Commits
stable-5.0-sta…
Name already in use
Commits on Sep 15, 2020
-
riscv: sifive_test: Allow 16-bit writes to memory region
When shutting down the machine running a mainline Linux kernel, the following error happens: $ build/riscv64-softmmu/qemu-system-riscv64 -bios default -M virt \ -display none -initrd rootfs.cpio -kernel Image -m 512m \ -nodefaults -serial mon:stdio ... Requesting system poweroff [ 4.999630] reboot: Power down sbi_trap_error: hart0: trap handler failed (error -2) sbi_trap_error: hart0: mcause=0x0000000000000007 mtval=0x0000000000100000 sbi_trap_error: hart0: mepc=0x000000008000d4cc mstatus=0x0000000000001822 sbi_trap_error: hart0: ra=0x000000008000999e sp=0x0000000080015c78 sbi_trap_error: hart0: gp=0xffffffe000e76610 tp=0xffffffe0081b89c0 sbi_trap_error: hart0: s0=0x0000000080015c88 s1=0x0000000000000040 sbi_trap_error: hart0: a0=0x0000000000000000 a1=0x0000000080004024 sbi_trap_error: hart0: a2=0x0000000080004024 a3=0x0000000080004024 sbi_trap_error: hart0: a4=0x0000000000100000 a5=0x0000000000005555 sbi_trap_error: hart0: a6=0x0000000000004024 a7=0x0000000080011158 sbi_trap_error: hart0: s2=0x0000000000000000 s3=0x0000000080016000 sbi_trap_error: hart0: s4=0x0000000000000000 s5=0x0000000000000000 sbi_trap_error: hart0: s6=0x0000000000000001 s7=0x0000000000000000 sbi_trap_error: hart0: s8=0x0000000000000000 s9=0x0000000000000000 sbi_trap_error: hart0: s10=0x0000000000000000 s11=0x0000000000000008 sbi_trap_error: hart0: t0=0x0000000000000000 t1=0x0000000000000000 sbi_trap_error: hart0: t2=0x0000000000000000 t3=0x0000000000000000 sbi_trap_error: hart0: t4=0x0000000000000000 t5=0x0000000000000000 sbi_trap_error: hart0: t6=0x0000000000000000 The kernel does a 16-bit write when powering off the machine, which was allowed before commit 5d971f9 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid""). Make min_access_size match reality so that the machine can shut down properly now. Cc: qemu-stable@nongnu.org Fixes: 88a0799 ("SiFive RISC-V Test Finisher") Fixes: 5d971f9 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"") Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-Id: <20200901055822.2721209-1-natechancellor@gmail.com> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> (cherry picked from commit ab3d207) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commits on Sep 10, 2020
-
virtio-ccw: fix virtio_set_ind_atomic
The atomic_cmpxchg() loop is broken because we occasionally end up with old and _old having different values (a legit compiler can generate code that accessed *ind_addr again to pick up a value for _old instead of using the value of old that was already fetched according to the rules of the abstract machine). This means the underlying CS instruction may use a different old (_old) than the one we intended to use if atomic_cmpxchg() performed the xchg part. Let us use volatile to force the rules of the abstract machine for accesses to *ind_addr. Let us also rewrite the loop so, we that the new old is used to compute the new desired value if the xchg part is not performed. Fixes: 7e74946 ("s390x/virtio-ccw: Adapter interrupt support.") Reported-by: Andre Wild <Andre.Wild1@ibm.com> Signed-off-by: Halil Pasic <pasic@linux.ibm.com> Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com> Message-Id: <20200616045035.51641-2-pasic@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com> (cherry picked from commit 1a8242f) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
nvram: Exit QEMU if NVRAM cannot contain all -prom-env data
Since commit 61f20b9 ("spapr_nvram: Pre-initialize the NVRAM to support the -prom-env parameter"), pseries machines can pre-initialize the "system" partition in the NVRAM with the data passed to all -prom-env parameters on the QEMU command line. In this case it is assumed that all the data fits in 64 KiB, but the user can easily pass more and crash QEMU: $ qemu-system-ppc64 -M pseries $(for ((x=0;x<128;x++)); do \ echo -n " -prom-env " ; printf "%0.sx" {1..1024}; \ done) # this requires ~128 Kib malloc(): corrupted top size Aborted (core dumped) This happens because we don't check if all the prom-env data fits in the NVRAM and chrp_nvram_set_var() happily memcpy() it passed