On 02/21/2017 08:58 AM, Kevin Wolf wrote:
> NBD can't cope with device size changes, so resize must be forbidden,
> but otherwise we can tolerate anything. Depending on whether the export
> is writable or not, we only require consistent reads and writes.
Well, there is a proposal for NBD to grow a
This series is the first part of implementing the new op blocker system
whose design was agreed on quite a while ago, but proved a bit tricky to
implement in places. There is more work to do to fully replace the old op
blocker system, but realistically we don't have that much time until the 2.9
fre
In many cases, the required permissions of one node on its children
depend on what its parents require from it. For example, the raw format
or most filter drivers only need to request consistent reads if that's
something that one of their parents wants.
In order to achieve this, this patch introdu
When attaching a node as a child to a new parent, the required and
shared permissions for this parent are checked against all other parents
of the node now, and an error is returned if there is a conflict.
This allows error returns to a function that previously always
succeeded, and the same is tr
This makes use of the .bdrv_child_perm() implementation for formats that
we just added. All format drivers expose the permissions they actually
need now, so that they can be set accordingly and updated when parents
are attached or detached.
The only format not included here is raw, which was alre
It will have to return an error soon, so prepare the callers for it.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
block.c | 16 +---
block/quorum.c| 9 -
include/block/block.h | 3 ++-
3 files changed, 23 insertions(+), 5 deletions(-)
diff --
This patch defines the permission categories that will be used by the
new op blocker system.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
include/block/block.h | 36
1 file changed, 36 insertions(+)
diff --git a/include/block/block.h b/include/block
vvfat is the last remaining driver that can have children, but doesn't
implement .bdrv_child_perm() yet. The default handlers aren't suitable
here, so let's implement a very simple driver-specific one that protects
the internal child from being used by other users as well as our
permissions permit.
Now that all block drivers with children tell us what permissions they
need from each of their children, bdrv_attach_child() can use this
information and make the right requirements while trying to attach new
children.
Signed-off-by: Kevin Wolf
---
block.c | 22 +++---
1 file cha
Most filters need permissions related to read and write for their
children, but only if the node has a parent that wants to use the same
operation on the filter. The same is true for resize.
This adds a default implementation that simply forwards all necessary
permissions to all children of the no
All callers will have to request permissions for all of their child
nodes. Block drivers that act as simple filters can use the default
implementation of .bdrv_child_perm().
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
block/blkdebug.c| 2 ++
block/blkreplay.c | 1 +
block/blkveri
Now that blk_insert_bs() requests the BlockBackend permissions for the
node it attaches to, it can fail. Instead of aborting, pass the errors
to the callers.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
block.c | 5 -
block/backup.c | 5 +
Almost all format drivers have the same characteristics as far as
permissions are concerned: They have one or more children for storing
their own data and, more importantly, metadata (can be written to and
grow even without external write requests, must be protected against
other writers and presen
The BlockBackend can now store the permissions that its user requires.
This is necessary because nodes can be ejected from or inserted into a
BlockBackend and all of these operations must make sure that the user
still gets what it requested initially.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Re
For meaningful error messages in the permission system, we need to get
some human-readable description of the parent of a BdrvChild.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
block.c | 9 +
block/block-backend.c | 21 +
include/block
This makes all device emulations with a qdev drive property request
permissions on their BlockBackend. The only thing we block at this point
is resizing images for some devices that can't support it.
Signed-off-by: Kevin Wolf
---
hw/block/block.c | 22 +-
hw/b
We want every user to be specific about the permissions it needs, so
we'll pass the initial permissions as parameters to blk_new(). A user
only needs to call blk_set_perm() if it wants to change the permissions
after the fact.
The permissions are stored in the BlockBackend and applied whenever a
B
Management tools need to be able to know about every node in the graph
and need a way to address them. Changing the graph structure was okay
because libvirt doesn't really manage the node level yet, but future
libvirt versions need to deal with both new and old versions of qemu.
This new option to
All block drivers that can have child nodes implement .bdrv_child_perm()
now. Make this officially a requirement by asserting that only drivers
without children can omit .bdrv_child_perm().
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
block.c | 6 --
1 file changed, 4 insertions(+),
By default, don't allow another writer for block devices that are
attached to a guest device. For the cases where this setup is intended
(e.g. using a cluster filesystem on the disk), the new option can be
used to allow it.
This change affects only devices using DEFINE_BLOCK_PROPERTIES().
