diff --git a/0006-linux-user-add-binfmt-wrapper-for-a.patch b/0006-linux-user-add-binfmt-wrapper-for-a.patch index cf8f2d7d..b28098df 100644 --- a/0006-linux-user-add-binfmt-wrapper-for-a.patch +++ b/0006-linux-user-add-binfmt-wrapper-for-a.patch @@ -32,7 +32,7 @@ Signed-off-by: Andreas Färber --- Makefile.target | 13 +++++++++++++ linux-user/Makefile.objs | 2 ++ - linux-user/binfmt.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + linux-user/binfmt.c | 42 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 57 insertions(+) create mode 100644 linux-user/binfmt.c diff --git a/0027-string-input-visitor-Fix-uint64-par.patch b/0027-string-input-visitor-Fix-uint64-par.patch index fa7c4d10..f644dce1 100644 --- a/0027-string-input-visitor-Fix-uint64-par.patch +++ b/0027-string-input-visitor-Fix-uint64-par.patch @@ -18,7 +18,7 @@ prefer the use of qemu_strto[u]ll() over strto[u]ll(). Cc: qemu-stable@nongnu.org Signed-off-by: Andreas Färber --- - qapi/string-input-visitor.c | 63 +++++++++++++++++++++++++++++++++++---------- + qapi/string-input-visitor.c | 63 +++++++++++++++++++++++++++++-------- 1 file changed, 50 insertions(+), 13 deletions(-) diff --git a/qapi/string-input-visitor.c b/qapi/string-input-visitor.c diff --git a/0030-tests-Add-QOM-property-unit-tests.patch b/0030-tests-Add-QOM-property-unit-tests.patch index 86ee10b2..b7c58b37 100644 --- a/0030-tests-Add-QOM-property-unit-tests.patch +++ b/0030-tests-Add-QOM-property-unit-tests.patch @@ -11,8 +11,8 @@ Add a test for parsing and setting a uint64 property. Signed-off-by: Andreas Färber --- MAINTAINERS | 1 + - tests/Makefile.include | 3 ++ - tests/check-qom-props.c | 122 ++++++++++++++++++++++++++++++++++++++++++++++++ + tests/Makefile.include | 3 + + tests/check-qom-props.c | 122 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 126 insertions(+) create mode 100644 tests/check-qom-props.c diff --git a/0031-tests-Add-scsi-disk-test.patch b/0031-tests-Add-scsi-disk-test.patch index be496d9b..73009ba0 100644 --- a/0031-tests-Add-scsi-disk-test.patch +++ b/0031-tests-Add-scsi-disk-test.patch @@ -15,7 +15,7 @@ Signed-off-by: Andreas Färber --- MAINTAINERS | 1 + tests/Makefile.include | 3 ++ - tests/scsi-disk-test.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++ + tests/scsi-disk-test.c | 83 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 87 insertions(+) create mode 100644 tests/scsi-disk-test.c diff --git a/0035-smbios-Add-1-terminator-if-any-stri.patch b/0035-smbios-Add-1-terminator-if-any-stri.patch index 18ec953e..1aedb23a 100644 --- a/0035-smbios-Add-1-terminator-if-any-stri.patch +++ b/0035-smbios-Add-1-terminator-if-any-stri.patch @@ -24,8 +24,8 @@ For smbios tables which dont have string fields provided, qemu should add 2. [LM: BSC#1084316] Signed-off-by: Lin Ma --- - hw/smbios/smbios.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++ - include/hw/smbios/smbios.h | 44 +++++++++++++++++++++++ + hw/smbios/smbios.c | 90 ++++++++++++++++++++++++++++++++++++++ + include/hw/smbios/smbios.h | 44 +++++++++++++++++++ 2 files changed, 134 insertions(+) diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c diff --git a/0040-device_tree-Increase-FDT_MAX_SIZE-t.patch b/0040-device_tree-Increase-FDT_MAX_SIZE-t.patch new file mode 100644 index 00000000..2668992f --- /dev/null +++ b/0040-device_tree-Increase-FDT_MAX_SIZE-t.patch @@ -0,0 +1,39 @@ +From 3faf2d7bb2c32a603e65f68045a58524f3018937 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Thu, 26 Apr 2018 11:04:38 +0100 +Subject: [PATCH] device_tree: Increase FDT_MAX_SIZE to 1 MiB + +It is not uncommon for a contemporary FDT to be larger than 64 KiB, +leading to failures loading the device tree from sysfs: + + qemu-system-aarch64: qemu_fdt_setprop: Couldn't set ...: FDT_ERR_NOSPACE + +Hence increase the limit to 1 MiB, like on PPC. + +For reference, the largest arm64 DTB created from the Linux sources is +ca. 75 KiB large (100 KiB when built with symbols/fixup support). + +Cc: qemu-stable@nongnu.org +Signed-off-by: Geert Uytterhoeven +Message-id: 1523541337-23919-1-git-send-email-geert+renesas@glider.be +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell +(cherry picked from commit 14ec3cbd7c1e31dca4d23f028100c8f43e156573) +Signed-off-by: Bruce Rogers +--- + device_tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/device_tree.c b/device_tree.c +index 19458b32bf..52c3358a55 100644 +--- a/device_tree.c ++++ b/device_tree.c +@@ -29,7 +29,7 @@ + + #include + +-#define FDT_MAX_SIZE 0x10000 ++#define FDT_MAX_SIZE 0x100000 + + void *create_device_tree(int *sizep) + { diff --git a/0041-vnc-fix-use-after-free.patch b/0041-vnc-fix-use-after-free.patch new file mode 100644 index 00000000..1c0acb3d --- /dev/null +++ b/0041-vnc-fix-use-after-free.patch @@ -0,0 +1,47 @@ +From 62a58c5c2ab8ae7575a9d91d903e97ef250cc537 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 20 Apr 2018 10:48:19 +0200 +Subject: [PATCH] vnc: fix use-after-free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When vnc_client_read() return value is -1 +vs is not valid any more. + +Fixes: d49b87f0d1e0520443a990fc610d0f02bc63c556 +Reported-by: Philippe Mathieu-Daudé +Signed-off-by: Gerd Hoffmann +Reviewed-by: Marc-André Lureau +Reviewed-by: Daniel P. Berrangé +Reviewed-by: Philippe Mathieu-Daudé +Tested-by: Marc-André Lureau +Tested-by: Philippe Mathieu-Daudé +Message-id: 20180420084820.3873-1-kraxel@redhat.com +(cherry picked from commit 1bc3117abad28d6465ecdb2c944b22943df0e4f3) +Signed-off-by: Bruce Rogers +--- + ui/vnc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/ui/vnc.c b/ui/vnc.c +index 5ebae6f664..a4b2cc7666 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -1539,13 +1539,14 @@ gboolean vnc_client_io(QIOChannel *ioc G_GNUC_UNUSED, + VncState *vs = opaque; + if (condition & G_IO_IN) { + if (vnc_client_read(vs) < 0) { +- goto end; ++ /* vs is free()ed here */ ++ return TRUE; + } + } + if (condition & G_IO_OUT) { + vnc_client_write(vs); + } +-end: ++ + if (vs->disconnecting) { + if (vs->ioc_tag != 0) { + g_source_remove(vs->ioc_tag); diff --git a/0042-ccid-Fix-dwProtocols-advertisement-.patch b/0042-ccid-Fix-dwProtocols-advertisement-.patch new file mode 100644 index 00000000..35dcabd2 --- /dev/null +++ b/0042-ccid-Fix-dwProtocols-advertisement-.patch @@ -0,0 +1,49 @@ +From 147b2d783526c7904732749cace06b62fd5fde9b Mon Sep 17 00:00:00 2001 +From: Jason Andryuk +Date: Fri, 20 Apr 2018 14:32:19 -0400 +Subject: [PATCH] ccid: Fix dwProtocols advertisement of T=0 + +Commit d7d218ef02d87c637d20d64da8f575d434ff6f78 attempted to change +dwProtocols to only advertise support for T=0 and not T=1. The change +was incorrect as it changed 0x00000003 to 0x00010000. + +lsusb -v in a linux guest shows: +"dwProtocols 65536 (Invalid values detected)", though the +smart card could still be accessed. Windows 7 does not detect inserted +smart cards and logs the the following Error in the Event Logs: + + Source: Smart Card Service + Event ID: 610 + Smart Card Reader 'QEMU QEMU USB CCID 0' rejected IOCTL SET_PROTOCOL: + Incorrect function. If this error persists, your smart card or reader + may not be functioning correctly + + Command Header: 03 00 00 00 + +Setting to 0x00000001 fixes the Windows issue. + +Signed-off-by: Jason Andryuk +Message-id: 20180420183219.20722-1-jandryuk@gmail.com +Cc: qemu-stable@nongnu.org +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 0ee86bb6c5beb6498488850104f7557c376d0bef) +Signed-off-by: Bruce Rogers +--- + hw/usb/dev-smartcard-reader.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c +index e6468057a0..cabb564788 100644 +--- a/hw/usb/dev-smartcard-reader.c ++++ b/hw/usb/dev-smartcard-reader.c +@@ -329,8 +329,8 @@ static const uint8_t qemu_ccid_descriptor[] = { + */ + 0x07, /* u8 bVoltageSupport; 01h - 5.0v, 02h - 3.0, 03 - 1.8 */ + +- 0x00, 0x00, /* u32 dwProtocols; RRRR PPPP. RRRR = 0000h.*/ +- 0x01, 0x00, /* PPPP: 0001h = Protocol T=0, 0002h = Protocol T=1 */ ++ 0x01, 0x00, /* u32 dwProtocols; RRRR PPPP. RRRR = 0000h.*/ ++ 0x00, 0x00, /* PPPP: 0001h = Protocol T=0, 0002h = Protocol T=1 */ + /* u32 dwDefaultClock; in kHZ (0x0fa0 is 4 MHz) */ + 0xa0, 0x0f, 0x00, 0x00, + /* u32 dwMaximumClock; */ diff --git a/0043-tcg-arm-Fix-memory-barrier-encoding.patch b/0043-tcg-arm-Fix-memory-barrier-encoding.patch new file mode 100644 index 00000000..c09f40b1 --- /dev/null +++ b/0043-tcg-arm-Fix-memory-barrier-encoding.patch @@ -0,0 +1,48 @@ +From 99aaadeae3b73ce65b3695a9fcae454ac09db81d Mon Sep 17 00:00:00 2001 +From: Henry Wertz +Date: Tue, 17 Apr 2018 12:06:23 -1000 +Subject: [PATCH] tcg/arm: Fix memory barrier encoding + +I found with qemu 2.11.x or newer that I would get an illegal instruction +error running some Intel binaries on my ARM chromebook. On investigation, +I found it was quitting on memory barriers. + +qemu instruction: +mb $0x31 +was translating as: +0x604050cc: 5bf07ff5 blpl #0x600250a8 + +After patch it gives: +0x604050cc: f57ff05b dmb ish + +In short, I found INSN_DMB_ISH (memory barrier for ARMv7) appeared to be +correct based on online docs, but due to some endian-related shenanigans it +had to be byte-swapped to suit qemu; it appears INSN_DMB_MCR (memory +barrier for ARMv6) also should be byte swapped (and this patch does so). +I have not checked for correctness of aarch64's barrier instruction. + +Cc: qemu-stable@nongnu.org +Reviewed-by: Peter Maydell +Signed-off-by: Henry Wertz +Signed-off-by: Richard Henderson +(cherry picked from commit 3f814b803797c007abfe5c4041de754e01723031) +Signed-off-by: Bruce Rogers +--- + tcg/arm/tcg-target.inc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tcg/arm/tcg-target.inc.c b/tcg/arm/tcg-target.inc.c +index dc83f3e5be..56a32a470f 100644 +--- a/tcg/arm/tcg-target.inc.c ++++ b/tcg/arm/tcg-target.inc.c +@@ -159,8 +159,8 @@ typedef enum { + INSN_STRD_IMM = 0x004000f0, + INSN_STRD_REG = 0x000000f0, + +- INSN_DMB_ISH = 0x5bf07ff5, +- INSN_DMB_MCR = 0xba0f07ee, ++ INSN_DMB_ISH = 0xf57ff05b, ++ INSN_DMB_MCR = 0xee070fba, + + /* Architected nop introduced in v6k. */ + /* ??? This is an MSR (imm) 0,0,0 insn. Anyone know if this diff --git a/0044-s390-ccw-force-diag-308-subcode-to-.patch b/0044-s390-ccw-force-diag-308-subcode-to-.patch new file mode 100644 index 00000000..5b533c5e --- /dev/null +++ b/0044-s390-ccw-force-diag-308-subcode-to-.patch @@ -0,0 +1,39 @@ +From 5098e4e05ca692d356588714daa2feaecc0f3248 Mon Sep 17 00:00:00 2001 +From: Cornelia Huck +Date: Wed, 2 May 2018 14:52:21 +0200 +Subject: [PATCH] s390-ccw: force diag 308 subcode to unsigned long + +We currently pass an integer as the subcode parameter. However, +the upper bits of the register containing the subcode need to +be 0, which is not guaranteed unless we explicitly specify the +subcode to be an unsigned long value. + +Fixes: d046c51dad3 ("pc-bios/s390-ccw: Get device address via diag 308/6") +Cc: qemu-stable@nongnu.org +Signed-off-by: Cornelia Huck +Acked-by: Christian Borntraeger +Tested-by: Thomas Huth +Signed-off-by: Thomas Huth +(cherry picked from commit 63d8b5ace31c1e1f3996fe4cd551d6d377594d5a) +Signed-off-by: Bruce Rogers +--- + pc-bios/s390-ccw/iplb.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h +index 5357a36d51..ded20c834e 100644 +--- a/pc-bios/s390-ccw/iplb.h ++++ b/pc-bios/s390-ccw/iplb.h +@@ -101,10 +101,11 @@ static inline bool manage_iplb(IplParameterBlock *iplb, bool store) + { + register unsigned long addr asm("0") = (unsigned long) iplb; + register unsigned long rc asm("1") = 0; ++ unsigned long subcode = store ? 6 : 5; + + asm volatile ("diag %0,%2,0x308\n" + : "+d" (addr), "+d" (rc) +- : "d" (store ? 6 : 5) ++ : "d" (subcode) + : "memory", "cc"); + return rc == 0x01; + } diff --git a/0045-nbd-client-fix-nbd_negotiate_simple.patch b/0045-nbd-client-fix-nbd_negotiate_simple.patch new file mode 100644 index 00000000..9a38b00a --- /dev/null +++ b/0045-nbd-client-fix-nbd_negotiate_simple.patch @@ -0,0 +1,43 @@ +From d0583cf5cba9821cef70389de8aab7c661f9f8a3 Mon Sep 17 00:00:00 2001 +From: Vladimir Sementsov-Ogievskiy +Date: Fri, 27 Apr 2018 17:20:01 +0300 +Subject: [PATCH] nbd/client: fix nbd_negotiate_simple_meta_context + +Initialize received variable. Otherwise, is is possible for server to +answer without any contexts, but we will set context_id to something +random (received_id is not initialized too) and return 1, which is +wrong. + +To solve it, just initialize received to false. Initialize received_id +too, just to make all possible checkers happy. + +Bug was introduced in 78a33ab58782efdb206de14 "nbd: BLOCK_STATUS for +standard get_block_status function: client part" with the whole +function. + +Signed-off-by: Vladimir Sementsov-Ogievskiy +Message-Id: <20180427142002.21930-2-vsementsov@virtuozzo.com> +Reviewed-by: Eric Blake +CC: qemu-stable@nongnu.org +Signed-off-by: Eric Blake +(cherry picked from commit 89aa0d87634e2cb98517509dc8bdb876f26ecf8b) +Signed-off-by: Bruce Rogers +--- + nbd/client.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nbd/client.c b/nbd/client.c +index b9e175d1c2..7f35b5c323 100644 +--- a/nbd/client.c ++++ b/nbd/client.c +@@ -613,8 +613,8 @@ static int nbd_negotiate_simple_meta_context(QIOChannel *ioc, + { + int ret; + NBDOptionReply reply; +- uint32_t received_id; +- bool received; ++ uint32_t received_id = 0; ++ bool received = false; + uint32_t export_len = strlen(export); + uint32_t context_len = strlen(context); + uint32_t data_len = sizeof(export_len) + export_len + diff --git a/0046-migration-block-dirty-bitmap-fix-me.patch b/0046-migration-block-dirty-bitmap-fix-me.patch new file mode 100644 index 00000000..68276319 --- /dev/null +++ b/0046-migration-block-dirty-bitmap-fix-me.patch @@ -0,0 +1,34 @@ +From dacb486f3fda3c43180f919cd8e9febf6016bc00 Mon Sep 17 00:00:00 2001 +From: Vladimir Sementsov-Ogievskiy +Date: Fri, 27 Apr 2018 17:20:02 +0300 +Subject: [PATCH] migration/block-dirty-bitmap: fix memory leak in + dirty_bitmap_load_bits + +Release buf on error path too. + +Bug was introduced in b35ebdf076d697bc "migration: add postcopy +migration of dirty bitmaps" with the whole function. + +Signed-off-by: Vladimir Sementsov-Ogievskiy +Message-Id: <20180427142002.21930-3-vsementsov@virtuozzo.com> +Reviewed-by: Eric Blake +CC: qemu-stable@nongnu.org +Signed-off-by: Eric Blake +(cherry picked from commit 16a2227893dc1d5cad78ed376ad1d7e300978fbe) +Signed-off-by: Bruce Rogers +--- + migration/block-dirty-bitmap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/migration/block-dirty-bitmap.c b/migration/block-dirty-bitmap.c +index dd04f102d8..8819aabe3a 100644 +--- a/migration/block-dirty-bitmap.c ++++ b/migration/block-dirty-bitmap.c +@@ -600,6 +600,7 @@ static int dirty_bitmap_load_bits(QEMUFile *f, DirtyBitmapLoadState *s) + ret = qemu_get_buffer(f, buf, buf_size); + if (ret != buf_size) { + error_report("Failed to read bitmap bits"); ++ g_free(buf); + return -EIO; + } + diff --git a/0047-nbd-client-Fix-error-messages-durin.patch b/0047-nbd-client-Fix-error-messages-durin.patch new file mode 100644 index 00000000..aa232bb0 --- /dev/null +++ b/0047-nbd-client-Fix-error-messages-durin.patch @@ -0,0 +1,59 @@ +From 576c854128e5646e6b36a757eaead3f89f21fb51 Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Tue, 1 May 2018 10:46:53 -0500 +Subject: [PATCH] nbd/client: Fix error messages during NBD_INFO_BLOCK_SIZE + +A missing space makes for poor error messages, and sizes can't +go negative. Also, we missed diagnosing a server that sends +a maximum block size less than the minimum. + +Fixes: 081dd1fe +CC: qemu-stable@nongnu.org +Signed-off-by: Eric Blake +Message-Id: <20180501154654.943782-1-eblake@redhat.com> +Reviewed-by: Vladimir Sementsov-Ogievskiy +(cherry picked from commit e475d108f1b3d3163f0affea67cdedbe5fc9752b) +Signed-off-by: Bruce Rogers +--- + nbd/client.