From 0daa85c552b85d574bb0b52dc097e5c1a22a63a1 Mon Sep 17 00:00:00 2001 From: Jiabo Feng Date: Mon, 1 Apr 2024 08:48:07 +0800 Subject: [PATCH] =?UTF-8?q?QEMU=20update=20to=20version=208.2.0-4:=20-=20m?= =?UTF-8?q?igration:=20Skip=20only=20empty=20block=20devicesi=20-=20iotest?= =?UTF-8?q?s:=20adapt=20to=20output=20change=20for=20recently=20introduced?= =?UTF-8?q?=20'detached=20hea=E2=80=A6=20-=20travis-ci:=20Rename=20SOFTMMU?= =?UTF-8?q?=20->=20SYSTEM=20-=20block:=20disallow=20block=20jobs=20when=20?= =?UTF-8?q?there=20is=20a=20BDRV=5FO=5FINACTIVE=20flag=20-=20[backup]=20me?= =?UTF-8?q?mory:=20bakcup=20hugepages:=20hugepages=20files=20maybe=20lefto?= =?UTF-8?q?ver=20-=20memory:=20[backup]=20Modify=20the=20VM's=20physical?= =?UTF-8?q?=20bits=20value=20set=20policy.=20-=20ui/clipboard:=20mark=20ty?= =?UTF-8?q?pe=20as=20not=20available=20when=20there=20is=20no=20data=20(CV?= =?UTF-8?q?E-2023-6683)=20-=20virtio-net:=20correctly=20copy=20vnet=20head?= =?UTF-8?q?er=20when=20flushing=20TX=20(CVE-2023-6693)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Jiabo Feng --- ...kcup-hugepages-hugepages-files-maybe.patch | 101 ++++++++++++++ ...lock-jobs-when-there-is-a-BDRV_O_INA.patch | 47 +++++++ ...-output-change-for-recently-introduc.patch | 62 +++++++++ ...dify-the-VM-s-physical-bits-value-se.patch | 126 ++++++++++++++++++ ...ation-Skip-only-empty-block-devicesi.patch | 86 ++++++++++++ qemu.spec | 20 ++- travis-ci-Rename-SOFTMMU-SYSTEM.patch | 67 ++++++++++ ...k-type-as-not-available-when-there-i.patch | 89 +++++++++++++ ...ctly-copy-vnet-header-when-flushing-.patch | 72 ++++++++++ 9 files changed, 669 insertions(+), 1 deletion(-) create mode 100644 backup-memory-bakcup-hugepages-hugepages-files-maybe.patch create mode 100644 block-disallow-block-jobs-when-there-is-a-BDRV_O_INA.patch create mode 100644 iotests-adapt-to-output-change-for-recently-introduc.patch create mode 100644 memory-backup-Modify-the-VM-s-physical-bits-value-se.patch create mode 100644 migration-Skip-only-empty-block-devicesi.patch create mode 100644 travis-ci-Rename-SOFTMMU-SYSTEM.patch create mode 100644 ui-clipboard-mark-type-as-not-available-when-there-i.patch create mode 100644 virtio-net-correctly-copy-vnet-header-when-flushing-.patch diff --git a/backup-memory-bakcup-hugepages-hugepages-files-maybe.patch b/backup-memory-bakcup-hugepages-hugepages-files-maybe.patch new file mode 100644 index 0000000..9a08dc5 --- /dev/null +++ b/backup-memory-bakcup-hugepages-hugepages-files-maybe.patch 
@@ -0,0 +1,101 @@ +From c28455a0bac4bbf171d1f19e162557377a85e96c Mon Sep 17 00:00:00 2001 +From: Ming Yang +Date: Sat, 23 Mar 2024 16:32:46 +0800 +Subject: [PATCH] [backup] memory: bakcup hugepages: hugepages files maybe + leftover + +old info: +commit id: +3cb1b0ce091998532a30793e3272925da4e6f3aa +old messages: +hugepages: hugepages files maybe leftover + +Before qemu uses the hugepage memory directory /dev/hugepages/libvirt/qemu/xxx, +The directory may be deleted because of the destroy virtual machine. +Cause qemu to create files directly under /dev/hugepages/libvirt/qemu/. +After the file is created, the file is not cleaned up by unlink, +and when the virtual machine is destroyed, libvirt will only clean up +/dev/hugepages/libvirt/qemu/xxx directory. After creating the hugepage file, +execute unlink to clean up the file to fix the problem. + +Signed-off-by: Jinhua Cao +Signed-off-by: Jiajie Li + +Signed-off-by: Ming Yang +--- + include/qemu/mmap-alloc.h | 4 ++++ + system/physmem.c | 9 ++++++++- + util/mmap-alloc.c | 22 ++++++++++++++++++++++ + 3 files changed, 34 insertions(+), 1 deletion(-) + +diff --git a/include/qemu/mmap-alloc.h b/include/qemu/mmap-alloc.h +index 8344daaa03..63e4edfd2f 100644 +--- a/include/qemu/mmap-alloc.h ++++ b/include/qemu/mmap-alloc.h +@@ -1,6 +1,10 @@ + #ifndef QEMU_MMAP_ALLOC_H + #define QEMU_MMAP_ALLOC_H + ++#define HUGETLBFS_MAGIC 0x958458f6 ++ ++size_t qemu_fd_getfiletype(int fd); ++ + typedef enum { + QEMU_FS_TYPE_UNKNOWN = 0, + QEMU_FS_TYPE_TMPFS, +diff --git a/system/physmem.c b/system/physmem.c +index a63853a7bc..f14d64819b 100644 +--- a/system/physmem.c ++++ b/system/physmem.c +@@ -1329,7 +1329,14 @@ static int file_ram_open(const char *path, + /* @path names a file that doesn't exist, create it */ + fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0644); + if (fd >= 0) { +- *created = true; ++ info_report("open %s success \n", path); ++ /* if fd file type is HUGETLBFS_MAGIC, unlink it, */ ++ /* in case to prevent residue after 
qemu killed */ ++ if (qemu_fd_getfiletype(fd) == HUGETLBFS_MAGIC) { ++ unlink(path); ++ } else { ++ *created = true; ++ } + break; + } + } else if (errno == EISDIR) { +diff --git a/util/mmap-alloc.c b/util/mmap-alloc.c +index ed14f9c64d..6890ad676c 100644 +--- a/util/mmap-alloc.c ++++ b/util/mmap-alloc.c +@@ -30,6 +30,28 @@ + #include + #endif + ++size_t qemu_fd_getfiletype(int fd) ++{ ++ struct statfs fs; ++ int ret; ++ ++ if (fd != -1) { ++ do { ++ ret = fstatfs(fd, &fs); ++ } while (ret != 0 && errno == EINTR); ++ ++ if (ret != 0) { ++ fprintf(stderr, "Couldn't fstatfs() fd: %s\n", ++ strerror(errno)); ++ return -1; ++ } ++ return fs.f_type; ++ } else { ++ fprintf(stderr, "fd is invalid \n"); ++ return -1; ++ } ++} ++ + QemuFsType qemu_fd_getfs(int fd) + { + #ifdef CONFIG_LINUX +-- +2.27.0 + diff --git a/block-disallow-block-jobs-when-there-is-a-BDRV_O_INA.patch b/block-disallow-block-jobs-when-there-is-a-BDRV_O_INA.patch new file mode 100644 index 0000000..f2f7ad6 --- /dev/null +++ b/block-disallow-block-jobs-when-there-is-a-BDRV_O_INA.patch 
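Review bot: `qemu_fd_getfiletype` is declared to return `size_t` yet returns `-1` on both failure paths, so a caller sees `SIZE_MAX` and cannot tell an fstatfs error from an unusual filesystem type; `fs.f_type` is a signed word, so `long qemu_fd_getfiletype(int fd);` (or an `int` status plus an out-parameter) would state the contract honestly. In `file_ram_open` the `unlink(path)` result is ignored, and a failure there silently reintroduces the leftover hugepage file the patch sets out to prevent, so at least `warn_report` it. The header now defines `HUGETLBFS_MAGIC` unconditionally, which will clash with `<linux/magic.h>` in any translation unit that includes both should the values ever diverge; wrapping it in `#ifndef HUGETLBFS_MAGIC` avoids that. `info_report` already ends its line, so the `\n` in `"open %s success \n"` prints an extra blank line, and the new function appears to sit after an `#endif` in `util/mmap-alloc.c` — whether `struct statfs`/`fstatfs` are in scope on non-Linux builds is not visible here; `file_ram_open` continues outside the hunk.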
@@ -0,0 +1,47 @@ +From f9aef3909d23af6a33c604f59dccfcb764090f01 Mon Sep 17 00:00:00 2001 +From: WangJian +Date: Wed, 9 Feb 2022 11:29:15 +0800 +Subject: [PATCH] block: disallow block jobs when there is a BDRV_O_INACTIVE + flag + +Currently, migration will put a BDRV_O_INACTIVE flag +on bs's open_flags until another resume being called. In that case, +any IO from vm or block jobs will cause a qemu crash with an assert +'assert(!(bs->open_flags & BDRV_O_INACTIVE))' failure in bdrv_co_pwritev +function. we hereby disallow block jobs by faking a blocker. + +Signed-off-by: wangjian161 +--- + block.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/block.c b/block.c +index bfb0861ec6..b7cb963929 100644 +--- a/block.c ++++ b/block.c +@@ -7298,6 +7298,22 @@ bool bdrv_op_is_blocked(BlockDriverState *bs, BlockOpType op, Error **errp) + bdrv_get_device_or_node_name(bs)); + return true; + } ++ ++ /* ++ * When migration puts a BDRV_O_INACTIVE flag on driver's open_flags, ++ * we fake a blocker that doesn't exist. From now on, block jobs ++ * will not be permitted. ++ */ ++ if ((op == BLOCK_OP_TYPE_RESIZE || op == BLOCK_OP_TYPE_COMMIT_SOURCE || ++ op == BLOCK_OP_TYPE_MIRROR_SOURCE || op == BLOCK_OP_TYPE_MIRROR_TARGET) && ++ (bs->open_flags & BDRV_O_INACTIVE)) { ++ if (errp) { ++ error_setg(errp, "block device is in use by migration with" ++ " a driver BDRV_O_INACTIVE flag setted"); ++ } ++ return true; ++ } ++ + return false; + } + +-- +2.27.0 + diff --git a/iotests-adapt-to-output-change-for-recently-introduc.patch b/iotests-adapt-to-output-change-for-recently-introduc.patch new file mode 100644 index 0000000..85946c3 --- /dev/null +++ b/iotests-adapt-to-output-change-for-recently-introduc.patch 
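Review bot: The new error text in `bdrv_op_is_blocked` ends in `"BDRV_O_INACTIVE flag setted"`; this string reaches management tools, so change it to `" a driver BDRV_O_INACTIVE flag set"`. The `if (errp)` guard is redundant because `error_setg` accepts a NULL `errp`, and dropping it keeps the branch parallel with the existing blocker path above. The hunk does not say why exactly these four op types are blocked while an inactive node is also unsafe for other writers; a short comment such as `/* the job types that would write to bs while migration owns it */` would let the next reader judge completeness. `bdrv_op_is_blocked` begins outside the hunk.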
@@ -0,0 +1,62 @@ +From 7212ca27f0dc957f83fe29858430ee2927e0175c Mon Sep 17 00:00:00 2001 +From: root +Date: Mon, 25 Mar 2024 21:31:32 +0800 +Subject: [PATCH] =?UTF-8?q?iotests:=20adapt=20to=20output=20change=20for?= + =?UTF-8?q?=20recently=20introduced=20'detached=20hea=E2=80=A6?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 39a94d7c34ce9d222fa9c0c99a14e20a567456d7 + +…der' field + +Failure was noticed when running the tests for the qcow2 image format. + +Fixes: 0bd779e ("crypto: Introduce 'detached-header' field in QCryptoBlockInfoLUKS") +Signed-off-by: Fiona Ebner +Message-ID: <20240216101415.293769-1-f.ebner@proxmox.com> +Reviewed-by: Daniel P. Berrangé +Reviewed-by: Kevin Wolf +Signed-off-by: Kevin Wolf +Signed-off-by: Gao Jiazhen +--- + tests/qemu-iotests/198.out | 2 ++ + tests/qemu-iotests/206.out | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/tests/qemu-iotests/198.out b/tests/qemu-iotests/198.out +index 805494916f..62fb73fa3e 100644 +--- a/tests/qemu-iotests/198.out ++++ b/tests/qemu-iotests/198.out +@@ -39,6 +39,7 @@ Format specific information: + compression type: COMPRESSION_TYPE + encrypt: + ivgen alg: plain64 ++ detached header: false + hash alg: sha256 + cipher alg: aes-256 + uuid: 00000000-0000-0000-0000-000000000000 +@@ -84,6 +85,7 @@ Format specific information: + compression type: COMPRESSION_TYPE + encrypt: + ivgen alg: plain64 ++ detached header: false + hash alg: sha256 + cipher alg: aes-256 + uuid: 00000000-0000-0000-0000-000000000000 +diff --git a/tests/qemu-iotests/206.out b/tests/qemu-iotests/206.out +index 7e95694777..979f00f9bf 100644 +--- a/tests/qemu-iotests/206.out ++++ b/tests/qemu-iotests/206.out +@@ -114,6 +114,7 @@ Format specific information: + refcount bits: 16 + encrypt: + ivgen alg: plain64 ++ detached header: false + hash alg: sha1 + cipher alg: aes-128 + uuid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX +-- +2.27.0 + 
diff --git a/memory-backup-Modify-the-VM-s-physical-bits-value-se.patch b/memory-backup-Modify-the-VM-s-physical-bits-value-se.patch new file mode 100644 index 0000000..a1c270b --- /dev/null +++ b/memory-backup-Modify-the-VM-s-physical-bits-value-se.patch 
@@ -0,0 +1,126 @@ +From 65435e107fc8eee37c61a3a7d1adebd013ad466f Mon Sep 17 00:00:00 2001 +From: Ming Yang +Date: Sat, 23 Mar 2024 16:18:03 +0800 +Subject: [PATCH] memory: [backup] Modify the VM's physical bits value set + policy. + +backup code from qemu-6.2 to qemu-8.2 +old info: +commit id : +a09c3928b33b0c53831bd9eeb56f8171c26057bc +messages: +target-i386: Modify the VM's physical bits value set policy. + +To resolve the problem that a VM with large memory capacity fails +to be live migrated, determine whether the VM is a large memory +capacity based on the memory size (4 TB). If yes, set the bus width +of the VM address to 46 bits. If no, set the bus width to 42 bits. + +Signed-off-by: Jinhua Cao +Signed-off-by: Jiajie Li + +Signed-off-by: Ming Yang +--- + target/i386/cpu.c | 20 +++++++++++++++++++- + target/i386/cpu.h | 6 ++++++ + target/i386/host-cpu.c | 13 +++++++------ + 3 files changed, 32 insertions(+), 7 deletions(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index a66e5a357b..fc61a84b1e 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -7666,6 +7666,24 @@ static void x86_cpu_set_pc(CPUState *cs, vaddr value) + cpu->env.eip = value; + } + ++ ++/* At present, we check the vm is *LARGE* or not, i.e. whether ++ * the memory size is more than 4T or not. ++ */ ++const uint64_t large_vm_mem_size = 0x40000000000UL; ++void x86_cpu_adjuest_by_ram_size(ram_addr_t ram_size, X86CPU *cpu) ++{ ++ /* If there is not a large vm, we set the phys_bits to 42 bits, ++ * otherwise, we increase the phys_bits to 46 bits. 
++ */ ++ if (ram_size < large_vm_mem_size) { ++ cpu->phys_bits = DEFAULT_VM_CPU_PHYS_BITS; ++ } else { ++ cpu->phys_bits = LARGE_VM_CPU_PHYS_BITS; ++ cpu->fill_mtrr_mask = true; ++ } ++} ++ + static vaddr x86_cpu_get_pc(CPUState *cs) + { + X86CPU *cpu = X86_CPU(cs); +@@ -7868,7 +7886,7 @@ static Property x86_cpu_properties[] = { + DEFINE_PROP_UINT32("phys-bits", X86CPU, phys_bits, 0), + DEFINE_PROP_BOOL("host-phys-bits", X86CPU, host_phys_bits, false), + DEFINE_PROP_UINT8("host-phys-bits-limit", X86CPU, host_phys_bits_limit, 0), +- DEFINE_PROP_BOOL("fill-mtrr-mask", X86CPU, fill_mtrr_mask, true), ++ DEFINE_PROP_BOOL("fill-mtrr-mask", X86CPU, fill_mtrr_mask, false), + DEFINE_PROP_UINT32("level-func7", X86CPU, env.cpuid_level_func7, + UINT32_MAX), + DEFINE_PROP_UINT32("level", X86CPU, env.cpuid_level, UINT32_MAX), +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index ef987f344c..6993552cd9 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -24,6 +24,7 @@ + #include "cpu-qom.h" + #include "kvm/hyperv-proto.h" + #include "exec/cpu-defs.h" ++#include "exec/cpu-common.h" + #include "qapi/qapi-types-common.h" + #include "qemu/cpu-float.h" + #include "qemu/timer.h" +@@ -2081,6 +2082,11 @@ struct X86CPUClass { + extern const VMStateDescription vmstate_x86_cpu; + #endif + ++#define DEFAULT_VM_CPU_PHYS_BITS 42 ++#define LARGE_VM_CPU_PHYS_BITS 46 ++ ++void x86_cpu_adjuest_by_ram_size(ram_addr_t ram_size, X86CPU *cpu); ++ + int x86_cpu_pending_interrupt(CPUState *cs, int interrupt_request); + + int x86_cpu_write_elf64_note(WriteCoreDumpFunction f, CPUState *cpu, +diff --git a/target/i386/host-cpu.c b/target/i386/host-cpu.c +index 92ecb7254b..07738bf857 100644 +--- a/target/i386/host-cpu.c ++++ b/target/i386/host-cpu.c +@@ -13,6 +13,7 @@ + #include "qapi/error.h" + #include "qemu/error-report.h" + #include "sysemu/sysemu.h" ++#include "hw/boards.h" + + /* Note: Only safe for use on x86(-64) hosts */ + static uint32_t host_cpu_phys_bits(void) +@@ -57,14 +58,14 @@ 
static uint32_t host_cpu_adjust_phys_bits(X86CPU *cpu) + uint32_t phys_bits = cpu->phys_bits; + static bool warned; + +- /* +- * Print a warning if the user set it to a value that's not the +- * host value. +- */ +- if (phys_bits != host_phys_bits && phys_bits != 0 && ++ /* adjust x86 cpu phys_bits according to ram_size. */ ++ x86_cpu_adjuest_by_ram_size(current_machine->ram_size, cpu); ++ ++ /* Print a warning if the host value less than the user set. */ ++ if (phys_bits > host_phys_bits && phys_bits != 0 && + !warned) { + warn_report("Host physical bits (%u)" +- " does not match phys-bits property (%u)", ++ " less than phys-bits property (%u)", + host_phys_bits, phys_bits); + warned = true; + } +-- +2.27.0 + diff --git a/migration-Skip-only-empty-block-devicesi.patch b/migration-Skip-only-empty-block-devicesi.patch new file mode 100644 index 0000000..6787e29 --- /dev/null +++ b/migration-Skip-only-empty-block-devicesi.patch 
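Review bot: In the `host-cpu.c` hunk the local `phys_bits` is copied from `cpu->phys_bits` before `x86_cpu_adjuest_by_ram_size()` overwrites that field, so the warning that follows compares a stale value, and if the remainder of `host_cpu_adjust_phys_bits` (which ends outside the hunk) returns the local, the 42/46-bit adjustment never reaches the caller; moving the helper call above `uint32_t phys_bits = cpu->phys_bits;` makes the intent hold. The helper also clobbers a `phys-bits` value the user set explicitly, which the commit message does not mention. `x86_cpu_adjuest_by_ram_size` is a new exported symbol with a typo in its name and `large_vm_mem_size` is a non-static global with no declaration in any header; `x86_cpu_adjust_by_ram_size` and `static const uint64_t large_vm_mem_size` fix both. Flipping the `fill-mtrr-mask` default to `false` changes behaviour for every VM under 4 TB and is not called out in the message; a machine-type compat property would preserve existing guests.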
@@ -0,0 +1,86 @@ +From 4506b31c0fff0b7a69ec4c7e264715ed70df75a8 Mon Sep 17 00:00:00 2001 +From: gaojiazhen +Date: Mon, 25 Mar 2024 22:13:43 +0800 +Subject: [PATCH] migration: Skip only empty block devicesi +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 2e128776dc56f502c2ee41750afe83938f389528 + +The block .save_setup() handler calls a helper routine +init_blk_migration() which builds a list of block devices to take into +account for migration. When one device is found to be empty (sectors +== 0), the loop exits and all the remaining devices are ignored. This +is a regression introduced when bdrv_iterate() was removed. + +Change that by skipping only empty devices. + +Cc: Markus Armbruster +Cc: qemu-stable +Suggested-by: Kevin Wolf +Fixes: fea68bb ("block: Eliminate bdrv_iterate(), use bdrv_next()") +Signed-off-by: Cédric Le Goater +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Kevin Wolf +Link: https://lore.kernel.org/r/20240312120431.550054-1-clg@redhat.com +[peterx: fix "Suggested-by:"] +Signed-off-by: Peter Xu +Signed-off-by: Gao Jiazhen +--- + migration/block.c | 5 ++++- + tests/qemu-iotests/198.out | 2 -- + tests/qemu-iotests/206.out | 1 - + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/migration/block.c b/migration/block.c +index a15f9bddcb..710ef6f490 100644 +--- a/migration/block.c ++++ b/migration/block.c +@@ -409,7 +409,10 @@ static int init_blk_migration(QEMUFile *f) + } + + sectors = bdrv_nb_sectors(bs); +- if (sectors <= 0) { ++ if (sectors == 0) { ++ continue; ++ } ++ if (sectors < 0) { + ret = sectors; + bdrv_next_cleanup(&it); + goto out; +diff --git a/tests/qemu-iotests/198.out b/tests/qemu-iotests/198.out +index 62fb73fa3e..805494916f 100644 +--- a/tests/qemu-iotests/198.out ++++ b/tests/qemu-iotests/198.out +@@ -39,7 +39,6 @@ Format specific information: + compression type: COMPRESSION_TYPE + encrypt: + ivgen alg: plain64 +- detached header: false + hash alg: sha256 
+ cipher alg: aes-256 + uuid: 00000000-0000-0000-0000-000000000000 +@@ -85,7 +84,6 @@ Format specific information: + compression type: COMPRESSION_TYPE + encrypt: + ivgen alg: plain64 +- detached header: false + hash alg: sha256 + cipher alg: aes-256 + uuid: 00000000-0000-0000-0000-000000000000 +diff --git a/tests/qemu-iotests/206.out b/tests/qemu-iotests/206.out +index 979f00f9bf..7e95694777 100644 +--- a/tests/qemu-iotests/206.out ++++ b/tests/qemu-iotests/206.out +@@ -114,7 +114,6 @@ Format specific information: + refcount bits: 16 + encrypt: + ivgen alg: plain64 +- detached header: false + hash alg: sha1 + cipher alg: aes-128 + uuid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 85ae9ef..235ca8c 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 8.2.0 -Release: 3 +Release: 4 Epoch: 11 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -89,6 +89,14 @@ Patch0072: target-loongarch-kvm-Enable-LSX-LASX-extension.patch Patch0073: target-loongarch-Fix-qtest-test-hmp-error-when-KVM-o.patch Patch0074: loongarch-Change-the-UEFI-loading-mode-to-loongarch.patch Patch0075: disable-keyring-option.patch +Patch0076: virtio-net-correctly-copy-vnet-header-when-flushing-.patch +Patch0077: ui-clipboard-mark-type-as-not-available-when-there-i.patch +Patch0078: memory-backup-Modify-the-VM-s-physical-bits-value-se.patch +Patch0079: backup-memory-bakcup-hugepages-hugepages-files-maybe.patch +Patch0080: block-disallow-block-jobs-when-there-is-a-BDRV_O_INA.patch +Patch0081: travis-ci-Rename-SOFTMMU-SYSTEM.patch +Patch0082: iotests-adapt-to-output-change-for-recently-introduc.patch +Patch0083: migration-Skip-only-empty-block-devicesi.patch BuildRequires: flex BuildRequires: gcc 
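Review bot: Besides the `migration/block.c` fix, this patch removes the `detached header: false` lines from `tests/qemu-iotests/198.out` and `206.out` that the preceding `iotests-adapt-to-output-change…` patch adds (Patch0082 is applied right before this one as Patch0083 in `qemu.spec`), although the commit message describes a change to the block `.save_setup()` handler only; the series therefore leaves the iotests expectations at the pre-fix output, and the patch's own diffstat (`4 insertions(+), 4 deletions(-)`) shows the stray hunks. Drop the two `.out` hunks so the backport matches the commit it cherry-picks. The `init_blk_migration` change itself reads correctly: `continue` on `sectors == 0` keeps iterating and a negative value still runs `bdrv_next_cleanup(&it)` before `goto out`. `init_blk_migration` begins and ends outside the hunk.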
@@ -686,6 +694,16 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon Apr 1 2024 Jiabo Feng - 11:8.2.0-4 +- migration: Skip only empty block devicesi +- iotests: adapt to output change for recently introduced 'detached hea… +- travis-ci: Rename SOFTMMU -> SYSTEM +- block: disallow block jobs when there is a BDRV_O_INACTIVE flag +- [backup] memory: bakcup hugepages: hugepages files maybe leftover +- memory: [backup] Modify the VM's physical bits value set policy. +- ui/clipboard: mark type as not available when there is no data (CVE-2023-6683) +- virtio-net: correctly copy vnet header when flushing TX (CVE-2023-6693) + * Wed Mar 27 2024 Jiabo Feng - 11:8.2.0-3 - disable keyring option - loongarch: Change the UEFI loading mode to loongarch diff --git a/travis-ci-Rename-SOFTMMU-SYSTEM.patch b/travis-ci-Rename-SOFTMMU-SYSTEM.patch new file mode 100644 index 0000000..fa78813 --- /dev/null +++ b/travis-ci-Rename-SOFTMMU-SYSTEM.patch 
@@ -0,0 +1,67 @@ +From c03415f3b75e6a37c7eb392ef62bf92b94267b4d Mon Sep 17 00:00:00 2001 +From: gaojiazhen +Date: Mon, 25 Mar 2024 17:26:52 +0800 +Subject: [PATCH] travis-ci: Rename SOFTMMU -> SYSTEM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 47833f817cc597db124c690bd14600bb5d00e824 + +Since we *might* have user emulation with softmmu, +rename MAIN_SOFTMMU_TARGETS as MAIN_SYSTEM_TARGETS +to express 'system emulation targets'. + +Signed-off-by: Philippe Mathieu-Daudé +Message-ID: <20240313213339.82071-3-philmd@linaro.org> +Reviewed-by: Thomas Huth +Reviewed-by: Richard Henderson +Signed-off-by: Thomas Huth +Signed-off-by: Gao Jiazhen +--- + .travis.yml | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/.travis.yml b/.travis.yml +index 76859d48da..597d151b80 100644 +--- a/.travis.yml ++++ b/.travis.yml +@@ -35,7 +35,7 @@ env: + - TEST_BUILD_CMD="" + - TEST_CMD="make check V=1" + # This is broadly a list of "mainline" system targets which have support across the major distros +- - MAIN_SOFTMMU_TARGETS="aarch64-softmmu,mips64-softmmu,ppc64-softmmu,riscv64-softmmu,s390x-softmmu,x86_64-softmmu" ++ - MAIN_SYSTEM_TARGETS="aarch64-softmmu,mips64-softmmu,ppc64-softmmu,riscv64-softmmu,s390x-softmmu,x86_64-softmmu" + - CCACHE_SLOPPINESS="include_file_ctime,include_file_mtime" + - CCACHE_MAXSIZE=1G + - G_MESSAGES_DEBUG=error +@@ -114,7 +114,7 @@ jobs: + env: + - TEST_CMD="make check check-tcg V=1" + - CONFIG="--disable-containers --enable-fdt=system +- --target-list=${MAIN_SOFTMMU_TARGETS} --cxx=/bin/false" ++ --target-list=${MAIN_SYSTEM_TARGETS} --cxx=/bin/false" + - UNRELIABLE=true + + - name: "[ppc64] GCC check-tcg" +@@ -185,7 +185,7 @@ jobs: + env: + - TEST_CMD="make check check-tcg V=1" + - CONFIG="--disable-containers --enable-fdt=system +- --target-list=${MAIN_SOFTMMU_TARGETS},s390x-linux-user" ++ --target-list=${MAIN_SYSTEM_TARGETS},s390x-linux-user" + - UNRELIABLE=true + 
script: + - BUILD_RC=0 && make -j${JOBS} || BUILD_RC=$? +@@ -226,7 +226,7 @@ jobs: + - genisoimage + env: + - CONFIG="--disable-containers --enable-fdt=system --audio-drv-list=sdl +- --disable-user --target-list-exclude=${MAIN_SOFTMMU_TARGETS}" ++ --disable-user --target-list-exclude=${MAIN_SYSTEM_TARGETS}" + + - name: "[s390x] GCC (user)" + arch: s390x +-- +2.27.0 + diff --git a/ui-clipboard-mark-type-as-not-available-when-there-i.patch b/ui-clipboard-mark-type-as-not-available-when-there-i.patch new file mode 100644 index 0000000..843479a --- /dev/null +++ b/ui-clipboard-mark-type-as-not-available-when-there-i.patch 
@@ -0,0 +1,89 @@ +From 855f7f30de962f79393f0b9f8b0355b996d72de7 Mon Sep 17 00:00:00 2001 +From: Fiona Ebner +Date: Wed, 24 Jan 2024 11:57:48 +0100 +Subject: [PATCH] ui/clipboard: mark type as not available when there is no + data (CVE-2023-6683) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT +message with len=0. In qemu_clipboard_set_data(), the clipboard info +will be updated setting data to NULL (because g_memdup(data, size) +returns NULL when size is 0). If the client does not set the +VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then +the 'request' callback for the clipboard peer is not initialized. +Later, because data is NULL, qemu_clipboard_request() can be reached +via vdagent_chr_write() and vdagent_clipboard_recv_request() and +there, the clipboard owner's 'request' callback will be attempted to +be called, but that is a NULL pointer. + +In particular, this can happen when using the KRDC (22.12.3) VNC +client. + +Another scenario leading to the same issue is with two clients (say +noVNC and KRDC): + +The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and +initializes its cbpeer. + +The KRDC client does not, but triggers a vnc_client_cut_text() (note +it's not the _ext variant)). There, a new clipboard info with it as +the 'owner' is created and via qemu_clipboard_set_data() is called, +which in turn calls qemu_clipboard_update() with that info. + +In qemu_clipboard_update(), the notifier for the noVNC client will be +called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the +noVNC client. The 'owner' in that clipboard info is the clipboard peer +for the KRDC client, which did not initialize the 'request' function. +That sounds correct to me, it is the owner of that clipboard info. 
+ +Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set +the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it +passes), that clipboard info is passed to qemu_clipboard_request() and +the original segfault still happens. + +Fix the issue by handling updates with size 0 differently. In +particular, mark in the clipboard info that the type is not available. + +While at it, switch to g_memdup2(), because g_memdup() is deprecated. + +Cc: qemu-stable@nongnu.org +Fixes: CVE-2023-6683 +Reported-by: Markus Frank +Suggested-by: Marc-André Lureau +Signed-off-by: Fiona Ebner +Reviewed-by: Marc-André Lureau +Tested-by: Markus Frank +Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com> +Signed-off-by: liuxiangdong +--- + ui/clipboard.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/ui/clipboard.c b/ui/clipboard.c +index 3d14bffaf8..b3f6fa3c9e 100644 +--- a/ui/clipboard.c ++++ b/ui/clipboard.c +@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer, + } + + g_free(info->types[type].data); +- info->types[type].data = g_memdup(data, size); +- info->types[type].size = size; +- info->types[type].available = true; ++ if (size) { ++ info->types[type].data = g_memdup2(data, size); ++ info->types[type].size = size; ++ info->types[type].available = true; ++ } else { ++ info->types[type].data = NULL; ++ info->types[type].size = 0; ++ info->types[type].available = false; ++ } + + if (update) { + qemu_clipboard_update(info); +-- +2.27.0 + diff --git a/virtio-net-correctly-copy-vnet-header-when-flushing-.patch b/virtio-net-correctly-copy-vnet-header-when-flushing-.patch new file mode 100644 index 0000000..b381e10 --- /dev/null +++ b/virtio-net-correctly-copy-vnet-header-when-flushing-.patch 
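Review bot: The new `else` branch in `qemu_clipboard_set_data` covers `size == 0`, but a caller passing `data == NULL` with a non-zero `size` would still take the first branch, where `g_memdup2(NULL, size)` yields NULL while `available` is set true, recreating the NULL-data state the fix targets; nothing in the hunk shows such a caller, but if one exists `if (size && data)` closes it. Availability of `g_memdup2` depends on the build's minimum GLib or a compat wrapper, neither visible here, so confirm before merging. A one-line comment on the `else` branch, e.g. `/* empty update: the owner has nothing of this type, so mark it unavailable rather than keep a NULL buffer */`, would explain why `available` is cleared. `qemu_clipboard_set_data` begins and ends outside the hunk.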
@@ -0,0 +1,72 @@ +From 912641a75955a75f37ab8695a0753b1571762717 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 2 Jan 2024 11:29:01 +0800 +Subject: [PATCH] virtio-net: correctly copy vnet header when flushing TX + (CVE-2023-6693) + +When HASH_REPORT is negotiated, the guest_hdr_len might be larger than +the size of the mergeable rx buffer header. Using +virtio_net_hdr_mrg_rxbuf during the header swap might lead a stack +overflow in this case. Fixing this by using virtio_net_hdr_v1_hash +instead. + +Reported-by: Xiao Lei +Cc: Yuri Benditovich +Cc: qemu-stable@nongnu.org +Cc: Mauro Matteo Cascella +Fixes: CVE-2023-6693 +Fixes: e22f0603fb2f ("virtio-net: reference implementation of hash report") +Reviewed-by: Michael Tokarev +Signed-off-by: Jason Wang +--- + hw/net/virtio-net.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 80c56f0cfc..73024babd4 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -674,6 +674,11 @@ static void virtio_net_set_mrg_rx_bufs(VirtIONet *n, int mergeable_rx_bufs, + + n->mergeable_rx_bufs = mergeable_rx_bufs; + ++ /* ++ * Note: when extending the vnet header, please make sure to ++ * change the vnet header copying logic in virtio_net_flush_tx() ++ * as well. ++ */ + if (version_1) { + n->guest_hdr_len = hash_report ? 
+ sizeof(struct virtio_net_hdr_v1_hash) : +@@ -2693,7 +2698,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) + ssize_t ret; + unsigned int out_num; + struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1], *out_sg; +- struct virtio_net_hdr_mrg_rxbuf mhdr; ++ struct virtio_net_hdr_v1_hash vhdr; + + elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement)); + if (!elem) { +@@ -2710,7 +2715,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) + } + + if (n->has_vnet_hdr) { +- if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) < ++ if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) < + n->guest_hdr_len) { + virtio_error(vdev, "virtio-net header incorrect"); + virtqueue_detach_element(q->tx_vq, elem, 0); +@@ -2718,8 +2723,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) + return -EINVAL; + } + if (n->needs_vnet_hdr_swap) { +- virtio_net_hdr_swap(vdev, (void *) &mhdr); +- sg2[0].iov_base = &mhdr; ++ virtio_net_hdr_swap(vdev, (void *) &vhdr); ++ sg2[0].iov_base = &vhdr; + sg2[0].iov_len = n->guest_hdr_len; + out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1, + out_sg, out_num, +-- +2.27.0 + -- Gitee
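Review bot: In the `virtio_net_flush_tx` hunk the stack buffer `vhdr` is now as large as the biggest header currently negotiated, but `iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len)` is still bounded only by `n->guest_hdr_len`, so the fix relies on future edits honouring the comment added in `virtio_net_set_mrg_rx_bufs`; an explicit `assert(n->guest_hdr_len <= sizeof(vhdr));` before the copy turns that invariant into a check that fails loudly instead of overflowing the stack. The same bound protects the `sg2[0].iov_len = n->guest_hdr_len;` line, which hands the backend the buffer by that length. `virtio_net_flush_tx` begins and ends outside the hunk.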