From b3567f418c7e2b8631fb7bb14726ac82c6076ec6 Mon Sep 17 00:00:00 2001 
From: Jiabo Feng
Date: Wed, 18 Sep 2024 14:57:25 +0800
Subject: [PATCH] QEMU update to version 6.2.0-99:

- target/i386: Introduce SapphireRapids-v3 to add missing features
- qtest/fuzz-lsi53c895a-test: set guest RAM to 2G
- hw/net/lan9118: Signal TSFL_INT flag when TX FIFO reaches specified level
- target/arm: Fix alignment for VLD4.32
- hw/microblaze: pass random seed to fdt
- tests/qtest: npcm7xx-emc-test: Skip checking MAC
- tests: mark io-command test as skipped if socat is missing
- tests: unit: add NULL-pointer check
- tests: test-qga: close socket on failure to connect
- vdpa:block device capacity expansion online support vdpa block device update capacity.
- virtio-net: Ensure queue index fits with RSS(CVE-2024-6505)
- nbd/server: CVE-2024-7409: Avoid use-after-free when closing server
- ppc/vof: Fix unaligned FDT property access
- vvfat: Fix reading files with non-continuous clusters
- vvfat: Fix bug in writing to middle of file
- savevm: Fix load_snapshot error path crash
- hw/dma/xilinx_axidma: Use semicolon at end of statement, not comma
- hw/remote/message.c: Don't directly invoke DeviceClass:reset
- crypto/tlscredspsk: Free username on finalize
- hw/display/vhost-user-gpu.c: fix vhost_user_gpu_chr_read()
- virtio: remove virtio_tswap16s() call in vring_packed_event_read()
- char-stdio: Restore blocking mode of stdout on exit
- hw/ppc: spapr: Use qemu_vfree() to free spapr->htab
- smbios: sanitize type from external type before checking have_fields_bitmap
- spapr_pci: fix leak in spapr_phb_vfio_get_loc_code
- KVM: use store-release to mark dirty pages as harvested
- monitor/hmp: print trace as option in help for log command
- tpm_crb: Avoid backend startup just before shutdown under Xen
- crypto/block-luks: make range overlap check more readable
- spapr: Free stdout path
- target/rx: Use target_ulong for address in LI
- virtio-pci: Fix the use of an uninitialized irqfd
- rtl8139: Fix behaviour for old kernels.
- virtio-rng: block max-bytes=0 MIME-Version: 1.0
- hw/audio/es1370: Clean up comment
- vhost-user-server: do not set memory fd non-blocking
- ui: reject extended clipboard message if not activated
- virtio-net: Fix vhost virtqueue notifiers for RSS
- hw/misc/applesmc: Fix memory leak in reset() handler
Signed-off-by: Jiabo Feng
(cherry picked from commit db7a5d9a7239db307c8c1454fab5f8a92fd486b8)
---
 ...lease-to-mark-dirty-pages-as-harvest.patch | 91 +++++++++++++++++++
 ...tore-blocking-mode-of-stdout-on-exit.patch | 54 +++++++++++
 ...s-make-range-overlap-check-more-read.patch | 47 ++++++++++
 ...lscredspsk-Free-username-on-finalize.patch | 77 ++++++++++++++++
 hw-audio-es1370-Clean-up-comment.patch | 44 +++++++++
 ...-user-gpu.c-fix-vhost_user_gpu_chr_r.patch | 38 ++++++++
 ...idma-Use-semicolon-at-end-of-stateme.patch | 42 +++++++++
 hw-microblaze-pass-random-seed-to-fdt.patch | 54 +++++++++++
 ...smc-Fix-memory-leak-in-reset-handler.patch | 40 ++++++++
 ...ignal-TSFL_INT-flag-when-TX-FIFO-rea.patch | 49 ++++++++++
 ...pr-Use-qemu_vfree-to-free-spapr-htab.patch | 44 +++++++++
 ...e.c-Don-t-directly-invoke-DeviceClas.patch | 48 ++++++++++
 ...t-trace-as-option-in-help-for-log-co.patch | 60 ++++++++++++
 ...024-7409-Avoid-use-after-free-when-c.patch | 90 ++++++++++++++++++
 ...of-Fix-unaligned-FDT-property-access.patch | 33 +++++++
 qemu.spec | 82 ++++++++++++++++-
 ...-lsi53c895a-test-set-guest-RAM-to-2G.patch | 43 +++++++++
 rtl8139-Fix-behaviour-for-old-kernels.patch | 35 +++++++
 ...m-Fix-load_snapshot-error-path-crash.patch | 36 ++++++++
 ...type-from-external-type-before-check.patch | 51 +++++++++++
 spapr-Free-stdout-path.patch | 30 ++++++
 ...-leak-in-spapr_phb_vfio_get_loc_code.patch | 35 +++++++
 target-arm-Fix-alignment-for-VLD4.32.patch | 50 ++++++++++
 ...oduce-SapphireRapids-v3-to-add-missi.patch | 48 ++++++++++
 ...x-Use-target_ulong-for-address-in-LI.patch | 35 +++++++
 ...mmand-test-as-skipped-if-socat-is-mi.patch | 39 ++++++++
 ...t-npcm7xx-emc-test-Skip-checking-MAC.patch | 39 ++++++++
 ...a-close-socket-on-failure-to-connect.patch | 32 +++++++
 tests-unit-add-NULL-pointer-check.patch | 39 ++++++++
 ...ckend-startup-just-before-shutdown-u.patch | 58 ++++++++++++
 ...ed-clipboard-message-if-not-activate.patch | 41 +++++++++
 ...ock-device-capacity-expansion-online.patch | 50 ++++++++++
 ...er-do-not-set-memory-fd-non-blocking.patch | 59 ++++++++++++
 ...e-queue-index-fits-with-RSS-CVE-2024.patch | 36 ++++++++
 ...ix-vhost-virtqueue-notifiers-for-RSS.patch | 45 +++++++++
 ...ix-the-use-of-an-uninitialized-irqfd.patch | 83 +++++++++++++++++
 ...rtio_tswap16s-call-in-vring_packed_e.patch | 52 +++++++++++
 ...g-block-max-bytes-0-MIME-Version-1.0.patch | 40 ++++++++
 ...Fix-bug-in-writing-to-middle-of-file.patch | 42 +++++++++
 ...g-files-with-non-continuous-clusters.patch | 50 ++++++++++
 40 files changed, 1960 insertions(+), 1 deletion(-)
 create mode 100644 KVM-use-store-release-to-mark-dirty-pages-as-harvest.patch
 create mode 100644 char-stdio-Restore-blocking-mode-of-stdout-on-exit.patch
 create mode 100644 crypto-block-luks-make-range-overlap-check-more-read.patch
 create mode 100644 crypto-tlscredspsk-Free-username-on-finalize.patch
 create mode 100644 hw-audio-es1370-Clean-up-comment.patch
 create mode 100644 hw-display-vhost-user-gpu.c-fix-vhost_user_gpu_chr_r.patch
 create mode 100644 hw-dma-xilinx_axidma-Use-semicolon-at-end-of-stateme.patch
 create mode 100644 hw-microblaze-pass-random-seed-to-fdt.patch
 create mode 100644 hw-misc-applesmc-Fix-memory-leak-in-reset-handler.patch
 create mode 100644 hw-net-lan9118-Signal-TSFL_INT-flag-when-TX-FIFO-rea.patch
 create mode 100644 hw-ppc-spapr-Use-qemu_vfree-to-free-spapr-htab.patch
 create mode 100644 hw-remote-message.c-Don-t-directly-invoke-DeviceClas.patch
 create mode 100644 monitor-hmp-print-trace-as-option-in-help-for-log-co.patch
 create mode 100644 nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch
 create mode 100644 ppc-vof-Fix-unaligned-FDT-property-access.patch
 create mode 100644 qtest-fuzz-lsi53c895a-test-set-guest-RAM-to-2G.patch
 create mode 100644 rtl8139-Fix-behaviour-for-old-kernels.patch
 create mode 100644 savevm-Fix-load_snapshot-error-path-crash.patch
 create mode 100644 smbios-sanitize-type-from-external-type-before-check.patch
 create mode 100644 spapr-Free-stdout-path.patch
 create mode 100644 spapr_pci-fix-leak-in-spapr_phb_vfio_get_loc_code.patch
 create mode 100644 target-arm-Fix-alignment-for-VLD4.32.patch
 create mode 100644 target-i386-Introduce-SapphireRapids-v3-to-add-missi.patch
 create mode 100644 target-rx-Use-target_ulong-for-address-in-LI.patch
 create mode 100644 tests-mark-io-command-test-as-skipped-if-socat-is-mi.patch
 create mode 100644 tests-qtest-npcm7xx-emc-test-Skip-checking-MAC.patch
 create mode 100644 tests-test-qga-close-socket-on-failure-to-connect.patch
 create mode 100644 tests-unit-add-NULL-pointer-check.patch
 create mode 100644 tpm_crb-Avoid-backend-startup-just-before-shutdown-u.patch
 create mode 100644 ui-reject-extended-clipboard-message-if-not-activate.patch
 create mode 100644 vdpa-block-device-capacity-expansion-online.patch
 create mode 100644 vhost-user-server-do-not-set-memory-fd-non-blocking.patch
 create mode 100644 virtio-net-Ensure-queue-index-fits-with-RSS-CVE-2024.patch
 create mode 100644 virtio-net-Fix-vhost-virtqueue-notifiers-for-RSS.patch
 create mode 100644 virtio-pci-Fix-the-use-of-an-uninitialized-irqfd.patch
 create mode 100644 virtio-remove-virtio_tswap16s-call-in-vring_packed_e.patch
 create mode 100644 virtio-rng-block-max-bytes-0-MIME-Version-1.0.patch
 create mode 100644 vvfat-Fix-bug-in-writing-to-middle-of-file.patch
 create mode 100644 vvfat-Fix-reading-files-with-non-continuous-clusters.patch

diff --git a/KVM-use-store-release-to-mark-dirty-pages-as-harvest.patch b/KVM-use-store-release-to-mark-dirty-pages-as-harvest.patch
new file mode 100644
index 00000000..f802de4b
--- /dev/null
+++ b/KVM-use-store-release-to-mark-dirty-pages-as-harvest.patch
@@ -0,0 +1,91 @@ +From e9fc6950c9d253ab9243f662d20da3021da3cb03 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Wed, 4 Sep 2024 06:03:35 +0000 +Subject: [PATCH] KVM: use store-release to mark dirty pages as harvested + mainline inclusion commit 52281c6d11ec68b802e8a264780df2c4b981e6bc category: + bugfix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--------------------------------------------------------------- + +The following scenario can happen if QEMU sets more RESET flags while +the KVM_RESET_DIRTY_RINGS ioctl is ongoing on another host CPU: + + CPU0 CPU1 CPU2 + ------------------------ ------------------ ------------------------ + fill gfn0 + store-rel flags for gfn0 + fill gfn1 + store-rel flags for gfn1 + load-acq flags for gfn0 + set RESET for gfn0 + load-acq flags for gfn1 + set RESET for gfn1 + do ioctl! -----------> + ioctl(RESET_RINGS) + fill gfn2 + store-rel flags for gfn2 + load-acq flags for gfn2 + set RESET for gfn2 + process gfn0 + process gfn1 + process gfn2 + do ioctl! + etc. + +The three load-acquire in CPU0 synchronize with the three store-release +in CPU2, but CPU0 and CPU1 are only synchronized up to gfn1 and CPU1 +may miss gfn2's fields other than flags. + +The kernel must be able to cope with invalid values of the fields, and +userspace *will* invoke the ioctl once more. However, once the RESET flag +is cleared on gfn2, it is lost forever, therefore in the above scenario +CPU1 must read the correct value of gfn2's fields. + +Therefore RESET must be set with a store-release, that will synchronize +with KVM's load-acquire in CPU1. 
+ +Cc: Gavin Shan +Reviewed-by: Peter Xu +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Paolo Bonzini + +Signed-off-by: tangbinzy +--- + accel/kvm/kvm-all.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c +index 381e3c8552..3a09307a26 100644 +--- a/accel/kvm/kvm-all.c ++++ b/accel/kvm/kvm-all.c +@@ -675,7 +675,23 @@ static bool dirty_gfn_is_dirtied(struct kvm_dirty_gfn *gfn) + + static void dirty_gfn_set_collected(struct kvm_dirty_gfn *gfn) + { +- gfn->flags = KVM_DIRTY_GFN_F_RESET; ++ /* ++ * Use a store-release so that the CPU that executes KVM_RESET_DIRTY_RINGS ++ * sees the full content of the ring: ++ * ++ * CPU0 CPU1 CPU2 ++ * ------------------------------------------------------------------------------ ++ * fill gfn0 ++ * store-rel flags for gfn0 ++ * load-acq flags for gfn0 ++ * store-rel RESET for gfn0 ++ * ioctl(RESET_RINGS) ++ * load-acq flags for gfn0 ++ * check if flags have RESET ++ * ++ * The synchronization goes from CPU2 to CPU0 to CPU1. ++ */ ++ qatomic_store_release(&gfn->flags, KVM_DIRTY_GFN_F_RESET); + } + + /* +-- +2.41.0.windows.1 + diff --git a/char-stdio-Restore-blocking-mode-of-stdout-on-exit.patch b/char-stdio-Restore-blocking-mode-of-stdout-on-exit.patch new file mode 100644 index 00000000..6d0abf40 --- /dev/null +++ b/char-stdio-Restore-blocking-mode-of-stdout-on-exit.patch 
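Review bot: the hunk shows only the release half of the pairing; the new comment's "load-acq flags for gfn0" on CPU0 refers to dirty_gfn_is_dirtied(), the function named in the hunk header but not in the hunk, so please confirm that it reads gfn->flags with qatomic_load_acquire(). Without that acquire on the QEMU side, `qatomic_store_release(&gfn->flags, KVM_DIRTY_GFN_F_RESET);` has nothing to synchronize with before the ioctl and the CPU0/CPU1/CPU2 argument in the comment does not hold. Separately, the backport metadata ("mainline inclusion commit 52281c6d... category: bugfix") is folded into the Subject line and there is no "(cherry picked from commit ...)" trailer as the other patches in this series use; tooling that tracks which upstream commits a stable branch carries keys on that trailer.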
@@ -0,0 +1,54 @@ +From 17744d85df589f40e889639147889c98a50bc671 Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Wed, 4 Sep 2024 23:25:17 -0700 +Subject: [PATCH] char-stdio: Restore blocking mode of stdout on exit + +qemu_chr_open_fd() sets stdout into non-blocking mode. Restore the old +fd flags on exit to avoid breaking unsuspecting applications that run on +the same terminal after qemu and don't expect to get EAGAIN. + +While at at, also ensure term_exit is called once (at the moment it's +called both from char_stdio_finalize() and as the atexit() hook. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2423 +Signed-off-by: Maxim Mikityanskiy +Link: https://lore.kernel.org/r/20240703190812.3459514-1-maxtram95@gmail.com +Signed-off-by: Paolo Bonzini +(cherry picked from commit a0124e333e2176640f233e5ea57a2f413985d9b5) +Signed-off-by: zhujun2 +--- + chardev/char-stdio.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/chardev/char-stdio.c b/chardev/char-stdio.c +index 403da308c9..69bedca7f5 100644 +--- a/chardev/char-stdio.c ++++ b/chardev/char-stdio.c +@@ -41,6 +41,7 @@ + /* init terminal so that we can grab keys */ + static struct termios oldtty; + static int old_fd0_flags; ++static int old_fd1_flags; + static bool stdio_in_use; + static bool stdio_allow_signal; + static bool stdio_echo_state; +@@ -50,6 +51,8 @@ static void term_exit(void) + if (stdio_in_use) { + tcsetattr(0, TCSANOW, &oldtty); + fcntl(0, F_SETFL, old_fd0_flags); ++ fcntl(1, F_SETFL, old_fd1_flags); ++ stdio_in_use = false; + } + } + +@@ -102,6 +105,7 @@ static void qemu_chr_open_stdio(Chardev *chr, + + stdio_in_use = true; + old_fd0_flags = fcntl(0, F_GETFL); ++ old_fd1_flags = fcntl(1, F_GETFL); + tcgetattr(0, &oldtty); + qemu_set_nonblock(0); + atexit(term_exit); +-- +2.41.0.windows.1 + diff --git a/crypto-block-luks-make-range-overlap-check-more-read.patch b/crypto-block-luks-make-range-overlap-check-more-read.patch new file mode 100644 index 00000000..80bae5fc --- /dev/null 
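Review bot: `old_fd1_flags = fcntl(1, F_GETFL);` in qemu_chr_open_stdio() is not checked for -1 (stdout closed or not a valid descriptor), and term_exit() then replays that value unconditionally with `fcntl(1, F_SETFL, old_fd1_flags);`. The pre-existing fd0 code has the same pattern, but since this hunk adds a second instance, consider only restoring when the F_GETFL succeeded (skip the F_SETFL if old_fd1_flags < 0). Also, the commit message says stdout is put into non-blocking mode by qemu_chr_open_fd(), but the only non-blocking call visible here is `qemu_set_nonblock(0);` on stdin, so a one-line comment next to the new `old_fd1_flags` save explaining why fd 1 needs restoring would help the next reader. The `stdio_in_use = false;` in term_exit() is what makes the double invocation (finalize plus atexit) idempotent; worth stating in a comment rather than only in the commit message.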
+++ b/crypto-block-luks-make-range-overlap-check-more-read.patch @@ -0,0 +1,47 @@ +From ca6f8348075be1839e87fa826a2719127ec64d41 Mon Sep 17 00:00:00 2001 +From: dinglimin +Date: Mon, 2 Sep 2024 17:40:40 +0800 +Subject: [PATCH] crypto/block-luks: make range overlap check more readable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 7cd9b9d476e729808f3c9b82a12f51a39673d5cb + +use ranges_overlap() instead of open-coding the overlap check to improve the readability of the code. + +Signed-off-by: Yao Xingtao +Reviewed-by: Philippe Mathieu-Daudé +Tested-by: Philippe Mathieu-Daudé +Reviewed-by: Daniel P. Berrangé +Message-ID: <20240722040742.11513-12-yaoxt.fnst@fujitsu.com> +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: dinglimin +--- + crypto/block-luks.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/crypto/block-luks.c b/crypto/block-luks.c +index fe8f04ffb2..2648719337 100644 +--- a/crypto/block-luks.c ++++ b/crypto/block-luks.c +@@ -33,6 +33,7 @@ + + #include "qemu/coroutine.h" + #include "qemu/bitmap.h" ++#include "qemu/range.h" + + /* + * Reference for the LUKS format implemented here is +@@ -591,7 +592,7 @@ qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp) + header_sectors, + slot2->stripes); + +- if (start1 + len1 > start2 && start2 + len2 > start1) { ++ if (ranges_overlap(start1, len1, start2, len2)) { + error_setg(errp, + "Keyslots %zu and %zu are overlapping in the header", + i, j); +-- +2.41.0.windows.1 + diff --git a/crypto-tlscredspsk-Free-username-on-finalize.patch b/crypto-tlscredspsk-Free-username-on-finalize.patch new file mode 100644 index 00000000..84262124 --- /dev/null +++ b/crypto-tlscredspsk-Free-username-on-finalize.patch 
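Review bot: the replacement `if (ranges_overlap(start1, len1, start2, len2))` is equivalent to the removed half-open test `start1 + len1 > start2 && start2 + len2 > start1` except where the inclusive last offset (first + len - 1) computed inside ranges_overlap() wraps, i.e. a zero-length range at offset 0. The keyslot lengths derive from header_sectors and slot->stripes (visible in the context lines), so that case should be unreachable, but a short comment or assertion on len1/len2 being non-zero would document the assumption the readability change now relies on. Metadata nit: the line "cheery-pick from 7cd9b9d4..." has a typo and is not the standard "(cherry picked from commit ...)" trailer used by the neighbouring patches, which matters for scripts that match on the trailer.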
@@ -0,0 +1,77 @@ +From 58fb7b6216c6b2c8204e1046dd788f18eeb3b45f Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Mon, 19 Aug 2024 15:50:21 +0100 +Subject: [PATCH] crypto/tlscredspsk: Free username on finalize +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When the creds->username property is set we allocate memory +for it in qcrypto_tls_creds_psk_prop_set_username(), but +we never free this when the QCryptoTLSCredsPSK is destroyed. +Free the memory in finalize. + +This fixes a LeakSanitizer complaint in migration-test: + +$ (cd build/asan; ASAN_OPTIONS="fast_unwind_on_malloc=0" QTEST_QEMU_BINARY=./qemu-system-x86_64 ./tests/qtest/migration-test --tap -k -p /x86_64/migration/precopy/unix/tls/psk) + +================================================================= +==3867512==ERROR: LeakSanitizer: detected memory leaks + +Direct leak of 5 byte(s) in 1 object(s) allocated from: + #0 0x5624e5c99dee in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x218edee) (BuildId: a9e623fa1009a9435c0142c037cd7b8c1ad04ce3) + #1 0x7fb199ae9738 in g_malloc debian/build/deb/../../../glib/gmem.c:128:13 + #2 0x7fb199afe583 in g_strdup debian/build/deb/../../../glib/gstrfuncs.c:361:17 + #3 0x5624e82ea919 in qcrypto_tls_creds_psk_prop_set_username /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../crypto/tlscredspsk.c:255:23 + #4 0x5624e812c6b5 in property_set_str /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object.c:2277:5 + #5 0x5624e8125ce5 in object_property_set /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object.c:1463:5 + #6 0x5624e8136e7c in object_set_properties_from_qdict /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object_interfaces.c:55:14 + #7 0x5624e81372d2 in user_creatable_add_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object_interfaces.c:112:5 + #8 0x5624e8137964 in user_creatable_add_qapi 
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object_interfaces.c:157:11 + #9 0x5624e891ba3c in qmp_object_add /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/qom-qmp-cmds.c:227:5 + #10 0x5624e8af9118 in qmp_marshal_object_add /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qapi/qapi-commands-qom.c:337:5 + #11 0x5624e8bd1d49 in do_qmp_dispatch_bh /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qapi/qmp-dispatch.c:128:5 + #12 0x5624e8cb2531 in aio_bh_call /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/async.c:171:5 + #13 0x5624e8cb340c in aio_bh_poll /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/async.c:218:13 + #14 0x5624e8c0be98 in aio_dispatch /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/aio-posix.c:423:5 + #15 0x5624e8cba3ce in aio_ctx_dispatch /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/async.c:360:5 + #16 0x7fb199ae0d3a in g_main_dispatch debian/build/deb/../../../glib/gmain.c:3419:28 + #17 0x7fb199ae0d3a in g_main_context_dispatch debian/build/deb/../../../glib/gmain.c:4137:7 + #18 0x5624e8cbe1d9 in glib_pollfds_poll /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/main-loop.c:287:9 + #19 0x5624e8cbcb13 in os_host_main_loop_wait /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/main-loop.c:310:5 + #20 0x5624e8cbc6dc in main_loop_wait /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/main-loop.c:589:11 + #21 0x5624e6f3f917 in qemu_main_loop /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../system/runstate.c:801:9 + #22 0x5624e893379c in qemu_default_main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../system/main.c:37:14 + #23 0x5624e89337e7 in main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../system/main.c:48:12 + #24 0x7fb197972d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 + #25 0x7fb197972e3f in __libc_start_main 
csu/../csu/libc-start.c:392:3 + #26 0x5624e5c16fa4 in _start (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x210bfa4) (BuildId: a9e623fa1009a9435c0142c037cd7b8c1ad04ce3) + +SUMMARY: AddressSanitizer: 5 byte(s) leaked in 1 allocation(s). + +Cc: qemu-stable@nongnu.org +Signed-off-by: Peter Maydell +Reviewed-by: Daniel P. Berrangé +Message-ID: <20240819145021.38524-1-peter.maydell@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé +--- + crypto/tlscredspsk.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c +index 752f2d92be..9ab62b411d 100644 +--- a/crypto/tlscredspsk.c ++++ b/crypto/tlscredspsk.c +@@ -245,6 +245,7 @@ qcrypto_tls_creds_psk_finalize(Object *obj) + QCryptoTLSCredsPSK *creds = QCRYPTO_TLS_CREDS_PSK(obj); + + qcrypto_tls_creds_psk_unload(creds); ++ g_free(creds->username); + } + + static void +-- +2.41.0.windows.1 + diff --git a/hw-audio-es1370-Clean-up-comment.patch b/hw-audio-es1370-Clean-up-comment.patch new file mode 100644 index 00000000..8c04a0b6 --- /dev/null +++ b/hw-audio-es1370-Clean-up-comment.patch 
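Review bot: `g_free(creds->username);` in qcrypto_tls_creds_psk_finalize() closes the leak on the destroy path, but the LeakSanitizer trace in the commit message points at qcrypto_tls_creds_psk_prop_set_username() (tlscredspsk.c:255) doing a g_strdup(); if that setter does not g_free() the previous value before assigning, setting the property more than once on the same object still leaks every value but the last, and this hunk only releases the final one. Please check the setter while in this file. Also, unlike the other backports in this series, the patch carries no "(cherry picked from commit ...)" trailer, so it is not clear from the file which upstream commit the stable branch picked up.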
@@ -0,0 +1,44 @@ +From 25a18f3ade8c4c412d21b9147f018fc7c55558d4 Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Thu, 15 Aug 2024 23:59:42 -0700 +Subject: [PATCH] hw/audio/es1370: Clean up comment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Replace a sweary comment with one that's a bit more helpful to +future readers of the code. + +Signed-off-by: Peter Maydell +Reviewed-by: Volker Rümelin +Message-ID: <20231110164318.2197569-1-peter.maydell@linaro.org> +Signed-off-by: Thomas Huth +(cherry picked from commit 4409a6d85522925df580554d476161a570bb1ed9) +Signed-off-by: zhujun2 +--- + hw/audio/es1370.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c +index 6904589814..72de110e0b 100644 +--- a/hw/audio/es1370.c ++++ b/hw/audio/es1370.c +@@ -702,8 +702,13 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, + cnt += (transferred + d->leftover) >> 2; + + if (s->sctl & loop_sel) { +- /* Bah, how stupid is that having a 0 represent true value? +- i just spent few hours on this shit */ ++ /* ++ * loop_sel tells us which bit in the SCTL register to look at ++ * (either P1_LOOP_SEL, P2_LOOP_SEL or R1_LOOP_SEL). The sense ++ * of these bits is 0 for loop mode (set interrupt and keep recording ++ * when the sample count reaches zero) or 1 for stop mode (set ++ * interrupt and stop recording). ++ */ + AUD_log ("es1370: warning", "non looping mode\n"); + } + else { +-- +2.41.0.windows.1 + diff --git a/hw-display-vhost-user-gpu.c-fix-vhost_user_gpu_chr_r.patch b/hw-display-vhost-user-gpu.c-fix-vhost_user_gpu_chr_r.patch new file mode 100644 index 00000000..44c7b2ce --- /dev/null +++ b/hw-display-vhost-user-gpu.c-fix-vhost_user_gpu_chr_r.patch 
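Review bot: the new comment describes the mode bits as "keep recording" and "stop recording", but the hunk lives in es1370_transfer_audio() and, by the comment's own words, loop_sel can be P1_LOOP_SEL or P2_LOOP_SEL (playback) as well as R1_LOOP_SEL; "transferring" or "keep the DMA channel running" would be accurate for both directions. Comment-only change otherwise, and the AUD_log("es1370: warning", "non looping mode\n") it sits above is untouched, so no behavioural impact.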
@@ -0,0 +1,38 @@ +From a5e9442e8e386e62c043fa0b5fba469251fa5d4d Mon Sep 17 00:00:00 2001 +From: Haoran Zhang +Date: Thu, 22 Aug 2024 11:07:58 +0800 +Subject: [PATCH] hw/display/vhost-user-gpu.c: fix vhost_user_gpu_chr_read() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +fix vhost_user_gpu_chr_read() where `size` was incorrectly passed to `msg->flags`. + +Fixes: 267f664658 ("hw/display: add vhost-user-vga & gpu-pci") +Signed-off-by: Haoran Zhang +Reviewed-by: Marc-André Lureau +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Michael Tokarev +Signed-off-by: Michael Tokarev +(cherry picked from commit d6192f3f7593536a4285e8ab6c6cf3f34973ce62) +Signed-off-by: zhujun2 +--- + hw/display/vhost-user-gpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/display/vhost-user-gpu.c b/hw/display/vhost-user-gpu.c +index 4363e34db1..b2d89cd54e 100644 +--- a/hw/display/vhost-user-gpu.c ++++ b/hw/display/vhost-user-gpu.c +@@ -334,7 +334,7 @@ vhost_user_gpu_chr_read(void *opaque) + } + + msg->request = request; +- msg->flags = size; ++ msg->flags = flags; + msg->size = size; + + if (request == VHOST_USER_GPU_CURSOR_UPDATE || +-- +2.41.0.windows.1 + diff --git a/hw-dma-xilinx_axidma-Use-semicolon-at-end-of-stateme.patch b/hw-dma-xilinx_axidma-Use-semicolon-at-end-of-stateme.patch new file mode 100644 index 00000000..e54ca7a6 --- /dev/null +++ b/hw-dma-xilinx_axidma-Use-semicolon-at-end-of-stateme.patch 
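Review bot: the fix itself is right per the commit message (`msg->flags = size;` becomes `msg->flags = flags;`), but note what it changes: until now msg->flags carried the size, so whatever `flags` value the vhost-user-gpu backend sends over the chardev was never reaching the consumers of msg->flags (the VHOST_USER_GPU_CURSOR_UPDATE branch that follows, and any reply path). Please confirm those consumers mask or validate the peer-supplied flags, since a backend-controlled value now flows into code that only ever saw a length before, and mention in the commit message which flag bits are honoured so backport reviewers can judge the exposure.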
@@ -0,0 +1,42 @@ +From 1816af81d099d0ab7dc434a42e7218184894e3ef Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Tue, 13 Aug 2024 17:52:45 +0100 +Subject: [PATCH] hw/dma/xilinx_axidma: Use semicolon at end of statement, not + comma +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In axidma_class_init() we accidentally used a comma at the end of +a statement rather than a semicolon. This has no ill effects, but +it's obviously not intended and it means that Coccinelle scripts +for instance will fail to match on the two statements. Use a +semicolon instead. + +Signed-off-by: Peter Maydell +Reviewed-by: Richard Henderson +Reviewed-by: Thomas Huth +Message-ID: <20240813165250.2717650-6-peter.maydell@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé +--- + hw/dma/xilinx_axidma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/dma/xilinx_axidma.c b/hw/dma/xilinx_axidma.c +index bc383f53cc..5044fb146d 100644 +--- a/hw/dma/xilinx_axidma.c ++++ b/hw/dma/xilinx_axidma.c +@@ -598,7 +598,7 @@ static void axidma_class_init(ObjectClass *klass, void *data) + { + DeviceClass *dc = DEVICE_CLASS(klass); + +- dc->realize = xilinx_axidma_realize, ++ dc->realize = xilinx_axidma_realize; + dc->reset = xilinx_axidma_reset; + device_class_set_props(dc, axidma_properties); + } +-- +2.41.0.windows.1 + diff --git a/hw-microblaze-pass-random-seed-to-fdt.patch b/hw-microblaze-pass-random-seed-to-fdt.patch new file mode 100644 index 00000000..58f38c3a --- /dev/null +++ b/hw-microblaze-pass-random-seed-to-fdt.patch 
@@ -0,0 +1,54 @@ +From 74e95f7071c8d8f40b352992b19c967655459b31 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 9 Sep 2024 08:20:28 +0000 +Subject: [PATCH] hw/microblaze: pass random seed to fdt mainline inclusion + commit b91b6b5a2cd83a096116929dfc8e016091080adc category: bugfix + +--------------------------------------------------------------- + +If the FDT contains /chosen/rng-seed, then the Linux RNG will use it to +initialize early. Set this using the usual guest random number +generation function. This FDT node is part of the DT specification. + +Reviewed-by: Edgar E. Iglesias +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Edgar E. Iglesias + +Signed-off-by: tangbinzy +--- + hw/microblaze/boot.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/microblaze/boot.c b/hw/microblaze/boot.c +index 8821d009f1..26f315aaea 100644 +--- a/hw/microblaze/boot.c ++++ b/hw/microblaze/boot.c +@@ -31,6 +31,7 @@ + #include "qemu/option.h" + #include "qemu/config-file.h" + #include "qemu/error-report.h" ++#include "qemu/guest-random.h" + #include "sysemu/device_tree.h" + #include "sysemu/reset.h" + #include "hw/boards.h" +@@ -76,6 +77,7 @@ static int microblaze_load_dtb(hwaddr addr, + int fdt_size; + void *fdt = NULL; + int r; ++ uint8_t rng_seed[32]; + + if (dtb_filename) { + fdt = load_device_tree(dtb_filename, &fdt_size); +@@ -84,6 +86,9 @@ static int microblaze_load_dtb(hwaddr addr, + return 0; + } + ++ qemu_guest_getrandom_nofail(rng_seed, sizeof(rng_seed)); ++ qemu_fdt_setprop(fdt, "/chosen", "rng-seed", rng_seed, sizeof(rng_seed)); ++ + if (kernel_cmdline) { + r = qemu_fdt_setprop_string(fdt, "/chosen", "bootargs", + kernel_cmdline); +-- +2.41.0.windows.1 + diff --git a/hw-misc-applesmc-Fix-memory-leak-in-reset-handler.patch b/hw-misc-applesmc-Fix-memory-leak-in-reset-handler.patch new file mode 100644 index 00000000..74958e93 --- /dev/null +++ b/hw-misc-applesmc-Fix-memory-leak-in-reset-handler.patch 
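Review bot: `qemu_fdt_setprop(fdt, "/chosen", "rng-seed", rng_seed, sizeof(rng_seed));` discards its return value, while the bootargs call two lines below captures it (`r = qemu_fdt_setprop_string(fdt, "/chosen", "bootargs", kernel_cmdline);`); please make the two consistent. More importantly, the seed is now written unconditionally, so a user-supplied dtb_filename whose tree lacks a /chosen node hits this property set even when no kernel_cmdline is given, a path that previously never touched /chosen; either ensure the node exists first or state in the commit message that a /chosen node is now required. The 32-byte buffer is the size Linux reads for /chosen/rng-seed; a comment saying so would help. As with the other "mainline inclusion" patches, the upstream commit id is folded into the Subject instead of a "(cherry picked from commit ...)" trailer.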
@@ -0,0 +1,40 @@ +From dd51b99923c20a289f4b2c9de0cba5d272fbb493 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Mon, 8 Apr 2024 11:41:59 +0200 +Subject: [PATCH] hw/misc/applesmc: Fix memory leak in reset() handler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +AppleSMCData is allocated with g_new0() in applesmc_add_key(): +release it with g_free(). + +Leaked since commit 1ddda5cd36 ("AppleSMC device emulation"). + +Cc: qemu-stable@nongnu.org +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2272 +Reported-by: Zheyu Ma +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Peter Maydell +Message-Id: <20240408095217.57239-3-philmd@linaro.org> +(cherry picked from commit fc09ff2979defdcf8d00c2db94022d5d610e36ba) +Signed-off-by: zhujun2 +--- + hw/misc/applesmc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/misc/applesmc.c b/hw/misc/applesmc.c +index 1b9acaf1d3..e17229025f 100644 +--- a/hw/misc/applesmc.c ++++ b/hw/misc/applesmc.c +@@ -269,6 +269,7 @@ static void qdev_applesmc_isa_reset(DeviceState *dev) + /* Remove existing entries */ + QLIST_FOREACH_SAFE(d, &s->data_def, node, next) { + QLIST_REMOVE(d, node); ++ g_free(d); + } + s->status = 0x00; + s->status_1e = 0x00; +-- +2.41.0.windows.1 + diff --git a/hw-net-lan9118-Signal-TSFL_INT-flag-when-TX-FIFO-rea.patch b/hw-net-lan9118-Signal-TSFL_INT-flag-when-TX-FIFO-rea.patch new file mode 100644 index 00000000..3cebf928 --- /dev/null +++ b/hw-net-lan9118-Signal-TSFL_INT-flag-when-TX-FIFO-rea.patch 
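Review bot: `g_free(d);` after QLIST_REMOVE(d, node) matches the g_new0() allocation the commit message attributes to applesmc_add_key(). Please double-check that the AppleSMCData members (the key and data the entry points at) are not themselves heap-allocated by applesmc_add_key(); if they are, they leak in exactly the same way and the Resolves: issue is only partially closed. If they point at static strings, a comment on the struct saying so would pre-empt the question.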
@@ -0,0 +1,49 @@ +From 8b72b72180276e4f0af962e60fead6bdbe0e0577 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Tue, 10 Sep 2024 11:42:12 +0000 +Subject: [PATCH] hw/net/lan9118: Signal TSFL_INT flag when TX FIFO reaches + specified level mainline inclusion commit + 895a803ce91704f28c9b49621a4f589273289f1e category: bugfix + +--------------------------------------------------------------- + +The LAN9118 allows the guest to specify a level for both the TX and +RX FIFOs at which an interrupt will be generated. We implement the +RSFL_INT interrupt for the RX FIFO but are missing the handling of +the equivalent TSFL_INT for the TX FIFO. Add the missing test to set +the interrupt if the TX FIFO has exceeded the guest-specified level. + +This flag is required for Micrium lan911x ethernet driver to work. + +Signed-off-by: Lucas Dietrich +[PMM: Tweaked commit message and comment] +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell + +Signed-off-by: tangbinzy +--- + hw/net/lan9118.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c +index fa43758105..9897296c21 100644 +--- a/hw/net/lan9118.c ++++ b/hw/net/lan9118.c +@@ -702,6 +702,14 @@ static void do_tx_packet(lan9118_state *s) + n = (s->tx_status_fifo_head + s->tx_status_fifo_used) & 511; + s->tx_status_fifo[n] = status; + s->tx_status_fifo_used++; ++ ++ /* ++ * Generate TSFL interrupt if TX FIFO level exceeds the level ++ * specified in the FIFO_INT TX Status Level field. ++ */ ++ if (s->tx_status_fifo_used > ((s->fifo_int >> 16) & 0xff)) { ++ s->int_sts |= TSFL_INT; ++ } + if (s->tx_status_fifo_used == 512) { + s->int_sts |= TSFF_INT; + /* TODO: Stop transmission. */ +-- +2.41.0.windows.1 + diff --git a/hw-ppc-spapr-Use-qemu_vfree-to-free-spapr-htab.patch b/hw-ppc-spapr-Use-qemu_vfree-to-free-spapr-htab.patch new file mode 100644 index 00000000..fe1d1ef9 --- /dev/null +++ b/hw-ppc-spapr-Use-qemu_vfree-to-free-spapr-htab.patch 
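Review bot: the new TSFL_INT test runs only inside do_tx_packet(), i.e. when a TX status entry is pushed. The commit message says the equivalent RSFL_INT is already implemented; please check whether that path also re-evaluates on writes to FIFO_INT and, if so, mirror it here, otherwise a guest that lowers the TX Status Level after the status FIFO already exceeds it will not see TSFL_INT until the next transmit completes. Minor: `(s->fifo_int >> 16) & 0xff` caps the level at 255 while the FIFO holds 512 entries (see the TSFF_INT check that follows), which is fine but worth one more sentence in the comment so nobody "fixes" the mask later.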
@@ -0,0 +1,44 @@ +From 814378bd1174b4cb9f98e5ed0cac4f4d700c893d Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Wed, 4 Sep 2024 08:25:49 +0000 +Subject: [PATCH] hw/ppc: spapr: Use qemu_vfree() to free spapr->htab mainline + inclusion commit cb5b5ab9a516ce5ecddfc50971bf6f690300fd74 category: bugfix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--------------------------------------------------------------- + +spapr->htab is allocated by qemu_memalign(), hence we should use +qemu_vfree() to free it. + +Fixes: c5f54f3e31bf ("pseries: Move hash page table allocation to reset time") +Fixes: b4db54132ffe ("target/ppc: Implement H_REGISTER_PROCESS_TABLE H_CALL"") +Signed-off-by: Xuzhou Cheng +Signed-off-by: Bin Meng +Reviewed-by: Daniel Henrique Barboza +Reviewed-by: Marc-André Lureau +Message-Id: <20220920103159.1865256-28-bmeng.cn@gmail.com> +Signed-off-by: Daniel Henrique Barboza + +Signed-off-by: tangbinzy +--- + hw/ppc/spapr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c +index d1fbea16e3..6727ea7118 100644 +--- a/hw/ppc/spapr.c ++++ b/hw/ppc/spapr.c +@@ -1482,7 +1482,7 @@ int spapr_hpt_shift_for_ramsize(uint64_t ramsize) + + void spapr_free_hpt(SpaprMachineState *spapr) + { +- g_free(spapr->htab); ++ qemu_vfree(spapr->htab); + spapr->htab = NULL; + spapr->htab_shift = 0; + close_htab_fd(spapr); +-- +2.41.0.windows.1 + diff --git a/hw-remote-message.c-Don-t-directly-invoke-DeviceClas.patch b/hw-remote-message.c-Don-t-directly-invoke-DeviceClas.patch new file mode 100644 index 00000000..2d4d8f6c --- /dev/null +++ b/hw-remote-message.c-Don-t-directly-invoke-DeviceClas.patch 
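Review bot: the `g_free(spapr->htab);` to `qemu_vfree(spapr->htab);` change is the right pairing for a qemu_memalign() allocation, and qemu_vfree(NULL) is safe, so the path where htab was never allocated (the close_htab_fd() call below suggests an fd-backed HPT) is fine. Two metadata nits: the second Fixes: tag has a doubled closing quote (`H_CALL"")`), and as with the other "mainline inclusion" patches the upstream id sits in the Subject rather than in a "(cherry picked from commit ...)" trailer; both trip scripts that parse trailers.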
@@ -0,0 +1,48 @@ +From ea0169b5de433426e863f162f7a299fc29b9ff8d Mon Sep 17 00:00:00 2001 +From: Peter Maydell +Date: Tue, 13 Aug 2024 17:52:46 +0100 +Subject: [PATCH] hw/remote/message.c: Don't directly invoke DeviceClass:reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Directly invoking the DeviceClass::reset method is a bad idea, +because if the device is using three-phase reset then it relies on +transitional reset machinery which is likely to disappear at some +point. + +Reset the device in the standard way, by calling device_cold_reset(). + +Signed-off-by: Peter Maydell +Reviewed-by: Richard Henderson +Reviewed-by: Philippe Mathieu-Daudé +Message-ID: <20240813165250.2717650-7-peter.maydell@linaro.org> +Signed-off-by: Philippe Mathieu-Daudé +--- + hw/remote/message.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/hw/remote/message.c b/hw/remote/message.c +index 11d729845c..83b91c8762 100644 +--- a/hw/remote/message.c ++++ b/hw/remote/message.c +@@ -216,13 +216,10 @@ fail: + static void process_device_reset_msg(QIOChannel *ioc, PCIDevice *dev, + Error **errp) + { +- DeviceClass *dc = DEVICE_GET_CLASS(dev); + DeviceState *s = DEVICE(dev); + MPQemuMsg ret = { 0 }; + +- if (dc->reset) { +- dc->reset(s); +- } ++ device_cold_reset(s); + + ret.cmd = MPQEMU_CMD_RET; + +-- +2.41.0.windows.1 + diff --git a/monitor-hmp-print-trace-as-option-in-help-for-log-co.patch b/monitor-hmp-print-trace-as-option-in-help-for-log-co.patch new file mode 100644 index 00000000..6414d677 --- /dev/null +++ b/monitor-hmp-print-trace-as-option-in-help-for-log-co.patch 
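Review bot: The replaced code only reset the device when `dc->reset` was non-NULL, whereas the new `device_cold_reset(s)` runs unconditionally; the commit message should state that this semantic change (devices without a legacy reset method now go through the standard reset path) is intended, so that the remote-device reset message is documented as always performing a full cold reset.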
@@ -0,0 +1,60 @@ +From 0807b94d2cb88f1253d90f649604f0110b33f9b4 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Tue, 3 Sep 2024 02:12:05 +0000 +Subject: [PATCH] monitor/hmp: print trace as option in help for log command + mainline inclusion commit 3183bb3f441ba5b9da570f7f5f9abdc3313ba311 category: + bugfix + +--------------------------------------------------------------- + +The below is printed when printing help information in qemu-system-x86_64 +command line, and when CONFIG_TRACE_LOG is enabled: + +---------------------------- +$ qemu-system-x86_64 -d help +... ... +trace:PATTERN enable trace events + +Use "-d trace:help" to get a list of trace events. +---------------------------- + +However, the options of "trace:PATTERN" are only printed by +"qemu-system-x86_64 -d help", but missing in hmp "help log" command. + +Fixes: c84ea00dc2 ("log: add "-d trace:PATTERN"") +Cc: Joe Jin +Signed-off-by: Dongli Zhang +Message-Id: <20220831213943.8155-1-dongli.zhang@oracle.com> +Reviewed-by: Markus Armbruster +Signed-off-by: Dr. 
David Alan Gilbert + +Signed-off-by: tangbinzy +--- + monitor/hmp.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/monitor/hmp.c b/monitor/hmp.c +index b20737e63c..9cbbe52812 100644 +--- a/monitor/hmp.c ++++ b/monitor/hmp.c +@@ -285,10 +285,15 @@ void help_cmd(Monitor *mon, const char *name) + if (!strcmp(name, "log")) { + const QEMULogItem *item; + monitor_printf(mon, "Log items (comma separated):\n"); +- monitor_printf(mon, "%-10s %s\n", "none", "remove all logs"); ++ monitor_printf(mon, "%-15s %s\n", "none", "remove all logs"); + for (item = qemu_log_items; item->mask != 0; item++) { +- monitor_printf(mon, "%-10s %s\n", item->name, item->help); ++ monitor_printf(mon, "%-15s %s\n", item->name, item->help); + } ++#ifdef CONFIG_TRACE_LOG ++ monitor_printf(mon, "trace:PATTERN enable trace events\n"); ++ monitor_printf(mon, "\nUse \"log trace:help\" to get a list of " ++ "trace events.\n\n"); ++#endif + return; + } + +-- +2.41.0.windows.1 + diff --git a/nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch b/nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch new file mode 100644 index 00000000..0d036345 --- /dev/null +++ b/nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch 
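Review bot: The added `trace:PATTERN enable trace events` line in help_cmd() is a hand-spaced literal, while every other item in the loop is printed with the `"%-15s %s\n"` format that this same hunk just widened; printing it as `monitor_printf(mon, "%-15s %s\n", "trace:PATTERN", "enable trace events");` keeps the column aligned if the width changes again.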
@@ -0,0 +1,90 @@ +From fa58315ae2b81ea8b5b352bf19ff6bc1d3a4c684 Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Thu, 22 Aug 2024 09:35:29 -0500 +Subject: [PATCH] nbd/server: CVE-2024-7409: Avoid use-after-free when closing + server + +Commit 3e7ef738 plugged the use-after-free of the global nbd_server +object, but overlooked a use-after-free of nbd_server->listener. +Although this race is harder to hit, notice that our shutdown path +first drops the reference count of nbd_server->listener, then triggers +actions that can result in a pending client reaching the +nbd_blockdev_client_closed() callback, which in turn calls +qio_net_listener_set_client_func on a potentially stale object. + +If we know we don't want any more clients to connect, and have already +told the listener socket to shut down, then we should not be trying to +update the listener socket's associated function. + +Reproducer: + +> #!/usr/bin/python3 +> +> import os +> from threading import Thread +> +> def start_stop(): +> while 1: +> os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-start", ++"arguments":{"addr":{"type":"unix","data":{"path":"/tmp/nbd-sock"}}}}\'') +> os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-stop"}\'') +> +> def nbd_list(): +> while 1: +> os.system('/path/to/build/qemu-nbd -L -k /tmp/nbd-sock') +> +> def test(): +> sst = Thread(target=start_stop) +> sst.start() +> nlt = Thread(target=nbd_list) +> nlt.start() +> +> sst.join() +> nlt.join() +> +> test() + +Fixes: CVE-2024-7409 +Fixes: 3e7ef738c8 ("nbd/server: CVE-2024-7409: Close stray clients at server-stop") +CC: qemu-stable@nongnu.org +Reported-by: Andrey Drobyshev +Signed-off-by: Eric Blake +Message-ID: <20240822143617.800419-2-eblake@redhat.com> +Reviewed-by: Stefan Hajnoczi +--- + blockdev-nbd.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/blockdev-nbd.c b/blockdev-nbd.c +index c71ca38d29..94e9eddc3c 100644 +--- a/blockdev-nbd.c ++++ 
b/blockdev-nbd.c +@@ -87,10 +87,13 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc, + + static void nbd_update_server_watch(NBDServerData *s) + { +- if (!s->max_connections || s->connections < s->max_connections) { +- qio_net_listener_set_client_func(s->listener, nbd_accept, NULL, NULL); +- } else { +- qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL); ++ if (s->listener) { ++ if (!s->max_connections || s->connections < s->max_connections) { ++ qio_net_listener_set_client_func(s->listener, nbd_accept, NULL, ++ NULL); ++ } else { ++ qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL); ++ } + } + } + +@@ -108,6 +111,7 @@ static void nbd_server_free(NBDServerData *server) + */ + qio_net_listener_disconnect(server->listener); + object_unref(OBJECT(server->listener)); ++ server->listener = NULL; + QLIST_FOREACH_SAFE(conn, &server->conns, next, tmp) { + qio_channel_shutdown(QIO_CHANNEL(conn->cioc), QIO_CHANNEL_SHUTDOWN_BOTH, + NULL); +-- +2.41.0.windows.1 + diff --git a/ppc-vof-Fix-unaligned-FDT-property-access.patch b/ppc-vof-Fix-unaligned-FDT-property-access.patch new file mode 100644 index 00000000..ee6eb267 --- /dev/null +++ b/ppc-vof-Fix-unaligned-FDT-property-access.patch 
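Review bot: The `if (s->listener)` guard in nbd_update_server_watch() now encodes "server is shutting down", and the only thing that makes that true is the new `server->listener = NULL;` placed before the QLIST_FOREACH_SAFE loop that shuts down client channels; a one-line comment at each site would stop a future reader from reordering the unref and the loop or removing the guard as redundant. The ordering in the hunk is correct as written: the NULL store precedes the shutdowns that can reach nbd_blockdev_client_closed().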
@@ -0,0 +1,33 @@ +From 387b359dd8713cdf5e234bdbc41bc6546934c160 Mon Sep 17 00:00:00 2001 +From: Akihiko Odaki +Date: Mon, 8 Jul 2024 15:55:13 +0900 +Subject: [PATCH] ppc/vof: Fix unaligned FDT property access + +FDT properties are aligned by 4 bytes, not 8 bytes. + +Signed-off-by: Akihiko Odaki +Reviewed-by: Peter Maydell +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Nicholas Piggin +(cherry picked from commit 785c8637f9d2362a8addf4ded853d975955a9d6b) +Signed-off-by: zhujun2 +--- + hw/ppc/vof.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/ppc/vof.c b/hw/ppc/vof.c +index b1aa0ceb8b..cb1ae6fabf 100644 +--- a/hw/ppc/vof.c ++++ b/hw/ppc/vof.c +@@ -648,7 +648,7 @@ static void vof_dt_memory_available(void *fdt, GArray *claimed, uint64_t base) + mem0_reg = fdt_getprop(fdt, offset, "reg", &proplen); + g_assert(mem0_reg && proplen == sizeof(uint32_t) * (ac + sc)); + if (sc == 2) { +- mem0_end = be64_to_cpu(*(uint64_t *)(mem0_reg + sizeof(uint32_t) * ac)); ++ mem0_end = ldq_be_p(mem0_reg + sizeof(uint32_t) * ac); + } else { + mem0_end = be32_to_cpu(*(uint32_t *)(mem0_reg + sizeof(uint32_t) * ac)); + } +-- +2.41.0.windows.1 + diff --git a/qemu.spec b/qemu.spec index 409feba2..fa7c941a 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 6.2.0 -Release: 98 +Release: 99 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 
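Review bot: The vof_dt_memory_available() hunk replaces the 64-bit deref with `ldq_be_p()`, but the `else` branch still does `be32_to_cpu(*(uint32_t *)(...))`; that one is 4-byte aligned so it is not a bug, yet using `ldl_be_p()` there too would make both branches read the FDT property the same way and avoid anyone re-introducing a cast-based access later.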
@@ -1005,6 +1005,45 @@ Patch0990: aspeed-hace-Initialize-g_autofree-pointer.patch Patch0991: migration-Skip-only-empty-block-devices.patch Patch0992: hmat-acpi-Fix-out-of-bounds-access-due-to-missing-us.patch Patch0993: pci-host-designware-Limit-value-range-of-iATU-viewpo.patch +Patch0994: hw-misc-applesmc-Fix-memory-leak-in-reset-handler.patch +Patch0995: virtio-net-Fix-vhost-virtqueue-notifiers-for-RSS.patch +Patch0996: ui-reject-extended-clipboard-message-if-not-activate.patch +Patch0997: vhost-user-server-do-not-set-memory-fd-non-blocking.patch +Patch0998: hw-audio-es1370-Clean-up-comment.patch +Patch0999: virtio-rng-block-max-bytes-0-MIME-Version-1.0.patch +Patch1000: rtl8139-Fix-behaviour-for-old-kernels.patch +Patch1001: virtio-pci-Fix-the-use-of-an-uninitialized-irqfd.patch +Patch1002: target-rx-Use-target_ulong-for-address-in-LI.patch +Patch1003: spapr-Free-stdout-path.patch +Patch1004: crypto-block-luks-make-range-overlap-check-more-read.patch +Patch1005: tpm_crb-Avoid-backend-startup-just-before-shutdown-u.patch +Patch1006: monitor-hmp-print-trace-as-option-in-help-for-log-co.patch +Patch1007: KVM-use-store-release-to-mark-dirty-pages-as-harvest.patch +Patch1008: spapr_pci-fix-leak-in-spapr_phb_vfio_get_loc_code.patch +Patch1009: smbios-sanitize-type-from-external-type-before-check.patch +Patch1010: hw-ppc-spapr-Use-qemu_vfree-to-free-spapr-htab.patch +Patch1011: char-stdio-Restore-blocking-mode-of-stdout-on-exit.patch +Patch1012: virtio-remove-virtio_tswap16s-call-in-vring_packed_e.patch +Patch1013: hw-display-vhost-user-gpu.c-fix-vhost_user_gpu_chr_r.patch +Patch1014: crypto-tlscredspsk-Free-username-on-finalize.patch +Patch1015: hw-remote-message.c-Don-t-directly-invoke-DeviceClas.patch +Patch1016: hw-dma-xilinx_axidma-Use-semicolon-at-end-of-stateme.patch +Patch1017: savevm-Fix-load_snapshot-error-path-crash.patch +Patch1018: vvfat-Fix-bug-in-writing-to-middle-of-file.patch +Patch1019: vvfat-Fix-reading-files-with-non-continuous-clusters.patch 
+Patch1020: ppc-vof-Fix-unaligned-FDT-property-access.patch +Patch1021: nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch +Patch1022: virtio-net-Ensure-queue-index-fits-with-RSS-CVE-2024.patch +Patch1023: vdpa-block-device-capacity-expansion-online.patch +Patch1024: tests-test-qga-close-socket-on-failure-to-connect.patch +Patch1025: tests-unit-add-NULL-pointer-check.patch +Patch1026: tests-mark-io-command-test-as-skipped-if-socat-is-mi.patch +Patch1027: tests-qtest-npcm7xx-emc-test-Skip-checking-MAC.patch +Patch1028: hw-microblaze-pass-random-seed-to-fdt.patch +Patch1029: target-arm-Fix-alignment-for-VLD4.32.patch +Patch1030: hw-net-lan9118-Signal-TSFL_INT-flag-when-TX-FIFO-rea.patch +Patch1031: qtest-fuzz-lsi53c895a-test-set-guest-RAM-to-2G.patch +Patch1032: target-i386-Introduce-SapphireRapids-v3-to-add-missi.patch BuildRequires: flex BuildRequires: gcc 
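Review bot: This hunk only declares Patch0994 through Patch1032; nothing in the diff shows how %prep applies them, so confirm the spec uses %autosetup (or has matching %patch lines) so the new patches are actually applied to the 6.2.0 tree and not just listed.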
@@ -1603,6 +1642,47 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Wed Sep 18 2024 - 10:6.2.0-99 +- target/i386: Introduce SapphireRapids-v3 to add missing features +- qtest/fuzz-lsi53c895a-test: set guest RAM to 2G +- hw/net/lan9118: Signal TSFL_INT flag when TX FIFO reaches specified level +- target/arm: Fix alignment for VLD4.32 +- hw/microblaze: pass random seed to fdt +- tests/qtest: npcm7xx-emc-test: Skip checking MAC +- tests: mark io-command test as skipped if socat is missing +- tests: unit: add NULL-pointer check +- tests: test-qga: close socket on failure to connect +- vdpa:block device capacity expansion online support vdpa block device update capacity. +- virtio-net: Ensure queue index fits with RSS(CVE-2024-6505) +- nbd/server: CVE-2024-7409: Avoid use-after-free when closing server +- ppc/vof: Fix unaligned FDT property access +- vvfat: Fix reading files with non-continuous clusters +- vvfat: Fix bug in writing to middle of file +- savevm: Fix load_snapshot error path crash +- hw/dma/xilinx_axidma: Use semicolon at end of statement, not comma +- hw/remote/message.c: Don't directly invoke DeviceClass:reset +- crypto/tlscredspsk: Free username on finalize +- hw/display/vhost-user-gpu.c: fix vhost_user_gpu_chr_read() +- virtio: remove virtio_tswap16s() call in vring_packed_event_read() +- char-stdio: Restore blocking mode of stdout on exit +- hw/ppc: spapr: Use qemu_vfree() to free spapr->htab +- smbios: sanitize type from external type before checking have_fields_bitmap +- spapr_pci: fix leak in spapr_phb_vfio_get_loc_code +- KVM: use store-release to mark dirty pages as harvested +- monitor/hmp: print trace as option in help for log command +- tpm_crb: Avoid backend startup just before shutdown under Xen +- crypto/block-luks: make range overlap check more readable +- spapr: Free stdout path +- target/rx: Use target_ulong for address in LI +- virtio-pci: Fix the use of an uninitialized irqfd +- rtl8139: Fix behaviour for old kernels. 
+- virtio-rng: block max-bytes=0 MIME-Version: 1.0 +- hw/audio/es1370: Clean up comment +- vhost-user-server: do not set memory fd non-blocking +- ui: reject extended clipboard message if not activated +- virtio-net: Fix vhost virtqueue notifiers for RSS +- hw/misc/applesmc: Fix memory leak in reset() handler + * Wed Aug 21 2024 - 10:6.2.0-98 - pci-host: designware: Limit value range of iATU viewport register - hmat acpi: Fix out of bounds access due to missing use of indirection diff --git a/qtest-fuzz-lsi53c895a-test-set-guest-RAM-to-2G.patch b/qtest-fuzz-lsi53c895a-test-set-guest-RAM-to-2G.patch new file mode 100644 index 00000000..006e46d7 --- /dev/null +++ b/qtest-fuzz-lsi53c895a-test-set-guest-RAM-to-2G.patch 
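Review bot: Two %changelog entries in this hunk carry copy-paste residue: "virtio-rng: block max-bytes=0 MIME-Version: 1.0" has a mail header fused into the subject, and "vdpa:block device capacity expansion online support vdpa block device update capacity." is the subject plus body run together; trim both to the patch subject line so the changelog stays readable.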
@@ -0,0 +1,43 @@ +From c113a6e7135eb5f3676c59f733dd109a8be95b44 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Tue, 10 Sep 2024 11:48:29 +0000 +Subject: [PATCH] qtest/fuzz-lsi53c895a-test: set guest RAM to 2G mainline + inclusion commit a772ddc1c013c3ff54cd6bc5f1e4a9107093fc01 category: bugfix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--------------------------------------------------------------- + +test_lsi_do_msgout_cancel_req does not run on machines with small size +memory. Reduce guest memory from 4G to 2G to alleviate the problem. + +Reported-by: Bin Meng +Signed-off-by: Mauro Matteo Cascella +Message-Id: <20220902133853.834065-1-mcascell@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé +Tested-by: Bin Meng +Reviewed-by: Alexander Bulekov +Signed-off-by: Thomas Huth + +Signed-off-by: tangbinzy +--- + tests/qtest/fuzz-lsi53c895a-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c +index 9c50958796..bd18e8622e 100644 +--- a/tests/qtest/fuzz-lsi53c895a-test.c ++++ b/tests/qtest/fuzz-lsi53c895a-test.c +@@ -51,7 +51,7 @@ static void test_lsi_do_msgout_cancel_req(void) + return; + } + +- s = qtest_init("-M q35 -m 4G -display none -nodefaults " ++ s = qtest_init("-M q35 -m 2G -display none -nodefaults " + "-device lsi53c895a,id=scsi " + "-device scsi-hd,drive=disk0 " + "-drive file=null-co://,id=disk0,if=none,format=raw"); +-- +2.41.0.windows.1 + diff --git a/rtl8139-Fix-behaviour-for-old-kernels.patch b/rtl8139-Fix-behaviour-for-old-kernels.patch new file mode 100644 index 00000000..a59e96fe --- /dev/null +++ b/rtl8139-Fix-behaviour-for-old-kernels.patch 
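Review bot: The only change is `-m 4G` to `-m 2G` in test_lsi_do_msgout_cancel_req(); the commit message explains why 4G was too large but not that the cancel-request reproducer still triggers at 2G, which is what a Tested-by on a regression test is really vouching for, so a sentence to that effect would help.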
@@ -0,0 +1,35 @@ +From b5bcfc82399f2651e8370fe25e07104327ed5ae4 Mon Sep 17 00:00:00 2001 +From: dinglimin +Date: Mon, 26 Aug 2024 18:27:47 +0800 +Subject: [PATCH] rtl8139: Fix behaviour for old kernels. + +Old linux kernel rtl8139 drivers (ex. debian 2.1) uses outb to set the rx +mode for RxConfig. Unfortunatelly qemu does not support outb for RxConfig. + +Signed-off-by: Hans +Signed-off-by: Jason Wang +Signed-off-by: dinglimin +--- + hw/net/rtl8139.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c +index 8af396cf06..7bcc05e2a5 100644 +--- a/hw/net/rtl8139.c ++++ b/hw/net/rtl8139.c +@@ -2746,7 +2746,11 @@ static void rtl8139_io_writeb(void *opaque, uint8_t addr, uint32_t val) + } + + break; +- ++ case RxConfig: ++ DPRINTF("RxConfig write(b) val=0x%02x\n", val); ++ rtl8139_RxConfig_write(s, ++ (rtl8139_RxConfig_read(s) & 0xFFFFFF00) | val); ++ break; + default: + DPRINTF("not implemented write(b) addr=0x%x val=0x%02x\n", addr, + val); +-- +2.41.0.windows.1 + diff --git a/savevm-Fix-load_snapshot-error-path-crash.patch b/savevm-Fix-load_snapshot-error-path-crash.patch new file mode 100644 index 00000000..22033f73 --- /dev/null +++ b/savevm-Fix-load_snapshot-error-path-crash.patch 
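Review bot: The new `case RxConfig:` in rtl8139_io_writeb() merges `val` into the low byte only, which matches the byte-0 outb the commit message describes; the message should say whether byte writes to RxConfig+1..+3 are expected, since this switch dispatches on the register base and those offsets would still fall through to the "not implemented" default. The commit text also has a typo ("Unfortunatelly").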
@@ -0,0 +1,36 @@ +From 9c5278b1cb8c4f524f519e4f54332c5333a8e4a2 Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Thu, 5 Sep 2024 04:13:36 -0700 +Subject: [PATCH] savevm: Fix load_snapshot error path crash +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +An error path missed setting *errp, which can cause a NULL deref. + +Reviewed-by: Alex Bennée +Signed-off-by: Nicholas Piggin +Message-Id: <20240813050638.446172-11-npiggin@gmail.com> +Signed-off-by: Alex Bennée +Message-Id: <20240813202329.1237572-19-alex.bennee@linaro.org> +(cherry picked from commit 97d2b66dcd8c771065807b4acfd0002dac4385be) +Signed-off-by: zhujun2 +--- + migration/savevm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/migration/savevm.c b/migration/savevm.c +index d59e976d50..b501504bd5 100644 +--- a/migration/savevm.c ++++ b/migration/savevm.c +@@ -3022,6 +3022,7 @@ bool load_snapshot(const char *name, const char *vmstate, + ret = bdrv_snapshot_find(bs_vm_state, &sn, name); + aio_context_release(aio_context); + if (ret < 0) { ++ error_setg(errp, "Snapshot can not be found"); + return false; + } else if (sn.vm_state_size == 0) { + error_setg(errp, "This is a disk-only snapshot. Revert to it " +-- +2.41.0.windows.1 + diff --git a/smbios-sanitize-type-from-external-type-before-check.patch b/smbios-sanitize-type-from-external-type-before-check.patch new file mode 100644 index 00000000..f9ce5f02 --- /dev/null +++ b/smbios-sanitize-type-from-external-type-before-check.patch 
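Review bot: The new error in load_snapshot() should include the snapshot name that is in scope from the function signature, e.g. `error_setg(errp, "Snapshot '%s' not found", name);`, so the HMP/QMP caller can tell which snapshot lookup failed rather than only that one did.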
@@ -0,0 +1,51 @@ +From 27179c493623b7758aead29955e96a6c52248502 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Wed, 4 Sep 2024 07:56:16 +0000 +Subject: [PATCH] smbios: sanitize type from external type before checking + have_fields_bitmap mainline inclusion commit + 57e3069641d057a9ca90bb603c86477d5b331ecd category: bugfix + +--------------------------------------------------------------- + +test_bit uses header->type as an offset; if the file incorrectly specifies a +type greater than 127, smbios_entry_add will read and write garbage. + +To fix this, just pass the smbios data through, assuming the user knows what +to do. Reported by Coverity as CID 1487255. + +Signed-off-by: Paolo Bonzini + +Signed-off-by: tangbinzy +--- + hw/smbios/smbios.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c +index f73b9417c8..d506fd4e7e 100644 +--- a/hw/smbios/smbios.c ++++ b/hw/smbios/smbios.c +@@ -1171,13 +1171,15 @@ void smbios_entry_add(QemuOpts *opts, Error **errp) + return; + } + +- if (test_bit(header->type, have_fields_bitmap)) { +- error_setg(errp, +- "can't load type %d struct, fields already specified!", +- header->type); +- return; ++ if (header->type <= SMBIOS_MAX_TYPE) { ++ if (test_bit(header->type, have_fields_bitmap)) { ++ error_setg(errp, ++ "can't load type %d struct, fields already specified!", ++ header->type); ++ return; ++ } ++ set_bit(header->type, have_binfile_bitmap); + } +- set_bit(header->type, have_binfile_bitmap); + + if (header->type == 4) { + smbios_type4_count++; +-- +2.41.0.windows.1 + diff --git a/spapr-Free-stdout-path.patch b/spapr-Free-stdout-path.patch new file mode 100644 index 00000000..aa82540c --- /dev/null +++ b/spapr-Free-stdout-path.patch 
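Review bot: The `if (header->type <= SMBIOS_MAX_TYPE)` check is inclusive, so have_fields_bitmap and have_binfile_bitmap must be declared with SMBIOS_MAX_TYPE + 1 bits for the test_bit/set_bit calls to stay in bounds; neither the bitmap declarations nor the SMBIOS_MAX_TYPE definition is in this hunk, so please confirm that in the commit message. A brief comment that out-of-range types are deliberately passed through unchecked would also save the next reader from "fixing" it back.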
@@ -0,0 +1,30 @@ +From 3dd770cfc6a59b45c3a960177f36e57612cf8818 Mon Sep 17 00:00:00 2001 +From: dinglimin +Date: Mon, 2 Sep 2024 16:47:04 +0800 +Subject: [PATCH] spapr: Free stdout path + +cheery-pick from 8af863f2bd976b937f7e3d38b2ab1813b2fa1d9d + +This fixes LeakSanitizer warnings. + +Signed-off-by: dinglimin +--- + hw/ppc/spapr_vof.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/ppc/spapr_vof.c b/hw/ppc/spapr_vof.c +index 40ce8fe003..e437cab642 100644 +--- a/hw/ppc/spapr_vof.c ++++ b/hw/ppc/spapr_vof.c +@@ -29,7 +29,7 @@ target_ulong spapr_h_vof_client(PowerPCCPU *cpu, SpaprMachineState *spapr, + + void spapr_vof_client_dt_finalize(SpaprMachineState *spapr, void *fdt) + { +- char *stdout_path = spapr_vio_stdout_path(spapr->vio_bus); ++ g_autofree char *stdout_path = spapr_vio_stdout_path(spapr->vio_bus); + + vof_build_dt(fdt, spapr->vof); + +-- +2.41.0.windows.1 + diff --git a/spapr_pci-fix-leak-in-spapr_phb_vfio_get_loc_code.patch b/spapr_pci-fix-leak-in-spapr_phb_vfio_get_loc_code.patch new file mode 100644 index 00000000..4a0ae637 --- /dev/null +++ b/spapr_pci-fix-leak-in-spapr_phb_vfio_get_loc_code.patch 
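Review bot: Making stdout_path `g_autofree` is only safe if the rest of spapr_vof_client_dt_finalize() neither frees it nor stores the pointer beyond the function, and that body is not in the hunk; a sentence confirming this in the commit message would help. The message also says "cheery-pick" where "cherry-pick" is meant.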
@@ -0,0 +1,35 @@ +From 401dbfbce0b9acbc59f953d80461781afca4b0f7 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Wed, 4 Sep 2024 06:53:37 +0000 +Subject: [PATCH] spapr_pci: fix leak in spapr_phb_vfio_get_loc_code mainline + inclusion commit c4ef328bdc5dac319c8a1bdbe6d4108382b41584 category: bugfix + +--------------------------------------------------------------- + +Overwriting "path" in the second call to g_strdup_printf() causes a memory leak, +even if the variable itself is g_autofree. + +Reported by Coverity as CID 1460454. + +Signed-off-by: Paolo Bonzini + +Signed-off-by: tangbinzy +--- + hw/ppc/spapr_pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c +index 3b518f1be9..567bc8481c 100644 +--- a/hw/ppc/spapr_pci.c ++++ b/hw/ppc/spapr_pci.c +@@ -800,6 +800,7 @@ static char *spapr_phb_vfio_get_loc_code(SpaprPhbState *sphb, PCIDevice *pdev) + } + + /* Construct and read from host device tree the loc-code */ ++ g_free(path); + path = g_strdup_printf("/proc/device-tree%s/ibm,loc-code", devspec); + if (!g_file_get_contents(path, &buf, NULL, NULL)) { + return NULL; +-- +2.41.0.windows.1 + diff --git a/target-arm-Fix-alignment-for-VLD4.32.patch b/target-arm-Fix-alignment-for-VLD4.32.patch new file mode 100644 index 00000000..a0ca8c6b --- /dev/null +++ b/target-arm-Fix-alignment-for-VLD4.32.patch 
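Review bot: Inserting `g_free(path);` before the second g_strdup_printf() plugs the leak, but reusing a g_autofree variable this way is exactly the pattern that caused it; a separate `g_autofree char *loc_path` for the ibm,loc-code lookup would remove the need to remember the manual free.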
@@ -0,0 +1,50 @@ +From 6a071b8797f06850073b3a095a622117e554f302 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 9 Sep 2024 08:29:05 +0000 +Subject: [PATCH] target/arm: Fix alignment for VLD4.32 mainline inclusion + commit 3a661024cc680104ce2cd21f8f5466dacba6f405 category: bugfix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--------------------------------------------------------------- + +When requested, the alignment for VLD4.32 is 8 and not 16. + +See ARM documentation about VLD4 encoding: + ebytes = 1 << UInt(size); + if size == '10' then + alignment = if a == '0' then 1 else 8; + else + alignment = if a == '0' then 1 else 4*ebytes; + +Signed-off-by: Clément Chigot +Reviewed-by: Richard Henderson +Message-id: 20220914105058.2787404-1-chigot@adacore.com +Signed-off-by: Peter Maydell + +Signed-off-by: tangbinzy +--- + target/arm/translate-neon.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/target/arm/translate-neon.c b/target/arm/translate-neon.c +index dd43de558e..761fd6a755 100644 +--- a/target/arm/translate-neon.c ++++ b/target/arm/translate-neon.c +@@ -586,7 +586,11 @@ static bool trans_VLD_all_lanes(DisasContext *s, arg_VLD_all_lanes *a) + case 3: + return false; + case 4: +- align = pow2_align(size + 2); ++ if (size == 2) { ++ align = pow2_align(3); ++ } else { ++ align = pow2_align(size + 2); ++ } + break; + default: + g_assert_not_reached(); +-- +2.41.0.windows.1 + diff --git a/target-i386-Introduce-SapphireRapids-v3-to-add-missi.patch b/target-i386-Introduce-SapphireRapids-v3-to-add-missi.patch new file mode 100644 index 00000000..ef505244 --- /dev/null +++ b/target-i386-Introduce-SapphireRapids-v3-to-add-missi.patch 
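Review bot: The `if (size == 2) { align = pow2_align(3); }` branch in trans_VLD_all_lanes() hard-codes the special case; a comment quoting the decode rule from the commit message (size '10' gives alignment 8, otherwise 4*ebytes) next to the branch would explain why 3 is right here and pow2_align(size + 2) is wrong.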
@@ -0,0 +1,48 @@ +From 147ca6c521c4b59a5dd610e3a2bcd9553901ba6a Mon Sep 17 00:00:00 2001 +From: Lei Wang +Date: Wed, 24 Apr 2024 03:29:12 -0400 +Subject: [PATCH] target/i386: Introduce SapphireRapids-v3 to add missing + features + +commit b10b2481738304db13d28252e86c10555121a5b3 upstream. + +Add the missing features(ss, tsc-adjust, cldemote, movdiri, movdir64b) in +the SapphireRapids-v3 CPU model. + +Intel-SIG: commit b10b24817383 target/i386: Introduce SapphireRapids-v3 to add missing features. +6.2-SPR new model support + +Signed-off-by: Lei Wang +Message-ID: <20240424072912.43188-1-lei4.wang@intel.com> +Signed-off-by: Paolo Bonzini +[ Quanxian Wang: amend commit log ] +Signed-off-by: Quanxian Wang +--- + target/i386/cpu.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 4c8453e0df..4473e0923e 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -3754,6 +3754,17 @@ static const X86CPUDefinition builtin_x86_defs[] = { + { /* end of list */ } + } + }, ++ { ++ .version = 3, ++ .props = (PropValue[]) { ++ { "ss", "on" }, ++ { "tsc-adjust", "on" }, ++ { "cldemote", "on" }, ++ { "movdiri", "on" }, ++ { "movdir64b", "on" }, ++ { /* end of list */ } ++ } ++ }, + { /* end of list */ } + } + }, +-- +2.41.0.windows.1 + diff --git a/target-rx-Use-target_ulong-for-address-in-LI.patch b/target-rx-Use-target_ulong-for-address-in-LI.patch new file mode 100644 index 00000000..d1aa0f0b --- /dev/null +++ b/target-rx-Use-target_ulong-for-address-in-LI.patch 
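Review bot: The new `.version = 3` entry for SapphireRapids lists the five added feature props but carries no description of what changed; if this version table supports a `.note` string as other models do, adding one saying these features were missing from v2 would make query-cpu-definitions output self-explanatory. The backport marker "6.2-SPR new model support" should also be a proper sentence in the commit message.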
@@ -0,0 +1,35 @@ +From 3d5808bb00ec5cf2f2e78aa570a202af2ed3e201 Mon Sep 17 00:00:00 2001 +From: dinglimin +Date: Mon, 2 Sep 2024 14:42:51 +0800 +Subject: [PATCH] target/rx: Use target_ulong for address in LI + +cheery-pick from 83340193b991e7a974f117baa86a04db1fd835a9 + +Using int32_t meant that the address was sign-extended to uint64_t +when passing to translator_ld*, triggering an assert. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2453 +Signed-off-by: Richard Henderson +Tested-by: Thomas Huth +Signed-off-by: dinglimin +--- + target/rx/translate.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/target/rx/translate.c b/target/rx/translate.c +index 5db8f79a82..aacf59d5cb 100644 +--- a/target/rx/translate.c ++++ b/target/rx/translate.c +@@ -82,7 +82,8 @@ static uint32_t decode_load_bytes(DisasContext *ctx, uint32_t insn, + + static uint32_t li(DisasContext *ctx, int sz) + { +- int32_t tmp, addr; ++ target_ulong addr; ++ uint32_t tmp; + CPURXState *env = ctx->env; + addr = ctx->base.pc_next; + +-- +2.41.0.windows.1 + diff --git a/tests-mark-io-command-test-as-skipped-if-socat-is-mi.patch b/tests-mark-io-command-test-as-skipped-if-socat-is-mi.patch new file mode 100644 index 00000000..f42a01f1 --- /dev/null +++ b/tests-mark-io-command-test-as-skipped-if-socat-is-mi.patch 
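Review bot: Besides changing `addr` to target_ulong, the hunk also changes `tmp` from int32_t to uint32_t, which the commit message does not mention; since li() returns uint32_t, say whether any sign-extension behaviour of the loaded immediate changes with that. "cheery-pick" in the message should read "cherry-pick".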
@@ -0,0 +1,39 @@ +From 62e1305aa46d91915aa987aca125db7f32845cd9 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 9 Sep 2024 07:57:18 +0000 +Subject: [PATCH] tests: mark io-command test as skipped if socat is missing + mainline inclusion commit 525207cd77adb181b4ef61d0b7669f52f737e9d0 category: + bugfix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--------------------------------------------------------------- + +Signed-off-by: Marc-André Lureau +Reviewed-by: Daniel P. Berrangé +Message-Id: <20220901110414.2892954-1-marcandre.lureau@redhat.com> +Signed-off-by: Thomas Huth + +Signed-off-by: tangbinzy +--- + tests/unit/test-io-channel-command.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tests/unit/test-io-channel-command.c b/tests/unit/test-io-channel-command.c +index 99056e07c0..aa09c559cd 100644 +--- a/tests/unit/test-io-channel-command.c ++++ b/tests/unit/test-io-channel-command.c +@@ -41,7 +41,8 @@ static void test_io_channel_command_fifo(bool async) + + unlink(TEST_FIFO); + if (access("/bin/socat", X_OK) < 0) { +- return; /* Pretend success if socat is not present */ ++ g_test_skip("socat is missing"); ++ return; + } + if (mkfifo(TEST_FIFO, 0600) < 0) { + abort(); +-- +2.41.0.windows.1 + diff --git a/tests-qtest-npcm7xx-emc-test-Skip-checking-MAC.patch b/tests-qtest-npcm7xx-emc-test-Skip-checking-MAC.patch new file mode 100644 index 00000000..5ff86c91 --- /dev/null +++ b/tests-qtest-npcm7xx-emc-test-Skip-checking-MAC.patch 
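Review bot: Replacing the silent `return` with `g_test_skip("socat is missing")` is the right fix, but the check it sits under still hard-codes `access("/bin/socat", X_OK)`, so a socat installed only under /usr/bin or elsewhere on PATH will still skip the test; `g_find_program_in_path("socat")` would match what the test actually needs.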
@@ -0,0 +1,39 @@ +From 00edc3a590c95bce8c4fa96dd682edd533280c3e Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 9 Sep 2024 08:15:19 +0000 +Subject: [PATCH] tests/qtest: npcm7xx-emc-test: Skip checking MAC mainline + inclusion commit d1592cbe07fa7b653aa9dde2eb8dafbe1de16885 category: bugfix + +--------------------------------------------------------------- + +The register tests walks all the registers to verify they are initially +0 when appropriate. However, if the MAC address is set in the register +space, this should not be checked against 0. + +Reviewed-by: Hao Wu +Signed-off-by: Patrick Venture +Message-Id: <20220906163138.2831353-1-venture@google.com> +Signed-off-by: Thomas Huth + +Signed-off-by: tangbinzy +--- + tests/qtest/npcm7xx_emc-test.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tests/qtest/npcm7xx_emc-test.c b/tests/qtest/npcm7xx_emc-test.c +index 9eec71d87c..1bc1d821c5 100644 +--- a/tests/qtest/npcm7xx_emc-test.c ++++ b/tests/qtest/npcm7xx_emc-test.c +@@ -378,7 +378,8 @@ static void test_init(gconstpointer test_data) + + #undef CHECK_REG + +- for (i = 0; i < NUM_CAMML_REGS; ++i) { ++ /* Skip over the MAC address registers, which is BASE+0 */ ++ for (i = 1; i < NUM_CAMML_REGS; ++i) { + g_assert_cmpuint(emc_read(qts, mod, REG_CAMM_BASE + i * 2), ==, + 0); + g_assert_cmpuint(emc_read(qts, mod, REG_CAML_BASE + i * 2), ==, +-- +2.41.0.windows.1 + diff --git a/tests-test-qga-close-socket-on-failure-to-connect.patch b/tests-test-qga-close-socket-on-failure-to-connect.patch new file mode 100644 index 00000000..08809d38 --- /dev/null +++ b/tests-test-qga-close-socket-on-failure-to-connect.patch 
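Review bot: Starting the loop at `i = 1` skips index 0 for both `REG_CAMM_BASE` and `REG_CAML_BASE` reads in the body, but the new comment only mentions "the MAC address registers, which is BASE+0"; say explicitly that both the CAMM and CAML entries are skipped and fix the grammar ("which are").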
@@ -0,0 +1,32 @@ +From 18e9e427e2355afab0c17ffaa85d3120837e292c Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 9 Sep 2024 07:41:17 +0000 +Subject: [PATCH] tests: test-qga: close socket on failure to connect mainline + inclusion commit 5dc51100394206b4ca3fdcafb008de8f99fc4676 category: bugfix + +--------------------------------------------------------------- + +Reported by Coverity as CID 1432543. + +Signed-off-by: Paolo Bonzini + +Signed-off-by: tangbinzy +--- + tests/unit/test-qga.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tests/unit/test-qga.c b/tests/unit/test-qga.c +index 5cb140d1b5..e6564c673b 100644 +--- a/tests/unit/test-qga.c ++++ b/tests/unit/test-qga.c +@@ -32,6 +32,7 @@ static int connect_qga(char *path) + g_usleep(G_USEC_PER_SEC); + } + if (i++ == 10) { ++ close(s); + return -1; + } + } while (ret == -1); +-- +2.41.0.windows.1 + diff --git a/tests-unit-add-NULL-pointer-check.patch b/tests-unit-add-NULL-pointer-check.patch new file mode 100644 index 00000000..6f5973ff --- /dev/null +++ b/tests-unit-add-NULL-pointer-check.patch 
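Review bot: The `close(s)` on the give-up path is correct, but it is the only `return -1` visible in this hunk; please confirm connect_qga() has no other early-return path that also leaks the socket, since the Coverity CID presumably flagged just this one.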
@@ -0,0 +1,39 @@ +From f2f914e1868a83ffef1580465988557df0257bc6 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 9 Sep 2024 07:54:12 +0000 +Subject: [PATCH] tests: unit: add NULL-pointer check mainline inclusion commit + b3a58a6ae346f14075af0df7f9903ad389c33dbd category: bugfix + +--------------------------------------------------------------- + +In CID 1432593, Coverity complains that the result of qdict_crumple() +might leak if it is not a dictionary. This is not a practical concern +since the test would fail immediately with a NULL pointer dereference +in qdict_size(). + +However, it is not nice to depend on qdict_size() crashing, so add an +explicit assertion that that the crumpled object was indeed a dictionary. + +Signed-off-by: Paolo Bonzini + +Signed-off-by: tangbinzy +--- + tests/unit/check-block-qdict.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/unit/check-block-qdict.c b/tests/unit/check-block-qdict.c +index 5a25825093..751c58e737 100644 +--- a/tests/unit/check-block-qdict.c ++++ b/tests/unit/check-block-qdict.c +@@ -504,7 +504,7 @@ static void qdict_crumple_test_empty(void) + src = qdict_new(); + + dst = qobject_to(QDict, qdict_crumple(src, &error_abort)); +- ++ g_assert(dst); + g_assert_cmpint(qdict_size(dst), ==, 0); + + qobject_unref(src); +-- +2.41.0.windows.1 + diff --git a/tpm_crb-Avoid-backend-startup-just-before-shutdown-u.patch b/tpm_crb-Avoid-backend-startup-just-before-shutdown-u.patch new file mode 100644 index 00000000..fca83907 --- /dev/null +++ b/tpm_crb-Avoid-backend-startup-just-before-shutdown-u.patch 
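Review bot: The `g_assert(dst)` is added in place of the blank line after the qobject_to() assignment rather than alongside it; keeping the blank line separating the assertions from the setup is minor style. The commit message has a doubled word ("that that the crumpled object").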
@@ -0,0 +1,58 @@ +From 5cafaebb7f31713b826a678e79eef976beb8caf6 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Tue, 3 Sep 2024 01:56:25 +0000 +Subject: [PATCH] tpm_crb: Avoid backend startup just before shutdown under Xen + mainline inclusion commit f0ccce6a95f6ff947040692ef941230918181562 category: + bugfix + +--------------------------------------------------------------- + +When running under Xen and the guest reboots, it boots into a new domain +with a new QEMU process (and a new swtpm process if using the emulator +backend). The existing reset function is triggered just before the old +QEMU process exits which causes QEMU to start up the TPM backend and +then immediately shut it down. This is probably harmless but when using +the emulated backend, it wastes CPU and IO time reloading state, etc. + +Fix this by calling the reset function directly from realize() when +running under Xen. During a reboot, this will be called by the QEMU +process for the new domain. + +Signed-off-by: Ross Lagerwall +Reviewed-by: Stefan Berger +Message-id: 20220826143841.1515326-1-ross.lagerwall@citrix.com +Signed-off-by: Stefan Berger + +Signed-off-by: tangbinzy +--- + hw/tpm/tpm_crb.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/hw/tpm/tpm_crb.c b/hw/tpm/tpm_crb.c +index c05972736a..ed89ab4afe 100644 +--- a/hw/tpm/tpm_crb.c ++++ b/hw/tpm/tpm_crb.c +@@ -25,6 +25,7 @@ + #include "sysemu/tpm_backend.h" + #include "sysemu/tpm_util.h" + #include "sysemu/reset.h" ++#include "sysemu/xen.h" + #include "tpm_prop.h" + #include "tpm_ppi.h" + #include "trace.h" +@@ -307,7 +308,11 @@ static void tpm_crb_realize(DeviceState *dev, Error **errp) + TPM_PPI_ADDR_BASE, OBJECT(s)); + } + +- qemu_register_reset(tpm_crb_reset, dev); ++ if (xen_enabled()) { ++ tpm_crb_reset(dev); ++ } else { ++ qemu_register_reset(tpm_crb_reset, dev); ++ } + } + + static void tpm_crb_class_init(ObjectClass *klass, void *data) +-- +2.41.0.windows.1 + 
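Review bot: under `xen_enabled()` the device now never registers a reset handler, so correctness rests entirely on the commit message's claim that a guest reboot under Xen always starts a fresh QEMU process; if the same process ever services a reset while keeping the domain, the CRB registers and the TPM backend will not be reinitialized, which for a TPM is a state-integrity question, not just a performance one. Put that assumption in a comment next to the `if (xen_enabled())` branch so the next reader does not mistake it for an optimization, and confirm `tpm_crb_reset(dev)` is safe to call from `realize()`, where it now runs before the device has been attached to the bus rather than from the reset callback.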
diff --git a/ui-reject-extended-clipboard-message-if-not-activate.patch b/ui-reject-extended-clipboard-message-if-not-activate.patch new file mode 100644 index 00000000..c03b1920 --- /dev/null +++ b/ui-reject-extended-clipboard-message-if-not-activate.patch @@ -0,0 +1,41 @@ +From 5dc2ba3fa793407b1dd6ee1920808a729990abf7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Mon, 15 Jan 2024 09:51:19 +0000 +Subject: [PATCH] ui: reject extended clipboard message if not activated +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The extended clipboard message protocol requires that the client +activate the extension by requesting a pseudo encoding. If this +is not done, then any extended clipboard messages from the client +should be considered invalid and the client dropped. + +Signed-off-by: Daniel P. Berrangé +Reviewed-by: Marc-André Lureau +Message-Id: <20240115095119.654271-1-berrange@redhat.com> +(cherry picked from commit 4cba8388968b70fe20e290221dc421c717051fdd) +Signed-off-by: zhujun2 +--- + ui/vnc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/ui/vnc.c b/ui/vnc.c +index 3cb24badf6..667db3b990 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -2458,6 +2458,11 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len) + } + + if (read_s32(data, 4) < 0) { ++ if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) { ++ error_report("vnc: extended clipboard message while disabled"); ++ vnc_client_error(vs); ++ break; ++ } + if (dlen < 4) { + error_report("vnc: malformed payload (header less than 4 bytes)" + " in extended clipboard pseudo-encoding."); +-- +2.41.0.windows.1 + diff --git a/vdpa-block-device-capacity-expansion-online.patch b/vdpa-block-device-capacity-expansion-online.patch new file mode 100644 index 00000000..c8e11c95 --- /dev/null +++ b/vdpa-block-device-capacity-expansion-online.patch
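Review bot: the ordering is right: the `VNC_FEATURE_CLIPBOARD_EXT` check runs before the `dlen < 4` header validation, so a client that never requested the pseudo-encoding is disconnected before any extended-clipboard parsing starts, and `vnc_client_error(vs); break;` matches the existing error paths in this function. One wording point: the message says "while disabled", but the condition is that the client never activated the extension, so "not activated by client" would describe the rejection more precisely and match the commit message.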
@@ -0,0 +1,50 @@ +From cec9c300b0a2ede77fa12f242ee7fd672546940c Mon Sep 17 00:00:00 2001 +From: jiangdongxu +Date: Sat, 7 Sep 2024 07:11:07 +0000 +Subject: [PATCH] vdpa:block device capacity expansion online support vdpa + block device update capacity. + +Signed-off-by: jiangdongxu +--- + hw/virtio/vdpa-dev.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/hw/virtio/vdpa-dev.c b/hw/virtio/vdpa-dev.c +index 04d8e96a5d..fa3a4dc8bc 100644 +--- a/hw/virtio/vdpa-dev.c ++++ b/hw/virtio/vdpa-dev.c +@@ -32,6 +32,7 @@ + #include "hw/virtio/vdpa-dev-mig.h" + #include "migration/migration.h" + #include "exec/address-spaces.h" ++#include "standard-headers/linux/virtio_ids.h" + + static void + vhost_vdpa_device_dummy_handle_output(VirtIODevice *vdev, VirtQueue *vq) +@@ -202,7 +203,23 @@ static void + vhost_vdpa_device_get_config(VirtIODevice *vdev, uint8_t *config) + { + VhostVdpaDevice *s = VHOST_VDPA_DEVICE(vdev); ++ uint8_t *new_config; ++ int ret; ++ ++ if (s->vdev_id != VIRTIO_ID_BLOCK) { ++ goto out; ++ } + ++ new_config = g_malloc0(s->config_size); ++ ret = vhost_dev_get_config(&s->dev, new_config, s->config_size, NULL); ++ if (ret < 0) { ++ error_report("vhost-vdpa-device: get config failed(%d)\n", ret); ++ goto free; ++ } ++ memcpy(s->config, new_config, s->config_size); ++free: ++ g_free(new_config); ++out: + memcpy(config, s->config, s->config_size); + } + +-- +2.41.0.windows.1 + diff --git a/vhost-user-server-do-not-set-memory-fd-non-blocking.patch b/vhost-user-server-do-not-set-memory-fd-non-blocking.patch new file mode 100644 index 00000000..f53912b3 --- /dev/null +++ b/vhost-user-server-do-not-set-memory-fd-non-blocking.patch 
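Review bot: `error_report()` already terminates the message with a newline, so the trailing `\n` in `"vhost-vdpa-device: get config failed(%d)\n"` produces a blank line in the log and should be dropped. More importantly, every config-space read by a block guest now costs a `g_malloc0()` plus a `vhost_dev_get_config()` call into the vDPA backend; config reads are guest-triggerable at will, so consider refreshing `s->config` only on a config-change notification, or at least documenting in a comment why a per-read refresh is acceptable. The fallback on `ret < 0` (keep the previous `s->config` and still satisfy the read) is a sensible choice, but it hides backend failures from the guest silently, which the commit message should mention.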
@@ -0,0 +1,59 @@ +From 4b38d60e4a4a1fc4b7191ec94959f304b222b604 Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Thu, 15 Aug 2024 20:20:35 -0700 +Subject: [PATCH] vhost-user-server: do not set memory fd non-blocking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In vhost-user-server we set all fd received from the other peer +in non-blocking mode. For some of them (e.g. memfd, shm_open, etc.) +it's not really needed, because we don't use these fd with blocking +operations, but only to map memory. + +In addition, in some systems this operation can fail (e.g. in macOS +setting an fd returned by shm_open() non-blocking fails with errno += ENOTTY). + +So, let's avoid setting fd non-blocking for those messages that we +know carry memory fd (e.g. VHOST_USER_ADD_MEM_REG, +VHOST_USER_SET_MEM_TABLE). + +Reviewed-by: Daniel P. Berrangé +Acked-by: Stefan Hajnoczi +Reviewed-by: David Hildenbrand +Signed-off-by: Stefano Garzarella +Message-Id: <20240618100043.144657-6-sgarzare@redhat.com> +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 4c58843e5d3192c67394b28a3330144ea56eefac) +Signed-off-by: zhujun2 +--- + util/vhost-user-server.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c +index 783d847a6d..eda82447bd 100644 +--- a/util/vhost-user-server.c ++++ b/util/vhost-user-server.c +@@ -64,6 +64,18 @@ static void vmsg_close_fds(VhostUserMsg *vmsg) + static void vmsg_unblock_fds(VhostUserMsg *vmsg) + { + int i; ++ ++ /* ++ * These messages carry fd used to map memory, not to send/receive messages, ++ * so this operation is useless. In addition, in some systems this ++ * operation can fail (e.g. 
in macOS setting an fd returned by shm_open() ++ * non-blocking fails with errno = ENOTTY) ++ */ ++ if (vmsg->request == VHOST_USER_ADD_MEM_REG || ++ vmsg->request == VHOST_USER_SET_MEM_TABLE) { ++ return; ++ } ++ + for (i = 0; i < vmsg->fd_num; i++) { + qemu_set_nonblock(vmsg->fds[i]); + } +-- +2.41.0.windows.1 + diff --git a/virtio-net-Ensure-queue-index-fits-with-RSS-CVE-2024.patch b/virtio-net-Ensure-queue-index-fits-with-RSS-CVE-2024.patch new file mode 100644 index 00000000..e01933a3 --- /dev/null +++ b/virtio-net-Ensure-queue-index-fits-with-RSS-CVE-2024.patch @@ -0,0 +1,36 @@ +From 8cd5679908e7af9353c8c4e9198aef2fbb3256ec Mon Sep 17 00:00:00 2001 +From: Akihiko Odaki +Date: Mon, 1 Jul 2024 20:58:04 +0900 +Subject: [PATCH] virtio-net: Ensure queue index fits with RSS(CVE-2024-6505) + +Ensure the queue index points to a valid queue when software RSS +enabled. The new calculation matches with the behavior of Linux's TAP +device with the RSS eBPF program. + +Fixes: 4474e37a5b3a ("virtio-net: implement RX RSS processing") +Reported-by: Zhibin Hu +Cc: qemu-stable@nongnu.org +Signed-off-by: Akihiko Odaki +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Jason Wang +--- + hw/net/virtio-net.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index f7248fc2e2..cef7fc0aa0 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -1818,7 +1818,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, + if (!no_rss && n->rss_data.enabled && n->rss_data.enabled_software_rss) { + int index = virtio_net_process_rss(nc, buf, size); + if (index >= 0) { +- NetClientState *nc2 = qemu_get_subqueue(n->nic, index); ++ NetClientState *nc2 = ++ qemu_get_subqueue(n->nic, index % n->curr_queue_pairs); + return virtio_net_receive_rcu(nc2, buf, size, true); + } + } +-- +2.41.0.windows.1 + 
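Review bot: the early return only covers `VHOST_USER_ADD_MEM_REG` and `VHOST_USER_SET_MEM_TABLE`, and both the new comment and the commit message say "e.g.", which suggests the list is not exhaustive; any other request that carries an fd purely for mapping would still hit `qemu_set_nonblock()` and fail on the platforms described, so either enumerate every such message here or reword the comment to state that these two are the only ones. Also, the comment's first sentence reads "carry fd used to map memory"; "carry fds used to map memory" is the intended plural.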
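Review bot: `index % n->curr_queue_pairs` silently wraps an out-of-range queue index derived from the guest-controlled RSS indirection table rather than rejecting the packet; that matches the Linux TAP behaviour the commit message cites, but a short comment at the modulo explaining why wrapping (not dropping) is the chosen policy would help future readers. Please also confirm `n->curr_queue_pairs` cannot be zero on this path, since the expression is reached whenever software RSS is enabled and a zero divisor would fault the emulator. The split of `NetClientState *nc2 =` onto its own line is fine for line length.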
diff --git a/virtio-net-Fix-vhost-virtqueue-notifiers-for-RSS.patch b/virtio-net-Fix-vhost-virtqueue-notifiers-for-RSS.patch new file mode 100644 index 00000000..03387fd2 --- /dev/null +++ b/virtio-net-Fix-vhost-virtqueue-notifiers-for-RSS.patch 
@@ -0,0 +1,45 @@ +From 24140cab0cc08a239c6df320c6da59b8ce638055 Mon Sep 17 00:00:00 2001 +From: Akihiko Odaki +Date: Wed, 27 Mar 2024 11:05:09 +0900 +Subject: [PATCH] virtio-net: Fix vhost virtqueue notifiers for RSS + +virtio_net_guest_notifier_pending() and virtio_net_guest_notifier_mask() +checked VIRTIO_NET_F_MQ to know there are multiple queues, but +VIRTIO_NET_F_RSS also enables multiple queues. Refer to n->multiqueue, +which is set to true either of VIRTIO_NET_F_MQ or VIRTIO_NET_F_RSS is +enabled. + +Fixes: 68b0a6395f36 ("virtio-net: align ctrl_vq index for non-mq guest for vhost_vdpa") +Signed-off-by: Akihiko Odaki +Signed-off-by: Jason Wang +(cherry picked from commit 1c188fc8cbffc5f05cc616cab4e1372fb6e6f11f) +Signed-off-by: zhujun2 +--- + hw/net/virtio-net.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index f3fb9393b3..f72fe61dda 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -3239,7 +3239,7 @@ static bool virtio_net_guest_notifier_pending(VirtIODevice *vdev, int idx) + VirtIONet *n = VIRTIO_NET(vdev); + NetClientState *nc; + assert(n->vhost_started); +- if (!virtio_vdev_has_feature(vdev, VIRTIO_NET_F_MQ) && idx == 2) { ++ if (!n->multiqueue && idx == 2) { + /* Must guard against invalid features and bogus queue index + * from being set by malicious guest, or penetrated through + * buggy migration stream. +@@ -3271,7 +3271,7 @@ static void virtio_net_guest_notifier_mask(VirtIODevice *vdev, int idx, + VirtIONet *n = VIRTIO_NET(vdev); + NetClientState *nc; + assert(n->vhost_started); +- if (!virtio_vdev_has_feature(vdev, VIRTIO_NET_F_MQ) && idx == 2) { ++ if (!n->multiqueue && idx == 2) { + /* Must guard against invalid features and bogus queue index + * from being set by malicious guest, or penetrated through + * buggy migration stream. +-- +2.41.0.windows.1 + 
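Review bot: replacing `virtio_vdev_has_feature(vdev, VIRTIO_NET_F_MQ)` with `n->multiqueue` in both `virtio_net_guest_notifier_pending()` and `virtio_net_guest_notifier_mask()` makes the `idx == 2` guard depend on a cached flag rather than on the negotiated feature bits; the comment just below still says it guards against "invalid features ... penetrated through buggy migration stream", so please confirm `n->multiqueue` is recomputed from the negotiated features on the incoming migration path before vhost can start, otherwise a stream that carries the features but not the flag would reintroduce the bogus-index case the guard exists to stop. The same condition is duplicated in the two hunks; a tiny helper would keep the two copies from drifting apart again.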
diff --git a/virtio-pci-Fix-the-use-of-an-uninitialized-irqfd.patch b/virtio-pci-Fix-the-use-of-an-uninitialized-irqfd.patch new file mode 100644 index 00000000..2acebaa0 --- /dev/null +++ b/virtio-pci-Fix-the-use-of-an-uninitialized-irqfd.patch 
@@ -0,0 +1,83 @@ +From f57991f3f88e281d3c9bcf7c1d1e2b15651c6262 Mon Sep 17 00:00:00 2001 +From: guping +Date: Mon, 2 Sep 2024 09:29:45 +0000 +Subject: [PATCH] virtio-pci: Fix the use of an uninitialized irqfd cherry-pick + from a8e63ff289d137197ad7a701a587cc432872d798 + +The crash was reported in macOS and NixOS, here is the link for this bug +#2334 +#2321 + +In this bug, they are using the virtio_input device. The guest notifier was +not supported for this device, The function virtio_pci_set_guest_notifiers() +was not called, and the vector_irqfd was not initialized. + +So the fix is adding the check for vector_irqfd in virtio_pci_get_notifier() + +The function virtio_pci_get_notifier() can be used in various devices. +It could also be called when VIRTIO_CONFIG_S_DRIVER_OK is not set. In this situation, +the vector_irqfd being NULL is acceptable. We can allow the device to continue to boot + +If the vector_irqfd still hasn't been initialized after VIRTIO_CONFIG_S_DRIVER_OK +is set, it means that the function set_guest_notifiers was not called before the +driver started. This indicates that the device is not using the notifier. +At this point, we will let the check fail. + +This fix is verified in vyatta, MacOS, NixOS, fedora systems. + +The bt tree for this bug is: +Thread 6 "CPU 0/KVM" received signal SIGSEGV, Segmentation fault. +[Switching to Thread 0x7c817be006c0 (LWP 1269146)] +kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817 +817 if (irqfd->users == 0) { +(gdb) thread apply all bt +... 
+Thread 6 (Thread 0x7c817be006c0 (LWP 1269146) "CPU 0/KVM"): +0 kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817 +1 kvm_virtio_pci_vector_use_one () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:893 +2 0x00005983657045e2 in memory_region_write_accessor () at ../qemu-9.0.0/system/memory.c:497 +3 0x0000598365704ba6 in access_with_adjusted_size () at ../qemu-9.0.0/system/memory.c:573 +4 0x0000598365705059 in memory_region_dispatch_write () at ../qemu-9.0.0/system/memory.c:1528 +5 0x00005983659b8e1f in flatview_write_continue_step.isra.0 () at ../qemu-9.0.0/system/physmem.c:2713 +6 0x000059836570ba7d in flatview_write_continue () at ../qemu-9.0.0/system/physmem.c:2743 +7 flatview_write () at ../qemu-9.0.0/system/physmem.c:2774 +8 0x000059836570bb76 in address_space_write () at ../qemu-9.0.0/system/physmem.c:2894 +9 0x0000598365763afe in address_space_rw () at ../qemu-9.0.0/system/physmem.c:2904 +10 kvm_cpu_exec () at ../qemu-9.0.0/accel/kvm/kvm-all.c:2917 +11 0x000059836576656e in kvm_vcpu_thread_fn () at ../qemu-9.0.0/accel/kvm/kvm-accel-ops.c:50 +12 0x0000598365926ca8 in qemu_thread_start () at ../qemu-9.0.0/util/qemu-thread-posix.c:541 +13 0x00007c8185bcd1cf in ??? () at /usr/lib/libc.so.6 +14 0x00007c8185c4e504 in clone () at /usr/lib/libc.so.6 + +Fixes: 2ce6cff9 + + ("virtio-pci: fix use of a released vector") +Cc: qemu-stable@nongnu.org +Signed-off-by: Cindy Lu +Message-Id: <20240806093715.65105-1-lulu@redhat.com> +Acked-by: Jason Wang +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. 
Tsirkin + +Signed-off-by: guping +--- + hw/virtio/virtio-pci.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c +index d675526016..1e4661bebd 100644 +--- a/hw/virtio/virtio-pci.c ++++ b/hw/virtio/virtio-pci.c +@@ -811,6 +811,9 @@ static int virtio_pci_get_notifier(VirtIOPCIProxy *proxy, int queue_no, + VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus); + VirtQueue *vq; + ++ if (!proxy->vector_irqfd && vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) ++ return -1; ++ + if (queue_no == VIRTIO_CONFIG_IRQ_IDX) { + *n = virtio_config_get_guest_notifier(vdev); + *vector = vdev->config_vector; +-- +2.41.0.windows.1 + diff --git a/virtio-remove-virtio_tswap16s-call-in-vring_packed_e.patch b/virtio-remove-virtio_tswap16s-call-in-vring_packed_e.patch new file mode 100644 index 00000000..4f789bd1 --- /dev/null +++ b/virtio-remove-virtio_tswap16s-call-in-vring_packed_e.patch 
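Review bot: the new `if (!proxy->vector_irqfd && vdev->status & VIRTIO_CONFIG_S_DRIVER_OK)` is missing the braces QEMU's coding style requires on every `if` body, and mixing `&&` with an unparenthesized `&` is easy to misread; write it as `if (!proxy->vector_irqfd && (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK)) { return -1; }`. Returning `-1` here makes the caller's error handling the only thing between a guest MSI-X vector write and the NULL `vector_irqfd` dereference shown in the backtrace, so the reasoning from the commit message (a NULL `vector_irqfd` after DRIVER_OK means `set_guest_notifiers` was never called, so the device is not using irqfds) belongs in a one-line comment next to the check rather than only in the log.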
@@ -0,0 +1,52 @@ +From f91ab1b5dc0a3b9713472a0f0762b189c33334d0 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Mon, 1 Jul 2024 09:52:08 +0200 +Subject: [PATCH] virtio: remove virtio_tswap16s() call in + vring_packed_event_read() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit d152cdd6f6 ("virtio: use virtio accessor to access packed event") +switched using of address_space_read_cached() to virtio_lduw_phys_cached() +to access packed descriptor event. + +When we used address_space_read_cached(), we needed to call +virtio_tswap16s() to handle the endianness of the field, but +virtio_lduw_phys_cached() already handles it internally, so we no longer +need to call virtio_tswap16s() (as the commit had done for `off_wrap`, +but forgot for `flags`). + +Fixes: d152cdd6f6 ("virtio: use virtio accessor to access packed event") +Cc: jasowang@redhat.com +Cc: qemu-stable@nongnu.org +Reported-by: Xoykie +Link: https://lore.kernel.org/qemu-devel/CAFU8RB_pjr77zMLsM0Unf9xPNxfr_--Tjr49F_eX32ZBc5o2zQ@mail.gmail.com +Signed-off-by: Stefano Garzarella +Message-Id: <20240701075208.19634-1-sgarzare@redhat.com> +Acked-by: Jason Wang +Reviewed-by: Peter Maydell +Reviewed-by: Eugenio Pérez +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 7aa6492401e95fb296dec7cda81e67d91f6037d7) +Signed-off-by: zhujun2 +--- + hw/virtio/virtio.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 913b40e1f8..9c40d565bb 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -251,7 +251,6 @@ static void vring_packed_event_read(VirtIODevice *vdev, + /* Make sure flags is seen before off_wrap */ + smp_rmb(); + e->off_wrap = virtio_lduw_phys_cached(vdev, cache, off_off); +- virtio_tswap16s(vdev, &e->flags); + } + + static void vring_packed_off_wrap_write(VirtIODevice *vdev, +-- +2.41.0.windows.1 + 
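Review bot: the hunk removes the `virtio_tswap16s(vdev, &e->flags)` that followed the `off_wrap` read, but the `e->flags` load it was swapping sits above the shown context; please double-check that the read before `smp_rmb()` is `virtio_lduw_phys_cached()` (as the commit message states) and not a raw `address_space_read_cached()`, because a leftover raw read would now go unswapped on big-endian or cross-endian guests and break packed-ring event suppression in the opposite direction. Including that line in the hunk context would have made the patch self-evidently correct.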
diff --git a/virtio-rng-block-max-bytes-0-MIME-Version-1.0.patch b/virtio-rng-block-max-bytes-0-MIME-Version-1.0.patch new file mode 100644 index 00000000..46842832 --- /dev/null +++ b/virtio-rng-block-max-bytes-0-MIME-Version-1.0.patch @@ -0,0 +1,40 @@ +From 38b34a054490d7dd8a3ed6ee313c1ee501363688 Mon Sep 17 00:00:00 2001 +From: dinglimin +Date: Mon, 26 Aug 2024 15:27:20 +0800 +Subject: [PATCH] virtio-rng: block max-bytes=0 MIME-Version: 1.0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cherry-pick from 024d046bf41b5256adec671085bcee767a6da125 + +with max-bytes set to 0, quota is 0 and so device does not work. +block this to avoid user confusion + +Message-Id: <73a89a42d82ec8b47358f25119b87063e4a6ea57.1721818306.git.mst@redhat.com> +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: dinglimin +--- + hw/virtio/virtio-rng.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/virtio/virtio-rng.c b/hw/virtio/virtio-rng.c +index cc8e9f775d..e0f71ddd0f 100644 +--- a/hw/virtio/virtio-rng.c ++++ b/hw/virtio/virtio-rng.c +@@ -184,8 +184,9 @@ static void virtio_rng_device_realize(DeviceState *dev, Error **errp) + + /* Workaround: Property parsing does not enforce unsigned integers, + * So this is a hack to reject such numbers. */ +- if (vrng->conf.max_bytes > INT64_MAX) { +- error_setg(errp, "'max-bytes' parameter must be non-negative, " ++ if (vrng->conf.max_bytes == 0 || ++ vrng->conf.max_bytes > INT64_MAX) { ++ error_setg(errp, "'max-bytes' parameter must be positive, " + "and less than 2^63"); + return; + } +-- +2.41.0.windows.1 + diff --git a/vvfat-Fix-bug-in-writing-to-middle-of-file.patch b/vvfat-Fix-bug-in-writing-to-middle-of-file.patch new file mode 100644 index 00000000..9ccc412b --- /dev/null +++ b/vvfat-Fix-bug-in-writing-to-middle-of-file.patch
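Review bot: the comment above the check still reads "Workaround: Property parsing does not enforce unsigned integers, So this is a hack to reject such numbers", which explains only the `> INT64_MAX` half; now that `max_bytes == 0` is rejected too, extend the comment to say zero is refused because it yields a zero quota and a device that never hands out entropy, which is the user-facing problem the commit message describes. The new message "must be positive, and less than 2^63" correctly covers both conditions.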
@@ -0,0 +1,42 @@ +From f0f408c65fc606cb5a4dfce2f5b051519820d967 Mon Sep 17 00:00:00 2001 +From: Amjad Alsharafi +Date: Sat, 20 Jul 2024 18:13:30 +0800 +Subject: [PATCH] vvfat: Fix bug in writing to middle of file + +Before this commit, the behavior when calling `commit_one_file` for +example with `offset=0x2000` (second cluster), what will happen is that +we won't fetch the next cluster from the fat, and instead use the first +cluster for the read operation. + +This is due to an off-by-one error here, where `i=0x2000 !< offset=0x2000`, +thus not fetching the next cluster. + +Signed-off-by: Amjad Alsharafi +Reviewed-by: Kevin Wolf +Tested-by: Kevin Wolf +Message-ID: +Signed-off-by: Kevin Wolf +(cherry picked from commit b881cf00c99e03bc8a3648581f97736ff275b18b) +Signed-off-by: zhujun2 +--- + block/vvfat.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/block/vvfat.c b/block/vvfat.c +index 5dacc6cfac..2d9c4ff6a4 100644 +--- a/block/vvfat.c ++++ b/block/vvfat.c +@@ -2521,8 +2521,9 @@ static int commit_one_file(BDRVVVFATState* s, + return -1; + } + +- for (i = s->cluster_size; i < offset; i += s->cluster_size) ++ for (i = 0; i < offset; i += s->cluster_size) { + c = modified_fat_get(s, c); ++ } + + fd = qemu_open_old(mapping->path, O_RDWR | O_CREAT | O_BINARY, 0666); + if (fd < 0) { +-- +2.41.0.windows.1 + diff --git a/vvfat-Fix-reading-files-with-non-continuous-clusters.patch b/vvfat-Fix-reading-files-with-non-continuous-clusters.patch new file mode 100644 index 00000000..18a3a722 --- /dev/null +++ b/vvfat-Fix-reading-files-with-non-continuous-clusters.patch
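Review bot: starting the walk at `i = 0` fixes the off-by-one, but the loop still calls `c = modified_fat_get(s, c)` once per cluster of `offset` with no check on the value it returns; the FAT being walked is guest-supplied, so an `offset` that runs past the end of the chain will keep following end-of-chain or garbage cluster numbers and hand a bogus `c` to the code that follows. Consider breaking out and failing the commit when `modified_fat_get()` returns an end-of-chain or out-of-range cluster, the way the `return -1` paths just above already bail out. The added braces match QEMU style.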
@@ -0,0 +1,50 @@ +From 9399660f4ef94129f4f8ba9277a316bd6e7151b5 Mon Sep 17 00:00:00 2001 +From: Amjad Alsharafi +Date: Sat, 20 Jul 2024 18:13:33 +0800 +Subject: [PATCH] vvfat: Fix reading files with non-continuous clusters + +When reading with `read_cluster` we get the `mapping` with +`find_mapping_for_cluster` and then we call `open_file` for this +mapping. +The issue appears when it's the same file, but a second cluster that is +not immediately after it, imagine clusters `500 -> 503`, this will give +us 2 mappings one has the range `500..501` and another `503..504`, both +point to the same file, but different offsets. + +When we don't open the file since the path is the same, we won't assign +`s->current_mapping` and thus accessing way out of bounds of the file. + +From our example above, after `open_file` (that didn't open anything) we +will get the offset into the file with +`s->cluster_size*(cluster_num-s->current_mapping->begin)`, which will +give us `0x2000 * (504-500)`, which is out of bounds for this mapping and +will produce some issues. + +Signed-off-by: Amjad Alsharafi +Message-ID: <1f3ea115779abab62ba32c788073cdc99f9ad5dd.1721470238.git.amjadsharafi10@gmail.com> +[kwolf: Simplified the patch based on Amjad's analysis and input] +Signed-off-by: Kevin Wolf +(cherry picked from commit 5eed3db336506b529b927ba221fe0d836e5b8819) +Signed-off-by: zhujun2 +--- + block/vvfat.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/block/vvfat.c b/block/vvfat.c +index 5dacc6cfac..9af817088f 100644 +--- a/block/vvfat.c ++++ b/block/vvfat.c +@@ -1368,8 +1368,9 @@ static int open_file(BDRVVVFATState* s,mapping_t* mapping) + return -1; + vvfat_close_current_file(s); + s->current_fd = fd; +- s->current_mapping = mapping; + } ++ ++ s->current_mapping = mapping; + return 0; + } + +-- +2.41.0.windows.1 +
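Review bot: moving `s->current_mapping = mapping;` out of the `if` means it is updated even when the already-open file is reused for a different cluster range, which is the fix, but nothing in the code says why the assignment is deliberately unconditional; add a short comment (two mappings can share one path and differ only in their `begin` cluster, so the mapping must be refreshed even when the fd is not) so a later cleanup does not move it back inside the block. The early `return -1` path leaves both `current_fd` and `current_mapping` untouched, so the pair stays consistent on failure.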