Accepting request 822154 from home:bfrogers:branches:Virtualization
- Updating to Sphinx v3.1.2 in Factory is exposing an issue in qemu doc sources. Fix it docs-fix-trace-docs-build-with-sphinx-3..patch - Fix DoS possibility in ati-vga emulation (CVE-2020-13800 bsc#1172495) ati-vga-check-mm_index-before-recursive-.patch - Fix DoS possibility in Network Block Device (nbd) support infrastructure (CVE-2020-10761 bsc#1172710) nbd-server-Avoid-long-error-message-asse.patch - Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386) exec-set-map-length-to-zero-when-returni.patch - Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383) megasas-use-unsigned-type-for-reply_queu.patch - Fix legacy IGD passthrough hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch - The latest gcc10 available in Factory has the fix for the issue this patch was created to avoid, so drop it build-Work-around-gcc10-bug-by-not-using.patch - Switch to upstream versions of some patches we carry add-enum-cast-to-avoid-gcc10-warning.patch -> golan-Add-explicit-type-casts-for-nodnic.patch Be-explicit-about-fcommon-compiler-direc.patch -> build-Be-explicit-about-fcommon-compiler.patch Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch -> build-Do-not-apply-WORKAROUND_CFLAGS-for.patch Fix-s-directive-argument-is-null-error.patch -> build-Fix-s-directive-argument-is-null-e.patch Workaround-compilation-error-with-gcc-9..patch -> build-Workaround-compilation-error-with-.patch work-around-gcc10-problem-with-zero-leng.patch -> intel-Avoid-spurious-compiler-warning-on.patch - Fix vgabios issue for cirrus graphics emulation, which effectively downgraded it to standard VGA behavior vga-fix-cirrus-bios.patch - Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384) es1370-check-total-frame-count-against-c.patch OBS-URL: https://build.opensuse.org/request/show/822154 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=553
This commit is contained in:
parent
594e246a0a
commit
af68a7132d
@ -1,35 +0,0 @@
|
||||
From: Bruce Rogers <brogers@suse.com>
|
||||
Date: Tue, 5 May 2020 10:09:47 -0600
|
||||
Subject: Be explicit about -fcommon compiler directive
|
||||
|
||||
References: boo#1171140
|
||||
|
||||
gcc10 switched default behavior from -fcommon to -fno-common. Since
|
||||
"__shared" relies on the legacy behavior, explicitly specify it.
|
||||
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
src/Makefile.housekeeping | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping
|
||||
index 1ddbddd247d9929d63b1654d7206..3f091c7dc937fbdac6434d10aec7 100644
|
||||
--- a/roms/ipxe/src/Makefile.housekeeping
|
||||
+++ b/roms/ipxe/src/Makefile.housekeeping
|
||||
@@ -170,6 +170,16 @@ CFI_FLAGS := $(shell $(CFI_TEST) && \
|
||||
WORKAROUND_CFLAGS += $(CFI_FLAGS)
|
||||
endif
|
||||
|
||||
+# gcc 10 switched default behavior from -fcommon to -fno-common. Since
|
||||
+# "__shared" relies on the legacy behavior, explicitly specify it.
|
||||
+#
|
||||
+ifeq ($(CCTYPE),gcc)
|
||||
+FCOMMON_TEST = $(CC) -fcommon -x c -c /dev/null \
|
||||
+ -o /dev/null >/dev/null 2>&1
|
||||
+FCOMMON_FLAGS := $(shell $(FCOMMON_TEST) && $(ECHO) '-fcommon')
|
||||
+WORKAROUND_CFLAGS += $(FCOMMON_FLAGS)
|
||||
+endif
|
||||
+
|
||||
# gcc 4.6 generates spurious warnings if -Waddress is in force.
|
||||
# Inhibit this.
|
||||
#
|
@ -14,7 +14,7 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/exec.c b/exec.c
|
||||
index 2874bb508853d353bca3b9790e5d..76ac1f619b563c591f36f9601c15 100644
|
||||
index 2c419f327cf925ee55c46d111272..7adf108c66ed8912588cb83bc15e 100644
|
||||
--- a/exec.c
|
||||
+++ b/exec.c
|
||||
@@ -2297,11 +2297,13 @@ RAMBlock *qemu_ram_alloc_from_fd(ram_addr_t size, MemoryRegion *mr,
|
||||
|
@ -2,10 +2,10 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Tue, 25 Feb 2020 06:09:23 -0500
|
||||
Subject: Sync pv
|
||||
|
||||
Git-commit: 6807f464961cfee1dd81c95e22ddd91fa352fcc4
|
||||
References: bsc#1167075
|
||||
|
||||
Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
|
||||
(cherry picked from commit 6807f464961cfee1dd81c95e22ddd91fa352fcc4)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
linux-headers/linux/kvm.h | 45 +++++++++++++++++++++++++++++++++++++--
|
||||
|
@ -1,38 +0,0 @@
|
||||
From: Bruce Rogers <brogers@suse.com>
|
||||
Date: Tue, 5 May 2020 13:33:49 -0600
|
||||
Subject: add enum cast to avoid gcc10 warning
|
||||
|
||||
References: boo#1171139
|
||||
|
||||
Two enums are practically the same, and have been used interchangably
|
||||
without problem. But gcc10 has flagged that usage as problematic.
|
||||
Casting from one type to the other clears use the warning, and adds some
|
||||
clarity that this is intentional usage.
|
||||
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
src/drivers/infiniband/flexboot_nodnic.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c b/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c
|
||||
index c13fcefc56866da67d701baa96b8..ac28949d3cca6b0c29a8a32165e7 100644
|
||||
--- a/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c
|
||||
+++ b/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c
|
||||
@@ -365,7 +365,7 @@ static int flexboot_nodnic_create_qp ( struct ib_device *ibdev,
|
||||
goto qp_alloc_err;
|
||||
}
|
||||
|
||||
- status = nodnic_port_create_qp(&port->port_priv, qp->type,
|
||||
+ status = nodnic_port_create_qp(&port->port_priv, (nodnic_queue_pair_type)qp->type,
|
||||
qp->send.num_wqes * sizeof(struct nodnic_send_wqbb),
|
||||
qp->send.num_wqes,
|
||||
qp->recv.num_wqes * sizeof(struct nodnic_recv_wqe),
|
||||
@@ -406,7 +406,7 @@ static void flexboot_nodnic_destroy_qp ( struct ib_device *ibdev,
|
||||
struct flexboot_nodnic_port *port = &flexboot_nodnic->port[ibdev->port - 1];
|
||||
struct flexboot_nodnic_queue_pair *flexboot_nodnic_qp = ib_qp_get_drvdata ( qp );
|
||||
|
||||
- nodnic_port_destroy_qp(&port->port_priv, qp->type,
|
||||
+ nodnic_port_destroy_qp(&port->port_priv, (nodnic_queue_pair_type)qp->type,
|
||||
flexboot_nodnic_qp->nodnic_queue_pair);
|
||||
|
||||
free(flexboot_nodnic_qp);
|
58
ati-vga-check-mm_index-before-recursive-.patch
Normal file
58
ati-vga-check-mm_index-before-recursive-.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 4 Jun 2020 14:38:30 +0530
|
||||
Subject: ati-vga: check mm_index before recursive call (CVE-2020-13800)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Git-commit: a98610c429d52db0937c1e48659428929835c455
|
||||
References: bsc#1172495, CVE-2020-13800
|
||||
|
||||
While accessing VGA registers via ati_mm_read/write routines,
|
||||
a guest may set 's->regs.mm_index' such that it leads to infinite
|
||||
recursion. Check mm_index value to avoid such recursion. Log an
|
||||
error message for wrong values.
|
||||
|
||||
Reported-by: Ren Ding <rding@gatech.edu>
|
||||
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
|
||||
Reported-by: Yi Ren <c4tren@gmail.com>
|
||||
Message-id: 20200604090830.33885-1-ppandit@redhat.com
|
||||
Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
|
||||
Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/display/ati.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/display/ati.c b/hw/display/ati.c
|
||||
index 58ec8291d4601b70720fa1484f88..9228f1b242bb7b141eb50a19e12b 100644
|
||||
--- a/hw/display/ati.c
|
||||
+++ b/hw/display/ati.c
|
||||
@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
|
||||
if (idx <= s->vga.vram_size - size) {
|
||||
val = ldn_le_p(s->vga.vram_ptr + idx, size);
|
||||
}
|
||||
- } else {
|
||||
+ } else if (s->regs.mm_index > MM_DATA + 3) {
|
||||
val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
|
||||
+ } else {
|
||||
+ qemu_log_mask(LOG_GUEST_ERROR,
|
||||
+ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
|
||||
}
|
||||
break;
|
||||
case BIOS_0_SCRATCH ... BUS_CNTL - 1:
|
||||
@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
|
||||
if (idx <= s->vga.vram_size - size) {
|
||||
stn_le_p(s->vga.vram_ptr + idx, size, data);
|
||||
}
|
||||
- } else {
|
||||
+ } else if (s->regs.mm_index > MM_DATA + 3) {
|
||||
ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
|
||||
+ } else {
|
||||
+ qemu_log_mask(LOG_GUEST_ERROR,
|
||||
+ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
|
||||
}
|
||||
break;
|
||||
case BIOS_0_SCRATCH ... BUS_CNTL - 1:
|
29
build-Be-explicit-about-fcommon-compiler.patch
Normal file
29
build-Be-explicit-about-fcommon-compiler.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From: Bruce Rogers <brogers@suse.com>
|
||||
Date: Wed, 6 May 2020 15:03:02 -0600
|
||||
Subject: [build] Be explicit about -fcommon compiler directive
|
||||
|
||||
Git-commit: 6260364cc4bfea9a78867da63be8d4bf50e4a561
|
||||
References: boo#1171140
|
||||
|
||||
gcc10 switched default behavior from -fcommon to -fno-common. Since
|
||||
"__shared" relies on the legacy behavior, explicitly specify it.
