packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!836 QEMU update to version 6.2.0-83(master)

Browse Source 
From: @JiaboFeng 
Reviewed-by: @aven6 
Signed-off-by: @aven6
This commit is contained in:
openeuler-ci-bot 2023-10-30 13:10:07 +00:00 committed by Gitee
commit 24ecabf224
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
35 changed files with 1785 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
aio-posix-zero-out-io_uring-sqe-user_data.patch Normal file
View File

@ -0,0 +1,44 @@
From c670a3038a0b7dffda79672a63c84609459218c6 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Tue, 12 Sep 2023 10:22:09 +0800
Subject: [PATCH] aio-posix: zero out io_uring sqe user_data
cheery-pick from 87ec6f55af38e29be5b2b65a8acf84da73e06d06
liburing does not clear sqe->user_data. We must do it ourselves to avoid
undefined behavior in process_cqe() when user_data is used.
Note that fdmon-io_uring is currently disabled, so this is a latent bug
that does not affect users. Let's merge this fix now to make it easier
to enable fdmon-io_uring in the future (and I'm working on that).
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-ID: <20230426212639.82310-1-stefanha@redhat.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
util/fdmon-io_uring.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/util/fdmon-io_uring.c b/util/fdmon-io_uring.c
index ab43052dd7..35165bcb46 100644
--- a/util/fdmon-io_uring.c
+++ b/util/fdmon-io_uring.c
@@ -184,6 +184,7 @@ static void add_poll_remove_sqe(AioContext *ctx, AioHandler *node)
#else
io_uring_prep_poll_remove(sqe, node);
#endif
+ io_uring_sqe_set_data(sqe, NULL);
}
/* Add a timeout that self-cancels when another cqe becomes ready */
@@ -197,6 +198,7 @@ static void add_timeout_sqe(AioContext *ctx, int64_t ns)
sqe = get_sqe(ctx);
io_uring_prep_timeout(sqe, &ts, 1, 0);
+ io_uring_sqe_set_data(sqe, NULL);
}
/* Add sqes from ctx->submit_list for submission */
--
2.41.0.windows.1

36
crypto-remove-shadowed-ret-variable.patch Normal file
View File

@ -0,0 +1,36 @@
From b055bedb3fba592ab7e73615faf29854a18b0abc Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Tue, 10 Oct 2023 15:24:35 +0800
Subject: [PATCH] crypto: remove shadowed 'ret' variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 3cc9fe177f412494f084923149338c51dd232b9b
Both instances of 'ret' are used to store a gnutls API return code.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20230922160644.438631-2-berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
crypto/tls-cipher-suites.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/crypto/tls-cipher-suites.c b/crypto/tls-cipher-suites.c
index 5e4f597464..d0df4badc0 100644
--- a/crypto/tls-cipher-suites.c
+++ b/crypto/tls-cipher-suites.c
@@ -52,7 +52,6 @@ GByteArray *qcrypto_tls_cipher_suites_get_data(QCryptoTLSCipherSuites *obj,
byte_array = g_byte_array_new();
for (i = 0;; i++) {
- int ret;
unsigned idx;
const char *name;
IANA_TLS_CIPHER cipher;
--
2.41.0.windows.1

37
disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch Normal file
View File

@ -0,0 +1,37 @@
From 80fd3d8f92b8a2c3b640d1dfa436da8331b37b01 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Mon, 16 Oct 2023 09:47:25 +0800
Subject: [PATCH] disas/riscv: Fix the typo of inverted order of pmpaddr13 and
pmpaddr14
cheery-pick from cffa9954908830276c93b430681f66cc0e599aef
Fix the inverted order of pmpaddr13 and pmpaddr14 in csr_name().
Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20230907084500.328-1-alvinga@andestech.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
disas/riscv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/disas/riscv.c b/disas/riscv.c
index 6768ec8188..ad7b978815 100644
--- a/disas/riscv.c
+++ b/disas/riscv.c
@@ -1307,8 +1307,8 @@ static const char *csr_name(int csrno)
case 0x03ba: return "pmpaddr10";
case 0x03bb: return "pmpaddr11";
case 0x03bc: return "pmpaddr12";
- case 0x03bd: return "pmpaddr14";
- case 0x03be: return "pmpaddr13";
+ case 0x03bd: return "pmpaddr13";
+ case 0x03be: return "pmpaddr14";
case 0x03bf: return "pmpaddr15";
case 0x0780: return "mtohost";
case 0x0781: return "mfromhost";
--
2.41.0.windows.1

47
hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch Normal file
View File

@ -0,0 +1,47 @@
From a1ecbf056603b4fabf8b5ab8a79f70a27fef06ee Mon Sep 17 00:00:00 2001
From: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
Date: Sun, 24 Sep 2023 19:39:33 +0800
Subject: [PATCH] hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs
number
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When passing --smp with a number lower than XLNX_ZYNQMP_NUM_APU_CPUS,
the expression (ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS) will result
in a positive number as ms->smp.cpus is a unsigned int.
This will raise the following error afterwards, as Qemu will try to
instantiate some additional RPUs.
| $ qemu-system-aarch64 --smp 1 -M xlnx-zcu102
| **
| ERROR:../src/tcg/tcg.c:777:tcg_register_thread:
| assertion failed: (n < tcg_max_ctxs)
cheery-pick from c9ba1c9f02cfede5329f504cdda6fd3a256e0434
Signed-off-by: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
Signed-off-by: Clément Chigot <chigot@adacore.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Message-id: 20230524143714.565792-1-chigot@adacore.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/arm/xlnx-zynqmp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
index 1c52a575aa..2ffc6df70b 100644
--- a/hw/arm/xlnx-zynqmp.c
+++ b/hw/arm/xlnx-zynqmp.c
@@ -194,7 +194,7 @@ static void xlnx_zynqmp_create_rpu(MachineState *ms, XlnxZynqMPState *s,
const char *boot_cpu, Error **errp)
{
int i;
- int num_rpus = MIN(ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS,
+ int num_rpus = MIN((int)(ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS),
XLNX_ZYNQMP_NUM_RPU_CPUS);
if (num_rpus <= 0) {
--
2.41.0.windows.1

40
hw-char-fix-qcode-array-bounds-check-in-ESCC-impl.patch Normal file
View File

@ -0,0 +1,40 @@
From 308cd236694ac13e2c45293b670b536b63765e62 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 4 Sep 2023 07:27:24 +0000
Subject: [PATCH] hw/char: fix qcode array bounds check in ESCC impl mainline
inclusion commit 9aaf11e7f2b5487b684e900cf164f0aef25f72ab category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
There was an off-by-1 in the qcode conversion array bounds
check.
Fixes: e709a61a8fe1076a487376fd657544418a38ba06
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/char/escc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/char/escc.c b/hw/char/escc.c
index 8755d8d34f..17a908c59b 100644
--- a/hw/char/escc.c
+++ b/hw/char/escc.c
@@ -828,7 +828,7 @@ static void sunkbd_handle_event(DeviceState *dev, QemuConsole *src,
}
}
- if (qcode > qemu_input_map_qcode_to_sun_len) {
+ if (qcode >= qemu_input_map_qcode_to_sun_len) {
return;
}
--
2.41.0.windows.1

63
hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch Normal file
View File

@ -0,0 +1,63 @@
From b2314562968c124503dbd08529a2bef39701aaa7 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Wed, 6 Sep 2023 20:30:27 +0800
Subject: [PATCH] hw/i2c/pmbus_device: Fix modifying QOM class internals from
instance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from f0e4588fd4ae39d1ad46f19c76ed298f89e61d6a
QOM object instance should not modify its class state (because
all other objects instanciated from this class get affected).
Instead of modifying the PMBusDeviceClass 'device_num_pages' field
the first time a instance is initialized (in pmbus_pages_alloc),
introduce a new pmbus_pages_num() helper which returns the page
number from the class without modifying the class state.
The code logic become slighly simplified.
Inspired-by: Bernhard Beschow <shentey@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230523064408.57941-4-philmd@linaro.org>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/i2c/pmbus_device.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/hw/i2c/pmbus_device.c b/hw/i2c/pmbus_device.c
index 24f8f522d9..f39cd532de 100644
--- a/hw/i2c/pmbus_device.c
+++ b/hw/i2c/pmbus_device.c
@@ -166,15 +166,18 @@ static void pmbus_quick_cmd(SMBusDevice *smd, uint8_t read)
}
}
-static void pmbus_pages_alloc(PMBusDevice *pmdev)
+static uint8_t pmbus_pages_num(PMBusDevice *pmdev)
{
+ const PMBusDeviceClass *k = PMBUS_DEVICE_GET_CLASS(pmdev);
+
/* some PMBus devices don't use the PAGE command, so they get 1 page */
- PMBusDeviceClass *k = PMBUS_DEVICE_GET_CLASS(pmdev);
- if (k->device_num_pages == 0) {
- k->device_num_pages = 1;
- }
- pmdev->num_pages = k->device_num_pages;
- pmdev->pages = g_new0(PMBusPage, k->device_num_pages);
+ return k->device_num_pages ? : 1;
+}
+
+static void pmbus_pages_alloc(PMBusDevice *pmdev)
+{
+ pmdev->num_pages = pmbus_pages_num(pmdev);
+ pmdev->pages = g_new0(PMBusPage, pmdev->num_pages);
}
void pmbus_check_limits(PMBusDevice *pmdev)
--
2.41.0.windows.1

