packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

QEMU update to version 6.2.0-83(master)

Browse Source 
- hw/virtio/virtio-pmem: Replace impossible check by assertion
- tests: Fix printf format string in acpi-utils.c
- softmmu/dirtylimit: Add parameter check for hmp "set_vcpu_dirty_limit"
- disas/riscv: Fix the typo of inverted order of pmpaddr13 and pmpaddr14
- qga: Fix memory leak when output stream is unused
- ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
- target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model
- target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES
- target/i386: Allow MCDT_NO if host supports
- target/i386: Add support for MCDT_NO in CPUID enumeration
- target/i386: Export MSR_ARCH_CAPABILITIES bits to guests
- target/i386: add support for FB_CLEAR feature
- target/i386: add support for FLUSH_L1D feature
- crypto: remove shadowed 'ret' variable
- hw/i2c/pmbus_device: Fix modifying QOM class internals from instance
- hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
This commit is contained in:
Jiabo Feng 2023-10-30 16:29:07 +08:00
parent 0b0e518312
commit 80a22cff37
17 changed files with 883 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
crypto-remove-shadowed-ret-variable.patch Normal file
View File

@ -0,0 +1,36 @@
From b055bedb3fba592ab7e73615faf29854a18b0abc Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Tue, 10 Oct 2023 15:24:35 +0800
Subject: [PATCH] crypto: remove shadowed 'ret' variable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 3cc9fe177f412494f084923149338c51dd232b9b
Both instances of 'ret' are used to store a gnutls API return code.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20230922160644.438631-2-berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
crypto/tls-cipher-suites.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/crypto/tls-cipher-suites.c b/crypto/tls-cipher-suites.c
index 5e4f597464..d0df4badc0 100644
--- a/crypto/tls-cipher-suites.c
+++ b/crypto/tls-cipher-suites.c
@@ -52,7 +52,6 @@ GByteArray *qcrypto_tls_cipher_suites_get_data(QCryptoTLSCipherSuites *obj,
byte_array = g_byte_array_new();
for (i = 0;; i++) {
- int ret;
unsigned idx;
const char *name;
IANA_TLS_CIPHER cipher;
--
2.41.0.windows.1

37
disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch Normal file
View File

@ -0,0 +1,37 @@
From 80fd3d8f92b8a2c3b640d1dfa436da8331b37b01 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Mon, 16 Oct 2023 09:47:25 +0800
Subject: [PATCH] disas/riscv: Fix the typo of inverted order of pmpaddr13 and
pmpaddr14
cheery-pick from cffa9954908830276c93b430681f66cc0e599aef
Fix the inverted order of pmpaddr13 and pmpaddr14 in csr_name().
Signed-off-by: Alvin Chang <alvinga@andestech.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20230907084500.328-1-alvinga@andestech.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
disas/riscv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/disas/riscv.c b/disas/riscv.c
index 6768ec8188..ad7b978815 100644
--- a/disas/riscv.c
+++ b/disas/riscv.c
@@ -1307,8 +1307,8 @@ static const char *csr_name(int csrno)
case 0x03ba: return "pmpaddr10";
case 0x03bb: return "pmpaddr11";
case 0x03bc: return "pmpaddr12";
- case 0x03bd: return "pmpaddr14";
- case 0x03be: return "pmpaddr13";
+ case 0x03bd: return "pmpaddr13";
+ case 0x03be: return "pmpaddr14";
case 0x03bf: return "pmpaddr15";
case 0x0780: return "mtohost";
case 0x0781: return "mfromhost";
--
2.41.0.windows.1

47
hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch Normal file
View File

@ -0,0 +1,47 @@
From a1ecbf056603b4fabf8b5ab8a79f70a27fef06ee Mon Sep 17 00:00:00 2001
From: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
Date: Sun, 24 Sep 2023 19:39:33 +0800
Subject: [PATCH] hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs
number
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When passing --smp with a number lower than XLNX_ZYNQMP_NUM_APU_CPUS,
the expression (ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS) will result
in a positive number as ms->smp.cpus is a unsigned int.
This will raise the following error afterwards, as Qemu will try to
instantiate some additional RPUs.
| $ qemu-system-aarch64 --smp 1 -M xlnx-zcu102
| **
| ERROR:../src/tcg/tcg.c:777:tcg_register_thread:
| assertion failed: (n < tcg_max_ctxs)
cheery-pick from c9ba1c9f02cfede5329f504cdda6fd3a256e0434
Signed-off-by: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
Signed-off-by: Clément Chigot <chigot@adacore.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Tested-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Message-id: 20230524143714.565792-1-chigot@adacore.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/arm/xlnx-zynqmp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/arm/xlnx-zynqmp.c b/hw/arm/xlnx-zynqmp.c
index 1c52a575aa..2ffc6df70b 100644
--- a/hw/arm/xlnx-zynqmp.c
+++ b/hw/arm/xlnx-zynqmp.c
@@ -194,7 +194,7 @@ static void xlnx_zynqmp_create_rpu(MachineState *ms, XlnxZynqMPState *s,
const char *boot_cpu, Error **errp)
{
int i;
- int num_rpus = MIN(ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS,
+ int num_rpus = MIN((int)(ms->smp.cpus - XLNX_ZYNQMP_NUM_APU_CPUS),
XLNX_ZYNQMP_NUM_RPU_CPUS);
if (num_rpus <= 0) {
--
2.41.0.windows.1