|
||||
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
Modified-by: Michael Brown <mcb30@ipxe.org>
|
||||
Signed-off-by: Michael Brown <mcb30@ipxe.org>
|
||||
---
|
||||
src/Makefile.housekeeping | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping
|
||||
index 1b175b9508c0d20f169801f8763d..893bd20f1fd5cecf0e480dee05bd 100644
|
||||
--- a/roms/ipxe/src/Makefile.housekeeping
|
||||
+++ b/roms/ipxe/src/Makefile.housekeeping
|
||||
@@ -422,6 +422,7 @@ CFLAGS += -Os
|
||||
CFLAGS += -g
|
||||
ifeq ($(CCTYPE),gcc)
|
||||
CFLAGS += -ffreestanding
|
||||
+CFLAGS += -fcommon
|
||||
CFLAGS += -Wall -W -Wformat-nonliteral
|
||||
HOST_CFLAGS += -Wall -W -Wformat-nonliteral
|
||||
endif
|
@ -1,6 +1,6 @@
|
||||
From: Michael Brown <mcb30@ipxe.org>
|
||||
Date: Mon, 22 Jul 2019 14:51:28 +0100
|
||||
Subject: Do not apply WORKAROUND_CFLAGS for host compiler
|
||||
Subject: [build] Do not apply WORKAROUND_CFLAGS for host compiler
|
||||
|
||||
Git-commit: a4f8c6e31f6c62522cfc633bbbffa81b22f9d6f3
|
||||
Include-If: %ifarch aarch64
|
||||
@ -29,7 +29,7 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
2 files changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping
|
||||
index e5f6927de889167d286ccfcdda92..1ddbddd247d9929d63b1654d7206 100644
|
||||
index 4b09e81f0b1eb82e79f6af11986d..1b175b9508c0d20f169801f8763d 100644
|
||||
--- a/roms/ipxe/src/Makefile.housekeeping
|
||||
+++ b/roms/ipxe/src/Makefile.housekeeping
|
||||
@@ -454,7 +454,7 @@ endif
|
@ -1,6 +1,6 @@
|
||||
From: Valentine Barshak <gvaxon@gmail.com>
|
||||
Date: Sun, 9 Jun 2019 13:30:11 +0300
|
||||
Subject: Fix "'%s' directive argument is null" error
|
||||
Subject: [build] Fix "'%s' directive argument is null" error
|
||||
|
||||
Git-commit: 412acd7854de10e7194f362a6b1a3257a17974f7
|
||||
References: bsc#1121464
|
@ -1,78 +0,0 @@
|
||||
From: Bruce Rogers <brogers@suse.com>
|
||||
Date: Mon, 1 Jun 2020 14:48:23 -0600
|
||||
Subject: build: Work around gcc10 bug by not using char type in triggering
|
||||
code
|
||||
|
||||
References: boo#1172411
|
||||
|
||||
It appears we are bumping into a bug in the gcc10 compiler where it gets
|
||||
it wrong in deciding that we're beyond the end of an array, in this case
|
||||
because of some detection wrt the char type. Change to non-char type to
|
||||
work around this issue. As near as I can tell, this isn't introducing
|
||||
any behavioral changes or another bug. (see for eg:
|
||||
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=92955 )
|
||||
|
||||
Here is the error reported:
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c: In function 'reset_tlb_mmu_ways56.constprop.isra':
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 377 | entry[6][ei].asid = 1;
|
||||
[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 378 | entry[6][ei].attr = 3;
|
||||
[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 377 | entry[6][ei].asid = 1;
|
||||
[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 378 | entry[6][ei].attr = 3;
|
||||
[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 377 | entry[6][ei].asid = 1;
|
||||
[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 378 | entry[6][ei].attr = 3;
|
||||
[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 377 | entry[6][ei].asid = 1;
|
||||
[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 378 | entry[6][ei].attr = 3;
|
||||
[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 377 | entry[6][ei].asid = 1;
|
||||
[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 378 | entry[6][ei].attr = 3;
|
||||
[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 377 | entry[6][ei].asid = 1;
|
||||
[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 378 | entry[6][ei].attr = 3;
|
||||
[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:377:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 377 | entry[6][ei].asid = 1;
|
||||
[ 2046s] | ~~~~~~~~~~~~~~~~~~^~~
|
||||
[ 2046s] /home/abuild/rpmbuild/BUILD/qemu-5.0.50/target/xtensa/mmu_helper.c:378:31: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=]
|
||||
[ 2046s] 378 | entry[6][ei].attr = 3;
|
||||
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
target/xtensa/cpu.h | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/target/xtensa/cpu.h b/target/xtensa/cpu.h
|
||||
index 7a46dccbe11b05e9565192b9e242..fc039349623057083541c160270f 100644
|
||||
--- a/target/xtensa/cpu.h
|
||||
+++ b/target/xtensa/cpu.h
|
||||
@@ -309,8 +309,8 @@ struct CPUXtensaState;
|
||||
typedef struct xtensa_tlb_entry {
|
||||
uint32_t vaddr;
|
||||
uint32_t paddr;
|
||||
- uint8_t asid;
|
||||
- uint8_t attr;
|
||||
+ uint32_t asid;
|
||||
+ uint32_t attr;
|
||||
bool variable;
|
||||
} xtensa_tlb_entry;
|
||||
|
@ -1,7 +1,8 @@
|
||||
From: Valentine Barshak <gvaxon@gmail.com>
|
||||
Date: Mon, 22 Jul 2019 10:47:50 +0100
|
||||
Subject: Workaround compilation error with gcc 9.1
|
||||
Subject: [build] Workaround compilation error with gcc 9.1
|
||||
|
||||
Git-commit: 1dd56dbd11082fb622c2ed21cfaced4f47d798a6
|
||||
References: bsc#1121464
|
||||
|
||||
Compiling with gcc 9.1 generates lots of "taking address of packed
|
||||
@ -32,7 +33,7 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping
|
||||
index 97fa325bb52314e05192d0414436..e5f6927de889167d286ccfcdda92 100644
|
||||
index f8334921b8b93cbd03f0a0de9910..4b09e81f0b1eb82e79f6af11986d 100644
|
||||
--- a/roms/ipxe/src/Makefile.housekeeping
|
||||
+++ b/roms/ipxe/src/Makefile.housekeeping
|
||||
@@ -185,6 +185,15 @@ WNST_TEST = $(CC) -Wstringop-truncation -x c -c /dev/null -o /dev/null \
|
@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:6a979bc525329c87dc152af9613a1d7bc00c0bb3a9f0deb477a4e70d2a833d94
|
||||
size 53172
|
||||
oid sha256:a3100e9fea5e800afc25cff3f405b4645ba98f79cf6ff36e27f120a33c1e8ffc
|
||||
size 58452
|
||||
|
61
docs-fix-trace-docs-build-with-sphinx-3..patch
Normal file
61
docs-fix-trace-docs-build-with-sphinx-3..patch
Normal file
@ -0,0 +1,61 @@
|
||||
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
||||
Date: Tue, 14 Jul 2020 17:26:59 +0100
|
||||
Subject: docs: fix trace docs build with sphinx 3.1.1
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Git-commit: 0000000000000000000000000000000000000000
|
||||
|
||||
In Fedora 33 rawhide, we now have sphinx 3.1.1, as opposed
|
||||
to previous 2.2.2. This new version generates a warning on
|
||||
the source:
|
||||
|
||||
docs/qemu-option-trace.rst.inc:4:Malformed option description
|
||||
'[enable=]PATTERN', should look like "opt", "-opt args",
|
||||
"--opt args", "/opt args" or "+opt args"
|
||||
|
||||
This turns into an error when QEMU passes -W to sphinx-build
|
||||
|
||||
Strangely the previous 2.2.2 code has the exact same logic
|
||||
for checking the syntax, but it is not being triggered. While
|
||||
it is only complaining about the first option, I changed all
|
||||
the options to give consistency.
|
||||
|
||||
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
docs/qemu-option-trace.rst.inc | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/docs/qemu-option-trace.rst.inc b/docs/qemu-option-trace.rst.inc
|
||||
index 7e09773a9c518f6a47e9262b66c6..e79b0b43fcb3f5a05ad281109e6f 100644
|
||||
--- a/docs/qemu-option-trace.rst.inc
|
||||
+++ b/docs/qemu-option-trace.rst.inc
|
||||
@@ -1,7 +1,7 @@
|
||||
|
||||
Specify tracing options.
|
||||
|
||||
-.. option:: [enable=]PATTERN
|
||||
+.. option:: -trace [enable=]PATTERN
|
||||
|
||||
Immediately enable events matching *PATTERN*
|
||||
(either event name or a globbing pattern). This option is only
|
||||
@@ -11,7 +11,7 @@ Specify tracing options.
|
||||
|
||||
Use :option:`-trace help` to print a list of names of trace points.
|
||||
|
||||
-.. option:: events=FILE
|
||||
+.. option:: -trace events=FILE
|
||||
|
||||
Immediately enable events listed in *FILE*.
|
||||
The file must contain one event name (as listed in the ``trace-events-all``
|
||||
@@ -19,7 +19,7 @@ Specify tracing options.
|
||||
available if QEMU has been compiled with the ``simple``, ``log`` or
|
||||
``ftrace`` tracing backend.
|
||||
|
||||
-.. option:: file=FILE
|
||||
+.. option:: -trace file=FILE
|
||||
|
||||
Log output traces to *FILE*.
|
||||
This option is only available if QEMU has been compiled with
|
60
es1370-check-total-frame-count-against-c.patch
Normal file
60
es1370-check-total-frame-count-against-c.patch
Normal file
@ -0,0 +1,60 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 15 May 2020 01:36:08 +0530
|
||||
Subject: es1370: check total frame count against current frame
|
||||
|
||||
Git-commit: 369ff955a8497988d079c4e3fa1e93c2570c1c69
|
||||
References: bsc#1172384, CVE-2020-13361
|
||||
|
||||
A guest user may set channel frame count via es1370_write()
|
||||
such that, in es1370_transfer_audio(), total frame count
|
||||
'size' is lesser than the number of frames that are processed
|
||||
'cnt'.
|
||||
|
||||
int cnt = d->frame_cnt >> 16;
|
||||
int size = d->frame_cnt & 0xffff;
|
||||
|
||||
if (size < cnt), it results in incorrect calculations leading
|
||||
to OOB access issue(s). Add check to avoid it.
