packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rebase qemu to 4.1.0 version

Browse Source 
Signed-off-by: Ying Fang <fangying1@huawei.com>
This commit is contained in:
Ying Fang 2020-05-12 10:31:40 +08:00
parent 9750247ab0
commit cbfda6760e
27 changed files with 755 additions and 951 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
ARM-KVM-Check-KVM_CAP_ARM_IRQ_LINE_LAYOUT_2-for-smp.patch Normal file
View File

@ -0,0 +1,64 @@
From e3a7ec839fa4f823666d726989c375dcf73348a4 Mon Sep 17 00:00:00 2001
From: Ying Fang <fangying1@huawei.com>
Date: Wed, 15 Apr 2020 16:14:50 +0800
Subject: [PATCH] ARM: KVM: Check KVM_CAP_ARM_IRQ_LINE_LAYOUT_2 for smp_cpus >
256
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Host kernel within [4.18, 5.3] report an erroneous KVM_MAX_VCPUS=512
for ARM. The actual capability to instantiate more than 256 vcpus
was fixed in 5.4 with the upgrade of the KVM_IRQ_LINE ABI to support
vcpu id encoded on 12 bits instead of 8 and a redistributor consuming
a single KVM IO device instead of 2.
So let's check this capability when attempting to use more than 256
vcpus within any ARM kvm accelerated machine.
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Andrew Jones <drjones@redhat.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Message-id: 20191003154640.22451-4-eric.auger@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry-picked from commit fff9f5558d0e0813d4f80bfe1602acf225eca4fd)
[yu: Use the legacy smp_cpus instead of ms->smp.cpus, as we don't have
¦struct CpuTopology in MachineState at that time. See commit
¦edeeec911702 for details.]
Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
---
target/arm/kvm.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/target/arm/kvm.c b/target/arm/kvm.c
index 50e86f8b..cc7a46df 100644
--- a/target/arm/kvm.c
+++ b/target/arm/kvm.c
@@ -173,6 +173,8 @@ int kvm_arm_get_max_vm_ipa_size(MachineState *ms)
int kvm_arch_init(MachineState *ms, KVMState *s)
{
+ int ret = 0;
+ unsigned int smp_cpus = ms->smp.cpus;
/* For ARM interrupt delivery is always asynchronous,
* whether we are using an in-kernel VGIC or not.
*/
@@ -186,7 +188,14 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
cap_has_mp_state = kvm_check_extension(s, KVM_CAP_MP_STATE);
- return 0;
+ if (smp_cpus > 256 &&
+ !kvm_check_extension(s, KVM_CAP_ARM_IRQ_LINE_LAYOUT_2)) {
+ error_report("Using more than 256 vcpus requires a host kernel "
+ "with KVM_CAP_ARM_IRQ_LINE_LAYOUT_2");
+ ret = -EINVAL;
+ }
+
+ return ret;
}
unsigned long kvm_arch_vcpu_id(CPUState *cpu)
--
2.23.0

134
ARM64-record-vtimer-tick-when-cpu-is-stopped.patch
View File

@ -1,134 +0,0 @@
From d2fd6d1a5200b9a58863839d21d291cd4f76ac31 Mon Sep 17 00:00:00 2001
From: Ying Fang <fangying1@huawei.com>
Date: Mon, 29 Jul 2019 15:47:27 +0800
Subject: [PATCH] ARM64: record vtimer tick when cpu is stopped
The vtimer kick still increases even if the vcpu is stopped when VM has
save/restore or suspend/resume operation. This will cause guest watchdog
soft-lockup if the VM has lots of memory in use.
Signed-off-by: Hao Hong <honghao5@huawei.com>
Signed-off-by: Haibin Wang <wanghaibin.wang@huawei.com>
Signed-off-by: Ying Fang <fangying1@huawei.com>
---
cpus.c | 58 ++++++++++++++++++++++++++++++++++++++++++++
target/arm/cpu.h | 2 ++
target/arm/machine.c | 1 +
3 files changed, 61 insertions(+)
diff --git a/cpus.c b/cpus.c
index e83f72b4..f6ec48a2 100644
--- a/cpus.c
+++ b/cpus.c
@@ -1063,6 +1063,28 @@ void cpu_synchronize_all_pre_loadvm(void)
}
}
+#ifdef __aarch64__
+static void get_vcpu_timer_tick(CPUState *cs)
+{
+ CPUARMState *env = &ARM_CPU(cs)->env;
+ int err;
+ struct kvm_one_reg reg;
+ uint64_t timer_tick;
+
+ reg.id = KVM_REG_ARM_TIMER_CNT;
+ reg.addr = (uintptr_t) &timer_tick;
+
+ err = kvm_vcpu_ioctl(cs, KVM_GET_ONE_REG, &reg);
+ if (err < 0) {
+ error_report("get vcpu tick failed, ret = %d", err);
+ env->vtimer = 0;
+ return;
+ }
+ env->vtimer = timer_tick;
+ return;
+}
+#endif
+
static int do_vm_stop(RunState state, bool send_stop)
{
int ret = 0;
@@ -1070,6 +1092,11 @@ static int do_vm_stop(RunState state, bool send_stop)
if (runstate_is_running()) {
cpu_disable_ticks();
pause_all_vcpus();
+#ifdef __aarch64__
+ if (first_cpu) {
+ get_vcpu_timer_tick(first_cpu);
+ }
+#endif
runstate_set(state);
vm_state_notify(0, state);
if (send_stop) {
@@ -1909,11 +1936,42 @@ void cpu_resume(CPUState *cpu)
qemu_cpu_kick(cpu);
}
+#ifdef __aarch64__
+static void set_vcpu_timer_tick(CPUState *cs)
+{
+ CPUARMState *env = &ARM_CPU(cs)->env;
+
+ if (env->vtimer == 0) {
+ return;
+ }
+
+ int err;
+ struct kvm_one_reg reg;
+ uint64_t timer_tick = env->vtimer;
+ env->vtimer = 0;
+
+ reg.id = KVM_REG_ARM_TIMER_CNT;
+ reg.addr = (uintptr_t) &timer_tick;
+
+ err = kvm_vcpu_ioctl(cs, KVM_SET_ONE_REG, &reg);
+ if (err < 0) {
+ error_report("Set vcpu tick failed, ret = %d", err);
+ return;
+ }
+ return;
+}
+#endif
+
void resume_all_vcpus(void)
{
CPUState *cpu;
qemu_clock_enable(QEMU_CLOCK_VIRTUAL, true);
+#ifdef __aarch64__
+ if (first_cpu) {
+ set_vcpu_timer_tick(first_cpu);
+ }
+#endif
CPU_FOREACH(cpu) {
cpu_resume(cpu);
}
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index d4d28369..e107e395 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -270,6 +270,8 @@ typedef struct CPUARMState {
uint64_t elr_el[4]; /* AArch64 exception link regs */
uint64_t sp_el[4]; /* AArch64 banked stack pointers */
+ uint64_t vtimer; /* Timer tick when vcpu stop */
+
/* System control coprocessor (cp15) */
struct {
uint32_t c0_cpuid;
diff --git a/target/arm/machine.c b/target/arm/machine.c
index b2925496..d64a0057 100644
--- a/target/arm/machine.c
+++ b/target/arm/machine.c
@@ -792,6 +792,7 @@ const VMStateDescription vmstate_arm_cpu = {
VMSTATE_UINT32(env.exception.syndrome, ARMCPU),
VMSTATE_UINT32(env.exception.fsr, ARMCPU),
VMSTATE_UINT64(env.exception.vaddress, ARMCPU),
+ VMSTATE_UINT64(env.vtimer, ARMCPU),
VMSTATE_TIMER_PTR(gt_timer[GTIMER_PHYS], ARMCPU),
VMSTATE_TIMER_PTR(gt_timer[GTIMER_VIRT], ARMCPU),
{
--
2.23.0

44
Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
View File

@ -1,44 +0,0 @@
From 477c7aea5f2f9090c016c0a9813dc5901bd1b66a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Fri, 24 Apr 2020 11:36:41 +0800
Subject: [PATCH] Fix use-afte-free in ip_reass() (CVE-2020-1983)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The q pointer is updated when the mbuf data is moved from m_dat to
m_ext.
m_ext buffer may also be realloc()'ed and moved during m_cat():
q should also be updated in this case.
Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
index 89ae04e0..7fdde631 100644
--- a/slirp/src/ip_input.c
+++ b/slirp/src/ip_input.c
@@ -333,7 +333,7 @@ insert:
q = fp->frag_link.next;
m = dtom(slirp, q);
- int was_ext = m->m_flags & M_EXT;
+ int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
q = (struct ipasfrag *) q->ipf_next;
while (q != (struct ipasfrag*)&fp->frag_link) {
@@ -356,8 +356,7 @@ insert:
* then an m_ext buffer was alloced. But fp->ipq_next points to the old
* buffer (in the mbuf), so we must point ip into the new buffer.
*/
- if (!was_ext && m->m_flags & M_EXT) {
- int delta = (char *)q - m->m_dat;
+ if (m->m_flags & M_EXT) {
q = (struct ipasfrag *)(m->m_ext + delta);
}
--
2.23.0

24
aio-wait-delegate-polling-of-main-AioContext-if-BQL-not-held.patch
View File

@ -1,8 +1,7 @@
From a2bae876b7f694b12073bac8ad6668e4d975ad88 Mon Sep 17 00:00:00 2001
From: Ying Fang <fangying1@huawei.com>
Date: Fri, 10 Apr 2020 16:08:19 +0000
Subject: [PATCH 1/2] aio-wait: delegate polling of main AioContext if BQL not
held
From 929d29ec7bf9dd6ec3802bea2148a041ff30d59b Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 14 Apr 2020 21:17:09 +0800
Subject: [PATCH] aio-wait: delegate polling of main AioContext if BQL not held
Any thread that is not a iothread returns NULL for qemu_get_current_aio_context().
As a result, it would also return true for
@ -20,8 +19,6 @@ The function is moved to aio-wait.h because it is mostly used
there and to avoid a circular reference between main-loop.h
and block/aio.h.
upstream_url: https://patchwork.kernel.org/patch/11482099/
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20200407140746.8041-5-pbonzini@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
@ -31,7 +28,7 @@ Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2 files changed, 32 insertions(+), 19 deletions(-)
diff --git a/include/block/aio-wait.h b/include/block/aio-wait.h
index afd0ff7e..d349e7e3 100644
index afeeb18f..716d2639 100644
--- a/include/block/aio-wait.h
+++ b/include/block/aio-wait.h
@@ -26,6 +26,7 @@
@ -67,12 +64,12 @@ index afd0ff7e..d349e7e3 100644
+ }
+}
+
#endif /* QEMU_AIO_WAIT */
#endif /* QEMU_AIO_WAIT_H */
diff --git a/include/block/aio.h b/include/block/aio.h
index 0ca25dfe..c527893b 100644
index 6b0d52f7..9d28e247 100644
--- a/include/block/aio.h
+++ b/include/block/aio.h
@@ -61,12 +61,16 @@ struct AioContext {
@@ -60,12 +60,16 @@ struct AioContext {
QLIST_HEAD(, AioHandler) aio_handlers;
/* Used to avoid unnecessary event_notifier_set calls in aio_notify;
@ -95,7 +92,7 @@ index 0ca25dfe..c527893b 100644
*
* Bit 0 is reserved for GSource usage of the AioContext, and is 1
* between a call to aio_ctx_prepare and the next call to aio_ctx_check.
@@ -581,19 +585,6 @@ void aio_co_enter(AioContext *ctx, struct Coroutine *co);
@@ -580,19 +584,6 @@ void aio_co_enter(AioContext *ctx, struct Coroutine *co);
*/
AioContext *qemu_get_current_aio_context(void);
@ -116,5 +113,4 @@ index 0ca25dfe..c527893b 100644
* aio_context_setup:
* @ctx: the aio context
--
2.25.2
2.23.0

