On 8/4/24 18:39, Richard Henderson wrote:
On 4/7/24 22:36, Philippe Mathieu-Daudé wrote:
nand_command() and nand_getio() don't check that @offset points
into the block, nor that the available data length (s->iolen) is
not negative.
In order to fix:
- check the offset is in range in
On Mon, 8 Apr 2024 at 13:34, Peter Maydell wrote:
>
> On Thu, 4 Apr 2024 at 09:56, Philippe Mathieu-Daudé wrote:
> > diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
> > index c5e0bc018b..2dd88fa139 100644
> > --- a/hw/sd/sdhci.c
> > +++ b/hw/sd/sdhci.c
> > @@ -552,7 +552,7 @@ static void
On 4/7/24 22:36, Philippe Mathieu-Daudé wrote:
nand_command() and nand_getio() don't check that @offset points
into the block, nor that the available data length (s->iolen) is
not negative.
In order to fix:
- check the offset is in range in nand_blk_load_NAND_PAGE_SIZE(),
- do not set @iolen if
On 4/7/24 22:36, Philippe Mathieu-Daudé wrote:
Signed-off-by: Philippe Mathieu-Daudé
---
hw/block/nand.c | 12 +---
1 file changed, 9 insertions(+), 3 deletions(-)
Reviewed-by: Richard Henderson
r~
On 4/7/24 22:36, Philippe Mathieu-Daudé wrote:
Signed-off-by: Philippe Mathieu-Daudé
---
hw/block/nand.c | 32 +++-
1 file changed, 19 insertions(+), 13 deletions(-)
Reviewed-by: Richard Henderson
r~
On Mon, Apr 08, 2024 at 04:07:20PM +0200, Jinpu Wang wrote:
> Hi Peter,
Jinpu,
Thanks for joining the discussion.
>
> On Tue, Apr 2, 2024 at 11:24 PM Peter Xu wrote:
> >
> > On Mon, Apr 01, 2024 at 11:26:25PM +0200, Yu Zhang wrote:
> > > Hello Peter and Zhjian,
> > >
> > > Thank you so much
From: Zhu Yangyang
Coroutines are not supposed to block. Instead, they should yield.
The client performs TLS upgrade outside of an AIOContext, during
synchronous handshake; this still requires g_main_loop. But the
server responds to TLS upgrade inside a coroutine, so a nested
g_main_loop is
nbd_negotiate() is already marked coroutine_fn. And given the fix in
the previous patch to have nbd_negotiate_handle_starttls not create
and wait on a g_main_loop (as that would violate coroutine
constraints), it is worth marking the rest of the related static
functions reachable only during
v4 was here:
https://lists.gnu.org/archive/html/qemu-devel/2024-04/msg00624.html
Since then: add some asserts [Vladimir], add second patch with more
coroutine_fn annotations [Vladimir]
Eric Blake (1):
nbd/server: Mark negotiation functions as coroutine_fn
Zhu Yangyang (1):
nbd/server: do
On Mon, Apr 8, 2024 at 10:36 AM Philippe Mathieu-Daudé
wrote:
>
> Fix for https://gitlab.com/qemu-project/qemu/-/issues/1446
Does hw/block/nand meet the security requirements for CVE assignment?
=> https://www.qemu.org/docs/master/system/security.html
> Philippe Mathieu-Daudé (3):
>
Add support for the VIRTIO_F_IN_ORDER feature across a variety of vhost
devices.
The inclusion of VIRTIO_F_IN_ORDER in the feature bits arrays for these
devices ensures that the backend is capable of offering and providing
support for this feature, and that it can be disabled if the backend
does
Add VIRTIO_F_IN_ORDER feature support for virtqueue_flush operations.
The goal of the virtqueue_flush operation when the VIRTIO_F_IN_ORDER
feature has been negotiated is to write elements to the used/descriptor
ring in-order and then update used_idx.
The function iterates through the
Extend the virtio device property definitions to include the
VIRTIO_F_IN_ORDER feature.
The default state of this feature is disabled, allowing it to be
explicitly enabled where it's supported.
Acked-by: Eugenio Pérez
Signed-off-by: Jonah Palmer
---
include/hw/virtio/virtio.h | 4 +++-
1 file
Add VIRTIO_F_IN_ORDER feature support in virtqueue_split_pop and
virtqueue_packed_pop.
VirtQueueElements popped from the available/descriptor ring are added to
the VirtQueue's used_elems array in-order and in the same fashion as
they would be added to the used and descriptor rings, respectively.
Add VIRTIO_F_IN_ORDER feature support for virtqueue_fill operations.
The goal of the virtqueue_fill operation when the VIRTIO_F_IN_ORDER
feature has been negotiated is to search for this now-used element,
set its length, and mark the element as filled in the VirtQueue's
used_elems array.
By
Add the boolean 'filled' member to the VirtQueueElement structure. The
use of this boolean will signify if the element has been written to the
used / descriptor ring or not. This boolean is used to support the
VIRTIO_F_IN_ORDER feature.
Signed-off-by: Jonah Palmer
---
include/hw/virtio/virtio.h
The goal of these patches is to add support to a variety of virtio and
vhost devices for the VIRTIO_F_IN_ORDER transport feature. This feature
indicates that all buffers are used by the device in the same order in
which they were made available by the driver.
These patches attempt to implement a
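The pop/fill/flush sequence the VIRTIO_F_IN_ORDER patches above describe, as an added example that is not the series' code: a small C model of a used_elems array in which fill() only marks an element and records its length, and flush() publishes entries to the used ring strictly in pop order, stopping at the first element still in flight before updating used_idx. QUEUE_SIZE, the VirtQueueModel type, the vq_* function names and the constructed completion scenario in demo_out_of_order_completion() are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_SIZE 8   /* assumed queue size for this model */

/* Simplified stand-in for one popped VirtQueueElement. */
typedef struct {
    uint16_t index;   /* head descriptor index the driver made available */
    uint32_t len;     /* bytes the device wrote, recorded by fill */
    bool filled;      /* fill() ran, but the entry is not yet in the used ring */
} Elem;

typedef struct {
    /* In-order record of popped elements: slot = avail position % QUEUE_SIZE. */
    Elem used_elems[QUEUE_SIZE];
    uint16_t last_avail;         /* count of elements popped so far */
    /* The used ring as the driver sees it (split-ring layout, simplified). */
    uint16_t used_id[QUEUE_SIZE];
    uint32_t used_len[QUEUE_SIZE];
    uint16_t used_idx;           /* driver-visible count of used entries */
} VirtQueueModel;

/* pop: record the element in used_elems in the order it was made available. */
bool vq_pop(VirtQueueModel *vq, uint16_t head)
{
    if ((uint16_t)(vq->last_avail - vq->used_idx) >= QUEUE_SIZE) {
        return false;            /* every slot is in flight; refuse rather than overwrite */
    }
    Elem *e = &vq->used_elems[vq->last_avail % QUEUE_SIZE];
    e->index = head;
    e->len = 0;
    e->filled = false;
    vq->last_avail++;
    return true;
}

/* fill: mark an in-flight element as used and store its length, without exposing it.
 * Only the window [used_idx, last_avail) is searched, so a head that was already
 * handed back to the driver (or never popped) cannot match a stale slot. */
bool vq_fill(VirtQueueModel *vq, uint16_t head, uint32_t len)
{
    for (uint16_t i = vq->used_idx; i != vq->last_avail; i++) {
        Elem *e = &vq->used_elems[i % QUEUE_SIZE];
        if (e->index == head && !e->filled) {
            e->len = len;
            e->filled = true;
            return true;
        }
    }
    return false;
}

/* flush: copy filled elements to the used ring strictly in pop order, stop at the
 * first element still in flight, then publish used_idx. Returns the number exposed. */
unsigned vq_flush(VirtQueueModel *vq)
{
    unsigned n = 0;
    while (vq->used_idx != vq->last_avail) {
        Elem *e = &vq->used_elems[vq->used_idx % QUEUE_SIZE];
        if (!e->filled) {
            break;               /* an older element is unfinished; nothing newer may pass it */
        }
        vq->used_id[vq->used_idx % QUEUE_SIZE] = e->index;
        vq->used_len[vq->used_idx % QUEUE_SIZE] = e->len;
        e->filled = false;
        vq->used_idx++;          /* the real device puts a write barrier before this */
        n++;
    }
    return n;
}

/* Constructed scenario: driver offers heads 3, 5, 7; completions arrive as 5, 3, 7.
 * counts[] receives what each flush exposed. Returns false if any step was refused. */
bool demo_out_of_order_completion(VirtQueueModel *vq, unsigned counts[3])
{
    memset(vq, 0, sizeof(*vq));
    bool ok = vq_pop(vq, 3) && vq_pop(vq, 5) && vq_pop(vq, 7);
    ok = ok && vq_fill(vq, 5, 64);
    counts[0] = vq_flush(vq);    /* 0: head 3 is older and still in flight */
    ok = ok && vq_fill(vq, 3, 32);
    counts[1] = vq_flush(vq);    /* 2: heads 3 and 5 become visible together, 3 first */
    ok = ok && vq_fill(vq, 7, 16);
    counts[2] = vq_flush(vq);    /* 1 */
    return ok;
}

int main(void)
{
    VirtQueueModel vq;
    unsigned counts[3];
    demo_out_of_order_completion(&vq, counts);
    for (unsigned i = 0; i < 3; i++) {
        printf("flush %u exposed %u element(s)\n", i, counts[i]);
    }
    for (unsigned i = 0; i < vq.used_idx; i++) {
        printf("used[%u] = head %u, len %u\n", i, (unsigned)vq.used_id[i], (unsigned)vq.used_len[i]);
    }
    return 0;
}
```

The bounded search window in vq_fill() is the part worth keeping in mind on the device side: the head index originates with the guest, so matching it only against slots between used_idx and last_avail keeps a stale or repeated head from rewriting an entry that was already handed back.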
On Mon, 8 Apr 2024 at 15:18, Philippe Mathieu-Daudé wrote:
>
> Prevent out-of-bound access with assertions.
>
> Signed-off-by: Philippe Mathieu-Daudé
> ---
> hw/sd/sd.c | 14 ++
> 1 file changed, 14 insertions(+)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index
For multi-byte commands, our implementation uses the @data_start
and @data_offset fields to track byte access. We initialize the
command start/offset in buffer once. Malicious guest might abuse
by switching command while staying in the 'transfer' state, switching
command buffer size, and our
Prevent out-of-bound access with assertions.
Signed-off-by: Philippe Mathieu-Daudé
---
hw/sd/sd.c | 14 ++
1 file changed, 14 insertions(+)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 16d8d52a78..c081211582 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -1875,6 +1875,7 @@ void
Since this is Fix day, I went over this old bug:
https://gitlab.com/qemu-project/qemu/-/issues/487
It happens to be a QEMU implementation detail not
really related to the spec.
Philippe Mathieu-Daudé (2):
hw/sd/sdcard: Avoid OOB in sd_read_byte() during unexpected CMD switch
hw/sd/sdcard:
On Mon, Apr 08, 2024 at 11:46:39AM +0300, Vladimir Sementsov-Ogievskiy wrote:
> On 05.04.24 20:44, Eric Blake wrote:
> > From: Zhu Yangyang
> >
> > Coroutines are not supposed to block. Instead, they should yield.
> >
> > The client performs TLS upgrade outside of an AIOContext, during
> >
Hi Peter,
On Tue, Apr 2, 2024 at 11:24 PM Peter Xu wrote:
>
> On Mon, Apr 01, 2024 at 11:26:25PM +0200, Yu Zhang wrote:
> > Hello Peter and Zhjian,
> >
> > Thank you so much for letting me know about this. I'm also a bit surprised at
> > the plan for deprecating the RDMA migration
On Thu, 4 Apr 2024 at 09:56, Philippe Mathieu-Daudé wrote:
>
> Per "SD Host Controller Standard Specification Version 3.00":
>
> * 1.7 Buffer Control
>
> - 1.7.1 Control of Buffer Pointer
>
> (3) Buffer Control with Block Size
>
> In case of write operation, the buffer accumulates the
On 05.04.24 20:44, Eric Blake wrote:
From: Zhu Yangyang
Coroutines are not supposed to block. Instead, they should yield.
The client performs TLS upgrade outside of an AIOContext, during
synchronous handshake; this still requires g_main_loop. But the
server responds to TLS upgrade inside a
On 8/4/24 10:36, Philippe Mathieu-Daudé wrote:
nand_command() and nand_getio() don't check that @offset points
into the block, nor that the available data length (s->iolen) is
not negative.
In order to fix:
- check the offset is in range in nand_blk_load_NAND_PAGE_SIZE(),
- do not set @iolen if
Signed-off-by: Philippe Mathieu-Daudé
---
hw/block/nand.c | 12 +---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/hw/block/nand.c b/hw/block/nand.c
index 6fa9038bb5..3627c799b5 100644
--- a/hw/block/nand.c
+++ b/hw/block/nand.c
@@ -84,7 +84,11 @@ struct NANDFlashState {
Signed-off-by: Philippe Mathieu-Daudé
---
hw/block/nand.c | 32 +++-
1 file changed, 19 insertions(+), 13 deletions(-)
diff --git a/hw/block/nand.c b/hw/block/nand.c
index d1435f2207..6fa9038bb5 100644
--- a/hw/block/nand.c
+++ b/hw/block/nand.c
@@ -243,9 +243,25 @@
Fix for https://gitlab.com/qemu-project/qemu/-/issues/1446
Philippe Mathieu-Daudé (3):
hw/block/nand: Factor nand_load_iolen() method out
hw/block/nand: Have blk_load() return boolean indicating success
hw/block/nand: Fix out-of-bound access in NAND block buffer
hw/block/nand.c | 50
nand_command() and nand_getio() don't check that @offset points
into the block, nor that the available data length (s->iolen) is
not negative.
In order to fix:
- check the offset is in range in nand_blk_load_NAND_PAGE_SIZE(),
- do not set @iolen if blk_load() failed.
Reproducer:
$ cat << EOF |
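The two checks the commit message lists (reject an out-of-range column in the page load, and leave @iolen unset when the load fails), as an added example that is not hw/block/nand.c: a self-contained C model of the page buffer over a constructed chip image. The geometry macros, the NandModel type, the nand_model_* names and the 0xff returned once the buffer is drained are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Geometry assumed for this model: a small chip with 2 KiB pages and 64-byte OOB. */
#define NAND_PAGE_SIZE 2048
#define OOB_SIZE       64
#define ROW_SIZE       (NAND_PAGE_SIZE + OOB_SIZE)
#define NUM_PAGES      4

typedef struct {
    uint8_t storage[NUM_PAGES * ROW_SIZE]; /* chip contents: page data followed by OOB */
    uint8_t io[ROW_SIZE];                  /* page buffer the guest drains with getio */
    uint8_t *ioaddr;                       /* read cursor into io */
    int iolen;                             /* bytes left to read; must never go negative */
} NandModel;

/* Fill the chip with a known pattern (constructed data) so reads can be checked. */
void nand_model_init(NandModel *s)
{
    for (unsigned page = 0; page < NUM_PAGES; page++) {
        for (unsigned col = 0; col < ROW_SIZE; col++) {
            s->storage[page * ROW_SIZE + col] = (uint8_t)((page * 31 + col) % 251);
        }
    }
    s->ioaddr = s->io;
    s->iolen = 0;
}

/* Load page @page into the buffer starting at column @offset, both guest-chosen.
 * Fails (and copies nothing) when either lies outside the chip: this is the
 * range check the commit message asks for in nand_blk_load_NAND_PAGE_SIZE(). */
bool nand_model_blk_load(NandModel *s, unsigned page, unsigned offset)
{
    if (page >= NUM_PAGES) {
        return false;
    }
    if (offset >= ROW_SIZE) {
        return false;              /* unchecked, ROW_SIZE - offset would underflow the memcpy */
    }
    memcpy(s->io, s->storage + page * ROW_SIZE + offset, ROW_SIZE - offset);
    s->ioaddr = s->io;
    return true;
}

/* READ PAGE command: arm the read cursor only when the load succeeded, so a bad
 * address leaves iolen at 0 instead of ROW_SIZE - offset gone negative. */
void nand_model_read_cmd(NandModel *s, unsigned page, unsigned offset)
{
    s->ioaddr = s->io;
    s->iolen = 0;
    if (nand_model_blk_load(s, page, offset)) {
        s->iolen = (int)(ROW_SIZE - offset);
    }
}

/* Data strobe from the guest: one byte per call. Once the buffer is drained the
 * model returns 0xff (an assumption: an undriven bus) instead of reading past io. */
uint8_t nand_model_getio(NandModel *s)
{
    if (s->iolen <= 0) {
        return 0xff;
    }
    s->iolen--;
    return *s->ioaddr++;
}

int main(void)
{
    static NandModel s;
    nand_model_init(&s);
    nand_model_read_cmd(&s, 1, 2040);
    int remaining = s.iolen;
    uint8_t first = nand_model_getio(&s);
    printf("page 1, column 2040: iolen=%d first byte=0x%02x\n", remaining, first);
    nand_model_read_cmd(&s, 1, ROW_SIZE + 100);
    remaining = s.iolen;
    first = nand_model_getio(&s);
    printf("column past OOB: iolen=%d byte=0x%02x\n", remaining, first);
    return 0;
}
```

Both the page number and the column offset come from guest address cycles, so each is validated against the geometry before it feeds a memcpy length or the iolen countdown. The check lives once in the loader and the command handler trusts only its boolean result, which is the shape the series gives the real code by having blk_load() return success.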
On Mon, Apr 08, 2024 at 10:03:15AM +0200, David Hildenbrand wrote:
On 08.04.24 09:58, Stefano Garzarella wrote:
On Thu, Apr 04, 2024 at 04:09:34PM +0200, David Hildenbrand wrote:
On 04.04.24 14:23, Stefano Garzarella wrote:
shm_open() creates and opens a new POSIX shared memory object.
A
On 08.04.24 09:58, Stefano Garzarella wrote:
On Thu, Apr 04, 2024 at 04:09:34PM +0200, David Hildenbrand wrote:
On 04.04.24 14:23, Stefano Garzarella wrote:
shm_open() creates and opens a new POSIX shared memory object.
A POSIX shared memory object allows creating memory backend with an
FYI I'll be on PTO till May 2nd, I'll send the v4 when I'm back ASAP.
Thanks,
Stefano
On Thu, Apr 04, 2024 at 02:23:19PM +0200, Stefano Garzarella wrote:
v1: https://patchew.org/QEMU/20240228114759.44758-1-sgarz...@redhat.com/
v2:
On Thu, Apr 04, 2024 at 04:09:34PM +0200, David Hildenbrand wrote:
On 04.04.24 14:23, Stefano Garzarella wrote:
shm_open() creates and opens a new POSIX shared memory object.
A POSIX shared memory object allows creating memory backend with an
associated file descriptor that can be shared with
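Creating a shm-backed memory object and handing its descriptor to a second mapper, as an added example that is not QEMU's memory-backend code: a C program using only the POSIX shm_open()/shm_unlink()/ftruncate()/mmap() calls. The shm_backend_* names, the object name, and dup() standing in for passing the fd over a socket are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a POSIX shm object for use as a memory backend and return its fd.
 * O_CREAT|O_EXCL refuses to attach to an object some other process pre-created
 * under our name; mode 0600 keeps other users out; unlinking straight away makes
 * the fd (and whatever it is passed to) the only way to reach the memory. */
int shm_backend_create(const char *name, size_t size)
{
    int fd = shm_open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0) {
        return -1;
    }
    shm_unlink(name);
    if (ftruncate(fd, (off_t)size) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Returns 1 if a second O_EXCL create under a still-linked name is refused with
 * EEXIST, 0 if it wrongly succeeds, -1 if the first create itself failed. */
int shm_exclusive_create_check(const char *name)
{
    int fd = shm_open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0) {
        return -1;
    }
    int second = shm_open(name, O_RDWR | O_CREAT | O_EXCL, 0600);
    int refused = (second < 0 && errno == EEXIST);
    if (second >= 0) {
        close(second);
    }
    shm_unlink(name);
    close(fd);
    return refused;
}

/* Stand-in for two processes sharing the backend: dup() plays the role of passing
 * the fd over a unix socket. Both map the same object; a write through one mapping
 * must be visible through the other. Returns 1 on success, 0 on mismatch, -1 on error. */
int shm_backend_share_check(const char *name, size_t size)
{
    int fd = shm_backend_create(name, size);
    if (fd < 0) {
        return -1;
    }
    int peer = dup(fd);
    unsigned char *a = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    unsigned char *b = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, peer, 0);
    int result = -1;
    if (a != MAP_FAILED && b != MAP_FAILED) {
        memcpy(a, "guest-ram", 10);                 /* constructed payload */
        result = memcmp(b, "guest-ram", 10) == 0;
    }
    if (a != MAP_FAILED) munmap(a, size);
    if (b != MAP_FAILED) munmap(b, size);
    close(peer);
    close(fd);
    return result;
}

int main(void)
{
    char name[64];
    snprintf(name, sizeof(name), "/shm-example-%ld", (long)getpid());
    printf("exclusive create refused: %d\n", shm_exclusive_create_check(name));
    printf("shared mapping visible:   %d\n", shm_backend_share_check(name, 1 << 20));
    return 0;
}
```

O_EXCL matters because the shm namespace is shared by every process of the same user (and by others where the mount's permissions allow): without it a pre-created object with a permissive mode or an unexpected size would be silently adopted. Unlinking right after creation shrinks the window in which anyone else can open the name; that is this example's policy, not a statement about what QEMU's backend does.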
On Thu, Apr 4, 2024 at 10:55 AM Philippe Mathieu-Daudé
wrote:
>
> Per "SD Host Controller Standard Specification Version 3.00":
>
> * 1.7 Buffer Control
>
> - 1.7.1 Control of Buffer Pointer
>
> (3) Buffer Control with Block Size
>
> In case of write operation, the buffer accumulates
On Thu, Apr 04, 2024 at 04:00:38PM +0200, Philippe Mathieu-Daudé wrote:
Hi Stefano,
Hi Phil!
On 4/4/24 14:23, Stefano Garzarella wrote:
Let's make the code more portable by using the "qemu/bswap.h" API
and adding defines from block/file-posix.c to support O_DIRECT in
other systems (e.g.