pool/qemu
SHA256
4
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Accepting request 703262 from Virtualization

Browse Source 
Misc patches, including one for the recent Intel Security issue

OBS-URL: https://build.opensuse.org/request/show/703262
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/qemu?expand=0&rev=155
This commit is contained in:
Dominique Leuenberger 2019-05-17 21:41:17 +00:00 committed by Git OBS Bridge
commit 41eb95de3d
19 changed files with 640 additions and 295 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
0036-sockets-avoid-string-truncation-war.patch Normal file
View File

@ -0,0 +1,95 @@
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 1 May 2019 15:50:52 +0100
Subject: sockets: avoid string truncation warnings when copying UNIX path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In file included from /usr/include/string.h:494,
from include/qemu/osdep.h:101,
from util/qemu-sockets.c:18:
In function strncpy,
inlined from unix_connect_saddr.isra.0 at util/qemu-sockets.c:925:5:
/usr/include/bits/string_fortified.h:106:10: warning: __builtin_strncpy specified bound 108 equals destination size [-Wstringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function strncpy,
inlined from unix_listen_saddr.isra.0 at util/qemu-sockets.c:880:5:
/usr/include/bits/string_fortified.h:106:10: warning: __builtin_strncpy specified bound 108 equals destination size [-Wstringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We are already validating the UNIX socket path length earlier in
the functions. If we save this string length when we first check
it, then we can simply use memcpy instead of strcpy later, avoiding
the gcc truncation warnings.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20190501145052.12579-1-berrange@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
(cherry picked from commit 2d2023c3b99edb33ad4bb9791f70456ea1a1c049)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
util/qemu-sockets.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c
index 9705051690..ba6335e71a 100644
--- a/util/qemu-sockets.c
+++ b/util/qemu-sockets.c
@@ -830,6 +830,7 @@ static int unix_listen_saddr(UnixSocketAddress *saddr,
int sock, fd;
char *pathbuf = NULL;
const char *path;
+ size_t pathlen;
sock = qemu_socket(PF_UNIX, SOCK_STREAM, 0);
if (sock < 0) {
@@ -845,7 +846,8 @@ static int unix_listen_saddr(UnixSocketAddress *saddr,
path = pathbuf = g_strdup_printf("%s/qemu-socket-XXXXXX", tmpdir);
}
- if (strlen(path) > sizeof(un.sun_path)) {
+ pathlen = strlen(path);
+ if (pathlen > sizeof(un.sun_path)) {
error_setg(errp, "UNIX socket path '%s' is too long", path);
error_append_hint(errp, "Path must be less than %zu bytes\n",
sizeof(un.sun_path));
@@ -877,7 +879,7 @@ static int unix_listen_saddr(UnixSocketAddress *saddr,
memset(&un, 0, sizeof(un));
un.sun_family = AF_UNIX;
- strncpy(un.sun_path, path, sizeof(un.sun_path));
+ memcpy(un.sun_path, path, pathlen);
if (bind(sock, (struct sockaddr*) &un, sizeof(un)) < 0) {
error_setg_errno(errp, errno, "Failed to bind socket to %s", path);
@@ -901,6 +903,7 @@ static int unix_connect_saddr(UnixSocketAddress *saddr, Error **errp)
{
struct sockaddr_un un;
int sock, rc;
+ size_t pathlen;
if (saddr->path == NULL) {
error_setg(errp, "unix connect: no path specified");
@@ -913,7 +916,8 @@ static int unix_connect_saddr(UnixSocketAddress *saddr, Error **errp)
return -1;
}
- if (strlen(saddr->path) > sizeof(un.sun_path)) {
+ pathlen = strlen(saddr->path);
+ if (pathlen > sizeof(un.sun_path)) {
error_setg(errp, "UNIX socket path '%s' is too long", saddr->path);
error_append_hint(errp, "Path must be less than %zu bytes\n",
sizeof(un.sun_path));
@@ -922,7 +926,7 @@ static int unix_connect_saddr(UnixSocketAddress *saddr, Error **errp)
memset(&un, 0, sizeof(un));
un.sun_family = AF_UNIX;
- strncpy(un.sun_path, saddr->path, sizeof(un.sun_path));
+ memcpy(un.sun_path, saddr->path, pathlen);
/* connect to peer */
do {

44
0036-util-qemu-sockets-Fix-GCC-9-build-w.patch
View File

@ -1,44 +0,0 @@
From: Alistair Francis <Alistair.Francis@wdc.com>
Date: Sat, 4 May 2019 07:57:32 -0600
Subject: util/qemu-sockets: Fix GCC 9 build warnings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix this warning when building with GCC9 on Fedora 30:
In function ‘strncpy’,
inlined from ‘unix_connect_saddr.isra.0’ at util/qemu-sockets.c:925:5:
/usr/include/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 108 equals destination size [-Werror=stringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘strncpy’,
inlined from ‘unix_listen_saddr.isra.0’ at util/qemu-sockets.c:880:5:
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
util/qemu-sockets.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/util/qemu-sockets.c b/util/qemu-sockets.c
index 9705051690..8c3322958f 100644
--- a/util/qemu-sockets.c
+++ b/util/qemu-sockets.c
@@ -829,7 +829,7 @@ static int unix_listen_saddr(UnixSocketAddress *saddr,
struct sockaddr_un un;
int sock, fd;
char *pathbuf = NULL;
- const char *path;
+ const char *path QEMU_NONSTRING;
sock = qemu_socket(PF_UNIX, SOCK_STREAM, 0);
if (sock < 0) {
@@ -922,7 +922,7 @@ static int unix_connect_saddr(UnixSocketAddress *saddr, Error **errp)
memset(&un, 0, sizeof(un));
un.sun_family = AF_UNIX;
- strncpy(un.sun_path, saddr->path, sizeof(un.sun_path));
+ memcpy(un.sun_path, saddr->path, MIN(strlen(saddr->path), sizeof(un.sun_path)));
/* connect to peer */
do {

