qemu-4.0.0-0.7.rc3.fc31

Don't block migration with nested VMX (bz #1697997)
Update to qemu-4.0.0-rc3
Cole Robinson 2019-04-16 21:48:03 -04:00
parent 09f7c02959
commit e14a8ce4ef
6 changed files with 56 additions and 267 deletions


@ -1,32 +0,0 @@
From 2c25ad161d7714f15b1951c69c50844ea81f4186 Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Wed, 20 Dec 2017 15:43:07 -0800
Subject: [PATCH] Remove problematic 'evdev 86' key from en-us keymap
This causes LP#1738283. Gerd will have to come up with a better
fix, but just hacking out the problematic key definition should
work for now.
---
pc-bios/keymaps/en-us | 6 ------
1 file changed, 6 deletions(-)
diff --git a/pc-bios/keymaps/en-us b/pc-bios/keymaps/en-us
index a70e03adc0..e518a9dc35 100644
--- a/pc-bios/keymaps/en-us
+++ b/pc-bios/keymaps/en-us
@@ -343,12 +343,6 @@ KP_Decimal 0x53 numlock
# evdev 85 (0x55): no evdev -> QKeyCode mapping (xkb keysym NoSymbol)
-# evdev 86 (0x56), QKeyCode "less", number 0x56
-less 0x56
-greater 0x56 shift
-bar 0x56 altgr
-brokenbar 0x56 shift altgr
-
# evdev 87 (0x57), QKeyCode "f11", number 0x57
F11 0x57
--
2.15.1


@ -0,0 +1,46 @@
From: Cole Robinson <crobinso@redhat.com>
Date: Tue, 16 Apr 2019 20:14:12 -0400
Subject: [PATCH] Revert "target/i386: kvm: add VMX migration blocker"
This reverts commit d98f26073bebddcd3da0ba1b86c3a34e840c0fb8.
As is, it rejects libvirt managedsave and virt-manager snapshots
for default installed VMs on intel hosts. Upstream Paolo says that
the missing kernel bits are already queued up, and until then it's
fine to revert this.
https://lists.gnu.org/archive/html/qemu-devel/2019-04/msg02326.html
---
target/i386/kvm.c | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index 3b29ce5c0d..6ad450d9f1 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -906,7 +906,6 @@ static int hyperv_init_vcpu(X86CPU *cpu)
}
static Error *invtsc_mig_blocker;
-static Error *vmx_mig_blocker;
#define KVM_MAX_CPUID_ENTRIES 100
@@ -1270,17 +1269,6 @@ int kvm_arch_init_vcpu(CPUState *cs)
!!(c->ecx & CPUID_EXT_SMX);
}
- if ((env->features[FEAT_1_ECX] & CPUID_EXT_VMX) && !vmx_mig_blocker) {
- error_setg(&vmx_mig_blocker,
- "Nested VMX virtualization does not support live migration yet");
- r = migrate_add_blocker(vmx_mig_blocker, &local_err);
- if (local_err) {
- error_report_err(local_err);
- error_free(vmx_mig_blocker);
- return r;
- }
- }
-
if (env->mcg_cap & MCG_LMCE_P) {
has_msr_mcg_ext_ctl = has_msr_feature_control = true;
}
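Review bot: The revert removes the VMX migration blocker (and its `vmx_mig_blocker` declaration) from kvm_arch_init_vcpu without substituting any check that this host kernel and QEMU build can carry nested VMX state across a save/restore, so the explicit refusal becomes a silent success. The blocker's own message in the removed lines says nested VMX does not support live migration yet, which presumably means a guest that has an L2 running at managedsave or snapshot time is resumed without that state; the patch description explains why the refusal is unacceptable for default installs but not what the failure mode now looks like, which is what the downstream maintainer deciding when to drop this patch needs. I would add to the patch description, after the revert justification: `Until nested-state save/restore support lands, saving or migrating a guest that is actively running a nested hypervisor is no longer refused and its nested VMX state is not transferred; guests that merely expose the VMX CPUID bit but never enter VMX operation are unaffected.` kvm_arch_init_vcpu begins and ends outside the quoted hunk, so whether any other blocker-related cleanup remains cannot be checked here.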


@ -1,103 +0,0 @@
From: Daniel P. Berrangé <berrange@redhat.com>
Date: Wed, 13 Mar 2019 09:49:03 +0000
Subject: [PATCH RFC] seccomp: don't kill process for resource control syscalls
The Mesa library tries to set process affinity on some of its threads in
order to optimize its performance. Currently this results in QEMU being
immediately terminated when seccomp is enabled.
Mesa doesn't consider failure of the process affinity settings to be
fatal to its operation, but our seccomp policy gives it no choice in
gracefully handling this denial.
It is reasonable to consider that malicious code using the resource
control syscalls to be a less serious attack than if they were trying
to spawn processes or change UIDs and other such things. Generally
speaking changing the resource control setting will "merely" affect
quality of service of processes on the host. With this in mind, rather
than kill the process, we can relax the policy for these syscalls to
return the EPERM errno value. This allows callers to detect that QEMU
does not want them to change resource allocations, and apply some
reasonable fallback logic.
The main downside to this is for code which uses these syscalls but does
not check the return value, blindly assuming they will always
succeeed. Returning an errno could result in sub-optimal behaviour.
Arguably though such code is already broken & needs fixing regardless.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
qemu-seccomp.c | 32 +++++++++++++++++++++++++-------
1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/qemu-seccomp.c b/qemu-seccomp.c
index 36d5829831..9776c9ef40 100644
--- a/qemu-seccomp.c
+++ b/qemu-seccomp.c
@@ -121,20 +121,37 @@ qemu_seccomp(unsigned int operation, unsigned int flags, void *args)
#endif
}
-static uint32_t qemu_seccomp_get_kill_action(void)
+static uint32_t qemu_seccomp_get_kill_action(int set)
{
+ switch (set) {
+ case QEMU_SECCOMP_SET_DEFAULT:
+ case QEMU_SECCOMP_SET_OBSOLETE:
+ case QEMU_SECCOMP_SET_PRIVILEGED:
+ case QEMU_SECCOMP_SET_SPAWN: {
#if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \
defined(SECCOMP_RET_KILL_PROCESS)
- {
- uint32_t action = SECCOMP_RET_KILL_PROCESS;
+ static int kill_process = -1;
+ if (kill_process == -1) {
+ uint32_t action = SECCOMP_RET_KILL_PROCESS;
- if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
+ if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) {
+ kill_process = 1;
+ }
+ kill_process = 0;
+ }
+ if (kill_process == 1) {
return SCMP_ACT_KILL_PROCESS;
}
- }
#endif
+ return SCMP_ACT_TRAP;
+ }
+
+ case QEMU_SECCOMP_SET_RESOURCECTL:
+ return SCMP_ACT_ERRNO(EPERM);
- return SCMP_ACT_TRAP;
+ default:
+ g_assert_not_reached();
+ }
}
@@ -143,7 +160,6 @@ static int seccomp_start(uint32_t seccomp_opts)
int rc = 0;
unsigned int i = 0;
scmp_filter_ctx ctx;
- uint32_t action = qemu_seccomp_get_kill_action();
ctx = seccomp_init(SCMP_ACT_ALLOW);
if (ctx == NULL) {
@@ -157,10 +173,12 @@ static int seccomp_start(uint32_t seccomp_opts)
}
for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
+ uint32_t action;
if (!(seccomp_opts & blacklist[i].set)) {
continue;
}
+ action = qemu_seccomp_get_kill_action(blacklist[i].set);
rc = seccomp_rule_add_array(ctx, action, blacklist[i].num,
blacklist[i].narg, blacklist[i].arg_cmp);
if (rc < 0) {
--
2.20.1


@ -1,40 +0,0 @@
From 9abb23f799804ed7b30aecac2217f870b229f873 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 20 Mar 2019 15:32:30 +0000
Subject: [PATCH 1/2] linux-user: assume __NR_gettid always exists
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The gettid syscall was introduced in Linux 2.4.11. This is old enough
that we can assume it always exists and thus not bother with the
conditional backcompat logic.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
linux-user/syscall.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 208fd1813d..11729f382c 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -249,15 +249,7 @@ static type name (type1 arg1,type2 arg2,type3 arg3,type4 arg4,type5 arg5, \
#define TARGET_NR__llseek TARGET_NR_llseek
#endif
-#ifdef __NR_gettid
_syscall0(int, gettid)
-#else
-/* This is a replacement for the host gettid() and must return a host
- errno. */
-static int gettid(void) {
- return -ENOSYS;
-}
-#endif
/* For the 64-bit guest on 32-bit host case we must emulate
* getdents using getdents64, because otherwise the host
--
2.20.1


@ -1,87 +0,0 @@
From 7bfee99b5dc6dd971d4e0dec49af7578ea1b405c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 19 Mar 2019 17:04:05 +0000
Subject: [PATCH 2/2] linux-user: rename gettid() to sys_gettid() to avoid
clash with glibc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The glibc-2.29.9000-6.fc31.x86_64 package finally includes the gettid()
function as part of unistd.h when __USE_GNU is defined. This clashes
with linux-user code which unconditionally defines this function name
itself.
/home/berrange/src/virt/qemu/linux-user/syscall.c:253:16: error: static declaration of gettid follows non-static declaration
253 | _syscall0(int, gettid)
| ^~~~~~
/home/berrange/src/virt/qemu/linux-user/syscall.c:184:13: note: in definition of macro _syscall0
184 | static type name (void) \
| ^~~~
In file included from /usr/include/unistd.h:1170,
from /home/berrange/src/virt/qemu/include/qemu/osdep.h:107,
from /home/berrange/src/virt/qemu/linux-user/syscall.c:20:
/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of gettid was here
34 | extern __pid_t gettid (void) __THROW;
| ^~~~~~
CC aarch64-linux-user/linux-user/signal.o
make[1]: *** [/home/berrange/src/virt/qemu/rules.mak:69: linux-user/syscall.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:449: subdir-aarch64-linux-user] Error 2
While we could make our definition conditional and rely on glibc's impl,
this patch simply renames our definition to sys_gettid() which is a
common pattern in this file.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
linux-user/syscall.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 11729f382c..96cd4bf86d 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -249,7 +249,8 @@ static type name (type1 arg1,type2 arg2,type3 arg3,type4 arg4,type5 arg5, \
#define TARGET_NR__llseek TARGET_NR_llseek
#endif
-_syscall0(int, gettid)
+#define __NR_sys_gettid __NR_gettid
+_syscall0(int, sys_gettid)
/* For the 64-bit guest on 32-bit host case we must emulate
* getdents using getdents64, because otherwise the host
@@ -5434,7 +5435,7 @@ static void *clone_func(void *arg)
cpu = ENV_GET_CPU(env);
thread_cpu = cpu;
ts = (TaskState *)cpu->opaque;
- info->tid = gettid();
+ info->tid = sys_gettid();
task_settid(ts);
if (info->child_tidptr)
put_user_u32(info->tid, info->child_tidptr);
@@ -5579,9 +5580,9 @@ static int do_fork(CPUArchState *env, unsigned int flags, abi_ulong newsp,
mapping. We can't repeat the spinlock hack used above because
the child process gets its own copy of the lock. */
if (flags & CLONE_CHILD_SETTID)
- put_user_u32(gettid(), child_tidptr);
+ put_user_u32(sys_gettid(), child_tidptr);
if (flags & CLONE_PARENT_SETTID)
- put_user_u32(gettid(), parent_tidptr);
+ put_user_u32(sys_gettid(), parent_tidptr);
ts = (TaskState *)cpu->opaque;
if (flags & CLONE_SETTLS)
cpu_set_tls (env, newtls);
@@ -10621,7 +10622,7 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
return TARGET_PAGE_SIZE;
#endif
case TARGET_NR_gettid:
- return get_errno(gettid());
+ return get_errno(sys_gettid());
#ifdef TARGET_NR_readahead
case TARGET_NR_readahead:
#if TARGET_ABI_BITS == 32
--
2.20.1


@ -138,7 +138,7 @@
%{obsoletes_block_rbd}
# Release candidate version tracking
%global rcver rc2
%global rcver rc3
%if 0%{?rcver:1}
%global rcrel .%{rcver}
%global rcstr -%{rcver}
@ -148,7 +148,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 4.0.0
Release: 0.6%{?rcrel}%{?dist}
Release: 0.7%{?rcrel}%{?dist}
Epoch: 2
License: GPLv2 and BSD and MIT and CC-BY
URL: http://www.qemu.org/
@ -172,9 +172,10 @@ Source20: kvm-x86.modprobe.conf
# /etc/security/limits.d/95-kvm-ppc64-memlock.conf
Source21: 95-kvm-ppc64-memlock.conf
# Modern glibc has a gettid function
Patch1: 0002-linux-user-assume-__NR_gettid-always-exists.patch
Patch2: 0003-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch
# Don't block migration with nested VMX (bz #1697997)
# Not upstream: temporary workaround until kernel supports lands for nested
# VMX migration
Patch0001: 0001-Revert-target-i386-kvm-add-VMX-migration-blocker.patch
# documentation deps
@ -1726,6 +1727,10 @@ getent passwd qemu >/dev/null || \
%changelog
* Tue Apr 16 2019 Cole Robinson <crobinso@redhat.com> - 2:4.0.0-0.7.rc3
- Don't block migration with nested VMX (bz #1697997)
- Update to qemu-4.0.0-rc3
* Sat Apr 06 2019 Richard W.M. Jones <rjones@redhat.com> - 2:4.0.0-0.6.rc2
- Rebuild against xen 4.12.
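Review bot: The new entry is declared as `Patch0001:` while the two entries it replaces in the same hunk used the file's `Patch1:`/`Patch2:` form; rpm treats both spellings as patch index 1, so this is only a style inconsistency, but it is worth keeping one form so the number is easy to match against the apply step. That apply step is not in this hunk: if the spec applies patches with explicit `%patchN` lines rather than `%autosetup`, the lines for the dropped gettid patches must be removed too and the new one must reference index 1, otherwise the build fails at the missing patch numbers — this cannot be confirmed from the visible lines. The added comment also reads `kernel supports lands for nested`; `kernel support lands for nested` is the intended wording.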