From 3226a2a69ded041aef4e141a371c176f21bfef97 Mon Sep 17 00:00:00 2001 From: wanborj Date: Fri, 30 Sep 2022 17:46:17 +0800 Subject: [PATCH] Backport upstream bugfix Signed-off-by: wanborj (cherry picked from commit d72c1d27b2cdc70578ab2e9052961dcdb9012d0d) --- ...pcie-set-power-on-cap-on-parent-slot.patch | 121 ++++++++++++++++++ ...d-Fix-buffer-overflow-in-ati_2d_blt-.patch | 83 ++++++++++++ ...-add-missing-notifier-initialization.patch | 37 ++++++ pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch | 64 +++++++++ qemu.spec | 16 ++- qom-assert-integer-does-not-overflow.patch | 58 +++++++++ uas-add-missing-return.patch | 35 +++++ 7 files changed, 413 insertions(+), 1 deletion(-) create mode 100644 acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch create mode 100644 hw-display-ati_2d-Fix-buffer-overflow-in-ati_2d_blt-.patch create mode 100644 job.c-add-missing-notifier-initialization.patch create mode 100644 pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch create mode 100644 qom-assert-integer-does-not-overflow.patch create mode 100644 uas-add-missing-return.patch diff --git a/acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch b/acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch new file mode 100644 index 0000000..1a70fcc --- /dev/null +++ b/acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch @@ -0,0 +1,121 @@ +From 6c92ab0387c2af443142a0cc47134389711a14dc Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Tue, 1 Mar 2022 10:11:59 -0500 +Subject: [PATCH 5/6] acpi: pcihp: pcie: set power on cap on parent slot + +on creation a PCIDevice has power turned on at the end of pci_qdev_realize() +however later on if PCIe slot isn't populated with any children +it's power is turned off. It's fine if native hotplug is used +as plug callback will power slot on among other things. +However when ACPI hotplug is enabled it replaces native PCIe plug +callbacks with ACPI specific ones (acpi_pcihp_device_*plug_cb) and +as result slot stays powered off. It works fine as ACPI hotplug +on guest side takes care of enumerating/initializing hotplugged +device. But when later guest is migrated, call chain introduced by] +commit d5daff7d312 (pcie: implement slot power control for pcie root ports) + + pcie_cap_slot_post_load() + -> pcie_cap_update_power() + -> pcie_set_power_device() + -> pci_set_power() + -> pci_update_mappings() + +will disable earlier initialized BARs for the hotplugged device +in powered off slot due to commit 23786d13441 (pci: implement power state) +which disables BARs if power is off. + +Fix it by setting PCI_EXP_SLTCTL_PCC to PCI_EXP_SLTCTL_PWR_ON +on slot (root port/downstream port) at the time a device +hotplugged into it. As result PCI_EXP_SLTCTL_PWR_ON is migrated +to target and above call chain keeps device plugged into it +powered on. + +Fixes: d5daff7d312 ("pcie: implement slot power control for pcie root ports") +Fixes: 23786d13441 ("pci: implement power state") +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2053584 +Suggested-by: "Michael S. Tsirkin" +Signed-off-by: Igor Mammedov +Message-Id: <20220301151200.3507298-3-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Signed-off-by: wanbo +--- + hw/acpi/pcihp.c | 12 +++++++++++- + hw/pci/pcie.c | 11 +++++++++++ + include/hw/pci/pcie.h | 1 + + 3 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c +index a5e182dd3a..be0e846b34 100644 +--- a/hw/acpi/pcihp.c ++++ b/hw/acpi/pcihp.c +@@ -32,6 +32,7 @@ + #include "hw/pci/pci_bridge.h" + #include "hw/pci/pci_host.h" + #include "hw/pci/pcie_port.h" ++#include "hw/pci-bridge/xio3130_downstream.h" + #include "hw/i386/acpi-build.h" + #include "hw/acpi/acpi.h" + #include "hw/pci/pci_bus.h" +@@ -341,6 +342,8 @@ void acpi_pcihp_device_plug_cb(HotplugHandler *hotplug_dev, AcpiPciHpState *s, + { + PCIDevice *pdev = PCI_DEVICE(dev); + int slot = PCI_SLOT(pdev->devfn); ++ PCIDevice *bridge; ++ PCIBus *bus; + int bsel; + + /* Don't send event when device is enabled during qemu machine creation: +@@ -370,7 +373,14 @@ void acpi_pcihp_device_plug_cb(HotplugHandler *hotplug_dev, AcpiPciHpState *s, + return; + } + +- bsel = acpi_pcihp_get_bsel(pci_get_bus(pdev)); ++ bus = pci_get_bus(pdev); ++ bridge = pci_bridge_get_device(bus); ++ if (object_dynamic_cast(OBJECT(bridge), TYPE_PCIE_ROOT_PORT) || ++ object_dynamic_cast(OBJECT(bridge), TYPE_XIO3130_DOWNSTREAM)) { ++ pcie_cap_slot_enable_power(bridge); ++ } ++ ++ bsel = acpi_pcihp_get_bsel(bus); + g_assert(bsel >= 0); + s->acpi_pcihp_pci_status[bsel].up |= (1U << slot); + acpi_send_event(DEVICE(hotplug_dev), ACPI_PCI_HOTPLUG_STATUS); +diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c +index 30c09ed943..a2d1ae6021 100644 +--- a/hw/pci/pcie.c ++++ b/hw/pci/pcie.c +@@ -365,6 +365,17 @@ static void hotplug_event_clear(PCIDevice *dev) + } + } + ++void pcie_cap_slot_enable_power(PCIDevice *dev) ++{ ++ uint8_t *exp_cap = dev->config + dev->exp.exp_cap; ++ uint32_t sltcap = pci_get_long(exp_cap + PCI_EXP_SLTCAP); ++ ++ if (sltcap & PCI_EXP_SLTCAP_PCP) { ++ pci_set_word_by_mask(exp_cap + PCI_EXP_SLTCTL, ++ PCI_EXP_SLTCTL_PCC, PCI_EXP_SLTCTL_PWR_ON); ++ } ++} ++ + static void pcie_set_power_device(PCIBus *bus, PCIDevice *dev, void *opaque) + { + bool *power = opaque; +diff --git a/include/hw/pci/pcie.h b/include/hw/pci/pcie.h +index 6063bee0ec..c27368d077 100644 +--- a/include/hw/pci/pcie.h ++++ b/include/hw/pci/pcie.h +@@ -112,6 +112,7 @@ void pcie_cap_slot_write_config(PCIDevice *dev, + uint32_t addr, uint32_t val, int len); + int pcie_cap_slot_post_load(void *opaque, int version_id); + void pcie_cap_slot_push_attention_button(PCIDevice *dev); ++void pcie_cap_slot_enable_power(PCIDevice *dev); + + void pcie_cap_root_init(PCIDevice *dev); + void pcie_cap_root_reset(PCIDevice *dev); +-- +2.27.0 + diff --git a/hw-display-ati_2d-Fix-buffer-overflow-in-ati_2d_blt-.patch b/hw-display-ati_2d-Fix-buffer-overflow-in-ati_2d_blt-.patch new file mode 100644 index 0000000..8f86507 --- /dev/null +++ b/hw-display-ati_2d-Fix-buffer-overflow-in-ati_2d_blt-.patch @@ -0,0 +1,83 @@ +From d1d13b1f86a5ac0520dc7369873d6478b583af04 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Mon, 6 Sep 2021 17:31:03 +0200 +Subject: [PATCH 6/6] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt + (CVE-2021-3638) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When building QEMU with DEBUG_ATI defined then running with +'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*' +we get: + + ati_mm_write 4 0x16c0 DP_CNTL <- 0x1 + ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2 + ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000 + ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2 + ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0 + ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000 + ati_mm_write 4 0x1420 DST_Y <- 0x3fff + ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff + ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff + ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff + ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^ + ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000) + Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault. + (gdb) bt + #0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0 + #1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0 + #2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196 + #3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843 + #4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492 + +Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced +the local dst_x and dst_y which adjust the (x, y) coordinates +depending on the direction in the SRCCOPY ROP3 operation, but +forgot to address the same issue for the PATCOPY, BLACKNESS and +WHITENESS operations, which also call pixman_fill(). + +Fix that now by using the adjusted coordinates in the pixman_fill +call, and update the related debug printf(). + +Reported-by: Qiang Liu +Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts") +Signed-off-by: Philippe Mathieu-Daudé +Tested-by: Mauro Matteo Cascella +Message-Id: <20210906153103.1661195-1-philmd@redhat.com> +Signed-off-by: Gerd Hoffmann +Signed-off-by: wanbo +--- + hw/display/ati_2d.