|
||||
|
||||
Reported-by: Ren Ding <rding@gatech.edu>
|
||||
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 20200514200608.1744203-1-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/audio/es1370.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
|
||||
index 89c4dabcd44fb2d7782e3cabc51d..5f8a83ff56241d94347c1e51419e 100644
|
||||
--- a/hw/audio/es1370.c
|
||||
+++ b/hw/audio/es1370.c
|
||||
@@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
|
||||
int csc_bytes = (csc + 1) << d->shift;
|
||||
int cnt = d->frame_cnt >> 16;
|
||||
int size = d->frame_cnt & 0xffff;
|
||||
+ if (size < cnt) {
|
||||
+ return;
|
||||
+ }
|
||||
int left = ((size - cnt + 1) << 2) + d->leftover;
|
||||
int transferred = 0;
|
||||
int temp = MIN (max, MIN (left, csc_bytes));
|
||||
@@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
|
||||
addr += (cnt << 2) + d->leftover;
|
||||
|
||||
if (index == ADC_CHANNEL) {
|
||||
- while (temp) {
|
||||
+ while (temp > 0) {
|
||||
int acquired, to_copy;
|
||||
|
||||
to_copy = MIN ((size_t) temp, sizeof (tmpbuf));
|
||||
@@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
|
||||
else {
|
||||
SWVoiceOut *voice = s->dac_voice[index];
|
||||
|
||||
- while (temp) {
|
||||
+ while (temp > 0) {
|
||||
int copied, to_copy;
|
||||
|
||||
to_copy = MIN ((size_t) temp, sizeof (tmpbuf));
|
54
exec-set-map-length-to-zero-when-returni.patch
Normal file
54
exec-set-map-length-to-zero-when-returni.patch
Normal file
@ -0,0 +1,54 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 26 May 2020 16:47:43 +0530
|
||||
Subject: exec: set map length to zero when returning NULL
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Git-commit: 77f55eac6c433e23e82a1b88b2d74f385c4c7d82
|
||||
References: bsc#1172386, CVE-2020-13659
|
||||
|
||||
When mapping physical memory into host's virtual address space,
|
||||
'address_space_map' may return NULL if BounceBuffer is in_use.
|
||||
Set and return '*plen = 0' to avoid later NULL pointer dereference.
|
||||
|
||||
Reported-by: Alexander Bulekov <alxndr@bu.edu>
|
||||
Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
|
||||
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
|
||||
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
exec.c | 1 +
|
||||
include/exec/memory.h | 3 ++-
|
||||
2 files changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/exec.c b/exec.c
|
||||
index 2874bb508853d353bca3b9790e5d..2c419f327cf925ee55c46d111272 100644
|
||||
--- a/exec.c
|
||||
+++ b/exec.c
|
||||
@@ -3538,6 +3538,7 @@ void *address_space_map(AddressSpace *as,
|
||||
|
||||
if (!memory_access_is_direct(mr, is_write)) {
|
||||
if (atomic_xchg(&bounce.in_use, true)) {
|
||||
+ *plen = 0;
|
||||
return NULL;
|
||||
}
|
||||
/* Avoid unbounded allocations */
|
||||
diff --git a/include/exec/memory.h b/include/exec/memory.h
|
||||
index e000bd2f97b2fce76a41f9b5d9f3..8fa2d3cab2d51e5328e28151c65c 100644
|
||||
--- a/include/exec/memory.h
|
||||
+++ b/include/exec/memory.h
|
||||
@@ -2303,7 +2303,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
|
||||
/* address_space_map: map a physical memory region into a host virtual address
|
||||
*
|
||||
* May map a subset of the requested range, given by and returned in @plen.
|
||||
- * May return %NULL if resources needed to perform the mapping are exhausted.
|
||||
+ * May return %NULL and set *@plen to zero(0), if resources needed to perform
|
||||
+ * the mapping are exhausted.
|
||||
* Use only for reads OR writes - not for read-modify-write operations.
|
||||
* Use cpu_register_map_client() to know when retrying the map operation is
|
||||
* likely to succeed.
|
43
golan-Add-explicit-type-casts-for-nodnic.patch
Normal file
43
golan-Add-explicit-type-casts-for-nodnic.patch
Normal file
@ -0,0 +1,43 @@
|
||||
From: Michael Brown <mcb30@ipxe.org>
|
||||
Date: Sat, 27 Jun 2020 20:43:32 +0100
|
||||
Subject: [golan] Add explicit type casts for nodnic_queue_pair_type
|
||||
|
||||
Git-commit: 8a1d66c7aec020f3e90254ed2fa55ecd9494fcc3
|
||||
References: boo#1171139
|
||||
|
||||
GCC 10 emits warnings for implicit conversions of enumerated types.
|
||||
|
||||
The flexboot_nodnic code defines nodnic_queue_pair_type with values
|
||||
identical to those of ib_queue_pair_type, and implicitly casts between
|
||||
them. Add an explicit cast to fix the warning.
|
||||
|
||||
Signed-off-by: Michael Brown <mcb30@ipxe.org>
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
src/drivers/infiniband/flexboot_nodnic.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c b/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c
|
||||
index c13fcefc56866da67d701baa96b8..4463bb78458cbeadd962ed7909ef 100644
|
||||
--- a/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c
|
||||
+++ b/roms/ipxe/src/drivers/infiniband/flexboot_nodnic.c
|
||||
@@ -365,7 +365,8 @@ static int flexboot_nodnic_create_qp ( struct ib_device *ibdev,
|
||||
goto qp_alloc_err;
|
||||
}
|
||||
|
||||
- status = nodnic_port_create_qp(&port->port_priv, qp->type,
|
||||
+ status = nodnic_port_create_qp(&port->port_priv,
|
||||
+ (nodnic_queue_pair_type) qp->type,
|
||||
qp->send.num_wqes * sizeof(struct nodnic_send_wqbb),
|
||||
qp->send.num_wqes,
|
||||
qp->recv.num_wqes * sizeof(struct nodnic_recv_wqe),
|
||||
@@ -406,7 +407,8 @@ static void flexboot_nodnic_destroy_qp ( struct ib_device *ibdev,
|
||||
struct flexboot_nodnic_port *port = &flexboot_nodnic->port[ibdev->port - 1];
|
||||
struct flexboot_nodnic_queue_pair *flexboot_nodnic_qp = ib_qp_get_drvdata ( qp );
|
||||
|
||||
- nodnic_port_destroy_qp(&port->port_priv, qp->type,
|
||||
+ nodnic_port_destroy_qp(&port->port_priv,
|
||||
+ (nodnic_queue_pair_type) qp->type,
|
||||
flexboot_nodnic_qp->nodnic_queue_pair);
|
||||
|
||||
free(flexboot_nodnic_qp);
|
36
hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch
Normal file
36
hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From: Thomas Huth <thuth@redhat.com>
|
||||
Date: Thu, 11 Jun 2020 11:36:40 -0600
|
||||
Subject: hw/vfio/pci-quirks: Fix broken legacy IGD passthrough
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Git-commit: 643a4eacef87a318cf71800a4fb2ae1f78c4b245
|
||||
|
||||
The #ifdef CONFIG_VFIO_IGD in pci-quirks.c is not working since the
|
||||
required header config-devices.h is not included, so that the legacy
|
||||
IGD passthrough is currently broken. Let's include the right header
|
||||
to fix this issue.
|
||||
|
||||
Buglink: https://bugs.launchpad.net/qemu/+bug/1882784
|
||||
Fixes: 29d62771c81d ("hw/vfio: Move the IGD quirk code to a separate file")
|
||||
Signed-off-by: Thomas Huth <thuth@redhat.com>
|
||||
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/vfio/pci-quirks.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
|
||||
index 2d348f8237fa6a8e7aac10a4a920..656098b827c69f04ac1d6e2ff227 100644
|
||||
--- a/hw/vfio/pci-quirks.c
|
||||
+++ b/hw/vfio/pci-quirks.c
|
||||
@@ -11,6 +11,7 @@
|
||||
*/
|
||||
|
||||
#include "qemu/osdep.h"
|
||||
+#include "config-devices.h"
|
||||
#include "exec/memop.h"
|
||||
#include "qemu/units.h"
|
||||
#include "qemu/error-report.h"
|
89
intel-Avoid-spurious-compiler-warning-on.patch
Normal file
89
intel-Avoid-spurious-compiler-warning-on.patch
Normal file
@ -0,0 +1,89 @@
|
||||
From: Michael Brown <mcb30@ipxe.org>
|
||||
Date: Sat, 27 Jun 2020 20:21:11 +0100
|
||||
Subject: [intel] Avoid spurious compiler warning on GCC 10
|
||||
|
||||
Git-commit: 28cf9806d1632d378485005babec295da0c77fcf
|
||||
References: boo#1171123
|
||||
`
|
||||
GCC 10 produces a spurious warning about an out-of-bounds array access
|
||||
for the unsized raw dword array in union intelvf_msg.
|
||||
|
||||
Avoid the warning by embedding the zero-length array within a struct.