24
bios-tables-test-prepare-to-change-ARM-virt-ACPI-DSDT.patch Normal file
View File

@ -0,0 +1,24 @@
From 2892a4b1f7dfc75e06d0ce770d44a062b6334eb0 Mon Sep 17 00:00:00 2001
From: Ying Fang <fangying1@huawei.com>
Date: Wed, 15 Apr 2020 17:03:54 +0800
Subject: [PATCH] bios-tables-test: prepare to change ARM virt ACPI DSDT
We will change ARM virt ACPI DSDT table in order to add the cpufreq device,
which use ACPI CPPC to show CPU frequency info to guest.
Signed-off-by: Ying Fang <fangying1@huawei.com>
---
tests/bios-tables-test-allowed-diff.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tests/bios-tables-test-allowed-diff.h b/tests/bios-tables-test-allowed-diff.h
index dfb8523c..32a401ae 100644
--- a/tests/bios-tables-test-allowed-diff.h
+++ b/tests/bios-tables-test-allowed-diff.h
@@ -1 +1,4 @@
/* List of comma-separated changed AML files to ignore */
+"tests/data/acpi/virt/DSDT",
+"tests/data/acpi/virt/DSDT.memhp",
+"tests/data/acpi/virt/DSDT.numamem",
--
2.23.0

3
cpu-add-Kunpeng-920-cpu-support.patch
View File

@ -3,6 +3,8 @@ From: Xu Yandong <xuyandong2@huawei.com>
Date: Wed, 28 Aug 2019 01:36:21 -0400
Subject: [PATCH] cpu: add Kunpeng-920 cpu support
Add the Kunpeng-920 CPU model.
Signed-off-by: Xu Yandong <xuyandong2@huawei.com>
---
hw/arm/virt.c | 1 +
@ -62,4 +64,3 @@ index 228906f2..5581d5e1 100644
};
--
2.19.1

5
cpu-parse-feature-to-avoid-failure.patch
View File

@ -1,8 +1,11 @@
From ba1ca232cfa2ca273c610beda40bee2143f11964 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
From: Xu Yandong <xuyandong2@huawei.com>
Date: Tue, 3 Sep 2019 16:27:39 +0800
Subject: [PATCH] cpu: parse +/- feature to avoid failure
To avoid cpu feature parse failuer, +/- feature is added.
Signed-off-by: Xu Yandong <xuyandong2@huawei.com>
---
target/arm/cpu64.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)

89
hw-arm-expose-host-CPU-frequency-info-to-guest.patch
View File

@ -1,54 +1,57 @@
From 773b25c55c7428b64d21b23a6b08fc629a665ca5 Mon Sep 17 00:00:00 2001
From: zhanghailiang <zhang.zhanghailiang@huawei.com>
Date: Mon, 29 Jul 2019 09:54:43 +0800
Subject: [PATCH] hw/arm: expose host CPU frequency info to guest
From b70d020dba72283d7b16a77c377512c84aab5f81 Mon Sep 17 00:00:00 2001
From: Ying Fang <fangying1@huawei.com>
Date: Mon, 20 Apr 2020 10:38:12 +0800
Subject: [PATCH] arm64: Add the cpufreq device to show cpufreq info to guest
On ARM64, CPU frequency is fetched by ACPI CPPC, so we add virtual
CPPC registers and ACPI _CPC objects.
On ARM64 platform, cpu frequency is retrieved via ACPI CPPC.
A virtual cpufreq device based on ACPI CPPC is created to
present cpu frequency info to the guest.
The default frequency is set to the nominal frequency of Hi1616, which
will not support CPPC in future. On Hi1620 we are fetching the value
from Host CPPC sys file.
The default frequency is set to host cpu nominal frequency,
which is obtained from the host CPPC sysfs. Other performance
data are set to the same value, since we don't support guest
performance scaling here.
All performance data are set to the same value for we don't support
guest initiating performance scaling.
We don't emulate performance counters and simply return 1 for all
counter readings, and guest Linux should fall back to use the desired
Performance counters are also not emulated and they simply
return 1 if read, and guest should fallback to use desired
performance value as the current performance.
Signed-off-by: Heyi Guo <guoheyi@huawei.com>
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Guest kernel version above 4.18 is required to make it work.
This series is backported from:
https://patchwork.kernel.org/cover/11379943/
Signed-off-by: Ying Fang <fangying1@huawei.com>
---
default-configs/aarch64-softmmu.mak | 1 +
hw/acpi/Makefile.objs | 1 +
hw/acpi/aml-build.c | 22 +++
hw/acpi/cpufreq.c | 278 ++++++++++++++++++++++++++++
hw/acpi/cpufreq.c | 287 ++++++++++++++++++++++++++++
hw/arm/virt-acpi-build.c | 78 +++++++-
hw/arm/virt.c | 13 ++
hw/char/Kconfig | 4 +
include/hw/acpi/acpi-defs.h | 38 ++++
include/hw/acpi/aml-build.h | 3 +
include/hw/arm/virt.h | 1 +
10 files changed, 437 insertions(+), 2 deletions(-)
10 files changed, 446 insertions(+), 2 deletions(-)
create mode 100644 hw/acpi/cpufreq.c
diff --git a/default-configs/aarch64-softmmu.mak b/default-configs/aarch64-softmmu.mak
index 4ea9add0..37399c14 100644
index 958b1e08..0a030e85 100644
--- a/default-configs/aarch64-softmmu.mak
+++ b/default-configs/aarch64-softmmu.mak
@@ -10,3 +10,4 @@ CONFIG_XLNX_ZYNQMP=y
@@ -6,3 +6,4 @@ include arm-softmmu.mak
CONFIG_XLNX_ZYNQMP_ARM=y
CONFIG_XLNX_VERSAL=y
CONFIG_ARM_SMMUV3=y
CONFIG_SBSA_REF=y
+CONFIG_CPUFREQ=y
diff --git a/hw/acpi/Makefile.objs b/hw/acpi/Makefile.objs
index 2d46e378..60979db9 100644
index 9bb2101e..1a720c38 100644
--- a/hw/acpi/Makefile.objs
+++ b/hw/acpi/Makefile.objs
@@ -12,6 +12,7 @@ common-obj-y += acpi_interface.o
common-obj-y += bios-linker-loader.o
common-obj-y += aml-build.o
@@ -13,6 +13,7 @@ common-obj-y += bios-linker-loader.o
common-obj-y += aml-build.o utils.o
common-obj-$(CONFIG_ACPI_PCI) += pci.o
common-obj-$(CONFIG_TPM) += tpm.o
+common-obj-$(CONFIG_CPUFREQ) += cpufreq.o
@ -89,10 +92,10 @@ index 555c24f2..73f97751 100644
int hi, lo;
diff --git a/hw/acpi/cpufreq.c b/hw/acpi/cpufreq.c
new file mode 100644
index 00000000..c123a22b
index 00000000..d02a25a6
--- /dev/null
+++ b/hw/acpi/cpufreq.c
@@ -0,0 +1,278 @@
@@ -0,0 +1,287 @@
+/*
+ * ACPI CPPC register device
+ *
@ -124,6 +127,7 @@ index 00000000..c123a22b
+#include "hw/acpi/acpi-defs.h"
+#include "qemu/cutils.h"
+#include "qemu/error-report.h"
+#include "hw/boards.h"
+
+#define TYPE_CPUFREQ "cpufreq"
+#define CPUFREQ(obj) OBJECT_CHECK(CpuhzState, (obj), TYPE_CPUFREQ)
@ -189,6 +193,9 @@ index 00000000..c123a22b
+ uint64_t r;
+ uint64_t n;
+
+ MachineState *ms = MACHINE(qdev_get_machine());
+ unsigned int smp_cpus = ms->smp.cpus;
+
+ if (offset >= smp_cpus * CPPC_REG_PER_CPU_STRIDE) {
+ warn_report("cpufreq_read: offset 0x%lx out of range", offset);
+ return 0;
@ -258,6 +265,8 @@ index 00000000..c123a22b
+ uint64_t value, unsigned size)
+{
+ uint64_t n;
+ MachineState *ms = MACHINE(qdev_get_machine());
+ unsigned int smp_cpus = ms->smp.cpus;
+
+ if (offset >= smp_cpus * CPPC_REG_PER_CPU_STRIDE) {
+ error_printf("cpufreq_write: offset 0x%lx out of range", offset);
@ -339,6 +348,9 @@ index 00000000..c123a22b
+ SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
+ CpuhzState *s = CPUFREQ(obj);
+
+ MachineState *ms = MACHINE(qdev_get_machine());
+ unsigned int smp_cpus = ms->smp.cpus;
+
+ s->reg_size = smp_cpus * CPPC_REG_PER_CPU_STRIDE;
+ if (s->reg_size > MAX_SUPPORT_SPACE) {
+ error_report("Required space 0x%x excesses the max support 0x%x",
@ -372,7 +384,7 @@ index 00000000..c123a22b
+type_init(cpufreq_register_types)
+
diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index bf9c0bc2..33a8e2e3 100644
index 0afb3727..29494ebd 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -45,11 +45,73 @@
@ -469,7 +481,7 @@ index bf9c0bc2..33a8e2e3 100644
aml_append(scope, dev);
}
}
@@ -740,7 +814,7 @@ build_dsdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
@@ -718,7 +792,7 @@ build_dsdt(GArray *table_data, BIOSLinker *linker, VirtMachineState *vms)
* the RTC ACPI device at all when using UEFI.
*/
scope = aml_scope("\\_SB");
@ -479,10 +491,10 @@ index bf9c0bc2..33a8e2e3 100644
(irqmap[VIRT_UART] + ARM_SPI_BASE));
acpi_dsdt_add_flash(scope, &memmap[VIRT_FLASH]);
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index ce2664a3..ec6f00ab 100644
index d9496c93..0fa355ba 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -132,6 +132,7 @@ static const MemMapEntry base_memmap[] = {
@@ -135,6 +135,7 @@ static const MemMapEntry base_memmap[] = {
[VIRT_SECURE_UART] = { 0x09040000, 0x00001000 },
[VIRT_SMMU] = { 0x09050000, 0x00020000 },
[VIRT_MMIO] = { 0x0a000000, 0x00000200 },
@ -490,7 +502,7 @@ index ce2664a3..ec6f00ab 100644
/* ...repeating for a total of NUM_VIRTIO_TRANSPORTS, each of that size */
[VIRT_PLATFORM_BUS] = { 0x0c000000, 0x02000000 },
[VIRT_SECURE_MEM] = { 0x0e000000, 0x01000000 },
@@ -725,6 +726,16 @@ static void create_uart(const VirtMachineState *vms, qemu_irq *pic, int uart,
@@ -731,6 +732,16 @@ static void create_uart(const VirtMachineState *vms, qemu_irq *pic, int uart,
g_free(nodename);
}
@ -507,7 +519,7 @@ index ce2664a3..ec6f00ab 100644
static void create_rtc(const VirtMachineState *vms, qemu_irq *pic)
{
char *nodename;
@@ -1618,6 +1629,8 @@ static void machvirt_init(MachineState *machine)
@@ -1682,6 +1693,8 @@ static void machvirt_init(MachineState *machine)
create_uart(vms, pic, VIRT_UART, sysmem, serial_hd(0));
@ -517,10 +529,10 @@ index ce2664a3..ec6f00ab 100644
create_secure_ram(vms, secure_sysmem);
create_uart(vms, pic, VIRT_SECURE_UART, secure_sysmem, serial_hd(1));
diff --git a/hw/char/Kconfig b/hw/char/Kconfig
index 6360c9ff..8cc3ae2a 100644
index 40e7a8b8..2f61bf53 100644
--- a/hw/char/Kconfig
+++ b/hw/char/Kconfig
@@ -40,3 +40,7 @@ config SCLPCONSOLE
@@ -46,3 +46,7 @@ config SCLPCONSOLE
config TERMINAL3270
bool
@ -529,10 +541,10 @@ index 6360c9ff..8cc3ae2a 100644
+ bool
+ default y
diff --git a/include/hw/acpi/acpi-defs.h b/include/hw/acpi/acpi-defs.h
index f9aa4bd3..b4899a32 100644
index 57a3f58b..39ae91d3 100644
--- a/include/hw/acpi/acpi-defs.h
+++ b/include/hw/acpi/acpi-defs.h
@@ -652,4 +652,42 @@ struct AcpiIortRC {
@@ -634,4 +634,42 @@ struct AcpiIortRC {
} QEMU_PACKED;
typedef struct AcpiIortRC AcpiIortRC;
@ -590,7 +602,7 @@ index 1a563ad7..375335ab 100644
/* Block AML object primitives */
Aml *aml_scope(const char *name_format, ...) GCC_FMT_ATTR(1, 2);
diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index 507517c6..8465f9bd 100644
index a7209420..43a6ce91 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -66,6 +66,7 @@ enum {
@ -603,4 +615,3 @@ index 507517c6..8465f9bd 100644
VIRT_FW_CFG,
--
2.19.1

