From 87a29d9f942c13cf2c879ddcbfeaabad268e5b2d Mon Sep 17 00:00:00 2001 From: Jiabo Feng Date: Thu, 7 Nov 2024 09:21:18 +0800 Subject: [PATCH] QEMU update to version 8.2.0-21: - tests: bump QOS_PATH_MAX_ELEMENT_SIZE again - softmmu/physmem: fix memory leak in dirty_memory_extend() - crypto: run qcrypto_pbkdf2_count_iters in a new thread - hw/audio/virtio-sound: fix heap buffer overflow - hw/intc/arm_gic: fix spurious level triggered interrupts - ui/sdl2: set swap interval explicitly when OpenGL is enabled - target/riscv/kvm: tolerate KVM disable ext errors - virtio: remove virtio_tswap16s() call in vring_packed_event_read() - block: fix -Werror=maybe-uninitialized false-positive - hw/remote/vfio-user: Fix config space access byte order - hw/loongarch/virt: Fix memory leak - hw/intc/riscv_aplic: APLICs should add child earlier than realize - stdvga: fix screen blanking - ui/gtk: Draw guest frame at refresh cycle - target/i386: fix size of EBP writeback in gen_enter() - virtio-net: drop too short packets early - target/ppc: Fix lxv/stxv MSR facility check - target/ppc: Fix lxvx/stxvx facility check - virtio-snd: add max size bounds check in input cb(CVE-2024-7730) Signed-off-by: Jiabo Feng (cherry picked from commit e2eb79f1867bb8d8d870e758f06d2a32b3a4fc8a) --- ...r-maybe-uninitialized-false-positive.patch | 36 +++++ ...to_pbkdf2_count_iters-in-a-new-threa.patch | 117 +++++++++++++++ ...irtio-sound-fix-heap-buffer-overflow.patch | 86 +++++++++++ ...fix-spurious-level-triggered-interru.patch | 82 +++++++++++ ...lic-APLICs-should-add-child-earlier-.patch | 49 ++++++ hw-loongarch-virt-Fix-memory-leak.patch | 49 ++++++ ...ser-Fix-config-space-access-byte-ord.patch | 49 ++++++ qemu.spec | 42 +++++- ...fix-memory-leak-in-dirty_memory_exte.patch | 139 ++++++++++++++++++ stdvga-fix-screen-blanking.patch | 47 ++++++ ...x-size-of-EBP-writeback-in-gen_enter.patch | 43 ++++++ ...-ppc-Fix-lxv-stxv-MSR-facility-check.patch | 49 ++++++ ...et-ppc-Fix-lxvx-stxvx-facility-check.patch | 63 ++++++++ ...-kvm-tolerate-KVM-disable-ext-errors.patch | 69 +++++++++ ...bump-QOS_PATH_MAX_ELEMENT_SIZE-again.patch | 43 ++++++ ...tk-Draw-guest-frame-at-refresh-cycle.patch | 59 ++++++++ ...-interval-explicitly-when-OpenGL-is-.patch | 48 ++++++ virtio-net-drop-too-short-packets-early.patch | 91 ++++++++++++ ...rtio_tswap16s-call-in-vring_packed_e.patch | 52 +++++++ ...ax-size-bounds-check-in-input-cb-CVE.patch | 61 ++++++++ 20 files changed, 1273 insertions(+), 1 deletion(-) create mode 100644 block-fix-Werror-maybe-uninitialized-false-positive.patch create mode 100644 crypto-run-qcrypto_pbkdf2_count_iters-in-a-new-threa.patch create mode 100644 hw-audio-virtio-sound-fix-heap-buffer-overflow.patch create mode 100644 hw-intc-arm_gic-fix-spurious-level-triggered-interru.patch create mode 100644 hw-intc-riscv_aplic-APLICs-should-add-child-earlier-.patch create mode 100644 hw-loongarch-virt-Fix-memory-leak.patch create mode 100644 hw-remote-vfio-user-Fix-config-space-access-byte-ord.patch create mode 100644 softmmu-physmem-fix-memory-leak-in-dirty_memory_exte.patch create mode 100644 stdvga-fix-screen-blanking.patch create mode 100644 target-i386-fix-size-of-EBP-writeback-in-gen_enter.patch create mode 100644 target-ppc-Fix-lxv-stxv-MSR-facility-check.patch create mode 100644 target-ppc-Fix-lxvx-stxvx-facility-check.patch create mode 100644 target-riscv-kvm-tolerate-KVM-disable-ext-errors.patch create mode 100644 tests-bump-QOS_PATH_MAX_ELEMENT_SIZE-again.patch create mode 100644 ui-gtk-Draw-guest-frame-at-refresh-cycle.patch create mode 100644 ui-sdl2-set-swap-interval-explicitly-when-OpenGL-is-.patch create mode 100644 virtio-net-drop-too-short-packets-early.patch create mode 100644 virtio-remove-virtio_tswap16s-call-in-vring_packed_e.patch create mode 100644 virtio-snd-add-max-size-bounds-check-in-input-cb-CVE.patch diff --git a/block-fix-Werror-maybe-uninitialized-false-positive.patch b/block-fix-Werror-maybe-uninitialized-false-positive.patch new file mode 100644 index 00000000..13ba9ceb --- /dev/null +++ b/block-fix-Werror-maybe-uninitialized-false-positive.patch @@ -0,0 +1,36 @@ +From 2edda423f2bca2348595e99a4ef9f5c73e262e77 Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Wed, 9 Oct 2024 07:25:22 -0400 +Subject: [PATCH] block: fix -Werror=maybe-uninitialized false-positive +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from eb5d28c783078ad2d7fb42349e146190cd98678b + +../block/file-posix.c:1405:17: error: ‘zoned’ may be used uninitialized [-Werror=maybe-uninitialized] + 1405 | if (ret < 0 || zoned == BLK_Z_NONE) { + +Signed-off-by: Marc-André Lureau +Reviewed-by: Vladimir Sementsov-Ogievskiy +Signed-off-by: qihao_yewu +--- + block/file-posix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/block/file-posix.c b/block/file-posix.c +index 4ac8f684f1..787f613d52 100644 +--- a/block/file-posix.c ++++ b/block/file-posix.c +@@ -1423,7 +1423,7 @@ static void raw_refresh_zoned_limits(BlockDriverState *bs, struct stat *st, + Error **errp) + { + BDRVRawState *s = bs->opaque; +- BlockZoneModel zoned; ++ BlockZoneModel zoned = BLK_Z_NONE; + int ret; + + ret = get_sysfs_zoned_model(st, &zoned); +-- +2.41.0.windows.1 + diff --git a/crypto-run-qcrypto_pbkdf2_count_iters-in-a-new-threa.patch b/crypto-run-qcrypto_pbkdf2_count_iters-in-a-new-threa.patch new file mode 100644 index 00000000..55fa8a3c --- /dev/null +++ b/crypto-run-qcrypto_pbkdf2_count_iters-in-a-new-threa.patch @@ -0,0 +1,117 @@ +From d199d3a9af9f5bd7877a6ace1243c77097264f1a Mon Sep 17 00:00:00 2001 +From: Tiago Pasqualini +Date: Wed, 4 Sep 2024 20:52:30 -0300 +Subject: [PATCH] crypto: run qcrypto_pbkdf2_count_iters in a new thread +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CPU time accounting in the kernel has been demonstrated to have a +sawtooth pattern[1][2]. This can cause the getrusage system call to +not be as accurate as we are expecting, which can cause this calculation +to stall. + +The kernel discussions shows that this inaccuracy happens when CPU time +gets big enough, so this patch changes qcrypto_pbkdf2_count_iters to run +in a fresh thread to avoid this inaccuracy. It also adds a sanity check +to fail the process if CPU time is not accounted. + +[1] https://lore.kernel.org/lkml/159231011694.16989.16351419333851309713.tip-bot2@tip-bot2/ +[2] https://lore.kernel.org/lkml/20221226031010.4079885-1-maxing.lan@bytedance.com/t/#m1c7f2fdc0ea742776a70fd1aa2a2e414c437f534 + +Resolves: #2398 +Signed-off-by: Tiago Pasqualini +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit c72cab5ad9f849bbcfcf4be7952b8b8946cc626e) +Signed-off-by: zhujun2 +--- + crypto/pbkdf.c | 53 +++++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 