63
hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch Normal file
View File

@ -0,0 +1,63 @@
From b2314562968c124503dbd08529a2bef39701aaa7 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Wed, 6 Sep 2023 20:30:27 +0800
Subject: [PATCH] hw/i2c/pmbus_device: Fix modifying QOM class internals from
instance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from f0e4588fd4ae39d1ad46f19c76ed298f89e61d6a
QOM object instance should not modify its class state (because
all other objects instanciated from this class get affected).
Instead of modifying the PMBusDeviceClass 'device_num_pages' field
the first time a instance is initialized (in pmbus_pages_alloc),
introduce a new pmbus_pages_num() helper which returns the page
number from the class without modifying the class state.
The code logic become slighly simplified.
Inspired-by: Bernhard Beschow <shentey@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230523064408.57941-4-philmd@linaro.org>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/i2c/pmbus_device.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/hw/i2c/pmbus_device.c b/hw/i2c/pmbus_device.c
index 24f8f522d9..f39cd532de 100644
--- a/hw/i2c/pmbus_device.c
+++ b/hw/i2c/pmbus_device.c
@@ -166,15 +166,18 @@ static void pmbus_quick_cmd(SMBusDevice *smd, uint8_t read)
}
}
-static void pmbus_pages_alloc(PMBusDevice *pmdev)
+static uint8_t pmbus_pages_num(PMBusDevice *pmdev)
{
+ const PMBusDeviceClass *k = PMBUS_DEVICE_GET_CLASS(pmdev);
+
/* some PMBus devices don't use the PAGE command, so they get 1 page */
- PMBusDeviceClass *k = PMBUS_DEVICE_GET_CLASS(pmdev);
- if (k->device_num_pages == 0) {
- k->device_num_pages = 1;
- }
- pmdev->num_pages = k->device_num_pages;
- pmdev->pages = g_new0(PMBusPage, k->device_num_pages);
+ return k->device_num_pages ? : 1;
+}
+
+static void pmbus_pages_alloc(PMBusDevice *pmdev)
+{
+ pmdev->num_pages = pmbus_pages_num(pmdev);
+ pmdev->pages = g_new0(PMBusPage, pmdev->num_pages);
}
void pmbus_check_limits(PMBusDevice *pmdev)
--
2.41.0.windows.1

45
hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch Normal file
View File

@ -0,0 +1,45 @@
From 12eed71f72cbb5d81b14f66fde254058f121979a Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Wed, 25 Oct 2023 17:44:42 +0800
Subject: [PATCH] hw/virtio/virtio-pmem: Replace impossible check by assertion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 184256d261cfc773360f14a80092ace5a716bb8f
The get_memory_region() handler is used when (un)plugging the
device, which can only occur *after* it is realized.
virtio_pmem_realize() ensure the instance can not be realized
without 'memdev'. Remove the superfluous check, replacing it
by an assertion.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <20231017140150.44995-2-philmd@linaro.org>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/virtio/virtio-pmem.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/hw/virtio/virtio-pmem.c b/hw/virtio/virtio-pmem.c
index d1aeb90a31..39f3949a3b 100644
--- a/hw/virtio/virtio-pmem.c
+++ b/hw/virtio/virtio-pmem.c
@@ -149,10 +149,7 @@ static void virtio_pmem_fill_device_info(const VirtIOPMEM *pmem,
static MemoryRegion *virtio_pmem_get_memory_region(VirtIOPMEM *pmem,
Error **errp)
{
- if (!pmem->memdev) {
- error_setg(errp, "'%s' property must be set", VIRTIO_PMEM_MEMDEV_PROP);
- return NULL;
- }
+ assert(pmem->memdev);
return &pmem->memdev->mr;
}
--
2.41.0.windows.1