44
hw-arm-virt-Introduce-cpu-topology-support.patch
View File

@ -1,6 +1,6 @@
From 123b4eb3cb7b9b4e3e0705a9b5f974b37d3b8431 Mon Sep 17 00:00:00 2001
From: zhanghailiang <zhang.zhanghailiang@huawei.com>
Date: Mon, 5 Aug 2019 15:04:31 +0800
From 73fc4af05ebe12d77915e6b3c85c48f5e0c432f3 Mon Sep 17 00:00:00 2001
From: Ying Fang <fangying1@huawei.com>
Date: Wed, 22 Apr 2020 19:23:27 +0800
Subject: [PATCH] hw/arm/virt: Introduce cpu topology support
Add topology support for guest vcpu by cpu-map in dtb when the guest is booted
@ -11,13 +11,13 @@ Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
(picked-from https://patchwork.ozlabs.org/cover/939301/ which is pushed by
Andrew Jones <drjones@redhat.com>)
---
device_tree.c | 32 +++++++++++++++++++++++
hw/acpi/aml-build.c | 50 ++++++++++++++++++++++++++++++++++++
device_tree.c | 32 ++++++++++++++++++++++
hw/acpi/aml-build.c | 53 ++++++++++++++++++++++++++++++++++++
hw/arm/virt-acpi-build.c | 4 +++
hw/arm/virt.c | 29 +++++++++++++++++++++
hw/arm/virt.c | 32 +++++++++++++++++++++-
include/hw/acpi/aml-build.h | 2 ++
include/sysemu/device_tree.h | 1 +
6 files changed, 118 insertions(+)
6 files changed, 123 insertions(+), 1 deletion(-)
diff --git a/device_tree.c b/device_tree.c
index f8b46b3c..03906a14 100644
@ -63,7 +63,7 @@ index f8b46b3c..03906a14 100644
{
const char *dumpdtb = qemu_opt_get(qemu_get_machine_opts(), "dumpdtb");
diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
index 73f97751..9d39ad10 100644
index 73f97751..f2c8c28f 100644
--- a/hw/acpi/aml-build.c
+++ b/hw/acpi/aml-build.c
@@ -25,6 +25,7 @@
@ -74,7 +74,7 @@ index 73f97751..9d39ad10 100644
static GArray *build_alloc_array(void)
{
@@ -51,6 +52,55 @@ static void build_append_array(GArray *array, GArray *val)
@@ -51,6 +52,58 @@ static void build_append_array(GArray *array, GArray *val)
g_array_append_vals(array, val->data, val->len);
}
@ -97,6 +97,9 @@ index 73f97751..9d39ad10 100644
+{
+ int pptt_start = table_data->len;
+ int uid = 0, cpus = 0, socket;
+ MachineState *ms = MACHINE(qdev_get_machine());
+ unsigned int smp_cores = ms->smp.cores;
+ unsigned int smp_threads = ms->smp.threads;
+
+ acpi_data_push(table_data, sizeof(AcpiTableHeader));
+
@ -131,10 +134,10 @@ index 73f97751..9d39ad10 100644
static void
diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index 33a8e2e3..18653e6d 100644
index 29494ebd..fe54411f 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -870,6 +870,10 @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables)
@@ -848,6 +848,10 @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables)
acpi_add_table(table_offsets, tables_blob);
build_fadt_rev5(tables_blob, tables->linker, vms, dsdt);
@ -146,10 +149,10 @@ index 33a8e2e3..18653e6d 100644
build_madt(tables_blob, tables->linker, vms);
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 57a78b16..16700a2e 100644
index 0fa355ba..272455bc 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -42,6 +42,7 @@
@@ -44,6 +44,7 @@
#include "net/net.h"
#include "sysemu/device_tree.h"
#include "sysemu/numa.h"
@ -157,7 +160,17 @@ index 57a78b16..16700a2e 100644
#include "sysemu/sysemu.h"
#include "sysemu/kvm.h"
#include "hw/loader.h"
@@ -364,8 +365,36 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
@@ -312,7 +313,8 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
int cpu;
int addr_cells = 1;
const MachineState *ms = MACHINE(vms);
-
+ unsigned int smp_cores = ms->smp.cores;
+ unsigned int smp_threads = ms->smp.threads;
/*
* From Documentation/devicetree/bindings/arm/cpus.txt
* On ARM v8 64-bit systems value should be set to 2,
@@ -368,8 +370,36 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
ms->possible_cpus->cpus[cs->cpu_index].props.node_id);
}
@ -220,5 +233,4 @@ index c16fd69b..d62fc873 100644
#define qemu_fdt_setprop_cells(fdt, node_path, property, ...) \
do { \
--
2.19.1
2.23.0

33
hw-arm64-add-vcpu-cache-info-support.patch
View File

@ -1,6 +1,6 @@
From 8db6d888e3eb131900111506b93f6101413df5b4 Mon Sep 17 00:00:00 2001
From: zhanghailiang <zhang.zhanghailiang@huawei.com>
Date: Mon, 5 Aug 2019 15:30:05 +0800
From 5a0ed254f99ca37498bd81994b906b6984b5ffa9 Mon Sep 17 00:00:00 2001
From: Ying Fang <fangying1@huawei.com>
Date: Wed, 22 Apr 2020 19:25:00 +0800
Subject: [PATCH] hw/arm64: add vcpu cache info support
Support VCPU Cache info by dtb and PPTT table, including L1, L2 and L3 Cache.
@ -8,16 +8,16 @@ Support VCPU Cache info by dtb and PPTT table, including L1, L2 and L3 Cache.
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Signed-off-by: Honghao <honghao5@huawei.com>
---
hw/acpi/aml-build.c | 124 ++++++++++++++++++++++++++++++++++++
hw/arm/virt.c | 76 +++++++++++++++++++++-
hw/acpi/aml-build.c | 126 ++++++++++++++++++++++++++++++++++++
hw/arm/virt.c | 80 ++++++++++++++++++++++-
include/hw/acpi/aml-build.h | 46 +++++++++++++
3 files changed, 245 insertions(+), 1 deletion(-)
3 files changed, 251 insertions(+), 1 deletion(-)
diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
index 9d39ad10..99209c0a 100644
index f2c8c28f..74e95005 100644
--- a/hw/acpi/aml-build.c
+++ b/hw/acpi/aml-build.c
@@ -55,6 +55,129 @@ static void build_append_array(GArray *array, GArray *val)
@@ -55,6 +55,131 @@ static void build_append_array(GArray *array, GArray *val)
/*
* ACPI 6.2 Processor Properties Topology Table (PPTT)
*/
@ -115,6 +115,8 @@ index 9d39ad10..99209c0a 100644
+ int pptt_start = table_data->len;
+ int uid = 0, cpus = 0, socket;
+ struct offset_status offset;
+ const MachineState *ms = MACHINE(qdev_get_machine());
+ unsigned int smp_cores = ms->smp.cores;
+
+ acpi_data_push(table_data, sizeof(AcpiTableHeader));
+
@ -147,7 +149,7 @@ index 9d39ad10..99209c0a 100644
static void build_cpu_hierarchy(GArray *tbl, uint32_t flags,
uint32_t parent, uint32_t id)
{
@@ -100,6 +223,7 @@ void build_pptt(GArray *table_data, BIOSLinker *linker, int possible_cpus)
@@ -103,6 +228,7 @@ void build_pptt(GArray *table_data, BIOSLinker *linker, int possible_cpus)
(void *)(table_data->data + pptt_start), "PPTT",
table_data->len - pptt_start, 1, NULL, NULL);
}
@ -156,16 +158,18 @@ index 9d39ad10..99209c0a 100644
#define ACPI_NAMESEG_LEN 4
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 16700a2e..96f56e2e 100644
index 272455bc..9669c70b 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -304,6 +304,77 @@ static void fdt_add_timer_nodes(const VirtMachineState *vms)
@@ -308,6 +308,81 @@ static void fdt_add_timer_nodes(const VirtMachineState *vms)
GIC_FDT_IRQ_TYPE_PPI, ARCH_TIMER_NS_EL2_IRQ, irqflags);
}
+static void fdt_add_l3cache_nodes(const VirtMachineState *vms)
+{
+ int i;
+ const MachineState *ms = MACHINE(qdev_get_machine());
+ unsigned int smp_cores = ms->smp.cores;
+ unsigned int sockets = vms->smp_cpus / smp_cores;
+
+ /* If current is not equal to max */
@ -191,6 +195,8 @@ index 16700a2e..96f56e2e 100644
+static void fdt_add_l2cache_nodes(const VirtMachineState *vms)
+{
+ int i, j;
+ const MachineState *ms = MACHINE(qdev_get_machine());
+ unsigned int smp_cores = ms->smp.cores;
+ signed int sockets = vms->smp_cpus / smp_cores;
+
+ /* If current is not equal to max */
@ -237,7 +243,7 @@ index 16700a2e..96f56e2e 100644
static void fdt_add_cpu_nodes(const VirtMachineState *vms)
{
int cpu;
@@ -336,6 +407,9 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
@@ -341,6 +416,9 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
qemu_fdt_setprop_cell(vms->fdt, "/cpus", "#address-cells", addr_cells);
qemu_fdt_setprop_cell(vms->fdt, "/cpus", "#size-cells", 0x0);
@ -247,7 +253,7 @@ index 16700a2e..96f56e2e 100644
for (cpu = vms->smp_cpus - 1; cpu >= 0; cpu--) {
char *nodename = g_strdup_printf("/cpus/cpu@%d", cpu);
ARMCPU *armcpu = ARM_CPU(qemu_get_cpu(cpu));
@@ -364,7 +438,7 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
@@ -369,7 +447,7 @@ static void fdt_add_cpu_nodes(const VirtMachineState *vms)
qemu_fdt_setprop_cell(vms->fdt, nodename, "numa-node-id",
ms->possible_cpus->cpus[cs->cpu_index].props.node_id);
}
@ -315,4 +321,3 @@ index bfb0b100..0be3453a 100644
*
--
2.23.0

