QEMU update to version 6.2.0-81(master)

- hw/nvme: Avoid dynamic stack allocation
- ppc/vof: Fix missed fields in VOF cleanup
- ui: fix crash when there are no active_console
- tests/qtest/pflash: Clean up local variable shadowing
- target/ppc: Fix the order of kvm_enable judgment about kvmppc_set_interrupt()
- tulip: Assign default MAC address if not specified
- hw/char: fix qcode array bounds check in ESCC impl

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
Jiabo Feng 2023-10-30 15:56:04 +08:00
parent 62adddcd0b
commit c98850e210
8 changed files with 340 additions and 1 deletions


@ -0,0 +1,40 @@
From 308cd236694ac13e2c45293b670b536b63765e62 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 4 Sep 2023 07:27:24 +0000
Subject: [PATCH] hw/char: fix qcode array bounds check in ESCC impl
mainline inclusion
commit 9aaf11e7f2b5487b684e900cf164f0aef25f72ab
category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
There was an off-by-1 in the qcode conversion array bounds
check.
Fixes: e709a61a8fe1076a487376fd657544418a38ba06
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/char/escc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/char/escc.c b/hw/char/escc.c
index 8755d8d34f..17a908c59b 100644
--- a/hw/char/escc.c
+++ b/hw/char/escc.c
@@ -828,7 +828,7 @@ static void sunkbd_handle_event(DeviceState *dev, QemuConsole *src,
}
}
- if (qcode > qemu_input_map_qcode_to_sun_len) {
+ if (qcode >= qemu_input_map_qcode_to_sun_len) {
return;
}
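Review bot: the corrected comparison in the `+` line is the right bound: with `>`, an index equal to `qemu_input_map_qcode_to_sun_len` passed the check and then indexed one element past the end of the qcode-to-sun translation table, which is exactly the off-by-one the message describes. Worth confirming in the same review that `qcode` cannot be negative at this point (a negative signed value would also pass a bare upper-bound check), so that this comparison is the only bound the table lookup relies on.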
--
2.41.0.windows.1


@ -0,0 +1,38 @@
From aa1f9c961de247522e772275635b7f15bf5bb13f Mon Sep 17 00:00:00 2001
From: dinglimin <dinglimin@cmss.chinamobile.com>
Date: Sat, 16 Sep 2023 17:20:08 +0800
Subject: [PATCH] hw/nvme: Avoid dynamic stack allocation
cherry-pick from b3c8246750b7077add335559341268f2956f6470
Instead of using a variable-length array in nvme_map_prp(),
allocate on the stack with a g_autofree pointer.
The codebase has very few VLAs, and if we can get rid of them all we
can make the compiler error on new additions. This is a defensive
measure against security bugs where an on-stack dynamic allocation
isn't correctly size-checked (e.g. CVE-2021-3527).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Signed-off-by: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
---
hw/nvme/ctrl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index debd3916dd..d64dd9c361 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -702,7 +702,7 @@ static uint16_t nvme_map_prp(NvmeCtrl *n, NvmeSg *sg, uint64_t prp1,
len -= trans_len;
if (len) {
if (len > n->page_size) {
- uint64_t prp_list[n->max_prp_ents];
+ g_autofree uint64_t *prp_list = g_new(uint64_t, n->max_prp_ents);
uint32_t nents, prp_trans;
int i = 0;
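Review bot: the message says the new code allocates "on the stack with a g_autofree pointer", but the `+` line replaces the VLA with a `g_new()` heap allocation that is freed automatically when `prp_list` goes out of scope; the description should say heap, not stack. The change itself is sound: `g_new()` aborts rather than returning NULL, so no NULL check is needed, and the buffer size is now whatever `n->max_prp_ents` is rather than a guest-influenced stack reservation. The cost is one heap allocation per PRP-list walk in the I/O path, which is worth a sentence in the message if this path is hot.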
--
2.41.0.windows.1


@ -0,0 +1,43 @@
From 62083d43f24d801f74b8e0aee7693811c19a366d Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Mon, 18 Sep 2023 15:26:28 +0800
Subject: [PATCH] ppc/vof: Fix missed fields in VOF cleanup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cherry-pick from 7b8589d7ce7e23f26ff53338d575a5cbd7818e28
Failing to reset the of_instance_last makes ihandle allocation continue
to increase, which causes record-replay replay fail to match the
recorded trace.
Not resetting claimed_base makes VOF eventually run out of memory after
some resets.
Cc: Alexey Kardashevskiy <aik@ozlabs.ru>
Fixes: fc8c745d501 ("spapr: Implement Open Firmware client interface")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/ppc/vof.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/ppc/vof.c b/hw/ppc/vof.c
index 73adc44ec2..b1aa0ceb8b 100644
--- a/hw/ppc/vof.c
+++ b/hw/ppc/vof.c
@@ -1026,6 +1026,8 @@ void vof_cleanup(Vof *vof)
}
vof->claimed = NULL;
vof->of_instances = NULL;
+ vof->of_instance_last = 0;
+ vof->claimed_base = 0;
}
void vof_build_dt(void *fdt, Vof *vof)
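Review bot: the two added assignments reset `of_instance_last` and `claimed_base` alongside the existing `claimed` and `of_instances` resets, which matches the two failure modes the message describes (ihandle numbers drifting between record and replay, and claim offsets leaking across resets). Since `vof_cleanup()` now resets each field by hand, consider whether any remaining `Vof` state is also reset-sensitive, or whether a single structure-wide reset after the lists are freed would be less fragile than adding fields one at a time.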
--
2.41.0.windows.1


@ -3,7 +3,7 @@
Name: qemu
Version: 6.2.0
Release: 80
Release: 81
Epoch: 10
Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -565,6 +565,13 @@ Patch0550: vhost-Drop-unused-eventfd_add-del-hooks.patch
Patch0551: chardev-report-the-handshake-error.patch
Patch0552: hw-ssi-Fix-Linux-driver-init-issue-with-xilinx_spi.patch
Patch0553: io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch
Patch0554: hw-char-fix-qcode-array-bounds-check-in-ESCC-impl.patch
Patch0555: tulip-Assign-default-MAC-address-if-not-specified.patch
Patch0556: target-ppc-Fix-the-order-of-kvm_enable-judgment-abou.patch
Patch0557: tests-qtest-pflash-Clean-up-local-variable-shadowing.patch
Patch0558: ui-fix-crash-when-there-are-no-active_console.patch
Patch0559: ppc-vof-Fix-missed-fields-in-VOF-cleanup.patch
Patch0560: hw-nvme-Avoid-dynamic-stack-allocation.patch
BuildRequires: flex
BuildRequires: gcc
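Review bot: the seven new `Patch0554` to `Patch0560` entries continue the existing numbering without gaps; check that `%prep` applies them (automatic with `%autosetup`/`%autopatch`, but if the spec lists `%patch` lines explicitly each new patch needs one). All seven are backports of upstream commits, so citing the upstream commit ids in the changelog entry would make the backport traceable from the package alone.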
@ -1138,6 +1145,15 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Mon Oct 30 2023 <fengjiabo1@huawei.com> - 10:6.2.0-81
- hw/nvme: Avoid dynamic stack allocation
- ppc/vof: Fix missed fields in VOF cleanup
- ui: fix crash when there are no active_console
- tests/qtest/pflash: Clean up local variable shadowing
- target/ppc: Fix the order of kvm_enable judgment about kvmppc_set_interrupt()
- tulip: Assign default MAC address if not specified
- hw/char: fix qcode array bounds check in ESCC impl
* Sat Sep 9 2023 <fengjiabo1@huawei.com> - 10:6.2.0-80
- io: remove io watch if TLS channel is closed during handshake
- hw/ssi: Fix Linux driver init issue with xilinx_spi


@ -0,0 +1,57 @@
From ba1e022f06300e6dafc7e89a4f3fe756dc9691dd Mon Sep 17 00:00:00 2001
From: JianChunfu <chunfu.jian@shingroup.cn>
Date: Wed, 20 Sep 2023 18:58:00 +0800
Subject: [PATCH] target/ppc: Fix the order of kvm_enable judgment about
kvmppc_set_interrupt()
It's unnecessary for non-KVM accelerators (TCG, for example)
to call this function, so change the order of kvm_enable() judgment.
The static inline function that returns -1 directly does not work
in TCG's situation.
Signed-off-by: JianChunfu <chunfu.jian@shingroup.cn>
---
hw/ppc/ppc.c | 8 ++++++--
target/ppc/kvm.c | 2 +-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/ppc/ppc.c b/hw/ppc/ppc.c
index e8127599c9..cf90ab7805 100644
--- a/hw/ppc/ppc.c
+++ b/hw/ppc/ppc.c
@@ -66,7 +66,9 @@ void ppc_set_irq(PowerPCCPU *cpu, int n_IRQ, int level)
}
if (old_pending != env->pending_interrupts) {
- kvmppc_set_interrupt(cpu, n_IRQ, level);
+ if (kvm_enabled()) {
+ kvmppc_set_interrupt(cpu, irq, level);
+ }
}
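Review bot: the replacement call passes `irq` as the second argument, but the function's parameter, as shown in the hunk header, is `n_IRQ`, and the removed line used `n_IRQ`; unless `irq` is a local declared above this hunk, this will not compile. The rename is unrelated to the stated purpose of the patch, so keep the argument as `n_IRQ` and only add the `kvm_enabled()` guard.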
@@ -1461,5 +1463,7 @@ void ppc_irq_reset(PowerPCCPU *cpu)
CPUPPCState *env = &cpu->env;
env->irq_input_state = 0;
- kvmppc_set_interrupt(cpu, PPC_INTERRUPT_EXT, 0);
+ if (kvm_enabled()) {
+ kvmppc_set_interrupt(cpu, PPC_INTERRUPT_EXT, 0);
+ }
}
diff --git a/target/ppc/kvm.c b/target/ppc/kvm.c
index d73563045b..397b1e902b 100644
--- a/target/ppc/kvm.c
+++ b/target/ppc/kvm.c
@@ -1323,7 +1323,7 @@ int kvmppc_set_interrupt(PowerPCCPU *cpu, int irq, int level)
return 0;
}
- if (!kvm_enabled() || !cap_interrupt_unset) {
+ if (!cap_interrupt_unset) {
return 0;
}
--
2.41.0.windows.1


@ -0,0 +1,45 @@
From 42e516ba6969b8f61d7e5e45a4f48f257fecf8e1 Mon Sep 17 00:00:00 2001
From: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
Date: Sat, 16 Sep 2023 17:56:31 +0800
Subject: [PATCH] tests/qtest/pflash: Clean up local variable shadowing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cherry-pick from 82fdcd3e140c8d4c63f177ece554f90f2bccdf68
Fix:
tests/qtest/pflash-cfi02-test.c: In function test_geometry:
tests/qtest/pflash-cfi02-test.c:409:22: warning: declaration of byte_addr shadows a previous local [-Wshadow=compatible-local]
409 | uint64_t byte_addr = (uint64_t)i * c->sector_len[region];
| ^~~~~~~~~
tests/qtest/pflash-cfi02-test.c:342:14: note: shadowed declaration is here
342 | uint64_t byte_addr = 0;
| ^~~~~~~~~
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20230904162824.85385-4-philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
---
tests/qtest/pflash-cfi02-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/qtest/pflash-cfi02-test.c b/tests/qtest/pflash-cfi02-test.c
index 6168edc821..bd1f946fc0 100644
--- a/tests/qtest/pflash-cfi02-test.c
+++ b/tests/qtest/pflash-cfi02-test.c
@@ -406,7 +406,7 @@ static void test_geometry(const void *opaque)
for (int region = 0; region < nb_erase_regions; ++region) {
for (uint32_t i = 0; i < c->nb_blocs[region]; ++i) {
- uint64_t byte_addr = (uint64_t)i * c->sector_len[region];
+ byte_addr = (uint64_t)i * c->sector_len[region];
g_assert_cmphex(flash_read(c, byte_addr), ==, bank_mask(c));
}
}
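Review bot: the `+` line now assigns to the outer `byte_addr` declared earlier in `test_geometry` (the line-342 declaration cited in the message), so after the nested loops that variable holds the last sector address computed rather than the value it had before the loops. Confirm that nothing after this hunk in `test_geometry` reads `byte_addr` expecting the earlier value; if it does, renaming the inner variable is the safer way to silence the shadowing warning.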
--
2.41.0.windows.1


@ -0,0 +1,58 @@
From 78b2167f1e2fadb4de930bf51c699247031c8880 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 4 Sep 2023 08:27:33 +0000
Subject: [PATCH] tulip: Assign default MAC address if not specified
mainline inclusion
commit 052c2579b89b0d87debe8b05594b5180f0fde87d
category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
The MAC of the tulip card is stored in the EEPROM and at startup
tulip_fill_eeprom() is called to initialize the EEPROM with the MAC
address given on the command line, e.g.:
-device tulip,mac=00:11:22:33:44:55
In case the mac address was not given on the command line,
tulip_fill_eeprom() initializes the MAC in EEPROM with 00:00:00:00:00:00
which breaks e.g. a HP-UX guest.
Fix this problem by moving qemu_macaddr_default_if_unset() a few lines
up, so that a default mac address is assigned before tulip_fill_eeprom()
initializes the EEPROM.
Signed-off-by: Helge Deller <deller@gmx.de>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/net/tulip.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/net/tulip.c b/hw/net/tulip.c
index 5f8badefca..b9e42c322a 100644
--- a/hw/net/tulip.c
+++ b/hw/net/tulip.c
@@ -967,6 +967,8 @@ static void pci_tulip_realize(PCIDevice *pci_dev, Error **errp)
pci_conf = s->dev.config;
pci_conf[PCI_INTERRUPT_PIN] = 1; /* interrupt pin A */
+ qemu_macaddr_default_if_unset(&s->c.macaddr);
+
s->eeprom = eeprom93xx_new(&pci_dev->qdev, 64);
tulip_fill_eeprom(s);
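Review bot: moving `qemu_macaddr_default_if_unset()` ahead of `eeprom93xx_new()` and `tulip_fill_eeprom()` is the minimal correct fix, since the EEPROM image is built from `s->c.macaddr` and the default has to be assigned before it is read. A regression qtest that instantiates `tulip` without `mac=` and checks that the MAC the guest reads back is non-zero would keep this ordering from silently regressing again.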
@@ -981,8 +983,6 @@ static void pci_tulip_realize(PCIDevice *pci_dev, Error **errp)
s->irq = pci_allocate_irq(&s->dev);
- qemu_macaddr_default_if_unset(&s->c.macaddr);
-
s->nic = qemu_new_nic(&net_tulip_info, &s->c,
object_get_typename(OBJECT(pci_dev)),
pci_dev->qdev.id, s);
--
2.41.0.windows.1


@ -0,0 +1,42 @@
From 89fda5a4410099a317bd1fcef56b130d6d97a2b5 Mon Sep 17 00:00:00 2001
From: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
Date: Sat, 16 Sep 2023 17:41:07 +0800
Subject: [PATCH] ui: fix crash when there are no active_console
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cherry-pick from 48a35e12faf90a896c5aa4755812201e00d60316
Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
812 return con->hw_ops->ui_info != NULL;
(gdb) bt
Fixes: https://issues.redhat.com/browse/RHEL-2600
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Albert Esteve <aesteve@redhat.com>
Signed-off-by: dinglimin_yewu <dinglimin_yewu@cmss.chinamobile.com>
---
ui/console.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ui/console.c b/ui/console.c
index 29a3e3f0f5..d22c3def20 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -1526,6 +1526,9 @@ bool dpy_ui_info_supported(QemuConsole *con)
con = active_console;
}
+ if (con == NULL) {
+ return false;
+ }
return con->hw_ops->ui_info != NULL;
}
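Review bot: the NULL guard is correct for the crash shown (con=0x0 at the `con->hw_ops->ui_info` dereference): when no console is passed and `active_console` is also NULL, the function now reports that UI info is unsupported instead of faulting. If the same `con = active_console;` fallback is used by other dpy_* helpers in ui/console.c, they should be checked for the same unguarded dereference, since the trigger here is simply having no console registered.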
--
2.41.0.windows.1