Devices
We can figure out the necessary permissions from the flags that the
caller passed.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
block/block-backend.c | 22 +++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/block/block-backend.c b/block/block-backend.c
blk_new_open() is a convenience function that processes flags rather
than QDict options as a simple way to just open an image file.
In order to keep it convenient in the future, it must automatically
request the necessary permissions. This can easily be inferred from the
flags for read and write,
The HMP command 'qemu-io' is a bit tricky because it wants to work on
the original BlockBackend, but additional permissions could be required.
The details are explained in a comment in the code, but in summary, just
request whatever permissions the current qemu-io command needs.
Signed-off-by: Kev
Backing files are somewhat special compared to other kinds of children
because they are attached and detached using bdrv_set_backing_hd()
rather than the normal set of functions, which does a few more things
like setting backing blockers, toggling the BDRV_O_NO_BACKING flag,
setting parent_bs->back
Some devices allow a media change between read-only and read-write
media. They need to adapt the permissions in their .change_media_cb()
implementation, which can fail. So add an Error parameter to the
function.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
block/block-backend.c
This function creates a BlockBackend internally, so the block jobs need
to tell it what they want to do with the BB.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
block/backup.c | 5 +++--
block/commit.c | 5 +++--
block/mirror.c | 5 +++--
bloc
Aborting on error in bdrv_append() isn't correct. This patch fixes it
and lets the callers handle failures.
Test case 085 needs a reference output update. This is caused by the
reversed order of bdrv_set_backing_hd() and change_parent_backing_link()
in bdrv_append(): When the backing file of the n
Instead of just telling that there was some conflict, we can be specific
and tell which permissions were in conflict and which way the conflict
is.
Signed-off-by: Kevin Wolf
---
block.c | 67 ++---
1 file changed, 56 insertions(+), 11 d
Block jobs don't actually do I/O through the reference they create
with block_job_add_bdrv(), but they might want to use the permission
system to express what the block job does to intermediate nodes. This
adds permissions to block_job_add_bdrv() to provide the means to request
permissions.
S
NBD can't cope with device size changes, so resize must be forbidden,
but otherwise we can tolerate anything. Depending on whether the export
is writable or not, we only require consistent reads and writes.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
nbd/server.c | 11 +--
1 fi
* Vladimir Sementsov-Ogievskiy (vsement...@virtuozzo.com) wrote:
> 24.02.2017 16:26, Dr. David Alan Gilbert wrote:
> > * Vladimir Sementsov-Ogievskiy (vsement...@virtuozzo.com) wrote:
> > > Postcopy migration of dirty bitmaps. Only named dirty bitmaps,
> > > associated with root nodes and non-root
When the parents' child links are updated in bdrv_append() or
bdrv_replace_in_backing_chain(), this should affect all child links of
BlockBackends or other nodes, but not on child links held for other
purposes (like for setting permissions). This patch allows controlling
the behaviour per BdrvChildR
This is a little simpler than the commit block job because it's
synchronous and only commits into the immediate backing file, but
otherwise doing more or less the same.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
block/commit.c | 33 +++--
1 file changed, 27
This adds an assertion that ensures that the necessary resize permission
has been granted before bdrv_truncate() is called.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
block.c| 3 +++
block/io.c | 1 +
2 files changed, 4 insertions(+)
diff --git a/block.c b/block.c
index af2b8ff..
This is probably one of the most interesting conversions to the new
op blocker system because a commit block job intentionally leaves some
intermediate block nodes in the backing chain that aren't valid on their
own any more; only the whole chain together results in a valid view.
In order to provi
The backup block job doesn't have very complicated requirements: It
needs to read from the source and write to the target, but it's fine
with either side being changed. The only restriction is that we can't
resize the image because the job uses a cached value.
qemu-iotests 055 needs to be changed
Not all callers of bdrv_set_backing_hd() know for sure that attaching
the backing file will be allowed by the permission system. Return the
error from the function rather than aborting.
Signed-off-by: Kevin Wolf
---
block.c | 30 +++---
block/commit.c
On 02/24/2017 04:44 PM, Eric Blake wrote:
> On 02/24/2017 03:31 PM, John Snow wrote:
>>>
>>> But the Backup Server could instead connect to the NAS directly avoiding
>>> load on the frontend LAN
>>> and the Qemu Node.
