diff --git a/SOURCES/kvm-block-Fix-flags-in-reopen-queue.patch b/SOURCES/kvm-block-Fix-flags-in-reopen-queue.patch
new file mode 100644
index 0000000..f3ecaba
--- /dev/null
+++ b/SOURCES/kvm-block-Fix-flags-in-reopen-queue.patch
@@ -0,0 +1,60 @@ +From bf0e9a6374d872bde330fb3c4994697250ef235b Mon Sep 17 00:00:00 2001 +From: Fam Zheng +Date: Tue, 13 Mar 2018 15:27:54 +0100 +Subject: [PATCH 1/4] block: Fix flags in reopen queue + +RH-Author: Fam Zheng +Message-id: <20180313152755.31475-2-famz@redhat.com> +Patchwork-id: 79273 +O-Subject: [RHV7.5 qemu-kvm-ma PATCH v4 1/2] block: Fix flags in reopen queue +Bugzilla: 1557206 +RH-Acked-by: Max Reitz +RH-Acked-by: Kevin Wolf +RH-Acked-by: Stefan Hajnoczi + +Reopen flags are not synchronized according to the +bdrv_reopen_queue_child precedence until bdrv_reopen_prepare. It is a +bit too late: we already check the consistency in bdrv_check_perm before +that. + +This fixes the bug that when bdrv_reopen a RO node as RW, the flags for +backing child are wrong. Before, we could recurse with flags.rw=1; now, +role->inherit_options + update_flags_from_options will make sure to +clear the bit when necessary. Note that this will not clear an +explicitly set bit, as in the case of parallel block jobs (e.g. +test_stream_parallel in 030), because the explicit options include +'read-only=false' (for an intermediate node used by a different job). 
+
+Signed-off-by: Fam Zheng
+Reviewed-by: Max Reitz
+Signed-off-by: Kevin Wolf
+Signed-off-by: Fam Zheng
+Signed-off-by: Miroslav Rezanina
+---
+ block.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/block.c b/block.c
+index ca8a46b..a1084e7 100644
+--- a/block.c
++++ b/block.c
+@@ -2759,8 +2759,16 @@ static BlockReopenQueue *bdrv_reopen_queue_child(BlockReopenQueue *bs_queue,
+
+ /* Inherit from parent node */
+ if (parent_options) {
++ QemuOpts *opts;
++ QDict *options_copy;
+ assert(!flags);
+ role->inherit_options(&flags, options, parent_flags, parent_options);
++ options_copy = qdict_clone_shallow(options);
++ opts = qemu_opts_create(&bdrv_runtime_opts, NULL, 0, &error_abort);
++ qemu_opts_absorb_qdict(opts, options_copy, NULL);
++ update_flags_from_options(&flags, opts);
++ qemu_opts_del(opts);
++ QDECREF(options_copy);
+ }
+
+ /* Old values are used for options that aren't set yet */
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-iotests-Add-regression-test-for-commit-base-locking.patch b/SOURCES/kvm-iotests-Add-regression-test-for-commit-base-locking.patch
new file mode 100644
index 0000000..3effa27
--- /dev/null
+++ b/SOURCES/kvm-iotests-Add-regression-test-for-commit-base-locking.patch
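Review bot: `qemu_opts_absorb_qdict(opts, options_copy, NULL)` throws away any parse error, so an explicit option with an unparsable value (e.g. a non-boolean `read-only`) leaves `flags` at whatever `role->inherit_options` produced and the child's flags can again disagree with its explicit options for exactly the case this patch is meant to fix; presumably bdrv_reopen_prepare re-parses the same options with a real errp later, but that is not visible here. That reliance is worth pinning so a future caller does not treat these flags as validated, e.g. `/* Parse errors are ignored here; bdrv_reopen_prepare re-parses the options and reports them. */` above the absorb call (an `&error_abort` would turn bad user input into a crash, so it is not the right fix). bdrv_reopen_queue_child starts and ends outside this hunk.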
@@ -0,0 +1,64 @@
+From 9cac958ac666c9095490cf6814110c8083ad8929 Mon Sep 17 00:00:00 2001
+From: Fam Zheng
+Date: Tue, 13 Mar 2018 15:27:55 +0100
+Subject: [PATCH 2/4] iotests: Add regression test for commit base locking
+
+RH-Author: Fam Zheng
+Message-id: <20180313152755.31475-3-famz@redhat.com>
+Patchwork-id: 79276
+O-Subject: [RHV7.5 qemu-kvm-ma PATCH v4 2/2] iotests: Add regression test for commit base locking
+Bugzilla: 1557206
+RH-Acked-by: Max Reitz
+RH-Acked-by: Kevin Wolf
+RH-Acked-by: Stefan Hajnoczi
+
+Signed-off-by: Fam Zheng
+Reviewed-by: Max Reitz
+Signed-off-by: Kevin Wolf
+Signed-off-by: Fam Zheng
+Signed-off-by: Miroslav Rezanina
+---
+ tests/qemu-iotests/153 | 11 +++++++++++
+ tests/qemu-iotests/153.out | 4 ++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/tests/qemu-iotests/153 b/tests/qemu-iotests/153
+index fa25eb2..0b62ac9 100755
+--- a/tests/qemu-iotests/153
++++ b/tests/qemu-iotests/153
+@@ -178,6 +178,17 @@ ln -s ${TEST_IMG} "${TEST_IMG}.lnk" || echo "Failed to create link"
+ _run_qemu_with_images "${TEST_IMG}.lnk" "${TEST_IMG}"
+
+ echo
++echo "== Active commit to intermediate layer should work when base in use =="
++_launch_qemu -drive format=$IMGFMT,file="${TEST_IMG}.a",id=drive0,if=none \
++ -device virtio-blk,drive=drive0
++
++_send_qemu_cmd $QEMU_HANDLE \
++ "{ 'execute': 'qmp_capabilities' }" \
++ 'return'
++_run_cmd $QEMU_IMG commit -b "${TEST_IMG}.b" "${TEST_IMG}.c"
++
++_cleanup_qemu
++
+ echo "== Closing an image should unlock it =="
+ _launch_qemu
+
+diff --git a/tests/qemu-iotests/153.out b/tests/qemu-iotests/153.out
+index 5b917b1..3f19afb 100644
+--- a/tests/qemu-iotests/153.out
++++ b/tests/qemu-iotests/153.out
+@@ -373,6 +373,10 @@ Is another process using the image?
+ QEMU_PROG: -drive if=none,file=TEST_DIR/t.qcow2: Failed to get "write" lock
+ Is another process using the image?
+
++== Active commit to intermediate layer should work when base in use ==
++{"return": {}}
++
++_qemu_img_wrapper commit -b TEST_DIR/t.qcow2.b TEST_DIR/t.qcow2.c
+ == Closing an image should unlock it ==
+ {"return": {}}
+ Adding drive
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-add-ram_addr_t-cast.patch b/SOURCES/kvm-vga-add-ram_addr_t-cast.patch
new file mode 100644
index 0000000..b7ba905
--- /dev/null
+++ b/SOURCES/kvm-vga-add-ram_addr_t-cast.patch
@@ -0,0 +1,41 @@
+From 1d5aa1e3de92a5ceff6c30e48c10275c5d3ce9ac Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Mon, 19 Mar 2018 14:34:58 +0100
+Subject: [PATCH 3/4] vga: add ram_addr_t cast
+
+RH-Author: Gerd Hoffmann
+Message-id: <20180319143459.15364-2-kraxel@redhat.com>
+Patchwork-id: 79361
+O-Subject: [RHV7.5 qemu-kvm-rhev PATCH 1/2] vga: add ram_addr_t cast
+Bugzilla: 1566878
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Laszlo Ersek
+
+Reported by Coverity.
+
+Fixes: CID 1381409
+Signed-off-by: Gerd Hoffmann
+Message-id: 20171010141323.14049-4-kraxel@redhat.com
+(cherry picked from commit b0898b42ef099bc125db1fbf62b7f02b505ef3a2)
+Signed-off-by: Miroslav Rezanina
+---
+ hw/display/vga.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index b1cdf36..b6a3b95 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1488,7 +1488,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ disp_width = width;
+
+ region_start = (s->start_addr * 4);
+- region_end = region_start + s->line_offset * height;
++ region_end = region_start + (ram_addr_t)s->line_offset * height;
+ if (region_end > s->vbe_size) {
+ /* wraps around (can happen with cirrus vbe modes) */
+ region_start = 0;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vga-fix-region-calculation.patch b/SOURCES/kvm-vga-fix-region-calculation.patch
new file mode 100644
index 0000000..a4d234a
--- /dev/null
+++ b/SOURCES/kvm-vga-fix-region-calculation.patch
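Review bot: The cast widens only the `line_offset * height` product; `region_start = (s->start_addr * 4)` on the line above still multiplies in start_addr's own type before the result is stored into the wider `region_start`, so if start_addr is a 32-bit field like line_offset (its declaration is not in this hunk) a large guest-programmed start address can wrap there and the `> s->vbe_size` clamp below never sees the wrapped-away bits. For symmetry I would write `region_start = (ram_addr_t)s->start_addr * 4;` in the same change rather than leaving it for the next Coverity run. vga_draw_graphic starts and ends outside this hunk.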
@@ -0,0 +1,47 @@
+From a4a396ff1f6bf512d8a1e65f692242d4332c615c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Mon, 19 Mar 2018 14:34:59 +0100
+Subject: [PATCH 4/4] vga: fix region calculation
+
+RH-Author: Gerd Hoffmann
+Message-id: <20180319143459.15364-3-kraxel@redhat.com>
+Patchwork-id: 79360
+O-Subject: [RHV7.5 qemu-kvm-rhev PATCH 2/2] vga: fix region calculation
+Bugzilla: 1566878
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Laszlo Ersek
+
+Typically the scanline length and the line offset are identical. But
+in case they are not our calculation for region_end is incorrect. Using
+line_offset is fine for all scanlines, except the last one where we have
+to use the actual scanline length.
+
+Fixes: CVE-2018-7550
+Reported-by: Ross Lagerwall
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Prasad J Pandit
+Tested-by: Ross Lagerwall
+Message-id: 20180309143704.13420-1-kraxel@redhat.com
+(cherry picked from commit 7cdc61becd095b64a786b2625f321624e7111f3d)
+Signed-off-by: Miroslav Rezanina
+---
+ hw/display/vga.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index b6a3b95..f060f26 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1489,6 +1489,8 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+
+ region_start = (s->start_addr * 4);
+ region_end = region_start + (ram_addr_t)s->line_offset * height;
++ region_end += width * s->get_bpp(s) / 8; /* scanline length */
++ region_end -= s->line_offset;
+ if (region_end > s->vbe_size) {
+ /* wraps around (can happen with cirrus vbe modes) */
+ region_start = 0;
+--
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index f74896f..9f7889a 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
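Review bot: The new scanline term `width * s->get_bpp(s) / 8` becomes 0 whenever get_bpp() reports 0, and as far as I recall the stock VGA get_bpp does so for every non-VBE mode while the draw loop in this function still consumes 4 bits per pixel for those modes; if so, `region_end -= s->line_offset` then leaves region_end one full line_offset short of the last scanline's real end and the dirty-snapshot range no longer covers what the loop reads. If the function has already derived the per-mode `bits` value the draw loop uses (it is not visible in this hunk), the same number should feed this calculation, e.g. `region_end += (width * bits + 7) / 8; /* last scanline */`, otherwise the 0 case needs an explicit comment explaining why it is safe. Separately, the trailer says `Fixes: CVE-2018-7550` while the spec comment and changelog track bz#1566878 as CVE-2018-7858; one of the two identifiers is wrong and should be reconciled before this ships. vga_draw_graphic starts and ends outside this hunk.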
@@ -106,7 +106,7 @@ Obsoletes: %1%{rhel_ma_suffix} < %{obsoletes_version2} \ Summary: QEMU is a machine emulator and virtualizer Name: %{pkgname}%{?pkgsuffix} Version: 2.10.0 -Release: 21%{?dist}.1 +Release: 21%{?dist}.2 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 10 License: GPLv2+ and LGPLv2+ and BSD @@ -1049,6 +1049,14 @@ Patch446: kvm-redhat-Define-the-pseries-rhel7.5-sxxm-machine-type.patch Patch447: kvm-redhat-Define-the-pseries-rhel7.4-sxxm-machine-type.patch # For bz#1554957 - [CVE-2017-5754] Variant3: POWER {qemu-kvm-ma} Add machine type variants [rhel-7.5.z] Patch448: kvm-redhat-Define-the-pseries-rhel7.3-sxxm-machine-type.patch +# For bz#1557206 - [Regression] Cannot delete VM's snapshot [rhel-7.5.z] +Patch449: kvm-block-Fix-flags-in-reopen-queue.patch +# For bz#1557206 - [Regression] Cannot delete VM's snapshot [rhel-7.5.z] +Patch450: kvm-iotests-Add-regression-test-for-commit-base-locking.patch +# For bz#1566878 - CVE-2018-7858 qemu-kvm-ma: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z] +Patch451: kvm-vga-add-ram_addr_t-cast.patch +# For bz#1566878 - CVE-2018-7858 qemu-kvm-ma: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z] +Patch452: kvm-vga-fix-region-calculation.patch BuildRequires: zlib-devel BuildRequires: glib2-devel @@ -1674,6 +1682,10 @@ cp %{SOURCE29} pc-bios %patch446 -p1 %patch447 -p1 %patch448 -p1 +%patch449 -p1 +%patch450 -p1 +%patch451 -p1 +%patch452 -p1 # for tscdeadline_latency.flat %ifarch x86_64 
@@ -2172,6 +2184,16 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %endif %changelog +* Fri Apr 13 2018 Miroslav Rezanina - ma-2.10.0-21.el7_5.2 +- kvm-block-Fix-flags-in-reopen-queue.patch [bz#1557206] +- kvm-iotests-Add-regression-test-for-commit-base-locking.patch [bz#1557206] +- kvm-vga-add-ram_addr_t-cast.patch [bz#1566878] +- kvm-vga-fix-region-calculation.patch [bz#1566878] +- Resolves: bz#1557206 + ([Regression] Cannot delete VM's snapshot [rhel-7.5.z]) +- Resolves: bz#1566878 + (CVE-2018-7858 qemu-kvm-ma: Qemu: cirrus: OOB access when updating vga display [rhel-7] [rhel-7.5.z]) + * Wed Mar 14 2018 Miroslav Rezanina - ma-2.10.0-21.el7_5.1 - kvm-memory-inline-some-performance-sensitive-accessors.patch [bz#1554930] - kvm-address_space_write-address_space_to_flatview-needs-.patch [bz#1554930]