Backport upstream bugfix

Signed-off-by: wanborj <wanbo13@huawei.com>
2022-09-30 17:46:17 +08:00 · 2022-09-30 17:46:17 +08:00 · d72c1d27b2
commit d72c1d27b2
parent c4e55971db
7 changed files with 413 additions and 1 deletions
--- a/acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch
+++ b/acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch
@ -0,0 +1,121 @@
 From 6c92ab0387c2af443142a0cc47134389711a14dc Mon Sep 17 00:00:00 2001
 From: Igor Mammedov <imammedo@redhat.com>
 Date: Tue, 1 Mar 2022 10:11:59 -0500
 Subject: [PATCH 5/6] acpi: pcihp: pcie: set power on cap on parent slot
 on creation a PCIDevice has power turned on at the end of pci_qdev_realize()
 however later on if PCIe slot isn't populated with any children
 it's power is turned off. It's fine if native hotplug is used
 as plug callback will power slot on among other things.
 However when ACPI hotplug is enabled it replaces native PCIe plug
 callbacks with ACPI specific ones (acpi_pcihp_device_*plug_cb) and
 as result slot stays powered off. It works fine as ACPI hotplug
 on guest side takes care of enumerating/initializing hotplugged
 device. But when later guest is migrated, call chain introduced by]
 commit d5daff7d312 (pcie: implement slot power control for pcie root ports)
   pcie_cap_slot_post_load()
       -> pcie_cap_update_power()
           -> pcie_set_power_device()
               -> pci_set_power()
                   -> pci_update_mappings()
 will disable earlier initialized BARs for the hotplugged device
 in powered off slot due to commit 23786d13441 (pci: implement power state)
 which disables BARs if power is off.
 Fix it by setting PCI_EXP_SLTCTL_PCC to PCI_EXP_SLTCTL_PWR_ON
 on slot (root port/downstream port) at the time a device
 hotplugged into it. As result PCI_EXP_SLTCTL_PWR_ON is migrated
 to target and above call chain keeps device plugged into it
 powered on.
 Fixes: d5daff7d312 ("pcie: implement slot power control for pcie root ports")
 Fixes: 23786d13441 ("pci: implement power state")
 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2053584
 Suggested-by: "Michael S. Tsirkin" <mst@redhat.com>
 Signed-off-by: Igor Mammedov <imammedo@redhat.com>
 Message-Id: <20220301151200.3507298-3-imammedo@redhat.com>
 Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 Signed-off-by: wanbo <wanbo13@huawei.com>
 ---
 hw/acpi/pcihp.c       | 12 +++++++++++-
 hw/pci/pcie.c         | 11 +++++++++++
 include/hw/pci/pcie.h |  1 +
 3 files changed, 23 insertions(+), 1 deletion(-)
 diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
 index a5e182dd3a..be0e846b34 100644
 --- a/hw/acpi/pcihp.c
 +++ b/hw/acpi/pcihp.c
@@ -32,6 +32,7 @@
 #include "hw/pci/pci_bridge.h"
 #include "hw/pci/pci_host.h"
 #include "hw/pci/pcie_port.h"
 +#include "hw/pci-bridge/xio3130_downstream.h"
 #include "hw/i386/acpi-build.h"
 #include "hw/acpi/acpi.h"
 #include "hw/pci/pci_bus.h"
@@ -341,6 +342,8 @@ void acpi_pcihp_device_plug_cb(HotplugHandler *hotplug_dev, AcpiPciHpState *s,
 {
     PCIDevice *pdev = PCI_DEVICE(dev);
     int slot = PCI_SLOT(pdev->devfn);
 +    PCIDevice *bridge;
 +    PCIBus *bus;
     int bsel;
     /* Don't send event when device is enabled during qemu machine creation:
@@ -370,7 +373,14 @@ void acpi_pcihp_device_plug_cb(HotplugHandler *hotplug_dev, AcpiPciHpState *s,
         return;
     }
 -    bsel = acpi_pcihp_get_bsel(pci_get_bus(pdev));
 +    bus = pci_get_bus(pdev);
 +    bridge = pci_bridge_get_device(bus);
 +    if (object_dynamic_cast(OBJECT(bridge), TYPE_PCIE_ROOT_PORT) ||
 +        object_dynamic_cast(OBJECT(bridge), TYPE_XIO3130_DOWNSTREAM)) {
 +        pcie_cap_slot_enable_power(bridge);
 +    }
 +
 +    bsel = acpi_pcihp_get_bsel(bus);
     g_assert(bsel >= 0);
     s->acpi_pcihp_pci_status[bsel].up |= (1U << slot);
     acpi_send_event(DEVICE(hotplug_dev), ACPI_PCI_HOTPLUG_STATUS);
 diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
 index 30c09ed943..a2d1ae6021 100644
 --- a/hw/pci/pcie.c
 +++ b/hw/pci/pcie.c
@@ -365,6 +365,17 @@ static void hotplug_event_clear(PCIDevice *dev)
     }
 }
 +void pcie_cap_slot_enable_power(PCIDevice *dev)
 +{
 +    uint8_t *exp_cap = dev->config + dev->exp.exp_cap;
 +    uint32_t sltcap = pci_get_long(exp_cap + PCI_EXP_SLTCAP);
 +
 +    if (sltcap & PCI_EXP_SLTCAP_PCP) {
 +        pci_set_word_by_mask(exp_cap + PCI_EXP_SLTCTL,
 +                             PCI_EXP_SLTCTL_PCC, PCI_EXP_SLTCTL_PWR_ON);
 +    }
 +}
 +
 static void pcie_set_power_device(PCIBus *bus, PCIDevice *dev, void *opaque)
 {
     bool *power = opaque;
 diff --git a/include/hw/pci/pcie.h b/include/hw/pci/pcie.h
 index 6063bee0ec..c27368d077 100644