|
||||
|
||||
Signed-off-by: Michael Brown <mcb30@ipxe.org>
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
src/drivers/net/intelvf.c | 18 ++++++++++--------
|
||||
src/drivers/net/intelvf.h | 8 +++++++-
|
||||
2 files changed, 17 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/roms/ipxe/src/drivers/net/intelvf.c b/roms/ipxe/src/drivers/net/intelvf.c
|
||||
index ac6fea745457863544edf6658138..0d48b4178cb5aa0542ba7c507d04 100644
|
||||
--- a/roms/ipxe/src/drivers/net/intelvf.c
|
||||
+++ b/roms/ipxe/src/drivers/net/intelvf.c
|
||||
@@ -52,14 +52,15 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
|
||||
*/
|
||||
static void intelvf_mbox_write ( struct intel_nic *intel,
|
||||
const union intelvf_msg *msg ) {
|
||||
+ const struct intelvf_msg_raw *raw = &msg->raw;
|
||||
unsigned int i;
|
||||
|
||||
/* Write message */
|
||||
DBGC2 ( intel, "INTEL %p sending message", intel );
|
||||
- for ( i = 0 ; i < ( sizeof ( *msg ) / sizeof ( msg->dword[0] ) ) ; i++){
|
||||
- DBGC2 ( intel, "%c%08x", ( i ? ':' : ' ' ), msg->dword[i] );
|
||||
- writel ( msg->dword[i], ( intel->regs + intel->mbox.mem +
|
||||
- ( i * sizeof ( msg->dword[0] ) ) ) );
|
||||
+ for ( i = 0 ; i < ( sizeof ( *msg ) / sizeof ( raw->dword[0] ) ) ; i++){
|
||||
+ DBGC2 ( intel, "%c%08x", ( i ? ':' : ' ' ), raw->dword[i] );
|
||||
+ writel ( raw->dword[i], ( intel->regs + intel->mbox.mem +
|
||||
+ ( i * sizeof ( raw->dword[0] ) ) ) );
|
||||
}
|
||||
DBGC2 ( intel, "\n" );
|
||||
}
|
||||
@@ -72,14 +73,15 @@ static void intelvf_mbox_write ( struct intel_nic *intel,
|
||||
*/
|
||||
static void intelvf_mbox_read ( struct intel_nic *intel,
|
||||
union intelvf_msg *msg ) {
|
||||
+ struct intelvf_msg_raw *raw = &msg->raw;
|
||||
unsigned int i;
|
||||
|
||||
/* Read message */
|
||||
DBGC2 ( intel, "INTEL %p received message", intel );
|
||||
- for ( i = 0 ; i < ( sizeof ( *msg ) / sizeof ( msg->dword[0] ) ) ; i++){
|
||||
- msg->dword[i] = readl ( intel->regs + intel->mbox.mem +
|
||||
- ( i * sizeof ( msg->dword[0] ) ) );
|
||||
- DBGC2 ( intel, "%c%08x", ( i ? ':' : ' ' ), msg->dword[i] );
|
||||
+ for ( i = 0 ; i < ( sizeof ( *msg ) / sizeof ( raw->dword[0] ) ) ; i++){
|
||||
+ raw->dword[i] = readl ( intel->regs + intel->mbox.mem +
|
||||
+ ( i * sizeof ( raw->dword[0] ) ) );
|
||||
+ DBGC2 ( intel, "%c%08x", ( i ? ':' : ' ' ), raw->dword[i] );
|
||||
}
|
||||
DBGC2 ( intel, "\n" );
|
||||
}
|
||||
diff --git a/roms/ipxe/src/drivers/net/intelvf.h b/roms/ipxe/src/drivers/net/intelvf.h
|
||||
index ab404698fe6de9f48370931fdf56..ffb18e04052f1b4a6fe406f5062c 100644
|
||||
--- a/roms/ipxe/src/drivers/net/intelvf.h
|
||||
+++ b/roms/ipxe/src/drivers/net/intelvf.h
|
||||
@@ -119,6 +119,12 @@ struct intelvf_msg_queues {
|
||||
uint32_t dflt;
|
||||
} __attribute__ (( packed ));
|
||||
|
||||
+/** Raw mailbox message */
|
||||
+struct intelvf_msg_raw {
|
||||
+ /** Raw dwords */
|
||||
+ uint32_t dword[0];
|
||||
+} __attribute__ (( packed ));
|
||||
+
|
||||
/** Mailbox message */
|
||||
union intelvf_msg {
|
||||
/** Message header */
|
||||
@@ -132,7 +138,7 @@ union intelvf_msg {
|
||||
/** Queue configuration message */
|
||||
struct intelvf_msg_queues queues;
|
||||
/** Raw dwords */
|
||||
- uint32_t dword[0];
|
||||
+ struct intelvf_msg_raw raw;
|
||||
};
|
||||
|
||||
/** Maximum time to wait for mailbox message
|
@ -14,10 +14,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
1 file changed, 10 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping
|
||||
index f8334921b8b93cbd03f0a0de9910..97fa325bb52314e05192d0414436 100644
|
||||
index 893bd20f1fd5cecf0e480dee05bd..9c33cc08c4db1bbd0f9966924fce 100644
|
||||
--- a/roms/ipxe/src/Makefile.housekeeping
|
||||
+++ b/roms/ipxe/src/Makefile.housekeeping
|
||||
@@ -1162,11 +1162,18 @@ blib : $(BLIB)
|
||||
@@ -1172,11 +1172,18 @@ blib : $(BLIB)
|
||||
# Command to generate build ID. Must be unique for each $(BIN)/%.tmp,
|
||||
# even within the same build run.
|
||||
#
|
||||
@ -38,7 +38,7 @@ index f8334921b8b93cbd03f0a0de9910..97fa325bb52314e05192d0414436 100644
|
||||
|
||||
# Build version
|
||||
#
|
||||
@@ -1186,7 +1193,7 @@ $(BIN)/version.%.o : core/version.c $(MAKEDEPS) $(GIT_INDEX)
|
||||
@@ -1196,7 +1203,7 @@ $(BIN)/version.%.o : core/version.c $(MAKEDEPS) $(GIT_INDEX)
|
||||
$(BIN)/%.tmp : $(BIN)/version.%.o $(BLIB) $(MAKEDEPS) $(LDSCRIPT)
|
||||
$(QM)$(ECHO) " [LD] $@"
|
||||
$(Q)$(LD) $(LDFLAGS) -T $(LDSCRIPT) $(TGT_LD_FLAGS) $< $(BLIB) -o $@ \
|
||||
|
50
megasas-use-unsigned-type-for-reply_queu.patch
Normal file
50
megasas-use-unsigned-type-for-reply_queu.patch
Normal file
@ -0,0 +1,50 @@
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 14 May 2020 00:55:38 +0530
|
||||
Subject: megasas: use unsigned type for reply_queue_head and check index
|
||||
|
||||
Git-commit: f50ab86a2620bd7e8507af865b164655ee921661
|
||||
References: bsc#1172383, CVE-2020-13362
|
||||
|
||||
A guest user may set 'reply_queue_head' field of MegasasState to
|
||||
a negative value. Later in 'megasas_lookup_frame' it is used to
|
||||
index into s->frames[] array. Use unsigned type to avoid OOB
|
||||
access issue.
|
||||
|
||||
Also check that 'index' value stays within s->frames[] bounds
|
||||
through the while() loop in 'megasas_lookup_frame' to avoid OOB
|
||||
access.
|
||||
|
||||
Reported-by: Ren Ding <rding@gatech.edu>
|
||||
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
|
||||
Reported-by: Alexander Bulekov <alxndr@bu.edu>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Acked-by: Alexander Bulekov <alxndr@bu.edu>
|
||||
Message-Id: <20200513192540.1583887-2-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/scsi/megasas.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index af18c88b656e7f5fa299c5f0dda1..6ce598cd6908b5223470b506c481 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -112,7 +112,7 @@ typedef struct MegasasState {
|
||||
uint64_t reply_queue_pa;
|
||||
void *reply_queue;
|
||||
int reply_queue_len;
|
||||
- int reply_queue_head;
|
||||
+ uint16_t reply_queue_head;
|
||||
int reply_queue_tail;
|
||||
uint64_t consumer_pa;
|
||||
uint64_t producer_pa;
|
||||
@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s,
|
||||
|
||||
index = s->reply_queue_head;
|
||||
|
||||
- while (num < s->fw_cmds) {
|
||||
+ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) {
|
||||
if (s->frames[index].pa && s->frames[index].pa == frame) {
|
||||
cmd = &s->frames[index];
|
||||
break;
|
148
nbd-server-Avoid-long-error-message-asse.patch
Normal file
148
nbd-server-Avoid-long-error-message-asse.patch
Normal file
@ -0,0 +1,148 @@
|
||||
From: Eric Blake <eblake@redhat.com>
|
||||
Date: Mon, 8 Jun 2020 13:26:37 -0500
|
||||
Subject: nbd/server: Avoid long error message assertions CVE-2020-10761
|
||||
|
||||
Git-commit: 5c4fe018c025740fef4a0a4421e8162db0c3eefd
|
||||
References: bsc#1172710, CVE-2020-10761
|
||||
|
||||
Ever since commit 36683283 (v2.8), the server code asserts that error
|
||||
strings sent to the client are well-formed per the protocol by not
|
||||
exceeding the maximum string length of 4096. At the time the server
|
||||
first started sending error messages, the assertion could not be
|
||||
triggered, because messages were completely under our control.
|
||||
However, over the years, we have added latent scenarios where a client
|
||||
could trigger the server to attempt an error message that would
|
||||
include the client's information if it passed other checks first:
|
||||
|
||||
- requesting NBD_OPT_INFO/GO on an export name that is not present
|
||||
(commit 0cfae925 in v2.12 echoes the name)
|
||||
|
||||
- requesting NBD_OPT_LIST/SET_META_CONTEXT on an export name that is
|
||||
not present (commit e7b1948d in v2.12 echoes the name)
|
||||
|
||||
At the time, those were still safe because we flagged names larger
|
||||
than 256 bytes with a different message; but that changed in commit
|
||||
93676c88 (v4.2) when we raised the name limit to 4096 to match the NBD
|
||||
string limit. (That commit also failed to change the magic number
|
||||
4096 in nbd_negotiate_send_rep_err to the just-introduced named
|
||||
constant.) So with that commit, long client names appended to server
|
||||
text can now trigger the assertion, and thus be used as a denial of
|
||||
service attack against a server. As a mitigating factor, if the
|
||||
server requires TLS, the client cannot trigger the problematic paths
|
||||
unless it first supplies TLS credentials, and such trusted clients are
|
||||
less likely to try to intentionally crash the server.
|
||||
|
||||
We may later want to further sanitize the user-supplied strings we
|
||||
place into our error messages, such as scrubbing out control
|
||||
characters, but that is less important to the CVE fix, so it can be a
|
||||
later patch to the new nbd_sanitize_name.
|
||||
|
||||
Consideration was given to changing the assertion in
|
||||
nbd_negotiate_send_rep_verr to instead merely log a server error and
|
||||
truncate the message, to avoid leaving a latent path that could
|
||||
trigger a future CVE DoS on any new error message. However, this
|
||||
merely complicates the code for something that is already (correctly)
|
||||
flagging coding errors, and now that we are aware of the long message
|
||||
pitfall, we are less likely to introduce such errors in the future,
|
||||
which would make such error handling dead code.
