From e14a8ce4eff7b870f2146014b9ea3ca2ef13eb5b Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Apr 17 2019 01:48:03 +0000 Subject: qemu-4.0.0-0.7.rc3.fc31 Don't block migration with nested VMX (bz #1697997) Update to qemu-4.0.0-rc3 --- diff --git a/0001-Remove-problematic-evdev-86-key-from-en-us-keymap.patch b/0001-Remove-problematic-evdev-86-key-from-en-us-keymap.patch deleted file mode 100644 index 837be82..0000000 --- a/0001-Remove-problematic-evdev-86-key-from-en-us-keymap.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 2c25ad161d7714f15b1951c69c50844ea81f4186 Mon Sep 17 00:00:00 2001 -From: Adam Williamson -Date: Wed, 20 Dec 2017 15:43:07 -0800 -Subject: [PATCH] Remove problematic 'evdev 86' key from en-us keymap - -This causes LP#1738283. Gerd will have to come up with a better -fix, but just hacking out the problematic key definition should -work for now. ---- - pc-bios/keymaps/en-us | 6 ------ - 1 file changed, 6 deletions(-) - -diff --git a/pc-bios/keymaps/en-us b/pc-bios/keymaps/en-us -index a70e03adc0..e518a9dc35 100644 ---- a/pc-bios/keymaps/en-us -+++ b/pc-bios/keymaps/en-us -@@ -343,12 +343,6 @@ KP_Decimal 0x53 numlock - - # evdev 85 (0x55): no evdev -> QKeyCode mapping (xkb keysym NoSymbol) - --# evdev 86 (0x56), QKeyCode "less", number 0x56 --less 0x56 --greater 0x56 shift --bar 0x56 altgr --brokenbar 0x56 shift altgr -- - # evdev 87 (0x57), QKeyCode "f11", number 0x57 - F11 0x57 - --- -2.15.1 - diff --git a/0001-Revert-target-i386-kvm-add-VMX-migration-blocker.patch b/0001-Revert-target-i386-kvm-add-VMX-migration-blocker.patch new file mode 100644 index 0000000..c550be2 --- /dev/null +++ b/0001-Revert-target-i386-kvm-add-VMX-migration-blocker.patch 
@@ -0,0 +1,46 @@ +From: Cole Robinson +Date: Tue, 16 Apr 2019 20:14:12 -0400 +Subject: [PATCH] Revert "target/i386: kvm: add VMX migration blocker" + +This reverts commit d98f26073bebddcd3da0ba1b86c3a34e840c0fb8. + +As is, it rejects libvirt managedsave and virt-manager snapshots +for default installed VMs on intel hosts. Upstream Paolo says that +the missing kernel bits are already queued up, and until then it's +fine to revert this. + +https://lists.gnu.org/archive/html/qemu-devel/2019-04/msg02326.html +--- + target/i386/kvm.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/target/i386/kvm.c b/target/i386/kvm.c +index 3b29ce5c0d..6ad450d9f1 100644 +--- a/target/i386/kvm.c ++++ b/target/i386/kvm.c +@@ -906,7 +906,6 @@ static int hyperv_init_vcpu(X86CPU *cpu) + } + + static Error *invtsc_mig_blocker; +-static Error *vmx_mig_blocker; + + #define KVM_MAX_CPUID_ENTRIES 100 + +@@ -1270,17 +1269,6 @@ int kvm_arch_init_vcpu(CPUState *cs) + !!(c->ecx & CPUID_EXT_SMX); + } + +- if ((env->features[FEAT_1_ECX] & CPUID_EXT_VMX) && !vmx_mig_blocker) { +- error_setg(&vmx_mig_blocker, +- "Nested VMX virtualization does not support live migration yet"); +- r = migrate_add_blocker(vmx_mig_blocker, &local_err); +- if (local_err) { +- error_report_err(local_err); +- error_free(vmx_mig_blocker); +- return r; +- } +- } +- + if (env->mcg_cap & MCG_LMCE_P) { + has_msr_mcg_ext_ctl = has_msr_feature_control = true; + } diff --git a/0001-qemu-seccomp-dont-kill-process-for-resource-contro.patch b/0001-qemu-seccomp-dont-kill-process-for-resource-contro.patch deleted file mode 100644 index e91274a..0000000 --- a/0001-qemu-seccomp-dont-kill-process-for-resource-contro.patch +++ /dev/null 
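Review bot: Removing the `vmx_mig_blocker` block from `kvm_arch_init_vcpu()` leaves no signal at all when a guest whose CPU model exposes VMX is saved or migrated, even though the reverted message says nested VMX does not support live migration yet. The commit text justifies the revert only for managedsave and snapshots of default-installed guests. A guest that is actually running nested VMs at save time would presumably lose that nested state silently; this is inferred, since the hunk does not show what KVM transfers. Rather than deleting the check outright, consider keeping a one-time warning in its place, e.g. `warn_report_once("Nested VMX state is not migrated; guests running nested VMs may fail after restore");`, so the condition stays visible in the QEMU log. `kvm_arch_init_vcpu()` starts and ends outside the inner hunk.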
@@ -1,103 +0,0 @@ -From: Daniel P. Berrangé -Date: Wed, 13 Mar 2019 09:49:03 +0000 -Subject: [PATCH RFC] seccomp: don't kill process for resource control syscalls - -The Mesa library tries to set process affinity on some of its threads in -order to optimize its performance. Currently this results in QEMU being -immediately terminated when seccomp is enabled. - -Mesa doesn't consider failure of the process affinity settings to be -fatal to its operation, but our seccomp policy gives it no choice in -gracefully handling this denial. - -It is reasonable to consider that malicious code using the resource -control syscalls to be a less serious attack than if they were trying -to spawn processes or change UIDs and other such things. Generally -speaking changing the resource control setting will "merely" affect -quality of service of processes on the host. With this in mind, rather -than kill the process, we can relax the policy for these syscalls to -return the EPERM errno value. This allows callers to detect that QEMU -does not want them to change resource allocations, and apply some -reasonable fallback logic. - -The main downside to this is for code which uses these syscalls but does -not check the return value, blindly assuming they will always -succeeed. Returning an errno could result in sub-optimal behaviour. -Arguably though such code is already broken & needs fixing regardless. - -Signed-off-by: Daniel P. 
Berrangé ---- - qemu-seccomp.c | 32 +++++++++++++++++++++++++------- - 1 file changed, 25 insertions(+), 7 deletions(-) - -diff --git a/qemu-seccomp.c b/qemu-seccomp.c -index 36d5829831..9776c9ef40 100644 ---- a/qemu-seccomp.c -+++ b/qemu-seccomp.c -@@ -121,20 +121,37 @@ qemu_seccomp(unsigned int operation, unsigned int flags, void *args) - #endif - } - --static uint32_t qemu_seccomp_get_kill_action(void) -+static uint32_t qemu_seccomp_get_kill_action(int set) - { -+ switch (set) { -+ case QEMU_SECCOMP_SET_DEFAULT: -+ case QEMU_SECCOMP_SET_OBSOLETE: -+ case QEMU_SECCOMP_SET_PRIVILEGED: -+ case QEMU_SECCOMP_SET_SPAWN: { - #if defined(SECCOMP_GET_ACTION_AVAIL) && defined(SCMP_ACT_KILL_PROCESS) && \ - defined(SECCOMP_RET_KILL_PROCESS) -- { -- uint32_t action = SECCOMP_RET_KILL_PROCESS; -+ static int kill_process = -1; -+ if (kill_process == -1) { -+ uint32_t action = SECCOMP_RET_KILL_PROCESS; - -- if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) { -+ if (qemu_seccomp(SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0) { -+ kill_process = 1; -+ } -+ kill_process = 0; -+ } -+ if (kill_process == 1) { - return SCMP_ACT_KILL_PROCESS; - } -- } - #endif -+ return SCMP_ACT_TRAP; -+ } -+ -+ case QEMU_SECCOMP_SET_RESOURCECTL: -+ return SCMP_ACT_ERRNO(EPERM); - -- return SCMP_ACT_TRAP; -+ default: -+ g_assert_not_reached(); -+ } - } - - -@@ -143,7 +160,6 @@ static int seccomp_start(uint32_t seccomp_opts) - int rc = 0; - unsigned int i = 0; - scmp_filter_ctx ctx; -- uint32_t action = qemu_seccomp_get_kill_action(); - - ctx = seccomp_init(SCMP_ACT_ALLOW); - if (ctx == NULL) { -@@ -157,10 +173,12 @@ static int seccomp_start(uint32_t seccomp_opts) - } - - for (i = 0; i < ARRAY_SIZE(blacklist); i++) { -+ uint32_t action; - if (!(seccomp_opts & blacklist[i].set)) { - continue; - } - -+ action = qemu_seccomp_get_kill_action(blacklist[i].set); - rc = seccomp_rule_add_array(ctx, action, blacklist[i].num, - blacklist[i].narg, blacklist[i].arg_cmp); - if (rc < 0) { --- -2.20.1 
diff --git a/0002-linux-user-assume-__NR_gettid-always-exists.patch b/0002-linux-user-assume-__NR_gettid-always-exists.patch deleted file mode 100644 index 4895219..0000000 --- a/0002-linux-user-assume-__NR_gettid-always-exists.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 9abb23f799804ed7b30aecac2217f870b229f873 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Wed, 20 Mar 2019 15:32:30 +0000 -Subject: [PATCH 1/2] linux-user: assume __NR_gettid always exists -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The gettid syscall was introduced in Linux 2.4.11. This is old enough -that we can assume it always exists and thus not bother with the -conditional backcompat logic. - -Signed-off-by: Daniel P. Berrangé ---- - linux-user/syscall.c | 8 -------- - 1 file changed, 8 deletions(-) - -diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 208fd1813d..11729f382c 100644 ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -249,15 +249,7 @@ static type name (type1 arg1,type2 arg2,type3 arg3,type4 arg4,type5 arg5, \ - #define TARGET_NR__llseek TARGET_NR_llseek - #endif - --#ifdef __NR_gettid - _syscall0(int, gettid) --#else --/* This is a replacement for the host gettid() and must return a host -- errno. */ --static int gettid(void) { -- return -ENOSYS; --} --#endif - - /* For the 64-bit guest on 32-bit host case we must emulate - * getdents using getdents64, because otherwise the host --- -2.20.1 - diff --git a/0003-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch b/0003-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch deleted file mode 100644 index 7fc85bb..0000000 --- a/0003-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From 7bfee99b5dc6dd971d4e0dec49af7578ea1b405c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Tue, 19 Mar 2019 17:04:05 +0000 -Subject: [PATCH 2/2] linux-user: rename gettid() to sys_gettid() to avoid - clash with glibc -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The glibc-2.29.9000-6.fc31.x86_64 package finally includes the gettid() -function as part of unistd.h when __USE_GNU is defined. This clashes -with linux-user code which unconditionally defines this function name -itself. - -/home/berrange/src/virt/qemu/linux-user/syscall.c:253:16: error: static declaration of ‘gettid’ follows non-static declaration - 253 | _syscall0(int, gettid) - | ^~~~~~ -/home/berrange/src/virt/qemu/linux-user/syscall.c:184:13: note: in definition of macro ‘_syscall0’ - 184 | static type name (void) \ - | ^~~~ -In file included from /usr/include/unistd.h:1170, - from /home/berrange/src/virt/qemu/include/qemu/osdep.h:107, - from /home/berrange/src/virt/qemu/linux-user/syscall.c:20: -/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here - 34 | extern __pid_t gettid (void) __THROW; - | ^~~~~~ - CC aarch64-linux-user/linux-user/signal.o -make[1]: *** [/home/berrange/src/virt/qemu/rules.mak:69: linux-user/syscall.o] Error 1 -make[1]: *** Waiting for unfinished jobs.... -make: *** [Makefile:449: subdir-aarch64-linux-user] Error 2 - -While we could make our definition conditional and rely on glibc's impl, -this patch simply renames our definition to sys_gettid() which is a -common pattern in this file. - -Signed-off-by: Daniel P. 
Berrangé ---- - linux-user/syscall.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 11729f382c..96cd4bf86d 100644 ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -249,7 +249,8 @@ static type name (type1 arg1,type2 arg2,type3 arg3,type4 arg4,type5 arg5, \ - #define TARGET_NR__llseek TARGET_NR_llseek - #endif - --_syscall0(int, gettid) -+#define __NR_sys_gettid __NR_gettid -+_syscall0(int, sys_gettid) - - /* For the 64-bit guest on 32-bit host case we must emulate - * getdents using getdents64, because otherwise the host -@@ -5434,7 +5435,7 @@ static void *clone_func(void *arg) - cpu = ENV_GET_CPU(env); - thread_cpu = cpu; - ts = (TaskState *)cpu->opaque; -- info->tid = gettid(); -+ info->tid = sys_gettid(); - task_settid(ts); - if (info->child_tidptr) - put_user_u32(info->tid, info->child_tidptr); -@@ -5579,9 +5580,9 @@ static int do_fork(CPUArchState *env, unsigned int flags, abi_ulong newsp, - mapping. We can't repeat the spinlock hack used above because - the child process gets its own copy of the lock. */ - if (flags & CLONE_CHILD_SETTID) -- put_user_u32(gettid(), child_tidptr); -+ put_user_u32(sys_gettid(), child_tidptr); - if (flags & CLONE_PARENT_SETTID) -- put_user_u32(gettid(), parent_tidptr); -+ put_user_u32(sys_gettid(), parent_tidptr); - ts = (TaskState *)cpu->opaque; - if (flags & CLONE_SETTLS) - cpu_set_tls (env, newtls); -@@ -10621,7 +10622,7 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1, - return TARGET_PAGE_SIZE; - #endif - case TARGET_NR_gettid: -- return get_errno(gettid()); -+ return get_errno(sys_gettid()); - #ifdef TARGET_NR_readahead - case TARGET_NR_readahead: - #if TARGET_ABI_BITS == 32 --- -2.20.1 - diff --git a/qemu.spec b/qemu.spec index 9be5f66..fd67a5b 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -138,7 +138,7 @@ %{obsoletes_block_rbd} # Release candidate version tracking -%global rcver rc2 +%global rcver rc3 %if 0%{?rcver:1} %global rcrel .%{rcver} %global rcstr -%{rcver} @@ -148,7 +148,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 4.0.0 -Release: 0.6%{?rcrel}%{?dist} +Release: 0.7%{?rcrel}%{?dist} Epoch: 2 License: GPLv2 and BSD and MIT and CC-BY URL: http://www.qemu.org/ @@ -172,9 +172,10 @@ Source20: kvm-x86.modprobe.conf # /etc/security/limits.d/95-kvm-ppc64-memlock.conf Source21: 95-kvm-ppc64-memlock.conf -# Modern glibc has a gettid function -Patch1: 0002-linux-user-assume-__NR_gettid-always-exists.patch -Patch2: 0003-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch +# Don't block migration with nested VMX (bz #1697997) +# Not upstream: temporary workaround until kernel supports lands for nested +# VMX migration +Patch0001: 0001-Revert-target-i386-kvm-add-VMX-migration-blocker.patch # documentation deps @@ -1726,6 +1727,10 @@ getent passwd qemu >/dev/null || \ %changelog +* Tue Apr 16 2019 Cole Robinson - 2:4.0.0-0.7.rc3 +- Don't block migration with nested VMX (bz #1697997) +- Update to qemu-4.0.0-rc3 + * Sat Apr 06 2019 Richard W.M. Jones - 2:4.0.0-0.6.rc2 - Rebuild against xen 4.12.
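Review bot: The comment above `Patch0001` calls the revert a temporary workaround but does not record what must be true before the patch is dropped, and "until kernel supports lands" reads as a typo. I would reword it to `# Not upstream: temporary workaround until kernel support lands for nested VMX migration` and add the thread already cited in the patch file, `# https://lists.gnu.org/archive/html/qemu-devel/2019-04/msg02326.html`. That gives the next rebase something to check before deciding whether the blocker should come back. The version-bump and changelog hunks on this line need nothing.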