packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!695 QEMU update to verison 6.2.0-60

Browse Source 
From: @yezengruan 
Reviewed-by: @aven6 
Signed-off-by: @aven6
This commit is contained in:
openeuler-ci-bot 2022-12-06 08:02:23 +00:00 committed by Gitee
commit 4d4215ffd9
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
18 changed files with 1144 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
Add-flex-bison-to-debian-hexagon-cross.patch Normal file
View File

@ -0,0 +1,35 @@
From 96df1be5fee763f54db9f50466f4ccf433c48ea1 Mon Sep 17 00:00:00 2001
From: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
Date: Wed, 30 Nov 2022 14:33:12 +0800
Subject: [PATCH 03/17] Add flex/bison to `debian-hexagon-cross`
debian-hexagon-cross contains two images, one to build the toolchain
used for building the Hexagon tests themselves, and one image to build
QEMU and run the tests.
This commit adds flex/bison to the final image that builds QEMU so that
it can also build idef-parser.
Note: This container is not built by the CI and needs to be rebuilt and
updated manually.
Signed-off-by: Anton Johansson <anjo@rev.ng>
Signed-off-by: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
---
tests/docker/dockerfiles/debian-hexagon-cross.docker | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/docker/dockerfiles/debian-hexagon-cross.docker b/tests/docker/dockerfiles/debian-hexagon-cross.docker
index d5dc299dc1..a64e950f07 100644
--- a/tests/docker/dockerfiles/debian-hexagon-cross.docker
+++ b/tests/docker/dockerfiles/debian-hexagon-cross.docker
@@ -38,7 +38,7 @@ RUN cat /etc/apt/sources.list | sed "s/^deb\ /deb-src /" >> /etc/apt/sources.lis
# Install QEMU build deps for use in CI
RUN apt update && \
DEBIAN_FRONTEND=noninteractive apt install -yy eatmydata && \
- DEBIAN_FRONTEND=noninteractive eatmydata apt install -yy git ninja-build && \
+ DEBIAN_FRONTEND=noninteractive eatmydata apt install -yy bison flex git ninja-build && \
DEBIAN_FRONTEND=noninteractive eatmydata \
apt build-dep -yy --arch-only qemu
COPY --from=0 /usr/local /usr/local
--
2.27.0

40
Fix-several-typos-in-documentation.patch Normal file
View File

@ -0,0 +1,40 @@
From 4dd2cdf016e40c88b57480d9c296d6c7c2cb6600 Mon Sep 17 00:00:00 2001
From: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
Date: Thu, 1 Dec 2022 20:24:53 +0800
Subject: [PATCH 06/17] Fix several typos in documentation
Signed-off-by: tangzhongrui tangzhongrui@cmss.chinamobile.com
---
docs/can.txt | 2 +-
hw/virtio/virtio-mem.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/can.txt b/docs/can.txt
index 0d310237df..873c95a35d 100644
--- a/docs/can.txt
+++ b/docs/can.txt
@@ -166,7 +166,7 @@ and with bitrate switch
cangen can0 -b
-The test can be run viceversa, generate messages in the guest system and capture them
+The test can be run vice-versa, generate messages in the guest system and capture them
in the host one and much more combinations.
Links to other resources
diff --git a/hw/virtio/virtio-mem.c b/hw/virtio/virtio-mem.c
index 341c3fa2c1..becac0d93b 100644
--- a/hw/virtio/virtio-mem.c
+++ b/hw/virtio/virtio-mem.c
@@ -877,7 +877,7 @@ static int virtio_mem_mig_sanity_checks_post_load(void *opaque, int version_id)
return -EINVAL;
}
/*
- * Note: Preparation for resizeable memory regions. The maximum size
+ * Note: Preparation for resizable memory regions. The maximum size
* of the memory region must not change during migration.
*/
if (tmp->region_size != new_region_size) {
--
2.27.0

66
chardev-fix-segfault-in-finalize.patch Normal file
View File

@ -0,0 +1,66 @@
From 670866f0349229045c5cddaeb08f07347bb7583b Mon Sep 17 00:00:00 2001
From: cmss_dx <dingxiang@cmss.chinamobile.com>
Date: Tue, 29 Nov 2022 02:12:06 +0000
Subject: [PATCH 01/17] chardev: fix segfault in finalize
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
mainline inclusion
from mainline-v7.2.0-rc2
commit fc0c128531ed55f058bfbad4f1348ebd9a0187f2
category: bugfix
-----------------------
If finalize chardev-msmouse or chardev-wctable is called immediately after
init it cases QEMU to crash with segfault. This happens because of
QTAILQ_REMOVE in qemu_input_handler_unregister tries to dereference
NULL pointer.
For instance, this error can be reproduced via qom-list-properties
command.
Signed-off-by: Maksim Davydov davydov-max@yandex-team.ru
Reviewed-by: Marc-André Lureau marcandre.lureau@redhat.com
Reviewed-by: Vladimir Sementsov-Ogievskiy vsementsov@yandex-team.ru
Message-Id: 20220825165247.33704-1-davydov-max@yandex-team.ru
Signed-off-by: cmss_dx <dingxiang@cmss.chinamobile.com>
---
chardev/msmouse.c | 4 +++-
chardev/wctablet.c | 4 +++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/chardev/msmouse.c b/chardev/msmouse.c
index eb9231dcdb..2cc1b16561 100644
--- a/chardev/msmouse.c
+++ b/chardev/msmouse.c
@@ -146,7 +146,9 @@ static void char_msmouse_finalize(Object *obj)
{
MouseChardev *mouse = MOUSE_CHARDEV(obj);
- qemu_input_handler_unregister(mouse->hs);
+ if (mouse->hs) {
+ qemu_input_handler_unregister(mouse->hs);
+ }
}
static QemuInputHandler msmouse_handler = {
diff --git a/chardev/wctablet.c b/chardev/wctablet.c
index e8b292c43c..43bdf6b608 100644
--- a/chardev/wctablet.c
+++ b/chardev/wctablet.c
@@ -319,7 +319,9 @@ static void wctablet_chr_finalize(Object *obj)
{
TabletChardev *tablet = WCTABLET_CHARDEV(obj);
- qemu_input_handler_unregister(tablet->hs);
+ if (tablet->hs) {
+ qemu_input_handler_unregister(tablet->hs);
+ }
}
static void wctablet_chr_open(Chardev *chr,
--
2.27.0