7
0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch
View File

@ -1,12 +1,9 @@
From: Alistair Francis <Alistair.Francis@wdc.com>
Date: Sat, 4 May 2019 07:58:35 -0600
Subject: hw/usb/hcd-xhci: Fix GCC 9 build warning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix this build warning with GCC 9 on Fedora 30:
hw/usb/hcd-xhci.c:3339:66: error: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 5 [-Werror=format-truncation=]
hw/usb/hcd-xhci.c:3339:66: error: '%d' directive output may be truncated writing between 1 and 10 bytes into a region of size 5 [-Werror=format-truncation=]
3339 | snprintf(port->name, sizeof(port->name), "usb2 port #%d", i+1);
| ^~
hw/usb/hcd-xhci.c:3339:54: note: directive argument in the range [1, 2147483647]
@ -15,7 +12,7 @@ hw/usb/hcd-xhci.c:3339:54: note: directive argument in the range [1, 2147483647]
In file included from /usr/include/stdio.h:867,
from /home/alistair/qemu/include/qemu/osdep.h:99,
from hw/usb/hcd-xhci.c:21:
/usr/include/bits/stdio2.h:67:10: note: ‘__builtin___snprintf_chk’ output between 13 and 22 bytes into a destination of size 16
/usr/include/bits/stdio2.h:67:10: note: '__builtin___snprintf_chk' output between 13 and 22 bytes into a destination of size 16
67 | return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
68 | __bos (__s), __fmt, __va_arg_pack ());

5
0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch
View File

@ -1,12 +1,9 @@
From: Alistair Francis <Alistair.Francis@wdc.com>
Date: Sat, 4 May 2019 07:58:55 -0600
Subject: hw/usb/dev-mtp: Fix GCC 9 build warning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix this warning with GCC 9 on Fedora 30:
hw/usb/dev-mtp.c:1715:36: error: taking address of packed member of ‘struct <anonymous>’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
hw/usb/dev-mtp.c:1715:36: error: taking address of packed member of 'struct <anonymous>' may result in an unaligned pointer value [-Werror=address-of-packed-member]
1715 | dataset->filename);
| ~~~~~~~^~~~~~~~~~

47
0039-linux-user-avoid-string-truncation-.patch Normal file
View File

@ -0,0 +1,47 @@
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 1 May 2019 15:46:46 +0100
Subject: linux-user: avoid string truncation warnings in uname field copying
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In file included from /usr/include/string.h:494,
from include/qemu/osdep.h:101,
from linux-user/uname.c:20:
In function strncpy,
inlined from sys_uname at linux-user/uname.c:94:3:
/usr/include/bits/string_fortified.h:106:10: warning: __builtin_strncpy output may be truncated copying 64 bytes from a string of length 64 [-Wstringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We don't care where the NUL terminator in the original uname
field was. It suffices to copy the entire original field and
simply force a NUL terminator at the end of the new field.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20190501144646.4851-1-berrange@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
[BR: Played with indent to avoid error from checkpatch.pl]
(cherry picked from commit b2acfb55962bc8caeaa50a5158da2f701f2c1f7c)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
linux-user/uname.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/linux-user/uname.c b/linux-user/uname.c
index 313b79dbad..0c6ddf2ad9 100644
--- a/linux-user/uname.c
+++ b/linux-user/uname.c
@@ -72,9 +72,8 @@ const char *cpu_to_uname_machine(void *cpu_env)
#define COPY_UTSNAME_FIELD(dest, src) \
do { \
- /* __NEW_UTS_LEN doesn't include terminating null */ \
- (void) strncpy((dest), (src), __NEW_UTS_LEN); \
- (dest)[__NEW_UTS_LEN] = '\0'; \
+ memcpy((dest), (src), MIN(sizeof(src), sizeof(dest))); \
+ (dest)[sizeof(dest) - 1] = '\0'; \
} while (0)
int sys_uname(struct new_utsname *buf)

33
0039-linux-user-uname-Fix-GCC-9-build-wa.patch
View File

@ -1,33 +0,0 @@
From: Alistair Francis <Alistair.Francis@wdc.com>
Date: Sat, 4 May 2019 07:59:09 -0600
Subject: linux-user/uname: Fix GCC 9 build warnings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix this warning when building with GCC9 on Fedora 30:
In function ‘strncpy’,
inlined from ‘sys_uname’ at /home/alistair/qemu/linux-user/uname.c:94:3:
/usr/include/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ output may be truncated copying 64 bytes from a string of length 64 [-Werror=stringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
linux-user/uname.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux-user/uname.c b/linux-user/uname.c
index 313b79dbad..2fc6096a5b 100644
--- a/linux-user/uname.c
+++ b/linux-user/uname.c
@@ -73,7 +73,7 @@ const char *cpu_to_uname_machine(void *cpu_env)
#define COPY_UTSNAME_FIELD(dest, src) \
do { \
/* __NEW_UTS_LEN doesn't include terminating null */ \
- (void) strncpy((dest), (src), __NEW_UTS_LEN); \
+ (void) memcpy((dest), (src), MIN(strlen(src), __NEW_UTS_LEN)); \
(dest)[__NEW_UTS_LEN] = '\0'; \
} while (0)

17
0040-linux-user-elfload-Fix-GCC-9-build-.patch
View File

@ -1,20 +1,25 @@
From: Alistair Francis <Alistair.Francis@wdc.com>
Date: Sat, 4 May 2019 07:59:23 -0600
Date: Tue, 30 Apr 2019 23:29:01 +0000
Subject: linux-user/elfload: Fix GCC 9 build warnings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix this warning when building with GCC9 on Fedora 30:
In function ‘strncpy’,
inlined from ‘fill_psinfo’ at /home/alistair/qemu/linux-user/elfload.c:3208:12,
inlined from ‘fill_note_info’ at /home/alistair/qemu/linux-user/elfload.c:3390:5,
inlined from ‘elf_core_dump’ at /home/alistair/qemu/linux-user/elfload.c:3539:9:
/usr/include/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 16 equals destination size [-Werror=stringop-truncation]
In function strncpy,
inlined from fill_psinfo at /home/alistair/qemu/linux-user/elfload.c:3208:12,
inlined from fill_note_info at /home/alistair/qemu/linux-user/elfload.c:3390:5,
inlined from elf_core_dump at /home/alistair/qemu/linux-user/elfload.c:3539:9:
/usr/include/bits/string_fortified.h:106:10: error: __builtin_strncpy specified bound 16 equals destination size [-Werror=stringop-truncation]
106 | return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <c4d2b1de9efadcf1c900b91361af9302823a72a9.1556666645.git.alistair.francis@wdc.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
(cherry picked from commit d7eb2b928a855a2e8038e8e75f7edf1a12226bd3)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
linux-user/elfload.c | 2 +-