|
||||
|
||||
Reported-by: Xueqiang Wei <xuwei@redhat.com>
|
||||
CC: qemu-stable@nongnu.org
|
||||
Fixes: https://bugzilla.redhat.com/1843684 CVE-2020-10761
|
||||
Fixes: 93676c88d7
|
||||
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||
Message-Id: <20200610163741.3745251-2-eblake@redhat.com>
|
||||
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
nbd/server.c | 23 ++++++++++++++++++++---
|
||||
tests/qemu-iotests/143 | 4 ++++
|
||||
tests/qemu-iotests/143.out | 2 ++
|
||||
3 files changed, 26 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/nbd/server.c b/nbd/server.c
|
||||
index 02b1ed080145b3f99979887d4268..20754e9ebc3c1342692c99e7a99f 100644
|
||||
--- a/nbd/server.c
|
||||
+++ b/nbd/server.c
|
||||
@@ -217,7 +217,7 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type,
|
||||
|
||||
msg = g_strdup_vprintf(fmt, va);
|
||||
len = strlen(msg);
|
||||
- assert(len < 4096);
|
||||
+ assert(len < NBD_MAX_STRING_SIZE);
|
||||
trace_nbd_negotiate_send_rep_err(msg);
|
||||
ret = nbd_negotiate_send_rep_len(client, type, len, errp);
|
||||
if (ret < 0) {
|
||||
@@ -231,6 +231,19 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type,
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Return a malloc'd copy of @name suitable for use in an error reply.
|
||||
+ */
|
||||
+static char *
|
||||
+nbd_sanitize_name(const char *name)
|
||||
+{
|
||||
+ if (strnlen(name, 80) < 80) {
|
||||
+ return g_strdup(name);
|
||||
+ }
|
||||
+ /* XXX Should we also try to sanitize any control characters? */
|
||||
+ return g_strdup_printf("%.80s...", name);
|
||||
+}
|
||||
+
|
||||
/* Send an error reply.
|
||||
* Return -errno on error, 0 on success. */
|
||||
static int GCC_FMT_ATTR(4, 5)
|
||||
@@ -595,9 +608,11 @@ static int nbd_negotiate_handle_info(NBDClient *client, Error **errp)
|
||||
|
||||
exp = nbd_export_find(name);
|
||||
if (!exp) {
|
||||
+ g_autofree char *sane_name = nbd_sanitize_name(name);
|
||||
+
|
||||
return nbd_negotiate_send_rep_err(client, NBD_REP_ERR_UNKNOWN,
|
||||
errp, "export '%s' not present",
|
||||
- name);
|
||||
+ sane_name);
|
||||
}
|
||||
|
||||
/* Don't bother sending NBD_INFO_NAME unless client requested it */
|
||||
@@ -995,8 +1010,10 @@ static int nbd_negotiate_meta_queries(NBDClient *client,
|
||||
|
||||
meta->exp = nbd_export_find(export_name);
|
||||
if (meta->exp == NULL) {
|
||||
+ g_autofree char *sane_name = nbd_sanitize_name(export_name);
|
||||
+
|
||||
return nbd_opt_drop(client, NBD_REP_ERR_UNKNOWN, errp,
|
||||
- "export '%s' not present", export_name);
|
||||
+ "export '%s' not present", sane_name);
|
||||
}
|
||||
|
||||
ret = nbd_opt_read(client, &nb_queries, sizeof(nb_queries), errp);
|
||||
diff --git a/tests/qemu-iotests/143 b/tests/qemu-iotests/143
|
||||
index f649b36195011e9b0f19e4b51a8d..d2349903b1b5fa1b48ffc3e7a00d 100755
|
||||
--- a/tests/qemu-iotests/143
|
||||
+++ b/tests/qemu-iotests/143
|
||||
@@ -58,6 +58,10 @@ _send_qemu_cmd $QEMU_HANDLE \
|
||||
$QEMU_IO_PROG -f raw -c quit \
|
||||
"nbd+unix:///no_such_export?socket=$SOCK_DIR/nbd" 2>&1 \
|
||||
| _filter_qemu_io | _filter_nbd
|
||||
+# Likewise, with longest possible name permitted in NBD protocol
|
||||
+$QEMU_IO_PROG -f raw -c quit \
|
||||
+ "nbd+unix:///$(printf %4096d 1 | tr ' ' a)?socket=$SOCK_DIR/nbd" 2>&1 \
|
||||
+ | _filter_qemu_io | _filter_nbd | sed 's/aaaa*aa/aa--aa/'
|
||||
|
||||
_send_qemu_cmd $QEMU_HANDLE \
|
||||
"{ 'execute': 'quit' }" \
|
||||
diff --git a/tests/qemu-iotests/143.out b/tests/qemu-iotests/143.out
|
||||
index 1f4001c6013137a13d90f64b4f86..fc9c0a761fa107a5c800d27af843 100644
|
||||
--- a/tests/qemu-iotests/143.out
|
||||
+++ b/tests/qemu-iotests/143.out
|
||||
@@ -5,6 +5,8 @@ QA output created by 143
|
||||
{"return": {}}
|
||||
qemu-io: can't open device nbd+unix:///no_such_export?socket=SOCK_DIR/nbd: Requested export not available
|
||||
server reported: export 'no_such_export' not present
|
||||
+qemu-io: can't open device nbd+unix:///aa--aa1?socket=SOCK_DIR/nbd: Requested export not available
|
||||
+server reported: export 'aa--aa...' not present
|
||||
{ 'execute': 'quit' }
|
||||
{"return": {}}
|
||||
{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
|
59
qemu.changes
59
qemu.changes
@ -1,3 +1,62 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 21 15:58:10 UTC 2020 - Bruce Rogers <brogers@suse.com>
|
||||
|
||||
- Updating to Sphinx v3.1.2 in Factory is exposing an issue in
|
||||
qemu doc sources. Fix it
|
||||
docs-fix-trace-docs-build-with-sphinx-3..patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 8 23:00:21 UTC 2020 - Bruce Rogers <brogers@suse.com>
|
||||
|
||||
- Fix DoS possibility in ati-vga emulation (CVE-2020-13800
|
||||
bsc#1172495)
|
||||
ati-vga-check-mm_index-before-recursive-.patch
|
||||
- Fix DoS possibility in Network Block Device (nbd) support
|
||||
infrastructure (CVE-2020-10761 bsc#1172710)
|
||||
nbd-server-Avoid-long-error-message-asse.patch
|
||||
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS
|
||||
8708EM2 emulation (CVE-2020-13659 bsc#1172386)
|
||||
exec-set-map-length-to-zero-when-returni.patch
|
||||
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation
|
||||
(CVE-2020-13362 bsc#1172383)
|
||||
megasas-use-unsigned-type-for-reply_queu.patch
|
||||
- Fix legacy IGD passthrough
|
||||
hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 1 00:10:43 UTC 2020 - Bruce Rogers <brogers@suse.com>
|
||||
|
||||
- The latest gcc10 available in Factory has the fix for the
|
||||
issue this patch was created to avoid, so drop it
|
||||
build-Work-around-gcc10-bug-by-not-using.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Jun 28 16:25:32 UTC 2020 - Bruce Rogers <brogers@suse.com>
|
||||
|
||||
- Switch to upstream versions of some patches we carry
|
||||
add-enum-cast-to-avoid-gcc10-warning.patch
|
||||
-> golan-Add-explicit-type-casts-for-nodnic.patch
|
||||
Be-explicit-about-fcommon-compiler-direc.patch
|
||||
-> build-Be-explicit-about-fcommon-compiler.patch
|
||||
Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch
|
||||
-> build-Do-not-apply-WORKAROUND_CFLAGS-for.patch
|
||||
Fix-s-directive-argument-is-null-error.patch
|
||||
-> build-Fix-s-directive-argument-is-null-e.patch
|
||||
Workaround-compilation-error-with-gcc-9..patch
|
||||
-> build-Workaround-compilation-error-with-.patch
|
||||
work-around-gcc10-problem-with-zero-leng.patch
|
||||
-> intel-Avoid-spurious-compiler-warning-on.patch
|
||||
- Fix vgabios issue for cirrus graphics emulation, which
|
||||
effectively downgraded it to standard VGA behavior
|
||||
vga-fix-cirrus-bios.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 12 16:14:07 UTC 2020 - Bruce Rogers <brogers@suse.com>
|
||||
|
||||
- Fix OOB access possibility in ES1370 audio device emulation
|
||||
(CVE-2020-13361 bsc#1172384)
|
||||
es1370-check-total-frame-count-against-c.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jun 2 17:22:57 UTC 2020 - Bruce Rogers <brogers@suse.com>
|
||||
|
||||
|
172
qemu.spec
172
qemu.spec
@ -127,82 +127,89 @@ Source303: README.PACKAGING
|
||||
# This patch queue is auto-generated - see README.PACKAGING for process
|
||||
|
||||
# Patches applied in base project:
|
||||
Patch00000: virtiofsd-add-rlimit-nofile-NUM-option.patch
|
||||
Patch00001: virtiofsd-stay-below-fs.file-max-sysctl-.patch
|
||||
Patch00002: audio-fix-wavcapture-segfault.patch
|
||||
Patch00003: XXX-dont-dump-core-on-sigabort.patch
|
||||
Patch00004: qemu-binfmt-conf-Modify-default-path.patch
|
||||
Patch00005: qemu-cvs-gettimeofday.patch
|
||||
Patch00006: qemu-cvs-ioctl_debug.patch
|
||||
Patch00007: qemu-cvs-ioctl_nodirection.patch
|
||||
Patch00008: linux-user-add-binfmt-wrapper-for-argv-0.patch
|
||||
Patch00009: PPC-KVM-Disable-mmu-notifier-check.patch
|
||||
Patch00010: linux-user-binfmt-support-host-binaries.patch
|
||||
Patch00011: linux-user-Fake-proc-cpuinfo.patch
|
||||
Patch00012: linux-user-use-target_ulong.patch
|
||||
Patch00013: Make-char-muxer-more-robust-wrt-small-FI.patch
|
||||
Patch00014: linux-user-lseek-explicitly-cast-non-set.patch
|
||||
Patch00015: AIO-Reduce-number-of-threads-for-32bit-h.patch
|
||||
Patch00016: xen_disk-Add-suse-specific-flush-disable.patch
|
||||
Patch00017: qemu-bridge-helper-reduce-security-profi.patch
|
||||
Patch00018: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
|
||||
Patch00019: linux-user-properly-test-for-infinite-ti.patch
|
||||
Patch00020: roms-Makefile-pass-a-packaging-timestamp.patch
|
||||
Patch00021: Raise-soft-address-space-limit-to-hard-l.patch
|
||||
