1 deregisters the user's callback while thread 2 is trying to service the callback. Other messes are also theoretically possible, such as running callback f1 with an opaque pointer that should only be passed to f2 (if the client code were to use more than just a binary choice between a single async function or NULL). Mitigating factor: if the code that modifies the QIONetListener can only be reached by the same thread that is executing the polling and async callbacks, then we are not in a two-thread race documented above (even though poll can see two clients trying to connect in the same window of time, any changes made to the listener by the first async callback will be completed before the thread moves on to the second client). However, QEMU is complex enough that this is hard to generically analyze. If QMP commands (like nbd-server-stop) are run in the main loop and the listener uses the main loop, things should be okay. But when a client uses an alternative GMainContext, or if servicing a QMP command hands off to a coroutine to avoid blocking, I am unable to state with certainty whether a given net listener can be modified by a thread different from the polling thread running callbacks. At any rate, it is worth having the API be robust. To ensure that modifying a NetListener can be safely done from any thread, add a mutex that guarantees atomicity to all members of a listener object related to callbacks. This problem has been present since QIONetListener was introduced. Note that this does NOT prevent the case of a second round of the user's old async callback being invoked with the old opaque data, even when the user has already tried to change the async callback during the first async callback; it is only about ensuring that there is no sharding (the eventual io_func(io_data) call that does get made will correspond to a particular combination that the user had requested at some point in time, and not be sharded to a combination that never existed in practice). In other words, this patch maintains the status quo that a user's async callback function already needs to be robust to parallel clients landing in the same window of poll servicing, even when only one client is desired, if that particular listener can be amended in a thread other than the one doing the polling. CC: qemu-stable@nongnu.org Fixes: 53047392 ("io: introduce a network socket listener API", v2.12.0) Signed-off-by: Eric Blake Message-ID: <20251113011625.878876-20-eblake@redhat.com> Reviewed-by: Daniel P. Berrang=C3=A9 [eblake: minor commit message wording improvements] Signed-off-by: Eric Blake (cherry picked from commit 9d86181874ab7b0e95ae988f6f80715943c618c6) Signed-off-by: Michael Tokarev diff --git a/include/io/net-listener.h b/include/io/net-listener.h index 42fbfab546..c2165dc166 100644 --- a/include/io/net-listener.h +++ b/include/io/net-listener.h @@ -54,6 +54,7 @@ struct QIONetListener { =20 bool connected; =20 + QemuMutex lock; /* Protects remaining fields */ QIONetListenerClientFunc io_func; gpointer io_data; GDestroyNotify io_notify; diff --git a/io/net-listener.c b/io/net-listener.c index 6b8240a658..7352b5f8d4 100644 --- a/io/net-listener.c +++ b/io/net-listener.c @@ -23,11 +23,16 @@ #include "io/dns-resolver.h" #include "qapi/error.h" #include "qemu/module.h" +#include "qemu/lockable.h" #include "trace.h" =20 QIONetListener *qio_net_listener_new(void) { - return QIO_NET_LISTENER(object_new(TYPE_QIO_NET_LISTENER)); + QIONetListener *listener; + + listener =3D QIO_NET_LISTENER(object_new(TYPE_QIO_NET_LISTENER)); + qemu_mutex_init(&listener->lock); + return listener; } =20 void qio_net_listener_set_name(QIONetListener *listener, @@ -44,6 +49,9 @@ static gboolean qio_net_listener_channel_func(QIOChannel = *ioc, { QIONetListener *listener =3D QIO_NET_LISTENER(opaque); QIOChannelSocket *sioc; + QIONetListenerClientFunc io_func; + gpointer io_data; + GMainContext *context; =20 sioc =3D qio_channel_socket_accept(QIO_CHANNEL_SOCKET(ioc), NULL); @@ -51,10 +59,15 @@ static gboolean qio_net_listener_channel_func(QIOChanne= l *ioc, return TRUE; } =20 - trace_qio_net_listener_callback(listener, listener->io_func, - listener->context); - if (listener->io_func) { - listener->io_func(listener, sioc, listener->io_data); + WITH_QEMU_LOCK_GUARD(&listener->lock) { + io_func =3D listener->io_func; + io_data =3D listener->io_data; + context =3D listener->context; + } + + trace_qio_net_listener_callback(listener, io_func, context); + if (io_func) { + io_func(listener, sioc, io_data); } =20 object_unref(OBJECT(sioc)); @@ -111,6 +124,9 @@ int qio_net_listener_open_sync(QIONetListener *listener, void qio_net_listener_add(QIONetListener *listener, QIOChannelSocket *sioc) { + QIONetListenerClientFunc io_func; + GMainContext *context; + if (listener->name) { char *name =3D g_strdup_printf("%s-listen", listener->name); qio_channel_set_name(QIO_CHANNEL(sioc), name); @@ -128,14 +144,18 @@ void qio_net_listener_add(QIONetListener *listener, object_ref(OBJECT(sioc)); listener->connected =3D true; =20 - trace_qio_net_listener_watch(listener, listener->io_func, - listener->context, "add"); - if (listener->io_func !=3D NULL) { + WITH_QEMU_LOCK_GUARD(&listener->lock) { + io_func =3D listener->io_func; + context =3D listener->context; + } + + trace_qio_net_listener_watch(listener, io_func, context, "add"); + if (io_func) { object_ref(OBJECT(listener)); listener->io_source[listener->nsioc] =3D qio_channel_add_watch_sou= rce( QIO_CHANNEL(listener->sioc[listener->nsioc]), G_IO_IN, qio_net_listener_channel_func, - listener, (GDestroyNotify)object_unref, listener->context); + listener, (GDestroyNotify)object_unref, context); } =20 listener->nsioc++; @@ -150,6 +170,7 @@ void qio_net_listener_set_client_func_full(QIONetListen= er *listener, { size_t i; =20 + QEMU_LOCK_GUARD(&listener->lock); trace_qio_net_listener_unwatch(listener, listener->io_func, listener->context, "set_client_func"); =20 @@ -230,9 +251,15 @@ QIOChannelSocket *qio_net_listener_wait_client(QIONetL= istener *listener) .loop =3D loop }; size_t i; + QIONetListenerClientFunc io_func; + GMainContext *context; =20 - trace_qio_net_listener_unwatch(listener, listener->io_func, - listener->context, "wait_client"); + WITH_QEMU_LOCK_GUARD(&listener->lock) { + io_func =3D listener->io_func; + context =3D listener->context; + } + + trace_qio_net_listener_unwatch(listener, io_func, context, "wait_clien= t"); for (i =3D 0; i < listener->nsioc; i++) { if (listener->io_source[i]) { g_source_destroy(listener->io_source[i]); @@ -262,15 +289,14 @@ QIOChannelSocket *qio_net_listener_wait_client(QIONet= Listener *listener) g_main_loop_unref(loop); g_main_context_unref(ctxt); =20 - trace_qio_net_listener_watch(listener, listener->io_func, - listener->context, "wait_client"); - if (listener->io_func !=3D NULL) { + trace_qio_net_listener_watch(listener, io_func, context, "wait_client"= ); + if (io_func !=3D NULL) { for (i =3D 0; i < listener->nsioc; i++) { object_ref(OBJECT(listener)); listener->io_source[i] =3D qio_channel_add_watch_source( QIO_CHANNEL(listener->sioc[i]), G_IO_IN, qio_net_listener_channel_func, - listener, (GDestroyNotify)object_unref, listener->context); + listener, (GDestroyNotify)object_unref, context); } } =20 @@ -285,6 +311,7 @@ void qio_net_listener_disconnect(QIONetListener *listen= er) return; } =20 + QEMU_LOCK_GUARD(&listener->lock); trace_qio_net_listener_unwatch(listener, listener->io_func, listener->context, "disconnect"); for (i =3D 0; i < listener->nsioc; i++) { @@ -320,6 +347,7 @@ static void qio_net_listener_finalize(Object *obj) g_free(listener->io_source); g_free(listener->sioc); g_free(listener->name); + qemu_mutex_destroy(&listener->lock); } =20 static const TypeInfo qio_net_listener_info =3D { --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763846341636877.7306840188496; Sat, 22 Nov 2025 13:19:01 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMura-0001Iy-2f; Sat, 22 Nov 2025 16:09:47 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMurM-0001Eg-7o; Sat, 22 Nov 2025 16:09:32 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMurC-0007Di-Dm; Sat, 22 Nov 2025 16:09:29 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 6128F16D30D; Sun, 23 Nov 2025 00:03:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 17DDA3223E1; Sun, 23 Nov 2025 00:03:46 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , Akihiko Odaki , Jason Wang , Michael Tokarev Subject: [Stable-7.2.22 19/25] hw/net/e1000e_core: Don't advance desc_offset for NULL buffer RX descriptors Date: Sat, 22 Nov 2025 23:55:37 +0300 Message-ID: <20251122210344.48374-19-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846343585018900 Content-Type: text/plain; charset="utf-8" From: Peter Maydell In e1000e_write_packet_to_guest() we don't write data for RX descriptors where the buffer address is NULL (as required by the i82574 datasheet section 