46 insertions(+), 7 deletions(-) + +diff --git a/crypto/pbkdf.c b/crypto/pbkdf.c +index 8d198c152c..d1c06ef3ed 100644 +--- a/crypto/pbkdf.c ++++ b/crypto/pbkdf.c +@@ -19,6 +19,7 @@ + */ + + #include "qemu/osdep.h" ++#include "qemu/thread.h" + #include "qapi/error.h" + #include "crypto/pbkdf.h" + #ifndef _WIN32 +@@ -85,12 +86,28 @@ static int qcrypto_pbkdf2_get_thread_cpu(unsigned long long *val_ms, + #endif + } + +-uint64_t qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash, +- const uint8_t *key, size_t nkey, +- const uint8_t *salt, size_t nsalt, +- size_t nout, +- Error **errp) ++typedef struct CountItersData { ++ QCryptoHashAlgorithm hash; ++ const uint8_t *key; ++ size_t nkey; ++ const uint8_t *salt; ++ size_t nsalt; ++ size_t nout; ++ uint64_t iterations; ++ Error **errp; ++} CountItersData; ++ ++static void *threaded_qcrypto_pbkdf2_count_iters(void *data) + { ++ CountItersData *iters_data = (CountItersData *) data; ++ QCryptoHashAlgorithm hash = iters_data->hash; ++ const uint8_t *key = iters_data->key; ++ size_t nkey = iters_data->nkey; ++ const uint8_t *salt = iters_data->salt; ++ size_t nsalt = iters_data->nsalt; ++ size_t nout = iters_data->nout; ++ Error **errp = iters_data->errp; ++ + uint64_t ret = -1; + g_autofree uint8_t *out = g_new(uint8_t, nout); + uint64_t iterations = (1 << 15); +@@ -114,7 +131,10 @@ uint64_t qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash, + + delta_ms = end_ms - start_ms; + +- if (delta_ms > 500) { ++ if (delta_ms == 0) { /* sanity check */ ++ error_setg(errp, "Unable to get accurate CPU usage"); ++ goto cleanup; ++ } else if (delta_ms > 500) { + break; + } else if (delta_ms < 100) { + iterations = iterations * 10; +@@ -129,5 +149,24 @@ uint64_t qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash, + + cleanup: + memset(out, 0, nout); +- return ret; ++ iters_data->iterations = ret; ++ return NULL; ++} ++ ++uint64_t qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash, ++ const uint8_t *key, size_t nkey, ++ const uint8_t *salt, size_t nsalt, ++ size_t nout, ++ Error **errp) ++{ ++ CountItersData data = { ++ hash, key, nkey, salt, nsalt, nout, 0, errp ++ }; ++ QemuThread thread; ++ ++ qemu_thread_create(&thread, "pbkdf2", threaded_qcrypto_pbkdf2_count_iters, ++ &data, QEMU_THREAD_JOINABLE); ++ qemu_thread_join(&thread); ++ ++ return data.iterations; + } +-- +2.41.0.windows.1 + diff --git a/hw-audio-virtio-sound-fix-heap-buffer-overflow.patch b/hw-audio-virtio-sound-fix-heap-buffer-overflow.patch new file mode 100644 index 00000000..a5ccb91b --- /dev/null +++ b/hw-audio-virtio-sound-fix-heap-buffer-overflow.patch @@ -0,0 +1,86 @@ +From 0981edabf57b5728211deeca459fb15927e7cc36 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Volker=20R=C3=BCmelin?= +Date: Sun, 1 Sep 2024 15:01:12 +0200 +Subject: [PATCH] hw/audio/virtio-sound: fix heap buffer overflow +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently, the guest may write to the device configuration space, +whereas the virtio sound device specification in chapter 5.14.4 +clearly states that the fields in the device configuration space +are driver-read-only. + +Remove the set_config function from the virtio_snd class. + +This also prevents a heap buffer overflow. See QEMU issue #2296. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2296 +Signed-off-by: Volker Rümelin +Message-Id: <20240901130112.8242-1-vr_qemu@t-online.de> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 7fc6611cad3e9627b23ce83e550b668abba6c886) +Signed-off-by: zhujun2 +--- + hw/audio/trace-events | 1 - + hw/audio/virtio-snd.c | 24 ------------------------ + 2 files changed, 25 deletions(-) + +diff --git a/hw/audio/trace-events b/hw/audio/trace-events +index b1870ff224..b8ef572767 100644 +--- a/hw/audio/trace-events ++++ b/hw/audio/trace-events +@@ -41,7 +41,6 @@ asc_update_irq(int irq, int a, int b) "set IRQ to %d (A: 0x%x B: 0x%x)" + + #virtio-snd.c + virtio_snd_get_config(void *vdev, uint32_t jacks, uint32_t streams, uint32_t chmaps) "snd %p: get_config jacks=%"PRIu32" streams=%"PRIu32" chmaps=%"PRIu32"" +-virtio_snd_set_config(void *vdev, uint32_t jacks, uint32_t new_jacks, uint32_t streams, uint32_t new_streams, uint32_t chmaps, uint32_t new_chmaps) "snd %p: set_config jacks from %"PRIu32"->%"PRIu32", streams from %"PRIu32"->%"PRIu32", chmaps from %"PRIu32"->%"PRIu32 + virtio_snd_get_features(void *vdev, uint64_t features) "snd %p: get_features 0x%"PRIx64 + virtio_snd_vm_state_running(void) "vm state running" + virtio_snd_vm_state_stopped(void) "vm state stopped" +diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c +index 137fa77a01..cb7049abb3 100644 +--- a/hw/audio/virtio-snd.c ++++ b/hw/audio/virtio-snd.c +@@ -107,29 +107,6 @@ virtio_snd_get_config(VirtIODevice *vdev, uint8_t *config) + + } + +-static void +-virtio_snd_set_config(VirtIODevice *vdev, const uint8_t *config) +-{ +- VirtIOSound *s = VIRTIO_SND(vdev); +- const virtio_snd_config *sndconfig = +- (const virtio_snd_config *)config; +- +- +- trace_virtio_snd_set_config(vdev, +- s->snd_conf.jacks, +- sndconfig->jacks, +- s->snd_conf.streams, +- sndconfig->streams, +- s->snd_conf.chmaps, +- sndconfig->chmaps); +- +- memcpy(&s->snd_conf, sndconfig, sizeof(virtio_snd_config)); +- le32_to_cpus(&s->snd_conf.jacks); +- le32_to_cpus(&s->snd_conf.streams); +- le32_to_cpus(&s->snd_conf.chmaps); +- +-} +- + static void + virtio_snd_pcm_buffer_free(VirtIOSoundPCMBuffer *buffer) + { +@@ -1399,7 +1376,6 @@ static void virtio_snd_class_init(ObjectClass *klass, void *data) + vdc->realize = virtio_snd_realize; + vdc->unrealize = virtio_snd_unrealize; + vdc->get_config = virtio_snd_get_config; +- vdc->set_config = virtio_snd_set_config; + vdc->get_features = get_features; + vdc->reset = virtio_snd_reset; + vdc->legacy_features = 0; +-- +2.41.0.windows.1 + diff --git a/hw-intc-arm_gic-fix-spurious-level-triggered-interru.patch b/hw-intc-arm_gic-fix-spurious-level-triggered-interru.patch new file mode 100644 index 00000000..fae3826c --- /dev/null +++ b/hw-intc-arm_gic-fix-spurious-level-triggered-interru.patch @@ -0,0 +1,82 @@ +From 0cb9a00d295cbf0ade0a55cea1039aec793fddf0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Kl=C3=B6tzke?