Fix 9pfs xattrs on kernel 3.11 (bz #1013676)
parent
ca009fd076
commit
c2ae918774
@ -1,7 +1,23 @@
|
||||
diff -ur qemu-1.4.2.old/target-ppc/translate_init.c qemu-1.4.2/target-ppc/translate_init.c
|
||||
--- qemu-1.4.2.old/target-ppc/translate_init.c 2013-05-24 14:37:58.000000000 +0100
|
||||
+++ qemu-1.4.2/target-ppc/translate_init.c 2013-09-05 09:53:58.787648890 +0100
|
||||
@@ -6738,6 +6738,10 @@
|
||||
From f8028b0aa2318fc10df39c8dec1353b91e1597be Mon Sep 17 00:00:00 2001
|
||||
From: Anton Blanchard <anton@samba.org>
|
||||
Date: Wed, 1 May 2013 00:44:51 +0000
|
||||
Subject: [PATCH] target-ppc: Add read and write of PPR SPR
|
||||
|
||||
Recent Linux kernels save and restore the PPR across exceptions
|
||||
so we need to handle it.
|
||||
|
||||
Signed-off-by: Anton Blanchard <anton@au1.ibm.com>
|
||||
Signed-off-by: Alexander Graf <agraf@suse.de>
|
||||
(cherry picked from commit 04559d5210860ea5853db09c75ea8ff2f8843e16)
|
||||
---
|
||||
target-ppc/translate_init.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
|
||||
index 88d9dfa..7e46fdc 100644
|
||||
--- a/target-ppc/translate_init.c
|
||||
+++ b/target-ppc/translate_init.c
|
||||
@@ -6738,6 +6738,10 @@ static void init_proc_POWER7 (CPUPPCState *env)
|
||||
&spr_read_generic, &spr_write_generic,
|
||||
&spr_read_generic, &spr_write_generic,
|
||||
0x00000000);
|
||||
|
@ -1,4 +1,4 @@
|
||||
From d7a39084ead4274e58f01b713676e34242cbe2a1 Mon Sep 17 00:00:00 2001
|
||||
From 95a8ab8e74cdf9140601b436edc9b7240ef2f8d4 Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Thu, 5 Sep 2013 21:57:19 +0200
|
||||
Subject: [PATCH] qxl: fix local renderer
|
||||
@ -18,10 +18,7 @@ memory location.
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=948717
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
|
||||
cherry-picked from c58c7b959b93b864a27fd6b3646ee1465ab8832b
|
||||
applied cleanly to hw/qxl-render.c (upstream renamed to
|
||||
hw/display/qxl-render.c)
|
||||
(cherry picked from commit c58c7b959b93b864a27fd6b3646ee1465ab8832b)
|
||||
---
|
||||
hw/qxl-render.c | 15 ++++++++++-----
|
||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||
@ -66,6 +63,3 @@ index 455fb91..fe21b18 100644
|
||||
for (i = 0; i < qxl->num_dirty_rects; i++) {
|
||||
if (qemu_spice_rect_is_empty(qxl->dirty+i)) {
|
||||
break;
|
||||
--
|
||||
1.8.3.1
|
||||
|
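--- a/0318-scsi-Allocate-SCSITargetReq-r-buf-dynamically.patch
+++ b/0318-scsi-Allocate-SCSITargetReq-r-buf-dynamically.patch
@@ -0,0 +1,155 @@
+From e2fbed46dae80551daf1b8269cab5f6b586bd0d7 Mon Sep 17 00:00:00 2001
+From: Asias He <asias@redhat.com>
+Date: Fri, 13 Sep 2013 14:56:55 +0800
+Subject: [PATCH] scsi: Allocate SCSITargetReq r->buf dynamically
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1007330
+Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=6282465
+
+This is the backport of the following commit. The patch is not
+sent public since it is a embargoed bug.
+
+r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at
+most. If more than 256 luns are specified by user, we have buffer
+overflow in scsi_target_emulate_report_luns.
+
+To fix, we allocate the buffer dynamically.
+
+Signed-off-by: Asias He <asias@redhat.com>
+
+Signed-off-by: Asias He <asias@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+*s/&r->buf/r->buf/ due to type change
+
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+(cherry picked from commit fdcbe7d587a64dec0db0d3c9a3b230c39efbfeef)
+---
+hw/scsi-bus.c | 44 +++++++++++++++++++++++++++++++++-----------
+hw/scsi.h | 2 ++
+2 files changed, 35 insertions(+), 11 deletions(-)
+
+diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
+index 01e1dec..54c9596 100644
+--- a/hw/scsi-bus.c
++++ b/hw/scsi-bus.c
+@@ -11,6 +11,8 @@ static char *scsibus_get_dev_path(DeviceState *dev);
+static char *scsibus_get_fw_dev_path(DeviceState *dev);
+static int scsi_req_parse(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf);
+static void scsi_req_dequeue(SCSIRequest *req);
++static uint8_t *scsi_target_alloc_buf(SCSIRequest *req, size_t len);
++static void scsi_target_free_buf(SCSIRequest *req);
+
+static Property scsi_props[] = {
+DEFINE_PROP_UINT32("channel", SCSIDevice, channel, 0),
+@@ -304,7 +306,8 @@ typedef struct SCSITargetReq SCSITargetReq;
+struct SCSITargetReq {
+SCSIRequest req;
+int len;
+- uint8_t buf[2056];
++ uint8_t *buf;
++ int buf_len;
+};
+
+static void store_lun(uint8_t *outbuf, int lun)
+@@ -348,14 +351,12 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
+if (!found_lun0) {
+n += 8;
+}
+- len = MIN(n + 8, r->req.cmd.xfer & ~7);
+- if (len > sizeof(r->buf)) {
+- /* TODO: > 256 LUNs? */
+- return false;
+- }
+
++ scsi_target_alloc_buf(&r->req, n + 8);
++
++ len = MIN(n + 8, r->req.cmd.xfer & ~7);
+memset(r->buf, 0, len);
+- stl_be_p(&r->buf, n);
++ stl_be_p(r->buf, n);
+i = found_lun0 ? 8 : 16;
+QTAILQ_FOREACH(kid, &r->req.bus->qbus.children, sibling) {
+DeviceState *qdev = kid->child;
+@@ -374,6 +375,9 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
+static bool scsi_target_emulate_inquiry(SCSITargetReq *r)
+{
+assert(r->req.dev->lun != r->req.lun);
++
++ scsi_target_alloc_buf(&r->req, SCSI_INQUIRY_LEN);
++
+if (r->req.cmd.buf[1] & 0x2) {
+/* Command support data - optional, not implemented */
+return false;
+@@ -398,7 +402,7 @@ static bool scsi_target_emulate_inquiry(SCSITargetReq *r)
+return false;
+}
+/* done with EVPD */
+- assert(r->len < sizeof(r->buf));
++ assert(r->len < r->buf_len);
+r->len = MIN(r->req.cmd.xfer, r->len);
+return true;
+}
+@@ -442,8 +446,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
+}
+break;
+case REQUEST_SENSE:
+- r->len = scsi_device_get_sense(r->req.dev, r->buf,
+- MIN(req->cmd.xfer, sizeof r->buf),
++ scsi_target_alloc_buf(&r->req, SCSI_SENSE_LEN);
++ r->len = scsi_device_get_sense(r->req.dev, r->buf, r->buf_len,
+(req->cmd.buf[1] & 1) == 0);
+if (r->req.dev->sense_is_ua) {
+scsi_device_unit_attention_reported(req->dev);
+@@ -488,11 +492,29 @@ static uint8_t *scsi_target_get_buf(SCSIRequest *req)
+return r->buf;
+}
+
++static uint8_t *scsi_target_alloc_buf(SCSIRequest *req, size_t len)
++{
++ SCSITargetReq *r = DO_UPCAST(SCSITargetReq, req, req);
++
++ r->buf = g_malloc(len);
++ r->buf_len = len;
++
++ return r->buf;
++}
++
++static void scsi_target_free_buf(SCSIRequest *req)
++{
++ SCSITargetReq *r = DO_UPCAST(SCSITargetReq, req, req);
++
++ g_free(r->buf);
++}
++
+static const struct SCSIReqOps reqops_target_command = {
+.size = sizeof(SCSITargetReq),
+.send_command = scsi_target_send_command,
+.read_data = scsi_target_read_data,
+.get_buf = scsi_target_get_buf,
++ .free_req = scsi_target_free_buf,
+};
+
+
+@@ -1348,7 +1370,7 @@ int scsi_build_sense(uint8_t *in_buf, int in_len,
+buf[7] = 10;
+buf[12] = sense.asc;
+buf[13] = sense.ascq;
+- return MIN(len, 18);
++ return MIN(len, SCSI_SENSE_LEN);
+} else {
+/* Return descriptor format sense buffer */
+buf[0] = 0x72;
+diff --git a/hw/scsi.h b/hw/scsi.h
+index a5b5b2e..d6028bf 100644
+--- a/hw/scsi.h
++++ b/hw/scsi.h
+@@ -9,6 +9,8 @@
+#define MAX_SCSI_DEVS 255
+
+#define SCSI_CMD_BUF_SIZE 16
++#define SCSI_SENSE_LEN 18
++#define SCSI_INQUIRY_LEN 36
+
+typedef struct SCSIBus SCSIBus;
+typedef struct SCSIBusInfo SCSIBusInfo;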
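Review bot: In the REQUEST_SENSE case of scsi_target_send_command the bound passed to scsi_device_get_sense() is now `r->buf_len` alone, so the clamp to the guest's allocation length that the removed `MIN(req->cmd.xfer, sizeof r->buf)` provided is gone and `r->len` can come back as up to SCSI_SENSE_LEN bytes even when `req->cmd.xfer` is smaller. Whether `r->len` is clamped again later is outside this hunk, so the bound is better kept at the call: `r->len = scsi_device_get_sense(r->req.dev, r->buf, MIN(req->cmd.xfer, r->buf_len),`. Separately, scsi_target_alloc_buf() overwrites `r->buf` without releasing an earlier allocation, and scsi_target_free_buf() runs `g_free(r->buf)` for every target request, including commands that never allocate, which presumably relies on the request being zero-initialised elsewhere. A comment on the helper such as `/* Called at most once per request; r->buf is NULL until then and is released by free_req. */` would make that ownership rule explicit, and `buf_len` would be safer declared as `size_t` to match the `len` it receives.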
@ -0,0 +1,42 @@
|
||||
From 5ba99e361671bc22bfc3ce45d866826f297e25b7 Mon Sep 17 00:00:00 2001
|
||||
From: Gabriel de Perthuis <g2p.code@gmail.com>
|
||||
Date: Fri, 10 May 2013 19:53:28 +0200
|
||||
Subject: [PATCH] hw/9pfs: Be robust against paths without FS_IOC_GETVERSION
|
||||
|
||||
9P optionally uses the FS_IOC_GETVERSION ioctl to get information about
|
||||
a file's version (sometimes called generation number).
|
||||
|
||||
The code checks for supported filesystems at mount time, but some paths
|
||||
may come from other mounted filesystems.
|
||||
|
||||
Change it to treat unsupported paths the same as unsupported
|
||||
filesystems, returning 0 in both cases.
|
||||
|
||||
Note: ENOTTY is the error code for an unsupported ioctl.
|
||||
|
||||
This fix allows booting a linux kernel with the same / filesystem as the
|
||||
host; otherwise the boot fails when mounting devtmpfs.
|
||||
|
||||
Signed-off-by: Gabriel de Perthuis <g2p.code@gmail.com>
|
||||
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
|
||||
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
|
||||
(cherry picked from commit db431f6adc881a0758512cd765b3108209013512)
|
||||
---
|
||||
hw/9pfs/cofile.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/hw/9pfs/cofile.c b/hw/9pfs/cofile.c
|
||||
index 2efebf3..194c130 100644
|
||||
--- a/hw/9pfs/cofile.c
|
||||
+++ b/hw/9pfs/cofile.c
|
||||
@@ -38,6 +38,10 @@ int v9fs_co_st_gen(V9fsPDU *pdu, V9fsPath *path, mode_t st_mode,
|
||||
});
|
||||
v9fs_path_unlock(s);
|
||||
}
|
||||
+ /* The ioctl may not be supported depending on the path */
|
||||
+ if (err == -ENOTTY) {
|
||||
+ err = 0;
|
||||
+ }
|
||||
return err;
|
||||
}
|
||||
|
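Review bot: The added branch in v9fs_co_st_gen turns `-ENOTTY` into a plain success, so a caller can no longer tell an unsupported ioctl from one that actually filled in the generation number. The start of the function and its callers are outside the hunk, so what the output holds on this path is not visible; if a caller treats 0 as "generation valid", the guest would be handed whatever the field was initialised to. At minimum the comment should state the contract, e.g. `/* ENOTTY: ioctl unsupported for this path; report success and leave the generation number as the caller initialised it */`.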
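--- a/0320-hw-9pfs-Fix-errno-value-for-xattr-functions.patch
+++ b/0320-hw-9pfs-Fix-errno-value-for-xattr-functions.patch
@@ -0,0 +1,68 @@
+From 79d5a6121844c36239cd4945a4b56e93f10367e8 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Tue, 1 Oct 2013 12:28:17 +0100
+Subject: [PATCH] hw/9pfs: Fix errno value for xattr functions
+
+If there is no operation driver for the xattr type the
+functions return '-1' and set errno to '-EOPNOTSUPP'.
+When the calling code sets 'ret = -errno' this turns
+into a large positive number.
+
+In Linux 3.11, the kernel has switched to using 9p
+version 9p2000.L, instead of 9p2000.u, which enables
+support for xattr operations. This on its own is harmless,
+but for another change which makes it request the xattr
+with a name 'security.capability'.
+
+The result is that the guest sees a succesful return
+of 95 bytes of data, instead of a failure with errno
+set to 95. Since the kernel expects a maximum of 20
+bytes for an xattr return this gets translated to the
+unexpected errno ERANGE.
+
+This all means that when running a binary off a 9p fs
+in 3.11 kernels you get a fun result of:
+
+# ./date
+sh: ./date: Numerical result out of range
+
+The only workaround is to pass 'version=9p2000.u' when
+mounting the 9p fs in the guest, to disable all use of
+xattrs.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+---
+hw/9pfs/virtio-9p-xattr.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/9pfs/virtio-9p-xattr.c b/hw/9pfs/virtio-9p-xattr.c
+index a839606..2115eee 100644
+--- a/hw/9pfs/virtio-9p-xattr.c
++++ b/hw/9pfs/virtio-9p-xattr.c
+@@ -36,7 +36,7 @@ ssize_t v9fs_get_xattr(FsContext *ctx, const char *path,
+if (xops) {
+return xops->getxattr(ctx, path, name, value, size);
+}
+- errno = -EOPNOTSUPP;
++ errno = EOPNOTSUPP;
+return -1;
+}
+
+@@ -123,7 +123,7 @@ int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name,
+if (xops) {
+return xops->setxattr(ctx, path, name, value, size, flags);
+}
+- errno = -EOPNOTSUPP;
++ errno = EOPNOTSUPP;
+return -1;
+
+}
+@@ -135,7 +135,7 @@ int v9fs_remove_xattr(FsContext *ctx,
+if (xops) {
+return xops->removexattr(ctx, path, name);
+}
+- errno = -EOPNOTSUPP;
++ errno = EOPNOTSUPP;
+return -1;
+
+}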
30
qemu.spec
30
qemu.spec
@ -131,7 +131,7 @@
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 1.4.2
|
||||
Release: 11%{?dist}
|
||||
Release: 12%{?dist}
|
||||
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
@ -295,11 +295,17 @@ Patch0313: 0313-qdev-allow-both-pre-and-post-order-vists-in-qdev-wal.patch
|
||||
Patch0314: 0314-qdev-switch-reset-to-post-order.patch
|
||||
# Fix crash in scsi_dma_complete (bz #1001617)
|
||||
Patch0315: 0315-scsi-avoid-assertion-failure-on-VERIFY-command.patch
|
||||
# ppc64 hangs at "Trying to read invalid spr 896 380 at .." (bz #1004532)
|
||||
# ppc64 hangs at "Trying to read invalid spr 896 380 at .." (bz
|
||||
# #1004532)
|
||||
Patch0316: 0316-target-ppc-Add-read-and-write-of-PPR-SPR.patch
|
||||
|
||||
# Fix screenshots for qxl kernel driver (bz #948717)
|
||||
Patch0400: 0400-qxl-fix-local-renderer.patch
|
||||
Patch0317: 0317-qxl-fix-local-renderer.patch
|
||||
# CVE-2013-4344: buffer overflow in scsi_target_emulate_report_luns (bz
|
||||
# #1015274, bz #1007330)
|
||||
Patch0318: 0318-scsi-Allocate-SCSITargetReq-r-buf-dynamically.patch
|
||||
# Fix 9pfs xattrs on kernel 3.11 (bz #1013676)
|
||||
Patch0319: 0319-hw-9pfs-Be-robust-against-paths-without-FS_IOC_GETVE.patch
|
||||
Patch0320: 0320-hw-9pfs-Fix-errno-value-for-xattr-functions.patch
|
||||
|
||||
BuildRequires: SDL-devel
|
||||
BuildRequires: zlib-devel
|
||||
@ -892,10 +898,17 @@ CAC emulation development files.
|
||||
%patch0314 -p1
|
||||
# Fix crash in scsi_dma_complete (bz #1001617)
|
||||
%patch0315 -p1
|
||||
# ppc64 hangs at "Trying to read invalid spr 896 380 at .." (bz #1004532)
|
||||
# ppc64 hangs at "Trying to read invalid spr 896 380 at .." (bz
|
||||
# #1004532)
|
||||
%patch0316 -p1
|
||||
# Fix screenshots for qxl kernel driver (bz #948717)
|
||||
%patch0400 -p1
|
||||
%patch0317 -p1
|
||||
# CVE-2013-4344: buffer overflow in scsi_target_emulate_report_luns (bz
|
||||
# #1015274, bz #1007330)
|
||||
%patch0318 -p1
|
||||
# Fix 9pfs xattrs on kernel 3.11 (bz #1013676)
|
||||
%patch0319 -p1
|
||||
%patch0320 -p1
|
||||
|
||||
%build
|
||||
%if %{with kvmonly}
|
||||
@ -1543,6 +1556,11 @@ getent passwd qemu >/dev/null || \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sun Oct 06 2013 Cole Robinson <crobinso@redhat.com> - 2:1.4.2-12
|
||||
- CVE-2013-4344: buffer overflow in scsi_target_emulate_report_luns (bz
|
||||
#1015274, bz #1007330)
|
||||
- Fix 9pfs xattrs on kernel 3.11 (bz #1013676)
|
||||
|
||||
* Wed Sep 25 2013 Alon Levy <alevy@redhat.com> 2:1.4.2-11
|
||||
- Fix screenshots for qxl kernel driver (bz #948717)
|
||||
|
||||
|