36
qemu.spec
View File

@ -3,7 +3,7 @@
Name: qemu Name: qemu
Version: 6.2.0 Version: 6.2.0
Release: 82 Release: 83
Epoch: 10 Epoch: 10
Summary: QEMU is a generic and open source machine emulator and virtualizer Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -583,6 +583,22 @@ Patch0568: hw-vfio-pci-quirks-Sanitize-capability-pointer.patch
Patch0569: vhost-user-fs-Back-up-vqs-before-cleaning-up-vhost_d.patch Patch0569: vhost-user-fs-Back-up-vqs-before-cleaning-up-vhost_d.patch
Patch0570: migration-rdma-zore-out-head.repeat-to-make-the-erro.patch Patch0570: migration-rdma-zore-out-head.repeat-to-make-the-erro.patch
Patch0571: thread-pool-optimize-scheduling-of-completion-bottom.patch Patch0571: thread-pool-optimize-scheduling-of-completion-bottom.patch
Patch0572: hw-arm-xlnx-zynqmp-fix-unsigned-error-when-checking-.patch
Patch0573: hw-i2c-pmbus_device-Fix-modifying-QOM-class-internal.patch
Patch0574: crypto-remove-shadowed-ret-variable.patch
Patch0575: target-i386-add-support-for-FLUSH_L1D-feature.patch
Patch0576: target-i386-add-support-for-FB_CLEAR-feature.patch
Patch0577: target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch
Patch0578: target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch
Patch0579: target-i386-Allow-MCDT_NO-if-host-supports.patch
Patch0580: target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch
Patch0581: target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch
Patch0582: ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch
Patch0583: qga-Fix-memory-leak-when-output-stream-is-unused.patch
Patch0584: disas-riscv-Fix-the-typo-of-inverted-order-of-pmpadd.patch
Patch0585: softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch
Patch0586: tests-Fix-printf-format-string-in-acpi-utils.c.patch
Patch0587: hw-virtio-virtio-pmem-Replace-impossible-check-by-as.patch
BuildRequires: flex BuildRequires: flex
BuildRequires: gcc BuildRequires: gcc
@ -1156,6 +1172,24 @@ getent passwd qemu >/dev/null || \
%endif %endif
%changelog %changelog
* Mon Oct 30 2023 <fengjiabo1@huawei.com> - 10:6.2.0-83
- hw/virtio/virtio-pmem: Replace impossible check by assertion
- tests: Fix printf format string in acpi-utils.c
- softmmu/dirtylimit: Add parameter check for hmp "set_vcpu_dirty_limit"
- disas/riscv: Fix the typo of inverted order of pmpaddr13 and pmpaddr14
- qga: Fix memory leak when output stream is unused
- ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
- target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model
- target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES
- target/i386: Allow MCDT_NO if host supports
- target/i386: Add support for MCDT_NO in CPUID enumeration
- target/i386: Export MSR_ARCH_CAPABILITIES bits to guests
- target/i386: add support for FB_CLEAR feature
- target/i386: add support for FLUSH_L1D feature
- crypto: remove shadowed 'ret' variable
- hw/i2c/pmbus_device: Fix modifying QOM class internals from instance
- hw/arm/xlnx-zynqmp: fix unsigned error when checking the RPUs number
* Mon Oct 30 2023 <fengjiabo1@huawei.com> - 10:6.2.0-82 * Mon Oct 30 2023 <fengjiabo1@huawei.com> - 10:6.2.0-82
- thread-pool: optimize scheduling of completion bottom half - thread-pool: optimize scheduling of completion bottom half
- migration/rdma: zore out head.repeat to make the error more clear - migration/rdma: zore out head.repeat to make the error more clear

