From 41b8316784026e078143eeb3fa362c811d96263f Mon Sep 17 00:00:00 2001 From: Jiabo Feng Date: Mon, 22 Apr 2024 10:20:57 +0800 Subject: [PATCH] QEMU update to version 8.2.0-10 - hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set(CVE-2024-3447) - hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs(CVE-2024-3446) - hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs(CVE-2024-3446) - hw/display/virtio-gpu: Protect from DMA re-entrancy bugs(CVE-2024-3446) - hw/virtio: Introduce virtio_bh_new_guarded() helper - hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum() - hw/nvme: fix -Werror=maybe-uninitialized - block/virtio-blk: Fix memory leak from virtio_blk_zone_report - hw/net/virtio-net: fix qemu set used ring flag even vhost started - hw/scsi/scsi-generic: Fix io_timeout property not applying - tests: bios-tables-test: Rename smbios type 4 related test functions 
Signed-off-by: Jiabo Feng (cherry picked from commit 0b5938814d7f3f1c73745e7311d9698dd078adc7) --- ...-Fix-memory-leak-from-virtio_blk_zon.patch | 49 ++++++ ...erial-bus-Protect-from-DMA-re-entran.patch | 42 ++++++ ...o-gpu-Protect-from-DMA-re-entrancy-b.patch | 142 ++++++++++++++++++ ...t-Fix-overrun-in-update_sctp_checksu.patch | 71 +++++++++ ...t-fix-qemu-set-used-ring-flag-even-v.patch | 73 +++++++++ hw-nvme-fix-Werror-maybe-uninitialized.patch | 38 +++++ ...eric-Fix-io_timeout-property-not-app.patch | 48 ++++++ ...ot-update-TRNMOD-when-Command-Inhibi.patch | 135 +++++++++++++++++ ...troduce-virtio_bh_new_guarded-helper.patch | 67 +++++++++ ...-crypto-Protect-from-DMA-re-entrancy.patch | 43 ++++++ qemu.spec | 26 +++- ...s-test-Rename-smbios-type-4-related-.patch | 97 ++++++++++++ 12 files changed, 830 insertions(+), 1 deletion(-) create mode 100644 block-virtio-blk-Fix-memory-leak-from-virtio_blk_zon.patch create mode 100644 hw-char-virtio-serial-bus-Protect-from-DMA-re-entran.patch create mode 100644 hw-display-virtio-gpu-Protect-from-DMA-re-entrancy-b.patch create mode 100644 hw-net-net_tx_pkt-Fix-overrun-in-update_sctp_checksu.patch create mode 100644 hw-net-virtio-net-fix-qemu-set-used-ring-flag-even-v.patch create mode 100644 hw-nvme-fix-Werror-maybe-uninitialized.patch create mode 100644 hw-scsi-scsi-generic-Fix-io_timeout-property-not-app.patch create mode 100644 hw-sd-sdhci-Do-not-update-TRNMOD-when-Command-Inhibi.patch create mode 100644 hw-virtio-Introduce-virtio_bh_new_guarded-helper.patch create mode 100644 hw-virtio-virtio-crypto-Protect-from-DMA-re-entrancy.patch create mode 100644 tests-bios-tables-test-Rename-smbios-type-4-related-.patch diff --git a/block-virtio-blk-Fix-memory-leak-from-virtio_blk_zon.patch b/block-virtio-blk-Fix-memory-leak-from-virtio_blk_zon.patch new file mode 100644 index 00000000..8acce118 --- /dev/null +++ b/block-virtio-blk-Fix-memory-leak-from-virtio_blk_zon.patch 
@@ -0,0 +1,49 @@ +From b54d853396820150735294107e2e3d060724de04 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Mon, 8 Apr 2024 14:39:43 +0800 +Subject: [PATCH] block/virtio-blk: Fix memory leak from virtio_blk_zone_report + +cheery-pick from bbdf9023665f409113cb07b463732861af63fb47 + +This modification ensures that in scenarios where the buffer size is +insufficient for a zone report, the function will now properly set an +error status and proceed to a cleanup label, instead of merely +returning. + +The following ASAN log reveals it: + +==1767400==ERROR: LeakSanitizer: detected memory leaks +Direct leak of 312 byte(s) in 1 object(s) allocated from: + #0 0x64ac7b3280cd in malloc llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3 + #1 0x735b02fb9738 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e738) + #2 0x64ac7d23be96 in virtqueue_split_pop hw/virtio/virtio.c:1612:12 + #3 0x64ac7d23728a in virtqueue_pop hw/virtio/virtio.c:1783:16 + #4 0x64ac7cfcaacd in virtio_blk_get_request hw/block/virtio-blk.c:228:27 + #5 0x64ac7cfca7c7 in virtio_blk_handle_vq hw/block/virtio-blk.c:1123:23 + #6 0x64ac7cfecb95 in virtio_blk_handle_output hw/block/virtio-blk.c:1157:5 + +Signed-off-by: Zheyu Ma +Message-id: 20240404120040.1951466-1-zheyuma97@gmail.com +Signed-off-by: Stefan Hajnoczi +Signed-off-by: qihao_yewu +--- + hw/block/virtio-blk.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c +index 1ebc9188c0..2eb096a6dc 100644 +--- a/hw/block/virtio-blk.c ++++ b/hw/block/virtio-blk.c +@@ -790,7 +790,8 @@ static void virtio_blk_handle_zone_report(VirtIOBlockReq *req, + sizeof(struct virtio_blk_zone_report) + + sizeof(struct virtio_blk_zone_descriptor)) { + virtio_error(vdev, "in buffer too small for zone report"); +- return; ++ err_status = VIRTIO_BLK_S_ZONE_INVALID_CMD; ++ goto out; + } + + /* start byte offset of the zone report */ +-- +2.27.0 + 
diff --git a/hw-char-virtio-serial-bus-Protect-from-DMA-re-entran.patch b/hw-char-virtio-serial-bus-Protect-from-DMA-re-entran.patch new file mode 100644 index 00000000..2008350d --- /dev/null +++ b/hw-char-virtio-serial-bus-Protect-from-DMA-re-entran.patch @@ -0,0 +1,42 @@ +From fa62831c301fa2a1d4226e0fefdeb6b7a280fca6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 4 Apr 2024 20:56:35 +0200 +Subject: [PATCH] hw/char/virtio-serial-bus: Protect from DMA re-entrancy + bugs(CVE-2024-3446) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() +so the bus and device use the same guard. Otherwise the +DMA-reentrancy protection can be bypassed. + +Fixes: CVE-2024-3446 +Cc: qemu-stable@nongnu.org +Suggested-by: Alexander Bulekov +Reviewed-by: Gerd Hoffmann +Acked-by: Michael S. Tsirkin +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Michael S. Tsirkin +Message-Id: <20240409105537.18308-4-philmd@linaro.org> +--- + hw/char/virtio-serial-bus.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c +index 44906057be..096214b11b 100644 +--- a/hw/char/virtio-serial-bus.c ++++ b/hw/char/virtio-serial-bus.c +@@ -990,8 +990,7 @@ static void virtser_port_device_realize(DeviceState *dev, Error **errp) + return; + } + +- port->bh = qemu_bh_new_guarded(flush_queued_data_bh, port, +- &dev->mem_reentrancy_guard); ++ port->bh = virtio_bh_new_guarded(dev, flush_queued_data_bh, port); + port->elem = NULL; + } + +-- +2.27.0 + diff --git a/hw-display-virtio-gpu-Protect-from-DMA-re-entrancy-b.patch b/hw-display-virtio-gpu-Protect-from-DMA-re-entrancy-b.patch new file mode 100644 index 00000000..6ba7daca --- /dev/null +++ b/hw-display-virtio-gpu-Protect-from-DMA-re-entrancy-b.patch 
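Review bot: In hw/char/virtio-serial-bus.c, the `dev` passed to `virtio_bh_new_guarded()` in `virtser_port_device_realize()` appears to be the serial port device (the object whose `port->bh` is set), not the virtio device itself. The helper added by hw-virtio-Introduce-virtio_bh_new_guarded-helper.patch takes `qdev_get_parent_bus(dev)->parent`, which for a port would presumably be the owner of the port bus rather than the virtio transport. If so, the bottom half is still guarded by a different `mem_reentrancy_guard` than the one the transport's MMIO regions check, which is the mismatch the patch header says must be avoided. Please confirm which object owns the guard here; if it is not the transport, passing the virtio device that owns the port bus, something like `port->bh = virtio_bh_new_guarded(DEVICE(port->vser), flush_queued_data_bh, port);`, would be the likely fix. The function body starts outside the hunk.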
@@ -0,0 +1,142 @@ +From e72177cc2b3a4425c4be5ca8cc12bc99e63e2788 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 4 Apr 2024 20:56:27 +0200 +Subject: [PATCH] hw/display/virtio-gpu: Protect from DMA re-entrancy + bugs(CVE-2024-3446) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() +so the bus and device use the same guard. Otherwise the +DMA-reentrancy protection can be bypassed: + + $ cat << EOF | qemu-system-i386 -display none -nodefaults \ + -machine q35,accel=qtest \ + -m 512M \ + -device virtio-gpu \ + -qtest stdio + outl 0xcf8 0x80000820 + outl 0xcfc 0xe0004000 + outl 0xcf8 0x80000804 + outw 0xcfc 0x06 + write 0xe0004030 0x4 0x024000e0 + write 0xe0004028 0x1 0xff + write 0xe0004020 0x4 0x00009300 + write 0xe000401c 0x1 0x01 + write 0x101 0x1 0x04 + write 0x103 0x1 0x1c + write 0x9301c8 0x1 0x18 + write 0x105 0x1 0x1c + write 0x107 0x1 0x1c + write 0x109 0x1 0x1c + write 0x10b 0x1 0x00 + write 0x10d 0x1 0x00 + write 0x10f 0x1 0x00 + write 0x111 0x1 0x00 + write 0x113 0x1 0x00 + write 0x115 0x1 0x00 + write 0x117 0x1 0x00 + write 0x119 0x1 0x00 + write 0x11b 0x1 0x00 + write 0x11d 0x1 0x00 + write 0x11f 0x1 0x00 + write 0x121 0x1 0x00 + write 0x123 0x1 0x00 + write 0x125 0x1 0x00 + write 0x127 0x1 0x00 + write 0x129 0x1 0x00 + write 0x12b 0x1 0x00 + write 0x12d 0x1 0x00 + write 0x12f 0x1 0x00 + write 0x131 0x1 0x00 + write 0x133 0x1 0x00 + write 0x135 0x1 0x00 + write 0x137 0x1 0x00 + write 0x139 0x1 0x00 + write 0xe0007003 0x1 0x00 + EOF + ... 
+ ================================================================= + ==276099==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000011178 + at pc 0x562cc3b736c7 bp 0x7ffed49dee60 sp 0x7ffed49dee58 + READ of size 8 at 0x60d000011178 thread T0 + #0 0x562cc3b736c6 in virtio_gpu_ctrl_response hw/display/virtio-gpu.c:180:42 + #1 0x562cc3b7c40b in virtio_gpu_ctrl_response_nodata hw/display/virtio-gpu.c:192:5 + #2 0x562cc3b7c40b in virtio_gpu_simple_process_cmd hw/display/virtio-gpu.c:1015:13 + #3 0x562cc3b82873 in virtio_gpu_process_cmdq hw/display/virtio-gpu.c:1050:9 + #4 0x562cc4a85514 in aio_bh_call util/async.c:169:5 + #5 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13 + #6 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5 + #7 0x562cc4a8a2da in aio_ctx_dispatch util/async.c:358:5 + #8 0x7f36840547a8 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x547a8) + #9 0x562cc4a8b753 in glib_pollfds_poll util/main-loop.c:290:9 + #10 0x562cc4a8b753 in os_host_main_loop_wait util/main-loop.c:313:5 + #11 0x562cc4a8b753 in main_loop_wait util/main-loop.c:592:11 + #12 0x562cc3938186 in qemu_main_loop system/runstate.c:782:9 + #13 0x562cc43b7af5 in qemu_default_main system/main.c:37:14 + #14 0x7f3683a6c189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 + #15 0x7f3683a6c244 in __libc_start_main csu/../csu/libc-start.c:381:3 + #16 0x562cc2a58ac0 in _start (qemu-system-i386+0x231bac0) + + 0x60d000011178 is located 56 bytes inside of 136-byte region [0x60d000011140,0x60d0000111c8) + freed by thread T0 here: + #0 0x562cc2adb662 in __interceptor_free (qemu-system-i386+0x239e662) + #1 0x562cc3b86b21 in virtio_gpu_reset hw/display/virtio-gpu.c:1524:9 + #2 0x562cc416e20e in virtio_reset hw/virtio/virtio.c:2145:9 + #3 0x562cc37c5644 in virtio_pci_reset hw/virtio/virtio-pci.c:2249:5 + #4 0x562cc4233758 in memory_region_write_accessor system/memory.c:497:5 + #5 0x562cc4232eea in access_with_adjusted_size system/memory.c:573:18 
+ + previously allocated by thread T0 here: + #0 0x562cc2adb90e in malloc (qemu-system-i386+0x239e90e) + #1 0x7f368405a678 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5a678) + #2 0x562cc4163ffc in virtqueue_split_pop hw/virtio/virtio.c:1612:12 + #3 0x562cc4163ffc in virtqueue_pop hw/virtio/virtio.c:1783:16 + #4 0x562cc3b91a95 in virtio_gpu_handle_ctrl hw/display/virtio-gpu.c:1112:15 + #5 0x562cc4a85514 in aio_bh_call util/async.c:169:5 + #6 0x562cc4a85c52 in aio_bh_poll util/async.c:216:13 + #7 0x562cc4a1a79b in aio_dispatch util/aio-posix.c:423:5 + + SUMMARY: AddressSanitizer: heap-use-after-free hw/display/virtio-gpu.c:180:42 in virtio_gpu_ctrl_response + +With this change, the same reproducer triggers: + + qemu-system-i386: warning: Blocked re-entrant IO on MemoryRegion: virtio-pci-common-virtio-gpu at addr: 0x6 + +Fixes: CVE-2024-3446 +Cc: qemu-stable@nongnu.org +Reported-by: Alexander Bulekov +Reported-by: Yongkang Jia +Reported-by: Xiao Lei +Reported-by: Yiming Tao +Buglink: https://bugs.launchpad.net/qemu/+bug/1888606 +Reviewed-by: Gerd Hoffmann +Acked-by: Michael S. Tsirkin +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Michael S. 
Tsirkin +Message-Id: <20240409105537.18308-3-philmd@linaro.org> +--- + hw/display/virtio-gpu.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c +index b02d1e3a4c..a714638822 100644 +--- a/hw/display/virtio-gpu.c ++++ b/hw/display/virtio-gpu.c +@@ -1456,10 +1456,8 @@ void virtio_gpu_device_realize(DeviceState *qdev, Error **errp) + + g->ctrl_vq = virtio_get_queue(vdev, 0); + g->cursor_vq = virtio_get_queue(vdev, 1); +- g->ctrl_bh = qemu_bh_new_guarded(virtio_gpu_ctrl_bh, g, +- &qdev->mem_reentrancy_guard); +- g->cursor_bh = qemu_bh_new_guarded(virtio_gpu_cursor_bh, g, +- &qdev->mem_reentrancy_guard); ++ g->ctrl_bh = virtio_bh_new_guarded(qdev, virtio_gpu_ctrl_bh, g); ++ g->cursor_bh = virtio_bh_new_guarded(qdev, virtio_gpu_cursor_bh, g); + g->reset_bh = qemu_bh_new(virtio_gpu_reset_bh, g); + qemu_cond_init(&g->reset_cond); + QTAILQ_INIT(&g->reslist); +-- +2.27.0 + diff --git a/hw-net-net_tx_pkt-Fix-overrun-in-update_sctp_checksu.patch b/hw-net-net_tx_pkt-Fix-overrun-in-update_sctp_checksu.patch new file mode 100644 index 00000000..e0659827 --- /dev/null +++ b/hw-net-net_tx_pkt-Fix-overrun-in-update_sctp_checksu.patch 
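Review bot: In hw/display/virtio-gpu.c, `g->reset_bh` on the context line right after the two converted calls is still created with plain `qemu_bh_new()`, so it is the only bottom half in `virtio_gpu_device_realize()` with no re-entrancy guard. The hunk does not show what `virtio_gpu_reset_bh` touches, so this may be deliberate, but nothing on the new side says so. A one-line comment above it would keep a later reader from seeing an oversight, e.g. `/* reset_bh is intentionally unguarded: <reason, to be filled in by the author> */`. The function starts and ends outside the hunk.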
@@ -0,0 +1,71 @@ +From c23034c79ad8632388bc00dd4268e429638eee9e Mon Sep 17 00:00:00 2001 +From: qihao +Date: Thu, 18 Apr 2024 14:45:15 +0800 +Subject: [PATCH] hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 83ddb3dbba2ee0f1767442ae6ee665058aeb1093 + +If a fragmented packet size is too short, do not try to +calculate its checksum. + +Reproduced using: + + $ cat << EOF | qemu-system-i386 -display none -nodefaults \ + -machine q35,accel=qtest -m 32M \ + -device igb,netdev=net0 \ + -netdev user,id=net0 \ + -qtest stdio + outl 0xcf8 0x80000810 + outl 0xcfc 0xe0000000 + outl 0xcf8 0x80000804 + outw 0xcfc 0x06 + write 0xe0000403 0x1 0x02 + writel 0xe0003808 0xffffffff + write 0xe000381a 0x1 0x5b + write 0xe000381b 0x1 0x00 + EOF + Assertion failed: (offset == 0), function iov_from_buf_full, file util/iov.c, line 39. + #1 0x5575e81e952a in iov_from_buf_full qemu/util/iov.c:39:5 + #2 0x5575e6500768 in net_tx_pkt_update_sctp_checksum qemu/hw/net/net_tx_pkt.c:144:9 + #3 0x5575e659f3e1 in igb_setup_tx_offloads qemu/hw/net/igb_core.c:478:11 + #4 0x5575e659f3e1 in igb_tx_pkt_send qemu/hw/net/igb_core.c:552:10 + #5 0x5575e659f3e1 in igb_process_tx_desc qemu/hw/net/igb_core.c:671:17 + #6 0x5575e659f3e1 in igb_start_xmit qemu/hw/net/igb_core.c:903:9 + #7 0x5575e659f3e1 in igb_set_tdt qemu/hw/net/igb_core.c:2812:5 + #8 0x5575e657d6a4 in igb_core_write qemu/hw/net/igb_core.c:4248:9 + +Fixes: CVE-2024-3567 +Cc: qemu-stable@nongnu.org +Reported-by: Zheyu Ma +Fixes: f199b13bc1 ("igb: Implement Tx SCTP CSO") +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2273 +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Akihiko Odaki +Acked-by: Jason Wang +Message-Id: <20240410070459.49112-1-philmd@linaro.org> +Signed-off-by: qihao_yewu +--- + hw/net/net_tx_pkt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c 
+index 2e5f58b3c9..d40d508a11 100644 +--- a/hw/net/net_tx_pkt.c ++++ b/hw/net/net_tx_pkt.c +@@ -141,6 +141,10 @@ bool net_tx_pkt_update_sctp_checksum(struct NetTxPkt *pkt) + uint32_t csum = 0; + struct iovec *pl_start_frag = pkt->vec + NET_TX_PKT_PL_START_FRAG; + ++ if (iov_size(pl_start_frag, pkt->payload_frags) < 8 + sizeof(csum)) { ++ return false; ++ } ++ + if (iov_from_buf(pl_start_frag, pkt->payload_frags, 8, &csum, sizeof(csum)) < sizeof(csum)) { + return false; + } +-- +2.27.0 + diff --git a/hw-net-virtio-net-fix-qemu-set-used-ring-flag-even-v.patch b/hw-net-virtio-net-fix-qemu-set-used-ring-flag-even-v.patch new file mode 100644 index 00000000..87892672 --- /dev/null +++ b/hw-net-virtio-net-fix-qemu-set-used-ring-flag-even-v.patch 
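Review bot: The new length check in `net_tx_pkt_update_sctp_checksum()` repeats the bare `8` that the following `iov_from_buf()` call uses as the checksum offset, so the bound and the write offset can drift apart in a later edit. Naming it once ties them together, e.g. `const size_t csum_off = 8; /* checksum field offset in the SCTP common header */` followed by `if (iov_size(pl_start_frag, pkt->payload_frags) < csum_off + sizeof(csum))`. Separately, this patch header carries `Fixes: CVE-2024-3567`, but the matching entry in the commit subject list and in the qemu.spec `%changelog` reads only `hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()` while the other security fixes name their CVE. Adding the id there keeps the package's CVE tracking complete. The function continues outside the hunk.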
@@ -0,0 +1,73 @@ +From 7e18fd22e9c0b5b28462455f60c508d5341e0230 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Wed, 3 Apr 2024 16:34:39 +0800 +Subject: [PATCH] hw/net/virtio-net: fix qemu set used ring flag even vhost + started +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 4c54f5bc8e1d38f15cc35b6a6932d8fbe219c692 + +When vhost-user or vhost-kernel is handling virtio net datapath, +QEMU should not touch used ring. + +But with vhost-user socket reconnect scenario, in a very rare case +(has pending kick event). VRING_USED_F_NO_NOTIFY is set by QEMU in +following code path: + + #0 virtio_queue_split_set_notification (vq=0x7ff5f4c920a8, enable=0) at ../hw/virtio/virtio.c:511 + #1 0x0000559d6dbf033b in virtio_queue_set_notification (vq=0x7ff5f4c920a8, enable=0) at ../hw/virtio/virtio.c:576 + #2 0x0000559d6dbbbdbc in virtio_net_handle_tx_bh (vdev=0x559d703a6aa0, vq=0x7ff5f4c920a8) at ../hw/net/virtio-net.c:2801 + #3 0x0000559d6dbf4791 in virtio_queue_notify_vq (vq=0x7ff5f4c920a8) at ../hw/virtio/virtio.c:2248 + #4 0x0000559d6dbf79da in virtio_queue_host_notifier_read (n=0x7ff5f4c9211c) at ../hw/virtio/virtio.c:3525 + #5 0x0000559d6d9a5814 in virtio_bus_cleanup_host_notifier (bus=0x559d703a6a20, n=1) at ../hw/virtio/virtio-bus.c:321 + #6 0x0000559d6dbf83c9 in virtio_device_stop_ioeventfd_impl (vdev=0x559d703a6aa0) at ../hw/virtio/virtio.c:3774 + #7 0x0000559d6d9a55c8 in virtio_bus_stop_ioeventfd (bus=0x559d703a6a20) at ../hw/virtio/virtio-bus.c:259 + #8 0x0000559d6d9a53e8 in virtio_bus_grab_ioeventfd (bus=0x559d703a6a20) at ../hw/virtio/virtio-bus.c:199 + #9 0x0000559d6dbf841c in virtio_device_grab_ioeventfd (vdev=0x559d703a6aa0) at ../hw/virtio/virtio.c:3783 + #10 0x0000559d6d9bde18 in vhost_dev_enable_notifiers (hdev=0x559d707edd70, vdev=0x559d703a6aa0) at ../hw/virtio/vhost.c:1592 + #11 0x0000559d6d89a0b8 in vhost_net_start_one (net=0x559d707edd70, dev=0x559d703a6aa0) at ../hw/net/vhost_net.c:266 + #12 
0x0000559d6d89a6df in vhost_net_start (dev=0x559d703a6aa0, ncs=0x559d7048d890, data_queue_pairs=31, cvq=0) at ../hw/net/vhost_net.c:412 + #13 0x0000559d6dbb5b89 in virtio_net_vhost_status (n=0x559d703a6aa0, status=15 '\017') at ../hw/net/virtio-net.c:311 + #14 0x0000559d6dbb5e34 in virtio_net_set_status (vdev=0x559d703a6aa0, status=15 '\017') at ../hw/net/virtio-net.c:392 + #15 0x0000559d6dbb60d8 in virtio_net_set_link_status (nc=0x559d7048d890) at ../hw/net/virtio-net.c:455 + #16 0x0000559d6da64863 in qmp_set_link (name=0x559d6f0b83d0 "hostnet1", up=true, errp=0x7ffdd76569f0) at ../net/net.c:1459 + #17 0x0000559d6da7226e in net_vhost_user_event (opaque=0x559d6f0b83d0, event=CHR_EVENT_OPENED) at ../net/vhost-user.c:301 + #18 0x0000559d6ddc7f63 in chr_be_event (s=0x559d6f2ffea0, event=CHR_EVENT_OPENED) at ../chardev/char.c:62 + #19 0x0000559d6ddc7fdc in qemu_chr_be_event (s=0x559d6f2ffea0, event=CHR_EVENT_OPENED) at ../chardev/char.c:82 + +This issue causes guest kernel stop kicking device and traffic stop. + +Add vhost_started check in virtio_net_handle_tx_bh to fix this wrong +VRING_USED_F_NO_NOTIFY set. + +Signed-off-by: Yajun Wu +Reviewed-by: Jiri Pirko +Acked-by: Michael S. Tsirkin +Message-ID: <20240402045109.97729-1-yajunw@nvidia.com> +[PMD: Use unlikely()] +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: qihao_yewu +--- + hw/net/virtio-net.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 9559b3386a..c0a54f2d61 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -2831,6 +2831,10 @@ static void virtio_net_handle_tx_bh(VirtIODevice *vdev, VirtQueue *vq) + VirtIONet *n = VIRTIO_NET(vdev); + VirtIONetQueue *q = &n->vqs[vq2q(virtio_get_queue_index(vq))]; + ++ if (unlikely(n->vhost_started)) { ++ return; ++ } ++ + if (unlikely((n->status & VIRTIO_NET_S_LINK_UP) == 0)) { + virtio_net_drop_tx_queue_data(vdev, vq); + return; +-- +2.27.0 + 
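Review bot: The early return added at the top of `virtio_net_handle_tx_bh()` has no comment, so its reason (QEMU must not touch the used ring while vhost handles the datapath) is recorded only in the commit message. I would add `/* vhost owns the used ring: do not change notification flags or process TX here */` directly above `if (unlikely(n->vhost_started))`. It is also worth confirming whether any other TX notify handler in this file can be reached through the same host-notifier cleanup path shown in the backtrace; only this one is visible in the hunk. The function continues outside the hunk.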
diff --git a/hw-nvme-fix-Werror-maybe-uninitialized.patch b/hw-nvme-fix-Werror-maybe-uninitialized.patch new file mode 100644 index 00000000..29b8449f --- /dev/null +++ b/hw-nvme-fix-Werror-maybe-uninitialized.patch @@ -0,0 +1,38 @@ +From 2fc8029b9e274a0dbedc55b6b114b29e003b32ab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=E5=88=98=E5=A9=A720201110?= + +Date: Mon, 8 Apr 2024 04:32:11 -0400 +Subject: [PATCH] hw/nvme: fix -Werror=maybe-uninitialized +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +../hw/nvme/ctrl.c:6081:21: error: ‘result’ may be used uninitialized [-Werror=maybe-uninitialized] + +It's not obvious that 'result' is set in all code paths. When &result is +a returned argument, it's even less clear. + +Looking at various assignments, 0 seems to be a suitable default value. + +Signed-off-by: Marc-André Lureau +Signed-off-by: Liu Jing +--- + hw/nvme/ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c +index 7a56e7b79b..237b5c8871 100644 +--- a/hw/nvme/ctrl.c ++++ b/hw/nvme/ctrl.c +@@ -5882,7 +5882,7 @@ static uint16_t nvme_get_feature(NvmeCtrl *n, NvmeRequest *req) + uint32_t dw10 = le32_to_cpu(cmd->cdw10); + uint32_t dw11 = le32_to_cpu(cmd->cdw11); + uint32_t nsid = le32_to_cpu(cmd->nsid); +- uint32_t result; ++ uint32_t result = 0; + uint8_t fid = NVME_GETSETFEAT_FID(dw10); + NvmeGetFeatureSelect sel = NVME_GETFEAT_SELECT(dw10); + uint16_t iv; +-- +2.27.0 + diff --git a/hw-scsi-scsi-generic-Fix-io_timeout-property-not-app.patch b/hw-scsi-scsi-generic-Fix-io_timeout-property-not-app.patch new file mode 100644 index 00000000..9f9b7aba --- /dev/null +++ b/hw-scsi-scsi-generic-Fix-io_timeout-property-not-app.patch 
@@ -0,0 +1,48 @@ +From a57cbe41cd8b2d8bc31eac33ee74a3ac058d67dd Mon Sep 17 00:00:00 2001 +From: qihao +Date: Thu, 28 Mar 2024 15:24:25 +0800 +Subject: [PATCH] hw/scsi/scsi-generic: Fix io_timeout property not applying +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +cheery-pick from 7c7a9f578e4fb1adff7ac8d9acaaaedb87474e76 + +The io_timeout property, introduced in c9b6609 (part of 6.0) is +silently overwritten by the hardcoded default value of 30 seconds +(DEFAULT_IO_TIMEOUT) in scsi_generic_realize because that function is +being called after the properties have already been applied. + +The property definition already has a default value which is applied +correctly when no value is explicitly set, so we can just remove the +code which overrides the io_timeout completely. + +This has been tested by stracing SG_IO operations with the io_timeout +property set and unset and now sets the timeout field in the ioctl +request to the proper value. + +Fixes: c9b6609b69facad ("scsi: make io_timeout configurable") +Signed-off-by: Lorenz Brun +Message-ID: <20240315145831.2531695-1-lorenz@brun.one> +Reviewed-by: Alex Bennée +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: qihao_yewu +--- + hw/scsi/scsi-generic.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c +index 22efcd09a6..12fdd8e748 100644 +--- a/hw/scsi/scsi-generic.c ++++ b/hw/scsi/scsi-generic.c +@@ -782,7 +782,6 @@ static void scsi_generic_realize(SCSIDevice *s, Error **errp) + + /* Only used by scsi-block, but initialize it nevertheless to be clean. */ + s->default_scsi_version = -1; +- s->io_timeout = DEFAULT_IO_TIMEOUT; + scsi_generic_read_device_inquiry(s); + } + +-- +2.27.0 + diff --git a/hw-sd-sdhci-Do-not-update-TRNMOD-when-Command-Inhibi.patch b/hw-sd-sdhci-Do-not-update-TRNMOD-when-Command-Inhibi.patch new file mode 100644 index 00000000..19a5a6a7 --- /dev/null 
+++ b/hw-sd-sdhci-Do-not-update-TRNMOD-when-Command-Inhibi.patch 
@@ -0,0 +1,135 @@ +From b628859b936c6d6348d2af9e6b6d2887c697b9b7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Tue, 9 Apr 2024 16:19:27 +0200 +Subject: [PATCH] hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) + is set(CVE-2024-3447) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Per "SD Host Controller Standard Specification Version 3.00": + + * 2.2.5 Transfer Mode Register (Offset 00Ch) + + Writes to this register shall be ignored when the Command + Inhibit (DAT) in the Present State register is 1. + +Do not update the TRNMOD register when Command Inhibit (DAT) +bit is set to avoid the present-status register going out of +sync, leading to malicious guest using DMA mode and overflowing +the FIFO buffer: + + $ cat << EOF | qemu-system-i386 \ + -display none -nographic -nodefaults \ + -machine accel=qtest -m 512M \ + -device sdhci-pci,sd-spec-version=3 \ + -device sd-card,drive=mydrive \ + -drive if=none,index=0,file=null-co://,format=raw,id=mydrive \ + -qtest stdio + outl 0xcf8 0x80001013 + outl 0xcfc 0x91 + outl 0xcf8 0x80001001 + outl 0xcfc 0x06000000 + write 0x9100002c 0x1 0x05 + write 0x91000058 0x1 0x16 + write 0x91000005 0x1 0x04 + write 0x91000028 0x1 0x08 + write 0x16 0x1 0x21 + write 0x19 0x1 0x20 + write 0x9100000c 0x1 0x01 + write 0x9100000e 0x1 0x20 + write 0x9100000f 0x1 0x00 + write 0x9100000c 0x1 0x00 + write 0x91000020 0x1 0x00 + EOF + +Stack trace (part): +================================================================= +==89993==ERROR: AddressSanitizer: heap-buffer-overflow on address +0x615000029900 at pc 0x55d5f885700d bp 0x7ffc1e1e9470 sp 0x7ffc1e1e9468 +WRITE of size 1 at 0x615000029900 thread T0 + #0 0x55d5f885700c in sdhci_write_dataport hw/sd/sdhci.c:564:39 + #1 0x55d5f8849150 in sdhci_write hw/sd/sdhci.c:1223:13 + #2 0x55d5fa01db63 in memory_region_write_accessor system/memory.c:497:5 + #3 0x55d5fa01d245 in access_with_adjusted_size 
system/memory.c:573:18 + #4 0x55d5fa01b1a9 in memory_region_dispatch_write system/memory.c:1521:16 + #5 0x55d5fa09f5c9 in flatview_write_continue system/physmem.c:2711:23 + #6 0x55d5fa08f78b in flatview_write system/physmem.c:2753:12 + #7 0x55d5fa08f258 in address_space_write system/physmem.c:2860:18 + ... +0x615000029900 is located 0 bytes to the right of 512-byte region +[0x615000029700,0x615000029900) allocated by thread T0 here: + #0 0x55d5f7237b27 in __interceptor_calloc + #1 0x7f9e36dd4c50 in g_malloc0 + #2 0x55d5f88672f7 in sdhci_pci_realize hw/sd/sdhci-pci.c:36:5 + #3 0x55d5f844b582 in pci_qdev_realize hw/pci/pci.c:2092:9 + #4 0x55d5fa2ee74b in device_set_realized hw/core/qdev.c:510:13 + #5 0x55d5fa325bfb in property_set_bool qom/object.c:2358:5 + #6 0x55d5fa31ea45 in object_property_set qom/object.c:1472:5 + #7 0x55d5fa332509 in object_property_set_qobject om/qom-qobject.c:28:10 + #8 0x55d5fa31f6ed in object_property_set_bool qom/object.c:1541:15 + #9 0x55d5fa2e2948 in qdev_realize hw/core/qdev.c:292:12 + #10 0x55d5f8eed3f1 in qdev_device_add_from_qdict system/qdev-monitor.c:719:10 + #11 0x55d5f8eef7ff in qdev_device_add system/qdev-monitor.c:738:11 + #12 0x55d5f8f211f0 in device_init_func system/vl.c:1200:11 + #13 0x55d5fad0877d in qemu_opts_foreach util/qemu-option.c:1135:14 + #14 0x55d5f8f0df9c in qemu_create_cli_devices system/vl.c:2638:5 + #15 0x55d5f8f0db24 in qmp_x_exit_preconfig system/vl.c:2706:5 + #16 0x55d5f8f14dc0 in qemu_init system/vl.c:3737:9 + ... +SUMMARY: AddressSanitizer: heap-buffer-overflow hw/sd/sdhci.c:564:39 +in sdhci_write_dataport + +Add assertions to ensure the fifo_buffer[] is not overflowed by +malicious accesses to the Buffer Data Port register. 
+ +Fixes: CVE-2024-3447 +Cc: qemu-stable@nongnu.org +Fixes: d7dfca0807 ("hw/sdhci: introduce standard SD host controller") +Buglink: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813 +Reported-by: Alexander Bulekov +Reported-by: Chuhong Yuan +Signed-off-by: Peter Maydell +Message-Id: +Signed-off-by: Philippe Mathieu-Daudé +Message-Id: <20240409145524.27913-1-philmd@linaro.org> +--- + hw/sd/sdhci.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c +index 40473b0db0..e95ea34895 100644 +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -473,6 +473,7 @@ static uint32_t sdhci_read_dataport(SDHCIState *s, unsigned size) + } + + for (i = 0; i < size; i++) { ++ assert(s->data_count < s->buf_maxsz); + value |= s->fifo_buffer[s->data_count] << i * 8; + s->data_count++; + /* check if we've read all valid data (blksize bytes) from buffer */ +@@ -561,6 +562,7 @@ static void sdhci_write_dataport(SDHCIState *s, uint32_t value, unsigned size) + } + + for (i = 0; i < size; i++) { ++ assert(s->data_count < s->buf_maxsz); + s->fifo_buffer[s->data_count] = value & 0xFF; + s->data_count++; + value >>= 8; +@@ -1208,6 +1210,12 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) + if (!(s->capareg & R_SDHC_CAPAB_SDMA_MASK)) { + value &= ~SDHC_TRNS_DMA; + } ++ ++ /* TRNMOD writes are inhibited while Command Inhibit (DAT) is true */ ++ if (s->prnsts & SDHC_DATA_INHIBIT) { ++ mask |= 0xffff; ++ } ++ + MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK); + MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16); + +-- +2.27.0 + diff --git a/hw-virtio-Introduce-virtio_bh_new_guarded-helper.patch b/hw-virtio-Introduce-virtio_bh_new_guarded-helper.patch new file mode 100644 index 00000000..6355641a --- /dev/null +++ b/hw-virtio-Introduce-virtio_bh_new_guarded-helper.patch 
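Review bot: The TRNMOD guard added to `sdhci_write()` only widens `mask`, so whether the write is really ignored depends on `MASKED_WRITE`, which is defined outside this hunk. If that macro ORs the value in after masking the register (I believe it expands to `reg = (reg & mask) | val`), a write made while `SDHC_DATA_INHIBIT` is set can no longer clear TRNMOD bits but can still set them. That falls short of the specification text quoted in the patch header, which says such writes shall be ignored. Dropping the low half of the value in the same branch would cover both directions: `mask |= 0xffff;` followed by `value &= ~0xffffu;`. The two `assert(s->data_count < s->buf_maxsz)` lines are a reasonable backstop, but they end in a guest-triggerable abort of the QEMU process, so the register-level check should be the one that is complete.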
@@ -0,0 +1,67 @@ +From 8c1ad2043705184da00d39250402a70f403d14a7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 4 Apr 2024 20:56:11 +0200 +Subject: [PATCH] hw/virtio: Introduce virtio_bh_new_guarded() helper +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Introduce virtio_bh_new_guarded(), similar to qemu_bh_new_guarded() +but using the transport memory guard, instead of the device one +(there can only be one virtio device per virtio bus). + +Inspired-by: Gerd Hoffmann +Reviewed-by: Gerd Hoffmann +Acked-by: Michael S. Tsirkin +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Michael S. Tsirkin +Message-Id: <20240409105537.18308-2-philmd@linaro.org> +--- + hw/virtio/virtio.c | 10 ++++++++++ + include/hw/virtio/virtio.h | 7 +++++++ + 2 files changed, 17 insertions(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index d00effe4d5..202aae868e 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -4148,3 +4148,13 @@ static void virtio_register_types(void) + } + + type_init(virtio_register_types) ++ ++QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, ++ QEMUBHFunc *cb, void *opaque, ++ const char *name) ++{ ++ DeviceState *transport = qdev_get_parent_bus(dev)->parent; ++ ++ return qemu_bh_new_full(cb, opaque, name, ++ &transport->mem_reentrancy_guard); ++} +diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h +index e612441357..60494aed62 100644 +--- a/include/hw/virtio/virtio.h ++++ b/include/hw/virtio/virtio.h +@@ -22,6 +22,7 @@ + #include "standard-headers/linux/virtio_config.h" + #include "standard-headers/linux/virtio_ring.h" + #include "qom/object.h" ++#include "block/aio.h" + + /* + * A guest should never accept this. 
It implies negotiation is broken +@@ -510,4 +511,10 @@ static inline bool virtio_device_disabled(VirtIODevice *vdev) + bool virtio_legacy_allowed(VirtIODevice *vdev); + bool virtio_legacy_check_disabled(VirtIODevice *vdev); + ++QEMUBH *virtio_bh_new_guarded_full(DeviceState *dev, ++ QEMUBHFunc *cb, void *opaque, ++ const char *name); ++#define virtio_bh_new_guarded(dev, cb, opaque) \ ++ virtio_bh_new_guarded_full((dev), (cb), (opaque), (stringify(cb))) ++ + #endif +-- +2.27.0 + diff --git a/hw-virtio-virtio-crypto-Protect-from-DMA-re-entrancy.patch b/hw-virtio-virtio-crypto-Protect-from-DMA-re-entrancy.patch new file mode 100644 index 00000000..3b4fc6c0 --- /dev/null +++ b/hw-virtio-virtio-crypto-Protect-from-DMA-re-entrancy.patch 
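Review bot: `virtio_bh_new_guarded_full()` dereferences `qdev_get_parent_bus(dev)->parent` with no check, and the prototype added to include/hw/virtio/virtio.h has no comment, so the precondition that `dev` is already plugged into a virtio bus is stated nowhere. Since this helper is what the CVE-2024-3446 fixes rely on, the prototype should get a doc comment saying that `dev` must sit on a virtio bus and that the bottom half is guarded by the `mem_reentrancy_guard` of that bus's parent (the transport), not by `dev`'s own guard. An explicit `assert(qdev_get_parent_bus(dev));` before the dereference would turn a misuse into a clear failure rather than a NULL dereference. As a minor style point, the definition is appended after `type_init(virtio_register_types)`, which is conventionally the last statement of the file.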
@@ -0,0 +1,43 @@ +From edb30c972ba68b03cc5febefc880698573a17b04 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 4 Apr 2024 20:56:41 +0200 +Subject: [PATCH] hw/virtio/virtio-crypto: Protect from DMA re-entrancy + bugs(CVE-2024-3446) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Replace qemu_bh_new_guarded() by virtio_bh_new_guarded() +so the bus and device use the same guard. Otherwise the +DMA-reentrancy protection can be bypassed. + +Fixes: CVE-2024-3446 +Cc: qemu-stable@nongnu.org +Suggested-by: Alexander Bulekov +Reviewed-by: Gerd Hoffmann +Acked-by: Michael S. Tsirkin +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Michael S. Tsirkin +Message-Id: <20240409105537.18308-5-philmd@linaro.org> +--- + hw/virtio/virtio-crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c +index 0e2cc8d5a8..4aaced74be 100644 +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -1080,8 +1080,8 @@ static void virtio_crypto_device_realize(DeviceState *dev, Error **errp) + vcrypto->vqs[i].dataq = + virtio_add_queue(vdev, 1024, virtio_crypto_handle_dataq_bh); + vcrypto->vqs[i].dataq_bh = +- qemu_bh_new_guarded(virtio_crypto_dataq_bh, &vcrypto->vqs[i], +- &dev->mem_reentrancy_guard); ++ virtio_bh_new_guarded(dev, virtio_crypto_dataq_bh, ++ &vcrypto->vqs[i]); + vcrypto->vqs[i].vcrypto = vcrypto; + } + +-- +2.27.0 + diff --git a/qemu.spec b/qemu.spec index 01f75ad7..36e697a2 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 8.2.0 -Release: 9 +Release: 10 Epoch: 11 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 
@@ -239,6 +239,17 @@ Patch0222: coro-support-live-patch-for-libcare.patch
 Patch0223: arm-virt-Use-separate-filed-to-identify-cpu-hotplug-.patch
 Patch0224: arm-virt-Use-max_cpus-to-calculate-redist1_count.patch
 Patch0225: include-ui-rect.h-fix-qemu_rect_init-mis-assignment.patch
+Patch0226: tests-bios-tables-test-Rename-smbios-type-4-related-.patch
+Patch0227: hw-scsi-scsi-generic-Fix-io_timeout-property-not-app.patch
+Patch0228: hw-net-virtio-net-fix-qemu-set-used-ring-flag-even-v.patch
+Patch0229: block-virtio-blk-Fix-memory-leak-from-virtio_blk_zon.patch
+Patch0230: hw-nvme-fix-Werror-maybe-uninitialized.patch
+Patch0231: hw-net-net_tx_pkt-Fix-overrun-in-update_sctp_checksu.patch
+Patch0232: hw-virtio-Introduce-virtio_bh_new_guarded-helper.patch
+Patch0233: hw-display-virtio-gpu-Protect-from-DMA-re-entrancy-b.patch
+Patch0234: hw-char-virtio-serial-bus-Protect-from-DMA-re-entran.patch
+Patch0235: hw-virtio-virtio-crypto-Protect-from-DMA-re-entrancy.patch
+Patch0236: hw-sd-sdhci-Do-not-update-TRNMOD-when-Command-Inhibi.patch
 BuildRequires: flex
 BuildRequires: gcc
@@ -836,6 +847,19 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Mon Apr 22 2024 Jiabo Feng - 11:8.2.0-10
+- hw/sd/sdhci: Do not update TRNMOD when Command Inhibit (DAT) is set(CVE-2024-3447)
+- hw/virtio/virtio-crypto: Protect from DMA re-entrancy bugs(CVE-2024-3446)
+- hw/char/virtio-serial-bus: Protect from DMA re-entrancy bugs(CVE-2024-3446)
+- hw/display/virtio-gpu: Protect from DMA re-entrancy bugs(CVE-2024-3446)
+- hw/virtio: Introduce virtio_bh_new_guarded() helper
+- hw/net/net_tx_pkt: Fix overrun in update_sctp_checksum()
+- hw/nvme: fix -Werror=maybe-uninitialized
+- block/virtio-blk: Fix memory leak from virtio_blk_zone_report
+- hw/net/virtio-net: fix qemu set used ring flag even vhost started
+- hw/scsi/scsi-generic: Fix io_timeout property not applying
+- tests: bios-tables-test: Rename smbios type 4 related test functions
+
 * Thu Apr 18 2024 Tao Yang - 11:8.2.0-9
 - add '--enable-slirp' compilation options
diff --git a/tests-bios-tables-test-Rename-smbios-type-4-related-.patch b/tests-bios-tables-test-Rename-smbios-type-4-related-.patch
new file mode 100644
index 00000000..6622fc9d
--- /dev/null
+++ b/tests-bios-tables-test-Rename-smbios-type-4-related-.patch
@@ -0,0 +1,97 @@
+From b59b75fc9f7ed73323179305363f0c2e00613863 Mon Sep 17 00:00:00 2001
+From: Zhao Liu
+Date: Tue, 28 Nov 2023 00:02:02 +0800
+Subject: [PATCH] tests: bios-tables-test: Rename smbios type 4 related test
+ functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In fact, type4-count, core-count, core-count2, thread-count and
+thread-count2 are tested with KVM not TCG.
+
+Rename these test functions to reflect KVM base instead of TCG.
+
+Signed-off-by: Zhao Liu
+Message-Id: <20231127160202.1037290-1-zhao1.liu@linux.intel.com>
+Reviewed-by: Philippe Mathieu-Daudé
+Reviewed-by: Igor Mammedov
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+---
+ tests/qtest/bios-tables-test.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
+index fe6a9a8563..21811a1ab5 100644
+--- a/tests/qtest/bios-tables-test.c
++++ b/tests/qtest/bios-tables-test.c
+@@ -1015,7 +1015,7 @@ static void test_acpi_q35_tcg(void)
+ free_test_data(&data);
+ }
+
+-static void test_acpi_q35_tcg_type4_count(void)
++static void test_acpi_q35_kvm_type4_count(void)
+ {
+ test_data data = {
+ .machine = MACHINE_Q35,
+@@ -1031,7 +1031,7 @@ static void test_acpi_q35_tcg_type4_count(void)
+ free_test_data(&data);
+ }
+
+-static void test_acpi_q35_tcg_core_count(void)
++static void test_acpi_q35_kvm_core_count(void)
+ {
+ test_data data = {
+ .machine = MACHINE_Q35,
+@@ -1048,7 +1048,7 @@ static void test_acpi_q35_tcg_core_count(void)
+ free_test_data(&data);
+ }
+
+-static void test_acpi_q35_tcg_core_count2(void)
++static void test_acpi_q35_kvm_core_count2(void)
+ {
+ test_data data = {
+ .machine = MACHINE_Q35,
+@@ -1065,7 +1065,7 @@ static void test_acpi_q35_tcg_core_count2(void)
+ free_test_data(&data);
+ }
+
+-static void test_acpi_q35_tcg_thread_count(void)
++static void test_acpi_q35_kvm_thread_count(void)
+ {
+ test_data data = {
+ .machine = MACHINE_Q35,
+@@ -1082,7 +1082,7 @@ static void test_acpi_q35_tcg_thread_count(void)
+ free_test_data(&data);
+ }
+
+-static void test_acpi_q35_tcg_thread_count2(void)
++static void test_acpi_q35_kvm_thread_count2(void)
+ {
+ test_data data = {
+ .machine = MACHINE_Q35,
+@@ -2262,15 +2262,15 @@ int main(int argc, char *argv[])
+ qtest_add_func("acpi/q35/kvm/xapic", test_acpi_q35_kvm_xapic);
+ qtest_add_func("acpi/q35/kvm/dmar", test_acpi_q35_kvm_dmar);
+ qtest_add_func("acpi/q35/type4-count",
+- test_acpi_q35_tcg_type4_count);
++ test_acpi_q35_kvm_type4_count);
+ qtest_add_func("acpi/q35/core-count",
+- test_acpi_q35_tcg_core_count);
++ test_acpi_q35_kvm_core_count);
+ qtest_add_func("acpi/q35/core-count2",
+- test_acpi_q35_tcg_core_count2);
++ test_acpi_q35_kvm_core_count2);
+ qtest_add_func("acpi/q35/thread-count",
+- test_acpi_q35_tcg_thread_count);
++ test_acpi_q35_kvm_thread_count);
+ qtest_add_func("acpi/q35/thread-count2",
+- test_acpi_q35_tcg_thread_count2);
++ test_acpi_q35_kvm_thread_count2);
+ }
+ if (qtest_has_device("virtio-iommu-pci")) {
+ qtest_add_func("acpi/q35/viot", test_acpi_q35_viot);
+--
+2.27.0
+
-- Gitee