!802 QEMU update to version 6.2.0-77(master)

From: @JiaboFeng 
Reviewed-by: @aven6 
Signed-off-by: @aven6
openeuler-ci-bot 2023-08-07 09:41:59 +00:00 committed by Gitee
commit d55b141ce6
25 changed files with 1439 additions and 1 deletions


@ -0,0 +1,172 @@
From beed3295acf786cec520a8a0aec5efcd2ca12b23 Mon Sep 17 00:00:00 2001
From: liuxiangdong <liuxiangdong5@huawei.com>
Date: Fri, 14 Jul 2023 05:11:57 +0800
Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) The 9p
protocol does not specifically define how server shall behave when client
tries to open a special file, however from security POV it does make sense
for 9p server to prohibit opening any special file on host side in general. A
sane Linux 9p client for instance would never attempt to open a special file
on host side, it would always handle those exclusively on its guest side. A
malicious client however could potentially escape from the exported 9p tree
by creating and opening a device file on host side.
With QEMU this could only be exploited in the following unsafe setups:
- Running QEMU binary as root AND 9p 'local' fs driver AND 'passthrough'
security model.
or
- Using 9p 'proxy' fs driver (which is running its helper daemon as
root).
These setups were already discouraged for safety reasons before,
however for obvious reasons we are now tightening behaviour on this.
Fixes: CVE-2023-2861
Reported-by: Yanwu Shen <ywsPlz@gmail.com>
Reported-by: Jietao Xiao <shawtao1125@gmail.com>
Reported-by: Jinku Li <jkli@xidian.edu.cn>
Reported-by: Wenbo Shen <shenwenbo@zju.edu.cn>
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
---
fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++--
hw/9pfs/9p-util.h | 40 +++++++++++++++++++++++++++++++++++++
2 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
index 15c0e79b06..f9e4669a5b 100644
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
@@ -26,6 +26,7 @@
#include "qemu/xattr.h"
#include "9p-iov-marshal.h"
#include "hw/9pfs/9p-proxy.h"
+#include "hw/9pfs/9p-util.h"
#include "fsdev/9p-iov-marshal.h"
#define PROGNAME "virtfs-proxy-helper"
@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
}
}
+/*
+ * Open regular file or directory. Attempts to open any special file are
+ * rejected.
+ *
+ * returns file descriptor or -1 on error
+ */
+static int open_regular(const char *pathname, int flags, mode_t mode)
+{
+ int fd;
+
+ fd = open(pathname, flags, mode);
+ if (fd < 0) {
+ return fd;
+ }
+
+ if (close_if_special_file(fd) < 0) {
+ return -1;
+ }
+
+ return fd;
+}
+
/*
* send response in two parts
* 1) ProxyHeader
@@ -682,7 +705,7 @@ static int do_create(struct iovec *iovec)
if (ret < 0) {
goto unmarshal_err_out;
}
- ret = open(path.data, flags, mode);
+ ret = open_regular(path.data, flags, mode);
if (ret < 0) {
ret = -errno;
}
@@ -707,7 +730,7 @@ static int do_open(struct iovec *iovec)
if (ret < 0) {
goto err_out;
}
- ret = open(path.data, flags);
+ ret = open_regular(path.data, flags, 0);
if (ret < 0) {
ret = -errno;
}
diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
index 546f46dc7d..23000e917f 100644
--- a/hw/9pfs/9p-util.h
+++ b/hw/9pfs/9p-util.h
@@ -13,12 +13,16 @@
#ifndef QEMU_9P_UTIL_H
#define QEMU_9P_UTIL_H
+#include "qemu/error-report.h"
+
#ifdef O_PATH
#define O_PATH_9P_UTIL O_PATH
#else
#define O_PATH_9P_UTIL 0
#endif
+#define qemu_fstat fstat
+
static inline void close_preserve_errno(int fd)
{
int serrno = errno;
@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd)
errno = serrno;
}
+/**
+ * close_if_special_file() - Close @fd if neither regular file nor directory.
+ *
+ * @fd: file descriptor of open file
+ * Return: 0 on regular file or directory, -1 otherwise
+ *
+ * CVE-2023-2861: Prohibit opening any special file directly on host
+ * (especially device files), as a compromised client could potentially gain
+ * access outside exported tree under certain, unsafe setups. We expect
+ * client to handle I/O on special files exclusively on guest side.
+ */
+static inline int close_if_special_file(int fd)
+{
+ struct stat stbuf;
+
+ if (qemu_fstat(fd, &stbuf) < 0) {
+ close_preserve_errno(fd);
+ return -1;
+ }
+ if (!S_ISREG(stbuf.st_mode) && !S_ISDIR(stbuf.st_mode)) {
+ error_report_once(
+ "9p: broken or compromised client detected; attempt to open "
+ "special file (i.e. neither regular file, nor directory)"
+ );
+ close(fd);
+ errno = ENXIO;
+ return -1;
+ }
+
+ return 0;
+}
+
static inline int openat_dir(int dirfd, const char *name)
{
return openat(dirfd, name,
@@ -56,6 +92,10 @@ again:
return -1;
}
+ if (close_if_special_file(fd) < 0) {
+ return -1;
+ }
+
serrno = errno;
/* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
* do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
--
2.41.0.windows.1
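Review bot: In open_regular() the open() call passes the client-supplied flags through unchanged, so a client that creates a FIFO and opens it without O_NONBLOCK can park the root-running helper inside open() before close_if_special_file() ever gets a chance to reject it; as far as this hunk shows, the helper services requests one at a time, which makes that a cheap denial of service against exactly the path this patch hardens. The openat_file() hunk in 9p-util.h already opens with O_NONBLOCK and drops it afterwards (the comment at the end of that hunk says so), so the proxy helper should mirror that pattern, using the close_preserve_errno() helper that the new include of 9p-util.h brings in. Opening a device node can still have side effects before fstat() runs, which O_NONBLOCK does not prevent; that limitation deserves a sentence in the function comment. The beginning and end of openat_file() lie outside its hunk.
```c
static int open_regular(const char *pathname, int flags, mode_t mode)
{
    int fd;

    /* O_NONBLOCK: open() must not stall on a FIFO before the type check runs. */
    fd = open(pathname, flags | O_NONBLOCK, mode);
    /* … unchanged: fd < 0 and close_if_special_file() checks … */

    /* Regular file or directory: restore the caller's blocking mode. */
    if (!(flags & O_NONBLOCK) && fcntl(fd, F_SETFL, flags) < 0) {
        close_preserve_errno(fd);
        return -1;
    }

    return fd;
}
```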


@ -0,0 +1,48 @@
From baf464ea0c35f9b235e8385b0771392ce362a6ec Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Fri, 21 Jul 2023 06:14:37 +0000
Subject: [PATCH] Allow setting up to 8 bytes with the generic loader mainline
inclusion commit f42483d776bce29a9925ed61cc10eb27a5b2446c category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
The documentation for the generic loader says that "the maximum size of
the data is 8 bytes". However, attempts to set data-len=8 trigger the
following assertion failure:
../hw/core/generic-loader.c:59: generic_loader_reset: Assertion `s->data_len < sizeof(s->data)' failed.
The type of s->data is uint64_t (i.e. 8 bytes long), so I believe this
assert should use <= instead of <.
Fixes: e481a1f63c93 ("generic-loader: Add a generic loader")
Signed-off-by: Petr Tesarik <ptesarik@suse.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20220120092715.7805-1-ptesarik@suse.com
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/core/generic-loader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/core/generic-loader.c b/hw/core/generic-loader.c
index 9a24ffb880..504ed7ca72 100644
--- a/hw/core/generic-loader.c
+++ b/hw/core/generic-loader.c
@@ -56,7 +56,7 @@ static void generic_loader_reset(void *opaque)
}
if (s->data_len) {
- assert(s->data_len < sizeof(s->data));
+ assert(s->data_len <= sizeof(s->data));
dma_memory_write(s->cpu->as, s->addr, &s->data, s->data_len,
MEMTXATTRS_UNSPECIFIED);
}
--
2.41.0.windows.1
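Review bot: Relaxing the assert in generic_loader_reset() to `<=` is only safe if the realize-time validation of the data-len property, which is outside this hunk, accepts 8 as well; the commit message cites the documentation but not that check, so confirm both use the same `<= sizeof(s->data)` bound so the assert can never fire on a value the property setter accepted. Since s->data_len comes from the command line, any mismatch between the two checks would be reachable by whoever configures the device. generic_loader_reset() starts before the hunk.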


@ -0,0 +1,49 @@
From 28ca488c585c556ce04419f927d13d46771e1ea4 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Tue, 18 Jul 2023 06:29:51 +0000
Subject: [PATCH] accel/tcg: Optimize jump cache flush during tlb range flush
mainline inclusion commit cfc2a2d69d59f02b32df3098ce17e10ab86d43c6 category:
bugfix
---------------------------------------------------------------
When the length of the range is large enough, clearing the whole cache is
faster than iterating over the (possibly extremely large) set of pages
contained in the range.
This mimics the pre-existing similar optimization done on the flush of the
tlb itself.
Signed-off-by: Idan Horowitz <idan.horowitz@gmail.com>
Message-Id: <20220110164754.1066025-1-idan.horowitz@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
accel/tcg/cputlb.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index b69a953447..03526fa1ab 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -783,6 +783,15 @@ static void tlb_flush_range_by_mmuidx_async_0(CPUState *cpu,
}
qemu_spin_unlock(&env_tlb(env)->c.lock);
+ /*
+ * If the length is larger than the jump cache size, then it will take
+ * longer to clear each entry individually than it will to clear it all.
+ */
+ if (d.len >= (TARGET_PAGE_SIZE * TB_JMP_CACHE_SIZE)) {
+ cpu_tb_jmp_cache_clear(cpu);
+ return;
+ }
+
for (target_ulong i = 0; i < d.len; i += TARGET_PAGE_SIZE) {
tb_flush_jmp_cache(cpu, d.addr + i);
}
--
2.41.0.windows.1
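Review bot: The early `return` after cpu_tb_jmp_cache_clear() bypasses whatever follows the per-page loop in tlb_flush_range_by_mmuidx_async_0(), and the function's end is outside this hunk; if anything other than the loop remains there, it is now skipped on the large-range path. Writing it as `if (d.len >= ...) { cpu_tb_jmp_cache_clear(cpu); } else { for (...) { ... } }` keeps both paths converging on the same tail and survives later additions. The threshold `TARGET_PAGE_SIZE * TB_JMP_CACHE_SIZE` is, as far as the hunk shows, computed in int before comparison with a target_ulong; it fits for current values, but a `(target_ulong)` cast on the product would keep it safe should either constant grow.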


@ -0,0 +1,48 @@
From ddca9c0cba8e3c858b7998c67ae2739f58b5b681 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Fri, 21 Jul 2023 06:41:38 +0000
Subject: [PATCH] accel/tcg/cpu-exec: Fix precise single-stepping after
interrupt mainline inclusion commit 5b7b197c87cefbd24bd1936614fd4e00ccc279ab
category: bugfix
---------------------------------------------------------------
In some cases, cpu->exit_request can be false after handling the
interrupt, leading to another TB being executed instead of returning
to the main loop.
Fix this by returning true unconditionally when in single-step mode.
Fixes: ba3c35d9c402 ("tcg/cpu-exec: precise single-stepping after an interrupt")
Signed-off-by: Luc Michel <lmichel@kalray.eu>
Message-Id: <20220214132656.11397-1-lmichel@kalray.eu>
[rth: Unlock iothread mutex; simplify indentation]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
accel/tcg/cpu-exec.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index 409ec8c38c..7fb87afedc 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -798,8 +798,12 @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
* raised when single-stepping so that GDB doesn't miss the
* next instruction.
*/
- cpu->exception_index =
- (cpu->singlestep_enabled ? EXCP_DEBUG : -1);
+ if (unlikely(cpu->singlestep_enabled)) {
+ cpu->exception_index = EXCP_DEBUG;
+ qemu_mutex_unlock_iothread();
+ return true;
+ }
+ cpu->exception_index = -1;
*last_tb = NULL;
}
/* The target hook may have updated the 'cpu->interrupt_request';
--
2.41.0.windows.1
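Review bot: The new single-step path returns before `*last_tb = NULL` runs, while the non-single-step path still clears it; if that is intended because the caller goes straight back to the main loop with EXCP_DEBUG pending, a comment such as `/* last_tb is irrelevant: we return to the main loop with EXCP_DEBUG pending */` above the return would stop the next reader from re-adding the assignment. The qemu_mutex_unlock_iothread() call implies the lock was taken earlier in cpu_handle_interrupt(), outside this hunk, so every other exit between that lock and this return must unlock too and is worth re-checking. The enclosing function begins and ends outside the hunk.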


@ -0,0 +1,36 @@
From 2d37c08cc6f274c48a4a65a446788e946f0363c0 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Wed, 28 Jun 2023 10:58:55 +0800
Subject: [PATCH] block/iscsi: fix double-free on BUSY or similar statuses
cheery-pick from 5080152e2ef6cde7aa692e29880c62bd54acb750
Commit 8c460269aa77 ("iscsi: base all handling of check condition on
scsi_sense_to_errno", 2019-07-15) removed a "goto out" so that the
same coroutine is re-entered twice; once from iscsi_co_generic_cb,
once from the timer callback iscsi_retry_timer_expired. This can
cause a crash.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1378
Reported-by: Grzegorz Zdanowski <https://gitlab.com/kiler129>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
block/iscsi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block/iscsi.c b/block/iscsi.c
index 57aa07a40d..61ccb58fc8 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -268,6 +268,7 @@ iscsi_co_generic_cb(struct iscsi_context *iscsi, int status,
timer_mod(&iTask->retry_timer,
qemu_clock_get_ms(QEMU_CLOCK_REALTIME) + retry_time);
iTask->do_retry = 1;
+ return;
} else if (status == SCSI_STATUS_CHECK_CONDITION) {
int error = iscsi_translate_sense(&task->sense);
if (error == EAGAIN) {
--
2.41.0.windows.1
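Review bot: The `return` added after `iTask->do_retry = 1` is an unexplained early exit in an otherwise fall-through if/else chain; it relies on the retry timer being the one to re-enter the coroutine, and it skips everything after the chain in iscsi_co_generic_cb(), which is outside this hunk. A line such as `/* retry_timer re-enters the coroutine; waking it here too caused a double entry (issue 1378) */` above the return would capture the reason the commit message gives. Since the function's tail is not visible here, confirm that nothing it does, such as marking the task complete, is required on the retry path.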


@ -0,0 +1,54 @@
From 33dfb9d81a8cfe17aaa3f0804cbd491b06d38cd6 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Tue, 27 Jun 2023 14:40:13 +0800
Subject: [PATCH] block/monitor: Fix crash when executing HMP commit
cheery-pick from b7b814cd87a5fbe9f0fb5732dd28932699317bda
hmp_commit() calls blk_is_available() from a non-coroutine context (and
in the main loop). blk_is_available() is a co_wrapper_mixed_bdrv_rdlock
function, and in the non-coroutine context it calls AIO_WAIT_WHILE(),
which crashes if the aio_context lock is not taken before.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1615
Signed-off-by: Wang Liang <wangliangzz@inspur.com>
Message-Id: <20230424103902.45265-1-wangliangzz@126.com>
Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 8c1e8fb2e7fc2cbeb57703e143965a4cd3ad301a)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
block/monitor/block-hmp-cmds.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/block/monitor/block-hmp-cmds.c b/block/monitor/block-hmp-cmds.c
index 2ac4aedfff..44f0af3430 100644
--- a/block/monitor/block-hmp-cmds.c
+++ b/block/monitor/block-hmp-cmds.c
@@ -213,15 +213,17 @@ void hmp_commit(Monitor *mon, const QDict *qdict)
error_report("Device '%s' not found", device);
return;
}
- if (!blk_is_available(blk)) {
- error_report("Device '%s' has no medium", device);
- return;
- }
bs = bdrv_skip_implicit_filters(blk_bs(blk));
aio_context = bdrv_get_aio_context(bs);
aio_context_acquire(aio_context);
+ if (!blk_is_available(blk)) {
+ error_report("Device '%s' has no medium", device);
+ aio_context_release(aio_context);
+ return;
+ }
+
ret = bdrv_commit(bs);
aio_context_release(aio_context);
--
2.41.0.windows.1
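Review bot: Moving blk_is_available() below `bs = bdrv_skip_implicit_filters(blk_bs(blk))` means that when the device has no medium, blk_bs() presumably returns NULL and both bdrv_skip_implicit_filters() and bdrv_get_aio_context() are now called with a NULL bs before the error is reported; the hunk is correct only if both helpers tolerate NULL, and nothing here says so. A comment such as `/* blk_bs() may be NULL without a medium; both helpers accept that, and blk_is_available() must run under the context lock */` above the assignment would record both the dependency and why the check had to move. hmp_commit() begins before this hunk.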


@ -0,0 +1,34 @@
From d301917340f0d0196fb8e346a5d489e9be329a0a Mon Sep 17 00:00:00 2001
From: jipengfei <jipengfei_yewu@cmss.chinamobile.com>
Date: Fri, 30 Jun 2023 21:33:34 +0800
Subject: [PATCH] gitlab: Disable plugins for cross-i386-tci
There are timeouts in the cross-i386-tci job that are related to plugins.
Restrict this job to basic TCI testing.
cheery-pick from 0cc889c8826cefa5b80110d31a62273b56aa1832
Signed-off-by: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230629130844.151453-1-richard.henderson@linaro.org>
---
.gitlab-ci.d/crossbuilds.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab-ci.d/crossbuilds.yml b/.gitlab-ci.d/crossbuilds.yml
index 17d6cb3e45..d06bf5f57d 100644
--- a/.gitlab-ci.d/crossbuilds.yml
+++ b/.gitlab-ci.d/crossbuilds.yml
@@ -65,7 +65,7 @@ cross-i386-tci:
variables:
IMAGE: fedora-i386-cross
ACCEL: tcg-interpreter
- EXTRA_CONFIGURE_OPTS: --target-list=i386-softmmu,i386-linux-user,aarch64-softmmu,aarch64-linux-user,ppc-softmmu,ppc-linux-user
+ EXTRA_CONFIGURE_OPTS: --target-list=i386-softmmu,i386-linux-user,aarch64-softmmu,aarch64-linux-user,ppc-softmmu,ppc-linux-user --disable-plugins
MAKE_CHECK_ARGS: check check-tcg
cross-mips-system:
--
2.41.0.windows.1


@ -0,0 +1,79 @@
From 8bba9208da0aa994b91d9568b58241e94b5d46fc Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Wed, 26 Jul 2023 02:21:47 +0000
Subject: [PATCH] host-vdpa: make notifiers _init()/_uninit() symmetric
mainline inclusion commit b1f030a0a2e281193b09350c0281c0084e84bcf4 category:
bugfix
---------------------------------------------------------------
vhost_vdpa_host_notifiers_init() initializes queue notifiers
for queues "dev->vq_index" to queue "dev->vq_index + dev->nvqs",
whereas vhost_vdpa_host_notifiers_uninit() uninitializes the
same notifiers for queue "0" to queue "dev->nvqs".
This asymmetry seems buggy, fix that by using dev->vq_index
as the base for both.
Fixes: d0416d487bd5 ("vhost-vdpa: map virtqueue notification area if possible")
Cc: jasowang@redhat.com
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-Id: <20220211161309.1385839-1-lvivier@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/virtio/vhost-vdpa.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
index 225c9b1730..287025ef93 100644
--- a/hw/virtio/vhost-vdpa.c
+++ b/hw/virtio/vhost-vdpa.c
@@ -381,15 +381,6 @@ static void vhost_vdpa_host_notifier_uninit(struct vhost_dev *dev,
}
}
-static void vhost_vdpa_host_notifiers_uninit(struct vhost_dev *dev, int n)
-{
- int i;
-
- for (i = 0; i < n; i++) {
- vhost_vdpa_host_notifier_uninit(dev, i);
- }
-}
-
static int vhost_vdpa_host_notifier_init(struct vhost_dev *dev, int queue_index)
{
size_t page_size = qemu_real_host_page_size;
@@ -429,6 +420,15 @@ err:
return -1;
}
+static void vhost_vdpa_host_notifiers_uninit(struct vhost_dev *dev, int n)
+{
+ int i;
+
+ for (i = dev->vq_index; i < dev->vq_index + n; i++) {
+ vhost_vdpa_host_notifier_uninit(dev, i);
+ }
+}
+
static void vhost_vdpa_host_notifiers_init(struct vhost_dev *dev)
{
int i;
@@ -442,7 +442,7 @@ static void vhost_vdpa_host_notifiers_init(struct vhost_dev *dev)
return;
err:
- vhost_vdpa_host_notifiers_uninit(dev, i);
+ vhost_vdpa_host_notifiers_uninit(dev, i - dev->vq_index);
return;
}
--
2.41.0.windows.1
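Review bot: vhost_vdpa_host_notifiers_uninit() now treats its second argument as a count relative to dev->vq_index, while the `err:` caller passes `i - dev->vq_index` where i is an absolute queue index from the init loop (the loop itself is outside this hunk); mixing a relative count with absolute indices is easy to get wrong again. Either document it, e.g. `/* @n: number of queues to tear down, starting at dev->vq_index */`, or take the absolute end index so the caller can pass `i` directly. Since the loop bounds are not visible here, confirm that i can never be below dev->vq_index when the jump to `err:` is taken.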


@ -0,0 +1,44 @@
From f6e12a7c892c5e823157f6b84955544ff659e980 Mon Sep 17 00:00:00 2001
From: jipengfei <jipengfei_yewu@cmss.chinamobile.com>
Date: Fri, 30 Jun 2023 22:19:22 +0800
Subject: [PATCH] hw/net/virtio-net: make some VirtIONet const
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The VirtIONet structure is not modified in
virtio_net_supported_guest_offloads().
Therefore, make it const to allow this function to
accept const variables.
cheery-pick from 705e89cfaafc54491482742a756cf661b48608d2
Signed-off-by: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Reviewed-by: Eugenio Pérez <eperezma@redhat.com>
Message-Id: <489b09c3998ac09b9135e57a7dd8c56a4be8cdf9.1685704856.git.yin31149@gmail.com>
Tested-by: Lei Yang <leiyang@redhat.com>
Reviewed-by: Eugenio Pérez <eperezma@redhat.com>
Tested-by: Eugenio Pérez <eperezma@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/net/virtio-net.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 4946b65e22..3bd786cc22 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -811,7 +811,7 @@ static uint64_t virtio_net_guest_offloads_by_features(uint32_t features)
return guest_offloads_mask & features;
}
-static inline uint64_t virtio_net_supported_guest_offloads(VirtIONet *n)
+static inline uint64_t virtio_net_supported_guest_offloads(const VirtIONet *n)
{
VirtIODevice *vdev = VIRTIO_DEVICE(n);
return virtio_net_guest_offloads_by_features(vdev->guest_features);
--
2.41.0.windows.1


@ -0,0 +1,47 @@
From 2d7c5ea10b443c33ffe2c21de5a495bd6d2a67bd Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Wed, 28 Jun 2023 09:37:04 +0800
Subject: [PATCH] hw/net/vmxnet3: allow VMXNET3_MAX_MTU itself as a value
cheery-pick from b209cc4556d56938fa8a933670b8fb98c036af37
Currently, VMXNET3_MAX_MTU itself (being 9000) is not considered a
valid value for the MTU, but a guest running ESXi 7.0 might try to
set it and fail the assert [0].
In the Linux kernel, dev->max_mtu itself is a valid value for the MTU
and for the vmxnet3 driver it's 9000, so a guest running Linux will
also fail the assert when trying to set an MTU of 9000.
VMXNET3_MAX_MTU and s->mtu don't seem to be used in relation to buffer
allocations/accesses, so allowing the upper limit itself as a value
should be fine.
[0]: https://forum.proxmox.com/threads/114011/
Fixes: d05dcd94ae ("net: vmxnet3: validate configuration values during activate (CVE-2021-20203)")
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 099a63828130843741d317cb28e936f468b2b53b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/net/vmxnet3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 0b7acf7f89..a2037583bf 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1441,7 +1441,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
vmxnet3_setup_rx_filtering(s);
/* Cache fields from shared memory */
s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
- assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
+ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu <= VMXNET3_MAX_MTU);
VMW_CFPRN("MTU is %u", s->mtu);
s->max_rx_frags =
--
2.41.0.windows.1
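Review bot: The bound is right, but s->mtu is read from guest-controlled driver shared memory on the line above, so the `assert()` still lets a guest driver that writes an out-of-range MTU abort the whole VM; failing activation (report the error and leave the device inactive) would be the safer response, with the assert reserved for state QEMU itself computed. That change is beyond this one-character fix and reflects the choice made in the earlier CVE-2021-20203 patch, but a marker such as `/* TODO: guest-supplied value; an abort here is guest-triggerable, fail activation instead */` would keep it from being forgotten. vmxnet3_activate_device() continues beyond the hunk.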


@ -0,0 +1,52 @@
From bf6161d03c1d6a8cb378a2f84743aa45b0ddf84b Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Wed, 26 Jul 2023 02:34:48 +0000
Subject: [PATCH] hw/pci-bridge/pxb: Fix missing swizzle mainline inclusion
commit e609301b458bf6daba478299dc5aea5d1fbaea39 category: bugfix
---------------------------------------------------------------
pxb_map_irq_fn() handled the necessary removal of the swizzle
applied to the PXB interrupts by the bus to which it was attached
but neglected to apply the normal swizzle for PCI root ports
on the expander bridge.
Result of this was on ARM virt, the PME interrupts for a second
RP on a PXB instance were miss-routed to #45 rather than #46.
Tested with a selection of different configurations with 1 to 5
RP per PXB instance. Note on my x86 test setup the PME interrupts
are not triggered so I haven't been able to test this.
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Message-Id: <20220118174855.19325-1-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/pci-bridge/pci_expander_bridge.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/pci-bridge/pci_expander_bridge.c b/hw/pci-bridge/pci_expander_bridge.c
index 10e6e7c2ab..de932286b5 100644
--- a/hw/pci-bridge/pci_expander_bridge.c
+++ b/hw/pci-bridge/pci_expander_bridge.c
@@ -192,6 +192,12 @@ static int pxb_map_irq_fn(PCIDevice *pci_dev, int pin)
{
PCIDevice *pxb = pci_get_bus(pci_dev)->parent_dev;
+ /*
+ * First carry out normal swizzle to handle
+ * multple root ports on a pxb instance.
+ */
+ pin = pci_swizzle_map_irq_fn(pci_dev, pin);
+
/*
* The bios does not index the pxb slot number when
* it computes the IRQ because it resides on bus 0
--
2.41.0.windows.1
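Review bot: The new comment has a typo, `multple` should be `multiple`, and it could also say what a reader needs most: that pin is first swizzled for the device's own slot on the PXB bus and then, on the lines that follow, un-swizzled for the PXB's slot on bus 0 because the BIOS does not index that slot. The rest of pxb_map_irq_fn(), including the use of the now-swizzled pin, lies outside this hunk, so confirm the subsequent arithmetic operates on `pin` rather than a re-read value.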


@ -0,0 +1,43 @@
From f2ee3b11fc10dd5353beb8efca7d919668dd332c Mon Sep 17 00:00:00 2001
From: qihao <qihao@cmss.chinamobile.com>
Date: Mon, 26 Jun 2023 11:04:33 +0800
Subject: [PATCH] hw/ppc/Kconfig: MAC_NEWWORLD should always select
USB_OHCI_PCI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick 9ec08f3569be3bc8bfd4d9b8b0445b9136910661
The PowerMacs have an OHCI controller soldered on the motherboard,
so this should always be enabled for the "mac99" machine.
This fixes the problem that QEMU aborts when the user tries to run
the "mac99" machine with a build that has been compiled with the
"--without-default-devices" configure switch.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Message-Id: <20230530102041.55527-1-thuth@redhat.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/ppc/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/ppc/Kconfig b/hw/ppc/Kconfig
index 400511c6b7..9e0b7184e3 100644
--- a/hw/ppc/Kconfig
+++ b/hw/ppc/Kconfig
@@ -119,6 +119,7 @@ config MAC_NEWWORLD
select MAC_PMU
select UNIN_PCI
select FW_CFG_PPC
+ select USB_OHCI_PCI
config E500
bool
--
2.41.0.windows.1


@ -0,0 +1,50 @@
From 862a150140b95bbd23d174307aacd06f65d36f1c Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Fri, 21 Jul 2023 07:26:44 +0000
Subject: [PATCH] hw/virtio: vdpa: Fix leak of host-notifier memory-region
mainline inclusion commit 98f7607ecda00dea3cbb2ed7b4427c96846efb83 category:
bugfix
---------------------------------------------------------------
If call virtio_queue_set_host_notifier_mr fails, should free
host-notifier memory-region.
This problem can trigger a coredump with some vDPA drivers (mlx5,
but not with the vdpasim), if we unplug the virtio-net card from
the guest after a stop/start.
The same fix has been done for vhost-user:
1f89d3b91e3e ("hw/virtio: Fix leak of host-notifier memory-region")
Fixes: d0416d487bd5 ("vhost-vdpa: map virtqueue notification area if possible")
Cc: jasowang@redhat.com
Resolves: https://bugzilla.redhat.com/2027208
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-Id: <20220211170259.1388734-1-lvivier@redhat.com>
Cc: qemu-stable@nongnu.org
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/virtio/vhost-vdpa.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
index f285edb786..225c9b1730 100644
--- a/hw/virtio/vhost-vdpa.c
+++ b/hw/virtio/vhost-vdpa.c
@@ -417,6 +417,7 @@ static int vhost_vdpa_host_notifier_init(struct vhost_dev *dev, int queue_index)
g_free(name);
if (virtio_queue_set_host_notifier_mr(vdev, queue_index, &n->mr, true)) {
+ object_unparent(OBJECT(&n->mr));
munmap(addr, page_size);
goto err;
}
--
2.41.0.windows.1
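Review bot: `object_unparent(OBJECT(&n->mr))` is placed before munmap(), which is the right order since the region must not outlive the mapping it wraps, but nothing in the hunk says so and the ordering is easy to lose in a later cleanup; a comment like `/* Unparent before unmapping: the MR wraps addr. */` would make it explicit. Whether unparenting alone is enough depends on no other reference to n->mr being held at this point, which cannot be checked from the hunk; the success-path teardown in vhost_vdpa_host_notifier_uninit() should use the same order. The `err:` label and the rest of vhost_vdpa_host_notifier_init() are outside this hunk.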


@ -0,0 +1,87 @@
From 31ae365f6c13d1bdad9d4eefe6e9f00928e5dd64 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Wed, 26 Jul 2023 02:50:59 +0000
Subject: [PATCH] ide: Increment BB in-flight counter for TRIM BH mainline
inclusion commit 7e5cdb345f77d76cb4877fe6230c4e17a7d0d0ca category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
When we still have an AIOCB registered for DMA operations, we try to
settle the respective operation by draining the BlockBackend associated
with the IDE device.
However, this assumes that every DMA operation is associated with an
increment of the BlockBackends in-flight counter (e.g. through some
ongoing I/O operation), so that draining the BB until its in-flight
counter reaches 0 will settle all DMA operations. That is not the case:
For TRIM, the guest can issue a zero-length operation that will not
result in any I/O operation forwarded to the BlockBackend, and also not
increment the in-flight counter in any other way. In such a case,
blk_drain() will be a no-op if no other operations are in flight.
It is clear that if blk_drain() is a no-op, the value of
s->bus->dma->aiocb will not change between checking it in the `if`
condition and asserting that it is NULL after blk_drain().
The particular problem is that ide_issue_trim() creates a BH
(ide_trim_bh_cb()) to settle the TRIM request: iocb->common.cb() is
ide_dma_cb(), which will either create a new request, or find the
transfer to be done and call ide_set_inactive(), which clears
s->bus->dma->aiocb. Therefore, the blk_drain() must wait for
ide_trim_bh_cb() to run, which currently it will not always do.
To fix this issue, we increment the BlockBackend's in-flight counter
when the TRIM operation begins (in ide_issue_trim(), when the
ide_trim_bh_cb() BH is created) and decrement it when ide_trim_bh_cb()
is done.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2029980
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20220120142259.120189-1-hreitz@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: John Snow <jsnow@redhat.com>
Tested-by: John Snow <jsnow@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/ide/core.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/ide/core.c b/hw/ide/core.c
index e28f8aad61..15138225be 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -433,12 +433,16 @@ static const AIOCBInfo trim_aiocb_info = {
static void ide_trim_bh_cb(void *opaque)
{
TrimAIOCB *iocb = opaque;
+ BlockBackend *blk = iocb->s->blk;
iocb->common.cb(iocb->common.opaque, iocb->ret);
qemu_bh_delete(iocb->bh);
iocb->bh = NULL;
qemu_aio_unref(iocb);
+
+ /* Paired with an increment in ide_issue_trim() */
+ blk_dec_in_flight(blk);
}
static void ide_issue_trim_cb(void *opaque, int ret)
@@ -508,6 +512,9 @@ BlockAIOCB *ide_issue_trim(
IDEState *s = opaque;
TrimAIOCB *iocb;
+ /* Paired with a decrement in ide_trim_bh_cb() */
+ blk_inc_in_flight(s->blk);
+
iocb = blk_aio_get(&trim_aiocb_info, s->blk, cb, cb_opaque);
iocb->s = s;
iocb->bh = qemu_bh_new(ide_trim_bh_cb, iocb);
--
2.41.0.windows.1
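Review bot: The in-flight increment sits at the top of ide_issue_trim() but the only decrement is in ide_trim_bh_cb(), so any path in the remainder of ide_issue_trim() that does not end with that BH running (an early return between blk_aio_get() and scheduling the BH, if one exists in the part of the function outside this hunk) would leave the counter raised and hang a later drain. In ide_trim_bh_cb(), caching `blk` before qemu_aio_unref(iocb) is necessary and worth a comment, e.g. `/* iocb may be freed by the unref below; keep blk for the decrement. */`. Both functions continue outside the hunk.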


@ -0,0 +1,54 @@
From 16c188d246f8d74f3d25098effdb836cdeb17e16 Mon Sep 17 00:00:00 2001
From: jipengfei <jipengfei_yewu@cmss.chinamobile.com>
Date: Sat, 1 Jul 2023 13:08:53 +0800
Subject: [PATCH] migration: report compress thread pid to libvirt
Supports migrating compressed threads bound to physical cores,qemu need to tell libvirt the compress thread pids.
Signed-off-by:jipengfei <jipengfei_yewu@cmss.chinamobile.com>
---
migration/ram.c | 3 +++
qapi/migration.json | 13 +++++++++++++
2 files changed, 16 insertions(+)
diff --git a/migration/ram.c b/migration/ram.c
index c3484ee1a9..c6c59b54d9 100644
--- a/migration/ram.c
+++ b/migration/ram.c
@@ -755,6 +755,9 @@ static void *do_data_compress(void *opaque)
RAMBlock *block;
bool zero_page;
+ /* report compress thread pids to libvirt */
+ qapi_event_send_migration_compress_pid(qemu_get_thread_id());
+
qemu_mutex_lock(&param->mutex);
while (!param->quit) {
if (param->block) {
diff --git a/qapi/migration.json b/qapi/migration.json
index 8e18fd30e4..e965f4329b 100644
--- a/qapi/migration.json
+++ b/qapi/migration.json
@@ -1308,6 +1308,19 @@
{ 'event': 'MIGRATION_PID',
'data': { 'pid': 'int' } }
+##
+# @MIGRATION_COMPRESS_PID:
+#
+# Emitted when compress thread appear
+#
+# @pid: pid of compress thread
+#
+# Since: 6.2
+##
+{ 'event': 'MIGRATION_COMPRESS_PID',
+ 'data': { 'pid': 'int' } }
+
+
##
# @COLOMessage:
#
--
2.41.0.windows.1
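Review bot: The QAPI doc for MIGRATION_COMPRESS_PID calls the field a pid, but qemu_get_thread_id() on Linux returns the calling thread's kernel thread id (gettid()), which is what a consumer needs for CPU affinity but is not a process id; the doc should say so, and `Since: 6.2` presents a downstream addition as if it were upstream, so a note that the event is openEuler-specific would avoid confusion with later mainline releases. Suggested wording: `# @pid: kernel thread id (TID) of the compression thread, suitable for CPU affinity; not a process id`. The event is emitted from each compress worker thread rather than the main loop, following the existing MIGRATION_PID pattern; a one-line comment that this is safe from a non-main thread would help the next reader. The surrounding do_data_compress() body is outside the hunk.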


@ -3,7 +3,7 @@
Name: qemu Name: qemu
Version: 6.2.0 Version: 6.2.0
Release: 75 Release: 77
Epoch: 10 Epoch: 10
Summary: QEMU is a generic and open source machine emulator and virtualizer Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -507,6 +507,30 @@ Patch0492: virtio-fix-reachable-assertion-due-to-stale-value-of.patch
Patch0493: hw-nvme-Change-alignment-in-dma-functions-for-nvme_b.patch Patch0493: hw-nvme-Change-alignment-in-dma-functions-for-nvme_b.patch
Patch0494: Fix-smp.cores-value-and-Fix-divide-0-error.patch Patch0494: Fix-smp.cores-value-and-Fix-divide-0-error.patch
Patch0495: Add-lbt-support-for-kvm.patch Patch0495: Add-lbt-support-for-kvm.patch
Patch0496: migration-report-compress-thread-pid-to-libvirt.patch
Patch0497: hw-ppc-Kconfig-MAC_NEWWORLD-should-always-select-USB.patch
Patch0498: virtio-gpu-add-a-FIXME-for-virtio_gpu_load.patch
Patch0499: block-monitor-Fix-crash-when-executing-HMP-commit.patch
Patch0500: vnc-avoid-underflow-when-accessing-user-provided-add.patch
Patch0501: qga-vss-win32-fix-warning-for-clang-15.patch
Patch0502: hw-net-vmxnet3-allow-VMXNET3_MAX_MTU-itself-as-a-val.patch
Patch0503: tests-tcg-fix-unused-variable-in-linux-test.patch
Patch0504: block-iscsi-fix-double-free-on-BUSY-or-similar-statu.patch
Patch0505: vfio-pci-Fix-a-segfault-in-vfio_realize.patch
Patch0506: gitlab-Disable-plugins-for-cross-i386-tci.patch
Patch0507: tcg-Reduce-tcg_assert_listed_vecop-scope.patch
Patch0508: 9pfs-prevent-opening-special-files-CVE-2023-2861.patch
Patch0509: accel-tcg-Optimize-jump-cache-flush-during-tlb-range.patch
Patch0510: hw-net-virtio-net-make-some-VirtIONet-const.patch
Patch0511: Allow-setting-up-to-8-bytes-with-the-generic-loader.patch
Patch0512: accel-tcg-cpu-exec-Fix-precise-single-stepping-after.patch
Patch0513: hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch
Patch0514: host-vdpa-make-notifiers-_init-_uninit-symmetric.patch
Patch0515: hw-pci-bridge-pxb-Fix-missing-swizzle.patch
Patch0516: ide-Increment-BB-in-flight-counter-for-TRIM-BH.patch
Patch0517: qga-win32-Remove-change-action-from-MSI-installer.patch
Patch0518: qga-win32-Use-rundll-for-VSS-installation.patch
Patch0519: test-vmstate-fix-bad-GTree-usage-use-after-free.patch
BuildRequires: flex BuildRequires: flex
BuildRequires: gcc BuildRequires: gcc
@ -1080,6 +1104,34 @@ getent passwd qemu >/dev/null || \
%endif %endif
%changelog %changelog
* Mon Aug 7 2023 <fengjiabo1@huawei.com> - 10:6.2.0-77
- test-vmstate: fix bad GTree usage, use-after-free
* Fri Jul 28 2023 <fengjiabo1@huawei.com> - 10:6.2.0-76
- qga/win32: Use rundll for VSS installation
- qga/win32: Remove change action from MSI installer
- ide: Increment BB in-flight counter for TRIM BH
- hw/pci-bridge/pxb: Fix missing swizzle
- host-vdpa: make notifiers _init()/_uninit() symmetric
- hw/virtio: vdpa: Fix leak of host-notifier memory-region
- accel/tcg/cpu-exec: Fix precise single-stepping after interrupt
- Allow setting up to 8 bytes with the generic loader
- hw/net/virtio-net: make some VirtIONet const
- accel/tcg: Optimize jump cache flush during tlb range flush
- 9pfs: prevent opening special files (CVE-2023-2861)
- tcg: Reduce tcg_assert_listed_vecop() scope
- gitlab: Disable plugins for cross-i386-tci
- vfio/pci: Fix a segfault in vfio_realize
- block/iscsi: fix double-free on BUSY or similar statuses
- tests/tcg: fix unused variable in linux-test
- hw/net/vmxnet3: allow VMXNET3_MAX_MTU itself as a value
- qga/vss-win32: fix warning for clang++-15
- vnc: avoid underflow when accessing user-provided address
- block/monitor: Fix crash when executing HMP commit
- virtio-gpu: add a FIXME for virtio_gpu_load()
- hw/ppc/Kconfig: MAC_NEWWORLD should always select USB_OHCI_PCI
- migration: report compress thread pid to libvirt
* Thu Jun 29 2023 <fengjiabo1@huawei.com> - 10:6.2.0-75 * Thu Jun 29 2023 <fengjiabo1@huawei.com> - 10:6.2.0-75
- Add lbt support for kvm. - Add lbt support for kvm.
- Fix smp.cores value and Fix divide 0 error - Fix smp.cores value and Fix divide 0 error


@ -0,0 +1,47 @@
From b9212c3d72363f67d621dd4e16e507e4a677158e Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Tue, 27 Jun 2023 22:45:24 +0800
Subject: [PATCH] qga/vss-win32: fix warning for clang++-15
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from a3f531cee66b12041098f7a809c2a7d6ecb6ad7d
Reported when compiling with clang-windows-arm64.
../qga/vss-win32/install.cpp:537:9: error: variable 'hr' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized]
if (!(ControlService(service, SERVICE_CONTROL_STOP, NULL))) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../qga/vss-win32/install.cpp:545:12: note: uninitialized use occurs here
return hr;
^~
Signed-off-by: Pierrick Bouvier <pierrick.bouvier@linaro.org>
Fixes: 917ebcb170 ("qga-win: Fix QGA VSS Provider service stop failure")
Reviewed-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Kostiantyn Kostiuk <kostyanf14@live.com>
(cherry picked from commit 0fcd574b025fccdf14d5140687cafe2bc30b634f)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
qga/vss-win32/install.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
index 40de133774..e90a03c1cf 100644
--- a/qga/vss-win32/install.cpp
+++ b/qga/vss-win32/install.cpp
@@ -513,7 +513,7 @@ namespace _com_util
/* Stop QGA VSS provider service using Winsvc API */
STDAPI StopService(void)
{
- HRESULT hr;
+ HRESULT hr = S_OK;
SC_HANDLE manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
SC_HANDLE service = NULL;
--
2.41.0.windows.1
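Review bot: Initialising `hr` to S_OK silences the warning but also changes what StopService reports on any path that reaches `return hr` without an explicit assignment, which is now success rather than an indeterminate value; please confirm that every failure path before the ControlService call (OpenSCManager or OpenService returning NULL) assigns `hr` itself, since those lines lie outside the hunk. If they do, a one-line comment such as `/* S_OK unless a step below fails */` would make the intent explicit to the next reader. The body of StopService continues outside the hunk.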


@ -0,0 +1,35 @@
From 38a72d2fbaf732d0804fefca034c24b2ad068ad1 Mon Sep 17 00:00:00 2001
From: Konstantin Kostiuk <kkostiuk@redhat.com>
Date: Fri, 3 Mar 2023 21:20:07 +0200
Subject: [PATCH] qga/win32: Remove change action from MSI installer
Remove the 'change' button from "Programs and Features" because it does
not checks if a user is an admin or not. The installer has no components
to choose from and always installs everything. So the 'change' button is
not obviously needed but can create a security issue.
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664 (part 1 of 2)
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
Reported-by: Brian Wiltse <brian.wiltse@live.com>
---
qga/installer/qemu-ga.wxs | 1 +
1 file changed, 1 insertion(+)
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
index 0950e8c6be..b62e709a4c 100644
--- a/qga/installer/qemu-ga.wxs
+++ b/qga/installer/qemu-ga.wxs
@@ -58,6 +58,7 @@
/>
<Media Id="1" Cabinet="qemu_ga.$(env.QEMU_GA_VERSION).cab" EmbedCab="yes" />
<Property Id="WHSLogo">1</Property>
+ <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
<MajorUpgrade
DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
/>
--
2.41.0.windows.1
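Review bot: `ARPNOMODIFY` only removes the Change entry from the Programs and Features UI; as far as I can tell it does not stop a local user from entering maintenance mode directly with msiexec against the cached package, so the new property is defence in depth and the privilege problem described in the message is only closed by the companion rundll change (part 2). That should be stated next to the new line, e.g. `<!-- Hide the Change button; maintenance mode is still reachable via msiexec, see the RegisterCom/UnRegisterCom custom actions -->`. `Value="yes"` works because any non-empty value enables the flag, but the Windows Installer documentation uses `Value="1"`; using that form avoids a reader wondering whether "yes" is special.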


@ -0,0 +1,99 @@
From bc472314a51895f67112e3ac35439df63292f101 Mon Sep 17 00:00:00 2001
From: Konstantin Kostiuk <kkostiuk@redhat.com>
Date: Fri, 3 Mar 2023 21:20:08 +0200
Subject: [PATCH] qga/win32: Use rundll for VSS installation
The custom action uses cmd.exe to run VSS Service installation
and removal which causes an interactive command shell to spawn.
This shell can be used to execute any commands as a SYSTEM user.
Even if call qemu-ga.exe directly the interactive command shell
will be spawned as qemu-ga.exe is a console application and used
by users from the console as well as a service.
As VSS Service runs from DLL which contains the installer and
uninstaller code, it can be run directly by rundll32.exe without
any interactive command shell.
Add specific entry points for rundll which is just a wrapper
for COMRegister/COMUnregister functions with proper arguments.
resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664 (part 2 of 2)
Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
Reported-by: Brian Wiltse <brian.wiltse@live.com>
---
qga/installer/qemu-ga.wxs | 10 +++++-----
qga/vss-win32/install.cpp | 9 +++++++++
qga/vss-win32/qga-vss.def | 2 ++
3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
index b62e709a4c..11b66a22e6 100644
--- a/qga/installer/qemu-ga.wxs
+++ b/qga/installer/qemu-ga.wxs
@@ -143,22 +143,22 @@
</Directory>
</Directory>
- <Property Id="cmd" Value="cmd.exe"/>
+ <Property Id="rundll" Value="rundll32.exe"/>
<Property Id="REINSTALLMODE" Value="amus"/>
<?ifdef var.InstallVss?>
<CustomAction Id="RegisterCom"
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
Execute="deferred"
- Property="cmd"
+ Property="rundll"
Impersonate="no"
Return="check"
>
</CustomAction>
<CustomAction Id="UnRegisterCom"
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-uninstall'
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMUnregister'
Execute="deferred"
- Property="cmd"
+ Property="rundll"
Impersonate="no"
Return="check"
>
diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
index e90a03c1cf..8b7400e4e5 100644
--- a/qga/vss-win32/install.cpp
+++ b/qga/vss-win32/install.cpp
@@ -352,6 +352,15 @@ out:
return hr;
}
+STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
+{
+ COMRegister();
+}
+
+STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
+{
+ COMUnregister();
+}
static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
{
diff --git a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def
index 927782c31b..ee97a81427 100644
--- a/qga/vss-win32/qga-vss.def
+++ b/qga/vss-win32/qga-vss.def
@@ -1,6 +1,8 @@
LIBRARY "QGA-PROVIDER.DLL"
EXPORTS
+ DLLCOMRegister
+ DLLCOMUnregister
COMRegister PRIVATE
COMUnregister PRIVATE
DllCanUnloadNow PRIVATE
--
2.41.0.windows.1
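Review bot: The new rundll entry points `DLLCOMRegister` and `DLLCOMUnregister` discard the HRESULT from COMRegister()/COMUnregister(), and because rundll32.exe exits with 0 regardless of what the callee returned, the `Return="check"` on the RegisterCom/UnRegisterCom custom actions can no longer detect a failed VSS provider registration, whereas the previous `qemu-ga.exe -s vss-install` form presumably reported it through the process exit code. Terminating the rundll32 process with a non-zero exit code when the call fails restores that check, as sketched below. Separately, `Value="rundll32.exe"` is an unqualified name executed as SYSTEM with `Impersonate="no"`; spelling it `<Property Id="rundll" Value="[SystemFolder]rundll32.exe"/>` avoids relying on the executable search order, as far as I can tell from the property syntax used elsewhere in this file. COMRegister/COMUnregister are outside the hunk, so whether they already log failures could not be checked here.
```cpp
STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
{
    HRESULT hr = COMRegister();
    if (FAILED(hr)) {
        /* rundll32 itself exits 0; surface the failure to the MSI Return="check" */
        ExitProcess((UINT)hr);
    }
}

STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
{
    HRESULT hr = COMUnregister();
    if (FAILED(hr)) {
        ExitProcess((UINT)hr);
    }
}
```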


@ -0,0 +1,64 @@
From 61af18384a150a2c7d1f54521692a93c0e4ebacc Mon Sep 17 00:00:00 2001
From: tangzhongrui <tangzhongrui@cmss.chinamobile.com>
Date: Sun, 2 Jul 2023 23:37:42 +0800
Subject: [PATCH] tcg: Reduce tcg_assert_listed_vecop() scope
tcg_assert_listed_vecop() is only used in tcg-op-vec.c.
Signed-off-by: Philippe Mathieu-Daud<C3><A9> <philmd@linaro.org>
Message-Id: <20230629091107.74384-1-philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Zhongrui Tang <tangzhongrui_yewu@cmss.chinamobile.com>
---
include/tcg/tcg.h | 6 ------
tcg/tcg-op-vec.c | 6 +++---
2 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
index 42f5b500ed..0ab8e4e735 100644
--- a/include/tcg/tcg.h
+++ b/include/tcg/tcg.h
@@ -1240,12 +1240,6 @@ uint64_t dup_const(unsigned vece, uint64_t c);
: (target_long)dup_const(VECE, C))
#endif
-#ifdef CONFIG_DEBUG_TCG
-void tcg_assert_listed_vecop(TCGOpcode);
-#else
-static inline void tcg_assert_listed_vecop(TCGOpcode op) { }
-#endif
-
static inline const TCGOpcode *tcg_swap_vecop_list(const TCGOpcode *n)
{
#ifdef CONFIG_DEBUG_TCG
diff --git a/tcg/tcg-op-vec.c b/tcg/tcg-op-vec.c
index faf30f9cdd..7c027099c4 100644
--- a/tcg/tcg-op-vec.c
+++ b/tcg/tcg-op-vec.c
@@ -50,9 +50,9 @@ extern TCGv_i32 TCGV_HIGH_link_error(TCGv_i64);
* tcg_ctx->vec_opt_opc is non-NULL, the tcg_gen_*_vec expanders
* will validate that their opcode is present in the list.
*/
-#ifdef CONFIG_DEBUG_TCG
-void tcg_assert_listed_vecop(TCGOpcode op)
+static void tcg_assert_listed_vecop(TCGOpcode op)
{
+#ifdef CONFIG_DEBUG_TCG
const TCGOpcode *p = tcg_ctx->vecop_list;
if (p) {
for (; *p; ++p) {
@@ -62,8 +62,8 @@ void tcg_assert_listed_vecop(TCGOpcode op)
}
g_assert_not_reached();
}
-}
#endif
+}
bool tcg_can_emit_vecop_list(const TCGOpcode *list,
TCGType type, unsigned vece)
--
2.41.0.windows.1


@ -0,0 +1,64 @@
From 974fcc3a97148b1af3bebfaa6a72645837233489 Mon Sep 17 00:00:00 2001
From: Eric Auger <eric.auger@redhat.com>
Date: Tue, 28 Feb 2023 10:29:44 +0100
Subject: [PATCH] test-vmstate: fix bad GTree usage, use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
According to g_tree_foreach() documentation:
"The tree may not be modified while iterating over it (you can't
add/remove items)."
compare_trees()/diff_tree() fail to respect this rule.
Historically GLib2 used a slice allocator for the GTree APIs
which did not immediately release the memory back to the system
allocator. As a result QEMU's use-after-free bug was not visible.
With GLib > 2.75.3 however, GLib2 has switched to using malloc
and now a SIGSEGV can be observed while running test-vmstate.
Get rid of the node removal within the tree traversal. Also
check the trees have the same number of nodes before the actual
diff.
Fixes: 9a85e4b8f6 ("migration: Support gtree migration")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1518
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Richard W.M. Jones <rjones@redhat.com>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
---
tests/unit/test-vmstate.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/tests/unit/test-vmstate.c b/tests/unit/test-vmstate.c
index 4688c03ea7..ac47f0a44b 100644
--- a/tests/unit/test-vmstate.c
+++ b/tests/unit/test-vmstate.c
@@ -1076,7 +1076,6 @@ static gboolean diff_tree(gpointer key, gpointer value, gpointer data)
struct match_node_data d = {tp->tree2, key, value};
g_tree_foreach(tp->tree2, tp->match_node, &d);
- g_tree_remove(tp->tree1, key);
return false;
}
@@ -1085,9 +1084,9 @@ static void compare_trees(GTree *tree1, GTree *tree2,
{
struct tree_cmp_data tp = {tree1, tree2, function};
+ assert(g_tree_nnodes(tree1) == g_tree_nnodes(tree2));
g_tree_foreach(tree1, diff_tree, &tp);
- assert(g_tree_nnodes(tree1) == 0);
- assert(g_tree_nnodes(tree2) == 0);
+ g_tree_destroy(g_tree_ref(tree1));
}
static void diff_domain(TestGTreeDomain *d1, TestGTreeDomain *d2)
--
2.41.0.windows.1
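Review bot: `g_tree_destroy(g_tree_ref(tree1));` needs a comment, because it reads like a pointless ref/unref pair while it actually removes every node and then drops only the extra reference just taken, leaving the GTree object itself alive for the caller; something like `/* Empty tree1 without freeing it: g_tree_destroy() drops all nodes, the extra ref keeps the tree object alive */` would save the next reader a trip to the GLib docs. The removed `assert(g_tree_nnodes(tree2) == 0)` presumably relied on match_node removing matched entries from tree2; if that still happens, the equal-count assertion added before the loop together with each tree1 key finding a partner in tree2 is what now establishes equality, and that reasoning deserves a comment as well. match_node and the callers of compare_trees lie outside the hunk, so this could not be confirmed here.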


@ -0,0 +1,48 @@
From 050aa274447899ecb000aa8d62d95b6c6192fc56 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Wed, 28 Jun 2023 10:08:22 +0800
Subject: [PATCH] tests/tcg: fix unused variable in linux-test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 2bc6c79417b89c3306b724577e775f03fe61fb2e
The latest hexagon compiler picks up that we never consume wcount.
Given the name of the #define that rcount checks against is WCOUNT_MAX
I figured the check just got missed.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-Id: <20221221090411.1995037-5-alex.bennee@linaro.org>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
tests/tcg/multiarch/linux/linux-test.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/tests/tcg/multiarch/linux/linux-test.c b/tests/tcg/multiarch/linux/linux-test.c
index 019d8175ca..78c68540ef 100644
--- a/tests/tcg/multiarch/linux/linux-test.c
+++ b/tests/tcg/multiarch/linux/linux-test.c
@@ -354,13 +354,17 @@ static void test_pipe(void)
if (FD_ISSET(fds[0], &rfds)) {
chk_error(read(fds[0], &ch, 1));
rcount++;
- if (rcount >= WCOUNT_MAX)
+ if (rcount >= WCOUNT_MAX) {
break;
+ }
}
if (FD_ISSET(fds[1], &wfds)) {
ch = 'a';
chk_error(write(fds[1], &ch, 1));
wcount++;
+ if (wcount >= WCOUNT_MAX) {
+ break;
+ }
}
}
}
--
2.41.0.windows.1
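Review bot: Breaking out of the loop on `wcount >= WCOUNT_MAX` changes the test's termination condition rather than merely consuming the variable: the loop can now exit while bytes written to fds[1] are still unread in the pipe, whereas before it ran until rcount reached WCOUNT_MAX. For a self-contained test that is probably harmless, but it deserves either a comment such as `/* stop once either side has done WCOUNT_MAX transfers; leftover bytes are discarded */` or, to keep the original drain-everything behaviour, stopping only the writes once wcount reaches the limit (for instance by no longer adding fds[1] to wfds) and leaving the existing rcount break as the sole loop exit. The select() setup and any final assertion on the counters are outside the hunk, so the exact effect could not be checked here.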


@ -0,0 +1,54 @@
From 22e8d7076800d7c62e41e8c69fc01444cf00d451 Mon Sep 17 00:00:00 2001
From: jipengfei <jipengfei_yewu@cmss.chinamobile.com>
Date: Fri, 30 Jun 2023 21:05:23 +0800
Subject: [PATCH] vfio/pci: Fix a segfault in vfio_realize
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The kvm irqchip notifier is only registered if the device supports
INTx, however it's unconditionally removed in vfio realize error
path. If the assigned device does not support INTx, this will cause
QEMU to crash when vfio realize fails. Change it to conditionally
remove the notifier only if the notify hook is setup.
Before fix:
(qemu) device_add vfio-pci,host=81:11.1,id=vfio1,bus=root1,xres=1
Connection closed by foreign host.
After fix:
(qemu) device_add vfio-pci,host=81:11.1,id=vfio1,bus=root1,xres=1
Error: vfio 0000:81:11.1: xres and yres properties require display=on
(qemu)
Fixes: c5478fea27ac ("vfio/pci: Respond to KVM irqchip change notifier")
cheery-pick from 357bd7932a136613d700ee8bc83e9165f059d1f7
Signed-off-by: jipengfei_yewu <jipengfei_yewu@cmss.chinamobile.com>
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
hw/vfio/pci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index 7b45353ce2..b085389ff8 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -3112,7 +3112,9 @@ static void vfio_realize(PCIDevice *pdev, Error **errp)
out_deregister:
pci_device_set_intx_routing_notifier(&vdev->pdev, NULL);
- kvm_irqchip_remove_change_notifier(&vdev->irqchip_change_notifier);
+ if (vdev->irqchip_change_notifier.notify) {
+ kvm_irqchip_remove_change_notifier(&vdev->irqchip_change_notifier);
+ }
out_teardown:
vfio_teardown_msi(vdev);
vfio_bars_exit(vdev);
--
2.41.0.windows.1
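Review bot: The guard `if (vdev->irqchip_change_notifier.notify)` relies on two facts not visible in the hunk: that the notifier struct is zero-initialised when vdev is created, and that nothing clears `.notify` between registration and this error path; both seem to hold for a QOM-allocated device, but a comment should make the dependency explicit, e.g. `/* Only registered when the device supports INTx, so .notify doubles as the "registered" flag */`. A dedicated `bool` in VFIOPCIDevice set next to the kvm_irqchip_add_change_notifier() call would be a more robust indicator than a callback pointer, though that touches code outside this hunk. vfio_realize begins outside the hunk.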


@ -0,0 +1,37 @@
From 5a69ce95a920377f1c4f0c34c6cb8073dc5dbf8d Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Mon, 26 Jun 2023 14:29:40 +0800
Subject: [PATCH] virtio-gpu: add a FIXME for virtio_gpu_load()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 529969b8d03970bae5feef8c69ebf5e0f521131c
It looks like the virtio_gpu_load() does not compute and set the offset,
the same way virtio_gpu_set_scanout() does. This probably results in
incorrect display until the scanout/framebuffer is updated again, I
guess we should fix it, although I haven't checked this yet.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20230515132518.1025853-1-marcandre.lureau@redhat.com>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
hw/display/virtio-gpu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index c6dc818988..9ccc0575e3 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -1284,6 +1284,7 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque, size_t size,
/* load & apply scanout state */
vmstate_load_state(f, &vmstate_virtio_gpu_scanouts, g, 1);
for (i = 0; i < g->parent_obj.conf.max_outputs; i++) {
+ /* FIXME: should take scanout.r.{x,y} into account */
scanout = &g->parent_obj.scanout[i];
if (!scanout->resource_id) {
continue;
--
2.41.0.windows.1

View File

@ -0,0 +1,41 @@
From 3d6a5be54f59b86db1d9513cff24ca6f7d002400 Mon Sep 17 00:00:00 2001
From: qihao <qihao_yewu@cmss.chinamobile.com>
Date: Tue, 27 Jun 2023 17:39:56 +0800
Subject: [PATCH] vnc: avoid underflow when accessing user-provided address
cheery-pick from bfc532703f3c4f8d2744748c440ca36ce9798ccb
If hostlen is zero, there is a possibility that addrstr[hostlen - 1]
underflows and, if a closing bracked is there, hostlen - 2 is passed
to g_strndup() on the next line. If websocket==false then
addrstr[0] would be a colon, but if websocket==true this could in
principle happen.
Fix it by checking hostlen.
Reported by Coverity.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3f9c41c5df9617510d8533cf6588172efb3df34b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: qihao_yewu <qihao_yewu@cmss.chinamobile.com>
---
ui/vnc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index 91e067ba7c..f4322a9065 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -3761,7 +3761,7 @@ static int vnc_display_get_address(const char *addrstr,
addr->type = SOCKET_ADDRESS_TYPE_INET;
inet = &addr->u.inet;
- if (addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
+ if (hostlen && addrstr[0] == '[' && addrstr[hostlen - 1] == ']') {
inet->host = g_strndup(addrstr + 1, hostlen - 2);
} else {
inet->host = g_strndup(addrstr, hostlen);
--
2.41.0.windows.1
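Review bot: The added `hostlen &&` stops the `addrstr[hostlen - 1]` read for an empty host, but the else branch then passes hostlen 0 to g_strndup() and `inet->host` becomes `""`; whether an empty host is valid here (the message suggests it can happen with websocket) is decided by code outside the hunk, and a comment at the guard would help: `/* hostlen may be 0 (websocket); never index addrstr[-1] */`. If hostlen is a signed type, a negative value is not excluded by this test either, so `hostlen > 0` is the safer spelling. vnc_display_get_address starts outside the hunk.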