From 4a2d47e4647c1f306af3caeab7b555c92a0a8a64 Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Mon, 1 Apr 2013 21:15:57 -0400
Subject: [PATCH] Don't use reserved word 'function' in systemtap files (bz #871286)
Fixes for iscsi dep
Fix -vga vmware crashes (bz #836260)
Fix possible crash with VNC and qxl (bz #919777)
Fix mellanox card passthrough (bz #907996)
Fix QXL migration from F17 to F18 (bz #907916)
Fix kvm module permissions after first install (bz #907215)
---
 ...ut-of-bounds-and-invalid-rects-updat.patch | 109 ++++++++++++++++++
 ...xl-better-vga-init-in-enter_vga_mode.patch | 31 +++++
 ...Enable-MSIX-on-device-to-match-guest.patch | 70 +++++++++++
 0716-qxl-change-rom-size-to-8192.patch | 60 ++++++++++
 ...-compat-property-fix-migration-from-.patch | 84 ++++++++++++++
 qemu.spec | 62 +++++++---
 6 files changed, 399 insertions(+), 17 deletions(-)
 create mode 100644 0713-vmware_vga-fix-out-of-bounds-and-invalid-rects-updat.patch
 create mode 100644 0714-qxl-better-vga-init-in-enter_vga_mode.patch
 create mode 100644 0715-pci-assign-Enable-MSIX-on-device-to-match-guest.patch
 create mode 100644 0716-qxl-change-rom-size-to-8192.patch
 create mode 100644 0717-qxl-Add-rom_size-compat-property-fix-migration-from-.patch
diff --git a/0713-vmware_vga-fix-out-of-bounds-and-invalid-rects-updat.patch b/0713-vmware_vga-fix-out-of-bounds-and-invalid-rects-updat.patch
new file mode 100644
index 0000000..3c76776
--- /dev/null
+++ b/0713-vmware_vga-fix-out-of-bounds-and-invalid-rects-updat.patch
@@ -0,0 +1,109 @@
+From 58ef246dd1849e6b18b22c52ccca0a30e6325d1d Mon Sep 17 00:00:00 2001
+From: Michael Tokarev
+Date: Fri, 25 Jan 2013 21:23:24 +0400
+Subject: [PATCH] vmware_vga: fix out of bounds and invalid rects updating
+
+This is a follow up for several attempts to fix this issue.
+
+Previous incarnations:
+
+1. http://thread.gmane.org/gmane.linux.ubuntu.bugs.general/3156089
+https://bugs.launchpad.net/bugs/918791
+"qemu-kvm dies when using vmvga driver and unity in the guest" bug.
+Fix by Serge Hallyn:
+ https://launchpadlibrarian.net/94916786/qemu-vmware.debdiff
+This fix is incomplete, since it does not check width and height
+for being negative. Serge weren't sure if that's the right place
+to fix it, maybe the fix should be up the stack somewhere.
+
+2. http://thread.gmane.org/gmane.comp.emulators.qemu/166064
+by Marek Vasut: "vmware_vga: Redraw only visible area"
+
+This one adds the (incomplete) check to vmsvga_update_rect_delayed(),
+the routine just queues the rect updating but does no interesting
+stuff. It is also incomplete in the same way as patch by Serge,
+but also does not touch width&height at all after adjusting x&y,
+which is wrong.
+
+As far as I can see, when processing guest requests, the device
+places them into a queue (vmsvga_update_rect_delayed()) and
+processes this queue in different place/time, namely, in
+vmsvga_update_rect(). Sometimes, vmsvga_update_rect() is
+called directly, without placing the request to the gueue.
+This is the place this patch changes, which is the last
+(deepest) in the stack. I'm not sure if this is the right
+place still, since it is possible we have some queue optimization
+(or may have in the future) which will be upset by negative/wrong
+values here, so maybe we should check for validity of input
+right when receiving request from the guest (and maybe even
+use unsigned types there). But I don't know the protocol
+and implementation enough to have a definitive answer.
+
+But since vmsvga_update_rect() has other sanity checks already,
+I'm adding the missing ones there as well.
+
+Cc'ing BALATON Zoltan and Andrzej Zaborowski who shows in `git blame'
+output and may know something in this area.
+
+If this patch is accepted, it should be applied to all active
+stable branches (at least since 1.1, maybe even before), with
+minor context change (ds_get_*(s->vga.ds) => s->*). I'm not
+Cc'ing -stable yet, will do it explicitly once the patch is
+accepted.
+
+BTW, these checks use fprintf(stderr) -- it should be converted
+to something more appropriate, since stderr will most likely
+disappear somewhere.
+
+Cc: Marek Vasut
+CC: Serge Hallyn
+Cc: BALATON Zoltan
+Cc: Andrzej Zaborowski
+Signed-off-by: Michael Tokarev
+Reviewed-by: Marek Vasut
+Signed-off-by: Serge Hallyn
+Signed-off-by: Blue Swirl
+(cherry picked from commit 8cb6bfb54e91b1a31a6ae704def595c2099efde1)
+
+Conflicts:
+ hw/vmware_vga.c
+---
+ hw/vmware_vga.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/hw/vmware_vga.c b/hw/vmware_vga.c
+index f5e4f44..4c54946 100644
+--- a/hw/vmware_vga.c
++++ b/hw/vmware_vga.c
+@@ -298,6 +298,15 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
+ uint8_t *src;
+ uint8_t *dst;
+
++ if (x < 0) {
++ fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x);
++ w += x;
++ x = 0;
++ }
++ if (w < 0) {
++ fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w);
++ w = 0;
++ }
+ if (x + w > s->width) {
+ fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
+ __FUNCTION__, x, w);
+@@ -305,6 +314,15 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
+ w = s->width - x;
+ }
+
++ if (y < 0) {
++ fprintf(stderr, "%s: update y was < 0 (%d)\n", __func__, y);
++ h += y;
++ y = 0;
++ }
++ if (h < 0) {
++ fprintf(stderr, "%s: update h was < 0 (%d)\n", __func__, h);
++ h = 0;
++ }
+ if (y + h > s->height) {
+ fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
+ __FUNCTION__,
y, h);
diff --git a/0714-qxl-better-vga-init-in-enter_vga_mode.patch b/0714-qxl-better-vga-init-in-enter_vga_mode.patch
new file mode 100644
index 0000000..73c60b9
--- /dev/null
+++ b/0714-qxl-better-vga-init-in-enter_vga_mode.patch
@@ -0,0 +1,31 @@
+From e0b3fabbb6833242803f0b02848083e95aeaca6c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Thu, 28 Feb 2013 11:08:50 +0100
+Subject: [PATCH] qxl: better vga init in enter_vga_mode
+
+Ask the vga core to update the display. Will trigger dpy_gfx_resize
+if needed. More complete than just calling dpy_gfx_resize.
+
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit c099e7aa0295678859d58e9e60b7619f6ae3bac8)
+
+Conflicts:
+ hw/qxl.c
+---
+ hw/qxl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/qxl.c b/hw/qxl.c
+index 9418ecb..8374771 100644
+--- a/hw/qxl.c
++++ b/hw/qxl.c
+@@ -1084,8 +1084,8 @@ static void qxl_enter_vga_mode(PCIQXLDevice *d)
+ trace_qxl_enter_vga_mode(d->id);
+ qemu_spice_create_host_primary(&d->ssd);
+ d->mode = QXL_MODE_VGA;
+- dpy_resize(d->ssd.ds);
+ vga_dirty_log_start(&d->vga);
++ vga_hw_update();
+ }
+
+ static void qxl_exit_vga_mode(PCIQXLDevice *d)
diff --git a/0715-pci-assign-Enable-MSIX-on-device-to-match-guest.patch b/0715-pci-assign-Enable-MSIX-on-device-to-match-guest.patch
new file mode 100644
index 0000000..b856b00
--- /dev/null
+++ b/0715-pci-assign-Enable-MSIX-on-device-to-match-guest.patch
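Review bot: The new clamps in vmsvga_update_rect() make x and w non-negative, but the unchanged test right after them, `if (x + w > s->width)`, still adds two guest-supplied ints, so a large positive x and w can overflow before the comparison, and an x that is itself above s->width leaves the later `w = s->width - x` negative. Clamping x to s->width first and then comparing `w > s->width - x` avoids both; the y/h block in the second hunk needs the same treatment. The fprintf(stderr) on every rejected rectangle is also driven by guest input, so a misbehaving guest can flood the host's log; the upstream message already notes stderr should go, and a rate-limited message or a trace point would be the safer form. The enclosing vmsvga_update_rect() body continues outside the hunk.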
@@ -0,0 +1,70 @@
+From 96a60c347aa7da64d34b8980ea13f4fd06b3d679 Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Sun, 6 Jan 2013 21:30:31 -0700
+Subject: [PATCH] pci-assign: Enable MSIX on device to match guest
+
+When a guest enables MSIX on a device we evaluate the MSIX vector
+table, typically find no unmasked vectors and don't switch the device
+to MSIX mode. This generally works fine and the device will be
+switched once the guest enables and therefore unmasks a vector.
+Unfortunately some drivers enable MSIX, then use interfaces to send
+commands between VF & PF or PF & firmware that act based on the host
+state of the device. These therefore may break when MSIX is managed
+lazily. This change re-enables the previous test used to enable MSIX
+(see qemu-kvm a6b402c9), which basically guesses whether a vector
+will be used based on the data field of the vector table.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Alex Williamson
+Acked-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+(cherry picked from commit feb9a2ab4b0260d8d680a7ffd25063dafc7ec628)
+
+Conflicts:
+ hw/kvm/pci-assign.c
+---
+ hw/kvm/pci-assign.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/hw/kvm/pci-assign.c b/hw/kvm/pci-assign.c
+index 9cce02c..493225f 100644
+--- a/hw/kvm/pci-assign.c
++++ b/hw/kvm/pci-assign.c
+@@ -1046,6 +1046,19 @@ static bool msix_masked(MSIXTableEntry *entry)
+ return (entry->ctrl & cpu_to_le32(0x1)) != 0;
+ }
+
++/*
++ * When MSI-X is first enabled the vector table typically has all the
++ * vectors masked, so we can't use that as the obvious test to figure out
++ * how many vectors to initially enable. Instead we look at the data field
++ * because this is what worked for pci-assign for a long time. This makes
++ * sure the physical MSI-X state tracks the guest's view, which is important
++ * for some VF/PF and PF/fw communication channels.
++ */
++static bool assigned_dev_msix_skipped(MSIXTableEntry *entry)
++{
++ return !entry->data;
++}
++
+ static int assigned_dev_update_msix_mmio(PCIDevice *pci_dev)
+ {
+ AssignedDevice *adev = DO_UPCAST(AssignedDevice, dev, pci_dev);
+@@ -1056,7 +1069,7 @@ static int assigned_dev_update_msix_mmio(PCIDevice *pci_dev)
+
+ /* Get the usable entry number for allocating */
+ for (i = 0; i < adev->msix_max; i++, entry++) {
+- if (msix_masked(entry)) {
++ if (assigned_dev_msix_skipped(entry)) {
+ continue;
+ }
+ entries_nr++;
+@@ -1085,7 +1098,7 @@ static int assigned_dev_update_msix_mmio(PCIDevice *pci_dev)
+ for (i = 0; i < adev->msix_max; i++, entry++) {
+ adev->msi_virq[i] = -1;
+
+- if (msix_masked(entry)) {
++ if (assigned_dev_msix_skipped(entry)) {
+ continue;
+ }
+
diff --git a/0716-qxl-change-rom-size-to-8192.patch b/0716-qxl-change-rom-size-to-8192.patch
new file mode 100644
index 0000000..3b827a8
--- /dev/null
+++ b/0716-qxl-change-rom-size-to-8192.patch
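Review bot: `assigned_dev_msix_skipped()` treats a zero data field as "vector not in use", and both loops in assigned_dev_update_msix_mmio() now key off that instead of the mask bit, so a vector whose guest-programmed data happens to be 0 is never counted or enabled on the host, while a masked vector with non-zero data now proceeds into the setup path below the hunk. That is the trade-off the upstream message describes, but the new block comment should state the assumption explicitly, e.g. `* A programmed data field of 0 is assumed never to be a real vector; such entries are treated as unused.`. Both loop bodies continue outside the hunk, and msix_masked() is still defined just above, so if nothing else in the file calls it the compiler will flag it as an unused static function.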
@@ -0,0 +1,60 @@
+From b0929a65ac12a63a5b38f27261b13cf76ef7755e Mon Sep 17 00:00:00 2001
+From: Alon Levy
+Date: Mon, 21 Jan 2013 14:48:07 +0200
+Subject: [PATCH] qxl: change rom size to 8192
+
+This is a simpler solution to 869981, where migration breaks since qxl's
+rom bar size has changed. Instead of ignoring fields in QXLRom, which is what has
+actually changed, we remove some of the modes, a mechanism already
+accounted for by the guest. The modes left allow for portrait and
+landscape only modes, corresponding to orientations 0 and 1.
+Orientations 2 and 3 are dropped.
+
+Added assert so that rom size will fit the future QXLRom increases via
+spice-protocol changes.
+
+This patch has been tested with 6.1.0.10015. With the newer 6.1.0.10016
+there are problems with both "(flipped)" modes prior to the patch, and
+the patch loses the ability to set "Portrait" modes. But this is a
+separate bug to be fixed in the driver, and besides the patch doesn't
+affect the new arbitrary mode setting functionality.
+
+Signed-off-by: Alon Levy
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 038c1879a00153b14bce113315b693e8c2944fa9)
+---
+ hw/qxl.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/hw/qxl.c b/hw/qxl.c
+index 8374771..6a3467f 100644
+--- a/hw/qxl.c
++++ b/hw/qxl.c
+@@ -93,9 +93,7 @@
+
+ #define QXL_MODE_EX(x_res, y_res) \
+ QXL_MODE_16_32(x_res, y_res, 0), \
+- QXL_MODE_16_32(y_res, x_res, 1), \
+- QXL_MODE_16_32(x_res, y_res, 2), \
+- QXL_MODE_16_32(y_res, x_res, 3)
++ QXL_MODE_16_32(x_res, y_res, 1)
+
+ static QXLMode qxl_modes[] = {
+ QXL_MODE_EX(640, 480),
+@@ -322,10 +320,13 @@ static inline uint32_t msb_mask(uint32_t val)
+
+ static ram_addr_t qxl_rom_size(void)
+ {
+- uint32_t rom_size = sizeof(QXLRom) + sizeof(QXLModes) + sizeof(qxl_modes);
++ uint32_t required_rom_size = sizeof(QXLRom) + sizeof(QXLModes) +
++ sizeof(qxl_modes);
++ uint32_t rom_size = 8192; /* two pages */
+
+- rom_size = MAX(rom_size, TARGET_PAGE_SIZE);
+- rom_size = msb_mask(rom_size * 2 - 1);
++ required_rom_size = MAX(required_rom_size, TARGET_PAGE_SIZE);
++ required_rom_size = msb_mask(required_rom_size * 2 - 1);
++ assert(required_rom_size <= rom_size);
+ return rom_size;
+ }
+
diff --git a/0717-qxl-Add-rom_size-compat-property-fix-migration-from-.patch b/0717-qxl-Add-rom_size-compat-property-fix-migration-from-.patch
new file mode 100644
index 0000000..e701769
--- /dev/null
+++ b/0717-qxl-Add-rom_size-compat-property-fix-migration-from-.patch
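Review bot: The rewritten QXL_MODE_EX keeps `QXL_MODE_16_32(x_res, y_res, 1)` as its second entry, whereas the removed orientation-1 line passed `(y_res, x_res, 1)`, so every resolution now advertises two entries with identical landscape dimensions that differ only in the orientation flag, and the upstream message's "portrait and landscape" wording no longer matches the table. If that is intended (the message later admits portrait modes are lost), a comment on the macro, `/* orientation 1 keeps the x/y order: portrait modes are no longer advertised */`, would stop the next reader from "fixing" it. In qxl_rom_size() the new `assert(required_rom_size <= rom_size)` is now the only guard between the fixed 8192-byte ROM and the mode table that is presumably copied into it later; if a build ever defines NDEBUG the check vanishes, so an unconditional abort or an error return would be the more robust form.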
@@ -0,0 +1,84 @@
+From cf8919bea07deeaa6cc07fd3f8ff000b13a7fac1 Mon Sep 17 00:00:00 2001
+From: Cole Robinson
+Date: Mon, 1 Apr 2013 20:02:59 -0400
+Subject: [PATCH] qxl: Add rom_size compat property, fix migration from 1.2
+
+Commit 038c1879a00153b14bce113315b693e8c2944fa9 changed the qxl rom
+size to 8192, which fixes incoming migration from qemu 1.0. However
+from qemu 1.2 and 1.3 had rom size 16384, so incoming migration
+from those versions is now broken.
+
+Add a rom_size compat property. 1.2+ get 16384, everything else is
+8192.
+
+This isn't actually fool proof, since rom_size can be dependent on
+the version of spice qemu is built against:
+
+https://lists.gnu.org/archive/html/qemu-devel/2013-02/msg03154.html
+
+However these sizes match what native Fedora packages get, so it's
+good enough for now.
+---
+ hw/pc_piix.c | 8 ++++++++
+ hw/qxl.c | 9 ++++-----
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/hw/pc_piix.c b/hw/pc_piix.c
+index a771d79..c0af9b8 100644
+--- a/hw/pc_piix.c
++++ b/hw/pc_piix.c
+@@ -398,6 +398,14 @@ static QEMUMachine pc_machine_v1_2 = {
+ .driver = "virtio-blk-pci",\
+ .property = "config-wce",\
+ .value = "off",\
++ },{ \
++ .driver = "qxl", \
++ .property = "rom_size", \
++ .value = stringify(8192), \
++ },{\
++ .driver = "qxl-vga", \
++ .property = "rom_size", \
++ .value = stringify(8192), \
+ }
+
+ static QEMUMachine pc_machine_v1_1 = {
+diff --git a/hw/qxl.c b/hw/qxl.c
+index 6a3467f..93fddb1 100644
+--- a/hw/qxl.c
++++ b/hw/qxl.c
+@@ -318,16 +318,14 @@ static inline uint32_t msb_mask(uint32_t val)
+ return mask;
+ }
+
+-static ram_addr_t qxl_rom_size(void)
++static void check_qxl_rom_size(PCIQXLDevice *d)
+ {
+ uint32_t required_rom_size = sizeof(QXLRom) + sizeof(QXLModes) +
+ sizeof(qxl_modes);
+- uint32_t rom_size = 8192; /* two pages */
+
+ required_rom_size = MAX(required_rom_size, TARGET_PAGE_SIZE);
+ required_rom_size = msb_mask(required_rom_size * 2 - 1);
+- assert(required_rom_size <= rom_size);
+- 
return rom_size;
++ assert(required_rom_size <= d->rom_size);
+ }
+
+ static void init_qxl_rom(PCIQXLDevice *d)
+@@ -1987,7 +1985,7 @@ static int qxl_init_common(PCIQXLDevice *qxl)
+ pci_set_byte(&config[PCI_REVISION_ID], pci_device_rev);
+ pci_set_byte(&config[PCI_INTERRUPT_PIN], 1);
+
+- qxl->rom_size = qxl_rom_size();
++ check_qxl_rom_size(qxl);
+ memory_region_init_ram(&qxl->rom_bar, "qxl.vrom", qxl->rom_size);
+ vmstate_register_ram(&qxl->rom_bar, &qxl->pci.qdev);
+ init_qxl_rom(qxl);
+@@ -2303,6 +2301,7 @@ static Property qxl_properties[] = {
+ DEFINE_PROP_UINT32("vram64_size_mb", PCIQXLDevice, vram_size_mb, -1),
+ DEFINE_PROP_UINT32("vgamem_mb", PCIQXLDevice, vgamem_size_mb, 16),
+ DEFINE_PROP_INT32("surfaces", PCIQXLDevice, ssd.num_surfaces, 1024),
++ DEFINE_PROP_UINT32("rom_size", PCIQXLDevice, rom_size, 16384),
+ DEFINE_PROP_END_OF_LIST(),
+ };
+
diff --git a/qemu.spec b/qemu.spec
index eea2de1..f0897cb 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -109,7 +109,7 @@ Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 1.2.2
-Release: 7%{?dist}
+Release: 8%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@@ -149,7 +149,6 @@ Source10: qemu-guest-agent.service
 Source11: 99-qemu-guest-agent.rules
 Source12: bridge.conf
-
 # Stable 1.2.1 patches
 Patch0001: 0001-target-xtensa-convert-host-errno-values-to-guest.patch
 Patch0002: 0002-target-cris-Fix-buffer-overflow.patch
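Review bot: check_qxl_rom_size() still ends in `assert(required_rom_size <= d->rom_size)`, but d->rom_size is now filled from the user-settable `rom_size` property added to qxl_properties[], so an undersized value on the command line (or a typo in a machine compat entry) aborts the whole QEMU process instead of failing device initialisation. Since qxl_init_common() already returns an int, the check should report and return an error that the caller propagates, as sketched below. It may also be worth rejecting sizes that are not a power of two or are smaller than TARGET_PAGE_SIZE, because the old computation rounded to exactly those constraints before the value reached memory_region_init_ram(); whether the BAR code elsewhere depends on that is not visible here. The rest of qxl_init_common() lies outside the hunk.
```c
static int check_qxl_rom_size(PCIQXLDevice *d)
{
    /* … unchanged: required_rom_size computation … */
    /* rom_size is a user-visible property now: reject, do not assert */
    if (required_rom_size > d->rom_size) {
        error_report("qxl: rom_size %" PRIu32 " is too small, need at least %" PRIu32,
                     d->rom_size, required_rom_size);
        return -1;
    }
    return 0;
}

/* … unchanged: qxl_init_common() up to the ROM size check … */
    if (check_qxl_rom_size(qxl) < 0) {
        return -1;
    }
```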
@@ -519,23 +518,33 @@ Patch0635: 0635-usb-redir-Don-t-make-migration-fail-in-none-seamless.patch
 Patch0701: 0701-mips-Fix-link-error-with-piix4_pm_init.patch
 # Add ./configure --disable-kvm-options
 Patch0702: 0702-configure-Add-disable-kvm-options.patch
-# Fix loading arm initrd if kernel is very large (bz 862766)
+# Fix loading arm initrd if kernel is very large (bz #862766)
 Patch0703: 0703-arm_boot-Change-initrd-load-address-to-halfway-throu.patch
-# libcacard build fixes
+# Don't use reserved word 'function' in systemtap files (bz #871286)
 Patch0704: 0704-dtrace-backend-add-function-to-reserved-words.patch
+# libcacard build fixes
 Patch0705: 0705-libcacard-fix-missing-symbols-in-libcacard.so.patch
 Patch0706: 0706-configure-move-vscclient-binary-under-libcacard.patch
-# Fix libvirt + seccomp combo (bz 855162)
 Patch0707: 0707-libcacard-fix-missing-symbol-in-libcacard.so.patch
-# CVE-2012-6075: Buffer overflow in e1000 nic (bz 889301, bz 889304)
+# Fix libvirt + seccomp combo (bz #855162)
 Patch0708: 0708-seccomp-adding-new-syscalls-bugzilla-855162.patch
-# Fix boot hang if console is not connected (bz 894451)
+# CVE-2012-6075: Buffer overflow in e1000 nic (bz #889301, bz #889304)
 Patch0709: 0709-e1000-Discard-oversized-packets-based-on-SBP-LPE.patch
-# Fix segfault with zero length virtio-scsi disk (bz 847549)
+# Fix boot hang if console is not connected (bz #894451)
 Patch0710: 0710-Revert-serial-fix-retry-logic.patch
+# Fix segfault with zero length virtio-scsi disk (bz #847549)
 Patch0711: 0711-scsi-fix-segfault-with-0-byte-disk.patch
-# Adapt to libiscsi packaging in Fedora (included upstream)
+# Fixes for iscsi dep
 Patch0712: 0712-iscsi-look-for-pkg-config-file-too.patch
+# Fix -vga vmware crashes (bz #836260)
+Patch0713: 0713-vmware_vga-fix-out-of-bounds-and-invalid-rects-updat.patch
+# Fix possible crash with VNC and qxl (bz #919777)
+Patch0714: 0714-qxl-better-vga-init-in-enter_vga_mode.patch
+# Fix mellanox card passthrough (bz #907996)
+Patch0715: 
0715-pci-assign-Enable-MSIX-on-device-to-match-guest.patch
+# Fix QXL migration from F17 to F18 (bz #907916)
+Patch0716: 0716-qxl-change-rom-size-to-8192.patch
+Patch0717: 0717-qxl-Add-rom_size-compat-property-fix-migration-from-.patch
 BuildRequires: SDL-devel
@@ -1341,23 +1350,33 @@ CAC emulation development files.
 %patch0701 -p1
 # Add ./configure --disable-kvm-options
 %patch0702 -p1
-# Fix loading arm initrd if kernel is very large (bz 862766)
+# Fix loading arm initrd if kernel is very large (bz #862766)
 %patch0703 -p1
-# libcacard build fixes
+# Don't use reserved word 'function' in systemtap files (bz #871286)
 %patch0704 -p1
+# libcacard build fixes
 %patch0705 -p1
 %patch0706 -p1
-# Fix libvirt + seccomp combo (bz 855162)
 %patch0707 -p1
-# CVE-2012-6075: Buffer overflow in e1000 nic (bz 889301, bz 889304)
+# Fix libvirt + seccomp combo (bz #855162)
 %patch0708 -p1
-# Fix boot hang if console is not connected (bz 894451)
+# CVE-2012-6075: Buffer overflow in e1000 nic (bz #889301, bz #889304)
 %patch0709 -p1
-# Fix segfault with zero length virtio-scsi disk (bz 847549)
+# Fix boot hang if console is not connected (bz #894451)
 %patch0710 -p1
+# Fix segfault with zero length virtio-scsi disk (bz #847549)
 %patch0711 -p1
-# Adapt to libiscsi packaging in Fedora (included upstream)
+# Fixes for iscsi dep
 %patch0712 -p1
+# Fix -vga vmware crashes (bz #836260)
+%patch0713 -p1
+# Fix possible crash with VNC and qxl (bz #919777)
+%patch0714 -p1
+# Fix mellanox card passthrough (bz #907996)
+%patch0715 -p1
+# Fix QXL migration from F17 to F18 (bz #907916)
+%patch0716 -p1
+%patch0717 -p1
 %build
@@ -1636,7 +1655,7 @@ make check
 # load kvm modules now, so we can make sure no reboot is needed.
 # If there's already a kvm module installed, we don't mess with it
 sh %{_sysconfdir}/sysconfig/modules/kvm.modules || :
-udevadm trigger --sysname-match=kvm || :
+udevadm trigger --subsystem-match=misc --sysname-match=kvm --action=add || :
 %endif
@@ -1967,6 +1986,15 @@ getent passwd qemu >/dev/null || \
 %{_libdir}/pkgconfig/libcacard.pc
 %changelog
+* Mon Apr 01 2013 Cole Robinson - 2:1.2.2-8
+- Don't use reserved word 'function' in systemtap files (bz #871286)
+- Fixes for iscsi dep
+- Fix -vga vmware crashes (bz #836260)
+- Fix possible crash with VNC and qxl (bz #919777)
+- Fix mellanox card passthrough (bz #907996)
+- Fix QXL migration from F17 to F18 (bz #907916)
+- Fix kvm module permissions after first install (bz #907215)
+
 * Mon Mar 11 2013 Paolo Bonzini - 2:1.2.2-7
 - Added libiscsi-devel BuildRequires
 - Use pkg-config to search for libiscsi