From c7470199922e6bb6f8bf7fb50ae45942c03d756e Mon Sep 17 00:00:00 2001 From: dinglimin Date: Thu, 14 Aug 2025 16:43:12 +0800 Subject: [PATCH 1/2] migration: activate TLS thread safety workaround MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When either the postcopy or return path capabilities are enabled, the migration code will use the primary channel for bidirectional I/O. If either of those capabilities are enabled, the migration code needs to mark the channel as expecting concurrent I/O in order to activate the thread safety workarounds for GNUTLS bug 1717 Closes: https://gitlab.com/qemu-project/qemu/-/issues/1937 Signed-off-by: Daniel P. Berrangé Reviewed-by: Fabiano Rosas Link: https://lore.kernel.org/qemu-devel/20250718150514.2635338-4-berrange@redhat.com Signed-off-by: Fabiano Rosas Signed-off-by: dinglimin --- migration/tls.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/migration/tls.c b/migration/tls.c index fa03d9136c..bf2b67b52c 100644 --- a/migration/tls.c +++ b/migration/tls.c @@ -90,6 +90,10 @@ void migration_tls_channel_process_incoming(MigrationState *s, trace_migration_tls_incoming_handshake_start(); qio_channel_set_name(QIO_CHANNEL(tioc), "migration-tls-incoming"); + if (migrate_postcopy_ram() || migrate_return_path()) { + qio_channel_set_feature(QIO_CHANNEL(tioc), + QIO_CHANNEL_FEATURE_CONCURRENT_IO); + } qio_channel_tls_handshake(tioc, migration_tls_incoming_handshake, NULL, 
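Review bot: The added `if` block gives no hint why postcopy or return-path enablement implies concurrent I/O, so a reader of tls.c cannot connect it to the GNUTLS bug 1717 workaround that only the commit message explains; a comment above the condition such as `/* Postcopy / return path use this channel bidirectionally: arm the GNUTLS bug 1717 thread safety workaround (see issue 1937) */` would keep that rationale next to the code. The same four lines are repeated verbatim in the migration_tls_channel_connect hunk, so a small static helper called from both sites would keep the capability test in one place if the set of capabilities that need concurrent I/O ever grows. migration_tls_channel_process_incoming starts and ends outside the hunk, so the helper's call site below is placed relative to the visible qio_channel_set_name line.
```c
/* When postcopy or the return path is enabled the primary channel carries
 * concurrent reads and writes, which needs the GNUTLS bug 1717 thread safety
 * workaround; must run before the handshake, as both callers already do. */
static void migration_tls_set_concurrent_io(QIOChannelTLS *tioc)
{
    if (migrate_postcopy_ram() || migrate_return_path()) {
        qio_channel_set_feature(QIO_CHANNEL(tioc),
                                QIO_CHANNEL_FEATURE_CONCURRENT_IO);
    }
}

/* … unchanged: migration_tls_channel_process_incoming up to the set_name call … */
    qio_channel_set_name(QIO_CHANNEL(tioc), "migration-tls-incoming");
    migration_tls_set_concurrent_io(tioc);
    qio_channel_tls_handshake(tioc,
```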
@@ -149,6 +153,10 @@ void migration_tls_channel_connect(MigrationState *s,
 s->hostname = g_strdup(hostname);
 trace_migration_tls_outgoing_handshake_start(hostname);
 qio_channel_set_name(QIO_CHANNEL(tioc), "migration-tls-outgoing");
+ if (migrate_postcopy_ram() || migrate_return_path()) {
+ qio_channel_set_feature(QIO_CHANNEL(tioc),
+ QIO_CHANNEL_FEATURE_CONCURRENT_IO);
+ }
 qio_channel_tls_handshake(tioc,
 migration_tls_outgoing_handshake,
 s,
-- 
Gitee

From 6b90487f1f0045854561a6ff9383e636961fc6ad Mon Sep 17 00:00:00 2001
From: dinglimin
Date: Thu, 21 Aug 2025 11:09:23 +0800
Subject: [PATCH 2/2] qemu-img: fix division by zero in bench_cb() for zero-sized images

This error was discovered by fuzzing qemu-img. This commit fixes a division by zero error in the bench_cb() function that occurs when using the bench command with a zero-sized image. The issue arises because b->image_size can be zero, leading to a division by zero in the modulo operation (b->offset %= b->image_size). This patch adds a check for b->image_size == 0 and resets b->offset to 0 in such cases, preventing the error.

Signed-off-by: Denis Rastyogin
Message-ID: <20250318101933.255617-1-gerben@altlinux.org>
Reviewed-by: Kevin Wolf
Signed-off-by: Kevin Wolf
Signed-off-by: dinglimin
---
 qemu-img.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/qemu-img.c b/qemu-img.c
index 49d914c9c4..ae6efb0e09 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -4522,7 +4522,12 @@ static void bench_cb(void *opaque, int ret)
 */
 b->in_flight++;
 b->offset += b->step;
- b->offset %= b->image_size;
+ if (b->image_size == 0) {
+ b->offset = 0;
+ } else {
+ b->offset %= b->image_size;
+ }
+
 if (b->write) {
 acb = blk_aio_pwritev(b->blk, offset, b->qiov, 0, bench_cb, b);
 } else {
-- 
Gitee
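Review bot: Guarding the modulo inside bench_cb() keeps the benchmark running against an image whose size is zero, where every request issued by the `blk_aio_pwritev` / read lines just below is necessarily outside the image, so the run produces either per-request errors or meaningless numbers rather than a clear diagnostic; it would be more robust to reject an image size of zero once in img_bench, at the point where the size is obtained (outside this hunk), with an error_report() and a failing exit, and leave the callback's modulo as it was. If the callback-side guard is kept, a one-line comment above it, `/* image_size can be 0 for an empty image; avoid modulo by zero */`, records why the branch exists, since the branch otherwise looks like dead defensive code. bench_cb() starts and ends outside the hunk.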