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c +index 4dc10ea795..692bec91de 100644 +--- a/hw/display/ati_2d.c ++++ b/hw/display/ati_2d.c +@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s) + DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n", + s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset, + s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch, +- s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y, ++ s->regs.src_x, s->regs.src_y, dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'), + (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^')); +@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s) + dst_stride /= sizeof(uint32_t); + DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n", + dst_bits, dst_stride, bpp, +- s->regs.dst_x, s->regs.dst_y, ++ dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + filler); + pixman_fill((uint32_t *)dst_bits, dst_stride, bpp, +- s->regs.dst_x, s->regs.dst_y, ++ dst_x, dst_y, + s->regs.dst_width, s->regs.dst_height, + filler); + if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr && +-- +2.27.0 + diff --git a/job.c-add-missing-notifier-initialization.patch b/job.c-add-missing-notifier-initialization.patch new file mode 100644 index 0000000..ca795ef --- /dev/null +++ b/job.c-add-missing-notifier-initialization.patch @@ -0,0 +1,37 @@ +From d8962af271345ae4d7880219a62abed76a0268e0 Mon Sep 17 00:00:00 2001 +From: Emanuele Giuseppe Esposito +Date: Wed, 3 Nov 2021 12:21:55 -0400 +Subject: [PATCH 1/6] job.c: add missing notifier initialization +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It seems that on_idle list is not properly initialized like +the other notifiers. + +Fixes: 34dc97b9a0e ("blockjob: Wake up BDS when job becomes idle") +Signed-off-by: Emanuele Giuseppe Esposito +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Vladimir Sementsov-Ogievskiy +Signed-off-by: Vladimir Sementsov-Ogievskiy +Signed-off-by: wanbo +--- + job.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/job.c b/job.c +index dbfa67bb0a..54db80df66 100644 +--- a/job.c ++++ b/job.c +@@ -352,6 +352,7 @@ void *job_create(const char *job_id, const JobDriver *driver, JobTxn *txn, + notifier_list_init(&job->on_finalize_completed); + notifier_list_init(&job->on_pending); + notifier_list_init(&job->on_ready); ++ notifier_list_init(&job->on_idle); + + job_state_transition(job, JOB_STATUS_CREATED); + aio_timer_init(qemu_get_aio_context(), &job->sleep_timer, +-- +2.27.0 + diff --git a/pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch b/pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch new file mode 100644 index 0000000..30d9615 --- /dev/null +++ b/pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch @@ -0,0 +1,64 @@ +From e88d2f15443811e40c4e1ba8299c12b35b75cb1e Mon Sep 17 00:00:00 2001 +From: Igor Mammedov +Date: Tue, 1 Mar 2022 10:11:58 -0500 +Subject: [PATCH 4/6] pci: expose TYPE_XIO3130_DOWNSTREAM name + +Type name will be used in followup patch for cast check +in pcihp code. + +Signed-off-by: Igor Mammedov +Message-Id: <20220301151200.3507298-2-imammedo@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Signed-off-by: wanbo +--- + hw/pci-bridge/xio3130_downstream.c | 3 ++- + include/hw/pci-bridge/xio3130_downstream.h | 15 +++++++++++++++ + 2 files changed, 17 insertions(+), 1 deletion(-) + create mode 100644 include/hw/pci-bridge/xio3130_downstream.h + +diff --git a/hw/pci-bridge/xio3130_downstream.c b/hw/pci-bridge/xio3130_downstream.c +index 04aae72cd6..b17cafd359 100644 +--- a/hw/pci-bridge/xio3130_downstream.c ++++ b/hw/pci-bridge/xio3130_downstream.c +@@ -28,6 +28,7 @@ + #include "migration/vmstate.h" + #include "qapi/error.h" + #include "qemu/module.h" ++#include "hw/pci-bridge/xio3130_downstream.h" + + #define PCI_DEVICE_ID_TI_XIO3130D 0x8233 /* downstream port */ + #define XIO3130_REVISION 0x1 +@@ -173,7 +174,7 @@ static void xio3130_downstream_class_init(ObjectClass *klass, void *data) + } + + static const TypeInfo xio3130_downstream_info = { +- .name = "xio3130-downstream", ++ .name = TYPE_XIO3130_DOWNSTREAM, + .parent = TYPE_PCIE_SLOT, + .class_init = xio3130_downstream_class_init, + .interfaces = (InterfaceInfo[]) { +diff --git a/include/hw/pci-bridge/xio3130_downstream.h b/include/hw/pci-bridge/xio3130_downstream.h +new file mode 100644 +index 0000000000..1d10139aea +--- /dev/null ++++ b/include/hw/pci-bridge/xio3130_downstream.h +@@ -0,0 +1,15 @@ ++/* ++ * TI X3130 pci express downstream port switch ++ * ++ * Copyright (C) 2022 Igor Mammedov ++ * ++ * SPDX-License-Identifier: GPL-2.0-or-later ++ */ ++ ++#ifndef HW_PCI_BRIDGE_XIO3130_DOWNSTREAM_H ++#define HW_PCI_BRIDGE_XIO3130_DOWNSTREAM_H ++ ++#define TYPE_XIO3130_DOWNSTREAM "xio3130-downstream" ++ ++#endif ++ +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index ce46fca..1293241 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 6.2.0 -Release: 51 +Release: 52 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -310,6 +310,12 @@ Patch0297: hw-elf_ops-clear-uninitialized-segment-space.patch Patch0298: vhost-also-check-queue-state-in-the-vhost_dev_set_lo.patch Patch0299: vhost-net-fix-improper-cleanup-in-vhost_net_start.patch Patch0300: virtio-net-setup-vhost_dev-and-notifiers-for-cvq-onl.patch +Patch0301: job.c-add-missing-notifier-initialization.patch +Patch0302: uas-add-missing-return.patch +Patch0303: qom-assert-integer-does-not-overflow.patch +Patch0304: pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch +Patch0305: acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch +Patch0306: hw-display-ati_2d-Fix-buffer-overflow-in-ati_2d_blt-.patch BuildRequires: flex BuildRequires: gcc @@ -822,6 +828,14 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Sep 30 2022 wanbo - 10:6.2.0-52 +- job.c: add missing notifier initialization +- uas: add missing return +- qom: assert integer does not overflow +- pci: expose TYPE_XI03130_DOWNSTREAM name +- acpi: pcihp: pcie: set power on cap on parent slot +- hw/display/ati_2d: Fix buffer overflow in ati_2d_blt + * Fri Sep 30 2022 zhangxinhao - 10:6.2.0-51 - exec/memory: Extract address_space_set() from dma_memory_set() - hw/elf_ops: clear uninitialized segment space diff --git a/qom-assert-integer-does-not-overflow.patch b/qom-assert-integer-does-not-overflow.patch new file mode 100644 index 0000000..6a3314d --- /dev/null +++ b/qom-assert-integer-does-not-overflow.patch @@ -0,0 +1,58 @@ +From 7d94ca45a9c0ef8a4f1917f41496a826ecda90fb Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Fri, 25 Feb 2022 08:40:27 -0500 +Subject: [PATCH 3/6] qom: assert integer does not overflow + +QOM reference counting is not designed with an infinite amount of +references in mind, trying to take a reference in a loop without +dropping a reference will overflow the integer. + +It is generally a symptom of a reference leak (a missing deref, commonly +as part of error handling - such as one fixed here: +https://lore.kernel.org/r/20220228095058.27899-1-sgarzare%40redhat.com ). + +All this can lead to either freeing the object too early (memory +corruption) or never freeing it (memory leak). + +If we happen to dereference at just the right time (when it's wrapping +around to 0), we might eventually assert when dereferencing, but the +real problem is an extra object_ref so let's assert there to make such +issues cleaner and easier to debug. + +Some micro-benchmarking shows using fetch and add this is essentially +free on x86. + +Since multiple threads could be incrementing in parallel, we assert +around INT_MAX to make sure none of these approach the wrap around +point: this way we get a memory leak and not a memory corruption, the +former is generally easier to debug. + +Signed-off-by: Michael S. Tsirkin +Signed-off-by: wanbo +--- + qom/object.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/qom/object.c b/qom/object.c +index 4f0677cca9..5db3974f04 100644 +--- a/qom/object.c ++++ b/qom/object.c +@@ -1167,10 +1167,14 @@ GSList *object_class_get_list_sorted(const char *implements_type, + Object *object_ref(void *objptr) + { + Object *obj = OBJECT(objptr); ++ uint32_t ref; ++ + if (!obj) { + return NULL; + } +- qatomic_inc(&obj->ref); ++ ref = qatomic_fetch_inc(&obj->ref); ++ /* Assert waaay before the integer overflows */ ++ g_assert(ref < INT_MAX); + return obj; + } + +-- +2.27.0 + diff --git a/uas-add-missing-return.patch b/uas-add-missing-return.patch new file mode 100644 index 0000000..716c540 --- /dev/null +++ b/uas-add-missing-return.patch @@ -0,0 +1,35 @@ +From da75066823387c4f24b55e21ee6c856ffa537174 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 10 Dec 2021 09:06:59 +0100 +Subject: [PATCH 2/6] uas: add missing return +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise we run the error handling code even for successful requests. + +Fixes: 13b250b12ad3 ("uas: add stream number sanity checks.") +Reported-by: Guenter Roeck +Signed-off-by: Gerd Hoffmann +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20211210080659.2537084-1-kraxel@redhat.com> +Signed-off-by: wanbo +--- + hw/usb/dev-uas.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c +index 599d6b52a0..c9f295e7e4 100644 +--- a/hw/usb/dev-uas.c ++++ b/hw/usb/dev-uas.c +@@ -908,6 +908,7 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) + p->status = USB_RET_STALL; + break; + } ++ return; + + err_stream: + error_report("%s: invalid stream %d", __func__, p->stream); +-- +2.27.0 + -- Gitee