the buffer. This crash affects basically all ppc/ppc64 machine types that use -prom-env: - pseries (all versions) - g3beige - mac99 and also sparc/sparc64 machine types: - LX - SPARCClassic - SPARCbook - SS-10 - SS-20 - SS-4 - SS-5 - SS-600MP - Voyager - sun4u - sun4v Add a max_len argument to chrp_nvram_create_system_partition() so that it can check the available size before writing to memory. Since NVRAM is populated at machine init, it seems reasonable to consider this error as fatal. So, instead of reporting an error when we detect that the NVRAM is too small and adapt all machine types to handle it, we simply exit QEMU in all cases. This is still better than crashing. If someone wants another behavior, I guess this can be reworked later. Tested with: $ yes q | \ (for arch in ppc ppc64 sparc sparc64; do \ echo == $arch ==; \ qemu=${arch}-softmmu/qemu-system-$arch; \ for mach in $($qemu -M help | awk '! /^Supported/ { print $1 }'); do \ echo $mach; \ $qemu -M $mach -monitor stdio -nodefaults -nographic \ $(for ((x=0;x<128;x++)); do \ echo -n " -prom-env " ; printf "%0.sx" {1..1024}; \ done) >/dev/null; \ done; echo; \ done) Without the patch, affected machine types cause QEMU to report some memory corruption and crash: malloc(): corrupted top size free(): invalid size *** stack smashing detected ***: terminated With the patch, QEMU prints the following message and exits: NVRAM is too small. Try to pass less data to -prom-env It seems that the conditions for the crash have always existed, but it affects pseries, the machine type I care for, since commit 61f20b9 only. Fixes: 61f20b9 ("spapr_nvram: Pre-initialize the NVRAM to support the -prom-env parameter") RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1867739 Reported-by: John Snow <jsnow@redhat.com> Reviewed-by: Laurent Vivier <laurent@vivier.eu> Signed-off-by: Greg Kurz <groug@kaod.org> Message-Id: <159736033937.350502.12402444542194031035.stgit@bahia.lan> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> (cherry picked from commit 37035df) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commits on Sep 9, 2020
-
9p: null terminate fs driver options list
NULL terminate fs driver options' list, validate_opt() looks for a null entry to terminate the loop. Fixes: aee7f3e ("fsdev: Error out when unsupported option is passed") Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Reviewed-by: Li Qiang <liq3ea@gmail.com> Message-Id: <20200709175848.650400-1-ppandit@redhat.com> Signed-off-by: Greg Kurz <groug@kaod.org> (cherry picked from commit 353b5a9) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
usb: fix setup_len init (CVE-2020-14364)
Store calculated setup_len in a local variable, verify it, and only write it to the struct (USBDevice->setup_len) in case it passed the sanity checks. This prevents other code (do_token_{in,out} functions specifically) from working with invalid USBDevice->setup_len values and overrunning the USBDevice->setup_buf[] buffer. Fixes: CVE-2020-14364 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Tested-by: Gonglei <arei.gonglei@huawei.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Message-id: 20200825053636.29648-1-kraxel@redhat.com (cherry picked from commit b946434) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> -
hw/arm/sbsa-ref: fix typo breaking PCIe IRQs
Fixing a typo in a previous patch that translated an "i" to a 1 and therefore breaking the allocation of PCIe interrupts. This was discovered when virtio-net-pci devices ceased to function correctly. Cc: qemu-stable@nongnu.org Fixes: 48ba18e ("hw/arm/sbsa-ref: Simplify by moving the gic in the machine state") Signed-off-by: Graeme Gregory <graeme@nuviainc.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20200821083853.356490-1-graeme@nuviainc.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org> (cherry picked from commit 870f005) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
virtio-net: align RSC fields with updated virtio-net header
Removal of duplicated RSC definitions. Changing names of the fields to ones defined in the Linux header. Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit dd3d85e) Conflicts: hw/net/virtio-net.c *drop context dep. on 5907902 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