56
qga-Fix-memory-leak-when-output-stream-is-unused.patch Normal file
View File

@ -0,0 +1,56 @@
From 877d97f7e7b88c9cb8754bece152dc27a2a0f47a Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Mon, 16 Oct 2023 10:22:03 +0800
Subject: [PATCH] qga: Fix memory leak when output stream is unused
cheery-pick from d6f67b83b81bf49b5c62e77143ed39c020e51830
If capture-output is requested but one of the channels goes unused (eg.
we attempt to capture stderr but the command never writes to stderr), we
can leak memory.
guest_exec_output_watch() is (from what I understand) unconditionally
called for both streams if output capture is requested. The first call
will always pass the `p->size == p->length` check b/c both values are
0. Then GUEST_EXEC_IO_SIZE bytes will be allocated for the stream.
But when we reap the exited process there's a `gei->err.length > 0`
check to actually free the buffer. Which does not get run if the command
doesn't write to the stream.
Fix by making free() unconditional.
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Signed-off-by: Daniel Xu <dxu@dxuuu.xyz>
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
qga/commands.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/qga/commands.c b/qga/commands.c
index 80501e4a73..05f89725be 100644
--- a/qga/commands.c
+++ b/qga/commands.c
@@ -210,16 +210,16 @@ GuestExecStatus *qmp_guest_exec_status(int64_t pid, Error **errp)
if (gei->out.length > 0) {
ges->has_out_data = true;
ges->out_data = g_base64_encode(gei->out.data, gei->out.length);
- g_free(gei->out.data);
ges->has_out_truncated = gei->out.truncated;
}
+ g_free(gei->out.data);
if (gei->err.length > 0) {
ges->has_err_data = true;
ges->err_data = g_base64_encode(gei->err.data, gei->err.length);
- g_free(gei->err.data);
ges->has_err_truncated = gei->err.truncated;
}
+ g_free(gei->err.data);
QTAILQ_REMOVE(&guest_exec_state.processes, gei, next);
g_free(gei);
--
2.41.0.windows.1

55
softmmu-dirtylimit-Add-parameter-check-for-hmp-set_v.patch Normal file
View File

@ -0,0 +1,55 @@
From 381500cc0b96e85165ae0314839c34976a4da1b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hyman=20Huang=28=E9=BB=84=E5=8B=87=29?=
<yong.huang@smartx.com>
Date: Fri, 18 Nov 2022 10:08:54 +0800
Subject: [PATCH] softmmu/dirtylimit: Add parameter check for hmp
"set_vcpu_dirty_limit"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
dirty_rate paraemter of hmp command "set_vcpu_dirty_limit" is invalid
if less than 0, so add parameter check for it.
Note that this patch also delete the unsolicited help message and
clean up the code.
Signed-off-by: Hyman Huang(黄勇) <yong.huang@smartx.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Message-Id: <168618975839.6361.17407633874747688653-1@git.sr.ht>
Signed-off-by: Juan Quintela <quintela@redhat.com>
---
softmmu/dirtylimit.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/softmmu/dirtylimit.c b/softmmu/dirtylimit.c
index 8d98cb7f2c..5041c230d0 100644
--- a/softmmu/dirtylimit.c
+++ b/softmmu/dirtylimit.c
@@ -515,14 +515,15 @@ void hmp_set_vcpu_dirty_limit(Monitor *mon, const QDict *qdict)
int64_t cpu_index = qdict_get_try_int(qdict, "cpu_index", -1);
Error *err = NULL;
- qmp_set_vcpu_dirty_limit(!!(cpu_index != -1), cpu_index, dirty_rate, &err);
- if (err) {
- hmp_handle_error(mon, err);
- return;
+ if (dirty_rate < 0) {
+ error_setg(&err, "invalid dirty page limit %" PRId64, dirty_rate);
+ goto out;
}
- monitor_printf(mon, "[Please use 'info vcpu_dirty_limit' to query "
- "dirty limit for virtual CPU]\n");
+ qmp_set_vcpu_dirty_limit(!!(cpu_index != -1), cpu_index, dirty_rate, &err);
+
+out:
+ hmp_handle_error(mon, err);
}
static struct DirtyLimitInfo *dirtylimit_query_vcpu(int cpu_index)
--
2.41.0.windows.1

53
target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch Normal file
View File

@ -0,0 +1,53 @@
From 732cb06c9b652cf899e9f329ad74ec3dae3d18b2 Mon Sep 17 00:00:00 2001
From: Lei Wang <lei4.wang@intel.com>
Date: Thu, 6 Jul 2023 13:49:48 +0800
Subject: [PATCH] target/i386: Add few security fix bits in ARCH_CAPABILITIES
into SapphireRapids CPU model
commit 3baf7ae63505eb1652d1e52d65798307fead8539 upstream.
SapphireRapids has bit 13, 14 and 15 of MSR_IA32_ARCH_CAPABILITIES
enabled, which are related to some security fixes.
Add version 2 of SapphireRapids CPU model with those bits enabled also.
Intel-SIG: commit 3baf7ae63505 ("target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model")
Backport support of SapphireRapids CPU Model version 2
Signed-off-by: Lei Wang <lei4.wang@intel.com>
Signed-off-by: Tao Su <tao1.su@linux.intel.com>
Message-ID: <20230706054949.66556-6-tao1.su@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: amend commit log ]
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 685bfca37e..eb911b12fa 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -3675,8 +3675,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
.model_id = "Intel Xeon Processor (SapphireRapids)",
.versions = (X86CPUVersionDefinition[]) {
{ .version = 1 },
- { /* end of list */ },
- },
+ {
+ .version = 2,
+ .props = (PropValue[]) {
+ { "sbdr-ssdp-no", "on" },
+ { "fbsdp-no", "on" },
+ { "psdp-no", "on" },
+ { /* end of list */ }
+ }
+ },
+ { /* end of list */ }
+ }
},
{
.name = "Denverton",
--
2.41.0.windows.1

