From 1f9e476e96edb07e34e0133a312f478ddab4b6ff Mon Sep 17 00:00:00 2001 From: Jiabo Feng Date: Wed, 21 Aug 2024 15:14:18 +0800 Subject: [PATCH] QEMU update to version 6.2.0-98: - pci-host: designware: Limit value range of iATU viewport register - hmat acpi: Fix out of bounds access due to missing use of indirection - migration: Skip only empty block devices - aspeed/hace: Initialize g_autofree pointer - hw/net/vmxnet3: Fix guest-triggerable assert() - qxl: don't assert() if device isn't yet initialized - Avoid unaligned fetch in ladr_match() - linux-user: Fix waitid return of siginfo_t and rusage - hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition - stdvga: fix screen blanking - virtio-net: drop too short packets early - ebpf: replace deprecated bpf_program__set_socket_filter - vhsot-user: only read reply of SET_LOG_BASE from vq 0 - cpu: add Tengyun S5000C cpu support - hw/virtio: Fix obtain the buffer id from the last descriptor - hw/core: ensure kernel_end never gets used undefined 
Signed-off-by: Jiabo Feng --- Avoid-unaligned-fetch-in-ladr_match.patch | 36 ++++++++ ...d-hace-Initialize-g_autofree-pointer.patch | 50 ++++++++++ cpu-add-Tengyun-S5000C-cpu-support.patch | 82 +++++++++++++++++ ...recated-bpf_program__set_socket_filt.patch | 32 +++++++ ...t-of-bounds-access-due-to-missing-us.patch | 64 +++++++++++++ ...kernel_end-never-gets-used-undefined.patch | 51 +++++++++++ ...eplace-magic-2048-value-by-MIL_TXFIF.patch | 75 +++++++++++++++ ...vmxnet3-Fix-guest-triggerable-assert.patch | 45 +++++++++ ...tain-the-buffer-id-from-the-last-des.patch | 57 ++++++++++++ ...aitid-return-of-siginfo_t-and-rusage.patch | 60 ++++++++++++ migration-Skip-only-empty-block-devices.patch | 51 +++++++++++ ...are-Limit-value-range-of-iATU-viewpo.patch | 54 +++++++++++ qemu.spec | 36 +++++++- ...sert-if-device-isn-t-yet-initialized.patch | 52 +++++++++++ stdvga-fix-screen-blanking.patch | 47 ++++++++++ ...read-reply-of-SET_LOG_BASE-from-vq-0.patch | 30 ++++++ virtio-net-drop-too-short-packets-early.patch | 91 +++++++++++++++++++ 17 files changed, 912 insertions(+), 1 deletion(-) create mode 100644 Avoid-unaligned-fetch-in-ladr_match.patch create mode 100644 aspeed-hace-Initialize-g_autofree-pointer.patch create mode 100644 cpu-add-Tengyun-S5000C-cpu-support.patch create mode 100644 ebpf-replace-deprecated-bpf_program__set_socket_filt.patch create mode 100644 hmat-acpi-Fix-out-of-bounds-access-due-to-missing-us.patch create mode 100644 hw-core-ensure-kernel_end-never-gets-used-undefined.patch create mode 100644 hw-net-lan9118-Replace-magic-2048-value-by-MIL_TXFIF.patch create mode 100644 hw-net-vmxnet3-Fix-guest-triggerable-assert.patch create mode 100644 hw-virtio-Fix-obtain-the-buffer-id-from-the-last-des.patch create mode 100644 linux-user-Fix-waitid-return-of-siginfo_t-and-rusage.patch create mode 100644 migration-Skip-only-empty-block-devices.patch create mode 100644 pci-host-designware-Limit-value-range-of-iATU-viewpo.patch create mode 100644 
qxl-don-t-assert-if-device-isn-t-yet-initialized.patch
 create mode 100644 stdvga-fix-screen-blanking.patch
 create mode 100644 vhsot-user-only-read-reply-of-SET_LOG_BASE-from-vq-0.patch
 create mode 100644 virtio-net-drop-too-short-packets-early.patch
diff --git a/Avoid-unaligned-fetch-in-ladr_match.patch b/Avoid-unaligned-fetch-in-ladr_match.patch
new file mode 100644
index 0000000..cc29ce6
--- /dev/null
+++ b/Avoid-unaligned-fetch-in-ladr_match.patch
@@ -0,0 +1,36 @@
+From 7696f21456a2a42279efd3f9fca6df839bdbe441 Mon Sep 17 00:00:00 2001
+From: Nick Briggs
+Date: Thu, 1 Feb 2024 10:11:17 -0800
+Subject: [PATCH] Avoid unaligned fetch in ladr_match()
+
+There is no guarantee that the PCNetState is allocated such that
+csr[8] is allocated on an 8-byte boundary. Since not all hosts are
+capable of unaligned fetches the 16-bit elements need to be fetched
+individually to avoid a potential fault. Closes issue #2143
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2143
+Signed-off-by: Nick Briggs
+Reviewed-by: Peter Maydell
+Signed-off-by: Jason Wang
+(cherry picked from commit 6a5287ce80470bb8df95901d73ee779a64e70c3a)
+Signed-off-by: zhujun2
+---
+ hw/net/pcnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index da910a70bf..9c475d5721 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -632,7 +632,7 @@ static inline int ladr_match(PCNetState *s, const uint8_t *buf, int size)
+ {
+ struct qemu_ether_header *hdr = (void *)buf;
+ if ((*(hdr->ether_dhost)&0x01) &&
+- ((uint64_t *)&s->csr[8])[0] != 0LL) {
++ (s->csr[8] | s->csr[9] | s->csr[10] | s->csr[11]) != 0) {
+ uint8_t ladr[8] = {
+ s->csr[8] & 0xff, s->csr[8] >> 8,
+ s->csr[9] & 0xff, s->csr[9] >> 8,
+--
+2.41.0.windows.1
+
diff --git a/aspeed-hace-Initialize-g_autofree-pointer.patch b/aspeed-hace-Initialize-g_autofree-pointer.patch
new file mode 100644
index 0000000..66e5a6f
--- /dev/null
+++ b/aspeed-hace-Initialize-g_autofree-pointer.patch
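Review bot: The replacement condition `(s->csr[8] | s->csr[9] | s->csr[10] | s->csr[11]) != 0` is correct but reads as a test of four unrelated registers, and the intent the removed 64-bit load carried is lost. A one-line comment would keep it, e.g. `/* csr[8..11] form the 64-bit logical address filter; test word-wise so no aligned 64-bit load is needed */`. The `ladr[8]` initialiser just below already decodes the same four words, so the comment also explains why the two agree. ladr_match() continues past the end of this hunk.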
@@ -0,0 +1,50 @@ +From 4f957cd7c79c7820e6218560efde3de142d1caf1 Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Tue, 13 Aug 2024 23:24:29 -0700 +Subject: [PATCH] aspeed/hace: Initialize g_autofree pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As mentioned in docs/devel/style.rst "Automatic memory deallocation": + +* Variables declared with g_auto* MUST always be initialized, + otherwise the cleanup function will use uninitialized stack memory + +This avoids QEMU to coredump when running the "hash test" command +under Zephyr. + +Cc: Steven Lee +Cc: Joel Stanley +Cc: qemu-stable@nongnu.org +Fixes: c5475b3f9a ("hw: Model ASPEED's Hash and Crypto Engine") +Reviewed-by: Philippe Mathieu-Daudé +Reviewed-by: Alex Bennée +Reviewed-by: Thomas Huth +Reviewed-by: Francisco Iglesias +Message-Id: <20230421131547.2177449-1-clg@kaod.org> +Signed-off-by: Cédric Le Goater +Reviewed-by: Joel Stanley +Signed-off-by: Cédric Le Goater +(cherry picked from commit c8f48b120b31f6bbe33135ef5d478e485c37e3c2) +Signed-off-by: zhujun2 +--- + hw/misc/aspeed_hace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/misc/aspeed_hace.c b/hw/misc/aspeed_hace.c +index 10f00e65f4..1192322f0a 100644 +--- a/hw/misc/aspeed_hace.c ++++ b/hw/misc/aspeed_hace.c +@@ -97,7 +97,7 @@ static int hash_algo_lookup(uint32_t reg) + static void do_hash_operation(AspeedHACEState *s, int algo, bool sg_mode) + { + struct iovec iov[ASPEED_HACE_MAX_SG]; +- g_autofree uint8_t *digest_buf; ++ g_autofree uint8_t *digest_buf = NULL; + size_t digest_len = 0; + int i; + +-- +2.41.0.windows.1 + diff --git a/cpu-add-Tengyun-S5000C-cpu-support.patch b/cpu-add-Tengyun-S5000C-cpu-support.patch new file mode 100644 index 0000000..f782583 --- /dev/null +++ b/cpu-add-Tengyun-S5000C-cpu-support.patch 
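Review bot: The `= NULL` on `digest_buf` is the right fix, but nothing in the hunk records why it matters, so the next tidy-up may drop it again; suggest `g_autofree uint8_t *digest_buf = NULL; /* g_autofree cleanup runs on every exit path, so this must never be uninitialised */`. do_hash_operation() continues outside the hunk, so the early-return paths that turned this into a crash are not visible here and I cannot tell whether `iov[]` has a similar exposure.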
@@ -0,0 +1,82 @@ +From 38d4158a556f27c9ce7d9229d6a28cf57dd8de26 Mon Sep 17 00:00:00 2001 +From: Jiakun Shuai +Date: Fri, 19 Jul 2024 15:29:13 +0800 +Subject: [PATCH] cpu: add Tengyun S5000C cpu support + +Add the Tengyun-S5000C CPU model. + +Signed-off-by: pengmengguang +Signed-off-by: Jiakun Shuai +--- + hw/arm/virt.c | 1 + + target/arm/cpu64.c | 35 +++++++++++++++++++++++++++++++++++ + 2 files changed, 36 insertions(+) + +diff --git a/hw/arm/virt.c b/hw/arm/virt.c +index dc119732f0..3394d3a6a6 100644 +--- a/hw/arm/virt.c ++++ b/hw/arm/virt.c +@@ -210,6 +210,7 @@ static const char *valid_cpus[] = { + ARM_CPU_TYPE_NAME("Kunpeng-920"), + ARM_CPU_TYPE_NAME("FT-2000+"), + ARM_CPU_TYPE_NAME("Tengyun-S2500"), ++ ARM_CPU_TYPE_NAME("Tengyun-S5000C"), + ARM_CPU_TYPE_NAME("a64fx"), + ARM_CPU_TYPE_NAME("host"), + ARM_CPU_TYPE_NAME("max"), +diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c +index 3ec788fc29..b4522a337f 100644 +--- a/target/arm/cpu64.c ++++ b/target/arm/cpu64.c +@@ -724,6 +724,40 @@ static void aarch64_max_tengyun_s2500_initfn(Object *obj) + } + } + ++static void aarch64_tengyun_s5000c_initfn(Object *obj) ++{ ++ ARMCPU *cpu = ARM_CPU(obj); ++ ++ aarch64_a72_initfn(obj); ++ ++ cpu->midr = 0x700f8620; ++ cpu->ctr = 0x9444c004; ++ cpu->isar.regs[ID_ISAR0] = 0x2101110; ++ cpu->isar.regs[ID_ISAR1] = 0x1311211; ++ cpu->isar.regs[ID_ISAR2] = 0x21232042; ++ cpu->isar.regs[ID_ISAR3] = 0x1112131; ++ cpu->isar.regs[ID_ISAR4] = 0x10142; ++ cpu->isar.regs[ID_ISAR5] = 0x1011121; ++ cpu->isar.regs[ID_MMFR0] = 0x10201105; ++ cpu->isar.regs[ID_MMFR1] = 0x40000000; ++ cpu->isar.regs[ID_MMFR2] = 0x1260000; ++ cpu->isar.regs[ID_MMFR3] = 0x2122211; ++ cpu->isar.regs[ID_MMFR4] = 0x21110; ++ cpu->isar.regs[MVFR0] = 0x10110222; ++ cpu->isar.regs[MVFR1] = 0x13211111; ++ cpu->isar.regs[MVFR2] = 0x43; ++ cpu->isar.regs[ID_DFR0] = 0x4010088; ++ cpu->isar.regs[ID_PFR0] = 0x10131; ++ cpu->isar.regs[ID_PFR1] = 0x10010000; ++ cpu->isar.regs[ID_AA64PFR0] = 0x1100000011111112; ++ 
cpu->isar.regs[ID_AA64DFR0] = 0x10305408; ++ cpu->isar.regs[ID_AA64ISAR0] = 0x111110212120; ++ cpu->isar.regs[ID_AA64ISAR1] = 0x100001; ++ cpu->isar.regs[ID_AA64MMFR0] = 0x101125; ++ cpu->isar.regs[ID_AA64MMFR1] = 0x10212122; ++ cpu->isar.regs[ID_AA64MMFR2] = 0x1011; ++} ++ + /* -cpu max: if KVM is enabled, like -cpu host (best possible with this host); + * otherwise, a CPU with as many features enabled as our emulation supports. + * The version of '-cpu max' for qemu-system-arm is defined in cpu.c; +@@ -964,6 +998,7 @@ static const ARMCPUInfo aarch64_cpus[] = { + { .name = "Kunpeng-920", .initfn = aarch64_kunpeng_920_initfn}, + { .name = "FT-2000+", .initfn = aarch64_max_ft2000plus_initfn }, + { .name = "Tengyun-S2500", .initfn = aarch64_max_tengyun_s2500_initfn }, ++ { .name = "Tengyun-S5000C", .initfn = aarch64_tengyun_s5000c_initfn }, + { .name = "a64fx", .initfn = aarch64_a64fx_initfn }, + { .name = "max", .initfn = aarch64_max_initfn }, + }; +-- +2.41.0.windows.1 + diff --git a/ebpf-replace-deprecated-bpf_program__set_socket_filt.patch b/ebpf-replace-deprecated-bpf_program__set_socket_filt.patch new file mode 100644 index 0000000..8c1ed61 --- /dev/null +++ b/ebpf-replace-deprecated-bpf_program__set_socket_filt.patch 
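Review bot: `aarch64_tengyun_s5000c_initfn` hard-codes two dozen ID-register values with no comment on their origin, and its name breaks the pattern of the neighbouring `aarch64_max_tengyun_s2500_initfn` / `aarch64_max_ft2000plus_initfn` entries it is registered beside. A header comment such as `/* ID register values as read from Tengyun S5000C hardware (MIDR 0x700f8620); intended for KVM use */` would help; the "KVM" part is my guess from the model's siblings and needs confirming, because under TCG both the guest and QEMU's own isar feature checks would trust fields such as RAS and CSV2/CSV3 that `ID_AA64PFR0 = 0x1100000011111112` advertises and that the Cortex-A72 base this starts from presumably does not. Matching the naming of the adjacent initfns would keep the table consistent.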
@@ -0,0 +1,32 @@
+From 6824dd870cde75d4ef1e8c74d3d596ff94ce5a26 Mon Sep 17 00:00:00 2001
+From: Haochen Tong
+Date: Sat, 28 May 2022 03:06:58 +0800
+Subject: [PATCH] ebpf: replace deprecated bpf_program__set_socket_filter
+
+bpf_program__set_ functions have been deprecated since libbpf 0.8.
+Replace with the equivalent bpf_program__set_type call to avoid a
+deprecation warning.
+
+Signed-off-by: Haochen Tong
+Reviewed-by: Zhang Chen
+Signed-off-by: Jason Wang
+---
+ ebpf/ebpf_rss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ebpf/ebpf_rss.c b/ebpf/ebpf_rss.c
+index 118c68da83..cee658c158 100644
+--- a/ebpf/ebpf_rss.c
++++ b/ebpf/ebpf_rss.c
+@@ -49,7 +49,7 @@ bool ebpf_rss_load(struct EBPFRSSContext *ctx)
+ goto error;
+ }
+
+- bpf_program__set_socket_filter(rss_bpf_ctx->progs.tun_rss_steering_prog);
++ bpf_program__set_type(rss_bpf_ctx->progs.tun_rss_steering_prog, BPF_PROG_TYPE_SOCKET_FILTER);
+
+ if (rss_bpf__load(rss_bpf_ctx)) {
+ trace_ebpf_error("eBPF RSS", "can not load RSS program");
+--
+2.41.0.windows.1
+
diff --git a/hmat-acpi-Fix-out-of-bounds-access-due-to-missing-us.patch b/hmat-acpi-Fix-out-of-bounds-access-due-to-missing-us.patch
new file mode 100644
index 0000000..b6783f0
--- /dev/null
+++ b/hmat-acpi-Fix-out-of-bounds-access-due-to-missing-us.patch
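Review bot: The return value of `bpf_program__set_type()` is discarded; in current libbpf it returns a negative errno (for instance when the object is already loaded), and the failure would then only surface as the less specific `rss_bpf__load` error two lines below. Suggest `if (bpf_program__set_type(rss_bpf_ctx->progs.tun_rss_steering_prog, BPF_PROG_TYPE_SOCKET_FILTER)) {` / `trace_ebpf_error("eBPF RSS", "can not set program type");` / `goto error; }`, which also breaks the over-long line. Whether the old `bpf_program__set_socket_filter` call could fail the same way is not visible here. ebpf_rss_load() continues on both sides of the hunk.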
@@ -0,0 +1,64 @@ +From a47cccd44f4f97238fc2877bf38fdb5ae72b65a6 Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Wed, 14 Aug 2024 19:14:40 -0700 +Subject: [PATCH] hmat acpi: Fix out of bounds access due to missing use of + indirection + +With a numa set up such as + +-numa nodeid=0,cpus=0 \ +-numa nodeid=1,memdev=mem \ +-numa nodeid=2,cpus=1 + +and appropriate hmat_lb entries the initiator list is correctly +computed and writen to HMAT as 0,2 but then the LB data is accessed +using the node id (here 2), landing outside the entry_list array. + +Stash the reverse lookup when writing the initiator list and use +it to get the correct array index index. + +Fixes: 4586a2cb83 ("hmat acpi: Build System Locality Latency and Bandwidth Information Structure(s)") +Signed-off-by: Jonathan Cameron +Message-Id: <20240307160326.31570-3-Jonathan.Cameron@huawei.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 74e2845c5f95b0c139c79233ddb65bb17f2dd679) +Signed-off-by: zhujun2 +--- + hw/acpi/hmat.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c +index 6913ebf730..8af753c67b 100644 +--- a/hw/acpi/hmat.c ++++ b/hw/acpi/hmat.c +@@ -77,6 +77,7 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb, + uint32_t *initiator_list) + { + int i, index; ++ uint32_t initiator_to_index[MAX_NODES] = {}; + HMAT_LB_Data *lb_data; + uint16_t *entry_list; + uint32_t base; +@@ -120,6 +121,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb, + /* Initiator Proximity Domain List */ + for (i = 0; i < num_initiator; i++) { + build_append_int_noprefix(table_data, initiator_list[i], 4); ++ /* Reverse mapping for array possitions */ ++ initiator_to_index[initiator_list[i]] = i; + } + + /* Target Proximity Domain List */ +@@ -131,7 +134,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb, + entry_list = g_malloc0(num_initiator * num_target * 
sizeof(uint16_t)); + for (i = 0; i < hmat_lb->list->len; i++) { + lb_data = &g_array_index(hmat_lb->list, HMAT_LB_Data, i); +- index = lb_data->initiator * num_target + lb_data->target; ++ index = initiator_to_index[lb_data->initiator] * num_target + ++ lb_data->target; + + entry_list[index] = (uint16_t)(lb_data->data / hmat_lb->base); + } +-- +2.41.0.windows.1 + diff --git a/hw-core-ensure-kernel_end-never-gets-used-undefined.patch b/hw-core-ensure-kernel_end-never-gets-used-undefined.patch new file mode 100644 index 0000000..6d57182 --- /dev/null +++ b/hw-core-ensure-kernel_end-never-gets-used-undefined.patch 
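Review bot: `initiator_to_index[initiator_list[i]] = i;` trusts that every initiator node id is below MAX_NODES, and the zero-filled table silently maps any `lb_data->initiator` that is not in the initiator list to index 0, so a mismatched hmat_lb entry would now overwrite initiator 0's row instead of faulting. If the numa option parsing already guarantees both (likely, but not visible from this hunk), a comment saying so at the lookup would do; otherwise `assert(initiator_list[i] < MAX_NODES);` at the store is cheap. The new comment also has a typo: `possitions` → `positions`. build_hmat_lb() continues outside the hunk.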
@@ -0,0 +1,51 @@
+From 26faf838c837c09bf22ef6dc1621adc4e207fc8c Mon Sep 17 00:00:00 2001
+From: guping
+Date: Tue, 9 Jul 2024 11:56:12 +0000
+Subject: [PATCH] hw/core: ensure kernel_end never gets used undefined
+ cherry-pick from f5fcc648083e71cfb9394894903f8ea108ff8831
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Really the problem here is the return values of fit_load_[kernel|fdt]() are a
+little all over the place. However we don't want to somehow get
+through not having set kernel_end and having it just be random unused
+data.
+
+The compiler complained on an --enable-gcov build:
+
+ In file included from ../../hw/core/loader-fit.c:20:
+ /home/alex/lsrc/qemu.git/include/qemu/osdep.h: In function ‘load_fit’:
+ /home/alex/lsrc/qemu.git/include/qemu/osdep.h:486:45: error: ‘kernel_end’ may be used uninitialized [-Werror=maybe-uninitialized]
+ 486 | #define ROUND_UP(n, d) ROUND_DOWN((n) + (d) - 1, (d))
+ | ^
+ ../../hw/core/loader-fit.c:270:12: note: ‘kernel_end’ was declared here
+ 270 | hwaddr kernel_end;
+ | ^~~~~~~~~~
+
+Reviewed-by: default avatarManos Pitsidianakis
+Signed-off-by: default avatarAlex Bennée
+Reviewed-by: default avatarAleksandar Rikalo
+Message-Id: <20240705084047.857176-5-alex.bennee@linaro.org>
+
+Signed-off-by: guping
+---
+ hw/core/loader-fit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/core/loader-fit.c b/hw/core/loader-fit.c
+index b7c7b3ba94..4a9a74cf3a 100644
+--- a/hw/core/loader-fit.c
++++ b/hw/core/loader-fit.c
+@@ -265,7 +265,7 @@ int load_fit(const struct fit_loader *ldr, const char *filename, void *opaque)
+ const char *def_cfg_name;
+ char path[FIT_LOADER_MAX_PATH];
+ int itb_size, configs, cfg_off, off;
+- hwaddr kernel_end;
++ hwaddr kernel_end = 0;
+ int ret;
+
+ itb = load_device_tree(filename, &itb_size);
+--
+2.41.0.windows.1
+
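Review bot: `hwaddr kernel_end = 0;` silences the warning, but as the message itself says the real problem is the return convention of fit_load_kernel()/fit_load_fdt(): a path that never stores kernel_end now feeds 0 into the ROUND_UP from the diagnostic instead of garbage, which is deterministic but still wrong if that path is reachable. A comment such as `hwaddr kernel_end = 0; /* set by fit_load_kernel(); stays 0 if no kernel was loaded */` would record the assumption, if that is indeed the invariant, and the ROUND_UP site (outside this hunk) is where a check for the zero case belongs. load_fit() continues beyond the hunk.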
diff --git a/hw-net-lan9118-Replace-magic-2048-value-by-MIL_TXFIF.patch b/hw-net-lan9118-Replace-magic-2048-value-by-MIL_TXFIF.patch new file mode 100644 index 0000000..3bac2e1 --- /dev/null +++ b/hw-net-lan9118-Replace-magic-2048-value-by-MIL_TXFIF.patch 
@@ -0,0 +1,75 @@ +From c85a85a2c5eb5f26f9c713c010e2ca3408cb8ce4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Mon, 8 Apr 2024 12:44:22 +0200 +Subject: [PATCH] hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE + definition +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The magic 2048 is explained in the LAN9211 datasheet (DS00002414A) +in chapter 1.4, "10/100 Ethernet MAC": + + The MAC Interface Layer (MIL), within the MAC, contains a + 2K Byte transmit and a 128 Byte receive FIFO which is separate + from the TX and RX FIFOs. [...] + +Note, the use of the constant in lan9118_receive() reveals that +our implementation is using the same buffer for both tx and rx. + +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Peter Maydell +Message-Id: <20240409133801.23503-2-philmd@linaro.org> +(cherry picked from commit a45223467e4e185fff1c76a6483784fa379ded77) +Signed-off-by: zhujun2 +--- + hw/net/lan9118.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c +index 942bce9ae6..fa43758105 100644 +--- a/hw/net/lan9118.c ++++ b/hw/net/lan9118.c +@@ -155,6 +155,12 @@ do { fprintf(stderr, "lan9118: error: " fmt , ## __VA_ARGS__);} while (0) + + #define GPT_TIMER_EN 0x20000000 + ++/* ++ * The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte transmit ++ * and a 128 Byte receive FIFO which is separate from the TX and RX FIFOs. 
++ */ ++#define MIL_TXFIFO_SIZE 2048 ++ + enum tx_state { + TX_IDLE, + TX_B, +@@ -171,7 +177,7 @@ typedef struct { + int32_t pad; + int32_t fifo_used; + int32_t len; +- uint8_t data[2048]; ++ uint8_t data[MIL_TXFIFO_SIZE]; + } LAN9118Packet; + + static const VMStateDescription vmstate_lan9118_packet = { +@@ -187,7 +193,7 @@ static const VMStateDescription vmstate_lan9118_packet = { + VMSTATE_INT32(pad, LAN9118Packet), + VMSTATE_INT32(fifo_used, LAN9118Packet), + VMSTATE_INT32(len, LAN9118Packet), +- VMSTATE_UINT8_ARRAY(data, LAN9118Packet, 2048), ++ VMSTATE_UINT8_ARRAY(data, LAN9118Packet, MIL_TXFIFO_SIZE), + VMSTATE_END_OF_LIST() + } + }; +@@ -549,7 +555,7 @@ static ssize_t lan9118_receive(NetClientState *nc, const uint8_t *buf, + return -1; + } + +- if (size >= 2048 || size < 14) { ++ if (size >= MIL_TXFIFO_SIZE || size < 14) { + return -1; + } + +-- +2.41.0.windows.1 + diff --git a/hw-net-vmxnet3-Fix-guest-triggerable-assert.patch b/hw-net-vmxnet3-Fix-guest-triggerable-assert.patch new file mode 100644 index 0000000..5207fb4 --- /dev/null +++ b/hw-net-vmxnet3-Fix-guest-triggerable-assert.patch 
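Review bot: The new macro is documented as the 2K MIL transmit FIFO, yet its third use, `size >= MIL_TXFIFO_SIZE` in lan9118_receive(), bounds received frames against `data[]`, as the message itself notes; a comment at that site, e.g. `/* rx frames are staged in the same buffer as the MIL TX FIFO (LAN9118Packet.data) */`, would stop a reader from "correcting" the check to the 128-byte RX figure. The remaining magic `14` on the same line (Ethernet header length) could get the same treatment. The TX-side code that writes into `data[]` is not in this hunk, so whether those writes are bounded by MIL_TXFIFO_SIZE cannot be judged here and is worth checking when backporting.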
@@ -0,0 +1,45 @@ +From 2c4d30134778dc9219a883243d207f9dff9f0a7e Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Thu, 17 Aug 2023 14:56:00 +0200 +Subject: [PATCH] hw/net/vmxnet3: Fix guest-triggerable assert() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The assert() that checks for valid MTU sizes can be triggered by +the guest (e.g. with the reproducer code from the bug ticket +https://gitlab.com/qemu-project/qemu/-/issues/517 ). Let's avoid +this problem by simply logging the error and refusing to activate +the device instead. + +Fixes: d05dcd94ae ("net: vmxnet3: validate configuration values during activate") +Signed-off-by: Thomas Huth +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Michael Tokarev +[Mjt: change format specifier from %d to %u for uint32_t argument] +(cherry picked from commit 90a0778421acdf4ca903be64c8ed19378183c944) +Signed-off-by: zhujun2 +--- + hw/net/vmxnet3.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index 2a32ab32ea..674b3a6946 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -1441,7 +1441,10 @@ static void vmxnet3_activate_device(VMXNET3State *s) + vmxnet3_setup_rx_filtering(s); + /* Cache fields from shared memory */ + s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); +- assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu <= VMXNET3_MAX_MTU); ++ if (s->mtu < VMXNET3_MIN_MTU || s->mtu > VMXNET3_MAX_MTU) { ++ qemu_log_mask(LOG_GUEST_ERROR, "vmxnet3: Bad MTU size: %u\n", s->mtu); ++ return; ++ } + VMW_CFPRN("MTU is %u", s->mtu); + + s->max_rx_frags = +-- +2.41.0.windows.1 + diff --git a/hw-virtio-Fix-obtain-the-buffer-id-from-the-last-des.patch b/hw-virtio-Fix-obtain-the-buffer-id-from-the-last-des.patch new file mode 100644 index 0000000..fc35d0d --- /dev/null +++ b/hw-virtio-Fix-obtain-the-buffer-id-from-the-last-des.patch 
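Review bot: The new `qemu_log_mask(...)` line runs past 80 columns, which QEMU's checkpatch flags; splitting it as `qemu_log_mask(LOG_GUEST_ERROR, "vmxnet3: Bad MTU size: %u\n",` / `s->mtu);` keeps the message intact. On the early `return` the guest-supplied value stays in `s->mtu` and `vmxnet3_setup_rx_filtering(s)` has already run; that is presumably harmless because activation is abandoned before the device is marked active, but that flag is outside the hunk, so confirm nothing reads `s->mtu` on an inactive device. The rest of vmxnet3_activate_device() is outside the hunk.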
@@ -0,0 +1,57 @@ +From 1937c00107f7598d5b0632f2eb6045e5bb46f6db Mon Sep 17 00:00:00 2001 +From: guping +Date: Tue, 9 Jul 2024 12:39:01 +0000 +Subject: [PATCH] hw/virtio: Fix obtain the buffer id from the last descriptor + cherry-pick from 33abfea239592a706e98269b01c0096249612ea4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virtio-1.3 specification + writes: +2.8.6 Next Flag: Descriptor Chaining + Buffer ID is included in the last descriptor in the list. + +If the feature (_F_INDIRECT_DESC) has been negotiated, install only +one descriptor in the virtqueue. +Therefor the buffer id should be obtained from the first descriptor. + +In descriptor chaining scenarios, the buffer id should be obtained +from the last descriptor. + +Fixes: 86044b24 + + ("virtio: basic packed virtqueue support") + +Signed-off-by: default avatarWafer +Reviewed-by: Jason Wang's avatarJason Wang +Reviewed-by: default avatarEugenio Pérez +Acked-by: Jason Wang's avatarJason Wang +Message-Id: <20240510072753.26158-2-wafer@jaguarmicro.com> +Reviewed-by: MST's avatarMichael S. Tsirkin +Signed-off-by: MST's avatarMichael S. Tsirkin + +Signed-off-by: guping +--- + hw/virtio/virtio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 80156bfbd5..913b40e1f8 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -1635,6 +1635,11 @@ static void *virtqueue_packed_pop(VirtQueue *vq, size_t sz) + &indirect_desc_cache); + } while (rc == VIRTQUEUE_READ_DESC_MORE); + ++ if (desc_cache != &indirect_desc_cache) { ++ /* Buffer ID is included in the last descriptor in the list. */ ++ id = desc.id; ++ } ++ + /* Now copy what we have collected and mapped */ + elem = virtqueue_alloc_element(sz, out_num, in_num); + for (i = 0; i < out_num; i++) { +-- +2.41.0.windows.1 + 
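Review bot: The new comment explains only the chained case; the implicit `else` is that `id` was already taken from the single direct descriptor before the indirect table was walked, which is the actual point of the fix and is not visible in the hunk. Suggest `/* Buffer ID lives in the last descriptor of a chain; for an indirect table it was already read from the single direct descriptor */`. It is also worth stating that `desc` here is the last descriptor read by the preceding do/while, which holds only if that loop cannot fall through on a read error — that path is outside the hunk. virtqueue_packed_pop() continues on both sides.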
diff --git a/linux-user-Fix-waitid-return-of-siginfo_t-and-rusage.patch b/linux-user-Fix-waitid-return-of-siginfo_t-and-rusage.patch new file mode 100644 index 0000000..a98ee1e --- /dev/null +++ b/linux-user-Fix-waitid-return-of-siginfo_t-and-rusage.patch 
@@ -0,0 +1,60 @@ +From 828944a7eb5d67f81aa3bc7158860466dc1f1325 Mon Sep 17 00:00:00 2001 +From: Richard Henderson +Date: Fri, 5 Apr 2024 11:58:14 -1000 +Subject: [PATCH] linux-user: Fix waitid return of siginfo_t and rusage +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The copy back to siginfo_t should be conditional only on arg3, +not the specific values that might have been written. +The copy back to rusage was missing entirely. + +Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2262 +Signed-off-by: Richard Henderson +Tested-by: Alex Fan +Reviewed-by: Philippe Mathieu-Daudé +(cherry picked from commit f0907ff4cae743f1a4ef3d0a55a047029eed06ff) +Signed-off-by: zhujun2 +--- + linux-user/syscall.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/linux-user/syscall.c b/linux-user/syscall.c +index a5fe399277..c4951d449f 100644 +--- a/linux-user/syscall.c ++++ b/linux-user/syscall.c +@@ -8460,14 +8460,24 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1, + #ifdef TARGET_NR_waitid + case TARGET_NR_waitid: + { ++ struct rusage ru; + siginfo_t info; +- info.si_pid = 0; +- ret = get_errno(safe_waitid(arg1, arg2, &info, arg4, NULL)); +- if (!is_error(ret) && arg3 && info.si_pid != 0) { +- if (!(p = lock_user(VERIFY_WRITE, arg3, sizeof(target_siginfo_t), 0))) ++ ++ ret = get_errno(safe_waitid(arg1, arg2, (arg3 ? &info : NULL), ++ arg4, (arg5 ? &ru : NULL))); ++ if (!is_error(ret)) { ++ if (arg3) { ++ p = lock_user(VERIFY_WRITE, arg3, ++ sizeof(target_siginfo_t), 0); ++ if (!p) { ++ return -TARGET_EFAULT; ++ } ++ host_to_target_siginfo(p, &info); ++ unlock_user(p, arg3, sizeof(target_siginfo_t)); ++ } ++ if (arg5 && host_to_target_rusage(arg5, &ru)) { + return -TARGET_EFAULT; +- host_to_target_siginfo(p, &info); +- unlock_user(p, arg3, sizeof(target_siginfo_t)); ++ } + } + } + return ret; +-- +2.41.0.windows.1 + 
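Review bot: `siginfo_t info;` is now uninitialised where the removed code set `info.si_pid = 0`, and `host_to_target_siginfo(p, &info)` runs whenever `arg3` is set and the syscall returned 0 — including a WNOHANG call that found no child, where the kernel writes only the identifying fields. Unless host_to_target_siginfo() is known to read only those fields, `siginfo_t info = {0};` (and `struct rusage ru = {0};` for symmetry) would make the copy into guest memory fully defined. The case body is visible in full; do_syscall1() itself continues outside the hunk.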
diff --git a/migration-Skip-only-empty-block-devices.patch b/migration-Skip-only-empty-block-devices.patch new file mode 100644 index 0000000..ef1f81d --- /dev/null +++ b/migration-Skip-only-empty-block-devices.patch @@ -0,0 +1,51 @@ +From 3fce4b6eed6f37140ff94ea119dd47caaf8eba10 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= +Date: Tue, 12 Mar 2024 13:04:31 +0100 +Subject: [PATCH] migration: Skip only empty block devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The block .save_setup() handler calls a helper routine +init_blk_migration() which builds a list of block devices to take into +account for migration. When one device is found to be empty (sectors +== 0), the loop exits and all the remaining devices are ignored. This +is a regression introduced when bdrv_iterate() was removed. + +Change that by skipping only empty devices. + +Cc: Markus Armbruster +Cc: qemu-stable +Suggested-by: Kevin Wolf +Fixes: fea68bb6e9fa ("block: Eliminate bdrv_iterate(), use bdrv_next()") +Signed-off-by: Cédric Le Goater +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Kevin Wolf +Link: https://lore.kernel.org/r/20240312120431.550054-1-clg@redhat.com +[peterx: fix "Suggested-by:"] +Signed-off-by: Peter Xu +(cherry picked from commit 2e128776dc56f502c2ee41750afe83938f389528) +Signed-off-by: zhujun2 +--- + migration/block.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/migration/block.c b/migration/block.c +index 391f8169fd..4055a6bb60 100644 +--- a/migration/block.c ++++ b/migration/block.c +@@ -415,7 +415,10 @@ static int init_blk_migration(QEMUFile *f) + } + + sectors = bdrv_nb_sectors(bs); +- if (sectors <= 0) { ++ if (sectors == 0) { ++ continue; ++ } ++ if (sectors < 0) { + ret = sectors; + bdrv_next_cleanup(&it); + goto out; +-- +2.41.0.windows.1 + 
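Review bot: The split into `sectors == 0` → `continue` and `sectors < 0` → error is right, but the new `continue` carries no comment, and the loop header and anything acquired earlier in its body are outside the hunk, so a reader cannot see from here that skipping is safe. Suggest `if (sectors == 0) { /* empty device: nothing to migrate, not an error */ continue; }`. The pre-existing `ret = sectors;` narrows an int64_t to int, which is fine for the negative errno this branch now handles exclusively. init_blk_migration() continues outside the hunk.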
diff --git a/pci-host-designware-Limit-value-range-of-iATU-viewpo.patch b/pci-host-designware-Limit-value-range-of-iATU-viewpo.patch new file mode 100644 index 0000000..3b05c15 --- /dev/null +++ b/pci-host-designware-Limit-value-range-of-iATU-viewpo.patch 
@@ -0,0 +1,54 @@ +From 13ece9fb57c74aafdb785b80d7a09b2d90c54cfd Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Sun, 28 Jan 2024 22:00:55 -0800 +Subject: [PATCH] pci-host: designware: Limit value range of iATU viewport + register + +The latest version of qemu (v8.2.0-869-g7a1dc45af5) crashes when booting +the mcimx7d-sabre emulation with Linux v5.11 and later. + +qemu-system-arm: ../system/memory.c:2750: memory_region_set_alias_offset: Assertion `mr->alias' failed. + +Problem is that the Designware PCIe emulation accepts the full value range +for the iATU Viewport Register. However, both hardware and emulation only +support four inbound and four outbound viewports. + +The Linux kernel determines the number of supported viewports by writing +0xff into the viewport register and reading the value back. The expected +value when reading the register is the highest supported viewport index. +Match that code by masking the supported viewport value range when the +register is written. With this change, the Linux kernel reports + +imx6q-pcie 33800000.pcie: iATU: unroll F, 4 ob, 4 ib, align 0K, limit 4G + +as expected and supported. 
+ +Fixes: d64e5eabc4c7 ("pci: Add support for Designware IP block") +Cc: Andrey Smirnov +Cc: Nikita Ostrenkov +Signed-off-by: Guenter Roeck +Message-id: 20240129060055.2616989-1-linux@roeck-us.net +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell +(cherry picked from commit 8a73152020337a7fbf34daf0a006d4d89ec1494e) +Signed-off-by: zhujun2 +--- + hw/pci-host/designware.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c +index bde3a343a2..c235b9daa3 100644 +--- a/hw/pci-host/designware.c ++++ b/hw/pci-host/designware.c +@@ -340,6 +340,8 @@ static void designware_pcie_root_config_write(PCIDevice *d, uint32_t address, + break; + + case DESIGNWARE_PCIE_ATU_VIEWPORT: ++ val &= DESIGNWARE_PCIE_ATU_REGION_INBOUND | ++ (DESIGNWARE_PCIE_NUM_VIEWPORTS - 1); + root->atu_viewport = val; + break; + +-- +2.41.0.windows.1 + diff --git a/qemu.spec b/qemu.spec index 8e7eec2..409feba 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 6.2.0 -Release: 97 +Release: 98 Epoch: 10 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 
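Review bot: `val &= DESIGNWARE_PCIE_ATU_REGION_INBOUND | (DESIGNWARE_PCIE_NUM_VIEWPORTS - 1);` bounds the index only because the viewport count is a power of two; if that constant is ever changed, the guest could again select an out-of-range viewport and reach the assertion quoted in the message. Pinning it with `QEMU_BUILD_BUG_ON(DESIGNWARE_PCIE_NUM_VIEWPORTS & (DESIGNWARE_PCIE_NUM_VIEWPORTS - 1));` beside the definition (outside this hunk) would make that explicit, and a comment here, `/* Linux probes the viewport count by writing 0xff and reading back, so mask rather than reject */`, explains why masking is the right response. designware_pcie_root_config_write() continues outside the hunk.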
@@ -989,6 +989,22 @@ Patch0974: nbd-server-CVE-2024-7409-Drop-non-negotiating-client.patch
 Patch0975: aio-wait.h-introduce-AIO_WAIT_WHILE_UNLOCKED.patch
 Patch0976: main-loop.h-introduce-qemu_in_main_thread.patch
 Patch0977: nbd-server-CVE-2024-7409-Close-stray-clients-at-serv.patch
+Patch0978: hw-core-ensure-kernel_end-never-gets-used-undefined.patch
+Patch0979: hw-virtio-Fix-obtain-the-buffer-id-from-the-last-des.patch
+Patch0980: cpu-add-Tengyun-S5000C-cpu-support.patch
+Patch0981: vhsot-user-only-read-reply-of-SET_LOG_BASE-from-vq-0.patch
+Patch0982: ebpf-replace-deprecated-bpf_program__set_socket_filt.patch
+Patch0983: virtio-net-drop-too-short-packets-early.patch
+Patch0984: stdvga-fix-screen-blanking.patch
+Patch0985: hw-net-lan9118-Replace-magic-2048-value-by-MIL_TXFIF.patch
+Patch0986: linux-user-Fix-waitid-return-of-siginfo_t-and-rusage.patch
+Patch0987: Avoid-unaligned-fetch-in-ladr_match.patch
+Patch0988: qxl-don-t-assert-if-device-isn-t-yet-initialized.patch
+Patch0989: hw-net-vmxnet3-Fix-guest-triggerable-assert.patch
+Patch0990: aspeed-hace-Initialize-g_autofree-pointer.patch
+Patch0991: migration-Skip-only-empty-block-devices.patch
+Patch0992: hmat-acpi-Fix-out-of-bounds-access-due-to-missing-us.patch
+Patch0993: pci-host-designware-Limit-value-range-of-iATU-viewpo.patch
 
 BuildRequires: flex
 BuildRequires: gcc
@@ -1587,6 +1603,24 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Wed Aug 21 2024 - 10:6.2.0-98
+- pci-host: designware: Limit value range of iATU viewport register
+- hmat acpi: Fix out of bounds access due to missing use of indirection
+- migration: Skip only empty block devices
+- aspeed/hace: Initialize g_autofree pointer
+- hw/net/vmxnet3: Fix guest-triggerable assert()
+- qxl: don't assert() if device isn't yet initialized
+- Avoid unaligned fetch in ladr_match()
+- linux-user: Fix waitid return of siginfo_t and rusage
+- hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition
+- stdvga: fix screen blanking
+- virtio-net: drop too short packets early
+- ebpf: replace deprecated bpf_program__set_socket_filter
+- vhsot-user: only read reply of SET_LOG_BASE from vq 0
+- cpu: add Tengyun S5000C cpu support
+- hw/virtio: Fix obtain the buffer id from the last descriptor
+- hw/core: ensure kernel_end never gets used undefined
+
 * Tue Aug 13 2024 - 10:6.2.0-97
 - nbd/server: CVE-2024-7409: Close stray clients at server-stop
 - main-loop.h: introduce qemu_in_main_thread()
diff --git a/qxl-don-t-assert-if-device-isn-t-yet-initialized.patch b/qxl-don-t-assert-if-device-isn-t-yet-initialized.patch
new file mode 100644
index 0000000..b64b815
--- /dev/null
+++ b/qxl-don-t-assert-if-device-isn-t-yet-initialized.patch
@@ -0,0 +1,52 @@ +From 5cb26fdba648f1347f0746cf5c8f619427e4c2b5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Mon, 14 Aug 2023 23:33:30 +0400 +Subject: [PATCH] qxl: don't assert() if device isn't yet initialized +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the PCI BAR isn't yet mapped or was unmapped, QXL_IO_SET_MODE will +assert(). Instead, report a guest bug and keep going. + +This can be reproduced with: + +cat << EOF | ./qemu-system-x86_64 -vga qxl -m 2048 -nodefaults -qtest stdio +outl 0xcf8 0x8000101c +outl 0xcfc 0xc000 +outl 0xcf8 0x80001001 +outl 0xcfc 0x01000000 +outl 0xc006 0x00 +EOF + +Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1829 + +Signed-off-by: Marc-André Lureau +Reviewed-by: Thomas Huth +Cc: qemu-stable@nongnu.org +Signed-off-by: Michael Tokarev +(cherry picked from commit 95bef686e490bc3afc3f51f5fc6e20bf260b938c) +Signed-off-by: zhujun2 +--- + hw/display/qxl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index 0f663b9912..d7673b8169 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -1601,7 +1601,10 @@ static void qxl_set_mode(PCIQXLDevice *d, unsigned int modenr, int loadvm) + } + + d->guest_slots[0].slot = slot; +- assert(qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0); ++ if (qxl_add_memslot(d, 0, devmem, QXL_SYNC) != 0) { ++ qxl_set_guest_bug(d, "device isn't initialized yet"); ++ return; ++ } + + d->guest_primary.surface = surface; + qxl_create_guest_primary(d, 0, QXL_SYNC); +-- +2.41.0.windows.1 + diff --git a/stdvga-fix-screen-blanking.patch b/stdvga-fix-screen-blanking.patch new file mode 100644 index 0000000..286cbea --- /dev/null +++ b/stdvga-fix-screen-blanking.patch 
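Review bot: `d->guest_slots[0].slot = slot;` on the line above has already taken effect when `qxl_add_memslot()` fails and the new branch returns, so slot 0 keeps the guest-supplied descriptor without a registered memslot. That is presumably harmless if later lookups gate on an active flag that qxl_add_memslot() sets, but that is outside the hunk and worth confirming; otherwise clearing the entry before the `return` is a one-liner. The guest-bug text says "not initialized yet" while the condition it reports (per the message) is an unmapped BAR; a comment naming that, e.g. `/* BAR not mapped (yet, or any more) */`, helps whoever reads the log. qxl_set_mode() continues outside the hunk.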
@@ -0,0 +1,47 @@
+From 5e725ce433c562e1e7fbcd1918305846303689fd Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Wed, 5 Jun 2024 15:14:41 +0200
+Subject: [PATCH] stdvga: fix screen blanking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In case the display surface uses a shared buffer (i.e. uses vga vram
+directly instead of a shadow) go unshare the buffer before clearing it.
+
+This avoids vga memory corruption, which in turn fixes unblanking not
+working properly with X11.
+
+Cc: qemu-stable@nongnu.org
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2067
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Marc-André Lureau
+Message-ID: <20240605131444.797896-2-kraxel@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé
+(cherry picked from commit b1cf266c82cb1211ee2785f1813a6a3f3e693390)
+Signed-off-by: zhujun2
+---
+ hw/display/vga.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 33765148d9..5e5fdf67d7 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1745,6 +1745,13 @@ static void vga_draw_blank(VGACommonState *s, int full_update)
+ if (s->last_scr_width <= 0 || s->last_scr_height <= 0)
+ return;
+
++ if (is_buffer_shared(surface)) {
++ /* unshare buffer, otherwise the blanking corrupts vga vram */
++ surface = qemu_create_displaysurface(s->last_scr_width,
++ s->last_scr_height);
++ dpy_gfx_replace_surface(s->con, surface);
++ }
++
+ w = s->last_scr_width * surface_bytes_per_pixel(surface);
+ d = surface_data(surface);
+ for(i = 0; i < s->last_scr_height; i++) {
+--
+2.41.0.windows.1
+
diff --git a/vhsot-user-only-read-reply-of-SET_LOG_BASE-from-vq-0.patch b/vhsot-user-only-read-reply-of-SET_LOG_BASE-from-vq-0.patch
new file mode 100644
index 0000000..53ce87d
--- /dev/null
+++ b/vhsot-user-only-read-reply-of-SET_LOG_BASE-from-vq-0.patch
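Review bot: The new unshare block's one-line comment does not say why the shared case corrupts VRAM, leaving a reader to reconstruct it from the commit message; I would expand it to `/* A shared surface's data points straight into VGA VRAM, so the clear loop below would wipe guest-visible video memory; switch to a private surface first. */`. Note that `w` and `d` are computed after the swap, so `surface_bytes_per_pixel(surface)` and `surface_data(surface)` refer to the replacement surface rather than the shared one — that ordering is what makes the change correct and deserves a word in the comment, since moving the block below the `w =` line would silently break it. The replacement surface's pixel format is whatever `qemu_create_displaysurface()` produces, which presumably may differ from the shared buffer's; the per-pixel width is recomputed from it, so that appears to be handled. vga_draw_blank starts and ends outside the hunk.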
@@ -0,0 +1,30 @@
+From 840318752f3d4611f46378395d67add885f422e0 Mon Sep 17 00:00:00 2001
+From: BillXiang <1373760142@qq.com>
+Date: Thu, 18 Jul 2024 15:29:07 +0800
+Subject: [PATCH] vhsot-user: only read reply of SET_LOG_BASE from vq 0
+
+We have added VHOST_USER_SET_LOG_BASE to vhost_user_one_time_request
+in https://gitee.com/openeuler/qemu/pulls/913
+and will not send this message for other vqs.
+
+Signed-off-by: BillXiang <1373760142@qq.com>
+---
+ hw/virtio/vhost-user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
+index c97ea2544d..f10620494b 100644
+--- a/hw/virtio/vhost-user.c
++++ b/hw/virtio/vhost-user.c
+@@ -534,7 +534,7 @@ static int vhost_user_set_log_base(struct vhost_dev *dev, uint64_t base,
+ return ret;
+ }
+
+- if (shmfd) {
++ if (shmfd && (dev->vq_index == 0)) {
+ msg.hdr.size = 0;
+ ret = vhost_user_read(dev, &msg);
+ if (ret < 0) {
+--
+2.41.0.windows.1
+
diff --git a/virtio-net-drop-too-short-packets-early.patch b/virtio-net-drop-too-short-packets-early.patch
new file mode 100644
index 0000000..b42b7b7
--- /dev/null
+++ b/virtio-net-drop-too-short-packets-early.patch
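Review bot: The new `dev->vq_index == 0` test hard-codes the assumption that SET_LOG_BASE only goes on the wire for the first queue, but the condition that suppresses the send for the other queues lives elsewhere (the one-time-request list the description names), so the two can drift: if a later change sends the message for a non-zero vq, its reply is left unread in the socket and gets consumed as the answer to the next request, which is exactly the kind of desynchronisation the vhost-user protocol has no way to recover from. A comment tying the two together would make the coupling visible, e.g. `/* SET_LOG_BASE is a one-time request sent only for vq 0; no reply is pending for the other queues */`. If a helper already expresses "is this the first queue of the device", using it instead of the literal 0 would keep both checks in one place. The patch file name and Subject carry the typo `vhsot-user`; renaming is cheap while the spec's Patch entry is being added. vhost_user_set_log_base starts and ends outside the hunk.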
@@ -0,0 +1,91 @@ +From b808292dbbb5e49db4b54123010ed2832d0ac548 Mon Sep 17 00:00:00 2001 +From: zhujun2 +Date: Tue, 13 Aug 2024 00:30:30 -0700 +Subject: [PATCH] virtio-net: drop too short packets early + +Reproducer from https://gitlab.com/qemu-project/qemu/-/issues/1451 +creates small packet (1 segment, len = 10 == n->guest_hdr_len), +then destroys queue. + +"if (n->host_hdr_len != n->guest_hdr_len)" is triggered, if body creates +zero length/zero segment packet as there is nothing after guest header. + +qemu_sendv_packet_async() tries to send it. + +slirp discards it because it is smaller than Ethernet header, +but returns 0 because tx hooks are supposed to return total length of data. + +0 is propagated upwards and is interpreted as "packet has been sent" +which is terrible because queue is being destroyed, nobody is waiting for TX +to complete and assert it triggered. + +Fix is discard such empty packets instead of sending them. + +Length 1 packets will go via different codepath: + +virtqueue_push(q->tx_vq, elem, 0); +virtio_notify(vdev, q->tx_vq); +g_free(elem); + +and aren't problematic. 
+ +Signed-off-by: Alexey Dobriyan +Signed-off-by: Jason Wang +(cherry picked from commit 2c3e4e2de699cd4d9f6c71f30a22d8f125cd6164) +Signed-off-by: zhujun2 +--- + hw/net/virtio-net.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index f3fb9393b3..ab794ee789 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -2602,18 +2602,14 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) + out_sg = elem->out_sg; + if (out_num < 1) { + virtio_error(vdev, "virtio-net header not in first element"); +- virtqueue_detach_element(q->tx_vq, elem, 0); +- g_free(elem); +- return -EINVAL; ++ goto detach; + } + + if (n->has_vnet_hdr) { + if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) < + n->guest_hdr_len) { + virtio_error(vdev, "virtio-net header incorrect"); +- virtqueue_detach_element(q->tx_vq, elem, 0); +- g_free(elem); +- return -EINVAL; ++ goto detach; + } + if (n->needs_vnet_hdr_swap) { + virtio_net_hdr_swap(vdev, (void *) &vhdr); +@@ -2644,6 +2640,11 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q) + n->guest_hdr_len, -1); + out_num = sg_num; + out_sg = sg; ++ ++ if (out_num < 1) { ++ virtio_error(vdev, "virtio-net nothing to send"); ++ goto detach; ++ } + } + + ret = qemu_sendv_packet_async(qemu_get_subqueue(n->nic, queue_index), +@@ -2664,6 +2665,11 @@ drop: + } + } + return num_packets; ++ ++detach: ++ virtqueue_detach_element(q->tx_vq, elem, 0); ++ g_free(elem); ++ return -EINVAL; + } + + static void virtio_net_handle_tx_timer(VirtIODevice *vdev, VirtQueue *vq) +-- +2.41.0.windows.1 + -- Gitee
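Review bot: The new `out_num < 1` check escalates an empty packet to `virtio_error()`, which marks the device broken, while the subject and description say such packets are "dropped"; a short comment should state that this is deliberate, e.g. `/* Nothing after the vnet header: refuse rather than hand a zero-length packet to the backend, whose 0 return would be mistaken for "sent" */`. The check only runs inside the `host_hdr_len != guest_hdr_len` branch (the hunk at `@@ -2644`), which matches the description's analysis that the equal-length path produces a length-1 packet via a different route, but that reasoning belongs next to the code rather than only in the commit message, since anyone touching the other branch would otherwise not know it was considered. Consolidating the three exits into a `detach:` label is fine; being reached by `goto` from inside the loop it relies on `elem` being the current element, which appears to hold for the three jump sites visible here. virtio_net_flush_tx starts outside the hunk.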