= +Date: Fri, 13 Sep 2024 15:31:50 +0100 +Subject: [PATCH] hw/intc/arm_gic: fix spurious level triggered interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +On GICv2 and later, level triggered interrupts are pending when either +the interrupt line is asserted or the interrupt was made pending by a +GICD_ISPENDRn write. Making a level triggered interrupt pending by +software persists until either the interrupt is acknowledged or cleared +by writing GICD_ICPENDRn. As long as the interrupt line is asserted, +the interrupt is pending in any case. + +This logic is transparently implemented in gic_test_pending() for +GICv1 and GICv2. The function combines the "pending" irq_state flag +(used for edge triggered interrupts and software requests) and the +line status (tracked in the "level" field). However, we also +incorrectly set the pending flag on a guest write to GICD_ISENABLERn +if the line of a level triggered interrupt was asserted. This keeps +the interrupt pending even if the line is de-asserted after some +time. + +This incorrect logic is a leftover of the initial 11MPCore GIC +implementation. That handles things slightly differently to the +architected GICv1 and GICv2. The 11MPCore TRM does not give a lot of +detail on the corner cases of its GIC's behaviour, and historically +we have not wanted to investigate exactly what it does in reality, so +QEMU's GIC model takes the approach of "retain our existing behaviour +for 11MPCore, and implement the architectural standard for later GIC +revisions". + +On that basis, commit 8d999995e45c10 in 2013 is where we added the +"level-triggered interrupt with the line asserted" handling to +gic_test_pending(), and we deliberately kept the old behaviour of +gic_test_pending() for REV_11MPCORE. That commit should have added +the "only if 11MPCore" condition to the setting of the pending bit on +writes to GICD_ISENABLERn, but forgot it. + +Add the missing "if REV_11MPCORE" condition, so that our behaviour +on GICv1 and GICv2 matches the GIC architecture requirements. + +Cc: qemu-stable@nongnu.org +Fixes: 8d999995e45c10 ("arm_gic: Fix GIC pending behavior") +Signed-off-by: Jan Klötzke +Message-id: 20240911114826.3558302-1-jan.kloetzke@kernkonzept.com +Reviewed-by: Peter Maydell +[PMM: expanded comment a little and converted to coding-style form; + expanded commit message with the historical backstory] +Signed-off-by: Peter Maydell +(cherry picked from commit 110684c9a69a02cbabfbddcd3afa921826ad565c) +Signed-off-by: zhujun2 +--- + hw/intc/arm_gic.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c +index 074cf50af2..dfe7a0a729 100644 +--- a/hw/intc/arm_gic.c ++++ b/hw/intc/arm_gic.c +@@ -1263,9 +1263,14 @@ static void gic_dist_writeb(void *opaque, hwaddr offset, + trace_gic_enable_irq(irq + i); + } + GIC_DIST_SET_ENABLED(irq + i, cm); +- /* If a raised level triggered IRQ enabled then mark +- is as pending. */ +- if (GIC_DIST_TEST_LEVEL(irq + i, mask) ++ /* ++ * If a raised level triggered IRQ enabled then mark ++ * it as pending on 11MPCore. For other GIC revisions we ++ * handle the "level triggered and line asserted" check ++ * at the other end in gic_test_pending(). ++ */ ++ if (s->revision == REV_11MPCORE ++ && GIC_DIST_TEST_LEVEL(irq + i, mask) + && !GIC_DIST_TEST_EDGE_TRIGGER(irq + i)) { + DPRINTF("Set %d pending mask %x\n", irq + i, mask); + GIC_DIST_SET_PENDING(irq + i, mask); +-- +2.41.0.windows.1 + diff --git a/hw-intc-riscv_aplic-APLICs-should-add-child-earlier-.patch b/hw-intc-riscv_aplic-APLICs-should-add-child-earlier-.patch new file mode 100644 index 00000000..70738c4d --- /dev/null +++ b/hw-intc-riscv_aplic-APLICs-should-add-child-earlier-.patch @@ -0,0 +1,49 @@ +From 8ee63ce50289adb4ea346901366bd30aa23e412a Mon Sep 17 00:00:00 2001 +From: "yang.zhang" +Date: Tue, 9 Apr 2024 09:44:45 +0800 +Subject: [PATCH] hw/intc/riscv_aplic: APLICs should add child earlier than + realize + +Since only root APLICs can have hw IRQ lines, aplic->parent should +be initialized first. + +Fixes: e8f79343cf ("hw/intc: Add RISC-V AIA APLIC device emulation") +Reviewed-by: Daniel Henrique Barboza +Signed-off-by: yang.zhang +Cc: qemu-stable +Message-ID: <20240409014445.278-1-gaoshanliukou@163.com> +Signed-off-by: Alistair Francis +(cherry picked from commit c76b121840c6ca79dc6305a5f4bcf17c72217d9c) +Signed-off-by: zhujun2 +--- + hw/intc/riscv_aplic.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/intc/riscv_aplic.c b/hw/intc/riscv_aplic.c +index c677b5cfbb..2fdf85444e 100644 +--- a/hw/intc/riscv_aplic.c ++++ b/hw/intc/riscv_aplic.c +@@ -974,16 +974,16 @@ DeviceState *riscv_aplic_create(hwaddr addr, hwaddr size, + qdev_prop_set_bit(dev, "msimode", msimode); + qdev_prop_set_bit(dev, "mmode", mmode); + ++ if (parent) { ++ riscv_aplic_add_child(parent, dev); ++ } ++ + sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal); + + if (!is_kvm_aia(msimode)) { + sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, addr); + } + +- if (parent) { +- riscv_aplic_add_child(parent, dev); +- } +- + if (!msimode) { + for (i = 0; i < num_harts; i++) { + CPUState *cpu = cpu_by_arch_id(hartid_base + i); +-- +2.41.0.windows.1 + diff --git a/hw-loongarch-virt-Fix-memory-leak.patch b/hw-loongarch-virt-Fix-memory-leak.patch new file mode 100644 index 00000000..c7f240a9 --- /dev/null +++ b/hw-loongarch-virt-Fix-memory-leak.patch @@ -0,0 +1,49 @@ +From 7d0006839846bef68fa3d96886b8e5d8f8ec52f1 Mon Sep 17 00:00:00 2001 +From: Song Gao +Date: Tue, 7 May 2024 10:22:39 +0800 +Subject: [PATCH] hw/loongarch/virt: Fix memory leak +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The char pointer 'ramName' point to a block of memory, +but never free it. Use 'g_autofree' to automatically free it. + +Resolves: Coverity CID 1544773 + +Fixes: 0cf1478d6 ("hw/loongarch: Add numa support") +Signed-off-by: Song Gao +Reviewed-by: Peter Maydell +Reviewed-by: Philippe Mathieu-Daudé +Message-ID: <20240507022239.3113987-1-gaosong@loongson.cn> +Signed-off-by: Philippe Mathieu-Daudé +(cherry picked from commit 54c52ec719fb8c83bbde54cb87b58688ab27c166) +Signed-off-by: zhujun2 +--- + hw/loongarch/virt.