49
hw-net-Fix-read-of-uninitialized-memory-in-ftgmac100.patch Normal file
View File

@ -0,0 +1,49 @@
From 967c8f6e799756baf95c025ba8107206c3afd398 Mon Sep 17 00:00:00 2001
From: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
Date: Thu, 28 Sep 2023 16:25:23 +0800
Subject: [PATCH] hw/net: Fix read of uninitialized memory in ftgmac100
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 036e98e5c2b4e25c8d6ccbddb85c7ab05a753f6a
With the `size += 4` before the call to `crc32`, the CRC calculation
would overrun the buffer. Size is used in the while loop starting on
line 1009 to determine how much data to write back, with the last
four bytes coming from `crc_ptr`, so do need to increase it, but should
do this after the computation.
I'm unsure why this use of uninitialized memory in the CRC doesn't
result in CRC errors, but it seems clear to me that it should not be
included in the calculation.
Signed-off-by: Stephen Longfield <slongfield@google.com>
Reviewed-by: Hao Wu <wuhaotsh@google.com>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Message-Id: <20221220221437.3303721-1-slongfield@google.com>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
---
hw/net/ftgmac100.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/net/ftgmac100.c b/hw/net/ftgmac100.c
index 83ef0a783e..d3bf14be53 100644
--- a/hw/net/ftgmac100.c
+++ b/hw/net/ftgmac100.c
@@ -980,9 +980,9 @@ static ssize_t ftgmac100_receive(NetClientState *nc, const uint8_t *buf,
return size;
}
- /* 4 bytes for the CRC. */
- size += 4;
crc = cpu_to_be32(crc32(~0, buf, size));
+ /* Increase size by 4, loop below reads the last 4 bytes from crc_ptr. */
+ size += 4;
crc_ptr = (uint8_t *) &crc;
/* Huge frames are truncated. */
--
2.41.0.windows.1

38
hw-nvme-Avoid-dynamic-stack-allocation.patch Normal file
View File

@ -0,0 +1,38 @@
From aa1f9c961de247522e772275635b7f15bf5bb13f Mon Sep 17 00:00:00 2001
From: dinglimin <dinglimin@cmss.chinamobile.com>
Date: Sat, 16 Sep 2023 17:20:08 +0800
Subject: [PATCH] hw/nvme: Avoid dynamic stack allocation
cheery-pick from b3c8246750b7077add335559341268f2956f6470
Instead of using a variable-length array in nvme_map_prp(),
allocate on the stack with a g_autofree pointer.
The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions. This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g. CVE-2021-3527).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Signed-off-by: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
---
hw/nvme/ctrl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index debd3916dd..d64dd9c361 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -702,7 +702,7 @@ static uint16_t nvme_map_prp(NvmeCtrl *n, NvmeSg *sg, uint64_t prp1,
len -= trans_len;
if (len) {
if (len > n->page_size) {
- uint64_t prp_list[n->max_prp_ents];
+ g_autofree uint64_t *prp_list = g_new(uint64_t, n->max_prp_ents);
uint32_t nents, prp_trans;
int i = 0;
--
2.41.0.windows.1

60
hw-vfio-pci-quirks-Sanitize-capability-pointer.patch Normal file
View File

@ -0,0 +1,60 @@
From 193240c79f5c95aaf86b2998975189f1873ebcec Mon Sep 17 00:00:00 2001
From: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
Date: Fri, 18 Aug 2023 14:41:45 +0800
Subject: [PATCH] hw/vfio/pci-quirks: Sanitize capability pointer Coverity
reports a tained scalar when traversing the capabilities chain (CID 1516589).
In practice I've never seen a device with a chain so broken as to cause an
issue, but it's also pretty easy to sanitize.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: f6b30c1 ("hw/vfio/pci-quirks: Support alternate offset for
GPUDirect Cliques")
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>
---
hw/vfio/pci-quirks.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
index 7a8e6efcdc..a911e04a79 100644
--- a/hw/vfio/pci-quirks.c
+++ b/hw/vfio/pci-quirks.c
@@ -1717,6 +1717,12 @@ const PropertyInfo qdev_prop_nv_gpudirect_clique = {
.set = set_nv_gpudirect_clique_id,
};
+static bool is_valid_std_cap_offset(uint8_t pos)
+{
+ return (pos >= PCI_STD_HEADER_SIZEOF &&
+ pos <= (PCI_CFG_SPACE_SIZE - PCI_CAP_SIZEOF));
+}
+
static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp)
{
PCIDevice *pdev = &vdev->pdev;
@@ -1750,7 +1756,7 @@ static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp)
*/
ret = pread(vdev->vbasedev.fd, &tmp, 1,
vdev->config_offset + PCI_CAPABILITY_LIST);
- if (ret != 1 || !tmp) {
+ if (ret != 1 || !is_valid_std_cap_offset(tmp)) {
error_setg(errp, "NVIDIA GPUDirect Clique ID: error getting cap list");
return -EINVAL;
}
@@ -1762,7 +1768,7 @@ static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp)
d4_conflict = true;
}
tmp = pdev->config[tmp + PCI_CAP_LIST_NEXT];
- } while (tmp);
+ } while (is_valid_std_cap_offset(tmp));
if (!c8_conflict) {
pos = 0xC8;
--
2.41.0.windows.1

95
hw-vfio-pci-quirks-Support-alternate-offset-for-GPUD.patch Normal file
View File

@ -0,0 +1,95 @@
From d672e2f137933b26bd9b3488a873830435eadba5 Mon Sep 17 00:00:00 2001
From: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
Date: Thu, 3 Aug 2023 15:10:16 +0800
Subject: [PATCH] hw/vfio/pci-quirks: Support alternate offset for GPUDirect
Cliques
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
NVIDIA Turing and newer GPUs implement the MSI-X capability at the offset
previously reserved for use by hypervisors to implement the GPUDirect
Cliques capability. A revised specification provides an alternate
location. Add a config space walk to the quirk to check for conflicts,
allowing us to fall back to the new location or generate an error at the
quirk setup rather than when the real conflicting capability is added
should there be no available location.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>
---
hw/vfio/pci-quirks.c | 41 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
index 1222ccff0b..7a8e6efcdc 100644
--- a/hw/vfio/pci-quirks.c
+++ b/hw/vfio/pci-quirks.c
@@ -1677,6 +1677,9 @@ void vfio_setup_resetfn_quirk(VFIOPCIDevice *vdev)
* +---------------------------------+---------------------------------+
*
* https://lists.gnu.org/archive/html/qemu-devel/2017-08/pdfUda5iEpgOS.pdf
+ *
+ * Specification for Turning and later GPU architectures:
+ * https://lists.gnu.org/archive/html/qemu-devel/2023-06/pdf142OR4O4c2.pdf
*/
static void get_nv_gpudirect_clique_id(Object *obj, Visitor *v,
const char *name, void *opaque,
@@ -1717,7 +1720,9 @@ const PropertyInfo qdev_prop_nv_gpudirect_clique = {
static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp)
{
PCIDevice *pdev = &vdev->pdev;
- int ret, pos = 0xC8;
+ int ret, pos;
+ bool c8_conflict = false, d4_conflict = false;
+ uint8_t tmp;
if (vdev->nv_gpudirect_clique == 0xFF) {
return 0;
@@ -1734,6 +1739,40 @@ static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp)
return -EINVAL;
}
+ /*
+ * Per the updated specification above, it's recommended to use offset
+ * D4h for Turing and later GPU architectures due to a conflict of the
+ * MSI-X capability at C8h. We don't know how to determine the GPU
+ * architecture, instead we walk the capability chain to mark conflicts
+ * and choose one or error based on the result.
+ *
+ * NB. Cap list head in pdev->config is already cleared, read from device.
+ */
+ ret = pread(vdev->vbasedev.fd, &tmp, 1,
+ vdev->config_offset + PCI_CAPABILITY_LIST);
+ if (ret != 1 || !tmp) {
+ error_setg(errp, "NVIDIA GPUDirect Clique ID: error getting cap list");
+ return -EINVAL;
+ }
+
+ do {
+ if (tmp == 0xC8) {
+ c8_conflict = true;
+ } else if (tmp == 0xD4) {
+ d4_conflict = true;
+ }
+ tmp = pdev->config[tmp + PCI_CAP_LIST_NEXT];
+ } while (tmp);
+
+ if (!c8_conflict) {
+ pos = 0xC8;
+ } else if (!d4_conflict) {
+ pos = 0xD4;
+ } else {
+ error_setg(errp, "NVIDIA GPUDirect Clique ID: invalid config space");
+ return -EINVAL;
+ }
+
ret = pci_add_capability(pdev, PCI_CAP_ID_VNDR, pos, 8, errp);
if (ret < 0) {
error_prepend(errp, "Failed to add NVIDIA GPUDirect cap: ");
--
2.41.0.windows.1