 --- a/include/hw/pci/pcie.h
 +++ b/include/hw/pci/pcie.h
@@ -112,6 +112,7 @@ void pcie_cap_slot_write_config(PCIDevice *dev,
                                 uint32_t addr, uint32_t val, int len);
 int pcie_cap_slot_post_load(void *opaque, int version_id);
 void pcie_cap_slot_push_attention_button(PCIDevice *dev);
 +void pcie_cap_slot_enable_power(PCIDevice *dev);
 void pcie_cap_root_init(PCIDevice *dev);
 void pcie_cap_root_reset(PCIDevice *dev);
 -- 
 2.27.0
--- a/hw-display-ati_2d-Fix-buffer-overflow-in-ati_2d_blt-.patch
+++ b/hw-display-ati_2d-Fix-buffer-overflow-in-ati_2d_blt-.patch
@ -0,0 +1,83 @@
 From d1d13b1f86a5ac0520dc7369873d6478b583af04 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
 Date: Mon, 6 Sep 2021 17:31:03 +0200
 Subject: [PATCH 6/6] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt
 (CVE-2021-3638)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 When building QEMU with DEBUG_ATI defined then running with
 '-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
 we get:
  ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
  ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
  ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
  ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
  ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
  ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
  ati_mm_write 4 0x1420 DST_Y <- 0x3fff
  ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
  ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
  ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff
  ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
  ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000)
  Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
  (gdb) bt
  #0  0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
  #1  0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
  #2  0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196
  #3  0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843
  #4  0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492
 Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
 the local dst_x and dst_y which adjust the (x, y) coordinates
 depending on the direction in the SRCCOPY ROP3 operation, but
 forgot to address the same issue for the PATCOPY, BLACKNESS and
 WHITENESS operations, which also call pixman_fill().
 Fix that now by using the adjusted coordinates in the pixman_fill
 call, and update the related debug printf().
 Reported-by: Qiang Liu <qiangliu@zju.edu.cn>
 Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Tested-by: Mauro Matteo Cascella <mcascell@redhat.com>
 Message-Id: <20210906153103.1661195-1-philmd@redhat.com>
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 Signed-off-by: wanbo <wanbo13@huawei.com>
 ---
 hw/display/ati_2d.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
 index 4dc10ea795..692bec91de 100644
 --- a/hw/display/ati_2d.c
 +++ b/hw/display/ati_2d.c
@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
     DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
             s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
             s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
 -            s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
 +            s->regs.src_x, s->regs.src_y, dst_x, dst_y,
             s->regs.dst_width, s->regs.dst_height,
             (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
             (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
         dst_stride /= sizeof(uint32_t);
         DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
                 dst_bits, dst_stride, bpp,
 -                s->regs.dst_x, s->regs.dst_y,
 +                dst_x, dst_y,
                 s->regs.dst_width, s->regs.dst_height,
                 filler);
         pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
 -                    s->regs.dst_x, s->regs.dst_y,
 +                    dst_x, dst_y,
                     s->regs.dst_width, s->regs.dst_height,
                     filler);
         if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
 -- 
 2.27.0
--- a/job.c-add-missing-notifier-initialization.patch
+++ b/job.c-add-missing-notifier-initialization.patch
@ -0,0 +1,37 @@
 From d8962af271345ae4d7880219a62abed76a0268e0 Mon Sep 17 00:00:00 2001
 From: Emanuele Giuseppe Esposito <eesposit@redhat.com>
 Date: Wed, 3 Nov 2021 12:21:55 -0400
 Subject: [PATCH 1/6] job.c: add missing notifier initialization
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 It seems that on_idle list is not properly initialized like
 the other notifiers.