33
hw-display-qxl-Assert-memory-slot-fits-in-preallocat.patch Normal file
View File

@ -0,0 +1,33 @@
From ff99b327473454e3be7a89554ccbae856bcb7e3b Mon Sep 17 00:00:00 2001
From: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
Date: Mon, 5 Dec 2022 16:09:13 +0800
Subject: [PATCH 17/17] hw/display/qxl: Assert memory slot fits in preallocated
MemoryRegion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Assert memory slot fits in preallocated MemoryRegion.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
---
hw/display/qxl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 2a4b2d4158..bcd9e8716a 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -1372,6 +1372,7 @@ static int qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta,
qxl_set_guest_bug(d, "%s: pci_region = %d", __func__, pci_region);
return 1;
}
+ assert(guest_end - pci_start <= memory_region_size(mr));
virt_start = (intptr_t)memory_region_get_ram_ptr(mr);
memslot.slot_id = slot_id;
--
2.27.0

107
hw-display-qxl-Avoid-buffer-overrun-in-qxl_phys2virt.patch Normal file
View File

@ -0,0 +1,107 @@
From 0c4e22da6bd0d2c15e53cb0b38f13ef11a3bd370 Mon Sep 17 00:00:00 2001
From: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
Date: Mon, 5 Dec 2022 16:24:43 +0800
Subject: [PATCH 16/17] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt
(CVE-2022-4144)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Have qxl_get_check_slot_offset() return false if the requested
buffer size does not fit within the slot memory region.
Similarly qxl_phys2virt() now returns NULL in such case, and
qxl_dirty_one_surface() aborts.
This avoids buffer overrun in the host pointer returned by
memory_region_get_ram_ptr().
Fixes: CVE-2022-4144 (out-of-bounds read)
Reported-by: Wenxu Yin (@awxylitol)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
---
hw/display/qxl.c | 27 +++++++++++++++++++++++----
hw/display/qxl.h | 2 +-
2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index aa9065183e..2a4b2d4158 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -1412,11 +1412,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d)
/* can be also called from spice server thread context */
static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
- uint32_t *s, uint64_t *o)
+ uint32_t *s, uint64_t *o,
+ size_t size_requested)
{
uint64_t phys = le64_to_cpu(pqxl);
uint32_t slot = (phys >> (64 - 8)) & 0xff;
uint64_t offset = phys & 0xffffffffffff;
+ uint64_t size_available;
if (slot >= NUM_MEMSLOTS) {
qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot,
@@ -1440,6 +1442,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
slot, offset, qxl->guest_slots[slot].size);
return false;
}
+ size_available = memory_region_size(qxl->guest_slots[slot].mr);
+ if (qxl->guest_slots[slot].offset + offset >= size_available) {
+ qxl_set_guest_bug(qxl,
+ "slot %d offset %"PRIu64" > region size %"PRIu64"\n",
+ slot, qxl->guest_slots[slot].offset + offset,
+ size_available);
+ return false;
+ }
+ size_available -= qxl->guest_slots[slot].offset + offset;
+ if (size_requested > size_available) {
+ qxl_set_guest_bug(qxl,
+ "slot %d offset %"PRIu64" size %zu: "
+ "overrun by %"PRIu64" bytes\n",
+ slot, offset, size_requested,
+ size_requested - size_available);
+ return false;
+ }
*s = slot;
*o = offset;
@@ -1459,7 +1478,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id,
offset = le64_to_cpu(pqxl) & 0xffffffffffff;
return (void *)(intptr_t)offset;
case MEMSLOT_GROUP_GUEST:
- if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) {
+ if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) {
return NULL;
}
ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr);
@@ -1925,9 +1944,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
uint32_t slot;
bool rc;
- rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset);
- assert(rc == true);
size = (uint64_t)height * abs(stride);
+ rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size);
+ assert(rc == true);
trace_qxl_surfaces_dirty(qxl->id, offset, size);
qxl_set_dirty(qxl->guest_slots[slot].mr,
qxl->guest_slots[slot].offset + offset,
diff --git a/hw/display/qxl.h b/hw/display/qxl.h
index c784315daa..89ca832cf9 100644
--- a/hw/display/qxl.h
+++ b/hw/display/qxl.h
@@ -157,7 +157,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
*
* Returns a host pointer to a buffer placed at offset @phys within the
* active slot @group_id of the PCI VGA RAM memory region associated with
- * the @qxl device. If the slot is inactive, or the offset is out
+ * the @qxl device. If the slot is inactive, or the offset + size are out
* of the memory region, returns NULL.
*
* Use with care; by the time this function returns, the returned pointer is
--
2.27.0