Patch00022: increase-x86_64-physical-bits-to-42.patch
|
||||
Patch00023: i8254-Fix-migration-from-SLE11-SP2.patch
|
||||
Patch00024: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
|
||||
Patch00025: Switch-order-of-libraries-for-mpath-supp.patch
|
||||
Patch00026: Make-installed-scripts-explicitly-python.patch
|
||||
Patch00027: hw-smbios-handle-both-file-formats-regar.patch
|
||||
Patch00028: xen-add-block-resize-support-for-xen-dis.patch
|
||||
Patch00029: tests-qemu-iotests-Triple-timeout-of-i-o.patch
|
||||
Patch00030: tests-Fix-block-tests-to-be-compatible-w.patch
|
||||
Patch00031: xen-ignore-live-parameter-from-xen-save-.patch
|
||||
Patch00032: Conditionalize-ui-bitmap-installation-be.patch
|
||||
Patch00033: tests-change-error-message-in-test-162.patch
|
||||
Patch00034: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
|
||||
Patch00035: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
|
||||
Patch00036: hw-intc-exynos4210_gic-provide-more-room.patch
|
||||
Patch00037: configure-only-populate-roms-if-softmmu.patch
|
||||
Patch00038: pc-bios-s390-ccw-net-avoid-warning-about.patch
|
||||
Patch00039: roms-change-cross-compiler-naming-to-be-.patch
|
||||
Patch00040: tests-Disable-some-block-tests-for-now.patch
|
||||
Patch00041: test-add-mapping-from-arch-of-i686-to-qe.patch
|
||||
Patch00042: roms-Makefile-enable-cross-compile-for-b.patch
|
||||
Patch00043: s390x-Move-diagnose-308-subcodes-and-rcs.patch
|
||||
Patch00044: Sync-pv.patch
|
||||
Patch00045: s390x-protvirt-Support-unpack-facility.patch
|
||||
Patch00046: s390x-protvirt-Add-migration-blocker.patch
|
||||
Patch00047: s390x-protvirt-Inhibit-balloon-when-swit.patch
|
||||
Patch00048: s390x-protvirt-KVM-intercept-changes.patch
|
||||
Patch00049: s390x-Add-SIDA-memory-ops.patch
|
||||
Patch00050: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
|
||||
Patch00051: s390x-protvirt-SCLP-interpretation.patch
|
||||
Patch00052: s390x-protvirt-Set-guest-IPL-PSW.patch
|
||||
Patch00053: s390x-protvirt-Move-diag-308-data-over-S.patch
|
||||
Patch00054: s390x-protvirt-Disable-address-checks-fo.patch
|
||||
Patch00055: s390x-protvirt-Move-IO-control-structure.patch
|
||||
Patch00056: s390x-protvirt-Handle-SIGP-store-status-.patch
|
||||
Patch00057: s390x-Add-unpack-facility-feature-to-GA1.patch
|
||||
Patch00058: s390x-s390-virtio-ccw-Fix-build-on-syste.patch
|
||||
Patch00059: configure-remove-pkgversion-from-CONFIG_.patch
|
||||
Patch00060: gcc10-maybe-uninitialized.patch
|
||||
Patch00061: docs-add-SUSE-support-statements-to-html.patch
|
||||
Patch00062: build-Work-around-gcc10-bug-by-not-using.patch
|
||||
Patch00000: s390x-Move-diagnose-308-subcodes-and-rcs.patch
|
||||
Patch00001: Sync-pv.patch
|
||||
Patch00002: s390x-protvirt-Support-unpack-facility.patch
|
||||
Patch00003: s390x-protvirt-Add-migration-blocker.patch
|
||||
Patch00004: s390x-protvirt-Inhibit-balloon-when-swit.patch
|
||||
Patch00005: s390x-protvirt-KVM-intercept-changes.patch
|
||||
Patch00006: s390x-Add-SIDA-memory-ops.patch
|
||||
Patch00007: s390x-protvirt-Move-STSI-data-over-SIDAD.patch
|
||||
Patch00008: s390x-protvirt-SCLP-interpretation.patch
|
||||
Patch00009: s390x-protvirt-Set-guest-IPL-PSW.patch
|
||||
Patch00010: s390x-protvirt-Move-diag-308-data-over-S.patch
|
||||
Patch00011: s390x-protvirt-Disable-address-checks-fo.patch
|
||||
Patch00012: s390x-protvirt-Move-IO-control-structure.patch
|
||||
Patch00013: s390x-protvirt-Handle-SIGP-store-status-.patch
|
||||
Patch00014: s390x-Add-unpack-facility-feature-to-GA1.patch
|
||||
Patch00015: virtiofsd-add-rlimit-nofile-NUM-option.patch
|
||||
Patch00016: virtiofsd-stay-below-fs.file-max-sysctl-.patch
|
||||
Patch00017: es1370-check-total-frame-count-against-c.patch
|
||||
Patch00018: audio-fix-wavcapture-segfault.patch
|
||||
Patch00019: ati-vga-check-mm_index-before-recursive-.patch
|
||||
Patch00020: nbd-server-Avoid-long-error-message-asse.patch
|
||||
Patch00021: hw-vfio-pci-quirks-Fix-broken-legacy-IGD.patch
|
||||
Patch00022: megasas-use-unsigned-type-for-reply_queu.patch
|
||||
Patch00023: exec-set-map-length-to-zero-when-returni.patch
|
||||
Patch00024: XXX-dont-dump-core-on-sigabort.patch
|
||||
Patch00025: qemu-binfmt-conf-Modify-default-path.patch
|
||||
Patch00026: qemu-cvs-gettimeofday.patch
|
||||
Patch00027: qemu-cvs-ioctl_debug.patch
|
||||
Patch00028: qemu-cvs-ioctl_nodirection.patch
|
||||
Patch00029: linux-user-add-binfmt-wrapper-for-argv-0.patch
|
||||
Patch00030: PPC-KVM-Disable-mmu-notifier-check.patch
|
||||
Patch00031: linux-user-binfmt-support-host-binaries.patch
|
||||
Patch00032: linux-user-Fake-proc-cpuinfo.patch
|
||||
Patch00033: linux-user-use-target_ulong.patch
|
||||
Patch00034: Make-char-muxer-more-robust-wrt-small-FI.patch
|
||||
Patch00035: linux-user-lseek-explicitly-cast-non-set.patch
|
||||
Patch00036: AIO-Reduce-number-of-threads-for-32bit-h.patch
|
||||
Patch00037: xen_disk-Add-suse-specific-flush-disable.patch
|
||||
Patch00038: qemu-bridge-helper-reduce-security-profi.patch
|
||||
Patch00039: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
|
||||
Patch00040: linux-user-properly-test-for-infinite-ti.patch
|
||||
Patch00041: roms-Makefile-pass-a-packaging-timestamp.patch
|
||||
Patch00042: Raise-soft-address-space-limit-to-hard-l.patch
|
||||
Patch00043: increase-x86_64-physical-bits-to-42.patch
|
||||
Patch00044: i8254-Fix-migration-from-SLE11-SP2.patch
|
||||
Patch00045: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
|
||||
Patch00046: Switch-order-of-libraries-for-mpath-supp.patch
|
||||
Patch00047: Make-installed-scripts-explicitly-python.patch
|
||||
Patch00048: hw-smbios-handle-both-file-formats-regar.patch
|
||||
Patch00049: xen-add-block-resize-support-for-xen-dis.patch
|
||||
Patch00050: tests-qemu-iotests-Triple-timeout-of-i-o.patch
|
||||
Patch00051: tests-Fix-block-tests-to-be-compatible-w.patch
|
||||
Patch00052: xen-ignore-live-parameter-from-xen-save-.patch
|
||||
Patch00053: Conditionalize-ui-bitmap-installation-be.patch
|
||||
Patch00054: tests-change-error-message-in-test-162.patch
|
||||
Patch00055: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
|
||||
Patch00056: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
|
||||
Patch00057: hw-intc-exynos4210_gic-provide-more-room.patch
|
||||
Patch00058: configure-only-populate-roms-if-softmmu.patch
|
||||
Patch00059: pc-bios-s390-ccw-net-avoid-warning-about.patch
|
||||
Patch00060: roms-change-cross-compiler-naming-to-be-.patch
|
||||
Patch00061: tests-Disable-some-block-tests-for-now.patch
|
||||
Patch00062: test-add-mapping-from-arch-of-i686-to-qe.patch
|
||||
Patch00063: roms-Makefile-enable-cross-compile-for-b.patch
|
||||
Patch00064: s390x-s390-virtio-ccw-Fix-build-on-syste.patch
|
||||
Patch00065: configure-remove-pkgversion-from-CONFIG_.patch
|
||||
Patch00066: gcc10-maybe-uninitialized.patch
|
||||
Patch00067: docs-add-SUSE-support-statements-to-html.patch
|
||||
Patch00068: docs-fix-trace-docs-build-with-sphinx-3..patch
|
||||
# Patches applied in roms/seabios/:
|
||||
Patch01000: seabios-use-python2-explicitly-as-needed.patch
|
||||
Patch01001: seabios-switch-to-python3-as-needed.patch
|
||||
Patch01002: enable-cross-compilation-on-ARM.patch
|
||||
Patch01003: vga-fix-cirrus-bios.patch
|
||||
# Patches applied in roms/ipxe/:
|
||||
Patch02000: stub-out-the-SAN-req-s-in-int13.patch
|
||||
Patch02001: ipxe-Makefile-fix-issues-of-build-reprod.patch
|
||||
Patch02002: Fix-s-directive-argument-is-null-error.patch
|
||||
Patch02003: Workaround-compilation-error-with-gcc-9..patch
|
||||
Patch02004: Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch
|
||||
Patch02005: Be-explicit-about-fcommon-compiler-direc.patch
|
||||
Patch02006: work-around-gcc10-problem-with-zero-leng.patch
|
||||
Patch02007: add-enum-cast-to-avoid-gcc10-warning.patch
|
||||
Patch02000: build-Fix-s-directive-argument-is-null-e.patch
|
||||
Patch02001: build-Workaround-compilation-error-with-.patch
|
||||
Patch02002: build-Do-not-apply-WORKAROUND_CFLAGS-for.patch
|
||||
Patch02003: build-Be-explicit-about-fcommon-compiler.patch
|
||||
Patch02004: intel-Avoid-spurious-compiler-warning-on.patch
|
||||
Patch02005: golan-Add-explicit-type-casts-for-nodnic.patch
|
||||
Patch02006: stub-out-the-SAN-req-s-in-int13.patch
|
||||
Patch02007: ipxe-Makefile-fix-issues-of-build-reprod.patch
|
||||
# Patches applied in roms/sgabios/:
|
||||
Patch03000: sgabios-Makefile-fix-issues-of-build-rep.patch
|
||||
Patch03001: roms-sgabios-Fix-csum8-to-be-built-by-ho.patch
|
||||
@ -959,24 +966,31 @@ This package provides a service file for starting and stopping KSM.