23
linux-headers-update-against-KVM-ARM-Fix-256-vcpus.patch
View File

@ -1,7 +1,7 @@
From 896b9892d4df316b85836daa973e442c0c64cec6 Mon Sep 17 00:00:00 2001
From 27a9f40b308efd8ddcb81e286441865b5a0cb541 Mon Sep 17 00:00:00 2001
From: Zenghui Yu <yuzenghui@huawei.com>
Date: Fri, 3 Jan 2020 17:16:55 +0800
Subject: [PATCH 1/3] linux headers: update against "KVM/ARM: Fix >256 vcpus"
Date: Tue, 14 Apr 2020 21:52:42 +0800
Subject: [PATCH] linux headers: update against "KVM/ARM: Fix >256 vcpus"
This is part of upstream commit f363d039e883 ("linux headers: update
against v5.4-rc1"), authored by Eric Auger <eric.auger@redhat.com>.
@ -30,10 +30,10 @@ index e1f8b745..137a2730 100644
#define KVM_ARM_IRQ_VCPU_MASK 0xff
#define KVM_ARM_IRQ_NUM_SHIFT 0
diff --git a/linux-headers/asm-arm64/kvm.h b/linux-headers/asm-arm64/kvm.h
index e6a98c14..dfd3a028 100644
index 2431ec35..cdfd5f33 100644
--- a/linux-headers/asm-arm64/kvm.h
+++ b/linux-headers/asm-arm64/kvm.h
@@ -265,8 +265,10 @@ struct kvm_vcpu_events {
@@ -308,8 +308,10 @@ struct kvm_vcpu_events {
#define KVM_ARM_VCPU_TIMER_IRQ_PTIMER 1
/* KVM_IRQ_LINE irq field index values */
@ -46,17 +46,16 @@ index e6a98c14..dfd3a028 100644
#define KVM_ARM_IRQ_VCPU_MASK 0xff
#define KVM_ARM_IRQ_NUM_SHIFT 0
diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index b53ee597..086cea4d 100644
index c8423e76..744e888e 100644
--- a/linux-headers/linux/kvm.h
+++ b/linux-headers/linux/kvm.h
@@ -988,6 +988,7 @@ struct kvm_ppc_resize_hpt {
#define KVM_CAP_ARM_VM_IPA_SIZE 165
#define KVM_CAP_MANUAL_DIRTY_LOG_PROTECT 166
#define KVM_CAP_MANUAL_DIRTY_LOG_PROTECT 166 /* Obsolete */
#define KVM_CAP_HYPERV_CPUID 167
+#define KVM_CAP_ARM_IRQ_LINE_LAYOUT_2 174
#ifdef KVM_CAP_IRQ_ROUTING
#define KVM_CAP_MANUAL_DIRTY_LOG_PROTECT2 168
#define KVM_CAP_PPC_IRQ_XIVE 169
#define KVM_CAP_ARM_SVE 170
--
2.19.1
2.23.0

85
memory-unref-the-memory-region-in-simplify-flatview.patch
View File

@ -1,85 +0,0 @@
From b9f43f0cca03586a31b53e47ade72e77db01cb4c Mon Sep 17 00:00:00 2001
From: King Wang <king.wang@huawei.com>
Date: Fri, 12 Jul 2019 14:52:41 +0800
Subject: [PATCH 2/5] memory: unref the memory region in simplify flatview
The memory region reference is increased when insert a range
into flatview range array, then decreased by destroy flatview.
If some flat range merged by flatview_simplify, the memory region
reference can not be decreased by destroy flatview any more.
In this case, start virtual machine by the command line:
qemu-system-x86_64
-name guest=ubuntu,debug-threads=on
-machine pc,accel=kvm,usb=off,dump-guest-core=off
-cpu host
-m 16384
-realtime mlock=off
-smp 8,sockets=2,cores=4,threads=1
-object memory-backend-file,id=ram-node0,prealloc=yes,mem-path=/dev/hugepages,share=yes,size=8589934592
-numa node,nodeid=0,cpus=0-3,memdev=ram-node0
-object memory-backend-file,id=ram-node1,prealloc=yes,mem-path=/dev/hugepages,share=yes,size=8589934592
-numa node,nodeid=1,cpus=4-7,memdev=ram-node1
-no-user-config
-nodefaults
-rtc base=utc
-no-shutdown
-boot strict=on
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2
-device virtio-scsi-pci,id=scsi0,bus=pci.0,addr=0x2
-device virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x3
-drive file=ubuntu.qcow2,format=qcow2,if=none,id=drive-virtio-disk0,cache=none,aio=native
-device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1
-chardev pty,id=charserial0
-device isa-serial,chardev=charserial0,id=serial0
-device usb-tablet,id=input0,bus=usb.0,port=1
-vnc 0.0.0.0:0
-device VGA,id=video0,vgamem_mb=16,bus=pci.0,addr=0x5
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6
-msg timestamp=on
And run the script in guest OS:
while true
do
setpci -s 00:06.0 04.b=03
setpci -s 00:06.0 04.b=07
done
I found the reference of node0 HostMemoryBackendFile is a big one.
(gdb) p numa_info[0]->node_memdev->parent.ref
$6 = 1636278
(gdb)
Signed-off-by: King Wang<king.wang@huawei.com>
Message-Id: <20190712065241.11784-1-king.wang@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
memory.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/memory.c b/memory.c
index 9fbca52..0b49281 100644
--- a/memory.c
+++ b/memory.c
@@ -320,7 +320,7 @@ static bool can_merge(FlatRange *r1, FlatRange *r2)
/* Attempt to simplify a view by merging adjacent ranges */
static void flatview_simplify(FlatView *view)
{
- unsigned i, j;
+ unsigned i, j, k;
i = 0;
while (i < view->nr) {
@@ -331,6 +331,9 @@ static void flatview_simplify(FlatView *view)
++j;
}
++i;
+ for (k = i; k < j; k++) {
+ memory_region_unref(view->ranges[k].mr);
+ }
memmove(&view->ranges[i], &view->ranges[j],
(view->nr - j) * sizeof(view->ranges[j]));
view->nr -= j - i;
--
1.8.3.1

19
monitor-fix-memory-leak-in-monitor_fdset_dup_fd_find.patch
View File

@ -1,6 +1,6 @@
From 6f7a7f18f4460b0891eabbe1ca69e599216427b7 Mon Sep 17 00:00:00 2001
From 117082ef493e62e6e2cd972b309e0cd72682ab02 Mon Sep 17 00:00:00 2001
From: Chen Qun <kuhn.chenqun@huawei.com>
Date: Mon, 16 Mar 2020 14:26:06 +0800
Date: Tue, 14 Apr 2020 19:50:59 +0800
Subject: [PATCH] moniter: fix memleak in monitor_fdset_dup_fd_find_remove
When remove dup_fd in monitor_fdset_dup_fd_find_remove function,
@ -25,14 +25,14 @@ Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
(cherry picked from commit a661614de18c89f58cad3fc1bb8aab44e820183a)
---
monitor.c | 1 +
monitor/misc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/monitor.c b/monitor.c
index 4807bbe..b5b15b5 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2596,6 +2596,7 @@ static int monitor_fdset_dup_fd_find_remove(int dup_fd, bool remove)
diff --git a/monitor/misc.c b/monitor/misc.c
index 00338c00..0d6369ba 100644
--- a/monitor/misc.c
+++ b/monitor/misc.c
@@ -1746,6 +1746,7 @@ static int64_t monitor_fdset_dup_fd_find_remove(int dup_fd, bool remove)
if (mon_fdset_fd_dup->fd == dup_fd) {
if (remove) {
QLIST_REMOVE(mon_fdset_fd_dup, next);
@ -41,5 +41,4 @@ index 4807bbe..b5b15b5 100644
monitor_fdset_cleanup(mon_fdset);
}
--
1.8.3.1
2.23.0

60
nbd-Fix-regression-with-multiple-meta-contexts.patch
View File

@ -1,60 +0,0 @@
From 32c6cb39cbadd6fc2026ff6311fcf58549f71d49 Mon Sep 17 00:00:00 2001
From: Pan Nengyuan <pannengyuan@huawei.com>
Date: Wed, 15 Apr 2020 14:29:04 +0800
Subject: [PATCH] nbd: Fix regression with multiple meta contexts
Detected by a hang in the libnbd testsuite. If a client requests
multiple meta contexts (both base:allocation and qemu:dirty-bitmap:x)
at the same time, our attempt to silence a false-positive warning
about a potential uninitialized variable introduced botched logic: we
were short-circuiting the second context, and never sending the
NBD_REPLY_FLAG_DONE. Combining two 'if' into one 'if/else' in
bdf200a55 was wrong (I'm a bit embarrassed that such a change was my
initial suggestion after the v1 patch, then I did not review the v2
patch that actually got committed). Revert that, and instead silence
the false positive warning by replacing 'return ret' with 'return 0'
(the value it always has at that point in the code, even though it
eluded the deduction abilities of the robot that reported the false
positive).
Fixes: bdf200a5535
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20200206173832.130004-1-eblake@redhat.com>
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
(cherry picked from commit 73e064ccf09d908febc83761addcc6e76feabf78)
---
nbd/server.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/nbd/server.c b/nbd/server.c
index aefb07d..3630352 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -2304,15 +2304,22 @@ static coroutine_fn int nbd_handle_request(NBDClient *client,
!client->export_meta.bitmap,
NBD_META_ID_BASE_ALLOCATION,
errp);
- } else { /* client->export_meta.bitmap */
+ if (ret < 0) {
+ return ret;
+ }
+ }
+ if (client->export_meta.bitmap) {
ret = nbd_co_send_bitmap(client, request->handle,
client->exp->export_bitmap,
request->from, request->len,
dont_fragment,
true, NBD_META_ID_DIRTY_BITMAP, errp);
+ if (ret < 0) {
+ return ret;
+ }
}
- return ret;
+ return 0;
} else {
return nbd_send_generic_reply(client, request->handle, -EINVAL,
"CMD_BLOCK_STATUS not negotiated",
--
1.8.3.1

BIN
qemu-4.0.1.tar.xz → qemu-4.1.0.tar.xz
View File

Binary file not shown.