>>>
>>
>> In a live backup I don't see how you will be removing QEMU from the d
bdrv_append() cares about isolation of the node that it modifies, but
not about activity in some subtree below it. Instead of using the
recursive bdrv_requests_pending(), directly check bs->in_flight, which
considers only the node in question.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
Now that the backing file child role implements .attach/.detach
callbacks, nothing prevents us from modifying the graph even if that
involves changing backing file links.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
block.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
d
The correct permissions are relatively obvious here (and explained in
code comments). For intermediate streaming, we need to reopen the top
node read-write before creating the job now because the permissions
system catches attempts to get the BLK_PERM_WRITE_UNCHANGED permission
on a read-only node.
The mirror block job is mainly used for two different scenarios:
Mirroring to an otherwise unused, independent target node, or for active
commit where the target node is part of the backing chain of the source.
Similarly to the commit block job patch, we need to insert a new filter
node to keep th
Not requesting any permissions is actually correct for these test cases
because no actual I/O or other operation covered by the permission
system is performed.
Signed-off-by: Kevin Wolf
Reviewed-by: Max Reitz
---
tests/test-blockjob.c | 2 +-
tests/test-throttle.c | 2 +-
2 files changed, 2 ins
On Mon, Feb 27, 2017 at 03:12:26PM +0200, Marcel Apfelbaum wrote:
> Add the missing osc method for pxb-pcie devices as ACPI spec recommends,
> see 6.2.10.3 OSC Implementation Example for PCI Host Bridge Devices, ACPI 5.0:
>
> It is recommended that a machine with multiple host bridge devices
>
Request BLK_PERM_CONSISTENT_READ for the source of block migration, and
handle potential permission errors as well as we can in this place
(which is not very good, but it matches the other failure cases).
Signed-off-by: Kevin Wolf
---
migration/block.c | 22 +-
1 file changed
This is where we want to check the permissions, so we need to have the
BdrvChild around where they are stored.
Signed-off-by: Kevin Wolf
---
block/io.c | 37 +
1 file changed, 21 insertions(+), 16 deletions(-)
diff --git a/block/io.c b/block/io.c
index d5c454
On Mon, Jan 30, 2017 at 04:19:56PM +0300, Denis V. Lunev wrote:
> From: Anton Nefedov
>
> According to RFC7230 Section 3.2, header field name is case-insensitive.
>
> The haystack string length is limited by 4096 bytes by
> qio_channel_websock_handshake_read().
>
> Further, handshake_process()
According to RFC7230 Section 3.2, header field name is case-insensitive.
Convert the header data into all lowercase before doing string matching
on the headers.
Signed-off-by: Daniel P. Berrange
---
io/channel-websock.c | 14 +-
1 file changed, 9 insertions(+), 5 deletions(-)
diff -
This adds assertions that ensure that the necessary write permissions
have been granted before someone attempts to write to a node.
Signed-off-by: Kevin Wolf
---
block/io.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/block/io.c b/block/io.c
index 2592ca1..4c79745 100644
--- a/block/io
On 02/27/2017 11:11 PM, Daniel P. Berrange wrote:
> On Mon, Jan 30, 2017 at 04:19:56PM +0300, Denis V. Lunev wrote:
>> From: Anton Nefedov
>>
>> According to RFC7230 Section 3.2, header field name is case-insensitive.
>>
>> The haystack string length is limited by 4096 bytes by
>> qio_channel_webs
On 02/27/2017 05:03 AM, Peter Lieven wrote:
> the convert process is currently completely implemented with sync operations.
> That means it reads one buffer and then writes it. No parallelism and each
> sync
> request takes as long as it takes until it is completed.
>
>
> This patches introduce
On 27.02.2017 at 12:03, Peter Lieven wrote:
> the convert process is currently completely implemented with sync operations.
> That means it reads one buffer and then writes it. No parallelism and each
> sync
> request takes as long as it takes until it is completed.
>
> This can be a big
Hello, my name is Sergio Gómez.
It seems that QEMU has been accepted into GSoC 2017. I'm interested in
working with QEMU due to my interest in virtual machines in general.
Particularly, taking into account that I have experience developing a
(simple) emulator, and a (very simple) operating system,
On 02/27/2017 02:14 PM, Daniel P. Berrange wrote:
> According to RFC7230 Section 3.2, header field name is case-insensitive.
> Convert the header data into all lowercase before doing string matching
> on the headers.