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/nbd/client.c b/nbd/client.c +index 7f35b5c323..232ff4f46d 100644 +--- a/nbd/client.c ++++ b/nbd/client.c +@@ -435,8 +435,8 @@ static int nbd_opt_go(QIOChannel *ioc, const char *wantname, + } + be32_to_cpus(&info->min_block); + if (!is_power_of_2(info->min_block)) { +- error_setg(errp, "server minimum block size %" PRId32 +- "is not a power of two", info->min_block); ++ error_setg(errp, "server minimum block size %" PRIu32 ++ " is not a power of two", info->min_block); + nbd_send_opt_abort(ioc); + return -1; + } +@@ -450,8 +450,8 @@ static int nbd_opt_go(QIOChannel *ioc, const char *wantname, + be32_to_cpus(&info->opt_block); + if (!is_power_of_2(info->opt_block) || + info->opt_block < info->min_block) { +- error_setg(errp, "server preferred block size %" PRId32 +- "is not valid", info->opt_block); ++ error_setg(errp, "server preferred block size %" PRIu32 ++ " is not valid", info->opt_block); + nbd_send_opt_abort(ioc); + return -1; + } +@@ -462,6 +462,12 @@ static int nbd_opt_go(QIOChannel *ioc, const char *wantname, + return -1; + } + be32_to_cpus(&info->max_block); ++ if (info->max_block < info->min_block) { ++ error_setg(errp, "server maximum block size %" PRIu32 ++ " is not valid", info->max_block); ++ nbd_send_opt_abort(ioc); ++ return -1; ++ } + trace_nbd_opt_go_info_block_size(info->min_block, info->opt_block, + info->max_block); + break; diff --git a/0048-nbd-client-Relax-handling-of-large-.patch b/0048-nbd-client-Relax-handling-of-large-.patch new file mode 100644 index 00000000..ae937dfc --- /dev/null +++ b/0048-nbd-client-Relax-handling-of-large-.patch @@ -0,0 +1,54 @@ +From 15ada521b8ffff264f5322a188fa1ce080eec5a4 Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Thu, 3 May 2018 17:26:26 -0500 +Subject: [PATCH] nbd/client: Relax handling of large NBD_CMD_BLOCK_STATUS + reply + +The NBD spec is proposing a relaxation of NBD_CMD_BLOCK_STATUS +where a server may have the final extent per context give a +length beyond the original request, if it can easily prove that +subsequent bytes have the same status, on the grounds that a +client can take advantage of this information for fewer block +status requests. Since qemu 2.12 as a client always sends +NBD_CMD_FLAG_REQ_ONE, and rejects a server that sends extra +length, the upstream NBD spec will probably limit this behavior +to clients that don't request REQ_ONE semantics; but it doesn't +hurt to relax qemu to always be permissive of this server +behavior, even if it continues to use REQ_ONE. + +CC: qemu-stable@nongnu.org +Signed-off-by: Eric Blake +Message-Id: <20180503222626.1303410-1-eblake@redhat.com> +Reviewed-by: Vladimir Sementsov-Ogievskiy +(cherry picked from commit acfd8f7a5f92e703d2d046cbe3d510008a697194) +Signed-off-by: Bruce Rogers +--- + block/nbd-client.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/block/nbd-client.c b/block/nbd-client.c +index e7caf49fbb..8d69eaaa32 100644 +--- a/block/nbd-client.c ++++ b/block/nbd-client.c +@@ -259,14 +259,18 @@ static int nbd_parse_blockstatus_payload(NBDClientSession *client, + + if (extent->length == 0 || + (client->info.min_block && !QEMU_IS_ALIGNED(extent->length, +- client->info.min_block)) || +- extent->length > orig_length) +- { ++ client->info.min_block))) { + error_setg(errp, "Protocol error: server sent status chunk with " + "invalid length"); + return -EINVAL; + } + ++ /* The server is allowed to send us extra information on the final ++ * extent; just clamp it to the length we requested. */ ++ if (extent->length > orig_length) { ++ extent->length = orig_length; ++ } ++ + return 0; + } + diff --git a/0049-qxl-fix-local-renderer-crash.patch b/0049-qxl-fix-local-renderer-crash.patch new file mode 100644 index 00000000..92880cdc --- /dev/null +++ b/0049-qxl-fix-local-renderer-crash.patch @@ -0,0 +1,40 @@ +From 103ae095901618329ae7bcc1c353fb9f89f0dce4 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 27 Apr 2018 13:55:28 +0200 +Subject: [PATCH] qxl: fix local renderer crash +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Make sure we only ask the spice local renderer for display updates in +case we have a valid primary surface. Without that spice is confused +and throws errors in case a display update request (triggered by +screendump for example) happens in parallel to a mode switch and hits +the race window where the old primary surface is gone and the new isn't +establisted yet. + +Cc: qemu-stable@nongnu.org +Fixes: https://bugzilla.redhat.com//show_bug.cgi?id=1567733 +Signed-off-by: Gerd Hoffmann +Reviewed-by: Marc-André Lureau +Message-id: 20180427115528.345-1-kraxel@redhat.com +(cherry picked from commit 5bd5c27c7d284d01477c5cc022ce22438c46bf9f) +Signed-off-by: Bruce Rogers +--- + hw/display/qxl-render.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index e7ac4f8789..c62b9a5e75 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -169,7 +169,8 @@ void qxl_render_update(PCIQXLDevice *qxl) + + qemu_mutex_lock(&qxl->ssd.lock); + +- if (!runstate_is_running() || !qxl->guest_primary.commands) { ++ if (!runstate_is_running() || !qxl->guest_primary.commands || ++ qxl->mode == QXL_MODE_UNDEFINED) { + qxl_render_update_area_unlocked(qxl); + qemu_mutex_unlock(&qxl->ssd.lock); + return; diff --git a/0050-tcg-Limit-the-number-of-ops-in-a-TB.patch b/0050-tcg-Limit-the-number-of-ops-in-a-TB.patch new file mode 100644 index 00000000..ea9884f6 --- /dev/null +++ b/0050-tcg-Limit-the-number-of-ops-in-a-TB.patch @@ -0,0 +1,83 @@ +From 4a80d570314e7d15b62ef1195b34ea635ec940fe Mon Sep 17 00:00:00 2001 +From: Richard Henderson +Date: Tue, 8 May 2018 19:18:59 +0000 +Subject: [PATCH] tcg: Limit the number of ops in a TB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In 6001f7729e12 we partially attempt to address the branch +displacement overflow caused by 15fa08f845. + +However, gcc/testsuite/gcc.target/aarch64/advsimd-intrinsics/vqtbX.c +is a testcase that contains a TB so large as to overflow anyway. +The limit here of 8000 ops produces a maximum output TB size of +24112 bytes on a ppc64le host with that test case. This is still +much less than the maximum forward branch distance of 32764 bytes. + +Cc: qemu-stable@nongnu.org +Fixes: 15fa08f845 ("tcg: Dynamically allocate TCGOps") +Reviewed-by: Laurent Vivier +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Richard Henderson +(cherry picked from commit abebf92597186be2bc48d487235da28b1127860f) +Signed-off-by: Bruce Rogers +--- + tcg/tcg.c | 3 +++ + tcg/tcg.h | 8 +++++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/tcg/tcg.c b/tcg/tcg.c +index bb24526c93..66997cc653 100644 +--- a/tcg/tcg.c ++++ b/tcg/tcg.c +@@ -866,6 +866,7 @@ void tcg_func_start(TCGContext *s) + /* No temps have been previously allocated for size or locality. */ + memset(s->free_temps, 0, sizeof(s->free_temps)); + ++ s->nb_ops = 0; + s->nb_labels = 0; + s->current_frame_offset = s->frame_start; + +@@ -1983,6 +1984,7 @@ void tcg_op_remove(TCGContext *s, TCGOp *op) + { + QTAILQ_REMOVE(&s->ops, op, link); + QTAILQ_INSERT_TAIL(&s->free_ops, op, link); ++ s->nb_ops--; + + #ifdef CONFIG_PROFILER + atomic_set(&s->prof.del_op_count, s->prof.del_op_count + 1); +@@ -2002,6 +2004,7 @@ static TCGOp *tcg_op_alloc(TCGOpcode opc) + } + memset(op, 0, offsetof(TCGOp, link)); + op->opc = opc; ++ s->nb_ops++; + + return op; + } +diff --git a/tcg/tcg.h b/tcg/tcg.h +index 30896ca304..17cf764565 100644 +--- a/tcg/tcg.h ++++ b/tcg/tcg.h +@@ -655,6 +655,7 @@ struct TCGContext { + int nb_globals; + int nb_temps; + int nb_indirects; ++ int nb_ops; + + /* goto_tb support */ + tcg_insn_unit *code_buf; +@@ -844,7 +845,12 @@ static inline TCGOp *tcg_last_op(void) + /* Test for whether to terminate the TB for using too many opcodes. */ + static inline bool tcg_op_buf_full(void) + { +- return false; ++ /* This is not a hard limit, it merely stops translation when ++ * we have produced "enough" opcodes. We want to limit TB size ++ * such that a RISC host can reasonably use a 16-bit signed ++ * branch within the TB. ++ */ ++ return tcg_ctx->nb_ops >= 8000; + } + + /* pool based memory allocation */ diff --git a/0051-target-arm-Clear-SVE-high-bits-for-.patch b/0051-target-arm-Clear-SVE-high-bits-for-.patch new file mode 100644 index 00000000..c3807b2c --- /dev/null +++ b/0051-target-arm-Clear-SVE-high-bits-for-.patch @@ -0,0 +1,63 @@ +From 5c37a7c504f63919341d277486e941c64584d171 Mon Sep 17 00:00:00 2001 +From: Richard Henderson +Date: Thu, 10 May 2018 18:10:58 +0100 +Subject: [PATCH] target/arm: Clear SVE high bits for FMOV +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use write_fp_dreg and clear_vec_high to zero the bits +that need zeroing for these cases. + +Cc: qemu-stable@nongnu.org +Reviewed-by: Alex Bennée +Signed-off-by: Richard Henderson +Message-id: 20180502221552.3873-5-richard.henderson@linaro.org +Signed-off-by: Peter Maydell +(cherry picked from commit 9a9f1f59521f46e8ff4527d9a2b52f83577e2aa3) +Signed-off-by: Bruce Rogers +--- + target/arm/translate-a64.c | 17 +++++------------ + 1 file changed, 5 insertions(+), 12 deletions(-) + +diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c +index c91329249d..a2c26a5f0a 100644 +--- a/target/arm/translate-a64.c ++++ b/target/arm/translate-a64.c +@@ -5438,31 +5438,24 @@ static void handle_fmov(DisasContext *s, int rd, int rn, int type, bool itof) + + if (itof) { + TCGv_i64 tcg_rn = cpu_reg(s, rn); ++ TCGv_i64 tmp; + + switch (type) { + case 0: +- { + /* 32 bit */ +- TCGv_i64 tmp = tcg_temp_new_i64(); ++ tmp = tcg_temp_new_i64(); + tcg_gen_ext32u_i64(tmp, tcg_rn); +- tcg_gen_st_i64(tmp, cpu_env, fp_reg_offset(s, rd, MO_64)); +- tcg_gen_movi_i64(tmp, 0); +- tcg_gen_st_i64(tmp, cpu_env, fp_reg_hi_offset(s, rd)); ++ write_fp_dreg(s, rd, tmp); + tcg_temp_free_i64(tmp); + break; +- } + case 1: +- { + /* 64 bit */ +- TCGv_i64 tmp = tcg_const_i64(0); +- tcg_gen_st_i64(tcg_rn, cpu_env, fp_reg_offset(s, rd, MO_64)); +- tcg_gen_st_i64(tmp, cpu_env, fp_reg_hi_offset(s, rd)); +- tcg_temp_free_i64(tmp); ++ write_fp_dreg(s, rd, tcg_rn); + break; +- } + case 2: + /* 64 bit to top half. */ + tcg_gen_st_i64(tcg_rn, cpu_env, fp_reg_hi_offset(s, rd)); ++ clear_vec_high(s, true, rd); + break; + } + } else { diff --git a/0052-cpus-tcg-fix-never-exiting-loop-on-.patch b/0052-cpus-tcg-fix-never-exiting-loop-on-.patch new file mode 100644 index 00000000..6c573495 --- /dev/null +++ b/0052-cpus-tcg-fix-never-exiting-loop-on-.patch @@ -0,0 +1,47 @@ +From b75d0d531a92be9c7d4f8dbbb9ebf7d0cb6b4423 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= +Date: Wed, 25 Apr 2018 15:18:28 +0200 +Subject: [PATCH] cpus: tcg: fix never exiting loop on unplug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit 9b0605f9837b ("cpus: tcg: unregister thread with RCU, fix +exiting of loop on unplug") changed the exit condition of the loop in +the vCPU thread function but forgot to remove the beginning 'while (1)' +statement. The resulting code : + + while (1) { + ... + } while (!cpu->unplug || cpu_can_run(cpu)); + +is a sequence of two distinct two while() loops, the first not exiting +in case of an unplug event. + +Remove the first while (1) to fix CPU unplug. + +Signed-off-by: Cédric Le Goater +Message-Id: <20180425131828.15604-1-clg@kaod.org> +Cc: qemu-stable@nongnu.org +Fixes: 9b0605f9837b68fd56c7fc7c96a3a1a3b983687d +Signed-off-by: Paolo Bonzini +Signed-off-by: Cédric Le Goater +(cherry picked from commit 54961aac190df28d311802364d19e18d5cda8bab) +Signed-off-by: Bruce Rogers +--- + cpus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cpus.c b/cpus.c +index ef39603cf9..b13112b8e2 100644 +--- a/cpus.c ++++ b/cpus.c +@@ -1648,7 +1648,7 @@ static void *qemu_tcg_cpu_thread_fn(void *arg) + /* process any pending work */ + cpu->exit_request = 1; + +- while (1) { ++ do { + if (cpu_can_run(cpu)) { + int r; + qemu_mutex_unlock_iothread(); diff --git a/0053-s390x-css-disabled-subchannels-cann.patch b/0053-s390x-css-disabled-subchannels-cann.patch new file mode 100644 index 00000000..fe558633 --- /dev/null +++ b/0053-s390x-css-disabled-subchannels-cann.patch @@ -0,0 +1,48 @@ +From 2b39c3abb35d0725bd94b21475737098fbea22ff Mon Sep 17 00:00:00 2001 +From: Cornelia Huck +Date: Fri, 4 May 2018 14:53:16 +0200 +Subject: [PATCH] s390x/css: disabled subchannels cannot be status pending + +The 3270 code will try to post an attention interrupt when the +3270 emulator (e.g. x3270) attaches. If the guest has not yet +enabled the subchannel for the 3270 device, we will present a spurious +cc 1 (status pending) when it uses msch on it later on, e.g. when +trying to enable the subchannel. + +To fix this, just don't do anything in css_conditional_io_interrupt() +if the subchannel is not enabled. The 3270 code will work fine with +that, and the other user of this function (virtio-ccw) never +attempts to post an interrupt for a disabled device to begin with. + +CC: qemu-stable@nongnu.org +Reported-by: Thomas Huth +Tested-by: Thomas Huth +Acked-by: Christian Borntraeger +Acked-by: Halil Pasic +Reviewed-by: David Hildenbrand +Signed-off-by: Cornelia Huck +(cherry picked from commit 6e9c893ecd00afd5344c35d0d0ded50eaa0938f6) +Signed-off-by: Bruce Rogers +--- + hw/s390x/css.