45
hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch Normal file
View File

@ -0,0 +1,45 @@
From 12eed71f72cbb5d81b14f66fde254058f121979a Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Wed, 25 Oct 2023 17:44:42 +0800
Subject: [PATCH] hw/virtio/virtio-pmem: Replace impossible check by assertion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 184256d261cfc773360f14a80092ace5a716bb8f
The get_memory_region() handler is used when (un)plugging the
device, which can only occur *after* it is realized.
virtio_pmem_realize() ensure the instance can not be realized
without 'memdev'. Remove the superfluous check, replacing it
by an assertion.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <20231017140150.44995-2-philmd@linaro.org>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/virtio/virtio-pmem.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/hw/virtio/virtio-pmem.c b/hw/virtio/virtio-pmem.c
index d1aeb90a31..39f3949a3b 100644
--- a/hw/virtio/virtio-pmem.c
+++ b/hw/virtio/virtio-pmem.c
@@ -149,10 +149,7 @@ static void virtio_pmem_fill_device_info(const VirtIOPMEM *pmem,
static MemoryRegion *virtio_pmem_get_memory_region(VirtIOPMEM *pmem,
Error **errp)
{
- if (!pmem->memdev) {
- error_setg(errp, "'%s' property must be set", VIRTIO_PMEM_MEMDEV_PROP);
- return NULL;
- }
+ assert(pmem->memdev);
return &pmem->memdev->mr;
}
--
2.41.0.windows.1

43
migration-rdma-zore-out-head.repeat-to-make-the-erro.patch Normal file
View File

@ -0,0 +1,43 @@
From e65dfad1fd7832fc206f3a22479169fcb4527317 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Mon, 9 Oct 2023 18:11:54 +0800
Subject: [PATCH] migration/rdma: zore out head.repeat to make the error more
clear
cheery-pick from 2ada4b63f1764d13a2b9ca9cbeb5feda46ab6851
Previously, we got a confusion error that complains
the RDMAControlHeader.repeat:
qemu-system-x86_64: rdma: Too many requests in this message (3638950032).Bailing.
Actually, it's caused by an unexpected RDMAControlHeader.type.
After this patch, error will become:
qemu-system-x86_64: Unknown control message QEMU FILE
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Li Zhijian <lizhijian@fujitsu.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Message-ID: <20230926100103.201564-2-lizhijian@fujitsu.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
migration/rdma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/migration/rdma.c b/migration/rdma.c
index f5d3bbe7e9..60c856dd2f 100644
--- a/migration/rdma.c
+++ b/migration/rdma.c
@@ -2866,7 +2866,7 @@ static ssize_t qio_channel_rdma_writev(QIOChannel *ioc,
size_t remaining = iov[i].iov_len;
uint8_t * data = (void *)iov[i].iov_base;
while (remaining) {
- RDMAControlHeader head;
+ RDMAControlHeader head = {};
len = MIN(remaining, RDMA_SEND_INCREMENT);
remaining -= len;
--
2.41.0.windows.1

43
ppc-vof-Fix-missed-fields-in-VOF-cleanup.patch Normal file
View File

@ -0,0 +1,43 @@
From 62083d43f24d801f74b8e0aee7693811c19a366d Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Mon, 18 Sep 2023 15:26:28 +0800
Subject: [PATCH] ppc/vof: Fix missed fields in VOF cleanup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 7b8589d7ce7e23f26ff53338d575a5cbd7818e28
Failing to reset the of_instance_last makes ihandle allocation continue
to increase, which causes record-replay replay fail to match the
recorded trace.
Not resetting claimed_base makes VOF eventually run out of memory after
some resets.
Cc: Alexey Kardashevskiy <aik@ozlabs.ru>
Fixes: fc8c745d501 ("spapr: Implement Open Firmware client interface")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/ppc/vof.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/ppc/vof.c b/hw/ppc/vof.c
index 73adc44ec2..b1aa0ceb8b 100644
--- a/hw/ppc/vof.c
+++ b/hw/ppc/vof.c
@@ -1026,6 +1026,8 @@ void vof_cleanup(Vof *vof)
}
vof->claimed = NULL;
vof->of_instances = NULL;
+ vof->of_instance_last = 0;
+ vof->claimed_base = 0;
}
void vof_build_dt(void *fdt, Vof *vof)
--
2.41.0.windows.1

