From 98145c2dbeeb0189c36edca5028dae794ce46b00 Mon Sep 17 00:00:00 2001
From: Zhao Hang
Date: Thu, 4 Aug 2022 16:15:53 +0800
Subject: [PATCH] update to qemu-kvm-6.2.0-11.module+el8.6.0+15668+464a1f31.2
Signed-off-by: Zhao Hang
---
 ...packet-for-vhost-vsock-device-in-rhe.patch | 107 ++++
 ...d-hw_compat_4_2_extra-and-apply-to-u.patch | 81 +++
 ...d-some-devices-for-exporting-upstrea.patch | 128 +++++
 ...able-FDC-device-for-upstream-machine.patch | 41 ++
 ...pose-upstream-machines-pc-4.2-and-pc.patch | 180 +++++++
 ...acpi-fix-OEM-ID-OEM-Table-ID-padding.patch | 70 +++
 ...U-crash-when-started-with-SLIC-table.patch | 99 ++++
 ...pcie-set-power-on-cap-on-parent-slot.patch | 130 +++++
 ...er-fix-race-condition-in-qxl_cursor-.patch | 59 +++
 ...3-Check-for-MEMTX_OK-instead-of-MEMT.patch | 76 +++
 ...ix-leak-of-host-notifier-memory-regi.patch | 60 +++
 ...-Server-v6-CPU-model-with-5-level-EP.patch | 60 +++
 ...08-Fix-when-missing-user_allow_other.patch | 52 ++
 ...-Test-new-refcount-rebuild-algorithm.patch | 445 +++++++++++++++++
 ...-expose-TYPE_XIO3130_DOWNSTREAM-name.patch | 73 +++
 ...d-errp-to-rebuild_refcount_structure.patch | 162 ++++++
 ...mprove-refcount-structure-rebuilding.patch | 465 ++++++++++++++++++
 ...Introduce-MemTxAttrs-memory-field-an.patch | 176 +++++++
 ...Simplify-flatview_write-and-address_.patch | 81 +++
 ...get-i386-properly-reset-TSC-on-reset.patch | 83 ++++
 ...ests-acpi-SLIC-update-expected-blobs.patch | 38 ++
 kvm-tests-acpi-add-SLIC-table-test.patch | 68 +++
 ...lly-pad-OEM_ID-OEM_TABLE_ID-for-test.patch | 76 +++
 ...short-OEM_ID-OEM_TABLE_ID-values-in-.patch | 69 +++
 kvm-tests-acpi-update-expected-blobs.patch | 51 ++
 ...list-expected-blobs-before-changing-.patch | 40 ++
 ...list-nvdimm-s-SSDT-and-FACP.slic-exp.patch | 49 ++
 ...teger-overflow-in-cursor_alloc-CVE-2.patch | 105 ++++
 ...ch-the-virqueue-element-in-case-of-e.patch | 78 +++
 ...-map-leaking-on-error-during-receive.patch | 63 +++
 ...iofsd-Adjust-limit-for-minor-version.patch | 41 --
 kvm-vmxcap-Add-5-level-EPT-bit.patch | 49 ++
 qemu-kvm.spec | 146 +++++-
 tests_data_acpi_pc_SSDT.dimmpxm | Bin 0 -> 734 bytes
 tests_data_acpi_q35_FACP.slic | Bin 0 -> 244 bytes
 tests_data_acpi_q35_SSDT.dimmpxm | Bin 0 -> 734 bytes
 tests_data_acpi_virt_SSDT.memhp | Bin 0 -> 736 bytes
 37 files changed, 3454 insertions(+), 47 deletions(-)
 create mode 100644 kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch
 create mode 100644 kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch
 create mode 100644 kvm-Revert-redhat-Add-some-devices-for-exporting-upstrea.patch
 create mode 100644 kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch
 create mode 100644 kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch
 create mode 100644 kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch
 create mode 100644 kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
 create mode 100644 kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch
 create mode 100644 kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch
 create mode 100644 kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch
 create mode 100644 kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch
 create mode 100644 kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch
 create mode 100644 kvm-iotests-108-Fix-when-missing-user_allow_other.patch
 create mode 100644 kvm-iotests-108-Test-new-refcount-rebuild-algorithm.patch
 create mode 100644 kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch
 create mode 100644 kvm-qcow2-Add-errp-to-rebuild_refcount_structure.patch
 create mode 100644 kvm-qcow2-Improve-refcount-structure-rebuilding.patch
 create mode 100644 kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch
 create mode 100644 kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch
 create mode 100644 kvm-target-i386-properly-reset-TSC-on-reset.patch
 create mode 100644 kvm-tests-acpi-SLIC-update-expected-blobs.patch
 create mode 100644 kvm-tests-acpi-add-SLIC-table-test.patch
 create mode 100644 kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch
 create mode 100644 kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch
 create mode 100644 kvm-tests-acpi-update-expected-blobs.patch
 create mode 100644 kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch
 create mode 100644 kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch
 create mode 100644 kvm-ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch
 create mode 100644 kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
 create mode 100644 kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch
 delete mode 100644 kvm-virtiofsd-Adjust-limit-for-minor-version.patch
 create mode 100644 kvm-vmxcap-Add-5-level-EPT-bit.patch
 create mode 100644 tests_data_acpi_pc_SSDT.dimmpxm
 create mode 100644 tests_data_acpi_q35_FACP.slic
 create mode 100644 tests_data_acpi_q35_SSDT.dimmpxm
 create mode 100644 tests_data_acpi_virt_SSDT.memhp
diff --git a/kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch b/kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch
new file mode 100644
index 0000000..c2df0b1
--- /dev/null
+++ b/kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch
@@ -0,0 +1,107 @@ +From fb23aa4bc1842bb78e270ee7c4fdd663e45e2317 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Thu, 24 Mar 2022 16:04:57 +0100 +Subject: [PATCH 01/11] RHEL: disable "seqpacket" for "vhost-vsock-device" in + rhel8.6.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Stefano Garzarella +RH-MergeRequest: 146: RHEL: disable "seqpacket" for "vhost-vsock-device" in rhel8.6.0 [rhel-8.6.0.z] +RH-Commit: [1/1] 516ee668b84252528de6f4946298089b153846f1 +RH-Bugzilla: 2071103 +RH-Acked-by: Jason Wang +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Eugenio Pérez +RH-Acked-by: Dr. David Alan Gilbert + +vhost-vsock device in RHEL 8 kernels doesn't support seqpacket. +To avoid problems when migrating a VM from RHEL 9 host, we need to +disable it in rhel8-* machine types. + +Signed-off-by: Stefano Garzarella +--- + hw/core/machine.c | 10 ++++++++++ + hw/i386/pc_piix.c | 2 ++ + hw/i386/pc_q35.c | 2 ++ + hw/s390x/s390-virtio-ccw.c | 1 + + include/hw/boards.h | 3 +++ + 5 files changed, 18 insertions(+) + +diff --git a/hw/core/machine.c b/hw/core/machine.c +index 024b025fc2..76fcabec7a 100644 +--- a/hw/core/machine.c ++++ b/hw/core/machine.c +@@ -37,6 +37,16 @@ + #include "hw/virtio/virtio.h" + #include "hw/virtio/virtio-pci.h" + ++GlobalProperty hw_compat_rhel_8_6[] = { ++ /* hw_compat_rhel_8_6 bz 2068202 */ ++ /* ++ * vhost-vsock device in RHEL 8 kernels doesn't support seqpacket, so ++ * we need do disable it downstream on the latest hw_compat_rhel_8. 
++ */ ++ { "vhost-vsock-device", "seqpacket", "off" }, ++}; ++const size_t hw_compat_rhel_8_6_len = G_N_ELEMENTS(hw_compat_rhel_8_6); ++ + /* + * Mostly the same as hw_compat_6_0 and hw_compat_6_1 + */ +diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c +index f03a8f0db8..ab6d03e07a 100644 +--- a/hw/i386/pc_piix.c ++++ b/hw/i386/pc_piix.c +@@ -998,6 +998,8 @@ static void pc_machine_rhel760_options(MachineClass *m) + pcmc->kvmclock_create_always = false; + /* From pc_i440fx_5_1_machine_options() */ + pcmc->pci_root_uid = 1; ++ compat_props_add(m->compat_props, hw_compat_rhel_8_6, ++ hw_compat_rhel_8_6_len); + compat_props_add(m->compat_props, hw_compat_rhel_8_5, + hw_compat_rhel_8_5_len); + compat_props_add(m->compat_props, pc_rhel_8_5_compat, +diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c +index 5559261d9e..882fe7a68d 100644 +--- a/hw/i386/pc_q35.c ++++ b/hw/i386/pc_q35.c +@@ -658,6 +658,8 @@ static void pc_q35_machine_rhel860_options(MachineClass *m) + m->desc = "RHEL-8.6.0 PC (Q35 + ICH9, 2009)"; + pcmc->smbios_stream_product = "RHEL-AV"; + pcmc->smbios_stream_version = "8.6.0"; ++ compat_props_add(m->compat_props, hw_compat_rhel_8_6, ++ hw_compat_rhel_8_6_len); + } + + DEFINE_PC_MACHINE(q35_rhel860, "pc-q35-rhel8.6.0", pc_q35_init_rhel860, +diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c +index 9795eb9406..bec270598b 100644 +--- a/hw/s390x/s390-virtio-ccw.c ++++ b/hw/s390x/s390-virtio-ccw.c +@@ -1109,6 +1109,7 @@ static void ccw_machine_rhel860_instance_options(MachineState *machine) + + static void ccw_machine_rhel860_class_options(MachineClass *mc) + { ++ compat_props_add(mc->compat_props, hw_compat_rhel_8_6, hw_compat_rhel_8_6_len); + } + DEFINE_CCW_MACHINE(rhel860, "rhel8.6.0", true); + +diff --git a/include/hw/boards.h b/include/hw/boards.h +index 04e8759815..4ddb798144 100644 +--- a/include/hw/boards.h ++++ b/include/hw/boards.h +@@ -443,6 +443,9 @@ extern const size_t hw_compat_2_2_len; + extern GlobalProperty hw_compat_2_1[]; + 
extern const size_t hw_compat_2_1_len;
+ 
++extern GlobalProperty hw_compat_rhel_8_6[];
++extern const size_t hw_compat_rhel_8_6_len;
++
+ extern GlobalProperty hw_compat_rhel_8_5[];
+ extern const size_t hw_compat_rhel_8_5_len;
+ 
+-- 
+2.27.0
+
diff --git a/kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch b/kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch
new file mode 100644
index 0000000..6ad2776
--- /dev/null
+++ b/kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch
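Review bot: The comment introduced above the `hw_compat_rhel_8_6` entry in hw/core/machine.c has a typo, `we need do disable it downstream`, which should read `we need to disable it downstream on the latest hw_compat_rhel_8`. The same comment cites bz 2068202 while the patch trailer cites RH-Bugzilla 2071103; if both are intended, naming which one tracks the kernel limitation keeps the entry traceable. The pc_piix.c hook is `pc_machine_rhel760_options`, whose body continues outside the hunk; it is presumably the newest i440fx type shipped downstream, mirroring the q35 and s390x rhel860 hooks, but that is inferred. Only x86 and s390x machine types receive the new array here, so a rhel8.6.0 machine type on any other architecture that offers vhost-vsock would still advertise seqpacket.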
@@ -0,0 +1,81 @@ +From dc2e9ec1e014950c7918e23a3e9b0096b34a4a92 Mon Sep 17 00:00:00 2001 +From: "Dr. David Alan Gilbert" +Date: Wed, 9 Mar 2022 10:31:53 +0000 +Subject: [PATCH 1/6] Revert "redhat: Add hw_compat_4_2_extra and apply to + upstream machines" + +RH-Author: Dr. David Alan Gilbert +RH-MergeRequest: 121: x86: Remove upstream compat machines +RH-Commit: [1/3] 7a3e416b5a464a2a7892337289443268189baf44 +RH-Bugzilla: 2061856 +RH-Acked-by: Stephen Tweedie +RH-Acked-by: quintela1 +RH-Acked-by: Peter Xu + +This reverts commit 66882f9a3230246409f3918424aca26add5c034a. +We no longer need these compat machines it was added for. + +Signed-off-by: Dr. David Alan Gilbert +--- + hw/i386/pc.c | 12 ------------ + hw/i386/pc_piix.c | 6 ------ + include/hw/i386/pc.h | 3 --- + 3 files changed, 21 deletions(-) + +diff --git a/hw/i386/pc.c b/hw/i386/pc.c +index 4c08a1971c..357257349b 100644 +--- a/hw/i386/pc.c ++++ b/hw/i386/pc.c +@@ -670,18 +670,6 @@ GlobalProperty pc_rhel_7_0_compat[] = { + }; + const size_t pc_rhel_7_0_compat_len = G_N_ELEMENTS(pc_rhel_7_0_compat); + +-/* +- * RHEL: These properties only apply to the RHEL exported machine types +- * pc-4.2/2.11 for the purpose to have a limited upstream machines support +- * which can be migrated to RHEL. Let's avoid touching hw_compat_4_2 directly +- * so that we can have some isolation against the upstream code. +- */ +-GlobalProperty hw_compat_4_2_extra[] = { +- /* By default enlarge the default virtio-net-pci ROM to 512KB. */ +- { "virtio-net-pci", "romsize", "0x80000" }, +-}; +-const size_t hw_compat_4_2_extra_len = G_N_ELEMENTS(hw_compat_4_2_extra); +- + GSIState *pc_gsi_create(qemu_irq **irqs, bool pci_enabled) + { + GSIState *s; +diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c +index c30057c443..7b7076cbc7 100644 +--- a/hw/i386/pc_piix.c ++++ b/hw/i386/pc_piix.c +@@ -531,12 +531,6 @@ static void pc_i440fx_4_2_machine_options(MachineClass *m) + * supported by RHEL, even if exported. 
+ */ + m->deprecation_reason = "Not supported by RHEL"; +- /* +- * RHEL: Specific compat properties to have limited support for upstream +- * machines exported. +- */ +- compat_props_add(m->compat_props, hw_compat_4_2_extra, +- hw_compat_4_2_extra_len); + } + + /* RHEL: Export pc-4.2 */ +diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h +index 9e8bfb69f8..4a593acb50 100644 +--- a/include/hw/i386/pc.h ++++ b/include/hw/i386/pc.h +@@ -325,9 +325,6 @@ extern const size_t pc_rhel_7_1_compat_len; + extern GlobalProperty pc_rhel_7_0_compat[]; + extern const size_t pc_rhel_7_0_compat_len; + +-extern GlobalProperty hw_compat_4_2_extra[]; +-extern const size_t hw_compat_4_2_extra_len; +- + /* Helper for setting model-id for CPU models that changed model-id + * depending on QEMU versions up to QEMU 2.4. + */ +-- +2.27.0 + diff --git a/kvm-Revert-redhat-Add-some-devices-for-exporting-upstrea.patch b/kvm-Revert-redhat-Add-some-devices-for-exporting-upstrea.patch new file mode 100644 index 0000000..3aac284 --- /dev/null +++ b/kvm-Revert-redhat-Add-some-devices-for-exporting-upstrea.patch 
@@ -0,0 +1,128 @@ +From 27fbe5c920c6680f9dbe994963183ee515f40c12 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Thu, 14 Apr 2022 16:45:30 -0400 +Subject: [PATCH 1/2] Revert redhat: Add some devices for exporting upstream + machine types + +RH-Author: Jon Maloy +RH-MergeRequest: 177: Revert redhat: Add some devices for exporting upstream machine types +RH-Commit: [1/1] 9e5dd81cc2e2c8f1df76de9f75d815c91c250c69 (jmaloy/qemu-kvm) +RH-Bugzilla: 2077928 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Thomas Huth +RH-Acked-by: Peter Xu + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2077928 +Upstream: no + +Manual revert of commit 70d3924521c9bfd912bcf1a1fc76f49eb377de46, since +the directory structure looks different from rhel-av-8.4.0.z where +this commit is taken from. Besides, x86_64-softmmu.mak looks totally +different and should not be affected by this reversal. + +Signed-off-by: Jon Maloy +--- + configs/devices/x86_64-softmmu/x86_64-rh-devices.mak | 1 - + .../devices/x86_64-softmmu/x86_64-upstream-devices.mak | 4 ---- + hw/char/parallel.c | 9 --------- + hw/i386/pc_piix.c | 2 +- + hw/i386/pc_q35.c | 2 +- + hw/timer/hpet.c | 8 -------- + 6 files changed, 2 insertions(+), 24 deletions(-) + delete mode 100644 configs/devices/x86_64-softmmu/x86_64-upstream-devices.mak + +diff --git a/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak b/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak +index fdbbdf9742..31ce08edab 100644 +--- a/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak ++++ b/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak +@@ -1,5 +1,4 @@ + include ../rh-virtio.mak +-include x86_64-upstream-devices.mak + + CONFIG_AC97=y + CONFIG_ACPI=y +diff --git a/configs/devices/x86_64-softmmu/x86_64-upstream-devices.mak b/configs/devices/x86_64-softmmu/x86_64-upstream-devices.mak +deleted file mode 100644 +index 2cd20f54d2..0000000000 +--- a/configs/devices/x86_64-softmmu/x86_64-upstream-devices.mak ++++ /dev/null +@@ -1,4 +0,0 @@ +-# We need 
"isa-parallel" +-CONFIG_PARALLEL=y +-# We need "hpet" +-CONFIG_HPET=y +diff --git a/hw/char/parallel.c b/hw/char/parallel.c +index e5f108211b..b45e67bfbb 100644 +--- a/hw/char/parallel.c ++++ b/hw/char/parallel.c +@@ -29,7 +29,6 @@ + #include "chardev/char-parallel.h" + #include "chardev/char-fe.h" + #include "hw/acpi/aml-build.h" +-#include "hw/boards.h" + #include "hw/irq.h" + #include "hw/isa/isa.h" + #include "hw/qdev-properties.h" +@@ -535,14 +534,6 @@ static void parallel_isa_realizefn(DeviceState *dev, Error **errp) + int base; + uint8_t dummy; + +- /* Restricted for Red Hat Enterprise Linux */ +- MachineClass *mc = MACHINE_GET_CLASS(qdev_get_machine()); +- if (strstr(mc->name, "rhel")) { +- error_setg(errp, "Device %s is not supported with machine type %s", +- object_get_typename(OBJECT(dev)), mc->name); +- return; +- } +- + if (!qemu_chr_fe_backend_connected(&s->chr)) { + error_setg(errp, "Can't create parallel device, empty char device"); + return; +diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c +index ab6d03e07a..5f101c8748 100644 +--- a/hw/i386/pc_piix.c ++++ b/hw/i386/pc_piix.c +@@ -966,7 +966,7 @@ static void pc_machine_rhel7_options(MachineClass *m) + { + PCMachineClass *pcmc = PC_MACHINE_CLASS(m); + m->family = "pc_piix_Y"; +- m->default_machine_opts = "firmware=bios-256k.bin,hpet=off"; ++ m->default_machine_opts = "firmware=bios-256k.bin"; + pcmc->default_nic_model = "e1000"; + pcmc->pci_root_uid = 0; + m->default_display = "std"; +diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c +index 882fe7a68d..73b0d0d317 100644 +--- a/hw/i386/pc_q35.c ++++ b/hw/i386/pc_q35.c +@@ -633,7 +633,7 @@ static void pc_q35_machine_rhel_options(MachineClass *m) + pcmc->pci_root_uid = 0; + m->family = "pc_q35_Z"; + m->units_per_default_bus = 1; +- m->default_machine_opts = "firmware=bios-256k.bin,hpet=off"; ++ m->default_machine_opts = "firmware=bios-256k.bin"; + m->default_display = "std"; + m->no_floppy = 1; + m->no_parallel = 1; +diff --git a/hw/timer/hpet.c 
b/hw/timer/hpet.c
+index 202e032524..9520471be2 100644
+--- a/hw/timer/hpet.c
++++ b/hw/timer/hpet.c
+@@ -733,14 +733,6 @@ static void hpet_realize(DeviceState *dev, Error **errp)
+ int i;
+ HPETTimer *timer;
+ 
+- /* Restricted for Red Hat Enterprise Linux */
+- MachineClass *mc = MACHINE_GET_CLASS(qdev_get_machine());
+- if (strstr(mc->name, "rhel")) {
+- error_setg(errp, "Device %s is not supported with machine type %s",
+- object_get_typename(OBJECT(dev)), mc->name);
+- return;
+- }
+-
+ if (!s->intcap) {
+ warn_report("Hpet's intcap not initialized");
+ }
+-- 
+2.35.3
+
diff --git a/kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch b/kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch
new file mode 100644
index 0000000..11a4719
--- /dev/null
+++ b/kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch
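Review bot: Dropping `hpet=off` from `default_machine_opts` in pc_machine_rhel7_options() and pc_q35_machine_rhel_options() is equivalent to the previous behaviour only because the same patch deletes x86_64-upstream-devices.mak and with it CONFIG_HPET=y, and nothing on the changed lines records that coupling. A short comment on each changed line, e.g. `/* HPET is not built downstream (no CONFIG_HPET), so hpet=off is not needed here */`, would keep the option and the build configuration from drifting apart. Likewise, removing the `strstr(mc->name, "rhel")` guards from parallel_isa_realizefn() and hpet_realize() leaves the device config as the only thing keeping isa-parallel and hpet off rhel machine types; both functions continue outside their hunks, so whether any other guard remains cannot be told from here.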
@@ -0,0 +1,41 @@
+From 597cb6ca1da4a3eea77c1e4928f55203a1d5c70c Mon Sep 17 00:00:00 2001
+From: "Dr. David Alan Gilbert"
+Date: Wed, 9 Mar 2022 10:32:39 +0000
+Subject: [PATCH 2/6] Revert "redhat: Enable FDC device for upstream machines
+ too"
+
+RH-Author: Dr. David Alan Gilbert
+RH-MergeRequest: 121: x86: Remove upstream compat machines
+RH-Commit: [2/3] 1d4d284babe8fe5b25ccb4ca85daf6f8c6cedcc2
+RH-Bugzilla: 2061856
+RH-Acked-by: Stephen Tweedie
+RH-Acked-by: quintela1
+RH-Acked-by: Peter Xu
+
+This reverts commit c4d1aa8bf21fe98da94a9cff30b7c25bed12c17f.
+We no longer need these compat machines it was added for.
+
+Signed-off-by: Dr. David Alan Gilbert
+---
+ hw/block/fdc.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 63042ef030..97fa6de423 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -2341,10 +2341,7 @@ void fdctrl_realize_common(DeviceState *dev, FDCtrl *fdctrl, Error **errp)
+ 
+ /* Restricted for Red Hat Enterprise Linux: */
+ MachineClass *mc = MACHINE_GET_CLASS(qdev_get_machine());
+- if (!strstr(mc->name, "-rhel7.") &&
+- /* Exported two upstream machine types allows FDC too */
+- strcmp(mc->name, "pc-i440fx-4.2") &&
+- strcmp(mc->name, "pc-i440fx-2.11")) {
++ if (!strstr(mc->name, "-rhel7.")) {
+ error_setg(errp, "Device %s is not supported with machine type %s",
+ object_get_typename(OBJECT(dev)), mc->name);
+ return;
+-- 
+2.27.0
+
diff --git a/kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch b/kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch
new file mode 100644
index 0000000..f2d98fd
--- /dev/null
+++ b/kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch
@@ -0,0 +1,180 @@ +From f3b50d6d4ae0be9e64aafe6a15f5423bab4899e9 Mon Sep 17 00:00:00 2001 +From: "Dr. David Alan Gilbert" +Date: Wed, 9 Mar 2022 10:34:58 +0000 +Subject: [PATCH 3/6] Revert "redhat: Expose upstream machines pc-4.2 and + pc-2.11" + +RH-Author: Dr. David Alan Gilbert +RH-MergeRequest: 121: x86: Remove upstream compat machines +RH-Commit: [3/3] 9aef91a363110034776c8d6b3013fc06aec9c674 +RH-Bugzilla: 2061856 +RH-Acked-by: Stephen Tweedie +RH-Acked-by: quintela1 +RH-Acked-by: Peter Xu + +This reverts commit 618e2424edba499d52cd26cf8363bc2dd85ef149. +We no longer need these compat machines. + +Signed-off-by: Dr. David Alan Gilbert +--- + hw/i386/pc_piix.c | 37 ------------------------------------- + 1 file changed, 37 deletions(-) + +diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c +index 7b7076cbc7..f03a8f0db8 100644 +--- a/hw/i386/pc_piix.c ++++ b/hw/i386/pc_piix.c +@@ -315,14 +315,6 @@ static void pc_init1(MachineState *machine, + * hw_compat_*, pc_compat_*, or * pc_*_machine_options(). + */ + +-/* +- * NOTE! Not all the upstream machine types are disabled for RHEL. For +- * providing a very limited support for upstream machine types, pc machines +- * 2.11 and 4.2 are exposed explicitly. This will make the below "#if" macros +- * a bit messed up, but please read this comment first so that we can have a +- * rough understanding of what we're going to do. 
+- */ +- + #if 0 /* Disabled for Red Hat Enterprise Linux */ + static void pc_compat_2_3_fn(MachineState *machine) + { +@@ -399,8 +391,6 @@ static void pc_xen_hvm_init(MachineState *machine) + } + #endif + +-#endif /* Disabled for Red Hat Enterprise Linux */ +- + #define DEFINE_I440FX_MACHINE(suffix, name, compatfn, optionfn) \ + static void pc_init_##suffix(MachineState *machine) \ + { \ +@@ -465,10 +455,8 @@ static void pc_i440fx_6_0_machine_options(MachineClass *m) + compat_props_add(m->compat_props, pc_compat_6_0, pc_compat_6_0_len); + } + +-#if 0 /* Disabled for Red Hat Enterprise Linux */ + DEFINE_I440FX_MACHINE(v6_0, "pc-i440fx-6.0", NULL, + pc_i440fx_6_0_machine_options); +-#endif /* Disabled for Red Hat Enterprise Linux */ + + static void pc_i440fx_5_2_machine_options(MachineClass *m) + { +@@ -479,10 +467,8 @@ static void pc_i440fx_5_2_machine_options(MachineClass *m) + compat_props_add(m->compat_props, pc_compat_5_2, pc_compat_5_2_len); + } + +-#if 0 /* Disabled for Red Hat Enterprise Linux */ + DEFINE_I440FX_MACHINE(v5_2, "pc-i440fx-5.2", NULL, + pc_i440fx_5_2_machine_options); +-#endif /* Disabled for Red Hat Enterprise Linux */ + + static void pc_i440fx_5_1_machine_options(MachineClass *m) + { +@@ -497,10 +483,8 @@ static void pc_i440fx_5_1_machine_options(MachineClass *m) + pcmc->pci_root_uid = 1; + } + +-#if 0 /* Disabled for Red Hat Enterprise Linux */ + DEFINE_I440FX_MACHINE(v5_1, "pc-i440fx-5.1", NULL, + pc_i440fx_5_1_machine_options); +-#endif /* Disabled for Red Hat Enterprise Linux */ + + static void pc_i440fx_5_0_machine_options(MachineClass *m) + { +@@ -513,10 +497,8 @@ static void pc_i440fx_5_0_machine_options(MachineClass *m) + m->auto_enable_numa_with_memdev = false; + } + +-#if 0 /* Disabled for Red Hat Enterprise Linux */ + DEFINE_I440FX_MACHINE(v5_0, "pc-i440fx-5.0", NULL, + pc_i440fx_5_0_machine_options); +-#endif /* Disabled for Red Hat Enterprise Linux */ + + static void pc_i440fx_4_2_machine_options(MachineClass *m) + { +@@ -525,15 
+507,8 @@ static void pc_i440fx_4_2_machine_options(MachineClass *m) + m->is_default = false; + compat_props_add(m->compat_props, hw_compat_4_2, hw_compat_4_2_len); + compat_props_add(m->compat_props, pc_compat_4_2, pc_compat_4_2_len); +- +- /* +- * RHEL: Mark all upstream machines as deprecated because they're not +- * supported by RHEL, even if exported. +- */ +- m->deprecation_reason = "Not supported by RHEL"; + } + +-/* RHEL: Export pc-4.2 */ + DEFINE_I440FX_MACHINE(v4_2, "pc-i440fx-4.2", NULL, + pc_i440fx_4_2_machine_options); + +@@ -546,10 +521,8 @@ static void pc_i440fx_4_1_machine_options(MachineClass *m) + compat_props_add(m->compat_props, pc_compat_4_1, pc_compat_4_1_len); + } + +-#if 0 /* Disabled for Red Hat Enterprise Linux */ + DEFINE_I440FX_MACHINE(v4_1, "pc-i440fx-4.1", NULL, + pc_i440fx_4_1_machine_options); +-#endif /* Disabled for Red Hat Enterprise Linux */ + + static void pc_i440fx_4_0_machine_options(MachineClass *m) + { +@@ -562,10 +535,8 @@ static void pc_i440fx_4_0_machine_options(MachineClass *m) + compat_props_add(m->compat_props, pc_compat_4_0, pc_compat_4_0_len); + } + +-#if 0 /* Disabled for Red Hat Enterprise Linux */ + DEFINE_I440FX_MACHINE(v4_0, "pc-i440fx-4.0", NULL, + pc_i440fx_4_0_machine_options); +-#endif /* Disabled for Red Hat Enterprise Linux */ + + static void pc_i440fx_3_1_machine_options(MachineClass *m) + { +@@ -581,10 +552,8 @@ static void pc_i440fx_3_1_machine_options(MachineClass *m) + compat_props_add(m->compat_props, pc_compat_3_1, pc_compat_3_1_len); + } + +-#if 0 /* Disabled for Red Hat Enterprise Linux */ + DEFINE_I440FX_MACHINE(v3_1, "pc-i440fx-3.1", NULL, + pc_i440fx_3_1_machine_options); +-#endif /* Disabled for Red Hat Enterprise Linux */ + + static void pc_i440fx_3_0_machine_options(MachineClass *m) + { +@@ -593,10 +562,8 @@ static void pc_i440fx_3_0_machine_options(MachineClass *m) + compat_props_add(m->compat_props, pc_compat_3_0, pc_compat_3_0_len); + } + +-#if 0 /* Disabled for Red Hat Enterprise Linux 
*/ + DEFINE_I440FX_MACHINE(v3_0, "pc-i440fx-3.0", NULL, + pc_i440fx_3_0_machine_options); +-#endif /* Disabled for Red Hat Enterprise Linux */ + + static void pc_i440fx_2_12_machine_options(MachineClass *m) + { +@@ -605,10 +572,8 @@ static void pc_i440fx_2_12_machine_options(MachineClass *m) + compat_props_add(m->compat_props, pc_compat_2_12, pc_compat_2_12_len); + } + +-#if 0 /* Disabled for Red Hat Enterprise Linux */ + DEFINE_I440FX_MACHINE(v2_12, "pc-i440fx-2.12", NULL, + pc_i440fx_2_12_machine_options); +-#endif /* Disabled for Red Hat Enterprise Linux */ + + static void pc_i440fx_2_11_machine_options(MachineClass *m) + { +@@ -617,11 +582,9 @@ static void pc_i440fx_2_11_machine_options(MachineClass *m) + compat_props_add(m->compat_props, pc_compat_2_11, pc_compat_2_11_len); + } + +-/* RHEL: Export pc-2.11 */ + DEFINE_I440FX_MACHINE(v2_11, "pc-i440fx-2.11", NULL, + pc_i440fx_2_11_machine_options); + +-#if 0 /* Disabled for Red Hat Enterprise Linux */ + static void pc_i440fx_2_10_machine_options(MachineClass *m) + { + pc_i440fx_2_11_machine_options(m); +-- +2.27.0 + diff --git a/kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch b/kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch new file mode 100644 index 0000000..9699b3e --- /dev/null +++ b/kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch 
@@ -0,0 +1,70 @@ +From 5294117078691549e84e26a96a2d647debabf7db Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Wed, 12 Jan 2022 08:03:31 -0500 +Subject: [PATCH 09/12] acpi: fix OEM ID/OEM Table ID padding + +RH-Author: Igor Mammedov +RH-MergeRequest: 129: acpi: fix QEMU crash when started with SLIC table +RH-Commit: [7/10] 3404492ef0094c8d5d2db0c82f1159705f9de7c7 +RH-Bugzilla: 2059311 +RH-Acked-by: Jon Maloy +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: MST + +Commit [2] broke original '\0' padding of OEM ID and OEM Table ID +fields in headers of ACPI tables. While it doesn't have impact on +default values since QEMU uses 6 and 8 characters long values +respectively, it broke usecase where IDs are provided on QEMU CLI. +It shouldn't affect guest (but may cause licensing verification +issues in guest OS). +One of the broken usecases is user supplied SLIC table with IDs +shorter than max possible length, where [2] mangles IDs with extra +spaces in RSDT and FADT tables whereas guest OS expects those to +mirror the respective values of the used SLIC table. + +Fix it by replacing whitespace padding with '\0' padding in +accordance with [1] and expectations of guest OS + +1) ACPI spec, v2.0b + 17.2 AML Grammar Definition + ... + //OEM ID of up to 6 characters. If the OEM ID is + //shorter than 6 characters, it can be terminated + //with a NULL character. + +2) +Fixes: 602b458201 ("acpi: Permit OEM ID and OEM table ID fields to be changed") +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/707 +Reported-by: Dmitry V. Orekhov +Signed-off-by: Igor Mammedov +Cc: qemu-stable@nongnu.org +Message-Id: <20220112130332.1648664-4-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Ani Sinha +Tested-by: Dmitry V. 
Orekhov dima.orekhov@gmail.com
+(cherry picked from commit 748c030f360a940fe0c9382c8ca1649096c3a80d)
+Signed-off-by: Igor Mammedov
+---
+ hw/acpi/aml-build.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
+index b3b3310df3..65148d5b9d 100644
+--- a/hw/acpi/aml-build.c
++++ b/hw/acpi/aml-build.c
+@@ -1724,9 +1724,9 @@ void acpi_table_begin(AcpiTable *desc, GArray *array)
+ build_append_int_noprefix(array, 0, 4); /* Length */
+ build_append_int_noprefix(array, desc->rev, 1); /* Revision */
+ build_append_int_noprefix(array, 0, 1); /* Checksum */
+- build_append_padded_str(array, desc->oem_id, 6, ' '); /* OEMID */
++ build_append_padded_str(array, desc->oem_id, 6, '\0'); /* OEMID */
+ /* OEM Table ID */
+- build_append_padded_str(array, desc->oem_table_id, 8, ' ');
++ build_append_padded_str(array, desc->oem_table_id, 8, '\0');
+ build_append_int_noprefix(array, 1, 4); /* OEM Revision */
+ g_array_append_vals(array, ACPI_BUILD_APPNAME8, 4); /* Creator ID */
+ build_append_int_noprefix(array, 1, 4); /* Creator Revision */
+-- 
+2.27.0
+
diff --git a/kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch b/kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
new file mode 100644
index 0000000..c55cb9b
--- /dev/null
+++ b/kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
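Review bot: The reason for NUL rather than space padding in acpi_table_begin() lives only in the commit message; the `/* OEMID */` comment on the changed line should carry it so the padding is not "fixed" back to spaces later, e.g. `/* OEMID: NUL-padded, ACPI 2.0b 17.2 lets an ID shorter than 6 bytes be NUL-terminated */`, with the same note on the OEM Table ID line. build_append_padded_str() still asserts when the string is longer than the field (the assertion is quoted in the sibling SLIC-crash patch of this series), so `desc->oem_id` and `desc->oem_table_id` must be NUL-terminated by the callers, all of which are outside this hunk. Because the emitted bytes change for IDs shorter than the field, the expected ACPI blobs need regeneration; the diffstat shows the tests/acpi blob updates shipped alongside this patch.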
@@ -0,0 +1,99 @@ +From 2596689db79a5710fdfdb1f0d5bfe02557bb30e5 Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Mon, 27 Dec 2021 14:31:17 -0500 +Subject: [PATCH 03/12] acpi: fix QEMU crash when started with SLIC table +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Igor Mammedov +RH-MergeRequest: 129: acpi: fix QEMU crash when started with SLIC table +RH-Commit: [1/10] da8a19a574ce0c8862c84173434fa186aaddc855 +RH-Bugzilla: 2059311 +RH-Acked-by: Jon Maloy +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: MST + +if QEMU is started with used provided SLIC table blob, + + -acpitable sig=SLIC,oem_id='CRASH ',oem_table_id="ME",oem_rev=00002210,asl_compiler_id="",asl_compiler_rev=00000000,data=/dev/null +it will assert with: + + hw/acpi/aml-build.c:61:build_append_padded_str: assertion failed: (len <= maxlen) + +and following backtrace: + + ... + build_append_padded_str (array=0x555556afe320, str=0x555556afdb2e "CRASH ME", maxlen=0x6, pad=0x20) at hw/acpi/aml-build.c:61 + acpi_table_begin (desc=0x7fffffffd1b0, array=0x555556afe320) at hw/acpi/aml-build.c:1727 + build_fadt (tbl=0x555556afe320, linker=0x555557ca3830, f=0x7fffffffd318, oem_id=0x555556afdb2e "CRASH ME", oem_table_id=0x555556afdb34 "ME") at hw/acpi/aml-build.c:2064 + ... + +which happens due to acpi_table_begin() expecting NULL terminated +oem_id and oem_table_id strings, which is normally the case, but +in case of user provided SLIC table, oem_id points to table's blob +directly and as result oem_id became longer than expected. + +Fix issue by handling oem_id consistently and make acpi_get_slic_oem() +return NULL terminated strings. + +PS: +After [1] refactoring, oem_id semantics became inconsistent, where +NULL terminated string was coming from machine and old way pointer +into byte array coming from -acpitable option. That used to work +since build_header() wasn't expecting NULL terminated string and +blindly copied the 1st 6 bytes only. 
+ +However commit [2] broke that by replacing build_header() with +acpi_table_begin(), which was expecting NULL terminated string +and was checking oem_id size. + +1) 602b45820 ("acpi: Permit OEM ID and OEM table ID fields to be changed") +2) +Fixes: 4b56e1e4eb08 ("acpi: build_fadt: use acpi_table_begin()/acpi_table_end() instead of build_header()") +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/786 +Signed-off-by: Igor Mammedov +Message-Id: <20211227193120.1084176-2-imammedo@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé +Tested-by: Denis Lisov +Tested-by: Alexander Tsoy +Cc: qemu-stable@nongnu.org +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 8cdb99af45365727ac17f45239a9b8c1d5155c6d) +--- + hw/acpi/core.c | 4 ++-- + hw/i386/acpi-build.c | 2 ++ + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/hw/acpi/core.c b/hw/acpi/core.c +index 1e004d0078..3e811bf03c 100644 +--- a/hw/acpi/core.c ++++ b/hw/acpi/core.c +@@ -345,8 +345,8 @@ int acpi_get_slic_oem(AcpiSlicOem *oem) + struct acpi_table_header *hdr = (void *)(u - sizeof(hdr->_length)); + + if (memcmp(hdr->sig, "SLIC", 4) == 0) { +- oem->id = hdr->oem_id; +- oem->table_id = hdr->oem_table_id; ++ oem->id = g_strndup(hdr->oem_id, 6); ++ oem->table_id = g_strndup(hdr->oem_table_id, 8); + return 0; + } + } +diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c +index a4478e77b7..acc4869db0 100644 +--- a/hw/i386/acpi-build.c ++++ b/hw/i386/acpi-build.c +@@ -2726,6 +2726,8 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine) + + /* Cleanup memory that's no longer used. */ + g_array_free(table_offsets, true); ++ g_free(slic_oem.id); ++ g_free(slic_oem.table_id); + } + + static void acpi_ram_update(MemoryRegion *mr, GArray *data) +-- +2.27.0 + diff --git a/kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch b/kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch new file mode 100644 index 0000000..36c2ed4 --- /dev/null 
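Review bot: acpi_get_slic_oem() now returns heap copies via `g_strndup`, transferring ownership to the caller, but neither the function nor its header gets a comment saying so; `/* On success oem->id and oem->table_id are g_strndup()'d copies that the caller must g_free(). */` at the definition would stop the next caller from leaking them or keeping a pointer into the freed buffer. The `g_free(slic_oem.id)` and `g_free(slic_oem.table_id)` added at the end of acpi_build() are safe on the no-SLIC path only if `slic_oem` is zero-initialised where it is declared, which is outside the hunk and worth confirming. Any other caller of acpi_get_slic_oem() that this patch does not touch would now leak the two strings. The copy lengths 6 and 8 match the fixed-width header fields, so the copy itself no longer depends on finding a NUL inside the user-supplied blob.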
+++ b/kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch 
@@ -0,0 +1,130 @@ +From c655f89956c69dc4bb3c3c74515c6c04bd0195bb Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Tue, 1 Mar 2022 10:11:59 -0500 +Subject: [PATCH 6/6] acpi: pcihp: pcie: set power on cap on parent slot + +RH-Author: Igor Mammedov +RH-MergeRequest: 125: RHEL-8.6 Fix broken PCIe device after migration +RH-Commit: [2/2] effbd75b9d495c88dd4d910b547154849fb1e821 +RH-Bugzilla: 2054597 +RH-Acked-by: Jon Maloy +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: MST + +on creation a PCIDevice has power turned on at the end of pci_qdev_realize() +however later on if PCIe slot isn't populated with any children +it's power is turned off. It's fine if native hotplug is used +as plug callback will power slot on among other things. +However when ACPI hotplug is enabled it replaces native PCIe plug +callbacks with ACPI specific ones (acpi_pcihp_device_*plug_cb) and +as result slot stays powered off. It works fine as ACPI hotplug +on guest side takes care of enumerating/initializing hotplugged +device. But when later guest is migrated, call chain introduced by] +commit d5daff7d312 (pcie: implement slot power control for pcie root ports) + + pcie_cap_slot_post_load() + -> pcie_cap_update_power() + -> pcie_set_power_device() + -> pci_set_power() + -> pci_update_mappings() + +will disable earlier initialized BARs for the hotplugged device +in powered off slot due to commit 23786d13441 (pci: implement power state) +which disables BARs if power is off. + +Fix it by setting PCI_EXP_SLTCTL_PCC to PCI_EXP_SLTCTL_PWR_ON +on slot (root port/downstream port) at the time a device +hotplugged into it. As result PCI_EXP_SLTCTL_PWR_ON is migrated +to target and above call chain keeps device plugged into it +powered on. + +Fixes: d5daff7d312 ("pcie: implement slot power control for pcie root ports") +Fixes: 23786d13441 ("pci: implement power state") +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2053584 +Suggested-by: "Michael S. 
Tsirkin" +Signed-off-by: Igor Mammedov +Message-Id: <20220301151200.3507298-3-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 6b0969f1ec825984cd74619f0730be421b0c46fb) +Signed-off-by: Igor Mammedov +--- + hw/acpi/pcihp.c | 12 +++++++++++- + hw/pci/pcie.c | 11 +++++++++++ + include/hw/pci/pcie.h | 1 + + 3 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c +index a5e182dd3a..be0e846b34 100644 +--- a/hw/acpi/pcihp.c ++++ b/hw/acpi/pcihp.c +@@ -32,6 +32,7 @@ + #include "hw/pci/pci_bridge.h" + #include "hw/pci/pci_host.h" + #include "hw/pci/pcie_port.h" ++#include "hw/pci-bridge/xio3130_downstream.h" + #include "hw/i386/acpi-build.h" + #include "hw/acpi/acpi.h" + #include "hw/pci/pci_bus.h" +@@ -341,6 +342,8 @@ void acpi_pcihp_device_plug_cb(HotplugHandler *hotplug_dev, AcpiPciHpState *s, + { + PCIDevice *pdev = PCI_DEVICE(dev); + int slot = PCI_SLOT(pdev->devfn); ++ PCIDevice *bridge; ++ PCIBus *bus; + int bsel; + + /* Don't send event when device is enabled during qemu machine creation: +@@ -370,7 +373,14 @@ void acpi_pcihp_device_plug_cb(HotplugHandler *hotplug_dev, AcpiPciHpState *s, + return; + } + +- bsel = acpi_pcihp_get_bsel(pci_get_bus(pdev)); ++ bus = pci_get_bus(pdev); ++ bridge = pci_bridge_get_device(bus); ++ if (object_dynamic_cast(OBJECT(bridge), TYPE_PCIE_ROOT_PORT) || ++ object_dynamic_cast(OBJECT(bridge), TYPE_XIO3130_DOWNSTREAM)) { ++ pcie_cap_slot_enable_power(bridge); ++ } ++ ++ bsel = acpi_pcihp_get_bsel(bus); + g_assert(bsel >= 0); + s->acpi_pcihp_pci_status[bsel].up |= (1U << slot); + acpi_send_event(DEVICE(hotplug_dev), ACPI_PCI_HOTPLUG_STATUS); +diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c +index d7d73a31e4..996f0e24fe 100644 +--- a/hw/pci/pcie.c ++++ b/hw/pci/pcie.c +@@ -366,6 +366,17 @@ static void hotplug_event_clear(PCIDevice *dev) + } + } + ++void pcie_cap_slot_enable_power(PCIDevice *dev) ++{ ++ uint8_t *exp_cap = dev->config + 
dev->exp.exp_cap; ++ uint32_t sltcap = pci_get_long(exp_cap + PCI_EXP_SLTCAP); ++ ++ if (sltcap & PCI_EXP_SLTCAP_PCP) { ++ pci_set_word_by_mask(exp_cap + PCI_EXP_SLTCTL, ++ PCI_EXP_SLTCTL_PCC, PCI_EXP_SLTCTL_PWR_ON); ++ } ++} ++ + static void pcie_set_power_device(PCIBus *bus, PCIDevice *dev, void *opaque) + { + bool *power = opaque; +diff --git a/include/hw/pci/pcie.h b/include/hw/pci/pcie.h +index 6063bee0ec..c27368d077 100644 +--- a/include/hw/pci/pcie.h ++++ b/include/hw/pci/pcie.h +@@ -112,6 +112,7 @@ void pcie_cap_slot_write_config(PCIDevice *dev, + uint32_t addr, uint32_t val, int len); + int pcie_cap_slot_post_load(void *opaque, int version_id); + void pcie_cap_slot_push_attention_button(PCIDevice *dev); ++void pcie_cap_slot_enable_power(PCIDevice *dev); + + void pcie_cap_root_init(PCIDevice *dev); + void pcie_cap_root_reset(PCIDevice *dev); +-- +2.27.0 + diff --git a/kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch b/kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch new file mode 100644 index 0000000..c933542 --- /dev/null +++ b/kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch 
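Review bot: pcie_cap_slot_enable_power() is introduced as a new public function in hw/pci/pcie.c and declared in include/hw/pci/pcie.h without a comment saying what it does or why ACPI hotplug needs it; add above the definition `/* Force the slot's power-controller state to PWR_ON (only if SLTCAP advertises a power controller) so it is migrated with the port; ACPI hotplug bypasses the native plug callback that would otherwise do this. */`. The caller in acpi_pcihp_device_plug_cb() selects slots by concrete type, TYPE_PCIE_ROOT_PORT and TYPE_XIO3130_DOWNSTREAM, so any other PCIe slot implementation would presumably keep the old powered-off behaviour silently; a cast check against the common parent slot type (TYPE_PCIE_SLOT, which xio3130_downstream derives from elsewhere in this series) may be the more robust test, worth confirming against what other slot devices exist downstream. The body of acpi_pcihp_device_plug_cb() continues outside the hunk.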
@@ -0,0 +1,59 @@ +From 08103b26cb393920410e0a943d35e79bbd9f5ce0 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 13 Apr 2022 20:54:45 -0400 +Subject: [PATCH 05/11] display/qxl-render: fix race condition in qxl_cursor + (CVE-2021-4207) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +RH-MergeRequest: 162: display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) +RH-Commit: [1/1] 055c5a8345ad434a723b8106ba0a7b85fe117547 (jmaloy/qemu-kvm) +RH-Bugzilla: 2075683 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Mauro Matteo Cascella + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075683 +Upstream: Merged +CVE: CVE-2021-4207 + +commit 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895 +Author: Mauro Matteo Cascella +Date: Thu Apr 7 10:11:06 2022 +0200 + + display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) + + Avoid fetching 'width' and 'height' a second time to prevent possible + race condition. Refer to security advisory + https://starlabs.sg/advisories/22-4207/ for more information. + + Fixes: CVE-2021-4207 + Signed-off-by: Mauro Matteo Cascella + Reviewed-by: Marc-André Lureau + Message-Id: <20220407081106.343235-1-mcascell@redhat.com> + 
Signed-off-by: Gerd Hoffmann + +(cherry picked from commit 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895) +Signed-off-by: Jon Maloy +--- + hw/display/qxl-render.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index d28849b121..237ed293ba 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + } + break; + case SPICE_CURSOR_TYPE_ALPHA: +- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height; ++ size = sizeof(uint32_t) * c->width * c->height; + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id); + if (qxl->debug > 2) { + cursor_print_ascii_art(c, "qxl/alpha"); +-- +2.27.0 + diff --git a/kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch b/kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch new file mode 100644 index 0000000..4f7455b --- /dev/null +++ b/kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch 
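Review bot: The replacement line in qxl_cursor() relies on `c` having been allocated from a single earlier read of the cursor header (outside the hunk), but nothing at the site says why cursor->header must not be consulted again, so a later edit could reintroduce the double fetch. Add above the assignment `/* Use the sizes cached in c: cursor->header is guest-writable memory and may change between reads (CVE-2021-4207). */`. The product `sizeof(uint32_t) * c->width * c->height` is still only safe if cursor_alloc() (outside the hunk) bounds width and height, which this series appears to address in a separate cursor_alloc patch; the two should be applied together.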
@@ -0,0 +1,76 @@ +From ef311c8ca284d11dc812a1004de52125fc9eb194 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 13 Apr 2022 14:51:06 -0400 +Subject: [PATCH 02/11] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of + MEMTX_ERROR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +RH-MergeRequest: 158: hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR +RH-Commit: [1/3] ebfd87ea3a2de51c6961569861d5f4fba25890cc (jmaloy/qemu-kvm) +RH-Bugzilla: 2075686 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Peter Xu + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075686 +Upstream: Merged +CVE: CVE-2021-3750 + +commit b9d383ab797f54ae5fa8746117770709921dc529 +Author: Philippe Mathieu-Daudé +Date: Wed Dec 15 19:24:19 2021 +0100 + + hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR + + Quoting Peter Maydell: + + "These MEMTX_* aren't from the memory transaction + API functions; they're just being used by gicd_readl() and + friends as a way to indicate a success/failure so that the + actual MemoryRegionOps read/write fns like gicv3_dist_read() + can log a guest error." + + We are going to introduce more MemTxResult bits, so it is + safer to check for !MEMTX_OK rather than MEMTX_ERROR. + + Reviewed-by: Peter Xu + Reviewed-by: David Hildenbrand + Reviewed-by: Peter Maydell + Reviewed-by: Stefan Hajnoczi + Signed-off-by: Philippe Mathieu-Daudé + 
Signed-off-by: Peter Maydell + +(cherry picked from commit b9d383ab797f54ae5fa8746117770709921dc529) +Signed-off-by: Jon Maloy +--- + hw/intc/arm_gicv3_redist.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c +index c8ff3eca08..99b11ca5ee 100644 +--- a/hw/intc/arm_gicv3_redist.c ++++ b/hw/intc/arm_gicv3_redist.c +@@ -462,7 +462,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data, + break; + } + +- if (r == MEMTX_ERROR) { ++ if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest read at offset " TARGET_FMT_plx + " size %u\n", __func__, offset, size); +@@ -521,7 +521,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data, + break; + } + +- if (r == MEMTX_ERROR) { ++ if (r != MEMTX_OK) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: invalid guest write at offset " TARGET_FMT_plx + " size %u\n", __func__, offset, size); +-- +2.27.0 + diff --git a/kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch b/kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch new file mode 100644 index 0000000..4a88ae4 --- /dev/null +++ b/kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch 
@@ -0,0 +1,60 @@ +From 6f84eb3889a7035c07eeb2d337d2c3b06a6777f0 Mon Sep 17 00:00:00 2001 +From: Laurent Vivier +Date: Fri, 11 Feb 2022 18:02:59 +0100 +Subject: [PATCH 4/6] hw/virtio: vdpa: Fix leak of host-notifier memory-region + +RH-Author: Laurent Vivier +RH-MergeRequest: 122: hw/virtio: vdpa: Fix leak of host-notifier memory-region +RH-Commit: [1/1] cd8719f57b2eb398cce108e191c7155a112f4fc8 +RH-Bugzilla: 2027208 +RH-Acked-by: Jason Wang +RH-Acked-by: Cindy Lu +RH-Acked-by: MST +RH-Acked-by: Stefano Garzarella + +BZ: https://bugzilla.redhat.com/2027208 +BRANCH: rhel-8.6.0 +UPSTREAM: Merged +BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=43682903 + +If call virtio_queue_set_host_notifier_mr fails, should free +host-notifier memory-region. + +This problem can trigger a coredump with some vDPA drivers (mlx5, +but not with the vdpasim), if we unplug the virtio-net card from +the guest after a stop/start. + +The same fix has been done for vhost-user: + 1f89d3b91e3e ("hw/virtio: Fix leak of host-notifier memory-region") + +Fixes: d0416d487bd5 ("vhost-vdpa: map virtqueue notification area if possible") +Cc: jasowang@redhat.com +Resolves: https://bugzilla.redhat.com/2027208 +Signed-off-by: Laurent Vivier +Message-Id: <20220211170259.1388734-1-lvivier@redhat.com> +Cc: qemu-stable@nongnu.org +Acked-by: Jason Wang +Reviewed-by: Stefano Garzarella +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. 
Tsirkin +(cherry picked from commit 98f7607ecda00dea3cbb2ed7b4427c96846efb83) +Signed-off-by: Laurent Vivier +--- + hw/virtio/vhost-vdpa.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c +index bcaf00e09f..78da48a333 100644 +--- a/hw/virtio/vhost-vdpa.c ++++ b/hw/virtio/vhost-vdpa.c +@@ -415,6 +415,7 @@ static int vhost_vdpa_host_notifier_init(struct vhost_dev *dev, int queue_index) + g_free(name); + + if (virtio_queue_set_host_notifier_mr(vdev, queue_index, &n->mr, true)) { ++ object_unparent(OBJECT(&n->mr)); + munmap(addr, page_size); + goto err; + } +-- +2.27.0 + diff --git a/kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch b/kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch new file mode 100644 index 0000000..23a9904 --- /dev/null +++ b/kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch 
@@ -0,0 +1,60 @@
+From f2578175ee0e0b0a7a99118e5fdf23ec0ad29ff4 Mon Sep 17 00:00:00 2001
+From: Vitaly Kuznetsov
+Date: Wed, 16 Mar 2022 09:48:04 +0100
+Subject: [PATCH 02/12] i386: Add Icelake-Server-v6 CPU model with 5-level EPT
+ support
+
+RH-Author: Vitaly Kuznetsov
+RH-MergeRequest: 127: i386: Add Icelake-Server-v6 CPU model with 5-level EPT support
+RH-Commit: [2/2] 72eaf5608490f5b1fb94b6decb95d4092c57dd85
+RH-Bugzilla: 2056986
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Igor Mammedov
+RH-Acked-by: Cornelia Huck
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2056986
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=43862707
+
+commit 12cab535db6440af41ed8dfefe908a594321b6ce
+Author: Vitaly Kuznetsov
+Date: Mon Feb 21 15:53:15 2022 +0100
+
+ i386: Add Icelake-Server-v6 CPU model with 5-level EPT support
+
+ Windows 11 with WSL2 enabled (Hyper-V) fails to boot with Icelake-Server
+ {-v5} CPU model but boots well with '-cpu host'. Apparently, it expects
+ 5-level paging and 5-level EPT support to come in pair but QEMU's
+ Icelake-Server CPU model lacks the later. Introduce 'Icelake-Server-v6'
+ CPU model with 'vmx-page-walk-5' enabled by default.
+
+ Signed-off-by: Vitaly Kuznetsov
+ Message-Id: <20220221145316.576138-1-vkuznets@redhat.com>
+ Signed-off-by: Paolo Bonzini
+
+Signed-off-by: Vitaly Kuznetsov
+---
+ target/i386/cpu.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index aa9e636800..6e25d13339 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -3505,6 +3505,14 @@ static const X86CPUDefinition builtin_x86_defs[] = {
+ { /* end of list */ }
+ },
+ },
++ {
++ .version = 6,
++ .note = "5-level EPT",
++ .props = (PropValue[]) {
++ { "vmx-page-walk-5", "on" },
++ { /* end of list */ }
++ },
++ },
+ { /* end of list */ }
+ }
+ },
+--
+2.27.0
+
diff --git a/kvm-iotests-108-Fix-when-missing-user_allow_other.patch b/kvm-iotests-108-Fix-when-missing-user_allow_other.patch new file mode 100644 index 0000000..f50104d --- /dev/null +++ b/kvm-iotests-108-Fix-when-missing-user_allow_other.patch 
@@ -0,0 +1,52 @@
+From f663b951b87735bee6b5a4d75b726f609e557f8c Mon Sep 17 00:00:00 2001
+From: Hanna Reitz
+Date: Thu, 21 Apr 2022 16:24:35 +0200
+Subject: [PATCH 11/11] iotests/108: Fix when missing user_allow_other
+
+RH-Author: Hanna Reitz
+RH-MergeRequest: 173: qcow2: Improve refcount structure rebuilding
+RH-Commit: [4/4] cea00f9cb38639d4c51fab13c20311d1737d5ca3
+RH-Bugzilla: 2072242
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Eric Blake
+RH-Acked-by: Stefan Hajnoczi
+
+FUSE exports' allow-other option defaults to "auto", which means that it
+will try passing allow_other as a mount option, and fall back to not
+using it when an error occurs. We make no effort to hide fusermount's
+error message (because it would be difficult, and because users might
+want to know about the fallback occurring), and so when allow_other does
+not work (primarily when /etc/fuse.conf does not contain
+user_allow_other), this error message will appear and break the
+reference output.
+
+We do not need allow_other here, though, so we can just pass
+allow-other=off to fix that.
+
+Reported-by: Markus Armbruster
+Signed-off-by: Hanna Reitz
+Message-Id: <20220421142435.569600-1-hreitz@redhat.com>
+Tested-by: Markus Armbruster
+Tested-by: Eric Blake
+(cherry picked from commit 348a0740afc5b313599533eb69bbb2b95d2f1bba)
+Signed-off-by: Hanna Reitz
+---
+ tests/qemu-iotests/108 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/qemu-iotests/108 b/tests/qemu-iotests/108
+index 23abbeaff0..775ff08eca 100755
+--- a/tests/qemu-iotests/108
++++ b/tests/qemu-iotests/108
+@@ -326,7 +326,7 @@ else
+
+ $QSD \
+ --blockdev file,node-name=export-node,filename="$TEST_IMG" \
+- --export fuse,id=fuse-export,node-name=export-node,mountpoint="$export_mp",writable=on,growable=off \
++ --export fuse,id=fuse-export,node-name=export-node,mountpoint="$export_mp",writable=on,growable=off,allow-other=off \
+ --pidfile "$TEST_DIR/qsd.pid" \
+ &
+
+--
+2.27.0
+
diff --git a/kvm-iotests-108-Test-new-refcount-rebuild-algorithm.patch b/kvm-iotests-108-Test-new-refcount-rebuild-algorithm.patch new file mode 100644 index 0000000..288557c --- /dev/null +++ b/kvm-iotests-108-Test-new-refcount-rebuild-algorithm.patch 
@@ -0,0 +1,445 @@ +From a5cc7f98669fbde7290fc363cb61dc7bd41718f3 Mon Sep 17 00:00:00 2001 +From: Hanna Reitz +Date: Tue, 5 Apr 2022 15:46:51 +0200 +Subject: [PATCH 09/11] iotests/108: Test new refcount rebuild algorithm + +RH-Author: Hanna Reitz +RH-MergeRequest: 173: qcow2: Improve refcount structure rebuilding +RH-Commit: [2/4] db808dcc1c5ee9fd901c0800b3fac1348fab246f +RH-Bugzilla: 2072242 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Eric Blake +RH-Acked-by: Stefan Hajnoczi + +One clear problem with how qcow2's refcount structure rebuild algorithm +used to be before "qcow2: Improve refcount structure rebuilding" was +that it is prone to failure for qcow2 images on block devices: There is +generally unused space after the actual image, and if that exceeds what +one refblock covers, the old algorithm would invariably write the +reftable past the block device's end, which cannot work. The new +algorithm does not have this problem. + +Test it with three tests: +(1) Create an image with more empty space at the end than what one + refblock covers, see whether rebuilding the refcount structures + results in a change in the image file length. (It should not.) + +(2) Leave precisely enough space somewhere at the beginning of the image + for the new reftable (and the refblock for that place), see whether + the new algorithm puts the reftable there. (It should.) + +(3) Test the original problem: Create (something like) a block device + with a fixed size, then create a qcow2 image in there, write some + data, and then have qemu-img check rebuild the refcount structures. + Before HEAD^, the reftable would have been written past the image + file end, i.e. outside of what the block device provides, which + cannot work. HEAD^ should have fixed that. + ("Something like a block device" means a loop device if we can use + one ("sudo -n losetup" works), or a FUSE block export with + growable=false otherwise.) 
+ +Reviewed-by: Eric Blake +Signed-off-by: Hanna Reitz +Message-Id: <20220405134652.19278-3-hreitz@redhat.com> +(cherry picked from commit 9ffd6d646d1d5ee9087a8cbf0b7d2f96c5656162) + +Conflicts: +- 108: The downstream qemu-storage-daemon does not support --daemonize, + so this switch has been replaced by a loop waiting for the PID file to + appear + +Signed-off-by: Hanna Reitz +--- + tests/qemu-iotests/108 | 263 ++++++++++++++++++++++++++++++++++++- + tests/qemu-iotests/108.out | 81 ++++++++++++ + 2 files changed, 343 insertions(+), 1 deletion(-) + +diff --git a/tests/qemu-iotests/108 b/tests/qemu-iotests/108 +index 8eaef0b8bf..23abbeaff0 100755 +--- a/tests/qemu-iotests/108 ++++ b/tests/qemu-iotests/108 +@@ -30,13 +30,20 @@ status=1 # failure is the default! + + _cleanup() + { +- _cleanup_test_img ++ _cleanup_test_img ++ if [ -f "$TEST_DIR/qsd.pid" ]; then ++ qsd_pid=$(cat "$TEST_DIR/qsd.pid") ++ kill -KILL "$qsd_pid" ++ fusermount -u "$TEST_DIR/fuse-export" &>/dev/null ++ fi ++ rm -f "$TEST_DIR/fuse-export" + } + trap "_cleanup; exit \$status" 0 1 2 3 15 + + # get standard environment, filters and checks + . ./common.rc + . ./common.filter ++. ./common.qemu + + # This tests qcow2-specific low-level functionality + _supported_fmt qcow2 +@@ -47,6 +54,22 @@ _supported_os Linux + # files + _unsupported_imgopts 'refcount_bits=\([^1]\|.\([^6]\|$\)\)' data_file + ++# This test either needs sudo -n losetup or FUSE exports to work ++if sudo -n losetup &>/dev/null; then ++ loopdev=true ++else ++ loopdev=false ++ ++ # QSD --export fuse will either yield "Parameter 'id' is missing" ++ # or "Invalid parameter 'fuse'", depending on whether there is ++ # FUSE support or not. 
++ error=$($QSD --export fuse 2>&1) ++ if [[ $error = *"'fuse'"* ]]; then ++ _notrun 'Passwordless sudo for losetup or FUSE support required, but' \ ++ 'neither is available' ++ fi ++fi ++ + echo + echo '=== Repairing an image without any refcount table ===' + echo +@@ -138,6 +161,244 @@ _make_test_img 64M + poke_file "$TEST_IMG" $((0x10008)) "\xff\xff\xff\xff\xff\xff\x00\x00" + _check_test_img -r all + ++echo ++echo '=== Check rebuilt reftable location ===' ++ ++# In an earlier version of the refcount rebuild algorithm, the ++# reftable was generally placed at the image end (unless something was ++# allocated in the area covered by the refblock right before the image ++# file end, then we would try to place the reftable in that refblock). ++# This was later changed so the reftable would be placed in the ++# earliest possible location. Test this. ++ ++echo ++echo '--- Does the image size increase? ---' ++echo ++ ++# First test: Just create some image, write some data to it, and ++# resize it so there is free space at the end of the image (enough ++# that it spans at least one full refblock, which for cluster_size=512 ++# images, spans 128k). With the old algorithm, the reftable would ++# have then been placed at the end of the image file, but with the new ++# one, it will be put in that free space. ++# We want to check whether the size of the image file increases due to ++# rebuilding the refcount structures (it should not). 
++ ++_make_test_img -o 'cluster_size=512' 1M ++# Write something ++$QEMU_IO -c 'write 0 64k' "$TEST_IMG" | _filter_qemu_io ++ ++# Add free space ++file_len=$(stat -c '%s' "$TEST_IMG") ++truncate -s $((file_len + 256 * 1024)) "$TEST_IMG" ++ ++# Corrupt the image by saying the image header was not allocated ++rt_offset=$(peek_file_be "$TEST_IMG" 48 8) ++rb_offset=$(peek_file_be "$TEST_IMG" $rt_offset 8) ++poke_file "$TEST_IMG" $rb_offset "\x00\x00" ++ ++# Check whether rebuilding the refcount structures increases the image ++# file size ++file_len=$(stat -c '%s' "$TEST_IMG") ++echo ++# The only leaks there can be are the old refcount structures that are ++# leaked during rebuilding, no need to clutter the output with them ++_check_test_img -r all | grep -v '^Repairing cluster.*refcount=1 reference=0' ++echo ++post_repair_file_len=$(stat -c '%s' "$TEST_IMG") ++ ++if [[ $file_len -eq $post_repair_file_len ]]; then ++ echo 'OK: Image size did not change' ++else ++ echo 'ERROR: Image size differs' \ ++ "($file_len before, $post_repair_file_len after)" ++fi ++ ++echo ++echo '--- Will the reftable occupy a hole specifically left for it? ---' ++echo ++ ++# Note: With cluster_size=512, every refblock covers 128k. ++# The reftable covers 8M per reftable cluster. ++ ++# Create an image that requires two reftable clusters (just because ++# this is more interesting than a single-clustered reftable). ++_make_test_img -o 'cluster_size=512' 9M ++$QEMU_IO -c 'write 0 8M' "$TEST_IMG" | _filter_qemu_io ++ ++# Writing 8M will have resized the reftable. Unfortunately, doing so ++# will leave holes in the file, so we need to fill them up so we can ++# be sure the whole file is allocated. Do that by writing ++# consecutively smaller chunks starting from 8 MB, until the file ++# length increases even with a chunk size of 512. Then we must have ++# filled all holes. 
++ofs=$((8 * 1024 * 1024)) ++block_len=$((16 * 1024)) ++while [[ $block_len -ge 512 ]]; do ++ file_len=$(stat -c '%s' "$TEST_IMG") ++ while [[ $(stat -c '%s' "$TEST_IMG") -eq $file_len ]]; do ++ # Do not include this in the reference output, it does not ++ # really matter which qemu-io calls we do here exactly ++ $QEMU_IO -c "write $ofs $block_len" "$TEST_IMG" >/dev/null ++ ofs=$((ofs + block_len)) ++ done ++ block_len=$((block_len / 2)) ++done ++ ++# Fill up to 9M (do not include this in the reference output either, ++# $ofs is random for all we know) ++$QEMU_IO -c "write $ofs $((9 * 1024 * 1024 - ofs))" "$TEST_IMG" >/dev/null ++ ++# Make space as follows: ++# - For the first refblock: Right at the beginning of the image (this ++# refblock is placed in the first place possible), ++# - For the reftable somewhere soon afterwards, still near the ++# beginning of the image (i.e. covered by the first refblock); the ++# reftable too is placed in the first place possible, but only after ++# all refblocks have been placed) ++# No space is needed for the other refblocks, because no refblock is ++# put before the space it covers. In this test case, we do not mind ++# if they are placed at the image file's end. ++ ++# Before we make that space, we have to find out the host offset of ++# the area that belonged to the two data clusters at guest offset 4k, ++# because we expect the reftable to be placed there, and we will have ++# to verify that it is. 
++ ++l1_offset=$(peek_file_be "$TEST_IMG" 40 8) ++l2_offset=$(peek_file_be "$TEST_IMG" $l1_offset 8) ++l2_offset=$((l2_offset & 0x00fffffffffffe00)) ++data_4k_offset=$(peek_file_be "$TEST_IMG" \ ++ $((l2_offset + 4096 / 512 * 8)) 8) ++data_4k_offset=$((data_4k_offset & 0x00fffffffffffe00)) ++ ++$QEMU_IO -c "discard 0 512" -c "discard 4k 1k" "$TEST_IMG" | _filter_qemu_io ++ ++# Corrupt the image by saying the image header was not allocated ++rt_offset=$(peek_file_be "$TEST_IMG" 48 8) ++rb_offset=$(peek_file_be "$TEST_IMG" $rt_offset 8) ++poke_file "$TEST_IMG" $rb_offset "\x00\x00" ++ ++echo ++# The only leaks there can be are the old refcount structures that are ++# leaked during rebuilding, no need to clutter the output with them ++_check_test_img -r all | grep -v '^Repairing cluster.*refcount=1 reference=0' ++echo ++ ++# Check whether the reftable was put where we expected ++rt_offset=$(peek_file_be "$TEST_IMG" 48 8) ++if [[ $rt_offset -eq $data_4k_offset ]]; then ++ echo 'OK: Reftable is where we expect it' ++else ++ echo "ERROR: Reftable is at $rt_offset, but was expected at $data_4k_offset" ++fi ++ ++echo ++echo '--- Rebuilding refcount structures on block devices ---' ++echo ++ ++# A block device cannot really grow, at least not during qemu-img ++# check. As mentioned in the above cases, rebuilding the refcount ++# structure may lead to new refcount structures being written after ++# the end of the image, and in the past that happened even if there ++# was more than sufficient space in the image. Such post-EOF writes ++# will not work on block devices, so test that the new algorithm ++# avoids it. ++ ++# If we have passwordless sudo and losetup, we can use those to create ++# a block device. Otherwise, we can resort to qemu's FUSE export to ++# create a file that isn't growable, which effectively tests the same ++# thing. 
++ ++_cleanup_test_img ++truncate -s $((64 * 1024 * 1024)) "$TEST_IMG" ++ ++if $loopdev; then ++ export_mp=$(sudo -n losetup --show -f "$TEST_IMG") ++ export_mp_driver=host_device ++ sudo -n chmod go+rw "$export_mp" ++else ++ # Create non-growable FUSE export that is a bit like an empty ++ # block device ++ export_mp="$TEST_DIR/fuse-export" ++ export_mp_driver=file ++ touch "$export_mp" ++ ++ $QSD \ ++ --blockdev file,node-name=export-node,filename="$TEST_IMG" \ ++ --export fuse,id=fuse-export,node-name=export-node,mountpoint="$export_mp",writable=on,growable=off \ ++ --pidfile "$TEST_DIR/qsd.pid" \ ++ & ++ ++ while [ ! -f "$TEST_DIR/qsd.pid" ]; do ++ sleep 0.1 ++ done ++fi ++ ++# Now create a qcow2 image on the device -- unfortunately, qemu-img ++# create force-creates the file, so we have to resort to the ++# blockdev-create job. ++_launch_qemu \ ++ --blockdev $export_mp_driver,node-name=file,filename="$export_mp" ++ ++_send_qemu_cmd \ ++ $QEMU_HANDLE \ ++ '{ "execute": "qmp_capabilities" }' \ ++ 'return' ++ ++# Small cluster size again, so the image needs multiple refblocks ++_send_qemu_cmd \ ++ $QEMU_HANDLE \ ++ '{ "execute": "blockdev-create", ++ "arguments": { ++ "job-id": "create", ++ "options": { ++ "driver": "qcow2", ++ "file": "file", ++ "size": '$((64 * 1024 * 1024))', ++ "cluster-size": 512 ++ } } }' \ ++ '"concluded"' ++ ++_send_qemu_cmd \ ++ $QEMU_HANDLE \ ++ '{ "execute": "job-dismiss", "arguments": { "id": "create" } }' \ ++ 'return' ++ ++_send_qemu_cmd \ ++ $QEMU_HANDLE \ ++ '{ "execute": "quit" }' \ ++ 'return' ++ ++wait=y _cleanup_qemu ++echo ++ ++# Write some data ++$QEMU_IO -c 'write 0 64k' "$export_mp" | _filter_qemu_io ++ ++# Corrupt the image by saying the image header was not allocated ++rt_offset=$(peek_file_be "$export_mp" 48 8) ++rb_offset=$(peek_file_be "$export_mp" $rt_offset 8) ++poke_file "$export_mp" $rb_offset "\x00\x00" ++ ++# Repairing such a simple case should just work ++# (We used to put the reftable at the end of the image 
file, which can ++# never work for non-growable devices.) ++echo ++TEST_IMG="$export_mp" _check_test_img -r all \ ++ | grep -v '^Repairing cluster.*refcount=1 reference=0' ++ ++if $loopdev; then ++ sudo -n losetup -d "$export_mp" ++else ++ qsd_pid=$(cat "$TEST_DIR/qsd.pid") ++ kill -TERM "$qsd_pid" ++ # Wait for process to exit (cannot `wait` because the QSD is daemonized) ++ while [ -f "$TEST_DIR/qsd.pid" ]; do ++ true ++ done ++fi ++ + # success, all done + echo '*** done' + rm -f $seq.full +diff --git a/tests/qemu-iotests/108.out b/tests/qemu-iotests/108.out +index 75bab8dc84..b5401d788d 100644 +--- a/tests/qemu-iotests/108.out ++++ b/tests/qemu-iotests/108.out +@@ -105,6 +105,87 @@ The following inconsistencies were found and repaired: + 0 leaked clusters + 1 corruptions + ++Double checking the fixed image now... ++No errors were found on the image. ++ ++=== Check rebuilt reftable location === ++ ++--- Does the image size increase? --- ++ ++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1048576 ++wrote 65536/65536 bytes at offset 0 ++64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) ++ ++ERROR cluster 0 refcount=0 reference=1 ++Rebuilding refcount structure ++The following inconsistencies were found and repaired: ++ ++ 0 leaked clusters ++ 1 corruptions ++ ++Double checking the fixed image now... ++No errors were found on the image. ++ ++OK: Image size did not change ++ ++--- Will the reftable occupy a hole specifically left for it? 
--- ++ ++Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=9437184 ++wrote 8388608/8388608 bytes at offset 0 ++8 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) ++discard 512/512 bytes at offset 0 ++512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) ++discard 1024/1024 bytes at offset 4096 ++1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) ++ ++ERROR cluster 0 refcount=0 reference=1 ++Rebuilding refcount structure ++The following inconsistencies were found and repaired: ++ ++ 0 leaked clusters ++ 1 corruptions ++ ++Double checking the fixed image now... ++No errors were found on the image. ++ ++OK: Reftable is where we expect it ++ ++--- Rebuilding refcount structures on block devices --- ++ ++{ "execute": "qmp_capabilities" } ++{"return": {}} ++{ "execute": "blockdev-create", ++ "arguments": { ++ "job-id": "create", ++ "options": { ++ "driver": "IMGFMT", ++ "file": "file", ++ "size": 67108864, ++ "cluster-size": 512 ++ } } } ++{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "created", "id": "create"}} ++{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "running", "id": "create"}} ++{"return": {}} ++{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "waiting", "id": "create"}} ++{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "pending", "id": "create"}} ++{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "concluded", "id": "create"}} ++{ "execute": "job-dismiss", "arguments": { "id": "create" } } ++{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "JOB_STATUS_CHANGE", "data": {"status": "null", "id": "create"}} ++{"return": {}} ++{ "execute": "quit" } ++{"return": {}} ++{"timestamp": {"seconds": TIMESTAMP, 
"microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}} ++ ++wrote 65536/65536 bytes at offset 0 ++64 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) ++ ++ERROR cluster 0 refcount=0 reference=1 ++Rebuilding refcount structure ++The following inconsistencies were found and repaired: ++ ++ 0 leaked clusters ++ 1 corruptions ++ + Double checking the fixed image now... + No errors were found on the image. + *** done +-- +2.27.0 + diff --git a/kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch b/kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch new file mode 100644 index 0000000..dee75d2 --- /dev/null +++ b/kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch 
@@ -0,0 +1,73 @@
+From 5f5208c1d41477645b2707cfac206d24d86b9254 Mon Sep 17 00:00:00 2001
+From: Igor Mammedov
+Date: Tue, 1 Mar 2022 10:11:58 -0500
+Subject: [PATCH 5/6] pci: expose TYPE_XIO3130_DOWNSTREAM name
+
+RH-Author: Igor Mammedov
+RH-MergeRequest: 125: RHEL-8.6 Fix broken PCIe device after migration
+RH-Commit: [1/2] 703782ce00f067c811056d5765a8b2094e585b4f
+RH-Bugzilla: 2054597
+RH-Acked-by: Jon Maloy
+RH-Acked-by: Gerd Hoffmann
+RH-Acked-by: MST
+
+Type name will be used in followup patch for cast check
+in pcihp code.
+
+Signed-off-by: Igor Mammedov
+Message-Id: <20220301151200.3507298-2-imammedo@redhat.com>
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+(cherry picked from commit c41481af9a5d0d463607cc45b45c510875570817)
+Signed-off-by: Igor Mammedov
+---
+ hw/pci-bridge/xio3130_downstream.c | 3 ++-
+ include/hw/pci-bridge/xio3130_downstream.h | 15 +++++++++++++++
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+ create mode 100644 include/hw/pci-bridge/xio3130_downstream.h
+
+diff --git a/hw/pci-bridge/xio3130_downstream.c b/hw/pci-bridge/xio3130_downstream.c
+index 04aae72cd6..b17cafd359 100644
+--- a/hw/pci-bridge/xio3130_downstream.c
++++ b/hw/pci-bridge/xio3130_downstream.c
+@@ -28,6 +28,7 @@
+ #include "migration/vmstate.h"
+ #include "qapi/error.h"
+ #include "qemu/module.h"
++#include "hw/pci-bridge/xio3130_downstream.h"
+
+ #define PCI_DEVICE_ID_TI_XIO3130D 0x8233 /* downstream port */
+ #define XIO3130_REVISION 0x1
+@@ -173,7 +174,7 @@ static void xio3130_downstream_class_init(ObjectClass *klass, void *data)
+ }
+
+ static const TypeInfo xio3130_downstream_info = {
+- .name = "xio3130-downstream",
++ .name = TYPE_XIO3130_DOWNSTREAM,
+ .parent = TYPE_PCIE_SLOT,
+ .class_init = xio3130_downstream_class_init,
+ .interfaces = (InterfaceInfo[]) {
+diff --git a/include/hw/pci-bridge/xio3130_downstream.h b/include/hw/pci-bridge/xio3130_downstream.h
+new file mode 100644
+index 0000000000..1d10139aea
+--- /dev/null
++++ b/include/hw/pci-bridge/xio3130_downstream.h
+@@ -0,0 +1,15 @@
++/*
++ * TI X3130 pci express downstream port switch
++ *
++ * Copyright (C) 2022 Igor Mammedov
++ *
++ * SPDX-License-Identifier: GPL-2.0-or-later
++ */
++
++#ifndef HW_PCI_BRIDGE_XIO3130_DOWNSTREAM_H
++#define HW_PCI_BRIDGE_XIO3130_DOWNSTREAM_H
++
++#define TYPE_XIO3130_DOWNSTREAM "xio3130-downstream"
++
++#endif
++
+--
+2.27.0
+
diff --git a/kvm-qcow2-Add-errp-to-rebuild_refcount_structure.patch b/kvm-qcow2-Add-errp-to-rebuild_refcount_structure.patch
new file mode 100644
index 0000000..6cd88e8
--- /dev/null
+++ b/kvm-qcow2-Add-errp-to-rebuild_refcount_structure.patch
@@ -0,0 +1,162 @@ +From 6c475f4bc2c323d75d40eb37386fbb86819791ec Mon Sep 17 00:00:00 2001 +From: Hanna Reitz +Date: Tue, 5 Apr 2022 15:46:52 +0200 +Subject: [PATCH 10/11] qcow2: Add errp to rebuild_refcount_structure() + +RH-Author: Hanna Reitz +RH-MergeRequest: 173: qcow2: Improve refcount structure rebuilding +RH-Commit: [3/4] 95a6b7bb558a9ed35afae3fa9fefd761312ecb3b +RH-Bugzilla: 2072242 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Eric Blake +RH-Acked-by: Stefan Hajnoczi + +Instead of fprint()-ing error messages in rebuild_refcount_structure() +and its rebuild_refcounts_write_refblocks() helper, pass them through an +Error object to qcow2_check_refcounts() (which will then print it). + +Suggested-by: Eric Blake +Signed-off-by: Hanna Reitz +Message-Id: <20220405134652.19278-4-hreitz@redhat.com> +Reviewed-by: Eric Blake +(cherry picked from commit 0423f75351ab83b844a31349218b0eadd830e07a) +Signed-off-by: Hanna Reitz +--- + block/qcow2-refcount.c | 33 +++++++++++++++++++-------------- + 1 file changed, 19 insertions(+), 14 deletions(-) + +diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c +index 555d8ba5ac..09f8ef4927 100644 +--- a/block/qcow2-refcount.c ++++ b/block/qcow2-refcount.c +@@ -2462,7 +2462,8 @@ static int64_t alloc_clusters_imrt(BlockDriverState *bs, + static int rebuild_refcounts_write_refblocks( + BlockDriverState *bs, void **refcount_table, int64_t *nb_clusters, + int64_t first_cluster, int64_t end_cluster, +- uint64_t **on_disk_reftable_ptr, uint32_t *on_disk_reftable_entries_ptr ++ uint64_t **on_disk_reftable_ptr, uint32_t *on_disk_reftable_entries_ptr, ++ Error **errp + ) + { + BDRVQcow2State *s = bs->opaque; +@@ -2513,8 +2514,8 @@ static int rebuild_refcounts_write_refblocks( + nb_clusters, + &first_free_cluster); + if (refblock_offset < 0) { +- fprintf(stderr, "ERROR allocating refblock: %s\n", +- strerror(-refblock_offset)); ++ error_setg_errno(errp, -refblock_offset, ++ "ERROR allocating refblock"); + return refblock_offset; + } + 
+@@ -2536,6 +2537,7 @@ static int rebuild_refcounts_write_refblocks( + on_disk_reftable_entries * + REFTABLE_ENTRY_SIZE); + if (!on_disk_reftable) { ++ error_setg(errp, "ERROR allocating reftable memory"); + return -ENOMEM; + } + +@@ -2559,7 +2561,7 @@ static int rebuild_refcounts_write_refblocks( + ret = qcow2_pre_write_overlap_check(bs, 0, refblock_offset, + s->cluster_size, false); + if (ret < 0) { +- fprintf(stderr, "ERROR writing refblock: %s\n", strerror(-ret)); ++ error_setg_errno(errp, -ret, "ERROR writing refblock"); + return ret; + } + +@@ -2575,7 +2577,7 @@ static int rebuild_refcounts_write_refblocks( + ret = bdrv_pwrite(bs->file, refblock_offset, on_disk_refblock, + s->cluster_size); + if (ret < 0) { +- fprintf(stderr, "ERROR writing refblock: %s\n", strerror(-ret)); ++ error_setg_errno(errp, -ret, "ERROR writing refblock"); + return ret; + } + +@@ -2598,7 +2600,8 @@ static int rebuild_refcounts_write_refblocks( + static int rebuild_refcount_structure(BlockDriverState *bs, + BdrvCheckResult *res, + void **refcount_table, +- int64_t *nb_clusters) ++ int64_t *nb_clusters, ++ Error **errp) + { + BDRVQcow2State *s = bs->opaque; + int64_t reftable_offset = -1; +@@ -2649,7 +2652,7 @@ static int rebuild_refcount_structure(BlockDriverState *bs, + rebuild_refcounts_write_refblocks(bs, refcount_table, nb_clusters, + 0, *nb_clusters, + &on_disk_reftable, +- &on_disk_reftable_entries); ++ &on_disk_reftable_entries, errp); + if (reftable_size_changed < 0) { + res->check_errors++; + ret = reftable_size_changed; +@@ -2673,8 +2676,8 @@ static int rebuild_refcount_structure(BlockDriverState *bs, + refcount_table, nb_clusters, + &first_free_cluster); + if (reftable_offset < 0) { +- fprintf(stderr, "ERROR allocating reftable: %s\n", +- strerror(-reftable_offset)); ++ error_setg_errno(errp, -reftable_offset, ++ "ERROR allocating reftable"); + res->check_errors++; + ret = reftable_offset; + goto fail; +@@ -2692,7 +2695,7 @@ static int 
rebuild_refcount_structure(BlockDriverState *bs, + reftable_start_cluster, + reftable_end_cluster, + &on_disk_reftable, +- &on_disk_reftable_entries); ++ &on_disk_reftable_entries, errp); + if (reftable_size_changed < 0) { + res->check_errors++; + ret = reftable_size_changed; +@@ -2722,7 +2725,7 @@ static int rebuild_refcount_structure(BlockDriverState *bs, + ret = qcow2_pre_write_overlap_check(bs, 0, reftable_offset, reftable_length, + false); + if (ret < 0) { +- fprintf(stderr, "ERROR writing reftable: %s\n", strerror(-ret)); ++ error_setg_errno(errp, -ret, "ERROR writing reftable"); + goto fail; + } + +@@ -2730,7 +2733,7 @@ static int rebuild_refcount_structure(BlockDriverState *bs, + ret = bdrv_pwrite(bs->file, reftable_offset, on_disk_reftable, + reftable_length); + if (ret < 0) { +- fprintf(stderr, "ERROR writing reftable: %s\n", strerror(-ret)); ++ error_setg_errno(errp, -ret, "ERROR writing reftable"); + goto fail; + } + +@@ -2743,7 +2746,7 @@ static int rebuild_refcount_structure(BlockDriverState *bs, + &reftable_offset_and_clusters, + sizeof(reftable_offset_and_clusters)); + if (ret < 0) { +- fprintf(stderr, "ERROR setting reftable: %s\n", strerror(-ret)); ++ error_setg_errno(errp, -ret, "ERROR setting reftable"); + goto fail; + } + +@@ -2811,11 +2814,13 @@ int qcow2_check_refcounts(BlockDriverState *bs, BdrvCheckResult *res, + if (rebuild && (fix & BDRV_FIX_ERRORS)) { + BdrvCheckResult old_res = *res; + int fresh_leaks = 0; ++ Error *local_err = NULL; + + fprintf(stderr, "Rebuilding refcount structure\n"); + ret = rebuild_refcount_structure(bs, res, &refcount_table, +- &nb_clusters); ++ &nb_clusters, &local_err); + if (ret < 0) { ++ error_report_err(local_err); + goto fail; + } + +-- +2.27.0 + diff --git a/kvm-qcow2-Improve-refcount-structure-rebuilding.patch b/kvm-qcow2-Improve-refcount-structure-rebuilding.patch new file mode 100644 index 0000000..b7cab6f --- /dev/null +++ b/kvm-qcow2-Improve-refcount-structure-rebuilding.patch 
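Review bot: The rebuild branch of qcow2_check_refcounts() now reports through two different channels: the progress line stays a bare `fprintf(stderr, "Rebuilding refcount structure\n")` while the failure goes through `error_report_err(local_err)`, which routes via error_report() and therefore picks up the program-name prefix (and a timestamp when `-msg timestamp` is on), so the error lines of one `qemu-img check` run will no longer be formatted like the lines around them. The call also relies on every negative return from rebuild_refcount_structure() having populated `local_err`, because error_report_err() dereferences the error; the paths visible in these hunks all set errp, but an `assert(local_err);` before the report would make that contract explicit for future error paths. The `"ERROR …"` prefixes carried over into the error_setg() messages become redundant once error_report() prints them, and QEMU's error.h guidance discourages capitalised prefixes in error messages — worth checking against the file's conventions. qcow2_check_refcounts() continues outside the hunk.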
@@ -0,0 +1,465 @@ +From 3daca05a8f845d2a389a6cf767314bcb72109578 Mon Sep 17 00:00:00 2001 +From: Hanna Reitz +Date: Tue, 5 Apr 2022 15:46:50 +0200 +Subject: [PATCH 08/11] qcow2: Improve refcount structure rebuilding + +RH-Author: Hanna Reitz +RH-MergeRequest: 173: qcow2: Improve refcount structure rebuilding +RH-Commit: [1/4] 586e7a0fc3cb7cc2296b544ffcef34d8395fa74c +RH-Bugzilla: 2072242 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Eric Blake +RH-Acked-by: Stefan Hajnoczi + +When rebuilding the refcount structures (when qemu-img check -r found +errors with refcount = 0, but reference count > 0), the new refcount +table defaults to being put at the image file end[1]. There is no good +reason for that except that it means we will not have to rewrite any +refblocks we already wrote to disk. + +Changing the code to rewrite those refblocks is not too difficult, +though, so let us do that. That is beneficial for images on block +devices, where we cannot really write beyond the end of the image file. + +Use this opportunity to add extensive comments to the code, and refactor +it a bit, getting rid of the backwards-jumping goto. + +[1] Unless there is something allocated in the area pointed to by the + last refblock, so we have to write that refblock. In that case, we + try to put the reftable in there. 
+ +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1519071 +Closes: https://gitlab.com/qemu-project/qemu/-/issues/941 +Reviewed-by: Eric Blake +Signed-off-by: Hanna Reitz +Message-Id: <20220405134652.19278-2-hreitz@redhat.com> +(cherry picked from commit a8c07ec287554dcefd33733f0e5888a281ddc95e) +Signed-off-by: Hanna Reitz +--- + block/qcow2-refcount.c | 332 +++++++++++++++++++++++++++++------------ + 1 file changed, 235 insertions(+), 97 deletions(-) + +diff --git a/block/qcow2-refcount.c b/block/qcow2-refcount.c +index 4614572252..555d8ba5ac 100644 +--- a/block/qcow2-refcount.c ++++ b/block/qcow2-refcount.c +@@ -2435,111 +2435,140 @@ static int64_t alloc_clusters_imrt(BlockDriverState *bs, + } + + /* +- * Creates a new refcount structure based solely on the in-memory information +- * given through *refcount_table. All necessary allocations will be reflected +- * in that array. ++ * Helper function for rebuild_refcount_structure(). + * +- * On success, the old refcount structure is leaked (it will be covered by the +- * new refcount structure). ++ * Scan the range of clusters [first_cluster, end_cluster) for allocated ++ * clusters and write all corresponding refblocks to disk. The refblock ++ * and allocation data is taken from the in-memory refcount table ++ * *refcount_table[] (of size *nb_clusters), which is basically one big ++ * (unlimited size) refblock for the whole image. ++ * ++ * For these refblocks, clusters are allocated using said in-memory ++ * refcount table. Care is taken that these allocations are reflected ++ * in the refblocks written to disk. ++ * ++ * The refblocks' offsets are written into a reftable, which is ++ * *on_disk_reftable_ptr[] (of size *on_disk_reftable_entries_ptr). If ++ * that reftable is of insufficient size, it will be resized to fit. ++ * This reftable is not written to disk. 
++ * ++ * (If *on_disk_reftable_ptr is not NULL, the entries within are assumed ++ * to point to existing valid refblocks that do not need to be allocated ++ * again.) ++ * ++ * Return whether the on-disk reftable array was resized (true/false), ++ * or -errno on error. + */ +-static int rebuild_refcount_structure(BlockDriverState *bs, +- BdrvCheckResult *res, +- void **refcount_table, +- int64_t *nb_clusters) ++static int rebuild_refcounts_write_refblocks( ++ BlockDriverState *bs, void **refcount_table, int64_t *nb_clusters, ++ int64_t first_cluster, int64_t end_cluster, ++ uint64_t **on_disk_reftable_ptr, uint32_t *on_disk_reftable_entries_ptr ++ ) + { + BDRVQcow2State *s = bs->opaque; +- int64_t first_free_cluster = 0, reftable_offset = -1, cluster = 0; ++ int64_t cluster; + int64_t refblock_offset, refblock_start, refblock_index; +- uint32_t reftable_size = 0; +- uint64_t *on_disk_reftable = NULL; ++ int64_t first_free_cluster = 0; ++ uint64_t *on_disk_reftable = *on_disk_reftable_ptr; ++ uint32_t on_disk_reftable_entries = *on_disk_reftable_entries_ptr; + void *on_disk_refblock; +- int ret = 0; +- struct { +- uint64_t reftable_offset; +- uint32_t reftable_clusters; +- } QEMU_PACKED reftable_offset_and_clusters; +- +- qcow2_cache_empty(bs, s->refcount_block_cache); ++ bool reftable_grown = false; ++ int ret; + +-write_refblocks: +- for (; cluster < *nb_clusters; cluster++) { ++ for (cluster = first_cluster; cluster < end_cluster; cluster++) { ++ /* Check all clusters to find refblocks that contain non-zero entries */ + if (!s->get_refcount(*refcount_table, cluster)) { + continue; + } + ++ /* ++ * This cluster is allocated, so we need to create a refblock ++ * for it. The data we will write to disk is just the ++ * respective slice from *refcount_table, so it will contain ++ * accurate refcounts for all clusters belonging to this ++ * refblock. After we have written it, we will therefore skip ++ * all remaining clusters in this refblock. 
++ */ ++ + refblock_index = cluster >> s->refcount_block_bits; + refblock_start = refblock_index << s->refcount_block_bits; + +- /* Don't allocate a cluster in a refblock already written to disk */ +- if (first_free_cluster < refblock_start) { +- first_free_cluster = refblock_start; +- } +- refblock_offset = alloc_clusters_imrt(bs, 1, refcount_table, +- nb_clusters, &first_free_cluster); +- if (refblock_offset < 0) { +- fprintf(stderr, "ERROR allocating refblock: %s\n", +- strerror(-refblock_offset)); +- res->check_errors++; +- ret = refblock_offset; +- goto fail; +- } ++ if (on_disk_reftable_entries > refblock_index && ++ on_disk_reftable[refblock_index]) ++ { ++ /* ++ * We can get here after a `goto write_refblocks`: We have a ++ * reftable from a previous run, and the refblock is already ++ * allocated. No need to allocate it again. ++ */ ++ refblock_offset = on_disk_reftable[refblock_index]; ++ } else { ++ int64_t refblock_cluster_index; + +- if (reftable_size <= refblock_index) { +- uint32_t old_reftable_size = reftable_size; +- uint64_t *new_on_disk_reftable; ++ /* Don't allocate a cluster in a refblock already written to disk */ ++ if (first_free_cluster < refblock_start) { ++ first_free_cluster = refblock_start; ++ } ++ refblock_offset = alloc_clusters_imrt(bs, 1, refcount_table, ++ nb_clusters, ++ &first_free_cluster); ++ if (refblock_offset < 0) { ++ fprintf(stderr, "ERROR allocating refblock: %s\n", ++ strerror(-refblock_offset)); ++ return refblock_offset; ++ } + +- reftable_size = ROUND_UP((refblock_index + 1) * REFTABLE_ENTRY_SIZE, +- s->cluster_size) / REFTABLE_ENTRY_SIZE; +- new_on_disk_reftable = g_try_realloc(on_disk_reftable, +- reftable_size * +- REFTABLE_ENTRY_SIZE); +- if (!new_on_disk_reftable) { +- res->check_errors++; +- ret = -ENOMEM; +- goto fail; ++ refblock_cluster_index = refblock_offset / s->cluster_size; ++ if (refblock_cluster_index >= end_cluster) { ++ /* ++ * We must write the refblock that holds this refblock's ++ * refcount ++ 
*/ ++ end_cluster = refblock_cluster_index + 1; + } +- on_disk_reftable = new_on_disk_reftable; + +- memset(on_disk_reftable + old_reftable_size, 0, +- (reftable_size - old_reftable_size) * REFTABLE_ENTRY_SIZE); ++ if (on_disk_reftable_entries <= refblock_index) { ++ on_disk_reftable_entries = ++ ROUND_UP((refblock_index + 1) * REFTABLE_ENTRY_SIZE, ++ s->cluster_size) / REFTABLE_ENTRY_SIZE; ++ on_disk_reftable = ++ g_try_realloc(on_disk_reftable, ++ on_disk_reftable_entries * ++ REFTABLE_ENTRY_SIZE); ++ if (!on_disk_reftable) { ++ return -ENOMEM; ++ } + +- /* The offset we have for the reftable is now no longer valid; +- * this will leak that range, but we can easily fix that by running +- * a leak-fixing check after this rebuild operation */ +- reftable_offset = -1; +- } else { +- assert(on_disk_reftable); +- } +- on_disk_reftable[refblock_index] = refblock_offset; ++ memset(on_disk_reftable + *on_disk_reftable_entries_ptr, 0, ++ (on_disk_reftable_entries - ++ *on_disk_reftable_entries_ptr) * ++ REFTABLE_ENTRY_SIZE); + +- /* If this is apparently the last refblock (for now), try to squeeze the +- * reftable in */ +- if (refblock_index == (*nb_clusters - 1) >> s->refcount_block_bits && +- reftable_offset < 0) +- { +- uint64_t reftable_clusters = size_to_clusters(s, reftable_size * +- REFTABLE_ENTRY_SIZE); +- reftable_offset = alloc_clusters_imrt(bs, reftable_clusters, +- refcount_table, nb_clusters, +- &first_free_cluster); +- if (reftable_offset < 0) { +- fprintf(stderr, "ERROR allocating reftable: %s\n", +- strerror(-reftable_offset)); +- res->check_errors++; +- ret = reftable_offset; +- goto fail; ++ *on_disk_reftable_ptr = on_disk_reftable; ++ *on_disk_reftable_entries_ptr = on_disk_reftable_entries; ++ ++ reftable_grown = true; ++ } else { ++ assert(on_disk_reftable); + } ++ on_disk_reftable[refblock_index] = refblock_offset; + } + ++ /* Refblock is allocated, write it to disk */ ++ + ret = qcow2_pre_write_overlap_check(bs, 0, refblock_offset, + 
s->cluster_size, false); + if (ret < 0) { + fprintf(stderr, "ERROR writing refblock: %s\n", strerror(-ret)); +- goto fail; ++ return ret; + } + +- /* The size of *refcount_table is always cluster-aligned, therefore the +- * write operation will not overflow */ ++ /* ++ * The refblock is simply a slice of *refcount_table. ++ * Note that the size of *refcount_table is always aligned to ++ * whole clusters, so the write operation will not result in ++ * out-of-bounds accesses. ++ */ + on_disk_refblock = (void *)((char *) *refcount_table + + refblock_index * s->cluster_size); + +@@ -2547,23 +2576,99 @@ write_refblocks: + s->cluster_size); + if (ret < 0) { + fprintf(stderr, "ERROR writing refblock: %s\n", strerror(-ret)); +- goto fail; ++ return ret; + } + +- /* Go to the end of this refblock */ ++ /* This refblock is done, skip to its end */ + cluster = refblock_start + s->refcount_block_size - 1; + } + +- if (reftable_offset < 0) { +- uint64_t post_refblock_start, reftable_clusters; ++ return reftable_grown; ++} ++ ++/* ++ * Creates a new refcount structure based solely on the in-memory information ++ * given through *refcount_table (this in-memory information is basically just ++ * the concatenation of all refblocks). All necessary allocations will be ++ * reflected in that array. ++ * ++ * On success, the old refcount structure is leaked (it will be covered by the ++ * new refcount structure). 
++ */ ++static int rebuild_refcount_structure(BlockDriverState *bs, ++ BdrvCheckResult *res, ++ void **refcount_table, ++ int64_t *nb_clusters) ++{ ++ BDRVQcow2State *s = bs->opaque; ++ int64_t reftable_offset = -1; ++ int64_t reftable_length = 0; ++ int64_t reftable_clusters; ++ int64_t refblock_index; ++ uint32_t on_disk_reftable_entries = 0; ++ uint64_t *on_disk_reftable = NULL; ++ int ret = 0; ++ int reftable_size_changed = 0; ++ struct { ++ uint64_t reftable_offset; ++ uint32_t reftable_clusters; ++ } QEMU_PACKED reftable_offset_and_clusters; ++ ++ qcow2_cache_empty(bs, s->refcount_block_cache); ++ ++ /* ++ * For each refblock containing entries, we try to allocate a ++ * cluster (in the in-memory refcount table) and write its offset ++ * into on_disk_reftable[]. We then write the whole refblock to ++ * disk (as a slice of the in-memory refcount table). ++ * This is done by rebuild_refcounts_write_refblocks(). ++ * ++ * Once we have scanned all clusters, we try to find space for the ++ * reftable. This will dirty the in-memory refcount table (i.e. ++ * make it differ from the refblocks we have already written), so we ++ * need to run rebuild_refcounts_write_refblocks() again for the ++ * range of clusters where the reftable has been allocated. ++ * ++ * This second run might make the reftable grow again, in which case ++ * we will need to allocate another space for it, which is why we ++ * repeat all this until the reftable stops growing. ++ * ++ * (This loop will terminate, because with every cluster the ++ * reftable grows, it can accomodate a multitude of more refcounts, ++ * so that at some point this must be able to cover the reftable ++ * and all refblocks describing it.) ++ * ++ * We then convert the reftable to big-endian and write it to disk. ++ * ++ * Note that we never free any reftable allocations. Doing so would ++ * needlessly complicate the algorithm: The eventual second check ++ * run we do will clean up all leaks we have caused. 
++ */ ++ ++ reftable_size_changed = ++ rebuild_refcounts_write_refblocks(bs, refcount_table, nb_clusters, ++ 0, *nb_clusters, ++ &on_disk_reftable, ++ &on_disk_reftable_entries); ++ if (reftable_size_changed < 0) { ++ res->check_errors++; ++ ret = reftable_size_changed; ++ goto fail; ++ } ++ ++ /* ++ * There was no reftable before, so rebuild_refcounts_write_refblocks() ++ * must have increased its size (from 0 to something). ++ */ ++ assert(reftable_size_changed); ++ ++ do { ++ int64_t reftable_start_cluster, reftable_end_cluster; ++ int64_t first_free_cluster = 0; ++ ++ reftable_length = on_disk_reftable_entries * REFTABLE_ENTRY_SIZE; ++ reftable_clusters = size_to_clusters(s, reftable_length); + +- post_refblock_start = ROUND_UP(*nb_clusters, s->refcount_block_size); +- reftable_clusters = +- size_to_clusters(s, reftable_size * REFTABLE_ENTRY_SIZE); +- /* Not pretty but simple */ +- if (first_free_cluster < post_refblock_start) { +- first_free_cluster = post_refblock_start; +- } + reftable_offset = alloc_clusters_imrt(bs, reftable_clusters, + refcount_table, nb_clusters, + &first_free_cluster); +@@ -2575,24 +2680,55 @@ write_refblocks: + goto fail; + } + +- goto write_refblocks; +- } ++ /* ++ * We need to update the affected refblocks, so re-run the ++ * write_refblocks loop for the reftable's range of clusters. ++ */ ++ assert(offset_into_cluster(s, reftable_offset) == 0); ++ reftable_start_cluster = reftable_offset / s->cluster_size; ++ reftable_end_cluster = reftable_start_cluster + reftable_clusters; ++ reftable_size_changed = ++ rebuild_refcounts_write_refblocks(bs, refcount_table, nb_clusters, ++ reftable_start_cluster, ++ reftable_end_cluster, ++ &on_disk_reftable, ++ &on_disk_reftable_entries); ++ if (reftable_size_changed < 0) { ++ res->check_errors++; ++ ret = reftable_size_changed; ++ goto fail; ++ } ++ ++ /* ++ * If the reftable size has changed, we will need to find a new ++ * allocation, repeating the loop. 
++ */ ++ } while (reftable_size_changed); + +- for (refblock_index = 0; refblock_index < reftable_size; refblock_index++) { ++ /* The above loop must have run at least once */ ++ assert(reftable_offset >= 0); ++ ++ /* ++ * All allocations are done, all refblocks are written, convert the ++ * reftable to big-endian and write it to disk. ++ */ ++ ++ for (refblock_index = 0; refblock_index < on_disk_reftable_entries; ++ refblock_index++) ++ { + cpu_to_be64s(&on_disk_reftable[refblock_index]); + } + +- ret = qcow2_pre_write_overlap_check(bs, 0, reftable_offset, +- reftable_size * REFTABLE_ENTRY_SIZE, ++ ret = qcow2_pre_write_overlap_check(bs, 0, reftable_offset, reftable_length, + false); + if (ret < 0) { + fprintf(stderr, "ERROR writing reftable: %s\n", strerror(-ret)); + goto fail; + } + +- assert(reftable_size < INT_MAX / REFTABLE_ENTRY_SIZE); ++ assert(reftable_length < INT_MAX); + ret = bdrv_pwrite(bs->file, reftable_offset, on_disk_reftable, +- reftable_size * REFTABLE_ENTRY_SIZE); ++ reftable_length); + if (ret < 0) { + fprintf(stderr, "ERROR writing reftable: %s\n", strerror(-ret)); + goto fail; +@@ -2601,7 +2737,7 @@ write_refblocks: + /* Enter new reftable into the image header */ + reftable_offset_and_clusters.reftable_offset = cpu_to_be64(reftable_offset); + reftable_offset_and_clusters.reftable_clusters = +- cpu_to_be32(size_to_clusters(s, reftable_size * REFTABLE_ENTRY_SIZE)); ++ cpu_to_be32(reftable_clusters); + ret = bdrv_pwrite_sync(bs->file, + offsetof(QCowHeader, refcount_table_offset), + &reftable_offset_and_clusters, +@@ -2611,12 +2747,14 @@ write_refblocks: + goto fail; + } + +- for (refblock_index = 0; refblock_index < reftable_size; refblock_index++) { ++ for (refblock_index = 0; refblock_index < on_disk_reftable_entries; ++ refblock_index++) ++ { + be64_to_cpus(&on_disk_reftable[refblock_index]); + } + s->refcount_table = on_disk_reftable; + s->refcount_table_offset = reftable_offset; +- s->refcount_table_size = reftable_size; ++ 
s->refcount_table_size = on_disk_reftable_entries; + update_max_refcount_table_index(s); + + return 0; +-- +2.27.0 + diff --git a/kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch b/kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch new file mode 100644 index 0000000..8a9d7b4 --- /dev/null +++ b/kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch @@ -0,0 +1,176 @@ +From b1eae36683cdfe63af5749b5fe86b1c08fc0f63e Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 13 Apr 2022 14:51:06 -0400 +Subject: [PATCH 04/11] softmmu/physmem: Introduce MemTxAttrs::memory field and + MEMTX_ACCESS_ERROR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +RH-MergeRequest: 158: hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR +RH-Commit: [3/3] 84d64fe85a106f8faf579e43266d4349fc8e65b4 (jmaloy/qemu-kvm) +RH-Bugzilla: 2075686 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Peter Xu + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075686 +Upstream: Merged +CVE: CVE-2021-3750 +Conflicts: memalign.h has not been introduced in this version. Instead, + we include osdep.h where the function prototypes are to be + found. + +commit 3ab6fdc91b72e156da22848f0003ff4225690ced +Author: Philippe Mathieu-Daudé +Date: Wed Dec 15 19:24:21 2021 +0100 + + softmmu/physmem: Introduce MemTxAttrs::memory field and MEMTX_ACCESS_ERROR + + Add the 'memory' bit to the memory attributes to restrict bus + controller accesses to memories. + + Introduce flatview_access_allowed() to check bus permission + before running any bus transaction. + + Have read/write accessors return MEMTX_ACCESS_ERROR if an access is + restricted. + + There is no change for the default case where 'memory' is not set. + + 
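Review bot: `assert(reftable_size_changed);` after the first rebuild_refcounts_write_refblocks() pass turns an in-memory refcount table with no non-zero entry into an abort of the whole `qemu-img check -r` run instead of a reported error; that should be unreachable because the header cluster is always referenced, but I cannot see from here how the table is populated, so consider `if (!reftable_size_changed) { fprintf(stderr, "ERROR empty refcount table\n"); res->check_errors++; ret = -EIO; goto fail; }` in its place. The new rebuild_refcount_structure() header comment has a typo, `accomodate` → `accommodate`, and could state the loop's worst-case cost (one extra full-range allocation scan per reftable growth) since `first_free_cluster` is reset to 0 on every iteration. The function's `fail:` label and cleanup lie outside the hunk.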
Signed-off-by: Philippe Mathieu-Daudé + Message-Id: <20211215182421.418374-4-philmd@redhat.com> + Reviewed-by: Richard Henderson + Reviewed-by: Stefan Hajnoczi + [thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"] + 
Signed-off-by: Thomas Huth + +(cherry picked from commit 3ab6fdc91b72e156da22848f0003ff4225690ced) +Signed-off-by: Jon Maloy +--- + include/exec/memattrs.h | 9 +++++++++ + softmmu/physmem.c | 45 +++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 52 insertions(+), 2 deletions(-) + +diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h +index 95f2d20d55..9fb98bc1ef 100644 +--- a/include/exec/memattrs.h ++++ b/include/exec/memattrs.h +@@ -35,6 +35,14 @@ typedef struct MemTxAttrs { + unsigned int secure:1; + /* Memory access is usermode (unprivileged) */ + unsigned int user:1; ++ /* ++ * Bus interconnect and peripherals can access anything (memories, ++ * devices) by default. By setting the 'memory' bit, bus transaction ++ * are restricted to "normal" memories (per the AMBA documentation) ++ * versus devices. Access to devices will be logged and rejected ++ * (see MEMTX_ACCESS_ERROR). ++ */ ++ unsigned int memory:1; + /* Requester ID (for MSI for example) */ + unsigned int requester_id:16; + /* Invert endianness for this page */ +@@ -66,6 +74,7 @@ typedef struct MemTxAttrs { + #define MEMTX_OK 0 + #define MEMTX_ERROR (1U << 0) /* device returned an error */ + #define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */ ++#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */ + typedef uint32_t MemTxResult; + + #endif +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 483a31be81..4d0ef5f92f 100644 +--- a/softmmu/physmem.c ++++ b/softmmu/physmem.c +@@ -41,6 +41,8 @@ + #include "qemu/config-file.h" + #include "qemu/error-report.h" + #include "qemu/qemu-print.h" ++#include "qemu/log.h" ++#include "qemu/osdep.h" + #include "exec/memory.h" + #include "exec/ioport.h" + #include "sysemu/dma.h" +@@ -2759,6 +2761,33 @@ static bool prepare_mmio_access(MemoryRegion *mr) + return release_lock; + } + ++/** ++ * flatview_access_allowed ++ * @mr: #MemoryRegion to be accessed ++ * @attrs: memory transaction attributes ++ * @addr: address within that 
memory region ++ * @len: the number of bytes to access ++ * ++ * Check if a memory transaction is allowed. ++ * ++ * Returns: true if transaction is allowed, false if denied. ++ */ ++static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs, ++ hwaddr addr, hwaddr len) ++{ ++ if (likely(!attrs.memory)) { ++ return true; ++ } ++ if (memory_region_is_ram(mr)) { ++ return true; ++ } ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "Invalid access to non-RAM device at " ++ "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", " ++ "region '%s'\n", addr, len, memory_region_name(mr)); ++ return false; ++} ++ + /* Called within RCU critical section. */ + static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, + MemTxAttrs attrs, +@@ -2773,7 +2802,10 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr, + const uint8_t *buf = ptr; + + for (;;) { +- if (!memory_access_is_direct(mr, true)) { ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { ++ result |= MEMTX_ACCESS_ERROR; ++ /* Keep going. */ ++ } else if (!memory_access_is_direct(mr, true)) { + release_lock |= prepare_mmio_access(mr); + l = memory_access_size(mr, l, addr1); + /* XXX: could force current_cpu to NULL to avoid +@@ -2818,6 +2850,9 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, true, attrs); ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { ++ return MEMTX_ACCESS_ERROR; ++ } + return flatview_write_continue(fv, addr, attrs, buf, len, + addr1, l, mr); + } +@@ -2836,7 +2871,10 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, + + fuzz_dma_read_cb(addr, len, mr); + for (;;) { +- if (!memory_access_is_direct(mr, false)) { ++ if (!flatview_access_allowed(mr, attrs, addr1, l)) { ++ result |= MEMTX_ACCESS_ERROR; ++ /* Keep going. 
*/ ++ } else if (!memory_access_is_direct(mr, false)) { + /* I/O case */ + release_lock |= prepare_mmio_access(mr); + l = memory_access_size(mr, l, addr1); +@@ -2879,6 +2917,9 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr, + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, false, attrs); ++ if (!flatview_access_allowed(mr, attrs, addr, len)) { ++ return MEMTX_ACCESS_ERROR; ++ } + return flatview_read_continue(fv, addr, attrs, buf, len, + addr1, l, mr); + } +-- +2.27.0 + diff --git a/kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch b/kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch new file mode 100644 index 0000000..d554db2 --- /dev/null +++ b/kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch @@ -0,0 +1,81 @@ +From b570eb3a78a3096af55979ce63d96f5fc012f9e5 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 13 Apr 2022 14:51:06 -0400 +Subject: [PATCH 03/11] softmmu/physmem: Simplify flatview_write and + address_space_access_valid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +RH-MergeRequest: 158: hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR +RH-Commit: [2/3] 66281d1c439be549c7890a662a817dd1b9367ef2 (jmaloy/qemu-kvm) +RH-Bugzilla: 2075686 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Peter Xu + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075686 +Upstream: Merged +CVE: CVE-2021-3750 + +commit 58e74682baf4e1ad26b064d8c02e5bc99c75c5d9 +Author: Philippe Mathieu-Daudé +Date: Wed Dec 15 19:24:20 2021 +0100 + + softmmu/physmem: Simplify flatview_write and address_space_access_valid + + Remove unuseful local 'result' variables. + + Reviewed-by: Peter Xu + Reviewed-by: David Hildenbrand + Reviewed-by: Alexander Bulekov + Reviewed-by: Stefan Hajnoczi + Signed-off-by: Philippe Mathieu-Daudé + Message-Id: <20211215182421.418374-3-philmd@redhat.com> + 
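Review bot: The backport adds `#include "qemu/osdep.h"` in the middle of physmem.c's include list, but osdep.h is the mandatory first include of every QEMU .c file (the existing line is above this hunk's context), so the added line is redundant and the conflict note's rationale is already satisfied; drop it and keep only `#include "qemu/log.h"`. Separately, flatview_access_allowed() emits a LOG_GUEST_ERROR line for every denied transaction, and because flatview_write_continue()/flatview_read_continue() "keep going" after `result |= MEMTX_ACCESS_ERROR`, one large DMA from a guest can produce a log line per translated chunk — it is opt-in logging, but a comment noting that the guest controls the volume, or a single summary line per top-level access, would be worth considering. Also note that flatview_write()/flatview_read() check only the first translated region against the full `len` before delegating; the per-chunk checks in the continue functions are what actually cover the remainder, which the comment on the early return could say.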
Signed-off-by: Thomas Huth + +(cherry picked from commit 58e74682baf4e1ad26b064d8c02e5bc99c75c5d9) +Signed-off-by: Jon Maloy +--- + softmmu/physmem.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/softmmu/physmem.c b/softmmu/physmem.c +index 3524c04c2a..483a31be81 100644 +--- a/softmmu/physmem.c ++++ b/softmmu/physmem.c +@@ -2815,14 +2815,11 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs, + hwaddr l; + hwaddr addr1; + MemoryRegion *mr; +- MemTxResult result = MEMTX_OK; + + l = len; + mr = flatview_translate(fv, addr, &addr1, &l, true, attrs); +- result = flatview_write_continue(fv, addr, attrs, buf, len, +- addr1, l, mr); +- +- return result; ++ return flatview_write_continue(fv, addr, attrs, buf, len, ++ addr1, l, mr); + } + + /* Called within RCU critical section. */ +@@ -3119,12 +3116,10 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, + MemTxAttrs attrs) + { + FlatView *fv; +- bool result; + + RCU_READ_LOCK_GUARD(); + fv = address_space_to_flatview(as); +- result = flatview_access_valid(fv, addr, len, is_write, attrs); +- return result; ++ return flatview_access_valid(fv, addr, len, is_write, attrs); + } + + static hwaddr +-- +2.27.0 + diff --git a/kvm-target-i386-properly-reset-TSC-on-reset.patch b/kvm-target-i386-properly-reset-TSC-on-reset.patch new file mode 100644 index 0000000..9bb8b03 --- /dev/null +++ b/kvm-target-i386-properly-reset-TSC-on-reset.patch 
@@ -0,0 +1,83 @@ +From 83642c73e127b895f91dcd409c4468c953488117 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 24 Mar 2022 09:21:41 +0100 +Subject: [PATCH] target/i386: properly reset TSC on reset + +RH-Author: Paolo Bonzini +RH-MergeRequest: 137: target/i386: properly reset TSC on reset +RH-Commit: [1/1] 5032ac138bf965c0536c2c9feb3dd4d4123c9f9d +RH-Bugzilla: 1975840 +RH-Acked-by: Marcelo Tosatti +RH-Acked-by: Igor Mammedov +RH-Acked-by: Vitaly Kuznetsov + +Some versions of Windows hang on reboot if their TSC value is greater +than 2^54. The calibration of the Hyper-V reference time overflows +and fails; as a result the processors' clock sources are out of sync. + +The issue is that the TSC _should_ be reset to 0 on CPU reset and +QEMU tries to do that. However, KVM special cases writing 0 to the +TSC and thinks that QEMU is trying to hot-plug a CPU, which is +correct the first time through but not later. Thwart this valiant +effort and reset the TSC to 1 instead, but only if the CPU has been +run once. + +For this to work, env->tsc has to be moved to the part of CPUArchState +that is not zeroed at the beginning of x86_cpu_reset. + +Reported-by: Vadim Rozenfeld +Supersedes: <20220324082346.72180-1-pbonzini@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 5286c3662294119dc2dd1e9296757337211451f6) +--- + target/i386/cpu.c | 13 +++++++++++++ + target/i386/cpu.h | 2 +- + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 6e25d13339..dd6935b1dd 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -5871,6 +5871,19 @@ static void x86_cpu_reset(DeviceState *dev) + env->xstate_bv = 0; + + env->pat = 0x0007040600070406ULL; ++ ++ if (kvm_enabled()) { ++ /* ++ * KVM handles TSC = 0 specially and thinks we are hot-plugging ++ * a new CPU, use 1 instead to force a reset. 
++ */ ++ if (env->tsc != 0) { ++ env->tsc = 1; ++ } ++ } else { ++ env->tsc = 0; ++ } ++ + env->msr_ia32_misc_enable = MSR_IA32_MISC_ENABLE_DEFAULT; + if (env->features[FEAT_1_ECX] & CPUID_EXT_MONITOR) { + env->msr_ia32_misc_enable |= MSR_IA32_MISC_ENABLE_MWAIT; +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 04f2b790c9..c6a6c871f1 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -1510,7 +1510,6 @@ typedef struct CPUX86State { + target_ulong kernelgsbase; + #endif + +- uint64_t tsc; + uint64_t tsc_adjust; + uint64_t tsc_deadline; + uint64_t tsc_aux; +@@ -1660,6 +1659,7 @@ typedef struct CPUX86State { + int64_t tsc_khz; + int64_t user_tsc_khz; /* for sanity check only */ + uint64_t apic_bus_freq; ++ uint64_t tsc; + #if defined(CONFIG_KVM) || defined(CONFIG_HVF) + void *xsave_buf; + uint32_t xsave_buf_len; +-- +2.27.0 + diff --git a/kvm-tests-acpi-SLIC-update-expected-blobs.patch b/kvm-tests-acpi-SLIC-update-expected-blobs.patch new file mode 100644 index 0000000..7cea26a --- /dev/null +++ b/kvm-tests-acpi-SLIC-update-expected-blobs.patch 
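Review bot: The relocated `uint64_t tsc;` in cpu.h carries an invariant that nothing at the declaration states: the fix only works because the field now sits outside the region that x86_cpu_reset zeroes, so a later reordering of CPUX86State would silently bring the Windows reboot hang back. Suggest annotating it, e.g. `uint64_t tsc; /* must stay outside the part zeroed by x86_cpu_reset; KVM treats TSC=0 as CPU hot-plug */`. The `if (env->tsc != 0)` branch presumably relies on the very first reset seeing the zero-initialised field so that hot-plug still writes 0; saying so in the comment block above it would make the two-state behaviour explicit. x86_cpu_reset starts outside the hunk.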
@@ -0,0 +1,38 @@ +From 577d4682757e8a26f2eedfc866be09dbd7d37e5b Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Mon, 27 Dec 2021 14:31:20 -0500 +Subject: [PATCH 06/12] tests: acpi: SLIC: update expected blobs + +RH-Author: Igor Mammedov +RH-MergeRequest: 129: acpi: fix QEMU crash when started with SLIC table +RH-Commit: [4/10] 4bef84bbff835d39d3a07f102c650d645f18f8c8 +RH-Bugzilla: 2059311 +RH-Acked-by: Jon Maloy +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: MST + +Signed-off-by: Igor Mammedov +Message-Id: <20211227193120.1084176-5-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit c8adb4d222c42951a9d0367e5f5d4e1f5e2c9ad7) +--- + tests/data/acpi/q35/FACP.slic | Bin 244 -> 244 bytes + tests/data/acpi/q35/SLIC.slic | Bin 0 -> 36 bytes + tests/qtest/bios-tables-test-allowed-diff.h | 2 -- + 3 files changed, 2 deletions(-) + +literal 0 +HcmV?d00001 + +diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h +index 49dbf8fa3e..dfb8523c8b 100644 +--- a/tests/qtest/bios-tables-test-allowed-diff.h ++++ b/tests/qtest/bios-tables-test-allowed-diff.h +@@ -1,3 +1 @@ + /* List of comma-separated changed AML files to ignore */ +-"tests/data/acpi/q35/FACP.slic", +-"tests/data/acpi/q35/SLIC.slic", +-- +2.27.0 + diff --git a/kvm-tests-acpi-add-SLIC-table-test.patch b/kvm-tests-acpi-add-SLIC-table-test.patch new file mode 100644 index 0000000..fc5cd0a --- /dev/null +++ b/kvm-tests-acpi-add-SLIC-table-test.patch 
@@ -0,0 +1,68 @@ +From b3d5600c6bb4b2092f9f61eab0b7fc61226b888e Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Mon, 27 Dec 2021 14:31:19 -0500 +Subject: [PATCH 05/12] tests: acpi: add SLIC table test + +RH-Author: Igor Mammedov +RH-MergeRequest: 129: acpi: fix QEMU crash when started with SLIC table +RH-Commit: [3/10] c27a8c69ef8054631a5551521b2debb67eed3c6b +RH-Bugzilla: 2059311 +RH-Acked-by: Jon Maloy +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: MST + +When user uses '-acpitable' to add SLIC table, some ACPI +tables (FADT) will change its 'Oem ID'/'Oem Table ID' fields to +match that of SLIC. Test makes sure thati QEMU handles +those fields correctly when SLIC table is added with +'-acpitable' option. + +Conflicts: tests/qtest/bios-tables-test.c + due to missing 39d7554b2009 ("tests/acpi: add test case for VIOT") + +Signed-off-by: Igor Mammedov +Message-Id: <20211227193120.1084176-4-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 11edfabee443b149468a82b5efc88c96d1d259ec) +Signed-off-by: Igor Mammedov +--- + tests/qtest/bios-tables-test.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c +index 16d8304cde..e159b71136 100644 +--- a/tests/qtest/bios-tables-test.c ++++ b/tests/qtest/bios-tables-test.c +@@ -1467,6 +1467,20 @@ static void test_acpi_virt_tcg(void) + free_test_data(&data); + } + ++static void test_acpi_q35_slic(void) ++{ ++ test_data data = { ++ .machine = MACHINE_Q35, ++ .variant = ".slic", ++ }; ++ ++ test_acpi_one("-acpitable sig=SLIC,oem_id='CRASH ',oem_table_id='ME'," ++ "oem_rev=00002210,asl_compiler_id='qemu'," ++ "asl_compiler_rev=00000000,data=/dev/null", ++ &data); ++ free_test_data(&data); ++} ++ + static void test_oem_fields(test_data *data) + { + int i; +@@ -1641,6 +1655,7 @@ int main(int argc, char *argv[]) + qtest_add_func("acpi/q35/kvm/xapic", test_acpi_q35_kvm_xapic); + 
qtest_add_func("acpi/q35/kvm/dmar", test_acpi_q35_kvm_dmar); + } ++ qtest_add_func("acpi/q35/slic", test_acpi_q35_slic); + } else if (strcmp(arch, "aarch64") == 0) { + if (has_tcg) { + qtest_add_func("acpi/virt", test_acpi_virt_tcg); +-- +2.27.0 + diff --git a/kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch b/kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch new file mode 100644 index 0000000..326ccc7 --- /dev/null +++ b/kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch 
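Review bot: test_acpi_q35_slic has no comment saying what it checks, and the unusual `oem_id='CRASH '` / `oem_table_id='ME'` values are only explained in the commit message (the FADT must take its Oem ID / Oem Table ID from a user-supplied SLIC). A short comment above the function would carry that into the file, e.g. `/* SLIC added via -acpitable: FADT's Oem ID / Oem Table ID must follow it; verified against the .slic expected blobs */`. The `data=/dev/null` argument also makes the test depend on a host path, which is worth a word in the same comment.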
@@ -0,0 +1,76 @@ +From 42554e549e4843f4611be3b48101985adb5f52de Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Wed, 12 Jan 2022 08:03:29 -0500 +Subject: [PATCH 07/12] tests: acpi: manually pad OEM_ID/OEM_TABLE_ID for + test_oem_fields() test + +RH-Author: Igor Mammedov +RH-MergeRequest: 129: acpi: fix QEMU crash when started with SLIC table +RH-Commit: [5/10] eabc0211172d707e50564cc43060c3c383cdcac2 +RH-Bugzilla: 2059311 +RH-Acked-by: Jon Maloy +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: MST + +The next commit will revert OEM fields padding with whitespace to +padding with '\0' as it was before [1]. As result test_oem_fields() will +fail due to unexpectedly smaller ID sizes read from QEMU ACPI tables. + +Pad OEM_ID/OEM_TABLE_ID manually with spaces so that values the test +puts on QEMU CLI and expected values match. + +1) 602b458201 ("acpi: Permit OEM ID and OEM table ID fields to be changed") +Signed-off-by: Igor Mammedov +Message-Id: <20220112130332.1648664-2-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. 
Tsirkin +(cherry picked from commit a849522f726767022203ef2b6c395ea19facb866) +Signed-off-by: Igor Mammedov +--- + tests/qtest/bios-tables-test.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c +index e159b71136..348fdbd202 100644 +--- a/tests/qtest/bios-tables-test.c ++++ b/tests/qtest/bios-tables-test.c +@@ -71,9 +71,10 @@ + + #define ACPI_REBUILD_EXPECTED_AML "TEST_ACPI_REBUILD_AML" + +-#define OEM_ID "TEST" +-#define OEM_TABLE_ID "OEM" +-#define OEM_TEST_ARGS "-machine x-oem-id="OEM_ID",x-oem-table-id="OEM_TABLE_ID ++#define OEM_ID "TEST " ++#define OEM_TABLE_ID "OEM " ++#define OEM_TEST_ARGS "-machine x-oem-id='" OEM_ID "',x-oem-table-id='" \ ++ OEM_TABLE_ID "'" + + typedef struct { + bool tcg_only; +@@ -1484,11 +1485,7 @@ static void test_acpi_q35_slic(void) + static void test_oem_fields(test_data *data) + { + int i; +- char oem_id[6]; +- char oem_table_id[8]; + +- strpadcpy(oem_id, sizeof oem_id, OEM_ID, ' '); +- strpadcpy(oem_table_id, sizeof oem_table_id, OEM_TABLE_ID, ' '); + for (i = 0; i < data->tables->len; ++i) { + AcpiSdtTable *sdt; + +@@ -1498,8 +1495,8 @@ static void test_oem_fields(test_data *data) + continue; + } + +- g_assert(memcmp(sdt->aml + 10, oem_id, 6) == 0); +- g_assert(memcmp(sdt->aml + 16, oem_table_id, 8) == 0); ++ g_assert(memcmp(sdt->aml + 10, OEM_ID, 6) == 0); ++ g_assert(memcmp(sdt->aml + 16, OEM_TABLE_ID, 8) == 0); + } + } + +-- +2.27.0 + diff --git a/kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch b/kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch new file mode 100644 index 0000000..cf8c452 --- /dev/null +++ b/kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch 
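Review bot: After this change the `OEM_ID` / `OEM_TABLE_ID` literals must be exactly 6 and 8 characters to match the hard-coded `memcmp(..., 6)` and `memcmp(..., 8)` lengths, and nothing enforces that; a trailing space dropped from either define would make the memcmp read past the literal instead of failing to compile. Tie the two together with `QEMU_BUILD_BUG_ON(sizeof(OEM_ID) != 7)` and `QEMU_BUILD_BUG_ON(sizeof(OEM_TABLE_ID) != 9)` next to the defines, or compare with `sizeof(OEM_ID) - 1` / `sizeof(OEM_TABLE_ID) - 1`. test_oem_fields starts outside the hunk.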
@@ -0,0 +1,69 @@ +From 466d5a7fca84f2932a0b3262f9c62b42d6fb300e Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Fri, 14 Jan 2022 09:26:41 -0500 +Subject: [PATCH 11/12] tests: acpi: test short OEM_ID/OEM_TABLE_ID values in + test_oem_fields() + +RH-Author: Igor Mammedov +RH-MergeRequest: 129: acpi: fix QEMU crash when started with SLIC table +RH-Commit: [9/10] 9daf8f8c63f513372f81268016885b71f5f89cf3 +RH-Bugzilla: 2059311 +RH-Acked-by: Jon Maloy +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: MST + +Previous patch [1] added explicit whitespace padding to OEM_ID/OEM_TABLE_ID +values used in test_oem_fields() testcase to avoid false positive and +bisection issues when QEMU is switched to \0' padding. As result +testcase ceased to test values that were shorter than max possible +length values. + +Update testcase to make sure that it's testing shorter IDs like it +used to before [2]. + +1) "tests: acpi: manually pad OEM_ID/OEM_TABLE_ID for test_oem_fields() test" +2) 602b458201 ("acpi: Permit OEM ID and OEM table ID fields to be changed") + +Signed-off-by: Igor Mammedov +Message-Id: <20220114142641.1727679-1-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. 
Tsirkin +(cherry picked from commit 408ca92634770de5eac7965ed97c6260e770f2e7) +Signed-off-by: Igor Mammedov +--- + tests/qtest/bios-tables-test.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c +index 348fdbd202..515a647490 100644 +--- a/tests/qtest/bios-tables-test.c ++++ b/tests/qtest/bios-tables-test.c +@@ -71,10 +71,10 @@ + + #define ACPI_REBUILD_EXPECTED_AML "TEST_ACPI_REBUILD_AML" + +-#define OEM_ID "TEST " +-#define OEM_TABLE_ID "OEM " +-#define OEM_TEST_ARGS "-machine x-oem-id='" OEM_ID "',x-oem-table-id='" \ +- OEM_TABLE_ID "'" ++#define OEM_ID "TEST" ++#define OEM_TABLE_ID "OEM" ++#define OEM_TEST_ARGS "-machine x-oem-id=" OEM_ID ",x-oem-table-id=" \ ++ OEM_TABLE_ID + + typedef struct { + bool tcg_only; +@@ -1495,8 +1495,8 @@ static void test_oem_fields(test_data *data) + continue; + } + +- g_assert(memcmp(sdt->aml + 10, OEM_ID, 6) == 0); +- g_assert(memcmp(sdt->aml + 16, OEM_TABLE_ID, 8) == 0); ++ g_assert(strncmp((char *)sdt->aml + 10, OEM_ID, 6) == 0); ++ g_assert(strncmp((char *)sdt->aml + 16, OEM_TABLE_ID, 8) == 0); + } + } + +-- +2.27.0 + diff --git a/kvm-tests-acpi-update-expected-blobs.patch b/kvm-tests-acpi-update-expected-blobs.patch new file mode 100644 index 0000000..210f116 --- /dev/null +++ b/kvm-tests-acpi-update-expected-blobs.patch 
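Review bot: Switching to `strncmp` with the shorter literals means the comparison stops at the first NUL, so only the first strlen(OEM_ID)+1 bytes of the 6-byte Oem ID field and strlen(OEM_TABLE_ID)+1 bytes of the 8-byte Oem Table ID field are verified; the remaining bytes (byte 6, and bytes 5 to 8) can hold anything and the assertions still pass. The commit message says the goal is to check that short IDs are NUL-padded, so the padding bytes should be compared explicitly; `strpadcpy`, which the previous patch removed from this function, does that with '\0' as the pad character. test_oem_fields starts outside the hunk.
```c
static void test_oem_fields(test_data *data)
{
    int i;
    char oem_id[6];
    char oem_table_id[8];

    strpadcpy(oem_id, sizeof oem_id, OEM_ID, '\0');
    strpadcpy(oem_table_id, sizeof oem_table_id, OEM_TABLE_ID, '\0');
    /* … unchanged: loop over data->tables, skip tables without OEM fields … */
        g_assert(memcmp(sdt->aml + 10, oem_id, sizeof oem_id) == 0);
        g_assert(memcmp(sdt->aml + 16, oem_table_id, sizeof oem_table_id) == 0);
```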
@@ -0,0 +1,51 @@ +From 6072c9986ebe95feceadcf0d75d8a6b1ed919414 Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Wed, 12 Jan 2022 08:03:32 -0500 +Subject: [PATCH 10/12] tests: acpi: update expected blobs + +RH-Author: Igor Mammedov +RH-MergeRequest: 129: acpi: fix QEMU crash when started with SLIC table +RH-Commit: [8/10] a4ba098c69a8a2911143ba6e74ed3a61640e02f8 +RH-Bugzilla: 2059311 +RH-Acked-by: Jon Maloy +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: MST + +Expected changes caused by previous commit: + +nvdimm ssdt (q35/pc/virt): + - * OEM Table ID "NVDIMM " + + * OEM Table ID "NVDIMM" + +SLIC test FADT (tests/data/acpi/q35/FACP.slic): + -[010h 0016 8] Oem Table ID : "ME " + +[010h 0016 8] Oem Table ID : "ME" + +Signed-off-by: Igor Mammedov +Message-Id: <20220112130332.1648664-5-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 5adc3aba875416b0e077d8a29ddd0357883746f4) +Signed-off-by: Igor Mammedov +--- + tests/data/acpi/pc/SSDT.dimmpxm | Bin 734 -> 734 bytes + tests/data/acpi/q35/FACP.slic | Bin 244 -> 244 bytes + tests/data/acpi/q35/SSDT.dimmpxm | Bin 734 -> 734 bytes + tests/data/acpi/virt/SSDT.memhp | Bin 736 -> 736 bytes + tests/qtest/bios-tables-test-allowed-diff.h | 4 ---- + 5 files changed, 4 deletions(-) + + +diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h +index 7faa8f53be..dfb8523c8b 100644 +--- a/tests/qtest/bios-tables-test-allowed-diff.h ++++ b/tests/qtest/bios-tables-test-allowed-diff.h +@@ -1,5 +1 @@ + /* List of comma-separated changed AML files to ignore */ +-"tests/data/acpi/virt/SSDT.memhp", +-"tests/data/acpi/pc/SSDT.dimmpxm", +-"tests/data/acpi/q35/SSDT.dimmpxm", +-"tests/data/acpi/q35/FACP.slic", +-- +2.27.0 + diff --git a/kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch b/kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch new file mode 100644 index 0000000..2d6a6a2 --- /dev/null 
+++ b/kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch @@ -0,0 +1,40 @@ +From 8ffeee963539987cada8999acb9438fab6969851 Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Mon, 27 Dec 2021 14:31:18 -0500 +Subject: [PATCH 04/12] tests: acpi: whitelist expected blobs before changing + them + +RH-Author: Igor Mammedov +RH-MergeRequest: 129: acpi: fix QEMU crash when started with SLIC table +RH-Commit: [2/10] f25d60661656d4ebc14b9baebfb15bb140651011 +RH-Bugzilla: 2059311 +RH-Acked-by: Jon Maloy +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: MST + +Signed-off-by: Igor Mammedov +Message-Id: <20211227193120.1084176-3-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit e71f6ab9d93a7d01e833647e7010c1079c4cef30) +--- + tests/data/acpi/q35/FACP.slic | Bin 0 -> 244 bytes + tests/data/acpi/q35/SLIC.slic | 0 + tests/qtest/bios-tables-test-allowed-diff.h | 2 ++ + 3 files changed, 2 insertions(+) + create mode 100644 tests/data/acpi/q35/FACP.slic + create mode 100644 tests/data/acpi/q35/SLIC.slic + + + +diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h +index dfb8523c8b..49dbf8fa3e 100644 +--- a/tests/qtest/bios-tables-test-allowed-diff.h ++++ b/tests/qtest/bios-tables-test-allowed-diff.h +@@ -1 +1,3 @@ + /* List of comma-separated changed AML files to ignore */ ++"tests/data/acpi/q35/FACP.slic", ++"tests/data/acpi/q35/SLIC.slic", +-- +2.27.0 + diff --git a/kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch b/kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch new file mode 100644 index 0000000..4d05044 --- /dev/null +++ b/kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch 
@@ -0,0 +1,49 @@ +From 12fc404b1ecf76e69c309b65ead86298a2606051 Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Wed, 12 Jan 2022 08:03:30 -0500 +Subject: [PATCH 08/12] tests: acpi: whitelist nvdimm's SSDT and FACP.slic + expected blobs + +RH-Author: Igor Mammedov +RH-MergeRequest: 129: acpi: fix QEMU crash when started with SLIC table +RH-Commit: [6/10] 2e82d4c0184d499f449dc24a8bd6991273ad2db9 +RH-Bugzilla: 2059311 +RH-Acked-by: Jon Maloy +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: MST + +The next commit will revert OEM fields whitespace padding to +padding with '\0' as it was before [1]. That will change OEM +Table ID for: + * SSDT.*: where it was padded from 6 characters to 8 + * FACP.slic: where it was padded from 2 characters to 8 +after reverting whitespace padding, it will be replaced with +'\0' which effectively will shorten OEM table ID to 6 and 2 +characters. + +Whitelist affected tables before introducing the change. + +1) 602b458201 ("acpi: Permit OEM ID and OEM table ID fields to be changed") +Signed-off-by: Igor Mammedov +Message-Id: <20220112130332.1648664-3-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit d1e4a4654154925eddf0fc449fa9c92b806b9c8c) +Signed-off-by: Igor Mammedov +--- + tests/qtest/bios-tables-test-allowed-diff.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h +index dfb8523c8b..7faa8f53be 100644 +--- a/tests/qtest/bios-tables-test-allowed-diff.h ++++ b/tests/qtest/bios-tables-test-allowed-diff.h +@@ -1 +1,5 @@ + /* List of comma-separated changed AML files to ignore */ ++"tests/data/acpi/virt/SSDT.memhp", ++"tests/data/acpi/pc/SSDT.dimmpxm", ++"tests/data/acpi/q35/SSDT.dimmpxm", ++"tests/data/acpi/q35/FACP.slic", +-- +2.27.0 + 
diff --git a/kvm-ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch b/kvm-ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch new file mode 100644 index 0000000..cdff4fb --- /dev/null +++ b/kvm-ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch @@ -0,0 +1,105 @@ +From 0a493615833edbe6448bc639200b4a5fa7d492e3 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 4 May 2022 10:35:17 -0400 +Subject: [PATCH 2/2] ui/cursor: fix integer overflow in cursor_alloc + (CVE-2021-4206) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +RH-MergeRequest: 190: ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) +RH-Commit: [1/1] 80588f646942c345a2491812cb41aacd4c0805ff (jmaloy/qemu-kvm) +RH-Bugzilla: 2082622 +RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Mauro Matteo Cascella + +BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2082622 +Upstream: Merged +CVE: CVE-2021-4206 + +commit fa892e9abb728e76afcf27323ab29c57fb0fe7aa +Author: Mauro Matteo Cascella +Date: Thu Apr 7 10:17:12 2022 +0200 + + ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) + + Prevent potential integer overflow by limiting 'width' and 'height' to + 512x512. Also change 'datasize' type to size_t. Refer to security + advisory https://starlabs.sg/advisories/22-4206/ for more information. + + Fixes: CVE-2021-4206 + Signed-off-by: Mauro Matteo Cascella + Reviewed-by: Marc-André Lureau + Message-Id: <20220407081712.345609-1-mcascell@redhat.com> + 
Signed-off-by: Gerd Hoffmann + +(cherry picked from commit fa892e9abb728e76afcf27323ab29c57fb0fe7aa) +Signed-off-by: Jon Maloy +--- + hw/display/qxl-render.c | 7 +++++++ + hw/display/vmware_vga.c | 2 ++ + ui/cursor.c | 8 +++++++- + 3 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index 237ed293ba..ca217004bf 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + size_t size; + + c = cursor_alloc(cursor->header.width, cursor->header.height); ++ ++ if (!c) { ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__, ++ cursor->header.width, cursor->header.height); ++ goto fail; ++ } ++ + c->hot_x = cursor->header.hot_spot_x; + c->hot_y = cursor->header.hot_spot_y; + switch (cursor->header.type) { +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index e2969a6c81..2b81d6122f 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -509,6 +509,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s, + int i, pixels; + + qc = cursor_alloc(c->width, c->height); ++ assert(qc != NULL); ++ + qc->hot_x = c->hot_x; + qc->hot_y = c->hot_y; + switch (c->bpp) { +diff --git a/ui/cursor.c b/ui/cursor.c +index 1d62ddd4d0..835f0802f9 100644 +--- a/ui/cursor.c ++++ b/ui/cursor.c +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[]) + + /* parse pixel data */ + c = cursor_alloc(width, height); ++ assert(c != NULL); ++ + for (pixel = 0, y = 0; y < height; y++, line++) { + for (x = 0; x < height; x++, pixel++) { + idx = xpm[line][x]; +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) + QEMUCursor *cursor_alloc(int width, int height) + { + QEMUCursor *c; +- int datasize = width * height * sizeof(uint32_t); ++ size_t datasize = width * height * sizeof(uint32_t); ++ ++ if (width > 512 || height > 512) { ++ return NULL; ++ } + + c = 
g_malloc0(sizeof(QEMUCursor) + datasize); + c->width = width; +-- +2.35.3 + diff --git a/kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch b/kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch new file mode 100644 index 0000000..9378e84 --- /dev/null +++ b/kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch @@ -0,0 +1,78 @@ +From 2abf617accf878bec7f1c0419d5b85c93b0aa426 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Thu, 14 Apr 2022 10:38:26 -0400 +Subject: [PATCH 07/11] vhost-vsock: detach the virqueue element in case of + error + +RH-Author: Jon Maloy +RH-MergeRequest: 168: vhost-vsock: detach the virqueue element in case of error +RH-Commit: [1/1] f81a39d26a7165f8b717fdeeb9526081cb73129b (jmaloy/qemu-kvm) +RH-Bugzilla: 2075639 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Jason Wang +RH-Acked-by: Stefan Hajnoczi + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075639 +Upstream: Merged +CVE: CVE-2022-26354 + +commit 8d1b247f3748ac4078524130c6d7ae42b6140aaf +Author: Stefano Garzarella +Date: Mon Feb 28 10:50:58 2022 +0100 + + vhost-vsock: detach the virqueue element in case of error + + In vhost_vsock_common_send_transport_reset(), if an element popped from + the virtqueue is invalid, we should call virtqueue_detach_element() to + detach it from the virtqueue before freeing its memory. + + Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device") + Fixes: CVE-2022-26354 + Cc: qemu-stable@nongnu.org + Reported-by: VictorV + Signed-off-by: Stefano Garzarella + Message-Id: <20220228095058.27899-1-sgarzare@redhat.com> + Reviewed-by: Stefan Hajnoczi + Reviewed-by: Michael S. Tsirkin + 
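Review bot: In cursor_alloc the new bound `width > 512 || height > 512` still accepts negative values, and `datasize` is computed from `width * height` in int arithmetic on the line before the check, so the overflow the commit targets is only made harmless by the early return rather than prevented at the multiplication. Moving the computation after the check and rejecting negatives closes both: `if (width < 0 || width > 512 || height < 0 || height > 512) { return NULL; }` followed by `size_t datasize = (size_t)width * height * sizeof(uint32_t);`. In vmware_vga.c the NULL result becomes `assert(qc != NULL)`, which is a guest-reachable abort unless vmsvga_cursor_define's caller already bounds `c->width` / `c->height` before the call (not visible in this hunk); either that check should be confirmed or the failure handled like qxl_cursor does with qxl_set_guest_bug.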
Signed-off-by: Michael S. Tsirkin + +(cherry picked from commit 8d1b247f3748ac4078524130c6d7ae42b6140aaf) +Signed-off-by: Jon Maloy +--- + hw/virtio/vhost-vsock-common.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c +index 3f3771274e..ed706681ac 100644 +--- a/hw/virtio/vhost-vsock-common.c ++++ b/hw/virtio/vhost-vsock-common.c +@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc) + if (elem->out_num) { + error_report("invalid vhost-vsock event virtqueue element with " + "out buffers"); +- goto out; ++ goto err; + } + + if (iov_from_buf(elem->in_sg, elem->in_num, 0, + &event, sizeof(event)) != sizeof(event)) { + error_report("vhost-vsock event virtqueue element is too short"); +- goto out; ++ goto err; + } + + virtqueue_push(vq, elem, sizeof(event)); + virtio_notify(VIRTIO_DEVICE(vvc), vq); + +-out: ++ g_free(elem); ++ return; ++ ++err: ++ virtqueue_detach_element(vq, elem, 0); + g_free(elem); + } + +-- +2.27.0 + diff --git a/kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch b/kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch new file mode 100644 index 0000000..494365a --- /dev/null +++ b/kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch 
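Review bot: The new `err:` label deserves a one-line comment, because both paths end in `g_free(elem)` and the reason the error path additionally detaches is easy to lose in a later edit: `err: /* elem was popped but never pushed: detach it so the virtqueue does not keep it accounted as in use */`. vhost_vsock_common_send_transport_reset starts outside the hunk, so the pop that pairs with this detach is not visible here.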
@@ -0,0 +1,63 @@ +From ba9806fd38f113deb452156fdc644407f061311c Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 8 Mar 2022 10:42:51 +0800 +Subject: [PATCH 06/11] virtio-net: fix map leaking on error during receive +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +RH-MergeRequest: 165: virtio-net: fix map leaking on error during receive +RH-Commit: [1/1] f0546c74a5bfd37de473703f6a7c6f8f29fb0831 (jmaloy/qemu-kvm) +RH-Bugzilla: 2075637 +RH-Acked-by: Mauro Matteo Cascella +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Gerd Hoffmann + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075637 +Upstream: Merged +CVE: CVE-2022-26353 + +commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37 +Author: Jason Wang +Date: Tue Mar 8 10:42:51 2022 +0800 + + virtio-net: fix map leaking on error during receive + + Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") + tries to fix the use after free of the sg by caching the virtqueue + elements in an array and unmap them at once after receiving the + packets, But it forgot to unmap the cached elements on error which + will lead to leaking of mapping and other unexpected results. + + Fixing this by detaching the cached elements on error. This addresses + CVE-2022-26353. + + Reported-by: Victor Tom + Cc: qemu-stable@nongnu.org + Fixes: CVE-2022-26353 + Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") + Reviewed-by: Michael S. Tsirkin + 
Signed-off-by: Jason Wang + +(cherry picked from commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37) +Signed-off-by: Jon Maloy +--- + hw/net/virtio-net.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index f2014d5ea0..e1f4748831 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + + err: + for (j = 0; j < i; j++) { ++ virtqueue_detach_element(q->rx_vq, elems[j], lens[j]); + g_free(elems[j]); + } + +-- +2.27.0 + diff --git a/kvm-virtiofsd-Adjust-limit-for-minor-version.patch b/kvm-virtiofsd-Adjust-limit-for-minor-version.patch deleted file mode 100644 index 30ec553..0000000 --- a/kvm-virtiofsd-Adjust-limit-for-minor-version.patch +++ /dev/null 
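Review bot: The added `virtqueue_detach_element(q->rx_vq, elems[j], lens[j])` would read better with a comment, since the adjacent `g_free` makes it look like plain cleanup while the commit message says the detach is what releases the cached mappings: `/* elems[0..i) were popped but not pushed: detach to release their mappings before freeing */`. Whether the element at index i, the one being processed when the error was hit, needs the same treatment depends on code outside the hunk; virtio_net_receive_rcu starts outside it.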
@@ -1,41 +0,0 @@ -From 3b7200134925fcf5ae99b5c3b34465456d3bc002 Mon Sep 17 00:00:00 2001 -From: Jacob Wang -Date: Mon, 2 Aug 2021 01:16:05 +0800 -Subject: [PATCH 1/1] virtiofsd: Adjust limit for minor version - -Upstream virtiofsd only supports fuse >= 7.31 -(https://github.com/qemu/qemu/commit/72c42e2d65510e073cf78fdc924d121c77fa0080), -while Cloud Kernel has fuse version 7.27, which causes virtiofs fails to run -due to version mismatch. This limitation is unnecessary in Cloud Kernel because -we have already backported mandatory fuse patches to support virtofs -frontend in Kernel. Hence, adjust the minor version limit to 7.27 to -suppress the limitation. - -Note that current fuse implementation in Cloud Kernel might lack of some -certain capabilities in fuse 7.28 ~ 7.31, which may cause unexpected results, -this patch is merely a workaround to enable virtiofs in guest kernel side and -further action is ongoing to make sure fuse APIs in both sides are 100% -compatible. - -Signed-off-by: Jacob Wang -Acked-by: Caspar Zhang ---- - tools/virtiofsd/fuse_lowlevel.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c -index 2dd36ec..2bb4318 100644 ---- a/tools/virtiofsd/fuse_lowlevel.c -+++ b/tools/virtiofsd/fuse_lowlevel.c -@@ -1917,7 +1917,7 @@ static void do_init(fuse_req_t req, fuse_ino_t nodeid, - outarg.major = FUSE_KERNEL_VERSION; - outarg.minor = FUSE_KERNEL_MINOR_VERSION; - -- if (arg->major < 7 || (arg->major == 7 && arg->minor < 31)) { -+ if (arg->major < 7 || (arg->major == 7 && arg->minor < 27)) { - fuse_log(FUSE_LOG_ERR, "fuse: unsupported protocol version: %u.%u\n", - arg->major, arg->minor); - fuse_reply_err(req, EPROTO); --- -1.8.3.1 - diff --git a/kvm-vmxcap-Add-5-level-EPT-bit.patch b/kvm-vmxcap-Add-5-level-EPT-bit.patch new file mode 100644 index 0000000..e52d7ac --- /dev/null +++ b/kvm-vmxcap-Add-5-level-EPT-bit.patch 
@@ -0,0 +1,49 @@ +From 51246c7571ba4cac7bd08ad318abe135a9ca7aa5 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Wed, 16 Mar 2022 09:47:32 +0100 +Subject: [PATCH 01/12] vmxcap: Add 5-level EPT bit + +RH-Author: Vitaly Kuznetsov +RH-MergeRequest: 127: i386: Add Icelake-Server-v6 CPU model with 5-level EPT support +RH-Commit: [1/2] e05cbbd3e6544fc86f2cfa86a097cbd11a91a68e +RH-Bugzilla: 2056986 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Cornelia Huck + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2056986 +Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=43862707 + +commit d312378e59658473aa91aa15c67ec6200d92e5ff +Author: Vitaly Kuznetsov +Date: Mon Feb 21 15:53:16 2022 +0100 + + vmxcap: Add 5-level EPT bit + + 5-level EPT is present in Icelake Server CPUs and is supported by QEMU + ('vmx-page-walk-5'). + + Signed-off-by: Vitaly Kuznetsov + Message-Id: <20220221145316.576138-2-vkuznets@redhat.com> + Signed-off-by: Paolo Bonzini + +Signed-off-by: Vitaly Kuznetsov +--- + scripts/kvm/vmxcap | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/scripts/kvm/vmxcap b/scripts/kvm/vmxcap +index 6fe66d5f57..f140040104 100755 +--- a/scripts/kvm/vmxcap ++++ b/scripts/kvm/vmxcap +@@ -249,6 +249,7 @@ controls = [ + bits = { + 0: 'Execute-only EPT translations', + 6: 'Page-walk length 4', ++ 7: 'Page-walk length 5', + 8: 'Paging-structure memory type UC', + 14: 'Paging-structure memory type WB', + 16: '2MB EPT pages', +-- +2.27.0 + diff --git a/qemu-kvm.spec b/qemu-kvm.spec index 91ff72a..ca923fd 100644 --- a/qemu-kvm.spec +++ b/qemu-kvm.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 %global SLOF_gittagdate 20191022 %global SLOF_gittagcommit 899d9883 
@@ -84,7 +83,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release} Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 6.2.0 -Release: 8%{?rcrel}%{anolis_release}%{?dist} +Release: 11%{?rcrel}%{?dist}.2 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 15 License: GPLv2 and GPLv2+ and CC-BY @@ -119,6 +118,10 @@ Source33: qemu-pr-helper.socket Source34: 81-kvm-rhel.rules Source35: udev-kvm-check.c Source36: README.tests +Source37: tests_data_acpi_pc_SSDT.dimmpxm +Source38: tests_data_acpi_q35_FACP.slic +Source39: tests_data_acpi_q35_SSDT.dimmpxm +Source40: tests_data_acpi_virt_SSDT.memhp Patch0001: 0001-redhat-Adding-slirp-to-the-exploded-tree.patch 
@@ -203,8 +206,69 @@ Patch52: kvm-iotests-281-Test-lingering-timers.patch
 Patch53: kvm-block-nbd-Move-s-ioc-on-AioContext-change.patch
 # For bz#2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
 Patch54: kvm-iotests-281-Let-NBD-connection-yield-in-iothread.patch
+# For bz#2061856 - Revert IBM-specific Ubuntu-compatibility machine type for 8.6-AV GA
+Patch55: kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch
+# For bz#2061856 - Revert IBM-specific Ubuntu-compatibility machine type for 8.6-AV GA
+Patch56: kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch
+# For bz#2061856 - Revert IBM-specific Ubuntu-compatibility machine type for 8.6-AV GA
+Patch57: kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch
+# For bz#2027208 - [virtual network][vDPA] qemu crash after hot unplug vdpa device
+Patch58: kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch
+# For bz#2054597 - Do operation to disk will hang in the guest of target host after hotplugging and migrating
+Patch59: kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch
+# For bz#2054597 - Do operation to disk will hang in the guest of target host after hotplugging and migrating
+Patch60: kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch
+# For bz#2056986 - Win11 (q35+edk2) guest broke after install wsl2 through 'wsl --install -d Ubuntu-20.04'
+Patch61: kvm-vmxcap-Add-5-level-EPT-bit.patch
+# For bz#2056986 - Win11 (q35+edk2) guest broke after install wsl2 through 'wsl --install -d Ubuntu-20.04'
+Patch62: kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch
+# For bz#2059311 - Guest can not start with SLIC acpi table
+Patch63: kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
+# For bz#2059311 - Guest can not start with SLIC acpi table
+Patch64: kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch
+# For bz#2059311 - Guest can not start with SLIC acpi table
+Patch65: kvm-tests-acpi-add-SLIC-table-test.patch
+# For bz#2059311 - Guest can not start with SLIC acpi table
+Patch66: kvm-tests-acpi-SLIC-update-expected-blobs.patch
+# For bz#2059311 - Guest can not start with SLIC acpi table
+Patch67: kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch
+# For bz#2059311 - Guest can not start with SLIC acpi table
+Patch68: kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch
+# For bz#2059311 - Guest can not start with SLIC acpi table
+Patch69: kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch
+# For bz#2059311 - Guest can not start with SLIC acpi table
+Patch70: kvm-tests-acpi-update-expected-blobs.patch
+# For bz#2059311 - Guest can not start with SLIC acpi table
+Patch71: kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch
+# For bz#1975840 - Windows guest hangs after updating and restarting from the guest OS
+Patch72: kvm-target-i386-properly-reset-TSC-on-reset.patch
+# For bz#2071103 - RHEL 9.0 guest with vsock device migration failed from RHEL 9.0 > RHEL 8.6 [rhel-8.6.0.z]
+Patch73: kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch
+# For bz#2075686 - CVE-2021-3750 virt:rhel/qemu-kvm: QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free [rhel-8] [rhel-8.6.0.z]
+Patch74: kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch
+# For bz#2075686 - CVE-2021-3750 virt:rhel/qemu-kvm: QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free [rhel-8] [rhel-8.6.0.z]
+Patch75: kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch
+# For bz#2075686 - CVE-2021-3750 virt:rhel/qemu-kvm: QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free [rhel-8] [rhel-8.6.0.z]
+Patch76: kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch
+# For bz#2075683 - CVE-2021-4207 virt:rhel/qemu-kvm: QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow [rhel-8] [rhel-8.6.0.z]
+Patch77: kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch
+# For bz#2075637 - CVE-2022-26353 virt:rhel/qemu-kvm: 
QEMU: virtio-net: map leaking on error during receive [rhel-8] [rhel-8.6.0.z]
+Patch78: kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch
+# For bz#2075639 - CVE-2022-26354 virt:rhel/qemu-kvm: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak [rhel-8] [rhel-8.6.0.z]
+Patch79: kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
+# For bz#2072242 - Fail to rebuild the reference count tables of qcow2 image on host block devices (e.g. LVs) [rhel-8.6.0.z]
+Patch80: kvm-qcow2-Improve-refcount-structure-rebuilding.patch
+# For bz#2072242 - Fail to rebuild the reference count tables of qcow2 image on host block devices (e.g. LVs) [rhel-8.6.0.z]
+Patch81: kvm-iotests-108-Test-new-refcount-rebuild-algorithm.patch
+# For bz#2072242 - Fail to rebuild the reference count tables of qcow2 image on host block devices (e.g. LVs) [rhel-8.6.0.z]
+Patch82: kvm-qcow2-Add-errp-to-rebuild_refcount_structure.patch
+# For bz#2072242 - Fail to rebuild the reference count tables of qcow2 image on host block devices (e.g. LVs) [rhel-8.6.0.z]
+Patch83: kvm-iotests-108-Fix-when-missing-user_allow_other.patch
+# For bz#2077928 - Remove upstream-only devices from the qemu-kvm binary [rhel-8.6.0.z]
+Patch84: kvm-Revert-redhat-Add-some-devices-for-exporting-upstrea.patch
+# For bz#2082622 - CVE-2021-4206 virt:rhel/qemu-kvm: QEMU: QXL: integer overflow in cursor_alloc() can lead to heap buffer overflow [rhel-8.6.0.z]
+Patch85: kvm-ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch
-Patch1000: kvm-virtiofsd-Adjust-limit-for-minor-version.patch
 BuildRequires: wget
 BuildRequires: rpm-build
@@ -535,7 +599,10 @@ mkdir slirp
 %global qemu_kvm_build qemu_kvm_build
 mkdir -p %{qemu_kvm_build}
-
+cp -f %{SOURCE37} tests/data/acpi/pc/SSDT.dimmpxm
+cp -f %{SOURCE38} tests/data/acpi/q35/FACP.slic
+cp -f %{SOURCE39} tests/data/acpi/q35/SSDT.dimmpxm
+cp -f %{SOURCE40} tests/data/acpi/virt/SSDT.memhp
 %build
 %global buildarch %{kvm_target}-softmmu
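Review bot: The four `cp -f %{SOURCE37..40} tests/data/acpi/...` lines in the %prep hunk overwrite upstream expected-blob files with no comment saying why, while the neighbouring Patch lines all carry a `# For bz#...` rationale. A reader of the spec cannot tell these copies are the bz#2059311 blob update that could not be carried as a patch, which the changelog hunk describes as "workaround for lack of binary patches in SRPM". Add one line above the copies, `# For bz#2059311 - expected ACPI blobs updated by Patch63-71; shipped as Source37-40 because the SRPM cannot carry binary patches`, so the Source/cp pairing stays traceable when those patches are later rebased or dropped. The Patch list hunk that shares this line is consistent with the changelog entries for 6.2.0-9 through 6.2.0-11.el8_6.2 as far as visible here.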
@@ -1370,8 +1437,75 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %changelog
-* Tue Apr 19 2022 Jacob Wang - 6.2.0-8.0.1
-- Adjust limit for virtiofsd minor version
+* Wed Jun 15 2022 Jon Maloy - 6.2.0-11.el8_6.2
+- kvm-Revert-redhat-Add-some-devices-for-exporting-upstrea.patch [bz#2077928]
+- kvm-ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch [bz#2082622]
+- Resolves: bz#2077928
+ (Remove upstream-only devices from the qemu-kvm binary [rhel-8.6.0.z])
+- Resolves: bz#2082622
+ (CVE-2021-4206 virt:rhel/qemu-kvm: QEMU: QXL: integer overflow in cursor_alloc() can lead to heap buffer overflow [rhel-8.6.0.z])
+
+* Wed May 25 2022 Jon Maloy - 6.2.0-11.el8_6.1
+- kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch [bz#2071103]
+- kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch [bz#2075686]
+- kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch [bz#2075686]
+- kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch [bz#2075686]
+- kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch [bz#2075683]
+- kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch [bz#2075637]
+- kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch [bz#2075639]
+- kvm-qcow2-Improve-refcount-structure-rebuilding.patch [bz#2072242]
+- kvm-iotests-108-Test-new-refcount-rebuild-algorithm.patch [bz#2072242]
+- kvm-qcow2-Add-errp-to-rebuild_refcount_structure.patch [bz#2072242]
+- kvm-iotests-108-Fix-when-missing-user_allow_other.patch [bz#2072242]
+- Resolves: bz#2071103
+ (RHEL 9.0 guest with vsock device migration failed from RHEL 9.0 > RHEL 8.6 [rhel-8.6.0.z])
+- Resolves: bz#2075686
+ (CVE-2021-3750 virt:rhel/qemu-kvm: QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free [rhel-8] [rhel-8.6.0.z])
+- Resolves: bz#2075683
+ (CVE-2021-4207 virt:rhel/qemu-kvm: QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow [rhel-8] [rhel-8.6.0.z])
+- Resolves: bz#2075637
+ 
(CVE-2022-26353 virt:rhel/qemu-kvm: QEMU: virtio-net: map leaking on error during receive [rhel-8] [rhel-8.6.0.z])
+- Resolves: bz#2075639
+ (CVE-2022-26354 virt:rhel/qemu-kvm: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak [rhel-8] [rhel-8.6.0.z])
+- Resolves: bz#2072242
+ (Fail to rebuild the reference count tables of qcow2 image on host block devices (e.g. LVs) [rhel-8.6.0.z])
+
+* Tue Apr 05 2022 Jon Maloy - 6.2.0-11
+- kvm-target-i386-properly-reset-TSC-on-reset.patch [bz#1975840]
+- Resolves: bz#1975840
+ (Windows guest hangs after updating and restarting from the guest OS)
+
+* Mon Mar 21 2022 Jon Maloy - 6.2.0-10
+- kvm-vmxcap-Add-5-level-EPT-bit.patch [bz#2056986]
+- kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch [bz#2056986]
+- kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch [bz#2059311]
+- kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch [bz#2059311]
+- kvm-tests-acpi-add-SLIC-table-test.patch [bz#2059311]
+- kvm-tests-acpi-SLIC-update-expected-blobs.patch [bz#2059311]
+- kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch [bz#2059311]
+- kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch [bz#2059311]
+- kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch [bz#2059311]
+- kvm-tests-acpi-update-expected-blobs.patch [bz#2059311]
+- kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch [bz#2059311]
+- kvm-rhel-workaround-for-lack-of-binary-patches-in-SRPM.patch [bz#2059311]
+- Resolves: bz#2056986
+ (Win11 (q35+edk2) guest broke after install wsl2 through 'wsl --install -d Ubuntu-20.04')
+- Resolves: bz#2059311
+ (Guest can not start with SLIC acpi table)
+
+* Sat Mar 12 2022 Jon Maloy - 6.2.0-9
+- kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch [bz#2061856]
+- kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch [bz#2061856]
+- kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch [bz#2061856]
+- 
kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch [bz#2027208] +- kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch [bz#2054597] +- kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch [bz#2054597] +- Resolves: bz#2061856 + (Revert IBM-specific Ubuntu-compatibility machine type for 8.6-AV GA) +- Resolves: bz#2027208 + ([virtual network][vDPA] qemu crash after hot unplug vdpa device) +- Resolves: bz#2054597 + (Do operation to disk will hang in the guest of target host after hotplugging and migrating) * Tue Feb 22 2022 Jon Maloy - 6.2.0-8 - kvm-block-nbd-Delete-reconnect-delay-timer-when-done.patch [bz#2035185] diff --git a/tests_data_acpi_pc_SSDT.dimmpxm b/tests_data_acpi_pc_SSDT.dimmpxm new file mode 100644 index 0000000000000000000000000000000000000000..ac55387d57e48adb99eb738a102308688a262fb8 GIT binary patch literal 734 zcmZWnJ&4m_7=F`~Ynryuv=x7-N9J4Xbr8Wp(xkD0CMii;gd8+KN84*Ve0b*|BDB5X z>Ip(G+#(|Bkx_6L++3ZUT*TqP-9>Ov^X72yT;BJ~`@DI+=Xv-{Q?kCK0H|I=7h5K; z^&~}A<8J_HJm`qni~811-)!{lg}fEx2GegTQb7{lkd5ln$_Wwsc7E8beYKIfi&D%}l!?7VZ{Ys}%!${^h_4uRje2a1x9h2(!T$B95k#LXjydBYP-~j8R)y zeGVX>jc_E`Y1Y^9W0&*q2N-9bv?yz3~JX!?c7r^o$`ZR+iCa z(*iQWMsNo+x*P#Tl{P5cNK$f+9f&Eq1PhXd`I8`-M6pnE1p4e`o#xC%V!B literal 0 HcmV?d00001 
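Review bot: The 6.2.0-10 changelog entry lists `kvm-rhel-workaround-for-lack-of-binary-patches-in-SRPM.patch [bz#2059311]`, but no `PatchNN:` line for that file is added in the patch list hunk (Patch55 through Patch85) and it is not among the patch files this commit introduces; the binary ACPI blobs are carried as Source37-Source40 and copied into tests/data/acpi in %prep instead. A changelog line naming a patch that is not in the package makes it impossible to audit which bz#2059311 fixes actually shipped. Either drop that line or reword it, e.g. `- expected ACPI blobs for bz#2059311 shipped as Source37-40 (SRPM cannot carry binary patches)`, so the changelog matches the Patch and Source lists. This applies only to the changelog hunk; the other entries match the Patch list one-to-one as far as visible, and the hunk ends on the same physical line where the binary file sections begin.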
diff --git a/tests_data_acpi_q35_FACP.slic b/tests_data_acpi_q35_FACP.slic new file mode 100644 index 0000000000000000000000000000000000000000..15986e095cf2db7ee92f7ce113c1d46d54018c62 GIT binary patch literal 244 zcmZ>BbPo8!z`($K$vMa|*h9hB703YsMj&>I2yh0`Fu=&b$*>8?VPXanY!FcvC=KFq z0NDyKaV7>90if7_{{Q?Cl?)6Ip(G+#(|Bkx_6L++3ZUT$~PE#YJ#X^X72yT;BJ~`@DI+=Xv-{Q?|aO04Sy2mYOE7 z_hePm;%@+`Kj=uDhS&(sAyMoNo*B}*3iU(J<~gC zo622d*>rq1L=6TxDBANJ&S~9JRNkIf5ulrLtHB$Mp2;g+UE&qdxIg=uvFD`(HChdw zZ_A=J`;`fA1XCbfnJq?Ni?>#<&$(xxN_T@FJMY}}op3Xl=23F8@cq^E-Sx+kbo^QU z@V55ech^^wx$q_{afNekwPJwJzZ|&X^{2rAPJ)pOVKx{;#L-kzC^AK5WDlj0F=`8| zPl6W{HXR&I;%k-@0G}NCebPtGWPq*?P%oSI!rP}F%MkDxtKLf4-}hbLUR3p-ATW+7 n8`Ncol)c!D(d`6fQx)#t0NB(8Uc12Q|8SbYhnR@A=!SHy6V5FNJ%-&%O8V`fj)#OzB2uGw|c}i-+q^1^MKw z_VHcygYT}d#t$oR)3T7e5LPP=#O$kq8(w=B4B#{vxe%s8(#DyVKR7Unu8X2Ru zu>3T5IpLGR@r15fP5^vzWXMNT3lV0eDx%=gIA z5)JvVL=50yh<*6jkA~!l$Ftx$MH~RHMeidlrF>7Z^kjq~kM_qC;7rSwprofvRkPDv zOSNnuBWwg`Fr&*6Fic^K!HGB}_rwKC(IHrnEXmT^8?<~qjw^HGH nl43HK9Wu^ho1!~0$|p*~zX9-x4PM>g?0-1R;a8+qKg)jr(Nxg^ literal 0 HcmV?d00001 -- Gitee