From af68a7132dfa2a544111f9a88fa32e7de4f548a322d0deb81e20bfa9d4db939c Mon Sep 17 00:00:00 2001 
From: Bruce Rogers Date: Wed, 22 Jul 2020 04:19:22 +0000 Subject: [PATCH] Accepting request 822154 from home:bfrogers:branches:Virtualization - Updating to Sphinx v3.1.2 in Factory is exposing an issue in qemu doc sources. Fix it docs-fix-trace-docs-build-with-sphinx-3..patch - Fix DoS possibility in ati-vga emulation (CVE-2020-13800 bsc#1172495) ati-vga-check-mm_index-before-recursive-.patch - Fix DoS possibility in Network Block Device (nbd) support infrastructure (CVE-2020-10761 bsc#1172710) nbd-server-Avoid-long-error-message-asse.patch - Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386) exec-set-map-length-to-zero-when-returni.patch - Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383) megasas-use-unsigned-type-for-reply_queu.patch - Fix legacy IGD passthrough hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch - The latest gcc10 available in Factory has the fix for the issue this patch was created to avoid, so drop it build-Work-around-gcc10-bug-by-not-using.patch - Switch to upstream versions of some patches we carry add-enum-cast-to-avoid-gcc10-warning.patch -> golan-Add-explicit-type-casts-for-nodnic.patch Be-explicit-about-fcommon-compiler-direc.patch -> build-Be-explicit-about-fcommon-compiler.patch Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch -> build-Do-not-apply-WORKAROUND_CFLAGS-for.patch Fix-s-directive-argument-is-null-error.patch -> build-Fix-s-directive-argument-is-null-e.patch Workaround-compilation-error-with-gcc-9..patch -> build-Workaround-compilation-error-with-.patch work-around-gcc10-problem-with-zero-leng.patch -> intel-Avoid-spurious-compiler-warning-on.patch - Fix vgabios issue for cirrus graphics emulation, which effectively downgraded it to standard VGA behavior vga-fix-cirrus-bios.patch - Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384) es1370-check-total-frame-count-against-c.patch OBS-URL: 
https://build.opensuse.org/request/show/822154 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=553 --- ...xplicit-about-fcommon-compiler-direc.patch | 35 ---- PPC-KVM-Disable-mmu-notifier-check.patch | 2 +- Sync-pv.patch | 2 +- add-enum-cast-to-avoid-gcc10-warning.patch | 38 ---- ...vga-check-mm_index-before-recursive-.patch | 58 ++++++ ...d-Be-explicit-about-fcommon-compiler.patch | 29 +++ ...d-Do-not-apply-WORKAROUND_CFLAGS-for.patch | 4 +- ...d-Fix-s-directive-argument-is-null-e.patch | 2 +- ...d-Work-around-gcc10-bug-by-not-using.patch | 78 -------- ...d-Workaround-compilation-error-with-.patch | 5 +- bundles.tar.xz | 4 +- ...-fix-trace-docs-build-with-sphinx-3..patch | 61 +++++++ ...70-check-total-frame-count-against-c.patch | 60 ++++++ ...-set-map-length-to-zero-when-returni.patch | 54 ++++++ ...n-Add-explicit-type-casts-for-nodnic.patch | 43 +++++ ...fio-pci-quirks-Fix-broken-legacy-IGD.patch | 36 ++++ ...l-Avoid-spurious-compiler-warning-on.patch | 89 +++++++++ ...-Makefile-fix-issues-of-build-reprod.patch | 6 +- ...sas-use-unsigned-type-for-reply_queu.patch | 50 +++++ ...server-Avoid-long-error-message-asse.patch | 148 +++++++++++++++ qemu.changes | 59 ++++++ qemu.spec | 172 ++++++++++-------- qemu.spec.in | 2 +- s390x-Add-SIDA-memory-ops.patch | 2 +- ...x-Add-unpack-facility-feature-to-GA1.patch | 2 +- ...x-Move-diagnose-308-subcodes-and-rcs.patch | 2 +- s390x-protvirt-Add-migration-blocker.patch | 2 +- ...x-protvirt-Disable-address-checks-fo.patch | 2 +- ...x-protvirt-Handle-SIGP-store-status-.patch | 2 +- ...x-protvirt-Inhibit-balloon-when-swit.patch | 2 +- s390x-protvirt-KVM-intercept-changes.patch | 2 +- ...x-protvirt-Move-IO-control-structure.patch | 2 +- ...x-protvirt-Move-STSI-data-over-SIDAD.patch | 2 +- ...x-protvirt-Move-diag-308-data-over-S.patch | 2 +- s390x-protvirt-SCLP-interpretation.patch | 2 +- s390x-protvirt-Set-guest-IPL-PSW.patch | 2 +- s390x-protvirt-Support-unpack-facility.patch | 2 +- 
tests-Disable-some-block-tests-for-now.patch | 91 +-------- vga-fix-cirrus-bios.patch | 30 +++ ...-around-gcc10-problem-with-zero-leng.patch | 30 --- 40 files changed, 845 insertions(+), 371 deletions(-) delete mode 100644 Be-explicit-about-fcommon-compiler-direc.patch delete mode 100644 add-enum-cast-to-avoid-gcc10-warning.patch create mode 100644 ati-vga-check-mm_index-before-recursive-.patch create mode 100644 build-Be-explicit-about-fcommon-compiler.patch rename Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch => build-Do-not-apply-WORKAROUND_CFLAGS-for.patch (95%) rename Fix-s-directive-argument-is-null-error.patch => build-Fix-s-directive-argument-is-null-e.patch (95%) delete mode 100644 build-Work-around-gcc10-bug-by-not-using.patch rename Workaround-compilation-error-with-gcc-9..patch => build-Workaround-compilation-error-with-.patch (92%) create mode 100644 docs-fix-trace-docs-build-with-sphinx-3..patch create mode 100644 es1370-check-total-frame-count-against-c.patch create mode 100644 exec-set-map-length-to-zero-when-returni.patch create mode 100644 golan-Add-explicit-type-casts-for-nodnic.patch create mode 100644 hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch create mode 100644 intel-Avoid-spurious-compiler-warning-on.patch create mode 100644 megasas-use-unsigned-type-for-reply_queu.patch create mode 100644 nbd-server-Avoid-long-error-message-asse.patch create mode 100644 vga-fix-cirrus-bios.patch delete mode 100644 work-around-gcc10-problem-with-zero-leng.patch diff --git a/Be-explicit-about-fcommon-compiler-direc.patch b/Be-explicit-about-fcommon-compiler-direc.patch deleted file mode 100644 index c609d27d..00000000 --- a/Be-explicit-about-fcommon-compiler-direc.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From: Bruce Rogers -Date: Tue, 5 May 2020 10:09:47 -0600 -Subject: Be explicit about -fcommon compiler directive - -References: boo#1171140 - -gcc10 switched default behavior from -fcommon to -fno-common. Since -"__shared" relies on the legacy behavior, explicitly specify it. - -Signed-off-by: Bruce Rogers ---- - src/Makefile.housekeeping | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping -index 1ddbddd247d9929d63b1654d7206..3f091c7dc937fbdac6434d10aec7 100644 ---- a/roms/ipxe/src/Makefile.housekeeping -+++ b/roms/ipxe/src/Makefile.housekeeping -@@ -170,6 +170,16 @@ CFI_FLAGS := $(shell $(CFI_TEST) && \ - WORKAROUND_CFLAGS += $(CFI_FLAGS) - endif - -+# gcc 10 switched default behavior from -fcommon to -fno-common. Since -+# "__shared" relies on the legacy behavior, explicitly specify it. -+# -+ifeq ($(CCTYPE),gcc) -+FCOMMON_TEST = $(CC) -fcommon -x c -c /dev/null \ -+ -o /dev/null >/dev/null 2>&1 -+FCOMMON_FLAGS := $(shell $(FCOMMON_TEST) && $(ECHO) '-fcommon') -+WORKAROUND_CFLAGS += $(FCOMMON_FLAGS) -+endif -+ - # gcc 4.6 generates spurious warnings if -Waddress is in force. - # Inhibit this. - # diff --git a/PPC-KVM-Disable-mmu-notifier-check.patch b/PPC-KVM-Disable-mmu-notifier-check.patch index 53a5ab12..54666a53 100644 --- a/PPC-KVM-Disable-mmu-notifier-check.patch +++ b/PPC-KVM-Disable-mmu-notifier-check.patch @@ -14,7 +14,7 @@ Signed-off-by: Bruce Rogers 1 file changed, 2 insertions(+) diff --git a/exec.c b/exec.c -index 2874bb508853d353bca3b9790e5d..76ac1f619b563c591f36f9601c15 100644 +index 2c419f327cf925ee55c46d111272..7adf108c66ed8912588cb83bc15e 100644 --- a/exec.c +++ b/exec.c @@ -2297,11 +2297,13 @@ RAMBlock *qemu_ram_alloc_from_fd(ram_addr_t size, MemoryRegion *mr, diff --git a/Sync-pv.patch b/Sync-pv.patch index a9f1934a..cb3e9c08 100644 --- a/Sync-pv.patch +++ b/Sync-pv.patch @@ -2,10 +2,10 @@ 
From: Janosch Frank Date: Tue, 25 Feb 2020 06:09:23 -0500 Subject: Sync pv +Git-commit: 6807f464961cfee1dd81c95e22ddd91fa352fcc4 References: bsc#1167075 Signed-off-by: Janosch Frank -(cherry picked from commit 6807f464961cfee1dd81c95e22ddd91fa352fcc4) Signed-off-by: Bruce Rogers --- linux-headers/linux/kvm.h | 45 +++++++++++++++++++++++++++++++++++++-- diff --git a/add-enum-cast-to-avoid-gcc10-warning.patch b/add-enum-cast-to-avoid-gcc10-warning.patch deleted file mode 100644 index 83fe702e..00000000 --- a/add-enum-cast-to-avoid-gcc10-warning.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From: Bruce Rogers -Date: Tue, 5 May 2020 13:33:49 -0600 -Subject: add enum cast to avoid gcc10 warning - -References: boo#1171139 - -Two enums are practically the same, and have been used interchangably -without problem. But gcc10 has flagged that usage as problematic. -Casting from one type to the other clears use the warning, and adds some -clarity that this is intentional usage. - -Signed-off-by: Bruce Rogers ---- - src/drivers/infiniband/flexboot_nodnic.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c b/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c -index c13fcefc56866da67d701baa96b8..ac28949d3cca6b0c29a8a32165e7 100644 ---- a/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c -+++ b/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c -@@ -365,7 +365,7 @@ static int flexboot_nodnic_create_qp ( struct ib_device *ibdev, - goto qp_alloc_err; - } - -- status = nodnic_port_create_qp(&port->port_priv, qp->type, -+ status = nodnic_port_create_qp(&port->port_priv, (nodnic_queue_pair_type)qp->type, - qp->send.num_wqes * sizeof(struct nodnic_send_wqbb), - qp->send.num_wqes, - qp->recv.num_wqes * sizeof(struct nodnic_recv_wqe), -@@ -406,7 +406,7 @@ static void flexboot_nodnic_destroy_qp ( struct ib_device *ibdev, - struct flexboot_nodnic_port *port = &flexboot_nodnic->port[ibdev->port - 1]; - struct flexboot_nodnic_queue_pair *flexboot_nodnic_qp = ib_qp_get_drvdata ( qp ); - -- nodnic_port_destroy_qp(&port->port_priv, qp->type, -+ nodnic_port_destroy_qp(&port->port_priv, (nodnic_queue_pair_type)qp->type, - flexboot_nodnic_qp->nodnic_queue_pair); - - free(flexboot_nodnic_qp); diff --git a/ati-vga-check-mm_index-before-recursive-.patch b/ati-vga-check-mm_index-before-recursive-.patch new file mode 100644 index 00000000..7de8e720 --- /dev/null +++ b/ati-vga-check-mm_index-before-recursive-.patch 
@@ -0,0 +1,58 @@ +From: Prasad J Pandit +Date: Thu, 4 Jun 2020 14:38:30 +0530 +Subject: ati-vga: check mm_index before recursive call (CVE-2020-13800) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: a98610c429d52db0937c1e48659428929835c455 +References: bsc#1172495, CVE-2020-13800 + +While accessing VGA registers via ati_mm_read/write routines, +a guest may set 's->regs.mm_index' such that it leads to infinite +recursion. Check mm_index value to avoid such recursion. Log an +error message for wrong values. + +Reported-by: Ren Ding +Reported-by: Hanqing Zhao +Reported-by: Yi Ren +Message-id: 20200604090830.33885-1-ppandit@redhat.com +Suggested-by: BALATON Zoltan +Suggested-by: Philippe Mathieu-Daudé +Signed-off-by: Prasad J Pandit +Signed-off-by: Gerd Hoffmann +Signed-off-by: Bruce Rogers +--- + hw/display/ati.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/hw/display/ati.c b/hw/display/ati.c +index 58ec8291d4601b70720fa1484f88..9228f1b242bb7b141eb50a19e12b 100644 +--- a/hw/display/ati.c ++++ b/hw/display/ati.c +@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) + if (idx <= s->vga.vram_size - size) { + val = ldn_le_p(s->vga.vram_ptr + idx, size); + } +- } else { ++ } else if (s->regs.mm_index > MM_DATA + 3) { + val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); ++ } else { ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index); + } + break; + case BIOS_0_SCRATCH ... 
BUS_CNTL - 1: +@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr, + if (idx <= s->vga.vram_size - size) { + stn_le_p(s->vga.vram_ptr + idx, size, data); + } +- } else { ++ } else if (s->regs.mm_index > MM_DATA + 3) { + ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); ++ } else { ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index); + } + break; + case BIOS_0_SCRATCH ... BUS_CNTL - 1: diff --git a/build-Be-explicit-about-fcommon-compiler.patch b/build-Be-explicit-about-fcommon-compiler.patch new file mode 100644 index 00000000..3d831fd6 --- /dev/null +++ b/build-Be-explicit-about-fcommon-compiler.patch @@ -0,0 +1,29 @@ +From: Bruce Rogers +Date: Wed, 6 May 2020 15:03:02 -0600 +Subject: [build] Be explicit about -fcommon compiler directive + +Git-commit: 6260364cc4bfea9a78867da63be8d4bf50e4a561 +References: boo#1171140 + +gcc10 switched default behavior from -fcommon to -fno-common. Since +"__shared" relies on the legacy behavior, explicitly specify it. + +Signed-off-by: Bruce Rogers +Modified-by: Michael Brown +Signed-off-by: Michael Brown +--- + src/Makefile.housekeeping | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping +index 1b175b9508c0d20f169801f8763d..893bd20f1fd5cecf0e480dee05bd 100644 +--- a/roms/ipxe/src/Makefile.housekeeping ++++ b/roms/ipxe/src/Makefile.housekeeping +@@ -422,6 +422,7 @@ CFLAGS += -Os + CFLAGS += -g + ifeq ($(CCTYPE),gcc) + CFLAGS += -ffreestanding ++CFLAGS += -fcommon + CFLAGS += -Wall -W -Wformat-nonliteral + HOST_CFLAGS += -Wall -W -Wformat-nonliteral + endif diff --git a/Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch b/build-Do-not-apply-WORKAROUND_CFLAGS-for.patch similarity index 95% rename from Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch rename to build-Do-not-apply-WORKAROUND_CFLAGS-for.patch index 60c04309..af8f760c 100644 
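Review bot: The new `else if (s->regs.mm_index > MM_DATA + 3)` guard carries no comment saying why that bound is enough to stop the recursion, and the identical construct is repeated for ati_mm_write later in the hunk. A one-line comment at the first site would keep a later change from loosening it, e.g. `/* mm_index past the MM_DATA window means the recursive access cannot hit MM_DATA again, so depth is bounded at one */`. That reasoning presumes `addr - MM_DATA` stays inside the 4-byte window on this case, which the hunk does not show. Both ati_mm_read and ati_mm_write start and end outside the hunk.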
--- a/Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch +++ b/build-Do-not-apply-WORKAROUND_CFLAGS-for.patch @@ -1,6 +1,6 @@ From: Michael Brown Date: Mon, 22 Jul 2019 14:51:28 +0100 -Subject: Do not apply WORKAROUND_CFLAGS for host compiler +Subject: [build] Do not apply WORKAROUND_CFLAGS for host compiler Git-commit: a4f8c6e31f6c62522cfc633bbbffa81b22f9d6f3 Include-If: %ifarch aarch64 @@ -29,7 +29,7 @@ Signed-off-by: Bruce Rogers 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping -index e5f6927de889167d286ccfcdda92..1ddbddd247d9929d63b1654d7206 100644 +index 4b09e81f0b1eb82e79f6af11986d..1b175b9508c0d20f169801f8763d 100644 --- a/roms/ipxe/src/Makefile.housekeeping +++ b/roms/ipxe/src/Makefile.housekeeping @@ -454,7 +454,7 @@ endif diff --git a/Fix-s-directive-argument-is-null-error.patch b/build-Fix-s-directive-argument-is-null-e.patch similarity index 95% rename from Fix-s-directive-argument-is-null-error.patch rename to build-Fix-s-directive-argument-is-null-e.patch index 712d17f1..c17deaad 100644 --- a/Fix-s-directive-argument-is-null-error.patch +++ b/build-Fix-s-directive-argument-is-null-e.patch @@ -1,6 +1,6 @@ From: Valentine Barshak Date: Sun, 9 Jun 2019 13:30:11 +0300 -Subject: Fix "'%s' directive argument is null" error +Subject: [build] Fix "'%s' directive argument is null" error Git-commit: 412acd7854de10e7194f362a6b1a3257a17974f7 References: bsc#1121464 diff --git a/build-Work-around-gcc10-bug-by-not-using.patch b/build-Work-around-gcc10-bug-by-not-using.patch deleted file mode 100644 index a4edbfb4..00000000 --- a/build-Work-around-gcc10-bug-by-not-using.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From: Bruce Rogers -Date: Mon, 1 Jun 2020 14:48:23 -0600 -Subject: build: Work around gcc10 bug by not using char type in triggering - code - -References: boo#1172411 - -It appears we are bumping into a bug in the gcc10 compiler where it gets -it wrong in deciding that we're beyond the end of an array, in this case -because of some detection wrt the char type. Change to non-char type to -work around this issue. As near as I can tell, this isn't introducing -any behavioral changes or another bug. (see for eg: -https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92955 ) - -Here is the error reported: -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c: In function 'reset_tlb_mmu_ways56.constprop.isra': -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 377 | entry[6][ei].asid = 1; -[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~ -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 378 | entry[6][ei].attr = 3; -[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~ -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 377 | entry[6][ei].asid = 1; -[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~ -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 378 | entry[6][ei].attr = 3; -[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~ -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 377 | entry[6][ei].asid = 1; -[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~ -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: 
error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 378 | entry[6][ei].attr = 3; -[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~ -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 377 | entry[6][ei].asid = 1; -[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~ -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 378 | entry[6][ei].attr = 3; -[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~ -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 377 | entry[6][ei].asid = 1; -[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~ -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 378 | entry[6][ei].attr = 3; -[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~ -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 377 | entry[6][ei].asid = 1; -[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~ -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 378 | entry[6][ei].attr = 3; -[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~ -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 377 | entry[6][ei].asid = 1; -[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~ -[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] -[ 2046s] 378 | entry[6][ei].attr = 3; - -Signed-off-by: 
Bruce Rogers ---- - target/xtensa/cpu.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/target/xtensa/cpu.h b/target/xtensa/cpu.h -index 7a46dccbe11b05e9565192b9e242..fc039349623057083541c160270f 100644 ---- a/target/xtensa/cpu.h -+++ b/target/xtensa/cpu.h -@@ -309,8 +309,8 @@ struct CPUXtensaState; - typedef struct xtensa_tlb_entry { - uint32_t vaddr; - uint32_t paddr; -- uint8_t asid; -- uint8_t attr; -+ uint32_t asid; -+ uint32_t attr; - bool variable; - } xtensa_tlb_entry; - diff --git a/Workaround-compilation-error-with-gcc-9..patch b/build-Workaround-compilation-error-with-.patch similarity index 92% rename from Workaround-compilation-error-with-gcc-9..patch rename to build-Workaround-compilation-error-with-.patch index 0d4fab6e..4154c05f 100644 --- a/Workaround-compilation-error-with-gcc-9..patch +++ b/build-Workaround-compilation-error-with-.patch @@ -1,7 +1,8 @@ From: Valentine Barshak Date: Mon, 22 Jul 2019 10:47:50 +0100 -Subject: Workaround compilation error with gcc 9.1 +Subject: [build] Workaround compilation error with gcc 9.1 +Git-commit: 1dd56dbd11082fb622c2ed21cfaced4f47d798a6 References: bsc#1121464 Compiling with gcc 9.1 generates lots of "taking address of packed @@ -32,7 +33,7 @@ Signed-off-by: Bruce Rogers 1 file changed, 9 insertions(+) diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping -index 97fa325bb52314e05192d0414436..e5f6927de889167d286ccfcdda92 100644 +index f8334921b8b93cbd03f0a0de9910..4b09e81f0b1eb82e79f6af11986d 100644 --- a/roms/ipxe/src/Makefile.housekeeping +++ b/roms/ipxe/src/Makefile.housekeeping @@ -185,6 +185,15 @@ WNST_TEST = $(CC) -Wstringop-truncation -x c -c /dev/null -o /dev/null \ diff --git a/bundles.tar.xz b/bundles.tar.xz index 3a79d8ee..f43dc7d7 100644 --- a/bundles.tar.xz +++ b/bundles.tar.xz 
@@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:6a979bc525329c87dc152af9613a1d7bc00c0bb3a9f0deb477a4e70d2a833d94 -size 53172 +oid sha256:a3100e9fea5e800afc25cff3f405b4645ba98f79cf6ff36e27f120a33c1e8ffc +size 58452 diff --git a/docs-fix-trace-docs-build-with-sphinx-3..patch b/docs-fix-trace-docs-build-with-sphinx-3..patch new file mode 100644 index 00000000..338eca5a --- /dev/null +++ b/docs-fix-trace-docs-build-with-sphinx-3..patch 
@@ -0,0 +1,61 @@ +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 14 Jul 2020 17:26:59 +0100 +Subject: docs: fix trace docs build with sphinx 3.1.1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 0000000000000000000000000000000000000000 + +In Fedora 33 rawhide, we now have sphinx 3.1.1, as opposed +to previous 2.2.2. This new version generates a warning on +the source: + +docs/qemu-option-trace.rst.inc:4:Malformed option description + '[enable=]PATTERN', should look like "opt", "-opt args", + "--opt args", "/opt args" or "+opt args" + +This turns into an error when QEMU passes -W to sphinx-build + +Strangely the previous 2.2.2 code has the exact same logic +for checking the syntax, but it is not being triggered. While +it is only complaining about the first option, I changed all +the options to give consistency. + +Signed-off-by: Daniel P. Berrangé +Signed-off-by: Bruce Rogers +--- + docs/qemu-option-trace.rst.inc | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/docs/qemu-option-trace.rst.inc b/docs/qemu-option-trace.rst.inc +index 7e09773a9c518f6a47e9262b66c6..e79b0b43fcb3f5a05ad281109e6f 100644 +--- a/docs/qemu-option-trace.rst.inc ++++ b/docs/qemu-option-trace.rst.inc +@@ -1,7 +1,7 @@ + + Specify tracing options. + +-.. option:: [enable=]PATTERN ++.. option:: -trace [enable=]PATTERN + + Immediately enable events matching *PATTERN* + (either event name or a globbing pattern). This option is only +@@ -11,7 +11,7 @@ Specify tracing options. + + Use :option:`-trace help` to print a list of names of trace points. + +-.. option:: events=FILE ++.. option:: -trace events=FILE + + Immediately enable events listed in *FILE*. + The file must contain one event name (as listed in the ``trace-events-all`` +@@ -19,7 +19,7 @@ Specify tracing options. + available if QEMU has been compiled with the ``simple``, ``log`` or + ``ftrace`` tracing backend. + +-.. option:: file=FILE ++.. 
option:: -trace file=FILE + + Log output traces to *FILE*. + This option is only available if QEMU has been compiled with diff --git a/es1370-check-total-frame-count-against-c.patch b/es1370-check-total-frame-count-against-c.patch new file mode 100644 index 00000000..150ed715 --- /dev/null +++ b/es1370-check-total-frame-count-against-c.patch 
@@ -0,0 +1,60 @@ +From: Prasad J Pandit +Date: Fri, 15 May 2020 01:36:08 +0530 +Subject: es1370: check total frame count against current frame + +Git-commit: 369ff955a8497988d079c4e3fa1e93c2570c1c69 +References: bsc#1172384, CVE-2020-13361 + +A guest user may set channel frame count via es1370_write() +such that, in es1370_transfer_audio(), total frame count +'size' is lesser than the number of frames that are processed +'cnt'. + + int cnt = d->frame_cnt >> 16; + int size = d->frame_cnt & 0xffff; + +if (size < cnt), it results in incorrect calculations leading +to OOB access issue(s). Add check to avoid it. + +Reported-by: Ren Ding +Reported-by: Hanqing Zhao +Signed-off-by: Prasad J Pandit +Message-id: 20200514200608.1744203-1-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Bruce Rogers +--- + hw/audio/es1370.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c +index 89c4dabcd44fb2d7782e3cabc51d..5f8a83ff56241d94347c1e51419e 100644 +--- a/hw/audio/es1370.c ++++ b/hw/audio/es1370.c +@@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, + int csc_bytes = (csc + 1) << d->shift; + int cnt = d->frame_cnt >> 16; + int size = d->frame_cnt & 0xffff; ++ if (size < cnt) { ++ return; ++ } + int left = ((size - cnt + 1) << 2) + d->leftover; + int transferred = 0; + int temp = MIN (max, MIN (left, csc_bytes)); +@@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, + addr += (cnt << 2) + d->leftover; + + if (index == ADC_CHANNEL) { +- while (temp) { ++ while (temp > 0) { + int acquired, to_copy; + + to_copy = MIN ((size_t) temp, sizeof (tmpbuf)); +@@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, + else { + SWVoiceOut *voice = s->dac_voice[index]; + +- while (temp) { ++ while (temp > 0) { + int copied, to_copy; + + to_copy = MIN ((size_t) temp, sizeof 
(tmpbuf)); diff --git a/exec-set-map-length-to-zero-when-returni.patch b/exec-set-map-length-to-zero-when-returni.patch new file mode 100644 index 00000000..ba2d93fb --- /dev/null +++ b/exec-set-map-length-to-zero-when-returni.patch 
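Review bot: The early `if (size < cnt) { return; }` drops the transfer silently, although the inconsistent frame_cnt it rejects is guest-written register state and the ati-vga fix in this same commit reports its analogous condition with `qemu_log_mask(LOG_GUEST_ERROR, ...)`. Logging before the return would make a misbehaving guest visible to the host operator, for instance `qemu_log_mask(LOG_GUEST_ERROR, "es1370: current frame %d exceeds frame count %d\n", cnt, size);` (constructed message). A comment on the check would also help, since without it `(size - cnt + 1) << 2` on the next line left-shifts a negative value, which is undefined behaviour in C quite apart from the out-of-bounds access the commit message describes. es1370_transfer_audio starts and ends outside the hunk.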
@@ -0,0 +1,54 @@ +From: Prasad J Pandit +Date: Tue, 26 May 2020 16:47:43 +0530 +Subject: exec: set map length to zero when returning NULL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 +References: bsc#1172386, CVE-2020-13659 + +When mapping physical memory into host's virtual address space, +'address_space_map' may return NULL if BounceBuffer is in_use. +Set and return '*plen = 0' to avoid later NULL pointer dereference. + +Reported-by: Alexander Bulekov +Fixes: https://bugs.launchpad.net/qemu/+bug/1878259 +Suggested-by: Paolo Bonzini +Suggested-by: Peter Maydell +Signed-off-by: Prasad J Pandit +Message-Id: <20200526111743.428367-1-ppandit@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Paolo Bonzini +Signed-off-by: Bruce Rogers +--- + exec.c | 1 + + include/exec/memory.h | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/exec.c b/exec.c +index 2874bb508853d353bca3b9790e5d..2c419f327cf925ee55c46d111272 100644 +--- a/exec.c ++++ b/exec.c +@@ -3538,6 +3538,7 @@ void *address_space_map(AddressSpace *as, + + if (!memory_access_is_direct(mr, is_write)) { + if (atomic_xchg(&bounce.in_use, true)) { ++ *plen = 0; + return NULL; + } + /* Avoid unbounded allocations */ +diff --git a/include/exec/memory.h b/include/exec/memory.h +index e000bd2f97b2fce76a41f9b5d9f3..8fa2d3cab2d51e5328e28151c65c 100644 +--- a/include/exec/memory.h ++++ b/include/exec/memory.h +@@ -2303,7 +2303,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len, + /* address_space_map: map a physical memory region into a host virtual address + * + * May map a subset of the requested range, given by and returned in @plen. +- * May return %NULL if resources needed to perform the mapping are exhausted. ++ * May return %NULL and set *@plen to zero(0), if resources needed to perform ++ * the mapping are exhausted. 
+ * Use only for reads OR writes - not for read-modify-write operations. + * Use cpu_register_map_client() to know when retrying the map operation is + * likely to succeed. diff --git a/golan-Add-explicit-type-casts-for-nodnic.patch b/golan-Add-explicit-type-casts-for-nodnic.patch new file mode 100644 index 00000000..f92de54b --- /dev/null +++ b/golan-Add-explicit-type-casts-for-nodnic.patch 
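Review bot: The reworded contract `May return %NULL and set *@plen to zero(0), if resources needed to perform` reads awkwardly; `May return %NULL and set *@plen to 0 if resources needed to perform the mapping are exhausted.` says the same thing more plainly. More importantly, the promise only holds if every NULL-returning path in address_space_map leaves *plen at 0, and the hunk shows only the bounce-buffer path being fixed; any other early `return NULL` in the function (for example on a zero-length request, if such a path exists) should be checked against the same contract. address_space_map starts and ends outside the hunk.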
@@ -0,0 +1,43 @@ +From: Michael Brown +Date: Sat, 27 Jun 2020 20:43:32 +0100 +Subject: [golan] Add explicit type casts for nodnic_queue_pair_type + +Git-commit: 8a1d66c7aec020f3e90254ed2fa55ecd9494fcc3 +References: boo#1171139 + +GCC 10 emits warnings for implicit conversions of enumerated types. + +The flexboot_nodnic code defines nodnic_queue_pair_type with values +identical to those of ib_queue_pair_type, and implicitly casts between +them. Add an explicit cast to fix the warning. + +Signed-off-by: Michael Brown +Signed-off-by: Bruce Rogers +--- + src/drivers/infiniband/flexboot_nodnic.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c b/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c +index c13fcefc56866da67d701baa96b8..4463bb78458cbeadd962ed7909ef 100644 +--- a/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c ++++ b/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c +@@ -365,7 +365,8 @@ static int flexboot_nodnic_create_qp ( struct ib_device *ibdev, + goto qp_alloc_err; + } + +- status = nodnic_port_create_qp(&port->port_priv, qp->type, ++ status = nodnic_port_create_qp(&port->port_priv, ++ (nodnic_queue_pair_type) qp->type, + qp->send.num_wqes * sizeof(struct nodnic_send_wqbb), + qp->send.num_wqes, + qp->recv.num_wqes * sizeof(struct nodnic_recv_wqe), +@@ -406,7 +407,8 @@ static void flexboot_nodnic_destroy_qp ( struct ib_device *ibdev, + struct flexboot_nodnic_port *port = &flexboot_nodnic->port[ibdev->port - 1]; + struct flexboot_nodnic_queue_pair *flexboot_nodnic_qp = ib_qp_get_drvdata ( qp ); + +- nodnic_port_destroy_qp(&port->port_priv, qp->type, ++ nodnic_port_destroy_qp(&port->port_priv, ++ (nodnic_queue_pair_type) qp->type, + flexboot_nodnic_qp->nodnic_queue_pair); + + free(flexboot_nodnic_qp); diff --git a/hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch b/hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch new file mode 100644 index 00000000..8cc01895 --- /dev/null 
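Review bot: The added `(nodnic_queue_pair_type) qp->type` casts in flexboot_nodnic_create_qp and flexboot_nodnic_destroy_qp depend on nodnic_queue_pair_type and ib_queue_pair_type having value-for-value identical enumerators, as the commit message states, but nothing in the code records or enforces that. A comment at the first cast, e.g. `/* nodnic_queue_pair_type mirrors ib_queue_pair_type value for value */`, or a compile-time assertion if the tree provides one, would stop a future addition to one enum from being silently miscast. Both functions start and end outside the hunk.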
+++ b/hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch @@ -0,0 +1,36 @@ +From: Thomas Huth +Date: Thu, 11 Jun 2020 11:36:40 -0600 +Subject: hw/vfio/pci-quirks: Fix broken legacy IGD passthrough +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Git-commit: 643a4eacef87a318cf71800a4fb2ae1f78c4b245 + +The #ifdef CONFIG_VFIO_IGD in pci-quirks.c is not working since the +required header config-devices.h is not included, so that the legacy +IGD passthrough is currently broken. Let's include the right header +to fix this issue. + +Buglink: https://bugs.launchpad.net/qemu/+bug/1882784 +Fixes: 29d62771c81d ("hw/vfio: Move the IGD quirk code to a separate file") +Signed-off-by: Thomas Huth +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Alex Williamson +Signed-off-by: Bruce Rogers +--- + hw/vfio/pci-quirks.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c +index 2d348f8237fa6a8e7aac10a4a920..656098b827c69f04ac1d6e2ff227 100644 +--- a/hw/vfio/pci-quirks.c ++++ b/hw/vfio/pci-quirks.c +@@ -11,6 +11,7 @@ + */ + + #include "qemu/osdep.h" ++#include "config-devices.h" + #include "exec/memop.h" + #include "qemu/units.h" + #include "qemu/error-report.h" diff --git a/intel-Avoid-spurious-compiler-warning-on.patch b/intel-Avoid-spurious-compiler-warning-on.patch new file mode 100644 index 00000000..51f175c6 --- /dev/null +++ b/intel-Avoid-spurious-compiler-warning-on.patch 
@@ -0,0 +1,89 @@
+From: Michael Brown
+Date: Sat, 27 Jun 2020 20:21:11 +0100
+Subject: [intel] Avoid spurious compiler warning on GCC 10
+
+Git-commit: 28cf9806d1632d378485005babec295da0c77fcf
+References: boo#1171123
+`
+GCC 10 produces a spurious warning about an out-of-bounds array access
+for the unsized raw dword array in union intelvf_msg.
+
+Avoid the warning by embedding the zero-length array within a struct.
+
+Signed-off-by: Michael Brown
+Signed-off-by: Bruce Rogers
+---
+ src/drivers/net/intelvf.c | 18 ++++++++++--------
+ src/drivers/net/intelvf.h | 8 +++++++-
+ 2 files changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/roms/ipxe/src/drivers/net/intelvf.c b/roms/ipxe/src/drivers/net/intelvf.c
+index ac6fea745457863544edf6658138..0d48b4178cb5aa0542ba7c507d04 100644
+--- a/roms/ipxe/src/drivers/net/intelvf.c
++++ b/roms/ipxe/src/drivers/net/intelvf.c
+@@ -52,14 +52,15 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
+ */
+ static void intelvf_mbox_write ( struct intel_nic *intel,
+ const union intelvf_msg *msg ) {
++ const struct intelvf_msg_raw *raw = &msg->raw;
+ unsigned int i;
+
+ /* Write message */
+ DBGC2 ( intel, "INTEL %p sending message", intel );
+- for ( i = 0 ; i < ( sizeof ( *msg ) / sizeof ( msg->dword[0] ) ) ; i++){
+- DBGC2 ( intel, "%c%08x", ( i ? ':' : ' ' ), msg->dword[i] );
+- writel ( msg->dword[i], ( intel->regs + intel->mbox.mem +
+- ( i * sizeof ( msg->dword[0] ) ) ) );
++ for ( i = 0 ; i < ( sizeof ( *msg ) / sizeof ( raw->dword[0] ) ) ; i++){
++ DBGC2 ( intel, "%c%08x", ( i ? ':' : ' ' ), raw->dword[i] );
++ writel ( raw->dword[i], ( intel->regs + intel->mbox.mem +
++ ( i * sizeof ( raw->dword[0] ) ) ) );
+ }
+ DBGC2 ( intel, "\n" );
+ }
+@@ -72,14 +73,15 @@ static void intelvf_mbox_write ( struct intel_nic *intel,
+ */
+ static void intelvf_mbox_read ( struct intel_nic *intel,
+ union intelvf_msg *msg ) {
++ struct intelvf_msg_raw *raw = &msg->raw;
+ unsigned int i;
+
+ /* Read message */
+ DBGC2 ( intel, "INTEL %p received message", intel );
+- for ( i = 0 ; i < ( sizeof ( *msg ) / sizeof ( msg->dword[0] ) ) ; i++){
+- msg->dword[i] = readl ( intel->regs + intel->mbox.mem +
+- ( i * sizeof ( msg->dword[0] ) ) );
+- DBGC2 ( intel, "%c%08x", ( i ? ':' : ' ' ), msg->dword[i] );
++ for ( i = 0 ; i < ( sizeof ( *msg ) / sizeof ( raw->dword[0] ) ) ; i++){
++ raw->dword[i] = readl ( intel->regs + intel->mbox.mem +
++ ( i * sizeof ( raw->dword[0] ) ) );
++ DBGC2 ( intel, "%c%08x", ( i ? ':' : ' ' ), raw->dword[i] );
+ }
+ DBGC2 ( intel, "\n" );
+ }
+diff --git a/roms/ipxe/src/drivers/net/intelvf.h b/roms/ipxe/src/drivers/net/intelvf.h
+index ab404698fe6de9f48370931fdf56..ffb18e04052f1b4a6fe406f5062c 100644
+--- a/roms/ipxe/src/drivers/net/intelvf.h
++++ b/roms/ipxe/src/drivers/net/intelvf.h
+@@ -119,6 +119,12 @@ struct intelvf_msg_queues {
+ uint32_t dflt;
+ } __attribute__ (( packed ));
+
++/** Raw mailbox message */
++struct intelvf_msg_raw {
++ /** Raw dwords */
++ uint32_t dword[0];
++} __attribute__ (( packed ));
++
+ /** Mailbox message */
+ union intelvf_msg {
+ /** Message header */
+@@ -132,7 +138,7 @@ union intelvf_msg {
+ /** Queue configuration message */
+ struct intelvf_msg_queues queues;
+ /** Raw dwords */
+- uint32_t dword[0];
++ struct intelvf_msg_raw raw;
+ };
+
+ /** Maximum time to wait for mailbox message
diff --git a/ipxe-Makefile-fix-issues-of-build-reprod.patch b/ipxe-Makefile-fix-issues-of-build-reprod.patch
index 48f3c756..6e9962f3 100644
--- a/ipxe-Makefile-fix-issues-of-build-reprod.patch
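Review bot: The new `struct intelvf_msg_raw` contains only `uint32_t dword[0];`, a zero-length array (a GNU extension whose sizeof is 0), and its header comment `/** Raw mailbox message */` does not say why the wrapper exists — only the commit message does. Suggest expanding the comment to `/** Raw mailbox message (wrapper struct: a zero-length array placed directly in the union makes GCC 10 report a spurious out-of-bounds access) */` so the indirection is not "simplified" away later. The loops in intelvf_mbox_write and intelvf_mbox_read still bound on `sizeof ( *msg )`, so the iteration count is unchanged and the raw view is presumably meant to cover the whole union; a one-line comment at the first loop stating that would make the intent explicit.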
+++ b/ipxe-Makefile-fix-issues-of-build-reprod.patch @@ -14,10 +14,10 @@ Signed-off-by: Bruce Rogers 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping -index f8334921b8b93cbd03f0a0de9910..97fa325bb52314e05192d0414436 100644 +index 893bd20f1fd5cecf0e480dee05bd..9c33cc08c4db1bbd0f9966924fce 100644 --- a/roms/ipxe/src/Makefile.housekeeping +++ b/roms/ipxe/src/Makefile.housekeeping -@@ -1162,11 +1162,18 @@ blib : $(BLIB) +@@ -1172,11 +1172,18 @@ blib : $(BLIB) # Command to generate build ID. Must be unique for each $(BIN)/%.tmp, # even within the same build run. # @@ -38,7 +38,7 @@ index f8334921b8b93cbd03f0a0de9910..97fa325bb52314e05192d0414436 100644 # Build version # -@@ -1186,7 +1193,7 @@ $(BIN)/version.%.o : core/version.c $(MAKEDEPS) $(GIT_INDEX) +@@ -1196,7 +1203,7 @@ $(BIN)/version.%.o : core/version.c $(MAKEDEPS) $(GIT_INDEX) $(BIN)/%.tmp : $(BIN)/version.%.o $(BLIB) $(MAKEDEPS) $(LDSCRIPT) $(QM)$(ECHO) " [LD] $@" $(Q)$(LD) $(LDFLAGS) -T $(LDSCRIPT) $(TGT_LD_FLAGS) $< $(BLIB) -o $@ \ diff --git a/megasas-use-unsigned-type-for-reply_queu.patch b/megasas-use-unsigned-type-for-reply_queu.patch new file mode 100644 index 00000000..272ebc68 --- /dev/null +++ b/megasas-use-unsigned-type-for-reply_queu.patch 
@@ -0,0 +1,50 @@
+From: Prasad J Pandit
+Date: Thu, 14 May 2020 00:55:38 +0530
+Subject: megasas: use unsigned type for reply_queue_head and check index
+
+Git-commit: f50ab86a2620bd7e8507af865b164655ee921661
+References: bsc#1172383, CVE-2020-13362
+
+A guest user may set 'reply_queue_head' field of MegasasState to
+a negative value. Later in 'megasas_lookup_frame' it is used to
+index into s->frames[] array. Use unsigned type to avoid OOB
+access issue.
+
+Also check that 'index' value stays within s->frames[] bounds
+through the while() loop in 'megasas_lookup_frame' to avoid OOB
+access.
+
+Reported-by: Ren Ding
+Reported-by: Hanqing Zhao
+Reported-by: Alexander Bulekov
+Signed-off-by: Prasad J Pandit
+Acked-by: Alexander Bulekov
+Message-Id: <20200513192540.1583887-2-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Bruce Rogers
+---
+ hw/scsi/megasas.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index af18c88b656e7f5fa299c5f0dda1..6ce598cd6908b5223470b506c481 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -112,7 +112,7 @@ typedef struct MegasasState {
+ uint64_t reply_queue_pa;
+ void *reply_queue;
+ int reply_queue_len;
+- int reply_queue_head;
++ uint16_t reply_queue_head;
+ int reply_queue_tail;
+ uint64_t consumer_pa;
+ uint64_t producer_pa;
+@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s,
+
+ index = s->reply_queue_head;
+
+- while (num < s->fw_cmds) {
++ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) {
+ if (s->frames[index].pa && s->frames[index].pa == frame) {
+ cmd = &s->frames[index];
+ break;
diff --git a/nbd-server-Avoid-long-error-message-asse.patch b/nbd-server-Avoid-long-error-message-asse.patch
new file mode 100644
index 00000000..6f194a81
--- /dev/null
+++ b/nbd-server-Avoid-long-error-message-asse.patch
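Review bot: Narrowing `reply_queue_head` to `uint16_t` changes the size of a MegasasState field; if the device's vmstate description (outside the hunk) still records this field with a 32-bit macro, the migration stream layout no longer matches the struct and needs re-checking alongside this fix. On the very next line `reply_queue_tail` stays `int`, so any guest-influenced path that uses it as an index presumably keeps the signedness exposure the commit closes for the head — worth confirming. The added bound `index < MEGASAS_MAX_FRAMES` in megasas_lookup_frame assumes `s->frames` is dimensioned by that constant; a comment at the check, `/* index is guest-derived; keep it inside s->frames[] */`, would record the invariant. The body of megasas_lookup_frame continues outside the hunk, where index is presumably advanced.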
@@ -0,0 +1,148 @@
+From: Eric Blake
+Date: Mon, 8 Jun 2020 13:26:37 -0500
+Subject: nbd/server: Avoid long error message assertions CVE-2020-10761
+
+Git-commit: 5c4fe018c025740fef4a0a4421e8162db0c3eefd
+References: bsc#1172710, CVE-2020-10761
+
+Ever since commit 36683283 (v2.8), the server code asserts that error
+strings sent to the client are well-formed per the protocol by not
+exceeding the maximum string length of 4096. At the time the server
+first started sending error messages, the assertion could not be
+triggered, because messages were completely under our control.
+However, over the years, we have added latent scenarios where a client
+could trigger the server to attempt an error message that would
+include the client's information if it passed other checks first:
+
+- requesting NBD_OPT_INFO/GO on an export name that is not present
+ (commit 0cfae925 in v2.12 echoes the name)
+
+- requesting NBD_OPT_LIST/SET_META_CONTEXT on an export name that is
+ not present (commit e7b1948d in v2.12 echoes the name)
+
+At the time, those were still safe because we flagged names larger
+than 256 bytes with a different message; but that changed in commit
+93676c88 (v4.2) when we raised the name limit to 4096 to match the NBD
+string limit. (That commit also failed to change the magic number
+4096 in nbd_negotiate_send_rep_err to the just-introduced named
+constant.) So with that commit, long client names appended to server
+text can now trigger the assertion, and thus be used as a denial of
+service attack against a server. As a mitigating factor, if the
+server requires TLS, the client cannot trigger the problematic paths
+unless it first supplies TLS credentials, and such trusted clients are
+less likely to try to intentionally crash the server.
+
+We may later want to further sanitize the user-supplied strings we
+place into our error messages, such as scrubbing out control
+characters, but that is less important to the CVE fix, so it can be a
+later patch to the new nbd_sanitize_name.
+
+Consideration was given to changing the assertion in
+nbd_negotiate_send_rep_verr to instead merely log a server error and
+truncate the message, to avoid leaving a latent path that could
+trigger a future CVE DoS on any new error message. However, this
+merely complicates the code for something that is already (correctly)
+flagging coding errors, and now that we are aware of the long message
+pitfall, we are less likely to introduce such errors in the future,
+which would make such error handling dead code.
+
+Reported-by: Xueqiang Wei
+CC: qemu-stable@nongnu.org
+Fixes: https://bugzilla.redhat.com/1843684 CVE-2020-10761
+Fixes: 93676c88d7
+Signed-off-by: Eric Blake
+Message-Id: <20200610163741.3745251-2-eblake@redhat.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy
+Signed-off-by: Bruce Rogers
+---
+ nbd/server.c | 23 ++++++++++++++++++++---
+ tests/qemu-iotests/143 | 4 ++++
+ tests/qemu-iotests/143.out | 2 ++
+ 3 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/nbd/server.c b/nbd/server.c
+index 02b1ed080145b3f99979887d4268..20754e9ebc3c1342692c99e7a99f 100644
+--- a/nbd/server.c
++++ b/nbd/server.c
+@@ -217,7 +217,7 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type,
+
+ msg = g_strdup_vprintf(fmt, va);
+ len = strlen(msg);
+- assert(len < 4096);
++ assert(len < NBD_MAX_STRING_SIZE);
+ trace_nbd_negotiate_send_rep_err(msg);
+ ret = nbd_negotiate_send_rep_len(client, type, len, errp);
+ if (ret < 0) {
+@@ -231,6 +231,19 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type,
+ return 0;
+ }
+
++/*
++ * Return a malloc'd copy of @name suitable for use in an error reply.
++ */
++static char *
++nbd_sanitize_name(const char *name)
++{
++ if (strnlen(name, 80) < 80) {
++ return g_strdup(name);
++ }
++ /* XXX Should we also try to sanitize any control characters? */
++ return g_strdup_printf("%.80s...", name);
++}
++
+ /* Send an error reply.
+ * Return -errno on error, 0 on success. */
+ static int GCC_FMT_ATTR(4, 5)
+@@ -595,9 +608,11 @@ static int nbd_negotiate_handle_info(NBDClient *client, Error **errp)
+
+ exp = nbd_export_find(name);
+ if (!exp) {
++ g_autofree char *sane_name = nbd_sanitize_name(name);
++
+ return nbd_negotiate_send_rep_err(client, NBD_REP_ERR_UNKNOWN,
+ errp, "export '%s' not present",
+- name);
++ sane_name);
+ }
+
+ /* Don't bother sending NBD_INFO_NAME unless client requested it */
+@@ -995,8 +1010,10 @@ static int nbd_negotiate_meta_queries(NBDClient *client,
+
+ meta->exp = nbd_export_find(export_name);
+ if (meta->exp == NULL) {
++ g_autofree char *sane_name = nbd_sanitize_name(export_name);
++
+ return nbd_opt_drop(client, NBD_REP_ERR_UNKNOWN, errp,
+- "export '%s' not present", export_name);
++ "export '%s' not present", sane_name);
+ }
+
+ ret = nbd_opt_read(client, &nb_queries, sizeof(nb_queries), errp);
+diff --git a/tests/qemu-iotests/143 b/tests/qemu-iotests/143
+index f649b36195011e9b0f19e4b51a8d..d2349903b1b5fa1b48ffc3e7a00d 100755
+--- a/tests/qemu-iotests/143
++++ b/tests/qemu-iotests/143
+@@ -58,6 +58,10 @@ _send_qemu_cmd $QEMU_HANDLE \
+ $QEMU_IO_PROG -f raw -c quit \
+ "nbd+unix:///no_such_export?socket=$SOCK_DIR/nbd" 2>&1 \
+ | _filter_qemu_io | _filter_nbd
++# Likewise, with longest possible name permitted in NBD protocol
++$QEMU_IO_PROG -f raw -c quit \
++ "nbd+unix:///$(printf %4096d 1 | tr ' ' a)?socket=$SOCK_DIR/nbd" 2>&1 \
++ | _filter_qemu_io | _filter_nbd | sed 's/aaaa*aa/aa--aa/'
+
+ _send_qemu_cmd $QEMU_HANDLE \
+ "{ 'execute': 'quit' }" \
+diff --git a/tests/qemu-iotests/143.out b/tests/qemu-iotests/143.out
+index 1f4001c6013137a13d90f64b4f86..fc9c0a761fa107a5c800d27af843 100644
+--- a/tests/qemu-iotests/143.out
++++ b/tests/qemu-iotests/143.out
+@@ -5,6 +5,8 @@ QA output created by 143
+ {"return": {}}
+ qemu-io: can't open device nbd+unix:///no_such_export?socket=SOCK_DIR/nbd: Requested export not available
+ server reported: export 'no_such_export' not present
++qemu-io: can't open device nbd+unix:///aa--aa1?socket=SOCK_DIR/nbd: Requested export not available
++server reported: export 'aa--aa...' not present
+ { 'execute': 'quit' }
+ {"return": {}}
+ {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
diff --git a/qemu.changes b/qemu.changes
index 02cd457c..f8f607ba 100644
--- a/qemu.changes
+++ b/qemu.changes
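Review bot: `nbd_sanitize_name` truncates byte-wise with `strnlen(name, 80)` and `"%.80s..."`, so a client-supplied export name holding multi-byte UTF-8 can be cut mid-sequence, and the `XXX` comment already concedes that control characters in that name pass straight through into the reply and into trace_nbd_negotiate_send_rep_err. The docblock should state both limits, e.g. `Return a malloc'd copy of @name, truncated to 80 bytes (may split a multi-byte sequence; control characters are not scrubbed), suitable for use in an error reply.` The literal 80 appears three times in the function; a named constant such as `NBD_SANE_NAME_LEN` (constructed name) would keep the strnlen bound and the format width in step. The callers in nbd_negotiate_handle_info and nbd_negotiate_meta_queries begin and end outside their hunks.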
@@ -1,3 +1,62 @@ +------------------------------------------------------------------- +Tue Jul 21 15:58:10 UTC 2020 - Bruce Rogers + +- Updating to Sphinx v3.1.2 in Factory is exposing an issue in + qemu doc sources. Fix it + docs-fix-trace-docs-build-with-sphinx-3..patch + +------------------------------------------------------------------- +Wed Jul 8 23:00:21 UTC 2020 - Bruce Rogers + +- Fix DoS possibility in ati-vga emulation (CVE-2020-13800 + bsc#1172495) + ati-vga-check-mm_index-before-recursive-.patch +- Fix DoS possibility in Network Block Device (nbd) support + infrastructure (CVE-2020-10761 bsc#1172710) + nbd-server-Avoid-long-error-message-asse.patch +- Fix null pointer dereference possibility (DoS) in MegaRAID SAS + 8708EM2 emulation (CVE-2020-13659 bsc#1172386) + exec-set-map-length-to-zero-when-returni.patch +- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation + (CVE-2020-13362 bsc#1172383) + megasas-use-unsigned-type-for-reply_queu.patch +- Fix legacy IGD passthrough + hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch + +------------------------------------------------------------------- +Wed Jul 1 00:10:43 UTC 2020 - Bruce Rogers + +- The latest gcc10 available in Factory has the fix for the + issue this patch was created to avoid, so drop it + build-Work-around-gcc10-bug-by-not-using.patch + +------------------------------------------------------------------- +Sun Jun 28 16:25:32 UTC 2020 - Bruce Rogers + +- Switch to upstream versions of some patches we carry + add-enum-cast-to-avoid-gcc10-warning.patch + -> golan-Add-explicit-type-casts-for-nodnic.patch + Be-explicit-about-fcommon-compiler-direc.patch + -> build-Be-explicit-about-fcommon-compiler.patch + Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch + -> build-Do-not-apply-WORKAROUND_CFLAGS-for.patch + Fix-s-directive-argument-is-null-error.patch + -> build-Fix-s-directive-argument-is-null-e.patch + Workaround-compilation-error-with-gcc-9..patch + -> 
build-Workaround-compilation-error-with-.patch + work-around-gcc10-problem-with-zero-leng.patch + -> intel-Avoid-spurious-compiler-warning-on.patch +- Fix vgabios issue for cirrus graphics emulation, which + effectively downgraded it to standard VGA behavior + vga-fix-cirrus-bios.patch + +------------------------------------------------------------------- +Fri Jun 12 16:14:07 UTC 2020 - Bruce Rogers + +- Fix OOB access possibility in ES1370 audio device emulation + (CVE-2020-13361 bsc#1172384) + es1370-check-total-frame-count-against-c.patch + ------------------------------------------------------------------- Tue Jun 2 17:22:57 UTC 2020 - Bruce Rogers diff --git a/qemu.spec b/qemu.spec index cdd866ac..3a09ba78 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -127,82 +127,89 @@ Source303: README.PACKAGING # This patch queue is auto-generated - see README.PACKAGING for process # Patches applied in base project: -Patch00000: virtiofsd-add-rlimit-nofile-NUM-option.patch -Patch00001: virtiofsd-stay-below-fs.file-max-sysctl-.patch -Patch00002: audio-fix-wavcapture-segfault.patch -Patch00003: XXX-dont-dump-core-on-sigabort.patch -Patch00004: qemu-binfmt-conf-Modify-default-path.patch -Patch00005: qemu-cvs-gettimeofday.patch -Patch00006: qemu-cvs-ioctl_debug.patch -Patch00007: qemu-cvs-ioctl_nodirection.patch -Patch00008: linux-user-add-binfmt-wrapper-for-argv-0.patch -Patch00009: PPC-KVM-Disable-mmu-notifier-check.patch -Patch00010: linux-user-binfmt-support-host-binaries.patch -Patch00011: linux-user-Fake-proc-cpuinfo.patch -Patch00012: linux-user-use-target_ulong.patch -Patch00013: Make-char-muxer-more-robust-wrt-small-FI.patch -Patch00014: linux-user-lseek-explicitly-cast-non-set.patch -Patch00015: AIO-Reduce-number-of-threads-for-32bit-h.patch -Patch00016: xen_disk-Add-suse-specific-flush-disable.patch -Patch00017: qemu-bridge-helper-reduce-security-profi.patch -Patch00018: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch -Patch00019: linux-user-properly-test-for-infinite-ti.patch -Patch00020: roms-Makefile-pass-a-packaging-timestamp.patch -Patch00021: Raise-soft-address-space-limit-to-hard-l.patch -Patch00022: increase-x86_64-physical-bits-to-42.patch -Patch00023: i8254-Fix-migration-from-SLE11-SP2.patch -Patch00024: acpi_piix4-Fix-migration-from-SLE11-SP2.patch -Patch00025: Switch-order-of-libraries-for-mpath-supp.patch -Patch00026: Make-installed-scripts-explicitly-python.patch -Patch00027: hw-smbios-handle-both-file-formats-regar.patch -Patch00028: xen-add-block-resize-support-for-xen-dis.patch -Patch00029: tests-qemu-iotests-Triple-timeout-of-i-o.patch -Patch00030: tests-Fix-block-tests-to-be-compatible-w.patch -Patch00031: xen-ignore-live-parameter-from-xen-save-.patch -Patch00032: 
Conditionalize-ui-bitmap-installation-be.patch -Patch00033: tests-change-error-message-in-test-162.patch -Patch00034: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch -Patch00035: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch -Patch00036: hw-intc-exynos4210_gic-provide-more-room.patch -Patch00037: configure-only-populate-roms-if-softmmu.patch -Patch00038: pc-bios-s390-ccw-net-avoid-warning-about.patch -Patch00039: roms-change-cross-compiler-naming-to-be-.patch -Patch00040: tests-Disable-some-block-tests-for-now.patch -Patch00041: test-add-mapping-from-arch-of-i686-to-qe.patch -Patch00042: roms-Makefile-enable-cross-compile-for-b.patch -Patch00043: s390x-Move-diagnose-308-subcodes-and-rcs.patch -Patch00044: Sync-pv.patch -Patch00045: s390x-protvirt-Support-unpack-facility.patch -Patch00046: s390x-protvirt-Add-migration-blocker.patch -Patch00047: s390x-protvirt-Inhibit-balloon-when-swit.patch -Patch00048: s390x-protvirt-KVM-intercept-changes.patch -Patch00049: s390x-Add-SIDA-memory-ops.patch -Patch00050: s390x-protvirt-Move-STSI-data-over-SIDAD.patch -Patch00051: s390x-protvirt-SCLP-interpretation.patch -Patch00052: s390x-protvirt-Set-guest-IPL-PSW.patch -Patch00053: s390x-protvirt-Move-diag-308-data-over-S.patch -Patch00054: s390x-protvirt-Disable-address-checks-fo.patch -Patch00055: s390x-protvirt-Move-IO-control-structure.patch -Patch00056: s390x-protvirt-Handle-SIGP-store-status-.patch -Patch00057: s390x-Add-unpack-facility-feature-to-GA1.patch -Patch00058: s390x-s390-virtio-ccw-Fix-build-on-syste.patch -Patch00059: configure-remove-pkgversion-from-CONFIG_.patch -Patch00060: gcc10-maybe-uninitialized.patch -Patch00061: docs-add-SUSE-support-statements-to-html.patch -Patch00062: build-Work-around-gcc10-bug-by-not-using.patch +Patch00000: s390x-Move-diagnose-308-subcodes-and-rcs.patch +Patch00001: Sync-pv.patch +Patch00002: s390x-protvirt-Support-unpack-facility.patch +Patch00003: s390x-protvirt-Add-migration-blocker.patch +Patch00004: 
s390x-protvirt-Inhibit-balloon-when-swit.patch +Patch00005: s390x-protvirt-KVM-intercept-changes.patch +Patch00006: s390x-Add-SIDA-memory-ops.patch +Patch00007: s390x-protvirt-Move-STSI-data-over-SIDAD.patch +Patch00008: s390x-protvirt-SCLP-interpretation.patch +Patch00009: s390x-protvirt-Set-guest-IPL-PSW.patch +Patch00010: s390x-protvirt-Move-diag-308-data-over-S.patch +Patch00011: s390x-protvirt-Disable-address-checks-fo.patch +Patch00012: s390x-protvirt-Move-IO-control-structure.patch +Patch00013: s390x-protvirt-Handle-SIGP-store-status-.patch +Patch00014: s390x-Add-unpack-facility-feature-to-GA1.patch +Patch00015: virtiofsd-add-rlimit-nofile-NUM-option.patch +Patch00016: virtiofsd-stay-below-fs.file-max-sysctl-.patch +Patch00017: es1370-check-total-frame-count-against-c.patch +Patch00018: audio-fix-wavcapture-segfault.patch +Patch00019: ati-vga-check-mm_index-before-recursive-.patch +Patch00020: nbd-server-Avoid-long-error-message-asse.patch +Patch00021: hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch +Patch00022: megasas-use-unsigned-type-for-reply_queu.patch +Patch00023: exec-set-map-length-to-zero-when-returni.patch +Patch00024: XXX-dont-dump-core-on-sigabort.patch +Patch00025: qemu-binfmt-conf-Modify-default-path.patch +Patch00026: qemu-cvs-gettimeofday.patch +Patch00027: qemu-cvs-ioctl_debug.patch +Patch00028: qemu-cvs-ioctl_nodirection.patch +Patch00029: linux-user-add-binfmt-wrapper-for-argv-0.patch +Patch00030: PPC-KVM-Disable-mmu-notifier-check.patch +Patch00031: linux-user-binfmt-support-host-binaries.patch +Patch00032: linux-user-Fake-proc-cpuinfo.patch +Patch00033: linux-user-use-target_ulong.patch +Patch00034: Make-char-muxer-more-robust-wrt-small-FI.patch +Patch00035: linux-user-lseek-explicitly-cast-non-set.patch +Patch00036: AIO-Reduce-number-of-threads-for-32bit-h.patch +Patch00037: xen_disk-Add-suse-specific-flush-disable.patch +Patch00038: qemu-bridge-helper-reduce-security-profi.patch +Patch00039: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch 
+Patch00040: linux-user-properly-test-for-infinite-ti.patch +Patch00041: roms-Makefile-pass-a-packaging-timestamp.patch +Patch00042: Raise-soft-address-space-limit-to-hard-l.patch +Patch00043: increase-x86_64-physical-bits-to-42.patch +Patch00044: i8254-Fix-migration-from-SLE11-SP2.patch +Patch00045: acpi_piix4-Fix-migration-from-SLE11-SP2.patch +Patch00046: Switch-order-of-libraries-for-mpath-supp.patch +Patch00047: Make-installed-scripts-explicitly-python.patch +Patch00048: hw-smbios-handle-both-file-formats-regar.patch +Patch00049: xen-add-block-resize-support-for-xen-dis.patch +Patch00050: tests-qemu-iotests-Triple-timeout-of-i-o.patch +Patch00051: tests-Fix-block-tests-to-be-compatible-w.patch +Patch00052: xen-ignore-live-parameter-from-xen-save-.patch +Patch00053: Conditionalize-ui-bitmap-installation-be.patch +Patch00054: tests-change-error-message-in-test-162.patch +Patch00055: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch +Patch00056: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch +Patch00057: hw-intc-exynos4210_gic-provide-more-room.patch +Patch00058: configure-only-populate-roms-if-softmmu.patch +Patch00059: pc-bios-s390-ccw-net-avoid-warning-about.patch +Patch00060: roms-change-cross-compiler-naming-to-be-.patch +Patch00061: tests-Disable-some-block-tests-for-now.patch +Patch00062: test-add-mapping-from-arch-of-i686-to-qe.patch +Patch00063: roms-Makefile-enable-cross-compile-for-b.patch +Patch00064: s390x-s390-virtio-ccw-Fix-build-on-syste.patch +Patch00065: configure-remove-pkgversion-from-CONFIG_.patch +Patch00066: gcc10-maybe-uninitialized.patch +Patch00067: docs-add-SUSE-support-statements-to-html.patch +Patch00068: docs-fix-trace-docs-build-with-sphinx-3..patch # Patches applied in roms/seabios/: Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch Patch01002: enable-cross-compilation-on-ARM.patch +Patch01003: vga-fix-cirrus-bios.patch # Patches applied in roms/ipxe/: -Patch02000: 
stub-out-the-SAN-req-s-in-int13.patch -Patch02001: ipxe-Makefile-fix-issues-of-build-reprod.patch -Patch02002: Fix-s-directive-argument-is-null-error.patch -Patch02003: Workaround-compilation-error-with-gcc-9..patch -Patch02004: Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch -Patch02005: Be-explicit-about-fcommon-compiler-direc.patch -Patch02006: work-around-gcc10-problem-with-zero-leng.patch -Patch02007: add-enum-cast-to-avoid-gcc10-warning.patch +Patch02000: build-Fix-s-directive-argument-is-null-e.patch +Patch02001: build-Workaround-compilation-error-with-.patch +Patch02002: build-Do-not-apply-WORKAROUND_CFLAGS-for.patch +Patch02003: build-Be-explicit-about-fcommon-compiler.patch +Patch02004: intel-Avoid-spurious-compiler-warning-on.patch +Patch02005: golan-Add-explicit-type-casts-for-nodnic.patch +Patch02006: stub-out-the-SAN-req-s-in-int13.patch +Patch02007: ipxe-Makefile-fix-issues-of-build-reprod.patch # Patches applied in roms/sgabios/: Patch03000: sgabios-Makefile-fix-issues-of-build-rep.patch Patch03001: roms-sgabios-Fix-csum8-to-be-built-by-ho.patch @@ -959,24 +966,31 @@ This package provides a service file for starting and stopping KSM. %patch00058 -p1 %patch00059 -p1 %patch00060 -p1 -%if %{legacy_qemu_kvm} && 0%{?is_opensuse} == 0 %patch00061 -p1 -%endif %patch00062 -p1 +%patch00063 -p1 +%patch00064 -p1 +%patch00065 -p1 +%patch00066 -p1 +%if %{legacy_qemu_kvm} && 0%{?is_opensuse} == 0 +%patch00067 -p1 +%endif +%patch00068 -p1 %patch01000 -p1 %patch01001 -p1 %patch01002 -p1 -%if 0%{?patch-possibly-applied-elsewhere} +%patch01003 -p1 %patch02000 -p1 -%endif %patch02001 -p1 -%patch02002 -p1 -%patch02003 -p1 %ifarch aarch64 -%patch02004 -p1 +%patch02002 -p1 %endif +%patch02003 -p1 +%patch02004 -p1 %patch02005 -p1 +%if 0%{?patch-possibly-applied-elsewhere} %patch02006 -p1 +%endif %patch02007 -p1 %patch03000 -p1 %patch03001 -p1 
@@ -1468,7 +1482,7 @@ done # Compile the QOM test binary first, so that ... touch -r config-host.mak pc-bios -make %{?_smp_mflags} tests/qtest/qom-test %{?_smp_mflags} V=1 +make %{?_smp_mflags} tests/qtest/qom-test V=1 # ... make comes in fresh and has lots of address space (needed for 32bit, bsc#957379) make %{?_smp_mflags} check-report.tap V=1 diff --git a/qemu.spec.in b/qemu.spec.in index 95d989b7..d23a0f0d 100644 --- a/qemu.spec.in +++ b/qemu.spec.in @@ -1297,7 +1297,7 @@ done # Compile the QOM test binary first, so that ... touch -r config-host.mak pc-bios -make %{?_smp_mflags} tests/qtest/qom-test %{?_smp_mflags} V=1 +make %{?_smp_mflags} tests/qtest/qom-test V=1 # ... make comes in fresh and has lots of address space (needed for 32bit, bsc#957379) make %{?_smp_mflags} check-report.tap V=1 diff --git a/s390x-Add-SIDA-memory-ops.patch b/s390x-Add-SIDA-memory-ops.patch index 911b0202..35010dc9 100644 --- a/s390x-Add-SIDA-memory-ops.patch +++ b/s390x-Add-SIDA-memory-ops.patch @@ -2,6 +2,7 @@ From: Janosch Frank Date: Wed, 5 Feb 2020 06:57:35 -0500 Subject: s390x: Add SIDA memory ops +Git-commit a9f21cec3bc9c86062c7c24bb2143d22cb3c2950 References: bsc#1167075 Protected guests save the instruction control blocks in the SIDA @@ -17,7 +18,6 @@ Reviewed-by: David Hildenbrand Reviewed-by: Christian Borntraeger Reviewed-by: Claudio Imbrenda Reviewed-by: Cornelia Huck -(cherry picked from commit a9f21cec3bc9c86062c7c24bb2143d22cb3c2950) Signed-off-by: Bruce Rogers --- target/s390x/cpu.h | 7 ++++++- diff --git a/s390x-Add-unpack-facility-feature-to-GA1.patch b/s390x-Add-unpack-facility-feature-to-GA1.patch index 3d880966..07f51f74 100644 --- a/s390x-Add-unpack-facility-feature-to-GA1.patch +++ b/s390x-Add-unpack-facility-feature-to-GA1.patch @@ -2,6 +2,7 @@ 
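Review bot: The trailer added in s390x-Add-SIDA-memory-ops.patch, `+Git-commit a9f21cec3bc9c86062c7c24bb2143d22cb3c2950`, lacks the colon that every other Git-commit line in this commit uses (`Git-commit: <hash>`); the hunk for s390x-protvirt-Disable-address-checks-fo.patch has the same omission in `+Git-commit f658bf14295ad49caf8d1b21033982ce69423fb7`. Any tooling that reads these headers as `Field: value` lines would presumably miss these two, so they should read `Git-commit: a9f21cec3bc9c86062c7c24bb2143d22cb3c2950` and `Git-commit: f658bf14295ad49caf8d1b21033982ce69423fb7`.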
From: Christian Borntraeger Date: Tue, 25 Feb 2020 06:28:51 -0500 Subject: s390x: Add unpack facility feature to GA1 +Git-commit: 3034eaac3b2970ba85a1d77814ceef1352d05357 References: bsc#1167075 The unpack facility is an indication that diagnose 308 subcodes 8-10 @@ -21,7 +22,6 @@ Reviewed-by: David Hildenbrand Reviewed-by: Claudio Imbrenda Reviewed-by: Cornelia Huck Signed-off-by: Janosch Frank -(cherry picked from commit 3034eaac3b2970ba85a1d77814ceef1352d05357) Signed-off-by: Bruce Rogers --- target/s390x/gen-features.c | 1 + diff --git a/s390x-Move-diagnose-308-subcodes-and-rcs.patch b/s390x-Move-diagnose-308-subcodes-and-rcs.patch index 73735253..72181602 100644 --- a/s390x-Move-diagnose-308-subcodes-and-rcs.patch +++ b/s390x-Move-diagnose-308-subcodes-and-rcs.patch @@ -2,13 +2,13 @@ From: Janosch Frank Date: Fri, 13 Mar 2020 10:35:02 -0400 Subject: s390x: Move diagnose 308 subcodes and rcs into ipl.h +Git-commit: 284bc3dd6e9a978e6e34b00777ce72007a88d6d9 References: bsc#1167075 They are part of the IPL process, so let's put them into the ipl header. Signed-off-by: Janosch Frank -(cherry picked from commit 284bc3dd6e9a978e6e34b00777ce72007a88d6d9) Signed-off-by: Bruce Rogers --- hw/s390x/ipl.h | 11 +++++++++++ diff --git a/s390x-protvirt-Add-migration-blocker.patch b/s390x-protvirt-Add-migration-blocker.patch index c74952f7..3367bcce 100644 --- a/s390x-protvirt-Add-migration-blocker.patch +++ b/s390x-protvirt-Add-migration-blocker.patch @@ -2,6 +2,7 @@ From: Janosch Frank Date: Fri, 6 Mar 2020 06:40:13 -0500 Subject: s390x: protvirt: Add migration blocker +Git-commit: e721e55a3dabb2897081614b17dd4565e85249ac References: bsc#1167075 Migration is not yet supported. @@ -11,7 +12,6 @@ Reviewed-by: David Hildenbrand Reviewed-by: Christian Borntraeger Reviewed-by: Claudio Imbrenda Reviewed-by: Cornelia Huck -(cherry picked from commit e721e55a3dabb2897081614b17dd4565e85249ac) Signed-off-by: Bruce Rogers --- hw/s390x/s390-virtio-ccw.c | 18 ++++++++++++++++++ 
diff --git a/s390x-protvirt-Disable-address-checks-fo.patch b/s390x-protvirt-Disable-address-checks-fo.patch index b39bed20..3e40f214 100644 --- a/s390x-protvirt-Disable-address-checks-fo.patch +++ b/s390x-protvirt-Disable-address-checks-fo.patch @@ -2,6 +2,7 @@ From: Janosch Frank Date: Fri, 29 Nov 2019 04:22:41 -0500 Subject: s390x: protvirt: Disable address checks for PV guest IO emulation +Git-commit f658bf14295ad49caf8d1b21033982ce69423fb7 References: bsc#1167075 IO instruction data is routed through SIDAD for protected guests, so @@ -16,7 +17,6 @@ Reviewed-by: David Hildenbrand Reviewed-by: Christian Borntraeger Reviewed-by: Claudio Imbrenda Reviewed-by: Cornelia Huck -(cherry picked from commit f658bf14295ad49caf8d1b21033982ce69423fb7) Signed-off-by: Bruce Rogers --- target/s390x/ioinst.c | 35 ++++++++++++++++++++++++++++------- diff --git a/s390x-protvirt-Handle-SIGP-store-status-.patch b/s390x-protvirt-Handle-SIGP-store-status-.patch index 18d8518e..855a6057 100644 --- a/s390x-protvirt-Handle-SIGP-store-status-.patch +++ b/s390x-protvirt-Handle-SIGP-store-status-.patch @@ -2,6 +2,7 @@ From: Janosch Frank Date: Tue, 6 Aug 2019 15:40:05 +0200 Subject: s390x: protvirt: Handle SIGP store status correctly +Git-commit: 398fc6874438c320407449d1c9560925aba2280b References: bsc#1167075 For protected VMs status storing is not done by QEMU anymore. @@ -12,7 +13,6 @@ Reviewed-by: David Hildenbrand Reviewed-by: Christian Borntraeger Reviewed-by: Claudio Imbrenda Reviewed-by: Cornelia Huck -(cherry picked from commit 398fc6874438c320407449d1c9560925aba2280b) Signed-off-by: Bruce Rogers --- target/s390x/helper.c | 6 ++++++ diff --git a/s390x-protvirt-Inhibit-balloon-when-swit.patch b/s390x-protvirt-Inhibit-balloon-when-swit.patch index 91f62944..7c7c8bad 100644 --- a/s390x-protvirt-Inhibit-balloon-when-swit.patch +++ b/s390x-protvirt-Inhibit-balloon-when-swit.patch @@ -2,6 +2,7 @@ 
From: Janosch Frank Date: Mon, 24 Feb 2020 07:49:06 -0500 Subject: s390x: protvirt: Inhibit balloon when switching to protected mode +Git-commit: 59dc32a3494d6afdd420f3e401f1f324a1179256 References: bsc#1167075 Ballooning in protected VMs can only be done when the guest shares the @@ -29,7 +30,6 @@ Reviewed-by: David Hildenbrand Reviewed-by: Christian Borntraeger Reviewed-by: Claudio Imbrenda Reviewed-by: Cornelia Huck -(cherry picked from commit 59dc32a3494d6afdd420f3e401f1f324a1179256) Signed-off-by: Bruce Rogers --- hw/s390x/s390-virtio-ccw.c | 11 +++++++++++ diff --git a/s390x-protvirt-KVM-intercept-changes.patch b/s390x-protvirt-KVM-intercept-changes.patch index 6c33aab0..7ae942d2 100644 --- a/s390x-protvirt-KVM-intercept-changes.patch +++ b/s390x-protvirt-KVM-intercept-changes.patch @@ -2,6 +2,7 @@ From: Janosch Frank Date: Mon, 13 May 2019 10:35:27 +0200 Subject: s390x: protvirt: KVM intercept changes +Git-commit: fd70eb764f176c200d6723c2ad88362f23536bfa References: bsc#1167075 Protected VMs no longer intercept with code 4 for an instruction @@ -30,7 +31,6 @@ Reviewed-by: David Hildenbrand Reviewed-by: Christian Borntraeger Reviewed-by: Claudio Imbrenda Reviewed-by: Cornelia Huck -(cherry picked from commit fd70eb764f176c200d6723c2ad88362f23536bfa) Signed-off-by: Bruce Rogers --- target/s390x/kvm.c | 4 ++++ diff --git a/s390x-protvirt-Move-IO-control-structure.patch b/s390x-protvirt-Move-IO-control-structure.patch index 485a83dd..f859a405 100644 --- a/s390x-protvirt-Move-IO-control-structure.patch +++ b/s390x-protvirt-Move-IO-control-structure.patch @@ -2,6 +2,7 @@ From: Janosch Frank Date: Wed, 5 Feb 2020 07:02:33 -0500 Subject: s390x: protvirt: Move IO control structures over SIDA +Git-commit: 4989e18cbe5621df39020ef812316f479d8f5246 References: bsc#1167075 For protected guests, we need to put the IO emulation results into the @@ -10,7 +11,6 @@ SIDA, so SIE will write them into the guest at the next entry. 
 Signed-off-by: Janosch Frank
 Reviewed-by: David Hildenbrand
 Reviewed-by: Cornelia Huck
-(cherry picked from commit 4989e18cbe5621df39020ef812316f479d8f5246)
 Signed-off-by: Bruce Rogers
 ---
  target/s390x/ioinst.c | 61 +++++++++++++++++++++++++++++++------------
diff --git a/s390x-protvirt-Move-STSI-data-over-SIDAD.patch b/s390x-protvirt-Move-STSI-data-over-SIDAD.patch
index 1c1e8991..dcb7e9ee 100644
--- a/s390x-protvirt-Move-STSI-data-over-SIDAD.patch
+++ b/s390x-protvirt-Move-STSI-data-over-SIDAD.patch
@@ -2,6 +2,7 @@ From: Janosch Frank
 Date: Wed, 5 Feb 2020 07:02:51 -0500
 Subject: s390x: protvirt: Move STSI data over SIDAD
 
+Git-commit: ccce7a654911ae507c962aff5f41004a7a88fad6
 References: bsc#1167075
 
 For protected guests, we need to put the STSI emulation results into
@@ -11,7 +12,6 @@ Signed-off-by: Janosch Frank
 Reviewed-by: David Hildenbrand
 Reviewed-by: Claudio Imbrenda
 Reviewed-by: Cornelia Huck
-(cherry picked from commit ccce7a654911ae507c962aff5f41004a7a88fad6)
 Signed-off-by: Bruce Rogers
 ---
  target/s390x/kvm.c | 11 +++++++++--
diff --git a/s390x-protvirt-Move-diag-308-data-over-S.patch b/s390x-protvirt-Move-diag-308-data-over-S.patch
index 778c757b..6ec5e747 100644
--- a/s390x-protvirt-Move-diag-308-data-over-S.patch
+++ b/s390x-protvirt-Move-diag-308-data-over-S.patch
@@ -2,6 +2,7 @@ From: Janosch Frank
 Date: Wed, 31 Jul 2019 17:49:08 +0200
 Subject: s390x: protvirt: Move diag 308 data over SIDA
 
+Git-commit: 258da1c7736d3aa4604ceea6cce00995c6f30058
 References: bsc#1167075
 
 For protected guests the IPIB is written/read to/from the SIDA, so we
@@ -12,7 +13,6 @@ Reviewed-by: David Hildenbrand
 Reviewed-by: Christian Borntraeger
 Reviewed-by: Claudio Imbrenda
 Reviewed-by: Cornelia Huck
-(cherry picked from commit 258da1c7736d3aa4604ceea6cce00995c6f30058)
 Signed-off-by: Bruce Rogers
 ---
  target/s390x/diag.c | 25 ++++++++++++++++++++-----
diff --git a/s390x-protvirt-SCLP-interpretation.patch b/s390x-protvirt-SCLP-interpretation.patch
index dee5cf0d..d827dcab 100644
--- a/s390x-protvirt-SCLP-interpretation.patch
+++ b/s390x-protvirt-SCLP-interpretation.patch
@@ -2,6 +2,7 @@ From: Janosch Frank
 Date: Mon, 3 Jun 2019 16:40:29 +0200
 Subject: s390x: protvirt: SCLP interpretation
 
+Git-commit: 32633cf4539341180dbc7a92c2655c711b4a6996
 References: bsc#1167075
 
 SCLP for a protected guest is done over the SIDAD, so we need to use
@@ -16,7 +17,6 @@ Signed-off-by: Janosch Frank
 Reviewed-by: David Hildenbrand
 Reviewed-by: Claudio Imbrenda
 Reviewed-by: Cornelia Huck
-(cherry picked from commit 32633cf4539341180dbc7a92c2655c711b4a6996)
 Signed-off-by: Bruce Rogers
 ---
  hw/s390x/sclp.c | 56 +++++++++++++++++++++++++++++++--------
diff --git a/s390x-protvirt-Set-guest-IPL-PSW.patch b/s390x-protvirt-Set-guest-IPL-PSW.patch
index 364ae4d4..7b241347 100644
--- a/s390x-protvirt-Set-guest-IPL-PSW.patch
+++ b/s390x-protvirt-Set-guest-IPL-PSW.patch
@@ -2,6 +2,7 @@ From: Janosch Frank
 Date: Tue, 23 Jul 2019 13:17:32 +0200
 Subject: s390x: protvirt: Set guest IPL PSW
 
+Git-commit: e8686d9849f1625f4f4b28403f0555181b72d1b6
 References: bsc#1167075
 
 Handling of CPU reset and setting of the IPL psw from guest storage at
@@ -14,7 +15,6 @@ Reviewed-by: David Hildenbrand
 Reviewed-by: Christian Borntraeger
 Reviewed-by: Claudio Imbrenda
 Reviewed-by: Cornelia Huck
-(cherry picked from commit e8686d9849f1625f4f4b28403f0555181b72d1b6)
 Signed-off-by: Bruce Rogers
 ---
  target/s390x/cpu.c | 26 +++++++++++++++++---------
diff --git a/s390x-protvirt-Support-unpack-facility.patch b/s390x-protvirt-Support-unpack-facility.patch
index b065d0df..dada75bf 100644
--- a/s390x-protvirt-Support-unpack-facility.patch
+++ b/s390x-protvirt-Support-unpack-facility.patch
@@ -2,6 +2,7 @@ From: Janosch Frank
 Date: Mon, 11 Feb 2019 16:07:19 +0100
 Subject: s390x: protvirt: Support unpack facility
 
+Git-commit: 2150c92b9b7d12b5fbdd2c59e5b17197d28f53db
 References: bsc#1167075
 
 The unpack facility provides the means to setup a protected guest. A
@@ -23,7 +24,6 @@ to machine]
 Reviewed-by: David Hildenbrand
 Reviewed-by: Claudio Imbrenda
 Reviewed-by: Cornelia Huck
-(cherry picked from commit 2150c92b9b7d12b5fbdd2c59e5b17197d28f53db)
 [BR: Needed to fix a compiler warning on i586 in hw/s390x/ipl.c]
 Signed-off-by: Bruce Rogers
 ---
diff --git a/tests-Disable-some-block-tests-for-now.patch b/tests-Disable-some-block-tests-for-now.patch
index 976f4688..0791b058 100644
--- a/tests-Disable-some-block-tests-for-now.patch
+++ b/tests-Disable-some-block-tests-for-now.patch
@@ -2,48 +2,22 @@ From: Bruce Rogers
 Date: Wed, 2 Oct 2019 07:28:04 -0600
 Subject: tests: Disable some block tests for now
 
-For a very long time we've experienced intermittent failure of some
-block tests. There doesn't seem to be an obvious cause. Given that we
-now build qemu using multibuild, the qemu-testsuite failure is now more
-problematic to just ignore. Until we can address these failures, which
-seem to be tied to the build environment in some way, disable the tests
-which are either randomly or reliably failing.
-
-Currently, this patch is based on these failures seen on 09OCT2019 on
-v4.1.0 qemu:
-disable 065, 129, 169, 182, 205, 218, 242, 248, 250
-(other architectures not evaluated at this time)
+Most tests previously disabled for qemu-testsuite to be able to complete
+successfully are no longer (as of v4.1) listed as auto, and therefore
+do not get run anymore.
 
 27NOV2019 - added 161 since it is failing on s390x and ppc consistently
 
 Signed-off-by: Bruce Rogers
 ---
- tests/qemu-iotests/group | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
+ tests/qemu-iotests/group | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
-index 435dccd5af90754a3f80f4455bdb..8409dad73f2cbd7447235ea10b03 100644
+index 435dccd5af90754a3f80f4455bdb..a6c8ed8a5cdef50383594305c0c1 100644
 --- a/tests/qemu-iotests/group
 +++ b/tests/qemu-iotests/group
-@@ -86,7 +86,7 @@
- 062 rw auto quick
- 063 rw auto quick
- 064 rw quick
--065 rw quick
-+#DISABLE FOR NOW 065 rw quick
- 066 rw auto quick
- 067 rw quick
- 068 rw quick
-@@ -150,7 +150,7 @@
- 126 rw auto backing
- 127 rw auto backing quick
- 128 rw quick
--129 rw quick
-+#DISABLE FOR NOW 129 rw quick
- 130 rw quick
- 131 rw quick
- 132 rw quick
-@@ -182,11 +182,11 @@
+@@ -182,7 +182,7 @@
  158 rw auto quick
  159 rw auto quick
  160 rw quick
@@ -52,54 +26,3 @@ index 435dccd5af90754a3f80f4455bdb..8409dad73f2cbd7447235ea10b03 100644
  162 quick
  163 rw
  165 rw quick
--169 rw quick migration
-+#DISABLE FOR NOW 169 rw quick migration
- 170 rw auto quick
- 171 rw quick
- 172 auto
-@@ -198,7 +198,7 @@
- 178 img
- 179 rw auto quick
- 181 rw auto migration
--182 rw quick
-+#DISABLE FOR NOW 182 rw quick
- 183 rw migration
- 184 rw auto quick
- 185 rw
-@@ -220,7 +220,7 @@
- 202 rw quick
- 203 rw auto migration
- 204 rw quick
--205 rw quick
-+#DISABLE FOR NOW 205 rw quick
- 206 rw
- 207 rw
- 208 rw quick
-@@ -233,7 +233,7 @@
- 215 rw quick
- 216 rw quick
- 217 rw auto quick
--218 rw quick
-+#DISABLE FOR NOW 218 rw quick
- 219 rw
- 220 rw auto
- 221 rw quick
-@@ -256,15 +256,15 @@
- 239 rw quick
- 240 quick
- 241 rw quick
--242 rw quick
-+#DISABLE FOR NOW 242 rw quick
- 243 rw quick
- 244 rw auto quick
- 245 rw
- 246 rw quick
- 247 rw quick
--248 rw quick
-+#DISABLE FOR NOW 248 rw quick
- 249 rw auto quick
--250 rw quick
-+#DISABLE FOR NOW 250 rw quick
- 251 rw auto quick
- 252 rw auto backing quick
- 253 rw quick
diff --git a/vga-fix-cirrus-bios.patch b/vga-fix-cirrus-bios.patch
new file mode 100644
index 00000000..dda7e845
--- /dev/null
+++ b/vga-fix-cirrus-bios.patch
@@ -0,0 +1,30 @@
+From: Gerd Hoffmann
+Date: Thu, 25 Jun 2020 11:17:09 +0200
+Subject: vga: fix cirrus bios
+
+Git-commit: d11c75185276ded944f2ea0277532b7fee849bbc
+
+Little mistake, big effect. The patch adding the ati driver broke
+cirrus due to a missing "else", which effectively downgrades cirrus
+to standard vga.
+
+Fixes: 34b6ecc16074 ("vga: add atiext driver")
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Bruce Rogers
+---
+ vgasrc/vgahw.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/roms/seabios/vgasrc/vgahw.h b/roms/seabios/vgasrc/vgahw.h
+index c774f4f2c6b7c8012096bac2f0ed..8b64660e5ef70d71b440013300bc 100644
+--- a/roms/seabios/vgasrc/vgahw.h
++++ b/roms/seabios/vgasrc/vgahw.h
+@@ -36,7 +36,7 @@ static inline int vgahw_set_mode(struct vgamode_s *vmode_g, int flags) {
+ static inline void vgahw_list_modes(u16 seg, u16 *dest, u16 *last) {
+ if (CONFIG_VGA_CIRRUS)
+ clext_list_modes(seg, dest, last);
+- if (CONFIG_VGA_ATI)
++ else if (CONFIG_VGA_ATI)
+ ati_list_modes(seg, dest, last);
+ else if (CONFIG_VGA_BOCHS)
+ bochsvga_list_modes(seg, dest, last);
diff --git a/work-around-gcc10-problem-with-zero-leng.patch b/work-around-gcc10-problem-with-zero-leng.patch
deleted file mode 100644
index b8bf03ff..00000000
--- a/work-around-gcc10-problem-with-zero-leng.patch
+++ /dev/null
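Review bot: The new vga-fix-cirrus-bios.patch header carries a `Git-commit:` line but no `References:` line, whereas every other patch touched in this commit keeps a `References: bsc#…` tag directly under `Git-commit:`; if no bug tracks this fix, a `References:` line naming the upstream change would keep the header consistent for whatever reads these tags. The hash appears to be a SeaBIOS commit rather than a qemu one (the `Fixes: 34b6ecc16074 ("vga: add atiext driver")` tag and the `roms/seabios/vgasrc/vgahw.h` path both point at the SeaBIOS tree), which is worth stating in the header since the other `Git-commit:` tags in this series refer to qemu changes under `target/s390x/` and `hw/s390x/`. The diffstat line ` vgasrc/vgahw.h | 2 +-` also no longer matches the `roms/seabios/` prefix used in the diff header and should be regenerated. The one-line C change, `else if (CONFIG_VGA_ATI)`, is the correct fix for the fallthrough into the ATI/Bochs branches.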
@@ -1,30 +0,0 @@
-From: Bruce Rogers
-Date: Tue, 5 May 2020 13:26:33 -0600
-Subject: work around gcc10 problem with zero-length array
-
-References: boo#1171123
-
-gcc10 has introduced a regression in handling zero-length array under
-certain cirumstances. For now simply work around it by extending the
-array to have 1 member. I've audited the code to ensure that will still
-work right.
-See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94940
-
-Signed-off-by: Bruce Rogers
----
- src/drivers/net/intelvf.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/roms/ipxe/src/drivers/net/intelvf.h b/roms/ipxe/src/drivers/net/intelvf.h
-index ab404698fe6de9f48370931fdf56..abc2cd254bd44f4b2168e1ecee54 100644
---- a/roms/ipxe/src/drivers/net/intelvf.h
-+++ b/roms/ipxe/src/drivers/net/intelvf.h
-@@ -132,7 +132,7 @@ union intelvf_msg {
- /** Queue configuration message */
- struct intelvf_msg_queues queues;
- /** Raw dwords */
-- uint32_t dword[0];
-+ uint32_t dword[1];
- };
- 
- /** Maximum time to wait for mailbox message