76
qemu.spec
View File

@ -3,7 +3,7 @@
Name: qemu Name: qemu
Version: 6.2.0 Version: 6.2.0
Release: 80 Release: 83
Epoch: 10 Epoch: 10
Summary: QEMU is a generic and open source machine emulator and virtualizer Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -565,6 +565,40 @@ Patch0550: vhost-Drop-unused-eventfd_add-del-hooks.patch
Patch0551: chardev-report-the-handshake-error.patch Patch0551: chardev-report-the-handshake-error.patch
Patch0552: hw-ssi-Fix-Linux-driver-init-issue-with-xilinx_spi.patch Patch0552: hw-ssi-Fix-Linux-driver-init-issue-with-xilinx_spi.patch
Patch0553: io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch Patch0553: io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch
Patch0554: hw-char-fix-qcode-array-bounds-check-in-ESCC-impl.patch
Patch0555: tulip-Assign-default-MAC-address-if-not-specified.patch
Patch0556: target-ppc-Fix-the-order-of-kvm_enable-judgment-abou.patch
Patch0557: tests-qtest-pflash-Clean-up-local-variable-shadowing.patch
Patch0558: ui-fix-crash-when-there-are-no-active_console.patch
Patch0559: ppc-vof-Fix-missed-fields-in-VOF-cleanup.patch
Patch0560: hw-nvme-Avoid-dynamic-stack-allocation.patch
Patch0561: aio-posix-zero-out-io_uring-sqe-user_data.patch
Patch0562: qtest-npcm7xx_pwm-test-Fix-memory-leak-in-mft_qom_se.patch
Patch0563: target-i386-fix-INVD-vmexit.patch
Patch0564: target-ppc-Fix-tlbie.patch
Patch0565: hw-net-Fix-read-of-uninitialized-memory-in-ftgmac100.patch
Patch0566: replay-fix-event-queue-flush-for-qemu-shutdown.patch
Patch0567: hw-vfio-pci-quirks-Support-alternate-offset-for-GPUD.patch
Patch0568: hw-vfio-pci-quirks-Sanitize-capability-pointer.patch
Patch0569: vhost-user-fs-Back-up-vqs-before-cleaning-up-vhost_d.patch
Patch0570: migration-rdma-zore-out-head.repeat-to-make-the-erro.patch
Patch0571: thread-pool-optimize-scheduling-of-completion-bottom.patch
Patch0572: hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch
Patch0573: hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch
Patch0574: crypto-remove-shadowed-ret-variable.patch
Patch0575: target-i386-add-support-for-FLUSH_L1D-feature.patch
Patch0576: target-i386-add-support-for-FB_CLEAR-feature.patch
Patch0577: target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch
Patch0578: target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch
Patch0579: target-i386-Allow-MCDT_NO-if-host-supports.patch
Patch0580: target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch
Patch0581: target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch
Patch0582: ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch
Patch0583: qga-Fix-memory-leak-when-output-stream-is-unused.patch
Patch0584: disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch
Patch0585: softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch
Patch0586: tests-Fix-printf-format-string-in-acpi-utils.c.patch
Patch0587: hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch
BuildRequires: flex BuildRequires: flex
BuildRequires: gcc BuildRequires: gcc
@ -1138,6 +1172,46 @@ getent passwd qemu >/dev/null || \
%endif %endif
%changelog %changelog
* Mon Oct 30 2023 <fengjiabo1@huawei.com> - 10:6.2.0-83
- hw/virtio/virtio-pmem: Replace impossible check by assertion
- tests: Fix printf format string in acpi-utils.c
- softmmu/dirtylimit: Add parameter check for hmp "set_vcpu_dirty_limit"
- disas/riscv: Fix the typo of inverted order of pmpaddr13 and pmpaddr14
- qga: Fix memory leak when output stream is unused
- ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
- target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model
- target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES
- target/i386: Allow MCDT_NO if host supports
- target/i386: Add support for MCDT_NO in CPUID enumeration
- target/i386: Export MSR_ARCH_CAPABILITIES bits to guests
- target/i386: add support for FB_CLEAR feature
- target/i386: add support for FLUSH_L1D feature
- crypto: remove shadowed 'ret' variable
- hw/i2c/pmbus_device: Fix modifying QOM class internals from instance
- hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number
* Mon Oct 30 2023 <fengjiabo1@huawei.com> - 10:6.2.0-82
- thread-pool: optimize scheduling of completion bottom half
- migration/rdma: zore out head.repeat to make the error more clear
- vhost-user-fs: Back up vqs before cleaning up vhost_dev
- hw/vfio/pci-quirks: Sanitize capability pointer
- hw/vfio/pci-quirks: Support alternate offset for GPUDirect Cliques
- replay: fix event queue flush for qemu shutdown
- hw/net: Fix read of uninitialized memory in ftgmac100
- target/ppc: Fix tlbie
- target/i386: fix INVD vmexit
- qtest/npcm7xx_pwm-test: Fix memory leak in mft_qom_set
- aio-posix: zero out io_uring sqe user_data
* Mon Oct 30 2023 <fengjiabo1@huawei.com> - 10:6.2.0-81
- hw/nvme: Avoid dynamic stack allocation
- ppc/vof: Fix missed fields in VOF cleanup
- ui: fix crash when there are no active_console
- tests/qtest/pflash: Clean up local variable shadowing
- target/ppc: Fix the order of kvm_enable judgment about kvmppc_set_interrupt()
- tulip: Assign default MAC address if not specified
- hw/char: fix qcode array bounds check in ESCC impl
* Sat Sep 9 2023 <fengjiabo1@huawei.com> - 10:6.2.0-80 * Sat Sep 9 2023 <fengjiabo1@huawei.com> - 10:6.2.0-80
- io: remove io watch if TLS channel is closed during handshake - io: remove io watch if TLS channel is closed during handshake
- hw/ssi: Fix Linux driver init issue with xilinx_spi - hw/ssi: Fix Linux driver init issue with xilinx_spi

56
qga-Fix-memory-leak-when-output-stream-is-unused.patch Normal file
View File

@ -0,0 +1,56 @@
From 877d97f7e7b88c9cb8754bece152dc27a2a0f47a Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Mon, 16 Oct 2023 10:22:03 +0800
Subject: [PATCH] qga: Fix memory leak when output stream is unused
cheery-pick from d6f67b83b81bf49b5c62e77143ed39c020e51830
If capture-output is requested but one of the channels goes unused (eg.
we attempt to capture stderr but the command never writes to stderr), we
can leak memory.
guest_exec_output_watch() is (from what I understand) unconditionally
called for both streams if output capture is requested. The first call
will always pass the `p->size == p->length` check b/c both values are
0. Then GUEST_EXEC_IO_SIZE bytes will be allocated for the stream.
But when we reap the exited process there's a `gei->err.length > 0`
check to actually free the buffer. Which does not get run if the command
doesn't write to the stream.
Fix by making free() unconditional.
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Signed-off-by: Daniel Xu <dxu@dxuuu.xyz>
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
qga/commands.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/qga/commands.c b/qga/commands.c
index 80501e4a73..05f89725be 100644
--- a/qga/commands.c
+++ b/qga/commands.c
@@ -210,16 +210,16 @@ GuestExecStatus *qmp_guest_exec_status(int64_t pid, Error **errp)
if (gei->out.length > 0) {
ges->has_out_data = true;
ges->out_data = g_base64_encode(gei->out.data, gei->out.length);
- g_free(gei->out.data);
ges->has_out_truncated = gei->out.truncated;
}
+ g_free(gei->out.data);
if (gei->err.length > 0) {
ges->has_err_data = true;
ges->err_data = g_base64_encode(gei->err.data, gei->err.length);
- g_free(gei->err.data);
ges->has_err_truncated = gei->err.truncated;
}
+ g_free(gei->err.data);
QTAILQ_REMOVE(&guest_exec_state.processes, gei, next);
g_free(gei);
--
2.41.0.windows.1

39
qtest-npcm7xx_pwm-test-Fix-memory-leak-in-mft_qom_se.patch Normal file
View File

@ -0,0 +1,39 @@
From b76d4a1a4d7d0635044cd8542564803318ac5412 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Tue, 26 Sep 2023 07:49:12 +0000
Subject: [PATCH] qtest/npcm7xx_pwm-test: Fix memory leak in mft_qom_set
mainline inclusion commit d412597ec5a8406b2af6aa5fb7740e77c1bd3f8c category:
bugfix
---------------------------------------------------------------
g_strdup_printf() allocated memory for path, we should free it with
g_free() when no longer needed.
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Hao Wu <wuhaotsh@google.com>
Message-Id: <20220531080921.4704-1-linmq006@gmail.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
tests/qtest/npcm7xx_pwm-test.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tests/qtest/npcm7xx_pwm-test.c b/tests/qtest/npcm7xx_pwm-test.c
index a54fd70d27..ddfc120df0 100644
--- a/tests/qtest/npcm7xx_pwm-test.c
+++ b/tests/qtest/npcm7xx_pwm-test.c
@@ -268,6 +268,9 @@ static void mft_qom_set(QTestState *qts, int index, const char *name,
path, name, value);
/* The qom set message returns successfully. */
g_assert_true(qdict_haskey(response, "return"));
+
+ qobject_unref(response);
+ g_free(path);
}
static uint32_t get_pll(uint32_t con)
--
2.41.0.windows.1

40
replay-fix-event-queue-flush-for-qemu-shutdown.patch Normal file
View File

@ -0,0 +1,40 @@
From d15694ef4ae7f7ebdbdac250a8a793ab66254655 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Tue, 26 Sep 2023 08:16:21 +0000
Subject: [PATCH] replay: fix event queue flush for qemu shutdown mainline
inclusion commit c4b8ffcbb8531206e12cf3ad92fa90f7c80ed464 category: bugfix
---------------------------------------------------------------
This patch fixes event queue flush in the case of emulator
shutdown. replay_finish_events should be called when replay_mode
is not cleared.
Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgalyuk@ispras.ru>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <165364836758.688121.7959245442743676491.stgit@pasha-ThinkPad-X280>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
replay/replay.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/replay/replay.c b/replay/replay.c
index 6df2abc18c..2d3607998a 100644
--- a/replay/replay.c
+++ b/replay/replay.c
@@ -387,9 +387,8 @@ void replay_finish(void)
g_free(replay_snapshot);
replay_snapshot = NULL;
- replay_mode = REPLAY_MODE_NONE;
-
replay_finish_events();
+ replay_mode = REPLAY_MODE_NONE;
}
void replay_add_blocker(Error *reason)
--
2.41.0.windows.1

55
softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch Normal file
View File

