diff --git a/artist-set-memory-region-owners-for-buffers-to-the-a.patch b/artist-set-memory-region-owners-for-buffers-to-the-a.patch new file mode 100644 index 0000000000000000000000000000000000000000..4513e1e242c3ee0789b7c1facf98726a4d105285 --- /dev/null +++ b/artist-set-memory-region-owners-for-buffers-to-the-a.patch @@ -0,0 +1,37 @@ +From db2e1d340763e23180e4709e4ddf33390f2e49ea Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Fri, 17 Nov 2023 09:00:01 +0000 +Subject: [PATCH] artist: set memory region owners for buffers to the artist + device mainline inclusion commit 39fbaeca096a9bf6cbe2af88572c1cb2aa62aa8c + category: bugfix + +--------------------------------------------------------------- + +This fixes the output of "info qom-tree" so that the buffers appear as children +of the artist device, rather than underneath the "unattached" container. + +Signed-off-by: Mark Cave-Ayland +Message-Id: <20220624160839.886649-1-mark.cave-ayland@ilande.co.uk> +Reviewed-by: Helge Deller + +Signed-off-by: tangbinzy +--- + hw/display/artist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/display/artist.c b/hw/display/artist.c +index 21b7fd1b44..1767203477 100644 +--- a/hw/display/artist.c ++++ b/hw/display/artist.c +@@ -1359,7 +1359,7 @@ static void artist_create_buffer(ARTISTState *s, const char *name, + { + struct vram_buffer *buf = s->vram_buffer + idx; + +- memory_region_init_ram(&buf->mr, NULL, name, width * height, ++ memory_region_init_ram(&buf->mr, OBJECT(s), name, width * height, + &error_fatal); + memory_region_add_subregion_overlap(&s->mem_as_root, *offset, &buf->mr, 0); + +-- +2.27.0 + diff --git a/e1000-set-RX-descriptor-status-in-a-separate-operati.patch b/e1000-set-RX-descriptor-status-in-a-separate-operati.patch new file mode 100644 index 0000000000000000000000000000000000000000..ffa0f9654e24dbee18add738aead20bf835d4adc --- /dev/null +++ b/e1000-set-RX-descriptor-status-in-a-separate-operati.patch 
@@ -0,0 +1,89 @@ +From dcebeb0f7acf549620faff1badf73baba04b2068 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Fri, 17 Nov 2023 10:15:09 +0000 +Subject: [PATCH] e1000: set RX descriptor status in a separate operation + mainline inclusion commit 034d00d4858161e1d4cff82d8d230bce874a04d3 category: + bugfix + +--------------------------------------------------------------- + +The code of setting RX descriptor status field maybe work fine in +previously, however with the update of glibc version, it shows two +issues when guest using dpdk receive packets: + + 1. The dpdk has a certain probability getting wrong buffer_addr + + this impact may be not obvious, such as lost a packet once in + a while + + 2. The dpdk may consume a packet twice when scan the RX desc queue + over again + + this impact will lead a infinite wait in Qemu, since the RDT + (tail pointer) be inscreased to equal to RDH by unexpected, + which regard as the RX desc queue is full + +Write a whole of RX desc with DD flag on is not quite correct, because +when the underlying implementation of memcpy using XMM registers to +copy e1000_rx_desc (when AVX or something else CPU feature is usable), +the bytes order of desc writing to memory is indeterminacy + +We can use full-scale test case to reproduce the issue-2 by +https://github.com/BASM/qemu_dpdk_e1000_test (thanks to Leonid Myravjev) + +I also write a POC test case at https://github.com/cdkey/e1000_poc +which can reproduce both of them, and easy to verify the patch effect. + +The hw watchpoint also shows that, when Qemu using XMM related instructions +writing 16 bytes e1000_rx_desc, concurrent with DPDK using movb +writing 1 byte status, the final result of writing to memory will be one +of them, if it made by Qemu which DD flag is on, DPDK will consume it +again. + +Setting DD status in a separate operation, can prevent the impact of +disorder memory writing by memcpy, also avoid unexpected data when +concurrent writing status by qemu and guest dpdk. 
+ +Links: https://lore.kernel.org/qemu-devel/20200102110504.GG121208@stefanha-x1.localdomain/T/ + +Reported-by: Leonid Myravjev +Cc: Stefan Hajnoczi +Cc: Paolo Bonzini +Cc: Michael S. Tsirkin +Cc: qemu-stable@nongnu.org +Tested-by: Jing Zhang +Reviewed-by: Frank Lee +Signed-off-by: Ding Hui +Signed-off-by: Jason Wang + +Signed-off-by: tangbinzy +--- + hw/net/e1000.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index f5bc81296d..e26e0a64c1 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -979,7 +979,7 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt) + base = rx_desc_base(s) + sizeof(desc) * s->mac_reg[RDH]; + pci_dma_read(d, base, &desc, sizeof(desc)); + desc.special = vlan_special; +- desc.status |= (vlan_status | E1000_RXD_STAT_DD); ++ desc.status &= ~E1000_RXD_STAT_DD; + if (desc.buffer_addr) { + if (desc_offset < size) { + size_t iov_copy; +@@ -1013,6 +1013,9 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt) + DBGOUT(RX, "Null RX descriptor!!\n"); + } + pci_dma_write(d, base, &desc, sizeof(desc)); ++ desc.status |= (vlan_status | E1000_RXD_STAT_DD); ++ pci_dma_write(d, base + offsetof(struct e1000_rx_desc, status), ++ &desc.status, sizeof(desc.status)); + + if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) + s->mac_reg[RDH] = 0; +-- +2.27.0 + diff --git a/hw-arm-fsl-imx-Do-not-ignore-Error-argument.patch b/hw-arm-fsl-imx-Do-not-ignore-Error-argument.patch new file mode 100644 index 0000000000000000000000000000000000000000..8cc37891158df31ef5a281fba9921968b07ecd59 --- /dev/null +++ b/hw-arm-fsl-imx-Do-not-ignore-Error-argument.patch 
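Review bot: The new two-step descriptor write in e1000_receive_iov has no in-code comment explaining why `desc.status` is first cleared of DD before the full `pci_dma_write` and then written again on its own; the reasoning (a wide memcpy can land out of order and clobber a guest byte-write to status) lives only in the commit message and will be invisible to readers of the file. I would put above the second `pci_dma_write` something like `/* Publish DD last, as a separate byte-sized write: the guest must never see DD on a descriptor whose other fields are not yet in memory, and a wider write here could race with the guest's own byte write to status */`. Note that the first write still carries whatever non-DD status bits were read back from the guest descriptor; that is only right if those bits are guest-owned, which the hunk does not show. The enclosing function starts and ends outside the hunk.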
@@ -0,0 +1,62 @@ +From 81c2b665d9ea6670677f35aa1ab2ad68d6e73aa4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Mon, 20 Nov 2023 12:51:15 +0100 +Subject: [PATCH] hw/arm/fsl-imx: Do not ignore Error argument +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +mainline inclusion +commit 0cbb56c236a4a28f5149eed227d74bb737321cfc +category: bugfix + +-------------------------------------------------------- + +Both i.MX25 and i.MX6 SoC models ignore the Error argument when +setting the PHY number. Pick &error_abort which is the error +used by the i.MX7 SoC (see commit 1f7197deb0 "ability to change +the FEC PHY on i.MX7 processor"). + +Fixes: 74c1330582 ("ability to change the FEC PHY on i.MX25 processor") +Fixes: a9c167a3c4 ("ability to change the FEC PHY on i.MX6 processor") +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20231120115116.76858-1-philmd@linaro.org +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell +Signed-off-by: zhujun2 +--- + hw/arm/fsl-imx25.c | 3 ++- + hw/arm/fsl-imx6.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/hw/arm/fsl-imx25.c b/hw/arm/fsl-imx25.c +index 24c4374590..9aabbf7f58 100644 +--- a/hw/arm/fsl-imx25.c ++++ b/hw/arm/fsl-imx25.c +@@ -169,7 +169,8 @@ static void fsl_imx25_realize(DeviceState *dev, Error **errp) + epit_table[i].irq)); + } + +- object_property_set_uint(OBJECT(&s->fec), "phy-num", s->phy_num, &err); ++ object_property_set_uint(OBJECT(&s->fec), "phy-num", s->phy_num, ++ &error_abort); + qdev_set_nic_properties(DEVICE(&s->fec), &nd_table[0]); + + if (!sysbus_realize(SYS_BUS_DEVICE(&s->fec), errp)) { +diff --git a/hw/arm/fsl-imx6.c b/hw/arm/fsl-imx6.c +index 00dafe3f62..c4b95dc7a7 100644 +--- a/hw/arm/fsl-imx6.c ++++ b/hw/arm/fsl-imx6.c +@@ -377,7 +377,8 @@ static void fsl_imx6_realize(DeviceState *dev, Error **errp) + spi_table[i].irq)); + } + +- object_property_set_uint(OBJECT(&s->eth), "phy-num", s->phy_num, 
&err); ++ object_property_set_uint(OBJECT(&s->eth), "phy-num", s->phy_num, ++ &error_abort); + qdev_set_nic_properties(DEVICE(&s->eth), &nd_table[0]); + if (!sysbus_realize(SYS_BUS_DEVICE(&s->eth), errp)) { + return; +-- +2.27.0 + diff --git a/hw-net-cadence_gem.c-spelling-fixes-Octects.patch b/hw-net-cadence_gem.c-spelling-fixes-Octects.patch new file mode 100644 index 0000000000000000000000000000000000000000..31ebc99f4cd161bfdaed64a15f4e8621061da394 --- /dev/null +++ b/hw-net-cadence_gem.c-spelling-fixes-Octects.patch 
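Review bot: After switching the `phy-num` property set in fsl_imx25_realize and fsl_imx6_realize to `&error_abort`, the local `err` that the removed lines used has no remaining use visible in either hunk; if it is not referenced elsewhere in these functions (both start and end outside the hunks) it is now an unused variable and its declaration should go as well. The abort is only appropriate because setting a plain integer property on a not-yet-realized child cannot fail; if `phy-num` ever gains validation, a user-supplied value would turn into a process abort instead of an error returned through `errp`. A one-line comment such as `/* plain property on an unrealized child: cannot fail */` would record that assumption at the call site.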
@@ -0,0 +1,39 @@ +From 2e37d6ac7713c9962cb006900d18e83df54e8e0f Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Fri, 24 Nov 2023 00:21:31 -0800 +Subject: [PATCH] hw/net/cadence_gem.c: spelling fixes: Octects + +Signed-off-by: zhujun2 +--- + hw/net/cadence_gem.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c +index 24b3a0ff66..21e1bd091f 100644 +--- a/hw/net/cadence_gem.c ++++ b/hw/net/cadence_gem.c +@@ -81,8 +81,8 @@ + #define GEM_IPGSTRETCH (0x000000BC / 4) /* IPG Stretch reg */ + #define GEM_SVLAN (0x000000C0 / 4) /* Stacked VLAN reg */ + #define GEM_MODID (0x000000FC / 4) /* Module ID reg */ +-#define GEM_OCTTXLO (0x00000100 / 4) /* Octects transmitted Low reg */ +-#define GEM_OCTTXHI (0x00000104 / 4) /* Octects transmitted High reg */ ++#define GEM_OCTTXLO (0x00000100 / 4) /* Octets transmitted Low reg */ ++#define GEM_OCTTXHI (0x00000104 / 4) /* Octets transmitted High reg */ + #define GEM_TXCNT (0x00000108 / 4) /* Error-free Frames transmitted */ + #define GEM_TXBCNT (0x0000010C / 4) /* Error-free Broadcast Frames */ + #define GEM_TXMCNT (0x00000110 / 4) /* Error-free Multicast Frame */ +@@ -101,8 +101,8 @@ + #define GEM_LATECOLLCNT (0x00000144 / 4) /* Late Collision Frames */ + #define GEM_DEFERTXCNT (0x00000148 / 4) /* Deferred Transmission Frames */ + #define GEM_CSENSECNT (0x0000014C / 4) /* Carrier Sense Error Counter */ +-#define GEM_OCTRXLO (0x00000150 / 4) /* Octects Received register Low */ +-#define GEM_OCTRXHI (0x00000154 / 4) /* Octects Received register High */ ++#define GEM_OCTRXLO (0x00000150 / 4) /* Octets Received register Low */ ++#define GEM_OCTRXHI (0x00000154 / 4) /* Octets Received register High */ + #define GEM_RXCNT (0x00000158 / 4) /* Error-free Frames Received */ + #define GEM_RXBROADCNT (0x0000015C / 4) /* Error-free Broadcast Frames RX */ + #define GEM_RXMULTICNT (0x00000160 / 4) /* Error-free Multicast Frames RX */ +-- +2.27.0 + 
diff --git a/hw-pvrdma-Protect-against-buggy-or-malicious-guest-driver.patch b/hw-pvrdma-Protect-against-buggy-or-malicious-guest-driver.patch new file mode 100644 index 0000000000000000000000000000000000000000..edc0d62fcecfeb7f5746ceaeb5ac7a98d34186ee --- /dev/null +++ b/hw-pvrdma-Protect-against-buggy-or-malicious-guest-driver.patch 
@@ -0,0 +1,65 @@ +From 6532f02449e7a001bc74ea43690d6e1a87a7e3fc Mon Sep 17 00:00:00 2001 +From: Yuval Shaia +Date: Wed, 1 Mar 2023 16:29:26 +0200 +Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver + +Guest driver allocates and initialize page tables to be used as a ring +of descriptors for CQ and async events. +The page table that represents the ring, along with the number of pages +in the page table is passed to the device. +Currently our device supports only one page table for a ring. + +Let's make sure that the number of page table entries the driver +reports, do not exceeds the one page table size. + +Reported-by: Soul Chen +Signed-off-by: Yuval Shaia +Fixes: CVE-2023-1544 +Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com> +Signed-off-by: Thomas Huth +--- + hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 91206dbb8e..f99b12a592 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, + dma_addr_t dir_addr, uint32_t num_pages) + { + uint64_t *dir, *tbl; +- int rc = 0; ++ int max_pages, rc = 0; + + if (!num_pages) { + rdma_error_report("Ring pages count must be strictly positive"); + return -EINVAL; + } + ++ /* ++ * Make sure we can satisfy the requested number of pages in a single ++ * TARGET_PAGE_SIZE sized page table (taking into account that first entry ++ * is reserved for ring-state) ++ */ ++ max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1; ++ if (num_pages > max_pages) { ++ rdma_error_report("Maximum pages on a single directory must not exceed %d\n", ++ max_pages); ++ return -EINVAL; ++ } ++ + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); + if (!dir) { + rdma_error_report("Failed to map to page directory (ring %s)", name); + rc = -ENOMEM; + goto out; + } ++ ++ /* We 
support only one page table for a ring */ + tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE); + if (!tbl) { + rdma_error_report("Failed to map to page table (ring %s)", name); +-- +2.27.0 + diff --git a/hw-timer-npcm7xx_timer-Prevent-timer-from-counting-d.patch b/hw-timer-npcm7xx_timer-Prevent-timer-from-counting-d.patch new file mode 100644 index 0000000000000000000000000000000000000000..c554bb4c3e77d88c4224611962cacc7936e2b478 --- /dev/null +++ b/hw-timer-npcm7xx_timer-Prevent-timer-from-counting-d.patch @@ -0,0 +1,38 @@ +From 7f5cf2958ee5d178d058470031b96a82d3002a5c Mon Sep 17 00:00:00 2001 +From: qihao +Date: Wed, 1 Nov 2023 19:00:34 +0800 +Subject: [PATCH] hw/timer/npcm7xx_timer: Prevent timer from counting down past + zero + +cheery-pick from 9ef2629712680e70cbf39d8b6cb1ec0e0e2e72fa + +The counter register is only 24-bits and counts down. If the timer is +running but the qtimer to reset it hasn't fired off yet, there is a chance +the regster read can return an invalid result. + +Signed-off-by: Chris Rauer +Message-id: 20230922181411.2697135-1-crauer@google.com +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell +Signed-off-by: qihao_yewu +--- + hw/timer/npcm7xx_timer.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/timer/npcm7xx_timer.c b/hw/timer/npcm7xx_timer.c +index 32f5e021f8..a8bd93aeb2 100644 +--- a/hw/timer/npcm7xx_timer.c ++++ b/hw/timer/npcm7xx_timer.c +@@ -138,6 +138,9 @@ static int64_t npcm7xx_timer_count_to_ns(NPCM7xxTimer *t, uint32_t count) + /* Convert a time interval in nanoseconds to a timer cycle count. */ + static uint32_t npcm7xx_timer_ns_to_count(NPCM7xxTimer *t, int64_t ns) + { ++ if (ns < 0) { ++ return 0; ++ } + return clock_ns_to_ticks(t->ctrl->clock, ns) / + npcm7xx_tcsr_prescaler(t->tcsr); + } +-- +2.27.0 + 
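Review bot: `max_pages` in init_dev_ring is declared `int` although `num_pages` is `uint32_t` and the expression `TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1` is `size_t`, so the assignment narrows and `num_pages > max_pages` compares mixed signedness; declaring `uint32_t max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1;` (leaving `int rc = 0;` on its own) and printing it with `%u` keeps the types aligned. The new `rdma_error_report` message also ends in `\n` while the sibling calls in the same function (`"Ring pages count must be strictly positive"`, `"Failed to map to page directory (ring %s)"`) do not, which will emit a blank line if the helper appends its own newline. The bound itself is the right one for a single directory page whose first slot holds the ring state. The enclosing function continues past the hunk.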
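Review bot: The new `if (ns < 0) { return 0; }` guard in npcm7xx_timer_ns_to_count carries no comment on how a negative interval reaches this function or why zero is the right answer, and the commit message only alludes to it. I would add above the guard `/* The qtimer that reloads the counter may not have fired yet when the register is read, so the remaining interval can be negative; clamp to zero instead of passing it to clock_ns_to_ticks, which takes an unsigned count */` — the clause about the clock API is my reading of it and should be confirmed. If clock_ns_to_ticks returns a 64-bit count, the division result is also silently truncated to the uint32_t return type, which is presumably fine for a 24-bit counter but deserves a word too.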
diff --git a/hw-usb-hcd-ehci-fix-writeback-order.patch b/hw-usb-hcd-ehci-fix-writeback-order.patch new file mode 100644 index 0000000000000000000000000000000000000000..8d0d61187c5bacca8ad56d6815f153f2fcd73cc3 --- /dev/null +++ b/hw-usb-hcd-ehci-fix-writeback-order.patch 
@@ -0,0 +1,64 @@ +From fc52088f7aa8a1be3b3c7d135a2aebd28ba4c673 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 6 Nov 2023 06:57:46 +0000 +Subject: [PATCH] hw/usb/hcd-ehci: fix writeback order mainline inclusion + commit f471e8b060798f26a7fc339c6152f82f22a7b33d category: bugfix + +--------------------------------------------------------------- + +The 'active' bit passes control over a qTD between the guest and the +controller: set to 1 by guest to enable execution by the controller, +and the controller sets it to '0' to hand back control to the guest. + +ehci_state_writeback write two dwords to main memory using DMA: +the third dword of the qTD (containing dt, total bytes to transfer, +cpage, cerr and status) and the fourth dword of the qTD (containing +the offset). + +This commit makes sure the fourth dword is written before the third, +avoiding a race condition where a new offset written into the qTD +by the guest after it observed the status going to go to '0' gets +overwritten by a 'late' DMA writeback of the previous offset. + +This race condition could lead to 'cpage out of range (5)' errors, +and reproduced by: + +./qemu-system-x86_64 -enable-kvm -bios $SEABIOS/bios.bin -m 4096 -device usb-ehci -blockdev driver=file,read-only=on,filename=/home/aengelen/Downloads/openSUSE-Tumbleweed-DVD-i586-Snapshot20220428-Media.iso,node-name=iso -device usb-storage,drive=iso,bootindex=0 -chardev pipe,id=shell,path=/tmp/pipe -device virtio-serial -device virtconsole,chardev=shell -device virtio-rng-pci -serial mon:stdio -nographic + +(press a key, select 'Installation' (2), and accept the default +values. On my machine the 'cpage out of range' is reproduced while +loading the Linux Kernel about once per 7 attempts. 
With the fix in +this commit it no longer fails) + +This problem was previously reported as a seabios problem in +https://mail.coreboot.org/hyperkitty/list/seabios@seabios.org/thread/OUTHT5ISSQJGXPNTUPY3O5E5EPZJCHM3/ +and as a nixos CI build failure in +https://github.com/NixOS/nixpkgs/issues/170803 + +Signed-off-by: Arnout Engelen +Signed-off-by: Gerd Hoffmann + +Signed-off-by: tangbinzy +--- + hw/usb/hcd-ehci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index 0289b3696d..f9aa567f5d 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -2013,7 +2013,10 @@ static int ehci_state_writeback(EHCIQueue *q) + ehci_trace_qtd(q, NLPTR_GET(p->qtdaddr), (EHCIqtd *) &q->qh.next_qtd); + qtd = (uint32_t *) &q->qh.next_qtd; + addr = NLPTR_GET(p->qtdaddr); +- put_dwords(q->ehci, addr + 2 * sizeof(uint32_t), qtd + 2, 2); ++ /* First write back the offset */ ++ put_dwords(q->ehci, addr + 3 * sizeof(uint32_t), qtd + 3, 1); ++ /* Then write back the token, clearing the 'active' bit */ ++ put_dwords(q->ehci, addr + 2 * sizeof(uint32_t), qtd + 2, 1); + ehci_free_packet(p); + + /* +-- +2.27.0 + diff --git a/io_uring-fix-short-read-slow-path.patch b/io_uring-fix-short-read-slow-path.patch new file mode 100644 index 0000000000000000000000000000000000000000..9a0722beb2f4a32655549749a363682f286c6126 --- /dev/null +++ b/io_uring-fix-short-read-slow-path.patch 
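Review bot: The two comments added in ehci_state_writeback say in what order the dwords are written but not why, so a future reader may well merge the two `put_dwords` calls back into one and reintroduce the race. I would extend the first one to `/* First write back the offset: once the guest sees 'active' clear in the token it may refill the qTD, so the offset must already be in memory by then */`. Expressing the offsets through the qTD field layout rather than the bare `2 *`/`3 * sizeof(uint32_t)` and `qtd + 2`/`qtd + 3` would also make the dependency on the dword positions visible. The enclosing function starts and ends outside the hunk.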
@@ -0,0 +1,55 @@ +From 78cb2c9c218155d048e566c5ac6d59961703b5d3 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Tue, 21 Nov 2023 06:14:40 +0000 +Subject: [PATCH] io_uring: fix short read slow path mainline inclusion commit + c06fc7ce147e57ab493bad9263f1601b8298484b category: bugfix + +--------------------------------------------------------------- + +sqeq.off here is the offset to read within the disk image, so obviously +not 'nread' (the amount we just read), but as the author meant to write +its current value incremented by the amount we just read. + +Normally recent versions of linux will not issue short reads, +but it can happen so we should fix this. + +This lead to weird image corruptions when short read happened + +Fixes: 6663a0a33764 ("block/io_uring: implements interfaces for io_uring") +Link: https://lkml.kernel.org/r/YrrFGO4A1jS0GI0G@atmark-techno.com +Signed-off-by: Dominique Martinet +Message-Id: <20220630010137.2518851-1-dominique.martinet@atmark-techno.com> +Reviewed-by: Hanna Reitz +Reviewed-by: Stefano Garzarella +Signed-off-by: Stefan Hajnoczi + +Signed-off-by: tangbinzy +--- + block/io_uring.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/block/io_uring.c b/block/io_uring.c +index dfa475cc87..e88d75d462 100644 +--- a/block/io_uring.c ++++ b/block/io_uring.c +@@ -89,7 +89,7 @@ static void luring_resubmit_short_read(LuringState *s, LuringAIOCB *luringcb, + trace_luring_resubmit_short_read(s, luringcb, nread); + + /* Update read position */ +- luringcb->total_read = nread; ++ luringcb->total_read += nread; + remaining = luringcb->qiov->size - luringcb->total_read; + + /* Shorten qiov */ +@@ -103,7 +103,7 @@ static void luring_resubmit_short_read(LuringState *s, LuringAIOCB *luringcb, + remaining); + + /* Update sqe */ +- luringcb->sqeq.off = nread; ++ luringcb->sqeq.off += nread; + luringcb->sqeq.addr = (__u64)(uintptr_t)luringcb->resubmit_qiov.iov; + luringcb->sqeq.len = luringcb->resubmit_qiov.niov; + +-- +2.27.0 + 
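Review bot: `luringcb->total_read += nread` and `luringcb->sqeq.off += nread` in luring_resubmit_short_read now both accumulate, which is the fix, but nothing in the hunk states the precondition that `nread` is the positive byte count of a short read; a zero or negative value would leave the request resubmitting the same range or move the disk offset backwards. A comment at the top of the update, `/* nread is the byte count of the short read (> 0): advance both the qiov position and the on-disk offset by it */`, or an `assert(nread > 0)` if the caller does not already guarantee it, would pin that down. The enclosing function starts and ends outside the hunk.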
diff --git a/libvhost-user-Fix-VHOST_USER_ADD_MEM_REG-reply.patch b/libvhost-user-Fix-VHOST_USER_ADD_MEM_REG-reply.patch new file mode 100644 index 0000000000000000000000000000000000000000..23cde54cf1dcfe1b0c45e11bacd681d928d20a27 --- /dev/null +++ b/libvhost-user-Fix-VHOST_USER_ADD_MEM_REG-reply.patch 
@@ -0,0 +1,48 @@ +From c2353941d94a5aeb8364dc5204c29a4fbb09437f Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Tue, 21 Nov 2023 06:47:43 +0000 +Subject: [PATCH] libvhost-user: Fix VHOST_USER_ADD_MEM_REG reply mainline + inclusion commit 7f27d20ded2f480f3e66d03f90ea71507b834276 category: bugfix + +--------------------------------------------------------------- + +With REPLY_NEEDED, libvhost-user sends both the acutal result and an +additional ACK reply for VHOST_USER_ADD_MEM_REG. This is incorrect, the +spec mandates that it behave the same with and without REPLY_NEEDED +because it always sends a reply. + +Fixes: ec94c8e621de96c50c2d381c8c9ec94f5beec7c1 +Signed-off-by: Kevin Wolf +Message-Id: <20220627134500.94842-4-kwolf@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +Signed-off-by: tangbinzy +--- + subprojects/libvhost-user/libvhost-user.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/subprojects/libvhost-user/libvhost-user.c b/subprojects/libvhost-user/libvhost-user.c +index 787f4d2d4f..8ab20138f4 100644 +--- a/subprojects/libvhost-user/libvhost-user.c ++++ b/subprojects/libvhost-user/libvhost-user.c +@@ -756,15 +756,9 @@ vu_add_mem_reg(VuDev *dev, VhostUserMsg *vmsg) { + + /* Send the message back to qemu with the addresses filled in. */ + vmsg->fd_num = 0; +- if (!vu_send_reply(dev, dev->sock, vmsg)) { +- vu_panic(dev, "failed to respond to add-mem-region for postcopy"); +- return false; +- } +- + DPRINT("Successfully added new region in postcopy\n"); + dev->nregions++; +- return false; +- ++ return true; + } else { + for (i = 0; i < dev->max_queues; i++) { + if (dev->vq[i].vring.desc) { +-- +2.27.0 + diff --git a/libvhost-user-Fix-VHOST_USER_GET_MAX_MEM_SLOTS-reply.patch b/libvhost-user-Fix-VHOST_USER_GET_MAX_MEM_SLOTS-reply.patch new file mode 100644 index 0000000000000000000000000000000000000000..fac419155b747664531c0cdbd0487dc560248256 --- /dev/null 
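Review bot: The comment `/* Send the message back to qemu with the addresses filled in. */` that survives above the new `return true;` in vu_add_mem_reg now describes something this code no longer does; the reply is left to the caller once the handler returns true. I would reword it to `/* Return true so the caller sends this message back to qemu with the addresses filled in. */`. The enclosing function starts and ends outside the hunk.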
+++ b/libvhost-user-Fix-VHOST_USER_GET_MAX_MEM_SLOTS-reply.patch @@ -0,0 +1,53 @@ +From 3e2df0133efdf3e3aea63f413b42e37bc6c87112 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Tue, 21 Nov 2023 06:36:05 +0000 +Subject: [PATCH] libvhost-user: Fix VHOST_USER_GET_MAX_MEM_SLOTS reply + mainline inclusion commit 69a5daec06f423843ce1bb9be5fb049314996f78 category: + bugfix + +--------------------------------------------------------------- + +With REPLY_NEEDED, libvhost-user sends both the acutal result and an +additional ACK reply for VHOST_USER_GET_MAX_MEM_SLOTS. This is +incorrect, the spec mandates that it behave the same with and without +REPLY_NEEDED because it always sends a reply. + +Fixes: 6fb2e173d20c9bbb5466183d33a3ad7dcd0375fa +Signed-off-by: Kevin Wolf +Message-Id: <20220627134500.94842-3-kwolf@redhat.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +Signed-off-by: tangbinzy +--- + subprojects/libvhost-user/libvhost-user.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/subprojects/libvhost-user/libvhost-user.c b/subprojects/libvhost-user/libvhost-user.c +index 787f4d2d4f..27e7799262 100644 +--- a/subprojects/libvhost-user/libvhost-user.c ++++ b/subprojects/libvhost-user/libvhost-user.c +@@ -1788,18 +1788,11 @@ vu_handle_vring_kick(VuDev *dev, VhostUserMsg *vmsg) + + static bool vu_handle_get_max_memslots(VuDev *dev, VhostUserMsg *vmsg) + { +- vmsg->flags = VHOST_USER_REPLY_MASK | VHOST_USER_VERSION; +- vmsg->size = sizeof(vmsg->payload.u64); +- vmsg->payload.u64 = VHOST_USER_MAX_RAM_SLOTS; +- vmsg->fd_num = 0; +- +- if (!vu_message_write(dev, dev->sock, vmsg)) { +- vu_panic(dev, "Failed to send max ram slots: %s\n", strerror(errno)); +- } ++ vmsg_set_reply_u64(vmsg, VHOST_USER_MAX_RAM_SLOTS); + + DPRINT("u64: 0x%016"PRIx64"\n", (uint64_t) VHOST_USER_MAX_RAM_SLOTS); + +- return false; ++ return true; + } + + static bool +-- +2.27.0 + 
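Review bot: The removed lines in vu_handle_get_max_memslots explicitly cleared `vmsg->fd_num` before replying; the new `vmsg_set_reply_u64(vmsg, VHOST_USER_MAX_RAM_SLOTS)` is relied on to do the same, which I believe it does but which is not visible in the hunk, so it is worth confirming that the helper resets `fd_num` (otherwise a stale count from the request could accompany the reply). The `vmsg->flags` setup likewise moves out of this function to the generic reply path; a short comment above the call, `/* reply is sent by the caller once we return true */`, would make the new contract obvious to the next reader.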
diff --git a/net-Fix-a-misleading-error-message.patch b/net-Fix-a-misleading-error-message.patch new file mode 100644 index 0000000000000000000000000000000000000000..75a49b12e60c6a8a5e20c02cc82d480e23df2d00 --- /dev/null +++ b/net-Fix-a-misleading-error-message.patch @@ -0,0 +1,50 @@ +From 1cc7783df04674ff375905cc9a8ec23f71617408 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Tue, 21 Nov 2023 20:40:24 +0800 +Subject: [PATCH] net: Fix a misleading error message + +cheery-pick from 0a4a1512e01228fc59b00d68e86f7099b6439773 + +The error message + + $ qemu-system-x86_64 -netdev user,id=net0,ipv6-net=fec0::0/ + qemu-system-x86_64: -netdev user,id=net0,ipv6-net=fec0::0/: Parameter 'ipv6-prefixlen' expects a number + +points to ipv6-prefixlen instead of ipv6-net. Fix: + + qemu-system-x86_64: -netdev user,id=net0,ipv6-net=fec0::0/: parameter 'ipv6-net' expects a number after '/' + +Signed-off-by: Markus Armbruster +Message-ID: <20231031111059.3407803-6-armbru@redhat.com> +Signed-off-by: qihao_yewu +--- + net/net.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/net.c b/net/net.c +index ed4b1c1740..daad8784ec 100644 +--- a/net/net.c ++++ b/net/net.c +@@ -1122,7 +1122,7 @@ static int net_client_init(QemuOpts *opts, bool is_netdev, Error **errp) + int ret = -1; + Visitor *v = opts_visitor_new(opts); + +- /* Parse convenience option format ip6-net=fec0::0[/64] */ ++ /* Parse convenience option format ipv6-net=fec0::0[/64] */ + const char *ip6_net = qemu_opt_get(opts, "ipv6-net"); + + if (ip6_net) { +@@ -1142,8 +1142,8 @@ static int net_client_init(QemuOpts *opts, bool is_netdev, Error **errp) + if (substrings[1] && + qemu_strtoul(substrings[1], NULL, 10, &prefix_len)) + { +- error_setg(errp, QERR_INVALID_PARAMETER_VALUE, +- "ipv6-prefixlen", "a number"); ++ error_setg(errp, ++ "parameter 'ipv6-net' expects a number after '/'"); + goto out; + } + +-- +2.27.0 + 
diff --git a/pci-Fix-the-update-of-interrupt-disable-bit-in-PCI_C.patch b/pci-Fix-the-update-of-interrupt-disable-bit-in-PCI_C.patch new file mode 100644 index 0000000000000000000000000000000000000000..e2b162c06e787adcbdb6aff78ca98027f27297e5 --- /dev/null +++ b/pci-Fix-the-update-of-interrupt-disable-bit-in-PCI_C.patch 
@@ -0,0 +1,53 @@ +From d81bf8c86e2b024f85d90e199181ae048134d4ee Mon Sep 17 00:00:00 2001 +From: Guoyi Tu +Date: Fri, 11 Aug 2023 22:46:51 +0800 +Subject: [PATCH] pci: Fix the update of interrupt disable bit in PCI_COMMAND + register + +The PCI_COMMAND register is located at offset 4 within +the PCI configuration space and occupies 2 bytes. The +interrupt disable bit is at the 10th bit, which corresponds +to the byte at offset 5 in the PCI configuration space. + +In our testing environment, the guest driver may directly +updates the byte at offset 5 in the PCI configuration space. +The backtrace looks like as following: + at hw/pci/pci.c:1442 + at hw/virtio/virtio-pci.c:605 + val=5, len=1) at hw/pci/pci_host.c:81 + +In this situation, the range_covers_byte function called +by the pci_default_write_config function will return false, +resulting in the inability to handle the interrupt disable +update event. + +To fix this issue, we can use the ranges_overlap function +instead of range_covers_byte to determine whether the interrupt +bit has been updated. + +Signed-off-by: Guoyi Tu +Signed-off-by: yuanminghao +Message-Id: +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Fixes: b6981cb57be5 ("pci: interrupt disable bit support") +--- + hw/pci/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/pci/pci.c b/hw/pci/pci.c +index 3e6805d54a..3a4619e2a5 100644 +--- a/hw/pci/pci.c ++++ b/hw/pci/pci.c +@@ -1471,7 +1471,7 @@ void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val_in, int + range_covers_byte(addr, l, PCI_COMMAND)) + pci_update_mappings(d); + +- if (range_covers_byte(addr, l, PCI_COMMAND)) { ++ if (ranges_overlap(addr, l, PCI_COMMAND, 2)) { + pci_update_irq_disabled(d, was_irq_disabled); + memory_region_set_enabled(&d->bus_master_enable_region, + (pci_get_word(d->config + PCI_COMMAND) +-- +2.27.0 + 
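Review bot: The `2` in `ranges_overlap(addr, l, PCI_COMMAND, 2)` in pci_default_write_config is a bare magic number standing for the width of the 16-bit command register; writing it as `ranges_overlap(addr, l, PCI_COMMAND, sizeof(uint16_t))` with a comment `/* the interrupt-disable bit is in the upper byte of the 16-bit command register */` would make the fix self-explanatory. The preceding `range_covers_byte(addr, l, PCI_COMMAND)` check guarding pci_update_mappings keeps the byte form, presumably because the enable bits it cares about live in the low byte; a word on that asymmetry would stop someone converting it the same way without thinking. The enclosing function starts and ends outside the hunk.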
diff --git a/pci-fix-overflow-in-snprintf-string-formatting.patch b/pci-fix-overflow-in-snprintf-string-formatting.patch new file mode 100644 index 0000000000000000000000000000000000000000..e1e2e1b6cd2a2d5da17bbe351a363631018e50cf --- /dev/null +++ b/pci-fix-overflow-in-snprintf-string-formatting.patch 
@@ -0,0 +1,106 @@ +From b2d665abb4dbd3c91c0ceceebe537cf411f6c650 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 6 Nov 2023 06:35:28 +0000 +Subject: [PATCH] pci: fix overflow in snprintf string formatting mainline + inclusion commit 36f18c6989a3d1ff1d7a0e50b0868ef3958299b4 category: bugfix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--------------------------------------------------------------- + +the code in pcibus_get_fw_dev_path contained the potential for a +stack buffer overflow of 1 byte, potentially writing to the stack an +extra NUL byte. + +This overflow could happen if the PCI slot is >= 0x10000000, +and the PCI function is >= 0x10000000, due to the size parameter +of snprintf being incorrectly calculated in the call: + + if (PCI_FUNC(d->devfn)) + snprintf(path + off, sizeof(path) + off, ",%x", PCI_FUNC(d->devfn)); + +since the off obtained from a previous call to snprintf is added +instead of subtracted from the total available size of the buffer. + +Without the accurate size guard from snprintf, we end up writing in the +worst case: + +name (32) + "@" (1) + SLOT (8) + "," (1) + FUNC (8) + term NUL (1) = 51 bytes + +In order to provide something more robust, replace all of the code in +pcibus_get_fw_dev_path with a single call to g_strdup_printf, +so there is no need to rely on manual calculations. + +Found by compiling QEMU with FORTIFY_SOURCE=3 as the error: + +*** buffer overflow detected ***: terminated + +Thread 1 "qemu-system-x86" received signal SIGABRT, Aborted. 
+[Switching to Thread 0x7ffff642c380 (LWP 121307)] +0x00007ffff71ff55c in __pthread_kill_implementation () from /lib64/libc.so.6 +(gdb) bt + #0 0x00007ffff71ff55c in __pthread_kill_implementation () at /lib64/libc.so.6 + #1 0x00007ffff71ac6f6 in raise () at /lib64/libc.so.6 + #2 0x00007ffff7195814 in abort () at /lib64/libc.so.6 + #3 0x00007ffff71f279e in __libc_message () at /lib64/libc.so.6 + #4 0x00007ffff729767a in __fortify_fail () at /lib64/libc.so.6 + #5 0x00007ffff7295c36 in () at /lib64/libc.so.6 + #6 0x00007ffff72957f5 in __snprintf_chk () at /lib64/libc.so.6 + #7 0x0000555555b1c1fd in pcibus_get_fw_dev_path () + #8 0x0000555555f2bde4 in qdev_get_fw_dev_path_helper.constprop () + #9 0x0000555555f2bd86 in qdev_get_fw_dev_path_helper.constprop () + #10 0x00005555559a6e5d in get_boot_device_path () + #11 0x00005555559a712c in get_boot_devices_list () + #12 0x0000555555b1a3d0 in fw_cfg_machine_reset () + #13 0x0000555555bf4c2d in pc_machine_reset () + #14 0x0000555555c66988 in qemu_system_reset () + #15 0x0000555555a6dff6 in qdev_machine_creation_done () + #16 0x0000555555c79186 in qmp_x_exit_preconfig.part () + #17 0x0000555555c7b459 in qemu_init () + #18 0x0000555555960a29 in main () + +Found-by: Dario Faggioli +Found-by: Martin Liška +Cc: qemu-stable@nongnu.org +Signed-off-by: Claudio Fontana +Message-Id: <20220531114707.18830-1-cfontana@suse.de> +Reviewed-by: Ani Sinha + +Signed-off-by: tangbinzy +--- + hw/pci/pci.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/hw/pci/pci.c b/hw/pci/pci.c +index 3e6805d54a..6a5e8a3654 100644 +--- a/hw/pci/pci.c ++++ b/hw/pci/pci.c +@@ -2588,15 +2588,15 @@ static char *pci_dev_fw_name(DeviceState *dev, char *buf, int len) + static char *pcibus_get_fw_dev_path(DeviceState *dev) + { + PCIDevice *d = (PCIDevice *)dev; +- char path[50], name[33]; +- int off; +- +- off = snprintf(path, sizeof(path), "%s@%x", +- pci_dev_fw_name(dev, name, sizeof name), +- PCI_SLOT(d->devfn)); +- if 
(PCI_FUNC(d->devfn)) +- snprintf(path + off, sizeof(path) + off, ",%x", PCI_FUNC(d->devfn)); +- return g_strdup(path); ++ char name[33]; ++ int has_func = !!PCI_FUNC(d->devfn); ++ ++ return g_strdup_printf("%s@%x%s%.*x", ++ pci_dev_fw_name(dev, name, sizeof(name)), ++ PCI_SLOT(d->devfn), ++ has_func ? "," : "", ++ has_func, ++ PCI_FUNC(d->devfn)); + } + + static char *pcibus_get_dev_path(DeviceState *dev) +-- +2.27.0 + diff --git a/qemu-timer-Skip-empty-timer-lists-before-locking-in-.patch b/qemu-timer-Skip-empty-timer-lists-before-locking-in-.patch new file mode 100644 index 0000000000000000000000000000000000000000..2578891b45520ce59eb60b5f303c4d7fd4bfa9bb --- /dev/null +++ b/qemu-timer-Skip-empty-timer-lists-before-locking-in-.patch 
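Review bot: The `%s%.*x` trick in the new pcibus_get_fw_dev_path — passing `has_func` as both the separator selector and the precision, so that a zero function prints nothing because `%.0x` of 0 emits no digits — is correct but obscure enough to warrant a comment, e.g. `/* ",%x" is appended only when the function is non-zero: precision 0 on a value of 0 prints nothing */`. With that in place the rewrite is a clear improvement over the size-miscalculated snprintf it replaces. The `name[33]` buffer and `sizeof(name)` passed to pci_dev_fw_name keep the previous bound, so that part of the contract is unchanged.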
@@ -0,0 +1,39 @@ +From 274dd10230eef97714a2a283ecd8a8ce2ecbf687 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 6 Nov 2023 07:28:31 +0000 +Subject: [PATCH] qemu-timer: Skip empty timer lists before locking in + qemu_clock_deadline_ns_all mainline inclusion commit + 3f42906c9ab2c777a895b48b87b8107167e4a275 category: bugfix + +--------------------------------------------------------------- + +This decreases qemu_clock_deadline_ns_all's share from 23.2% to 13% in a +profile of icount-enabled aarch64-softmmu. + +Signed-off-by: Idan Horowitz +Reviewed-by: Richard Henderson +Message-Id: <20220114004358.299534-2-idan.horowitz@gmail.com> +Signed-off-by: Richard Henderson + +Signed-off-by: tangbinzy +--- + util/qemu-timer.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/util/qemu-timer.c b/util/qemu-timer.c +index 40e8c83722..c5b6dc987c 100644 +--- a/util/qemu-timer.c ++++ b/util/qemu-timer.c +@@ -330,6 +330,9 @@ int64_t qemu_clock_deadline_ns_all(QEMUClockType type, int attr_mask) + } + + QLIST_FOREACH(timer_list, &clock->timerlists, list) { ++ if (!qatomic_read(&timer_list->active_timers)) { ++ continue; ++ } + qemu_mutex_lock(&timer_list->active_timers_lock); + ts = timer_list->active_timers; + /* Skip all external timers */ +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 9093fa36c2a2260eaaf8a4ca908054d94a8be8a4..587a6432af772da00ae2aaed14cdf14669f6b2ef 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 6.2.0 -Release: 82 +Release: 83 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 
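Review bot: The new `qatomic_read(&timer_list->active_timers)` check in qemu_clock_deadline_ns_all is an unlocked fast path and nothing in the hunk says why skipping the lock is safe, so a one-line comment would spare the next reader a trip into timerlist_insert(). Something like `/* Unlocked peek: an empty list cannot shorten the deadline; a timer inserted after this read is reported through the list's notify callback, not this pass */` — the second half is my reading of the rearm contract and should be confirmed against the insert path before it is committed to a comment. The function continues outside the hunk (the locked walk over active_timers and the unlock).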
@@ -591,6 +591,38 @@ Patch0579: softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch Patch0580: tests-Fix-printf-format-string-in-acpi-utils.c.patch Patch0581: hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch Patch0582: Delete-the-default-vga-graphics-card-and-update-the-.patch +Patch0583: target-i386-Export-GDS_NO-bit-to-guests.patch +Patch0584: semihosting-fix-memleak-at-semihosting_arg_fallback.patch +Patch0585: semihosting-config-Merge-semihosting-config-option-g.patch +Patch0586: qemu-timer-Skip-empty-timer-lists-before-locking-in-.patch +Patch0587: hw-usb-hcd-ehci-fix-writeback-order.patch +Patch0588: pci-fix-overflow-in-snprintf-string-formatting.patch +Patch0589: tpm_crb-mark-command-buffer-as-dirty-on-request-comp.patch +Patch0590: hw-timer-npcm7xx_timer-Prevent-timer-from-counting-d.patch +Patch0591: pci-Fix-the-update-of-interrupt-disable-bit-in-PCI_C.patch +Patch0592: e1000-set-RX-descriptor-status-in-a-separate-operati.patch +Patch0593: virtio-iommu-Fix-the-partial-copy-of-probe-request.patch +Patch0594: artist-set-memory-region-owners-for-buffers-to-the-a.patch +Patch0595: qom-object-Remove-circular-include-dependency.patch +Patch0596: vga-avoid-crash-if-no-default-vga-card.patch +Patch0597: hw-pvrdma-Protect-against-buggy-or-malicious-guest-driver.patch +Patch0598: tracetool-avoid-invalid-escape-in-Python-string.patch +Patch0599: target-i386-Add-support-for-CMPCCXADD-in-CPUID-enume.patch +Patch0600: target-i386-Add-support-for-AMX-FP16-in-CPUID-enumer.patch +Patch0601: target-i386-Add-support-for-AVX-IFMA-in-CPUID-enumer.patch +Patch0602: target-i386-Add-support-for-AVX-VNNI-INT8-in-CPUID-e.patch +Patch0603: target-i386-Add-support-for-AVX-NE-CONVERT-in-CPUID-.patch +Patch0604: target-i386-Add-support-for-PREFETCHIT0-1-in-CPUID-e.patch +Patch0605: target-i386-Add-new-CPU-model-GraniteRapids.patch +Patch0606: target-i386-Adjust-feature-level-according-to-FEAT_7.patch +Patch0607: net-Fix-a-misleading-error-message.patch +Patch0608: 
qsd-Unlink-absolute-PID-file-path.patch +Patch0609: libvhost-user-Fix-VHOST_USER_ADD_MEM_REG-reply.patch +Patch0610: io_uring-fix-short-read-slow-path.patch +Patch0611: libvhost-user-Fix-VHOST_USER_GET_MAX_MEM_SLOTS-reply.patch +Patch0612: tests-qtest-check-the-return-value.patch +Patch0613: hw-net-cadence_gem.c-spelling-fixes-Octects.patch +Patch0614: hw-arm-fsl-imx-Do-not-ignore-Error-argument.patch BuildRequires: flex BuildRequires: gcc 
@@ -1150,6 +1182,40 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Tue Nov 28 2023 - 10:6.2.0-83 +- hw/arm/fsl-imx: Do not ignore Error argument +- hw/net/cadence_gem.c: spelling fixes: Octects +- tests/qtest: check the return value +- libvhost-user: Fix VHOST_USER_GET_MAX_MEM_SLOTS reply mainline inclusion commit 69a5daec06f423843ce1bb9be5fb049314996f78 category: bugfix +- io_uring: fix short read slow path mainline inclusion commit c06fc7ce147e57ab493bad9263f1601b8298484b category: bugfix +- libvhost-user: Fix VHOST_USER_ADD_MEM_REG reply mainline inclusion commit 7f27d20ded2f480f3e66d03f90ea71507b834276 category: bugfix +- qsd: Unlink absolute PID file path mainline inclusion commit 9d8f8233b9fa525a7e37350fbc18877051128c5d category: bugfix +- net: Fix a misleading error message +- target/i386: Adjust feature level according to FEAT_7_1_EDX +- target/i386: Add new CPU model GraniteRapids +- target/i386: Add support for PREFETCHIT0/1 in CPUID enumeration +- target/i386: Add support for AVX-NE-CONVERT in CPUID enumeration +- target/i386: Add support for AVX-VNNI-INT8 in CPUID enumeration +- target/i386: Add support for AVX-IFMA in CPUID enumeration +- target/i386: Add support for AMX-FP16 in CPUID enumeration +- target/i386: Add support for CMPCCXADD in CPUID enumeration +- tracetool: avoid invalid escape in Python string +- hw/pvrdma: Protect against buggy or malicious guest driver +- vga: avoid crash if no default vga card mainline inclusion commit 6985d8ede92494f3b791de01e8ee9306eb6d5e4a category: bugfix +- qom/object: Remove circular include dependency mainline inclusion commit 5bba9bcfbb42e7c016626420e148a1bf1b080835 category: bugfix +- artist: set memory region owners for buffers to the artist device mainline inclusion commit 39fbaeca096a9bf6cbe2af88572c1cb2aa62aa8c category: bugfix +- virtio-iommu: Fix the partial copy of probe request mainline inclusion commit 45461aace83d961e933b27519b81d17b4c690514 category: bugfix +- e1000: set RX descriptor 
status in a separate operation mainline inclusion commit 034d00d4858161e1d4cff82d8d230bce874a04d3 category: bugfix +- pci: Fix the update of interrupt disable bit in PCI_COMMAND register +- hw/timer/npcm7xx_timer: Prevent timer from counting down past zero +- tpm_crb: mark command buffer as dirty on request completion mainline inclusion commit e37a0ef4605e5d2041785ff3fc89ca6021faf7a0 category: bugfix +- pci: fix overflow in snprintf string formatting mainline inclusion commit 36f18c6989a3d1ff1d7a0e50b0868ef3958299b4 category: bugfix +- hw/usb/hcd-ehci: fix writeback order mainline inclusion commit f471e8b060798f26a7fc339c6152f82f22a7b33d category: bugfix +- qemu-timer: Skip empty timer lists before locking in qemu_clock_deadline_ns_all mainline inclusion commit 3f42906c9ab2c777a895b48b87b8107167e4a275 category: bugfix +- semihosting/config: Merge --semihosting-config option groups mainline inclusion commit 90c072e063737e9e8f431489bbd334452f89056e category: bugfix +- semihosting: fix memleak at semihosting_arg_fallback +- target/i386: Export GDS_NO bit to guests + * Wed Nov 8 2023 - 10:6.2.0-82 - Put the bios files and dynamic library files that qemu depends on in the qemu package. diff --git a/qom-object-Remove-circular-include-dependency.patch b/qom-object-Remove-circular-include-dependency.patch new file mode 100644 index 0000000000000000000000000000000000000000..f527a3b04c15a0aa76b7cc07efe4b19c94fc5b66 --- /dev/null +++ b/qom-object-Remove-circular-include-dependency.patch 
@@ -0,0 +1,41 @@ +From e4393667e45bdcf04150ada3840a6d87e3188d36 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Fri, 17 Nov 2023 09:13:07 +0000 +Subject: [PATCH] qom/object: Remove circular include dependency mainline + inclusion commit 5bba9bcfbb42e7c016626420e148a1bf1b080835 category: bugfix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--------------------------------------------------------------- + +"qom/object.h" doesn't need to include itself. + +Fixes: db1015e92e04 ("Move QOM typedefs and add missing includes") +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Damien Hedde +Reviewed-by: Peter Maydell +Reviewed-by: Markus Armbruster +Message-Id: <20220509084659.52076-1-philippe.mathieu.daude@gmail.com> +Signed-off-by: Laurent Vivier + +Signed-off-by: tangbinzy +--- + include/qom/object.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/include/qom/object.h b/include/qom/object.h +index fae096f51c..f658e1e0a0 100644 +--- a/include/qom/object.h ++++ b/include/qom/object.h +@@ -16,7 +16,6 @@ + + #include "qapi/qapi-builtin-types.h" + #include "qemu/module.h" +-#include "qom/object.h" + + struct TypeImpl; + typedef struct TypeImpl *Type; +-- +2.27.0 + diff --git a/qsd-Unlink-absolute-PID-file-path.patch b/qsd-Unlink-absolute-PID-file-path.patch new file mode 100644 index 0000000000000000000000000000000000000000..7c5138ad713432506c1bae7df83e78bdb9c402e8 --- /dev/null +++ b/qsd-Unlink-absolute-PID-file-path.patch 
@@ -0,0 +1,81 @@ +From 43668bdb7ebaa64536277d4b5b47875e58a3452a Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Tue, 21 Nov 2023 07:00:39 +0000 +Subject: [PATCH] qsd: Unlink absolute PID file path mainline inclusion commit + 9d8f8233b9fa525a7e37350fbc18877051128c5d category: bugfix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--------------------------------------------------------------- + +After writing the PID file, we register an atexit() handler to unlink it +when the process terminates. However, if the process has changed its +working directory in the meantime (e.g. in os_setup_post() when +daemonizing), this will not work when the PID file path was relative. +Therefore, pass the absolute path (created with realpath()) to the +unlink() call in the atexit() handler. + +(realpath() needs a path pointing to an existing file, so we cannot use +it before qemu_write_pidfile().) + +Reproducer: +$ cd /tmp +$ qemu-storage-daemon --daemonize --pidfile qsd.pid +$ file qsd.pid +qsd.pid: ASCII text +$ kill $(cat qsd.pid) +$ file qsd.pid +qsd.pid: ASCII text + +(qsd.pid should be gone after the process has terminated.) + +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2092322 +Signed-off-by: Hanna Reitz +Message-Id: <20220609122701.17172-2-hreitz@redhat.com> +Reviewed-by: Daniel P. 
Berrangé + +Signed-off-by: tangbinzy +--- + storage-daemon/qemu-storage-daemon.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/storage-daemon/qemu-storage-daemon.c b/storage-daemon/qemu-storage-daemon.c +index 52cf17e8ac..f3d8c4ca11 100644 +--- a/storage-daemon/qemu-storage-daemon.c ++++ b/storage-daemon/qemu-storage-daemon.c +@@ -60,6 +60,7 @@ + #include "trace/control.h" + + static const char *pid_file; ++static char *pid_file_realpath; + static volatile bool exit_requested = false; + + void qemu_system_killed(int signal, pid_t pid) +@@ -292,7 +293,7 @@ static void process_options(int argc, char *argv[]) + + static void pid_file_cleanup(void) + { +- unlink(pid_file); ++ unlink(pid_file_realpath); + } + + static void pid_file_init(void) +@@ -308,6 +309,14 @@ static void pid_file_init(void) + exit(EXIT_FAILURE); + } + ++ pid_file_realpath = g_malloc(PATH_MAX); ++ if (!realpath(pid_file, pid_file_realpath)) { ++ error_report("cannot resolve PID file path: %s: %s", ++ pid_file, strerror(errno)); ++ unlink(pid_file); ++ exit(EXIT_FAILURE); ++ } ++ + atexit(pid_file_cleanup); + } + +-- +2.27.0 + diff --git a/semihosting-config-Merge-semihosting-config-option-g.patch b/semihosting-config-Merge-semihosting-config-option-g.patch new file mode 100644 index 0000000000000000000000000000000000000000..c7c9e59be4b675152c4379ab50661eda348147ce --- /dev/null +++ b/semihosting-config-Merge-semihosting-config-option-g.patch 
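Review bot: realpath() also resolves the final path component, so if the PID file path is (or is swapped for) a symlink, pid_file_cleanup() now unlink()s the link's target instead of the link itself, which the old `unlink(pid_file)` never did; whether the write in qemu_write_pidfile() follows symlinks too I cannot tell from this hunk. Resolving only the directory and re-appending the basename fixes the cwd problem the commit targets without widening what gets deleted at exit. The realpath(3) NULL-buffer form also avoids the PATH_MAX allocation, but its result must be released with free(), not g_free(). pid_file_init() starts outside the hunk.
```c
    g_autofree char *dir = g_path_get_dirname(pid_file);
    g_autofree char *base = g_path_get_basename(pid_file);
    char *dir_real = realpath(dir, NULL);
    if (!dir_real) {
        error_report("cannot resolve PID file path: %s: %s",
                     pid_file, strerror(errno));
        unlink(pid_file);
        exit(EXIT_FAILURE);
    }
    /* Absolute path for the atexit() handler: the cwd may change before exit */
    pid_file_realpath = g_build_filename(dir_real, base, NULL);
    free(dir_real);

    atexit(pid_file_cleanup);
```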
@@ -0,0 +1,54 @@ +From ff7918646e3c696d13732fb22f032d7d78c34fe1 Mon Sep 17 00:00:00 2001 +From: tangbinzy +Date: Mon, 6 Nov 2023 08:15:13 +0000 +Subject: [PATCH] semihosting/config: Merge --semihosting-config option groups + mainline inclusion commit 90c072e063737e9e8f431489bbd334452f89056e category: + bugfix + +--------------------------------------------------------------- + +Currently we mishandle the --semihosting-config option if the +user specifies it on the command line more than once. For +example with: + --semihosting-config target=gdb --semihosting-config arg=foo,arg=bar + +the function qemu_semihosting_config_options() is called twice, once +for each argument. But that function expects to be called only once, +and it always unconditionally sets the semihosting.enabled, +semihost_chardev and semihosting.target variables. This means that +if any of those options were set anywhere except the last +--semihosting-config option on the command line, those settings are +ignored. In the example above, 'target=gdb' in the first option is +overridden by an implied default 'target=auto' in the second. + +The QemuOptsList machinery has a flag for handling this kind of +"option group is setting global state": by setting + .merge_lists = true; +we make the machinery merge all the --semihosting-config arguments +the user passes into a single set of options and call our +qemu_semihosting_config_options() just once. 
+ +Signed-off-by: Peter Maydell +Reviewed-by: Luc Michel +Message-id: 20220526190053.521505-3-peter.maydell@linaro.org + +Signed-off-by: tangbinzy +--- + semihosting/config.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/semihosting/config.c b/semihosting/config.c +index 137171b717..ba3e310a61 100644 +--- a/semihosting/config.c ++++ b/semihosting/config.c +@@ -27,6 +27,7 @@ + + QemuOptsList qemu_semihosting_config_opts = { + .name = "semihosting-config", ++ .merge_lists = true, + .implied_opt_name = "enable", + .head = QTAILQ_HEAD_INITIALIZER(qemu_semihosting_config_opts.head), + .desc = { +-- +2.27.0 + diff --git a/semihosting-fix-memleak-at-semihosting_arg_fallback.patch b/semihosting-fix-memleak-at-semihosting_arg_fallback.patch new file mode 100644 index 0000000000000000000000000000000000000000..ccee1a5bb1ca43518d5376480569873626a121b1 --- /dev/null +++ b/semihosting-fix-memleak-at-semihosting_arg_fallback.patch 
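Review bot: The one-line `.merge_lists = true` changes how every repeated `--semihosting-config` is parsed, and the reason lives only in the commit message, so it deserves a comment at the field: `/* Fold repeated --semihosting-config into one group so qemu_semihosting_config_options() sees target=/chardev= from any occurrence, not just the last */`. One consequence worth confirming, not visible here: with a merged group a `target=` given twice is no longer overwritten by the second call but resolved by the QemuOpts lookup order, so the last value silently wins if that is how qemu_opt_get() picks among duplicates.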
@@ -0,0 +1,47 @@ +From 47a24e233e335025ed37ab0ba4a4e728719a2ad3 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Mon, 6 Nov 2023 18:14:06 +0800 +Subject: [PATCH] semihosting: fix memleak at semihosting_arg_fallback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 2eb71a0c20a6a77be128a76c1ef8fb5dc7028a8b + +We duplicate "cmd" as strtok may modify its argument, but we forgot +to free it later. Furthermore, add_semihosting_arg doesn't take +responsibility for this memory either (it strdup's the argument). + +Signed-off-by: Matheus Tavares Bernardino +Reviewed-by: Philippe Mathieu-Daudé +Message-Id: <03d81c56bfc3d08224e4106efca5949d8894cfa5.1697801632.git.quic_mathbern@quicinc.com> +Reviewed-by: Richard Henderson +Signed-off-by: Alex Bennée +Message-Id: <20231029145033.592566-18-alex.bennee@linaro.org> +Signed-off-by: qihao_yewu +--- + semihosting/config.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/semihosting/config.c b/semihosting/config.c +index 137171b717..303338f647 100644 +--- a/semihosting/config.c ++++ b/semihosting/config.c +@@ -109,12 +109,13 @@ static int add_semihosting_arg(void *opaque, + void semihosting_arg_fallback(const char *file, const char *cmd) + { + char *cmd_token; ++ g_autofree char *cmd_dup = g_strdup(cmd); + + /* argv[0] */ + add_semihosting_arg(&semihosting, "arg", file, NULL); + + /* split -append and initialize argv[1..n] */ +- cmd_token = strtok(g_strdup(cmd), " "); ++ cmd_token = strtok(cmd_dup, " "); + while (cmd_token) { + add_semihosting_arg(&semihosting, "arg", cmd_token, NULL); + cmd_token = strtok(NULL, " "); +-- +2.27.0 + diff --git a/target-i386-Add-new-CPU-model-GraniteRapids.patch b/target-i386-Add-new-CPU-model-GraniteRapids.patch new file mode 100644 index 0000000000000000000000000000000000000000..24672e94aebfec3f6b06df7769652ea1098a2b43 --- /dev/null +++ b/target-i386-Add-new-CPU-model-GraniteRapids.patch 
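Review bot: The `g_autofree char *cmd_dup = g_strdup(cmd);` line carries the fix, but a reader still has to know that add_semihosting_arg() copies each token before the buffer is released at return; a comment on that line, `/* strtok() modifies its input; add_semihosting_arg() strdup()s each token, so the copy is freed on return */`, makes the ownership explicit. The hunk also does not guard a NULL cmd: g_strdup(NULL) yields NULL and `strtok(NULL, " ")` would then continue from strtok's saved pointer of an earlier call rather than this string — if callers can pass NULL (not visible here), an early `if (!cmd) { return; }` after the argv[0] line closes that. semihosting_arg_fallback's closing brace lies outside the hunk.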
@@ -0,0 +1,183 @@ +From 7ebcbfb9ac1d53ea46bfd86fa7f0a90a4012412e Mon Sep 17 00:00:00 2001 +From: Tao Su +Date: Thu, 6 Jul 2023 13:49:49 +0800 +Subject: [PATCH] target/i386: Add new CPU model GraniteRapids + +commit 6d5e9694ef374159072984c0958c3eaab6dd1d52 upstream. + +The GraniteRapids CPU model mainly adds the following new features +based on SapphireRapids: +- PREFETCHITI CPUID.(EAX=7,ECX=1):EDX[bit 14] +- AMX-FP16 CPUID.(EAX=7,ECX=1):EAX[bit 21] + +And adds the following security fix for corresponding vulnerabilities: +- MCDT_NO CPUID.(EAX=7,ECX=2):EDX[bit 5] +- SBDR_SSDP_NO MSR_IA32_ARCH_CAPABILITIES[bit 13] +- FBSDP_NO MSR_IA32_ARCH_CAPABILITIES[bit 14] +- PSDP_NO MSR_IA32_ARCH_CAPABILITIES[bit 15] +- PBRSB_NO MSR_IA32_ARCH_CAPABILITIES[bit 24] + +Intel-SIG: commit 6d5e9694ef37 target/i386: Add new CPU model GraniteRapids. +Backport GNR and SRF ISA into QEMU-6.2 + +Signed-off-by: Tao Su +Tested-by: Xuelian Guo +Reviewed-by: Xiaoyao Li +Message-ID: <20230706054949.66556-7-tao1.su@linux.intel.com> +Signed-off-by: Paolo Bonzini +[ Quanxian Wang: amend commit log ] +Signed-off-by: Quanxian Wang +--- + target/i386/cpu.c | 136 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 136 insertions(+) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index ee243693e3..efe0c2b46c 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -3707,6 +3707,142 @@ static const X86CPUDefinition builtin_x86_defs[] = { + { /* end of list */ } + } + }, ++ { ++ .name = "GraniteRapids", ++ .level = 0x20, ++ .vendor = CPUID_VENDOR_INTEL, ++ .family = 6, ++ .model = 173, ++ .stepping = 0, ++ /* ++ * please keep the ascending order so that we can have a clear view of ++ * bit position of each feature. 
++ */ ++ .features[FEAT_1_EDX] = ++ CPUID_FP87 | CPUID_VME | CPUID_DE | CPUID_PSE | CPUID_TSC | ++ CPUID_MSR | CPUID_PAE | CPUID_MCE | CPUID_CX8 | CPUID_APIC | ++ CPUID_SEP | CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV | ++ CPUID_PAT | CPUID_PSE36 | CPUID_CLFLUSH | CPUID_MMX | CPUID_FXSR | ++ CPUID_SSE | CPUID_SSE2, ++ .features[FEAT_1_ECX] = ++ CPUID_EXT_SSE3 | CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSSE3 | ++ CPUID_EXT_FMA | CPUID_EXT_CX16 | CPUID_EXT_PCID | CPUID_EXT_SSE41 | ++ CPUID_EXT_SSE42 | CPUID_EXT_X2APIC | CPUID_EXT_MOVBE | ++ CPUID_EXT_POPCNT | CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_AES | ++ CPUID_EXT_XSAVE | CPUID_EXT_AVX | CPUID_EXT_F16C | CPUID_EXT_RDRAND, ++ .features[FEAT_8000_0001_EDX] = ++ CPUID_EXT2_SYSCALL | CPUID_EXT2_NX | CPUID_EXT2_PDPE1GB | ++ CPUID_EXT2_RDTSCP | CPUID_EXT2_LM, ++ .features[FEAT_8000_0001_ECX] = ++ CPUID_EXT3_LAHF_LM | CPUID_EXT3_ABM | CPUID_EXT3_3DNOWPREFETCH, ++ .features[FEAT_8000_0008_EBX] = ++ CPUID_8000_0008_EBX_WBNOINVD, ++ .features[FEAT_7_0_EBX] = ++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_HLE | ++ CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_BMI2 | ++ CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID | CPUID_7_0_EBX_RTM | ++ CPUID_7_0_EBX_AVX512F | CPUID_7_0_EBX_AVX512DQ | ++ CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX | CPUID_7_0_EBX_SMAP | ++ CPUID_7_0_EBX_AVX512IFMA | CPUID_7_0_EBX_CLFLUSHOPT | ++ CPUID_7_0_EBX_CLWB | CPUID_7_0_EBX_AVX512CD | CPUID_7_0_EBX_SHA_NI | ++ CPUID_7_0_EBX_AVX512BW | CPUID_7_0_EBX_AVX512VL, ++ .features[FEAT_7_0_ECX] = ++ CPUID_7_0_ECX_AVX512_VBMI | CPUID_7_0_ECX_UMIP | CPUID_7_0_ECX_PKU | ++ CPUID_7_0_ECX_AVX512_VBMI2 | CPUID_7_0_ECX_GFNI | ++ CPUID_7_0_ECX_VAES | CPUID_7_0_ECX_VPCLMULQDQ | ++ CPUID_7_0_ECX_AVX512VNNI | CPUID_7_0_ECX_AVX512BITALG | ++ CPUID_7_0_ECX_AVX512_VPOPCNTDQ | CPUID_7_0_ECX_LA57 | ++ CPUID_7_0_ECX_RDPID | CPUID_7_0_ECX_BUS_LOCK_DETECT, ++ .features[FEAT_7_0_EDX] = ++ CPUID_7_0_EDX_FSRM | CPUID_7_0_EDX_SERIALIZE | ++ CPUID_7_0_EDX_TSX_LDTRK | 
CPUID_7_0_EDX_AMX_BF16 | ++ CPUID_7_0_EDX_AVX512_FP16 | CPUID_7_0_EDX_AMX_TILE | ++ CPUID_7_0_EDX_AMX_INT8 | CPUID_7_0_EDX_SPEC_CTRL | ++ CPUID_7_0_EDX_ARCH_CAPABILITIES | CPUID_7_0_EDX_SPEC_CTRL_SSBD, ++ .features[FEAT_ARCH_CAPABILITIES] = ++ MSR_ARCH_CAP_RDCL_NO | MSR_ARCH_CAP_IBRS_ALL | ++ MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY | MSR_ARCH_CAP_MDS_NO | ++ MSR_ARCH_CAP_PSCHANGE_MC_NO | MSR_ARCH_CAP_TAA_NO | ++ MSR_ARCH_CAP_SBDR_SSDP_NO | MSR_ARCH_CAP_FBSDP_NO | ++ MSR_ARCH_CAP_PSDP_NO | MSR_ARCH_CAP_PBRSB_NO, ++ .features[FEAT_XSAVE] = ++ CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | ++ CPUID_XSAVE_XGETBV1 | CPUID_XSAVE_XSAVES | CPUID_D_1_EAX_XFD, ++ .features[FEAT_6_EAX] = ++ CPUID_6_EAX_ARAT, ++ .features[FEAT_7_1_EAX] = ++ CPUID_7_1_EAX_AVX_VNNI | CPUID_7_1_EAX_AVX512_BF16 | ++ CPUID_7_1_EAX_FZRM | CPUID_7_1_EAX_FSRS | CPUID_7_1_EAX_FSRC | ++ CPUID_7_1_EAX_AMX_FP16, ++ .features[FEAT_7_1_EDX] = ++ CPUID_7_1_EDX_PREFETCHITI, ++ .features[FEAT_7_2_EDX] = ++ CPUID_7_2_EDX_MCDT_NO, ++ .features[FEAT_VMX_BASIC] = ++ MSR_VMX_BASIC_INS_OUTS | MSR_VMX_BASIC_TRUE_CTLS, ++ .features[FEAT_VMX_ENTRY_CTLS] = ++ VMX_VM_ENTRY_LOAD_DEBUG_CONTROLS | VMX_VM_ENTRY_IA32E_MODE | ++ VMX_VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL | ++ VMX_VM_ENTRY_LOAD_IA32_PAT | VMX_VM_ENTRY_LOAD_IA32_EFER, ++ .features[FEAT_VMX_EPT_VPID_CAPS] = ++ MSR_VMX_EPT_EXECONLY | ++ MSR_VMX_EPT_PAGE_WALK_LENGTH_4 | MSR_VMX_EPT_PAGE_WALK_LENGTH_5 | ++ MSR_VMX_EPT_WB | MSR_VMX_EPT_2MB | MSR_VMX_EPT_1GB | ++ MSR_VMX_EPT_INVEPT | MSR_VMX_EPT_AD_BITS | ++ MSR_VMX_EPT_INVEPT_SINGLE_CONTEXT | MSR_VMX_EPT_INVEPT_ALL_CONTEXT | ++ MSR_VMX_EPT_INVVPID | MSR_VMX_EPT_INVVPID_SINGLE_ADDR | ++ MSR_VMX_EPT_INVVPID_SINGLE_CONTEXT | ++ MSR_VMX_EPT_INVVPID_ALL_CONTEXT | ++ MSR_VMX_EPT_INVVPID_SINGLE_CONTEXT_NOGLOBALS, ++ .features[FEAT_VMX_EXIT_CTLS] = ++ VMX_VM_EXIT_SAVE_DEBUG_CONTROLS | ++ VMX_VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL | ++ VMX_VM_EXIT_ACK_INTR_ON_EXIT | VMX_VM_EXIT_SAVE_IA32_PAT | ++ VMX_VM_EXIT_LOAD_IA32_PAT | 
VMX_VM_EXIT_SAVE_IA32_EFER | ++ VMX_VM_EXIT_LOAD_IA32_EFER | VMX_VM_EXIT_SAVE_VMX_PREEMPTION_TIMER, ++ .features[FEAT_VMX_MISC] = ++ MSR_VMX_MISC_STORE_LMA | MSR_VMX_MISC_ACTIVITY_HLT | ++ MSR_VMX_MISC_VMWRITE_VMEXIT, ++ .features[FEAT_VMX_PINBASED_CTLS] = ++ VMX_PIN_BASED_EXT_INTR_MASK | VMX_PIN_BASED_NMI_EXITING | ++ VMX_PIN_BASED_VIRTUAL_NMIS | VMX_PIN_BASED_VMX_PREEMPTION_TIMER | ++ VMX_PIN_BASED_POSTED_INTR, ++ .features[FEAT_VMX_PROCBASED_CTLS] = ++ VMX_CPU_BASED_VIRTUAL_INTR_PENDING | ++ VMX_CPU_BASED_USE_TSC_OFFSETING | VMX_CPU_BASED_HLT_EXITING | ++ VMX_CPU_BASED_INVLPG_EXITING | VMX_CPU_BASED_MWAIT_EXITING | ++ VMX_CPU_BASED_RDPMC_EXITING | VMX_CPU_BASED_RDTSC_EXITING | ++ VMX_CPU_BASED_CR3_LOAD_EXITING | VMX_CPU_BASED_CR3_STORE_EXITING | ++ VMX_CPU_BASED_CR8_LOAD_EXITING | VMX_CPU_BASED_CR8_STORE_EXITING | ++ VMX_CPU_BASED_TPR_SHADOW | VMX_CPU_BASED_VIRTUAL_NMI_PENDING | ++ VMX_CPU_BASED_MOV_DR_EXITING | VMX_CPU_BASED_UNCOND_IO_EXITING | ++ VMX_CPU_BASED_USE_IO_BITMAPS | VMX_CPU_BASED_MONITOR_TRAP_FLAG | ++ VMX_CPU_BASED_USE_MSR_BITMAPS | VMX_CPU_BASED_MONITOR_EXITING | ++ VMX_CPU_BASED_PAUSE_EXITING | ++ VMX_CPU_BASED_ACTIVATE_SECONDARY_CONTROLS, ++ .features[FEAT_VMX_SECONDARY_CTLS] = ++ VMX_SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES | ++ VMX_SECONDARY_EXEC_ENABLE_EPT | VMX_SECONDARY_EXEC_DESC | ++ VMX_SECONDARY_EXEC_RDTSCP | ++ VMX_SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE | ++ VMX_SECONDARY_EXEC_ENABLE_VPID | VMX_SECONDARY_EXEC_WBINVD_EXITING | ++ VMX_SECONDARY_EXEC_UNRESTRICTED_GUEST | ++ VMX_SECONDARY_EXEC_APIC_REGISTER_VIRT | ++ VMX_SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY | ++ VMX_SECONDARY_EXEC_RDRAND_EXITING | ++ VMX_SECONDARY_EXEC_ENABLE_INVPCID | ++ VMX_SECONDARY_EXEC_ENABLE_VMFUNC | VMX_SECONDARY_EXEC_SHADOW_VMCS | ++ VMX_SECONDARY_EXEC_RDSEED_EXITING | VMX_SECONDARY_EXEC_ENABLE_PML | ++ VMX_SECONDARY_EXEC_XSAVES, ++ .features[FEAT_VMX_VMFUNC] = ++ MSR_VMX_VMFUNC_EPT_SWITCHING, ++ .xlevel = 0x80000008, ++ .model_id = "Intel Xeon Processor 
(GraniteRapids)", ++ .versions = (X86CPUVersionDefinition[]) { ++ { .version = 1 }, ++ { /* end of list */ }, ++ }, ++ }, + { + .name = "Denverton", + .level = 21, +-- +2.27.0 + diff --git a/target-i386-Add-support-for-AMX-FP16-in-CPUID-enumer.patch b/target-i386-Add-support-for-AMX-FP16-in-CPUID-enumer.patch new file mode 100644 index 0000000000000000000000000000000000000000..27cdfaf249c65be4ea1ac7a5c5940b3f7300bd51 --- /dev/null +++ b/target-i386-Add-support-for-AMX-FP16-in-CPUID-enumer.patch 
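Review bot: The `.features[FEAT_ARCH_CAPABILITIES]` block advertises ten `*_NO` bits, each of which tells a guest kernel it may skip a mitigation, and nothing in the hunk records the constraint that they must never be exposed beyond what the host actually reports; a comment above the list, `/* *_NO bits are "not vulnerable" claims: never expose them beyond what the host's IA32_ARCH_CAPABILITIES reports */`, would help whoever adds the next model version. I also note MSR_ARCH_CAP_GDS_NO is absent although Patch0583 in this series adds that bit; whether Granite Rapids reports GDS_NO, and whether it belongs in v1 of this model or in a later version, cannot be decided from this hunk. builtin_x86_defs[] starts and ends outside the hunk.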
@@ -0,0 +1,62 @@ +From c362956eb88558991bee59e43d7db52c8bc7e5f5 Mon Sep 17 00:00:00 2001 +From: Jiaxi Chen +Date: Fri, 3 Mar 2023 14:59:09 +0800 +Subject: [PATCH] target/i386: Add support for AMX-FP16 in CPUID enumeration + +commit 99ed8445ea27742a4df40f51a3a5fbd6f8e76fa5 upstream. + +Latest Intel platform Granite Rapids has introduced a new instruction - +AMX-FP16, which performs dot-products of two FP16 tiles and accumulates +the results into a packed single precision tile. AMX-FP16 adds FP16 +capability and allows a FP16 GPU trained model to run faster without +loss of accuracy or added SW overhead. + +The bit definition: +CPUID.(EAX=7,ECX=1):EAX[bit 21] + +Add CPUID definition for AMX-FP16. + +Intel-SIG: commit 99ed8445ea27 target/i386: Add support for AMX-FP16 in CPUID enumeration. +Backport GNR and SRF ISA into QEMU-6.2 + +Signed-off-by: Jiaxi Chen +Signed-off-by: Tao Su +Reviewed-by: Xiaoyao Li +Message-Id: <20230303065913.1246327-3-tao1.su@linux.intel.com> +Signed-off-by: Paolo Bonzini +[ Quanxian Wang: amend commit log ] +Signed-off-by: Quanxian Wang +--- + target/i386/cpu.c | 2 +- + target/i386/cpu.h | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 47c2d9da80..3fc3b8041a 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -876,7 +876,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, "fzrm", "fsrs", + "fsrc", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ NULL, "amx-fp16", NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 4a7362ee07..c747e68a7a 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -891,6 +891,8 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, + #define CPUID_7_1_EAX_FSRS (1U << 11) + /* Fast Short REP CMPS/SCAS */ + #define CPUID_7_1_EAX_FSRC (1U << 12) ++/* Support Tile Computational Operations on FP16 Numbers */ 
++#define CPUID_7_1_EAX_AMX_FP16 (1U << 21) + + /* Do not exhibit MXCSR Configuration Dependent Timing (MCDT) behavior */ + #define CPUID_7_2_EDX_MCDT_NO (1U << 5) +-- +2.27.0 + diff --git a/target-i386-Add-support-for-AVX-IFMA-in-CPUID-enumer.patch b/target-i386-Add-support-for-AVX-IFMA-in-CPUID-enumer.patch new file mode 100644 index 0000000000000000000000000000000000000000..8b99815a4c1a33bdf4ce9d0825bf04c3a746c6e4 --- /dev/null +++ b/target-i386-Add-support-for-AVX-IFMA-in-CPUID-enumer.patch 
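Review bot: The new `CPUID_7_1_EAX_AMX_FP16` bit is only meaningful when AMX-TILE and its XTILE xsave components are present, yet the hunk adds no entry to the feature_dependencies[] table in cpu.c; if that table already ties AMX-INT8/AMX-BF16 to AMX_TILE (I cannot see it from here), amx-fp16 should get a matching `{ .from = { FEAT_7_0_EDX, CPUID_7_0_EDX_AMX_TILE }, .to = { FEAT_7_1_EAX, CPUID_7_1_EAX_AMX_FP16 } }` so that `amx-tile=off` also clears it. The header comment could name the leaf the way the commit message does: `/* AMX-FP16: CPUID.(EAX=7,ECX=1):EAX[bit 21], tile dot-products on FP16 */`.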
@@ -0,0 +1,60 @@ +From 8fe9899c39d86f9e0baf832744a7cfe19642a3fd Mon Sep 17 00:00:00 2001 +From: Jiaxi Chen +Date: Fri, 3 Mar 2023 14:59:10 +0800 +Subject: [PATCH] target/i386: Add support for AVX-IFMA in CPUID enumeration + +commit a957a88416ecbec51e147cba9fe89b93f6646b3b upstream. + +AVX-IFMA is a new instruction in the latest Intel platform Sierra +Forest. This instruction packed multiplies unsigned 52-bit integers and +adds the low/high 52-bit products to Qword Accumulators. + +The bit definition: +CPUID.(EAX=7,ECX=1):EAX[bit 23] + +Add CPUID definition for AVX-IFMA. + +Intel-SIG: commit a957a88416ec target/i386: Add support for AVX-IFMA in CPUID enumeration. +Backport GNR and SRF ISA into QEMU-6.2 + +Signed-off-by: Jiaxi Chen +Signed-off-by: Tao Su +Reviewed-by: Xiaoyao Li +Message-Id: <20230303065913.1246327-4-tao1.su@linux.intel.com> +Signed-off-by: Paolo Bonzini +[ Quanxian Wang: amend commit log ] +Signed-off-by: Quanxian Wang +--- + target/i386/cpu.c | 2 +- + target/i386/cpu.h | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 3fc3b8041a..b19fb0cf87 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -876,7 +876,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, "fzrm", "fsrs", + "fsrc", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +- NULL, "amx-fp16", NULL, NULL, ++ NULL, "amx-fp16", NULL, "avx-ifma", + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index c747e68a7a..2bcc127fac 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -893,6 +893,8 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, + #define CPUID_7_1_EAX_FSRC (1U << 12) + /* Support Tile Computational Operations on FP16 Numbers */ + #define CPUID_7_1_EAX_AMX_FP16 (1U << 21) ++/* Support for VPMADD52[H,L]UQ */ ++#define CPUID_7_1_EAX_AVX_IFMA (1U << 23) + + /* Do not exhibit MXCSR Configuration Dependent Timing (MCDT) 
behavior */ + #define CPUID_7_2_EDX_MCDT_NO (1U << 5) +-- +2.27.0 + diff --git a/target-i386-Add-support-for-AVX-NE-CONVERT-in-CPUID-.patch b/target-i386-Add-support-for-AVX-NE-CONVERT-in-CPUID-.patch new file mode 100644 index 0000000000000000000000000000000000000000..0eb1635b4d3fdc20048e7357ed1187e0dce8e058 --- /dev/null +++ b/target-i386-Add-support-for-AVX-NE-CONVERT-in-CPUID-.patch 
@@ -0,0 +1,62 @@ +From 165d587b52f7c8459d9a9deca389610f9165b33a Mon Sep 17 00:00:00 2001 +From: Quanxian Wang +Date: Wed, 8 Nov 2023 12:44:56 +0800 +Subject: [PATCH] target/i386: Add support for AVX-NE-CONVERT in CPUID + enumeration + +commit ecd2e6ca037d7bf3673c5478590d686d5cd6135a upstream. + +AVX-NE-CONVERT is a new set of instructions which can convert low +precision floating point like BF16/FP16 to high precision floating point +FP32, as well as convert FP32 elements to BF16. This instruction allows +the platform to have improved AI capabilities and better compatibility. + +The bit definition: +CPUID.(EAX=7,ECX=1):EDX[bit 5] + +Add CPUID definition for AVX-NE-CONVERT. + +Intel-SIG: commit ecd2e6ca037d target/i386: Add support for AVX-NE-CONVERT in CPUID enumeration. +Backport GNR and SRF ISA into QEMU-6.2 + +Signed-off-by: Jiaxi Chen +Signed-off-by: Tao Su +Reviewed-by: Xiaoyao Li +Message-Id: <20230303065913.1246327-6-tao1.su@linux.intel.com> +Signed-off-by: Paolo Bonzini +[ Quanxian Wang: amend commit log ] +Signed-off-by: Quanxian Wang +--- + target/i386/cpu.c | 2 +- + target/i386/cpu.h | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index a14284a81b..d36174d689 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -911,7 +911,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + .type = CPUID_FEATURE_WORD, + .feat_names = { + NULL, NULL, NULL, NULL, +- "avx-vnni-int8", NULL, NULL, NULL, ++ "avx-vnni-int8", "avx-ne-convert", NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index b81d77084c..93c8bd6a13 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -898,6 +898,8 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w, + #define CPUID_7_1_EAX_AVX_IFMA (1U << 23) + /* Support for VPDPB[SU,UU,SS]D[,S] */ + #define CPUID_7_1_EDX_AVX_VNNI_INT8 (1U << 4) ++/* AVX NE CONVERT 
Instructions */ ++#define CPUID_7_1_EDX_AVX_NE_CONVERT (1U << 5) + + /* Do not exhibit MXCSR Configuration Dependent Timing (MCDT) behavior */ + #define CPUID_7_2_EDX_MCDT_NO (1U << 5) +-- +2.27.0 + diff --git a/target-i386-Add-support-for-AVX-VNNI-INT8-in-CPUID-e.patch b/target-i386-Add-support-for-AVX-VNNI-INT8-in-CPUID-e.patch new file mode 100644 index 0000000000000000000000000000000000000000..b6fc1d0e249f9faa13f70b838153db3f5dc370b7 --- /dev/null +++ b/target-i386-Add-support-for-AVX-VNNI-INT8-in-CPUID-e.patch 
@@ -0,0 +1,110 @@
+From 71b820dc04fbe04342d5a05be3d774c704b682ec Mon Sep 17 00:00:00 2001
+From: Quanxian Wang
+Date: Wed, 8 Nov 2023 12:43:11 +0800
+Subject: [PATCH] target/i386: Add support for AVX-VNNI-INT8 in CPUID
+ enumeration
+
+commit eaaa197d5b112ea2758b54df58881a2626de3af5 upstream.
+
+AVX-VNNI-INT8 is a new set of instructions in the latest Intel platform
+Sierra Forest, aims for the platform to have superior AI capabilities.
+This instruction multiplies the individual bytes of two unsigned or
+unsigned source operands, then adds and accumulates the results into the
+destination dword element size operand.
+
+The bit definition:
+CPUID.(EAX=7,ECX=1):EDX[bit 4]
+
+AVX-VNNI-INT8 is on a new feature bits leaf. Add a CPUID feature word
+FEAT_7_1_EDX for this leaf.
+
+Add CPUID definition for AVX-VNNI-INT8.
+
+Intel-SIG: commit eaaa197d5b11 target/i386: Add support for AVX-VNNI-INT8 in CPUID enumeration.
+Backport GNR and SRF ISA into QEMU-6.2
+
+Signed-off-by: Jiaxi Chen
+Signed-off-by: Tao Su
+Reviewed-by: Xiaoyao Li
+Message-Id: <20230303065913.1246327-5-tao1.su@linux.intel.com>
+Signed-off-by: Paolo Bonzini
+[ Quanxian Wang: amend commit log ]
+Signed-off-by: Quanxian Wang
+---
+ target/i386/cpu.c | 22 +++++++++++++++++++++-
+ target/i386/cpu.h | 3 +++
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index b19fb0cf87..a14284a81b 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -663,6 +663,7 @@ void x86_cpu_vendor_words2str(char *dst, uint32_t vendor1,
+ #define TCG_7_0_EDX_FEATURES CPUID_7_0_EDX_FSRM
+ #define TCG_7_1_EAX_FEATURES (CPUID_7_1_EAX_FZRM | CPUID_7_1_EAX_FSRS | \
+ CPUID_7_1_EAX_FSRC)
++#define TCG_7_1_EDX_FEATURES 0
+ #define TCG_7_2_EDX_FEATURES 0
+ #define TCG_APM_FEATURES 0
+ #define TCG_6_EAX_FEATURES CPUID_6_EAX_ARAT
+@@ -906,6 +907,25 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ },
+ .tcg_features = TCG_7_2_EDX_FEATURES,
+ },
++ [FEAT_7_1_EDX] = {
++ .type 
= CPUID_FEATURE_WORD,
++ .feat_names = {
++ NULL, NULL, NULL, NULL,
++ "avx-vnni-int8", NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ },
++ .cpuid = {
++ .eax = 7,
++ .needs_ecx = true, .ecx = 1,
++ .reg = R_EDX,
++ },
++ .tcg_features = TCG_7_1_EDX_FEATURES,
++ },
+ [FEAT_8000_0007_EDX] = {
+ .type = CPUID_FEATURE_WORD,
+ .feat_names = {
+@@ -5557,9 +5577,9 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+ }
+ } else if (count == 1) {
+ *eax = env->features[FEAT_7_1_EAX];
++ *edx = env->features[FEAT_7_1_EDX];
+ *ebx = 0;
+ *ecx = 0;
+- *edx = 0;
+ } else if (count == 2) {
+ *edx = env->features[FEAT_7_2_EDX];
+ *eax = 0;
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index 2bcc127fac..b81d77084c 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -601,6 +601,7 @@ typedef enum FeatureWord {
+ FEAT_SGX_12_0_EAX, /* CPUID[EAX=0x12,ECX=0].EAX (SGX) */
+ FEAT_SGX_12_0_EBX, /* CPUID[EAX=0x12,ECX=0].EBX (SGX MISCSELECT[31:0]) */
+ FEAT_SGX_12_1_EAX, /* CPUID[EAX=0x12,ECX=1].EAX (SGX ATTRIBUTES[31:0]) */
++ FEAT_7_1_EDX, /* CPUID[EAX=7,ECX=1].EDX */
+ FEAT_7_2_EDX, /* CPUID[EAX=7,ECX=2].EDX */
+ FEATURE_WORDS,
+ } FeatureWord;
+@@ -895,6 +896,8 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
+ #define CPUID_7_1_EAX_AMX_FP16 (1U << 21)
+ /* Support for VPMADD52[H,L]UQ */
+ #define CPUID_7_1_EAX_AVX_IFMA (1U << 23)
++/* Support for VPDPB[SU,UU,SS]D[,S] */
++#define CPUID_7_1_EDX_AVX_VNNI_INT8 (1U << 4)
+
+ /* Do not exhibit MXCSR Configuration Dependent Timing (MCDT) behavior */
+ #define CPUID_7_2_EDX_MCDT_NO (1U << 5)
+--
+2.27.0
+
diff --git a/target-i386-Add-support-for-CMPCCXADD-in-CPUID-enume.patch b/target-i386-Add-support-for-CMPCCXADD-in-CPUID-enume.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d1633122ee5d8dfc1129f1881de2ff4eb2beed84
--- /dev/null
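Review bot: The new `*edx = env->features[FEAT_7_1_EDX];` in the count == 1 branch of cpu_x86_cpuid has no matching `x86_cpu_adjust_feat_level(cpu, FEAT_7_1_EDX);` in x86_cpu_expand_features, so a CPU whose FEAT_7_1_EAX bits are all cleared advertises a 07H maximum sub-leaf that hides the new EDX word. The later target-i386-Adjust-feature-level-according-to-FEAT_7.patch in this series adds exactly that call and names this commit in its Fixes: tag, so ordering it directly after this patch (or folding it in) would keep the backport bisectable. The new enum member is placed between FEAT_SGX_12_1_EAX and FEAT_7_2_EDX rather than next to FEAT_7_1_EAX; that works because feature_word_info uses designated initializers, but a short comment on the enum saying new words are appended to keep indexes stable would save the next backporter the question.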
+++ b/target-i386-Add-support-for-CMPCCXADD-in-CPUID-enume.patch 
@@ -0,0 +1,61 @@
+From 25d08629eab566f5a47bf915a86e20318ee1cf08 Mon Sep 17 00:00:00 2001
+From: Jiaxi Chen
+Date: Fri, 3 Mar 2023 14:59:08 +0800
+Subject: [PATCH] target/i386: Add support for CMPCCXADD in CPUID enumeration
+
+commit a9ce107fd0f2017af84255a9cf6542fa3eb3e214 upstream.
+
+CMPccXADD is a new set of instructions in the latest Intel platform
+Sierra Forest. This new instruction set includes a semaphore operation
+that can compare and add the operands if condition is met, which can
+improve database performance.
+
+The bit definition:
+CPUID.(EAX=7,ECX=1):EAX[bit 7]
+
+Add CPUID definition for CMPCCXADD.
+
+Intel-SIG: commit a9ce107fd0f2 target/i386: Add support for CMPCCXADD in CPUID enumeration.
+Backport GNR and SRF ISA into QEMU-6.2
+
+Signed-off-by: Jiaxi Chen
+Signed-off-by: Tao Su
+Reviewed-by: Xiaoyao Li
+Message-Id: <20230303065913.1246327-2-tao1.su@linux.intel.com>
+Signed-off-by: Paolo Bonzini
+[ Quanxian Wang: amend commit log ]
+Signed-off-by: Quanxian Wang
+---
+ target/i386/cpu.c | 2 +-
+ target/i386/cpu.h | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 58124071da..47c2d9da80 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -872,7 +872,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ .type = CPUID_FEATURE_WORD,
+ .feat_names = {
+ NULL, NULL, NULL, NULL,
+- "avx-vnni", "avx512-bf16", NULL, NULL,
++ "avx-vnni", "avx512-bf16", NULL, "cmpccxadd",
+ NULL, NULL, "fzrm", "fsrs",
+ "fsrc", NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index 37c687d4d8..4a7362ee07 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -883,6 +883,8 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
+ #define CPUID_7_1_EAX_AVX_VNNI (1U << 4)
+ /* AVX512 BFloat16 Instruction */
+ #define CPUID_7_1_EAX_AVX512_BF16 (1U << 5)
++/* CMPCCXADD Instructions */
++#define CPUID_7_1_EAX_CMPCCXADD (1U << 7)
+ /* Fast 
Zero REP MOVS */
+ #define CPUID_7_1_EAX_FZRM (1U << 10)
+ /* Fast Short REP STOS */
+--
+2.27.0
+
diff --git a/target-i386-Add-support-for-PREFETCHIT0-1-in-CPUID-e.patch b/target-i386-Add-support-for-PREFETCHIT0-1-in-CPUID-e.patch
new file mode 100644
index 0000000000000000000000000000000000000000..59053fd787257ca0e120a32b0d398f10b81f2616
--- /dev/null
+++ b/target-i386-Add-support-for-PREFETCHIT0-1-in-CPUID-e.patch
@@ -0,0 +1,61 @@
+From 9a56c714caaf3bf31430a769befdf92e79388dda Mon Sep 17 00:00:00 2001
+From: Quanxian Wang
+Date: Wed, 8 Nov 2023 12:46:00 +0800
+Subject: [PATCH] target/i386: Add support for PREFETCHIT0/1 in CPUID
+ enumeration
+
+commit d1a1111514333e46a98b136235f71eef90d610fa upstream.
+
+Latest Intel platform Granite Rapids has introduced a new instruction -
+PREFETCHIT0/1, which moves code to memory (cache) closer to the
+processor depending on specific hints.
+
+The bit definition:
+CPUID.(EAX=7,ECX=1):EDX[bit 14]
+
+Add CPUID definition for PREFETCHIT0/1.
+
+Intel-SIG: commit d1a111151433 target/i386: Add support for PREFETCHIT0/1 in CPUID enumeration.
+Backport GNR and SRF ISA into QEMU-6.2
+
+Signed-off-by: Jiaxi Chen
+Signed-off-by: Tao Su
+Reviewed-by: Xiaoyao Li
+Message-Id: <20230303065913.1246327-7-tao1.su@linux.intel.com>
+Signed-off-by: Paolo Bonzini
+[ Quanxian Wang: amend commit log ]
+Signed-off-by: Quanxian Wang
+---
+ target/i386/cpu.c | 2 +-
+ target/i386/cpu.h | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index d36174d689..ee243693e3 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -913,7 +913,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ NULL, NULL, NULL, NULL,
+ "avx-vnni-int8", "avx-ne-convert", NULL, NULL,
+ NULL, NULL, NULL, NULL,
+- NULL, NULL, NULL, NULL,
++ NULL, NULL, "prefetchiti", NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+diff --git a/target/i386/cpu.h b/target/i386/cpu.h
+index 93c8bd6a13..32ecec5fa7 100644
+--- a/target/i386/cpu.h
++++ b/target/i386/cpu.h
+@@ -900,6 +900,8 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
+ #define CPUID_7_1_EDX_AVX_VNNI_INT8 (1U << 4)
+ /* AVX NE CONVERT Instructions */
+ #define CPUID_7_1_EDX_AVX_NE_CONVERT (1U << 5)
++/* PREFETCHIT0/1 Instructions */
++#define CPUID_7_1_EDX_PREFETCHITI (1U << 14)
+
+ /* Do not exhibit MXCSR Configuration 
Dependent Timing (MCDT) behavior */
+ #define CPUID_7_2_EDX_MCDT_NO (1U << 5)
+--
+2.27.0
+
diff --git a/target-i386-Adjust-feature-level-according-to-FEAT_7.patch b/target-i386-Adjust-feature-level-according-to-FEAT_7.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3c238c62f69f25e0943d4d95f2f6933361564b69
--- /dev/null
+++ b/target-i386-Adjust-feature-level-according-to-FEAT_7.patch
@@ -0,0 +1,46 @@
+From 52d000a4043f3000f880bb5c75a298f57b8e0fe0 Mon Sep 17 00:00:00 2001
+From: Tao Su
+Date: Thu, 6 Jul 2023 13:49:44 +0800
+Subject: [PATCH] target/i386: Adjust feature level according to FEAT_7_1_EDX
+
+commit 8731336e90dea3dd04948127e775c9f087f97a4c upstream.
+
+If FEAT_7_1_EAX is 0 and FEAT_7_1_EDX is non-zero, as is the case
+with a Granite Rapids host and
+'-cpu host,-avx-vnni,-avx512-bf16,-fzrm,-fsrs,-fsrc,-amx-fp16', we can't
+get CPUID_7_1 leaf even though CPUID_7_1_EDX has non-zero value.
+
+Update cpuid_level_func7 according to CPUID_7_1_EDX, otherwise
+guest may report wrong maximum number sub-leaves in leaf 07H.
+
+Fixes: eaaa197d5b11 ("target/i386: Add support for AVX-VNNI-INT8 in CPUID enumeration")
+
+Intel-SIG: commit 8731336e90de target/i386: Adjust feature level according to FEAT_7_1_EDX.
+Backport GNR and SRF ISA into QEMU-6.2
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Tao Su
+Reviewed-by: Xiaoyao Li
+Message-ID: <20230706054949.66556-2-tao1.su@linux.intel.com>
+Signed-off-by: Paolo Bonzini
+[ Quanxian Wang: amend commit log ]
+Signed-off-by: Quanxian Wang
+---
+ target/i386/cpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index efe0c2b46c..6aaa730a0d 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -6551,6 +6551,7 @@ void x86_cpu_expand_features(X86CPU *cpu, Error **errp)
+ x86_cpu_adjust_feat_level(cpu, FEAT_6_EAX);
+ x86_cpu_adjust_feat_level(cpu, FEAT_7_0_ECX);
+ x86_cpu_adjust_feat_level(cpu, FEAT_7_1_EAX);
++ x86_cpu_adjust_feat_level(cpu, FEAT_7_1_EDX);
+ x86_cpu_adjust_feat_level(cpu, FEAT_7_2_EDX);
+ x86_cpu_adjust_feat_level(cpu, FEAT_8000_0001_EDX);
+ x86_cpu_adjust_feat_level(cpu, FEAT_8000_0001_ECX);
+--
+2.27.0
+
diff --git a/target-i386-Export-GDS_NO-bit-to-guests.patch b/target-i386-Export-GDS_NO-bit-to-guests.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5b6e5f10815daeed3d809ead15b6141330f6f877
--- /dev/null
+++ b/target-i386-Export-GDS_NO-bit-to-guests.patch
@@ -0,0 +1,46 @@
+From 3cea2c36571b39a6fa956abe66507c04283ad614 Mon Sep 17 00:00:00 2001
+From: Pawan Gupta
+Date: Mon, 14 Aug 2023 21:54:27 -0700
+Subject: [PATCH] target/i386: Export GDS_NO bit to guests
+
+commit 3a2a1f97ea349745094e789e6b0768dbd92d0dcd upstream.
+
+Gather Data Sampling (GDS) is a side-channel attack using Gather
+instructions. Some Intel processors will set ARCH_CAP_GDS_NO bit in
+MSR IA32_ARCH_CAPABILITIES to report that they are not vulnerable to
+GDS.
+
+Make this bit available to guests.
+
+Intel-SIG: commit 3a2a1f97ea34 ("target/i386: Export GDS_NO bit to guests")
+Backport to export GDS_NO bit to guests(CVE-2022-40982).
+
+Closes: https://lore.kernel.org/qemu-devel/CAMGffEmG6TNq0n3+4OJAgXc8J0OevY60KHZekXCBs3LoK9vehA@mail.gmail.com/
+Reported-by: Jack Wang
+Signed-off-by: Pawan Gupta
+Tested-by: Jack Wang
+Tested-by: Daniel Sneddon
+Message-ID:
+Signed-off-by: Paolo Bonzini
+[ Aichun Shi: amend commit log ]
+Signed-off-by: Aichun Shi
+---
+ target/i386/cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index eb911b12fa..58124071da 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -1004,7 +1004,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ NULL, "sbdr-ssdp-no", "fbsdp-no", "psdp-no",
+ NULL, "fb-clear", NULL, NULL,
+ NULL, NULL, NULL, NULL,
+- "pbrsb-no", NULL, NULL, NULL,
++ "pbrsb-no", NULL, "gds-no", NULL,
+ NULL, NULL, NULL, NULL,
+ },
+ .msr = {
+--
+2.27.0
+
diff --git a/tests-qtest-check-the-return-value.patch b/tests-qtest-check-the-return-value.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ada8e4a34533defdd67bfda81721393fe039afe7
--- /dev/null
+++ b/tests-qtest-check-the-return-value.patch
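Review bot: The new `"gds-no"` name is added to the arch-capabilities feature word only, with no named CPU model or header constant touched, which is the right scope for a *_NO bit: per the commit message a guest that sees it treats itself as not vulnerable to GDS, so the bit should reach a guest only when the host MSR actually reports it, never by hand-adding `+gds-no` to a model on an unpatched host. A one-line comment next to the row, `/* bit 26: GDS_NO, passthrough only */`, would record that intent where the next backport will look. The enclosing feature_word_info entry starts and ends outside the hunk.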
@@ -0,0 +1,62 @@
+From 53e0242318e838013504688307af44e80ab36c70 Mon Sep 17 00:00:00 2001
+From: zhujun2
+Date: Tue, 21 Nov 2023 18:03:25 -0800
+Subject: [PATCH] tests/qtest: check the return value
+
+These variables "ret" are never referenced in the code, thus
+add check logic for the "ret"
+
+Signed-off-by: zhujun2
+---
+ tests/qtest/test-filter-mirror.c | 1 +
+ tests/qtest/test-filter-redirector.c | 2 ++
+ tests/qtest/virtio-net-test.c | 1 +
+ 3 files changed, 4 insertions(+)
+
+diff --git a/tests/qtest/test-filter-mirror.c b/tests/qtest/test-filter-mirror.c
+index bc0dee64dd..40f736734a 100644
+--- a/tests/qtest/test-filter-mirror.c
++++ b/tests/qtest/test-filter-mirror.c
+@@ -71,6 +71,7 @@ static void test_mirror(void)
+ g_assert_cmpint(len, ==, sizeof(send_buf));
+ recv_buf = g_malloc(len);
+ ret = qemu_recv(recv_sock[0], recv_buf, len, 0);
++ g_assert_cmpint(ret, ==, len);
+ g_assert_cmpstr(recv_buf, ==, send_buf);
+
+ g_free(recv_buf);
+diff --git a/tests/qtest/test-filter-redirector.c b/tests/qtest/test-filter-redirector.c
+index 4269b2cdd9..f802c94f54 100644
+--- a/tests/qtest/test-filter-redirector.c
++++ b/tests/qtest/test-filter-redirector.c
+@@ -133,6 +133,7 @@ static void test_redirector_tx(void)
+ g_assert_cmpint(len, ==, sizeof(send_buf));
+ recv_buf = g_malloc(len);
+ ret = qemu_recv(recv_sock, recv_buf, len, 0);
++ g_assert_cmpint(ret, ==, len);
+ g_assert_cmpstr(recv_buf, ==, send_buf);
+
+ g_free(recv_buf);
+@@ -201,6 +202,7 @@ static void test_redirector_rx(void)
+ g_assert_cmpint(len, ==, sizeof(send_buf));
+ recv_buf = g_malloc(len);
+ ret = qemu_recv(backend_sock[0], recv_buf, len, 0);
++ g_assert_cmpint(ret, ==, len);
+ g_assert_cmpstr(recv_buf, ==, send_buf);
+
+ close(send_sock);
+diff --git a/tests/qtest/virtio-net-test.c b/tests/qtest/virtio-net-test.c
+index 8bf74e516c..aab4480fb0 100644
+--- a/tests/qtest/virtio-net-test.c
++++ b/tests/qtest/virtio-net-test.c
+@@ -92,6 +92,7 @@ static void tx_test(QVirtioDevice *dev,
+ len = 
ntohl(len);
+
+ ret = qemu_recv(socket, buffer, len, 0);
++ g_assert_cmpint(ret, ==, len);
+ g_assert_cmpstr(buffer, ==, "TEST");
+ }
+
+--
+2.27.0
+
diff --git a/tpm_crb-mark-command-buffer-as-dirty-on-request-comp.patch b/tpm_crb-mark-command-buffer-as-dirty-on-request-comp.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c989e26e417cfc3e093737193cf1babca5a6f3d3
--- /dev/null
+++ b/tpm_crb-mark-command-buffer-as-dirty-on-request-comp.patch
@@ -0,0 +1,43 @@
+From 1e32685272ff1932b9ca022db8717720fc901d0e Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Mon, 6 Nov 2023 06:17:47 +0000
+Subject: [PATCH] tpm_crb: mark command buffer as dirty on request completion
+ mainline inclusion commit e37a0ef4605e5d2041785ff3fc89ca6021faf7a0 category:
+ bugfix
+
+---------------------------------------------------------------
+
+At the moment, there doesn't seems to be any way to know that QEMU
+made modification to the command buffer. This is potentially an issue
+on Xen while migrating a guest, as modification to the buffer after
+the migration as started could be ignored and not transfered to the
+destination.
+
+Mark the memory region of the command buffer as dirty once a request
+is completed.
+
+Signed-off-by: Anthony PERARD
+Reviewed-by: Stefan Berger
+Signed-off-by: Stefan Berger
+Message-id: 20220411144749.47185-1-anthony.perard@citrix.com
+
+Signed-off-by: tangbinzy
+---
+ hw/tpm/tpm_crb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/tpm/tpm_crb.c b/hw/tpm/tpm_crb.c
+index 58ebd1469c..c05972736a 100644
+--- a/hw/tpm/tpm_crb.c
++++ b/hw/tpm/tpm_crb.c
+@@ -196,6 +196,7 @@ static void tpm_crb_request_completed(TPMIf *ti, int ret)
+ ARRAY_FIELD_DP32(s->regs, CRB_CTRL_STS,
+ tpmSts, 1); /* fatal error */
+ }
++ memory_region_set_dirty(&s->cmdmem, 0, CRB_CTRL_CMD_SIZE);
+ }
+
+ static enum TPMVersion tpm_crb_get_version(TPMIf *ti)
+--
+2.27.0
+
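Review bot: In the virtio-net-test.c hunk the new `g_assert_cmpint(ret, ==, len);` only runs after `qemu_recv(socket, buffer, len, 0)` has already used the socket-supplied `len` as the read size, so if `buffer` is a fixed-size array (its declaration is outside the hunk) an oversized length overruns it before the assertion can fire. Bounding the length first, `g_assert_cmpint(len, <=, sizeof(buffer));` immediately after `len = ntohl(len);`, makes the harness fail cleanly instead of corrupting memory. The three filter-test hunks already check `len` against `sizeof(send_buf)` before `g_malloc(len)`, which is the same guard the virtio-net path lacks. tx_test begins outside the hunk.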
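Review bot: The added `memory_region_set_dirty(&s->cmdmem, 0, CRB_CTRL_CMD_SIZE);` gives no hint why a device marks its own region dirty, and the rationale (migration on Xen missing QEMU-side writes to the command buffer) lives only in the commit message; a comment above the call, `/* QEMU wrote the response into cmdmem; flag it so migration copies it */`, would keep it from being dropped as redundant later. It also runs on the fatal-error branch just above, where only the status register was updated, which is harmless but worth stating in that comment. tpm_crb_request_completed starts outside the hunk.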
diff --git a/tracetool-avoid-invalid-escape-in-Python-string.patch b/tracetool-avoid-invalid-escape-in-Python-string.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ffd30a2c5787f4ce7a948eafd63d42bf89cc8b92
--- /dev/null
+++ b/tracetool-avoid-invalid-escape-in-Python-string.patch
@@ -0,0 +1,38 @@
+From cb5e4e55c489462a2ff11143a5768b5c096bf1ad Mon Sep 17 00:00:00 2001
+From: qihao
+Date: Wed, 15 Nov 2023 14:49:44 +0800
+Subject: [PATCH] tracetool: avoid invalid escape in Python string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from 4d96307c5b4fac40c6ca25f38318b4b65d315de0
+
+This is an error in Python 3.12; fix it by using a raw string literal.
+
+Cc:
+Signed-off-by: Marc-André Lureau
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Stefan Hajnoczi
+Message-ID: <20231108105649.60453-1-marcandre.lureau@redhat.com>
+Signed-off-by: qihao_yewu
+---
+ scripts/tracetool/__init__.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/tracetool/__init__.py b/scripts/tracetool/__init__.py
+index 5bc94d95cf..630e85a5d6 100644
+--- a/scripts/tracetool/__init__.py
++++ b/scripts/tracetool/__init__.py
+@@ -94,7 +94,7 @@ def out(*lines, **kwargs):
+ def validate_type(name):
+ bits = name.split(" ")
+ for bit in bits:
+- bit = re.sub("\*", "", bit)
++ bit = re.sub(r"\*", "", bit)
+ if bit == "":
+ continue
+ if bit == "const":
+--
+2.27.0
+
diff --git a/vga-avoid-crash-if-no-default-vga-card.patch b/vga-avoid-crash-if-no-default-vga-card.patch
new file mode 100644
index 0000000000000000000000000000000000000000..829bcae46235e3d63cbee2cfdf9c28893c6374f2
--- /dev/null
+++ b/vga-avoid-crash-if-no-default-vga-card.patch
@@ -0,0 +1,41 @@
+From 70b0d16c684364594443520fba504e665f167cc4 Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Fri, 17 Nov 2023 09:38:56 +0000
+Subject: [PATCH] vga: avoid crash if no default vga card mainline inclusion
+ commit 6985d8ede92494f3b791de01e8ee9306eb6d5e4a category: bugfix
+
+---------------------------------------------------------------
+
+QEMU in some arch will crash when executing -vga help command, because
+there is no default vga model. Add check to this case and avoid crash.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/978
+
+Signed-off-by: Guo Zhi
+Reviewed-by: Thomas Huth
+Tested-by: Thomas Huth
+Message-Id: <20220503091724.970009-1-qtxuning1999@sjtu.edu.cn>
+Signed-off-by: Laurent Vivier
+
+Signed-off-by: tangbinzy
+---
+ softmmu/vl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/softmmu/vl.c b/softmmu/vl.c
+index d8996f3d6e..e34c8a0646 100644
+--- a/softmmu/vl.c
++++ b/softmmu/vl.c
+@@ -974,7 +974,8 @@ static void select_vgahw(const MachineClass *machine_class, const char *p)
+
+ if (vga_interface_available(t) && ti->opt_name) {
+ printf("%-20s %s%s\n", ti->opt_name, ti->name ?: "",
+- g_str_equal(ti->opt_name, def) ? " (default)" : "");
++ (def && g_str_equal(ti->opt_name, def)) ?
++ " (default)" : "");
+ }
+ }
+ exit(0);
+--
+2.27.0
+
diff --git a/virtio-iommu-Fix-the-partial-copy-of-probe-request.patch b/virtio-iommu-Fix-the-partial-copy-of-probe-request.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4ae4766bbdb40027f7ea52064293b043dc2afdd9
--- /dev/null
+++ b/virtio-iommu-Fix-the-partial-copy-of-probe-request.patch
@@ -0,0 +1,60 @@
+From 1e73eaa18c753157046d22e43333fd9bc711eaa9 Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Fri, 17 Nov 2023 09:55:19 +0000
+Subject: [PATCH] virtio-iommu: Fix the partial copy of probe request mainline
+ inclusion commit 45461aace83d961e933b27519b81d17b4c690514 category: bugfix
+
+---------------------------------------------------------------
+
+The structure of probe request doesn't include the tail, this leads
+to a few field missed to be copied. Currently this isn't an issue as
+those missed field belong to reserved field, just in case reserved
+field will be used in the future.
+
+Changed 4th parameter of virtio_iommu_iov_to_req() to receive size
+of device-readable part.
+
+Fixes: 1733eebb9e75b ("virtio-iommu: Implement RESV_MEM probe request")
+Signed-off-by: Zhenzhong Duan
+Message-Id: <20220623023152.3473231-1-zhenzhong.duan@intel.com>
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+Reviewed-by: Jean-Philippe Brucker
+Reviewed-by: Eric Auger
+
+Signed-off-by: tangbinzy
+---
+ hw/virtio/virtio-iommu.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/virtio/virtio-iommu.c b/hw/virtio/virtio-iommu.c
+index ed47d4cb64..ae33d93b11 100644
+--- a/hw/virtio/virtio-iommu.c
++++ b/hw/virtio/virtio-iommu.c
+@@ -547,11 +547,10 @@ static int virtio_iommu_probe(VirtIOIOMMU *s,
+
+ static int virtio_iommu_iov_to_req(struct iovec *iov,
+ unsigned int iov_cnt,
+- void *req, size_t req_sz)
++ void *req, size_t payload_sz)
+ {
+- size_t sz, payload_sz = req_sz - sizeof(struct virtio_iommu_req_tail);
++ size_t sz = iov_to_buf(iov, iov_cnt, 0, req, payload_sz);
+
+- sz = iov_to_buf(iov, iov_cnt, 0, req, payload_sz);
+ if (unlikely(sz != payload_sz)) {
+ return VIRTIO_IOMMU_S_INVAL;
+ }
+@@ -564,7 +563,8 @@ static int virtio_iommu_handle_ ## __req(VirtIOIOMMU *s, \
+ unsigned int iov_cnt) \
+ { \
+ struct virtio_iommu_req_ ## __req req; \
+- int ret = virtio_iommu_iov_to_req(iov, iov_cnt, &req, 
sizeof(req)); \
++ int ret = virtio_iommu_iov_to_req(iov, iov_cnt, &req, \
++ sizeof(req) - sizeof(struct virtio_iommu_req_tail));\
+ \
+ return ret ? ret : virtio_iommu_ ## __req(s, &req); \
+ }
+--
+2.27.0
+
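Review bot: Now that `virtio_iommu_iov_to_req` copies exactly `payload_sz` bytes, deciding what to subtract has moved to every caller, and the macro line `sizeof(req) - sizeof(struct virtio_iommu_req_tail));\` carries no explanation of why the tail is excluded; a comment on that line, `/* the tail is device-written, copy only the driver-supplied part */` (wording per the commit message), would stop the next handler author from passing plain sizeof(req) for a request that does have a tail, or from subtracting it for one that does not. If the probe handler outside this hunk keeps passing sizeof(req), that is presumably the intended fix, since the commit message states the probe structure has no tail, and a matching comment there would make the asymmetry deliberate rather than accidental. The generated handler's signature sits in the hunk header; the rest of the macro is within the hunk.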