75
qemu-bridge-helper-move-repeating-code-in-parse_acl.patch
View File

@ -1,75 +0,0 @@
From 3283dde4b5b5cce0f96f48d536bebff66d97ce0b Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 23 Jul 2019 16:17:53 +0530
Subject: [PATCH 2/2] qemu-bridge-helper: move repeating code in parse_acl_file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Move repeating error handling sequence in parse_acl_file routine
to an 'err' label.
This patch fixes CVE-2019-13164.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry-picked from commit 3283dde4b5b5cce0f96f48d536bebff66d97ce0b)
---
qemu-bridge-helper.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
index 2058e10454..3d50ec094c 100644
--- a/qemu-bridge-helper.c
+++ b/qemu-bridge-helper.c
@@ -102,9 +102,7 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
if (arg == NULL) {
fprintf(stderr, "Invalid config line:\n %s\n", line);
- fclose(f);
- errno = EINVAL;
- return -1;
+ goto err;
}
*arg = 0;
@@ -121,9 +119,7 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
if (!g_str_equal(cmd, "include") && strlen(arg) >= IFNAMSIZ) {
fprintf(stderr, "name `%s' too long: %zu\n", arg, strlen(arg));
- fclose(f);
- errno = EINVAL;
- return -1;
+ goto err;
}
if (strcmp(cmd, "deny") == 0) {
@@ -149,15 +145,18 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
parse_acl_file(arg, acl_list);
} else {
fprintf(stderr, "Unknown command `%s'\n", cmd);
- fclose(f);
- errno = EINVAL;
- return -1;
+ goto err;
}
}
fclose(f);
-
return 0;
+
+err:
+ fclose(f);
+ errno = EINVAL;
+ return -1;
+
}
static bool has_vnet_hdr(int fd)
--
2.19.1

60
qemu-bridge-helper-restrict-interface-name-to-IFNAMS.patch
View File

@ -1,60 +0,0 @@
From 6f5d8671225dc77190647f18a27a0d156d4ca97a Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 23 Jul 2019 16:17:52 +0530
Subject: [PATCH 1/2] qemu-bridge-helper: restrict interface name to IFNAMSIZ
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The network interface name in Linux is defined to be of size
IFNAMSIZ(=16), including the terminating null('\0') byte.
The same is applied to interface names read from 'bridge.conf'
file to form ACL rules. If user supplied '--br=bridge' name
is not restricted to the same length, it could lead to ACL bypass
issue. Restrict interface name to IFNAMSIZ, including null byte.
This patch fixes CVE-2019-13164.
Reported-by: Riccardo Schirone <rschiron@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry-picked from commit 6f5d8671225dc77190647f18a27a0d156d4ca97a)
---
qemu-bridge-helper.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
index 95624bc300..2058e10454 100644
--- a/qemu-bridge-helper.c
+++ b/qemu-bridge-helper.c
@@ -119,6 +119,13 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
}
*argend = 0;
+ if (!g_str_equal(cmd, "include") && strlen(arg) >= IFNAMSIZ) {
+ fprintf(stderr, "name `%s' too long: %zu\n", arg, strlen(arg));
+ fclose(f);
+ errno = EINVAL;
+ return -1;
+ }
+
if (strcmp(cmd, "deny") == 0) {
acl_rule = g_malloc(sizeof(*acl_rule));
if (strcmp(arg, "all") == 0) {
@@ -269,6 +276,10 @@ int main(int argc, char **argv)
usage();
return EXIT_FAILURE;
}
+ if (strlen(bridge) >= IFNAMSIZ) {
+ fprintf(stderr, "name `%s' too long: %zu\n", bridge, strlen(bridge));
+ return EXIT_FAILURE;
+ }
/* parse default acl file */
QSIMPLEQ_INIT(&acl_list);
--
2.19.1