 Fixes: 34dc97b9a0e ("blockjob: Wake up BDS when job becomes idle")
 Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
 Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
 Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
 Signed-off-by: wanbo <wanbo13@huawei.com>
 ---
 job.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/job.c b/job.c
 index dbfa67bb0a..54db80df66 100644
 --- a/job.c
 +++ b/job.c
@@ -352,6 +352,7 @@ void *job_create(const char *job_id, const JobDriver *driver, JobTxn *txn,
     notifier_list_init(&job->on_finalize_completed);
     notifier_list_init(&job->on_pending);
     notifier_list_init(&job->on_ready);
 +    notifier_list_init(&job->on_idle);
     job_state_transition(job, JOB_STATUS_CREATED);
     aio_timer_init(qemu_get_aio_context(), &job->sleep_timer,
 -- 
 2.27.0
--- a/pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch
+++ b/pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch
@ -0,0 +1,64 @@
 From e88d2f15443811e40c4e1ba8299c12b35b75cb1e Mon Sep 17 00:00:00 2001
 From: Igor Mammedov <imammedo@redhat.com>
 Date: Tue, 1 Mar 2022 10:11:58 -0500
 Subject: [PATCH 4/6] pci: expose TYPE_XIO3130_DOWNSTREAM name
 Type name will be used in followup patch for cast check
 in pcihp code.
 Signed-off-by: Igor Mammedov <imammedo@redhat.com>
 Message-Id: <20220301151200.3507298-2-imammedo@redhat.com>
 Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 Signed-off-by: wanbo <wanbo13@huawei.com>
 ---
 hw/pci-bridge/xio3130_downstream.c         |  3 ++-
 include/hw/pci-bridge/xio3130_downstream.h | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 include/hw/pci-bridge/xio3130_downstream.h
 diff --git a/hw/pci-bridge/xio3130_downstream.c b/hw/pci-bridge/xio3130_downstream.c
 index 04aae72cd6..b17cafd359 100644
 --- a/hw/pci-bridge/xio3130_downstream.c
 +++ b/hw/pci-bridge/xio3130_downstream.c
@@ -28,6 +28,7 @@
 #include "migration/vmstate.h"
 #include "qapi/error.h"
 #include "qemu/module.h"
 +#include "hw/pci-bridge/xio3130_downstream.h"
 #define PCI_DEVICE_ID_TI_XIO3130D       0x8233  /* downstream port */
 #define XIO3130_REVISION                0x1
@@ -173,7 +174,7 @@ static void xio3130_downstream_class_init(ObjectClass *klass, void *data)
 }
 static const TypeInfo xio3130_downstream_info = {
 -    .name          = "xio3130-downstream",
 +    .name          = TYPE_XIO3130_DOWNSTREAM,
     .parent        = TYPE_PCIE_SLOT,
     .class_init    = xio3130_downstream_class_init,
     .interfaces = (InterfaceInfo[]) {
 diff --git a/include/hw/pci-bridge/xio3130_downstream.h b/include/hw/pci-bridge/xio3130_downstream.h
 new file mode 100644
 index 0000000000..1d10139aea
 --- /dev/null
 +++ b/include/hw/pci-bridge/xio3130_downstream.h
@@ -0,0 +1,15 @@
 +/*
 + * TI X3130 pci express downstream port switch
 + *
 + * Copyright (C) 2022 Igor Mammedov <imammedo@redhat.com>
 + *
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + */
 +
 +#ifndef HW_PCI_BRIDGE_XIO3130_DOWNSTREAM_H
 +#define HW_PCI_BRIDGE_XIO3130_DOWNSTREAM_H
 +
 +#define TYPE_XIO3130_DOWNSTREAM "xio3130-downstream"
 +
 +#endif
 +
 -- 
 2.27.0
--- a/qemu.spec
+++ b/qemu.spec
@ -1,6 +1,6 @@
 Name: qemu
 Version: 6.2.0
-Release: 51
+Release: 52
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -310,6 +310,12 @@ Patch0297: hw-elf_ops-clear-uninitialized-segment-space.patch
 Patch0298: vhost-also-check-queue-state-in-the-vhost_dev_set_lo.patch
 Patch0299: vhost-net-fix-improper-cleanup-in-vhost_net_start.patch
 Patch0300: virtio-net-setup-vhost_dev-and-notifiers-for-cvq-onl.patch
 Patch0301: job.c-add-missing-notifier-initialization.patch
 Patch0302: uas-add-missing-return.patch
 Patch0303: qom-assert-integer-does-not-overflow.patch
 Patch0304: pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch
 Patch0305: acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch
 Patch0306: hw-display-ati_2d-Fix-buffer-overflow-in-ati_2d_blt-.patch
 BuildRequires: flex
 BuildRequires: gcc
@ -822,6 +828,14 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
 * Fri Sep 30 2022 wanbo <wanbo13@huawei.com> - 10:6.2.0-52
 - job.c: add missing notifier initialization
 - uas: add missing return
 - qom: assert integer does not overflow
 - pci: expose TYPE_XI03130_DOWNSTREAM name
 - acpi: pcihp: pcie: set power on cap on parent slot
 - hw/display/ati_2d: Fix buffer overflow in ati_2d_blt
 * Fri Sep 30 2022 zhangxinhao <zhangxinhao1@huawei.com> - 10:6.2.0-51
 - exec/memory: Extract address_space_set() from dma_memory_set()
 - hw/elf_ops: clear uninitialized segment space
--- a/qom-assert-integer-does-not-overflow.patch
+++ b/qom-assert-integer-does-not-overflow.patch
@ -0,0 +1,58 @@
 From 7d94ca45a9c0ef8a4f1917f41496a826ecda90fb Mon Sep 17 00:00:00 2001
 From: "Michael S. Tsirkin" <mst@redhat.com>
 Date: Fri, 25 Feb 2022 08:40:27 -0500
 Subject: [PATCH 3/6] qom: assert integer does not overflow
 QOM reference counting is not designed with an infinite amount of
 references in mind, trying to take a reference in a loop without
 dropping a reference will overflow the integer.
 It is generally a symptom of a reference leak (a missing deref, commonly
 as part of error handling - such as one fixed here:
 https://lore.kernel.org/r/20220228095058.27899-1-sgarzare%40redhat.com ).
 All this can lead to either freeing the object too early (memory
 corruption) or never freeing it (memory leak).
 If we happen to dereference at just the right time (when it's wrapping
 around to 0), we might eventually assert when dereferencing, but the
 real problem is an extra object_ref so let's assert there to make such
 issues cleaner and easier to debug.
 Some micro-benchmarking shows using fetch and add this is essentially
 free on x86.
 Since multiple threads could be incrementing in parallel, we assert
 around INT_MAX to make sure none of these approach the wrap around
 point: this way we get a memory leak and not a memory corruption, the
 former is generally easier to debug.
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 Signed-off-by: wanbo <wanbo13@huawei.com>
 ---
 qom/object.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/qom/object.c b/qom/object.c
 index 4f0677cca9..5db3974f04 100644
 --- a/qom/object.c
 +++ b/qom/object.c
@@ -1167,10 +1167,14 @@ GSList *object_class_get_list_sorted(const char *implements_type,
 Object *object_ref(void *objptr)
 {
     Object *obj = OBJECT(objptr);
 +    uint32_t ref;
 +
     if (!obj) {
         return NULL;
     }
 -    qatomic_inc(&obj->ref);
 +    ref = qatomic_fetch_inc(&obj->ref);
 +    /* Assert waaay before the integer overflows */
 +    g_assert(ref < INT_MAX);
     return obj;
 }
 -- 
 2.27.0
--- a/uas-add-missing-return.patch
+++ b/uas-add-missing-return.patch
@ -0,0 +1,35 @@
 From da75066823387c4f24b55e21ee6c856ffa537174 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann <kraxel@redhat.com>
 Date: Fri, 10 Dec 2021 09:06:59 +0100
 Subject: [PATCH 2/6] uas: add missing return
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Otherwise we run the error handling code even for successful requests.
 Fixes: 13b250b12ad3 ("uas: add stream number sanity checks.")
 Reported-by: Guenter Roeck <linux@roeck-us.net>
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-Id: <20211210080659.2537084-1-kraxel@redhat.com>
 Signed-off-by: wanbo <wanbo13@huawei.com>
 ---
 hw/usb/dev-uas.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
 index 599d6b52a0..c9f295e7e4 100644
 --- a/hw/usb/dev-uas.c
 +++ b/hw/usb/dev-uas.c
@@ -908,6 +908,7 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
         p->status = USB_RET_STALL;
         break;
     }
 +    return;
 err_stream:
     error_report("%s: invalid stream %d", __func__, p->stream);
 -- 
 2.27.0