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/s390x/css.c b/hw/s390x/css.c +index 301bf1772f..56c3fa8c89 100644 +--- a/hw/s390x/css.c ++++ b/hw/s390x/css.c +@@ -616,6 +616,14 @@ void css_inject_io_interrupt(SubchDev *sch) + + void css_conditional_io_interrupt(SubchDev *sch) + { ++ /* ++ * If the subchannel is not enabled, it is not made status pending ++ * (see PoP p. 16-17, "Status Control"). ++ */ ++ if (!(sch->curr_status.pmcw.flags & PMCW_FLAGS_MASK_ENA)) { ++ return; ++ } ++ + /* + * If the subchannel is not currently status pending, make it pending + * with alert status. diff --git a/0054-pc-bios-s390-ccw-struct-tpi_info-mu.patch b/0054-pc-bios-s390-ccw-struct-tpi_info-mu.patch new file mode 100644 index 00000000..acf236f8 --- /dev/null +++ b/0054-pc-bios-s390-ccw-struct-tpi_info-mu.patch @@ -0,0 +1,44 @@ +From 3179a2220ee4fbb087446148ab231898eae01fce Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Tue, 8 May 2018 12:17:52 +0200 +Subject: [PATCH] pc-bios/s390-ccw: struct tpi_info must be declared as + aligned(4) + +I've run into a compilation error today with the current version of GCC 8: + +In file included from s390-ccw.h:49, + from main.c:12: +cio.h:128:1: error: alignment 1 of 'struct tpi_info' is less than 4 [-Werror=packed-not-aligned] + } __attribute__ ((packed)); + ^ +cc1: all warnings being treated as errors + +Since the struct tpi_info contains an element ("struct subchannel_id schid") +which is marked as aligned(4), we've got to mark the struct tpi_info as +aligned(4), too. + +CC: qemu-stable@nongnu.org +Signed-off-by: Thomas Huth +Message-Id: <1525774672-11913-1-git-send-email-thuth@redhat.com> +Reviewed-by: Cornelia Huck +Acked-by: Christian Borntraeger +Signed-off-by: Cornelia Huck +(cherry picked from commit a6e4385dea94850d7b06b0542e7960c1063fdabd) +Signed-off-by: Bruce Rogers +--- + pc-bios/s390-ccw/cio.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pc-bios/s390-ccw/cio.h b/pc-bios/s390-ccw/cio.h +index 55eaeee4b6..1a0795f645 100644 +--- a/pc-bios/s390-ccw/cio.h ++++ b/pc-bios/s390-ccw/cio.h +@@ -125,7 +125,7 @@ struct tpi_info { + __u32 reserved3 : 12; + __u32 int_type : 3; + __u32 reserved4 : 12; +-} __attribute__ ((packed)); ++} __attribute__ ((packed, aligned(4))); + + /* channel command word (type 1) */ + struct ccw1 { diff --git a/0055-virtio-ccw-common-reset-handler.patch b/0055-virtio-ccw-common-reset-handler.patch new file mode 100644 index 00000000..5c048267 --- /dev/null +++ b/0055-virtio-ccw-common-reset-handler.patch @@ -0,0 +1,127 @@ +From ffc072689e4202e198ea8e8a3df4ec128e53bbea Mon Sep 17 00:00:00 2001 +From: Cornelia Huck +Date: Mon, 7 May 2018 15:05:42 +0200 +Subject: [PATCH] virtio-ccw: common reset handler + +All the different virtio ccw devices use the same reset handler, +so let's move setting it into the base virtio ccw device class. + +CC: qemu-stable@nongnu.org +Reviewed-by: Thomas Huth +Reviewed-by: David Hildenbrand +Reviewed-by: Halil Pasic +Signed-off-by: Cornelia Huck +(cherry picked from commit 0c53057adb04d254bc09511880670c92ab185fc6) +Signed-off-by: Bruce Rogers +--- + hw/s390x/virtio-ccw.c | 13 +------------ + 1 file changed, 1 insertion(+), 12 deletions(-) + +diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c +index e51fbefd23..40a33302a7 100644 +--- a/hw/s390x/virtio-ccw.c ++++ b/hw/s390x/virtio-ccw.c +@@ -1345,7 +1345,6 @@ static void virtio_ccw_net_class_init(ObjectClass *klass, void *data) + + k->realize = virtio_ccw_net_realize; + k->unrealize = virtio_ccw_unrealize; +- dc->reset = virtio_ccw_reset; + dc->props = virtio_ccw_net_properties; + set_bit(DEVICE_CATEGORY_NETWORK, dc->categories); + } +@@ -1373,7 +1372,6 @@ static void virtio_ccw_blk_class_init(ObjectClass *klass, void *data) + + k->realize = virtio_ccw_blk_realize; + k->unrealize = virtio_ccw_unrealize; +- dc->reset = virtio_ccw_reset; + dc->props = virtio_ccw_blk_properties; + set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); + } +@@ -1401,7 +1399,6 @@ static void virtio_ccw_serial_class_init(ObjectClass *klass, void *data) + + k->realize = virtio_ccw_serial_realize; + k->unrealize = virtio_ccw_unrealize; +- dc->reset = virtio_ccw_reset; + dc->props = virtio_ccw_serial_properties; + set_bit(DEVICE_CATEGORY_INPUT, dc->categories); + } +@@ -1429,7 +1426,6 @@ static void virtio_ccw_balloon_class_init(ObjectClass *klass, void *data) + + k->realize = virtio_ccw_balloon_realize; + k->unrealize = virtio_ccw_unrealize; +- dc->reset = virtio_ccw_reset; + dc->props = virtio_ccw_balloon_properties; + set_bit(DEVICE_CATEGORY_MISC, dc->categories); + } +@@ -1457,7 +1453,6 @@ static void virtio_ccw_scsi_class_init(ObjectClass *klass, void *data) + + k->realize = virtio_ccw_scsi_realize; + k->unrealize = virtio_ccw_unrealize; +- dc->reset = virtio_ccw_reset; + dc->props = virtio_ccw_scsi_properties; + set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); + } +@@ -1484,7 +1479,6 @@ static void vhost_ccw_scsi_class_init(ObjectClass *klass, void *data) + + k->realize = vhost_ccw_scsi_realize; + k->unrealize = virtio_ccw_unrealize; +- dc->reset = virtio_ccw_reset; + dc->props = vhost_ccw_scsi_properties; + set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); + } +@@ -1521,7 +1515,6 @@ static void virtio_ccw_rng_class_init(ObjectClass *klass, void *data) + + k->realize = virtio_ccw_rng_realize; + k->unrealize = virtio_ccw_unrealize; +- dc->reset = virtio_ccw_reset; + dc->props = virtio_ccw_rng_properties; + set_bit(DEVICE_CATEGORY_MISC, dc->categories); + } +@@ -1559,7 +1552,6 @@ static void virtio_ccw_crypto_class_init(ObjectClass *klass, void *data) + + k->realize = virtio_ccw_crypto_realize; + k->unrealize = virtio_ccw_unrealize; +- dc->reset = virtio_ccw_reset; + dc->props = virtio_ccw_crypto_properties; + set_bit(DEVICE_CATEGORY_MISC, dc->categories); + } +@@ -1597,7 +1589,6 @@ static void virtio_ccw_gpu_class_init(ObjectClass *klass, void *data) + + k->realize = virtio_ccw_gpu_realize; + k->unrealize = virtio_ccw_unrealize; +- dc->reset = virtio_ccw_reset; + dc->props = virtio_ccw_gpu_properties; + dc->hotpluggable = false; + set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories); +@@ -1626,7 +1617,6 @@ static void virtio_ccw_input_class_init(ObjectClass *klass, void *data) + + k->realize = virtio_ccw_input_realize; + k->unrealize = virtio_ccw_unrealize; +- dc->reset = virtio_ccw_reset; + dc->props = virtio_ccw_input_properties; + set_bit(DEVICE_CATEGORY_INPUT, dc->categories); + } +@@ -1730,6 +1720,7 @@ static void virtio_ccw_device_class_init(ObjectClass *klass, void *data) + dc->realize = virtio_ccw_busdev_realize; + dc->unrealize = virtio_ccw_busdev_unrealize; + dc->bus_type = TYPE_VIRTUAL_CSS_BUS; ++ dc->reset = virtio_ccw_reset; + } + + static const TypeInfo virtio_ccw_device_info = { +@@ -1806,7 +1797,6 @@ static void virtio_ccw_9p_class_init(ObjectClass *klass, void *data) + + k->unrealize = virtio_ccw_unrealize; + k->realize = virtio_ccw_9p_realize; +- dc->reset = virtio_ccw_reset; + dc->props = virtio_ccw_9p_properties; + set_bit(DEVICE_CATEGORY_STORAGE, dc->categories); + } +@@ -1856,7 +1846,6 @@ static void vhost_vsock_ccw_class_init(ObjectClass *klass, void *data) + k->unrealize = virtio_ccw_unrealize; + set_bit(DEVICE_CATEGORY_MISC, dc->categories); + dc->props = vhost_vsock_ccw_properties; +- dc->reset = virtio_ccw_reset; + } + + static void vhost_vsock_ccw_instance_init(Object *obj) diff --git a/0056-s390x-ccw-make-sure-all-ccw-devices.patch b/0056-s390x-ccw-make-sure-all-ccw-devices.patch new file mode 100644 index 00000000..f3ca5723 --- /dev/null +++ b/0056-s390x-ccw-make-sure-all-ccw-devices.patch @@ -0,0 +1,103 @@ +From 783d488a66a565aaf259e8736b6ccb97fb0cbb86 Mon Sep 17 00:00:00 2001 +From: Cornelia Huck +Date: Mon, 7 May 2018 15:27:57 +0200 +Subject: [PATCH] s390x/ccw: make sure all ccw devices are properly reset + +Thomas reported that the subchannel for a 3270 device that ended up +in a broken state (status pending even though not enabled) did not +get out of that state even after a reboot (which involves a subsytem +reset). The reason for this is that the 3270 device did not define +a reset handler. + +Let's fix this by introducing a base reset handler (set up for all +ccw devices) that resets the subchannel and have virtio-ccw call +its virtio-specific reset procedure in addition to that. + +CC: qemu-stable@nongnu.org +Reported-by: Thomas Huth +Suggested-by: Christian Borntraeger +Reviewed-by: Thomas Huth +Tested-by: Thomas Huth +Acked-by: Christian Borntraeger +Reviewed-by: Halil Pasic +Signed-off-by: Cornelia Huck +(cherry picked from commit 838fb84f83c84f00d15b1bede5e080b495644458) +Signed-off-by: Bruce Rogers +--- + hw/s390x/ccw-device.c | 8 ++++++++ + hw/s390x/virtio-ccw.c | 9 ++++++--- + hw/s390x/virtio-ccw.h | 1 + + 3 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/hw/s390x/ccw-device.c b/hw/s390x/ccw-device.c +index f9bfa154d6..7cd73df4aa 100644 +--- a/hw/s390x/ccw-device.c ++++ b/hw/s390x/ccw-device.c +@@ -40,6 +40,13 @@ static Property ccw_device_properties[] = { + DEFINE_PROP_END_OF_LIST(), + }; + ++static void ccw_device_reset(DeviceState *d) ++{ ++ CcwDevice *ccw_dev = CCW_DEVICE(d); ++ ++ css_reset_sch(ccw_dev->sch); ++} ++ + static void ccw_device_class_init(ObjectClass *klass, void *data) + { + DeviceClass *dc = DEVICE_CLASS(klass); +@@ -48,6 +55,7 @@ static void ccw_device_class_init(ObjectClass *klass, void *data) + k->realize = ccw_device_realize; + k->refill_ids = ccw_device_refill_ids; + dc->props = ccw_device_properties; ++ dc->reset = ccw_device_reset; + } + + const VMStateDescription vmstate_ccw_dev = { +diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c +index 40a33302a7..22df33b509 100644 +--- a/hw/s390x/virtio-ccw.c ++++ b/hw/s390x/virtio-ccw.c +@@ -1058,10 +1058,12 @@ static void virtio_ccw_reset(DeviceState *d) + { + VirtioCcwDevice *dev = VIRTIO_CCW_DEVICE(d); + VirtIODevice *vdev = virtio_bus_get_device(&dev->bus); +- CcwDevice *ccw_dev = CCW_DEVICE(d); ++ VirtIOCCWDeviceClass *vdc = VIRTIO_CCW_DEVICE_GET_CLASS(dev); + + virtio_ccw_reset_virtio(dev, vdev); +- css_reset_sch(ccw_dev->sch); ++ if (vdc->parent_reset) { ++ vdc->parent_reset(d); ++ } + } + + static void virtio_ccw_vmstate_change(DeviceState *d, bool running) +@@ -1715,12 +1717,13 @@ static void virtio_ccw_device_class_init(ObjectClass *klass, void *data) + { + DeviceClass *dc = DEVICE_CLASS(klass); + CCWDeviceClass *k = CCW_DEVICE_CLASS(dc); ++ VirtIOCCWDeviceClass *vdc = VIRTIO_CCW_DEVICE_CLASS(klass); + + k->unplug = virtio_ccw_busdev_unplug; + dc->realize = virtio_ccw_busdev_realize; + dc->unrealize = virtio_ccw_busdev_unrealize; + dc->bus_type = TYPE_VIRTUAL_CSS_BUS; +- dc->reset = virtio_ccw_reset; ++ device_class_set_parent_reset(dc, virtio_ccw_reset, &vdc->parent_reset); + } + + static const TypeInfo virtio_ccw_device_info = { +diff --git a/hw/s390x/virtio-ccw.h b/hw/s390x/virtio-ccw.h +index 2fc513001e..3453aa1f98 100644 +--- a/hw/s390x/virtio-ccw.h ++++ b/hw/s390x/virtio-ccw.h +@@ -77,6 +77,7 @@ typedef struct VirtIOCCWDeviceClass { + CCWDeviceClass parent_class; + void (*realize)(VirtioCcwDevice *dev, Error **errp); + void (*unrealize)(VirtioCcwDevice *dev, Error **errp); ++ void (*parent_reset)(DeviceState *dev); + } VirtIOCCWDeviceClass; + + /* Performance improves when virtqueue kick processing is decoupled from the diff --git a/0057-blockjob-expose-error-string-via-qu.patch b/0057-blockjob-expose-error-string-via-qu.patch new file mode 100644 index 00000000..acd5cf30 --- /dev/null +++ b/0057-blockjob-expose-error-string-via-qu.patch @@ -0,0 +1,65 @@ +From 28f65ae0a583e3b0a9d2b26c6fa6dc50dfb25ad6 Mon Sep 17 00:00:00 2001 +From: John Snow +Date: Tue, 8 May 2018 19:36:59 -0400 +Subject: [PATCH] blockjob: expose error string via query + +When we've reached the concluded state, we need to expose the error +state if applicable. Add the new field. + +This should be sufficient for determining if a job completed +successfully or not after concluding; if we want to discriminate +based on how it failed more mechanically, we can always add an +explicit return code enumeration later. + +I didn't bother to make it only show up if we are in the concluded +state; I don't think it's necessary. + +Cc: qemu-stable@nongnu.org +Signed-off-by: John Snow +Reviewed-by: Eric Blake +Reviewed-by: Alberto Garcia +Signed-off-by: Kevin Wolf +(cherry picked from commit ab9ba614556ac5b0f8d96b99e0dba19f1e28d6c2) +Signed-off-by: Bruce Rogers +--- + blockjob.c | 2 ++ + qapi/block-core.json | 6 +++++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/blockjob.c b/blockjob.c +index 27f957e571..4de48166b2 100644 +--- a/blockjob.c ++++ b/blockjob.c +@@ -831,6 +831,8 @@ BlockJobInfo *block_job_query(BlockJob *job, Error **errp) + info->status = job->status; + info->auto_finalize = job->auto_finalize; + info->auto_dismiss = job->auto_dismiss; ++ info->has_error = job->ret != 0; ++ info->error = job->ret ? g_strdup(strerror(-job->ret)) : NULL; + return info; + } + +diff --git a/qapi/block-core.json b/qapi/block-core.json +index c50517bff3..7da3bea6bc 100644 +--- a/qapi/block-core.json ++++ b/qapi/block-core.json +@@ -1172,6 +1172,9 @@ + # @auto-dismiss: Job will dismiss itself when CONCLUDED, moving to the NULL + # state and disappearing from the query list. (since 2.12) + # ++# @error: Error information if the job did not complete successfully. ++# Not set if the job completed successfully. (since 2.12.1) ++# + # Since: 1.1 + ## + { 'struct': 'BlockJobInfo', +@@ -1179,7 +1182,8 @@ + 'offset': 'int', 'busy': 'bool', 'paused': 'bool', 'speed': 'int', + 'io-status': 'BlockDeviceIoStatus', 'ready': 'bool', + 'status': 'BlockJobStatus', +- 'auto-finalize': 'bool', 'auto-dismiss': 'bool' } } ++ 'auto-finalize': 'bool', 'auto-dismiss': 'bool', ++ '*error': 'str' } } + + ## + # @query-block-jobs: diff --git a/0058-blockjob-Fix-assertion-in-block_job.patch b/0058-blockjob-Fix-assertion-in-block_job.patch new file mode 100644 index 00000000..5196684b --- /dev/null +++ b/0058-blockjob-Fix-assertion-in-block_job.patch @@ -0,0 +1,39 @@ +From 1eb457c2de41008aca9873be0ba2e2635e1f9cf1 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Tue, 8 May 2018 11:55:30 +0200 +Subject: [PATCH] blockjob: Fix assertion in block_job_finalize() + +Every job gets a non-NULL job->txn on creation, but it doesn't +necessarily keep it until it is decommissioned: Finalising a job removes +it from its transaction. Therefore, calling 'blockdev-job-finalize' a +second time on an already concluded job causes an assertion failure. + +Remove job->txn from the assertion in block_job_finalize() to fix this. +block_job_do_finalize() still has the same assertion, but if a job is +already removed from its transaction, block_job_apply_verb() will +already error out before we run into that assertion. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Kevin Wolf +Reviewed-by: Eric Blake +Reviewed-by: Max Reitz +Reviewed-by: John Snow +(cherry picked from commit 37aa19b63c46d933f1e4ea944cfccee54e2caf4a) +Signed-off-by: Bruce Rogers +--- + blockjob.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/blockjob.c b/blockjob.c +index 4de48166b2..b38ed7e265 100644 +--- a/blockjob.c ++++ b/blockjob.c +@@ -702,7 +702,7 @@ void block_job_complete(BlockJob *job, Error **errp) + + void block_job_finalize(BlockJob *job, Error **errp) + { +- assert(job && job->id && job->txn); ++ assert(job && job->id); + if (block_job_apply_verb(job, BLOCK_JOB_VERB_FINALIZE, errp)) { + return; + } diff --git a/0059-qemu-io-Use-purely-string-blockdev-.patch b/0059-qemu-io-Use-purely-string-blockdev-.patch new file mode 100644 index 00000000..8b78579b --- /dev/null +++ b/0059-qemu-io-Use-purely-string-blockdev-.patch @@ -0,0 +1,52 @@ +From 17f84e4f3e671f58c8c9fe909a5551ffd9dfdc87 Mon Sep 17 00:00:00 2001 +From: Max Reitz +Date: Wed, 2 May 2018 22:20:49 +0200 +Subject: [PATCH] qemu-io: Use purely string blockdev options + +Currently, qemu-io only uses string-valued blockdev options (as all are +converted directly from QemuOpts) -- with one exception: -U adds the +force-share option as a boolean. This in itself is already a bit +questionable, but a real issue is that it also assumes the value already +existing in the options QDict would be a boolean, which is wrong. + +That has the following effect: + +$ ./qemu-io -r -U --image-opts \ + driver=file,filename=/dev/null,force-share=off +[1] 15200 segmentation fault (core dumped) ./qemu-io -r -U +--image-opts driver=file,filename=/dev/null,force-share=off + +Since @opts is converted from QemuOpts, the value must be a string, and +we have to compare it as such. Consequently, it makes sense to also set +it as a string instead of a boolean. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Max Reitz +Message-id: 20180502202051.15493-2-mreitz@redhat.com +Reviewed-by: Eric Blake +Signed-off-by: Max Reitz +(cherry picked from commit 2a01c01f9ecb43af4c0a85fe6adc429ffc9c31b5) +Signed-off-by: Bruce Rogers +--- + qemu-io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/qemu-io.c b/qemu-io.c +index e692c555e0..0755a30447 100644 +--- a/qemu-io.c ++++ b/qemu-io.c +@@ -95,12 +95,12 @@ static int openfile(char *name, int flags, bool writethrough, bool force_share, + opts = qdict_new(); + } + if (qdict_haskey(opts, BDRV_OPT_FORCE_SHARE) +- && !qdict_get_bool(opts, BDRV_OPT_FORCE_SHARE)) { ++ && strcmp(qdict_get_str(opts, BDRV_OPT_FORCE_SHARE), "on")) { + error_report("-U conflicts with image options"); + QDECREF(opts); + return 1; + } +- qdict_put_bool(opts, BDRV_OPT_FORCE_SHARE, true); ++ qdict_put_str(opts, BDRV_OPT_FORCE_SHARE, "on"); + } + qemuio_blk = blk_new_open(name, NULL, opts, flags, &local_err); + if (!qemuio_blk) { diff --git a/0060-qemu-img-Use-only-string-options-in.patch b/0060-qemu-img-Use-only-string-options-in.patch new file mode 100644 index 00000000..c838952a --- /dev/null +++ b/0060-qemu-img-Use-only-string-options-in.patch @@ -0,0 +1,48 @@ +From a8a7fe80f036d584ffed21f9d2ddb65d269bc805 Mon Sep 17 00:00:00 2001 +From: Max Reitz +Date: Wed, 2 May 2018 22:20:50 +0200 +Subject: [PATCH] qemu-img: Use only string options in img_open_opts + +img_open_opts() takes a QemuOpts and converts them to a QDict, so all +values therein are strings. Then it may try to call qdict_get_bool(), +however, which will fail with a segmentation fault every time: + +$ ./qemu-img info -U --image-opts \ + driver=file,filename=/dev/null,force-share=off +[1] 27869 segmentation fault (core dumped) ./qemu-img info -U +--image-opts driver=file,filename=/dev/null,force-share=off + +Fix this by using qdict_get_str() and comparing the value as a string. +Also, when adding a force-share value to the QDict, add it as a string +so it fits the rest of the dict. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Max Reitz +Message-id: 20180502202051.15493-3-mreitz@redhat.com +Reviewed-by: Eric Blake +Signed-off-by: Max Reitz +(cherry picked from commit 4615f87832d2fcb7a544bedeece2741bf8c21f94) +Signed-off-by: Bruce Rogers +--- + qemu-img.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/qemu-img.c b/qemu-img.c +index 855fa52514..42b60917b0 100644 +--- a/qemu-img.c ++++ b/qemu-img.c +@@ -277,12 +277,12 @@ static BlockBackend *img_open_opts(const char *optstr, + options = qemu_opts_to_qdict(opts, NULL); + if (force_share) { + if (qdict_haskey(options, BDRV_OPT_FORCE_SHARE) +- && !qdict_get_bool(options, BDRV_OPT_FORCE_SHARE)) { ++ && strcmp(qdict_get_str(options, BDRV_OPT_FORCE_SHARE), "on")) { + error_report("--force-share/-U conflicts with image options"); + QDECREF(options); + return NULL; + } +- qdict_put_bool(options, BDRV_OPT_FORCE_SHARE, true); ++ qdict_put_str(options, BDRV_OPT_FORCE_SHARE, "on"); + } + blk = blk_new_open(NULL, NULL, options, flags, &local_err); + if (!blk) { diff --git a/0061-nfs-Remove-processed-options-from-Q.patch b/0061-nfs-Remove-processed-options-from-Q.patch new file mode 100644 index 00000000..9ec1495e --- /dev/null +++ b/0061-nfs-Remove-processed-options-from-Q.patch @@ -0,0 +1,51 @@ +From 07cfae0f6649239efdbf4aa97db175468495c5a1 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Wed, 16 May 2018 18:08:16 +0200 +Subject: [PATCH] nfs: Remove processed options from QDict + +Commit c22a03454 QAPIfied option parsing in the NFS block driver, but +forgot to remove all the options we processed. Therefore, we get an +error in bdrv_open_inherit(), which thinks the remaining options are +invalid. Trying to open an NFS image will result in an error like this: + + Block protocol 'nfs' doesn't support the option 'server.host' + +Remove all options from the QDict to make the NFS driver work again. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Kevin Wolf +Message-id: 20180516160816.26259-1-kwolf@redhat.com +Reviewed-by: Eric Blake +Reviewed-by: Jeff Cody +Signed-off-by: Jeff Cody +(cherry picked from commit c82be42cc803b36fd7aed5dceec68312c7056fd5) +Signed-off-by: Bruce Rogers +--- + block/nfs.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/block/nfs.c b/block/nfs.c +index 2577df4b26..dc12d5000d 100644 +--- a/block/nfs.c ++++ b/block/nfs.c +@@ -557,6 +557,7 @@ static BlockdevOptionsNfs *nfs_options_qdict_to_qapi(QDict *options, + BlockdevOptionsNfs *opts = NULL; + QObject *crumpled = NULL; + Visitor *v; ++ const QDictEntry *e; + Error *local_err = NULL; + + crumpled = qdict_crumple(options, errp); +@@ -573,6 +574,12 @@ static BlockdevOptionsNfs *nfs_options_qdict_to_qapi(QDict *options, + return NULL; + } + ++ /* Remove the processed options from the QDict (the visitor processes ++ * _all_ options in the QDict) */ ++ while ((e = qdict_first(options))) { ++ qdict_del(options, e->key); ++ } ++ + return opts; + } + diff --git a/0062-i386-define-the-ssbd-CPUID-feature-.patch b/0062-i386-define-the-ssbd-CPUID-feature-.patch new file mode 100644 index 00000000..f51bc633 --- /dev/null +++ b/0062-i386-define-the-ssbd-CPUID-feature-.patch @@ -0,0 +1,50 @@ +From 9641d6f6e656248df8c0877ef047c0764b2bbffc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Mon, 21 May 2018 22:54:22 +0100 +Subject: [PATCH] i386: define the 'ssbd' CPUID feature bit (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +New microcode introduces the "Speculative Store Bypass Disable" +CPUID feature bit. This needs to be exposed to guest OS to allow +them to protect against CVE-2018-3639. + +Signed-off-by: Daniel P. Berrangé +Reviewed-by: Konrad Rzeszutek Wilk +Signed-off-by: Konrad Rzeszutek Wilk +Message-Id: <20180521215424.13520-2-berrange@redhat.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit d19d1f965904a533998739698020ff4ee8a103da) +[BR: BSC#1092885] +Signed-off-by: Bruce Rogers +--- + target/i386/cpu.c | 2 +- + target/i386/cpu.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index a20fe26573..2f5263e22f 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -510,7 +510,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, "spec-ctrl", NULL, +- NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, "ssbd", + }, + .cpuid_eax = 7, + .cpuid_needs_ecx = true, .cpuid_ecx = 0, +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 164884f1d8..4c8e42e39d 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -684,6 +684,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; + #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ + #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ + #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */ ++#define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */ + + #define KVM_HINTS_DEDICATED (1U << 0) + diff --git a/0063-i386-Define-the-Virt-SSBD-MSR-and-h.patch b/0063-i386-Define-the-Virt-SSBD-MSR-and-h.patch new file mode 100644 index 00000000..c8184bec --- /dev/null +++ b/0063-i386-Define-the-Virt-SSBD-MSR-and-h.patch @@ -0,0 +1,147 @@ +From 3d54c78e88efc794e3adc1b32c2bf24829f18dec Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Mon, 21 May 2018 22:54:24 +0100 +Subject: [PATCH] i386: Define the Virt SSBD MSR and handling of it + (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +"Some AMD processors only support a non-architectural means of enabling +speculative store bypass disable (SSBD). To allow a simplified view of +this to a guest, an architectural definition has been created through a new +CPUID bit, 0x80000008_EBX[25], and a new MSR, 0xc001011f. With this, a +hypervisor can virtualize the existence of this definition and provide an +architectural method for using SSBD to a guest. + +Add the new CPUID feature, the new MSR and update the existing SSBD +support to use this MSR when present." (from x86/speculation: Add virtualized +speculative store bypass disable support in Linux). + +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Daniel P. Berrangé +Signed-off-by: Daniel P. Berrangé +Message-Id: <20180521215424.13520-4-berrange@redhat.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit cfeea0c021db6234c154dbc723730e81553924ff) +[BR: BSC#1092885] +Signed-off-by: Bruce Rogers +--- + target/i386/cpu.h | 2 ++ + target/i386/kvm.c | 16 ++++++++++++++-- + target/i386/machine.c | 20 ++++++++++++++++++++ + 3 files changed, 36 insertions(+), 2 deletions(-) + +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 4c8e42e39d..e63205d1f0 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -351,6 +351,7 @@ typedef enum X86Seg { + #define MSR_IA32_FEATURE_CONTROL 0x0000003a + #define MSR_TSC_ADJUST 0x0000003b + #define MSR_IA32_SPEC_CTRL 0x48 ++#define MSR_VIRT_SSBD 0xc001011f + #define MSR_IA32_TSCDEADLINE 0x6e0 + + #define FEATURE_CONTROL_LOCKED (1<<0) +@@ -1150,6 +1151,7 @@ typedef struct CPUX86State { + uint32_t pkru; + + uint64_t spec_ctrl; ++ uint64_t virt_ssbd; + + /* End of state preserved by INIT (dummy marker). */ + struct {} end_init_save; +diff --git a/target/i386/kvm.c b/target/i386/kvm.c +index 6c49954e68..19e6aa320d 100644 +--- a/target/i386/kvm.c ++++ b/target/i386/kvm.c +@@ -92,6 +92,7 @@ static bool has_msr_hv_stimer; + static bool has_msr_hv_frequencies; + static bool has_msr_xss; + static bool has_msr_spec_ctrl; ++static bool has_msr_virt_ssbd; + static bool has_msr_smi_count; + + static uint32_t has_architectural_pmu_version; +@@ -1218,6 +1219,9 @@ static int kvm_get_supported_msrs(KVMState *s) + case MSR_IA32_SPEC_CTRL: + has_msr_spec_ctrl = true; + break; ++ case MSR_VIRT_SSBD: ++ has_msr_virt_ssbd = true; ++ break; + } + } + } +@@ -1706,6 +1710,10 @@ static int kvm_put_msrs(X86CPU *cpu, int level) + if (has_msr_spec_ctrl) { + kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, env->spec_ctrl); + } ++ if (has_msr_virt_ssbd) { ++ kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, env->virt_ssbd); ++ } ++ + #ifdef TARGET_X86_64 + if (lm_capable_kernel) { + kvm_msr_entry_add(cpu, MSR_CSTAR, env->cstar); +@@ -2077,8 +2085,9 @@ static int kvm_get_msrs(X86CPU *cpu) + if (has_msr_spec_ctrl) { + kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, 0); + } +- +- ++ if (has_msr_virt_ssbd) { ++ kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, 0); ++ } + if (!env->tsc_valid) { + kvm_msr_entry_add(cpu, MSR_IA32_TSC, 0); + env->tsc_valid = !runstate_is_running(); +@@ -2444,6 +2453,9 @@ static int kvm_get_msrs(X86CPU *cpu) + case MSR_IA32_SPEC_CTRL: + env->spec_ctrl = msrs[i].data; + break; ++ case MSR_VIRT_SSBD: ++ env->virt_ssbd = msrs[i].data; ++ break; + case MSR_IA32_RTIT_CTL: + env->msr_rtit_ctrl = msrs[i].data; + break; +diff --git a/target/i386/machine.c b/target/i386/machine.c +index bd2d82e91b..f0a835c292 100644 +--- a/target/i386/machine.c ++++ b/target/i386/machine.c +@@ -893,6 +893,25 @@ static const VMStateDescription vmstate_msr_intel_pt = { + } + }; + ++static bool virt_ssbd_needed(void *opaque) ++{ ++ X86CPU *cpu = opaque; ++ CPUX86State *env = &cpu->env; ++ ++ return env->virt_ssbd != 0; ++} ++ ++static const VMStateDescription vmstate_msr_virt_ssbd = { ++ .name = "cpu/virt_ssbd", ++ .version_id = 1, ++ .minimum_version_id = 1, ++ .needed = virt_ssbd_needed, ++ .fields = (VMStateField[]){ ++ VMSTATE_UINT64(env.virt_ssbd, X86CPU), ++ VMSTATE_END_OF_LIST() ++ } ++}; ++ + VMStateDescription vmstate_x86_cpu = { + .name = "cpu", + .version_id = 12, +@@ -1015,6 +1034,7 @@ VMStateDescription vmstate_x86_cpu = { + &vmstate_spec_ctrl, + &vmstate_mcg_ext_ctl, + &vmstate_msr_intel_pt, ++ &vmstate_msr_virt_ssbd, + NULL + } + }; diff --git a/0064-i386-define-the-AMD-virt-ssbd-CPUID.patch b/0064-i386-define-the-AMD-virt-ssbd-CPUID.patch new file mode 100644 index 00000000..ae11d72e --- /dev/null +++ b/0064-i386-define-the-AMD-virt-ssbd-CPUID.patch @@ -0,0 +1,40 @@ +From b418432f84340d80f17b5b1317afe9c81a1d50ae Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Mon, 21 May 2018 22:54:23 +0100 +Subject: [PATCH] i386: define the AMD 'virt-ssbd' CPUID feature bit + (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +AMD Zen expose the Intel equivalant to Speculative Store Bypass Disable +via the 0x80000008_EBX[25] CPUID feature bit. + +This needs to be exposed to guest OS to allow them to protect +against CVE-2018-3639. + +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Daniel P. Berrangé +Signed-off-by: Daniel P. Berrangé +Message-Id: <20180521215424.13520-3-berrange@redhat.