246
qemu.spec
View File

@ -1,6 +1,6 @@
Name: qemu
Version: 4.0.1
Release: 11
Version: 4.1.0
Release: 1
Epoch: 2
Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY
@ -10,61 +10,58 @@ Source1: 80-kvm.rules
Source2: 99-qemu-guest-agent.rules
Source3: bridge.conf
Patch0001: qxl-check-release-info-object.patch
Patch0002: ARM64-record-vtimer-tick-when-cpu-is-stopped.patch
Patch0003: pl011-reset-read-FIFO-when-UARTTIMSC-0-UARTICR-0xfff.patch
Patch0004: pl031-support-rtc-timer-property-for-pl031.patch
Patch0005: vhost-cancel-migration-when-vhost-user-restarted.patch
Patch0006: qcow2-fix-memory-leak-in-qcow2_read_extensions.patch
Patch0007: hw-arm-expose-host-CPU-frequency-info-to-guest.patch
Patch0008: qemu-bridge-helper-restrict-interface-name-to-IFNAMS.patch
Patch0009: qemu-bridge-helper-move-repeating-code-in-parse_acl.patch
Patch0010: smbios-Add-missing-member-of-type-4-for-smbios-3.0.patch
Patch0011: hw-arm-virt-Introduce-cpu-topology-support.patch
Patch0012: hw-arm64-add-vcpu-cache-info-support.patch
Patch0013: xhci-Fix-memory-leak-in-xhci_address_slot.patch
Patch0014: xhci-Fix-memory-leak-in-xhci_kick_epctx.patch
Patch0015: ehci-fix-queue-dev-null-ptr-dereference.patch
Patch0016: memory-unref-the-memory-region-in-simplify-flatview.patch
Patch0017: util-async-hold-AioContext-ref-to-prevent-use-after-free.patch
Patch0018: vhost-user-scsi-prevent-using-uninitialized-vqs.patch
Patch0019: cpu-add-Kunpeng-920-cpu-support.patch
Patch0020: cpu-parse-feature-to-avoid-failure.patch
Patch0021: cpu-add-Cortex-A72-processor-kvm-target-support.patch
Patch0022: vnc-fix-memory-leak-when-vnc-disconnect.patch
Patch0023: pcie-disable-the-PCI_EXP_LINKSTA_DLLA-cap.patch
Patch0024: linux-headers-update-against-KVM-ARM-Fix-256-vcpus.patch
Patch0025: intc-arm_gic-Support-IRQ-injection-for-more-than-256.patch
Patch0026: ARM-KVM-Check-KVM_CAP_ARM_IRQ_LINE_LAYOUT_2-for-smp_.patch
Patch0027: 9pfs-local-Fix-possible-memory-leak-in-local_link.patch
Patch0028: scsi-disk-define-props-in-scsi_block_disk-to-avoid-memleaks.patch
Patch0029: arm-translate-a64-fix-uninitialized-variable-warning.patch
Patch0030: nbd-fix-uninitialized-variable-warning.patch
Patch0031: xhci-Fix-memory-leak-in-xhci_kick_epctx-when-poweroff.patch
Patch0032: block-fix-memleaks-in-bdrv_refresh_filename.patch
Patch0033: iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
Patch0034: tcp_emu-Fix-oob-access.patch
Patch0035: slirp-use-correct-size-while-emulating-IRC-commands.patch
Patch0036: slirp-use-correct-size-while-emulating-commands.patch
Patch0037: tcp_emu-fix-unsafe-snprintf-usages.patch
Patch0038: block-iscsi-use-MIN-between-mx_sb_len-and-sb_len_wr.patch
Patch0039: monitor-fix-memory-leak-in-monitor_fdset_dup_fd_find.patch
Patch0001: pl011-reset-read-FIFO-when-UARTTIMSC-0-UARTICR-0xfff.patch
Patch0002: pl031-support-rtc-timer-property-for-pl031.patch
Patch0003: vhost-cancel-migration-when-vhost-user-restarted.patch
Patch0004: qcow2-fix-memory-leak-in-qcow2_read_extensions.patch
Patch0005: bios-tables-test-prepare-to-change-ARM-virt-ACPI-DSDT.patch
Patch0006: hw-arm-expose-host-CPU-frequency-info-to-guest.patch
Patch0007: smbios-Add-missing-member-of-type-4-for-smbios-3.0.patch
Patch0008: tests-bios-tables-test-disable-this-testcase.patch
Patch0009: hw-arm-virt-Introduce-cpu-topology-support.patch
Patch0010: hw-arm64-add-vcpu-cache-info-support.patch
Patch0011: xhci-Fix-memory-leak-in-xhci_address_slot.patch
Patch0012: xhci-Fix-memory-leak-in-xhci_kick_epctx.patch
Patch0013: ehci-fix-queue-dev-null-ptr-dereference.patch
Patch0014: util-async-hold-AioContext-ref-to-prevent-use-after-free.patch
Patch0015: vhost-user-scsi-prevent-using-uninitialized-vqs.patch
Patch0016: cpu-add-Kunpeng-920-cpu-support.patch
Patch0017: cpu-parse-feature-to-avoid-failure.patch
Patch0018: cpu-add-Cortex-A72-processor-kvm-target-support.patch
Patch0019: pcie-disable-the-PCI_EXP_LINKSTA_DLLA-cap.patch
Patch0020: vnc-fix-memory-leak-when-vnc-disconnect.patch
Patch0021: linux-headers-update-against-KVM-ARM-Fix-256-vcpus.patch
Patch0022: intc-arm_gic-Support-IRQ-injection-for-more-than-256.patch
Patch0023: ARM-KVM-Check-KVM_CAP_ARM_IRQ_LINE_LAYOUT_2-for-smp.patch
Patch0024: 9pfs-local-Fix-possible-memory-leak-in-local_link.patch
Patch0025: scsi-disk-define-props-in-scsi_block_disk-to-avoid-memleaks.patch
Patch0026: arm-translate-a64-fix-uninitialized-variable-warning.patch
Patch0027: nbd-fix-uninitialized-variable-warning.patch
Patch0028: xhci-Fix-memory-leak-in-xhci_kick_epctx-when-poweroff.patch
Patch0029: block-fix-memleaks-in-bdrv_refresh_filename.patch
Patch0030: iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
Patch0031: tcp_emu-Fix-oob-access.patch
Patch0032: slirp-use-correct-size-while-emulating-IRC-commands.patch
Patch0033: slirp-use-correct-size-while-emulating-commands.patch
Patch0034: util-add-slirp_fmt-helpers.patch
Patch0035: tcp_emu-fix-unsafe-snprintf-usages.patch
Patch0036: block-iscsi-use-MIN-between-mx_sb_len-and-sb_len_wr.patch
Patch0037: monitor-fix-memory-leak-in-monitor_fdset_dup_fd_find.patch
Patch0038: memory-Align-MemoryRegionSections-fields.patch
Patch0039: memory-Provide-an-equality-function-for-MemoryRegion.patch
Patch0040: vhost-Fix-memory-region-section-comparison.patch
Patch0041: memory-Align-MemoryRegionSections-fields.patch
Patch0042: memory-Provide-an-equality-function-for-MemoryRegion.patch
Patch0043: file-posix-Handle-undetectable-alignment.patch
Patch0044: block-backup-fix-max_transfer-handling-for-copy_rang.patch
Patch0045: block-backup-fix-backup_cow_with_offload-for-last-cl.patch
Patch0046: qcow2-Limit-total-allocation-range-to-INT_MAX.patch
Patch0047: mirror-Do-not-dereference-invalid-pointers.patch
Patch0048: COLO-compare-Fix-incorrect-if-logic.patch
Patch0049: qcow2-bitmap-Fix-uint64_t-left-shift-overflow.patch
Patch0050: pcie-Add-pcie-root-port-fast-plug-unplug-feature.patch
Patch0051: pcie-Compat-with-devices-which-do-not-support-Link-W.patch
Patch0052: aio-wait-delegate-polling-of-main-AioContext-if-BQL-not-held.patch
Patch0053: async-use-explicit-memory-barriers.patch
Patch0054: Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
Patch0055: nbd-Fix-regression-with-multiple-meta-contexts.patch
Patch0041: file-posix-Handle-undetectable-alignment.patch
Patch0042: block-backup-fix-max_transfer-handling-for-copy_rang.patch
Patch0043: block-backup-fix-backup_cow_with_offload-for-last-cl.patch
Patch0044: qcow2-Limit-total-allocation-range-to-INT_MAX.patch
Patch0045: mirror-Do-not-dereference-invalid-pointers.patch
Patch0046: COLO-compare-Fix-incorrect-if-logic.patch
Patch0047: qcow2-bitmap-Fix-uint64_t-left-shift-overflow.patch
Patch0048: pcie-Add-pcie-root-port-fast-plug-unplug-feature.patch
Patch0049: pcie-Compat-with-devices-which-do-not-support-Link-W.patch
Patch0050: aio-wait-delegate-polling-of-main-AioContext-if-BQL-not-held.patch
Patch0051: async-use-explicit-memory-barriers.patch
BuildRequires: flex
BuildRequires: bison
@ -251,7 +248,9 @@ install -D -m 0644 %{_sourcedir}/99-qemu-guest-agent.rules %{buildroot}%{_udevdi
mkdir -p %{buildroot}%{_localstatedir}/log
touch %{buildroot}%{_localstatedir}/log/qga-fsfreeze-hook.log
# For qemu docs package
%global qemudocdir %{_docdir}/%{name}
rm -rf %{buildroot}%{qemudocdir}/specs
install -D -p -m 0644 -t %{buildroot}%{qemudocdir} Changelog README COPYING COPYING.LIB LICENSE
chmod -x %{buildroot}%{_mandir}/man1/*
@ -266,6 +265,9 @@ rm -rf %{buildroot}%{_datadir}/%{name}/multiboot.bin
rm -rf %{buildroot}%{_datadir}/%{name}/linuxboot_dma.bin
rm -rf %{buildroot}%{_datadir}/%{name}/pvh.bin
%endif
%ifarch x86_64
rm -rf %{buildroot}%{_datadir}/%{name}/vgabios-ati.bin
%endif
rm -rf %{buildroot}%{_datadir}/%{name}/openbios-*
rm -rf %{buildroot}%{_datadir}/%{name}/slof.bin
rm -rf %{buildroot}%{_datadir}/%{name}/QEMU,*.bin
@ -281,6 +283,11 @@ rm -rf %{buildroot}%{_datadir}/%{name}/skiboot.lid
rm -rf %{buildroot}%{_datadir}/%{name}/spapr-*
rm -rf %{buildroot}%{_datadir}/%{name}/u-boot*
rm -rf %{buildroot}%{_bindir}/ivshmem*
rm -f %{buildroot}%{_datadir}/%{name}/edk2*
rm -rf %{buildroot}%{_datadir}/%{name}/firmware
rm -rf %{buildroot}%{_datadir}/%{name}/opensbi*
rm -rf %{buildroot}%{_datadir}/%{name}/qemu-nsis.bmp
for f in %{buildroot}%{_bindir}/* %{buildroot}%{_libdir}/* \
%{buildroot}%{_libexecdir}/*; do
@ -400,99 +407,100 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Fri Apr 24 2020 backport nbd fix from qemu upstream
- nbd: Fix regression with multiple meta contexts
* Fri Apr 24 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- Fix use-afte-free in ip_reass() (CVE-2020-1983)
* Sat Apr 11 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- aio-wait: delegate polling of main AioContext if BQL not held
- async: use explicit memory barriers
* Wed Mar 18 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- pcie: Add pcie-root-port fast plug/unplug feature
- pcie: Compat with devices which do not support Link Width
- pcie: Compat with devices which do not support Link Width, such as ioh3420
* Tue Mar 17 2020 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com>
- Put linuxboot_dma.bin and pvh.bin in x86 package
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- qcow2-bitmap: Fix uint64_t left-shift overflow
* Mon Mar 16 2020 backport some bug fix patches from upstream
- Patch from number 0040 to 0049 are picked from stable-4.1.1
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- COLO-compare: Fix incorrect `if` logic
* Mon Mar 16 2020 Huawei Technologies Co., Ltd. <kuhn.chenqun@huawei.com>
- moniter: fix memleak in monitor_fdset_dup_fd_find_remove
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- block/backup: fix max_transfer handling for copy_range
- block/backup: fix backup_cow_with_offload for last cluster
- qcow2: Limit total allocation range to INT_MAX
- mirror: Do not dereference invalid pointers
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- file-posix: Handle undetectable alignment
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- vhost: Fix memory region section comparison
- memory: Provide an equality function for MemoryRegionSections
- memory: Align MemoryRegionSections fields
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- block/iscsi: use MIN() between mx_sb_len and sb_len_wr
- moniter: fix memleak in monitor_fdset_dup_fd_find_remove
* Wed Mar 11 2020 backport from qemu upstream
- tcp_emu: Fix oob access
- slirp: use correct size while emulating IRC commands
- slirp: use correct size while emulating commands
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- tcp_emu: fix unsafe snprintf() usages
* Mon Mar 9 2020 backport from qemu upstream
- util: add slirp_fmt() helpers
- slirp: use correct size while emulating commands
- slirp: use correct size while emulating IRC commands
- tcp_emu: Fix oob access
- iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
* Thu Feb 6 2020 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com>
- spec: remove fno-inline option for configure
* Thu Jan 16 2020 Huawei Technologies Co., Ltd. <pannengyuan@huawei.com>
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- 9pfs: local: Fix possible memory leak in local_link()
- scsi-disk: define props in scsi_block_disk to avoid memleaks
- arm/translate-a64: fix uninitialized variable warning
- block: fix memleaks in bdrv_refresh_filename
- vnc: fix memory leak when vnc disconnect
- block: fix memleaks in bdrv_refresh_filename
* Mon Jan 13 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- 9pfs: Fix a possible memory leak in local_link
- scsi-disk: disk define props in scsi_block to avoid memleaks
- arm/translate-a64: fix uninitialized variable warning
- nbd: fix uninitialized variable warning
- xhci: Fix memory leak in xhci_kick_epctx when poweroff
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- linux headers: update against "KVM/ARM: Fix >256 vcpus"
- intc/arm_gic: Support IRQ injection for more than 256 vcpus
- ARM: KVM: Check KVM_CAP_ARM_IRQ_LINE_LAYOUT_2 for smp_cpus >
* Mon Jan 6 2020 backport from qemu upstream
- linux headers: update against "KVM/ARM: Fix >256 vcp
- intc/arm_gic: Support IRQ injection for more than 256 vpus
- ARM: KVM: Check KVM_CAP_ARM_IRQ_LINE_LAYOUT_2 for smp_cpus > 256
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- vnc: fix memory leak when vnc disconnect
* Thu Dec 12 2019 backport from qemu upstream v4.0.1 release
- tpm: Exit in reset when backend indicates failure
- tpm_emulator: Translate TPM error codes to strings
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- pcie: disable the PCI_EXP_LINKSTA_DLLA cap for pcie-root-port by default
* Thu Oct 17 2019 backport from qemu upstream
- vnc-fix-memory-leak-when-vnc-disconnect.patch
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- cpu: add Kunpeng-920 cpu support
- cpu: parse +/- feature to avoid failure
- cpu: add Cortex-A72 processor kvm target support
* Mon Sep 9 2019 backport from qemu upstream
- ehci-fix-queue-dev-null-ptr-dereference.patch
- memory-unref-the-memory-region-in-simplify-flatview.patch
- util-async-hold-AioContext-ref-to-prevent-use-after-.patch
- vhost-user-scsi-prevent-using-uninitialized-vqs.patch
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- vhost-user-scsi: prevent using uninitialized vqs
* Fri Aug 30 2019 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- util/async: hold AioContext ref to prevent use-after-free
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- xhci: Fix memory leak in xhci_address_slot
- xhci: Fix memory leak in xhci_kick_epctx
- ehci: fix queue->dev null ptr dereference
* Wed Aug 7 2019 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com>
* Thu Apr 16 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- tests/bios-tables-test: disable this testcase
- hw/arm/virt: Introduce cpu topology support
- hw/arm64: add vcpu cache info support
* Tue Aug 6 2019 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com>
- Update release version to 4.0.0-2
* Mon Aug 5 2019 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com>
- enable make check
* Wed Apr 15 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- smbios: Add missing member of type 4 for smbios 3.0
* Mon Aug 5 2019 fix CVE-2019-13164
- qemu-bridge-helper: restrict interface name to IFNAMSIZ
- qemu-bridge-helper: move repeating code in parse_acl_file
* Wed Apr 15 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- bios-tables-test: prepare to change ARM virt ACPI DSDT
- arm64: Add the cpufreq device to show cpufreq info to guest
* Tue Jul 30 2019 Huawei Technologies Co., Ltd. <zhang.zhanghailiang@huawei.com
* Wed Apr 15 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- qcow2: fix memory leak in qcow2_read_extensions
- hw/arm: expose host CPU frequency info to guest
* Fri Jul 26 2019 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- vhost: cancel migration when vhost-user restarted
* Wed Apr 15 2020 Huawei Technologies Co., Ltd. <fangying1@huawei.com>
- pl011: reset read FIFIO when UARTTIMSC=0 & UARTICR=0xff
- pl031: support rtc-timer property for pl031
- pl011: reset read FIFO when UARTTIMSC=0 & UARTICR=0xffff
- ARM64: record vtimer tick when cpu is stopped
- vhost: cancel migration when vhost-user restarted
* Tue Jul 23 2019 openEuler Buildteam <buildteam@openeuler.org> - version-release
* Mon Apr 13 2020 openEuler Buildteam <buildteam@openeuler.org> - version-release
- Package init

