Compare commits
146 Commits
1
.fmf/version
Normal file
@ -0,0 +1 @@
1

@ -0,0 +1,33 @@
From 375a476bcdefe65057a38fe6ae3f50b941e63ddd Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 1 Feb 2022 20:09:37 +0100
Subject: [PATCH] target/i386: the sgx_epc_get_section stub is reachable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The sgx_epc_get_section stub is reachable from cpu_x86_cpuid. It
should not assert, instead it should just return true just like
the "real" sgx_epc_get_section does when SGX is disabled.

Reported-by: Vladimír Beneš <vbenes@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/i386/sgx-stub.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/i386/sgx-stub.c b/hw/i386/sgx-stub.c
index 26833eb233..16b1dfd90b 100644
--- a/hw/i386/sgx-stub.c
+++ b/hw/i386/sgx-stub.c
@@ -34,5 +34,5 @@ void pc_machine_init_sgx_epc(PCMachineState *pcms)

bool sgx_epc_get_section(int section_nr, uint64_t *addr, uint64_t *size)
{
- g_assert_not_reached();
+ return true;
}
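Review bot: the `+ return true;` line is the "no EPC section" signal (the commit message says it mirrors what the real sgx_epc_get_section does when SGX is disabled), and the stub never writes `*addr` or `*size`, so a caller that read them after a true return would see uninitialised values; that is the existing contract, but nothing in the stub says so. A one-line comment above the return, e.g. `/* No EPC sections: SGX support is compiled out, caller must not read *addr/*size */`, would stop a later reader from "fixing" this to return false or from expecting the out-parameters to be filled.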
--
2.37.0.rc2

111
0002-virtio-scsi-fix-ctrl-and-event-handler-functions-in-.patch
Normal file
@ -0,0 +1,111 @@
From 7a5a6dbbf40f7d2313173573b99dd26069f7e309 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 27 Apr 2022 15:35:36 +0100
Subject: [PATCH] virtio-scsi: fix ctrl and event handler functions in
dataplane mode

Commit f34e8d8b8d48d73f36a67b6d5e492ef9784b5012 ("virtio-scsi: prepare
virtio_scsi_handle_cmd for dataplane") prepared the virtio-scsi cmd
virtqueue handler function to be used in both the dataplane and
non-dataplane code paths.

It failed to convert the ctrl and event virtqueue handler functions,
which are not designed to be called from the dataplane code path but
will be since the ioeventfd is set up for those virtqueues when
dataplane starts.

Convert the ctrl and event virtqueue handler functions now so they
operate correctly when called from the dataplane code path. Avoid code
duplication by extracting this code into a helper function.

Fixes: f34e8d8b8d48d73f36a67b6d5e492ef9784b5012 ("virtio-scsi: prepare virtio_scsi_handle_cmd for dataplane")
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20220427143541.119567-2-stefanha@redhat.com
[Fixed s/by used/be used/ typo pointed out by Michael Tokarev
<mjt@tls.msk.ru>.
--Stefan]
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 2f743ef6366c2df4ef51ef3ae318138cdc0125ab)
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/scsi/virtio-scsi.c | 42 +++++++++++++++++++++++++++---------------
1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 34a968ecfb..417fbc71d6 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -472,16 +472,32 @@ bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq)
return progress;
}

+/*
+ * If dataplane is configured but not yet started, do so now and return true on
+ * success.
+ *
+ * Dataplane is started by the core virtio code but virtqueue handler functions
+ * can also be invoked when a guest kicks before DRIVER_OK, so this helper
+ * function helps us deal with manually starting ioeventfd in that case.
+ */
+static bool virtio_scsi_defer_to_dataplane(VirtIOSCSI *s)
+{
+ if (!s->ctx || s->dataplane_started) {
+ return false;
+ }
+
+ virtio_device_start_ioeventfd(&s->parent_obj.parent_obj);
+ return !s->dataplane_fenced;
+}
+
static void virtio_scsi_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
{
VirtIOSCSI *s = (VirtIOSCSI *)vdev;

- if (s->ctx) {
- virtio_device_start_ioeventfd(vdev);
- if (!s->dataplane_fenced) {
- return;
- }
+ if (virtio_scsi_defer_to_dataplane(s)) {
+ return;
}
+
virtio_scsi_acquire(s);
virtio_scsi_handle_ctrl_vq(s, vq);
virtio_scsi_release(s);
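Review bot: the helper's doc comment explains the true return but not the two quite different false cases the callers now fall through on: `!s->ctx || s->dataplane_started` (no dataplane at all, or dataplane already owns the virtqueue and this is the IOThread calling, so processing inline is correct) and `s->dataplane_fenced` after `virtio_device_start_ioeventfd()` (dataplane is configured but unusable, so inline processing is the fallback). Spelling both out in the comment would make the `if (virtio_scsi_defer_to_dataplane(s)) { return; }` pattern in the three handlers self-explanatory. It is also worth saying in the commit message that for the ctrl handler the new `s->dataplane_started` check is the actual fix: the old `if (s->ctx)` block returned without processing whenever start was a no-op and not fenced, which is exactly the dataplane call path.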
@@ -720,12 +736,10 @@ static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
/* use non-QOM casts in the data path */
VirtIOSCSI *s = (VirtIOSCSI *)vdev;

- if (s->ctx && !s->dataplane_started) {
- virtio_device_start_ioeventfd(vdev);
- if (!s->dataplane_fenced) {
- return;
- }
+ if (virtio_scsi_defer_to_dataplane(s)) {
+ return;
}
+
virtio_scsi_acquire(s);
virtio_scsi_handle_cmd_vq(s, vq);
virtio_scsi_release(s);
@@ -855,12 +869,10 @@ static void virtio_scsi_handle_event(VirtIODevice *vdev, VirtQueue *vq)
{
VirtIOSCSI *s = VIRTIO_SCSI(vdev);

- if (s->ctx) {
- virtio_device_start_ioeventfd(vdev);
- if (!s->dataplane_fenced) {
- return;
- }
+ if (virtio_scsi_defer_to_dataplane(s)) {
+ return;
}
+
virtio_scsi_acquire(s);
virtio_scsi_handle_event_vq(s, vq);
virtio_scsi_release(s);
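Review bot: with this hunk virtio_scsi_handle_event() is entered from the IOThread as well, yet `VirtIOSCSI *s = VIRTIO_SCSI(vdev);` keeps the QOM dynamic cast while the ctrl and cmd handlers use `(VirtIOSCSI *)vdev` under the comment `/* use non-QOM casts in the data path */`; switching to the plain cast here would keep the three handlers consistent now that they share the same entry path.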
--
2.37.0.rc2

@ -0,0 +1,94 @@
From 5a595325d84fe48fcef921b0810073906ff9284b Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 17 May 2022 09:27:45 +0100
Subject: [PATCH] virtio-scsi: don't waste CPU polling the event virtqueue

The virtio-scsi event virtqueue is not emptied by its handler function.
This is typical for rx virtqueues where the device uses buffers when
some event occurs (e.g. a packet is received, an error condition
happens, etc).

Polling non-empty virtqueues wastes CPU cycles. We are not waiting for
new buffers to become available, we are waiting for an event to occur,
so it's a misuse of CPU resources to poll for buffers.

Introduce the new virtio_queue_aio_attach_host_notifier_no_poll() API,
which is identical to virtio_queue_aio_attach_host_notifier() except
that it does not poll the virtqueue.

Before this patch the following command-line consumed 100% CPU in the
IOThread polling and calling virtio_scsi_handle_event():

$ qemu-system-x86_64 -M accel=kvm -m 1G -cpu host \
--object iothread,id=iothread0 \
--device virtio-scsi-pci,iothread=iothread0 \
--blockdev file,filename=test.img,aio=native,cache.direct=on,node-name=drive0 \
--device scsi-hd,drive=drive0

After this patch CPU is no longer wasted.

Reported-by: Nir Soffer <nsoffer@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Tested-by: Nir Soffer <nsoffer@redhat.com>
Message-id: 20220427143541.119567-3-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 38738f7dbbda90fbc161757b7f4be35b52205552)
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/scsi/virtio-scsi-dataplane.c | 2 +-
hw/virtio/virtio.c | 13 +++++++++++++
include/hw/virtio/virtio.h | 1 +
3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/virtio-scsi-dataplane.c b/hw/scsi/virtio-scsi-dataplane.c
index 29575cbaf6..8bb6e6acfc 100644
--- a/hw/scsi/virtio-scsi-dataplane.c
+++ b/hw/scsi/virtio-scsi-dataplane.c
@@ -138,7 +138,7 @@ int virtio_scsi_dataplane_start(VirtIODevice *vdev)

aio_context_acquire(s->ctx);
virtio_queue_aio_attach_host_notifier(vs->ctrl_vq, s->ctx);
- virtio_queue_aio_attach_host_notifier(vs->event_vq, s->ctx);
+ virtio_queue_aio_attach_host_notifier_no_poll(vs->event_vq, s->ctx);

for (i = 0; i < vs->conf.num_queues; i++) {
virtio_queue_aio_attach_host_notifier(vs->cmd_vqs[i], s->ctx);
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 9d637e043e..67a873f54a 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -3534,6 +3534,19 @@ void virtio_queue_aio_attach_host_notifier(VirtQueue *vq, AioContext *ctx)
virtio_queue_host_notifier_aio_poll_end);
}

+/*
+ * Same as virtio_queue_aio_attach_host_notifier() but without polling. Use
+ * this for rx virtqueues and similar cases where the virtqueue handler
+ * function does not pop all elements. When the virtqueue is left non-empty
+ * polling consumes CPU cycles and should not be used.
+ */
+void virtio_queue_aio_attach_host_notifier_no_poll(VirtQueue *vq, AioContext *ctx)
+{
+ aio_set_event_notifier(ctx, &vq->host_notifier, true,
+ virtio_queue_host_notifier_read,
+ NULL, NULL);
+}
+
void virtio_queue_aio_detach_host_notifier(VirtQueue *vq, AioContext *ctx)
{
aio_set_event_notifier(ctx, &vq->host_notifier, true, NULL, NULL, NULL);
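Review bot: the doc comment on virtio_queue_aio_attach_host_notifier_no_poll() says when to use it but not what the caller gives up, and here the answer is nothing: passing `NULL, NULL` for the poll callbacks means the host notifier is serviced only through `virtio_queue_host_notifier_read`, i.e. when the guest kicks, which for an rx-style virtqueue is exactly the buffer-replenish event the handler cares about. Stating that in the comment would stop someone re-adding polling to the event virtqueue for latency reasons. It would also help to note that detach is shared with the polled variant (the `aio_set_event_notifier(ctx, &vq->host_notifier, true, NULL, NULL, NULL)` just below clears all callbacks), so no matching `_no_poll` detach is needed.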
diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
index b31c4507f5..b62a35fdca 100644
--- a/include/hw/virtio/virtio.h
+++ b/include/hw/virtio/virtio.h
@@ -317,6 +317,7 @@ EventNotifier *virtio_queue_get_host_notifier(VirtQueue *vq);
void virtio_queue_set_host_notifier_enabled(VirtQueue *vq, bool enabled);
void virtio_queue_host_notifier_read(EventNotifier *n);
void virtio_queue_aio_attach_host_notifier(VirtQueue *vq, AioContext *ctx);
+void virtio_queue_aio_attach_host_notifier_no_poll(VirtQueue *vq, AioContext *ctx);
void virtio_queue_aio_detach_host_notifier(VirtQueue *vq, AioContext *ctx);
VirtQueue *virtio_vector_first_queue(VirtIODevice *vdev, uint16_t vector);
VirtQueue *virtio_vector_next_queue(VirtQueue *vq);
--
2.37.0.rc2

54
0004-virtio-scsi-clean-up-virtio_scsi_handle_event_vq.patch
Normal file
@ -0,0 +1,54 @@
From 5edca84f63de972dd08e0c63c7c67003df237f23 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 17 May 2022 09:28:06 +0100
Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_event_vq()

virtio_scsi_handle_event_vq() is only called from hw/scsi/virtio-scsi.c
now and its return value is no longer used. Remove the function
prototype from virtio-scsi.h and drop the return value.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20220427143541.119567-4-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 37ce2de95169dacab3fb53d11bd4509b9c2e3a4c)
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/scsi/virtio-scsi.c | 4 +---
include/hw/virtio/virtio-scsi.h | 1 -
2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 417fbc71d6..aa03a713d8 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -856,13 +856,11 @@ void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
virtio_scsi_complete_req(req);
}

-bool virtio_scsi_handle_event_vq(VirtIOSCSI *s, VirtQueue *vq)
+static void virtio_scsi_handle_event_vq(VirtIOSCSI *s, VirtQueue *vq)
{
if (s->events_dropped) {
virtio_scsi_push_event(s, NULL, VIRTIO_SCSI_T_NO_EVENT, 0);
- return true;
}
- return false;
}

static void virtio_scsi_handle_event(VirtIODevice *vdev, VirtQueue *vq)
diff --git a/include/hw/virtio/virtio-scsi.h b/include/hw/virtio/virtio-scsi.h
index 543681bc18..5957597825 100644
--- a/include/hw/virtio/virtio-scsi.h
+++ b/include/hw/virtio/virtio-scsi.h
@@ -151,7 +151,6 @@ void virtio_scsi_common_realize(DeviceState *dev,
Error **errp);

void virtio_scsi_common_unrealize(DeviceState *dev);
-bool virtio_scsi_handle_event_vq(VirtIOSCSI *s, VirtQueue *vq);
bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq);
bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq);
void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
--
2.37.0.rc2

57
0005-virtio-scsi-clean-up-virtio_scsi_handle_ctrl_vq.patch
Normal file
@ -0,0 +1,57 @@
From 4c4bec46e2ccbcb1e8360b118b46681369e3f05c Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 17 May 2022 09:28:12 +0100
Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_ctrl_vq()

virtio_scsi_handle_ctrl_vq() is only called from hw/scsi/virtio-scsi.c
now and its return value is no longer used. Remove the function
prototype from virtio-scsi.h and drop the return value.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20220427143541.119567-5-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 73b3b49f1880f236b4d0ffd7efb00280c05a5fab)
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/scsi/virtio-scsi.c | 5 +----
include/hw/virtio/virtio-scsi.h | 1 -
2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index aa03a713d8..eefda16e4b 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -460,16 +460,13 @@ static void virtio_scsi_handle_ctrl_req(VirtIOSCSI *s, VirtIOSCSIReq *req)
}
}

-bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq)
+static void virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq)
{
VirtIOSCSIReq *req;
- bool progress = false;

while ((req = virtio_scsi_pop_req(s, vq))) {
- progress = true;
virtio_scsi_handle_ctrl_req(s, req);
}
- return progress;
}

/*
diff --git a/include/hw/virtio/virtio-scsi.h b/include/hw/virtio/virtio-scsi.h
index 5957597825..44dc3b81ec 100644
--- a/include/hw/virtio/virtio-scsi.h
+++ b/include/hw/virtio/virtio-scsi.h
@@ -152,7 +152,6 @@ void virtio_scsi_common_realize(DeviceState *dev,

void virtio_scsi_common_unrealize(DeviceState *dev);
bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq);
-bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq);
void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
void virtio_scsi_free_req(VirtIOSCSIReq *req);
void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
--
2.37.0.rc2

69
0006-virtio-scsi-clean-up-virtio_scsi_handle_cmd_vq.patch
Normal file
@ -0,0 +1,69 @@
From 67a97290efc0e89c7c48bba46ed68de35121b9de Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 17 May 2022 09:28:19 +0100
Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_cmd_vq()

virtio_scsi_handle_cmd_vq() is only called from hw/scsi/virtio-scsi.c
now and its return value is no longer used. Remove the function
prototype from virtio-scsi.h and drop the return value.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20220427143541.119567-6-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit ad482b57ef841b2d4883c5079d20ba44ff5e4b3e)
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/scsi/virtio-scsi.c | 5 +----
include/hw/virtio/virtio-scsi.h | 1 -
2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index eefda16e4b..12c6a21202 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -685,12 +685,11 @@ static void virtio_scsi_handle_cmd_req_submit(VirtIOSCSI *s, VirtIOSCSIReq *req)
scsi_req_unref(sreq);
}

-bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
+static void virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
{
VirtIOSCSIReq *req, *next;
int ret = 0;
bool suppress_notifications = virtio_queue_get_notification(vq);
- bool progress = false;

QTAILQ_HEAD(, VirtIOSCSIReq) reqs = QTAILQ_HEAD_INITIALIZER(reqs);

@@ -700,7 +699,6 @@ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
}

while ((req = virtio_scsi_pop_req(s, vq))) {
- progress = true;
ret = virtio_scsi_handle_cmd_req_prepare(s, req);
if (!ret) {
QTAILQ_INSERT_TAIL(&reqs, req, next);
@@ -725,7 +723,6 @@ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
QTAILQ_FOREACH_SAFE(req, &reqs, next, next) {
virtio_scsi_handle_cmd_req_submit(s, req);
}
- return progress;
}

static void virtio_scsi_handle_cmd(VirtIODevice *vdev, VirtQueue *vq)
diff --git a/include/hw/virtio/virtio-scsi.h b/include/hw/virtio/virtio-scsi.h
index 44dc3b81ec..2497530064 100644
--- a/include/hw/virtio/virtio-scsi.h
+++ b/include/hw/virtio/virtio-scsi.h
@@ -151,7 +151,6 @@ void virtio_scsi_common_realize(DeviceState *dev,
Error **errp);

void virtio_scsi_common_unrealize(DeviceState *dev);
-bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq);
void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
void virtio_scsi_free_req(VirtIOSCSIReq *req);
void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
--
2.37.0.rc2

160
0007-virtio-scsi-move-request-related-items-from-.h-to-.c.patch
Normal file
@ -0,0 +1,160 @@
From 8c2d952c608b15e188db90e26b7238d35f5cf289 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 17 May 2022 09:28:26 +0100
Subject: [PATCH] virtio-scsi: move request-related items from .h to .c

There is no longer a need to expose the request and related APIs in
virtio-scsi.h since there are no callers outside virtio-scsi.c.

Note the block comment in VirtIOSCSIReq has been adjusted to meet the
coding style.

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 20220427143541.119567-7-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 3dc584abeef0e1277c2de8c1c1974cb49444eb0a)
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
hw/scsi/virtio-scsi.c | 45 ++++++++++++++++++++++++++++++---
include/hw/virtio/virtio-scsi.h | 40 -----------------------------
2 files changed, 41 insertions(+), 44 deletions(-)

diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index 12c6a21202..db54d104be 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -29,6 +29,43 @@
#include "hw/virtio/virtio-access.h"
#include "trace.h"

+typedef struct VirtIOSCSIReq {
+ /*
+ * Note:
+ * - fields up to resp_iov are initialized by virtio_scsi_init_req;
+ * - fields starting at vring are zeroed by virtio_scsi_init_req.
+ */
+ VirtQueueElement elem;
+
+ VirtIOSCSI *dev;
+ VirtQueue *vq;
+ QEMUSGList qsgl;
+ QEMUIOVector resp_iov;
+
+ union {
+ /* Used for two-stage request submission */
+ QTAILQ_ENTRY(VirtIOSCSIReq) next;
+
+ /* Used for cancellation of request during TMFs */
+ int remaining;
+ };
+
+ SCSIRequest *sreq;
+ size_t resp_size;
+ enum SCSIXferMode mode;
+ union {
+ VirtIOSCSICmdResp cmd;
+ VirtIOSCSICtrlTMFResp tmf;
+ VirtIOSCSICtrlANResp an;
+ VirtIOSCSIEvent event;
+ } resp;
+ union {
+ VirtIOSCSICmdReq cmd;
+ VirtIOSCSICtrlTMFReq tmf;
+ VirtIOSCSICtrlANReq an;
+ } req;
+} VirtIOSCSIReq;
+
static inline int virtio_scsi_get_lun(uint8_t *lun)
{
return ((lun[2] << 8) | lun[3]) & 0x3FFF;
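Review bot: the block comment carried over in this hunk still says `fields starting at vring are zeroed by virtio_scsi_init_req`, but no member called `vring` exists in the struct as moved (the members are elem, dev, vq, qsgl, resp_iov, the next/remaining union, sreq, resp_size, mode, resp and req), so the second bullet points at nothing. Since the commit message says the comment was already touched for coding style, this is the moment to name the real boundary, which the first bullet implies is the field right after resp_iov, so that the comment and the `zero_skip` computation in virtio_scsi_init_req can be checked against each other.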
@@ -45,7 +82,7 @@ static inline SCSIDevice *virtio_scsi_device_get(VirtIOSCSI *s, uint8_t *lun)
return scsi_device_get(&s->bus, 0, lun[1], virtio_scsi_get_lun(lun));
}

-void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req)
+static void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req)
{
VirtIODevice *vdev = VIRTIO_DEVICE(s);
const size_t zero_skip =
@@ -58,7 +95,7 @@ void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req)
memset((uint8_t *)req + zero_skip, 0, sizeof(*req) - zero_skip);
}

-void virtio_scsi_free_req(VirtIOSCSIReq *req)
+static void virtio_scsi_free_req(VirtIOSCSIReq *req)
{
qemu_iovec_destroy(&req->resp_iov);
qemu_sglist_destroy(&req->qsgl);
@@ -801,8 +838,8 @@ static void virtio_scsi_reset(VirtIODevice *vdev)
s->events_dropped = false;
}

-void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
- uint32_t event, uint32_t reason)
+static void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
+ uint32_t event, uint32_t reason)
{
VirtIOSCSICommon *vs = VIRTIO_SCSI_COMMON(s);
VirtIOSCSIReq *req;
diff --git a/include/hw/virtio/virtio-scsi.h b/include/hw/virtio/virtio-scsi.h
index 2497530064..abdda2cbd0 100644
--- a/include/hw/virtio/virtio-scsi.h
+++ b/include/hw/virtio/virtio-scsi.h
@@ -94,42 +94,6 @@ struct VirtIOSCSI {
uint32_t host_features;
};

-typedef struct VirtIOSCSIReq {
- /* Note:
- * - fields up to resp_iov are initialized by virtio_scsi_init_req;
- * - fields starting at vring are zeroed by virtio_scsi_init_req.
- * */
- VirtQueueElement elem;
-
- VirtIOSCSI *dev;
- VirtQueue *vq;
- QEMUSGList qsgl;
- QEMUIOVector resp_iov;
-
- union {
- /* Used for two-stage request submission */
- QTAILQ_ENTRY(VirtIOSCSIReq) next;
-
- /* Used for cancellation of request during TMFs */
- int remaining;
- };
-
- SCSIRequest *sreq;
- size_t resp_size;
- enum SCSIXferMode mode;
- union {
- VirtIOSCSICmdResp cmd;
- VirtIOSCSICtrlTMFResp tmf;
- VirtIOSCSICtrlANResp an;
- VirtIOSCSIEvent event;
- } resp;
- union {
- VirtIOSCSICmdReq cmd;
- VirtIOSCSICtrlTMFReq tmf;
- VirtIOSCSICtrlANReq an;
- } req;
-} VirtIOSCSIReq;
-
static inline void virtio_scsi_acquire(VirtIOSCSI *s)
{
if (s->ctx) {
@@ -151,10 +115,6 @@ void virtio_scsi_common_realize(DeviceState *dev,
Error **errp);

void virtio_scsi_common_unrealize(DeviceState *dev);
-void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
-void virtio_scsi_free_req(VirtIOSCSIReq *req);
-void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
- uint32_t event, uint32_t reason);

void virtio_scsi_dataplane_setup(VirtIOSCSI *s, Error **errp);
int virtio_scsi_dataplane_start(VirtIODevice *s);
--
2.37.0.rc2

39
0008-Disable-flakey-dbus-display-test.patch
Normal file
@ -0,0 +1,39 @@
From 7bbf88bfd6b5200926294788386398193afe623f Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Sat, 4 Jun 2022 20:28:58 -0400
Subject: [PATCH] Disable flakey dbus-display-test

Signed-off-by: Cole Robinson <crobinso@redhat.com>
---
tests/qtest/meson.build | 8 --------
1 file changed, 8 deletions(-)

diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index d25f82bb5a..d085604727 100644
--- a/tests/qtest/meson.build
+++ b/tests/qtest/meson.build
@@ -94,10 +94,6 @@ qtests_i386 = \
'test-filter-redirector'
]

-if dbus_display
- qtests_i386 += ['dbus-display-test']
-endif
-
dbus_daemon = find_program('dbus-daemon', required: false)
if dbus_daemon.found() and config_host.has_key('GDBUS_CODEGEN')
# Temporarily disabled due to Patchew failures:
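Review bot: the removed `if dbus_display` block deletes the test registration outright, while the commit message carries no failure details or tracker link and only the subject records that the test is flaky; the very next context line, `# Temporarily disabled due to Patchew failures:`, shows this file's own convention for parking a test with a stated reason, so following it here (a comment with the reason and a pointer to the failures) would keep the removal visibly temporary and easy to revert instead of silently dropping the test.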
@@ -298,10 +294,6 @@ qtests = {
'vmgenid-test': files('boot-sector.c', 'acpi-utils.c'),
}

-if dbus_display
-qtests += {'dbus-display-test': [dbus_display1, gio]}
-endif
-
qtest_executables = {}
foreach dir : target_dirs
if not dir.endswith('-softmmu')
--
2.37.0.rc2

0009-Fix-iotests-with-modules-and-qemu-system-s390x.patch (Normal file, 35 lines)
@@ -0,0 +1,35 @@
From 1917ca47ce2234b7d279f16aa7ef1ff165902d1f Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Sat, 4 Jun 2022 20:29:46 -0400
Subject: [PATCH] Fix iotests with modules and qemu-system-s390x

Signed-off-by: Cole Robinson <crobinso@redhat.com>
---
tests/qemu-iotests/common.rc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc
index 227e0a5be9..97f8e0a15f 100644
--- a/tests/qemu-iotests/common.rc
+++ b/tests/qemu-iotests/common.rc
@@ -975,7 +975,7 @@ _require_large_file()
#
_require_devices()
{
- available=$($QEMU -M none -device help | \
+ available=$($QEMU -M none -device help 2> /dev/null | \
grep ^name | sed -e 's/^name "//' -e 's/".*$//')
for device
do
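Review bot: `2> /dev/null` on `$QEMU -M none -device help` silences every diagnostic, not only the module-related stderr output the subject refers to; if `$QEMU` fails outright, `available` ends up empty and every test that calls `_require_devices` is skipped rather than failing. Consider checking the pipeline's exit status (or filtering out the specific stderr lines) so a broken binary is still reported instead of turning into a silent skip.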
@@ -987,7 +987,7 @@ _require_devices()

_require_one_device_of()
{
- available=$($QEMU -M none -device help | \
+ available=$($QEMU -M none -device help 2> /dev/null | \
grep ^name | sed -e 's/^name "//' -e 's/".*$//')
for device
do
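Review bot: this is the same `$QEMU -M none -device help 2> /dev/null | grep ^name | sed ...` pipeline as in `_require_devices()` above, changed in the same way; factoring it into one shared helper (a hypothetical `_available_devices` function) would have made this a one-line change and keeps the two copies from drifting apart again.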
--
2.37.0.rc2

0010-Skip-iotests-entirely.patch (Normal file, 29 lines)
@@ -0,0 +1,29 @@
From 830cda479ec661b752c9c2566bcca0ac22bb478b Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Sun, 5 Jun 2022 12:48:29 -0400
Subject: [PATCH] Skip iotests entirely

Getting sporadic failures like the ones described here:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg887683.html

Signed-off-by: Cole Robinson <crobinso@redhat.com>
---
tests/check-block.sh | 2 ++
1 file changed, 2 insertions(+)

diff --git a/tests/check-block.sh b/tests/check-block.sh
index f59496396c..09cc735da4 100755
--- a/tests/check-block.sh
+++ b/tests/check-block.sh
@@ -50,6 +50,8 @@ fi

cd tests/qemu-iotests

+exit 0
+
# QEMU_CHECK_BLOCK_AUTO is used to disable some unstable sub-tests
export QEMU_CHECK_BLOCK_AUTO=1
export PYTHONUTF8=1
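Review bot: the unconditional `exit 0` right after `cd tests/qemu-iotests` makes everything below it dead code and reports the iotests as passed rather than skipped; if the script runs under meson, exit status 77 would report a skip honestly. Better still, gate the early exit on an environment variable and put the mailing-list link from the commit message in a comment next to it, so re-enabling the tests is a configuration change rather than a revert of this patch.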
--
2.37.0.rc2

0011-linux-user-fix-compat-with-glibc-2.36-sys-mount.h.patch (Normal file, 100 lines)
@@ -0,0 +1,100 @@
From 7605dc625bfd03c4f6bb8daddde909aac3e4badb Mon Sep 17 00:00:00 2001
From: Daniel P. Berrangé <berrange@redhat.com>
Date: Tue, 2 Aug 2022 12:34:23 -0400
Subject: [PATCH] linux-user: fix compat with glibc >= 2.36 sys/mount.h
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The latest glibc 2.36 has extended sys/mount.h so that it
defines the FSCONFIG_* enum constants. These are historically
defined in linux/mount.h, and thus if you include both headers
the compiler complains:

In file included from /usr/include/linux/fs.h:19,
from ../linux-user/syscall.c:98:
/usr/include/linux/mount.h:95:6: error: redeclaration of 'enum fsconfig_command'
95 | enum fsconfig_command {
| ^~~~~~~~~~~~~~~~
In file included from ../linux-user/syscall.c:31:
/usr/include/sys/mount.h:189:6: note: originally defined here
189 | enum fsconfig_command
| ^~~~~~~~~~~~~~~~
/usr/include/linux/mount.h:96:9: error: redeclaration of enumerator 'FSCONFIG_SET_FLAG'
96 | FSCONFIG_SET_FLAG = 0, /* Set parameter, supplying no value */
| ^~~~~~~~~~~~~~~~~
/usr/include/sys/mount.h:191:3: note: previous definition of 'FSCONFIG_SET_FLAG' with type 'enum fsconfig_command'
191 | FSCONFIG_SET_FLAG = 0, /* Set parameter, supplying no value */
| ^~~~~~~~~~~~~~~~~
...snip...

QEMU doesn't include linux/mount.h, but it does use
linux/fs.h and thus gets linux/mount.h indirectly.

glibc acknowledges this problem but does not appear to
be intending to fix it in the foreseeable future, simply
documenting it as a known incompatibility with no
workaround:

https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
https://sourceware.org/glibc/wiki/Synchronizing_Headers

To address this requires either removing use of sys/mount.h
or linux/fs.h, despite QEMU needing declarations from
both.

This patch removes linux/fs.h, meaning we have to define
various FS_IOC constants that are now unavailable.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
linux-user/syscall.c | 18 ++++++++++++++++++
meson.build | 2 ++
2 files changed, 20 insertions(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index f65045efe6..834a86183c 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -95,7 +95,25 @@
#include <linux/soundcard.h>
#include <linux/kd.h>
#include <linux/mtio.h>
+
+#ifdef HAVE_SYS_MOUNT_FSCONFIG
+/*
+ * glibc >= 2.36 linux/mount.h conflicts with sys/mount.h,
+ * which in turn prevents use of linux/fs.h. So we have to
+ * define the constants ourselves for now.
+ */
+#define FS_IOC_GETFLAGS _IOR('f', 1, long)
+#define FS_IOC_SETFLAGS _IOW('f', 2, long)
+#define FS_IOC_GETVERSION _IOR('v', 1, long)
+#define FS_IOC_SETVERSION _IOW('v', 2, long)
+#define FS_IOC_FIEMAP _IOWR('f', 11, struct fiemap)
+#define FS_IOC32_GETFLAGS _IOR('f', 1, int)
+#define FS_IOC32_SETFLAGS _IOW('f', 2, int)
+#define FS_IOC32_GETVERSION _IOR('v', 1, int)
+#define FS_IOC32_SETVERSION _IOW('v', 2, int)
+#else
#include <linux/fs.h>
+#endif
#include <linux/fd.h>
#if defined(CONFIG_FIEMAP)
#include <linux/fiemap.h>
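Review bot: `FS_IOC_FIEMAP` is defined as `_IOWR('f', 11, struct fiemap)`, which expands to `sizeof(struct fiemap)`, but that struct only comes from `<linux/fiemap.h>`, included a few lines later and only under `CONFIG_FIEMAP`. The define itself compiles because macro expansion is deferred, but any use of `FS_IOC_FIEMAP` in a build without `CONFIG_FIEMAP` will fail; either guard that one define with the same `#if defined(CONFIG_FIEMAP)` or add a comment stating the dependency. The hard-coded ioctl numbers also have to stay byte-for-byte identical to `<linux/fs.h>`; a comment naming the kernel header version they were copied from would make that auditable.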
diff --git a/meson.build b/meson.build
index 861de93c4f..8ca99671ec 100644
--- a/meson.build
+++ b/meson.build
@@ -1686,6 +1686,8 @@ config_host_data.set('HAVE_OPTRESET',
cc.has_header_symbol('getopt.h', 'optreset'))
config_host_data.set('HAVE_IPPROTO_MPTCP',
cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
+config_host_data.set('HAVE_SYS_MOUNT_FSCONFIG',
+ cc.has_header_symbol('sys/mount.h', 'FSCONFIG_SET_FLAG'))

# has_member
config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',
--
2.37.0.rc2

0012-vga-avoid-crash-if-no-default-vga-card.patch (Normal file, 36 lines)
@@ -0,0 +1,36 @@
From ac42f1e87f4f963836461691be22e39128b4eff2 Mon Sep 17 00:00:00 2001
From: Guo Zhi <qtxuning1999@sjtu.edu.cn>
Date: Tue, 3 May 2022 17:17:24 +0800
Subject: [PATCH] vga: avoid crash if no default vga card

QEMU on some architectures will crash when executing the -vga help command, because
there is no default vga model. Add a check for this case and avoid the crash.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/978

Signed-off-by: Guo Zhi <qtxuning1999@sjtu.edu.cn>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20220503091724.970009-1-qtxuning1999@sjtu.edu.cn>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
softmmu/vl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/softmmu/vl.c b/softmmu/vl.c
index 6f646531a0..b16c1c48fa 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -974,7 +974,8 @@ static void select_vgahw(const MachineClass *machine_class, const char *p)

if (vga_interface_available(t) && ti->opt_name) {
printf("%-20s %s%s\n", ti->opt_name, ti->name ?: "",
- g_str_equal(ti->opt_name, def) ? " (default)" : "");
+ (def && g_str_equal(ti->opt_name, def)) ?
+ " (default)" : "");
}
}
exit(0);
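Review bot: the `def &&` guard fixes the NULL dereference, but `g_strcmp0(ti->opt_name, def) == 0` is NULL-safe on both arguments and would express the same intent in one call, without the extra parenthesised condition and the line wrap this change introduces.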
--
2.37.0.rc2

0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch (Normal file, 140 lines)
@@ -0,0 +1,140 @@
From 754371b1f2f872156dda4cb4aa16b510c142c381 Mon Sep 17 00:00:00 2001
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Tue, 5 Jul 2022 22:05:43 +0200
Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
(CVE-2022-0216)

Set current_req to NULL to prevent reusing a freed buffer in case of
repeated SCSI cancel requests. Also apply the fix to CLEAR QUEUE and BUS
DEVICE RESET messages as well, since they also cancel the request.

Fixes: CVE-2022-0216
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/lsi53c895a.c | 4 +-
tests/qtest/fuzz-lsi53c895a-test.c | 75 ++++++++++++++++++++++++++++++
2 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
index c8773f73f7..ad5f5e5f39 100644
--- a/hw/scsi/lsi53c895a.c
+++ b/hw/scsi/lsi53c895a.c
@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
case 0x0d:
/* The ABORT TAG message clears the current I/O process only. */
trace_lsi_do_msgout_abort(current_tag);
- if (current_req) {
+ if (current_req && current_req->req) {
scsi_req_cancel(current_req->req);
+ current_req = NULL;
}
lsi_disconnect(s);
break;
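Review bot: clearing the local `current_req` after `scsi_req_cancel()` is the actual fix, but nothing in this `case` shows why it matters, since `lsi_disconnect(s); break;` follow immediately; add a one-line comment that the message loop can deliver another cancel for the same tag, which would otherwise dereference the request freed by the cancel callback (the repeated-cancel sequence from the linked issue).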
@@ -1055,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
/* clear the current I/O process */
if (s->current) {
scsi_req_cancel(s->current->req);
+ current_req = NULL;
}

/* As the current implemented devices scsi_disk and scsi_generic
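Review bot: this path cancels `s->current->req` but only resets the local `current_req`; the visible lines do not show `s->current` being cleared, so either clear it here as well or add a comment that the cancel callback does it, otherwise the device state keeps a dangling pointer. Unlike the ABORT TAG case above, there is also no `->req` NULL check before `scsi_req_cancel()`; use the same `if (s->current && s->current->req)` shape for consistency.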
diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
index ba5d468970..0f968024c8 100644
--- a/tests/qtest/fuzz-lsi53c895a-test.c
+++ b/tests/qtest/fuzz-lsi53c895a-test.c
@@ -8,6 +8,79 @@
#include "qemu/osdep.h"
#include "libqos/libqtest.h"

+/*
+ * This used to trigger a UAF in lsi_do_msgout()
+ * https://gitlab.com/qemu-project/qemu/-/issues/972
+ */
+static void test_lsi_do_msgout_cancel_req(void)
+{
+ QTestState *s;
+
+ if (sizeof(void *) == 4) {
+ g_test_skip("memory size too big for 32-bit build");
+ return;
+ }
+
+ s = qtest_init("-M q35 -m 4G -display none -nodefaults "
+ "-device lsi53c895a,id=scsi "
+ "-device scsi-hd,drive=disk0 "
+ "-drive file=null-co://,id=disk0,if=none,format=raw");
+
+ qtest_outl(s, 0xcf8, 0x80000810);
+ qtest_outl(s, 0xcf8, 0xc000);
+ qtest_outl(s, 0xcf8, 0x80000810);
+ qtest_outw(s, 0xcfc, 0x7);
+ qtest_outl(s, 0xcf8, 0x80000810);
+ qtest_outl(s, 0xcfc, 0xc000);
+ qtest_outl(s, 0xcf8, 0x80000804);
+ qtest_outw(s, 0xcfc, 0x05);
+ qtest_writeb(s, 0x69736c10, 0x08);
+ qtest_writeb(s, 0x69736c13, 0x58);
+ qtest_writeb(s, 0x69736c1a, 0x01);
+ qtest_writeb(s, 0x69736c1b, 0x06);
+ qtest_writeb(s, 0x69736c22, 0x01);
+ qtest_writeb(s, 0x69736c23, 0x07);
+ qtest_writeb(s, 0x69736c2b, 0x02);
+ qtest_writeb(s, 0x69736c48, 0x08);
+ qtest_writeb(s, 0x69736c4b, 0x58);
+ qtest_writeb(s, 0x69736c52, 0x04);
+ qtest_writeb(s, 0x69736c53, 0x06);
+ qtest_writeb(s, 0x69736c5b, 0x02);
+ qtest_outl(s, 0xc02d, 0x697300);
+ qtest_writeb(s, 0x5a554662, 0x01);
+ qtest_writeb(s, 0x5a554663, 0x07);
+ qtest_writeb(s, 0x5a55466a, 0x10);
+ qtest_writeb(s, 0x5a55466b, 0x22);
+ qtest_writeb(s, 0x5a55466c, 0x5a);
+ qtest_writeb(s, 0x5a55466d, 0x5a);
+ qtest_writeb(s, 0x5a55466e, 0x34);
+ qtest_writeb(s, 0x5a55466f, 0x5a);
+ qtest_writeb(s, 0x5a345a5a, 0x77);
+ qtest_writeb(s, 0x5a345a5b, 0x55);
+ qtest_writeb(s, 0x5a345a5c, 0x51);
+ qtest_writeb(s, 0x5a345a5d, 0x27);
+ qtest_writeb(s, 0x27515577, 0x41);
+ qtest_outl(s, 0xc02d, 0x5a5500);
+ qtest_writeb(s, 0x364001d0, 0x08);
+ qtest_writeb(s, 0x364001d3, 0x58);
+ qtest_writeb(s, 0x364001da, 0x01);
+ qtest_writeb(s, 0x364001db, 0x26);
+ qtest_writeb(s, 0x364001dc, 0x0d);
+ qtest_writeb(s, 0x364001dd, 0xae);
+ qtest_writeb(s, 0x364001de, 0x41);
+ qtest_writeb(s, 0x364001df, 0x5a);
+ qtest_writeb(s, 0x5a41ae0d, 0xf8);
+ qtest_writeb(s, 0x5a41ae0e, 0x36);
+ qtest_writeb(s, 0x5a41ae0f, 0xd7);
+ qtest_writeb(s, 0x5a41ae10, 0x36);
+ qtest_writeb(s, 0x36d736f8, 0x0c);
+ qtest_writeb(s, 0x36d736f9, 0x80);
+ qtest_writeb(s, 0x36d736fa, 0x0d);
+ qtest_outl(s, 0xc02d, 0x364000);
+
+ qtest_quit(s);
+}
+
/*
* This used to trigger the assert in lsi_do_dma()
* https://bugs.launchpad.net/qemu/+bug/697510
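Review bot: the reproducer is a raw sequence of port and memory pokes with no explanation; a short comment saying what the `0xcf8`/`0xcfc` config-space writes set up for the controller and what the three `qtest_outl(s, 0xc02d, ...)` writes to its I/O BAR trigger would make the test maintainable by someone who did not run the fuzzer. Likewise, state why `-m 4G` is needed (the guest addresses written reach 0x69736c5b, well above 1 GiB), since that is what forces the 32-bit skip above.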
@@ -46,6 +119,8 @@ int main(int argc, char **argv)
if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
qtest_add_func("fuzz/lsi53c895a/lsi_do_dma_empty_queue",
test_lsi_do_dma_empty_queue);
+ qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
+ test_lsi_do_msgout_cancel_req);
}

return g_test_run();
--
2.37.0.rc2

@@ -0,0 +1,55 @@
From effa979582e34687688df36c9a10b33862f2581f Mon Sep 17 00:00:00 2001
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Sun, 25 Sep 2022 22:45:11 +0200
Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
vnc_client_cut_text_ext

Extended ClientCutText messages start with a 4-byte header. If len < 4,
an integer underflow occurs in vnc_client_cut_text_ext. The result is
used to decompress data in a while loop in inflate_buffer, leading to
CPU consumption and denial of service. Prevent this by checking dlen in
protocol_client_msg.

Fixes: CVE-2022-3165
Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
Reported-by: TangPeng <tangpeng@qianxin.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
ui/vnc.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index 310a873c21..8a2e176b64 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
if (len == 1) {
return 8;
}
+ uint32_t dlen = abs(read_s32(data, 4));
if (len == 8) {
- uint32_t dlen = abs(read_s32(data, 4));
if (dlen > (1 << 20)) {
error_report("vnc: client_cut_text msg payload has %u bytes"
" which exceeds our limit of 1MB.", dlen);
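Review bot: `abs(read_s32(data, 4))` is undefined behaviour when the client sends 0x80000000 (INT32_MIN), because `abs(INT_MIN)` overflows, and this value is entirely attacker-controlled; take the magnitude through a 64-bit intermediate instead (`int64_t v = read_s32(data, 4); uint32_t dlen = v < 0 ? -v : v;`). Hoisting `dlen` out of the `len == 8` block also means it is now evaluated on every call past the `len == 1` early return; that is safe only because that return has already requested 8 bytes, which deserves a one-line comment.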
@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
}

if (read_s32(data, 4) < 0) {
- vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
- read_u32(data, 8), data + 12);
+ if (dlen < 4) {
+ error_report("vnc: malformed payload (header less than 4 bytes)"
+ " in extended clipboard pseudo-encoding.");
+ vnc_client_error(vs);
+ break;
+ }
+ vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
break;
}
vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
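Review bot: the `dlen < 4` check closes the underflow the commit message describes, but it protects only this call site; the message says the subtraction of the 4-byte header happens inside `vnc_client_cut_text_ext()`, so an equivalent check (or assertion) next to that subtraction would keep the function safe for any future caller. A comment here noting that `vnc_client_error(vs)` tears the connection down, which is why `break` is enough, would also help readers of this switch.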
--
2.37.0.rc2

0015-coroutine-Rename-qemu_coroutine_inc-dec_pool_size.patch (Normal file, 92 lines)
@@ -0,0 +1,92 @@
From 9be9b8e36940756582c453c6bf08daa6955f916e Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Tue, 10 May 2022 17:10:19 +0200
Subject: [PATCH] coroutine: Rename qemu_coroutine_inc/dec_pool_size()

It's true that these functions currently affect the batch size in which
coroutines are reused (i.e. moved from the global release pool to the
allocation pool of a specific thread), but this is a bug and will be
fixed in a separate patch.

In fact, the comment in the header file already just promises that it
influences the pool size, so reflect this in the name of the functions.
As a nice side effect, the shorter function name makes some line
wrapping unnecessary.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20220510151020.105528-2-kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 98e3ab35054b946f7c2aba5408822532b0920b53)
---
hw/block/virtio-blk.c | 6 ++----
include/qemu/coroutine.h | 6 +++---
util/qemu-coroutine.c | 4 ++--
3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 540c38f829..6a1cc41877 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -1215,8 +1215,7 @@ static void virtio_blk_device_realize(DeviceState *dev, Error **errp)
for (i = 0; i < conf->num_queues; i++) {
virtio_add_queue(vdev, conf->queue_size, virtio_blk_handle_output);
}
- qemu_coroutine_increase_pool_batch_size(conf->num_queues * conf->queue_size
- / 2);
+ qemu_coroutine_inc_pool_size(conf->num_queues * conf->queue_size / 2);
virtio_blk_data_plane_create(vdev, conf, &s->dataplane, &err);
if (err != NULL) {
error_propagate(errp, err);
@@ -1253,8 +1252,7 @@ static void virtio_blk_device_unrealize(DeviceState *dev)
for (i = 0; i < conf->num_queues; i++) {
virtio_del_queue(vdev, i);
}
- qemu_coroutine_decrease_pool_batch_size(conf->num_queues * conf->queue_size
- / 2);
+ qemu_coroutine_dec_pool_size(conf->num_queues * conf->queue_size / 2);
qemu_del_vm_change_state_handler(s->change);
blockdev_mark_auto_del(s->blk);
virtio_cleanup(vdev);
diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
index c828a95ee0..5b621d1295 100644
--- a/include/qemu/coroutine.h
+++ b/include/qemu/coroutine.h
@@ -334,12 +334,12 @@ void coroutine_fn yield_until_fd_readable(int fd);
/**
* Increase coroutine pool size
*/
-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size);
+void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size);

/**
- * Devcrease coroutine pool size
+ * Decrease coroutine pool size
*/
-void qemu_coroutine_decrease_pool_batch_size(unsigned int additional_pool_size);
+void qemu_coroutine_dec_pool_size(unsigned int additional_pool_size);

#include "qemu/lockable.h"

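Review bot: the prototype of `qemu_coroutine_dec_pool_size()` still names its parameter `additional_pool_size`, while the definition in util/qemu-coroutine.c (next hunk) calls it `removing_pool_size`; since the rename rewrites both lines anyway, align the names, and the doc comments could say what the size counts (coroutines) now that "batch" has been dropped from the name.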
diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
index c03b2422ff..faca0ca97c 100644
--- a/util/qemu-coroutine.c
+++ b/util/qemu-coroutine.c
@@ -205,12 +205,12 @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)
return co->ctx;
}

-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size)
+void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)
{
qatomic_add(&pool_batch_size, additional_pool_size);
}

-void qemu_coroutine_decrease_pool_batch_size(unsigned int removing_pool_size)
+void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)
{
qatomic_sub(&pool_batch_size, removing_pool_size);
}
--
2.37.0.rc2

0016-coroutine-Revert-to-constant-batch-size.patch (Normal file, 123 lines)
@@ -0,0 +1,123 @@
From f1ea4c55f0e9bb05db980f27b392617ef6615954 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Tue, 10 May 2022 17:10:20 +0200
Subject: [PATCH] coroutine: Revert to constant batch size

Commit 4c41c69e changed the way the coroutine pool is sized because for
virtio-blk devices with a large queue size and heavy I/O, it was just
too small and caused coroutines to be deleted and reallocated soon
afterwards. The change made the size dynamic based on the number of
queues and the queue size of virtio-blk devices.

There are two important numbers here: Slightly simplified, when a
coroutine terminates, it is generally stored in the global release pool
up to a certain pool size, and if the pool is full, it is freed.
Conversely, when allocating a new coroutine, the coroutines in the
release pool are reused if the pool already has reached a certain
minimum size (the batch size), otherwise we allocate new coroutines.

The problem after commit 4c41c69e is that it not only increases the
maximum pool size (which is the intended effect), but also the batch
size for reusing coroutines (which is a bug). It means that in cases
with many devices and/or a large queue size (which defaults to the
number of vcpus for virtio-blk-pci), many thousand coroutines could be
sitting in the release pool without being reused.

This is not only a waste of memory and allocations, but it actually
makes the QEMU process likely to hit the vm.max_map_count limit on Linux
because each coroutine requires two mappings (its stack and the guard
page for the stack), causing it to abort() in qemu_alloc_stack() because
when the limit is hit, mprotect() starts to fail with ENOMEM.

In order to fix the problem, change the batch size back to 64 to avoid
uselessly accumulating coroutines in the release pool, but keep the
dynamic maximum pool size so that coroutines aren't freed too early
in heavy I/O scenarios.

Note that this fix doesn't strictly make it impossible to hit the limit,
but this would only happen if most of the coroutines are actually in use
at the same time, not just sitting in a pool. This is the same behaviour
as we already had before commit 4c41c69e. Fully preventing this would
require allowing qemu_coroutine_create() to return an error, but it
doesn't seem to be a scenario that people hit in practice.

Cc: qemu-stable@nongnu.org
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2079938
Fixes: 4c41c69e05fe28c0f95f8abd2ebf407e95a4f04b
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20220510151020.105528-3-kwolf@redhat.com>
Tested-by: Hiroki Narukawa <hnarukaw@yahoo-corp.jp>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 9ec7a59b5aad4b736871c378d30f5ef5ec51cb52)
---
util/qemu-coroutine.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
index faca0ca97c..804f672e0a 100644
--- a/util/qemu-coroutine.c
+++ b/util/qemu-coroutine.c
@@ -20,14 +20,20 @@
#include "qemu/coroutine_int.h"
#include "block/aio.h"

-/** Initial batch size is 64, and is increased on demand */
+/**
+ * The minimal batch size is always 64, coroutines from the release_pool are
+ * reused as soon as there are 64 coroutines in it. The maximum pool size starts
+ * with 64 and is increased on demand so that coroutines are not deleted even if
+ * they are not immediately reused.
+ */
enum {
- POOL_INITIAL_BATCH_SIZE = 64,
+ POOL_MIN_BATCH_SIZE = 64,
+ POOL_INITIAL_MAX_SIZE = 64,
};

/** Free list to speed up creation */
static QSLIST_HEAD(, Coroutine) release_pool = QSLIST_HEAD_INITIALIZER(pool);
-static unsigned int pool_batch_size = POOL_INITIAL_BATCH_SIZE;
+static unsigned int pool_max_size = POOL_INITIAL_MAX_SIZE;
static unsigned int release_pool_size;
static __thread QSLIST_HEAD(, Coroutine) alloc_pool = QSLIST_HEAD_INITIALIZER(pool);
static __thread unsigned int alloc_pool_size;
@@ -51,7 +57,7 @@ Coroutine *qemu_coroutine_create(CoroutineEntry *entry, void *opaque)
if (CONFIG_COROUTINE_POOL) {
co = QSLIST_FIRST(&alloc_pool);
if (!co) {
- if (release_pool_size > qatomic_read(&pool_batch_size)) {
+ if (release_pool_size > POOL_MIN_BATCH_SIZE) {
/* Slow path; a good place to register the destructor, too. */
if (!coroutine_pool_cleanup_notifier.notify) {
coroutine_pool_cleanup_notifier.notify = coroutine_pool_cleanup;
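Review bot: the new header comment says coroutines from the release pool are reused "as soon as there are 64 coroutines in it", but the condition here is `release_pool_size > POOL_MIN_BATCH_SIZE`, so reuse actually starts at 65; either make the comparison `>=` or reword the comment so the constant and the text agree (the `>` is pre-existing, but the comment describing it is new in this patch).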
@@ -88,12 +94,12 @@ static void coroutine_delete(Coroutine *co)
co->caller = NULL;

if (CONFIG_COROUTINE_POOL) {
- if (release_pool_size < qatomic_read(&pool_batch_size) * 2) {
+ if (release_pool_size < qatomic_read(&pool_max_size) * 2) {
QSLIST_INSERT_HEAD_ATOMIC(&release_pool, co, pool_next);
qatomic_inc(&release_pool_size);
return;
}
- if (alloc_pool_size < qatomic_read(&pool_batch_size)) {
+ if (alloc_pool_size < qatomic_read(&pool_max_size)) {
QSLIST_INSERT_HEAD(&alloc_pool, co, pool_next);
alloc_pool_size++;
return;
@@ -207,10 +213,10 @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)

void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)
{
- qatomic_add(&pool_batch_size, additional_pool_size);
+ qatomic_add(&pool_max_size, additional_pool_size);
}

void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)
{
- qatomic_sub(&pool_batch_size, removing_pool_size);
+ qatomic_sub(&pool_max_size, removing_pool_size);
}
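Review bot: `qatomic_sub` on an unsigned counter wraps around if a caller ever decrements more than it added, which would turn `pool_max_size` into a practically unlimited value and bring back the mapping exhaustion this patch is fixing; the virtio-blk caller passes the same `num_queues * queue_size / 2` expression on realize and unrealize, so it is symmetric today, but a comment documenting that every `inc` must be paired with an equal `dec` (or a debug assertion that `removing_pool_size` does not exceed the current value) would guard against future callers.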
--
2.37.0.rc2

@@ -0,0 +1,70 @@
From: Thomas Huth <thuth@redhat.com>
Date: Thu, 4 Aug 2022 15:13:00 +0200
Subject: [PATCH] hw/usb/hcd-xhci: Fix unbounded loop in
xhci_ring_chain_length() (CVE-2020-14394)

The loop condition in xhci_ring_chain_length() is under control of
the guest, and additionally the code does not check for failed DMA
transfers (e.g. if reaching the end of the RAM), so the loop there
could run for a very long time or even forever. Fix it by checking
the return value of dma_memory_read() and by introducing a maximum
loop length.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646
Message-Id: <20220804131300.96368-1-thuth@redhat.com>
Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
hw/usb/hcd-xhci.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 0cd0a5e540..213d0be6b6 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -21,6 +21,7 @@

#include "qemu/osdep.h"
#include "qemu/timer.h"
+#include "qemu/log.h"
#include "qemu/module.h"
#include "qemu/queue.h"
#include "migration/vmstate.h"
@@ -725,10 +726,14 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
bool control_td_set = 0;
uint32_t link_cnt = 0;

- while (1) {
+ do {
TRBType type;
- dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE,
- MEMTXATTRS_UNSPECIFIED);
+ if (dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE,
+ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
+ __func__);
+ return -1;
+ }
le64_to_cpus(&trb.parameter);
le32_to_cpus(&trb.status);
le32_to_cpus(&trb.control);
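Review bot: `return -1` on a failed `dma_memory_read()` changes the contract of `xhci_ring_chain_length()` from "always returns a TRB count" to "may fail"; this patch only edits the function itself, so every caller needs to be checked to handle a negative result rather than treat it as a length (a caller that loops `len` times or sizes an allocation from it would misbehave). `LOG_GUEST_ERROR` is the right class for the message, since a dequeue pointer outside RAM is guest-programmed.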
@@ -762,7 +767,17 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
if (!control_td_set && !(trb.control & TRB_TR_CH)) {
return length;
}
- }
+
+ /*
+ * According to the xHCI spec, Transfer Ring segments should have
+ * a maximum size of 64 kB (see chapter "6 Data Structures")
+ */
+ } while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE);
+
+ qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring size!\n",
+ __func__);
+
+ return -1;
}

static void xhci_er_reset(XHCIState *xhci, int v)
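Review bot: typo in the new LOG_GUEST_ERROR string, "tranfer" should read "transfer". The xHCI-spec comment describes the `while` condition but sits inside the loop body just above the closing brace, where it reads as a remark on the preceding `if`; moving it above `do {` or next to the TRB_LINK_LIMIT definition would make its purpose clear. The bound itself only works if `length` grows on every pass: if any TRB kind is skipped without incrementing `length` (the loop body is not in this hunk), the loop can still run far longer than TRB_LINK_LIMIT segments, so a plain iteration counter would be a more robust guard.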
@ -0,0 +1,78 @@
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Mon, 6 Sep 2021 17:31:03 +0200
Subject: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt
(CVE-2021-3638)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When building QEMU with DEBUG_ATI defined then running with
'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
we get:

ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
ati_mm_write 4 0x1420 DST_Y <- 0x3fff
ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff
ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000)
Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
(gdb) bt
#0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
#1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
#2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196
#3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843
#4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492

Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
the local dst_x and dst_y which adjust the (x, y) coordinates
depending on the direction in the SRCCOPY ROP3 operation, but
forgot to address the same issue for the PATCOPY, BLACKNESS and
WHITENESS operations, which also call pixman_fill().

Fix that now by using the adjusted coordinates in the pixman_fill
call, and update the related debug printf().

Reported-by: Qiang Liu <qiangliu@zju.edu.cn>
Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20210906153103.1661195-1-philmd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/ati_2d.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
index 4dc10ea795..692bec91de 100644
--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
- s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
+ s->regs.src_x, s->regs.src_y, dst_x, dst_y,
s->regs.dst_width, s->regs.dst_height,
(s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
(s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
dst_stride /= sizeof(uint32_t);
DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
dst_bits, dst_stride, bpp,
- s->regs.dst_x, s->regs.dst_y,
+ dst_x, dst_y,
s->regs.dst_width, s->regs.dst_height,
filler);
pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
- s->regs.dst_x, s->regs.dst_y,
+ dst_x, dst_y,
s->regs.dst_width, s->regs.dst_height,
filler);
if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
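Review bot: the origin passed to pixman_fill() is corrected, but the extent is still unchecked in this hunk: `s->regs.dst_width` and `s->regs.dst_height` (0x3fff each in the trace above) come straight from guest registers, and nothing here bounds `dst_x + dst_width` and `dst_y + dst_height` against the destination surface or `dst_stride`. If that check already exists earlier in ati_2d_blt(), a one-line comment at the call would make it obvious; if not, fixing the reverse-direction coordinates alone does not rule out the fill running past the end of VRAM.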
58
0019-hw-acpi-erst.c-Fix-memory-handling-issues.patch
Normal file
@ -0,0 +1,58 @@
From: "Christian A. Ehrhardt" <lk@c--e.de>
Date: Mon, 24 Oct 2022 17:42:33 +0200
Subject: [PATCH] hw/acpi/erst.c: Fix memory handling issues

- Fix memset argument order: The second argument is
the value, the length goes last.
- Fix an integer overflow reported by Alexander Bulekov.

Both issues allow the guest to overrun the host buffer
allocated for the ERST memory device.

Cc: Eric DeVolder <eric.devolder@oracle.com>
Cc: Alexander Bulekov <alxndr@bu.edu>
Cc: qemu-stable@nongnu.org
Fixes: f7e26ffa590 ("ACPI ERST: support for ACPI ERST feature")
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Message-Id: <20221024154233.1043347-1-lk@c--e.de>
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1268
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Eric DeVolder <eric.devolder@oracle.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/acpi/erst.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/acpi/erst.c b/hw/acpi/erst.c
index de509c2b48..f092ce4d49 100644
--- a/hw/acpi/erst.c
+++ b/hw/acpi/erst.c
@@ -632,7 +632,7 @@ static unsigned read_erst_record(ERSTDeviceState *s)
if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
rc = STATUS_FAILED;
}
- if ((s->record_offset + record_length) > exchange_length) {
+ if (record_length > exchange_length - s->record_offset) {
rc = STATUS_FAILED;
}
/* If all is ok, copy the record to the exchange buffer */
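Review bot: `record_length > exchange_length - s->record_offset` removes the overflow of the old sum, but it is only safe if `s->record_offset <= exchange_length` holds; otherwise the unsigned subtraction wraps to a huge value and the check passes for any record_length. That invariant is not visible in this hunk, so please confirm it is enforced where record_offset is written, or extend the condition to `s->record_offset > exchange_length || record_length > exchange_length - s->record_offset`. Also note that this path only sets `rc = STATUS_FAILED` and falls through to the copy guarded by the "If all is ok" comment, so that guard must actually consult rc.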
@@ -681,7 +681,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
return STATUS_FAILED;
}
- if ((s->record_offset + record_length) > exchange_length) {
+ if (record_length > exchange_length - s->record_offset) {
return STATUS_FAILED;
}

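Review bot: same precondition as in read_erst_record() above: this comparison relies on `s->record_offset` never exceeding `exchange_length`; if the register write path guarantees that, a one-line comment here saves the next reader the same question. Returning STATUS_FAILED immediately, as this path does, is the simpler and safer shape, and the read path would benefit from doing the same instead of setting rc and falling through.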
@@ -713,7 +713,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
if (nvram) {
/* Write the record into the slot */
memcpy(nvram, exchange, record_length);
- memset(nvram + record_length, exchange_length - record_length, 0xFF);
+ memset(nvram + record_length, 0xFF, exchange_length - record_length);
/* If a new record, increment the record_count */
if (!record_found) {
uint32_t record_count;
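Review bot: the corrected memset() is safe by construction now that the previous hunk guarantees `record_length <= exchange_length - s->record_offset`, so `exchange_length - record_length` cannot wrap. The old argument order wrote 0xFF (255) bytes of value `(exchange_length - record_length) & 0xff` regardless of the space left after the record, which is the overrun the commit message describes; a qtest that writes a record of size close to exchange_length and checks the bytes past the slot boundary would lock this fix in.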
438
0020-hw-display-qxl-Avoid-buffer-overrun-qxl_phys2virt.patch
Normal file
@ -0,0 +1,438 @@
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Date: Mon, 28 Nov 2022 21:27:37 +0100
Subject: [PATCH] hw/display/qxl: Have qxl_log_command Return early if no
log_cmd handler
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Only 3 command types are logged: no need to call qxl_phys2virt()
for the other types. Using different cases will help to pass
different structure sizes to qxl_phys2virt() in a pair of commits.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-2-philmd@linaro.org>
---
hw/display/qxl-logger.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c
index 68bfa47568..1bcf803db6 100644
--- a/hw/display/qxl-logger.c
+++ b/hw/display/qxl-logger.c
@@ -247,6 +247,16 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
qxl_name(qxl_type, ext->cmd.type),
compat ? "(compat)" : "");

+ switch (ext->cmd.type) {
+ case QXL_CMD_DRAW:
+ break;
+ case QXL_CMD_SURFACE:
+ break;
+ case QXL_CMD_CURSOR:
+ break;
+ default:
+ goto out;
+ }
data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
if (!data) {
return 1;
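Review bot: `switch (ext->cmd.type)` compares the raw guest-provided field, whereas qxl_track_command() later in this series does `switch (le32_to_cpu(ext->cmd.type))`; on a big-endian host the logger would take the `default: goto out` path for every command and silently log nothing. Converting here the same way keeps the two dispatchers consistent.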
@@ -269,6 +279,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
qxl_log_cmd_cursor(qxl, data, ext->group_id);
break;
}
+out:
fprintf(stderr, "\n");
return 0;
}

From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Date: Mon, 28 Nov 2022 21:27:38 +0100
Subject: [PATCH] hw/display/qxl: Document qxl_phys2virt()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-3-philmd@linaro.org>
---
hw/display/qxl.h | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

diff --git a/hw/display/qxl.h b/hw/display/qxl.h
index e74de9579d..78b3a6c9ba 100644
--- a/hw/display/qxl.h
+++ b/hw/display/qxl.h
@@ -147,6 +147,25 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
#define QXL_DEFAULT_REVISION (QXL_REVISION_STABLE_V12 + 1)

/* qxl.c */
+/**
+ * qxl_phys2virt: Get a pointer within a PCI VRAM memory region.
+ *
+ * @qxl: QXL device
+ * @phys: physical offset of buffer within the VRAM
+ * @group_id: memory slot group
+ *
+ * Returns a host pointer to a buffer placed at offset @phys within the
+ * active slot @group_id of the PCI VGA RAM memory region associated with
+ * the @qxl device. If the slot is inactive, or the offset is out
+ * of the memory region, returns NULL.
+ *
+ * Use with care; by the time this function returns, the returned pointer is
+ * not protected by RCU anymore. If the caller is not within an RCU critical
+ * section and does not hold the iothread lock, it must have other means of
+ * protecting the pointer, such as a reference to the region that includes
+ * the incoming ram_addr_t.
+ *
+ */
void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...)
G_GNUC_PRINTF(2, 3);

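Review bot: stray empty ` *` line immediately before the closing ` */` of the new doc comment; drop it. On content, the comment promises NULL when "the offset is out of the memory region", but at this point in the series the function does not yet check how many bytes the caller will read past that offset, so until the size-checking patch lands the returned pointer is only known to be valid for its first byte; it may be worth saying so here rather than leaving readers to infer it.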
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Date: Mon, 28 Nov 2022 21:27:39 +0100
Subject: [PATCH] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently qxl_phys2virt() doesn't check for buffer overrun.
In order to do so in the next commit, pass the buffer size
as argument.

For QXLCursor in qxl_render_cursor() -> qxl_cursor() we
verify the size of the chunked data ahead, checking we can
access 'sizeof(QXLCursor) + chunk->data_size' bytes.
Since in the SPICE_CURSOR_TYPE_MONO case the cursor is
assumed to fit in one chunk, no changes are required.
In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in
qxl_unpack_chunks().

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-4-philmd@linaro.org>
---
hw/display/qxl-logger.c | 11 ++++++++---
hw/display/qxl-render.c | 20 ++++++++++++++++----
hw/display/qxl.c | 14 +++++++++-----
hw/display/qxl.h | 4 +++-
4 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c
index 1bcf803db6..35c38f6252 100644
--- a/hw/display/qxl-logger.c
+++ b/hw/display/qxl-logger.c
@@ -106,7 +106,7 @@ static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id)
QXLImage *image;
QXLImageDescriptor *desc;

- image = qxl_phys2virt(qxl, addr, group_id);
+ image = qxl_phys2virt(qxl, addr, group_id, sizeof(QXLImage));
if (!image) {
return 1;
}
@@ -214,7 +214,8 @@ int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id)
cmd->u.set.position.y,
cmd->u.set.visible ? "yes" : "no",
cmd->u.set.shape);
- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id);
+ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id,
+ sizeof(QXLCursor));
if (!cursor) {
return 1;
}
@@ -236,6 +237,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
{
bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT;
void *data;
+ size_t datasz;
int ret;

if (!qxl->cmdlog) {
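Review bot: `datasz` is declared without an initialiser and is only assigned inside the switch in the next hunk; the `default` case jumps past the use with `goto out`, so it is never read uninitialised, but -Wmaybe-uninitialized does not always follow that control flow. Declaring it as `size_t datasz = 0;` costs nothing and avoids a spurious warning.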
@@ -249,15 +251,18 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)

switch (ext->cmd.type) {
case QXL_CMD_DRAW:
+ datasz = compat ? sizeof(QXLCompatDrawable) : sizeof(QXLDrawable);
break;
case QXL_CMD_SURFACE:
+ datasz = sizeof(QXLSurfaceCmd);
break;
case QXL_CMD_CURSOR:
+ datasz = sizeof(QXLCursorCmd);
break;
default:
goto out;
}
- data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, datasz);
if (!data) {
return 1;
}
diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index ca217004bf..fcfd40c3ac 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -107,7 +107,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
qxl->guest_primary.resized = 0;
qxl->guest_primary.data = qxl_phys2virt(qxl,
qxl->guest_primary.surface.mem,
- MEMSLOT_GROUP_GUEST);
+ MEMSLOT_GROUP_GUEST,
+ qxl->guest_primary.abs_stride
+ * height);
if (!qxl->guest_primary.data) {
goto end;
}
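Review bot: `qxl->guest_primary.abs_stride * height` is multiplied in the operands' own integer type and only widened to size_t when passed, so a guest-chosen stride and height can wrap before the bounds check ever sees the product; the qxl_dirty_one_surface() hunk below computes the same quantity as `(uint64_t)height * abs(stride)`. Cast here the same way, e.g. `(uint64_t)qxl->guest_primary.abs_stride * height`, so the two sites agree and the request cannot be made artificially small.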
@@ -228,7 +230,8 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
if (offset == size) {
return;
}
- chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
+ chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id,
+ sizeof(QXLDataChunk) + chunk->data_size);
if (!chunk) {
return;
}
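Review bot: the size requested for the next chunk is `sizeof(QXLDataChunk) + chunk->data_size`, but `chunk->data_size` at that point is the *current* chunk's payload length; the next chunk's own data_size is not readable until it has been mapped, so a next chunk larger than the current one is validated against the wrong length. The two-step pattern used for the cursor below (map `sizeof(QXLDataChunk)` first, then re-map with the header plus that chunk's data_size) would check the right length here as well.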
@@ -295,7 +298,8 @@ fail:
/* called from spice server thread context only */
int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
{
- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
+ sizeof(QXLCursorCmd));
QXLCursor *cursor;
QEMUCursor *c;

@@ -314,7 +318,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
}
switch (cmd->type) {
case QXL_CURSOR_SET:
- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id);
+ /* First read the QXLCursor to get QXLDataChunk::data_size ... */
+ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
+ sizeof(QXLCursor));
+ if (!cursor) {
+ return 1;
+ }
+ /* Then read including the chunked data following QXLCursor. */
+ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
+ sizeof(QXLCursor) + cursor->chunk.data_size);
if (!cursor) {
return 1;
}
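Review bot: `cursor->chunk.data_size` is read from guest-shared memory for the size check, and whatever consumes the cursor afterwards (qxl_cursor()/qxl_unpack_chunks(), per the commit message) reads the same field again through the pointer; a guest that changes the value between the two reads passes validation with a small length and then presents a larger one. Copy data_size into a local after the first qxl_phys2virt() and hand that same local downstream instead of re-reading it from the mapped structure.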
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index adbdbcaeb6..c1ab202f98 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -274,7 +274,8 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay)
QXL_IO_MONITORS_CONFIG_ASYNC));
}

- cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST);
+ cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST,
+ sizeof(QXLMonitorsConfig));
if (cfg != NULL && cfg->count == 1) {
qxl->guest_primary.resized = 1;
qxl->guest_head0_width = cfg->heads[0].width;
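Review bot: sizeof(QXLMonitorsConfig) covers only the fixed header; in the SPICE protocol definition `heads` is a flexible array member, so `cfg->heads[0].width` on the last line is read beyond the range that was just validated. Request `sizeof(QXLMonitorsConfig) + sizeof(QXLHead)` here (or map the header first, then re-map with `count * sizeof(QXLHead)` as the cursor path does) so the head that is actually dereferenced lies inside the slot.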
@@ -459,7 +460,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
switch (le32_to_cpu(ext->cmd.type)) {
case QXL_CMD_SURFACE:
{
- QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
+ sizeof(QXLSurfaceCmd));

if (!cmd) {
return 1;
@@ -494,7 +496,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
}
case QXL_CMD_CURSOR:
{
- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
+ sizeof(QXLCursorCmd));

if (!cmd) {
return 1;
@@ -1456,7 +1459,8 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
}

/* can be also called from spice server thread context */
-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
+void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id,
+ size_t size)
{
uint64_t offset;
uint32_t slot;
@@ -1964,7 +1968,7 @@ static void qxl_dirty_surfaces(PCIQXLDevice *qxl)
}

cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i],
- MEMSLOT_GROUP_GUEST);
+ MEMSLOT_GROUP_GUEST, sizeof(QXLSurfaceCmd));
assert(cmd);
assert(cmd->type == QXL_SURFACE_CMD_CREATE);
qxl_dirty_one_surface(qxl, cmd->u.surface_create.data,
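Review bot: `assert(cmd)` follows a qxl_phys2virt() call that, once the next patch lands, returns NULL when the requested size overruns the slot, so a surface command placed near the end of its slot turns into a QEMU abort rather than a guest-bug report. The same size was presumably already validated by qxl_track_command() when the command was recorded; if that is the invariant being relied on, a comment saying so would make it explicit, otherwise qxl_set_guest_bug() plus `continue` is the friendlier failure mode.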
diff --git a/hw/display/qxl.h b/hw/display/qxl.h
index 78b3a6c9ba..bf03138ab4 100644
--- a/hw/display/qxl.h
+++ b/hw/display/qxl.h
@@ -153,6 +153,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
* @qxl: QXL device
* @phys: physical offset of buffer within the VRAM
* @group_id: memory slot group
+ * @size: size of the buffer
*
* Returns a host pointer to a buffer placed at offset @phys within the
* active slot @group_id of the PCI VGA RAM memory region associated with
@@ -166,7 +167,8 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
* the incoming ram_addr_t.
*
*/
-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
+void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id,
+ size_t size);
void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...)
G_GNUC_PRINTF(2, 3);


From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Date: Mon, 28 Nov 2022 21:27:40 +0100
Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt
(CVE-2022-4144)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Have qxl_get_check_slot_offset() return false if the requested
buffer size does not fit within the slot memory region.

Similarly qxl_phys2virt() now returns NULL in such case, and
qxl_dirty_one_surface() aborts.

This avoids buffer overrun in the host pointer returned by
memory_region_get_ram_ptr().

Fixes: CVE-2022-4144 (out-of-bounds read)
Reported-by: Wenxu Yin (@awxylitol)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-5-philmd@linaro.org>
---
hw/display/qxl.c | 27 +++++++++++++++++++++++----
hw/display/qxl.h | 2 +-
2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index c1ab202f98..91c0fe698c 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -1424,11 +1424,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d)

/* can be also called from spice server thread context */
static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
- uint32_t *s, uint64_t *o)
+ uint32_t *s, uint64_t *o,
+ size_t size_requested)
{
uint64_t phys = le64_to_cpu(pqxl);
uint32_t slot = (phys >> (64 - 8)) & 0xff;
uint64_t offset = phys & 0xffffffffffff;
+ uint64_t size_available;

if (slot >= NUM_MEMSLOTS) {
qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot,
@@ -1452,6 +1454,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
slot, offset, qxl->guest_slots[slot].size);
return false;
}
+ size_available = memory_region_size(qxl->guest_slots[slot].mr);
+ if (qxl->guest_slots[slot].offset + offset >= size_available) {
+ qxl_set_guest_bug(qxl,
+ "slot %d offset %"PRIu64" > region size %"PRIu64"\n",
+ slot, qxl->guest_slots[slot].offset + offset,
+ size_available);
+ return false;
+ }
+ size_available -= qxl->guest_slots[slot].offset + offset;
+ if (size_requested > size_available) {
+ qxl_set_guest_bug(qxl,
+ "slot %d offset %"PRIu64" size %zu: "
+ "overrun by %"PRIu64" bytes\n",
+ slot, offset, size_requested,
+ size_requested - size_available);
+ return false;
+ }

*s = slot;
*o = offset;
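Review bot: the first new message says `> region size` while the comparison is `>=`, and both new qxl_set_guest_bug() strings end in `\n` unlike the existing "slot too large %d >= %d" message above, so the output will be double-spaced if the helper appends its own newline. The two messages also print different offsets (`guest_slots[slot].offset + offset` in the first, the raw `offset` in the second), which makes them awkward to correlate in a log; printing the same quantity in both would help. The checks themselves are sound: the `>=` test keeps the subtraction that follows from wrapping, and the `size_requested > size_available` comparison is exact.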
@@ -1471,7 +1490,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id,
offset = le64_to_cpu(pqxl) & 0xffffffffffff;
return (void *)(intptr_t)offset;
case MEMSLOT_GROUP_GUEST:
- if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) {
+ if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) {
return NULL;
}
ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr);
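Review bot: `size` is only consulted on the MEMSLOT_GROUP_GUEST path; the case just above still returns the masked offset cast to a pointer with no length check at all, which is only acceptable if that group can never be selected by guest-controlled input. A short comment at that case stating the assumption would keep a future reader from concluding that every qxl_phys2virt() call is now bounds-checked.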
@@ -1937,9 +1956,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
uint32_t slot;
bool rc;

- rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset);
- assert(rc == true);
size = (uint64_t)height * abs(stride);
+ rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size);
+ assert(rc == true);
trace_qxl_surfaces_dirty(qxl->id, offset, size);
qxl_set_dirty(qxl->guest_slots[slot].mr,
qxl->guest_slots[slot].offset + offset,
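Review bot: `size` is a uint64_t here but the new parameter is `size_t size_requested`, so on a 32-bit host a height * stride product above 4 GiB is truncated before the check, can pass as a small request, and the full `size` is then handed to qxl_set_dirty() below. Making size_requested a uint64_t (or rejecting `size > SIZE_MAX` before the call) keeps the check honest on every host. Moving the size computation ahead of the call is required for the check to see it, so that reordering is correct.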
diff --git a/hw/display/qxl.h b/hw/display/qxl.h
index bf03138ab4..7894bd5134 100644
--- a/hw/display/qxl.h
+++ b/hw/display/qxl.h
@@ -157,7 +157,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
*
* Returns a host pointer to a buffer placed at offset @phys within the
* active slot @group_id of the PCI VGA RAM memory region associated with
- * the @qxl device. If the slot is inactive, or the offset is out
+ * the @qxl device. If the slot is inactive, or the offset + size are out
* of the memory region, returns NULL.
*
* Use with care; by the time this function returns, the returned pointer is

From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Date: Mon, 28 Nov 2022 21:27:41 +0100
Subject: [PATCH] hw/display/qxl: Assert memory slot fits in preallocated
MemoryRegion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-6-philmd@linaro.org>
---
hw/display/qxl.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 91c0fe698c..8fe4e6b8cd 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -1384,6 +1384,7 @@ static int qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta,
qxl_set_guest_bug(d, "%s: pci_region = %d", __func__, pci_region);
return 1;
}
+ assert(guest_end - pci_start <= memory_region_size(mr));

virt_start = (intptr_t)memory_region_get_ram_ptr(mr);
memslot.slot_id = slot_id;
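Review bot: `guest_end` and `pci_start` derive from the memslot the guest programs, so this assert is reachable from the guest unless the checks earlier in qxl_add_memslot() already guarantee `guest_end - pci_start <= memory_region_size(mr)`. The line just above handles a bad `pci_region` with qxl_set_guest_bug() and `return 1`; the same treatment is the safer default here, and if the assertion is intended purely as an unreachable invariant, a comment saying which earlier check establishes it would justify the abort.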
@ -0,0 +1,81 @@
From ea3de64a58f5f157a75280bcddf884c5bda391be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 23 Sep 2022 12:04:13 +0100
Subject: [PATCH 21/21] linux-user: use 'max' instead of 'qemu32' / 'qemu64' by
default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The 'qemu64' CPU model implements the least featureful x86_64 CPU that's
possible. Historically this hasn't been an issue since it was rare for
OS distros to build with a higher mandatory CPU baseline.

With RHEL-9, however, the entire distro is built for the x86_64-v2 ABI
baseline:

https://developers.redhat.com/blog/2021/01/05/building-red-hat-enterprise-linux-9-for-the-x86-64-v2-microarchitecture-level

It is likely that other distros may take similar steps in the not too
distant future. For example, it has been suggested for Fedora on a
number of occasions.

This new baseline is not compatible with the qemu64 CPU model though.
While it is possible to pass a '-cpu xxx' flag to qemu-x86_64, the
usage of QEMU doesn't always allow for this. For example, the args
are typically controlled via binfmt rules that the user has no ability
to change. This impacts users who are trying to use podman on aarch64
platforms, to run containers with x86_64 content. There's no arg to
podman that can be used to change the qemu-x86_64 args, and a non-root
user of podman can not change binfmt rules without elevating privileges:

https://github.com/containers/podman/issues/15456#issuecomment-1228210973

Changing to the 'max' CPU model gives 'qemu-x86_64' maximum
compatibility with binaries it is likely to encounter in the wild,
and not likely to have a significant downside for existing usage.

Most other architectures already use an 'any' CPU model, which is
often mapped to 'max' (or similar) already, rather than the oldest
possible CPU model.

For the sake of consistency the 'i386' architecture is also changed
from using 'qemu32' to 'max'.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220923110413.70593-1-berrange@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
linux-user/i386/target_elf.h | 2 +-
linux-user/x86_64/target_elf.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux-user/i386/target_elf.h b/linux-user/i386/target_elf.h
index 1c6142e..238a9ab 100644
--- a/linux-user/i386/target_elf.h
+++ b/linux-user/i386/target_elf.h
@@ -9,6 +9,6 @@
#define I386_TARGET_ELF_H
static inline const char *cpu_get_model(uint32_t eflags)
{
- return "qemu32";
+ return "max";
}
#endif
|
||||||
|
diff --git a/linux-user/x86_64/target_elf.h b/linux-user/x86_64/target_elf.h
|
||||||
|
index 7b76a90..3f628f8 100644
|
||||||
|
--- a/linux-user/x86_64/target_elf.h
|
||||||
|
+++ b/linux-user/x86_64/target_elf.h
|
||||||
|
@@ -9,6 +9,6 @@
|
||||||
|
#define X86_64_TARGET_ELF_H
|
||||||
|
static inline const char *cpu_get_model(uint32_t eflags)
|
||||||
|
{
|
||||||
|
- return "qemu64";
|
||||||
|
+ return "max";
|
||||||
|
}
|
||||||
|
#endif
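Review bot: switching the default from "qemu64" to "max" changes the CPUID feature set advertised to every emulated binary, and the message only argues the compatibility upside; it should also state that the old behaviour remains selectable (the linux-user binaries accept `-cpu` and the `QEMU_CPU` environment variable) and that the features reported under "max" are the ones the TCG backend implements, so a binary that picks a code path by CPUID now exercises the emulator's implementation of those instructions rather than being refused at startup. Both points matter to anyone using qemu-x86_64 as a sandbox for untrusted binaries, since the reachable instruction surface grows.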
|
||||||
|
--
|
||||||
|
2.39.0
|
||||||
|
|
99
0022-block-move-bdrv_qiov_is_aligned-to-file-posix.patch
Normal file
@ -0,0 +1,99 @@
|
|||||||
|
From 2b30e95684fec72e1c2db9dd350cb6967181b825 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Keith Busch <kbusch@kernel.org>
|
||||||
|
Date: Thu, 29 Sep 2022 13:05:22 -0700
|
||||||
|
Subject: [PATCH] block: move bdrv_qiov_is_aligned to file-posix
|
||||||
|
|
||||||
|
There is only user of bdrv_qiov_is_aligned(), so move the alignment
|
||||||
|
function to there and make it static.
|
||||||
|
|
||||||
|
Signed-off-by: Keith Busch <kbusch@kernel.org>
|
||||||
|
Message-Id: <20220929200523.3218710-2-kbusch@meta.com>
|
||||||
|
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
(cherry picked from commit a7c5f67a78569f8c275ea4ea9962e9c79b9d03cb)
|
||||||
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
---
|
||||||
|
block/file-posix.c | 21 +++++++++++++++++++++
|
||||||
|
block/io.c | 21 ---------------------
|
||||||
|
include/block/block-io.h | 1 -
|
||||||
|
3 files changed, 21 insertions(+), 22 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/block/file-posix.c b/block/file-posix.c
|
||||||
|
index 39a3d6d..0185b4e 100644
|
||||||
|
--- a/block/file-posix.c
|
||||||
|
+++ b/block/file-posix.c
|
||||||
|
@@ -2047,6 +2047,27 @@ static int coroutine_fn raw_thread_pool_submit(BlockDriverState *bs,
|
||||||
|
return thread_pool_submit_co(pool, func, arg);
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Check if all memory in this vector is sector aligned.
|
||||||
|
+ */
|
||||||
|
+static bool bdrv_qiov_is_aligned(BlockDriverState *bs, QEMUIOVector *qiov)
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+ size_t alignment = bdrv_min_mem_align(bs);
|
||||||
|
+ IO_CODE();
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < qiov->niov; i++) {
|
||||||
|
+ if ((uintptr_t) qiov->iov[i].iov_base % alignment) {
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+ if (qiov->iov[i].iov_len % alignment) {
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return true;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int coroutine_fn raw_co_prw(BlockDriverState *bs, uint64_t offset,
|
||||||
|
uint64_t bytes, QEMUIOVector *qiov, int type)
|
||||||
|
{
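Review bot: the comment "Check if all memory in this vector is sector aligned" is carried over unchanged but does not describe the check, which compares both `iov_base` and `iov_len` against `bdrv_min_mem_align(bs)`, a memory alignment rather than a sector size; since the function is being moved anyway, updating the comment (and ideally the name, which keeps a `bdrv_` prefix on a now-static file-posix helper) would avoid the confusion that the follow-up "use the request length for iov alignment" patch then has to untangle.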
|
||||||
|
diff --git a/block/io.c b/block/io.c
|
||||||
|
index 3280144..e44fc43 100644
|
||||||
|
--- a/block/io.c
|
||||||
|
+++ b/block/io.c
|
||||||
|
@@ -3296,27 +3296,6 @@ void *qemu_try_blockalign0(BlockDriverState *bs, size_t size)
|
||||||
|
return mem;
|
||||||
|
}
|
||||||
|
|
||||||
|
-/*
|
||||||
|
- * Check if all memory in this vector is sector aligned.
|
||||||
|
- */
|
||||||
|
-bool bdrv_qiov_is_aligned(BlockDriverState *bs, QEMUIOVector *qiov)
|
||||||
|
-{
|
||||||
|
- int i;
|
||||||
|
- size_t alignment = bdrv_min_mem_align(bs);
|
||||||
|
- IO_CODE();
|
||||||
|
-
|
||||||
|
- for (i = 0; i < qiov->niov; i++) {
|
||||||
|
- if ((uintptr_t) qiov->iov[i].iov_base % alignment) {
|
||||||
|
- return false;
|
||||||
|
- }
|
||||||
|
- if (qiov->iov[i].iov_len % alignment) {
|
||||||
|
- return false;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- return true;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
void bdrv_io_plug(BlockDriverState *bs)
|
||||||
|
{
|
||||||
|
BdrvChild *child;
|
||||||
|
diff --git a/include/block/block-io.h b/include/block/block-io.h
|
||||||
|
index 5e3f346..80810e1 100644
|
||||||
|
--- a/include/block/block-io.h
|
||||||
|
+++ b/include/block/block-io.h
|
||||||
|
@@ -141,7 +141,6 @@ void *qemu_blockalign(BlockDriverState *bs, size_t size);
|
||||||
|
void *qemu_blockalign0(BlockDriverState *bs, size_t size);
|
||||||
|
void *qemu_try_blockalign(BlockDriverState *bs, size_t size);
|
||||||
|
void *qemu_try_blockalign0(BlockDriverState *bs, size_t size);
|
||||||
|
-bool bdrv_qiov_is_aligned(BlockDriverState *bs, QEMUIOVector *qiov);
|
||||||
|
|
||||||
|
void bdrv_enable_copy_on_read(BlockDriverState *bs);
|
||||||
|
void bdrv_disable_copy_on_read(BlockDriverState *bs);
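Review bot: removing the public declaration makes the commit message's "only user" claim the thing to verify in review (a `git grep bdrv_qiov_is_aligned` should show no caller outside block/file-posix.c); it is worth saying explicitly in the message that the symbol leaves the block-io API so out-of-tree block drivers are not surprised.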
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
42
0023-block-use-the-request-length-for-iov-alignment.patch
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
From cd316ab11b01b3470148612e6df9891faf1fb311 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Keith Busch <kbusch@kernel.org>
|
||||||
|
Date: Thu, 29 Sep 2022 13:05:23 -0700
|
||||||
|
Subject: [PATCH] block: use the request length for iov alignment
|
||||||
|
|
||||||
|
An iov length needs to be aligned to the logical block size, which may
|
||||||
|
be larger than the memory alignment.
|
||||||
|
|
||||||
|
Tested-by: Jens Axboe <axboe@kernel.dk>
|
||||||
|
Signed-off-by: Keith Busch <kbusch@kernel.org>
|
||||||
|
Message-Id: <20220929200523.3218710-3-kbusch@meta.com>
|
||||||
|
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
(cherry picked from commit 25474d90aa50bd32e0de395a33d8de42dd6f2aef)
|
||||||
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
---
|
||||||
|
block/file-posix.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/block/file-posix.c b/block/file-posix.c
|
||||||
|
index 0185b4e..6818b0e 100644
|
||||||
|
--- a/block/file-posix.c
|
||||||
|
+++ b/block/file-posix.c
|
||||||
|
@@ -2054,13 +2054,14 @@ static bool bdrv_qiov_is_aligned(BlockDriverState *bs, QEMUIOVector *qiov)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
size_t alignment = bdrv_min_mem_align(bs);
|
||||||
|
+ size_t len = bs->bl.request_alignment;
|
||||||
|
IO_CODE();
|
||||||
|
|
||||||
|
for (i = 0; i < qiov->niov; i++) {
|
||||||
|
if ((uintptr_t) qiov->iov[i].iov_base % alignment) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
- if (qiov->iov[i].iov_len % alignment) {
|
||||||
|
+ if (qiov->iov[i].iov_len % len) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
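Review bot: `len` is a misleading name for `bs->bl.request_alignment`, since the variable is an alignment that `iov_len` is tested against, not a length; `request_alignment` or `len_align` would read better next to the existing `alignment`. The modulo also now depends on `request_alignment` never being zero; if the block layer guarantees a minimum of 1 here, a short comment saying so saves the next reader from checking. With memory alignment and request alignment now distinct, a buffer whose length is a multiple of the memory alignment but not of the logical block size is reported as unaligned, which is the behaviour the message describes; stating that consequence in the message would help.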
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
129
0024-qga-win32-local-privilege-escalation.patch
Normal file
@ -0,0 +1,129 @@
|
|||||||
|
From f45ee21bebeda4fc1fdd2c359a8a5bfeb1fd4459 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Konstantin Kostiuk <kkostiuk@redhat.com>
|
||||||
|
Date: Fri, 3 Mar 2023 21:20:07 +0200
|
||||||
|
Subject: [PATCH] qga/win32: Remove change action from MSI installer
|
||||||
|
|
||||||
|
Remove the 'change' button from "Programs and Features" because it does
|
||||||
|
not checks if a user is an admin or not. The installer has no components
|
||||||
|
to choose from and always installs everything. So the 'change' button is
|
||||||
|
not obviously needed but can create a security issue.
|
||||||
|
|
||||||
|
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
|
||||||
|
fixes: CVE-2023-0664 (part 1 of 2)
|
||||||
|
|
||||||
|
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
|
||||||
|
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
|
||||||
|
Reported-by: Brian Wiltse <brian.wiltse@live.com>
|
||||||
|
---
|
||||||
|
qga/installer/qemu-ga.wxs | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
|
||||||
|
index 0950e8c6be..b62e709a4c 100644
|
||||||
|
--- a/qga/installer/qemu-ga.wxs
|
||||||
|
+++ b/qga/installer/qemu-ga.wxs
|
||||||
|
@@ -58,6 +58,7 @@
|
||||||
|
/>
|
||||||
|
<Media Id="1" Cabinet="qemu_ga.$(env.QEMU_GA_VERSION).cab" EmbedCab="yes" />
|
||||||
|
<Property Id="WHSLogo">1</Property>
|
||||||
|
+ <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
|
||||||
|
<MajorUpgrade
|
||||||
|
DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
|
||||||
|
/>
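Review bot: `ARPNOMODIFY` only hides the Change button in "Programs and Features"; it does not stop Repair or a maintenance-mode `msiexec` run from re-executing the same deferred custom actions, so this hunk alone does not close the path that the second part of the fix (replacing the `cmd.exe` custom action) addresses, and the message should make clear the two patches are a pair. Two smaller points: Windows Installer treats any non-empty value of `ARPNOMODIFY` as set, so "1" is the conventional value rather than "yes", and `Secure="yes"` is only needed for public properties that must survive the handoff from the user-side to the elevated server-side when supplied on the command line; for a value fixed inside the package it can probably be dropped.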
|
||||||
|
|
||||||
|
From 020caf0b49dbfef8bc9ec7f02c93c3d5097bb932 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Konstantin Kostiuk <kkostiuk@redhat.com>
|
||||||
|
Date: Fri, 3 Mar 2023 21:20:08 +0200
|
||||||
|
Subject: [PATCH] qga/win32: Use rundll for VSS installation
|
||||||
|
|
||||||
|
The custom action uses cmd.exe to run VSS Service installation
|
||||||
|
and removal which causes an interactive command shell to spawn.
|
||||||
|
This shell can be used to execute any commands as a SYSTEM user.
|
||||||
|
Even if call qemu-ga.exe directly the interactive command shell
|
||||||
|
will be spawned as qemu-ga.exe is a console application and used
|
||||||
|
by users from the console as well as a service.
|
||||||
|
|
||||||
|
As VSS Service runs from DLL which contains the installer and
|
||||||
|
uninstaller code, it can be run directly by rundll32.exe without
|
||||||
|
any interactive command shell.
|
||||||
|
|
||||||
|
Add specific entry points for rundll which is just a wrapper
|
||||||
|
for COMRegister/COMUnregister functions with proper arguments.
|
||||||
|
|
||||||
|
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
|
||||||
|
fixes: CVE-2023-0664 (part 2 of 2)
|
||||||
|
|
||||||
|
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
|
||||||
|
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
|
||||||
|
Reported-by: Brian Wiltse <brian.wiltse@live.com>
|
||||||
|
---
|
||||||
|
qga/installer/qemu-ga.wxs | 10 +++++-----
|
||||||
|
qga/vss-win32/install.cpp | 9 +++++++++
|
||||||
|
qga/vss-win32/qga-vss.def | 2 ++
|
||||||
|
3 files changed, 16 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
|
||||||
|
index b62e709a4c..11b66a22e6 100644
|
||||||
|
--- a/qga/installer/qemu-ga.wxs
|
||||||
|
+++ b/qga/installer/qemu-ga.wxs
|
||||||
|
@@ -143,22 +143,22 @@
|
||||||
|
</Directory>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
- <Property Id="cmd" Value="cmd.exe"/>
|
||||||
|
+ <Property Id="rundll" Value="rundll32.exe"/>
|
||||||
|
<Property Id="REINSTALLMODE" Value="amus"/>
|
||||||
|
|
||||||
|
<?ifdef var.InstallVss?>
|
||||||
|
<CustomAction Id="RegisterCom"
|
||||||
|
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
|
||||||
|
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
|
||||||
|
Execute="deferred"
|
||||||
|
- Property="cmd"
|
||||||
|
+ Property="rundll"
|
||||||
|
Impersonate="no"
|
||||||
|
Return="check"
|
||||||
|
>
|
||||||
|
</CustomAction>
|
||||||
|
<CustomAction Id="UnRegisterCom"
|
||||||
|
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-uninstall'
|
||||||
|
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMUnregister'
|
||||||
|
Execute="deferred"
|
||||||
|
- Property="cmd"
|
||||||
|
+ Property="rundll"
|
||||||
|
Impersonate="no"
|
||||||
|
Return="check"
|
||||||
|
>
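Review bot: the new `rundll` property holds the bare name `rundll32.exe`, so a custom action running with `Impersonate="no"` (as SYSTEM) resolves the executable through a path search; `[SystemFolder]rundll32.exe` pins it to the Windows system directory, which is the usual hardening for elevated custom actions and costs nothing here. Also worth noting in the message that `Return="check"` now fails the install only when `rundll32.exe` itself exits non-zero, which depends entirely on how the new `DLLCOMRegister`/`DLLCOMUnregister` entry points report errors.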
|
||||||
|
diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
|
||||||
|
index b57508fbe0..68662a6dfc 100644
|
||||||
|
--- a/qga/vss-win32/install.cpp
|
||||||
|
+++ b/qga/vss-win32/install.cpp
|
||||||
|
@@ -357,6 +357,15 @@ out:
|
||||||
|
return hr;
|
||||||
|
}
|
||||||
|
|
||||||
|
+STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
|
||||||
|
+{
|
||||||
|
+ COMRegister();
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
|
||||||
|
+{
|
||||||
|
+ COMUnregister();
|
||||||
|
+}
|
||||||
|
|
||||||
|
static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
|
||||||
|
{
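Review bot: `DLLCOMRegister` and `DLLCOMUnregister` discard the `HRESULT` from `COMRegister()`/`COMUnregister()` (the `return hr;` context line shows the surrounding registration code reports failures that way), so the `Return="check"` on the custom actions in qemu-ga.wxs can no longer fail the installation when provider registration fails; rundll32 reports success as long as the entry point returns. Consider at least logging the failure, or calling `ExitProcess` with a non-zero code on `FAILED(hr)`, so a half-installed VSS provider is noticed rather than silently ignored. The `(HWND, HINSTANCE, LPSTR, int)` signature matches what rundll32 expects, which is good; a brief comment that the parameters are unused by design would help.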
|
||||||
|
diff --git a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def
|
||||||
|
index 927782c31b..ee97a81427 100644
|
||||||
|
--- a/qga/vss-win32/qga-vss.def
|
||||||
|
+++ b/qga/vss-win32/qga-vss.def
|
||||||
|
@@ -1,6 +1,8 @@
|
||||||
|
LIBRARY "QGA-PROVIDER.DLL"
|
||||||
|
|
||||||
|
EXPORTS
|
||||||
|
+ DLLCOMRegister
|
||||||
|
+ DLLCOMUnregister
|
||||||
|
COMRegister PRIVATE
|
||||||
|
COMUnregister PRIVATE
|
||||||
|
DllCanUnloadNow PRIVATE
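Review bot: exporting `DLLCOMRegister`/`DLLCOMUnregister` while `COMRegister`/`COMUnregister` stay `PRIVATE` is the right split, but the `.def` declares `LIBRARY "QGA-PROVIDER.DLL"` whereas the installer now invokes `[qemu_ga_directory]qga-vss.dll`; if the two names are intentional (module name versus file name), a comment here would stop a reader from assuming the wrong DLL is being registered.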
|
39
README.tests
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
qemu-kvm-tests README
|
||||||
|
=====================
|
||||||
|
|
||||||
|
The qemu-kvm-tests rpm contains tests that can be used to verify the
|
||||||
|
functionality of the installed qemu-kvm package
|
||||||
|
|
||||||
|
When installed, the files from this rpm will be arranged in the following
|
||||||
|
directory structure
|
||||||
|
|
||||||
|
tests-src/
|
||||||
|
├── README
|
||||||
|
├── scripts
|
||||||
|
│ ├── qemu.py
|
||||||
|
│ └── qmp
|
||||||
|
└── tests
|
||||||
|
├── acceptance
|
||||||
|
├── Makefile.include
|
||||||
|
└── qemu-iotests
|
||||||
|
|
||||||
|
The tests/ directory within the tests-src/ directory is setup to remain a copy
|
||||||
|
of a subset of the tests/ directory from the QEMU source tree
|
||||||
|
|
||||||
|
The avocado_qemu tests and qemu-iotests, along with files required for the
|
||||||
|
execution of the avocado_qemu tests (scripts/qemu.py and scripts/qmp/) will be
|
||||||
|
installed in a new location - /usr/lib64/qemu-kvm/tests-src/
|
||||||
|
|
||||||
|
avocado_qemu tests:
|
||||||
|
The avocado_qemu tests can be executed by running the following avocado command:
|
||||||
|
avocado run -p qemu_bin=/usr/libexec/qemu-kvm /usr/lib64/qemu-kvm/tests/acceptance/
|
||||||
|
Avocado needs to be installed separately using either pip or from source as
|
||||||
|
Avocado is not being packaged for RHEL-8.
|
||||||
|
|
||||||
|
qemu-iotests:
|
||||||
|
symlinks to corresponding binaries need to be created for QEMU_PROG,
|
||||||
|
QEMU_IO_PROG, QEMU_IMG_PROG, and QEMU_NBD_PROG before the iotests can be
|
||||||
|
executed.
|
||||||
|
|
||||||
|
The primary purpose of this package is to make these tests available to be
|
||||||
|
executed as gating tests for the virt module in the RHEL-8 OSCI environment.
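Review bot: the README says the files are installed under /usr/lib64/qemu-kvm/tests-src/ but the example avocado command points at /usr/lib64/qemu-kvm/tests/acceptance/, one level above the tree it just described, so one of the two paths needs correcting. Minor wording: "is setup to remain" should be "is set up to remain", and several sentences are missing their final period.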
|
6
gating.yaml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
--- !Policy
|
||||||
|
product_versions:
|
||||||
|
- fedora-*
|
||||||
|
decision_context: bodhi_update_push_stable
|
||||||
|
rules:
|
||||||
|
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
|
19
kvm-s390x.conf
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
# User changes in this file are preserved across upgrades.
|
||||||
|
#
|
||||||
|
# Setting "modprobe kvm nested=1" only enables Nested Virtualization until
|
||||||
|
# the next reboot or module reload. Uncomment the option below to enable
|
||||||
|
# the feature permanently.
|
||||||
|
#
|
||||||
|
#options kvm nested=1
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Setting "modprobe kvm hpage=1" only enables Huge Page Backing (1MB)
|
||||||
|
# support until the next reboot or module reload. Uncomment the option
|
||||||
|
# below to enable the feature permanently.
|
||||||
|
#
|
||||||
|
# Note: - Incompatible with "nested=1". Loading the module will fail.
|
||||||
|
# - Dirty page logging will be performed on a 1MB (not 4KB) basis,
|
||||||
|
# which can result in a lot of data having to be transferred during
|
||||||
|
# migration, and therefore taking very long to converge.
|
||||||
|
#
|
||||||
|
#options kvm hpage=1
|
12
kvm-x86.conf
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
# Setting modprobe kvm_intel/kvm_amd nested = 1
|
||||||
|
# only enables Nested Virtualization until the next reboot or
|
||||||
|
# module reload. Uncomment the option applicable
|
||||||
|
# to your system below to enable the feature permanently.
|
||||||
|
#
|
||||||
|
# User changes in this file are preserved across upgrades.
|
||||||
|
#
|
||||||
|
# For Intel
|
||||||
|
#options kvm_intel nested=1
|
||||||
|
#
|
||||||
|
# For AMD
|
||||||
|
#options kvm_amd nested=1
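Review bot: the first comment line writes `nested = 1` with spaces while the option lines use `nested=1`; since modprobe.d syntax is `options <module> <name>=<value>` and users copy from comments, spell it the same way (`modprobe kvm_intel nested=1`), as the kvm-s390x.conf file in this same change already does.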
|
@ -1,11 +0,0 @@
|
|||||||
###
|
|
||||||
### This configuration file was provided by the qemu package.
|
|
||||||
### Feel free to update as needed.
|
|
||||||
###
|
|
||||||
|
|
||||||
###
|
|
||||||
### Set these options to enable nested virtualization
|
|
||||||
###
|
|
||||||
|
|
||||||
#options kvm_intel nested=1
|
|
||||||
#options kvm_amd nested=1
|
|
3
kvm.conf
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
#
|
||||||
|
# User changes in this file are preserved across upgrades.
|
||||||
|
#
|
8
plans/main.fmf
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
# toplevel plan boilerplate
|
||||||
|
summary: qemu tests
|
||||||
|
description:
|
||||||
|
Test qemu
|
||||||
|
discover:
|
||||||
|
how: fmf
|
||||||
|
execute:
|
||||||
|
how: tmt
|
10
qemu-kvm.sh
@ -1,10 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
# Libvirt introspects the binary using -M none. In that case, don't try
|
|
||||||
# to init KVM, which will fail and be noisy if the host has kvm disabled
|
|
||||||
opts="-machine accel=kvm"
|
|
||||||
if echo "$@" | grep -q " -M none "; then
|
|
||||||
opts=
|
|
||||||
fi
|
|
||||||
|
|
||||||
exec /usr/bin/qemu-system-x86_64 $opts "$@"
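Review bot: deleting this wrapper removes the `-machine accel=kvm` default it injected for every invocation except `-M none`; anything that invoked the script by its installed name now falls back to whatever accelerator qemu-system-x86_64 picks by default unless a replacement is installed, and this commit does not show one. If a replacement exists, say so in the message; if not, this is a behaviour change that deserves a callout.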
|
|
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (qemu-5.2.0-rc4.tar.xz) = 47e918392609c34f904962e5759125485407ae52c273053729054300e10fc67fc7ed443c9af25d1d852a5f5c70eee125c703ce15d0e571068848f405de33db3b
|
SHA512 (qemu-7.0.0.tar.xz) = 44ecd10c018a3763e1bc87d1d35b98890d0d5636acd69fe9b5cadf5024d5af6a31684d60cbe1c3370e02986434c1fb0ad99224e0e6f6fe7eda169992508157b1
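Review bot: the `sources` entry moves from qemu-5.2.0-rc4 to qemu-7.0.0, and this SHA512 line is what the build trusts for the tarball; please confirm in the message that it was checked against upstream's signed release checksum rather than computed from a downloaded copy.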
|
||||||
|
20
tests/main.fmf
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
# This is 'tmt' config format
|
||||||
|
# https://tmt.readthedocs.io/en/stable/spec.html
|
||||||
|
|
||||||
|
summary: Runtime test qemu
|
||||||
|
|
||||||
|
require:
|
||||||
|
- qemu
|
||||||
|
- qemu-sanity-check
|
||||||
|
|
||||||
|
/smoke:
|
||||||
|
# Make sure -help doesn't fail
|
||||||
|
test: |
|
||||||
|
set -eux
|
||||||
|
qemu-system-x86_64 -help
|
||||||
|
qemu-img -help
|
||||||
|
|
||||||
|
/qemu-sanity-check:
|
||||||
|
test: |
|
||||||
|
set -eux
|
||||||
|
qemu-sanity-check -v
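Review bot: `require:` lists `qemu` and `qemu-sanity-check`, but the smoke test exercises `qemu-system-x86_64` and `qemu-img` specifically; requiring the subpackage that provides `qemu-system-x86_64` explicitly would keep the test deterministic instead of depending on what the `qemu` metapackage pulls in.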
|
3
vhost.conf
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
# Increase default vhost memory map limit to match
|
||||||
|
# KVM's memory slot limit
|
||||||
|
options vhost max_mem_regions=509
|