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit 403503b162ffc33fb64cfefdf7b880acf41772cd) +[BR: BSC#1092885] +Signed-off-by: Bruce Rogers +--- + target/i386/cpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 2f5263e22f..2e305ab689 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -541,7 +541,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + "ibpb", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ NULL, "virt-ssbd", NULL, NULL, + NULL, NULL, NULL, NULL, + }, + .cpuid_eax = 0x80000008, diff --git a/0065-Revert-replay-don-t-process-async-e.patch b/0065-Revert-replay-don-t-process-async-e.patch new file mode 100644 index 00000000..5f62ad56 --- /dev/null +++ b/0065-Revert-replay-don-t-process-async-e.patch @@ -0,0 +1,45 @@ +From 41e6f70a01044bf814949da00e22a18d0ada809b Mon Sep 17 00:00:00 2001 +From: Bruce Rogers +Date: Fri, 25 May 2018 09:08:20 -0600 +Subject: [PATCH] Revert "replay: don't process async events when warping the + clock" + +This reverts commit 89e46eb477113550485bc24264d249de9fd1260a. + +[BR: BSC#1094406] +Signed-off-by: Bruce Rogers +--- + replay/replay-events.c | 1 - + replay/replay.c | 7 +------ + 2 files changed, 1 insertion(+), 7 deletions(-) + +diff --git a/replay/replay-events.c b/replay/replay-events.c +index 707de3867b..fc7d458b90 100644 +--- a/replay/replay-events.c ++++ b/replay/replay-events.c +@@ -201,7 +201,6 @@ static void replay_save_event(Event *event, int checkpoint) + void replay_save_events(int checkpoint) + { + g_assert(replay_mutex_locked()); +- g_assert(checkpoint != CHECKPOINT_CLOCK_WARP_START); + while (!QTAILQ_EMPTY(&events_list)) { + Event *event = QTAILQ_FIRST(&events_list); + replay_save_event(event, checkpoint); +diff --git a/replay/replay.c b/replay/replay.c +index 8228261401..eae8daf18a 100644 +--- a/replay/replay.c ++++ b/replay/replay.c +@@ -211,12 +211,7 @@ bool replay_checkpoint(ReplayCheckpoint checkpoint) + } else if (replay_mode == REPLAY_MODE_RECORD) { + g_assert(replay_mutex_locked()); + replay_put_event(EVENT_CHECKPOINT + checkpoint); +- /* This checkpoint belongs to several threads. +- Processing events from different threads is +- non-deterministic */ +- if (checkpoint != CHECKPOINT_CLOCK_WARP_START) { +- replay_save_events(checkpoint); +- } ++ replay_save_events(checkpoint); + res = true; + } + out: diff --git a/0066-Revert-replay-avoid-recursive-call-.patch b/0066-Revert-replay-avoid-recursive-call-.patch new file mode 100644 index 00000000..04c5cef4 --- /dev/null +++ b/0066-Revert-replay-avoid-recursive-call-.patch @@ -0,0 +1,51 @@ +From 00300f4a36119691fc8689575424d380b2450bf7 Mon Sep 17 00:00:00 2001 +From: Bruce Rogers +Date: Fri, 25 May 2018 09:09:04 -0600 +Subject: [PATCH] Revert "replay: avoid recursive call of checkpoints" + +This reverts commit 66eb7825d0bd84a870a054fb208fe765317109fa. + +[BR: BSC#1094406] +Signed-off-by: Bruce Rogers +--- + replay/replay.c | 14 +------------- + 1 file changed, 1 insertion(+), 13 deletions(-) + +diff --git a/replay/replay.c b/replay/replay.c +index eae8daf18a..90f98b7490 100644 +--- a/replay/replay.c ++++ b/replay/replay.c +@@ -176,24 +176,13 @@ void replay_shutdown_request(ShutdownCause cause) + bool replay_checkpoint(ReplayCheckpoint checkpoint) + { + bool res = false; +- static bool in_checkpoint; + assert(EVENT_CHECKPOINT + checkpoint <= EVENT_CHECKPOINT_LAST); ++ replay_save_instructions(); + + if (!replay_file) { + return true; + } + +- if (in_checkpoint) { +- /* If we are already in checkpoint, then there is no need +- for additional synchronization. +- Recursion occurs when HW event modifies timers. +- Timer modification may invoke the checkpoint and +- proceed to recursion. */ +- return true; +- } +- in_checkpoint = true; +- +- replay_save_instructions(); + + if (replay_mode == REPLAY_MODE_PLAY) { + g_assert(replay_mutex_locked()); +@@ -215,7 +204,6 @@ bool replay_checkpoint(ReplayCheckpoint checkpoint) + res = true; + } + out: +- in_checkpoint = false; + return res; + } + diff --git a/0067-Revert-replay-check-return-values-o.patch b/0067-Revert-replay-check-return-values-o.patch new file mode 100644 index 00000000..ca0d4e10 --- /dev/null +++ b/0067-Revert-replay-check-return-values-o.patch @@ -0,0 +1,53 @@ +From cceb1b09c36f71bdb84cd8b3ad20d63335fc1559 Mon Sep 17 00:00:00 2001 +From: Bruce Rogers +Date: Fri, 25 May 2018 09:09:28 -0600 +Subject: [PATCH] Revert "replay: check return values of fwrite" + +This reverts commit 6dc0f5296359ff59c248215a965c8658dea9544b. + +[BR: BSC#1094406] +Signed-off-by: Bruce Rogers +--- + replay/replay-internal.c | 17 ++--------------- + 1 file changed, 2 insertions(+), 15 deletions(-) + +diff --git a/replay/replay-internal.c b/replay/replay-internal.c +index b077cb5fd5..8e7474f787 100644 +--- a/replay/replay-internal.c ++++ b/replay/replay-internal.c +@@ -24,23 +24,12 @@ + static QemuMutex lock; + + /* File for replay writing */ +-static bool write_error; + FILE *replay_file; + +-static void replay_write_error(void) +-{ +- if (!write_error) { +- error_report("replay write error"); +- write_error = true; +- } +-} +- + void replay_put_byte(uint8_t byte) + { + if (replay_file) { +- if (putc(byte, replay_file) == EOF) { +- replay_write_error(); +- } ++ putc(byte, replay_file); + } + } + +@@ -73,9 +62,7 @@ void replay_put_array(const uint8_t *buf, size_t size) + { + if (replay_file) { + replay_put_dword(size); +- if (fwrite(buf, 1, size, replay_file) != size) { +- replay_write_error(); +- } ++ fwrite(buf, 1, size, replay_file); + } + } + diff --git a/0068-Revert-replay-push-replay_mutex_loc.patch b/0068-Revert-replay-push-replay_mutex_loc.patch new file mode 100644 index 00000000..7ddf67cb --- /dev/null +++ b/0068-Revert-replay-push-replay_mutex_loc.patch @@ -0,0 +1,680 @@ +From 844d663fad2ad36a2960d21a93f36ab29de8215f Mon Sep 17 00:00:00 2001 +From: Bruce Rogers +Date: Fri, 25 May 2018 09:10:26 -0600 +Subject: [PATCH] Revert "replay: push replay_mutex_lock up the call tree" + +This reverts commit d759c951f3287fad04210a52f2dc93f94cf58c7f. + +[BR: BSC#1094406] +Signed-off-by: Bruce Rogers +--- + cpus.c | 24 ++---------------------- + docs/replay.txt | 22 ---------------------- + replay/replay-audio.c | 14 ++++++++++---- + replay/replay-char.c | 21 +++++++++++++-------- + replay/replay-events.c | 19 ++++++++++++------- + replay/replay-internal.c | 24 ++++++++---------------- + replay/replay-time.c | 10 +++++----- + replay/replay.c | 34 +++++++++++++++++++++------------- + util/main-loop.c | 15 ++++----------- + vl.c | 1 - + 10 files changed, 75 insertions(+), 109 deletions(-) + +diff --git a/cpus.c b/cpus.c +index b13112b8e2..7ea0d1c560 100644 +--- a/cpus.c ++++ b/cpus.c +@@ -1325,8 +1325,6 @@ static void prepare_icount_for_run(CPUState *cpu) + insns_left = MIN(0xffff, cpu->icount_budget); + cpu->icount_decr.u16.low = insns_left; + cpu->icount_extra = cpu->icount_budget - insns_left; +- +- replay_mutex_lock(); + } + } + +@@ -1342,8 +1340,6 @@ static void process_icount_data(CPUState *cpu) + cpu->icount_budget = 0; + + replay_account_executed_instructions(); +- +- replay_mutex_unlock(); + } + } + +@@ -1358,9 +1354,11 @@ static int tcg_cpu_exec(CPUState *cpu) + #ifdef CONFIG_PROFILER + ti = profile_getclock(); + #endif ++ qemu_mutex_unlock_iothread(); + cpu_exec_start(cpu); + ret = cpu_exec(cpu); + cpu_exec_end(cpu); ++ qemu_mutex_lock_iothread(); + #ifdef CONFIG_PROFILER + tcg_time += profile_getclock() - ti; + #endif +@@ -1427,9 +1425,6 @@ static void *qemu_tcg_rr_cpu_thread_fn(void *arg) + cpu->exit_request = 1; + + while (1) { +- qemu_mutex_unlock_iothread(); +- replay_mutex_lock(); +- qemu_mutex_lock_iothread(); + /* Account partial waits to QEMU_CLOCK_VIRTUAL. */ + qemu_account_warp_timer(); + +@@ -1438,8 +1433,6 @@ static void *qemu_tcg_rr_cpu_thread_fn(void *arg) + */ + handle_icount_deadline(); + +- replay_mutex_unlock(); +- + if (!cpu) { + cpu = first_cpu; + } +@@ -1455,13 +1448,11 @@ static void *qemu_tcg_rr_cpu_thread_fn(void *arg) + if (cpu_can_run(cpu)) { + int r; + +- qemu_mutex_unlock_iothread(); + prepare_icount_for_run(cpu); + + r = tcg_cpu_exec(cpu); + + process_icount_data(cpu); +- qemu_mutex_lock_iothread(); + + if (r == EXCP_DEBUG) { + cpu_handle_guest_debug(cpu); +@@ -1651,9 +1642,7 @@ static void *qemu_tcg_cpu_thread_fn(void *arg) + do { + if (cpu_can_run(cpu)) { + int r; +- qemu_mutex_unlock_iothread(); + r = tcg_cpu_exec(cpu); +- qemu_mutex_lock_iothread(); + switch (r) { + case EXCP_DEBUG: + cpu_handle_guest_debug(cpu); +@@ -1800,21 +1789,12 @@ void pause_all_vcpus(void) + } + } + +- /* We need to drop the replay_lock so any vCPU threads woken up +- * can finish their replay tasks +- */ +- replay_mutex_unlock(); +- + while (!all_vcpus_paused()) { + qemu_cond_wait(&qemu_pause_cond, &qemu_global_mutex); + CPU_FOREACH(cpu) { + qemu_cpu_kick(cpu); + } + } +- +- qemu_mutex_unlock_iothread(); +- replay_mutex_lock(); +- qemu_mutex_lock_iothread(); + } + + void cpu_resume(CPUState *cpu) +diff --git a/docs/replay.txt b/docs/replay.txt +index 2e21e9ccb0..91875db3cd 100644 +--- a/docs/replay.txt ++++ b/docs/replay.txt +@@ -68,28 +68,6 @@ Modifications of qemu include: + * block driver for making block layer deterministic + * serial port input record and replay + +-Locking and thread synchronisation +----------------------------------- +- +-Previously the synchronisation of the main thread and the vCPU thread +-was ensured by the holding of the BQL. However the trend has been to +-reduce the time the BQL was held across the system including under TCG +-system emulation. As it is important that batches of events are kept +-in sequence (e.g. expiring timers and checkpoints in the main thread +-while instruction checkpoints are written by the vCPU thread) we need +-another lock to keep things in lock-step. This role is now handled by +-the replay_mutex_lock. It used to be held only for each event being +-written but now it is held for a whole execution period. This results +-in a deterministic ping-pong between the two main threads. +- +-As the BQL is now a finer grained lock than the replay_lock it is almost +-certainly a bug, and a source of deadlocks, to take the +-replay_mutex_lock while the BQL is held. This is enforced by an assert. +-While the unlocks are usually in the reverse order, this is not +-necessary; you can drop the replay_lock while holding the BQL, without +-doing a more complicated unlock_iothread/replay_unlock/lock_iothread +-sequence. +- + Non-deterministic events + ------------------------ + +diff --git a/replay/replay-audio.c b/replay/replay-audio.c +index b113836de4..3d837434d4 100644 +--- a/replay/replay-audio.c ++++ b/replay/replay-audio.c +@@ -19,17 +19,20 @@ + void replay_audio_out(int *played) + { + if (replay_mode == REPLAY_MODE_RECORD) { +- g_assert(replay_mutex_locked()); + replay_save_instructions(); ++ replay_mutex_lock(); + replay_put_event(EVENT_AUDIO_OUT); + replay_put_dword(*played); ++ replay_mutex_unlock(); + } else if (replay_mode == REPLAY_MODE_PLAY) { +- g_assert(replay_mutex_locked()); + replay_account_executed_instructions(); ++ replay_mutex_lock(); + if (replay_next_event_is(EVENT_AUDIO_OUT)) { + *played = replay_get_dword(); + replay_finish_event(); ++ replay_mutex_unlock(); + } else { ++ replay_mutex_unlock(); + error_report("Missing audio out event in the replay log"); + abort(); + } +@@ -41,8 +44,8 @@ void replay_audio_in(int *recorded, void *samples, int *wpos, int size) + int pos; + uint64_t left, right; + if (replay_mode == REPLAY_MODE_RECORD) { +- g_assert(replay_mutex_locked()); + replay_save_instructions(); ++ replay_mutex_lock(); + replay_put_event(EVENT_AUDIO_IN); + replay_put_dword(*recorded); + replay_put_dword(*wpos); +@@ -52,9 +55,10 @@ void replay_audio_in(int *recorded, void *samples, int *wpos, int size) + replay_put_qword(left); + replay_put_qword(right); + } ++ replay_mutex_unlock(); + } else if (replay_mode == REPLAY_MODE_PLAY) { +- g_assert(replay_mutex_locked()); + replay_account_executed_instructions(); ++ replay_mutex_lock(); + if (replay_next_event_is(EVENT_AUDIO_IN)) { + *recorded = replay_get_dword(); + *wpos = replay_get_dword(); +@@ -65,7 +69,9 @@ void replay_audio_in(int *recorded, void *samples, int *wpos, int size) + audio_sample_from_uint64(samples, pos, left, right); + } + replay_finish_event(); ++ replay_mutex_unlock(); + } else { ++ replay_mutex_unlock(); + error_report("Missing audio in event in the replay log"); + abort(); + } +diff --git a/replay/replay-char.c b/replay/replay-char.c +index 736cc8c2e6..cbf7c04a9f 100755 +--- a/replay/replay-char.c ++++ b/replay/replay-char.c +@@ -96,24 +96,25 @@ void *replay_event_char_read_load(void) + + void replay_char_write_event_save(int res, int offset) + { +- g_assert(replay_mutex_locked()); +- + replay_save_instructions(); ++ replay_mutex_lock(); + replay_put_event(EVENT_CHAR_WRITE); + replay_put_dword(res); + replay_put_dword(offset); ++ replay_mutex_unlock(); + } + + void replay_char_write_event_load(int *res, int *offset) + { +- g_assert(replay_mutex_locked()); +- + replay_account_executed_instructions(); ++ replay_mutex_lock(); + if (replay_next_event_is(EVENT_CHAR_WRITE)) { + *res = replay_get_dword(); + *offset = replay_get_dword(); + replay_finish_event(); ++ replay_mutex_unlock(); + } else { ++ replay_mutex_unlock(); + error_report("Missing character write event in the replay log"); + exit(1); + } +@@ -121,21 +122,23 @@ void replay_char_write_event_load(int *res, int *offset) + + int replay_char_read_all_load(uint8_t *buf) + { +- g_assert(replay_mutex_locked()); +- ++ replay_mutex_lock(); + if (replay_next_event_is(EVENT_CHAR_READ_ALL)) { + size_t size; + int res; + replay_get_array(buf, &size); + replay_finish_event(); ++ replay_mutex_unlock(); + res = (int)size; + assert(res >= 0); + return res; + } else if (replay_next_event_is(EVENT_CHAR_READ_ALL_ERROR)) { + int res = replay_get_dword(); + replay_finish_event(); ++ replay_mutex_unlock(); + return res; + } else { ++ replay_mutex_unlock(); + error_report("Missing character read all event in the replay log"); + exit(1); + } +@@ -143,17 +146,19 @@ int replay_char_read_all_load(uint8_t *buf) + + void replay_char_read_all_save_error(int res) + { +- g_assert(replay_mutex_locked()); + assert(res < 0); + replay_save_instructions(); ++ replay_mutex_lock(); + replay_put_event(EVENT_CHAR_READ_ALL_ERROR); + replay_put_dword(res); ++ replay_mutex_unlock(); + } + + void replay_char_read_all_save_buf(uint8_t *buf, int offset) + { +- g_assert(replay_mutex_locked()); + replay_save_instructions(); ++ replay_mutex_lock(); + replay_put_event(EVENT_CHAR_READ_ALL); + replay_put_array(buf, offset); ++ replay_mutex_unlock(); + } +diff --git