From 51d35006ddc4eefd5fbed2c2392dc998453a03e9 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 21 Jun 2021 17:15:39 +0800 Subject: [PATCH 1/8] fix cve-2020-35504 esp: always check current_req is not NULL before use in DMA callbacks Signed-off-by: Mark Cave-Ayland Signed-off-by: imxcc --- fix-cve-2020-35504.patch | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 fix-cve-2020-35504.patch diff --git a/fix-cve-2020-35504.patch b/fix-cve-2020-35504.patch new file mode 100644 index 00000000..bf03fb5f --- /dev/null +++ b/fix-cve-2020-35504.patch @@ -0,0 +1,30 @@ +From dc8416b55d69e70912acd2364494a490b02e3198 Mon Sep 17 00:00:00 2001 +From: imxcc +Date: Mon, 21 Jun 2021 17:15:39 +0800 +Subject: [PATCH] fix cve-2020-35504 + +esp: always check current_req is not NULL before use in DMA callbacks + +Signed-off-by: Mark Cave-Ayland +Signed-off-by: imxcc +--- + hw/scsi/esp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index 7508d035ca..d1f13b350e 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -253,6 +253,9 @@ static void esp_do_dma(ESPState *s) + s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); + return; + } ++ if (!s->current_req) { ++ return; ++ } + if (s->async_len == 0) { + /* Defer until data is available. */ + return; +-- +2.27.0 + -- Gitee From 071d873df2feed6448d80d5fafbbc854346c7ea9 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 21 Jun 2021 17:20:55 +0800 Subject: [PATCH 2/8] fix cve-2020-35505 esp: ensure cmdfifo is not empty and current_dev is non-NULL Signed-off-by: Mark Cave-Ayland Signed-off-by: imxcc --- fix-cve-2020-35505.patch | 46 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 fix-cve-2020-35505.patch diff --git a/fix-cve-2020-35505.patch b/fix-cve-2020-35505.patch new file mode 100644 index 00000000..eb639d92 --- /dev/null +++ b/fix-cve-2020-35505.patch 
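Review bot: The backported patch embedded here carries no reference to the upstream QEMU commit it was taken from — its own header names imxcc as author with only a local hash — so a reader cannot verify that the single `if (!s->current_req) { return; }` inserted into esp_do_dma is the whole of the CVE-2020-35504 fix, even though the title says "DMA callbacks" in the plural while only esp_do_dma is touched. Add an `(cherry picked from commit <upstream-commit-id>)` line to the nested patch description and state whether any remaining upstream hunks were judged not applicable to 4.1.0. The new check sits after the cmdbuf read branch and esp_do_dma's body begins before the hunk, so confirm that no earlier statement in the function already dereferences s->current_req. A one-line comment above the check, such as `/* current_req may already be NULL here, e.g. after esp_request_cancelled() cleared it, while the guest keeps driving DMA */`, would record why this path must tolerate a missing request.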
@@ -0,0 +1,46 @@ +From a1c9b6747da5f3d2815a0c186473dc76d9e4f682 Mon Sep 17 00:00:00 2001 +From: imxcc +Date: Mon, 21 Jun 2021 17:20:55 +0800 +Subject: [PATCH] fix cve-2020-35505 + +esp: ensure cmdfifo is not empty and current_dev is non-NULL + +Signed-off-by: Mark Cave-Ayland +Signed-off-by: imxcc +--- + hw/scsi/esp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c +index d1f13b350e..db6bed4f00 100644 +--- a/hw/scsi/esp.c ++++ b/hw/scsi/esp.c +@@ -79,6 +79,7 @@ void esp_request_cancelled(SCSIRequest *req) + scsi_req_unref(s->current_req); + s->current_req = NULL; + s->current_dev = NULL; ++ s->async_len = 0; + } + } + +@@ -113,7 +114,6 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) + if (s->current_req) { + /* Started a new command before the old one finished. Cancel it. */ + scsi_req_cancel(s->current_req); +- s->async_len = 0; + } + + s->current_dev = scsi_device_find(&s->bus, 0, target, 0); +@@ -136,6 +136,9 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid) + + trace_esp_do_busid_cmd(busid); + lun = busid & 7; ++ if (!s->current_dev) { ++ return; ++ } + current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun); + s->current_req = scsi_req_new(current_lun, 0, lun, buf, s); + datalen = scsi_req_enqueue(s->current_req); +-- +2.27.0 + -- Gitee From e89ac6da1bed6f04baa513fa5fbdbb29fd0cdce3 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 28 Jan 2022 21:27:02 +0800 Subject: [PATCH 3/8] spec: Update patch and changelog with !208 sync from SP1 !208 fix cve-2020-35504 fix cve-2020-35505 Signed-off-by: Chen Qun --- qemu.spec | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/qemu.spec b/qemu.spec index f0008a5d..01bbfa8c 100644 --- a/qemu.spec +++ b/qemu.spec 
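Review bot: The nested patch's subject promises to "ensure cmdfifo is not empty", but none of its three hunks adds such a check — the visible changes are moving `s->async_len = 0;` from get_cmd's cancel path into esp_request_cancelled and the new `if (!s->current_dev) { return; }` in do_busid_cmd. Either the emptiness check was dropped because 4.1.0 uses cmdbuf/cmdlen rather than cmdfifo, or it is missing from the backport; the description should say which and cite the upstream commit it is derived from (`<upstream-commit-id>`). The early return in do_busid_cmd silently drops the command after `trace_esp_do_busid_cmd(busid)` has fired, and whether the guest should instead see an error status is not settled by the hunk, so a comment such as `/* No target was found by scsi_device_find() in get_cmd(); drop the command. */` would document the chosen behaviour. do_busid_cmd continues past the end of the hunk.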
@@ -560,6 +560,8 @@ Patch0547: vfio-common-Fix-incorrect-address-alignment-in-vfio_.patch Patch0548: vfio-common-Add-address-alignment-check-in-vfio_list.patch Patch0549: uas-add-stream-number-sanity-checks.patch Patch0550: virtio-net-fix-use-after-unmap-free-for-sg.patch +Patch0551: fix-cve-2020-35504.patch +Patch0552: fix-cve-2020-35505.patch BuildRequires: flex BuildRequires: gcc @@ -963,6 +965,10 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Jan 28 2022 Chen Qun +- fix cve-2020-35504 +- fix cve-2020-35505 + * Sun Sep 26 2021 Chen Qun - virtio-net: fix use after unmap/free for sg -- Gitee From 0fef6d2c023ff153f42534003bff7e8e07937982 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 16 Nov 2021 17:21:09 +0800 Subject: [PATCH 4/8] virtio-balloon: apply upstream patch. Signed-off-by: Ming Yang --- virtio-balloon-apply-upstream-patch.patch | 31 +++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 virtio-balloon-apply-upstream-patch.patch diff --git a/virtio-balloon-apply-upstream-patch.patch b/virtio-balloon-apply-upstream-patch.patch new file mode 100644 index 00000000..a400a496 --- /dev/null +++ b/virtio-balloon-apply-upstream-patch.patch 
@@ -0,0 +1,31 @@ +From 0d86ceed3cef76334c39d879dd8b532ca258eb65 Mon Sep 17 00:00:00 2001 +From: Ming Yang +Date: Tue, 16 Nov 2021 17:21:09 +0800 +Subject: [PATCH] virtio-balloon: apply upstream patch. + +Signed-off-by: Ming Yang +--- + hw/virtio/virtio-balloon.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c +index 25de154307..17fa767483 100644 +--- a/hw/virtio/virtio-balloon.c ++++ b/hw/virtio/virtio-balloon.c +@@ -830,6 +830,13 @@ static void virtio_balloon_device_unrealize(DeviceState *dev, Error **errp) + } + balloon_stats_destroy_timer(s); + qemu_remove_balloon_handler(s); ++ ++ virtio_del_queue(vdev, 0); ++ virtio_del_queue(vdev, 1); ++ virtio_del_queue(vdev, 2); ++ if (s->free_page_vq) { ++ virtio_del_queue(vdev, 3); ++ } + virtio_cleanup(vdev); + } + +-- +2.27.0 + -- Gitee From d47246a8c03f3e6cf81cdbede1250910e0779e25 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 28 Jan 2022 21:27:04 +0800 Subject: [PATCH 5/8] spec: Update patch and changelog with !213 virtio-balloon: apply upstream patch. !213 virtio-balloon: apply upstream patch. Signed-off-by: Chen Qun --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index 01bbfa8c..ecf43ef0 100644 --- a/qemu.spec +++ b/qemu.spec @@ -562,6 +562,7 @@ Patch0549: uas-add-stream-number-sanity-checks.patch Patch0550: virtio-net-fix-use-after-unmap-free-for-sg.patch Patch0551: fix-cve-2020-35504.patch Patch0552: fix-cve-2020-35505.patch +Patch0553: virtio-balloon-apply-upstream-patch.patch BuildRequires: flex BuildRequires: gcc @@ -965,6 +966,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Jan 28 2022 Chen Qun +- virtio-balloon: apply upstream patch. + * Fri Jan 28 2022 Chen Qun - fix cve-2020-35504 - fix cve-2020-35505 -- Gitee From c850c4f1a4c21878d73739c8f8c314da59039d6d Mon Sep 17 00:00:00 2001 
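Review bot: The queue indices 0–3 passed to `virtio_del_queue()` are hard-coded and must mirror the order in which virtio_balloon_device_realize() added the queues, which is not visible here; a comment above the first call, `/* Must match the virtio_add_queue() order in virtio_balloon_device_realize(). */`, would tie the two sides together. The commit message "apply upstream patch." names neither the upstream commit nor the defect being fixed (presumably the virtqueues leaking on unrealize); add the upstream id (`<upstream-commit-id>`) so the backport can be checked against its source. The `if (s->free_page_vq)` guard on index 3 is consistent with an optional fourth queue, but confirm that realize creates free_page_vq as the fourth queue and under the same condition. virtio_balloon_device_unrealize starts before the hunk.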
From: Chen Qun Date: Thu, 11 Nov 2021 14:25:38 +0800 Subject: [PATCH 6/8] add Phytium's CPU models: FT-2000+ and Tengyun-S2500. Signed-off-by: Jiadong Zeng --- ...CPU-models-FT-2000-and-Tengyun-S2500.patch | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 add-Phytium-s-CPU-models-FT-2000-and-Tengyun-S2500.patch diff --git a/add-Phytium-s-CPU-models-FT-2000-and-Tengyun-S2500.patch b/add-Phytium-s-CPU-models-FT-2000-and-Tengyun-S2500.patch new file mode 100644 index 00000000..bdf49311 --- /dev/null +++ b/add-Phytium-s-CPU-models-FT-2000-and-Tengyun-S2500.patch 
@@ -0,0 +1,73 @@ +From ea7a395de920cfecd9bf99f0cf55914d47718edf Mon Sep 17 00:00:00 2001 +From: Jiadong Zeng +Date: Thu, 11 Nov 2021 14:25:38 +0800 +Subject: [PATCH] add Phytium's CPU models: FT-2000+ and Tengyun-S2500. + +Signed-off-by: Jiadong Zeng +--- + hw/arm/virt.c | 2 ++ + target/arm/cpu64.c | 28 ++++++++++++++++++++++++++++ + 2 files changed, 30 insertions(+) + +diff --git a/hw/arm/virt.c b/hw/arm/virt.c +index 7506d0ff32..0e46260116 100644 +--- a/hw/arm/virt.c ++++ b/hw/arm/virt.c +@@ -195,6 +195,8 @@ static const char *valid_cpus[] = { + ARM_CPU_TYPE_NAME("cortex-a57"), + ARM_CPU_TYPE_NAME("cortex-a72"), + ARM_CPU_TYPE_NAME("Kunpeng-920"), ++ ARM_CPU_TYPE_NAME("FT-2000+"), ++ ARM_CPU_TYPE_NAME("Tengyun-S2500"), + ARM_CPU_TYPE_NAME("host"), + ARM_CPU_TYPE_NAME("max"), + }; +diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c +index a1649f8844..4cf5b89db0 100644 +--- a/target/arm/cpu64.c ++++ b/target/arm/cpu64.c +@@ -327,6 +327,32 @@ static void cpu_max_set_sve_vq(Object *obj, Visitor *v, const char *name, + error_propagate(errp, err); + } + ++static void aarch64_max_ft2000plus_initfn(Object *obj) ++{ ++ ARMCPU *cpu = ARM_CPU(obj); ++ ++ if (kvm_enabled()) { ++ kvm_arm_set_cpu_features_from_host(cpu); ++ kvm_arm_add_vcpu_properties(obj); ++ } else { ++ aarch64_a72_initfn(obj); ++ cpu->midr = 0x70186622; ++ } ++} ++ ++static void aarch64_max_tengyun_s2500_initfn(Object *obj) ++{ ++ ARMCPU *cpu = ARM_CPU(obj); ++ ++ if (kvm_enabled()) { ++ kvm_arm_set_cpu_features_from_host(cpu); ++ kvm_arm_add_vcpu_properties(obj); ++ } else { ++ aarch64_a72_initfn(obj); ++ cpu->midr = 0x70186632; ++ } ++} ++ + /* -cpu max: if KVM is enabled, like -cpu host (best possible with this host); + * otherwise, a CPU with as many features enabled as our emulation supports. 
+ * The version of '-cpu max' for qemu-system-arm is defined in cpu.c; +@@ -442,6 +468,8 @@ static const ARMCPUInfo aarch64_cpus[] = { + { .name = "cortex-a53", .initfn = aarch64_a53_initfn }, + { .name = "cortex-a72", .initfn = aarch64_a72_initfn }, + { .name = "Kunpeng-920", .initfn = aarch64_kunpeng_920_initfn }, ++ { .name = "FT-2000+", .initfn = aarch64_max_ft2000plus_initfn }, ++ { .name = "Tengyun-S2500", .initfn = aarch64_max_tengyun_s2500_initfn }, + { .name = "max", .initfn = aarch64_max_initfn }, + { .name = NULL } + }; +-- +2.27.0 + -- Gitee From 25d894c6227dc1b4272a985aafcdd3222965c7bd Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 28 Jan 2022 21:27:06 +0800 Subject: [PATCH 7/8] =?UTF-8?q?spec:=20Update=20patch=20and=20changelog=20?= =?UTF-8?q?with=20!211=20add=20Phytium's=20CPU=20models:=20FT-2000+=20and?= =?UTF-8?q?=20Tengyun-S2500.=20Merge=20pull=20request=20!211=20from=20?= =?UTF-8?q?=E6=9B=BE=E4=BD=B3=E6=A0=8B/qemu-4.1.0=20!211?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit add Phytium's CPU models: FT-2000+ and Tengyun-S2500. Signed-off-by: Chen Qun --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index ecf43ef0..aa11fff3 100644 --- a/qemu.spec +++ b/qemu.spec @@ -563,6 +563,7 @@ Patch0550: virtio-net-fix-use-after-unmap-free-for-sg.patch Patch0551: fix-cve-2020-35504.patch Patch0552: fix-cve-2020-35505.patch Patch0553: virtio-balloon-apply-upstream-patch.patch +Patch0554: add-Phytium-s-CPU-models-FT-2000-and-Tengyun-S2500.patch BuildRequires: flex BuildRequires: gcc @@ -966,6 +967,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Jan 28 2022 Chen Qun +- add Phytium's CPU models: FT-2000+ and Tengyun-S2500. + * Fri Jan 28 2022 Chen Qun - virtio-balloon: apply upstream patch. -- Gitee From e0b1b0093155a9250d58cd6ab0e8cfb7d4c8a51b Mon Sep 17 00:00:00 2001 
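Review bot: aarch64_max_ft2000plus_initfn and aarch64_max_tengyun_s2500_initfn are identical apart from the MIDR literal, and their `aarch64_max_` prefix is misleading because they are Cortex-A72 derivatives rather than "-cpu max" variants; the existing `aarch64_kunpeng_920_initfn` entry in the same table shows the file's naming convention. Factor the shared body into one static helper that takes the MIDR, and name the two constants so that `0x70186622` and `0x70186632` are documented rather than bare magic numbers. Under KVM neither function sets the MIDR at all (host features are taken instead), so the two models are only distinguishable to the guest under TCG — worth a comment if that is intentional. The hw/arm/virt.c hunk only extends valid_cpus and needs nothing further.
```c
/* Phytium models: Cortex-A72 feature set with a vendor MIDR under TCG;
 * under KVM the host CPU features are used and the MIDR is not overridden,
 * as for Kunpeng-920. */
#define MIDR_FT2000PLUS     0x70186622
#define MIDR_TENGYUN_S2500  0x70186632

static void aarch64_phytium_initfn(Object *obj, uint64_t midr)
{
    ARMCPU *cpu = ARM_CPU(obj);

    if (kvm_enabled()) {
        kvm_arm_set_cpu_features_from_host(cpu);
        kvm_arm_add_vcpu_properties(obj);
    } else {
        aarch64_a72_initfn(obj);
        cpu->midr = midr;
    }
}

static void aarch64_max_ft2000plus_initfn(Object *obj)
{
    aarch64_phytium_initfn(obj, MIDR_FT2000PLUS);
}

static void aarch64_max_tengyun_s2500_initfn(Object *obj)
{
    aarch64_phytium_initfn(obj, MIDR_TENGYUN_S2500);
}
/* … unchanged: '-cpu max' comment and aarch64_cpus[] table entries … */
```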
From: Chen Qun Date: Fri, 28 Jan 2022 21:27:06 +0800 Subject: [PATCH 8/8] spec: Update release version with !208 !213 !211 increase release verison by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index aa11fff3..ab404130 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 82 +Release: 83 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 -- Gitee