@ -0,0 +1,55 @@
From 381500cc0b96e85165ae0314839c34976a4da1b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hyman=20Huang=28=E9=BB=84=E5=8B=87=29?=
<yong.huang@smartx.com>
Date: Fri, 18 Nov 2022 10:08:54 +0800
Subject: [PATCH] softmmu/dirtylimit: Add parameter check for hmp
"set_vcpu_dirty_limit"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
dirty_rate paraemter of hmp command "set_vcpu_dirty_limit" is invalid
if less than 0, so add parameter check for it.
Note that this patch also delete the unsolicited help message and
clean up the code.
Signed-off-by: Hyman Huang(黄勇) <yong.huang@smartx.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Message-Id: <168618975839.6361.17407633874747688653-1@git.sr.ht>
Signed-off-by: Juan Quintela <quintela@redhat.com>
---
softmmu/dirtylimit.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/softmmu/dirtylimit.c b/softmmu/dirtylimit.c
index 8d98cb7f2c..5041c230d0 100644
--- a/softmmu/dirtylimit.c
+++ b/softmmu/dirtylimit.c
@@ -515,14 +515,15 @@ void hmp_set_vcpu_dirty_limit(Monitor *mon, const QDict *qdict)
int64_t cpu_index = qdict_get_try_int(qdict, "cpu_index", -1);
Error *err = NULL;
- qmp_set_vcpu_dirty_limit(!!(cpu_index != -1), cpu_index, dirty_rate, &err);
- if (err) {
- hmp_handle_error(mon, err);
- return;
+ if (dirty_rate < 0) {
+ error_setg(&err, "invalid dirty page limit %" PRId64, dirty_rate);
+ goto out;
}
- monitor_printf(mon, "[Please use 'info vcpu_dirty_limit' to query "
- "dirty limit for virtual CPU]\n");
+ qmp_set_vcpu_dirty_limit(!!(cpu_index != -1), cpu_index, dirty_rate, &err);
+
+out:
+ hmp_handle_error(mon, err);
}
static struct DirtyLimitInfo *dirtylimit_query_vcpu(int cpu_index)
--
2.41.0.windows.1

53
target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch Normal file
View File

@ -0,0 +1,53 @@
From 732cb06c9b652cf899e9f329ad74ec3dae3d18b2 Mon Sep 17 00:00:00 2001
From: Lei Wang <lei4.wang@intel.com>
Date: Thu, 6 Jul 2023 13:49:48 +0800
Subject: [PATCH] target/i386: Add few security fix bits in ARCH_CAPABILITIES
into SapphireRapids CPU model
commit 3baf7ae63505eb1652d1e52d65798307fead8539 upstream.
SapphireRapids has bit 13, 14 and 15 of MSR_IA32_ARCH_CAPABILITIES
enabled, which are related to some security fixes.
Add version 2 of SapphireRapids CPU model with those bits enabled also.
Intel-SIG: commit 3baf7ae63505 ("target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model")
Backport support of SapphireRapids CPU Model version 2
Signed-off-by: Lei Wang <lei4.wang@intel.com>
Signed-off-by: Tao Su <tao1.su@linux.intel.com>
Message-ID: <20230706054949.66556-6-tao1.su@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: amend commit log ]
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 685bfca37e..eb911b12fa 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -3675,8 +3675,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
.model_id = "Intel Xeon Processor (SapphireRapids)",
.versions = (X86CPUVersionDefinition[]) {
{ .version = 1 },
- { /* end of list */ },
- },
+ {
+ .version = 2,
+ .props = (PropValue[]) {
+ { "sbdr-ssdp-no", "on" },
+ { "fbsdp-no", "on" },
+ { "psdp-no", "on" },
+ { /* end of list */ }
+ }
+ },
+ { /* end of list */ }
+ }
},
{
.name = "Denverton",
--
2.41.0.windows.1

43
target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch Normal file
View File

@ -0,0 +1,43 @@
From cdd89390a5e8fb55515798ab4ec5ec5fd6fed32b Mon Sep 17 00:00:00 2001
From: Tao Su <tao1.su@linux.intel.com>
Date: Thu, 6 Jul 2023 13:49:47 +0800
Subject: [PATCH] target/i386: Add new bit definitions of
MSR_IA32_ARCH_CAPABILITIES
commit 6c43ec3b206956a8a3008accafe9eb2dfd885190 upstream.
Currently, bit 13, 14, 15 and 24 of MSR_IA32_ARCH_CAPABILITIES are
disclosed for fixing security issues, so add those bit definitions.
Intel-SIG: commit 6c43ec3b2069 ("target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES")
Backport new bit definitions of MSR_IA32_ARCH_CAPABILITIES
Signed-off-by: Tao Su <tao1.su@linux.intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Message-ID: <20230706054949.66556-5-tao1.su@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: amend commit log ]
Signed-off-by: Jason Zeng <jason zeng@intel.com>
---
target/i386/cpu.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index edbaba0d62..37c687d4d8 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -966,7 +966,11 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
#define MSR_ARCH_CAP_PSCHANGE_MC_NO (1U << 6)
#define MSR_ARCH_CAP_TSX_CTRL_MSR (1U << 7)
#define MSR_ARCH_CAP_TAA_NO (1U << 8)
+#define MSR_ARCH_CAP_SBDR_SSDP_NO (1U << 13)
+#define MSR_ARCH_CAP_FBSDP_NO (1U << 14)
+#define MSR_ARCH_CAP_PSDP_NO (1U << 15)
#define MSR_ARCH_CAP_FB_CLEAR (1U << 17)
+#define MSR_ARCH_CAP_PBRSB_NO (1U << 24)
#define MSR_CORE_CAP_SPLIT_LOCK_DETECT (1U << 5)
--
2.41.0.windows.1

112
target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch Normal file
View File

@ -0,0 +1,112 @@
From a7329b80a2c8a50e53da17aa4eff0ef50aa21413 Mon Sep 17 00:00:00 2001
From: Tao Su <tao1.su@linux.intel.com>
Date: Thu, 6 Jul 2023 13:49:45 +0800
Subject: [PATCH] target/i386: Add support for MCDT_NO in CPUID enumeration
commit 9dd8b71091f47bac395f543779269c14d8d93c60 upstream.
CPUID.(EAX=7,ECX=2):EDX[bit 5] enumerates MCDT_NO. Processors enumerate
this bit as 1 do not exhibit MXCSR Configuration Dependent Timing (MCDT)
behavior and do not need to be mitigated to avoid data-dependent behavior
for certain instructions.
Since MCDT_NO is in a new sub-leaf, add a new CPUID feature word
FEAT_7_2_EDX. Also update cpuid_level_func7 by FEAT_7_2_EDX.
Intel-SIG: commit 9dd8b71091f4 ("target/i386: Add support for MCDT_NO in CPUID enumeration")
Backport support for MCDT_NO in CPUID enumeration
Signed-off-by: Tao Su <tao1.su@linux.intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Message-ID: <20230706054949.66556-3-tao1.su@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: resolve conflict with FEAT_7_1_EDX which not backported yet ]
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 26 ++++++++++++++++++++++++++
target/i386/cpu.h | 4 ++++
2 files changed, 30 insertions(+)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index b878a1bf20..685bfca37e 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -663,6 +663,7 @@ void x86_cpu_vendor_words2str(char *dst, uint32_t vendor1,
#define TCG_7_0_EDX_FEATURES CPUID_7_0_EDX_FSRM
#define TCG_7_1_EAX_FEATURES (CPUID_7_1_EAX_FZRM | CPUID_7_1_EAX_FSRS | \
CPUID_7_1_EAX_FSRC)
+#define TCG_7_2_EDX_FEATURES 0
#define TCG_APM_FEATURES 0
#define TCG_6_EAX_FEATURES CPUID_6_EAX_ARAT
#define TCG_XSAVE_FEATURES (CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XGETBV1)
@@ -886,6 +887,25 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
},
.tcg_features = TCG_7_1_EAX_FEATURES,
},
+ [FEAT_7_2_EDX] = {
+ .type = CPUID_FEATURE_WORD,
+ .feat_names = {
+ NULL, NULL, NULL, NULL,
+ NULL, "mcdt-no", NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ },
+ .cpuid = {
+ .eax = 7,
+ .needs_ecx = true, .ecx = 2,
+ .reg = R_EDX,
+ },
+ .tcg_features = TCG_7_2_EDX_FEATURES,
+ },
[FEAT_8000_0007_EDX] = {
.type = CPUID_FEATURE_WORD,
.feat_names = {
@@ -5531,6 +5551,11 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
*ebx = 0;
*ecx = 0;
*edx = 0;
+ } else if (count == 2) {
+ *edx = env->features[FEAT_7_2_EDX];
+ *eax = 0;
+ *ebx = 0;
+ *ecx = 0;
} else {
*eax = 0;
*ebx = 0;
@@ -6361,6 +6386,7 @@ void x86_cpu_expand_features(X86CPU *cpu, Error **errp)
x86_cpu_adjust_feat_level(cpu, FEAT_6_EAX);
x86_cpu_adjust_feat_level(cpu, FEAT_7_0_ECX);
x86_cpu_adjust_feat_level(cpu, FEAT_7_1_EAX);
+ x86_cpu_adjust_feat_level(cpu, FEAT_7_2_EDX);
x86_cpu_adjust_feat_level(cpu, FEAT_8000_0001_EDX);
x86_cpu_adjust_feat_level(cpu, FEAT_8000_0001_ECX);
x86_cpu_adjust_feat_level(cpu, FEAT_8000_0007_EDX);
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index d9aac5acd2..edbaba0d62 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -601,6 +601,7 @@ typedef enum FeatureWord {
FEAT_SGX_12_0_EAX, /* CPUID[EAX=0x12,ECX=0].EAX (SGX) */
FEAT_SGX_12_0_EBX, /* CPUID[EAX=0x12,ECX=0].EBX (SGX MISCSELECT[31:0]) */
FEAT_SGX_12_1_EAX, /* CPUID[EAX=0x12,ECX=1].EAX (SGX ATTRIBUTES[31:0]) */
+ FEAT_7_2_EDX, /* CPUID[EAX=7,ECX=2].EDX */
FEATURE_WORDS,
} FeatureWord;
@@ -889,6 +890,9 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
/* Fast Short REP CMPS/SCAS */
#define CPUID_7_1_EAX_FSRC (1U << 12)
+/* Do not exhibit MXCSR Configuration Dependent Timing (MCDT) behavior */
+#define CPUID_7_2_EDX_MCDT_NO (1U << 5)
+
/* XFD Extend Feature Disabled */
#define CPUID_D_1_EAX_XFD (1U << 4)
--
2.41.0.windows.1

