[Qemu-devel] [PULL 0/4] Fixes for 2.4.0-rc3

[Qemu-devel] [PULL 0/4] Fixes for 2.4.0-rc3

[Paolo Bonzini]

The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:

  Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)

are available in the git repository at:

  git://github.com/bonzini/qemu.git tags/for-upstream

for you to fetch changes up to 52c91dac6bd891656f297dab76da51fc8bc61309:

  memory: do not add a reference to the owner of aliased regions (2015-07-27 23:05:49 +0200)

----------------------------------------------------------------
* crypto fixes
* megasas SIGSEGV fix
* memory refcount change to fix virtio hot-unplug

----------------------------------------------------------------
Daniel P. Berrange (2):
      crypto: fix built-in AES decrypt function
      crypto: extend unit tests to cover decryption too

Paolo Bonzini (1):
      memory: do not add a reference to the owner of aliased regions

Salva Peiró (1):
      megasas: Add write function to handle write access to PCI BAR 3

 crypto/cipher-builtin.c    |  8 ++++----
 hw/scsi/megasas.c          |  7 +++++++
 memory.c                   |  7 -------
 tests/test-crypto-cipher.c | 28 ++++++++++++++++++++--------
 4 files changed, 31 insertions(+), 19 deletions(-)
-- 
2.4.3

[Qemu-devel] [PULL 1/4] crypto: fix built-in AES decrypt function

[Paolo Bonzini]

From: "Daniel P. Berrange" <berrange@redhat.com>

The qcrypto_cipher_decrypt_aes method was using the wrong
key material, and passing the wrong mode. This caused it
to incorrectly decrypt ciphertext.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <1437740634-6261-1-git-send-email-berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 crypto/cipher-builtin.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/crypto/cipher-builtin.c b/crypto/cipher-builtin.c
index 912c1b9..30f4853 100644
--- a/crypto/cipher-builtin.c
+++ b/crypto/cipher-builtin.c
@@ -117,7 +117,7 @@ static int qcrypto_cipher_decrypt_aes(QCryptoCipher *cipher,
         uint8_t *outptr = out;
         while (len) {
             if (len > AES_BLOCK_SIZE) {
-                AES_decrypt(inptr, outptr, &ctxt->state.aes.encrypt_key);
+                AES_decrypt(inptr, outptr, &ctxt->state.aes.decrypt_key);
                 inptr += AES_BLOCK_SIZE;
                 outptr += AES_BLOCK_SIZE;
                 len -= AES_BLOCK_SIZE;
@@ -126,15 +126,15 @@ static int qcrypto_cipher_decrypt_aes(QCryptoCipher *cipher,
                 memcpy(tmp1, inptr, len);
                 /* Fill with 0 to avoid valgrind uninitialized reads */
                 memset(tmp1 + len, 0, sizeof(tmp1) - len);
-                AES_decrypt(tmp1, tmp2, &ctxt->state.aes.encrypt_key);
+                AES_decrypt(tmp1, tmp2, &ctxt->state.aes.decrypt_key);
                 memcpy(outptr, tmp2, len);
                 len = 0;
             }
         }
     } else {
         AES_cbc_encrypt(in, out, len,
-                        &ctxt->state.aes.encrypt_key,
-                        ctxt->state.aes.iv, 1);
+                        &ctxt->state.aes.decrypt_key,
+                        ctxt->state.aes.iv, 0);
     }
 
     return 0;
-- 
2.4.3

[Qemu-devel] [PULL 2/4] crypto: extend unit tests to cover decryption too

[Paolo Bonzini]

From: "Daniel P. Berrange" <berrange@redhat.com>

The current unit test only verifies the encryption API,
resulting in us missing a recently introduced bug in the
decryption API from commit d3462e3. It was fortunately
later discovered & fixed by commit bd09594, thanks to the
QEMU I/O tests for qcow2 encryption, but we should really
detect this directly in the crypto unit tests. Also remove
an accidental debug message and simplify some asserts.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-Id: <1437468902-23230-1-git-send-email-berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 tests/test-crypto-cipher.c | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/tests/test-crypto-cipher.c b/tests/test-crypto-cipher.c
index f9b1a03..9d38d26 100644
--- a/tests/test-crypto-cipher.c
+++ b/tests/test-crypto-cipher.c
@@ -226,12 +226,10 @@ static void test_cipher(const void *opaque)
     const QCryptoCipherTestData *data = opaque;
 
     QCryptoCipher *cipher;
-    Error *err = NULL;
     uint8_t *key, *iv, *ciphertext, *plaintext, *outtext;
     size_t nkey, niv, nciphertext, nplaintext;
     char *outtexthex;
 