49
hw-display-qxl-Document-qxl_phys2virt.patch Normal file
View File

@ -0,0 +1,49 @@
From c1747d1812a725b424745c6d1b291c176ed67bd3 Mon Sep 17 00:00:00 2001
From: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
Date: Mon, 5 Dec 2022 15:16:31 +0800
Subject: [PATCH 14/17] hw/display/qxl: Document qxl_phys2virt()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
---
hw/display/qxl.h | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/hw/display/qxl.h b/hw/display/qxl.h
index 30d21f4d0b..c938f88a2f 100644
--- a/hw/display/qxl.h
+++ b/hw/display/qxl.h
@@ -147,6 +147,25 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
#define QXL_DEFAULT_REVISION (QXL_REVISION_STABLE_V12 + 1)
/* qxl.c */
+/**
+ * qxl_phys2virt: Get a pointer within a PCI VRAM memory region.
+ *
+ * @qxl: QXL device
+ * @phys: physical offset of buffer within the VRAM
+ * @group_id: memory slot group
+ *
+ * Returns a host pointer to a buffer placed at offset @phys within the
+ * active slot @group_id of the PCI VGA RAM memory region associated with
+ * the @qxl device. If the slot is inactive, or the offset is out
+ * of the memory region, returns NULL.
+ *
+ * Use with care; by the time this function returns, the returned pointer is
+ * not protected by RCU anymore. If the caller is not within an RCU critical
+ * section and does not hold the iothread lock, it must have other means of
+ * protecting the pointer, such as a reference to the region that includes
+ * the incoming ram_addr_t.
+ *
+ */
void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...)
GCC_FMT_ATTR(2, 3);
--
2.27.0

53
hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch Normal file
View File

@ -0,0 +1,53 @@
From 2f991f98ba28e71ffc2ffdf704ee6568293a8bf0 Mon Sep 17 00:00:00 2001
From: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
Date: Mon, 5 Dec 2022 15:21:45 +0800
Subject: [PATCH 13/17] hw/display/qxl: Have qxl_log_command Return early if no
log_cmd handler
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Only 3 command types are logged: no need to call qxl_phys2virt()
for the other types. Using different cases will help to pass
different structure sizes to qxl_phys2virt() in a pair of commits.
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
---
hw/display/qxl-logger.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c
index 68bfa47568..1bcf803db6 100644
--- a/hw/display/qxl-logger.c
+++ b/hw/display/qxl-logger.c
@@ -247,6 +247,16 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
qxl_name(qxl_type, ext->cmd.type),
compat ? "(compat)" : "");
+ switch (ext->cmd.type) {
+ case QXL_CMD_DRAW:
+ break;
+ case QXL_CMD_SURFACE:
+ break;
+ case QXL_CMD_CURSOR:
+ break;
+ default:
+ goto out;
+ }
data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
if (!data) {
return 1;
@@ -269,6 +279,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
qxl_log_cmd_cursor(qxl, data, ext->group_id);
break;
}
+out:
fprintf(stderr, "\n");
return 0;
}
--
2.27.0

212
hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch Normal file
View File