|
||||
%patch00058 -p1
|
||||
%patch00059 -p1
|
||||
%patch00060 -p1
|
||||
%if %{legacy_qemu_kvm} && 0%{?is_opensuse} == 0
|
||||
%patch00061 -p1
|
||||
%endif
|
||||
%patch00062 -p1
|
||||
%patch00063 -p1
|
||||
%patch00064 -p1
|
||||
%patch00065 -p1
|
||||
%patch00066 -p1
|
||||
%if %{legacy_qemu_kvm} && 0%{?is_opensuse} == 0
|
||||
%patch00067 -p1
|
||||
%endif
|
||||
%patch00068 -p1
|
||||
%patch01000 -p1
|
||||
%patch01001 -p1
|
||||
%patch01002 -p1
|
||||
%if 0%{?patch-possibly-applied-elsewhere}
|
||||
%patch01003 -p1
|
||||
%patch02000 -p1
|
||||
%endif
|
||||
%patch02001 -p1
|
||||
%patch02002 -p1
|
||||
%patch02003 -p1
|
||||
%ifarch aarch64
|
||||
%patch02004 -p1
|
||||
%patch02002 -p1
|
||||
%endif
|
||||
%patch02003 -p1
|
||||
%patch02004 -p1
|
||||
%patch02005 -p1
|
||||
%if 0%{?patch-possibly-applied-elsewhere}
|
||||
%patch02006 -p1
|
||||
%endif
|
||||
%patch02007 -p1
|
||||
%patch03000 -p1
|
||||
%patch03001 -p1
|
||||
@ -1468,7 +1482,7 @@ done
|
||||
|
||||
# Compile the QOM test binary first, so that ...
|
||||
touch -r config-host.mak pc-bios
|
||||
make %{?_smp_mflags} tests/qtest/qom-test %{?_smp_mflags} V=1
|
||||
make %{?_smp_mflags} tests/qtest/qom-test V=1
|
||||
# ... make comes in fresh and has lots of address space (needed for 32bit, bsc#957379)
|
||||
make %{?_smp_mflags} check-report.tap V=1
|
||||
|
||||
|
@ -1297,7 +1297,7 @@ done
|
||||
|
||||
# Compile the QOM test binary first, so that ...
|
||||
touch -r config-host.mak pc-bios
|
||||
make %{?_smp_mflags} tests/qtest/qom-test %{?_smp_mflags} V=1
|
||||
make %{?_smp_mflags} tests/qtest/qom-test V=1
|
||||
# ... make comes in fresh and has lots of address space (needed for 32bit, bsc#957379)
|
||||
make %{?_smp_mflags} check-report.tap V=1
|
||||
|
||||
|
@ -2,6 +2,7 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Wed, 5 Feb 2020 06:57:35 -0500
|
||||
Subject: s390x: Add SIDA memory ops
|
||||
|
||||
Git-commit a9f21cec3bc9c86062c7c24bb2143d22cb3c2950
|
||||
References: bsc#1167075
|
||||
|
||||
Protected guests save the instruction control blocks in the SIDA
|
||||
@ -17,7 +18,6 @@ Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
|
||||
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
|
||||
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
|
||||
(cherry picked from commit a9f21cec3bc9c86062c7c24bb2143d22cb3c2950)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
target/s390x/cpu.h | 7 ++++++-
|
||||
|
@ -2,6 +2,7 @@ From: Christian Borntraeger <borntraeger@de.ibm.com>
|
||||
Date: Tue, 25 Feb 2020 06:28:51 -0500
|
||||
Subject: s390x: Add unpack facility feature to GA1
|
||||
|
||||
Git-commit: 3034eaac3b2970ba85a1d77814ceef1352d05357
|
||||
References: bsc#1167075
|
||||
|
||||
The unpack facility is an indication that diagnose 308 subcodes 8-10
|
||||
@ -21,7 +22,6 @@ Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
|
||||
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
|
||||
Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
|
||||
(cherry picked from commit 3034eaac3b2970ba85a1d77814ceef1352d05357)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
target/s390x/gen-features.c | 1 +
|
||||
|
@ -2,13 +2,13 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Fri, 13 Mar 2020 10:35:02 -0400
|
||||
Subject: s390x: Move diagnose 308 subcodes and rcs into ipl.h
|
||||
|
||||
Git-commit: 284bc3dd6e9a978e6e34b00777ce72007a88d6d9
|
||||
References: bsc#1167075
|
||||
|
||||
They are part of the IPL process, so let's put them into the ipl
|
||||
header.
|
||||
|
||||
Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
|
||||
(cherry picked from commit 284bc3dd6e9a978e6e34b00777ce72007a88d6d9)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/s390x/ipl.h | 11 +++++++++++
|
||||
|
@ -2,6 +2,7 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Fri, 6 Mar 2020 06:40:13 -0500
|
||||
Subject: s390x: protvirt: Add migration blocker
|
||||
|
||||
Git-commit: e721e55a3dabb2897081614b17dd4565e85249ac
|
||||
References: bsc#1167075
|
||||
|
||||
Migration is not yet supported.
|
||||
@ -11,7 +12,6 @@ Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
|
||||
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
|
||||
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
|
||||
(cherry picked from commit e721e55a3dabb2897081614b17dd4565e85249ac)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/s390x/s390-virtio-ccw.c | 18 ++++++++++++++++++
|
||||
|
@ -2,6 +2,7 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Fri, 29 Nov 2019 04:22:41 -0500
|
||||
Subject: s390x: protvirt: Disable address checks for PV guest IO emulation
|
||||
|
||||
Git-commit f658bf14295ad49caf8d1b21033982ce69423fb7
|
||||
References: bsc#1167075
|
||||
|
||||
IO instruction data is routed through SIDAD for protected guests, so
|
||||
@ -16,7 +17,6 @@ Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
|
||||
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
|
||||
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
|
||||
(cherry picked from commit f658bf14295ad49caf8d1b21033982ce69423fb7)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
target/s390x/ioinst.c | 35 ++++++++++++++++++++++++++++-------
|
||||
|
@ -2,6 +2,7 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Tue, 6 Aug 2019 15:40:05 +0200
|
||||
Subject: s390x: protvirt: Handle SIGP store status correctly
|
||||
|
||||
Git-commit: 398fc6874438c320407449d1c9560925aba2280b
|
||||
References: bsc#1167075
|
||||
|
||||
For protected VMs status storing is not done by QEMU anymore.
|
||||
@ -12,7 +13,6 @@ Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
|
||||
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
|
||||
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
|
||||
(cherry picked from commit 398fc6874438c320407449d1c9560925aba2280b)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
target/s390x/helper.c | 6 ++++++
|
||||
|
@ -2,6 +2,7 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Mon, 24 Feb 2020 07:49:06 -0500
|
||||
Subject: s390x: protvirt: Inhibit balloon when switching to protected mode
|
||||
|
||||
Git-commit: 59dc32a3494d6afdd420f3e401f1f324a1179256
|
||||
References: bsc#1167075
|
||||
|
||||
Ballooning in protected VMs can only be done when the guest shares the
|
||||
@ -29,7 +30,6 @@ Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
|
||||
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
|
||||
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
|
||||
(cherry picked from commit 59dc32a3494d6afdd420f3e401f1f324a1179256)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/s390x/s390-virtio-ccw.c | 11 +++++++++++
|
||||
|
@ -2,6 +2,7 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Mon, 13 May 2019 10:35:27 +0200
|
||||
Subject: s390x: protvirt: KVM intercept changes
|
||||
|
||||
Git-commit: fd70eb764f176c200d6723c2ad88362f23536bfa
|
||||
References: bsc#1167075
|
||||
|
||||
Protected VMs no longer intercept with code 4 for an instruction
|
||||
@ -30,7 +31,6 @@ Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
|
||||
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
|
||||
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
|
||||
(cherry picked from commit fd70eb764f176c200d6723c2ad88362f23536bfa)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
target/s390x/kvm.c | 4 ++++
|
||||
|
@ -2,6 +2,7 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Wed, 5 Feb 2020 07:02:33 -0500
|
||||
Subject: s390x: protvirt: Move IO control structures over SIDA
|
||||
|
||||
Git-commit: 4989e18cbe5621df39020ef812316f479d8f5246
|
||||
References: bsc#1167075
|
||||
|
||||
For protected guests, we need to put the IO emulation results into the
|
||||
@ -10,7 +11,6 @@ SIDA, so SIE will write them into the guest at the next entry.
