From 67e963f7d78a168d74b672688d9ff0d85af73de38dec91f702858998d555ce59 Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Tue, 24 Mar 2020 13:45:55 +0000 Subject: [PATCH 1/3] Accepting request 787812 from home:bfrogers:branches:Virtualization - Note The previous set of s390x patches also includes the fix for: bsc#1167445 OBS-URL: https://build.opensuse.org/request/show/787812 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=539 --- bundles.tar.xz | 4 ++-- qemu.changes | 6 ++++++ s390x-protvirt-Support-unpack-facility.patch | 4 ++-- vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch | 2 +- 4 files changed, 11 insertions(+), 5 deletions(-) diff --git a/bundles.tar.xz b/bundles.tar.xz index e0bd16e..27dfa69 100644 --- a/bundles.tar.xz +++ b/bundles.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:8f2312cc7d4811cb10363273c211a6fcf58361e401b7b0c9824c9ed22c4ce898 -size 121876 +oid sha256:d7bed3704998a1c71915ce16de258559a687e4ec8d8c2deb4c934899cc3708a5 +size 121832 diff --git a/qemu.changes b/qemu.changes index b2c3609..69ef495 100644 --- a/qemu.changes +++ b/qemu.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Mar 24 13:22:36 UTC 2020 - Bruce Rogers + +- Note The previous set of s390x patches also includes the fix for: + bsc#1167445 + ------------------------------------------------------------------- Fri Mar 20 17:27:29 UTC 2020 - Bruce Rogers diff --git a/s390x-protvirt-Support-unpack-facility.patch b/s390x-protvirt-Support-unpack-facility.patch index 7e33141..28ef6d3 100644 --- a/s390x-protvirt-Support-unpack-facility.patch +++ b/s390x-protvirt-Support-unpack-facility.patch @@ -69,7 +69,7 @@ index e02ed80b6829a511362abc3525ec..a46a1c7894e0f612a2d74cec74f6 100644 obj-y += ap-device.o obj-y += ap-bridge.o 
diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c -index ca544d64c5e04782fb49d12521d5..73e5210b4d4e7ad912cfe5475ac4 100644 +index ca544d64c5e04782fb49d12521d5..c343cfb0bed4272cecf31207dae8 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -1,10 +1,11 @@ @@ -139,7 +139,7 @@ index ca544d64c5e04782fb49d12521d5..73e5210b4d4e7ad912cfe5475ac4 100644 + + cpu_physical_memory_read(ipib_pv->pv_header_addr, hdr, + ipib_pv->pv_header_len); -+ rc = s390_pv_set_sec_parms((uint64_t)(uintptr_t)hdr, ++ rc = s390_pv_set_sec_parms((uintptr_t)hdr, + ipib_pv->pv_header_len); + g_free(hdr); + return rc; diff --git a/vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch b/vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch index d4a810c..07f3ac5 100644 --- a/vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch +++ b/vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch @@ -2,7 +2,7 @@ From: Jason Wang Date: Mon, 2 Mar 2020 12:24:54 +0800 Subject: vhost: correctly turn on VIRTIO_F_IOMMU_PLATFORM -References: bsc#1167075 +References: bsc#1167075, bsc#1167445 We turn on device IOTLB via VIRTIO_F_IOMMU_PLATFORM unconditionally on platform without IOMMU support. This can lead unnecessary IOTLB From 22b3f26e048d6bb46d01c1ced44151732f961b6d0c527d10c83ea0c912a91b8c Mon Sep 17 00:00:00 2001 
From: Bruce Rogers Date: Thu, 26 Mar 2020 22:01:41 +0000 Subject: [PATCH 2/3] Accepting request 788690 from home:bfrogers:branches:Virtualization - Include upstream patches targeted for the next stable release (bug fixes only) block-Avoid-memleak-on-qcow2-image-info-.patch block-bdrv_set_backing_bs-fix-use-after-.patch hmp-vnc-Fix-info-vnc-list-leak.patch migration-colo-fix-use-after-free-of-loc.patch migration-ram-fix-use-after-free-of-loca.patch ppc-ppc405_boards-Remove-unnecessary-NUL.patch qcow2-List-autoclear-bit-names-in-header.patch scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch sheepdog-Consistently-set-bdrv_has_zero_.patch OBS-URL: https://build.opensuse.org/request/show/788690 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=541 --- ...k-Avoid-memleak-on-qcow2-image-info-.patch | 33 +++ ...k-bdrv_set_backing_bs-fix-use-after-.patch | 114 ++++++++++ bundles.tar.xz | 4 +- hmp-vnc-Fix-info-vnc-list-leak.patch | 46 ++++ ...ation-colo-fix-use-after-free-of-loc.patch | 31 +++ ...ation-ram-fix-use-after-free-of-loca.patch | 31 +++ ...ppc405_boards-Remove-unnecessary-NUL.patch | 55 +++++ ...2-List-autoclear-bit-names-in-header.patch | 200 ++++++++++++++++++ qemu.changes | 15 ++ qemu.spec | 158 ++++++++------ ...-qemu-pr-helper-Fix-out-of-bounds-ac.patch | 93 ++++++++ ...pdog-Consistently-set-bdrv_has_zero_.patch | 46 ++++ 12 files changed, 754 insertions(+), 72 deletions(-) create mode 100644 block-Avoid-memleak-on-qcow2-image-info-.patch create mode 100644 block-bdrv_set_backing_bs-fix-use-after-.patch create mode 100644 hmp-vnc-Fix-info-vnc-list-leak.patch create mode 100644 migration-colo-fix-use-after-free-of-loc.patch create mode 100644 migration-ram-fix-use-after-free-of-loca.patch create mode 100644 ppc-ppc405_boards-Remove-unnecessary-NUL.patch create mode 100644 qcow2-List-autoclear-bit-names-in-header.patch create mode 100644 scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch create mode 100644 
sheepdog-Consistently-set-bdrv_has_zero_.patch
diff --git a/block-Avoid-memleak-on-qcow2-image-info-.patch b/block-Avoid-memleak-on-qcow2-image-info-.patch
new file mode 100644
index 0000000..4264609
--- /dev/null
+++ b/block-Avoid-memleak-on-qcow2-image-info-.patch
@@ -0,0 +1,33 @@
+From: Eric Blake
+Date: Fri, 20 Mar 2020 13:36:20 -0500
+Subject: block: Avoid memleak on qcow2 image info failure
+
+Git-commit: 71eaec2e8c7c8d266137b5c5f42da0bd6d6b5eb7
+
+If we fail to get bitmap info, we must not leak the encryption info.
+
+Fixes: b8968c875f403
+Fixes: Coverity CID 1421894
+Signed-off-by: Eric Blake
+Message-Id: <20200320183620.1112123-1-eblake@redhat.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy
+Reviewed-by: Andrey Shinkevich
+Tested-by: Andrey Shinkevich
+Signed-off-by: Max Reitz
+Signed-off-by: Bruce Rogers
+---
+ block/qcow2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/qcow2.c b/block/qcow2.c
+index 7c18721741eacfb7f6c2c1f0efe6..13e118e16f02f371c0f23c7aaa8d 100644
+--- a/block/qcow2.c
++++ b/block/qcow2.c
+@@ -4800,6 +4800,7 @@ static ImageInfoSpecific *qcow2_get_specific_info(BlockDriverState *bs,
+ if (local_err) {
+ error_propagate(errp, local_err);
+ qapi_free_ImageInfoSpecific(spec_info);
++ qapi_free_QCryptoBlockInfo(encrypt_info);
+ return NULL;
+ }
+ *spec_info->u.qcow2.data = (ImageInfoSpecificQCow2){
diff --git a/block-bdrv_set_backing_bs-fix-use-after-.patch b/block-bdrv_set_backing_bs-fix-use-after-.patch
new file mode 100644
index 0000000..b53637f
--- /dev/null
+++ b/block-bdrv_set_backing_bs-fix-use-after-.patch
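Review bot: The added `qapi_free_QCryptoBlockInfo(encrypt_info);` on the bitmap-info error path is only safe if encrypt_info is NULL or fully assigned on every path that reaches this branch; its declaration and initialisation lie outside the hunk (qcow2_get_specific_info begins above it), so that should be confirmed rather than assumed. The qapi_free_* functions accept NULL, so an explicit `= NULL` initialiser at the declaration is the cheap way to make this release path unconditionally safe, if it is not already there. The function continues past the end of the hunk.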
@@ -0,0 +1,114 @@ +From: Vladimir Sementsov-Ogievskiy +Date: Mon, 16 Mar 2020 09:06:30 +0300 +Subject: block: bdrv_set_backing_bs: fix use-after-free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 6e57963a77df1e275a73dab4c6a7ec9a9d3468d4 + +There is a use-after-free possible: bdrv_unref_child() leaves +bs->backing freed but not NULL. bdrv_attach_child may produce nested +polling loop due to drain, than access of freed pointer is possible. + +I've produced the following crash on 30 iotest with modified code. It +does not reproduce on master, but still seems possible: + + #0 __strcmp_avx2 () at /lib64/libc.so.6 + #1 bdrv_backing_overridden (bs=0x55c9d3cc2060) at block.c:6350 + #2 bdrv_refresh_filename (bs=0x55c9d3cc2060) at block.c:6404 + #3 bdrv_backing_attach (c=0x55c9d48e5520) at block.c:1063 + #4 bdrv_replace_child_noperm + (child=child@entry=0x55c9d48e5520, + new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2290 + #5 bdrv_replace_child + (child=child@entry=0x55c9d48e5520, + new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2320 + #6 bdrv_root_attach_child + (child_bs=child_bs@entry=0x55c9d3cc2060, + child_name=child_name@entry=0x55c9d241d478 "backing", + child_role=child_role@entry=0x55c9d26ecee0 , + ctx=, perm=, shared_perm=21, + opaque=0x55c9d3c5a3d0, errp=0x7ffd117108e0) at block.c:2424 + #7 bdrv_attach_child + (parent_bs=parent_bs@entry=0x55c9d3c5a3d0, + child_bs=child_bs@entry=0x55c9d3cc2060, + child_name=child_name@entry=0x55c9d241d478 "backing", + child_role=child_role@entry=0x55c9d26ecee0 , + errp=errp@entry=0x7ffd117108e0) at block.c:5876 + #8 in bdrv_set_backing_hd + (bs=bs@entry=0x55c9d3c5a3d0, + backing_hd=backing_hd@entry=0x55c9d3cc2060, + errp=errp@entry=0x7ffd117108e0) + at block.c:2576 + #9 stream_prepare (job=0x55c9d49d84a0) at block/stream.c:150 + #10 job_prepare (job=0x55c9d49d84a0) at job.c:761 + #11 job_txn_apply (txn=, fn=) at + job.c:145 + #12 job_do_finalize (job=0x55c9d49d84a0) at 
job.c:778 + #13 job_completed_txn_success (job=0x55c9d49d84a0) at job.c:832 + #14 job_completed (job=0x55c9d49d84a0) at job.c:845 + #15 job_completed (job=0x55c9d49d84a0) at job.c:836 + #16 job_exit (opaque=0x55c9d49d84a0) at job.c:864 + #17 aio_bh_call (bh=0x55c9d471a160) at util/async.c:117 + #18 aio_bh_poll (ctx=ctx@entry=0x55c9d3c46720) at util/async.c:117 + #19 aio_poll (ctx=ctx@entry=0x55c9d3c46720, + blocking=blocking@entry=true) + at util/aio-posix.c:728 + #20 bdrv_parent_drained_begin_single (poll=true, c=0x55c9d3d558f0) + at block/io.c:121 + #21 bdrv_parent_drained_begin_single (c=c@entry=0x55c9d3d558f0, + poll=poll@entry=true) + at block/io.c:114 + #22 bdrv_replace_child_noperm + (child=child@entry=0x55c9d3d558f0, + new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2258 + #23 bdrv_replace_child + (child=child@entry=0x55c9d3d558f0, + new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2320 + #24 bdrv_root_attach_child + (child_bs=child_bs@entry=0x55c9d3d27300, + child_name=child_name@entry=0x55c9d241d478 "backing", + child_role=child_role@entry=0x55c9d26ecee0 , + ctx=, perm=, shared_perm=21, + opaque=0x55c9d3cc2060, errp=0x7ffd11710c60) at block.c:2424 + #25 bdrv_attach_child + (parent_bs=parent_bs@entry=0x55c9d3cc2060, + child_bs=child_bs@entry=0x55c9d3d27300, + child_name=child_name@entry=0x55c9d241d478 "backing", + child_role=child_role@entry=0x55c9d26ecee0 , + errp=errp@entry=0x7ffd11710c60) at block.c:5876 + #26 bdrv_set_backing_hd + (bs=bs@entry=0x55c9d3cc2060, + backing_hd=backing_hd@entry=0x55c9d3d27300, + errp=errp@entry=0x7ffd11710c60) + at block.c:2576 + #27 stream_prepare (job=0x55c9d495ead0) at block/stream.c:150 + ... 
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy
+Message-Id: <20200316060631.30052-2-vsementsov@virtuozzo.com>
+Reviewed-by: Philippe Mathieu-Daudé
+Reviewed-by: John Snow
+Signed-off-by: Max Reitz
+Signed-off-by: Bruce Rogers
+---
+ block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block.c b/block.c
+index 8539f99ac47cdbf0e9b823751074..3d0134f00b55e0400efc70058d00 100644
+--- a/block.c
++++ b/block.c
+@@ -2577,10 +2577,10 @@ void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd,
+
+ if (bs->backing) {
+ bdrv_unref_child(bs, bs->backing);
++ bs->backing = NULL;
+ }
+
+ if (!backing_hd) {
+- bs->backing = NULL;
+ goto out;
+ }
+
diff --git a/bundles.tar.xz b/bundles.tar.xz
index 27dfa69..d89ea92 100644
--- a/bundles.tar.xz
+++ b/bundles.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:d7bed3704998a1c71915ce16de258559a687e4ec8d8c2deb4c934899cc3708a5
-size 121832
+oid sha256:01029bd0e2cbba3484407c43afb4238a48cc7c66473832fa566be57c0439681e
+size 129648
diff --git a/hmp-vnc-Fix-info-vnc-list-leak.patch b/hmp-vnc-Fix-info-vnc-list-leak.patch
new file mode 100644
index 0000000..2921f74
--- /dev/null
+++ b/hmp-vnc-Fix-info-vnc-list-leak.patch
@@ -0,0 +1,46 @@
+From: "Dr. David Alan Gilbert"
+Date: Mon, 23 Mar 2020 12:08:22 +0000
+Subject: hmp/vnc: Fix info vnc list leak
+
+Git-commit: d4ff109373ce871928c7e9ef648973eba642b484
+
+We're iterating the list, and then freeing the iteration pointer rather
+than the list head.
+
+Fixes: 0a9667ecdb6d ("hmp: Update info vnc")
+Reported-by: Coverity (CID 1421932)
+Signed-off-by: Dr. David Alan Gilbert
+Message-Id: <20200323120822.51266-1-dgilbert@redhat.com>
+Reviewed-by: Peter Maydell
+Signed-off-by: Dr. David Alan Gilbert
+Signed-off-by: Bruce Rogers
+---
+ monitor/hmp-cmds.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
+index b2551c16d129291068ce64b5f1fd..2fdc84ec995449b5139a89575e18 100644
+--- a/monitor/hmp-cmds.c
++++ b/monitor/hmp-cmds.c
+@@ -729,10 +729,11 @@ static void hmp_info_vnc_servers(Monitor *mon, VncServerInfo2List *server)
+
+ void hmp_info_vnc(Monitor *mon, const QDict *qdict)
+ {
+- VncInfo2List *info2l;
++ VncInfo2List *info2l, *info2l_head;
+ Error *err = NULL;
+
+ info2l = qmp_query_vnc_servers(&err);
++ info2l_head = info2l;
+ if (err) {
+ hmp_handle_error(mon, &err);
+ return;
+@@ -761,7 +762,7 @@ void hmp_info_vnc(Monitor *mon, const QDict *qdict)
+ info2l = info2l->next;
+ }
+
+- qapi_free_VncInfo2List(info2l);
++ qapi_free_VncInfo2List(info2l_head);
+
+ }
+ #endif
diff --git a/migration-colo-fix-use-after-free-of-loc.patch b/migration-colo-fix-use-after-free-of-loc.patch
new file mode 100644
index 0000000..1eb189a
--- /dev/null
+++ b/migration-colo-fix-use-after-free-of-loc.patch
@@ -0,0 +1,31 @@
+From: Vladimir Sementsov-Ogievskiy
+Date: Tue, 24 Mar 2020 18:36:28 +0300
+Subject: migration/colo: fix use after free of local_err
+
+Git-commit: 27d07fcfa70c3afa0664288cbce5334ed9595a3a
+
+local_err is used again in secondary_vm_do_failover() after
+replication_stop_all(), so we must zero it. Otherwise try to set
+non-NULL local_err will crash.
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy
+Message-Id: <20200324153630.11882-5-vsementsov@virtuozzo.com>
+Reviewed-by: Dr. David Alan Gilbert
+Signed-off-by: Dr. David Alan Gilbert
+Signed-off-by: Bruce Rogers
+---
+ migration/colo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/migration/colo.c b/migration/colo.c
+index 2c88aa57a29307963a15fc017b1d..6d46800aa6a2617521a36cc0dc33 100644
+--- a/migration/colo.c
++++ b/migration/colo.c
+@@ -92,6 +92,7 @@ static void secondary_vm_do_failover(void)
+ replication_stop_all(true, &local_err);
+ if (local_err) {
+ error_report_err(local_err);
++ local_err = NULL;
+ }
+
+ /* Notify all filters of all NIC to do checkpoint */
diff --git a/migration-ram-fix-use-after-free-of-loca.patch b/migration-ram-fix-use-after-free-of-loca.patch
new file mode 100644
index 0000000..604cc3e
--- /dev/null
+++ b/migration-ram-fix-use-after-free-of-loca.patch
@@ -0,0 +1,31 @@
+From: Vladimir Sementsov-Ogievskiy
+Date: Tue, 24 Mar 2020 18:36:29 +0300
+Subject: migration/ram: fix use after free of local_err
+
+Git-commit: b4a1733c5e6827c72b0dcfa295e07ef7b1ebccff
+
+local_err is used again in migration_bitmap_sync_precopy() after
+precopy_notify(), so we must zero it. Otherwise try to set
+non-NULL local_err will crash.
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy
+Message-Id: <20200324153630.11882-6-vsementsov@virtuozzo.com>
+Reviewed-by: Dr. David Alan Gilbert
+Signed-off-by: Dr. David Alan Gilbert
+Signed-off-by: Bruce Rogers
+---
+ migration/ram.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/migration/ram.c b/migration/ram.c
+index b6de7d1d5552a0aa39b0d232c2d6..c44542175da044c78ef8dc0ce612 100644
+--- a/migration/ram.c
++++ b/migration/ram.c
+@@ -1906,6 +1906,7 @@ static void migration_bitmap_sync_precopy(RAMState *rs)
+ */
+ if (precopy_notify(PRECOPY_NOTIFY_BEFORE_BITMAP_SYNC, &local_err)) {
+ error_report_err(local_err);
++ local_err = NULL;
+ }
+
+ migration_bitmap_sync(rs);
diff --git a/ppc-ppc405_boards-Remove-unnecessary-NUL.patch b/ppc-ppc405_boards-Remove-unnecessary-NUL.patch
new file mode 100644
index 0000000..0a9f319
--- /dev/null
+++ b/ppc-ppc405_boards-Remove-unnecessary-NUL.patch
@@ -0,0 +1,55 @@ +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 20 Mar 2020 16:57:40 +0100 +Subject: ppc/ppc405_boards: Remove unnecessary NULL check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 1583794b9b36911df116cc726750dadbeeac506a + +This code is inside the "if (dinfo)" condition, so testing +again here whether it is NULL is unnecessary. + +Fixes: dd59bcae7 (Don't size flash memory to match backing image) +Reported-by: Coverity (CID 1421917) +Suggested-by: Peter Maydell +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20200320155740.5342-1-philmd@redhat.com> +Reviewed-by: Markus Armbruster +Signed-off-by: David Gibson +Signed-off-by: Bruce Rogers +--- + hw/ppc/ppc405_boards.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/ppc/ppc405_boards.c b/hw/ppc/ppc405_boards.c +index 1f721feed6a4bfc128187aefb5d9..556f3a80ec1ddbc018e00941c5c5 100644 +--- a/hw/ppc/ppc405_boards.c ++++ b/hw/ppc/ppc405_boards.c +@@ -184,7 +184,7 @@ static void ref405ep_init(MachineState *machine) + bios_size = 8 * MiB; + pflash_cfi02_register((uint32_t)(-bios_size), + "ef405ep.bios", bios_size, +- dinfo ? blk_by_legacy_dinfo(dinfo) : NULL, ++ blk_by_legacy_dinfo(dinfo), + 64 * KiB, 1, + 2, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA, + 1); +@@ -450,7 +450,7 @@ static void taihu_405ep_init(MachineState *machine) + bios_size = 2 * MiB; + pflash_cfi02_register(0xFFE00000, + "taihu_405ep.bios", bios_size, +- dinfo ? blk_by_legacy_dinfo(dinfo) : NULL, ++ blk_by_legacy_dinfo(dinfo), + 64 * KiB, 1, + 4, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA, + 1); +@@ -486,7 +486,7 @@ static void taihu_405ep_init(MachineState *machine) + if (dinfo) { + bios_size = 32 * MiB; + pflash_cfi02_register(0xfc000000, "taihu_405ep.flash", bios_size, +- dinfo ? blk_by_legacy_dinfo(dinfo) : NULL, ++ blk_by_legacy_dinfo(dinfo), + 64 * KiB, 1, + 4, 0x0001, 0x22DA, 0x0000, 0x0000, 0x555, 0x2AA, + 1); 
diff --git a/qcow2-List-autoclear-bit-names-in-header.patch b/qcow2-List-autoclear-bit-names-in-header.patch new file mode 100644 index 0000000..0f2e394 --- /dev/null +++ b/qcow2-List-autoclear-bit-names-in-header.patch 
@@ -0,0 +1,200 @@ +From: Eric Blake +Date: Tue, 24 Mar 2020 12:42:31 -0500 +Subject: qcow2: List autoclear bit names in header + +Git-commit bb40ebce2cb0bd4bf37968074d43d5a864fb6dee + +The feature table is supposed to advertise the name of all feature +bits that we support; however, we forgot to update the table for +autoclear bits. While at it, move the table to read-only memory in +code, and tweak the qcow2 spec to name the second autoclear bit. +Update iotests that are affected by the longer header length. + +Fixes: 88ddffae +Fixes: 93c24936 +Signed-off-by: Eric Blake +Reviewed-by: Vladimir Sementsov-Ogievskiy +Message-Id: <20200324174233.1622067-3-eblake@redhat.com> +Signed-off-by: Max Reitz +Signed-off-by: Bruce Rogers +--- + block/qcow2.c | 12 +++++++++++- + docs/interop/qcow2.txt | 3 ++- + tests/qemu-iotests/031.out | 8 ++++---- + tests/qemu-iotests/036.out | 4 ++-- + tests/qemu-iotests/061.out | 14 +++++++------- + 5 files changed, 26 insertions(+), 15 deletions(-) + +diff --git a/block/qcow2.c b/block/qcow2.c +index 13e118e16f02f371c0f23c7aaa8d..77edd98be6fbaf0949dcb7755e48 100644 +--- a/block/qcow2.c ++++ b/block/qcow2.c +@@ -2822,7 +2822,7 @@ int qcow2_update_header(BlockDriverState *bs) + + /* Feature table */ + if (s->qcow_version >= 3) { +- Qcow2Feature features[] = { ++ static const Qcow2Feature features[] = { + { + .type = QCOW2_FEAT_TYPE_INCOMPATIBLE, + .bit = QCOW2_INCOMPAT_DIRTY_BITNR, +@@ -2843,6 +2843,16 @@ int qcow2_update_header(BlockDriverState *bs) + .bit = QCOW2_COMPAT_LAZY_REFCOUNTS_BITNR, + .name = "lazy refcounts", + }, ++ { ++ .type = QCOW2_FEAT_TYPE_AUTOCLEAR, ++ .bit = QCOW2_AUTOCLEAR_BITMAPS_BITNR, ++ .name = "bitmaps", ++ }, ++ { ++ .type = QCOW2_FEAT_TYPE_AUTOCLEAR, ++ .bit = QCOW2_AUTOCLEAR_DATA_FILE_RAW_BITNR, ++ .name = "raw external data", ++ }, + }; + + ret = header_ext_add(buf, QCOW2_EXT_MAGIC_FEATURE_TABLE, +diff --git a/docs/interop/qcow2.txt b/docs/interop/qcow2.txt +index 
af5711e5337191d2c01932b0b3d0..8510d74c807927b86cf76a0f6cb8 100644 +--- a/docs/interop/qcow2.txt ++++ b/docs/interop/qcow2.txt +@@ -138,7 +138,8 @@ in the description of a field. + bit is unset, the bitmaps extension data must be + considered inconsistent. + +- Bit 1: If this bit is set, the external data file can ++ Bit 1: Raw external data bit ++ If this bit is set, the external data file can + be read as a consistent standalone raw image + without looking at the qcow2 metadata. + +diff --git a/tests/qemu-iotests/031.out b/tests/qemu-iotests/031.out +index 68a74d03b9971ea8946e8fce41d6..f1941300d817ef1026046891c4df 100644 +--- a/tests/qemu-iotests/031.out ++++ b/tests/qemu-iotests/031.out +@@ -117,7 +117,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + Header extension: +@@ -150,7 +150,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + Header extension: +@@ -164,7 +164,7 @@ No errors were found on the image. 
+ + magic 0x514649fb + version 3 +-backing_file_offset 0x178 ++backing_file_offset 0x1d8 + backing_file_size 0x17 + cluster_bits 16 + size 67108864 +@@ -188,7 +188,7 @@ data 'host_device' + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + Header extension: +diff --git a/tests/qemu-iotests/036.out b/tests/qemu-iotests/036.out +index e489b443866c515b42be344a9b85..3c19fa1edee7aeee1589a1c68366 100644 +--- a/tests/qemu-iotests/036.out ++++ b/tests/qemu-iotests/036.out +@@ -58,7 +58,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + +@@ -86,7 +86,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + *** done +diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out +index d6a7c2af95f2dcff314f425fd6a3..f98c098b5431072d4e54de1475cc 100644 +--- a/tests/qemu-iotests/061.out ++++ b/tests/qemu-iotests/061.out +@@ -26,7 +26,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + magic 0x514649fb +@@ -84,7 +84,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + magic 0x514649fb +@@ -140,7 +140,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + ERROR cluster 5 refcount=0 reference=1 +@@ -195,7 +195,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + magic 0x514649fb +@@ -264,7 +264,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + read 65536/65536 bytes at offset 44040192 +@@ -298,7 +298,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + ERROR cluster 5 refcount=0 reference=1 +@@ -327,7 +327,7 @@ header_length 104 + + Header extension: + magic 0x6803f857 +-length 192 ++length 288 + data + + read 131072/131072 bytes at offset 0 
diff --git a/qemu.changes b/qemu.changes index 69ef495..48d7b5f 100644 --- a/qemu.changes +++ b/qemu.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Thu Mar 26 18:28:03 UTC 2020 - Bruce Rogers + +- Include upstream patches targeted for the next stable release + (bug fixes only) + block-Avoid-memleak-on-qcow2-image-info-.patch + block-bdrv_set_backing_bs-fix-use-after-.patch + hmp-vnc-Fix-info-vnc-list-leak.patch + migration-colo-fix-use-after-free-of-loc.patch + migration-ram-fix-use-after-free-of-loca.patch + ppc-ppc405_boards-Remove-unnecessary-NUL.patch + qcow2-List-autoclear-bit-names-in-header.patch + scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch + sheepdog-Consistently-set-bdrv_has_zero_.patch + ------------------------------------------------------------------- Tue Mar 24 13:22:36 UTC 2020 - Bruce Rogers diff --git a/qemu.spec b/qemu.spec index 6e0f0eb..5ebe2b2 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -203,76 +203,85 @@ Patch00072: block-qcow2-threads-fix-qcow2_decompress.patch Patch00073: job-refactor-progress-to-separate-object.patch Patch00074: block-block-copy-fix-progress-calculatio.patch Patch00075: block-io-fix-bdrv_co_do_copy_on_readv.patch -Patch00076: target-ppc-Fix-rlwinm-on-ppc64.patch -Patch00077: compat-disable-edid-on-correct-virtio-gp.patch -Patch00078: XXX-dont-dump-core-on-sigabort.patch -Patch00079: qemu-binfmt-conf-Modify-default-path.patch -Patch00080: qemu-cvs-gettimeofday.patch -Patch00081: qemu-cvs-ioctl_debug.patch -Patch00082: qemu-cvs-ioctl_nodirection.patch -Patch00083: linux-user-add-binfmt-wrapper-for-argv-0.patch -Patch00084: PPC-KVM-Disable-mmu-notifier-check.patch -Patch00085: linux-user-binfmt-support-host-binaries.patch -Patch00086: linux-user-Fake-proc-cpuinfo.patch -Patch00087: linux-user-use-target_ulong.patch -Patch00088: Make-char-muxer-more-robust-wrt-small-FI.patch -Patch00089: linux-user-lseek-explicitly-cast-non-set.patch -Patch00090: AIO-Reduce-number-of-threads-for-32bit-h.patch -Patch00091: xen_disk-Add-suse-specific-flush-disable.patch -Patch00092: qemu-bridge-helper-reduce-security-profi.patch -Patch00093: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch -Patch00094: linux-user-properly-test-for-infinite-ti.patch -Patch00095: roms-Makefile-pass-a-packaging-timestamp.patch -Patch00096: Raise-soft-address-space-limit-to-hard-l.patch -Patch00097: increase-x86_64-physical-bits-to-42.patch -Patch00098: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch -Patch00099: i8254-Fix-migration-from-SLE11-SP2.patch -Patch00100: acpi_piix4-Fix-migration-from-SLE11-SP2.patch -Patch00101: Switch-order-of-libraries-for-mpath-supp.patch -Patch00102: Make-installed-scripts-explicitly-python.patch -Patch00103: hw-smbios-handle-both-file-formats-regar.patch -Patch00104: xen-add-block-resize-support-for-xen-dis.patch -Patch00105: tests-qemu-iotests-Triple-timeout-of-i-o.patch -Patch00106: tests-Fix-block-tests-to-be-compatible-w.patch 
-Patch00107: xen-ignore-live-parameter-from-xen-save-.patch -Patch00108: Conditionalize-ui-bitmap-installation-be.patch -Patch00109: tests-change-error-message-in-test-162.patch -Patch00110: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch -Patch00111: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch -Patch00112: hw-intc-exynos4210_gic-provide-more-room.patch -Patch00113: configure-only-populate-roms-if-softmmu.patch -Patch00114: pc-bios-s390-ccw-net-avoid-warning-about.patch -Patch00115: roms-change-cross-compiler-naming-to-be-.patch -Patch00116: tests-Disable-some-block-tests-for-now.patch -Patch00117: test-add-mapping-from-arch-of-i686-to-qe.patch -Patch00118: roms-Makefile-enable-cross-compile-for-b.patch -Patch00119: hw-i386-disable-smbus-migration-for-xenf.patch -Patch00120: s390x-Don-t-do-a-normal-reset-on-the-ini.patch -Patch00121: s390x-Move-reset-normal-to-shared-reset-.patch -Patch00122: s390x-Move-initial-reset.patch -Patch00123: s390x-Move-clear-reset.patch -Patch00124: s390x-kvm-Make-kvm_sclp_service_call-voi.patch -Patch00125: s390x-ipl-Consolidate-iplb-validity-chec.patch -Patch00126: s390x-Beautify-diag308-handling.patch -Patch00127: s390x-Add-missing-vcpu-reset-functions.patch -Patch00128: pc-bios-s390x-Save-iplb-location-in-lowc.patch -Patch00129: s390-sclp-improve-special-wait-psw-logic.patch -Patch00130: s390x-Move-diagnose-308-subcodes-and-rcs.patch -Patch00131: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch -Patch00132: Sync-pv.patch -Patch00133: s390x-protvirt-Support-unpack-facility.patch -Patch00134: s390x-protvirt-Add-migration-blocker.patch -Patch00135: s390x-protvirt-Inhibit-balloon-when-swit.patch -Patch00136: s390x-protvirt-KVM-intercept-changes.patch -Patch00137: s390x-Add-SIDA-memory-ops.patch -Patch00138: s390x-protvirt-Move-STSI-data-over-SIDAD.patch -Patch00139: s390x-protvirt-SCLP-interpretation.patch -Patch00140: s390x-protvirt-Set-guest-IPL-PSW.patch -Patch00141: s390x-protvirt-Move-diag-308-data-over-S.patch -Patch00142: 
s390x-protvirt-Disable-address-checks-fo.patch -Patch00143: s390x-protvirt-Move-IO-control-structure.patch -Patch00144: s390x-protvirt-Handle-SIGP-store-status-.patch -Patch00145: s390x-Add-unpack-facility-feature-to-GA1.patch +Patch00076: scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch +Patch00077: target-ppc-Fix-rlwinm-on-ppc64.patch +Patch00078: compat-disable-edid-on-correct-virtio-gp.patch +Patch00079: ppc-ppc405_boards-Remove-unnecessary-NUL.patch +Patch00080: block-Avoid-memleak-on-qcow2-image-info-.patch +Patch00081: block-bdrv_set_backing_bs-fix-use-after-.patch +Patch00082: hmp-vnc-Fix-info-vnc-list-leak.patch +Patch00083: migration-colo-fix-use-after-free-of-loc.patch +Patch00084: migration-ram-fix-use-after-free-of-loca.patch +Patch00085: qcow2-List-autoclear-bit-names-in-header.patch +Patch00086: sheepdog-Consistently-set-bdrv_has_zero_.patch +Patch00087: XXX-dont-dump-core-on-sigabort.patch +Patch00088: qemu-binfmt-conf-Modify-default-path.patch +Patch00089: qemu-cvs-gettimeofday.patch +Patch00090: qemu-cvs-ioctl_debug.patch +Patch00091: qemu-cvs-ioctl_nodirection.patch +Patch00092: linux-user-add-binfmt-wrapper-for-argv-0.patch +Patch00093: PPC-KVM-Disable-mmu-notifier-check.patch +Patch00094: linux-user-binfmt-support-host-binaries.patch +Patch00095: linux-user-Fake-proc-cpuinfo.patch +Patch00096: linux-user-use-target_ulong.patch +Patch00097: Make-char-muxer-more-robust-wrt-small-FI.patch +Patch00098: linux-user-lseek-explicitly-cast-non-set.patch +Patch00099: AIO-Reduce-number-of-threads-for-32bit-h.patch +Patch00100: xen_disk-Add-suse-specific-flush-disable.patch +Patch00101: qemu-bridge-helper-reduce-security-profi.patch +Patch00102: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch +Patch00103: linux-user-properly-test-for-infinite-ti.patch +Patch00104: roms-Makefile-pass-a-packaging-timestamp.patch +Patch00105: Raise-soft-address-space-limit-to-hard-l.patch +Patch00106: increase-x86_64-physical-bits-to-42.patch +Patch00107: 
vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch +Patch00108: i8254-Fix-migration-from-SLE11-SP2.patch +Patch00109: acpi_piix4-Fix-migration-from-SLE11-SP2.patch +Patch00110: Switch-order-of-libraries-for-mpath-supp.patch +Patch00111: Make-installed-scripts-explicitly-python.patch +Patch00112: hw-smbios-handle-both-file-formats-regar.patch +Patch00113: xen-add-block-resize-support-for-xen-dis.patch +Patch00114: tests-qemu-iotests-Triple-timeout-of-i-o.patch +Patch00115: tests-Fix-block-tests-to-be-compatible-w.patch +Patch00116: xen-ignore-live-parameter-from-xen-save-.patch +Patch00117: Conditionalize-ui-bitmap-installation-be.patch +Patch00118: tests-change-error-message-in-test-162.patch +Patch00119: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch +Patch00120: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch +Patch00121: hw-intc-exynos4210_gic-provide-more-room.patch +Patch00122: configure-only-populate-roms-if-softmmu.patch +Patch00123: pc-bios-s390-ccw-net-avoid-warning-about.patch +Patch00124: roms-change-cross-compiler-naming-to-be-.patch +Patch00125: tests-Disable-some-block-tests-for-now.patch +Patch00126: test-add-mapping-from-arch-of-i686-to-qe.patch +Patch00127: roms-Makefile-enable-cross-compile-for-b.patch +Patch00128: hw-i386-disable-smbus-migration-for-xenf.patch +Patch00129: s390x-Don-t-do-a-normal-reset-on-the-ini.patch +Patch00130: s390x-Move-reset-normal-to-shared-reset-.patch +Patch00131: s390x-Move-initial-reset.patch +Patch00132: s390x-Move-clear-reset.patch +Patch00133: s390x-kvm-Make-kvm_sclp_service_call-voi.patch +Patch00134: s390x-ipl-Consolidate-iplb-validity-chec.patch +Patch00135: s390x-Beautify-diag308-handling.patch +Patch00136: s390x-Add-missing-vcpu-reset-functions.patch +Patch00137: pc-bios-s390x-Save-iplb-location-in-lowc.patch +Patch00138: s390-sclp-improve-special-wait-psw-logic.patch +Patch00139: s390x-Move-diagnose-308-subcodes-and-rcs.patch +Patch00140: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch +Patch00141: Sync-pv.patch 
+Patch00142: s390x-protvirt-Support-unpack-facility.patch +Patch00143: s390x-protvirt-Add-migration-blocker.patch +Patch00144: s390x-protvirt-Inhibit-balloon-when-swit.patch +Patch00145: s390x-protvirt-KVM-intercept-changes.patch +Patch00146: s390x-Add-SIDA-memory-ops.patch +Patch00147: s390x-protvirt-Move-STSI-data-over-SIDAD.patch +Patch00148: s390x-protvirt-SCLP-interpretation.patch +Patch00149: s390x-protvirt-Set-guest-IPL-PSW.patch +Patch00150: s390x-protvirt-Move-diag-308-data-over-S.patch +Patch00151: s390x-protvirt-Disable-address-checks-fo.patch +Patch00152: s390x-protvirt-Move-IO-control-structure.patch +Patch00153: s390x-protvirt-Handle-SIGP-store-status-.patch +Patch00154: s390x-Add-unpack-facility-feature-to-GA1.patch # Patches applied in roms/seabios/: Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch @@ -1134,6 +1143,15 @@ This package provides a service file for starting and stopping KSM. %patch00143 -p1 %patch00144 -p1 %patch00145 -p1 +%patch00146 -p1 +%patch00147 -p1 +%patch00148 -p1 +%patch00149 -p1 +%patch00150 -p1 +%patch00151 -p1 +%patch00152 -p1 +%patch00153 -p1 +%patch00154 -p1 %patch01000 -p1 %patch01001 -p1 %patch01002 -p1 diff --git a/scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch b/scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch new file mode 100644 index 0000000..3828f4a --- /dev/null +++ b/scsi-qemu-pr-helper-Fix-out-of-bounds-ac.patch 
@@ -0,0 +1,93 @@ +From: Christophe de Dinechin +Date: Fri, 28 Feb 2020 16:00:59 +0100 +Subject: scsi/qemu-pr-helper: Fix out-of-bounds access to trnptid_list[] +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 4ce1e15fbc7266a108a7c77a3962644b3935346e + +Compile error reported by gcc 10.0.1: + +scsi/qemu-pr-helper.c: In function ‘multipath_pr_out’: +scsi/qemu-pr-helper.c:523:32: error: array subscript is outside array bounds of ‘struct transportid *[0]’ [-Werror=array-bounds] + 523 | paramp.trnptid_list[paramp.num_transportid++] = id; + | ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ +In file included from scsi/qemu-pr-helper.c:36: +/usr/include/mpath_persist.h:168:22: note: while referencing ‘trnptid_list’ + 168 | struct transportid *trnptid_list[]; + | ^~~~~~~~~~~~ +scsi/qemu-pr-helper.c:424:35: note: defined here ‘paramp’ + 424 | struct prout_param_descriptor paramp; + | ^~~~~~ + +This highlights an actual implementation issue in function multipath_pr_out. +The variable paramp is declared with type `struct prout_param_descriptor`, +which is a struct terminated by an empty array in mpath_persist.h: + + struct transportid *trnptid_list[]; + +That empty array was filled with code that looked like that: + + trnptid_list[paramp.descr.num_transportid++] = id; + +This is an actual out-of-bounds access. + +The fix is to malloc `paramp`. 
+ +Signed-off-by: Christophe de Dinechin +Signed-off-by: Paolo Bonzini +Signed-off-by: Bruce Rogers +--- + scsi/qemu-pr-helper.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c +index debb18f4aa5d55a1720587cf82ea..38c273de19573ad8421da6439153 100644 +--- a/scsi/qemu-pr-helper.c ++++ b/scsi/qemu-pr-helper.c +@@ -421,10 +421,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, + int rq_servact = cdb[1]; + int rq_scope = cdb[2] >> 4; + int rq_type = cdb[2] & 0xf; +- struct prout_param_descriptor paramp; ++ g_autofree struct prout_param_descriptor *paramp = NULL; + char transportids[PR_HELPER_DATA_SIZE]; + int r; + ++ paramp = g_malloc0(sizeof(struct prout_param_descriptor) ++ + sizeof(struct transportid *) * MPATH_MX_TIDS); ++ + if (sz < PR_OUT_FIXED_PARAM_SIZE) { + /* Illegal request, Parameter list length error. This isn't fatal; + * we have read the data, send an error without closing the socket. +@@ -454,10 +457,9 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, + * used by libmpathpersist (which, of course, will immediately + * do the opposite). + */ +- memset(¶mp, 0, sizeof(paramp)); +- memcpy(¶mp.key, ¶m[0], 8); +- memcpy(¶mp.sa_key, ¶m[8], 8); +- paramp.sa_flags = param[20]; ++ memcpy(¶mp->key, ¶m[0], 8); ++ memcpy(¶mp->sa_key, ¶m[8], 8); ++ paramp->sa_flags = param[20]; + if (sz > PR_OUT_FIXED_PARAM_SIZE) { + size_t transportid_len; + int i, j; +@@ -520,12 +522,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, + return CHECK_CONDITION; + } + +- paramp.trnptid_list[paramp.num_transportid++] = id; ++ assert(paramp->num_transportid < MPATH_MX_TIDS); ++ paramp->trnptid_list[paramp->num_transportid++] = id; + } + } + + r = mpath_persistent_reserve_out(fd, rq_servact, rq_scope, rq_type, +- ¶mp, noisy, verbose); ++ paramp, noisy, verbose); + return mpath_reconstruct_sense(fd, r, sense); + } + #endif 
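Review bot: The `assert(paramp->num_transportid < MPATH_MX_TIDS)` placed before the list store is the only bound visible here on how many transport IDs get appended, and the data being parsed is the PR OUT parameter list the helper receives from its client; the loop that fills the list starts outside the hunk, so unless its per-entry minimum size guarantees that fewer than MPATH_MX_TIDS entries fit in PR_HELPER_DATA_SIZE bytes, a malformed request aborts the helper instead of being rejected. I would turn the assert into an input check that takes the same route as the `return CHECK_CONDITION;` just above it, e.g. `if (paramp->num_transportid >= MPATH_MX_TIDS) { return CHECK_CONDITION; }` (setting sense the way the surrounding error paths do, which are outside the hunk). A short comment at the g_malloc0 stating that MPATH_MX_TIDS slots are reserved because the flexible array in mpath_persist.h carries no size of its own would also help the next reader. The body of multipath_pr_out starts before the first hunk.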
diff --git a/sheepdog-Consistently-set-bdrv_has_zero_.patch b/sheepdog-Consistently-set-bdrv_has_zero_.patch
new file mode 100644
index 0000000..f7904f0
--- /dev/null
+++ b/sheepdog-Consistently-set-bdrv_has_zero_.patch
@@ -0,0 +1,46 @@ +From: Eric Blake +Date: Tue, 24 Mar 2020 12:42:33 -0500 +Subject: sheepdog: Consistently set bdrv_has_zero_init_truncate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: ed049910637be991c88cc25c864115bc5b1e4dab + +block_int.h claims that .bdrv_has_zero_init must return 0 if +.bdrv_has_zero_init_truncate does likewise; but this is violated if +only the former callback is provided if .bdrv_co_truncate also exists. +When adding the latter callback, it was mistakenly added to only one +of the three possible sheepdog instantiations. + +Fixes: 1dcaf527 +Signed-off-by: Eric Blake +Message-Id: <20200324174233.1622067-5-eblake@redhat.com> +Reviewed-by: John Snow +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Max Reitz +Signed-off-by: Bruce Rogers +--- + block/sheepdog.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/block/sheepdog.c b/block/sheepdog.c +index cfa84338a2d6b653ce243ae53c7a..522c16a936762ff00ee23a5e9ca3 100644 +--- a/block/sheepdog.c ++++ b/block/sheepdog.c +@@ -3269,6 +3269,7 @@ static BlockDriver bdrv_sheepdog_tcp = { + .bdrv_co_create = sd_co_create, + .bdrv_co_create_opts = sd_co_create_opts, + .bdrv_has_zero_init = bdrv_has_zero_init_1, ++ .bdrv_has_zero_init_truncate = bdrv_has_zero_init_1, + .bdrv_getlength = sd_getlength, + .bdrv_get_allocated_file_size = sd_get_allocated_file_size, + .bdrv_co_truncate = sd_co_truncate, +@@ -3307,6 +3308,7 @@ static BlockDriver bdrv_sheepdog_unix = { + .bdrv_co_create = sd_co_create, + .bdrv_co_create_opts = sd_co_create_opts, + .bdrv_has_zero_init = bdrv_has_zero_init_1, ++ .bdrv_has_zero_init_truncate = bdrv_has_zero_init_1, + .bdrv_getlength = sd_getlength, + .bdrv_get_allocated_file_size = sd_get_allocated_file_size, + .bdrv_co_truncate = sd_co_truncate, From 7325eaecfbc262f5e1d044fff10d5ef5959d6ece5f35f1d42552de5aad0e2257 Mon Sep 17 00:00:00 2001 
From: Bruce Rogers Date: Fri, 17 Apr 2020 20:48:15 +0000 Subject: [PATCH 3/3] Accepting request 795118 from home:bfrogers:branches:Virtualization - Include upstream patches targeted for the next stable release (bug fixes only) spapr-Fix-failure-path-for-attempting-to.patch target-i386-do-not-set-unsupported-VMX-s.patch target-xtensa-fix-pasto-in-pfwait.r-opco.patch tcg-i386-Fix-INDEX_op_dup2_vec.patch tcg-mips-mips-sync-encode-error.patch vhost-user-gpu-Release-memory-returned-b.patch vpc-Don-t-round-up-already-aligned-BAT-s.patch xen-block-Fix-double-qlist-remove-and-re.patch - Fix bug causing weak encryption in PAuth for ARM (CVE-2020-10702 bsc#1168681) target-arm-Fix-PAuth-sbox-functions.patch - Fix OOB in tulip NIC emulation (CVE-2020-11102 bsc#1168713 net-tulip-check-frame-size-and-r-w-data-.patch - Note that previously included patch addresses CVE-2020-1711 and bsc#1166240 iscsi-Cap-block-count-from-GET-LBA-STATU.patch - Include performance improvement (and related?) patch aio-wait-delegate-polling-of-main-AioCon.patch async-use-explicit-memory-barriers.patch - Rework previous patch at Olaf H.'s direction hw-i386-disable-smbus-migration-for-xenf.patch - Eliminate is_opensuse usage in producing seabios version string what we are doing here is just replacing the upstream string with one indicating that the openSUSE build service built it, and so just leave it as "-rebuilt.opensuse.org" - Alter algorithm used to produce "unique" symbol for coordinating qemu with the optional modules it may load. 
This is a reasonable relaxation for broader compatibility configure-remove-pkgversion-from-CONFIG_.patch - Tweak supported.*.txt for latest deprecations, and other fixes - Tweak update_git.sh, config.sh - One more fix is needed for: s390x Protected Virtualization support - start and control guest in secure mode (bsc#1167075 jsc#SLE-7407) s390x-s390-virtio-ccw-Fix-build-on-syste.patch OBS-URL: https://build.opensuse.org/request/show/795118 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=542 --- ...wait-delegate-polling-of-main-AioCon.patch | 116 +++ async-use-explicit-memory-barriers.patch | 168 ++++ bundles.tar.xz | 4 +- config.sh | 11 + ...igure-remove-pkgversion-from-CONFIG_.patch | 32 + ...386-disable-smbus-migration-for-xenf.patch | 14 +- ...i-Cap-block-count-from-GET-LBA-STATU.patch | 1 + ...tulip-check-frame-size-and-r-w-data-.patch | 144 ++++ qemu.changes | 44 + qemu.spec | 170 ++-- qemu.spec.in | 6 +- ...x-s390-virtio-ccw-Fix-build-on-syste.patch | 129 +++ ...r-Fix-failure-path-for-attempting-to.patch | 33 + supported.arm.txt | 14 +- supported.ppc.txt | 783 +----------------- supported.s390.txt | 10 +- supported.x86.txt | 14 +- target-arm-Fix-PAuth-sbox-functions.patch | 48 ++ ...et-i386-do-not-set-unsupported-VMX-s.patch | 100 +++ ...et-xtensa-fix-pasto-in-pfwait.r-opco.patch | 28 + tcg-i386-Fix-INDEX_op_dup2_vec.patch | 37 + tcg-mips-mips-sync-encode-error.patch | 49 ++ update_git.sh | 79 +- ...t-user-gpu-Release-memory-returned-b.patch | 58 ++ ...Don-t-round-up-already-aligned-BAT-s.patch | 47 ++ ...block-Fix-double-qlist-remove-and-re.patch | 155 ++++ 26 files changed, 1389 insertions(+), 905 deletions(-) create mode 100644 aio-wait-delegate-polling-of-main-AioCon.patch create mode 100644 async-use-explicit-memory-barriers.patch create mode 100644 configure-remove-pkgversion-from-CONFIG_.patch create mode 100644 net-tulip-check-frame-size-and-r-w-data-.patch create mode 100644 
s390x-s390-virtio-ccw-Fix-build-on-syste.patch
create mode 100644 spapr-Fix-failure-path-for-attempting-to.patch
create mode 100644 target-arm-Fix-PAuth-sbox-functions.patch
create mode 100644 target-i386-do-not-set-unsupported-VMX-s.patch
create mode 100644 target-xtensa-fix-pasto-in-pfwait.r-opco.patch
create mode 100644 tcg-i386-Fix-INDEX_op_dup2_vec.patch
create mode 100644 tcg-mips-mips-sync-encode-error.patch
create mode 100644 vhost-user-gpu-Release-memory-returned-b.patch
create mode 100644 vpc-Don-t-round-up-already-aligned-BAT-s.patch
create mode 100644 xen-block-Fix-double-qlist-remove-and-re.patch
diff --git a/aio-wait-delegate-polling-of-main-AioCon.patch b/aio-wait-delegate-polling-of-main-AioCon.patch
new file mode 100644
index 0000000..c9be72b
--- /dev/null
+++ b/aio-wait-delegate-polling-of-main-AioCon.patch
@@ -0,0 +1,116 @@ +From: Paolo Bonzini +Date: Tue, 7 Apr 2020 10:07:45 -0400 +Subject: aio-wait: delegate polling of main AioContext if BQL not held + +Git-commit: 3c18a92dc4b55ca8cc37a755ed119f11c0f34099 + +Any thread that is not a iothread returns NULL for qemu_get_current_aio_context(). +As a result, it would also return true for +in_aio_context_home_thread(qemu_get_aio_context()), causing +AIO_WAIT_WHILE to invoke aio_poll() directly. This is incorrect +if the BQL is not held, because aio_poll() does not expect to +run concurrently from multiple threads, and it can actually +happen when savevm writes to the vmstate file from the +migration thread. + +Therefore, restrict in_aio_context_home_thread to return true +for the main AioContext only if the BQL is held. + +The function is moved to aio-wait.h because it is mostly used +there and to avoid a circular reference between main-loop.h +and block/aio.h. + +Signed-off-by: Paolo Bonzini +Message-Id: <20200407140746.8041-5-pbonzini@redhat.com> +Signed-off-by: Stefan Hajnoczi +Signed-off-by: Bruce Rogers +--- + include/block/aio-wait.h | 22 ++++++++++++++++++++++ + include/block/aio.h | 29 ++++++++++------------------- + 2 files changed, 32 insertions(+), 19 deletions(-) + +diff --git a/include/block/aio-wait.h b/include/block/aio-wait.h +index afeeb18f95ebb593982b5d3f8917..716d2639df708f03e3f29d68315b 100644 +--- a/include/block/aio-wait.h ++++ b/include/block/aio-wait.h +@@ -26,6 +26,7 @@ + #define QEMU_AIO_WAIT_H + + #include "block/aio.h" ++#include "qemu/main-loop.h" + + /** + * AioWait: +@@ -124,4 +125,25 @@ void aio_wait_kick(void); + */ + void aio_wait_bh_oneshot(AioContext *ctx, QEMUBHFunc *cb, void *opaque); + ++/** ++ * in_aio_context_home_thread: ++ * @ctx: the aio context ++ * ++ * Return whether we are running in the thread that normally runs @ctx. Note ++ * that acquiring/releasing ctx does not affect the outcome, each AioContext ++ * still only has one home thread that is responsible for running it. 
++ */ ++static inline bool in_aio_context_home_thread(AioContext *ctx) ++{ ++ if (ctx == qemu_get_current_aio_context()) { ++ return true; ++ } ++ ++ if (ctx == qemu_get_aio_context()) { ++ return qemu_mutex_iothread_locked(); ++ } else { ++ return false; ++ } ++} ++ + #endif /* QEMU_AIO_WAIT_H */ +diff --git a/include/block/aio.h b/include/block/aio.h +index 6b0d52f732b86caef07602281574..9d28e247df7f0d3a556644fcd9d1 100644 +--- a/include/block/aio.h ++++ b/include/block/aio.h +@@ -60,12 +60,16 @@ struct AioContext { + QLIST_HEAD(, AioHandler) aio_handlers; + + /* Used to avoid unnecessary event_notifier_set calls in aio_notify; +- * accessed with atomic primitives. If this field is 0, everything +- * (file descriptors, bottom halves, timers) will be re-evaluated +- * before the next blocking poll(), thus the event_notifier_set call +- * can be skipped. If it is non-zero, you may need to wake up a +- * concurrent aio_poll or the glib main event loop, making +- * event_notifier_set necessary. ++ * only written from the AioContext home thread, or under the BQL in ++ * the case of the main AioContext. However, it is read from any ++ * thread so it is still accessed with atomic primitives. ++ * ++ * If this field is 0, everything (file descriptors, bottom halves, ++ * timers) will be re-evaluated before the next blocking poll() or ++ * io_uring wait; therefore, the event_notifier_set call can be ++ * skipped. If it is non-zero, you may need to wake up a concurrent ++ * aio_poll or the glib main event loop, making event_notifier_set ++ * necessary. + * + * Bit 0 is reserved for GSource usage of the AioContext, and is 1 + * between a call to aio_ctx_prepare and the next call to aio_ctx_check. +@@ -580,19 +584,6 @@ void aio_co_enter(AioContext *ctx, struct Coroutine *co); + */ + AioContext *qemu_get_current_aio_context(void); + +-/** +- * in_aio_context_home_thread: +- * @ctx: the aio context +- * +- * Return whether we are running in the thread that normally runs @ctx. 
Note +- * that acquiring/releasing ctx does not affect the outcome, each AioContext +- * still only has one home thread that is responsible for running it. +- */ +-static inline bool in_aio_context_home_thread(AioContext *ctx) +-{ +- return ctx == qemu_get_current_aio_context(); +-} +- + /** + * aio_context_setup: + * @ctx: the aio context diff --git a/async-use-explicit-memory-barriers.patch b/async-use-explicit-memory-barriers.patch new file mode 100644 index 0000000..6f6f4eb --- /dev/null +++ b/async-use-explicit-memory-barriers.patch 
@@ -0,0 +1,168 @@ +From: Paolo Bonzini +Date: Tue, 7 Apr 2020 10:07:46 -0400 +Subject: async: use explicit memory barriers + +Git-commit: 5710a3e09f9b85801e5ce70797a4a511e5fc9e2c + +When using C11 atomics, non-seqcst reads and writes do not participate +in the total order of seqcst operations. In util/async.c and util/aio-posix.c, +in particular, the pattern that we use + + write ctx->notify_me write bh->scheduled + read bh->scheduled read ctx->notify_me + if !bh->scheduled, sleep if ctx->notify_me, notify + +needs to use seqcst operations for both the write and the read. In +general this is something that we do not want, because there can be +many sources that are polled in addition to bottom halves. The +alternative is to place a seqcst memory barrier between the write +and the read. This also comes with a disadvantage, in that the +memory barrier is implicit on strongly-ordered architectures and +it wastes a few dozen clock cycles. + +Fortunately, ctx->notify_me is never written concurrently by two +threads, so we can assert that and relax the writes to ctx->notify_me. +The resulting solution works and performs well on both aarch64 and x86. + +Note that the atomic_set/atomic_read combination is not an atomic +read-modify-write, and therefore it is even weaker than C11 ATOMIC_RELAXED; +on x86, ATOMIC_RELAXED compiles to a locked operation. 
+ +Analyzed-by: Ying Fang +Signed-off-by: Paolo Bonzini +Tested-by: Ying Fang +Message-Id: <20200407140746.8041-6-pbonzini@redhat.com> +Signed-off-by: Stefan Hajnoczi +Signed-off-by: Bruce Rogers +--- + util/aio-posix.c | 16 ++++++++++++++-- + util/aio-win32.c | 17 ++++++++++++++--- + util/async.c | 16 ++++++++++++---- + 3 files changed, 40 insertions(+), 9 deletions(-) + +diff --git a/util/aio-posix.c b/util/aio-posix.c +index a4977f538ef28d56178267a1795c..fe2a46c439fa1505f5f688274566 100644 +--- a/util/aio-posix.c ++++ b/util/aio-posix.c +@@ -616,6 +616,11 @@ bool aio_poll(AioContext *ctx, bool blocking) + int64_t timeout; + int64_t start = 0; + ++ /* ++ * There cannot be two concurrent aio_poll calls for the same AioContext (or ++ * an aio_poll concurrent with a GSource prepare/check/dispatch callback). ++ * We rely on this below to avoid slow locked accesses to ctx->notify_me. ++ */ + assert(in_aio_context_home_thread(ctx)); + + /* aio_notify can avoid the expensive event_notifier_set if +@@ -626,7 +631,13 @@ bool aio_poll(AioContext *ctx, bool blocking) + * so disable the optimization now. + */ + if (blocking) { +- atomic_add(&ctx->notify_me, 2); ++ atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) + 2); ++ /* ++ * Write ctx->notify_me before computing the timeout ++ * (reading bottom half flags, etc.). Pairs with ++ * smp_mb in aio_notify(). ++ */ ++ smp_mb(); + } + + qemu_lockcnt_inc(&ctx->list_lock); +@@ -671,7 +682,8 @@ bool aio_poll(AioContext *ctx, bool blocking) + } + + if (blocking) { +- atomic_sub(&ctx->notify_me, 2); ++ /* Finish the poll before clearing the flag. 
*/ ++ atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) - 2); + aio_notify_accept(ctx); + } + +diff --git a/util/aio-win32.c b/util/aio-win32.c +index a23b9c364db3a764a3e00c6b62e9..729d533faf4d807e0a5388edd2af 100644 +--- a/util/aio-win32.c ++++ b/util/aio-win32.c +@@ -321,6 +321,12 @@ bool aio_poll(AioContext *ctx, bool blocking) + int count; + int timeout; + ++ /* ++ * There cannot be two concurrent aio_poll calls for the same AioContext (or ++ * an aio_poll concurrent with a GSource prepare/check/dispatch callback). ++ * We rely on this below to avoid slow locked accesses to ctx->notify_me. ++ */ ++ assert(in_aio_context_home_thread(ctx)); + progress = false; + + /* aio_notify can avoid the expensive event_notifier_set if +@@ -331,7 +337,13 @@ bool aio_poll(AioContext *ctx, bool blocking) + * so disable the optimization now. + */ + if (blocking) { +- atomic_add(&ctx->notify_me, 2); ++ atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) + 2); ++ /* ++ * Write ctx->notify_me before computing the timeout ++ * (reading bottom half flags, etc.). Pairs with ++ * smp_mb in aio_notify(). 
++ */ ++ smp_mb(); + } + + qemu_lockcnt_inc(&ctx->list_lock); +@@ -364,8 +376,7 @@ bool aio_poll(AioContext *ctx, bool blocking) + ret = WaitForMultipleObjects(count, events, FALSE, timeout); + if (blocking) { + assert(first); +- assert(in_aio_context_home_thread(ctx)); +- atomic_sub(&ctx->notify_me, 2); ++ atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) - 2); + aio_notify_accept(ctx); + } + +diff --git a/util/async.c b/util/async.c +index b1fa5319e5bc7830d50108f91139..c65c58bbc9f57bf1bbdb6acd5fd1 100644 +--- a/util/async.c ++++ b/util/async.c +@@ -220,7 +220,14 @@ aio_ctx_prepare(GSource *source, gint *timeout) + { + AioContext *ctx = (AioContext *) source; + +- atomic_or(&ctx->notify_me, 1); ++ atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) | 1); ++ ++ /* ++ * Write ctx->notify_me before computing the timeout ++ * (reading bottom half flags, etc.). Pairs with ++ * smp_mb in aio_notify(). ++ */ ++ smp_mb(); + + /* We assume there is no timeout already supplied */ + *timeout = qemu_timeout_ns_to_ms(aio_compute_timeout(ctx)); +@@ -238,7 +245,8 @@ aio_ctx_check(GSource *source) + AioContext *ctx = (AioContext *) source; + QEMUBH *bh; + +- atomic_and(&ctx->notify_me, ~1); ++ /* Finish computing the timeout before clearing the flag. */ ++ atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) & ~1); + aio_notify_accept(ctx); + + for (bh = ctx->first_bh; bh; bh = bh->next) { +@@ -343,10 +351,10 @@ LinuxAioState *aio_get_linux_aio(AioContext *ctx) + void aio_notify(AioContext *ctx) + { + /* Write e.g. bh->scheduled before reading ctx->notify_me. Pairs +- * with atomic_or in aio_ctx_prepare or atomic_add in aio_poll. ++ * with smp_mb in aio_ctx_prepare or aio_poll. + */ + smp_mb(); +- if (ctx->notify_me) { ++ if (atomic_read(&ctx->notify_me)) { + event_notifier_set(&ctx->notifier); + atomic_mb_set(&ctx->notified, true); + } diff --git a/bundles.tar.xz b/bundles.tar.xz index d89ea92..b3e2e2f 100644 --- a/bundles.tar.xz 
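Review bot: In the util/aio-win32.c hunk the `assert(in_aio_context_home_thread(ctx))` moves from inside the `if (blocking)` branch to the top of aio_poll, so on Windows a non-blocking aio_poll() from a thread other than the context's home thread now aborts where it used to be tolerated; that matches the existing aio-posix.c assert but is a behaviour change the commit message does not mention. It is worth a line in the message or in the new comment above the assert, e.g. `/* Applies to non-blocking calls too, matching aio-posix.c. */`. The `atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) + 2)` pairs are plain load/store rather than read-modify-write, which is only sound under the single-writer rule that assert enforces, so the assert is load-bearing rather than a sanity check and should be kept next to the comment that explains it.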
+++ b/bundles.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:01029bd0e2cbba3484407c43afb4238a48cc7c66473832fa566be57c0439681e -size 129648 +oid sha256:f7fba468b339538a09628a5a0b4521cd094b49037c1c7be7148a8c54330876ba +size 150040 diff --git a/config.sh b/config.sh index 02da362..5e469f9 100644 --- a/config.sh +++ b/config.sh @@ -67,6 +67,17 @@ LOCAL_REPO_MAP=( ~/git/qemu-edk2-openssl-pyca-cryptography ) +# TEMPORARY! FOR NOW WE REQUIRE THESE LOCALLY TO DO WORK ON PACKAGE +REQUIRED_LOCAL_REPO_MAP=( + ~/git/qemu-opensuse + ~/git/qemu-seabios + ~/git/qemu-ipxe + ~/git/qemu-sgabios + ~/git/qemu-keycodemapdb + ~/git/qemu-slirp + ~/git/qemu-qboot +) + PATCH_PATH_MAP=( "" "roms/seabios/" diff --git a/configure-remove-pkgversion-from-CONFIG_.patch b/configure-remove-pkgversion-from-CONFIG_.patch new file mode 100644 index 0000000..f273a1d --- /dev/null +++ b/configure-remove-pkgversion-from-CONFIG_.patch 
@@ -0,0 +1,32 @@ +From: Bruce Rogers +Date: Fri, 17 Apr 2020 13:07:37 -0600 +Subject: configure: remove $pkgversion from CONFIG_STAMP input to broaden + compatibility + +As part of the effort to close the gap with Leap I think we are fine +removing the $pkgversion component to creating a unique CONFIG_STAMP. +This stamp is only used in creating a unique symbol used in ensuring the +dynamically loaded modules correspond correctly to the loading qemu. +The default inputs to producing this unique symbol are somewhat reasonable +as a generic mechanism, but specific packaging and maintenance practices +might require the default to be modified for best use. This is an example +of that. + +Signed-off-by: Bruce Rogers +--- + configure | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure b/configure +index 94984691ab378620ac2e0ae771ca..c68e378776336748b227013a1a3f 100755 +--- a/configure ++++ b/configure +@@ -6811,7 +6811,7 @@ fi + if test "$modules" = "yes"; then + # $shacmd can generate a hash started with digit, which the compiler doesn't + # like as an symbol. So prefix it with an underscore +- echo "CONFIG_STAMP=_$( (echo $qemu_version; echo $pkgversion; cat $0) | $shacmd - | cut -f1 -d\ )" >> $config_host_mak ++ echo "CONFIG_STAMP=_$( (echo $qemu_version; cat $0) | $shacmd - | cut -f1 -d\ )" >> $config_host_mak + echo "CONFIG_MODULES=y" >> $config_host_mak + fi + if test "$have_x11" = "yes" && test "$need_x11" = "yes"; then diff --git a/hw-i386-disable-smbus-migration-for-xenf.patch b/hw-i386-disable-smbus-migration-for-xenf.patch index 3544ba8..8053484 100644 --- a/hw-i386-disable-smbus-migration-for-xenf.patch +++ b/hw-i386-disable-smbus-migration-for-xenf.patch @@ -23,23 +23,21 @@ Adjust 'xenfv' to stay compatible with with 'pc-i440fx-3.1': Signed-off-by: Olaf Hering 
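Review bot: Dropping `$pkgversion` from the CONFIG_STAMP input means the module-compatibility symbol now depends only on `$qemu_version` and the configure script, so a module built from a different downstream package revision of the same upstream version (possibly carrying different patches to structures shared with modules) passes the stamp check and is loaded; the stamp is a compatibility guard, not an authenticity check, so the consequence is a silent ABI mismatch rather than loading untrusted code, but the patch should say that packaging now owns that guarantee. I would add a comment above the changed echo: `# pkgversion is intentionally left out so modules from sibling builds of the same qemu_version load; ABI compatibility across those builds is then up to packaging`.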
Signed-off-by: Bruce Rogers +[BR: Adjust implementation to simply call pc_i440fx_3_1_machine_options] --- - hw/i386/pc_piix.c | 5 +++++ - 1 file changed, 5 insertions(+) + hw/i386/pc_piix.c | 2 ++ + 1 file changed, 2 insertions(+) diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c -index d760d3589607daf4997ea76854c4..7bf1021200a3baa06a58fa36c430 100644 +index d760d3589607daf4997ea76854c4..000e692d0e5af449270214ea9345 100644 --- a/hw/i386/pc_piix.c +++ b/hw/i386/pc_piix.c -@@ -1043,6 +1043,11 @@ DEFINE_PC_MACHINE(isapc, "isapc", pc_init_isa, +@@ -1043,6 +1043,8 @@ DEFINE_PC_MACHINE(isapc, "isapc", pc_init_isa, #ifdef CONFIG_XEN static void xenfv_machine_options(MachineClass *m) { + /* compat with pc_i440fx_3_1_machine_options */ -+ PCMachineClass *pcmc = PC_MACHINE_CLASS(m); -+ pcmc->do_not_add_smb_acpi = true; -+ m->smbus_no_migration_support = true; -+ pcmc->pvh_enabled = false; /* FIXME */ ++ pc_i440fx_3_1_machine_options(m); m->desc = "Xen Fully-virtualized PC"; m->max_cpus = HVM_MAX_VCPUS; m->default_machine_opts = "accel=xen"; diff --git a/iscsi-Cap-block-count-from-GET-LBA-STATU.patch b/iscsi-Cap-block-count-from-GET-LBA-STATU.patch index aff4e2c..b55365a 100644 --- a/iscsi-Cap-block-count-from-GET-LBA-STATU.patch +++ b/iscsi-Cap-block-count-from-GET-LBA-STATU.patch @@ -3,6 +3,7 @@ Date: Thu, 23 Jan 2020 12:44:59 +0000 Subject: iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711) Git-commit: 693fd2acdf14dd86c0bf852610f1c2cca80a74dc +References: bsc#1166240, CVE-2020-1711 When querying an iSCSI server for the provisioning status of blocks (via GET LBA STATUS), Qemu only validates that the response descriptor zero's diff --git a/net-tulip-check-frame-size-and-r-w-data-.patch b/net-tulip-check-frame-size-and-r-w-data-.patch new file mode 100644 index 0000000..1f1e9ec --- /dev/null +++ b/net-tulip-check-frame-size-and-r-w-data-.patch 
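Review bot: Replacing the three explicit assignments with `pc_i440fx_3_1_machine_options(m);` pulls in everything that function and the chain it calls sets, not only `smbus_no_migration_support`, `do_not_add_smb_acpi` and `pvh_enabled`; that definition is outside the hunk, so whether it also installs compat property lists or resets fields such as alias/is_default that xenfv does not override below (only desc, max_cpus and default_machine_opts are visibly overridden) should be confirmed and stated. The comment `/* compat with pc_i440fx_3_1_machine_options */` should say what is intended, e.g. `/* Inherit the full pc-i440fx-3.1 option set so xenfv stays migration-compatible with 3.1; xenfv-specific fields are overridden below. */`. The rest of xenfv_machine_options continues past the hunk.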
@@ -0,0 +1,144 @@ +From: Prasad J Pandit +Date: Tue, 24 Mar 2020 22:57:22 +0530 +Subject: net: tulip: check frame size and r/w data length + +Git-commit: 8ffb7265af64ec81748335ec8f20e7ab542c3850 +References: bsc#1168713, CVE-2020-11102 + +Tulip network driver while copying tx/rx buffers does not check +frame size against r/w data length. This may lead to OOB buffer +access. Add check to avoid it. + +Limit iterations over descriptors to avoid potential infinite +loop issue in tulip_xmit_list_update. + +Reported-by: Li Qiang +Reported-by: Ziming Zhang +Reported-by: Jason Wang +Tested-by: Li Qiang +Reviewed-by: Li Qiang +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +Signed-off-by: Bruce Rogers +--- + hw/net/tulip.c | 36 +++++++++++++++++++++++++++--------- + 1 file changed, 27 insertions(+), 9 deletions(-) + +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index f85f54341fab635a4d5756a6c444..1167c1bb07d74783f3fa47b01996 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) + } else { + len = s->rx_frame_len; + } ++ ++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { ++ return; ++ } + pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame + + (s->rx_frame_size - s->rx_frame_len), len); + s->rx_frame_len -= len; +@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) + } else { + len = s->rx_frame_len; + } ++ ++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { ++ return; ++ } + pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame + + (s->rx_frame_size - s->rx_frame_len), len); + s->rx_frame_len -= len; +@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t *buf, size_t size) + + trace_tulip_receive(buf, size); + +- if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) { ++ if (size < 14 || size > sizeof(s->rx_frame) - 4 ++ || s->rx_frame_len || tulip_rx_stopped(s)) { + return 0; 
+ } + +@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc, + return tulip_receive(qemu_get_nic_opaque(nc), buf, size); + } + +- + static NetClientInfo net_tulip_info = { + .type = NET_CLIENT_DRIVER_NIC, + .size = sizeof(NICState), +@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) + if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) { + /* Internal or external Loopback */ + tulip_receive(s, s->tx_frame, s->tx_frame_len); +- } else { ++ } else if (s->tx_frame_len <= sizeof(s->tx_frame)) { + qemu_send_packet(qemu_get_queue(s->nic), + s->tx_frame, s->tx_frame_len); + } +@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) + } + } + +-static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) ++static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) + { + int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK; + int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK; + ++ if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) { ++ return -1; ++ } + if (len1) { + pci_dma_read(&s->dev, desc->buf_addr1, + s->tx_frame + s->tx_frame_len, len1); + s->tx_frame_len += len1; + } + ++ if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) { ++ return -1; ++ } + if (len2) { + pci_dma_read(&s->dev, desc->buf_addr2, + s->tx_frame + s->tx_frame_len, len2); + s->tx_frame_len += len2; + } + desc->status = (len1 + len2) ? 
0 : 0x7fffffff; ++ ++ return 0; + } + + static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n) +@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s) + + static void tulip_xmit_list_update(TULIPState *s) + { ++#define TULIP_DESC_MAX 128 ++ uint8_t i = 0; + struct tulip_descriptor desc; + + if (tulip_ts(s) != CSR5_TS_SUSPENDED) { + return; + } + +- for (;;) { ++ for (i = 0; i < TULIP_DESC_MAX; i++) { + tulip_desc_read(s, s->current_tx_desc, &desc); + tulip_dump_tx_descriptor(s, &desc); + +@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s) + s->tx_frame_len = 0; + } + +- tulip_copy_tx_buffers(s, &desc); +- +- if (desc.control & TDES1_LS) { +- tulip_tx(s, &desc); ++ if (!tulip_copy_tx_buffers(s, &desc)) { ++ if (desc.control & TDES1_LS) { ++ tulip_tx(s, &desc); ++ } + } + } + tulip_desc_write(s, s->current_tx_desc, &desc); diff --git a/qemu.changes b/qemu.changes index 48d7b5f..304d8a3 100644 --- a/qemu.changes +++ b/qemu.changes 
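Review bot: The two guards added in tulip_copy_rx_bytes test `s->rx_frame_len + len > sizeof(s->rx_frame)`, but the bytes copied come from `s->rx_frame + (s->rx_frame_size - s->rx_frame_len)` for `len` bytes (len is already clamped to rx_frame_len just above), so the window is bounded by rx_frame_size, not by that sum; if rx_frame_len starts out equal to rx_frame_size (set outside the hunk), the first copy of any frame larger than half the buffer fails this check and is silently skipped, while the bound that actually keeps the copies in range is the new `size > sizeof(s->rx_frame) - 4` rejection in tulip_receive. I would make the guard `if (s->rx_frame_size > sizeof(s->rx_frame)) { return; }`, or drop it and comment at tulip_receive that its size check is what bounds the rx copies. On the tx side, when tulip_copy_tx_buffers returns -1 the caller still writes the descriptor back via tulip_desc_write without touching `desc->status` (only the success path sets it), so a guest that queued an oversized frame gets its descriptor back unchanged; setting an error status on that path would avoid leaving the ring stalled. `#define TULIP_DESC_MAX 128` inside the function body is also unusual for this file and belongs with the other constants at file scope.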
@@ -1,3 +1,47 @@ +------------------------------------------------------------------- +Fri Apr 17 19:23:38 UTC 2020 - Bruce Rogers + +- Include upstream patches targeted for the next stable release + (bug fixes only) + spapr-Fix-failure-path-for-attempting-to.patch + target-i386-do-not-set-unsupported-VMX-s.patch + target-xtensa-fix-pasto-in-pfwait.r-opco.patch + tcg-i386-Fix-INDEX_op_dup2_vec.patch + tcg-mips-mips-sync-encode-error.patch + vhost-user-gpu-Release-memory-returned-b.patch + vpc-Don-t-round-up-already-aligned-BAT-s.patch + xen-block-Fix-double-qlist-remove-and-re.patch +- Fix bug causing weak encryption in PAuth for ARM + (CVE-2020-10702 bsc#1168681) + target-arm-Fix-PAuth-sbox-functions.patch +- Fix OOB in tulip NIC emulation (CVE-2020-11102 bsc#1168713 + net-tulip-check-frame-size-and-r-w-data-.patch +- Note that previously included patch addresses CVE-2020-1711 + and bsc#1166240 + iscsi-Cap-block-count-from-GET-LBA-STATU.patch +- Include performance improvement (and related?) patch + aio-wait-delegate-polling-of-main-AioCon.patch + async-use-explicit-memory-barriers.patch +- Rework previous patch at Olaf H.'s direction + hw-i386-disable-smbus-migration-for-xenf.patch +- Eliminate is_opensuse usage in producing seabios version string + what we are doing here is just replacing the upstream string + with one indicating that the openSUSE build service built it, + and so just leave it as "-rebuilt.opensuse.org" +- Alter algorithm used to produce "unique" symbol for coordinating + qemu with the optional modules it may load. 
This is a reasonable + relaxation for broader compatibility + configure-remove-pkgversion-from-CONFIG_.patch +- Tweak supported.*.txt for latest deprecations, and other fixes +- Tweak update_git.sh, config.sh + +------------------------------------------------------------------- +Mon Apr 6 14:29:50 UTC 2020 - Bruce Rogers + +- One more fix is needed for: s390x Protected Virtualization support + - start and control guest in secure mode (bsc#1167075 jsc#SLE-7407) + s390x-s390-virtio-ccw-Fix-build-on-syste.patch + ------------------------------------------------------------------- Thu Mar 26 18:28:03 UTC 2020 - Bruce Rogers diff --git a/qemu.spec b/qemu.spec index 5ebe2b2..7bd2a9e 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -214,74 +214,88 @@ Patch00083: migration-colo-fix-use-after-free-of-loc.patch
 Patch00084: migration-ram-fix-use-after-free-of-loca.patch
 Patch00085: qcow2-List-autoclear-bit-names-in-header.patch
 Patch00086: sheepdog-Consistently-set-bdrv_has_zero_.patch
-Patch00087: XXX-dont-dump-core-on-sigabort.patch
-Patch00088: qemu-binfmt-conf-Modify-default-path.patch
-Patch00089: qemu-cvs-gettimeofday.patch
-Patch00090: qemu-cvs-ioctl_debug.patch
-Patch00091: qemu-cvs-ioctl_nodirection.patch
-Patch00092: linux-user-add-binfmt-wrapper-for-argv-0.patch
-Patch00093: PPC-KVM-Disable-mmu-notifier-check.patch
-Patch00094: linux-user-binfmt-support-host-binaries.patch
-Patch00095: linux-user-Fake-proc-cpuinfo.patch
-Patch00096: linux-user-use-target_ulong.patch
-Patch00097: Make-char-muxer-more-robust-wrt-small-FI.patch
-Patch00098: linux-user-lseek-explicitly-cast-non-set.patch
-Patch00099: AIO-Reduce-number-of-threads-for-32bit-h.patch
-Patch00100: xen_disk-Add-suse-specific-flush-disable.patch
-Patch00101: qemu-bridge-helper-reduce-security-profi.patch
-Patch00102: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
-Patch00103: linux-user-properly-test-for-infinite-ti.patch
-Patch00104: roms-Makefile-pass-a-packaging-timestamp.patch
-Patch00105: Raise-soft-address-space-limit-to-hard-l.patch
-Patch00106: increase-x86_64-physical-bits-to-42.patch
-Patch00107: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
-Patch00108: i8254-Fix-migration-from-SLE11-SP2.patch
-Patch00109: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
-Patch00110: Switch-order-of-libraries-for-mpath-supp.patch
-Patch00111: Make-installed-scripts-explicitly-python.patch
-Patch00112: hw-smbios-handle-both-file-formats-regar.patch
-Patch00113: xen-add-block-resize-support-for-xen-dis.patch
-Patch00114: tests-qemu-iotests-Triple-timeout-of-i-o.patch
-Patch00115: tests-Fix-block-tests-to-be-compatible-w.patch
-Patch00116: xen-ignore-live-parameter-from-xen-save-.patch
-Patch00117: Conditionalize-ui-bitmap-installation-be.patch
-Patch00118: tests-change-error-message-in-test-162.patch
-Patch00119: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
-Patch00120: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
-Patch00121: hw-intc-exynos4210_gic-provide-more-room.patch
-Patch00122: configure-only-populate-roms-if-softmmu.patch
-Patch00123: pc-bios-s390-ccw-net-avoid-warning-about.patch
-Patch00124: roms-change-cross-compiler-naming-to-be-.patch
-Patch00125: tests-Disable-some-block-tests-for-now.patch
-Patch00126: test-add-mapping-from-arch-of-i686-to-qe.patch
-Patch00127: roms-Makefile-enable-cross-compile-for-b.patch
-Patch00128: hw-i386-disable-smbus-migration-for-xenf.patch
-Patch00129: s390x-Don-t-do-a-normal-reset-on-the-ini.patch
-Patch00130: s390x-Move-reset-normal-to-shared-reset-.patch
-Patch00131: s390x-Move-initial-reset.patch
-Patch00132: s390x-Move-clear-reset.patch
-Patch00133: s390x-kvm-Make-kvm_sclp_service_call-voi.patch
-Patch00134: s390x-ipl-Consolidate-iplb-validity-chec.patch
-Patch00135: s390x-Beautify-diag308-handling.patch
-Patch00136: s390x-Add-missing-vcpu-reset-functions.patch
-Patch00137: pc-bios-s390x-Save-iplb-location-in-lowc.patch
-Patch00138: s390-sclp-improve-special-wait-psw-logic.patch
-Patch00139: s390x-Move-diagnose-308-subcodes-and-rcs.patch
-Patch00140: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
-Patch00141: Sync-pv.patch
-Patch00142: s390x-protvirt-Support-unpack-facility.patch
-Patch00143: s390x-protvirt-Add-migration-blocker.patch
-Patch00144: s390x-protvirt-Inhibit-balloon-when-swit.patch
-Patch00145: s390x-protvirt-KVM-intercept-changes.patch
-Patch00146: s390x-Add-SIDA-memory-ops.patch
-Patch00147: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
-Patch00148: s390x-protvirt-SCLP-interpretation.patch
-Patch00149: s390x-protvirt-Set-guest-IPL-PSW.patch
-Patch00150: s390x-protvirt-Move-diag-308-data-over-S.patch
-Patch00151: s390x-protvirt-Disable-address-checks-fo.patch
-Patch00152: s390x-protvirt-Move-IO-control-structure.patch
-Patch00153: s390x-protvirt-Handle-SIGP-store-status-.patch
-Patch00154: s390x-Add-unpack-facility-feature-to-GA1.patch
+Patch00087: target-arm-Fix-PAuth-sbox-functions.patch
+Patch00088: tcg-i386-Fix-INDEX_op_dup2_vec.patch
+Patch00089: net-tulip-check-frame-size-and-r-w-data-.patch
+Patch00090: target-i386-do-not-set-unsupported-VMX-s.patch
+Patch00091: spapr-Fix-failure-path-for-attempting-to.patch
+Patch00092: xen-block-Fix-double-qlist-remove-and-re.patch
+Patch00093: vpc-Don-t-round-up-already-aligned-BAT-s.patch
+Patch00094: target-xtensa-fix-pasto-in-pfwait.r-opco.patch
+Patch00095: aio-wait-delegate-polling-of-main-AioCon.patch
+Patch00096: async-use-explicit-memory-barriers.patch
+Patch00097: tcg-mips-mips-sync-encode-error.patch
+Patch00098: vhost-user-gpu-Release-memory-returned-b.patch
+Patch00099: XXX-dont-dump-core-on-sigabort.patch
+Patch00100: qemu-binfmt-conf-Modify-default-path.patch
+Patch00101: qemu-cvs-gettimeofday.patch
+Patch00102: qemu-cvs-ioctl_debug.patch
+Patch00103: qemu-cvs-ioctl_nodirection.patch
+Patch00104: linux-user-add-binfmt-wrapper-for-argv-0.patch
+Patch00105: PPC-KVM-Disable-mmu-notifier-check.patch
+Patch00106: linux-user-binfmt-support-host-binaries.patch
+Patch00107: linux-user-Fake-proc-cpuinfo.patch
+Patch00108: linux-user-use-target_ulong.patch
+Patch00109: Make-char-muxer-more-robust-wrt-small-FI.patch
+Patch00110: linux-user-lseek-explicitly-cast-non-set.patch
+Patch00111: AIO-Reduce-number-of-threads-for-32bit-h.patch
+Patch00112: xen_disk-Add-suse-specific-flush-disable.patch
+Patch00113: qemu-bridge-helper-reduce-security-profi.patch
+Patch00114: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
+Patch00115: linux-user-properly-test-for-infinite-ti.patch
+Patch00116: roms-Makefile-pass-a-packaging-timestamp.patch
+Patch00117: Raise-soft-address-space-limit-to-hard-l.patch
+Patch00118: increase-x86_64-physical-bits-to-42.patch
+Patch00119: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
+Patch00120: i8254-Fix-migration-from-SLE11-SP2.patch
+Patch00121: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
+Patch00122: Switch-order-of-libraries-for-mpath-supp.patch
+Patch00123: Make-installed-scripts-explicitly-python.patch
+Patch00124: hw-smbios-handle-both-file-formats-regar.patch
+Patch00125: xen-add-block-resize-support-for-xen-dis.patch
+Patch00126: tests-qemu-iotests-Triple-timeout-of-i-o.patch
+Patch00127: tests-Fix-block-tests-to-be-compatible-w.patch
+Patch00128: xen-ignore-live-parameter-from-xen-save-.patch
+Patch00129: Conditionalize-ui-bitmap-installation-be.patch
+Patch00130: tests-change-error-message-in-test-162.patch
+Patch00131: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
+Patch00132: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
+Patch00133: hw-intc-exynos4210_gic-provide-more-room.patch
+Patch00134: configure-only-populate-roms-if-softmmu.patch
+Patch00135: pc-bios-s390-ccw-net-avoid-warning-about.patch
+Patch00136: roms-change-cross-compiler-naming-to-be-.patch
+Patch00137: tests-Disable-some-block-tests-for-now.patch
+Patch00138: test-add-mapping-from-arch-of-i686-to-qe.patch
+Patch00139: roms-Makefile-enable-cross-compile-for-b.patch
+Patch00140: hw-i386-disable-smbus-migration-for-xenf.patch
+Patch00141: s390x-Don-t-do-a-normal-reset-on-the-ini.patch
+Patch00142: s390x-Move-reset-normal-to-shared-reset-.patch
+Patch00143: s390x-Move-initial-reset.patch
+Patch00144: s390x-Move-clear-reset.patch
+Patch00145: s390x-kvm-Make-kvm_sclp_service_call-voi.patch
+Patch00146: s390x-ipl-Consolidate-iplb-validity-chec.patch
+Patch00147: s390x-Beautify-diag308-handling.patch
+Patch00148: s390x-Add-missing-vcpu-reset-functions.patch
+Patch00149: pc-bios-s390x-Save-iplb-location-in-lowc.patch
+Patch00150: s390-sclp-improve-special-wait-psw-logic.patch
+Patch00151: s390x-Move-diagnose-308-subcodes-and-rcs.patch
+Patch00152: vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch
+Patch00153: Sync-pv.patch
+Patch00154: s390x-protvirt-Support-unpack-facility.patch
+Patch00155: s390x-protvirt-Add-migration-blocker.patch
+Patch00156: s390x-protvirt-Inhibit-balloon-when-swit.patch
+Patch00157: s390x-protvirt-KVM-intercept-changes.patch
+Patch00158: s390x-Add-SIDA-memory-ops.patch
+Patch00159: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
+Patch00160: s390x-protvirt-SCLP-interpretation.patch
+Patch00161: s390x-protvirt-Set-guest-IPL-PSW.patch
+Patch00162: s390x-protvirt-Move-diag-308-data-over-S.patch
+Patch00163: s390x-protvirt-Disable-address-checks-fo.patch
+Patch00164: s390x-protvirt-Move-IO-control-structure.patch
+Patch00165: s390x-protvirt-Handle-SIGP-store-status-.patch
+Patch00166: s390x-Add-unpack-facility-feature-to-GA1.patch
+Patch00167: s390x-s390-virtio-ccw-Fix-build-on-syste.patch
+Patch00168: configure-remove-pkgversion-from-CONFIG_.patch
 # Patches applied in roms/seabios/:
 Patch01000: seabios-use-python2-explicitly-as-needed.patch
 Patch01001: seabios-switch-to-python3-as-needed.patch
@@ -1152,6 +1166,20 @@ This package provides a service file for starting and stopping KSM.
 %patch00152 -p1
 %patch00153 -p1
 %patch00154 -p1
+%patch00155 -p1
+%patch00156 -p1
+%patch00157 -p1
+%patch00158 -p1
+%patch00159 -p1
+%patch00160 -p1
+%patch00161 -p1
+%patch00162 -p1
+%patch00163 -p1
+%patch00164 -p1
+%patch00165 -p1
+%patch00166 -p1
+%patch00167 -p1
+%patch00168 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1
@@ -1300,7 +1328,7 @@ mkdir -p %mybuilddir
 cd %mybuilddir
 %endif
 
-%{_builddir}/%buildsubdir/configure \
+../%buildsubdir/configure \
 --prefix=%_prefix \
 --sysconfdir=%_sysconfdir \
 --libdir=%_libdir \
@@ -1538,11 +1566,7 @@ export LD=x86_64-suse-linux-ld
 %endif
 
 make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms bios \
-%if 0%{?is_opensuse} == 0
- SEABIOS_EXTRAVERSION="-rebuilt.suse.com" \
-%else
 SEABIOS_EXTRAVERSION="-rebuilt.opensuse.org" \
-%endif
 %ifnarch %ix86 x86_64
 HOSTCC=cc \
 %endif
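Review bot: `+../%buildsubdir/configure \` in the @@ -1300 hunk is resolved against whatever the cwd is at that point, which depends on whether the `cd %mybuilddir` two lines above ran, so it reaches the source tree only if `%mybuilddir` sits exactly one level below `%_builddir` (or the cd was skipped and the cwd is still `%_builddir/%buildsubdir`); the absolute form it replaces carried no such assumption. The `make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms bios \` line in the @@ -1538 hunk keeps the absolute spelling, so the two invocations of the same tree are now written inconsistently. If the point is to keep the absolute build root out of the recorded configure command (the changelog's pkgversion entry suggests so), a one-line comment above the call, e.g. `# relative path on purpose: keep %_builddir out of the recorded configure invocation`, would stop the next editor from reverting it. The identical change in qemu.spec.in (@@ -942 hunk) has the same two issues.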
diff --git a/qemu.spec.in b/qemu.spec.in
index 1a52d64..8bd6e3a 100644
--- a/qemu.spec.in
+++ b/qemu.spec.in
@@ -942,7 +942,7 @@ mkdir -p %mybuilddir
 cd %mybuilddir
 %endif
 
-%{_builddir}/%buildsubdir/configure \
+../%buildsubdir/configure \
 --prefix=%_prefix \
 --sysconfdir=%_sysconfdir \
 --libdir=%_libdir \
@@ -1180,11 +1180,7 @@ export LD=x86_64-suse-linux-ld
 %endif
 
 make %{?_smp_mflags} -C %{_builddir}/%buildsubdir/roms bios \
-%if 0%{?is_opensuse} == 0
- SEABIOS_EXTRAVERSION="-rebuilt.suse.com" \
-%else
 SEABIOS_EXTRAVERSION="-rebuilt.opensuse.org" \
-%endif
 %ifnarch %ix86 x86_64
 HOSTCC=cc \
 %endif
diff --git a/s390x-s390-virtio-ccw-Fix-build-on-syste.patch b/s390x-s390-virtio-ccw-Fix-build-on-syste.patch
new file mode 100644
index 0000000..fcc338c
--- /dev/null
+++ b/s390x-s390-virtio-ccw-Fix-build-on-syste.patch
@@ -0,0 +1,129 @@
+From: Christian Borntraeger
+Date: Mon, 6 Apr 2020 06:01:58 -0400
+Subject: s390x/s390-virtio-ccw: Fix build on systems without KVM
+
+References: bsc#1167075
+
+linux/kvm.h is not available on all platforms. Let us move
+s390_machine_inject_pv_error into pv.c as it uses KVM structures.
+Also rename the function to s390_pv_inject_reset_error.
+
+While at it, ipl.h needs an include for "exec/address-spaces.h"
+as it uses address_space_memory.
+
+Fixes: 49fc3220175e ("s390x: protvirt: Support unpack facility")
+Reported-by: Bruce Rogers
+Signed-off-by: Christian Borntraeger
+Signed-off-by: Bruce Rogers
+---
+ hw/s390x/ipl.h | 1 +
+ hw/s390x/pv.c | 11 +++++++++++
+ hw/s390x/s390-virtio-ccw.c | 12 +-----------
+ include/hw/s390x/pv.h | 3 +++
+ 4 files changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
+index 89b3044d7a2ee54014daa8eeafc9..53cc9eb5ac4d326b2b61bf1668a8 100644
+--- a/hw/s390x/ipl.h
++++ b/hw/s390x/ipl.h
+@@ -14,6 +14,7 @@
+ #define HW_S390_IPL_H
+
+ #include "cpu.h"
++#include "exec/address-spaces.h"
+ #include "hw/qdev-core.h"
+
+ struct IPLBlockPVComp {
+diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
+index 8cf5cd2c9bcd48b03af1e546fb3a..2c4d5e89890b7d21abdcd718c2f2 100644
+--- a/hw/s390x/pv.c
++++ b/hw/s390x/pv.c
+@@ -13,8 +13,10 @@
+
+ #include 
+
++#include "cpu.h"
+ #include "qemu/error-report.h"
+ #include "sysemu/kvm.h"
++#include "hw/s390x/ipl.h"
+ #include "hw/s390x/pv.h"
+
+ static int __s390_pv_cmd(uint32_t cmd, const char *cmdname, void *data)
+@@ -96,3 +98,12 @@ void s390_pv_unshare(void)
+ {
+ s390_pv_cmd_exit(KVM_PV_VM_UNSHARE_ALL, NULL);
+ }
++
++void s390_pv_inject_reset_error(CPUState *cs)
++{
++ int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4;
++ CPUS390XState *env = &S390_CPU(cs)->env;
++
++ /* Report that we are unable to enter protected mode */
++ env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV;
++}
+diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
+index 85250bf046ed72313b03c6ff6c54..5df455e065504bc0eef0f1f084dc 100644
+--- a/hw/s390x/s390-virtio-ccw.c
++++ b/hw/s390x/s390-virtio-ccw.c
+@@ -44,7 +44,6 @@
+ #include "sysemu/sysemu.h"
+ #include "sysemu/balloon.h"
+ #include "hw/s390x/pv.h"
+-#include 
+ #include "migration/blocker.h"
+
+ static Error *pv_mig_blocker;
+@@ -392,15 +391,6 @@ out_err:
+ return rc;
+ }
+
+-static void s390_machine_inject_pv_error(CPUState *cs)
+-{
+- int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4;
+- CPUS390XState *env = &S390_CPU(cs)->env;
+-
+- /* Report that we are unable to enter protected mode */
+- env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV;
+-}
+-
+ static void s390_pv_prepare_reset(S390CcwMachineState *ms)
+ {
+ CPUState *cs;
+@@ -486,7 +476,7 @@ static void s390_machine_reset(MachineState *machine)
+ run_on_cpu(cs, s390_do_cpu_reset, RUN_ON_CPU_NULL);
+
+ if (s390_machine_protect(ms)) {
+- s390_machine_inject_pv_error(cs);
++ s390_pv_inject_reset_error(cs);
+ /*
+ * Continue after the diag308 so the guest knows something
+ * went wrong.
+diff --git a/include/hw/s390x/pv.h b/include/hw/s390x/pv.h
+index c6cb360f2f6a0a32a37970769e1b..522ca6a04ee877940ff1de9f410b 100644
+--- a/include/hw/s390x/pv.h
++++ b/include/hw/s390x/pv.h
+@@ -13,6 +13,7 @@
+ #define HW_S390_PV_H
+
+ #ifdef CONFIG_KVM
++#include "cpu.h"
+ #include "hw/s390x/s390-virtio-ccw.h"
+
+ static inline bool s390_is_pv(void)
+@@ -41,6 +42,7 @@ int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak);
+ void s390_pv_perf_clear_reset(void);
+ int s390_pv_verify(void);
+ void s390_pv_unshare(void);
++void s390_pv_inject_reset_error(CPUState *cs);
+ #else /* CONFIG_KVM */
+ static inline bool s390_is_pv(void) { return false; }
+ static inline int s390_pv_vm_enable(void) { return 0; }
+@@ -50,6 +52,7 @@ static inline int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak) {
+ static inline void s390_pv_perf_clear_reset(void) {}
+ static inline int s390_pv_verify(void) { return 0; }
+ static inline void s390_pv_unshare(void) {}
++static inline void s390_pv_inject_reset_error(CPUState *cs) {};
+ #endif /* CONFIG_KVM */
+
+ #endif /* HW_S390_PV_H */
diff --git a/spapr-Fix-failure-path-for-attempting-to.patch b/spapr-Fix-failure-path-for-attempting-to.patch
new file mode 100644
index 0000000..9eea839
--- /dev/null
+++ b/spapr-Fix-failure-path-for-attempting-to.patch
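Review bot: `static inline void s390_pv_inject_reset_error(CPUState *cs) {};` in the !CONFIG_KVM branch of include/hw/s390x/pv.h ends with a stray `;` after the function body, an empty file-scope declaration that pedantic builds warn about; the neighbouring stubs end in `{}` alone, so it should read `static inline void s390_pv_inject_reset_error(CPUState *cs) {}`. The new `#include "cpu.h"` is added only inside `#ifdef CONFIG_KVM`, yet that `#else` stub also names `CPUState`; presumably this compiles because every includer of pv.h already pulls in cpu.h first, but recording that with a comment on the stub, e.g. `/* CPUState comes from the includer; cpu.h is only pulled in under CONFIG_KVM */`, or hoisting the include above the `#ifdef`, would make the non-KVM path self-contained. The function body moved into pv.c is identical to the one removed from s390-virtio-ccw.c, so no behavioural change is introduced by the move itself.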
@@ -0,0 +1,33 @@
+From: David Gibson
+Date: Thu, 26 Mar 2020 16:12:40 +1100
+Subject: spapr: Fix failure path for attempting to hot unplug PCI bridges
+
+Git-commit: 7aab5899764887f6b0512cb2e5c11bdc2a5d3644
+
+For various technical reasons we can't currently allow unplug a PCI to PCI
+bridge on the pseries machine. spapr_pci_unplug_request() correctly
+generates an error message if that's attempted.
+
+But.. if the given errp is not error_abort or error_fatal, it doesn't
+actually stop trying to unplug the bridge anyway.
+
+Fixes: 14e714900f6b "spapr: Allow hot plug/unplug of PCI bridges and devices under PCI bridges"
+Signed-off-by: David Gibson
+Reviewed-by: Greg Kurz
+Signed-off-by: Bruce Rogers
+---
+ hw/ppc/spapr_pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c
+index f6fbcf99edaaf9844fe669951716..5b544adb4a4d7868cf17d6534e19 100644
+--- a/hw/ppc/spapr_pci.c
++++ b/hw/ppc/spapr_pci.c
+@@ -1663,6 +1663,7 @@ static void spapr_pci_unplug_request(HotplugHandler *plug_handler,
+
+ if (pc->is_bridge) {
+ error_setg(errp, "PCI: Hot unplug of PCI bridges not supported");
++ return;
+ }
+
+ /* ensure any other present functions are pending unplug */
diff --git a/supported.arm.txt b/supported.arm.txt
index 60f4f56..f8bb8ad 100644
--- a/supported.arm.txt
+++ b/supported.arm.txt
@@ -28,7 +28,8 @@ Overview
 QEMU is a primary component of KVM based virtualization. The QEMU emulator
 binary qemu-system-aarch64 is the program to use to access KVM virtualization.
 When using this program, the -machine option accel=kvm (or its alias
- -enable-kvm) must be specified for KVM acceleration to be used by the guest.
+ -enable-kvm) or --accel kvm option must be specified for KVM acceleration to
+ be used by the guest.
 
 Libvirt is the preferred means of accessing QEMU/KVM functionality and is
 documented elsewhere. This document focuses on the features and direct usage
@@ -134,6 +135,10 @@ Noteworthy QEMU/KVM Unsupported Features
 
 - GlusterFS integration is not enabled.
 
+- 32 bit ARM KVM has never been supported by SUSE, but it's worth noting that
+ this capability will cease to even be possible in a near-future QEMU/KVM
+ (kernel) combination.
+
 Deprecated, Superseded, Modified and Dropped Features
 -----------------------------------------------------
 
@@ -163,8 +168,11 @@ Deprecated, Superseded, Modified and Dropped Features
 considered deprecated. In the future those names will be standardized to
 acpitable, boot, and smp respectively.
 
-- This previously supported command line options is now considered deprecated:
- -device scsi-disk (use scsi-hd or scsi-cd)
+- These previously supported command line options are now considered deprecated:
+ -device scsi-disk (use scsi-hd or scsi-cd instead)
+ -device virtio-blk,scsi= (use virtio-scsi instead)
+ -device virtio-blk-pci,scsi= (use virtio-scsi instead)
+ -realtime mlock= (use -overcommit mem-lock- instead)
 
 - These previously supported command line options are no longer supported:
 
diff --git a/supported.ppc.txt b/supported.ppc.txt
index b374627..47545d9 100644
--- a/supported.ppc.txt
+++ b/supported.ppc.txt
@@ -2,785 +2,4 @@ SLES 15 SP2 QEMU/KVM RELATED SUPPORT STATEMENTS -Overview --------- - - The QEMU based packages included with SLES 15 SP2 provide a large variety of - features, from the very latest customer requests to features of questionable - quality or value. The linux kernel includes components which contribute KVM - virtualization features as well. This document was created to assist the user - in deciding which features can be relied upon to build enterprise class - virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64), - for IBM System z (s390x), and for the ARM64 architecture (AArch64) are - offered at the L3 (full support) level. The bulk of this document is primarily - Power8 centric. This document should be considered a companion to the standard - virtualization documentation delivered with the product. - - KVM is implemented in linux kernel modules which enable the linux kernel to - function as an integral part of the KVM hypervisor. The hypervisor-guest - interaction is managed by QEMU through the /dev/kvm ioctl interface. The linux - host assists in the virtualization of storage, networking and display - resources as well as allowing direct hardware passthrough of PCI and USB - devices. Linux memory and cpu management features are used by QEMU/KVM to - enable guests to share those host resources as efficiently as possible. - The kvm_hv kernel module is required. The kvm_pr kernel module is unsupported. - - QEMU is a primary component of KVM based virtualization. The QEMU emulator - binary qemu-system-ppc64 is the program to use to access KVM virtualization. - When using this program, the -machine option accel=kvm (or its alias - -enable-kvm) must be specified for KVM acceleration to be used by the guest. - - Libvirt is the preferred means of accessing QEMU/KVM functionality and is - documented elsewhere. This document focuses on the features and direct usage - of QEMU/KVM as provided by the QEMU based packages. 
- -Major QEMU/KVM Supported Features ---------------------------------- - -- KVM virtualization is accomplished by using the QEMU program in KVM - acceleration mode. KVM acceleration requires that both guest and host have - the same fundamental architecture. - -- Guest images created under previous QEMU versions are supported by machine - version compatibilities built into more recent QEMU versions. - -- For ease of use, the QEMU program has defaults which represent traditional - usage patterns. - -- Guest virtual machine characteristics are specified by a combination of - internal defaults, options provided on the QEMU program command-line, runtime - configurations set via the monitor interfaces and optional config files. The - runtime control of a VM is effected either through the Human Monitor - "Protocol" (HMP), or the JSON based programmatical QEMU Monitor Protocol (QMP) - interface. For QMP details, see qemu-qmp-ref man page. - Since a KVM guest runs in the context of a normal linux process, some types - of execution controls are managed with linux tools. - -- QEMU uses SLOF (Slimline Open Firmware) for booting ppc guests, which allow - boot options common to physical systems.Various VGABIOS ROMs, from the SEABIOS - project, are also available. - -- Some QEMU messages have been localized to various languages. This is provided - by the optional qemu-lang package. Keyboard mappings for various nationalities - is also provided. - -- Virtual machine lifecycle controls include startup through firmware or kernel - boot, firmware based shutdown, execution pausing, the saving and restoring of - machine state or disk state, VM migration to another host, and miscellaneous - controls available through the "monitors" mentioned above. - -- Guest execution state may be "moved" in both time (save/restore) and space - (static and live migration). 
These migrations or save/restore operations can - take place either from certain prior SLES versioned hosts to a SLES 12 SP3 - or between hosts of the same version. Certain other restrictions also apply. - -- Security considerations include privileged helpers and a security model which - allows running guests as a non-root user. - -- QEMU provides best effort reuse of existing disk images, including those with - systems installed, through geometry probing. Also disk images produced by - other popular virtualization technologies may be imported into QEMU supported - storage formats. These QEMU formats include features which exploit the - benefits of virtualization. - -- Memory, cpu and disk space overcommit are possible and can be beneficial when - done responsibly. Additional management of these resources comes in the form - of memory ballooning or hotplug, host KSM, vcpu hot-add, online disk resizing, - trim, discard and hole punching. - -- Guest performance is enhanced through the use of virtio devices, various disk - caching modes, network acceleration via the vhost-net kernel module, multi- - queue network transmit capabilities, host transparent huge pages (THP) and - direct hugetlb usage. Physical PCI and USB devices may also be passed through - to the guest, including SR-IOV VF's. - -- The guest UI is accessable via GTK, VNC, and serial (including curses TUI) - interfaces. - -- Guest timekeeping is supported in a variety of ways, including a paravirtual - clocksource, and options for the various guest clocks for how to handle the - timeslicing of the guest's execution on the host. - -- In addition to the para-virtualized devices already mentioned, other devices - and infrastructure designed to avoid virtualization "problem areas" are - available such as SPICE graphics, vmmouse emulation, tablet style pointer - interfaces and virtio based UI interfaces. - -- A built-in user-mode network (SLIRP) stack is available. 
- -- Portions of the host file system may be shared with a guest by using virtFS. - -- A guest "agent" is available for SLES 15 SP2 KVM guests via the - qemu-guest-agent package. This allows some introspection and control of the - guest OS environment from the host. - -QEMU/KVM Technology Previews ----------------------------- - -- All features indicated as not being supported in this document fall under the - Technology Preview definition contained in the main product's release notes. - -Noteworthy QEMU/KVM Unsupported Features ----------------------------------------- - -- Note that some features are unsupported simply due to lack of validation. If - an existing feature is desired, but not marked supported, let SUSE know about - your requirements. - -- The TCG "acceleration" mode may be helpful for problem isolation, but - otherwise presents insufficient benefit and stability. - -- GlusterFS integration is not enabled. - -Deprecated, Superseded, Modified and Dropped Features ------------------------------------------------------ - -- http://wiki.qemu-project.org/Features/LegacyRemoval - This website tracks feature deprecation and removal at the upstream - development level. Our qemu package inherits this community direction, but be - aware that we can and will deviate as needed. Those deviations and additional - information can be found in this section. Feature deprecation is also tracked - in Appendix B of the qemu-doc.* files installed with the qemu package. - -- The use of "?" as a parameter to "-cpu", "-soundhw", "-device", "-M", - "-machine" and "-d" is now considered deprecated. Use "help" - instead. - -- The use of "if=scsi" as a parameter to "-drive" does not work anymore with PC - machine types, as it created an obsolete SCSI controller model. - -- Use of aio=native without direct cache mode also being specified (cache=none, - cache=directsync, or cache.direct=on) is no longer allowed. 
- -- The use of image encryption in qcow and qcow2 formats is now considered - deprecated. - Analysis has shown it to be weak encryption, in addition to suffering from - poor design. Images can easily be converted to a non-encrypted format. - -- Use of acpi, boot-opts, and smp-opts in a -readconfig config file are now - considered deprecated. In the future those names will be standardized to - acpitable, boot, and smp respectively. - -- This previously supported command line option is now considered deprecated: - -device scsi-disk (use scsi-hd or scsi-cd) - -- These previously supported command line options are no longer supported: - - -- These previously supported command line options are no longer recognized: - -balloon (use -device virtio-balloon instead) - -clock - -device ivshmem (use ivshmem-doorbell or ivshmem-plain instead) - -device pc-sysfw (no longer needed) - -device pci-assign, -device kvm-pci-assign (use -device vfio-pci instead) - -display sdl - -no-frame - -nodefconfig (use -no-user-config instead) - -sdl - -virtioconsole (use -device virtconsole instead) - -- These previously unsupported command line options are no longer recognized: - -device cmd646-ide - -device macio-newworld - -device macio-oldworld - -device spapr-pci-vfio-host-bridge - -- Specifying a cpu feature with both "+feature/-feature" and "feature=on/off" - will now cause a warning. The current behavior for this combination where - "+feature/-feature" wins over "feature=on/off", will be changed going forward - so that "+feature" and "-feature" will be synonyms for "feature=on" and - "feature=off" respectively. - -- The previously supported blkdev-add QMP command has been flagged as lacking - and could possibly change syntax in the future. 
- -- These previously unsupported command line options are now deprecated: - -bt - -machine prep (use -machine 40p instead) - -M prep (use -M 40p instead) - -- These previously unsupported command line options are no longer recognized: - -device isa-cirrus-vga - -device ramfb - -enable-hax - -tdf - -xen-create - -- These previously supported QMPs command are now deprecated: - change (use blockdev-change-medium or change-vnc-password instead) - cpu-add - migrate-set-cache-size (use migrate-set-parameters instead) - migrate_set_downtime (use migrate-set-parameters instead) - migrate_set_speed (use migrate-set-parameters instead) - query-cpus (use query-cpus-fast instead) - query-events - query-migrate-cache-size (use query-migrate-parameters instead) - -- These previously supported monitor commands are now deprecated: - change - cpu-add - migrate_set_downtime - migrate_set_speed - -- These previously supported monitor commands are no longer recognized: - pci_add (use device_add instead) - pci_del (use device_del instead) - usb_add (use device_add instead) - usb_del (use device_del instead) - -- These previously unsupported monitor command are now deprecated: - acl_add ... - acl_policy ... - acl_remove ... - acl_reset ... - acl_show ... 
- -- These previously unsupported monitor commands are no longer recognized: - host_net_add - host_net_remove - -- These previously unsupported QMP commands are now supported under a new name: - x-block-dirty-bitmap-disable (use block-dirty-bitmap-disable instead) - x-block-dirty-bitmap-enable (use block-dirty-bitmap-enable instead) - x-block-dirty-bitmap-merge (use block-dirty-bitmap-merge instead) - x-block-latency-histogram-set (use block-latency-histogram-set instead) - x-blockdev-create (use blockdev-create instead) - -- This previously unsupported QMP commands is no longer recognized: - x-nbd-server-add-bitmap - -- Due to upstream's decision to no longer fully support the qed storage format - going forward (since it really provides no benefit over qcow2 and is now no - longer actively maintained upstream), creating qed storage images is no longer - supported and it is highly discouraged to continue using existing qed images. - They should instead be converted to another supported format. - -QEMU Command-Line and Monitor Syntax and Support ------------------------------------------------- - -- The QEMU program command-line syntax is as follows: - qemu-system-ppc64 [options] - - Where 'options' are taken from the options listed below. - The images used with -drive or -cdrom, may be in the raw (no format) or qcow2 - storage formats, and may be located in files within the host filesystem, - logical volumes, host physical disks, or network based storage. Read only - media may also be accessed via URL style protocol specifiers. - - Note that as a general rule, as new command line options are added which serve - to replace an older option or interface, you are strongly encouraged to adapt - your usage to the new option. The new option is being introduced to provide - better functionality and usability going forward. 
In some cases existing - problems or even bugs in older interfaces cannot be fixed due to functional - expectations, but are resolved in the newer interface or option. - This advice includes moving to the most recent machine type (eg pseries-4.2 - instead of pseries-3.1) if possible. - -- The following command line options are supported: - -accel ... - -add-fd ... - -alt-grab - -append ... - -audio-help - -audiodev - -bios ... - -blockdev ... - -boot ... - -cdrom ... - -chardev .. - -cpu host - -ctrl-grab - -d ... - -daemonize - -debugcon ... - -device [VGA|rtl8139|virtio-net-pci|virtio-blk-pci|virtio-balloon-pci| - virtio-9p-pci|usb-hub|usb-ehci|usb-tablet|usb-storage|usb-mouse| - usb-kbd|virtserialport|virtconsole|virtio-serial-pci|i82559er| - virtio-scsi-pci|scsi-cd|scsi-hd|scsi-generic|scsi-disk|scsi-block| - pci-serial|pci-serial-2x|pci-serial-4x|ich9-ahci|usb-host|usb-serial| - usb-wacom-tablet|usb-braille|usb-net|pci-ohci|virtio-rng-pci|i6300esb| - qxl|qxl-vga|pvpanic|vfio-pci|ivshmem-doorbell|ivshmem-plain| - virtio-crypto-pci|virtio-mmio|vhost-vsock-pci|vhost-user-blk| - vhost-user-blk-pci|pci-bridge|megasas-gen2|e1000e|e1000|cirrus-vga| - virtio-vga|vhost-scsi-pci-non-transitional| - vhost-scsi-pci-transitional|vhost-user-blk-pci-non-transitional| - vhost-user-blk-pci-transitional|vhost-user-scsi-pci-non-transitional| - vhost-user-scsi-pci-transitional|vhost-vsock-pci-non-transitional| - vhost-vsock-pci-transitional|virtio-9p-pci-non-transitional| - virtio-9p-pci-transitional|virtio-balloon-pci-non-transitional| - virtio-balloon-pci-transitional|virtio-blk-pci-non-transitional| - virtio-blk-pci-transitional|virtio-input-host-pci-non-transitional| - virtio-input-host-pci-transitional|virtio-net-pci-non-transitional| - virtio-net-pci-transitional|virtio-rng-pci-non-transitional| - virtio-rng-pci-transitional|virtio-scsi-pci-non-transitional| - virtio-scsi-pci-transitional|virtio-serial-pci-non-transitional| - 
virtio-serial-pci-transitional|vhost-user-fs-pci|vhost-user-gpu| - vhost-user-pci-pci|vhost-user-input|vhost-user-input-pci| - vhost-user-vga|mc146818rtc] - (the following are aliases of these supported devices: ahci| - virtio-blk|virtio-net|virtio-serial|virtio-balloon| virtio-9p| - virtio-input-host|virtio-keyboard|virtio-mouse|virtio-tablet| - virtio-gpu|virtio-scsi|virtio-rng|e1000-82540em) - -dfilter range, ... - -display ... - -drive ... (if specified if=[virtio] and format=[qcow2|raw] and - snapshot=off only) - -echr ... - -enable-fips - -enable-kvm - -fsdev ... - -full-screen - -fw_cfg ... - -gdb ... - -global ... - -h - -help - -incoming ... - -initrd ... - -iscsi ... - -k ... - -kernel ... - -loadvm ... - -m ... - -M [help|?|none|pseries|pseries-2.11|pseries-3.1|pseries-4.2] - -machine [help|?|none|pseries|pseries-2.11|pseries-3.1|pseries-4.2] - -mem-path ... - -mem-prealloc - -mon ... - -monitor ... - -msg ... - -name ... - -net [bridge|l2tpv3|nic|none|tap|user] ... (for model= only e1000, rtl8139, - and virtio are supported) - -netdev [bridge|tap|user] ... - -nic ... - -nodefaults - -nographic - -no-quit - -no-reboot - -no-shutdown - -no-user-config - -object ... - -only-migratable - -parallel ... - -pidfile ... - -plugin ... - -qmp ... - -qmp-pretty ... - -readconfig ... - -realtime ... - -rtc ... - -runas ... - -s - -S - -sandbox ... - -seed ... - -serial ... - -show-cursor - -smbios ... - -smp ... - -tpmdev passthrough ... - -trace ... - -usb - -usbdevice [braile|disk|host|mouse|net|serial|tablet] - -uuid .. - -version - -vga [none|qxl|std|virtio] - -virtfs ... - -vnc ... - -watchdog ... - -watchdog-action ... - -writeconfig ... - -- The following monitor commands are supported: - ? - announce_self ... - balloon ... - block_resize ... - boot_set ... - c - change ... - chardev-add ... - chardev-remove ... - client_migrate_info ... - closefd ... - cont - cpu ... - cpu-add ... - delvm ... - device_add ... - device_del ... - drive_add ... 
- drive_backup ... - drive_del ... - dump_guest_memory ... - eject ... - gdbserver ... - gpa2hpa ... - gpa2hva ... - gva2gpa ... - help - i ... - info ... - loadvm ... - logfile ... - logitem ... - mce ... - memsave ... - migrate ... - migrate_cancel - migrate_continue ... - migrate_incoming - migrate_pause - migrate_recover ... - migrate_set_cache_size ... - migrate_set_capability ... - migrate_set_downtime ... - migrate_set_parameter ... - migrate_set_speed ... - migrate_start_post_copy - mouse_button ... - mouse_move ... - mouse_set ... - nmi ... - o ... - object_add ... - object_del ... - p ... - pmemsave ... - print ... - q - qemu-io ... - qom-list - qom-set - ringbuf_read ... - ringbuf_write ... - savevm ... - screendump ... - sendkey ... - snapshot_blkdev_internal ... - snapshot_delete_blkdev_internal ... - stop - sum ... - system_powerdown - system_reset - system_wakeup - trace-event ... - watchdog_action ... - x ... - xp ... - -- The following QMP commands are supported: - add_client - add-fd - announce-self - balloon - blockdev-add - blockdev-backup - blockdev-change-medium - blockdev-close-tray - blockdev-create - blockdev-del - blockdev-mirror - blockdev-open-tray - blockdev-snapshot - blockdev-snapshot-delete-internal-sync - blockdev-snapshot-internal-sync - blockdev-snapshot-sync - block-commit - block-dirty-bitmap-add - block-dirty-bitmap-clear - block-dirty-bitmap-disable - block-dirty-bitmap-enable - block-dirty-bitmap-merge - block-dirty-bitmap-remove - block-latency-histogram-set - block_passwd - block_resize - block_set_io_throttle - block-set-write-threshold - block_stream - change - change-vnc-password - chardev-add - chardev-remove - client_migrate_info - closefd - cont - cpu - cpu-add - device_add - device_del - device-list-properties - dump-guest-memory - eject - expire_password - getfd - human-monitor-command - inject-nmi - input-send-event - job-cancel - job-complete - job-dismiss - job-finalize - job-pause - job-resume - memsave - 
migrate - migrate_cancel - migrate-continue - migrate-incoming - migrate-pause - migrate-resume - migrate-set-cache-size - migrate-set-capabilities - migrate_set_downtime - migrate_set_speed - migrate-set-parameters - migrate-start-postcopy - object-add - object-del - pmemsave - qmp_capabilities - qom-get - qom-list - qom-list-types - qom-set - query-acpi-ospm-status - query-balloon - query-block - query-block-jobs - query-blockstats - query-chardev - query-chardev-backends - query-command-line-options - query-commands - query-cpu-definitions - query-cpu-model-baseline - query-cpu-model-comparison - query-cpu-model-expansion - query-cpus - query-cpus-fast - query-current-machine - query-display-options - query-dump - query-dump-guest-memory-capability - query-events - query-fdsets - query-gic-capabilities - query-hotpluggable-cpus - query-iothreads - query-jobs - query-kvm - query-machines - query-memdev - query-memory-devices - query-memory-size-summary - query-mice - query-migrate - query-migrate-cache-size - query-migrate-capabilities - query-migrate-parameters - query-name - query-named-block-nodes - query-pci - query-pr-managers - query-qmp-schema - query-rocker - query-rocker-of-dpa-flows - query-rocker-of-dpa-groups - query-rocker-ports - query-rx-filter - query-spice - query-status - query-target - query-tpm - query-tpm-models - query-tpm-types - query-uuid - query-version - query-vnc - query-vnc-servers - query-xen-replication-status - quit - remove-fd - ringbuf-read - ringbuf-write - rtc-reset-reinjection - screendump - send-key - set_link - set_password - stop - system_powerdown - system_reset - system_wakeup - trace-event-get-state - trace-event-set-state - transaction - watchdog-set-action - -- The following command line options are unsupported: - -acpitable ... - -bt ... - -chroot ... - -cpu ... 
(all except host) - -curses - -device [adb-keyboard|adb-mouse|adlib|amd-iommu|AMDVI-PCI|ccid-card-emulated| - ccid-card-passthrough|cfi.pflash02|cirrus-vga|cs4231a| - dec-21154-p2p-bridge|dec-21154-sysbus|e1000 e500-ccsr|e500-pcihost| - e500-spin|escc|esp|eTSEC|floppy|generic-sdhci|gus|grackle-pcihost| - host-spapr-cpu-core|hyperv-testdev|i8042|i82374|i82378|ib700|icp| - icp-kvm|ics|icskvm|igd-passthrough-isa-bridge|intel_iommu| - ipmi-bmc-extern|ipmi-bmc-sim|isa-applesmc|isa-debugcon|isa-debug-exit| - isa-fdc|isa-ide|isa-ipmi-bt|isa-ipmi-kcs|isa-m48t59|isa-parallel| - isa-vga|isabus-bridge|kvm-openpic|loader|lsi53c810a|macio-ide| - macio-nvram|mpc8544-guts|mpc8xxx_gpio|ne2k_isa|nvdimm|openpic|pc-dimm| - pc-testdev|pc87312|piix3-ide|piix3-ide|piix3-ide-xen|piix3-usb-uhci| - platform-bus-device|powernv-chip-POWER8|powernv-chip-POWER8E| - powernv-chip-POWER8NVL|powernv-chip-POWER9|powernv-cpu-core-POWER8| - powernv-cpu-core-POWER8E|powernv-cpu-core-POWER8NVL| - powernv-cpu-core-POWER9|ppc4xx-pcihost|prep-systemio|raven-pcihost| - rs6000-mc|sb16|sdhci-pci|sga spapr-nvram|spapr-rng|spapr-rtc| - spapr-tce-table|spapr-vio-bridge|spapr-vlan|spapr-vscsi|spapr-vty| - sysbus-m48t02|sysbus-m48t08|sysbus-m48t59|u3-agp-pcihost| - uni-north-agp-pcihost|uni-north-internal-pci-pcihost|uni-north-pci| - uni-north-pci-pcihost|unimplemented-device|usb-redir| - vfio-pci-igd-lpc-bridge|vfio-pci-nohotplug|vfio-platform| - virtio-crypto-device|vhost-vsock-device|virtconsole|vmgenid| - vmware-svga|xen-backend|xen-pci-passthrough|xen-platform| - xen-pvdevice|xen-sysdev|xlnx.xps-ethernetlite|xlnx.xps-intc| - xlnx.xps-timer|xlnx.xps-uartlite|*-i386-cpu|*-powerpc64-cpu| - *-spapr-cpu-core|*-x86_64-cpu|vmcoreinfo|sii3112|pvrdma|sungem| - ccid-card-emulated|ccid-card-passthru| bochs-display|isa-cirrus-vga| - at24c-eeprom|i2c-ddc|kvaser_pci|m41t80|mioe3680_pci|pcm3680_pci| - ati-vga|cpu-cluster|ds1338|i82801b11-bridge|ib700|ioh3420|mpc-i2c| - 
pcie-pci-bridge|pcie-root-port|platform-ehci-usb|pnv-lpc-POWER8| - pnv-lpc-POWER9|pnv-occ-POWER8|pnv-occ-POWER9|pnv-psi-POWER8| - pnv-psi-POWER9|pnv-xive|powernv-cpu-quad|spapr-drc-phb|spapr-xive| - vfio-amd-xgbe|vfio-calxeda-xgmac|vmxnet3|x3130-upstream| - xio3130-downstream|xive-end-source|xive-source|xive-tctx| - vhost-user-fs-device|tulip|ati-vga] - (the following are aliases of these unsupported devices: lsi| - piix3-usb-uhci|mac-dbdma|ppc4xx-i2c) - (note that some of these device names represent supported devices and - are used internally, but are not specifyable via -device even though - they appear in the list of devices) - -drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2 or - raw] - -dtb file - -enable-hax - -enable-sync-profile - -fda/-fdb ... - -g ... - -hda/-hdb/-hdc/-hdd ... - -icount ... - -L ... - -M [40p|bamboo|g3beige|mac99|mpc8544ds|powernv|powernv8|powernv9|ppce500|prep| - pseries-2.1|pseries-2.2|pseries-2.3|pseries-2.4|pseries-2.5|pseries-2.6| - pseries-2.7|pseries-2.8|pseries-2.9|pseries-2.10|pseries-2.12| - pseries-2.12-sxxm|pseries-3.0|pseries-4.0|pseries-4.1|ref405ep|sam460ex| - taihu|virtex-ml507] - -machine [40p|bamboo|g3beige|mac99|mpc8544ds|powernv|powernv8|powernv9| - ppce500|prep|pseries-2.1|pseries-2.2|pseries-2.3|pseries-2.4| - pseries-2.5|pseries-2.6|pseries-2.7|pseries-2.8|pseries-2.10| - pseries-2.12|pseries-2.12-sxxm|pseries-3.0|pseries-4.0|pseries-4.1| - ref405ep|sam460ex|taihu|virtex-ml507] - -mtdblock file - -net [dump|socket|vde] ... - -netdev [dump|hubport|l2tpv3|socket|vde] ... - -no-acpi - -no-fd-bootchk - -no-hpet - -no-kvm - -no-kvm-irqchip - -no-kvm-pit - -no-kvm-pit-reinjection - -numa ... - -option-rom ... - -overcommit ... - -pflash file - -portrait - -preconfig - -prom-env ... - -qtest ... - -qtest-log ... - -rotate - -sd file - -sdl - -set ... - -singlestep - -snapshot - -soundhw ... - -spice - -tb-size ... - -tpmdev emulator ... 
- -vga [cg3|tcx|virtio|cirrus|xenfb] - -win2k-hack - -xen-attach ... - -xen-domid ... - -- The following monitor commands are unsupported: - acl_add ... - acl_policy ... - acl_remove ... - acl_reset ... - acl_show ... - block_job_cancel ... - block_job_complete ... - block_job_pause ... - block_job_resume ... - block_job_set_speed ... - block_passwd ... - commit ... - drive_mirror ... - expire_password ... - hostfwd_add ... - hostfwd_remove ... - nbd_server_add ... - nbd server_start ... - nbd_server_stop ... - netdev_add - netdev_del ... - pcie_aer_inject_error ... - set_link ... - set_password ... - singlestep ... - snapshot_blkdev ... - stopcapture ... - sync-profile ... - wavcapture ... - x_colo_lost_heartbeat - -- The following QMP commands are unsupported: - block-job-cancel - block-job-complete - block-job-pause - block-job-resume - block-job-set-speed - change-backing-file - drive-backup - drive-mirror - exit_preconfig - dump-skeys - netdev_add - netdev_del - nbd-server-add - nbd-server-start - nbd-server-stop - query-colo-status - query-sev - query-sev-launch-measure - x-blockdev-change - x-blockdev-insert-medium - x-blockdev-remove-medium - x-blockdev-reopen - x-colo-lost-heartbeat - x-exit-preconfig - x-debug-block-dirty-bitmap-sha256 - x-debug-query-block-graph - xen-colo-do-checkpoint - xen-load-devices-state - xen-save-devices-state - xen-set-global-dirty-log - xen-set-replication +QEMU/KVM on ppc is not supported. diff --git a/supported.s390.txt b/supported.s390.txt index 1bfe34a..d6940d7 100644 --- a/supported.s390.txt +++ b/supported.s390.txt 
@@ -29,8 +29,8 @@ Overview program is available for continuity with pre SLES 12 usage, including in libvirt domain xml references. The QEMU emulator binary qemu-system-s390x is now the primary program to use to access KVM virtualization. When using this - program, the -machine option accel=kvm (or its alias -enable-kvm) must be - specified for KVM acceleration to be used by the guest. + program, the -machine option accel=kvm (or its alias -enable-kvm) or --accel + kvm option must be specified for KVM acceleration to be used by the guest. Libvirt is the preferred means of accessing QEMU/KVM functionality and is documented elsewhere. This document focuses on the features and direct usage @@ -164,8 +164,10 @@ Deprecated, Superseded, Modified and Dropped Features considered deprecated. In the future those names will be standardized to acpitable, boot, and smp respectively. -- These previously supported command line options are now considered deprecated: - +- This previously supported command line option is now considered deprecated: + -device virtio-blk,scsi= (use virtio-scsi instead) + -device virtio-blk-pci,scsi= (use virtio-scsi instead) + -realtime mlock= (use -overcommit mem-lock= instead) - These previously supported command line options are no longer supported: diff --git a/supported.x86.txt b/supported.x86.txt index 5310a89..6f46095 100644 --- a/supported.x86.txt +++ b/supported.x86.txt 
@@ -30,9 +30,10 @@ Overview libvirt domain xml references. The QEMU emulator binaries qemu-system-x86_64 and qemu-system-i386 (x86 host) are now the primary programs to use to access KVM virtualization. When using these programs, the -machine option accel=kvm - (or its alias -enable-kvm) must be specified for KVM acceleration to be - used by the guest. Although Xen uses QEMU for virtualization as well, this - document does not identify Xen supported features. + (or its alias -enable-kvm), or --accel kvm option must be specified for KVM + acceleration to be used by the guest. Although Xen uses QEMU for + virtualization as well, this document does not identify Xen supported + features. Libvirt is the preferred means of accessing QEMU/KVM functionality and is documented elsewhere. This document focuses on the features and direct usage @@ -208,8 +209,11 @@ Deprecated, Superseded, Modified and Dropped Features deprecated. - These previously supported command line options are now considered deprecated: - -device ide-drive (use ide-hd or ide-cd) - -device scsi-disk (use scsi-hd or scsi-cd) + -device ide-drive (use ide-hd or ide-cd instead) + -device scsi-disk (use scsi-hd or scsi-cd instead) + -device virtio-blk,scsi= (use virtio-scsi instead) + -device virtio-blk-pci,scsi= (use virtio-scsi instead) + -realtime mlock= (use -overcommit mem-lock= instead) - These previously supported command line options are no longer supported: diff --git a/target-arm-Fix-PAuth-sbox-functions.patch b/target-arm-Fix-PAuth-sbox-functions.patch new file mode 100644 index 0000000..8f8542f --- /dev/null +++ b/target-arm-Fix-PAuth-sbox-functions.patch 
@@ -0,0 +1,48 @@
+From: Vincent Dehors
+Date: Thu, 23 Jan 2020 15:22:38 +0000
+Subject: target/arm: Fix PAuth sbox functions
+
+Git-commit: de0b1bae6461f67243282555475f88b2384a1eb9
+References: bsc#1168681, CVE-2020-10702
+
+In the PAC computation, sbox was applied over wrong bits.
+As this is a 4-bit sbox, bit index should be incremented by 4 instead of 16.
+
+Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was
+used to verify one computation of the pauth_computepac() function which
+uses sbox2.
+
+Launchpad: https://bugs.launchpad.net/bugs/1859713
+Reviewed-by: Richard Henderson
+Signed-off-by: Vincent DEHORS
+Signed-off-by: Adrien GRASSEIN
+Message-id: 20200116230809.19078-2-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell
+Signed-off-by: Peter Maydell
+Signed-off-by: Bruce Rogers
+---
+ target/arm/pauth_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
+index d3194f20437b717ec1cc13a1003e..0a5f41e10c5f03d85a727b2b7c42 100644
+--- a/target/arm/pauth_helper.c
++++ b/target/arm/pauth_helper.c
+@@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i)
+ uint64_t o = 0;
+ int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+ o |= (uint64_t)sub[(i >> b) & 0xf] << b;
+ }
+ return o;
+@@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i)
+ uint64_t o = 0;
+ int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+ o |= (uint64_t)inv_sub[(i >> b) & 0xf] << b;
+ }
+ return o;
diff --git a/target-i386-do-not-set-unsupported-VMX-s.patch b/target-i386-do-not-set-unsupported-VMX-s.patch
new file mode 100644
index 0000000..91277cd
--- /dev/null
+++ b/target-i386-do-not-set-unsupported-VMX-s.patch
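Review bot: The corrected loops in pac_sub and pac_inv_sub carry no comment that `sub`/`inv_sub` are 4-bit tables consumed one nibble at a time, which is exactly the property the old `b += 16` violated; a one-line comment above each loop, `/* 4-bit sbox: consume one nibble per step */`, would make the step width self-explanatory to the next reader. The message says a QARMA test vector was used to check pauth_computepac() by hand, but no regression test travels with this backport, so nothing pins the CVE-2020-10702 fix; recording that vector in a test, or at least in the comment, is cheap. The nested hunks' context shows both loop bodies in full; the table definitions are outside the hunk.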
@@ -0,0 +1,100 @@
+From: Vitaly Kuznetsov
+Date: Tue, 31 Mar 2020 18:27:52 +0200
+Subject: target/i386: do not set unsupported VMX secondary execution controls
+
+Git-commit: 4a910e1f6ab4155ec8b24c49b2585cc486916985
+
+Commit 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for
+secondary execution controls") added a workaround for KVM pre-dating
+commit 6defc591846d ("KVM: nVMX: include conditional controls in /dev/kvm
+KVM_GET_MSRS") which wasn't setting certain available controls. The
+workaround uses generic CPUID feature bits to set missing VMX controls.
+
+It was found that in some cases it is possible to observe hosts which
+have certain CPUID features but lack the corresponding VMX control.
+
+In particular, it was reported that Azure VMs have RDSEED but lack
+VMX_SECONDARY_EXEC_RDSEED_EXITING; attempts to enable this feature
+bit result in QEMU abort.
+
+Resolve the issue but not applying the workaround when we don't have
+to. As there is no good way to find out if KVM has the fix itself, use
+95c5c7c77c ("KVM: nVMX: list VMX MSRs in KVM_GET_MSR_INDEX_LIST") instead
+as these [are supposed to] come together.
+
+Fixes: 048c95163b4 ("target/i386: work around KVM_GET_MSRS bug for secondary execution controls")
+Suggested-by: Paolo Bonzini
+Signed-off-by: Vitaly Kuznetsov
+Message-Id: <20200331162752.1209928-1-vkuznets@redhat.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Bruce Rogers
+---
+ target/i386/kvm.c | 41 ++++++++++++++++++++++++++---------------
+ 1 file changed, 26 insertions(+), 15 deletions(-)
+
+diff --git a/target/i386/kvm.c b/target/i386/kvm.c
+index b8ea67a644c802358826a840bdf1..91cd4976e262ad6bbb83206114b3 100644
+--- a/target/i386/kvm.c
++++ b/target/i386/kvm.c
+@@ -105,6 +105,7 @@ static bool has_msr_smi_count;
+ static bool has_msr_arch_capabs;
+ static bool has_msr_core_capabs;
+ static bool has_msr_vmx_vmfunc;
++static bool has_msr_vmx_procbased_ctls2;
+
+ static uint32_t has_architectural_pmu_version;
+ static uint32_t num_architectural_pmu_gp_counters;
+@@ -489,21 +490,28 @@ uint64_t kvm_arch_get_supported_msr_feature(KVMState *s, uint32_t index)
+ value = msr_data.entries[0].data;
+ switch (index) {
+ case MSR_IA32_VMX_PROCBASED_CTLS2:
+- /* KVM forgot to add these bits for some time, do this ourselves. */
+- if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) & CPUID_XSAVE_XSAVES) {
+- value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
+- }
+- if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) & CPUID_EXT_RDRAND) {
+- value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
+- }
+- if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & CPUID_7_0_EBX_INVPCID) {
+- value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
+- }
+- if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) & CPUID_7_0_EBX_RDSEED) {
+- value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
+- }
+- if (kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX) & CPUID_EXT2_RDTSCP) {
+- value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
++ if (!has_msr_vmx_procbased_ctls2) {
++ /* KVM forgot to add these bits for some time, do this ourselves. */
++ if (kvm_arch_get_supported_cpuid(s, 0xD, 1, R_ECX) &
++ CPUID_XSAVE_XSAVES) {
++ value |= (uint64_t)VMX_SECONDARY_EXEC_XSAVES << 32;
++ }
++ if (kvm_arch_get_supported_cpuid(s, 1, 0, R_ECX) &
++ CPUID_EXT_RDRAND) {
++ value |= (uint64_t)VMX_SECONDARY_EXEC_RDRAND_EXITING << 32;
++ }
++ if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
++ CPUID_7_0_EBX_INVPCID) {
++ value |= (uint64_t)VMX_SECONDARY_EXEC_ENABLE_INVPCID << 32;
++ }
++ if (kvm_arch_get_supported_cpuid(s, 7, 0, R_EBX) &
++ CPUID_7_0_EBX_RDSEED) {
++ value |= (uint64_t)VMX_SECONDARY_EXEC_RDSEED_EXITING << 32;
++ }
++ if (kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX) &
++ CPUID_EXT2_RDTSCP) {
++ value |= (uint64_t)VMX_SECONDARY_EXEC_RDTSCP << 32;
++ }
+ }
+ /* fall through */
+ case MSR_IA32_VMX_TRUE_PINBASED_CTLS:
+@@ -2056,6 +2064,9 @@ static int kvm_get_supported_msrs(KVMState *s)
+ case MSR_IA32_VMX_VMFUNC:
+ has_msr_vmx_vmfunc = true;
+ break;
++ case MSR_IA32_VMX_PROCBASED_CTLS2:
++ has_msr_vmx_procbased_ctls2 = true;
++ break;
+ }
+ }
+ }
diff --git a/target-xtensa-fix-pasto-in-pfwait.r-opco.patch b/target-xtensa-fix-pasto-in-pfwait.r-opco.patch
new file mode 100644
index 0000000..1ca43ee
--- /dev/null
+++ b/target-xtensa-fix-pasto-in-pfwait.r-opco.patch
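Review bot: The comment kept inside the new `if (!has_msr_vmx_procbased_ctls2)` block, `KVM forgot to add these bits for some time, do this ourselves.`, no longer explains why the block is now conditional; the rationale lives only in the commit message. Record it at the site, e.g. `/* KVM without 6defc591846d also did not list this MSR in KVM_GET_MSR_INDEX_LIST (95c5c7c77c); treat its absence there as the signal that the CPUID-derived workaround is still needed. */`, so the proxy relationship is visible when someone next touches the workaround. The new `case MSR_IA32_VMX_PROCBASED_CTLS2` in kvm_get_supported_msrs presumably iterates over that list, which is what makes the flag a faithful proxy; a short comment there would help too. Both kvm_arch_get_supported_msr_feature and kvm_get_supported_msrs extend beyond the nested hunks.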
@@ -0,0 +1,28 @@
+From: Max Filippov
+Date: Wed, 26 Feb 2020 12:43:52 -0800
+Subject: target/xtensa: fix pasto in pfwait.r opcode name
+
+Git-commit: 1a03362b14affa4d8ddede55df6e21d7a07b87c2
+
+Core xtensa opcode table has pfwait.o instead of pfwait.r. Fix that.
+
+Fixes: c884400f2988 ("target/xtensa: implement block prefetch option opcodes")
+Signed-off-by: Max Filippov
+Signed-off-by: Bruce Rogers
+---
+ target/xtensa/translate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
+index a99f5296e2f4f1d01fd21cfb3fd0..2ec0e5a047ed0e9b9c0926518649 100644
+--- a/target/xtensa/translate.c
++++ b/target/xtensa/translate.c
+@@ -3740,7 +3740,7 @@ static const XtensaOpcodeOps core_ops[] = {
+ .name = "pfwait.a",
+ .translate = translate_nop,
+ }, {
+- .name = "pfwait.o",
++ .name = "pfwait.r",
+ .translate = translate_nop,
+ }, {
+ .name = "pitlb",
diff --git a/tcg-i386-Fix-INDEX_op_dup2_vec.patch b/tcg-i386-Fix-INDEX_op_dup2_vec.patch
new file mode 100644
index 0000000..103f928
--- /dev/null
+++ b/tcg-i386-Fix-INDEX_op_dup2_vec.patch
@@ -0,0 +1,37 @@
+From: Richard Henderson
+Date: Sat, 28 Mar 2020 18:16:10 -0700
+Subject: tcg/i386: Fix INDEX_op_dup2_vec
+
+Git-commit: e20cb81d9c5a3d0f9c08f3642728a210a1c162c9
+
+We were only constructing the 64-bit element, and not
+replicating the 64-bit element across the rest of the vector.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Richard Henderson
+Signed-off-by: Bruce Rogers
+---
+ tcg/i386/tcg-target.inc.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/tcg/i386/tcg-target.inc.c b/tcg/i386/tcg-target.inc.c
+index 9d8ed974e011152d2df4cba613ad..77b78c941c5afcd065a8e153dca7 100644
+--- a/tcg/i386/tcg-target.inc.c
++++ b/tcg/i386/tcg-target.inc.c
+@@ -2855,9 +2855,13 @@ static void tcg_out_vec_op(TCGContext *s, TCGOpcode opc,
+ goto gen_simd;
+ #if TCG_TARGET_REG_BITS == 32
+ case INDEX_op_dup2_vec:
+- /* Constraints have already placed both 32-bit inputs in xmm regs. */
+- insn = OPC_PUNPCKLDQ;
+- goto gen_simd;
++ /* First merge the two 32-bit inputs to a single 64-bit element. */
++ tcg_out_vex_modrm(s, OPC_PUNPCKLDQ, a0, a1, a2);
++ /* Then replicate the 64-bit elements across the rest of the vector. */
++ if (type != TCG_TYPE_V64) {
++ tcg_out_dup_vec(s, type, MO_64, a0, a0);
++ }
++ break;
+ #endif
+ case INDEX_op_abs_vec:
+ insn = abs_insn[vece];
diff --git a/tcg-mips-mips-sync-encode-error.patch b/tcg-mips-mips-sync-encode-error.patch
new file mode 100644
index 0000000..259650f
--- /dev/null
+++ b/tcg-mips-mips-sync-encode-error.patch
@@ -0,0 +1,49 @@
+From: lixinyu
+Date: Sat, 11 Apr 2020 20:46:12 +0800
+Subject: tcg/mips: mips sync* encode error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: a4e57084c16d5b0eff3651693fba04f26b30b551
+
+OPC_SYNC_WMB, OPC_SYNC_MB, OPC_SYNC_ACQUIRE, OPC_SYNC_RELEASE and
+OPC_SYNC_RMB have wrong encode. According to the mips manual,
+their encode should be 'OPC_SYNC | 0x?? << 6' rather than
+'OPC_SYNC | 0x?? << 5'. Wrong encode can lead illegal instruction
+errors. These instructions often appear with multi-threaded
+simulation.
+
+Fixes: 6f0b99104a3 ("tcg/mips: Add support for fence")
+Reviewed-by: Richard Henderson
+Reviewed-by: Aleksandar Markovic
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: lixinyu
+Message-Id: <20200411124612.12560-1-precinct@mail.ustc.edu.cn>
+Signed-off-by: Richard Henderson
+Signed-off-by: Bruce Rogers
+---
+ tcg/mips/tcg-target.inc.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tcg/mips/tcg-target.inc.c b/tcg/mips/tcg-target.inc.c
+index 544216704526a4bd24dce51ade83..006835348fe5c5818d89b0806ba3 100644
+--- a/tcg/mips/tcg-target.inc.c
++++ b/tcg/mips/tcg-target.inc.c
+@@ -404,11 +404,11 @@ typedef enum {
+
+ /* MIPS r6 introduced names for weaker variants of SYNC. These are
+ backward compatible to previous architecture revisions. */
+- OPC_SYNC_WMB = OPC_SYNC | 0x04 << 5,
+- OPC_SYNC_MB = OPC_SYNC | 0x10 << 5,
+- OPC_SYNC_ACQUIRE = OPC_SYNC | 0x11 << 5,
+- OPC_SYNC_RELEASE = OPC_SYNC | 0x12 << 5,
+- OPC_SYNC_RMB = OPC_SYNC | 0x13 << 5,
++ OPC_SYNC_WMB = OPC_SYNC | 0x04 << 6,
++ OPC_SYNC_MB = OPC_SYNC | 0x10 << 6,
++ OPC_SYNC_ACQUIRE = OPC_SYNC | 0x11 << 6,
++ OPC_SYNC_RELEASE = OPC_SYNC | 0x12 << 6,
++ OPC_SYNC_RMB = OPC_SYNC | 0x13 << 6,
+
+ /* Aliases for convenience. */
+ ALIAS_PADD = sizeof(void *) == 4 ? OPC_ADDU : OPC_DADDU,
diff --git a/update_git.sh b/update_git.sh
index 34056cc..c1aff92 100644
--- a/update_git.sh
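Review bot: The five corrected constants still spell the encoding as `OPC_SYNC | 0x04 << 6` with no parentheses and no name for the field being filled, which is how a wrong shift amount survived since 6f0b99104a3; parenthesize the shift and name the field once, e.g. `OPC_SYNC_WMB = OPC_SYNC | (0x04 << 6), /* stype field starts at bit 6 */`, and likewise for the other four. Operator precedence makes the current form correct, so this is a readability point, not a functional one. The enclosing `typedef enum` starts and ends outside the nested hunk.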
+++ b/update_git.sh @@ -1,4 +1,8 @@ #!/bin/bash +#POKEALL used to document where ALL repos are POKED +#POKEALL? question what repos are actually poked here +#TEMP_CHECK - try to eliminate +# !! FIX AFTER RUN - LEAVING REPO NOT IN GOOD STATE # update_git.sh: script to manage package maintenance using a git-based # workflow. Commands are as follows: @@ -64,16 +68,6 @@ fi #============================================================================== TEMP_CHECK() { -# TEMPORARY! FOR NOW WE REQUIRE THESE LOCALLY TO DO WORK ON PACKAGE -REQUIRED_LOCAL_REPO_MAP=( - ~/git/qemu-opensuse - ~/git/qemu-seabios - ~/git/qemu-ipxe - ~/git/qemu-sgabios - ~/git/qemu-skiboot - ~/git/qemu-keycodemapdb - ~/git/qemu-qboot -) # Validate that all the local repos that we currently have patches in are available # TEMPORARY REQUIREMENT! 
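Review bot: The four lines added at the top of update_git.sh in the `@@ -1` hunk (`#POKEALL ...`, `#TEMP_CHECK - try to eliminate`, `# !! FIX AFTER RUN - LEAVING REPO NOT IN GOOD STATE`) are working notes rather than documentation, and the last one records a known failure mode without saying which command causes it or how the user recovers. Either make it actionable, e.g. `# KNOWN ISSUE: <command> can leave <repo> mid-operation; run <recovery step> before retrying` with the placeholders filled in, or track it outside the script; the `#POKEALL` markers sprinkled through the later hunks belong with it. The `@@ -64` hunk on this same line deletes the `REQUIRED_LOCAL_REPO_MAP` array without replacing the check that used it, which the later `explain_setup` addition still references.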
@@ -129,22 +123,25 @@ touch $BUNDLE_DIR/$GIT_UPSTREAM_COMMIT.id # Now go through all the submodule local repos that are present and create a bundle file for the patches found there for (( i=0; i <$REPO_COUNT; i++ )); do +#POKEALL (conditional on whether it IS there) if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then SUBDIR=${PATCH_PATH_MAP[$i]} GITREPO_COMMIT_ISH=($BUNDLE_DIR/$SUBDIR*.id) if [[ $GITREPO_COMMIT_ISH =~ .*(.{40})[.]id ]]; then GITREPO_COMMIT_ISH=${BASH_REMATCH[1]} echo "Using $GITREPO_COMMIT_ISH" - PATCH_RANGE_INDEX=$i mkdir -p $GIT_DIR/$SUBDIR git -C $GIT_DIR/$SUBDIR init +#POKEALL git -C $GIT_DIR/$SUBDIR remote add origin file://$(readlink -f \ - ${LOCAL_REPO_MAP[$PATCH_RANGE_INDEX]}) - git -C $(readlink -f ${LOCAL_REPO_MAP[$PATCH_RANGE_INDEX]}) remote get-url origin >$BUNDLE_DIR/$SUBDIR/repo + ${LOCAL_REPO_MAP[$i]}) if [[ $(git -C $GIT_DIR/$SUBDIR ls-remote --heads origin $GIT_BRANCH) ]]; then git -C $GIT_DIR/$SUBDIR fetch origin $GIT_BRANCH if [[ $(git -C $GIT_DIR/$SUBDIR rev-list $GITREPO_COMMIT_ISH..FETCH_HEAD) ]]; then git -C $GIT_DIR/$SUBDIR bundle create $BUNDLE_DIR/$SUBDIR$GITREPO_COMMIT_ISH.bundle $GITREPO_COMMIT_ISH..FETCH_HEAD +#TODO: post-process repo info to avoid un-needed diffs (eg git vs https) +#POKEALL + git -C $(readlink -f ${LOCAL_REPO_MAP[$i]}) remote get-url origin >$BUNDLE_DIR/$SUBDIR/repo fi fi fi @@ -180,12 +177,12 @@ for entry in ${BUNDLE_FILES[@]}; do fi for (( i=0; i <$REPO_COUNT; i++ )); do if [[ "$SUBDIR" = "${PATCH_PATH_MAP[$i]}" ]]; then - PATCH_RANGE_INDEX=$i break fi done - LOCAL_REPO=$(readlink -f ${LOCAL_REPO_MAP[$PATCH_RANGE_INDEX]}) +#POKEALL ? + LOCAL_REPO=$(readlink -f ${LOCAL_REPO_MAP[$i]}) if [ -e $LOCAL_REPO ]; then git -C $LOCAL_REPO remote remove bundlerepo || true # git won't let you delete a branch we're on - so get onto master temporarily (TODO: is there a better approach?) 
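Review bot: In the `@@ -180` hunk, `LOCAL_REPO=$(readlink -f ${LOCAL_REPO_MAP[$i]})` now relies on the preceding `for`/`break` having matched `$SUBDIR`; when nothing matches, `$i` ends at `$REPO_COUNT`, `${LOCAL_REPO_MAP[$i]}` is unset, `readlink -f` of an empty path prints nothing, and the unquoted `[ -e $LOCAL_REPO ]` collapses to `[ -e ]`, which is true, so the following `git -C $LOCAL_REPO ...` commands run with a missing directory argument. The `@@ -334` hunk of this same commit adds the guard needed here as well; place `if [[ $i = $REPO_COUNT ]]; then echo "Error matching bundle dir to project submodule path"; exit 1; fi` directly after the loop, or quote the test as `[ -e "$LOCAL_REPO" ]` so an empty value fails. The enclosing `for entry in ${BUNDLE_FILES[@]}` loop starts and ends outside the hunk.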
@@ -283,6 +280,7 @@ mkdir -p $BUNDLE_DIR tar xJf bundles.tar.xz -C $BUNDLE_DIR # Now go through all the submodule local repos that are present and create a bundle file for the patches found there for (( i=0; i <$REPO_COUNT; i++ )); do +#POKEALL if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then if $(git -C ${LOCAL_REPO_MAP[$i]} branch | grep -F "frombundle" >/dev/null); then SUBDIR=${PATCH_PATH_MAP[$i]} @@ -334,15 +332,19 @@ for entry in ${BUNDLE_FILES[@]}; do fi for (( i=0; i <$REPO_COUNT; i++ )); do if [[ "$SUBDIR" = "${PATCH_PATH_MAP[$i]}" ]]; then - PATCH_RANGE_INDEX=$i break fi done + if [[ $i = $REPO_COUNT ]]; then + echo "Error matching bundle dir to project submodule path" + exit + fi mkdir -p $GIT_DIR/$SUBDIR git -C $GIT_DIR/$SUBDIR init +#POKEALL? git -C $GIT_DIR/$SUBDIR remote add origin file://$(readlink -f \ - ${LOCAL_REPO_MAP[$PATCH_RANGE_INDEX]}) + ${LOCAL_REPO_MAP[$i]}) git -C $GIT_DIR/$SUBDIR fetch origin $GIT_BRANCH git -C $GIT_DIR/$SUBDIR reset --hard $GITREPO_COMMIT_ISH git -C $GIT_DIR/$SUBDIR remote add bundle $BUNDLE_DIR/$entry @@ -350,7 +352,7 @@ for entry in ${BUNDLE_FILES[@]}; do git -C $GIT_DIR/$SUBDIR format-patch -N --suffix= --no-renames -o $CMP_DIR -k --stat=72 \ --indent-heuristic --zero-commit --no-signature --full-index \ --src-prefix=a/$SUBDIR --dst-prefix=b/$SUBDIR \ - --start-number=$(expr $PATCH_RANGE_INDEX \* $PATCH_RANGE) \ + --start-number=$(expr $i \* $PATCH_RANGE) \ $GITREPO_COMMIT_ISH..FETCH_HEAD > /dev/null done @@ -584,6 +586,10 @@ rm -rf $BUNDLE_DIR if [ -e qemu.changes.added ]; then rm -f qemu.changes.added fi +# Decide if there is a better way to handle the no change case: + if [[ "0" = "$(expr $CHANGED_COUNT + $DELETED_COUNT + $ADDED_COUNT)" ]]; then + osc revert bundles.tar.xz + fi echo "git patch summary" echo " unchanged: $UNCHANGED_COUNT" echo " changed: $CHANGED_COUNT" 
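Review bot: The new `exit` after `echo "Error matching bundle dir to project submodule path"` in the `@@ -334` hunk terminates with status 0, so the failure is indistinguishable from success to any caller or to `set -e`-style checks around the script; make it `exit 1`. The same bare `exit` follows the new error message in the `@@ -611` hunk (main repo not found) and both new tarball-name checks in the `@@ -737` hunk. If this loop runs inside bundle2spec, whose output the `@@ -755` hunk redirects to /tmp/git2pkg.log, the status code is the only signal that survives, which makes the non-zero exit more important than the message itself. The function containing this loop starts outside the hunk.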
@@ -611,9 +617,27 @@ echo "(See script for details on doing 'LATEST' workflow)" #============================================================================== +explain_setup() { +echo "Currently we require local git repos at these locations:" +echo "${REQUIRED_LOCAL_REPO_MAP[@]}" +echo "Where each has as it's remote the uri: https://github.com/opensuse/*.git" +echo "and where * is replaced by the qemu-whatever, and the remote is named origin" +echo "and the qemu or qemu submodule repos as remotes named upstream" +} + +#============================================================================== + +#?? Should we be LATEST or not specific here? +if [[ ! -e $(readlink -f ${LOCAL_REPO_MAP[0]}) ]]; then + echo "ERROR: Main local QEMU related git repo not found. Please follow these setup instructions:" + explain_setup + exit +fi + echo "WARNING: Script using local git repos. Some operations may be time consuming..." #TODO: Most of these checks are not necessary for (( i=0; i <$REPO_COUNT; i++ )); do +#POKEALL if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then if [[ -d ${LOCAL_REPO_MAP[$i]}/.git/rebase-merge || \ -d ${LOCAL_REPO_MAP[$i]}/.git/rebase-apply ]]; then @@ -660,6 +684,7 @@ if [ "$GIT_UPSTREAM_COMMIT_ISH" = "LATEST" ]; then fi fi fi +#POKEALL for (( i=0; i <$REPO_COUNT; i++ )); do if [[ -e $(readlink -f ${LOCAL_REPO_MAP[$i]}) ]]; then git -C ${LOCAL_REPO_MAP[$i]} remote update upstream &> /dev/null 
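Review bot: `explain_setup` prints `${REQUIRED_LOCAL_REPO_MAP[@]}`, but the `@@ -64` hunk of this same commit deletes the only definition of that array visible in the diff, so unless config.sh or another sourced file still defines it the setup message prints an empty location list. Print `${LOCAL_REPO_MAP[@]}` instead, which is the array the check on the following lines actually consults, or restore the definition. Two nits in the same added lines: `as it's remote` should read `as its remote`, and the bare `exit` after `explain_setup` should be `exit 1` so the missing-repo condition is reported as a failure.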
@@ -692,13 +717,13 @@ if [ "$GIT_UPSTREAM_COMMIT_ISH" = "LATEST" ]; then WRITE_LOG=0 echo "Processing LATEST upstream changes" echo "(If SUCCESS is not printed upon completion, see /tmp/latest.log for issues)" - TEMP_CHECK + TEMP_CHECK # DOING LATEST if [[ $QEMU_TARBALL =~ $BASE_RE$EXTRA_RE$SUFFIX_RE ]]; then OLD_COMMIT_ISH=${BASH_REMATCH[3]} else #Assume release (or release candidate) tarball with equivalent tag: OLD_COMMIT_ISH=$(cd ${LOCAL_REPO_MAP[0]} && git rev-list --abbrev-commit \ - --abbrev=9 -1 v$OLD_SOURCE_VERSION_AND_EXTRA) + --abbrev=8 -1 v$OLD_SOURCE_VERSION_AND_EXTRA) fi if [ ${#QEMU_TARBALL_SIG[@]} -ne 0 ]; then echo "INFO: Ignoring signature file: $QEMU_TARBALL_SIG" @@ -737,10 +762,18 @@ if [ "$GIT_UPSTREAM_COMMIT_ISH" = "LATEST" ]; then echo "SUCCESS" tail -9 /tmp/latest.log else # not LATEST + if [ ! "$GIT_UPSTREAM_COMMIT_ISH" = "v$OLD_SOURCE_VERSION_AND_EXTRA" ]; then + echo "Tarball name (which we decode) doesn't correspond to the \$GIT_UPSTREAM_COMMIT_ISH in config.sh" + exit + fi git -C ${LOCAL_REPO_MAP[0]} checkout $GIT_UPSTREAM_COMMIT_ISH --recurse-submodules -f &> /dev/null NEW_COMMIT_ISH= SOURCE_VERSION=$OLD_SOURCE_VERSION_AND_EXTRA QEMU_VERSION=$(tar JxfO qemu-$SOURCE_VERSION$VERSION_EXTRA.tar.xz qemu-$SOURCE_VERSION/VERSION) + if [ ! "$QEMU_VERSION" = "$OLD_SOURCE_VERSION_AND_EXTRA" ]; then + echo "Tarball name (which we decode) doesn't correspond to the VERSION file contained therein" + exit + fi MAJOR_VERSION=$(echo $QEMU_VERSION|awk -F. '{print $1}') MINOR_VERSION=$(echo $QEMU_VERSION|awk -F. '{print $2}') GIT_BRANCH=opensuse-$MAJOR_VERSION.$MINOR_VERSION @@ -755,7 +788,7 @@ else # not LATEST git2pkg ) echo "Updating the package using the $GIT_BRANCH branch of the local repos." echo "(If SUCCESS is not printed upon completion, see /tmp/git2pkg.log for issues)" - TEMP_CHECK + TEMP_CHECK #NOT LATEST initbundle &> /tmp/git2pkg.log bundle2spec &>> /tmp/git2pkg.log echo "SUCCESS" 
@@ -764,7 +797,7 @@ else # not LATEST pkg2git ) echo "Exporting the package's git bundles to the local repo's frombundle branches..." echo "(If SUCCESS is not printed upon completion, see /tmp/pkg2git.log for issues)" - TEMP_CHECK + TEMP_CHECK #NOT LATEST bundle2local &> /tmp/pkg2git.log echo "SUCCESS" echo "To modify package patches, use the frombundle branch as the basis for updating" @@ -775,7 +808,7 @@ else # not LATEST echo "Updating the spec file and patches from the spec file template and the bundle" echo "of bundles (bundles.tar.xz)" echo "(If SUCCESS is not printed upon completion, see /tmp/refresh.log for issues)" - TEMP_CHECK + TEMP_CHECK #NOT LATEST bundle2spec &> /tmp/refresh.log echo "SUCCESS" tail -9 /tmp/refresh.log diff --git a/vhost-user-gpu-Release-memory-returned-b.patch b/vhost-user-gpu-Release-memory-returned-b.patch new file mode 100644 index 0000000..a420705 --- /dev/null +++ b/vhost-user-gpu-Release-memory-returned-b.patch 
@@ -0,0 +1,58 @@
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Mon, 23 Mar 2020 12:29:41 +0100
+Subject: vhost-user-gpu: Release memory returned by vu_queue_pop() with free()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 4ff97121a3ee631971aadc87e3d4e7fb66f15aa8
+
+vu_queue_pop() returns memory that must be freed with free().
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Coverity (CID 1421887 ALLOC_FREE_MISMATCH)
+Suggested-by: Peter Maydell
+Signed-off-by: Philippe Mathieu-Daudé
+Reviewed-by: Marc-André Lureau
+Signed-off-by: Peter Maydell
+Signed-off-by: Bruce Rogers
+---
+ contrib/vhost-user-gpu/main.c | 4 ++--
+ contrib/vhost-user-gpu/virgl.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c
+index b45d2019b46bdfac64b59d5702ae..a019d0a9acea61a7629f1c74c79a 100644
+--- a/contrib/vhost-user-gpu/main.c
++++ b/contrib/vhost-user-gpu/main.c
+@@ -848,7 +848,7 @@ vg_handle_ctrl(VuDev *dev, int qidx)
+ QTAILQ_INSERT_TAIL(&vg->fenceq, cmd, next);
+ vg->inflight++;
+ } else {
+- g_free(cmd);
++ free(cmd);
+ }
+ }
+ }
+@@ -939,7 +939,7 @@ vg_handle_cursor(VuDev *dev, int qidx)
+ }
+ vu_queue_push(dev, vq, elem, 0);
+ vu_queue_notify(dev, vq);
+- g_free(elem);
++ free(elem);
+ }
+ }
+
+diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
+index 43413e29df9d46739c09d2d501df..b0bc22c3c13db0e8b0b450dac19d 100644
+--- a/contrib/vhost-user-gpu/virgl.c
++++ b/contrib/vhost-user-gpu/virgl.c
+@@ -519,7 +519,7 @@ virgl_write_fence(void *opaque, uint32_t fence)
+ g_debug("FENCE %" PRIu64, cmd->cmd_hdr.fence_id);
+ vg_ctrl_response_nodata(g, cmd, VIRTIO_GPU_RESP_OK_NODATA);
+ QTAILQ_REMOVE(&g->fenceq, cmd, next);
+- g_free(cmd);
++ free(cmd);
+ g->inflight--;
+ }
+ }
diff --git a/vpc-Don-t-round-up-already-aligned-BAT-s.patch b/vpc-Don-t-round-up-already-aligned-BAT-s.patch
new file mode 100644
index 0000000..98d32e8
--- /dev/null
+++ b/vpc-Don-t-round-up-already-aligned-BAT-s.patch
@@ -0,0 +1,47 @@
+From: Kevin Wolf
+Date: Thu, 2 Apr 2020 11:36:03 +0200
+Subject: vpc: Don't round up already aligned BAT sizes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 3f6de653b946fe849330208becf79d6af7e876cb
+
+As reported on Launchpad, Azure apparently doesn't accept images for
+upload that are not both aligned to 1 MB blocks and have a BAT size that
+matches the image size exactly.
+
+As far as I can tell, there is no real reason why we create a BAT that
+is one entry longer than necessary for aligned image sizes, so change
+that.
+
+(Even though the condition is only mentioned as "should" in the spec and
+previous products accepted larger BATs - but we'll try to maintain
+compatibility with as many of Microsoft's ever-changing interpretations
+of the VHD spec as possible.)
+
+Fixes: https://bugs.launchpad.net/bugs/1870098
+Reported-by: Tobias Witek
+Signed-off-by: Kevin Wolf
+Message-Id: <20200402093603.2369-1-kwolf@redhat.com>
+Reviewed-by: Max Reitz
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Kevin Wolf
+Signed-off-by: Bruce Rogers
+---
+ block/vpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/vpc.c b/block/vpc.c
+index a65550298e195af52c51a31d1f9f..21b08033a6ab56115c6258b7ef3c 100644
+--- a/block/vpc.c
++++ b/block/vpc.c
+@@ -835,7 +835,7 @@ static int create_dynamic_disk(BlockBackend *blk, uint8_t *buf,
+
+ /* Write the footer (twice: at the beginning and at the end) */
+ block_size = 0x200000;
+- num_bat_entries = (total_sectors + block_size / 512) / (block_size / 512);
++ num_bat_entries = DIV_ROUND_UP(total_sectors, block_size / 512);
+
+ ret = blk_pwrite(blk, offset, buf, HEADER_SIZE, 0);
+ if (ret < 0) {
diff --git a/xen-block-Fix-double-qlist-remove-and-re.patch b/xen-block-Fix-double-qlist-remove-and-re.patch
new file mode 100644
index 0000000..fe06357
--- /dev/null
+++ b/xen-block-Fix-double-qlist-remove-and-re.patch
@@ -0,0 +1,155 @@
+From: Anthony PERARD
+Date: Mon, 6 Apr 2020 15:02:17 +0100
+Subject: xen-block: Fix double qlist remove and request leak
+
+Git-commit: 36d883ba0de8a281072ded2b51e0a711fd002139
+
+Commit a31ca6801c02 ("qemu/queue.h: clear linked list pointers on
+remove") revealed that a request was removed twice from a list, once
+in xen_block_finish_request() and a second time in
+xen_block_release_request() when both function are called from
+xen_block_complete_aio(). But also, the `requests_inflight' counter is
+decreased twice, and thus became negative.
+
+This is a bug that was introduced in bfd0d6366043 ("xen-block: improve
+response latency"), where a `finished' list was removed.
+
+That commit also introduced a leak of request in xen_block_do_aio().
+That function calls xen_block_finish_request() but the request is
+never released after that.
+
+To fix both issue, we do two changes:
+- we squash finish_request() and release_request() together as we want
+ to remove a request from 'inflight' list to add it to 'freelist'.
+- before releasing a request, we need to let the other end know the
+ result, thus we should call xen_block_send_response() before
+ releasing a request.
+
+The first change fixes the double QLIST_REMOVE() as we remove the extra
+call. The second change makes the leak go away because if we want to
+call finish_request(), we need to call a function that does all of
+finish, send response, and release.
+
+Fixes: bfd0d6366043 ("xen-block: improve response latency")
+Signed-off-by: Anthony PERARD
+Message-Id: <20200406140217.1441858-1-anthony.perard@citrix.com>
+Reviewed-by: Paul Durrant
+[mreitz: Amended commit message as per Paul's suggestions]
+Signed-off-by: Max Reitz
+Signed-off-by: Bruce Rogers
+---
+ hw/block/dataplane/xen-block.c | 48 ++++++++++++----------------------
+ 1 file changed, 16 insertions(+), 32 deletions(-)
+
+diff --git a/hw/block/dataplane/xen-block.c b/hw/block/dataplane/xen-block.c
+index 3b9caeb2fa00a1f4eb338fca7a89..c4ed2870ecd779bf40eb4f3eded3 100644
+--- a/hw/block/dataplane/xen-block.c
++++ b/hw/block/dataplane/xen-block.c
+@@ -64,6 +64,8 @@ struct XenBlockDataPlane {
+ AioContext *ctx;
+ };
+
++static int xen_block_send_response(XenBlockRequest *request);
++
+ static void reset_request(XenBlockRequest *request)
+ {
+ memset(&request->req, 0, sizeof(request->req));
+@@ -115,23 +117,26 @@ out:
+ return request;
+ }
+
+-static void xen_block_finish_request(XenBlockRequest *request)
++static void xen_block_complete_request(XenBlockRequest *request)
+ {
+ XenBlockDataPlane *dataplane = request->dataplane;
+
+- QLIST_REMOVE(request, list);
+- dataplane->requests_inflight--;
+-}
++ if (xen_block_send_response(request)) {
++ Error *local_err = NULL;
+
+-static void xen_block_release_request(XenBlockRequest *request)
+-{
+- XenBlockDataPlane *dataplane = request->dataplane;
++ xen_device_notify_event_channel(dataplane->xendev,
++ dataplane->event_channel,
++ &local_err);
++ if (local_err) {
++ error_report_err(local_err);
++ }
++ }
+
+ QLIST_REMOVE(request, list);
++ dataplane->requests_inflight--;
+ reset_request(request);
+ request->dataplane = dataplane;
+ QLIST_INSERT_HEAD(&dataplane->freelist, request, list);
+- dataplane->requests_inflight--;
+ }
+
+ /*
+@@ -246,7 +251,6 @@ static int xen_block_copy_request(XenBlockRequest *request)
+ }
+
+ static int xen_block_do_aio(XenBlockRequest *request);
+-static int xen_block_send_response(XenBlockRequest *request);
+
+ static void xen_block_complete_aio(void *opaque, int ret)
+ {
+@@ -286,7 +290,6 @@ static void xen_block_complete_aio(void *opaque, int ret)
+ }
+
+ request->status = request->aio_errors ? BLKIF_RSP_ERROR : BLKIF_RSP_OKAY;
+- xen_block_finish_request(request);
+
+ switch (request->req.operation) {
+ case BLKIF_OP_WRITE:
+@@ -306,17 +309,8 @@ static void xen_block_complete_aio(void *opaque, int ret)
+ default:
+ break;
+ }
+- if (xen_block_send_response(request)) {
+- Error *local_err = NULL;
+
+- xen_device_notify_event_channel(dataplane->xendev,
+- dataplane->event_channel,
+- &local_err);
+- if (local_err) {
+- error_report_err(local_err);
+- }
+- }
+- xen_block_release_request(request);
++ xen_block_complete_request(request);
+
+ if (dataplane->more_work) {
+ qemu_bh_schedule(dataplane->bh);
+@@ -420,8 +414,8 @@ static int xen_block_do_aio(XenBlockRequest *request)
+ return 0;
+
+ err:
+- xen_block_finish_request(request);
+ request->status = BLKIF_RSP_ERROR;
++ xen_block_complete_request(request);
+ return -1;
+ }
+
+@@ -575,17 +569,7 @@ static bool xen_block_handle_requests(XenBlockDataPlane *dataplane)
+ break;
+ };
+
+- if (xen_block_send_response(request)) {
+- Error *local_err = NULL;
+-
+- xen_device_notify_event_channel(dataplane->xendev,
+- dataplane->event_channel,
+- &local_err);
+- if (local_err) {
+- error_report_err(local_err);
+- }
+- }
+- xen_block_release_request(request);
++ xen_block_complete_request(request);
+ continue;
+ }
+
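Review bot: The `err:` path of `xen_block_do_aio()` now calls `xen_block_complete_request()`, which sends the response and moves the request to `dataplane->freelist`, before returning -1; any caller that still completes or releases the request on a non-zero return would then operate on a recycled request — the same class of double-release this patch fixes, from the other direction. The `xen_block_do_aio()` call site in `xen_block_handle_requests()` is outside this hunk, so it is worth confirming it only logs or `continue`s on -1. In `xen_block_complete_request()`, `dataplane` is captured before `reset_request()` and written back afterwards, presumably because `reset_request()` (whose body continues outside the `@@ -64` hunk) wipes it; since the order of those lines is load-bearing, a one-line comment such as `/* reset_request() clears the back-pointer; restore it before re-queueing on freelist */` would keep a later cleanup from reordering them. The logic matches upstream 36d883ba0de8 as cited in the header, so this is a backport-fidelity check rather than a new defect.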