>
> Signed-off-by: Daniel P. Berrange
> ---
> io/channel-websock.c | 14 +++
On 02/27/2017 12:58 PM, Jeff Cody wrote:
> This patch is prep work for parsing options for .bdrv_parse_filename,
> and using QDict options.
>
> The function qemu_rbd_next_tok() searched for various key/value pairs,
> and copied them into buffers. This will soon be an unnecessary extra
> step, so
Hi,
This series seems to have some coding style problems. See output below for
more information:
Message-id: 20170227201456.31814-1-berra...@redhat.com
Type: series
Subject: [Qemu-devel] [PATCH] io: ignore case when matching websockets HTTP
headers
=== TEST SCRIPT BEGIN ===
#!/bin/bash
BASE=ba
On 02/27/2017 01:55 PM, Markus Armbruster wrote:
> Commit 75cdcd1 neglected to update tests/qemu-iotests/049.out, and
> made the error message for negative size worse. Fix that.
>
> Reported-by: Thomas Huth
> Signed-off-by: Markus Armbruster
Tested-by: Christian Borntraeger
> ---
> tests/qe
On Thu, Feb 23, 2017 at 04:59:55PM +1100, Sam Bobroff wrote:
> Refactor the architecture specific code to make it easier
> to add new special case files.
>
> There should be no change in functionality.
>
> Signed-off-by: Sam Bobroff
Reviewed-by: David Gibson
> ---
> v2:
>
> I've factored the
On Thu, Feb 23, 2017 at 04:59:54PM +1100, Sam Bobroff wrote:
> The PPC MMU types are sometimes treated as if they were a bit field
> and sometimes as if they were an enum which causes maintenance
> problems: flipping bits in the MMU type (which is done on both the 1TB
> segment and 64K segment bits)
On Mon, 27 Feb 2017 12:09:53 +1100
David Gibson wrote:
> On Fri, Feb 24, 2017 at 10:13:50AM +0100, Greg Kurz wrote:
> > On Fri, 24 Feb 2017 15:55:31 +1100
> > Alexey Kardashevskiy wrote:
> >
> > > From: Greg Kurz
> > >
> > > Some systems can already provide more than 255 hardware threads.
>
On 02/27/2017 12:58 PM, Jeff Cody wrote:
> This adds all the currently supported runtime opts, which
> are the options as parsed from the filename. All of these
> options are explicitly checked for during runtime,
> with an exception to the "keyvalue-pairs" option.
>
> This option contains
David,
Any chances to have this in 2.9 ?
On Wed, 22 Feb 2017 11:56:53 +0100
Greg Kurz wrote:
> From: Greg Kurz
>
> Since commit 1d2d974244c6 "spapr_pci: enumerate and add PCI device tree", QEMU
> populates the PCI device tree in the opposite order compared to SLOF.
>
> Before 1d2d974244c6:
>
On Mon, Feb 27, 2017 at 04:18:57PM -0600, Eric Blake wrote:
> On 02/27/2017 12:58 PM, Jeff Cody wrote:
> > This adds all the currently supported runtime opts, which
> > are the options as parsed from the filename. All of these
> > options are explicitly checked for during runtime,
> > with
Eric, are you OK with this series going upstream? If so, do you want me
to send the pull request for it or are you going to handle it?
On Sat, 25 Feb 2017, Zhang Chen wrote:
> Xen COLO depend on qemu COLO replication function.
> So, we need new qmp commands for Xen to use qemu replication.
>
> Co
The following changes since commit 8f2d7c341184a95d05476ea3c45dbae2b9ddbe51:
Merge remote-tracking branch
'remotes/berrange/tags/pull-qcrypto-2017-02-27-1' into staging (2017-02-27
15:33:21 +)
are available in the git repository at:
git://github.com/vivier/qemu.git tags/linux-user-for-
Since commit 5ea2fc8 ("linux-user: Sanity check clone flags"),
trying to run fork() fails with old distro on some architectures.
This is the case with HP-PA and Debian 5 (Lenny).
It fails on:
if ((flags & CSIGNAL) != TARGET_SIGCHLD) {
    return -TARGET_EINVAL;
}
beca
From: Helge Deller
Add the necessary sockopts for ping and traceroute on IPv6.