43
target-i386-Allow-MCDT_NO-if-host-supports.patch Normal file
View File

@ -0,0 +1,43 @@
From 6beadcde4d28a1e4ad3267b7702162ecf9d4541b Mon Sep 17 00:00:00 2001
From: Tao Su <tao1.su@linux.intel.com>
Date: Thu, 6 Jul 2023 13:49:46 +0800
Subject: [PATCH] target/i386: Allow MCDT_NO if host supports
commit ba3709feaab44631315e02cd793cfccae4c6bd2a upstream.
MCDT_NO bit indicates HW contains the security fix and doesn't need to
be mitigated to avoid data-dependent behaviour for certain instructions.
It needs no hypervisor support. Treat it as supported regardless of what
KVM reports.
Intel-SIG: commit ba3709feaab4 ("target/i386: Allow MCDT_NO if host supports")
Backport allowing MCDT_NO if host supports
Signed-off-by: Tao Su <tao1.su@linux.intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Message-ID: <20230706054949.66556-4-tao1.su@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: amend commit log ]
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/kvm/kvm.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
index d323d08dcb..55ee75e844 100644
--- a/target/i386/kvm/kvm.c
+++ b/target/i386/kvm/kvm.c
@@ -424,6 +424,10 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function,
uint32_t eax;
host_cpuid(7, 1, &eax, &unused, &unused, &unused);
ret |= eax & (CPUID_7_1_EAX_FZRM | CPUID_7_1_EAX_FSRS | CPUID_7_1_EAX_FSRC);
+ } else if (function == 7 && index == 2 && reg == R_EDX) {
+ uint32_t edx;
+ host_cpuid(7, 2, &unused, &unused, &unused, &edx);
+ ret |= edx & CPUID_7_2_EDX_MCDT_NO;
} else if (function == 0xd && index == 0 &&
(reg == R_EAX || reg == R_EDX)) {
/*
--
2.41.0.windows.1

47
target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch Normal file
View File

@ -0,0 +1,47 @@
From 93551bb8747ffc9ef26fc3ced7be310d9aa805d6 Mon Sep 17 00:00:00 2001
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Fri, 23 Jun 2023 13:26:25 -0700
Subject: [PATCH] target/i386: Export MSR_ARCH_CAPABILITIES bits to guests
commit 5bef742cc4f0e21c80a31611af7881ba811e507f upstream.
On Intel CPUs there are certain bits in MSR_ARCH_CAPABILITIES that
indicates if the CPU is not affected by a vulnerability. Without these
bits guests may try to deploy the mitigation even if the CPU is not
affected.
Export the bits to guests that indicate immunity to hardware
vulnerabilities.
Intel-SIG: commit 5bef742cc4f0 ("target/i386: Export MSR_ARCH_CAPABILITIES bits to guests")
Backport exporting MSR_ARCH_CAPABILITIES bits to guests
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Message-ID: <63d85cc76d4cdc51e6c732478b81d8f13be11e5a.1687551881.git.pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: amend commit log ]
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 8adc84b7f9..b878a1bf20 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -981,10 +981,10 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
"rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
"ssb-no", "mds-no", "pschange-mc-no", "tsx-ctrl",
"taa-no", NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
+ NULL, "sbdr-ssdp-no", "fbsdp-no", "psdp-no",
NULL, "fb-clear", NULL, NULL,
NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
+ "pbrsb-no", NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
},
.msr = {
--
2.41.0.windows.1

62
target-i386-add-support-for-FB_CLEAR-feature.patch Normal file
View File

@ -0,0 +1,62 @@
From fb84b9baa665ffa4596fd871537e0544d60e40fc Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Wed, 1 Feb 2023 08:57:59 -0500
Subject: [PATCH] target/i386: add support for FB_CLEAR feature
commit 22e1094ca82d5518c1b69aff3e87c550776ae1eb upstream.
As reported by the Intel's doc:
"FB_CLEAR: The processor will overwrite fill buffer values as part of
MD_CLEAR operations with the VERW instruction.
On these processors, L1D_FLUSH does not overwrite fill buffer values."
If this cpu feature is present in host, allow QEMU to choose whether to
show it to the guest too.
One disadvantage of not exposing it is that the guest will report
a non existing vulnerability in
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
because the mitigation is present only when the cpu has
(FLUSH_L1D and MD_CLEAR) or FB_CLEAR
features enabled.
Intel-SIG: commit 22e1094ca82d ("target/i386: add support for FB_CLEAR feature")
Backport support for FB_CLEAR feature
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Message-Id: <20230201135759.555607-3-eesposit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: amend commit log ]
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 2 +-
target/i386/cpu.h | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 512bec3ca3..8adc84b7f9 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -982,7 +982,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
"ssb-no", "mds-no", "pschange-mc-no", "tsx-ctrl",
"taa-no", NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
+ NULL, "fb-clear", NULL, NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 9e094ef934..d9aac5acd2 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -962,6 +962,7 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
#define MSR_ARCH_CAP_PSCHANGE_MC_NO (1U << 6)
#define MSR_ARCH_CAP_TSX_CTRL_MSR (1U << 7)
#define MSR_ARCH_CAP_TAA_NO (1U << 8)
+#define MSR_ARCH_CAP_FB_CLEAR (1U << 17)
#define MSR_CORE_CAP_SPLIT_LOCK_DETECT (1U << 5)
--
2.41.0.windows.1

61
target-i386-add-support-for-FLUSH_L1D-feature.patch Normal file
View File

@ -0,0 +1,61 @@
From dd635e4b0340a426333b466a2222e5848dfda42c Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Wed, 1 Feb 2023 08:57:58 -0500
Subject: [PATCH] target/i386: add support for FLUSH_L1D feature
commit 0e7e3bf1a552c178924867fa7c2f30ccc8a179e0 upstream.
As reported by Intel's doc:
"L1D_FLUSH: Writeback and invalidate the L1 data cache"
If this cpu feature is present in host, allow QEMU to choose whether to
show it to the guest too.
One disadvantage of not exposing it is that the guest will report
a non existing vulnerability in
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
because the mitigation is present only when the cpu has
(FLUSH_L1D and MD_CLEAR) or FB_CLEAR
features enabled.
Intel-SIG: commit 0e7e3bf1a552 ("target/i386: add support for FLUSH_L1D feature")
Backport support for FLUSH_L1D feature
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Message-Id: <20230201135759.555607-2-eesposit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: amend commit log ]
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 2 +-
target/i386/cpu.h | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 66b5eaa14e..512bec3ca3 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -858,7 +858,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
"tsx-ldtrk", NULL, NULL /* pconfig */, NULL,
NULL, NULL, "amx-bf16", "avx512-fp16",
"amx-tile", "amx-int8", "spec-ctrl", "stibp",
- NULL, "arch-capabilities", "core-capability", "ssbd",
+ "flush-l1d", "arch-capabilities", "core-capability", "ssbd",
},
.cpuid = {
.eax = 7,
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index d0c7791a1e..9e094ef934 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -869,6 +869,8 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
#define CPUID_7_0_EDX_SPEC_CTRL (1U << 26)
/* Single Thread Indirect Branch Predictors */
#define CPUID_7_0_EDX_STIBP (1U << 27)
+/* Flush L1D cache */
+#define CPUID_7_0_EDX_FLUSH_L1D (1U << 28)
/* Arch Capabilities */
#define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)
/* Core Capability */
--
2.41.0.windows.1