7.1.7.2). However, when we do this we still update desc_offset by the amount of data we would have written to the RX descriptor if it had a valid buffer pointer, resulting in our dropping that data entirely. The data sheet is not 100% clear on the subject, but this seems unlikely to be the correct behaviour. Rearrange the null-descriptor logic so that we don't treat these do-nothing descriptors as if we'd really written the data. This both fixes a bug and also is a prerequisite to cleaning up the size calculation logic in the next patch. (Cc to stable largely because it will be needed for the next patch, which fixes a more serious bug.) Cc: qemu-stable@nongnu.org Signed-off-by: Peter Maydell Reviewed-by: Akihiko Odaki Signed-off-by: Jason Wang (cherry picked from commit 6da0c9828194eb21e54fe4264cd29a1b85a29f33) (Mjt: context fixup in hw/net/e1000e_core.c:e1000e_write_packet_to_guest()) Signed-off-by: Michael Tokarev diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c index 5def4cfc1c..be9c15f01e 100644 --- a/hw/net/e1000e_core.c +++ b/hw/net/e1000e_core.c @@ -1512,7 +1512,6 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct= NetRxPkt *pkt, PCIDevice *d =3D core->owner; dma_addr_t base; uint8_t desc[E1000_MAX_RX_DESC_LEN]; - size_t desc_size; size_t desc_offset =3D 0; size_t iov_ofs =3D 0; =20 @@ -1531,12 +1530,6 @@ e1000e_write_packet_to_guest(E1000ECore *core, struc= t NetRxPkt *pkt, e1000e_ba_state bastate =3D { { 0 } }; bool is_last =3D false; =20 - desc_size =3D total_size - desc_offset; - - if (desc_size > core->rx_desc_buf_size) { - desc_size =3D core->rx_desc_buf_size; - } - if (e1000e_ring_empty(core, rxi)) { return; } @@ -1550,6 +1543,12 @@ e1000e_write_packet_to_guest(E1000ECore *core, struc= t NetRxPkt *pkt, e1000e_read_rx_descr(core, desc, &ba); =20 if (ba[0]) { + size_t desc_size =3D total_size - desc_offset; + + if (desc_size > core->rx_desc_buf_size) { + desc_size =3D core->rx_desc_buf_size; + } + if (desc_offset < size) { static const uint32_t fcs_pad; size_t iov_copy; @@ -1609,13 +1608,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, stru= ct NetRxPkt *pkt, (const char *) &fcs_pad, e1000x_fcs_len(core->ma= c)); } } + desc_offset +=3D desc_size; + if (desc_offset >=3D total_size) { + is_last =3D true; + } } else { /* as per intel docs; skip descriptors with null buf addr= */ trace_e1000e_rx_null_descriptor(); } - desc_offset +=3D desc_size; - if (desc_offset >=3D total_size) { - is_last =3D true; - } =20 e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL, rss_info, do_ps ? ps_hdr_len : 0, &bastate.writ= ten); --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763846652850266.9046767423746; Sat, 22 Nov 2025 13:24:12 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMus4-0001eP-SK; Sat, 22 Nov 2025 16:10:17 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMurs-0001Ya-ET; Sat, 22 Nov 2025 16:10:04 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMuri-0007K5-FC; Sat, 22 Nov 2025 16:10:01 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 7504516D30E; Sun, 23 Nov 2025 00:03:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 2B2D23223E2; Sun, 23 Nov 2025 00:03:46 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , Akihiko Odaki , Jason Wang , Michael Tokarev Subject: [Stable-7.2.22 20/25] hw/net/e1000e_core: Correct rx oversize packet checks Date: Sat, 22 Nov 2025 23:55:38 +0300 Message-ID: <20251122210344.48374-20-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846654841018900 Content-Type: text/plain; charset="utf-8" From: Peter Maydell In e1000e_write_packet_to_guest() we attempt to ensure that we don't write more of a packet to a descriptor than will fit in the guest configured receive buffers. However, this code does not allow for the "packet split" feature. When packet splitting is enabled, the first of up to 4 buffers in the descriptor is used for the packet header only, with the payload going into buffers 2, 3 and 4. Our length check only checks against the total sizes of all 4 buffers, which meant that if an incoming packet was large enough to fit in (1 + 2 + 3 + 4) but not into (2 + 3 + 4) and packet splitting was enabled, we would run into the assertion in e1000e_write_hdr_frag_to_rx_buffers() that we had enough buffers for the data: qemu-system-i386: ../../hw/net/e1000e_core.c:1418: void e1000e_write_payloa= d_frag_to_rx_buffers(E1000ECore *, hwaddr *, E1000EBAState *, const char *,= dma_addr_t): Assertion `bastate->cur_idx < MAX_PS_BUFFERS' failed. A malicious guest could provoke this assertion by configuring the device into loopback mode, and then sending itself a suitably sized packet into a suitably arrange rx descriptor. The code also fails to deal with the possibility that the descriptor buffers are sized such that the trailing checksum word does not fit into the last descriptor which has actual data, which might also trigger this assertion. Rework the length handling to use two variables: * desc_size is the total amount of data DMA'd to the guest for the descriptor being processed in this iteration of the loop * rx_desc_buf_size is the total amount of space left in it As we copy data to the guest (packet header, payload, checksum), update these two variables. (Previously we attempted to calculate desc_size once at the top of the loop, but this is too difficult to do correctly.) Then we can use the variables to ensure that we clamp the amount of copied payload data to the remaining space in the descriptor's buffers, even if we've used one of the buffers up in the packet-split code, and we can tell whether we have enough space for the full checksum word in this descriptor or whether we're going to need to split that to the following descriptor. I have included comments that hopefully help to make the loop logic a little clearer. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/537 Reviewed-by: Akihiko Odaki Signed-off-by: Peter Maydell Signed-off-by: Jason Wang (cherry picked from commit 9d946d56a2ac8a6c2df186e20d24810255c83a3f) (Mjt: rename e1000e_write_payload_frag_to_rx_buffers back to e1000e_write_to_rx_buffers for 7.2.x, to compensate for missing in 7.2.x v8.1.0-693-g17ccd0164796 "igb: RX payload guest writting refactoring") Signed-off-by: Michael Tokarev diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c index be9c15f01e..deb070d17e 100644 --- a/hw/net/e1000e_core.c +++ b/hw/net/e1000e_core.c @@ -1526,6 +1526,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struc= t NetRxPkt *pkt, rxi =3D rxr->i; =20 do { + /* + * Loop processing descriptors while we have packet data to + * DMA to the guest. desc_offset tracks how much data we have + * sent to the guest in total over all descriptors, and goes + * from 0 up to total_size (the size of everything to send to + * the guest including possible trailing 4 bytes of CRC data). + */ hwaddr ba[MAX_PS_BUFFERS]; e1000e_ba_state bastate =3D { { 0 } }; bool is_last =3D false; @@ -1543,23 +1550,27 @@ e1000e_write_packet_to_guest(E1000ECore *core, stru= ct NetRxPkt *pkt, e1000e_read_rx_descr(core, desc, &ba); =20 if (ba[0]) { - size_t desc_size =3D total_size - desc_offset; - - if (desc_size > core->rx_desc_buf_size) { - desc_size =3D core->rx_desc_buf_size; - } + /* Total amount of data DMA'd to the guest in this iteration */ + size_t desc_size =3D 0; + /* + * Total space available in this descriptor (we will update + * this as we use it up) + */ + size_t rx_desc_buf_size =3D core->rx_desc_buf_size; =20 if (desc_offset < size) { - static const uint32_t fcs_pad; size_t iov_copy; + /* Amount of data to copy from the incoming packet */ size_t copy_size =3D size - desc_offset; - if (copy_size > core->rx_desc_buf_size) { - copy_size =3D core->rx_desc_buf_size; - } =20 /* For PS mode copy the packet header first */ if (do_ps) { if (is_first) { + /* + * e1000e_do_ps() guarantees that buffer 0 has eno= ugh + * space for the header; otherwise we will not spl= it + * the packet (i.e. do_ps is false). + */ size_t ps_hdr_copied =3D 0; do { iov_copy =3D MIN(ps_hdr_len - ps_hdr_copied, @@ -1579,14 +1590,26 @@ e1000e_write_packet_to_guest(E1000ECore *core, stru= ct NetRxPkt *pkt, } while (ps_hdr_copied < ps_hdr_len); =20 is_first =3D false; + desc_size +=3D ps_hdr_len; } else { /* Leave buffer 0 of each descriptor except first = */ /* empty as per spec 7.1.5.1 = */ e1000e_write_hdr_to_rx_buffers(core, &ba, &bastate, NULL, 0); } + rx_desc_buf_size -=3D core->rxbuf_sizes[0]; } =20 + /* + * Clamp the amount of packet data we copy into what will = fit + * into the remaining buffers in the descriptor. + */ + if (copy_size > rx_desc_buf_size) { + copy_size =3D rx_desc_buf_size; + } + desc_size +=3D copy_size; + rx_desc_buf_size -=3D copy_size; + /* Copy packet payload */ while (copy_size) { iov_copy =3D MIN(copy_size, iov->iov_len - iov_ofs); @@ -1601,12 +1624,22 @@ e1000e_write_packet_to_guest(E1000ECore *core, stru= ct NetRxPkt *pkt, iov_ofs =3D 0; } } + } =20 - if (desc_offset + desc_size >=3D total_size) { - /* Simulate FCS checksum presence in the last descript= or */ - e1000e_write_to_rx_buffers(core, &ba, &bastate, - (const char *) &fcs_pad, e1000x_fcs_len(core->ma= c)); - } + if (rx_desc_buf_size && + desc_offset >=3D size && desc_offset < total_size) { + /* + * We are in the last 4 bytes corresponding to the FCS che= cksum. + * We only ever write zeroes here (unlike the hardware). + */ + static const uint32_t fcs_pad; + /* Amount of space for the trailing checksum */ + size_t fcs_len =3D MIN(rx_desc_buf_size, + total_size - desc_offset); + e1000e_write_to_rx_buffers(core, &ba, &bastate, + (const char *)&fcs_pad, + fcs_len); + desc_size +=3D fcs_len; } desc_offset +=3D desc_size; if (desc_offset >=3D total_size) { --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763846211848576.3606100949095; Sat, 22 Nov 2025 13:16:51 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMus1-0001dY-1z; Sat, 22 Nov 2025 16:10:14 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMurw-0001cR-7v; Sat, 22 Nov 2025 16:10:08 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMurj-0007KH-Nh; Sat, 22 Nov 2025 16:10:03 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 8A05916D30F; Sun, 23 Nov 2025 00:03:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 3FBD73223E3; Sun, 23 Nov 2025 00:03:46 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , Akihiko Odaki , Jason Wang , Michael Tokarev Subject: [Stable-7.2.22 21/25] hw/net/e1000e_core: Adjust e1000e_write_payload_frag_to_rx_buffers() assert Date: Sat, 22 Nov 2025 23:55:39 +0300 Message-ID: <20251122210344.48374-21-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846214676018900 Content-Type: text/plain; charset="utf-8" From: Peter Maydell An assertion in e1000e_write_payload_frag_to_rx_buffers() attempts to guard against the calling code accidentally trying to write too much data to a single RX descriptor, such that the E1000EBAState::cur_idx indexes off the end of the EB1000BAState::written[] array. Unfortunately it is overzealous: it asserts that cur_idx is in range after it has been incremented. This will fire incorrectly for the case where the guest configures four buffers and exactly enough bytes are written to fill all four of them. The only places where we use cur_idx and index in to the written[] array are the functions e1000e_write_hdr_frag_to_rx_buffers() and e1000e_write_payload_frag_to_rx_buffers(), so we can rewrite this to assert before doing the array dereference, rather than asserting after updating cur_idx. Cc: qemu-stable@nongnu.org Reviewed-by: Akihiko Odaki Signed-off-by: Peter Maydell Signed-off-by: Jason Wang (cherry picked from commit bab496a18358643b686f69e2b97d73fb98d37e79) (Mjt: in 7.2.x it is e1000e_write_to_rx_buffers, not e1000e_write_payload_frag_to_rx_buffers, due to missing in 7.2.x v8.1.0-693-g17ccd0164796 "igb: RX payload guest writting refactoring") Signed-off-by: Michael Tokarev diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c index deb070d17e..14bf3ee948 100644 --- a/hw/net/e1000e_core.c +++ b/hw/net/e1000e_core.c @@ -1411,10 +1411,13 @@ e1000e_write_to_rx_buffers(E1000ECore *core, dma_addr_t data_len) { while (data_len > 0) { - uint32_t cur_buf_len =3D core->rxbuf_sizes[bastate->cur_idx]; - uint32_t cur_buf_bytes_left =3D cur_buf_len - - bastate->written[bastate->cur_idx]; - uint32_t bytes_to_write =3D MIN(data_len, cur_buf_bytes_left); + uint32_t cur_buf_len, cur_buf_bytes_left, bytes_to_write; + + assert(bastate->cur_idx < MAX_PS_BUFFERS); + + cur_buf_len =3D core->rxbuf_sizes[bastate->cur_idx]; + cur_buf_bytes_left =3D cur_buf_len - bastate->written[bastate->cur= _idx]; + bytes_to_write =3D MIN(data_len, cur_buf_bytes_left); =20 trace_e1000e_rx_desc_buff_write(bastate->cur_idx, (*ba)[bastate->cur_idx], @@ -1433,8 +1436,6 @@ e1000e_write_to_rx_buffers(E1000ECore *core, if (bastate->written[bastate->cur_idx] =3D=3D cur_buf_len) { bastate->cur_idx++; } - - assert(bastate->cur_idx < MAX_PS_BUFFERS); } } =20 --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 176384669442677.15082086297832; Sat, 22 Nov 2025 13:24:54 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMusV-0001lW-7b; Sat, 22 Nov 2025 16:10:44 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMusR-0001kg-AC; Sat, 22 Nov 2025 16:10:39 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMusF-0007PT-VF; Sat, 22 Nov 2025 16:10:35 