Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into s…

…taging Block layer patches: - iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711) - AioContext fixes in QMP commands for backup and bitmaps - iotests fixes # gpg: Signature made Mon 27 Jan 2020 17:49:58 GMT # gpg: using RSA key 7F09B272C88F2FD6 # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>" [full] # Primary key fingerprint: DC3D EB15 9A9A F95D 3D74 56FE 7F09 B272 C88F 2FD6 * remotes/kevin/tags/for-upstream: iscsi: Don't access non-existent scsi_lba_status_descriptor iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711) block/backup: fix memory leak in bdrv_backup_top_append() iotests: Test handling of AioContexts with some blockdev actions blockdev: Return bs to the proper context on snapshot abort blockdev: Acquire AioContext on dirty bitmap functions block/backup-top: Don't acquire context while dropping top blockdev: honor bdrv_try_set_aio_context() context requirements blockdev: unify qmp_blockdev_backup and blockdev-backup transaction paths blockdev: unify qmp_drive_backup and drive-backup transaction paths blockdev: fix coding style issues in drive_backup_prepare iotests: Add more "skip_if_unsupported" statements to the python tests iotests.py: Let wait_migration wait even more Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
qemu · Jan 27, 2020 · 750fe59 · 750fe59
2 parents 105b07f + 5fbf1d5
commit 750fe59
Show file tree

Hide file tree

Showing 19 changed files with 510 additions and 239 deletions.
diff --git a/block/backup-top.c b/block/backup-top.c
@@ -196,7 +196,7 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source,
     }
 
     top->total_sectors = source->total_sectors;
-    top->opaque = state = g_new0(BDRVBackupTopState, 1);
+    state = top->opaque;
 
     bdrv_ref(target);
     state->target = bdrv_attach_child(top, target, "target", &child_file, errp);
@@ -255,9 +255,6 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source,
 void bdrv_backup_top_drop(BlockDriverState *bs)
 {
     BDRVBackupTopState *s = bs->opaque;
-    AioContext *aio_context = bdrv_get_aio_context(bs);
-
-    aio_context_acquire(aio_context);
 
     bdrv_drained_begin(bs);
 
@@ -271,6 +268,4 @@ void bdrv_backup_top_drop(BlockDriverState *bs)
     bdrv_drained_end(bs);
 
     bdrv_unref(bs);
-
-    aio_context_release(aio_context);
 }
diff --git a/block/backup.c b/block/backup.c
@@ -135,8 +135,11 @@ static void backup_abort(Job *job)
 static void backup_clean(Job *job)
 {
     BackupBlockJob *s = container_of(job, BackupBlockJob, common.job);
+    AioContext *aio_context = bdrv_get_aio_context(s->backup_top);
 
+    aio_context_acquire(aio_context);
     bdrv_backup_top_drop(s->backup_top);
+    aio_context_release(aio_context);
 }
 
 void backup_do_checkpoint(BlockJob *job, Error **errp)

diff --git a/block/iscsi.c b/block/iscsi.c
@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
     struct scsi_get_lba_status *lbas = NULL;
     struct scsi_lba_status_descriptor *lbasd = NULL;
     struct IscsiTask iTask;
-    uint64_t lba;
+    uint64_t lba, max_bytes;
     int ret;
 
     iscsi_co_init_iscsitask(iscsilun, &iTask);
@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
     }
 
     lba = offset / iscsilun->block_size;
+    max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
 
     qemu_mutex_lock(&iscsilun->mutex);
 retry:
@@ -752,7 +753,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
     }
 
     lbas = scsi_datain_unmarshall(iTask.task);
-    if (lbas == NULL) {
+    if (lbas == NULL || lbas->num_descriptors == 0) {
         ret = -EIO;
         goto out_unlock;
     }
@@ -764,7 +765,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
         goto out_unlock;
     }
 
-    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
+    *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
 
     if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {