  6. 03 Dec, 2018 7 commits
      Merge remote-tracking branch 'remotes/kraxel/tags/fixes-31-20181203-pull-request' into staging · 933cc4bb
      Peter Maydell authored
      
      
      usb: mtp fixes.
      
      # gpg: Signature made Mon 03 Dec 2018 19:50:26 GMT
      # gpg:                using RSA key 4CB6D8EED3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>"
      # gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>"
      # Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138
      
      * remotes/kraxel/tags/fixes-31-20181203-pull-request:
        usb-mtp: outlaw slashes in filenames
        usb-mtp: fix utf16_to_str
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      usb-mtp: outlaw slashes in filenames · c52d46e0
      Gerd Hoffmann authored
      
      
      Slash is the unix directory separator, so it is not allowed in filenames.
      Note this also stops the classic escape via "../".
      
      Fixes: CVE-2018-16867
      Reported-by: Michael Hanselmann <public@hansmi.ch>
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
      Message-id: 20181203101045.27976-3-kraxel@redhat.com
      usb-mtp: fix utf16_to_str · 6de02a13
      Gerd Hoffmann authored
      
      
      Make utf16_to_str return an allocated string.  Remove the assumption that
      the number of string bytes equals the number of utf16 chars (which is
      only true for ascii chars).  Instead call wcstombs twice, once to figure
      the storage size and once for the actual conversion (as suggested by the
      wcstombs manpage).
      
      FIXME: surrogate pairs are not working correctly.  Pre-existing bug,
      fixing that is left for another day.
      Reported-by: Michael Hanselmann <public@hansmi.ch>
      Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
      Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
      Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
      Reviewed-by: Markus Armbruster <armbru@redhat.com>
      Message-id: 20181203101045.27976-2-kraxel@redhat.com
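Added example (not QEMU's usb-mtp code): the two-pass sizing that the utf16_to_str commit above describes, followed by the single-component filename check that the "outlaw slashes" commit motivates. The conversion is hand-written instead of wcstombs so it does not depend on the process locale, and it goes one step beyond the commit by combining surrogate pairs (the FIXME) and replacing lone ones; utf16_to_str here is a stand-in with an assumed signature and mtp_filename_ok is a hypothetical helper.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Encode one code point as UTF-8 into out (when non-NULL); return byte count. */
static size_t put_utf8(uint32_t cp, char *out)
{
    size_t n = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    static const unsigned char lead[] = { 0, 0, 0xC0, 0xE0, 0xF0 };
    if (!out) return n;
    for (size_t i = n - 1; i > 0; i--, cp >>= 6)
        out[i] = (char)(0x80 | (cp & 0x3F));
    out[0] = (char)(lead[n] | cp);
    return n;
}

/* One pass over the UTF-16 units: out == NULL only measures (pass 1), else writes (pass 2). */
static size_t utf16_pass(const uint16_t *in, size_t len, char *out)
{
    size_t total = 0;
    for (size_t i = 0; i < len && in[i]; i++) {   /* a 0 unit ends the string */
        uint32_t cp = in[i];
        if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < len &&
            in[i + 1] >= 0xDC00 && in[i + 1] <= 0xDFFF)
            cp = 0x10000 + ((cp - 0xD800) << 10) + (in[++i] - 0xDC00);
        else if (cp >= 0xD800 && cp <= 0xDFFF)
            cp = 0xFFFD;   /* lone surrogate: replace rather than emit CESU-8 */
        total += put_utf8(cp, out ? out + total : NULL);
    }
    return total;
}

/* Returns a malloc'd, NUL-terminated UTF-8 string sized by the measuring pass. */
char *utf16_to_str(const uint16_t *in, size_t len)
{
    size_t bytes = utf16_pass(in, len, NULL);   /* no "bytes == units" assumption */
    char *s = malloc(bytes + 1);
    if (!s) return NULL;
    utf16_pass(in, len, s);
    s[bytes] = '\0';
    return s;
}

/* A filename must be one path component: non-empty, no '/', not "." or ".." (closes "../"). */
int mtp_filename_ok(const char *name)
{
    return name && *name && !strchr(name, '/') &&
           strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}
```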
      Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2018-12-03' into staging · 9225cd12
      Peter Maydell authored
      
      
      nbd patches for 2018-12-03
      
      Improve x-dirty-bitmap handling for experimenting with pull mode
      incremental backups.
      
      - Eric Blake: 0/3 NBD dirty bitmap cleanups
      
      # gpg: Signature made Mon 03 Dec 2018 15:56:23 GMT
      # gpg:                using RSA key A7A16B4A2527436A
      # gpg: Good signature from "Eric Blake <eblake@redhat.com>"
      # gpg:                 aka "Eric Blake (Free Software Programmer) <ebb9@byu.net>"
      # gpg:                 aka "[jpeg image of size 6874]"
      # Primary key fingerprint: 71C2 CC22 B1C4 6029 27D2  F3AA A7A1 6B4A 2527 436A
      
      * remotes/ericb/tags/pull-nbd-2018-12-03:
        nbd/client: Send NBD_CMD_DISC if open fails after connect
        nbd/client: Make x-dirty-bitmap more reliable
        nbd/server: Advertise all contexts in response to bare LIST
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging · 3af8c4be
      Peter Maydell authored
      
      
      Block layer patches:
      
      - mirror: Fix deadlock
      
      # gpg: Signature made Mon 03 Dec 2018 16:57:33 GMT
      # gpg:                using RSA key 7F09B272C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@redhat.com>"
      # Primary key fingerprint: DC3D EB15 9A9A F95D 3D74  56FE 7F09 B272 C88F 2FD6
      
      * remotes/kevin/tags/for-upstream:
        iotests: simple mirror test with kvm on 1G image
        mirror: fix dead-lock
      Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
      iotests: simple mirror test with kvm on 1G image · db5e8210
      Vladimir Sementsov-Ogievskiy authored
      
      
      This test is broken without the previous commit fixing the dead-lock in mirror.
      Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
      Signed-off-by: Max Reitz <mreitz@redhat.com>
      Acked-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>
      mirror: fix dead-lock · d12ade57
      Vladimir Sementsov-Ogievskiy authored
      
      
      Let's start from the beginning:
      
      Commit b9e413dd (in 2.9)
      "block: explicitly acquire aiocontext in aio callbacks that need it"
      added pairs of aio_context_acquire/release to mirror_write_complete and
      mirror_read_complete, when they were aio callbacks for blk_aio_* calls.
      
      Then, commit 2e1990b2 (in 3.0) "block/mirror: Convert to coroutines"
      dropped these blk_aio_* calls, so mirror_write_complete and
      mirror_read_complete are not callbacks anymore, and don't need additional
      aiocontext acquiring. Furthermore, mirror_read_complete calls
      blk_co_pwritev inside this pair of aio_context_acquire/release, which
      leads to the following dead-lock with mirror:
      
       (gdb) info thr
         Id   Target Id         Frame
         3    Thread (LWP 145412) "qemu-system-x86" syscall ()
         2    Thread (LWP 145416) "qemu-system-x86" __lll_lock_wait ()
       * 1    Thread (LWP 145411) "qemu-system-x86" __lll_lock_wait ()
      
       (gdb) bt
       #0  __lll_lock_wait ()
       #1  _L_lock_812 ()
       #2  __GI___pthread_mutex_lock
       #3  qemu_mutex_lock_impl (mutex=0x561032dce420 <qemu_global_mutex>,
           file=0x5610327d8654 "util/main-loop.c", line=236) at
           util/qemu-thread-posix.c:66
       #4  qemu_mutex_lock_iothread_impl
       #5  os_host_main_loop_wait (timeout=480116000) at util/main-loop.c:236
       #6  main_loop_wait (nonblocking=0) at util/main-loop.c:497
       #7  main_loop () at vl.c:1892
       #8  main
      
      Printing contents of qemu_global_mutex, I see that "__owner = 145416",
      so, thr1 is main loop, and now it wants BQL, which is owned by thr2.
      
       (gdb) thr 2
       (gdb) bt
       #0  __lll_lock_wait ()
       #1  _L_lock_870 ()
       #2  __GI___pthread_mutex_lock
       #3  qemu_mutex_lock_impl (mutex=0x561034d25dc0, ...
       #4  aio_context_acquire (ctx=0x561034d25d60)
       #5  dma_blk_cb
       #6  dma_blk_io
       #7  dma_blk_read
       #8  ide_dma_cb
       #9  bmdma_cmd_writeb
       #10 bmdma_write
       #11 memory_region_write_accessor
       #12 access_with_adjusted_size
       #15 flatview_write
       #16 address_space_write
       #17 address_space_rw
       #18 kvm_handle_io
       #19 kvm_cpu_exec
       #20 qemu_kvm_cpu_thread_fn
       #21 qemu_thread_start
       #22 start_thread
       #23 clone ()
      
      Printing mutex in fr 2, I see "__owner = 145411", so thr2 wants aio
      context mutex, which is owned by thr1. Classic dead-lock.
      
      Then, let's check that the aio context is held by the mirror coroutine: just
      print the coroutine stack of the first tracked request in the mirror job target:
      
       (gdb) [...]
       (gdb) qemu coroutine 0x561035dd0860
       #0  qemu_coroutine_switch
       #1  qemu_coroutine_yield
       #2  qemu_co_mutex_lock_slowpath
       #3  qemu_co_mutex_lock
       #4  qcow2_co_pwritev
       #5  bdrv_driver_pwritev
       #6  bdrv_aligned_pwritev
       #7  bdrv_co_pwritev
       #8  blk_co_pwritev
       #9  mirror_read_complete () at block/mirror.c:232
       #10 mirror_co_read () at block/mirror.c:370
       #11 coroutine_trampoline
       #12 __start_context
      
      Yes, it is mirror_read_complete calling blk_co_pwritev after acquiring
      the aio context.
      Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
      Reviewed-by: Max Reitz <mreitz@redhat.com>
      Signed-off-by: Kevin Wolf <kwolf@redhat.com>