@ -0,0 +1,212 @@
From 21082249be3cb9f5dd000f9d5f84e01548f825c9 Mon Sep 17 00:00:00 2001
From: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
Date: Mon, 5 Dec 2022 16:05:23 +0800
Subject: [PATCH 15/17] hw/display/qxl: Pass requested buffer size to
qxl_phys2virt()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently qxl_phys2virt() doesn't check for buffer overrun.
In order to do so in the next commit, pass the buffer size
as argument.
For QXLCursor in qxl_render_cursor() -> qxl_cursor() we
verify the size of the chunked data ahead, checking we can
access 'sizeof(QXLCursor) + chunk->data_size' bytes.
Since in the SPICE_CURSOR_TYPE_MONO case the cursor is
assumed to fit in one chunk, no change are required.
In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in
qxl_unpack_chunks().
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
---
hw/display/qxl-logger.c | 11 ++++++++---
hw/display/qxl-render.c | 20 ++++++++++++++++----
hw/display/qxl.c | 14 +++++++++-----
hw/display/qxl.h | 4 +++-
4 files changed, 36 insertions(+), 13 deletions(-)
diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c
index 1bcf803db6..35c38f6252 100644
--- a/hw/display/qxl-logger.c
+++ b/hw/display/qxl-logger.c
@@ -106,7 +106,7 @@ static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id)
QXLImage *image;
QXLImageDescriptor *desc;
- image = qxl_phys2virt(qxl, addr, group_id);
+ image = qxl_phys2virt(qxl, addr, group_id, sizeof(QXLImage));
if (!image) {
return 1;
}
@@ -214,7 +214,8 @@ int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id)
cmd->u.set.position.y,
cmd->u.set.visible ? "yes" : "no",
cmd->u.set.shape);
- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id);
+ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id,
+ sizeof(QXLCursor));
if (!cursor) {
return 1;
}
@@ -236,6 +237,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
{
bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT;
void *data;
+ size_t datasz;
int ret;
if (!qxl->cmdlog) {
@@ -249,15 +251,18 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
switch (ext->cmd.type) {
case QXL_CMD_DRAW:
+ datasz = compat ? sizeof(QXLCompatDrawable) : sizeof(QXLDrawable);
break;
case QXL_CMD_SURFACE:
+ datasz = sizeof(QXLSurfaceCmd);
break;
case QXL_CMD_CURSOR:
+ datasz = sizeof(QXLCursorCmd);
break;
default:
goto out;
}
- data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, datasz);
if (!data) {
return 1;
}
diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index ca217004bf..fcfd40c3ac 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -107,7 +107,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
qxl->guest_primary.resized = 0;
qxl->guest_primary.data = qxl_phys2virt(qxl,
qxl->guest_primary.surface.mem,
- MEMSLOT_GROUP_GUEST);
+ MEMSLOT_GROUP_GUEST,
+ qxl->guest_primary.abs_stride
+ * height);
if (!qxl->guest_primary.data) {
goto end;
}
@@ -228,7 +230,8 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
if (offset == size) {
return;
}
- chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
+ chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id,
+ sizeof(QXLDataChunk) + chunk->data_size);
if (!chunk) {
return;
}
@@ -295,7 +298,8 @@ fail:
/* called from spice server thread context only */
int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
{
- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
+ sizeof(QXLCursorCmd));
QXLCursor *cursor;
QEMUCursor *c;
@@ -314,7 +318,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
}
switch (cmd->type) {
case QXL_CURSOR_SET:
- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id);
+ /* First read the QXLCursor to get QXLDataChunk::data_size ... */
+ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
+ sizeof(QXLCursor));
+ if (!cursor) {
+ return 1;
+ }
+ /* Then read including the chunked data following QXLCursor. */
+ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
+ sizeof(QXLCursor) + cursor->chunk.data_size);
if (!cursor) {
return 1;
}
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 29c80b4289..aa9065183e 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -274,7 +274,8 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay)
QXL_IO_MONITORS_CONFIG_ASYNC));
}
- cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST);
+ cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST,
+ sizeof(QXLMonitorsConfig));
if (cfg != NULL && cfg->count == 1) {
qxl->guest_primary.resized = 1;
qxl->guest_head0_width = cfg->heads[0].width;
@@ -459,7 +460,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
switch (le32_to_cpu(ext->cmd.type)) {
case QXL_CMD_SURFACE:
{
- QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
+ sizeof(QXLSurfaceCmd));
if (!cmd) {
return 1;
@@ -494,7 +496,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
}
case QXL_CMD_CURSOR:
{
- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
+ sizeof(QXLCursorCmd));
if (!cmd) {
return 1;
@@ -1444,7 +1447,8 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
}
/* can be also called from spice server thread context */
-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
+void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id,
+ size_t size)
{
uint64_t offset;
uint32_t slot;
@@ -1952,7 +1956,7 @@ static void qxl_dirty_surfaces(PCIQXLDevice *qxl)
}
cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i],
- MEMSLOT_GROUP_GUEST);
+ MEMSLOT_GROUP_GUEST, sizeof(QXLSurfaceCmd));
assert(cmd);
assert(cmd->type == QXL_SURFACE_CMD_CREATE);
qxl_dirty_one_surface(qxl, cmd->u.surface_create.data,
diff --git a/hw/display/qxl.h b/hw/display/qxl.h
index c938f88a2f..c784315daa 100644
--- a/hw/display/qxl.h
+++ b/hw/display/qxl.h
@@ -153,6 +153,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
* @qxl: QXL device
* @phys: physical offset of buffer within the VRAM
* @group_id: memory slot group
+ * @size: size of the buffer
*
* Returns a host pointer to a buffer placed at offset @phys within the
* active slot @group_id of the PCI VGA RAM memory region associated with
@@ -166,7 +167,8 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
* the incoming ram_addr_t.
*
*/
-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
+void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id,
+ size_t size);
void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...)
GCC_FMT_ATTR(2, 3);
--
2.27.0