nbd: Fix large trim/zero requests
Although qemu as NBD client limits requests to <2G, the NBD protocol allows clients to send requests almost all the way up to 4G. But because our block layer is not yet 64-bit clean, we accidentally wrap such requests into a negative size, and fail with EIO instead of performing the intended operation. The bug is visible in modern systems with something as simple as: $ qemu-img create -f qcow2 /tmp/image.img 5G $ sudo qemu-nbd --connect=/dev/nbd0 /tmp/image.img $ sudo blkdiscard /dev/nbd0 or with user-space only: $ truncate --size=3G file $ qemu-nbd -f raw file $ nbdsh -u nbd://localhost:10809 -c 'h.trim(3*1024*1024*1024,0)' Although both blk_co_pdiscard and blk_pwrite_zeroes currently return 0 on success, this is also a good time to fix our code to a more robust paradigm that treats all non-negative values as success. Alas, our iotests do not currently make it easy to add external dependencies on blkdiscard or nbdsh, so we have to rely on manual testing for now. This patch can be reverted when we later improve the overall block layer to be 64-bit clean, but for now, a minimal fix was deemed less risky prior to release. CC: qemu-stable@nongnu.org Fixes: 1f4d6d1 Fixes: 1c6c4bb Fixes: systemd/systemd#16242 Signed-off-by: Eric Blake <eblake@redhat.com> Message-Id: <20200722212231.535072-1-eblake@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> [eblake: rework success tests to use >=0] (cherry picked from commit 890cbcc) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
iotests/028: Add test for cross-base-EOF reads
Signed-off-by: Max Reitz <mreitz@redhat.com> Message-Id: <20200728120806.265916-3-mreitz@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Tested-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Tested-by: Claudio Fontana <cfontana@suse.de> (cherry picked from commit ae15945) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
block: Fix bdrv_aligned_p*v() for qiov_offset != 0
Since these functions take a @qiov_offset, they must always take it into account when working with @qiov. There are a couple of places where they do not, but they should. Fixes: 65cd442 ("block/io: bdrv_aligned_preadv: use and support qiov_offset") Fixes: 28c4da2 ("block/io: bdrv_aligned_pwritev: use and support qiov_offset") Reported-by: Claudio Fontana <cfontana@suse.de> Reported-by: Bruce Rogers <brogers@suse.com> Cc: qemu-stable@nongnu.org Signed-off-by: Max Reitz <mreitz@redhat.com> Message-Id: <20200728120806.265916-2-mreitz@redhat.com> Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Tested-by: Claudio Fontana <cfontana@suse.de> Tested-by: Bruce Rogers <brogers@suse.com> (cherry picked from commit 134b7de) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
migration/block-dirty-bitmap: fix dirty_bitmap_mig_before_vm_start
Using the _locked version of bdrv_enable_dirty_bitmap to bypass locking is wrong as we do not already own the mutex. Moreover, the adjacent call to bdrv_dirty_bitmap_enable_successor grabs the mutex. Fixes: 58f72b965e9e1q Cc: qemu-stable@nongnu.org # v3.0 Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> Reviewed-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com> Reviewed-by: Eric Blake <eblake@redhat.com> Message-Id: <20200727194236.19551-8-vsementsov@virtuozzo.com> Signed-off-by: Eric Blake <eblake@redhat.com> (cherry picked from commit e6ce5e9) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
Update OpenBIOS images to 7f28286f built from submodule.
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk> Cc: qemu-stable@nongnu.org (cherry picked from commit 54414d0) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
libvhost-user: Report descriptor index on panic
We want to report the index of the descriptor, not its pointer. Fixes: 7b2e5c6 ("contrib: add libvhost-user") Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20200723171935.18535-1-philmd@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Raphael Norwitz <raphael.norwitz@nutanix.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 8fe9805) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
virtio-pci: Changed vdev to proxy for VirtIO PCI BAR callbacks.
