From fc92104e3e58659d0ce01ebb9b77fa9498b0715a Mon Sep 17 00:00:00 2001 From: Jiabo Feng Date: Fri, 21 Jul 2023 11:37:22 +0800 Subject: [PATCH] QEMU update to version 6.2.0-72 - qga/win32: Use rundll for VSS installation - qga/win32: Remove change action from MSI installer - ide: Increment BB in-flight counter for TRIM BH - hw/pci-bridge/pxb: Fix missing swizzle - host-vdpa: make notifiers _init()/_uninit() symmetric - hw/virtio: vdpa: Fix leak of host-notifier memory-region - accel/tcg/cpu-exec: Fix precise single-stepping after interrupt - Allow setting up to 8 bytes with the generic loader - hw/net/virtio-net: make some VirtIONet const - accel/tcg: Optimize jump cache flush during tlb range flush - 9pfs: prevent opening special files (CVE-2023-2861) - tcg: Reduce tcg_assert_listed_vecop() scope - gitlab: Disable plugins for cross-i386-tci - vfio/pci: Fix a segfault in vfio_realize - block/iscsi: fix double-free on BUSY or similar statuses - tests/tcg: fix unused variable in linux-test - hw/net/vmxnet3: allow VMXNET3_MAX_MTU itself as a value - qga/vss-win32: fix warning for clang++-15 - vnc: avoid underflow when accessing user-provided address - block/monitor: Fix crash when executing HMP commit - virtio-gpu: add a FIXME for virtio_gpu_load() - hw/ppc/Kconfig: MAC_NEWWORLD should always select USB_OHCI_PCI - migration: report compress thread pid to libvirt 
Signed-off-by: Jiabo Feng --- ...-opening-special-files-CVE-2023-2861.patch | 172 ++++++++++++++++++ ...p-to-8-bytes-with-the-generic-loader.patch | 48 +++++ ...ze-jump-cache-flush-during-tlb-range.patch | 49 +++++ ...ec-Fix-precise-single-stepping-after.patch | 48 +++++ ...double-free-on-BUSY-or-similar-statu.patch | 36 ++++ ...-Fix-crash-when-executing-HMP-commit.patch | 54 ++++++ ...b-Disable-plugins-for-cross-i386-tci.patch | 34 ++++ ...ke-notifiers-_init-_uninit-symmetric.patch | 79 ++++++++ ...virtio-net-make-some-VirtIONet-const.patch | 44 +++++ ...llow-VMXNET3_MAX_MTU-itself-as-a-val.patch | 47 +++++ hw-pci-bridge-pxb-Fix-missing-swizzle.patch | 52 ++++++ ...AC_NEWWORLD-should-always-select-USB.patch | 43 +++++ ...ix-leak-of-host-notifier-memory-regi.patch | 50 +++++ ...ent-BB-in-flight-counter-for-TRIM-BH.patch | 87 +++++++++ ...eport-compress-thread-pid-to-libvirt.patch | 54 ++++++ qemu.spec | 50 ++++- qga-vss-win32-fix-warning-for-clang-15.patch | 47 +++++ ...ove-change-action-from-MSI-installer.patch | 35 ++++ ...in32-Use-rundll-for-VSS-installation.patch | 99 ++++++++++ ...Reduce-tcg_assert_listed_vecop-scope.patch | 64 +++++++ ...cg-fix-unused-variable-in-linux-test.patch | 48 +++++ vfio-pci-Fix-a-segfault-in-vfio_realize.patch | 54 ++++++ ...-gpu-add-a-FIXME-for-virtio_gpu_load.patch | 37 ++++ ...low-when-accessing-user-provided-add.patch | 41 +++++ 24 files changed, 1371 insertions(+), 1 deletion(-) create mode 100644 9pfs-prevent-opening-special-files-CVE-2023-2861.patch create mode 100644 Allow-setting-up-to-8-bytes-with-the-generic-loader.patch create mode 100644 accel-tcg-Optimize-jump-cache-flush-during-tlb-range.patch create mode 100644 accel-tcg-cpu-exec-Fix-precise-single-stepping-after.patch create mode 100644 block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch create mode 100644 block-monitor-Fix-crash-when-executing-HMP-commit.patch create mode 100644 gitlab-Disable-plugins-for-cross-i386-tci.patch create mode 100644 
host-vdpa-make-notifiers-_init-_uninit-symmetric.patch create mode 100644 hw-net-virtio-net-make-some-VirtIONet-const.patch create mode 100644 hw-net-vmxnet3-allow-VMXNET3_MAX_MTU-itself-as-a-val.patch create mode 100644 hw-pci-bridge-pxb-Fix-missing-swizzle.patch create mode 100644 hw-ppc-Kconfig-MAC_NEWWORLD-should-always-select-USB.patch create mode 100644 hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch create mode 100644 ide-Increment-BB-in-flight-counter-for-TRIM-BH.patch create mode 100644 migration-report-compress-thread-pid-to-libvirt.patch create mode 100644 qga-vss-win32-fix-warning-for-clang-15.patch create mode 100644 qga-win32-Remove-change-action-from-MSI-installer.patch create mode 100644 qga-win32-Use-rundll-for-VSS-installation.patch create mode 100644 tcg-Reduce-tcg_assert_listed_vecop-scope.patch create mode 100644 tests-tcg-fix-unused-variable-in-linux-test.patch create mode 100644 vfio-pci-Fix-a-segfault-in-vfio_realize.patch create mode 100644 virtio-gpu-add-a-FIXME-for-virtio_gpu_load.patch create mode 100644 vnc-avoid-underflow-when-accessing-user-provided-add.patch diff --git a/9pfs-prevent-opening-special-files-CVE-2023-2861.patch b/9pfs-prevent-opening-special-files-CVE-2023-2861.patch new file mode 100644 index 0000000..f19e039 --- /dev/null +++ b/9pfs-prevent-opening-special-files-CVE-2023-2861.patch 
@@ -0,0 +1,172 @@ +From beed3295acf786cec520a8a0aec5efcd2ca12b23 Mon Sep 17 00:00:00 2001 +From: liuxiangdong +Date: Fri, 14 Jul 2023 05:11:57 +0800 +Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) The 9p + protocol does not specifically define how server shall behave when client + tries to open a special file, however from security POV it does make sense + for 9p server to prohibit opening any special file on host side in general. A + sane Linux 9p client for instance would never attempt to open a special file + on host side, it would always handle those exclusively on its guest side. A + malicious client however could potentially escape from the exported 9p tree + by creating and opening a device file on host side. + +With QEMU this could only be exploited in the following unsafe setups: + + - Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough' + security model. + +or + + - Using 9p 'proxy' fs driver (which is running its helper daemon as + root). + +These setups were already discouraged for safety reasons before, +however for obvious reasons we are now tightening behaviour on this. 
+ +Fixes: CVE-2023-2861 +Reported-by: Yanwu Shen +Reported-by: Jietao Xiao +Reported-by: Jinku Li +Reported-by: Wenbo Shen +Signed-off-by: Christian Schoenebeck +Reviewed-by: Greg Kurz +Reviewed-by: Michael Tokarev +Message-Id: +--- + fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++-- + hw/9pfs/9p-util.h | 40 +++++++++++++++++++++++++++++++++++++ + 2 files changed, 65 insertions(+), 2 deletions(-) + +diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c +index 15c0e79b06..f9e4669a5b 100644 +--- a/fsdev/virtfs-proxy-helper.c ++++ b/fsdev/virtfs-proxy-helper.c +@@ -26,6 +26,7 @@ + #include "qemu/xattr.h" + #include "9p-iov-marshal.h" + #include "hw/9pfs/9p-proxy.h" ++#include "hw/9pfs/9p-util.h" + #include "fsdev/9p-iov-marshal.h" + + #define PROGNAME "virtfs-proxy-helper" +@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid) + } + } + ++/* ++ * Open regular file or directory. Attempts to open any special file are ++ * rejected. ++ * ++ * returns file descriptor or -1 on error ++ */ ++static int open_regular(const char *pathname, int flags, mode_t mode) ++{ ++ int fd; ++ ++ fd = open(pathname, flags, mode); ++ if (fd < 0) { ++ return fd; ++ } ++ ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ ++ return fd; ++} ++ + /* + * send response in two parts + * 1) ProxyHeader +@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec) + if (ret < 0) { + goto unmarshal_err_out; + } +- ret = open(path.data, flags, mode); ++ ret = open_regular(path.data, flags, mode); + if (ret < 0) { + ret = -errno; + } +@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec) + if (ret < 0) { + goto err_out; + } +- ret = open(path.data, flags); ++ ret = open_regular(path.data, flags, 0); + if (ret < 0) { + ret = -errno; + } +diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h +index 546f46dc7d..23000e917f 100644 +--- a/hw/9pfs/9p-util.h ++++ b/hw/9pfs/9p-util.h +@@ -13,12 +13,16 @@ + #ifndef QEMU_9P_UTIL_H + #define QEMU_9P_UTIL_H + 
++#include "qemu/error-report.h" ++ + #ifdef O_PATH + #define O_PATH_9P_UTIL O_PATH + #else + #define O_PATH_9P_UTIL 0 + #endif + ++#define qemu_fstat fstat ++ + static inline void close_preserve_errno(int fd) + { + int serrno = errno; +@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd) + errno = serrno; + } + ++/** ++ * close_if_special_file() - Close @fd if neither regular file nor directory. ++ * ++ * @fd: file descriptor of open file ++ * Return: 0 on regular file or directory, -1 otherwise ++ * ++ * CVE-2023-2861: Prohibit opening any special file directly on host ++ * (especially device files), as a compromised client could potentially gain ++ * access outside exported tree under certain, unsafe setups. We expect ++ * client to handle I/O on special files exclusively on guest side. ++ */ ++static inline int close_if_special_file(int fd) ++{ ++ struct stat stbuf; ++ ++ if (qemu_fstat(fd, &stbuf) < 0) { ++ close_preserve_errno(fd); ++ return -1; ++ } ++ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) { ++ error_report_once( ++ "9p: broken or compromised client detected; attempt to open " ++ "special file (i.e. neither regular file, nor directory)" ++ ); ++ close(fd); ++ errno = ENXIO; ++ return -1; ++ } ++ ++ return 0; ++} ++ + static inline int openat_dir(int dirfd, const char *name) + { + return openat(dirfd, name, +@@ -56,6 +92,10 @@ again: + return -1; + } + ++ if (close_if_special_file(fd) < 0) { ++ return -1; ++ } ++ + serrno = errno; + /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't + * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat() +-- +2.41.0.windows.1 + diff --git a/Allow-setting-up-to-8-bytes-with-the-generic-loader.patch b/Allow-setting-up-to-8-bytes-with-the-generic-loader.patch new file mode 100644 index 0000000..a33522a --- /dev/null +++ b/Allow-setting-up-to-8-bytes-with-the-generic-loader.patch 
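Review bot: `close_if_special_file()` reports a rejected open with `error_report_once()`, so only the first attempt per QEMU process leaves a trace; a client that keeps probing for device files after the first refusal is invisible in the log, which weakens the "broken or compromised client detected" signal the message is meant to give an operator. Consider an unconditional but rate-limited report, or a trace event carrying the rejected `st_mode`, so repeated attempts stay observable. The check itself is sound in that it runs on the already-opened descriptor rather than on the path, so there is no window between a stat and the open. In `open_regular()` in virtfs-proxy-helper.c the -1 return relies on errno having been set by the helper, which the callers then translate via `ret = -errno`; a one-line comment `/* errno is set by close_if_special_file() */` at that return would make the dependency explicit.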
@@ -0,0 +1,48 @@ +From baf464ea0c35f9b235e8385b0771392ce362a6ec Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Fri, 21 Jul 2023 06:14:37 +0000 +Subject: [PATCH] Allow setting up to 8 bytes with the generic loader mainline + inclusion commit f42483d776bce29a9925ed61cc10eb27a5b2446c category: bugfix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--------------------------------------------------------------- + +The documentation for the generic loader says that "the maximum size of +the data is 8 bytes". However, attempts to set data-len=8 trigger the +following assertion failure: + +../hw/core/generic-loader.c:59: generic_loader_reset: Assertion `s->data_len < sizeof(s->data)' failed. + +The type of s->data is uint64_t (i.e. 8 bytes long), so I believe this +assert should use <= instead of <. + +Fixes: e481a1f63c93 ("generic-loader: Add a generic loader") +Signed-off-by: Petr Tesarik +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Alistair Francis +Message-id: 20220120092715.7805-1-ptesarik@suse.com +Signed-off-by: Alistair Francis + +Signed-off-by: tangbinzy +--- + hw/core/generic-loader.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/core/generic-loader.c b/hw/core/generic-loader.c +index 9a24ffb880..504ed7ca72 100644 +--- a/hw/core/generic-loader.c ++++ b/hw/core/generic-loader.c +@@ -56,7 +56,7 @@ static void generic_loader_reset(void *opaque) + } + + if (s->data_len) { +- assert(s->data_len < sizeof(s->data)); ++ assert(s->data_len <= sizeof(s->data)); + dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len, + MEMTXATTRS_UNSPECIFIED); + } +-- +2.41.0.windows.1 + diff --git a/accel-tcg-Optimize-jump-cache-flush-during-tlb-range.patch b/accel-tcg-Optimize-jump-cache-flush-during-tlb-range.patch new file mode 100644 index 0000000..403e3bb --- /dev/null +++ b/accel-tcg-Optimize-jump-cache-flush-during-tlb-range.patch 
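Review bot: The relaxed bound still turns a bad `data-len` property into an abort at reset time rather than a rejection at device creation; unless `generic_loader_realize()` (outside this hunk) already validates `data_len <= sizeof(s->data)` with an `error_setg`, an out-of-range value supplied on the command line ends the process with an assertion instead of an error message. I cannot see the realize path here, so it may already be covered; if it is, a short comment above the assert, `/* data_len is validated in realize; 8 is the full width of s->data */`, would document why `<=` is the right bound.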
@@ -0,0 +1,49 @@ +From 28ca488c585c556ce04419f927d13d46771e1ea4 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Tue, 18 Jul 2023 06:29:51 +0000 +Subject: [PATCH] accel/tcg: Optimize jump cache flush during tlb range flush + mainline inclusion commit cfc2a2d69d59f02b32df3098ce17e10ab86d43c6 category: + bugfix + +--------------------------------------------------------------- + +When the length of the range is large enough, clearing the whole cache is +faster than iterating over the (possibly extremely large) set of pages +contained in the range. + +This mimics the pre-existing similar optimization done on the flush of the +tlb itself. + +Signed-off-by: Idan Horowitz +Message-Id: <20220110164754.1066025-1-idan.horowitz@gmail.com> +Reviewed-by: Richard Henderson +Signed-off-by: Richard Henderson + +Signed-off-by: tangbinzy +--- + accel/tcg/cputlb.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c +index b69a953447..03526fa1ab 100644 +--- a/accel/tcg/cputlb.c ++++ b/accel/tcg/cputlb.c +@@ -783,6 +783,15 @@ static void tlb_flush_range_by_mmuidx_async_0(CPUState *cpu, + } + qemu_spin_unlock(&env_tlb(env)->c.lock); + ++ /* ++ * If the length is larger than the jump cache size, then it will take ++ * longer to clear each entry individually than it will to clear it all. ++ */ ++ if (d.len >= (TARGET_PAGE_SIZE * TB_JMP_CACHE_SIZE)) { ++ cpu_tb_jmp_cache_clear(cpu); ++ return; ++ } ++ + for (target_ulong i = 0; i < d.len; i += TARGET_PAGE_SIZE) { + tb_flush_jmp_cache(cpu, d.addr + i); + } +-- +2.41.0.windows.1 + diff --git a/accel-tcg-cpu-exec-Fix-precise-single-stepping-after.patch b/accel-tcg-cpu-exec-Fix-precise-single-stepping-after.patch new file mode 100644 index 0000000..cd77f90 --- /dev/null +++ b/accel-tcg-cpu-exec-Fix-precise-single-stepping-after.patch 
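Review bot: The added comment says "larger than the jump cache size" but the quantity compared is `TARGET_PAGE_SIZE * TB_JMP_CACHE_SIZE`, i.e. the range length in bytes against the cache capacity expressed in pages, so the comment's units do not match the code. Suggest `/* If the range covers at least TB_JMP_CACHE_SIZE pages, clearing the whole jump cache is cheaper than flushing each page's entry individually. */`. The early `return` assumes nothing follows the per-page loop in `tlb_flush_range_by_mmuidx_async_0()`; the end of that function is outside the hunk, so that should be confirmed.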
@@ -0,0 +1,48 @@ +From ddca9c0cba8e3c858b7998c67ae2739f58b5b681 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Fri, 21 Jul 2023 06:41:38 +0000 +Subject: [PATCH] accel/tcg/cpu-exec: Fix precise single-stepping after + interrupt mainline inclusion commit 5b7b197c87cefbd24bd1936614fd4e00ccc279ab + category: bugfix + +--------------------------------------------------------------- + +In some cases, cpu->exit_request can be false after handling the +interrupt, leading to another TB being executed instead of returning +to the main loop. + +Fix this by returning true unconditionally when in single-step mode. + +Fixes: ba3c35d9c402 ("tcg/cpu-exec: precise single-stepping after an interrupt") +Signed-off-by: Luc Michel +Message-Id: <20220214132656.11397-1-lmichel@kalray.eu> +[rth: Unlock iothread mutex; simplify indentation] +Signed-off-by: Richard Henderson + +Signed-off-by: tangbinzy +--- + accel/tcg/cpu-exec.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c +index 409ec8c38c..7fb87afedc 100644 +--- a/accel/tcg/cpu-exec.c ++++ b/accel/tcg/cpu-exec.c +@@ -798,8 +798,12 @@ static inline bool cpu_handle_interrupt(CPUState *cpu, + * raised when single-stepping so that GDB doesn't miss the + * next instruction. + */ +- cpu->exception_index = +- (cpu->singlestep_enabled ? EXCP_DEBUG : -1); ++ if (unlikely(cpu->singlestep_enabled)) { ++ cpu->exception_index = EXCP_DEBUG; ++ qemu_mutex_unlock_iothread(); ++ return true; ++ } ++ cpu->exception_index = -1; + *last_tb = NULL; + } + /* The target hook may have updated the 'cpu->interrupt_request'; +-- +2.41.0.windows.1 + diff --git a/block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch b/block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch new file mode 100644 index 0000000..61ca057 --- /dev/null +++ b/block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch 
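Review bot: The context comment just above the change ("raised when single-stepping so that GDB doesn't miss the next instruction") now describes only the `EXCP_DEBUG` assignment, while the new early `return true` — which also skips the `*last_tb = NULL` reset and whatever exit_request handling follows — is the actual fix; a reader of the new code has to consult the commit message to learn why the function bails out here. Suggest extending that comment with `Return to the main loop unconditionally: cpu->exit_request may already be clear after the interrupt was handled, which would otherwise let another TB run.` The remainder of `cpu_handle_interrupt()` is outside the hunk.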
@@ -0,0 +1,36 @@ +From 2d37c08cc6f274c48a4a65a446788e946f0363c0 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Wed, 28 Jun 2023 10:58:55 +0800 +Subject: [PATCH] block/iscsi: fix double-free on BUSY or similar statuses + +cheery-pick from 5080152e2ef6cde7aa692e29880c62bd54acb750 + +Commit 8c460269aa77 ("iscsi: base all handling of check condition on +scsi_sense_to_errno", 2019-07-15) removed a "goto out" so that the +same coroutine is re-entered twice; once from iscsi_co_generic_cb, +once from the timer callback iscsi_retry_timer_expired. This can +cause a crash. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1378 +Reported-by: Grzegorz Zdanowski +Signed-off-by: Paolo Bonzini +Signed-off-by: qihao_yewu +--- + block/iscsi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/iscsi.c b/block/iscsi.c +index 57aa07a40d..61ccb58fc8 100644 +--- a/block/iscsi.c ++++ b/block/iscsi.c +@@ -268,6 +268,7 @@ iscsi_co_generic_cb(struct iscsi_context *iscsi, int status, + timer_mod(&iTask->retry_timer, + qemu_clock_get_ms(QEMU_CLOCK_REALTIME) + retry_time); + iTask->do_retry = 1; ++ return; + } else if (status == SCSI_STATUS_CHECK_CONDITION) { + int error = iscsi_translate_sense(&task->sense); + if (error == EAGAIN) { +-- +2.41.0.windows.1 + diff --git a/block-monitor-Fix-crash-when-executing-HMP-commit.patch b/block-monitor-Fix-crash-when-executing-HMP-commit.patch new file mode 100644 index 0000000..9f57f31 --- /dev/null +++ b/block-monitor-Fix-crash-when-executing-HMP-commit.patch 
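Review bot: With `return;` now ending the retry branch, the `else if (status == SCSI_STATUS_CHECK_CONDITION)` that follows no longer needs the `else`, and keeping it obscures that the retry path deliberately skips the completion code later in `iscsi_co_generic_cb()` (not visible here, but implied by the double re-entry the commit message describes). Suggest changing it to a plain `if` and adding `/* retry_timer re-enters the coroutine; do not complete the task here */` above the `return`. The branch that schedules the timer begins before the hunk, so its full condition is not visible.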
@@ -0,0 +1,54 @@ +From 33dfb9d81a8cfe17aaa3f0804cbd491b06d38cd6 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Tue, 27 Jun 2023 14:40:13 +0800 +Subject: [PATCH] block/monitor: Fix crash when executing HMP commit + +cheery-pick from b7b814cd87a5fbe9f0fb5732dd28932699317bda + +hmp_commit() calls blk_is_available() from a non-coroutine context (and +in the main loop). blk_is_available() is a co_wrapper_mixed_bdrv_rdlock +function, and in the non-coroutine context it calls AIO_WAIT_WHILE(), +which crashes if the aio_context lock is not taken before. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1615 +Signed-off-by: Wang Liang +Message-Id: <20230424103902.45265-1-wangliangzz@126.com> +Reviewed-by: Emanuele Giuseppe Esposito +Reviewed-by: Kevin Wolf +Signed-off-by: Kevin Wolf +(cherry picked from commit 8c1e8fb2e7fc2cbeb57703e143965a4cd3ad301a) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + block/monitor/block-hmp-cmds.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c +index 2ac4aedfff..44f0af3430 100644 +--- a/block/monitor/block-hmp-cmds.c ++++ b/block/monitor/block-hmp-cmds.c +@@ -213,15 +213,17 @@ void hmp_commit(Monitor *mon, const QDict *qdict) + error_report("Device '%s' not found", device); + return; + } +- if (!blk_is_available(blk)) { +- error_report("Device '%s' has no medium", device); +- return; +- } + + bs = bdrv_skip_implicit_filters(blk_bs(blk)); + aio_context = bdrv_get_aio_context(bs); + aio_context_acquire(aio_context); + ++ if (!blk_is_available(blk)) { ++ error_report("Device '%s' has no medium", device); ++ aio_context_release(aio_context); ++ return; ++ } ++ + ret = bdrv_commit(bs); + + aio_context_release(aio_context); +-- +2.41.0.windows.1 + diff --git a/gitlab-Disable-plugins-for-cross-i386-tci.patch b/gitlab-Disable-plugins-for-cross-i386-tci.patch new file mode 100644 index 0000000..a2960a0 --- /dev/null 
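Review bot: Moving the `blk_is_available()` check below `blk_bs(blk)` means `bs` can now be NULL (no medium) when `bdrv_skip_implicit_filters()` and `bdrv_get_aio_context()` are called; the change therefore relies on both helpers tolerating a NULL BlockDriverState, which is not visible in this hunk and is worth confirming against the 6.2 tree. If they do, a comment such as `/* bs may be NULL here; blk_is_available() is checked under the AioContext lock below */` above the `bdrv_skip_implicit_filters()` call would record why the ordering is what it is. The new error path releases the lock before returning, which is correct.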
+++ b/gitlab-Disable-plugins-for-cross-i386-tci.patch @@ -0,0 +1,34 @@ +From d301917340f0d0196fb8e346a5d489e9be329a0a Mon Sep 17 00:00:00 2001 +From: jipengfei +Date: Fri, 30 Jun 2023 21:33:34 +0800 +Subject: [PATCH] gitlab: Disable plugins for cross-i386-tci + +There are timeouts in the cross-i386-tci job that are related to plugins. +Restrict this job to basic TCI testing. + +cheery-pick from 0cc889c8826cefa5b80110d31a62273b56aa1832 + +Signed-off-by: jipengfei_yewu +Signed-off-by: Richard Henderson +Acked-by: Thomas Huth +Message-Id: <20230629130844.151453-1-richard.henderson@linaro.org> +--- + .gitlab-ci.d/crossbuilds.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.gitlab-ci.d/crossbuilds.yml b/.gitlab-ci.d/crossbuilds.yml +index 17d6cb3e45..d06bf5f57d 100644 +--- a/.gitlab-ci.d/crossbuilds.yml ++++ b/.gitlab-ci.d/crossbuilds.yml +@@ -65,7 +65,7 @@ cross-i386-tci: + variables: + IMAGE: fedora-i386-cross + ACCEL: tcg-interpreter +- EXTRA_CONFIGURE_OPTS: --target-list=i386-softmmu,i386-linux-user,aarch64-softmmu,aarch64-linux-user,ppc-softmmu,ppc-linux-user ++ EXTRA_CONFIGURE_OPTS: --target-list=i386-softmmu,i386-linux-user,aarch64-softmmu,aarch64-linux-user,ppc-softmmu,ppc-linux-user --disable-plugins + MAKE_CHECK_ARGS: check check-tcg + + cross-mips-system: +-- +2.41.0.windows.1 + diff --git a/host-vdpa-make-notifiers-_init-_uninit-symmetric.patch b/host-vdpa-make-notifiers-_init-_uninit-symmetric.patch new file mode 100644 index 0000000..5cfe9aa --- /dev/null +++ b/host-vdpa-make-notifiers-_init-_uninit-symmetric.patch 
@@ -0,0 +1,79 @@ +From 8bba9208da0aa994b91d9568b58241e94b5d46fc Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Wed, 26 Jul 2023 02:21:47 +0000 +Subject: [PATCH] host-vdpa: make notifiers _init()/_uninit() symmetric + mainline inclusion commit b1f030a0a2e281193b09350c0281c0084e84bcf4 category: + bugfix + +--------------------------------------------------------------- + +vhost_vdpa_host_notifiers_init() initializes queue notifiers +for queues "dev->vq_index" to queue "dev->vq_index + dev->nvqs", +whereas vhost_vdpa_host_notifiers_uninit() uninitializes the +same notifiers for queue "0" to queue "dev->nvqs". + +This asymmetry seems buggy, fix that by using dev->vq_index +as the base for both. + +Fixes: d0416d487bd5 ("vhost-vdpa: map virtqueue notification area if possible") +Cc: jasowang@redhat.com +Signed-off-by: Laurent Vivier +Message-Id: <20220211161309.1385839-1-lvivier@redhat.com> +Acked-by: Jason Wang +Reviewed-by: Stefano Garzarella +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. 
Tsirkin + +Signed-off-by: tangbinzy +--- + hw/virtio/vhost-vdpa.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c +index 225c9b1730..287025ef93 100644 +--- a/hw/virtio/vhost-vdpa.c ++++ b/hw/virtio/vhost-vdpa.c +@@ -381,15 +381,6 @@ static void vhost_vdpa_host_notifier_uninit(struct vhost_dev *dev, + } + } + +-static void vhost_vdpa_host_notifiers_uninit(struct vhost_dev *dev, int n) +-{ +- int i; +- +- for (i = 0; i < n; i++) { +- vhost_vdpa_host_notifier_uninit(dev, i); +- } +-} +- + static int vhost_vdpa_host_notifier_init(struct vhost_dev *dev, int queue_index) + { + size_t page_size = qemu_real_host_page_size; +@@ -429,6 +420,15 @@ err: + return -1; + } + ++static void vhost_vdpa_host_notifiers_uninit(struct vhost_dev *dev, int n) ++{ ++ int i; ++ ++ for (i = dev->vq_index; i < dev->vq_index + n; i++) { ++ vhost_vdpa_host_notifier_uninit(dev, i); ++ } ++} ++ + static void vhost_vdpa_host_notifiers_init(struct vhost_dev *dev) + { + int i; +@@ -442,7 +442,7 @@ static void vhost_vdpa_host_notifiers_init(struct vhost_dev *dev) + return; + + err: +- vhost_vdpa_host_notifiers_uninit(dev, i); ++ vhost_vdpa_host_notifiers_uninit(dev, i - dev->vq_index); + return; + } + +-- +2.41.0.windows.1 + diff --git a/hw-net-virtio-net-make-some-VirtIONet-const.patch b/hw-net-virtio-net-make-some-VirtIONet-const.patch new file mode 100644 index 0000000..f2ff4b1 --- /dev/null +++ b/hw-net-virtio-net-make-some-VirtIONet-const.patch 
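Review bot: `vhost_vdpa_host_notifiers_uninit()` now takes `n` as a count relative to `dev->vq_index`, and the single caller in the error path computes that count as `i - dev->vq_index`; this two-step convention is easy to get wrong if the function gains another caller that still passes an absolute queue index. A comment on the function, `/* @n: number of queues to tear down, counted from dev->vq_index */`, would pin the contract. The `for` loop in `vhost_vdpa_host_notifiers_init()` that sets `i` is outside the hunk, so I am taking from the commit message that it starts at `dev->vq_index`.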
@@ -0,0 +1,44 @@ +From f6e12a7c892c5e823157f6b84955544ff659e980 Mon Sep 17 00:00:00 2001 +From: jipengfei +Date: Fri, 30 Jun 2023 22:19:22 +0800 +Subject: [PATCH] hw/net/virtio-net: make some VirtIONet const +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The VirtIONet structure is not modified in +virtio_net_supported_guest_offloads(). +Therefore, make it const to allow this function to +accept const variables. + +cheery-pick from 705e89cfaafc54491482742a756cf661b48608d2 + +Signed-off-by: jipengfei_yewu +Signed-off-by: Hawkins Jiawei +Reviewed-by: Eugenio Pérez +Message-Id: <489b09c3998ac09b9135e57a7dd8c56a4be8cdf9.1685704856.git.yin31149@gmail.com> +Tested-by: Lei Yang +Reviewed-by: Eugenio Pérez +Tested-by: Eugenio Pérez +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +--- + hw/net/virtio-net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 4946b65e22..3bd786cc22 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -811,7 +811,7 @@ static uint64_t virtio_net_guest_offloads_by_features(uint32_t features) + return guest_offloads_mask & features; + } + +-static inline uint64_t virtio_net_supported_guest_offloads(VirtIONet *n) ++static inline uint64_t virtio_net_supported_guest_offloads(const VirtIONet *n) + { + VirtIODevice *vdev = VIRTIO_DEVICE(n); + return virtio_net_guest_offloads_by_features(vdev->guest_features); +-- +2.41.0.windows.1 + diff --git a/hw-net-vmxnet3-allow-VMXNET3_MAX_MTU-itself-as-a-val.patch b/hw-net-vmxnet3-allow-VMXNET3_MAX_MTU-itself-as-a-val.patch new file mode 100644 index 0000000..8219c0f --- /dev/null +++ b/hw-net-vmxnet3-allow-VMXNET3_MAX_MTU-itself-as-a-val.patch 
@@ -0,0 +1,47 @@ +From 2d7c5ea10b443c33ffe2c21de5a495bd6d2a67bd Mon Sep 17 00:00:00 2001 +From: qihao +Date: Wed, 28 Jun 2023 09:37:04 +0800 +Subject: [PATCH] hw/net/vmxnet3: allow VMXNET3_MAX_MTU itself as a value + +cheery-pick from b209cc4556d56938fa8a933670b8fb98c036af37 + +Currently, VMXNET3_MAX_MTU itself (being 9000) is not considered a +valid value for the MTU, but a guest running ESXi 7.0 might try to +set it and fail the assert [0]. + +In the Linux kernel, dev->max_mtu itself is a valid value for the MTU +and for the vmxnet3 driver it's 9000, so a guest running Linux will +also fail the assert when trying to set an MTU of 9000. + +VMXNET3_MAX_MTU and s->mtu don't seem to be used in relation to buffer +allocations/accesses, so allowing the upper limit itself as a value +should be fine. + +[0]: https://forum.proxmox.com/threads/114011/ + +Fixes: d05dcd94ae ("net: vmxnet3: validate configuration values during activate (CVE-2021-20203)") +Signed-off-by: Fiona Ebner +Signed-off-by: Jason Wang +(cherry picked from commit 099a63828130843741d317cb28e936f468b2b53b) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + hw/net/vmxnet3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index 0b7acf7f89..a2037583bf 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -1441,7 +1441,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) + vmxnet3_setup_rx_filtering(s); + /* Cache fields from shared memory */ + s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); +- assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); ++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu <= VMXNET3_MAX_MTU); + VMW_CFPRN("MTU is %u", s->mtu); + + s->max_rx_frags = +-- +2.41.0.windows.1 + diff --git a/hw-pci-bridge-pxb-Fix-missing-swizzle.patch b/hw-pci-bridge-pxb-Fix-missing-swizzle.patch new file mode 100644 index 0000000..9d114f5 --- /dev/null 
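Review bot: `s->mtu` is read from guest-controlled shared memory on the line above the assert, so an out-of-range value still terminates QEMU via `assert()` rather than failing device activation; the change only widens the accepted range by one. That matches the approach of the CVE-2021-20203 fix this patch cites, so it may be the intended policy, but a misbehaving guest driver can provoke the abort, which is a guest-to-host denial of service rather than a device error. If a softer failure is acceptable here, replacing the assert with a logged rejection of the activation (leaving the device inactive) would be more robust. The rest of `vmxnet3_activate_device()` is outside the hunk.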
+++ b/hw-pci-bridge-pxb-Fix-missing-swizzle.patch @@ -0,0 +1,52 @@ +From bf6161d03c1d6a8cb378a2f84743aa45b0ddf84b Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Wed, 26 Jul 2023 02:34:48 +0000 +Subject: [PATCH] hw/pci-bridge/pxb: Fix missing swizzle mainline inclusion + commit e609301b458bf6daba478299dc5aea5d1fbaea39 category: bugfix + +--------------------------------------------------------------- + +pxb_map_irq_fn() handled the necessary removal of the swizzle +applied to the PXB interrupts by the bus to which it was attached +but neglected to apply the normal swizzle for PCI root ports +on the expander bridge. + +Result of this was on ARM virt, the PME interrupts for a second +RP on a PXB instance were miss-routed to #45 rather than #46. + +Tested with a selection of different configurations with 1 to 5 +RP per PXB instance. Note on my x86 test setup the PME interrupts +are not triggered so I haven't been able to test this. + +Signed-off-by: Jonathan Cameron +Cc: Michael S. Tsirkin +Cc: Marcel Apfelbaum +Message-Id: <20220118174855.19325-1-Jonathan.Cameron@huawei.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +Signed-off-by: tangbinzy +--- + hw/pci-bridge/pci_expander_bridge.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/pci-bridge/pci_expander_bridge.c b/hw/pci-bridge/pci_expander_bridge.c +index 10e6e7c2ab..de932286b5 100644 +--- a/hw/pci-bridge/pci_expander_bridge.c ++++ b/hw/pci-bridge/pci_expander_bridge.c +@@ -192,6 +192,12 @@ static int pxb_map_irq_fn(PCIDevice *pci_dev, int pin) + { + PCIDevice *pxb = pci_get_bus(pci_dev)->parent_dev; + ++ /* ++ * First carry out normal swizzle to handle ++ * multple root ports on a pxb instance. ++ */ ++ pin = pci_swizzle_map_irq_fn(pci_dev, pin); ++ + /* + * The bios does not index the pxb slot number when + * it computes the IRQ because it resides on bus 0 +-- +2.41.0.windows.1 + 
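Review bot: The new comment contains a typo, `multple` for `multiple`; suggest `* multiple root ports on a pxb instance.` Since `pin` is reassigned before the existing de-swizzle logic that follows, it would also help to state the order of operations in the same comment, e.g. `Apply the standard root-port swizzle first, then undo the swizzle the parent bus applied to the pxb's own slot below.` The remainder of `pxb_map_irq_fn()` is outside the hunk.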
diff --git a/hw-ppc-Kconfig-MAC_NEWWORLD-should-always-select-USB.patch b/hw-ppc-Kconfig-MAC_NEWWORLD-should-always-select-USB.patch new file mode 100644 index 0000000..5244466 --- /dev/null +++ b/hw-ppc-Kconfig-MAC_NEWWORLD-should-always-select-USB.patch @@ -0,0 +1,43 @@ +From f2ee3b11fc10dd5353beb8efca7d919668dd332c Mon Sep 17 00:00:00 2001 +From: qihao +Date: Mon, 26 Jun 2023 11:04:33 +0800 +Subject: [PATCH] hw/ppc/Kconfig: MAC_NEWWORLD should always select + USB_OHCI_PCI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick 9ec08f3569be3bc8bfd4d9b8b0445b9136910661 + +The PowerMacs have an OHCI controller soldered on the motherboard, +so this should always be enabled for the "mac99" machine. +This fixes the problem that QEMU aborts when the user tries to run +the "mac99" machine with a build that has been compiled with the +"--without-default-devices" configure switch. + +Signed-off-by: Thomas Huth +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Richard Henderson +Reviewed-by: Mark Cave-Ayland +Message-Id: <20230530102041.55527-1-thuth@redhat.com> +Signed-off-by: Daniel Henrique Barboza +Signed-off-by: qihao_yewu +--- + hw/ppc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/ppc/Kconfig b/hw/ppc/Kconfig +index 400511c6b7..9e0b7184e3 100644 +--- a/hw/ppc/Kconfig ++++ b/hw/ppc/Kconfig +@@ -119,6 +119,7 @@ config MAC_NEWWORLD + select MAC_PMU + select UNIN_PCI + select FW_CFG_PPC ++ select USB_OHCI_PCI + + config E500 + bool +-- +2.41.0.windows.1 + diff --git a/hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch b/hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch new file mode 100644 index 0000000..ada19f0 --- /dev/null +++ b/hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch 
@@ -0,0 +1,50 @@ +From 862a150140b95bbd23d174307aacd06f65d36f1c Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Fri, 21 Jul 2023 07:26:44 +0000 +Subject: [PATCH] hw/virtio: vdpa: Fix leak of host-notifier memory-region + mainline inclusion commit 98f7607ecda00dea3cbb2ed7b4427c96846efb83 category: + bugfix + +--------------------------------------------------------------- + +If call virtio_queue_set_host_notifier_mr fails, should free +host-notifier memory-region. + +This problem can trigger a coredump with some vDPA drivers (mlx5, +but not with the vdpasim), if we unplug the virtio-net card from +the guest after a stop/start. + +The same fix has been done for vhost-user: + 1f89d3b91e3e ("hw/virtio: Fix leak of host-notifier memory-region") + +Fixes: d0416d487bd5 ("vhost-vdpa: map virtqueue notification area if possible") +Cc: jasowang@redhat.com +Resolves: https://bugzilla.redhat.com/2027208 +Signed-off-by: Laurent Vivier +Message-Id: <20220211170259.1388734-1-lvivier@redhat.com> +Cc: qemu-stable@nongnu.org +Acked-by: Jason Wang +Reviewed-by: Stefano Garzarella +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +Signed-off-by: tangbinzy +--- + hw/virtio/vhost-vdpa.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c +index f285edb786..225c9b1730 100644 +--- a/hw/virtio/vhost-vdpa.c ++++ b/hw/virtio/vhost-vdpa.c +@@ -417,6 +417,7 @@ static int vhost_vdpa_host_notifier_init(struct vhost_dev *dev, int queue_index) + g_free(name); + + if (virtio_queue_set_host_notifier_mr(vdev, queue_index, &n->mr, true)) { ++ object_unparent(OBJECT(&n->mr)); + munmap(addr, page_size); + goto err; + } +-- +2.41.0.windows.1 + diff --git a/ide-Increment-BB-in-flight-counter-for-TRIM-BH.patch b/ide-Increment-BB-in-flight-counter-for-TRIM-BH.patch new file mode 100644 index 0000000..9b551dc --- /dev/null +++ b/ide-Increment-BB-in-flight-counter-for-TRIM-BH.patch 
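Review bot: `object_unparent(OBJECT(&n->mr))` is added only to this failure branch, while the `err:` label it jumps to is outside the hunk; if that label's cleanup (or `vhost_vdpa_host_notifier_uninit()`) also unparents the region, this becomes a double unparent on the same path, so the label body is worth checking. The ordering inside the branch is correct: the region is torn down before its backing mapping is `munmap`ed. A brief comment, `/* release the host-notifier region before unmapping the memory it covers */`, would tie the two lines together.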
@@ -0,0 +1,87 @@ +From 31ae365f6c13d1bdad9d4eefe6e9f00928e5dd64 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Wed, 26 Jul 2023 02:50:59 +0000 +Subject: [PATCH] ide: Increment BB in-flight counter for TRIM BH mainline + inclusion commit 7e5cdb345f77d76cb4877fe6230c4e17a7d0d0ca category: bugfix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--------------------------------------------------------------- + +When we still have an AIOCB registered for DMA operations, we try to +settle the respective operation by draining the BlockBackend associated +with the IDE device. + +However, this assumes that every DMA operation is associated with an +increment of the BlockBackend’s in-flight counter (e.g. through some +ongoing I/O operation), so that draining the BB until its in-flight +counter reaches 0 will settle all DMA operations. That is not the case: +For TRIM, the guest can issue a zero-length operation that will not +result in any I/O operation forwarded to the BlockBackend, and also not +increment the in-flight counter in any other way. In such a case, +blk_drain() will be a no-op if no other operations are in flight. + +It is clear that if blk_drain() is a no-op, the value of +s->bus->dma->aiocb will not change between checking it in the `if` +condition and asserting that it is NULL after blk_drain(). + +The particular problem is that ide_issue_trim() creates a BH +(ide_trim_bh_cb()) to settle the TRIM request: iocb->common.cb() is +ide_dma_cb(), which will either create a new request, or find the +transfer to be done and call ide_set_inactive(), which clears +s->bus->dma->aiocb. Therefore, the blk_drain() must wait for +ide_trim_bh_cb() to run, which currently it will not always do. + +To fix this issue, we increment the BlockBackend's in-flight counter +when the TRIM operation begins (in ide_issue_trim(), when the +ide_trim_bh_cb() BH is created) and decrement it when ide_trim_bh_cb() +is done. 
+ +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2029980 +Suggested-by: Paolo Bonzini +Signed-off-by: Hanna Reitz +Message-Id: <20220120142259.120189-1-hreitz@redhat.com> +Reviewed-by: Paolo Bonzini +Reviewed-by: John Snow +Tested-by: John Snow + +Signed-off-by: tangbinzy +--- + hw/ide/core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/hw/ide/core.c b/hw/ide/core.c +index e28f8aad61..15138225be 100644 +--- a/hw/ide/core.c ++++ b/hw/ide/core.c +@@ -433,12 +433,16 @@ static const AIOCBInfo trim_aiocb_info = { + static void ide_trim_bh_cb(void *opaque) + { + TrimAIOCB *iocb = opaque; ++ BlockBackend *blk = iocb->s->blk; + + iocb->common.cb(iocb->common.opaque, iocb->ret); + + qemu_bh_delete(iocb->bh); + iocb->bh = NULL; + qemu_aio_unref(iocb); ++ ++ /* Paired with an increment in ide_issue_trim() */ ++ blk_dec_in_flight(blk); + } + + static void ide_issue_trim_cb(void *opaque, int ret) +@@ -508,6 +512,9 @@ BlockAIOCB *ide_issue_trim( + IDEState *s = opaque; + TrimAIOCB *iocb; + ++ /* Paired with a decrement in ide_trim_bh_cb() */ ++ blk_inc_in_flight(s->blk); ++ + iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque); + iocb->s = s; + iocb->bh = qemu_bh_new(ide_trim_bh_cb, iocb); +-- +2.41.0.windows.1 + diff --git a/migration-report-compress-thread-pid-to-libvirt.patch b/migration-report-compress-thread-pid-to-libvirt.patch new file mode 100644 index 0000000..9d11947 --- /dev/null +++ b/migration-report-compress-thread-pid-to-libvirt.patch 
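Review bot: The in-flight decrement lives only in ide_trim_bh_cb(), so the increment added at the top of ide_issue_trim() is balanced only if every TRIM issued is guaranteed to reach that BH, including the cancellation hook referenced by trim_aiocb_info, which is outside the hunk; confirm that cancellation still lets ide_trim_bh_cb() run rather than freeing the iocb directly, or blk_drain() will wait on a counter that never drops. Caching `blk` before qemu_aio_unref(iocb) is correct because iocb must not be touched afterwards; a short comment on that line, `/* iocb is released below; keep the BlockBackend for the decrement */`, would make the ordering explicit. ide_trim_bh_cb() is complete in the hunk; ide_issue_trim() continues past it.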
@@ -0,0 +1,54 @@ +From 16c188d246f8d74f3d25098effdb836cdeb17e16 Mon Sep 17 00:00:00 2001 +From: jipengfei +Date: Sat, 1 Jul 2023 13:08:53 +0800 +Subject: [PATCH] migration: report compress thread pid to libvirt + +Supports migrating compressed threads bound to physical cores,qemu need to tell libvirt the compress thread pids. + +Signed-off-by:jipengfei +--- + migration/ram.c | 3 +++ + qapi/migration.json | 13 +++++++++++++ + 2 files changed, 16 insertions(+) + +diff --git a/migration/ram.c b/migration/ram.c +index c3484ee1a9..c6c59b54d9 100644 +--- a/migration/ram.c ++++ b/migration/ram.c +@@ -755,6 +755,9 @@ static void *do_data_compress(void *opaque) + RAMBlock *block; + bool zero_page; + ++ /* report compress thread pids to libvirt */ ++ qapi_event_send_migration_compress_pid(qemu_get_thread_id()); ++ + qemu_mutex_lock(¶m->mutex); + while (!param->quit) { + if (param->block) { +diff --git a/qapi/migration.json b/qapi/migration.json +index 8e18fd30e4..e965f4329b 100644 +--- a/qapi/migration.json ++++ b/qapi/migration.json +@@ -1308,6 +1308,19 @@ + { 'event': 'MIGRATION_PID', + 'data': { 'pid': 'int' } } + ++## ++# @MIGRATION_COMPRESS_PID: ++# ++# Emitted when compress thread appear ++# ++# @pid: pid of compress thread ++# ++# Since: 6.2 ++## ++{ 'event': 'MIGRATION_COMPRESS_PID', ++ 'data': { 'pid': 'int' } } ++ ++ + ## + # @COLOMessage: + # +-- +2.41.0.windows.1 + diff --git a/qemu.spec b/qemu.spec index 207cdfc..6dbc8c0 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 6.2.0 -Release: 71 +Release: 72 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 
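Review bot: qapi_event_send_migration_compress_pid() is called from do_data_compress(), the body of a compression worker thread rather than the main loop, so this relies on QMP event emission being safe to call off the main thread; the existing MIGRATION_PID event in the same schema suggests a precedent, but confirm where that one is emitted. The value is the host thread id from qemu_get_thread_id(), which is acceptable for a privileged QMP client but is host-internal information, and the schema comment should say so, e.g. `# @pid: host thread id of a compression thread; one event is sent per thread`. `Since: 6.2` names an upstream release that does not contain this event; mark it as a downstream addition so libvirt capability probes are not misled. `Emitted when compress thread appear` should read `Emitted when a compression thread starts`.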
@@ -497,6 +497,29 @@ Patch0485: virtio-fix-reachable-assertion-due-to-stale-value-of.patch Patch0486: hw-nvme-Change-alignment-in-dma-functions-for-nvme_b.patch Patch0487: Fix-smp.cores-value-and-Fix-divide-0-error.patch Patch0488: Add-lbt-support-for-kvm.patch +Patch0489: migration-report-compress-thread-pid-to-libvirt.patch +Patch0490: hw-ppc-Kconfig-MAC_NEWWORLD-should-always-select-USB.patch +Patch0491: virtio-gpu-add-a-FIXME-for-virtio_gpu_load.patch +Patch0492: block-monitor-Fix-crash-when-executing-HMP-commit.patch +Patch0493: vnc-avoid-underflow-when-accessing-user-provided-add.patch +Patch0494: qga-vss-win32-fix-warning-for-clang-15.patch +Patch0495: hw-net-vmxnet3-allow-VMXNET3_MAX_MTU-itself-as-a-val.patch +Patch0496: tests-tcg-fix-unused-variable-in-linux-test.patch +Patch0497: block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch +Patch0498: vfio-pci-Fix-a-segfault-in-vfio_realize.patch +Patch0499: gitlab-Disable-plugins-for-cross-i386-tci.patch +Patch0500: tcg-Reduce-tcg_assert_listed_vecop-scope.patch +Patch0501: 9pfs-prevent-opening-special-files-CVE-2023-2861.patch +Patch0502: accel-tcg-Optimize-jump-cache-flush-during-tlb-range.patch +Patch0503: hw-net-virtio-net-make-some-VirtIONet-const.patch +Patch0504: Allow-setting-up-to-8-bytes-with-the-generic-loader.patch +Patch0505: accel-tcg-cpu-exec-Fix-precise-single-stepping-after.patch +Patch0506: hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch +Patch0507: host-vdpa-make-notifiers-_init-_uninit-symmetric.patch +Patch0508: hw-pci-bridge-pxb-Fix-missing-swizzle.patch +Patch0509: ide-Increment-BB-in-flight-counter-for-TRIM-BH.patch +Patch0510: qga-win32-Remove-change-action-from-MSI-installer.patch +Patch0511: qga-win32-Use-rundll-for-VSS-installation.patch BuildRequires: flex BuildRequires: gcc 
@@ -1053,6 +1076,31 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Jul 28 2023 - 10:6.2.0-72 +- qga/win32: Use rundll for VSS installation +- qga/win32: Remove change action from MSI installer +- ide: Increment BB in-flight counter for TRIM BH +- hw/pci-bridge/pxb: Fix missing swizzle +- host-vdpa: make notifiers _init()/_uninit() symmetric +- hw/virtio: vdpa: Fix leak of host-notifier memory-region +- accel/tcg/cpu-exec: Fix precise single-stepping after interrupt +- Allow setting up to 8 bytes with the generic loader +- hw/net/virtio-net: make some VirtIONet const +- accel/tcg: Optimize jump cache flush during tlb range flush +- 9pfs: prevent opening special files (CVE-2023-2861) +- tcg: Reduce tcg_assert_listed_vecop() scope +- gitlab: Disable plugins for cross-i386-tci +- vfio/pci: Fix a segfault in vfio_realize +- block/iscsi: fix double-free on BUSY or similar statuses +- tests/tcg: fix unused variable in linux-test +- hw/net/vmxnet3: allow VMXNET3_MAX_MTU itself as a value +- qga/vss-win32: fix warning for clang++-15 +- vnc: avoid underflow when accessing user-provided address +- block/monitor: Fix crash when executing HMP commit +- virtio-gpu: add a FIXME for virtio_gpu_load() +- hw/ppc/Kconfig: MAC_NEWWORLD should always select USB_OHCI_PCI +- migration: report compress thread pid to libvirt + * Mon Jul 24 2023 - 10:6.2.0-71 - revert "add '--enable-slirp' compilation options" diff --git a/qga-vss-win32-fix-warning-for-clang-15.patch b/qga-vss-win32-fix-warning-for-clang-15.patch new file mode 100644 index 0000000..f4dfc2c --- /dev/null +++ b/qga-vss-win32-fix-warning-for-clang-15.patch 
@@ -0,0 +1,47 @@ +From b9212c3d72363f67d621dd4e16e507e4a677158e Mon Sep 17 00:00:00 2001 +From: qihao +Date: Tue, 27 Jun 2023 22:45:24 +0800 +Subject: [PATCH] qga/vss-win32: fix warning for clang++-15 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from a3f531cee66b12041098f7a809c2a7d6ecb6ad7d + +Reported when compiling with clang-windows-arm64. + +../qga/vss-win32/install.cpp:537:9: error: variable 'hr' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] + if (!(ControlService(service, SERVICE_CONTROL_STOP, NULL))) { + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +../qga/vss-win32/install.cpp:545:12: note: uninitialized use occurs here + return hr; + ^~ + +Signed-off-by: Pierrick Bouvier +Fixes: 917ebcb170 ("qga-win: Fix QGA VSS Provider service stop failure") +Reviewed-by: Konstantin Kostiuk +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Kostiantyn Kostiuk +(cherry picked from commit 0fcd574b025fccdf14d5140687cafe2bc30b634f) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + qga/vss-win32/install.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp +index 40de133774..e90a03c1cf 100644 +--- a/qga/vss-win32/install.cpp ++++ b/qga/vss-win32/install.cpp +@@ -513,7 +513,7 @@ namespace _com_util + /* Stop QGA VSS provider service using Winsvc API */ + STDAPI StopService(void) + { +- HRESULT hr; ++ HRESULT hr = S_OK; + SC_HANDLE manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); + SC_HANDLE service = NULL; + +-- +2.41.0.windows.1 + diff --git a/qga-win32-Remove-change-action-from-MSI-installer.patch b/qga-win32-Remove-change-action-from-MSI-installer.patch new file mode 100644 index 0000000..3ebd4e7 --- /dev/null +++ b/qga-win32-Remove-change-action-from-MSI-installer.patch 
@@ -0,0 +1,35 @@ +From 38a72d2fbaf732d0804fefca034c24b2ad068ad1 Mon Sep 17 00:00:00 2001 +From: Konstantin Kostiuk +Date: Fri, 3 Mar 2023 21:20:07 +0200 +Subject: [PATCH] qga/win32: Remove change action from MSI installer + +Remove the 'change' button from "Programs and Features" because it does +not checks if a user is an admin or not. The installer has no components +to choose from and always installs everything. So the 'change' button is +not obviously needed but can create a security issue. + +resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423 +fixes: CVE-2023-0664 (part 1 of 2) + +Signed-off-by: Konstantin Kostiuk +Reviewed-by: Yan Vugenfirer +Reported-by: Brian Wiltse +--- + qga/installer/qemu-ga.wxs | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs +index 0950e8c6be..b62e709a4c 100644 +--- a/qga/installer/qemu-ga.wxs ++++ b/qga/installer/qemu-ga.wxs +@@ -58,6 +58,7 @@ + /> + + ++ + +-- +2.41.0.windows.1 + diff --git a/qga-win32-Use-rundll-for-VSS-installation.patch b/qga-win32-Use-rundll-for-VSS-installation.patch new file mode 100644 index 0000000..36ddb7f --- /dev/null +++ b/qga-win32-Use-rundll-for-VSS-installation.patch 
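Review bot: The element added to qemu-ga.wxs has been lost in this rendering (the hunk shows only `++` followed by whitespace), so the actual property cannot be verified here; presumably it is the `ARPNOMODIFY` property that hides the Change button, which should be confirmed against the patch file itself. Hiding the button is UI-level hardening only: the maintenance path it launched still exists until the custom action is fixed, which the commit message defers to part 2 of the CVE-2023-0664 fix, so the two patches should be applied together rather than backported independently.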
@@ -0,0 +1,99 @@ +From bc472314a51895f67112e3ac35439df63292f101 Mon Sep 17 00:00:00 2001 +From: Konstantin Kostiuk +Date: Fri, 3 Mar 2023 21:20:08 +0200 +Subject: [PATCH] qga/win32: Use rundll for VSS installation + +The custom action uses cmd.exe to run VSS Service installation +and removal which causes an interactive command shell to spawn. +This shell can be used to execute any commands as a SYSTEM user. +Even if call qemu-ga.exe directly the interactive command shell +will be spawned as qemu-ga.exe is a console application and used +by users from the console as well as a service. + +As VSS Service runs from DLL which contains the installer and +uninstaller code, it can be run directly by rundll32.exe without +any interactive command shell. + +Add specific entry points for rundll which is just a wrapper +for COMRegister/COMUnregister functions with proper arguments. + +resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423 +fixes: CVE-2023-0664 (part 2 of 2) + +Signed-off-by: Konstantin Kostiuk +Reviewed-by: Yan Vugenfirer +Reported-by: Brian Wiltse +--- + qga/installer/qemu-ga.wxs | 10 +++++----- + qga/vss-win32/install.cpp | 9 +++++++++ + qga/vss-win32/qga-vss.def | 2 ++ + 3 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs +index b62e709a4c..11b66a22e6 100644 +--- a/qga/installer/qemu-ga.wxs ++++ b/qga/installer/qemu-ga.wxs +@@ -143,22 +143,22 @@ + + + +- ++ + + + + + + +diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp +index e90a03c1cf..8b7400e4e5 100644 +--- a/qga/vss-win32/install.cpp ++++ b/qga/vss-win32/install.cpp +@@ -352,6 +352,15 @@ out: + return hr; + } + ++STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int) ++{ ++ COMRegister(); ++} ++ ++STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int) ++{ ++ COMUnregister(); ++} + + static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data) + { +diff --git 
a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def +index 927782c31b..ee97a81427 100644 +--- a/qga/vss-win32/qga-vss.def ++++ b/qga/vss-win32/qga-vss.def +@@ -1,6 +1,8 @@ + LIBRARY "QGA-PROVIDER.DLL" + + EXPORTS ++ DLLCOMRegister ++ DLLCOMUnregister + COMRegister PRIVATE + COMUnregister PRIVATE + DllCanUnloadNow PRIVATE +-- +2.41.0.windows.1 + diff --git a/tcg-Reduce-tcg_assert_listed_vecop-scope.patch b/tcg-Reduce-tcg_assert_listed_vecop-scope.patch new file mode 100644 index 0000000..15f46f7 --- /dev/null +++ b/tcg-Reduce-tcg_assert_listed_vecop-scope.patch @@ -0,0 +1,64 @@ +From 61af18384a150a2c7d1f54521692a93c0e4ebacc Mon Sep 17 00:00:00 2001 +From: tangzhongrui +Date: Sun, 2 Jul 2023 23:37:42 +0800 +Subject: [PATCH] tcg: Reduce tcg_assert_listed_vecop() scope + + tcg_assert_listed_vecop() is only used in tcg-op-vec.c. + + Signed-off-by: Philippe Mathieu-Daud + Message-Id: <20230629091107.74384-1-philmd@linaro.org> + Reviewed-by: Richard Henderson + Signed-off-by: Richard Henderson + + 
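Review bot: DLLCOMRegister() and DLLCOMUnregister() discard the HRESULT returned by COMRegister()/COMUnregister(), and a rundll32 entry point has no way to report failure, so a VSS provider registration failure during MSI install now passes silently; at minimum the result should be recorded, e.g. `HRESULT hr = COMRegister(); if (FAILED(hr)) { /* log hr via the file's existing error helper */ }`. The qemu-ga.wxs hunk lost its XML content in this rendering, so the rundll32 command line cannot be checked; confirm the DLL path passed to rundll32 is absolute and quoted so an unquoted path containing spaces cannot be hijacked. The two new exports are deliberately not PRIVATE; a comment in the .def file noting they exist for rundll32 would stop someone marking them PRIVATE later.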
Signed-off-by: Zhongrui Tang +--- + include/tcg/tcg.h | 6 ------ + tcg/tcg-op-vec.c | 6 +++--- + 2 files changed, 3 insertions(+), 9 deletions(-) + +diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h +index 42f5b500ed..0ab8e4e735 100644 +--- a/include/tcg/tcg.h ++++ b/include/tcg/tcg.h +@@ -1240,12 +1240,6 @@ uint64_t dup_const(unsigned vece, uint64_t c); + : (target_long)dup_const(VECE, C)) + #endif + +-#ifdef CONFIG_DEBUG_TCG +-void tcg_assert_listed_vecop(TCGOpcode); +-#else +-static inline void tcg_assert_listed_vecop(TCGOpcode op) { } +-#endif +- + static inline const TCGOpcode *tcg_swap_vecop_list(const TCGOpcode *n) + { + #ifdef CONFIG_DEBUG_TCG +diff --git a/tcg/tcg-op-vec.c b/tcg/tcg-op-vec.c +index faf30f9cdd..7c027099c4 100644 +--- a/tcg/tcg-op-vec.c ++++ b/tcg/tcg-op-vec.c +@@ -50,9 +50,9 @@ extern TCGv_i32 TCGV_HIGH_link_error(TCGv_i64); + * tcg_ctx->vec_opt_opc is non-NULL, the tcg_gen_*_vec expanders + * will validate that their opcode is present in the list. + */ +-#ifdef CONFIG_DEBUG_TCG +-void tcg_assert_listed_vecop(TCGOpcode op) ++static void tcg_assert_listed_vecop(TCGOpcode op) + { ++#ifdef CONFIG_DEBUG_TCG + const TCGOpcode *p = tcg_ctx->vecop_list; + if (p) { + for (; *p; ++p) { +@@ -62,8 +62,8 @@ void tcg_assert_listed_vecop(TCGOpcode op) + } + g_assert_not_reached(); + } +-} + #endif ++} + + bool tcg_can_emit_vecop_list(const TCGOpcode *list, + TCGType type, unsigned vece) +-- +2.41.0.windows.1 + diff --git a/tests-tcg-fix-unused-variable-in-linux-test.patch b/tests-tcg-fix-unused-variable-in-linux-test.patch new file mode 100644 index 0000000..9879696 --- /dev/null +++ b/tests-tcg-fix-unused-variable-in-linux-test.patch 
@@ -0,0 +1,48 @@ +From 050aa274447899ecb000aa8d62d95b6c6192fc56 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Wed, 28 Jun 2023 10:08:22 +0800 +Subject: [PATCH] tests/tcg: fix unused variable in linux-test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 2bc6c79417b89c3306b724577e775f03fe61fb2e + +The latest hexagon compiler picks up that we never consume wcount. +Given the name of the #define that rcount checks against is WCOUNT_MAX +I figured the check just got missed. + +Signed-off-by: Alex Bennée +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <20221221090411.1995037-5-alex.bennee@linaro.org> +Signed-off-by: qihao_yewu +--- + tests/tcg/multiarch/linux/linux-test.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/tests/tcg/multiarch/linux/linux-test.c b/tests/tcg/multiarch/linux/linux-test.c +index 019d8175ca..78c68540ef 100644 +--- a/tests/tcg/multiarch/linux/linux-test.c ++++ b/tests/tcg/multiarch/linux/linux-test.c +@@ -354,13 +354,17 @@ static void test_pipe(void) + if (FD_ISSET(fds[0], &rfds)) { + chk_error(read(fds[0], &ch, 1)); + rcount++; +- if (rcount >= WCOUNT_MAX) ++ if (rcount >= WCOUNT_MAX) { + break; ++ } + } + if (FD_ISSET(fds[1], &wfds)) { + ch = 'a'; + chk_error(write(fds[1], &ch, 1)); + wcount++; ++ if (wcount >= WCOUNT_MAX) { ++ break; ++ } + } + } + } +-- +2.41.0.windows.1 + diff --git a/vfio-pci-Fix-a-segfault-in-vfio_realize.patch b/vfio-pci-Fix-a-segfault-in-vfio_realize.patch new file mode 100644 index 0000000..7ac8a6d --- /dev/null +++ b/vfio-pci-Fix-a-segfault-in-vfio_realize.patch 
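Review bot: The new `wcount >= WCOUNT_MAX` break exits the loop as soon as the writer has produced WCOUNT_MAX bytes, even if the reader has not yet consumed them, so whatever test_pipe() checks after the loop (outside the hunk) may now run with unread bytes still in the pipe; if the intent is simply to stop the writer from running ahead, making the exit depend on both counters, `if (rcount >= WCOUNT_MAX && wcount >= WCOUNT_MAX) { break; }`, would preserve the old read behaviour. This is a hedged reading: the select() setup above and the function tail are outside the hunk.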
@@ -0,0 +1,54 @@ +From 22e8d7076800d7c62e41e8c69fc01444cf00d451 Mon Sep 17 00:00:00 2001 +From: jipengfei +Date: Fri, 30 Jun 2023 21:05:23 +0800 +Subject: [PATCH] vfio/pci: Fix a segfault in vfio_realize +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The kvm irqchip notifier is only registered if the device supports +INTx, however it's unconditionally removed in vfio realize error +path. If the assigned device does not support INTx, this will cause +QEMU to crash when vfio realize fails. Change it to conditionally +remove the notifier only if the notify hook is setup. + +Before fix: +(qemu) device_add vfio-pci,host=81:11.1,id=vfio1,bus=root1,xres=1 +Connection closed by foreign host. + +After fix: +(qemu) device_add vfio-pci,host=81:11.1,id=vfio1,bus=root1,xres=1 +Error: vfio 0000:81:11.1: xres and yres properties require display=on +(qemu) + +Fixes: c5478fea27ac ("vfio/pci: Respond to KVM irqchip change notifier") + +cheery-pick from 357bd7932a136613d700ee8bc83e9165f059d1f7 + +Signed-off-by: jipengfei_yewu +Signed-off-by: Zhenzhong Duan +Reviewed-by: Cédric Le Goater +Reviewed-by: Joao Martins +Signed-off-by: Cédric Le Goater +--- + hw/vfio/pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c +index 7b45353ce2..b085389ff8 100644 +--- a/hw/vfio/pci.c ++++ b/hw/vfio/pci.c +@@ -3112,7 +3112,9 @@ static void vfio_realize(PCIDevice *pdev, Error **errp) + + out_deregister: + pci_device_set_intx_routing_notifier(&vdev->pdev, NULL); +- kvm_irqchip_remove_change_notifier(&vdev->irqchip_change_notifier); ++ if (vdev->irqchip_change_notifier.notify) { ++ kvm_irqchip_remove_change_notifier(&vdev->irqchip_change_notifier); ++ } + out_teardown: + vfio_teardown_msi(vdev); + vfio_bars_exit(vdev); +-- +2.41.0.windows.1 + diff --git a/virtio-gpu-add-a-FIXME-for-virtio_gpu_load.patch b/virtio-gpu-add-a-FIXME-for-virtio_gpu_load.patch new file mode 100644 index 0000000..04f60db 
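Review bot: The guard tests `vdev->irqchip_change_notifier.notify` as a proxy for "the notifier was registered", which only holds if the struct is zero-initialised and the field is set solely by the registration path; that is presumably true for a QOM-allocated device, but nothing in the hunk shows it, so a comment would make the invariant explicit: `/* Registered only when the device supports INTx; .notify stays NULL otherwise */`. vfio_realize() starts well outside the hunk.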
--- /dev/null +++ b/virtio-gpu-add-a-FIXME-for-virtio_gpu_load.patch @@ -0,0 +1,37 @@ +From 5a69ce95a920377f1c4f0c34c6cb8073dc5dbf8d Mon Sep 17 00:00:00 2001 +From: qihao +Date: Mon, 26 Jun 2023 14:29:40 +0800 +Subject: [PATCH] virtio-gpu: add a FIXME for virtio_gpu_load() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 529969b8d03970bae5feef8c69ebf5e0f521131c + +It looks like the virtio_gpu_load() does not compute and set the offset, +the same way virtio_gpu_set_scanout() does. This probably results in +incorrect display until the scanout/framebuffer is updated again, I +guess we should fix it, although I haven't checked this yet. + +Signed-off-by: Marc-André Lureau +Message-Id: <20230515132518.1025853-1-marcandre.lureau@redhat.com> +Signed-off-by: qihao_yewu +--- + hw/display/virtio-gpu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c +index c6dc818988..9ccc0575e3 100644 +--- a/hw/display/virtio-gpu.c ++++ b/hw/display/virtio-gpu.c +@@ -1284,6 +1284,7 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size, + /* load & apply scanout state */ + vmstate_load_state(f, &vmstate_virtio_gpu_scanouts, g, 1); + for (i = 0; i < g->parent_obj.conf.max_outputs; i++) { ++ /* FIXME: should take scanout.r.{x,y} into account */ + scanout = &g->parent_obj.scanout[i]; + if (!scanout->resource_id) { + continue; +-- +2.41.0.windows.1 + diff --git a/vnc-avoid-underflow-when-accessing-user-provided-add.patch b/vnc-avoid-underflow-when-accessing-user-provided-add.patch new file mode 100644 index 0000000..5d6b3ac --- /dev/null +++ b/vnc-avoid-underflow-when-accessing-user-provided-add.patch 
@@ -0,0 +1,41 @@ +From 3d6a5be54f59b86db1d9513cff24ca6f7d002400 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Tue, 27 Jun 2023 17:39:56 +0800 +Subject: [PATCH] vnc: avoid underflow when accessing user-provided address + +cheery-pick from bfc532703f3c4f8d2744748c440ca36ce9798ccb + +If hostlen is zero, there is a possibility that addrstr[hostlen - 1] +underflows and, if a closing bracked is there, hostlen - 2 is passed +to g_strndup() on the next line. If websocket==false then +addrstr[0] would be a colon, but if websocket==true this could in +principle happen. + +Fix it by checking hostlen. + +Reported by Coverity. + +Signed-off-by: Paolo Bonzini +(cherry picked from commit 3f9c41c5df9617510d8533cf6588172efb3df34b) +Signed-off-by: Michael Tokarev +Signed-off-by: qihao_yewu +--- + ui/vnc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ui/vnc.c b/ui/vnc.c +index 91e067ba7c..f4322a9065 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -3761,7 +3761,7 @@ static int vnc_display_get_address(const char *addrstr, + + addr->type = SOCKET_ADDRESS_TYPE_INET; + inet = &addr->u.inet; +- if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') { ++ if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') { + inet->host = g_strndup(addrstr + 1, hostlen - 2); + } else { + inet->host = g_strndup(addrstr, hostlen); +-- +2.41.0.windows.1 + -- Gitee
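Review bot: With the added `hostlen &&` guard the zero-length case no longer reads before the buffer, but it now falls through to `g_strndup(addrstr, 0)` and hands an empty host string to the caller, which the commit message says is reachable for the websocket variant; if an empty host is not a valid listen address here, rejecting it with an explicit error before this point would be clearer than relying on later code to notice. A two-character `[]` input likewise yields `hostlen - 2 == 0` and an empty host, and may deserve the same treatment. vnc_display_get_address() continues outside the hunk.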