diff --git a/hw-char-fix-qcode-array-bounds-check-in-ESCC-impl.patch b/hw-char-fix-qcode-array-bounds-check-in-ESCC-impl.patch
new file mode 100644
index 0000000..9a00eb1
--- /dev/null
+++ b/hw-char-fix-qcode-array-bounds-check-in-ESCC-impl.patch
@@ -0,0 +1,40 @@
+From 308cd236694ac13e2c45293b670b536b63765e62 Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Mon, 4 Sep 2023 07:27:24 +0000
+Subject: [PATCH] hw/char: fix qcode array bounds check in ESCC impl mainline
+ inclusion commit 9aaf11e7f2b5487b684e900cf164f0aef25f72ab category: bugfix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---------------------------------------------------------------
+
+There was an off-by-1 in the qcode conversion array bounds
+check.
+
+Fixes: e709a61a8fe1076a487376fd657544418a38ba06
+Reported-by: Peter Maydell
+Reviewed-by: Peter Maydell
+Signed-off-by: Daniel P. Berrangé
+
+Signed-off-by: tangbinzy
+---
+ hw/char/escc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/char/escc.c b/hw/char/escc.c
+index 8755d8d34f..17a908c59b 100644
+--- a/hw/char/escc.c
++++ b/hw/char/escc.c
+@@ -828,7 +828,7 @@ static void sunkbd_handle_event(DeviceState *dev, QemuConsole *src,
+ }
+ }
+
+- if (qcode > qemu_input_map_qcode_to_sun_len) {
++ if (qcode >= qemu_input_map_qcode_to_sun_len) {
+ return;
+ }
+
+--
+2.41.0.windows.1
+
diff --git a/hw-nvme-Avoid-dynamic-stack-allocation.patch b/hw-nvme-Avoid-dynamic-stack-allocation.patch
new file mode 100644
index 0000000..aaa5f74
--- /dev/null
+++ b/hw-nvme-Avoid-dynamic-stack-allocation.patch
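Review bot: The Subject: header of the added patch file is a run-on — the folded continuation line `+ inclusion commit 9aaf11e7f2b5487b684e900cf164f0aef25f72ab category: bugfix` shows that the "mainline inclusion / commit / category" metadata was written on the commit's title line instead of in its body, so `git am` will land a commit titled `hw/char: fix qcode array bounds check in ESCC impl mainline inclusion commit 9aaf… category: bugfix`. Regenerate the patch with the title on its own line, then a blank line, then `mainline inclusion`, `commit 9aaf11e7f2b5487b684e900cf164f0aef25f72ab` and `category: bugfix` as separate body lines. The code change itself is right: `qcode >= qemu_input_map_qcode_to_sun_len` is the correct rejection test for a zero-based index into qemu_input_map_qcode_to_sun; note that if qcode is a signed int and the length is unsigned (as in mainline), a negative qcode would still pass the comparison, which only matters if qemu_input_key_value_to_qcode() can return one — not verifiable from this hunk. sunkbd_handle_event starts and ends outside the hunk.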
@@ -0,0 +1,38 @@
+From aa1f9c961de247522e772275635b7f15bf5bb13f Mon Sep 17 00:00:00 2001
+From: dinglimin
+Date: Sat, 16 Sep 2023 17:20:08 +0800
+Subject: [PATCH] hw/nvme: Avoid dynamic stack allocation
+
+cheery-pick from b3c8246750b7077add335559341268f2956f6470
+
+Instead of using a variable-length array in nvme_map_prp(),
+allocate on the stack with a g_autofree pointer.
+
+The codebase has very few VLAs, and if we can get rid of them all we
+can make the compiler error on new additions. This is a defensive
+measure against security bugs where an on-stack dynamic allocation
+isn't correctly size-checked (e.g. CVE-2021-3527).
+
+Signed-off-by: Peter Maydell
+Signed-off-by: Klaus Jensen
+Signed-off-by: dinglimin_yewu
+---
+ hw/nvme/ctrl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
+index debd3916dd..d64dd9c361 100644
+--- a/hw/nvme/ctrl.c
++++ b/hw/nvme/ctrl.c
+@@ -702,7 +702,7 @@ static uint16_t nvme_map_prp(NvmeCtrl *n, NvmeSg *sg, uint64_t prp1,
+ len -= trans_len;
+ if (len) {
+ if (len > n->page_size) {
+- uint64_t prp_list[n->max_prp_ents];
++ g_autofree uint64_t *prp_list = g_new(uint64_t, n->max_prp_ents);
+ uint32_t nents, prp_trans;
+ int i = 0;
+
+--
+2.41.0.windows.1
+
diff --git a/ppc-vof-Fix-missed-fields-in-VOF-cleanup.patch b/ppc-vof-Fix-missed-fields-in-VOF-cleanup.patch
new file mode 100644
index 0000000..93498ae
--- /dev/null
+++ b/ppc-vof-Fix-missed-fields-in-VOF-cleanup.patch
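Review bot: The new `g_new(uint64_t, n->max_prp_ents)` moves the PRP list to the heap (the commit text still says "allocate on the stack", which no longer matches the code) but leaves the size unexplained, and since the stated motivation is exactly unchecked sizing of such buffers (CVE-2021-3527), a why-comment at the allocation would document the bound: `/* max_prp_ents is page_size / sizeof(uint64_t); page_size is fixed at controller start from CC.MPS, capped by CAP.MPSMAX */` — confirm that derivation against the controller-start code in this tree before committing to the wording. g_new() aborts rather than returning NULL on allocation failure, so no NULL check is needed here, and the buffer is still uninitialised exactly as the VLA was, so any later read of prp_list must stay within the entries actually DMA'd into it. nvme_map_prp begins and ends outside the hunk.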
@@ -0,0 +1,43 @@
+From 62083d43f24d801f74b8e0aee7693811c19a366d Mon Sep 17 00:00:00 2001
+From: qihao
+Date: Mon, 18 Sep 2023 15:26:28 +0800
+Subject: [PATCH] ppc/vof: Fix missed fields in VOF cleanup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cheery-pick from 7b8589d7ce7e23f26ff53338d575a5cbd7818e28
+
+Failing to reset the of_instance_last makes ihandle allocation continue
+to increase, which causes record-replay replay fail to match the
+recorded trace.
+
+Not resetting claimed_base makes VOF eventually run out of memory after
+some resets.
+
+Cc: Alexey Kardashevskiy
+Fixes: fc8c745d501 ("spapr: Implement Open Firmware client interface")
+Signed-off-by: Nicholas Piggin
+Reviewed-by: Alexey Kardashevskiy
+Signed-off-by: Cédric Le Goater
+Signed-off-by: qihao_yewu
+---
+ hw/ppc/vof.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/ppc/vof.c b/hw/ppc/vof.c
+index 73adc44ec2..b1aa0ceb8b 100644
+--- a/hw/ppc/vof.c
++++ b/hw/ppc/vof.c
+@@ -1026,6 +1026,8 @@ void vof_cleanup(Vof *vof)
+ }
+ vof->claimed = NULL;
+ vof->of_instances = NULL;
++ vof->of_instance_last = 0;
++ vof->claimed_base = 0;
+ }
+
+ void vof_build_dt(void *fdt, Vof *vof)
+--
+2.41.0.windows.1
+
diff --git a/qemu.spec b/qemu.spec
index 18fc734..4d5d797 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -3,7 +3,7 @@ Name: qemu
 Version: 6.2.0
-Release: 80
+Release: 81
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -565,6 +565,13 @@ Patch0550: vhost-Drop-unused-eventfd_add-del-hooks.patch
 Patch0551: chardev-report-the-handshake-error.patch
 Patch0552: hw-ssi-Fix-Linux-driver-init-issue-with-xilinx_spi.patch
 Patch0553: io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch
+Patch0554: hw-char-fix-qcode-array-bounds-check-in-ESCC-impl.patch
+Patch0555: tulip-Assign-default-MAC-address-if-not-specified.patch
+Patch0556: target-ppc-Fix-the-order-of-kvm_enable-judgment-abou.patch
+Patch0557: tests-qtest-pflash-Clean-up-local-variable-shadowing.patch
+Patch0558: ui-fix-crash-when-there-are-no-active_console.patch
+Patch0559: ppc-vof-Fix-missed-fields-in-VOF-cleanup.patch
+Patch0560: hw-nvme-Avoid-dynamic-stack-allocation.patch
 BuildRequires: flex
 BuildRequires: gcc
@@ -1138,6 +1145,15 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Mon Oct 30 2023 - 10:6.2.0-81
+- hw/nvme: Avoid dynamic stack allocation
+- ppc/vof: Fix missed fields in VOF cleanup
+- ui: fix crash when there are no active_console
+- tests/qtest/pflash: Clean up local variable shadowing
+- target/ppc: Fix the order of kvm_enable judgment about kvmppc_set_interrupt()
+- tulip: Assign default MAC address if not specified
+- hw/char: fix qcode array bounds check in ESCC impl
+
 * Sat Sep 9 2023 - 10:6.2.0-80
 - io: remove io watch if TLS channel is closed during handshake
 - hw/ssi: Fix Linux driver init issue with xilinx_spi
diff --git a/target-ppc-Fix-the-order-of-kvm_enable-judgment-abou.patch b/target-ppc-Fix-the-order-of-kvm_enable-judgment-abou.patch
new file mode 100644
index 0000000..9485b03
--- /dev/null
+++ b/target-ppc-Fix-the-order-of-kvm_enable-judgment-abou.patch
@@ -0,0 +1,57 @@
+From ba1e022f06300e6dafc7e89a4f3fe756dc9691dd Mon Sep 17 00:00:00 2001
+From: JianChunfu
+Date: Wed, 20 Sep 2023 18:58:00 +0800
+Subject: [PATCH] target/ppc: Fix the order of kvm_enable judgment about
+ kvmppc_set_interrupt()
+
+It's unnecessary for non-KVM accelerators(TCG, for example),
+to call this function, so change the order of kvm_enable() judgment.
+The static inline function that returns -1 directly does not work
+in TCG's situation.
+
+Signed-off-by: JianChunfu
+---
+ hw/ppc/ppc.c | 8 ++++++--
+ target/ppc/kvm.c | 2 +-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/hw/ppc/ppc.c b/hw/ppc/ppc.c
+index e8127599c9..cf90ab7805 100644
+--- a/hw/ppc/ppc.c
++++ b/hw/ppc/ppc.c
+@@ -66,7 +66,9 @@ void ppc_set_irq(PowerPCCPU *cpu, int n_IRQ, int level)
+ }
+
+ if (old_pending != env->pending_interrupts) {
+- kvmppc_set_interrupt(cpu, n_IRQ, level);
++ if (kvm_enabled()) {
++ kvmppc_set_interrupt(cpu, irq, level);
++ }
+ }
+
+
+@@ -1461,5 +1463,7 @@ void ppc_irq_reset(PowerPCCPU *cpu)
+ CPUPPCState *env = &cpu->env;
+
+ env->irq_input_state = 0;
+- kvmppc_set_interrupt(cpu, PPC_INTERRUPT_EXT, 0);
++ if (kvm_enabled()) {
++ kvmppc_set_interrupt(cpu, PPC_INTERRUPT_EXT, 0);
++ }
+ }
+diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
+index d73563045b..397b1e902b 100644
+--- a/target/ppc/kvm.c
++++ b/target/ppc/kvm.c
+@@ -1323,7 +1323,7 @@ int kvmppc_set_interrupt(PowerPCCPU *cpu, int irq, int level)
+ return 0;
+ }
+
+- if (!kvm_enabled() || !cap_interrupt_unset) {
++ if (!cap_interrupt_unset) {
+ return 0;
+ }
+
+--
+2.41.0.windows.1
+
diff --git a/tests-qtest-pflash-Clean-up-local-variable-shadowing.patch b/tests-qtest-pflash-Clean-up-local-variable-shadowing.patch
new file mode 100644
index 0000000..e33ee82
--- /dev/null
+++ b/tests-qtest-pflash-Clean-up-local-variable-shadowing.patch
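Review bot: The new call in ppc_set_irq passes `irq`, but in this tree the parameter is `n_IRQ` — the hunk header reads `void ppc_set_irq(PowerPCCPU *cpu, int n_IRQ, int level)` and the removed line used `n_IRQ` — so unless an `irq` local is declared somewhere outside the hunk this backport will fail to compile; the upstream commit was written against a tree where the parameter had already been renamed. The added line should read `kvmppc_set_interrupt(cpu, n_IRQ, level);`. Dropping `!kvm_enabled()` from kvmppc_set_interrupt() in kvm.c also shifts that responsibility to every caller; the two in hw/ppc/ppc.c are guarded here, but any other caller in the 6.2 tree should be audited rather than assumed. ppc_set_irq, ppc_irq_reset and kvmppc_set_interrupt all extend outside the hunk.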
@@ -0,0 +1,45 @@
+From 42e516ba6969b8f61d7e5e45a4f48f257fecf8e1 Mon Sep 17 00:00:00 2001
+From: dinglimin_yewu
+Date: Sat, 16 Sep 2023 17:56:31 +0800
+Subject: [PATCH] tests/qtest/pflash: Clean up local variable shadowing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry-pick from 82fdcd3e140c8d4c63f177ece554f90f2bccdf68
+
+Fix:
+
+ tests/qtest/pflash-cfi02-test.c: In function ‘test_geometry’:
+ tests/qtest/pflash-cfi02-test.c:409:22: warning: declaration of ‘byte_addr’ shadows a previous local [-Wshadow=compatible-local]
+ 409 | uint64_t byte_addr = (uint64_t)i * c->sector_len[region];
+ | ^~~~~~~~~
+ tests/qtest/pflash-cfi02-test.c:342:14: note: shadowed declaration is here
+ 342 | uint64_t byte_addr = 0;
+ | ^~~~~~~~~
+
+Signed-off-by: Philippe Mathieu-Daudé
+Message-ID: <20230904162824.85385-4-philmd@linaro.org>
+Reviewed-by: Peter Maydell
+Signed-off-by: Thomas Huth
+Signed-off-by: dinglimin_yewu
+---
+ tests/qtest/pflash-cfi02-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/qtest/pflash-cfi02-test.c b/tests/qtest/pflash-cfi02-test.c
+index 6168edc821..bd1f946fc0 100644
+--- a/tests/qtest/pflash-cfi02-test.c
++++ b/tests/qtest/pflash-cfi02-test.c
+@@ -406,7 +406,7 @@ static void test_geometry(const void *opaque)
+
+ for (int region = 0; region < nb_erase_regions; ++region) {
+ for (uint32_t i = 0; i < c->nb_blocs[region]; ++i) {
+- uint64_t byte_addr = (uint64_t)i * c->sector_len[region];
++ byte_addr = (uint64_t)i * c->sector_len[region];
+ g_assert_cmphex(flash_read(c, byte_addr), ==, bank_mask(c));
+ }
+ }
+--
+2.41.0.windows.1
+
diff --git a/tulip-Assign-default-MAC-address-if-not-specified.patch b/tulip-Assign-default-MAC-address-if-not-specified.patch
new file mode 100644
index 0000000..5bf8308
--- /dev/null
+++ b/tulip-Assign-default-MAC-address-if-not-specified.patch
@@ -0,0 +1,58 @@
+From 78b2167f1e2fadb4de930bf51c699247031c8880 Mon Sep 17 00:00:00 2001
+From: tangbinzy
+Date: Mon, 4 Sep 2023 08:27:33 +0000
+Subject: [PATCH] tulip: Assign default MAC address if not specified mainline
+ inclusion commit 052c2579b89b0d87debe8b05594b5180f0fde87d category: bugfix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---------------------------------------------------------------
+
+The MAC of the tulip card is stored in the EEPROM and at startup
+tulip_fill_eeprom() is called to initialize the EEPROM with the MAC
+address given on the command line, e.g.:
+ -device tulip,mac=00:11:22:33:44:55
+
+In case the mac address was not given on the command line,
+tulip_fill_eeprom() initializes the MAC in EEPROM with 00:00:00:00:00:00
+which breaks e.g. a HP-UX guest.
+
+Fix this problem by moving qemu_macaddr_default_if_unset() a few lines
+up, so that a default mac address is assigned before tulip_fill_eeprom()
+initializes the EEPROM.
+
+Signed-off-by: Helge Deller
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Jason Wang
+
+Signed-off-by: tangbinzy
+---
+ hw/net/tulip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/tulip.c b/hw/net/tulip.c
+index 5f8badefca..b9e42c322a 100644
+--- a/hw/net/tulip.c
++++ b/hw/net/tulip.c
+@@ -967,6 +967,8 @@ static void pci_tulip_realize(PCIDevice *pci_dev, Error **errp)
+ pci_conf = s->dev.config;
+ pci_conf[PCI_INTERRUPT_PIN] = 1; /* interrupt pin A */
+
++ qemu_macaddr_default_if_unset(&s->c.macaddr);
++
+ s->eeprom = eeprom93xx_new(&pci_dev->qdev, 64);
+ tulip_fill_eeprom(s);
+
+@@ -981,8 +983,6 @@ static void pci_tulip_realize(PCIDevice *pci_dev, Error **errp)
+
+ s->irq = pci_allocate_irq(&s->dev);
+
+- qemu_macaddr_default_if_unset(&s->c.macaddr);
+-
+ s->nic = qemu_new_nic(&net_tulip_info, &s->c,
+ object_get_typename(OBJECT(pci_dev)),
+ pci_dev->qdev.id, s);
+--
+2.41.0.windows.1
+
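Review bot: The Subject: header of this patch file has the same run-on as the ESCC one — the folded continuation `+ inclusion commit 052c2579b89b0d87debe8b05594b5180f0fde87d category: bugfix` means the "mainline inclusion / commit / category" metadata sits on the commit title line, so the resulting commit subject will be `tulip: Assign default MAC address if not specified mainline inclusion commit 052c… category: bugfix`. Regenerate it with the title alone on the first line, a blank line, then `mainline inclusion`, `commit 052c2579b89b0d87debe8b05594b5180f0fde87d` and `category: bugfix` as body lines. The code move itself is sound as far as the hunk shows: qemu_macaddr_default_if_unset() now runs before eeprom93xx_new()/tulip_fill_eeprom(), and the later qemu_new_nic() call still reads the same `&s->c`. pci_tulip_realize starts and ends outside the hunk.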
diff --git a/ui-fix-crash-when-there-are-no-active_console.patch b/ui-fix-crash-when-there-are-no-active_console.patch
new file mode 100644
index 0000000..0ed6594
--- /dev/null
+++ b/ui-fix-crash-when-there-are-no-active_console.patch
@@ -0,0 +1,42 @@
+From 89fda5a4410099a317bd1fcef56b130d6d97a2b5 Mon Sep 17 00:00:00 2001
+From: dinglimin_yewu
+Date: Sat, 16 Sep 2023 17:41:07 +0800
+Subject: [PATCH] ui: fix crash when there are no active_console
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cherry-pick from 48a35e12faf90a896c5aa4755812201e00d60316
+
+Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
+0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
+812 return con->hw_ops->ui_info != NULL;
+(gdb) bt
+
+Fixes:
+https://issues.redhat.com/browse/RHEL-2600
+
+Signed-off-by: Marc-André Lureau
+Reviewed-by: Albert Esteve
+Signed-off-by: dinglimin_yewu
+---
+ ui/console.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ui/console.c b/ui/console.c
+index 29a3e3f0f5..d22c3def20 100644
+--- a/ui/console.c
++++ b/ui/console.c
+@@ -1526,6 +1526,9 @@ bool dpy_ui_info_supported(QemuConsole *con)
+ con = active_console;
+ }
+
++ if (con == NULL) {
++ return false;
++ }
+ return con->hw_ops->ui_info != NULL;
+ }
+
+--
+2.41.0.windows.1
+
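Review bot: The new NULL check in dpy_ui_info_supported() is correct but undocumented, and the function now has two implicit contracts a reader has to reconstruct — a NULL `con` falls back to `active_console`, and "no console at all" is reported as "ui_info not supported" rather than an error; a comment above the added check such as `/* No active console yet (e.g. before any is registered): nothing can report ui_info. */` would keep the next cleanup from folding it away. Any caller that dereferences `active_console` directly instead of going through this function is not covered by the patch and would need the same guard; I cannot see those callers from this hunk. dpy_ui_info_supported starts outside the hunk.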