There is an issue when callback may be called with invalid vdev. It happens on unplug when vdev already deleted and VirtIOPciProxy is not. So now, callbacks accept proxy device, and vdev retrieved from it. Technically memio callbacks should be removed during the flatview update, but memoryregions remain til PCI device(and it's address space) completely deleted. Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1716352 Signed-off-by: Andrew Melnychenko <andrew@daynix.com> Message-Id: <20200706112123.971087-1-andrew@daynix.com> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit ccec7e9) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
intel_iommu: Use correct shift for 256 bits qi descriptor
In chapter 10.4.23 of VT-d spec 3.0, Descriptor Width bit was introduced in VTD_IQA_REG. Software could set this bit to tell VT-d the QI descriptor from software would be 256 bits. Accordingly, the VTD_IQH_QH_SHIFT should be 5 when descriptor size is 256 bits. This patch adds the DW bit check when deciding the shift used to update VTD_IQH_REG. Signed-off-by: Liu Yi L <yi.l.liu@intel.com> Message-Id: <1593850035-35483-1-git-send-email-yi.l.liu@intel.com> Reviewed-by: Peter Xu <peterx@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit a4544c4) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Commits on Sep 3, 2020
-
virtio-balloon: Replace free page hinting references to 'report' with…
… 'hint' Recently a feature named Free Page Reporting was added to the virtio balloon. In order to avoid any confusion we should drop the use of the word 'report' when referring to Free Page Hinting. So what this patch does is go through and replace all instances of 'report' with 'hint" when we are referring to free page hinting. Acked-by: David Hildenbrand <david@redhat.com> Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> Message-Id: <20200720175128.21935.93927.stgit@localhost.localdomain> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 3219b42) Conflicts: hw/virtio/virtio-balloon.c include/hw/virtio/virtio-balloon.h *drop context deps on 91b8671 and 7483cbb Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
linux-headers: update against Linux 5.7-rc3
commit 6a8b55ed4056ea5559ebe4f6a4b247f627870d4c Reviewed-by: Michael S. Tsirkin <mst@redhat.com> # virtio/vhost parts Signed-off-by: Cornelia Huck <cohuck@redhat.com> Message-Id: <20200427102415.10915-3-cohuck@redhat.com> (cherry picked from commit dc6f8d4) *dep for 3219b42 Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
virtio-balloon: always indicate S_DONE when migration fails
If something goes wrong during precopy, before stopping the VM, we will never send a S_DONE indication to the VM, resulting in the hinted pages not getting released to be used by the guest OS (e.g., Linux). Easy to reproduce: 1. Start migration (e.g., HMP "migrate -d 'exec:gzip -c > STATEFILE.gz'") 2. Cancel migration (e.g., HMP "migrate_cancel") 3. Oberve in the guest (e.g., cat /proc/meminfo) that there is basically no free memory left. While at it, add similar locking to virtio_balloon_free_page_done() as done in virtio_balloon_free_page_stop. Locking is still weird, but that has to be sorted out separately. There is nothing to do in the PRECOPY_NOTIFY_COMPLETE case. Add some comments regarding S_DONE handling. Fixes: c13c415 ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT") Reviewed-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> Cc: Wei Wang <wei.w.wang@intel.com> Cc: Alexander Duyck <alexander.duyck@gmail.com> Signed-off-by: David Hildenbrand <david@redhat.com> Message-Id: <20200629080615.26022-1-david@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit dd8eeb9) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
virtio-balloon: Add locking to prevent possible race when starting hi…
…nting There is already locking in place when we are stopping free page hinting but there is not similar protections in place when we start. I can only assume this was overlooked as in most cases the page hinting should not be occurring when we are starting the hinting, however there is still a chance we could be processing hints by the time we get back around to restarting the hinting so we are better off making sure to protect the state with the mutex lock rather than just updating the value with no protections. Based on feedback from Peter Maydell this issue had also been spotted by Coverity: CID 1430269 Acked-by: David Hildenbrand <david@redhat.com> Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> Message-Id: <20200720175122.21935.78013.stgit@localhost.localdomain> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 1a83e0b) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
virtio-balloon: Prevent guest from starting a report when we didn't r…
…equest one Based on code review it appears possible for the driver to force the device out of a stopped state when hinting by repeating the last ID it was provided. Prevent this by only allowing a transition to the start state when we are in the requested state. This way the driver is only allowed to send one descriptor that will transition the device into the start state. All others will leave it in the stop state once it has finished. Fixes: c13c415 ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT") Acked-by: David Hildenbrand <david@redhat.com> Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com> Message-Id: <20200720175115.21935.99563.stgit@localhost.localdomain> Cc: qemu-stable@nongnu.org Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> (cherry picked from commit 20a4da0) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