This fixes the following qemu warnings with IPv6:
Unsupported ancillary data: 0/2
Unsupported ancillary data: 0/11
Unsupported ancillary data: 41/25
Unsupported setsockopt level=0 optname=12
Unsupported setsockopt le
Use cpu_m68k_get_ccr()/cpu_m68k_set_ccr() to setup and restore correctly
the value of SR in the ucontext structure
Signed-off-by: Laurent Vivier
Message-Id: <20170225110517.2832-2-laur...@vivier.eu>
---
linux-user/signal.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/
From: Michael Karcher
do_rt_sigreturn uses an uninitialised local variable instead of fetching
the old signal mask directly from the signal frame when restoring the mask,
so the signal mask is undefined after do_rt_sigreturn. As the signal
frame data is in target-endian order, target_to_host_sigs
From: Pranith Kumar
Note that x86_64 has only _rt signal handlers. This implementation
attempts to share code with the x86_32 implementation.
CC: Laurent Vivier
Signed-off-by: Allan Wirth
Reviewed-by: Peter Maydell
Signed-off-by: Pranith Kumar
Reviewed-by: Laurent Vivier
Message-Id: <201702
On 02/27/2017 12:58 PM, Jeff Cody wrote:
> Get rid of qemu_rbd_parsename in favor of bdrv_parse_filename.
> This simplifies a lot of the parsing as well, as we can treat everything
> a bit simpler since nonexistent options are simply NULL pointers instead
> of empy strings.
s/empy/empty/
>
> An
From: Franklin "Snaipe" Mathieu
The current implementation of the mincore(2) syscall sets errno to
EFAULT when the region identified by the first two parameters is
invalid.
This goes against the man page specification, where mincore(2) should
only fail with EFAULT when the third paramete
On 02/27/2017 04:31 PM, Stefano Stabellini wrote:
> Eric, are you OK with this series going upstream? If so, do you want me
> to send the pull request for it or are you going to handle it?
Both patches have my R-b, but MAINTAINERS suggests the pull request
should go through COLO Framework (zhangha
On 02/27/2017 12:58 PM, Jeff Cody wrote:
> Signed-off-by: Jeff Cody
> ---
> qapi/block-core.json | 34 +++---
> 1 file changed, 31 insertions(+), 3 deletions(-)
>
> diff --git a/qapi/block-core.json b/qapi/block-core.json
> index 5f82d35..5b311ff 100644
> --- a/qapi/b
On 02/27/2017 12:58 PM, Jeff Cody wrote:
> This adds support for two additional options that may be specified
> by QAPI in blockdev-add:
>
> mon_host: servername and port
> auth_supported: either 'cephx' or 'none'
Please spell new options with '-'
>
> Signed-off-by: Jeff Cody
> ---
>
On 02/26/2017 03:43 PM, Markus Armbruster wrote:
> The qobject input visitor comes in a strict and a non-strict variant.
> This test is the non-strict variant's last user. Turns out it relies
> on non-strict only in test_visitor_in_null(), and just out of
> laziness. We don't actually test the no
On Mon, 27 Feb 2017, Eric Blake wrote:
> On 02/27/2017 04:31 PM, Stefano Stabellini wrote:
> > Eric, are you OK with this series going upstream? If so, do you want me
> > to send the pull request for it or are you going to handle it?
>
> Both patches have my R-b, but MAINTAINERS suggests the pull
On Mon, Feb 27, 2017 at 04:35:58PM -0600, Eric Blake wrote:
> On 02/27/2017 12:58 PM, Jeff Cody wrote:
> > Get rid of qemu_rbd_parsename in favor of bdrv_parse_filename.
> > This simplifies a lot of the parsing as well, as we can treat everything
> > a bit simpler since nonexistent options are simp
The local_lsetxattr() callback is vulnerable to symlink attacks because
it calls lsetxattr() which follows symbolic links in all path elements but
the rightmost one.
This patch introduces a helper to emulate the non-existing fsetxattrat()
function: it is implemented with /proc/self/fd which provid
If this function fails, it should not modify *ctx.
Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
hw/9pfs/9p-local.c | 37 +++--
1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 2369b918aa3f.
When using the passthrough security mode, symbolic links created by the
guest are actual symbolic links on the host file system.
Since the resolution of symbolic links during path walk is supposed to
occur on the client side, the server should hence never receive any path
pointing to an actual sym
The local_lremovexattr() callback is vulnerable to symlink attacks because
it calls lremovexattr() which follows symbolic links in all path elements
but the rightmost one.
This patch introduces a helper to emulate the non-existing fremovexattrat()
function: it is implemented with /proc/self/fd whi
This patch opens the shared folder and caches the file descriptor, so that
it can be used to do symlink-safe path walk.
Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
hw/9pfs/9p-local.c | 30 --
1 file changed, 28 insertions(+), 2 deletions(-)
diff --git
The local_unlinkat() callback is vulnerable to symlink attacks because it
calls remove() which follows symbolic links in all path elements but the
rightmost one.
This patch converts local_unlinkat() to rely on opendir_nofollow() and
unlinkat() instead.
Most of the code is moved to a separate loca
From: Paolo Bonzini
In this case, we are marshaling an error status instead of the errno value.
Reorganize the out and out_nofid labels to look like all the other cases.
Coverity reports this because the "err = -ENOENT" and "err = -EINVAL"
assignments above are dead, overwritten by the call to pd
The local_llistxattr() callback is vulnerable to symlink attacks because
it calls llistxattr() which follows symbolic links in all path elements but
the rightmost one.
This patch introduces a helper to emulate the non-existing flistxattrat()
function: it is implemented with /proc/self/fd which pro
The following changes since commit 8f2d7c341184a95d05476ea3c45dbae2b9ddbe51:
Merge remote-tracking branch
'remotes/berrange/tags/pull-qcrypto-2017-02-27-1' into staging (2017-02-27
15:33:21 +)
are available in the git repository at:
https://github.com/gkurz/qemu.git tags/for-upstream
The local_utimensat() callback is vulnerable to symlink attacks because it
calls qemu_utimens()->utimensat(AT_SYMLINK_NOFOLLOW) which follows symbolic
links in all path elements but the rightmost one or qemu_utimens()->utimes()
which follows symbolic links for all path elements.
This patch convert
If these functions fail, they should not change *fs. Let's use local
variables to fix this.
Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
hw/9pfs/9p-local.c | 13 ++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
ind
The local_remove() callback is vulnerable to symlink attacks because it
calls:
(1) lstat() which follows symbolic links in all path elements but the
rightmost one
(2) remove() which follows symbolic links in all path elements but the
rightmost one
This patch converts local_remove() to rel
The local_statfs() callback is vulnerable to symlink attacks because it
calls statfs() which follows symbolic links in all path elements.
This patch converts local_statfs() to rely on open_nofollow() and fstatfs()
instead.
This partly fixes CVE-2016-9602.
Signed-off-by: Greg Kurz
Reviewed-by: S
This patchset adds the throttle support for the 9p-local driver.
For now this functionality can be enabled only through qemu cli options.
QMP interface and support to other drivers need further extensions.
To make it simple for other 9p drivers, the throttle code has been put in
separate files.
Si
These functions are always called indirectly. It really doesn't make sense
for them to sit in a header file.
Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
hw/9pfs/9p-xattr.c | 61 +
hw/9pfs/9p-xattr.h | 80 ++---
The local_lstat() callback is vulnerable to symlink attacks because it
calls:
(1) lstat() which follows symbolic links in all path elements but the
rightmost one
(2) getxattr() which follows symbolic links in all path elements
(3) local_mapped_file_attr()->local_fopen()->openat(O_NOFOLLOW) whi
The local_truncate() callback is vulnerable to symlink attacks because
it calls truncate() which follows symbolic links in all path elements.
This patch converts local_truncate() to rely on open_nofollow() and
ftruncate() instead.
This partly fixes CVE-2016-9602.
Signed-off-by: Greg Kurz
Review
The local_lgetxattr() callback is vulnerable to symlink attacks because
it calls lgetxattr() which follows symbolic links in all path elements but
the rightmost one.
This patch introduces a helper to emulate the non-existing fgetxattrat()
function: it is implemented with /proc/self/fd which provid
When using the mapped-file security model, we also have to create a link
for the metadata file if it exists. In case of failure, we should rollback.
That's what this patch does.
Signed-off-by: Greg Kurz
Reviewed-by: Stefan Hajnoczi
---
hw/9pfs/9p-local.c | 32 +---
From: Pradeep
This patch removes the redundant throttle code that was present in
block and fsdev device files. Now the common code is moved
to a single file.
Signed-off-by: Pradeep Jagadeesh
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Alberto Garcia
(fix indent nit, Greg Kurz)
Signed-off-by: Gr
The local_readlink() callback is vulnerable to symlink attacks because it
calls:
(1) open(O_NOFOLLOW) which follows symbolic links for all path elements but
the rightmost one
(2) readlink() which follows symbolic links for all path elements but the
rightmost one
This patch converts local_