diff --git a/aio-posix-zero-out-io_uring-sqe-user_data.patch b/aio-posix-zero-out-io_uring-sqe-user_data.patch new file mode 100644 index 0000000000000000000000000000000000000000..5c038442acb64408743ae6719a63e9bae44aa7f6 --- /dev/null +++ b/aio-posix-zero-out-io_uring-sqe-user_data.patch @@ -0,0 +1,44 @@ +From c670a3038a0b7dffda79672a63c84609459218c6 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Tue, 12 Sep 2023 10:22:09 +0800 +Subject: [PATCH] aio-posix: zero out io_uring sqe user_data + +cheery-pick from 87ec6f55af38e29be5b2b65a8acf84da73e06d06 + +liburing does not clear sqe->user_data. We must do it ourselves to avoid +undefined behavior in process_cqe() when user_data is used. + +Note that fdmon-io_uring is currently disabled, so this is a latent bug +that does not affect users. Let's merge this fix now to make it easier +to enable fdmon-io_uring in the future (and I'm working on that). + +Signed-off-by: Stefan Hajnoczi +Message-ID: <20230426212639.82310-1-stefanha@redhat.com> +Signed-off-by: qihao_yewu +--- + util/fdmon-io_uring.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/util/fdmon-io_uring.c b/util/fdmon-io_uring.c +index ab43052dd7..35165bcb46 100644 +--- a/util/fdmon-io_uring.c ++++ b/util/fdmon-io_uring.c +@@ -184,6 +184,7 @@ static void add_poll_remove_sqe(AioContext *ctx, AioHandler *node) + #else + io_uring_prep_poll_remove(sqe, node); + #endif ++ io_uring_sqe_set_data(sqe, NULL); + } + + /* Add a timeout that self-cancels when another cqe becomes ready */ +@@ -197,6 +198,7 @@ static void add_timeout_sqe(AioContext *ctx, int64_t ns) + + sqe = get_sqe(ctx); + io_uring_prep_timeout(sqe, &ts, 1, 0); ++ io_uring_sqe_set_data(sqe, NULL); + } + + /* Add sqes from ctx->submit_list for submission */ +-- +2.41.0.windows.1 + diff --git a/crypto-remove-shadowed-ret-variable.patch b/crypto-remove-shadowed-ret-variable.patch new file mode 100644 index 0000000000000000000000000000000000000000..ee0bf6ddcf428c7788233bb564fea4ae9123240d --- /dev/null 
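Review bot: The two new `io_uring_sqe_set_data(sqe, NULL)` calls carry no comment saying why a NULL user_data is required, so the rationale lives only in the commit message and a later cleanup could drop them as redundant. Add once, above the first call, `/* liburing does not clear sqe->user_data; process_cqe() must see NULL for sqes that carry no AioHandler */`. Whether process_cqe() actually treats NULL as "no handler" is not visible in this hunk and should be confirmed before relying on it. add_poll_remove_sqe() and add_timeout_sqe() both begin before the lines shown.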
+++ b/crypto-remove-shadowed-ret-variable.patch @@ -0,0 +1,36 @@ +From b055bedb3fba592ab7e73615faf29854a18b0abc Mon Sep 17 00:00:00 2001 +From: qihao +Date: Tue, 10 Oct 2023 15:24:35 +0800 +Subject: [PATCH] crypto: remove shadowed 'ret' variable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 3cc9fe177f412494f084923149338c51dd232b9b + +Both instances of 'ret' are used to store a gnutls API return code. + +Signed-off-by: Daniel P. Berrangé +Message-ID: <20230922160644.438631-2-berrange@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Markus Armbruster +Signed-off-by: qihao_yewu +--- + crypto/tls-cipher-suites.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/crypto/tls-cipher-suites.c b/crypto/tls-cipher-suites.c +index 5e4f597464..d0df4badc0 100644 +--- a/crypto/tls-cipher-suites.c ++++ b/crypto/tls-cipher-suites.c +@@ -52,7 +52,6 @@ GByteArray *qcrypto_tls_cipher_suites_get_data(QCryptoTLSCipherSuites *obj, + byte_array = g_byte_array_new(); + + for (i = 0;; i++) { +- int ret; + unsigned idx; + const char *name; + IANA_TLS_CIPHER cipher; +-- +2.41.0.windows.1 + diff --git a/disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch b/disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch new file mode 100644 index 0000000000000000000000000000000000000000..3185723a95d72a6d00a33aeebacd62eb74ca3c90 --- /dev/null +++ b/disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch 
@@ -0,0 +1,37 @@ +From 80fd3d8f92b8a2c3b640d1dfa436da8331b37b01 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Mon, 16 Oct 2023 09:47:25 +0800 +Subject: [PATCH] disas/riscv: Fix the typo of inverted order of pmpaddr13 and + pmpaddr14 + +cheery-pick from cffa9954908830276c93b430681f66cc0e599aef + +Fix the inverted order of pmpaddr13 and pmpaddr14 in csr_name(). + +Signed-off-by: Alvin Chang +Reviewed-by: Alistair Francis +Message-ID: <20230907084500.328-1-alvinga@andestech.com> +Signed-off-by: Alistair Francis +Signed-off-by: qihao_yewu +--- + disas/riscv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/disas/riscv.c b/disas/riscv.c +index 6768ec8188..ad7b978815 100644 +--- a/disas/riscv.c ++++ b/disas/riscv.c +@@ -1307,8 +1307,8 @@ static const char *csr_name(int csrno) + case 0x03ba: return "pmpaddr10"; + case 0x03bb: return "pmpaddr11"; + case 0x03bc: return "pmpaddr12"; +- case 0x03bd: return "pmpaddr14"; +- case 0x03be: return "pmpaddr13"; ++ case 0x03bd: return "pmpaddr13"; ++ case 0x03be: return "pmpaddr14"; + case 0x03bf: return "pmpaddr15"; + case 0x0780: return "mtohost"; + case 0x0781: return "mfromhost"; +-- +2.41.0.windows.1 + diff --git a/hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch b/hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch new file mode 100644 index 0000000000000000000000000000000000000000..0968345e28418c949f5c25f680f78db5bbaabd42 --- /dev/null +++ b/hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch 
@@ -0,0 +1,47 @@ +From a1ecbf056603b4fabf8b5ab8a79f70a27fef06ee Mon Sep 17 00:00:00 2001 +From: jipengfei_yewu +Date: Sun, 24 Sep 2023 19:39:33 +0800 +Subject: [PATCH] hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs + number +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When passing --smp with a number lower than XLNX_ZYNQMP_NUM_APU_CPUS, +the expression (ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS) will result +in a positive number as ms->smp.cpus is a unsigned int. +This will raise the following error afterwards, as Qemu will try to +instantiate some additional RPUs. + | $ qemu-system-aarch64 --smp 1 -M xlnx-zcu102 + | ** + | ERROR:../src/tcg/tcg.c:777:tcg_register_thread: + | assertion failed: (n < tcg_max_ctxs) + +cheery-pick from c9ba1c9f02cfede5329f504cdda6fd3a256e0434 + +Signed-off-by: jipengfei_yewu +Signed-off-by: Clément Chigot +Reviewed-by: Francisco Iglesias +Tested-by: Francisco Iglesias +Message-id: 20230524143714.565792-1-chigot@adacore.com +Signed-off-by: Peter Maydell +--- + hw/arm/xlnx-zynqmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c +index 1c52a575aa..2ffc6df70b 100644 +--- a/hw/arm/xlnx-zynqmp.c ++++ b/hw/arm/xlnx-zynqmp.c +@@ -194,7 +194,7 @@ static void xlnx_zynqmp_create_rpu(MachineState *ms, XlnxZynqMPState *s, + const char *boot_cpu, Error **errp) + { + int i; +- int num_rpus = MIN(ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS, ++ int num_rpus = MIN((int)(ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS), + XLNX_ZYNQMP_NUM_RPU_CPUS); + + if (num_rpus <= 0) { +-- +2.41.0.windows.1 + diff --git a/hw-char-fix-qcode-array-bounds-check-in-ESCC-impl.patch b/hw-char-fix-qcode-array-bounds-check-in-ESCC-impl.patch new file mode 100644 index 0000000000000000000000000000000000000000..9a00eb1be6f93ff6a03e40d44b1226b69c53070b --- /dev/null +++ b/hw-char-fix-qcode-array-bounds-check-in-ESCC-impl.patch 
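Review bot: The fix relies on converting an out-of-range unsigned value to `int` in `(int)(ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS)`; that conversion is implementation-defined in C11 (it wraps on GCC/Clang, so it works in practice) and it obscures the intent. Doing the subtraction in signed arithmetic states what is meant and needs no wrap: `int num_rpus = MIN((int)ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS,`. The `if (num_rpus <= 0)` guard that follows then handles the small `--smp` case exactly as the commit message describes. xlnx_zynqmp_create_rpu() continues past the hunk.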
@@ -0,0 +1,40 @@ +From 308cd236694ac13e2c45293b670b536b63765e62 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 4 Sep 2023 07:27:24 +0000 +Subject: [PATCH] hw/char: fix qcode array bounds check in ESCC impl mainline + inclusion commit 9aaf11e7f2b5487b684e900cf164f0aef25f72ab category: bugfix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--------------------------------------------------------------- + +There was an off-by-1 in the qcode conversion array bounds +check. + +Fixes: e709a61a8fe1076a487376fd657544418a38ba06 +Reported-by: Peter Maydell +Reviewed-by: Peter Maydell +Signed-off-by: Daniel P. Berrangé + +Signed-off-by: tangbinzy +--- + hw/char/escc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/char/escc.c b/hw/char/escc.c +index 8755d8d34f..17a908c59b 100644 +--- a/hw/char/escc.c ++++ b/hw/char/escc.c +@@ -828,7 +828,7 @@ static void sunkbd_handle_event(DeviceState *dev, QemuConsole *src, + } + } + +- if (qcode > qemu_input_map_qcode_to_sun_len) { ++ if (qcode >= qemu_input_map_qcode_to_sun_len) { + return; + } + +-- +2.41.0.windows.1 + diff --git a/hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch b/hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch new file mode 100644 index 0000000000000000000000000000000000000000..9b528ba567fd101ba7e93f7ab049f52ef3e4e650 --- /dev/null +++ b/hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch 
@@ -0,0 +1,63 @@ +From b2314562968c124503dbd08529a2bef39701aaa7 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Wed, 6 Sep 2023 20:30:27 +0800 +Subject: [PATCH] hw/i2c/pmbus_device: Fix modifying QOM class internals from + instance +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from f0e4588fd4ae39d1ad46f19c76ed298f89e61d6a + +QOM object instance should not modify its class state (because +all other objects instanciated from this class get affected). + +Instead of modifying the PMBusDeviceClass 'device_num_pages' field +the first time a instance is initialized (in pmbus_pages_alloc), +introduce a new pmbus_pages_num() helper which returns the page +number from the class without modifying the class state. + +The code logic become slighly simplified. + +Inspired-by: Bernhard Beschow +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Richard Henderson +Message-Id: <20230523064408.57941-4-philmd@linaro.org> +Signed-off-by: qihao_yewu +--- + hw/i2c/pmbus_device.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/hw/i2c/pmbus_device.c b/hw/i2c/pmbus_device.c +index 24f8f522d9..f39cd532de 100644 +--- a/hw/i2c/pmbus_device.c ++++ b/hw/i2c/pmbus_device.c +@@ -166,15 +166,18 @@ static void pmbus_quick_cmd(SMBusDevice *smd, uint8_t read) + } + } + +-static void pmbus_pages_alloc(PMBusDevice *pmdev) ++static uint8_t pmbus_pages_num(PMBusDevice *pmdev) + { ++ const PMBusDeviceClass *k = PMBUS_DEVICE_GET_CLASS(pmdev); ++ + /* some PMBus devices don't use the PAGE command, so they get 1 page */ +- PMBusDeviceClass *k = PMBUS_DEVICE_GET_CLASS(pmdev); +- if (k->device_num_pages == 0) { +- k->device_num_pages = 1; +- } +- pmdev->num_pages = k->device_num_pages; +- pmdev->pages = g_new0(PMBusPage, k->device_num_pages); ++ return k->device_num_pages ? 
: 1; ++} ++ ++static void pmbus_pages_alloc(PMBusDevice *pmdev) ++{ ++ pmdev->num_pages = pmbus_pages_num(pmdev); ++ pmdev->pages = g_new0(PMBusPage, pmdev->num_pages); + } + + void pmbus_check_limits(PMBusDevice *pmdev) +-- +2.41.0.windows.1 + diff --git a/hw-net-Fix-read-of-uninitialized-memory-in-ftgmac100.patch b/hw-net-Fix-read-of-uninitialized-memory-in-ftgmac100.patch new file mode 100644 index 0000000000000000000000000000000000000000..55ad629995ea8e03e4a2e985ae900959d2e1e0e9 --- /dev/null +++ b/hw-net-Fix-read-of-uninitialized-memory-in-ftgmac100.patch 
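Review bot: `pmbus_pages_num()` is declared to return `uint8_t`, while the types of `k->device_num_pages` and `pmdev->num_pages` are not shown in the hunk; if the class field is wider than 8 bits the helper silently truncates a page count that the old code copied unchanged into `pmdev->num_pages`. Declare the helper with the same type as `PMBusDeviceClass::device_num_pages`, or add `QEMU_BUILD_BUG_ON(sizeof(((PMBusDeviceClass *)0)->device_num_pages) > 1);` so the refactor is provably behaviour-preserving. The GNU `?:` form in `return k->device_num_pages ? : 1;` is accepted elsewhere in QEMU, but the explicit `? k->device_num_pages : 1` reads more clearly to people outside the project.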
@@ -0,0 +1,49 @@ +From 967c8f6e799756baf95c025ba8107206c3afd398 Mon Sep 17 00:00:00 2001 +From: dinglimin_yewu +Date: Thu, 28 Sep 2023 16:25:23 +0800 +Subject: [PATCH] hw/net: Fix read of uninitialized memory in ftgmac100 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 036e98e5c2b4e25c8d6ccbddb85c7ab05a753f6a + +With the `size += 4` before the call to `crc32`, the CRC calculation +would overrun the buffer. Size is used in the while loop starting on +line 1009 to determine how much data to write back, with the last +four bytes coming from `crc_ptr`, so do need to increase it, but should +do this after the computation. + +I'm unsure why this use of uninitialized memory in the CRC doesn't +result in CRC errors, but it seems clear to me that it should not be +included in the calculation. + +Signed-off-by: Stephen Longfield +Reviewed-by: Hao Wu +Reviewed-by: Joel Stanley +Message-Id: <20221220221437.3303721-1-slongfield@google.com> +Signed-off-by: Cédric Le Goater +Signed-off-by: dinglimin_yewu +--- + hw/net/ftgmac100.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c +index 83ef0a783e..d3bf14be53 100644 +--- a/hw/net/ftgmac100.c ++++ b/hw/net/ftgmac100.c +@@ -980,9 +980,9 @@ static ssize_t ftgmac100_receive(NetClientState *nc, const uint8_t *buf, + return size; + } + +- /* 4 bytes for the CRC. */ +- size += 4; + crc = cpu_to_be32(crc32(~0, buf, size)); ++ /* Increase size by 4, loop below reads the last 4 bytes from crc_ptr. */ ++ size += 4; + crc_ptr = (uint8_t *) &crc; + + /* Huge frames are truncated. */ +-- +2.41.0.windows.1 + diff --git a/hw-nvme-Avoid-dynamic-stack-allocation.patch b/hw-nvme-Avoid-dynamic-stack-allocation.patch new file mode 100644 index 0000000000000000000000000000000000000000..aaa5f740eeb3a4a3c808b264c10fd5a4594eb1f4 --- /dev/null +++ b/hw-nvme-Avoid-dynamic-stack-allocation.patch 
@@ -0,0 +1,38 @@ +From aa1f9c961de247522e772275635b7f15bf5bb13f Mon Sep 17 00:00:00 2001 +From: dinglimin +Date: Sat, 16 Sep 2023 17:20:08 +0800 +Subject: [PATCH] hw/nvme: Avoid dynamic stack allocation + +cheery-pick from b3c8246750b7077add335559341268f2956f6470 + +Instead of using a variable-length array in nvme_map_prp(), +allocate on the stack with a g_autofree pointer. + +The codebase has very few VLAs, and if we can get rid of them all we +can make the compiler error on new additions. This is a defensive +measure against security bugs where an on-stack dynamic allocation +isn't correctly size-checked (e.g. CVE-2021-3527). + +Signed-off-by: Peter Maydell +Signed-off-by: Klaus Jensen +Signed-off-by: dinglimin_yewu +--- + hw/nvme/ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index debd3916dd..d64dd9c361 100644 +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -702,7 +702,7 @@ static uint16_t nvme_map_prp(NvmeCtrl *n, NvmeSg *sg, uint64_t prp1, + len -= trans_len; + if (len) { + if (len > n->page_size) { +- uint64_t prp_list[n->max_prp_ents]; ++ g_autofree uint64_t *prp_list = g_new(uint64_t, n->max_prp_ents); + uint32_t nents, prp_trans; + int i = 0; + +-- +2.41.0.windows.1 + diff --git a/hw-vfio-pci-quirks-Sanitize-capability-pointer.patch b/hw-vfio-pci-quirks-Sanitize-capability-pointer.patch new file mode 100644 index 0000000000000000000000000000000000000000..c6c480839523301648eb24f82915a85df1d001e7 --- /dev/null +++ b/hw-vfio-pci-quirks-Sanitize-capability-pointer.patch 
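Review bot: The new heap allocation has no comment explaining why the array is not on the stack, so the reasoning in the commit message (no VLAs, cf. CVE-2021-3527) is invisible at the point of use. Add above it `/* Heap, not a VLA: max_prp_ents is sized by the controller page size; see CVE-2021-3527. */`. A `g_new()` per large request on the I/O path is a cost mainline accepted; the loop that fills and indexes `prp_list`, and therefore the `nents <= n->max_prp_ents` bound it depends on, lies outside this hunk and cannot be checked here.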
@@ -0,0 +1,60 @@ +From 193240c79f5c95aaf86b2998975189f1873ebcec Mon Sep 17 00:00:00 2001 +From: tangzhongrui +Date: Fri, 18 Aug 2023 14:41:45 +0800 +Subject: [PATCH] hw/vfio/pci-quirks: Sanitize capability pointer Coverity + reports a tained scalar when traversing the capabilities chain (CID 1516589). + In practice I've never seen a device with a chain so broken as to cause an + issue, but it's also pretty easy to sanitize. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes: f6b30c1 ("hw/vfio/pci-quirks: Support alternate offset for +GPUDirect Cliques") +Signed-off-by: Alex Williamson +Reviewed-by: Cédric Le Goater +Signed-off-by: Cédric Le Goater + +Signed-off-by: Zhongrui Tang +--- + hw/vfio/pci-quirks.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c +index 7a8e6efcdc..a911e04a79 100644 +--- a/hw/vfio/pci-quirks.c ++++ b/hw/vfio/pci-quirks.c +@@ -1717,6 +1717,12 @@ const PropertyInfo qdev_prop_nv_gpudirect_clique = { + .set = set_nv_gpudirect_clique_id, + }; + ++static bool is_valid_std_cap_offset(uint8_t pos) ++{ ++ return (pos >= PCI_STD_HEADER_SIZEOF && ++ pos <= (PCI_CFG_SPACE_SIZE - PCI_CAP_SIZEOF)); ++} ++ + static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp) + { + PCIDevice *pdev = &vdev->pdev; +@@ -1750,7 +1756,7 @@ static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp) + */ + ret = pread(vdev->vbasedev.fd, &tmp, 1, + vdev->config_offset + PCI_CAPABILITY_LIST); +- if (ret != 1 || !tmp) { ++ if (ret != 1 || !is_valid_std_cap_offset(tmp)) { + error_setg(errp, "NVIDIA GPUDirect Clique ID: error getting cap list"); + return -EINVAL; + } +@@ -1762,7 +1768,7 @@ static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp) + d4_conflict = true; + } + tmp = pdev->config[tmp + PCI_CAP_LIST_NEXT]; +- } while (tmp); ++ } while (is_valid_std_cap_offset(tmp)); + + if (!c8_conflict) { + pos = 
0xC8; +-- +2.41.0.windows.1 + diff --git a/hw-vfio-pci-quirks-Support-alternate-offset-for-GPUD.patch b/hw-vfio-pci-quirks-Support-alternate-offset-for-GPUD.patch new file mode 100644 index 0000000000000000000000000000000000000000..7232ad3a34f8df7436134aec2368f1cf6c6c695c --- /dev/null +++ b/hw-vfio-pci-quirks-Support-alternate-offset-for-GPUD.patch 
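Review bot: The range check added to the chain walk still does not terminate on a cyclic capability list: if `pdev->config[tmp + PCI_CAP_LIST_NEXT]` ever points back at an offset already visited, the `do { … } while (is_valid_std_cap_offset(tmp))` loop spins forever during device setup. A hop budget bounds it — `int ttl = PCI_CFG_SPACE_SIZE / PCI_CAP_SIZEOF;` before the loop and `} while (is_valid_std_cap_offset(tmp) && --ttl > 0);`. The PCI specification reserves the low two bits of both the capabilities pointer and each next pointer, so masking them, `tmp = pdev->config[tmp + PCI_CAP_LIST_NEXT] & ~3;` (and likewise on the value read via pread from `PCI_CAPABILITY_LIST`), matches the Linux walker and keeps a misaligned pointer from indexing an odd offset. The upper bound `pos <= PCI_CFG_SPACE_SIZE - PCI_CAP_SIZEOF` already keeps `tmp + PCI_CAP_LIST_NEXT` inside the 256-byte header; vfio_add_nv_gpudirect_cap() continues past the hunk.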
@@ -0,0 +1,95 @@ +From d672e2f137933b26bd9b3488a873830435eadba5 Mon Sep 17 00:00:00 2001 +From: tangzhongrui +Date: Thu, 3 Aug 2023 15:10:16 +0800 +Subject: [PATCH] hw/vfio/pci-quirks: Support alternate offset for GPUDirect + Cliques +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +NVIDIA Turing and newer GPUs implement the MSI-X capability at the offset +previously reserved for use by hypervisors to implement the GPUDirect +Cliques capability. A revised specification provides an alternate +location. Add a config space walk to the quirk to check for conflicts, +allowing us to fall back to the new location or generate an error at the +quirk setup rather than when the real conflicting capability is added +should there be no available location. + +Signed-off-by: Alex Williamson +Reviewed-by: Cédric Le Goater +Signed-off-by: Cédric Le Goater + +Signed-off-by: Zhongrui Tang +--- + hw/vfio/pci-quirks.c | 41 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 40 insertions(+), 1 deletion(-) + +diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c +index 1222ccff0b..7a8e6efcdc 100644 +--- a/hw/vfio/pci-quirks.c ++++ b/hw/vfio/pci-quirks.c +@@ -1677,6 +1677,9 @@ void vfio_setup_resetfn_quirk(VFIOPCIDevice *vdev) + * +---------------------------------+---------------------------------+ + * + * https://lists.gnu.org/archive/html/qemu-devel/2017-08/pdfUda5iEpgOS.pdf ++ * ++ * Specification for Turning and later GPU architectures: ++ * https://lists.gnu.org/archive/html/qemu-devel/2023-06/pdf142OR4O4c2.pdf + */ + static void get_nv_gpudirect_clique_id(Object *obj, Visitor *v, + const char *name, void *opaque, +@@ -1717,7 +1720,9 @@ const PropertyInfo qdev_prop_nv_gpudirect_clique = { + static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp) + { + PCIDevice *pdev = &vdev->pdev; +- int ret, pos = 0xC8; ++ int ret, pos; ++ bool c8_conflict = false, d4_conflict = false; ++ uint8_t tmp; + + if 
(vdev->nv_gpudirect_clique == 0xFF) { + return 0; +@@ -1734,6 +1739,40 @@ static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp) + return -EINVAL; + } + ++ /* ++ * Per the updated specification above, it's recommended to use offset ++ * D4h for Turing and later GPU architectures due to a conflict of the ++ * MSI-X capability at C8h. We don't know how to determine the GPU ++ * architecture, instead we walk the capability chain to mark conflicts ++ * and choose one or error based on the result. ++ * ++ * NB. Cap list head in pdev->config is already cleared, read from device. ++ */ ++ ret = pread(vdev->vbasedev.fd, &tmp, 1, ++ vdev->config_offset + PCI_CAPABILITY_LIST); ++ if (ret != 1 || !tmp) { ++ error_setg(errp, "NVIDIA GPUDirect Clique ID: error getting cap list"); ++ return -EINVAL; ++ } ++ ++ do { ++ if (tmp == 0xC8) { ++ c8_conflict = true; ++ } else if (tmp == 0xD4) { ++ d4_conflict = true; ++ } ++ tmp = pdev->config[tmp + PCI_CAP_LIST_NEXT]; ++ } while (tmp); ++ ++ if (!c8_conflict) { ++ pos = 0xC8; ++ } else if (!d4_conflict) { ++ pos = 0xD4; ++ } else { ++ error_setg(errp, "NVIDIA GPUDirect Clique ID: invalid config space"); ++ return -EINVAL; ++ } ++ + ret = pci_add_capability(pdev, PCI_CAP_ID_VNDR, pos, 8, errp); + if (ret < 0) { + error_prepend(errp, "Failed to add NVIDIA GPUDirect cap: "); +-- +2.41.0.windows.1 + diff --git a/hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch b/hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch new file mode 100644 index 0000000000000000000000000000000000000000..4721ee7b8a877cc7cfc440cf488c7aa63f4bb046 --- /dev/null +++ b/hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch 
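Review bot: The conflict walk only records a capability whose start offset is exactly `0xC8` or `0xD4`, but the clique capability added by `pci_add_capability(pdev, PCI_CAP_ID_VNDR, pos, 8, errp)` spans eight bytes, so an existing capability starting at, say, 0xCC or 0xD0 overlaps the chosen slot without setting either flag. Presumably `pci_add_capability()` still rejects the overlap, but the failure then surfaces through the generic "Failed to add NVIDIA GPUDirect cap" path rather than the specific "invalid config space" error this hunk introduces; marking a conflict whenever `tmp` falls inside `[0xC8, 0xD0)` or `[0xD4, 0xDC)` (and, for standard IDs whose size is known, whenever the existing capability reaches into those windows) would make the diagnosis precise. Separately, the new comment says `Specification for Turning and later GPU architectures`; the architecture is `Turing`. The tail of vfio_add_nv_gpudirect_cap() runs past the hunk.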
@@ -0,0 +1,45 @@ +From 12eed71f72cbb5d81b14f66fde254058f121979a Mon Sep 17 00:00:00 2001 +From: qihao +Date: Wed, 25 Oct 2023 17:44:42 +0800 +Subject: [PATCH] hw/virtio/virtio-pmem: Replace impossible check by assertion +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 184256d261cfc773360f14a80092ace5a716bb8f + +The get_memory_region() handler is used when (un)plugging the +device, which can only occur *after* it is realized. + +virtio_pmem_realize() ensure the instance can not be realized +without 'memdev'. Remove the superfluous check, replacing it +by an assertion. + +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Michael S. Tsirkin +Reviewed-by: Manos Pitsidianakis +Message-Id: <20231017140150.44995-2-philmd@linaro.org> +Signed-off-by: qihao_yewu +--- + hw/virtio/virtio-pmem.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/hw/virtio/virtio-pmem.c b/hw/virtio/virtio-pmem.c +index d1aeb90a31..39f3949a3b 100644 +--- a/hw/virtio/virtio-pmem.c ++++ b/hw/virtio/virtio-pmem.c +@@ -149,10 +149,7 @@ static void virtio_pmem_fill_device_info(const VirtIOPMEM *pmem, + static MemoryRegion *virtio_pmem_get_memory_region(VirtIOPMEM *pmem, + Error **errp) + { +- if (!pmem->memdev) { +- error_setg(errp, "'%s' property must be set", VIRTIO_PMEM_MEMDEV_PROP); +- return NULL; +- } ++ assert(pmem->memdev); + + return &pmem->memdev->mr; + } +-- +2.41.0.windows.1 + diff --git a/migration-rdma-zore-out-head.repeat-to-make-the-erro.patch b/migration-rdma-zore-out-head.repeat-to-make-the-erro.patch new file mode 100644 index 0000000000000000000000000000000000000000..b6a630aea9df6ff570ba8c35e1050279a8ae0b92 --- /dev/null +++ b/migration-rdma-zore-out-head.repeat-to-make-the-erro.patch 
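Review bot: After the check becomes `assert(pmem->memdev)`, the `Error **errp` parameter of virtio_pmem_get_memory_region() is never written on any path yet stays in the signature, which invites a reader to re-add an error path. It is presumably kept because the function is installed as a MemoryDeviceClass callback with that signature, but that assignment is not visible here; a comment on the function makes the situation explicit: `/* errp is unused: 'memdev' is mandatory in virtio_pmem_realize(), so this cannot fail once the device is realized. */`. If the callback signature does permit it, dropping the parameter would be cleaner than carrying an unused one.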
@@ -0,0 +1,43 @@ +From e65dfad1fd7832fc206f3a22479169fcb4527317 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Mon, 9 Oct 2023 18:11:54 +0800 +Subject: [PATCH] migration/rdma: zore out head.repeat to make the error more + clear + +cheery-pick from 2ada4b63f1764d13a2b9ca9cbeb5feda46ab6851 + +Previously, we got a confusion error that complains +the RDMAControlHeader.repeat: +qemu-system-x86_64: rdma: Too many requests in this message (3638950032).Bailing. + +Actually, it's caused by an unexpected RDMAControlHeader.type. +After this patch, error will become: +qemu-system-x86_64: Unknown control message QEMU FILE + +Reviewed-by: Fabiano Rosas +Reviewed-by: Peter Xu +Reviewed-by: Juan Quintela +Signed-off-by: Li Zhijian +Signed-off-by: Juan Quintela +Message-ID: <20230926100103.201564-2-lizhijian@fujitsu.com> +Signed-off-by: qihao_yewu +--- + migration/rdma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/migration/rdma.c b/migration/rdma.c +index f5d3bbe7e9..60c856dd2f 100644 +--- a/migration/rdma.c ++++ b/migration/rdma.c +@@ -2866,7 +2866,7 @@ static ssize_t qio_channel_rdma_writev(QIOChannel *ioc, + size_t remaining = iov[i].iov_len; + uint8_t * data = (void *)iov[i].iov_base; + while (remaining) { +- RDMAControlHeader head; ++ RDMAControlHeader head = {}; + + len = MIN(remaining, RDMA_SEND_INCREMENT); + remaining -= len; +-- +2.41.0.windows.1 + diff --git a/ppc-vof-Fix-missed-fields-in-VOF-cleanup.patch b/ppc-vof-Fix-missed-fields-in-VOF-cleanup.patch new file mode 100644 index 0000000000000000000000000000000000000000..93498aea9948c72aec58513ab36246283896ce44 --- /dev/null +++ b/ppc-vof-Fix-missed-fields-in-VOF-cleanup.patch 
@@ -0,0 +1,43 @@ +From 62083d43f24d801f74b8e0aee7693811c19a366d Mon Sep 17 00:00:00 2001 +From: qihao +Date: Mon, 18 Sep 2023 15:26:28 +0800 +Subject: [PATCH] ppc/vof: Fix missed fields in VOF cleanup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 7b8589d7ce7e23f26ff53338d575a5cbd7818e28 + +Failing to reset the of_instance_last makes ihandle allocation continue +to increase, which causes record-replay replay fail to match the +recorded trace. + +Not resetting claimed_base makes VOF eventually run out of memory after +some resets. + +Cc: Alexey Kardashevskiy +Fixes: fc8c745d501 ("spapr: Implement Open Firmware client interface") +Signed-off-by: Nicholas Piggin +Reviewed-by: Alexey Kardashevskiy +Signed-off-by: Cédric Le Goater +Signed-off-by: qihao_yewu +--- + hw/ppc/vof.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/hw/ppc/vof.c b/hw/ppc/vof.c +index 73adc44ec2..b1aa0ceb8b 100644 +--- a/hw/ppc/vof.c ++++ b/hw/ppc/vof.c +@@ -1026,6 +1026,8 @@ void vof_cleanup(Vof *vof) + } + vof->claimed = NULL; + vof->of_instances = NULL; ++ vof->of_instance_last = 0; ++ vof->claimed_base = 0; + } + + void vof_build_dt(void *fdt, Vof *vof) +-- +2.41.0.windows.1 + diff --git a/qemu.spec b/qemu.spec index 18fc73479dcf7046511aea1e717d75c762a2e82e..7e42c71b9e18cfd87b74e7882ebb37174724c91b 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 6.2.0 -Release: 80 +Release: 83 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 
@@ -565,6 +565,40 @@ Patch0550: vhost-Drop-unused-eventfd_add-del-hooks.patch Patch0551: chardev-report-the-handshake-error.patch Patch0552: hw-ssi-Fix-Linux-driver-init-issue-with-xilinx_spi.patch Patch0553: io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch +Patch0554: hw-char-fix-qcode-array-bounds-check-in-ESCC-impl.patch +Patch0555: tulip-Assign-default-MAC-address-if-not-specified.patch +Patch0556: target-ppc-Fix-the-order-of-kvm_enable-judgment-abou.patch +Patch0557: tests-qtest-pflash-Clean-up-local-variable-shadowing.patch +Patch0558: ui-fix-crash-when-there-are-no-active_console.patch +Patch0559: ppc-vof-Fix-missed-fields-in-VOF-cleanup.patch +Patch0560: hw-nvme-Avoid-dynamic-stack-allocation.patch +Patch0561: aio-posix-zero-out-io_uring-sqe-user_data.patch +Patch0562: qtest-npcm7xx_pwm-test-Fix-memory-leak-in-mft_qom_se.patch +Patch0563: target-i386-fix-INVD-vmexit.patch +Patch0564: target-ppc-Fix-tlbie.patch +Patch0565: hw-net-Fix-read-of-uninitialized-memory-in-ftgmac100.patch +Patch0566: replay-fix-event-queue-flush-for-qemu-shutdown.patch +Patch0567: hw-vfio-pci-quirks-Support-alternate-offset-for-GPUD.patch +Patch0568: hw-vfio-pci-quirks-Sanitize-capability-pointer.patch +Patch0569: vhost-user-fs-Back-up-vqs-before-cleaning-up-vhost_d.patch +Patch0570: migration-rdma-zore-out-head.repeat-to-make-the-erro.patch +Patch0571: thread-pool-optimize-scheduling-of-completion-bottom.patch +Patch0572: hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch +Patch0573: hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch +Patch0574: crypto-remove-shadowed-ret-variable.patch +Patch0575: target-i386-add-support-for-FLUSH_L1D-feature.patch +Patch0576: target-i386-add-support-for-FB_CLEAR-feature.patch +Patch0577: target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch +Patch0578: target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch +Patch0579: target-i386-Allow-MCDT_NO-if-host-supports.patch +Patch0580: 
target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch +Patch0581: target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch +Patch0582: ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch +Patch0583: qga-Fix-memory-leak-when-output-stream-is-unused.patch +Patch0584: disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch +Patch0585: softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch +Patch0586: tests-Fix-printf-format-string-in-acpi-utils.c.patch +Patch0587: hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch BuildRequires: flex BuildRequires: gcc 
@@ -1138,6 +1172,46 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon Oct 30 2023 - 10:6.2.0-83 +- hw/virtio/virtio-pmem: Replace impossible check by assertion +- tests: Fix printf format string in acpi-utils.c +- softmmu/dirtylimit: Add parameter check for hmp "set_vcpu_dirty_limit" +- disas/riscv: Fix the typo of inverted order of pmpaddr13 and pmpaddr14 +- qga: Fix memory leak when output stream is unused +- ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255) +- target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model +- target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES +- target/i386: Allow MCDT_NO if host supports +- target/i386: Add support for MCDT_NO in CPUID enumeration +- target/i386: Export MSR_ARCH_CAPABILITIES bits to guests +- target/i386: add support for FB_CLEAR feature +- target/i386: add support for FLUSH_L1D feature +- crypto: remove shadowed 'ret' variable +- hw/i2c/pmbus_device: Fix modifying QOM class internals from instance +- hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number + +* Mon Oct 30 2023 - 10:6.2.0-82 +- thread-pool: optimize scheduling of completion bottom half +- migration/rdma: zore out head.repeat to make the error more clear +- vhost-user-fs: Back up vqs before cleaning up vhost_dev +- hw/vfio/pci-quirks: Sanitize capability pointer +- hw/vfio/pci-quirks: Support alternate offset for GPUDirect Cliques +- replay: fix event queue flush for qemu shutdown +- hw/net: Fix read of uninitialized memory in ftgmac100 +- target/ppc: Fix tlbie +- target/i386: fix INVD vmexit +- qtest/npcm7xx_pwm-test: Fix memory leak in mft_qom_set +- aio-posix: zero out io_uring sqe user_data + +* Mon Oct 30 2023 - 10:6.2.0-81 +- hw/nvme: Avoid dynamic stack allocation +- ppc/vof: Fix missed fields in VOF cleanup +- ui: fix crash when there are no active_console +- tests/qtest/pflash: Clean up local variable shadowing +- target/ppc: Fix the order of 
kvm_enable judgment about kvmppc_set_interrupt() +- tulip: Assign default MAC address if not specified +- hw/char: fix qcode array bounds check in ESCC impl + * Sat Sep 9 2023 - 10:6.2.0-80 - io: remove io watch if TLS channel is closed during handshake - hw/ssi: Fix Linux driver init issue with xilinx_spi diff --git a/qga-Fix-memory-leak-when-output-stream-is-unused.patch b/qga-Fix-memory-leak-when-output-stream-is-unused.patch new file mode 100644 index 0000000000000000000000000000000000000000..b05a65c262263afc90258847c63fcb063c43787c --- /dev/null +++ b/qga-Fix-memory-leak-when-output-stream-is-unused.patch 
@@ -0,0 +1,56 @@ +From 877d97f7e7b88c9cb8754bece152dc27a2a0f47a Mon Sep 17 00:00:00 2001 +From: qihao +Date: Mon, 16 Oct 2023 10:22:03 +0800 +Subject: [PATCH] qga: Fix memory leak when output stream is unused + +cheery-pick from d6f67b83b81bf49b5c62e77143ed39c020e51830 + +If capture-output is requested but one of the channels goes unused (eg. +we attempt to capture stderr but the command never writes to stderr), we +can leak memory. + +guest_exec_output_watch() is (from what I understand) unconditionally +called for both streams if output capture is requested. The first call +will always pass the `p->size == p->length` check b/c both values are +0. Then GUEST_EXEC_IO_SIZE bytes will be allocated for the stream. + +But when we reap the exited process there's a `gei->err.length > 0` +check to actually free the buffer. Which does not get run if the command +doesn't write to the stream. + +Fix by making free() unconditional. + +Reviewed-by: Konstantin Kostiuk +Signed-off-by: Daniel Xu +Signed-off-by: Konstantin Kostiuk +Signed-off-by: qihao_yewu +--- + qga/commands.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/qga/commands.c b/qga/commands.c +index 80501e4a73..05f89725be 100644 +--- a/qga/commands.c ++++ b/qga/commands.c +@@ -210,16 +210,16 @@ GuestExecStatus *qmp_guest_exec_status(int64_t pid, Error **errp) + if (gei->out.length > 0) { + ges->has_out_data = true; + ges->out_data = g_base64_encode(gei->out.data, gei->out.length); +- g_free(gei->out.data); + ges->has_out_truncated = gei->out.truncated; + } ++ g_free(gei->out.data); + + if (gei->err.length > 0) { + ges->has_err_data = true; + ges->err_data = g_base64_encode(gei->err.data, gei->err.length); +- g_free(gei->err.data); + ges->has_err_truncated = gei->err.truncated; + } ++ g_free(gei->err.data); + + QTAILQ_REMOVE(&guest_exec_state.processes, gei, next); + g_free(gei); +-- +2.41.0.windows.1 + 
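Review bot: The now-unconditional `g_free(gei->out.data);` in qmp_guest_exec_status deserves a comment saying why the old `length > 0` guard was wrong, since a reader will otherwise assume the buffer only exists when data arrived. Per the commit message the buffer is allocated by guest_exec_output_watch() as soon as capture is requested, so `/* Allocated by guest_exec_output_watch() whenever capture is requested, even if the stream never produced data. */` above the first free, with the same applying to the `err` buffer, pins the invariant. Both pointers are left dangling inside `gei` after the free, which is acceptable only because `gei` itself is freed a few lines below. qmp_guest_exec_status starts outside the hunk.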
diff --git a/qtest-npcm7xx_pwm-test-Fix-memory-leak-in-mft_qom_se.patch b/qtest-npcm7xx_pwm-test-Fix-memory-leak-in-mft_qom_se.patch new file mode 100644 index 0000000000000000000000000000000000000000..3da09c8d3113e398bf13c8222456c91d7fb63b14 --- /dev/null +++ b/qtest-npcm7xx_pwm-test-Fix-memory-leak-in-mft_qom_se.patch @@ -0,0 +1,39 @@ +From b76d4a1a4d7d0635044cd8542564803318ac5412 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Tue, 26 Sep 2023 07:49:12 +0000 +Subject: [PATCH] qtest/npcm7xx_pwm-test: Fix memory leak in mft_qom_set + mainline inclusion commit d412597ec5a8406b2af6aa5fb7740e77c1bd3f8c category: + bugfix + +--------------------------------------------------------------- + +g_strdup_printf() allocated memory for path, we should free it with +g_free() when no longer needed. + +Signed-off-by: Miaoqian Lin +Reviewed-by: Hao Wu +Message-Id: <20220531080921.4704-1-linmq006@gmail.com> +Signed-off-by: Thomas Huth + +Signed-off-by: tangbinzy +--- + tests/qtest/npcm7xx_pwm-test.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tests/qtest/npcm7xx_pwm-test.c b/tests/qtest/npcm7xx_pwm-test.c +index a54fd70d27..ddfc120df0 100644 +--- a/tests/qtest/npcm7xx_pwm-test.c ++++ b/tests/qtest/npcm7xx_pwm-test.c +@@ -268,6 +268,9 @@ static void mft_qom_set(QTestState *qts, int index, const char *name, + path, name, value); + /* The qom set message returns successfully. */ + g_assert_true(qdict_haskey(response, "return")); ++ ++ qobject_unref(response); ++ g_free(path); + } + + static uint32_t get_pll(uint32_t con) +-- +2.41.0.windows.1 + diff --git a/replay-fix-event-queue-flush-for-qemu-shutdown.patch b/replay-fix-event-queue-flush-for-qemu-shutdown.patch new file mode 100644 index 0000000000000000000000000000000000000000..0c129eedb484d01b09ad193255c9de4e15ebd3ea --- /dev/null +++ b/replay-fix-event-queue-flush-for-qemu-shutdown.patch 
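Review bot: The two frees added at the end of mft_qom_set are correct but manual; QEMU's usual idiom for a `g_strdup_printf()` result is `g_autofree char *path = g_strdup_printf(...)`, which releases it on every exit path without a trailing `g_free(path);`. The declaration of `path` is above the hunk, so that variant would touch the top of the function instead. Keeping `qobject_unref(response);` as added is fine.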
@@ -0,0 +1,40 @@
+From d15694ef4ae7f7ebdbdac250a8a793ab66254655 Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Tue, 26 Sep 2023 08:16:21 +0000
+Subject: [PATCH] replay: fix event queue flush for qemu shutdown mainline
+ inclusion commit c4b8ffcbb8531206e12cf3ad92fa90f7c80ed464 category: bugfix
+
+---------------------------------------------------------------
+
+This patch fixes event queue flush in the case of emulator
+shutdown. replay_finish_events should be called when replay_mode
+is not cleared.
+
+Signed-off-by: Pavel Dovgalyuk
+Reviewed-by: Richard Henderson
+Message-Id: <165364836758.688121.7959245442743676491.stgit@pasha-ThinkPad-X280>
+Signed-off-by: Paolo Bonzini
+
+Signed-off-by: tangbinzy
+---
+ replay/replay.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/replay/replay.c b/replay/replay.c
+index 6df2abc18c..2d3607998a 100644
+--- a/replay/replay.c
++++ b/replay/replay.c
+@@ -387,9 +387,8 @@ void replay_finish(void)
+ g_free(replay_snapshot);
+ replay_snapshot = NULL;
+
+- replay_mode = REPLAY_MODE_NONE;
+-
+ replay_finish_events();
++ replay_mode = REPLAY_MODE_NONE;
+ }
+
+ void replay_add_blocker(Error *reason)
+--
+2.41.0.windows.1
+
diff --git a/softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch b/softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4fd759bc1aa684caf0add0e45c4ba4ac31885bd2
--- /dev/null
+++ b/softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch
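Review bot: The reordering in replay_finish() is order-sensitive and nothing on the new line says so, so a later cleanup could move `replay_mode = REPLAY_MODE_NONE;` back above the call. A one-line comment on the moved assignment, `/* replay_finish_events() checks replay_mode, so clear it only afterwards */`, records the reason given in the commit message. replay_finish starts outside the hunk.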
@@ -0,0 +1,55 @@ +From 381500cc0b96e85165ae0314839c34976a4da1b2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Hyman=20Huang=28=E9=BB=84=E5=8B=87=29?= + +Date: Fri, 18 Nov 2022 10:08:54 +0800 +Subject: [PATCH] softmmu/dirtylimit: Add parameter check for hmp + "set_vcpu_dirty_limit" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +dirty_rate paraemter of hmp command "set_vcpu_dirty_limit" is invalid +if less than 0, so add parameter check for it. + +Note that this patch also delete the unsolicited help message and +clean up the code. + +Signed-off-by: Hyman Huang(黄勇) +Reviewed-by: Markus Armbruster +Reviewed-by: Peter Xu +Reviewed-by: Juan Quintela +Message-Id: <168618975839.6361.17407633874747688653-1@git.sr.ht> +Signed-off-by: Juan Quintela +--- + softmmu/dirtylimit.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/softmmu/dirtylimit.c b/softmmu/dirtylimit.c +index 8d98cb7f2c..5041c230d0 100644 +--- a/softmmu/dirtylimit.c ++++ b/softmmu/dirtylimit.c +@@ -515,14 +515,15 @@ void hmp_set_vcpu_dirty_limit(Monitor *mon, const QDict *qdict) + int64_t cpu_index = qdict_get_try_int(qdict, "cpu_index", -1); + Error *err = NULL; + +- qmp_set_vcpu_dirty_limit(!!(cpu_index != -1), cpu_index, dirty_rate, &err); +- if (err) { +- hmp_handle_error(mon, err); +- return; ++ if (dirty_rate < 0) { ++ error_setg(&err, "invalid dirty page limit %" PRId64, dirty_rate); ++ goto out; + } + +- monitor_printf(mon, "[Please use 'info vcpu_dirty_limit' to query " +- "dirty limit for virtual CPU]\n"); ++ qmp_set_vcpu_dirty_limit(!!(cpu_index != -1), cpu_index, dirty_rate, &err); ++ ++out: ++ hmp_handle_error(mon, err); + } + + static struct DirtyLimitInfo *dirtylimit_query_vcpu(int cpu_index) +-- +2.41.0.windows.1 + 
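Review bot: The re-added call `qmp_set_vcpu_dirty_limit(!!(cpu_index != -1), cpu_index, dirty_rate, &err);` wraps an already-boolean comparison in `!!`; `cpu_index != -1` alone reads cleaner and yields the same value. The negative check is a good addition; if a `dirty_rate` of 0 is also meaningless here, the guard would need `<= 0`, otherwise a comment stating that 0 is accepted (or rejected inside qmp_set_vcpu_dirty_limit) would help the next reader. `dirty_rate` is declared above the hunk, and the success path relies on `hmp_handle_error(mon, err)` at `out:` being a no-op when `err` is NULL.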
diff --git a/target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch b/target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch new file mode 100644 index 0000000000000000000000000000000000000000..0db8839a414c5e161fa4150d46bd38bc3460d7d5 --- /dev/null +++ b/target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch @@ -0,0 +1,53 @@ +From 732cb06c9b652cf899e9f329ad74ec3dae3d18b2 Mon Sep 17 00:00:00 2001 +From: Lei Wang +Date: Thu, 6 Jul 2023 13:49:48 +0800 +Subject: [PATCH] target/i386: Add few security fix bits in ARCH_CAPABILITIES + into SapphireRapids CPU model + +commit 3baf7ae63505eb1652d1e52d65798307fead8539 upstream. + +SapphireRapids has bit 13, 14 and 15 of MSR_IA32_ARCH_CAPABILITIES +enabled, which are related to some security fixes. + +Add version 2 of SapphireRapids CPU model with those bits enabled also. + +Intel-SIG: commit 3baf7ae63505 ("target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model") +Backport support of SapphireRapids CPU Model version 2 + +Signed-off-by: Lei Wang +Signed-off-by: Tao Su +Message-ID: <20230706054949.66556-6-tao1.su@linux.intel.com> +Signed-off-by: Paolo Bonzini +[ jason: amend commit log ] +Signed-off-by: Jason Zeng +--- + target/i386/cpu.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 685bfca37e..eb911b12fa 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -3675,8 +3675,17 @@ static const X86CPUDefinition builtin_x86_defs[] = { + .model_id = "Intel Xeon Processor (SapphireRapids)", + .versions = (X86CPUVersionDefinition[]) { + { .version = 1 }, +- { /* end of list */ }, +- }, ++ { ++ .version = 2, ++ .props = (PropValue[]) { ++ { "sbdr-ssdp-no", "on" }, ++ { "fbsdp-no", "on" }, ++ { "psdp-no", "on" }, ++ { /* end of list */ } ++ } ++ }, ++ { /* end of list */ } ++ } + }, + { + .name = "Denverton", +-- +2.41.0.windows.1 + 
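Review bot: The version-2 `.props` entry lists `sbdr-ssdp-no`, `fbsdp-no` and `psdp-no` without saying what they correspond to; a short comment above the `.props` line, `/* MSR_IA32_ARCH_CAPABILITIES bits 13-15, see MSR_ARCH_CAP_* in cpu.h */`, ties the CPU model to the bit definitions. Because the entries are looked up by name, the model silently depends on those names being present in feature_word_info (added by the separate "Export MSR_ARCH_CAPABILITIES bits to guests" backport), and a mismatch would only surface at runtime when the model is instantiated. The builtin_x86_defs table starts outside the hunk.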
diff --git a/target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch b/target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch new file mode 100644 index 0000000000000000000000000000000000000000..b0b81164ab851c0f1c1838d997b52b4b0044408e --- /dev/null +++ b/target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch @@ -0,0 +1,43 @@ +From cdd89390a5e8fb55515798ab4ec5ec5fd6fed32b Mon Sep 17 00:00:00 2001 +From: Tao Su +Date: Thu, 6 Jul 2023 13:49:47 +0800 +Subject: [PATCH] target/i386: Add new bit definitions of + MSR_IA32_ARCH_CAPABILITIES + +commit 6c43ec3b206956a8a3008accafe9eb2dfd885190 upstream. + +Currently, bit 13, 14, 15 and 24 of MSR_IA32_ARCH_CAPABILITIES are +disclosed for fixing security issues, so add those bit definitions. + +Intel-SIG: commit 6c43ec3b2069 ("target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES") +Backport new bit definitions of MSR_IA32_ARCH_CAPABILITIES + +Signed-off-by: Tao Su +Reviewed-by: Igor Mammedov +Message-ID: <20230706054949.66556-5-tao1.su@linux.intel.com> +Signed-off-by: Paolo Bonzini +[ jason: amend commit log ] +Signed-off-by: Jason Zeng +--- + target/i386/cpu.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index edbaba0d62..37c687d4d8 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -966,7 +966,11 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, + #define MSR_ARCH_CAP_PSCHANGE_MC_NO (1U << 6) + #define MSR_ARCH_CAP_TSX_CTRL_MSR (1U << 7) + #define MSR_ARCH_CAP_TAA_NO (1U << 8) ++#define MSR_ARCH_CAP_SBDR_SSDP_NO (1U << 13) ++#define MSR_ARCH_CAP_FBSDP_NO (1U << 14) ++#define MSR_ARCH_CAP_PSDP_NO (1U << 15) + #define MSR_ARCH_CAP_FB_CLEAR (1U << 17) ++#define MSR_ARCH_CAP_PBRSB_NO (1U << 24) + + #define MSR_CORE_CAP_SPLIT_LOCK_DETECT (1U << 5) + +-- +2.41.0.windows.1 + 
diff --git a/target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch b/target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch new file mode 100644 index 0000000000000000000000000000000000000000..0dbfc10a7f56394119868f1a33fe7f891497e035 --- /dev/null +++ b/target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch 
@@ -0,0 +1,112 @@ +From a7329b80a2c8a50e53da17aa4eff0ef50aa21413 Mon Sep 17 00:00:00 2001 +From: Tao Su +Date: Thu, 6 Jul 2023 13:49:45 +0800 +Subject: [PATCH] target/i386: Add support for MCDT_NO in CPUID enumeration + +commit 9dd8b71091f47bac395f543779269c14d8d93c60 upstream. + +CPUID.(EAX=7,ECX=2):EDX[bit 5] enumerates MCDT_NO. Processors enumerate +this bit as 1 do not exhibit MXCSR Configuration Dependent Timing (MCDT) +behavior and do not need to be mitigated to avoid data-dependent behavior +for certain instructions. + +Since MCDT_NO is in a new sub-leaf, add a new CPUID feature word +FEAT_7_2_EDX. Also update cpuid_level_func7 by FEAT_7_2_EDX. + +Intel-SIG: commit 9dd8b71091f4 ("target/i386: Add support for MCDT_NO in CPUID enumeration") +Backport support for MCDT_NO in CPUID enumeration + +Signed-off-by: Tao Su +Reviewed-by: Xiaoyao Li +Message-ID: <20230706054949.66556-3-tao1.su@linux.intel.com> +Signed-off-by: Paolo Bonzini +[ jason: resolve conflict with FEAT_7_1_EDX which not backported yet ] +Signed-off-by: Jason Zeng +--- + target/i386/cpu.c | 26 ++++++++++++++++++++++++++ + target/i386/cpu.h | 4 ++++ + 2 files changed, 30 insertions(+) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index b878a1bf20..685bfca37e 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -663,6 +663,7 @@ void x86_cpu_vendor_words2str(char *dst, uint32_t vendor1, + #define TCG_7_0_EDX_FEATURES CPUID_7_0_EDX_FSRM + #define TCG_7_1_EAX_FEATURES (CPUID_7_1_EAX_FZRM | CPUID_7_1_EAX_FSRS | \ + CPUID_7_1_EAX_FSRC) ++#define TCG_7_2_EDX_FEATURES 0 + #define TCG_APM_FEATURES 0 + #define TCG_6_EAX_FEATURES CPUID_6_EAX_ARAT + #define TCG_XSAVE_FEATURES (CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XGETBV1) +@@ -886,6 +887,25 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + }, + .tcg_features = TCG_7_1_EAX_FEATURES, + }, ++ [FEAT_7_2_EDX] = { ++ .type = CPUID_FEATURE_WORD, ++ .feat_names = { ++ NULL, NULL, NULL, NULL, ++ NULL, "mcdt-no", NULL, NULL, ++ NULL, NULL, NULL, 
NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ }, ++ .cpuid = { ++ .eax = 7, ++ .needs_ecx = true, .ecx = 2, ++ .reg = R_EDX, ++ }, ++ .tcg_features = TCG_7_2_EDX_FEATURES, ++ }, + [FEAT_8000_0007_EDX] = { + .type = CPUID_FEATURE_WORD, + .feat_names = { +@@ -5531,6 +5551,11 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count, + *ebx = 0; + *ecx = 0; + *edx = 0; ++ } else if (count == 2) { ++ *edx = env->features[FEAT_7_2_EDX]; ++ *eax = 0; ++ *ebx = 0; ++ *ecx = 0; + } else { + *eax = 0; + *ebx = 0; +@@ -6361,6 +6386,7 @@ void x86_cpu_expand_features(X86CPU *cpu, Error **errp) + x86_cpu_adjust_feat_level(cpu, FEAT_6_EAX); + x86_cpu_adjust_feat_level(cpu, FEAT_7_0_ECX); + x86_cpu_adjust_feat_level(cpu, FEAT_7_1_EAX); ++ x86_cpu_adjust_feat_level(cpu, FEAT_7_2_EDX); + x86_cpu_adjust_feat_level(cpu, FEAT_8000_0001_EDX); + x86_cpu_adjust_feat_level(cpu, FEAT_8000_0001_ECX); + x86_cpu_adjust_feat_level(cpu, FEAT_8000_0007_EDX); +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index d9aac5acd2..edbaba0d62 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -601,6 +601,7 @@ typedef enum FeatureWord { + FEAT_SGX_12_0_EAX, /* CPUID[EAX=0x12,ECX=0].EAX (SGX) */ + FEAT_SGX_12_0_EBX, /* CPUID[EAX=0x12,ECX=0].EBX (SGX MISCSELECT[31:0]) */ + FEAT_SGX_12_1_EAX, /* CPUID[EAX=0x12,ECX=1].EAX (SGX ATTRIBUTES[31:0]) */ ++ FEAT_7_2_EDX, /* CPUID[EAX=7,ECX=2].EDX */ + FEATURE_WORDS, + } FeatureWord; + +@@ -889,6 +890,9 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, + /* Fast Short REP CMPS/SCAS */ + #define CPUID_7_1_EAX_FSRC (1U << 12) + ++/* Do not exhibit MXCSR Configuration Dependent Timing (MCDT) behavior */ ++#define CPUID_7_2_EDX_MCDT_NO (1U << 5) ++ + /* XFD Extend Feature Disabled */ + #define CPUID_D_1_EAX_XFD (1U << 4) + +-- +2.41.0.windows.1 + 
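Review bot: `FEAT_7_2_EDX` is appended after the SGX feature words rather than next to `FEAT_7_1_EAX`, which a later maintainer may read as an oversight and reorder; the backport note says this avoids a conflict with the not-yet-backported FEAT_7_1_EDX, so the enum line would benefit from `/* kept at the end to preserve existing FeatureWord indices in this backport */`, assuming index stability is the intent. The `count == 2` branch in cpu_x86_cpuid and the "mcdt-no" slot in `feat_names` are consistent with `CPUID_7_2_EDX_MCDT_NO` at bit 5. The enclosing functions and tables in both files start outside the hunk.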
diff --git a/target-i386-Allow-MCDT_NO-if-host-supports.patch b/target-i386-Allow-MCDT_NO-if-host-supports.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a95c27ea6ffc34d275cb1df8cd45420c1de83195
--- /dev/null
+++ b/target-i386-Allow-MCDT_NO-if-host-supports.patch
@@ -0,0 +1,43 @@
+From 6beadcde4d28a1e4ad3267b7702162ecf9d4541b Mon Sep 17 00:00:00 2001
+From: Tao Su
+Date: Thu, 6 Jul 2023 13:49:46 +0800
+Subject: [PATCH] target/i386: Allow MCDT_NO if host supports
+
+commit ba3709feaab44631315e02cd793cfccae4c6bd2a upstream.
+
+MCDT_NO bit indicates HW contains the security fix and doesn't need to
+be mitigated to avoid data-dependent behaviour for certain instructions.
+It needs no hypervisor support. Treat it as supported regardless of what
+KVM reports.
+
+Intel-SIG: commit ba3709feaab4 ("target/i386: Allow MCDT_NO if host supports")
+Backport allowing MCDT_NO if host supports
+
+Signed-off-by: Tao Su
+Reviewed-by: Xiaoyao Li
+Message-ID: <20230706054949.66556-4-tao1.su@linux.intel.com>
+Signed-off-by: Paolo Bonzini
+[ jason: amend commit log ]
+Signed-off-by: Jason Zeng
+---
+ target/i386/kvm/kvm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
+index d323d08dcb..55ee75e844 100644
+--- a/target/i386/kvm/kvm.c
++++ b/target/i386/kvm/kvm.c
+@@ -424,6 +424,10 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function,
+ uint32_t eax;
+ host_cpuid(7, 1, &eax, &unused, &unused, &unused);
+ ret |= eax & (CPUID_7_1_EAX_FZRM | CPUID_7_1_EAX_FSRS | CPUID_7_1_EAX_FSRC);
++ } else if (function == 7 && index == 2 && reg == R_EDX) {
++ uint32_t edx;
++ host_cpuid(7, 2, &unused, &unused, &unused, &edx);
++ ret |= edx & CPUID_7_2_EDX_MCDT_NO;
+ } else if (function == 0xd && index == 0 &&
+ (reg == R_EAX || reg == R_EDX)) {
+ /*
+--
+2.41.0.windows.1
+
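Review bot: The new `function == 7 && index == 2` branch in kvm_arch_get_supported_cpuid reports MCDT_NO straight from host CPUID regardless of what KVM advertises, and unlike the 0xd branch right below it carries no explanatory comment. Suggest `/* MCDT_NO needs no hypervisor support; report the host bit even if KVM does not expose it. */` above the `uint32_t edx;` line, mirroring the commit message. It is worth adding to that comment that bypassing KVM's filtering is safe only because the bit is purely informational (it declares the absence of a vulnerability) rather than enabling a feature the hypervisor would have to virtualize. The function starts outside the hunk.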
diff --git a/target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch b/target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch new file mode 100644 index 0000000000000000000000000000000000000000..ac4e016198be24f07fe83f1265440b45d0cbf963 --- /dev/null +++ b/target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch @@ -0,0 +1,47 @@ +From 93551bb8747ffc9ef26fc3ced7be310d9aa805d6 Mon Sep 17 00:00:00 2001 +From: Pawan Gupta +Date: Fri, 23 Jun 2023 13:26:25 -0700 +Subject: [PATCH] target/i386: Export MSR_ARCH_CAPABILITIES bits to guests + +commit 5bef742cc4f0e21c80a31611af7881ba811e507f upstream. + +On Intel CPUs there are certain bits in MSR_ARCH_CAPABILITIES that +indicates if the CPU is not affected by a vulnerability. Without these +bits guests may try to deploy the mitigation even if the CPU is not +affected. + +Export the bits to guests that indicate immunity to hardware +vulnerabilities. + +Intel-SIG: commit 5bef742cc4f0 ("target/i386: Export MSR_ARCH_CAPABILITIES bits to guests") +Backport exporting MSR_ARCH_CAPABILITIES bits to guests + +Signed-off-by: Pawan Gupta +Message-ID: <63d85cc76d4cdc51e6c732478b81d8f13be11e5a.1687551881.git.pawan.kumar.gupta@linux.intel.com> +Signed-off-by: Paolo Bonzini +[ jason: amend commit log ] +Signed-off-by: Jason Zeng +--- + target/i386/cpu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 8adc84b7f9..b878a1bf20 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -981,10 +981,10 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry", + "ssb-no", "mds-no", "pschange-mc-no", "tsx-ctrl", + "taa-no", NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ NULL, "sbdr-ssdp-no", "fbsdp-no", "psdp-no", + NULL, "fb-clear", NULL, NULL, + NULL, NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ "pbrsb-no", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, + .msr = { +-- +2.41.0.windows.1 + 
diff --git a/target-i386-add-support-for-FB_CLEAR-feature.patch b/target-i386-add-support-for-FB_CLEAR-feature.patch new file mode 100644 index 0000000000000000000000000000000000000000..621864375f71f8284080aba51d36ca69422836cb --- /dev/null +++ b/target-i386-add-support-for-FB_CLEAR-feature.patch 
@@ -0,0 +1,62 @@ +From fb84b9baa665ffa4596fd871537e0544d60e40fc Mon Sep 17 00:00:00 2001 +From: Emanuele Giuseppe Esposito +Date: Wed, 1 Feb 2023 08:57:59 -0500 +Subject: [PATCH] target/i386: add support for FB_CLEAR feature + +commit 22e1094ca82d5518c1b69aff3e87c550776ae1eb upstream. + +As reported by the Intel's doc: +"FB_CLEAR: The processor will overwrite fill buffer values as part of +MD_CLEAR operations with the VERW instruction. +On these processors, L1D_FLUSH does not overwrite fill buffer values." + +If this cpu feature is present in host, allow QEMU to choose whether to +show it to the guest too. +One disadvantage of not exposing it is that the guest will report +a non existing vulnerability in +/sys/devices/system/cpu/vulnerabilities/mmio_stale_data +because the mitigation is present only when the cpu has + (FLUSH_L1D and MD_CLEAR) or FB_CLEAR +features enabled. + +Intel-SIG: commit 22e1094ca82d ("target/i386: add support for FB_CLEAR feature") +Backport support for FB_CLEAR feature + +Signed-off-by: Emanuele Giuseppe Esposito +Message-Id: <20230201135759.555607-3-eesposit@redhat.com> +Signed-off-by: Paolo Bonzini +[ jason: amend commit log ] +Signed-off-by: Jason Zeng +--- + target/i386/cpu.c | 2 +- + target/i386/cpu.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 512bec3ca3..8adc84b7f9 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -982,7 +982,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + "ssb-no", "mds-no", "pschange-mc-no", "tsx-ctrl", + "taa-no", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ NULL, "fb-clear", NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 9e094ef934..d9aac5acd2 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -962,6 +962,7 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, + #define 
MSR_ARCH_CAP_PSCHANGE_MC_NO (1U << 6) + #define MSR_ARCH_CAP_TSX_CTRL_MSR (1U << 7) + #define MSR_ARCH_CAP_TAA_NO (1U << 8) ++#define MSR_ARCH_CAP_FB_CLEAR (1U << 17) + + #define MSR_CORE_CAP_SPLIT_LOCK_DETECT (1U << 5) + +-- +2.41.0.windows.1 + diff --git a/target-i386-add-support-for-FLUSH_L1D-feature.patch b/target-i386-add-support-for-FLUSH_L1D-feature.patch new file mode 100644 index 0000000000000000000000000000000000000000..1853829386d65154b5ae8260e2bb4833314feb08 --- /dev/null +++ b/target-i386-add-support-for-FLUSH_L1D-feature.patch 
@@ -0,0 +1,61 @@ +From dd635e4b0340a426333b466a2222e5848dfda42c Mon Sep 17 00:00:00 2001 +From: Emanuele Giuseppe Esposito +Date: Wed, 1 Feb 2023 08:57:58 -0500 +Subject: [PATCH] target/i386: add support for FLUSH_L1D feature + +commit 0e7e3bf1a552c178924867fa7c2f30ccc8a179e0 upstream. + +As reported by Intel's doc: +"L1D_FLUSH: Writeback and invalidate the L1 data cache" + +If this cpu feature is present in host, allow QEMU to choose whether to +show it to the guest too. +One disadvantage of not exposing it is that the guest will report +a non existing vulnerability in +/sys/devices/system/cpu/vulnerabilities/mmio_stale_data +because the mitigation is present only when the cpu has + (FLUSH_L1D and MD_CLEAR) or FB_CLEAR +features enabled. + +Intel-SIG: commit 0e7e3bf1a552 ("target/i386: add support for FLUSH_L1D feature") +Backport support for FLUSH_L1D feature + +Signed-off-by: Emanuele Giuseppe Esposito +Message-Id: <20230201135759.555607-2-eesposit@redhat.com> +Signed-off-by: Paolo Bonzini +[ jason: amend commit log ] +Signed-off-by: Jason Zeng +--- + target/i386/cpu.c | 2 +- + target/i386/cpu.h | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 66b5eaa14e..512bec3ca3 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -858,7 +858,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + "tsx-ldtrk", NULL, NULL /* pconfig */, NULL, + NULL, NULL, "amx-bf16", "avx512-fp16", + "amx-tile", "amx-int8", "spec-ctrl", "stibp", +- NULL, "arch-capabilities", "core-capability", "ssbd", ++ "flush-l1d", "arch-capabilities", "core-capability", "ssbd", + }, + .cpuid = { + .eax = 7, +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index d0c7791a1e..9e094ef934 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -869,6 +869,8 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, + #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) + /* Single Thread Indirect Branch Predictors */ + #define 
CPUID_7_0_EDX_STIBP (1U << 27) ++/* Flush L1D cache */ ++#define CPUID_7_0_EDX_FLUSH_L1D (1U << 28) + /* Arch Capabilities */ + #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) + /* Core Capability */ +-- +2.41.0.windows.1 + diff --git a/target-i386-fix-INVD-vmexit.patch b/target-i386-fix-INVD-vmexit.patch new file mode 100644 index 0000000000000000000000000000000000000000..2e9a1601a4e22d2242cb440fe38f1a35f8c6c003 --- /dev/null +++ b/target-i386-fix-INVD-vmexit.patch @@ -0,0 +1,34 @@ +From b17eea58c7497f96cb66d31b8c59fdcdb06b6c40 Mon Sep 17 00:00:00 2001 +From: jipengfei_yewu +Date: Sun, 24 Sep 2023 19:43:41 +0800 +Subject: [PATCH] target/i386: fix INVD vmexit + +Due to a typo or perhaps a brain fart, the INVD vmexit was never generated. +Fix it (but not that fixing just the typo would break both INVD and WBINVD, +due to a case of two wrongs making a right). + +cheery-pick from 4d714d1a0bf1fca9576ee53a1a5dfa3fd5ddae99 + +Signed-off-by: jipengfei_yewu +Reviewed-by: Richard Henderson +Signed-off-by: Paolo Bonzini +--- + target/i386/tcg/translate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c +index e9e1451540..82f77b52fb 100644 +--- a/target/i386/tcg/translate.c ++++ b/target/i386/tcg/translate.c +@@ -7773,7 +7773,7 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu) + case 0x108: /* invd */ + case 0x109: /* wbinvd */ + if (check_cpl0(s)) { +- gen_svm_check_intercept(s, (b & 2) ? SVM_EXIT_INVD : SVM_EXIT_WBINVD); ++ gen_svm_check_intercept(s, (b & 1) ? SVM_EXIT_WBINVD : SVM_EXIT_INVD); + /* nothing to do */ + } + break; +-- +2.41.0.windows.1 + diff --git a/target-ppc-Fix-the-order-of-kvm_enable-judgment-abou.patch b/target-ppc-Fix-the-order-of-kvm_enable-judgment-abou.patch new file mode 100644 index 0000000000000000000000000000000000000000..9485b039f10828edaa14d2d3f1a4683d4c70f25f --- /dev/null +++ b/target-ppc-Fix-the-order-of-kvm_enable-judgment-abou.patch 
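Review bot: `(b & 1) ? SVM_EXIT_WBINVD : SVM_EXIT_INVD` is correct for opcodes 0x108 and 0x109, but it is the same kind of bit trick that let the original `(b & 2)` typo go unnoticed; `b == 0x109 ? SVM_EXIT_WBINVD : SVM_EXIT_INVD` names the case label it matches and is harder to get wrong. If the bit form is preferred, a comment on that line, `/* 0x108 = INVD, 0x109 = WBINVD */`, would serve the same purpose. disas_insn continues outside the hunk on both sides.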
@@ -0,0 +1,57 @@
+From ba1e022f06300e6dafc7e89a4f3fe756dc9691dd Mon Sep 17 00:00:00 2001
+From: JianChunfu
+Date: Wed, 20 Sep 2023 18:58:00 +0800
+Subject: [PATCH] target/ppc: Fix the order of kvm_enable judgment about
+ kvmppc_set_interrupt()
+
+It's unnecessary for non-KVM accelerators(TCG, for example),
+to call this function, so change the order of kvm_enable() judgment.
+The static inline function that returns -1 directly does not work
+in TCG's situation.
+
+Signed-off-by: JianChunfu
+---
+ hw/ppc/ppc.c | 8 ++++++--
+ target/ppc/kvm.c | 2 +-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/hw/ppc/ppc.c b/hw/ppc/ppc.c
+index e8127599c9..cf90ab7805 100644
+--- a/hw/ppc/ppc.c
++++ b/hw/ppc/ppc.c
+@@ -66,7 +66,9 @@ void ppc_set_irq(PowerPCCPU *cpu, int n_IRQ, int level)
+ }
+
+ if (old_pending != env->pending_interrupts) {
+- kvmppc_set_interrupt(cpu, n_IRQ, level);
++ if (kvm_enabled()) {
++ kvmppc_set_interrupt(cpu, irq, level);
++ }
+ }
+
+
+@@ -1461,5 +1463,7 @@ void ppc_irq_reset(PowerPCCPU *cpu)
+ CPUPPCState *env = &cpu->env;
+
+ env->irq_input_state = 0;
+- kvmppc_set_interrupt(cpu, PPC_INTERRUPT_EXT, 0);
++ if (kvm_enabled()) {
++ kvmppc_set_interrupt(cpu, PPC_INTERRUPT_EXT, 0);
++ }
+ }
+diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
+index d73563045b..397b1e902b 100644
+--- a/target/ppc/kvm.c
++++ b/target/ppc/kvm.c
+@@ -1323,7 +1323,7 @@ int kvmppc_set_interrupt(PowerPCCPU *cpu, int irq, int level)
+ return 0;
+ }
+
+- if (!kvm_enabled() || !cap_interrupt_unset) {
++ if (!cap_interrupt_unset) {
+ return 0;
+ }
+
+--
+2.41.0.windows.1
+
diff --git a/target-ppc-Fix-tlbie.patch b/target-ppc-Fix-tlbie.patch
new file mode 100644
index 0000000000000000000000000000000000000000..63d3ebb86b56b9728a236cf16f1ea092c0e9ae5d
--- /dev/null
+++ b/target-ppc-Fix-tlbie.patch
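Review bot: In ppc_set_irq the new call passes `irq`, but the hunk header shows the parameter is named `n_IRQ` and the removed line passed `n_IRQ`; unless a local `irq` is declared earlier in the function (not visible here), this does not compile, and `kvmppc_set_interrupt(cpu, n_IRQ, level);` inside the new `if (kvm_enabled())` block is the intended line. Dropping `!kvm_enabled()` from kvmppc_set_interrupt in target/ppc/kvm.c also moves that responsibility to every caller: the two callers in hw/ppc/ppc.c are updated, but any other caller would now reach `cap_interrupt_unset` and the KVM path under TCG, so the kvm.c function deserves a comment stating the new precondition, e.g. `/* Callers must check kvm_enabled() first. */`. Both ppc.c functions start outside the hunk.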
@@ -0,0 +1,47 @@
+From aba3dd63d054cd21054e295d5a9d493cb9d7a75f Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Tue, 26 Sep 2023 06:25:04 +0000
+Subject: [PATCH] target/ppc: Fix tlbie mainline inclusion commit
+ 4ddc104689b186c4e4ed30be59a54463501761cf category: bugfix
+
+---------------------------------------------------------------
+
+Commit 74c4912f097bab98 changed check_tlb_flush() to use
+tlb_flush_all_cpus_synced() instead of calling tlb_flush() on each
+CPU. However, as side effect of this, a CPU executing a ptesync
+after a tlbie will have its TLB flushed only after exiting its
+current Translation Block (TB).
+
+This causes memory accesses to invalid pages to succeed, if they
+happen to be on the same TB as the ptesync.
+
+To fix this, use tlb_flush_all_cpus() instead, that immediately
+flushes the TLB of the CPU executing the ptesync instruction.
+
+Fixes: 74c4912f097bab98 ("target/ppc: Fix synchronization of mttcg with broadcast TLB flushes")
+Signed-off-by: Leandro Lupori
+Reviewed-by: Fabiano Rosas
+Message-Id: <20220503163904.22575-1-leandro.lupori@eldorado.org.br>
+Signed-off-by: Daniel Henrique Barboza
+
+Signed-off-by: tangbinzy
+---
+ target/ppc/helper_regs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/ppc/helper_regs.c b/target/ppc/helper_regs.c
+index 99562edd57..e97d25e9ab 100644
+--- a/target/ppc/helper_regs.c
++++ b/target/ppc/helper_regs.c
+@@ -288,7 +288,7 @@ void check_tlb_flush(CPUPPCState *env, bool global)
+ if (global && (env->tlb_need_flush & TLB_NEED_GLOBAL_FLUSH)) {
+ env->tlb_need_flush &= ~TLB_NEED_GLOBAL_FLUSH;
+ env->tlb_need_flush &= ~TLB_NEED_LOCAL_FLUSH;
+- tlb_flush_all_cpus_synced(cs);
++ tlb_flush_all_cpus(cs);
+ return;
+ }
+
+--
+2.41.0.windows.1
+
diff --git a/tests-Fix-printf-format-string-in-acpi-utils.c.patch b/tests-Fix-printf-format-string-in-acpi-utils.c.patch
new file mode 100644
index 0000000000000000000000000000000000000000..063584b36f2c158d596eaba750ac11870cec6ca1
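Review bot: The switch to `tlb_flush_all_cpus(cs)` in check_tlb_flush is a deliberate choice of the non-synced variant, and without a note beside it the line reads like a regression of the earlier synchronization fix it partly reverses. Suggest a comment above the call: `/* Not the _synced variant: the flush must take effect within the current TB so a ptesync on this CPU cannot use a stale translation. */`, matching the commit message. check_tlb_flush starts outside the hunk.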
--- /dev/null +++ b/tests-Fix-printf-format-string-in-acpi-utils.c.patch @@ -0,0 +1,30 @@ +From 847becf4850bc244b140644cb577e17e5ba5e732 Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Thu, 26 Oct 2023 19:52:59 -0700 +Subject: [PATCH] tests: Fix printf format string in acpi-utils.c + +Inside of acpi_fetch_table() arguments are +printed via fprintf but '%d' is used to print @flags (of type +uint). Use '%u' instead. + +Signed-off-by: zhujun2 +--- + tests/qtest/acpi-utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/qtest/acpi-utils.c b/tests/qtest/acpi-utils.c +index 766c48e3a6..c6f5169b80 100644 +--- a/tests/qtest/acpi-utils.c ++++ b/tests/qtest/acpi-utils.c +@@ -103,7 +103,7 @@ void acpi_fetch_table(QTestState *qts, uint8_t **aml, uint32_t *aml_len, + char *fname = NULL; + GError *error = NULL; + +- fprintf(stderr, "Invalid '%.4s'(%d)\n", *aml, *aml_len); ++ fprintf(stderr, "Invalid '%.4s'(%u)\n", *aml, *aml_len); + fd = g_file_open_tmp("malformed-XXXXXX.dat", &fname, &error); + g_assert_no_error(error); + fprintf(stderr, "Dumping invalid table into '%s'\n", fname); +-- +2.41.0.windows.1 + diff --git a/tests-qtest-pflash-Clean-up-local-variable-shadowing.patch b/tests-qtest-pflash-Clean-up-local-variable-shadowing.patch new file mode 100644 index 0000000000000000000000000000000000000000..e33ee823b42036af2d8563e9fd81745e4594c80b --- /dev/null +++ b/tests-qtest-pflash-Clean-up-local-variable-shadowing.patch 
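Review bot: `%u` for `*aml_len` is correct wherever `uint32_t` is `unsigned int`, but the exact-width type has its own portable specifier; `fprintf(stderr, "Invalid '%.4s'(%" PRIu32 ")\n", *aml, *aml_len);` avoids relying on that equivalence. Minor, and acceptable as written if the rest of the file already uses `%u` for `uint32_t`. acpi_fetch_table begins outside the hunk.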
@@ -0,0 +1,45 @@ +From 42e516ba6969b8f61d7e5e45a4f48f257fecf8e1 Mon Sep 17 00:00:00 2001 +From: dinglimin_yewu +Date: Sat, 16 Sep 2023 17:56:31 +0800 +Subject: [PATCH] tests/qtest/pflash: Clean up local variable shadowing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cherry-pick from 82fdcd3e140c8d4c63f177ece554f90f2bccdf68 + +Fix: + + tests/qtest/pflash-cfi02-test.c: In function ‘test_geometry’: + tests/qtest/pflash-cfi02-test.c:409:22: warning: declaration of ‘byte_addr’ shadows a previous local [-Wshadow=compatible-local] + 409 | uint64_t byte_addr = (uint64_t)i * c->sector_len[region]; + | ^~~~~~~~~ + tests/qtest/pflash-cfi02-test.c:342:14: note: shadowed declaration is here + 342 | uint64_t byte_addr = 0; + | ^~~~~~~~~ + +Signed-off-by: Philippe Mathieu-Daudé +Message-ID: <20230904162824.85385-4-philmd@linaro.org> +Reviewed-by: Peter Maydell +Signed-off-by: Thomas Huth +Signed-off-by: dinglimin_yewu +--- + tests/qtest/pflash-cfi02-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/qtest/pflash-cfi02-test.c b/tests/qtest/pflash-cfi02-test.c +index 6168edc821..bd1f946fc0 100644 +--- a/tests/qtest/pflash-cfi02-test.c ++++ b/tests/qtest/pflash-cfi02-test.c +@@ -406,7 +406,7 @@ static void test_geometry(const void *opaque) + + for (int region = 0; region < nb_erase_regions; ++region) { + for (uint32_t i = 0; i < c->nb_blocs[region]; ++i) { +- uint64_t byte_addr = (uint64_t)i * c->sector_len[region]; ++ byte_addr = (uint64_t)i * c->sector_len[region]; + g_assert_cmphex(flash_read(c, byte_addr), ==, bank_mask(c)); + } + } +-- +2.41.0.windows.1 + diff --git a/thread-pool-optimize-scheduling-of-completion-bottom.patch b/thread-pool-optimize-scheduling-of-completion-bottom.patch new file mode 100644 index 0000000000000000000000000000000000000000..cd24a4ee963a6e36db6bfce81b671b57c11b01b1 --- /dev/null +++ b/thread-pool-optimize-scheduling-of-completion-bottom.patch 
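Review bot: Reusing the outer `byte_addr` inside the nested loop means that after the loops it holds the last sector address computed here rather than whatever value it had before; if any later statement in test_geometry reads `byte_addr` expecting the earlier value (its declaration at the top of the function is outside the hunk), the shadowing fix changes the test's behavior. If it is only scratch from here on, a comment such as `/* byte_addr is reused as scratch from here on */` makes that explicit; otherwise renaming the loop variable (e.g. `uint64_t sector_addr`) clears the warning without aliasing the outer variable.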
@@ -0,0 +1,45 @@
+From c84bb01c0c56cadb70a95c874b32ed85b8177504 Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Tue, 26 Sep 2023 06:41:50 +0000
+Subject: [PATCH] thread-pool: optimize scheduling of completion bottom half
+ mainline inclusion commit 3c7b72ddca9ce85a9d1e8a98fd0996b74597b5ae category:
+ bugfix
+
+---------------------------------------------------------------
+
+The completion bottom half was scheduled within the pool->lock
+critical section. That actually results in worse performance,
+because the worker thread can run its own small critical section
+and go to sleep before the bottom half starts running.
+
+Note that this simple change does not produce an improvement without
+changing the thread pool QemuSemaphore to a condition variable.
+
+Reviewed-by: Stefan Hajnoczi
+Reviewed-by: Nicolas Saenz Julienne
+Message-Id: <20220514065012.1149539-2-pbonzini@redhat.com>
+Signed-off-by: Paolo Bonzini
+
+Signed-off-by: tangbinzy
+---
+ util/thread-pool.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/util/thread-pool.c b/util/thread-pool.c
+index d763cea505..7e9e2c178b 100644
+--- a/util/thread-pool.c
++++ b/util/thread-pool.c
+@@ -108,9 +108,8 @@ static void *worker_thread(void *opaque)
+ smp_wmb();
+ req->state = THREAD_DONE;
+ 
+- qemu_mutex_lock(&pool->lock);
+-
+ qemu_bh_schedule(pool->completion_bh);
++ qemu_mutex_lock(&pool->lock);
+ }
+ 
+ pool->cur_threads--;
+-- 
+2.41.0.windows.1
+
diff --git a/tulip-Assign-default-MAC-address-if-not-specified.patch b/tulip-Assign-default-MAC-address-if-not-specified.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5bf830823626516e81edb9e6b9fd81c70993bf32
--- /dev/null
+++ b/tulip-Assign-default-MAC-address-if-not-specified.patch
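Review bot: The backport metadata ("mainline inclusion / commit … / category: bugfix") was placed directly under the Subject: line with no blank line, so it was folded into the subject as header continuation lines (`+ mainline inclusion commit … category:` and `+ bugfix`); applied with git am, the commit title will end in "… category: bugfix". The tulip patch in the next hunk has the same folding. Separately, the description itself states this reorder gives no improvement unless the thread pool's QemuSemaphore is replaced by a condition variable, so the follow-up commit from that series should be part of this backport set or this patch is at best a no-op. On the code, `smp_wmb()` and `req->state = THREAD_DONE` still precede the now-unlocked `qemu_bh_schedule(pool->completion_bh)`, so the store order visible in the hunk is unchanged. worker_thread starts and ends outside the hunk.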
@@ -0,0 +1,58 @@
+From 78b2167f1e2fadb4de930bf51c699247031c8880 Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Mon, 4 Sep 2023 08:27:33 +0000
+Subject: [PATCH] tulip: Assign default MAC address if not specified mainline
+ inclusion commit 052c2579b89b0d87debe8b05594b5180f0fde87d category: bugfix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---------------------------------------------------------------
+
+The MAC of the tulip card is stored in the EEPROM and at startup
+tulip_fill_eeprom() is called to initialize the EEPROM with the MAC
+address given on the command line, e.g.:
+ -device tulip,mac=00:11:22:33:44:55
+
+In case the mac address was not given on the command line,
+tulip_fill_eeprom() initializes the MAC in EEPROM with 00:00:00:00:00:00
+which breaks e.g. a HP-UX guest.
+
+Fix this problem by moving qemu_macaddr_default_if_unset() a few lines
+up, so that a default mac address is assigned before tulip_fill_eeprom()
+initializes the EEPROM.
+
+Signed-off-by: Helge Deller
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Jason Wang
+
+Signed-off-by: tangbinzy
+---
+ hw/net/tulip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/tulip.c b/hw/net/tulip.c
+index 5f8badefca..b9e42c322a 100644
+--- a/hw/net/tulip.c
++++ b/hw/net/tulip.c
+@@ -967,6 +967,8 @@ static void pci_tulip_realize(PCIDevice *pci_dev, Error **errp)
+ pci_conf = s->dev.config;
+ pci_conf[PCI_INTERRUPT_PIN] = 1; /* interrupt pin A */
+ 
++ qemu_macaddr_default_if_unset(&s->c.macaddr);
++
+ s->eeprom = eeprom93xx_new(&pci_dev->qdev, 64);
+ tulip_fill_eeprom(s);
+ 
+@@ -981,8 +983,6 @@ static void pci_tulip_realize(PCIDevice *pci_dev, Error **errp)
+ 
+ s->irq = pci_allocate_irq(&s->dev);
+ 
+- qemu_macaddr_default_if_unset(&s->c.macaddr);
+-
+ s->nic = qemu_new_nic(&net_tulip_info, &s->c,
+ object_get_typename(OBJECT(pci_dev)),
+ pci_dev->qdev.id, s);
+-- 
+2.41.0.windows.1
+
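Review bot: The moved `qemu_macaddr_default_if_unset(&s->c.macaddr)` call carries no comment saying why it must sit before `tulip_fill_eeprom(s)`, so a later reorder would quietly bring back the all-zero EEPROM MAC the description reports; suggest `/* Must precede tulip_fill_eeprom(): the EEPROM image is built from s->c.macaddr */` on the added line. That ordering requirement currently lives only in the commit message, which the source file will not carry. pci_tulip_realize continues outside both hunks.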
diff --git a/ui-fix-crash-when-there-are-no-active_console.patch b/ui-fix-crash-when-there-are-no-active_console.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0ed65946770fc864a1ebd499ef6bafa1e8163b3b
--- /dev/null
+++ b/ui-fix-crash-when-there-are-no-active_console.patch
@@ -0,0 +1,42 @@
+From 89fda5a4410099a317bd1fcef56b130d6d97a2b5 Mon Sep 17 00:00:00 2001
+From: dinglimin_yewu
+Date: Sat, 16 Sep 2023 17:41:07 +0800
+Subject: [PATCH] ui: fix crash when there are no active_console
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry-pick from 48a35e12faf90a896c5aa4755812201e00d60316
+
+Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
+0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
+812 return con->hw_ops->ui_info != NULL;
+(gdb) bt
+
+Fixes:
+https://issues.redhat.com/browse/RHEL-2600
+
+Signed-off-by: Marc-André Lureau
+Reviewed-by: Albert Esteve
+Signed-off-by: dinglimin_yewu
+---
+ ui/console.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ui/console.c b/ui/console.c
+index 29a3e3f0f5..d22c3def20 100644
+--- a/ui/console.c
++++ b/ui/console.c
+@@ -1526,6 +1526,9 @@ bool dpy_ui_info_supported(QemuConsole *con)
+ con = active_console;
+ }
+ 
++ if (con == NULL) {
++ return false;
++ }
+ return con->hw_ops->ui_info != NULL;
+ }
+ 
+-- 
+2.41.0.windows.1
+
diff --git a/ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch b/ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ceb609cf569c7cfb25e88cb626980bfddbf71cba
--- /dev/null
+++ b/ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch
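Review bot: The new guard has no comment saying when `con` can still be NULL after the `con = active_console` fallback, so the early return reads like dead code to the next maintainer; suggest `/* no console exists at all (active_console is NULL): nothing can support ui_info */` above the `if`. The trace in the description shows the NULL reaching `con->hw_ops` on the very next line, so the check is placed correctly. Other dpy_* helpers that use the same active_console fallback may need the same guard, but they are not visible from this hunk. dpy_ui_info_supported starts outside the hunk.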
@@ -0,0 +1,58 @@
+From 2858029a5dbdd3fab73b1884e296daa3f3f0b1a1 Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella
+Date: Tue, 4 Jul 2023 10:41:22 +0200
+Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer
+ (CVE-2023-3255)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A wrong exit condition may lead to an infinite loop when inflating a
+valid zlib buffer containing some extra bytes in the `inflate_buffer`
+function. The bug only occurs post-authentication. Return the buffer
+immediately if the end of the compressed data has been reached
+(Z_STREAM_END).
+
+Fixes: CVE-2023-3255
+Fixes: 0bf41cab ("ui/vnc: clipboard support")
+Reported-by: Kevin Denis
+Signed-off-by: Mauro Matteo Cascella
+Reviewed-by: Marc-André Lureau
+Tested-by: Marc-André Lureau
+Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
+---
+ ui/vnc-clipboard.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
+index 67284b556c..c84599cfdb 100644
+--- a/ui/vnc-clipboard.c
++++ b/ui/vnc-clipboard.c
+@@ -51,8 +51,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
+ ret = inflate(&stream, Z_FINISH);
+ switch (ret) {
+ case Z_OK:
+- case Z_STREAM_END:
+ break;
++ case Z_STREAM_END:
++ *size = stream.total_out;
++ inflateEnd(&stream);
++ return out;
+ case Z_BUF_ERROR:
+ out_len <<= 1;
+ if (out_len > (1 << 20)) {
+@@ -67,11 +70,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
+ }
+ }
+ 
+- *size = stream.total_out;
+- inflateEnd(&stream);
+-
+- return out;
+-
+ err_end:
+ inflateEnd(&stream);
+ err:
+-- 
+2.41.0.windows.1
+
diff --git a/vhost-user-fs-Back-up-vqs-before-cleaning-up-vhost_d.patch b/vhost-user-fs-Back-up-vqs-before-cleaning-up-vhost_d.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3d9f4c575026e47dc712786fbb069fccea62c36c
--- /dev/null
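Review bot: With the early return on Z_STREAM_END, any input bytes left after the end of the deflate stream (`stream.avail_in != 0`) are accepted without comment; that is what the description intends, but since this is client-supplied clipboard data the tolerance should be visibly deliberate, e.g. `/* trailing bytes after the stream end are ignored */` on the new `return out;`. Note also that the post-loop `*size = …; return out;` path is gone, so if the loop header (outside the hunk) can terminate without ever seeing Z_STREAM_END, control now falls into `err_end`, presumably the failure return, instead of handing back a partial buffer — a reasonable outcome for a truncated stream, but not mentioned in the description. The `out_len > (1 << 20)` cap on the Z_BUF_ERROR path still bounds memory growth. inflate_buffer starts and continues outside the hunks.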
+++ b/vhost-user-fs-Back-up-vqs-before-cleaning-up-vhost_d.patch
@@ -0,0 +1,43 @@
+From d48beee81ba11b6bc5151f4f882a9fe2ff9b1d2c Mon Sep 17 00:00:00 2001
+From: dinglimin_yewu
+Date: Thu, 28 Sep 2023 16:07:30 +0800
+Subject: [PATCH] vhost-user-fs: Back up vqs before cleaning up vhost_dev
+
+cheery-pick from 331acddc87b739c64b936ba4e58518f8491f1c6b
+
+vhost_dev_cleanup() clears vhost_dev so back up its vqs member to free the memory pointed by the member.
+
+Fixes: 98fc1ada4c ("virtio: add vhost-user-fs base device")
+Signed-off-by: Akihiko Odaki
+Signed-off-by: Stefan Hajnoczi
+Message-Id: <20230130140225.77964-1-akihiko.odaki at daynix.com>
+Signed-off-by: dinglimin_yewu
+---
+ hw/virtio/vhost-user-fs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/virtio/vhost-user-fs.c b/hw/virtio/vhost-user-fs.c
+index c595957983..fc7dcc96ef 100644
+--- a/hw/virtio/vhost-user-fs.c
++++ b/hw/virtio/vhost-user-fs.c
+@@ -258,6 +258,7 @@ static void vuf_device_unrealize(DeviceState *dev)
+ {
+ VirtIODevice *vdev = VIRTIO_DEVICE(dev);
+ VHostUserFS *fs = VHOST_USER_FS(dev);
++ struct vhost_virtqueue *vhost_vqs = fs->vhost_dev.vqs;
+ int i;
+ 
+ /* This will stop vhost backend if appropriate. */
+@@ -273,8 +274,7 @@ static void vuf_device_unrealize(DeviceState *dev)
+ }
+ g_free(fs->req_vqs);
+ virtio_cleanup(vdev);
+- g_free(fs->vhost_dev.vqs);
+- fs->vhost_dev.vqs = NULL;
++ g_free(vhost_vqs);
+ }
+ 
+ static const VMStateDescription vuf_vmstate = {
+-- 
+2.41.0.windows.1
+
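Review bot: The backup `vhost_vqs` is taken at function entry, which is only correct if nothing between there and `g_free(vhost_vqs)` replaces `fs->vhost_dev.vqs`; the vhost_dev_cleanup() call the description refers to lies between the two hunks and is not visible, so that ordering is inferred. A comment on the new declaration would make the dependency explicit: `/* vhost_dev_cleanup() zeroes fs->vhost_dev, so keep the vqs pointer to free it afterwards */`. Dropping the `fs->vhost_dev.vqs = NULL` store is consistent with the description's statement that vhost_dev_cleanup() clears the whole struct. vuf_device_unrealize continues between the hunks.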