82
hw-net-can-fix-Xilinx-ZynqMP-CAN-RX-FIFO-logic.patch Normal file
View File

@ -0,0 +1,82 @@
From 071249a10ebc2cd8af68ee72d409e23c6bc0ea7c Mon Sep 17 00:00:00 2001
From: cmss_dx <dingxiang@cmss.chinamobile.com>
Date: Wed, 30 Nov 2022 01:52:08 -0500
Subject: [PATCH 04/17] hw/net/can: fix Xilinx ZynqMP CAN RX FIFO logic
mainline inclusion
from mainline-v7.2.0-rc2
commit fb96d131eec66ecb2993c544058a8cb2c9c3521f
category: bugfix
-----------------------
For consistency, function "update_rx_fifo()" should use the RX FIFO
register field names, not the TX FIFO ones, even if they refer to the
same bit positions in the register.
Signed-off-by: Anton Kochkov <anton.kochkov@proton.me>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Message-id: 20220817141754.2105981-1-anton.kochkov@proton.me
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1123
[PMM: tweaked commit message]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: cmss_dx <dingxiang@cmss.chinamobile.com>
---
hw/net/can/xlnx-zynqmp-can.c | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/hw/net/can/xlnx-zynqmp-can.c b/hw/net/can/xlnx-zynqmp-can.c
index 22bb8910fa..78a76a8ce2 100644
--- a/hw/net/can/xlnx-zynqmp-can.c
+++ b/hw/net/can/xlnx-zynqmp-can.c
@@ -696,30 +696,30 @@ static void update_rx_fifo(XlnxZynqMPCANState *s, const qemu_can_frame *frame)
timestamp));
/* First 32 bit of the data. */
- fifo32_push(&s->rx_fifo, deposit32(0, R_TXFIFO_DATA1_DB3_SHIFT,
- R_TXFIFO_DATA1_DB3_LENGTH,
+ fifo32_push(&s->rx_fifo, deposit32(0, R_RXFIFO_DATA1_DB3_SHIFT,
+ R_RXFIFO_DATA1_DB3_LENGTH,
frame->data[0]) |
- deposit32(0, R_TXFIFO_DATA1_DB2_SHIFT,
- R_TXFIFO_DATA1_DB2_LENGTH,
+ deposit32(0, R_RXFIFO_DATA1_DB2_SHIFT,
+ R_RXFIFO_DATA1_DB2_LENGTH,
frame->data[1]) |
- deposit32(0, R_TXFIFO_DATA1_DB1_SHIFT,
- R_TXFIFO_DATA1_DB1_LENGTH,
+ deposit32(0, R_RXFIFO_DATA1_DB1_SHIFT,
+ R_RXFIFO_DATA1_DB1_LENGTH,
frame->data[2]) |
- deposit32(0, R_TXFIFO_DATA1_DB0_SHIFT,
- R_TXFIFO_DATA1_DB0_LENGTH,
+ deposit32(0, R_RXFIFO_DATA1_DB0_SHIFT,
+ R_RXFIFO_DATA1_DB0_LENGTH,
frame->data[3]));
/* Last 32 bit of the data. */
- fifo32_push(&s->rx_fifo, deposit32(0, R_TXFIFO_DATA2_DB7_SHIFT,
- R_TXFIFO_DATA2_DB7_LENGTH,
+ fifo32_push(&s->rx_fifo, deposit32(0, R_RXFIFO_DATA2_DB7_SHIFT,
+ R_RXFIFO_DATA2_DB7_LENGTH,
frame->data[4]) |
- deposit32(0, R_TXFIFO_DATA2_DB6_SHIFT,
- R_TXFIFO_DATA2_DB6_LENGTH,
+ deposit32(0, R_RXFIFO_DATA2_DB6_SHIFT,
+ R_RXFIFO_DATA2_DB6_LENGTH,
frame->data[5]) |
- deposit32(0, R_TXFIFO_DATA2_DB5_SHIFT,
- R_TXFIFO_DATA2_DB5_LENGTH,
+ deposit32(0, R_RXFIFO_DATA2_DB5_SHIFT,
+ R_RXFIFO_DATA2_DB5_LENGTH,
frame->data[6]) |
- deposit32(0, R_TXFIFO_DATA2_DB4_SHIFT,
- R_TXFIFO_DATA2_DB4_LENGTH,
+ deposit32(0, R_RXFIFO_DATA2_DB4_SHIFT,
+ R_RXFIFO_DATA2_DB4_LENGTH,
frame->data[7]));
ARRAY_FIELD_DP32(s->regs, INTERRUPT_STATUS_REGISTER, RXOK, 1);
--
2.27.0

51
libdecnumber-dpd-decimal64-Fix-compiler-warning-from.patch Normal file
View File

@ -0,0 +1,51 @@
From ddc9e2437ee5e9cd7fb0c0ad153c23feb9d9722b Mon Sep 17 00:00:00 2001
From: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
Date: Thu, 1 Dec 2022 20:41:44 +0800
Subject: [PATCH 05/17] libdecnumber/dpd/decimal64: Fix compiler warning from
Clang 15
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Clang 15 from Fedora 37 complains:
../libdecnumber/dpd/decimal64.c:620:8: error: variable 'n' set but
not used [-Werror,-Wunused-but-set-variable]
Int n; /* output bunch counter */
^
1 error generated.
Remove the unused variable to silence the compiler warning.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: tangzhongrui tangzhongrui@cmss.chinamobile.com
---
libdecnumber/dpd/decimal64.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libdecnumber/dpd/decimal64.c b/libdecnumber/dpd/decimal64.c
index 4816176410..f6fb2963d9 100644
--- a/libdecnumber/dpd/decimal64.c
+++ b/libdecnumber/dpd/decimal64.c
@@ -617,7 +617,6 @@ static const uInt multies[]={131073, 26215, 5243, 1049, 210};
#endif
void decDigitsToDPD(const decNumber *dn, uInt *targ, Int shift) {
Int cut; /* work */
- Int n; /* output bunch counter */
Int digits=dn->digits; /* digit countdown */
uInt dpd; /* densely packed decimal value */
uInt bin; /* binary value 0-999 */
@@ -676,7 +675,7 @@ void decDigitsToDPD(const decNumber *dn, uInt *targ, Int shift) {
bin=0; /* [keep compiler quiet] */
#endif
- for(n=0; digits>0; n++) { /* each output bunch */
+ while (digits > 0) { /* each output bunch */
#if DECDPUN==3 /* fast path, 3-at-a-time */
bin=*inu; /* 3 digits ready for convert */
digits-=3; /* [may go negative] */
--
2.27.0