36
qxl-check-release-info-object.patch
View File

@ -1,36 +0,0 @@
From cbed4e0108ca1403f1f47cde292330b87a0d8bf2 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 25 Apr 2019 12:05:34 +0530
Subject: [PATCH] qxl: check release info object
When releasing spice resources in release_resource() routine,
if release info object 'ext.info' is null, it leads to null
pointer dereference. Add check to avoid it.
(This is cherry-pick d52680fc932efb8a2f334cc6993e705ed1e31e99)
Reported-by: Bugs SysSec <bugs-syssec@rub.de>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20190425063534.32747-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/qxl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index c8ce578..632923a 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -777,6 +777,9 @@ static void interface_release_resource(QXLInstance *sin,
QXLReleaseRing *ring;
uint64_t *item, id;
+ if (!ext.info) {
+ return;
+ }
if (ext.group_id == MEMSLOT_GROUP_HOST) {
/* host group -> vga mode update request */
QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);
--
1.8.3.1

70
slirp-use-correct-size-while-emulating-IRC-commands.patch
View File

@ -1,6 +1,6 @@
From 882149fd8401f8ff667ea384bb68008354fd110f Mon Sep 17 00:00:00 2001
From 011880f527ff317a40769ea8673a6353e5db53ac Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 11 Mar 2020 18:19:36 +0800
Date: Tue, 14 Apr 2020 18:23:23 +0800
Subject: [PATCH] slirp: use correct size while emulating IRC commands
While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
@ -13,40 +13,42 @@ Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
---
slirp/src/tcp_subr.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
slirp/src/tcp_subr.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
index 4608942f..2053b11b 100644
index 9c94c03a..2a15b16a 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -786,7 +786,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
"DCC CHAT chat %lu %u%c\n",
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), 1);
@@ -797,7 +797,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
"DCC SEND %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
@@ -808,7 +808,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
"DCC MOVE %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
@@ -778,7 +778,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC CHAT chat %lu %u%c\n",
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), 1);
} else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
@@ -789,7 +790,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
}
m->m_len = bptr - m->m_data; /* Adjust length */
m->m_len +=
- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
+ snprintf(bptr, M_FREEROOM(m),
+ "DCC SEND %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
} else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
@@ -800,7 +802,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
}
m->m_len = bptr - m->m_data; /* Adjust length */
m->m_len +=
- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
+ snprintf(bptr, M_FREEROOM(m),
+ "DCC MOVE %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
}
--
2.21.1 (Apple Git-122.3)
2.23.0

62
slirp-use-correct-size-while-emulating-commands.patch
View File

@ -1,6 +1,6 @@
From 66e2f47a01ffcaafe11acae0a191efd1805f86c6 Mon Sep 17 00:00:00 2001
From 662aa4f1d168b32335a4dc40782e816329afcac0 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 11 Mar 2020 18:27:22 +0800
Date: Tue, 14 Apr 2020 18:36:12 +0800
Subject: [PATCH] slirp: use correct size while emulating commands
While emulating services in tcp_emu(), it uses 'mbuf' size
@ -10,42 +10,40 @@ Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
---
slirp/src/tcp_subr.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
slirp/src/tcp_subr.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
index 2053b11b..e898fd03 100644
index 2a15b16a..019b637a 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -707,7 +707,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
@@ -696,7 +696,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size - m->m_len,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
"ORT %d,%d,%d,%d,%d,%d\r\n%s",
n1, n2, n3, n4, n5, n6, x==7?buff:"");
return 1;
@@ -740,7 +740,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size - m->m_len,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
"ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
n5, n6, x == 7 ? buff : "");
return 1;
@@ -732,7 +732,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size - m->m_len,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
n1, n2, n3, n4, n5, n6, x==7?buff:"");
m->m_len = bptr - m->m_data; /* Adjust length */
m->m_len +=
- snprintf(bptr, m->m_size - m->m_len,
+ snprintf(bptr, M_FREEROOM(m),
"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
@@ -766,8 +766,8 @@ tcp_emu(struct socket *so, struct mbuf *m)
if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
(so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
htons(lport), SS_FACCEPTONCE)) != NULL)
- m->m_len = snprintf(m->m_data, m->m_size, "%d",
- ntohs(so->so_fport)) + 1;
+ m->m_len = snprintf(m->m_data, M_ROOM(m),
+ "%d", ntohs(so->so_fport)) + 1;
return 1;
@@ -759,7 +759,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
(so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
htons(lport), SS_FACCEPTONCE)) != NULL)
m->m_len =
- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
+ snprintf(m->m_data, M_ROOM(m),
+ "%d", ntohs(so->so_fport)) + 1;
return 1;
case EMU_IRC:
case EMU_IRC:
--
2.21.1 (Apple Git-122.3)
2.23.0

33
smbios-Add-missing-member-of-type-4-for-smbios-3.0.patch
View File

@ -1,21 +1,19 @@
From e52fdbd850b49304c5bbd5f19c9f518b80efef42 Mon Sep 17 00:00:00 2001
From: zhanghailiang <zhang.zhanghailiang@huawei.com>
Date: Wed, 31 Jul 2019 15:40:55 +0800
From 2b8ad77678da175cb92c902955cb85827e661de3 Mon Sep 17 00:00:00 2001
From: Ying Fang <fangying1@huawei.com>
Date: Tue, 14 Apr 2020 14:53:44 +0800
Subject: [PATCH] smbios: Add missing member of type 4 for smbios 3.0
According to smbios 3.0 spec, for processor information (type 4),
it adds three new members (Core Count 2, Core enabled 2, thread count 2) for 3.0,
Without this three members, we can not get correct cpu frequency from dmi,
it adds three new members (Core Count 2, Core enabled 2, thread count 2) for 3.0, Without this three members, we can not get correct cpu frequency from dmi,
Because it will failed to check the length of Processor Infomation in DMI.
The corresponding codes in kernel is like:
if (dm->type == DMI_ENTRY_PROCESSOR &&
dm->length >= DMI_ENTRY_PROCESSOR_MIN_LENGTH) {
u16 val = (u16)get_unaligned((const u16 *)
(dmi_data + DMI_PROCESSOR_MAX_SPEED));
*mhz = val > *mhz ? val : *mhz;
}
if (dm->type == DMI_ENTRY_PROCESSOR &&
dm->length >= DMI_ENTRY_PROCESSOR_MIN_LENGTH) {
u16 val = (u16)get_unaligned((const u16 *)
(dmi_data + DMI_PROCESSOR_MAX_SPEED));
*mhz = val > *mhz ? val : *mhz;
}
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
---
@ -24,11 +22,11 @@ Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
index 47be9071..b11ec6e3 100644
index 7bcd67b0..51b00d44 100644
--- a/hw/smbios/smbios.c
+++ b/hw/smbios/smbios.c
@@ -600,7 +600,9 @@ static void smbios_build_type_4_table(unsigned instance)
t->thread_count = smp_threads;
@@ -603,7 +603,9 @@ static void smbios_build_type_4_table(MachineState *ms, unsigned instance)
t->thread_count = ms->smp.threads;
t->processor_characteristics = cpu_to_le16(0x02); /* Unknown */
t->processor_family2 = cpu_to_le16(0x01); /* Other */
-
@ -39,7 +37,7 @@ index 47be9071..b11ec6e3 100644
smbios_type4_count++;
}
diff --git a/include/hw/firmware/smbios.h b/include/hw/firmware/smbios.h
index 6fef32a3..70eb7304 100644
index 02a0ced0..6887bca4 100644
--- a/include/hw/firmware/smbios.h
+++ b/include/hw/firmware/smbios.h
@@ -193,6 +193,9 @@ struct smbios_type_4 {
@ -53,5 +51,4 @@ index 6fef32a3..70eb7304 100644
/* SMBIOS type 11 - OEM strings */
--
2.19.1
2.23.0

43
tcp_emu-Fix-oob-access.patch
View File

@ -1,6 +1,6 @@
From 0f7224535cdfec549cd43a5ae4ccde936f50ee95 Mon Sep 17 00:00:00 2001
From 585634894f511bc1821cef54494bf2d9abc109c9 Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Wed, 11 Mar 2020 17:33:46 +0800
Date: Tue, 14 Apr 2020 18:04:33 +0800
Subject: [PATCH] tcp_emu: Fix oob access
The main loop only checks for one available byte, while we sometimes
@ -10,29 +10,28 @@ need two bytes.
1 file changed, 6 insertions(+)
diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
index fde9207b..4608942f 100644
index d6dd133a..9c94c03a 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -895,6 +895,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
break;
@@ -886,6 +886,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
break;
case 5:
+ if (bptr == m->m_data + m->m_len - 1)
+ return 1; /* We need two bytes */
case 5:
+ if (bptr == m->m_data + m->m_len - 1)
+ return 1; /* We need two bytes */
+
/*
* The difference between versions 1.0 and
* 2.0 is here. For future versions of
@@ -910,6 +913,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
/* This is the field containing the port
* number that RA-player is listening to.
*/
+ if (bptr == m->m_data + m->m_len - 1)
+ return 1; /* We need two bytes */
/*
* The difference between versions 1.0 and
* 2.0 is here. For future versions of
@@ -901,6 +904,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
/* This is the field containing the port
* number that RA-player is listening to.
*/
+ if (bptr == m->m_data + m->m_len - 1)
+ return 1; /* We need two bytes */
+
lport = (((uint8_t*)bptr)[0] << 8)
+ ((uint8_t *)bptr)[1];
if (lport < 6970)
lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
if (lport < 6970)
lport += 256; /* don't know why */
--
2.21.1 (Apple Git-122.3)
2.23.0