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/hw/loongarch/virt.c b/hw/loongarch/virt.c +index 5d4fcb7a55..eca3b94581 100644 +--- a/hw/loongarch/virt.c ++++ b/hw/loongarch/virt.c +@@ -925,7 +925,6 @@ static void loongarch_init(MachineState *machine) + const CPUArchIdList *possible_cpus; + MachineClass *mc = MACHINE_GET_CLASS(machine); + CPUState *cpu; +- char *ramName = NULL; + struct loaderparams loaderparams = { }; + + if (!cpu_model) { +@@ -985,7 +984,7 @@ static void loongarch_init(MachineState *machine) + + for (i = 1; i < nb_numa_nodes; i++) { + MemoryRegion *nodemem = g_new(MemoryRegion, 1); +- ramName = g_strdup_printf("loongarch.node%d.ram", i); ++ g_autofree char *ramName = g_strdup_printf("loongarch.node%d.ram", i); + memory_region_init_alias(nodemem, NULL, ramName, machine->ram, + offset, numa_info[i].node_mem); + memory_region_add_subregion(address_space_mem, phyAddr, nodemem); +-- +2.41.0.windows.1 + diff --git a/hw-remote-vfio-user-Fix-config-space-access-byte-ord.patch b/hw-remote-vfio-user-Fix-config-space-access-byte-ord.patch new file mode 100644 index 00000000..7abb7bf0 --- /dev/null +++ b/hw-remote-vfio-user-Fix-config-space-access-byte-ord.patch @@ -0,0 +1,49 @@ +From 6165cf85acd2600c8e0edb062d627e4cb42083af Mon Sep 17 00:00:00 2001 +From: Mattias Nissler +Date: Wed, 23 Aug 2023 02:29:30 -0700 +Subject: [PATCH] hw/remote/vfio-user: Fix config space access byte order +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +PCI config space is little-endian, so on a big-endian host we need to +perform byte swaps for values as they are passed to and received from +the generic PCI config space access machinery. + +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Jagannathan Raman +Signed-off-by: Mattias Nissler +Message-ID: <20240507094210.300566-6-mnissler@rivosinc.com> +Signed-off-by: Philippe Mathieu-Daudé +(cherry picked from commit e6578f1f68a0e90789a841ada532c3e494c9a04c) +Signed-off-by: zhujun2 +--- + hw/remote/vfio-user-obj.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/remote/vfio-user-obj.c b/hw/remote/vfio-user-obj.c +index 8b10c32a3c..8b708422fe 100644 +--- a/hw/remote/vfio-user-obj.c ++++ b/hw/remote/vfio-user-obj.c +@@ -281,7 +281,7 @@ static ssize_t vfu_object_cfg_access(vfu_ctx_t *vfu_ctx, char * const buf, + while (bytes > 0) { + len = (bytes > pci_access_width) ? pci_access_width : bytes; + if (is_write) { +- memcpy(&val, ptr, len); ++ val = ldn_le_p(ptr, len); + pci_host_config_write_common(o->pci_dev, offset, + pci_config_size(o->pci_dev), + val, len); +@@ -289,7 +289,7 @@ static ssize_t vfu_object_cfg_access(vfu_ctx_t *vfu_ctx, char * const buf, + } else { + val = pci_host_config_read_common(o->pci_dev, offset, + pci_config_size(o->pci_dev), len); +- memcpy(ptr, &val, len); ++ stn_le_p(ptr, len, val); + trace_vfu_cfg_read(offset, val); + } + offset += len; +-- +2.41.0.windows.1 + diff --git a/qemu.spec b/qemu.spec index 145f44f3..242a4043 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 8.2.0 -Release: 20 +Release: 21 Epoch: 11 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -363,6 +363,25 @@ Patch0346: crypto-avoid-leak-of-ctx-when-bad-cipher-mode-is-giv.patch Patch0347: hw-ufs-add-basic-info-of-query-response-upiu.patch Patch0348: hw-block-fix-uint32-overflow.patch Patch0349: Added-CoDA-feature-support-in-the-context-of-CVM.-Wh.patch +Patch0350: virtio-snd-add-max-size-bounds-check-in-input-cb-CVE.patch +Patch0351: target-ppc-Fix-lxvx-stxvx-facility-check.patch +Patch0352: target-ppc-Fix-lxv-stxv-MSR-facility-check.patch +Patch0353: virtio-net-drop-too-short-packets-early.patch +Patch0354: target-i386-fix-size-of-EBP-writeback-in-gen_enter.patch +Patch0355: ui-gtk-Draw-guest-frame-at-refresh-cycle.patch +Patch0356: stdvga-fix-screen-blanking.patch +Patch0357: hw-intc-riscv_aplic-APLICs-should-add-child-earlier-.patch +Patch0358: hw-loongarch-virt-Fix-memory-leak.patch +Patch0359: hw-remote-vfio-user-Fix-config-space-access-byte-ord.patch +Patch0360: block-fix-Werror-maybe-uninitialized-false-positive.patch +Patch0361: virtio-remove-virtio_tswap16s-call-in-vring_packed_e.patch +Patch0362: target-riscv-kvm-tolerate-KVM-disable-ext-errors.patch +Patch0363: ui-sdl2-set-swap-interval-explicitly-when-OpenGL-is-.patch +Patch0364: hw-intc-arm_gic-fix-spurious-level-triggered-interru.patch +Patch0365: hw-audio-virtio-sound-fix-heap-buffer-overflow.patch +Patch0366: crypto-run-qcrypto_pbkdf2_count_iters-in-a-new-threa.patch +Patch0367: softmmu-physmem-fix-memory-leak-in-dirty_memory_exte.patch +Patch0368: tests-bump-QOS_PATH_MAX_ELEMENT_SIZE-again.patch BuildRequires: flex BuildRequires: gcc @@ -960,6 +979,27 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Thu Nov 7 2024 Jiabo Feng - 11:8.2.0-21 +- tests: bump QOS_PATH_MAX_ELEMENT_SIZE again +- softmmu/physmem: fix memory leak in dirty_memory_extend() +- crypto: run qcrypto_pbkdf2_count_iters in a new thread +- hw/audio/virtio-sound: fix heap buffer overflow +- hw/intc/arm_gic: fix spurious level triggered interrupts +- ui/sdl2: set swap interval explicitly when OpenGL is enabled +- target/riscv/kvm: tolerate KVM disable ext errors +- virtio: remove virtio_tswap16s() call in vring_packed_event_read() +- block: fix -Werror=maybe-uninitialized false-positive +- hw/remote/vfio-user: Fix config space access byte order +- hw/loongarch/virt: Fix memory leak +- hw/intc/riscv_aplic: APLICs should add child earlier than realize +- stdvga: fix screen blanking +- ui/gtk: Draw guest frame at refresh cycle +- target/i386: fix size of EBP writeback in gen_enter() +- virtio-net: drop too short packets early +- target/ppc: Fix lxv/stxv MSR facility check +- target/ppc: Fix lxvx/stxvx facility check +- virtio-snd: add max size bounds check in input cb(CVE-2024-7730) + * Mon Oct 21 2024 Jiabo Feng - 11:8.2.0-20 - Added CoDA feature support in the context of CVM. When virtcca cvm is enabled, the iommu is tagged as secure. - hw/block: fix uint32 overflow diff --git a/softmmu-physmem-fix-memory-leak-in-dirty_memory_exte.patch b/softmmu-physmem-fix-memory-leak-in-dirty_memory_exte.patch new file mode 100644 index 00000000..73b85f68 --- /dev/null +++ b/softmmu-physmem-fix-memory-leak-in-dirty_memory_exte.patch @@ -0,0 +1,139 @@ +From c6d6cbb2c33c3c7b2574c3baa2d2477d9d4ac91c Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Wed, 28 Aug 2024 11:07:43 +0200 +Subject: [PATCH] softmmu/physmem: fix memory leak in dirty_memory_extend() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As reported by Peter, we might be leaking memory when removing the +highest RAMBlock (in the weird ram_addr_t space), and adding a new one. + +We will fail to realize that we already allocated bitmaps for more +dirty memory blocks, and effectively discard the pointers to them. + +Fix it by getting rid of last_ram_page() and by remembering the number +of dirty memory blocks that have been allocated already. + +While at it, let's use "unsigned int" for the number of blocks, which +should be sufficient until we reach ~32 exabytes. + +Looks like this leak was introduced as we switched from using a single +bitmap_zero_extend() to allocating multiple bitmaps: +bitmap_zero_extend() relies on g_renew() which should have taken care of +this. + +Resolves: https://lkml.kernel.org/r/CAFEAcA-k7a+VObGAfCFNygQNfCKL=AfX6A4kScq=VSSK0peqPg@mail.gmail.com +Reported-by: Peter Maydell +Fixes: 5b82b703b69a ("memory: RCU ram_list.dirty_memory[] for safe RAM hotplug") +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Peter Xu +Tested-by: Peter Maydell +Cc: qemu-stable@nongnu.org +Cc: Stefan Hajnoczi +Cc: Paolo Bonzini +Cc: Peter Xu +Cc: Philippe Mathieu-Daudé +Signed-off-by: David Hildenbrand +Link: https://lore.kernel.org/r/20240828090743.128647-1-david@redhat.com +Signed-off-by: Peter Xu +(cherry picked from commit b84f06c2bee727b3870b4eeccbe3a45c5aea14c1) +Signed-off-by: Michael Tokarev +Signed-off-by: zhujun2 +--- + include/exec/ramlist.h | 1 + + system/physmem.c | 35 +++++++++-------------------------- + 2 files changed, 10 insertions(+), 26 deletions(-) + +diff --git a/include/exec/ramlist.h b/include/exec/ramlist.h +index 2ad2a81acc..d9cfe530be 100644 +--- a/include/exec/ramlist.h ++++ b/include/exec/ramlist.h +@@ -50,6 +50,7 @@ typedef struct RAMList { + /* RCU-enabled, writes protected by the ramlist lock. */ + QLIST_HEAD(, RAMBlock) blocks; + DirtyMemoryBlocks *dirty_memory[DIRTY_MEMORY_NUM]; ++ unsigned int num_dirty_blocks; + uint32_t version; + QLIST_HEAD(, RAMBlockNotifier) ramblock_notifiers; + } RAMList; +diff --git a/system/physmem.c b/system/physmem.c +index 2c8b83f811..87f49e70c1 100644 +--- a/system/physmem.c ++++ b/system/physmem.c +@@ -1531,18 +1531,6 @@ static ram_addr_t find_ram_offset(ram_addr_t size) + return offset; + } + +-static unsigned long last_ram_page(void) +-{ +- RAMBlock *block; +- ram_addr_t last = 0; +- +- RCU_READ_LOCK_GUARD(); +- RAMBLOCK_FOREACH(block) { +- last = MAX(last, block->offset + block->max_length); +- } +- return last >> TARGET_PAGE_BITS; +-} +- + static void qemu_ram_setup_dump(void *addr, ram_addr_t size) + { + int ret; +@@ -1795,13 +1783,11 @@ void qemu_ram_msync(RAMBlock *block, ram_addr_t start, ram_addr_t length) + } + + /* Called with ram_list.mutex held */ +-static void dirty_memory_extend(ram_addr_t old_ram_size, +- ram_addr_t new_ram_size) ++static void dirty_memory_extend(ram_addr_t new_ram_size) + { +- ram_addr_t old_num_blocks = DIV_ROUND_UP(old_ram_size, +- DIRTY_MEMORY_BLOCK_SIZE); +- ram_addr_t new_num_blocks = DIV_ROUND_UP(new_ram_size, +- DIRTY_MEMORY_BLOCK_SIZE); ++ unsigned int old_num_blocks = ram_list.num_dirty_blocks; ++ unsigned int new_num_blocks = DIV_ROUND_UP(new_ram_size, ++ DIRTY_MEMORY_BLOCK_SIZE); + int i; + + /* Only need to extend if block count increased */ +@@ -1833,6 +1819,8 @@ static void dirty_memory_extend(ram_addr_t old_ram_size, + g_free_rcu(old_blocks, rcu); + } + } ++ ++ ram_list.num_dirty_blocks = new_num_blocks; + } + + static void ram_block_add(RAMBlock *new_block, Error **errp) +@@ -1841,11 +1829,9 @@ static void ram_block_add(RAMBlock *new_block, Error **errp) + const bool shared = qemu_ram_is_shared(new_block); + RAMBlock *block; + RAMBlock *last_block = NULL; +- ram_addr_t old_ram_size, new_ram_size; ++ ram_addr_t ram_size; + Error *err = NULL; + +- old_ram_size = last_ram_page(); +- + qemu_mutex_lock_ramlist(); + new_block->offset = find_ram_offset(new_block->max_length); + +@@ -1873,11 +1859,8 @@ static void ram_block_add(RAMBlock *new_block, Error **errp) + } + } + +- new_ram_size = MAX(old_ram_size, +- (new_block->offset + new_block->max_length) >> TARGET_PAGE_BITS); +- if (new_ram_size > old_ram_size) { +- dirty_memory_extend(old_ram_size, new_ram_size); +- } ++ ram_size = (new_block->offset + new_block->max_length) >> TARGET_PAGE_BITS; ++ dirty_memory_extend(ram_size); + /* Keep the list sorted from biggest to smallest block. Unlike QTAILQ, + * QLIST (which has an RCU-friendly variant) does not have insertion at + * tail, so save the last element in last_block. +-- +2.41.0.windows.1 + diff --git a/stdvga-fix-screen-blanking.patch b/stdvga-fix-screen-blanking.patch new file mode 100644 index 00000000..9b6416ff --- /dev/null +++ b/stdvga-fix-screen-blanking.patch @@ -0,0 +1,47 @@ +From 540314912566c91341226d9eb6df5b782f277813 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 5 Jun 2024 15:14:41 +0200 +Subject: [PATCH] stdvga: fix screen blanking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In case the display surface uses a shared buffer (i.e. uses vga vram +directly instead of a shadow) go unshare the buffer before clearing it. + +This avoids vga memory corruption, which in turn fixes unblanking not +working properly with X11. + +Cc: qemu-stable@nongnu.org +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2067 +Signed-off-by: Gerd Hoffmann +Reviewed-by: Marc-André Lureau +Message-ID: <20240605131444.797896-2-kraxel@redhat.com> +Signed-off-by: Philippe Mathieu-Daudé +(cherry picked from commit b1cf266c82cb1211ee2785f1813a6a3f3e693390) +Signed-off-by: zhujun2 +--- + hw/display/vga.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/display/vga.c b/hw/display/vga.c +index 37557c3442..cb6b6ee2ca 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -1748,6 +1748,13 @@ static void vga_draw_blank(VGACommonState *s, int full_update) + if (s->last_scr_width <= 0 || s->last_scr_height <= 0) + return; + ++ if (is_buffer_shared(surface)) { ++ /* unshare buffer, otherwise the blanking corrupts vga vram */ ++ surface = qemu_create_displaysurface(s->last_scr_width, ++ s->last_scr_height); ++ dpy_gfx_replace_surface(s->con, surface); ++ } ++ + w = s->last_scr_width * surface_bytes_per_pixel(surface); + d = surface_data(surface); + for(i = 0; i < s->last_scr_height; i++) { +-- +2.41.0.windows.1 + diff --git a/target-i386-fix-size-of-EBP-writeback-in-gen_enter.patch b/target-i386-fix-size-of-EBP-writeback-in-gen_enter.patch new file mode 100644 index 00000000..9690299f --- /dev/null +++ b/target-i386-fix-size-of-EBP-writeback-in-gen_enter.patch @@ -0,0 +1,43 @@ +From 6d0eefdf70135a01476b787df50f34da77ae5529 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland +Date: Thu, 6 Jun 2024 10:53:19 +0100 +Subject: [PATCH] target/i386: fix size of EBP writeback in gen_enter() + +The calculation of FrameTemp is done using the size indicated by mo_pushpop() +before being written back to EBP, but the final writeback to EBP is done using +the size indicated by mo_stacksize(). + +In the case where mo_pushpop() is MO_32 and mo_stacksize() is MO_16 then the +final writeback to EBP is done using MO_16 which can leave junk in the top +16-bits of EBP after executing ENTER. + +Change the writeback of EBP to use the same size indicated by mo_pushpop() to +ensure that the full value is written back. + +Signed-off-by: Mark Cave-Ayland +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2198 +Message-ID: <20240606095319.229650-5-mark.cave-ayland@ilande.co.uk> +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit 3973615e7fbaeef1deeaa067577e373781ced70a) +Signed-off-by: zhujun2 +--- + target/i386/tcg/translate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c +index dc672d7995..19b8250452 100644 +--- a/target/i386/tcg/translate.c ++++ b/target/i386/tcg/translate.c +@@ -2661,7 +2661,7 @@ static void gen_enter(DisasContext *s, int esp_addend, int level) + } + + /* Copy the FrameTemp value to EBP. */ +- gen_op_mov_reg_v(s, a_ot, R_EBP, s->T1); ++ gen_op_mov_reg_v(s, d_ot, R_EBP, s->T1); + + /* Compute the final value of ESP. */ + tcg_gen_subi_tl(s->T1, s->T1, esp_addend + size * level); +-- +2.41.0.windows.1 + diff --git a/target-ppc-Fix-lxv-stxv-MSR-facility-check.patch b/target-ppc-Fix-lxv-stxv-MSR-facility-check.patch new file mode 100644 index 00000000..1afd8e32 --- /dev/null +++ b/target-ppc-Fix-lxv-stxv-MSR-facility-check.patch @@ -0,0 +1,49 @@ +From a8b171a0e5be721ee173a533f98594f62b0f0250 Mon Sep 17 00:00:00 2001 +From: qihao_yewu +Date: Sun, 29 Sep 2024 07:07:36 -0400 +Subject: [PATCH] target/ppc: Fix lxv/stxv MSR facility check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 2cc0e449d17310877fb28a942d4627ad22bb68ea + +The move to decodetree flipped the inequality test for the VEC / VSX +MSR facility check. + +This caused application crashes under Linux, where these facility +unavailable interrupts are used for lazy-switching of VEC/VSX register +sets. Getting the incorrect interrupt would result in wrong registers +being loaded, potentially overwriting live values and/or exposing +stale ones. + +Cc: qemu-stable@nongnu.org +Reported-by: Joel Stanley +Fixes: 70426b5bb738 ("target/ppc: moved stxvx and lxvx from legacy to decodtree") +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1769 +Reviewed-by: Harsh Prateek Bora +Tested-by: Harsh Prateek Bora +Reviewed-by: Cédric Le Goater +Tested-by: Cédric Le Goater +Signed-off-by: Nicholas Piggin +Signed-off-by: qihao_yewu +--- + target/ppc/translate/vsx-impl.c.inc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index 6db87ab336..0266f09119 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -2268,7 +2268,7 @@ static bool do_lstxv(DisasContext *ctx, int ra, TCGv displ, + + static bool do_lstxv_D(DisasContext *ctx, arg_D *a, bool store, bool paired) + { +- if (paired || a->rt >= 32) { ++ if (paired || a->rt < 32) { + REQUIRE_VSX(ctx); + } else { + REQUIRE_VECTOR(ctx); +-- +2.41.0.windows.1 + diff --git a/target-ppc-Fix-lxvx-stxvx-facility-check.patch b/target-ppc-Fix-lxvx-stxvx-facility-check.patch new file mode 100644 index 00000000..45c7c5ef --- /dev/null +++ b/target-ppc-Fix-lxvx-stxvx-facility-check.patch @@ -0,0 +1,63 @@ +From 67ce79a910ab02d8c1e08a9ebfa6c5aae2e9d5af Mon Sep 17 00:00:00 2001 +From: qihao_ss +Date: Sun, 29 Sep 2024 06:44:29 -0400 +Subject: [PATCH] target/ppc: Fix lxvx/stxvx facility check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 8bded2e73e80823a67f730140788a3c5e60bf4b5 + +The XT check for the lxvx/stxvx instructions is currently +inverted. This was introduced during the move to decodetree. + +>From the ISA: + Chapter 7. Vector-Scalar Extension Facility + Load VSX Vector Indexed X-form + + lxvx XT,RA,RB + if TX=0 & MSR.VSX=0 then VSX_Unavailable() + if TX=1 & MSR.VEC=0 then Vector_Unavailable() + ... + Let XT be the value 32×TX + T. + +The code currently does the opposite: + + if (paired || a->rt >= 32) { + REQUIRE_VSX(ctx); + } else { + REQUIRE_VECTOR(ctx); + } + +This was already fixed for lxv/stxv at commit "2cc0e449d1 (target/ppc: +Fix lxv/stxv MSR facility check)", but the indexed forms were missed. + +Cc: qemu-stable@nongnu.org +Fixes: 70426b5bb7 ("target/ppc: moved stxvx and lxvx from legacy to decodtree") +Signed-off-by: Fabiano Rosas +Reviewed-by: Claudio Fontana +Acked-by: Ilya Leoshkevich +Reviewed-by: Fabiano Rosas +Message-ID: <20240911141651.6914-1-farosas@suse.de> +Signed-off-by: Richard Henderson +Signed-off-by: qihao_yewu +--- + target/ppc/translate/vsx-impl.c.inc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc +index 6db87ab336..a2020da9fd 100644 +--- a/target/ppc/translate/vsx-impl.c.inc ++++ b/target/ppc/translate/vsx-impl.c.inc +@@ -2292,7 +2292,7 @@ static bool do_lstxv_PLS_D(DisasContext *ctx, arg_PLS_D *a, + + static bool do_lstxv_X(DisasContext *ctx, arg_X *a, bool store, bool paired) + { +- if (paired || a->rt >= 32) { ++ if (paired || a->rt < 32) { + REQUIRE_VSX(ctx); + } else { + REQUIRE_VECTOR(ctx); +-- +2.41.0.windows.1 + diff --git a/target-riscv-kvm-tolerate-KVM-disable-ext-errors.patch b/target-riscv-kvm-tolerate-KVM-disable-ext-errors.patch new file mode 100644 index 00000000..c8f6257f --- /dev/null +++ b/target-riscv-kvm-tolerate-KVM-disable-ext-errors.patch @@ -0,0 +1,69 @@ +From 33d8e65f37caa34bf0c18a3ecbaa48d3b706564b Mon Sep 17 00:00:00 2001 +From: Daniel Henrique Barboza +Date: Mon, 22 Apr 2024 14:14:25 -0300 +Subject: [PATCH] target/riscv/kvm: tolerate KVM disable ext errors + +Running a KVM guest using a 6.9-rc3 kernel, in a 6.8 host that has zkr +enabled, will fail with a kernel oops SIGILL right at the start. The +reason is that we can't expose zkr without implementing the SEED CSR. +Disabling zkr in the guest would be a workaround, but if the KVM doesn't +allow it we'll error out and never boot. + +In hindsight this is too strict. If we keep proceeding, despite not +disabling the extension in the KVM vcpu, we'll not add the extension in +the riscv,isa. The guest kernel will be unaware of the extension, i.e. +it doesn't matter if the KVM vcpu has it enabled underneath or not. So +it's ok to keep booting in this case. + +Change our current logic to not error out if we fail to disable an +extension in kvm_set_one_reg(), but show a warning and keep booting. It +is important to throw a warning because we must make the user aware that +the extension is still available in the vcpu, meaning that an +ill-behaved guest can ignore the riscv,isa settings and use the +extension. + +The case we're handling happens with an EINVAL error code. If we fail to +disable the extension in KVM for any other reason, error out. + +We'll also keep erroring out when we fail to enable an extension in KVM, +since adding the extension in riscv,isa at this point will cause a guest +malfunction because the extension isn't enabled in the vcpu. + +Suggested-by: Andrew Jones +Signed-off-by: Daniel Henrique Barboza +Reviewed-by: Andrew Jones +Cc: qemu-stable +Message-ID: <20240422171425.333037-2-dbarboza@ventanamicro.com> +Signed-off-by: Alistair Francis +(cherry picked from commit 1215d45b2aa97512a2867e401aa59f3d0c23cb23) +Signed-off-by: zhujun2 +--- + target/riscv/kvm/kvm-cpu.