diff --git a/0036-sockets-avoid-string-truncation-war.patch b/0036-sockets-avoid-string-truncation-war.patch index fa0c6625..39b64865 100644 --- a/0036-sockets-avoid-string-truncation-war.patch +++ b/0036-sockets-avoid-string-truncation-war.patch @@ -29,6 +29,7 @@ Reviewed-by: Eric Blake Reviewed-by: Stefano Garzarella Message-Id: <20190501145052.12579-1-berrange@redhat.com> Signed-off-by: Laurent Vivier +(cherry picked from commit 2d2023c3b99edb33ad4bb9791f70456ea1a1c049) Signed-off-by: Bruce Rogers --- util/qemu-sockets.c | 12 ++++++++---- diff --git a/0039-linux-user-avoid-string-truncation-.patch b/0039-linux-user-avoid-string-truncation-.patch index 6454b5d9..7ddd0954 100644 --- a/0039-linux-user-avoid-string-truncation-.patch +++ b/0039-linux-user-avoid-string-truncation-.patch @@ -23,6 +23,7 @@ Reviewed-by: Philippe Mathieu-Daudé Message-Id: <20190501144646.4851-1-berrange@redhat.com> Signed-off-by: Laurent Vivier [BR: Played with indent to avoid error from checkpatch.pl] +(cherry picked from commit b2acfb55962bc8caeaa50a5158da2f701f2c1f7c) Signed-off-by: Bruce Rogers --- linux-user/uname.c | 5 ++--- diff --git a/0040-linux-user-elfload-Fix-GCC-9-build-.patch b/0040-linux-user-elfload-Fix-GCC-9-build-.patch index aa56126b..595de6c9 100644 --- a/0040-linux-user-elfload-Fix-GCC-9-build-.patch +++ b/0040-linux-user-elfload-Fix-GCC-9-build-.patch @@ -19,6 +19,7 @@ Reviewed-by: Laurent Vivier Reviewed-by: Richard Henderson Message-Id: Signed-off-by: Laurent Vivier +(cherry picked from commit d7eb2b928a855a2e8038e8e75f7edf1a12226bd3) Signed-off-by: Bruce Rogers --- linux-user/elfload.c | 2 +- diff --git a/0041-qxl-avoid-unaligned-pointer-reads-w.patch b/0041-qxl-avoid-unaligned-pointer-reads-w.patch new file mode 100644 index 00000000..33e9a718 --- /dev/null +++ b/0041-qxl-avoid-unaligned-pointer-reads-w.patch 
@@ -0,0 +1,144 @@ +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Fri, 12 Apr 2019 13:16:26 +0100 +Subject: qxl: avoid unaligned pointer reads/writes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The SPICE_RING_PROD_ITEM() macro is initializing a local +'uint64_t *' variable to point to the 'el' field inside +the QXLReleaseRing struct. This uint64_t field is not +guaranteed aligned as the struct is packed. + +Code should not take the address of fields within a +packed struct. Changing the SPICE_RING_PROD_ITEM() +macro to avoid taking the address of the field is +impractical. It is clearer to just remove the macro +and inline its functionality in the three call sites +that need it. + +Signed-off-by: Daniel P. Berrangé +Message-Id: <20190412121626.19829-6-berrange@redhat.com> +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 94932c95c10400acd286fd768a6b411e7ebbec8f) +Signed-off-by: Bruce Rogers +--- + hw/display/qxl.c | 55 +++++++++++++++++++++--------------------------- + 1 file changed, 24 insertions(+), 31 deletions(-) + +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index c8ce5781e0..5c38e6e906 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -33,24 +33,6 @@ + + #include "qxl.h" + +-/* +- * NOTE: SPICE_RING_PROD_ITEM accesses memory on the pci bar and as +- * such can be changed by the guest, so to avoid a guest trigerrable +- * abort we just qxl_set_guest_bug and set the return to NULL. Still +- * it may happen as a result of emulator bug as well. 
+- */ +-#undef SPICE_RING_PROD_ITEM +-#define SPICE_RING_PROD_ITEM(qxl, r, ret) { \ +- uint32_t prod = (r)->prod & SPICE_RING_INDEX_MASK(r); \ +- if (prod >= ARRAY_SIZE((r)->items)) { \ +- qxl_set_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch " \ +- "%u >= %zu", prod, ARRAY_SIZE((r)->items)); \ +- ret = NULL; \ +- } else { \ +- ret = &(r)->items[prod].el; \ +- } \ +- } +- + #undef SPICE_RING_CONS_ITEM + #define SPICE_RING_CONS_ITEM(qxl, r, ret) { \ + uint32_t cons = (r)->cons & SPICE_RING_INDEX_MASK(r); \ +@@ -414,7 +396,8 @@ static void init_qxl_rom(PCIQXLDevice *d) + static void init_qxl_ram(PCIQXLDevice *d) + { + uint8_t *buf; +- uint64_t *item; ++ uint32_t prod; ++ QXLReleaseRing *ring; + + buf = d->vga.vram_ptr; + d->ram = (QXLRam *)(buf + le32_to_cpu(d->shadow_rom.ram_header_offset)); +@@ -426,9 +409,12 @@ static void init_qxl_ram(PCIQXLDevice *d) + SPICE_RING_INIT(&d->ram->cmd_ring); + SPICE_RING_INIT(&d->ram->cursor_ring); + SPICE_RING_INIT(&d->ram->release_ring); +- SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item); +- assert(item); +- *item = 0; ++ ++ ring = &d->ram->release_ring; ++ prod = ring->prod & SPICE_RING_INDEX_MASK(ring); ++ assert(prod < ARRAY_SIZE(ring->items)); ++ ring->items[prod].el = 0; ++ + qxl_ring_set_dirty(d); + } + +@@ -732,7 +718,7 @@ static int interface_req_cmd_notification(QXLInstance *sin) + static inline void qxl_push_free_res(PCIQXLDevice *d, int flush) + { + QXLReleaseRing *ring = &d->ram->release_ring; +- uint64_t *item; ++ uint32_t prod; + int notify; + + #define QXL_FREE_BUNCH_SIZE 32 +@@ -759,11 +745,15 @@ static inline void qxl_push_free_res(PCIQXLDevice *d, int flush) + if (notify) { + qxl_send_events(d, QXL_INTERRUPT_DISPLAY); + } +- SPICE_RING_PROD_ITEM(d, ring, item); +- if (!item) { ++ ++ ring = &d->ram->release_ring; ++ prod = ring->prod & SPICE_RING_INDEX_MASK(ring); ++ if (prod >= ARRAY_SIZE(ring->items)) { ++ qxl_set_guest_bug(d, "SPICE_RING_PROD_ITEM indices mismatch " ++ "%u >= %zu", prod, 
ARRAY_SIZE(ring->items)); + return; + } +- *item = 0; ++ ring->items[prod].el = 0; + d->num_free_res = 0; + d->last_release = NULL; + qxl_ring_set_dirty(d); +@@ -775,7 +765,8 @@ static void interface_release_resource(QXLInstance *sin, + { + PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl); + QXLReleaseRing *ring; +- uint64_t *item, id; ++ uint32_t prod; ++ uint64_t id; + + if (ext.group_id == MEMSLOT_GROUP_HOST) { + /* host group -> vga mode update request */ +@@ -792,16 +783,18 @@ static void interface_release_resource(QXLInstance *sin, + * pci bar 0, $command.release_info + */ + ring = &qxl->ram->release_ring; +- SPICE_RING_PROD_ITEM(qxl, ring, item); +- if (!item) { ++ prod = ring->prod & SPICE_RING_INDEX_MASK(ring); ++ if (prod >= ARRAY_SIZE(ring->items)) { ++ qxl_set_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch " ++ "%u >= %zu", prod, ARRAY_SIZE(ring->items)); + return; + } +- if (*item == 0) { ++ if (ring->items[prod].el == 0) { + /* stick head into the ring */ + id = ext.info->id; + ext.info->next = 0; + qxl_ram_set_dirty(qxl, &ext.info->next); +- *item = id; ++ ring->items[prod].el = id; + qxl_ring_set_dirty(qxl); + } else { + /* append item to the list */ diff --git a/0041-qxl-fix-Waddress-of-packed-member.patch b/0041-qxl-fix-Waddress-of-packed-member.patch deleted file mode 100644 index 9d13e889..00000000 --- a/0041-qxl-fix-Waddress-of-packed-member.patch +++ /dev/null 
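Review bot: The bounds checks inlined into qxl_push_free_res and interface_release_resource drop the rationale the removed header comment carried: `ring->prod` is read from the PCI BAR and is guest-writable, which is why an out-of-range index goes through qxl_set_guest_bug() rather than an assert. A one-line comment at each of the two checks, e.g. `/* ring->prod is guest-writable (pci bar): report via qxl_set_guest_bug, never assert */`, would keep that visible now that the macro is gone. The two error strings still name the deleted SPICE_RING_PROD_ITEM macro; something like `"release_ring prod index out of range %u >= %zu"` would describe the check instead of a symbol that no longer exists. In qxl_push_free_res the added `ring = &d->ram->release_ring;` repeats the initializer on the declaration a few lines earlier and can be dropped. The bodies of init_qxl_ram, qxl_push_free_res and interface_release_resource all continue outside the hunks shown.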
@@ -1,188 +0,0 @@ -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= -Date: Sat, 4 May 2019 07:59:35 -0600 -Subject: qxl: fix -Waddress-of-packed-member -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The GCC9 compiler complains about QXL code that takes the address of -members of the 'struct QXLReleaseRing' which is marked packed: - - CC hw/display/qxl.o -/home/elmarco/src/qemu/hw/display/qxl.c: In function 'init_qxl_ram': -/home/elmarco/src/qemu/hw/display/qxl.c:50:19: warning: taking address of packed member of 'struct QXLReleaseRing_ring_el' may result in an unaligned pointer value [-Waddress-of-packed-member] - 50 | ret = &(r)->items[prod].el; \ - | ^~~~~~~~~~~~~~~~~~~~ -/home/elmarco/src/qemu/hw/display/qxl.c:429:5: note: in expansion of macro 'SPICE_RING_PROD_ITEM' - 429 | SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item); - | ^~~~~~~~~~~~~~~~~~~~ -/home/elmarco/src/qemu/hw/display/qxl.c: In function 'qxl_push_free_res': -/home/elmarco/src/qemu/hw/display/qxl.c:50:19: warning: taking address of packed member of 'struct QXLReleaseRing_ring_el' may result in an unaligned pointer value [-Waddress-of-packed-member] - 50 | ret = &(r)->items[prod].el; \ - | ^~~~~~~~~~~~~~~~~~~~ -/home/elmarco/src/qemu/hw/display/qxl.c:762:5: note: in expansion of macro 'SPICE_RING_PROD_ITEM' - 762 | SPICE_RING_PROD_ITEM(d, ring, item); - | ^~~~~~~~~~~~~~~~~~~~ -/home/elmarco/src/qemu/hw/display/qxl.c: In function 'interface_release_resource': -/home/elmarco/src/qemu/hw/display/qxl.c:50:19: warning: taking address of packed member of 'struct QXLReleaseRing_ring_el' may result in an unaligned pointer value [-Waddress-of-packed-member] - 50 | ret = &(r)->items[prod].el; \ - | ^~~~~~~~~~~~~~~~~~~~ -/home/elmarco/src/qemu/hw/display/qxl.c:795:5: note: in expansion of macro 'SPICE_RING_PROD_ITEM' - 795 | SPICE_RING_PROD_ITEM(qxl, ring, item); - | ^~~~~~~~~~~~~~~~~~~~ - -Replace pointer usage by direct structure/array access instead. 
- -Signed-off-by: Marc-André Lureau -Signed-off-by: Bruce Rogers ---- - hw/display/qxl.c | 83 +++++++++++++++++++++++++++++------------------- - 1 file changed, 50 insertions(+), 33 deletions(-) - -diff --git a/hw/display/qxl.c b/hw/display/qxl.c -index c8ce5781e0..12d83dd6f1 100644 ---- a/hw/display/qxl.c -+++ b/hw/display/qxl.c -@@ -39,29 +39,49 @@ - * abort we just qxl_set_guest_bug and set the return to NULL. Still - * it may happen as a result of emulator bug as well. - */ --#undef SPICE_RING_PROD_ITEM --#define SPICE_RING_PROD_ITEM(qxl, r, ret) { \ -- uint32_t prod = (r)->prod & SPICE_RING_INDEX_MASK(r); \ -- if (prod >= ARRAY_SIZE((r)->items)) { \ -- qxl_set_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch " \ -- "%u >= %zu", prod, ARRAY_SIZE((r)->items)); \ -- ret = NULL; \ -- } else { \ -- ret = &(r)->items[prod].el; \ -- } \ -+#define SPICE_RING_GET_CHECK(qxl, r, field) ({ \ -+ field = (r)->field & SPICE_RING_INDEX_MASK(r); \ -+ bool mismatch = field >= ARRAY_SIZE((r)->items); \ -+ if (mismatch) { \ -+ qxl_set_guest_bug(qxl, "SPICE_RING_GET %s indices mismatch " \ -+ "%u >= %zu", stringify(field), field, \ -+ ARRAY_SIZE((r)->items)); \ -+ } \ -+ !mismatch; \ -+}) -+ -+static inline uint64_t -+qxl_release_ring_get_prod(PCIQXLDevice *qxl) -+{ -+ struct QXLReleaseRing *ring = &qxl->ram->release_ring; -+ uint32_t prod; -+ bool ok = SPICE_RING_GET_CHECK(qxl, ring, prod); -+ assert(ok); -+ -+ return ring->items[prod].el; -+} -+ -+static inline bool -+qxl_release_ring_set_prod(PCIQXLDevice *qxl, uint64_t val) -+{ -+ struct QXLReleaseRing *ring = &qxl->ram->release_ring; -+ uint32_t prod; -+ bool ok = SPICE_RING_GET_CHECK(qxl, ring, prod); -+ if (ok) { -+ ring->items[prod].el = val; - } -+ return ok; -+} - - #undef SPICE_RING_CONS_ITEM --#define SPICE_RING_CONS_ITEM(qxl, r, ret) { \ -- uint32_t cons = (r)->cons & SPICE_RING_INDEX_MASK(r); \ -- if (cons >= ARRAY_SIZE((r)->items)) { \ -- qxl_set_guest_bug(qxl, "SPICE_RING_CONS_ITEM indices mismatch " \ -- "%u 
>= %zu", cons, ARRAY_SIZE((r)->items)); \ -- ret = NULL; \ -- } else { \ -- ret = &(r)->items[cons].el; \ -- } \ -- } -+#define SPICE_RING_CONS_ITEM(qxl, r, ret) { \ -+ uint32_t cons; \ -+ if (!SPICE_RING_GET_CHECK(qxl, r, cons)) { \ -+ ret = NULL; \ -+ } else { \ -+ ret = &(r)->items[cons].el; \ -+ } \ -+} - - #undef ALIGN - #define ALIGN(a, b) (((a) + ((b) - 1)) & ~((b) - 1)) -@@ -414,7 +434,6 @@ static void init_qxl_rom(PCIQXLDevice *d) - static void init_qxl_ram(PCIQXLDevice *d) - { - uint8_t *buf; -- uint64_t *item; - - buf = d->vga.vram_ptr; - d->ram = (QXLRam *)(buf + le32_to_cpu(d->shadow_rom.ram_header_offset)); -@@ -426,9 +445,9 @@ static void init_qxl_ram(PCIQXLDevice *d) - SPICE_RING_INIT(&d->ram->cmd_ring); - SPICE_RING_INIT(&d->ram->cursor_ring); - SPICE_RING_INIT(&d->ram->release_ring); -- SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item); -- assert(item); -- *item = 0; -+ if (!qxl_release_ring_set_prod(d, 0)) { -+ g_assert_not_reached(); -+ } - qxl_ring_set_dirty(d); - } - -@@ -732,7 +751,6 @@ static int interface_req_cmd_notification(QXLInstance *sin) - static inline void qxl_push_free_res(PCIQXLDevice *d, int flush) - { - QXLReleaseRing *ring = &d->ram->release_ring; -- uint64_t *item; - int notify; - - #define QXL_FREE_BUNCH_SIZE 32 -@@ -759,11 +777,9 @@ static inline void qxl_push_free_res(PCIQXLDevice *d, int flush) - if (notify) { - qxl_send_events(d, QXL_INTERRUPT_DISPLAY); - } -- SPICE_RING_PROD_ITEM(d, ring, item); -- if (!item) { -+ if (!qxl_release_ring_set_prod(d, 0)) { - return; - } -- *item = 0; - d->num_free_res = 0; - d->last_release = NULL; - qxl_ring_set_dirty(d); -@@ -775,7 +791,8 @@ static void interface_release_resource(QXLInstance *sin, - { - PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl); - QXLReleaseRing *ring; -- uint64_t *item, id; -+ uint32_t prod; -+ uint64_t id; - - if (ext.group_id == MEMSLOT_GROUP_HOST) { - /* host group -> vga mode update request */ -@@ -792,16 +809,16 @@ static void 
interface_release_resource(QXLInstance *sin, - * pci bar 0, $command.release_info - */ - ring = &qxl->ram->release_ring; -- SPICE_RING_PROD_ITEM(qxl, ring, item); -- if (!item) { -+ -+ if (!SPICE_RING_GET_CHECK(qxl, ring, prod)) { - return; - } -- if (*item == 0) { -+ if (qxl_release_ring_get_prod(qxl) == 0) { - /* stick head into the ring */ - id = ext.info->id; - ext.info->next = 0; - qxl_ram_set_dirty(qxl, &ext.info->next); -- *item = id; -+ qxl_release_ring_set_prod(qxl, id); - qxl_ring_set_dirty(qxl); - } else { - /* append item to the list */ diff --git a/0042-libvhost-user-fix-Waddress-of-packe.patch b/0042-libvhost-user-fix-Waddress-of-packe.patch new file mode 100644 index 00000000..9f29a453 --- /dev/null +++ b/0042-libvhost-user-fix-Waddress-of-packe.patch 
@@ -0,0 +1,60 @@ +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Fri, 3 May 2019 15:00:29 +0200 +Subject: libvhost-user: fix -Waddress-of-packed-member +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c: In function ‘vu_set_mem_table_exec_postcopy’: +/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c:546:31: warning: taking address of packed member of ‘struct VhostUserMsg’ may result in an unaligned pointer value [-Waddress-of-packed-member] + 546 | VhostUserMemory *memory = &vmsg->payload.memory; + | ^~~~~~~~~~~~~~~~~~~~~ +/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c: In function ‘vu_set_mem_table_exec’: +/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c:688:31: warning: taking address of packed member of ‘struct VhostUserMsg’ may result in an unaligned pointer value [-Waddress-of-packed-member] + 688 | VhostUserMemory *memory = &vmsg->payload.memory; + | ^~~~~~~~~~~~~~~~~~~~~ +/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c: In function ‘vu_set_vring_addr_exec’: +/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c:817:36: warning: taking address of packed member of ‘struct VhostUserMsg’ may result in an unaligned pointer value [-Waddress-of-packed-member] + 817 | struct vhost_vring_addr *vra = &vmsg->payload.addr; + | ^~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Marc-André Lureau +Message-id: 20190503130034.24916-2-marcandre.lureau@redhat.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit d288eef3a0a8ac46cc45808b50d73606476148b0) +Signed-off-by: Bruce Rogers +--- + contrib/libvhost-user/libvhost-user.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/contrib/libvhost-user/libvhost-user.c b/contrib/libvhost-user/libvhost-user.c +index e08d6c7b97..dcf4a969f2 100644 +--- a/contrib/libvhost-user/libvhost-user.c ++++ b/contrib/libvhost-user/libvhost-user.c +@@ -542,7 
+542,7 @@ static bool + vu_set_mem_table_exec_postcopy(VuDev *dev, VhostUserMsg *vmsg) + { + int i; +- VhostUserMemory *memory = &vmsg->payload.memory; ++ VhostUserMemory m = vmsg->payload.memory, *memory = &m; + dev->nregions = memory->nregions; + + DPRINT("Nregions: %d\n", memory->nregions); +@@ -684,7 +684,7 @@ static bool + vu_set_mem_table_exec(VuDev *dev, VhostUserMsg *vmsg) + { + int i; +- VhostUserMemory *memory = &vmsg->payload.memory; ++ VhostUserMemory m = vmsg->payload.memory, *memory = &m; + + for (i = 0; i < dev->nregions; i++) { + VuDevRegion *r = &dev->regions[i]; +@@ -813,7 +813,7 @@ vu_set_vring_num_exec(VuDev *dev, VhostUserMsg *vmsg) + static bool + vu_set_vring_addr_exec(VuDev *dev, VhostUserMsg *vmsg) + { +- struct vhost_vring_addr *vra = &vmsg->payload.addr; ++ struct vhost_vring_addr addr = vmsg->payload.addr, *vra = &addr; + unsigned int index = vra->index; + VuVirtq *vq = &dev->vq[index]; + diff --git a/0043-target-i386-define-md-clear-bit.patch b/0043-target-i386-define-md-clear-bit.patch new file mode 100644 index 00000000..e2aa5e20 --- /dev/null +++ b/0043-target-i386-define-md-clear-bit.patch 
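Review bot: Replacing `&vmsg->payload.memory` with a stack copy in vu_set_mem_table_exec_postcopy and vu_set_mem_table_exec changes semantics if anything later in those functions writes through `memory->`: such a store now lands in the local `m`, not in the message, so a reply built from `vmsg` would carry the unmodified payload. Both bodies run past the hunk, so this needs checking against the full functions; the postcopy variant in particular is the one that, if this tree's version does so, sends per-region addresses back to the master in the same message. If the functions only read the payload the copy is fine, but a comment such as `/* local copy: the payload is packed, so take no pointer into vmsg */` would explain the unusual `m, *memory = &m` declaration. The same question applies to `addr`/`vra` in vu_set_vring_addr_exec, which is read-only on the visible lines.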
@@ -0,0 +1,58 @@ +From: Paolo Bonzini +Date: Fri, 1 Mar 2019 21:40:52 +0100 +Subject: target/i386: define md-clear bit + +md-clear is a new CPUID bit which is set when microcode provides the +mechanism to invoke a flush of various exploitable CPU buffers by invoking +the VERW instruction. Add the new feature, and pass it down to +Hypervisor.framework guests. + +Signed-off-by: Paolo Bonzini +[BR: BSC#1111331 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 +CVE-2019-11091] +Signed-off-by: Bruce Rogers +--- + target/i386/cpu.c | 2 +- + target/i386/cpu.h | 1 + + target/i386/hvf/x86_cpuid.c | 3 ++- + 3 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index d6bb57d210..4ea78a4939 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -1076,7 +1076,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + .feat_names = { + NULL, NULL, "avx512-4vnniw", "avx512-4fmaps", + NULL, NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ NULL, NULL, "md-clear", NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 572290c3d6..d3bd0943ec 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -694,6 +694,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; + + #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ + #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ ++#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */ + #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */ + #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/ + #define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */ +diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c +index 4d957fe896..b453552fb4 100644 +--- a/target/i386/hvf/x86_cpuid.c ++++ b/target/i386/hvf/x86_cpuid.c 
+@@ -90,7 +90,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx, + } + + ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ; +- edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS; ++ edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \ ++ CPUID_7_0_EDX_MD_CLEAR; + } else { + ebx = 0; + ecx = 0; diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes index b7271af6..e0223f94 100644 --- a/qemu-linux-user.changes +++ b/qemu-linux-user.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Tue May 14 21:01:06 UTC 2019 - Bruce Rogers + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0 +* Patches dropped: + 0041-qxl-fix-Waddress-of-packed-member.patch +* Patches added: + 0041-qxl-avoid-unaligned-pointer-reads-w.patch + 0042-libvhost-user-fix-Waddress-of-packe.patch + 0043-target-i386-define-md-clear-bit.patch + ------------------------------------------------------------------- Fri May 10 19:14:02 UTC 2019 - Bruce Rogers diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec index 759b5f6f..a4836a8e 100644 --- a/qemu-linux-user.spec +++ b/qemu-linux-user.spec @@ -74,7 +74,9 @@ Patch0037: 0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch Patch0039: 0039-linux-user-avoid-string-truncation-.patch Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch -Patch0041: 0041-qxl-fix-Waddress-of-packed-member.patch +Patch0041: 0041-qxl-avoid-unaligned-pointer-reads-w.patch +Patch0042: 0042-libvhost-user-fix-Waddress-of-packe.patch +Patch0043: 0043-target-i386-define-md-clear-bit.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. ExcludeArch: s390 @@ -146,6 +148,8 @@ syscall layer occurs on the native hardware and operating system. %patch0039 -p1 %patch0040 -p1 %patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 %build %define _lto_cflags %{nil} 
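Review bot: The `edx &=` statement in hvf_get_supported_cpuid is continued with a trailing `\`; outside a macro the continuation is unnecessary and reads like a macro body, so `edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS |` with `CPUID_7_0_EDX_MD_CLEAR;` on the following line is the plain form. The new cpu.h comment could also say what the bit promises, e.g. `/* Microarchitectural Data Clear: microcode makes VERW flush CPU buffers */`, since that is the property (stated in the commit message) a guest presumably keys its mitigation choice on and a reader of the header otherwise has to go find the commit. hvf_get_supported_cpuid begins and ends outside the hunk.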
diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes index 539db842..6b8083e8 100644 --- a/qemu-testsuite.changes +++ b/qemu-testsuite.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Tue May 14 21:01:05 UTC 2019 - Bruce Rogers + +- Switch to now upstreamed version of patch and add one more + gcc9 related patch +* Patches renamed: + 0041-qxl-fix-Waddress-of-packed-member.patch + -> 0041-qxl-avoid-unaligned-pointer-reads-w.patch + 0042-libvhost-user-fix-Waddress-of-packe.patch +- Add x86 cpu feature "md-clear" (CVE-2018-12126 CVE-2018-12127 + CVE-2018-12130 CVE-2019-11091 bsc#1111331) + 0043-target-i386-define-md-clear-bit.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0 + ------------------------------------------------------------------- Sat May 11 14:58:50 UTC 2019 - Bruce Rogers diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index 794f95fe..7b4ce510 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec @@ -184,7 +184,9 @@ Patch0037: 0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch Patch0039: 0039-linux-user-avoid-string-truncation-.patch Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch -Patch0041: 0041-qxl-fix-Waddress-of-packed-member.patch +Patch0041: 0041-qxl-avoid-unaligned-pointer-reads-w.patch +Patch0042: 0042-libvhost-user-fix-Waddress-of-packe.patch +Patch0043: 0043-target-i386-define-md-clear-bit.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -993,6 +995,8 @@ This package provides a service file for starting and stopping KSM. %patch0039 -p1 %patch0040 -p1 %patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 pushd roms/seabios %patch1100 -p1 diff --git a/qemu.changes b/qemu.changes index 539db842..6b8083e8 100644 --- a/qemu.changes +++ b/qemu.changes 
@@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Tue May 14 21:01:05 UTC 2019 - Bruce Rogers + +- Switch to now upstreamed version of patch and add one more + gcc9 related patch +* Patches renamed: + 0041-qxl-fix-Waddress-of-packed-member.patch + -> 0041-qxl-avoid-unaligned-pointer-reads-w.patch + 0042-libvhost-user-fix-Waddress-of-packe.patch +- Add x86 cpu feature "md-clear" (CVE-2018-12126 CVE-2018-12127 + CVE-2018-12130 CVE-2019-11091 bsc#1111331) + 0043-target-i386-define-md-clear-bit.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0 + ------------------------------------------------------------------- Sat May 11 14:58:50 UTC 2019 - Bruce Rogers diff --git a/qemu.spec b/qemu.spec index 2b17e521..223f9d0b 100644 --- a/qemu.spec +++ b/qemu.spec @@ -184,7 +184,9 @@ Patch0037: 0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch Patch0039: 0039-linux-user-avoid-string-truncation-.patch Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch -Patch0041: 0041-qxl-fix-Waddress-of-packed-member.patch +Patch0041: 0041-qxl-avoid-unaligned-pointer-reads-w.patch +Patch0042: 0042-libvhost-user-fix-Waddress-of-packe.patch +Patch0043: 0043-target-i386-define-md-clear-bit.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -993,6 +995,8 @@ This package provides a service file for starting and stopping KSM. %patch0039 -p1 %patch0040 -p1 %patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 pushd roms/seabios %patch1100 -p1