QEMU update to version 8.2.0-17:

- cvm : bug fix for undefined reference to 'virtcca_cvm_allowed' while compiling
- cvm : bug-fix for incorrect device name check for vhost-user-fs
- target/i386: add control bits support for LAM
- target/i386: add support for LAM in CPUID enumeration
- Add support for the virtcca cvm feature.
- target/sparc: use signed denominator in sdiv helper
- crypto: Introduce SM4 symmetric cipher algorithm
- ppc/vof: Fix unaligned FDT property access
- vl: fix "type is NULL" in -vga help
- hw/display/bcm2835_fb: fix fb_use_offsets condition
- aspeed/smc: Fix possible integer overflow
- hw/nvme: fix number of PIDs for FDP RUH update
- hw/nvme: fix memory leak in nvme_dsm
- hvf: arm: Do not advance PC when raising an exception
- physmem: Bail out qemu_ram_block_from_host() for invalid ram addrs

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
Jiabo Feng 2024-08-21 14:56:27 +08:00
parent 959fbb9922
commit b36d41c519
16 changed files with 2001 additions and 1 deletions



@ -0,0 +1,45 @@
From 041c319f2f91c85aeb4ed0cefa6afa76773fe960 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Thu, 25 Jul 2024 09:57:01 +0800
Subject: [PATCH] aspeed/smc: Fix possible integer overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 13951ccfcdf0f31902a93859506ccf8c0ef66583
Coverity reports a possible integer overflow because routine
aspeeed_smc_hclk_divisor() has a codepath returning 0, which could
lead to an integer overflow when computing variable 'hclk_shift' in
the caller aspeed_smc_dma_calibration().
The value passed to aspeed_smc_hclk_divisor() is always between 0 and
15 and, in this case, there is always a matching hclk divisor. Remove
the return 0 and use g_assert_not_reached() instead.
Fixes: Coverity CID 1547822
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/ssi/aspeed_smc.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hw/ssi/aspeed_smc.c b/hw/ssi/aspeed_smc.c
index 2a4001b774..8af919a970 100644
--- a/hw/ssi/aspeed_smc.c
+++ b/hw/ssi/aspeed_smc.c
@@ -764,8 +764,7 @@ static uint8_t aspeed_smc_hclk_divisor(uint8_t hclk_mask)
}
}
- aspeed_smc_error("invalid HCLK mask %x", hclk_mask);
- return 0;
+ g_assert_not_reached();
}
/*
--
2.41.0.windows.1
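Review bot: Replacing the error-and-return-0 with `g_assert_not_reached()` turns an invalid HCLK mask into a QEMU abort, so the change is only safe if the caller really cannot pass anything outside 0..15; the commit message asserts this, but `aspeed_smc_dma_calibration()` is outside the hunk, so please confirm the value is masked to four bits before the call rather than taken raw from a guest-written register, since an abort in a device model is a guest-triggerable crash. A comment on the function would record the invariant the assert now depends on: `/* hclk_mask is a 4-bit field; every value 0..15 has a divisor, so falling out of the loop is a programming error. */`. The enclosing function begins outside the hunk.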


@ -0,0 +1,306 @@
From f402887e0c3e97dcbd6d1929ca9908ec57e2bb1f Mon Sep 17 00:00:00 2001
From: Hyman Huang <yong.huang@smartx.com>
Date: Thu, 7 Dec 2023 23:47:35 +0800
Subject: [PATCH] crypto: Introduce SM4 symmetric cipher algorithm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Introduce the SM4 cipher algorithms (OSCCA GB/T 32907-2016).
SM4 (GBT.32907-2016) is a cryptographic standard issued by the
Organization of State Commercial Administration of China (OSCCA)
as an authorized cryptographic algorithms for the use within China.
Detect the SM4 cipher algorithms and enable the feature silently
if it is available.
Signed-off-by: Hyman Huang <yong.huang@smartx.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: cheliequan <cheliequan@inspur.com>
---
crypto/block-luks.c | 11 ++++++++
crypto/cipher-gcrypt.c.inc | 8 ++++++
crypto/cipher-nettle.c.inc | 49 +++++++++++++++++++++++++++++++++
crypto/cipher.c | 6 ++++
meson.build | 26 +++++++++++++++++
qapi/crypto.json | 5 +++-
tests/unit/test-crypto-cipher.c | 13 +++++++++
7 files changed, 117 insertions(+), 1 deletion(-)
diff --git a/crypto/block-luks.c b/crypto/block-luks.c
index fb01ec38bb..f0813d69b4 100644
--- a/crypto/block-luks.c
+++ b/crypto/block-luks.c
@@ -95,12 +95,23 @@ qcrypto_block_luks_cipher_size_map_twofish[] = {
{ 0, 0 },
};
+#ifdef CONFIG_CRYPTO_SM4
+static const QCryptoBlockLUKSCipherSizeMap
+qcrypto_block_luks_cipher_size_map_sm4[] = {
+ { 16, QCRYPTO_CIPHER_ALG_SM4},
+ { 0, 0 },
+};
+#endif
+
static const QCryptoBlockLUKSCipherNameMap
qcrypto_block_luks_cipher_name_map[] = {
{ "aes", qcrypto_block_luks_cipher_size_map_aes },
{ "cast5", qcrypto_block_luks_cipher_size_map_cast5 },
{ "serpent", qcrypto_block_luks_cipher_size_map_serpent },
{ "twofish", qcrypto_block_luks_cipher_size_map_twofish },
+#ifdef CONFIG_CRYPTO_SM4
+ { "sm4", qcrypto_block_luks_cipher_size_map_sm4},
+#endif
};
QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48);
diff --git a/crypto/cipher-gcrypt.c.inc b/crypto/cipher-gcrypt.c.inc
index a6a0117717..1377cbaf14 100644
--- a/crypto/cipher-gcrypt.c.inc
+++ b/crypto/cipher-gcrypt.c.inc
@@ -35,6 +35,9 @@ bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
case QCRYPTO_CIPHER_ALG_SERPENT_256:
case QCRYPTO_CIPHER_ALG_TWOFISH_128:
case QCRYPTO_CIPHER_ALG_TWOFISH_256:
+#ifdef CONFIG_CRYPTO_SM4
+ case QCRYPTO_CIPHER_ALG_SM4:
+#endif
break;
default:
return false;
@@ -219,6 +222,11 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
case QCRYPTO_CIPHER_ALG_TWOFISH_256:
gcryalg = GCRY_CIPHER_TWOFISH;
break;
+#ifdef CONFIG_CRYPTO_SM4
+ case QCRYPTO_CIPHER_ALG_SM4:
+ gcryalg = GCRY_CIPHER_SM4;
+ break;
+#endif
default:
error_setg(errp, "Unsupported cipher algorithm %s",
QCryptoCipherAlgorithm_str(alg));
diff --git a/crypto/cipher-nettle.c.inc b/crypto/cipher-nettle.c.inc
index 24cc61f87b..42b39e18a2 100644
--- a/crypto/cipher-nettle.c.inc
+++ b/crypto/cipher-nettle.c.inc
@@ -33,6 +33,9 @@
#ifndef CONFIG_QEMU_PRIVATE_XTS
#include <nettle/xts.h>
#endif
+#ifdef CONFIG_CRYPTO_SM4
+#include <nettle/sm4.h>
+#endif
static inline bool qcrypto_length_check(size_t len, size_t blocksize,
Error **errp)
@@ -426,6 +429,30 @@ DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_twofish,
QCryptoNettleTwofish, TWOFISH_BLOCK_SIZE,
twofish_encrypt_native, twofish_decrypt_native)
+#ifdef CONFIG_CRYPTO_SM4
+typedef struct QCryptoNettleSm4 {
+ QCryptoCipher base;
+ struct sm4_ctx key[2];
+} QCryptoNettleSm4;
+
+static void sm4_encrypt_native(void *ctx, size_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ struct sm4_ctx *keys = ctx;
+ sm4_crypt(&keys[0], length, dst, src);
+}
+
+static void sm4_decrypt_native(void *ctx, size_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ struct sm4_ctx *keys = ctx;
+ sm4_crypt(&keys[1], length, dst, src);
+}
+
+DEFINE_ECB(qcrypto_nettle_sm4,
+ QCryptoNettleSm4, SM4_BLOCK_SIZE,
+ sm4_encrypt_native, sm4_decrypt_native)
+#endif
bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
QCryptoCipherMode mode)
@@ -443,6 +470,9 @@ bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
case QCRYPTO_CIPHER_ALG_TWOFISH_128:
case QCRYPTO_CIPHER_ALG_TWOFISH_192:
case QCRYPTO_CIPHER_ALG_TWOFISH_256:
+#ifdef CONFIG_CRYPTO_SM4
+ case QCRYPTO_CIPHER_ALG_SM4:
+#endif
break;
default:
return false;
@@ -701,6 +731,25 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
return &ctx->base;
}
+#ifdef CONFIG_CRYPTO_SM4
+ case QCRYPTO_CIPHER_ALG_SM4:
+ {
+ QCryptoNettleSm4 *ctx = g_new0(QCryptoNettleSm4, 1);
+
+ switch (mode) {
+ case QCRYPTO_CIPHER_MODE_ECB:
+ ctx->base.driver = &qcrypto_nettle_sm4_driver_ecb;
+ break;
+ default:
+ goto bad_cipher_mode;
+ }
+
+ sm4_set_encrypt_key(&ctx->key[0], key);
+ sm4_set_decrypt_key(&ctx->key[1], key);
+
+ return &ctx->base;
+ }
+#endif
default:
error_setg(errp, "Unsupported cipher algorithm %s",
diff --git a/crypto/cipher.c b/crypto/cipher.c
index 74b09a5b26..5f512768ea 100644
--- a/crypto/cipher.c
+++ b/crypto/cipher.c
@@ -38,6 +38,9 @@ static const size_t alg_key_len[QCRYPTO_CIPHER_ALG__MAX] = {
[QCRYPTO_CIPHER_ALG_TWOFISH_128] = 16,
[QCRYPTO_CIPHER_ALG_TWOFISH_192] = 24,
[QCRYPTO_CIPHER_ALG_TWOFISH_256] = 32,
+#ifdef CONFIG_CRYPTO_SM4
+ [QCRYPTO_CIPHER_ALG_SM4] = 16,
+#endif
};
static const size_t alg_block_len[QCRYPTO_CIPHER_ALG__MAX] = {
@@ -53,6 +56,9 @@ static const size_t alg_block_len[QCRYPTO_CIPHER_ALG__MAX] = {
[QCRYPTO_CIPHER_ALG_TWOFISH_128] = 16,
[QCRYPTO_CIPHER_ALG_TWOFISH_192] = 16,
[QCRYPTO_CIPHER_ALG_TWOFISH_256] = 16,
+#ifdef CONFIG_CRYPTO_SM4
+ [QCRYPTO_CIPHER_ALG_SM4] = 16,
+#endif
};
static const bool mode_need_iv[QCRYPTO_CIPHER_MODE__MAX] = {
diff --git a/meson.build b/meson.build
index 0c62b4156d..089f45d386 100644
--- a/meson.build
+++ b/meson.build
@@ -1485,6 +1485,7 @@ endif
gcrypt = not_found
nettle = not_found
hogweed = not_found
+crypto_sm4 = not_found
xts = 'none'
if get_option('nettle').enabled() and get_option('gcrypt').enabled()
@@ -1510,6 +1511,17 @@ if not gnutls_crypto.found()
cc.find_library('gpg-error', required: true)],
version: gcrypt.version())
endif
+ crypto_sm4 = gcrypt
+ # SM4 ALG is available in libgcrypt >= 1.9
+ if gcrypt.found() and not cc.links('''
+ #include <gcrypt.h>
+ int main(void) {
+ gcry_cipher_hd_t handler;
+ gcry_cipher_open(&handler, GCRY_CIPHER_SM4, GCRY_CIPHER_MODE_ECB, 0);
+ return 0;
+ }''', dependencies: gcrypt)
+ crypto_sm4 = not_found
+ endif
endif
if (not get_option('nettle').auto() or have_system) and not gcrypt.found()
nettle = dependency('nettle', version: '>=3.4',
@@ -1518,6 +1530,18 @@ if not gnutls_crypto.found()
if nettle.found() and not cc.has_header('nettle/xts.h', dependencies: nettle)
xts = 'private'
endif
+ crypto_sm4 = nettle
+ # SM4 ALG is available in nettle >= 3.9
+ if nettle.found() and not cc.links('''
+ #include <nettle/sm4.h>
+ int main(void) {
+ struct sm4_ctx ctx;
+ unsigned char key[16] = {0};
+ sm4_set_encrypt_key(&ctx, key);
+ return 0;
+ }''', dependencies: nettle)
+ crypto_sm4 = not_found
+ endif
endif
endif
@@ -2204,6 +2228,7 @@ config_host_data.set('CONFIG_GNUTLS_CRYPTO', gnutls_crypto.found())
config_host_data.set('CONFIG_TASN1', tasn1.found())
config_host_data.set('CONFIG_GCRYPT', gcrypt.found())
config_host_data.set('CONFIG_NETTLE', nettle.found())
+config_host_data.set('CONFIG_CRYPTO_SM4', crypto_sm4.found())
config_host_data.set('CONFIG_HOGWEED', hogweed.found())
config_host_data.set('CONFIG_QEMU_PRIVATE_XTS', xts == 'private')
config_host_data.set('CONFIG_MALLOC_TRIM', has_malloc_trim)
@@ -4280,6 +4305,7 @@ summary_info += {'nettle': nettle}
if nettle.found()
summary_info += {' XTS': xts != 'private'}
endif
+summary_info += {'SM4 ALG support': crypto_sm4}
summary_info += {'AF_ALG support': have_afalg}
summary_info += {'rng-none': get_option('rng_none')}
summary_info += {'Linux keyring': have_keyring}
diff --git a/qapi/crypto.json b/qapi/crypto.json
index fd3d46ebd1..2f2aeff5fd 100644
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@@ -94,6 +94,8 @@
#
# @twofish-256: Twofish with 256 bit / 32 byte keys
#
+# @sm4: SM4 with 128 bit / 16 byte keys (since 9.0)
+#
# Since: 2.6
##
{ 'enum': 'QCryptoCipherAlgorithm',
@@ -102,7 +104,8 @@
'des', '3des',
'cast5-128',
'serpent-128', 'serpent-192', 'serpent-256',
- 'twofish-128', 'twofish-192', 'twofish-256']}
+ 'twofish-128', 'twofish-192', 'twofish-256',
+ 'sm4']}
##
# @QCryptoCipherMode:
diff --git a/tests/unit/test-crypto-cipher.c b/tests/unit/test-crypto-cipher.c
index d9d9d078ff..11ab1a54fc 100644
--- a/tests/unit/test-crypto-cipher.c
+++ b/tests/unit/test-crypto-cipher.c
@@ -382,6 +382,19 @@ static QCryptoCipherTestData test_data[] = {
.plaintext = "90afe91bb288544f2c32dc239b2635e6",
.ciphertext = "6cb4561c40bf0a9705931cb6d408e7fa",
},
+#ifdef CONFIG_CRYPTO_SM4
+ {
+ /* SM4, GB/T 32907-2016, Appendix A.1 */
+ .path = "/crypto/cipher/sm4",
+ .alg = QCRYPTO_CIPHER_ALG_SM4,
+ .mode = QCRYPTO_CIPHER_MODE_ECB,
+ .key = "0123456789abcdeffedcba9876543210",
+ .plaintext =
+ "0123456789abcdeffedcba9876543210",
+ .ciphertext =
+ "681edf34d206965e86b3e94f536e4246",
+ },
+#endif
{
/* #1 32 byte key, 32 byte PTX */
.path = "/crypto/cipher/aes-xts-128-1",
--
2.41.0.windows.1
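Review bot: The nettle backend wires SM4 for ECB only (`DEFINE_ECB(qcrypto_nettle_sm4, ...)` and the `switch (mode)` that jumps to `bad_cipher_mode` for anything else), while the LUKS name map gains an `sm4` entry and the gcrypt backend accepts every mode; on a nettle build a LUKS volume that names sm4 with cbc or xts will presumably be refused with a mode error at open time rather than the algorithm being reported as unsupported. Either extend the nettle case with the `DEFINE_ECB_CBC_CTR_XTS` form used for twofish just above it, or document that sm4 in LUKS is gcrypt-only, so the capability is consistent across backends. The `(since 9.0)` tag added to qapi/crypto.json is also inaccurate for a package that ships QEMU 8.2 and should say which release of this package introduced it. The two `qcrypto_cipher_ctx_new()` hunks sit inside functions that start outside the patch.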


@ -0,0 +1,34 @@
From 282d63f9b5915f0529e9d0ae54b47c0ceacc58c3 Mon Sep 17 00:00:00 2001
From: liupingwei <liupingwei0317@outlook.com>
Date: Mon, 19 Aug 2024 15:38:23 +0800
Subject: [PATCH] cvm : bug-fix for incorrect device name check for
vhost-user-fs
The 'vhost-user-fs' was being parsed as 'virtio-user-fs' during the
compilation and this caused the device to erroneously trigger the error
branch.
Fixes: 5db954cb188d3775aec053fad8a39bf4c26a2b92("Add support for the
virtcca cvm feature.)
Signed-off-by: liupingwei <liupingwei0317@outlook.com>
---
hw/virtio/virtio-bus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/virtio/virtio-bus.c b/hw/virtio/virtio-bus.c
index 7e750d073d..4f16e7ef77 100644
--- a/hw/virtio/virtio-bus.c
+++ b/hw/virtio/virtio-bus.c
@@ -83,7 +83,7 @@ void virtio_bus_device_plugged(VirtIODevice *vdev, Error **errp)
if (has_iommu) {
vdev_has_iommu = virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM);
- if (virtcca_cvm_enabled() && (strcmp(vdev->name, "vhost-user-fs") == 0)) {
+ if (virtcca_cvm_enabled() && (strcmp(vdev->name, "virtio-user-fs") == 0)) {
vdev_has_iommu = true;
}
--
2.41.0.windows.1
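Review bot: Matching on `vdev->name` is fragile, as this very fix demonstrates: the device's name turns out to be "virtio-user-fs" rather than "vhost-user-fs", as the commit message notes, so the natural spelling silently never matched. Comparing the numeric device ID avoids that trap and cannot drift with the name table: `if (virtcca_cvm_enabled() && vdev->device_id == VIRTIO_ID_FS) {`, assuming VIRTIO_ID_FS is the ID this device initialises with. A one-line comment explaining why this device alone is forced to advertise the IOMMU-platform feature under cvm would also help, since the hunk does not say what breaks without it. virtio_bus_device_plugged continues beyond the hunk.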


@ -0,0 +1,30 @@
From 87dfbca72fe11b7a8d3f1afce52a7925be0e0b01 Mon Sep 17 00:00:00 2001
From: liupingwei <liupingwei0317@outlook.com>
Date: Wed, 4 Sep 2024 14:29:02 +0800
Subject: [PATCH] cvm : bug fix for undefined reference to
'virtcca_cvm_allowed' while compiling.
Fixes a linking error due to an undefined reference to
'virtcca_cvm_allowed' when KVM is not enabled.
Signed-off-by: liupingwei <liupingwei0317@outlook.com>
---
accel/stubs/kvm-stub.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/accel/stubs/kvm-stub.c b/accel/stubs/kvm-stub.c
index 1b37d9a302..ad39a434c4 100644
--- a/accel/stubs/kvm-stub.c
+++ b/accel/stubs/kvm-stub.c
@@ -25,6 +25,8 @@ bool kvm_allowed;
bool kvm_readonly_mem_allowed;
bool kvm_msi_use_devid;
+bool virtcca_cvm_allowed;
+
void kvm_flush_coalesced_mmio_buffer(void)
{
}
--
2.41.0.windows.1
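Review bot: The stub defines `virtcca_cvm_allowed` with no comment, so a reader cannot tell whether `false` is the intended state for non-KVM builds or merely the zero-initialised default; since the commit message says the symbol is only needed when KVM is not enabled, state the contract at the definition: `bool virtcca_cvm_allowed; /* cvm requires KVM; always false in non-KVM builds */`. Please also confirm the header declaration uses the same `bool` type so the stub and the real definition agree.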


@ -0,0 +1,39 @@
From 550d304465b366a116e02d2cb006475ea453a98a Mon Sep 17 00:00:00 2001
From: guping <guping_yewu@cmss.chinamobile.com>
Date: Mon, 22 Jul 2024 00:37:30 +0000
Subject: [PATCH] hvf: arm: Do not advance PC when raising an exception
cherry-pick from 30a1690f2402e6c1582d5b3ebcf7940bfe2fad4b
hvf did not advance PC when raising an exception for most unhandled
system registers, but it mistakenly advanced PC when raising an
exception for GICv3 registers.
Cc: qemu-stable@nongnu.org
Fixes: a2260983
("hvf: arm: Add support for GICv3")
Signed-off-by: default avatarAkihiko Odaki <akihiko.odaki@daynix.com>
Message-id: 20240716-pmu-v3-4-8c7c1858a227@daynix.com
Reviewed-by: default avatarPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: default avatarPeter Maydell <peter.maydell@linaro.org>
Signed-off-by: guping <guping_yewu@cmss.chinamobile.com>
---
target/arm/hvf/hvf.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/target/arm/hvf/hvf.c b/target/arm/hvf/hvf.c
index 757e13b0f9..b4e98a99e2 100644
--- a/target/arm/hvf/hvf.c
+++ b/target/arm/hvf/hvf.c
@@ -1272,6 +1272,7 @@ static int hvf_sysreg_read(CPUState *cpu, uint32_t reg, uint32_t rt)
/* Call the TCG sysreg handler. This is only safe for GICv3 regs. */
if (!hvf_sysreg_read_cp(cpu, reg, &val)) {
hvf_raise_exception(cpu, EXCP_UDEF, syn_uncategorized());
+ return 1;
}
break;
case SYSREG_DBGBVR0_EL1:
--
2.41.0.windows.1
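Review bot: The added `return 1;` stops PC from advancing on the GICv3 read path, but the write-side counterpart is not in this patch; if `hvf_sysreg_write()` has the same call-the-TCG-handler-then-raise pattern it needs the identical early return, otherwise a failed GICv3 write still skips the faulting instruction. The bare `1` is also easy to misread as an error code, so a short comment would help: `/* exception raised; do not advance PC, as for other unhandled sysregs */`. The enclosing switch and function extend beyond the hunk.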


@ -0,0 +1,51 @@
From 1d3ea28fd7da9a23e278be70c7e028fbd2b69bf3 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Thu, 25 Jul 2024 10:29:20 +0800
Subject: [PATCH] hw/display/bcm2835_fb: fix fb_use_offsets condition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 345acc443905eda8008a1d328dd89b73c4a3f89e
It is common practice when implementing double-buffering on VideoCore
to do so by multiplying the height of the virtual buffer by the
number of virtual screens desired (i.e., two - in the case of
double-bufferring).
At present, this won't work in QEMU because the logic in
fb_use_offsets require that both the virtual width and height exceed
their physical counterparts.
This appears to be unintentional/a typo and indeed the comment
states; "Experimentally, the hardware seems to do this only if the
viewport size is larger than the physical screen". The
viewport/virtual size would be larger than the physical size if
either virtual dimension were larger than their physical counterparts
and not necessarily both.
Signed-off-by: SamJakob <me@samjakob.com>
Message-id: 20240713160353.62410-1-me@samjakob.com
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/display/bcm2835_fb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/display/bcm2835_fb.c b/hw/display/bcm2835_fb.c
index a05277674f..c45da149d9 100644
--- a/hw/display/bcm2835_fb.c
+++ b/hw/display/bcm2835_fb.c
@@ -145,7 +145,7 @@ static bool fb_use_offsets(BCM2835FBConfig *config)
* viewport size is larger than the physical screen. (It doesn't
* prevent the guest setting this silly viewport setting, though...)
*/
- return config->xres_virtual > config->xres &&
+ return config->xres_virtual > config->xres ||
config->yres_virtual > config->yres;
}
--
2.41.0.windows.1
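Review bot: With `||` the offset path is now taken when only one virtual dimension exceeds the physical one, so xoff/yoff are honoured in guest configurations that previously ignored them; the hunk does not show where those offsets are applied, so please confirm the framebuffer base and size derived from them are still bounded by the virtual dimensions (all of which the guest sets) rather than relying on the old stricter gate. The in-code comment already describes the `||` semantics, so no further documentation is needed here. fb_use_offsets begins outside the hunk.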


@ -0,0 +1,49 @@
From 0c23d22ea9f160a8e0e0e48b6cb400d7964ae868 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Tue, 23 Jul 2024 21:06:08 +0800
Subject: [PATCH] hw/nvme: fix memory leak in nvme_dsm
cheery-pick from c510fe78f1b7c966524489d6ba752107423b20c8
The allocated memory to hold LBA ranges leaks in the nvme_dsm function. This
happens because the allocated memory for iocb->range is not freed in all
error handling paths.
Fix this by adding a free to ensure that the allocated memory is properly freed.
ASAN log:
==3075137==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 480 byte(s) in 6 object(s) allocated from:
#0 0x55f1f8a0eddd in malloc llvm/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x7f531e0f6738 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e738)
#2 0x55f1faf1f091 in blk_aio_get block/block-backend.c:2583:12
#3 0x55f1f945c74b in nvme_dsm hw/nvme/ctrl.c:2609:30
#4 0x55f1f945831b in nvme_io_cmd hw/nvme/ctrl.c:4470:16
#5 0x55f1f94561b7 in nvme_process_sq hw/nvme/ctrl.c:7039:29
Cc: qemu-stable@nongnu.org
Fixes: d7d1474fd85d ("hw/nvme: reimplement dsm to allow cancellation")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Reviewed-by: Klaus Jensen <k.jensen@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/nvme/ctrl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index 237b5c8871..dd1c962f93 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -2592,6 +2592,7 @@ next:
done:
iocb->aiocb = NULL;
iocb->common.cb(iocb->common.opaque, iocb->ret);
+ g_free(iocb->range);
qemu_aio_unref(iocb);
}
--
2.41.0.windows.1
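Review bot: Freeing `iocb->range` at the shared `done:` label fixes the leak only if no path that reaches `done:` has already released it; the earlier part of the callback and its error branches are outside the hunk, so please confirm `range` is not freed elsewhere, since a double free here would be reachable from a guest-issued DSM command. Freeing after `iocb->common.cb()` is fine as long as the completion callback does not touch `range`; a comment would make that ordering deliberate: `/* range is owned by the iocb; release it after completion, before the final unref */`.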


@ -0,0 +1,35 @@
From 3696b12c582440669de12d127701187828c5598f Mon Sep 17 00:00:00 2001
From: Xu Zheng <xuzheng_yewu@cmss.chinamobile.com>
Date: Fri, 19 Jul 2024 22:11:17 +0800
Subject: [PATCH] hw/nvme: fix number of PIDs for FDP RUH update
The number of PIDs is in the upper 16 bits of cdw10. So we need to
right-shift by 16 bits instead of only a single bit.
Fixes: 73064edfb864 ("hw/nvme: flexible data placement emulation")
cherry-pick from 3936bbdf9a2e9233875f850c7576c79d06add261
Signed-off-by: Vincent Fu <vincent.fu@samsung.com>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Xu Zheng <xuzheng_yewu@cmss.chinamobile.com>
---
hw/nvme/ctrl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index 237b5c8871..d7e83c3d55 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -4352,7 +4352,7 @@ static uint16_t nvme_io_mgmt_send_ruh_update(NvmeCtrl *n, NvmeRequest *req)
NvmeNamespace *ns = req->ns;
uint32_t cdw10 = le32_to_cpu(cmd->cdw10);
uint16_t ret = NVME_SUCCESS;
- uint32_t npid = (cdw10 >> 1) + 1;
+ uint32_t npid = (cdw10 >> 16) + 1;
unsigned int i = 0;
g_autofree uint16_t *pids = NULL;
uint32_t maxnpid;
--
2.41.0.windows.1
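Review bot: The shift now extracts CDW10[31:16] and the `+ 1` indicates a 0's-based count, but neither is stated at the site and the `maxnpid` check that bounds the result is outside the hunk; a comment pins the encoding for the next reader: `/* CDW10[31:16] = NPID (0's based) */`. With a `uint32_t` the addition cannot overflow, and the largest possible value (65536) should be rejected by the `maxnpid` comparison that follows — please confirm that comparison is `>` rather than `>=` or vice versa as the spec requires. The function continues beyond the hunk.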


@ -0,0 +1,40 @@
From 39eae397a6b573505c0e84cc808cd9765a950908 Mon Sep 17 00:00:00 2001
From: guping <guping_yewu@cmss.chinamobile.com>
Date: Mon, 15 Jul 2024 00:54:12 +0000
Subject: [PATCH] physmem: Bail out qemu_ram_block_from_host() for invalid ram
addrs cherry-pick from 596ccccdbfa124adb42be8c2faf0c74f4849c7a6
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bail out in qemu_ram_block_from_host() when
xen_ram_addr_from_mapcache() does not find an existing
mapping.
Signed-off-by: default avatarEdgar E. Iglesias <edgar.iglesias@amd.com>
Reviewed-by: default avatarAlex Bennée <alex.bennee@linaro.org>
Reviewed-by: default avatarStefano Stabellini <sstabellini@kernel.org>
Signed-off-by: guping <guping_yewu@cmss.chinamobile.com>
---
system/physmem.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/system/physmem.c b/system/physmem.c
index cbe838f203..0c629233bd 100644
--- a/system/physmem.c
+++ b/system/physmem.c
@@ -2263,6 +2263,10 @@ RAMBlock *qemu_ram_block_from_host(void *ptr, bool round_offset,
ram_addr_t ram_addr;
RCU_READ_LOCK_GUARD();
ram_addr = xen_ram_addr_from_mapcache(ptr);
+ if (ram_addr == RAM_ADDR_INVALID) {
+ return NULL;
+ }
+
block = qemu_get_ram_block(ram_addr);
if (block) {
*offset = ram_addr - block->offset;
--
2.41.0.windows.1
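Review bot: The new early return is only meaningful if this tree's `xen_ram_addr_from_mapcache()` can actually return `RAM_ADDR_INVALID`; upstream that sentinel was introduced by the same mapcache series this commit belongs to, and older versions abort instead of returning when no mapping is found. If the 8.2 mapcache was not updated alongside, the check is dead and the abort on a bad host pointer remains, so please confirm the helper's contract or backport its change too. `*offset` is left unset on the NULL return, which presumably matches the non-Xen path; the rest of the function runs past the hunk.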


@ -0,0 +1,34 @@
From ad1d68502c41ff6a966ae89ae5ac008050602e2a Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Mon, 29 Jul 2024 10:38:46 +0800
Subject: [PATCH] ppc/vof: Fix unaligned FDT property access
cheery-pick from 785c8637f9d2362a8addf4ded853d975955a9d6b
FDT properties are aligned by 4 bytes, not 8 bytes.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/ppc/vof.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ppc/vof.c b/hw/ppc/vof.c
index e3b430a81f..b5b6514d79 100644
--- a/hw/ppc/vof.c
+++ b/hw/ppc/vof.c
@@ -646,7 +646,7 @@ static void vof_dt_memory_available(void *fdt, GArray *claimed, uint64_t base)
mem0_reg = fdt_getprop(fdt, offset, "reg", &proplen);
g_assert(mem0_reg && proplen == sizeof(uint32_t) * (ac + sc));
if (sc == 2) {
- mem0_end = be64_to_cpu(*(uint64_t *)(mem0_reg + sizeof(uint32_t) * ac));
+ mem0_end = ldq_be_p(mem0_reg + sizeof(uint32_t) * ac);
} else {
mem0_end = be32_to_cpu(*(uint32_t *)(mem0_reg + sizeof(uint32_t) * ac));
}
--
2.41.0.windows.1
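Review bot: The `sc == 2` branch now uses `ldq_be_p()`, but the `else` branch at the same alignment still dereferences through a `uint32_t *` cast; for consistency, and so the alignment reasoning lives in one idiom, use `mem0_end = ldl_be_p(mem0_reg + sizeof(uint32_t) * ac);`. Pointer arithmetic on the `const void *` that `fdt_getprop()` returns is a GNU extension that predates this patch. The enclosing function continues beyond the hunk.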


@ -3,7 +3,7 @@
Name: qemu
Version: 8.2.0
Release: 16
Release: 17
Epoch: 11
Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -287,6 +287,21 @@ Patch0270: nbd-server-Plumb-in-new-args-to-nbd_client_add.patch
Patch0271: nbd-server-CVE-2024-7409-Cap-default-max-connections.patch
Patch0272: nbd-server-CVE-2024-7409-Drop-non-negotiating-client.patch
Patch0273: nbd-server-CVE-2024-7409-Close-stray-clients-at-serv.patch
Patch0274: physmem-Bail-out-qemu_ram_block_from_host-for-invali.patch
Patch0275: hvf-arm-Do-not-advance-PC-when-raising-an-exception.patch
Patch0276: hw-nvme-fix-memory-leak-in-nvme_dsm.patch
Patch0277: hw-nvme-fix-number-of-PIDs-for-FDP-RUH-update.patch
Patch0278: aspeed-smc-Fix-possible-integer-overflow.patch
Patch0279: hw-display-bcm2835_fb-fix-fb_use_offsets-condition.patch
Patch0280: vl-fix-type-is-NULL-in-vga-help.patch
Patch0281: ppc-vof-Fix-unaligned-FDT-property-access.patch
Patch0282: crypto-Introduce-SM4-symmetric-cipher-algorithm.patch
Patch0283: target-sparc-use-signed-denominator-in-sdiv-helper.patch
Patch0284: Add-support-for-the-virtcca-cvm-feature.patch
Patch0285: target-i386-add-support-for-LAM-in-CPUID-enumeration.patch
Patch0286: target-i386-add-control-bits-support-for-LAM.patch
Patch0287: cvm-bug-fix-for-incorrect-device-name-check-for-vhos.patch
Patch0288: cvm-bug-fix-for-undefined-reference-to-virtcca_cvm_a.patch
BuildRequires: flex
BuildRequires: gcc
@ -884,6 +899,23 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Thu Sep 5 2024 Jiabo Feng <fengjiabo1@huawei.com> - 11:8.2.0-17
- cvm : bug fix for undefined reference to 'virtcca_cvm_allowed' while compiling
- cvm : bug-fix for incorrect device name check for vhost-user-fs
- target/i386: add control bits support for LAM
- target/i386: add support for LAM in CPUID enumeration
- Add support for the virtcca cvm feature.
- target/sparc: use signed denominator in sdiv helper
- crypto: Introduce SM4 symmetric cipher algorithm
- ppc/vof: Fix unaligned FDT property access
- vl: fix "type is NULL" in -vga help
- hw/display/bcm2835_fb: fix fb_use_offsets condition
- aspeed/smc: Fix possible integer overflow
- hw/nvme: fix number of PIDs for FDP RUH update
- hw/nvme: fix memory leak in nvme_dsm
- hvf: arm: Do not advance PC when raising an exception
- physmem: Bail out qemu_ram_block_from_host() for invalid ram addrs
* Tue Aug 13 2024 Jiabo Feng <fengjiabo1@huawei.com> - 11:8.2.0-16
- nbd/server: CVE-2024-7409: Close stray clients at server-stop
- nbd/server: CVE-2024-7409: Drop non-negotiating clients


@ -0,0 +1,99 @@
From 03e73f225c44daa067ff1c57845dcd4678897a49 Mon Sep 17 00:00:00 2001
From: Binbin Wu <binbin.wu@linux.intel.com>
Date: Fri, 12 Jan 2024 14:00:42 +0800
Subject: [PATCH] target/i386: add control bits support for LAM
commit 0117067131f99acaab4f4d2cca0290c5510e37cf upstream.
LAM uses CR3[61] and CR3[62] to configure/enable LAM on user pointers.
LAM uses CR4[28] to configure/enable LAM on supervisor pointers.
For CR3 LAM bits, no additional handling needed:
- TCG
LAM is not supported for TCG of target-i386. helper_write_crN() and
helper_vmrun() check max physical address bits before calling
cpu_x86_update_cr3(), no change needed, i.e. CR3 LAM bits are not allowed
to be set in TCG.
- gdbstub
x86_cpu_gdb_write_register() will call cpu_x86_update_cr3() to update cr3.
Allow gdb to set the LAM bit(s) to CR3, if vcpu doesn't support LAM,
KVM_SET_SREGS will fail as other reserved bits.
For CR4 LAM bit, its reservation depends on vcpu supporting LAM feature or
not.
- TCG
LAM is not supported for TCG of target-i386. helper_write_crN() and
helper_vmrun() check CR4 reserved bit before calling cpu_x86_update_cr4(),
i.e. CR4 LAM bit is not allowed to be set in TCG.
- gdbstub
x86_cpu_gdb_write_register() will call cpu_x86_update_cr4() to update cr4.
Mask out LAM bit on CR4 if vcpu doesn't support LAM.
- x86_cpu_reset_hold() doesn't need special handling.
Intel-SIG: commit 0117067131f9 target/i386: add control bits support for
LAM
Backport Qemu Linear Address Masking (LAM) support.
Signed-off-by: Binbin Wu <binbin.wu@linux.intel.com>
Tested-by: Xuelian Guo <xuelian.guo@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Message-ID: <20240112060042.19925-3-binbin.wu@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ Zhiquan Li: amend commit log ]
Signed-off-by: Zhiquan Li <zhiquan1.li@intel.com>
---
target/i386/cpu.h | 7 ++++++-
target/i386/helper.c | 4 ++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 8dbcb4a35f..b0666167d2 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -262,6 +262,7 @@ typedef enum X86Seg {
#define CR4_SMAP_MASK (1U << 21)
#define CR4_PKE_MASK (1U << 22)
#define CR4_PKS_MASK (1U << 24)
+#define CR4_LAM_SUP_MASK (1U << 28)
#define CR4_RESERVED_MASK \
(~(target_ulong)(CR4_VME_MASK | CR4_PVI_MASK | CR4_TSD_MASK \
@@ -270,7 +271,8 @@ typedef enum X86Seg {
| CR4_OSFXSR_MASK | CR4_OSXMMEXCPT_MASK | CR4_UMIP_MASK \
| CR4_LA57_MASK \
| CR4_FSGSBASE_MASK | CR4_PCIDE_MASK | CR4_OSXSAVE_MASK \
- | CR4_SMEP_MASK | CR4_SMAP_MASK | CR4_PKE_MASK | CR4_PKS_MASK))
+ | CR4_SMEP_MASK | CR4_SMAP_MASK | CR4_PKE_MASK | CR4_PKS_MASK \
+ | CR4_LAM_SUP_MASK))
#define DR6_BD (1 << 13)
#define DR6_BS (1 << 14)
@@ -2527,6 +2529,9 @@ static inline uint64_t cr4_reserved_bits(CPUX86State *env)
if (!(env->features[FEAT_7_0_ECX] & CPUID_7_0_ECX_PKS)) {
reserved_bits |= CR4_PKS_MASK;
}
+ if (!(env->features[FEAT_7_1_EAX] & CPUID_7_1_EAX_LAM)) {
+ reserved_bits |= CR4_LAM_SUP_MASK;
+ }
return reserved_bits;
}
diff --git a/target/i386/helper.c b/target/i386/helper.c
index 2070dd0dda..1da7a7d315 100644
--- a/target/i386/helper.c
+++ b/target/i386/helper.c
@@ -219,6 +219,10 @@ void cpu_x86_update_cr4(CPUX86State *env, uint32_t new_cr4)
new_cr4 &= ~CR4_PKS_MASK;
}
+ if (!(env->features[FEAT_7_1_EAX] & CPUID_7_1_EAX_LAM)) {
+ new_cr4 &= ~CR4_LAM_SUP_MASK;
+ }
+
env->cr[4] = new_cr4;
env->hflags = hflags;
--
2.41.0.windows.1
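Review bot: `cpu_x86_update_cr4()` now silently drops CR4.LAM_SUP when the vCPU does not enumerate LAM, mirroring the PKS handling just above it, but nothing at the site says why the bit is masked rather than rejected; the commit message explains this covers the gdbstub path while TCG rejects it earlier through `cr4_reserved_bits()`. A comment keeps that split visible: `/* LAM_SUP is reserved without CPUID.7.1:EAX.LAM; masked here for the gdbstub path, TCG rejects it via cr4_reserved_bits() first */`. Both hunks are inside functions that start outside the patch; the placement of the new macro in CR4_RESERVED_MASK matches the existing PKS entry.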


@ -0,0 +1,69 @@
From 8bc3dd094a9daa348d49436dc4d0867b7b514ba7 Mon Sep 17 00:00:00 2001
From: Robert Hoo <robert.hu@linux.intel.com>
Date: Fri, 12 Jan 2024 14:00:41 +0800
Subject: [PATCH] target/i386: add support for LAM in CPUID enumeration
commit ba6780905943696d790cc880c8e5684b51f027fe upstream.
Linear Address Masking (LAM) is a new Intel CPU feature, which allows
software to use of the untranslated address bits for metadata.
The bit definition:
CPUID.(EAX=7,ECX=1):EAX[26]
Add CPUID definition for LAM.
Note LAM feature is not supported for TCG of target-i386, LAM CPIUD bit
will not be added to TCG_7_1_EAX_FEATURES.
More info can be found in Intel ISE Chapter "LINEAR ADDRESS MASKING(LAM)"
https://cdrdv2.intel.com/v1/dl/getContent/671368
Intel-SIG: commit ba6780905943 target/i386: add support for LAM in CPUID
enumeration
Backport Qemu Linear Address Masking (LAM) support.
Signed-off-by: Robert Hoo <robert.hu@linux.intel.com>
Co-developed-by: Binbin Wu <binbin.wu@linux.intel.com>
Signed-off-by: Binbin Wu <binbin.wu@linux.intel.com>
Tested-by: Xuelian Guo <xuelian.guo@intel.com>
Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Message-ID: <20240112060042.19925-2-binbin.wu@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ Zhiquan Li: amend commit log ]
Signed-off-by: Zhiquan Li <zhiquan1.li@intel.com>
---
target/i386/cpu.c | 2 +-
target/i386/cpu.h | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 711370d9b8..19ebd49e8c 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -967,7 +967,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
"fsrc", NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
NULL, "amx-fp16", NULL, "avx-ifma",
- NULL, NULL, NULL, NULL,
+ NULL, NULL, "lam", NULL,
NULL, NULL, NULL, NULL,
},
.cpuid = {
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 6993552cd9..8dbcb4a35f 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -926,6 +926,8 @@ uint64_t x86_cpu_get_supported_feature_word(FeatureWord w,
#define CPUID_7_1_EAX_AMX_FP16 (1U << 21)
/* Support for VPMADD52[H,L]UQ */
#define CPUID_7_1_EAX_AVX_IFMA (1U << 23)
+/* Linear Address Masking */
+#define CPUID_7_1_EAX_LAM (1U << 26)
/* Support for VPDPB[SU,UU,SS]D[,S] */
#define CPUID_7_1_EDX_AVX_VNNI_INT8 (1U << 4)
--
2.41.0.windows.1
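Review bot: The new `CPUID_7_1_EAX_LAM` macro and the "lam" name slot are consistent with bit 26 (the row holding amx-fp16 at 21 and avx-ifma at 23 covers bits 20-23, so the next row is 24-27), but the header comment should carry the encoding the commit message gives so nobody has to count rows: `/* Linear Address Masking: CPUID.(EAX=7,ECX=1):EAX[26] */`. Since the bit is deliberately not added to TCG_7_1_EAX_FEATURES, the name is only usable with KVM and `-cpu ...,+lam` under TCG is presumably filtered as unsupported; that is expected but worth a sentence in the package changelog.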


@ -0,0 +1,41 @@
From a222f9c1eea20db470c55f534d85987df27a1654 Mon Sep 17 00:00:00 2001
From: Xu Zheng <xuzheng_yewu@cmss.chinamobile.com>
Date: Fri, 19 Jul 2024 22:45:21 +0800
Subject: [PATCH] target/sparc: use signed denominator in sdiv helper
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The result has to be done with the signed denominator (b32) instead of
the unsigned value passed in argument (b).
cherry-pick from 6b4965373e561b77f91cfbdf41353635c9661358
Fixes: 1326010322d6 ("target/sparc: Remove CC_OP_DIV")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2319
Signed-off-by: Clément Chigot <chigot@adacore.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20240606144331.698361-1-chigot@adacore.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit 6b4965373e561b77f91cfbdf41353635c9661358)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Xu Zheng <xuzheng_yewu@cmss.chinamobile.com>
---
target/sparc/helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/sparc/helper.c b/target/sparc/helper.c
index bd10b60e4b..8820c59e7c 100644
--- a/target/sparc/helper.c
+++ b/target/sparc/helper.c
@@ -121,7 +121,7 @@ uint64_t helper_sdiv(CPUSPARCState *env, target_ulong a, target_ulong b)
return (uint32_t)(b32 < 0 ? INT32_MAX : INT32_MIN) | (-1ull << 32);
}
- a64 /= b;
+ a64 /= b32;
r = a64;
if (unlikely(r != a64)) {
return (uint32_t)(a64 < 0 ? INT32_MIN : INT32_MAX) | (-1ull << 32);
--
2.41.0.windows.1
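Review bot: Dividing by the sign-extended `b32` instead of the `target_ulong` `b` is the real fix, but the reason the old line was wrong is subtle enough to deserve a comment: with an unsigned `b` the `/=` either promoted `a64` to unsigned or zero-extended a negative divisor, so negative divisors produced wrong quotients. Suggested: `/* divide by the signed 32-bit divisor; using the target_ulong b would make the division unsigned */`. The guards for `b32 == 0` and the INT64_MIN / -1 case presumably sit above the hunk, so please confirm they still run before this line; helper_sdiv starts outside the hunk.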


@ -0,0 +1,49 @@
From ef42d79d805e430e24df57d46c156f9a7e3e1bed Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Thu, 25 Jul 2024 14:11:12 +0800
Subject: [PATCH] vl: fix "type is NULL" in -vga help
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from a99dc9cd611cbaf10edee6260272e299626d0871
Don't pass NULL to module_object_class_by_name(), when the interface is
unavailable.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240715114420.2062870-1-marcandre.lureau@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
system/vl.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/system/vl.c b/system/vl.c
index 165c3cae8a..8e3357c578 100644
--- a/system/vl.c
+++ b/system/vl.c
@@ -994,9 +994,16 @@ static bool vga_interface_available(VGAInterfaceType t)
const VGAInterfaceInfo *ti = &vga_interfaces[t];
assert(t < VGA_TYPE_MAX);
- return !ti->class_names[0] ||
- module_object_class_by_name(ti->class_names[0]) ||
- module_object_class_by_name(ti->class_names[1]);
+
+ if (!ti->class_names[0] || module_object_class_by_name(ti->class_names[0])) {
+ return true;
+ }
+
+ if (ti->class_names[1] && module_object_class_by_name(ti->class_names[1])) {
+ return true;
+ }
+
+ return false;
}
static const char *
--
2.41.0.windows.1
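Review bot: The rewrite preserves that a NULL `class_names[0]` means "always available" and that `class_names[1]` is then never consulted, but that asymmetry is not obvious from two separate `if`s; a comment makes it explicit: `/* no primary class => built-in, always available; the second name is an optional fallback module */`. Separately, `ti = &vga_interfaces[t]` is computed on the line before `assert(t < VGA_TYPE_MAX)`, so the index is formed before it is bounds-checked; swapping those two lines costs nothing, though the ordering predates this patch. The function's signature is just above the hunk and its closing brace is inside it.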