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c +index 45b6cf1cfa..b3dc2070f9 100644 +--- a/target/riscv/kvm/kvm-cpu.c ++++ b/target/riscv/kvm/kvm-cpu.c +@@ -369,10 +369,14 @@ static void kvm_riscv_update_cpu_cfg_isa_ext(RISCVCPU *cpu, CPUState *cs) + reg = kvm_cpu_cfg_get(cpu, multi_ext_cfg); + ret = kvm_set_one_reg(cs, id, ®); + if (ret != 0) { +- error_report("Unable to %s extension %s in KVM, error %d", +- reg ? "enable" : "disable", +- multi_ext_cfg->name, ret); +- exit(EXIT_FAILURE); ++ if (!reg && ret == -EINVAL) { ++ warn_report("KVM cannot disable extension %s", ++ multi_ext_cfg->name); ++ } else { ++ error_report("Unable to enable extension %s in KVM, error %d", ++ multi_ext_cfg->name, ret); ++ exit(EXIT_FAILURE); ++ } + } + } + } +-- +2.41.0.windows.1 + diff --git a/tests-bump-QOS_PATH_MAX_ELEMENT_SIZE-again.patch b/tests-bump-QOS_PATH_MAX_ELEMENT_SIZE-again.patch new file mode 100644 index 00000000..3124074c --- /dev/null +++ b/tests-bump-QOS_PATH_MAX_ELEMENT_SIZE-again.patch @@ -0,0 +1,43 @@ +From 8c7e606ff2e59df7be719b13f28fe629414fcb30 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alex=20Benn=C3=A9e?= +Date: Tue, 5 Mar 2024 12:09:37 +0000 +Subject: [PATCH] tests: bump QOS_PATH_MAX_ELEMENT_SIZE again +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We "fixed" a bug with LTO builds with 100c459f194 (tests/qtest: bump +up QOS_PATH_MAX_ELEMENT_SIZE) but it seems it has triggered again. + +The array is sized according to the maximum anticipated length of a +path on the graph. However, the worst case for a depth-first search is +to push all nodes on the graph. So it's not really LTO, it depends on +the ordering of the constructors. + +Lets be more assertive raising QOS_PATH_MAX_ELEMENT_SIZE to make it go +away again. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1186 (again) +Reviewed-by: Thomas Huth +Signed-off-by: Alex Bennée +Message-Id: <20240305121005.3528075-2-alex.bennee@linaro.org> +--- + tests/qtest/libqos/qgraph.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/qtest/libqos/qgraph.h b/tests/qtest/libqos/qgraph.h +index 287022a67c..1b5de02e7b 100644 +--- a/tests/qtest/libqos/qgraph.h ++++ b/tests/qtest/libqos/qgraph.h +@@ -24,7 +24,7 @@ + #include "libqos-malloc.h" + + /* maximum path length */ +-#define QOS_PATH_MAX_ELEMENT_SIZE 64 ++#define QOS_PATH_MAX_ELEMENT_SIZE 128 + + typedef struct QOSGraphObject QOSGraphObject; + typedef struct QOSGraphNode QOSGraphNode; +-- +2.41.0.windows.1 + diff --git a/ui-gtk-Draw-guest-frame-at-refresh-cycle.patch b/ui-gtk-Draw-guest-frame-at-refresh-cycle.patch new file mode 100644 index 00000000..3aeb1db6 --- /dev/null +++ b/ui-gtk-Draw-guest-frame-at-refresh-cycle.patch @@ -0,0 +1,59 @@ +From 228e14db9a85e7e978c38b97ae622302a0d4f784 Mon Sep 17 00:00:00 2001 +From: Dongwon Kim +Date: Fri, 26 Apr 2024 15:50:59 -0700 +Subject: [PATCH] ui/gtk: Draw guest frame at refresh cycle +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Draw routine needs to be manually invoked in the next refresh +if there is a scanout blob from the guest. This is to prevent +a situation where there is a scheduled draw event but it won't +happen bacause the window is currently in inactive state +(minimized or tabified). If draw is not done for a long time, +gl_block timeout and/or fence timeout (on the guest) will happen +eventually. + +v2: Use gd_gl_area_draw(vc) in gtk-gl-area.c + +Suggested-by: Vivek Kasireddy +Cc: Gerd Hoffmann +Cc: Marc-André Lureau +Cc: Daniel P. Berrangé +Signed-off-by: Dongwon Kim +Acked-by: Marc-André Lureau +Message-Id: <20240426225059.3871283-1-dongwon.kim@intel.com> +(cherry picked from commit 77bf310084dad38b3a2badf01766c659056f1cf2) +Signed-off-by: zhujun2 +--- + ui/gtk-egl.c | 1 + + ui/gtk-gl-area.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/ui/gtk-egl.c b/ui/gtk-egl.c +index 3af5ac5bcf..75f6b9011a 100644 +--- a/ui/gtk-egl.c ++++ b/ui/gtk-egl.c +@@ -150,6 +150,7 @@ void gd_egl_refresh(DisplayChangeListener *dcl) + vc, vc->window ? vc->window : vc->gfx.drawing_area); + + if (vc->gfx.guest_fb.dmabuf && vc->gfx.guest_fb.dmabuf->draw_submitted) { ++ gd_egl_draw(vc); + return; + } + +diff --git a/ui/gtk-gl-area.c b/ui/gtk-gl-area.c +index 52dcac161e..4fff957c3f 100644 +--- a/ui/gtk-gl-area.c ++++ b/ui/gtk-gl-area.c +@@ -126,6 +126,7 @@ void gd_gl_area_refresh(DisplayChangeListener *dcl) + gd_update_monitor_refresh_rate(vc, vc->window ? vc->window : vc->gfx.drawing_area); + + if (vc->gfx.guest_fb.dmabuf && vc->gfx.guest_fb.dmabuf->draw_submitted) { ++ gd_gl_area_draw(vc); + return; + } + +-- +2.41.0.windows.1 + diff --git a/ui-sdl2-set-swap-interval-explicitly-when-OpenGL-is-.patch b/ui-sdl2-set-swap-interval-explicitly-when-OpenGL-is-.patch new file mode 100644 index 00000000..c2a5954c --- /dev/null +++ b/ui-sdl2-set-swap-interval-explicitly-when-OpenGL-is-.patch @@ -0,0 +1,48 @@ +From 855f389c98787baaa8afd1139fb82e0710167d9a Mon Sep 17 00:00:00 2001 +From: Gert Wollny +Date: Wed, 11 Sep 2024 09:14:30 +0000 +Subject: [PATCH] ui/sdl2: set swap interval explicitly when OpenGL is enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Before 176e3783f2ab (ui/sdl2: OpenGL window context) +SDL_CreateRenderer was called unconditionally setting +the swap interval to 0. Since SDL_CreateRenderer is now no +longer called when OpenGL is enabled, the swap interval is +no longer set explicitly and vsync handling depends on +the environment settings which may lead to a performance +regression with virgl as reported in + https://gitlab.com/qemu-project/qemu/-/issues/2565 + +Restore the old vsync handling by explicitly calling +SDL_GL_SetSwapInterval if OpenGL is enabled. + +Fixes: 176e3783f2ab (ui/sdl2: OpenGL window context) +Closes: https://gitlab.com/qemu-project/qemu/-/issues/2565 + +Signed-off-by: Gert Wollny +Acked-by: Marc-André Lureau +Message-ID: <01020191e05ce6df-84da6386-62c2-4ce8-840e-ad216ac253dd-000000@eu-west-1.amazonses.com> +Signed-off-by: Philippe Mathieu-Daudé +(cherry picked from commit ae23cd00170baaa2777eb1ee87b70f472dbb3c44) +Signed-off-by: zhujun2 +--- + ui/sdl2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ui/sdl2.c b/ui/sdl2.c +index 4971963f00..cc44d2708b 100644 +--- a/ui/sdl2.c ++++ b/ui/sdl2.c +@@ -115,6 +115,7 @@ void sdl2_window_create(struct sdl2_console *scon) + SDL_SetHint(SDL_HINT_RENDER_BATCHING, "1"); + + scon->winctx = SDL_GL_CreateContext(scon->real_window); ++ SDL_GL_SetSwapInterval(0); + } else { + /* The SDL renderer is only used by sdl2-2D, when OpenGL is disabled */ + scon->real_renderer = SDL_CreateRenderer(scon->real_window, -1, 0); +-- +2.41.0.windows.1 + diff --git a/virtio-net-drop-too-short-packets-early.patch b/virtio-net-drop-too-short-packets-early.patch new file mode 100644 index 00000000..ffe4c0bf --- /dev/null +++ b/virtio-net-drop-too-short-packets-early.patch @@ -0,0 +1,91 @@ +From 5651eb5cfd3a49506be4be97f8def3fed713c641 Mon Sep 17 00:00:00 2001 +From: Alexey Dobriyan +Date: Tue, 30 Apr 2024 13:53:33 +0300 +Subject: [PATCH] virtio-net: drop too short packets early + +Reproducer from