Accepting request 703018 from home:bfrogers:branches:Virtualization

A few gcc9 related patches, and one to add the md-clear cpu feature.

OBS-URL: https://build.opensuse.org/request/show/703018
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=470
Bruce Rogers 2019-05-14 22:20:21 +00:00 committed by Git OBS Bridge
parent a64b195f13
commit 38bf12506e
13 changed files with 319 additions and 191 deletions


@ -29,6 +29,7 @@ Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20190501145052.12579-1-berrange@redhat.com> Message-Id: <20190501145052.12579-1-berrange@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
(cherry picked from commit 2d2023c3b99edb33ad4bb9791f70456ea1a1c049)
Signed-off-by: Bruce Rogers <brogers@suse.com> Signed-off-by: Bruce Rogers <brogers@suse.com>
--- ---
util/qemu-sockets.c | 12 ++++++++---- util/qemu-sockets.c | 12 ++++++++----


@ -23,6 +23,7 @@ Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20190501144646.4851-1-berrange@redhat.com> Message-Id: <20190501144646.4851-1-berrange@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
[BR: Played with indent to avoid error from checkpatch.pl] [BR: Played with indent to avoid error from checkpatch.pl]
(cherry picked from commit b2acfb55962bc8caeaa50a5158da2f701f2c1f7c)
Signed-off-by: Bruce Rogers <brogers@suse.com> Signed-off-by: Bruce Rogers <brogers@suse.com>
--- ---
linux-user/uname.c | 5 ++--- linux-user/uname.c | 5 ++---


@ -19,6 +19,7 @@ Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <c4d2b1de9efadcf1c900b91361af9302823a72a9.1556666645.git.alistair.francis@wdc.com> Message-Id: <c4d2b1de9efadcf1c900b91361af9302823a72a9.1556666645.git.alistair.francis@wdc.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
(cherry picked from commit d7eb2b928a855a2e8038e8e75f7edf1a12226bd3)
Signed-off-by: Bruce Rogers <brogers@suse.com> Signed-off-by: Bruce Rogers <brogers@suse.com>
--- ---
linux-user/elfload.c | 2 +- linux-user/elfload.c | 2 +-


@ -0,0 +1,144 @@
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 12 Apr 2019 13:16:26 +0100
Subject: qxl: avoid unaligned pointer reads/writes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The SPICE_RING_PROD_ITEM() macro is initializing a local
'uint64_t *' variable to point to the 'el' field inside
the QXLReleaseRing struct. This uint64_t field is not
guaranteed aligned as the struct is packed.
Code should not take the address of fields within a
packed struct. Changing the SPICE_RING_PROD_ITEM()
macro to avoid taking the address of the field is
impractical. It is clearer to just remove the macro
and inline its functionality in the three call sites
that need it.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20190412121626.19829-6-berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 94932c95c10400acd286fd768a6b411e7ebbec8f)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/qxl.c | 55 +++++++++++++++++++++---------------------------
1 file changed, 24 insertions(+), 31 deletions(-)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index c8ce5781e0..5c38e6e906 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -33,24 +33,6 @@
#include "qxl.h"
-/*
- * NOTE: SPICE_RING_PROD_ITEM accesses memory on the pci bar and as
- * such can be changed by the guest, so to avoid a guest trigerrable
- * abort we just qxl_set_guest_bug and set the return to NULL. Still
- * it may happen as a result of emulator bug as well.
- */
-#undef SPICE_RING_PROD_ITEM
-#define SPICE_RING_PROD_ITEM(qxl, r, ret) { \
- uint32_t prod = (r)->prod & SPICE_RING_INDEX_MASK(r); \
- if (prod >= ARRAY_SIZE((r)->items)) { \
- qxl_set_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch " \
- "%u >= %zu", prod, ARRAY_SIZE((r)->items)); \
- ret = NULL; \
- } else { \
- ret = &(r)->items[prod].el; \
- } \
- }
-
#undef SPICE_RING_CONS_ITEM
#define SPICE_RING_CONS_ITEM(qxl, r, ret) { \
uint32_t cons = (r)->cons & SPICE_RING_INDEX_MASK(r); \
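Review bot: The NOTE comment deleted at the top of this hunk was the only place that recorded why the ring index is checked at all: the ring sits on the PCI BAR and can be changed by the guest. SPICE_RING_CONS_ITEM, which stays, and the inlined checks this patch adds both rest on that reasoning, so keep the comment (reworded to cover both) instead of deleting it together with the macro.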
@@ -414,7 +396,8 @@ static void init_qxl_rom(PCIQXLDevice *d)
static void init_qxl_ram(PCIQXLDevice *d)
{
uint8_t *buf;
- uint64_t *item;
+ uint32_t prod;
+ QXLReleaseRing *ring;
buf = d->vga.vram_ptr;
d->ram = (QXLRam *)(buf + le32_to_cpu(d->shadow_rom.ram_header_offset));
@@ -426,9 +409,12 @@ static void init_qxl_ram(PCIQXLDevice *d)
SPICE_RING_INIT(&d->ram->cmd_ring);
SPICE_RING_INIT(&d->ram->cursor_ring);
SPICE_RING_INIT(&d->ram->release_ring);
- SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item);
- assert(item);
- *item = 0;
+
+ ring = &d->ram->release_ring;
+ prod = ring->prod & SPICE_RING_INDEX_MASK(ring);
+ assert(prod < ARRAY_SIZE(ring->items));
+ ring->items[prod].el = 0;
+
qxl_ring_set_dirty(d);
}
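Review bot: In init_qxl_ram the only guard before 'ring->items[prod].el = 0;' is 'assert(prod < ARRAY_SIZE(ring->items));', while the other two call sites report qxl_set_guest_bug and return. That matches the old 'assert(item);', and the ring has just been through SPICE_RING_INIT above, but a one-line comment saying why an abort is acceptable at this site only would stop a later reader from copying the assert to a path where the index is guest-controlled.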
@@ -732,7 +718,7 @@ static int interface_req_cmd_notification(QXLInstance *sin)
static inline void qxl_push_free_res(PCIQXLDevice *d, int flush)
{
QXLReleaseRing *ring = &d->ram->release_ring;
- uint64_t *item;
+ uint32_t prod;
int notify;
#define QXL_FREE_BUNCH_SIZE 32
@@ -759,11 +745,15 @@ static inline void qxl_push_free_res(PCIQXLDevice *d, int flush)
if (notify) {
qxl_send_events(d, QXL_INTERRUPT_DISPLAY);
}
- SPICE_RING_PROD_ITEM(d, ring, item);
- if (!item) {
+
+ ring = &d->ram->release_ring;
+ prod = ring->prod & SPICE_RING_INDEX_MASK(ring);
+ if (prod >= ARRAY_SIZE(ring->items)) {
+ qxl_set_guest_bug(d, "SPICE_RING_PROD_ITEM indices mismatch "
+ "%u >= %zu", prod, ARRAY_SIZE(ring->items));
return;
}
- *item = 0;
+ ring->items[prod].el = 0;
d->num_free_res = 0;
d->last_release = NULL;
qxl_ring_set_dirty(d);
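Review bot: 'ring = &d->ram->release_ring;' is redundant in qxl_push_free_res, because ring is already initialised to the same address at its declaration (visible in the previous hunk); drop the reassignment. The log text also still reads "SPICE_RING_PROD_ITEM indices mismatch" although this patch removes that macro, so name the function or the release ring in the message instead.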
@@ -775,7 +765,8 @@ static void interface_release_resource(QXLInstance *sin,
{
PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
QXLReleaseRing *ring;
- uint64_t *item, id;
+ uint32_t prod;
+ uint64_t id;
if (ext.group_id == MEMSLOT_GROUP_HOST) {
/* host group -> vga mode update request */
@@ -792,16 +783,18 @@ static void interface_release_resource(QXLInstance *sin,
* pci bar 0, $command.release_info
*/
ring = &qxl->ram->release_ring;
- SPICE_RING_PROD_ITEM(qxl, ring, item);
- if (!item) {
+ prod = ring->prod & SPICE_RING_INDEX_MASK(ring);
+ if (prod >= ARRAY_SIZE(ring->items)) {
+ qxl_set_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch "
+ "%u >= %zu", prod, ARRAY_SIZE(ring->items));
return;
}
- if (*item == 0) {
+ if (ring->items[prod].el == 0) {
/* stick head into the ring */
id = ext.info->id;
ext.info->next = 0;
qxl_ram_set_dirty(qxl, &ext.info->next);
- *item = id;
+ ring->items[prod].el = id;
qxl_ring_set_dirty(qxl);
} else {
/* append item to the list */
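Review bot: The index check in interface_release_resource is a copy of the one added to qxl_push_free_res (same mask, same comparison, same message), so the two can drift apart. A small static helper that returns the validated index or a failure would keep the guest-bug path in one place and still avoid taking the address of 'ring->items[prod].el'.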


@ -1,188 +0,0 @@
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Sat, 4 May 2019 07:59:35 -0600
Subject: qxl: fix -Waddress-of-packed-member
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The GCC9 compiler complains about QXL code that takes the address of
members of the 'struct QXLReleaseRing' which is marked packed:
CC hw/display/qxl.o
/home/elmarco/src/qemu/hw/display/qxl.c: In function 'init_qxl_ram':
/home/elmarco/src/qemu/hw/display/qxl.c:50:19: warning: taking address of packed member of 'struct QXLReleaseRing_ring_el' may result in an unaligned pointer value [-Waddress-of-packed-member]
50 | ret = &(r)->items[prod].el; \
| ^~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/hw/display/qxl.c:429:5: note: in expansion of macro 'SPICE_RING_PROD_ITEM'
429 | SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item);
| ^~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/hw/display/qxl.c: In function 'qxl_push_free_res':
/home/elmarco/src/qemu/hw/display/qxl.c:50:19: warning: taking address of packed member of 'struct QXLReleaseRing_ring_el' may result in an unaligned pointer value [-Waddress-of-packed-member]
50 | ret = &(r)->items[prod].el; \
| ^~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/hw/display/qxl.c:762:5: note: in expansion of macro 'SPICE_RING_PROD_ITEM'
762 | SPICE_RING_PROD_ITEM(d, ring, item);
| ^~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/hw/display/qxl.c: In function 'interface_release_resource':
/home/elmarco/src/qemu/hw/display/qxl.c:50:19: warning: taking address of packed member of 'struct QXLReleaseRing_ring_el' may result in an unaligned pointer value [-Waddress-of-packed-member]
50 | ret = &(r)->items[prod].el; \
| ^~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/hw/display/qxl.c:795:5: note: in expansion of macro 'SPICE_RING_PROD_ITEM'
795 | SPICE_RING_PROD_ITEM(qxl, ring, item);
| ^~~~~~~~~~~~~~~~~~~~
Replace pointer usage by direct structure/array access instead.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/qxl.c | 83 +++++++++++++++++++++++++++++-------------------
1 file changed, 50 insertions(+), 33 deletions(-)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index c8ce5781e0..12d83dd6f1 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -39,29 +39,49 @@
* abort we just qxl_set_guest_bug and set the return to NULL. Still
* it may happen as a result of emulator bug as well.
*/
-#undef SPICE_RING_PROD_ITEM
-#define SPICE_RING_PROD_ITEM(qxl, r, ret) { \
- uint32_t prod = (r)->prod & SPICE_RING_INDEX_MASK(r); \
- if (prod >= ARRAY_SIZE((r)->items)) { \
- qxl_set_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch " \
- "%u >= %zu", prod, ARRAY_SIZE((r)->items)); \
- ret = NULL; \
- } else { \
- ret = &(r)->items[prod].el; \
- } \
+#define SPICE_RING_GET_CHECK(qxl, r, field) ({ \
+ field = (r)->field & SPICE_RING_INDEX_MASK(r); \
+ bool mismatch = field >= ARRAY_SIZE((r)->items); \
+ if (mismatch) { \
+ qxl_set_guest_bug(qxl, "SPICE_RING_GET %s indices mismatch " \
+ "%u >= %zu", stringify(field), field, \
+ ARRAY_SIZE((r)->items)); \
+ } \
+ !mismatch; \
+})
+
+static inline uint64_t
+qxl_release_ring_get_prod(PCIQXLDevice *qxl)
+{
+ struct QXLReleaseRing *ring = &qxl->ram->release_ring;
+ uint32_t prod;
+ bool ok = SPICE_RING_GET_CHECK(qxl, ring, prod);
+ assert(ok);
+
+ return ring->items[prod].el;
+}
+
+static inline bool
+qxl_release_ring_set_prod(PCIQXLDevice *qxl, uint64_t val)
+{
+ struct QXLReleaseRing *ring = &qxl->ram->release_ring;
+ uint32_t prod;
+ bool ok = SPICE_RING_GET_CHECK(qxl, ring, prod);
+ if (ok) {
+ ring->items[prod].el = val;
}
+ return ok;
+}
#undef SPICE_RING_CONS_ITEM
-#define SPICE_RING_CONS_ITEM(qxl, r, ret) { \
- uint32_t cons = (r)->cons & SPICE_RING_INDEX_MASK(r); \
- if (cons >= ARRAY_SIZE((r)->items)) { \
- qxl_set_guest_bug(qxl, "SPICE_RING_CONS_ITEM indices mismatch " \
- "%u >= %zu", cons, ARRAY_SIZE((r)->items)); \
- ret = NULL; \
- } else { \
- ret = &(r)->items[cons].el; \
- } \
- }
+#define SPICE_RING_CONS_ITEM(qxl, r, ret) { \
+ uint32_t cons; \
+ if (!SPICE_RING_GET_CHECK(qxl, r, cons)) { \
+ ret = NULL; \
+ } else { \
+ ret = &(r)->items[cons].el; \
+ } \
+}
#undef ALIGN
#define ALIGN(a, b) (((a) + ((b) - 1)) & ~((b) - 1))
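Review bot: qxl_release_ring_get_prod() turns a failed index check into 'assert(ok);', whereas the comment kept at the top of this hunk says the code calls qxl_set_guest_bug precisely to avoid an abort. Return the failure to the caller instead, as qxl_release_ring_set_prod() does. SPICE_RING_CONS_ITEM also still ends in 'ret = &(r)->items[cons].el;', which is the address-of-packed-member pattern the patch sets out to remove.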
@@ -414,7 +434,6 @@ static void init_qxl_rom(PCIQXLDevice *d)
static void init_qxl_ram(PCIQXLDevice *d)
{
uint8_t *buf;
- uint64_t *item;
buf = d->vga.vram_ptr;
d->ram = (QXLRam *)(buf + le32_to_cpu(d->shadow_rom.ram_header_offset));
@@ -426,9 +445,9 @@ static void init_qxl_ram(PCIQXLDevice *d)
SPICE_RING_INIT(&d->ram->cmd_ring);
SPICE_RING_INIT(&d->ram->cursor_ring);
SPICE_RING_INIT(&d->ram->release_ring);
- SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item);
- assert(item);
- *item = 0;
+ if (!qxl_release_ring_set_prod(d, 0)) {
+ g_assert_not_reached();
+ }
qxl_ring_set_dirty(d);
}
@@ -732,7 +751,6 @@ static int interface_req_cmd_notification(QXLInstance *sin)
static inline void qxl_push_free_res(PCIQXLDevice *d, int flush)
{
QXLReleaseRing *ring = &d->ram->release_ring;
- uint64_t *item;
int notify;
#define QXL_FREE_BUNCH_SIZE 32
@@ -759,11 +777,9 @@ static inline void qxl_push_free_res(PCIQXLDevice *d, int flush)
if (notify) {
qxl_send_events(d, QXL_INTERRUPT_DISPLAY);
}
- SPICE_RING_PROD_ITEM(d, ring, item);
- if (!item) {
+ if (!qxl_release_ring_set_prod(d, 0)) {
return;
}
- *item = 0;
d->num_free_res = 0;
d->last_release = NULL;
qxl_ring_set_dirty(d);
@@ -775,7 +791,8 @@ static void interface_release_resource(QXLInstance *sin,
{
PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
QXLReleaseRing *ring;
- uint64_t *item, id;
+ uint32_t prod;
+ uint64_t id;
if (ext.group_id == MEMSLOT_GROUP_HOST) {
/* host group -> vga mode update request */
@@ -792,16 +809,16 @@ static void interface_release_resource(QXLInstance *sin,
* pci bar 0, $command.release_info
*/
ring = &qxl->ram->release_ring;
- SPICE_RING_PROD_ITEM(qxl, ring, item);
- if (!item) {
+
+ if (!SPICE_RING_GET_CHECK(qxl, ring, prod)) {
return;
}
- if (*item == 0) {
+ if (qxl_release_ring_get_prod(qxl) == 0) {
/* stick head into the ring */
id = ext.info->id;
ext.info->next = 0;
qxl_ram_set_dirty(qxl, &ext.info->next);
- *item = id;
+ qxl_release_ring_set_prod(qxl, id);
qxl_ring_set_dirty(qxl);
} else {
/* append item to the list */
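Review bot: interface_release_resource validates ring->prod three times here: in 'SPICE_RING_GET_CHECK(qxl, ring, prod)', again inside qxl_release_ring_get_prod(), and again inside qxl_release_ring_set_prod(), each time re-reading the field from the ring. Read and check the index once and reuse the local 'prod' for both the test and the store, and do not discard the bool returned by 'qxl_release_ring_set_prod(qxl, id);'.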


@ -0,0 +1,60 @@
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 3 May 2019 15:00:29 +0200
Subject: libvhost-user: fix -Waddress-of-packed-member
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c: In function vu_set_mem_table_exec_postcopy:
/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c:546:31: warning: taking address of packed member of struct VhostUserMsg may result in an unaligned pointer value [-Waddress-of-packed-member]
546 | VhostUserMemory *memory = &vmsg->payload.memory;
| ^~~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c: In function vu_set_mem_table_exec:
/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c:688:31: warning: taking address of packed member of struct VhostUserMsg may result in an unaligned pointer value [-Waddress-of-packed-member]
688 | VhostUserMemory *memory = &vmsg->payload.memory;
| ^~~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c: In function vu_set_vring_addr_exec:
/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c:817:36: warning: taking address of packed member of struct VhostUserMsg may result in an unaligned pointer value [-Waddress-of-packed-member]
817 | struct vhost_vring_addr *vra = &vmsg->payload.addr;
| ^~~~~~~~~~~~~~~~~~~
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20190503130034.24916-2-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit d288eef3a0a8ac46cc45808b50d73606476148b0)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
contrib/libvhost-user/libvhost-user.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/contrib/libvhost-user/libvhost-user.c b/contrib/libvhost-user/libvhost-user.c
index e08d6c7b97..dcf4a969f2 100644
--- a/contrib/libvhost-user/libvhost-user.c
+++ b/contrib/libvhost-user/libvhost-user.c
@@ -542,7 +542,7 @@ static bool
vu_set_mem_table_exec_postcopy(VuDev *dev, VhostUserMsg *vmsg)
{
int i;
- VhostUserMemory *memory = &vmsg->payload.memory;
+ VhostUserMemory m = vmsg->payload.memory, *memory = &m;
dev->nregions = memory->nregions;
DPRINT("Nregions: %d\n", memory->nregions);
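Review bot: 'VhostUserMemory m = vmsg->payload.memory, *memory = &m;' declares a struct copy and a pointer to it in one declarator list, which is easy to misread. Split it into two declarations and add a comment that the copy exists to obtain an aligned object, because from this line on 'memory' refers to a snapshot and writes through it no longer reach vmsg->payload.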
@@ -684,7 +684,7 @@ static bool
vu_set_mem_table_exec(VuDev *dev, VhostUserMsg *vmsg)
{
int i;
- VhostUserMemory *memory = &vmsg->payload.memory;
+ VhostUserMemory m = vmsg->payload.memory, *memory = &m;
for (i = 0; i < dev->nregions; i++) {
VuDevRegion *r = &dev->regions[i];
@@ -813,7 +813,7 @@ vu_set_vring_num_exec(VuDev *dev, VhostUserMsg *vmsg)
static bool
vu_set_vring_addr_exec(VuDev *dev, VhostUserMsg *vmsg)
{
- struct vhost_vring_addr *vra = &vmsg->payload.addr;
+ struct vhost_vring_addr addr = vmsg->payload.addr, *vra = &addr;
unsigned int index = vra->index;
VuVirtq *vq = &dev->vq[index];
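Review bot: In vu_set_vring_addr_exec the context lines take 'index = vra->index' from the message and use it straight away in '&dev->vq[index]'; no range check is visible in this hunk. Since the declaration is being touched anyway, confirm the index is validated against the number of queues before this point, or add the check here.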


@ -0,0 +1,58 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Fri, 1 Mar 2019 21:40:52 +0100
Subject: target/i386: define md-clear bit
md-clear is a new CPUID bit which is set when microcode provides the
mechanism to invoke a flush of various exploitable CPU buffers by invoking
the VERW instruction. Add the new feature, and pass it down to
Hypervisor.framework guests.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[BR: BSC#1111331 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130
CVE-2019-11091]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/i386/cpu.c | 2 +-
target/i386/cpu.h | 1 +
target/i386/hvf/x86_cpuid.c | 3 ++-
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index d6bb57d210..4ea78a4939 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1076,7 +1076,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
.feat_names = {
NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
+ NULL, NULL, "md-clear", NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
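Review bot: Naming the bit in feat_names does not add it to any CPU model definition (the diffstat shows 'target/i386/cpu.c | 2 +-', i.e. only this line), so named models do not gain md-clear from this patch; the commit message should say how a guest is expected to get the flag. The position itself is right: "md-clear" is entry 10, matching 'CPUID_7_0_EDX_MD_CLEAR (1U << 10)' in cpu.h.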
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 572290c3d6..d3bd0943ec 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -694,6 +694,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
#define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
#define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
+#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */
#define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */
#define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/
#define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */
diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c
index 4d957fe896..b453552fb4 100644
--- a/target/i386/hvf/x86_cpuid.c
+++ b/target/i386/hvf/x86_cpuid.c
@@ -90,7 +90,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx,
}
ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ;
- edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS;
+ edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \
+ CPUID_7_0_EDX_MD_CLEAR;
} else {
ebx = 0;
ecx = 0;
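Review bot: The trailing backslash after 'CPUID_7_0_EDX_AVX512_4FMAPS |' is a line continuation inside an ordinary statement, not a macro body, and is not needed. Drop it and let the expression wrap onto the next line.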


@ -1,3 +1,14 @@
-------------------------------------------------------------------
Tue May 14 21:01:06 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
* Patches dropped:
0041-qxl-fix-Waddress-of-packed-member.patch
* Patches added:
0041-qxl-avoid-unaligned-pointer-reads-w.patch
0042-libvhost-user-fix-Waddress-of-packe.patch
0043-target-i386-define-md-clear-bit.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri May 10 19:14:02 UTC 2019 - Bruce Rogers <brogers@suse.com> Fri May 10 19:14:02 UTC 2019 - Bruce Rogers <brogers@suse.com>


@ -74,7 +74,9 @@ Patch0037: 0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch
Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch
Patch0039: 0039-linux-user-avoid-string-truncation-.patch Patch0039: 0039-linux-user-avoid-string-truncation-.patch
Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch
Patch0041: 0041-qxl-fix-Waddress-of-packed-member.patch Patch0041: 0041-qxl-avoid-unaligned-pointer-reads-w.patch
Patch0042: 0042-libvhost-user-fix-Waddress-of-packe.patch
Patch0043: 0043-target-i386-define-md-clear-bit.patch
# Please do not add QEMU patches manually here. # Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue. # Run update_git.sh to regenerate this queue.
ExcludeArch: s390 ExcludeArch: s390
@ -146,6 +148,8 @@ syscall layer occurs on the native hardware and operating system.
%patch0039 -p1 %patch0039 -p1
%patch0040 -p1 %patch0040 -p1
%patch0041 -p1 %patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%build %build
%define _lto_cflags %{nil} %define _lto_cflags %{nil}


@ -1,3 +1,17 @@
-------------------------------------------------------------------
Tue May 14 21:01:05 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Switch to now upstreamed version of patch and add one more
gcc9 related patch
* Patches renamed:
0041-qxl-fix-Waddress-of-packed-member.patch
-> 0041-qxl-avoid-unaligned-pointer-reads-w.patch
0042-libvhost-user-fix-Waddress-of-packe.patch
- Add x86 cpu feature "md-clear" (CVE-2018-12126 CVE-2018-12127
CVE-2018-12130 CVE-2019-11091 bsc#1111331)
0043-target-i386-define-md-clear-bit.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
------------------------------------------------------------------- -------------------------------------------------------------------
Sat May 11 14:58:50 UTC 2019 - Bruce Rogers <brogers@suse.com> Sat May 11 14:58:50 UTC 2019 - Bruce Rogers <brogers@suse.com>
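Review bot: Under '* Patches renamed:' the entry 0042-libvhost-user-fix-Waddress-of-packe.patch has no '->' target and is a new file in this commit, so the changelog reads as if it had been renamed. List it as an added patch, next to the "add one more gcc9 related patch" bullet.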


@ -184,7 +184,9 @@ Patch0037: 0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch
Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch
Patch0039: 0039-linux-user-avoid-string-truncation-.patch Patch0039: 0039-linux-user-avoid-string-truncation-.patch
Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch
Patch0041: 0041-qxl-fix-Waddress-of-packed-member.patch Patch0041: 0041-qxl-avoid-unaligned-pointer-reads-w.patch
Patch0042: 0042-libvhost-user-fix-Waddress-of-packe.patch
Patch0043: 0043-target-i386-define-md-clear-bit.patch
# Please do not add QEMU patches manually here. # Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue. # Run update_git.sh to regenerate this queue.
@ -993,6 +995,8 @@ This package provides a service file for starting and stopping KSM.
%patch0039 -p1 %patch0039 -p1
%patch0040 -p1 %patch0040 -p1
%patch0041 -p1 %patch0041 -p1
%patch0042 -p1
%patch0043 -p1
pushd roms/seabios pushd roms/seabios
%patch1100 -p1 %patch1100 -p1


@ -1,3 +1,17 @@
-------------------------------------------------------------------
Tue May 14 21:01:05 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Switch to now upstreamed version of patch and add one more
gcc9 related patch
* Patches renamed:
0041-qxl-fix-Waddress-of-packed-member.patch
-> 0041-qxl-avoid-unaligned-pointer-reads-w.patch
0042-libvhost-user-fix-Waddress-of-packe.patch
- Add x86 cpu feature "md-clear" (CVE-2018-12126 CVE-2018-12127
CVE-2018-12130 CVE-2019-11091 bsc#1111331)
0043-target-i386-define-md-clear-bit.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
------------------------------------------------------------------- -------------------------------------------------------------------
Sat May 11 14:58:50 UTC 2019 - Bruce Rogers <brogers@suse.com> Sat May 11 14:58:50 UTC 2019 - Bruce Rogers <brogers@suse.com>


@ -184,7 +184,9 @@ Patch0037: 0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch
Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch
Patch0039: 0039-linux-user-avoid-string-truncation-.patch Patch0039: 0039-linux-user-avoid-string-truncation-.patch
Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch
Patch0041: 0041-qxl-fix-Waddress-of-packed-member.patch Patch0041: 0041-qxl-avoid-unaligned-pointer-reads-w.patch
Patch0042: 0042-libvhost-user-fix-Waddress-of-packe.patch
Patch0043: 0043-target-i386-define-md-clear-bit.patch
# Please do not add QEMU patches manually here. # Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue. # Run update_git.sh to regenerate this queue.
@ -993,6 +995,8 @@ This package provides a service file for starting and stopping KSM.
%patch0039 -p1 %patch0039 -p1
%patch0040 -p1 %patch0040 -p1
%patch0041 -p1 %patch0041 -p1
%patch0042 -p1
%patch0043 -p1
pushd roms/seabios pushd roms/seabios
%patch1100 -p1 %patch1100 -p1