diff --git a/.gitignore b/.gitignore
index a1ef968..39dc421 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ SOURCES/rhel6-ne2k_pci.rom
 SOURCES/rhel6-pcnet.rom
 SOURCES/rhel6-rtl8139.rom
 SOURCES/rhel6-virtio.rom
+SOURCES/sample_images.tar
diff --git a/.qemu-kvm.metadata b/.qemu-kvm.metadata
index 0722292..791976e 100644
--- a/.qemu-kvm.metadata
+++ b/.qemu-kvm.metadata
@@ -5,3 +5,4 @@ faac4c56f0ef593721edc66af965bac63760965b SOURCES/rhel6-ne2k_pci.rom
 f5ddbc9701698bc4adc5e98c63ad438c3b8e8510 SOURCES/rhel6-pcnet.rom
 ca79836ccce0ffbf25aac4687a3aa64bf281a3c1 SOURCES/rhel6-rtl8139.rom
 82eda3fb78a792745e46bcbbea8290cc444ae6bf SOURCES/rhel6-virtio.rom
+598e252c89da31924fbd9a6734fd15e4e97b67d8 SOURCES/sample_images.tar
diff --git a/SOURCES/kvm-Do-not-hang-on-full-PTY.patch b/SOURCES/kvm-Do-not-hang-on-full-PTY.patch
new file mode 100644
index 0000000..d7b9524
--- /dev/null
+++ b/SOURCES/kvm-Do-not-hang-on-full-PTY.patch
@@ -0,0 +1,40 @@
+From 40f55392d0bbe867547e5705c2be21d65924b024 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Fri, 9 Jun 2017 11:43:57 +0200
+Subject: [PATCH 2/6] Do not hang on full PTY
+
+RH-Author: Paolo Bonzini
+Message-id: <20170609114359.13036-2-pbonzini@redhat.com>
+Patchwork-id: 75565
+O-Subject: [RHEL7.4 qemu-kvm PATCH v2 1/3] Do not hang on full PTY
+Bugzilla: 1452067
+RH-Acked-by: David Hildenbrand
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: Laszlo Ersek
+
+From: Don Slutz
+
+Signed-off-by: Don Slutz
+Reviewed-by: Paolo Bonzini
+Signed-off-by: Michael Tokarev
+(cherry picked from commit fac6688a18574b6f2caa8c699a936e729ed53ece)
+Signed-off-by: Miroslav Rezanina
+---
+ qemu-char.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/qemu-char.c b/qemu-char.c
+index 5edca0a..08b2301 100644
+--- a/qemu-char.c
++++ b/qemu-char.c
+@@ -1182,6 +1182,7 @@ static CharDriverState *qemu_chr_open_pty(const char *id,
+ }
+
+ close(slave_fd);
++ qemu_set_nonblock(master_fd);
+
+ chr = g_malloc0(sizeof(CharDriverState));
+
+--
+1.8.3.1
+
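Review bot: The `qemu_set_nonblock(master_fd);` call added to qemu_chr_open_pty (in kvm-Do-not-hang-on-full-PTY.patch) carries no comment, and the commit message has no body, so nothing records why the master side must not block. Once the descriptor is non-blocking, every write path to `master_fd` has to cope with EAGAIN and short writes, otherwise guest console output can be lost without notice when the PTY reader stalls; those write paths are outside this hunk and should be checked. I would add `/* non-blocking: a stalled PTY reader must not block the main loop */` above the call. The function starts and ends outside the hunk.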
diff --git a/SOURCES/kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch b/SOURCES/kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch
new file mode 100644
index 0000000..eebc4cb
--- /dev/null
+++ b/SOURCES/kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch
@@ -0,0 +1,61 @@
+From be6123e0eadd895a9fa47005df38c4dce655236c Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Tue, 6 Jun 2017 17:08:19 +0200
+Subject: [PATCH 1/6] kvm: Fix memory slot page alignment logic (bug#1455745)
+
+RH-Author: Paolo Bonzini
+Message-id: <20170606170819.18875-1-pbonzini@redhat.com>
+Patchwork-id: 75507
+O-Subject: [RHEL7.4 qemu-kvm PATCH] kvm: Fix memory slot page alignment logic (bug#1455745)
+Bugzilla: 1455745
+RH-Acked-by: Alex Williamson
+RH-Acked-by: Marcel Apfelbaum
+RH-Acked-by: Laszlo Ersek
+
+From: Alexander Graf
+
+Brew build: 13356300
+
+Memory slots have to be page aligned to get entered into KVM. There
+is existing logic that tries to ensure that we pad memory slots that
+are not page aligned to the biggest region that would still fit in the
+alignment requirements.
+
+Unfortunately, that logic is broken. It tries to calculate the start
+offset based on the region size.
+
+Fix up the logic to do the thing it was intended to do and document it
+properly in the comment above it.
+
+With this patch applied, I can successfully run an e500 guest with more
+than 3GB RAM (at which point RAM starts overlapping subpage memory regions).
+[Paolo: in RHEL's case, the issue was reported with assigned devices]
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Alexander Graf
+(cherry picked from commit f2a64032a14c642d0ddc9a7a846fc3d737deede5)
+Signed-off-by: Miroslav Rezanina
+---
+ kvm-all.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kvm-all.c b/kvm-all.c
+index fc6e3ab..9486b9a 100644
+--- a/kvm-all.c
++++ b/kvm-all.c
+@@ -621,8 +621,10 @@ static void kvm_set_phys_mem(MemoryRegionSection *section, bool add)
+ unsigned delta;
+
+ /* kvm works in page size chunks, but the function may be called
+- with sub-page size and unaligned start address. */
+- delta = TARGET_PAGE_ALIGN(size) - size;
++ with sub-page size and unaligned start address. Pad the start
++ address to next and truncate size to previous page boundary. */
++ delta = (TARGET_PAGE_SIZE - (start_addr & ~TARGET_PAGE_MASK));
++ delta &= ~TARGET_PAGE_MASK;
+ if (delta > size) {
+ return;
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch b/SOURCES/kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch
new file mode 100644
index 0000000..2c9f803
--- /dev/null
+++ b/SOURCES/kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch
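Review bot: In kvm_set_phys_mem (the kvm-all.c hunk inside kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch) the first new assignment yields a full TARGET_PAGE_SIZE for an already aligned `start_addr`, and only the following `delta &= ~TARGET_PAGE_MASK;` folds that back to 0; the updated comment does not say so. Because a wrong `delta` shifts where the slot is registered, I would spell the aligned case out next to the mask: `/* start_addr already aligned: the mask turns TARGET_PAGE_SIZE back into 0 */`. The comment also promises that size is truncated to the previous page boundary, but that step is not in the visible lines and the function continues outside the hunk, so it should be confirmed there.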
@@ -0,0 +1,71 @@
+From cb8c7690048946dd298371876093997f07785269 Mon Sep 17 00:00:00 2001
+From: Markus Armbruster
+Date: Tue, 7 Feb 2017 14:56:10 +0100
+Subject: [PATCH 11/11] HMP: Fix documentation of __com.redhat.drive_add
+
+RH-Author: Markus Armbruster
+Message-id: <1486479370-24026-3-git-send-email-armbru@redhat.com>
+Patchwork-id: 73592
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/2] HMP: Fix documentation of __com.redhat.drive_add
+Bugzilla: 1419898
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Fam Zheng
+RH-Acked-by: Laurent Vivier
+
+It's similar to -drive if=none, not -device if=none. Screwed up in
+RHEL-6.0 commit 545d0d8, forward-ported to RHEL-7.0 in commit c18bb50.
+
+Signed-off-by: Markus Armbruster
+Signed-off-by: Miroslav Rezanina
+---
+ hmp-commands.hx | 4 ++--
+ qmp-commands.hx | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hmp-commands.hx b/hmp-commands.hx
+index a8ba626..5356c4c 100644
+--- a/hmp-commands.hx
++++ b/hmp-commands.hx
+@@ -1105,7 +1105,7 @@ ETEXI
+ .name = RFQDN_REDHAT "drive_add",
+ .args_type = "simple-drive:O",
+ .params = "id=name,[file=file][,format=f][,media=d]...",
+- .help = "Create a drive similar to -device if=none.",
++ .help = "Create a drive similar to -drive if=none.",
+ .user_print = monitor_user_noop,
+ .mhandler.cmd_new = simple_drive_add,
+ },
+@@ -1113,7 +1113,7 @@ ETEXI
+ STEXI
+ @item __com.redhat_drive_add
+ @findex __com.redhat_drive_add
+-Create a drive similar to -device if=none.
++Create a drive similar to -drive if=none.
+ ETEXI
+
+ #if defined(TARGET_I386) && 0 /* Disabled for Red Hat Enterprise Linux */
+diff --git a/qmp-commands.hx b/qmp-commands.hx
+index 9522c44..4a89c24 100644
+--- a/qmp-commands.hx
++++ b/qmp-commands.hx
+@@ -110,7 +110,7 @@ EQMP
+ .name = RFQDN_REDHAT "drive_add",
+ .args_type = "simple-drive:O",
+ .params = "id=name,[file=file][,format=f][,media=d]...",
+- .help = "Create a drive similar to -device if=none.",
++ .help = "Create a drive similar to -drive if=none.",
+ .user_print = monitor_user_noop,
+ .mhandler.cmd_new = simple_drive_add,
+ },
+@@ -119,7 +119,7 @@ SQMP
+ __com.redhat_drive_add
+ ----------------------
+
+-Create a drive similar to -device if=none.
++Create a drive similar to -drive if=none.
+
+ Arguments:
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch b/SOURCES/kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch
new file mode 100644
index 0000000..731c48a
--- /dev/null
+++ b/SOURCES/kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch
@@ -0,0 +1,42 @@
+From ae12e1158b6a27d94070f95f36879ce2f0da604c Mon Sep 17 00:00:00 2001
+From: Markus Armbruster
+Date: Tue, 7 Feb 2017 14:56:09 +0100
+Subject: [PATCH 10/11] HMP: Fix user manual typo of
+ __com.redhat_qxl_screendump
+
+RH-Author: Markus Armbruster
+Message-id: <1486479370-24026-2-git-send-email-armbru@redhat.com>
+Patchwork-id: 73590
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/2] HMP: Fix user manual typo of __com.redhat_qxl_screendump
+Bugzilla: 1419898
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Fam Zheng
+RH-Acked-by: Laurent Vivier
+
+Fat-fingered in RHEL-6.2 commit 1c6074d, forward ported to RHEL-7.0 in
+commit faf00a8.
+
+Signed-off-by: Markus Armbruster
+Signed-off-by: Miroslav Rezanina
+---
+ hmp-commands.hx | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hmp-commands.hx b/hmp-commands.hx
+index dd528d2..a8ba626 100644
+--- a/hmp-commands.hx
++++ b/hmp-commands.hx
+@@ -264,8 +264,8 @@ ETEXI
+ },
+
+ STEXI
+-@item __com.redhat_screendump @var{id} @var{filename}
+-@findex __com.redhat_screendump
++@item __com.redhat_qxl_screendump @var{id} @var{filename}
++@findex __com.redhat_qxl_screendump
+ Save screen from qxl device @var{id} into PPM image @var{filename}.
+ ETEXI
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch b/SOURCES/kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
index 286031e..28dfa96 100644
--- a/SOURCES/kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
+++ b/SOURCES/kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
@@ -1,4 +1,4 @@
-From 1cd1297bf694c0a91d75a87b4fd22c2b80807b49 Mon Sep 17 00:00:00 2001
+From abfd9c2acaf70c60ec70807ba4d021ade69c7b79 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann
 Date: Fri, 10 Feb 2017 08:30:14 +0100
 Subject: [PATCH 2/3] Revert "cirrus: allow zero source pitch in pattern fill
@@ -8,7 +8,7 @@ RH-Author: Gerd Hoffmann
 Message-id: <1486715415-3462-3-git-send-email-kraxel@redhat.com>
 Patchwork-id: 73774
 O-Subject: [virt-devel] [RHEL-7.4 qemu-kvm PATCH 2/3] Revert "cirrus: allow zero source pitch in pattern fill rops"
-Bugzilla: 1420490
+Bugzilla: 1420492
 CVE: CVE-2017-2620/20170221
 RH-Acked-by: Paolo Bonzini
 RH-Acked-by: Dr. David Alan Gilbert
diff --git a/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch b/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
index 9540f26..b73ee3a 100644
--- a/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
+++ b/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
@@ -1,4 +1,4 @@
-From 75255574498fad12727529c4ecbd4ccdabe86839 Mon Sep 17 00:00:00 2001
+From 1f177df6a47fb1e2961067a50e005efad52595cc Mon Sep 17 00:00:00 2001
 From: Ladi Prosek
 Date: Wed, 5 Oct 2016 17:22:26 +0200
 Subject: [PATCH 4/8] balloon: fix segfault and harden the stats queue
@@ -7,7 +7,7 @@ RH-Author: Ladi Prosek
 Message-id: <1475666548-9186-5-git-send-email-lprosek@redhat.com>
 Patchwork-id: 72483
 O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 4/6] balloon: fix segfault and harden the stats queue
-Bugzilla: 1393484
+Bugzilla: 1377968
 RH-Acked-by: Paolo Bonzini
 RH-Acked-by: Michael S. Tsirkin
 RH-Acked-by: Stefan Hajnoczi
diff --git a/SOURCES/kvm-blkdebug-Add-bdrv_truncate.patch b/SOURCES/kvm-blkdebug-Add-bdrv_truncate.patch
new file mode 100644
index 0000000..ac3ea21
--- /dev/null
+++ b/SOURCES/kvm-blkdebug-Add-bdrv_truncate.patch
@@ -0,0 +1,63 @@
+From 6c316a417a80fcf892935c51eb01c0e273561b32 Mon Sep 17 00:00:00 2001
+From: Max Reitz
+Date: Mon, 13 Mar 2017 17:47:04 +0100
+Subject: [PATCH 16/24] blkdebug: Add bdrv_truncate()
+
+RH-Author: Max Reitz
+Message-id: <20170313174706.29316-1-mreitz@redhat.com>
+Patchwork-id: 74278
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 7/9] blkdebug: Add bdrv_truncate()
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Kevin Wolf
+
+From: Kevin Wolf
+
+This is, amongst others, required for qemu-iotests 033 to run as
+intended on VHDX, which uses explicit bdrv_truncate() calls to bs->file
+when allocating new blocks.
+
+Signed-off-by: Kevin Wolf
+Reviewed-by: Jeff Cody
+(cherry picked from commit 8eedfbd4a50299f03b3630659c34ad1b01f69370)
+Signed-off-by: Miroslav Rezanina
+
+Conflicts:
+ block/blkdebug.c
+
+Contextual conflict due to blkdebug_refresh_filename() missing from
+downstream.
+
+Signed-off-by: Max Reitz
+---
+ block/blkdebug.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/block/blkdebug.c b/block/blkdebug.c
+index 8e468b2..7cfeccb 100644
+--- a/block/blkdebug.c
++++ b/block/blkdebug.c
+@@ -652,6 +652,11 @@ static int64_t blkdebug_getlength(BlockDriverState *bs)
+ return bdrv_getlength(bs->file);
+ }
+
++static int blkdebug_truncate(BlockDriverState *bs, int64_t offset)
++{
++ return bdrv_truncate(bs->file, offset);
++}
++
+ static BlockDriver bdrv_blkdebug = {
+ .format_name = "blkdebug",
+ .protocol_name = "blkdebug",
+@@ -661,6 +666,7 @@ static BlockDriver bdrv_blkdebug = {
+ .bdrv_file_open = blkdebug_open,
+ .bdrv_close = blkdebug_close,
+ .bdrv_getlength = blkdebug_getlength,
++ .bdrv_truncate = blkdebug_truncate,
+
+ .bdrv_aio_readv = blkdebug_aio_readv,
+ .bdrv_aio_writev = blkdebug_aio_writev,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-block-gluster-add-support-for-selecting-debug-loggin.patch b/SOURCES/kvm-block-gluster-add-support-for-selecting-debug-loggin.patch
new file mode 100644
index 0000000..031de1a
--- /dev/null
+++ b/SOURCES/kvm-block-gluster-add-support-for-selecting-debug-loggin.patch
@@ -0,0 +1,202 @@
+From 2ffc3b31eafe39cc11678ef0e0ea39cdfef0469d Mon Sep 17 00:00:00 2001
+From: Jeffrey Cody
+Date: Tue, 17 Jan 2017 19:51:32 +0100
+Subject: [PATCH 3/3] block/gluster: add support for selecting debug logging
+ level
+
+RH-Author: Jeffrey Cody
+Message-id: <87a60937c8dfa4bee63e59871811dbda7794e818.1484682588.git.jcody@redhat.com>
+Patchwork-id: 73255
+O-Subject: [RHEL-7.4 qemu-kvm 3/3] block/gluster: add support for selecting debug logging level
+Bugzilla: 1151859
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Fam Zheng
+RH-Acked-by: Thomas Huth
+
+This adds commandline support for the logging level of the
+gluster protocol driver, output to stdout. The option is 'debug',
+e.g.:
+
+-drive filename=gluster://192.168.15.180/gv2/test.qcow2,debug=9
+
+Debug levels are 0-9, with 9 being the most verbose, and 0 representing
+no debugging output. The default is the same as it was before, which
+is a level of 4. The current logging levels defined in the gluster
+source are:
+
+ 0 - None
+ 1 - Emergency
+ 2 - Alert
+ 3 - Critical
+ 4 - Error
+ 5 - Warning
+ 6 - Notice
+ 7 - Info
+ 8 - Debug
+ 9 - Trace
+
+(From: glusterfs/logging.h)
+
+Reviewed-by: Niels de Vos
+Signed-off-by: Jeff Cody
+(cherry picked from commit 7eac868a508cdbf4cccef5c2084941b63fa3aded)
+Signed-off-by: Miroslav Rezanina
+---
+ block/gluster.c | 61 +++++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 48 insertions(+), 13 deletions(-)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index 5266dce..86e136d 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -35,6 +35,7 @@ typedef struct BDRVGlusterState {
+ int qemu_aio_count;
+ int event_reader_pos;
+ GlusterAIOCB *event_acb;
++ int debug_level;
+ } BDRVGlusterState;
+
+ #define GLUSTER_FD_READ 0
+@@ -46,6 +47,7 @@ typedef struct GlusterConf {
+ char *volname;
+ char *image;
+ char *transport;
++ int debug_level;
+ } GlusterConf;
+
+ static void qemu_gluster_gconf_free(GlusterConf *gconf)
+@@ -208,11 +210,7 @@ static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename,
+ goto out;
+ }
+
+- /*
+- * TODO: Use GF_LOG_ERROR instead of hard code value of 4 here when
+- * GlusterFS makes GF_LOG_* macros available to libgfapi users.
+- */
+- ret = glfs_set_logging(glfs, "-", 4);
++ ret = glfs_set_logging(glfs, "-", gconf->debug_level);
+ if (ret < 0) {
+ goto out;
+ }
+@@ -292,16 +290,26 @@ static int qemu_gluster_aio_flush_cb(void *opaque)
+ return (s->qemu_aio_count > 0);
+ }
+
++#define GLUSTER_OPT_FILENAME "filename"
++#define GLUSTER_OPT_DEBUG "debug"
++#define GLUSTER_DEBUG_DEFAULT 4
++#define GLUSTER_DEBUG_MAX 9
++
+ /* TODO Convert to fine grained options */
+ static QemuOptsList runtime_opts = {
+ .name = "gluster",
+ .head = QTAILQ_HEAD_INITIALIZER(runtime_opts.head),
+ .desc = {
+ {
+- .name = "filename",
++ .name = GLUSTER_OPT_FILENAME,
+ .type = QEMU_OPT_STRING,
+ .help = "URL to the gluster image",
+ },
++ {
++ .name = GLUSTER_OPT_DEBUG,
++ .type = QEMU_OPT_NUMBER,
++ .help = "Gluster log level, valid range is 0-9",
++ },
+ { /* end of list */ }
+ },
+ };
+@@ -342,8 +350,17 @@ static int qemu_gluster_open(BlockDriverState *bs, QDict *options,
+ goto out;
+ }
+
+- filename = qemu_opt_get(opts, "filename");
++ filename = qemu_opt_get(opts, GLUSTER_OPT_FILENAME);
+
++ s->debug_level = qemu_opt_get_number(opts, GLUSTER_OPT_DEBUG,
++ GLUSTER_DEBUG_DEFAULT);
++ if (s->debug_level < 0) {
++ s->debug_level = 0;
++ } else if (s->debug_level > GLUSTER_DEBUG_MAX) {
++ s->debug_level = GLUSTER_DEBUG_MAX;
++ }
++
++ gconf->debug_level = s->debug_level;
+ s->glfs = qemu_gluster_init(gconf, filename, errp);
+ if (!s->glfs) {
+ ret = -errno;
+@@ -398,6 +415,7 @@ static int qemu_gluster_reopen_prepare(BDRVReopenState *state,
+ BlockReopenQueue *queue, Error **errp)
+ {
+ int ret = 0;
++ BDRVGlusterState *s;
+ BDRVGlusterReopenState *reop_s;
+ GlusterConf *gconf = NULL;
+ int open_flags = 0;
+@@ -405,6 +423,8 @@ static int qemu_gluster_reopen_prepare(BDRVReopenState *state,
+ assert(state != NULL);
+ assert(state->bs != NULL);
+
++ s = state->bs->opaque;
++
+ state->opaque = g_malloc0(sizeof(BDRVGlusterReopenState));
+ reop_s = state->opaque;
+
+@@ -412,6 +432,7 @@ static int qemu_gluster_reopen_prepare(BDRVReopenState *state,
+
+ gconf = g_malloc0(sizeof(GlusterConf));
+
++ gconf->debug_level = s->debug_level;
+ reop_s->glfs = qemu_gluster_init(gconf, state->bs->filename, errp);
+ if (reop_s->glfs == NULL) {
+ ret = -errno;
+@@ -487,19 +508,28 @@ static int qemu_gluster_create(const char *filename,
+ int64_t total_size = 0;
+ GlusterConf *gconf = g_malloc0(sizeof(GlusterConf));
+
+- glfs = qemu_gluster_init(gconf, filename, errp);
+- if (!glfs) {
+- ret = -errno;
+- goto out;
+- }
+-
++ gconf->debug_level = GLUSTER_DEBUG_DEFAULT;
+ while (options && options->name) {
+ if (!strcmp(options->name, BLOCK_OPT_SIZE)) {
+ total_size = options->value.n / BDRV_SECTOR_SIZE;
+ }
++ if (!strcmp(options->name, GLUSTER_OPT_DEBUG)) {
++ gconf->debug_level = options->value.n;
++ if (gconf->debug_level < 0) {
++ gconf->debug_level = 0;
++ } else if (gconf->debug_level > GLUSTER_DEBUG_MAX) {
++ gconf->debug_level = GLUSTER_DEBUG_MAX;
++ }
++ }
+ options++;
+ }
+
++ glfs = qemu_gluster_init(gconf, filename, errp);
++ if (!glfs) {
++ ret = -errno;
++ goto out;
++ }
++
+ fd = glfs_creat(glfs, gconf->image,
+ O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, S_IRUSR | S_IWUSR);
+ if (!fd) {
+@@ -732,6 +762,11 @@ static QEMUOptionParameter qemu_gluster_create_options[] = {
+ .type = OPT_SIZE,
+ .help = "Virtual disk size"
+ },
++ {
++ .name = GLUSTER_OPT_DEBUG,
++ .type = QEMU_OPT_NUMBER,
++ .help = "Gluster log level, valid range is 0-9",
++ },
+ { NULL }
+ };
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch b/SOURCES/kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch
index 87f18bf..6792339 100644
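Review bot: In qemu_gluster_open (block/gluster.c, inside kvm-block-gluster-add-support-for-selecting-debug-loggin.patch) the result of `qemu_opt_get_number()` is stored straight into the `int` field `s->debug_level` and only clamped afterwards, so a value wider than `int` (the getter presumably returns an unsigned 64-bit number) is truncated first and can land inside 0-9 or turn negative and be clamped to 0, which the commit message defines as no logging; qemu_gluster_create does the same with `options->value.n`. Clamping in the wide type before narrowing, in one helper shared by both sites as sketched below, makes oversized input saturate at the most verbose level rather than switch logging off. Separately, the new entry in `qemu_gluster_create_options[]` uses `.type = QEMU_OPT_NUMBER` in a `QEMUOptionParameter` table whose neighbour uses `OPT_SIZE`; that looks like a constant from the other option enum, and `OPT_NUMBER` is presumably what was meant, which should be confirmed against qemu-option.h. Both functions start and end outside their hunks.

```c
/* Clamp a user-supplied log level to 0..GLUSTER_DEBUG_MAX before narrowing to int. */
static int qemu_gluster_clamp_debug(uint64_t level)
{
    return level > GLUSTER_DEBUG_MAX ? GLUSTER_DEBUG_MAX : (int)level;
}

/* ... unchanged: qemu_gluster_open up to the filename lookup ... */
    s->debug_level = qemu_gluster_clamp_debug(
        qemu_opt_get_number(opts, GLUSTER_OPT_DEBUG, GLUSTER_DEBUG_DEFAULT));

/* ... unchanged: qemu_gluster_create option loop up to the size option ... */
        if (!strcmp(options->name, GLUSTER_OPT_DEBUG)) {
            gconf->debug_level = qemu_gluster_clamp_debug(options->value.n);
        }
```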
--- a/SOURCES/kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch +++ b/SOURCES/kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch @@ -1,21 +1,21 @@ -From 357b8e45c81e79a1547f65ea4109b0882050b1e9 Mon Sep 17 00:00:00 2001 +From 6106261b0f1501a3772f4f9b67ae329697c7b815 Mon Sep 17 00:00:00 2001 From: Eduardo Habkost -Date: Tue, 23 May 2017 14:15:10 +0200 +Date: Tue, 23 May 2017 13:43:59 +0200 Subject: [PATCH] char: change qemu_chr_fe_add_watch to return unsigned RH-Author: Eduardo Habkost -Message-id: <20170523141510.24762-1-ehabkost@redhat.com> -Patchwork-id: 75397 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH] char: change qemu_chr_fe_add_watch to return unsigned -Bugzilla: 1452332 +Message-id: <20170523134359.8747-1-ehabkost@redhat.com> +Patchwork-id: 75396 +O-Subject: [RHEL-7.4 qemu-kvm PATCH] char: change qemu_chr_fe_add_watch to return unsigned +Bugzilla: 1451470 RH-Acked-by: Laurent Vivier RH-Acked-by: Paolo Bonzini RH-Acked-by: Miroslav Rezanina From: Paolo Bonzini -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1452332 -Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=13257135 +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1451470#c32 +Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=13257025 g_source_attach can return any value between 1 and UINT_MAX if you let QEMU run long enough. However, qemu_chr_fe_add_watch can also return @@ -26,11 +26,7 @@ these values. Fix the cadence_uart which asserts in this case (easily obtained with "-serial pty"). -Backport notes: - - This is the same patch submitted to the 7.4 branch. - -7.4 backport conflicts: +Backport Conflicts: hw/char/cadence_uart.c (no qemu_chr_fe_add_watch() call) net/vhost-user.c (doesn't exit) qemu-char.c (trivial conflict) diff --git a/SOURCES/kvm-char-serial-Fix-emptyness-check.patch b/SOURCES/kvm-char-serial-Fix-emptyness-check.patch index 7b571ce..4a30500 100644 --- a/SOURCES/kvm-char-serial-Fix-emptyness-check.patch 
+++ b/SOURCES/kvm-char-serial-Fix-emptyness-check.patch @@ -1,15 +1,15 @@ -From c9b0af3739fc5b79a20bf2492b5e8c1dea055dc0 Mon Sep 17 00:00:00 2001 +From a7f735cccb7d7b98998600eebc789c709eac5bca Mon Sep 17 00:00:00 2001 From: Fam Zheng -Date: Fri, 19 May 2017 00:35:10 +0200 +Date: Thu, 18 May 2017 09:21:18 +0200 Subject: [PATCH 05/18] char/serial: Fix emptyness check RH-Author: Fam Zheng -Message-id: <20170519003523.21163-6-famz@redhat.com> -Patchwork-id: 75361 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 05/18] char/serial: Fix emptyness check -Bugzilla: 1452332 +Message-id: <20170518092131.16571-6-famz@redhat.com> +Patchwork-id: 75296 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 05/18] char/serial: Fix emptyness check +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Peter Crosthwaite diff --git a/SOURCES/kvm-char-serial-Fix-emptyness-handling.patch b/SOURCES/kvm-char-serial-Fix-emptyness-handling.patch index 966d2f5..3f42fe8 100644 --- a/SOURCES/kvm-char-serial-Fix-emptyness-handling.patch +++ b/SOURCES/kvm-char-serial-Fix-emptyness-handling.patch @@ -1,15 +1,15 @@ -From a14715c6b64f4764259028923a9c04ae7844c546 Mon Sep 17 00:00:00 2001 +From 63857964e14bbf4bcb91eaa56ca46a30d14934ed Mon Sep 17 00:00:00 2001 From: Fam Zheng -Date: Fri, 19 May 2017 00:35:11 +0200 +Date: Thu, 18 May 2017 09:21:19 +0200 Subject: [PATCH 06/18] char/serial: Fix emptyness handling RH-Author: Fam Zheng -Message-id: <20170519003523.21163-7-famz@redhat.com> -Patchwork-id: 75359 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 06/18] char/serial: Fix emptyness handling -Bugzilla: 1452332 +Message-id: <20170518092131.16571-7-famz@redhat.com> +Patchwork-id: 75298 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 06/18] char/serial: Fix emptyness handling +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Don Slutz 
diff --git a/SOURCES/kvm-char-serial-Use-generic-Fifo8.patch b/SOURCES/kvm-char-serial-Use-generic-Fifo8.patch index ed8c9d1..bf9a9a4 100644 --- a/SOURCES/kvm-char-serial-Use-generic-Fifo8.patch +++ b/SOURCES/kvm-char-serial-Use-generic-Fifo8.patch @@ -1,15 +1,15 @@ -From 462caff619f890c56194ac50b70b095c26cd133e Mon Sep 17 00:00:00 2001 +From 18e92ed681383c787912d0cd4b8164d8e7df26d4 Mon Sep 17 00:00:00 2001 From: Fam Zheng -Date: Fri, 19 May 2017 00:35:07 +0200 +Date: Thu, 18 May 2017 09:21:15 +0200 Subject: [PATCH 02/18] char/serial: Use generic Fifo8 RH-Author: Fam Zheng -Message-id: <20170519003523.21163-3-famz@redhat.com> -Patchwork-id: 75358 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 02/18] char/serial: Use generic Fifo8 -Bugzilla: 1452332 +Message-id: <20170518092131.16571-3-famz@redhat.com> +Patchwork-id: 75292 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 02/18] char/serial: Use generic Fifo8 +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Peter Crosthwaite diff --git a/SOURCES/kvm-char-serial-cosmetic-fixes.patch b/SOURCES/kvm-char-serial-cosmetic-fixes.patch index 2f9e776..2a507bd 100644 --- a/SOURCES/kvm-char-serial-cosmetic-fixes.patch +++ b/SOURCES/kvm-char-serial-cosmetic-fixes.patch @@ -1,18 +1,18 @@ -From f3c1372702f7cac6d8b405cf8c51e15eabc7c054 Mon Sep 17 00:00:00 2001 +From 30482e796857e7d29877d93cc017aca5c844e4e1 Mon Sep 17 00:00:00 2001 
From: Fam Zheng -Date: Fri, 19 May 2017 00:35:06 +0200 +Date: Thu, 18 May 2017 09:21:14 +0200 Subject: [PATCH 01/18] char/serial: cosmetic fixes. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Fam Zheng -Message-id: <20170519003523.21163-2-famz@redhat.com> -Patchwork-id: 75356 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 01/18] char/serial: cosmetic fixes. -Bugzilla: 1452332 +Message-id: <20170518092131.16571-2-famz@redhat.com> +Patchwork-id: 75293 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 01/18] char/serial: cosmetic fixes. +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Peter Crosthwaite diff --git a/SOURCES/kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch b/SOURCES/kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch index 35577f6..0778ad2 100644 --- a/SOURCES/kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch +++ b/SOURCES/kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch @@ -1,16 +1,16 @@ -From a04a0d4cf131163600ebede71d223d9d01a32511 Mon Sep 17 00:00:00 2001 +From 6239c2bb55847293db2defeff645e1d5e6456a19 Mon Sep 17 00:00:00 2001 From: Fam Zheng -Date: Fri, 19 May 2017 00:35:09 +0200 +Date: Thu, 18 May 2017 09:21:17 +0200 Subject: [PATCH 04/18] char/serial: fix copy&paste error (fifo8_is_full vs empty) RH-Author: Fam Zheng -Message-id: <20170519003523.21163-5-famz@redhat.com> -Patchwork-id: 75360 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 04/18] char/serial: fix copy&paste error (fifo8_is_full vs empty) -Bugzilla: 1452332 +Message-id: <20170518092131.16571-5-famz@redhat.com> +Patchwork-id: 75294 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 04/18] char/serial: fix copy&paste error (fifo8_is_full vs empty) +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Vladimir Senkov 
diff --git a/SOURCES/kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch b/SOURCES/kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch index 3970777..6b43fff 100644 --- a/SOURCES/kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch +++ b/SOURCES/kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch @@ -1,6 +1,6 @@ -From 5114efc4a077a1fdfa9873e6f44a00d5f8101f65 Mon Sep 17 00:00:00 2001 +From e675e8ae59a4eb6a39fa9d1f13011fd4e718ce67 Mon Sep 17 00:00:00 2001 From: Fam Zheng -Date: Fri, 19 May 2017 00:35:08 +0200 +Date: Thu, 18 May 2017 09:21:16 +0200 Subject: [PATCH 03/18] char/serial: serial_ioport_write: Factor out common code MIME-Version: 1.0 @@ -8,12 +8,12 @@ Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Fam Zheng -Message-id: <20170519003523.21163-4-famz@redhat.com> -Patchwork-id: 75357 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 03/18] char/serial: serial_ioport_write: Factor out common code -Bugzilla: 1452332 +Message-id: <20170518092131.16571-4-famz@redhat.com> +Patchwork-id: 75295 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 03/18] char/serial: serial_ioport_write: Factor out common code +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Peter Crosthwaite diff --git a/SOURCES/kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch b/SOURCES/kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch index 6e2023a..b6bfea6 100644 --- a/SOURCES/kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch +++ b/SOURCES/kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch @@ -1,4 +1,4 @@ -From e894ec03d7e6229488ae24d83809009162a0f9e0 Mon Sep 17 00:00:00 2001 +From 74db251c34369bd32148864b3abea6d6586270dc Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Fri, 10 Feb 2017 08:30:15 +0100 Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to 
@@ -8,7 +8,7 @@ RH-Author: Gerd Hoffmann Message-id: <1486715415-3462-4-git-send-email-kraxel@redhat.com> Patchwork-id: 73773 O-Subject: [virt-devel] [EMBARGOED RHEL-7.4 qemu-kvm PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo -Bugzilla: 1420490 +Bugzilla: 1420492 CVE: CVE-2017-2620/20170221 RH-Acked-by: Paolo Bonzini RH-Acked-by: Laurent Vivier diff --git a/SOURCES/kvm-cirrus-add-option-to-disable-blitter.patch b/SOURCES/kvm-cirrus-add-option-to-disable-blitter.patch index 47d8984..48c7d9e 100644 --- a/SOURCES/kvm-cirrus-add-option-to-disable-blitter.patch +++ b/SOURCES/kvm-cirrus-add-option-to-disable-blitter.patch @@ -1,16 +1,16 @@ -From 319f3876fafc35412bbf0ef6797c6764c95af6f3 Mon Sep 17 00:00:00 2001 +From 04b0eed67c2564cf9c10a62f57ed606f627c9317 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann -Date: Tue, 21 Mar 2017 09:58:03 +0100 +Date: Mon, 27 Mar 2017 10:01:18 +0200 Subject: [PATCH 3/7] cirrus: add option to disable blitter RH-Author: Gerd Hoffmann -Message-id: <1490090287-1503-4-git-send-email-kraxel@redhat.com> -Patchwork-id: 74424 -O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/7] cirrus: add option to disable blitter -Bugzilla: 1430059 +Message-id: <1490608882-10242-4-git-send-email-kraxel@redhat.com> +Patchwork-id: 74551 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 3/7] cirrus: add option to disable blitter +Bugzilla: 1430060 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Laurent Vivier -RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Paolo Bonzini Ok, we have this beast in the cirrus code which is not used at all by modern guests, except when you try to find security holes in qemu. So, diff --git a/SOURCES/kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch b/SOURCES/kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch index ed65c41..e710937 100644 --- a/SOURCES/kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch +++ b/SOURCES/kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch 
@@ -1,13 +1,13 @@ -From 9fd5f5b599e19c4485c3c7e6689081965e833df6 Mon Sep 17 00:00:00 2001 +From 03b4fe1dacb0e4a2bdebb86d11e1cff13b2972c1 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 7 Feb 2017 10:07:50 +0100 -Subject: [PATCH 6/8] cirrus: allow zero source pitch in pattern fill rops +Subject: [PATCH 07/11] cirrus: allow zero source pitch in pattern fill rops RH-Author: Gerd Hoffmann Message-id: <1486462072-32174-6-git-send-email-kraxel@redhat.com> Patchwork-id: 73569 O-Subject: [RHEL-7.4 qemu-kvm PATCH 5/7] cirrus: allow zero source pitch in pattern fill rops -Bugzilla: 1418232 +Bugzilla: 1418233 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Paolo Bonzini RH-Acked-by: Miroslav Rezanina diff --git a/SOURCES/kvm-cirrus-fix-blit-address-mask-handling.patch b/SOURCES/kvm-cirrus-fix-blit-address-mask-handling.patch index 8bc4b87..158737d 100644 --- a/SOURCES/kvm-cirrus-fix-blit-address-mask-handling.patch +++ b/SOURCES/kvm-cirrus-fix-blit-address-mask-handling.patch @@ -1,13 +1,13 @@ -From fdb1ec384fe65b7ca2ab7303b56c2731e5999058 Mon Sep 17 00:00:00 2001 +From a5ce32ef09ab8eb8ba2467e12d37020048c8803f Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 7 Feb 2017 10:07:51 +0100 -Subject: [PATCH 7/8] cirrus: fix blit address mask handling +Subject: [PATCH 08/11] cirrus: fix blit address mask handling RH-Author: Gerd Hoffmann Message-id: <1486462072-32174-7-git-send-email-kraxel@redhat.com> Patchwork-id: 73570 O-Subject: [RHEL-7.4 qemu-kvm PATCH 6/7] cirrus: fix blit address mask handling -Bugzilla: 1418232 +Bugzilla: 1418233 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Paolo Bonzini RH-Acked-by: Miroslav Rezanina diff --git a/SOURCES/kvm-cirrus-fix-cirrus_invalidate_region.patch b/SOURCES/kvm-cirrus-fix-cirrus_invalidate_region.patch index b180965..0e38fac 100644 --- a/SOURCES/kvm-cirrus-fix-cirrus_invalidate_region.patch +++ b/SOURCES/kvm-cirrus-fix-cirrus_invalidate_region.patch 
@@ -1,16 +1,16 @@ -From 6c17f6355cac0bc40bae876acf4d31e32978991f Mon Sep 17 00:00:00 2001 +From 8396435dbcd13dc27c7f1c7576499354be48d2c7 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann -Date: Tue, 21 Mar 2017 09:58:04 +0100 +Date: Mon, 27 Mar 2017 10:01:19 +0200 Subject: [PATCH 4/7] cirrus: fix cirrus_invalidate_region RH-Author: Gerd Hoffmann -Message-id: <1490090287-1503-5-git-send-email-kraxel@redhat.com> -Patchwork-id: 74423 -O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/7] cirrus: fix cirrus_invalidate_region -Bugzilla: 1430059 +Message-id: <1490608882-10242-5-git-send-email-kraxel@redhat.com> +Patchwork-id: 74552 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 4/7] cirrus: fix cirrus_invalidate_region +Bugzilla: 1430060 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Laurent Vivier -RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Paolo Bonzini off_cur_end is exclusive, so off_cur_end == cirrus_addr_mask is valid. Fix calculation to make sure to allow that, otherwise the assert added diff --git a/SOURCES/kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch b/SOURCES/kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch index 6188818..fc0f512 100644 --- a/SOURCES/kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch +++ b/SOURCES/kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch @@ -1,6 +1,6 @@ -From 8c2a803f9ba8b4293c207917a2acfcfac0548d24 Mon Sep 17 00:00:00 2001 +From 081ddf9d66155dbec8ec064d7671ba0799642fd6 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann -Date: Tue, 21 Mar 2017 09:58:07 +0100 +Date: Mon, 27 Mar 2017 10:01:22 +0200 Subject: [PATCH 7/7] cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16 MIME-Version: 1.0 
@@ -8,13 +8,13 @@ Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Gerd Hoffmann -Message-id: <1490090287-1503-8-git-send-email-kraxel@redhat.com> -Patchwork-id: 74422 -O-Subject: [RHEL-7.4 qemu-kvm PATCH 7/7] cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16 -Bugzilla: 1430059 +Message-id: <1490608882-10242-8-git-send-email-kraxel@redhat.com> +Patchwork-id: 74555 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 7/7] cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16 +Bugzilla: 1430060 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Laurent Vivier -RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Paolo Bonzini The switch from pointers to addresses (commit 026aeffcb4752054830ba203020ed6eb05bcaba8 and diff --git a/SOURCES/kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch b/SOURCES/kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch index 2e4cca6..01aecbd 100644 --- a/SOURCES/kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch +++ b/SOURCES/kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch @@ -1,13 +1,13 @@ -From 55c542cca671a5a130c44359c73d1e908353418e Mon Sep 17 00:00:00 2001 +From 2ff46c139a37bbe66732b9024daa771eff3e6c36 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 7 Feb 2017 10:07:52 +0100 -Subject: [PATCH 8/8] cirrus: fix oob access issue (CVE-2017-2615) +Subject: [PATCH 09/11] cirrus: fix oob access issue (CVE-2017-2615) RH-Author: Gerd Hoffmann Message-id: <1486462072-32174-8-git-send-email-kraxel@redhat.com> Patchwork-id: 73565 O-Subject: [RHEL-7.4 qemu-kvm PATCH 7/7] cirrus: fix oob access issue (CVE-2017-2615) -Bugzilla: 1418232 +Bugzilla: 1418233 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Paolo Bonzini RH-Acked-by: Miroslav Rezanina diff --git a/SOURCES/kvm-cirrus-fix-patterncopy-checks.patch b/SOURCES/kvm-cirrus-fix-patterncopy-checks.patch index 993204c..057c2b3 100644 --- a/SOURCES/kvm-cirrus-fix-patterncopy-checks.patch +++ b/SOURCES/kvm-cirrus-fix-patterncopy-checks.patch 
@@ -1,4 +1,4 @@ -From 46da39c9f9a9a72cf9e833d46ce10d785581ce63 Mon Sep 17 00:00:00 2001 +From 8ce7227f70248c7f4926124e16baab74c5689841 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Fri, 10 Feb 2017 08:30:13 +0100 Subject: [PATCH 1/3] cirrus: fix patterncopy checks @@ -7,7 +7,7 @@ RH-Author: Gerd Hoffmann Message-id: <1486715415-3462-2-git-send-email-kraxel@redhat.com> Patchwork-id: 73775 O-Subject: [virt-devel] [RHEL-7.4 qemu-kvm PATCH 1/3] cirrus: fix patterncopy checks -Bugzilla: 1420490 +Bugzilla: 1420492 CVE: CVE-2017-2620/20170221 RH-Acked-by: Paolo Bonzini RH-Acked-by: Dr. David Alan Gilbert diff --git a/SOURCES/kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch b/SOURCES/kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch index 023cff5..cd87244 100644 --- a/SOURCES/kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch +++ b/SOURCES/kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch @@ -1,14 +1,14 @@ -From 1d7bdd730d1537f931a95897b14fdb6c5754ea2c Mon Sep 17 00:00:00 2001 +From 45023277a5822c89806eae1cc5f4d5f897e28fcd Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 7 Feb 2017 10:07:49 +0100 -Subject: [PATCH 5/8] cirrus: handle negative pitch in +Subject: [PATCH 06/11] cirrus: handle negative pitch in cirrus_invalidate_region() RH-Author: Gerd Hoffmann Message-id: <1486462072-32174-5-git-send-email-kraxel@redhat.com> Patchwork-id: 73566 O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/7] cirrus: handle negative pitch in cirrus_invalidate_region() -Bugzilla: 1418232 +Bugzilla: 1418233 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Paolo Bonzini RH-Acked-by: Miroslav Rezanina diff --git a/SOURCES/kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch b/SOURCES/kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch index 2425a76..35b9eb0 100644 --- a/SOURCES/kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch +++ b/SOURCES/kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch 
@@ -1,16 +1,16 @@ -From c4928f394f862c78024f4dccb6ea1398dc743c49 Mon Sep 17 00:00:00 2001 +From f0327afe876acff27221cdeead1aca0444364133 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann -Date: Tue, 21 Mar 2017 09:58:05 +0100 +Date: Mon, 27 Mar 2017 10:01:20 +0200 Subject: [PATCH 5/7] cirrus: stop passing around dst pointers in the blitter RH-Author: Gerd Hoffmann -Message-id: <1490090287-1503-6-git-send-email-kraxel@redhat.com> -Patchwork-id: 74421 -O-Subject: [RHEL-7.4 qemu-kvm PATCH 5/7] cirrus: stop passing around dst pointers in the blitter -Bugzilla: 1430059 +Message-id: <1490608882-10242-6-git-send-email-kraxel@redhat.com> +Patchwork-id: 74550 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 5/7] cirrus: stop passing around dst pointers in the blitter +Bugzilla: 1430060 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Laurent Vivier -RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Paolo Bonzini Instead pass around the address (aka offset into vga memory). Calculate the pointer in the rop_* functions, after applying the mask to the diff --git a/SOURCES/kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch b/SOURCES/kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch index 29837cc..d3f34c1 100644 --- a/SOURCES/kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch +++ b/SOURCES/kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch @@ -1,16 +1,16 @@ -From d29af2a00b6126d2c3af535d128beeb80216c197 Mon Sep 17 00:00:00 2001 +From cc965429746aac94b7c37991f676dcd323ef212d Mon Sep 17 00:00:00 2001 
From: Gerd Hoffmann -Date: Tue, 21 Mar 2017 09:58:06 +0100 +Date: Mon, 27 Mar 2017 10:01:21 +0200 Subject: [PATCH 6/7] cirrus: stop passing around src pointers in the blitter RH-Author: Gerd Hoffmann -Message-id: <1490090287-1503-7-git-send-email-kraxel@redhat.com> -Patchwork-id: 74417 -O-Subject: [RHEL-7.4 qemu-kvm PATCH 6/7] cirrus: stop passing around src pointers in the blitter -Bugzilla: 1430059 +Message-id: <1490608882-10242-7-git-send-email-kraxel@redhat.com> +Patchwork-id: 74549 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 6/7] cirrus: stop passing around src pointers in the blitter +Bugzilla: 1430060 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Laurent Vivier -RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Paolo Bonzini Does basically the same as "cirrus: stop passing around dst pointers in the blitter", just for the src pointer instead of the dst pointer. diff --git a/SOURCES/kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch b/SOURCES/kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch index 854e932..87006bf 100644 --- a/SOURCES/kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch +++ b/SOURCES/kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch @@ -1,16 +1,16 @@ -From de457fc23e747a0c622e0fd23e49893c1f1da460 Mon Sep 17 00:00:00 2001 +From 9bd81fb917c9ac22055e0dc7b3a89a22d5cfbfc1 Mon Sep 17 00:00:00 2001 
From: Gerd Hoffmann -Date: Tue, 21 Mar 2017 09:58:02 +0100 +Date: Mon, 27 Mar 2017 10:01:17 +0200 Subject: [PATCH 2/7] cirrus/vnc: zap bitblit support from console code. RH-Author: Gerd Hoffmann -Message-id: <1490090287-1503-3-git-send-email-kraxel@redhat.com> -Patchwork-id: 74418 -O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/7] cirrus/vnc: zap bitblit support from console code. -Bugzilla: 1430059 +Message-id: <1490608882-10242-3-git-send-email-kraxel@redhat.com> +Patchwork-id: 74554 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 2/7] cirrus/vnc: zap bitblit support from console code. +Bugzilla: 1430060 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Laurent Vivier -RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Paolo Bonzini There is a special code path (dpy_gfx_copy) to allow graphic emulation notify user interface code about bitblit operations carryed out by @@ -51,11 +51,11 @@ Conflicts: include/ui/console.h ui/vnc.c --- - hw/display/cirrus_vga.c | 12 ++----- + hw/display/cirrus_vga.c | 12 ++---- include/ui/console.h | 7 ---- - ui/console.c | 28 --------------- - ui/vnc.c | 96 ------------------------------------------------- - 4 files changed, 3 insertions(+), 140 deletions(-) + ui/console.c | 28 -------------- + ui/vnc.c | 99 ------------------------------------------------- + 4 files changed, 3 insertions(+), 143 deletions(-) diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c index 1b972db..83cef70 100644 @@ -165,7 +165,7 @@ index d422083..fb08ec0 100644 { return console->surface; diff --git a/ui/vnc.c b/ui/vnc.c -index a0e2d33..c7a7853 100644 +index b68918e..1834db0 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -417,7 +417,6 @@ out_error: 
@@ -176,7 +176,7 @@ index a0e2d33..c7a7853 100644 static void vnc_disconnect_start(VncState *vs); static void vnc_colordepth(VncState *vs); -@@ -721,93 +720,6 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h) +@@ -728,96 +727,6 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h) return n; } @@ -228,11 +228,12 @@ index a0e2d33..c7a7853 100644 - y = dst_y + h - 1; - inc = -1; - } -- w_lim = w - (16 - (dst_x % 16)); -- if (w_lim < 0) +- w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT)); +- if (w_lim < 0) { - w_lim = w; -- else -- w_lim = w - (w_lim % 16); +- } else { +- w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT); +- } - for (i = 0; i < h; i++) { - for (x = 0; x <= w_lim; - x += s, src_row += cmp_bytes, dst_row += cmp_bytes) { @@ -240,10 +241,11 @@ index a0e2d33..c7a7853 100644 - if ((s = w - w_lim) == 0) - break; - } else if (!x) { -- s = (16 - (dst_x % 16)); +- s = (VNC_DIRTY_PIXELS_PER_BIT - +- (dst_x % VNC_DIRTY_PIXELS_PER_BIT)); - s = MIN(s, w_lim); - } else { -- s = 16; +- s = VNC_DIRTY_PIXELS_PER_BIT; - } - cmp_bytes = s * VNC_SERVER_FB_BYTES; - if (memcmp(src_row, dst_row, cmp_bytes) == 0) @@ -251,7 +253,8 @@ index a0e2d33..c7a7853 100644 - memmove(dst_row, src_row, cmp_bytes); - QTAILQ_FOREACH(vs, &vd->clients, next) { - if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) { -- set_bit(((x + dst_x) / 16), vs->dirty[y]); +- set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT), +- vs->dirty[y]); - } - } - } @@ -270,7 +273,7 @@ index a0e2d33..c7a7853 100644 static void vnc_mouse_set(DisplayChangeListener *dcl, int x, int y, int visible) { -@@ -873,13 +785,6 @@ static int find_and_clear_dirty_height(struct VncState *vs, +@@ -883,13 +792,6 @@ static int find_and_clear_dirty_height(struct VncState *vs, return h; } 
@@ -284,7 +287,7 @@ index a0e2d33..c7a7853 100644 static int vnc_update_client(VncState *vs, int has_dirty) { if (vs->need_update && vs->csock != -1) { -@@ -2912,7 +2817,6 @@ static void vnc_listen_websocket_read(void *opaque) +@@ -2936,7 +2838,6 @@ static void vnc_listen_websocket_read(void *opaque) static const DisplayChangeListenerOps dcl_ops = { .dpy_name = "vnc", .dpy_refresh = vnc_refresh, diff --git a/SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch b/SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch index 5b0accf..fb66656 100644 --- a/SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch +++ b/SOURCES/kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch @@ -1,13 +1,13 @@ -From 900ccf5cf6497234e1d3b1e80f4dfa8a60bcfb06 Mon Sep 17 00:00:00 2001 +From 8d230a5a57512c84545bd6345775e69b4b3b1983 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 7 Feb 2017 10:07:46 +0100 -Subject: [PATCH 2/8] cirrus_vga: fix off-by-one in blit_region_is_unsafe +Subject: [PATCH 03/11] cirrus_vga: fix off-by-one in blit_region_is_unsafe RH-Author: Gerd Hoffmann Message-id: <1486462072-32174-2-git-send-email-kraxel@redhat.com> Patchwork-id: 73564 O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/7] cirrus_vga: fix off-by-one in blit_region_is_unsafe -Bugzilla: 1418232 +Bugzilla: 1418233 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Paolo Bonzini RH-Acked-by: Miroslav Rezanina diff --git a/SOURCES/kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch b/SOURCES/kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch index 569f78a..e3cbced 100644 --- a/SOURCES/kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch +++ b/SOURCES/kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch @@ -1,13 +1,13 @@ -From e0ec8bdaf64a147c83334ae6f59e279c4560d01b Mon Sep 17 00:00:00 2001 +From 4394f52159cec32cded60ec8f86cd4b92a85bfe5 Mon Sep 17 00:00:00 2001 
From: Gerd Hoffmann Date: Tue, 7 Feb 2017 10:07:47 +0100 -Subject: [PATCH 3/8] display: cirrus: check vga bits per pixel(bpp) value +Subject: [PATCH 04/11] display: cirrus: check vga bits per pixel(bpp) value RH-Author: Gerd Hoffmann Message-id: <1486462072-32174-3-git-send-email-kraxel@redhat.com> Patchwork-id: 73568 O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/7] display: cirrus: check vga bits per pixel(bpp) value -Bugzilla: 1418232 +Bugzilla: 1418233 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Paolo Bonzini RH-Acked-by: Miroslav Rezanina diff --git a/SOURCES/kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch b/SOURCES/kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch index eeaf45f..a61d958 100644 --- a/SOURCES/kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch +++ b/SOURCES/kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch @@ -1,14 +1,14 @@ -From 3178cae91f9fc3ddd025f1daa415b74ed387b6ca Mon Sep 17 00:00:00 2001 +From 23ae0a2bec72997626c3ba834f036b9a3626eedc Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Tue, 7 Feb 2017 10:07:48 +0100 -Subject: [PATCH 4/8] display: cirrus: ignore source pitch value as needed in +Subject: [PATCH 05/11] display: cirrus: ignore source pitch value as needed in blit_is_unsafe RH-Author: Gerd Hoffmann Message-id: <1486462072-32174-4-git-send-email-kraxel@redhat.com> Patchwork-id: 73563 O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/7] display: cirrus: ignore source pitch value as needed in blit_is_unsafe -Bugzilla: 1418232 +Bugzilla: 1418233 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Paolo Bonzini RH-Acked-by: Miroslav Rezanina diff --git a/SOURCES/kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch b/SOURCES/kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch index a8641a6..7c32197 100644 --- a/SOURCES/kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch +++ b/SOURCES/kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch 
@@ -1,16 +1,16 @@ -From d27fae125c1efd59ba3263260d41f8e054b070a2 Mon Sep 17 00:00:00 2001 +From f9b9adc4b66f991e655f51f2ef67dac46f6bd7d4 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann -Date: Tue, 21 Mar 2017 09:58:01 +0100 +Date: Mon, 27 Mar 2017 10:01:16 +0200 Subject: [PATCH 1/7] fix :cirrus_vga fix OOB read case qemu Segmentation fault RH-Author: Gerd Hoffmann -Message-id: <1490090287-1503-2-git-send-email-kraxel@redhat.com> -Patchwork-id: 74419 -O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/7] fix :cirrus_vga fix OOB read case qemu Segmentation fault -Bugzilla: 1430059 +Message-id: <1490608882-10242-2-git-send-email-kraxel@redhat.com> +Patchwork-id: 74553 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 1/7] fix :cirrus_vga fix OOB read case qemu Segmentation fault +Bugzilla: 1430060 RH-Acked-by: Dr. David Alan Gilbert RH-Acked-by: Laurent Vivier -RH-Acked-by: Miroslav Rezanina +RH-Acked-by: Paolo Bonzini From: hangaohuai diff --git a/SOURCES/kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch b/SOURCES/kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch new file mode 100644 index 0000000..92eeffb --- /dev/null +++ b/SOURCES/kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch 
@@ -0,0 +1,75 @@
+From 22e47c104ff73885357a0be7b94270f3955427ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Cody
+Date: Tue, 17 Jan 2017 19:51:31 +0100
+Subject: [PATCH 2/3] gluster: Correctly propagate errors when volume isn't
+ accessible
+
+RH-Author: Jeffrey Cody
+Message-id: <963a714d4eae919df79e2031e02c77af5a8697e2.1484682588.git.jcody@redhat.com>
+Patchwork-id: 73256
+O-Subject: [RHEL-7.4 qemu-kvm 2/3] gluster: Correctly propagate errors when volume isn't accessible
+Bugzilla: 1151859
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Fam Zheng
+RH-Acked-by: Thomas Huth
+
+From: Peter Krempa
+
+The docs for glfs_init suggest that the function sets errno on every
+failure. In fact it doesn't. As other functions such as
+qemu_gluster_open() in the gluster block code report their errors based
+on this fact we need to make sure that errno is set on each failure.
+
+This fixes a crash of qemu-img/qemu when a gluster brick isn't
+accessible from given host while the server serving the volume
+description is.
+
+Thread 1 (Thread 0x7ffff7fba740 (LWP 203880)):
+ #0 0x00007ffff77673f8 in glfs_lseek () from /usr/lib64/libgfapi.so.0
+ #1 0x0000555555574a68 in qemu_gluster_getlength ()
+ #2 0x0000555555565742 in refresh_total_sectors ()
+ #3 0x000055555556914f in bdrv_open_common ()
+ #4 0x000055555556e8e8 in bdrv_open ()
+ #5 0x000055555556f02f in bdrv_open_image ()
+ #6 0x000055555556e5f6 in bdrv_open ()
+ #7 0x00005555555c5775 in bdrv_new_open ()
+ #8 0x00005555555c5b91 in img_info ()
+ #9 0x00007ffff62c9c05 in __libc_start_main () from /lib64/libc.so.6
+ #10 0x00005555555648ad in _start ()
+
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit 4557117d9eed8cadc360aec23b42fc39a7011864)
+Signed-off-by: Jeff Cody
+Signed-off-by: Miroslav Rezanina
+---
+ block/gluster.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index 248a031..5266dce 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -224,6 +224,11 @@ static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename,
+ "volume=%s image=%s transport=%s", gconf->server,
+ gconf->port, gconf->volname, gconf->image,
+ gconf->transport);
++
++ /* glfs_init sometimes doesn't set errno although docs suggest that */
++ if (errno == 0)
++ errno = EINVAL;
++
+ goto out;
+ }
+ return glfs;
+@@ -484,7 +489,7 @@ static int qemu_gluster_create(const char *filename,
+
+ glfs = qemu_gluster_init(gconf, filename, errp);
+ if (!glfs) {
+- ret = -EINVAL;
++ ret = -errno;
+ goto out;
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-gluster-correctly-propagate-errors.patch b/SOURCES/kvm-gluster-correctly-propagate-errors.patch
new file mode 100644
index 0000000..0ab585f
--- /dev/null
+++ b/SOURCES/kvm-gluster-correctly-propagate-errors.patch
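Review bot: The `if (errno == 0)` fallback added in qemu_gluster_init() sits after the `error_setg_errno(errp, errno, ...)` call shown as context, so when glfs_init() fails without setting errno the reported message is still built from 0, and only the value returned to callers becomes EINVAL. errno is also not cleared before `glfs_init(glfs)`, so the `== 0` test cannot tell "not set by glfs_init" from a value left over by an earlier call. I would put `errno = 0;` immediately before the call and move the fallback ahead of error_setg_errno(), braced per the surrounding style: `if (errno == 0) { errno = EINVAL; }`. The same ordering concern applies to the error_setg_errno() hunk in kvm-gluster-correctly-propagate-errors.patch; the function body starts outside this hunk, and whether the `out:` cleanup preserves errno is not visible here.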
@@ -0,0 +1,111 @@
+From 582eb6c9eef89809283e8d79b3f39e1ae9eeb64a Mon Sep 17 00:00:00 2001
+From: Jeffrey Cody
+Date: Tue, 17 Jan 2017 19:51:30 +0100
+Subject: [PATCH 1/3] gluster: correctly propagate errors
+
+RH-Author: Jeffrey Cody
+Message-id: <9299039bbb1797e4e61cdc8b4be062efeb152abb.1484682588.git.jcody@redhat.com>
+Patchwork-id: 73254
+O-Subject: [RHEL-7.4 qemu-kvm 1/3] gluster: correctly propagate errors
+Bugzilla: 1151859
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Fam Zheng
+RH-Acked-by: Thomas Huth
+
+From: Paolo Bonzini
+
+Signed-off-by: Paolo Bonzini
+Reviewed-by: Fam Zheng
+Signed-off-by: Kevin Wolf
+(cherry picked from commit a7451cb850d115f257080aff3fbc54f255ebf8f7)
+Signed-off-by: Jeff Cody
+Signed-off-by: Miroslav Rezanina
+---
+ block/gluster.c | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index 1793386..248a031 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -182,7 +182,8 @@ out:
+ return ret;
+ }
+
+-static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename)
++static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename,
++ Error **errp)
+ {
+ struct glfs *glfs = NULL;
+ int ret;
+@@ -190,8 +191,8 @@ static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename)
+
+ ret = qemu_gluster_parseuri(gconf, filename);
+ if (ret < 0) {
+- error_report("Usage: file=gluster[+transport]://[server[:port]]/"
+- "volname/image[?socket=...]");
++ error_setg(errp, "Usage: file=gluster[+transport]://[server[:port]]/"
++ "volname/image[?socket=...]");
+ errno = -ret;
+ goto out;
+ }
+@@ -218,9 +219,11 @@ static struct glfs *qemu_gluster_init(GlusterConf *gconf, const char *filename)
+
+ ret = glfs_init(glfs);
+ if (ret) {
+- error_report("Gluster connection failed for server=%s port=%d "
+- "volume=%s image=%s transport=%s", gconf->server, gconf->port,
+- gconf->volname, gconf->image, gconf->transport);
++ error_setg_errno(errp, errno,
++ "Gluster connection failed for server=%s port=%d "
++ "volume=%s image=%s transport=%s", gconf->server,
++ gconf->port, gconf->volname, gconf->image,
++ gconf->transport);
+ goto out;
+ }
+ return glfs;
+@@ -328,17 +331,15 @@ static int qemu_gluster_open(BlockDriverState *bs, QDict *options,
+
+ opts = qemu_opts_create_nofail(&runtime_opts);
+ qemu_opts_absorb_qdict(opts, options, &local_err);
+- if (error_is_set(&local_err)) {
+- qerror_report_err(local_err);
+- error_free(local_err);
++ if (local_err) {
++ error_propagate(errp, local_err);
+ ret = -EINVAL;
+ goto out;
+ }
+
+ filename = qemu_opt_get(opts, "filename");
+
+-
+- s->glfs = qemu_gluster_init(gconf, filename);
++ s->glfs = qemu_gluster_init(gconf, filename, errp);
+ if (!s->glfs) {
+ ret = -errno;
+ goto out;
+@@ -406,7 +407,7 @@ static int qemu_gluster_reopen_prepare(BDRVReopenState *state,
+
+ gconf = g_malloc0(sizeof(GlusterConf));
+
+- reop_s->glfs = qemu_gluster_init(gconf, state->bs->filename);
++ reop_s->glfs = qemu_gluster_init(gconf, state->bs->filename, errp);
+ if (reop_s->glfs == NULL) {
+ ret = -errno;
+ goto exit;
+@@ -481,9 +482,9 @@ static int qemu_gluster_create(const char *filename,
+ int64_t total_size = 0;
+ GlusterConf *gconf = g_malloc0(sizeof(GlusterConf));
+
+- glfs = qemu_gluster_init(gconf, filename);
++ glfs = qemu_gluster_init(gconf, filename, errp);
+ if (!glfs) {
+- ret = -errno;
++ ret = -EINVAL;
+ goto out;
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch b/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
index d60e538..e591156 100644
--- a/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
+++ b/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
@@ -1,13 +1,13 @@
-From 4f55d2d2f6efdce59440b57726f09578b8692158 Mon Sep 17 00:00:00 2001
+From 436e7a406724efa98d05d4c32cae027f31a66033 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek -Date: Fri, 23 Sep 2016 14:39:35 +0200 -Subject: [PATCH 2/3] hw/i386: regenerate checked-in AML payload (RHEL only) +Date: Fri, 23 Sep 2016 14:39:35 -0300 +Subject: [PATCH 1/2] hw/i386: regenerate checked-in AML payload (RHEL only) RH-Author: Laszlo Ersek Message-id: <20160923143936.25594-2-lersek@redhat.com> Patchwork-id: 72414 O-Subject: [RHEL-7.3 qemu-kvm PATCH 1/2] hw/i386: regenerate checked-in AML payload (RHEL only) -Bugzilla: 1392027 +Bugzilla: 1377087 RH-Acked-by: Paolo Bonzini RH-Acked-by: Michael S. Tsirkin RH-Acked-by: Igor Mammedov @@ -24,7 +24,7 @@ switch the build to them. I actually verified this in a RHEL-7 guest, with remained identical across this change. Signed-off-by: Laszlo Ersek -Signed-off-by: Miroslav Rezanina +Signed-off-by: Danilo C. L. de Paula --- hw/i386/acpi-dsdt.hex.generated | 8 ++++---- hw/i386/q35-acpi-dsdt.hex.generated | 8 ++++---- diff --git a/SOURCES/kvm-i386-kvmvapic-initialise-imm32-variable.patch b/SOURCES/kvm-i386-kvmvapic-initialise-imm32-variable.patch new file mode 100644 index 0000000..f8919b6 --- /dev/null +++ b/SOURCES/kvm-i386-kvmvapic-initialise-imm32-variable.patch 
@@ -0,0 +1,46 @@
+From edb9059eb8f42f892d67df324eeb0098c05d1f4a Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Tue, 28 Feb 2017 12:07:54 +0100
+Subject: [PATCH 09/24] i386: kvmvapic: initialise imm32 variable
+
+RH-Author: Paolo Bonzini
+Message-id: <20170228120754.16073-1-pbonzini@redhat.com>
+Patchwork-id: 74089
+O-Subject: [RHEL7.4 qemu-kvm PATCH] i386: kvmvapic: initialise imm32 variable
+Bugzilla: 1335751
+RH-Acked-by: David Hildenbrand
+RH-Acked-by: Thomas Huth
+RH-Acked-by: Miroslav Rezanina
+
+When processing Task Priorty Register(TPR) access, it could leak
+automatic stack variable 'imm32' in patch_instruction().
+Initialise the variable to avoid it.
+
+Reported by: Donghai Zdh
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit
+Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
+
+Signed-off-by: Miroslav Rezanina
+---
+ hw/i386/kvmvapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
+index 577ae64..a5dd9dd 100644
+--- a/hw/i386/kvmvapic.c
++++ b/hw/i386/kvmvapic.c
+@@ -390,7 +390,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
+ CPUX86State *env = &cpu->env;
+ VAPICHandlers *handlers;
+ uint8_t opcode[2];
+- uint32_t imm32;
++ uint32_t imm32 = 0;
+ target_ulong current_pc = 0;
+ target_ulong current_cs_base = 0;
+ int current_flags = 0;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch b/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch
index b558bdf..1fe27a1 100644
--- a/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch
+++ b/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch
@@ -1,15 +1,15 @@
-From 4d3c9646213bdf992af4e28eaf0d57610eb79fec Mon Sep 17 00:00:00 2001
+From 4fbb16d71e7e9a893c665926642122b165c63425 Mon Sep 17 00:00:00 2001
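Review bot: `uint32_t imm32 = 0;` in patch_instruction() keeps uninitialised stack bytes from being used, but the hunk does not show how imm32 could be consumed before being written; the function body lies outside the hunk, so the following is inferred from the commit message only. If imm32 is filled by a guest-memory read whose result is ignored, checking that read and returning early on failure would address the cause instead of substituting zero. At minimum I would add a comment next to the declaration, for example `/* zeroed so a failed read cannot expose host stack contents to the guest */`, so the initialiser is not later removed as redundant.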
From: John Snow -Date: Thu, 29 Sep 2016 00:02:14 +0200 -Subject: [PATCH 1/3] ide: fix halted IO segfault at reset +Date: Wed, 26 Apr 2017 23:49:07 +0200 +Subject: [PATCH] ide: fix halted IO segfault at reset RH-Author: John Snow -Message-id: <1475107334-14972-2-git-send-email-jsnow@redhat.com> -Patchwork-id: 72436 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 1/1] ide: fix halted IO segfault at reset -Bugzilla: 1393042 -RH-Acked-by: Laszlo Ersek +Message-id: <20170426234907.21151-2-jsnow@redhat.com> +Patchwork-id: 74905 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 1/1] ide: fix halted IO segfault at reset +Bugzilla: 1299875 RH-Acked-by: Paolo Bonzini +RH-Acked-by: Laszlo Ersek RH-Acked-by: Markus Armbruster If one attempts to perform a system_reset after a failed IO request diff --git a/SOURCES/kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch b/SOURCES/kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch new file mode 100644 index 0000000..ab7ff1e --- /dev/null +++ b/SOURCES/kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch 
@@ -0,0 +1,44 @@
+From 27158eec51a5a443d9ae9a7b565b40b749f6f41b Mon Sep 17 00:00:00 2001
+From: Max Reitz
+Date: Mon, 13 Mar 2017 17:46:45 +0100
+Subject: [PATCH 14/24] iotests: Filter for "Killed" in qemu-io output
+
+RH-Author: Max Reitz
+Message-id: <20170313174649.28932-1-mreitz@redhat.com>
+Patchwork-id: 74276
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 5/9] iotests: Filter for "Killed" in qemu-io output
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Kevin Wolf
+
+_filter_qemu_io already filters out the process ID when qemu-io is
+aborted; the same should be done when it is killed.
+
+Signed-off-by: Max Reitz
+Reviewed-by: Fam Zheng
+Message-id: 1418032092-16813-3-git-send-email-mreitz@redhat.com
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit 9e0c3e8df5d1b12517d587d60b2fe587ea252ebe)
+Signed-off-by: Max Reitz
+Signed-off-by: Miroslav Rezanina
+---
+ tests/qemu-iotests/common.filter | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/qemu-iotests/common.filter b/tests/qemu-iotests/common.filter
+index dcd246d..041e001 100644
+--- a/tests/qemu-iotests/common.filter
++++ b/tests/qemu-iotests/common.filter
+@@ -150,7 +150,7 @@ _filter_win32()
+ _filter_qemu_io()
+ {
+ _filter_win32 | sed -e "s/[0-9]* ops\; [0-9/:. sec]* ([0-9/.inf]* [EPTGMKiBbytes]*\/sec and [0-9/.inf]* ops\/sec)/X ops\; XX:XX:XX.X (XXX YYY\/sec and XXX ops\/sec)/" \
+- -e "s/: line [0-9][0-9]*: *[0-9][0-9]*\( Aborted\)/:\1/" \
++ -e "s/: line [0-9][0-9]*: *[0-9][0-9]*\( Aborted\| Killed\)/:\1/" \
+ -e "s/qemu-io> //g"
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-iotests-Fix-test-039.patch b/SOURCES/kvm-iotests-Fix-test-039.patch
new file mode 100644
index 0000000..4dc4c38
--- /dev/null
+++ b/SOURCES/kvm-iotests-Fix-test-039.patch
@@ -0,0 +1,116 @@
+From 5eef8556fa85c070a242f93b675e7fb8e24a2fa0 Mon Sep 17 00:00:00 2001
+From: Max Reitz
+Date: Mon, 13 Mar 2017 17:46:56 +0100
+Subject: [PATCH 15/24] iotests: Fix test 039
+
+RH-Author: Max Reitz
+Message-id: <20170313174659.29164-1-mreitz@redhat.com>
+Patchwork-id: 74277
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 6/9] iotests: Fix test 039
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Kevin Wolf
+
+Test 039 used qemu-io -c abort for simulating a qemu crash; however,
+abort() generally results in a core dump and ulimit -c 0 is no reliable
+way of preventing that. Use "sigraise $(kill -l KILL)" instead to have
+it crash without a core dump.
+
+Signed-off-by: Max Reitz
+Reviewed-by: Fam Zheng
+Message-id: 1418032092-16813-4-git-send-email-mreitz@redhat.com
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit 3f394472c5bca59de5cab9baafdff1984b0213a3)
+Signed-off-by: Max Reitz
+Signed-off-by: Miroslav Rezanina
+---
+ tests/qemu-iotests/039 | 18 +++++++++++++-----
+ tests/qemu-iotests/039.out | 6 +++---
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/tests/qemu-iotests/039 b/tests/qemu-iotests/039
+index 1e50651..ac85476 100755
+--- a/tests/qemu-iotests/039
++++ b/tests/qemu-iotests/039
+@@ -46,9 +46,11 @@ _supported_proto generic
+ _supported_os Linux
+ _unsupported_qemu_io_options --nocache
+
+-_no_dump_exec()
++_subshell_exec()
+ {
+- (ulimit -c 0; exec "$@")
++ # Executing crashing commands in a subshell prevents information like the
++ # "Killed" line from being lost
++ (exec "$@")
+ }
+
+ size=128M
+@@ -71,7 +73,9 @@ echo "== Creating a dirty image file =="
+ IMGOPTS="compat=1.1,lazy_refcounts=on"
+ _make_test_img $size
+
+-_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
++_subshell_exec $QEMU_IO -c "write -P 0x5a 0 512" \
++ -c "sigraise $(kill -l KILL)" "$TEST_IMG" 2>&1 \
++ | _filter_qemu_io
+
+ # The dirty bit must be set
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+@@ -104,7 +108,9 @@ echo "== Opening a dirty image read/write should repair it =="
+ IMGOPTS="compat=1.1,lazy_refcounts=on"
+ _make_test_img $size
+
+-_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
++_subshell_exec $QEMU_IO -c "write -P 0x5a 0 512" \
++ -c "sigraise $(kill -l KILL)" "$TEST_IMG" 2>&1 \
++ | _filter_qemu_io
+
+ # The dirty bit must be set
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+@@ -120,7 +126,9 @@ echo "== Creating an image file with lazy_refcounts=off =="
+ IMGOPTS="compat=1.1,lazy_refcounts=off"
+ _make_test_img $size
+
+-_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io
++_subshell_exec $QEMU_IO -c "write -P 0x5a 0 512" \
++ -c "sigraise $(kill -l KILL)" "$TEST_IMG" 2>&1 \
++ | _filter_qemu_io
+
+ # The dirty bit must not be set since lazy_refcounts=off
+ ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features
+diff --git a/tests/qemu-iotests/039.out b/tests/qemu-iotests/039.out
+index af62da1..f3fe58b 100644
+--- a/tests/qemu-iotests/039.out
++++ b/tests/qemu-iotests/039.out
+@@ -11,7 +11,7 @@ No errors were found on the image.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+-./039: Aborted ( ulimit -c 0; exec "$@" )
++./039: Killed ( exec "$@" )
+ incompatible_features 0x1
+ ERROR cluster 5 refcount=0 reference=1
+ ERROR OFLAG_COPIED data cluster: l2_entry=8000000000050000 refcount=0
+@@ -46,7 +46,7 @@ read 512/512 bytes at offset 0
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+-./039: Aborted ( ulimit -c 0; exec "$@" )
++./039: Killed ( exec "$@" )
+ incompatible_features 0x1
+ ERROR cluster 5 refcount=0 reference=1
+ Rebuilding refcount structure
+@@ -60,7 +60,7 @@ incompatible_features 0x0
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728
+ wrote 512/512 bytes at offset 0
+ 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
+-./039: Aborted ( ulimit -c 0; exec "$@" )
++./039: Killed ( exec "$@" )
+ incompatible_features 0x0
+ No errors were found on the image.
+ *** done
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch b/SOURCES/kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch
new file mode 100644
index 0000000..0f4df3e
--- /dev/null
+++ b/SOURCES/kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch
@@ -0,0 +1,169 @@
+From 2ee2492513f9685cb716dc1cb4cf5b580da43e07 Mon Sep 17 00:00:00 2001
+From: Bandan Das
+Date: Wed, 25 Jan 2017 03:36:07 +0100
+Subject: [PATCH 01/11] memory: Allow access only upto the maximum alignment
+ for memory_region_* functions
+
+RH-Author: Bandan Das
+Message-id:
+Patchwork-id: 73367
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] memory: Allow access only upto the maximum alignment for memory_region_* functions
+Bugzilla: 1342768
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Laurent Vivier
+RH-Acked-by: Miroslav Rezanina
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1342768
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12437870
+Upstream: N/A, upstream doesn't exhibit this behavior
+
+Currently, there is no check in memory_region_iorange_* functions for whether
+the size requested is greater than the maximum alignment. This causes
+an abort with a specific version of the Linux kernel (4.7.0-RC1):
+/usr/libexec/qemu-kvm -kernel ~/vmlinuz-4.7.0-rc1 --enable-kvm -m 1G -vnc :2 -monitor stdio
+
+0 0x00007fb057cb65f7 in raise () from /lib64/libc.so.6
+1 0x00007fb057cb7ce8 in abort () from /lib64/libc.so.6
+2 0x00007fb05eca5537 in acpi_gpe_ioport_readb ()
+3 0x00007fb05eca5ff0 in gpe_readb ()
+4 0x00007fb05ede6f4c in memory_region_read_accessor ()
+5 0x00007fb05ede6993 in access_with_adjusted_size ()
+6 0x00007fb05ede7ce8 in memory_region_iorange_read ()
+7 0x00007fb05ede2ac7 in ioport_readl_thunk ()
+8 0x00007fb05ede3141 in cpu_inl ()
+9 0x00007fb05ede5c49 in kvm_cpu_exec ()
+10 0x00007fb05ed98485 in qemu_kvm_cpu_thread_fn ()
+11 0x00007fb05bcc9dc5 in start_thread () from /lib64/libpthread.so.0
+12 0x00007fb057d77ced in clone () from /lib64/libc.so.6
+
+This happens because guest code tries to read(l=4) from 0xafe2
+with GPE base being 0xafe0 which causes the abort in
+acpi_gpe_ioport_get_ptr() to trigger. This change adds a
+memory_access_size() which is similar to the one in upstream that
+forces size to be equal to the maximum alignment if it's greater.
+It also keeps the other checks present in upstream for safety and
+is called from the memory_region_read/write functions before
+calling the call specific access functions.
+
+Signed-off-by: Bandan Das
+Signed-off-by: Miroslav Rezanina
+---
+ memory.c | 44 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/memory.c b/memory.c
+index 7bd6e87..573ecdd 100644
+--- a/memory.c
++++ b/memory.c
+@@ -381,6 +381,33 @@ static const MemoryRegionPortio *find_portio(MemoryRegion *mr, uint64_t offset,
+ return NULL;
+ }
+
++static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr)
++{
++ unsigned access_size_max = mr->ops->valid.max_access_size;
++
++ /* Regions are assumed to support 1-4 byte accesses unless
++ otherwise specified. */
++ if (access_size_max == 0) {
++ access_size_max = 4;
++ }
++
++ /* Bound the maximum access by the alignment of the address. */
++ if (!mr->ops->impl.unaligned) {
++ unsigned align_size_max = addr & -addr;
++ if (align_size_max != 0 && align_size_max < access_size_max) {
++ access_size_max = align_size_max;
++ }
++ }
++
++ /* Don't attempt accesses larger than the maximum. */
++ if (l > access_size_max) {
++ l = access_size_max;
++ }
++ l = pow2floor(l);
++
++ return l;
++}
++
+ static void memory_region_iorange_read(IORange *iorange,
+ uint64_t offset,
+ unsigned width,
+@@ -389,6 +416,7 @@ static void memory_region_iorange_read(IORange *iorange,
+ MemoryRegionIORange *mrio
+ = container_of(iorange, MemoryRegionIORange, iorange);
+ MemoryRegion *mr = mrio->mr;
++ unsigned l;
+
+ offset += mrio->offset;
+ if (mr->ops->old_portio) {
+@@ -407,7 +435,8 @@ static void memory_region_iorange_read(IORange *iorange,
+ return;
+ }
+ *data = 0;
+- access_with_adjusted_size(offset, data, width,
++ l = memory_access_size(mr, width, offset);
++ access_with_adjusted_size(offset, data, l,
+ mr->ops->impl.min_access_size,
+ mr->ops->impl.max_access_size,
+ memory_region_read_accessor, mr);
+@@ -421,6 +450,7 @@ static void memory_region_iorange_write(IORange *iorange,
+ MemoryRegionIORange *mrio
+ = container_of(iorange, MemoryRegionIORange, iorange);
+ MemoryRegion *mr = mrio->mr;
++ unsigned l;
+
+ offset += mrio->offset;
+ if (mr->ops->old_portio) {
+@@ -437,7 +467,8 @@ static void memory_region_iorange_write(IORange *iorange,
+ }
+ return;
+ }
+- access_with_adjusted_size(offset, &data, width,
++ l = memory_access_size(mr, width, offset);
++ access_with_adjusted_size(offset, &data, l,
+ mr->ops->impl.min_access_size,
+ mr->ops->impl.max_access_size,
+ memory_region_write_accessor, mr);
+@@ -850,6 +881,7 @@ static uint64_t memory_region_dispatch_read1(MemoryRegion *mr,
+ unsigned size)
+ {
+ uint64_t data = 0;
++ unsigned l;
+
+ if (!memory_region_access_valid(mr, addr, size, false)) {
+ return -1U; /* FIXME: better signalling */
+@@ -859,8 +891,9 @@ static uint64_t memory_region_dispatch_read1(MemoryRegion *mr,
+ return mr->ops->old_mmio.read[ctz32(size)](mr->opaque, addr);
+ }
+
++ l = memory_access_size(mr, size, addr);
+ /* FIXME: support unaligned access */
+- access_with_adjusted_size(addr, &data, size,
++ access_with_adjusted_size(addr, &data, l,
+ mr->ops->impl.min_access_size,
+ mr->ops->impl.max_access_size,
+ memory_region_read_accessor, mr);
+@@ -902,6 +935,8 @@ static void memory_region_dispatch_write(MemoryRegion *mr,
+ uint64_t data,
+ unsigned size)
+ {
++ unsigned l;
++
+ if (!memory_region_access_valid(mr, addr, size, true)) {
+ return; /* FIXME: better signalling */
+ }
+@@ -913,8 +948,9 @@ static void memory_region_dispatch_write(MemoryRegion *mr,
+ return;
+ }
+
++ l = memory_access_size(mr, size, addr);
+ /* FIXME: support unaligned access */
+- access_with_adjusted_size(addr, &data, size,
++ access_with_adjusted_size(addr, &data, l,
+ mr->ops->impl.min_access_size,
+ mr->ops->impl.max_access_size,
+ memory_region_write_accessor, mr);
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch b/SOURCES/kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch
index 928ceab..72a0e45 100644
--- a/SOURCES/kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch
+++ b/SOURCES/kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch
@@ -1,15 +1,15 @@
-From 8ead1a8129b42b14a6ccddbf4c24535b3cb80209 Mon Sep 17 00:00:00 2001
+From 5bd3c61792fe793b1d42e675b53e47396f4219a3 Mon Sep 17 00:00:00 2001
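Review bot: `memory_access_size()` shortens the request instead of splitting it, and none of the four call sites (`memory_region_iorange_read`, `memory_region_iorange_write`, `memory_region_dispatch_read1`, `memory_region_dispatch_write`) loops over the remainder in the lines shown, so a guest access wider than the alignment allows is silently truncated: the 4-byte read at offset 2 from the commit message now transfers 2 bytes and leaves the rest of `*data` zero, and a write drops its upper bytes. That is a safer outcome than the abort, but it should be stated where it happens, e.g. `/* Access is clamped, not split: bytes beyond l are not transferred. */` above each `l = memory_access_size(...)`. The helper also returns `int` while it computes in, and is assigned to, `unsigned`; declaring it `static unsigned memory_access_size(...)` avoids the sign conversion. The callers' bodies begin and end outside these hunks, so whether any of them re-issues the remainder elsewhere cannot be seen here.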
From: Eric Blake -Date: Fri, 9 Jun 2017 22:07:15 +0200 -Subject: [PATCH 2/2] nbd: Fix regression on resiliency to port scan +Date: Fri, 9 Jun 2017 22:04:13 +0200 +Subject: [PATCH 6/6] nbd: Fix regression on resiliency to port scan RH-Author: Eric Blake -Message-id: <20170609220715.29645-3-eblake@redhat.com> -Patchwork-id: 75578 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 2/2] nbd: Fix regression on resiliency to port scan -Bugzilla: 1460179 +Message-id: <20170609220413.28793-3-eblake@redhat.com> +Patchwork-id: 75575 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/2] nbd: Fix regression on resiliency to port scan +Bugzilla: 1451614 +RH-Acked-by: Laszlo Ersek RH-Acked-by: Paolo Bonzini -RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Thomas Huth Back in qemu 2.5, qemu-nbd was immune to port probes (a transient @@ -52,7 +52,7 @@ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614 Signed-off-by: Eric Blake Message-Id: <20170608222617.20376-1-eblake@redhat.com> (cherry picked from commit ???) -https://bugzilla.redhat.com/show_bug.cgi?id=1460179 +https://bugzilla.redhat.com/show_bug.cgi?id=1451614 Signed-off-by: Miroslav Rezanina Conflicts: diff --git a/SOURCES/kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch b/SOURCES/kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch index 765e2e7..17a739e 100644 --- a/SOURCES/kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch +++ b/SOURCES/kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch @@ -1,16 +1,16 @@ -From e34b480cd9a1fb23e361a514c98439672140bd37 Mon Sep 17 00:00:00 2001 +From 0e97bcfd7ab3c7b3d489de3cf4c7c4977b73cd23 Mon Sep 17 00:00:00 2001 
From: Eric Blake -Date: Fri, 9 Jun 2017 22:07:14 +0200 -Subject: [PATCH 1/2] nbd: Fully initialize client in case of failed +Date: Fri, 9 Jun 2017 22:04:12 +0200 +Subject: [PATCH 5/6] nbd: Fully initialize client in case of failed negotiation RH-Author: Eric Blake -Message-id: <20170609220715.29645-2-eblake@redhat.com> -Patchwork-id: 75580 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 1/2] nbd: Fully initialize client in case of failed negotiation -Bugzilla: 1460179 +Message-id: <20170609220413.28793-2-eblake@redhat.com> +Patchwork-id: 75576 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/2] nbd: Fully initialize client in case of failed negotiation +Bugzilla: 1451614 +RH-Acked-by: Laszlo Ersek RH-Acked-by: Paolo Bonzini -RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Thomas Huth If a non-NBD client connects to qemu-nbd, we would end up with @@ -44,7 +44,7 @@ Signed-off-by: Eric Blake Message-Id: <20170527030421.28366-1-eblake@redhat.com> Signed-off-by: Paolo Bonzini (cherry picked from commit ???) -https://bugzilla.redhat.com/show_bug.cgi?id=1460179 +https://bugzilla.redhat.com/show_bug.cgi?id=1451614 Signed-off-by: Miroslav Rezanina Conflicts: diff --git a/SOURCES/kvm-net-check-packet-payload-length.patch b/SOURCES/kvm-net-check-packet-payload-length.patch index 5ef1070..34b0106 100644 --- a/SOURCES/kvm-net-check-packet-payload-length.patch +++ b/SOURCES/kvm-net-check-packet-payload-length.patch @@ -1,13 +1,13 @@ -From 6d126da8f958c57413a4505d98cb4a3ff48cbbfe Mon Sep 17 00:00:00 2001 +From fa1aaeeab2f10d7f107dd45a2c06e40e71bde1c3 Mon Sep 17 00:00:00 2001 
From: "wexu@redhat.com" Date: Wed, 21 Dec 2016 06:04:24 +0100 -Subject: [PATCH] net: check packet payload length +Subject: [PATCH 3/4] net: check packet payload length RH-Author: wexu@redhat.com Message-id: <1482300264-29708-2-git-send-email-wexu@redhat.com> Patchwork-id: 73088 O-Subject: [RHEL-7.4/7.3.z qemu-kvm Patch v2] net: check packet payload length -Bugzilla: 1398217 +Bugzilla: 1398218 RH-Acked-by: Laurent Vivier RH-Acked-by: Michael S. Tsirkin RH-Acked-by: Stefan Hajnoczi diff --git a/SOURCES/kvm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch b/SOURCES/kvm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch new file mode 100644 index 0000000..7108c00 --- /dev/null +++ b/SOURCES/kvm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch 
@@ -0,0 +1,86 @@
+From 32dcdb3b1623e351d66bfe7cccbdcef3087f9b7b Mon Sep 17 00:00:00 2001
+From: Max Reitz
+Date: Mon, 13 Mar 2017 17:45:09 +0100
+Subject: [PATCH 11/24] qcow2: Don't rely on free_cluster_index in
+ alloc_refcount_block() (CVE-2014-0147)
+
+RH-Author: Max Reitz
+Message-id: <20170313174516.28044-3-mreitz@redhat.com>
+Patchwork-id: 74274
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/9] qcow2: Don't rely on free_cluster_index in alloc_refcount_block() (CVE-2014-0147)
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Kevin Wolf
+
+From: Kevin Wolf
+
+free_cluster_index is only correct if update_refcount() was called from
+an allocation function, and even there it's brittle because it's used to
+protect unfinished allocations which still have a refcount of 0 - if it
+moves in the wrong place, the unfinished allocation can be corrupted.
+
+So not using it any more seems to be a good idea. Instead, use the
+first requested cluster to do the calculations. Return -EAGAIN if
+unfinished allocations could become invalid and let the caller restart
+its search for some free clusters.
+
+The context of creating a snapsnot is one situation where
+update_refcount() is called outside of a cluster allocation. For this
+case, the change fixes a buffer overflow if a cluster is referenced in
+an L2 table that cannot be represented by an existing refcount block.
+(new_table[refcount_table_index] was out of bounds)
+
+[Bump the qemu-iotests 026 refblock_alloc.write leak count from 10 to
+11.
+--Stefan]
+
+Signed-off-by: Kevin Wolf
+Reviewed-by: Max Reitz
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit b106ad9185f35fc4ad669555ad0e79e276083bd7)
+
+This patch was committed downstream before upstream (commit ID
+a2b10eec76a72aa7fe63e797181b93f69de9600e), therefore the change to 026's
+reference output is missing, which is amended by this backport.
+
+Signed-off-by: Max Reitz
+Signed-off-by: Miroslav Rezanina
+---
+ tests/qemu-iotests/026.out | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out
+index 0764389..5cedefc 100644
+--- a/tests/qemu-iotests/026.out
++++ b/tests/qemu-iotests/026.out
+@@ -491,7 +491,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+ Event: refblock_alloc.write_blocks; errno: 28; imm: off; once: off; write
+ write failed: No space left on device
+
+-10 leaked clusters were found on the image.
++11 leaked clusters were found on the image.
+ This means waste of disk space, but no harm to data.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+
+@@ -515,7 +515,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+ Event: refblock_alloc.write_table; errno: 28; imm: off; once: off; write
+ write failed: No space left on device
+
+-10 leaked clusters were found on the image.
++11 leaked clusters were found on the image.
+ This means waste of disk space, but no harm to data.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+
+@@ -539,7 +539,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+ Event: refblock_alloc.switch_table; errno: 28; imm: off; once: off; write
+ write failed: No space left on device
+
+-10 leaked clusters were found on the image.
++11 leaked clusters were found on the image.
+ This means waste of disk space, but no harm to data.
+ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1073741824
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch b/SOURCES/kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch
index 6463982..5c7e901 100644
--- a/SOURCES/kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch
+++ b/SOURCES/kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch
@@ -1,16 +1,16 @@ -From 1e2929d890fb4cc88162b9771ed93b1c61f89b33 Mon Sep 17 00:00:00 2001 +From 6a40d58e03beaef265f6c1293301f5f8860ecbea Mon Sep 17 00:00:00 2001 From: Fam Zheng -Date: Fri, 19 May 2017 00:35:14 +0200 +Date: Thu, 18 May 2017 09:21:22 +0200 Subject: [PATCH 09/18] qemu-char: ignore flow control if a PTY's slave is not connected RH-Author: Fam Zheng -Message-id: <20170519003523.21163-10-famz@redhat.com> -Patchwork-id: 75364 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 09/18] qemu-char: ignore flow control if a PTY's slave is not connected -Bugzilla: 1452332 +Message-id: <20170518092131.16571-10-famz@redhat.com> +Patchwork-id: 75301 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 09/18] qemu-char: ignore flow control if a PTY's slave is not connected +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Paolo Bonzini diff --git a/SOURCES/kvm-qemu-io-Add-sigraise-command.patch b/SOURCES/kvm-qemu-io-Add-sigraise-command.patch new file mode 100644 index 0000000..b85ab5f --- /dev/null +++ b/SOURCES/kvm-qemu-io-Add-sigraise-command.patch 
@@ -0,0 +1,98 @@
+From 9bf536ecc296516cb5d82d5e9630663aaac56629 Mon Sep 17 00:00:00 2001
+From: Max Reitz
+Date: Mon, 13 Mar 2017 17:46:24 +0100
+Subject: [PATCH 13/24] qemu-io: Add sigraise command
+
+RH-Author: Max Reitz
+Message-id: <20170313174629.28735-2-mreitz@redhat.com>
+Patchwork-id: 74275
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/9] qemu-io: Add sigraise command
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Kevin Wolf
+
+abort() has the sometimes undesirable side-effect of generating a core
+dump. If that is not needed, SIGKILL has the same effect of abruptly
+crash qemu; without a core dump.
+
+Thus, -c abort is not always useful to simulate a qemu-io crash;
+therefore, this patch adds a new sigraise command which allows raising
+a signal.
+
+Signed-off-by: Max Reitz
+Reviewed-by: Fam Zheng
+Message-id: 1418032092-16813-2-git-send-email-mreitz@redhat.com
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit 0e82dc7bbd96f9b0fb76e5fe263ba04b15e68127)
+Signed-off-by: Max Reitz
+Signed-off-by: Miroslav Rezanina
+---
+ qemu-io-cmds.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/qemu-io-cmds.c b/qemu-io-cmds.c
+index b41d6ee..010f05f 100644
+--- a/qemu-io-cmds.c
++++ b/qemu-io-cmds.c
+@@ -2050,6 +2050,51 @@ static const cmdinfo_t abort_cmd = {
+ .oneline = "simulate a program crash using abort(3)",
+ };
+
++static void sigraise_help(void)
++{
++ printf(
++"\n"
++" raises the given signal\n"
++"\n"
++" Example:\n"
++" 'sigraise %i' - raises SIGTERM\n"
++"\n"
++" Invokes raise(signal), where \"signal\" is the mandatory integer argument\n"
++" given to sigraise.\n"
++"\n", SIGTERM);
++}
++
++static int sigraise_f(BlockDriverState *bs, int argc, char **argv);
++
++static const cmdinfo_t sigraise_cmd = {
++ .name = "sigraise",
++ .cfunc = sigraise_f,
++ .argmin = 1,
++ .argmax = 1,
++ .flags = CMD_NOFILE_OK,
++ .args = "signal",
++ .oneline = "raises a signal",
++ .help = sigraise_help,
++};
++
++static int sigraise_f(BlockDriverState *bs, int argc, char **argv)
++{
++ int sig = cvtnum(argv[1]);
++ if (sig < 0) {
++ printf("non-numeric signal number argument -- %s\n", argv[1]);
++ return 0;
++ }
++
++ /* Using raise() to kill this process does not necessarily flush all open
++ * streams. At least stdout and stderr (although the latter should be
++ * non-buffered anyway) should be flushed, though. */
++ fflush(stdout);
++ fflush(stderr);
++
++ raise(sig);
++ return 0;
++}
++
+ static void sleep_cb(void *opaque)
+ {
+ bool *expired = opaque;
+@@ -2203,4 +2248,5 @@ static void __attribute((constructor)) init_qemuio_commands(void)
+ qemuio_add_command(&wait_break_cmd);
+ qemuio_add_command(&abort_cmd);
+ qemuio_add_command(&sleep_cmd);
++ qemuio_add_command(&sigraise_cmd);
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-qemu-iotests-Disable-030-040-041.patch b/SOURCES/kvm-qemu-iotests-Disable-030-040-041.patch
new file mode 100644
index 0000000..5f26239
--- /dev/null
+++ b/SOURCES/kvm-qemu-iotests-Disable-030-040-041.patch
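Review bot: In `sigraise_f`, `int sig = cvtnum(argv[1]);` narrows the parsed number before the only check, so an out-of-range argument can wrap into a different, valid signal number and any non-negative value reaches `raise()` unvalidated; `cvtnum` is defined outside this hunk, but it presumably returns a type wider than `int`. Keep the wide type and bound it before the call, for example `int64_t sig = cvtnum(argv[1]);` with `if (sig < 0 || sig >= NSIG) { ... return 0; }`. The return value of `raise()` is ignored as well, so an invalid signal number ends in a silent `return 0`; printing a message when `raise(sig) != 0` would make a mistyped test argument visible.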
@@ -0,0 +1,53 @@
+From 17c2dbd411ce0b2221b5559c3c0eff01920dea40 Mon Sep 17 00:00:00 2001
+From: Max Reitz
+Date: Mon, 13 Mar 2017 17:47:19 +0100
+Subject: [PATCH 18/24] qemu-iotests: Disable 030, 040, 041
+
+RH-Author: Max Reitz
+Message-id: <20170313174719.29543-1-mreitz@redhat.com>
+Patchwork-id: 74280
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 9/9] qemu-iotests: Disable 030, 040, 041
+Bugzilla: 1427176
+RH-Acked-by: Fam Zheng
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Kevin Wolf
+
+Upstream: N/A
+
+All of these tests require (and test) live block operations, 030 and 041
+also need blkdebug support. Both of these features are disabled
+downstream, so the tests need to be disabled, too.
+
+Signed-off-by: Max Reitz
+Signed-off-by: Miroslav Rezanina
+---
+ tests/qemu-iotests/group | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
+index 58b3d05..c1fc89d 100644
+--- a/tests/qemu-iotests/group
++++ b/tests/qemu-iotests/group
+@@ -36,7 +36,7 @@
+ 027 rw auto quick
+ 028 rw backing auto
+ 029 rw auto quick
+-030 rw auto backing
++# 030 rw auto backing -- requires blkdebug and block jobs
+ 031 rw auto quick
+ 032 rw auto
+ 033 rw auto quick
+@@ -46,8 +46,8 @@
+ 037 rw auto backing
+ 038 rw auto backing
+ 039 rw auto
+-040 rw auto
+-041 rw auto backing
++# 040 rw auto -- requires block jobs
++# 041 rw auto backing -- requires blkdebug and block jobs
+ 042 rw auto quick
+ 043 rw auto backing
+ 044 rw auto
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch b/SOURCES/kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch
new file mode 100644
index 0000000..55fb981
--- /dev/null
+++ b/SOURCES/kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch
@@ -0,0 +1,93 @@ +From 858514a037db08493b7cdd6adaf87466ee2f7831 Mon Sep 17 00:00:00 2001 +From: Max Reitz +Date: Mon, 13 Mar 2017 17:45:08 +0100 +Subject: [PATCH 10/24] qemu-iotests: Filter out actual image size in 067 + +RH-Author: Max Reitz +Message-id: <20170313174516.28044-2-mreitz@redhat.com> +Patchwork-id: 74273 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/9] qemu-iotests: Filter out actual image size in 067 +Bugzilla: 1427176 +RH-Acked-by: Fam Zheng +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Kevin Wolf + +The actual size of the image file may differ depending on the Linux +kernel currently running on the host. Filtering out this value makes +this test pass in such cases. + +Signed-off-by: Max Reitz +Reviewed-by: Benoit Canet +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 64815e2a966f0a3f18818b9d542f1ef02dc992a2) +Signed-off-by: Max Reitz +Signed-off-by: Miroslav Rezanina +--- + tests/qemu-iotests/067 | 2 +- + tests/qemu-iotests/067.out | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tests/qemu-iotests/067 b/tests/qemu-iotests/067 +index 79dc38b..d025192 100644 +--- a/tests/qemu-iotests/067 ++++ b/tests/qemu-iotests/067 +@@ -45,7 +45,7 @@ function do_run_qemu() + + function run_qemu() + { +- do_run_qemu "$@" 2>&1 | _filter_testdir | _filter_qmp ++ do_run_qemu "$@" 2>&1 | _filter_testdir | _filter_qmp | sed -e 's/\("actual-size":\s*\)[0-9]\+/\1SIZE/g' + } + + size=128M +diff --git a/tests/qemu-iotests/067.out b/tests/qemu-iotests/067.out +index 4bb9ff9..8d271cc 100644 +--- a/tests/qemu-iotests/067.out ++++ b/tests/qemu-iotests/067.out +@@ -6,7 +6,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 + Testing: -drive file=TEST_DIR/t.qcow2,format=qcow2,if=none,id=disk -device virtio-blk-pci,drive=disk,id=virtio0 + QMP_VERSION + {"return": {}} +-{"return": [{"io-status": "ok", "device": "disk", "locked": false, "removable": false, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": 
"TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "type": "unknown"}, {"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}]} ++{"return": [{"io-status": "ok", "device": "disk", "locked": false, "removable": false, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "type": "unknown"}, {"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}]} + {"return": {}} + {"return": {}} + {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "DEVICE_DELETED", "data": {"path": "/machine/peripheral/virtio0/virtio-backend"}} +@@ -24,7 +24,7 @@ QMP_VERSION + Testing: -drive file=TEST_DIR/t.qcow2,format=qcow2,if=none,id=disk + QMP_VERSION + {"return": {}} +-{"return": [{"device": "disk", "locked": false, "removable": 
true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}, {"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}]} ++{"return": [{"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}, {"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}]} + {"return": {}} + {"return": {}} + {"return": {}} +@@ -44,7 +44,7 @@ Testing: + QMP_VERSION + {"return": {}} + {"return": "OK\r\n"} +-{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": 
"floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]} ++{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]} + {"return": {}} + {"return": {}} + {"return": {}} +@@ -64,14 +64,14 @@ Testing: + QMP_VERSION + {"return": {}} + {"return": {}} +-{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, 
{"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]} ++{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]} + {"return": {}} + {"return": {}} + {"return": {}} + {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "DEVICE_DELETED", "data": {"path": "/machine/peripheral/virtio0/virtio-backend"}} + {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "DEVICE_DELETED", "data": {"device": "virtio0", "path": "/machine/peripheral/virtio0"}} + {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": 
"RESET"} +-{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"io-status": "ok", "device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": 139264, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]} ++{"return": [{"io-status": "ok", "device": "ide1-cd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "floppy0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"device": "sd0", "locked": false, "removable": true, "tray_open": false, "type": "unknown"}, {"io-status": "ok", "device": "disk", "locked": false, "removable": true, "inserted": {"iops_rd": 0, "image": {"virtual-size": 134217728, "filename": "TEST_DIR/t.qcow2", "cluster-size": 65536, "format": "qcow2", "actual-size": SIZE, "format-specific": {"type": "qcow2", "data": {"compat": "1.1", "lazy-refcounts": false}}, "dirty-flag": false}, "iops_wr": 0, "ro": false, "backing_file_depth": 0, "drv": "qcow2", "iops": 0, "bps_wr": 0, "encrypted": false, "bps": 0, "bps_rd": 0, "file": "TEST_DIR/t.qcow2", "encryption_key_missing": false}, "tray_open": false, "type": "unknown"}]} + {"return": {}} + {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN"} + {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, 
"event": "DEVICE_TRAY_MOVED", "data": {"device": "ide1-cd0", "tray-open": true}} +-- +1.8.3.1 + diff --git a/SOURCES/kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch b/SOURCES/kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch new file mode 100644 index 0000000..d23e58c --- /dev/null +++ b/SOURCES/kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch 
@@ -0,0 +1,141 @@ +From 3d0fa39257aac5ee843c0f3e5e69703e299bb90c Mon Sep 17 00:00:00 2001 +From: Max Reitz +Date: Mon, 13 Mar 2017 17:46:23 +0100 +Subject: [PATCH 12/24] qemu-iotests: Fix core dump suppression in test 039 + +RH-Author: Max Reitz +Message-id: <20170313174629.28735-1-mreitz@redhat.com> +Patchwork-id: 74281 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/9] qemu-iotests: Fix core dump suppression in test 039 +Bugzilla: 1427176 +RH-Acked-by: Fam Zheng +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Kevin Wolf + +From: Markus Armbruster + +The shell script attempts to suppress core dumps like this: + + old_ulimit=$(ulimit -c) + ulimit -c 0 + $QEMU_IO arg... + ulimit -c "$old_ulimit" + +This breaks the test hard unless the limit was zero to begin with! +ulimit sets both hard and soft limit by default, and (re-)raising the +hard limit requires privileges. Broken since it was added in commit +dc68afe. + +Could be fixed by adding -S to set only the soft limit, but I'm not +sure how portable that is in practice. Simply do it in a subshell +instead, like this: + + (ulimit -c 0; exec $QEMU_IO arg...) 
+ +Signed-off-by: Markus Armbruster +Reviewed-by: Fam Zheng +Signed-off-by: Kevin Wolf +(cherry picked from commit d530e342320d4db3c9522bfadc60a7bc8142343a) +Signed-off-by: Max Reitz +Signed-off-by: Miroslav Rezanina +--- + tests/qemu-iotests/039 | 20 ++++++++------------ + tests/qemu-iotests/039.out | 3 +++ + tests/qemu-iotests/common.filter | 1 + + 3 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/tests/qemu-iotests/039 b/tests/qemu-iotests/039 +index 8bade92..1e50651 100755 +--- a/tests/qemu-iotests/039 ++++ b/tests/qemu-iotests/039 +@@ -46,6 +46,11 @@ _supported_proto generic + _supported_os Linux + _unsupported_qemu_io_options --nocache + ++_no_dump_exec() ++{ ++ (ulimit -c 0; exec "$@") ++} ++ + size=128M + + echo +@@ -66,10 +71,7 @@ echo "== Creating a dirty image file ==" + IMGOPTS="compat=1.1,lazy_refcounts=on" + _make_test_img $size + +-old_ulimit=$(ulimit -c) +-ulimit -c 0 # do not produce a core dump on abort(3) +-$QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" | _filter_qemu_io +-ulimit -c "$old_ulimit" ++_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io + + # The dirty bit must be set + ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features +@@ -102,10 +104,7 @@ echo "== Opening a dirty image read/write should repair it ==" + IMGOPTS="compat=1.1,lazy_refcounts=on" + _make_test_img $size + +-old_ulimit=$(ulimit -c) +-ulimit -c 0 # do not produce a core dump on abort(3) +-$QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" | _filter_qemu_io +-ulimit -c "$old_ulimit" ++_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io + + # The dirty bit must be set + ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features +@@ -121,10 +120,7 @@ echo "== Creating an image file with lazy_refcounts=off ==" + IMGOPTS="compat=1.1,lazy_refcounts=off" + _make_test_img $size + +-old_ulimit=$(ulimit -c) +-ulimit -c 0 # do not produce a core dump 
on abort(3) +-$QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" | _filter_qemu_io +-ulimit -c "$old_ulimit" ++_no_dump_exec $QEMU_IO -c "write -P 0x5a 0 512" -c "abort" "$TEST_IMG" 2>&1 | _filter_qemu_io + + # The dirty bit must not be set since lazy_refcounts=off + ./qcow2.py "$TEST_IMG" dump-header | grep incompatible_features +diff --git a/tests/qemu-iotests/039.out b/tests/qemu-iotests/039.out +index d25bf0b..af62da1 100644 +--- a/tests/qemu-iotests/039.out ++++ b/tests/qemu-iotests/039.out +@@ -11,6 +11,7 @@ No errors were found on the image. + Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 + wrote 512/512 bytes at offset 0 + 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) ++./039: Aborted ( ulimit -c 0; exec "$@" ) + incompatible_features 0x1 + ERROR cluster 5 refcount=0 reference=1 + ERROR OFLAG_COPIED data cluster: l2_entry=8000000000050000 refcount=0 +@@ -45,6 +46,7 @@ read 512/512 bytes at offset 0 + Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 + wrote 512/512 bytes at offset 0 + 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) ++./039: Aborted ( ulimit -c 0; exec "$@" ) + incompatible_features 0x1 + ERROR cluster 5 refcount=0 reference=1 + Rebuilding refcount structure +@@ -58,6 +60,7 @@ incompatible_features 0x0 + Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 + wrote 512/512 bytes at offset 0 + 512 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) ++./039: Aborted ( ulimit -c 0; exec "$@" ) + incompatible_features 0x0 + No errors were found on the image. + *** done +diff --git a/tests/qemu-iotests/common.filter b/tests/qemu-iotests/common.filter +index 9c82c77..dcd246d 100644 +--- a/tests/qemu-iotests/common.filter ++++ b/tests/qemu-iotests/common.filter +@@ -150,6 +150,7 @@ _filter_win32() + _filter_qemu_io() + { + _filter_win32 | sed -e "s/[0-9]* ops\; [0-9/:. 
sec]* ([0-9/.inf]* [EPTGMKiBbytes]*\/sec and [0-9/.inf]* ops\/sec)/X ops\; XX:XX:XX.X (XXX YYY\/sec and XXX ops\/sec)/" \ ++ -e "s/: line [0-9][0-9]*: *[0-9][0-9]*\( Aborted\)/:\1/" \ + -e "s/qemu-io> //g" + } + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch b/SOURCES/kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch new file mode 100644 index 0000000..9794833 --- /dev/null +++ b/SOURCES/kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch 
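Review bot: The three lines added to 039.out pin the shell's own job-status text, `./039: Aborted ( ulimit -c 0; exec "$@" )`, so the reference output now embeds the body of `_no_dump_exec`. Any later edit to that function, or presumably a shell that words the message differently, would fail the test. The sed expression added to `_filter_qemu_io` strips only the `line N: PID` part. Widening it to drop the rest of the message, e.g. `-e "s/: line [0-9][0-9]*: *[0-9][0-9]*\( Aborted\).*/:\1/"` with 039.out updated to match, would keep the reference output stable. `_no_dump_exec` would also benefit from a one-line comment such as `# run "$@" in a subshell so the core-size limit of 0 does not outlive the command`.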
@@ -0,0 +1,125 @@ +From de84e9659aa6b91bd1a7c4fb30fde859882b9201 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Thu, 5 Jan 2017 23:58:10 +0100 +Subject: [PATCH 4/4] qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on + config changes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Marc-André Lureau +Message-id: <20170105235810.27189-1-marcandre.lureau@redhat.com> +Patchwork-id: 73185 +O-Subject: [RHEL-7.4 qemu-kvm PATCH] qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config changes +Bugzilla: 1342489 +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: Christophe Fergeau +RH-Acked-by: Miroslav Rezanina + +From: Christophe Fergeau + +Currently if the client keeps sending the same monitor config to +QEMU/spice-server, QEMU will always raise +a QXL_INTERRUPT_CLIENT_MONITORS_CONFIG regardless of whether there was a +change or not. +Guest-side (with fedora 25), the kernel QXL KMS driver will also forward the +event to user-space without checking if there were actual changes. +Next in line are gnome-shell/mutter (on a default f25 install), which +will try to reconfigure everything without checking if there is anything +to do. +Where this gets ugly is that when applying the resolution changes, +gnome-shell/mutter will call drmModeRmFB, drmModeAddFB, and +drmModeSetCrtc, which will cause the primary surface to be destroyed and +recreated by the QXL KMS driver. This in turn will cause the client to +resend a client monitors config message, which will cause QEMU to reemit +an interrupt with an unchanged monitors configuration, ... +This causes https://bugzilla.redhat.com/show_bug.cgi?id=1266484 + +This commit makes sure that we only emit +QXL_INTERRUPT_CLIENT_MONITORS_CONFIG when there are actual configuration +changes the guest should act on. 
+ +Signed-off-by: Christophe Fergeau +Message-id: 20161028144840.18326-1-cfergeau@redhat.com +Signed-off-by: Gerd Hoffmann + +(cherry picked from commit 6c7565028c272c4c6f2a83c3a90b044eeaf2804a) + +Signed-off-by: Marc-André Lureau +Signed-off-by: Miroslav Rezanina +--- + hw/display/qxl.c | 37 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 36 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index f762439..c76c237 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -989,6 +989,34 @@ static uint32_t qxl_crc32(const uint8_t *p, unsigned len) + return crc32(0xffffffff, p, len) ^ 0xffffffff; + } + ++static bool qxl_rom_monitors_config_changed(QXLRom *rom, ++ VDAgentMonitorsConfig *monitors_config, ++ unsigned int max_outputs) ++{ ++ int i; ++ unsigned int monitors_count; ++ ++ monitors_count = MIN(monitors_config->num_of_monitors, max_outputs); ++ ++ if (rom->client_monitors_config.count != monitors_count) { ++ return true; ++ } ++ ++ for (i = 0 ; i < rom->client_monitors_config.count ; ++i) { ++ VDAgentMonConfig *monitor = &monitors_config->monitors[i]; ++ QXLURect *rect = &rom->client_monitors_config.heads[i]; ++ /* monitor->depth ignored */ ++ if ((rect->left != monitor->x) || ++ (rect->top != monitor->y) || ++ (rect->right != monitor->x + monitor->width) || ++ (rect->bottom != monitor->y + monitor->height)) { ++ return true; ++ } ++ } ++ ++ return false; ++} ++ + /* called from main context only */ + static int interface_client_monitors_config(QXLInstance *sin, + VDAgentMonitorsConfig *monitors_config) +@@ -997,6 +1025,7 @@ static int interface_client_monitors_config(QXLInstance *sin, + QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar); + int i; + unsigned max_outputs = ARRAY_SIZE(rom->client_monitors_config.heads); ++ bool config_changed = false; + + if (qxl->revision < 4) { + trace_qxl_client_monitors_config_unsupported_by_device(qxl->id, +@@ -1027,6 +1056,10 @@ static int 
interface_client_monitors_config(QXLInstance *sin, + } + #endif + ++ config_changed = qxl_rom_monitors_config_changed(rom, ++ monitors_config, ++ max_outputs); ++ + memset(&rom->client_monitors_config, 0, + sizeof(rom->client_monitors_config)); + rom->client_monitors_config.count = monitors_config->num_of_monitors; +@@ -1056,7 +1089,9 @@ static int interface_client_monitors_config(QXLInstance *sin, + trace_qxl_interrupt_client_monitors_config(qxl->id, + rom->client_monitors_config.count, + rom->client_monitors_config.heads); +- qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG); ++ if (config_changed) { ++ qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG); ++ } + return 1; + } + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-serial-change-retry-logic-to-avoid-concurrency.patch b/SOURCES/kvm-serial-change-retry-logic-to-avoid-concurrency.patch index df1f0e6..5b76103 100644 --- a/SOURCES/kvm-serial-change-retry-logic-to-avoid-concurrency.patch +++ b/SOURCES/kvm-serial-change-retry-logic-to-avoid-concurrency.patch @@ -1,15 +1,15 @@ -From 3ddb1809fc188f9aca337b19a81b40da5b992057 Mon Sep 17 00:00:00 2001 +From 19651bdbf15a4ce03d6fc6e3a6be514a3f46a118 Mon Sep 17 00:00:00 2001 From: Fam Zheng -Date: Fri, 19 May 2017 00:35:13 +0200 +Date: Thu, 18 May 2017 09:21:21 +0200 Subject: [PATCH 08/18] serial: change retry logic to avoid concurrency RH-Author: Fam Zheng -Message-id: <20170519003523.21163-9-famz@redhat.com> -Patchwork-id: 75362 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 08/18] serial: change retry logic to avoid concurrency -Bugzilla: 1452332 +Message-id: <20170518092131.16571-9-famz@redhat.com> +Patchwork-id: 75300 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 08/18] serial: change retry logic to avoid concurrency +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Kirill Batuzov 
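Review bot: In `qxl_rom_monitors_config_changed` the loop bound is re-read from `rom->client_monitors_config.count` and compared against a signed `int i`, although the function has just clamped the count into the local `monitors_count`. Using the local keeps both indexes, `monitors_config->monitors[i]` and `rom->client_monitors_config.heads[i]`, bounded by `max_outputs` whatever the ROM field holds at that moment. It also removes the signed/unsigned comparison: `unsigned int i;` and `for (i = 0; i < monitors_count; ++i) {`. `interface_client_monitors_config` starts and ends outside the hunks shown, so how `count` is clamped after the `memset` cannot be confirmed from here.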
diff --git a/SOURCES/kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch b/SOURCES/kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch index 733d5ba..9b8e621 100644 --- a/SOURCES/kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch +++ b/SOURCES/kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch @@ -1,16 +1,16 @@ -From 1882bb1a0967e7d513b0d5bd060fa214bc44efcb Mon Sep 17 00:00:00 2001 +From 3ad8bb6f424f7ff1d4bbf73237fb1590f0ce1810 Mon Sep 17 00:00:00 2001 From: Fam Zheng -Date: Fri, 19 May 2017 00:35:15 +0200 +Date: Thu, 18 May 2017 09:21:23 +0200 Subject: [PATCH 10/18] serial: check if backed by a physical serial port at realize time RH-Author: Fam Zheng -Message-id: <20170519003523.21163-11-famz@redhat.com> -Patchwork-id: 75366 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 10/18] serial: check if backed by a physical serial port at realize time -Bugzilla: 1452332 +Message-id: <20170518092131.16571-11-famz@redhat.com> +Patchwork-id: 75299 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 10/18] serial: check if backed by a physical serial port at realize time +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Paolo Bonzini diff --git a/SOURCES/kvm-serial-clean-up-THRE-TEMT-handling.patch b/SOURCES/kvm-serial-clean-up-THRE-TEMT-handling.patch index 18e9b50..dfc6fa0 100644 --- a/SOURCES/kvm-serial-clean-up-THRE-TEMT-handling.patch +++ b/SOURCES/kvm-serial-clean-up-THRE-TEMT-handling.patch @@ -1,15 +1,15 @@ -From 9afba2b1b9f8c2af3165fb0d9b68888996fe2330 Mon Sep 17 00:00:00 2001 +From 1b37b298fc1f0d69e24229191e4bbe741e4d96ab Mon Sep 17 00:00:00 2001 
From: Fam Zheng -Date: Fri, 19 May 2017 00:35:17 +0200 +Date: Thu, 18 May 2017 09:21:25 +0200 Subject: [PATCH 12/18] serial: clean up THRE/TEMT handling RH-Author: Fam Zheng -Message-id: <20170519003523.21163-13-famz@redhat.com> -Patchwork-id: 75367 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 12/18] serial: clean up THRE/TEMT handling -Bugzilla: 1452332 +Message-id: <20170518092131.16571-13-famz@redhat.com> +Patchwork-id: 75303 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 12/18] serial: clean up THRE/TEMT handling +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Paolo Bonzini diff --git a/SOURCES/kvm-serial-fixing-vmstate-for-save-restore.patch b/SOURCES/kvm-serial-fixing-vmstate-for-save-restore.patch new file mode 100644 index 0000000..e23ec75 --- /dev/null +++ b/SOURCES/kvm-serial-fixing-vmstate-for-save-restore.patch 
@@ -0,0 +1,355 @@ +From 7d2e8f9662feb64c0b15b6fd53e06e3c56921f27 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 9 Jun 2017 11:43:58 +0200 +Subject: [PATCH 3/6] serial: fixing vmstate for save/restore + +RH-Author: Paolo Bonzini +Message-id: <20170609114359.13036-3-pbonzini@redhat.com> +Patchwork-id: 75567 +O-Subject: [RHEL7.4 qemu-kvm PATCH v2 2/3] serial: fixing vmstate for save/restore +Bugzilla: 1452067 +RH-Acked-by: David Hildenbrand +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: Laszlo Ersek + +From: Pavel Dovgalyuk + +Some fields were added to VMState by this patch to preserve correct +loading of the serial port controller state. +Updating FCR value while loading was also modified to disable generating +an interrupt by loadvm. + +Signed-off-by: Pavel Dovgalyuk +Signed-off-by: Paolo Bonzini +(cherry picked from commit 7385b275d9ae8bdf3c012bc4e2ae9779fcea6312) + +[RHEL: omit some subsections. thr_ipending can be reconstructed fairly + reliably by serial_post_load. The others are features that are + unlikely to be used in RHEL, respectively receive timeout (Linux + does not even have the UART_IIR_CTI symbol in the driver) and + physical serial ports connected to a modem] + +Signed-off-by: Miroslav Rezanina +--- + hw/char/serial.c | 245 ++++++++++++++++++++++++++++++++++++++++++++++++------- + 1 file changed, 215 insertions(+), 30 deletions(-) + +diff --git a/hw/char/serial.c b/hw/char/serial.c +index 39de1ca..0518a6f 100644 +--- a/hw/char/serial.c ++++ b/hw/char/serial.c +@@ -275,6 +275,36 @@ static void serial_xmit(SerialState *s) + s->lsr |= UART_LSR_TEMT; + } + ++/* Setter for FCR. 
++ is_load flag means, that value is set while loading VM state ++ and interrupt should not be invoked */ ++static void serial_write_fcr(SerialState *s, uint8_t val) ++{ ++ /* Set fcr - val only has the bits that are supposed to "stick" */ ++ s->fcr = val; ++ ++ if (val & UART_FCR_FE) { ++ s->iir |= UART_IIR_FE; ++ /* Set recv_fifo trigger Level */ ++ switch (val & 0xC0) { ++ case UART_FCR_ITL_1: ++ s->recv_fifo_itl = 1; ++ break; ++ case UART_FCR_ITL_2: ++ s->recv_fifo_itl = 4; ++ break; ++ case UART_FCR_ITL_3: ++ s->recv_fifo_itl = 8; ++ break; ++ case UART_FCR_ITL_4: ++ s->recv_fifo_itl = 14; ++ break; ++ } ++ } else { ++ s->iir &= ~UART_IIR_FE; ++ } ++} ++ + static void serial_ioport_write(void *opaque, hwaddr addr, uint64_t val, + unsigned size) + { +@@ -351,21 +381,17 @@ static void serial_ioport_write(void *opaque, hwaddr addr, uint64_t val, + } + break; + case 2: +- val = val & 0xFF; +- +- if (s->fcr == val) +- break; +- + /* Did the enable/disable flag change? If so, make sure FIFOs get flushed */ +- if ((val ^ s->fcr) & UART_FCR_FE) ++ if ((val ^ s->fcr) & UART_FCR_FE) { + val |= UART_FCR_XFR | UART_FCR_RFR; ++ } + + /* FIFO clear */ + + if (val & UART_FCR_RFR) { + s->lsr &= ~(UART_LSR_DR | UART_LSR_BI); + qemu_del_timer(s->fifo_timeout_timer); +- s->timeout_ipending=0; ++ s->timeout_ipending = 0; + fifo8_reset(&s->recv_fifo); + } + +@@ -375,28 +401,7 @@ static void serial_ioport_write(void *opaque, hwaddr addr, uint64_t val, + fifo8_reset(&s->xmit_fifo); + } + +- if (val & UART_FCR_FE) { +- s->iir |= UART_IIR_FE; +- /* Set recv_fifo trigger Level */ +- switch (val & 0xC0) { +- case UART_FCR_ITL_1: +- s->recv_fifo_itl = 1; +- break; +- case UART_FCR_ITL_2: +- s->recv_fifo_itl = 4; +- break; +- case UART_FCR_ITL_3: +- s->recv_fifo_itl = 8; +- break; +- case UART_FCR_ITL_4: +- s->recv_fifo_itl = 14; +- break; +- } +- } else +- s->iir &= ~UART_IIR_FE; +- +- /* Set fcr - or at least the bits in it that are supposed to "stick" */ +- s->fcr = val & 0xC9; ++ 
serial_write_fcr(s, val & 0xC9); + serial_update_irq(s); + break; + case 3: +@@ -617,6 +622,14 @@ static void serial_pre_save(void *opaque) + s->fcr_vmstate = s->fcr; + } + ++static int serial_pre_load(void *opaque) ++{ ++ SerialState *s = opaque; ++ s->thr_ipending = -1; ++ s->poll_msl = -1; ++ return 0; ++} ++ + static int serial_post_load(void *opaque, int version_id) + { + SerialState *s = opaque; +@@ -628,17 +641,159 @@ static int serial_post_load(void *opaque, int version_id) + s->tsr_retry = MAX_XMIT_RETRY; + } + ++ if (s->thr_ipending == -1) { ++ s->thr_ipending = ((s->iir & UART_IIR_ID) == UART_IIR_THRI); ++ } ++ s->last_break_enable = (s->lcr >> 6) & 1; + /* Initialize fcr via setter to perform essential side-effects */ +- serial_ioport_write(s, 0x02, s->fcr_vmstate, 1); ++ serial_write_fcr(s, s->fcr_vmstate); + serial_update_parameters(s); + return 0; + } + ++static bool serial_thr_ipending_needed(void *opaque) ++{ ++#if 0 ++ SerialState *s = opaque; ++ bool expected_value = ((s->iir & UART_IIR_ID) == UART_IIR_THRI); ++ return s->thr_ipending != expected_value; ++#else ++ /* for migration compatibility with RHEL <= 7.3 */ ++ return 0; ++#endif ++} ++ ++const VMStateDescription vmstate_serial_thr_ipending = { ++ .name = "serial/thr_ipending", ++ .version_id = 1, ++ .minimum_version_id = 1, ++ .fields = (VMStateField[]) { ++ VMSTATE_INT32(thr_ipending, SerialState), ++ VMSTATE_END_OF_LIST() ++ } ++}; ++ ++static bool serial_tsr_needed(void *opaque) ++{ ++ SerialState *s = (SerialState *)opaque; ++ return s->tsr_retry != 0; ++} ++ ++const VMStateDescription vmstate_serial_tsr = { ++ .name = "serial/tsr", ++ .version_id = 1, ++ .minimum_version_id = 1, ++ .fields = (VMStateField[]) { ++ VMSTATE_UINT32(tsr_retry, SerialState), ++ VMSTATE_UINT8(thr, SerialState), ++ VMSTATE_UINT8(tsr, SerialState), ++ VMSTATE_END_OF_LIST() ++ } ++}; ++ ++static bool serial_recv_fifo_needed(void *opaque) ++{ ++ SerialState *s = (SerialState *)opaque; ++ return 
!fifo8_is_empty(&s->recv_fifo); ++ ++} ++ ++const VMStateDescription vmstate_serial_recv_fifo = { ++ .name = "serial/recv_fifo", ++ .version_id = 1, ++ .minimum_version_id = 1, ++ .fields = (VMStateField[]) { ++ VMSTATE_STRUCT(recv_fifo, SerialState, 1, vmstate_fifo8, Fifo8), ++ VMSTATE_END_OF_LIST() ++ } ++}; ++ ++static bool serial_xmit_fifo_needed(void *opaque) ++{ ++ SerialState *s = (SerialState *)opaque; ++ return !fifo8_is_empty(&s->xmit_fifo); ++} ++ ++const VMStateDescription vmstate_serial_xmit_fifo = { ++ .name = "serial/xmit_fifo", ++ .version_id = 1, ++ .minimum_version_id = 1, ++ .fields = (VMStateField[]) { ++ VMSTATE_STRUCT(xmit_fifo, SerialState, 1, vmstate_fifo8, Fifo8), ++ VMSTATE_END_OF_LIST() ++ } ++}; ++ ++static bool serial_fifo_timeout_timer_needed(void *opaque) ++{ ++#if 0 ++ SerialState *s = (SerialState *)opaque; ++ return timer_pending(s->fifo_timeout_timer); ++#else ++ /* for migration compatibility with RHEL <= 7.3 */ ++ return 0; ++#endif ++} ++ ++const VMStateDescription vmstate_serial_fifo_timeout_timer = { ++ .name = "serial/fifo_timeout_timer", ++ .version_id = 1, ++ .minimum_version_id = 1, ++ .fields = (VMStateField[]) { ++ VMSTATE_TIMER(fifo_timeout_timer, SerialState), ++ VMSTATE_END_OF_LIST() ++ } ++}; ++ ++static bool serial_timeout_ipending_needed(void *opaque) ++{ ++#if 0 ++ SerialState *s = (SerialState *)opaque; ++ return s->timeout_ipending != 0; ++#else ++ /* for migration compatibility with RHEL <= 7.3 */ ++ return 0; ++#endif ++} ++ ++const VMStateDescription vmstate_serial_timeout_ipending = { ++ .name = "serial/timeout_ipending", ++ .version_id = 1, ++ .minimum_version_id = 1, ++ .fields = (VMStateField[]) { ++ VMSTATE_INT32(timeout_ipending, SerialState), ++ VMSTATE_END_OF_LIST() ++ } ++}; ++ ++static bool serial_poll_needed(void *opaque) ++{ ++#if 0 ++ SerialState *s = (SerialState *)opaque; ++ return s->poll_msl >= 0; ++#else ++ /* for migration compatibility with RHEL <= 7.3 */ ++ return 0; ++#endif ++} ++ 
++const VMStateDescription vmstate_serial_poll = { ++ .name = "serial/poll", ++ .version_id = 1, ++ .minimum_version_id = 1, ++ .fields = (VMStateField[]) { ++ VMSTATE_INT32(poll_msl, SerialState), ++ VMSTATE_TIMER(modem_status_poll, SerialState), ++ VMSTATE_END_OF_LIST() ++ } ++}; ++ + const VMStateDescription vmstate_serial = { + .name = "serial", + .version_id = 3, + .minimum_version_id = 2, + .pre_save = serial_pre_save, ++ .pre_load = serial_pre_load, + .post_load = serial_post_load, + .fields = (VMStateField []) { + VMSTATE_UINT16_V(divider, SerialState, 2), +@@ -652,6 +807,32 @@ const VMStateDescription vmstate_serial = { + VMSTATE_UINT8(scr, SerialState), + VMSTATE_UINT8_V(fcr_vmstate, SerialState, 3), + VMSTATE_END_OF_LIST() ++ }, ++ .subsections = (VMStateSubsection[]) { ++ { ++ .vmsd = &vmstate_serial_thr_ipending, ++ .needed = &serial_thr_ipending_needed, ++ } , { ++ .vmsd = &vmstate_serial_tsr, ++ .needed = &serial_tsr_needed, ++ } , { ++ .vmsd = &vmstate_serial_recv_fifo, ++ .needed = &serial_recv_fifo_needed, ++ } , { ++ .vmsd = &vmstate_serial_xmit_fifo, ++ .needed = &serial_xmit_fifo_needed, ++ } , { ++ .vmsd = &vmstate_serial_fifo_timeout_timer, ++ .needed = &serial_fifo_timeout_timer_needed, ++ } , { ++ .vmsd = &vmstate_serial_timeout_ipending, ++ .needed = &serial_timeout_ipending_needed, ++ } , { ++ .vmsd = &vmstate_serial_poll, ++ .needed = &serial_poll_needed, ++ } , { ++ /* empty */ ++ } + } + }; + +@@ -678,6 +859,10 @@ static void serial_reset(void *opaque) + s->char_transmit_time = (get_ticks_per_sec() / 9600) * 10; + s->poll_msl = 0; + ++ s->timeout_ipending = 0; ++ qemu_del_timer(s->fifo_timeout_timer); ++ qemu_del_timer(s->modem_status_poll); ++ + fifo8_reset(&s->recv_fifo); + fifo8_reset(&s->xmit_fifo); + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-serial-make-tsr_retry-unsigned.patch b/SOURCES/kvm-serial-make-tsr_retry-unsigned.patch index 85fc949..be7cc03 100644 --- a/SOURCES/kvm-serial-make-tsr_retry-unsigned.patch 
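Review bot: `serial_post_load` now calls `serial_write_fcr(s, s->fcr_vmstate)` with the byte exactly as it arrived in the migration stream, whereas the guest-write path passes `val & 0xC9` and the replaced `serial_ioport_write(s, 0x02, ...)` call ended in the same mask. The setter's own comment says `val` holds only the bits that are supposed to stick, so the load path should keep that invariant: `serial_write_fcr(s, s->fcr_vmstate & 0xC9);`. The comment above `serial_write_fcr` also describes an `is_load` flag that the function does not take. It could read `/* Setter for FCR; updates fcr, IIR.FE and recv_fifo_itl only and never raises an interrupt, so post_load can call it. */`. `serial_post_load` and `serial_ioport_write` both extend beyond the hunks shown.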
+++ b/SOURCES/kvm-serial-make-tsr_retry-unsigned.patch @@ -1,15 +1,15 @@ -From fece1f0b57a8daa08e04338baab90202d75766ec Mon Sep 17 00:00:00 2001 +From 03b9104f9cf6c0b4f7b7976b987753afddb32599 Mon Sep 17 00:00:00 2001 From: Fam Zheng -Date: Fri, 19 May 2017 00:35:20 +0200 +Date: Thu, 18 May 2017 09:21:28 +0200 Subject: [PATCH 15/18] serial: make tsr_retry unsigned RH-Author: Fam Zheng -Message-id: <20170519003523.21163-16-famz@redhat.com> -Patchwork-id: 75371 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 15/18] serial: make tsr_retry unsigned -Bugzilla: 1452332 +Message-id: <20170518092131.16571-16-famz@redhat.com> +Patchwork-id: 75305 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 15/18] serial: make tsr_retry unsigned +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Paolo Bonzini diff --git a/SOURCES/kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch b/SOURCES/kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch index 2e30ae8..6c0dce6 100644 --- a/SOURCES/kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch +++ b/SOURCES/kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch @@ -1,16 +1,16 @@ -From 95388b9e0745ca0125012f050c53f651811b5189 Mon Sep 17 00:00:00 2001 +From 0c6d2ffcebff88c6cda738aa46fa77c09b93b78b Mon Sep 17 00:00:00 2001 
From: Fam Zheng -Date: Fri, 19 May 2017 00:35:19 +0200 +Date: Thu, 18 May 2017 09:21:27 +0200 Subject: [PATCH 14/18] serial: only resample THR interrupt on rising edge of IER.THRI RH-Author: Fam Zheng -Message-id: <20170519003523.21163-15-famz@redhat.com> -Patchwork-id: 75370 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 14/18] serial: only resample THR interrupt on rising edge of IER.THRI -Bugzilla: 1452332 +Message-id: <20170518092131.16571-15-famz@redhat.com> +Patchwork-id: 75304 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 14/18] serial: only resample THR interrupt on rising edge of IER.THRI +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Paolo Bonzini diff --git a/SOURCES/kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch b/SOURCES/kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch index ae0367b..cfb1898 100644 --- a/SOURCES/kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch +++ b/SOURCES/kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch @@ -1,18 +1,18 @@ -From 3ca9dc028e21f6e66e4ad21d6b2948e23691d2ae Mon Sep 17 00:00:00 2001 +From 4b71b3a9e37d06da2ecc48e06eea7e4a4ae1cfe9 Mon Sep 17 00:00:00 2001 From: Fam Zheng -Date: Fri, 19 May 2017 00:35:12 +0200 +Date: Thu, 18 May 2017 09:21:20 +0200 Subject: [PATCH 07/18] serial: poll the serial console with G_IO_HUP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Fam Zheng -Message-id: <20170519003523.21163-8-famz@redhat.com> -Patchwork-id: 75363 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 07/18] serial: poll the serial console with G_IO_HUP -Bugzilla: 1452332 +Message-id: <20170518092131.16571-8-famz@redhat.com> +Patchwork-id: 75297 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 07/18] serial: poll the serial console with G_IO_HUP +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Roger Pau Monne 
diff --git a/SOURCES/kvm-serial-reinstate-watch-after-migration.patch b/SOURCES/kvm-serial-reinstate-watch-after-migration.patch new file mode 100644 index 0000000..b18fcc0 --- /dev/null +++ b/SOURCES/kvm-serial-reinstate-watch-after-migration.patch 
@@ -0,0 +1,72 @@ +From ba96da130a625a71b574c1bb9f6027e3b8d655ab Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 9 Jun 2017 11:43:59 +0200 +Subject: [PATCH 4/6] serial: reinstate watch after migration + +RH-Author: Paolo Bonzini +Message-id: <20170609114359.13036-4-pbonzini@redhat.com> +Patchwork-id: 75566 +O-Subject: [RHEL7.4 qemu-kvm PATCH v2 3/3] serial: reinstate watch after migration +Bugzilla: 1452067 +RH-Acked-by: David Hildenbrand +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: Laszlo Ersek + +Otherwise, a serial port can get stuck if it is migrated while flow control +is in effect. + +Tested-by: Bret Ketchum +Reviewed-by: Dr. David Alan Gilbert +Signed-off-by: Paolo Bonzini +(cherry picked from commit 9f34a35e0020b0b2b2e21c086a486d7dfd18df4f) +Signed-off-by: Miroslav Rezanina +--- + hw/char/serial.c | 29 +++++++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +diff --git a/hw/char/serial.c b/hw/char/serial.c +index 0518a6f..820960b 100644 +--- a/hw/char/serial.c ++++ b/hw/char/serial.c +@@ -637,13 +637,34 @@ static int serial_post_load(void *opaque, int version_id) + if (version_id < 3) { + s->fcr_vmstate = 0; + } +- if (s->tsr_retry > MAX_XMIT_RETRY) { +- s->tsr_retry = MAX_XMIT_RETRY; +- } +- + if (s->thr_ipending == -1) { + s->thr_ipending = ((s->iir & UART_IIR_ID) == UART_IIR_THRI); + } ++ ++ if (s->tsr_retry > 0) { ++ /* tsr_retry > 0 implies LSR.TEMT = 0 (transmitter not empty). */ ++ if (s->lsr & UART_LSR_TEMT) { ++ error_report("inconsistent state in serial device " ++ "(tsr empty, tsr_retry=%d", s->tsr_retry); ++ return -1; ++ } ++ ++ if (s->tsr_retry > MAX_XMIT_RETRY) { ++ s->tsr_retry = MAX_XMIT_RETRY; ++ } ++ ++ assert(s->watch_tag == 0); ++ s->watch_tag = qemu_chr_fe_add_watch(s->chr, G_IO_OUT|G_IO_HUP, ++ serial_watch_cb, s); ++ } else { ++ /* tsr_retry == 0 implies LSR.TEMT = 1 (transmitter empty). 
*/ ++ if (!(s->lsr & UART_LSR_TEMT)) { ++ error_report("inconsistent state in serial device " ++ "(tsr not empty, tsr_retry=0"); ++ return -1; ++ } ++ } ++ + s->last_break_enable = (s->lcr >> 6) & 1; + /* Initialize fcr via setter to perform essential side-effects */ + serial_write_fcr(s, s->fcr_vmstate); +-- +1.8.3.1 + diff --git a/SOURCES/kvm-serial-remove-watch-on-reset.patch b/SOURCES/kvm-serial-remove-watch-on-reset.patch index a33f76c..4293ee6 100644 --- a/SOURCES/kvm-serial-remove-watch-on-reset.patch +++ b/SOURCES/kvm-serial-remove-watch-on-reset.patch @@ -1,15 +1,15 @@ -From ac39e63d788b8bcb748f08347312b0fccde7ce0e Mon Sep 17 00:00:00 2001 +From 768dddfbe60ecc3a9a920101aa755804f8a5700e Mon Sep 17 00:00:00 2001 From: Fam Zheng -Date: Fri, 19 May 2017 00:35:23 +0200 +Date: Thu, 18 May 2017 09:21:31 +0200 Subject: [PATCH 18/18] serial: remove watch on reset RH-Author: Fam Zheng -Message-id: <20170519003523.21163-19-famz@redhat.com> -Patchwork-id: 75373 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 18/18] serial: remove watch on reset -Bugzilla: 1452332 +Message-id: <20170518092131.16571-19-famz@redhat.com> +Patchwork-id: 75308 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 18/18] serial: remove watch on reset +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Paolo Bonzini diff --git a/SOURCES/kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch b/SOURCES/kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch index d7242e3..d04d626 100644 --- a/SOURCES/kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch +++ b/SOURCES/kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch @@ -1,15 +1,15 @@ -From 6d2a5ef7994e753197bb9653872601db4e6cff5d Mon Sep 17 00:00:00 2001 +From 09ff2706109ce647d1fe59e99f44f96810d80b7c Mon Sep 17 00:00:00 2001 
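Review bot: Both new `error_report` messages in `serial_post_load` lack the closing parenthesis, and the first prints `s->tsr_retry` with `%d` although the field appears to be unsigned (it is migrated with `VMSTATE_UINT32` in the preceding patch). The lines would read `"(tsr empty, tsr_retry=%u)", s->tsr_retry);` and `"(tsr not empty, tsr_retry=0)");`. Rejecting a stream whose `tsr_retry` and LSR.TEMT disagree is a sound check on incoming state. The `assert(s->watch_tag == 0)` beside it, however, aborts the process rather than failing the load, and it presumably relies on reset having removed any earlier watch. If that ordering is not guaranteed, returning -1 as the neighbouring checks do would be safer. The function starts and ends outside the hunk.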
From: Fam Zheng -Date: Fri, 19 May 2017 00:35:16 +0200 +Date: Thu, 18 May 2017 09:21:24 +0200 Subject: [PATCH 11/18] serial: reset thri_pending on IER writes with THRI=0 RH-Author: Fam Zheng -Message-id: <20170519003523.21163-12-famz@redhat.com> -Patchwork-id: 75365 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 11/18] serial: reset thri_pending on IER writes with THRI=0 -Bugzilla: 1452332 +Message-id: <20170518092131.16571-12-famz@redhat.com> +Patchwork-id: 75302 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 11/18] serial: reset thri_pending on IER writes with THRI=0 +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Paolo Bonzini diff --git a/SOURCES/kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch b/SOURCES/kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch index 698096f..79df988 100644 --- a/SOURCES/kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch +++ b/SOURCES/kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch @@ -1,15 +1,15 @@ -From 2600e8a94c5434d07e820c7cf5bcd62d69849099 Mon Sep 17 00:00:00 2001 +From 8497b21c6dabe117b27d76f3bdbd86d80b0dd1d7 Mon Sep 17 00:00:00 2001 From: Fam Zheng -Date: Fri, 19 May 2017 00:35:22 +0200 +Date: Thu, 18 May 2017 09:21:30 +0200 Subject: [PATCH 17/18] serial: separate serial_xmit and serial_watch_cb RH-Author: Fam Zheng -Message-id: <20170519003523.21163-18-famz@redhat.com> -Patchwork-id: 75368 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 17/18] serial: separate serial_xmit and serial_watch_cb -Bugzilla: 1452332 +Message-id: <20170518092131.16571-18-famz@redhat.com> +Patchwork-id: 75309 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 17/18] serial: separate serial_xmit and serial_watch_cb +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Paolo Bonzini 
diff --git a/SOURCES/kvm-serial-simplify-tsr_retry-reset.patch b/SOURCES/kvm-serial-simplify-tsr_retry-reset.patch index 1325ff3..f61be2c 100644 --- a/SOURCES/kvm-serial-simplify-tsr_retry-reset.patch +++ b/SOURCES/kvm-serial-simplify-tsr_retry-reset.patch @@ -1,15 +1,15 @@ -From 4a5819d1786be74df4b2393f72d6901e05d0eb4a Mon Sep 17 00:00:00 2001 +From 8f143ae501a5bd1010dc4526ff8e0e85c4d2baf1 Mon Sep 17 00:00:00 2001 From: Fam Zheng -Date: Fri, 19 May 2017 00:35:21 +0200 +Date: Thu, 18 May 2017 09:21:29 +0200 Subject: [PATCH 16/18] serial: simplify tsr_retry reset RH-Author: Fam Zheng -Message-id: <20170519003523.21163-17-famz@redhat.com> -Patchwork-id: 75372 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 16/18] serial: simplify tsr_retry reset -Bugzilla: 1452332 +Message-id: <20170518092131.16571-17-famz@redhat.com> +Patchwork-id: 75307 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 16/18] serial: simplify tsr_retry reset +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Paolo Bonzini diff --git a/SOURCES/kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch b/SOURCES/kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch index f4b8523..7a61ec1 100644 --- a/SOURCES/kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch +++ b/SOURCES/kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch @@ -1,15 +1,15 @@ -From 727ebf3f24a6f519aab1306bad6e63014c76aec5 Mon Sep 17 00:00:00 2001 +From d6acc0368578932ee6a2949054a6f640a5b6fa09 Mon Sep 17 00:00:00 2001 
From: Fam Zheng -Date: Fri, 19 May 2017 00:35:18 +0200 +Date: Thu, 18 May 2017 09:21:26 +0200 Subject: [PATCH 13/18] serial: update LSR on enabling/disabling FIFOs RH-Author: Fam Zheng -Message-id: <20170519003523.21163-14-famz@redhat.com> -Patchwork-id: 75369 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 13/18] serial: update LSR on enabling/disabling FIFOs -Bugzilla: 1452332 +Message-id: <20170518092131.16571-14-famz@redhat.com> +Patchwork-id: 75306 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v3 13/18] serial: update LSR on enabling/disabling FIFOs +Bugzilla: 1451470 RH-Acked-by: Paolo Bonzini -RH-Acked-by: Laurent Vivier +RH-Acked-by: Stefan Hajnoczi RH-Acked-by: Eduardo Habkost From: Paolo Bonzini diff --git a/SOURCES/kvm-spice-fix-spice_chr_add_watch-pre-condition.patch b/SOURCES/kvm-spice-fix-spice_chr_add_watch-pre-condition.patch index 35d702b..d184899 100644 --- a/SOURCES/kvm-spice-fix-spice_chr_add_watch-pre-condition.patch +++ b/SOURCES/kvm-spice-fix-spice_chr_add_watch-pre-condition.patch 
@@ -1,19 +1,19 @@ -From 9b379db2f11257f5ef88979fdf9660eaa0ad6b4b Mon Sep 17 00:00:00 2001 -From: Fam Zheng -Date: Tue, 6 Jun 2017 06:16:56 +0200 +From a88811fcdd3dbc600a669eed0b106a5bf8f6b907 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Wed, 31 May 2017 08:09:49 +0200 Subject: [PATCH] spice: fix spice_chr_add_watch() pre-condition MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -RH-Author: Fam Zheng -Message-id: <20170606061656.29212-2-famz@redhat.com> -Patchwork-id: 75488 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH 1/1] spice: fix spice_chr_add_watch() pre-condition -Bugzilla: 1452332 -RH-Acked-by: John Snow +RH-Author: Marc-André Lureau +Message-id: <20170531080949.17102-1-marcandre.lureau@redhat.com> +Patchwork-id: 75440 +O-Subject: [RHEL-7.4 qemu-kvm PATCH] spice: fix spice_chr_add_watch() pre-condition +Bugzilla: 1456983 +RH-Acked-by: Fam Zheng RH-Acked-by: Eduardo Habkost -RH-Acked-by: Miroslav Rezanina +RH-Acked-by: John Snow From: Marc-André Lureau @@ -24,18 +24,25 @@ precondition must be changed. https://bugzilla.redhat.com/show_bug.cgi?id=1128992 Signed-off-by: Gerd Hoffmann + +BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1456983 +Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=13310981 + +"serial: poll the serial console with G_IO_HUP" was backported without +the Spice related fix. + (cherry picked from commit f7a8beb5e6a13dc924895244777d9ef08b23b367) -Signed-off-by: Fam Zheng +Signed-off-by: Marc-André Lureau Signed-off-by: Miroslav Rezanina --- spice-qemu-char.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spice-qemu-char.c b/spice-qemu-char.c -index 6d147a7..079c214 100644 +index cd51f3c..02c568c 100644 --- a/spice-qemu-char.c 
+++ b/spice-qemu-char.c -@@ -171,7 +171,7 @@ static GSource *spice_chr_add_watch(CharDriverState *chr, GIOCondition cond) +@@ -170,7 +170,7 @@ static GSource *spice_chr_add_watch(CharDriverState *chr, GIOCondition cond) SpiceCharDriver *scd = chr->opaque; SpiceCharSource *src; diff --git a/SOURCES/kvm-spice-remove-spice-experimental.h-include.patch b/SOURCES/kvm-spice-remove-spice-experimental.h-include.patch new file mode 100644 index 0000000..37f1f57 --- /dev/null +++ b/SOURCES/kvm-spice-remove-spice-experimental.h-include.patch 
@@ -0,0 +1,58 @@ +From 8ed773749fd59ff4036ded5ad106de027f92cefe Mon Sep 17 00:00:00 2001 +From: Miroslav Rezanina +Date: Thu, 9 Mar 2017 06:12:04 +0100 +Subject: [PATCH 16/17] spice: remove spice-experimental.h include +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +Message-id: +Patchwork-id: 74258 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/2] spice: remove spice-experimental.h include +Bugzilla: 1430606 +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: Marc-André Lureau +RH-Acked-by: David Hildenbrand + +From: Marc-André Lureau + +Nothing seems to be using functions from spice-experimental.h (better +that way). Let's remove its inclusion. + +Signed-off-by: Marc-André Lureau +Signed-off-by: Gerd Hoffmann +(cherry picked from commit e0883e2de0ef36f254acc274e80ddeac13a2a8f6) +Signed-off-by: Miroslav Rezanina +--- + spice-qemu-char.c | 1 - + ui/spice-core.c | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/spice-qemu-char.c b/spice-qemu-char.c +index 6d147a7..cd51f3c 100644 +--- a/spice-qemu-char.c ++++ b/spice-qemu-char.c +@@ -3,7 +3,6 @@ + #include "ui/qemu-spice.h" + #include "sysemu/char.h" + #include +-#include + #include + + #include "qemu/osdep.h" +diff --git a/ui/spice-core.c b/ui/spice-core.c +index 8d6e726..0585267 100644 +--- a/ui/spice-core.c ++++ b/ui/spice-core.c +@@ -16,7 +16,6 @@ + */ + + #include +-#include + + #include + #include "sysemu/sysemu.h" +-- +1.8.3.1 + diff --git a/SOURCES/kvm-spice-replace-use-of-deprecated-API.patch b/SOURCES/kvm-spice-replace-use-of-deprecated-API.patch new file mode 100644 index 0000000..e9ab192 --- /dev/null +++ b/SOURCES/kvm-spice-replace-use-of-deprecated-API.patch 
@@ -0,0 +1,179 @@ +From 43d3585ba869c97c46cffc3c9fd7e46885d539c0 Mon Sep 17 00:00:00 2001 +From: Miroslav Rezanina +Date: Thu, 9 Mar 2017 06:12:05 +0100 +Subject: [PATCH 17/17] spice: replace use of deprecated API +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Miroslav Rezanina +Message-id: <4696b589a948f544ea081abeb496cb383a466020.1489039263.git.mrezanin@redhat.com> +Patchwork-id: 74259 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/2] spice: replace use of deprecated API +Bugzilla: 1430606 +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: Marc-André Lureau +RH-Acked-by: David Hildenbrand + +From: Marc-André Lureau + +hose API are deprecated since 0.11, and qemu depends on 0.12 already. + +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 26defe81f6a878f33e0aaeb1df4d0d7022c929ca) +Signed-off-by: Miroslav Rezanina +--- + hw/display/qxl.c | 16 ++++++++-------- + ui/spice-core.c | 15 +++++++-------- + ui/spice-display.c | 10 +++++----- + 3 files changed, 20 insertions(+), 21 deletions(-) + +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index c76c237..0a755df 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -162,7 +162,7 @@ void qxl_spice_update_area(PCIQXLDevice *qxl, uint32_t surface_id, + trace_qxl_spice_update_area_rest(qxl->id, num_dirty_rects, + clear_dirty_region); + if (async == QXL_SYNC) { +- qxl->ssd.worker->update_area(qxl->ssd.worker, surface_id, area, ++ spice_qxl_update_area(&qxl->ssd.qxl, surface_id, area, + dirty_rects, num_dirty_rects, clear_dirty_region); + } else { + assert(cookie != NULL); +@@ -193,7 +193,7 @@ static void qxl_spice_destroy_surface_wait(PCIQXLDevice *qxl, uint32_t id, + cookie->u.surface_id = id; + spice_qxl_destroy_surface_async(&qxl->ssd.qxl, id, (uintptr_t)cookie); + } else { +- qxl->ssd.worker->destroy_surface_wait(qxl->ssd.worker, id); ++ spice_qxl_destroy_surface_wait(&qxl->ssd.qxl, id); + qxl_spice_destroy_surface_wait_complete(qxl, id); + } + } +@@ -211,19 
+211,19 @@ void qxl_spice_loadvm_commands(PCIQXLDevice *qxl, struct QXLCommandExt *ext, + uint32_t count) + { + trace_qxl_spice_loadvm_commands(qxl->id, ext, count); +- qxl->ssd.worker->loadvm_commands(qxl->ssd.worker, ext, count); ++ spice_qxl_loadvm_commands(&qxl->ssd.qxl, ext, count); + } + + void qxl_spice_oom(PCIQXLDevice *qxl) + { + trace_qxl_spice_oom(qxl->id); +- qxl->ssd.worker->oom(qxl->ssd.worker); ++ spice_qxl_oom(&qxl->ssd.qxl); + } + + void qxl_spice_reset_memslots(PCIQXLDevice *qxl) + { + trace_qxl_spice_reset_memslots(qxl->id); +- qxl->ssd.worker->reset_memslots(qxl->ssd.worker); ++ spice_qxl_reset_memslots(&qxl->ssd.qxl); + } + + static void qxl_spice_destroy_surfaces_complete(PCIQXLDevice *qxl) +@@ -244,7 +244,7 @@ static void qxl_spice_destroy_surfaces(PCIQXLDevice *qxl, qxl_async_io async) + (uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO, + QXL_IO_DESTROY_ALL_SURFACES_ASYNC)); + } else { +- qxl->ssd.worker->destroy_surfaces(qxl->ssd.worker); ++ spice_qxl_destroy_surfaces(&qxl->ssd.qxl); + qxl_spice_destroy_surfaces_complete(qxl); + } + } +@@ -283,13 +283,13 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay) + void qxl_spice_reset_image_cache(PCIQXLDevice *qxl) + { + trace_qxl_spice_reset_image_cache(qxl->id); +- qxl->ssd.worker->reset_image_cache(qxl->ssd.worker); ++ spice_qxl_reset_image_cache(&qxl->ssd.qxl); + } + + void qxl_spice_reset_cursor(PCIQXLDevice *qxl) + { + trace_qxl_spice_reset_cursor(qxl->id); +- qxl->ssd.worker->reset_cursor(qxl->ssd.worker); ++ spice_qxl_reset_cursor(&qxl->ssd.qxl); + qemu_mutex_lock(&qxl->track_lock); + qxl->guest_cursor = 0; + qemu_mutex_unlock(&qxl->track_lock); +diff --git a/ui/spice-core.c b/ui/spice-core.c +index 0585267..0cd60f3 100644 +--- a/ui/spice-core.c ++++ b/ui/spice-core.c +@@ -383,17 +383,16 @@ static SpiceChannelList *qmp_query_spice_channels(void) + struct sockaddr *paddr; + socklen_t plen; + ++ if (!(item->info->flags & SPICE_CHANNEL_EVENT_FLAG_ADDR_EXT)) { ++ 
error_report("invalid channel event"); ++ return NULL; ++ } ++ + chan = g_malloc0(sizeof(*chan)); + chan->value = g_malloc0(sizeof(*chan->value)); + +- if (item->info->flags & SPICE_CHANNEL_EVENT_FLAG_ADDR_EXT) { +- paddr = (struct sockaddr *)&item->info->paddr_ext; +- plen = item->info->plen_ext; +- } else { +- paddr = &item->info->paddr; +- plen = item->info->plen; +- } +- ++ paddr = (struct sockaddr *)&item->info->paddr_ext; ++ plen = item->info->plen_ext; + getnameinfo(paddr, plen, + host, sizeof(host), port, sizeof(port), + NI_NUMERICHOST | NI_NUMERICSERV); +diff --git a/ui/spice-display.c b/ui/spice-display.c +index d29d2ab..e2c24a9 100644 +--- a/ui/spice-display.c ++++ b/ui/spice-display.c +@@ -83,14 +83,14 @@ void qemu_spice_add_memslot(SimpleSpiceDisplay *ssd, QXLDevMemSlot *memslot, + (uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO, + QXL_IO_MEMSLOT_ADD_ASYNC)); + } else { +- ssd->worker->add_memslot(ssd->worker, memslot); ++ spice_qxl_add_memslot(&ssd->qxl, memslot); + } + } + + void qemu_spice_del_memslot(SimpleSpiceDisplay *ssd, uint32_t gid, uint32_t sid) + { + trace_qemu_spice_del_memslot(ssd->qxl.id, gid, sid); +- ssd->worker->del_memslot(ssd->worker, gid, sid); ++ spice_qxl_del_memslot(&ssd->qxl, gid, sid); + } + + void qemu_spice_create_primary_surface(SimpleSpiceDisplay *ssd, uint32_t id, +@@ -103,7 +103,7 @@ void qemu_spice_create_primary_surface(SimpleSpiceDisplay *ssd, uint32_t id, + (uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO, + QXL_IO_CREATE_PRIMARY_ASYNC)); + } else { +- ssd->worker->create_primary_surface(ssd->worker, id, surface); ++ spice_qxl_create_primary_surface(&ssd->qxl, id, surface); + } + } + +@@ -116,14 +116,14 @@ void qemu_spice_destroy_primary_surface(SimpleSpiceDisplay *ssd, + (uintptr_t)qxl_cookie_new(QXL_COOKIE_TYPE_IO, + QXL_IO_DESTROY_PRIMARY_ASYNC)); + } else { +- ssd->worker->destroy_primary_surface(ssd->worker, id); ++ spice_qxl_destroy_primary_surface(&ssd->qxl, id); + } + } + + void qemu_spice_wakeup(SimpleSpiceDisplay 
*ssd) + { + trace_qemu_spice_wakeup(ssd->qxl.id); +- ssd->worker->wakeup(ssd->worker); ++ spice_qxl_wakeup(&ssd->qxl); + } + + static void qemu_spice_create_one_update(SimpleSpiceDisplay *ssd, +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch b/SOURCES/kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch new file mode 100644 index 0000000..0fcd889 --- /dev/null +++ b/SOURCES/kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch 
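Review bot: The new early exit in `qmp_query_spice_channels()` (ui/spice-core.c part of this patch) returns NULL as soon as one channel lacks `SPICE_CHANNEL_EVENT_FLAG_ADDR_EXT`, so a single bad entry looks to the caller like an empty channel list. The `paddr`/`plen` declarations just above suggest this sits inside a per-channel loop whose start is outside the hunk; if so, list nodes already built for earlier channels would presumably leak. Please confirm, then either skip the entry with `if (!(item->info->flags & SPICE_CHANNEL_EVENT_FLAG_ADDR_EXT)) { error_report("invalid channel event"); continue; }` or free the partial list before returning. Separately, the unchanged `getnameinfo()` call below still has no return-value check in the visible lines, which is worth a follow-up.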
@@ -0,0 +1,171 @@ +From 30c05c032f0af4e959b304f5223dbaf331955488 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 23 Feb 2017 14:29:43 +0100 +Subject: [PATCH 13/17] target-i386: Define TCG_*_FEATURES earlier in cpu.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Eduardo Habkost +Message-id: <20170223142945.17790-13-ehabkost@redhat.com> +Patchwork-id: 74042 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 12/14] target-i386: Define TCG_*_FEATURES earlier in cpu.c +Bugzilla: 1382122 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +Those macros will be used in the feature_word_info array data, so need +to be defined earlier. + +Signed-off-by: Eduardo Habkost +Signed-off-by: Andreas Färber +(cherry picked from commit 621626ce7d44f008298c7e6cfefa9fbb80a33dc2) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 121 +++++++++++++++++++++++++++--------------------------- + 1 file changed, 61 insertions(+), 60 deletions(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index e6821b6..d611062 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -187,6 +187,67 @@ static const char *cpuid_xsave_feature_name[] = { + NULL, NULL, NULL, NULL, + }; + ++#define I486_FEATURES (CPUID_FP87 | CPUID_VME | CPUID_PSE) ++#define PENTIUM_FEATURES (I486_FEATURES | CPUID_DE | CPUID_TSC | \ ++ CPUID_MSR | CPUID_MCE | CPUID_CX8 | CPUID_MMX | CPUID_APIC) ++#define PENTIUM2_FEATURES (PENTIUM_FEATURES | CPUID_PAE | CPUID_SEP | \ ++ CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV | CPUID_PAT | \ ++ CPUID_PSE36 | CPUID_FXSR) ++#define PENTIUM3_FEATURES (PENTIUM2_FEATURES | CPUID_SSE) ++#define PPRO_FEATURES (CPUID_FP87 | CPUID_DE | CPUID_PSE | CPUID_TSC | \ ++ CPUID_MSR | CPUID_MCE | CPUID_CX8 | CPUID_PGE | CPUID_CMOV | \ ++ CPUID_PAT | CPUID_FXSR | CPUID_MMX | CPUID_SSE | CPUID_SSE2 | \ ++ CPUID_PAE | CPUID_SEP | CPUID_APIC) ++ ++#define 
TCG_FEATURES (CPUID_FP87 | CPUID_PSE | CPUID_TSC | CPUID_MSR | \ ++ CPUID_PAE | CPUID_MCE | CPUID_CX8 | CPUID_APIC | CPUID_SEP | \ ++ CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV | CPUID_PAT | \ ++ CPUID_PSE36 | CPUID_CLFLUSH | CPUID_ACPI | CPUID_MMX | \ ++ CPUID_FXSR | CPUID_SSE | CPUID_SSE2 | CPUID_SS) ++ /* partly implemented: ++ CPUID_MTRR, CPUID_MCA, CPUID_CLFLUSH (needed for Win64) ++ CPUID_PSE36 (needed for Solaris) */ ++ /* missing: ++ CPUID_VME, CPUID_DTS, CPUID_SS, CPUID_HT, CPUID_TM, CPUID_PBE */ ++#define TCG_EXT_FEATURES (CPUID_EXT_SSE3 | CPUID_EXT_PCLMULQDQ | \ ++ CPUID_EXT_MONITOR | CPUID_EXT_SSSE3 | CPUID_EXT_CX16 | \ ++ CPUID_EXT_SSE41 | CPUID_EXT_SSE42 | CPUID_EXT_POPCNT | \ ++ CPUID_EXT_MOVBE | CPUID_EXT_AES | CPUID_EXT_HYPERVISOR) ++ /* missing: ++ CPUID_EXT_DTES64, CPUID_EXT_DSCPL, CPUID_EXT_VMX, CPUID_EXT_SMX, ++ CPUID_EXT_EST, CPUID_EXT_TM2, CPUID_EXT_CID, CPUID_EXT_FMA, ++ CPUID_EXT_XTPR, CPUID_EXT_PDCM, CPUID_EXT_PCID, CPUID_EXT_DCA, ++ CPUID_EXT_X2APIC, CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_XSAVE, ++ CPUID_EXT_OSXSAVE, CPUID_EXT_AVX, CPUID_EXT_F16C, ++ CPUID_EXT_RDRAND */ ++ ++#ifdef TARGET_X86_64 ++#define TCG_EXT2_X86_64_FEATURES (CPUID_EXT2_SYSCALL | CPUID_EXT2_LM) ++#else ++#define TCG_EXT2_X86_64_FEATURES 0 ++#endif ++ ++#define TCG_EXT2_FEATURES ((TCG_FEATURES & CPUID_EXT2_AMD_ALIASES) | \ ++ CPUID_EXT2_NX | CPUID_EXT2_MMXEXT | CPUID_EXT2_RDTSCP | \ ++ CPUID_EXT2_3DNOW | CPUID_EXT2_3DNOWEXT | \ ++ TCG_EXT2_X86_64_FEATURES) ++ /* missing: ++ CPUID_EXT2_PDPE1GB */ ++#define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \ ++ CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A) ++#define TCG_EXT4_FEATURES 0 ++#define TCG_SVM_FEATURES 0 ++#define TCG_KVM_FEATURES 0 ++#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \ ++ CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX) ++ /* missing: ++ CPUID_7_0_EBX_FSGSBASE, CPUID_7_0_EBX_HLE, CPUID_7_0_EBX_AVX2, ++ CPUID_7_0_EBX_ERMS, 
CPUID_7_0_EBX_INVPCID, CPUID_7_0_EBX_RTM, ++ CPUID_7_0_EBX_RDSEED */ ++#define TCG_7_0_ECX_FEATURES 0 ++#define TCG_7_0_EDX_FEATURES 0 ++ ++ + typedef struct FeatureWordInfo { + const char **feat_names; + uint32_t cpuid_eax; /* Input EAX for CPUID */ +@@ -453,66 +514,6 @@ typedef struct x86_def_t { + char model_id[48]; + } x86_def_t; + +-#define I486_FEATURES (CPUID_FP87 | CPUID_VME | CPUID_PSE) +-#define PENTIUM_FEATURES (I486_FEATURES | CPUID_DE | CPUID_TSC | \ +- CPUID_MSR | CPUID_MCE | CPUID_CX8 | CPUID_MMX | CPUID_APIC) +-#define PENTIUM2_FEATURES (PENTIUM_FEATURES | CPUID_PAE | CPUID_SEP | \ +- CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV | CPUID_PAT | \ +- CPUID_PSE36 | CPUID_FXSR) +-#define PENTIUM3_FEATURES (PENTIUM2_FEATURES | CPUID_SSE) +-#define PPRO_FEATURES (CPUID_FP87 | CPUID_DE | CPUID_PSE | CPUID_TSC | \ +- CPUID_MSR | CPUID_MCE | CPUID_CX8 | CPUID_PGE | CPUID_CMOV | \ +- CPUID_PAT | CPUID_FXSR | CPUID_MMX | CPUID_SSE | CPUID_SSE2 | \ +- CPUID_PAE | CPUID_SEP | CPUID_APIC) +- +-#define TCG_FEATURES (CPUID_FP87 | CPUID_PSE | CPUID_TSC | CPUID_MSR | \ +- CPUID_PAE | CPUID_MCE | CPUID_CX8 | CPUID_APIC | CPUID_SEP | \ +- CPUID_MTRR | CPUID_PGE | CPUID_MCA | CPUID_CMOV | CPUID_PAT | \ +- CPUID_PSE36 | CPUID_CLFLUSH | CPUID_ACPI | CPUID_MMX | \ +- CPUID_FXSR | CPUID_SSE | CPUID_SSE2 | CPUID_SS) +- /* partly implemented: +- CPUID_MTRR, CPUID_MCA, CPUID_CLFLUSH (needed for Win64) +- CPUID_PSE36 (needed for Solaris) */ +- /* missing: +- CPUID_VME, CPUID_DTS, CPUID_SS, CPUID_HT, CPUID_TM, CPUID_PBE */ +-#define TCG_EXT_FEATURES (CPUID_EXT_SSE3 | CPUID_EXT_PCLMULQDQ | \ +- CPUID_EXT_MONITOR | CPUID_EXT_SSSE3 | CPUID_EXT_CX16 | \ +- CPUID_EXT_SSE41 | CPUID_EXT_SSE42 | CPUID_EXT_POPCNT | \ +- CPUID_EXT_MOVBE | CPUID_EXT_AES | CPUID_EXT_HYPERVISOR) +- /* missing: +- CPUID_EXT_DTES64, CPUID_EXT_DSCPL, CPUID_EXT_VMX, CPUID_EXT_SMX, +- CPUID_EXT_EST, CPUID_EXT_TM2, CPUID_EXT_CID, CPUID_EXT_FMA, +- CPUID_EXT_XTPR, CPUID_EXT_PDCM, CPUID_EXT_PCID, CPUID_EXT_DCA, +- 
CPUID_EXT_X2APIC, CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_XSAVE, +- CPUID_EXT_OSXSAVE, CPUID_EXT_AVX, CPUID_EXT_F16C, +- CPUID_EXT_RDRAND */ +- +-#ifdef TARGET_X86_64 +-#define TCG_EXT2_X86_64_FEATURES (CPUID_EXT2_SYSCALL | CPUID_EXT2_LM) +-#else +-#define TCG_EXT2_X86_64_FEATURES 0 +-#endif +- +-#define TCG_EXT2_FEATURES ((TCG_FEATURES & CPUID_EXT2_AMD_ALIASES) | \ +- CPUID_EXT2_NX | CPUID_EXT2_MMXEXT | CPUID_EXT2_RDTSCP | \ +- CPUID_EXT2_3DNOW | CPUID_EXT2_3DNOWEXT | \ +- TCG_EXT2_X86_64_FEATURES) +- /* missing: +- CPUID_EXT2_PDPE1GB */ +-#define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \ +- CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A) +-#define TCG_EXT4_FEATURES 0 +-#define TCG_SVM_FEATURES 0 +-#define TCG_KVM_FEATURES 0 +-#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \ +- CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX) +- /* missing: +- CPUID_7_0_EBX_FSGSBASE, CPUID_7_0_EBX_HLE, CPUID_7_0_EBX_AVX2, +- CPUID_7_0_EBX_ERMS, CPUID_7_0_EBX_INVPCID, CPUID_7_0_EBX_RTM, +- CPUID_7_0_EBX_RDSEED */ +-#define TCG_7_0_ECX_FEATURES 0 +-#define TCG_7_0_EDX_FEATURES 0 +- + /* built-in CPU model definitions + */ + static x86_def_t builtin_x86_defs[] = { +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch b/SOURCES/kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch new file mode 100644 index 0000000..0752c5f --- /dev/null +++ b/SOURCES/kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch 
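Review bot: The relocated `TCG_FEATURES` block carries a contradictory comment: `CPUID_SS` is OR-ed into the mask and is also listed under `/* missing: ... */` directly below it, so one of the two is wrong. Other patches on this page use this mask under `!kvm_enabled()` to decide which CPUID bits a TCG guest keeps, so the comment should match what is actually advertised. Either drop `CPUID_SS` from the `missing:` list or from the mask, whichever reflects the implementation. Since this patch is a pure move of a cherry-picked block, the correction probably belongs in a separate change rather than in the backport itself.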
@@ -0,0 +1,56 @@ +From 65c528e40cc9e6d3d887fd79284d465bb482bbe2 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 23 Feb 2017 14:29:41 +0100 +Subject: [PATCH 11/17] target-i386: Filter FEAT_7_0_EBX TCG features too +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Eduardo Habkost +Message-id: <20170223142945.17790-11-ehabkost@redhat.com> +Patchwork-id: 74044 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 10/14] target-i386: Filter FEAT_7_0_EBX TCG features too +Bugzilla: 1382122 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +The TCG_7_0_EBX_FEATURES macro was defined but never used (it even had a +typo that was never noticed). Make the existing TCG feature filtering +code use it. + +Reviewed-by: Richard Henderson +Signed-off-by: Eduardo Habkost +Cc: qemu-stable@nongnu.org +Signed-off-by: Andreas Färber +(cherry picked from commit d0a70f46fa9a3257089a56f2f620b0eff868557f) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index e32d4d7..d424211 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -502,7 +502,7 @@ typedef struct x86_def_t { + #define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \ + CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A) + #define TCG_SVM_FEATURES 0 +-#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP \ ++#define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \ + CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX) + /* missing: + CPUID_7_0_EBX_FSGSBASE, CPUID_7_0_EBX_HLE, CPUID_7_0_EBX_AVX2, +@@ -2640,6 +2640,7 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp) + if (!kvm_enabled()) { + env->features[FEAT_1_EDX] &= TCG_FEATURES; + env->features[FEAT_1_ECX] &= TCG_EXT_FEATURES; ++ env->features[FEAT_7_0_EBX] 
&= TCG_7_0_EBX_FEATURES; + env->features[FEAT_8000_0001_EDX] &= TCG_EXT2_FEATURES; + env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES; + env->features[FEAT_SVM] &= TCG_SVM_FEATURES; +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch b/SOURCES/kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch new file mode 100644 index 0000000..20f595a --- /dev/null +++ b/SOURCES/kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch 
@@ -0,0 +1,57 @@ +From d037664335efca55df79abcde79f4f2733ca535b Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 23 Feb 2017 14:29:42 +0100 +Subject: [PATCH 12/17] target-i386: Filter KVM and 0xC0000001 features on TCG +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Eduardo Habkost +Message-id: <20170223142945.17790-12-ehabkost@redhat.com> +Patchwork-id: 74040 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 11/14] target-i386: Filter KVM and 0xC0000001 features on TCG +Bugzilla: 1382122 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +TCG doesn't support any of the feature flags on FEAT_KVM and +FEAT_C000_0001_EDX feature words, so clear all bits on those feature +words. + +Reviewed-by: Richard Henderson +Signed-off-by: Eduardo Habkost +Signed-off-by: Andreas Färber +(cherry picked from commit 84a6c6cd40687598c7e85d7de8095e08b5e636d7) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index d424211..e6821b6 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -501,7 +501,9 @@ typedef struct x86_def_t { + CPUID_EXT2_PDPE1GB */ + #define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \ + CPUID_EXT3_CR8LEG | CPUID_EXT3_ABM | CPUID_EXT3_SSE4A) ++#define TCG_EXT4_FEATURES 0 + #define TCG_SVM_FEATURES 0 ++#define TCG_KVM_FEATURES 0 + #define TCG_7_0_EBX_FEATURES (CPUID_7_0_EBX_SMEP | CPUID_7_0_EBX_SMAP | \ + CPUID_7_0_EBX_BMI1 | CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ADX) + /* missing: +@@ -2644,6 +2646,8 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp) + env->features[FEAT_8000_0001_EDX] &= TCG_EXT2_FEATURES; + env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES; + env->features[FEAT_SVM] &= TCG_SVM_FEATURES; ++ env->features[FEAT_KVM] &= TCG_KVM_FEATURES; ++ env->features[FEAT_C000_0001_EDX] &= 
TCG_EXT4_FEATURES; + env->features[FEAT_XSAVE] = 0; + env->features[FEAT_7_0_ECX] &= TCG_7_0_ECX_FEATURES; + env->features[FEAT_7_0_EDX] &= TCG_7_0_EDX_FEATURES; +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch b/SOURCES/kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch new file mode 100644 index 0000000..6efcc59 --- /dev/null +++ b/SOURCES/kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch 
@@ -0,0 +1,112 @@ +From 04a8a3d76b171deb5eaf8318591e5cfaea3cc843 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 23 Feb 2017 14:29:44 +0100 +Subject: [PATCH 14/17] target-i386: Loop-based copying and setting/unsetting + of feature words +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Eduardo Habkost +Message-id: <20170223142945.17790-14-ehabkost@redhat.com> +Patchwork-id: 74045 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 13/14] target-i386: Loop-based copying and setting/unsetting of feature words +Bugzilla: 1382122 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +Now that we have the feature word arrays, we don't need to manually copy +each array item, we can simply iterate through each feature word. + +Signed-off-by: Eduardo Habkost +Signed-off-by: Andreas Färber +(cherry picked from commit e1c224b4eb3b8693c230bb2762a959ae1f531f76) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 44 ++++++++++---------------------------------- + 1 file changed, 10 insertions(+), 34 deletions(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index d611062..010b95f 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -1755,6 +1755,7 @@ static inline void feat2prop(char *s) + static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp) + { + char *featurestr; /* Single 'key=value" string being parsed */ ++ FeatureWord w; + /* Features to be added */ + FeatureWordArray plus_features = { 0 }; + /* Features to be removed */ +@@ -1844,28 +1845,11 @@ static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp) + } + featurestr = strtok(NULL, ","); + } +- env->features[FEAT_1_EDX] |= plus_features[FEAT_1_EDX]; +- env->features[FEAT_1_ECX] |= plus_features[FEAT_1_ECX]; +- env->features[FEAT_8000_0001_EDX] |= plus_features[FEAT_8000_0001_EDX]; +- env->features[FEAT_8000_0001_ECX] |= 
plus_features[FEAT_8000_0001_ECX]; +- env->features[FEAT_C000_0001_EDX] |= plus_features[FEAT_C000_0001_EDX]; +- env->features[FEAT_KVM] |= plus_features[FEAT_KVM]; +- env->features[FEAT_SVM] |= plus_features[FEAT_SVM]; +- env->features[FEAT_7_0_EBX] |= plus_features[FEAT_7_0_EBX]; +- env->features[FEAT_7_0_ECX] |= plus_features[FEAT_7_0_ECX]; +- env->features[FEAT_7_0_EDX] |= plus_features[FEAT_7_0_EDX]; +- env->features[FEAT_XSAVE] |= plus_features[FEAT_XSAVE]; +- env->features[FEAT_1_EDX] &= ~minus_features[FEAT_1_EDX]; +- env->features[FEAT_1_ECX] &= ~minus_features[FEAT_1_ECX]; +- env->features[FEAT_8000_0001_EDX] &= ~minus_features[FEAT_8000_0001_EDX]; +- env->features[FEAT_8000_0001_ECX] &= ~minus_features[FEAT_8000_0001_ECX]; +- env->features[FEAT_C000_0001_EDX] &= ~minus_features[FEAT_C000_0001_EDX]; +- env->features[FEAT_KVM] &= ~minus_features[FEAT_KVM]; +- env->features[FEAT_SVM] &= ~minus_features[FEAT_SVM]; +- env->features[FEAT_7_0_EBX] &= ~minus_features[FEAT_7_0_EBX]; +- env->features[FEAT_7_0_ECX] &= ~minus_features[FEAT_7_0_ECX]; +- env->features[FEAT_7_0_EDX] &= ~minus_features[FEAT_7_0_EDX]; +- env->features[FEAT_XSAVE] &= ~minus_features[FEAT_XSAVE]; ++ ++ for (w = 0; w < FEATURE_WORDS; w++) { ++ env->features[w] |= plus_features[w]; ++ env->features[w] &= ~minus_features[w]; ++ } + + out: + return; +@@ -1974,6 +1958,7 @@ static void cpu_x86_register(X86CPU *cpu, const char *name, Error **errp) + { + CPUX86State *env = &cpu->env; + x86_def_t def1, *def = &def1; ++ FeatureWord w; + + memset(def, 0, sizeof(*def)); + +@@ -1992,21 +1977,12 @@ static void cpu_x86_register(X86CPU *cpu, const char *name, Error **errp) + object_property_set_int(OBJECT(cpu), def->family, "family", errp); + object_property_set_int(OBJECT(cpu), def->model, "model", errp); + object_property_set_int(OBJECT(cpu), def->stepping, "stepping", errp); +- env->features[FEAT_1_EDX] = def->features[FEAT_1_EDX]; +- env->features[FEAT_1_ECX] = def->features[FEAT_1_ECX]; +- 
env->features[FEAT_8000_0001_EDX] = def->features[FEAT_8000_0001_EDX]; +- env->features[FEAT_8000_0001_ECX] = def->features[FEAT_8000_0001_ECX]; + object_property_set_int(OBJECT(cpu), def->xlevel, "xlevel", errp); +- env->features[FEAT_KVM] = def->features[FEAT_KVM]; +- env->features[FEAT_SVM] = def->features[FEAT_SVM]; +- env->features[FEAT_C000_0001_EDX] = def->features[FEAT_C000_0001_EDX]; +- env->features[FEAT_7_0_EBX] = def->features[FEAT_7_0_EBX]; +- env->features[FEAT_7_0_ECX] = def->features[FEAT_7_0_ECX]; +- env->features[FEAT_7_0_EDX] = def->features[FEAT_7_0_EDX]; +- env->features[FEAT_XSAVE] = def->features[FEAT_XSAVE]; + env->cpuid_xlevel2 = def->xlevel2; +- + object_property_set_str(OBJECT(cpu), def->model_id, "model-id", errp); ++ for (w = 0; w < FEATURE_WORDS; w++) { ++ env->features[w] = def->features[w]; ++ } + } + + X86CPU *cpu_x86_create(const char *cpu_model, DeviceState *icc_bridge, +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch b/SOURCES/kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch new file mode 100644 index 0000000..5b90519 --- /dev/null +++ b/SOURCES/kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch 
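Review bot: The merged loop in `cpu_x86_parse_featurestr()` keeps an ordering rule that is no longer obvious from the code: within each word `plus_features` is OR-ed in first and `minus_features` is cleared afterwards, so a bit named in both lists ends up disabled. A short comment above the `&= ~minus_features[w]` line would keep a later refactor from swapping the two statements, e.g. `/* apply removals last: "-feat" overrides "+feat" for the same bit */`. In `cpu_x86_register()` the feature copy now runs after all the `object_property_set_*()` calls instead of between them. That looks harmless in the visible lines, but it relies on none of those setters reading `env->features`, which the hunk does not show.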
@@ -0,0 +1,127 @@ +From 91e436476830a82f429e1df848ea751280580b46 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 23 Feb 2017 14:29:45 +0100 +Subject: [PATCH 15/17] target-i386: Loop-based feature word filtering in TCG + mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Eduardo Habkost +Message-id: <20170223142945.17790-15-ehabkost@redhat.com> +Patchwork-id: 74046 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 14/14] target-i386: Loop-based feature word filtering in TCG mode +Bugzilla: 1382122 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +Instead of manually filtering each feature word, add a tcg_features +field to FeatureWordInfo, and use that field to filter all feature words +in TCG mode. + +Reviewed-by: Richard Henderson +Signed-off-by: Eduardo Habkost +Signed-off-by: Andreas Färber +(cherry picked from commit 37ce3522cb88c524caec57cb52a4bfbb880abbe5) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index 010b95f..38056eb 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -254,54 +254,65 @@ typedef struct FeatureWordInfo { + bool cpuid_needs_ecx; /* CPUID instruction uses ECX as input */ + uint32_t cpuid_ecx; /* Input ECX value for CPUID */ + int cpuid_reg; /* output register (R_* constant) */ ++ uint32_t tcg_features; /* Feature flags supported by TCG */ + } FeatureWordInfo; + + static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + [FEAT_1_EDX] = { + .feat_names = feature_name, + .cpuid_eax = 1, .cpuid_reg = R_EDX, ++ .tcg_features = TCG_FEATURES, + }, + [FEAT_1_ECX] = { + .feat_names = ext_feature_name, + .cpuid_eax = 1, .cpuid_reg = R_ECX, ++ .tcg_features = TCG_EXT_FEATURES, + }, + [FEAT_8000_0001_EDX] = { + .feat_names = ext2_feature_name, + .cpuid_eax 
= 0x80000001, .cpuid_reg = R_EDX, ++ .tcg_features = TCG_EXT2_FEATURES, + }, + [FEAT_8000_0001_ECX] = { + .feat_names = ext3_feature_name, + .cpuid_eax = 0x80000001, .cpuid_reg = R_ECX, ++ .tcg_features = TCG_EXT3_FEATURES, + }, + [FEAT_C000_0001_EDX] = { + .feat_names = ext4_feature_name, + .cpuid_eax = 0xC0000001, .cpuid_reg = R_EDX, ++ .tcg_features = TCG_EXT4_FEATURES, + }, + [FEAT_KVM] = { + .feat_names = kvm_feature_name, + .cpuid_eax = KVM_CPUID_FEATURES, .cpuid_reg = R_EAX, ++ .tcg_features = TCG_KVM_FEATURES, + }, + [FEAT_SVM] = { + .feat_names = svm_feature_name, + .cpuid_eax = 0x8000000A, .cpuid_reg = R_EDX, ++ .tcg_features = TCG_SVM_FEATURES, + }, + [FEAT_7_0_EBX] = { + .feat_names = cpuid_7_0_ebx_feature_name, + .cpuid_eax = 7, + .cpuid_needs_ecx = true, .cpuid_ecx = 0, + .cpuid_reg = R_EBX, ++ .tcg_features = TCG_7_0_EBX_FEATURES, + }, + [FEAT_7_0_ECX] = { + .feat_names = cpuid_7_0_ecx_feature_name, + .cpuid_eax = 7, + .cpuid_needs_ecx = true, .cpuid_ecx = 0, + .cpuid_reg = R_ECX, ++ .tcg_features = TCG_7_0_ECX_FEATURES, + }, + [FEAT_7_0_EDX] = { + .feat_names = cpuid_7_0_edx_feature_name, + .cpuid_eax = 7, + .cpuid_needs_ecx = true, .cpuid_ecx = 0, + .cpuid_reg = R_EDX, ++ .tcg_features = TCG_7_0_EDX_FEATURES, + }, + [FEAT_XSAVE] = { + .feat_names = cpuid_xsave_feature_name, +@@ -2617,17 +2628,10 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp) + } + + if (!kvm_enabled()) { +- env->features[FEAT_1_EDX] &= TCG_FEATURES; +- env->features[FEAT_1_ECX] &= TCG_EXT_FEATURES; +- env->features[FEAT_7_0_EBX] &= TCG_7_0_EBX_FEATURES; +- env->features[FEAT_8000_0001_EDX] &= TCG_EXT2_FEATURES; +- env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES; +- env->features[FEAT_SVM] &= TCG_SVM_FEATURES; +- env->features[FEAT_KVM] &= TCG_KVM_FEATURES; +- env->features[FEAT_C000_0001_EDX] &= TCG_EXT4_FEATURES; +- env->features[FEAT_XSAVE] = 0; +- env->features[FEAT_7_0_ECX] &= TCG_7_0_ECX_FEATURES; +- env->features[FEAT_7_0_EDX] &= TCG_7_0_EDX_FEATURES; 
++ FeatureWord w; ++ for (w = 0; w < FEATURE_WORDS; w++) { ++ env->features[w] &= feature_word_info[w].tcg_features; ++ } + } else { + KVMState *s = kvm_state; + if ((cpu->check_cpuid || cpu->enforce_cpuid) +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch b/SOURCES/kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch new file mode 100644 index 0000000..2683994 --- /dev/null +++ b/SOURCES/kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch 
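Review bot: `FEAT_XSAVE` gets no `.tcg_features` initializer in the `feature_word_info[]` changes, so the new loop in `x86_cpu_realizefn()` clears that word only because the omitted field is zero-initialized. This replaces the explicit `env->features[FEAT_XSAVE] = 0;` that the patch removes. The result is the same and it fails closed (a feature word without a mask exposes nothing under TCG), but the intent is now implicit. I would spell it out in the table by adding `.tcg_features = 0, /* no XSAVE sub-features under TCG */` to the `[FEAT_XSAVE]` entry, whose remainder lies outside the hunk.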
@@ -0,0 +1,69 @@ +From 6e553d9996682836a35a1020e9d992c856236342 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 23 Feb 2017 14:29:40 +0100 +Subject: [PATCH 10/17] target-i386: Make TCG feature filtering more readable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Eduardo Habkost +Message-id: <20170223142945.17790-10-ehabkost@redhat.com> +Patchwork-id: 74041 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 09/14] target-i386: Make TCG feature filtering more readable +Bugzilla: 1382122 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +Instead of an #ifdef in the middle of the code, just set +TCG_EXT2_FEATURES to a different value depending on TARGET_X86_64. + +Reviewed-by: Richard Henderson +Signed-off-by: Eduardo Habkost +Signed-off-by: Andreas Färber +(cherry picked from commit a42d9938a162c3e3c9e441d1927dca5bd59167d9) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index bb8abf7..e32d4d7 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -486,9 +486,17 @@ typedef struct x86_def_t { + CPUID_EXT_X2APIC, CPUID_EXT_TSC_DEADLINE_TIMER, CPUID_EXT_XSAVE, + CPUID_EXT_OSXSAVE, CPUID_EXT_AVX, CPUID_EXT_F16C, + CPUID_EXT_RDRAND */ ++ ++#ifdef TARGET_X86_64 ++#define TCG_EXT2_X86_64_FEATURES (CPUID_EXT2_SYSCALL | CPUID_EXT2_LM) ++#else ++#define TCG_EXT2_X86_64_FEATURES 0 ++#endif ++ + #define TCG_EXT2_FEATURES ((TCG_FEATURES & CPUID_EXT2_AMD_ALIASES) | \ + CPUID_EXT2_NX | CPUID_EXT2_MMXEXT | CPUID_EXT2_RDTSCP | \ +- CPUID_EXT2_3DNOW | CPUID_EXT2_3DNOWEXT) ++ CPUID_EXT2_3DNOW | CPUID_EXT2_3DNOWEXT | \ ++ TCG_EXT2_X86_64_FEATURES) + /* missing: + CPUID_EXT2_PDPE1GB */ + #define TCG_EXT3_FEATURES (CPUID_EXT3_LAHF_LM | CPUID_EXT3_SVM | \ +@@ -2632,11 +2640,7 @@ static void 
x86_cpu_realizefn(DeviceState *dev, Error **errp) + if (!kvm_enabled()) { + env->features[FEAT_1_EDX] &= TCG_FEATURES; + env->features[FEAT_1_ECX] &= TCG_EXT_FEATURES; +- env->features[FEAT_8000_0001_EDX] &= (TCG_EXT2_FEATURES +-#ifdef TARGET_X86_64 +- | CPUID_EXT2_SYSCALL | CPUID_EXT2_LM +-#endif +- ); ++ env->features[FEAT_8000_0001_EDX] &= TCG_EXT2_FEATURES; + env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES; + env->features[FEAT_SVM] &= TCG_SVM_FEATURES; + env->features[FEAT_XSAVE] = 0; +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-add-Ivy-Bridge-CPU-model.patch b/SOURCES/kvm-target-i386-add-Ivy-Bridge-CPU-model.patch new file mode 100644 index 0000000..d211806 --- /dev/null +++ b/SOURCES/kvm-target-i386-add-Ivy-Bridge-CPU-model.patch 
@@ -0,0 +1,73 @@ +From 8075eadce1f9f144ae2e2fcf23c1890943caf1f8 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Wed, 22 Feb 2017 21:11:07 +0100 +Subject: [PATCH 01/17] target-i386: add Ivy Bridge CPU model + +RH-Author: Eduardo Habkost +Message-id: <20170222211107.29696-1-ehabkost@redhat.com> +Patchwork-id: 74028 +O-Subject: [RHEL-7.4 qemu-kvm PATCH] target-i386: add Ivy Bridge CPU model +Bugzilla: 1368375 +RH-Acked-by: Bandan Das +RH-Acked-by: Igor Mammedov +RH-Acked-by: Paolo Bonzini + +From: Paolo Bonzini + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1368375 +Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12606134 + +Signed-off-by: Paolo Bonzini +(cherry picked from commit 2f9ac42acf4602453d5839221df6cc7cabc3355e) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index 476306d..c3c8306 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -878,6 +878,38 @@ static x86_def_t builtin_x86_defs[] = { + .model_id = "Intel Xeon E312xx (Sandy Bridge)", + }, + { ++ .name = "IvyBridge", ++ .level = 0xd, ++ .vendor = CPUID_VENDOR_INTEL, ++ .family = 6, ++ .model = 58, ++ .stepping = 9, ++ .features[FEAT_1_EDX] = ++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX | ++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA | ++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 | ++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE | ++ CPUID_DE | CPUID_FP87, ++ .features[FEAT_1_ECX] = ++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES | ++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_POPCNT | ++ CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 | ++ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_PCLMULQDQ | ++ CPUID_EXT_SSE3 | CPUID_EXT_F16C | CPUID_EXT_RDRAND, ++ .features[FEAT_7_0_EBX] = ++ CPUID_7_0_EBX_FSGSBASE | 
CPUID_7_0_EBX_SMEP | ++ CPUID_7_0_EBX_ERMS, ++ .features[FEAT_8000_0001_EDX] = ++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX | ++ CPUID_EXT2_SYSCALL, ++ .features[FEAT_8000_0001_ECX] = ++ CPUID_EXT3_LAHF_LM, ++ .features[FEAT_XSAVE] = ++ CPUID_XSAVE_XSAVEOPT, ++ .xlevel = 0x8000000A, ++ .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge)", ++ }, ++ { + .name = "Haswell", + .level = 0xd, + .vendor = CPUID_VENDOR_INTEL, +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-get-set-migrate-XSAVES-state.patch b/SOURCES/kvm-target-i386-get-set-migrate-XSAVES-state.patch new file mode 100644 index 0000000..760ac99 --- /dev/null +++ b/SOURCES/kvm-target-i386-get-set-migrate-XSAVES-state.patch 
@@ -0,0 +1,170 @@
+From a824033fdc6956ee449f49f6d1a74ebfb21d0700 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Fri, 31 Mar 2017 11:37:37 +0200
+Subject: [PATCH 1/4] target-i386: get/set/migrate XSAVES state
+
+RH-Author: Eduardo Habkost
+Message-id: <20170331113737.9930-1-ehabkost@redhat.com>
+Patchwork-id: 74596
+O-Subject: [RHEL-7.4 qemu-kvm PATCH] target-i386: get/set/migrate XSAVES state
+Bugzilla: 1327593
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Bandan Das
+RH-Acked-by: David Hildenbrand
+
+From: Wanpeng Li
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1327593
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=12913269
+
+Add xsaves related definition, it also adds corresponding part
+to kvm_get/put, and vmstate.
+
+Backport notes:
+* As we didn't have unmigratable_flags yet, our backport
+ of upstream commit 0bb0b2d2fe7f645ddaf1f0ff40ac669c9feb4aa1
+ (commit 5fcaf5176d7545518c76f3aa8ea7ce6fb063c62d) didn't
+ include "xsaves" cpuid_xsave_feature_name[]. This patch now
+ adds "xsave" to cpuid_xsave_feature_name[].
+
+Signed-off-by: Wanpeng Li
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit 18cd2c17b5370369a886155c001da0a7f54bbcca)
+Signed-off-by: Eduardo Habkost
+Signed-off-by: Miroslav Rezanina
+---
+ target-i386/cpu.c | 2 +-
+ target-i386/cpu.h | 2 ++
+ target-i386/kvm.c | 15 +++++++++++++++
+ target-i386/machine.c | 21 +++++++++++++++++++++
+ 4 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 33f0997..ae56995 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -177,7 +177,7 @@ static const char *cpuid_7_0_edx_feature_name[] = {
+ };
+
+ static const char *cpuid_xsave_feature_name[] = {
+- "xsaveopt", "xsavec", "xgetbv1", NULL,
++ "xsaveopt", "xsavec", "xgetbv1", "xsaves",
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index f04deb4..ac60309 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -384,6 +384,7 @@
+ #define MSR_VM_HSAVE_PA 0xc0010117
+
+ #define MSR_IA32_BNDCFGS 0x00000d90
++#define MSR_IA32_XSS 0x00000da0
+
+ #define XSTATE_FP (1ULL << 0)
+ #define XSTATE_SSE (1ULL << 1)
+@@ -1026,6 +1027,7 @@ typedef struct CPUX86State {
+ uint64_t xstate_bv;
+
+ uint64_t xcr0;
++ uint64_t xss;
+
+ TPRAccess tpr_access_type;
+ } CPUX86State;
+diff --git a/target-i386/kvm.c b/target-i386/kvm.c
+index e1b0ca2..6a479f4 100644
+--- a/target-i386/kvm.c
++++ b/target-i386/kvm.c
+@@ -76,6 +76,7 @@ static bool has_msr_hv_hypercall;
+ static bool has_msr_hv_vapic;
+ static bool has_msr_hv_tsc;
+ static bool has_msr_mtrr;
++static bool has_msr_xss;
+
+ static bool has_msr_architectural_pmu;
+ static uint32_t num_architectural_pmu_counters;
+@@ -795,6 +796,10 @@ static int kvm_get_supported_msrs(KVMState *s)
+ has_msr_bndcfgs = true;
+ continue;
+ }
++ if (kvm_msr_list->indices[i] == MSR_IA32_XSS) {
++ has_msr_xss = true;
++ continue;
++ }
+ }
+ }
+
+@@ -1177,6 +1182,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+ if (has_msr_bndcfgs) {
+ kvm_msr_entry_set(&msrs[n++], MSR_IA32_BNDCFGS, env->msr_bndcfgs);
+ }
++ if (has_msr_xss) {
++ kvm_msr_entry_set(&msrs[n++], MSR_IA32_XSS, env->xss);
++ }
+ #ifdef TARGET_X86_64
+ if (lm_capable_kernel) {
+ kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar);
+@@ -1530,6 +1538,10 @@ static int kvm_get_msrs(X86CPU *cpu)
+ if (has_msr_bndcfgs) {
+ msrs[n++].index = MSR_IA32_BNDCFGS;
+ }
++ if (has_msr_xss) {
++ msrs[n++].index = MSR_IA32_XSS;
++ }
++
+
+ if (!env->tsc_valid) {
+ msrs[n++].index = MSR_IA32_TSC;
+@@ -1677,6 +1689,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+ case MSR_IA32_BNDCFGS:
+ env->msr_bndcfgs = msrs[i].data;
+ break;
++ case MSR_IA32_XSS:
++ env->xss = msrs[i].data;
++ break;
+ default:
+ if (msrs[i].index >= MSR_MC0_CTL &&
+ msrs[i].index < MSR_MC0_CTL + (env->mcg_cap & 0xff) * 4) {
+diff --git a/target-i386/machine.c b/target-i386/machine.c
+index 2c97002..ce7fcd3 100644
+--- a/target-i386/machine.c
++++ b/target-i386/machine.c
+@@ -704,6 +704,24 @@ static const VMStateDescription vmstate_avx512 = {
+ }
+ };
+
++static bool xss_needed(void *opaque)
++{
++ X86CPU *cpu = opaque;
++ CPUX86State *env = &cpu->env;
++
++ return env->xss != 0;
++}
++
++static const VMStateDescription vmstate_xss = {
++ .name = "cpu/xss",
++ .version_id = 1,
++ .minimum_version_id = 1,
++ .fields = (VMStateField[]) {
++ VMSTATE_UINT64(env.xss, X86CPU),
++ VMSTATE_END_OF_LIST()
++ }
++};
++
+ const VMStateDescription vmstate_x86_cpu = {
+ .name = "cpu",
+ .version_id = 12,
+@@ -850,6 +868,9 @@ const VMStateDescription vmstate_x86_cpu = {
+ }, {
+ .vmsd = &vmstate_avx512,
+ .needed = avx512_needed,
++ }, {
++ .vmsd = &vmstate_xss,
++ .needed = xss_needed,
+ } , {
+ /* empty */
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch b/SOURCES/kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch
new file mode 100644
index 0000000..ce9514e
--- /dev/null
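Review bot: In the kvm.c hunks `env->xss` reaches the host only under `if (has_msr_xss)`, while the new `cpu/xss` subsection in machine.c loads the field unconditionally and has no `post_load` hook, so a non-zero XSS arriving on a destination whose KVM does not list MSR_IA32_XSS would apparently be dropped without any error. If that reading is right, the incoming side should fail the migration instead of resuming the guest with different supervisor-state settings; since `has_msr_xss` is static to kvm.c, that would need a small accessor the `vmstate_xss` load path can call. The `kvm_get_msrs` hunk also leaves two blank lines after the new `if (has_msr_xss)` block where one is enough. The enclosing functions start and end outside the hunks.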
+++ b/SOURCES/kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch 
@@ -0,0 +1,114 @@
+From 6d76a3d10423f99561a431964637b58d7e5f2e77 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Thu, 23 Feb 2017 14:29:39 +0100
+Subject: [PATCH 09/17] target-i386: kvm_check_features_against_host(): Kill
+ feature word array
+
+RH-Author: Eduardo Habkost
+Message-id: <20170223142945.17790-9-ehabkost@redhat.com>
+Patchwork-id: 74039
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 08/14] target-i386: kvm_check_features_against_host(): Kill feature word array
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Igor Mammedov
+RH-Acked-by: Miroslav Rezanina
+
+We don't need the ft[] array on kvm_check_features_against_host()
+anymore, as we can simply use the feature_word_info[] array, that has
+everything we need.
+
+Signed-off-by: Eduardo Habkost
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit f0b9b11164482a8a2283dee25cecc4a4c531259e)
+Signed-off-by: Eduardo Habkost
+Signed-off-by: Miroslav Rezanina
+---
+ target-i386/cpu.c | 57 ++++++++++++---------------------------------------------
+ 1 file changed, 12 insertions(+), 45 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 22ad4f9..bb8abf7 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1303,57 +1303,23 @@ static int unavailable_host_feature(FeatureWordInfo *f, uint32_t mask)
+ *
+ * This function may be called only if KVM is enabled.
+ */
+-static int kvm_check_features_against_host(X86CPU *cpu)
++static int kvm_check_features_against_host(KVMState *s, X86CPU *cpu)
+ {
+ CPUX86State *env = &cpu->env;
+- x86_def_t host_def;
+- uint32_t mask;
+- int rv, i;
+- struct model_features_t ft[] = {
+- {&env->features[FEAT_1_EDX],
+- &host_def.features[FEAT_1_EDX],
+- FEAT_1_EDX },
+- {&env->features[FEAT_1_ECX],
+- &host_def.features[FEAT_1_ECX],
+- FEAT_1_ECX },
+- {&env->features[FEAT_8000_0001_EDX],
+- &host_def.features[FEAT_8000_0001_EDX],
+- FEAT_8000_0001_EDX },
+- {&env->features[FEAT_8000_0001_ECX],
+- &host_def.features[FEAT_8000_0001_ECX],
+- FEAT_8000_0001_ECX },
+- {&env->features[FEAT_C000_0001_EDX],
+- &host_def.features[FEAT_C000_0001_EDX],
+- FEAT_C000_0001_EDX },
+- {&env->features[FEAT_7_0_EBX],
+- &host_def.features[FEAT_7_0_EBX],
+- FEAT_7_0_EBX },
+- {&env->features[FEAT_7_0_ECX],
+- &host_def.features[FEAT_7_0_ECX],
+- FEAT_7_0_ECX },
+- {&env->features[FEAT_7_0_EDX],
+- &host_def.features[FEAT_7_0_EDX],
+- FEAT_7_0_EDX },
+- {&env->features[FEAT_XSAVE],
+- &host_def.features[FEAT_XSAVE],
+- FEAT_XSAVE },
+- {&env->features[FEAT_SVM],
+- &host_def.features[FEAT_SVM],
+- FEAT_SVM },
+- {&env->features[FEAT_KVM],
+- &host_def.features[FEAT_KVM],
+- FEAT_KVM },
+- };
++ int rv = 0;
++ FeatureWord w;
+
+ assert(kvm_enabled());
+
+- kvm_cpu_fill_host(&host_def);
+- for (rv = 0, i = 0; i < ARRAY_SIZE(ft); ++i) {
+- FeatureWord w = ft[i].feat_word;
++ for (w = 0; w < FEATURE_WORDS; w++) {
+ FeatureWordInfo *wi = &feature_word_info[w];
++ uint32_t guest_feat = env->features[w];
++ uint32_t host_feat = kvm_arch_get_supported_cpuid(s, wi->cpuid_eax,
++ wi->cpuid_ecx,
++ wi->cpuid_reg);
++ uint32_t mask;
+ for (mask = 1; mask; mask <<= 1) {
+- if (*ft[i].guest_feat & mask &&
+- !(*ft[i].host_feat & mask)) {
++ if (guest_feat & mask && !(host_feat & mask)) {
+ unavailable_host_feature(wi, mask);
+ rv = 1;
+ }
+@@ -2677,8 +2643,9 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+ env->features[FEAT_7_0_ECX] &= TCG_7_0_ECX_FEATURES;
+ env->features[FEAT_7_0_EDX] &= TCG_7_0_EDX_FEATURES;
+ } else {
++ KVMState *s = kvm_state;
+ if ((cpu->check_cpuid || cpu->enforce_cpuid)
+- && kvm_check_features_against_host(cpu) && cpu->enforce_cpuid) {
++ && kvm_check_features_against_host(s, cpu) && cpu->enforce_cpuid) {
+ error_setg(&local_err,
+ "Host's CPU doesn't support requested features");
+ goto out;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch
new file mode 100644
index 0000000..ab2524c
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch
@@ -0,0 +1,70 @@ +From acedcdc24c0aad54530c0d41958b19981207e803 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 23 Feb 2017 14:29:38 +0100 +Subject: [PATCH 08/17] target-i386: kvm_cpu_fill_host(): Fill feature words in + a loop + +RH-Author: Eduardo Habkost +Message-id: <20170223142945.17790-8-ehabkost@redhat.com> +Patchwork-id: 74038 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 07/14] target-i386: kvm_cpu_fill_host(): Fill feature words in a loop +Bugzilla: 1382122 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +Now that the kvm_cpu_fill_host() code is simplified, we can simply set +the feature word array using a simple loop. + +Signed-off-by: Eduardo Habkost +Signed-off-by: Paolo Bonzini +(cherry picked from commit 2bc65d2b020887da3eb9043ae4f7d133ed85a7fe) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 29 +++++++---------------------- + 1 file changed, 7 insertions(+), 22 deletions(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index 1515b87..22ad4f9 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -1268,28 +1268,13 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def) + + cpu_x86_fill_model_id(x86_cpu_def->model_id); + +- x86_cpu_def->features[FEAT_1_EDX] = +- kvm_arch_get_supported_cpuid(s, 0x1, 0, R_EDX); +- x86_cpu_def->features[FEAT_1_ECX] = +- kvm_arch_get_supported_cpuid(s, 0x1, 0, R_ECX); +- x86_cpu_def->features[FEAT_7_0_EBX] = +- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX); +- x86_cpu_def->features[FEAT_7_0_ECX] = +- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX); +- x86_cpu_def->features[FEAT_7_0_EDX] = +- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX); +- x86_cpu_def->features[FEAT_XSAVE] = +- kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX); +- x86_cpu_def->features[FEAT_8000_0001_EDX] = +- kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX); +- x86_cpu_def->features[FEAT_8000_0001_ECX] = +- kvm_arch_get_supported_cpuid(s, 
0x80000001, 0, R_ECX); +- x86_cpu_def->features[FEAT_C000_0001_EDX] = +- kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX); +- x86_cpu_def->features[FEAT_SVM] = +- kvm_arch_get_supported_cpuid(s, 0x8000000A, 0, R_EDX); +- x86_cpu_def->features[FEAT_KVM] = +- kvm_arch_get_supported_cpuid(s, KVM_CPUID_FEATURES, 0, R_EAX); ++ FeatureWord w; ++ for (w = 0; w < FEATURE_WORDS; w++) { ++ FeatureWordInfo *wi = &feature_word_info[w]; ++ x86_cpu_def->features[w] = ++ kvm_arch_get_supported_cpuid(s, wi->cpuid_eax, wi->cpuid_ecx, ++ wi->cpuid_reg); ++ } + + #endif /* CONFIG_KVM */ + } +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch new file mode 100644 index 0000000..7956a54 --- /dev/null +++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch 
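Review bot: The new loop matches the removed assignments only if every `feature_word_info[]` entry carries the leaf, sub-leaf and register that used to be hard-coded here; FEAT_XSAVE in particular was read with sub-leaf 1 (`kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX)`), so its table entry has to set `.cpuid_ecx = 1`, which this hunk does not show. A comment above the loop such as `/* leaf, sub-leaf and register come from feature_word_info[]; every word needs a complete entry */` would make that dependency explicit for whoever adds the next feature word. `FeatureWord w;` is also declared after statements in the middle of the function, whereas the other patches in this series declare it at the start of the block. The body of kvm_cpu_fill_host() starts outside the hunk.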
@@ -0,0 +1,46 @@
+From bdde6d373b48144d8b4c1ebb60a3d50d9c31dc87 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Thu, 23 Feb 2017 14:29:33 +0100
+Subject: [PATCH 03/17] target-i386: kvm_cpu_fill_host(): Kill unused code
+
+RH-Author: Eduardo Habkost
+Message-id: <20170223142945.17790-3-ehabkost@redhat.com>
+Patchwork-id: 74034
+O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 02/14] target-i386: kvm_cpu_fill_host(): Kill unused code
+Bugzilla: 1382122
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Igor Mammedov
+RH-Acked-by: Miroslav Rezanina
+
+Those host_cpuid() calls are useless. They are leftovers from when the
+old code using host_cpuid() was removed.
+
+Signed-off-by: Eduardo Habkost
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit 81e207707e7b6204f64451779d752f23777ed451)
+Signed-off-by: Eduardo Habkost
+Signed-off-by: Miroslav Rezanina
+---
+ target-i386/cpu.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 789e687..8a49ff5 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1292,12 +1292,10 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+
+ /* Call Centaur's CPUID instruction. */
+ if (!strcmp(x86_cpu_def->vendor, CPUID_VENDOR_VIA)) {
+- host_cpuid(0xC0000000, 0, &eax, &ebx, &ecx, &edx);
+ eax = kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);
+ if (eax >= 0xC0000001) {
+ /* Support VIA max extended level */
+ x86_cpu_def->xlevel2 = eax;
+- host_cpuid(0xC0000001, 0, &eax, &ebx, &ecx, &edx);
+ x86_cpu_def->features[FEAT_C000_0001_EDX] =
+ kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX);
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch
new file mode 100644
index 0000000..69ebd26
--- /dev/null
+++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch
@@ -0,0 +1,62 @@ +From ce8b0103a1c5cae9030156d9f17daf5dee5ed4c5 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 23 Feb 2017 14:29:35 +0100 +Subject: [PATCH 05/17] target-i386: kvm_cpu_fill_host(): No need to check CPU + vendor + +RH-Author: Eduardo Habkost +Message-id: <20170223142945.17790-5-ehabkost@redhat.com> +Patchwork-id: 74043 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 04/14] target-i386: kvm_cpu_fill_host(): No need to check CPU vendor +Bugzilla: 1382122 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +There's no need to check CPU vendor before calling +kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX), because: + + * The kernel won't return any entry for 0xC0000000 if host CPU vendor + is not Centaur (See kvm_dev_ioctl_get_cpuid() on the kernel code); + * kvm_arch_get_supported_cpuid() will return 0 if no entry is returned + by the kernel for the requested leaf. + +This will simplify the kvm_cpu_fill_host() code a little. + +Signed-off-by: Eduardo Habkost +Signed-off-by: Paolo Bonzini +(cherry picked from commit b73dcfb16fc894041de553ac9f98b9e1640fcf06) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index c82073e..a10055b 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -1285,14 +1285,12 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def) + cpu_x86_fill_model_id(x86_cpu_def->model_id); + + /* Call Centaur's CPUID instruction. 
*/ +- if (!strcmp(x86_cpu_def->vendor, CPUID_VENDOR_VIA)) { +- eax = kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX); +- if (eax >= 0xC0000001) { +- /* Support VIA max extended level */ +- x86_cpu_def->xlevel2 = eax; +- x86_cpu_def->features[FEAT_C000_0001_EDX] = +- kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX); +- } ++ eax = kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX); ++ if (eax >= 0xC0000001) { ++ /* Support VIA max extended level */ ++ x86_cpu_def->xlevel2 = eax; ++ x86_cpu_def->features[FEAT_C000_0001_EDX] = ++ kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX); + } + + /* Other KVM-specific feature fields: */ +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch new file mode 100644 index 0000000..2a6cde8 --- /dev/null +++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch 
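Review bot: With the vendor test removed, the block rests on two facts that now live only in the commit message: KVM returns no entry for leaf 0xC0000000 on a non-Centaur host, and `kvm_arch_get_supported_cpuid()` returns 0 when the kernel supplies no entry. The kept comment `/* Call Centaur's CPUID instruction. */` no longer explains why the call is safe on every host; something like `/* Centaur leaves: KVM reports no entry (read as 0) on other vendors, so no vendor check is needed */` would keep that reasoning next to the code. The same holds for the unconditional CPUID 7 reads in the "No need to check level" patch that follows. kvm_cpu_fill_host() starts and ends outside the hunk.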
@@ -0,0 +1,66 @@ +From 40d8624f4a90769b60ee567035f8231b64c10011 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 23 Feb 2017 14:29:34 +0100 +Subject: [PATCH 04/17] target-i386: kvm_cpu_fill_host(): No need to check + level + +RH-Author: Eduardo Habkost +Message-id: <20170223142945.17790-4-ehabkost@redhat.com> +Patchwork-id: 74035 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 03/14] target-i386: kvm_cpu_fill_host(): No need to check level +Bugzilla: 1382122 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +There's no need to check level (CPUID[0].EAX) before calling +kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX), because: + + * The kernel won't return any entry for CPUID 7 if CPUID[0].EAX is < 7 + on the host (See kvm_dev_ioctl_get_cpuid() on the kernel code); + * kvm_arch_get_supported_cpuid() will return 0 if no entry is returned + by the kernel for the requested leaf. + +This will simplify the kvm_cpu_fill_host() code a little. + +Signed-off-by: Eduardo Habkost +Signed-off-by: Paolo Bonzini +(cherry picked from commit 7171a3933f2ee8cb984fd64c59ca081f39b943a4) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 18 ++++++------------ + 1 file changed, 6 insertions(+), 12 deletions(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index 8a49ff5..c82073e 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -1267,18 +1267,12 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def) + x86_cpu_def->features[FEAT_1_ECX] = + kvm_arch_get_supported_cpuid(s, 0x1, 0, R_ECX); + +- if (x86_cpu_def->level >= 7) { +- x86_cpu_def->features[FEAT_7_0_EBX] = +- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX); +- x86_cpu_def->features[FEAT_7_0_ECX] = +- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX); +- x86_cpu_def->features[FEAT_7_0_EDX] = +- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX); +- } else { +- x86_cpu_def->features[FEAT_7_0_EBX] = 0; +- x86_cpu_def->features[FEAT_7_0_ECX] 
= 0; +- x86_cpu_def->features[FEAT_7_0_EDX] = 0; +- } ++ x86_cpu_def->features[FEAT_7_0_EBX] = ++ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX); ++ x86_cpu_def->features[FEAT_7_0_ECX] = ++ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX); ++ x86_cpu_def->features[FEAT_7_0_EDX] = ++ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX); + x86_cpu_def->features[FEAT_XSAVE] = + kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX); + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch new file mode 100644 index 0000000..3accad7 --- /dev/null +++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch 
@@ -0,0 +1,68 @@ +From f51c618ce3598d9a6a3256e4dd2b9dd3164fbc81 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 23 Feb 2017 14:29:36 +0100 +Subject: [PATCH 06/17] target-i386: kvm_cpu_fill_host(): No need to check + xlevel2 + +RH-Author: Eduardo Habkost +Message-id: <20170223142945.17790-6-ehabkost@redhat.com> +Patchwork-id: 74036 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 05/14] target-i386: kvm_cpu_fill_host(): No need to check xlevel2 +Bugzilla: 1382122 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +There's no need to check CPU xlevel2 before calling +kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX), because: + + * The kernel won't return any entry for 0xC0000000 if host CPU vendor + is not Centaur (See kvm_dev_ioctl_get_supported_cpuid() on the kernel + code) + * Similarly, the kernel won't return any entry for 0xC0000001 if + CPUID[0xC0000000].EAX is < 0xC0000001 + * kvm_arch_get_supported_cpuid() will return 0 if no entry is returned + by the kernel for the requested leaf + +For similar reasons, we can simply set x86_cpu_def->xlevel2 directly +instead of making it conditional, because it will be set to 0 CPU vendor +is not Centaur. + +This will simplify the kvm_cpu_fill_host() code a little. + +Signed-off-by: Eduardo Habkost +[Remove unparseable comment. - Paolo] +Signed-off-by: Paolo Bonzini +(cherry picked from commit 803a932706e3ba335d4c98f3577a05cb000f1699) +Signed-off-by: Eduardo Habkost + +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index a10055b..02bd038 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -1285,13 +1285,10 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def) + cpu_x86_fill_model_id(x86_cpu_def->model_id); + + /* Call Centaur's CPUID instruction. 
*/ +- eax = kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX); +- if (eax >= 0xC0000001) { +- /* Support VIA max extended level */ +- x86_cpu_def->xlevel2 = eax; +- x86_cpu_def->features[FEAT_C000_0001_EDX] = +- kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX); +- } ++ x86_cpu_def->xlevel2 = ++ kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX); ++ x86_cpu_def->features[FEAT_C000_0001_EDX] = ++ kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX); + + /* Other KVM-specific feature fields: */ + x86_cpu_def->features[FEAT_SVM] = +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch new file mode 100644 index 0000000..0de6ac3 --- /dev/null +++ b/SOURCES/kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch 
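Review bot: The unconditional `x86_cpu_def->xlevel2 = kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX);` is not strictly equivalent to the removed `if (eax >= 0xC0000001)` guard: a host that reports a non-zero value below 0xC0000001 for that leaf now has that value stored in `xlevel2`, where the old code left the field untouched. The commit message argues only the case where the kernel returns no entry, so either a comment stating that any value below 0xC0000001 is harmless to the later users of `xlevel2`, or keeping the comparison for the `xlevel2` assignment alone, would close the gap. kvm_cpu_fill_host() continues outside the hunk.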
@@ -0,0 +1,82 @@ +From 905a9704d3099a82421850ae172b89f4de2e58b3 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 23 Feb 2017 14:29:37 +0100 +Subject: [PATCH 07/17] target-i386: kvm_cpu_fill_host(): Set all feature words + at end of function + +RH-Author: Eduardo Habkost +Message-id: <20170223142945.17790-7-ehabkost@redhat.com> +Patchwork-id: 74037 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 06/14] target-i386: kvm_cpu_fill_host(): Set all feature words at end of function +Bugzilla: 1382122 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +Reorder the code so all the code that sets x86_cpu_def->features is at +the end of the function. + +Signed-off-by: Eduardo Habkost +Signed-off-by: Paolo Bonzini +(cherry picked from commit 2a573259ebf8b1072707257d547603520d1ed236) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 29 ++++++++++++----------------- + 1 file changed, 12 insertions(+), 17 deletions(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index 02bd038..1515b87 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -1262,35 +1262,30 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def) + x86_cpu_def->stepping = eax & 0x0F; + + x86_cpu_def->level = kvm_arch_get_supported_cpuid(s, 0x0, 0, R_EAX); ++ x86_cpu_def->xlevel = kvm_arch_get_supported_cpuid(s, 0x80000000, 0, R_EAX); ++ x86_cpu_def->xlevel2 = ++ kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX); ++ ++ cpu_x86_fill_model_id(x86_cpu_def->model_id); ++ + x86_cpu_def->features[FEAT_1_EDX] = + kvm_arch_get_supported_cpuid(s, 0x1, 0, R_EDX); + x86_cpu_def->features[FEAT_1_ECX] = + kvm_arch_get_supported_cpuid(s, 0x1, 0, R_ECX); +- + x86_cpu_def->features[FEAT_7_0_EBX] = +- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX); ++ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX); + x86_cpu_def->features[FEAT_7_0_ECX] = +- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX); ++ kvm_arch_get_supported_cpuid(s, 0x7, 
0, R_ECX); + x86_cpu_def->features[FEAT_7_0_EDX] = +- kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX); ++ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX); + x86_cpu_def->features[FEAT_XSAVE] = +- kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX); +- +- x86_cpu_def->xlevel = kvm_arch_get_supported_cpuid(s, 0x80000000, 0, R_EAX); ++ kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX); + x86_cpu_def->features[FEAT_8000_0001_EDX] = +- kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX); ++ kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_EDX); + x86_cpu_def->features[FEAT_8000_0001_ECX] = +- kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_ECX); +- +- cpu_x86_fill_model_id(x86_cpu_def->model_id); +- +- /* Call Centaur's CPUID instruction. */ +- x86_cpu_def->xlevel2 = +- kvm_arch_get_supported_cpuid(s, 0xC0000000, 0, R_EAX); ++ kvm_arch_get_supported_cpuid(s, 0x80000001, 0, R_ECX); + x86_cpu_def->features[FEAT_C000_0001_EDX] = + kvm_arch_get_supported_cpuid(s, 0xC0000001, 0, R_EDX); +- +- /* Other KVM-specific feature fields: */ + x86_cpu_def->features[FEAT_SVM] = + kvm_arch_get_supported_cpuid(s, 0x8000000A, 0, R_EDX); + x86_cpu_def->features[FEAT_KVM] = +-- +1.8.3.1 + diff --git a/SOURCES/kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch b/SOURCES/kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch new file mode 100644 index 0000000..38db6ec --- /dev/null +++ b/SOURCES/kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch 
@@ -0,0 +1,47 @@
+From 6eed761f1505348596f34c915c56e8a98ce7c3af Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Wed, 22 Feb 2017 12:36:20 +0100
+Subject: [PATCH 02/24] ui/vnc: derive cmp_bytes from VNC_DIRTY_PIXELS_PER_BIT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann
+Message-id: <1487766986-6329-3-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73973
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/8] ui/vnc: derive cmp_bytes from VNC_DIRTY_PIXELS_PER_BIT
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth
+RH-Acked-by: Marc-André Lureau
+RH-Acked-by: Laurent Vivier
+
+From: Peter Lieven
+
+this allows for setting VNC_DIRTY_PIXELS_PER_BIT to different
+values than 16 if desired.
+
+Reviewed-by: Wenchao Xia
+Signed-off-by: Peter Lieven
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 6cd859aa8a7fb60fe6edb89e628cddfe25dfe186)
+Signed-off-by: Miroslav Rezanina
+---
+ ui/vnc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 0c799ed..13fb34b 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2709,7 +2709,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd)
+ * Check and copy modified bits from guest to server surface.
+ * Update server dirty map.
+ */
+- cmp_bytes = 64;
++ cmp_bytes = VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES;
+ if (cmp_bytes > vnc_server_fb_stride(vd)) {
+ cmp_bytes = vnc_server_fb_stride(vd);
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-ui-vnc-fix-potential-memory-corruption-issues.patch b/SOURCES/kvm-ui-vnc-fix-potential-memory-corruption-issues.patch
new file mode 100644
index 0000000..ba588c9
--- /dev/null
+++ b/SOURCES/kvm-ui-vnc-fix-potential-memory-corruption-issues.patch
@@ -0,0 +1,407 @@ +From 3d842d39e26560dfb7679d88746c314a3545ca18 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 22 Feb 2017 12:36:24 +0100 +Subject: [PATCH 06/24] ui/vnc: fix potential memory corruption issues +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Gerd Hoffmann +Message-id: <1487766986-6329-7-git-send-email-kraxel@redhat.com> +Patchwork-id: 73977 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 6/8] ui/vnc: fix potential memory corruption issues +Bugzilla: 1377977 +RH-Acked-by: Thomas Huth +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Laurent Vivier + +From: Peter Lieven + +this patch makes the VNC server work correctly if the +server surface and the guest surface have different sizes. + +Basically the server surface is adjusted to not exceed VNC_MAX_WIDTH +x VNC_MAX_HEIGHT and additionally the width is rounded up to multiple of +VNC_DIRTY_PIXELS_PER_BIT. + +If we have a resolution whose width is not dividable by VNC_DIRTY_PIXELS_PER_BIT +we now get a small black bar on the right of the screen. + +If the surface is too big to fit the limits only the upper left area is shown. + +On top of that this fixes 2 memory corruption issues: + +The first was actually discovered during playing +around with a Windows 7 vServer. During resolution +change in Windows 7 it happens sometimes that Windows +changes to an intermediate resolution where +server_stride % cmp_bytes != 0 (in vnc_refresh_server_surface). +This happens only if width % VNC_DIRTY_PIXELS_PER_BIT != 0. + +The second is a theoretical issue, but is maybe exploitable +by the guest. If for some reason the guest surface size is bigger +than VNC_MAX_WIDTH x VNC_MAX_HEIGHT we end up in severe corruption since +this limit is nowhere enforced. 
+ +Signed-off-by: Peter Lieven +Signed-off-by: Gerd Hoffmann +(cherry picked from commit bea60dd7679364493a0d7f5b54316c767cf894ef) +Signed-off-by: Miroslav Rezanina + +Conflicts: + ui/vnc.c [ in pointer_event, input subsystem differences ] +--- + ui/vnc.c | 149 +++++++++++++++++++++++++++++---------------------------------- + ui/vnc.h | 14 +++--- + 2 files changed, 77 insertions(+), 86 deletions(-) + +diff --git a/ui/vnc.c b/ui/vnc.c +index 51f95be..80b7792 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -427,14 +427,10 @@ static void framebuffer_update_request(VncState *vs, int incremental, + static void vnc_refresh(DisplayChangeListener *dcl); + static int vnc_refresh_server_surface(VncDisplay *vd); + +-static void vnc_dpy_update(DisplayChangeListener *dcl, +- int x, int y, int w, int h) +-{ +- VncDisplay *vd = container_of(dcl, VncDisplay, dcl); +- struct VncSurface *s = &vd->guest; +- int width = surface_width(vd->ds); +- int height = surface_height(vd->ds); +- ++static void vnc_set_area_dirty(DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT], ++ VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT), ++ int width, int height, ++ int x, int y, int w, int h) { + /* this is needed this to ensure we updated all affected + * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */ + w += (x % VNC_DIRTY_PIXELS_PER_BIT); +@@ -446,11 +442,22 @@ static void vnc_dpy_update(DisplayChangeListener *dcl, + h = MIN(y + h, height); + + for (; y < h; y++) { +- bitmap_set(s->dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT, ++ bitmap_set(dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT, + DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT)); + } + } + ++static void vnc_dpy_update(DisplayChangeListener *dcl, ++ int x, int y, int w, int h) ++{ ++ VncDisplay *vd = container_of(dcl, VncDisplay, dcl); ++ struct VncSurface *s = &vd->guest; ++ int width = pixman_image_get_width(vd->server); ++ int height = pixman_image_get_height(vd->server); ++ ++ vnc_set_area_dirty(s->dirty, width, height, x, y, w, h); ++} ++ + void vnc_framebuffer_update(VncState *vs, 
int x, int y, int w, int h, + int32_t encoding) + { +@@ -512,17 +519,15 @@ void buffer_advance(Buffer *buf, size_t len) + + static void vnc_desktop_resize(VncState *vs) + { +- DisplaySurface *ds = vs->vd->ds; +- + if (vs->csock == -1 || !vnc_has_feature(vs, VNC_FEATURE_RESIZE)) { + return; + } +- if (vs->client_width == surface_width(ds) && +- vs->client_height == surface_height(ds)) { ++ if (vs->client_width == pixman_image_get_width(vs->vd->server) && ++ vs->client_height == pixman_image_get_height(vs->vd->server)) { + return; + } +- vs->client_width = surface_width(ds); +- vs->client_height = surface_height(ds); ++ vs->client_width = pixman_image_get_width(vs->vd->server); ++ vs->client_height = pixman_image_get_height(vs->vd->server); + vnc_lock_output(vs); + vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE); + vnc_write_u8(vs, 0); +@@ -566,31 +571,24 @@ void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y) + ptr += x * VNC_SERVER_FB_BYTES; + return ptr; + } +-/* this sets only the visible pixels of a dirty bitmap */ +-#define VNC_SET_VISIBLE_PIXELS_DIRTY(bitmap, w, h) {\ +- int y;\ +- memset(bitmap, 0x00, sizeof(bitmap));\ +- for (y = 0; y < h; y++) {\ +- bitmap_set(bitmap[y], 0,\ +- DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));\ +- } \ +- } + + static void vnc_dpy_switch(DisplayChangeListener *dcl, + DisplaySurface *surface) + { + VncDisplay *vd = container_of(dcl, VncDisplay, dcl); + VncState *vs; ++ int width, height; + + vnc_abort_display_jobs(vd); + + /* server surface */ + qemu_pixman_image_unref(vd->server); + vd->ds = surface; ++ width = MIN(VNC_MAX_WIDTH, ROUND_UP(surface_width(vd->ds), ++ VNC_DIRTY_PIXELS_PER_BIT)); ++ height = MIN(VNC_MAX_HEIGHT, surface_height(vd->ds)); + vd->server = pixman_image_create_bits(VNC_SERVER_FB_FORMAT, +- surface_width(vd->ds), +- surface_height(vd->ds), +- NULL, 0); ++ width, height, NULL, 0); + + /* guest surface */ + #if 0 /* FIXME */ +@@ -600,9 +598,9 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl, + 
qemu_pixman_image_unref(vd->guest.fb); + vd->guest.fb = pixman_image_ref(surface->image); + vd->guest.format = surface->format; +- VNC_SET_VISIBLE_PIXELS_DIRTY(vd->guest.dirty, +- surface_width(vd->ds), +- surface_height(vd->ds)); ++ memset(vd->guest.dirty, 0x00, sizeof(vd->guest.dirty)); ++ vnc_set_area_dirty(vd->guest.dirty, width, height, 0, 0, ++ width, height); + + QTAILQ_FOREACH(vs, &vd->clients, next) { + vnc_colordepth(vs); +@@ -610,9 +608,9 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl, + if (vs->vd->cursor) { + vnc_cursor_define(vs); + } +- VNC_SET_VISIBLE_PIXELS_DIRTY(vs->dirty, +- surface_width(vd->ds), +- surface_height(vd->ds)); ++ memset(vs->dirty, 0x00, sizeof(vs->dirty)); ++ vnc_set_area_dirty(vs->dirty, width, height, 0, 0, ++ width, height); + } + } + +@@ -916,8 +914,8 @@ static int vnc_update_client(VncState *vs, int has_dirty) + */ + job = vnc_job_new(vs); + +- height = MIN(pixman_image_get_height(vd->server), vs->client_height); +- width = MIN(pixman_image_get_width(vd->server), vs->client_width); ++ height = pixman_image_get_height(vd->server); ++ width = pixman_image_get_width(vd->server); + + y = 0; + for (;;) { +@@ -1500,8 +1498,8 @@ static void check_pointer_type_change(Notifier *notifier, void *data) + vnc_write_u8(vs, 0); + vnc_write_u16(vs, 1); + vnc_framebuffer_update(vs, absolute, 0, +- surface_width(vs->vd->ds), +- surface_height(vs->vd->ds), ++ pixman_image_get_width(vs->vd->server), ++ pixman_image_get_height(vs->vd->server), + VNC_ENCODING_POINTER_TYPE_CHANGE); + vnc_unlock_output(vs); + vnc_flush(vs); +@@ -1513,8 +1511,8 @@ static void pointer_event(VncState *vs, int button_mask, int x, int y) + { + int buttons = 0; + int dz = 0; +- int width = surface_width(vs->vd->ds); +- int height = surface_height(vs->vd->ds); ++ int width = pixman_image_get_width(vs->vd->server); ++ int height = pixman_image_get_height(vs->vd->server); + + if (button_mask & 0x01) + buttons |= MOUSE_EVENT_LBUTTON; +@@ -1866,29 +1864,18 @@ static 
void ext_key_event(VncState *vs, int down, + } + + static void framebuffer_update_request(VncState *vs, int incremental, +- int x_position, int y_position, +- int w, int h) ++ int x, int y, int w, int h) + { +- int i; +- const size_t width = surface_width(vs->vd->ds) / VNC_DIRTY_PIXELS_PER_BIT; +- const size_t height = surface_height(vs->vd->ds); +- +- if (y_position > height) { +- y_position = height; +- } +- if (y_position + h >= height) { +- h = height - y_position; +- } ++ int width = pixman_image_get_width(vs->vd->server); ++ int height = pixman_image_get_height(vs->vd->server); + + vs->need_update = 1; +- if (!incremental) { +- vs->force_update = 1; +- for (i = 0; i < h; i++) { +- bitmap_set(vs->dirty[y_position + i], 0, width); +- bitmap_clear(vs->dirty[y_position + i], width, +- VNC_DIRTY_BITS - width); +- } ++ ++ if (incremental) { ++ return; + } ++ ++ vnc_set_area_dirty(vs->dirty, width, height, x, y, w, h); + } + + static void send_ext_key_event_ack(VncState *vs) +@@ -1898,8 +1885,8 @@ static void send_ext_key_event_ack(VncState *vs) + vnc_write_u8(vs, 0); + vnc_write_u16(vs, 1); + vnc_framebuffer_update(vs, 0, 0, +- surface_width(vs->vd->ds), +- surface_height(vs->vd->ds), ++ pixman_image_get_width(vs->vd->server), ++ pixman_image_get_height(vs->vd->server), + VNC_ENCODING_EXT_KEY_EVENT); + vnc_unlock_output(vs); + vnc_flush(vs); +@@ -1912,8 +1899,8 @@ static void send_ext_audio_ack(VncState *vs) + vnc_write_u8(vs, 0); + vnc_write_u16(vs, 1); + vnc_framebuffer_update(vs, 0, 0, +- surface_width(vs->vd->ds), +- surface_height(vs->vd->ds), ++ pixman_image_get_width(vs->vd->server), ++ pixman_image_get_height(vs->vd->server), + VNC_ENCODING_AUDIO); + vnc_unlock_output(vs); + vnc_flush(vs); +@@ -2101,8 +2088,8 @@ static void vnc_colordepth(VncState *vs) + vnc_write_u8(vs, 0); + vnc_write_u16(vs, 1); /* number of rects */ + vnc_framebuffer_update(vs, 0, 0, +- surface_width(vs->vd->ds), +- surface_height(vs->vd->ds), ++ pixman_image_get_width(vs->vd->server), 
++ pixman_image_get_height(vs->vd->server), + VNC_ENCODING_WMVi); + pixel_format_message(vs); + vnc_unlock_output(vs); +@@ -2317,8 +2304,8 @@ static int protocol_client_init(VncState *vs, uint8_t *data, size_t len) + } + vnc_set_share_mode(vs, mode); + +- vs->client_width = surface_width(vs->vd->ds); +- vs->client_height = surface_height(vs->vd->ds); ++ vs->client_width = pixman_image_get_width(vs->vd->server); ++ vs->client_height = pixman_image_get_height(vs->vd->server); + vnc_write_u16(vs, vs->client_width); + vnc_write_u16(vs, vs->client_height); + +@@ -2685,12 +2672,12 @@ static void vnc_rect_updated(VncDisplay *vd, int x, int y, struct timeval * tv) + + static int vnc_refresh_server_surface(VncDisplay *vd) + { +- int width = pixman_image_get_width(vd->guest.fb); +- int height = pixman_image_get_height(vd->guest.fb); +- int y; ++ int width = MIN(pixman_image_get_width(vd->guest.fb), ++ pixman_image_get_width(vd->server)); ++ int height = MIN(pixman_image_get_height(vd->guest.fb), ++ pixman_image_get_height(vd->server)); ++ int cmp_bytes, server_stride, min_stride, guest_stride, y = 0; + uint8_t *guest_row0 = NULL, *server_row0; +- int guest_stride = 0, server_stride; +- int cmp_bytes; + VncState *vs; + int has_dirty = 0; + pixman_image_t *tmpbuf = NULL; +@@ -2707,10 +2694,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + * Check and copy modified bits from guest to server surface. + * Update server dirty map. 
+ */ +- cmp_bytes = VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES; +- if (cmp_bytes > vnc_server_fb_stride(vd)) { +- cmp_bytes = vnc_server_fb_stride(vd); +- } ++ server_row0 = (uint8_t *)pixman_image_get_data(vd->server); ++ server_stride = guest_stride = pixman_image_get_stride(vd->server); ++ cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES, ++ server_stride); + if (vd->guest.format != VNC_SERVER_FB_FORMAT) { + int width = pixman_image_get_width(vd->server); + tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width); +@@ -2718,10 +2705,8 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb); + guest_stride = pixman_image_get_stride(vd->guest.fb); + } +- server_row0 = (uint8_t *)pixman_image_get_data(vd->server); +- server_stride = pixman_image_get_stride(vd->server); ++ min_stride = MIN(server_stride, guest_stride); + +- y = 0; + for (;;) { + int x; + uint8_t *guest_ptr, *server_ptr; +@@ -2747,13 +2732,17 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + + for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT); + x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) { ++ int _cmp_bytes = cmp_bytes; + if (!test_and_clear_bit(x, vd->guest.dirty[y])) { + continue; + } +- if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) { ++ if ((x + 1) * cmp_bytes > min_stride) { ++ _cmp_bytes = min_stride - x * cmp_bytes; ++ } ++ if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) { + continue; + } +- memcpy(server_ptr, guest_ptr, cmp_bytes); ++ memcpy(server_ptr, guest_ptr, _cmp_bytes); + if (!vd->non_adaptive) { + vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT, + y, &tv); +diff --git a/ui/vnc.h b/ui/vnc.h +index ebf4bdd..8d534b6 100644 +--- a/ui/vnc.h ++++ b/ui/vnc.h +@@ -77,14 +77,15 @@ typedef void VncSendHextileTile(VncState *vs, + void *last_fg, + int *has_bg, int *has_fg); + +-/* VNC_MAX_WIDTH must be a multiple of 16. 
*/ +-#define VNC_MAX_WIDTH 2560 +-#define VNC_MAX_HEIGHT 2048 +- + /* VNC_DIRTY_PIXELS_PER_BIT is the number of dirty pixels represented +- * by one bit in the dirty bitmap */ ++ * by one bit in the dirty bitmap, should be a power of 2 */ + #define VNC_DIRTY_PIXELS_PER_BIT 16 + ++/* VNC_MAX_WIDTH must be a multiple of VNC_DIRTY_PIXELS_PER_BIT. */ ++ ++#define VNC_MAX_WIDTH ROUND_UP(2560, VNC_DIRTY_PIXELS_PER_BIT) ++#define VNC_MAX_HEIGHT 2048 ++ + /* VNC_DIRTY_BITS is the number of bits in the dirty bitmap. */ + #define VNC_DIRTY_BITS (VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT) + +@@ -126,7 +127,8 @@ typedef struct VncRectStat VncRectStat; + struct VncSurface + { + struct timeval last_freq_check; +- DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT], VNC_MAX_WIDTH / 16); ++ DECLARE_BITMAP(dirty[VNC_MAX_HEIGHT], ++ VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT); + VncRectStat stats[VNC_STAT_ROWS][VNC_STAT_COLS]; + pixman_image_t *fb; + pixman_format_code_t format; +-- +1.8.3.1 + diff --git a/SOURCES/kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch b/SOURCES/kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch new file mode 100644 index 0000000..96479d3 --- /dev/null +++ b/SOURCES/kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch 
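Review bot: In the last ui/vnc.c hunk of this patch (vnc_refresh_server_surface), `_cmp_bytes = min_stride - x * cmp_bytes` is a signed int with no lower bound, and it goes straight into memcmp() and memcpy(), where a negative value converts to a very large size_t. Whether it can go negative depends on the stride returned by `pixman_image_get_stride(vd->guest.fb)`, which the visible hunks never check against `width`. The bound should therefore be explicit, either `if (_cmp_bytes <= 0) { break; }` right after the adjustment or `assert(_cmp_bytes >= 0);`. A name without the leading underscore, such as `row_cmp_bytes`, would also fit the surrounding locals better. The function body starts and ends outside the hunk.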
@@ -0,0 +1,94 @@ +From e35f40730d3d79ebc1870c5716c14f821a67a5ef Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 22 Feb 2017 12:36:23 +0100 +Subject: [PATCH 05/24] ui/vnc: fix vmware VGA incompatiblities +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Gerd Hoffmann +Message-id: <1487766986-6329-6-git-send-email-kraxel@redhat.com> +Patchwork-id: 73976 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 5/8] ui/vnc: fix vmware VGA incompatiblities +Bugzilla: 1377977 +RH-Acked-by: Thomas Huth +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Laurent Vivier + +From: Peter Lieven + +this fixes invalid rectangle updates observed after commit 12b316d +with the vmware VGA driver. The issues occured because the server +and client surface update seems to be out of sync at some points +and the max width of the surface is not dividable by +VNC_DIRTY_BITS_PER_PIXEL (16). + +Reported-by: Serge Hallyn +Signed-off-by: Peter Lieven +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 2f487a3d40faff1772e14da6b921900915501f9a) +Signed-off-by: Miroslav Rezanina +--- + hw/display/vmware_vga.c | 3 ++- + ui/vnc.c | 10 +++++++--- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index df76aec..8e334c0 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -24,6 +24,7 @@ + #include "hw/hw.h" + #include "hw/loader.h" + #include "ui/console.h" ++#include "ui/vnc.h" + #include "hw/pci/pci.h" + + #undef VERBOSE +@@ -209,7 +210,7 @@ enum { + + /* These values can probably be changed arbitrarily. 
*/ + #define SVGA_SCRATCH_SIZE 0x8000 +-#define SVGA_MAX_WIDTH 2360 ++#define SVGA_MAX_WIDTH ROUND_UP(2360, VNC_DIRTY_PIXELS_PER_BIT) + #define SVGA_MAX_HEIGHT 1770 + + #ifdef VERBOSE +diff --git a/ui/vnc.c b/ui/vnc.c +index 2540261..51f95be 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -898,7 +898,7 @@ static int vnc_update_client(VncState *vs, int has_dirty) + VncDisplay *vd = vs->vd; + VncJob *job; + int y; +- int height; ++ int height, width; + int n = 0; + + if (vs->output.offset && !vs->audio_cap && !vs->force_update) +@@ -917,6 +917,7 @@ static int vnc_update_client(VncState *vs, int has_dirty) + job = vnc_job_new(vs); + + height = MIN(pixman_image_get_height(vd->server), vs->client_height); ++ width = MIN(pixman_image_get_width(vd->server), vs->client_width); + + y = 0; + for (;;) { +@@ -935,8 +936,11 @@ static int vnc_update_client(VncState *vs, int has_dirty) + VNC_DIRTY_BPL(vs), x); + bitmap_clear(vs->dirty[y], x, x2 - x); + h = find_and_clear_dirty_height(vs, y, x, x2, height); +- n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y, +- (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h); ++ x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT); ++ if (x2 > x) { ++ n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y, ++ (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h); ++ } + } + + vnc_job_push(job); +-- +1.8.3.1 + diff --git a/SOURCES/kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch b/SOURCES/kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch new file mode 100644 index 0000000..f435ab8 --- /dev/null +++ b/SOURCES/kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch 
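Review bot: In the last ui/vnc.c hunk (vnc_update_client), `x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT)` rounds down and runs after `bitmap_clear(vs->dirty[y], x, x2 - x)`. When `width` is not a multiple of VNC_DIRTY_PIXELS_PER_BIT, the dirty bit of the last partial block is cleared but no rectangle is queued for it. Clamping the rectangle in pixels keeps that column and still stays inside the client area: `int w_px = MIN((int)(x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, width - x * VNC_DIRTY_PIXELS_PER_BIT);` followed by `if (w_px > 0) { n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y, w_px, h); }`. vnc_update_client starts and ends outside the hunks shown, so this is based on the visible lines only.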
@@ -0,0 +1,203 @@ +From fd7f778fd9bd7b99ce790081544b28adede189b2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 22 Feb 2017 12:36:19 +0100 +Subject: [PATCH 01/24] ui/vnc: introduce VNC_DIRTY_PIXELS_PER_BIT macro +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Gerd Hoffmann +Message-id: <1487766986-6329-2-git-send-email-kraxel@redhat.com> +Patchwork-id: 73972 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/8] ui/vnc: introduce VNC_DIRTY_PIXELS_PER_BIT macro +Bugzilla: 1377977 +RH-Acked-by: Thomas Huth +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Laurent Vivier + +From: Peter Lieven + +Signed-off-by: Peter Lieven +Reviewed-by: Wenchao Xia +Signed-off-by: Gerd Hoffmann +(cherry picked from commit b4c85ddcec24c60616aad9b3b7fc36ce19ba3ca4) +Signed-off-by: Miroslav Rezanina +--- + ui/vnc.c | 65 ++++++++++++++++++++++++++++++++++++++++------------------------ + ui/vnc.h | 6 +++++- + 2 files changed, 46 insertions(+), 25 deletions(-) + +diff --git a/ui/vnc.c b/ui/vnc.c +index a0e2d33..0c799ed 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -442,17 +442,19 @@ static void vnc_dpy_update(DisplayChangeListener *dcl, + iteration. 
otherwise, if (x % 16) != 0, the last iteration may span + two 16-pixel blocks but we only mark the first as dirty + */ +- w += (x % 16); +- x -= (x % 16); ++ w += (x % VNC_DIRTY_PIXELS_PER_BIT); ++ x -= (x % VNC_DIRTY_PIXELS_PER_BIT); + + x = MIN(x, width); + y = MIN(y, height); + w = MIN(x + w, width) - x; + h = MIN(h, height); + +- for (; y < h; y++) +- for (i = 0; i < w; i += 16) +- set_bit((x + i) / 16, s->dirty[y]); ++ for (; y < h; y++) { ++ for (i = 0; i < w; i += VNC_DIRTY_PIXELS_PER_BIT) { ++ set_bit((x + i) / VNC_DIRTY_PIXELS_PER_BIT, s->dirty[y]); ++ } ++ } + } + + void vnc_framebuffer_update(VncState *vs, int x, int y, int w, int h, +@@ -769,11 +771,12 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl, + y = dst_y + h - 1; + inc = -1; + } +- w_lim = w - (16 - (dst_x % 16)); +- if (w_lim < 0) ++ w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT)); ++ if (w_lim < 0) { + w_lim = w; +- else +- w_lim = w - (w_lim % 16); ++ } else { ++ w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT); ++ } + for (i = 0; i < h; i++) { + for (x = 0; x <= w_lim; + x += s, src_row += cmp_bytes, dst_row += cmp_bytes) { +@@ -781,10 +784,11 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl, + if ((s = w - w_lim) == 0) + break; + } else if (!x) { +- s = (16 - (dst_x % 16)); ++ s = (VNC_DIRTY_PIXELS_PER_BIT - ++ (dst_x % VNC_DIRTY_PIXELS_PER_BIT)); + s = MIN(s, w_lim); + } else { +- s = 16; ++ s = VNC_DIRTY_PIXELS_PER_BIT; + } + cmp_bytes = s * VNC_SERVER_FB_BYTES; + if (memcmp(src_row, dst_row, cmp_bytes) == 0) +@@ -792,7 +796,8 @@ static void vnc_dpy_copy(DisplayChangeListener *dcl, + memmove(dst_row, src_row, cmp_bytes); + QTAILQ_FOREACH(vs, &vd->clients, next) { + if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) { +- set_bit(((x + dst_x) / 16), vs->dirty[y]); ++ set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT), ++ vs->dirty[y]); + } + } + } +@@ -911,7 +916,7 @@ static int vnc_update_client(VncState *vs, int has_dirty) + for (y = 0; y < height; y++) 
{ + int x; + int last_x = -1; +- for (x = 0; x < width / 16; x++) { ++ for (x = 0; x < width / VNC_DIRTY_PIXELS_PER_BIT; x++) { + if (test_and_clear_bit(x, vs->dirty[y])) { + if (last_x == -1) { + last_x = x; +@@ -921,16 +926,22 @@ static int vnc_update_client(VncState *vs, int has_dirty) + int h = find_and_clear_dirty_height(vs, y, last_x, x, + height); + +- n += vnc_job_add_rect(job, last_x * 16, y, +- (x - last_x) * 16, h); ++ n += vnc_job_add_rect(job, ++ last_x * VNC_DIRTY_PIXELS_PER_BIT, ++ y, ++ (x - last_x) * ++ VNC_DIRTY_PIXELS_PER_BIT, ++ h); + } + last_x = -1; + } + } + if (last_x != -1) { + int h = find_and_clear_dirty_height(vs, y, last_x, x, height); +- n += vnc_job_add_rect(job, last_x * 16, y, +- (x - last_x) * 16, h); ++ n += vnc_job_add_rect(job, last_x * VNC_DIRTY_PIXELS_PER_BIT, ++ y, ++ (x - last_x) * VNC_DIRTY_PIXELS_PER_BIT, ++ h); + } + } + +@@ -1861,7 +1872,7 @@ static void framebuffer_update_request(VncState *vs, int incremental, + int w, int h) + { + int i; +- const size_t width = surface_width(vs->vd->ds) / 16; ++ const size_t width = surface_width(vs->vd->ds) / VNC_DIRTY_PIXELS_PER_BIT; + const size_t height = surface_height(vs->vd->ds); + + if (y_position > height) { +@@ -2573,7 +2584,9 @@ static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y) + + vs->lossy_rect[sty][stx] = 0; + for (j = 0; j < VNC_STAT_RECT; ++j) { +- bitmap_set(vs->dirty[y + j], x / 16, VNC_STAT_RECT / 16); ++ bitmap_set(vs->dirty[y + j], ++ x / VNC_DIRTY_PIXELS_PER_BIT, ++ VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT); + } + has_dirty++; + } +@@ -2720,17 +2733,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + } + server_ptr = server_row; + +- for (x = 0; x + 15 < width; +- x += 16, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) { +- if (!test_and_clear_bit((x / 16), vd->guest.dirty[y])) ++ for (x = 0; x + VNC_DIRTY_PIXELS_PER_BIT - 1 < width; ++ x += VNC_DIRTY_PIXELS_PER_BIT, guest_ptr += cmp_bytes, ++ server_ptr += cmp_bytes) { ++ if 
(!test_and_clear_bit((x / VNC_DIRTY_PIXELS_PER_BIT), ++ vd->guest.dirty[y])) { + continue; +- if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) ++ } ++ if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) { + continue; ++ } + memcpy(server_ptr, guest_ptr, cmp_bytes); + if (!vd->non_adaptive) + vnc_rect_updated(vd, x, y, &tv); + QTAILQ_FOREACH(vs, &vd->clients, next) { +- set_bit((x / 16), vs->dirty[y]); ++ set_bit((x / VNC_DIRTY_PIXELS_PER_BIT), vs->dirty[y]); + } + has_dirty++; + } +diff --git a/ui/vnc.h b/ui/vnc.h +index 0efc5c6..561f383 100644 +--- a/ui/vnc.h ++++ b/ui/vnc.h +@@ -81,8 +81,12 @@ typedef void VncSendHextileTile(VncState *vs, + #define VNC_MAX_WIDTH 2560 + #define VNC_MAX_HEIGHT 2048 + ++/* VNC_DIRTY_PIXELS_PER_BIT is the number of dirty pixels represented ++ * by one bit in the dirty bitmap */ ++#define VNC_DIRTY_PIXELS_PER_BIT 16 ++ + /* VNC_DIRTY_BITS is the number of bits in the dirty bitmap. */ +-#define VNC_DIRTY_BITS (VNC_MAX_WIDTH / 16) ++#define VNC_DIRTY_BITS (VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT) + + #define VNC_STAT_RECT 64 + #define VNC_STAT_COLS (VNC_MAX_WIDTH / VNC_STAT_RECT) +-- +1.8.3.1 + diff --git a/SOURCES/kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch b/SOURCES/kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch new file mode 100644 index 0000000..d45c7a3 --- /dev/null +++ b/SOURCES/kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch 
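Review bot: The comment added for VNC_DIRTY_PIXELS_PER_BIT in ui/vnc.h does not state the constraints this patch places on the value. The vnc_refresh_lossy_rect hunk computes `VNC_STAT_RECT / VNC_DIRTY_PIXELS_PER_BIT` and the header computes `VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT`, both with truncating division, so a value that does not divide them silently marks too few bits. I would extend the comment to `/* VNC_DIRTY_PIXELS_PER_BIT is the number of dirty pixels represented by one bit in the dirty bitmap; it must divide VNC_STAT_RECT and VNC_MAX_WIDTH evenly */`.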
@@ -0,0 +1,287 @@ +From ea939f77fa0b152746821afb017cfef8170e5500 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 22 Feb 2017 12:36:21 +0100 +Subject: [PATCH 03/24] ui/vnc: optimize dirty bitmap tracking +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Gerd Hoffmann +Message-id: <1487766986-6329-4-git-send-email-kraxel@redhat.com> +Patchwork-id: 73979 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/8] ui/vnc: optimize dirty bitmap tracking +Bugzilla: 1377977 +RH-Acked-by: Thomas Huth +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Laurent Vivier + +From: Peter Lieven + +vnc_update_client currently scans the dirty bitmap of each client +bitwise which is a very costly operation if only few bits are dirty. +vnc_refresh_server_surface does almost the same. +this patch optimizes both by utilizing the heavily optimized +function find_next_bit to find the offset of the next dirty +bit in the dirty bitmaps. + +The following artifical test (just the bitmap operation part) running +vnc_update_client 65536 times on a 2560x2048 surface illustrates the +performance difference: + +All bits clean - vnc_update_client_new: 0.07 secs + vnc_update_client_old: 10.98 secs + +All bits dirty - vnc_update_client_new: 11.26 secs + vnc_update_client_old: 20.19 secs + +Few bits dirty - vnc_update_client_new: 0.08 secs + vnc_update_client_old: 10.98 secs + +The case for all bits dirty is still rather slow, this +is due to the implementation of find_and_clear_dirty_height. +This will be addresses in a separate patch. 
+ +Signed-off-by: Peter Lieven +Reviewed-by: Wenchao Xia +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 12b316d4c173bf07f421ef9dc98ba4b53916066e) +Signed-off-by: Miroslav Rezanina +--- + ui/vnc.c | 155 ++++++++++++++++++++++++++++++++++----------------------------- + ui/vnc.h | 4 ++ + 2 files changed, 88 insertions(+), 71 deletions(-) + +diff --git a/ui/vnc.c b/ui/vnc.c +index 13fb34b..54530a2 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -572,6 +572,15 @@ void *vnc_server_fb_ptr(VncDisplay *vd, int x, int y) + ptr += x * VNC_SERVER_FB_BYTES; + return ptr; + } ++/* this sets only the visible pixels of a dirty bitmap */ ++#define VNC_SET_VISIBLE_PIXELS_DIRTY(bitmap, w, h) {\ ++ int y;\ ++ memset(bitmap, 0x00, sizeof(bitmap));\ ++ for (y = 0; y < h; y++) {\ ++ bitmap_set(bitmap[y], 0,\ ++ DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT));\ ++ } \ ++ } + + static void vnc_dpy_switch(DisplayChangeListener *dcl, + DisplaySurface *surface) +@@ -597,7 +606,9 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl, + qemu_pixman_image_unref(vd->guest.fb); + vd->guest.fb = pixman_image_ref(surface->image); + vd->guest.format = surface->format; +- memset(vd->guest.dirty, 0xFF, sizeof(vd->guest.dirty)); ++ VNC_SET_VISIBLE_PIXELS_DIRTY(vd->guest.dirty, ++ surface_width(vd->ds), ++ surface_height(vd->ds)); + + QTAILQ_FOREACH(vs, &vd->clients, next) { + vnc_colordepth(vs); +@@ -605,7 +616,9 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl, + if (vs->vd->cursor) { + vnc_cursor_define(vs); + } +- memset(vs->dirty, 0xFF, sizeof(vs->dirty)); ++ VNC_SET_VISIBLE_PIXELS_DIRTY(vs->dirty, ++ surface_width(vd->ds), ++ surface_height(vd->ds)); + } + } + +@@ -891,10 +904,9 @@ static int vnc_update_client(VncState *vs, int has_dirty) + VncDisplay *vd = vs->vd; + VncJob *job; + int y; +- int width, height; ++ int height; + int n = 0; + +- + if (vs->output.offset && !vs->audio_cap && !vs->force_update) + /* kernel send buffers are full -> drop frames to throttle */ + return 0; +@@ 
-910,39 +922,27 @@ static int vnc_update_client(VncState *vs, int has_dirty) + */ + job = vnc_job_new(vs); + +- width = MIN(pixman_image_get_width(vd->server), vs->client_width); + height = MIN(pixman_image_get_height(vd->server), vs->client_height); + +- for (y = 0; y < height; y++) { +- int x; +- int last_x = -1; +- for (x = 0; x < width / VNC_DIRTY_PIXELS_PER_BIT; x++) { +- if (test_and_clear_bit(x, vs->dirty[y])) { +- if (last_x == -1) { +- last_x = x; +- } +- } else { +- if (last_x != -1) { +- int h = find_and_clear_dirty_height(vs, y, last_x, x, +- height); +- +- n += vnc_job_add_rect(job, +- last_x * VNC_DIRTY_PIXELS_PER_BIT, +- y, +- (x - last_x) * +- VNC_DIRTY_PIXELS_PER_BIT, +- h); +- } +- last_x = -1; +- } +- } +- if (last_x != -1) { +- int h = find_and_clear_dirty_height(vs, y, last_x, x, height); +- n += vnc_job_add_rect(job, last_x * VNC_DIRTY_PIXELS_PER_BIT, +- y, +- (x - last_x) * VNC_DIRTY_PIXELS_PER_BIT, +- h); ++ y = 0; ++ for (;;) { ++ int x, h; ++ unsigned long x2; ++ unsigned long offset = find_next_bit((unsigned long *) &vs->dirty, ++ height * VNC_DIRTY_BPL(vs), ++ y * VNC_DIRTY_BPL(vs)); ++ if (offset == height * VNC_DIRTY_BPL(vs)) { ++ /* no more dirty bits */ ++ break; + } ++ y = offset / VNC_DIRTY_BPL(vs); ++ x = offset % VNC_DIRTY_BPL(vs); ++ x2 = find_next_zero_bit((unsigned long *) &vs->dirty[y], ++ VNC_DIRTY_BPL(vs), x); ++ bitmap_clear(vs->dirty[y], x, x2 - x); ++ h = find_and_clear_dirty_height(vs, y, x, x2, height); ++ n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y, ++ (x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h); + } + + vnc_job_push(job); +@@ -2690,8 +2690,8 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + int width = pixman_image_get_width(vd->guest.fb); + int height = pixman_image_get_height(vd->guest.fb); + int y; +- uint8_t *guest_row; +- uint8_t *server_row; ++ uint8_t *guest_row0 = NULL, *server_row0; ++ int guest_stride = 0, server_stride; + int cmp_bytes; + VncState *vs; + int has_dirty = 0; +@@ -2716,44 
+2716,57 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + if (vd->guest.format != VNC_SERVER_FB_FORMAT) { + int width = pixman_image_get_width(vd->server); + tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width); +- } +- guest_row = (uint8_t *)pixman_image_get_data(vd->guest.fb); +- server_row = (uint8_t *)pixman_image_get_data(vd->server); +- for (y = 0; y < height; y++) { +- if (!bitmap_empty(vd->guest.dirty[y], VNC_DIRTY_BITS)) { +- int x; +- uint8_t *guest_ptr; +- uint8_t *server_ptr; +- +- if (vd->guest.format != VNC_SERVER_FB_FORMAT) { +- qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y); +- guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf); +- } else { +- guest_ptr = guest_row; +- } +- server_ptr = server_row; ++ } else { ++ guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb); ++ guest_stride = pixman_image_get_stride(vd->guest.fb); ++ } ++ server_row0 = (uint8_t *)pixman_image_get_data(vd->server); ++ server_stride = pixman_image_get_stride(vd->server); ++ ++ y = 0; ++ for (;;) { ++ int x; ++ uint8_t *guest_ptr, *server_ptr; ++ unsigned long offset = find_next_bit((unsigned long *) &vd->guest.dirty, ++ height * VNC_DIRTY_BPL(&vd->guest), ++ y * VNC_DIRTY_BPL(&vd->guest)); ++ if (offset == height * VNC_DIRTY_BPL(&vd->guest)) { ++ /* no more dirty bits */ ++ break; ++ } ++ y = offset / VNC_DIRTY_BPL(&vd->guest); ++ x = offset % VNC_DIRTY_BPL(&vd->guest); + +- for (x = 0; x + VNC_DIRTY_PIXELS_PER_BIT - 1 < width; +- x += VNC_DIRTY_PIXELS_PER_BIT, guest_ptr += cmp_bytes, +- server_ptr += cmp_bytes) { +- if (!test_and_clear_bit((x / VNC_DIRTY_PIXELS_PER_BIT), +- vd->guest.dirty[y])) { +- continue; +- } +- if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) { +- continue; +- } +- memcpy(server_ptr, guest_ptr, cmp_bytes); +- if (!vd->non_adaptive) +- vnc_rect_updated(vd, x, y, &tv); +- QTAILQ_FOREACH(vs, &vd->clients, next) { +- set_bit((x / VNC_DIRTY_PIXELS_PER_BIT), vs->dirty[y]); +- } +- has_dirty++; ++ server_ptr = 
server_row0 + y * server_stride + x * cmp_bytes; ++ ++ if (vd->guest.format != VNC_SERVER_FB_FORMAT) { ++ qemu_pixman_linebuf_fill(tmpbuf, vd->guest.fb, width, 0, y); ++ guest_ptr = (uint8_t *)pixman_image_get_data(tmpbuf); ++ } else { ++ guest_ptr = guest_row0 + y * guest_stride; ++ } ++ guest_ptr += x * cmp_bytes; ++ ++ for (; x < DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT); ++ x++, guest_ptr += cmp_bytes, server_ptr += cmp_bytes) { ++ if (!test_and_clear_bit(x, vd->guest.dirty[y])) { ++ continue; ++ } ++ if (memcmp(server_ptr, guest_ptr, cmp_bytes) == 0) { ++ continue; ++ } ++ memcpy(server_ptr, guest_ptr, cmp_bytes); ++ if (!vd->non_adaptive) { ++ vnc_rect_updated(vd, x * VNC_DIRTY_PIXELS_PER_BIT, ++ y, &tv); + } ++ QTAILQ_FOREACH(vs, &vd->clients, next) { ++ set_bit(x, vs->dirty[y]); ++ } ++ has_dirty++; + } +- guest_row += pixman_image_get_stride(vd->guest.fb); +- server_row += pixman_image_get_stride(vd->server); ++ ++ y++; + } + qemu_pixman_image_unref(tmpbuf); + return has_dirty; +diff --git a/ui/vnc.h b/ui/vnc.h +index 561f383..ebf4bdd 100644 +--- a/ui/vnc.h ++++ b/ui/vnc.h +@@ -88,6 +88,10 @@ typedef void VncSendHextileTile(VncState *vs, + /* VNC_DIRTY_BITS is the number of bits in the dirty bitmap. */ + #define VNC_DIRTY_BITS (VNC_MAX_WIDTH / VNC_DIRTY_PIXELS_PER_BIT) + ++/* VNC_DIRTY_BPL (BPL = bits per line) might be greater than ++ * VNC_DIRTY_BITS due to alignment */ ++#define VNC_DIRTY_BPL(x) (sizeof((x)->dirty) / VNC_MAX_HEIGHT * BITS_PER_BYTE) ++ + #define VNC_STAT_RECT 64 + #define VNC_STAT_COLS (VNC_MAX_WIDTH / VNC_STAT_RECT) + #define VNC_STAT_ROWS (VNC_MAX_HEIGHT / VNC_STAT_RECT) +-- +1.8.3.1 + diff --git a/SOURCES/kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch b/SOURCES/kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch new file mode 100644 index 0000000..d2de57e --- /dev/null +++ b/SOURCES/kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch 
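Review bot: The rewritten inner loop in vnc_refresh_server_surface now runs to `DIV_ROUND_UP(width, VNC_DIRTY_PIXELS_PER_BIT)` but still compares and copies a full `cmp_bytes` per step. When `width` is not a multiple of VNC_DIRTY_PIXELS_PER_BIT, the last memcmp()/memcpy() of a row reaches past the pixels of that row, whereas the removed loop stopped at `x + VNC_DIRTY_PIXELS_PER_BIT - 1 < width` and never touched a partial block. The same patch passes `height * VNC_DIRTY_BPL(...)` to find_next_bit(), with `height` taken from the image and not limited to VNC_MAX_HEIGHT in the visible lines. Patch 06/24 of this series ("ui/vnc: fix potential memory corruption issues") bounds both, so this patch should not be carried without it. A comment at the loop, `/* the final block of a row may be partial */`, would make that dependency visible; the function starts outside the hunk.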
@@ -0,0 +1,71 @@ +From 9730b328cc524281334344466a01fb861b271b82 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 22 Feb 2017 12:36:22 +0100 +Subject: [PATCH 04/24] ui/vnc: optimize setting in vnc_dpy_update() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Gerd Hoffmann +Message-id: <1487766986-6329-5-git-send-email-kraxel@redhat.com> +Patchwork-id: 73974 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/8] ui/vnc: optimize setting in vnc_dpy_update() +Bugzilla: 1377977 +RH-Acked-by: Thomas Huth +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Laurent Vivier + +From: Peter Lieven + +Signed-off-by: Peter Lieven +Reviewed-by: Wenchao Xia +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 919372251cbfa9e43b0264fec475dd1eca23784f) +Signed-off-by: Miroslav Rezanina +--- + ui/vnc.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +diff --git a/ui/vnc.c b/ui/vnc.c +index 54530a2..2540261 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -430,30 +430,24 @@ static int vnc_refresh_server_surface(VncDisplay *vd); + static void vnc_dpy_update(DisplayChangeListener *dcl, + int x, int y, int w, int h) + { +- int i; + VncDisplay *vd = container_of(dcl, VncDisplay, dcl); + struct VncSurface *s = &vd->guest; + int width = surface_width(vd->ds); + int height = surface_height(vd->ds); + +- h += y; +- +- /* round x down to ensure the loop only spans one 16-pixel block per, +- iteration. 
otherwise, if (x % 16) != 0, the last iteration may span +- two 16-pixel blocks but we only mark the first as dirty +- */ ++ /* this is needed this to ensure we updated all affected ++ * blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */ + w += (x % VNC_DIRTY_PIXELS_PER_BIT); + x -= (x % VNC_DIRTY_PIXELS_PER_BIT); + + x = MIN(x, width); + y = MIN(y, height); + w = MIN(x + w, width) - x; +- h = MIN(h, height); ++ h = MIN(y + h, height); + + for (; y < h; y++) { +- for (i = 0; i < w; i += VNC_DIRTY_PIXELS_PER_BIT) { +- set_bit((x + i) / VNC_DIRTY_PIXELS_PER_BIT, s->dirty[y]); +- } ++ bitmap_set(s->dirty[y], x / VNC_DIRTY_PIXELS_PER_BIT, ++ DIV_ROUND_UP(w, VNC_DIRTY_PIXELS_PER_BIT)); + } + } + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-usb-ccid-add-check-message-size-checks.patch b/SOURCES/kvm-usb-ccid-add-check-message-size-checks.patch new file mode 100644 index 0000000..f0c2e48 --- /dev/null +++ b/SOURCES/kvm-usb-ccid-add-check-message-size-checks.patch 
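Review bot: In vnc_dpy_update the clamps ahead of the `bitmap_set` loop bound x, y, w and h only from above and only by the surface size, so the row index in `s->dirty[y]` and the bit range written still depend on callers never passing negative coordinates and on the surface never being larger than the dirty bitmap. The bitmap's dimensions are not visible in this hunk; if they are the compile-time VNC_MAX_WIDTH / VNC_MAX_HEIGHT limits, clamping to those as well keeps an oversized update rectangle inside the bitmap, e.g. `int width = MIN(surface_width(vd->ds), VNC_MAX_WIDTH);` and the same for height. The new comment also reads "this is needed this to"; `/* needed to ensure we update all affected blocks if x % VNC_DIRTY_PIXELS_PER_BIT != 0 */` says the same thing cleanly.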
@@ -0,0 +1,64 @@ +From 3d6cc57909eca16bd7bc4dc823b5eb71e65baffb Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 14 Mar 2017 08:52:56 +0100 +Subject: [PATCH 23/24] usb-ccid: add check message size checks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Gerd Hoffmann +Message-id: <1489481576-26911-5-git-send-email-kraxel@redhat.com> +Patchwork-id: 74287 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 4/4] usb-ccid: add check message size checks +Bugzilla: 1419818 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Laurent Vivier +RH-Acked-by: Miroslav Rezanina + +Check message size too when figuring whenever we should expect more data. +Fix debug message to show useful data, p->iov.size is fixed anyway if we +land there, print how much we got meanwhile instead. + +Also check announced message size against actual message size. That +is a more general fix for CVE-2017-5898 than commit "c7dfbf3 usb: ccid: +check ccid apdu length". + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Marc-André Lureau +Message-id: 1487250819-23764-4-git-send-email-kraxel@redhat.com +(cherry picked from commit 31fb4444a485a348f8e2699d7c3dd15e1819ad2c) +Signed-off-by: Miroslav Rezanina +--- + hw/usb/dev-smartcard-reader.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c +index 07d15ba..5e96a18 100644 +--- a/hw/usb/dev-smartcard-reader.c ++++ b/hw/usb/dev-smartcard-reader.c +@@ -1009,12 +1009,19 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USBPacket *p) + } + + ccid_header = (CCID_Header *)s->bulk_out_data; +- if (p->iov.size == CCID_MAX_PACKET_SIZE) { ++ if ((s->bulk_out_pos - 10 < ccid_header->dwLength) && ++ (p->iov.size == CCID_MAX_PACKET_SIZE)) { + DPRINTF(s, D_VERBOSE, +- "usb-ccid: bulk_in: expecting more packets (%zd/%d)\n", +- p->iov.size, ccid_header->dwLength); ++ "usb-ccid: bulk_in: expecting more packets (%d/%d)\n", ++ 
s->bulk_out_pos - 10, ccid_header->dwLength); + return; + } ++ if (s->bulk_out_pos - 10 != ccid_header->dwLength) { ++ DPRINTF(s, 1, ++ "usb-ccid: bulk_in: message size mismatch (got %d, expected %d)\n", ++ s->bulk_out_pos - 10, ccid_header->dwLength); ++ goto err; ++ } + + DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__, + ccid_header->bMessageType, +-- +1.8.3.1 + diff --git a/SOURCES/kvm-usb-ccid-better-bulk_out-error-handling.patch b/SOURCES/kvm-usb-ccid-better-bulk_out-error-handling.patch new file mode 100644 index 0000000..6eab01a --- /dev/null +++ b/SOURCES/kvm-usb-ccid-better-bulk_out-error-handling.patch 
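Review bot: Both new conditions compute `s->bulk_out_pos - 10`, which is only safe because of the `s->bulk_out_pos < 10` check that sits above this hunk; nothing in the new lines says so, and the literal 10 now appears four times here and again in the header check of the "move header size check" patch further down this page. A named constant, e.g. `#define CCID_HEADER_SIZE 10` (name constructed here), together with a comment such as `/* bulk_out_pos >= header size is guaranteed by the check above */`, would make the dependency explicit and keep the checks from drifting apart. The types of `bulk_out_pos` and `dwLength` are not visible in the hunk; if one is signed and the other unsigned, the `<` and `!=` comparisons happen after conversion, and the `%d` specifiers in both DPRINTF calls should match the actual field types. ccid_handle_bulk_out starts and ends outside the hunk.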
@@ -0,0 +1,175 @@ +From b71bd2f7f4a259183fa3d38e6e891cffb86683e2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 14 Mar 2017 08:52:54 +0100 +Subject: [PATCH 21/24] usb-ccid: better bulk_out error handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Gerd Hoffmann +Message-id: <1489481576-26911-3-git-send-email-kraxel@redhat.com> +Patchwork-id: 74289 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 2/4] usb-ccid: better bulk_out error handling +Bugzilla: 1419818 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Laurent Vivier +RH-Acked-by: Miroslav Rezanina + +Add err goto label where we can jump to from all error conditions. +STALL request on all errors. Reset position on all errors. + +Normal request processing is not in a else branch any more, so this code +is reintended, there are no code changes in that part of the code +though. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Marc-André Lureau +Message-id: 1487250819-23764-2-git-send-email-kraxel@redhat.com +(cherry picked from commit 0aeebc73b7976bae5cb7e9768e3d9a0fd9d634e8) +Signed-off-by: Miroslav Rezanina +--- + hw/usb/dev-smartcard-reader.c | 116 ++++++++++++++++++++++-------------------- + 1 file changed, 61 insertions(+), 55 deletions(-) + +diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c +index 0e0b363..672a7bf 100644 +--- a/hw/usb/dev-smartcard-reader.c ++++ b/hw/usb/dev-smartcard-reader.c +@@ -999,8 +999,7 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USBPacket *p) + CCID_Header *ccid_header; + + if (p->iov.size + s->bulk_out_pos > BULK_OUT_DATA_SIZE) { +- p->status = USB_RET_STALL; +- return; ++ goto err; + } + ccid_header = (CCID_Header *)s->bulk_out_data; + usb_packet_copy(p, s->bulk_out_data + s->bulk_out_pos, p->iov.size); +@@ -1015,64 +1014,71 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USBPacket *p) + DPRINTF(s, 1, + "%s: bad USB_TOKEN_OUT length, should be at least 10 bytes\n", + __func__); +- } else 
{ +- DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__, +- ccid_header->bMessageType, +- ccid_message_type_to_str(ccid_header->bMessageType)); +- switch (ccid_header->bMessageType) { +- case CCID_MESSAGE_TYPE_PC_to_RDR_GetSlotStatus: +- ccid_write_slot_status(s, ccid_header); +- break; +- case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOn: +- DPRINTF(s, 1, "%s: PowerOn: %d\n", __func__, ++ goto err; ++ } ++ ++ DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__, ++ ccid_header->bMessageType, ++ ccid_message_type_to_str(ccid_header->bMessageType)); ++ switch (ccid_header->bMessageType) { ++ case CCID_MESSAGE_TYPE_PC_to_RDR_GetSlotStatus: ++ ccid_write_slot_status(s, ccid_header); ++ break; ++ case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOn: ++ DPRINTF(s, 1, "%s: PowerOn: %d\n", __func__, + ((CCID_IccPowerOn *)(ccid_header))->bPowerSelect); +- s->powered = true; +- if (!ccid_card_inserted(s)) { +- ccid_report_error_failed(s, ERROR_ICC_MUTE); +- } +- /* atr is written regardless of error. */ +- ccid_write_data_block_atr(s, ccid_header); +- break; +- case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOff: +- ccid_reset_error_status(s); +- s->powered = false; +- ccid_write_slot_status(s, ccid_header); +- break; +- case CCID_MESSAGE_TYPE_PC_to_RDR_XfrBlock: +- ccid_on_apdu_from_guest(s, (CCID_XferBlock *)s->bulk_out_data); +- break; +- case CCID_MESSAGE_TYPE_PC_to_RDR_SetParameters: +- ccid_reset_error_status(s); +- ccid_set_parameters(s, ccid_header); +- ccid_write_parameters(s, ccid_header); +- break; +- case CCID_MESSAGE_TYPE_PC_to_RDR_ResetParameters: +- ccid_reset_error_status(s); +- ccid_reset_parameters(s); +- ccid_write_parameters(s, ccid_header); +- break; +- case CCID_MESSAGE_TYPE_PC_to_RDR_GetParameters: +- ccid_reset_error_status(s); +- ccid_write_parameters(s, ccid_header); +- break; +- case CCID_MESSAGE_TYPE_PC_to_RDR_Mechanical: +- ccid_report_error_failed(s, 0); +- ccid_write_slot_status(s, ccid_header); +- break; +- default: +- DPRINTF(s, 1, ++ s->powered = true; ++ if 
(!ccid_card_inserted(s)) { ++ ccid_report_error_failed(s, ERROR_ICC_MUTE); ++ } ++ /* atr is written regardless of error. */ ++ ccid_write_data_block_atr(s, ccid_header); ++ break; ++ case CCID_MESSAGE_TYPE_PC_to_RDR_IccPowerOff: ++ ccid_reset_error_status(s); ++ s->powered = false; ++ ccid_write_slot_status(s, ccid_header); ++ break; ++ case CCID_MESSAGE_TYPE_PC_to_RDR_XfrBlock: ++ ccid_on_apdu_from_guest(s, (CCID_XferBlock *)s->bulk_out_data); ++ break; ++ case CCID_MESSAGE_TYPE_PC_to_RDR_SetParameters: ++ ccid_reset_error_status(s); ++ ccid_set_parameters(s, ccid_header); ++ ccid_write_parameters(s, ccid_header); ++ break; ++ case CCID_MESSAGE_TYPE_PC_to_RDR_ResetParameters: ++ ccid_reset_error_status(s); ++ ccid_reset_parameters(s); ++ ccid_write_parameters(s, ccid_header); ++ break; ++ case CCID_MESSAGE_TYPE_PC_to_RDR_GetParameters: ++ ccid_reset_error_status(s); ++ ccid_write_parameters(s, ccid_header); ++ break; ++ case CCID_MESSAGE_TYPE_PC_to_RDR_Mechanical: ++ ccid_report_error_failed(s, 0); ++ ccid_write_slot_status(s, ccid_header); ++ break; ++ default: ++ DPRINTF(s, 1, + "handle_data: ERROR: unhandled message type %Xh\n", + ccid_header->bMessageType); +- /* +- * The caller is expecting the device to respond, tell it we +- * don't support the operation. +- */ +- ccid_report_error_failed(s, ERROR_CMD_NOT_SUPPORTED); +- ccid_write_slot_status(s, ccid_header); +- break; +- } ++ /* ++ * The caller is expecting the device to respond, tell it we ++ * don't support the operation. ++ */ ++ ccid_report_error_failed(s, ERROR_CMD_NOT_SUPPORTED); ++ ccid_write_slot_status(s, ccid_header); ++ break; + } + s->bulk_out_pos = 0; ++ return; ++ ++err: ++ p->status = USB_RET_STALL; ++ s->bulk_out_pos = 0; ++ return; + } + + static void ccid_bulk_in_copy_to_guest(USBCCIDState *s, USBPacket *p) +-- +1.8.3.1 + diff --git a/SOURCES/kvm-usb-ccid-check-ccid-apdu-length.patch b/SOURCES/kvm-usb-ccid-check-ccid-apdu-length.patch new file mode 100644 index 0000000..7091df9 
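Review bot: The first `goto err` (the `p->iov.size + s->bulk_out_pos > BULK_OUT_DATA_SIZE` case) is the only error path that stalls without logging, so a guest that sends an oversized bulk-out message leaves no trace even with debug output enabled. A line such as `DPRINTF(s, D_WARN, "%s: bulk_out overflow, dropping message\n", __func__);` before the jump would match the short-header path, which does log. The `err:` label would also benefit from a one-line comment stating that it discards any partially assembled message by resetting `s->bulk_out_pos`, and the `return;` that follows it is redundant at the end of a void function.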
--- /dev/null +++ b/SOURCES/kvm-usb-ccid-check-ccid-apdu-length.patch @@ -0,0 +1,48 @@ +From c69bcffde2abc36576ff8b9d60f721e1261fec32 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 14 Mar 2017 08:52:53 +0100 +Subject: [PATCH 20/24] usb: ccid: check ccid apdu length + +RH-Author: Gerd Hoffmann +Message-id: <1489481576-26911-2-git-send-email-kraxel@redhat.com> +Patchwork-id: 74286 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 1/4] usb: ccid: check ccid apdu length +Bugzilla: 1419818 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Laurent Vivier +RH-Acked-by: Miroslav Rezanina + +From: Prasad J Pandit + +CCID device emulator uses Application Protocol Data Units(APDU) +to exchange command and responses to and from the host. +The length in these units couldn't be greater than 65536. Add +check to ensure the same. It'd also avoid potential integer +overflow in emulated_apdu_from_guest. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-id: 20170202192228.10847-1-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit c7dfbf322595ded4e70b626bf83158a9f3807c6a) +Signed-off-by: Miroslav Rezanina +--- + hw/usb/dev-smartcard-reader.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c +index 0e666e1..0e0b363 100644 +--- a/hw/usb/dev-smartcard-reader.c ++++ b/hw/usb/dev-smartcard-reader.c +@@ -965,7 +965,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv) + DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__, + recv->hdr.bSeq, len); + ccid_add_pending_answer(s, (CCID_Header *)recv); +- if (s->card) { ++ if (s->card && len <= BULK_OUT_DATA_SIZE) { + ccid_card_apdu_from_guest(s->card, recv->abData, len); + } else { + DPRINTF(s, D_WARN, "warning: discarded apdu\n"); +-- +1.8.3.1 + diff --git a/SOURCES/kvm-usb-ccid-move-header-size-check.patch b/SOURCES/kvm-usb-ccid-move-header-size-check.patch new file mode 100644 index 0000000..ac197eb 
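Review bot: The added bound `len <= BULK_OUT_DATA_SIZE` compares the APDU length with the size of the whole receive buffer, although `recv->abData` begins after the header inside that buffer, so a `len` near the limit still lets `ccid_card_apdu_from_guest` read past the data actually received. Comparing against the payload bytes on hand would be tighter; the 10-byte header size used elsewhere on this page suggests at least `len <= BULK_OUT_DATA_SIZE - 10`, and a later patch in this series checks the announced length against `s->bulk_out_pos - 10`. The declaration of `len` is outside the hunk; if it is signed, a negative value also passes `<=`. The else branch now logs the same "discarded apdu" warning for a missing card and for an oversized length, which makes the two cases indistinguishable in a debug log.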
--- /dev/null
+++ b/SOURCES/kvm-usb-ccid-move-header-size-check.patch
@@ -0,0 +1,64 @@ +From 6116e5c19a7623b2543fbd937970da9a6e0e1ce7 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 14 Mar 2017 08:52:55 +0100 +Subject: [PATCH 22/24] usb-ccid: move header size check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Gerd Hoffmann +Message-id: <1489481576-26911-4-git-send-email-kraxel@redhat.com> +Patchwork-id: 74285 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 3/4] usb-ccid: move header size check +Bugzilla: 1419818 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Laurent Vivier +RH-Acked-by: Miroslav Rezanina + +Move up header size check, so we can use header fields in sanity checks +(in followup patches). Also reword the debug message. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Marc-André Lureau +Message-id: 1487250819-23764-3-git-send-email-kraxel@redhat.com +(cherry picked from commit 7569c54642e8aa9fa03e250c7c578bd4d3747f00) +Signed-off-by: Miroslav Rezanina +--- + hw/usb/dev-smartcard-reader.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c +index 672a7bf..07d15ba 100644 +--- a/hw/usb/dev-smartcard-reader.c ++++ b/hw/usb/dev-smartcard-reader.c +@@ -1001,21 +1001,20 @@ static void ccid_handle_bulk_out(USBCCIDState *s, USBPacket *p) + if (p->iov.size + s->bulk_out_pos > BULK_OUT_DATA_SIZE) { + goto err; + } +- ccid_header = (CCID_Header *)s->bulk_out_data; + usb_packet_copy(p, s->bulk_out_data + s->bulk_out_pos, p->iov.size); + s->bulk_out_pos += p->iov.size; ++ if (s->bulk_out_pos < 10) { ++ DPRINTF(s, 1, "%s: header incomplete\n", __func__); ++ goto err; ++ } ++ ++ ccid_header = (CCID_Header *)s->bulk_out_data; + if (p->iov.size == CCID_MAX_PACKET_SIZE) { + DPRINTF(s, D_VERBOSE, + "usb-ccid: bulk_in: expecting more packets (%zd/%d)\n", + p->iov.size, ccid_header->dwLength); + return; + } +- if (s->bulk_out_pos < 10) { +- DPRINTF(s, 1, +- "%s: bad USB_TOKEN_OUT length, should 
be at least 10 bytes\n", +- __func__); +- goto err; +- } + + DPRINTF(s, D_MORE_INFO, "%s %x %s\n", __func__, + ccid_header->bMessageType, +-- +1.8.3.1 + diff --git a/SOURCES/kvm-vhdx-Fix-zero-fill-iov-length.patch b/SOURCES/kvm-vhdx-Fix-zero-fill-iov-length.patch new file mode 100644 index 0000000..d0fdca3 --- /dev/null +++ b/SOURCES/kvm-vhdx-Fix-zero-fill-iov-length.patch 
@@ -0,0 +1,57 @@ +From a7cfda7b304697450f0a55c22f4459b25999e9c5 Mon Sep 17 00:00:00 2001 +From: Max Reitz +Date: Mon, 13 Mar 2017 17:47:05 +0100 +Subject: [PATCH 17/24] vhdx: Fix zero-fill iov length + +RH-Author: Max Reitz +Message-id: <20170313174706.29316-2-mreitz@redhat.com> +Patchwork-id: 74279 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 8/9] vhdx: Fix zero-fill iov length +Bugzilla: 1427176 +RH-Acked-by: Fam Zheng +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Kevin Wolf + +From: Kevin Wolf + +Fix the length of the zero-fill for the back, which was accidentally +using the same value as for the front. This is caught by qemu-iotests +033. + +For consistency, change the code for the front as well to use the length +stored in the iov (it is the same value, copied four lines above). + +Signed-off-by: Kevin Wolf +Acked-by: Jeff Cody +(cherry picked from commit d1a126c53ddc563b7b731cee013e0362f7a5f22f) +Signed-off-by: Max Reitz +Signed-off-by: Miroslav Rezanina +--- + block/vhdx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/block/vhdx.c b/block/vhdx.c +index 21ad6ad..47a872d 100644 +--- a/block/vhdx.c ++++ b/block/vhdx.c +@@ -1247,7 +1247,7 @@ static coroutine_fn int vhdx_co_writev(BlockDriverState *bs, int64_t sector_num, + iov1.iov_base = qemu_blockalign(bs, iov1.iov_len); + memset(iov1.iov_base, 0, iov1.iov_len); + qemu_iovec_concat_iov(&hd_qiov, &iov1, 1, 0, +- sinfo.block_offset); ++ iov1.iov_len); + sectors_to_write += iov1.iov_len >> BDRV_SECTOR_BITS; + } + +@@ -1263,7 +1263,7 @@ static coroutine_fn int vhdx_co_writev(BlockDriverState *bs, int64_t sector_num, + iov2.iov_base = qemu_blockalign(bs, iov2.iov_len); + memset(iov2.iov_base, 0, iov2.iov_len); + qemu_iovec_concat_iov(&hd_qiov, &iov2, 1, 0, +- sinfo.block_offset); ++ iov2.iov_len); + sectors_to_write += iov2.iov_len >> BDRV_SECTOR_BITS; + } + } +-- +1.8.3.1 + 
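Review bot: The front and back zero-fill branches in vhdx_co_writev remain two copies of the same allocate / memset / append sequence, which is how the front length ended up in the back branch; the length handed to `qemu_iovec_concat_iov` has to equal the size of the buffer allocated one line earlier, and nothing ties the two together. Folding the sequence into one static helper that takes the iovec leaves a single place where allocation size and appended length are derived from the same field. The helper name below is constructed, and vhdx_co_writev itself starts and ends outside these hunks.

```c
/* Allocate a zeroed padding buffer of iov->iov_len bytes and append exactly
 * that many bytes to qiov, so buffer size and appended length cannot diverge. */
static void vhdx_append_zero_pad(BlockDriverState *bs, QEMUIOVector *qiov,
                                 struct iovec *iov)
{
    iov->iov_base = qemu_blockalign(bs, iov->iov_len);
    memset(iov->iov_base, 0, iov->iov_len);
    qemu_iovec_concat_iov(qiov, iov, 1, 0, iov->iov_len);
}

/* … unchanged: iov1.iov_len set above … */
vhdx_append_zero_pad(bs, &hd_qiov, &iov1);
sectors_to_write += iov1.iov_len >> BDRV_SECTOR_BITS;
/* … unchanged: same pattern for iov2 in the back-padding branch … */
```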
diff --git a/SOURCES/kvm-virtio-add-virtqueue_rewind.patch b/SOURCES/kvm-virtio-add-virtqueue_rewind.patch index 1915e93..a5d98d3 100644 --- a/SOURCES/kvm-virtio-add-virtqueue_rewind.patch +++ b/SOURCES/kvm-virtio-add-virtqueue_rewind.patch @@ -1,4 +1,4 @@ -From f7d6a76475d29e0edb5456e62492117b87f4bc41 Mon Sep 17 00:00:00 2001 +From 6b2d5dafa9847ce29e5cddeb369b35db5ce076b1 Mon Sep 17 00:00:00 2001 From: Ladi Prosek Date: Thu, 10 Nov 2016 23:00:50 +0100 Subject: [PATCH 7/8] virtio: add virtqueue_rewind() @@ -7,7 +7,7 @@ RH-Author: Ladi Prosek Message-id: <1478797251-10302-1-git-send-email-lprosek@redhat.com> Patchwork-id: 72818 O-Subject: [PATCH v2 7/6] virtio: add virtqueue_rewind() -Bugzilla: 1393484 +Bugzilla: 1377968 RH-Acked-by: Paolo Bonzini RH-Acked-by: Michael S. Tsirkin RH-Acked-by: Miroslav Rezanina diff --git a/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch b/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch index a076d4e..2c37b1d 100644 --- a/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch +++ b/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch @@ -1,4 +1,4 @@ -From a1c91f04449eea0e678aeef78914213f092b7a19 Mon Sep 17 00:00:00 2001 +From 2c71eba27413f9b34610cee3f6b16b0678f4d102 Mon Sep 17 00:00:00 2001 From: Ladi Prosek Date: Wed, 5 Oct 2016 17:22:27 +0200 Subject: [PATCH 5/8] virtio-balloon: discard virtqueue element on reset @@ -7,7 +7,7 @@ RH-Author: Ladi Prosek Message-id: <1475666548-9186-6-git-send-email-lprosek@redhat.com> Patchwork-id: 72484 O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 5/6] virtio-balloon: discard virtqueue element on reset -Bugzilla: 1393484 +Bugzilla: 1377968 RH-Acked-by: Paolo Bonzini RH-Acked-by: Michael S. Tsirkin RH-Acked-by: Stefan Hajnoczi diff --git a/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch b/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch index bd3b2e7..38c7762 100644 
--- a/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch +++ b/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch @@ -1,4 +1,4 @@ -From 6d5c0e0e98907244d72e7828337d7ff6160b6b80 Mon Sep 17 00:00:00 2001 +From 92a638cb3b0601746d47b4a443762fe71bb21431 Mon Sep 17 00:00:00 2001 From: Ladi Prosek Date: Thu, 10 Nov 2016 23:00:51 +0100 Subject: [PATCH 8/8] virtio-balloon: fix stats vq migration @@ -7,7 +7,7 @@ RH-Author: Ladi Prosek Message-id: <1478797251-10302-2-git-send-email-lprosek@redhat.com> Patchwork-id: 72819 O-Subject: [PATCH v2 8/6] virtio-balloon: fix stats vq migration -Bugzilla: 1393484 +Bugzilla: 1377968 RH-Acked-by: Paolo Bonzini RH-Acked-by: Michael S. Tsirkin RH-Acked-by: Miroslav Rezanina diff --git a/SOURCES/kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch b/SOURCES/kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch index a58ed36..f730a9a 100644 --- a/SOURCES/kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch +++ b/SOURCES/kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch @@ -1,16 +1,16 @@ -From cc9a8ce29ba364abcf019f6fe44b218255b9e4d7 Mon Sep 17 00:00:00 2001 +From 200748826a6069c31f5004dde00614675bac659b Mon Sep 17 00:00:00 2001 
From: Fam Zheng -Date: Wed, 8 Feb 2017 07:05:34 +0100 -Subject: [PATCH 1/8] virtio-blk: Release s->rq queue at system_reset +Date: Tue, 7 Feb 2017 09:21:53 +0100 +Subject: [PATCH 02/11] virtio-blk: Release s->rq queue at system_reset RH-Author: Fam Zheng -Message-id: <20170208070534.10571-1-famz@redhat.com> -Patchwork-id: 73642 -O-Subject: [RHEL-7.3.z qemu-kvm PATCH] virtio-blk: Release s->rq queue at system_reset -Bugzilla: 1420049 -RH-Acked-by: Paolo Bonzini +Message-id: <20170207092153.8331-1-famz@redhat.com> +Patchwork-id: 73553 +O-Subject: [RHEL-7.4 qemu-kvm PATCH] virtio-blk: Release s->rq queue at system_reset +Bugzilla: 1361488 RH-Acked-by: Laszlo Ersek -RH-Acked-by: Laurent Vivier +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Stefan Hajnoczi At system_reset, there is no point in retrying the queued request, because the driver that issued the request won't be around any more. diff --git a/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch b/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch index 1822127..949fd97 100644 --- a/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch +++ b/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch @@ -1,4 +1,4 @@ -From c24e1c927bad95d84e0ffab665baff98d91fb916 Mon Sep 17 00:00:00 2001 +From bf7aa4bb11e9991a3d5a1007dbe52dd0ac6dae99 Mon Sep 17 00:00:00 2001 From: Ladi Prosek Date: Wed, 5 Oct 2016 17:22:25 +0200 Subject: [PATCH 3/8] virtio: decrement vq->inuse in virtqueue_discard() @@ -7,7 +7,7 @@ RH-Author: Ladi Prosek Message-id: <1475666548-9186-4-git-send-email-lprosek@redhat.com> Patchwork-id: 72482 O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 3/6] virtio: decrement vq->inuse in virtqueue_discard() -Bugzilla: 1393484 +Bugzilla: 1377968 RH-Acked-by: Paolo Bonzini RH-Acked-by: Michael S. Tsirkin RH-Acked-by: Stefan Hajnoczi diff --git a/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch b/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch index 8f233c6..ee5aedc 100644 
--- a/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch +++ b/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch @@ -1,4 +1,4 @@ -From b5c6f7a910c5c16ac34ef2436d0a56991e0166e3 Mon Sep 17 00:00:00 2001 +From 06ca4cab12a4216d40c297d8a79c83a4df4dd80e Mon Sep 17 00:00:00 2001 From: Ladi Prosek Date: Wed, 5 Oct 2016 17:22:24 +0200 Subject: [PATCH 2/8] virtio: introduce virtqueue_discard() @@ -7,7 +7,7 @@ RH-Author: Ladi Prosek Message-id: <1475666548-9186-3-git-send-email-lprosek@redhat.com> Patchwork-id: 72481 O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 2/6] virtio: introduce virtqueue_discard() -Bugzilla: 1393484 +Bugzilla: 1377968 RH-Acked-by: Paolo Bonzini RH-Acked-by: Michael S. Tsirkin RH-Acked-by: Stefan Hajnoczi diff --git a/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch b/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch index 77d40c9..bd3e621 100644 --- a/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch +++ b/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch @@ -1,4 +1,4 @@ -From fc6f666f00182fe587068bd45e4e9e6d135d03fb Mon Sep 17 00:00:00 2001 +From 9d3ccec3b8323f7cfbce932f8c6530aa4105ba02 Mon Sep 17 00:00:00 2001 From: Ladi Prosek Date: Wed, 5 Oct 2016 17:22:23 +0200 Subject: [PATCH 1/8] virtio: introduce virtqueue_unmap_sg() @@ -7,7 +7,7 @@ RH-Author: Ladi Prosek Message-id: <1475666548-9186-2-git-send-email-lprosek@redhat.com> Patchwork-id: 72480 O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 1/6] virtio: introduce virtqueue_unmap_sg() -Bugzilla: 1393484 +Bugzilla: 1377968 RH-Acked-by: Paolo Bonzini RH-Acked-by: Michael S. Tsirkin RH-Acked-by: Stefan Hajnoczi diff --git a/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch b/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch index e231a0a..6c4eb84 100644 --- a/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch +++ b/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch 
@@ -1,4 +1,4 @@ -From e3e5226d8ed3907bb818eb8db74175c08c011459 Mon Sep 17 00:00:00 2001 +From f5f0d9ed92f4ba1ea746529ccc945cf60d4973c8 Mon Sep 17 00:00:00 2001 From: Ladi Prosek Date: Wed, 5 Oct 2016 17:22:28 +0200 Subject: [PATCH 6/8] virtio: zero vq->inuse in virtio_reset() @@ -7,7 +7,7 @@ RH-Author: Ladi Prosek Message-id: <1475666548-9186-7-git-send-email-lprosek@redhat.com> Patchwork-id: 72485 O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 6/6] virtio: zero vq->inuse in virtio_reset() -Bugzilla: 1393484 +Bugzilla: 1377968 RH-Acked-by: Paolo Bonzini RH-Acked-by: Michael S. Tsirkin RH-Acked-by: Stefan Hajnoczi diff --git a/SOURCES/kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch b/SOURCES/kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch new file mode 100644 index 0000000..8d9d72f --- /dev/null +++ b/SOURCES/kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch 
@@ -0,0 +1,57 @@ +From 1f9218a32773bb616f65f581f3a6b22699b2f6be Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Tue, 27 Dec 2016 20:43:20 +0100 +Subject: [PATCH 2/4] vl: Don't silently change topology when all -smp options + were set + +RH-Author: Eduardo Habkost +Message-id: <1482871400-24971-1-git-send-email-ehabkost@redhat.com> +Patchwork-id: 73103 +O-Subject: [RHEL-7.4 qemu-kvm PATCH] vl: Don't silently change topology when all -smp options were set +Bugzilla: 1375507 +RH-Acked-by: Igor Mammedov +RH-Acked-by: Andrew Jones +RH-Acked-by: David Hildenbrand + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1375507 + +QEMU tries to change the "threads" option even if it was explicitly set +in the command-line, and it shouldn't do that. + +The right thing to do when all options (cpus, sockets, cores, threds) +are explicitly set is to sanity check them and abort in case they don't +make sense (i.e. when sockets*cores*threads < cpus). + +Signed-off-by: Eduardo Habkost +Reviewed-by: Andrew Jones +Signed-off-by: Paolo Bonzini +(cherry picked from commit ec2cbbdd80463efd4bc81a9d1362a2acb3097a21) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + vl.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/vl.c b/vl.c +index 9756361..7c34b7c 100644 +--- a/vl.c ++++ b/vl.c +@@ -1393,8 +1393,14 @@ static void smp_parse(const char *optarg) + if (cores == 0) { + threads = threads > 0 ? threads : 1; + cores = smp / (sockets * threads); +- } else { ++ } else if (threads == 0) { + threads = smp / (cores * sockets); ++ } else if (sockets * cores * threads < smp) { ++ fprintf(stderr, "cpu topology: error: " ++ "sockets (%u) * cores (%u) * threads (%u) < " ++ "smp_cpus (%u)\n", ++ sockets, cores, threads, smp); ++ exit(1); + } + } + smp_cpus = smp; +-- +1.8.3.1 + 
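Review bot: The new `sockets * cores * threads < smp` test runs only when all three values were given, so the two arms that derive a value stay unchecked: `threads = smp / (cores * sockets)` yields 0 whenever `cores * sockets` exceeds `smp`, and the derived `cores` can become 0 the same way. Whether a zero is caught later in smp_parse is not visible, since the function starts and ends outside the hunk. Running the check after the if/else chain rather than as its last arm, i.e. a plain `if (sockets * cores * threads < smp) { ... exit(1); }` following the closing brace, would cover derived and explicit values alike, at the cost of rejecting some configurations accepted today. The product appears to be unsigned (the message prints it with `%u`), so very large command-line values can wrap and be rejected with a misleading message.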
diff --git a/SOURCES/kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch b/SOURCES/kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch new file mode 100644 index 0000000..0808fa3 --- /dev/null +++ b/SOURCES/kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch 
@@ -0,0 +1,93 @@ +From e543257370cce5153bbcf0085a116e6aa4a6d91b Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Wed, 22 Feb 2017 12:36:25 +0100 +Subject: [PATCH 07/24] vnc: fix memory corruption (CVE-2015-5225) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Gerd Hoffmann +Message-id: <1487766986-6329-8-git-send-email-kraxel@redhat.com> +Patchwork-id: 73978 +O-Subject: [RHEL-7.4 qemu-kvm PATCH 7/8] vnc: fix memory corruption (CVE-2015-5225) +Bugzilla: 1377977 +RH-Acked-by: Thomas Huth +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Laurent Vivier + +The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential +memory corruption issues" can become negative. Result is (possibly +exploitable) memory corruption. Reason for that is it uses the stride +instead of bytes per scanline to apply limits. + +For the server surface is is actually fine. vnc creates that itself, +there is never any padding and thus scanline length always equals stride. + +For the guest surface scanline length and stride are typically identical +too, but it doesn't has to be that way. So add and use a new variable +(guest_ll) for the guest scanline length. Also rename min_stride to +line_bytes to make more clear what it actually is. Finally sprinkle +in an assert() to make sure we never use a negative _cmp_bytes again. 
+ +Reported-by: 范祚至(库特) +Reviewed-by: P J P +Signed-off-by: Gerd Hoffmann +(cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b) +Signed-off-by: Miroslav Rezanina +--- + ui/vnc.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/ui/vnc.c b/ui/vnc.c +index 80b7792..d0ada7e 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -2676,7 +2676,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + pixman_image_get_width(vd->server)); + int height = MIN(pixman_image_get_height(vd->guest.fb), + pixman_image_get_height(vd->server)); +- int cmp_bytes, server_stride, min_stride, guest_stride, y = 0; ++ int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0; + uint8_t *guest_row0 = NULL, *server_row0; + VncState *vs; + int has_dirty = 0; +@@ -2695,17 +2695,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + * Update server dirty map. + */ + server_row0 = (uint8_t *)pixman_image_get_data(vd->server); +- server_stride = guest_stride = pixman_image_get_stride(vd->server); ++ server_stride = guest_stride = guest_ll = ++ pixman_image_get_stride(vd->server); + cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES, + server_stride); + if (vd->guest.format != VNC_SERVER_FB_FORMAT) { + int width = pixman_image_get_width(vd->server); + tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width); + } else { ++ int guest_bpp = ++ PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb)); + guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb); + guest_stride = pixman_image_get_stride(vd->guest.fb); ++ guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8); + } +- min_stride = MIN(server_stride, guest_stride); ++ line_bytes = MIN(server_stride, guest_ll); + + for (;;) { + int x; +@@ -2736,9 +2740,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + if (!test_and_clear_bit(x, vd->guest.dirty[y])) { + continue; + } +- if ((x + 1) * cmp_bytes > min_stride) { +- _cmp_bytes = 
min_stride - x * cmp_bytes; ++ if ((x + 1) * cmp_bytes > line_bytes) { ++ _cmp_bytes = line_bytes - x * cmp_bytes; + } ++ assert(_cmp_bytes >= 0); + if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) { + continue; + } +-- +1.8.3.1 + diff --git a/SOURCES/kvm-vnc-fix-overflow-in-vnc_update_stats.patch b/SOURCES/kvm-vnc-fix-overflow-in-vnc_update_stats.patch new file mode 100644 index 0000000..db0c181 --- /dev/null +++ b/SOURCES/kvm-vnc-fix-overflow-in-vnc_update_stats.patch 
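Review bot: The only guard between a negative `_cmp_bytes` and the `memcmp` that follows is `assert(_cmp_bytes >= 0)`, which disappears in a build with NDEBUG and otherwise turns a guest-influenced scanline geometry into an abort of the whole process. An explicit runtime check keeps the bound in every build and degrades to a skipped block: `if (_cmp_bytes <= 0) { continue; }` ahead of, or in place of, the assert. Zero is included because a zero-length compare reports equality and the loop would continue anyway. vnc_refresh_server_surface starts and ends outside these hunks, so any later copy that uses `_cmp_bytes` is not visible here and should be checked against the same bound.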
@@ -0,0 +1,56 @@
+From 8c2d53ffb72c574d0c81e2c86115a18598e66c65 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Wed, 22 Feb 2017 12:36:26 +0100
+Subject: [PATCH 08/24] vnc: fix overflow in vnc_update_stats
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann
+Message-id: <1487766986-6329-9-git-send-email-kraxel@redhat.com>
+Patchwork-id: 73975
+O-Subject: [RHEL-7.4 qemu-kvm PATCH 8/8] vnc: fix overflow in vnc_update_stats
+Bugzilla: 1377977
+RH-Acked-by: Thomas Huth
+RH-Acked-by: Marc-André Lureau
+RH-Acked-by: Laurent Vivier
+
+Commit "bea60dd ui/vnc: fix potential memory corruption issues" is
+incomplete. vnc_update_stats must calculate width and height the same
+way vnc_refresh_server_surface does it, to make sure we don't use width
+and height values larger than the qemu vnc server can handle.
+
+Commit "e22492d ui/vnc: disable adaptive update calculations if not
+needed" masks the issue in the default configuration. It triggers only
+in case the "lossy" option is set to "on" (default is "off").
+
+Cc: Marc-André Lureau
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Marc-André Lureau
+Message-id: 1485248428-575-1-git-send-email-kraxel@redhat.com
+(cherry picked from commit eebe0b7905642a986cbce7406d6ab7bf78f3e210)
+Signed-off-by: Miroslav Rezanina
+---
+ ui/vnc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index d0ada7e..b68918e 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2581,8 +2581,10 @@ static int vnc_refresh_lossy_rect(VncDisplay *vd, int x, int y)
+
+ static int vnc_update_stats(VncDisplay *vd, struct timeval * tv)
+ {
+- int width = pixman_image_get_width(vd->guest.fb);
+- int height = pixman_image_get_height(vd->guest.fb);
++ int width = MIN(pixman_image_get_width(vd->guest.fb),
++ pixman_image_get_width(vd->server));
++ int height = MIN(pixman_image_get_height(vd->guest.fb),
++ pixman_image_get_height(vd->server));
+ int x, y;
+ struct timeval res;
+ int has_dirty = 0;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch b/SOURCES/kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch
new file mode 100644
index 0000000..1035dbe
--- /dev/null
+++ b/SOURCES/kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch
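Review bot: The width/height clamp at the top of `vnc_update_stats` is a second hand-written copy of the expression `vnc_refresh_server_surface` uses, and the commit message says the earlier fix was incomplete because these two functions computed the bounds differently. A small static helper shared by both, or at minimum a comment such as `/* keep in sync with vnc_refresh_server_surface(): never exceed vd->server */`, would stop a later change to one from re-opening the out-of-bounds access in the other. The inner hunk shows only the first lines of the function; the loops that consume `width` and `height` are outside it, so how the clamped values are used cannot be checked from here.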
@@ -0,0 +1,174 @@ +From 7b43b5139f8e919203d3ed20fbba6cb143fde6d7 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 23 Feb 2017 14:29:32 +0100 +Subject: [PATCH 02/17] x86: add AVX512_4VNNIW and AVX512_4FMAPS features + +RH-Author: Eduardo Habkost +Message-id: <20170223142945.17790-2-ehabkost@redhat.com> +Patchwork-id: 74033 +O-Subject: [RHEL-7.4 qemu-kvm PATCH v2 01/14] x86: add AVX512_4VNNIW and AVX512_4FMAPS features +Bugzilla: 1382122 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +From: Luwei Kang + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1382122 + +The spec can be found in Intel Software Developer Manual or in +Instruction Set Extensions Programming Reference. + +Backport notes: + +Changes v1 -> v2: +* Fixed build error, moved feat_names to a separate static array + variable +* Fixed backport mistakes (I had forgotten to add + features[FEAT_7_0_EDX] initialization and filtering code) + +Signed-off-by: Piotr Luc +Signed-off-by: Luwei Kang +Message-Id: <1477902446-5932-1-git-send-email-he.chen@linux.intel.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 95ea69fb46266aaa46d0c8b7f0ba8c4903dbe4e3) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 31 ++++++++++++++++++++++++++++++- + target-i386/cpu.h | 4 ++++ + 2 files changed, 34 insertions(+), 1 deletion(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index c3c8306..789e687 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -165,6 +165,17 @@ static const char *cpuid_7_0_ecx_feature_name[] = { + NULL, NULL, NULL, NULL, + }; + ++static const char *cpuid_7_0_edx_feature_name[] = { ++ NULL, NULL, "avx512-4vnniw", "avx512-4fmaps", ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++}; ++ + static const char *cpuid_xsave_feature_name[] = { + 
"xsaveopt", "xsavec", "xgetbv1", NULL, + NULL, NULL, NULL, NULL, +@@ -225,6 +236,12 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + .cpuid_needs_ecx = true, .cpuid_ecx = 0, + .cpuid_reg = R_ECX, + }, ++ [FEAT_7_0_EDX] = { ++ .feat_names = cpuid_7_0_edx_feature_name, ++ .cpuid_eax = 7, ++ .cpuid_needs_ecx = true, .cpuid_ecx = 0, ++ .cpuid_reg = R_EDX, ++ }, + [FEAT_XSAVE] = { + .feat_names = cpuid_xsave_feature_name, + .cpuid_eax = 0xd, +@@ -484,6 +501,7 @@ typedef struct x86_def_t { + CPUID_7_0_EBX_ERMS, CPUID_7_0_EBX_INVPCID, CPUID_7_0_EBX_RTM, + CPUID_7_0_EBX_RDSEED */ + #define TCG_7_0_ECX_FEATURES 0 ++#define TCG_7_0_EDX_FEATURES 0 + + /* built-in CPU model definitions + */ +@@ -1254,9 +1272,12 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def) + kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EBX); + x86_cpu_def->features[FEAT_7_0_ECX] = + kvm_arch_get_supported_cpuid(s, 0x7, 0, R_ECX); ++ x86_cpu_def->features[FEAT_7_0_EDX] = ++ kvm_arch_get_supported_cpuid(s, 0x7, 0, R_EDX); + } else { + x86_cpu_def->features[FEAT_7_0_EBX] = 0; + x86_cpu_def->features[FEAT_7_0_ECX] = 0; ++ x86_cpu_def->features[FEAT_7_0_EDX] = 0; + } + x86_cpu_def->features[FEAT_XSAVE] = + kvm_arch_get_supported_cpuid(s, 0xd, 1, R_EAX); +@@ -1343,6 +1364,9 @@ static int kvm_check_features_against_host(X86CPU *cpu) + {&env->features[FEAT_7_0_ECX], + &host_def.features[FEAT_7_0_ECX], + FEAT_7_0_ECX }, ++ {&env->features[FEAT_7_0_EDX], ++ &host_def.features[FEAT_7_0_EDX], ++ FEAT_7_0_EDX }, + {&env->features[FEAT_XSAVE], + &host_def.features[FEAT_XSAVE], + FEAT_XSAVE }, +@@ -1885,6 +1909,7 @@ static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp) + env->features[FEAT_SVM] |= plus_features[FEAT_SVM]; + env->features[FEAT_7_0_EBX] |= plus_features[FEAT_7_0_EBX]; + env->features[FEAT_7_0_ECX] |= plus_features[FEAT_7_0_ECX]; ++ env->features[FEAT_7_0_EDX] |= plus_features[FEAT_7_0_EDX]; + env->features[FEAT_XSAVE] |= plus_features[FEAT_XSAVE]; + 
env->features[FEAT_1_EDX] &= ~minus_features[FEAT_1_EDX]; + env->features[FEAT_1_ECX] &= ~minus_features[FEAT_1_ECX]; +@@ -1895,6 +1920,7 @@ static void cpu_x86_parse_featurestr(X86CPU *cpu, char *features, Error **errp) + env->features[FEAT_SVM] &= ~minus_features[FEAT_SVM]; + env->features[FEAT_7_0_EBX] &= ~minus_features[FEAT_7_0_EBX]; + env->features[FEAT_7_0_ECX] &= ~minus_features[FEAT_7_0_ECX]; ++ env->features[FEAT_7_0_EDX] &= ~minus_features[FEAT_7_0_EDX]; + env->features[FEAT_XSAVE] &= ~minus_features[FEAT_XSAVE]; + + out: +@@ -2032,6 +2058,7 @@ static void cpu_x86_register(X86CPU *cpu, const char *name, Error **errp) + env->features[FEAT_C000_0001_EDX] = def->features[FEAT_C000_0001_EDX]; + env->features[FEAT_7_0_EBX] = def->features[FEAT_7_0_EBX]; + env->features[FEAT_7_0_ECX] = def->features[FEAT_7_0_ECX]; ++ env->features[FEAT_7_0_EDX] = def->features[FEAT_7_0_EDX]; + env->features[FEAT_XSAVE] = def->features[FEAT_XSAVE]; + env->cpuid_xlevel2 = def->xlevel2; + +@@ -2270,7 +2297,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count, + *eax = 0; /* Maximum ECX value for sub-leaves */ + *ebx = env->features[FEAT_7_0_EBX]; /* Feature flags */ + *ecx = env->features[FEAT_7_0_ECX]; /* Feature flags */ +- *edx = 0; /* Reserved */ ++ *edx = env->features[FEAT_7_0_EDX]; /* Feature flags */ + } else { + *eax = 0; + *ebx = 0; +@@ -2680,6 +2707,8 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp) + env->features[FEAT_8000_0001_ECX] &= TCG_EXT3_FEATURES; + env->features[FEAT_SVM] &= TCG_SVM_FEATURES; + env->features[FEAT_XSAVE] = 0; ++ env->features[FEAT_7_0_ECX] &= TCG_7_0_ECX_FEATURES; ++ env->features[FEAT_7_0_EDX] &= TCG_7_0_EDX_FEATURES; + } else { + if ((cpu->check_cpuid || cpu->enforce_cpuid) + && kvm_check_features_against_host(cpu) && cpu->enforce_cpuid) { +diff --git a/target-i386/cpu.h b/target-i386/cpu.h +index d541809..eec5c49 100644 +--- a/target-i386/cpu.h ++++ b/target-i386/cpu.h +@@ -401,6 +401,7 @@ typedef enum 
FeatureWord { + FEAT_1_ECX, /* CPUID[1].ECX */ + FEAT_7_0_EBX, /* CPUID[EAX=7,ECX=0].EBX */ + FEAT_7_0_ECX, /* CPUID[EAX=7,ECX=0].ECX */ ++ FEAT_7_0_EDX, /* CPUID[EAX=7,ECX=0].EDX */ + FEAT_8000_0001_EDX, /* CPUID[8000_0001].EDX */ + FEAT_8000_0001_ECX, /* CPUID[8000_0001].ECX */ + FEAT_C000_0001_EDX, /* CPUID[C000_0001].EDX */ +@@ -580,6 +581,9 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; + #define CPUID_7_0_ECX_OSPKE (1U << 4) + #define CPUID_7_0_ECX_RDPID (1U << 22) + ++#define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ ++#define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ ++ + #define CPUID_XSAVE_XSAVEOPT (1U << 0) + #define CPUID_XSAVE_XSAVEC (1U << 1) + #define CPUID_XSAVE_XGETBV1 (1U << 2) +-- +1.8.3.1 + diff --git a/SOURCES/kvm-x86-add-AVX512_VPOPCNTDQ-features.patch b/SOURCES/kvm-x86-add-AVX512_VPOPCNTDQ-features.patch new file mode 100644 index 0000000..a0e2e5f --- /dev/null +++ b/SOURCES/kvm-x86-add-AVX512_VPOPCNTDQ-features.patch 
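Review bot: `#define TCG_7_0_EDX_FEATURES 0` is added in target-i386/cpu.c without any comment, while the context just above it ends a comment that lists individual `CPUID_7_0_EBX_*` flags (the start of that comment is outside the hunk, presumably a list of unimplemented bits). The `x86_cpu_realizefn` hunk now uses this zero mask to strip the new feature word in the branch that applies the `TCG_*` masks, so the definition should say so, e.g. `#define TCG_7_0_EDX_FEATURES 0 /* missing: CPUID_7_0_EDX_AVX512_4VNNIW, CPUID_7_0_EDX_AVX512_4FMAPS */`. The backport notes say v1 forgot the `FEAT_7_0_EDX` initialization and filtering code, so it is also worth confirming that no other hand-maintained per-word list in cpu.c outside these hunks still omits the new word.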
@@ -0,0 +1,63 @@ +From 3a10799602b257d8d890965a1c3144476d8aa48d Mon Sep 17 00:00:00 2001 +From: "plai@redhat.com" +Date: Mon, 13 Mar 2017 20:15:12 +0100 +Subject: [PATCH 19/24] x86: add AVX512_VPOPCNTDQ features + +RH-Author: plai@redhat.com +Message-id: <1489436112-5802-2-git-send-email-plai@redhat.com> +Patchwork-id: 74283 +O-Subject: [RHEL7.4 qemu-kvm BZ1415830 v2 RESEND] x86: add AVX512_VPOPCNTDQ features +Bugzilla: 1415830 +RH-Acked-by: Eduardo Habkost +RH-Acked-by: David Hildenbrand +RH-Acked-by: Bandan Das + +From: He Chen + +AVX512_VPOPCNTDQ: Vector POPCNT instructions for word and qwords. +variable precision. + +Signed-off-by: He Chen +Message-Id: <1484272411-28073-1-git-send-email-he.chen@linux.intel.com> +Reviewed-by: Eduardo Habkost +Signed-off-by: Eduardo Habkost +(cherry picked from commit f77543772dcd38fa438470d9b80bafbd3a3ebbd7) +Signed-off-by: Paul Lai +Signed-off-by: Miroslav Rezanina + +Conflicts: + target/i386/cpu.c -> changes applied to target-i386/cpu.c + target/i386/cpu.h -> changes applied to target-i386/cpu.h +--- + target-i386/cpu.c | 2 +- + target-i386/cpu.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index 38056eb..33f0997 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -158,7 +158,7 @@ static const char *cpuid_7_0_ecx_feature_name[] = { + NULL, "avx512vbmi", NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ NULL, NULL, "avx512-vpopcntdq", NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +diff --git a/target-i386/cpu.h b/target-i386/cpu.h +index eec5c49..f04deb4 100644 +--- a/target-i386/cpu.h ++++ b/target-i386/cpu.h +@@ -579,6 +579,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; + #define CPUID_7_0_ECX_UMIP (1U << 2) + #define CPUID_7_0_ECX_PKU (1U << 3) + #define CPUID_7_0_ECX_OSPKE (1U << 4) ++#define CPUID_7_0_ECX_AVX512_VPOPCNTDQ (1U << 14) /* POPCNT for vectors of 
DW/QW */ + #define CPUID_7_0_ECX_RDPID (1U << 22) + + #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ +-- +1.8.3.1 + diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec index 69085fe..fc54cb1 100644 --- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -73,19 +73,16 @@ Provides: %1%{extra_provides_suffix} = %{epoch}:%{version}-%{release} \ Obsoletes: %1 < %{obsoletes_version} \ %endif -Summary: QEMU is a FAST! processor emulator +Summary: QEMU is a machine emulator and virtualizer Name: %{pkgname}%{?pkgsuffix} Version: 1.5.3 -Release: 126%{?dist}.10 +Release: 141%{?dist} # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 10 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools URL: http://www.qemu.org/ -# RHEV will build Qemu only on x86_64: -%if %{rhev} -ExclusiveArch: %{power64} x86_64 -%endif +ExclusiveArch: x86_64 %{power64} aarch64 s390x Requires: seabios-bin >= 1.7.2.2-5 Requires: sgabios-bin Requires: seavgabios-bin @@ -130,6 +127,7 @@ Source17: rhel6-ne2k_pci.rom Source18: bios-256k.bin Source19: README.rhel6-gpxe-source Source20: rhel6-e1000.rom +Source21: sample_images.tar # libcacard build fixes (heading upstream) Patch1: 0000-libcacard-fix-missing-symbols-in-libcacard.so.patch 
@@ -3388,114 +3386,219 @@ Patch1664: kvm-target-i386-Add-more-Intel-AVX-512-instructions-supp.patch Patch1665: kvm-nbd-server-Set-O_NONBLOCK-on-client-fd.patch # For bz#1376542 - RHSA-2016-1756 breaks migration of instances Patch1666: kvm-virtio-recalculate-vq-inuse-after-migration.patch -# For bz#1393042 - system_reset should clear pending request for error (IDE) -Patch1667: kvm-ide-fix-halted-IO-segfault-at-reset.patch -# For bz#1392027 - shutdown rhel 5.11 guest failed and stop at "system halted" -Patch1668: kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch -# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot -Patch1669: kvm-virtio-introduce-virtqueue_unmap_sg.patch -# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot -Patch1670: kvm-virtio-introduce-virtqueue_discard.patch -# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot -Patch1671: kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch -# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot -Patch1672: kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch -# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot -Patch1673: kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch -# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot -Patch1674: kvm-virtio-zero-vq-inuse-in-virtio_reset.patch -# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot -Patch1675: kvm-virtio-add-virtqueue_rewind.patch -# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot -Patch1676: kvm-virtio-balloon-fix-stats-vq-migration.patch -# For bz#1398217 - CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.3.z] +# For bz#1377087 - shutdown rhel 5.11 guest failed and stop at "system halted" +Patch1667: kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch +# For bz#1377968 - [RHEL7.3] KVM guest 
shuts itself down after 128th reboot +Patch1668: kvm-virtio-introduce-virtqueue_unmap_sg.patch +# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1669: kvm-virtio-introduce-virtqueue_discard.patch +# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1670: kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch +# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1671: kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch +# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1672: kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch +# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1673: kvm-virtio-zero-vq-inuse-in-virtio_reset.patch +# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1674: kvm-virtio-add-virtqueue_rewind.patch +# For bz#1377968 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1675: kvm-virtio-balloon-fix-stats-vq-migration.patch +# For bz#1375507 - "threads" option is overwritten if both "sockets" and "cores" is set on -smp +Patch1676: kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch +# For bz#1398218 - CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.4] Patch1677: kvm-net-check-packet-payload-length.patch -# For bz#1420049 - system_reset should clear pending request for error (virtio-blk) -Patch1678: kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch -# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z] -Patch1679: kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch -# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z] -Patch1680: kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch -# For bz#1418232 - CVE-2017-2615 
qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z] -Patch1681: kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch -# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z] -Patch1682: kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch -# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z] -Patch1683: kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch -# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z] -Patch1684: kvm-cirrus-fix-blit-address-mask-handling.patch -# For bz#1418232 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z] -Patch1685: kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch -# For bz#1420490 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.3.z] -Patch1686: kvm-cirrus-fix-patterncopy-checks.patch -# For bz#1420490 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.3.z] -Patch1687: kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch -# For bz#1420490 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.3.z] -Patch1688: kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch -# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z] -Patch1689: kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch -# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z] -Patch1690: kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch -# For 
bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z] -Patch1691: kvm-cirrus-add-option-to-disable-blitter.patch -# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z] -Patch1692: kvm-cirrus-fix-cirrus_invalidate_region.patch -# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z] -Patch1693: kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch -# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z] -Patch1694: kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch -# For bz#1430059 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z] -Patch1695: kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1696: kvm-char-serial-cosmetic-fixes.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1697: kvm-char-serial-Use-generic-Fifo8.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1698: kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1699: kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1700: kvm-char-serial-Fix-emptyness-check.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1701: 
kvm-char-serial-Fix-emptyness-handling.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1702: kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1703: kvm-serial-change-retry-logic-to-avoid-concurrency.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1704: kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1705: kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1706: kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1707: kvm-serial-clean-up-THRE-TEMT-handling.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1708: kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1709: kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1710: kvm-serial-make-tsr_retry-unsigned.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1711: kvm-serial-simplify-tsr_retry-reset.patch -# For bz#1452332 - RHEL 7.2 based VM 
(Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1712: kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1713: kvm-serial-remove-watch-on-reset.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1714: kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch -# For bz#1452332 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop -Patch1715: kvm-spice-fix-spice_chr_add_watch-pre-condition.patch -# For bz#1460179 - CVE-2017-9524 qemu-kvm: Qemu: nbd: segmentation fault due to client non-negotiation [rhel-7.3.z] -Patch1716: kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch -# For bz#1460179 - CVE-2017-9524 qemu-kvm: Qemu: nbd: segmentation fault due to client non-negotiation [rhel-7.3.z] -Patch1717: kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch +# For bz#1342489 - Flickering Fedora 24 Login Screen on RHEL 7 +Patch1678: kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch +# For bz#1151859 - [RFE] Allow the libgfapi logging level to be controlled. +Patch1679: kvm-gluster-correctly-propagate-errors.patch +# For bz#1151859 - [RFE] Allow the libgfapi logging level to be controlled. +Patch1680: kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch +# For bz#1151859 - [RFE] Allow the libgfapi logging level to be controlled. 
+Patch1681: kvm-block-gluster-add-support-for-selecting-debug-loggin.patch +# For bz#1342768 - [Intel 7.4 Bug] qemu-kvm crashes with Linux kernel 4.6.0 or above +Patch1682: kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch +# For bz#1361488 - system_reset should clear pending request for error (virtio-blk) +Patch1683: kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch +# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4] +Patch1684: kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch +# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4] +Patch1685: kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch +# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4] +Patch1686: kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch +# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4] +Patch1687: kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch +# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4] +Patch1688: kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch +# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4] +Patch1689: kvm-cirrus-fix-blit-address-mask-handling.patch +# For bz#1418233 - CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4] +Patch1690: kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch +# For bz#1419898 - Documentation inaccurate for __com.redhat_qxl_screendump and __com.redhat_drive_add +Patch1691: kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch +# For bz#1419898 - Documentation inaccurate for 
__com.redhat_qxl_screendump and __com.redhat_drive_add +Patch1692: kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch +# For bz#1420492 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.4] +Patch1693: kvm-cirrus-fix-patterncopy-checks.patch +# For bz#1420492 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.4] +Patch1694: kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch +# For bz#1420492 - EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.4] +Patch1695: kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch +# For bz#1368375 - [Intel 7.4 Bug] qemu-kvm does not support “-cpu IvyBridge” +Patch1696: kvm-target-i386-add-Ivy-Bridge-CPU-model.patch +# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1697: kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch +# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1698: kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch +# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1699: kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch +# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1700: kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch +# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1701: kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch +# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1702: kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch +# For bz#1382122 - [Intel 
7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1703: kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch +# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1704: kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch +# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1705: kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch +# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1706: kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch +# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1707: kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch +# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1708: kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch +# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1709: kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch +# For bz#1382122 - [Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu +Patch1710: kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch +# For bz#1430606 - Can't build qemu-kvm with newer spice packages +Patch1711: kvm-spice-remove-spice-experimental.h-include.patch +# For bz#1430606 - Can't build qemu-kvm with newer spice packages +Patch1712: kvm-spice-replace-use-of-deprecated-API.patch +# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4] +Patch1713: kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch +# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4] +Patch1714: kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch +# For bz#1377977 - qemu-kvm coredump in 
vnc_raw_send_framebuffer_update [rhel-7.4] +Patch1715: kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch +# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4] +Patch1716: kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch +# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4] +Patch1717: kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch +# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4] +Patch1718: kvm-ui-vnc-fix-potential-memory-corruption-issues.patch +# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4] +Patch1719: kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch +# For bz#1377977 - qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4] +Patch1720: kvm-vnc-fix-overflow-in-vnc_update_stats.patch +# For bz#1335751 - CVE-2016-4020 qemu-kvm: Qemu: i386: leakage of stack memory to guest in kvmvapic.c [rhel-7.4] +Patch1721: kvm-i386-kvmvapic-initialise-imm32-variable.patch +# For bz#1427176 - test cases of qemu-iotests failed +Patch1722: kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch +# For bz#1427176 - test cases of qemu-iotests failed +Patch1723: kvm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch +# For bz#1427176 - test cases of qemu-iotests failed +Patch1724: kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch +# For bz#1427176 - test cases of qemu-iotests failed +Patch1725: kvm-qemu-io-Add-sigraise-command.patch +# For bz#1427176 - test cases of qemu-iotests failed +Patch1726: kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch +# For bz#1427176 - test cases of qemu-iotests failed +Patch1727: kvm-iotests-Fix-test-039.patch +# For bz#1427176 - test cases of qemu-iotests failed +Patch1728: kvm-blkdebug-Add-bdrv_truncate.patch +# For bz#1427176 - test cases of qemu-iotests failed +Patch1729: kvm-vhdx-Fix-zero-fill-iov-length.patch +# For bz#1427176 - test cases of qemu-iotests failed +Patch1730: 
kvm-qemu-iotests-Disable-030-040-041.patch +# For bz#1415830 - [Intel 7.4 FEAT] Enable vpopcntdq for KNM - qemu/kvm +Patch1731: kvm-x86-add-AVX512_VPOPCNTDQ-features.patch +# For bz#1419818 - CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4] +Patch1732: kvm-usb-ccid-check-ccid-apdu-length.patch +# For bz#1419818 - CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4] +Patch1733: kvm-usb-ccid-better-bulk_out-error-handling.patch +# For bz#1419818 - CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4] +Patch1734: kvm-usb-ccid-move-header-size-check.patch +# For bz#1419818 - CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4] +Patch1735: kvm-usb-ccid-add-check-message-size-checks.patch +# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4] +Patch1736: kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch +# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4] +Patch1737: kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch +# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4] +Patch1738: kvm-cirrus-add-option-to-disable-blitter.patch +# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4] +Patch1739: kvm-cirrus-fix-cirrus_invalidate_region.patch +# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4] +Patch1740: kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch +# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4] +Patch1741: kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch +# For bz#1430060 - CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via 
vnc connection [rhel-7.4] +Patch1742: kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch +# For bz#1327593 - [Intel 7.4 FEAT] KVM Enable the XSAVEC, XSAVES and XRSTORS instructions +Patch1743: kvm-target-i386-get-set-migrate-XSAVES-state.patch +# For bz#1299875 - system_reset should clear pending request for error (IDE) +Patch1744: kvm-ide-fix-halted-IO-segfault-at-reset.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1745: kvm-char-serial-cosmetic-fixes.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1746: kvm-char-serial-Use-generic-Fifo8.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1747: kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1748: kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1749: kvm-char-serial-Fix-emptyness-check.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1750: kvm-char-serial-Fix-emptyness-handling.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1751: kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1752: kvm-serial-change-retry-logic-to-avoid-concurrency.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock 
held by main_loop +Patch1753: kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1754: kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1755: kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1756: kvm-serial-clean-up-THRE-TEMT-handling.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1757: kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1758: kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1759: kvm-serial-make-tsr_retry-unsigned.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1760: kvm-serial-simplify-tsr_retry-reset.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1761: kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1762: kvm-serial-remove-watch-on-reset.patch +# For bz#1451470 - RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop +Patch1763: kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch +# 
For bz#1456983 - Character device regression due to missing patch +Patch1764: kvm-spice-fix-spice_chr_add_watch-pre-condition.patch +# For bz#1455745 - Backport fix for broken logic that's supposed to ensure memory slots are page aligned +Patch1765: kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch +# For bz#1452067 - migration can confuse serial port user +Patch1766: kvm-Do-not-hang-on-full-PTY.patch +# For bz#1452067 - migration can confuse serial port user +Patch1767: kvm-serial-fixing-vmstate-for-save-restore.patch +# For bz#1452067 - migration can confuse serial port user +Patch1768: kvm-serial-reinstate-watch-after-migration.patch +# For bz#1451614 - CVE-2017-9524 qemu-kvm: segment fault when private user nmap qemu-nbd server [rhel-7.4] +Patch1769: kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch +# For bz#1451614 - CVE-2017-9524 qemu-kvm: segment fault when private user nmap qemu-nbd server [rhel-7.4] +Patch1770: kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch BuildRequires: zlib-devel BuildRequires: SDL-devel BuildRequires: which -BuildRequires: texi2html BuildRequires: gnutls-devel BuildRequires: cyrus-sasl-devel BuildRequires: libtool @@ -3562,7 +3665,7 @@ BuildRequires: perl-podlators BuildRequires: texinfo # For rdma %if 0%{?have_librdma:1} -BuildRequires: librdmacm-devel +BuildRequires: rdma-core-devel %endif # cpp for preprocessing option ROM assembly files %ifarch %{ix86} x86_64 
@@ -3590,12 +3693,10 @@ Requires: qemu-img = %{epoch}:%{version}-%{release} %define qemudocdir %{_docdir}/%{pkgname} %description -qemu-kvm is an open source virtualizer that provides hardware emulation for -the KVM hypervisor. qemu-kvm acts as a virtual machine monitor together with -the KVM kernel modules, and emulates the hardware for a full system such as -a PC and its assocated peripherals. - -As qemu-kvm requires no host kernel patches to run, it is safe and easy to use. +qemu-kvm%{?pkgsuffix} is an open source virtualizer that provides hardware +emulation for the KVM hypervisor. qemu-kvm%{?pkgsuffix} acts as a virtual +machine monitor together with the KVM kernel modules, and emulates the +hardware for a full system such as a PC and its associated peripherals. %package -n qemu-img%{?pkgsuffix} Summary: QEMU command line tool for manipulating disk images @@ -3670,6 +3771,7 @@ such as kvm_stat. %prep %setup -q -n qemu-%{version} cp %{SOURCE18} pc-bios # keep "make check" happy +tar -xf %{SOURCE21} %patch1 -p1 #%%patch2 -p1 #%%patch3 -p1 
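Review bot: The added `tar -xf %{SOURCE21}` in the `%prep` hunk (`@@ -3670,6 +3771,7 @@`) says neither what the archive holds nor where it lands, while the `cp %{SOURCE18}` line just above it carries a trailing comment explaining why it exists. The changelog further down ties this to bz#1436280 (sample images for qemu-iotests missing from the SRPM), so I would write it as `tar -xf %{SOURCE21} # qemu-iotests sample images, test fixtures only (bz#1436280)`. Because the archive is an opaque binary source unpacked straight into the build tree, with its member paths deciding the destination, an explicit `-C <target-dir>` would also make the extraction location auditable from the spec. That assumes the tarball is meant for a single directory, which this hunk does not show. `%prep` continues outside the hunk, and the `Source21:` declaration is not visible here.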
@@ -5387,6 +5489,59 @@ cp %{SOURCE18} pc-bios # keep "make check" happy %patch1715 -p1 %patch1716 -p1 %patch1717 -p1 +%patch1718 -p1 +%patch1719 -p1 +%patch1720 -p1 +%patch1721 -p1 +%patch1722 -p1 +%patch1723 -p1 +%patch1724 -p1 +%patch1725 -p1 +%patch1726 -p1 +%patch1727 -p1 +%patch1728 -p1 +%patch1729 -p1 +%patch1730 -p1 +%patch1731 -p1 +%patch1732 -p1 +%patch1733 -p1 +%patch1734 -p1 +%patch1735 -p1 +%patch1736 -p1 +%patch1737 -p1 +%patch1738 -p1 +%patch1739 -p1 +%patch1740 -p1 +%patch1741 -p1 +%patch1742 -p1 +%patch1743 -p1 +%patch1744 -p1 +%patch1745 -p1 +%patch1746 -p1 +%patch1747 -p1 +%patch1748 -p1 +%patch1749 -p1 +%patch1750 -p1 +%patch1751 -p1 +%patch1752 -p1 +%patch1753 -p1 +%patch1754 -p1 +%patch1755 -p1 +%patch1756 -p1 +%patch1757 -p1 +%patch1758 -p1 +%patch1759 -p1 +%patch1760 -p1 +%patch1761 -p1 +%patch1762 -p1 +%patch1763 -p1 +%patch1764 -p1 +%patch1765 -p1 +%patch1766 -p1 +%patch1767 -p1 +%patch1768 -p1 +%patch1769 -p1 +%patch1770 -p1 %build buildarch="%{kvm_target}-softmmu" 
@@ -5832,101 +5987,211 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_mandir}/man8/qemu-nbd.8* %changelog -* Fri Jun 16 2017 Miroslav Rezanina - 1.5.3-126.el7_3.10 -- kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch [bz#1460179] -- kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch [bz#1460179] -- Resolves: bz#1460179 - (CVE-2017-9524 qemu-kvm: Qemu: nbd: segmentation fault due to client non-negotiation [rhel-7.3.z]) - -* Tue Jun 06 2017 Miroslav Rezanina - 1.5.3-126.el7_3.9 -- kvm-spice-fix-spice_chr_add_watch-pre-condition.patch [bz#1452332] -- Resolves: bz#1452332 +* Tue Jun 13 2017 Miroslav Rezanina - 1.5.3-141.el7 +- kvm-Fix-memory-slot-page-alignment-logic-bug-1455745.patch [bz#1455745] +- kvm-Do-not-hang-on-full-PTY.patch [bz#1452067] +- kvm-serial-fixing-vmstate-for-save-restore.patch [bz#1452067] +- kvm-serial-reinstate-watch-after-migration.patch [bz#1452067] +- kvm-nbd-Fully-initialize-client-in-case-of-failed-negoti.patch [bz#1451614] +- kvm-nbd-Fix-regression-on-resiliency-to-port-scan.patch [bz#1451614] +- Resolves: bz#1451614 + (CVE-2017-9524 qemu-kvm: segment fault when private user nmap qemu-nbd server [rhel-7.4]) +- Resolves: bz#1452067 + (migration can confuse serial port user) +- Resolves: bz#1455745 + (Backport fix for broken logic that's supposed to ensure memory slots are page aligned) + +* Tue Jun 06 2017 Miroslav Rezanina - 1.5.3-140.el7 +- kvm-spice-fix-spice_chr_add_watch-pre-condition.patch [bz#1456983] +- Resolves: bz#1456983 + (Character device regression due to missing patch) + +* Wed May 24 2017 Miroslav Rezanina - 1.5.3-139.el7 +- kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch [bz#1451470] +- Resolves: bz#1451470 (RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop) -* Wed May 24 2017 Miroslav Rezanina - 1.5.3-126.el7_3.8 -- kvm-char-change-qemu_chr_fe_add_watch-to-return-unsigned.patch [bz#1452332] -- Resolves: 
bz#1452332 +* Tue May 23 2017 Miroslav Rezanina - 1.5.3-138.el7 +- kvm-char-serial-cosmetic-fixes.patch [bz#1451470] +- kvm-char-serial-Use-generic-Fifo8.patch [bz#1451470] +- kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch [bz#1451470] +- kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch [bz#1451470] +- kvm-char-serial-Fix-emptyness-check.patch [bz#1451470] +- kvm-char-serial-Fix-emptyness-handling.patch [bz#1451470] +- kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch [bz#1451470] +- kvm-serial-change-retry-logic-to-avoid-concurrency.patch [bz#1451470] +- kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch [bz#1451470] +- kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch [bz#1451470] +- kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch [bz#1451470] +- kvm-serial-clean-up-THRE-TEMT-handling.patch [bz#1451470] +- kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch [bz#1451470] +- kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch [bz#1451470] +- kvm-serial-make-tsr_retry-unsigned.patch [bz#1451470] +- kvm-serial-simplify-tsr_retry-reset.patch [bz#1451470] +- kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch [bz#1451470] +- kvm-serial-remove-watch-on-reset.patch [bz#1451470] +- Resolves: bz#1451470 (RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop) -* Mon May 22 2017 Miroslav Rezanina - 1.5.3-126.el7_3.7 -- kvm-char-serial-cosmetic-fixes.patch [bz#1452332] -- kvm-char-serial-Use-generic-Fifo8.patch [bz#1452332] -- kvm-char-serial-serial_ioport_write-Factor-out-common-co.patch [bz#1452332] -- kvm-char-serial-fix-copy-paste-error-fifo8_is_full-vs-em.patch [bz#1452332] -- kvm-char-serial-Fix-emptyness-check.patch [bz#1452332] -- kvm-char-serial-Fix-emptyness-handling.patch [bz#1452332] -- kvm-serial-poll-the-serial-console-with-G_IO_HUP.patch [bz#1452332] -- kvm-serial-change-retry-logic-to-avoid-concurrency.patch 
[bz#1452332] -- kvm-qemu-char-ignore-flow-control-if-a-PTY-s-slave-is-no.patch [bz#1452332] -- kvm-serial-check-if-backed-by-a-physical-serial-port-at-.patch [bz#1452332] -- kvm-serial-reset-thri_pending-on-IER-writes-with-THRI-0.patch [bz#1452332] -- kvm-serial-clean-up-THRE-TEMT-handling.patch [bz#1452332] -- kvm-serial-update-LSR-on-enabling-disabling-FIFOs.patch [bz#1452332] -- kvm-serial-only-resample-THR-interrupt-on-rising-edge-of.patch [bz#1452332] -- kvm-serial-make-tsr_retry-unsigned.patch [bz#1452332] -- kvm-serial-simplify-tsr_retry-reset.patch [bz#1452332] -- kvm-serial-separate-serial_xmit-and-serial_watch_cb.patch [bz#1452332] -- kvm-serial-remove-watch-on-reset.patch [bz#1452332] -- Resolves: bz#1452332 - (RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop) +* Fri Apr 28 2017 Miroslav Rezanina - 1.5.3-137.el7 +- kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1299875] +- Resolves: bz#1299875 + (system_reset should clear pending request for error (IDE)) -* Fri Mar 24 2017 Miroslav Rezanina - 1.5.3-126.el7_3.6 -- kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch [bz#1430059] -- kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch [bz#1430059] -- kvm-cirrus-add-option-to-disable-blitter.patch [bz#1430059] -- kvm-cirrus-fix-cirrus_invalidate_region.patch [bz#1430059] -- kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch [bz#1430059] -- kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch [bz#1430059] -- kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch [bz#1430059] -- Resolves: bz#1430059 - (CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.3.z]) - -* Mon Feb 13 2017 Miroslav Rezanina - 1.5.3-126.el7_3.5 -- kvm-cirrus-fix-patterncopy-checks.patch [bz#1420490] -- kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch [bz#1420490] -- kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch 
[bz#1420490] -- Resolves: bz#1420490 - (EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.3.z]) - -* Fri Feb 10 2017 Miroslav Rezanina - 1.5.3-126.el7_3.4 -- kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch [bz#1420049] -- kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch [bz#1418232] -- kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch [bz#1418232] -- kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch [bz#1418232] -- kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch [bz#1418232] -- kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch [bz#1418232] -- kvm-cirrus-fix-blit-address-mask-handling.patch [bz#1418232] -- kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [bz#1418232] -- Resolves: bz#1418232 - (CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.3.z]) -- Resolves: bz#1420049 +* Tue Apr 18 2017 Miroslav Rezanina - 1.5.3-136.el7 +- kvm-target-i386-get-set-migrate-XSAVES-state.patch [bz#1327593] +- kvm-Removing-texi2html-from-build-requirements.patch [bz#1440987] +- kvm-Disable-build-of-32bit-packages.patch [bz#1441778] +- kvm-Add-sample-images-to-srpm.patch [bz#1436280] +- Resolves: bz#1327593 + ([Intel 7.4 FEAT] KVM Enable the XSAVEC, XSAVES and XRSTORS instructions) +- Resolves: bz#1436280 + (sample images for qemu-iotests are missing in the SRPM) +- Resolves: bz#1440987 + (Remove texi2html build dependancy from RPM) +- Resolves: bz#1441778 + (Stop building qemu-img for 32bit architectures.) 
+ +* Thu Mar 30 2017 Miroslav Rezanina - 1.5.3-135.el7 +- kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch [bz#1430060] +- kvm-cirrus-vnc-zap-bitblit-support-from-console-code.patch [bz#1430060] +- kvm-cirrus-add-option-to-disable-blitter.patch [bz#1430060] +- kvm-cirrus-fix-cirrus_invalidate_region.patch [bz#1430060] +- kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch [bz#1430060] +- kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch [bz#1430060] +- kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch [bz#1430060] +- Resolves: bz#1430060 + (CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-7.4]) + +* Tue Mar 21 2017 Miroslav Rezanina - 1.5.3-134.el7 +- kvm-ui-vnc-introduce-VNC_DIRTY_PIXELS_PER_BIT-macro.patch [bz#1377977] +- kvm-ui-vnc-derive-cmp_bytes-from-VNC_DIRTY_PIXELS_PER_BI.patch [bz#1377977] +- kvm-ui-vnc-optimize-dirty-bitmap-tracking.patch [bz#1377977] +- kvm-ui-vnc-optimize-setting-in-vnc_dpy_update.patch [bz#1377977] +- kvm-ui-vnc-fix-vmware-VGA-incompatiblities.patch [bz#1377977] +- kvm-ui-vnc-fix-potential-memory-corruption-issues.patch [bz#1377977] +- kvm-vnc-fix-memory-corruption-CVE-2015-5225.patch [bz#1377977] +- kvm-vnc-fix-overflow-in-vnc_update_stats.patch [bz#1377977] +- kvm-i386-kvmvapic-initialise-imm32-variable.patch [bz#1335751] +- kvm-qemu-iotests-Filter-out-actual-image-size-in-067.patch [bz#1427176] +- vm-qcow2-Don-t-rely-on-free_cluster_index-in-alloc_ref2.patch [bz#1427176] +- kvm-qemu-iotests-Fix-core-dump-suppression-in-test-039.patch [bz#1427176] +- kvm-qemu-io-Add-sigraise-command.patch [bz#1427176] +- kvm-iotests-Filter-for-Killed-in-qemu-io-output.patch [bz#1427176] +- kvm-iotests-Fix-test-039.patch [bz#1427176] +- kvm-blkdebug-Add-bdrv_truncate.patch [bz#1427176] +- kvm-vhdx-Fix-zero-fill-iov-length.patch [bz#1427176] +- kvm-qemu-iotests-Disable-030-040-041.patch [bz#1427176] +- kvm-x86-add-AVX512_VPOPCNTDQ-features.patch [bz#1415830] +- 
kvm-usb-ccid-check-ccid-apdu-length.patch [bz#1419818] +- kvm-usb-ccid-better-bulk_out-error-handling.patch [bz#1419818] +- kvm-usb-ccid-move-header-size-check.patch [bz#1419818] +- kvm-usb-ccid-add-check-message-size-checks.patch [bz#1419818] +- kvm-spec-Update-rdma-build-dependency.patch [bz#1433920] +- Resolves: bz#1335751 + (CVE-2016-4020 qemu-kvm: Qemu: i386: leakage of stack memory to guest in kvmvapic.c [rhel-7.4]) +- Resolves: bz#1377977 + (qemu-kvm coredump in vnc_raw_send_framebuffer_update [rhel-7.4]) +- Resolves: bz#1415830 + ([Intel 7.4 FEAT] Enable vpopcntdq for KNM - qemu/kvm) +- Resolves: bz#1419818 + (CVE-2017-5898 qemu-kvm: Qemu: usb: integer overflow in emulated_apdu_from_guest [rhel-7.4]) +- Resolves: bz#1427176 + (test cases of qemu-iotests failed) +- Resolves: bz#1433920 + (Switch from librdmacm-devel to rdma-core-devel) + +* Thu Mar 09 2017 Miroslav Rezanina - 1.5.3-133.el7 +- kvm-target-i386-add-Ivy-Bridge-CPU-model.patch [bz#1368375] +- kvm-x86-add-AVX512_4VNNIW-and-AVX512_4FMAPS-features.patch [bz#1382122] +- kvm-target-i386-kvm_cpu_fill_host-Kill-unused-code.patch [bz#1382122] +- kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-level.patch [bz#1382122] +- kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-CPU-v.patch [bz#1382122] +- kvm-target-i386-kvm_cpu_fill_host-No-need-to-check-xleve.patch [bz#1382122] +- kvm-target-i386-kvm_cpu_fill_host-Set-all-feature-words-.patch [bz#1382122] +- kvm-target-i386-kvm_cpu_fill_host-Fill-feature-words-in-.patch [bz#1382122] +- kvm-target-i386-kvm_check_features_against_host-Kill-fea.patch [bz#1382122] +- kvm-target-i386-Make-TCG-feature-filtering-more-readable.patch [bz#1382122] +- kvm-target-i386-Filter-FEAT_7_0_EBX-TCG-features-too.patch [bz#1382122] +- kvm-target-i386-Filter-KVM-and-0xC0000001-features-on-TC.patch [bz#1382122] +- kvm-target-i386-Define-TCG_-_FEATURES-earlier-in-cpu.c.patch [bz#1382122] +- kvm-target-i386-Loop-based-copying-and-setting-unsetting.patch [bz#1382122] +- 
kvm-target-i386-Loop-based-feature-word-filtering-in-TCG.patch [bz#1382122] +- kvm-spice-remove-spice-experimental.h-include.patch [bz#1430606] +- kvm-spice-replace-use-of-deprecated-API.patch [bz#1430606] +- Resolves: bz#1368375 + ([Intel 7.4 Bug] qemu-kvm does not support “-cpu IvyBridge”) +- Resolves: bz#1382122 + ([Intel 7.4 FEAT] KVM Enable the avx512_4vnniw, avx512_4fmaps instructions in qemu) +- Resolves: bz#1430606 + (Can't build qemu-kvm with newer spice packages) + +* Tue Feb 21 2017 Miroslav Rezanina - 1.5.3-132.el7 +- kvm-cirrus-fix-patterncopy-checks.patch [bz#1420492] +- kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch [bz#1420492] +- kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch [bz#1420492] +- Resolves: bz#1420492 + (EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-7.4]) + +* Fri Feb 10 2017 Miroslav Rezanina - 1.5.3-131.el7 +- kvm-memory-Allow-access-only-upto-the-maximum-alignment-.patch [bz#1342768] +- kvm-virtio-blk-Release-s-rq-queue-at-system_reset.patch [bz#1361488] +- kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.patch [bz#1418233] +- kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch [bz#1418233] +- kvm-display-cirrus-ignore-source-pitch-value-as-needed-i.patch [bz#1418233] +- kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch [bz#1418233] +- kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch [bz#1418233] +- kvm-cirrus-fix-blit-address-mask-handling.patch [bz#1418233] +- kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [bz#1418233] +- kvm-HMP-Fix-user-manual-typo-of-__com.redhat_qxl_screend.patch [bz#1419898] +- kvm-HMP-Fix-documentation-of-__com.redhat.drive_add.patch [bz#1419898] +- Resolves: bz#1342768 + ([Intel 7.4 Bug] qemu-kvm crashes with Linux kernel 4.6.0 or above) +- Resolves: bz#1361488 (system_reset should clear pending request for error (virtio-blk)) - -* Wed Jan 04 2017 
Miroslav Rezanina - 1.5.3-126.el7_3.3 -- kvm-net-check-packet-payload-length.patch [bz#1398217] -- Resolves: bz#1398217 - (CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.3.z]) - -* Thu Nov 24 2016 Miroslav Rezanina - 1.5.3-126.el7_3.2 -- kvm-virtio-introduce-virtqueue_unmap_sg.patch [bz#1393484] -- kvm-virtio-introduce-virtqueue_discard.patch [bz#1393484] -- kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch [bz#1393484] -- kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch [bz#1393484] -- kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch [bz#1393484] -- kvm-virtio-zero-vq-inuse-in-virtio_reset.patch [bz#1393484] -- kvm-virtio-add-virtqueue_rewind.patch [bz#1393484] -- kvm-virtio-balloon-fix-stats-vq-migration.patch [bz#1393484] -- Resolves: bz#1393484 +- Resolves: bz#1418233 + (CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-7.4]) +- Resolves: bz#1419898 + (Documentation inaccurate for __com.redhat_qxl_screendump and __com.redhat_drive_add) + +* Wed Feb 01 2017 Miroslav Rezanina - 1.5.3-130.el7 +- kvm-gluster-correctly-propagate-errors.patch [bz#1151859] +- kvm-gluster-Correctly-propagate-errors-when-volume-isn-t.patch [bz#1151859] +- kvm-block-gluster-add-support-for-selecting-debug-loggin.patch [bz#1151859] +- Resolves: bz#1151859 + ([RFE] Allow the libgfapi logging level to be controlled.) 
+ +* Wed Jan 18 2017 Miroslav Rezanina - 1.5.3-129.el7 +- kvm-Update-qemu-kvm-package-Summary-and-Description.patch [bz#1378541] +- kvm-vl-Don-t-silently-change-topology-when-all-smp-optio.patch [bz#1375507] +- kvm-net-check-packet-payload-length.patch [bz#1398218] +- kvm-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch [bz#1342489] +- Resolves: bz#1342489 + (Flickering Fedora 24 Login Screen on RHEL 7) +- Resolves: bz#1375507 + ("threads" option is overwritten if both "sockets" and "cores" is set on -smp) +- Resolves: bz#1378541 + (QEMU: update package summary and description) +- Resolves: bz#1398218 + (CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.4]) + +* Thu Nov 24 2016 Miroslav Rezanina - 1.5.3-128.el7 +- kvm-virtio-introduce-virtqueue_unmap_sg.patch [bz#1377968] +- kvm-virtio-introduce-virtqueue_discard.patch [bz#1377968] +- kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch [bz#1377968] +- kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch [bz#1377968] +- kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch [bz#1377968] +- kvm-virtio-zero-vq-inuse-in-virtio_reset.patch [bz#1377968] +- kvm-virtio-add-virtqueue_rewind.patch [bz#1377968] +- kvm-virtio-balloon-fix-stats-vq-migration.patch [bz#1377968] +- Resolves: bz#1377968 ([RHEL7.3] KVM guest shuts itself down after 128th reboot) -* Fri Nov 11 2016 Miroslav Rezanina - 1.5.3-126.el7_3.1 -- kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1393042] -- kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch [bz#1392027] -- kvm-SPEC-file-flip-the-build-from-IASL-to-checked-in-AML.patch [bz#1392027] -- Resolves: bz#1392027 +* Wed Nov 16 2016 Danilo de Paula - 1.5.3-127.el7 +- kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch [bz#1377087] +- kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1377087] +- Resolves: bz#1377087 (shutdown rhel 5.11 guest failed and stop at "system halted") -- Resolves: bz#1393042 - (system_reset 
should clear pending request for error (IDE)) * Tue Sep 20 2016 Miroslav Rezanina - 1.5.3-126.el7 - kvm-virtio-recalculate-vq-inuse-after-migration.patch [bz#1376542]