144
0041-qxl-avoid-unaligned-pointer-reads-w.patch Normal file
View File

@ -0,0 +1,144 @@
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 12 Apr 2019 13:16:26 +0100
Subject: qxl: avoid unaligned pointer reads/writes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The SPICE_RING_PROD_ITEM() macro is initializing a local
'uint64_t *' variable to point to the 'el' field inside
the QXLReleaseRing struct. This uint64_t field is not
guaranteed aligned as the struct is packed.
Code should not take the address of fields within a
packed struct. Changing the SPICE_RING_PROD_ITEM()
macro to avoid taking the address of the field is
impractical. It is clearer to just remove the macro
and inline its functionality in the three call sites
that need it.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20190412121626.19829-6-berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 94932c95c10400acd286fd768a6b411e7ebbec8f)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/qxl.c | 55 +++++++++++++++++++++---------------------------
1 file changed, 24 insertions(+), 31 deletions(-)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index c8ce5781e0..5c38e6e906 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -33,24 +33,6 @@
#include "qxl.h"
-/*
- * NOTE: SPICE_RING_PROD_ITEM accesses memory on the pci bar and as
- * such can be changed by the guest, so to avoid a guest trigerrable
- * abort we just qxl_set_guest_bug and set the return to NULL. Still
- * it may happen as a result of emulator bug as well.
- */
-#undef SPICE_RING_PROD_ITEM
-#define SPICE_RING_PROD_ITEM(qxl, r, ret) { \
- uint32_t prod = (r)->prod & SPICE_RING_INDEX_MASK(r); \
- if (prod >= ARRAY_SIZE((r)->items)) { \
- qxl_set_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch " \
- "%u >= %zu", prod, ARRAY_SIZE((r)->items)); \
- ret = NULL; \
- } else { \
- ret = &(r)->items[prod].el; \
- } \
- }
-
#undef SPICE_RING_CONS_ITEM
#define SPICE_RING_CONS_ITEM(qxl, r, ret) { \
uint32_t cons = (r)->cons & SPICE_RING_INDEX_MASK(r); \
@@ -414,7 +396,8 @@ static void init_qxl_rom(PCIQXLDevice *d)
static void init_qxl_ram(PCIQXLDevice *d)
{
uint8_t *buf;
- uint64_t *item;
+ uint32_t prod;
+ QXLReleaseRing *ring;
buf = d->vga.vram_ptr;
d->ram = (QXLRam *)(buf + le32_to_cpu(d->shadow_rom.ram_header_offset));
@@ -426,9 +409,12 @@ static void init_qxl_ram(PCIQXLDevice *d)
SPICE_RING_INIT(&d->ram->cmd_ring);
SPICE_RING_INIT(&d->ram->cursor_ring);
SPICE_RING_INIT(&d->ram->release_ring);
- SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item);
- assert(item);
- *item = 0;
+
+ ring = &d->ram->release_ring;
+ prod = ring->prod & SPICE_RING_INDEX_MASK(ring);
+ assert(prod < ARRAY_SIZE(ring->items));
+ ring->items[prod].el = 0;
+
qxl_ring_set_dirty(d);
}
@@ -732,7 +718,7 @@ static int interface_req_cmd_notification(QXLInstance *sin)
static inline void qxl_push_free_res(PCIQXLDevice *d, int flush)
{
QXLReleaseRing *ring = &d->ram->release_ring;
- uint64_t *item;
+ uint32_t prod;
int notify;
#define QXL_FREE_BUNCH_SIZE 32
@@ -759,11 +745,15 @@ static inline void qxl_push_free_res(PCIQXLDevice *d, int flush)
if (notify) {
qxl_send_events(d, QXL_INTERRUPT_DISPLAY);
}
- SPICE_RING_PROD_ITEM(d, ring, item);
- if (!item) {
+
+ ring = &d->ram->release_ring;
+ prod = ring->prod & SPICE_RING_INDEX_MASK(ring);
+ if (prod >= ARRAY_SIZE(ring->items)) {
+ qxl_set_guest_bug(d, "SPICE_RING_PROD_ITEM indices mismatch "
+ "%u >= %zu", prod, ARRAY_SIZE(ring->items));
return;
}
- *item = 0;
+ ring->items[prod].el = 0;
d->num_free_res = 0;
d->last_release = NULL;
qxl_ring_set_dirty(d);
@@ -775,7 +765,8 @@ static void interface_release_resource(QXLInstance *sin,
{
PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
QXLReleaseRing *ring;
- uint64_t *item, id;
+ uint32_t prod;
+ uint64_t id;
if (ext.group_id == MEMSLOT_GROUP_HOST) {
/* host group -> vga mode update request */
@@ -792,16 +783,18 @@ static void interface_release_resource(QXLInstance *sin,
* pci bar 0, $command.release_info
*/
ring = &qxl->ram->release_ring;
- SPICE_RING_PROD_ITEM(qxl, ring, item);
- if (!item) {
+ prod = ring->prod & SPICE_RING_INDEX_MASK(ring);
+ if (prod >= ARRAY_SIZE(ring->items)) {
+ qxl_set_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch "
+ "%u >= %zu", prod, ARRAY_SIZE(ring->items));
return;
}
- if (*item == 0) {
+ if (ring->items[prod].el == 0) {
/* stick head into the ring */
id = ext.info->id;
ext.info->next = 0;
qxl_ram_set_dirty(qxl, &ext.info->next);
- *item = id;
+ ring->items[prod].el = id;
qxl_ring_set_dirty(qxl);
} else {
/* append item to the list */

188
0041-qxl-fix-Waddress-of-packed-member.patch
View File

@ -1,188 +0,0 @@
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Sat, 4 May 2019 07:59:35 -0600
Subject: qxl: fix -Waddress-of-packed-member
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The GCC9 compiler complains about QXL code that takes the address of
members of the 'struct QXLReleaseRing' which is marked packed:
CC hw/display/qxl.o
/home/elmarco/src/qemu/hw/display/qxl.c: In function ‘init_qxl_ram’:
/home/elmarco/src/qemu/hw/display/qxl.c:50:19: warning: taking address of packed member of ‘struct QXLReleaseRing_ring_el’ may result in an unaligned pointer value [-Waddress-of-packed-member]
50 | ret = &(r)->items[prod].el; \
| ^~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/hw/display/qxl.c:429:5: note: in expansion of macro ‘SPICE_RING_PROD_ITEM’
429 | SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item);
| ^~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/hw/display/qxl.c: In function ‘qxl_push_free_res’:
/home/elmarco/src/qemu/hw/display/qxl.c:50:19: warning: taking address of packed member of ‘struct QXLReleaseRing_ring_el’ may result in an unaligned pointer value [-Waddress-of-packed-member]
50 | ret = &(r)->items[prod].el; \
| ^~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/hw/display/qxl.c:762:5: note: in expansion of macro ‘SPICE_RING_PROD_ITEM’
762 | SPICE_RING_PROD_ITEM(d, ring, item);
| ^~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/hw/display/qxl.c: In function ‘interface_release_resource’:
/home/elmarco/src/qemu/hw/display/qxl.c:50:19: warning: taking address of packed member of ‘struct QXLReleaseRing_ring_el’ may result in an unaligned pointer value [-Waddress-of-packed-member]
50 | ret = &(r)->items[prod].el; \
| ^~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/hw/display/qxl.c:795:5: note: in expansion of macro ‘SPICE_RING_PROD_ITEM’
795 | SPICE_RING_PROD_ITEM(qxl, ring, item);
| ^~~~~~~~~~~~~~~~~~~~
Replace pointer usage by direct structure/array access instead.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/qxl.c | 83 +++++++++++++++++++++++++++++-------------------
1 file changed, 50 insertions(+), 33 deletions(-)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index c8ce5781e0..12d83dd6f1 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -39,29 +39,49 @@
* abort we just qxl_set_guest_bug and set the return to NULL. Still
* it may happen as a result of emulator bug as well.
*/
-#undef SPICE_RING_PROD_ITEM
-#define SPICE_RING_PROD_ITEM(qxl, r, ret) { \
- uint32_t prod = (r)->prod & SPICE_RING_INDEX_MASK(r); \
- if (prod >= ARRAY_SIZE((r)->items)) { \
- qxl_set_guest_bug(qxl, "SPICE_RING_PROD_ITEM indices mismatch " \
- "%u >= %zu", prod, ARRAY_SIZE((r)->items)); \
- ret = NULL; \
- } else { \
- ret = &(r)->items[prod].el; \
- } \
+#define SPICE_RING_GET_CHECK(qxl, r, field) ({ \
+ field = (r)->field & SPICE_RING_INDEX_MASK(r); \
+ bool mismatch = field >= ARRAY_SIZE((r)->items); \
+ if (mismatch) { \
+ qxl_set_guest_bug(qxl, "SPICE_RING_GET %s indices mismatch " \
+ "%u >= %zu", stringify(field), field, \
+ ARRAY_SIZE((r)->items)); \
+ } \
+ !mismatch; \
+})
+
+static inline uint64_t
+qxl_release_ring_get_prod(PCIQXLDevice *qxl)
+{
+ struct QXLReleaseRing *ring = &qxl->ram->release_ring;
+ uint32_t prod;
+ bool ok = SPICE_RING_GET_CHECK(qxl, ring, prod);
+ assert(ok);
+
+ return ring->items[prod].el;
+}
+
+static inline bool
+qxl_release_ring_set_prod(PCIQXLDevice *qxl, uint64_t val)
+{
+ struct QXLReleaseRing *ring = &qxl->ram->release_ring;
+ uint32_t prod;
+ bool ok = SPICE_RING_GET_CHECK(qxl, ring, prod);
+ if (ok) {
+ ring->items[prod].el = val;
}
+ return ok;
+}
#undef SPICE_RING_CONS_ITEM
-#define SPICE_RING_CONS_ITEM(qxl, r, ret) { \
- uint32_t cons = (r)->cons & SPICE_RING_INDEX_MASK(r); \
- if (cons >= ARRAY_SIZE((r)->items)) { \
- qxl_set_guest_bug(qxl, "SPICE_RING_CONS_ITEM indices mismatch " \
- "%u >= %zu", cons, ARRAY_SIZE((r)->items)); \
- ret = NULL; \
- } else { \
- ret = &(r)->items[cons].el; \
- } \
- }
+#define SPICE_RING_CONS_ITEM(qxl, r, ret) { \
+ uint32_t cons; \
+ if (!SPICE_RING_GET_CHECK(qxl, r, cons)) { \
+ ret = NULL; \
+ } else { \
+ ret = &(r)->items[cons].el; \
+ } \
+}
#undef ALIGN
#define ALIGN(a, b) (((a) + ((b) - 1)) & ~((b) - 1))
@@ -414,7 +434,6 @@ static void init_qxl_rom(PCIQXLDevice *d)
static void init_qxl_ram(PCIQXLDevice *d)
{
uint8_t *buf;
- uint64_t *item;
buf = d->vga.vram_ptr;
d->ram = (QXLRam *)(buf + le32_to_cpu(d->shadow_rom.ram_header_offset));
@@ -426,9 +445,9 @@ static void init_qxl_ram(PCIQXLDevice *d)
SPICE_RING_INIT(&d->ram->cmd_ring);
SPICE_RING_INIT(&d->ram->cursor_ring);
SPICE_RING_INIT(&d->ram->release_ring);
- SPICE_RING_PROD_ITEM(d, &d->ram->release_ring, item);
- assert(item);
- *item = 0;
+ if (!qxl_release_ring_set_prod(d, 0)) {
+ g_assert_not_reached();
+ }
qxl_ring_set_dirty(d);
}
@@ -732,7 +751,6 @@ static int interface_req_cmd_notification(QXLInstance *sin)
static inline void qxl_push_free_res(PCIQXLDevice *d, int flush)
{
QXLReleaseRing *ring = &d->ram->release_ring;
- uint64_t *item;
int notify;
#define QXL_FREE_BUNCH_SIZE 32
@@ -759,11 +777,9 @@ static inline void qxl_push_free_res(PCIQXLDevice *d, int flush)
if (notify) {
qxl_send_events(d, QXL_INTERRUPT_DISPLAY);
}
- SPICE_RING_PROD_ITEM(d, ring, item);
- if (!item) {
+ if (!qxl_release_ring_set_prod(d, 0)) {
return;
}
- *item = 0;
d->num_free_res = 0;
d->last_release = NULL;
qxl_ring_set_dirty(d);
@@ -775,7 +791,8 @@ static void interface_release_resource(QXLInstance *sin,
{
PCIQXLDevice *qxl = container_of(sin, PCIQXLDevice, ssd.qxl);
QXLReleaseRing *ring;
- uint64_t *item, id;
+ uint32_t prod;
+ uint64_t id;
if (ext.group_id == MEMSLOT_GROUP_HOST) {
/* host group -> vga mode update request */
@@ -792,16 +809,16 @@ static void interface_release_resource(QXLInstance *sin,
* pci bar 0, $command.release_info
*/
ring = &qxl->ram->release_ring;
- SPICE_RING_PROD_ITEM(qxl, ring, item);
- if (!item) {
+
+ if (!SPICE_RING_GET_CHECK(qxl, ring, prod)) {
return;
}
- if (*item == 0) {
+ if (qxl_release_ring_get_prod(qxl) == 0) {
/* stick head into the ring */
id = ext.info->id;
ext.info->next = 0;
qxl_ram_set_dirty(qxl, &ext.info->next);
- *item = id;
+ qxl_release_ring_set_prod(qxl, id);
qxl_ring_set_dirty(qxl);
} else {
/* append item to the list */

60
0042-libvhost-user-fix-Waddress-of-packe.patch Normal file
View File

@ -0,0 +1,60 @@
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 3 May 2019 15:00:29 +0200
Subject: libvhost-user: fix -Waddress-of-packed-member
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c: In function vu_set_mem_table_exec_postcopy:
/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c:546:31: warning: taking address of packed member of struct VhostUserMsg may result in an unaligned pointer value [-Waddress-of-packed-member]
546 | VhostUserMemory *memory = &vmsg->payload.memory;
| ^~~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c: In function vu_set_mem_table_exec:
/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c:688:31: warning: taking address of packed member of struct VhostUserMsg may result in an unaligned pointer value [-Waddress-of-packed-member]
688 | VhostUserMemory *memory = &vmsg->payload.memory;
| ^~~~~~~~~~~~~~~~~~~~~
/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c: In function vu_set_vring_addr_exec:
/home/elmarco/src/qemu/contrib/libvhost-user/libvhost-user.c:817:36: warning: taking address of packed member of struct VhostUserMsg may result in an unaligned pointer value [-Waddress-of-packed-member]
817 | struct vhost_vring_addr *vra = &vmsg->payload.addr;
| ^~~~~~~~~~~~~~~~~~~
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20190503130034.24916-2-marcandre.lureau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit d288eef3a0a8ac46cc45808b50d73606476148b0)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
contrib/libvhost-user/libvhost-user.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/contrib/libvhost-user/libvhost-user.c b/contrib/libvhost-user/libvhost-user.c
index e08d6c7b97..dcf4a969f2 100644
--- a/contrib/libvhost-user/libvhost-user.c
+++ b/contrib/libvhost-user/libvhost-user.c
@@ -542,7 +542,7 @@ static bool
vu_set_mem_table_exec_postcopy(VuDev *dev, VhostUserMsg *vmsg)
{
int i;
- VhostUserMemory *memory = &vmsg->payload.memory;
+ VhostUserMemory m = vmsg->payload.memory, *memory = &m;
dev->nregions = memory->nregions;
DPRINT("Nregions: %d\n", memory->nregions);
@@ -684,7 +684,7 @@ static bool
vu_set_mem_table_exec(VuDev *dev, VhostUserMsg *vmsg)
{
int i;
- VhostUserMemory *memory = &vmsg->payload.memory;
+ VhostUserMemory m = vmsg->payload.memory, *memory = &m;
for (i = 0; i < dev->nregions; i++) {
VuDevRegion *r = &dev->regions[i];
@@ -813,7 +813,7 @@ vu_set_vring_num_exec(VuDev *dev, VhostUserMsg *vmsg)
static bool
vu_set_vring_addr_exec(VuDev *dev, VhostUserMsg *vmsg)
{
- struct vhost_vring_addr *vra = &vmsg->payload.addr;
+ struct vhost_vring_addr addr = vmsg->payload.addr, *vra = &addr;
unsigned int index = vra->index;
VuVirtq *vq = &dev->vq[index];

58
0043-target-i386-define-md-clear-bit.patch Normal file
View File

@ -0,0 +1,58 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Fri, 1 Mar 2019 21:40:52 +0100
Subject: target/i386: define md-clear bit
md-clear is a new CPUID bit which is set when microcode provides the
mechanism to invoke a flush of various exploitable CPU buffers by invoking
the VERW instruction. Add the new feature, and pass it down to
Hypervisor.framework guests.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[BR: BSC#1111331 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130
CVE-2019-11091]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/i386/cpu.c | 2 +-
target/i386/cpu.h | 1 +
target/i386/hvf/x86_cpuid.c | 3 ++-
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index d6bb57d210..4ea78a4939 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1076,7 +1076,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
.feat_names = {
NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
+ NULL, NULL, "md-clear", NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 572290c3d6..d3bd0943ec 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -694,6 +694,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
#define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
#define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
+#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */
#define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */
#define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/
#define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */
diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c
index 4d957fe896..b453552fb4 100644
--- a/target/i386/hvf/x86_cpuid.c
+++ b/target/i386/hvf/x86_cpuid.c
@@ -90,7 +90,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx,
}
ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ;
- edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS;
+ edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \
+ CPUID_7_0_EDX_MD_CLEAR;
} else {
ebx = 0;
ecx = 0;

57
0044-hw-intc-exynos4210_gic-provide-more.patch Normal file
View File

@ -0,0 +1,57 @@
From: Bruce Rogers <brogers@suse.com>
Date: Wed, 15 May 2019 13:32:01 -0600
Subject: hw/intc/exynos4210_gic: provide more room when formatting alias names
sprintf related parameter validation complains about the size of the
buffer being written to in exynos4210_gic_realize(). Provide a bit more
space to avoid the following warning:
/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c: In function 'exynos4210_gic_realize':
/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:316:36: error: '%x' directive writing between 1 and 7 bytes into a region of size between 4 and 28 [-Werror=format-overflow=]
316 | sprintf(cpu_alias_name, "%s%x", cpu_prefix, i);
| ^~
/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:316:33: note: directive argument in the range [0, 29020050]
316 | sprintf(cpu_alias_name, "%s%x", cpu_prefix, i);
| ^~~~~~
In file included from /usr/include/stdio.h:867,
from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/include/qemu/osdep.h:99,
from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:23:
/usr/include/bits/stdio2.h:36:10: note: '__builtin___sprintf_chk' output between 2 and 32 bytes into a destination of size 28
36 | return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
37 | __bos (__s), __fmt, __va_arg_pack ());
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:326:37: error: '%x' directive writing between 1 and 7 bytes into a region of size between 3 and 28 [-Werror=format-overflow=]
326 | sprintf(dist_alias_name, "%s%x", dist_prefix, i);
| ^~
/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:326:34: note: directive argument in the range [0, 29020050]
326 | sprintf(dist_alias_name, "%s%x", dist_prefix, i);
| ^~~~~~
In file included from /usr/include/stdio.h:867,
from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/include/qemu/osdep.h:99,
from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:23:
/usr/include/bits/stdio2.h:36:10: note: '__builtin___sprintf_chk' output between 2 and 33 bytes into a destination of size 28
36 | return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
37 | __bos (__s), __fmt, __va_arg_pack ());
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/intc/exynos4210_gic.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/intc/exynos4210_gic.c b/hw/intc/exynos4210_gic.c
index 69f9c18d73..4770950c94 100644
--- a/hw/intc/exynos4210_gic.c
+++ b/hw/intc/exynos4210_gic.c
@@ -288,8 +288,8 @@ static void exynos4210_gic_realize(DeviceState *dev, Error **errp)
SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
const char cpu_prefix[] = "exynos4210-gic-alias_cpu";
const char dist_prefix[] = "exynos4210-gic-alias_dist";
- char cpu_alias_name[sizeof(cpu_prefix) + 3];
- char dist_alias_name[sizeof(cpu_prefix) + 3];
+ char cpu_alias_name[sizeof(cpu_prefix) + 7];
+ char dist_alias_name[sizeof(cpu_prefix) + 8];
SysBusDevice *gicbusdev;
uint32_t i;

28
qemu-linux-user.changes
View File

@ -1,3 +1,31 @@
-------------------------------------------------------------------
Wed May 15 19:36:50 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
* Patches added:
0044-hw-intc-exynos4210_gic-provide-more.patch
-------------------------------------------------------------------
Tue May 14 21:01:06 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
* Patches dropped:
0041-qxl-fix-Waddress-of-packed-member.patch
* Patches added:
0041-qxl-avoid-unaligned-pointer-reads-w.patch
0042-libvhost-user-fix-Waddress-of-packe.patch
0043-target-i386-define-md-clear-bit.patch
-------------------------------------------------------------------
Fri May 10 19:14:02 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
* Patches renamed:
0036-util-qemu-sockets-Fix-GCC-9-build-w.patch
-> 0036-sockets-avoid-string-truncation-war.patch
0039-linux-user-uname-Fix-GCC-9-build-wa.patch
-> 0039-linux-user-avoid-string-truncation-.patch
-------------------------------------------------------------------
Mon May 6 21:36:25 UTC 2019 - Bruce Rogers <brogers@suse.com>

12
qemu-linux-user.spec
View File

@ -69,12 +69,15 @@ Patch0032: 0032-tests-Fix-Makefile-handling-of-chec.patch
Patch0033: 0033-Conditionalize-ui-bitmap-installati.patch
Patch0034: 0034-Revert-target-i386-kvm-add-VMX-migr.patch
Patch0035: 0035-tests-change-error-message-in-test-.patch
Patch0036: 0036-util-qemu-sockets-Fix-GCC-9-build-w.patch
Patch0036: 0036-sockets-avoid-string-truncation-war.patch
Patch0037: 0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch
Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch
Patch0039: 0039-linux-user-uname-Fix-GCC-9-build-wa.patch
Patch0039: 0039-linux-user-avoid-string-truncation-.patch
Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch
Patch0041: 0041-qxl-fix-Waddress-of-packed-member.patch
Patch0041: 0041-qxl-avoid-unaligned-pointer-reads-w.patch
Patch0042: 0042-libvhost-user-fix-Waddress-of-packe.patch
Patch0043: 0043-target-i386-define-md-clear-bit.patch
Patch0044: 0044-hw-intc-exynos4210_gic-provide-more.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
ExcludeArch: s390
@ -146,6 +149,9 @@ syscall layer occurs on the native hardware and operating system.
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
%build
%define _lto_cflags %{nil}

46
qemu-testsuite.changes
View File

@ -1,3 +1,49 @@
-------------------------------------------------------------------
Wed May 15 19:36:49 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Yet another gcc9 related code fix (bsc#1121464)
0044-hw-intc-exynos4210_gic-provide-more.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
-------------------------------------------------------------------
Tue May 14 21:01:05 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Switch to now upstreamed version of patch and add one more
gcc9 related patch
* Patches renamed:
0041-qxl-fix-Waddress-of-packed-member.patch
-> 0041-qxl-avoid-unaligned-pointer-reads-w.patch
0042-libvhost-user-fix-Waddress-of-packe.patch
- Add x86 cpu feature "md-clear" (CVE-2018-12126 CVE-2018-12127
CVE-2018-12130 CVE-2019-11091 bsc#1111331)
0043-target-i386-define-md-clear-bit.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
-------------------------------------------------------------------
Sat May 11 14:58:50 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Correct logic of which ipxe patches get included based on
suse_version. We were wrongly excluding a gcc9 related patch for
example
-------------------------------------------------------------------
Fri May 10 19:14:01 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Switch to now upstreamed version of some patches
* Patches renamed:
0036-util-qemu-sockets-Fix-GCC-9-build-w.patch
-> 0036-sockets-avoid-string-truncation-war.patch
0039-linux-user-uname-Fix-GCC-9-build-wa.patch
-> 0039-linux-user-avoid-string-truncation-.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
-------------------------------------------------------------------
Thu May 9 14:51:24 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Create /usr/share/qemu/firmware and /etc/qemu/firmware directories
in support of the firmware descriptor feature now in use as of
libvirt v5.2
-------------------------------------------------------------------
Mon May 6 21:36:24 UTC 2019 - Bruce Rogers <brogers@suse.com>

20
qemu-testsuite.spec
View File

@ -179,12 +179,15 @@ Patch0032: 0032-tests-Fix-Makefile-handling-of-chec.patch
Patch0033: 0033-Conditionalize-ui-bitmap-installati.patch
Patch0034: 0034-Revert-target-i386-kvm-add-VMX-migr.patch
Patch0035: 0035-tests-change-error-message-in-test-.patch
Patch0036: 0036-util-qemu-sockets-Fix-GCC-9-build-w.patch
Patch0036: 0036-sockets-avoid-string-truncation-war.patch
Patch0037: 0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch
Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch
Patch0039: 0039-linux-user-uname-Fix-GCC-9-build-wa.patch
Patch0039: 0039-linux-user-avoid-string-truncation-.patch
Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch
Patch0041: 0041-qxl-fix-Waddress-of-packed-member.patch
Patch0041: 0041-qxl-avoid-unaligned-pointer-reads-w.patch
Patch0042: 0042-libvhost-user-fix-Waddress-of-packe.patch
Patch0043: 0043-target-i386-define-md-clear-bit.patch
Patch0044: 0044-hw-intc-exynos4210_gic-provide-more.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -993,6 +996,9 @@ This package provides a service file for starting and stopping KSM.
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
pushd roms/seabios
%patch1100 -p1
@ -1006,9 +1012,9 @@ pushd roms/ipxe
%patch1200 -p1
%if 0%{?suse_version} <= 1320
%patch1201 -p1
%endif
%patch1202 -p1
%patch1203 -p1
%endif
%ifarch aarch64
%patch1204 -p1
%endif
@ -1401,12 +1407,14 @@ for f in %{x86_extra_firmware} \
done
%endif
%find_lang %name
install -d -m 0755 %{buildroot}%_datadir/%name/firmware
install -d -m 0755 %{buildroot}%_libexecdir/supportconfig/plugins
install -d -m 0755 %{buildroot}%_sysconfdir/%name/firmware
install -D -m 0644 %{SOURCE4} %{buildroot}%_sysconfdir/%name/bridge.conf
install -D -m 0755 %{SOURCE3} %{buildroot}%_datadir/%name/qemu-ifup
install -D -p -m 0644 %{SOURCE8} %{buildroot}%{_udevrulesdir}/80-qemu-ga.rules
install -D -m 0755 scripts/analyze-migration.py %{buildroot}%_bindir/analyze-migration.py
install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmstate-static-checker.py
mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins
install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name
%if 0%{?is_opensuse} == 0
install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt
@ -1583,9 +1591,11 @@ fi
%_mandir/man7/qemu-qmp-ref.7.gz
%_mandir/man7/qemu-ga-ref.7.gz
%dir %_datadir/%name
%dir %_datadir/%name/firmware
%_datadir/%name/keymaps
%_datadir/%name/trace-events-all
%dir %_sysconfdir/%name
%dir %_sysconfdir/%name/firmware
%_datadir/%name/qemu-ifup
%dir %_libexecdir/supportconfig
%dir %_libexecdir/supportconfig/plugins

46
qemu.changes
View File

@ -1,3 +1,49 @@
-------------------------------------------------------------------
Wed May 15 19:36:49 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Yet another gcc9 related code fix (bsc#1121464)
0044-hw-intc-exynos4210_gic-provide-more.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
-------------------------------------------------------------------
Tue May 14 21:01:05 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Switch to now upstreamed version of patch and add one more
gcc9 related patch
* Patches renamed:
0041-qxl-fix-Waddress-of-packed-member.patch
-> 0041-qxl-avoid-unaligned-pointer-reads-w.patch
0042-libvhost-user-fix-Waddress-of-packe.patch
- Add x86 cpu feature "md-clear" (CVE-2018-12126 CVE-2018-12127
CVE-2018-12130 CVE-2019-11091 bsc#1111331)
0043-target-i386-define-md-clear-bit.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
-------------------------------------------------------------------
Sat May 11 14:58:50 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Correct logic of which ipxe patches get included based on
suse_version. We were wrongly excluding a gcc9 related patch for
example
-------------------------------------------------------------------
Fri May 10 19:14:01 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Switch to now upstreamed version of some patches
* Patches renamed:
0036-util-qemu-sockets-Fix-GCC-9-build-w.patch
-> 0036-sockets-avoid-string-truncation-war.patch
0039-linux-user-uname-Fix-GCC-9-build-wa.patch
-> 0039-linux-user-avoid-string-truncation-.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
-------------------------------------------------------------------
Thu May 9 14:51:24 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Create /usr/share/qemu/firmware and /etc/qemu/firmware directories
in support of the firmware descriptor feature now in use as of
libvirt v5.2
-------------------------------------------------------------------
Mon May 6 21:36:24 UTC 2019 - Bruce Rogers <brogers@suse.com>