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id 9EA1216D310; Sun, 23 Nov 2025 00:03:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 549B03223E4; Sun, 23 Nov 2025 00:03:46 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , Akihiko Odaki , Jason Wang , Michael Tokarev Subject: [Stable-7.2.22 22/25] net: pad packets to minimum length in qemu_receive_packet() Date: Sat, 22 Nov 2025 23:55:40 +0300 Message-ID: <20251122210344.48374-22-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846694796018900 Content-Type: text/plain; charset="utf-8" From: Peter Maydell In commits like 969e50b61a28 ("net: Pad short frames to minimum size before sending from SLiRP/TAP") we switched away from requiring network devices to handle short frames to instead having the net core code do the padding of short frames out to the ETH_ZLEN minimum size. We then dropped the code for handling short frames from the network devices in a series of commits like 140eae9c8f7 ("hw/net: e1000: Remove the logic of padding short frames in the receive path"). This missed one route where the device's receive code can still see a short frame: if the device is in loopback mode and it transmits a short frame via the qemu_receive_packet() function, this will be fed back into its own receive code without being padded. Add the padding logic to qemu_receive_packet(). This fixes a buffer overrun which can be triggered in the e1000_receive_iov() logic via the loopback code path. Other devices that use qemu_receive_packet() to implement loopback are cadence_gem, dp8393x, lan9118, msf2-emac, pcnet, rtl8139 and sungem. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3043 Reviewed-by: Akihiko Odaki Signed-off-by: Peter Maydell Signed-off-by: Jason Wang (cherry picked from commit a01344d9d78089e9e585faaeb19afccff2050abf) Signed-off-by: Michael Tokarev diff --git a/net/net.c b/net/net.c index c3391168f6..40db3b5dc0 100644 --- a/net/net.c +++ b/net/net.c @@ -728,10 +728,20 @@ ssize_t qemu_send_packet(NetClientState *nc, const ui= nt8_t *buf, int size) =20 ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int si= ze) { + uint8_t min_pkt[ETH_ZLEN]; + size_t min_pktsz =3D sizeof(min_pkt); + if (!qemu_can_receive_packet(nc)) { return 0; } =20 + if (net_peer_needs_padding(nc)) { + if (eth_pad_short_frame(min_pkt, &min_pktsz, buf, size)) { + buf =3D min_pkt; + size =3D min_pktsz; + } + } + return qemu_net_queue_receive(nc->incoming_queue, buf, size); } =20 --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763846488340278.92716480811634; Sat, 22 Nov 2025 13:21:28 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMusU-0001lX-GS; Sat, 22 Nov 2025 16:10:43 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMusR-0001kr-JV; Sat, 22 Nov 2025 16:10:39 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMusI-0007TR-Nj; Sat, 22 Nov 2025 16:10:36 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id B563916D311; Sun, 23 Nov 2025 00:03:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 69E3A3223E5; Sun, 23 Nov 2025 00:03:46 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , "Edgar E. Iglesias" , Michael Tokarev Subject: [Stable-7.2.22 23/25] hw/display/xlnx_dp.c: Don't abort on AUX FIFO overrun/underrun Date: Sat, 22 Nov 2025 23:55:41 +0300 Message-ID: <20251122210344.48374-23-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846490462018900 From: Peter Maydell The documentation of the Xilinx DisplayPort subsystem at https://www.xilinx.com/support/documents/ip_documentation/v_dp_txss1/v3_1/p= g299-v-dp-txss1.pdf doesn't say what happens if a guest tries to issue an AUX write command with a length greater than the amount of data in the AUX write FIFO, or tries to write more data to the write FIFO than it can hold, or issues multiple commands that put data into the AUX read FIFO without reading it such that it overflows. Currently QEMU will abort() in these guest-error situations, either in xlnx_dp.c itself or in the fifo8 code. Make these cases all be logged as guest errors instead. We choose to ignore the new data on overflow, and return 0 on underflow. This is in line with how we handled the "read from empty RX FIFO" case in commit a09ef5040477. Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1418 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1419 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1424 Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daud=C3=A9 Reviewed-by: Edgar E. Iglesias Message-id: 20251106145209.1083998-2-peter.maydell@linaro.org (cherry picked from commit f52db7f34242d3398bab0bacaa3e5dde99be5258) Signed-off-by: Michael Tokarev diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c index b0828d65aa..d5c6d19ab5 100644 --- a/hw/display/xlnx_dp.c +++ b/hw/display/xlnx_dp.c @@ -432,7 +432,18 @@ static void xlnx_dp_aux_clear_rx_fifo(XlnxDPState *s) =20 static void xlnx_dp_aux_push_rx_fifo(XlnxDPState *s, uint8_t *buf, size_t = len) { + size_t avail =3D fifo8_num_free(&s->rx_fifo); DPRINTF("Push %u data in rx_fifo\n", (unsigned)len); + if (len > avail) { + /* + * Data sheet doesn't specify behaviour here: we choose to ignore + * the excess data. + */ + qemu_log_mask(LOG_GUEST_ERROR, + "%s: ignoring %zu bytes pushed to full RX_FIFO\n", + __func__, len - avail); + len =3D avail; + } fifo8_push_all(&s->rx_fifo, buf, len); } =20 @@ -463,7 +474,18 @@ static void xlnx_dp_aux_clear_tx_fifo(XlnxDPState *s) =20 static void xlnx_dp_aux_push_tx_fifo(XlnxDPState *s, uint8_t *buf, size_t = len) { + size_t avail =3D fifo8_num_free(&s->tx_fifo); DPRINTF("Push %u data in tx_fifo\n", (unsigned)len); + if (len > avail) { + /* + * Data sheet doesn't specify behaviour here: we choose to ignore + * the excess data. + */ + qemu_log_mask(LOG_GUEST_ERROR, + "%s: ignoring %zu bytes pushed to full TX_FIFO\n", + __func__, len - avail); + len =3D avail; + } fifo8_push_all(&s->tx_fifo, buf, len); } =20 @@ -472,8 +494,10 @@ static uint8_t xlnx_dp_aux_pop_tx_fifo(XlnxDPState *s) uint8_t ret; =20 if (fifo8_is_empty(&s->tx_fifo)) { - error_report("%s: TX_FIFO underflow", __func__); - abort(); + /* Data sheet doesn't specify behaviour here: we choose to return = 0 */ + qemu_log_mask(LOG_GUEST_ERROR, "%s: attempt to read empty TX_FIFO\= n", + __func__); + return 0; } ret =3D fifo8_pop(&s->tx_fifo); DPRINTF("pop 0x%2.2X from tx_fifo.\n", ret); --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763846518378255.35165019217436; Sat, 22 Nov 2025 13:21:58 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMut2-00028a-Dd; Sat, 22 Nov 2025 16:11:17 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMusx-00026b-IU; Sat, 22 Nov 2025 16:11:11 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMusn-0007hz-Q3; Sat, 22 Nov 2025 16:11:08 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id C9AFA16D312; Sun, 23 Nov 2025 00:03:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 7FF843223E6; Sun, 23 Nov 2025 00:03:46 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , "Edgar E. Iglesias" , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-7.2.22 24/25] hw/display/xlnx_dp: Don't abort for unsupported graphics formats Date: Sat, 22 Nov 2025 23:55:42 +0300 Message-ID: <20251122210344.48374-24-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846520300018900 From: Peter Maydell If the guest writes an invalid or unsupported value to the AV_BUF_FORMAT register, currently we abort(). Instead, log this as either a guest error or an unimplemented error and continue. The existing code treats DP_NL_VID_CB_Y0_CR_Y1 as x8b8g8r8 via a "case 0" that does not use the enum constant name for some reason; we leave that alone beyond adding a comment about the weird code. Documentation of this register seems to be at: https://docs.amd.com/r/en-US/ug1087-zynq-ultrascale-registers/AV_BUF_FORMAT= -DISPLAY_PORT-Register Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1415 Signed-off-by: Peter Maydell Reviewed-by: Edgar E. Iglesias Reviewed-by: Philippe Mathieu-Daud=C3=A9 Message-id: 20251106145209.1083998-3-peter.maydell@linaro.org (cherry picked from commit 032333eba77b83dfbd74071cc2971f0bda9a3d4f) Signed-off-by: Michael Tokarev diff --git a/hw/display/xlnx_dp.c b/hw/display/xlnx_dp.c index d5c6d19ab5..2cbbfeef59 100644 --- a/hw/display/xlnx_dp.c +++ b/hw/display/xlnx_dp.c @@ -662,14 +662,28 @@ static void xlnx_dp_change_graphic_fmt(XlnxDPState *s) case DP_GRAPHIC_BGR888: s->g_plane.format =3D PIXMAN_b8g8r8; break; + case DP_GRAPHIC_RGBA5551: + case DP_GRAPHIC_RGBA4444: + case DP_GRAPHIC_8BPP: + case DP_GRAPHIC_4BPP: + case DP_GRAPHIC_2BPP: + case DP_GRAPHIC_1BPP: + qemu_log_mask(LOG_UNIMP, "%s: unimplemented graphic format %u", + __func__, + s->avbufm_registers[AV_BUF_FORMAT] & DP_GRAPHIC_MASK= ); + s->g_plane.format =3D PIXMAN_r8g8b8a8; + break; default: - error_report("%s: unsupported graphic format %u", __func__, - s->avbufm_registers[AV_BUF_FORMAT] & DP_GRAPHIC_MASK); - abort(); + qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid graphic format %u", + __func__, + s->avbufm_registers[AV_BUF_FORMAT] & DP_GRAPHIC_MASK= ); + s->g_plane.format =3D PIXMAN_r8g8b8a8; + break; } =20 switch (s->avbufm_registers[AV_BUF_FORMAT] & DP_NL_VID_FMT_MASK) { case 0: + /* This is DP_NL_VID_CB_Y0_CR_Y1 ??? */ s->v_plane.format =3D PIXMAN_x8b8g8r8; break; case DP_NL_VID_Y0_CB_Y1_CR: @@ -678,10 +692,39 @@ static void xlnx_dp_change_graphic_fmt(XlnxDPState *s) case DP_NL_VID_RGBA8880: s->v_plane.format =3D PIXMAN_x8b8g8r8; break; + case DP_NL_VID_CR_Y0_CB_Y1: + case DP_NL_VID_Y0_CR_Y1_CB: + case DP_NL_VID_YV16: + case DP_NL_VID_YV24: + case DP_NL_VID_YV16CL: + case DP_NL_VID_MONO: + case DP_NL_VID_YV16CL2: + case DP_NL_VID_YUV444: + case DP_NL_VID_RGB888: + case DP_NL_VID_RGB888_10BPC: + case DP_NL_VID_YUV444_10BPC: + case DP_NL_VID_YV16CL2_10BPC: + case DP_NL_VID_YV16CL_10BPC: + case DP_NL_VID_YV16_10BPC: + case DP_NL_VID_YV24_10BPC: + case DP_NL_VID_Y_ONLY_10BPC: + case DP_NL_VID_YV16_420: + case DP_NL_VID_YV16CL_420: + case DP_NL_VID_YV16CL2_420: + case DP_NL_VID_YV16_420_10BPC: + case DP_NL_VID_YV16CL_420_10BPC: + case DP_NL_VID_YV16CL2_420_10BPC: + qemu_log_mask(LOG_UNIMP, "%s: unimplemented video format %u", + __func__, + s->avbufm_registers[AV_BUF_FORMAT] & DP_NL_VID_FMT_M= ASK); + s->v_plane.format =3D PIXMAN_x8b8g8r8; + break; default: - error_report("%s: unsupported video format %u", __func__, - s->avbufm_registers[AV_BUF_FORMAT] & DP_NL_VID_FMT_MA= SK); - abort(); + qemu_log_mask(LOG_UNIMP, "%s: invalid video format %u", + __func__, + s->avbufm_registers[AV_BUF_FORMAT] & DP_NL_VID_FMT_M= ASK); + s->v_plane.format =3D PIXMAN_x8b8g8r8; + break; } =20 xlnx_dp_recreate_surface(s); --=20 2.47.3 From nobody Tue Feb 10 00:40:57 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1763846616071702.0919933416707; Sat, 22 Nov 2025 13:23:36 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vMut7-0002A9-RG; Sat, 22 Nov 2025 16:11:22 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMut0-00028L-8O; Sat, 22 Nov 2025 16:11:14 -0500 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vMusp-0007iG-3T; Sat, 22 Nov 2025 16:11:11 -0500 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id DB2B616D313; Sun, 23 Nov 2025 00:03:35 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 939CD3223E7; Sun, 23 Nov 2025 00:03:46 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Peter Maydell , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Michael Tokarev Subject: [Stable-7.2.22 25/25] hw/misc/npcm_clk: Don't divide by zero when calculating frequency Date: Sat, 22 Nov 2025 23:55:43 +0300 Message-ID: <20251122210344.48374-25-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.3 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1763846616481018900 From: Peter Maydell If the guest misprograms the PLL registers to request a zero divisor, we currently fall over with a division by zero: ../../hw/misc/npcm_clk.c:221:14: runtime error: division by zero SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../hw/misc/npcm_= clk.c:221:14 Thread 1 "qemu-system-aar" received signal SIGFPE, Arithmetic exception. 0x00005555584d8f6d in npcm7xx_clk_update_pll (opaque=3D0x7fffed159a20) at .= ./../hw/misc/npcm_clk.c:221 221 freq /=3D PLLCON_INDV(con) * PLLCON_OTDV1(con) * PLLCON_OTD= V2(con); Avoid this by treating this invalid setting like a stopped clock (setting freq to 0). Cc: qemu-stable@nongnu.org Resolves: https://gitlab.com/qemu-project/qemu/-/issues/549 Signed-off-by: Peter Maydell Reviewed-by: Philippe Mathieu-Daud=C3=A9 Message-id: 20251107150137.1353532-1-peter.maydell@linaro.org (cherry picked from commit 5fc50b4ec841c8a01e7346c2c804088fc3accb6b) Signed-off-by: Michael Tokarev diff --git a/hw/misc/npcm7xx_clk.c b/hw/misc/npcm7xx_clk.c index bc2b879feb..6d86f54113 100644 --- a/hw/misc/npcm7xx_clk.c +++ b/hw/misc/npcm7xx_clk.c @@ -122,13 +122,14 @@ static void npcm7xx_clk_update_pll(void *opaque) { NPCM7xxClockPLLState *s =3D opaque; uint32_t con =3D s->clk->regs[s->reg]; - uint64_t freq; + uint64_t freq, freq_div; =20 /* The PLL is grounded if it is not locked yet. */ if (con & PLLCON_LOKI) { freq =3D clock_get_hz(s->clock_in); freq *=3D PLLCON_FBDV(con); - freq /=3D PLLCON_INDV(con) * PLLCON_OTDV1(con) * PLLCON_OTDV2(con); + freq_div =3D PLLCON_INDV(con) * PLLCON_OTDV1(con) * PLLCON_OTDV2(c= on); + freq =3D freq_div ? freq / freq_div : 0; } else { freq =3D 0; } --=20 2.47.3