|
||||
Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
|
||||
Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
|
||||
(cherry picked from commit 4989e18cbe5621df39020ef812316f479d8f5246)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
target/s390x/ioinst.c | 61 +++++++++++++++++++++++++++++++------------
|
||||
|
@ -2,6 +2,7 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Wed, 5 Feb 2020 07:02:51 -0500
|
||||
Subject: s390x: protvirt: Move STSI data over SIDAD
|
||||
|
||||
Git-commit: ccce7a654911ae507c962aff5f41004a7a88fad6
|
||||
References: bsc#1167075
|
||||
|
||||
For protected guests, we need to put the STSI emulation results into
|
||||
@ -11,7 +12,6 @@ Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
|
||||
Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
|
||||
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
|
||||
(cherry picked from commit ccce7a654911ae507c962aff5f41004a7a88fad6)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
target/s390x/kvm.c | 11 +++++++++--
|
||||
|
@ -2,6 +2,7 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Wed, 31 Jul 2019 17:49:08 +0200
|
||||
Subject: s390x: protvirt: Move diag 308 data over SIDA
|
||||
|
||||
Git-commit: 258da1c7736d3aa4604ceea6cce00995c6f30058
|
||||
References: bsc#1167075
|
||||
|
||||
For protected guests the IPIB is written/read to/from the SIDA, so we
|
||||
@ -12,7 +13,6 @@ Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
|
||||
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
|
||||
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
|
||||
(cherry picked from commit 258da1c7736d3aa4604ceea6cce00995c6f30058)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
target/s390x/diag.c | 25 ++++++++++++++++++++-----
|
||||
|
@ -2,6 +2,7 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Mon, 3 Jun 2019 16:40:29 +0200
|
||||
Subject: s390x: protvirt: SCLP interpretation
|
||||
|
||||
Git-commit: 32633cf4539341180dbc7a92c2655c711b4a6996
|
||||
References: bsc#1167075
|
||||
|
||||
SCLP for a protected guest is done over the SIDAD, so we need to use
|
||||
@ -16,7 +17,6 @@ Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
|
||||
Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
|
||||
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
|
||||
(cherry picked from commit 32633cf4539341180dbc7a92c2655c711b4a6996)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/s390x/sclp.c | 56 +++++++++++++++++++++++++++++++++--------
|
||||
|
@ -2,6 +2,7 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Tue, 23 Jul 2019 13:17:32 +0200
|
||||
Subject: s390x: protvirt: Set guest IPL PSW
|
||||
|
||||
Git-commit: e8686d9849f1625f4f4b28403f0555181b72d1b6
|
||||
References: bsc#1167075
|
||||
|
||||
Handling of CPU reset and setting of the IPL psw from guest storage at
|
||||
@ -14,7 +15,6 @@ Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
|
||||
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
|
||||
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
|
||||
(cherry picked from commit e8686d9849f1625f4f4b28403f0555181b72d1b6)
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
target/s390x/cpu.c | 26 +++++++++++++++++---------
|
||||
|
@ -2,6 +2,7 @@ From: Janosch Frank <frankja@linux.ibm.com>
|
||||
Date: Mon, 11 Feb 2019 16:07:19 +0100
|
||||
Subject: s390x: protvirt: Support unpack facility
|
||||
|
||||
Git-commit: 2150c92b9b7d12b5fbdd2c59e5b17197d28f53db
|
||||
References: bsc#1167075
|
||||
|
||||
The unpack facility provides the means to setup a protected guest. A
|
||||
@ -23,7 +24,6 @@ to machine]
|
||||
Reviewed-by: David Hildenbrand <david@redhat.com>
|
||||
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
|
||||
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
|
||||
(cherry picked from commit 2150c92b9b7d12b5fbdd2c59e5b17197d28f53db)
|
||||
[BR: Needed to fix a compiler warning on i586 in hw/s390x/ipl.c]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
|
@ -2,48 +2,22 @@ From: Bruce Rogers <brogers@suse.com>
|
||||
Date: Wed, 2 Oct 2019 07:28:04 -0600
|
||||
Subject: tests: Disable some block tests for now
|
||||
|
||||
For a very long time we've experienced intermittent failure of some
|
||||
block tests. There doesn't seem to be an obvious cause. Given that we
|
||||
now build qemu using multibuild, the qemu-testsuite failure is now more
|
||||
problematic to just ignore. Until we can address these failures, which
|
||||
seem to be tied to the build environment in some way, disable the tests
|
||||
which are either randomly or reliably failing.
|
||||
|
||||
Currently, this patch is based on these failures seen on 09OCT2019 on
|
||||
v4.1.0 qemu:
|
||||
disable 065, 129, 169, 182, 205, 218, 242, 248, 250
|
||||
(other architectures not evaluated at this time)
|
||||
Most tests previously disabled for qemu-testsuite to be able to complete
|
||||
successfully are no longer (as of v4.1) listed as auto, and therefore
|
||||
do not get run anymore.
|
||||
|
||||
27NOV2019 - added 161 since it is failing on s390x and ppc consistently
|
||||
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
tests/qemu-iotests/group | 20 ++++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
tests/qemu-iotests/group | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
|
||||
index 435dccd5af90754a3f80f4455bdb..8409dad73f2cbd7447235ea10b03 100644
|
||||
index 435dccd5af90754a3f80f4455bdb..a6c8ed8a5cdef50383594305c0c1 100644
|
||||
--- a/tests/qemu-iotests/group
|
||||
+++ b/tests/qemu-iotests/group
|
||||
@@ -86,7 +86,7 @@
|
||||
062 rw auto quick
|
||||
063 rw auto quick
|
||||
064 rw quick
|
||||
-065 rw quick
|
||||
+#DISABLE FOR NOW 065 rw quick
|
||||
066 rw auto quick
|
||||
067 rw quick
|
||||
068 rw quick
|
||||
@@ -150,7 +150,7 @@
|
||||
126 rw auto backing
|
||||
127 rw auto backing quick
|
||||
128 rw quick
|
||||
-129 rw quick
|
||||
+#DISABLE FOR NOW 129 rw quick
|
||||
130 rw quick
|
||||
131 rw quick
|
||||
132 rw quick
|
||||
@@ -182,11 +182,11 @@
|
||||
@@ -182,7 +182,7 @@
|
||||
158 rw auto quick
|
||||
159 rw auto quick
|
||||
160 rw quick
|
||||
@ -52,54 +26,3 @@ index 435dccd5af90754a3f80f4455bdb..8409dad73f2cbd7447235ea10b03 100644
|
||||
162 quick
|
||||
163 rw
|
||||
165 rw quick
|
||||
-169 rw quick migration
|
||||
+#DISABLE FOR NOW 169 rw quick migration
|
||||
170 rw auto quick
|
||||
171 rw quick
|
||||
172 auto
|
||||
@@ -198,7 +198,7 @@
|
||||
178 img
|
||||
179 rw auto quick
|
||||
181 rw auto migration
|
||||
-182 rw quick
|
||||
+#DISABLE FOR NOW 182 rw quick
|
||||
183 rw migration
|
||||
184 rw auto quick
|
||||
185 rw
|
||||
@@ -220,7 +220,7 @@
|
||||
202 rw quick
|
||||
203 rw auto migration
|
||||
204 rw quick
|
||||
-205 rw quick
|
||||
+#DISABLE FOR NOW 205 rw quick
|
||||
206 rw
|
||||
207 rw
|
||||
208 rw quick
|
||||
@@ -233,7 +233,7 @@
|
||||
215 rw quick
|
||||
216 rw quick
|
||||
217 rw auto quick
|
||||
-218 rw quick
|
||||
+#DISABLE FOR NOW 218 rw quick
|
||||
219 rw
|
||||
220 rw auto
|
||||
221 rw quick
|
||||
@@ -256,15 +256,15 @@
|
||||
239 rw quick
|
||||
240 quick
|
||||
241 rw quick
|
||||
-242 rw quick
|
||||
+#DISABLE FOR NOW 242 rw quick
|
||||
243 rw quick
|
||||
244 rw auto quick
|
||||
245 rw
|
||||
246 rw quick
|
||||
247 rw quick
|
||||
-248 rw quick
|
||||
+#DISABLE FOR NOW 248 rw quick
|
||||
249 rw auto quick
|
||||
-250 rw quick
|
||||
+#DISABLE FOR NOW 250 rw quick
|
||||
251 rw auto quick
|
||||
252 rw auto backing quick
|
||||
253 rw quick
|
||||
|
30
vga-fix-cirrus-bios.patch
Normal file
30
vga-fix-cirrus-bios.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Thu, 25 Jun 2020 11:17:09 +0200
|
||||
Subject: vga: fix cirrus bios
|
||||
|
||||
Git-commit: d11c75185276ded944f2ea0277532b7fee849bbc
|
||||
|
||||
Little mistake, big effect. The patch adding the ati driver broke
|
||||
cirrus due to a missing "else", which effectively downgrades cirrus
|
||||
to standard vga.
|
||||
|
||||
Fixes: 34b6ecc16074 ("vga: add atiext driver")
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
vgasrc/vgahw.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/roms/seabios/vgasrc/vgahw.h b/roms/seabios/vgasrc/vgahw.h
|
||||
index c774f4f2c6b7c8012096bac2f0ed..8b64660e5ef70d71b440013300bc 100644
|
||||
--- a/roms/seabios/vgasrc/vgahw.h
|
||||
+++ b/roms/seabios/vgasrc/vgahw.h
|
||||
@@ -36,7 +36,7 @@ static inline int vgahw_set_mode(struct vgamode_s *vmode_g, int flags) {
|
||||
static inline void vgahw_list_modes(u16 seg, u16 *dest, u16 *last) {
|
||||
if (CONFIG_VGA_CIRRUS)
|
||||
clext_list_modes(seg, dest, last);
|
||||
- if (CONFIG_VGA_ATI)
|
||||
+ else if (CONFIG_VGA_ATI)
|
||||
ati_list_modes(seg, dest, last);
|
||||
else if (CONFIG_VGA_BOCHS)
|
||||
bochsvga_list_modes(seg, dest, last);
|
@ -1,30 +0,0 @@
|
||||
From: Bruce Rogers <brogers@suse.com>
|
||||
Date: Tue, 5 May 2020 13:26:33 -0600
|
||||
Subject: work around gcc10 problem with zero-length array
|
||||
|
||||
References: boo#1171123
|
||||
|
||||
gcc10 has introduced a regression in handling zero-length array under
|
||||
certain cirumstances. For now simply work around it by extending the
|
||||
array to have 1 member. I've audited the code to ensure that will still
|
||||
work right.
|
||||
See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94940
|
||||
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
src/drivers/net/intelvf.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/roms/ipxe/src/drivers/net/intelvf.h b/roms/ipxe/src/drivers/net/intelvf.h
|
||||
index ab404698fe6de9f48370931fdf56..abc2cd254bd44f4b2168e1ecee54 100644
|
||||
--- a/roms/ipxe/src/drivers/net/intelvf.h
|
||||
+++ b/roms/ipxe/src/drivers/net/intelvf.h
|
||||
@@ -132,7 +132,7 @@ union intelvf_msg {
|
||||
/** Queue configuration message */
|
||||
struct intelvf_msg_queues queues;
|
||||
/** Raw dwords */
|
||||
- uint32_t dword[0];
|
||||
+ uint32_t dword[1];
|
||||
};
|
||||
|
||||
/** Maximum time to wait for mailbox message
|
Loading…
Reference in New Issue
Block a user