From 2746ce73b52c940ea1c602a0c892ce67176ada735ced84da6c14252c2dd18f75 Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Wed, 17 Mar 2021 01:17:25 +0000 Subject: [PATCH] Accepting request 879536 from home:bfrogers:branches:Virtualization - Fix DoS in e1000 emulated device (CVE-2021-20257 bsc#1182577) e1000-fail-early-for-evil-descriptor.patch - Fix incorrect guest data in s390x PCI passthrough (bsc#1183372) s390x-pci-restore-missing-Query-PCI-Func.patch - Include upstream patches designated as stable material and reviewed for applicability to include here lsilogic-Use-PCIDevice-exit-instead-of-D.patch vhost-user-blk-fix-blkcfg-num_queues-end.patch - Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137) 9pfs-Fully-restart-unreclaim-loop-CVE-20.patch - Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639) net-vmxnet3-validate-configuration-value.patch OBS-URL: https://build.opensuse.org/request/show/879536 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=629 --- ...-Fully-restart-unreclaim-loop-CVE-20.patch | 76 +++++++++ bundles.tar.xz | 4 +- config.sh | 3 + e1000-fail-early-for-evil-descriptor.patch | 50 ++++++ ...ogic-Use-PCIDevice-exit-instead-of-D.patch | 52 +++++++ ...vmxnet3-validate-configuration-value.patch | 74 +++++++++ qemu.changes | 25 +++ qemu.spec | 146 ++++++++++-------- qemu.spec.in | 2 +- ...x-pci-restore-missing-Query-PCI-Func.patch | 41 +++++ update_git.sh | 55 ++++--- ...t-user-blk-fix-blkcfg-num_queues-end.patch | 51 ++++++ 12 files changed, 491 insertions(+), 88 deletions(-) create mode 100644 9pfs-Fully-restart-unreclaim-loop-CVE-20.patch create mode 100644 e1000-fail-early-for-evil-descriptor.patch create mode 100644 lsilogic-Use-PCIDevice-exit-instead-of-D.patch create mode 100644 net-vmxnet3-validate-configuration-value.patch create mode 100644 s390x-pci-restore-missing-Query-PCI-Func.patch create mode 100644 vhost-user-blk-fix-blkcfg-num_queues-end.patch 
diff --git a/9pfs-Fully-restart-unreclaim-loop-CVE-20.patch b/9pfs-Fully-restart-unreclaim-loop-CVE-20.patch
new file mode 100644
index 00000000..f7d93ac4
--- /dev/null
+++ b/9pfs-Fully-restart-unreclaim-loop-CVE-20.patch
@@ -0,0 +1,76 @@
+From: Greg Kurz
+Date: Thu, 14 Jan 2021 17:04:12 +0100
+Subject: 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
+
+Git-commit: 89fbea8737e8f7b954745a1ffc4238d377055305
+Reference: bsc#1182137
+
+Depending on the client activity, the server can be asked to open a huge
+number of file descriptors and eventually hit RLIMIT_NOFILE. This is
+currently mitigated using a reclaim logic : the server closes the file
+descriptors of idle fids, based on the assumption that it will be able
+to re-open them later. This assumption doesn't hold of course if the
+client requests the file to be unlinked. In this case, we loop on the
+entire fid list and mark all related fids as unreclaimable (the reclaim
+logic will just ignore them) and, of course, we open or re-open their
+file descriptors if needed since we're about to unlink the file.
+
+This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
+opening of a file can cause the coroutine to yield, another client
+request could possibly add a new fid that we may want to mark as
+non-reclaimable as well. The loop is thus restarted if the re-open
+request was actually transmitted to the backend. This is achieved
+by keeping a reference on the first fid (head) before traversing
+the list.
+
+This is wrong in several ways:
+- a potential clunk request from the client could tear the first
+ fid down and cause the reference to be stale. This leads to a
+ use-after-free error that can be detected with ASAN, using a
+ custom 9p client
+- fids are added at the head of the list : restarting from the
+ previous head will always miss fids added by a some other
+ potential request
+
+All these problems could be avoided if fids were being added at the
+end of the list. This can be achieved with a QSIMPLEQ, but this is
+probably too much change for a bug fix. For now let's keep it
+simple and just restart the loop from the current head.
+ +Fixes: CVE-2021-20181 +Buglink: https://bugs.launchpad.net/qemu/+bug/1911666 +Reported-by: Zero Day Initiative +Reviewed-by: Christian Schoenebeck +Reviewed-by: Stefano Stabellini +Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan> +Signed-off-by: Greg Kurz +Signed-off-by: Bruce Rogers +--- + hw/9pfs/9p.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index 94df440fc74004bfa45b3fe30540..6026b51a1c04ee82d6366cb13d50 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) + { + int err; + V9fsState *s = pdu->s; +- V9fsFidState *fidp, head_fid; ++ V9fsFidState *fidp; + +- head_fid.next = s->fid_list; ++again: + for (fidp = s->fid_list; fidp; fidp = fidp->next) { + if (fidp->path.size != path->size) { + continue; +@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) + * switched to the worker thread + */ + if (err == 0) { +- fidp = &head_fid; ++ goto again; + } + } + } diff --git a/bundles.tar.xz b/bundles.tar.xz index e7476f0c..c4106a76 100644 --- a/bundles.tar.xz +++ b/bundles.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:8f34342c09f25d5f80567221c26c96a68715145241afd35dbcc6796cec7c0f69 -size 64884 +oid sha256:b7ff5cf2fc82b361e7b07710e20758d230d543d7d1c967bdf131b5793573207e +size 68660 diff --git a/config.sh b/config.sh index 3b7a8fcc..3dfe773b 100644 --- a/config.sh +++ b/config.sh @@ -37,6 +37,9 @@ NUMBERED_PATCHES=0 PATCH_RANGE=1000 +# For compatibility with old packages, we include this option +OVERRIDE_FIVE_DIGIT_NUMBERING=0 + # This array tracks all git submodule paths within the superproject (1st entry) PATCH_PATH_MAP=( "" diff --git a/e1000-fail-early-for-evil-descriptor.patch b/e1000-fail-early-for-evil-descriptor.patch new file mode 100644 index 00000000..3267b735 --- /dev/null 
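Review bot: The `again:` label added above the `for` loop in v9fs_mark_fids_unreclaim() has no comment, so the reason for rescanning from `s->fid_list` is recorded only in the patch description. I would add `/* Restart from the current head: fids are added at the head and the list may have changed while the reopen yielded. */` at the label. Termination of the restart relies on the reopen step returning non-zero for fids that need no reopen, which the nested hunks do not show; worth confirming, since every `err == 0` now rescans the entire list. The function body starts and ends outside the nested hunks.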
+++ b/e1000-fail-early-for-evil-descriptor.patch @@ -0,0 +1,50 @@ +From: Jason Wang +Date: Wed, 24 Feb 2021 13:45:28 +0800 +Subject: e1000: fail early for evil descriptor + +Git-commit: 3de46e6fc489c52c9431a8a832ad8170a7569bd8 +References: bsc#1182577, CVE-2021-20257 + +During procss_tx_desc(), driver can try to chain data descriptor with +legacy descriptor, when will lead underflow for the following +calculation in process_tx_desc() for bytes: + + if (tp->size + bytes > msh) + bytes = msh - tp->size; + +This will lead a infinite loop. So check and fail early if tp->size if +greater or equal to msh. + +Reported-by: Alexander Bulekov +Reported-by: Cheolwoo Myung +Reported-by: Ruhr-University Bochum +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang +Signed-off-by: Bruce Rogers +--- + hw/net/e1000.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index d7d05ae30afafb2e7979c74564a6..02a446b89bae0dec0acdefa54760 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + msh = tp->tso_props.hdr_len + tp->tso_props.mss; + do { + bytes = split_size; ++ if (tp->size >= msh) { ++ goto eop; ++ } + if (tp->size + bytes > msh) + bytes = msh - tp->size; + +@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + tp->size += split_size; + } + ++eop: + if (!(txd_lower & E1000_TXD_CMD_EOP)) + return; + if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) { diff --git a/lsilogic-Use-PCIDevice-exit-instead-of-D.patch b/lsilogic-Use-PCIDevice-exit-instead-of-D.patch new file mode 100644 index 00000000..b9ea25fe --- /dev/null +++ b/lsilogic-Use-PCIDevice-exit-instead-of-D.patch 
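Review bot: The new guard `if (tp->size >= msh) goto eop;` in process_tx_desc() is uncommented, and the reason it exists (the clamp `bytes = msh - tp->size` just below it would otherwise underflow) is stated only in the patch description. I would put `/* tp->size >= msh would underflow the clamp below and the loop would never finish */` above the check. The descriptor is also skipped silently; if this file has a guest-error logging convention, a log line here would make a misbehaving guest driver visible to whoever operates the host. The `do` loop and the rest of the function lie outside the hunk.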
@@ -0,0 +1,52 @@ +From: Peng Liang +Date: Tue, 2 Mar 2021 21:30:16 +0800 +Subject: lsilogic: Use PCIDevice::exit instead of DeviceState::unrealize + +Git-commit: faabca42cc4ff51110116dfe44d420c668b4d8d8 + +PCI_DEVICE has overwritten DeviceState::unrealize (pci_qdev_unrealize). +However, LSI53C895A, which is a subclass of PCI_DEVICE, overwrites it +again and doesn't save the parent's implementation so the PCI_DEVICE's +implementation of DeviceState::unrealize will never be called when +unrealize a LSI53C895A device. And it will lead to memory leak and +unplug failure. + +For a PCI device, it's better to implement PCIDevice::exit instead of +DeviceState::unrealize. So let's change to use PCIDevice::exit. + +Fixes: a8632434c7e9 ("lsi: implement I/O memory space for Memory Move instructions") +Cc: qemu-stable@nongnu.org +Signed-off-by: Peng Liang +Message-Id: <20210302133016.1221081-1-liangpeng10@huawei.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Bruce Rogers +--- + hw/scsi/lsi53c895a.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 7d13c7dc1c46e8a32ed0e3e090ff..af46c62f0d78268b52d19ca9fd07 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -2312,7 +2312,7 @@ static void lsi_scsi_realize(PCIDevice *dev, Error **errp) + scsi_bus_new(&s->bus, sizeof(s->bus), d, &lsi_scsi_info, NULL); + } + +-static void lsi_scsi_unrealize(DeviceState *dev) ++static void lsi_scsi_exit(PCIDevice *dev) + { + LSIState *s = LSI53C895A(dev); + +@@ -2325,11 +2325,11 @@ static void lsi_class_init(ObjectClass *klass, void *data) + PCIDeviceClass *k = PCI_DEVICE_CLASS(klass); + + k->realize = lsi_scsi_realize; ++ k->exit = lsi_scsi_exit; + k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC; + k->device_id = PCI_DEVICE_ID_LSI_53C895A; + k->class_id = PCI_CLASS_STORAGE_SCSI; + k->subsystem_id = 0x1000; +- dc->unrealize = lsi_scsi_unrealize; + dc->reset = lsi_scsi_reset; + dc->vmsd = &vmstate_lsi_scsi; + 
set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); diff --git a/net-vmxnet3-validate-configuration-value.patch b/net-vmxnet3-validate-configuration-value.patch new file mode 100644 index 00000000..ba410357 --- /dev/null +++ b/net-vmxnet3-validate-configuration-value.patch 
@@ -0,0 +1,74 @@ +From: Prasad J Pandit +Date: Sat, 30 Jan 2021 18:46:52 +0530 +Subject: net: vmxnet3: validate configuration values during activate + (CVE-2021-20203) + +Git-commit: 0000000000000000000000000000000000000000 +References: bsc#1181639 + +While activating device in vmxnet3_acticate_device(), it does not +validate guest supplied configuration values against predefined +minimum - maximum limits. This may lead to integer overflow or +OOB access issues. Add checks to avoid it. + +Fixes: CVE-2021-20203 +Buglink: https://bugs.launchpad.net/qemu/+bug/1913873 +Reported-by: Gaoning Pan +Signed-off-by: Prasad J Pandit +Signed-off-by: Bruce Rogers +--- + hw/net/vmxnet3.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index eff299f6290cee3e784d93561798..4a910ca97188df056219062c30da 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) + vmxnet3_setup_rx_filtering(s); + /* Cache fields from shared memory */ + s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); ++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); + VMW_CFPRN("MTU is %u", s->mtu); + + s->max_rx_frags = +@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* Read rings memory locations for TX queues */ + pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); + size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); ++ if (size > VMXNET3_TX_RING_MAX_SIZE) { ++ size = VMXNET3_TX_RING_MAX_SIZE; ++ } + + vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, + sizeof(struct Vmxnet3_TxDesc), false); +@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* TXC ring */ + pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); + size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); ++ if (size > VMXNET3_TC_RING_MAX_SIZE) { ++ size = 
VMXNET3_TC_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, + sizeof(struct Vmxnet3_TxCompDesc), true); + VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring); +@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* RX rings */ + pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); + size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); ++ if (size > VMXNET3_RX_RING_MAX_SIZE) { ++ size = VMXNET3_RX_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, + sizeof(struct Vmxnet3_RxDesc), false); + VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d", +@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) + /* RXC ring */ + pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); + size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); ++ if (size > VMXNET3_RC_RING_MAX_SIZE) { ++ size = VMXNET3_RC_RING_MAX_SIZE; ++ } + vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, + sizeof(struct Vmxnet3_RxCompDesc), true); + VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size); diff --git a/qemu.changes b/qemu.changes index b37b1a2b..fdbbc1ff 100644 --- a/qemu.changes +++ b/qemu.changes 
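Review bot: The added `assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);` in vmxnet3_activate_device() checks a value read from guest shared memory, so an out-of-range MTU aborts the whole QEMU process instead of being rejected, trading the memory-safety issue for a guest-triggerable denial of service. An explicit check that logs and bails out is safer, e.g. `if (s->mtu < VMXNET3_MIN_MTU || s->mtu >= VMXNET3_MAX_MTU) { qemu_log_mask(LOG_GUEST_ERROR, "vmxnet3: bad MTU %u\n", s->mtu); return; }`; what must be undone on that early return depends on code outside the hunk. The strict `<` also rejects VMXNET3_MAX_MTU itself, which looks unintended. The four ring-size clamps bound only the maximum, although the description promises minimum and maximum limits, so a zero or undersized ring still reaches vmxnet3_ring_init().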
@@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Tue Mar 16 22:33:26 UTC 2021 - Bruce Rogers + +- Fix DoS in e1000 emulated device (CVE-2021-20257 bsc#1182577) + e1000-fail-early-for-evil-descriptor.patch + +------------------------------------------------------------------- +Mon Mar 15 17:52:47 UTC 2021 - Bruce Rogers + +- Fix incorrect guest data in s390x PCI passthrough (bsc#1183372) + s390x-pci-restore-missing-Query-PCI-Func.patch + +------------------------------------------------------------------- +Fri Mar 12 20:00:30 UTC 2021 - Bruce Rogers + +- Include upstream patches designated as stable material and + reviewed for applicability to include here + lsilogic-Use-PCIDevice-exit-instead-of-D.patch + vhost-user-blk-fix-blkcfg-num_queues-end.patch +- Fix potential privilege escalation in virtfs (CVE-2021-20181 + bsc#1182137) + 9pfs-Fully-restart-unreclaim-loop-CVE-20.patch +- Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639) + net-vmxnet3-validate-configuration-value.patch + ------------------------------------------------------------------- Fri Mar 12 19:22:46 UTC 2021 - Dominique Leuenberger diff --git a/qemu.spec b/qemu.spec index 97741920..3bc37425 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -145,67 +145,73 @@ Patch00009: hw-timer-slavio_timer-Allow-64-bit-acces.patch Patch00010: target-arm-Fix-MTE0_ACTIVE.patch Patch00011: target-arm-Don-t-decode-insns-in-the-XSc.patch Patch00012: hw-net-lan9118-Fix-RX-Status-FIFO-PEEK-v.patch -Patch00013: target-arm-Introduce-PREDDESC-field-defi.patch -Patch00014: target-arm-Update-PFIRST-PNEXT-for-pred_.patch -Patch00015: target-arm-Update-ZIP-UZP-TRN-for-pred_d.patch -Patch00016: target-arm-Update-REV-PUNPK-for-pred_des.patch -Patch00017: net-Fix-handling-of-id-in-netdev_add-and.patch -Patch00018: block-Separate-blk_is_writable-and-blk_s.patch -Patch00019: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD.patch -Patch00020: virtio-move-use-disabled-flag-property-t.patch -Patch00021: qemu-nbd-Use-SOMAXCONN-for-socket-listen.patch -Patch00022: qemu-storage-daemon-Enable-object-add.patch -Patch00023: blockjob-Fix-crash-with-IOthread-when-bl.patch -Patch00024: monitor-Fix-assertion-failure-on-shutdow.patch -Patch00025: spice-app-avoid-crash-when-core-spice-mo.patch -Patch00026: i386-acpi-restore-device-paths-for-pre-5.patch -Patch00027: hw-s390x-fix-build-for-virtio-9p-ccw.patch -Patch00028: hw-s390x-modularize-virtio-gpu-ccw.patch -Patch00029: XXX-dont-dump-core-on-sigabort.patch -Patch00030: qemu-binfmt-conf-Modify-default-path.patch -Patch00031: qemu-cvs-gettimeofday.patch -Patch00032: qemu-cvs-ioctl_debug.patch -Patch00033: qemu-cvs-ioctl_nodirection.patch -Patch00034: linux-user-add-binfmt-wrapper-for-argv-0.patch -Patch00035: PPC-KVM-Disable-mmu-notifier-check.patch -Patch00036: linux-user-binfmt-support-host-binaries.patch -Patch00037: linux-user-Fake-proc-cpuinfo.patch -Patch00038: linux-user-use-target_ulong.patch -Patch00039: Make-char-muxer-more-robust-wrt-small-FI.patch -Patch00040: linux-user-lseek-explicitly-cast-non-set.patch -Patch00041: AIO-Reduce-number-of-threads-for-32bit-h.patch -Patch00042: xen_disk-Add-suse-specific-flush-disable.patch -Patch00043: qemu-bridge-helper-reduce-security-profi.patch 
-Patch00044: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch -Patch00045: roms-Makefile-pass-a-packaging-timestamp.patch -Patch00046: Raise-soft-address-space-limit-to-hard-l.patch -Patch00047: increase-x86_64-physical-bits-to-42.patch -Patch00048: i8254-Fix-migration-from-SLE11-SP2.patch -Patch00049: acpi_piix4-Fix-migration-from-SLE11-SP2.patch -Patch00050: Make-installed-scripts-explicitly-python.patch -Patch00051: hw-smbios-handle-both-file-formats-regar.patch -Patch00052: xen-add-block-resize-support-for-xen-dis.patch -Patch00053: tests-qemu-iotests-Triple-timeout-of-i-o.patch -Patch00054: tests-Fix-block-tests-to-be-compatible-w.patch -Patch00055: xen-ignore-live-parameter-from-xen-save-.patch -Patch00056: tests-change-error-message-in-test-162.patch -Patch00057: hw-intc-exynos4210_gic-provide-more-room.patch -Patch00058: configure-only-populate-roms-if-softmmu.patch -Patch00059: pc-bios-s390-ccw-net-avoid-warning-about.patch -Patch00060: roms-change-cross-compiler-naming-to-be-.patch -Patch00061: test-add-mapping-from-arch-of-i686-to-qe.patch -Patch00062: configure-remove-pkgversion-from-CONFIG_.patch -Patch00063: docs-add-SUSE-support-statements-to-html.patch -Patch00064: s390x-Fix-stringop-truncation-issue-repo.patch -Patch00065: Revert-qht-constify-qht_statistics_init.patch -Patch00066: qht-Revert-some-constification-in-qht.c.patch -Patch00067: meson-install-ivshmem-client-and-ivshmem.patch -Patch00068: Revert-roms-efirom-tests-uefi-test-tools.patch -Patch00069: Makefile-Don-t-check-pc-bios-as-pre-requ.patch -Patch00070: roms-Makefile-add-cross-file-to-qboot-me.patch -Patch00071: usb-Help-compiler-out-to-avoid-a-warning.patch -Patch00072: module-for-virtio-gpu-pre-load-module-to.patch -Patch00073: qom-handle-case-of-chardev-spice-module-.patch +Patch00013: 9pfs-Fully-restart-unreclaim-loop-CVE-20.patch +Patch00014: target-arm-Introduce-PREDDESC-field-defi.patch +Patch00015: target-arm-Update-PFIRST-PNEXT-for-pred_.patch +Patch00016: 
target-arm-Update-ZIP-UZP-TRN-for-pred_d.patch +Patch00017: target-arm-Update-REV-PUNPK-for-pred_des.patch +Patch00018: net-Fix-handling-of-id-in-netdev_add-and.patch +Patch00019: block-Separate-blk_is_writable-and-blk_s.patch +Patch00020: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD.patch +Patch00021: virtio-move-use-disabled-flag-property-t.patch +Patch00022: qemu-nbd-Use-SOMAXCONN-for-socket-listen.patch +Patch00023: qemu-storage-daemon-Enable-object-add.patch +Patch00024: blockjob-Fix-crash-with-IOthread-when-bl.patch +Patch00025: monitor-Fix-assertion-failure-on-shutdow.patch +Patch00026: spice-app-avoid-crash-when-core-spice-mo.patch +Patch00027: i386-acpi-restore-device-paths-for-pre-5.patch +Patch00028: hw-s390x-fix-build-for-virtio-9p-ccw.patch +Patch00029: s390x-pci-restore-missing-Query-PCI-Func.patch +Patch00030: lsilogic-Use-PCIDevice-exit-instead-of-D.patch +Patch00031: vhost-user-blk-fix-blkcfg-num_queues-end.patch +Patch00032: e1000-fail-early-for-evil-descriptor.patch +Patch00033: hw-s390x-modularize-virtio-gpu-ccw.patch +Patch00034: net-vmxnet3-validate-configuration-value.patch +Patch00035: XXX-dont-dump-core-on-sigabort.patch +Patch00036: qemu-binfmt-conf-Modify-default-path.patch +Patch00037: qemu-cvs-gettimeofday.patch +Patch00038: qemu-cvs-ioctl_debug.patch +Patch00039: qemu-cvs-ioctl_nodirection.patch +Patch00040: linux-user-add-binfmt-wrapper-for-argv-0.patch +Patch00041: PPC-KVM-Disable-mmu-notifier-check.patch +Patch00042: linux-user-binfmt-support-host-binaries.patch +Patch00043: linux-user-Fake-proc-cpuinfo.patch +Patch00044: linux-user-use-target_ulong.patch +Patch00045: Make-char-muxer-more-robust-wrt-small-FI.patch +Patch00046: linux-user-lseek-explicitly-cast-non-set.patch +Patch00047: AIO-Reduce-number-of-threads-for-32bit-h.patch +Patch00048: xen_disk-Add-suse-specific-flush-disable.patch +Patch00049: qemu-bridge-helper-reduce-security-profi.patch +Patch00050: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch +Patch00051: 
roms-Makefile-pass-a-packaging-timestamp.patch +Patch00052: Raise-soft-address-space-limit-to-hard-l.patch +Patch00053: increase-x86_64-physical-bits-to-42.patch +Patch00054: i8254-Fix-migration-from-SLE11-SP2.patch +Patch00055: acpi_piix4-Fix-migration-from-SLE11-SP2.patch +Patch00056: Make-installed-scripts-explicitly-python.patch +Patch00057: hw-smbios-handle-both-file-formats-regar.patch +Patch00058: xen-add-block-resize-support-for-xen-dis.patch +Patch00059: tests-qemu-iotests-Triple-timeout-of-i-o.patch +Patch00060: tests-Fix-block-tests-to-be-compatible-w.patch +Patch00061: xen-ignore-live-parameter-from-xen-save-.patch +Patch00062: tests-change-error-message-in-test-162.patch +Patch00063: hw-intc-exynos4210_gic-provide-more-room.patch +Patch00064: configure-only-populate-roms-if-softmmu.patch +Patch00065: pc-bios-s390-ccw-net-avoid-warning-about.patch +Patch00066: roms-change-cross-compiler-naming-to-be-.patch +Patch00067: test-add-mapping-from-arch-of-i686-to-qe.patch +Patch00068: configure-remove-pkgversion-from-CONFIG_.patch +Patch00069: docs-add-SUSE-support-statements-to-html.patch +Patch00070: s390x-Fix-stringop-truncation-issue-repo.patch +Patch00071: Revert-qht-constify-qht_statistics_init.patch +Patch00072: qht-Revert-some-constification-in-qht.c.patch +Patch00073: meson-install-ivshmem-client-and-ivshmem.patch +Patch00074: Revert-roms-efirom-tests-uefi-test-tools.patch +Patch00075: Makefile-Don-t-check-pc-bios-as-pre-requ.patch +Patch00076: roms-Makefile-add-cross-file-to-qboot-me.patch +Patch00077: usb-Help-compiler-out-to-avoid-a-warning.patch +Patch00078: module-for-virtio-gpu-pre-load-module-to.patch +Patch00079: qom-handle-case-of-chardev-spice-module-.patch # Patches applied in roms/seabios/: Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch 
@@ -1097,23 +1103,29 @@ This package records qemu testsuite results and represents successful testing. %patch00060 -p1 %patch00061 -p1 %patch00062 -p1 -%if %{legacy_qemu_kvm} %patch00063 -p1 -%endif %patch00064 -p1 %patch00065 -p1 %patch00066 -p1 %patch00067 -p1 %patch00068 -p1 +%if %{legacy_qemu_kvm} %patch00069 -p1 -%ifarch aarch64 +%endif %patch00070 -p1 -%endif -%ifarch %arm %ix86 ppc %patch00071 -p1 -%endif %patch00072 -p1 %patch00073 -p1 +%patch00074 -p1 +%patch00075 -p1 +%ifarch aarch64 +%patch00076 -p1 +%endif +%ifarch %arm %ix86 ppc +%patch00077 -p1 +%endif +%patch00078 -p1 +%patch00079 -p1 %patch01000 -p1 %patch01001 -p1 %patch01002 -p1 diff --git a/qemu.spec.in b/qemu.spec.in index a2a64d44..b65793d5 100644 --- a/qemu.spec.in +++ b/qemu.spec.in @@ -1,5 +1,5 @@ # -# spec file for package qemu%{name_suffix} +# spec file for package qemu # # Copyright (c) 2021 SUSE LLC # diff --git a/s390x-pci-restore-missing-Query-PCI-Func.patch b/s390x-pci-restore-missing-Query-PCI-Func.patch new file mode 100644 index 00000000..680747b3 --- /dev/null +++ b/s390x-pci-restore-missing-Query-PCI-Func.patch 
@@ -0,0 +1,41 @@ +From: Matthew Rosato +Date: Thu, 18 Feb 2021 15:53:29 -0500 +Subject: s390x/pci: restore missing Query PCI Function CLP data + +Git-commit: 403af209db8c030ed1e000640cd3cd80c6882883 +References: bsc#1183372 + +Some CLP response data was accidentally dropped when fixing endianness +issues with the Query PCI Function CLP response. All of these values are +sent as 0s to the guest for emulated devices, so the impact is only +observed on passthrough devices. + +Fixes: a4e2fff1b104 ("s390x/pci: fix endianness issues") +Signed-off-by: Matthew Rosato +Message-Id: <1613681609-9349-1-git-send-email-mjrosato@linux.ibm.com> +Signed-off-by: Cornelia Huck +Signed-off-by: Bruce Rogers +--- + hw/s390x/s390-pci-inst.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/s390x/s390-pci-inst.c b/hw/s390x/s390-pci-inst.c +index 70bfd91bf70edafaa7c93469f459..f0ed9ea6f96b1202521ae434e680 100644 +--- a/hw/s390x/s390-pci-inst.c ++++ b/hw/s390x/s390-pci-inst.c +@@ -284,10 +284,15 @@ int clp_service_call(S390CPU *cpu, uint8_t r2, uintptr_t ra) + stq_p(&resquery->sdma, pbdev->zpci_fn.sdma); + stq_p(&resquery->edma, pbdev->zpci_fn.edma); + stw_p(&resquery->pchid, pbdev->zpci_fn.pchid); ++ stw_p(&resquery->vfn, pbdev->zpci_fn.vfn); + resquery->flags = pbdev->zpci_fn.flags; + resquery->pfgid = pbdev->zpci_fn.pfgid; ++ resquery->pft = pbdev->zpci_fn.pft; ++ resquery->fmbl = pbdev->zpci_fn.fmbl; + stl_p(&resquery->fid, pbdev->zpci_fn.fid); + stl_p(&resquery->uid, pbdev->zpci_fn.uid); ++ memcpy(resquery->pfip, pbdev->zpci_fn.pfip, CLP_PFIP_NR_SEGMENTS); ++ memcpy(resquery->util_str, pbdev->zpci_fn.util_str, CLP_UTIL_STR_LEN); + + for (i = 0; i < PCI_BAR_COUNT; i++) { + uint32_t data = pci_get_long(pbdev->pdev->config + diff --git a/update_git.sh b/update_git.sh index a242b888..1045dd13 100644 --- a/update_git.sh +++ b/update_git.sh 
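Review bot: The two added `memcpy` calls in clp_service_call() take their length from `CLP_PFIP_NR_SEGMENTS` and `CLP_UTIL_STR_LEN` rather than from the destination, which is correct only if both fields are byte arrays of exactly those sizes in both structures; the declarations are not part of this hunk. Tying the length to the destination keeps the copy into the guest-visible response in bounds if either definition changes: `memcpy(resquery->pfip, pbdev->zpci_fn.pfip, sizeof(resquery->pfip));` and the same for `util_str`. A build-time check that source and destination fields have equal size would cover the read side as well.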
@@ -10,6 +10,14 @@ set -e # # (default is git2pkg) +# As an aid to bypassing issues with our multibuild package and obs (see code +# below following the osc localrun of osc service localrun format_spec_file), +# provide an automated way to checkin without needing to type so much +if [ "$1" = "ci" ]; then + osc ci -f -n --noservice + exit +fi + #============================================================================== check_requirements() { @@ -95,7 +103,11 @@ check_requirements # Zero based numbering, so we subtract 1 here: if (( (REPO_COUNT * PATCH_RANGE) - 1 > 9999 )); then - FIVE_DIGIT_POTENTIAL=1 + if [[ "$OVERRIDE_FIVE_DIGIT_NUMBERING" = "1" ]]; then + FIVE_DIGIT_POTENTIAL=0 + else + FIVE_DIGIT_POTENTIAL=1 + fi else FIVE_DIGIT_POTENTIAL=0 fi @@ -153,6 +165,10 @@ if [[ -e ${LOCAL_REPO_MAP[$i]}/.git/shallow ]]; then exit fi else +#TODO: Is there a better way to do this (we don't want the old bundle commit id's relied on HERE for LATEST) + if [[ "$GIT_UPSTREAM_COMMIT_ISH" = "LATEST" ]]; then + rm bundles.tar.xz + fi if [[ -e bundles.tar.xz ]]; then tar --extract --xz -f bundles.tar.xz -C $BUNDLE_DIR . else @@ -287,7 +303,7 @@ echo "Please wait..." (cd $GIT_DIR && git remote add upstream \ $UPSTREAM_GIT_REPO &>/dev/null) (cd $GIT_DIR && git remote update upstream &>/dev/null) -(cd $GIT_DIR && git reset --hard $NEW_COMMIT_ISH &>/dev/null) +(cd $GIT_DIR && git reset --hard --recurse-submodules $NEW_COMMIT_ISH &>/dev/null) # As an alternative, we could add a --recurse-submodules to the checkout instead here as well, right? #UPSTREAM DOESNT DO THIS (time takes 17 minutes!): # (cd $GIT_DIR && git submodule update --init --recursive &>/dev/null) 
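Review bot: In the `LATEST` branch added ahead of the bundle extraction, `rm bundles.tar.xz` runs under the script's `set -e`, so a working copy without that file aborts the script just before the `[[ -e bundles.tar.xz ]]` test that is meant to handle its absence. Use `rm -f bundles.tar.xz`. In the first hunk the `ci` shortcut passes `-f -n` to `osc ci`; a one-line comment saying why those flags are wanted would help the next maintainer.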
@@ -346,25 +362,18 @@ COMMIT_IDS_BY_SUBMODULE_PATH[SUPERPROJECT]=$NEW_COMMIT_ISH_FULL bundle2local #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -# REBASE frombundle patches USING COMMIT_IDS_BY_SUBMODULE, ALSO USING OLD ID'S STORED IN OLD BUNDLE +# REBASE $GIT_BRANCH's on latest COMMIT_IDS_FROM_SUBMODULE_PATH, after reseting branch to frombundle branch #!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -mkdir -p $BUNDLE_DIR -tar xJf bundles.tar.xz -C $BUNDLE_DIR -# Now go through all the submodule local repos that are present and create a bundle file for the patches found there for (( i=0; i <$REPO_COUNT; i++ )); do if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then if $(git -C ${LOCAL_REPO_MAP[$i]} branch | grep -F "frombundle" >/dev/null); then SUBDIR=${PATCH_PATH_MAP[$i]} - GITREPO_COMMIT_ISH=($BUNDLE_DIR/$SUBDIR*.id) - if [[ $GITREPO_COMMIT_ISH =~ .*(.{40})[.]id ]]; then - GITREPO_COMMIT_ISH=${BASH_REMATCH[1]} - fi git -C ${LOCAL_REPO_MAP[$i]} checkout -B $GIT_BRANCH frombundle if [[ "$SUBDIR" = "" ]]; then SUBDIR=SUPERPROJECT fi - if ! $(git -C ${LOCAL_REPO_MAP[$i]} rebase $GITREPO_COMMIT_ISH >/dev/null); then + if ! $(git -C ${LOCAL_REPO_MAP[$i]} rebase ${COMMIT_IDS_BY_SUBMODULE_PATH[$SUBDIR]} >/dev/null); then echo "Rebase of ${LOCAL_REPO_MAP[$i]}, branch $GIT_BRANCH needs manual help" REBASE_FAILS="${LOCAL_REPO_MAP[$i]} $REBASE_FAILS" fi 
@@ -742,12 +751,13 @@ rm -rf $BUNDLE_DIR rm -rf $CMP_DIR rm -rf checkdir -osc service localrun format_spec_file -# First, make the results of the older format_spec_file look like what I believe is the intended output -# And then change THE POSSIBLY BROKEN OUTPUT from the new format_spec_file look like what I -# believe is the intended output -sed -i 's/^# spec file for package qemu$/# spec file for package qemu%{name_suffix}/g' qemu.spec -sed -i 's/^# spec file for package qemu-linux-user$/# spec file for package qemu%{name_suffix}/g' qemu.spec +osc service localrun format_spec_file || true +# Repair what I feel is incorrect modification of the package name in the header. +# Be aware that when checking into build service you should use --noservice, since we've +# already run this and --noservice will prevent the modification from happening at checkin +# time. +sed -i 's/^# spec file for package qemu%{name_suffix}$/# spec file for package qemu/g' qemu.spec +sed -i 's/^# spec file for package qemu-linux-user$/# spec file for package qemu/g' qemu.spec } #============================================================================== @@ -808,7 +818,7 @@ if [[ ! -e $(readlink -f ${LOCAL_REPO_MAP[0]}) ]]; then git -c init.defaultBranch=$GIT_BRANCH init ${LOCAL_REPO_MAP[0]} git -C ${LOCAL_REPO_MAP[0]} remote add origin $PACKAGE_MAIN_GIT_REPO &>/dev/null git -C ${LOCAL_REPO_MAP[0]} fetch origin +refs/tags/initial:refs/tags/initial --no-tags - git -C ${LOCAL_REPO_MAP[0]} reset --hard initial + git -C ${LOCAL_REPO_MAP[0]} reset --hard --recurse-submodules initial #TODO: The next is not actually used - get rid of when we decide for sure it won't get used GIT_UPSTREAM_COMMIT=$(git -C ${LOCAL_REPO_MAP[0]} ls-remote origin |grep -F "$GIT_UPSTREAM_COMMIT_ISH^{}"|awk '{print $1}') # Here we've changed to use *COMMIT_ISH, not *_COMMIT - is that an issue? 
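Review bot: `osc service localrun format_spec_file || true` discards every failure of the formatter, not only the one the new comment has in mind, and the two `sed` rewrites then run on whatever `qemu.spec` was left behind. Report the failure instead of hiding it, e.g. `osc service localrun format_spec_file || echo "WARNING: format_spec_file failed; qemu.spec not reformatted" >&2`. The enclosing function starts outside the hunk.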
@@ -890,6 +900,15 @@ for (( i=0; i <$REPO_COUNT; i++ )); do fi fi fi + # The following is unfortunately needed due to an improper removal of roms/openhackware + # in the qemu v5.0.0 timeframe. After checking out a new $GIT_BRANCH, check for + # whether commit b2ce76a0730e48e60633a698cd876d55917ac9bc is in ancestry and + # if so, make sure that roms/openhackware is gone, so we have a clean local repo dir + if [[ "$i" = "0" ]]; then + if $(git -C ${LOCAL_REPO_MAP[$i]} merge-base --is-ancestor b2ce76a0730e48e60633a698cd876d55917ac9bc HEAD); then + (cd ${LOCAL_REPO_MAP[$i]} && rm -rf roms/openhackware/ >/dev/null) + fi + fi # This does additional setup now that we've possibly grabbed additional submodules if ! git -C ${LOCAL_REPO_MAP[$i]} submodule update --init --recursive &> /dev/null; then echo "Please clean up state of local repo ${LOCAL_REPO_MAP[$i]} before using script" diff --git a/vhost-user-blk-fix-blkcfg-num_queues-end.patch b/vhost-user-blk-fix-blkcfg-num_queues-end.patch new file mode 100644 index 00000000..5a6886f7 --- /dev/null +++ b/vhost-user-blk-fix-blkcfg-num_queues-end.patch 
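Review bot: The roms/openhackware cleanup runs `rm -rf` behind a `cd` into an unquoted `${LOCAL_REPO_MAP[$i]}`, so a repository path containing whitespace is word-split and the `cd` fails. Quote the path and drop the subshell: `rm -rf -- "${LOCAL_REPO_MAP[$i]}/roms/openhackware"`. The test `if $(git ... merge-base --is-ancestor ...)` would execute any output of the command as a command; `if git -C "${LOCAL_REPO_MAP[$i]}" merge-base --is-ancestor b2ce76a0730e48e60633a698cd876d55917ac9bc HEAD; then` tests the exit status directly. The surrounding loop begins outside the hunk.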
@@ -0,0 +1,51 @@
+From: Stefan Hajnoczi
+Date: Tue, 23 Feb 2021 14:46:42 +0000
+Subject: vhost-user-blk: fix blkcfg->num_queues endianness
+
+Git-commit: 535255b43898d2e96744057eb86f8497d4d7a461
+
+Treat the num_queues field as virtio-endian. On big-endian hosts the
+vhost-user-blk num_queues field was in the wrong endianness.
+
+Move the blkcfg.num_queues store operation from realize to
+vhost_user_blk_update_config() so feature negotiation has finished and
+we know the endianness of the device. VIRTIO 1.0 devices are
+little-endian, but in case someone wants to use legacy VIRTIO we support
+all endianness cases.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Stefan Hajnoczi
+Reviewed-by: Raphael Norwitz
+Reviewed-by: Michael S. Tsirkin
+Message-Id: <20210223144653.811468-2-stefanha@redhat.com>
+Signed-off-by: Kevin Wolf
+Signed-off-by: Bruce Rogers
+---
+ hw/block/vhost-user-blk.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/block/vhost-user-blk.c b/hw/block/vhost-user-blk.c
+index 2dd3d93ca02f077b9fe8aaaa4d14..d9d9dc8a890d9d24b772c029e57f 100644
+--- a/hw/block/vhost-user-blk.c
++++ b/hw/block/vhost-user-blk.c
+@@ -53,6 +53,9 @@ static void vhost_user_blk_update_config(VirtIODevice *vdev, uint8_t *config)
+ {
+ VHostUserBlk *s = VHOST_USER_BLK(vdev);
+
++ /* Our num_queues overrides the device backend */
++ virtio_stw_p(vdev, &s->blkcfg.num_queues, s->num_queues);
++
+ memcpy(config, &s->blkcfg, sizeof(struct virtio_blk_config));
+ }
+
+@@ -490,10 +493,6 @@ reconnect:
+ goto reconnect;
+ }
+
+- if (s->blkcfg.num_queues != s->num_queues) {
+- s->blkcfg.num_queues = s->num_queues;
+- }
+-
+ return;
+
+ virtio_err: