diff --git a/aio-wait-delegate-polling-of-main-AioCon.patch b/aio-wait-delegate-polling-of-main-AioCon.patch new file mode 100644 index 0000000..c9be72b --- /dev/null +++ b/aio-wait-delegate-polling-of-main-AioCon.patch 
@@ -0,0 +1,116 @@ +From: Paolo Bonzini +Date: Tue, 7 Apr 2020 10:07:45 -0400 +Subject: aio-wait: delegate polling of main AioContext if BQL not held + +Git-commit: 3c18a92dc4b55ca8cc37a755ed119f11c0f34099 + +Any thread that is not a iothread returns NULL for qemu_get_current_aio_context(). +As a result, it would also return true for +in_aio_context_home_thread(qemu_get_aio_context()), causing +AIO_WAIT_WHILE to invoke aio_poll() directly. This is incorrect +if the BQL is not held, because aio_poll() does not expect to +run concurrently from multiple threads, and it can actually +happen when savevm writes to the vmstate file from the +migration thread. + +Therefore, restrict in_aio_context_home_thread to return true +for the main AioContext only if the BQL is held. + +The function is moved to aio-wait.h because it is mostly used +there and to avoid a circular reference between main-loop.h +and block/aio.h. + +Signed-off-by: Paolo Bonzini +Message-Id: <20200407140746.8041-5-pbonzini@redhat.com> +Signed-off-by: Stefan Hajnoczi +Signed-off-by: Bruce Rogers +--- + include/block/aio-wait.h | 22 ++++++++++++++++++++++ + include/block/aio.h | 29 ++++++++++------------------- + 2 files changed, 32 insertions(+), 19 deletions(-) + +diff --git a/include/block/aio-wait.h b/include/block/aio-wait.h +index afeeb18f95ebb593982b5d3f8917..716d2639df708f03e3f29d68315b 100644 +--- a/include/block/aio-wait.h ++++ b/include/block/aio-wait.h +@@ -26,6 +26,7 @@ + #define QEMU_AIO_WAIT_H + + #include "block/aio.h" ++#include "qemu/main-loop.h" + + /** + * AioWait: +@@ -124,4 +125,25 @@ void aio_wait_kick(void); + */ + void aio_wait_bh_oneshot(AioContext *ctx, QEMUBHFunc *cb, void *opaque); + ++/** ++ * in_aio_context_home_thread: ++ * @ctx: the aio context ++ * ++ * Return whether we are running in the thread that normally runs @ctx. Note ++ * that acquiring/releasing ctx does not affect the outcome, each AioContext ++ * still only has one home thread that is responsible for running it. 
++ */ ++static inline bool in_aio_context_home_thread(AioContext *ctx) ++{ ++ if (ctx == qemu_get_current_aio_context()) { ++ return true; ++ } ++ ++ if (ctx == qemu_get_aio_context()) { ++ return qemu_mutex_iothread_locked(); ++ } else { ++ return false; ++ } ++} ++ + #endif /* QEMU_AIO_WAIT_H */ +diff --git a/include/block/aio.h b/include/block/aio.h +index 6b0d52f732b86caef07602281574..9d28e247df7f0d3a556644fcd9d1 100644 +--- a/include/block/aio.h ++++ b/include/block/aio.h +@@ -60,12 +60,16 @@ struct AioContext { + QLIST_HEAD(, AioHandler) aio_handlers; + + /* Used to avoid unnecessary event_notifier_set calls in aio_notify; +- * accessed with atomic primitives. If this field is 0, everything +- * (file descriptors, bottom halves, timers) will be re-evaluated +- * before the next blocking poll(), thus the event_notifier_set call +- * can be skipped. If it is non-zero, you may need to wake up a +- * concurrent aio_poll or the glib main event loop, making +- * event_notifier_set necessary. ++ * only written from the AioContext home thread, or under the BQL in ++ * the case of the main AioContext. However, it is read from any ++ * thread so it is still accessed with atomic primitives. ++ * ++ * If this field is 0, everything (file descriptors, bottom halves, ++ * timers) will be re-evaluated before the next blocking poll() or ++ * io_uring wait; therefore, the event_notifier_set call can be ++ * skipped. If it is non-zero, you may need to wake up a concurrent ++ * aio_poll or the glib main event loop, making event_notifier_set ++ * necessary. + * + * Bit 0 is reserved for GSource usage of the AioContext, and is 1 + * between a call to aio_ctx_prepare and the next call to aio_ctx_check. +@@ -580,19 +584,6 @@ void aio_co_enter(AioContext *ctx, struct Coroutine *co); + */ + AioContext *qemu_get_current_aio_context(void); + +-/** +- * in_aio_context_home_thread: +- * @ctx: the aio context +- * +- * Return whether we are running in the thread that normally runs @ctx. 
Note +- * that acquiring/releasing ctx does not affect the outcome, each AioContext +- * still only has one home thread that is responsible for running it. +- */ +-static inline bool in_aio_context_home_thread(AioContext *ctx) +-{ +- return ctx == qemu_get_current_aio_context(); +-} +- + /** + * aio_context_setup: + * @ctx: the aio context diff --git a/async-use-explicit-memory-barriers.patch b/async-use-explicit-memory-barriers.patch new file mode 100644 index 0000000..6f6f4eb --- /dev/null +++ b/async-use-explicit-memory-barriers.patch 
@@ -0,0 +1,168 @@ +From: Paolo Bonzini +Date: Tue, 7 Apr 2020 10:07:46 -0400 +Subject: async: use explicit memory barriers + +Git-commit: 5710a3e09f9b85801e5ce70797a4a511e5fc9e2c + +When using C11 atomics, non-seqcst reads and writes do not participate +in the total order of seqcst operations. In util/async.c and util/aio-posix.c, +in particular, the pattern that we use + + write ctx->notify_me write bh->scheduled + read bh->scheduled read ctx->notify_me + if !bh->scheduled, sleep if ctx->notify_me, notify + +needs to use seqcst operations for both the write and the read. In +general this is something that we do not want, because there can be +many sources that are polled in addition to bottom halves. The +alternative is to place a seqcst memory barrier between the write +and the read. This also comes with a disadvantage, in that the +memory barrier is implicit on strongly-ordered architectures and +it wastes a few dozen clock cycles. + +Fortunately, ctx->notify_me is never written concurrently by two +threads, so we can assert that and relax the writes to ctx->notify_me. +The resulting solution works and performs well on both aarch64 and x86. + +Note that the atomic_set/atomic_read combination is not an atomic +read-modify-write, and therefore it is even weaker than C11 ATOMIC_RELAXED; +on x86, ATOMIC_RELAXED compiles to a locked operation. 
+ +Analyzed-by: Ying Fang +Signed-off-by: Paolo Bonzini +Tested-by: Ying Fang +Message-Id: <20200407140746.8041-6-pbonzini@redhat.com> +Signed-off-by: Stefan Hajnoczi +Signed-off-by: Bruce Rogers +--- + util/aio-posix.c | 16 ++++++++++++++-- + util/aio-win32.c | 17 ++++++++++++++--- + util/async.c | 16 ++++++++++++---- + 3 files changed, 40 insertions(+), 9 deletions(-) + +diff --git a/util/aio-posix.c b/util/aio-posix.c +index a4977f538ef28d56178267a1795c..fe2a46c439fa1505f5f688274566 100644 +--- a/util/aio-posix.c ++++ b/util/aio-posix.c +@@ -616,6 +616,11 @@ bool aio_poll(AioContext *ctx, bool blocking) + int64_t timeout; + int64_t start = 0; + ++ /* ++ * There cannot be two concurrent aio_poll calls for the same AioContext (or ++ * an aio_poll concurrent with a GSource prepare/check/dispatch callback). ++ * We rely on this below to avoid slow locked accesses to ctx->notify_me. ++ */ + assert(in_aio_context_home_thread(ctx)); + + /* aio_notify can avoid the expensive event_notifier_set if +@@ -626,7 +631,13 @@ bool aio_poll(AioContext *ctx, bool blocking) + * so disable the optimization now. + */ + if (blocking) { +- atomic_add(&ctx->notify_me, 2); ++ atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) + 2); ++ /* ++ * Write ctx->notify_me before computing the timeout ++ * (reading bottom half flags, etc.). Pairs with ++ * smp_mb in aio_notify(). ++ */ ++ smp_mb(); + } + + qemu_lockcnt_inc(&ctx->list_lock); +@@ -671,7 +682,8 @@ bool aio_poll(AioContext *ctx, bool blocking) + } + + if (blocking) { +- atomic_sub(&ctx->notify_me, 2); ++ /* Finish the poll before clearing the flag. 
*/ ++ atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) - 2); + aio_notify_accept(ctx); + } + +diff --git a/util/aio-win32.c b/util/aio-win32.c +index a23b9c364db3a764a3e00c6b62e9..729d533faf4d807e0a5388edd2af 100644 +--- a/util/aio-win32.c ++++ b/util/aio-win32.c +@@ -321,6 +321,12 @@ bool aio_poll(AioContext *ctx, bool blocking) + int count; + int timeout; + ++ /* ++ * There cannot be two concurrent aio_poll calls for the same AioContext (or ++ * an aio_poll concurrent with a GSource prepare/check/dispatch callback). ++ * We rely on this below to avoid slow locked accesses to ctx->notify_me. ++ */ ++ assert(in_aio_context_home_thread(ctx)); + progress = false; + + /* aio_notify can avoid the expensive event_notifier_set if +@@ -331,7 +337,13 @@ bool aio_poll(AioContext *ctx, bool blocking) + * so disable the optimization now. + */ + if (blocking) { +- atomic_add(&ctx->notify_me, 2); ++ atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) + 2); ++ /* ++ * Write ctx->notify_me before computing the timeout ++ * (reading bottom half flags, etc.). Pairs with ++ * smp_mb in aio_notify(). 
++ */ ++ smp_mb(); + } + + qemu_lockcnt_inc(&ctx->list_lock); +@@ -364,8 +376,7 @@ bool aio_poll(AioContext *ctx, bool blocking) + ret = WaitForMultipleObjects(count, events, FALSE, timeout); + if (blocking) { + assert(first); +- assert(in_aio_context_home_thread(ctx)); +- atomic_sub(&ctx->notify_me, 2); ++ atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) - 2); + aio_notify_accept(ctx); + } + +diff --git a/util/async.c b/util/async.c +index b1fa5319e5bc7830d50108f91139..c65c58bbc9f57bf1bbdb6acd5fd1 100644 +--- a/util/async.c ++++ b/util/async.c +@@ -220,7 +220,14 @@ aio_ctx_prepare(GSource *source, gint *timeout) + { + AioContext *ctx = (AioContext *) source; + +- atomic_or(&ctx->notify_me, 1); ++ atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) | 1); ++ ++ /* ++ * Write ctx->notify_me before computing the timeout ++ * (reading bottom half flags, etc.). Pairs with ++ * smp_mb in aio_notify(). ++ */ ++ smp_mb(); + + /* We assume there is no timeout already supplied */ + *timeout = qemu_timeout_ns_to_ms(aio_compute_timeout(ctx)); +@@ -238,7 +245,8 @@ aio_ctx_check(GSource *source) + AioContext *ctx = (AioContext *) source; + QEMUBH *bh; + +- atomic_and(&ctx->notify_me, ~1); ++ /* Finish computing the timeout before clearing the flag. */ ++ atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) & ~1); + aio_notify_accept(ctx); + + for (bh = ctx->first_bh; bh; bh = bh->next) { +@@ -343,10 +351,10 @@ LinuxAioState *aio_get_linux_aio(AioContext *ctx) + void aio_notify(AioContext *ctx) + { + /* Write e.g. bh->scheduled before reading ctx->notify_me. Pairs +- * with atomic_or in aio_ctx_prepare or atomic_add in aio_poll. ++ * with smp_mb in aio_ctx_prepare or aio_poll. + */ + smp_mb(); +- if (ctx->notify_me) { ++ if (atomic_read(&ctx->notify_me)) { + event_notifier_set(&ctx->notifier); + atomic_mb_set(&ctx->notified, true); + } 
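Review bot: The single-writer invariant that makes the relaxed `atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) + 2)` safe is asserted in both aio_poll variants, but the other writers, `aio_ctx_prepare` and `aio_ctx_check` in util/async.c, get no assertion even though the comment added to aio_poll explicitly relies on never running concurrently with them. If the GSource callbacks are indeed always driven from the main thread with the BQL held (which is what `in_aio_context_home_thread(qemu_get_aio_context())` now checks), adding `assert(in_aio_context_home_thread(ctx));` at the top of `aio_ctx_prepare` would enforce that half of the contract as well. The write-side rule is documented on the field in block/aio.h but not at the `atomic_set` in async.c, so a one-liner such as `/* single writer: see the notify_me comment in block/aio.h */` would help readers who only open this file. aio_ctx_check and aio_notify continue outside the hunk.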
diff --git a/block-Avoid-memleak-on-qcow2-image-info-.patch b/block-Avoid-memleak-on-qcow2-image-info-.patch
new file mode 100644
index 0000000..4264609
--- /dev/null
+++ b/block-Avoid-memleak-on-qcow2-image-info-.patch
@@ -0,0 +1,33 @@
+From: Eric Blake
+Date: Fri, 20 Mar 2020 13:36:20 -0500
+Subject: block: Avoid memleak on qcow2 image info failure
+
+Git-commit: 71eaec2e8c7c8d266137b5c5f42da0bd6d6b5eb7
+
+If we fail to get bitmap info, we must not leak the encryption info.
+
+Fixes: b8968c875f403
+Fixes: Coverity CID 1421894
+Signed-off-by: Eric Blake
+Message-Id: <20200320183620.1112123-1-eblake@redhat.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy
+Reviewed-by: Andrey Shinkevich
+Tested-by: Andrey Shinkevich
+Signed-off-by: Max Reitz
+Signed-off-by: Bruce Rogers
+---
+ block/qcow2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/qcow2.c b/block/qcow2.c
+index 7c18721741eacfb7f6c2c1f0efe6..13e118e16f02f371c0f23c7aaa8d 100644
+--- a/block/qcow2.c
++++ b/block/qcow2.c
+@@ -4800,6 +4800,7 @@ static ImageInfoSpecific *qcow2_get_specific_info(BlockDriverState *bs,
+ if (local_err) {
+ error_propagate(errp, local_err);
+ qapi_free_ImageInfoSpecific(spec_info);
++ qapi_free_QCryptoBlockInfo(encrypt_info);
+ return NULL;
+ }
+ *spec_info->u.qcow2.data = (ImageInfoSpecificQCow2){
diff --git a/block-bdrv_set_backing_bs-fix-use-after-.patch b/block-bdrv_set_backing_bs-fix-use-after-.patch
new file mode 100644
index 0000000..b53637f
--- /dev/null
+++ b/block-bdrv_set_backing_bs-fix-use-after-.patch
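Review bot: The added `qapi_free_QCryptoBlockInfo(encrypt_info)` fixes the one error path visible here, but it does so by duplicating cleanup inline next to `qapi_free_ImageInfoSpecific(spec_info)`; if `qcow2_get_specific_info` has further error returns after `encrypt_info` is obtained (the rest of the function is outside this hunk), each of them needs the same pair of frees and the next one added will repeat this leak. A shared `fail:` label that frees both and returns NULL would make later error paths leak-free by construction. Since the qapi_free_* helpers accept NULL, the label can also serve paths taken before `encrypt_info` is assigned, provided it is initialised to NULL at declaration, which is not visible here.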
@@ -0,0 +1,114 @@ +From: Vladimir Sementsov-Ogievskiy +Date: Mon, 16 Mar 2020 09:06:30 +0300 +Subject: block: bdrv_set_backing_bs: fix use-after-free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 6e57963a77df1e275a73dab4c6a7ec9a9d3468d4 + +There is a use-after-free possible: bdrv_unref_child() leaves +bs->backing freed but not NULL. bdrv_attach_child may produce nested +polling loop due to drain, than access of freed pointer is possible. + +I've produced the following crash on 30 iotest with modified code. It +does not reproduce on master, but still seems possible: + + #0 __strcmp_avx2 () at /lib64/libc.so.6 + #1 bdrv_backing_overridden (bs=0x55c9d3cc2060) at block.c:6350 + #2 bdrv_refresh_filename (bs=0x55c9d3cc2060) at block.c:6404 + #3 bdrv_backing_attach (c=0x55c9d48e5520) at block.c:1063 + #4 bdrv_replace_child_noperm + (child=child@entry=0x55c9d48e5520, + new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2290 + #5 bdrv_replace_child + (child=child@entry=0x55c9d48e5520, + new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2320 + #6 bdrv_root_attach_child + (child_bs=child_bs@entry=0x55c9d3cc2060, + child_name=child_name@entry=0x55c9d241d478 "backing", + child_role=child_role@entry=0x55c9d26ecee0 , + ctx=, perm=, shared_perm=21, + opaque=0x55c9d3c5a3d0, errp=0x7ffd117108e0) at block.c:2424 + #7 bdrv_attach_child + (parent_bs=parent_bs@entry=0x55c9d3c5a3d0, + child_bs=child_bs@entry=0x55c9d3cc2060, + child_name=child_name@entry=0x55c9d241d478 "backing", + child_role=child_role@entry=0x55c9d26ecee0 , + errp=errp@entry=0x7ffd117108e0) at block.c:5876 + #8 in bdrv_set_backing_hd + (bs=bs@entry=0x55c9d3c5a3d0, + backing_hd=backing_hd@entry=0x55c9d3cc2060, + errp=errp@entry=0x7ffd117108e0) + at block.c:2576 + #9 stream_prepare (job=0x55c9d49d84a0) at block/stream.c:150 + #10 job_prepare (job=0x55c9d49d84a0) at job.c:761 + #11 job_txn_apply (txn=, fn=) at + job.c:145 + #12 job_do_finalize (job=0x55c9d49d84a0) at 
job.c:778 + #13 job_completed_txn_success (job=0x55c9d49d84a0) at job.c:832 + #14 job_completed (job=0x55c9d49d84a0) at job.c:845 + #15 job_completed (job=0x55c9d49d84a0) at job.c:836 + #16 job_exit (opaque=0x55c9d49d84a0) at job.c:864 + #17 aio_bh_call (bh=0x55c9d471a160) at util/async.c:117 + #18 aio_bh_poll (ctx=ctx@entry=0x55c9d3c46720) at util/async.c:117 + #19 aio_poll (ctx=ctx@entry=0x55c9d3c46720, + blocking=blocking@entry=true) + at util/aio-posix.c:728 + #20 bdrv_parent_drained_begin_single (poll=true, c=0x55c9d3d558f0) + at block/io.c:121 + #21 bdrv_parent_drained_begin_single (c=c@entry=0x55c9d3d558f0, + poll=poll@entry=true) + at block/io.c:114 + #22 bdrv_replace_child_noperm + (child=child@entry=0x55c9d3d558f0, + new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2258 + #23 bdrv_replace_child + (child=child@entry=0x55c9d3d558f0, + new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2320 + #24 bdrv_root_attach_child + (child_bs=child_bs@entry=0x55c9d3d27300, + child_name=child_name@entry=0x55c9d241d478 "backing", + child_role=child_role@entry=0x55c9d26ecee0 , + ctx=, perm=, shared_perm=21, + opaque=0x55c9d3cc2060, errp=0x7ffd11710c60) at block.c:2424 + #25 bdrv_attach_child + (parent_bs=parent_bs@entry=0x55c9d3cc2060, + child_bs=child_bs@entry=0x55c9d3d27300, + child_name=child_name@entry=0x55c9d241d478 "backing", + child_role=child_role@entry=0x55c9d26ecee0 , + errp=errp@entry=0x7ffd11710c60) at block.c:5876 + #26 bdrv_set_backing_hd + (bs=bs@entry=0x55c9d3cc2060, + backing_hd=backing_hd@entry=0x55c9d3d27300, + errp=errp@entry=0x7ffd11710c60) + at block.c:2576 + #27 stream_prepare (job=0x55c9d495ead0) at block/stream.c:150 + ... 
+ +Signed-off-by: Vladimir Sementsov-Ogievskiy +Message-Id: <20200316060631.30052-2-vsementsov@virtuozzo.com> +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: John Snow +Signed-off-by: Max Reitz +Signed-off-by: Bruce Rogers +--- + block.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block.c b/block.c +index 8539f99ac47cdbf0e9b823751074..3d0134f00b55e0400efc70058d00 100644 +--- a/block.c ++++ b/block.c +@@ -2577,10 +2577,10 @@ void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd, + + if (bs->backing) { + bdrv_unref_child(bs, bs->backing); ++ bs->backing = NULL; + } + + if (!backing_hd) { +- bs->backing = NULL; + goto out; + } + diff --git a/bundles.tar.xz b/bundles.tar.xz index e0bd16e..b3e2e2f 100644 --- a/bundles.tar.xz +++ b/bundles.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:8f2312cc7d4811cb10363273c211a6fcf58361e401b7b0c9824c9ed22c4ce898 -size 121876 +oid sha256:f7fba468b339538a09628a5a0b4521cd094b49037c1c7be7148a8c54330876ba +size 150040 diff --git a/config.sh b/config.sh index 02da362..5e469f9 100644 --- a/config.sh +++ b/config.sh @@ -67,6 +67,17 @@ LOCAL_REPO_MAP=( ~/git/qemu-edk2-openssl-pyca-cryptography ) +# TEMPORARY! FOR NOW WE REQUIRE THESE LOCALLY TO DO WORK ON PACKAGE +REQUIRED_LOCAL_REPO_MAP=( + ~/git/qemu-opensuse + ~/git/qemu-seabios + ~/git/qemu-ipxe + ~/git/qemu-sgabios + ~/git/qemu-keycodemapdb + ~/git/qemu-slirp + ~/git/qemu-qboot +) + PATCH_PATH_MAP=( "" "roms/seabios/" diff --git a/configure-remove-pkgversion-from-CONFIG_.patch b/configure-remove-pkgversion-from-CONFIG_.patch new file mode 100644 index 0000000..f273a1d --- /dev/null +++ b/configure-remove-pkgversion-from-CONFIG_.patch 
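Review bot: Moving `bs->backing = NULL` directly after `bdrv_unref_child()` is the right fix, but nothing at the call site says why the ordering matters, and the next person reorganising this code will not see the crash trace in the commit message. I would add a short comment above the assignment, e.g. `/* bdrv_unref_child() frees the child but leaves bs->backing dangling; clear it before bdrv_attach_child() below, which may poll and re-enter code that reads it */`. bdrv_set_backing_hd continues outside the hunk, so the later `bdrv_attach_child()` call this protects is not visible here.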
@@ -0,0 +1,32 @@
+From: Bruce Rogers
+Date: Fri, 17 Apr 2020 13:07:37 -0600
+Subject: configure: remove $pkgversion from CONFIG_STAMP input to broaden
+ compatibility
+
+As part of the effort to close the gap with Leap I think we are fine
+removing the $pkgversion component to creating a unique CONFIG_STAMP.
+This stamp is only used in creating a unique symbol used in ensuring the
+dynamically loaded modules correspond correctly to the loading qemu.
+The default inputs to producing this unique symbol are somewhat reasonable
+as a generic mechanism, but specific packaging and maintenance practices
+might require the default to be modified for best use. This is an example
+of that.
+
+Signed-off-by: Bruce Rogers
+---
+ configure | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure b/configure
+index 94984691ab378620ac2e0ae771ca..c68e378776336748b227013a1a3f 100755
+--- a/configure
++++ b/configure
+@@ -6811,7 +6811,7 @@ fi
+ if test "$modules" = "yes"; then
+ # $shacmd can generate a hash started with digit, which the compiler doesn't
+ # like as an symbol. So prefix it with an underscore
+- echo "CONFIG_STAMP=_$( (echo $qemu_version; echo $pkgversion; cat $0) | $shacmd - | cut -f1 -d\ )" >> $config_host_mak
++ echo "CONFIG_STAMP=_$( (echo $qemu_version; cat $0) | $shacmd - | cut -f1 -d\ )" >> $config_host_mak
+ echo "CONFIG_MODULES=y" >> $config_host_mak
+ fi
+ if test "$have_x11" = "yes" && test "$need_x11" = "yes"; then
diff --git a/hmp-vnc-Fix-info-vnc-list-leak.patch b/hmp-vnc-Fix-info-vnc-list-leak.patch
new file mode 100644
index 0000000..2921f74
--- /dev/null
+++ b/hmp-vnc-Fix-info-vnc-list-leak.patch
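Review bot: Dropping `$pkgversion` from the CONFIG_STAMP input deliberately weakens the module/binary matching: a module built from a different package revision of the same `$qemu_version` with an unchanged configure script now carries the same symbol and is accepted by the loader, where before it was rejected. That is the stated intent, but the only comment in the block explains the leading underscore, so the trade-off is invisible to the next maintainer; I would record it beside the line, e.g. `# $pkgversion is intentionally not part of the stamp so that modules from different package builds of the same qemu_version interoperate (see patch description)`. The `if test "$modules"` block is fully visible, but the stamp is consumed elsewhere, so whether other inputs (compiler flags, enabled features) ought to be folded in as well cannot be judged from this hunk.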
@@ -0,0 +1,46 @@ +From: "Dr. David Alan Gilbert" +Date: Mon, 23 Mar 2020 12:08:22 +0000 +Subject: hmp/vnc: Fix info vnc list leak + +Git-commit: d4ff109373ce871928c7e9ef648973eba642b484 + +We're iterating the list, and then freeing the iteration pointer rather +than the list head. + +Fixes: 0a9667ecdb6d ("hmp: Update info vnc") +Reported-by: Coverity (CID 1421932) +Signed-off-by: Dr. David Alan Gilbert +Message-Id: <20200323120822.51266-1-dgilbert@redhat.com> +Reviewed-by: Peter Maydell +Signed-off-by: Dr. David Alan Gilbert +Signed-off-by: Bruce Rogers +--- + monitor/hmp-cmds.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c +index b2551c16d129291068ce64b5f1fd..2fdc84ec995449b5139a89575e18 100644 +--- a/monitor/hmp-cmds.c ++++ b/monitor/hmp-cmds.c +@@ -729,10 +729,11 @@ static void hmp_info_vnc_servers(Monitor *mon, VncServerInfo2List *server) + + void hmp_info_vnc(Monitor *mon, const QDict *qdict) + { +- VncInfo2List *info2l; ++ VncInfo2List *info2l, *info2l_head; + Error *err = NULL; + + info2l = qmp_query_vnc_servers(&err); ++ info2l_head = info2l; + if (err) { + hmp_handle_error(mon, &err); + return; +@@ -761,7 +762,7 @@ void hmp_info_vnc(Monitor *mon, const QDict *qdict) + info2l = info2l->next; + } + +- qapi_free_VncInfo2List(info2l); ++ qapi_free_VncInfo2List(info2l_head); + + } + #endif diff --git a/hw-i386-disable-smbus-migration-for-xenf.patch b/hw-i386-disable-smbus-migration-for-xenf.patch index 3544ba8..8053484 100644 --- a/hw-i386-disable-smbus-migration-for-xenf.patch +++ b/hw-i386-disable-smbus-migration-for-xenf.patch @@ -23,23 +23,21 @@ Adjust 'xenfv' to stay compatible with with 'pc-i440fx-3.1': Signed-off-by: Olaf Hering Signed-off-by: Bruce Rogers +[BR: Adjust implementation to simply call pc_i440fx_3_1_machine_options] --- - hw/i386/pc_piix.c | 5 +++++ - 1 file changed, 5 insertions(+) + hw/i386/pc_piix.c | 2 ++ + 1 file changed, 2 insertions(+) 
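Review bot: Introducing `info2l_head` purely to remember the list head works, but it is fragile: `info2l` is still advanced in place and the `info2l_head = info2l;` assignment sits before the error check, so the two names have to be kept in sync by hand on every future edit. The more conventional shape is to leave `info2l` as the owning pointer and walk the list with a separate cursor, e.g. `for (VncInfo2List *info = info2l; info; info = info->next)`, which lets the original `qapi_free_VncInfo2List(info2l)` stand unchanged and removes the second variable. The loop body between the two hunks, including the `info2l = info2l->next;` step, is partly outside the hunk, so that rewrite touches lines not shown here.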
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c -index d760d3589607daf4997ea76854c4..7bf1021200a3baa06a58fa36c430 100644 +index d760d3589607daf4997ea76854c4..000e692d0e5af449270214ea9345 100644 --- a/hw/i386/pc_piix.c +++ b/hw/i386/pc_piix.c -@@ -1043,6 +1043,11 @@ DEFINE_PC_MACHINE(isapc, "isapc", pc_init_isa, +@@ -1043,6 +1043,8 @@ DEFINE_PC_MACHINE(isapc, "isapc", pc_init_isa, #ifdef CONFIG_XEN static void xenfv_machine_options(MachineClass *m) { + /* compat with pc_i440fx_3_1_machine_options */ -+ PCMachineClass *pcmc = PC_MACHINE_CLASS(m); -+ pcmc->do_not_add_smb_acpi = true; -+ m->smbus_no_migration_support = true; -+ pcmc->pvh_enabled = false; /* FIXME */ ++ pc_i440fx_3_1_machine_options(m); m->desc = "Xen Fully-virtualized PC"; m->max_cpus = HVM_MAX_VCPUS; m->default_machine_opts = "accel=xen"; diff --git a/iscsi-Cap-block-count-from-GET-LBA-STATU.patch b/iscsi-Cap-block-count-from-GET-LBA-STATU.patch index aff4e2c..b55365a 100644 --- a/iscsi-Cap-block-count-from-GET-LBA-STATU.patch +++ b/iscsi-Cap-block-count-from-GET-LBA-STATU.patch @@ -3,6 +3,7 @@ Date: Thu, 23 Jan 2020 12:44:59 +0000 Subject: iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711) Git-commit: 693fd2acdf14dd86c0bf852610f1c2cca80a74dc +References: bsc#1166240, CVE-2020-1711 When querying an iSCSI server for the provisioning status of blocks (via GET LBA STATUS), Qemu only validates that the response descriptor zero's diff --git a/migration-colo-fix-use-after-free-of-loc.patch b/migration-colo-fix-use-after-free-of-loc.patch new file mode 100644 index 0000000..1eb189a --- /dev/null +++ b/migration-colo-fix-use-after-free-of-loc.patch 
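Review bot: Replacing the three explicit assignments with `pc_i440fx_3_1_machine_options(m)` pins xenfv to everything that helper and its callees set, presumably the full 3.1 compat chain rather than just the SMBus/PVH fields the previous version of this patch named, and the comment `/* compat with pc_i440fx_3_1_machine_options */` does not say that this wider inheritance is intended; I would make it `/* inherit the complete pc-i440fx-3.1 compat set; the fields below override it */`. Because the call is the first statement, the following `m->desc`, `m->max_cpus` and `m->default_machine_opts` assignments still win, but any field later added to xenfv_machine_options after the call would silently override a compat setting, so the ordering deserves that one sentence. The rest of xenfv_machine_options is outside the hunk.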
@@ -0,0 +1,31 @@
+From: Vladimir Sementsov-Ogievskiy
+Date: Tue, 24 Mar 2020 18:36:28 +0300
+Subject: migration/colo: fix use after free of local_err
+
+Git-commit: 27d07fcfa70c3afa0664288cbce5334ed9595a3a
+
+local_err is used again in secondary_vm_do_failover() after
+replication_stop_all(), so we must zero it. Otherwise try to set
+non-NULL local_err will crash.
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy
+Message-Id: <20200324153630.11882-5-vsementsov@virtuozzo.com>
+Reviewed-by: Dr. David Alan Gilbert
+Signed-off-by: Dr. David Alan Gilbert
+Signed-off-by: Bruce Rogers
+---
+ migration/colo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/migration/colo.c b/migration/colo.c
+index 2c88aa57a29307963a15fc017b1d..6d46800aa6a2617521a36cc0dc33 100644
+--- a/migration/colo.c
++++ b/migration/colo.c
+@@ -92,6 +92,7 @@ static void secondary_vm_do_failover(void)
+ replication_stop_all(true, &local_err);
+ if (local_err) {
+ error_report_err(local_err);
++ local_err = NULL;
+ }
+
+ /* Notify all filters of all NIC to do checkpoint */
diff --git a/migration-ram-fix-use-after-free-of-loca.patch b/migration-ram-fix-use-after-free-of-loca.patch
new file mode 100644
index 0000000..604cc3e
--- /dev/null
+++ b/migration-ram-fix-use-after-free-of-loca.patch
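Review bot: Resetting `local_err = NULL` after `error_report_err()` is correct because that helper frees the Error, but the reason is not obvious at the call site and the same one-line fix is landing in several files, so a comment such as `/* error_report_err() freed it; clear so the next &local_err call does not hand out a dangling pointer */` would help. A more robust shape is to give each independent call its own block-scoped `Error *err = NULL;`, so a forgotten reset cannot alias a freed object. The rest of `secondary_vm_do_failover` is outside the hunk, so the later call that reuses `local_err` is not visible here.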
@@ -0,0 +1,31 @@
+From: Vladimir Sementsov-Ogievskiy
+Date: Tue, 24 Mar 2020 18:36:29 +0300
+Subject: migration/ram: fix use after free of local_err
+
+Git-commit: b4a1733c5e6827c72b0dcfa295e07ef7b1ebccff
+
+local_err is used again in migration_bitmap_sync_precopy() after
+precopy_notify(), so we must zero it. Otherwise try to set
+non-NULL local_err will crash.
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy
+Message-Id: <20200324153630.11882-6-vsementsov@virtuozzo.com>
+Reviewed-by: Dr. David Alan Gilbert
+Signed-off-by: Dr. David Alan Gilbert
+Signed-off-by: Bruce Rogers
+---
+ migration/ram.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/migration/ram.c b/migration/ram.c
+index b6de7d1d5552a0aa39b0d232c2d6..c44542175da044c78ef8dc0ce612 100644
+--- a/migration/ram.c
++++ b/migration/ram.c
+@@ -1906,6 +1906,7 @@ static void migration_bitmap_sync_precopy(RAMState *rs)
+ */
+ if (precopy_notify(PRECOPY_NOTIFY_BEFORE_BITMAP_SYNC, &local_err)) {
+ error_report_err(local_err);
++ local_err = NULL;
+ }
+
+ migration_bitmap_sync(rs);
diff --git a/net-tulip-check-frame-size-and-r-w-data-.patch b/net-tulip-check-frame-size-and-r-w-data-.patch
new file mode 100644
index 0000000..1f1e9ec
--- /dev/null
+++ b/net-tulip-check-frame-size-and-r-w-data-.patch
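Review bot: The `local_err = NULL;` reset after `error_report_err()` is necessary because the helper frees the Error, but the hunk gives no hint of that, and the preceding `*/` shows the function's body (and any other `&local_err` use) lies outside the hunk. A why-comment on the reset, e.g. `/* freed by error_report_err(); reset before local_err is passed out again */`, or a block-scoped `Error *err = NULL;` dedicated to the `precopy_notify()` call, would make the lifetime explicit and prevent the same bug from reappearing when another caller is added to this function.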
@@ -0,0 +1,144 @@ +From: Prasad J Pandit +Date: Tue, 24 Mar 2020 22:57:22 +0530 +Subject: net: tulip: check frame size and r/w data length + +Git-commit: 8ffb7265af64ec81748335ec8f20e7ab542c3850 +References: bsc#1168713, CVE-2020-11102 + +Tulip network driver while copying tx/rx buffers does not check +frame size against r/w data length. This may lead to OOB buffer +access. Add check to avoid it. + +Limit iterations over descriptors to avoid potential infinite +loop issue in tulip_xmit_list_update. + +Reported-by: Li Qiang +Reported-by: Ziming Zhang +Reported-by: Jason Wang +Tested-by: Li Qiang +Reviewed-by: Li Qiang +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +Signed-off-by: Bruce Rogers +--- + hw/net/tulip.c | 36 +++++++++++++++++++++++++++--------- + 1 file changed, 27 insertions(+), 9 deletions(-) + +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index f85f54341fab635a4d5756a6c444..1167c1bb07d74783f3fa47b01996 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) + } else { + len = s->rx_frame_len; + } ++ ++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { ++ return; ++ } + pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame + + (s->rx_frame_size - s->rx_frame_len), len); + s->rx_frame_len -= len; +@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) + } else { + len = s->rx_frame_len; + } ++ ++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { ++ return; ++ } + pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame + + (s->rx_frame_size - s->rx_frame_len), len); + s->rx_frame_len -= len; +@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t *buf, size_t size) + + trace_tulip_receive(buf, size); + +- if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) { ++ if (size < 14 || size > sizeof(s->rx_frame) - 4 ++ || s->rx_frame_len || tulip_rx_stopped(s)) { + return 0; 
+ } + +@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc, + return tulip_receive(qemu_get_nic_opaque(nc), buf, size); + } + +- + static NetClientInfo net_tulip_info = { + .type = NET_CLIENT_DRIVER_NIC, + .size = sizeof(NICState), +@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) + if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) { + /* Internal or external Loopback */ + tulip_receive(s, s->tx_frame, s->tx_frame_len); +- } else { ++ } else if (s->tx_frame_len <= sizeof(s->tx_frame)) { + qemu_send_packet(qemu_get_queue(s->nic), + s->tx_frame, s->tx_frame_len); + } +@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) + } + } + +-static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) ++static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) + { + int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK; + int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK; + ++ if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) { ++ return -1; ++ } + if (len1) { + pci_dma_read(&s->dev, desc->buf_addr1, + s->tx_frame + s->tx_frame_len, len1); + s->tx_frame_len += len1; + } + ++ if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) { ++ return -1; ++ } + if (len2) { + pci_dma_read(&s->dev, desc->buf_addr2, + s->tx_frame + s->tx_frame_len, len2); + s->tx_frame_len += len2; + } + desc->status = (len1 + len2) ? 
0 : 0x7fffffff; ++ ++ return 0; + } + + static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n) +@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s) + + static void tulip_xmit_list_update(TULIPState *s) + { ++#define TULIP_DESC_MAX 128 ++ uint8_t i = 0; + struct tulip_descriptor desc; + + if (tulip_ts(s) != CSR5_TS_SUSPENDED) { + return; + } + +- for (;;) { ++ for (i = 0; i < TULIP_DESC_MAX; i++) { + tulip_desc_read(s, s->current_tx_desc, &desc); + tulip_dump_tx_descriptor(s, &desc); + +@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s) + s->tx_frame_len = 0; + } + +- tulip_copy_tx_buffers(s, &desc); +- +- if (desc.control & TDES1_LS) { +- tulip_tx(s, &desc); ++ if (!tulip_copy_tx_buffers(s, &desc)) { ++ if (desc.control & TDES1_LS) { ++ tulip_tx(s, &desc); ++ } + } + } + tulip_desc_write(s, s->current_tx_desc, &desc); diff --git a/ppc-ppc405_boards-Remove-unnecessary-NUL.patch b/ppc-ppc405_boards-Remove-unnecessary-NUL.patch new file mode 100644 index 0000000..0a9f319 --- /dev/null +++ b/ppc-ppc405_boards-Remove-unnecessary-NUL.patch 
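Review bot: The two new rx bounds checks in `tulip_copy_rx_bytes` test `s->rx_frame_len + len > sizeof(s->rx_frame)`, but the pci_dma_write they guard reads from offset `s->rx_frame_size - s->rx_frame_len`, and `len` is already clamped to `s->rx_frame_len` by the preceding if/else; if rx_frame_len is the count of bytes still to deliver (which the offset arithmetic and the `-= len` suggest), the bound that matters for the access is `s->rx_frame_size <= sizeof(s->rx_frame)`, which the `size > sizeof(s->rx_frame) - 4` test in tulip_receive already enforces. As written, the condition also fires for a legitimate frame larger than half the buffer delivered into a single large guest buffer (e.g. 1504 bytes remaining into a 1536-byte buffer), and the early `return` leaves rx_frame_len non-zero, after which tulip_receive refuses every further frame because of its `s->rx_frame_len ||` test — a self-inflicted RX stall for the guest. I would make the check match the access, `if (s->rx_frame_size - s->rx_frame_len + len > sizeof(s->rx_frame)) return;`, or at minimum reset `s->rx_frame_len = 0` on the bail-out path; this needs confirming against the rx_frame_size assignment in tulip_receive, which is outside the hunk. Separately, `#define TULIP_DESC_MAX 128` inside the body of tulip_xmit_list_update belongs at file scope with the other constants.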
@@ -0,0 +1,55 @@ +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 20 Mar 2020 16:57:40 +0100 +Subject: ppc/ppc405_boards: Remove unnecessary NULL check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 1583794b9b36911df116cc726750dadbeeac506a + +This code is inside the "if (dinfo)" condition, so testing +again here whether it is NULL is unnecessary. + +Fixes: dd59bcae7 (Don't size flash memory to match backing image) +Reported-by: Coverity (CID 1421917) +Suggested-by: Peter Maydell +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20200320155740.5342-1-philmd@redhat.com> +Reviewed-by: Markus Armbruster +Signed-off-by: David Gibson +Signed-off-by: Bruce Rogers +--- + hw/ppc/ppc405_boards.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/ppc/ppc405_boards.c b/hw/ppc/ppc405_boards.c +index 1f721feed6a4bfc128187aefb5d9..556f3a80ec1ddbc018e00941c5c5 100644 +--- a/hw/ppc/ppc405_boards.c ++++ b/hw/ppc/ppc405_boards.c +@@ -184,7 +184,7 @@ static void ref405ep_init(MachineState *machine) + bios_size = 8 * MiB; + pflash_cfi02_register((uint32_t)(-bios_size), + "ef405ep.bios", bios_size, +- dinfo ? blk_by_legacy_dinfo(dinfo) : NULL, ++ blk_by_legacy_dinfo(dinfo), + 64 * KiB, 1, + 2, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA, + 1); +@@ -450,7 +450,7 @@ static void taihu_405ep_init(MachineState *machine) + bios_size = 2 * MiB; + pflash_cfi02_register(0xFFE00000, + "taihu_405ep.bios", bios_size, +- dinfo ? blk_by_legacy_dinfo(dinfo) : NULL, ++ blk_by_legacy_dinfo(dinfo), + 64 * KiB, 1, + 4, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA, + 1); +@@ -486,7 +486,7 @@ static void taihu_405ep_init(MachineState *machine) + if (dinfo) { + bios_size = 32 * MiB; + pflash_cfi02_register(0xfc000000, "taihu_405ep.flash", bios_size, +- dinfo ? blk_by_legacy_dinfo(dinfo) : NULL, ++ blk_by_legacy_dinfo(dinfo), + 64 * KiB, 1, + 4, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA, + 1); 
diff --git a/qcow2-List-autoclear-bit-names-in-header.patch b/qcow2-List-autoclear-bit-names-in-header.patch new file mode 100644 index 0000000..0f2e394 --- /dev/null +++ b/qcow2-List-autoclear-bit-names-in-header.patch 
@@ -0,0 +1,200 @@ +From: Eric Blake +Date: Tue, 24 Mar 2020 12:42:31 -0500 +Subject: qcow2: List autoclear bit names in header + +Git-commit bb40ebce2cb0bd4bf37968074d43d5a864fb6dee + +The feature table is supposed to advertise the name of all feature +bits that we support; however, we forgot to update the table for +autoclear bits. While at it, move the table to read-only memory in +code, and tweak the qcow2 spec to name the second autoclear bit. +Update iotests that are affected by the longer header length. + +Fixes: 88ddffae +Fixes: 93c24936 +Signed-off-by: Eric Blake +Reviewed-by: Vladimir Sementsov-Ogievskiy +Message-Id: <20200324174233.1622067-3-eblake@redhat.com> +Signed-off-by: Max Reitz +Signed-off-by: Bruce Rogers +--- + block/qcow2.c | 12 +++++++++++- + docs/interop/qcow2.txt | 3 ++- + tests/qemu-iotests/031.out | 8 ++++---- + tests/qemu-iotests/036.out | 4 ++-- + tests/qemu-iotests/061.out | 14 +++++++------- + 5 files changed, 26 insertions(+), 15 deletions(-) + +diff --git a/block/qcow2.c b/block/qcow2.c +index 13e118e16f02f371c0f23c7aaa8d..77edd98be6fbaf0949dcb7755e48 100644 +--- a/block/qcow2.c ++++ b/block/qcow2.c +@@ -2822,7 +2822,7 @@ int qcow2_update_header(BlockDriverState *bs) + + /* Feature table */ + if (s->qcow_version >= 3) { +- Qcow2Feature features[] = { ++ static const Qcow2Feature features[] = { + { + .type = QCOW2_FEAT_TYPE_INCOMPATIBLE, + .bit = QCOW2_INCOMPAT_DIRTY_BITNR, +@@ -2843,6 +2843,16 @@ int qcow2_update_header(BlockDriverState *bs) + .bit = QCOW2_COMPAT_LAZY_REFCOUNTS_BITNR, + .name = "lazy refcounts", + }, ++ { ++ .type = QCOW2_FEAT_TYPE_AUTOCLEAR, ++ .bit = QCOW2_AUTOCLEAR_BITMAPS_BITNR, ++ .name = "bitmaps", ++ }, ++ { ++ .type = QCOW2_FEAT_TYPE_AUTOCLEAR, ++ .bit = QCOW2_AUTOCLEAR_DATA_FILE_RAW_BITNR, ++ .name = "raw external data", ++ }, + }; + + ret = header_ext_add(buf, QCOW2_EXT_MAGIC_FEATURE_TABLE, +diff --git a/docs/interop/qcow2.txt b/docs/interop/qcow2.txt +index 
af5711e5337191d2c01932b0b3d0..8510d74c807927b86cf76a0f6cb8 100644 +--- a/docs/interop/qcow2.txt ++++ b/docs/interop/qcow2.txt +@@ -138,7 +138,8 @@ in the description of a field. + bit is unset, the bitmaps extension data must be + considered inconsistent. + +- Bit 1: If this bit is set, the external data file can ++ Bit 1: Raw external data bit ++ If this bit is set, the external data file can + be read as a consistent standalone raw image + without looking at the qcow2 metadata. + +diff --git a/tests/qemu-iotests/031.out b/tests/qemu-iotests/031.out +index 68a74d03b9971ea8946e8fce41d6..f1941300d817ef1026046891c4df 100644 +--- a/tests/qemu-iotests/031.out ++++ b/tests/qemu-iotests/031.out +@@ -117,7 +117,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + Header extension: +@@ -150,7 +150,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + Header extension: +@@ -164,7 +164,7 @@ No errors were found on the image. 
+ + magic 0x514649fb + version 3 +-backing_file_offset 0x178 ++backing_file_offset 0x1d8 + backing_file_size 0x17 + cluster_bits 16 + size 67108864 +@@ -188,7 +188,7 @@ data 'host_device' + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + Header extension: +diff --git a/tests/qemu-iotests/036.out b/tests/qemu-iotests/036.out +index e489b443866c515b42be344a9b85..3c19fa1edee7aeee1589a1c68366 100644 +--- a/tests/qemu-iotests/036.out ++++ b/tests/qemu-iotests/036.out +@@ -58,7 +58,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + +@@ -86,7 +86,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + *** done +diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out +index d6a7c2af95f2dcff314f425fd6a3..f98c098b5431072d4e54de1475cc 100644 +--- a/tests/qemu-iotests/061.out ++++ b/tests/qemu-iotests/061.out +@@ -26,7 +26,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + magic 0x514649fb +@@ -84,7 +84,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + magic 0x514649fb +@@ -140,7 +140,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + ERROR cluster 5 refcount=0 reference=1 +@@ -195,7 +195,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + magic 0x514649fb +@@ -264,7 +264,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + read 65536/65536 bytes at offset 44040192 +@@ -298,7 +298,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + ERROR cluster 5 refcount=0 reference=1 +@@ -327,7 +327,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + read 131072/131072 bytes at offset 0 
diff --git a/qemu.changes b/qemu.changes index b2c3609..304d8a3 100644 --- a/qemu.changes +++ b/qemu.changes 
@@ -1,3 +1,68 @@ +------------------------------------------------------------------- +Fri Apr 17 19:23:38 UTC 2020 - Bruce Rogers + +- Include upstream patches targeted for the next stable release + (bug fixes only) + spapr-Fix-failure-path-for-attempting-to.patch + target-i386-do-not-set-unsupported-VMX-s.patch + target-xtensa-fix-pasto-in-pfwait.r-opco.patch + tcg-i386-Fix-INDEX_op_dup2_vec.patch + tcg-mips-mips-sync-encode-error.patch + vhost-user-gpu-Release-memory-returned-b.patch + vpc-Don-t-round-up-already-aligned-BAT-s.patch + xen-block-Fix-double-qlist-remove-and-re.patch +- Fix bug causing weak encryption in PAuth for ARM + (CVE-2020-10702 bsc#1168681) + target-arm-Fix-PAuth-sbox-functions.patch +- Fix OOB in tulip NIC emulation (CVE-2020-11102 bsc#1168713 + net-tulip-check-frame-size-and-r-w-data-.patch +- Note that previously included patch addresses CVE-2020-1711 + and bsc#1166240 + iscsi-Cap-block-count-from-GET-LBA-STATU.patch +- Include performance improvement (and related?) patch + aio-wait-delegate-polling-of-main-AioCon.patch + async-use-explicit-memory-barriers.patch +- Rework previous patch at Olaf H.'s direction + hw-i386-disable-smbus-migration-for-xenf.patch +- Eliminate is_opensuse usage in producing seabios version string + what we are doing here is just replacing the upstream string + with one indicating that the openSUSE build service built it, + and so just leave it as "-rebuilt.opensuse.org" +- Alter algorithm used to produce "unique" symbol for coordinating + qemu with the optional modules it may load. 
This is a reasonable + relaxation for broader compatibility + configure-remove-pkgversion-from-CONFIG_.patch +- Tweak supported.*.txt for latest deprecations, and other fixes +- Tweak update_git.sh, config.sh + +------------------------------------------------------------------- +Mon Apr 6 14:29:50 UTC 2020 - Bruce Rogers + +- One more fix is needed for: s390x Protected Virtualization support + - start and control guest in secure mode (bsc#1167075 jsc#SLE-7407) + s390x-s390-virtio-ccw-Fix-build-on-syste.patch + +------------------------------------------------------------------- +Thu Mar 26 18:28:03 UTC 2020 - Bruce Rogers + +- Include upstream patches targeted for the next stable release + (bug fixes only) + block-Avoid-memleak-on-qcow2-image-info-.patch + block-bdrv_set_backing_bs-fix-use-after-.patch + hmp-vnc-Fix-info-vnc-list-leak.patch + migration-colo-fix-use-after-free-of-loc.patch + migration-ram-fix-use-after-free-of-loca.patch + ppc-ppc405_boards-Remove-unnecessary-NUL.patch + qcow2-List-autoclear-bit-names-in-header.patch + scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch + sheepdog-Consistently-set-bdrv_has_zero_.patch + +------------------------------------------------------------------- +Tue Mar 24 13:22:36 UTC 2020 - Bruce Rogers + +- Note The previous set of s390x patches also includes the fix for: + bsc#1167445 + ------------------------------------------------------------------- Fri Mar 20 17:27:29 UTC 2020 - Bruce Rogers diff --git a/qemu.spec b/qemu.spec index 6e0f0eb..7bd2a9e 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -203,76 +203,99 @@ Patch00072: block-qcow2-threads-fix-qcow2_decompress.patch Patch00073: job-refactor-progress-to-separate-object.patch Patch00074: block-block-copy-fix-progress-calculatio.patch Patch00075: block-io-fix-bdrv_co_do_copy_on_readv.patch -Patch00076: target-ppc-Fix-rlwinm-on-ppc64.patch -Patch00077: compat-disable-edid-on-correct-virtio-gp.patch -Patch00078: XXX-dont-dump-core-on-sigabort.patch -Patch00079: qemu-binfmt-conf-Modify-default-path.patch -Patch00080: qemu-cvs-gettimeofday.patch -Patch00081: qemu-cvs-ioctl_debug.patch -Patch00082: qemu-cvs-ioctl_nodirection.patch -Patch00083: linux-user-add-binfmt-wrapper-for-argv-0.patch -Patch00084: PPC-KVM-Disable-mmu-notifier-check.patch -Patch00085: linux-user-binfmt-support-host-binaries.patch -Patch00086: linux-user-Fake-proc-cpuinfo.patch -Patch00087: linux-user-use-target_ulong.patch -Patch00088: Make-char-muxer-more-robust-wrt-small-FI.patch -Patch00089: linux-user-lseek-explicitly-cast-non-set.patch -Patch00090: AIO-Reduce-number-of-threads-for-32bit-h.patch -Patch00091: xen_disk-Add-suse-specific-flush-disable.patch -Patch00092: qemu-bridge-helper-reduce-security-profi.patch -Patch00093: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch -Patch00094: linux-user-properly-test-for-infinite-ti.patch -Patch00095: roms-Makefile-pass-a-packaging-timestamp.patch -Patch00096: Raise-soft-address-space-limit-to-hard-l.patch -Patch00097: increase-x86_64-physical-bits-to-42.patch -Patch00098: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch -Patch00099: i8254-Fix-migration-from-SLE11-SP2.patch -Patch00100: acpi_piix4-Fix-migration-from-SLE11-SP2.patch -Patch00101: Switch-order-of-libraries-for-mpath-supp.patch -Patch00102: Make-installed-scripts-explicitly-python.patch -Patch00103: hw-smbios-handle-both-file-formats-regar.patch -Patch00104: xen-add-block-resize-support-for-xen-dis.patch -Patch00105: tests-qemu-iotests-Triple-timeout-of-i-o.patch -Patch00106: tests-Fix-block-tests-to-be-compatible-w.patch 
-Patch00107: xen-ignore-live-parameter-from-xen-save-.patch -Patch00108: Conditionalize-ui-bitmap-installation-be.patch -Patch00109: tests-change-error-message-in-test-162.patch -Patch00110: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch -Patch00111: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch -Patch00112: hw-intc-exynos4210_gic-provide-more-room.patch -Patch00113: configure-only-populate-roms-if-softmmu.patch -Patch00114: pc-bios-s390-ccw-net-avoid-warning-about.patch -Patch00115: roms-change-cross-compiler-naming-to-be-.patch -Patch00116: tests-Disable-some-block-tests-for-now.patch -Patch00117: test-add-mapping-from-arch-of-i686-to-qe.patch -Patch00118: roms-Makefile-enable-cross-compile-for-b.patch -Patch00119: hw-i386-disable-smbus-migration-for-xenf.patch -Patch00120: s390x-Don-t-do-a-normal-reset-on-the-ini.patch -Patch00121: s390x-Move-reset-normal-to-shared-reset-.patch -Patch00122: s390x-Move-initial-reset.patch -Patch00123: s390x-Move-clear-reset.patch -Patch00124: s390x-kvm-Make-kvm_sclp_service_call-voi.patch -Patch00125: s390x-ipl-Consolidate-iplb-validity-chec.patch -Patch00126: s390x-Beautify-diag308-handling.patch -Patch00127: s390x-Add-missing-vcpu-reset-functions.patch -Patch00128: pc-bios-s390x-Save-iplb-location-in-lowc.patch -Patch00129: s390-sclp-improve-special-wait-psw-logic.patch -Patch00130: s390x-Move-diagnose-308-subcodes-and-rcs.patch -Patch00131: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch -Patch00132: Sync-pv.patch -Patch00133: s390x-protvirt-Support-unpack-facility.patch -Patch00134: s390x-protvirt-Add-migration-blocker.patch -Patch00135: s390x-protvirt-Inhibit-balloon-when-swit.patch -Patch00136: s390x-protvirt-KVM-intercept-changes.patch -Patch00137: s390x-Add-SIDA-memory-ops.patch -Patch00138: s390x-protvirt-Move-STSI-data-over-SIDAD.patch -Patch00139: s390x-protvirt-SCLP-interpretation.patch -Patch00140: s390x-protvirt-Set-guest-IPL-PSW.patch -Patch00141: s390x-protvirt-Move-diag-308-data-over-S.patch -Patch00142: 
s390x-protvirt-Disable-address-checks-fo.patch -Patch00143: s390x-protvirt-Move-IO-control-structure.patch -Patch00144: s390x-protvirt-Handle-SIGP-store-status-.patch -Patch00145: s390x-Add-unpack-facility-feature-to-GA1.patch +Patch00076: scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch +Patch00077: target-ppc-Fix-rlwinm-on-ppc64.patch +Patch00078: compat-disable-edid-on-correct-virtio-gp.patch +Patch00079: ppc-ppc405_boards-Remove-unnecessary-NUL.patch +Patch00080: block-Avoid-memleak-on-qcow2-image-info-.patch +Patch00081: block-bdrv_set_backing_bs-fix-use-after-.patch +Patch00082: hmp-vnc-Fix-info-vnc-list-leak.patch +Patch00083: migration-colo-fix-use-after-free-of-loc.patch +Patch00084: migration-ram-fix-use-after-free-of-loca.patch +Patch00085: qcow2-List-autoclear-bit-names-in-header.patch +Patch00086: sheepdog-Consistently-set-bdrv_has_zero_.patch +Patch00087: target-arm-Fix-PAuth-sbox-functions.patch +Patch00088: tcg-i386-Fix-INDEX_op_dup2_vec.patch +Patch00089: net-tulip-check-frame-size-and-r-w-data-.patch +Patch00090: target-i386-do-not-set-unsupported-VMX-s.patch +Patch00091: spapr-Fix-failure-path-for-attempting-to.patch +Patch00092: xen-block-Fix-double-qlist-remove-and-re.patch +Patch00093: vpc-Don-t-round-up-already-aligned-BAT-s.patch +Patch00094: target-xtensa-fix-pasto-in-pfwait.r-opco.patch +Patch00095: aio-wait-delegate-polling-of-main-AioCon.patch +Patch00096: async-use-explicit-memory-barriers.patch +Patch00097: tcg-mips-mips-sync-encode-error.patch +Patch00098: vhost-user-gpu-Release-memory-returned-b.patch +Patch00099: XXX-dont-dump-core-on-sigabort.patch +Patch00100: qemu-binfmt-conf-Modify-default-path.patch +Patch00101: qemu-cvs-gettimeofday.patch +Patch00102: qemu-cvs-ioctl_debug.patch +Patch00103: qemu-cvs-ioctl_nodirection.patch +Patch00104: linux-user-add-binfmt-wrapper-for-argv-0.patch +Patch00105: PPC-KVM-Disable-mmu-notifier-check.patch +Patch00106: linux-user-binfmt-support-host-binaries.patch +Patch00107: 
linux-user-Fake-proc-cpuinfo.patch +Patch00108: linux-user-use-target_ulong.patch +Patch00109: Make-char-muxer-more-robust-wrt-small-FI.patch +Patch00110: linux-user-lseek-explicitly-cast-non-set.patch +Patch00111: AIO-Reduce-number-of-threads-for-32bit-h.patch +Patch00112: xen_disk-Add-suse-specific-flush-disable.patch +Patch00113: qemu-bridge-helper-reduce-security-profi.patch +Patch00114: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch +Patch00115: linux-user-properly-test-for-infinite-ti.patch +Patch00116: roms-Makefile-pass-a-packaging-timestamp.patch +Patch00117: Raise-soft-address-space-limit-to-hard-l.patch +Patch00118: increase-x86_64-physical-bits-to-42.patch +Patch00119: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch +Patch00120: i8254-Fix-migration-from-SLE11-SP2.patch +Patch00121: acpi_piix4-Fix-migration-from-SLE11-SP2.patch +Patch00122: Switch-order-of-libraries-for-mpath-supp.patch +Patch00123: Make-installed-scripts-explicitly-python.patch +Patch00124: hw-smbios-handle-both-file-formats-regar.patch +Patch00125: xen-add-block-resize-support-for-xen-dis.patch +Patch00126: tests-qemu-iotests-Triple-timeout-of-i-o.patch +Patch00127: tests-Fix-block-tests-to-be-compatible-w.patch +Patch00128: xen-ignore-live-parameter-from-xen-save-.patch +Patch00129: Conditionalize-ui-bitmap-installation-be.patch +Patch00130: tests-change-error-message-in-test-162.patch +Patch00131: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch +Patch00132: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch +Patch00133: hw-intc-exynos4210_gic-provide-more-room.patch +Patch00134: configure-only-populate-roms-if-softmmu.patch +Patch00135: pc-bios-s390-ccw-net-avoid-warning-about.patch +Patch00136: roms-change-cross-compiler-naming-to-be-.patch +Patch00137: tests-Disable-some-block-tests-for-now.patch +Patch00138: test-add-mapping-from-arch-of-i686-to-qe.patch +Patch00139: roms-Makefile-enable-cross-compile-for-b.patch +Patch00140: hw-i386-disable-smbus-migration-for-xenf.patch +Patch00141: 
s390x-Don-t-do-a-normal-reset-on-the-ini.patch +Patch00142: s390x-Move-reset-normal-to-shared-reset-.patch +Patch00143: s390x-Move-initial-reset.patch +Patch00144: s390x-Move-clear-reset.patch +Patch00145: s390x-kvm-Make-kvm_sclp_service_call-voi.patch +Patch00146: s390x-ipl-Consolidate-iplb-validity-chec.patch +Patch00147: s390x-Beautify-diag308-handling.patch +Patch00148: s390x-Add-missing-vcpu-reset-functions.patch +Patch00149: pc-bios-s390x-Save-iplb-location-in-lowc.patch +Patch00150: s390-sclp-improve-special-wait-psw-logic.patch +Patch00151: s390x-Move-diagnose-308-subcodes-and-rcs.patch +Patch00152: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch +Patch00153: Sync-pv.patch +Patch00154: s390x-protvirt-Support-unpack-facility.patch +Patch00155: s390x-protvirt-Add-migration-blocker.patch +Patch00156: s390x-protvirt-Inhibit-balloon-when-swit.patch +Patch00157: s390x-protvirt-KVM-intercept-changes.patch +Patch00158: s390x-Add-SIDA-memory-ops.patch +Patch00159: s390x-protvirt-Move-STSI-data-over-SIDAD.patch +Patch00160: s390x-protvirt-SCLP-interpretation.patch +Patch00161: s390x-protvirt-Set-guest-IPL-PSW.patch +Patch00162: s390x-protvirt-Move-diag-308-data-over-S.patch +Patch00163: s390x-protvirt-Disable-address-checks-fo.patch +Patch00164: s390x-protvirt-Move-IO-control-structure.patch +Patch00165: s390x-protvirt-Handle-SIGP-store-status-.patch +Patch00166: s390x-Add-unpack-facility-feature-to-GA1.patch +Patch00167: s390x-s390-virtio-ccw-Fix-build-on-syste.patch +Patch00168: configure-remove-pkgversion-from-CONFIG_.patch # Patches applied in roms/seabios/: Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch 
@@ -1134,6 +1157,29 @@ This package provides a service file for starting and stopping KSM. %patch00143 -p1 %patch00144 -p1 %patch00145 -p1 +%patch00146 -p1 +%patch00147 -p1 +%patch00148 -p1 +%patch00149 -p1 +%patch00150 -p1 +%patch00151 -p1 +%patch00152 -p1 +%patch00153 -p1 +%patch00154 -p1 +%patch00155 -p1 +%patch00156 -p1 +%patch00157 -p1 +%patch00158 -p1 +%patch00159 -p1 +%patch00160 -p1 +%patch00161 -p1 +%patch00162 -p1 +%patch00163 -p1 +%patch00164 -p1 +%patch00165 -p1 +%patch00166 -p1 +%patch00167 -p1 +%patch00168 -p1 %patch01000 -p1 %patch01001 -p1 %patch01002 -p1 @@ -1282,7 +1328,7 @@ mkdir -p %mybuilddir cd %mybuilddir %endif -%{_builddir}/%buildsubdir/configure \ +../%buildsubdir/configure \ --prefix=%_prefix \ --sysconfdir=%_sysconfdir \ --libdir=%_libdir \ @@ -1520,11 +1566,7 @@ export LD=x86_64-suse-linux-ld %endif make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms bios \ -%if 0%{?is_opensuse} == 0 - SEABIOS_EXTRAVERSION="-rebuilt.suse.com" \ -%else SEABIOS_EXTRAVERSION="-rebuilt.opensuse.org" \ -%endif %ifnarch %ix86 x86_64 HOSTCC=cc \ %endif diff --git a/qemu.spec.in b/qemu.spec.in index 1a52d64..8bd6e3a 100644 --- a/qemu.spec.in +++ b/qemu.spec.in @@ -942,7 +942,7 @@ mkdir -p %mybuilddir cd %mybuilddir %endif -%{_builddir}/%buildsubdir/configure \ +../%buildsubdir/configure \ --prefix=%_prefix \ --sysconfdir=%_sysconfdir \ --libdir=%_libdir \ @@ -1180,11 +1180,7 @@ export LD=x86_64-suse-linux-ld %endif make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms bios \ -%if 0%{?is_opensuse} == 0 - SEABIOS_EXTRAVERSION="-rebuilt.suse.com" \ -%else SEABIOS_EXTRAVERSION="-rebuilt.opensuse.org" \ -%endif %ifnarch %ix86 x86_64 HOSTCC=cc \ %endif diff --git a/s390x-protvirt-Support-unpack-facility.patch b/s390x-protvirt-Support-unpack-facility.patch index 7e33141..28ef6d3 100644 --- a/s390x-protvirt-Support-unpack-facility.patch +++ b/s390x-protvirt-Support-unpack-facility.patch 
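Review bot: `../%buildsubdir/configure` assumes `%mybuilddir` is a direct child of `%_builddir`, which the visible `cd %mybuilddir` context does not establish, while the `make ... -C %{_builddir}/%buildsubdir/roms` invocation in the following hunk keeps the absolute form, so the two now locate the source tree by different routes. If the relative path is deliberate (presumably to keep the absolute build directory out of paths that configure records), a one-line comment above it would preserve that reasoning for the next maintainer, e.g. `# relative path on purpose: keep %_builddir out of configure-recorded paths` (wording to be confirmed against the actual motivation). The identical change in qemu.spec.in, in the next file section, should carry the same comment.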
@@ -69,7 +69,7 @@ index e02ed80b6829a511362abc3525ec..a46a1c7894e0f612a2d74cec74f6 100644 obj-y += ap-device.o obj-y += ap-bridge.o diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c -index ca544d64c5e04782fb49d12521d5..73e5210b4d4e7ad912cfe5475ac4 100644 +index ca544d64c5e04782fb49d12521d5..c343cfb0bed4272cecf31207dae8 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -1,10 +1,11 @@ @@ -139,7 +139,7 @@ index ca544d64c5e04782fb49d12521d5..73e5210b4d4e7ad912cfe5475ac4 100644 + + cpu_physical_memory_read(ipib_pv->pv_header_addr, hdr, + ipib_pv->pv_header_len); -+ rc = s390_pv_set_sec_parms((uint64_t)(uintptr_t)hdr, ++ rc = s390_pv_set_sec_parms((uintptr_t)hdr, + ipib_pv->pv_header_len); + g_free(hdr); + return rc; diff --git a/s390x-s390-virtio-ccw-Fix-build-on-syste.patch b/s390x-s390-virtio-ccw-Fix-build-on-syste.patch new file mode 100644 index 0000000..fcc338c --- /dev/null +++ b/s390x-s390-virtio-ccw-Fix-build-on-syste.patch 
@@ -0,0 +1,129 @@ +From: Christian Borntraeger +Date: Mon, 6 Apr 2020 06:01:58 -0400 +Subject: s390x/s390-virtio-ccw: Fix build on systems without KVM + +References: bsc#1167075 + +linux/kvm.h is not available on all platforms. Let us move +s390_machine_inject_pv_error into pv.c as it uses KVM structures. +Also rename the function to s390_pv_inject_reset_error. + +While at it, ipl.h needs an include for "exec/address-spaces.h" +as it uses address_space_memory. + +Fixes: 49fc3220175e ("s390x: protvirt: Support unpack facility") +Reported-by: Bruce Rogers +Signed-off-by: Christian Borntraeger +Signed-off-by: Bruce Rogers +--- + hw/s390x/ipl.h | 1 + + hw/s390x/pv.c | 11 +++++++++++ + hw/s390x/s390-virtio-ccw.c | 12 +----------- + include/hw/s390x/pv.h | 3 +++ + 4 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h +index 89b3044d7a2ee54014daa8eeafc9..53cc9eb5ac4d326b2b61bf1668a8 100644 +--- a/hw/s390x/ipl.h ++++ b/hw/s390x/ipl.h +@@ -14,6 +14,7 @@ + #define HW_S390_IPL_H + + #include "cpu.h" ++#include "exec/address-spaces.h" + #include "hw/qdev-core.h" + + struct IPLBlockPVComp { +diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c +index 8cf5cd2c9bcd48b03af1e546fb3a..2c4d5e89890b7d21abdcd718c2f2 100644 +--- a/hw/s390x/pv.c ++++ b/hw/s390x/pv.c +@@ -13,8 +13,10 @@ + + #include + ++#include "cpu.h" + #include "qemu/error-report.h" + #include "sysemu/kvm.h" ++#include "hw/s390x/ipl.h" + #include "hw/s390x/pv.h" + + static int __s390_pv_cmd(uint32_t cmd, const char *cmdname, void *data) +@@ -96,3 +98,12 @@ void s390_pv_unshare(void) + { + s390_pv_cmd_exit(KVM_PV_VM_UNSHARE_ALL, NULL); + } ++ ++void s390_pv_inject_reset_error(CPUState *cs) ++{ ++ int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4; ++ CPUS390XState *env = &S390_CPU(cs)->env; ++ ++ /* Report that we are unable to enter protected mode */ ++ env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV; ++} +diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c +index 
85250bf046ed72313b03c6ff6c54..5df455e065504bc0eef0f1f084dc 100644 +--- a/hw/s390x/s390-virtio-ccw.c ++++ b/hw/s390x/s390-virtio-ccw.c +@@ -44,7 +44,6 @@ + #include "sysemu/sysemu.h" + #include "sysemu/balloon.h" + #include "hw/s390x/pv.h" +-#include + #include "migration/blocker.h" + + static Error *pv_mig_blocker; +@@ -392,15 +391,6 @@ out_err: + return rc; + } + +-static void s390_machine_inject_pv_error(CPUState *cs) +-{ +- int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4; +- CPUS390XState *env = &S390_CPU(cs)->env; +- +- /* Report that we are unable to enter protected mode */ +- env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV; +-} +- + static void s390_pv_prepare_reset(S390CcwMachineState *ms) + { + CPUState *cs; +@@ -486,7 +476,7 @@ static void s390_machine_reset(MachineState *machine) + run_on_cpu(cs, s390_do_cpu_reset, RUN_ON_CPU_NULL); + + if (s390_machine_protect(ms)) { +- s390_machine_inject_pv_error(cs); ++ s390_pv_inject_reset_error(cs); + /* + * Continue after the diag308 so the guest knows something + * went wrong. 
+diff --git a/include/hw/s390x/pv.h b/include/hw/s390x/pv.h +index c6cb360f2f6a0a32a37970769e1b..522ca6a04ee877940ff1de9f410b 100644 +--- a/include/hw/s390x/pv.h ++++ b/include/hw/s390x/pv.h +@@ -13,6 +13,7 @@ + #define HW_S390_PV_H + + #ifdef CONFIG_KVM ++#include "cpu.h" + #include "hw/s390x/s390-virtio-ccw.h" + + static inline bool s390_is_pv(void) +@@ -41,6 +42,7 @@ int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak); + void s390_pv_perf_clear_reset(void); + int s390_pv_verify(void); + void s390_pv_unshare(void); ++void s390_pv_inject_reset_error(CPUState *cs); + #else /* CONFIG_KVM */ + static inline bool s390_is_pv(void) { return false; } + static inline int s390_pv_vm_enable(void) { return 0; } +@@ -50,6 +52,7 @@ static inline int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak) { + static inline void s390_pv_perf_clear_reset(void) {} + static inline int s390_pv_verify(void) { return 0; } + static inline void s390_pv_unshare(void) {} ++static inline void s390_pv_inject_reset_error(CPUState *cs) {}; + #endif /* CONFIG_KVM */ + + #endif /* HW_S390_PV_H */ diff --git a/scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch b/scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch new file mode 100644 index 0000000..3828f4a --- /dev/null +++ b/scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch 
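Review bot: The `!CONFIG_KVM` stub `static inline void s390_pv_inject_reset_error(CPUState *cs) {};` in include/hw/s390x/pv.h carries a stray `;` after the body, an empty file-scope declaration that `-Wpedantic` reports and that none of the neighbouring stubs have; it should read `static inline void s390_pv_inject_reset_error(CPUState *cs) {}`. In the body moved into hw/s390x/pv.c, `r1` is a 4-bit field (0..15) and the store goes to `env->regs[r1 + 1]`, so the code silently depends on r1 never being 15; presumably the diag 308 handler rejects odd r1 before a reset is requested, but that precondition lives outside this patch, so a comment such as `/* r1 is even (enforced by the diag 308 handler), so r1 + 1 stays in range */` would make the dependency visible where the index is computed.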
@@ -0,0 +1,93 @@ +From: Christophe de Dinechin +Date: Fri, 28 Feb 2020 16:00:59 +0100 +Subject: scsi/qemu-pr-helper: Fix out-of-bounds access to trnptid_list[] +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 4ce1e15fbc7266a108a7c77a3962644b3935346e + +Compile error reported by gcc 10.0.1: + +scsi/qemu-pr-helper.c: In function ‘multipath_pr_out’: +scsi/qemu-pr-helper.c:523:32: error: array subscript is outside array bounds of ‘struct transportid *[0]’ [-Werror=array-bounds] + 523 | paramp.trnptid_list[paramp.num_transportid++] = id; + | ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ +In file included from scsi/qemu-pr-helper.c:36: +/usr/include/mpath_persist.h:168:22: note: while referencing ‘trnptid_list’ + 168 | struct transportid *trnptid_list[]; + | ^~~~~~~~~~~~ +scsi/qemu-pr-helper.c:424:35: note: defined here ‘paramp’ + 424 | struct prout_param_descriptor paramp; + | ^~~~~~ + +This highlights an actual implementation issue in function multipath_pr_out. +The variable paramp is declared with type `struct prout_param_descriptor`, +which is a struct terminated by an empty array in mpath_persist.h: + + struct transportid *trnptid_list[]; + +That empty array was filled with code that looked like that: + + trnptid_list[paramp.descr.num_transportid++] = id; + +This is an actual out-of-bounds access. + +The fix is to malloc `paramp`. 
+ +Signed-off-by: Christophe de Dinechin +Signed-off-by: Paolo Bonzini +Signed-off-by: Bruce Rogers +--- + scsi/qemu-pr-helper.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c +index debb18f4aa5d55a1720587cf82ea..38c273de19573ad8421da6439153 100644 +--- a/scsi/qemu-pr-helper.c ++++ b/scsi/qemu-pr-helper.c +@@ -421,10 +421,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, + int rq_servact = cdb[1]; + int rq_scope = cdb[2] >> 4; + int rq_type = cdb[2] & 0xf; +- struct prout_param_descriptor paramp; ++ g_autofree struct prout_param_descriptor *paramp = NULL; + char transportids[PR_HELPER_DATA_SIZE]; + int r; + ++ paramp = g_malloc0(sizeof(struct prout_param_descriptor) ++ + sizeof(struct transportid *) * MPATH_MX_TIDS); ++ + if (sz < PR_OUT_FIXED_PARAM_SIZE) { + /* Illegal request, Parameter list length error. This isn't fatal; + * we have read the data, send an error without closing the socket. +@@ -454,10 +457,9 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, + * used by libmpathpersist (which, of course, will immediately + * do the opposite). + */ +- memset(¶mp, 0, sizeof(paramp)); +- memcpy(¶mp.key, ¶m[0], 8); +- memcpy(¶mp.sa_key, ¶m[8], 8); +- paramp.sa_flags = param[20]; ++ memcpy(¶mp->key, ¶m[0], 8); ++ memcpy(¶mp->sa_key, ¶m[8], 8); ++ paramp->sa_flags = param[20]; + if (sz > PR_OUT_FIXED_PARAM_SIZE) { + size_t transportid_len; + int i, j; +@@ -520,12 +522,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, + return CHECK_CONDITION; + } + +- paramp.trnptid_list[paramp.num_transportid++] = id; ++ assert(paramp->num_transportid < MPATH_MX_TIDS); ++ paramp->trnptid_list[paramp->num_transportid++] = id; + } + } + + r = mpath_persistent_reserve_out(fd, rq_servact, rq_scope, rq_type, +- ¶mp, noisy, verbose); ++ paramp, noisy, verbose); + return mpath_reconstruct_sense(fd, r, sense); + } + #endif 
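Review bot: `assert(paramp->num_transportid < MPATH_MX_TIDS);` turns a request carrying more transport IDs than the allocation holds into an abort of the helper process, whereas the preceding error path in the same loop answers the client with `return CHECK_CONDITION;`. If the count is already bounded by `PR_HELPER_DATA_SIZE` and the minimum transport-ID size to fewer than `MPATH_MX_TIDS` entries (not visible in this hunk) the assert is unreachable and a comment stating that bound would suffice; otherwise failing the request with the same sense data as the earlier `CHECK_CONDITION` path is the more robust choice for a privileged helper. The allocation `g_malloc0(sizeof(struct prout_param_descriptor) + sizeof(struct transportid *) * MPATH_MX_TIDS)` is the right fix for the flexible-array member, and `g_autofree` covers the early-return paths as far as the hunk shows.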
diff --git a/sheepdog-Consistently-set-bdrv_has_zero_.patch b/sheepdog-Consistently-set-bdrv_has_zero_.patch new file mode 100644 index 0000000..f7904f0 --- /dev/null +++ b/sheepdog-Consistently-set-bdrv_has_zero_.patch 
@@ -0,0 +1,46 @@
+From: Eric Blake
+Date: Tue, 24 Mar 2020 12:42:33 -0500
+Subject: sheepdog: Consistently set bdrv_has_zero_init_truncate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: ed049910637be991c88cc25c864115bc5b1e4dab
+
+block_int.h claims that .bdrv_has_zero_init must return 0 if
+.bdrv_has_zero_init_truncate does likewise; but this is violated if
+only the former callback is provided if .bdrv_co_truncate also exists.
+When adding the latter callback, it was mistakenly added to only one
+of the three possible sheepdog instantiations.
+
+Fixes: 1dcaf527
+Signed-off-by: Eric Blake
+Message-Id: <20200324174233.1622067-5-eblake@redhat.com>
+Reviewed-by: John Snow
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Max Reitz
+Signed-off-by: Bruce Rogers
+---
+ block/sheepdog.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/block/sheepdog.c b/block/sheepdog.c
+index cfa84338a2d6b653ce243ae53c7a..522c16a936762ff00ee23a5e9ca3 100644
+--- a/block/sheepdog.c
++++ b/block/sheepdog.c
+@@ -3269,6 +3269,7 @@ static BlockDriver bdrv_sheepdog_tcp = {
+ .bdrv_co_create = sd_co_create,
+ .bdrv_co_create_opts = sd_co_create_opts,
+ .bdrv_has_zero_init = bdrv_has_zero_init_1,
++ .bdrv_has_zero_init_truncate = bdrv_has_zero_init_1,
+ .bdrv_getlength = sd_getlength,
+ .bdrv_get_allocated_file_size = sd_get_allocated_file_size,
+ .bdrv_co_truncate = sd_co_truncate,
+@@ -3307,6 +3308,7 @@ static BlockDriver bdrv_sheepdog_unix = {
+ .bdrv_co_create = sd_co_create,
+ .bdrv_co_create_opts = sd_co_create_opts,
+ .bdrv_has_zero_init = bdrv_has_zero_init_1,
++ .bdrv_has_zero_init_truncate = bdrv_has_zero_init_1,
+ .bdrv_getlength = sd_getlength,
+ .bdrv_get_allocated_file_size = sd_get_allocated_file_size,
+ .bdrv_co_truncate = sd_co_truncate,
diff --git a/spapr-Fix-failure-path-for-attempting-to.patch b/spapr-Fix-failure-path-for-attempting-to.patch
new file mode 100644
index 0000000..9eea839
--- /dev/null
+++ b/spapr-Fix-failure-path-for-attempting-to.patch
@@ -0,0 +1,33 @@
+From: David Gibson
+Date: Thu, 26 Mar 2020 16:12:40 +1100
+Subject: spapr: Fix failure path for attempting to hot unplug PCI bridges
+
+Git-commit: 7aab5899764887f6b0512cb2e5c11bdc2a5d3644
+
+For various technical reasons we can't currently allow unplug a PCI to PCI
+bridge on the pseries machine. spapr_pci_unplug_request() correctly
+generates an error message if that's attempted.
+
+But.. if the given errp is not error_abort or error_fatal, it doesn't
+actually stop trying to unplug the bridge anyway.
+
+Fixes: 14e714900f6b "spapr: Allow hot plug/unplug of PCI bridges and devices under PCI bridges"
+Signed-off-by: David Gibson
+Reviewed-by: Greg Kurz
+Signed-off-by: Bruce Rogers
+---
+ hw/ppc/spapr_pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c
+index f6fbcf99edaaf9844fe669951716..5b544adb4a4d7868cf17d6534e19 100644
+--- a/hw/ppc/spapr_pci.c
++++ b/hw/ppc/spapr_pci.c
+@@ -1663,6 +1663,7 @@ static void spapr_pci_unplug_request(HotplugHandler *plug_handler,
+
+ if (pc->is_bridge) {
+ error_setg(errp, "PCI: Hot unplug of PCI bridges not supported");
++ return;
+ }
+
+ /* ensure any other present functions are pending unplug */
diff --git a/supported.arm.txt b/supported.arm.txt
index 60f4f56..f8bb8ad 100644
--- a/supported.arm.txt
+++ b/supported.arm.txt
@@ -28,7 +28,8 @@ Overview QEMU is a primary component of KVM based virtualization. The QEMU emulator binary qemu-system-aarch64 is the program to use to access KVM virtualization. When using this program, the -machine option accel=kvm (or its alias - -enable-kvm) must be specified for KVM acceleration to be used by the guest. + -enable-kvm) or --accel kvm option must be specified for KVM acceleration to + be used by the guest. Libvirt is the preferred means of accessing QEMU/KVM functionality and is documented elsewhere. This document focuses on the features and direct usage
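Review bot: The added `return;` after `error_setg(errp, "PCI: Hot unplug of PCI bridges not supported");` leaves spapr_pci_unplug_request early, and because the function begins and ends outside the hunk it cannot be confirmed from the visible lines whether anything set up earlier in the body needs unwinding before this exit; that should be checked against the full function. A brief comment on the new line, e.g. `return; /* bridge unplug refused; errp already set, do not proceed */`, would make the deliberate early exit explicit for the next reader.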
@@ -134,6 +135,10 @@ Noteworthy QEMU/KVM Unsupported Features - GlusterFS integration is not enabled. +- 32 bit ARM KVM has never been supported by SUSE, but it's worth noting that + this capability will cease to even be possible in a near-future QEMU/KVM + (kernel) combination. + Deprecated, Superseded, Modified and Dropped Features ----------------------------------------------------- @@ -163,8 +168,11 @@ Deprecated, Superseded, Modified and Dropped Features considered deprecated. In the future those names will be standardized to acpitable, boot, and smp respectively. -- This previously supported command line options is now considered deprecated: - -device scsi-disk (use scsi-hd or scsi-cd) +- These previously supported command line options are now considered deprecated: + -device scsi-disk (use scsi-hd or scsi-cd instead) + -device virtio-blk,scsi= (use virtio-scsi instead) + -device virtio-blk-pci,scsi= (use virtio-scsi instead) + -realtime mlock= (use -overcommit mem-lock- instead) - These previously supported command line options are no longer supported: diff --git a/supported.ppc.txt b/supported.ppc.txt index b374627..47545d9 100644 --- a/supported.ppc.txt +++ b/supported.ppc.txt 
@@ -2,785 +2,4 @@ SLES 15 SP2 QEMU/KVM RELATED SUPPORT STATEMENTS -Overview --------- - - The QEMU based packages included with SLES 15 SP2 provide a large variety of - features, from the very latest customer requests to features of questionable - quality or value. The linux kernel includes components which contribute KVM - virtualization features as well. This document was created to assist the user - in deciding which features can be relied upon to build enterprise class - virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64), - for IBM System z (s390x), and for the ARM64 architecture (AArch64) are - offered at the L3 (full support) level. The bulk of this document is primarily - Power8 centric. This document should be considered a companion to the standard - virtualization documentation delivered with the product. - - KVM is implemented in linux kernel modules which enable the linux kernel to - function as an integral part of the KVM hypervisor. The hypervisor-guest - interaction is managed by QEMU through the /dev/kvm ioctl interface. The linux - host assists in the virtualization of storage, networking and display - resources as well as allowing direct hardware passthrough of PCI and USB - devices. Linux memory and cpu management features are used by QEMU/KVM to - enable guests to share those host resources as efficiently as possible. - The kvm_hv kernel module is required. The kvm_pr kernel module is unsupported. - - QEMU is a primary component of KVM based virtualization. The QEMU emulator - binary qemu-system-ppc64 is the program to use to access KVM virtualization. - When using this program, the -machine option accel=kvm (or its alias - -enable-kvm) must be specified for KVM acceleration to be used by the guest. - - Libvirt is the preferred means of accessing QEMU/KVM functionality and is - documented elsewhere. This document focuses on the features and direct usage - of QEMU/KVM as provided by the QEMU based packages. 
- -Major QEMU/KVM Supported Features ---------------------------------- - -- KVM virtualization is accomplished by using the QEMU program in KVM - acceleration mode. KVM acceleration requires that both guest and host have - the same fundamental architecture. - -- Guest images created under previous QEMU versions are supported by machine - version compatibilities built into more recent QEMU versions. - -- For ease of use, the QEMU program has defaults which represent traditional - usage patterns. - -- Guest virtual machine characteristics are specified by a combination of - internal defaults, options provided on the QEMU program command-line, runtime - configurations set via the monitor interfaces and optional config files. The - runtime control of a VM is effected either through the Human Monitor - "Protocol" (HMP), or the JSON based programmatical QEMU Monitor Protocol (QMP) - interface. For QMP details, see qemu-qmp-ref man page. - Since a KVM guest runs in the context of a normal linux process, some types - of execution controls are managed with linux tools. - -- QEMU uses SLOF (Slimline Open Firmware) for booting ppc guests, which allow - boot options common to physical systems.Various VGABIOS ROMs, from the SEABIOS - project, are also available. - -- Some QEMU messages have been localized to various languages. This is provided - by the optional qemu-lang package. Keyboard mappings for various nationalities - is also provided. - -- Virtual machine lifecycle controls include startup through firmware or kernel - boot, firmware based shutdown, execution pausing, the saving and restoring of - machine state or disk state, VM migration to another host, and miscellaneous - controls available through the "monitors" mentioned above. - -- Guest execution state may be "moved" in both time (save/restore) and space - (static and live migration). 
These migrations or save/restore operations can - take place either from certain prior SLES versioned hosts to a SLES 12 SP3 - or between hosts of the same version. Certain other restrictions also apply. - -- Security considerations include privileged helpers and a security model which - allows running guests as a non-root user. - -- QEMU provides best effort reuse of existing disk images, including those with - systems installed, through geometry probing. Also disk images produced by - other popular virtualization technologies may be imported into QEMU supported - storage formats. These QEMU formats include features which exploit the - benefits of virtualization. - -- Memory, cpu and disk space overcommit are possible and can be beneficial when - done responsibly. Additional management of these resources comes in the form - of memory ballooning or hotplug, host KSM, vcpu hot-add, online disk resizing, - trim, discard and hole punching. - -- Guest performance is enhanced through the use of virtio devices, various disk - caching modes, network acceleration via the vhost-net kernel module, multi- - queue network transmit capabilities, host transparent huge pages (THP) and - direct hugetlb usage. Physical PCI and USB devices may also be passed through - to the guest, including SR-IOV VF's. - -- The guest UI is accessable via GTK, VNC, and serial (including curses TUI) - interfaces. - -- Guest timekeeping is supported in a variety of ways, including a paravirtual - clocksource, and options for the various guest clocks for how to handle the - timeslicing of the guest's execution on the host. - -- In addition to the para-virtualized devices already mentioned, other devices - and infrastructure designed to avoid virtualization "problem areas" are - available such as SPICE graphics, vmmouse emulation, tablet style pointer - interfaces and virtio based UI interfaces. - -- A built-in user-mode network (SLIRP) stack is available. 
- -- Portions of the host file system may be shared with a guest by using virtFS. - -- A guest "agent" is available for SLES 15 SP2 KVM guests via the - qemu-guest-agent package. This allows some introspection and control of the - guest OS environment from the host. - -QEMU/KVM Technology Previews ----------------------------- - -- All features indicated as not being supported in this document fall under the - Technology Preview definition contained in the main product's release notes. - -Noteworthy QEMU/KVM Unsupported Features ----------------------------------------- - -- Note that some features are unsupported simply due to lack of validation. If - an existing feature is desired, but not marked supported, let SUSE know about - your requirements. - -- The TCG "acceleration" mode may be helpful for problem isolation, but - otherwise presents insufficient benefit and stability. - -- GlusterFS integration is not enabled. - -Deprecated, Superseded, Modified and Dropped Features ------------------------------------------------------ - -- http://wiki.qemu-project.org/Features/LegacyRemoval - This website tracks feature deprecation and removal at the upstream - development level. Our qemu package inherits this community direction, but be - aware that we can and will deviate as needed. Those deviations and additional - information can be found in this section. Feature deprecation is also tracked - in Appendix B of the qemu-doc.* files installed with the qemu package. - -- The use of "?" as a parameter to "-cpu", "-soundhw", "-device", "-M", - "-machine" and "-d" is now considered deprecated. Use "help" - instead. - -- The use of "if=scsi" as a parameter to "-drive" does not work anymore with PC - machine types, as it created an obsolete SCSI controller model. - -- Use of aio=native without direct cache mode also being specified (cache=none, - cache=directsync, or cache.direct=on) is no longer allowed. 
- -- The use of image encryption in qcow and qcow2 formats is now considered - deprecated. - Analysis has shown it to be weak encryption, in addition to suffering from - poor design. Images can easily be converted to a non-encrypted format. - -- Use of acpi, boot-opts, and smp-opts in a -readconfig config file are now - considered deprecated. In the future those names will be standardized to - acpitable, boot, and smp respectively. - -- This previously supported command line option is now considered deprecated: - -device scsi-disk (use scsi-hd or scsi-cd) - -- These previously supported command line options are no longer supported: - - -- These previously supported command line options are no longer recognized: - -balloon (use -device virtio-balloon instead) - -clock - -device ivshmem (use ivshmem-doorbell or ivshmem-plain instead) - -device pc-sysfw (no longer needed) - -device pci-assign, -device kvm-pci-assign (use -device vfio-pci instead) - -display sdl - -no-frame - -nodefconfig (use -no-user-config instead) - -sdl - -virtioconsole (use -device virtconsole instead) - -- These previously unsupported command line options are no longer recognized: - -device cmd646-ide - -device macio-newworld - -device macio-oldworld - -device spapr-pci-vfio-host-bridge - -- Specifying a cpu feature with both "+feature/-feature" and "feature=on/off" - will now cause a warning. The current behavior for this combination where - "+feature/-feature" wins over "feature=on/off", will be changed going forward - so that "+feature" and "-feature" will be synonyms for "feature=on" and - "feature=off" respectively. - -- The previously supported blkdev-add QMP command has been flagged as lacking - and could possibly change syntax in the future. 
- -- These previously unsupported command line options are now deprecated: - -bt - -machine prep (use -machine 40p instead) - -M prep (use -M 40p instead) - -- These previously unsupported command line options are no longer recognized: - -device isa-cirrus-vga - -device ramfb - -enable-hax - -tdf - -xen-create - -- These previously supported QMPs command are now deprecated: - change (use blockdev-change-medium or change-vnc-password instead) - cpu-add - migrate-set-cache-size (use migrate-set-parameters instead) - migrate_set_downtime (use migrate-set-parameters instead) - migrate_set_speed (use migrate-set-parameters instead) - query-cpus (use query-cpus-fast instead) - query-events - query-migrate-cache-size (use query-migrate-parameters instead) - -- These previously supported monitor commands are now deprecated: - change - cpu-add - migrate_set_downtime - migrate_set_speed - -- These previously supported monitor commands are no longer recognized: - pci_add (use device_add instead) - pci_del (use device_del instead) - usb_add (use device_add instead) - usb_del (use device_del instead) - -- These previously unsupported monitor command are now deprecated: - acl_add ... - acl_policy ... - acl_remove ... - acl_reset ... - acl_show ... 
- -- These previously unsupported monitor commands are no longer recognized: - host_net_add - host_net_remove - -- These previously unsupported QMP commands are now supported under a new name: - x-block-dirty-bitmap-disable (use block-dirty-bitmap-disable instead) - x-block-dirty-bitmap-enable (use block-dirty-bitmap-enable instead) - x-block-dirty-bitmap-merge (use block-dirty-bitmap-merge instead) - x-block-latency-histogram-set (use block-latency-histogram-set instead) - x-blockdev-create (use blockdev-create instead) - -- This previously unsupported QMP commands is no longer recognized: - x-nbd-server-add-bitmap - -- Due to upstream's decision to no longer fully support the qed storage format - going forward (since it really provides no benefit over qcow2 and is now no - longer actively maintained upstream), creating qed storage images is no longer - supported and it is highly discouraged to continue using existing qed images. - They should instead be converted to another supported format. - -QEMU Command-Line and Monitor Syntax and Support ------------------------------------------------- - -- The QEMU program command-line syntax is as follows: - qemu-system-ppc64 [options] - - Where 'options' are taken from the options listed below. - The images used with -drive or -cdrom, may be in the raw (no format) or qcow2 - storage formats, and may be located in files within the host filesystem, - logical volumes, host physical disks, or network based storage. Read only - media may also be accessed via URL style protocol specifiers. - - Note that as a general rule, as new command line options are added which serve - to replace an older option or interface, you are strongly encouraged to adapt - your usage to the new option. The new option is being introduced to provide - better functionality and usability going forward. 
In some cases existing - problems or even bugs in older interfaces cannot be fixed due to functional - expectations, but are resolved in the newer interface or option. - This advice includes moving to the most recent machine type (eg pseries-4.2 - instead of pseries-3.1) if possible. - -- The following command line options are supported: - -accel ... - -add-fd ... - -alt-grab - -append ... - -audio-help - -audiodev - -bios ... - -blockdev ... - -boot ... - -cdrom ... - -chardev .. - -cpu host - -ctrl-grab - -d ... - -daemonize - -debugcon ... - -device [VGA|rtl8139|virtio-net-pci|virtio-blk-pci|virtio-balloon-pci| - virtio-9p-pci|usb-hub|usb-ehci|usb-tablet|usb-storage|usb-mouse| - usb-kbd|virtserialport|virtconsole|virtio-serial-pci|i82559er| - virtio-scsi-pci|scsi-cd|scsi-hd|scsi-generic|scsi-disk|scsi-block| - pci-serial|pci-serial-2x|pci-serial-4x|ich9-ahci|usb-host|usb-serial| - usb-wacom-tablet|usb-braille|usb-net|pci-ohci|virtio-rng-pci|i6300esb| - qxl|qxl-vga|pvpanic|vfio-pci|ivshmem-doorbell|ivshmem-plain| - virtio-crypto-pci|virtio-mmio|vhost-vsock-pci|vhost-user-blk| - vhost-user-blk-pci|pci-bridge|megasas-gen2|e1000e|e1000|cirrus-vga| - virtio-vga|vhost-scsi-pci-non-transitional| - vhost-scsi-pci-transitional|vhost-user-blk-pci-non-transitional| - vhost-user-blk-pci-transitional|vhost-user-scsi-pci-non-transitional| - vhost-user-scsi-pci-transitional|vhost-vsock-pci-non-transitional| - vhost-vsock-pci-transitional|virtio-9p-pci-non-transitional| - virtio-9p-pci-transitional|virtio-balloon-pci-non-transitional| - virtio-balloon-pci-transitional|virtio-blk-pci-non-transitional| - virtio-blk-pci-transitional|virtio-input-host-pci-non-transitional| - virtio-input-host-pci-transitional|virtio-net-pci-non-transitional| - virtio-net-pci-transitional|virtio-rng-pci-non-transitional| - virtio-rng-pci-transitional|virtio-scsi-pci-non-transitional| - virtio-scsi-pci-transitional|virtio-serial-pci-non-transitional| - 
virtio-serial-pci-transitional|vhost-user-fs-pci|vhost-user-gpu| - vhost-user-pci-pci|vhost-user-input|vhost-user-input-pci| - vhost-user-vga|mc146818rtc] - (the following are aliases of these supported devices: ahci| - virtio-blk|virtio-net|virtio-serial|virtio-balloon| virtio-9p| - virtio-input-host|virtio-keyboard|virtio-mouse|virtio-tablet| - virtio-gpu|virtio-scsi|virtio-rng|e1000-82540em) - -dfilter range, ... - -display ... - -drive ... (if specified if=[virtio] and format=[qcow2|raw] and - snapshot=off only) - -echr ... - -enable-fips - -enable-kvm - -fsdev ... - -full-screen - -fw_cfg ... - -gdb ... - -global ... - -h - -help - -incoming ... - -initrd ... - -iscsi ... - -k ... - -kernel ... - -loadvm ... - -m ... - -M [help|?|none|pseries|pseries-2.11|pseries-3.1|pseries-4.2] - -machine [help|?|none|pseries|pseries-2.11|pseries-3.1|pseries-4.2] - -mem-path ... - -mem-prealloc - -mon ... - -monitor ... - -msg ... - -name ... - -net [bridge|l2tpv3|nic|none|tap|user] ... (for model= only e1000, rtl8139, - and virtio are supported) - -netdev [bridge|tap|user] ... - -nic ... - -nodefaults - -nographic - -no-quit - -no-reboot - -no-shutdown - -no-user-config - -object ... - -only-migratable - -parallel ... - -pidfile ... - -plugin ... - -qmp ... - -qmp-pretty ... - -readconfig ... - -realtime ... - -rtc ... - -runas ... - -s - -S - -sandbox ... - -seed ... - -serial ... - -show-cursor - -smbios ... - -smp ... - -tpmdev passthrough ... - -trace ... - -usb - -usbdevice [braile|disk|host|mouse|net|serial|tablet] - -uuid .. - -version - -vga [none|qxl|std|virtio] - -virtfs ... - -vnc ... - -watchdog ... - -watchdog-action ... - -writeconfig ... - -- The following monitor commands are supported: - ? - announce_self ... - balloon ... - block_resize ... - boot_set ... - c - change ... - chardev-add ... - chardev-remove ... - client_migrate_info ... - closefd ... - cont - cpu ... - cpu-add ... - delvm ... - device_add ... - device_del ... - drive_add ... 
- drive_backup ... - drive_del ... - dump_guest_memory ... - eject ... - gdbserver ... - gpa2hpa ... - gpa2hva ... - gva2gpa ... - help - i ... - info ... - loadvm ... - logfile ... - logitem ... - mce ... - memsave ... - migrate ... - migrate_cancel - migrate_continue ... - migrate_incoming - migrate_pause - migrate_recover ... - migrate_set_cache_size ... - migrate_set_capability ... - migrate_set_downtime ... - migrate_set_parameter ... - migrate_set_speed ... - migrate_start_post_copy - mouse_button ... - mouse_move ... - mouse_set ... - nmi ... - o ... - object_add ... - object_del ... - p ... - pmemsave ... - print ... - q - qemu-io ... - qom-list - qom-set - ringbuf_read ... - ringbuf_write ... - savevm ... - screendump ... - sendkey ... - snapshot_blkdev_internal ... - snapshot_delete_blkdev_internal ... - stop - sum ... - system_powerdown - system_reset - system_wakeup - trace-event ... - watchdog_action ... - x ... - xp ... - -- The following QMP commands are supported: - add_client - add-fd - announce-self - balloon - blockdev-add - blockdev-backup - blockdev-change-medium - blockdev-close-tray - blockdev-create - blockdev-del - blockdev-mirror - blockdev-open-tray - blockdev-snapshot - blockdev-snapshot-delete-internal-sync - blockdev-snapshot-internal-sync - blockdev-snapshot-sync - block-commit - block-dirty-bitmap-add - block-dirty-bitmap-clear - block-dirty-bitmap-disable - block-dirty-bitmap-enable - block-dirty-bitmap-merge - block-dirty-bitmap-remove - block-latency-histogram-set - block_passwd - block_resize - block_set_io_throttle - block-set-write-threshold - block_stream - change - change-vnc-password - chardev-add - chardev-remove - client_migrate_info - closefd - cont - cpu - cpu-add - device_add - device_del - device-list-properties - dump-guest-memory - eject - expire_password - getfd - human-monitor-command - inject-nmi - input-send-event - job-cancel - job-complete - job-dismiss - job-finalize - job-pause - job-resume - memsave - 
migrate - migrate_cancel - migrate-continue - migrate-incoming - migrate-pause - migrate-resume - migrate-set-cache-size - migrate-set-capabilities - migrate_set_downtime - migrate_set_speed - migrate-set-parameters - migrate-start-postcopy - object-add - object-del - pmemsave - qmp_capabilities - qom-get - qom-list - qom-list-types - qom-set - query-acpi-ospm-status - query-balloon - query-block - query-block-jobs - query-blockstats - query-chardev - query-chardev-backends - query-command-line-options - query-commands - query-cpu-definitions - query-cpu-model-baseline - query-cpu-model-comparison - query-cpu-model-expansion - query-cpus - query-cpus-fast - query-current-machine - query-display-options - query-dump - query-dump-guest-memory-capability - query-events - query-fdsets - query-gic-capabilities - query-hotpluggable-cpus - query-iothreads - query-jobs - query-kvm - query-machines - query-memdev - query-memory-devices - query-memory-size-summary - query-mice - query-migrate - query-migrate-cache-size - query-migrate-capabilities - query-migrate-parameters - query-name - query-named-block-nodes - query-pci - query-pr-managers - query-qmp-schema - query-rocker - query-rocker-of-dpa-flows - query-rocker-of-dpa-groups - query-rocker-ports - query-rx-filter - query-spice - query-status - query-target - query-tpm - query-tpm-models - query-tpm-types - query-uuid - query-version - query-vnc - query-vnc-servers - query-xen-replication-status - quit - remove-fd - ringbuf-read - ringbuf-write - rtc-reset-reinjection - screendump - send-key - set_link - set_password - stop - system_powerdown - system_reset - system_wakeup - trace-event-get-state - trace-event-set-state - transaction - watchdog-set-action - -- The following command line options are unsupported: - -acpitable ... - -bt ... - -chroot ... - -cpu ... 
(all except host) - -curses - -device [adb-keyboard|adb-mouse|adlib|amd-iommu|AMDVI-PCI|ccid-card-emulated| - ccid-card-passthrough|cfi.pflash02|cirrus-vga|cs4231a| - dec-21154-p2p-bridge|dec-21154-sysbus|e1000 e500-ccsr|e500-pcihost| - e500-spin|escc|esp|eTSEC|floppy|generic-sdhci|gus|grackle-pcihost| - host-spapr-cpu-core|hyperv-testdev|i8042|i82374|i82378|ib700|icp| - icp-kvm|ics|icskvm|igd-passthrough-isa-bridge|intel_iommu| - ipmi-bmc-extern|ipmi-bmc-sim|isa-applesmc|isa-debugcon|isa-debug-exit| - isa-fdc|isa-ide|isa-ipmi-bt|isa-ipmi-kcs|isa-m48t59|isa-parallel| - isa-vga|isabus-bridge|kvm-openpic|loader|lsi53c810a|macio-ide| - macio-nvram|mpc8544-guts|mpc8xxx_gpio|ne2k_isa|nvdimm|openpic|pc-dimm| - pc-testdev|pc87312|piix3-ide|piix3-ide|piix3-ide-xen|piix3-usb-uhci| - platform-bus-device|powernv-chip-POWER8|powernv-chip-POWER8E| - powernv-chip-POWER8NVL|powernv-chip-POWER9|powernv-cpu-core-POWER8| - powernv-cpu-core-POWER8E|powernv-cpu-core-POWER8NVL| - powernv-cpu-core-POWER9|ppc4xx-pcihost|prep-systemio|raven-pcihost| - rs6000-mc|sb16|sdhci-pci|sga spapr-nvram|spapr-rng|spapr-rtc| - spapr-tce-table|spapr-vio-bridge|spapr-vlan|spapr-vscsi|spapr-vty| - sysbus-m48t02|sysbus-m48t08|sysbus-m48t59|u3-agp-pcihost| - uni-north-agp-pcihost|uni-north-internal-pci-pcihost|uni-north-pci| - uni-north-pci-pcihost|unimplemented-device|usb-redir| - vfio-pci-igd-lpc-bridge|vfio-pci-nohotplug|vfio-platform| - virtio-crypto-device|vhost-vsock-device|virtconsole|vmgenid| - vmware-svga|xen-backend|xen-pci-passthrough|xen-platform| - xen-pvdevice|xen-sysdev|xlnx.xps-ethernetlite|xlnx.xps-intc| - xlnx.xps-timer|xlnx.xps-uartlite|*-i386-cpu|*-powerpc64-cpu| - *-spapr-cpu-core|*-x86_64-cpu|vmcoreinfo|sii3112|pvrdma|sungem| - ccid-card-emulated|ccid-card-passthru| bochs-display|isa-cirrus-vga| - at24c-eeprom|i2c-ddc|kvaser_pci|m41t80|mioe3680_pci|pcm3680_pci| - ati-vga|cpu-cluster|ds1338|i82801b11-bridge|ib700|ioh3420|mpc-i2c| - 
pcie-pci-bridge|pcie-root-port|platform-ehci-usb|pnv-lpc-POWER8| - pnv-lpc-POWER9|pnv-occ-POWER8|pnv-occ-POWER9|pnv-psi-POWER8| - pnv-psi-POWER9|pnv-xive|powernv-cpu-quad|spapr-drc-phb|spapr-xive| - vfio-amd-xgbe|vfio-calxeda-xgmac|vmxnet3|x3130-upstream| - xio3130-downstream|xive-end-source|xive-source|xive-tctx| - vhost-user-fs-device|tulip|ati-vga] - (the following are aliases of these unsupported devices: lsi| - piix3-usb-uhci|mac-dbdma|ppc4xx-i2c) - (note that some of these device names represent supported devices and - are used internally, but are not specifyable via -device even though - they appear in the list of devices) - -drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2 or - raw] - -dtb file - -enable-hax - -enable-sync-profile - -fda/-fdb ... - -g ... - -hda/-hdb/-hdc/-hdd ... - -icount ... - -L ... - -M [40p|bamboo|g3beige|mac99|mpc8544ds|powernv|powernv8|powernv9|ppce500|prep| - pseries-2.1|pseries-2.2|pseries-2.3|pseries-2.4|pseries-2.5|pseries-2.6| - pseries-2.7|pseries-2.8|pseries-2.9|pseries-2.10|pseries-2.12| - pseries-2.12-sxxm|pseries-3.0|pseries-4.0|pseries-4.1|ref405ep|sam460ex| - taihu|virtex-ml507] - -machine [40p|bamboo|g3beige|mac99|mpc8544ds|powernv|powernv8|powernv9| - ppce500|prep|pseries-2.1|pseries-2.2|pseries-2.3|pseries-2.4| - pseries-2.5|pseries-2.6|pseries-2.7|pseries-2.8|pseries-2.10| - pseries-2.12|pseries-2.12-sxxm|pseries-3.0|pseries-4.0|pseries-4.1| - ref405ep|sam460ex|taihu|virtex-ml507] - -mtdblock file - -net [dump|socket|vde] ... - -netdev [dump|hubport|l2tpv3|socket|vde] ... - -no-acpi - -no-fd-bootchk - -no-hpet - -no-kvm - -no-kvm-irqchip - -no-kvm-pit - -no-kvm-pit-reinjection - -numa ... - -option-rom ... - -overcommit ... - -pflash file - -portrait - -preconfig - -prom-env ... - -qtest ... - -qtest-log ... - -rotate - -sd file - -sdl - -set ... - -singlestep - -snapshot - -soundhw ... - -spice - -tb-size ... - -tpmdev emulator ... 
- -vga [cg3|tcx|virtio|cirrus|xenfb] - -win2k-hack - -xen-attach ... - -xen-domid ... - -- The following monitor commands are unsupported: - acl_add ... - acl_policy ... - acl_remove ... - acl_reset ... - acl_show ... - block_job_cancel ... - block_job_complete ... - block_job_pause ... - block_job_resume ... - block_job_set_speed ... - block_passwd ... - commit ... - drive_mirror ... - expire_password ... - hostfwd_add ... - hostfwd_remove ... - nbd_server_add ... - nbd server_start ... - nbd_server_stop ... - netdev_add - netdev_del ... - pcie_aer_inject_error ... - set_link ... - set_password ... - singlestep ... - snapshot_blkdev ... - stopcapture ... - sync-profile ... - wavcapture ... - x_colo_lost_heartbeat - -- The following QMP commands are unsupported: - block-job-cancel - block-job-complete - block-job-pause - block-job-resume - block-job-set-speed - change-backing-file - drive-backup - drive-mirror - exit_preconfig - dump-skeys - netdev_add - netdev_del - nbd-server-add - nbd-server-start - nbd-server-stop - query-colo-status - query-sev - query-sev-launch-measure - x-blockdev-change - x-blockdev-insert-medium - x-blockdev-remove-medium - x-blockdev-reopen - x-colo-lost-heartbeat - x-exit-preconfig - x-debug-block-dirty-bitmap-sha256 - x-debug-query-block-graph - xen-colo-do-checkpoint - xen-load-devices-state - xen-save-devices-state - xen-set-global-dirty-log - xen-set-replication +QEMU/KVM on ppc is not supported. diff --git a/supported.s390.txt b/supported.s390.txt index 1bfe34a..d6940d7 100644 --- a/supported.s390.txt +++ b/supported.s390.txt 
@@ -29,8 +29,8 @@ Overview program is available for continuity with pre SLES 12 usage, including in libvirt domain xml references. The QEMU emulator binary qemu-system-s390x is now the primary program to use to access KVM virtualization. When using this - program, the -machine option accel=kvm (or its alias -enable-kvm) must be - specified for KVM acceleration to be used by the guest. + program, the -machine option accel=kvm (or its alias -enable-kvm) or --accel + kvm option must be specified for KVM acceleration to be used by the guest. Libvirt is the preferred means of accessing QEMU/KVM functionality and is documented elsewhere. This document focuses on the features and direct usage @@ -164,8 +164,10 @@ Deprecated, Superseded, Modified and Dropped Features considered deprecated. In the future those names will be standardized to acpitable, boot, and smp respectively. -- These previously supported command line options are now considered deprecated: - +- This previously supported command line option is now considered deprecated: + -device virtio-blk,scsi= (use virtio-scsi instead) + -device virtio-blk-pci,scsi= (use virtio-scsi instead) + -realtime mlock= (use -overcommit mem-lock= instead) - These previously supported command line options are no longer supported: diff --git a/supported.x86.txt b/supported.x86.txt index 5310a89..6f46095 100644 --- a/supported.x86.txt +++ b/supported.x86.txt 
@@ -30,9 +30,10 @@ Overview libvirt domain xml references. The QEMU emulator binaries qemu-system-x86_64 and qemu-system-i386 (x86 host) are now the primary programs to use to access KVM virtualization. When using these programs, the -machine option accel=kvm - (or its alias -enable-kvm) must be specified for KVM acceleration to be - used by the guest. Although Xen uses QEMU for virtualization as well, this - document does not identify Xen supported features. + (or its alias -enable-kvm), or --accel kvm option must be specified for KVM + acceleration to be used by the guest. Although Xen uses QEMU for + virtualization as well, this document does not identify Xen supported + features. Libvirt is the preferred means of accessing QEMU/KVM functionality and is documented elsewhere. This document focuses on the features and direct usage @@ -208,8 +209,11 @@ Deprecated, Superseded, Modified and Dropped Features deprecated. - These previously supported command line options are now considered deprecated: - -device ide-drive (use ide-hd or ide-cd) - -device scsi-disk (use scsi-hd or scsi-cd) + -device ide-drive (use ide-hd or ide-cd instead) + -device scsi-disk (use scsi-hd or scsi-cd instead) + -device virtio-blk,scsi= (use virtio-scsi instead) + -device virtio-blk-pci,scsi= (use virtio-scsi instead) + -realtime mlock= (use -overcommit mem-lock= instead) - These previously supported command line options are no longer supported: diff --git a/target-arm-Fix-PAuth-sbox-functions.patch b/target-arm-Fix-PAuth-sbox-functions.patch new file mode 100644 index 0000000..8f8542f --- /dev/null +++ b/target-arm-Fix-PAuth-sbox-functions.patch 
@@ -0,0 +1,48 @@
+From: Vincent Dehors
+Date: Thu, 23 Jan 2020 15:22:38 +0000
+Subject: target/arm: Fix PAuth sbox functions
+
+Git-commit: de0b1bae6461f67243282555475f88b2384a1eb9
+References: bsc#1168681, CVE-2020-10702
+
+In the PAC computation, sbox was applied over wrong bits.
+As this is a 4-bit sbox, bit index should be incremented by 4 instead of 16.
+
+Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was
+used to verify one computation of the pauth_computepac() function which
+uses sbox2.
+
+Launchpad: https://bugs.launchpad.net/bugs/1859713
+Reviewed-by: Richard Henderson
+Signed-off-by: Vincent DEHORS
+Signed-off-by: Adrien GRASSEIN
+Message-id: 20200116230809.19078-2-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell
+Signed-off-by: Peter Maydell
+Signed-off-by: Bruce Rogers
+---
+ target/arm/pauth_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
+index d3194f20437b717ec1cc13a1003e..0a5f41e10c5f03d85a727b2b7c42 100644
+--- a/target/arm/pauth_helper.c
++++ b/target/arm/pauth_helper.c
+@@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i)
+ uint64_t o = 0;
+ int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+ o |= (uint64_t)sub[(i >> b) & 0xf] << b;
+ }
+ return o;
+@@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i)
+ uint64_t o = 0;
+ int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+ o |= (uint64_t)inv_sub[(i >> b) & 0xf] << b;
+ }
+ return o;
diff --git a/target-i386-do-not-set-unsupported-VMX-s.patch b/target-i386-do-not-set-unsupported-VMX-s.patch
new file mode 100644
index 0000000..91277cd
--- /dev/null
+++ b/target-i386-do-not-set-unsupported-VMX-s.patch
@@ -0,0 +1,100 @@ +From: Vitaly Kuznetsov +Date: Tue, 31 Mar 2020 18:27:52 +0200 +Subject: target/i386: do not set unsupported VMX secondary execution controls + +Git-commit: 4a910e1f6ab4155ec8b24c49b2585cc486916985 + +Commit 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for +secondary execution controls") added a workaround for KVM pre-dating +commit 6defc591846d ("KVM: nVMX: include conditional controls in /dev/kvm +KVM_GET_MSRS") which wasn't setting certain available controls. The +workaround uses generic CPUID feature bits to set missing VMX controls. + +It was found that in some cases it is possible to observe hosts which +have certain CPUID features but lack the corresponding VMX control. + +In particular, it was reported that Azure VMs have RDSEED but lack +VMX_SECONDARY_EXEC_RDSEED_EXITING; attempts to enable this feature +bit result in QEMU abort. + +Resolve the issue but not applying the workaround when we don't have +to. As there is no good way to find out if KVM has the fix itself, use +95c5c7c77c ("KVM: nVMX: list VMX MSRs in KVM_GET_MSR_INDEX_LIST") instead +as these [are supposed to] come together. 
+ +Fixes: 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for secondary execution controls") +Suggested-by: Paolo Bonzini +Signed-off-by: Vitaly Kuznetsov +Message-Id: <20200331162752.1209928-1-vkuznets@redhat.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Bruce Rogers +--- + target/i386/kvm.c | 41 ++++++++++++++++++++++++++--------------- + 1 file changed, 26 insertions(+), 15 deletions(-) + +diff --git a/target/i386/kvm.c b/target/i386/kvm.c +index b8ea67a644c802358826a840bdf1..91cd4976e262ad6bbb83206114b3 100644 +--- a/target/i386/kvm.c ++++ b/target/i386/kvm.c +@@ -105,6 +105,7 @@ static bool has_msr_smi_count; + static bool has_msr_arch_capabs; + static bool has_msr_core_capabs; + static bool has_msr_vmx_vmfunc; ++static bool has_msr_vmx_procbased_ctls2; + + static uint32_t has_architectural_pmu_version; + static uint32_t num_architectural_pmu_gp_counters; +@@ -489,21 +490,28 @@ uint64_t kvm_arch_get_supported_msr_feature(KVMState *s, uint32_t index) + value = msr_data.entries[0].data; + switch (index) { + case MSR_IA32_VMX_PROCBASED_CTLS2: +- /* KVM forgot to add these bits for some time, do this ourselves. */ +- if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) & CPUID_XSAVE_XSAVES) { +- value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32; +- } +- if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) & CPUID_EXT_RDRAND) { +- value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32; +- } +- if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & CPUID_7_0_EBX_INVPCID) { +- value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32; +- } +- if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & CPUID_7_0_EBX_RDSEED) { +- value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32; +- } +- if (kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX) & CPUID_EXT2_RDTSCP) { +- value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32; ++ if (!has_msr_vmx_procbased_ctls2) { ++ /* KVM forgot to add these bits for some time, do this ourselves. 
*/ ++ if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) & ++ CPUID_XSAVE_XSAVES) { ++ value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32; ++ } ++ if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) & ++ CPUID_EXT_RDRAND) { ++ value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32; ++ } ++ if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & ++ CPUID_7_0_EBX_INVPCID) { ++ value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32; ++ } ++ if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & ++ CPUID_7_0_EBX_RDSEED) { ++ value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32; ++ } ++ if (kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX) & ++ CPUID_EXT2_RDTSCP) { ++ value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32; ++ } + } + /* fall through */ + case MSR_IA32_VMX_TRUE_PINBASED_CTLS: +@@ -2056,6 +2064,9 @@ static int kvm_get_supported_msrs(KVMState *s) + case MSR_IA32_VMX_VMFUNC: + has_msr_vmx_vmfunc = true; + break; ++ case MSR_IA32_VMX_PROCBASED_CTLS2: ++ has_msr_vmx_procbased_ctls2 = true; ++ break; + } + } + } diff --git a/target-xtensa-fix-pasto-in-pfwait.r-opco.patch b/target-xtensa-fix-pasto-in-pfwait.r-opco.patch new file mode 100644 index 0000000..1ca43ee --- /dev/null +++ b/target-xtensa-fix-pasto-in-pfwait.r-opco.patch 
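Review bot: The new `if (!has_msr_vmx_procbased_ctls2)` guard in kvm_arch_get_supported_msr_feature rests on a proxy that is explained only in the patch description: a KVM that lists MSR_IA32_VMX_PROCBASED_CTLS2 in KVM_GET_MSR_INDEX_LIST is assumed to also report the conditional secondary controls itself. The comment retained inside the guard, `/* KVM forgot to add these bits for some time, do this ourselves. */`, should carry that reasoning so the next reader does not have to dig up the commit, e.g. `/* A KVM that does not list this MSR in KVM_GET_MSR_INDEX_LIST predates the fix that reports conditional controls; derive them from CPUID. Newer KVM reports them itself, and forcing bits it lacks makes it abort. */`. The enclosing switch and function continue outside the hunk.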
@@ -0,0 +1,28 @@
+From: Max Filippov
+Date: Wed, 26 Feb 2020 12:43:52 -0800
+Subject: target/xtensa: fix pasto in pfwait.r opcode name
+
+Git-commit: 1a03362b14affa4d8ddede55df6e21d7a07b87c2
+
+Core xtensa opcode table has pfwait.o instead of pfwait.r. Fix that.
+
+Fixes: c884400f2988 ("target/xtensa: implement block prefetch option opcodes")
+Signed-off-by: Max Filippov
+Signed-off-by: Bruce Rogers
+---
+ target/xtensa/translate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
+index a99f5296e2f4f1d01fd21cfb3fd0..2ec0e5a047ed0e9b9c0926518649 100644
+--- a/target/xtensa/translate.c
++++ b/target/xtensa/translate.c
+@@ -3740,7 +3740,7 @@ static const XtensaOpcodeOps core_ops[] = {
+ .name = "pfwait.a",
+ .translate = translate_nop,
+ }, {
+- .name = "pfwait.o",
++ .name = "pfwait.r",
+ .translate = translate_nop,
+ }, {
+ .name = "pitlb",
diff --git a/tcg-i386-Fix-INDEX_op_dup2_vec.patch b/tcg-i386-Fix-INDEX_op_dup2_vec.patch
new file mode 100644
index 0000000..103f928
--- /dev/null
+++ b/tcg-i386-Fix-INDEX_op_dup2_vec.patch
@@ -0,0 +1,37 @@
+From: Richard Henderson
+Date: Sat, 28 Mar 2020 18:16:10 -0700
+Subject: tcg/i386: Fix INDEX_op_dup2_vec
+
+Git-commit: e20cb81d9c5a3d0f9c08f3642728a210a1c162c9
+
+We were only constructing the 64-bit element, and not
+replicating the 64-bit element across the rest of the vector.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Richard Henderson
+Signed-off-by: Bruce Rogers
+---
+ tcg/i386/tcg-target.inc.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/tcg/i386/tcg-target.inc.c b/tcg/i386/tcg-target.inc.c
+index 9d8ed974e011152d2df4cba613ad..77b78c941c5afcd065a8e153dca7 100644
+--- a/tcg/i386/tcg-target.inc.c
++++ b/tcg/i386/tcg-target.inc.c
+@@ -2855,9 +2855,13 @@ static void tcg_out_vec_op(TCGContext *s, TCGOpcode opc,
+ goto gen_simd;
+ #if TCG_TARGET_REG_BITS == 32
+ case INDEX_op_dup2_vec:
+- /* Constraints have already placed both 32-bit inputs in xmm regs. */
+- insn = OPC_PUNPCKLDQ;
+- goto gen_simd;
++ /* First merge the two 32-bit inputs to a single 64-bit element. */
++ tcg_out_vex_modrm(s, OPC_PUNPCKLDQ, a0, a1, a2);
++ /* Then replicate the 64-bit elements across the rest of the vector. */
++ if (type != TCG_TYPE_V64) {
++ tcg_out_dup_vec(s, type, MO_64, a0, a0);
++ }
++ break;
+ #endif
+ case INDEX_op_abs_vec:
+ insn = abs_insn[vece];
diff --git a/tcg-mips-mips-sync-encode-error.patch b/tcg-mips-mips-sync-encode-error.patch
new file mode 100644
index 0000000..259650f
--- /dev/null
+++ b/tcg-mips-mips-sync-encode-error.patch
@@ -0,0 +1,49 @@
+From: lixinyu
+Date: Sat, 11 Apr 2020 20:46:12 +0800
+Subject: tcg/mips: mips sync* encode error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: a4e57084c16d5b0eff3651693fba04f26b30b551
+
+OPC_SYNC_WMB, OPC_SYNC_MB, OPC_SYNC_ACQUIRE, OPC_SYNC_RELEASE and
+OPC_SYNC_RMB have wrong encode. According to the mips manual,
+their encode should be 'OPC_SYNC | 0x?? << 6' rather than
+'OPC_SYNC | 0x?? << 5'. Wrong encode can lead illegal instruction
+errors. These instructions often appear with multi-threaded
+simulation.
+
+Fixes: 6f0b99104a3 ("tcg/mips: Add support for fence")
+Reviewed-by: Richard Henderson
+Reviewed-by: Aleksandar Markovic
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: lixinyu
+Message-Id: <20200411124612.12560-1-precinct@mail.ustc.edu.cn>
+Signed-off-by: Richard Henderson
+Signed-off-by: Bruce Rogers
+---
+ tcg/mips/tcg-target.inc.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tcg/mips/tcg-target.inc.c b/tcg/mips/tcg-target.inc.c
+index 544216704526a4bd24dce51ade83..006835348fe5c5818d89b0806ba3 100644
+--- a/tcg/mips/tcg-target.inc.c
++++ b/tcg/mips/tcg-target.inc.c
+@@ -404,11 +404,11 @@ typedef enum {
+
+ /* MIPS r6 introduced names for weaker variants of SYNC. These are
+ backward compatible to previous architecture revisions. */
+- OPC_SYNC_WMB = OPC_SYNC | 0x04 << 5,
+- OPC_SYNC_MB = OPC_SYNC | 0x10 << 5,
+- OPC_SYNC_ACQUIRE = OPC_SYNC | 0x11 << 5,
+- OPC_SYNC_RELEASE = OPC_SYNC | 0x12 << 5,
+- OPC_SYNC_RMB = OPC_SYNC | 0x13 << 5,
++ OPC_SYNC_WMB = OPC_SYNC | 0x04 << 6,
++ OPC_SYNC_MB = OPC_SYNC | 0x10 << 6,
++ OPC_SYNC_ACQUIRE = OPC_SYNC | 0x11 << 6,
++ OPC_SYNC_RELEASE = OPC_SYNC | 0x12 << 6,
++ OPC_SYNC_RMB = OPC_SYNC | 0x13 << 6,
+
+ /* Aliases for convenience. */
+ ALIAS_PADD = sizeof(void *) == 4 ? OPC_ADDU : OPC_DADDU,
diff --git a/update_git.sh b/update_git.sh
index 34056cc..c1aff92 100644
--- a/update_git.sh
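Review bot: The corrected `OPC_SYNC | 0x.. << 6` entries encode the SYNC stype field, but nothing in the enum records which bit range that is, which is how the 5-versus-6 error this patch fixes went unnoticed. A comment on the line above the five entries, `/* stype is bits [10:6] of the SYNC encoding; see the MIPS ISA SYNC description */`, would pin the shift to its source. The enclosing `typedef enum` starts outside the hunk.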
+++ b/update_git.sh @@ -1,4 +1,8 @@ #!/bin/bash +#POKEALL used to document where ALL repos are POKED +#POKEALL? question what repos are actually poked here +#TEMP_CHECK - try to eliminate +# !! FIX AFTER RUN - LEAVING REPO NOT IN GOOD STATE # update_git.sh: script to manage package maintenance using a git-based # workflow. Commands are as follows: @@ -64,16 +68,6 @@ fi #============================================================================== TEMP_CHECK() { -# TEMPORARY! FOR NOW WE REQUIRE THESE LOCALLY TO DO WORK ON PACKAGE -REQUIRED_LOCAL_REPO_MAP=( - ~/git/qemu-opensuse - ~/git/qemu-seabios - ~/git/qemu-ipxe - ~/git/qemu-sgabios - ~/git/qemu-skiboot - ~/git/qemu-keycodemapdb - ~/git/qemu-qboot -) # Validate that all the local repos that we currently have patches in are available # TEMPORARY REQUIREMENT! 
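Review bot: The legend added at the top of update_git.sh in the `@@ -1,4` hunk (`#POKEALL used to document where ALL repos are POKED`, `# !! FIX AFTER RUN - LEAVING REPO NOT IN GOOD STATE`) reads as the author's working notes rather than documentation: it never defines what a "poke" is, and the FIX-AFTER-RUN line warns of a known bad state without saying which command leaves which repo in it. Either resolve those items before merging or replace the legend with something a maintainer can act on, e.g. `# POKEALL marks each loop that appears to touch every repo in LOCAL_REPO_MAP; audit these when adding a repo.` The `@@ -64` hunk on the same line also deletes the REQUIRED_LOCAL_REPO_MAP definition from TEMP_CHECK while the comment that follows still promises that the function validates those repos; if the array now lives elsewhere, the comment should say where.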
@@ -129,22 +123,25 @@ touch $BUNDLE_DIR/$GIT_UPSTREAM_COMMIT.id # Now go through all the submodule local repos that are present and create a bundle file for the patches found there for (( i=0; i <$REPO_COUNT; i++ )); do +#POKEALL (conditional on whether it IS there) if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then SUBDIR=${PATCH_PATH_MAP[$i]} GITREPO_COMMIT_ISH=($BUNDLE_DIR/$SUBDIR*.id) if [[ $GITREPO_COMMIT_ISH =~ .*(.{40})[.]id ]]; then GITREPO_COMMIT_ISH=${BASH_REMATCH[1]} echo "Using $GITREPO_COMMIT_ISH" - PATCH_RANGE_INDEX=$i mkdir -p $GIT_DIR/$SUBDIR git -C $GIT_DIR/$SUBDIR init +#POKEALL git -C $GIT_DIR/$SUBDIR remote add origin file://$(readlink -f \ - ${LOCAL_REPO_MAP[$PATCH_RANGE_INDEX]}) - git -C $(readlink -f ${LOCAL_REPO_MAP[$PATCH_RANGE_INDEX]}) remote get-url origin >$BUNDLE_DIR/$SUBDIR/repo + ${LOCAL_REPO_MAP[$i]}) if [[ $(git -C $GIT_DIR/$SUBDIR ls-remote --heads origin $GIT_BRANCH) ]]; then git -C $GIT_DIR/$SUBDIR fetch origin $GIT_BRANCH if [[ $(git -C $GIT_DIR/$SUBDIR rev-list $GITREPO_COMMIT_ISH..FETCH_HEAD) ]]; then git -C $GIT_DIR/$SUBDIR bundle create $BUNDLE_DIR/$SUBDIR$GITREPO_COMMIT_ISH.bundle $GITREPO_COMMIT_ISH..FETCH_HEAD +#TODO: post-process repo info to avoid un-needed diffs (eg git vs https) +#POKEALL + git -C $(readlink -f ${LOCAL_REPO_MAP[$i]}) remote get-url origin >$BUNDLE_DIR/$SUBDIR/repo fi fi fi @@ -180,12 +177,12 @@ for entry in ${BUNDLE_FILES[@]}; do fi for (( i=0; i <$REPO_COUNT; i++ )); do if [[ "$SUBDIR" = "${PATCH_PATH_MAP[$i]}" ]]; then - PATCH_RANGE_INDEX=$i break fi done - LOCAL_REPO=$(readlink -f ${LOCAL_REPO_MAP[$PATCH_RANGE_INDEX]}) +#POKEALL ? + LOCAL_REPO=$(readlink -f ${LOCAL_REPO_MAP[$i]}) if [ -e $LOCAL_REPO ]; then git -C $LOCAL_REPO remote remove bundlerepo || true # git won't let you delete a branch we're on - so get onto master temporarily (TODO: is there a better approach?) 
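Review bot: In the `@@ -180` hunk, `LOCAL_REPO=$(readlink -f ${LOCAL_REPO_MAP[$i]})` now reads the loop index directly, but nothing checks that the search loop above it found a match: when no PATCH_PATH_MAP entry equals `$SUBDIR`, `$i` ends up equal to `$REPO_COUNT`, the array lookup presumably expands to nothing, and the unquoted `[ -e $LOCAL_REPO ]` collapses to `[ -e ]`, which is true, so the git commands that follow run with their path argument missing. The `@@ -334` hunk on the next line guards the identical pattern with `if [[ $i = $REPO_COUNT ]]; then ... exit; fi`; the same guard belongs here, and quoting the test as `[ -e "$LOCAL_REPO" ]` makes it fail closed even without it. The `#POKEALL ?` marker sits exactly where that check should go.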
@@ -283,6 +280,7 @@ mkdir -p $BUNDLE_DIR tar xJf bundles.tar.xz -C $BUNDLE_DIR # Now go through all the submodule local repos that are present and create a bundle file for the patches found there for (( i=0; i <$REPO_COUNT; i++ )); do +#POKEALL if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then if $(git -C ${LOCAL_REPO_MAP[$i]} branch | grep -F "frombundle" >/dev/null); then SUBDIR=${PATCH_PATH_MAP[$i]} @@ -334,15 +332,19 @@ for entry in ${BUNDLE_FILES[@]}; do fi for (( i=0; i <$REPO_COUNT; i++ )); do if [[ "$SUBDIR" = "${PATCH_PATH_MAP[$i]}" ]]; then - PATCH_RANGE_INDEX=$i break fi done + if [[ $i = $REPO_COUNT ]]; then + echo "Error matching bundle dir to project submodule path" + exit + fi mkdir -p $GIT_DIR/$SUBDIR git -C $GIT_DIR/$SUBDIR init +#POKEALL? git -C $GIT_DIR/$SUBDIR remote add origin file://$(readlink -f \ - ${LOCAL_REPO_MAP[$PATCH_RANGE_INDEX]}) + ${LOCAL_REPO_MAP[$i]}) git -C $GIT_DIR/$SUBDIR fetch origin $GIT_BRANCH git -C $GIT_DIR/$SUBDIR reset --hard $GITREPO_COMMIT_ISH git -C $GIT_DIR/$SUBDIR remote add bundle $BUNDLE_DIR/$entry @@ -350,7 +352,7 @@ for entry in ${BUNDLE_FILES[@]}; do git -C $GIT_DIR/$SUBDIR format-patch -N --suffix= --no-renames -o $CMP_DIR -k --stat=72 \ --indent-heuristic --zero-commit --no-signature --full-index \ --src-prefix=a/$SUBDIR --dst-prefix=b/$SUBDIR \ - --start-number=$(expr $PATCH_RANGE_INDEX \* $PATCH_RANGE) \ + --start-number=$(expr $i \* $PATCH_RANGE) \ $GITREPO_COMMIT_ISH..FETCH_HEAD > /dev/null done @@ -584,6 +586,10 @@ rm -rf $BUNDLE_DIR if [ -e qemu.changes.added ]; then rm -f qemu.changes.added fi +# Decide if there is a better way to handle the no change case: + if [[ "0" = "$(expr $CHANGED_COUNT + $DELETED_COUNT + $ADDED_COUNT)" ]]; then + osc revert bundles.tar.xz + fi echo "git patch summary" echo " unchanged: $UNCHANGED_COUNT" echo " changed: $CHANGED_COUNT" 
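Review bot: The new error exit in the `@@ -334` hunk, `echo "Error matching bundle dir to project submodule path"` followed by a bare `exit`, terminates with the status of the echo, i.e. 0, so the script reports success on that failure path to whatever invoked it. Make it `exit 1`; the same bare `exit` is added in the `@@ -611` hunk (main repo missing) and twice in the `@@ -737` hunk (tarball name not matching `$GIT_UPSTREAM_COMMIT_ISH` and the VERSION file), and each of those should carry a non-zero status too.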
@@ -611,9 +617,27 @@ echo "(See script for details on doing 'LATEST' workflow)" #============================================================================== +explain_setup() { +echo "Currently we require local git repos at these locations:" +echo "${REQUIRED_LOCAL_REPO_MAP[@]}" +echo "Where each has as it's remote the uri: https://github.com/opensuse/*.git" +echo "and where * is replaced by the qemu-whatever, and the remote is named origin" +echo "and the qemu or qemu submodule repos as remotes named upstream" +} + +#============================================================================== + +#?? Should we be LATEST or not specific here? +if [[ ! -e $(readlink -f ${LOCAL_REPO_MAP[0]}) ]]; then + echo "ERROR: Main local QEMU related git repo not found. Please follow these setup instructions:" + explain_setup + exit +fi + echo "WARNING: Script using local git repos. Some operations may be time consuming..." #TODO: Most of these checks are not necessary for (( i=0; i <$REPO_COUNT; i++ )); do +#POKEALL if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then if [[ -d ${LOCAL_REPO_MAP[$i]}/.git/rebase-merge || \ -d ${LOCAL_REPO_MAP[$i]}/.git/rebase-apply ]]; then @@ -660,6 +684,7 @@ if [ "$GIT_UPSTREAM_COMMIT_ISH" = "LATEST" ]; then fi fi fi +#POKEALL for (( i=0; i <$REPO_COUNT; i++ )); do if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then git -C ${LOCAL_REPO_MAP[$i]} remote update upstream &> /dev/null 
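Review bot: In the `@@ -611` hunk, `explain_setup` prints `${REQUIRED_LOCAL_REPO_MAP[@]}`, but the only definition of that array visible in this diff is the one the `@@ -64` hunk removes from TEMP_CHECK; unless it is now assigned elsewhere (config.sh, perhaps), the setup instructions shown when the main repo is missing will list no locations at all. Either restore the array at file scope or have the function print LOCAL_REPO_MAP, which the check just above it already uses. Minor: `Where each has as it's remote the uri` should read `its remote`, and the `#?? Should we be LATEST or not specific here?` line is a question left for the reader rather than a comment that explains the check.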
@@ -692,13 +717,13 @@ if [ "$GIT_UPSTREAM_COMMIT_ISH" = "LATEST" ]; then WRITE_LOG=0 echo "Processing LATEST upstream changes" echo "(If SUCCESS is not printed upon completion, see /tmp/latest.log for issues)" - TEMP_CHECK + TEMP_CHECK # DOING LATEST if [[ $QEMU_TARBALL =~ $BASE_RE$EXTRA_RE$SUFFIX_RE ]]; then OLD_COMMIT_ISH=${BASH_REMATCH[3]} else #Assume release (or release candidate) tarball with equivalent tag: OLD_COMMIT_ISH=$(cd ${LOCAL_REPO_MAP[0]} && git rev-list --abbrev-commit \ - --abbrev=9 -1 v$OLD_SOURCE_VERSION_AND_EXTRA) + --abbrev=8 -1 v$OLD_SOURCE_VERSION_AND_EXTRA) fi if [ ${#QEMU_TARBALL_SIG[@]} -ne 0 ]; then echo "INFO: Ignoring signature file: $QEMU_TARBALL_SIG" @@ -737,10 +762,18 @@ if [ "$GIT_UPSTREAM_COMMIT_ISH" = "LATEST" ]; then echo "SUCCESS" tail -9 /tmp/latest.log else # not LATEST + if [ ! "$GIT_UPSTREAM_COMMIT_ISH" = "v$OLD_SOURCE_VERSION_AND_EXTRA" ]; then + echo "Tarball name (which we decode) doesn't correspond to the \$GIT_UPSTREAM_COMMIT_ISH in config.sh" + exit + fi git -C ${LOCAL_REPO_MAP[0]} checkout $GIT_UPSTREAM_COMMIT_ISH --recurse-submodules -f &> /dev/null NEW_COMMIT_ISH= SOURCE_VERSION=$OLD_SOURCE_VERSION_AND_EXTRA QEMU_VERSION=$(tar JxfO qemu-$SOURCE_VERSION$VERSION_EXTRA.tar.xz qemu-$SOURCE_VERSION/VERSION) + if [ ! "$QEMU_VERSION" = "$OLD_SOURCE_VERSION_AND_EXTRA" ]; then + echo "Tarball name (which we decode) doesn't correspond to the VERSION file contained therein" + exit + fi MAJOR_VERSION=$(echo $QEMU_VERSION|awk -F. '{print $1}') MINOR_VERSION=$(echo $QEMU_VERSION|awk -F. '{print $2}') GIT_BRANCH=opensuse-$MAJOR_VERSION.$MINOR_VERSION @@ -755,7 +788,7 @@ else # not LATEST git2pkg ) echo "Updating the package using the $GIT_BRANCH branch of the local repos." echo "(If SUCCESS is not printed upon completion, see /tmp/git2pkg.log for issues)" - TEMP_CHECK + TEMP_CHECK #NOT LATEST initbundle &> /tmp/git2pkg.log bundle2spec &>> /tmp/git2pkg.log echo "SUCCESS" 
@@ -764,7 +797,7 @@ else # not LATEST pkg2git ) echo "Exporting the package's git bundles to the local repo's frombundle branches..." echo "(If SUCCESS is not printed upon completion, see /tmp/pkg2git.log for issues)" - TEMP_CHECK + TEMP_CHECK #NOT LATEST bundle2local &> /tmp/pkg2git.log echo "SUCCESS" echo "To modify package patches, use the frombundle branch as the basis for updating" @@ -775,7 +808,7 @@ else # not LATEST echo "Updating the spec file and patches from the spec file template and the bundle" echo "of bundles (bundles.tar.xz)" echo "(If SUCCESS is not printed upon completion, see /tmp/refresh.log for issues)" - TEMP_CHECK + TEMP_CHECK #NOT LATEST bundle2spec &> /tmp/refresh.log echo "SUCCESS" tail -9 /tmp/refresh.log diff --git a/vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch b/vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch index d4a810c..07f3ac5 100644 --- a/vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch +++ b/vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch @@ -2,7 +2,7 @@ From: Jason Wang Date: Mon, 2 Mar 2020 12:24:54 +0800 Subject: vhost: correctly turn on VIRTIO_F_IOMMU_PLATFORM -References: bsc#1167075 +References: bsc#1167075, bsc#1167445 We turn on device IOTLB via VIRTIO_F_IOMMU_PLATFORM unconditionally on platform without IOMMU support. This can lead unnecessary IOTLB diff --git a/vhost-user-gpu-Release-memory-returned-b.patch b/vhost-user-gpu-Release-memory-returned-b.patch new file mode 100644 index 0000000..a420705 --- /dev/null +++ b/vhost-user-gpu-Release-memory-returned-b.patch 
@@ -0,0 +1,58 @@
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Mon, 23 Mar 2020 12:29:41 +0100
+Subject: vhost-user-gpu: Release memory returned by vu_queue_pop() with free()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 4ff97121a3ee631971aadc87e3d4e7fb66f15aa8
+
+vu_queue_pop() returns memory that must be freed with free().
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Coverity (CID 1421887 ALLOC_FREE_MISMATCH)
+Suggested-by: Peter Maydell
+Signed-off-by: Philippe Mathieu-Daudé
+Reviewed-by: Marc-André Lureau
+Signed-off-by: Peter Maydell
+Signed-off-by: Bruce Rogers
+---
+ contrib/vhost-user-gpu/main.c | 4 ++--
+ contrib/vhost-user-gpu/virgl.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c
+index b45d2019b46bdfac64b59d5702ae..a019d0a9acea61a7629f1c74c79a 100644
+--- a/contrib/vhost-user-gpu/main.c
++++ b/contrib/vhost-user-gpu/main.c
+@@ -848,7 +848,7 @@ vg_handle_ctrl(VuDev *dev, int qidx)
+ QTAILQ_INSERT_TAIL(&vg->fenceq, cmd, next);
+ vg->inflight++;
+ } else {
+- g_free(cmd);
++ free(cmd);
+ }
+ }
+ }
+@@ -939,7 +939,7 @@ vg_handle_cursor(VuDev *dev, int qidx)
+ }
+ vu_queue_push(dev, vq, elem, 0);
+ vu_queue_notify(dev, vq);
+- g_free(elem);
++ free(elem);
+ }
+ }
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 43413e29df9d46739c09d2d501df..b0bc22c3c13db0e8b0b450dac19d 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -519,7 +519,7 @@ virgl_write_fence(void *opaque, uint32_t fence)
+ g_debug("FENCE %" PRIu64, cmd->cmd_hdr.fence_id);
+ vg_ctrl_response_nodata(g, cmd, VIRTIO_GPU_RESP_OK_NODATA);
+ QTAILQ_REMOVE(&g->fenceq, cmd, next);
+- g_free(cmd);
++ free(cmd);
+ g->inflight--;
+ }
+ }
diff --git a/vpc-Don-t-round-up-already-aligned-BAT-s.patch b/vpc-Don-t-round-up-already-aligned-BAT-s.patch
new file mode 100644
index 0000000..98d32e8
--- /dev/null
+++ b/vpc-Don-t-round-up-already-aligned-BAT-s.patch
@@ -0,0 +1,47 @@
+From: Kevin Wolf
+Date: Thu, 2 Apr 2020 11:36:03 +0200
+Subject: vpc: Don't round up already aligned BAT sizes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 3f6de653b946fe849330208becf79d6af7e876cb
+
+As reported on Launchpad, Azure apparently doesn't accept images for
+upload that are not both aligned to 1 MB blocks and have a BAT size that
+matches the image size exactly.
+
+As far as I can tell, there is no real reason why we create a BAT that
+is one entry longer than necessary for aligned image sizes, so change
+that.
+
+(Even though the condition is only mentioned as "should" in the spec and
+previous products accepted larger BATs - but we'll try to maintain
+compatibility with as many of Microsoft's ever-changing interpretations
+of the VHD spec as possible.)
+
+Fixes: https://bugs.launchpad.net/bugs/1870098
+Reported-by: Tobias Witek
+Signed-off-by: Kevin Wolf
+Message-Id: <20200402093603.2369-1-kwolf@redhat.com>
+Reviewed-by: Max Reitz
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Kevin Wolf
+Signed-off-by: Bruce Rogers
+---
+ block/vpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/vpc.c b/block/vpc.c
+index a65550298e195af52c51a31d1f9f..21b08033a6ab56115c6258b7ef3c 100644
+--- a/block/vpc.c
++++ b/block/vpc.c
+@@ -835,7 +835,7 @@ static int create_dynamic_disk(BlockBackend *blk, uint8_t *buf,
+
+ /* Write the footer (twice: at the beginning and at the end) */
+ block_size = 0x200000;
+- num_bat_entries = (total_sectors + block_size / 512) / (block_size / 512);
++ num_bat_entries = DIV_ROUND_UP(total_sectors, block_size / 512);
+
+ ret = blk_pwrite(blk, offset, buf, HEADER_SIZE, 0);
+ if (ret < 0) {
diff --git a/xen-block-Fix-double-qlist-remove-and-re.patch b/xen-block-Fix-double-qlist-remove-and-re.patch
new file mode 100644
index 0000000..fe06357
--- /dev/null
+++ b/xen-block-Fix-double-qlist-remove-and-re.patch
@@ -0,0 +1,155 @@ +From: Anthony PERARD +Date: Mon, 6 Apr 2020 15:02:17 +0100 +Subject: xen-block: Fix double qlist remove and request leak + +Git-commit: 36d883ba0de8a281072ded2b51e0a711fd002139 + +Commit a31ca6801c02 ("qemu/queue.h: clear linked list pointers on +remove") revealed that a request was removed twice from a list, once +in xen_block_finish_request() and a second time in +xen_block_release_request() when both function are called from +xen_block_complete_aio(). But also, the `requests_inflight' counter is +decreased twice, and thus became negative. + +This is a bug that was introduced in bfd0d6366043 ("xen-block: improve +response latency"), where a `finished' list was removed. + +That commit also introduced a leak of request in xen_block_do_aio(). +That function calls xen_block_finish_request() but the request is +never released after that. + +To fix both issue, we do two changes: +- we squash finish_request() and release_request() together as we want + to remove a request from 'inflight' list to add it to 'freelist'. +- before releasing a request, we need to let the other end know the + result, thus we should call xen_block_send_response() before + releasing a request. + +The first change fixes the double QLIST_REMOVE() as we remove the extra +call. The second change makes the leak go away because if we want to +call finish_request(), we need to call a function that does all of +finish, send response, and release. 
+ +Fixes: bfd0d6366043 ("xen-block: improve response latency") +Signed-off-by: Anthony PERARD +Message-Id: <20200406140217.1441858-1-anthony.perard@citrix.com> +Reviewed-by: Paul Durrant +[mreitz: Amended commit message as per Paul's suggestions] +Signed-off-by: Max Reitz +Signed-off-by: Bruce Rogers +--- + hw/block/dataplane/xen-block.c | 48 ++++++++++++---------------------- + 1 file changed, 16 insertions(+), 32 deletions(-) + +diff --git a/hw/block/dataplane/xen-block.c b/hw/block/dataplane/xen-block.c +index 3b9caeb2fa00a1f4eb338fca7a89..c4ed2870ecd779bf40eb4f3eded3 100644 +--- a/hw/block/dataplane/xen-block.c ++++ b/hw/block/dataplane/xen-block.c +@@ -64,6 +64,8 @@ struct XenBlockDataPlane { + AioContext *ctx; + }; + ++static int xen_block_send_response(XenBlockRequest *request); ++ + static void reset_request(XenBlockRequest *request) + { + memset(&request->req, 0, sizeof(request->req)); +@@ -115,23 +117,26 @@ out: + return request; + } + +-static void xen_block_finish_request(XenBlockRequest *request) ++static void xen_block_complete_request(XenBlockRequest *request) + { + XenBlockDataPlane *dataplane = request->dataplane; + +- QLIST_REMOVE(request, list); +- dataplane->requests_inflight--; +-} ++ if (xen_block_send_response(request)) { ++ Error *local_err = NULL; + +-static void xen_block_release_request(XenBlockRequest *request) +-{ +- XenBlockDataPlane *dataplane = request->dataplane; ++ xen_device_notify_event_channel(dataplane->xendev, ++ dataplane->event_channel, ++ &local_err); ++ if (local_err) { ++ error_report_err(local_err); ++ } ++ } + + QLIST_REMOVE(request, list); ++ dataplane->requests_inflight--; + reset_request(request); + request->dataplane = dataplane; + QLIST_INSERT_HEAD(&dataplane->freelist, request, list); +- dataplane->requests_inflight--; + } + + /* +@@ -246,7 +251,6 @@ static int xen_block_copy_request(XenBlockRequest *request) + } + + static int xen_block_do_aio(XenBlockRequest *request); +-static int 
xen_block_send_response(XenBlockRequest *request); + + static void xen_block_complete_aio(void *opaque, int ret) + { +@@ -286,7 +290,6 @@ static void xen_block_complete_aio(void *opaque, int ret) + } + + request->status = request->aio_errors ? BLKIF_RSP_ERROR : BLKIF_RSP_OKAY; +- xen_block_finish_request(request); + + switch (request->req.operation) { + case BLKIF_OP_WRITE: +@@ -306,17 +309,8 @@ static void xen_block_complete_aio(void *opaque, int ret) + default: + break; + } +- if (xen_block_send_response(request)) { +- Error *local_err = NULL; + +- xen_device_notify_event_channel(dataplane->xendev, +- dataplane->event_channel, +- &local_err); +- if (local_err) { +- error_report_err(local_err); +- } +- } +- xen_block_release_request(request); ++ xen_block_complete_request(request); + + if (dataplane->more_work) { + qemu_bh_schedule(dataplane->bh); +@@ -420,8 +414,8 @@ static int xen_block_do_aio(XenBlockRequest *request) + return 0; + + err: +- xen_block_finish_request(request); + request->status = BLKIF_RSP_ERROR; ++ xen_block_complete_request(request); + return -1; + } + +@@ -575,17 +569,7 @@ static bool xen_block_handle_requests(XenBlockDataPlane *dataplane) + break; + }; + +- if (xen_block_send_response(request)) { +- Error *local_err = NULL; +- +- xen_device_notify_event_channel(dataplane->xendev, +- dataplane->event_channel, +- &local_err); +- if (local_err) { +- error_report_err(local_err); +- } +- } +- xen_block_release_request(request); ++ xen_block_complete_request(request); + continue; + } +