34
target-i386-fix-INVD-vmexit.patch Normal file
View File

@ -0,0 +1,34 @@
From b17eea58c7497f96cb66d31b8c59fdcdb06b6c40 Mon Sep 17 00:00:00 2001
From: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
Date: Sun, 24 Sep 2023 19:43:41 +0800
Subject: [PATCH] target/i386: fix INVD vmexit
Due to a typo or perhaps a brain fart, the INVD vmexit was never generated.
Fix it (but not that fixing just the typo would break both INVD and WBINVD,
due to a case of two wrongs making a right).
cheery-pick from 4d714d1a0bf1fca9576ee53a1a5dfa3fd5ddae99
Signed-off-by: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target/i386/tcg/translate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index e9e1451540..82f77b52fb 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -7773,7 +7773,7 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
case 0x108: /* invd */
case 0x109: /* wbinvd */
if (check_cpl0(s)) {
- gen_svm_check_intercept(s, (b & 2) ? SVM_EXIT_INVD : SVM_EXIT_WBINVD);
+ gen_svm_check_intercept(s, (b & 1) ? SVM_EXIT_WBINVD : SVM_EXIT_INVD);
/* nothing to do */
}
break;
--
2.41.0.windows.1

57
target-ppc-Fix-the-order-of-kvm_enable-judgment-abou.patch Normal file
View File

@ -0,0 +1,57 @@
From ba1e022f06300e6dafc7e89a4f3fe756dc9691dd Mon Sep 17 00:00:00 2001
From: JianChunfu <chunfu.jian@shingroup.cn>
Date: Wed, 20 Sep 2023 18:58:00 +0800
Subject: [PATCH] target/ppc: Fix the order of kvm_enable judgment about
kvmppc_set_interrupt()
It's unnecessary for non-KVM accelerators(TCG, for example),
to call this function, so change the order of kvm_enable() judgment.
The static inline function that returns -1 directly does not work
in TCG's situation.
Signed-off-by: JianChunfu <chunfu.jian@shingroup.cn>
---
hw/ppc/ppc.c | 8 ++++++--
target/ppc/kvm.c | 2 +-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/ppc/ppc.c b/hw/ppc/ppc.c
index e8127599c9..cf90ab7805 100644
--- a/hw/ppc/ppc.c
+++ b/hw/ppc/ppc.c
@@ -66,7 +66,9 @@ void ppc_set_irq(PowerPCCPU *cpu, int n_IRQ, int level)
}
if (old_pending != env->pending_interrupts) {
- kvmppc_set_interrupt(cpu, n_IRQ, level);
+ if (kvm_enabled()) {
+ kvmppc_set_interrupt(cpu, irq, level);
+ }
}
@@ -1461,5 +1463,7 @@ void ppc_irq_reset(PowerPCCPU *cpu)
CPUPPCState *env = &cpu->env;
env->irq_input_state = 0;
- kvmppc_set_interrupt(cpu, PPC_INTERRUPT_EXT, 0);
+ if (kvm_enabled()) {
+ kvmppc_set_interrupt(cpu, PPC_INTERRUPT_EXT, 0);
+ }
}
diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
index d73563045b..397b1e902b 100644
--- a/target/ppc/kvm.c
+++ b/target/ppc/kvm.c
@@ -1323,7 +1323,7 @@ int kvmppc_set_interrupt(PowerPCCPU *cpu, int irq, int level)
return 0;
}
- if (!kvm_enabled() || !cap_interrupt_unset) {
+ if (!cap_interrupt_unset) {
return 0;
}
--
2.41.0.windows.1

47
target-ppc-Fix-tlbie.patch Normal file
View File

@ -0,0 +1,47 @@
From aba3dd63d054cd21054e295d5a9d493cb9d7a75f Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Tue, 26 Sep 2023 06:25:04 +0000
Subject: [PATCH] target/ppc: Fix tlbie mainline inclusion commit
4ddc104689b186c4e4ed30be59a54463501761cf category: bugfix
---------------------------------------------------------------
Commit 74c4912f097bab98 changed check_tlb_flush() to use
tlb_flush_all_cpus_synced() instead of calling tlb_flush() on each
CPU. However, as side effect of this, a CPU executing a ptesync
after a tlbie will have its TLB flushed only after exiting its
current Translation Block (TB).
This causes memory accesses to invalid pages to succeed, if they
happen to be on the same TB as the ptesync.
To fix this, use tlb_flush_all_cpus() instead, that immediately
flushes the TLB of the CPU executing the ptesync instruction.
Fixes: 74c4912f097bab98 ("target/ppc: Fix synchronization of mttcg with broadcast TLB flushes")
Signed-off-by: Leandro Lupori <leandro.lupori@eldorado.org.br>
Reviewed-by: Fabiano Rosas <farosas@linux.ibm.com>
Message-Id: <20220503163904.22575-1-leandro.lupori@eldorado.org.br>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
target/ppc/helper_regs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/ppc/helper_regs.c b/target/ppc/helper_regs.c
index 99562edd57..e97d25e9ab 100644
--- a/target/ppc/helper_regs.c
+++ b/target/ppc/helper_regs.c
@@ -288,7 +288,7 @@ void check_tlb_flush(CPUPPCState *env, bool global)
if (global && (env->tlb_need_flush & TLB_NEED_GLOBAL_FLUSH)) {
env->tlb_need_flush &= ~TLB_NEED_GLOBAL_FLUSH;
env->tlb_need_flush &= ~TLB_NEED_LOCAL_FLUSH;
- tlb_flush_all_cpus_synced(cs);
+ tlb_flush_all_cpus(cs);
return;
}
--
2.41.0.windows.1

30
tests-Fix-printf-format-string-in-acpi-utils.c.patch Normal file
View File

@ -0,0 +1,30 @@
From 847becf4850bc244b140644cb577e17e5ba5e732 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Thu, 26 Oct 2023 19:52:59 -0700
Subject: [PATCH] tests: Fix printf format string in acpi-utils.c
Inside of acpi_fetch_table() arguments are
printed via fprintf but '%d' is used to print @flags (of type
uint). Use '%u' instead.
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
tests/qtest/acpi-utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/qtest/acpi-utils.c b/tests/qtest/acpi-utils.c
index 766c48e3a6..c6f5169b80 100644
--- a/tests/qtest/acpi-utils.c
+++ b/tests/qtest/acpi-utils.c
@@ -103,7 +103,7 @@ void acpi_fetch_table(QTestState *qts, uint8_t **aml, uint32_t *aml_len,
char *fname = NULL;
GError *error = NULL;
- fprintf(stderr, "Invalid '%.4s'(%d)\n", *aml, *aml_len);
+ fprintf(stderr, "Invalid '%.4s'(%u)\n", *aml, *aml_len);
fd = g_file_open_tmp("malformed-XXXXXX.dat", &fname, &error);
g_assert_no_error(error);
fprintf(stderr, "Dumping invalid table into '%s'\n", fname);
--
2.41.0.windows.1

45
tests-qtest-pflash-Clean-up-local-variable-shadowing.patch Normal file
View File

@ -0,0 +1,45 @@
From 42e516ba6969b8f61d7e5e45a4f48f257fecf8e1 Mon Sep 17 00:00:00 2001
From: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
Date: Sat, 16 Sep 2023 17:56:31 +0800
Subject: [PATCH] tests/qtest/pflash: Clean up local variable shadowing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cherry-pick from 82fdcd3e140c8d4c63f177ece554f90f2bccdf68
Fix:
tests/qtest/pflash-cfi02-test.c: In function test_geometry:
tests/qtest/pflash-cfi02-test.c:409:22: warning: declaration of byte_addr shadows a previous local [-Wshadow=compatible-local]
409 | uint64_t byte_addr = (uint64_t)i * c->sector_len[region];
| ^~~~~~~~~
tests/qtest/pflash-cfi02-test.c:342:14: note: shadowed declaration is here
342 | uint64_t byte_addr = 0;
| ^~~~~~~~~
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20230904162824.85385-4-philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
---
tests/qtest/pflash-cfi02-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/qtest/pflash-cfi02-test.c b/tests/qtest/pflash-cfi02-test.c
index 6168edc821..bd1f946fc0 100644
--- a/tests/qtest/pflash-cfi02-test.c
+++ b/tests/qtest/pflash-cfi02-test.c
@@ -406,7 +406,7 @@ static void test_geometry(const void *opaque)
for (int region = 0; region < nb_erase_regions; ++region) {
for (uint32_t i = 0; i < c->nb_blocs[region]; ++i) {
- uint64_t byte_addr = (uint64_t)i * c->sector_len[region];
+ byte_addr = (uint64_t)i * c->sector_len[region];
g_assert_cmphex(flash_read(c, byte_addr), ==, bank_mask(c));
}
}
--
2.41.0.windows.1

