Accepting request 889648 from Virtualization:Staging

Update version to v6.0.0

OBS-URL: https://build.opensuse.org/request/show/889648
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=641
José Ricardo Ziviani 2021-04-30 21:53:49 +00:00 committed by Git OBS Bridge
parent 03fb60ec0f
commit f33f068cda
127 changed files with 729 additions and 10179 deletions

@ -1,76 +0,0 @@
From: Greg Kurz <groug@kaod.org>
Date: Thu, 14 Jan 2021 17:04:12 +0100
Subject: 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
Git-commit: 89fbea8737e8f7b954745a1ffc4238d377055305
References: bsc#1182137
Depending on the client activity, the server can be asked to open a huge
number of file descriptors and eventually hit RLIMIT_NOFILE. This is
currently mitigated using a reclaim logic : the server closes the file
descriptors of idle fids, based on the assumption that it will be able
to re-open them later. This assumption doesn't hold of course if the
client requests the file to be unlinked. In this case, we loop on the
entire fid list and mark all related fids as unreclaimable (the reclaim
logic will just ignore them) and, of course, we open or re-open their
file descriptors if needed since we're about to unlink the file.
This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
opening of a file can cause the coroutine to yield, another client
request could possibly add a new fid that we may want to mark as
non-reclaimable as well. The loop is thus restarted if the re-open
request was actually transmitted to the backend. This is achieved
by keeping a reference on the first fid (head) before traversing
the list.
This is wrong in several ways:
- a potential clunk request from the client could tear the first
fid down and cause the reference to be stale. This leads to a
use-after-free error that can be detected with ASAN, using a
custom 9p client
- fids are added at the head of the list : restarting from the
previous head will always miss fids added by a some other
potential request
All these problems could be avoided if fids were being added at the
end of the list. This can be achieved with a QSIMPLEQ, but this is
probably too much change for a bug fix. For now let's keep it
simple and just restart the loop from the current head.
Fixes: CVE-2021-20181
Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 94df440fc74004bfa45b3fe30540..6026b51a1c04ee82d6366cb13d50 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
{
int err;
V9fsState *s = pdu->s;
- V9fsFidState *fidp, head_fid;
+ V9fsFidState *fidp;
- head_fid.next = s->fid_list;
+again:
for (fidp = s->fid_list; fidp; fidp = fidp->next) {
if (fidp->path.size != path->size) {
continue;
@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
* switched to the worker thread
*/
if (err == 0) {
- fidp = &head_fid;
+ goto again;
}
}
}
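Review bot: the `goto again` taken when `err == 0` restarts the walk from `s->fid_list` after every successful reopen, so termination depends on the fid that was just reopened not qualifying for another reopen on the next pass, and nothing in these lines shows or documents that. A short comment at the `again:` label stating that invariant would help. Each reopen also costs a full rescan of the list, and the commit message says the client drives how many fids exist, so the QSIMPLEQ conversion it mentions is worth tracking as the follow-up that removes the restart.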

@ -25,9 +25,8 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
chardev/char-mux.c | 16 ++++++++++++++++
chardev/char.c | 1 +
chardev/chardev-internal.h | 3 +++
chardev/chardev-sysemu.c | 1 +
tests/test-char.c | 1 +
6 files changed, 23 insertions(+)
tests/unit/test-char.c | 1 +
5 files changed, 22 insertions(+)
diff --git a/chardev/char-fe.c b/chardev/char-fe.c
index 474715c5a9257ae9e9e286d2e02d..eeb1b3e0b548027e2bcda0c272d5 100644
@ -42,7 +41,7 @@ index 474715c5a9257ae9e9e286d2e02d..eeb1b3e0b548027e2bcda0c272d5 100644
#include "qemu/error-report.h"
#include "qapi/error.h"
diff --git a/chardev/char-mux.c b/chardev/char-mux.c
index 6f980bb83647da13c62f514391b3..094bc6703a3febdf5fefb7c0024f 100644
index 72beef29d21c3bed1ffe6e48c7e7..6e5a3fb272c6b02e900b9775bad6 100644
--- a/chardev/char-mux.c
+++ b/chardev/char-mux.c
@@ -22,6 +22,7 @@
@ -53,7 +52,7 @@ index 6f980bb83647da13c62f514391b3..094bc6703a3febdf5fefb7c0024f 100644
#include "qemu/osdep.h"
#include "qapi/error.h"
#include "qemu/module.h"
@@ -191,6 +192,17 @@ static void mux_chr_accept_input(Chardev *chr)
@@ -198,6 +199,17 @@ static void mux_chr_accept_input(Chardev *chr)
be->chr_read(be->opaque,
&d->buffer[m][d->cons[m]++ & MUX_BUFFER_MASK], 1);
}
@ -71,7 +70,7 @@ index 6f980bb83647da13c62f514391b3..094bc6703a3febdf5fefb7c0024f 100644
}
static int mux_chr_can_read(void *opaque)
@@ -325,6 +337,10 @@ static void qemu_chr_open_mux(Chardev *chr,
@@ -332,6 +344,10 @@ static void qemu_chr_open_mux(Chardev *chr,
}
d->focus = -1;
@ -83,7 +82,7 @@ index 6f980bb83647da13c62f514391b3..094bc6703a3febdf5fefb7c0024f 100644
* set of muxes
*/
diff --git a/chardev/char.c b/chardev/char.c
index aa4282164acabbba58a6eea76b8c..9add6ca377e402f5ce3215e4934d 100644
index 398f09df19cd8567fa1ea96ee4d4..5778bd7666f8ff053269bf5b6b81 100644
--- a/chardev/char.c
+++ b/chardev/char.c
@@ -22,6 +22,7 @@
@ -108,22 +107,10 @@ index aba0240759ebf938cf391d89edb8..fb3957b771f9e24547619fd45669 100644
int focus;
int mux_cnt;
int term_got_escape;
diff --git a/chardev/chardev-sysemu.c b/chardev/chardev-sysemu.c
index eecdc615ee1c6c64060452ac837d..c052f101e89c193af1effa9c6fa5 100644
--- a/chardev/chardev-sysemu.c
+++ b/chardev/chardev-sysemu.c
@@ -22,6 +22,7 @@
* THE SOFTWARE.
*/
+#define HW_POISON_H /* avoid poison since we patch against rules it "enforces" */
#include "qemu/osdep.h"
#include "sysemu/sysemu.h"
#include "chardev/char.h"
diff --git a/tests/test-char.c b/tests/test-char.c
index 9196e566e9ba671ed268a3178845..5d84a777738abfb28de151930c46 100644
--- a/tests/test-char.c
+++ b/tests/test-char.c
diff --git a/tests/unit/test-char.c b/tests/unit/test-char.c
index 5b3b48ebacd353d4525226e3aaf5..6ce130a663ec372d18f0a674af8e 100644
--- a/tests/unit/test-char.c
+++ b/tests/unit/test-char.c
@@ -1,3 +1,4 @@
+#define HW_POISON_H /* avoid poison since we patch against rules it "enforces" */
#include "qemu/osdep.h"
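Review bot: defining `HW_POISON_H` on the first line pre-empts that header's include guard, which turns off identifier poisoning for the whole file rather than for the one construct the patch needs, and it stops working silently if the guard name ever changes. If the bypass has to stay, name in the comment which poisoned identifier the patch depends on, so the define can be dropped once that use goes away.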

@ -1,35 +0,0 @@
From: =?UTF-8?q?Stefan=20Br=C3=BCns?= <stefan.bruens@rwth-aachen.de>
Date: Mon, 5 Aug 2019 20:03:11 +0000
Subject: Make keycode-gen output reproducible (use SOURCE_DATE_EPOCH
timestamp)
Signed-off-by: Bruce Rogers <brogers@suse.com
---
tools/keymap-gen | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ui/keycodemapdb/tools/keymap-gen b/ui/keycodemapdb/tools/keymap-gen
index f0269e3cabf57881bb41e2333143..a374eb255fb3c55b65b475e86461 100755
--- a/ui/keycodemapdb/tools/keymap-gen
+++ b/ui/keycodemapdb/tools/keymap-gen
@@ -20,6 +20,7 @@ except:
sys.path.append(os.path.join(os.path.dirname(__file__), "../thirdparty"))
import argparse
import hashlib
+import os
import time
import sys
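Review bot: the added `import os` looks redundant, because the context line just above it already calls `os.path.join` and `os.path.dirname`, which suggests `os` is imported earlier in the file. Dropping the line would keep the patch to the single functional hunk.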
@@ -317,7 +318,11 @@ class LanguageGenerator(object):
raise NotImplementedError()
def generate_header(self, database, args):
- today = time.strftime("%Y-%m-%d %H:%M")
+ sde = os.getenv("SOURCE_DATE_EPOCH")
+ if sde:
+ today = time.strftime("%Y-%m-%d %H:%M", time.gmtime(int(sde)))
+ else:
+ today = time.strftime("%Y-%m-%d %H:%M")
self._boilerplate([
"This file is auto-generated from keymaps.csv on %s" % today,
"Database checksum sha256(%s)" % database.mapchecksum,
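Review bot: `int(sde)` is unguarded, so a non-numeric `SOURCE_DATE_EPOCH` ends header generation with a bare ValueError traceback; catching it and reporting the offending value would make a misconfigured build easier to diagnose. The two branches also disagree on time zone (`time.gmtime` for the epoch value, local time in the fallback) while the format string carries no zone, so consider using UTC in both or adding the zone to the header text.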

@ -11,10 +11,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 76dbb917f5cd3085ad93cb634c14..2e4808da4de018be61545ec681e3 100644
index bcbbec71a1cb61342dada30c54d3..884d7b03faeb6d17f677a298ebef 100644
--- a/Makefile
+++ b/Makefile
@@ -105,7 +105,7 @@ x := $(shell rm -rf meson-private meson-info meson-logs)
@@ -85,7 +85,7 @@ x := $(shell rm -rf meson-private meson-info meson-logs)
endif
# 1. ensure config-host.mak is up-to-date

@ -14,10 +14,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 2 insertions(+)
diff --git a/softmmu/physmem.c b/softmmu/physmem.c
index 2cd1de4a2c46814f10c60fc1b8e5..2b06d754afdea5215fead91d3419 100644
index 85034d9c11e3f65cce6041ea8acc..98d51d87249ea17ef30b7eaa2157 100644
--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
@@ -1957,11 +1957,13 @@ RAMBlock *qemu_ram_alloc_from_fd(ram_addr_t size, MemoryRegion *mr,
@@ -2029,11 +2029,13 @@ RAMBlock *qemu_ram_alloc_from_fd(ram_addr_t size, MemoryRegion *mr,
return NULL;
}
@ -29,5 +29,5 @@ index 2cd1de4a2c46814f10c60fc1b8e5..2b06d754afdea5215fead91d3419 100644
}
+#endif
if (phys_mem_alloc != qemu_anon_ram_alloc) {
/*
size = HOST_PAGE_ALIGN(size);
file_size = get_file_size(fd);

@ -16,29 +16,23 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 12 insertions(+)
diff --git a/softmmu/vl.c b/softmmu/vl.c
index e6e0ad5a9259038413f855ef6374..eaab7bf13e8c51e93b3d0f348f06 100644
index aadb52613888ef6ac1fe7ec3a038..07ade8e5ccd2934a69b82bcaabae 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -34,6 +34,7 @@
#include "qemu/uuid.h"
@@ -40,6 +40,7 @@
#include "sysemu/reset.h"
#include "sysemu/runstate.h"
#include "sysemu/runstate-action.h"
+#include <sys/resource.h>
#include "sysemu/seccomp.h"
#include "sysemu/tcg.h"
#include "sysemu/xen.h"
@@ -2899,6 +2900,7 @@ void qemu_init(int argc, char **argv, char **envp)
BlockdevOptionsQueue bdo_queue = QSIMPLEQ_HEAD_INITIALIZER(bdo_queue);
QemuPluginList plugin_list = QTAILQ_HEAD_INITIALIZER(plugin_list);
int mem_prealloc = 0; /* force preallocation of physical target memory */
@@ -2625,6 +2626,17 @@ void qemu_init(int argc, char **argv, char **envp)
MachineClass *machine_class;
bool userconfig = true;
FILE *vmstate_dump_file = NULL;
+ struct rlimit rlimit_as;
os_set_line_buffering();
@@ -2910,6 +2912,16 @@ void qemu_init(int argc, char **argv, char **envp)
qemu_mutex_lock_iothread();
+
+ /*
+ * Try to raise the soft address space limit.
+ * Default on SLES 11 SP2 is 80% of physical+swap memory.
@ -48,7 +42,6 @@ index e6e0ad5a9259038413f855ef6374..eaab7bf13e8c51e93b3d0f348f06 100644
+ rlimit_as.rlim_cur = rlimit_as.rlim_max;
+ setrlimit(RLIMIT_AS, &rlimit_as);
+ }
+
atexit(qemu_run_exit_notifiers);
qemu_init_exec_dir(argv[0]);
qemu_add_opts(&qemu_drive_opts);
qemu_add_drive_opts(&qemu_legacy_drive_opts);
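Review bot: the return value of `setrlimit(RLIMIT_AS, &rlimit_as)` is dropped, so a failed raise goes unnoticed and QEMU keeps running under the lower soft limit the comment is trying to avoid. The comment says "Try to", so ignoring the failure may be deliberate, but a warning on failure would make later allocation errors easier to trace back to the limit.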

File diff suppressed because it is too large

@ -8,10 +8,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 6 insertions(+)
diff --git a/linux-user/signal.c b/linux-user/signal.c
index 73de934c65117c5caa0f2dabe8e2..be83f5e4030f2a6e90606f762396 100644
index 7eecec46c4070c119cfee9be2316..fdd9a86cc1ce0b8238562d1612a3 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -632,6 +632,10 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig)
@@ -631,6 +631,10 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig)
trace_user_force_sig(env, target_sig, host_sig);
gdb_signalled(env, target_sig);
@ -22,7 +22,7 @@ index 73de934c65117c5caa0f2dabe8e2..be83f5e4030f2a6e90606f762396 100644
/* dump core if supported by target binary format */
if (core_dump_signal(target_sig) && (ts->bprm->core_dump != NULL)) {
stop_all_tasks();
@@ -649,6 +653,8 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig)
@@ -648,6 +652,8 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig)
target_sig, strsignal(host_sig), "core dumped" );
}

@ -16,10 +16,10 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
index 669be5bbf61ecc9308bb4b25e2b8..bd1c7cc447bda59190590cb4551f 100644
index 8f8b0e95e5201b1404b2a9bc7abd..4083edb21d17346ca9733de4915c 100644
--- a/hw/acpi/piix4.c
+++ b/hw/acpi/piix4.c
@@ -276,7 +276,7 @@ static bool piix4_vmstate_need_smbus(void *opaque, int version_id)
@@ -277,7 +277,7 @@ static bool piix4_vmstate_need_smbus(void *opaque, int version_id)
static const VMStateDescription vmstate_acpi = {
.name = "piix4_pm",
.version_id = 3,

@ -1,35 +0,0 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 15 Dec 2020 09:11:51 +0100
Subject: audio: add sanity check
Git-commit: 06c8c375389a54d8e4457d967f4f0896caecefb2
References: boo#1180210
Check whenever we actually found the spiceaudio driver
before flipping the can_be_default field.
Fixes: f0c4555edfdd ("audio: remove qemu_spice_audio_init()")
Buglink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977301
Reported-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20201215081151.20095-1-kraxel@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
audio/audio.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/audio/audio.c b/audio/audio.c
index 46578e4a583b9ad5c5fd4d40c711..973804620d7b057b70833694947c 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -1709,7 +1709,9 @@ static AudioState *audio_init(Audiodev *dev, const char *name)
* backend and this can go away.
*/
driver = audio_driver_lookup("spice");
- driver->can_be_default = 1;
+ if (driver) {
+ driver->can_be_default = 1;
+ }
}
if (dev) {

@ -1,119 +0,0 @@
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 3 Dec 2020 18:23:11 +0100
Subject: block: Fix deadlock in bdrv_co_yield_to_drain()
Git-commit: 960d5fb3e8ee09bc5f1a5c84f66dce42a6cef920
If bdrv_co_yield_to_drain() is called for draining a block node that
runs in a different AioContext, it keeps that AioContext locked while it
yields and schedules a BH in the AioContext to do the actual drain.
As long as executing the BH is the very next thing that the event loop
of the node's AioContext does, this actually happens to work, but when
it tries to execute something else that wants to take the AioContext
lock, it will deadlock. (In the bug report, this other thing is a
virtio-scsi device running virtio_scsi_data_plane_handle_cmd().)
Instead, always drop the AioContext lock across the yield and reacquire
it only when the coroutine is reentered. The BH needs to unconditionally
take the lock for itself now.
This fixes the 'block_resize' QMP command on a block node that runs in
an iothread.
Cc: qemu-stable@nongnu.org
Fixes: eb94b81a94bce112e6b206df846c1551aaf6cab6
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1903511
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20201203172311.68232-4-kwolf@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
block/io.c | 41 ++++++++++++++++++++++++-----------------
1 file changed, 24 insertions(+), 17 deletions(-)
diff --git a/block/io.c b/block/io.c
index ec5e152bb70f62371b608e95d514..a9f56a9ab1c56a3ca83833bfb0fa 100644
--- a/block/io.c
+++ b/block/io.c
@@ -306,17 +306,7 @@ static void bdrv_co_drain_bh_cb(void *opaque)
if (bs) {
AioContext *ctx = bdrv_get_aio_context(bs);
- AioContext *co_ctx = qemu_coroutine_get_aio_context(co);
-
- /*
- * When the coroutine yielded, the lock for its home context was
- * released, so we need to re-acquire it here. If it explicitly
- * acquired a different context, the lock is still held and we don't
- * want to lock it a second time (or AIO_WAIT_WHILE() would hang).
- */
- if (ctx == co_ctx) {
- aio_context_acquire(ctx);
- }
+ aio_context_acquire(ctx);
bdrv_dec_in_flight(bs);
if (data->begin) {
assert(!data->drained_end_counter);
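Review bot: the unconditional `aio_context_acquire(ctx)` is only safe if no caller can still hold `ctx` when the BH runs, and the comment that used to explain the locking state here is removed without a replacement. A one-line comment saying that bdrv_co_yield_to_drain() always drops the lock before yielding would keep the invariant next to the code that depends on it.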
@@ -328,9 +318,7 @@ static void bdrv_co_drain_bh_cb(void *opaque)
data->ignore_bds_parents,
data->drained_end_counter);
}
- if (ctx == co_ctx) {
- aio_context_release(ctx);
- }
+ aio_context_release(ctx);
} else {
assert(data->begin);
bdrv_drain_all_begin();
@@ -348,13 +336,16 @@ static void coroutine_fn bdrv_co_yield_to_drain(BlockDriverState *bs,
int *drained_end_counter)
{
BdrvCoDrainData data;
+ Coroutine *self = qemu_coroutine_self();
+ AioContext *ctx = bdrv_get_aio_context(bs);
+ AioContext *co_ctx = qemu_coroutine_get_aio_context(self);
/* Calling bdrv_drain() from a BH ensures the current coroutine yields and
* other coroutines run if they were queued by aio_co_enter(). */
assert(qemu_in_coroutine());
data = (BdrvCoDrainData) {
- .co = qemu_coroutine_self(),
+ .co = self,
.bs = bs,
.done = false,
.begin = begin,
@@ -368,13 +359,29 @@ static void coroutine_fn bdrv_co_yield_to_drain(BlockDriverState *bs,
if (bs) {
bdrv_inc_in_flight(bs);
}
- replay_bh_schedule_oneshot_event(bdrv_get_aio_context(bs),
- bdrv_co_drain_bh_cb, &data);
+
+ /*
+ * Temporarily drop the lock across yield or we would get deadlocks.
+ * bdrv_co_drain_bh_cb() reaquires the lock as needed.
+ *
+ * When we yield below, the lock for the current context will be
+ * released, so if this is actually the lock that protects bs, don't drop
+ * it a second time.
+ */
+ if (ctx != co_ctx) {
+ aio_context_release(ctx);
+ }
+ replay_bh_schedule_oneshot_event(ctx, bdrv_co_drain_bh_cb, &data);
qemu_coroutine_yield();
/* If we are resumed from some other event (such as an aio completion or a
* timer callback), it is a bug in the caller that should be fixed. */
assert(data.done);
+
+ /* Reaquire the AioContext of bs if we dropped it */
+ if (ctx != co_ctx) {
+ aio_context_acquire(ctx);
+ }
}
void bdrv_do_drained_begin_quiesce(BlockDriverState *bs,
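Review bot: the `aio_context_release(ctx)` and `aio_context_acquire(ctx)` pair is guarded only by `ctx != co_ctx`, while `bdrv_inc_in_flight(bs)` just above is guarded by `if (bs)`, so the `bs == NULL` path also goes through the release. Please state in the new comment which lock the caller holds in that case, or add the `bs` check to both conditions. The comments also spell "reaquires" and "Reaquire"; these should be "reacquires" and "Reacquire".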

@ -1,42 +0,0 @@
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 3 Dec 2020 18:23:10 +0100
Subject: block: Fix locking in qmp_block_resize()
Git-commit: 8089eab2bd5fb160b038e64e14cf7ffb3f37091e
The drain functions assume that we hold the AioContext lock of the
drained block node. Make sure to actually take the lock.
Cc: qemu-stable@nongnu.org
Fixes: eb94b81a94bce112e6b206df846c1551aaf6cab6
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20201203172311.68232-3-kwolf@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
blockdev.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/blockdev.c b/blockdev.c
index a7f0149d64152651be78f6cd8e61..e4dfa65aa444346c3c09dbc6d1c5 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -2481,13 +2481,16 @@ void coroutine_fn qmp_block_resize(bool has_device, const char *device,
return;
}
+ bdrv_co_lock(bs);
bdrv_drained_begin(bs);
+ bdrv_co_unlock(bs);
+
old_ctx = bdrv_co_enter(bs);
blk_truncate(blk, size, false, PREALLOC_MODE_OFF, 0, errp);
bdrv_co_leave(bs, old_ctx);
- bdrv_drained_end(bs);
bdrv_co_lock(bs);
+ bdrv_drained_end(bs);
blk_unref(blk);
bdrv_co_unlock(bs);
}
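Review bot: the lock scope is now asymmetric: `bdrv_drained_begin(bs)` gets its own `bdrv_co_lock`/`bdrv_co_unlock` pair, while `bdrv_drained_end(bs)` moves inside the existing pair that also covers `blk_unref(blk)`. A comment explaining why the lock is dropped again before `bdrv_co_enter(bs)` and `blk_truncate()` would stop a later cleanup from merging the two critical sections.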

@ -1,481 +0,0 @@
From: Kevin Wolf <kwolf@redhat.com>
Date: Mon, 18 Jan 2021 13:34:47 +0100
Subject: block: Separate blk_is_writable() and blk_supports_write_perm()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 86b1cf322789b79c8ace977430ac6a443d491cc0
Currently, blk_is_read_only() tells whether a given BlockBackend can
only be used in read-only mode because its root node is read-only. Some
callers actually try to answer a slightly different question: Is the
BlockBackend configured to be writable, by taking write permissions on
the root node?
This can differ, for example, for CD-ROM devices which don't take write
permissions, but may be backed by a writable image file. scsi-cd allows
write requests to the drive if blk_is_read_only() returns false.
However, the write request will immediately run into an assertion
failure because the write permission is missing.
This patch introduces separate functions for both questions.
blk_supports_write_perm() answers the question whether the block
node/image file can support writable devices, whereas blk_is_writable()
tells whether the BlockBackend is currently configured to be writable.
All calls of blk_is_read_only() are converted to one of the two new
functions.
Fixes: https://bugs.launchpad.net/bugs/1906693
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20210118123448.307825-2-kwolf@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
block/block-backend.c | 19 ++++++++++++++++---
hw/block/dataplane/xen-block.c | 2 +-
hw/block/fdc.c | 9 +++++----
hw/block/m25p80.c | 6 +++---
hw/block/nand.c | 2 +-
hw/block/nvme-ns.c | 7 ++++---
hw/block/onenand.c | 2 +-
hw/block/pflash_cfi01.c | 2 +-
hw/block/pflash_cfi02.c | 2 +-
hw/block/swim.c | 6 +++---
hw/block/virtio-blk.c | 6 +++---
hw/block/xen-block.c | 2 +-
hw/ide/core.c | 2 +-
hw/misc/sifive_u_otp.c | 2 +-
hw/ppc/pnv_pnor.c | 2 +-
hw/scsi/scsi-disk.c | 10 +++++-----
hw/scsi/scsi-generic.c | 4 ++--
hw/sd/sd.c | 6 +++---
hw/usb/dev-storage.c | 4 ++--
include/sysemu/block-backend.h | 3 ++-
20 files changed, 57 insertions(+), 41 deletions(-)
diff --git a/block/block-backend.c b/block/block-backend.c
index ce78d30794ade042fa9f1b8d2b68..e493f17515d88465796d298b5566 100644
--- a/block/block-backend.c
+++ b/block/block-backend.c
@@ -1826,17 +1826,30 @@ void blk_error_action(BlockBackend *blk, BlockErrorAction action,
}
}
-bool blk_is_read_only(BlockBackend *blk)
+/*
+ * Returns true if the BlockBackend can support taking write permissions
+ * (because its root node is not read-only).
+ */
+bool blk_supports_write_perm(BlockBackend *blk)
{
BlockDriverState *bs = blk_bs(blk);
if (bs) {
- return bdrv_is_read_only(bs);
+ return !bdrv_is_read_only(bs);
} else {
- return blk->root_state.read_only;
+ return !blk->root_state.read_only;
}
}
+/*
+ * Returns true if the BlockBackend can be written to in its current
+ * configuration (i.e. if write permission have been requested)
+ */
+bool blk_is_writable(BlockBackend *blk)
+{
+ return blk->perm & BLK_PERM_WRITE;
+}
+
bool blk_is_sg(BlockBackend *blk)
{
BlockDriverState *bs = blk_bs(blk);
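Review bot: `blk_supports_write_perm()` has the opposite polarity of the `blk_is_read_only()` it replaces, so every converted caller needs a negation added or removed, and a missed one compiles cleanly; a sentence in the function comment noting the inversion would help anyone rebasing callers onto it. In `blk_is_writable()`, `return blk->perm & BLK_PERM_WRITE;` relies on implicit conversion of a mask to bool, and `!!(...)` or `!= 0` would make the intent explicit. The comment should read "write permissions have been requested".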
diff --git a/hw/block/dataplane/xen-block.c b/hw/block/dataplane/xen-block.c
index 71c337c7b7e74085532754bb28b2..f5b4f4c0790c26887e21649010f1 100644
--- a/hw/block/dataplane/xen-block.c
+++ b/hw/block/dataplane/xen-block.c
@@ -168,7 +168,7 @@ static int xen_block_parse_request(XenBlockRequest *request)
};
if (request->req.operation != BLKIF_OP_READ &&
- blk_is_read_only(dataplane->blk)) {
+ !blk_is_writable(dataplane->blk)) {
error_report("error: write req for ro device");
goto err;
}
diff --git a/hw/block/fdc.c b/hw/block/fdc.c
index 4c2c35e223aa5fccb6b855b1aa9e..d6ba6c8f730092632770cf66908b 100644
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@@ -443,7 +443,7 @@ static void fd_revalidate(FDrive *drv)
FLOPPY_DPRINTF("revalidate\n");
if (drv->blk != NULL) {
- drv->ro = blk_is_read_only(drv->blk);
+ drv->ro = !blk_is_writable(drv->blk);
if (!blk_is_inserted(drv->blk)) {
FLOPPY_DPRINTF("No disk in drive\n");
drv->disk = FLOPPY_DRIVE_TYPE_NONE;
@@ -478,8 +478,8 @@ static void fd_change_cb(void *opaque, bool load, Error **errp)
blk_set_perm(drive->blk, 0, BLK_PERM_ALL, &error_abort);
} else {
if (!blkconf_apply_backend_options(drive->conf,
- blk_is_read_only(drive->blk), false,
- errp)) {
+ !blk_supports_write_perm(drive->blk),
+ false, errp)) {
return;
}
}
@@ -552,7 +552,8 @@ static void floppy_drive_realize(DeviceState *qdev, Error **errp)
* read-only node later */
read_only = true;
} else {
- read_only = !blk_bs(dev->conf.blk) || blk_is_read_only(dev->conf.blk);
+ read_only = !blk_bs(dev->conf.blk) ||
+ !blk_supports_write_perm(dev->conf.blk);
}
if (!blkconf_blocksizes(&dev->conf, errp)) {
diff --git a/hw/block/m25p80.c b/hw/block/m25p80.c
index 483925f57a9023f349bd70e8db9a..efe490a52fe4ff5dfeaec609b3e3 100644
--- a/hw/block/m25p80.c
+++ b/hw/block/m25p80.c
@@ -499,7 +499,7 @@ static void flash_sync_page(Flash *s, int page)
{
QEMUIOVector *iov;
- if (!s->blk || blk_is_read_only(s->blk)) {
+ if (!s->blk || !blk_is_writable(s->blk)) {
return;
}
@@ -515,7 +515,7 @@ static inline void flash_sync_area(Flash *s, int64_t off, int64_t len)
{
QEMUIOVector *iov;
- if (!s->blk || blk_is_read_only(s->blk)) {
+ if (!s->blk || !blk_is_writable(s->blk)) {
return;
}
@@ -1278,7 +1278,7 @@ static void m25p80_realize(SSISlave *ss, Error **errp)
if (s->blk) {
uint64_t perm = BLK_PERM_CONSISTENT_READ |
- (blk_is_read_only(s->blk) ? 0 : BLK_PERM_WRITE);
+ (blk_supports_write_perm(s->blk) ? BLK_PERM_WRITE : 0);
ret = blk_set_perm(s->blk, perm, BLK_PERM_ALL, errp);
if (ret < 0) {
return;
diff --git a/hw/block/nand.c b/hw/block/nand.c
index 1d7a48a2ec2ad7ac77dc4b28f677..8c5087f96a960420fc3f7aea03a5 100644
--- a/hw/block/nand.c
+++ b/hw/block/nand.c
@@ -409,7 +409,7 @@ static void nand_realize(DeviceState *dev, Error **errp)
pagesize = 1 << s->oob_shift;
s->mem_oob = 1;
if (s->blk) {
- if (blk_is_read_only(s->blk)) {
+ if (!blk_supports_write_perm(s->blk)) {
error_setg(errp, "Can't use a read-only drive");
return;
}
diff --git a/hw/block/nvme-ns.c b/hw/block/nvme-ns.c
index 31c80cdf5b5ff302052383cbada1..2670787d2630f8a3d1b1c7f138b8 100644
--- a/hw/block/nvme-ns.c
+++ b/hw/block/nvme-ns.c
@@ -48,13 +48,14 @@ static void nvme_ns_init(NvmeNamespace *ns)
static int nvme_ns_init_blk(NvmeCtrl *n, NvmeNamespace *ns, Error **errp)
{
+ bool read_only;
+
if (!blkconf_blocksizes(&ns->blkconf, errp)) {
return -1;
}
- if (!blkconf_apply_backend_options(&ns->blkconf,
- blk_is_read_only(ns->blkconf.blk),
- false, errp)) {
+ read_only = !blk_supports_write_perm(ns->blkconf.blk);
+ if (!blkconf_apply_backend_options(&ns->blkconf, read_only, false, errp)) {
return -1;
}
diff --git a/hw/block/onenand.c b/hw/block/onenand.c
index 5ff7be86bb798190b976779d7603..08994ca7da1aff06ff12615d4777 100644
--- a/hw/block/onenand.c
+++ b/hw/block/onenand.c
@@ -796,7 +796,7 @@ static void onenand_realize(DeviceState *dev, Error **errp)
s->image = memset(g_malloc(size + (size >> 5)),
0xff, size + (size >> 5));
} else {
- if (blk_is_read_only(s->blk)) {
+ if (!blk_supports_write_perm(s->blk)) {
error_setg(errp, "Can't use a read-only drive");
return;
}
diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c
index daae9658605f4a348d6e91c84b31..af0bb6c26342405dc558df1be36c 100644
--- a/hw/block/pflash_cfi01.c
+++ b/hw/block/pflash_cfi01.c
@@ -744,7 +744,7 @@ static void pflash_cfi01_realize(DeviceState *dev, Error **errp)
if (pfl->blk) {
uint64_t perm;
- pfl->ro = blk_is_read_only(pfl->blk);
+ pfl->ro = !blk_supports_write_perm(pfl->blk);
perm = BLK_PERM_CONSISTENT_READ | (pfl->ro ? 0 : BLK_PERM_WRITE);
ret = blk_set_perm(pfl->blk, perm, BLK_PERM_ALL, errp);
if (ret < 0) {
diff --git a/hw/block/pflash_cfi02.c b/hw/block/pflash_cfi02.c
index 1b3d94e0473bd4490b7c97d7c7e7..1a855c5d3865c0d64b46c90a4cda 100644
--- a/hw/block/pflash_cfi02.c
+++ b/hw/block/pflash_cfi02.c
@@ -801,7 +801,7 @@ static void pflash_cfi02_realize(DeviceState *dev, Error **errp)
if (pfl->blk) {
uint64_t perm;
- pfl->ro = blk_is_read_only(pfl->blk);
+ pfl->ro = !blk_supports_write_perm(pfl->blk);
perm = BLK_PERM_CONSISTENT_READ | (pfl->ro ? 0 : BLK_PERM_WRITE);
ret = blk_set_perm(pfl->blk, perm, BLK_PERM_ALL, errp);
if (ret < 0) {
diff --git a/hw/block/swim.c b/hw/block/swim.c
index 20133a814c44095028ea0efe7d53..509c2f4900353c3b1e7fad9117f1 100644
--- a/hw/block/swim.c
+++ b/hw/block/swim.c
@@ -137,8 +137,8 @@ static void swim_change_cb(void *opaque, bool load, Error **errp)
blk_set_perm(drive->blk, 0, BLK_PERM_ALL, &error_abort);
} else {
if (!blkconf_apply_backend_options(drive->conf,
- blk_is_read_only(drive->blk), false,
- errp)) {
+ !blk_supports_write_perm(drive->blk),
+ false, errp)) {
return;
}
}
@@ -210,7 +210,7 @@ static void swim_drive_realize(DeviceState *qdev, Error **errp)
dev->conf.werror = BLOCKDEV_ON_ERROR_AUTO;
if (!blkconf_apply_backend_options(&dev->conf,
- blk_is_read_only(dev->conf.blk),
+ !blk_supports_write_perm(dev->conf.blk),
false, errp)) {
return;
}
diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index bac2d6fa2b283854b21f225bea1c..e8600b069da36372f68c6b59baf9 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -1021,7 +1021,7 @@ static uint64_t virtio_blk_get_features(VirtIODevice *vdev, uint64_t features,
virtio_has_feature(features, VIRTIO_BLK_F_CONFIG_WCE))) {
virtio_add_feature(&features, VIRTIO_BLK_F_WCE);
}
- if (blk_is_read_only(s->blk)) {
+ if (!blk_is_writable(s->blk)) {
virtio_add_feature(&features, VIRTIO_BLK_F_RO);
}
if (s->conf.num_queues > 1) {
@@ -1175,8 +1175,8 @@ static void virtio_blk_device_realize(DeviceState *dev, Error **errp)
}
if (!blkconf_apply_backend_options(&conf->conf,
- blk_is_read_only(conf->conf.blk), true,
- errp)) {
+ !blk_supports_write_perm(conf->conf.blk),
+ true, errp)) {
return;
}
s->original_wce = blk_enable_write_cache(conf->conf.blk);
diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c
index 8a7a3f54523ed050587c3e2047de..20b23c699bc1cb4cd796bf352c45 100644
--- a/hw/block/xen-block.c
+++ b/hw/block/xen-block.c
@@ -574,7 +574,7 @@ static void xen_disk_realize(XenBlockDevice *blockdev, Error **errp)
return;
}
- blockdev->info = blk_is_read_only(conf->blk) ? VDISK_READONLY : 0;
+ blockdev->info = blk_supports_write_perm(conf->blk) ? 0 : VDISK_READONLY;
}
static void xen_disk_class_init(ObjectClass *class, void *data)
diff --git a/hw/ide/core.c b/hw/ide/core.c
index e85821637c961121ad7a2ccfbaf9..50758a944172ba6ed12c3ca2bc4c 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -2537,7 +2537,7 @@ int ide_init_drive(IDEState *s, BlockBackend *blk, IDEDriveKind kind,
error_setg(errp, "Device needs media, but drive is empty");
return -1;
}
- if (blk_is_read_only(blk)) {
+ if (!blk_is_writable(blk)) {
error_setg(errp, "Can't use a read-only drive");
return -1;
}
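Review bot: this check uses `blk_is_writable(blk)`, while the identical "Can't use a read-only drive" errors in hw/block/nand.c and hw/block/onenand.c use `blk_supports_write_perm()`. `blk_is_writable()` only reports true once write permission has been requested, so please confirm that ide_init_drive() always runs after the permissions are set up and say so in a comment; otherwise a drive backed by a writable image would be rejected here.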
diff --git a/hw/misc/sifive_u_otp.c b/hw/misc/sifive_u_otp.c
index 60066375abddfa4e74e424b7d693..84547ebf1ba4aae4c99be01342e5 100644
--- a/hw/misc/sifive_u_otp.c
+++ b/hw/misc/sifive_u_otp.c
@@ -218,7 +218,7 @@ static void sifive_u_otp_realize(DeviceState *dev, Error **errp)
if (s->blk) {
perm = BLK_PERM_CONSISTENT_READ |
- (blk_is_read_only(s->blk) ? 0 : BLK_PERM_WRITE);
+ (blk_supports_write_perm(s->blk) ? BLK_PERM_WRITE : 0);
ret = blk_set_perm(s->blk, perm, BLK_PERM_ALL, errp);
if (ret < 0) {
return;
diff --git a/hw/ppc/pnv_pnor.c b/hw/ppc/pnv_pnor.c
index c365ee58b884c02c77851a35f566..cc2a6a3db7eac7cab6750fe7f011 100644
--- a/hw/ppc/pnv_pnor.c
+++ b/hw/ppc/pnv_pnor.c
@@ -85,7 +85,7 @@ static void pnv_pnor_realize(DeviceState *dev, Error **errp)
if (s->blk) {
uint64_t perm = BLK_PERM_CONSISTENT_READ |
- (blk_is_read_only(s->blk) ? 0 : BLK_PERM_WRITE);
+ (blk_supports_write_perm(s->blk) ? BLK_PERM_WRITE : 0);
ret = blk_set_perm(s->blk, perm, BLK_PERM_ALL, errp);
if (ret < 0) {
return;
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index 90841ad79123a3a86547a70d6dd4..7ab2be05b3ce3f4fad2212037b34 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -1269,7 +1269,7 @@ static int scsi_disk_emulate_mode_sense(SCSIDiskReq *r, uint8_t *outbuf)
if (s->qdev.type == TYPE_DISK) {
dev_specific_param = s->features & (1 << SCSI_DISK_F_DPOFUA) ? 0x10 : 0;
- if (blk_is_read_only(s->qdev.conf.blk)) {
+ if (!blk_is_writable(s->qdev.conf.blk)) {
dev_specific_param |= 0x80; /* Readonly. */
}
} else {
@@ -1703,7 +1703,7 @@ static void scsi_disk_emulate_unmap(SCSIDiskReq *r, uint8_t *inbuf)
goto invalid_param_len;
}
- if (blk_is_read_only(s->qdev.conf.blk)) {
+ if (!blk_is_writable(s->qdev.conf.blk)) {
block_acct_invalid(blk_get_stats(s->qdev.conf.blk), BLOCK_ACCT_UNMAP);
scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
return;
@@ -1794,7 +1794,7 @@ static void scsi_disk_emulate_write_same(SCSIDiskReq *r, uint8_t *inbuf)
return;
}
- if (blk_is_read_only(s->qdev.conf.blk)) {
+ if (!blk_is_writable(s->qdev.conf.blk)) {
scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
return;
}
@@ -2206,7 +2206,7 @@ static int32_t scsi_disk_dma_command(SCSIRequest *req, uint8_t *buf)
case WRITE_VERIFY_10:
case WRITE_VERIFY_12:
case WRITE_VERIFY_16:
- if (blk_is_read_only(s->qdev.conf.blk)) {
+ if (!blk_is_writable(s->qdev.conf.blk)) {
scsi_check_condition(r, SENSE_CODE(WRITE_PROTECTED));
return 0;
}
@@ -2379,7 +2379,7 @@ static void scsi_realize(SCSIDevice *dev, Error **errp)
}
}
- read_only = blk_is_read_only(s->qdev.conf.blk);
+ read_only = !blk_supports_write_perm(s->qdev.conf.blk);
if (dev->type == TYPE_ROM) {
read_only = true;
}
diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
index 2cb23ca8913c91fc06f497af21be..836479ab017326fa058381efbb87 100644
--- a/hw/scsi/scsi-generic.c
+++ b/hw/scsi/scsi-generic.c
@@ -305,7 +305,7 @@ static void scsi_read_complete(void * opaque, int ret)
* readonly.
*/
if ((s->type == TYPE_DISK || s->type == TYPE_TAPE || s->type == TYPE_ZBC) &&
- blk_is_read_only(s->conf.blk) &&
+ !blk_is_writable(s->conf.blk) &&
(r->req.cmd.buf[0] == MODE_SENSE ||
r->req.cmd.buf[0] == MODE_SENSE_10) &&
(r->req.cmd.buf[1] & 0x8) == 0) {
@@ -693,7 +693,7 @@ static void scsi_generic_realize(SCSIDevice *s, Error **errp)
return;
}
if (!blkconf_apply_backend_options(&s->conf,
- blk_is_read_only(s->conf.blk),
+ !blk_supports_write_perm(s->conf.blk),
true, errp)) {
return;
}
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 1842c037978c6b17c74d6b81a169..5cdcd54cfcbf467342b2e485ac3e 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -583,7 +583,7 @@ static void sd_reset(DeviceState *dev)
sd_set_sdstatus(sd);
g_free(sd->wp_groups);
- sd->wp_switch = sd->blk ? blk_is_read_only(sd->blk) : false;
+ sd->wp_switch = sd->blk ? !blk_is_writable(sd->blk) : false;
sd->wpgrps_size = sect;
sd->wp_groups = bitmap_new(sd->wpgrps_size);
memset(sd->function_group, 0, sizeof(sd->function_group));
@@ -751,7 +751,7 @@ void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
{
sd->readonly_cb = readonly;
sd->inserted_cb = insert;
- qemu_set_irq(readonly, sd->blk ? blk_is_read_only(sd->blk) : 0);
+ qemu_set_irq(readonly, sd->blk ? !blk_is_writable(sd->blk) : 0);
qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
}
@@ -2155,7 +2155,7 @@ static void sd_realize(DeviceState *dev, Error **errp)
if (sd->blk) {
int64_t blk_size;
- if (blk_is_read_only(sd->blk)) {
+ if (!blk_supports_write_perm(sd->blk)) {
error_setg(errp, "Cannot use read-only drive as SD card");
return;
}
diff --git a/hw/usb/dev-storage.c b/hw/usb/dev-storage.c
index f0f005869d25976cc4d5d2394237..c49e8b819e97df5f3f1814f2f63f 100644
--- a/hw/usb/dev-storage.c
+++ b/hw/usb/dev-storage.c
@@ -613,8 +613,8 @@ static void usb_msd_storage_realize(USBDevice *dev, Error **errp)
return;
}
- if (!blkconf_apply_backend_options(&s->conf, blk_is_read_only(blk), true,
- errp)) {
+ if (!blkconf_apply_backend_options(&s->conf, !blk_supports_write_perm(blk),
+ true, errp)) {
return;
}
diff --git a/include/sysemu/block-backend.h b/include/sysemu/block-backend.h
index 8203d7f6f90c792ca3f70e516909..880e9032930b0207e2e3e6fe1bd7 100644
--- a/include/sysemu/block-backend.h
+++ b/include/sysemu/block-backend.h
@@ -191,7 +191,8 @@ BlockErrorAction blk_get_error_action(BlockBackend *blk, bool is_read,
int error);
void blk_error_action(BlockBackend *blk, BlockErrorAction action,
bool is_read, int error);
-bool blk_is_read_only(BlockBackend *blk);
+bool blk_supports_write_perm(BlockBackend *blk);
+bool blk_is_writable(BlockBackend *blk);
bool blk_is_sg(BlockBackend *blk);
bool blk_enable_write_cache(BlockBackend *blk);
void blk_set_enable_write_cache(BlockBackend *blk, bool wce);
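Review bot: the single blk_is_read_only() declaration is replaced by two predicates with no comment telling them apart, and the callers converted in this patch use both (blk_supports_write_perm() in the realize functions, blk_is_writable() in the request paths). Add a short doc comment above each declaration stating what it reports, so that anyone converting a remaining blk_is_read_only() caller picks the right one. Note also that both new names have the opposite sense to the old one, so every conversion needs a negation or swapped ternary arms.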

View File

@ -1,62 +0,0 @@
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 3 Dec 2020 18:23:09 +0100
Subject: block: Simplify qmp_block_resize() error paths
Git-commit: d9dbf25f9624aac43e4357019bed4422f0b3368d
The only thing that happens after the 'out:' label is blk_unref(blk).
However, blk = NULL in all of the error cases, so instead of jumping to
'out:', we can just return directly.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20201203172311.68232-2-kwolf@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
blockdev.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/blockdev.c b/blockdev.c
index fe6fb5dc1d19716fba52e8b900e2..a7f0149d64152651be78f6cd8e61 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -2454,7 +2454,7 @@ void coroutine_fn qmp_block_resize(bool has_device, const char *device,
int64_t size, Error **errp)
{
Error *local_err = NULL;
- BlockBackend *blk = NULL;
+ BlockBackend *blk;
BlockDriverState *bs;
AioContext *old_ctx;
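Review bot: dropping the `= NULL` initializer leaves blk indeterminate until the blk_new_with_bs() assignment in the next hunk. That is safe only while every exit before that assignment is a plain return; a later change that reintroduces a jump to the cleanup code would pass an uninitialized pointer to blk_unref(). Keeping the initializer costs nothing and keeps the cleanup path safe by construction.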
@@ -2468,17 +2468,17 @@ void coroutine_fn qmp_block_resize(bool has_device, const char *device,
if (size < 0) {
error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "size", "a >0 size");
- goto out;
+ return;
}
if (bdrv_op_is_blocked(bs, BLOCK_OP_TYPE_RESIZE, NULL)) {
error_setg(errp, QERR_DEVICE_IN_USE, device);
- goto out;
+ return;
}
blk = blk_new_with_bs(bs, BLK_PERM_RESIZE, BLK_PERM_ALL, errp);
if (!blk) {
- goto out;
+ return;
}
bdrv_drained_begin(bs);
@@ -2487,7 +2487,6 @@ void coroutine_fn qmp_block_resize(bool has_device, const char *device,
bdrv_co_leave(bs, old_ctx);
bdrv_drained_end(bs);
-out:
bdrv_co_lock(bs);
blk_unref(blk);
bdrv_co_unlock(bs);
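Review bot: with the `out:` label removed, the early returns in the previous hunk skip not only blk_unref(blk) but also the bdrv_co_lock(bs)/bdrv_co_unlock(bs) pair visible in the context here, while the commit message says blk_unref() is the only thing that happens after the label. Confirm that skipping the lock/unlock pair on the error paths is intended, and say so in the message.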

View File

@ -1,33 +0,0 @@
From: Peter Lieven <pl@kamp.de>
Date: Wed, 9 Dec 2020 13:17:35 +0100
Subject: block/nfs: fix int overflow in nfs_client_open_qdict
Git-commit: 182454dc63c66ff5a29eddd60cc987b6a1b45e7f
nfs_client_open returns the file size in sectors. This effectively
makes it impossible to open files larger than 1TB.
Fixes: c22a03454544c2a08f1107c5cc8481a5574533d5
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <20201209121735.16437-1-pl@kamp.de>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
block/nfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/nfs.c b/block/nfs.c
index 77905f516d203d03012cdf362daf..8c1968bb415d9a9e542988fd5112 100644
--- a/block/nfs.c
+++ b/block/nfs.c
@@ -592,7 +592,7 @@ static int64_t nfs_client_open_qdict(NFSClient *client, QDict *options,
int flags, int open_flags, Error **errp)
{
BlockdevOptionsNfs *opts;
- int ret;
+ int64_t ret;
opts = nfs_options_qdict_to_qapi(options, errp);
if (opts == NULL) {
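Review bot: widening ret to int64_t removes the truncation inside nfs_client_open_qdict(), whose return type is already int64_t, but the hunk does not show what the caller stores the result in. Check that the call site also keeps the value in a 64-bit variable, otherwise a large size is still truncated one frame up.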

View File

@ -1,47 +0,0 @@
From: Stefano Garzarella <sgarzare@redhat.com>
Date: Mon, 29 Mar 2021 17:01:29 +0200
Subject: block/rbd: Fix memory leak in qemu_rbd_co_create_opts()
Git-commit: b084b420d9d6347dede328fbcf18c8e4c695f7e8
When we allocate 'q_namespace', we forgot to set 'has_q_namespace'
to true. This can cause several issues, including a memory leak,
since qapi_free_BlockdevCreateOptions() does not deallocate that
memory, as reported by valgrind:
13 bytes in 1 blocks are definitely lost in loss record 7 of 96
at 0x4839809: malloc (vg_replace_malloc.c:307)
by 0x48CEBB8: g_malloc (in /usr/lib64/libglib-2.0.so.0.6600.8)
by 0x48E3FE3: g_strdup (in /usr/lib64/libglib-2.0.so.0.6600.8)
by 0x180010: qemu_rbd_co_create_opts (rbd.c:446)
by 0x1AE72C: bdrv_create_co_entry (block.c:492)
by 0x241902: coroutine_trampoline (coroutine-ucontext.c:173)
by 0x57530AF: ??? (in /usr/lib64/libc-2.32.so)
by 0x1FFEFFFA6F: ???
Fix setting 'has_q_namespace' to true when we allocate 'q_namespace'.
Fixes: 19ae9ae014 ("block/rbd: Add support for ceph namespaces")
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20210329150129.121182-3-sgarzare@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
[BR: Modified subject to achieve unique patchname]
---
block/rbd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block/rbd.c b/block/rbd.c
index 15f1ac3b47d45e347a34579130ea..318e2826fc4180a1ad6837c81150 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -444,6 +444,7 @@ static int coroutine_fn qemu_rbd_co_create_opts(BlockDriver *drv,
loc->user = g_strdup(qdict_get_try_str(options, "user"));
loc->has_user = !!loc->user;
loc->q_namespace = g_strdup(qdict_get_try_str(options, "namespace"));
+ loc->has_q_namespace = !!loc->q_namespace;
loc->image = g_strdup(qdict_get_try_str(options, "image"));
keypairs = qdict_get_try_str(options, "=keyvalue-pairs");
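Review bot: the other optional fields filled in by qemu_rbd_co_create_opts() deserve the same check that q_namespace gets here, since the leak came from a has_ flag forgotten at the point of allocation. In the visible context user is paired with has_user and q_namespace now with has_q_namespace, but image on the next line sets no flag; confirm that it is a mandatory field and not a third instance of the same omission.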

View File

@ -1,74 +0,0 @@
From: Stefano Garzarella <sgarzare@redhat.com>
Date: Mon, 29 Mar 2021 17:01:28 +0200
Subject: block/rbd: fix memory leak in qemu_rbd_connect()
Git-commit: c1c1f6cf511496b985cb9a1c536d59c9be7b9317
In qemu_rbd_connect(), 'mon_host' is allocated by qemu_rbd_mon_host()
using g_strjoinv(), but it's only freed in the error path, leaking
memory in the success path as reported by valgrind:
80 bytes in 4 blocks are definitely lost in loss record 5,028 of 6,516
at 0x4839809: malloc (vg_replace_malloc.c:307)
by 0x5315BB8: g_malloc (in /usr/lib64/libglib-2.0.so.0.6600.8)
by 0x532B6FF: g_strjoinv (in /usr/lib64/libglib-2.0.so.0.6600.8)
by 0x87D07E: qemu_rbd_mon_host (rbd.c:538)
by 0x87D07E: qemu_rbd_connect (rbd.c:562)
by 0x87E1CE: qemu_rbd_open (rbd.c:740)
by 0x840EB1: bdrv_open_driver (block.c:1528)
by 0x8453A9: bdrv_open_common (block.c:1802)
by 0x8453A9: bdrv_open_inherit (block.c:3444)
by 0x8464C2: bdrv_open (block.c:3537)
by 0x8108CD: qmp_blockdev_add (blockdev.c:3569)
by 0x8EA61B: qmp_marshal_blockdev_add (qapi-commands-block-core.c:1086)
by 0x90B528: do_qmp_dispatch_bh (qmp-dispatch.c:131)
by 0x907EA4: aio_bh_poll (async.c:164)
Fix freeing 'mon_host' also when qemu_rbd_connect() ends correctly.
Fixes: 0a55679b4a5061f4d74bdb1a0e81611ba3390b00
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20210329150129.121182-2-sgarzare@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
block/rbd.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/block/rbd.c b/block/rbd.c
index 9bd2bce71651b8612e37c5dc040d..15f1ac3b47d45e347a34579130ea 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -563,13 +563,13 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
if (local_err) {
error_propagate(errp, local_err);
r = -EINVAL;
- goto failed_opts;
+ goto out;
}
r = rados_create(cluster, opts->user);
if (r < 0) {
error_setg_errno(errp, -r, "error initializing");
- goto failed_opts;
+ goto out;
}
/* try default location when conf=NULL, but ignore failure */
@@ -626,11 +626,12 @@ static int qemu_rbd_connect(rados_t *cluster, rados_ioctx_t *io_ctx,
*/
rados_ioctx_set_namespace(*io_ctx, opts->q_namespace);
- return 0;
+ r = 0;
+ goto out;
failed_shutdown:
rados_shutdown(*cluster);
-failed_opts:
+out:
g_free(mon_host);
return r;
}
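Review bot: the success path now reaches the cleanup through `r = 0; goto out;` placed directly above failed_shutdown:, so correctness depends on that goto never being dropped or reordered, otherwise rados_shutdown(*cluster) runs on success. Declaring mon_host so that it is freed automatically at scope exit (GLib's g_autofree) would fix the leak without routing the success path through the error labels.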

View File

@ -1,113 +0,0 @@
From: Michael Qiu <qiudayu@huayun.com>
Date: Wed, 3 Feb 2021 10:40:59 +0800
Subject: blockjob: Fix crash with IOthread when block commit after snapshot
Git-commit: 076d467aacdf6dc5d01e2e61740b1795f2aec2f6
Currently, if the guest has workloads, the IO thread will acquire the aio_context
lock before doing io_submit, which leads to a segmentation fault when doing a block
commit after a snapshot. Just like below:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f7c7d91f700 (LWP 99907)]
0x00005576d0f65aab in bdrv_mirror_top_pwritev at ../block/mirror.c:1437
1437 ../block/mirror.c: No such file or directory.
(gdb) p s->job
$17 = (MirrorBlockJob *) 0x0
(gdb) p s->stop
$18 = false
Call trace of IO thread:
0 0x00005576d0f65aab in bdrv_mirror_top_pwritev at ../block/mirror.c:1437
1 0x00005576d0f7f3ab in bdrv_driver_pwritev at ../block/io.c:1174
2 0x00005576d0f8139d in bdrv_aligned_pwritev at ../block/io.c:1988
3 0x00005576d0f81b65 in bdrv_co_pwritev_part at ../block/io.c:2156
4 0x00005576d0f8e6b7 in blk_do_pwritev_part at ../block/block-backend.c:1260
5 0x00005576d0f8e84d in blk_aio_write_entry at ../block/block-backend.c:1476
...
Switch to qemu main thread:
0 0x00007f903be704ed in __lll_lock_wait at
/lib/../lib64/libpthread.so.0
1 0x00007f903be6bde6 in _L_lock_941 at /lib/../lib64/libpthread.so.0
2 0x00007f903be6bcdf in pthread_mutex_lock at
/lib/../lib64/libpthread.so.0
3 0x0000564b21456889 in qemu_mutex_lock_impl at
../util/qemu-thread-posix.c:79
4 0x0000564b213af8a5 in block_job_add_bdrv at ../blockjob.c:224
5 0x0000564b213b00ad in block_job_create at ../blockjob.c:440
6 0x0000564b21357c0a in mirror_start_job at ../block/mirror.c:1622
7 0x0000564b2135a9af in commit_active_start at ../block/mirror.c:1867
8 0x0000564b2133d132 in qmp_block_commit at ../blockdev.c:2768
9 0x0000564b2141fef3 in qmp_marshal_block_commit at
qapi/qapi-commands-block-core.c:346
10 0x0000564b214503c9 in do_qmp_dispatch_bh at
../qapi/qmp-dispatch.c:110
11 0x0000564b21451996 in aio_bh_poll at ../util/async.c:164
12 0x0000564b2146018e in aio_dispatch at ../util/aio-posix.c:381
13 0x0000564b2145187e in aio_ctx_dispatch at ../util/async.c:306
14 0x00007f9040239049 in g_main_context_dispatch at
/lib/../lib64/libglib-2.0.so.0
15 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:232
16 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:255
17 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:531
18 0x0000564b212304e1 in qemu_main_loop at ../softmmu/runstate.c:721
19 0x0000564b20f7975e in main at ../softmmu/main.c:50
In the IO thread, when bdrv_mirror_top_pwritev is called, the job is NULL and the
stop field is false. This means the MirrorBDSOpaque "s" object has not been
initialized yet; this object is initialized by block_job_create(), but the
initialization process is stuck acquiring the lock.
In this situation, the IO thread reaches bdrv_mirror_top_pwritev(), which means that
the mirror-top node is already inserted into the block graph, but its
bs->opaque->job is not initialized.
The root cause is that the qemu main thread does a release/acquire while holding
the lock; at the same time, the IO thread gets the lock after the release stage,
and the crash occurs.
Actually, in this situation, job->job.aio_context will not equal
qemu_get_aio_context(), and will be the same as bs->aio_context;
thus, there is no need to release the lock, because bdrv_root_attach_child()
will not change the context.
This patch fixes this issue.
Fixes: 132ada80 "block: Adjust AioContexts when attaching nodes"
Signed-off-by: Michael Qiu <qiudayu@huayun.com>
Message-Id: <20210203024059.52683-1-08005325@163.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
blockjob.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/blockjob.c b/blockjob.c
index 98ac8af98299ac26c50ce5e4c5bb..62f1a537399f07a88ebf520eb560 100644
--- a/blockjob.c
+++ b/blockjob.c
@@ -212,15 +212,19 @@ int block_job_add_bdrv(BlockJob *job, const char *name, BlockDriverState *bs,
uint64_t perm, uint64_t shared_perm, Error **errp)
{
BdrvChild *c;
+ bool need_context_ops;
bdrv_ref(bs);
- if (job->job.aio_context != qemu_get_aio_context()) {
+
+ need_context_ops = bdrv_get_aio_context(bs) != job->job.aio_context;
+
+ if (need_context_ops && job->job.aio_context != qemu_get_aio_context()) {
aio_context_release(job->job.aio_context);
}
c = bdrv_root_attach_child(bs, name, &child_job, 0,
job->job.aio_context, perm, shared_perm, job,
errp);
- if (job->job.aio_context != qemu_get_aio_context()) {
+ if (need_context_ops && job->job.aio_context != qemu_get_aio_context()) {
aio_context_acquire(job->job.aio_context);
}
if (c == NULL) {
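Review bot: the condition `need_context_ops && job->job.aio_context != qemu_get_aio_context()` is written out twice, once on each side of bdrv_root_attach_child(); fold the whole test into need_context_ops once so that the release and the acquire cannot drift apart in a later edit. The variable also needs a comment saying why the lock can stay held when bs is already in the job's context, since that reasoning currently exists only in the commit message.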

View File

@ -1,49 +0,0 @@
From: Bruce Rogers <brogers@suse.com>
Date: Fri, 5 Mar 2021 13:25:44 -0700
Subject: brotli: fix actual variable-array parameters to match declaration
References: boo#1181922
GCC 11 complains about the mismatch between the variable-array
parameters not being defined as such in the actual function definition.
Make them match.
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
c/dec/decode.c | 6 ++++--
c/enc/encode.c | 5 +++--
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c b/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
index 114c5057d7d91f5a634167e00d84..bb6f1ab6cc42f54720fd07f665e3 100644
--- a/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
+++ b/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/dec/decode.c
@@ -2030,8 +2030,10 @@ static BROTLI_NOINLINE BrotliDecoderErrorCode SafeProcessCommands(
}
BrotliDecoderResult BrotliDecoderDecompress(
- size_t encoded_size, const uint8_t* encoded_buffer, size_t* decoded_size,
- uint8_t* decoded_buffer) {
+ size_t encoded_size,
+ const uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(encoded_size)],
+ size_t* decoded_size,
+ uint8_t decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]) {
BrotliDecoderState s;
BrotliDecoderResult result;
size_t total_out = 0;
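Review bot: this edits vendored code under roms/edk2/BaseTools/Source/C/BrotliCompress/brotli, so the change will be lost on the next update of that tree unless it is fixed upstream as well; record the upstream status in the patch header. In the signature itself, `decoded_buffer[BROTLI_ARRAY_PARAM(*decoded_size)]` dereferences a pointer parameter inside the declarator, which deserves a brief comment pointing at the declaration it is matching.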
diff --git a/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c b/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
index 68548ef55af8036d6f0fe720e721..ab0a4906060c98461102d45ab61d 100644
--- a/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
+++ b/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/c/enc/encode.c
@@ -1470,8 +1470,9 @@ static size_t MakeUncompressedStream(
BROTLI_BOOL BrotliEncoderCompress(
int quality, int lgwin, BrotliEncoderMode mode, size_t input_size,
- const uint8_t* input_buffer, size_t* encoded_size,
- uint8_t* encoded_buffer) {
+ const uint8_t input_buffer[BROTLI_ARRAY_PARAM(input_size)],
+ size_t* encoded_size,
+ uint8_t encoded_buffer[BROTLI_ARRAY_PARAM(*encoded_size)]) {
BrotliEncoderState* s;
size_t out_size = *encoded_size;
const uint8_t* input_start = input_buffer;

View File

@ -1,74 +0,0 @@
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Date: Mon, 14 Dec 2020 16:09:38 +0100
Subject: build: -no-pie is no functional linker flag
Git-commit: bbd2d5a8120771ec59b86a80a1f51884e0a26e53
Recent binutils changes dropping unsupported options [1] caused a build
issue in regard to the optionroms.
ld -m elf_i386 -T /<<PKGBUILDDIR>>/pc-bios/optionrom//flat.lds -no-pie \
-s -o multiboot.img multiboot.o
ld.bfd: Error: unable to disambiguate: -no-pie (did you mean --no-pie ?)
This isn't really a regression in ld.bfd; filing the bug upstream
revealed that this never worked as an ld flag [2] (in fact it seems we
were by accident setting --nmagic).
Since it never had the wanted effect, this usage of LDFLAGS_NOPIE should be
droppable without any effect. This also is the only use-case of LDFLAGS_NOPIE
in .mak, therefore we can also remove it from being added there.
[1]: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=983d925d
[2]: https://sourceware.org/bugzilla/show_bug.cgi?id=27050#c5
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Message-Id: <20201214150938.1297512-1-christian.ehrhardt@canonical.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
configure | 3 ---
pc-bios/optionrom/Makefile | 1 -
2 files changed, 4 deletions(-)
diff --git a/configure b/configure
index 18c26e0389741643748c70ac7788..7ce723bbe769dac2af8456079e89 100755
--- a/configure
+++ b/configure
@@ -2121,7 +2121,6 @@ EOF
# Check we support --no-pie first; we will need this for building ROMs.
if compile_prog "-Werror -fno-pie" "-no-pie"; then
CFLAGS_NOPIE="-fno-pie"
- LDFLAGS_NOPIE="-no-pie"
fi
if test "$static" = "yes"; then
@@ -2137,7 +2136,6 @@ if test "$static" = "yes"; then
fi
elif test "$pie" = "no"; then
CONFIGURE_CFLAGS="$CFLAGS_NOPIE $CONFIGURE_CFLAGS"
- CONFIGURE_LDFLAGS="$LDFLAGS_NOPIE $CONFIGURE_LDFLAGS"
elif compile_prog "-Werror -fPIE -DPIE" "-pie"; then
CONFIGURE_CFLAGS="-fPIE -DPIE $CONFIGURE_CFLAGS"
CONFIGURE_LDFLAGS="-pie $CONFIGURE_LDFLAGS"
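Review bot: removing `CONFIGURE_LDFLAGS="$LDFLAGS_NOPIE $CONFIGURE_LDFLAGS"` from the pie=no branch goes beyond what the commit message argues. The message shows -no-pie failing in a direct ld invocation for the option ROMs, whereas this branch feeds the general configure link flags, and the sibling branch just below still adds -pie there after probing it with compile_prog. State why the non-PIE link flag is unnecessary for pie=no builds too, or keep it for that case and drop it only from the option ROM Makefile.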
@@ -6756,7 +6754,6 @@ echo "QEMU_CXXFLAGS=$QEMU_CXXFLAGS" >> $config_host_mak
echo "GLIB_CFLAGS=$glib_cflags" >> $config_host_mak
echo "GLIB_LIBS=$glib_libs" >> $config_host_mak
echo "QEMU_LDFLAGS=$QEMU_LDFLAGS" >> $config_host_mak
-echo "LDFLAGS_NOPIE=$LDFLAGS_NOPIE" >> $config_host_mak
echo "LD_I386_EMULATION=$ld_i386_emulation" >> $config_host_mak
echo "EXESUF=$EXESUF" >> $config_host_mak
echo "HOST_DSOSUF=$HOST_DSOSUF" >> $config_host_mak
diff --git a/pc-bios/optionrom/Makefile b/pc-bios/optionrom/Makefile
index 084fc10f0540b62df06c476bb11c..30771f8d17cb2143eb7bbb004ceb 100644
--- a/pc-bios/optionrom/Makefile
+++ b/pc-bios/optionrom/Makefile
@@ -41,7 +41,6 @@ override CFLAGS += $(call cc-option, $(Wa)-32)
LD_I386_EMULATION ?= elf_i386
override LDFLAGS = -m $(LD_I386_EMULATION) -T $(SRC_DIR)/flat.lds
-override LDFLAGS += $(LDFLAGS_NOPIE)
all: multiboot.bin linuxboot.bin linuxboot_dma.bin kvmvapic.bin pvh.bin

View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:efac9c8c227a19a38d7ab7ce7739d477c22732a6f6fcee07ce6b86d5d4f88ea7
size 109568
oid sha256:6ffc77f1d0e614c0f9b05329be58af08284d7d00063ef72cda10d54ef40c89ba
size 52160

View File

@ -1,39 +0,0 @@
From: Alexander Bulekov <alxndr@bu.edu>
Date: Mon, 1 Mar 2021 14:33:43 -0500
Subject: cadence_gem: switch to use qemu_receive_packet() for loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: e73adfbeec9d4e008630c814759052ed945c3fed
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/cadence_gem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index 7a534691f1f43ab4fefaf2f82dc9..43b760e3f1b7fb9bf0d116361713 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -1275,8 +1275,8 @@ static void gem_transmit(CadenceGEMState *s)
/* Send the packet somewhere */
if (s->phy_loop || (s->regs[GEM_NWCTRL] &
GEM_NWCTRL_LOCALLOOP)) {
- gem_receive(qemu_get_queue(s->nic), s->tx_packet,
- total_bytes);
+ qemu_receive_packet(qemu_get_queue(s->nic), s->tx_packet,
+ total_bytes);
} else {
qemu_send_packet(qemu_get_queue(s->nic), s->tx_packet,
total_bytes);
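Review bot: add a comment at this call saying that local loopback must go through qemu_receive_packet() rather than calling gem_receive() directly, because nothing in gem_transmit() itself shows that the choice is a reentrancy guard and the direct call is the obvious thing to restore in a later cleanup. The result of the call is also discarded, so a frame dropped by the guard is indistinguishable here from a delivered one; say whether that is intended.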

View File

@ -18,12 +18,12 @@ UPSTREAM_GIT_REPO=https://gitlab.com/qemu-project/qemu.git
# The following specifies the upstream tag or commit upon which our patchqueue
# gets rebased. The special value LATEST may be used to "automatically" track
# the upstream development tree in the master branch
GIT_UPSTREAM_COMMIT_ISH=v5.2.0
GIT_UPSTREAM_COMMIT_ISH=v6.0.0
# WARNING: If transitioning from using LATEST to not, MANUALLY re-set the
# tarball present. If transitioning TO LATEST, make sure that
# NEXT_RELEASE_IS_MAJOR is set correctly
# This is used to choose the version number when LATEST processing is active
NEXT_RELEASE_IS_MAJOR=1
NEXT_RELEASE_IS_MAJOR=0
# Unfortunately, SeaBIOS doesn't always follow an "always increasing" version
# model, so there may be times we should overide the automated version setting.

View File

@ -12,10 +12,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure b/configure
index 7ce723bbe769dac2af8456079e89..a1312935a5683ed740c9b6143c6b 100755
index 4f374b48890e7f1a868672f2fe49..9de240a6b3e7fb7d72b57353546a 100755
--- a/configure
+++ b/configure
@@ -5858,7 +5858,7 @@ if { test "$cpu" = "i386" || test "$cpu" = "x86_64"; } && \
@@ -5417,7 +5417,7 @@ if { test "$cpu" = "i386" || test "$cpu" = "x86_64"; } && \
fi
# Only build s390-ccw bios if we're on s390x and the compiler has -march=z900

View File

@ -18,10 +18,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure b/configure
index a1312935a5683ed740c9b6143c6b..2ed5366e82a194946a5a2ca12bac 100755
index 9de240a6b3e7fb7d72b57353546a..ceec2d3830ed44083a6c22295e70 100755
--- a/configure
+++ b/configure
@@ -6045,7 +6045,7 @@ echo "TARGET_DIRS=$target_list" >> $config_host_mak
@@ -5581,7 +5581,7 @@ echo "TARGET_DIRS=$target_list" >> $config_host_mak
if test "$modules" = "yes"; then
# $shacmd can generate a hash started with digit, which the compiler doesn't
# like as an symbol. So prefix it with an underscore

View File

@ -1,60 +0,0 @@
From: Greg Kurz <groug@kaod.org>
Date: Fri, 9 Apr 2021 18:03:39 +0200
Subject: cpu/core: Fix "help" of CPU core device types
Git-commit: 0b47ec4b95ad1952e55e639711d442f8ec6e1345
Calling qdev_get_machine() from a QOM instance_init function is
fragile because we can't be sure the machine object actually
exists. And this happens to break when passing ",help" on the
command line to get the list of properties for CPU core
device types:
$ ./qemu-system-ppc64 -device power8_v2.0-spapr-cpu-core,help
qemu-system-ppc64: ../../hw/core/machine.c:1290:
qdev_get_machine: Assertion `machine != NULL' failed.
Aborted (core dumped)
This used to work before QEMU 5.0, but commit 3df261b6676b
unwillingly introduced a subtle regression: the above command
line needs to create an instance but the instance_init function
of the base class calls qdev_get_machine() before
qemu_create_machine() has been called, which is a programming bug.
Use current_machine instead. It is okay to skip the setting of
nr_thread in this case since only its type is displayed.
Fixes: 3df261b6676b ("softmmu/vl.c: Handle '-cpu help' and '-device help' before 'no default machine'")
Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Greg Kurz <groug@kaod.org>
Cc: peter.maydell@linaro.org
Message-Id: <20210409160339.500167-3-groug@kaod.org>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/cpu/core.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/hw/cpu/core.c b/hw/cpu/core.c
index 92d3b2fbad62cc3dd7656f148bfd..9876075155743d8966a8383412fd 100644
--- a/hw/cpu/core.c
+++ b/hw/cpu/core.c
@@ -66,10 +66,16 @@ static void core_prop_set_nr_threads(Object *obj, Visitor *v, const char *name,
static void cpu_core_instance_init(Object *obj)
{
- MachineState *ms = MACHINE(qdev_get_machine());
CPUCore *core = CPU_CORE(obj);
- core->nr_threads = ms->smp.threads;
+ /*
+ * Only '-device something-cpu-core,help' can get us there before
+ * the machine has been created. We don't care to set nr_threads
+ * in this case since it isn't used afterwards.
+ */
+ if (current_machine) {
+ core->nr_threads = current_machine->smp.threads;
+ }
}
static void cpu_core_class_init(ObjectClass *oc, void *data)
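Review bot: when current_machine is NULL, cpu_core_instance_init() now leaves core->nr_threads unset, relying on the comment's claim that only the ',help' path can get here before the machine exists. Nothing in the hunk enforces that assumption, so any other caller that instantiates a core this early would silently continue with whatever value the field starts with. Set an explicit value in that case, or document which value nr_threads holds and where it is validated later.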

View File

@ -0,0 +1,23 @@
From: Bruce Rogers <brogers@suse.com>
Date: Fri, 29 Jan 2021 20:06:16 -0700
Subject: doc: add our support doc to the main project doc for x86 and s390x
Include-If: %if %{legacy_qemu_kvm}
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
docs/index.rst | 1 +
1 file changed, 1 insertion(+)
diff --git a/docs/index.rst b/docs/index.rst
index 763e3d0426e8b15245b6ff0d0611..b659236f162532ea64931ec3e674 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -10,6 +10,7 @@ Welcome to QEMU's documentation!
:maxdepth: 2
:caption: Contents:
+ supported.rst
system/index
user/index
tools/index
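Review bot: the new toctree entry is written `supported.rst` with the file extension, while the neighbouring entries (system/index, user/index, tools/index) omit it; use the same form as the others unless the extension is required. The patch header should also say where the referenced document comes from, since this hunk adds only the reference and the diffstat lists one changed file.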

View File

@ -1,27 +0,0 @@
From: Bruce Rogers <brogers@suse.com>
Date: Tue, 28 Apr 2020 09:53:49 -0600
Subject: docs: add SUSE support statements to html docs
Include-If: %if %{legacy_qemu_kvm}
We can fairly easily produce an html version of our support statements.
Now that qemu includes fairly good html-based documentation, leverage it
to expose our SUSE specific in-package support documentation.
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
docs/index.html.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/docs/index.html.in b/docs/index.html.in
index 33db4396ac83b95b60ef16580d31..ba157bf3c8dcace7149eabf171af 100644
--- a/docs/index.html.in
+++ b/docs/index.html.in
@@ -7,6 +7,7 @@
<body>
<h1>QEMU @VERSION@ Documentation</h1>
<ul>
+ <li><a href="/usr/share/doc/packages/qemu-kvm/kvm-supported.html">SUSE Support Statements</a></li>
<li><a href="system/index.html">System Emulation User's Guide</a></li>
<li><a href="user/index.html">User Mode Emulation User's Guide</a></li>
<li><a href="tools/index.html">Tools Guide</a></li>
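Review bot: the added link uses an absolute filesystem path, /usr/share/doc/packages/qemu-kvm/kvm-supported.html, while every other entry in the list is relative to the documentation root. It resolves only when the page is opened from a local install that has that exact package path; viewed from any other location it is a dead link. A relative path to a copy installed alongside the generated docs would be more robust.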

View File

@ -1,36 +0,0 @@
From: Jason Wang <jasowang@redhat.com>
Date: Wed, 24 Feb 2021 12:57:40 +0800
Subject: dp8393x: switch to use qemu_receive_packet() for loopback packet
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 331d2ac9ea307c990dc86e6493e8f0c48d14bb33
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/dp8393x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 205c0decc535724de568023e9f23..533a8304d0bc4b7b8a7750389cc0 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
if (nc->info->can_receive(nc)) {
s->loopback_packet = 1;
- nc->info->receive(nc, s->tx_buffer, tx_len);
+ qemu_receive_packet(nc, s->tx_buffer, tx_len);
}
} else {
/* Transmit packet */
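Review bot: s->loopback_packet is set to 1 before the call, and nothing in this hunk clears it if qemu_receive_packet() returns early without invoking the receive handler. Check where the flag is reset and make sure the early-return case cannot leave it set for the next frame the device receives. The nc->info->can_receive(nc) call just above is still a direct callback invocation; state whether it is safe to keep as is.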

View File

@ -1,50 +0,0 @@
From: Jason Wang <jasowang@redhat.com>
Date: Wed, 24 Feb 2021 13:45:28 +0800
Subject: e1000: fail early for evil descriptor
Git-commit: 3de46e6fc489c52c9431a8a832ad8170a7569bd8
References: bsc#1182577, CVE-2021-20257
During process_tx_desc(), the driver can try to chain a data descriptor with
a legacy descriptor, which will lead to an underflow for the following
calculation in process_tx_desc() for bytes:
if (tp->size + bytes > msh)
bytes = msh - tp->size;
This will lead to an infinite loop. So check and fail early if tp->size is
greater or equal to msh.
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/e1000.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index d7d05ae30afafb2e7979c74564a6..02a446b89bae0dec0acdefa54760 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
msh = tp->tso_props.hdr_len + tp->tso_props.mss;
do {
bytes = split_size;
+ if (tp->size >= msh) {
+ goto eop;
+ }
if (tp->size + bytes > msh)
bytes = msh - tp->size;
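Review bot: the new `if (tp->size >= msh) goto eop;` drops the malformed descriptor chain silently. The condition is reachable only from guest-supplied descriptors, so a guest-error log or trace point at the jump would make it visible when diagnosing a misbehaving or hostile guest. A one-line comment naming the underflow in `bytes = msh - tp->size` that the check prevents would also help, since the reason is otherwise recorded only in the commit message.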
@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
tp->size += split_size;
}
+eop:
if (!(txd_lower & E1000_TXD_CMD_EOP))
return;
if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {

View File

@ -1,36 +0,0 @@
From: Jason Wang <jasowang@redhat.com>
Date: Wed, 24 Feb 2021 12:13:22 +0800
Subject: e1000: switch to use qemu_receive_packet() for loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 1caff0340f49c93d535c6558a5138d20d475315c
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/e1000.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index 02a446b89bae0dec0acdefa54760..c3564c7ce814004f72ab42854542 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
NetClientState *nc = qemu_get_queue(s->nic);
if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
- nc->info->receive(nc, buf, size);
+ qemu_receive_packet(nc, buf, size);
} else {
qemu_send_packet(nc, buf, size);
}
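Review bot: the result of `qemu_receive_packet(nc, buf, size)` is discarded, as the result of the old `nc->info->receive()` call was, so when the reentrancy check makes it return early the loopback frame is dropped without any trace. A short comment at the call site saying that the drop is intentional would tie the code to the CVE named in the commit message.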


@ -1,87 +0,0 @@
From: Gavin Shan <gshan@redhat.com>
Date: Thu, 18 Mar 2021 10:38:01 +0800
Subject: hw/arm/virt: Disable pl011 clock migration if needed
Git-commit: e6fa978d8343ec7cf20b9c8b2dcb390646242457
A clock is added by commit aac63e0e6ea3 ("hw/char/pl011: add a clock
input") since v5.2.0 which corresponds to virt-5.2 machine type. It
causes backwards migration failure from upstream to downstream (v5.1.0)
when the machine type is specified with virt-5.1.
This fixes the issue by following instructions from section "Connecting
subsections to properties" in docs/devel/migration.rst. With this applied,
the PL011 clock is migrated based on the machine type.
virt-5.2 or newer: migration
virt-5.1 or older: non-migration
Cc: qemu-stable@nongnu.org # v5.2.0+
Fixes: aac63e0e6ea3 ("hw/char/pl011: add a clock input")
Suggested-by: Andrew Jones <drjones@redhat.com>
Signed-off-by: Gavin Shan <gshan@redhat.com>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Message-id: 20210318023801.18287-1-gshan@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/char/pl011.c | 9 +++++++++
hw/core/machine.c | 1 +
include/hw/char/pl011.h | 1 +
3 files changed, 11 insertions(+)
diff --git a/hw/char/pl011.c b/hw/char/pl011.c
index ede16c781c9abcbeaf3ffb8f5c73..74cfa6cd663e397fdc4ba6d3bfe9 100644
--- a/hw/char/pl011.c
+++ b/hw/char/pl011.c
@@ -321,10 +321,18 @@ static const MemoryRegionOps pl011_ops = {
.endianness = DEVICE_NATIVE_ENDIAN,
};
+static bool pl011_clock_needed(void *opaque)
+{
+ PL011State *s = PL011(opaque);
+
+ return s->migrate_clk;
+}
+
static const VMStateDescription vmstate_pl011_clock = {
.name = "pl011/clock",
.version_id = 1,
.minimum_version_id = 1,
+ .needed = pl011_clock_needed,
.fields = (VMStateField[]) {
VMSTATE_CLOCK(clk, PL011State),
VMSTATE_END_OF_LIST()
@@ -362,6 +370,7 @@ static const VMStateDescription vmstate_pl011 = {
static Property pl011_properties[] = {
DEFINE_PROP_CHR("chardev", PL011State, chr),
+ DEFINE_PROP_BOOL("migrate-clk", PL011State, migrate_clk, true),
DEFINE_PROP_END_OF_LIST(),
};
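Review bot: `DEFINE_PROP_BOOL("migrate-clk", PL011State, migrate_clk, true)` makes the switch a user-settable device property, yet it is only meant to be driven by the hw_compat_5_1 entry. A comment above the property, and on `bool migrate_clk` in the header, saying it exists for machine-type compatibility and that source and destination must agree on it would keep someone from setting it by hand and breaking migration in the other direction.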
diff --git a/hw/core/machine.c b/hw/core/machine.c
index 9e83400ecbfdd1c8ab20a54ff39c..72ceba57def38ca9dd5c683a71c4 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -36,6 +36,7 @@ GlobalProperty hw_compat_5_1[] = {
{ "virtio-scsi-device", "num_queues", "1"},
{ "nvme", "use-intel-id", "on"},
{ "pvpanic", "events", "1"}, /* PVPANIC_PANICKED */
+ { "pl011", "migrate-clk", "off" },
};
const size_t hw_compat_5_1_len = G_N_ELEMENTS(hw_compat_5_1);
diff --git a/include/hw/char/pl011.h b/include/hw/char/pl011.h
index 33e5e5317b82caaf39078a10b821..dc2c90eedca7b5f23d9db0c3a4ec 100644
--- a/include/hw/char/pl011.h
+++ b/include/hw/char/pl011.h
@@ -50,6 +50,7 @@ struct PL011State {
CharBackend chr;
qemu_irq irq[6];
Clock *clk;
+ bool migrate_clk;
const unsigned char *id;
};


@ -1,36 +0,0 @@
From: Zenghui Yu <yuzenghui@huawei.com>
Date: Fri, 2 Apr 2021 16:47:31 +0800
Subject: hw/arm/virt-acpi-build: Fix GSIV values of the {GERR, Sync}
interrupts
Git-commit: 0c38f607836af40921ea2b58676b7c4a9fe33bef
The GSIV values in SMMUv3 IORT node are not correct as they don't match
the SMMUIrq enumeration, which describes the IRQ<->PIN mapping used by
our emulated vSMMU.
Fixes: a703b4f6c1ee ("hw/arm/virt-acpi-build: Add smmuv3 node in IORT table")
Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
Acked-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20210402084731.93-1-yuzenghui@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/arm/virt-acpi-build.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index 9747a6458f0bfd34a3c2b3fda96a..6cd17c58c5535ee7277292b7372f 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -287,8 +287,8 @@ build_iort(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
smmu->flags = cpu_to_le32(ACPI_IORT_SMMU_V3_COHACC_OVERRIDE);
smmu->event_gsiv = cpu_to_le32(irq);
smmu->pri_gsiv = cpu_to_le32(irq + 1);
- smmu->gerr_gsiv = cpu_to_le32(irq + 2);
- smmu->sync_gsiv = cpu_to_le32(irq + 3);
+ smmu->sync_gsiv = cpu_to_le32(irq + 2);
+ smmu->gerr_gsiv = cpu_to_le32(irq + 3);
/* Identity RID mapping covering the whole input RID range */
idmap = &smmu->id_mapping_array[0];
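Review bot: the offsets `irq + 2` and `irq + 3` are still bare literals, so the IORT node can drift from the SMMUIrq enumeration again, which is exactly the mismatch the commit message describes. Writing all four GSIVs as irq plus the corresponding SMMUIrq enumerator would tie the table to the enumeration directly.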


@ -1,47 +0,0 @@
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
Date: Wed, 7 Apr 2021 15:37:42 +0200
Subject: hw/block/fdc: Fix 'fallback' property on sysbus floppy disk
controllers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: da64789d3a16b2c5b5f1be9c75b00c2b8ae393a0
Setting the 'fallback' property corrupts the QOM instance state
(FDCtrlSysBus) because it accesses an incorrect offset (it uses
the offset of the FDCtrlISABus state).
Cc: qemu-stable@nongnu.org
Fixes: a73275dd6fc ("fdc: Add fallback option")
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210407133742.1680424-1-f4bug@amsat.org>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/block/fdc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/block/fdc.c b/hw/block/fdc.c
index d6ba6c8f730092632770cf66908b..11a43cd4a18c02e3492d3f171049 100644
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@@ -2961,7 +2961,7 @@ static Property sysbus_fdc_properties[] = {
DEFINE_PROP_SIGNED("fdtypeB", FDCtrlSysBus, state.qdev_for_drives[1].type,
FLOPPY_DRIVE_TYPE_AUTO, qdev_prop_fdc_drive_type,
FloppyDriveType),
- DEFINE_PROP_SIGNED("fallback", FDCtrlISABus, state.fallback,
+ DEFINE_PROP_SIGNED("fallback", FDCtrlSysBus, state.fallback,
FLOPPY_DRIVE_TYPE_144, qdev_prop_fdc_drive_type,
FloppyDriveType),
DEFINE_PROP_END_OF_LIST(),
@@ -2987,7 +2987,7 @@ static Property sun4m_fdc_properties[] = {
DEFINE_PROP_SIGNED("fdtype", FDCtrlSysBus, state.qdev_for_drives[0].type,
FLOPPY_DRIVE_TYPE_AUTO, qdev_prop_fdc_drive_type,
FloppyDriveType),
- DEFINE_PROP_SIGNED("fallback", FDCtrlISABus, state.fallback,
+ DEFINE_PROP_SIGNED("fallback", FDCtrlSysBus, state.fallback,
FLOPPY_DRIVE_TYPE_144, qdev_prop_fdc_drive_type,
FloppyDriveType),
DEFINE_PROP_END_OF_LIST(),
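Review bot: the same `FDCtrlISABus` slip had to be fixed in both sysbus_fdc_properties and sun4m_fdc_properties, which shows that the `fallback` entry is copy-pasted per bus type. DEFINE_PROP_SIGNED takes the state type as a plain argument, so a mismatch compiles cleanly; a test that sets `fallback` on a sysbus controller, or a local macro that fixes the type for all entries of one table, would catch a recurrence.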


@ -1,65 +0,0 @@
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
Date: Sun, 31 Jan 2021 11:34:01 +0100
Subject: hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: edfe2eb4360cde4ed5d95bda7777edcb3510f76a
References: bsc#1181933
Per the ARM Generic Interrupt Controller Architecture specification
(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
not 10:
- 4.3 Distributor register descriptions
- 4.3.15 Software Generated Interrupt Register, GICD_SG
- Table 4-21 GICD_SGIR bit assignments
The Interrupt ID of the SGI to forward to the specified CPU
interfaces. The value of this field is the Interrupt ID, in
the range 0-15, for example a value of 0b0011 specifies
Interrupt ID 3.
Correct the irq mask to fix an undefined behavior (which eventually
leads to a heap-buffer-overflow, see [Buglink]):
$ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
[I 1612088147.116987] OPENED
[R +0.278293] writel 0x8000f00 0xff4affb0
../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
This fixes a security issue when running with KVM on Arm with
kernel-irqchip=off. (The default is kernel-irqchip=on, which is
unaffected, and which is also the correct choice for performance.)
Cc: qemu-stable@nongnu.org
Fixes: CVE-2021-20221
Fixes: 9ee6e8bb853 ("ARMv7 support.")
Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210131103401.217160-1-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/intc/arm_gic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index c60dc6b5e6e519e61b20dda66c7b..fbde60de05a20a607a64a5a91bad 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -1474,7 +1474,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
int target_cpu;
cpu = gic_get_current_cpu(s);
- irq = value & 0x3ff;
+ irq = value & 0xf;
switch ((value >> 24) & 3) {
case 0:
mask = (value >> 16) & ALL_CPU_MASK;
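Review bot: the literal in `irq = value & 0xf;` encodes the 4-bit SGIINTID width that the commit message cites from the GIC specification, but nothing in the code says so. A named mask or a short comment pointing at GICD_SGIR would keep a later edit from widening it again and reintroducing the out-of-bounds index into the `uint8_t [16][8]` array shown in the sanitizer output.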


@ -1,33 +0,0 @@
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
Date: Tue, 2 Mar 2021 09:00:42 +0100
Subject: hw/isa/Kconfig: Add missing dependency VIA VT82C686 -> APM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 50fab4cc672233fee22fff2cf51543af57602c7d
TYPE_VIA_PM calls apm_init() in via_pm_realize(), so
requires APM to be selected.
Reported-by: BALATON Zoltan <balaton@eik.bme.hu>
Fixes: dd0ff8191ab ("isa: express SuperIO dependencies with Kconfig")
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210302080531.913802-1-f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/isa/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/isa/Kconfig b/hw/isa/Kconfig
index c7f07854f7e7777a03c7dd1db0d0..9c026d0c5103b87b3e8c9348a8d0 100644
--- a/hw/isa/Kconfig
+++ b/hw/isa/Kconfig
@@ -47,6 +47,7 @@ config VT82C686
select ACPI_SMBUS
select SERIAL_ISA
select FDC
+ select APM
config SMC37C669
bool


@ -1,62 +0,0 @@
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
Date: Wed, 24 Mar 2021 14:54:43 +0100
Subject: hw/isa/piix4: Migrate Reset Control Register
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 62271205bcfaee440d06c06060ee79dac657caff
When adding the Reset register in commit 5790b757cfb we
forgot to migrate it.
While it is possible a VM using the PIIX4 is migrated just
after requesting a system shutdown, it is very unlikely.
However, when restoring a migrated VM, we might have the
RCR bit #4 set on the stack, and when the VM resumes it
directly shuts down.
Add a post_load() migration handler and set the default
RCR value to 0 for earlier versions, assuming the VM was
not going to shut down before migration.
Fixes: 5790b757cfb ("piix4: Add the Reset Control Register")
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20210324200334.729899-1-f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/isa/piix4.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/hw/isa/piix4.c b/hw/isa/piix4.c
index a50d97834c760e3ebc5103614ee9..b3b6a4378a334b1a4bf0105a6857 100644
--- a/hw/isa/piix4.c
+++ b/hw/isa/piix4.c
@@ -93,12 +93,25 @@ static void piix4_isa_reset(DeviceState *dev)
pci_conf[0xae] = 0x00;
}
+static int piix4_ide_post_load(void *opaque, int version_id)
+{
+ PIIX4State *s = opaque;
+
+ if (version_id == 2) {
+ s->rcr = 0;
+ }
+
+ return 0;
+}
+
static const VMStateDescription vmstate_piix4 = {
.name = "PIIX4",
- .version_id = 2,
+ .version_id = 3,
.minimum_version_id = 2,
+ .post_load = piix4_ide_post_load,
.fields = (VMStateField[]) {
VMSTATE_PCI_DEVICE(dev, PIIX4State),
+ VMSTATE_UINT8_V(rcr, PIIX4State, 3),
VMSTATE_END_OF_LIST()
}
};
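Review bot: the handler is named `piix4_ide_post_load`, but it takes a PIIX4State and is wired into `vmstate_piix4`, so the "ide" in the name is misleading; `piix4_post_load` would match what it does. The `version_id == 2` test would also read more robustly as `version_id < 3`, mirroring the version given in `VMSTATE_UINT8_V(rcr, PIIX4State, 3)`.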


@ -1,36 +0,0 @@
From: Peter Maydell <peter.maydell@linaro.org>
Date: Fri, 8 Jan 2021 18:04:00 +0000
Subject: hw/net/lan9118: Fix RX Status FIFO PEEK value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: e7e29fdbbe07fb762d85af9c4d8eeff9b0f52a8e
A copy-and-paste error meant that the return value for register offset 0x44
(the RX Status FIFO PEEK register) returned a byte from a bogus offset in
the rx status FIFO. Fix the typo.
Cc: qemu-stable@nongnu.org
Fixes: https://bugs.launchpad.net/qemu/+bug/1904954
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210108180401.2263-2-peter.maydell@linaro.org
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/lan9118.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index ab57c02c8e10d3ea1feb258fa4c5..13d469fe24fd8dd3a03eb2b60a58 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -1206,7 +1206,7 @@ static uint64_t lan9118_readl(void *opaque, hwaddr offset,
case 0x40:
return rx_status_fifo_pop(s);
case 0x44:
- return s->rx_status_fifo[s->tx_status_fifo_head];
+ return s->rx_status_fifo[s->rx_status_fifo_head];
case 0x48:
return tx_status_fifo_pop(s);
case 0x4c:
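Review bot: the fix open-codes `s->rx_status_fifo[s->rx_status_fifo_head]` right next to `rx_status_fifo_pop(s)`; a small peek helper beside the pop helper would remove the chance of pairing one FIFO's array with the other FIFO's head index. The `case 0x4c:` that follows `tx_status_fifo_pop(s)` is cut off in the context and is worth checking for the mirror-image mistake.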


@ -1,40 +0,0 @@
From: Halil Pasic <pasic@linux.ibm.com>
Date: Thu, 18 Feb 2021 04:40:59 +0100
Subject: hw/s390x: fix build for virtio-9p-ccw
Git-commit: 24056cbfd577fd219d55c03f69df66e6351456e7
References: bsc#1182496
Commit 2c44220d05 ("meson: convert hw/arch*"), which migrated the old
Makefile.objs to meson.build accidentally excluded virtio-ccw-9p.c and
thus the virtio-9p-ccw device from the build (and potentially also
included the file virtio-ccw-blk.c twice in the source set). And since
CONFIG_VIRTFS can't be used the way it was used here (see commit
2c9dce0196 ("meson: do not use CONFIG_VIRTFS")), the preconditions have
to be written differently.
Let's fix this!
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Fixes: 2c44220d05 ("meson: convert hw/arch*")
Reported-by: Jakob Naucke <jakob.naucke@ibm.com>
Cc: qemu-stable@nongnu.org
[BR: back out the part which depends on the have_virtfs change]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/s390x/meson.build | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/s390x/meson.build b/hw/s390x/meson.build
index 2a7818d94b94d3832c0e944ecc42..e53b7a69930a27dd030994ab6a54 100644
--- a/hw/s390x/meson.build
+++ b/hw/s390x/meson.build
@@ -40,7 +40,7 @@ virtio_ss.add(when: 'CONFIG_VIRTIO_NET', if_true: files('virtio-ccw-net.c'))
virtio_ss.add(when: 'CONFIG_VIRTIO_RNG', if_true: files('virtio-ccw-rng.c'))
virtio_ss.add(when: 'CONFIG_VIRTIO_SCSI', if_true: files('virtio-ccw-scsi.c'))
virtio_ss.add(when: 'CONFIG_VIRTIO_SERIAL', if_true: files('virtio-ccw-serial.c'))
-virtio_ss.add(when: ['CONFIG_VIRTIO_9P', 'CONFIG_VIRTFS'], if_true: files('virtio-ccw-blk.c'))
+virtio_ss.add(when: ['CONFIG_VIRTIO_9P', 'CONFIG_VIRTFS'], if_true: files('virtio-ccw-9p.c'))
virtio_ss.add(when: 'CONFIG_VHOST_VSOCK', if_true: files('vhost-vsock-ccw.c'))
virtio_ss.add(when: 'CONFIG_VHOST_USER_FS', if_true: files('vhost-user-fs-ccw.c'))
s390x_ss.add_all(when: 'CONFIG_VIRTIO_CCW', if_true: virtio_ss)
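Review bot: the corrected line still gates on `['CONFIG_VIRTIO_9P', 'CONFIG_VIRTFS']`, although the commit message says CONFIG_VIRTFS cannot be used this way and the `[BR: ...]` line says the part depending on have_virtfs was backed out. The message should state whether virtio-ccw-9p.c is actually built under this condition in the downstream tree; otherwise the file name is fixed but the device may still be missing from the build.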


@ -1,69 +0,0 @@
From: Bin Meng <bin.meng@windriver.com>
Date: Sat, 20 Feb 2021 16:58:13 +0800
Subject: hw/sd: sd: Actually perform the erase operation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 818a5cdcfcf0a55d60b59b2cb74482ef4ba6b205
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
At present the sd_erase() does not erase the requested range of card
data to 0xFFs. Let's make the erase operation actually happen.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Message-Id: <1613811493-58815-1-git-send-email-bmeng.cn@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/sd/sd.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 6719cda1a0db8e6afa04c2b23915..26a5ae4d202656b4d04547cac8b8 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -779,10 +779,12 @@ static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
static void sd_erase(SDState *sd)
{
- int i;
uint64_t erase_start = sd->erase_start;
uint64_t erase_end = sd->erase_end;
bool sdsc = true;
+ uint64_t wpnum;
+ uint64_t erase_addr;
+ int erase_len = 1 << HWBLOCK_SHIFT;
trace_sdcard_erase(sd->erase_start, sd->erase_end);
if (sd->erase_start == INVALID_ADDRESS
@@ -811,17 +813,19 @@ static void sd_erase(SDState *sd)
sd->erase_end = INVALID_ADDRESS;
sd->csd[14] |= 0x40;
- /* Only SDSC cards support write protect groups */
- if (sdsc) {
- erase_start = sd_addr_to_wpnum(erase_start);
- erase_end = sd_addr_to_wpnum(erase_end);
-
- for (i = erase_start; i <= erase_end; i++) {
- assert(i < sd->wpgrps_size);
- if (test_bit(i, sd->wp_groups)) {
+ memset(sd->data, 0xff, erase_len);
+ for (erase_addr = erase_start; erase_addr <= erase_end;
+ erase_addr += erase_len) {
+ if (sdsc) {
+ /* Only SDSC cards support write protect groups */
+ wpnum = sd_addr_to_wpnum(erase_addr);
+ assert(wpnum < sd->wpgrps_size);
+ if (test_bit(wpnum, sd->wp_groups)) {
sd->card_status |= WP_ERASE_SKIP;
+ continue;
}
}
+ BLK_WRITE_BLOCK(erase_addr, erase_len);
}
}
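Review bot: in the new loop, `BLK_WRITE_BLOCK(erase_addr, erase_len)` always writes a full erase_len block while the bound is `erase_addr <= erase_end`, so the last write can extend past erase_end, and nothing in this hunk bounds erase_addr + erase_len against the card size. Either clamp the final length or add a comment stating the alignment and size guarantees that hold here. The `memset(sd->data, 0xff, erase_len)` also overwrites the shared data buffer, which deserves a comment on why that is safe at this point.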


@ -1,35 +0,0 @@
From: Bin Meng <bin.meng@windriver.com>
Date: Sun, 28 Feb 2021 13:06:09 +0800
Subject: hw/sd: sd: Fix build error when DEBUG_SD is on
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: a78d9f27b73de3c42f376540bd1d1d0570eb1fa3
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
"qemu-common.h" should be included to provide the forward declaration
of qemu_hexdump() when DEBUG_SD is on.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210228050609.24779-1-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/sd/sd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index a4ea365f4a74afd30dee5b16eebe..6719cda1a0db8e6afa04c2b23915 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -46,6 +46,7 @@
#include "qemu/timer.h"
#include "qemu/log.h"
#include "qemu/module.h"
+#include "qemu-common.h"
#include "sdmmc-internal.h"
#include "trace.h"


@ -1,83 +0,0 @@
From: Bin Meng <bin.meng@windriver.com>
Date: Tue, 16 Feb 2021 23:02:21 +0800
Subject: hw/sd: sd: Move the sd_block_{read, write} and macros ahead
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: ce6ea2efc5fb308ebf11339276f60215fe0ec44c
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
These APIs and macros may be referenced by functions that are
currently before them. Move them ahead a little bit.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210216150225.27996-5-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/sd/sd.c | 42 +++++++++++++++++++++---------------------
1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index 5cdcd54cfcbf467342b2e485ac3e..ac48140251de7845a01ab4ad656c 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -755,6 +755,27 @@ void sd_set_cb(SDState *sd, qemu_irq readonly, qemu_irq insert)
qemu_set_irq(insert, sd->blk ? blk_is_inserted(sd->blk) : 0);
}
+static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
+{
+ trace_sdcard_read_block(addr, len);
+ if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
+ fprintf(stderr, "sd_blk_read: read error on host side\n");
+ }
+}
+
+static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
+{
+ trace_sdcard_write_block(addr, len);
+ if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
+ fprintf(stderr, "sd_blk_write: write error on host side\n");
+ }
+}
+
+#define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
+#define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
+#define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
+#define APP_WRITE_BLOCK(a, len)
+
static void sd_erase(SDState *sd)
{
int i;
@@ -1815,27 +1836,6 @@ send_response:
return rsplen;
}
-static void sd_blk_read(SDState *sd, uint64_t addr, uint32_t len)
-{
- trace_sdcard_read_block(addr, len);
- if (!sd->blk || blk_pread(sd->blk, addr, sd->data, len) < 0) {
- fprintf(stderr, "sd_blk_read: read error on host side\n");
- }
-}
-
-static void sd_blk_write(SDState *sd, uint64_t addr, uint32_t len)
-{
- trace_sdcard_write_block(addr, len);
- if (!sd->blk || blk_pwrite(sd->blk, addr, sd->data, len, 0) < 0) {
- fprintf(stderr, "sd_blk_write: write error on host side\n");
- }
-}
-
-#define BLK_READ_BLOCK(a, len) sd_blk_read(sd, a, len)
-#define BLK_WRITE_BLOCK(a, len) sd_blk_write(sd, a, len)
-#define APP_READ_BLOCK(a, len) memset(sd->data, 0xec, len)
-#define APP_WRITE_BLOCK(a, len)
-
void sd_write_byte(SDState *sd, uint8_t value)
{
int i;


@ -1,71 +0,0 @@
From: Bin Meng <bin.meng@windriver.com>
Date: Tue, 16 Feb 2021 23:02:22 +0800
Subject: hw/sd: sd: Skip write protect groups check in sd_erase() for high
capacity cards
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 2473dc4022458dcc05ec367ce97edbef29d7e50c
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
High capacity cards don't support write protection hence we should
not perform the write protect groups check in sd_erase() for them.
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210216150225.27996-6-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/sd/sd.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/hw/sd/sd.c b/hw/sd/sd.c
index ac48140251de7845a01ab4ad656c..a4ea365f4a74afd30dee5b16eebe 100644
--- a/hw/sd/sd.c
+++ b/hw/sd/sd.c
@@ -781,6 +781,7 @@ static void sd_erase(SDState *sd)
int i;
uint64_t erase_start = sd->erase_start;
uint64_t erase_end = sd->erase_end;
+ bool sdsc = true;
trace_sdcard_erase(sd->erase_start, sd->erase_end);
if (sd->erase_start == INVALID_ADDRESS
@@ -795,6 +796,7 @@ static void sd_erase(SDState *sd)
/* High capacity memory card: erase units are 512 byte blocks */
erase_start *= 512;
erase_end *= 512;
+ sdsc = false;
}
if (sd->erase_start > sd->size || sd->erase_end > sd->size) {
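Review bot: the range check in the trailing context, `if (sd->erase_start > sd->size || sd->erase_end > sd->size)`, tests the unscaled sd->erase_start and sd->erase_end fields, not the locals that were just multiplied by 512 a few lines above where `sdsc = false` is added. If sd->size is in bytes, a high-capacity range can pass this check and still lie beyond the card; comparing the scaled `erase_start` and `erase_end` would close that gap.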
@@ -804,16 +806,20 @@ static void sd_erase(SDState *sd)
return;
}
- erase_start = sd_addr_to_wpnum(erase_start);
- erase_end = sd_addr_to_wpnum(erase_end);
sd->erase_start = INVALID_ADDRESS;
sd->erase_end = INVALID_ADDRESS;
sd->csd[14] |= 0x40;
- for (i = erase_start; i <= erase_end; i++) {
- assert(i < sd->wpgrps_size);
- if (test_bit(i, sd->wp_groups)) {
- sd->card_status |= WP_ERASE_SKIP;
+ /* Only SDSC cards support write protect groups */
+ if (sdsc) {
+ erase_start = sd_addr_to_wpnum(erase_start);
+ erase_end = sd_addr_to_wpnum(erase_end);
+
+ for (i = erase_start; i <= erase_end; i++) {
+ assert(i < sd->wpgrps_size);
+ if (test_bit(i, sd->wp_groups)) {
+ sd->card_status |= WP_ERASE_SKIP;
+ }
}
}
}
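Review bot: the loop counter `i` is an `int` while erase_start and erase_end are `uint64_t`, so `for (i = erase_start; i <= erase_end; i++)` relies on the write-protect group numbers fitting in an int; a `uint64_t` counter would remove the implicit narrowing. The `assert(i < sd->wpgrps_size)` is evaluated on a guest-supplied range, so it should be backed by a check that fails the command instead of aborting the process.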


@ -1,70 +0,0 @@
From: Bin Meng <bmeng.cn@gmail.com>
Date: Wed, 3 Mar 2021 20:26:37 +0800
Subject: hw/sd: sdhci: Correctly set the controller status for ADMA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: bc6f28995ff88f5d82c38afcfd65406f0ae375aa
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
When an ADMA transfer is started, the code forgets to set the
controller status to indicate a transfer is in progress.
With this fix, the following 2 reproducers:
https://paste.debian.net/plain/1185136
https://paste.debian.net/plain/1185141
cannot be reproduced with the following QEMU command line:
$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
-nodefaults -device sdhci-pci,sd-spec-version=3 \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-device sd-card,drive=mydrive -qtest stdio
Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/sd/sdhci.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 006426b64da916a3be86afcf75cf..a1639bbd39ca264fa24f27978d54 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -769,7 +769,9 @@ static void sdhci_do_adma(SDHCIState *s)
switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */
+ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
if (s->trnmod & SDHC_TRNS_READ) {
+ s->prnsts |= SDHC_DOING_READ;
while (length) {
if (s->data_count == 0) {
sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
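Review bot: `s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;` and the SDHC_DOING_READ / SDHC_DOING_WRITE bits are set on entry to the transfer case, but none of the visible lines clears them. Please confirm that every way out of SDHC_ADMA_ATTR_ACT_TRAN, including error and early-return paths, resets these bits, since a stale status would leave the controller reporting a transfer in progress indefinitely.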
@@ -797,6 +799,7 @@ static void sdhci_do_adma(SDHCIState *s)
}
}
} else {
+ s->prnsts |= SDHC_DOING_WRITE;
while (length) {
begin = s->data_count;
if ((length + begin) < block_size) {


@ -1,87 +0,0 @@
From: Bin Meng <bmeng.cn@gmail.com>
Date: Wed, 3 Mar 2021 20:26:35 +0800
Subject: hw/sd: sdhci: Don't transfer any data when command time out
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: b263d8f928001b5cfa2a993ea43b7a5b3a1811e8
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
At the end of sdhci_send_command(), it starts a data transfer if the
command register indicates data is associated. But the data transfer
should only be initiated when the command execution has succeeded.
With this fix, the following reproducer:
outl 0xcf8 0x80001810
outl 0xcfc 0xe1068000
outl 0xcf8 0x80001804
outw 0xcfc 0x7
write 0xe106802c 0x1 0x0f
write 0xe1068004 0xc 0x2801d10101fffffbff28a384
write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
write 0xe1068003 0x1 0xfe
cannot be reproduced with the following QEMU command line:
$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
-device sdhci-pci,sd-spec-version=3 \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-device sd-card,drive=mydrive \
-monitor none -serial none -qtest stdio
Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/sd/sdhci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 2f8b74a84f75ae72153dbffab8c1..5a4a156341eb1e330022f1128ba1 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s)
SDRequest request;
uint8_t response[16];
int rlen;
+ bool timeout = false;
s->errintsts = 0;
s->acmd12errsts = 0;
@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s)
trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
s->rspreg[1], s->rspreg[0]);
} else {
+ timeout = true;
trace_sdhci_error("timeout waiting for command response");
if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
s->errintsts |= SDHC_EIS_CMDTIMEOUT;
@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s)
sdhci_update_irq(s);
- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
s->data_count = 0;
sdhci_data_transfer(s);
}
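Review bot: no test accompanies the `!timeout` gate even though the commit message carries a complete qtest reproducer; turning that into a regression test would keep the guard from being dropped later. The flag is set only in the final `else` branch, so a short comment on `bool timeout` saying it covers the no-response case only would also help.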


@ -1,105 +0,0 @@
From: Bin Meng <bmeng.cn@gmail.com>
Date: Wed, 3 Mar 2021 20:26:36 +0800
Subject: hw/sd: sdhci: Don't write to SDHC_SYSAD register when transfer is in
progress
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 8be45cc947832b3c02144c9d52921f499f2d77fe
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
Per "SD Host Controller Standard Specification Version 7.00"
chapter 2.2.1 SDMA System Address Register:
This register can be accessed only if no transaction is executing
(i.e., after a transaction has stopped).
With this fix, the following reproducer:
outl 0xcf8 0x80001010
outl 0xcfc 0xfbefff00
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xfbefff2c 0x1 0x05
write 0xfbefff0f 0x1 0x37
write 0xfbefff0a 0x1 0x01
write 0xfbefff0f 0x1 0x29
write 0xfbefff0f 0x1 0x02
write 0xfbefff0f 0x1 0x03
write 0xfbefff04 0x1 0x01
write 0xfbefff05 0x1 0x01
write 0xfbefff07 0x1 0x02
write 0xfbefff0c 0x1 0x33
write 0xfbefff0e 0x1 0x20
write 0xfbefff0f 0x1 0x00
write 0xfbefff2a 0x1 0x01
write 0xfbefff0c 0x1 0x00
write 0xfbefff03 0x1 0x00
write 0xfbefff05 0x1 0x00
write 0xfbefff2a 0x1 0x02
write 0xfbefff0c 0x1 0x32
write 0xfbefff01 0x1 0x01
write 0xfbefff02 0x1 0x01
write 0xfbefff03 0x1 0x01
cannot be reproduced with the following QEMU command line:
$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
-nodefaults -device sdhci-pci,sd-spec-version=3 \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-device sd-card,drive=mydrive -qtest stdio
Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/sd/sdhci.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 5a4a156341eb1e330022f1128ba1..006426b64da916a3be86afcf75cf 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1122,15 +1122,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
switch (offset & ~0x3) {
case SDHC_SYSAD:
- s->sdmasysad = (s->sdmasysad & mask) | value;
- MASKED_WRITE(s->sdmasysad, mask, value);
- /* Writing to last byte of sdmasysad might trigger transfer */
- if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
- s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
- if (s->trnmod & SDHC_TRNS_MULTI) {
- sdhci_sdma_transfer_multi_blocks(s);
- } else {
- sdhci_sdma_transfer_single_block(s);
+ if (!TRANSFERRING_DATA(s->prnsts)) {
+ s->sdmasysad = (s->sdmasysad & mask) | value;
+ MASKED_WRITE(s->sdmasysad, mask, value);
+ /* Writing to last byte of sdmasysad might trigger transfer */
+ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
+ SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
+ if (s->trnmod & SDHC_TRNS_MULTI) {
+ sdhci_sdma_transfer_multi_blocks(s);
+ } else {
+ sdhci_sdma_transfer_single_block(s);
+ }
}
}
break;
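
Review bot: In the SDHC_SYSAD case the SDMA kick-off now sits inside `if (!TRANSFERRING_DATA(s->prnsts))`, while the removed condition required TRANSFERRING_DATA(s->prnsts) to be true before calling sdhci_sdma_transfer_multi_blocks() or sdhci_sdma_transfer_single_block(). The commit message quotes the spec for rejecting the register write during a transaction but does not say why the trigger polarity flips, so a sentence on that would help. Two smaller points in the same block: a write that arrives during a transfer is dropped silently, and a qemu_log_mask(LOG_GUEST_ERROR, ...) in an else branch would make it visible under -d guest_errors; and the plain assignment to s->sdmasysad followed by MASKED_WRITE on the same register with the same mask and value looks redundant, so one of the two can probably go.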


@ -1,52 +0,0 @@
From: Bin Meng <bmeng.cn@gmail.com>
Date: Wed, 3 Mar 2021 20:26:38 +0800
Subject: hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE register is
writable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
The codes to limit the maximum block size is only necessary when
SDHC_BLKSIZE register is writable.
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/sd/sdhci.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index a1639bbd39ca264fa24f27978d54..51c2a3ffde21314afe2a2c84fa1b 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1143,15 +1143,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
if (!TRANSFERRING_DATA(s->prnsts)) {
MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
- }
- /* Limit block size to the maximum buffer size */
- if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
- qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
- "the maximum buffer 0x%x\n", __func__, s->blksize,
- s->buf_maxsz);
+ /* Limit block size to the maximum buffer size */
+ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
+ qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
+ "the maximum buffer 0x%x\n", __func__, s->blksize,
+ s->buf_maxsz);
- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
+ }
}
break;
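
Review bot: The guest-error message in the moved block prints s->blksize in full, but the check compares only extract32(s->blksize, 0, 12) against s->buf_maxsz, so the logged "Size" can differ from the value that was actually tested; log the extracted 12-bit field instead. Moving the clamp under `if (!TRANSFERRING_DATA(s->prnsts))` is consistent with the commit message, since s->blksize only changes inside that branch.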


@ -1,95 +0,0 @@
From: Bin Meng <bmeng.cn@gmail.com>
Date: Wed, 3 Mar 2021 20:26:39 +0800
Subject: hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[] when a
different block size is programmed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9
References: bsc#1175144, CVE-2020-17380, bsc#1176681, CVE-2020-25085
References: bsc#1182282, CVE-2021-3409
If the block size is programmed to a different value from the
previous one, reset the data pointer of s->fifo_buffer[] so that
s->fifo_buffer[] can be filled in using the new block size in
the next transfer.
With this fix, the following reproducer:
outl 0xcf8 0x80001010
outl 0xcfc 0xe0000000
outl 0xcf8 0x80001001
outl 0xcfc 0x06000000
write 0xe000002c 0x1 0x05
write 0xe0000005 0x1 0x02
write 0xe0000007 0x1 0x01
write 0xe0000028 0x1 0x10
write 0x0 0x1 0x23
write 0x2 0x1 0x08
write 0xe000000c 0x1 0x01
write 0xe000000e 0x1 0x20
write 0xe000000f 0x1 0x00
write 0xe000000c 0x1 0x32
write 0xe0000004 0x2 0x0200
write 0xe0000028 0x1 0x00
write 0xe0000003 0x1 0x40
cannot be reproduced with the following QEMU command line:
$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
-nodefaults -device sdhci-pci,sd-spec-version=3 \
-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-device sd-card,drive=mydrive -qtest stdio
Cc: qemu-stable@nongnu.org
Fixes: CVE-2020-17380
Fixes: CVE-2020-25085
Fixes: CVE-2021-3409
Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
Reported-by: Simon Wörner (Ruhr-Universität Bochum)
Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/sd/sdhci.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 51c2a3ffde21314afe2a2c84fa1b..3c35942161097989e626f5cfd887 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -1141,6 +1141,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
break;
case SDHC_BLKSIZE:
if (!TRANSFERRING_DATA(s->prnsts)) {
+ uint16_t blksize = s->blksize;
+
MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
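
Review bot: The local `uint16_t blksize = s->blksize;` at the top of the SDHC_BLKSIZE branch is easy to confuse with the s->blksize field it snapshots; a name such as old_blksize or prev_blksize would make the later comparison read unambiguously.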
@@ -1152,6 +1154,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
}
+
+ /*
+ * If the block size is programmed to a different value from
+ * the previous one, reset the data pointer of s->fifo_buffer[]
+ * so that s->fifo_buffer[] can be filled in using the new block
+ * size in the next transfer.
+ */
+ if (blksize != s->blksize) {
+ s->data_count = 0;
+ }
}
break;
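
Review bot: The reset check `if (blksize != s->blksize)` compares the whole register value, while the clamp just above treats only bits 0..11 as the block size (extract32 and deposit32 with length 12). If the intent is "the block size changed", compare the 12-bit fields so that a change in the remaining bits alone does not clear s->data_count; if any change of the register is meant, say so in the comment. Placing the check after the clamp is right, because it then sees the value that will actually be used.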


@ -16,7 +16,7 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 39 insertions(+), 4 deletions(-)
diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
index 6a3d39793bc9dd13f6c6cc8c08e4..e3c9d92c1d60c0f791c5852f88e5 100644
index f22c4f5b734e89a390cada7ea422..c65f1b9dcfad50ab69ba92881b5f 100644
--- a/hw/smbios/smbios.c
+++ b/hw/smbios/smbios.c
@@ -1040,6 +1040,7 @@ void smbios_entry_add(QemuOpts *opts, Error **errp)


@ -1,88 +0,0 @@
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
Date: Sat, 5 Dec 2020 16:09:03 +0100
Subject: hw/timer/slavio_timer: Allow 64-bit accesses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 62a9b228b5fefe0f9e364dfeaf3c65022c63cdb9
Per the "NCR89C105 Chip Specification" referenced in the header:
Chip-level Address Map
------------------------------------------------------------------
| 1D0 0000 -> | Counter/Timers | W,D |
| 1DF FFFF | | |
...
The address map indicated the allowed accesses at each address.
[...] W indicates a word access, and D indicates a double-word
access.
The SLAVIO timer controller is implemented expecting 32-bit accesses.
Commit a3d12d073e1 restricted the memory accesses to 32-bit, while
the device allows 64-bit accesses.
This was not an issue until commit 5d971f9e67 which reverted
("memory: accept mismatching sizes in memory_region_access_valid").
Fix by renaming .valid MemoryRegionOps as .impl, and add the valid
access range (W -> 4, D -> 8).
Since commit 21786c7e598 ("memory: Log invalid memory accesses")
this class of bug can be quickly debugged displaying 'guest_errors'
accesses, as:
$ qemu-system-sparc -M SS-20 -m 256 -bios ss20_v2.25_rom -serial stdio -d guest_errors
Power-ON Reset
Invalid access at addr 0x0, size 8, region 'timer-1', reason: invalid size (min:4 max:4)
$ qemu-system-sparc -M SS-20 -m 256 -bios ss20_v2.25_rom -monitor stdio -S
(qemu) info mtree
address-space: memory
0000000000000000-ffffffffffffffff (prio 0, i/o): system
...
0000000ff1300000-0000000ff130000f (prio 0, i/o): timer-1
^^^^^^^^^ ^^^^^^^
\ memory region base address and name /
(qemu) info qtree
bus: main-system-bus
dev: slavio_timer, id "" <-- device type name
gpio-out "sysbus-irq" 17
num_cpus = 1 (0x1)
mmio 0000000ff1310000/0000000000000014
mmio 0000000ff1300000/0000000000000010 <--- base address
mmio 0000000ff1301000/0000000000000010
mmio 0000000ff1302000/0000000000000010
...
Reported-by: Yap KV <yapkv@yahoo.com>
Buglink: https://bugs.launchpad.net/bugs/1906905
Fixes: a3d12d073e1 ("slavio_timer: convert to memory API")
CC: qemu-stable@nongnu.org
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20201205150903.3062711-1-f4bug@amsat.org>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/timer/slavio_timer.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/timer/slavio_timer.c b/hw/timer/slavio_timer.c
index 5b2d20cb6a5a65a762e8021243cb..03e33fc592665360a72e87e1ac64 100644
--- a/hw/timer/slavio_timer.c
+++ b/hw/timer/slavio_timer.c
@@ -331,6 +331,10 @@ static const MemoryRegionOps slavio_timer_mem_ops = {
.write = slavio_timer_mem_writel,
.endianness = DEVICE_NATIVE_ENDIAN,
.valid = {
+ .min_access_size = 4,
+ .max_access_size = 8,
+ },
+ .impl = {
.min_access_size = 4,
.max_access_size = 4,
},
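
Review bot: With .valid widened to 4..8 and .impl kept at 4..4 in slavio_timer_mem_ops, a double-word access is accepted and then delivered to the 32-bit handlers (slavio_timer_mem_writel and its read counterpart) as two word accesses by the memory core. A short comment on the ops struct saying that 64-bit accesses are deliberately split, and whether the order of the two halves matters for the counter registers, would save the next reader from re-deriving this from the NCR89C105 address map quoted in the commit message.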


@ -1,84 +0,0 @@
From: Andrew Melnychenko <andrew@daynix.com>
Date: Thu, 3 Dec 2020 13:07:13 +0200
Subject: hw/virtio-pci Added AER capability.
Git-commit: fdfa3b1d6f9edd97c807df496a0d8e9ea49240da
Added AER capability for virtio-pci devices.
Also added property for devices, by default AER is disabled.
Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
Message-Id: <20201203110713.204938-3-andrew@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
[BR: needed for stable commit d83f46d189a26fa32434139954d264326f199a45]
---
hw/virtio/virtio-pci.c | 16 ++++++++++++++++
hw/virtio/virtio-pci.h | 4 ++++
2 files changed, 20 insertions(+)
diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index ceaa233129c529b604f461e45336..f863f69ede4f4bf1c09fc39a5035 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -1817,6 +1817,12 @@ static void virtio_pci_realize(PCIDevice *pci_dev, Error **errp)
*/
pci_set_word(pci_dev->config + pos + PCI_PM_PMC, 0x3);
+ if (proxy->flags & VIRTIO_PCI_FLAG_AER) {
+ pcie_aer_init(pci_dev, PCI_ERR_VER, last_pcie_cap_offset,
+ PCI_ERR_SIZEOF, NULL);
+ last_pcie_cap_offset += PCI_ERR_SIZEOF;
+ }
+
if (proxy->flags & VIRTIO_PCI_FLAG_INIT_DEVERR) {
/* Init error enabling flags */
pcie_cap_deverr_init(pci_dev);
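
Review bot: The return value of pcie_aer_init() is ignored and NULL is passed as its last argument, although virtio_pci_realize() has errp available; last_pcie_cap_offset is then advanced by PCI_ERR_SIZEOF whether or not the capability was added. Pass errp, check the result, and return on failure so the offset counter and the config space cannot drift apart.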
@@ -1858,7 +1864,15 @@ static void virtio_pci_realize(PCIDevice *pci_dev, Error **errp)
static void virtio_pci_exit(PCIDevice *pci_dev)
{
+ VirtIOPCIProxy *proxy = VIRTIO_PCI(pci_dev);
+ bool pcie_port = pci_bus_is_express(pci_get_bus(pci_dev)) &&
+ !pci_bus_is_root(pci_get_bus(pci_dev));
+
msix_uninit_exclusive_bar(pci_dev);
+ if (proxy->flags & VIRTIO_PCI_FLAG_AER && pcie_port &&
+ pci_is_express(pci_dev)) {
+ pcie_aer_exit(pci_dev);
+ }
}
static void virtio_pci_reset(DeviceState *qdev)
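
Review bot: In virtio_pci_exit() the condition `proxy->flags & VIRTIO_PCI_FLAG_AER && pcie_port && pci_is_express(pci_dev)` relies on & binding tighter than &&; it is correct, but parenthesising the flag test would read more clearly. The pcie_port expression is also recomputed here, so the exit-side guard has to be kept in step by hand with the `pcie_port && pci_is_express(pci_dev)` guard in virtio_pci_realize(); a small helper shared by both would remove that risk of calling pcie_aer_exit() without a matching pcie_aer_init().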
@@ -1911,6 +1925,8 @@ static Property virtio_pci_properties[] = {
VIRTIO_PCI_FLAG_INIT_PM_BIT, true),
DEFINE_PROP_BIT("x-pcie-flr-init", VirtIOPCIProxy, flags,
VIRTIO_PCI_FLAG_INIT_FLR_BIT, true),
+ DEFINE_PROP_BIT("aer", VirtIOPCIProxy, flags,
+ VIRTIO_PCI_FLAG_AER_BIT, false),
DEFINE_PROP_END_OF_LIST(),
};
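
Review bot: The new "aer" property is added without the x- prefix that the neighbouring "x-pcie-flr-init" carries, and the patch adds no user-facing documentation for it. Confirm that it is meant as a stable option name, and describe it (default off, effective only for PCIe endpoints behind a non-root port, per the guards in realize and exit) where the other virtio-pci properties are documented.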
diff --git a/hw/virtio/virtio-pci.h b/hw/virtio/virtio-pci.h
index 06e2af12de64c32f8c26c7f9e858..d7d5d403a9483f5f7e0f0f9b4110 100644
--- a/hw/virtio/virtio-pci.h
+++ b/hw/virtio/virtio-pci.h
@@ -41,6 +41,7 @@ enum {
VIRTIO_PCI_FLAG_INIT_LNKCTL_BIT,
VIRTIO_PCI_FLAG_INIT_PM_BIT,
VIRTIO_PCI_FLAG_INIT_FLR_BIT,
+ VIRTIO_PCI_FLAG_AER_BIT,
};
/* Need to activate work-arounds for buggy guests at vmstate load. */
@@ -80,6 +81,9 @@ enum {
/* Init Function Level Reset capability */
#define VIRTIO_PCI_FLAG_INIT_FLR (1 << VIRTIO_PCI_FLAG_INIT_FLR_BIT)
+/* Advanced Error Reporting capability */
+#define VIRTIO_PCI_FLAG_AER (1 << VIRTIO_PCI_FLAG_AER_BIT)
+
typedef struct {
MSIMessage msg;
int virq;


@ -1,41 +0,0 @@
From: Andrew Melnychenko <andrew@daynix.com>
Date: Thu, 3 Dec 2020 13:07:12 +0200
Subject: hw/virtio-pci Added counter for pcie capabilities offsets.
Git-commit: 06e97442420b03a1e0ff05e8eb554fac684ca736
Removed hardcoded offset for ats. Added cap offset counter
for future capabilities like AER.
Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
Message-Id: <20201203110713.204938-2-andrew@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
[BR: needed for stable commit d83f46d189a26fa32434139954d264326f199a45]
---
hw/virtio/virtio-pci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index 36524a5728e40da961b4db862558..ceaa233129c529b604f461e45336 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -1798,6 +1798,7 @@ static void virtio_pci_realize(PCIDevice *pci_dev, Error **errp)
if (pcie_port && pci_is_express(pci_dev)) {
int pos;
+ uint16_t last_pcie_cap_offset = PCI_CONFIG_SPACE_SIZE;
pos = pcie_endpoint_cap_init(pci_dev, 0);
assert(pos > 0);
@@ -1833,7 +1834,8 @@ static void virtio_pci_realize(PCIDevice *pci_dev, Error **errp)
}
if (proxy->flags & VIRTIO_PCI_FLAG_ATS) {
- pcie_ats_init(pci_dev, 256);
+ pcie_ats_init(pci_dev, last_pcie_cap_offset);
+ last_pcie_cap_offset += PCI_EXT_CAP_ATS_SIZEOF;
}
if (proxy->flags & VIRTIO_PCI_FLAG_INIT_FLR) {
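
Review bot: last_pcie_cap_offset is advanced by hand after pcie_ats_init() with no check that the running offset stays inside extended config space, and the ATS capability is no longer pinned at 256: any capability initialised earlier in virtio_pci_realize() that bumps the counter (the AER patch on this page does exactly that) moves ATS in the guest-visible layout. Note in the commit message or a comment that the layout now depends on which flags are set, and consider an assert on the upper bound after each increment.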


@ -1,110 +0,0 @@
From: Vitaly Cheptsov <cheptsov@ispras.ru>
Date: Mon, 1 Mar 2021 22:59:18 +0300
Subject: i386/acpi: restore device paths for pre-5.1 vms
Git-commit: 0a343a5add75f9f90c65e932863d57ddbcb28f5c
After fixing the _UID value for the primary PCI root bridge in
af1b80ae it was discovered that this change updates Windows
configuration in an incompatible way causing network configuration
failure unless DHCP is used. More details provided on the list:
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg08484.html
This change reverts the _UID update from 1 to 0 for q35 and i440fx
VMs before version 5.2 to maintain the original behaviour when
upgrading.
Cc: qemu-stable@nongnu.org
Cc: qemu-devel@nongnu.org
Reported-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Suggested-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Vitaly Cheptsov <cheptsov@ispras.ru>
Message-Id: <20210301195919.9333-1-cheptsov@ispras.ru>
Tested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Fixes: af1b80ae56c9 ("i386/acpi: fix inconsistent QEMU/OVMF device paths")
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/i386/acpi-build.c | 4 ++--
hw/i386/pc_piix.c | 2 ++
hw/i386/pc_q35.c | 2 ++
include/hw/i386/pc.h | 1 +
4 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 1f5c2112452a74bc19cb3a129fa9..b5616582a5d8395ab38080567356 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -1513,7 +1513,7 @@ build_dsdt(GArray *table_data, BIOSLinker *linker,
dev = aml_device("PCI0");
aml_append(dev, aml_name_decl("_HID", aml_eisaid("PNP0A03")));
aml_append(dev, aml_name_decl("_ADR", aml_int(0)));
- aml_append(dev, aml_name_decl("_UID", aml_int(0)));
+ aml_append(dev, aml_name_decl("_UID", aml_int(pcmc->pci_root_uid)));
aml_append(sb_scope, dev);
aml_append(dsdt, sb_scope);
@@ -1530,7 +1530,7 @@ build_dsdt(GArray *table_data, BIOSLinker *linker,
aml_append(dev, aml_name_decl("_HID", aml_eisaid("PNP0A08")));
aml_append(dev, aml_name_decl("_CID", aml_eisaid("PNP0A03")));
aml_append(dev, aml_name_decl("_ADR", aml_int(0)));
- aml_append(dev, aml_name_decl("_UID", aml_int(0)));
+ aml_append(dev, aml_name_decl("_UID", aml_int(pcmc->pci_root_uid)));
aml_append(dev, build_q35_osc_method());
aml_append(sb_scope, dev);
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index 13d1628f13bfc537cbefaec47e27..2524c962161115d026cc810b8dc8 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -417,6 +417,7 @@ static void pc_i440fx_machine_options(MachineClass *m)
{
PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
pcmc->default_nic_model = "e1000";
+ pcmc->pci_root_uid = 0;
m->family = "pc_piix";
m->desc = "Standard PC (i440FX + PIIX, 1996)";
@@ -448,6 +449,7 @@ static void pc_i440fx_5_1_machine_options(MachineClass *m)
compat_props_add(m->compat_props, hw_compat_5_1, hw_compat_5_1_len);
compat_props_add(m->compat_props, pc_compat_5_1, pc_compat_5_1_len);
pcmc->kvmclock_create_always = false;
+ pcmc->pci_root_uid = 1;
}
DEFINE_I440FX_MACHINE(v5_1, "pc-i440fx-5.1", NULL,
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index a3f4959c43575ad9809a0ac8b7a5..c58dad5ae37f7190f308c512c339 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -329,6 +329,7 @@ static void pc_q35_machine_options(MachineClass *m)
{
PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
pcmc->default_nic_model = "e1000e";
+ pcmc->pci_root_uid = 0;
m->family = "pc_q35";
m->desc = "Standard PC (Q35 + ICH9, 2009)";
@@ -364,6 +365,7 @@ static void pc_q35_5_1_machine_options(MachineClass *m)
compat_props_add(m->compat_props, hw_compat_5_1, hw_compat_5_1_len);
compat_props_add(m->compat_props, pc_compat_5_1, pc_compat_5_1_len);
pcmc->kvmclock_create_always = false;
+ pcmc->pci_root_uid = 1;
}
DEFINE_Q35_MACHINE(v5_1, "pc-q35-5.1", NULL,
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 911e4600970c36de9371a46601c6..7f8e1a791f88ead6cd5cb2a91e8b 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -99,6 +99,7 @@ struct PCMachineClass {
int legacy_acpi_table_size;
unsigned acpi_data_size;
bool do_not_add_smb_acpi;
+ int pci_root_uid;
/* SMBIOS compat: */
bool smbios_defaults;
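
Review bot: The new `int pci_root_uid;` member of PCMachineClass has no comment, unlike the "SMBIOS compat:" group that follows it. Add one line saying that it is the _UID emitted for the PCI0 root bridge in build_dsdt() and that it exists only to keep the old value on older machine types, so nobody takes it for a tunable; an unsigned type would also match how it is fed to aml_int().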


@ -14,19 +14,19 @@ memory hole.
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
target/i386/cpu.h | 2 +-
target/i386/tcg/helper-tcg.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 88e8586f8fb46293810cb34a06a0..a72134a1874f2d7b3ab7c8f4fd59 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1961,7 +1961,7 @@ uint64_t cpu_get_tsc(CPUX86State *env);
/* XXX: This value should match the one returned by CPUID
* and in exec.c */
# if defined(TARGET_X86_64)
diff --git a/target/i386/tcg/helper-tcg.h b/target/i386/tcg/helper-tcg.h
index bcdfca06f699863a6dd2e872231c..ade34e5681775657b0b5220b43d7 100644
--- a/target/i386/tcg/helper-tcg.h
+++ b/target/i386/tcg/helper-tcg.h
@@ -26,7 +26,7 @@
#define TARGET_MAX_INSN_SIZE 16
#if defined(TARGET_X86_64)
-# define TCG_PHYS_ADDR_BITS 40
+# define TCG_PHYS_ADDR_BITS 42
# else
#else
# define TCG_PHYS_ADDR_BITS 36
# endif
#endif

File diff suppressed because it is too large


@ -1,37 +0,0 @@
From: Alexander Bulekov <alxndr@bu.edu>
Date: Mon, 1 Mar 2021 14:35:30 -0500
Subject: lan9118: switch to use qemu_receive_packet() for loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 37cee01784ff0df13e5209517e1b3594a5e792d1
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/lan9118.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index 13d469fe24fd8dd3a03eb2b60a58..da82dc1ad32be5e176aea93e7b11 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -669,7 +669,7 @@ static void do_tx_packet(lan9118_state *s)
/* FIXME: Honor TX disable, and allow queueing of packets. */
if (s->phy_control & 0x4000) {
/* This assumes the receive routine doesn't touch the VLANClient. */
- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
} else {
qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
}
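
Review bot: The context comment "This assumes the receive routine doesn't touch the VLANClient." in do_tx_packet() described the direct lan9118_receive() call and is stale once the loopback path goes through qemu_receive_packet(). Replace it with a note that loopback is routed through qemu_receive_packet() so that reentrancy is detected, which is the point the commit message makes for CVE-2021-3416.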


@ -21,10 +21,10 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 24 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 2839a2c5e906dde840f040c5f235..e1341c9d391bde792d37443c4b9f 100644
index 9002e4d6187d4796773cfeb63723..e5d22c4806cf4f11b43371dc52c2 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -7887,6 +7887,27 @@ static int open_self_stat(void *cpu_env, int fd)
@@ -7977,6 +7977,27 @@ static int open_self_stat(void *cpu_env, int fd)
return 0;
}
@ -52,7 +52,7 @@ index 2839a2c5e906dde840f040c5f235..e1341c9d391bde792d37443c4b9f 100644
static int open_self_auxv(void *cpu_env, int fd)
{
CPUState *cpu = env_cpu((CPUArchState *)cpu_env);
@@ -8041,6 +8062,9 @@ static int do_openat(void *cpu_env, int dirfd, const char *pathname, int flags,
@@ -8131,6 +8152,9 @@ static int do_openat(void *cpu_env, int dirfd, const char *pathname, int flags,
#if defined(TARGET_SPARC) || defined(TARGET_HPPA)
{ "/proc/cpuinfo", open_cpuinfo, is_proc },
#endif


@ -82,10 +82,10 @@ index 0000000000000000000000000000000000000000..cd1f513b334f3b263d9e4b5adb1981e3
+ return execve(new_argv[0], new_argv, envp);
+}
diff --git a/meson.build b/meson.build
index e3386196ba4106a973edb7f9d07c..a4743a83ae82bbe57e8dfeec3da4 100644
index c6f4b0cf5e8a88e2019fabd13f3a..4dd9c13852c017e89106e6a444ee 100644
--- a/meson.build
+++ b/meson.build
@@ -1883,6 +1883,11 @@ endforeach
@@ -2318,6 +2318,11 @@ endforeach
# Other build targets


@ -15,10 +15,10 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 4c178ceab8ac708e4ee4587f6589..72c10911d6773e1e53fa36a3e741 100644
index ee3f66b0118d21748c1ff7475793..f15b5fda1296f2b1f9dc53f74734 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -8563,8 +8563,13 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_ulong arg1,
@@ -8653,8 +8653,13 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_ulong arg1,
return ret;
#endif
#ifdef TARGET_NR_lseek


@ -16,7 +16,7 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index 534753ca12542383002cbf5544ac..c1c7448ef304cf8a56ac60ec8639 100644
index 74e06e7121c56fbf568bc0d48164..709714dad5384d0813083af204c4 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -231,10 +231,10 @@ abi_long memcpy_to_target(abi_ulong dest, const void *src,
@ -35,10 +35,10 @@ index 534753ca12542383002cbf5544ac..c1c7448ef304cf8a56ac60ec8639 100644
void cpu_loop(CPUArchState *env);
const char *target_strerror(int err);
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index e1341c9d391bde792d37443c4b9f..4c178ceab8ac708e4ee4587f6589 100644
index e5d22c4806cf4f11b43371dc52c2..ee3f66b0118d21748c1ff7475793 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -8205,10 +8205,10 @@ static int host_to_target_cpu_mask(const unsigned long *host_mask,
@@ -8295,10 +8295,10 @@ static int host_to_target_cpu_mask(const unsigned long *host_mask,
* of syscall results, can be performed.
* All errnos that do_syscall() returns must be -TARGET_<errcode>.
*/
@ -53,7 +53,7 @@ index e1341c9d391bde792d37443c4b9f..4c178ceab8ac708e4ee4587f6589 100644
{
CPUState *cpu = env_cpu(cpu_env);
abi_long ret;
@@ -10871,7 +10871,7 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
@@ -10966,7 +10966,7 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
*/
ret = -TARGET_EINVAL;
if (cpu_isar_feature(aa64_sve, env_archcpu(cpu_env))
@ -62,7 +62,7 @@ index e1341c9d391bde792d37443c4b9f..4c178ceab8ac708e4ee4587f6589 100644
CPUARMState *env = cpu_env;
ARMCPU *cpu = env_archcpu(env);
uint32_t vq, old_vq;
@@ -13120,10 +13120,10 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
@@ -13318,10 +13318,10 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
return ret;
}


@ -1,52 +0,0 @@
From: Peng Liang <liangpeng10@huawei.com>
Date: Tue, 2 Mar 2021 21:30:16 +0800
Subject: lsilogic: Use PCIDevice::exit instead of DeviceState::unrealize
Git-commit: faabca42cc4ff51110116dfe44d420c668b4d8d8
PCI_DEVICE has overwritten DeviceState::unrealize (pci_qdev_unrealize).
However, LSI53C895A, which is a subclass of PCI_DEVICE, overwrites it
again and doesn't save the parent's implementation so the PCI_DEVICE's
implementation of DeviceState::unrealize will never be called when
unrealize a LSI53C895A device. And it will lead to memory leak and
unplug failure.
For a PCI device, it's better to implement PCIDevice::exit instead of
DeviceState::unrealize. So let's change to use PCIDevice::exit.
Fixes: a8632434c7e9 ("lsi: implement I/O memory space for Memory Move instructions")
Cc: qemu-stable@nongnu.org
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Message-Id: <20210302133016.1221081-1-liangpeng10@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/lsi53c895a.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index 7d13c7dc1c46e8a32ed0e3e090ff..af46c62f0d78268b52d19ca9fd07 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -2312,7 +2312,7 @@ static void lsi_scsi_realize(PCIDevice *dev, Error **errp)
scsi_bus_new(&s->bus, sizeof(s->bus), d, &lsi_scsi_info, NULL);
}
-static void lsi_scsi_unrealize(DeviceState *dev)
+static void lsi_scsi_exit(PCIDevice *dev)
{
LSIState *s = LSI53C895A(dev);
@@ -2325,11 +2325,11 @@ static void lsi_class_init(ObjectClass *klass, void *data)
PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
k->realize = lsi_scsi_realize;
+ k->exit = lsi_scsi_exit;
k->vendor_id = PCI_VENDOR_ID_LSI_LOGIC;
k->device_id = PCI_DEVICE_ID_LSI_53C895A;
k->class_id = PCI_CLASS_STORAGE_SCSI;
k->subsystem_id = 0x1000;
- dc->unrealize = lsi_scsi_unrealize;
dc->reset = lsi_scsi_reset;
dc->vmsd = &vmstate_lsi_scsi;
set_bit(DEVICE_CATEGORY_STORAGE, dc->categories);


@ -1,137 +0,0 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 1 Dec 2020 09:29:56 -0500
Subject: memory: clamp cached translation in case it points to an MMIO region
Git-commit: 4bfb024bc76973d40a359476dc0291f46e435442
References: bsc#1179686, CVE-2020-27821
In using the address_space_translate_internal API, address_space_cache_init
forgot one piece of advice that can be found in the code for
address_space_translate_internal:
/* MMIO registers can be expected to perform full-width accesses based only
* on their address, without considering adjacent registers that could
* decode to completely different MemoryRegions. When such registers
* exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
* regions overlap wildly. For this reason we cannot clamp the accesses
* here.
*
* If the length is small (as is the case for address_space_ldl/stl),
* everything works fine. If the incoming length is large, however,
* the caller really has to do the clamping through memory_access_size.
*/
address_space_cache_init is exactly one such case where "the incoming length
is large", therefore we need to clamp the resulting length---not to
memory_access_size though, since we are not doing an access yet, but to
the size of the resulting section. This ensures that subsequent accesses
to the cached MemoryRegionSection will be in range.
With this patch, the enclosed testcase notices that the used ring does
not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
error.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
softmmu/physmem.c | 10 ++++++++
tests/qtest/fuzz-test.c | 51 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 61 insertions(+)
diff --git a/softmmu/physmem.c b/softmmu/physmem.c
index 3027747c0302c0904db2568eabb8..2cd1de4a2c46814f10c60fc1b8e5 100644
--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
@@ -3255,6 +3255,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
AddressSpaceDispatch *d;
hwaddr l;
MemoryRegion *mr;
+ Int128 diff;
assert(len > 0);
@@ -3263,6 +3264,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
d = flatview_to_dispatch(cache->fv);
cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true);
+ /*
+ * cache->xlat is now relative to cache->mrs.mr, not to the section itself.
+ * Take that into account to compute how many bytes are there between
+ * cache->xlat and the end of the section.
+ */
+ diff = int128_sub(cache->mrs.size,
+ int128_make64(cache->xlat - cache->mrs.offset_within_region));
+ l = int128_get64(int128_min(diff, int128_make64(l)));
+
mr = cache->mrs.mr;
memory_region_ref(mr);
if (memory_access_is_direct(mr, is_write)) {
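
Review bot: The clamp in address_space_cache_init() computes `cache->xlat - cache->mrs.offset_within_region` in unsigned arithmetic and feeds it to int128_make64(), which is only correct if xlat is never below offset_within_region and the difference never exceeds cache->mrs.size. The new comment implies both hold; an assert on each would turn that assumption into a checked invariant, so a future change to address_space_translate_internal() cannot silently produce an oversized l again.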
diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
index 9cb4c42bdea5cefa23473ed41b10..28739248e24d0b41d8ea5defebb8 100644
--- a/tests/qtest/fuzz-test.c
+++ b/tests/qtest/fuzz-test.c
@@ -47,6 +47,55 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
qtest_outl(s, 0x5d02, 0xebed205d);
}
+/*
+ * Here a MemoryRegionCache pointed to an MMIO region but had a
+ * larger size than the underlying region.
+ */
+static void test_mmio_oob_from_memory_region_cache(void)
+{
+ QTestState *s;
+
+ s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
+ "-device virtio-scsi,num_queues=8,addr=03.0 ");
+
+ qtest_outl(s, 0xcf8, 0x80001811);
+ qtest_outb(s, 0xcfc, 0x6e);
+ qtest_outl(s, 0xcf8, 0x80001824);
+ qtest_outl(s, 0xcf8, 0x80001813);
+ qtest_outl(s, 0xcfc, 0xa080000);
+ qtest_outl(s, 0xcf8, 0x80001802);
+ qtest_outl(s, 0xcfc, 0x5a175a63);
+ qtest_outb(s, 0x6e08, 0x9e);
+ qtest_writeb(s, 0x9f003, 0xff);
+ qtest_writeb(s, 0x9f004, 0x01);
+ qtest_writeb(s, 0x9e012, 0x0e);
+ qtest_writeb(s, 0x9e01b, 0x0e);
+ qtest_writeb(s, 0x9f006, 0x01);
+ qtest_writeb(s, 0x9f008, 0x01);
+ qtest_writeb(s, 0x9f00a, 0x01);
+ qtest_writeb(s, 0x9f00c, 0x01);
+ qtest_writeb(s, 0x9f00e, 0x01);
+ qtest_writeb(s, 0x9f010, 0x01);
+ qtest_writeb(s, 0x9f012, 0x01);
+ qtest_writeb(s, 0x9f014, 0x01);
+ qtest_writeb(s, 0x9f016, 0x01);
+ qtest_writeb(s, 0x9f018, 0x01);
+ qtest_writeb(s, 0x9f01a, 0x01);
+ qtest_writeb(s, 0x9f01c, 0x01);
+ qtest_writeb(s, 0x9f01e, 0x01);
+ qtest_writeb(s, 0x9f020, 0x01);
+ qtest_writeb(s, 0x9f022, 0x01);
+ qtest_writeb(s, 0x9f024, 0x01);
+ qtest_writeb(s, 0x9f026, 0x01);
+ qtest_writeb(s, 0x9f028, 0x01);
+ qtest_writeb(s, 0x9f02a, 0x01);
+ qtest_writeb(s, 0x9f02c, 0x01);
+ qtest_writeb(s, 0x9f02e, 0x01);
+ qtest_writeb(s, 0x9f030, 0x01);
+ qtest_outb(s, 0x6e10, 0x00);
+ qtest_quit(s);
+}
+
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
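
Review bot: test_mmio_oob_from_memory_region_cache() contains no assertion; it passes as long as QEMU survives the sequence until qtest_quit(). The commit message says the fixed build prints "Cannot map used", but the test does not check for it, so it only catches a regression that crashes or trips a sanitizer. Either say that in the comment above the function or assert on the expected outcome. A line or two explaining what the 0xcf8/0xcfc writes and the 0x9f0xx byte stores set up would also make the reproducer maintainable.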
@@ -58,6 +107,8 @@ int main(int argc, char **argv)
test_lp1878263_megasas_zero_iov_cnt);
qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
test_lp1878642_pci_bus_get_irq_level_assert);
+ qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
+ test_mmio_oob_from_memory_region_cache);
}
return g_test_run();


@ -28,10 +28,10 @@ index 944d403cbd1535cc121af76a94f2..4b42dd285eeac1ba12e5c9e18ac0 100644
#endif
diff --git a/qom/object.c b/qom/object.c
index 10653552334549241cd5672d7a02..6f301fec34d103b0b07bc41d107c 100644
index 6a01d56546968c094ac4831acb2c..1b132653c3fc8d5150723b2d4cf7 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -516,6 +516,18 @@ static void object_initialize_with_type(Object *obj, size_t size, TypeImpl *type
@@ -518,6 +518,18 @@ static void object_initialize_with_type(Object *obj, size_t size, TypeImpl *type
object_post_init_with_type(obj, type);
}
@ -51,10 +51,10 @@ index 10653552334549241cd5672d7a02..6f301fec34d103b0b07bc41d107c 100644
{
TypeImpl *type = type_get_by_name(typename);
diff --git a/qom/qom-qmp-cmds.c b/qom/qom-qmp-cmds.c
index 310ab2d0481d1517b0432be23256..cf130dc875bb6a7921fd7fb5af26 100644
index 2d6f41ecc7ef4f2b82e55e730dc6..5ec565ad8f0f06d68022f3a4d3d5 100644
--- a/qom/qom-qmp-cmds.c
+++ b/qom/qom-qmp-cmds.c
@@ -131,6 +131,23 @@ ObjectPropertyInfoList *qmp_device_list_properties(const char *typename,
@@ -129,6 +129,23 @@ ObjectPropertyInfoList *qmp_device_list_properties(const char *typename,
ObjectPropertyIterator iter;
ObjectPropertyInfoList *prop_list = NULL;
@ -79,10 +79,10 @@ index 310ab2d0481d1517b0432be23256..cf130dc875bb6a7921fd7fb5af26 100644
if (klass == NULL) {
error_set(errp, ERROR_CLASS_DEVICE_NOT_FOUND,
diff --git a/softmmu/qdev-monitor.c b/softmmu/qdev-monitor.c
index bf79d0bbcd986320eb609f37253e..564dfaeeda9c3ae9dbf1afa97825 100644
index a9955b97a078ea657546d9e2382f..8b71c08af53010428b0fc209bc5b 100644
--- a/softmmu/qdev-monitor.c
+++ b/softmmu/qdev-monitor.c
@@ -263,6 +263,13 @@ int qdev_device_help(QemuOpts *opts)
@@ -274,6 +274,13 @@ int qdev_device_help(QemuOpts *opts)
int i;
driver = qemu_opt_get(opts, "driver");
@ -96,7 +96,7 @@ index bf79d0bbcd986320eb609f37253e..564dfaeeda9c3ae9dbf1afa97825 100644
if (driver && is_help_option(driver)) {
qdev_print_devinfos(false);
return 1;
@@ -650,6 +657,14 @@ DeviceState *qdev_device_add(QemuOpts *opts, Error **errp)
@@ -646,6 +653,14 @@ DeviceState *qdev_device_add(QemuOpts *opts, Error **errp)
return NULL;
}

View File

@ -1,86 +0,0 @@
From: Kevin Wolf <kwolf@redhat.com>
Date: Fri, 12 Feb 2021 18:20:27 +0100
Subject: monitor: Fix assertion failure on shutdown
Git-commit: c81219a7dd36a815bd85beed9932fc973d4f5d51
Commit 357bda95 already tried to fix the order in monitor_cleanup() by
moving shutdown of the dispatcher coroutine further to the start.
However, it didn't go far enough:
iothread_stop() makes sure that all pending work (bottom halves) in the
AioContext of the monitor iothread is completed. iothread_destroy()
depends on this and fails an assertion if there is still a pending BH.
While the dispatcher coroutine is running, it will try to resume the
monitor after taking a request out of the queue, which involves a BH.
The dispatcher is run until it terminates in the AIO_WAIT_WHILE() loop.
However, adding new BHs between iothread_stop() and iothread_destroy()
is forbidden.
Fix this by stopping the dispatcher first before shutting down the other
parts of the monitor. This means we can now receive requests that aren't
handled any more when QEMU is shutting down, but this is unlikely to be
a problem for QMP clients.
Fixes: 357bda9590784ff75803d52de43150d4107ed98e
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20210212172028.288825-2-kwolf@redhat.com>
Tested-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
monitor/monitor.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/monitor/monitor.c b/monitor/monitor.c
index 84222cd130043fd618bd40343829..27573348f3d7ac5c03b56637235d 100644
--- a/monitor/monitor.c
+++ b/monitor/monitor.c
@@ -622,16 +622,6 @@ void monitor_data_destroy(Monitor *mon)
void monitor_cleanup(void)
{
- /*
- * We need to explicitly stop the I/O thread (but not destroy it),
- * clean up the monitor resources, then destroy the I/O thread since
- * we need to unregister from chardev below in
- * monitor_data_destroy(), and chardev is not thread-safe yet
- */
- if (mon_iothread) {
- iothread_stop(mon_iothread);
- }
-
/*
* The dispatcher needs to stop before destroying the monitor and
* the I/O thread.
@@ -641,6 +631,11 @@ void monitor_cleanup(void)
* eventually terminates. qemu_aio_context is automatically
* polled by calling AIO_WAIT_WHILE on it, but we must poll
* iohandler_ctx manually.
+ *
+ * Letting the iothread continue while shutting down the dispatcher
+ * means that new requests may still be coming in. This is okay,
+ * we'll just leave them in the queue without sending a response
+ * and monitor_data_destroy() will free them.
*/
qmp_dispatcher_co_shutdown = true;
if (!qatomic_xchg(&qmp_dispatcher_co_busy, true)) {
@@ -651,6 +646,16 @@ void monitor_cleanup(void)
(aio_poll(iohandler_get_aio_context(), false),
qatomic_mb_read(&qmp_dispatcher_co_busy)));
+ /*
+ * We need to explicitly stop the I/O thread (but not destroy it),
+ * clean up the monitor resources, then destroy the I/O thread since
+ * we need to unregister from chardev below in
+ * monitor_data_destroy(), and chardev is not thread-safe yet
+ */
+ if (mon_iothread) {
+ iothread_stop(mon_iothread);
+ }
+
/* Flush output buffers and destroy monitors */
qemu_mutex_lock(&monitor_lock);
monitor_destroyed = true;
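Review bot: the comment that moves down with the iothread_stop() call in this hunk is unchanged, so it still explains only why the I/O thread is stopped before monitor_data_destroy() and says nothing about why the stop must now follow the AIO_WAIT_WHILE() dispatcher shutdown. Add a sentence with the ordering constraint given in the commit message (no new BH may be added between iothread_stop() and iothread_destroy()), so that a later cleanup does not move the block back to the top of monitor_cleanup().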

View File

@ -1,86 +0,0 @@
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Mon, 19 Apr 2021 15:42:47 +0200
Subject: mptsas: Remove unused MPTSASState 'pending' field (CVE-2021-3392)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 3791642c8d60029adf9b00bcb4e34d7d8a1aea4d
While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
the Megaraid emulator appends new MPTSASRequest object 'req' to
the 's->pending' queue. In case of an error, this same object gets
dequeued in mptsas_free_request() only if SCSIRequest object
'req->sreq' is initialised. This may lead to a use-after-free issue.
Since s->pending is actually not used, simply remove it from
MPTSASState.
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
Message-id: 20210419134247.1467982-1-f4bug@amsat.org
Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru>
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392)
Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device")
[PMD: Reworded description, added more tags]
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/mptsas.c | 6 ------
hw/scsi/mptsas.h | 1 -
2 files changed, 7 deletions(-)
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index f86616544bacf71da60270ad06ed..12c957e06be41e80963bcabae1f8 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -251,13 +251,10 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
static void mptsas_free_request(MPTSASRequest *req)
{
- MPTSASState *s = req->dev;
-
if (req->sreq != NULL) {
req->sreq->hba_private = NULL;
scsi_req_unref(req->sreq);
req->sreq = NULL;
- QTAILQ_REMOVE(&s->pending, req, next);
}
qemu_sglist_destroy(&req->qsg);
g_free(req);
@@ -303,7 +300,6 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
}
req = g_new0(MPTSASRequest, 1);
- QTAILQ_INSERT_TAIL(&s->pending, req, next);
req->scsi_io = *scsi_io;
req->dev = s;
@@ -1318,8 +1314,6 @@ static void mptsas_scsi_realize(PCIDevice *dev, Error **errp)
s->request_bh = qemu_bh_new(mptsas_fetch_requests, s);
- QTAILQ_INIT(&s->pending);
-
scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL);
}
diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h
index b85ac1a5fcc7ad3ffc72923c734c..c046497db71989a564ed46481036 100644
--- a/hw/scsi/mptsas.h
+++ b/hw/scsi/mptsas.h
@@ -79,7 +79,6 @@ struct MPTSASState {
uint16_t reply_frame_size;
SCSIBus bus;
- QTAILQ_HEAD(, MPTSASRequest) pending;
};
void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req);
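Review bot: with the `pending` list head removed from MPTSASState here and the QTAILQ_INIT, QTAILQ_INSERT_TAIL and QTAILQ_REMOVE calls gone from mptsas.c, the `next` link member those calls named in MPTSASRequest has no user left in the visible hunks, and none of the seven deletions touches it. If nothing else links requests through `next`, drop the member in the same patch so that no dead list linkage is left behind for later code to pick up.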

View File

@ -1,36 +0,0 @@
From: Jason Wang <jasowang@redhat.com>
Date: Wed, 24 Feb 2021 13:00:01 +0800
Subject: msf2-mac: switch to use qemu_receive_packet() for loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 26194a58f4eb83c5bdf4061a1628508084450ba1
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/msf2-emac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c
index 32ba9e84124496fe22f165095d61..3e6206044f8b441c9222f28cc1ec 100644
--- a/hw/net/msf2-emac.c
+++ b/hw/net/msf2-emac.c
@@ -158,7 +158,7 @@ static void msf2_dma_tx(MSF2EmacState *s)
* R_CFG1 bit 0 is set.
*/
if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {
- nc->info->receive(nc, buf, size);
+ qemu_receive_packet(nc, buf, size);
} else {
qemu_send_packet(nc, buf, size);
}
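Review bot: the return value of qemu_receive_packet() is discarded in the loopback branch, so a frame that is skipped because the helper detected reentrancy and returned early looks the same to msf2_dma_tx() as one that was received. If dropping the frame silently is the intended behaviour, say so in the comment above the `if`, which currently only describes when loopback is enabled.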

View File

@ -1,119 +0,0 @@
From: Markus Armbruster <armbru@redhat.com>
Date: Wed, 25 Nov 2020 11:02:20 +0100
Subject: net: Fix handling of id in netdev_add and netdev_del
Git-commit: 831734cce6494032e9233caff4d8442b3a1e7fef
CLI -netdev accumulates in option group "netdev".
Before commit 08712fcb85 "net: Track netdevs in NetClientState rather
than QemuOpt", netdev_add added to the option group, and netdev_del
removed from it, both HMP and QMP. Thus, every netdev had a
corresponding QemuOpts in this option group.
Commit 08712fcb85 dropped this for QMP netdev_add and both netdev_del.
Now a netdev has a corresponding QemuOpts only when it was created
with CLI or HMP. Two issues:
* QMP and HMP netdev_del can leave QemuOpts behind, breaking HMP
netdev_add. Reproducer:
$ qemu-system-x86_64 -S -display none -nodefaults -monitor stdio
QEMU 5.1.92 monitor - type 'help' for more information
(qemu) netdev_add user,id=net0
(qemu) info network
net0: index=0,type=user,net=10.0.2.0,restrict=off
(qemu) netdev_del net0
(qemu) info network
(qemu) netdev_add user,id=net0
upstream-qemu: Duplicate ID 'net0' for netdev
Try "help netdev_add" for more information
Fix by restoring the QemuOpts deletion in qmp_netdev_del(), but with
a guard, because the QemuOpts need not exist.
* QMP netdev_add loses its "no duplicate ID" check. Reproducer:
$ qemu-system-x86_64 -S -display none -qmp stdio
{"QMP": {"version": {"qemu": {"micro": 92, "minor": 1, "major": 5}, "package": "v5.2.0-rc2-1-g02c1f0142c"}, "capabilities": ["oob"]}}
{"execute": "qmp_capabilities"}
{"return": {}}
{"execute": "netdev_add", "arguments": {"type": "user", "id":"net0"}}
{"return": {}}
{"execute": "netdev_add", "arguments": {"type": "user", "id":"net0"}}
{"return": {}}
Fix by adding a duplicate ID check to net_client_init1() to replace
the lost one. The check is redundant for callers where QemuOpts
still checks, i.e. for CLI and HMP.
Reported-by: Andrew Melnichenko <andrew@daynix.com>
Fixes: 08712fcb851034228b61f75bd922863a984a4f60
Cc: qemu-stable@nongnu.org
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
net/net.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/net/net.c b/net/net.c
index 6a2c3d95670ed5fec78078276301..af35fb2db7cd99933d20f8613ab3 100644
--- a/net/net.c
+++ b/net/net.c
@@ -983,6 +983,7 @@ static int (* const net_client_init_fun[NET_CLIENT_DRIVER__MAX])(
static int net_client_init1(const Netdev *netdev, bool is_netdev, Error **errp)
{
NetClientState *peer = NULL;
+ NetClientState *nc;
if (is_netdev) {
if (netdev->type == NET_CLIENT_DRIVER_NIC ||
@@ -1010,6 +1011,12 @@ static int net_client_init1(const Netdev *netdev, bool is_netdev, Error **errp)
}
}
+ nc = qemu_find_netdev(netdev->id);
+ if (nc) {
+ error_setg(errp, "Duplicate ID '%s'", netdev->id);
+ return -1;
+ }
+
if (net_client_init_fun[netdev->type](netdev, netdev->id, peer, errp) < 0) {
/* FIXME drop when all init functions store an Error */
if (errp && !*errp) {
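Review bot: the new duplicate-ID check is placed directly before the net_client_init_fun[] call rather than under `if (is_netdev)`, so qemu_find_netdev(netdev->id) now runs for every caller of net_client_init1(); confirm that netdev->id cannot be NULL on the non-netdev path, or move the check under is_netdev. The message "Duplicate ID '%s'" also differs from the "Duplicate ID 'net0' for netdev" wording shown in the HMP reproducer in the commit message; using the same wording would keep the error consistent between CLI, HMP and QMP.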
@@ -1020,8 +1027,6 @@ static int net_client_init1(const Netdev *netdev, bool is_netdev, Error **errp)
}
if (is_netdev) {
- NetClientState *nc;
-
nc = qemu_find_netdev(netdev->id);
assert(nc);
nc->is_netdev = true;
@@ -1135,6 +1140,7 @@ void qmp_netdev_add(Netdev *netdev, Error **errp)
void qmp_netdev_del(const char *id, Error **errp)
{
NetClientState *nc;
+ QemuOpts *opts;
nc = qemu_find_netdev(id);
if (!nc) {
@@ -1149,6 +1155,16 @@ void qmp_netdev_del(const char *id, Error **errp)
}
qemu_del_net_client(nc);
+
+ /*
+ * Wart: we need to delete the QemuOpts associated with netdevs
+ * created via CLI or HMP, to avoid bogus "Duplicate ID" errors in
+ * HMP netdev_add.
+ */
+ opts = qemu_opts_find(qemu_find_opts("netdev"), id);
+ if (opts) {
+ qemu_opts_del(opts);
+ }
}
static void netfilter_print_info(Monitor *mon, NetFilterState *nf)

View File

@ -1,171 +0,0 @@
From: Jason Wang <jasowang@redhat.com>
Date: Wed, 24 Feb 2021 11:44:36 +0800
Subject: net: introduce qemu_receive_packet()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 705df5466c98f3efdd2b68d3b31dad86858acad7
References: bsc#1182968, CVE-2021-3416
Some NIC supports loopback mode and this is done by calling
nc->info->receive() directly which in fact suppresses the effort of
reentrancy check that is done in qemu_net_queue_send().
Unfortunately we can't use qemu_net_queue_send() here since for
loopback there's no sender as peer, so this patch introduce a
qemu_receive_packet() which is used for implementing loopback mode
for a NIC with this check.
NIC that supports loopback mode will be converted to this helper.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
include/net/net.h | 5 +++++
include/net/queue.h | 8 ++++++++
net/net.c | 38 +++++++++++++++++++++++++++++++-------
net/queue.c | 22 ++++++++++++++++++++++
4 files changed, 66 insertions(+), 7 deletions(-)
diff --git a/include/net/net.h b/include/net/net.h
index 778fc787ca14d3e1bc6f59d76cc6..03f058ecb0c1e8d4f4d3a8cb6c58 100644
--- a/include/net/net.h
+++ b/include/net/net.h
@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
void qemu_del_net_client(NetClientState *nc);
typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
+int qemu_can_receive_packet(NetClientState *nc);
int qemu_can_send_packet(NetClientState *nc);
ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
int iovcnt);
ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
int iovcnt, NetPacketSent *sent_cb);
ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
+ssize_t qemu_receive_packet_iov(NetClientState *nc,
+ const struct iovec *iov,
+ int iovcnt);
ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
int size, NetPacketSent *sent_cb);
diff --git a/include/net/queue.h b/include/net/queue.h
index c0269bb1dc436a912e2abc75db3b..9f2f289d7719ca1ed78604c37b65 100644
--- a/include/net/queue.h
+++ b/include/net/queue.h
@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
void qemu_del_net_queue(NetQueue *queue);
+ssize_t qemu_net_queue_receive(NetQueue *queue,
+ const uint8_t *data,
+ size_t size);
+
+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
+ const struct iovec *iov,
+ int iovcnt);
+
ssize_t qemu_net_queue_send(NetQueue *queue,
NetClientState *sender,
unsigned flags,
diff --git a/net/net.c b/net/net.c
index af35fb2db7cd99933d20f8613ab3..cad72a791d3f173eaaa66b8feb50 100644
--- a/net/net.c
+++ b/net/net.c
@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
#endif
}
+int qemu_can_receive_packet(NetClientState *nc)
+{
+ if (nc->receive_disabled) {
+ return 0;
+ } else if (nc->info->can_receive &&
+ !nc->info->can_receive(nc)) {
+ return 0;
+ }
+ return 1;
+}
+
int qemu_can_send_packet(NetClientState *sender)
{
int vm_running = runstate_is_running();
@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender)
return 1;
}
- if (sender->peer->receive_disabled) {
- return 0;
- } else if (sender->peer->info->can_receive &&
- !sender->peer->info->can_receive(sender->peer)) {
- return 0;
- }
- return 1;
+ return qemu_can_receive_packet(sender->peer);
}
static ssize_t filter_receive_iov(NetClientState *nc,
@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
return qemu_send_packet_async(nc, buf, size, NULL);
}
+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
+{
+ if (!qemu_can_receive_packet(nc)) {
+ return 0;
+ }
+
+ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
+}
+
+ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
+ int iovcnt)
+{
+ if (!qemu_can_receive_packet(nc)) {
+ return 0;
+ }
+
+ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
+}
+
ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
{
return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
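Review bot: qemu_receive_packet() takes `int size` and forwards it to qemu_net_queue_receive(), whose parameter is declared `size_t size` in include/net/queue.h, so a negative size coming from a device model would be converted to a very large length on the way in. The signature mirrors qemu_send_packet(), but as this helper is new, consider taking size_t here or rejecting size < 0 before the call.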
diff --git a/net/queue.c b/net/queue.c
index 19e32c80fda730604fe7febf421f..c872d51df8b58518a644a2a8f68b 100644
--- a/net/queue.c
+++ b/net/queue.c
@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
return ret;
}
+ssize_t qemu_net_queue_receive(NetQueue *queue,
+ const uint8_t *data,
+ size_t size)
+{
+ if (queue->delivering) {
+ return 0;
+ }
+
+ return qemu_net_queue_deliver(queue, NULL, 0, data, size);
+}
+
+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
+ const struct iovec *iov,
+ int iovcnt)
+{
+ if (queue->delivering) {
+ return 0;
+ }
+
+ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
+}
+
ssize_t qemu_net_queue_send(NetQueue *queue,
NetClientState *sender,
unsigned flags,
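Review bot: both new functions return 0 when queue->delivering is set, which drops the packet instead of queueing it, and 0 is also what qemu_receive_packet() returns when qemu_can_receive_packet() says no, so callers cannot tell the two cases apart. Neither the definitions here nor the prototypes added to include/net/queue.h carry a comment; document that these entry points are for loopback delivery (NULL sender, flags 0) and that a reentrant call is dropped, not deferred.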

View File

@ -1,38 +0,0 @@
From: Alexander Bulekov <alxndr@bu.edu>
Date: Mon, 1 Mar 2021 10:33:34 -0500
Subject: pcnet: switch to use qemu_receive_packet() for loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/pcnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index f3f18d8598c43aca02ca138aa46e..dcd3fc49481b46a6d4bb7c726572 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1250,7 +1250,7 @@ txagain:
if (BCR_SWSTYLE(s) == 1)
add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
s->looptest = 0;
} else {
if (s->nic) {
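Review bot: replacing the direct pcnet_receive() call with qemu_receive_packet() means the loopback frame now passes through qemu_can_receive_packet() and the queue's delivering check first, and is skipped when either refuses, while s->looptest is still set before and cleared after the call. Add a short comment at the call stating that a loopback frame may now be dropped without the transmit path noticing, since that is a behaviour change beyond the reentrancy fix the subject line describes.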

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cb18d889b628fbe637672b0326789d9b0e3b8027e0445b936537c78549df17bc
size 106902800

Binary file not shown.

3
qemu-6.0.0.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:307a7c86ceaa9ea3fb4c01b792bf8c06a41505adbd35a25dd6ae015d25eea1dc
size 110592924

BIN
qemu-6.0.0.tar.xz.sig Normal file

Binary file not shown.

View File

@ -13,10 +13,10 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
index 9f1580a91c7d3ad64120fe8ee66d..246546b10ca5df38035e5ba46a09 100755
index 573b5dc6acd7901b907ec8ffc065..820b0cecf80d0dd1fb564674b438 100755
--- a/scripts/qemu-binfmt-conf.sh
+++ b/scripts/qemu-binfmt-conf.sh
@@ -323,7 +323,7 @@ BINFMT_SET=qemu_register_interpreter
@@ -332,7 +332,7 @@ BINFMT_SET=qemu_register_interpreter
SYSTEMDDIR="/etc/binfmt.d"
DEBIANDIR="/usr/share/binfmts"
@ -24,4 +24,4 @@ index 9f1580a91c7d3ad64120fe8ee66d..246546b10ca5df38035e5ba46a09 100755
+QEMU_PATH=/usr/bin
CREDENTIAL=no
PERSISTENT=no
QEMU_SUFFIX=""
PRESERVE_ARG0=no

View File

@ -12,11 +12,11 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
index 246546b10ca5df38035e5ba46a09..e0666a3afdc81f0f8277a53f3e1e 100755
index 820b0cecf80d0dd1fb564674b438..fb504a44a1e8d07220b65ee534dd 100755
--- a/scripts/qemu-binfmt-conf.sh
+++ b/scripts/qemu-binfmt-conf.sh
@@ -266,7 +266,7 @@ qemu_generate_register() {
flags="${flags}F"
@@ -275,7 +275,7 @@ qemu_generate_register() {
flags="${flags}P"
fi
- echo ":qemu-$cpu:M::$magic:$mask:$qemu:$flags"
@ -24,7 +24,7 @@ index 246546b10ca5df38035e5ba46a09..e0666a3afdc81f0f8277a53f3e1e 100755
}
qemu_register_interpreter() {
@@ -305,9 +305,9 @@ qemu_set_binfmts() {
@@ -314,9 +314,9 @@ qemu_set_binfmts() {
continue
fi

View File

@ -11,10 +11,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 3 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 27adee908ebcf5151a2e0c9875bc..e0cfb6227803c30755841477b593 100644
index 95d79ddc437a6741586071af532f..1e7f0206f4e4852c317f8ab0a7b6 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -9444,6 +9444,9 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
@@ -9534,6 +9534,9 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
{
struct timeval tv;
struct timezone tz;

View File

@ -13,10 +13,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index e0cfb6227803c30755841477b593..1526c70a6ef9899fa160bae96efc 100644
index 1e7f0206f4e4852c317f8ab0a7b6..dcbd44dbb4202e311c9fe91aa427 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -5728,8 +5728,21 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
@@ -5805,8 +5805,21 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
ie = ioctl_entries;
for(;;) {
if (ie->target_cmd == 0) {

View File

@ -16,10 +16,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 8 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 1526c70a6ef9899fa160bae96efc..2839a2c5e906dde840f040c5f235 100644
index dcbd44dbb4202e311c9fe91aa427..9002e4d6187d4796773cfeb63723 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -5773,6 +5773,13 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
@@ -5850,6 +5850,13 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
arg_type++;
target_size = thunk_type_size(arg_type, 0);
switch(ie->access) {
@ -33,7 +33,7 @@ index 1526c70a6ef9899fa160bae96efc..2839a2c5e906dde840f040c5f235 100644
case IOC_R:
ret = get_errno(safe_ioctl(fd, ie->host_cmd, buf_temp));
if (!is_error(ret)) {
@@ -5791,6 +5798,7 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
@@ -5868,6 +5875,7 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
unlock_user(argptr, arg, 0);
ret = get_errno(safe_ioctl(fd, ie->host_cmd, buf_temp));
break;

View File

@ -1,83 +0,0 @@
From: Eric Blake <eblake@redhat.com>
Date: Tue, 9 Feb 2021 09:27:58 -0600
Subject: qemu-nbd: Use SOMAXCONN for socket listen() backlog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 582d4210eb2f2ab5baac328fe4b479cd86da1647
Our default of a backlog of 1 connection is rather puny; it gets in
the way when we are explicitly allowing multiple clients (such as
qemu-nbd -e N [--shared], or nbd-server-start with its default
"max-connections":0 for unlimited), but is even a problem when we
stick to qemu-nbd's default of only 1 active client but use -t
[--persistent] where a second client can start using the server once
the first finishes. While the effects are less noticeable on TCP
sockets (since the client can poll() to learn when the server is ready
again), it is definitely observable on Unix sockets, where on Linux, a
client will fail with EAGAIN and no recourse but to sleep an arbitrary
amount of time before retrying if the server backlog is already full.
Since QMP nbd-server-start is always persistent, it now always
requests a backlog of SOMAXCONN; meanwhile, qemu-nbd will request
SOMAXCONN if persistent, otherwise its backlog should be based on the
expected number of clients.
See https://bugzilla.redhat.com/1925045 for a demonstration of where
our low backlog prevents libnbd from connecting as many parallel
clients as it wants.
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
CC: qemu-stable@nongnu.org
Message-Id: <20210209152759.209074-2-eblake@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
blockdev-nbd.c | 7 ++++++-
qemu-nbd.c | 10 +++++++++-
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/blockdev-nbd.c b/blockdev-nbd.c
index d8443d235b7338949a4e6e10dec5..b264620b98d8c024b147872ce089 100644
--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
@@ -134,7 +134,12 @@ void nbd_server_start(SocketAddress *addr, const char *tls_creds,
qio_net_listener_set_name(nbd_server->listener,
"nbd-listener");
- if (qio_net_listener_open_sync(nbd_server->listener, addr, 1, errp) < 0) {
+ /*
+ * Because this server is persistent, a backlog of SOMAXCONN is
+ * better than trying to size it to max_connections.
+ */
+ if (qio_net_listener_open_sync(nbd_server->listener, addr, SOMAXCONN,
+ errp) < 0) {
goto error;
}
diff --git a/qemu-nbd.c b/qemu-nbd.c
index a7075c5419d710d773a5c5ed749f..39b517c948b4c45544e01fc3f070 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -969,8 +969,16 @@ int main(int argc, char **argv)
server = qio_net_listener_new();
if (socket_activation == 0) {
+ int backlog;
+
+ if (persistent) {
+ backlog = SOMAXCONN;
+ } else {
+ backlog = MIN(shared, SOMAXCONN);
+ }
saddr = nbd_build_socket_address(sockpath, bindto, port);
- if (qio_net_listener_open_sync(server, saddr, 1, &local_err) < 0) {
+ if (qio_net_listener_open_sync(server, saddr, backlog,
+ &local_err) < 0) {
object_unref(OBJECT(server));
error_report_err(local_err);
exit(EXIT_FAILURE);
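Review bot: in the non-persistent branch, `backlog = MIN(shared, SOMAXCONN)` evaluates to 0 when shared is 0, and the commit message notes that nbd-server-start treats a connection limit of 0 as unlimited. If qemu-nbd can reach this point with shared == 0, the listener is opened with a zero backlog, which is worse than the previous fixed value of 1; clamp the lower bound to 1 or handle 0 explicitly.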

View File

@ -1,36 +0,0 @@
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 4 Feb 2021 08:21:37 +0100
Subject: qemu-storage-daemon: Enable object-add
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 15d40e9204eb3d89577187f117a1dde2237bdc4d
As we don't have a fully QAPIfied version of object-add yet and it still
has 'gen': false in the schema, it needs to be registered explicitly in
init_qmp_commands() to be available for users.
Fixes: 2af282ec51a27116d0402cab237b8970800f870c
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20210204072137.19663-1-kwolf@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
storage-daemon/qemu-storage-daemon.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/storage-daemon/qemu-storage-daemon.c b/storage-daemon/qemu-storage-daemon.c
index 7c914b0dc1f851d6b6e72afd296c..65ccdb17c1a9fcb825dabaf38bb7 100644
--- a/storage-daemon/qemu-storage-daemon.c
+++ b/storage-daemon/qemu-storage-daemon.c
@@ -144,6 +144,8 @@ static void init_qmp_commands(void)
qmp_init_marshal(&qmp_commands);
qmp_register_command(&qmp_commands, "query-qmp-schema",
qmp_query_qmp_schema, QCO_ALLOW_PRECONFIG);
+ qmp_register_command(&qmp_commands, "object-add", qmp_object_add,
+ QCO_NO_OPTIONS);
QTAILQ_INIT(&qmp_cap_negotiation_commands);
qmp_register_command(&qmp_cap_negotiation_commands, "qmp_capabilities",
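Review bot: the manual qmp_register_command() call for object-add carries no comment explaining why this command is registered by hand next to the generated ones. The commit message has the reason ('gen': false in the schema, object-add not yet fully QAPIfied); put it in a short comment beside the call so it is clear when the manual registration can be removed.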

View File

@ -1,3 +1,137 @@
-------------------------------------------------------------------
Fri Apr 30 16:37:51 UTC 2021 - José Ricardo Ziviani <jose.ziviani@suse.com>
- Update to v6.0: see https://wiki.qemu.org/ChangeLog/6.0
For a full list of formely deprecated features that are removed now,
consult: https://qemu-project.gitlab.io/qemu/system/removed-features.html.
For a list of new deprecated features, consult:
https://qemu-project.gitlab.io/qemu/system/deprecated.html
Some noteworthy changes:
* Removed tileGX CPU (linux-user mode).
* Removed ide-drive device (use ide-hd or ide-cd instead).
* Removed scsi-disk device (use scsi-hd or scsi-cd instead).
* Removed pc-1.0, pc-1.1, pc-1.2, and pc-1.3 machine types.
* Added emulation of Arm-v8.1M arch and Cortex-M55 CPU.
* Added boards mps3-an524 (Cortex-M33) and mps3-an547 (Cortex-M55).
* x86: Support for running SEV-ES encrypted guests; TCG can emulate
the PKS feature; WHPX accelerator supports accelerated APIC.
* ARM: ARMv8.4-TTST, ARMv8.4-SEL2, FEAT_SSBS, and ARMv8.4-DIT emulation
are now supported; Added ARMv8.5-MemTag extension is now supported formely
linux-user. Additional device emulation support for xlnx-zynqmp, xlnx-versal,
sbsa-ref, npcm7xx, and sabrelite board models.
* PowerPC: powernv now allows external BMC; pseries can send QAPI message
if it detects a memory hotplug failure; CPU unplug request can be retried.
* s390: TCG works with Linux kernels built with clang-11 and clang12.
* RISC-V: OpenSBI upgraded to v0.9; Support the QMP dump-guest-memory
command; Add support for the SiFive SPI controller (sifive_u); Add QSPI
NOR flash to Microchip PFSoC.
* Misc doc improvements.
* Multiprocess: Add experimental options to support out-of-process device
emulation.
* ACPI: support for assigning NICs to known names in guest OS independently of
PCI slot placement.
* NVMe: new emulation support for v1.4 spec with many new features, experimental
support for Zoned Namespaces, multipath I/O, and End-to-End Data Protection.
* Xen: New guest loader for testing of Xen-like hypervisors booting kernels.
* virtiofs: misc. security fixes and performance improvements.
* Tools: FUSE block exports to allow mounting any QEMU block device node
as a host file.
* Migration: query/info-migrate now display the migration blocker status and
the reasons for blocking.
* User-mode: Added support for the Qualcomm Hexagon processor.
* TCG: Added support for Apple Silicon hosts (macOS).
* QMP: backup jobs now support multiple asynchronous requests in parallel
* VNC: virtio-vga support for scaling resolution based on client window size
* Patches added:
doc-add-our-support-doc-to-the-main-proj.patch
* Patches removed:
9pfs-Fully-restart-unreclaim-loop-CVE-20.patch
audio-add-sanity-check.patch
block-Fix-deadlock-in-bdrv_co_yield_to_d.patch
block-Fix-locking-in-qmp_block_resize.patch
blockjob-Fix-crash-with-IOthread-when-bl.patch
block-nfs-fix-int-overflow-in-nfs_client.patch
block-rbd-fix-memory-leak-in-qemu_rbd_co.patch
block-rbd-Fix-memory-leak-in-qemu_rbd_co.patch
block-Separate-blk_is_writable-and-blk_s.patch
block-Simplify-qmp_block_resize-error-pa.patch
brotli-fix-actual-variable-array-paramet.patch
build-no-pie-is-no-functional-linker-fla.patch
cadence_gem-switch-to-use-qemu_receive_p.patch
cpu-core-Fix-help-of-CPU-core-device-typ.patch
docs-add-SUSE-support-statements-to-html.patch
dp8393x-switch-to-use-qemu_receive_packe.patch
e1000-fail-early-for-evil-descriptor.patch
e1000-switch-to-use-qemu_receive_packet-.patch
hw-arm-virt-acpi-build-Fix-GSIV-values-o.patch
hw-arm-virt-Disable-pl011-clock-migratio.patch
hw-block-fdc-Fix-fallback-property-on-sy.patch
hw-intc-arm_gic-Fix-interrupt-ID-in-GICD.patch
hw-isa-Kconfig-Add-missing-dependency-VI.patch
hw-isa-piix4-Migrate-Reset-Control-Regis.patch
hw-net-lan9118-Fix-RX-Status-FIFO-PEEK-v.patch
hw-s390x-fix-build-for-virtio-9p-ccw.patch
hw-sd-sd-Actually-perform-the-erase-oper.patch
hw-sd-sd-Fix-build-error-when-DEBUG_SD-i.patch
hw-sd-sdhci-Correctly-set-the-controller.patch
hw-sd-sdhci-Don-t-transfer-any-data-when.patch
hw-sd-sdhci-Don-t-write-to-SDHC_SYSAD-re.patch
hw-sd-sdhci-Limit-block-size-only-when-S.patch
hw-sd-sdhci-Reset-the-data-pointer-of-s-.patch
hw-sd-sd-Move-the-sd_block_-read-write-a.patch
hw-sd-sd-Skip-write-protect-groups-check.patch
hw-timer-slavio_timer-Allow-64-bit-acces.patch
hw-virtio-pci-Added-AER-capability.patch
hw-virtio-pci-Added-counter-for-pcie-cap.patch
i386-acpi-restore-device-paths-for-pre-5.patch
iotests-Fix-_send_qemu_cmd-with-bash-5.1.patch
lan9118-switch-to-use-qemu_receive_packe.patch
lsilogic-Use-PCIDevice-exit-instead-of-D.patch
Make-keycode-gen-output-reproducible-use.patch
memory-clamp-cached-translation-in-case-.patch
monitor-Fix-assertion-failure-on-shutdow.patch
mptsas-Remove-unused-MPTSASState-pending.patch
msf2-mac-switch-to-use-qemu_receive_pack.patch
net-Fix-handling-of-id-in-netdev_add-and.patch
net-introduce-qemu_receive_packet.patch
pcnet-switch-to-use-qemu_receive_packet-.patch
qemu-nbd-Use-SOMAXCONN-for-socket-listen.patch
qemu-storage-daemon-Enable-object-add.patch
rtl8139-switch-to-use-qemu_receive_packe.patch
s390x-add-have_virtio_ccw.patch
s390x-css-report-errors-from-ccw_dstream.patch
s390x-Fix-stringop-truncation-issue-repo.patch
s390x-modularize-virtio-gpu-ccw.patch
s390x-move-S390_ADAPTER_SUPPRESSIBLE.patch
s390x-pci-restore-missing-Query-PCI-Func.patch
spice-app-avoid-crash-when-core-spice-mo.patch
sungem-switch-to-use-qemu_receive_packet.patch
target-arm-Don-t-decode-insns-in-the-XSc.patch
target-arm-Fix-MTE0_ACTIVE.patch
target-arm-Introduce-PREDDESC-field-defi.patch
target-arm-Update-PFIRST-PNEXT-for-pred_.patch
target-arm-Update-REV-PUNPK-for-pred_des.patch
target-arm-Update-ZIP-UZP-TRN-for-pred_d.patch
target-xtensa-fix-meson.build-rule-for-x.patch
tcg-Use-memset-for-large-vector-byte-rep.patch
tools-virtiofsd-Replace-the-word-whiteli.patch
tx_pkt-switch-to-use-qemu_receive_packet.patch
ui-vnc-Add-missing-lock-for-send_color_m.patch
update-linux-headers-Include-const.h.patch
Update-linux-headers-to-5.11-rc2.patch
util-fix-use-after-free-in-module_load_o.patch
vfio-ccw-Connect-the-device-request-noti.patch
vhost-user-blk-fix-blkcfg-num_queues-end.patch
viriofsd-Add-support-for-FUSE_HANDLE_KIL.patch
virtiofsd-extract-lo_do_open-from-lo_ope.patch
virtiofsd-optionally-return-inode-pointe.patch
virtiofsd-prevent-opening-of-special-fil.patch
virtiofs-drop-remapped-security.capabili.patch
virtiofsd-Save-error-code-early-at-the-f.patch
virtio-move-use-disabled-flag-property-t.patch
virtio-pci-compat-page-aligned-ATS.patch
xen-block-Fix-removal-of-backend-instanc.patch
-------------------------------------------------------------------
Mon Apr 19 15:40:22 UTC 2021 - Bruce Rogers <brogers@suse.com>
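Review bot: The ARM bullet is garbled at "Added ARMv8.5-MemTag extension is now supported formely linux-user": it has two verbs and "formely" is not a word, so a reader cannot tell what changed for linux-user. Reword it, for example to "ARMv8.5-MemTag extension is now supported for linux-user" if that is the intended meaning. In the s390 bullet, make "clang-11 and clang12" consistent, and give the QMP and VNC bullets the same trailing full stop as the others.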

408
qemu.spec
View File

@ -93,8 +93,8 @@
%bcond_with system_membarrier
%define qemuver 5.2.0
%define srcver 5.2.0
%define qemuver 6.0.0
%define srcver 6.0.0
%define sbver 1.14.0_0_g155821a
%define srcname qemu
Name: qemu%{name_suffix}
@ -132,134 +132,51 @@ Source303: README.PACKAGING
# This patch queue is auto-generated - see README.PACKAGING for process
# Patches applied in base project:
Patch00000: ui-vnc-Add-missing-lock-for-send_color_m.patch
Patch00001: block-Simplify-qmp_block_resize-error-pa.patch
Patch00002: block-Fix-locking-in-qmp_block_resize.patch
Patch00003: block-Fix-deadlock-in-bdrv_co_yield_to_d.patch
Patch00004: audio-add-sanity-check.patch
Patch00005: memory-clamp-cached-translation-in-case-.patch
Patch00006: build-no-pie-is-no-functional-linker-fla.patch
Patch00007: block-nfs-fix-int-overflow-in-nfs_client.patch
Patch00008: iotests-Fix-_send_qemu_cmd-with-bash-5.1.patch
Patch00009: tcg-Use-memset-for-large-vector-byte-rep.patch
Patch00010: hw-timer-slavio_timer-Allow-64-bit-acces.patch
Patch00011: target-arm-Fix-MTE0_ACTIVE.patch
Patch00012: target-arm-Don-t-decode-insns-in-the-XSc.patch
Patch00013: hw-net-lan9118-Fix-RX-Status-FIFO-PEEK-v.patch
Patch00014: 9pfs-Fully-restart-unreclaim-loop-CVE-20.patch
Patch00015: target-arm-Introduce-PREDDESC-field-defi.patch
Patch00016: target-arm-Update-PFIRST-PNEXT-for-pred_.patch
Patch00017: target-arm-Update-ZIP-UZP-TRN-for-pred_d.patch
Patch00018: target-arm-Update-REV-PUNPK-for-pred_des.patch
Patch00019: update-linux-headers-Include-const.h.patch
Patch00020: Update-linux-headers-to-5.11-rc2.patch
Patch00021: vfio-ccw-Connect-the-device-request-noti.patch
Patch00022: net-Fix-handling-of-id-in-netdev_add-and.patch
Patch00023: block-Separate-blk_is_writable-and-blk_s.patch
Patch00024: hw-intc-arm_gic-Fix-interrupt-ID-in-GICD.patch
Patch00025: virtiofsd-extract-lo_do_open-from-lo_ope.patch
Patch00026: virtiofsd-optionally-return-inode-pointe.patch
Patch00027: virtiofsd-prevent-opening-of-special-fil.patch
Patch00028: virtio-move-use-disabled-flag-property-t.patch
Patch00029: qemu-nbd-Use-SOMAXCONN-for-socket-listen.patch
Patch00030: qemu-storage-daemon-Enable-object-add.patch
Patch00031: blockjob-Fix-crash-with-IOthread-when-bl.patch
Patch00032: monitor-Fix-assertion-failure-on-shutdow.patch
Patch00033: tools-virtiofsd-Replace-the-word-whiteli.patch
Patch00034: virtiofsd-Save-error-code-early-at-the-f.patch
Patch00035: viriofsd-Add-support-for-FUSE_HANDLE_KIL.patch
Patch00036: spice-app-avoid-crash-when-core-spice-mo.patch
Patch00037: i386-acpi-restore-device-paths-for-pre-5.patch
Patch00038: virtiofs-drop-remapped-security.capabili.patch
Patch00039: hw-s390x-fix-build-for-virtio-9p-ccw.patch
Patch00040: s390x-pci-restore-missing-Query-PCI-Func.patch
Patch00041: lsilogic-Use-PCIDevice-exit-instead-of-D.patch
Patch00042: vhost-user-blk-fix-blkcfg-num_queues-end.patch
Patch00043: e1000-fail-early-for-evil-descriptor.patch
Patch00044: net-introduce-qemu_receive_packet.patch
Patch00045: e1000-switch-to-use-qemu_receive_packet-.patch
Patch00046: dp8393x-switch-to-use-qemu_receive_packe.patch
Patch00047: msf2-mac-switch-to-use-qemu_receive_pack.patch
Patch00048: sungem-switch-to-use-qemu_receive_packet.patch
Patch00049: tx_pkt-switch-to-use-qemu_receive_packet.patch
Patch00050: rtl8139-switch-to-use-qemu_receive_packe.patch
Patch00051: pcnet-switch-to-use-qemu_receive_packet-.patch
Patch00052: cadence_gem-switch-to-use-qemu_receive_p.patch
Patch00053: lan9118-switch-to-use-qemu_receive_packe.patch
Patch00054: hw-sd-sd-Move-the-sd_block_-read-write-a.patch
Patch00055: hw-sd-sd-Skip-write-protect-groups-check.patch
Patch00056: hw-sd-sd-Fix-build-error-when-DEBUG_SD-i.patch
Patch00057: hw-sd-sd-Actually-perform-the-erase-oper.patch
Patch00058: hw-sd-sdhci-Don-t-transfer-any-data-when.patch
Patch00059: hw-sd-sdhci-Don-t-write-to-SDHC_SYSAD-re.patch
Patch00060: hw-sd-sdhci-Correctly-set-the-controller.patch
Patch00061: hw-sd-sdhci-Limit-block-size-only-when-S.patch
Patch00062: hw-sd-sdhci-Reset-the-data-pointer-of-s-.patch
Patch00063: xen-block-Fix-removal-of-backend-instanc.patch
Patch00064: hw-arm-virt-Disable-pl011-clock-migratio.patch
Patch00065: s390x-move-S390_ADAPTER_SUPPRESSIBLE.patch
Patch00066: s390x-add-have_virtio_ccw.patch
Patch00067: s390x-modularize-virtio-gpu-ccw.patch
Patch00068: util-fix-use-after-free-in-module_load_o.patch
Patch00069: target-xtensa-fix-meson.build-rule-for-x.patch
Patch00070: hw-virtio-pci-Added-counter-for-pcie-cap.patch
Patch00071: hw-virtio-pci-Added-AER-capability.patch
Patch00072: virtio-pci-compat-page-aligned-ATS.patch
Patch00073: s390x-css-report-errors-from-ccw_dstream.patch
Patch00074: block-rbd-fix-memory-leak-in-qemu_rbd_co.patch
Patch00075: block-rbd-Fix-memory-leak-in-qemu_rbd_co.patch
Patch00076: hw-block-fdc-Fix-fallback-property-on-sy.patch
Patch00077: cpu-core-Fix-help-of-CPU-core-device-typ.patch
Patch00078: hw-arm-virt-acpi-build-Fix-GSIV-values-o.patch
Patch00079: hw-isa-Kconfig-Add-missing-dependency-VI.patch
Patch00080: hw-isa-piix4-Migrate-Reset-Control-Regis.patch
Patch00081: mptsas-Remove-unused-MPTSASState-pending.patch
Patch00082: net-vmxnet3-validate-configuration-value.patch
Patch00083: XXX-dont-dump-core-on-sigabort.patch
Patch00084: qemu-binfmt-conf-Modify-default-path.patch
Patch00085: qemu-cvs-gettimeofday.patch
Patch00086: qemu-cvs-ioctl_debug.patch
Patch00087: qemu-cvs-ioctl_nodirection.patch
Patch00088: linux-user-add-binfmt-wrapper-for-argv-0.patch
Patch00089: PPC-KVM-Disable-mmu-notifier-check.patch
Patch00090: linux-user-binfmt-support-host-binaries.patch
Patch00091: linux-user-Fake-proc-cpuinfo.patch
Patch00092: linux-user-use-target_ulong.patch
Patch00093: Make-char-muxer-more-robust-wrt-small-FI.patch
Patch00094: linux-user-lseek-explicitly-cast-non-set.patch
Patch00095: AIO-Reduce-number-of-threads-for-32bit-h.patch
Patch00096: xen_disk-Add-suse-specific-flush-disable.patch
Patch00097: qemu-bridge-helper-reduce-security-profi.patch
Patch00098: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
Patch00099: roms-Makefile-pass-a-packaging-timestamp.patch
Patch00100: Raise-soft-address-space-limit-to-hard-l.patch
Patch00101: increase-x86_64-physical-bits-to-42.patch
Patch00102: i8254-Fix-migration-from-SLE11-SP2.patch
Patch00103: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
Patch00104: Make-installed-scripts-explicitly-python.patch
Patch00105: hw-smbios-handle-both-file-formats-regar.patch
Patch00106: xen-add-block-resize-support-for-xen-dis.patch
Patch00107: tests-qemu-iotests-Triple-timeout-of-i-o.patch
Patch00108: tests-Fix-block-tests-to-be-compatible-w.patch
Patch00109: xen-ignore-live-parameter-from-xen-save-.patch
Patch00110: tests-change-error-message-in-test-162.patch
Patch00111: hw-intc-exynos4210_gic-provide-more-room.patch
Patch00112: configure-only-populate-roms-if-softmmu.patch
Patch00113: pc-bios-s390-ccw-net-avoid-warning-about.patch
Patch00114: roms-change-cross-compiler-naming-to-be-.patch
Patch00115: test-add-mapping-from-arch-of-i686-to-qe.patch
Patch00116: configure-remove-pkgversion-from-CONFIG_.patch
Patch00117: docs-add-SUSE-support-statements-to-html.patch
Patch00118: s390x-Fix-stringop-truncation-issue-repo.patch
Patch00119: Revert-qht-constify-qht_statistics_init.patch
Patch00120: qht-Revert-some-constification-in-qht.c.patch
Patch00121: meson-install-ivshmem-client-and-ivshmem.patch
Patch00122: Revert-roms-efirom-tests-uefi-test-tools.patch
Patch00123: Makefile-Don-t-check-pc-bios-as-pre-requ.patch
Patch00124: roms-Makefile-add-cross-file-to-qboot-me.patch
Patch00125: usb-Help-compiler-out-to-avoid-a-warning.patch
Patch00126: module-for-virtio-gpu-pre-load-module-to.patch
Patch00127: qom-handle-case-of-chardev-spice-module-.patch
Patch00000: net-vmxnet3-validate-configuration-value.patch
Patch00001: XXX-dont-dump-core-on-sigabort.patch
Patch00002: qemu-binfmt-conf-Modify-default-path.patch
Patch00003: qemu-cvs-gettimeofday.patch
Patch00004: qemu-cvs-ioctl_debug.patch
Patch00005: qemu-cvs-ioctl_nodirection.patch
Patch00006: linux-user-add-binfmt-wrapper-for-argv-0.patch
Patch00007: PPC-KVM-Disable-mmu-notifier-check.patch
Patch00008: linux-user-binfmt-support-host-binaries.patch
Patch00009: linux-user-Fake-proc-cpuinfo.patch
Patch00010: linux-user-use-target_ulong.patch
Patch00011: Make-char-muxer-more-robust-wrt-small-FI.patch
Patch00012: linux-user-lseek-explicitly-cast-non-set.patch
Patch00013: AIO-Reduce-number-of-threads-for-32bit-h.patch
Patch00014: xen_disk-Add-suse-specific-flush-disable.patch
Patch00015: qemu-bridge-helper-reduce-security-profi.patch
Patch00016: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
Patch00017: roms-Makefile-pass-a-packaging-timestamp.patch
Patch00018: Raise-soft-address-space-limit-to-hard-l.patch
Patch00019: increase-x86_64-physical-bits-to-42.patch
Patch00020: i8254-Fix-migration-from-SLE11-SP2.patch
Patch00021: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
Patch00022: Make-installed-scripts-explicitly-python.patch
Patch00023: hw-smbios-handle-both-file-formats-regar.patch
Patch00024: xen-add-block-resize-support-for-xen-dis.patch
Patch00025: tests-qemu-iotests-Triple-timeout-of-i-o.patch
Patch00026: tests-Fix-block-tests-to-be-compatible-w.patch
Patch00027: xen-ignore-live-parameter-from-xen-save-.patch
Patch00028: tests-change-error-message-in-test-162.patch
Patch00029: hw-intc-exynos4210_gic-provide-more-room.patch
Patch00030: configure-only-populate-roms-if-softmmu.patch
Patch00031: pc-bios-s390-ccw-net-avoid-warning-about.patch
Patch00032: roms-change-cross-compiler-naming-to-be-.patch
Patch00033: test-add-mapping-from-arch-of-i686-to-qe.patch
Patch00034: configure-remove-pkgversion-from-CONFIG_.patch
Patch00035: Revert-qht-constify-qht_statistics_init.patch
Patch00036: qht-Revert-some-constification-in-qht.c.patch
Patch00037: meson-install-ivshmem-client-and-ivshmem.patch
Patch00038: Revert-roms-efirom-tests-uefi-test-tools.patch
Patch00039: Makefile-Don-t-check-pc-bios-as-pre-requ.patch
Patch00040: roms-Makefile-add-cross-file-to-qboot-me.patch
Patch00041: usb-Help-compiler-out-to-avoid-a-warning.patch
Patch00042: module-for-virtio-gpu-pre-load-module-to.patch
Patch00043: qom-handle-case-of-chardev-spice-module-.patch
Patch00044: doc-add-our-support-doc-to-the-main-proj.patch
# Patches applied in roms/seabios/:
Patch01000: seabios-use-python2-explicitly-as-needed.patch
Patch01001: seabios-switch-to-python3-as-needed.patch
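Review bot: Several security-relevant backports leave the queue in this hunk, among them 9pfs-Fully-restart-unreclaim-loop-CVE-20.patch, e1000-fail-early-for-evil-descriptor.patch, memory-clamp-cached-translation-in-case-.patch, the virtiofsd-* patches and the whole net-introduce-qemu_receive_packet.patch series. The changelog only lists them under "Patches removed". Before merging, confirm that each Git-commit id from the removed patch headers is an ancestor of the v6.0.0 tag, and say in the changelog that these fixes are now provided by the new tarball, so the CVE and bsc# references stay traceable after the rebase.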
@ -273,12 +190,8 @@ Patch02003: help-compiler-out-by-initializing-array.patch
# Patches applied in roms/sgabios/:
Patch03000: sgabios-Makefile-fix-issues-of-build-rep.patch
Patch03001: roms-sgabios-Fix-csum8-to-be-built-by-ho.patch
# Patches applied in ui/keycodemapdb/:
Patch08000: Make-keycode-gen-output-reproducible-use.patch
# Patches applied in roms/qboot/:
Patch11000: qboot-add-cross.ini-file-to-handle-aarch.patch
# Patches applied in roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/:
Patch27000: brotli-fix-actual-variable-array-paramet.patch
# Please do not add patches manually here.
@ -328,7 +241,7 @@ BuildRequires: cross-x86_64-binutils
BuildRequires: cross-x86_64-gcc%gcc_version
%endif
%endif
BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(libcurl) >= 7.29
BuildRequires: pkgconfig(libsasl2)
%if %{build_x86_firmware_from_source}
BuildRequires: dos2unix
@ -1128,100 +1041,17 @@ This package records qemu testsuite results and represents successful testing.
%patch00037 -p1
%patch00038 -p1
%patch00039 -p1
%patch00040 -p1
%patch00041 -p1
%patch00042 -p1
%patch00043 -p1
%patch00044 -p1
%patch00045 -p1
%patch00046 -p1
%patch00047 -p1
%patch00048 -p1
%patch00049 -p1
%patch00050 -p1
%patch00051 -p1
%patch00052 -p1
%patch00053 -p1
%patch00054 -p1
%patch00055 -p1
%patch00056 -p1
%patch00057 -p1
%patch00058 -p1
%patch00059 -p1
%patch00060 -p1
%patch00061 -p1
%patch00062 -p1
%patch00063 -p1
%patch00064 -p1
%patch00065 -p1
%patch00066 -p1
%patch00067 -p1
%patch00068 -p1
%patch00069 -p1
%patch00070 -p1
%patch00071 -p1
%patch00072 -p1
%patch00073 -p1
%patch00074 -p1
%patch00075 -p1
%patch00076 -p1
%patch00077 -p1
%patch00078 -p1
%patch00079 -p1
%patch00080 -p1
%patch00081 -p1
%patch00082 -p1
%patch00083 -p1
%patch00084 -p1
%patch00085 -p1
%patch00086 -p1
%patch00087 -p1
%patch00088 -p1
%patch00089 -p1
%patch00090 -p1
%patch00091 -p1
%patch00092 -p1
%patch00093 -p1
%patch00094 -p1
%patch00095 -p1
%patch00096 -p1
%patch00097 -p1
%patch00098 -p1
%patch00099 -p1
%patch00100 -p1
%patch00101 -p1
%patch00102 -p1
%patch00103 -p1
%patch00104 -p1
%patch00105 -p1
%patch00106 -p1
%patch00107 -p1
%patch00108 -p1
%patch00109 -p1
%patch00110 -p1
%patch00111 -p1
%patch00112 -p1
%patch00113 -p1
%patch00114 -p1
%patch00115 -p1
%patch00116 -p1
%if %{legacy_qemu_kvm}
%patch00117 -p1
%endif
%patch00118 -p1
%patch00119 -p1
%patch00120 -p1
%patch00121 -p1
%patch00122 -p1
%patch00123 -p1
%ifarch aarch64
%patch00124 -p1
%patch00040 -p1
%endif
%ifarch %arm %ix86 ppc
%patch00125 -p1
%patch00041 -p1
%endif
%patch00042 -p1
%patch00043 -p1
%if %{legacy_qemu_kvm}
%patch00044 -p1
%endif
%patch00126 -p1
%patch00127 -p1
%patch01000 -p1
%patch01001 -p1
%patch01002 -p1
@ -1234,9 +1064,7 @@ This package records qemu testsuite results and represents successful testing.
%patch02003 -p1
%patch03000 -p1
%patch03001 -p1
%patch08000 -p1
%patch11000 -p1
%patch27000 -p1
%if "%{name}" != "qemu-linux-user"
# for the record, this set of firmware files is installed, but we don't
@ -1338,6 +1166,14 @@ efi-vmxnet3.rom}
%define _lto_cflags %{nil}
%endif
%if %{legacy_qemu_kvm}
%ifarch s390x
cp %{SOURCE13} docs/supported.rst
%else
cp %{SOURCE13} docs/supported.rst
%endif
%endif
%define srcdir %{_builddir}/%buildsubdir
%define blddir %srcdir/build
mkdir -p %blddir
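Review bot: Both branches of the new %ifarch s390x block run the same command, cp %{SOURCE13} docs/supported.rst, so the architecture test has no effect. Either the s390x branch was meant to copy a different source file, in which case the wrong SOURCE number is used here, or the %ifarch/%else pair should be removed and a single cp kept inside %if %{legacy_qemu_kvm}.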
@ -1353,9 +1189,13 @@ cd %blddir
--firmwarepath=%_datadir/%name \
--python=%_bindir/python3 \
--extra-cflags="%{optflags}" \
--with-git-submodules=ignore \
--disable-fuzzing \
--disable-multiprocess \
--disable-stack-protector \
--disable-strip \
--disable-tcg-interpreter \
--with-git-submodules=ignore \
%if "%{name}" != "qemu-linux-user"
--with-pkgversion="%(echo '%{distro}' | sed 's/ (.*)//')" \
--with-default-devices \
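Review bot: --with-git-submodules=ignore appears twice in this argument block, once after --extra-cflags and again after --disable-tcg-interpreter. If the option was meant to be moved, make sure only one occurrence is left in the resulting spec. Separately, add a one-line spec comment next to --disable-stack-protector stating whether stack protection is expected to arrive through --extra-cflags="%{optflags}", so the flag is not read as the emulator being built without it.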
@ -1381,6 +1221,7 @@ cd %blddir
--enable-curses \
--enable-dmg \
--enable-fdt \
--enable-gio \
--enable-gcrypt \
--enable-glusterfs \
--enable-gnutls \
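Review bot: Style point: --enable-gio is inserted before --enable-gcrypt, which breaks the alphabetical order the rest of this list follows (curses, dmg, fdt, gcrypt, glusterfs, gnutls). Place it after --enable-gcrypt, as the matching --disable-gio already sits in sorted position in the other option list.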
@ -1503,6 +1344,7 @@ cd %blddir
--enable-coroutine-pool \
--disable-dmg \
--disable-fdt \
--disable-gio \
--disable-iconv \
--disable-kvm \
--disable-libdaxctl \
@ -1780,6 +1622,7 @@ ln -s qemu-binfmt %{buildroot}%_bindir/qemu-alpha-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-arm-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-armeb-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-cris-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-hexagon-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-hppa-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-i386-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-m68k-binfmt
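Review bot: The new qemu-hexagon-binfmt symlink has no matching %files change in this diff; the only hexagon entry added to a file list is %_bindir/qemu-hexagon. Please confirm the symlink is covered by an existing glob in the linux-user file list, otherwise the build will stop on an unpackaged file, and confirm that the binfmt configuration script shipped with this package actually registers a hexagon handler that points at this wrapper.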
@ -2001,52 +1844,91 @@ fi
%_datadir/%name/trace-events-all
%dir %_datadir/%name/vhost-user
%_datadir/%name/vhost-user/50-qemu-virtiofsd.json
%dir %_docdir/%name/_static
%dir %_docdir/%name/devel
%dir %_docdir/%name/interop
%dir %_docdir/%name/interop/_static
%dir %_docdir/%name/specs
%dir %_docdir/%name/specs/_static
%dir %_docdir/%name/system
%dir %_docdir/%name/system/_static
%dir %_docdir/%name/system/arm
%dir %_docdir/%name/system/i386
%dir %_docdir/%name/system/ppc
%dir %_docdir/%name/system/riscv
%dir %_docdir/%name/system/s390x
%dir %_docdir/%name/tools
%dir %_docdir/%name/tools/_static
%dir %_docdir/%name/user
%dir %_docdir/%name/user/_static
%_docdir/%name/.buildinfo
%_docdir/%name/_static/alabaster.css
%_docdir/%name/_static/basic.css
%_docdir/%name/_static/custom.css
%_docdir/%name/_static/doctools.js
%_docdir/%name/_static/documentation_options.js
%_docdir/%name/_static/file.png
%_docdir/%name/_static/jquery-3.5.1.js
%_docdir/%name/_static/jquery.js
%_docdir/%name/_static/language_data.js
%_docdir/%name/_static/minus.png
%_docdir/%name/_static/plus.png
%_docdir/%name/_static/pygments.css
%_docdir/%name/_static/searchtools.js
%_docdir/%name/_static/underscore-*
%_docdir/%name/_static/underscore.js
%_docdir/%name/devel/atomics.html
%_docdir/%name/devel/bitops.html
%_docdir/%name/devel/block-coroutine-wrapper.html
%_docdir/%name/devel/build-system.html
%_docdir/%name/devel/clocks.html
%_docdir/%name/devel/code-of-conduct.html
%_docdir/%name/devel/conflict-resolution.html
%_docdir/%name/devel/control-flow-integrity.html
%_docdir/%name/devel/decodetree.html
%_docdir/%name/devel/fuzzing.html
%_docdir/%name/devel/index.html
%_docdir/%name/devel/kconfig.html
%_docdir/%name/devel/loads-stores.html
%_docdir/%name/devel/memory.html
%_docdir/%name/devel/multi-process.html
%_docdir/%name/devel/migration.html
%_docdir/%name/devel/multi-thread-tcg.html
%_docdir/%name/devel/qom.html
%_docdir/%name/devel/qgraph.html
%_docdir/%name/devel/qtest.html
%_docdir/%name/devel/reset.html
%_docdir/%name/devel/s390-dasd-ipl.html
%_docdir/%name/devel/secure-coding-practices.html
%_docdir/%name/devel/stable-process.html
%_docdir/%name/devel/style.html
%_docdir/%name/devel/tcg-icount.html
%_docdir/%name/devel/tcg-plugins.html
%_docdir/%name/devel/tcg.html
%_docdir/%name/devel/testing.html
%_docdir/%name/devel/tracing.html
%_docdir/%name/genindex.html
%_docdir/%name/index.html
%_docdir/%name/interop/.buildinfo
%_docdir/%name/interop/_static/*
%_docdir/%name/interop/bitmaps.html
%_docdir/%name/interop/dbus.html
%_docdir/%name/interop/dbus-vmstate.html
%_docdir/%name/interop/genindex.html
%_docdir/%name/interop/index.html
%_docdir/%name/interop/live-block-operations.html
%_docdir/%name/interop/objects.inv
%_docdir/%name/interop/pr-helper.html
%_docdir/%name/interop/qemu-ga-ref.html
%_docdir/%name/interop/qemu-qmp-ref.html
%_docdir/%name/interop/search.html
%_docdir/%name/interop/searchindex.js
%_docdir/%name/interop/qemu-storage-daemon-qmp-ref.html
%_docdir/%name/interop/vhost-user.html
%_docdir/%name/interop/vhost-user-gpu.html
%_docdir/%name/interop/vhost-vdpa.html
%_docdir/%name/specs/.buildinfo
%_docdir/%name/specs/_static/*
%_docdir/%name/objects.inv
%_docdir/%name/search.html
%_docdir/%name/searchindex.js
%_docdir/%name/specs/acpi_hest_ghes.html
%_docdir/%name/specs/acpi_hw_reduced_hotplug.html
%_docdir/%name/specs/genindex.html
%_docdir/%name/specs/index.html
%_docdir/%name/specs/objects.inv
%_docdir/%name/specs/ppc-spapr-numa.html
%_docdir/%name/specs/ppc-spapr-xive.html
%_docdir/%name/specs/ppc-xive.html
%_docdir/%name/specs/search.html
%_docdir/%name/specs/searchindex.js
%_docdir/%name/specs/tpm.html
%_docdir/%name/system/.buildinfo
%_docdir/%name/system/_static/*
%if %{legacy_qemu_kvm}
%_docdir/%name/supported.html
%endif
%_docdir/%name/system/arm/aspeed.html
%_docdir/%name/system/arm/collie.html
%_docdir/%name/system/arm/cpu-features.html
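Review bot: The new file list pins %_docdir/%name/_static/jquery-3.5.1.js by exact version while the neighbouring entry uses a glob (%_docdir/%name/_static/underscore-*). The versioned name comes from whatever Sphinx is installed in the build root, so the package will fail to build as soon as that copy changes. Use %_docdir/%name/_static/jquery-* here, or package the _static directory as a whole as the removed per-manual entries (interop/_static/* and so on) did.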
@ -2062,6 +1944,7 @@ fi
%_docdir/%name/system/arm/palm.html
%_docdir/%name/system/arm/raspi.html
%_docdir/%name/system/arm/realview.html
%_docdir/%name/system/arm/sabrelite.html
%_docdir/%name/system/arm/sbsa.html
%_docdir/%name/system/arm/stellaris.html
%_docdir/%name/system/arm/sx1.html
@ -2074,7 +1957,8 @@ fi
%_docdir/%name/system/cpu-hotplug.html
%_docdir/%name/system/deprecated.html
%_docdir/%name/system/gdb.html
%_docdir/%name/system/genindex.html
%_docdir/%name/system/generic-loader.html
%_docdir/%name/system/guest-loader.html
%_docdir/%name/system/i386/microvm.html
%_docdir/%name/system/i386/pc.html
%_docdir/%name/system/images.html
@ -2086,22 +1970,29 @@ fi
%_docdir/%name/system/linuxboot.html
%_docdir/%name/system/managed-startup.html
%_docdir/%name/system/monitor.html
%_docdir/%name/system/multi-process.html
%_docdir/%name/system/mux-chardev.html
%_docdir/%name/system/net.html
%_docdir/%name/system/objects.inv
%_docdir/%name/system/nvme.html
%_docdir/%name/system/ppc/embedded.html
%_docdir/%name/system/ppc/powermac.html
%_docdir/%name/system/ppc/powernv.html
%_docdir/%name/system/ppc/prep.html
%_docdir/%name/system/ppc/pseries.html
%_docdir/%name/system/pr-manager.html
%_docdir/%name/system/qemu-block-drivers.html
%_docdir/%name/system/qemu-cpu-models.html
%_docdir/%name/system/qemu-manpage.html
%_docdir/%name/system/quickstart.html
%_docdir/%name/system/removed-features.html
%_docdir/%name/system/riscv/microchip-icicle-kit.html
%_docdir/%name/system/riscv/sifive_u.html
%_docdir/%name/system/s390x/3270.html
%_docdir/%name/system/s390x/bootdevices.html
%_docdir/%name/system/s390x/css.html
%_docdir/%name/system/s390x/protvirt.html
%_docdir/%name/system/s390x/vfio-ap.html
%_docdir/%name/system/s390x/vfio-ccw.html
%_docdir/%name/system/search.html
%_docdir/%name/system/searchindex.js
%_docdir/%name/system/security.html
%_docdir/%name/system/target-arm.html
%_docdir/%name/system/target-avr.html
@ -2109,6 +2000,7 @@ fi
%_docdir/%name/system/target-m68k.html
%_docdir/%name/system/target-mips.html
%_docdir/%name/system/target-ppc.html
%_docdir/%name/system/target-riscv.html
%_docdir/%name/system/target-rx.html
%_docdir/%name/system/target-s390x.html
%_docdir/%name/system/target-sparc64.html
@ -2120,36 +2012,27 @@ fi
%_docdir/%name/system/virtio-net-failover.html
%_docdir/%name/system/virtio-pmem.html
%_docdir/%name/system/vnc-security.html
%_docdir/%name/tools/.buildinfo
%_docdir/%name/tools/_static/*
%_docdir/%name/tools/genindex.html
%_docdir/%name/tools/index.html
%_docdir/%name/tools/objects.inv
%_docdir/%name/tools/qemu-img.html
%_docdir/%name/tools/qemu-nbd.html
%_docdir/%name/tools/qemu-pr-helper.html
%_docdir/%name/tools/qemu-trace-stap.html
%_docdir/%name/tools/search.html
%_docdir/%name/tools/searchindex.js
%_docdir/%name/tools/qemu-storage-daemon.html
%_docdir/%name/tools/virtfs-proxy-helper.html
%_docdir/%name/tools/virtiofsd.html
%_docdir/%name/user/.buildinfo
%_docdir/%name/user/_static/*
%_docdir/%name/user/genindex.html
%_docdir/%name/user/index.html
%_docdir/%name/user/main.html
%_docdir/%name/user/objects.inv
%_docdir/%name/user/search.html
%_docdir/%name/user/searchindex.js
%dir %_libexecdir/supportconfig
%dir %_libexecdir/supportconfig/plugins
%_libexecdir/supportconfig/plugins/%name
%_mandir/man1/%name.1.gz
%_mandir/man1/qemu-storage-daemon.1.gz
%_mandir/man1/virtiofsd.1.gz
%_mandir/man7/qemu-block-drivers.7.gz
%_mandir/man7/qemu-cpu-models.7.gz
%_mandir/man7/qemu-qmp-ref.7.gz
%_mandir/man7/qemu-ga-ref.7.gz
%_mandir/man7/qemu-storage-daemon-qmp-ref.7.gz
%dir %_sysconfdir/%name
%dir %_sysconfdir/%name/firmware
%if %{kvm_available}
@ -2531,6 +2414,7 @@ fi
%_bindir/qemu-arm
%_bindir/qemu-armeb
%_bindir/qemu-cris
%_bindir/qemu-hexagon
%_bindir/qemu-hppa
%_bindir/qemu-i386
%_bindir/qemu-m68k

View File

@ -178,7 +178,7 @@ BuildRequires: cross-x86_64-binutils
BuildRequires: cross-x86_64-gcc%gcc_version
%endif
%endif
BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(libcurl) >= 7.29
BuildRequires: pkgconfig(libsasl2)
%if %{build_x86_firmware_from_source}
BuildRequires: dos2unix
@ -1040,6 +1040,14 @@ efi-vmxnet3.rom}
%define _lto_cflags %{nil}
%endif
%if %{legacy_qemu_kvm}
%ifarch s390x
cp %{SOURCE13} docs/supported.rst
%else
cp %{SOURCE13} docs/supported.rst
%endif
%endif
%define srcdir %{_builddir}/%buildsubdir
%define blddir %srcdir/build
mkdir -p %blddir
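Review bot: This second spec file receives the same %ifarch s390x block as qemu.spec, again with cp %{SOURCE13} docs/supported.rst in both the s390x and the %else branch. Whatever is decided for qemu.spec (a distinct source for s390x, or dropping the %ifarch) has to be applied here too, or the two files will diverge on the next regeneration.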
@ -1055,9 +1063,13 @@ cd %blddir
--firmwarepath=%_datadir/%name \
--python=%_bindir/python3 \
--extra-cflags="%{optflags}" \
--with-git-submodules=ignore \
--disable-fuzzing \
--disable-multiprocess \
--disable-stack-protector \
--disable-strip \
--disable-tcg-interpreter \
--with-git-submodules=ignore \
%if "%{name}" != "qemu-linux-user"
--with-pkgversion="%(echo '%{distro}' | sed 's/ (.*)//')" \
--with-default-devices \
@ -1083,6 +1095,7 @@ cd %blddir
--enable-curses \
--enable-dmg \
--enable-fdt \
--enable-gio \
--enable-gcrypt \
--enable-glusterfs \
--enable-gnutls \
@ -1205,6 +1218,7 @@ cd %blddir
--enable-coroutine-pool \
--disable-dmg \
--disable-fdt \
--disable-gio \
--disable-iconv \
--disable-kvm \
--disable-libdaxctl \
@ -1482,6 +1496,7 @@ ln -s qemu-binfmt %{buildroot}%_bindir/qemu-alpha-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-arm-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-armeb-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-cris-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-hexagon-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-hppa-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-i386-binfmt
ln -s qemu-binfmt %{buildroot}%_bindir/qemu-m68k-binfmt
@ -1703,52 +1718,91 @@ fi
%_datadir/%name/trace-events-all
%dir %_datadir/%name/vhost-user
%_datadir/%name/vhost-user/50-qemu-virtiofsd.json
%dir %_docdir/%name/_static
%dir %_docdir/%name/devel
%dir %_docdir/%name/interop
%dir %_docdir/%name/interop/_static
%dir %_docdir/%name/specs
%dir %_docdir/%name/specs/_static
%dir %_docdir/%name/system
%dir %_docdir/%name/system/_static
%dir %_docdir/%name/system/arm
%dir %_docdir/%name/system/i386
%dir %_docdir/%name/system/ppc
%dir %_docdir/%name/system/riscv
%dir %_docdir/%name/system/s390x
%dir %_docdir/%name/tools
%dir %_docdir/%name/tools/_static
%dir %_docdir/%name/user
%dir %_docdir/%name/user/_static
%_docdir/%name/.buildinfo
%_docdir/%name/_static/alabaster.css
%_docdir/%name/_static/basic.css
%_docdir/%name/_static/custom.css
%_docdir/%name/_static/doctools.js
%_docdir/%name/_static/documentation_options.js
%_docdir/%name/_static/file.png
%_docdir/%name/_static/jquery-3.5.1.js
%_docdir/%name/_static/jquery.js
%_docdir/%name/_static/language_data.js
%_docdir/%name/_static/minus.png
%_docdir/%name/_static/plus.png
%_docdir/%name/_static/pygments.css
%_docdir/%name/_static/searchtools.js
%_docdir/%name/_static/underscore-*
%_docdir/%name/_static/underscore.js
%_docdir/%name/devel/atomics.html
%_docdir/%name/devel/bitops.html
%_docdir/%name/devel/block-coroutine-wrapper.html
%_docdir/%name/devel/build-system.html
%_docdir/%name/devel/clocks.html
%_docdir/%name/devel/code-of-conduct.html
%_docdir/%name/devel/conflict-resolution.html
%_docdir/%name/devel/control-flow-integrity.html
%_docdir/%name/devel/decodetree.html
%_docdir/%name/devel/fuzzing.html
%_docdir/%name/devel/index.html
%_docdir/%name/devel/kconfig.html
%_docdir/%name/devel/loads-stores.html
%_docdir/%name/devel/memory.html
%_docdir/%name/devel/multi-process.html
%_docdir/%name/devel/migration.html
%_docdir/%name/devel/multi-thread-tcg.html
%_docdir/%name/devel/qom.html
%_docdir/%name/devel/qgraph.html
%_docdir/%name/devel/qtest.html
%_docdir/%name/devel/reset.html
%_docdir/%name/devel/s390-dasd-ipl.html
%_docdir/%name/devel/secure-coding-practices.html
%_docdir/%name/devel/stable-process.html
%_docdir/%name/devel/style.html
%_docdir/%name/devel/tcg-icount.html
%_docdir/%name/devel/tcg-plugins.html
%_docdir/%name/devel/tcg.html
%_docdir/%name/devel/testing.html
%_docdir/%name/devel/tracing.html
%_docdir/%name/genindex.html
%_docdir/%name/index.html
%_docdir/%name/interop/.buildinfo
%_docdir/%name/interop/_static/*
%_docdir/%name/interop/bitmaps.html
%_docdir/%name/interop/dbus.html
%_docdir/%name/interop/dbus-vmstate.html
%_docdir/%name/interop/genindex.html
%_docdir/%name/interop/index.html
%_docdir/%name/interop/live-block-operations.html
%_docdir/%name/interop/objects.inv
%_docdir/%name/interop/pr-helper.html
%_docdir/%name/interop/qemu-ga-ref.html
%_docdir/%name/interop/qemu-qmp-ref.html
%_docdir/%name/interop/search.html
%_docdir/%name/interop/searchindex.js
%_docdir/%name/interop/qemu-storage-daemon-qmp-ref.html
%_docdir/%name/interop/vhost-user.html
%_docdir/%name/interop/vhost-user-gpu.html
%_docdir/%name/interop/vhost-vdpa.html
%_docdir/%name/specs/.buildinfo
%_docdir/%name/specs/_static/*
%_docdir/%name/objects.inv
%_docdir/%name/search.html
%_docdir/%name/searchindex.js
%_docdir/%name/specs/acpi_hest_ghes.html
%_docdir/%name/specs/acpi_hw_reduced_hotplug.html
%_docdir/%name/specs/genindex.html
%_docdir/%name/specs/index.html
%_docdir/%name/specs/objects.inv
%_docdir/%name/specs/ppc-spapr-numa.html
%_docdir/%name/specs/ppc-spapr-xive.html
%_docdir/%name/specs/ppc-xive.html
%_docdir/%name/specs/search.html
%_docdir/%name/specs/searchindex.js
%_docdir/%name/specs/tpm.html
%_docdir/%name/system/.buildinfo
%_docdir/%name/system/_static/*
%if %{legacy_qemu_kvm}
%_docdir/%name/supported.html
%endif
%_docdir/%name/system/arm/aspeed.html
%_docdir/%name/system/arm/collie.html
%_docdir/%name/system/arm/cpu-features.html
@ -1764,6 +1818,7 @@ fi
%_docdir/%name/system/arm/palm.html
%_docdir/%name/system/arm/raspi.html
%_docdir/%name/system/arm/realview.html
%_docdir/%name/system/arm/sabrelite.html
%_docdir/%name/system/arm/sbsa.html
%_docdir/%name/system/arm/stellaris.html
%_docdir/%name/system/arm/sx1.html
@ -1776,7 +1831,8 @@ fi
%_docdir/%name/system/cpu-hotplug.html
%_docdir/%name/system/deprecated.html
%_docdir/%name/system/gdb.html
%_docdir/%name/system/genindex.html
%_docdir/%name/system/generic-loader.html
%_docdir/%name/system/guest-loader.html
%_docdir/%name/system/i386/microvm.html
%_docdir/%name/system/i386/pc.html
%_docdir/%name/system/images.html
@ -1788,22 +1844,29 @@ fi
%_docdir/%name/system/linuxboot.html
%_docdir/%name/system/managed-startup.html
%_docdir/%name/system/monitor.html
%_docdir/%name/system/multi-process.html
%_docdir/%name/system/mux-chardev.html
%_docdir/%name/system/net.html
%_docdir/%name/system/objects.inv
%_docdir/%name/system/nvme.html
%_docdir/%name/system/ppc/embedded.html
%_docdir/%name/system/ppc/powermac.html
%_docdir/%name/system/ppc/powernv.html
%_docdir/%name/system/ppc/prep.html
%_docdir/%name/system/ppc/pseries.html
%_docdir/%name/system/pr-manager.html
%_docdir/%name/system/qemu-block-drivers.html
%_docdir/%name/system/qemu-cpu-models.html
%_docdir/%name/system/qemu-manpage.html
%_docdir/%name/system/quickstart.html
%_docdir/%name/system/removed-features.html
%_docdir/%name/system/riscv/microchip-icicle-kit.html
%_docdir/%name/system/riscv/sifive_u.html
%_docdir/%name/system/s390x/3270.html
%_docdir/%name/system/s390x/bootdevices.html
%_docdir/%name/system/s390x/css.html
%_docdir/%name/system/s390x/protvirt.html
%_docdir/%name/system/s390x/vfio-ap.html
%_docdir/%name/system/s390x/vfio-ccw.html
%_docdir/%name/system/search.html
%_docdir/%name/system/searchindex.js
%_docdir/%name/system/security.html
%_docdir/%name/system/target-arm.html
%_docdir/%name/system/target-avr.html
@ -1811,6 +1874,7 @@ fi
%_docdir/%name/system/target-m68k.html
%_docdir/%name/system/target-mips.html
%_docdir/%name/system/target-ppc.html
%_docdir/%name/system/target-riscv.html
%_docdir/%name/system/target-rx.html
%_docdir/%name/system/target-s390x.html
%_docdir/%name/system/target-sparc64.html
@ -1822,36 +1886,27 @@ fi
%_docdir/%name/system/virtio-net-failover.html
%_docdir/%name/system/virtio-pmem.html
%_docdir/%name/system/vnc-security.html
%_docdir/%name/tools/.buildinfo
%_docdir/%name/tools/_static/*
%_docdir/%name/tools/genindex.html
%_docdir/%name/tools/index.html
%_docdir/%name/tools/objects.inv
%_docdir/%name/tools/qemu-img.html
%_docdir/%name/tools/qemu-nbd.html
%_docdir/%name/tools/qemu-pr-helper.html
%_docdir/%name/tools/qemu-trace-stap.html
%_docdir/%name/tools/search.html
%_docdir/%name/tools/searchindex.js
%_docdir/%name/tools/qemu-storage-daemon.html
%_docdir/%name/tools/virtfs-proxy-helper.html
%_docdir/%name/tools/virtiofsd.html
%_docdir/%name/user/.buildinfo
%_docdir/%name/user/_static/*
%_docdir/%name/user/genindex.html
%_docdir/%name/user/index.html
%_docdir/%name/user/main.html
%_docdir/%name/user/objects.inv
%_docdir/%name/user/search.html
%_docdir/%name/user/searchindex.js
%dir %_libexecdir/supportconfig
%dir %_libexecdir/supportconfig/plugins
%_libexecdir/supportconfig/plugins/%name
%_mandir/man1/%name.1.gz
%_mandir/man1/qemu-storage-daemon.1.gz
%_mandir/man1/virtiofsd.1.gz
%_mandir/man7/qemu-block-drivers.7.gz
%_mandir/man7/qemu-cpu-models.7.gz
%_mandir/man7/qemu-qmp-ref.7.gz
%_mandir/man7/qemu-ga-ref.7.gz
%_mandir/man7/qemu-storage-daemon-qmp-ref.7.gz
%dir %_sysconfdir/%name
%dir %_sysconfdir/%name/firmware
%if %{kvm_available}
@ -2233,6 +2288,7 @@ fi
%_bindir/qemu-arm
%_bindir/qemu-armeb
%_bindir/qemu-cris
%_bindir/qemu-hexagon
%_bindir/qemu-hppa
%_bindir/qemu-i386
%_bindir/qemu-m68k

View File

@ -14,7 +14,7 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 6 insertions(+)
diff --git a/qom/object.c b/qom/object.c
index 6f301fec34d103b0b07bc41d107c..0dec164192a55d3d9d955d445db9 100644
index 1b132653c3fc8d5150723b2d4cf7..cb8cd9e6a5f48f94a0829ecc9e97 100644
--- a/qom/object.c
+++ b/qom/object.c
@@ -236,6 +236,12 @@ static bool type_is_ancestor(TypeImpl *type, TypeImpl *target_type)

View File

@ -1,39 +0,0 @@
From: Alexander Bulekov <alxndr@bu.edu>
Date: Fri, 26 Feb 2021 13:47:53 -0500
Subject: rtl8139: switch to use qemu_receive_packet() for loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 5311fb805a4403bba024e83886fa0e7572265de4
References: bsc#1182968, CVE-2021-3416
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/rtl8139.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index ba5ace1ab75cc91330f8f60b25c0..d2dd03e6a5866f4f549af2e97399 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -1795,7 +1795,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
}
DPRINTF("+++ transmit loopback mode\n");
- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
+ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
if (iov) {
g_free(buf2);
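Review bot: the replacement call in rtl8139_transfer_frame() no longer passes do_interrupt, which the removed rtl8139_do_receive() call did. The commit message should say whether loopback receive still honours the caller's do_interrupt value once the packet goes through qemu_receive_packet(), because the hunk alone does not show that interrupt delivery in loopback mode is unchanged.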

View File

@ -1,22 +0,0 @@
From: Bruce Rogers <brogers@suse.com>
Date: Thu, 13 Aug 2020 14:03:29 -0600
Subject: s390x: Fix stringop-truncation issue reported by gcc 11
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/s390x/misc_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/s390x/misc_helper.c b/target/s390x/misc_helper.c
index 58dbc023eb5495ec5da0321651ad..d8e18c0d4617c333fcd4cc1c5c8c 100644
--- a/target/s390x/misc_helper.c
+++ b/target/s390x/misc_helper.c
@@ -370,7 +370,7 @@ uint32_t HELPER(stsi)(CPUS390XState *env, uint64_t a0, uint64_t r0, uint64_t r1)
MIN(sizeof(sysib.sysib_322.vm[0].name),
strlen(qemu_name)));
strncpy((char *)sysib.sysib_322.ext_names[0], qemu_name,
- sizeof(sysib.sysib_322.ext_names[0]));
+ sizeof(sysib.sysib_322.ext_names[0] - 1));
} else {
ebcdic_put(sysib.sysib_322.vm[0].name, "TCGguest", 8);
strcpy((char *)sysib.sysib_322.ext_names[0], "TCGguest");
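Review bot: the `- 1` on the added line sits inside the sizeof parentheses, so strncpy() is given sizeof(sysib.sysib_322.ext_names[0] - 1), the size of the expression `ext_names[0] - 1`, rather than the buffer size minus one. If ext_names[0] is an array, that operand decays to a pointer and the copy is capped at the pointer size, which quiets the gcc 11 warning by truncating the name instead of leaving room for a terminator. The intended form is presumably sizeof(sysib.sysib_322.ext_names[0]) - 1. The commit message has no body, so it should also state which length is wanted.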

View File

@ -1,50 +0,0 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 17 Mar 2021 10:56:21 +0100
Subject: s390x: add have_virtio_ccw
Git-commit: 2dd9d8cfb4f3bd30d9cdfc2edba5cb7ee5917f4b
References: bsc#1181103
Introduce a symbol which can be used to prevent ccw modules
being loaded into system emulators without ccw support.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Tested-by: Halil Pasic <pasic@linux.ibm.com>
Message-Id: <20210317095622.2839895-3-kraxel@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/s390x/virtio-ccw.c | 2 ++
hw/s390x/virtio-ccw.h | 5 +++++
2 files changed, 7 insertions(+)
diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index 4582e94ae7dc4d75117ffc201047..82ec2889b0c7ce64bb96b9c67212 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -35,6 +35,8 @@
#define NR_CLASSIC_INDICATOR_BITS 64
+bool have_virtio_ccw = true;
+
static int virtio_ccw_dev_post_load(void *opaque, int version_id)
{
VirtioCcwDevice *dev = VIRTIO_CCW_DEVICE(opaque);
diff --git a/hw/s390x/virtio-ccw.h b/hw/s390x/virtio-ccw.h
index 49a2b8ca42df799f1815f8af32d1..0168232e3b8db1da2a91dfd157db 100644
--- a/hw/s390x/virtio-ccw.h
+++ b/hw/s390x/virtio-ccw.h
@@ -63,6 +63,11 @@ typedef struct VirtioBusClass VirtioCcwBusClass;
DECLARE_OBJ_CHECKERS(VirtioCcwBusState, VirtioCcwBusClass,
VIRTIO_CCW_BUS, TYPE_VIRTIO_CCW_BUS)
+/*
+ * modules can reference this symbol to avoid being loaded
+ * into system emulators without ccw support
+ */
+extern bool have_virtio_ccw;
struct VirtIOCCWDeviceClass {
CCWDeviceClass parent_class;

View File

@ -1,269 +0,0 @@
From: Pierre Morel <pmorel@linux.ibm.com>
Date: Thu, 8 Apr 2021 18:32:09 +0200
Subject: s390x: css: report errors from ccw_dstream_read/write
Git-commit: d895d25ae2bb8519aa715dd2a97f09d4a66b189d
ccw_dstream_read/write functions returned values are sometime
not taking into account and reported back to the upper level
of interpretation of CCW instructions.
It follows that accessing an invalid address does not trigger
a subchannel status program check to the guest as it should.
Let's test the return values of ccw_dstream_write[_buf] and
ccw_dstream_read[_buf] and report it to the caller.
Cc: qemu-stable@nongnu.org
Signed-off-by: Pierre Morel <pmorel@linux.ibm.com>
Acked-by: Halil Pasic <pasic@linux.ibm.com>
Message-Id: <1617899529-9329-2-git-send-email-pmorel@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/char/terminal3270.c | 11 +++++--
hw/s390x/3270-ccw.c | 5 +++-
hw/s390x/css.c | 14 +++++----
hw/s390x/virtio-ccw.c | 66 ++++++++++++++++++++++++++++++------------
4 files changed, 69 insertions(+), 27 deletions(-)
diff --git a/hw/char/terminal3270.c b/hw/char/terminal3270.c
index d77981bb6d52a2af651bfa2b6ecb..f969ee57fd85164073f98c3285b5 100644
--- a/hw/char/terminal3270.c
+++ b/hw/char/terminal3270.c
@@ -199,9 +199,13 @@ static int read_payload_3270(EmulatedCcw3270Device *dev)
{
Terminal3270 *t = TERMINAL_3270(dev);
int len;
+ int ret;
len = MIN(ccw_dstream_avail(get_cds(t)), t->in_len);
- ccw_dstream_write_buf(get_cds(t), t->inv, len);
+ ret = ccw_dstream_write_buf(get_cds(t), t->inv, len);
+ if (ret < 0) {
+ return ret;
+ }
t->in_len -= len;
return len;
@@ -259,7 +263,10 @@ static int write_payload_3270(EmulatedCcw3270Device *dev, uint8_t cmd)
t->outv[out_len++] = cmd;
do {
- ccw_dstream_read_buf(get_cds(t), &t->outv[out_len], len);
+ retval = ccw_dstream_read_buf(get_cds(t), &t->outv[out_len], len);
+ if (retval < 0) {
+ return retval;
+ }
count = ccw_dstream_avail(get_cds(t));
out_len += len;
diff --git a/hw/s390x/3270-ccw.c b/hw/s390x/3270-ccw.c
index 821319eee6d1066d7cf3113d3ab3..f3e7342b1e8eadc1938b5ad024c7 100644
--- a/hw/s390x/3270-ccw.c
+++ b/hw/s390x/3270-ccw.c
@@ -31,6 +31,9 @@ static int handle_payload_3270_read(EmulatedCcw3270Device *dev, CCW1 *ccw)
}
len = ck->read_payload_3270(dev);
+ if (len < 0) {
+ return len;
+ }
ccw_dev->sch->curr_status.scsw.count = ccw->count - len;
return 0;
@@ -50,7 +53,7 @@ static int handle_payload_3270_write(EmulatedCcw3270Device *dev, CCW1 *ccw)
len = ck->write_payload_3270(dev, ccw->cmd_code);
if (len <= 0) {
- return -EIO;
+ return len ? len : -EIO;
}
ccw_dev->sch->curr_status.scsw.count = ccw->count - len;
diff --git a/hw/s390x/css.c b/hw/s390x/css.c
index 9961cfe7bf67460924ea68cb72bd..1ad6069ceacfc7459c25307c1fd9 100644
--- a/hw/s390x/css.c
+++ b/hw/s390x/css.c
@@ -1055,10 +1055,11 @@ static int css_interpret_ccw(SubchDev *sch, hwaddr ccw_addr,
}
}
len = MIN(ccw.count, sizeof(sch->sense_data));
- ccw_dstream_write_buf(&sch->cds, sch->sense_data, len);
+ ret = ccw_dstream_write_buf(&sch->cds, sch->sense_data, len);
sch->curr_status.scsw.count = ccw_dstream_residual_count(&sch->cds);
- memset(sch->sense_data, 0, sizeof(sch->sense_data));
- ret = 0;
+ if (!ret) {
+ memset(sch->sense_data, 0, sizeof(sch->sense_data));
+ }
break;
case CCW_CMD_SENSE_ID:
{
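Review bot: in the case that writes sch->sense_data, sch->curr_status.scsw.count is still updated from ccw_dstream_residual_count() when ccw_dstream_write_buf() fails, while the CCW_CMD_SENSE_ID case in the next hunk only updates the count on success. Guard both the same way, or add a comment saying why the residual count is wanted on the error path here.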
@@ -1083,9 +1084,10 @@ static int css_interpret_ccw(SubchDev *sch, hwaddr ccw_addr,
} else {
sense_id[0] = 0;
}
- ccw_dstream_write_buf(&sch->cds, sense_id, len);
- sch->curr_status.scsw.count = ccw_dstream_residual_count(&sch->cds);
- ret = 0;
+ ret = ccw_dstream_write_buf(&sch->cds, sense_id, len);
+ if (!ret) {
+ sch->curr_status.scsw.count = ccw_dstream_residual_count(&sch->cds);
+ }
break;
}
case CCW_CMD_TIC:
diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index 82ec2889b0c7ce64bb96b9c67212..43db5b93e1125d5ef806abfebb32 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -288,14 +288,20 @@ static int virtio_ccw_handle_set_vq(SubchDev *sch, CCW1 ccw, bool check_len,
return -EFAULT;
}
if (is_legacy) {
- ccw_dstream_read(&sch->cds, linfo);
+ ret = ccw_dstream_read(&sch->cds, linfo);
+ if (ret) {
+ return ret;
+ }
linfo.queue = be64_to_cpu(linfo.queue);
linfo.align = be32_to_cpu(linfo.align);
linfo.index = be16_to_cpu(linfo.index);
linfo.num = be16_to_cpu(linfo.num);
ret = virtio_ccw_set_vqs(sch, NULL, &linfo);
} else {
- ccw_dstream_read(&sch->cds, info);
+ ret = ccw_dstream_read(&sch->cds, info);
+ if (ret) {
+ return ret;
+ }
info.desc = be64_to_cpu(info.desc);
info.index = be16_to_cpu(info.index);
info.num = be16_to_cpu(info.num);
@@ -364,7 +370,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
VirtioDeviceClass *vdc = VIRTIO_DEVICE_GET_CLASS(vdev);
ccw_dstream_advance(&sch->cds, sizeof(features.features));
- ccw_dstream_read(&sch->cds, features.index);
+ ret = ccw_dstream_read(&sch->cds, features.index);
+ if (ret) {
+ break;
+ }
if (features.index == 0) {
if (dev->revision >= 1) {
/* Don't offer legacy features for modern devices. */
@@ -385,9 +394,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
}
ccw_dstream_rewind(&sch->cds);
features.features = cpu_to_le32(features.features);
- ccw_dstream_write(&sch->cds, features.features);
- sch->curr_status.scsw.count = ccw.count - sizeof(features);
- ret = 0;
+ ret = ccw_dstream_write(&sch->cds, features.features);
+ if (!ret) {
+ sch->curr_status.scsw.count = ccw.count - sizeof(features);
+ }
}
break;
case CCW_CMD_WRITE_FEAT:
@@ -404,7 +414,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
if (!ccw.cda) {
ret = -EFAULT;
} else {
- ccw_dstream_read(&sch->cds, features);
+ ret = ccw_dstream_read(&sch->cds, features);
+ if (ret) {
+ break;
+ }
features.features = le32_to_cpu(features.features);
if (features.index == 0) {
virtio_set_features(vdev,
@@ -447,9 +460,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
ret = -EFAULT;
} else {
virtio_bus_get_vdev_config(&dev->bus, vdev->config);
- ccw_dstream_write_buf(&sch->cds, vdev->config, len);
- sch->curr_status.scsw.count = ccw.count - len;
- ret = 0;
+ ret = ccw_dstream_write_buf(&sch->cds, vdev->config, len);
+ if (ret) {
+ sch->curr_status.scsw.count = ccw.count - len;
+ }
}
break;
case CCW_CMD_WRITE_CONF:
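Review bot: the check after ccw_dstream_write_buf(&sch->cds, vdev->config, len) is inverted. `if (ret)` sets sch->curr_status.scsw.count only when the write failed, whereas the other write paths in this patch use `if (!ret)`, so on success the count is never updated. This should be `if (!ret)`.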
@@ -504,7 +518,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
if (!ccw.cda) {
ret = -EFAULT;
} else {
- ccw_dstream_read(&sch->cds, status);
+ ret = ccw_dstream_read(&sch->cds, status);
+ if (ret) {
+ break;
+ }
if (!(status & VIRTIO_CONFIG_S_DRIVER_OK)) {
virtio_ccw_stop_ioeventfd(dev);
}
@@ -547,7 +564,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
if (!ccw.cda) {
ret = -EFAULT;
} else {
- ccw_dstream_read(&sch->cds, indicators);
+ ret = ccw_dstream_read(&sch->cds, indicators);
+ if (ret) {
+ break;
+ }
indicators = be64_to_cpu(indicators);
dev->indicators = get_indicator(indicators, sizeof(uint64_t));
sch->curr_status.scsw.count = ccw.count - sizeof(indicators);
@@ -568,7 +588,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
if (!ccw.cda) {
ret = -EFAULT;
} else {
- ccw_dstream_read(&sch->cds, indicators);
+ ret = ccw_dstream_read(&sch->cds, indicators);
+ if (ret) {
+ break;
+ }
indicators = be64_to_cpu(indicators);
dev->indicators2 = get_indicator(indicators, sizeof(uint64_t));
sch->curr_status.scsw.count = ccw.count - sizeof(indicators);
@@ -589,7 +612,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
if (!ccw.cda) {
ret = -EFAULT;
} else {
- ccw_dstream_read(&sch->cds, vq_config.index);
+ ret = ccw_dstream_read(&sch->cds, vq_config.index);
+ if (ret) {
+ break;
+ }
vq_config.index = be16_to_cpu(vq_config.index);
if (vq_config.index >= VIRTIO_QUEUE_MAX) {
ret = -EINVAL;
@@ -598,9 +624,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
vq_config.num_max = virtio_queue_get_num(vdev,
vq_config.index);
vq_config.num_max = cpu_to_be16(vq_config.num_max);
- ccw_dstream_write(&sch->cds, vq_config.num_max);
- sch->curr_status.scsw.count = ccw.count - sizeof(vq_config);
- ret = 0;
+ ret = ccw_dstream_write(&sch->cds, vq_config.num_max);
+ if (!ret) {
+ sch->curr_status.scsw.count = ccw.count - sizeof(vq_config);
+ }
}
break;
case CCW_CMD_SET_IND_ADAPTER:
@@ -657,7 +684,10 @@ static int virtio_ccw_cb(SubchDev *sch, CCW1 ccw)
ret = -EFAULT;
break;
}
- ccw_dstream_read_buf(&sch->cds, &revinfo, 4);
+ ret = ccw_dstream_read_buf(&sch->cds, &revinfo, 4);
+ if (ret < 0) {
+ break;
+ }
revinfo.revision = be16_to_cpu(revinfo.revision);
revinfo.length = be16_to_cpu(revinfo.length);
if (ccw.count < len + revinfo.length ||

View File

@ -1,87 +0,0 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 17 Mar 2021 10:56:22 +0100
Subject: s390x: modularize virtio-gpu-ccw
Git-commit: adcf33a504de29feb720736051dc32889314c9e6
References: bsc#1181103
Since the virtio-gpu-ccw device depends on the hw-display-virtio-gpu
module, which provides the type virtio-gpu-device, packaging the
hw-display-virtio-gpu module as a separate package that may or may not
be installed along with the qemu package leads to problems. Namely if
the hw-display-virtio-gpu is absent, qemu continues to advertise
virtio-gpu-ccw, but it aborts not only when one attempts using
virtio-gpu-ccw, but also when libvirtd's capability probing tries
to instantiate the type to introspect it.
Let us thus introduce a module named hw-s390x-virtio-gpu-ccw that
is going to provide the virtio-gpu-ccw device. The hw-s390x prefix
was chosen because it is not a portable device.
With virtio-gpu-ccw built as a module, the correct way to package a
modularized qemu is to require that hw-display-virtio-gpu must be
installed whenever the module hw-s390x-virtio-gpu-ccw.
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Tested-by: Halil Pasic <pasic@linux.ibm.com>
Message-Id: <20210317095622.2839895-4-kraxel@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/s390x/meson.build | 8 +++++++-
hw/s390x/virtio-ccw-gpu.c | 4 +++-
util/module.c | 1 +
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/hw/s390x/meson.build b/hw/s390x/meson.build
index e53b7a69930a27dd030994ab6a54..8662ad04db2c51a229cbf7108c55 100644
--- a/hw/s390x/meson.build
+++ b/hw/s390x/meson.build
@@ -34,7 +34,6 @@ virtio_ss.add(files('virtio-ccw.c'))
virtio_ss.add(when: 'CONFIG_VIRTIO_BALLOON', if_true: files('virtio-ccw-balloon.c'))
virtio_ss.add(when: 'CONFIG_VIRTIO_BLK', if_true: files('virtio-ccw-blk.c'))
virtio_ss.add(when: 'CONFIG_VIRTIO_CRYPTO', if_true: files('virtio-ccw-crypto.c'))
-virtio_ss.add(when: 'CONFIG_VIRTIO_GPU', if_true: files('virtio-ccw-gpu.c'))
virtio_ss.add(when: 'CONFIG_VIRTIO_INPUT', if_true: files('virtio-ccw-input.c'))
virtio_ss.add(when: 'CONFIG_VIRTIO_NET', if_true: files('virtio-ccw-net.c'))
virtio_ss.add(when: 'CONFIG_VIRTIO_RNG', if_true: files('virtio-ccw-rng.c'))
@@ -46,3 +45,10 @@ virtio_ss.add(when: 'CONFIG_VHOST_USER_FS', if_true: files('vhost-user-fs-ccw.c'
s390x_ss.add_all(when: 'CONFIG_VIRTIO_CCW', if_true: virtio_ss)
hw_arch += {'s390x': s390x_ss}
+
+hw_s390x_modules = {}
+virtio_gpu_ccw_ss = ss.source_set()
+virtio_gpu_ccw_ss.add(when: ['CONFIG_VIRTIO_GPU', 'CONFIG_VIRTIO_CCW'],
+ if_true: [files('virtio-ccw-gpu.c'), pixman])
+hw_s390x_modules += {'virtio-gpu-ccw': virtio_gpu_ccw_ss}
+modules += {'hw-s390x': hw_s390x_modules}
diff --git a/hw/s390x/virtio-ccw-gpu.c b/hw/s390x/virtio-ccw-gpu.c
index c301e2586bde8aff7333ea029c02..75a9e4bb3908178d3aea335fd7a0 100644
--- a/hw/s390x/virtio-ccw-gpu.c
+++ b/hw/s390x/virtio-ccw-gpu.c
@@ -62,7 +62,9 @@ static const TypeInfo virtio_ccw_gpu = {
static void virtio_ccw_gpu_register(void)
{
- type_register_static(&virtio_ccw_gpu);
+ if (have_virtio_ccw) {
+ type_register_static(&virtio_ccw_gpu);
+ }
}
type_init(virtio_ccw_gpu_register)
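Review bot: the `if (have_virtio_ccw)` guard in virtio_ccw_gpu_register() reads like a runtime check, but the patch that introduces the symbol defines it as `bool have_virtio_ccw = true;` and documents it as something modules reference so they are not loaded into emulators without ccw support. A one-line comment at this use site saying the test exists to create that symbol reference would keep it from being removed later as redundant.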
diff --git a/util/module.c b/util/module.c
index c65060c167df236d6e2163472708..cbe89fede628c3674e49194ee688 100644
--- a/util/module.c
+++ b/util/module.c
@@ -304,6 +304,7 @@ static struct {
{ "virtio-gpu-pci-base", "hw-", "display-virtio-gpu-pci" },
{ "virtio-gpu-pci", "hw-", "display-virtio-gpu-pci" },
{ "vhost-user-gpu-pci", "hw-", "display-virtio-gpu-pci" },
+ { "virtio-gpu-ccw", "hw-", "s390x-virtio-gpu-ccw" },
{ "virtio-vga-base", "hw-", "display-virtio-vga" },
{ "virtio-vga", "hw-", "display-virtio-vga" },
{ "vhost-user-vga", "hw-", "display-virtio-vga" },

View File

@ -1,96 +0,0 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 17 Mar 2021 10:56:20 +0100
Subject: s390x: move S390_ADAPTER_SUPPRESSIBLE
Git-commit: d4c603d7be2e4173252c5b55e62d30ddd26edaca
References: bsc#1181103
The definition S390_ADAPTER_SUPPRESSIBLE was moved to "cpu.h", per
suggestion of Thomas Huth. From interface design perspective, IMHO, not
a good thing as it belongs to the public interface of
css_register_io_adapters(). We did this because CONFIG_KVM requeires
NEED_CPU_H and Thomas, and other commenters did not like the
consequences of that.
Moving the interrupt related declarations to s390_flic.h was suggested
by Cornelia Huck.
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Tested-by: Halil Pasic <pasic@linux.ibm.com>
Message-Id: <20210317095622.2839895-2-kraxel@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
include/hw/s390x/css.h | 7 -------
include/hw/s390x/s390_flic.h | 3 +++
target/s390x/cpu.h | 9 ++++++---
3 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/include/hw/s390x/css.h b/include/hw/s390x/css.h
index 08c869ab0afc18f34fb28056ce29..7858666307a1baaf2586dce56c07 100644
--- a/include/hw/s390x/css.h
+++ b/include/hw/s390x/css.h
@@ -12,7 +12,6 @@
#ifndef CSS_H
#define CSS_H
-#include "cpu.h"
#include "hw/s390x/adapter.h"
#include "hw/s390x/s390_flic.h"
#include "hw/s390x/ioinst.h"
@@ -233,12 +232,6 @@ uint32_t css_get_adapter_id(CssIoAdapterType type, uint8_t isc);
void css_register_io_adapters(CssIoAdapterType type, bool swap, bool maskable,
uint8_t flags, Error **errp);
-#ifndef CONFIG_KVM
-#define S390_ADAPTER_SUPPRESSIBLE 0x01
-#else
-#define S390_ADAPTER_SUPPRESSIBLE KVM_S390_ADAPTER_SUPPRESSIBLE
-#endif
-
#ifndef CONFIG_USER_ONLY
SubchDev *css_find_subch(uint8_t m, uint8_t cssid, uint8_t ssid,
uint16_t schid);
diff --git a/include/hw/s390x/s390_flic.h b/include/hw/s390x/s390_flic.h
index e91b15d2d6af5feb2e7e7284bfbd..3907a13d07664bad96d466b3d20a 100644
--- a/include/hw/s390x/s390_flic.h
+++ b/include/hw/s390x/s390_flic.h
@@ -134,6 +134,9 @@ void s390_flic_init(void);
S390FLICState *s390_get_flic(void);
QEMUS390FLICState *s390_get_qemu_flic(S390FLICState *fs);
S390FLICStateClass *s390_get_flic_class(S390FLICState *fs);
+void s390_crw_mchk(void);
+void s390_io_interrupt(uint16_t subchannel_id, uint16_t subchannel_nr,
+ uint32_t io_int_parm, uint32_t io_int_word);
bool ais_needed(void *opaque);
#endif /* HW_S390_FLIC_H */
diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h
index 60d434d5edd55c59cfe7e345967c..b434b905c0ae337c62ddcc9d7e34 100644
--- a/target/s390x/cpu.h
+++ b/target/s390x/cpu.h
@@ -40,6 +40,12 @@
#define S390_MAX_CPUS 248
+#ifndef CONFIG_KVM
+#define S390_ADAPTER_SUPPRESSIBLE 0x01
+#else
+#define S390_ADAPTER_SUPPRESSIBLE KVM_S390_ADAPTER_SUPPRESSIBLE
+#endif
+
typedef struct PSW {
uint64_t mask;
uint64_t addr;
@@ -806,9 +812,6 @@ int cpu_s390x_signal_handler(int host_signum, void *pinfo, void *puc);
/* interrupt.c */
-void s390_crw_mchk(void);
-void s390_io_interrupt(uint16_t subchannel_id, uint16_t subchannel_nr,
- uint32_t io_int_parm, uint32_t io_int_word);
#define RA_IGNORED 0
void s390_program_interrupt(CPUS390XState *env, uint32_t code, uintptr_t ra);
/* service interrupts are floating therefore we must not pass an cpustate */

View File

@ -1,41 +0,0 @@
From: Matthew Rosato <mjrosato@linux.ibm.com>
Date: Thu, 18 Feb 2021 15:53:29 -0500
Subject: s390x/pci: restore missing Query PCI Function CLP data
Git-commit: 403af209db8c030ed1e000640cd3cd80c6882883
References: bsc#1183372
Some CLP response data was accidentally dropped when fixing endianness
issues with the Query PCI Function CLP response. All of these values are
sent as 0s to the guest for emulated devices, so the impact is only
observed on passthrough devices.
Fixes: a4e2fff1b104 ("s390x/pci: fix endianness issues")
Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
Message-Id: <1613681609-9349-1-git-send-email-mjrosato@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/s390x/s390-pci-inst.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/s390x/s390-pci-inst.c b/hw/s390x/s390-pci-inst.c
index 70bfd91bf70edafaa7c93469f459..f0ed9ea6f96b1202521ae434e680 100644
--- a/hw/s390x/s390-pci-inst.c
+++ b/hw/s390x/s390-pci-inst.c
@@ -284,10 +284,15 @@ int clp_service_call(S390CPU *cpu, uint8_t r2, uintptr_t ra)
stq_p(&resquery->sdma, pbdev->zpci_fn.sdma);
stq_p(&resquery->edma, pbdev->zpci_fn.edma);
stw_p(&resquery->pchid, pbdev->zpci_fn.pchid);
+ stw_p(&resquery->vfn, pbdev->zpci_fn.vfn);
resquery->flags = pbdev->zpci_fn.flags;
resquery->pfgid = pbdev->zpci_fn.pfgid;
+ resquery->pft = pbdev->zpci_fn.pft;
+ resquery->fmbl = pbdev->zpci_fn.fmbl;
stl_p(&resquery->fid, pbdev->zpci_fn.fid);
stl_p(&resquery->uid, pbdev->zpci_fn.uid);
+ memcpy(resquery->pfip, pbdev->zpci_fn.pfip, CLP_PFIP_NR_SEGMENTS);
+ memcpy(resquery->util_str, pbdev->zpci_fn.util_str, CLP_UTIL_STR_LEN);
for (i = 0; i < PCI_BAR_COUNT; i++) {
uint32_t data = pci_get_long(pbdev->pdev->config +
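Review bot: the two added memcpy() calls take their lengths from CLP_PFIP_NR_SEGMENTS and CLP_UTIL_STR_LEN rather than from the destination fields, and nothing in the hunk ties those constants to the sizes of resquery->pfip and resquery->util_str. Using sizeof(resquery->pfip) and sizeof(resquery->util_str), or a build-time assertion that source and destination sizes match, would keep the copies in bounds if either structure changes.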

View File

@ -1,55 +0,0 @@
From: Bruce Rogers <brogers@suse.com>
Date: Fri, 12 Feb 2021 20:23:18 -0700
Subject: spice-app: avoid crash when core spice module doesn't loaded
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
git-commit: 122e4ef6dea14a078a860ca253852e18ddebb8e2
When qemu is built with modules, but a given module doesn't load
qemu should handle that gracefully. When ui-spice-core.so isn't
able to be loaded and qemu is invoked with -display spice-app or
-spice, qemu will dereference a null pointer. With this change we
check the pointer before dereferencing and error out in a normal
way.
Signed-off-by: Bruce Rogers <brogers@suse.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20210213032318.346093-1-brogers@suse.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
ui/spice-app.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/ui/spice-app.c b/ui/spice-app.c
index 026124ef56a0ef26fbe3cf0a1aba..4325ac2d9c5403e8d77099825fc3 100644
--- a/ui/spice-app.c
+++ b/ui/spice-app.c
@@ -129,6 +129,7 @@ static void spice_app_atexit(void)
static void spice_app_display_early_init(DisplayOptions *opts)
{
QemuOpts *qopts;
+ QemuOptsList *list;
GError *err = NULL;
if (opts->has_full_screen) {
@@ -159,11 +160,16 @@ static void spice_app_display_early_init(DisplayOptions *opts)
exit(1);
}
}
+ list = qemu_find_opts("spice");
+ if (list == NULL) {
+ error_report("spice-app missing spice support");
+ exit(1);
+ }
type_register(&char_vc_type_info);
sock_path = g_strjoin("", app_dir, "/", "spice.sock", NULL);
- qopts = qemu_opts_create(qemu_find_opts("spice"), NULL, 0, &error_abort);
+ qopts = qemu_opts_create(list, NULL, 0, &error_abort);
qemu_opt_set(qopts, "disable-ticketing", "on", &error_abort);
qemu_opt_set(qopts, "unix", "on", &error_abort);
qemu_opt_set(qopts, "addr", sock_path, &error_abort);
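Review bot: the commit message says the null dereference happens with both -display spice-app and -spice, but the only check added is in spice_app_display_early_init(). Either point to where the -spice path gets the same qemu_find_opts("spice") NULL check, or narrow the commit message to the spice-app case. The qemu_opts_create() call that follows still uses &error_abort, so a short comment that `list` is known to be non-NULL at that point would also help.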

View File

@ -1,38 +0,0 @@
From: Jason Wang <jasowang@redhat.com>
Date: Wed, 24 Feb 2021 13:14:35 +0800
Subject: sungem: switch to use qemu_receive_packet() for loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 8c92060d3c0248bd4d515719a35922cd2391b9b4
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/sungem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/sungem.c b/hw/net/sungem.c
index 33c3722df6f7c052b1632115e602..3684a4d733b6ec8bea39b4487e18 100644
--- a/hw/net/sungem.c
+++ b/hw/net/sungem.c
@@ -306,7 +306,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
NetClientState *nc = qemu_get_queue(s->nic);
if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
- nc->info->receive(nc, buf, size);
+ qemu_receive_packet(nc, buf, size);
} else {
qemu_send_packet(nc, buf, size);
}

View File

@ -1,6 +1,7 @@
[qemu-arm package document]
SLES 15 SP3 QEMU/KVM RELATED SUPPORT STATEMENTS
POST SLES 15 SP3 QEMU/KVM RELATED SUPPORT STATEMENTS
====================================================
Overview
--------
@ -142,13 +143,14 @@ Noteworthy QEMU/KVM Unsupported Features
Deprecated, Superseded, Modified and Dropped Features
-----------------------------------------------------
- http://wiki.qemu-project.org/Features/LegacyRemoval
This website tracks feature deprecation and removal at the upstream
- http://wiki.qemu-project.org/Features/LegacyRemoval and
https://qemu-project.gitlab.io/qemu/system/deprecated.html
These websites track features deprecation and removal at the upstream
development level. Our qemu package inherits this community direction, but be
aware that we can and will deviate as needed. Those deviations and additional
information can be found in this section. Feature deprecation as well as
removed features are also tracked in the "QEMU System Emulator User's Guide"
section of the documentation installed with the qemu package.
removed features are also tracked in the "System Emulation" section of the
documentation installed with the qemu package.
- The use of "?" as a parameter to "-cpu", "-soundhw", "-device", "-M",
"-machine" and "-d" is now considered deprecated. Use "help"
@ -170,19 +172,21 @@ Deprecated, Superseded, Modified and Dropped Features
acpitable, boot, and smp respectively.
- These previously supported command line options are now considered deprecated:
-device scsi-disk (use scsi-hd or scsi-cd instead)
-device virtio-blk,scsi= (use virtio-scsi instead)
-device virtio-blk-pci,scsi= (use virtio-scsi instead)
-realtime mlock= (use -overcommit mem-lock- instead)
(the following are early notices of deprecation in a future qemu version)
-chardev tty (use serial name instead)
-chardev paraport (use parallel name instead)
-device virtio-blk,scsi= (use virtio-scsi instead)
-device virtio-blk-pci,scsi= (use virtio-scsi instead)
-enable-fips (not really helpful - see https://git.qemu.org/?p=qemu.git;a=commit;h=166310299a1e7824bbff17e1f016659d18b4a559 for details)
-realtime mlock= (use -overcommit mem-lock- instead)
-spice password=string (use password-string option instead)
-writeconfig (no replacement - never really worked right)
-share and noshare must be replaced by share=on/share=off
-nodelay must be replaced by nodelay=on rather than delay=off
-object-add options opened=on and loaded=on (both had no effect)
- These previously supported command line options are no longer supported:
<previously mentioned items have been moved to another category>
-device ide-drive (use ide-hd or ide-cd instead)
-device scsi-disk (use scsi-hd or scsi-cd instead)
- These previously supported command line options are no longer recognized:
-balloon (use -device virtio-balloon instead)
@ -193,7 +197,9 @@ Deprecated, Superseded, Modified and Dropped Features
-display sdl
-no-frame
-nodefconfig (use -no-user-config instead)
-realtime ...
-sdl
-show-cursor
-virtioconsole (use -device virtconsole instead)
- The previously unsupported machine type xlnx-ep108 is no longer recognized
@ -210,22 +216,29 @@ Deprecated, Superseded, Modified and Dropped Features
- This previously unsupported command line option is now deprecated:
-soundhw (use -device ... instead)
-tb-size
- These previously unsupported command line options are no longer recognized:
-bt
-device at24c-eeprom
-device mmio_interface
-device ssi-sd
-device tpm-tis-device
-device u2f-passthru
-device vhost-user-vsock-pci-transitional
-device vhost-vsock-pci-transitional
-device virtio-iommu-pci-transitional
-enable-hax
-tb-size
-tdf
-xen-create
- These previously supported QMP commands are now deprecated:
<previously mentioned items have been moved to another category>
- These previously supported QMP commands are no longer recognized:
block_passwd
change (use blockdev-change-medium or change-vnc-password instead)
cpu-add (use device_add instead)
migrate-set-cache-size (use migrate-set-parameters instead)
migrate_set_downtime (use migrate-set-parameters instead)
migrate_set_speed (use migrate-set-parameters instead)
@ -233,29 +246,29 @@ Deprecated, Superseded, Modified and Dropped Features
query-events
query-migrate-cache-size (use query-migrate-parameters instead)
- This previously supported QMP command is no longer recognized:
cpu-add (use device_add instead)
- These previously supported monitor commands are now deprecated:
change
migrate_set_downtime
migrate_set_speed
- These previously supported monitor commands are no longer recognized:
block_passwd ...
cpu-add (use device_add instead)
migrate_set_cache_size
migrate_set_downtime
migrate_set_speed
pci_add (use device_add instead)
pci_del (use device_del instead)
usb_add (use device_add instead)
usb_del (use device_del instead)
- These previously unsupported monitor command are now deprecated:
<previously mentioned items have been moved to another category>
- These previously unsupported monitor commands are no longer recognized:
acl_add ...
acl_policy ...
acl_remove ...
acl_reset ...
acl_show ...
- These previously unsupported monitor commands are no longer recognized:
host_net_add
host_net_remove
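Review bot: The heading "These previously unsupported monitor command are now deprecated:" in this hunk should read "commands", matching the other category headings around it. The same heading appears in the s390 and x86 documents in this commit. Since the category now holds only the "<previously mentioned items have been moved to another category>" placeholder, this is a convenient point to fix the wording in all three files.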
@ -298,6 +311,7 @@ QEMU Command-Line and Monitor Syntax and Support
- The following command line options are supported:
-accel ...
-action ...
-add-fd ...
-alt-grab
-append ...
@ -307,7 +321,8 @@ QEMU Command-Line and Monitor Syntax and Support
-blockdev ...
-boot ...
-cdrom ...
-chardev ..
-chardev ...
-compat ...
-cpu host
-ctrl-grab
-d ...
@ -338,7 +353,7 @@ QEMU Command-Line and Monitor Syntax and Support
virtio-scsi-pci-transitional|virtio-serial-pci-non-transitional|
virtio-serial-pci-transitional|vhost-user-fs-pci|vhost-user-gpu|
vhost-user-pci-pci|vhost-user-input|vhost-user-input-pci|
vhost-user-vga|virtio-mmio]
vhost-user-vga|virtio-mmio|guest-loader|nvme-subsys|pvpanic-pci]
(the following are aliases of these supported devices: ahci|
virtio-blk|virtio-net|virtio-serial|virtio-balloon| virtio-9p|
virtio-input-host|virtio-keyboard|virtio-mouse|virtio-tablet|
@ -368,8 +383,8 @@ QEMU Command-Line and Monitor Syntax and Support
-kernel ...
-loadvm ...
-m ...
-M [help|?|none|virt|virt-2.6|virt-2.11|virtio-3.1|virt-4.2|virt-5.2]
-machine [help|?|none|virt|virt-2.6|virt-2.11|virt-3.1|virt-4.2|virt-5.2]
-M [help|?|none|virt-2.6|virt-2.11|virtio-3.1|virt-4.2|virt-5.2]
-machine [help|?|none|virt-2.6|virt-2.11|virt-3.1|virt-4.2|virt-5.2]
-mem-path ...
-mem-prealloc
-mon ...
@ -398,7 +413,6 @@ QEMU Command-Line and Monitor Syntax and Support
-qmp ...
-qmp-pretty ...
-readconfig ...
-realtime ...
-rtc ...
-runas ...
-s
@ -406,7 +420,6 @@ QEMU Command-Line and Monitor Syntax and Support
-sandbox ...
-seed ...
-serial ...
-show-cursor
-smbios ...
-smp ...
-spice
@ -414,7 +427,7 @@ QEMU Command-Line and Monitor Syntax and Support
-trace ...
-usb
-usbdevice [braile|disk|host|mouse|net|serial|tablet]
-uuid ..
-uuid ...
-version
-vga [none|qxl|std|virtio]
-virtfs ...
@ -465,11 +478,8 @@ QEMU Command-Line and Monitor Syntax and Support
migrate_incoming
migrate_pause
migrate_recover ...
migrate_set_cache_size ...
migrate_set_capability ...
migrate_set_downtime ...
migrate_set_parameter ...
migrate_set_speed ...
migrate_start_post_copy
mouse_button ...
mouse_move ...
@ -529,13 +539,11 @@ QEMU Command-Line and Monitor Syntax and Support
block-export-add
block-export-del
block-latency-histogram-set
block_passwd
block_resize
block_set_io_throttle
block-set-write-threshold
block_stream
calc-dirty-rate
change
change-vnc-password
chardev-add
chardev-change
@ -548,6 +556,7 @@ QEMU Command-Line and Monitor Syntax and Support
device_add
device_del
device-list-properties
display-reload
dump-guest-memory
eject
expire_password
@ -568,10 +577,7 @@ QEMU Command-Line and Monitor Syntax and Support
migrate-incoming
migrate-pause
migrate-resume
migrate-set-cache-size
migrate-set-capabilities
migrate_set_downtime
migrate_set_speed
migrate-set-parameters
migrate-start-postcopy
object-add
@ -594,14 +600,12 @@ QEMU Command-Line and Monitor Syntax and Support
query-commands
query-cpu-definitions
query-cpu-model-expansion
query-cpus
query-cpus-fast
query-current-machine
query-display-options
query-dirty-rate
query-dump
query-dump-guest-memory-capability
query-events
query-fdsets
query-gic-capabilities
query-hotpluggable-cpus
@ -614,7 +618,6 @@ QEMU Command-Line and Monitor Syntax and Support
query-memory-size-summary
query-mice
query-migrate
query-migrate-cache-size
query-migrate-capabilities
query-migrate-parameters
query-name
@ -637,6 +640,7 @@ QEMU Command-Line and Monitor Syntax and Support
query-version
query-vnc
query-vnc-servers
query-yank
query-xen-replication-status
quit
remove-fd
@ -644,8 +648,12 @@ QEMU Command-Line and Monitor Syntax and Support
ringbuf-write
screendump
send-key
set-action
set_link
set_password
snapshot-delete
snapshot-load
snapshot-save
stop
system_powerdown
system_reset
@ -654,6 +662,7 @@ QEMU Command-Line and Monitor Syntax and Support
trace-event-set-state
transaction
watchdog-set-action
yank
- The following command line options are unsupported:
@ -668,7 +677,7 @@ QEMU Command-Line and Monitor Syntax and Support
allwinner-emac|amd-iommu|AMDVI-PCI|arm1026-arm-cpu|arm1136-arm-cpu|
arm1136-r2-arm-cpu|arm1176-arm-cpu|arm11mpcore-arm-cpu|
arm11mpcore_priv|arm11-scu|arm926-arm-cpu|arm946-arm-cpu|
ARMbitband-memory|arm.cortex-a9-global-timer|arm_gic|arm-gicv2m|
arm.cortex-a9-global-timer|arm_gic|arm-gicv2m|
arm_mptimer|armv7m_nvic|aspeed.timer|aspeed.vic|ast2400|
at25128a-nonjedec|at25256a-nonjedec|at25df041a|at25df321a|at25df641|
at25fs010|at25fs040|at26df081a|at26df161a|at26df321|at26f004|
@ -684,7 +693,7 @@ QEMU Command-Line and Monitor Syntax and Support
en25q64|exynos4210.combiner|exynos4210-ehci-usb|exynos4210.fimd|
exynos4210.gic|exynos4210.i2c|exynos4210.irq_gate|exynos4210.mct|
exynos4210.pmu|exynos4210.pwm|exynos4210.rtc|exynos4210.uart|floppy|
fsl,imx6ul|fslimx25|fslimx31|fusbh200-ehci-usb|fw_cfg|gd25q32|gd25q64|
fslimx25|fslimx31|fusbh200-ehci-usb|fw_cfg|gd25q32|gd25q64|
gpex-pcihost|gpex-root|gpio_i2c|gpio-key|gus|hyperv-testdev|
highbank-regs|host-arm-cpu|*-i386-cpu|i8042|ib700|icp-ctrl-regs|
igd-passthrough-isa-bridge|imx25.ccm|imx31.ccm|imx6.ccm|imx.avic|
@ -743,13 +752,16 @@ QEMU Command-Line and Monitor Syntax and Support
allwinner-rtc-sun4i|allwinner-rtc-sun6i|allwinner-rtc-sun7i|
allwinner-sdhost-sun4i|allwinner-sdhost-sun5i|allwinner-sid|
allwinner-sun8i-emac|imx.rngc|imx.usbphy|serial|serial-io|
stm32f405-soc|stm32f4xx-exti|stm32f4xx-syscfg|tpm-tis-device|nvdimm|
stm32f405-soc|stm32f4xx-exti|stm32f4xx-syscfg|nvdimm|
vhost-user-vsock-device|vhost-user-vsock-pci|
vhost-user-vsock-pci-non-transitional|nvme-ns|ads7846|led|ssd0323|
vhost-user-vga|ctucan_pci|bcm2835-cprman-clock-mux|
bcm2835-cprman-cprman-dsi0hsck-mux|bcm2835-cprman-cprman-pll|
bcm2835-cprman-cprman-pll-channel|mt25ql512ab|mx66l5123f|n25q512ax3|
ssd0323|u2f-passthru]
ssd0323|at24c-eeprom|emc1413|emc1414|is25lp016d|is25lp032|is25lp064|
is25lp080d|is25lp128|is25lp256|is25lq040b|is25wp032|is25wp064|
is25wp128|is25wp256|npcm7xx-clock-divider|npcm7xx-clock-pll|
npcm7xx-clock-sel]
(the following are aliases of these unsupported devices: lsi|
piix3-usb-uhci)
(note that some of these device names represent supported devices and
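Review bot: `ssd0323` is listed twice in this unsupported device list, once after `led` and again at the start of the rewritten tail (`ssd0323|at24c-eeprom|emc1413|...`). As that line is being rewritten here anyway, suggest dropping the second occurrence so each device name appears once.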
@ -771,34 +783,36 @@ QEMU Command-Line and Monitor Syntax and Support
-L ...
-M
[akita|ast2500-evb|ast2600-evb|borzoi|canon-a1100|cheetah|collie|connex|
cubieboard|highbank|imx25-pdk|integratorcp|kzm|lm3s6965evb|lm3s811evb|
mainstone|mcimx6ul-evk|mcimx7d-sabre|microbit|midway|mps2-an385|mps2-an386|
mps2-an500|mps2-an505|mps2-an511|mps2-an521|musca-a|musca-b1|musicpal|n800|
n810|netduino2|netduinoplus2|npcm750-evb|nuri|orangepi-pc|palmetto-bmc|
quanta-gsj|raspi0|raspi1ap|raspi2|raspi2b|raspi3|raspi3ap|raspi3b|
realview-eb|realview-eb-mpcore|realview-pb-a8|realview-pbx-a9|romulus-bmc|
sabrelite|sbsa-ref|smdkc210|sonorapass-bmc|spitz|supermicrox11-bmc|
swift-bmc|sx1|sx1-v1|tacoma-bmc|terrier|tosa|verdex|versatileab|
versatilepb|vexpress-a15|vexpress-a9|virt-2.7|virt-2.8|virt-2.12|virt-3.0|
virt-4.0|virt-4.1|virt-5.0|virt-5.1|witherspoon-bmc|xilinx-zynq-a9|
xlnx-versal-virt|xlnx-zcu102|z2]
[virt|akita|ast2500-evb|ast2600-evb|borzoi|canon-a1100|cheetah|collie|
connex|cubieboard|g220a-bmc|highbank|imx25-pdk|integratorcp|kzm|
lm3s6965evb|lm3s811evb|mainstone|mcimx6ul-evk|mcimx7d-sabre|microbit|
midway|mps2-an385|mps2-an386|mps2-an500|mps2-an505|mps2-an511|mps2-an521|
mps3-an524|mps3-an547|musca-a|musca-b1|musicpal|n800|n810|netduino2|
netduinoplus2|npcm750-evb|nuri|orangepi-pc|palmetto-bmc|quanta-gsj|raspi0|
raspi1ap|raspi2|raspi2b|raspi3|raspi3ap|raspi3b|realview-eb|
realview-eb-mpcore|realview-pb-a8|realview-pbx-a9|romulus-bmc|sabrelite|
sbsa-ref|smdkc210|sonorapass-bmc|spitz|supermicrox11-bmc|swift-bmc|sx1|
sx1-v1|tacoma-bmc|terrier|tosa|verdex|versatileab|versatilepb|vexpress-a15|
vexpress-a9|virt-2.7|virt-2.8|virt-2.12|virt-3.0|virt-4.0|virt-4.1|
virt-5.0|virt-5.1|virt-6.0|witherspoon-bmc|xilinx-zynq-a9|xlnx-versal-virt|
xlnx-zcu102|z2]
-machine
[akita|ast2500-evb|ast2600-evb|borzoi|canon-a1100|cheetah|collie|
connex|cubieboard|highbank|imx25-pdk|integratorcp|kzm|lm3s6965evb|
lm3s811evb|mainstone|mcimx6ul-evk|mcimx7d-sabre|microbit|midway|
mps2-an385|mps2-an386|mps2-an500|mps2-an521|mps2-an505|mps2-an511|
musca-a|musca-b1|musicpal|n800|n810|netduino2|netduinoplus2|
npcm750-evb|nuri|orangepi-pc|palmetto-bmc|quanta-gsj|raspi0|raspi1ap|
raspi2|raspi2b|raspi3|raspi3ap|raspi3b|realview-eb|
realview-eb-mpcore|realview-pb-a8|realview-pbx-a9|romulus-bmc|
sabrelite|sbsa-ref|smdkc210|sonorapass-bmc|spitz|supermicrox11-bmc|
swift-bmc|sx1|sx1-v1|tacoma-bmc|terrier|tosa|verdex|versatileab|
versatilepb|vexpress-a15|vexpress-a9|virt-2.7|virt-2.8|virt-2.12|
virt-3.0|virt-4.0|virt-4.1|virt-5.0|virt-5.1|witherspoon-bmc|
xilinx-zynq-a9|xlnx-versal-virt|xlnx-zcu102|z2]
[virt|akita|ast2500-evb|ast2600-evb|borzoi|canon-a1100|cheetah|
collie|connex|cubieboard|g220a-bmc|highbank|imx25-pdk|integratorcp|
kzm|lm3s6965evb|lm3s811evb|mainstone|mcimx6ul-evk|mcimx7d-sabre|
microbit|midway|mps2-an385|mps2-an386|mps2-an500|mps2-an521|
mps2-an505|mps2-an511|mps3-an524|mps3-an547|musca-a|musca-b1|
musicpal|n800|n810|netduino2|netduinoplus2|npcm750-evb|nuri|
orangepi-pc|palmetto-bmc|quanta-gsj|raspi0|raspi1ap|raspi2|raspi2b|
raspi3|raspi3ap|raspi3b|realview-eb|realview-eb-mpcore|
realview-pb-a8|realview-pbx-a9|romulus-bmc|sabrelite|sbsa-ref|
smdkc210|sonorapass-bmc|spitz|supermicrox11-bmc|swift-bmc|sx1|sx1-v1|
tacoma-bmc|terrier|tosa|verdex|versatileab|versatilepb|vexpress-a15|
vexpress-a9|virt-2.7|virt-2.8|virt-2.12|virt-3.0|virt-4.0|virt-4.1|
virt-5.0|virt-5.1|virt-6.0|witherspoon-bmc|xilinx-zynq-a9|
xlnx-versal-virt|xlnx-zcu102|z2]
-mtdblock file
-net [dump|socket|vde] ...
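Review bot: The `-machine` list orders the MPS2 boards as `mps2-an500|mps2-an521|mps2-an505|mps2-an511`, while the `-M` list above it places `mps2-an521` after `mps2-an511`. Suggest using the same order in both, so that a line-by-line comparison of the two lists shows at a glance that they name the same machine types.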
@ -827,7 +841,6 @@ QEMU Command-Line and Monitor Syntax and Support
-singlestep
-snapshot
-soundhw ...
-tb-size ...
-tpmdev emulator ...
-vga [cg3|tcx|virtio|cirrus|xenfb]
-win2k-hack
@ -836,17 +849,11 @@ QEMU Command-Line and Monitor Syntax and Support
-xen-domid-restrict ...
- The following monitor commands are unsupported:
acl_add ...
acl_policy ...
acl_remove ...
acl_reset ...
acl_show ...
block_job_cancel ...
block_job_complete ...
block_job_pause ...
block_job_resume ...
block_job_set_speed ...
block_passwd ...
commit ...
drive_mirror ...
exit_preconfig

@ -1,5 +1,6 @@
[qemu-ppc package document]
SLES 15 SP3 QEMU/KVM RELATED SUPPORT STATEMENTS
POST SLES 15 SP3 QEMU/KVM RELATED SUPPORT STATEMENTS
====================================================
QEMU/KVM on ppc is not supported.

@ -1,6 +1,7 @@
[qemu-s390 package document]
SLES 15 SP3 QEMU/KVM RELATED SUPPORT STATEMENTS
POST SLES 15 SP3 QEMU/KVM RELATED SUPPORT STATEMENTS
====================================================
Overview
--------
@ -138,13 +139,14 @@ Noteworthy QEMU/KVM Unsupported Features
Deprecated, Superseded, Modified and Dropped Features
-----------------------------------------------------
- http://wiki.qemu-project.org/Features/LegacyRemoval
This website tracks feature deprecation and removal at the upstream
- http://wiki.qemu-project.org/Features/LegacyRemoval and
https://qemu-project.gitlab.io/qemu/system/deprecated.html
These websites track features deprecation and removal at the upstream
development level. Our qemu package inherits this community direction, but be
aware that we can and will deviate as needed. Those deviations and additional
information can be found in this section. Feature deprecation as well as
removed features are also tracked in the "QEMU System Emulator User's Guide"
section of the documentation installed with the qemu package.
removed features are also tracked in the "System Emulation" section of the
documentation installed with the qemu package.
- The use of "?" as a parameter to "-cpu", "-soundhw", "-device", "-M",
"-machine" and "-d" is now considered deprecated. Use "help"
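Review bot: The sentence introduced for the two URLs reads "These websites track features deprecation and removal", where the x86 document in this commit has "feature deprecation" for the same sentence. Suggest the singular here as well so the shared paragraph stays identical across the per-architecture documents.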
@ -166,15 +168,17 @@ Deprecated, Superseded, Modified and Dropped Features
acpitable, boot, and smp respectively.
- These previously supported command line options are now considered deprecated:
-device virtio-blk,scsi= (use virtio-scsi instead)
-device virtio-blk-pci,scsi= (use virtio-scsi instead)
-realtime mlock= (use -overcommit mem-lock= instead)
(the following are early notices of deprecation in a future qemu version)
-chardev tty (use serial name instead)
-chardev paraport (use parallel name instead)
-device virtio-blk,scsi= (use virtio-scsi instead)
-device virtio-blk-pci,scsi= (use virtio-scsi instead)
-enable-fips (not really helpful - see https://git.qemu.org/?p=qemu.git;a=commit;h=166310299a1e7824bbff17e1f016659d18b4a559 for details)
-realtime mlock= (use -overcommit mem-lock= instead)
-spice password=string (use password-string option instead)
-writeconfig (no replacement - never really worked right)
-share and noshare must be replaced by share=on/share=off
-nodelay must be replaced by nodelay=on rather than delay=off
-object-add options opened=on and loaded=on (both had no effect)
- These previously supported command line options are no longer supported:
<previously mentioned items have been moved to another category>
@ -188,7 +192,9 @@ Deprecated, Superseded, Modified and Dropped Features
-display sdl
-no-frame
-nodefconfig (use -no-user-config instead)
-realtime ...
-sdl
-show-cursor
-virtioconsole (use -device virtconsole instead)
- Specifying a cpu feature with both "+feature/-feature" and "feature=on/off"
@ -202,23 +208,28 @@ Deprecated, Superseded, Modified and Dropped Features
- These previously unsupported command line options are now deprecated:
-bt
-device ide-drive (use ide-hd or ide-cd)
-device scsi-disk (use scsi-hd or scsi-cd)
-soundhw (use -device ... instead)
-tb-size
- These previously unsupported command line options are no longer recognized:
-device ide-drive (use ide-hd or ide-cd)
-device mmio_interface
-device ramfb
-device scsi-disk (use scsi-hd or scsi-cd)
-device vhost-user-vsock-pci-transitional
-device vhost-vsock-pci-transitional
-device virtio-iommu-pci-transitional
-enable-hax
-tb-size
-tdf
-xen-create
- These previously supported QMP commands are now deprecated:
<previously mentioned items have been moved to another category>
- These previously supported QMP commands are no longer recognized:
block_passwd
change (use blockdev-change-medium or change-vnc-password instead)
cpu-add (use device_add instead)
migrate-set-cache-size (use migrate-set-parameters instead)
migrate_set_downtime (use migrate-set-parameters instead)
migrate_set_speed (use migrate-set-parameters instead)
@ -226,27 +237,27 @@ Deprecated, Superseded, Modified and Dropped Features
query-events
query-migrate-cache-size (use query-migrate-parameters instead)
- This previously supported QMP command is no longer recognized:
cpu-add (use device_add instead)
- These previously supported monitor commands are now deprecated:
change
migrate_set_downtime
migrate_set_speed
- These previously supported monitor commands are no longer recognized:
block_passwd
cpu-add (use device_add instead)
migrate_set_cache_size
migrate_set_downtime
migrate_set_speed
pci_add (use device_add instead)
pci_del (use device_del instead)
- These previously unsupported monitor command are now deprecated:
<previously mentioned items have been moved to another category>
- These previously unsupported monitor commands are no longer recognized:
acl_add ...
acl_policy ...
acl_remove ...
acl_reset ...
acl_show ...
- These previously unsupported monitor commands are no longer recognized:
host_net_add
host_net_remove
usb_add
@ -291,6 +302,7 @@ QEMU Command-Line and Monitor Syntax and Support
- The following command line options are supported:
-accel ...
-action ...
-add-fd ...
-alt-grab
-append ...
@ -300,7 +312,8 @@ QEMU Command-Line and Monitor Syntax and Support
-blockdev ...
-boot ...
-cdrom ...
-chardev ..
-chardev ...
-compat ...
-cpu host
-ctrl-grab
-d ...
@ -310,13 +323,13 @@ QEMU Command-Line and Monitor Syntax and Support
[virtio-net-pci|virtio-blk-pci|virtio-balloon-pci|virtserialport|
virtconsole|virtio-serial-pci|virtio-scsi-pci|scsi-cd|scsi-hd|
scsi-generic|scsi-disk|scsi-block|virtio-rng-pci|pci-bridge|
megasas-gen2|e1000e|e1000|zpci|virtio-gpu-ccw|virtio-keyboard-ccw|
vhost-user-blk-pci|vhost-user-scsi|vhost-user-scsi-pci|
vhost-vsock-ccw|virtio-balloon-ccw|virtio-blk-ccw|vhost-scsi-ccw|
vhost-user-blk|virtio-crypto-ccw|virtio-net-ccw|virtio-rng-ccw|
virtio-scsi-ccw|virtio-serial-ccw|virtio-mouse-ccw|virtio-tablet-ccw|
vfio-pci|virtio-vga|vhost-scsi-pci-non-transitional|
scsi-generic|scsi-block|virtio-rng-pci|pci-bridge|megasas-gen2|e1000e|
e1000|zpci|virtio-gpu-ccw|virtio-keyboard-ccw|vhost-user-blk-pci|
vhost-user-scsi|vhost-user-scsi-pci|vhost-vsock-ccw|
virtio-balloon-ccw|virtio-blk-ccw|vhost-scsi-ccw|vhost-user-blk|
virtio-crypto-ccw|virtio-net-ccw|virtio-rng-ccw|virtio-scsi-ccw|
virtio-serial-ccw|virtio-mouse-ccw|virtio-tablet-ccw|vfio-pci|
virtio-vga|vhost-scsi-pci-non-transitional|
vhost-scsi-pci-transitional|vhost-user-blk-pci-non-transitional|
vhost-user-blk-pci-transitional|vhost-user-scsi-pci-non-transitional|
vhost-user-scsi-pci-transitional|vhost-vsock-pci-non-transitional|
@ -362,13 +375,12 @@ QEMU Command-Line and Monitor Syntax and Support
-m ...
-M
[help|?|none|s390-ccw-virtio|s390-ccw-virtio-2.6|s390-ccw-virtio-2.9|
s390-ccw-virtio-2.11|s390-ccw-virtio-3.1|s390-ccw-virtio-4.2|
s390-ccw-virtio-5.2]
[help|?|none|s390-ccw-virtio-2.6|s390-ccw-virtio-2.9|s390-ccw-virtio-2.11|
s390-ccw-virtio-3.1|s390-ccw-virtio-4.2|s390-ccw-virtio-5.2]
-machine
[help|?|none|s390-ccw-virtio|s390-ccw-virtio-2.6|s390-ccw-virtio-2.9|
[help|?|none|s390-ccw-virtio-2.6|s390-ccw-virtio-2.9|
s390-ccw-virtio-2.11|s390-ccw-virtio-3.1|s390-ccw-virtio-4.2|
s390-ccw-virtio-5.2]
@ -399,7 +411,6 @@ QEMU Command-Line and Monitor Syntax and Support
-qmp ...
-qmp-pretty ...
-readconfig ...
-realtime ...
-rtc ...
-runas ...
-s
@ -407,10 +418,9 @@ QEMU Command-Line and Monitor Syntax and Support
-sandbox ...
-seed ...
-serial ...
-show-cursor
-smp ...
-trace ...
-uuid ..
-uuid ...
-version
-vga [none|qxl|std]
-virtfs ...
@ -461,11 +471,8 @@ QEMU Command-Line and Monitor Syntax and Support
migrate_incoming
migrate_pause
migrate_recover ...
migrate_set_cache_size ...
migrate_set_capability ...
migrate_set_downtime ...
migrate_set_parameter ...
migrate_set_speed ...
migrate_start_post_copy
mouse_button ...
mouse_move ...
@ -525,13 +532,11 @@ QEMU Command-Line and Monitor Syntax and Support
block-export-add
block-export-del
block-latency-histogram-set
block_passwd
block_resize
block_set_io_throttle
block-set-write-threshold
block_stream
calc-dirty-rate
change
change-vnc-password
chardev-add
chardev-change
@ -544,6 +549,7 @@ QEMU Command-Line and Monitor Syntax and Support
device_add
device_del
device-list-properties
display-reload
dump-guest-memory
eject
expire_password
@ -564,10 +570,7 @@ QEMU Command-Line and Monitor Syntax and Support
migrate-incoming
migrate-pause
migrate-resume
migrate-set-cache-size
migrate-set-capabilities
migrate_set_downtime
migrate_set_speed
migrate-set-parameters
migrate-start-postcopy
object-add
@ -592,14 +595,12 @@ QEMU Command-Line and Monitor Syntax and Support
query-cpu-model-baseline
query-cpu-model-comparison
query-cpu-model-expansion
query-cpus
query-cpus-fast
query-current-machine
query-dirty-rate
query-display-options
query-dump
query-dump-guest-memory-capability
query-events
query-fdsets
query-gic-capabilities
query-hotpluggable-cpus
@ -612,7 +613,6 @@ QEMU Command-Line and Monitor Syntax and Support
query-memory-size-summary
query-mice
query-migrate
query-migrate-cache-size
query-migrate-capabilities
query-migrate-parameters
query-name
@ -632,6 +632,7 @@ QEMU Command-Line and Monitor Syntax and Support
query-version
query-vnc
query-vnc-servers
query-yank
query-xen-replication-status
quit
remove-fd
@ -639,8 +640,12 @@ QEMU Command-Line and Monitor Syntax and Support
ringbuf-write
screendump
send-key
set-action
set_link
set_password
snapshot-delete
snapshot-load
snapshot-save
stop
system_powerdown
system_reset
@ -649,6 +654,7 @@ QEMU Command-Line and Monitor Syntax and Support
trace-event-set-state
transaction
watchdog-set-action
yank
- The following command line options are unsupported:
@ -706,7 +712,7 @@ QEMU Command-Line and Monitor Syntax and Support
virtio-iommu-device|virtio-iommu-pci|
virtio-iommu-pci-non-transitional|vhost-user-vsock-device|
vhost-user-vsock-pci|vhost-user-vsock-pci-non-transitional|
vhost-user-fs-ccw]
vhost-user-fs-ccw|guest-loader]
(the following are aliases of these unsupported devices: lsi|
ahci|e1000-82540em|vfio-ccw)
(note that some of these device names represent supported devices and
@ -728,17 +734,19 @@ QEMU Command-Line and Monitor Syntax and Support
-L ...
-M
[s390-ccw-virtio-2.4|s390-ccw-virtio-2.5|s390-ccw-virtio-2.7|
s390-ccw-virtio-2.8|s390-ccw-virtio-2.10|s390-ccw-virtio-2.12|
s390-ccw-virtio-3.0|s390-ccw-virtio-4.0|s390-ccw-virtio-4.1|
s390-ccw-virtio-5.0|s390-ccw-virtio-5.1]
[s390-ccw-virtio|s390-ccw-virtio-2.4|s390-ccw-virtio-2.5|
s390-ccw-virtio-2.7|s390-ccw-virtio-2.8|s390-ccw-virtio-2.10|
s390-ccw-virtio-2.12|s390-ccw-virtio-3.0|s390-ccw-virtio-4.0|
s390-ccw-virtio-4.1|s390-ccw-virtio-5.0|s390-ccw-virtio-5.1|
s390-ccw-virtio-6.0]
-machine
[s390-ccw-virtio-2.4|s390-ccw-virtio-2.5|s390-ccw-virtio-2.7|
s390-ccw-virtio-2.8|s390-ccw-virtio-2.10|s390-ccw-virtio-2.12|
s390-ccw-virtio-3.0|s390-ccw-virtio-4.0|s390-ccw-virtio-4.1|
s390-ccw-virtio-5.0|s390-ccw-virtio-5.1]
[s390-ccw-virtio|s390-ccw-virtio-2.4|s390-ccw-virtio-2.5|
s390-ccw-virtio-2.7|s390-ccw-virtio-2.8|s390-ccw-virtio-2.10|
s390-ccw-virtio-2.12|s390-ccw-virtio-3.0|s390-ccw-virtio-4.0|
s390-ccw-virtio-4.1|s390-ccw-virtio-5.0|s390-ccw-virtio-5.1|
s390-ccw-virtio-6.0]
-mtdblock file
-net [dump|socket|vde] ...
@ -770,7 +778,6 @@ QEMU Command-Line and Monitor Syntax and Support
-snapshot
-soundhw ...
-spice
-tb-size ...
-tdf
-tpmdev emulator ...
-tpmdev passthrough ...
@ -783,17 +790,11 @@ QEMU Command-Line and Monitor Syntax and Support
-xen-domid-restrict ...
- The following monitor commands are unsupported:
acl_add ...
acl_policy ...
acl_remove ...
acl_reset ...
acl_show ...
block_job_cancel ...
block_job_complete ...
block_job_pause ...
block_job_resume ...
block_job_set_speed ...
block_passwd ...
commit ...
drive_mirror ...
exit_preconfig

@ -1,6 +1,7 @@
[qemu-x86 package document]
SLES 15 SP3 QEMU/KVM RELATED SUPPORT STATEMENTS
POST SLES 15 SP3 QEMU/KVM RELATED SUPPORT STATEMENTS
====================================================
Overview
--------
@ -161,13 +162,14 @@ Noteworthy QEMU/KVM Unsupported Features
Deprecated, Superseded, Modified and Dropped Features
-----------------------------------------------------
- http://wiki.qemu-project.org/Features/LegacyRemoval
This website tracks feature deprecation and removal at the upstream
- http://wiki.qemu-project.org/Features/LegacyRemoval and
https://qemu-project.gitlab.io/qemu/system/deprecated.html
These websites track feature deprecation and removal at the upstream
development level. Our qemu package inherits this community direction, but be
aware that we can and will deviate as needed. Those deviations and additional
information can be found in this section. Feature deprecation as well as
removed features are also tracked in the "QEMU System Emulator User's Guide"
section of the documentation installed with the qemu package.
removed features are also tracked in the "System Emulation" section of the
documentation installed with the qemu package.
- When no video adapter is specified, the default used is stdvga. This differs
from the default of prior releases which was cirrus. The cirrus adapter was
@ -207,21 +209,22 @@ Deprecated, Superseded, Modified and Dropped Features
versions.
- These previously supported command line options are now considered deprecated:
-device ide-drive (use ide-hd or ide-cd instead)
-device scsi-disk (use scsi-hd or scsi-cd instead)
-device virtio-blk,scsi= (use virtio-scsi instead)
-device virtio-blk-pci,scsi= (use virtio-scsi instead)
-realtime mlock= (use -overcommit mem-lock= instead)
(the following are early notices of deprecation in a future qemu version)
-M option kernel-irqchip=off
-chardev tty (use serial name instead)
-chardev paraport (use parallel name instead)
-device virtio-blk,scsi= (use virtio-scsi instead)
-device virtio-blk-pci,scsi= (use virtio-scsi instead)
-enable-fips (not really helpful - see https://git.qemu.org/?p=qemu.git;a=commit;h=166310299a1e7824bbff17e1f016659d18b4a559 for details)
-realtime mlock= (use -overcommit mem-lock= instead)
-spice password=string (use password-string option instead)
-writeconfig (no replacement - never really worked right)
-share and noshare must be replaced by share=on/share=off
-nodelay must be replaced by nodelay=on rather than delay=off
-object-add options opened=on and loaded=on (both had no effect)
- These previously supported command line options are no longer supported:
<previously mentioned items have been moved to another category>
-device ide-drive (use ide-hd or ide-cd instead)
-device scsi-disk (use scsi-hd or scsi-cd instead)
- The previously supported machine types pc-0.12, pc-0.14 and pc-0.15 are no
longer recognized. Switch to a newer machine type.
@ -235,7 +238,9 @@ Deprecated, Superseded, Modified and Dropped Features
-display sdl
-no-frame
-nodefconfig (use -no-user-config instead)
-realtime ...
-sdl
-show-cursor
-virtioconsole (use -device virtconsole instead)
- Specifying a cpu feature with both "+feature/-feature" and "feature=on/off"
@ -244,17 +249,16 @@ Deprecated, Superseded, Modified and Dropped Features
so that "+feature" and "-feature" will be synonyms for "feature=on" and
"feature=off" respectively.
- The case of specified sockets, cores, and threads not matching the vcpu count
is no longer silently ignored. QEMU now requires that the topology match the
vcpu count.
- The previously supported blkdev-add QMP command has been flagged as lacking
and could possibly change syntax in the future.
- These previously unsupported command line options are now deprecated:
-no-kvm-pit
-soundhw (use -device ... instead)
-tb-size
- The case of specified sockets, cores, and threads not matching the vcpu count
is no longer silently ignored. QEMU now requires that the topology match the
vcpu count.
- These previously unsupported command line options are no longer recognized:
-bt
@ -294,17 +298,20 @@ Deprecated, Superseded, Modified and Dropped Features
-pcidevice (use -device vfio-pci instead)
-qtest
-semihosting
-tb-size
-tdf (note: mistakenly listed previously as supported)
-xen-create
- The previously unsupported machine types pc-1.0, pc-1.1, pc-1.2 and pc-1.3 are
now deprecated.
- The previously unsupported machine types pc-0.10, pc-0.13, pc-0.14 and
pc-0.11 are no longer recognized.
- The previously unsupported machine types pc-0.10, pc-0.11, pc-0.13,
pc-1.0, pc-1.1, pc-1.2 and pc-1.3 are are no longer recognized.
- These previously supported QMP commands are now deprecated:
<previously mentioned items have been moved to another category>
- These previously supported QMP commands are no longer recognized:
block_passwd
change (use blockdev-change-medium or change-vnc-password instead)
cpu-add (use device_add instead)
migrate-set-cache-size (use migrate-set-parameters instead)
migrate_set_downtime (use migrate-set-parameters instead)
migrate_set_speed (use migrate-set-parameters instead)
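Review bot: The machine-type sentence ending "pc-1.0, pc-1.1, pc-1.2 and pc-1.3 are are no longer recognized." has a doubled "are". Suggest "... and pc-1.3 are no longer recognized." It is also worth confirming that dropping pc-0.14 from this list is intended, given that the earlier list of unsupported types in this hunk named it.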
@ -312,30 +319,30 @@ Deprecated, Superseded, Modified and Dropped Features
query-events
query-migrate-cache-size (use query-migrate-parameters instead)
- This previously supported QMP command is no longer recognized:
cpu-add (use device_add instead)
- These previously supported monitor commands are now deprecated:
change
migrate_set_downtime
migrate_set_speed
- These previously supported monitor commands are no longer recognized:
cpu-add (use device_add instead)
block_passwd
cpu-add
cpu_set
migrate_set_cache_size
migrate_set_downtime
migrate_set_speed
pci_add (use device_add instead)
pci_del (use device_del instead)
usb_add (use device_add instead)
usb_del (use device_del instead)
- These previously unsupported monitor command are now deprecated:
<previously mentioned items have been moved to another category>
- These previously unsupported monitor commands are no longer recognized:
acl_add ...
acl_policy ...
acl_remove ...
acl_reset ...
acl_show ...
- These previously unsupported monitor commands are no longer recognized:
host_net_add
host_net_remove
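Review bot: Under "These previously supported monitor commands are no longer recognized", the bare `cpu-add` entry that follows `block_passwd` has no replacement hint, although the `cpu-add (use device_add instead)` line just above it and the corresponding lists in the ARM and s390 documents do. Suggest keeping "(use device_add instead)" on that entry so the x86 document still tells readers what to switch to.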
@ -390,6 +397,7 @@ QEMU Command-Line and Monitor Syntax and Support
- The following command line options are supported:
-accel ...
-action ...
-add-fd ...
-alt-grab
-append ...
@ -399,7 +407,8 @@ QEMU Command-Line and Monitor Syntax and Support
-blockdev ...
-boot ...
-cdrom ...
-chardev ..
-chardev ...
-compat ...
-cpu ... (all except host)
-ctrl-grab
-d ...
@ -407,19 +416,19 @@ QEMU Command-Line and Monitor Syntax and Support
-debugcon ...
-device
[isa-serial|isa-parallel|isa-fdc|ide-drive|ide-hd|ide-cd|VGA|
cirrus-vga|rtl8139|usb-hub|usb-ehci|usb-tablet|usb-storage|usb-mouse|
usb-kbd|virtserialport|virtconsole|sga|i82559er|scsi-cd|scsi-hd|
scsi-generic|scsi-disk|scsi-block|pci-serial|pci-serial-2x|
pci-serial-4x|ich9-ahci|piix3-usb-uhci|usb-host|usb-serial|
usb-wacom-tablet|usb-braille|usb-net|pci-ohci|piix4-usb-uhci|i6300esb|
ib700|qxl|qxl-vga|pvpanic|vfio-pci|ivshmem-doorbell|ivshmem-plain|
pci-bridge|megasas-gen2|pc-dimm|floppy|e1000e|ccid-card-emulated|
ccid-card-passthrough|xen-backend|loader|e1000-82540em|vmgenid|
vmcoreinfo|pcie-pci-bridge|ich9-usb-ehci1|ich9-usb-ehci2|
ich9-usb-uhci1|ich9-usb-uhci2|ich9-usb-uhci3|ich9-usb-uhci4|
ich9-usb-uhci5|ich9-usb-uhci6|usb-redir|vhost-scsi|vhost-scsi-pci|
vhost-user-blk|vhost-user-blk-pci|vhost-user-blk-pci-non-transitional|
[isa-serial|isa-parallel|isa-fdc|ide-hd|ide-cd|VGA|cirrus-vga|rtl8139|
usb-hub|usb-ehci|usb-tablet|usb-storage|usb-mouse|usb-kbd|
virtserialport|virtconsole|sga|i82559er|scsi-cd|scsi-hd|scsi-generic|
scsi-block|pci-serial|pci-serial-2x|pci-serial-4x|ich9-ahci|
piix3-usb-uhci|usb-host|usb-serial|usb-wacom-tablet|usb-braille|
usb-net|pci-ohci|piix4-usb-uhci|i6300esb|ib700|qxl|qxl-vga|pvpanic|
vfio-pci|ivshmem-doorbell|ivshmem-plain|pci-bridge|megasas-gen2|
pc-dimm|floppy|e1000e|ccid-card-emulated|ccid-card-passthrough|
xen-backend|loader|e1000-82540em|vmgenid|vmcoreinfo|pcie-pci-bridge|
ich9-usb-ehci1|ich9-usb-ehci2|ich9-usb-uhci1|ich9-usb-uhci2|
ich9-usb-uhci3|ich9-usb-uhci4|ich9-usb-uhci5|ich9-usb-uhci6|
usb-redir|vhost-scsi|vhost-scsi-pci|vhost-user-blk|
vhost-user-blk-pci|vhost-user-blk-pci-non-transitional|
vhost-user-blk-pci-transitional|vhost-user-scsi|vhost-user-scsi-pci|
vhost-user-scsi-pci-non-transitional|vhost-user-pci-transitional|
vhost-vsock-pci|vhost-vsock-pci-non-transitional|virtio-balloon-pci|
@ -438,11 +447,11 @@ QEMU Command-Line and Monitor Syntax and Support
virtio-mouse-pci|virtio-tablet-pci|virtio-gpu-pci|virtio-crypto-pci|
virtio-vga|vhost-user-fs-pci|vhost-user-gpu|vhost-user-pci-pci|
vhost-user-input|vhost-user-input-pci|vhost-user-vga|virtio-mmio|
virtio-pmem|virtio-pmem-pci|mc146818rtc]
virtio-pmem|virtio-pmem-pci|mc146818rtci|nvme-subsys|guest-loader|
pvpanic-pci]
(the following are aliases of these supported devices: ahci|
e1000|virtio-blk|virtio-net|virtio-serial|virtio-balloon|virtio-9p|
virtio-scsi|virtio-rng|virtio-input-host|virtio-keyboard|virtio-mouse|
virtio-tablet|virtio-gpu)
virtio-scsi|virtio-rng|virtio-input-host|virtio-keyboard|virtio-mouse|virtio-tablet|virtio-gpu)
-dfilter range, ...
-display ...
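Review bot: `mc146818rtci` in the new tail of the `-device` list looks like a typo for `mc146818rtc`, the name the replaced line used. The stray "i" was most likely left behind when `]` became `|`, and as written the document no longer lists the RTC device under its real name. The alias paragraph is also re-joined into a single line ending `virtio-mouse|virtio-tablet|virtio-gpu)`, which overruns the wrap width used everywhere else in this list.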
@ -472,16 +481,16 @@ QEMU Command-Line and Monitor Syntax and Support
-m ...
-M
[help|?|none|pc|pc-i440fx-1.4|pc-i440fx-1.7|pc-i440fx-2.0|pc-i440fx-2.3|
[help|?|none|pc-i440fx-1.4|pc-i440fx-1.7|pc-i440fx-2.0|pc-i440fx-2.3|
pc-i440fx-2.6|pc-i440fx-2.9|pc-i440fx-2.11|pc-i440fx-3.1|pc-i440fx-4.2|
pc-i440fx-5.2|q35|pc-q35-2.6|pc-q35-2.9|pc-q35-2.11|pc-q35-3.1|pc-q35-4.2|
pc-i440fx-5.2|pc-q35-2.6|pc-q35-2.9|pc-q35-2.11|pc-q35-3.1|pc-q35-4.2|
pc-q35-5.2|xenfv|xenfv-4.2]
-machine
[help|?|none|pc|pc-i440fx-1.4|pc-i440fx-1.7|pc-i440fx-2.0|
[help|?|none|pc-i440fx-1.4|pc-i440fx-1.7|pc-i440fx-2.0|
pc-i440fx-2.3|pc-440fx-2.6|pc-i440fx-2.9|pc-i440fx-2.11|
pc-i440fx-3.1|pc-i440fx-4.2|pc-i440fx-5.2|q35|pc-q35-2.6|pc-q35-2.9|
pc-i440fx-3.1|pc-i440fx-4.2|pc-i440fx-5.2|pc-q35-2.6|pc-q35-2.9|
pc-q35-2.11|pc-q35-3.1|pc-q35-4.2|pc-q35-5.2|xenfv|xenifv-4.2]
-mem-path ...
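Review bot: in the `-machine` list, `pc-440fx-2.6` and `xenifv-4.2` do not match the `pc-i440fx-2.6` and `xenfv-4.2` entries of the `-M` list directly above it. This hunk already rewrites lines in both lists, so it is the place to correct the two names. The `-M` and `-machine` lists are meant to be identical, and a reader checking a machine type against only one of them gets a different answer.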
@ -516,7 +525,6 @@ QEMU Command-Line and Monitor Syntax and Support
-qmp ...
-qmp-pretty ...
-readconfig ...
-realtime ...
-rtc ...
-runas ...
-s
@ -524,7 +532,6 @@ QEMU Command-Line and Monitor Syntax and Support
-sandbox ...
-seed ...
-serial ...
-show-cursor
-smbios ...
-smp ...
-spice
@ -532,7 +539,7 @@ QEMU Command-Line and Monitor Syntax and Support
-trace ...
-usb
-usbdevice [braile|disk|host|mouse|net|serial|tablet]
-uuid ..
-uuid ...
-version
-vga [cirrus|none|qxl|std|xenfb]
-virtfs ...
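Review bot: the `-usbdevice` line spells the option value `braile`, while the `-device` list earlier in the file has `usb-braille`. The hunk already fixes the ellipsis on the neighbouring `-uuid` line, so the spelling could be corrected in the same pass.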
@ -586,11 +593,8 @@ QEMU Command-Line and Monitor Syntax and Support
migrate_incoming
migrate_pause
migrate_recover ...
migrate_set_cache_size ...
migrate_set_capability ...
migrate_set_downtime ...
migrate_set_parameter ...
migrate_set_speed ...
migrate_start_post_copy
mouse_button ...
mouse_move ...
@ -652,13 +656,11 @@ QEMU Command-Line and Monitor Syntax and Support
block-export-add
block-export-del
block-latency-histogram-set
block_passwd
block_resize
block_set_io_throttle
block-set-write-threshold
block_stream
calc-dirty-rate
change
change-vnc-password
chardev-add
chardev-change
@ -671,6 +673,7 @@ QEMU Command-Line and Monitor Syntax and Support
device_add
device_del
device-list-properties
display-reload
dump-guest-memory
eject
expire_password
@ -691,10 +694,7 @@ QEMU Command-Line and Monitor Syntax and Support
migrate-incoming
migrate-pause
migrate-resume
migrate-set-cache-size
migrate-set-capabilities
migrate_set_downtime
migrate_set_speed
migrate-set-parameters
migrate-start-postcopy
object-add
@ -717,14 +717,12 @@ QEMU Command-Line and Monitor Syntax and Support
query-commands
query-cpu-definitions
query-cpu-model-expansion
query-cpus
query-cpus-fast
query-current-machine
query-dirty-rate
query-display-options
query-dump
query-dump-guest-memory-capability
query-events
query-fdsets
query-gic-capabilities
query-hotpluggable-cpus
@ -737,7 +735,6 @@ QEMU Command-Line and Monitor Syntax and Support
query-memory-size-summary
query-mice
query-migrate
query-migrate-cache-size
query-migrate-capabilities
query-migrate-parameters
query-name
@ -763,6 +760,7 @@ QEMU Command-Line and Monitor Syntax and Support
query-version
query-vnc
query-vnc-servers
query-yank
query-xen-replication-status
quit
remove-fd
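Review bot: `query-yank` is inserted ahead of `query-xen-replication-status`, which breaks the alphabetical order the rest of this command list follows. Move it one line down.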
@ -770,9 +768,14 @@ QEMU Command-Line and Monitor Syntax and Support
ringbuf-write
screendump
send-key
set-action
set_link
set_password
set-numa-node
sev-inject-launch-secret
snapshot-delete
snapshot-load
snapshot-save
stop
system_powerdown
system_reset
@ -784,6 +787,7 @@ QEMU Command-Line and Monitor Syntax and Support
xen-load-devices-state
xen-save-devices-state
xen-set-global-dirty-log
yank
- The following command line options are unsupported:
@ -840,24 +844,24 @@ QEMU Command-Line and Monitor Syntax and Support
-L ...
-M
[isapc|microvm|pc-1.0|pc-1.1|pc-1.2|pc-1.3|pc-i440fx-1.5|pc-i440fx-1.6|
pc-i440fx-2.1|pc-i440fx-2.2|pc-i440fx-2.4|pc-i440fx-2.5|pc-i440fx-2.7|
pc-i440fx-2.8|pc-i440fx-2.10|pc-i440fx-2.12|pc-i440fx-3.0|pc-i440fx-4.0|
pc-i440fx-4.1|pc-i440fx-5.0|pc-i440fx-5.1|pc-q35-1.4|pc-q35-1.5|pc-q35-1.6|
pc-q35-1.7|pc-q35-2.0|pc-q35-2.1|pc-q35-2.2|pc-q35-2.3|pc-q35-2.4|
pc-q35-2.5|pc-q35-2.7|pc-q35-2.8|pc-q35-2.10|pc-q35-2.12|pc-q35-3.0|
pc-q35-4.0|pc-q35-4.1|pc-q35-5.0|pc-q35-5.1]
[pc|isapc|microvm|x-remote|pc-i440fx-1.5|pc-i440fx-1.6|pc-i440fx-2.1|
pc-i440fx-2.2|pc-i440fx-2.4|pc-i440fx-2.5|pc-i440fx-2.7|pc-i440fx-2.8|
pc-i440fx-2.10|pc-i440fx-2.12|pc-i440fx-3.0|pc-i440fx-4.0|pc-i440fx-4.1|
pc-i440fx-5.0|pc-i440fx-5.1|pc-i440fx-6.0|q35|pc-q35-1.4|pc-q35-1.5|
pc-q35-1.6|pc-q35-1.7|pc-q35-2.0|pc-q35-2.1|pc-q35-2.2|pc-q35-2.3|
pc-q35-2.4|pc-q35-2.5|pc-q35-2.7|pc-q35-2.8|pc-q35-2.10|pc-q35-2.12|
pc-q35-3.0|pc-q35-4.0|pc-q35-4.1|pc-q35-5.0|pc-q35-5.1|pc-q35-6.0]
-machine
[isapc|microvm|pc-1.0|pc-1.1|pc-1.2|pc-1.3|pc-i440fx-1.5|
pc-i440fx-1.6|pc-i440fx-2.1|pc-i440fx-2.2|pc-i440fx-2.4|
pc-i440fx-2.5|pc-i440fx-2.7|pc-i440fx-2.8|pc-i440fx-2.10|
pc-i440fx-2.12|pc-i440fx-3.0|pc-i440fx-4.0|pc-i440fx-4.1|
pc-i440fx-5.0|pc-i440fx-5.1|pc-q35-1.4|pc-q35-1.5|pc-q35-1.6|
pc-q35-1.7|pc-q35-2.0|pc-q35-2.1|pc-q35-2.2|pc-q35-2.3|pc-q35-2.4|
pc-q35-2.5|pc-q35-2.7|pc-q35-2.8|pc-q35-2.10|pc-q35-2.12|pc-q35-3.0|
pc-q35-4.0|pc-q35-4.1|pc-q35-5.0|pc-q35-5.1]
[pc|isapc|microvm|x-remote|pc-i440fx-1.5|pc-i440fx-1.6|pc-i440fx-2.1|
pc-i440fx-2.2|pc-i440fx-2.4|pc-i440fx-2.5|pc-i440fx-2.7|
pc-i440fx-2.8|pc-i440fx-2.10|pc-i440fx-2.12|pc-i440fx-3.0|
pc-i440fx-4.0|pc-i440fx-4.1|pc-i440fx-5.0|pc-i440fx-5.1|
pc-i440fx-6.0|q35|pc-q35-1.4|pc-q35-1.5|pc-q35-1.6|pc-q35-1.7|
pc-q35-2.0|pc-q35-2.1|pc-q35-2.2|pc-q35-2.3|pc-q35-2.4|pc-q35-2.5|
pc-q35-2.7|pc-q35-2.8|pc-q35-2.10|pc-q35-2.12|pc-q35-3.0|pc-q35-4.0|
pc-q35-4.1|pc-q35-5.0|pc-q35-5.1|pc-q35-6.0]
-mtdblock file
-net [dump|socket|vde] ...
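Review bot: the bare `pc` and `q35` machine names move into the unsupported `-M` and `-machine` lists here, together with the new `pc-i440fx-6.0` and `pc-q35-6.0`, but the text gives no guidance for guests that are started with the bare name. Add a sentence saying which versioned type to use instead; the supported lists top out at `pc-i440fx-5.2` and `pc-q35-5.2`. The `pc-1.0` to `pc-1.3` entries also disappear from the unsupported lists without visibly reappearing under a "no longer recognized" heading.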
@ -879,23 +883,16 @@ QEMU Command-Line and Monitor Syntax and Support
-singlestep
-snapshot
-soundhw ...
-tb-size ...
-tpmdev emulator ...
-vga [cg3|tcx|virtio|vmware]
-win2k-hack
- The following monitor commands are unsupported:
acl_add ...
acl_policy ...
acl_remove ...
acl_reset ...
acl_show ...
block_job_cancel ...
block_job_complete ...
block_job_pause ...
block_job_resume ...
block_job_set_speed ...
block_passwd ...
commit ...
drive_mirror ...
exit_preconfig


@ -1,48 +0,0 @@
From: Peter Maydell <peter.maydell@linaro.org>
Date: Fri, 8 Jan 2021 19:51:57 +0000
Subject: target/arm: Don't decode insns in the XScale/iWMMXt space as cp insns
Git-commit: e4d51ac6921dc861bfb3d20e4c7dcf345840a9da
In commit cd8be50e58f63413c0 we converted the A32 coprocessor
insns to decodetree. This accidentally broke XScale/iWMMXt insns,
because it moved the handling of "cp insns which are handled
by looking up the cp register in the hashtable" from after the
call to the legacy disas_xscale_insn() decode to before it,
with the result that all XScale/iWMMXt insns now UNDEF.
Update valid_cp() so that it knows that on XScale cp 0 and 1
are not standard coprocessor instructions; this will cause
the decodetree trans_ functions to ignore them, so that
execution will correctly get through to the legacy decode again.
Cc: qemu-stable@nongnu.org
Reported-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Message-id: 20210108195157.32067-1-peter.maydell@linaro.org
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/arm/translate.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/target/arm/translate.c b/target/arm/translate.c
index 6d04ca3a8a09818cfbfba706a4c3..8089a4ff7e542204a6a1bf6f5637 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -5275,7 +5275,14 @@ static bool valid_cp(DisasContext *s, int cp)
* only cp14 and cp15 are valid, and other values aren't considered
* to be in the coprocessor-instruction space at all. v8M still
* permits coprocessors 0..7.
+ * For XScale, we must not decode the XScale cp0, cp1 space as
+ * a standard coprocessor insn, because we want to fall through to
+ * the legacy disas_xscale_insn() decoder after decodetree is done.
*/
+ if (arm_dc_feature(s, ARM_FEATURE_XSCALE) && (cp == 0 || cp == 1)) {
+ return false;
+ }
+
if (arm_dc_feature(s, ARM_FEATURE_V8) &&
!arm_dc_feature(s, ARM_FEATURE_M)) {
return cp >= 14;
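Review bot: no regression test accompanies the new XScale early return in `valid_cp()`. The diffstat shows only `target/arm/translate.c` changing, and the commit message says the breakage (all XScale/iWMMXt insns UNDEF) was found by an external report. A small test that executes one cp0 or cp1 instruction on an XScale CPU model would catch a repeat if the decodetree ordering changes again. The comment could also say that the `cp == 0 || cp == 1` test has to stay ahead of the V8 and later checks.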


@ -1,35 +0,0 @@
From: Richard Henderson <richard.henderson@linaro.org>
Date: Mon, 21 Dec 2020 12:44:26 -0800
Subject: target/arm: Fix MTE0_ACTIVE
Git-commit: cc97b0019bb590b9b3c2a623e9ebee48831e0ce3
In 50244cc76abc we updated mte_check_fail to match the ARM
pseudocode, using the correct EL to select the TCF field.
But we failed to update MTE0_ACTIVE the same way, which led
to g_assert_not_reached().
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/bugs/1907137
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201221204426.88514-1-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/arm/helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index 38cd35c049292d40df5a35854f4b..194d752763b2a74af2e4e45e0a96 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -12927,7 +12927,7 @@ static uint32_t rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
if (FIELD_EX32(flags, TBFLAG_A64, UNPRIV)
&& tbid
&& !(env->pstate & PSTATE_TCO)
- && (sctlr & SCTLR_TCF0)
+ && (sctlr & SCTLR_TCF)
&& allocation_tag_access_enabled(env, 0, sctlr)) {
flags = FIELD_DP32(flags, TBFLAG_A64, MTE0_ACTIVE, 1);
}
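Review bot: after this change the condition that sets `MTE0_ACTIVE` tests `SCTLR_TCF` rather than `SCTLR_TCF0`, which reads like a mismatch to anyone who has not seen the commit message. Add a short comment above the `if` explaining that the TCF field is chosen by the EL taking the fault, to match `mte_check_fail`, so a later cleanup does not "fix" it back. The message mentions a `g_assert_not_reached()` failure, but no test is added for it.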


@ -1,45 +0,0 @@
From: Richard Henderson <richard.henderson@linaro.org>
Date: Tue, 12 Jan 2021 20:26:47 -1000
Subject: target/arm: Introduce PREDDESC field definitions
Git-commit: b64ee454a4a086ed459bcda4c0bbb54e197841e4
SVE predicate operations cannot use the "usual" simd_desc
encoding, because the lengths are not a multiple of 8.
But we were abusing the SIMD_* fields to store values anyway.
This abuse broke when SIMD_OPRSZ_BITS was modified in e2e7168a214.
Introduce a new set of field definitions for exclusive use
of predicates, so that it is obvious what kind of predicate
we are manipulating. To be used in future patches.
Cc: qemu-stable@nongnu.org
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20210113062650.593824-2-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/arm/internals.h | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/target/arm/internals.h b/target/arm/internals.h
index 5460678756d3c4e5f34abe5f6411..73698587d6b8eeffd6ccd1515e7a 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -1312,6 +1312,15 @@ void arm_log_exception(int idx);
#define LOG2_TAG_GRANULE 4
#define TAG_GRANULE (1 << LOG2_TAG_GRANULE)
+/*
+ * SVE predicates are 1/8 the size of SVE vectors, and cannot use
+ * the same simd_desc() encoding due to restrictions on size.
+ * Use these instead.
+ */
+FIELD(PREDDESC, OPRSZ, 0, 6)
+FIELD(PREDDESC, ESZ, 6, 2)
+FIELD(PREDDESC, DATA, 8, 24)
+
/*
* The SVE simd_data field, for memory ops, contains either
* rd (5 bits) or a shift count (2 bits).
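Review bot: the new comment above the `PREDDESC` fields does not say what each field holds. `OPRSZ` is 6 bits wide, so it can carry 0..63, and the comment should state the unit (bytes of predicate) and whether the value is stored raw or biased. It should also say what `ESZ` encodes and what `DATA` is for. The three fields fill all 32 bits of the descriptor (6 + 2 + 24), so a note that no bits are spare would help whoever needs to add one later.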

Some files were not shown because too many files have changed in this diff