a/replay/replay-events.c b/replay/replay-events.c +index fc7d458b90..75d7e09ccc 100644 +--- a/replay/replay-events.c ++++ b/replay/replay-events.c +@@ -75,14 +75,16 @@ bool replay_has_events(void) + + void replay_flush_events(void) + { +- g_assert(replay_mutex_locked()); +- ++ replay_mutex_lock(); + while (!QTAILQ_EMPTY(&events_list)) { + Event *event = QTAILQ_FIRST(&events_list); ++ replay_mutex_unlock(); + replay_run_event(event); ++ replay_mutex_lock(); + QTAILQ_REMOVE(&events_list, event, events); + g_free(event); + } ++ replay_mutex_unlock(); + } + + void replay_disable_events(void) +@@ -96,14 +98,14 @@ void replay_disable_events(void) + + void replay_clear_events(void) + { +- g_assert(replay_mutex_locked()); +- ++ replay_mutex_lock(); + while (!QTAILQ_EMPTY(&events_list)) { + Event *event = QTAILQ_FIRST(&events_list); + QTAILQ_REMOVE(&events_list, event, events); + + g_free(event); + } ++ replay_mutex_unlock(); + } + + /*! Adds specified async event to the queue */ +@@ -130,8 +132,9 @@ void replay_add_event(ReplayAsyncEventKind event_kind, + event->opaque2 = opaque2; + event->id = id; + +- g_assert(replay_mutex_locked()); ++ replay_mutex_lock(); + QTAILQ_INSERT_TAIL(&events_list, event, events); ++ replay_mutex_unlock(); + } + + void replay_bh_schedule_event(QEMUBH *bh) +@@ -200,11 +203,13 @@ static void replay_save_event(Event *event, int checkpoint) + /* Called with replay mutex locked */ + void replay_save_events(int checkpoint) + { +- g_assert(replay_mutex_locked()); + while (!QTAILQ_EMPTY(&events_list)) { + Event *event = QTAILQ_FIRST(&events_list); + replay_save_event(event, checkpoint); ++ ++ replay_mutex_unlock(); + replay_run_event(event); ++ replay_mutex_lock(); + QTAILQ_REMOVE(&events_list, event, events); + g_free(event); + } +@@ -285,7 +290,6 @@ static Event *replay_read_event(int checkpoint) + /* Called with replay mutex locked */ + void replay_read_events(int checkpoint) + { +- g_assert(replay_mutex_locked()); + while (replay_state.data_kind == EVENT_ASYNC) { + Event *event = replay_read_event(checkpoint); + if (!event) { +@@ -294,6 +298,7 @@ void replay_read_events(int checkpoint) + replay_finish_event(); + replay_state.read_event_kind = -1; + replay_run_event(event); ++ replay_mutex_lock(); + + g_free(event); + } +diff --git a/replay/replay-internal.c b/replay/replay-internal.c +index 8e7474f787..fa7bba6dfd 100644 +--- a/replay/replay-internal.c ++++ b/replay/replay-internal.c +@@ -174,9 +174,6 @@ static __thread bool replay_locked; + void replay_mutex_init(void) + { + qemu_mutex_init(&lock); +- /* Hold the mutex while we start-up */ +- qemu_mutex_lock(&lock); +- replay_locked = true; + } + + bool replay_mutex_locked(void) +@@ -184,31 +181,25 @@ bool replay_mutex_locked(void) + return replay_locked; + } + +-/* Ordering constraints, replay_lock must be taken before BQL */ + void replay_mutex_lock(void) + { +- if (replay_mode != REPLAY_MODE_NONE) { +- g_assert(!qemu_mutex_iothread_locked()); +- g_assert(!replay_mutex_locked()); +- qemu_mutex_lock(&lock); +- replay_locked = true; +- } ++ g_assert(!replay_mutex_locked()); ++ qemu_mutex_lock(&lock); ++ replay_locked = true; + } + + void replay_mutex_unlock(void) + { +- if (replay_mode != REPLAY_MODE_NONE) { +- g_assert(replay_mutex_locked()); +- replay_locked = false; +- qemu_mutex_unlock(&lock); +- } ++ g_assert(replay_mutex_locked()); ++ replay_locked = false; ++ qemu_mutex_unlock(&lock); + } + + /*! Saves cached instructions. */ + void replay_save_instructions(void) + { + if (replay_file && replay_mode == REPLAY_MODE_RECORD) { +- g_assert(replay_mutex_locked()); ++ replay_mutex_lock(); + int diff = (int)(replay_get_current_step() - replay_state.current_step); + + /* Time can only go forward */ +@@ -219,5 +210,6 @@ void replay_save_instructions(void) + replay_put_dword(diff); + replay_state.current_step += diff; + } ++ replay_mutex_unlock(); + } + } +diff --git a/replay/replay-time.c b/replay/replay-time.c +index 6a7565ec8d..f70382a88f 100644 +--- a/replay/replay-time.c ++++ b/replay/replay-time.c +@@ -17,13 +17,13 @@ + + int64_t replay_save_clock(ReplayClockKind kind, int64_t clock) + { ++ replay_save_instructions(); + + if (replay_file) { +- g_assert(replay_mutex_locked()); +- +- replay_save_instructions(); ++ replay_mutex_lock(); + replay_put_event(EVENT_CLOCK + kind); + replay_put_qword(clock); ++ replay_mutex_unlock(); + } + + return clock; +@@ -46,16 +46,16 @@ void replay_read_next_clock(ReplayClockKind kind) + /*! Reads next clock event from the input. */ + int64_t replay_read_clock(ReplayClockKind kind) + { +- g_assert(replay_file && replay_mutex_locked()); +- + replay_account_executed_instructions(); + + if (replay_file) { + int64_t ret; ++ replay_mutex_lock(); + if (replay_next_event_is(EVENT_CLOCK + kind)) { + replay_read_next_clock(kind); + } + ret = replay_state.cached_clock[kind]; ++ replay_mutex_unlock(); + + return ret; + } +diff --git a/replay/replay.c b/replay/replay.c +index 90f98b7490..5d05ee0460 100644 +--- a/replay/replay.c ++++ b/replay/replay.c +@@ -81,7 +81,7 @@ int replay_get_instructions(void) + void replay_account_executed_instructions(void) + { + if (replay_mode == REPLAY_MODE_PLAY) { +- g_assert(replay_mutex_locked()); ++ replay_mutex_lock(); + if (replay_state.instructions_count > 0) { + int count = (int)(replay_get_current_step() + - replay_state.current_step); +@@ -100,22 +100,24 @@ void replay_account_executed_instructions(void) + qemu_notify_event(); + } + } ++ replay_mutex_unlock(); + } + } + + bool replay_exception(void) + { +- + if (replay_mode == REPLAY_MODE_RECORD) { +- g_assert(replay_mutex_locked()); + replay_save_instructions(); ++ replay_mutex_lock(); + replay_put_event(EVENT_EXCEPTION); ++ replay_mutex_unlock(); + return true; + } else if (replay_mode == REPLAY_MODE_PLAY) { +- g_assert(replay_mutex_locked()); + bool res = replay_has_exception(); + if (res) { ++ replay_mutex_lock(); + replay_finish_event(); ++ replay_mutex_unlock(); + } + return res; + } +@@ -127,9 +129,10 @@ bool replay_has_exception(void) + { + bool res = false; + if (replay_mode == REPLAY_MODE_PLAY) { +- g_assert(replay_mutex_locked()); + replay_account_executed_instructions(); ++ replay_mutex_lock(); + res = replay_next_event_is(EVENT_EXCEPTION); ++ replay_mutex_unlock(); + } + + return res; +@@ -138,15 +141,17 @@ bool replay_has_exception(void) + bool replay_interrupt(void) + { + if (replay_mode == REPLAY_MODE_RECORD) { +- g_assert(replay_mutex_locked()); + replay_save_instructions(); ++ replay_mutex_lock(); + replay_put_event(EVENT_INTERRUPT); ++ replay_mutex_unlock(); + return true; + } else if (replay_mode == REPLAY_MODE_PLAY) { +- g_assert(replay_mutex_locked()); + bool res = replay_has_interrupt(); + if (res) { ++ replay_mutex_lock(); + replay_finish_event(); ++ replay_mutex_unlock(); + } + return res; + } +@@ -158,9 +163,10 @@ bool replay_has_interrupt(void) + { + bool res = false; + if (replay_mode == REPLAY_MODE_PLAY) { +- g_assert(replay_mutex_locked()); + replay_account_executed_instructions(); ++ replay_mutex_lock(); + res = replay_next_event_is(EVENT_INTERRUPT); ++ replay_mutex_unlock(); + } + return res; + } +@@ -168,8 +174,9 @@ bool replay_has_interrupt(void) + void replay_shutdown_request(ShutdownCause cause) + { + if (replay_mode == REPLAY_MODE_RECORD) { +- g_assert(replay_mutex_locked()); ++ replay_mutex_lock(); + replay_put_event(EVENT_SHUTDOWN + cause); ++ replay_mutex_unlock(); + } + } + +@@ -183,9 +190,9 @@ bool replay_checkpoint(ReplayCheckpoint checkpoint) + return true; + } + ++ replay_mutex_lock(); + + if (replay_mode == REPLAY_MODE_PLAY) { +- g_assert(replay_mutex_locked()); + if (replay_next_event_is(EVENT_CHECKPOINT + checkpoint)) { + replay_finish_event(); + } else if (replay_state.data_kind != EVENT_ASYNC) { +@@ -198,12 +205,12 @@ bool replay_checkpoint(ReplayCheckpoint checkpoint) + checkpoint were processed */ + res = replay_state.data_kind != EVENT_ASYNC; + } else if (replay_mode == REPLAY_MODE_RECORD) { +- g_assert(replay_mutex_locked()); + replay_put_event(EVENT_CHECKPOINT + checkpoint); + replay_save_events(checkpoint); + res = true; + } + out: ++ replay_mutex_unlock(); + return res; + } + +@@ -226,6 +233,8 @@ static void replay_enable(const char *fname, int mode) + + atexit(replay_finish); + ++ replay_mutex_init(); ++ + replay_file = fopen(fname, fmode); + if (replay_file == NULL) { + fprintf(stderr, "Replay: open %s: %s\n", fname, strerror(errno)); +@@ -233,9 +242,8 @@ static void replay_enable(const char *fname, int mode) + } + + replay_filename = g_strdup(fname); +- replay_mode = mode; +- replay_mutex_init(); + ++ replay_mode = mode; + replay_state.data_kind = -1; + replay_state.instructions_count = 0; + replay_state.current_step = 0; +diff --git a/util/main-loop.c b/util/main-loop.c +index 992f9b0f34..7558eb5f53 100644 +--- a/util/main-loop.c ++++ b/util/main-loop.c +@@ -29,7 +29,6 @@ + #include "qemu/sockets.h" // struct in_addr needed for libslirp.h + #include "sysemu/qtest.h" + #include "sysemu/cpus.h" +-#include "sysemu/replay.h" + #include "slirp/libslirp.h" + #include "qemu/main-loop.h" + #include "block/aio.h" +@@ -246,19 +245,18 @@ static int os_host_main_loop_wait(int64_t timeout) + timeout = SCALE_MS; + } + +- + if (timeout) { + spin_counter = 0; ++ qemu_mutex_unlock_iothread(); + } else { + spin_counter++; + } +- qemu_mutex_unlock_iothread(); +- replay_mutex_unlock(); + + ret = qemu_poll_ns((GPollFD *)gpollfds->data, gpollfds->len, timeout); + +- replay_mutex_lock(); +- qemu_mutex_lock_iothread(); ++ if (timeout) { ++ qemu_mutex_lock_iothread(); ++ } + + glib_pollfds_poll(); + +@@ -465,13 +463,8 @@ static int os_host_main_loop_wait(int64_t timeout) + poll_timeout_ns = qemu_soonest_timeout(poll_timeout_ns, timeout); + + qemu_mutex_unlock_iothread(); +- +- replay_mutex_unlock(); +- + g_poll_ret = qemu_poll_ns(poll_fds, n_poll_fds + w->num, poll_timeout_ns); + +- replay_mutex_lock(); +- + qemu_mutex_lock_iothread(); + if (g_poll_ret > 0) { + for (i = 0; i < w->num; i++) { +diff --git a/vl.c b/vl.c +index c00a250831..7b55c5ae7f 100644 +--- a/vl.c ++++ b/vl.c +@@ -3066,7 +3066,6 @@ int main(int argc, char **argv, char **envp) + + qemu_init_cpu_list(); + qemu_init_cpu_loop(); +- + qemu_mutex_lock_iothread(); + + /* diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes index 22df5b6e..4d334f16 100644 --- a/qemu-linux-user.changes +++ b/qemu-linux-user.changes @@ -1,3 +1,44 @@ +------------------------------------------------------------------- +Fri May 25 15:13:19 UTC 2018 - brogers@suse.com + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.12 +* Patches added: + 0062-i386-define-the-ssbd-CPUID-feature-.patch + 0063-i386-Define-the-Virt-SSBD-MSR-and-h.patch + 0064-i386-define-the-AMD-virt-ssbd-CPUID.patch + 0065-Revert-replay-don-t-process-async-e.patch + 0066-Revert-replay-avoid-recursive-call-.patch + 0067-Revert-replay-check-return-values-o.patch + 0068-Revert-replay-push-replay_mutex_loc.patch + +------------------------------------------------------------------- +Thu May 17 13:28:41 UTC 2018 - brogers@suse.com + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.12 +* Patches added: + 0040-device_tree-Increase-FDT_MAX_SIZE-t.patch + 0041-vnc-fix-use-after-free.patch + 0042-ccid-Fix-dwProtocols-advertisement-.patch + 0043-tcg-arm-Fix-memory-barrier-encoding.patch + 0044-s390-ccw-force-diag-308-subcode-to-.patch + 0045-nbd-client-fix-nbd_negotiate_simple.patch + 0046-migration-block-dirty-bitmap-fix-me.patch + 0047-nbd-client-Fix-error-messages-durin.patch + 0048-nbd-client-Relax-handling-of-large-.patch + 0049-qxl-fix-local-renderer-crash.patch + 0050-tcg-Limit-the-number-of-ops-in-a-TB.patch + 0051-target-arm-Clear-SVE-high-bits-for-.patch + 0052-cpus-tcg-fix-never-exiting-loop-on-.patch + 0053-s390x-css-disabled-subchannels-cann.patch + 0054-pc-bios-s390-ccw-struct-tpi_info-mu.patch + 0055-virtio-ccw-common-reset-handler.patch + 0056-s390x-ccw-make-sure-all-ccw-devices.patch + 0057-blockjob-expose-error-string-via-qu.patch + 0058-blockjob-Fix-assertion-in-block_job.patch + 0059-qemu-io-Use-purely-string-blockdev-.patch + 0060-qemu-img-Use-only-string-options-in.patch + 0061-nfs-Remove-processed-options-from-Q.patch + ------------------------------------------------------------------- Fri Apr 27 20:54:16 UTC 2018 - brogers@suse.com diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec index 76a3b9a4..b2e69fc4 100644 --- a/qemu-linux-user.spec +++ b/qemu-linux-user.spec @@ -65,6 +65,35 @@ Patch0036: 0036-Remove-problematic-evdev-86-key-fro.patch Patch0037: 0037-configure-Modify-python-used-for-io.patch Patch0038: 0038-qemu-io-tests-comment-out-problemat.patch Patch0039: 0039-tests-test-thread-pool-is-racy-add-.patch +Patch0040: 0040-device_tree-Increase-FDT_MAX_SIZE-t.patch +Patch0041: 0041-vnc-fix-use-after-free.patch +Patch0042: 0042-ccid-Fix-dwProtocols-advertisement-.patch +Patch0043: 0043-tcg-arm-Fix-memory-barrier-encoding.patch +Patch0044: 0044-s390-ccw-force-diag-308-subcode-to-.patch +Patch0045: 0045-nbd-client-fix-nbd_negotiate_simple.patch +Patch0046: 0046-migration-block-dirty-bitmap-fix-me.patch +Patch0047: 0047-nbd-client-Fix-error-messages-durin.patch +Patch0048: 0048-nbd-client-Relax-handling-of-large-.patch +Patch0049: 0049-qxl-fix-local-renderer-crash.patch +Patch0050: 0050-tcg-Limit-the-number-of-ops-in-a-TB.patch +Patch0051: 0051-target-arm-Clear-SVE-high-bits-for-.patch +Patch0052: 0052-cpus-tcg-fix-never-exiting-loop-on-.patch +Patch0053: 0053-s390x-css-disabled-subchannels-cann.patch +Patch0054: 0054-pc-bios-s390-ccw-struct-tpi_info-mu.patch +Patch0055: 0055-virtio-ccw-common-reset-handler.patch +Patch0056: 0056-s390x-ccw-make-sure-all-ccw-devices.patch +Patch0057: 0057-blockjob-expose-error-string-via-qu.patch +Patch0058: 0058-blockjob-Fix-assertion-in-block_job.patch +Patch0059: 0059-qemu-io-Use-purely-string-blockdev-.patch +Patch0060: 0060-qemu-img-Use-only-string-options-in.patch +Patch0061: 0061-nfs-Remove-processed-options-from-Q.patch +Patch0062: 0062-i386-define-the-ssbd-CPUID-feature-.patch +Patch0063: 0063-i386-Define-the-Virt-SSBD-MSR-and-h.patch +Patch0064: 0064-i386-define-the-AMD-virt-ssbd-CPUID.patch +Patch0065: 0065-Revert-replay-don-t-process-async-e.patch +Patch0066: 0066-Revert-replay-avoid-recursive-call-.patch +Patch0067: 0067-Revert-replay-check-return-values-o.patch +Patch0068: 0068-Revert-replay-push-replay_mutex_loc.