43
target-i386-Add-new-bit-definitions-of-MSR_IA32_ARCH.patch Normal file
View File

@ -0,0 +1,43 @@
From cdd89390a5e8fb55515798ab4ec5ec5fd6fed32b Mon Sep 17 00:00:00 2001
From: Tao Su <tao1.su@linux.intel.com>
Date: Thu, 6 Jul 2023 13:49:47 +0800
Subject: [PATCH] target/i386: Add new bit definitions of
MSR_IA32_ARCH_CAPABILITIES
commit 6c43ec3b206956a8a3008accafe9eb2dfd885190 upstream.
Currently, bit 13, 14, 15 and 24 of MSR_IA32_ARCH_CAPABILITIES are
disclosed for fixing security issues, so add those bit definitions.
Intel-SIG: commit 6c43ec3b2069 ("target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES")
Backport new bit definitions of MSR_IA32_ARCH_CAPABILITIES
Signed-off-by: Tao Su <tao1.su@linux.intel.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Message-ID: <20230706054949.66556-5-tao1.su@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: amend commit log ]
Signed-off-by: Jason Zeng <jason zeng@intel.com>
---
target/i386/cpu.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index edbaba0d62..37c687d4d8 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -966,7 +966,11 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
#define MSR_ARCH_CAP_PSCHANGE_MC_NO (1U << 6)
#define MSR_ARCH_CAP_TSX_CTRL_MSR (1U << 7)
#define MSR_ARCH_CAP_TAA_NO (1U << 8)
+#define MSR_ARCH_CAP_SBDR_SSDP_NO (1U << 13)
+#define MSR_ARCH_CAP_FBSDP_NO (1U << 14)
+#define MSR_ARCH_CAP_PSDP_NO (1U << 15)
#define MSR_ARCH_CAP_FB_CLEAR (1U << 17)
+#define MSR_ARCH_CAP_PBRSB_NO (1U << 24)
#define MSR_CORE_CAP_SPLIT_LOCK_DETECT (1U << 5)
--
2.41.0.windows.1

112
target-i386-Add-support-for-MCDT_NO-in-CPUID-enumera.patch Normal file
View File