45
thread-pool-optimize-scheduling-of-completion-bottom.patch Normal file
View File

@ -0,0 +1,45 @@
From c84bb01c0c56cadb70a95c874b32ed85b8177504 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Tue, 26 Sep 2023 06:41:50 +0000
Subject: [PATCH] thread-pool: optimize scheduling of completion bottom half
mainline inclusion commit 3c7b72ddca9ce85a9d1e8a98fd0996b74597b5ae category:
bugfix
---------------------------------------------------------------
The completion bottom half was scheduled within the pool->lock
critical section. That actually results in worse performance,
because the worker thread can run its own small critical section
and go to sleep before the bottom half starts running.
Note that this simple change does not produce an improvement without
changing the thread pool QemuSemaphore to a condition variable.
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Nicolas Saenz Julienne <nsaenzju@redhat.com>
Message-Id: <20220514065012.1149539-2-pbonzini@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
util/thread-pool.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/util/thread-pool.c b/util/thread-pool.c
index d763cea505..7e9e2c178b 100644
--- a/util/thread-pool.c
+++ b/util/thread-pool.c
@@ -108,9 +108,8 @@ static void *worker_thread(void *opaque)
smp_wmb();
req->state = THREAD_DONE;
- qemu_mutex_lock(&pool->lock);
-
qemu_bh_schedule(pool->completion_bh);
+ qemu_mutex_lock(&pool->lock);
}
pool->cur_threads--;
--
2.41.0.windows.1

58
tulip-Assign-default-MAC-address-if-not-specified.patch Normal file
View File

@ -0,0 +1,58 @@
From 78b2167f1e2fadb4de930bf51c699247031c8880 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 4 Sep 2023 08:27:33 +0000
Subject: [PATCH] tulip: Assign default MAC address if not specified mainline
inclusion commit 052c2579b89b0d87debe8b05594b5180f0fde87d category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
The MAC of the tulip card is stored in the EEPROM and at startup
tulip_fill_eeprom() is called to initialize the EEPROM with the MAC
address given on the command line, e.g.:
-device tulip,mac=00:11:22:33:44:55
In case the mac address was not given on the command line,
tulip_fill_eeprom() initializes the MAC in EEPROM with 00:00:00:00:00:00
which breaks e.g. a HP-UX guest.
Fix this problem by moving qemu_macaddr_default_if_unset() a few lines
up, so that a default mac address is assigned before tulip_fill_eeprom()
initializes the EEPROM.
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/net/tulip.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index 5f8badefca..b9e42c322a 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -967,6 +967,8 @@ static void pci_tulip_realize(PCIDevice *pci_dev, Error **errp)
pci_conf = s->dev.config;
pci_conf[PCI_INTERRUPT_PIN] = 1; /* interrupt pin A */
+ qemu_macaddr_default_if_unset(&s->c.macaddr);
+
s->eeprom = eeprom93xx_new(&pci_dev->qdev, 64);
tulip_fill_eeprom(s);
@@ -981,8 +983,6 @@ static void pci_tulip_realize(PCIDevice *pci_dev, Error **errp)
s->irq = pci_allocate_irq(&s->dev);
- qemu_macaddr_default_if_unset(&s->c.macaddr);
-
s->nic = qemu_new_nic(&net_tulip_info, &s->c,
object_get_typename(OBJECT(pci_dev)),
pci_dev->qdev.id, s);
--
2.41.0.windows.1

42
ui-fix-crash-when-there-are-no-active_console.patch Normal file
View File

@ -0,0 +1,42 @@
From 89fda5a4410099a317bd1fcef56b130d6d97a2b5 Mon Sep 17 00:00:00 2001
From: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
Date: Sat, 16 Sep 2023 17:41:07 +0800
Subject: [PATCH] ui: fix crash when there are no active_console
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cherry-pick from 48a35e12faf90a896c5aa4755812201e00d60316
Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
812 return con->hw_ops->ui_info != NULL;
(gdb) bt
Fixes:
https://issues.redhat.com/browse/RHEL-2600
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Albert Esteve <aesteve@redhat.com>
Signed-off-by: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
---
ui/console.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ui/console.c b/ui/console.c
index 29a3e3f0f5..d22c3def20 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -1526,6 +1526,9 @@ bool dpy_ui_info_supported(QemuConsole *con)
con = active_console;
}
+ if (con == NULL) {
+ return false;
+ }
return con->hw_ops->ui_info != NULL;
}
--
2.41.0.windows.1

58
ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch Normal file
View File

@ -0,0 +1,58 @@
From 2858029a5dbdd3fab73b1884e296daa3f3f0b1a1 Mon Sep 17 00:00:00 2001
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Tue, 4 Jul 2023 10:41:22 +0200
Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer
(CVE-2023-3255)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A wrong exit condition may lead to an infinite loop when inflating a
valid zlib buffer containing some extra bytes in the `inflate_buffer`
function. The bug only occurs post-authentication. Return the buffer
immediately if the end of the compressed data has been reached
(Z_STREAM_END).
Fixes: CVE-2023-3255
Fixes: 0bf41cab ("ui/vnc: clipboard support")
Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
---
ui/vnc-clipboard.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
index 67284b556c..c84599cfdb 100644
--- a/ui/vnc-clipboard.c
+++ b/ui/vnc-clipboard.c
@@ -51,8 +51,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
ret = inflate(&stream, Z_FINISH);
switch (ret) {
case Z_OK:
- case Z_STREAM_END:
break;
+ case Z_STREAM_END:
+ *size = stream.total_out;
+ inflateEnd(&stream);
+ return out;
case Z_BUF_ERROR:
out_len <<= 1;
if (out_len > (1 << 20)) {
@@ -67,11 +70,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
}
}
- *size = stream.total_out;
- inflateEnd(&stream);
-
- return out;
-
err_end:
inflateEnd(&stream);
err:
--
2.41.0.windows.1

43
vhost-user-fs-Back-up-vqs-before-cleaning-up-vhost_d.patch Normal file
View File

@ -0,0 +1,43 @@
From d48beee81ba11b6bc5151f4f882a9fe2ff9b1d2c Mon Sep 17 00:00:00 2001
From: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
Date: Thu, 28 Sep 2023 16:07:30 +0800
Subject: [PATCH] vhost-user-fs: Back up vqs before cleaning up vhost_dev
cheery-pick from 331acddc87b739c64b936ba4e58518f8491f1c6b
vhost_dev_cleanup() clears vhost_dev so back up its vqs member to free the memory pointed by the member.
Fixes: 98fc1ada4c ("virtio: add vhost-user-fs base device")
Signed-off-by: Akihiko Odaki <akihiko.odaki at daynix.com>
Signed-off-by: Stefan Hajnoczi <stefanha at redhat.com>
Message-Id: <20230130140225.77964-1-akihiko.odaki at daynix.com>
Signed-off-by: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
---
hw/virtio/vhost-user-fs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/virtio/vhost-user-fs.c b/hw/virtio/vhost-user-fs.c
index c595957983..fc7dcc96ef 100644
--- a/hw/virtio/vhost-user-fs.c
+++ b/hw/virtio/vhost-user-fs.c
@@ -258,6 +258,7 @@ static void vuf_device_unrealize(DeviceState *dev)
{
VirtIODevice *vdev = VIRTIO_DEVICE(dev);
VHostUserFS *fs = VHOST_USER_FS(dev);
+ struct vhost_virtqueue *vhost_vqs = fs->vhost_dev.vqs;
int i;
/* This will stop vhost backend if appropriate. */
@@ -273,8 +274,7 @@ static void vuf_device_unrealize(DeviceState *dev)
}
g_free(fs->req_vqs);
virtio_cleanup(vdev);
- g_free(fs->vhost_dev.vqs);
- fs->vhost_dev.vqs = NULL;
+ g_free(vhost_vqs);
}
static const VMStateDescription vuf_vmstate = {
--
2.41.0.windows.1