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. Source400: update_git.sh @@ -137,6 +166,35 @@ syscall layer occurs on the native hardware and operating system. %patch0037 -p1 %patch0038 -p1 %patch0039 -p1 +%patch0040 -p1 +%patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 +%patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 +%patch0049 -p1 +%patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 +%patch0054 -p1 +%patch0055 -p1 +%patch0056 -p1 +%patch0057 -p1 +%patch0058 -p1 +%patch0059 -p1 +%patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 +%patch0064 -p1 +%patch0065 -p1 +%patch0066 -p1 +%patch0067 -p1 +%patch0068 -p1 %build ./configure \ @@ -261,7 +319,8 @@ install -m 755 scripts/qemu-binfmt-conf.sh %{buildroot}%_sbindir %files %defattr(-, root, root) -%doc COPYING COPYING.LIB COPYING.PYTHON Changelog README VERSION LICENSE +%doc Changelog README VERSION +%license COPYING COPYING.LIB COPYING.PYTHON LICENSE %_bindir/qemu-aarch64 %_bindir/qemu-aarch64_be %_bindir/qemu-alpha diff --git a/qemu-linux-user.spec.in b/qemu-linux-user.spec.in index a801886e..4a7a5497 100644 --- a/qemu-linux-user.spec.in +++ b/qemu-linux-user.spec.in @@ -185,7 +185,8 @@ install -m 755 scripts/qemu-binfmt-conf.sh %{buildroot}%_sbindir %files %defattr(-, root, root) -%doc COPYING COPYING.LIB COPYING.PYTHON Changelog README VERSION LICENSE +%doc Changelog README VERSION +%license COPYING COPYING.LIB COPYING.PYTHON LICENSE %_bindir/qemu-aarch64 %_bindir/qemu-aarch64_be %_bindir/qemu-alpha diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes index 4c49c89c..8e2a7773 100644 --- a/qemu-testsuite.changes +++ b/qemu-testsuite.changes @@ -1,3 +1,68 @@ +------------------------------------------------------------------- +Fri May 25 15:13:16 UTC 2018 - brogers@suse.com + +- Spectre v4 vulnerability mitigation support for KVM guests. + High level description of vulnerability: Systems with microprocessors + utilizing speculative execution and speculative execution of memory + reads before the addresses of all prior memory writes are known may + allow unauthorized disclosure of information to an attacker with + local user access via a side-channel analysis. + This change permits the new x86 cpu feature flag named "ssbd" to be + presented to the guest, given that the host has this feature, and + KVM exposes it to the guest as well. + For this feature to be enabled, via adding it to the qemu commandline + (eg: -cpu ,+spec-ctrl,+ssbd), so the guest OS can take advantage + of the feature, spec-ctrl and ssbd support is also required in the host. + Another new x86 cpu feature flag named "virt-ssbd" is also added to + handle this vulnerability for AMD processors. + (CVE-2018-3639 bsc#1092885) + 0062-i386-define-the-ssbd-CPUID-feature-.patch + 0063-i386-Define-the-Virt-SSBD-MSR-and-h.patch + 0064-i386-define-the-AMD-virt-ssbd-CPUID.patch +- Replay code introduced an issue for AHCI emulation, where on Windows 10 + I/O would stop randomly, and Windows would then reset the AHCI device. + The issue is not yet fully identified, but reverting some of those + changes is at least for now a workaround. (bsc#1094406) + 0065-Revert-replay-don-t-process-async-e.patch + 0066-Revert-replay-avoid-recursive-call-.patch + 0067-Revert-replay-check-return-values-o.patch + 0068-Revert-replay-push-replay_mutex_loc.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.12 + +------------------------------------------------------------------- +Thu May 17 13:28:37 UTC 2018 - brogers@suse.com + +- Add some upstream fixes targeted for the next stable release + 0040-device_tree-Increase-FDT_MAX_SIZE-t.patch + 0041-vnc-fix-use-after-free.patch + 0042-ccid-Fix-dwProtocols-advertisement-.patch + 0043-tcg-arm-Fix-memory-barrier-encoding.patch + 0044-s390-ccw-force-diag-308-subcode-to-.patch + 0045-nbd-client-fix-nbd_negotiate_simple.patch + 0046-migration-block-dirty-bitmap-fix-me.patch + 0047-nbd-client-Fix-error-messages-durin.patch + 0048-nbd-client-Relax-handling-of-large-.patch + 0049-qxl-fix-local-renderer-crash.patch + 0050-tcg-Limit-the-number-of-ops-in-a-TB.patch + 0051-target-arm-Clear-SVE-high-bits-for-.patch + 0052-cpus-tcg-fix-never-exiting-loop-on-.patch + 0053-s390x-css-disabled-subchannels-cann.patch + 0054-pc-bios-s390-ccw-struct-tpi_info-mu.patch + 0055-virtio-ccw-common-reset-handler.patch + 0056-s390x-ccw-make-sure-all-ccw-devices.patch + 0057-blockjob-expose-error-string-via-qu.patch + 0058-blockjob-Fix-assertion-in-block_job.patch + 0059-qemu-io-Use-purely-string-blockdev-.patch + 0060-qemu-img-Use-only-string-options-in.patch + 0061-nfs-Remove-processed-options-from-Q.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.12 + +------------------------------------------------------------------- +Wed May 16 21:49:16 UTC 2018 - brogers@suse.com + +- Fix qemu-guest-agent uninstall (bsc#1093169) +- Minor tweak to qemu spec file + ------------------------------------------------------------------- Fri Apr 27 20:54:01 UTC 2018 - brogers@suse.com diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index 74ca605f..a216f6c6 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec @@ -169,6 +169,35 @@ Patch0036: 0036-Remove-problematic-evdev-86-key-fro.patch Patch0037: 0037-configure-Modify-python-used-for-io.patch Patch0038: 0038-qemu-io-tests-comment-out-problemat.patch Patch0039: 0039-tests-test-thread-pool-is-racy-add-.patch +Patch0040: 0040-device_tree-Increase-FDT_MAX_SIZE-t.patch +Patch0041: 0041-vnc-fix-use-after-free.patch +Patch0042: 0042-ccid-Fix-dwProtocols-advertisement-.patch +Patch0043: 0043-tcg-arm-Fix-memory-barrier-encoding.patch +Patch0044: 0044-s390-ccw-force-diag-308-subcode-to-.patch +Patch0045: 0045-nbd-client-fix-nbd_negotiate_simple.patch +Patch0046: 0046-migration-block-dirty-bitmap-fix-me.patch +Patch0047: 0047-nbd-client-Fix-error-messages-durin.patch +Patch0048: 0048-nbd-client-Relax-handling-of-large-.patch +Patch0049: 0049-qxl-fix-local-renderer-crash.patch +Patch0050: 0050-tcg-Limit-the-number-of-ops-in-a-TB.patch +Patch0051: 0051-target-arm-Clear-SVE-high-bits-for-.patch +Patch0052: 0052-cpus-tcg-fix-never-exiting-loop-on-.patch +Patch0053: 0053-s390x-css-disabled-subchannels-cann.patch +Patch0054: 0054-pc-bios-s390-ccw-struct-tpi_info-mu.patch +Patch0055: 0055-virtio-ccw-common-reset-handler.patch +Patch0056: 0056-s390x-ccw-make-sure-all-ccw-devices.patch +Patch0057: 0057-blockjob-expose-error-string-via-qu.patch +Patch0058: 0058-blockjob-Fix-assertion-in-block_job.patch +Patch0059: 0059-qemu-io-Use-purely-string-blockdev-.patch +Patch0060: 0060-qemu-img-Use-only-string-options-in.patch +Patch0061: 0061-nfs-Remove-processed-options-from-Q.patch +Patch0062: 0062-i386-define-the-ssbd-CPUID-feature-.patch +Patch0063: 0063-i386-Define-the-Virt-SSBD-MSR-and-h.patch +Patch0064: 0064-i386-define-the-AMD-virt-ssbd-CPUID.patch +Patch0065: 0065-Revert-replay-don-t-process-async-e.patch +Patch0066: 0066-Revert-replay-avoid-recursive-call-.patch +Patch0067: 0067-Revert-replay-check-return-values-o.patch +Patch0068: 0068-Revert-replay-push-replay_mutex_loc.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -342,30 +371,30 @@ BuildRequires: zlib-devel BuildRequires: python-base %endif BuildRequires: bc -BuildRequires: qemu-arm = %version -BuildRequires: qemu-block-curl = %version -BuildRequires: qemu-block-dmg = %version -BuildRequires: qemu-extra = %version -BuildRequires: qemu-guest-agent = %version -BuildRequires: qemu-ppc = %version -BuildRequires: qemu-s390 = %version -BuildRequires: qemu-tools = %version -BuildRequires: qemu-ui-curses = %version -BuildRequires: qemu-ui-gtk = %version +BuildRequires: qemu-arm = %{version} +BuildRequires: qemu-block-curl = %{version} +BuildRequires: qemu-block-dmg = %{version} +BuildRequires: qemu-extra = %{version} +BuildRequires: qemu-guest-agent = %{version} +BuildRequires: qemu-ppc = %{version} +BuildRequires: qemu-s390 = %{version} +BuildRequires: qemu-tools = %{version} +BuildRequires: qemu-ui-curses = %{version} +BuildRequires: qemu-ui-gtk = %{version} %if 0%{?is_opensuse} -BuildRequires: qemu-ui-sdl = %version +BuildRequires: qemu-ui-sdl = %{version} %endif -BuildRequires: qemu-x86 = %version +BuildRequires: qemu-x86 = %{version} %if 0%{?with_glusterfs} -BuildRequires: qemu-block-gluster = %version +BuildRequires: qemu-block-gluster = %{version} %endif %if 0%{?suse_version} > 1320 || ( 0%{?suse_version} == 1315 && 0%{?sle_version} > 120100 ) -BuildRequires: qemu-block-iscsi = %version +BuildRequires: qemu-block-iscsi = %{version} %endif %if 0%{?with_rbd} -BuildRequires: qemu-block-rbd = %version +BuildRequires: qemu-block-rbd = %{version} %endif -BuildRequires: qemu-block-ssh = %version +BuildRequires: qemu-block-ssh = %{version} %endif Requires(pre): shadow Requires(post): coreutils @@ -487,7 +516,7 @@ This package acts as an umbrella package to the other QEMU sub-packages. %package x86 Summary: Machine emulator and virtualizer for x86 architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} Requires: qemu-ipxe Requires: qemu-seabios Requires: qemu-sgabios @@ -507,7 +536,7 @@ This package provides i386 and x86_64 emulation. %package ppc Summary: Machine emulator and virtualizer for Power architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} Recommends: qemu-ipxe Recommends: qemu-vgabios @@ -523,7 +552,7 @@ This package provides ppc and ppc64 emulation. %package s390 Summary: Machine emulator and virtualizer for S/390 architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} %description s390 QEMU provides full machine emulation and cross architecture usage. It closely @@ -537,7 +566,7 @@ This package provides s390x emulation. %package arm Summary: Machine emulator and virtualizer for ARM architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} Recommends: qemu-ipxe Recommends: qemu-vgabios Recommends: ovmf @@ -555,7 +584,7 @@ This package provides arm emulation. %package extra Summary: Machine emulator and virtualizer for "extra" architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} Recommends: qemu-ipxe Recommends: qemu-vgabios @@ -576,13 +605,13 @@ Url: http://www.linux-kvm.org Summary: Wrapper to enable KVM acceleration under QEMU Group: System/Emulators/PC %ifarch %ix86 x86_64 -Requires: qemu-x86 = %version +Requires: qemu-x86 = %{version} %endif %ifarch s390x -Requires: qemu-s390 = %version +Requires: qemu-s390 = %{version} %endif -Provides: kvm = %version -Obsoletes: kvm < %version +Provides: kvm = %{version} +Obsoletes: kvm < %{version} %description kvm QEMU provides full machine emulation and cross architecture usage. It closely @@ -612,10 +641,10 @@ in QEMU are not localized. # Nor can we have modules require the right version of qemu and qemu-tools # as Xen reuses our qemu-tools but does not want our qemu and qemu-x86. %define qemu_module_conflicts \ -Conflicts: qemu < %version-%release \ -Conflicts: qemu > %version-%release \ -Conflicts: qemu-tools < %version-%release \ -Conflicts: qemu-tools > %version-%release +Conflicts: qemu < %{version}-%{release} \ +Conflicts: qemu > %{version}-%{release} \ +Conflicts: qemu-tools < %{version}-%{release} \ +Conflicts: qemu-tools > %{version}-%{release} %package block-curl Summary: cURL block support for QEMU @@ -876,6 +905,35 @@ This package provides a service file for starting and stopping KSM. %patch0037 -p1 %patch0038 -p1 %patch0039 -p1 +%patch0040 -p1 +%patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 +%patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 +%patch0049 -p1 +%patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 +%patch0054 -p1 +%patch0055 -p1 +%patch0056 -p1 +%patch0057 -p1 +%patch0058 -p1 +%patch0059 -p1 +%patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 +%patch0064 -p1 +%patch0065 -p1 +%patch0066 -p1 +%patch0067 -p1 +%patch0068 -p1 %if 0%{?suse_version} > 1320 %patch1000 -p1 @@ -1327,15 +1385,17 @@ fi %{_bindir}/getent group kvm >/dev/null || %{_sbindir}/groupadd -r kvm %service_add_pre qemu-ga@.service -%preun guest-agent -%service_del_preun qemu-ga@.service - %post guest-agent %service_add_post qemu-ga@.service if [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ]; then /usr/bin/systemctl start qemu-ga@virtio\\x2dports-org.qemu.guest_agent.0.service || : fi +%preun guest-agent +if [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ]; then + /usr/bin/systemctl stop qemu-ga@virtio\\x2dports-org.qemu.guest_agent.0.service || : +fi + %postun guest-agent %service_del_postun qemu-ga@.service @@ -1358,7 +1418,8 @@ fi %files %defattr(-, root, root) %if "%{name}" != "qemu-testsuite" -%doc COPYING COPYING.LIB COPYING.PYTHON Changelog README VERSION LICENSE +%doc Changelog README VERSION +%license COPYING COPYING.LIB COPYING.PYTHON LICENSE %_docdir/%name/qemu-doc.txt %_docdir/%name/qemu-doc.html %_docdir/%name/qemu-qmp-ref.txt diff --git a/qemu.changes b/qemu.changes index 4c49c89c..8e2a7773 100644 --- a/qemu.changes +++ b/qemu.changes @@ -1,3 +1,68 @@ +------------------------------------------------------------------- +Fri May 25 15:13:16 UTC 2018 - brogers@suse.com + +- Spectre v4 vulnerability mitigation support for KVM guests. + High level description of vulnerability: Systems with microprocessors + utilizing speculative execution and speculative execution of memory + reads before the addresses of all prior memory writes are known may + allow unauthorized disclosure of information to an attacker with + local user access via a side-channel analysis. + This change permits the new x86 cpu feature flag named "ssbd" to be + presented to the guest, given that the host has this feature, and + KVM exposes it to the guest as well. + For this feature to be enabled, via adding it to the qemu commandline + (eg: -cpu ,+spec-ctrl,+ssbd), so the guest OS can take advantage + of the feature, spec-ctrl and ssbd support is also required in the host. + Another new x86 cpu feature flag named "virt-ssbd" is also added to + handle this vulnerability for AMD processors. + (CVE-2018-3639 bsc#1092885) + 0062-i386-define-the-ssbd-CPUID-feature-.patch + 0063-i386-Define-the-Virt-SSBD-MSR-and-h.patch + 0064-i386-define-the-AMD-virt-ssbd-CPUID.patch +- Replay code introduced an issue for AHCI emulation, where on Windows 10 + I/O would stop randomly, and Windows would then reset the AHCI device. + The issue is not yet fully identified, but reverting some of those + changes is at least for now a workaround. (bsc#1094406) + 0065-Revert-replay-don-t-process-async-e.patch + 0066-Revert-replay-avoid-recursive-call-.patch + 0067-Revert-replay-check-return-values-o.patch + 0068-Revert-replay-push-replay_mutex_loc.