@ -0,0 +1,112 @@
From a7329b80a2c8a50e53da17aa4eff0ef50aa21413 Mon Sep 17 00:00:00 2001
From: Tao Su <tao1.su@linux.intel.com>
Date: Thu, 6 Jul 2023 13:49:45 +0800
Subject: [PATCH] target/i386: Add support for MCDT_NO in CPUID enumeration
commit 9dd8b71091f47bac395f543779269c14d8d93c60 upstream.
CPUID.(EAX=7,ECX=2):EDX[bit 5] enumerates MCDT_NO. Processors enumerate
this bit as 1 do not exhibit MXCSR Configuration Dependent Timing (MCDT)
behavior and do not need to be mitigated to avoid data-dependent behavior
for certain instructions.
Since MCDT_NO is in a new sub-leaf, add a new CPUID feature word
FEAT_7_2_EDX. Also update cpuid_level_func7 by FEAT_7_2_EDX.
Intel-SIG: commit 9dd8b71091f4 ("target/i386: Add support for MCDT_NO in CPUID enumeration")
Backport support for MCDT_NO in CPUID enumeration
Signed-off-by: Tao Su <tao1.su@linux.intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Message-ID: <20230706054949.66556-3-tao1.su@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: resolve conflict with FEAT_7_1_EDX which not backported yet ]
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 26 ++++++++++++++++++++++++++
target/i386/cpu.h | 4 ++++
2 files changed, 30 insertions(+)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index b878a1bf20..685bfca37e 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -663,6 +663,7 @@ void x86_cpu_vendor_words2str(char *dst, uint32_t vendor1,
#define TCG_7_0_EDX_FEATURES CPUID_7_0_EDX_FSRM
#define TCG_7_1_EAX_FEATURES (CPUID_7_1_EAX_FZRM | CPUID_7_1_EAX_FSRS | \
CPUID_7_1_EAX_FSRC)
+#define TCG_7_2_EDX_FEATURES 0
#define TCG_APM_FEATURES 0
#define TCG_6_EAX_FEATURES CPUID_6_EAX_ARAT
#define TCG_XSAVE_FEATURES (CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XGETBV1)
@@ -886,6 +887,25 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
},
.tcg_features = TCG_7_1_EAX_FEATURES,
},
+ [FEAT_7_2_EDX] = {
+ .type = CPUID_FEATURE_WORD,
+ .feat_names = {
+ NULL, NULL, NULL, NULL,
+ NULL, "mcdt-no", NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ },
+ .cpuid = {
+ .eax = 7,
+ .needs_ecx = true, .ecx = 2,
+ .reg = R_EDX,
+ },
+ .tcg_features = TCG_7_2_EDX_FEATURES,
+ },
[FEAT_8000_0007_EDX] = {
.type = CPUID_FEATURE_WORD,
.feat_names = {
@@ -5531,6 +5551,11 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
*ebx = 0;
*ecx = 0;
*edx = 0;
+ } else if (count == 2) {
+ *edx = env->features[FEAT_7_2_EDX];
+ *eax = 0;
+ *ebx = 0;
+ *ecx = 0;
} else {
*eax = 0;
*ebx = 0;
@@ -6361,6 +6386,7 @@ void x86_cpu_expand_features(X86CPU *cpu, Error **errp)
x86_cpu_adjust_feat_level(cpu, FEAT_6_EAX);
x86_cpu_adjust_feat_level(cpu, FEAT_7_0_ECX);
x86_cpu_adjust_feat_level(cpu, FEAT_7_1_EAX);
+ x86_cpu_adjust_feat_level(cpu, FEAT_7_2_EDX);
x86_cpu_adjust_feat_level(cpu, FEAT_8000_0001_EDX);
x86_cpu_adjust_feat_level(cpu, FEAT_8000_0001_ECX);
x86_cpu_adjust_feat_level(cpu, FEAT_8000_0007_EDX);
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index d9aac5acd2..edbaba0d62 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -601,6 +601,7 @@ typedef enum FeatureWord {
FEAT_SGX_12_0_EAX, /* CPUID[EAX=0x12,ECX=0].EAX (SGX) */
FEAT_SGX_12_0_EBX, /* CPUID[EAX=0x12,ECX=0].EBX (SGX MISCSELECT[31:0]) */
FEAT_SGX_12_1_EAX, /* CPUID[EAX=0x12,ECX=1].EAX (SGX ATTRIBUTES[31:0]) */
+ FEAT_7_2_EDX, /* CPUID[EAX=7,ECX=2].EDX */
FEATURE_WORDS,
} FeatureWord;
@@ -889,6 +890,9 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
/* Fast Short REP CMPS/SCAS */
#define CPUID_7_1_EAX_FSRC (1U << 12)
+/* Do not exhibit MXCSR Configuration Dependent Timing (MCDT) behavior */
+#define CPUID_7_2_EDX_MCDT_NO (1U << 5)
+
/* XFD Extend Feature Disabled */
#define CPUID_D_1_EAX_XFD (1U << 4)
--
2.41.0.windows.1

43
target-i386-Allow-MCDT_NO-if-host-supports.patch Normal file
View File

@ -0,0 +1,43 @@
From 6beadcde4d28a1e4ad3267b7702162ecf9d4541b Mon Sep 17 00:00:00 2001
From: Tao Su <tao1.su@linux.intel.com>
Date: Thu, 6 Jul 2023 13:49:46 +0800
Subject: [PATCH] target/i386: Allow MCDT_NO if host supports
commit ba3709feaab44631315e02cd793cfccae4c6bd2a upstream.
MCDT_NO bit indicates HW contains the security fix and doesn't need to
be mitigated to avoid data-dependent behaviour for certain instructions.
It needs no hypervisor support. Treat it as supported regardless of what
KVM reports.
Intel-SIG: commit ba3709feaab4 ("target/i386: Allow MCDT_NO if host supports")
Backport allowing MCDT_NO if host supports
Signed-off-by: Tao Su <tao1.su@linux.intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Message-ID: <20230706054949.66556-4-tao1.su@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: amend commit log ]
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/kvm/kvm.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/target/i386/kvm/kvm.c b/target/i386/kvm/kvm.c
index d323d08dcb..55ee75e844 100644
--- a/target/i386/kvm/kvm.c
+++ b/target/i386/kvm/kvm.c
@@ -424,6 +424,10 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function,
uint32_t eax;
host_cpuid(7, 1, &eax, &unused, &unused, &unused);
ret |= eax & (CPUID_7_1_EAX_FZRM | CPUID_7_1_EAX_FSRS | CPUID_7_1_EAX_FSRC);
+ } else if (function == 7 && index == 2 && reg == R_EDX) {
+ uint32_t edx;
+ host_cpuid(7, 2, &unused, &unused, &unused, &edx);
+ ret |= edx & CPUID_7_2_EDX_MCDT_NO;
} else if (function == 0xd && index == 0 &&
(reg == R_EAX || reg == R_EDX)) {
/*
--
2.41.0.windows.1