-    g_test_message("foo");
     nkey = unhex_string(data->key, &key);
     niv = unhex_string(data->iv, &iv);
     nciphertext = unhex_string(data->ciphertext, &ciphertext);
@@ -244,28 +242,42 @@ static void test_cipher(const void *opaque)
     cipher = qcrypto_cipher_new(
         data->alg, data->mode,
         key, nkey,
-        &err);
+        &error_abort);
     g_assert(cipher != NULL);
-    g_assert(err == NULL);
 
 
     if (iv) {
         g_assert(qcrypto_cipher_setiv(cipher,
                                       iv, niv,
-                                      &err) == 0);
-        g_assert(err == NULL);
+                                      &error_abort) == 0);
     }
     g_assert(qcrypto_cipher_encrypt(cipher,
                                     plaintext,
                                     outtext,
                                     nplaintext,
-                                    &err) == 0);
-    g_assert(err == NULL);
+                                    &error_abort) == 0);
 
     outtexthex = hex_string(outtext, nciphertext);
 
     g_assert_cmpstr(outtexthex, ==, data->ciphertext);
 
+    g_free(outtexthex);
+
+    if (iv) {
+        g_assert(qcrypto_cipher_setiv(cipher,
+                                      iv, niv,
+                                      &error_abort) == 0);
+    }
+    g_assert(qcrypto_cipher_decrypt(cipher,
+                                    ciphertext,
+                                    outtext,
+                                    nplaintext,
+                                    &error_abort) == 0);
+
+    outtexthex = hex_string(outtext, nplaintext);
+
+    g_assert_cmpstr(outtexthex, ==, data->plaintext);
+
     g_free(outtext);
     g_free(outtexthex);
     g_free(key);
-- 
2.4.3

[Qemu-devel] [PULL 3/4] megasas: Add write function to handle write access to PCI BAR 3

[Paolo Bonzini]

From: Salva Peiró <speirofr@gmail.com>

This patch fixes a QEMU SEGFAULT when a write operation is performed on
the memory region of the PCI BAR 3 (base address space).
When a writeb(0xe0000000) is performed the .write function is invoked to
handle the write access, however, since the .write is not initialised,
the call to 0, causes QEMU to SEGFAULT.

Signed-off-by: Salva Peiró <speirofr@gmail.com>
Acked-by: Hannes Reinecke <hare@suse.com>
Message-Id: <1437987112-24744-1-git-send-email-speirofr@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 hw/scsi/megasas.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 51ba9e0..a04369c 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -2202,8 +2202,15 @@ static uint64_t megasas_queue_read(void *opaque, hwaddr addr,
     return 0;
 }
 
+static void megasas_queue_write(void *opaque, hwaddr addr,
+                               uint64_t val, unsigned size)
+{
+    return;
+}
+
 static const MemoryRegionOps megasas_queue_ops = {
     .read = megasas_queue_read,
+    .write = megasas_queue_write,
     .endianness = DEVICE_LITTLE_ENDIAN,
     .impl = {
         .min_access_size = 8,
-- 
2.4.3

[Qemu-devel] [PULL 4/4] memory: do not add a reference to the owner of aliased regions

[Paolo Bonzini]

Very often the owner of the aliased region is the same as the owner of the alias
region itself.  When this happens, the reference count can never go back to 0 and
the owner is leaked.  This is for example breaking hot-unplug of virtio-pci
devices (the device cannot be plugged back again with the same id).

Another common use for alias is to transform the system I/O address space
into an MMIO regions; in this case the aliased region never dies, so there
is no problem.  Otherwise the owner is always the same for aliasing
and aliased region.

I checked all calls to memory_region_init_alias introduced after commit
dfde4e6 (memory: add ref/unref calls, 2013-05-06) and they do not need the
reference in order to keep the owner of the aliased region alive.

Reported-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 memory.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/memory.c b/memory.c
index 5e5f325..4eb138a 100644
--- a/memory.c
+++ b/memory.c
@@ -859,11 +859,6 @@ static void memory_region_destructor_ram(MemoryRegion *mr)
     qemu_ram_free(mr->ram_addr);
 }
 
-static void memory_region_destructor_alias(MemoryRegion *mr)
-{
-    memory_region_unref(mr->alias);
-}
-
 static void memory_region_destructor_ram_from_ptr(MemoryRegion *mr)
 {
     qemu_ram_free_from_ptr(mr->ram_addr);
@@ -1272,8 +1267,6 @@ void memory_region_init_alias(MemoryRegion *mr,
                               uint64_t size)
 {
     memory_region_init(mr, owner, name, size);
-    memory_region_ref(orig);
-    mr->destructor = memory_region_destructor_alias;
     mr->alias = orig;
     mr->alias_offset = offset;
 }
-- 
2.4.3

Re: [Qemu-devel] [PULL 0/4] Fixes for 2.4.0-rc3

[Peter Maydell]

On 28 July 2015 at 09:04, Paolo Bonzini <pbonzini@redhat.com> wrote:
> The following changes since commit f793d97e454a56d17e404004867985622ca1a63b:
>
>   Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into staging (2015-07-24 13:07:10 +0100)
>
> are available in the git repository at:
>
>   git://github.com/bonzini/qemu.git tags/for-upstream
>
> for you to fetch changes up to 52c91dac6bd891656f297dab76da51fc8bc61309:
>
>   memory: do not add a reference to the owner of aliased regions (2015-07-27 23:05:49 +0200)
>
> ----------------------------------------------------------------
> * crypto fixes
> * megasas SIGSEGV fix
> * memory refcount change to fix virtio hot-unplug

Applied, thanks.

-- PMM