https://gitlab.com/qemu-project/qemu/-/issues/1451 +creates small packet (1 segment, len = 10 == n->guest_hdr_len), +then destroys queue. + +"if (n->host_hdr_len != n->guest_hdr_len)" is triggered, if body creates +zero length/zero segment packet as there is nothing after guest header. + +qemu_sendv_packet_async() tries to send it. + +slirp discards it because it is smaller than Ethernet header, +but returns 0 because tx hooks are supposed to return total length of data. + +0 is propagated upwards and is interpreted as "packet has been sent" +which is terrible because queue is being destroyed, nobody is waiting for TX +to complete and assert it triggered. + +Fix is discard such empty packets instead of sending them. + +Length 1 packets will go via different codepath: + + virtqueue_push(q->tx_vq, elem, 0); + virtio_notify(vdev, q->tx_vq); + g_free(elem); + +and aren't problematic. + +Signed-off-by: Alexey Dobriyan +Signed-off-by: Jason Wang +(cherry picked from commit 2c3e4e2de699cd4d9f6c71f30a22d8f125cd6164) +Signed-off-by: zhujun2 +--- + hw/net/virtio-net.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 432c433540..b17137a686 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -2732,18 +2732,14 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) + out_sg = elem->out_sg; + if (out_num < 1) { + virtio_error(vdev, "virtio-net header not in first element"); +- virtqueue_detach_element(q->tx_vq, elem, 0); +- g_free(elem); +- return -EINVAL; ++ goto detach; + } + + if (n->has_vnet_hdr) { + if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) < + n->guest_hdr_len) { + virtio_error(vdev, "virtio-net header incorrect"); +- virtqueue_detach_element(q->tx_vq, elem, 0); +- g_free(elem); +- return -EINVAL; ++ goto detach; + } + if (n->needs_vnet_hdr_swap) { + virtio_net_hdr_swap(vdev, (void *) &vhdr); +@@ -2774,6 +2770,11 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) + n->guest_hdr_len, -1); + out_num = sg_num; + out_sg = sg; ++ ++ if (out_num < 1) { ++ virtio_error(vdev, "virtio-net nothing to send"); ++ goto detach; ++ } + } + + ret = qemu_sendv_packet_async(qemu_get_subqueue(n->nic, queue_index), +@@ -2794,6 +2795,11 @@ drop: + } + } + return num_packets; ++ ++detach: ++ virtqueue_detach_element(q->tx_vq, elem, 0); ++ g_free(elem); ++ return -EINVAL; + } + + static void virtio_net_tx_timer(void *opaque); +-- +2.41.0.windows.1 + diff --git a/virtio-remove-virtio_tswap16s-call-in-vring_packed_e.patch b/virtio-remove-virtio_tswap16s-call-in-vring_packed_e.patch new file mode 100644 index 00000000..c3613175 --- /dev/null +++ b/virtio-remove-virtio_tswap16s-call-in-vring_packed_e.patch @@ -0,0 +1,52 @@ +From 400e9dbe4dae8efc110a2363590ce35fd11d7d29 Mon Sep 17 00:00:00 2001 +From: Stefano Garzarella +Date: Mon, 1 Jul 2024 09:52:08 +0200 +Subject: [PATCH] virtio: remove virtio_tswap16s() call in + vring_packed_event_read() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit d152cdd6f6 ("virtio: use virtio accessor to access packed event") +switched using of address_space_read_cached() to virito_lduw_phys_cached() +to access packed descriptor event. + +When we used address_space_read_cached(), we needed to call +virtio_tswap16s() to handle the endianess of the field, but +virito_lduw_phys_cached() already handles it internally, so we no longer +need to call virtio_tswap16s() (as the commit had done for `off_wrap`, +but forgot for `flags`). + +Fixes: d152cdd6f6 ("virtio: use virtio accessor to access packed event") +Cc: jasowang@redhat.com +Cc: qemu-stable@nongnu.org +Reported-by: Xoykie +Link: https://lore.kernel.org/qemu-devel/CAFU8RB_pjr77zMLsM0Unf9xPNxfr_--Tjr49F_eX32ZBc5o2zQ@mail.gmail.com +Signed-off-by: Stefano Garzarella +Message-Id: <20240701075208.19634-1-sgarzare@redhat.com> +Acked-by: Jason Wang +Reviewed-by: Peter Maydell +Reviewed-by: Eugenio Pérez +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 7aa6492401e95fb296dec7cda81e67d91f6037d7) +Signed-off-by: zhujun2 +--- + hw/virtio/virtio.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 202aae868e..8c3b6b87aa 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -322,7 +322,6 @@ static void vring_packed_event_read(VirtIODevice *vdev, + /* Make sure flags is seen before off_wrap */ + smp_rmb(); + e->off_wrap = virtio_lduw_phys_cached(vdev, cache, off_off); +- virtio_tswap16s(vdev, &e->flags); + } + + static void vring_packed_off_wrap_write(VirtIODevice *vdev, +-- +2.41.0.windows.1 + diff --git a/virtio-snd-add-max-size-bounds-check-in-input-cb-CVE.patch b/virtio-snd-add-max-size-bounds-check-in-input-cb-CVE.patch new file mode 100644 index 00000000..f68bc0c0 --- /dev/null +++ b/virtio-snd-add-max-size-bounds-check-in-input-cb-CVE.patch @@ -0,0 +1,61 @@ +From 56a588dad8d085a89b24fe2103bd623d4260e02d Mon Sep 17 00:00:00 2001 +From: Manos Pitsidianakis +Date: Mon, 8 Jul 2024 10:09:49 +0300 +Subject: [PATCH] virtio-snd: add max size bounds check in input + cb(CVE-2024-7730) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cherry-pick from 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 + +When reading input audio in the virtio-snd input callback, +virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit +the data buffer. This is because we use the buffer->size field as a +total-so-far accumulator instead of byte-size-left like in TX buffers. + +This triggers an out of bounds write if the size of the virtio queue +element is equal to virtio_snd_pcm_status, which makes the available +space for audio data zero. This commit adds a check for reaching the +maximum buffer size before attempting any writes. + +Reported-by: Zheyu Ma +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2427 +Signed-off-by: Manos Pitsidianakis +Message-Id: +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +--- + hw/audio/virtio-snd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c +index 137fa77a01..15986af41e 100644 +--- a/hw/audio/virtio-snd.c ++++ b/hw/audio/virtio-snd.c +@@ -1274,7 +1274,7 @@ static void virtio_snd_pcm_in_cb(void *data, int available) + { + VirtIOSoundPCMStream *stream = data; + VirtIOSoundPCMBuffer *buffer; +- size_t size; ++ size_t size, max_size; + + WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) { + while (!QSIMPLEQ_EMPTY(&stream->queue)) { +@@ -1288,7 +1288,12 @@ static void virtio_snd_pcm_in_cb(void *data, int available) + continue; + } + ++ max_size = iov_size(buffer->elem->in_sg, buffer->elem->in_num); + for (;;) { ++ if (buffer->size >= max_size) { ++ return_rx_buffer(stream, buffer); ++ break; ++ } + size = AUD_read(stream->voice.in, + buffer->data + buffer->size, + MIN(available, (stream->params.period_bytes - +-- +2.41.0.windows.1 + -- Gitee