47
target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch Normal file
View File

@ -0,0 +1,47 @@
From 93551bb8747ffc9ef26fc3ced7be310d9aa805d6 Mon Sep 17 00:00:00 2001
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Fri, 23 Jun 2023 13:26:25 -0700
Subject: [PATCH] target/i386: Export MSR_ARCH_CAPABILITIES bits to guests
commit 5bef742cc4f0e21c80a31611af7881ba811e507f upstream.
On Intel CPUs there are certain bits in MSR_ARCH_CAPABILITIES that
indicates if the CPU is not affected by a vulnerability. Without these
bits guests may try to deploy the mitigation even if the CPU is not
affected.
Export the bits to guests that indicate immunity to hardware
vulnerabilities.
Intel-SIG: commit 5bef742cc4f0 ("target/i386: Export MSR_ARCH_CAPABILITIES bits to guests")
Backport exporting MSR_ARCH_CAPABILITIES bits to guests
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Message-ID: <63d85cc76d4cdc51e6c732478b81d8f13be11e5a.1687551881.git.pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: amend commit log ]
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 8adc84b7f9..b878a1bf20 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -981,10 +981,10 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
"rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
"ssb-no", "mds-no", "pschange-mc-no", "tsx-ctrl",
"taa-no", NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
+ NULL, "sbdr-ssdp-no", "fbsdp-no", "psdp-no",
NULL, "fb-clear", NULL, NULL,
NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
+ "pbrsb-no", NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
},
.msr = {
--
2.41.0.windows.1

62
target-i386-add-support-for-FB_CLEAR-feature.patch Normal file
View File

@ -0,0 +1,62 @@
From fb84b9baa665ffa4596fd871537e0544d60e40fc Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Wed, 1 Feb 2023 08:57:59 -0500
Subject: [PATCH] target/i386: add support for FB_CLEAR feature
commit 22e1094ca82d5518c1b69aff3e87c550776ae1eb upstream.
As reported by the Intel's doc:
"FB_CLEAR: The processor will overwrite fill buffer values as part of
MD_CLEAR operations with the VERW instruction.
On these processors, L1D_FLUSH does not overwrite fill buffer values."
If this cpu feature is present in host, allow QEMU to choose whether to
show it to the guest too.
One disadvantage of not exposing it is that the guest will report
a non existing vulnerability in
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
because the mitigation is present only when the cpu has
(FLUSH_L1D and MD_CLEAR) or FB_CLEAR
features enabled.
Intel-SIG: commit 22e1094ca82d ("target/i386: add support for FB_CLEAR feature")
Backport support for FB_CLEAR feature
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Message-Id: <20230201135759.555607-3-eesposit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: amend commit log ]
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 2 +-
target/i386/cpu.h | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 512bec3ca3..8adc84b7f9 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -982,7 +982,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
"ssb-no", "mds-no", "pschange-mc-no", "tsx-ctrl",
"taa-no", NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
+ NULL, "fb-clear", NULL, NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 9e094ef934..d9aac5acd2 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -962,6 +962,7 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
#define MSR_ARCH_CAP_PSCHANGE_MC_NO (1U << 6)
#define MSR_ARCH_CAP_TSX_CTRL_MSR (1U << 7)
#define MSR_ARCH_CAP_TAA_NO (1U << 8)
+#define MSR_ARCH_CAP_FB_CLEAR (1U << 17)
#define MSR_CORE_CAP_SPLIT_LOCK_DETECT (1U << 5)
--
2.41.0.windows.1

