Accepting request 879536 from home:bfrogers:branches:Virtualization

- Fix DoS in e1000 emulated device (CVE-2021-20257 bsc#1182577)
  e1000-fail-early-for-evil-descriptor.patch
- Fix incorrect guest data in s390x PCI passthrough (bsc#1183372)
  s390x-pci-restore-missing-Query-PCI-Func.patch
- Include upstream patches designated as stable material and
  reviewed for applicability to include here
  lsilogic-Use-PCIDevice-exit-instead-of-D.patch
  vhost-user-blk-fix-blkcfg-num_queues-end.patch
- Fix potential privilege escalation in virtfs (CVE-2021-20181
  bsc#1182137)
  9pfs-Fully-restart-unreclaim-loop-CVE-20.patch
- Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
  net-vmxnet3-validate-configuration-value.patch

OBS-URL: https://build.opensuse.org/request/show/879536
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=629
Bruce Rogers 2021-03-17 01:17:25 +00:00 committed by Git OBS Bridge
parent 0c0fef9edd
commit 2746ce73b5
12 changed files with 491 additions and 88 deletions

@ -0,0 +1,76 @@
From: Greg Kurz <groug@kaod.org>
Date: Thu, 14 Jan 2021 17:04:12 +0100
Subject: 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
Git-commit: 89fbea8737e8f7b954745a1ffc4238d377055305
Reference: bsc#1182137
Depending on the client activity, the server can be asked to open a huge
number of file descriptors and eventually hit RLIMIT_NOFILE. This is
currently mitigated using a reclaim logic : the server closes the file
descriptors of idle fids, based on the assumption that it will be able
to re-open them later. This assumption doesn't hold of course if the
client requests the file to be unlinked. In this case, we loop on the
entire fid list and mark all related fids as unreclaimable (the reclaim
logic will just ignore them) and, of course, we open or re-open their
file descriptors if needed since we're about to unlink the file.
This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
opening of a file can cause the coroutine to yield, another client
request could possibly add a new fid that we may want to mark as
non-reclaimable as well. The loop is thus restarted if the re-open
request was actually transmitted to the backend. This is achieved
by keeping a reference on the first fid (head) before traversing
the list.
This is wrong in several ways:
- a potential clunk request from the client could tear the first
fid down and cause the reference to be stale. This leads to a
use-after-free error that can be detected with ASAN, using a
custom 9p client
- fids are added at the head of the list : restarting from the
previous head will always miss fids added by a some other
potential request
All these problems could be avoided if fids were being added at the
end of the list. This can be achieved with a QSIMPLEQ, but this is
probably too much change for a bug fix. For now let's keep it
simple and just restart the loop from the current head.
Fixes: CVE-2021-20181
Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 94df440fc74004bfa45b3fe30540..6026b51a1c04ee82d6366cb13d50 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
{
int err;
V9fsState *s = pdu->s;
- V9fsFidState *fidp, head_fid;
+ V9fsFidState *fidp;
- head_fid.next = s->fid_list;
+again:
for (fidp = s->fid_list; fidp; fidp = fidp->next) {
if (fidp->path.size != path->size) {
continue;
@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
* switched to the worker thread
*/
if (err == 0) {
- fidp = &head_fid;
+ goto again;
}
}
}
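Review bot: the `goto again` under `if (err == 0)` restarts the walk from `s->fid_list` every time a re-open was handed to the backend, and nothing in this hunk shows what stops a fid that was just re-opened from qualifying again on the next pass. If termination relies on state set earlier in the loop body (the commit message mentions marking the fids as unreclaimable), say so in the comment above the jump, so that a later reordering of those steps does not turn this into an unbounded loop. A loop with an explicit restart flag would also read more clearly than a backward `goto` out of the `for` body.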

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8f34342c09f25d5f80567221c26c96a68715145241afd35dbcc6796cec7c0f69
size 64884
oid sha256:b7ff5cf2fc82b361e7b07710e20758d230d543d7d1c967bdf131b5793573207e
size 68660

@ -37,6 +37,9 @@ NUMBERED_PATCHES=0
PATCH_RANGE=1000
# For compatibility with old packages, we include this option
OVERRIDE_FIVE_DIGIT_NUMBERING=0
# This array tracks all git submodule paths within the superproject (1st entry)
PATCH_PATH_MAP=(
""

@ -0,0 +1,50 @@
From: Jason Wang <jasowang@redhat.com>
Date: Wed, 24 Feb 2021 13:45:28 +0800
Subject: e1000: fail early for evil descriptor
Git-commit: 3de46e6fc489c52c9431a8a832ad8170a7569bd8
References: bsc#1182577, CVE-2021-20257
During procss_tx_desc(), driver can try to chain data descriptor with
legacy descriptor, when will lead underflow for the following
calculation in process_tx_desc() for bytes:
if (tp->size + bytes > msh)
bytes = msh - tp->size;
This will lead a infinite loop. So check and fail early if tp->size if
greater or equal to msh.
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/e1000.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index d7d05ae30afafb2e7979c74564a6..02a446b89bae0dec0acdefa54760 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
msh = tp->tso_props.hdr_len + tp->tso_props.mss;
do {
bytes = split_size;
+ if (tp->size >= msh) {
+ goto eop;
+ }
if (tp->size + bytes > msh)
bytes = msh - tp->size;
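Review bot: the new `if (tp->size >= msh)` check sits inside the `do` loop with no comment, so the reason for it lives only in the commit message. A one-line comment saying that `bytes = msh - tp->size` two lines below would otherwise be zero or underflow when `tp->size` is already at or past `msh` would keep the guard from being removed as redundant later. Since this path is only reached with a malformed descriptor chain from the guest, consider a trace or debug message before `goto eop` so the condition is visible when diagnosing a stalled guest NIC.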
@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
tp->size += split_size;
}
+eop:
if (!(txd_lower & E1000_TXD_CMD_EOP))
return;
if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
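Review bot: at the `eop:` label, a descriptor without `E1000_TXD_CMD_EOP` returns immediately, and nothing visible here resets `tp->size`, so each following descriptor will take the same early exit until one with EOP set arrives. If that is the intended behaviour, state it in a comment at the label; if not, the transmit state needs to be reset before the `return`.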

@ -0,0 +1,52 @@
From: Peng Liang <liangpeng10@huawei.com>
Date: Tue, 2 Mar 2021 21:30:16 +0800
Subject: lsilogic: Use PCIDevice::exit instead of DeviceState::unrealize
Git-commit: faabca42cc4ff51110116dfe44d420c668b4d8d8
PCI_DEVICE has overwritten DeviceState::unrealize (pci_qdev_unrealize).
However, LSI53C895A, which is a subclass of PCI_DEVICE, overwrites it
again and doesn't save the parent's implementation so the PCI_DEVICE's
implementation of DeviceState::unrealize will never be called when
unrealize a LSI53C895A device. And it will lead to memory leak and
unplug failure.
For a PCI device, it's better to implement PCIDevice::exit instead of
DeviceState::unrealize. So let's change to use PCIDevice::exit.
Fixes: a8632434c7e9 ("lsi: implement I/O memory space for Memory Move instructions")
Cc: qemu-stable@nongnu.org
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Message-Id: <20210302133016.1221081-1-liangpeng10@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/lsi53c895a.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 7d13c7dc1c46e8a32ed0e3e090ff..af46c62f0d78268b52d19ca9fd07 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -2312,7 +2312,7 @@ static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
scsi_bus_new(&s->bus, sizeof(s->bus), d, &lsi_scsi_info, NULL);
}
-static void lsi_scsi_unrealize(DeviceState *dev)
+static void lsi_scsi_exit(PCIDevice *dev)
{
LSIState *s = LSI53C895A(dev);
@@ -2325,11 +2325,11 @@ static void lsi_class_init(ObjectClass *klass, void *data)
PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
k->realize = lsi_scsi_realize;
+ k->exit = lsi_scsi_exit;
k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
k->device_id = PCI_DEVICE_ID_LSI_53C895A;
k->class_id = PCI_CLASS_STORAGE_SCSI;
k->subsystem_id = 0x1000;
- dc->unrealize = lsi_scsi_unrealize;
dc->reset = lsi_scsi_reset;
dc->vmsd = &vmstate_lsi_scsi;
set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);

@ -0,0 +1,74 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Sat, 30 Jan 2021 18:46:52 +0530
Subject: net: vmxnet3: validate configuration values during activate
(CVE-2021-20203)
Git-commit: 0000000000000000000000000000000000000000
References: bsc#1181639
While activating device in vmxnet3_acticate_device(), it does not
validate guest supplied configuration values against predefined
minimum - maximum limits. This may lead to integer overflow or
OOB access issues. Add checks to avoid it.
Fixes: CVE-2021-20203
Buglink: https://bugs.launchpad.net/qemu/+bug/1913873
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/vmxnet3.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index eff299f6290cee3e784d93561798..4a910ca97188df056219062c30da 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
vmxnet3_setup_rx_filtering(s);
/* Cache fields from shared memory */
s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
+ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
VMW_CFPRN("MTU is %u", s->mtu);
s->max_rx_frags =
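Review bot: `assert()` on `s->mtu` is the wrong tool here, because the value was just read from guest-shared memory with `VMXNET3_READ_DRV_SHARED32` and a failing assertion aborts the whole QEMU process, so an out-of-range MTU written by the guest still ends in a crash rather than a rejected activation. Refuse the activation or fall back to a default instead, and log it as a guest error. Also confirm the upper bound: `s->mtu < VMXNET3_MAX_MTU` refuses an MTU equal to `VMXNET3_MAX_MTU`, while the lower bound is inclusive.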
@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
/* Read rings memory locations for TX queues */
pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
+ if (size > VMXNET3_TX_RING_MAX_SIZE) {
+ size = VMXNET3_TX_RING_MAX_SIZE;
+ }
vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
sizeof(struct Vmxnet3_TxDesc), false);
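Review bot: the TX ring `size` is clamped only from above; a guest value of 0 still reaches `vmxnet3_ring_init()`, although the commit message speaks of minimum and maximum limits. Add the lower bound here and in the three ring blocks that follow, and consider whether silently shrinking the ring is right, since the guest will go on believing the ring has the size it wrote.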
@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
/* TXC ring */
pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
+ if (size > VMXNET3_TC_RING_MAX_SIZE) {
+ size = VMXNET3_TC_RING_MAX_SIZE;
+ }
vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
sizeof(struct Vmxnet3_TxCompDesc), true);
VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
/* RX rings */
pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
+ if (size > VMXNET3_RX_RING_MAX_SIZE) {
+ size = VMXNET3_RX_RING_MAX_SIZE;
+ }
vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
sizeof(struct Vmxnet3_RxDesc), false);
VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
/* RXC ring */
pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
+ if (size > VMXNET3_RC_RING_MAX_SIZE) {
+ size = VMXNET3_RC_RING_MAX_SIZE;
+ }
vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
sizeof(struct Vmxnet3_RxCompDesc), true);
VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
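Review bot: this is the fourth copy of the same three-line clamp, differing only in the `VMXNET3_*_RING_MAX_SIZE` constant. A small helper taking the value and its limit would keep the four sites consistent and give one place to extend the validation or add a guest-error log.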

@ -1,3 +1,28 @@
-------------------------------------------------------------------
Tue Mar 16 22:33:26 UTC 2021 - Bruce Rogers <brogers@suse.com>
- Fix DoS in e1000 emulated device (CVE-2021-20257 bsc#1182577)
e1000-fail-early-for-evil-descriptor.patch
-------------------------------------------------------------------
Mon Mar 15 17:52:47 UTC 2021 - Bruce Rogers <brogers@suse.com>
- Fix incorrect guest data in s390x PCI passthrough (bsc#1183372)
s390x-pci-restore-missing-Query-PCI-Func.patch
-------------------------------------------------------------------
Fri Mar 12 20:00:30 UTC 2021 - Bruce Rogers <brogers@suse.com>
- Include upstream patches designated as stable material and
reviewed for applicability to include here
lsilogic-Use-PCIDevice-exit-instead-of-D.patch
vhost-user-blk-fix-blkcfg-num_queues-end.patch
- Fix potential privilege escalation in virtfs (CVE-2021-20181
bsc#1182137)
9pfs-Fully-restart-unreclaim-loop-CVE-20.patch
- Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
net-vmxnet3-validate-configuration-value.patch
-------------------------------------------------------------------
Fri Mar 12 19:22:46 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>

146
qemu.spec

@ -145,67 +145,73 @@ Patch00009: hw-timer-slavio_timer-Allow-64-bit-acces.patch
Patch00010: target-arm-Fix-MTE0_ACTIVE.patch
Patch00011: target-arm-Don-t-decode-insns-in-the-XSc.patch
Patch00012: hw-net-lan9118-Fix-RX-Status-FIFO-PEEK-v.patch
Patch00013: target-arm-Introduce-PREDDESC-field-defi.patch
Patch00014: target-arm-Update-PFIRST-PNEXT-for-pred_.patch
Patch00015: target-arm-Update-ZIP-UZP-TRN-for-pred_d.patch
Patch00016: target-arm-Update-REV-PUNPK-for-pred_des.patch
Patch00017: net-Fix-handling-of-id-in-netdev_add-and.patch
Patch00018: block-Separate-blk_is_writable-and-blk_s.patch
Patch00019: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD.patch
Patch00020: virtio-move-use-disabled-flag-property-t.patch
Patch00021: qemu-nbd-Use-SOMAXCONN-for-socket-listen.patch
Patch00022: qemu-storage-daemon-Enable-object-add.patch
Patch00023: blockjob-Fix-crash-with-IOthread-when-bl.patch
Patch00024: monitor-Fix-assertion-failure-on-shutdow.patch
Patch00025: spice-app-avoid-crash-when-core-spice-mo.patch
Patch00026: i386-acpi-restore-device-paths-for-pre-5.patch
Patch00027: hw-s390x-fix-build-for-virtio-9p-ccw.patch
Patch00028: hw-s390x-modularize-virtio-gpu-ccw.patch
Patch00029: XXX-dont-dump-core-on-sigabort.patch
Patch00030: qemu-binfmt-conf-Modify-default-path.patch
Patch00031: qemu-cvs-gettimeofday.patch
Patch00032: qemu-cvs-ioctl_debug.patch
Patch00033: qemu-cvs-ioctl_nodirection.patch
Patch00034: linux-user-add-binfmt-wrapper-for-argv-0.patch
Patch00035: PPC-KVM-Disable-mmu-notifier-check.patch
Patch00036: linux-user-binfmt-support-host-binaries.patch
Patch00037: linux-user-Fake-proc-cpuinfo.patch
Patch00038: linux-user-use-target_ulong.patch
Patch00039: Make-char-muxer-more-robust-wrt-small-FI.patch
Patch00040: linux-user-lseek-explicitly-cast-non-set.patch
Patch00041: AIO-Reduce-number-of-threads-for-32bit-h.patch
Patch00042: xen_disk-Add-suse-specific-flush-disable.patch
Patch00043: qemu-bridge-helper-reduce-security-profi.patch
Patch00044: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
Patch00045: roms-Makefile-pass-a-packaging-timestamp.patch
Patch00046: Raise-soft-address-space-limit-to-hard-l.patch
Patch00047: increase-x86_64-physical-bits-to-42.patch
Patch00048: i8254-Fix-migration-from-SLE11-SP2.patch
Patch00049: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
Patch00050: Make-installed-scripts-explicitly-python.patch
Patch00051: hw-smbios-handle-both-file-formats-regar.patch
Patch00052: xen-add-block-resize-support-for-xen-dis.patch
Patch00053: tests-qemu-iotests-Triple-timeout-of-i-o.patch
Patch00054: tests-Fix-block-tests-to-be-compatible-w.patch
Patch00055: xen-ignore-live-parameter-from-xen-save-.patch
Patch00056: tests-change-error-message-in-test-162.patch
Patch00057: hw-intc-exynos4210_gic-provide-more-room.patch
Patch00058: configure-only-populate-roms-if-softmmu.patch
Patch00059: pc-bios-s390-ccw-net-avoid-warning-about.patch
Patch00060: roms-change-cross-compiler-naming-to-be-.patch
Patch00061: test-add-mapping-from-arch-of-i686-to-qe.patch
Patch00062: configure-remove-pkgversion-from-CONFIG_.patch
Patch00063: docs-add-SUSE-support-statements-to-html.patch
Patch00064: s390x-Fix-stringop-truncation-issue-repo.patch
Patch00065: Revert-qht-constify-qht_statistics_init.patch
Patch00066: qht-Revert-some-constification-in-qht.c.patch
Patch00067: meson-install-ivshmem-client-and-ivshmem.patch
Patch00068: Revert-roms-efirom-tests-uefi-test-tools.patch
Patch00069: Makefile-Don-t-check-pc-bios-as-pre-requ.patch
Patch00070: roms-Makefile-add-cross-file-to-qboot-me.patch
Patch00071: usb-Help-compiler-out-to-avoid-a-warning.patch
Patch00072: module-for-virtio-gpu-pre-load-module-to.patch
Patch00073: qom-handle-case-of-chardev-spice-module-.patch
Patch00013: 9pfs-Fully-restart-unreclaim-loop-CVE-20.patch
Patch00014: target-arm-Introduce-PREDDESC-field-defi.patch
Patch00015: target-arm-Update-PFIRST-PNEXT-for-pred_.patch
Patch00016: target-arm-Update-ZIP-UZP-TRN-for-pred_d.patch
Patch00017: target-arm-Update-REV-PUNPK-for-pred_des.patch
Patch00018: net-Fix-handling-of-id-in-netdev_add-and.patch
Patch00019: block-Separate-blk_is_writable-and-blk_s.patch
Patch00020: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD.patch
Patch00021: virtio-move-use-disabled-flag-property-t.patch
Patch00022: qemu-nbd-Use-SOMAXCONN-for-socket-listen.patch
Patch00023: qemu-storage-daemon-Enable-object-add.patch
Patch00024: blockjob-Fix-crash-with-IOthread-when-bl.patch
Patch00025: monitor-Fix-assertion-failure-on-shutdow.patch
Patch00026: spice-app-avoid-crash-when-core-spice-mo.patch
Patch00027: i386-acpi-restore-device-paths-for-pre-5.patch
Patch00028: hw-s390x-fix-build-for-virtio-9p-ccw.patch
Patch00029: s390x-pci-restore-missing-Query-PCI-Func.patch
Patch00030: lsilogic-Use-PCIDevice-exit-instead-of-D.patch
Patch00031: vhost-user-blk-fix-blkcfg-num_queues-end.patch
Patch00032: e1000-fail-early-for-evil-descriptor.patch
Patch00033: hw-s390x-modularize-virtio-gpu-ccw.patch
Patch00034: net-vmxnet3-validate-configuration-value.patch
Patch00035: XXX-dont-dump-core-on-sigabort.patch
Patch00036: qemu-binfmt-conf-Modify-default-path.patch
Patch00037: qemu-cvs-gettimeofday.patch
Patch00038: qemu-cvs-ioctl_debug.patch
Patch00039: qemu-cvs-ioctl_nodirection.patch
Patch00040: linux-user-add-binfmt-wrapper-for-argv-0.patch
Patch00041: PPC-KVM-Disable-mmu-notifier-check.patch
Patch00042: linux-user-binfmt-support-host-binaries.patch
Patch00043: linux-user-Fake-proc-cpuinfo.patch
Patch00044: linux-user-use-target_ulong.patch
Patch00045: Make-char-muxer-more-robust-wrt-small-FI.patch
Patch00046: linux-user-lseek-explicitly-cast-non-set.patch
Patch00047: AIO-Reduce-number-of-threads-for-32bit-h.patch
Patch00048: xen_disk-Add-suse-specific-flush-disable.patch
Patch00049: qemu-bridge-helper-reduce-security-profi.patch
Patch00050: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
Patch00051: roms-Makefile-pass-a-packaging-timestamp.patch
Patch00052: Raise-soft-address-space-limit-to-hard-l.patch
Patch00053: increase-x86_64-physical-bits-to-42.patch
Patch00054: i8254-Fix-migration-from-SLE11-SP2.patch
Patch00055: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
Patch00056: Make-installed-scripts-explicitly-python.patch
Patch00057: hw-smbios-handle-both-file-formats-regar.patch
Patch00058: xen-add-block-resize-support-for-xen-dis.patch
Patch00059: tests-qemu-iotests-Triple-timeout-of-i-o.patch
Patch00060: tests-Fix-block-tests-to-be-compatible-w.patch
Patch00061: xen-ignore-live-parameter-from-xen-save-.patch
Patch00062: tests-change-error-message-in-test-162.patch
Patch00063: hw-intc-exynos4210_gic-provide-more-room.patch
Patch00064: configure-only-populate-roms-if-softmmu.patch
Patch00065: pc-bios-s390-ccw-net-avoid-warning-about.patch
Patch00066: roms-change-cross-compiler-naming-to-be-.patch
Patch00067: test-add-mapping-from-arch-of-i686-to-qe.patch
Patch00068: configure-remove-pkgversion-from-CONFIG_.patch
Patch00069: docs-add-SUSE-support-statements-to-html.patch
Patch00070: s390x-Fix-stringop-truncation-issue-repo.patch
Patch00071: Revert-qht-constify-qht_statistics_init.patch
Patch00072: qht-Revert-some-constification-in-qht.c.patch
Patch00073: meson-install-ivshmem-client-and-ivshmem.patch
Patch00074: Revert-roms-efirom-tests-uefi-test-tools.patch
Patch00075: Makefile-Don-t-check-pc-bios-as-pre-requ.patch
Patch00076: roms-Makefile-add-cross-file-to-qboot-me.patch
Patch00077: usb-Help-compiler-out-to-avoid-a-warning.patch
Patch00078: module-for-virtio-gpu-pre-load-module-to.patch
Patch00079: qom-handle-case-of-chardev-spice-module-.patch
# Patches applied in roms/seabios/:
Patch01000: seabios-use-python2-explicitly-as-needed.patch
Patch01001: seabios-switch-to-python3-as-needed.patch
@ -1097,23 +1103,29 @@ This package records qemu testsuite results and represents successful testing.
%patch00060 -p1
%patch00061 -p1
%patch00062 -p1
%if %{legacy_qemu_kvm}
%patch00063 -p1
%endif
%patch00064 -p1
%patch00065 -p1
%patch00066 -p1
%patch00067 -p1
%patch00068 -p1
%if %{legacy_qemu_kvm}
%patch00069 -p1
%ifarch aarch64
%endif
%patch00070 -p1
%endif
%ifarch %arm %ix86 ppc
%patch00071 -p1
%endif
%patch00072 -p1
%patch00073 -p1
%patch00074 -p1
%patch00075 -p1
%ifarch aarch64
%patch00076 -p1
%endif
%ifarch %arm %ix86 ppc
%patch00077 -p1
%endif
%patch00078 -p1
%patch00079 -p1
%patch01000 -p1
%patch01001 -p1
%patch01002 -p1

@ -1,5 +1,5 @@
#
# spec file for package qemu%{name_suffix}
# spec file for package qemu
#
# Copyright (c) 2021 SUSE LLC
#

@ -0,0 +1,41 @@
From: Matthew Rosato <mjrosato@linux.ibm.com>
Date: Thu, 18 Feb 2021 15:53:29 -0500
Subject: s390x/pci: restore missing Query PCI Function CLP data
Git-commit: 403af209db8c030ed1e000640cd3cd80c6882883
References: bsc#1183372
Some CLP response data was accidentally dropped when fixing endianness
issues with the Query PCI Function CLP response. All of these values are
sent as 0s to the guest for emulated devices, so the impact is only
observed on passthrough devices.
Fixes: a4e2fff1b104 ("s390x/pci: fix endianness issues")
Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-Id: <1613681609-9349-1-git-send-email-mjrosato@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/s390x/s390-pci-inst.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/s390x/s390-pci-inst.c b/hw/s390x/s390-pci-inst.c
index 70bfd91bf70edafaa7c93469f459..f0ed9ea6f96b1202521ae434e680 100644
--- a/hw/s390x/s390-pci-inst.c
+++ b/hw/s390x/s390-pci-inst.c
@@ -284,10 +284,15 @@ int clp_service_call(S390CPU *cpu, uint8_t r2, uintptr_t ra)
stq_p(&resquery->sdma, pbdev->zpci_fn.sdma);
stq_p(&resquery->edma, pbdev->zpci_fn.edma);
stw_p(&resquery->pchid, pbdev->zpci_fn.pchid);
+ stw_p(&resquery->vfn, pbdev->zpci_fn.vfn);
resquery->flags = pbdev->zpci_fn.flags;
resquery->pfgid = pbdev->zpci_fn.pfgid;
+ resquery->pft = pbdev->zpci_fn.pft;
+ resquery->fmbl = pbdev->zpci_fn.fmbl;
stl_p(&resquery->fid, pbdev->zpci_fn.fid);
stl_p(&resquery->uid, pbdev->zpci_fn.uid);
+ memcpy(resquery->pfip, pbdev->zpci_fn.pfip, CLP_PFIP_NR_SEGMENTS);
+ memcpy(resquery->util_str, pbdev->zpci_fn.util_str, CLP_UTIL_STR_LEN);
for (i = 0; i < PCI_BAR_COUNT; i++) {
uint32_t data = pci_get_long(pbdev->pdev->config +
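Review bot: the two `memcpy()` calls size the copy with `CLP_PFIP_NR_SEGMENTS` and `CLP_UTIL_STR_LEN` rather than with the destination, which is only correct if both `pfip` arrays and both `util_str` arrays are byte arrays of exactly that length. Using `sizeof(resquery->pfip)` and `sizeof(resquery->util_str)`, or a build-time assertion that source and destination sizes match, would make that explicit. `pft` and `fmbl` are assigned directly while `vfn` goes through `stw_p()`; since the commit being repaired was an endianness change, a short note that those two are single-byte fields would help the next reader.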

@ -10,6 +10,14 @@ set -e
#
# (default is git2pkg)
# As an aid to bypassing issues with our multibuild package and obs (see code
# below following the osc localrun of osc service localrun format_spec_file),
# provide an automated way to checkin without needing to type so much
if [ "$1" = "ci" ]; then
osc ci -f -n --noservice
exit
fi
#==============================================================================
check_requirements() {
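Review bot: the new `ci` shortcut runs before `check_requirements` is ever called and is not mentioned in the usage comment above it, where only the default (`git2pkg`) is described. Document the mode there, and spell out in the comment what `-f`, `-n` and `--noservice` are for in `osc ci -f -n --noservice`, since the existing comment only says it saves typing.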
@ -95,7 +103,11 @@ check_requirements
# Zero based numbering, so we subtract 1 here:
if (( (REPO_COUNT * PATCH_RANGE) - 1 > 9999 )); then
FIVE_DIGIT_POTENTIAL=1
if [[ "$OVERRIDE_FIVE_DIGIT_NUMBERING" = "1" ]]; then
FIVE_DIGIT_POTENTIAL=0
else
FIVE_DIGIT_POTENTIAL=1
fi
else
FIVE_DIGIT_POTENTIAL=0
fi
@ -153,6 +165,10 @@ if [[ -e ${LOCAL_REPO_MAP[$i]}/.git/shallow ]]; then
exit
fi
else
#TODO: Is there a better way to do this (we don't want the old bundle commit id's relied on HERE for LATEST)
if [[ "$GIT_UPSTREAM_COMMIT_ISH" = "LATEST" ]]; then
rm bundles.tar.xz
fi
if [[ -e bundles.tar.xz ]]; then
tar --extract --xz -f bundles.tar.xz -C $BUNDLE_DIR .
else
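Review bot: `rm bundles.tar.xz` fails when the file is absent, and the script runs under `set -e` (visible in the first hunk header), so a `LATEST` run without an existing bundle aborts here. The very next line tests `-e bundles.tar.xz`, so absence is an expected state; use `rm -f bundles.tar.xz`. The `#TODO` question should be resolved or tracked outside the script rather than merged as is.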
@ -287,7 +303,7 @@ echo "Please wait..."
(cd $GIT_DIR && git remote add upstream \
$UPSTREAM_GIT_REPO &>/dev/null)
(cd $GIT_DIR && git remote update upstream &>/dev/null)
(cd $GIT_DIR && git reset --hard $NEW_COMMIT_ISH &>/dev/null)
(cd $GIT_DIR && git reset --hard --recurse-submodules $NEW_COMMIT_ISH &>/dev/null)
# As an alternative, we could add a --recurse-submodules to the checkout instead here as well, right?
#UPSTREAM DOESNT DO THIS (time takes 17 minutes!):
# (cd $GIT_DIR && git submodule update --init --recursive &>/dev/null)
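Review bot: in the `git reset --hard --recurse-submodules` line, `$GIT_DIR` and `$NEW_COMMIT_ISH` are unquoted and all output goes to `/dev/null`, so under `set -e` a failed reset ends the script with no message at all. Quote both variables and let stderr through, or test the exit status and print which reset failed. The added comment is phrased as an open question about using `--recurse-submodules` on the checkout instead; settle it before merging.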
@ -346,25 +362,18 @@ COMMIT_IDS_BY_SUBMODULE_PATH[SUPERPROJECT]=$NEW_COMMIT_ISH_FULL
bundle2local
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# REBASE frombundle patches USING COMMIT_IDS_BY_SUBMODULE, ALSO USING OLD ID'S STORED IN OLD BUNDLE
# REBASE $GIT_BRANCH's on latest COMMIT_IDS_FROM_SUBMODULE_PATH, after reseting branch to frombundle branch
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
mkdir -p $BUNDLE_DIR
tar xJf bundles.tar.xz -C $BUNDLE_DIR
# Now go through all the submodule local repos that are present and create a bundle file for the patches found there
for (( i=0; i <$REPO_COUNT; i++ )); do
if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then
if $(git -C ${LOCAL_REPO_MAP[$i]} branch | grep -F "frombundle" >/dev/null); then
SUBDIR=${PATCH_PATH_MAP[$i]}
GITREPO_COMMIT_ISH=($BUNDLE_DIR/$SUBDIR*.id)
if [[ $GITREPO_COMMIT_ISH =~ .*(.{40})[.]id ]]; then
GITREPO_COMMIT_ISH=${BASH_REMATCH[1]}
fi
git -C ${LOCAL_REPO_MAP[$i]} checkout -B $GIT_BRANCH frombundle
if [[ "$SUBDIR" = "" ]]; then
SUBDIR=SUPERPROJECT
fi
if ! $(git -C ${LOCAL_REPO_MAP[$i]} rebase $GITREPO_COMMIT_ISH >/dev/null); then
if ! $(git -C ${LOCAL_REPO_MAP[$i]} rebase ${COMMIT_IDS_BY_SUBMODULE_PATH[$SUBDIR]} >/dev/null); then
echo "Rebase of ${LOCAL_REPO_MAP[$i]}, branch $GIT_BRANCH needs manual help"
REBASE_FAILS="${LOCAL_REPO_MAP[$i]} $REBASE_FAILS"
fi
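Review bot: the rebase target is now `${COMMIT_IDS_BY_SUBMODULE_PATH[$SUBDIR]}`, unquoted and unchecked; if the array has no entry for that path the expansion is empty and `git rebase` runs without an upstream argument instead of failing clearly. Check that the entry is non-empty before the rebase. Separately, `if ! $(git ... >/dev/null); then` wraps the command in a command substitution for no reason; `if ! git -C ... rebase ... >/dev/null; then` tests the same exit status without trying to execute the empty output.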
@ -742,12 +751,13 @@ rm -rf $BUNDLE_DIR
rm -rf $CMP_DIR
rm -rf checkdir
osc service localrun format_spec_file
# First, make the results of the older format_spec_file look like what I believe is the intended output
# And then change THE POSSIBLY BROKEN OUTPUT from the new format_spec_file look like what I
# believe is the intended output
sed -i 's/^# spec file for package qemu$/# spec file for package qemu%{name_suffix}/g' qemu.spec
sed -i 's/^# spec file for package qemu-linux-user$/# spec file for package qemu%{name_suffix}/g' qemu.spec
osc service localrun format_spec_file || true
# Repair what I feel is incorrect modification of the package name in the header.
# Be aware that when checking into build service you should use --noservice, since we've
# already run this and --noservice will prevent the modification from happening at checkin
# time.
sed -i 's/^# spec file for package qemu%{name_suffix}$/# spec file for package qemu/g' qemu.spec
sed -i 's/^# spec file for package qemu-linux-user$/# spec file for package qemu/g' qemu.spec
}
#==============================================================================
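Review bot: `osc service localrun format_spec_file || true` discards every failure of the service, so a spec file that was never formatted goes on to the `sed` fix-ups unnoticed. Print a warning when the command fails, or match the specific failure that is being worked around. The second `sed -i` line also rewrites a `qemu-linux-user` header to `qemu`; a short comment on why both names map to the same header would help.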
@ -808,7 +818,7 @@ if [[ ! -e $(readlink -f ${LOCAL_REPO_MAP[0]}) ]]; then
git -c init.defaultBranch=$GIT_BRANCH init ${LOCAL_REPO_MAP[0]}
git -C ${LOCAL_REPO_MAP[0]} remote add origin $PACKAGE_MAIN_GIT_REPO &>/dev/null
git -C ${LOCAL_REPO_MAP[0]} fetch origin +refs/tags/initial:refs/tags/initial --no-tags
git -C ${LOCAL_REPO_MAP[0]} reset --hard initial
git -C ${LOCAL_REPO_MAP[0]} reset --hard --recurse-submodules initial
#TODO: The next is not actually used - get rid of when we decide for sure it won't get used
GIT_UPSTREAM_COMMIT=$(git -C ${LOCAL_REPO_MAP[0]} ls-remote origin |grep -F "$GIT_UPSTREAM_COMMIT_ISH^{}"|awk '{print $1}')
# Here we've changed to use *COMMIT_ISH, not *_COMMIT - is that an issue?
@ -890,6 +900,15 @@ for (( i=0; i <$REPO_COUNT; i++ )); do
fi
fi
fi
# The following is unfortunately needed due to an improper removal of roms/openhackware
# in the qemu v5.0.0 timeframe. After checking out a new $GIT_BRANCH, check for
# whether commit b2ce76a0730e48e60633a698cd876d55917ac9bc is in ancestry and
# if so, make sure that roms/openhackware is gone, so we have a clean local repo dir
if [[ "$i" = "0" ]]; then
if $(git -C ${LOCAL_REPO_MAP[$i]} merge-base --is-ancestor b2ce76a0730e48e60633a698cd876d55917ac9bc HEAD); then
(cd ${LOCAL_REPO_MAP[$i]} && rm -rf roms/openhackware/ >/dev/null)
fi
fi
# This does additional setup now that we've possibly grabbed additional submodules
if ! git -C ${LOCAL_REPO_MAP[$i]} submodule update --init --recursive &> /dev/null; then
echo "Please clean up state of local repo ${LOCAL_REPO_MAP[$i]} before using script"
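Review bot: `git merge-base --is-ancestor` exits 1 for "not an ancestor" but also exits non-zero with an error when the commit object is missing from the repository, and the `if $( ... )` form treats both the same, so a clone that lacks that commit silently skips the cleanup. Drop the `$( )` wrapper and distinguish exit status 1 from other failures. In the `cd ${LOCAL_REPO_MAP[$i]} && rm -rf roms/openhackware/` line the path should be quoted; the `&&` already keeps the `rm` from running in the wrong directory if the `cd` fails.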

@ -0,0 +1,51 @@
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 23 Feb 2021 14:46:42 +0000
Subject: vhost-user-blk: fix blkcfg->num_queues endianness
Git-commit: 535255b43898d2e96744057eb86f8497d4d7a461
Treat the num_queues field as virtio-endian. On big-endian hosts the
vhost-user-blk num_queues field was in the wrong endianness.
Move the blkcfg.num_queues store operation from realize to
vhost_user_blk_update_config() so feature negotiation has finished and
we know the endianness of the device. VIRTIO 1.0 devices are
little-endian, but in case someone wants to use legacy VIRTIO we support
all endianness cases.
Cc: qemu-stable@nongnu.org
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20210223144653.811468-2-stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/block/vhost-user-blk.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/hw/block/vhost-user-blk.c b/hw/block/vhost-user-blk.c
index 2dd3d93ca02f077b9fe8aaaa4d14..d9d9dc8a890d9d24b772c029e57f 100644
--- a/hw/block/vhost-user-blk.c
+++ b/hw/block/vhost-user-blk.c
@@ -53,6 +53,9 @@ static void vhost_user_blk_update_config(VirtIODevice *vdev, uint8_t *config)
{
VHostUserBlk *s = VHOST_USER_BLK(vdev);
+ /* Our num_queues overrides the device backend */
+ virtio_stw_p(vdev, &s->blkcfg.num_queues, s->num_queues);
+
memcpy(config, &s->blkcfg, sizeof(struct virtio_blk_config));
}
@@ -490,10 +493,6 @@ reconnect:
goto reconnect;
}
- if (s->blkcfg.num_queues != s->num_queues) {
- s->blkcfg.num_queues = s->num_queues;
- }
-
return;
virtio_err:
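Review bot: with the assignment removed from realize, `s->blkcfg.num_queues` holds the backend's value until `vhost_user_blk_update_config()` first runs, and that function now writes to `s->blkcfg` on every config read. Confirm that no other path reads `s->blkcfg.num_queues` directly or copies `s->blkcfg` to the guest without going through this function; if one exists, it will expose the backend's queue count rather than `s->num_queues`.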