24
qemu.spec
View File

@ -1,6 +1,6 @@
Name: qemu
Version: 6.2.0
Release: 59
Release: 60
Epoch: 10
Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -416,6 +416,23 @@ Patch0404: vdpa-add-vdpa-dev-pci-support.patch
Patch0405: vdpa-dev-mark-the-device-as-unmigratable.patch
Patch0406: docs-Add-generic-vhost-vdpa-device-documentation.patch
Patch0407: vhost-vdpa-add-memslot-getter-setter-for-vhost-vdpa.patch
Patch0408: chardev-fix-segfault-in-finalize.patch
Patch0409: tests-avocado-raspi2_initrd-Wait-for-guest-shutdown-.patch
Patch0410: Add-flex-bison-to-debian-hexagon-cross.patch
Patch0411: hw-net-can-fix-Xilinx-ZynqMP-CAN-RX-FIFO-logic.patch
Patch0412: libdecnumber-dpd-decimal64-Fix-compiler-warning-from.patch
Patch0413: Fix-several-typos-in-documentation.patch
Patch0414: tests-avocado-use-new-rootfs-for-orangepi-test.patch
Patch0415: replay-Fix-declaration-of-replay_read_next_clock.patch
Patch0416: vhost-user-Refactor-vhost-acked-features-saving.patch
Patch0417: vhost-user-Refactor-the-chr_closed_bh.patch
Patch0418: vhost-user-Fix-the-virtio-features-negotiation-flaw.patch
Patch0419: tests-qtest-libqos-e1000e-Refer-common-PCI-ID-defini.patch
Patch0420: hw-display-qxl-Have-qxl_log_command-Return-early-if-.patch
Patch0421: hw-display-qxl-Document-qxl_phys2virt.patch
Patch0422: hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
Patch0423: hw-display-qxl-Avoid-buffer-overrun-in-qxl_phys2virt.patch
Patch0424: hw-display-qxl-Assert-memory-slot-fits-in-preallocat.patch
BuildRequires: flex
BuildRequires: gcc
@ -934,6 +951,11 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Tue Dec 06 2022 yezengruan <yezengruan@huawei.com> - 10:6.2.0-60
- sync some bugfix patches from upstream
- fix the virtio features negotiation flaw
- fix CVE-2022-4144
* Tue Nov 22 2022 yezengruan <yezengruan@huawei.com> - 10:6.2.0-59
- arm/virt: Fix vcpu hotplug idx_from_topo_ids
- Revert patches related to the vSVA

50
replay-Fix-declaration-of-replay_read_next_clock.patch Normal file
View File

@ -0,0 +1,50 @@
From 8c499e212fedfaa4323541d97a33187ea96ba555 Mon Sep 17 00:00:00 2001
From: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
Date: Thu, 1 Dec 2022 18:58:34 +0800
Subject: [PATCH 08/17] replay: Fix declaration of replay_read_next_clock
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes the build with gcc 13:
replay/replay-time.c:34:6: error: conflicting types for \
'replay_read_next_clock' due to enum/integer mismatch; \
have 'void(ReplayClockKind)' [-Werror=enum-int-mismatch]
34 | void replay_read_next_clock(ReplayClockKind kind)
| ^~~~~~~~~~~~~~~~~~~~~~
In file included from ../qemu/replay/replay-time.c:14:
replay/replay-internal.h:139:6: note: previous declaration of \
'replay_read_next_clock' with type 'void(unsigned int)'
139 | void replay_read_next_clock(unsigned int kind);
| ^~~~~~~~~~~~~~~~~~~~~~
Fixes: 8eda206e090 ("replay: recording and replaying clock ticks")
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
Reviewed-by: Pavel Dovgalyuk <Pavel.Dovgalyuk@ispras.ru>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221129010547.284051-1-richard.henderson@linaro.org>
Signed-off-by: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
---
replay/replay-internal.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/replay/replay-internal.h b/replay/replay-internal.h
index 97649ed8d7..b4238226f4 100644
--- a/replay/replay-internal.h
+++ b/replay/replay-internal.h
@@ -141,7 +141,7 @@ bool replay_next_event_is(int event);
/*! Reads next clock value from the file.
If clock kind read from the file is different from the parameter,
the value is not used. */
-void replay_read_next_clock(unsigned int kind);
+void replay_read_next_clock(ReplayClockKind kind);
/* Asynchronous events queue */
--
2.27.0

50
tests-avocado-raspi2_initrd-Wait-for-guest-shutdown-.patch Normal file
View File

@ -0,0 +1,50 @@
From b30894533ec65a304c304016eaa461c23ca8d70c Mon Sep 17 00:00:00 2001
From: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
Date: Wed, 30 Nov 2022 14:21:17 +0800
Subject: [PATCH 02/17] tests/avocado: raspi2_initrd: Wait for guest shutdown
message before stopping
The avocado test
tests/avocado/boot_linux_console.py:BootLinuxConsole.test_arm_raspi2_initrd
finishes wiith
exec_command(self, 'halt')
# Wait for VM to shut down gracefully
self.vm.wait()
In theory this should be fine. In practice it runs into two bugs:
* when the test calls self.vm.wait() Avocado closes the socket
connection to the guest serial console immediately, so the
avocado logs don't have the last part of the guest output:
https://gitlab.com/qemu-project/qemu/-/issues/1265
* when the socket is closed, a bug in the QEMU socket chardev
means that it loses any data that the guest UART has not
yet consumed. This means that the guest doesn't always read
the full 'halt' command string, so the test intermittently
fails with a timeout:
https://gitlab.com/qemu-project/qemu/-/issues/1264
Work around both of these by waiting for the guest to print the
string that means it has completed the shutdown process. This fixes
a very long standing intermittent failure in this test.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/636
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: jianchunfu <jianchunfu_yewu@cmss.chinamobile.com>
---
tests/avocado/boot_linux_console.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/avocado/boot_linux_console.py b/tests/avocado/boot_linux_console.py
index 9c618d4809..58864ec163 100644
--- a/tests/avocado/boot_linux_console.py
+++ b/tests/avocado/boot_linux_console.py
@@ -512,7 +512,7 @@ def test_arm_raspi2_initrd(self):
'BCM2835')
exec_command_and_wait_for_pattern(self, 'cat /proc/iomem',
'/soc/cprman@7e101000')
- exec_command(self, 'halt')
+ exec_command_and_wait_for_pattern(self, 'halt', 'reboot: System halted')
# Wait for VM to shut down gracefully
self.vm.wait()
--
2.27.0