qdev: Fix device_add DRIVER,help to print to monitor
Help on device properties gets printed to stdout instead of the monitor. If you have the monitor anywhere else, no help for you. Broken when commit e1043d6 "qdev: use object_property_help()" accidentally switched from qemu_printf() to printf(). Switch right back. Fixes: e1043d6 Cc: Marc-André Lureau <marcandre.lureau@redhat.com> Cc: qemu-stable@nongnu.org Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20200714160202.3121879-2-armbru@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Li Qiang <liq3ea@gmail.com> Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> (cherry picked from commit 029afc4) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
tests: tpm: Skip over pcrUpdateCounter byte in result comparison
The TPM 2 code in libtpms was fixed to handle the PCR 'TCB group' according to the PCClient profile. The change of the PCRs belonging to the 'TCB group' now affects the pcrUpdateCounter in the TPM2_PCRRead() responses where its value is now different (typically lower by '1') than what it was before. To not fail the tests, we skip the comparison of the 14th byte, which represents the pcrUpdateCounter. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 20200707201625.4177419-3-stefanb@linux.vnet.ibm.com (cherry picked from commit df8a756) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
tpm: tpm_spapr: Exit on TPM backend failures
Exit on TPM backend failures in the same way as the TPM CRB and TIS device models do. With this change we now get an error report when the backend did not start up properly: error: internal error: qemu unexpectedly closed the monitor: 2020-07-07T12:49:28.333928Z qemu-system-ppc64: tpm-emulator: \ TPM result for CMD_INIT: 0x101 operation failed Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-id: 20200707201625.4177419-2-stefanb@linux.vnet.ibm.com (cherry picked from commit f8b332a) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
target/hppa: Free some temps in do_sub
Two temps allocated but not freed. Do enough subtractions within a single TB and one can run out of temps entirely. Fixes: b216745 ("target-hppa: Implement basic arithmetic") Buglink: https://bugs.launchpad.net/qemu/+bug/1880287 Tested-by: Sven Schnelle <svens@stackframe.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20200720174039.517902-1-richard.henderson@linaro.org> (cherry picked from commit 79826f9) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
Only move the state machine to ReceivingData if there is no pending error. This avoids later OOB access while processing commands queued. "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" 4.3.3 Data Read Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed. 4.3.4 Data Write Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed. WP_VIOLATION errors are not modified: the error bit is set, we stay in receive-data state, wait for a stop command. All further data transfer is ignored. See the check on sd->card_status at the beginning of sd_read_data() and sd_write_data(). Fixes: CVE-2020-13253 Cc: qemu-stable@nongnu.org Reported-by: Alexander Bulekov <alxndr@bu.edu> Buglink: https://bugs.launchpad.net/qemu/+bug/1880822 Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-Id: <20200630133912.9428-6-f4bug@amsat.org> (cherry picked from commit 790762e) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
hw/sd/sdcard: Update coding style to make checkpatch.pl happy
To make the next commit easier to review, clean this code first. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20200630133912.9428-3-f4bug@amsat.org> (cherry picked from commit 794d68d) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
hw/sd/sdcard: Do not allow invalid SD card sizes
QEMU allows to create SD card with unrealistic sizes. This could work, but some guests (at least Linux) consider sizes that are not a power of 2 as a firmware bug and fix the card size to the next power of 2. While the possibility to use small SD card images has been seen as a feature, it became a bug with CVE-2020-13253, where the guest is able to do OOB read/write accesses past the image size end. In a pair of commits we will fix CVE-2020-13253 as: Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed. Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR occurred and no data transfer is performed. WP_VIOLATION errors are not modified: the error bit is set, we stay in receive-data state, wait for a stop command. All further data transfer is ignored. See the check on sd->card_status at the beginning of sd_read_data() and sd_write_data(). While this is the correct behavior, in case QEMU create smaller SD cards, guests still try to access past the image size end, and QEMU considers this is an invalid address, thus "all further data transfer is ignored". This is wrong and make the guest looping until eventually timeouts. Fix by not allowing invalid SD card sizes (suggesting the expected size as a hint): $ qemu-system-arm -M orangepi-pc -drive file=rootfs.ext2,if=sd,format=raw qemu-system-arm: Invalid SD card size: 60 MiB SD card size has to be a power of 2, e.g. 64 MiB. You can resize disk images with 'qemu-img resize <imagefile> <new-size>' (note that this will lose data if you make the image smaller than it currently is). Cc: qemu-stable@nongnu.org Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Message-Id: <20200713183209.26308-8-f4bug@amsat.org> (cherry picked from commit a9bcedd) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