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.12 + +------------------------------------------------------------------- +Thu May 17 13:28:37 UTC 2018 - brogers@suse.com + +- Add some upstream fixes targeted for the next stable release + 0040-device_tree-Increase-FDT_MAX_SIZE-t.patch + 0041-vnc-fix-use-after-free.patch + 0042-ccid-Fix-dwProtocols-advertisement-.patch + 0043-tcg-arm-Fix-memory-barrier-encoding.patch + 0044-s390-ccw-force-diag-308-subcode-to-.patch + 0045-nbd-client-fix-nbd_negotiate_simple.patch + 0046-migration-block-dirty-bitmap-fix-me.patch + 0047-nbd-client-Fix-error-messages-durin.patch + 0048-nbd-client-Relax-handling-of-large-.patch + 0049-qxl-fix-local-renderer-crash.patch + 0050-tcg-Limit-the-number-of-ops-in-a-TB.patch + 0051-target-arm-Clear-SVE-high-bits-for-.patch + 0052-cpus-tcg-fix-never-exiting-loop-on-.patch + 0053-s390x-css-disabled-subchannels-cann.patch + 0054-pc-bios-s390-ccw-struct-tpi_info-mu.patch + 0055-virtio-ccw-common-reset-handler.patch + 0056-s390x-ccw-make-sure-all-ccw-devices.patch + 0057-blockjob-expose-error-string-via-qu.patch + 0058-blockjob-Fix-assertion-in-block_job.patch + 0059-qemu-io-Use-purely-string-blockdev-.patch + 0060-qemu-img-Use-only-string-options-in.patch + 0061-nfs-Remove-processed-options-from-Q.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.12 + +------------------------------------------------------------------- +Wed May 16 21:49:16 UTC 2018 - brogers@suse.com + +- Fix qemu-guest-agent uninstall (bsc#1093169) +- Minor tweak to qemu spec file + ------------------------------------------------------------------- Fri Apr 27 20:54:01 UTC 2018 - brogers@suse.com diff --git a/qemu.spec b/qemu.spec index 1f222618..db50314d 100644 --- a/qemu.spec +++ b/qemu.spec @@ -169,6 +169,35 @@ Patch0036: 0036-Remove-problematic-evdev-86-key-fro.patch Patch0037: 0037-configure-Modify-python-used-for-io.patch Patch0038: 0038-qemu-io-tests-comment-out-problemat.patch Patch0039: 0039-tests-test-thread-pool-is-racy-add-.patch +Patch0040: 0040-device_tree-Increase-FDT_MAX_SIZE-t.patch +Patch0041: 0041-vnc-fix-use-after-free.patch +Patch0042: 0042-ccid-Fix-dwProtocols-advertisement-.patch +Patch0043: 0043-tcg-arm-Fix-memory-barrier-encoding.patch +Patch0044: 0044-s390-ccw-force-diag-308-subcode-to-.patch +Patch0045: 0045-nbd-client-fix-nbd_negotiate_simple.patch +Patch0046: 0046-migration-block-dirty-bitmap-fix-me.patch +Patch0047: 0047-nbd-client-Fix-error-messages-durin.patch +Patch0048: 0048-nbd-client-Relax-handling-of-large-.patch +Patch0049: 0049-qxl-fix-local-renderer-crash.patch +Patch0050: 0050-tcg-Limit-the-number-of-ops-in-a-TB.patch +Patch0051: 0051-target-arm-Clear-SVE-high-bits-for-.patch +Patch0052: 0052-cpus-tcg-fix-never-exiting-loop-on-.patch +Patch0053: 0053-s390x-css-disabled-subchannels-cann.patch +Patch0054: 0054-pc-bios-s390-ccw-struct-tpi_info-mu.patch +Patch0055: 0055-virtio-ccw-common-reset-handler.patch +Patch0056: 0056-s390x-ccw-make-sure-all-ccw-devices.patch +Patch0057: 0057-blockjob-expose-error-string-via-qu.patch +Patch0058: 0058-blockjob-Fix-assertion-in-block_job.patch +Patch0059: 0059-qemu-io-Use-purely-string-blockdev-.patch +Patch0060: 0060-qemu-img-Use-only-string-options-in.patch +Patch0061: 0061-nfs-Remove-processed-options-from-Q.patch +Patch0062: 0062-i386-define-the-ssbd-CPUID-feature-.patch +Patch0063: 0063-i386-Define-the-Virt-SSBD-MSR-and-h.patch +Patch0064: 0064-i386-define-the-AMD-virt-ssbd-CPUID.patch +Patch0065: 0065-Revert-replay-don-t-process-async-e.patch +Patch0066: 0066-Revert-replay-avoid-recursive-call-.patch +Patch0067: 0067-Revert-replay-check-return-values-o.patch +Patch0068: 0068-Revert-replay-push-replay_mutex_loc.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -342,30 +371,30 @@ BuildRequires: zlib-devel BuildRequires: python-base %endif BuildRequires: bc -BuildRequires: qemu-arm = %version -BuildRequires: qemu-block-curl = %version -BuildRequires: qemu-block-dmg = %version -BuildRequires: qemu-extra = %version -BuildRequires: qemu-guest-agent = %version -BuildRequires: qemu-ppc = %version -BuildRequires: qemu-s390 = %version -BuildRequires: qemu-tools = %version -BuildRequires: qemu-ui-curses = %version -BuildRequires: qemu-ui-gtk = %version +BuildRequires: qemu-arm = %{version} +BuildRequires: qemu-block-curl = %{version} +BuildRequires: qemu-block-dmg = %{version} +BuildRequires: qemu-extra = %{version} +BuildRequires: qemu-guest-agent = %{version} +BuildRequires: qemu-ppc = %{version} +BuildRequires: qemu-s390 = %{version} +BuildRequires: qemu-tools = %{version} +BuildRequires: qemu-ui-curses = %{version} +BuildRequires: qemu-ui-gtk = %{version} %if 0%{?is_opensuse} -BuildRequires: qemu-ui-sdl = %version +BuildRequires: qemu-ui-sdl = %{version} %endif -BuildRequires: qemu-x86 = %version +BuildRequires: qemu-x86 = %{version} %if 0%{?with_glusterfs} -BuildRequires: qemu-block-gluster = %version +BuildRequires: qemu-block-gluster = %{version} %endif %if 0%{?suse_version} > 1320 || ( 0%{?suse_version} == 1315 && 0%{?sle_version} > 120100 ) -BuildRequires: qemu-block-iscsi = %version +BuildRequires: qemu-block-iscsi = %{version} %endif %if 0%{?with_rbd} -BuildRequires: qemu-block-rbd = %version +BuildRequires: qemu-block-rbd = %{version} %endif -BuildRequires: qemu-block-ssh = %version +BuildRequires: qemu-block-ssh = %{version} %endif Requires(pre): shadow Requires(post): coreutils @@ -487,7 +516,7 @@ This package acts as an umbrella package to the other QEMU sub-packages. %package x86 Summary: Machine emulator and virtualizer for x86 architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} Requires: qemu-ipxe Requires: qemu-seabios Requires: qemu-sgabios @@ -507,7 +536,7 @@ This package provides i386 and x86_64 emulation. %package ppc Summary: Machine emulator and virtualizer for Power architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} Recommends: qemu-ipxe Recommends: qemu-vgabios @@ -523,7 +552,7 @@ This package provides ppc and ppc64 emulation. %package s390 Summary: Machine emulator and virtualizer for S/390 architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} %description s390 QEMU provides full machine emulation and cross architecture usage. It closely @@ -537,7 +566,7 @@ This package provides s390x emulation. %package arm Summary: Machine emulator and virtualizer for ARM architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} Recommends: qemu-ipxe Recommends: qemu-vgabios Recommends: ovmf @@ -555,7 +584,7 @@ This package provides arm emulation. %package extra Summary: Machine emulator and virtualizer for "extra" architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} Recommends: qemu-ipxe Recommends: qemu-vgabios @@ -576,13 +605,13 @@ Url: http://www.linux-kvm.org Summary: Wrapper to enable KVM acceleration under QEMU Group: System/Emulators/PC %ifarch %ix86 x86_64 -Requires: qemu-x86 = %version +Requires: qemu-x86 = %{version} %endif %ifarch s390x -Requires: qemu-s390 = %version +Requires: qemu-s390 = %{version} %endif -Provides: kvm = %version -Obsoletes: kvm < %version +Provides: kvm = %{version} +Obsoletes: kvm < %{version} %description kvm QEMU provides full machine emulation and cross architecture usage. It closely @@ -612,10 +641,10 @@ in QEMU are not localized. # Nor can we have modules require the right version of qemu and qemu-tools # as Xen reuses our qemu-tools but does not want our qemu and qemu-x86. %define qemu_module_conflicts \ -Conflicts: qemu < %version-%release \ -Conflicts: qemu > %version-%release \ -Conflicts: qemu-tools < %version-%release \ -Conflicts: qemu-tools > %version-%release +Conflicts: qemu < %{version}-%{release} \ +Conflicts: qemu > %{version}-%{release} \ +Conflicts: qemu-tools < %{version}-%{release} \ +Conflicts: qemu-tools > %{version}-%{release} %package block-curl Summary: cURL block support for QEMU @@ -876,6 +905,35 @@ This package provides a service file for starting and stopping KSM. %patch0037 -p1 %patch0038 -p1 %patch0039 -p1 +%patch0040 -p1 +%patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 +%patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 +%patch0049 -p1 +%patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 +%patch0054 -p1 +%patch0055 -p1 +%patch0056 -p1 +%patch0057 -p1 +%patch0058 -p1 +%patch0059 -p1 +%patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 +%patch0064 -p1 +%patch0065 -p1 +%patch0066 -p1 +%patch0067 -p1 +%patch0068 -p1 %if 0%{?suse_version} > 1320 %patch1000 -p1 @@ -1327,15 +1385,17 @@ fi %{_bindir}/getent group kvm >/dev/null || %{_sbindir}/groupadd -r kvm %service_add_pre qemu-ga@.service -%preun guest-agent -%service_del_preun qemu-ga@.service - %post guest-agent %service_add_post qemu-ga@.service if [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ]; then /usr/bin/systemctl start qemu-ga@virtio\\x2dports-org.qemu.guest_agent.0.service || : fi +%preun guest-agent +if [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ]; then + /usr/bin/systemctl stop qemu-ga@virtio\\x2dports-org.qemu.guest_agent.0.service || : +fi + %postun guest-agent %service_del_postun qemu-ga@.service @@ -1358,7 +1418,8 @@ fi %files %defattr(-, root, root) %if "%{name}" != "qemu-testsuite" -%doc COPYING COPYING.LIB COPYING.PYTHON Changelog README VERSION LICENSE +%doc Changelog README VERSION +%license COPYING COPYING.LIB COPYING.PYTHON LICENSE %_docdir/%name/qemu-doc.txt %_docdir/%name/qemu-doc.html %_docdir/%name/qemu-qmp-ref.txt diff --git a/qemu.spec.in b/qemu.spec.in index 88079fc7..be49704e 100644 --- a/qemu.spec.in +++ b/qemu.spec.in @@ -305,30 +305,30 @@ BuildRequires: zlib-devel BuildRequires: python-base %endif BuildRequires: bc -BuildRequires: qemu-arm = %version -BuildRequires: qemu-block-curl = %version -BuildRequires: qemu-block-dmg = %version -BuildRequires: qemu-extra = %version -BuildRequires: qemu-guest-agent = %version -BuildRequires: qemu-ppc = %version -BuildRequires: qemu-s390 = %version -BuildRequires: qemu-tools = %version -BuildRequires: qemu-ui-curses = %version -BuildRequires: qemu-ui-gtk = %version +BuildRequires: qemu-arm = %{version} +BuildRequires: qemu-block-curl = %{version} +BuildRequires: qemu-block-dmg = %{version} +BuildRequires: qemu-extra = %{version} +BuildRequires: qemu-guest-agent = %{version} +BuildRequires: qemu-ppc = %{version} +BuildRequires: qemu-s390 = %{version} +BuildRequires: qemu-tools = %{version} +BuildRequires: qemu-ui-curses = %{version} +BuildRequires: qemu-ui-gtk = %{version} %if 0%{?is_opensuse} -BuildRequires: qemu-ui-sdl = %version +BuildRequires: qemu-ui-sdl = %{version} %endif -BuildRequires: qemu-x86 = %version +BuildRequires: qemu-x86 = %{version} %if 0%{?with_glusterfs} -BuildRequires: qemu-block-gluster = %version +BuildRequires: qemu-block-gluster = %{version} %endif %if 0%{?suse_version} > 1320 || ( 0%{?suse_version} == 1315 && 0%{?sle_version} > 120100 ) -BuildRequires: qemu-block-iscsi = %version +BuildRequires: qemu-block-iscsi = %{version} %endif %if 0%{?with_rbd} -BuildRequires: qemu-block-rbd = %version +BuildRequires: qemu-block-rbd = %{version} %endif -BuildRequires: qemu-block-ssh = %version +BuildRequires: qemu-block-ssh = %{version} %endif Requires(pre): shadow Requires(post): coreutils @@ -450,7 +450,7 @@ This package acts as an umbrella package to the other QEMU sub-packages. %package x86 Summary: Machine emulator and virtualizer for x86 architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} Requires: qemu-ipxe Requires: qemu-seabios Requires: qemu-sgabios @@ -470,7 +470,7 @@ This package provides i386 and x86_64 emulation. %package ppc Summary: Machine emulator and virtualizer for Power architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} Recommends: qemu-ipxe Recommends: qemu-vgabios @@ -486,7 +486,7 @@ This package provides ppc and ppc64 emulation. %package s390 Summary: Machine emulator and virtualizer for S/390 architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} %description s390 QEMU provides full machine emulation and cross architecture usage. It closely @@ -500,7 +500,7 @@ This package provides s390x emulation. %package arm Summary: Machine emulator and virtualizer for ARM architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} Recommends: qemu-ipxe Recommends: qemu-vgabios Recommends: ovmf @@ -518,7 +518,7 @@ This package provides arm emulation. %package extra Summary: Machine emulator and virtualizer for "extra" architectures Group: System/Emulators/PC -Requires: qemu = %version +Requires: qemu = %{version} Recommends: qemu-ipxe Recommends: qemu-vgabios @@ -539,13 +539,13 @@ Url: http://www.linux-kvm.org Summary: Wrapper to enable KVM acceleration under QEMU Group: System/Emulators/PC %ifarch %ix86 x86_64 -Requires: qemu-x86 = %version +Requires: qemu-x86 = %{version} %endif %ifarch s390x -Requires: qemu-s390 = %version +Requires: qemu-s390 = %{version} %endif -Provides: kvm = %version -Obsoletes: kvm < %version +Provides: kvm = %{version} +Obsoletes: kvm < %{version} %description kvm QEMU provides full machine emulation and cross architecture usage. It closely @@ -575,10 +575,10 @@ in QEMU are not localized. # Nor can we have modules require the right version of qemu and qemu-tools # as Xen reuses our qemu-tools but does not want our qemu and qemu-x86. %define qemu_module_conflicts \ -Conflicts: qemu < %version-%release \ -Conflicts: qemu > %version-%release \ -Conflicts: qemu-tools < %version-%release \ -Conflicts: qemu-tools > %version-%release +Conflicts: qemu < %{version}-%{release} \ +Conflicts: qemu > %{version}-%{release} \ +Conflicts: qemu-tools < %{version}-%{release} \ +Conflicts: qemu-tools > %{version}-%{release} %package block-curl Summary: cURL block support for QEMU @@ -1252,15 +1252,17 @@ fi %{_bindir}/getent group kvm >/dev/null || %{_sbindir}/groupadd -r kvm %service_add_pre qemu-ga@.service -%preun guest-agent -%service_del_preun qemu-ga@.service - %post guest-agent %service_add_post qemu-ga@.service if [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ]; then /usr/bin/systemctl start qemu-ga@virtio\\x2dports-org.qemu.guest_agent.0.service || : fi +%preun guest-agent +if [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ]; then + /usr/bin/systemctl stop qemu-ga@virtio\\x2dports-org.qemu.guest_agent.0.service || : +fi + %postun guest-agent %service_del_postun qemu-ga@.service @@ -1283,7 +1285,8 @@ fi %files %defattr(-, root, root) %if "%{name}" != "qemu-testsuite" -%doc COPYING COPYING.LIB COPYING.PYTHON Changelog README VERSION LICENSE +%doc Changelog README VERSION +%license COPYING COPYING.LIB COPYING.PYTHON LICENSE %_docdir/%name/qemu-doc.txt %_docdir/%name/qemu-doc.html %_docdir/%name/qemu-qmp-ref.txt