39
tests-avocado-use-new-rootfs-for-orangepi-test.patch Normal file
View File

@ -0,0 +1,39 @@
From 5d2db876aa6f869dabe6f6132244c5ce2383af03 Mon Sep 17 00:00:00 2001
From: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
Date: Thu, 1 Dec 2022 17:00:40 +0800
Subject: [PATCH 07/17] tests/avocado: use new rootfs for orangepi test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The old URL wasn't stable. I suspect the current URL will only be
stable for a few months so maybe we need another strategy for hosting
rootfs snapshots?
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20221118113309.1057790-1-alex.bennee@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
---
tests/avocado/boot_linux_console.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/avocado/boot_linux_console.py b/tests/avocado/boot_linux_console.py
index 9c618d4809..733481c53c 100644
--- a/tests/avocado/boot_linux_console.py
+++ b/tests/avocado/boot_linux_console.py
@@ -813,8 +813,8 @@ def test_arm_orangepi_sd(self):
dtb_path = '/usr/lib/linux-image-current-sunxi/sun8i-h3-orangepi-pc.dtb'
dtb_path = self.extract_from_deb(deb_path, dtb_path)
rootfs_url = ('http://storage.kernelci.org/images/rootfs/buildroot/'
- 'kci-2019.02/armel/base/rootfs.ext2.xz')
- rootfs_hash = '692510cb625efda31640d1de0a8d60e26040f061'
+ 'buildroot-baseline/20221116.0/armel/rootfs.ext2.xz')
+ rootfs_hash = 'fae32f337c7b87547b10f42599acf109da8b6d9a'
rootfs_path_xz = self.fetch_asset(rootfs_url, asset_hash=rootfs_hash)
rootfs_path = os.path.join(self.workdir, 'rootfs.cpio')
archive.lzma_uncompress(rootfs_path_xz, rootfs_path)
--
2.27.0

49
tests-qtest-libqos-e1000e-Refer-common-PCI-ID-defini.patch Normal file
View File

@ -0,0 +1,49 @@
From f2ee9b7314f8abea5634c4d92991e6b668577499 Mon Sep 17 00:00:00 2001
From: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
Date: Mon, 5 Dec 2022 14:47:00 +0800
Subject: [PATCH 12/17] tests/qtest/libqos/e1000e: Refer common PCI ID
definitions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is yet another minor cleanup to ease understanding and
future refactoring of the tests.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-Id: <20221103015017.19947-1-akihiko.odaki@daynix.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
---
tests/qtest/libqos/e1000e.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tests/qtest/libqos/e1000e.c b/tests/qtest/libqos/e1000e.c
index a451f6168f..d351136975 100644
--- a/tests/qtest/libqos/e1000e.c
+++ b/tests/qtest/libqos/e1000e.c
@@ -26,6 +26,8 @@
#include "malloc.h"
#include "qgraph.h"
#include "e1000e.h"
+#include "hw/net/e1000_regs.h"
+#include "hw/pci/pci_ids.h"
#define E1000E_IMS (0x00d0)
@@ -248,8 +250,8 @@ static void *e1000e_pci_create(void *pci_bus, QGuestAllocator *alloc,
static void e1000e_register_nodes(void)
{
QPCIAddress addr = {
- .vendor_id = 0x8086,
- .device_id = 0x10D3,
+ .vendor_id = PCI_VENDOR_ID_INTEL,
+ .device_id = E1000_DEV_ID_82574L,
};
/* FIXME: every test using this node needs to setup a -netdev socket,id=hs0
--
2.27.0

92
vhost-user-Fix-the-virtio-features-negotiation-flaw.patch Normal file
View File

@ -0,0 +1,92 @@
From d29a94eff93b12790fe96c40412854c4cff843d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hyman=20Huang=28=E9=BB=84=E5=8B=87=29?=
<huangy81@chinatelecom.cn>
Date: Fri, 11 Nov 2022 19:33:26 +0800
Subject: [PATCH 11/17] vhost-user: Fix the virtio features negotiation flaw
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch aims to fix unexpected negotiation features for
vhost-user netdev interface.
When openvswitch reconnect Qemu after an unexpected disconnection
and Qemu therefore start the vhost_dev, acked_features field in
vhost_dev is initialized with value fetched from acked_features
field in NetVhostUserState, which should be up-to-date at that
moment but Qemu could not make it actually during the time window
of virtio features negotiation.
So we save the acked_features right after being configured by
guest virtio driver so it can be used to restore acked_features
field in vhost_dev correctly.
Signed-off-by: Hyman Huang(黄勇) <huangy81@chinatelecom.cn>
Signed-off-by: Guoyi Tu <tugy@chinatelecom.cn>
---
hw/net/vhost_net-stub.c | 5 +++++
hw/net/vhost_net.c | 6 ++++++
hw/net/virtio-net.c | 6 ++++++
include/net/vhost_net.h | 1 +
4 files changed, 18 insertions(+)
diff --git a/hw/net/vhost_net-stub.c b/hw/net/vhost_net-stub.c
index 89d71cfb8e..199b09952a 100644
--- a/hw/net/vhost_net-stub.c
+++ b/hw/net/vhost_net-stub.c
@@ -101,3 +101,8 @@ int vhost_net_set_mtu(struct vhost_net *net, uint16_t mtu)
{
return 0;
}
+
+void vhost_net_save_acked_features(NetClientState *nc)
+{
+
+}
diff --git a/hw/net/vhost_net.c b/hw/net/vhost_net.c
index 1911ffd7ed..a98575ffbc 100644
--- a/hw/net/vhost_net.c
+++ b/hw/net/vhost_net.c
@@ -141,6 +141,12 @@ uint64_t vhost_net_get_acked_features(VHostNetState *net)
return net->dev.acked_features;
}
+void vhost_net_save_acked_features(NetClientState *nc)
+{
+ assert(nc->info->type == NET_CLIENT_DRIVER_VHOST_USER);
+ vhost_user_save_acked_features(nc);
+}
+
static int vhost_net_get_fd(NetClientState *backend)
{
switch (backend->info->type) {
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 918a7aba89..4946b65e22 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -935,6 +935,12 @@ static void virtio_net_set_features(VirtIODevice *vdev, uint64_t features)
continue;
}
vhost_net_ack_features(get_vhost_net(nc->peer), features);
+
+ /*
+ * keep acked_features in NetVhostUserState up-to-date so it
+ * can't miss any features configured by guest virtio driver.
+ */
+ vhost_net_save_acked_features(nc->peer);
}
if (virtio_has_feature(features, VIRTIO_NET_F_CTRL_VLAN)) {
diff --git a/include/net/vhost_net.h b/include/net/vhost_net.h
index 387e913e4e..7bdbf484e4 100644
--- a/include/net/vhost_net.h
+++ b/include/net/vhost_net.h
@@ -48,4 +48,5 @@ uint64_t vhost_net_get_acked_features(VHostNetState *net);
int vhost_net_set_mtu(struct vhost_net *net, uint16_t mtu);
+void vhost_net_save_acked_features(NetClientState *nc);
#endif
--
2.27.0