hw/sd/sdcard: Simplify realize() a bit
We don't need to check if sd->blk is set twice. Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-Id: <20200630133912.9428-18-f4bug@amsat.org> (cherry picked from commit 6dd3a16) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
hw/sd/sdcard: Restrict Class 6 commands to SCSD cards
Only SCSD cards support Class 6 (Block Oriented Write Protection) commands. "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" 4.3.14 Command Functional Difference in Card Capacity Types * Write Protected Group SDHC and SDXC do not support write-protected groups. Issuing CMD28, CMD29 and CMD30 generates the ILLEGAL_COMMAND error. Cc: qemu-stable@nongnu.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Message-Id: <20200630133912.9428-7-f4bug@amsat.org> (cherry picked from commit 9157dd5) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
tests/acceptance/boot_linux: Expand SD card image to power of 2
In few commits we won't allow SD card images with invalid size (not aligned to a power of 2). Prepare the tests: add the pow2ceil() and image_pow2ceil_expand() methods and resize the images (expanding) of the tests using SD cards. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Cleber Rosa <crosa@redhat.com> Message-Id: <20200713183209.26308-5-f4bug@amsat.org> (cherry picked from commit 6a289a5) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
tests/acceptance: refactor boot_linux_console test to allow code reuse
This patch splits code in BootLinuxConsole class into two different classes to allow reusing it by record/replay tests. Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <159073588490.20809.13942096070255577558.stgit@pasha-ThinkPad-X280> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> (cherry picked from commit 12121c4) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
tests/acceptance: refactor boot_linux to allow code reuse
This patch moves image downloading functions to the separate class to allow reusing them from record/replay tests. Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <159073593167.20809.17582679291556188984.stgit@pasha-ThinkPad-X280> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> (cherry picked from commit 1c80c87) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
tests/acceptance: allow console interaction with specific VMs
Console interaction in avocado scripts was possible only with single default VM. This patch modifies the function parameters to allow passing a specific VM as a parameter to interact with it. Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru> Reviewed-by: Willian Rampazzo <willianr@redhat.com> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <159073587933.20809.5122618715976660635.stgit@pasha-ThinkPad-X280> Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> (cherry picked from commit a5ba86d) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-
tests/acceptance/boot_linux: Tag tests using a SD card with 'device:sd'
Avocado tags are handy to automatically select tests matching the tags. Since these tests use a SD card, tag them. We can run all the tests using a SD card at once with: $ avocado --show=app run -t u-boot tests/acceptance/ $ AVOCADO_ALLOW_LARGE_STORAGE=ok \ avocado --show=app \ run -t device:sd tests/acceptance/ Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_sd Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_bionic Fetching asset from tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9 (1/3) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_sd: PASS (19.56 s) (2/3) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_bionic: PASS (49.97 s) (3/3) tests/acceptance/boot_linux_console.py:BootLinuxConsole.test_arm_orangepi_uboot_netbsd9: PASS (20.06 s) RESULTS : PASS 3 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0 JOB TIME : 90.02 s Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Reviewed-by: Cleber Rosa <crosa@redhat.com> Tested-by: Cleber Rosa <crosa@redhat.com> Message-Id: <20200713183209.26308-4-f4bug@amsat.org> (cherry picked from commit b7dcbf1) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> -
docs/orangepi: Add instructions for resizing SD image to power of two
SD cards need to have a size of a power of two. Update the Orange Pi machine documentation to include instructions for resizing downloaded images using the qemu-img command. Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-Id: <20200712183708.15450-1-nieklinnenbank@gmail.com> Reviewed-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> (cherry picked from commit 1c2329b) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>