[Qemu-commits] [qemu/qemu] 58164e: pc: fix possible NULL pointer derefer
From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 58164e: pc: fix possible NULL pointer dereference in pc_ma...
Date: Mon, 08 Jul 2019 04:48:23 -0700
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 58164eaff530a1e804f5710936dd37518ab5a90e
https://github.com/qemu/qemu/commit/58164eaff530a1e804f5710936dd37518ab5a90e
Author: Igor Mammedov <address@hidden>
Date: 2019-07-05 (Fri, 05 Jul 2019)
Changed paths:
M hw/i386/pc.c
Log Message:
-----------
pc: fix possible NULL pointer dereference in pc_machine_get_device_memory_region_size()
QEMU will crash when the device-memory-region-size property is read if ms->device_memory
wasn't initialized yet.
Crash can be reproduced with:
$QEMU -preconfig -qmp unix:qmp_socket,server,nowait &
./scripts/qmp/qom-get -s qmp_socket /machine.device-memory-region-size
Instead of crashing return 0 if ms->device_memory hasn't been initialized.
Signed-off-by: Igor Mammedov <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Commit: c20b139620498b2f158b52e0c4ad7f6de35a520e
https://github.com/qemu/qemu/commit/c20b139620498b2f158b52e0c4ad7f6de35a520e
Author: Paolo Bonzini <address@hidden>
Date: 2019-07-05 (Fri, 05 Jul 2019)
Changed paths:
M scripts/checkpatch.pl
Log Message:
-----------
checkpatch: do not warn for multiline parenthesized returned value
While indeed we do not want to have
return (a);
it is less clear that this applies to
return (a &&
b);
Some editors indent more nicely if you have parentheses, and some people's
eyes may appreciate that as well.
Signed-off-by: Paolo Bonzini <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Richard Henderson <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Commit: 9dc83cd9c3cd766263a7180bccaf67afe970d816
https://github.com/qemu/qemu/commit/9dc83cd9c3cd766263a7180bccaf67afe970d816
Author: Max Reitz <address@hidden>
Date: 2019-07-05 (Fri, 05 Jul 2019)
Changed paths:
M target/i386/kvm.c
Log Message:
-----------
i386/kvm: Fix build with -m32
find_next_bit() takes a pointer of type "const unsigned long *", but the
first argument passed here is a "uint64_t *". These types are
incompatible when compiling qemu with -m32.
Just use ctz64() instead.
Fixes: c686193072a47032d83cb4e131dc49ae30f9e5d
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Eduardo Habkost <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Commit: d6d10793dcfa33504745be40b49bd747ff8752ef
https://github.com/qemu/qemu/commit/d6d10793dcfa33504745be40b49bd747ff8752ef
Author: Yan Zhao <address@hidden>
Date: 2019-07-05 (Fri, 05 Jul 2019)
Changed paths:
M hw/i386/intel_iommu.c
Log Message:
-----------
intel_iommu: Fix incorrect "end" for vtd_address_space_unmap
IOMMUNotifier uses inclusive ranges, so we should check
against (VTD_ADDRESS_SIZE(s->aw_bits) - 1).
Signed-off-by: Yan Zhao <address@hidden>
[peterx: split from another bigger patch]
Reviewed-by: Eric Auger <address@hidden>
Signed-off-by: Peter Xu <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Commit: 9a4bb8391fda2312803d44664575a662b9be7189
https://github.com/qemu/qemu/commit/9a4bb8391fda2312803d44664575a662b9be7189
Author: Peter Xu <address@hidden>
Date: 2019-07-05 (Fri, 05 Jul 2019)
Changed paths:
M hw/i386/intel_iommu.c
Log Message:
-----------
intel_iommu: Fix unexpected unmaps during global unmap
This is a replacement work of Yan Zhao's patch:
https://www.mail-archive.com/address@hidden/msg625340.html
vtd_address_space_unmap() will do proper page mask alignment to make
sure each IOTLB message will have correct masks for notification
messages (2^N-1), but sometimes it can be expanded to even supersede
the registered range. That could lead to unexpected UNMAP of already
mapped regions in some other notifiers.
Instead of doing mindless expansion of the start address and address
mask, we split the range into smaller ones and guarantee that each
small range will have correct masks (2^N-1), and at the same time we
should also try our best to generate as few IOTLB messages as
possible.
Reported-by: Yan Zhao <address@hidden>
Signed-off-by: Peter Xu <address@hidden>
Reviewed-by: Eric Auger <address@hidden>
Tested-by: Yan Zhao <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Commit: d15d3d573aa16ac4748d7c0291e582ed9d007485
https://github.com/qemu/qemu/commit/d15d3d573aa16ac4748d7c0291e582ed9d007485
Author: Li Qiang <address@hidden>
Date: 2019-07-05 (Fri, 05 Jul 2019)
Changed paths:
M hw/intc/ioapic.c
Log Message:
-----------
ioapic: clear irq_eoi when updating the ioapic redirect table entry
irq_eoi is used to count the number of irq injected during eoi
broadcast. It should be set to 0 when updating the ioapic's redirect
table entry.
Suggested-by: Peter Xu <address@hidden>
Signed-off-by: Li Qiang <address@hidden>
Reviewed-by: Peter Xu <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Commit: 4b03403f7684ef2dc2af5f8ab8ab52515562e3fb
https://github.com/qemu/qemu/commit/4b03403f7684ef2dc2af5f8ab8ab52515562e3fb
Author: Alex Bennée <address@hidden>
Date: 2019-07-05 (Fri, 05 Jul 2019)
Changed paths:
M target/i386/hyperv-stub.c
Log Message:
-----------
target/i386: fix feature check in hyperv-stub.c
Commit 2d384d7c8 broke the build when built with:
configure --without-default-devices --disable-user
The reason was the conversion of cpu->hyperv_synic to
cpu->hyperv_synic_kvm_only although the rest of the patch introduces a
feature checking mechanism. So I've fixed the KVM_EXIT_HYPERV_SYNIC in
hyperv-stub to do the same feature check as in the real hyperv.c.
Signed-off-by: Alex Bennée <address@hidden>
Cc: Vitaly Kuznetsov <address@hidden>
Cc: Paolo Bonzini <address@hidden>
Cc: Roman Kagan <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Vitaly Kuznetsov <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Commit: 6b7ac49d570c66754fad1b80cc200c7596d1facd
https://github.com/qemu/qemu/commit/6b7ac49d570c66754fad1b80cc200c7596d1facd
Author: Paolo Bonzini <address@hidden>
Date: 2019-07-05 (Fri, 05 Jul 2019)
Changed paths:
M scripts/minikconf.py
Log Message:
-----------
minikconf: do not include variables from MINIKCONF_ARGS in config-all-devices.mak
When minikconf writes config-devices.mak, it includes all variables including
those from MINIKCONF_ARGS. This causes values from config-host.mak to "stick" to
the ones used in generating config-devices.mak, because config-devices.mak is
included after config-host.mak. Avoid this by omitting assignments coming
from the command line in the output of minikconf.
Reported-by: Christophe de Dinechin <address@hidden>
Reviewed-by: Christophe de Dinechin <address@hidden>
Tested-by: Christophe de Dinechin <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Commit: ec7b1bbd2c470d8766b61617bd4d8ba46aa2056b
https://github.com/qemu/qemu/commit/ec7b1bbd2c470d8766b61617bd4d8ba46aa2056b
Author: Liran Alon <address@hidden>
Date: 2019-07-05 (Fri, 05 Jul 2019)
Changed paths:
M target/i386/machine.c
Log Message:
-----------
target/i386: kvm: Fix when nested state is needed for migration
When the vCPU is in VMX operation and enters SMM mode,
it temporarily exits VMX operation, but the KVM-maintained nested-state
still stores the VMXON region physical address, i.e. even when the
vCPU is in SMM mode, (nested_state->hdr.vmx.vmxon_pa != -1ull) still holds.
Therefore, there is no need to explicitly check for
KVM_STATE_NESTED_SMM_VMXON to determine if it is necessary
to save nested-state as part of the migration stream.
Reviewed-by: Karl Heubaum <address@hidden>
Signed-off-by: Liran Alon <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Commit: 6c22ea9d83ca91a3f5453d2699381a901f144ab5
https://github.com/qemu/qemu/commit/6c22ea9d83ca91a3f5453d2699381a901f144ab5
Author: Julio Montes <address@hidden>
Date: 2019-07-05 (Fri, 05 Jul 2019)
Changed paths:
M Makefile.target
M scripts/create_config
Log Message:
-----------
Makefile: generate header file with the list of devices enabled
v2: generate config-devices.h which contains the list of devices enabled
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Signed-off-by: Julio Montes <address@hidden>
Commit: 60386ea270c8c9425b76d01ee42039f24d7bc833
https://github.com/qemu/qemu/commit/60386ea270c8c9425b76d01ee42039f24d7bc833
Author: Julio Montes <address@hidden>
Date: 2019-07-05 (Fri, 05 Jul 2019)
Changed paths:
M hw/i386/pc_piix.c
Log Message:
-----------
hw/i386: Fix linker error when ISAPC is disabled
v2: include config-devices.h to use CONFIG_IDE_ISA
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Signed-off-by: Julio Montes <address@hidden>
Commit: 03f990a5e31e28c9a2794729638f2117e028bfa5
https://github.com/qemu/qemu/commit/03f990a5e31e28c9a2794729638f2117e028bfa5
Author: Li Qiang <address@hidden>
Date: 2019-07-05 (Fri, 05 Jul 2019)
Changed paths:
M hw/intc/ioapic.c
Log Message:
-----------
ioapic: use irq number instead of vector in ioapic_eoi_broadcast
When emulating irqchip in qemu, such as following command:
x86_64-softmmu/qemu-system-x86_64 -m 1024 -smp 4 -hda /home/test/test.img
-machine kernel-irqchip=off --enable-kvm -vnc :0 -device edu -monitor stdio
We will get a crash with following asan output:
(qemu) /home/test/qemu5/qemu/hw/intc/ioapic.c:266:27: runtime error: index 35
out of bounds for type 'int [24]'
=================================================================
==113504==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61b000003114 at pc 0x5579e3c7a80f bp 0x7fd004bf8c10 sp 0x7fd004bf8c00
WRITE of size 4 at 0x61b000003114 thread T4
#0 0x5579e3c7a80e in ioapic_eoi_broadcast
/home/test/qemu5/qemu/hw/intc/ioapic.c:266
#1 0x5579e3c6f480 in apic_eoi /home/test/qemu5/qemu/hw/intc/apic.c:428
#2 0x5579e3c720a7 in apic_mem_write /home/test/qemu5/qemu/hw/intc/apic.c:802
#3 0x5579e3b1e31a in memory_region_write_accessor
/home/test/qemu5/qemu/memory.c:503
#4 0x5579e3b1e6a2 in access_with_adjusted_size
/home/test/qemu5/qemu/memory.c:569
#5 0x5579e3b28d77 in memory_region_dispatch_write
/home/test/qemu5/qemu/memory.c:1497
#6 0x5579e3a1b36b in flatview_write_continue
/home/test/qemu5/qemu/exec.c:3323
#7 0x5579e3a1b633 in flatview_write /home/test/qemu5/qemu/exec.c:3362
#8 0x5579e3a1bcb1 in address_space_write /home/test/qemu5/qemu/exec.c:3452
#9 0x5579e3a1bd03 in address_space_rw /home/test/qemu5/qemu/exec.c:3463
#10 0x5579e3b8b979 in kvm_cpu_exec
/home/test/qemu5/qemu/accel/kvm/kvm-all.c:2045
#11 0x5579e3ae4499 in qemu_kvm_cpu_thread_fn
/home/test/qemu5/qemu/cpus.c:1287
#12 0x5579e4cbdb9f in qemu_thread_start util/qemu-thread-posix.c:502
#13 0x7fd0146376da in start_thread
(/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#14 0x7fd01436088e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e
This is because in the ioapic_eoi_broadcast function, we use 'vector' to
index 's->irq_eoi'. To fix this, we should use the irq number.
Signed-off-by: Li Qiang <address@hidden>
Reviewed-by: Peter Xu <address@hidden>
Message-Id: <address@hidden>
Commit: c4107e8208d0222f9b328691b519aaee4101db87
https://github.com/qemu/qemu/commit/c4107e8208d0222f9b328691b519aaee4101db87
Author: Peter Maydell <address@hidden>
Date: 2019-07-08 (Mon, 08 Jul 2019)
Changed paths:
M Makefile.target
M hw/i386/intel_iommu.c
M hw/i386/pc_piix.c
M hw/intc/ioapic.c
M scripts/checkpatch.pl
M scripts/create_config
M scripts/minikconf.py
M target/i386/kvm.c
M target/i386/machine.c
Log Message:
-----------
Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging
Bugfixes.
# gpg: Signature made Fri 05 Jul 2019 21:21:52 BST
# gpg: using RSA key BFFBD25F78C7AE83
# gpg: Good signature from "Paolo Bonzini <address@hidden>" [full]
# gpg: aka "Paolo Bonzini <address@hidden>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1
# Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83
* remotes/bonzini/tags/for-upstream:
ioapic: use irq number instead of vector in ioapic_eoi_broadcast
hw/i386: Fix linker error when ISAPC is disabled
Makefile: generate header file with the list of devices enabled
target/i386: kvm: Fix when nested state is needed for migration
minikconf: do not include variables from MINIKCONF_ARGS in config-all-devices.mak
target/i386: fix feature check in hyperv-stub.c
ioapic: clear irq_eoi when updating the ioapic redirect table entry
intel_iommu: Fix unexpected unmaps during global unmap
intel_iommu: Fix incorrect "end" for vtd_address_space_unmap
i386/kvm: Fix build with -m32
checkpatch: do not warn for multiline parenthesized returned value
pc: fix possible NULL pointer dereference in pc_machine_get_device_memory_region_size()
Signed-off-by: Peter Maydell <address@hidden>
Compare: https://github.com/qemu/qemu/compare/3a1acf5d4729...c4107e8208d0
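The two intel_iommu commits above (inclusive "end" bound, and splitting a range into 2^N-1 masks instead of widening one mask) describe an algorithm that is easier to see in code. The following is an added example written for this page, not QEMU's own vtd_address_space_unmap(); it assumes aw_bits is below 64 and uses the GCC/Clang __builtin_clzll builtin, and it places the pre-fix single-mask widening beside the split so the over-unmap is visible.

```c
/* Added example (not QEMU code): emit IOTLB UNMAP messages for an inclusive
 * IOVA range [start, end] so that every message's mask has the form 2^N - 1
 * and no message reaches outside the requested range. */
#include <stddef.h>
#include <stdint.h>

typedef struct {
    uint64_t iova;       /* first address covered by the message */
    uint64_t addr_mask;  /* 2^N - 1: message covers [iova, iova + addr_mask] */
} unmap_msg;

/* Pre-fix style: widen a single mask until one message covers [start, end].
 * The start is aligned down, so the message can extend below 'start' and
 * unmap regions that belong to other notifiers. */
static void naive_single_msg(uint64_t start, uint64_t end, unmap_msg *out)
{
    uint64_t mask = 0;
    while ((start & ~mask) != (end & ~mask)) {
        mask = (mask << 1) | 1;
    }
    out->iova = start & ~mask;
    out->addr_mask = mask;
}

/* Largest power-of-two chunk that is naturally aligned at 'start' and does
 * not exceed 'remain' bytes or the address width. Requires remain != 0. */
static uint64_t largest_aligned_chunk(uint64_t start, uint64_t remain,
                                      unsigned aw_bits)
{
    uint64_t max_chunk = 1ULL << aw_bits;                      /* aw_bits < 64 */
    uint64_t align = start ? (start & (~start + 1)) : max_chunk; /* lowest set bit */
    uint64_t pow2 = 1ULL << (63 - __builtin_clzll(remain));    /* <= remain */
    if (align > max_chunk) {
        align = max_chunk;
    }
    return align < pow2 ? align : pow2;
}

/* Greedy split of the inclusive range [start, end], with end bounded by
 * (1 << aw_bits) - 1 as in the VTD_ADDRESS_SIZE(aw_bits) - 1 check.
 * Returns the number of messages needed (0 for an invalid range); at most
 * 'max' of them are written to 'out'. */
static size_t split_unmap_range(uint64_t start, uint64_t end, unsigned aw_bits,
                                unmap_msg *out, size_t max)
{
    size_t n = 0;
    if (end < start || end >= (1ULL << aw_bits)) {
        return 0;
    }
    for (uint64_t remain = end - start + 1; remain; n++) {
        uint64_t chunk = largest_aligned_chunk(start, remain, aw_bits);
        if (n < max) {
            out[n].iova = start;
            out[n].addr_mask = chunk - 1;
        }
        start += chunk;
        remain -= chunk;
    }
    return n;
}
```

For [0x1000, 0x7fff] the split yields three exact messages (0x1000/0xfff, 0x2000/0x1fff, 0x4000/0x3fff), whereas the single widened mask becomes 0/0x7fff and also unmaps [0, 0xfff].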