38
vhost-user-Refactor-the-chr_closed_bh.patch Normal file
View File

@ -0,0 +1,38 @@
From b8c6b11e9651c5c94d3a66c64a9d54becb625a8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hyman=20Huang=28=E9=BB=84=E5=8B=87=29?=
<huangy81@chinatelecom.cn>
Date: Fri, 11 Nov 2022 20:03:56 +0800
Subject: [PATCH 10/17] vhost-user: Refactor the chr_closed_bh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use vhost_user_save_acked_features to implemente acked features
saving.
Signed-off-by: Hyman Huang(黄勇) <huangy81@chinatelecom.cn>
Signed-off-by: Guoyi Tu <tugy@chinatelecom.cn>
---
net/vhost-user.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/net/vhost-user.c b/net/vhost-user.c
index dca277db8c..e3680b769f 100644
--- a/net/vhost-user.c
+++ b/net/vhost-user.c
@@ -263,11 +263,7 @@ static void chr_closed_bh(void *opaque)
s = DO_UPCAST(NetVhostUserState, nc, ncs[0]);
for (i = queues -1; i >= 0; i--) {
- s = DO_UPCAST(NetVhostUserState, nc, ncs[i]);
-
- if (s->vhost_net) {
- s->acked_features = vhost_net_get_acked_features(s->vhost_net);
- }
+ vhost_user_save_acked_features(ncs[i]);
}
qmp_set_link(name, false, &err);
--
2.27.0

75
vhost-user-Refactor-vhost-acked-features-saving.patch Normal file
View File

@ -0,0 +1,75 @@
From b51c193973c5bf80f08da173dcc8eb859f0f4049 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hyman=20Huang=28=E9=BB=84=E5=8B=87=29?=
<huangy81@chinatelecom.cn>
Date: Mon, 26 Sep 2022 05:32:46 +0800
Subject: [PATCH 09/17] vhost-user: Refactor vhost acked features saving
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Abstract vhost acked features saving into
vhost_user_save_acked_features, export it as util function.
Signed-off-by: Hyman Huang(黄勇) <huangy81@chinatelecom.cn>
Signed-off-by: Guoyi Tu <tugy@chinatelecom.cn>
---
include/net/vhost-user.h | 1 +
net/vhost-user.c | 21 +++++++++++++++------
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/include/net/vhost-user.h b/include/net/vhost-user.h
index 5bcd8a6285..35bf619709 100644
--- a/include/net/vhost-user.h
+++ b/include/net/vhost-user.h
@@ -14,5 +14,6 @@
struct vhost_net;
struct vhost_net *vhost_user_get_vhost_net(NetClientState *nc);
uint64_t vhost_user_get_acked_features(NetClientState *nc);
+void vhost_user_save_acked_features(NetClientState *nc);
#endif /* VHOST_USER_H */
diff --git a/net/vhost-user.c b/net/vhost-user.c
index f910a286e4..dca277db8c 100644
--- a/net/vhost-user.c
+++ b/net/vhost-user.c
@@ -48,10 +48,23 @@ uint64_t vhost_user_get_acked_features(NetClientState *nc)
return s->acked_features;
}
-static void vhost_user_stop(int queues, NetClientState *ncs[])
+void vhost_user_save_acked_features(NetClientState *nc)
{
NetVhostUserState *s;
+
+ s = DO_UPCAST(NetVhostUserState, nc, nc);
+ if (s->vhost_net) {
+ uint64_t features = vhost_net_get_acked_features(s->vhost_net);
+ if (features) {
+ s->acked_features = features;
+ }
+ }
+}
+
+static void vhost_user_stop(int queues, NetClientState *ncs[])
+{
int i;
+ NetVhostUserState *s;
for (i = 0; i < queues; i++) {
assert(ncs[i]->info->type == NET_CLIENT_DRIVER_VHOST_USER);
@@ -59,11 +72,7 @@ static void vhost_user_stop(int queues, NetClientState *ncs[])
s = DO_UPCAST(NetVhostUserState, nc, ncs[i]);
if (s->vhost_net) {
- /* save acked features */
- uint64_t features = vhost_net_get_acked_features(s->vhost_net);
- if (features) {
- s->acked_features = features;
- }
+ vhost_user_save_acked_features(ncs[i]);
vhost_net_cleanup(s->vhost_net);
}
}
--
2.27.0