20
qemu.spec
View File

@ -179,12 +179,15 @@ Patch0032: 0032-tests-Fix-Makefile-handling-of-chec.patch
Patch0033: 0033-Conditionalize-ui-bitmap-installati.patch
Patch0034: 0034-Revert-target-i386-kvm-add-VMX-migr.patch
Patch0035: 0035-tests-change-error-message-in-test-.patch
Patch0036: 0036-util-qemu-sockets-Fix-GCC-9-build-w.patch
Patch0036: 0036-sockets-avoid-string-truncation-war.patch
Patch0037: 0037-hw-usb-hcd-xhci-Fix-GCC-9-build-war.patch
Patch0038: 0038-hw-usb-dev-mtp-Fix-GCC-9-build-warn.patch
Patch0039: 0039-linux-user-uname-Fix-GCC-9-build-wa.patch
Patch0039: 0039-linux-user-avoid-string-truncation-.patch
Patch0040: 0040-linux-user-elfload-Fix-GCC-9-build-.patch
Patch0041: 0041-qxl-fix-Waddress-of-packed-member.patch
Patch0041: 0041-qxl-avoid-unaligned-pointer-reads-w.patch
Patch0042: 0042-libvhost-user-fix-Waddress-of-packe.patch
Patch0043: 0043-target-i386-define-md-clear-bit.patch
Patch0044: 0044-hw-intc-exynos4210_gic-provide-more.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -993,6 +996,9 @@ This package provides a service file for starting and stopping KSM.
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
pushd roms/seabios
%patch1100 -p1
@ -1006,9 +1012,9 @@ pushd roms/ipxe
%patch1200 -p1
%if 0%{?suse_version} <= 1320
%patch1201 -p1
%endif
%patch1202 -p1
%patch1203 -p1
%endif
%ifarch aarch64
%patch1204 -p1
%endif
@ -1401,12 +1407,14 @@ for f in %{x86_extra_firmware} \
done
%endif
%find_lang %name
install -d -m 0755 %{buildroot}%_datadir/%name/firmware
install -d -m 0755 %{buildroot}%_libexecdir/supportconfig/plugins
install -d -m 0755 %{buildroot}%_sysconfdir/%name/firmware
install -D -m 0644 %{SOURCE4} %{buildroot}%_sysconfdir/%name/bridge.conf
install -D -m 0755 %{SOURCE3} %{buildroot}%_datadir/%name/qemu-ifup
install -D -p -m 0644 %{SOURCE8} %{buildroot}%{_udevrulesdir}/80-qemu-ga.rules
install -D -m 0755 scripts/analyze-migration.py %{buildroot}%_bindir/analyze-migration.py
install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmstate-static-checker.py
mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins
install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name
%if 0%{?is_opensuse} == 0
install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt
@ -1583,9 +1591,11 @@ fi
%_mandir/man7/qemu-qmp-ref.7.gz
%_mandir/man7/qemu-ga-ref.7.gz
%dir %_datadir/%name
%dir %_datadir/%name/firmware
%_datadir/%name/keymaps
%_datadir/%name/trace-events-all
%dir %_sysconfdir/%name
%dir %_sysconfdir/%name/firmware
%_datadir/%name/qemu-ifup
%dir %_libexecdir/supportconfig
%dir %_libexecdir/supportconfig/plugins

8
qemu.spec.in
View File

@ -923,9 +923,9 @@ pushd roms/ipxe
%patch1200 -p1
%if 0%{?suse_version} <= 1320
%patch1201 -p1
%endif
%patch1202 -p1
%patch1203 -p1
%endif
%ifarch aarch64
%patch1204 -p1
%endif
@ -1318,12 +1318,14 @@ for f in %{x86_extra_firmware} \
done
%endif
%find_lang %name
install -d -m 0755 %{buildroot}%_datadir/%name/firmware
install -d -m 0755 %{buildroot}%_libexecdir/supportconfig/plugins
install -d -m 0755 %{buildroot}%_sysconfdir/%name/firmware
install -D -m 0644 %{SOURCE4} %{buildroot}%_sysconfdir/%name/bridge.conf
install -D -m 0755 %{SOURCE3} %{buildroot}%_datadir/%name/qemu-ifup
install -D -p -m 0644 %{SOURCE8} %{buildroot}%{_udevrulesdir}/80-qemu-ga.rules
install -D -m 0755 scripts/analyze-migration.py %{buildroot}%_bindir/analyze-migration.py
install -D -m 0755 scripts/vmstate-static-checker.py %{buildroot}%_bindir/vmstate-static-checker.py
mkdir -p %{buildroot}%_libexecdir/supportconfig/plugins
install -D -m 0755 %{SOURCE9} %{buildroot}%_libexecdir/supportconfig/plugins/%name
%if 0%{?is_opensuse} == 0
install -D -m 0644 %{SOURCE10} %{buildroot}%_docdir/qemu-arm/supported.txt
@ -1500,9 +1502,11 @@ fi
%_mandir/man7/qemu-qmp-ref.7.gz
%_mandir/man7/qemu-ga-ref.7.gz
%dir %_datadir/%name
%dir %_datadir/%name/firmware
%_datadir/%name/keymaps
%_datadir/%name/trace-events-all
%dir %_sysconfdir/%name
%dir %_sysconfdir/%name/firmware
%_datadir/%name/qemu-ifup
%dir %_libexecdir/supportconfig
%dir %_libexecdir/supportconfig/plugins