125
tcp_emu-fix-unsafe-snprintf-usages.patch
View File

@ -1,6 +1,6 @@
From 1db8bcc0ec91bb4374b3ffdd03da3c4ede381fb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Wed, 11 Mar 2020 18:52:07 +0800
From 220a52fda279038d46c25d39a372154ff9b024d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureauls?= <marcandre.lureau@redhat.com>
Date: Tue, 14 Apr 2020 19:06:35 +0800
Subject: [PATCH] tcp_emu: fix unsafe snprintf() usages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -28,67 +28,76 @@ Signed-off-by: default avatarMarc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
---
slirp/src/tcp_subr.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
slirp/src/tcp_subr.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
index e898fd03..88dadc76 100644
index 019b637a..6c1b17bd 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -707,7 +707,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
@@ -655,8 +655,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
NTOHS(n1);
NTOHS(n2);
m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1);
- m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
- assert(m->m_len < M_ROOM(m));
+ m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
} else {
*eol = '\r';
}
@@ -696,7 +695,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
"ORT %d,%d,%d,%d,%d,%d\r\n%s",
n1, n2, n3, n4, n5, n6, x==7?buff:"");
return 1;
@@ -740,7 +740,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
"ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
n5, n6, x == 7 ? buff : "");
return 1;
@@ -732,7 +731,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
n1, n2, n3, n4, n5, n6, x==7?buff:"");
m->m_len = bptr - m->m_data; /* Adjust length */
m->m_len +=
- snprintf(bptr, M_FREEROOM(m),
+ slirp_fmt(bptr, M_FREEROOM(m),
"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
@@ -766,7 +766,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
(so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
htons(lport), SS_FACCEPTONCE)) != NULL)
- m->m_len = snprintf(m->m_data, M_ROOM(m),
+ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m),
"%d", ntohs(so->so_fport)) + 1;
return 1;
@@ -759,7 +758,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
(so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
htons(lport), SS_FACCEPTONCE)) != NULL)
m->m_len =
- snprintf(m->m_data, M_ROOM(m),
+ slirp_fmt0(m->m_data, M_ROOM(m),
"%d", ntohs(so->so_fport)) + 1;
return 1;
@@ -786,7 +786,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
"DCC CHAT chat %lu %u%c\n",
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), 1);
@@ -797,7 +797,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
"DCC SEND %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
@@ -808,7 +808,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
"DCC MOVE %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
@@ -779,7 +778,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
"DCC CHAT chat %lu %u%c\n",
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), 1);
@@ -791,7 +790,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
}
m->m_len = bptr - m->m_data; /* Adjust length */
m->m_len +=
- snprintf(bptr, M_FREEROOM(m),
+ slirp_fmt(bptr, M_FREEROOM(m),
"DCC SEND %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
@@ -803,7 +802,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
}
m->m_len = bptr - m->m_data; /* Adjust length */
m->m_len +=
- snprintf(bptr, M_FREEROOM(m),
+ slirp_fmt(bptr, M_FREEROOM(m),
"DCC MOVE %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
--
2.21.1 (Apple Git-122.3)
2.23.0

48
tests-bios-tables-test-disable-this-testcase.patch Normal file
View File

@ -0,0 +1,48 @@
From 0814ef80cdf212c68b73fc1fbad4eeece3560ef9 Mon Sep 17 00:00:00 2001
From: Ying Fang <fangying1@huawei.com>
Date: Wed, 15 Apr 2020 19:52:09 +0800
Subject: [PATCH] tests/bios-tables-test: disable this testcase
We will change ARM virt ACPI FACP and PPTT table in order to
support CPU topology information presentation. However our
change make this testcase fail since we changed the table
totally and we cannot apply patch with rpmbuild system.
Signed-off-by: Ying Fang <fangying1@huawei.com>
---
tests/Makefile.include | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/Makefile.include b/tests/Makefile.include
index fd7fdb86..d8cf00c1 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -164,7 +164,7 @@ check-qtest-i386-y += tests/ide-test$(EXESUF)
check-qtest-i386-y += tests/ahci-test$(EXESUF)
check-qtest-i386-y += tests/hd-geo-test$(EXESUF)
check-qtest-i386-y += tests/boot-order-test$(EXESUF)
-check-qtest-i386-y += tests/bios-tables-test$(EXESUF)
+# check-qtest-i386-y += tests/bios-tables-test$(EXESUF)
check-qtest-i386-$(CONFIG_SGA) += tests/boot-serial-test$(EXESUF)
check-qtest-i386-$(CONFIG_SLIRP) += tests/pxe-test$(EXESUF)
check-qtest-i386-y += tests/rtc-test$(EXESUF)
@@ -269,7 +269,7 @@ check-qtest-aarch64-y += tests/boot-serial-test$(EXESUF)
check-qtest-aarch64-y += tests/migration-test$(EXESUF)
# TODO: once aarch64 TCG is fixed on ARM 32 bit host, make test unconditional
ifneq ($(ARCH),arm)
-check-qtest-aarch64-y += tests/bios-tables-test$(EXESUF)
+#check-qtest-aarch64-y += tests/bios-tables-test$(EXESUF)
endif
check-qtest-microblazeel-y += $(check-qtest-microblaze-y)
@@ -783,7 +783,7 @@ tests/ipmi-bt-test$(EXESUF): tests/ipmi-bt-test.o
tests/hd-geo-test$(EXESUF): tests/hd-geo-test.o
tests/boot-order-test$(EXESUF): tests/boot-order-test.o $(libqos-obj-y)
tests/boot-serial-test$(EXESUF): tests/boot-serial-test.o $(libqos-obj-y)
-tests/bios-tables-test$(EXESUF): tests/bios-tables-test.o \
+#tests/bios-tables-test$(EXESUF): tests/bios-tables-test.o \
tests/boot-sector.o tests/acpi-utils.o $(libqos-obj-y)
tests/pxe-test$(EXESUF): tests/pxe-test.o tests/boot-sector.o $(libqos-obj-y)
tests/microbit-test$(EXESUF): tests/microbit-test.o
--
2.23.0

124
util-add-slirp_fmt-helpers.patch Normal file
View File

@ -0,0 +1,124 @@
From f3475a4a22dd84be0d2d7daa11676ac861da64bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureauls?= <marcandre.lureau@redhat.com>
Date: Tue, 14 Apr 2020 18:51:39 +0800
Subject: [PATCH] util: add slirp_fmt() helpers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Various calls to snprintf() in libslirp assume that snprintf() returns
"only" the number of bytes written (excluding terminating NUL).
https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."
Introduce slirp_fmt() that handles several pathological cases the
way libslirp usually expect:
- treat error as fatal (instead of silently returning -1)
- fmt0() will always \0 end
- return the number of bytes actually written (instead of what would
have been written, which would usually result in OOB later), including
the ending \0 for fmt0()
- warn if truncation happened (instead of ignoring)
Other less common cases can still be handled with strcpy/snprintf() etc.
Signed-off-by: default avatarMarc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault's avatarSamuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com>
---
slirp/src/util.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++
slirp/src/util.h | 3 +++
2 files changed, 66 insertions(+)
diff --git a/slirp/src/util.c b/slirp/src/util.c
index e5960871..dcae899e 100644
--- a/slirp/src/util.c
+++ b/slirp/src/util.c
@@ -364,3 +364,66 @@ void slirp_pstrcpy(char *buf, int buf_size, const char *str)
}
*q = '\0';
}
+
+static int slirp_vsnprintf(char *str, size_t size,
+ const char *format, va_list args)
+{
+ int rv = vsnprintf(str, size, format, args);
+
+ if (rv < 0) {
+ g_error("vsnprintf() failed: %s", g_strerror(errno));
+ }
+
+ return rv;
+}
+
+/*
+ * A snprintf()-like function that:
+ * - returns the number of bytes written (excluding optional \0-ending)
+ * - dies on error
+ * - warn on truncation
+ */
+int slirp_fmt(char *str, size_t size, const char *format, ...)
+{
+ va_list args;
+ int rv;
+
+ va_start(args, format);
+ rv = slirp_vsnprintf(str, size, format, args);
+ va_end(args);
+
+ if (rv > size) {
+ g_critical("vsnprintf() truncation");
+ }
+
+ return MIN(rv, size);
+}
+
+/*
+ * A snprintf()-like function that:
+ * - always \0-end (unless size == 0)
+ * - returns the number of bytes actually written, including \0 ending
+ * - dies on error
+ * - warn on truncation
+ */
+int slirp_fmt0(char *str, size_t size, const char *format, ...)
+{
+ va_list args;
+ int rv;
+
+ va_start(args, format);
+ rv = slirp_vsnprintf(str, size, format, args);
+ va_end(args);
+
+ if (rv >= size) {
+ g_critical("vsnprintf() truncation");
+ if (size > 0)
+ str[size - 1] = '\0';
+ rv = size;
+ } else {
+ rv += 1; /* include \0 */
+ }
+
+ return rv;
+}
+
diff --git a/slirp/src/util.h b/slirp/src/util.h
index 3c6223ce..0558dfc2 100644
--- a/slirp/src/util.h
+++ b/slirp/src/util.h
@@ -177,4 +177,7 @@ static inline int slirp_socket_set_fast_reuse(int fd)
void slirp_pstrcpy(char *buf, int buf_size, const char *str);
+int slirp_fmt(char *str, size_t size, const char *format, ...);
+int slirp_fmt0(char *str, size_t size, const char *format, ...);
+
#endif
--
2.23.0

15
vhost-user-scsi-prevent-using-uninitialized-vqs.patch
View File

@ -1,7 +1,7 @@
From 19d56f560879081de411f359417eaaa2998c9e3a Mon Sep 17 00:00:00 2001
From 4d8f2885b3f1219c3df2cf1a00dc0c55b23ee715 Mon Sep 17 00:00:00 2001
From: Raphael Norwitz <raphael.norwitz@nutanix.com>
Date: Tue, 11 Jun 2019 17:35:17 -0700
Subject: [PATCH 5/5] vhost-user-scsi: prevent using uninitialized vqs
Date: Tue, 14 Apr 2020 21:39:05 +0800
Subject: [PATCH] vhost-user-scsi: prevent using uninitialized vqs
Of the 3 virtqueues, seabios only sets cmd, leaving ctrl
and event without a physical address. This can cause
@ -26,10 +26,10 @@ Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/vhost-user-scsi.c b/hw/scsi/vhost-user-scsi.c
index 8b1e687..241631f 100644
index fcee67d5..affc2431 100644
--- a/hw/scsi/vhost-user-scsi.c
+++ b/hw/scsi/vhost-user-scsi.c
@@ -90,7 +90,7 @@ static void vhost_user_scsi_realize(DeviceState *dev, Error **errp)
@@ -91,7 +91,7 @@ static void vhost_user_scsi_realize(DeviceState *dev, Error **errp)
}
vsc->dev.nvqs = 2 + vs->conf.num_queues;
@ -37,7 +37,6 @@ index 8b1e687..241631f 100644
+ vsc->dev.vqs = g_new0(struct vhost_virtqueue, vsc->dev.nvqs);
vsc->dev.vq_index = 0;
vsc->dev.backend_features = 0;
vqs = vsc->dev.vqs;
--
1.8.3.1
2.23.0