61
target-i386-add-support-for-FLUSH_L1D-feature.patch Normal file
View File

@ -0,0 +1,61 @@
From dd635e4b0340a426333b466a2222e5848dfda42c Mon Sep 17 00:00:00 2001
From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Date: Wed, 1 Feb 2023 08:57:58 -0500
Subject: [PATCH] target/i386: add support for FLUSH_L1D feature
commit 0e7e3bf1a552c178924867fa7c2f30ccc8a179e0 upstream.
As reported by Intel's doc:
"L1D_FLUSH: Writeback and invalidate the L1 data cache"
If this cpu feature is present in host, allow QEMU to choose whether to
show it to the guest too.
One disadvantage of not exposing it is that the guest will report
a non existing vulnerability in
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data
because the mitigation is present only when the cpu has
(FLUSH_L1D and MD_CLEAR) or FB_CLEAR
features enabled.
Intel-SIG: commit 0e7e3bf1a552 ("target/i386: add support for FLUSH_L1D feature")
Backport support for FLUSH_L1D feature
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Message-Id: <20230201135759.555607-2-eesposit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ jason: amend commit log ]
Signed-off-by: Jason Zeng <jason.zeng@intel.com>
---
target/i386/cpu.c | 2 +-
target/i386/cpu.h | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 66b5eaa14e..512bec3ca3 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -858,7 +858,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
"tsx-ldtrk", NULL, NULL /* pconfig */, NULL,
NULL, NULL, "amx-bf16", "avx512-fp16",
"amx-tile", "amx-int8", "spec-ctrl", "stibp",
- NULL, "arch-capabilities", "core-capability", "ssbd",
+ "flush-l1d", "arch-capabilities", "core-capability", "ssbd",
},
.cpuid = {
.eax = 7,
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index d0c7791a1e..9e094ef934 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -869,6 +869,8 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
#define CPUID_7_0_EDX_SPEC_CTRL (1U << 26)
/* Single Thread Indirect Branch Predictors */
#define CPUID_7_0_EDX_STIBP (1U << 27)
+/* Flush L1D cache */
+#define CPUID_7_0_EDX_FLUSH_L1D (1U << 28)
/* Arch Capabilities */
#define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)
/* Core Capability */
--
2.41.0.windows.1

30
tests-Fix-printf-format-string-in-acpi-utils.c.patch Normal file
View File

@ -0,0 +1,30 @@
From 847becf4850bc244b140644cb577e17e5ba5e732 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Thu, 26 Oct 2023 19:52:59 -0700
Subject: [PATCH] tests: Fix printf format string in acpi-utils.c
Inside of acpi_fetch_table() arguments are
printed via fprintf but '%d' is used to print @flags (of type
uint). Use '%u' instead.
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
tests/qtest/acpi-utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/qtest/acpi-utils.c b/tests/qtest/acpi-utils.c
index 766c48e3a6..c6f5169b80 100644
--- a/tests/qtest/acpi-utils.c
+++ b/tests/qtest/acpi-utils.c
@@ -103,7 +103,7 @@ void acpi_fetch_table(QTestState *qts, uint8_t **aml, uint32_t *aml_len,
char *fname = NULL;
GError *error = NULL;
- fprintf(stderr, "Invalid '%.4s'(%d)\n", *aml, *aml_len);
+ fprintf(stderr, "Invalid '%.4s'(%u)\n", *aml, *aml_len);
fd = g_file_open_tmp("malformed-XXXXXX.dat", &fname, &error);
g_assert_no_error(error);
fprintf(stderr, "Dumping invalid table into '%s'\n", fname);
--
2.41.0.windows.1

58
ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch Normal file
View File

@ -0,0 +1,58 @@
From 2858029a5dbdd3fab73b1884e296daa3f3f0b1a1 Mon Sep 17 00:00:00 2001
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Tue, 4 Jul 2023 10:41:22 +0200
Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer
(CVE-2023-3255)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A wrong exit condition may lead to an infinite loop when inflating a
valid zlib buffer containing some extra bytes in the `inflate_buffer`
function. The bug only occurs post-authentication. Return the buffer
immediately if the end of the compressed data has been reached
(Z_STREAM_END).
Fixes: CVE-2023-3255
Fixes: 0bf41cab ("ui/vnc: clipboard support")
Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
---
ui/vnc-clipboard.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
index 67284b556c..c84599cfdb 100644
--- a/ui/vnc-clipboard.c
+++ b/ui/vnc-clipboard.c
@@ -51,8 +51,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
ret = inflate(&stream, Z_FINISH);
switch (ret) {
case Z_OK:
- case Z_STREAM_END:
break;
+ case Z_STREAM_END:
+ *size = stream.total_out;
+ inflateEnd(&stream);
+ return out;
case Z_BUF_ERROR:
out_len <<= 1;
if (out_len > (1 << 20)) {
@@ -67,11 +70,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
}
}
- *size = stream.total_out;
- inflateEnd(&stream);
-
- return out;
-
err_end:
inflateEnd(&stream);
err:
--
2.41.0.windows.1