From 12991f1aafd3a2c3b7809144b5f1d469d6206d82 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 20 2020 11:33:22 +0000
Subject: import qemu-kvm-ma-2.12.0-46.el7
---
diff --git a/SOURCES/kvm-Revert-mc146818rtc-fix-timer-interrupt-reinjection.patch b/SOURCES/kvm-Revert-mc146818rtc-fix-timer-interrupt-reinjection.patch
new file mode 100644
index 0000000..75b33c6
--- /dev/null
+++ b/SOURCES/kvm-Revert-mc146818rtc-fix-timer-interrupt-reinjection.patch
@@ -0,0 +1,121 @@ +From 8af16b9722f5bdeacf3a30c21490846e24b989b2 Mon Sep 17 00:00:00 2001 +From: Marcelo Tosatti +Date: Wed, 4 Dec 2019 15:21:08 +0100 +Subject: [PATCH 2/3] Revert "mc146818rtc: fix timer interrupt reinjection" + +RH-Author: Marcelo Tosatti +Message-id: <20191204152436.753293175@amt.cnet> +Patchwork-id: 92888 +O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 2/3] Revert "mc146818rtc: fix timer interrupt reinjection" +Bugzilla: 1639098 +RH-Acked-by: Laszlo Ersek +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Vitaly Kuznetsov + +BZ: 1639098 +Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=24854309 +BRANCH: rhv7/master-2.12.0 +Upstream: 3ae32adff17226bc6a5f3fd7bb9804e6779e0660 +of pbonzini's for-upstream tree. + +This reverts commit b429de730174b388ea5760e3debb0d542ea3c261, except +that the reversal of the outer "if (period)" is left in. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Marcelo Tosatti +Signed-off-by: Miroslav Rezanina +--- + hw/timer/mc146818rtc.c | 67 +++++++++++++++++++++++++------------------------- + 1 file changed, 33 insertions(+), 34 deletions(-) + +diff --git a/hw/timer/mc146818rtc.c b/hw/timer/mc146818rtc.c +index 296d974..d848911 100644 +--- a/hw/timer/mc146818rtc.c ++++ b/hw/timer/mc146818rtc.c +@@ -196,7 +196,6 @@ periodic_timer_update(RTCState *s, int64_t current_time, uint32_t old_period) + int64_t cur_clock, next_irq_clock, lost_clock = 0; + + period = rtc_periodic_clock_ticks(s); +- + if (!period) { + s->irq_coalesced = 0; + timer_del(s->periodic_timer); +@@ -219,42 +218,42 @@ periodic_timer_update(RTCState *s, int64_t current_time, uint32_t old_period) + last_periodic_clock = next_periodic_clock - old_period; + lost_clock = cur_clock - last_periodic_clock; + assert(lost_clock >= 0); ++ } + ++ /* ++ * s->irq_coalesced can change for two reasons: ++ * ++ * a) if one or more periodic timer interrupts have been lost, ++ * lost_clock will be more that a period. 
++ * ++ * b) when the period may be reconfigured, we expect the OS to ++ * treat delayed tick as the new period. So, when switching ++ * from a shorter to a longer period, scale down the missing, ++ * because the OS will treat past delayed ticks as longer ++ * (leftovers are put back into lost_clock). When switching ++ * to a shorter period, scale up the missing ticks since the ++ * OS handler will treat past delayed ticks as shorter. ++ */ ++ if (s->lost_tick_policy == LOST_TICK_POLICY_SLEW) { ++ uint32_t old_irq_coalesced = s->irq_coalesced; ++ ++ s->period = period; ++ lost_clock += old_irq_coalesced * old_period; ++ s->irq_coalesced = lost_clock / s->period; ++ lost_clock %= s->period; ++ if (old_irq_coalesced != s->irq_coalesced || ++ old_period != s->period) { ++ DPRINTF_C("cmos: coalesced irqs scaled from %d to %d, " ++ "period scaled from %d to %d\n", old_irq_coalesced, ++ s->irq_coalesced, old_period, s->period); ++ rtc_coalesced_timer_update(s); ++ } ++ } else { + /* +- * s->irq_coalesced can change for two reasons: +- * +- * a) if one or more periodic timer interrupts have been lost, +- * lost_clock will be more that a period. +- * +- * b) when the period may be reconfigured, we expect the OS to +- * treat delayed tick as the new period. So, when switching +- * from a shorter to a longer period, scale down the missing, +- * because the OS will treat past delayed ticks as longer +- * (leftovers are put back into lost_clock). When switching +- * to a shorter period, scale up the missing ticks since the +- * OS handler will treat past delayed ticks as shorter. ++ * no way to compensate the interrupt if LOST_TICK_POLICY_SLEW ++ * is not used, we should make the time progress anyway. 
+ */ +- if (s->lost_tick_policy == LOST_TICK_POLICY_SLEW) { +- uint32_t old_irq_coalesced = s->irq_coalesced; +- +- s->period = period; +- lost_clock += old_irq_coalesced * old_period; +- s->irq_coalesced = lost_clock / s->period; +- lost_clock %= s->period; +- if (old_irq_coalesced != s->irq_coalesced || +- old_period != s->period) { +- DPRINTF_C("cmos: coalesced irqs scaled from %d to %d, " +- "period scaled from %d to %d\n", old_irq_coalesced, +- s->irq_coalesced, old_period, s->period); +- rtc_coalesced_timer_update(s); +- } +- } else { +- /* +- * no way to compensate the interrupt if LOST_TICK_POLICY_SLEW +- * is not used, we should make the time progress anyway. +- */ +- lost_clock = MIN(lost_clock, period); +- } ++ lost_clock = MIN(lost_clock, period); + } + + assert(lost_clock >= 0 && lost_clock <= period); +-- +1.8.3.1 + diff --git a/SOURCES/kvm-clean-up-callback-when-del-virtqueue.patch b/SOURCES/kvm-clean-up-callback-when-del-virtqueue.patch new file mode 100644 index 0000000..2dfe279 --- /dev/null +++ b/SOURCES/kvm-clean-up-callback-when-del-virtqueue.patch 
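Review bot: After this revert, `s->period = period;` is again executed only inside the `LOST_TICK_POLICY_SLEW` branch, so with any other lost-tick policy periodic_timer_update never refreshes the field; whether anything reads `s->period` outside that branch is not visible in this hunk. The third patch of the same import (`kvm-mc146818rtc-fix-timer-interrupt-reinjection-again.patch`) hoists the assignment above the `if (!period)` check, so the inconsistent state exists only between the two patches, which is worth one sentence in the RH header for anyone bisecting the series. The commit text says the reversal of the outer `if (period)` is kept, and that matches the `if (!period)` early-exit the hunk leaves in place. periodic_timer_update starts and ends outside this hunk.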
@@ -0,0 +1,55 @@
+From c17dffff03c6ba03633b8e009599bd3863c638fa Mon Sep 17 00:00:00 2001
+From: Julia Suvorova
+Date: Wed, 4 Mar 2020 20:07:51 -0500
+Subject: [PATCH 09/12] clean up callback when del virtqueue
+
+RH-Author: Julia Suvorova
+Message-id: <20200304200754.32708-2-jusual@redhat.com>
+Patchwork-id: 94152
+O-Subject: [RHEL-7.9 qemu-kvm-rhev PATCH 1/4] clean up callback when del virtqueue
+Bugzilla: 1721403
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Maxim Levitsky
+RH-Acked-by: Michael S. Tsirkin
+
+From: liujunjie
+
+Before, we did not clear callback like handle_output when delete
+the virtqueue which may result be segmentfault.
+The scene is as follows:
+1. Start a vm with multiqueue vhost-net,
+2. then we write VIRTIO_PCI_GUEST_FEATURES in PCI configuration to
+triger multiqueue disable in this vm which will delete the virtqueue.
+In this step, the tx_bh is deleted but the callback virtio_net_handle_tx_bh
+still exist.
+3. Finally, we write VIRTIO_PCI_QUEUE_NOTIFY in PCI configuration to
+notify the deleted virtqueue. In this way, virtio_net_handle_tx_bh
+will be called and qemu will be crashed.
+
+Although the way described above is uncommon, we had better reinforce it.
+
+CC: qemu-stable@nongnu.org
+Signed-off-by: liujunjie
+Signed-off-by: Jason Wang
+(cherry picked from commit 7da2d99fb9fbf30104125c061caaff330e362d74)
+Signed-off-by: Jon Maloy
+---
+ hw/virtio/virtio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 08a4332210..d228b9297d 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -1610,6 +1610,8 @@ void virtio_del_queue(VirtIODevice *vdev, int n)
+
+ vdev->vq[n].vring.num = 0;
+ vdev->vq[n].vring.num_default = 0;
++ vdev->vq[n].handle_output = NULL;
++ vdev->vq[n].handle_aio_output = NULL;
+ }
+
+ static void virtio_set_isr(VirtIODevice *vdev, int value)
+--
+2.18.2
+
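Review bot: Clearing `handle_output` and `handle_aio_output` only prevents the crash described in the message if every dispatch site tests the pointer before calling through it; the QUEUE_NOTIFY path and the AIO host-notifier handler are outside this hunk, so that precondition is inferred here rather than shown. A one-line comment at the two new lines would record the contract for the next reader, e.g. `/* a guest notify for a deleted queue must find NULL here, never a stale handler */`. virtio_del_queue begins before the hunk; only `vring.num` and `vring.num_default` are visibly reset alongside the new lines.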
diff --git a/SOURCES/kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch b/SOURCES/kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch
new file mode 100644
index 0000000..d765e13
--- /dev/null
+++ b/SOURCES/kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch
@@ -0,0 +1,94 @@ +From afbc21e30ba77c76a6cce13b95940e32e43213bc Mon Sep 17 00:00:00 2001 +From: Maxim Levitsky +Date: Mon, 17 Feb 2020 14:52:04 -0500 +Subject: [PATCH 01/12] gluster: Handle changed glfs_ftruncate signature + +RH-Author: Maxim Levitsky +Message-id: <20200217145205.21347-2-mlevitsk@redhat.com> +Patchwork-id: 93894 +O-Subject: [RHEL-7.9 qemu-kvm-rhev PATCH 1/2] gluster: Handle changed glfs_ftruncate signature +Bugzilla: 1802216 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Sergio Lopez Pascual +RH-Acked-by: Stefano Garzarella + +From: Prasanna Kumar Kalever + +New versions of Glusters libgfapi.so have an updated glfs_ftruncate() +function that returns additional 'struct stat' structures to enable +advanced caching of attributes. This is useful for file servers, not so +much for QEMU. Nevertheless, the API has changed and needs to be +adopted. + +Signed-off-by: Prasanna Kumar Kalever +Signed-off-by: Niels de Vos +Signed-off-by: Kevin Wolf +(cherry picked from commit e014dbe74e0484188164c61ff6843f8a04a8cb9d) +Signed-off-by: Maxim Levitsky +Signed-off-by: Jon Maloy +--- + block/gluster.c | 4 ++++ + configure | 18 ++++++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/block/gluster.c b/block/gluster.c +index 8c13002fd4..e3ffa6136e 100644 +--- a/block/gluster.c ++++ b/block/gluster.c +@@ -20,6 +20,10 @@ + #include "qemu/option.h" + #include "qemu/cutils.h" + ++#ifdef CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT ++# define glfs_ftruncate(fd, offset) glfs_ftruncate(fd, offset, NULL, NULL) ++#endif ++ + #define GLUSTER_OPT_FILENAME "filename" + #define GLUSTER_OPT_VOLUME "volume" + #define GLUSTER_OPT_PATH "path" +diff --git a/configure b/configure +index 285fd47de3..f78663367e 100755 +--- a/configure ++++ b/configure +@@ -429,6 +429,7 @@ glusterfs_xlator_opt="no" + glusterfs_discard="no" + glusterfs_fallocate="no" + glusterfs_zerofill="no" ++glusterfs_ftruncate_has_stat="no" + gtk="" + gtkabi="" + gtk_gl="no" +@@ -3871,6 +3872,19 @@ if test "$glusterfs" 
!= "no" ; then + glusterfs_fallocate="yes" + glusterfs_zerofill="yes" + fi ++ cat > $TMPC << EOF ++#include ++ ++int ++main(void) ++{ ++ /* new glfs_ftruncate() passes two additional args */ ++ return glfs_ftruncate(NULL, 0, NULL, NULL); ++} ++EOF ++ if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then ++ glusterfs_ftruncate_has_stat="yes" ++ fi + else + if test "$glusterfs" = "yes" ; then + feature_not_found "GlusterFS backend support" \ +@@ -6529,6 +6543,10 @@ if test "$glusterfs_zerofill" = "yes" ; then + echo "CONFIG_GLUSTERFS_ZEROFILL=y" >> $config_host_mak + fi + ++if test "$glusterfs_ftruncate_has_stat" = "yes" ; then ++ echo "CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT=y" >> $config_host_mak ++fi ++ + if test "$libssh2" = "yes" ; then + echo "CONFIG_LIBSSH2=m" >> $config_host_mak + echo "LIBSSH2_CFLAGS=$libssh2_cflags" >> $config_host_mak +-- +2.18.2 + diff --git a/SOURCES/kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch b/SOURCES/kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch new file mode 100644 index 0000000..396c77a --- /dev/null +++ b/SOURCES/kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch 
@@ -0,0 +1,105 @@ +From d0cf28359d8fee8437d664f98121b8af85a5d12e Mon Sep 17 00:00:00 2001 +From: Maxim Levitsky +Date: Mon, 17 Feb 2020 14:52:05 -0500 +Subject: [PATCH 02/12] gluster: the glfs_io_cbk callback function pointer adds + pre/post stat args + +RH-Author: Maxim Levitsky +Message-id: <20200217145205.21347-3-mlevitsk@redhat.com> +Patchwork-id: 93893 +O-Subject: [RHEL-7.9 qemu-kvm-rhev PATCH 2/2] gluster: the glfs_io_cbk callback function pointer adds pre/post stat args +Bugzilla: 1802216 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Sergio Lopez Pascual +RH-Acked-by: Stefano Garzarella + +From: Niels de Vos + +The glfs_*_async() functions do a callback once finished. This callback +has changed its arguments, pre- and post-stat structures have been +added. This makes it possible to improve caching, which is useful for +Samba and NFS-Ganesha, but not so much for QEMU. Gluster 6 is the first +release that includes these new arguments. + +With an additional detection in ./configure, the new arguments can +conditionally get included in the glfs_io_cbk handler. + +Signed-off-by: Niels de Vos +Signed-off-by: Kevin Wolf +(cherry picked from commit 0e3b891fefacc0e49f3c8ffa3a753b69eb7214d2) +Signed-off-by: Maxim Levitsky +Signed-off-by: Jon Maloy +--- + block/gluster.c | 6 +++++- + configure | 24 ++++++++++++++++++++++++ + 2 files changed, 29 insertions(+), 1 deletion(-) + +diff --git a/block/gluster.c b/block/gluster.c +index e3ffa6136e..a6ac2b1dc1 100644 +--- a/block/gluster.c ++++ b/block/gluster.c +@@ -729,7 +729,11 @@ static struct glfs *qemu_gluster_init(BlockdevOptionsGluster *gconf, + /* + * AIO callback routine called from GlusterFS thread. 
+ */ +-static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, void *arg) ++static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, ++#ifdef CONFIG_GLUSTERFS_IOCB_HAS_STAT ++ struct glfs_stat *pre, struct glfs_stat *post, ++#endif ++ void *arg) + { + GlusterAIOCB *acb = (GlusterAIOCB *)arg; + +diff --git a/configure b/configure +index f78663367e..da50c091df 100755 +--- a/configure ++++ b/configure +@@ -430,6 +430,7 @@ glusterfs_discard="no" + glusterfs_fallocate="no" + glusterfs_zerofill="no" + glusterfs_ftruncate_has_stat="no" ++glusterfs_iocb_has_stat="no" + gtk="" + gtkabi="" + gtk_gl="no" +@@ -3885,6 +3886,25 @@ EOF + if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then + glusterfs_ftruncate_has_stat="yes" + fi ++ cat > $TMPC << EOF ++#include ++ ++/* new glfs_io_cbk() passes two additional glfs_stat structs */ ++static void ++glusterfs_iocb(glfs_fd_t *fd, ssize_t ret, struct glfs_stat *prestat, struct glfs_stat *poststat, void *data) ++{} ++ ++int ++main(void) ++{ ++ glfs_io_cbk iocb = &glusterfs_iocb; ++ iocb(NULL, 0 , NULL, NULL, NULL); ++ return 0; ++} ++EOF ++ if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then ++ glusterfs_iocb_has_stat="yes" ++ fi + else + if test "$glusterfs" = "yes" ; then + feature_not_found "GlusterFS backend support" \ +@@ -6547,6 +6567,10 @@ if test "$glusterfs_ftruncate_has_stat" = "yes" ; then + echo "CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT=y" >> $config_host_mak + fi + ++if test "$glusterfs_iocb_has_stat" = "yes" ; then ++ echo "CONFIG_GLUSTERFS_IOCB_HAS_STAT=y" >> $config_host_mak ++fi ++ + if test "$libssh2" = "yes" ; then + echo "CONFIG_LIBSSH2=m" >> $config_host_mak + echo "LIBSSH2_CFLAGS=$libssh2_cflags" >> $config_host_mak +-- +2.18.2 + diff --git a/SOURCES/kvm-i386-Add-new-model-of-Cascadelake-Server.patch b/SOURCES/kvm-i386-Add-new-model-of-Cascadelake-Server.patch new file mode 100644 index 0000000..d6fc740 --- /dev/null +++ b/SOURCES/kvm-i386-Add-new-model-of-Cascadelake-Server.patch 
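Review bot: The `#ifdef CONFIG_GLUSTERFS_IOCB_HAS_STAT` inside the parameter list gives gluster_finish_aiocb two parameters, `pre` and `post`, that nothing in the visible body reads, and a preprocessor conditional in the middle of a prototype is hard to scan; the body continues outside the hunk, so whether they are used further down cannot be confirmed here. A short comment on the conditional lines would make the intent explicit, e.g. `/* pre/post stat are part of the gluster >= 6 callback ABI; QEMU does not cache attributes, so they are unused */`. In the configure probe, `iocb(NULL, 0 , NULL, NULL, NULL);` has a stray space before the comma; harmless, but `iocb(NULL, 0, NULL, NULL, NULL);` matches the surrounding style.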
@@ -0,0 +1,107 @@ +From 00a6c6f0214ad15a68870ad753e656e17a12afe6 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Fri, 4 Oct 2019 19:57:12 +0200 +Subject: [PATCH 2/4] i386: Add new model of Cascadelake-Server + +RH-Author: Eduardo Habkost +Message-id: <20191004195714.10176-2-ehabkost@redhat.com> +Patchwork-id: 90960 +O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 1/3] i386: Add new model of Cascadelake-Server +Bugzilla: 1638472 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: Igor Mammedov + +From: Tao Xu + +New CPU models mostly inherit features from ancestor Skylake-Server, +while addin new features: AVX512_VNNI, Intel PT. +SSBD support for speculative execution +side channel mitigations. + +Note: + +On Cascadelake, some capabilities (RDCL_NO, IBRS_ALL, RSBA, +SKIP_L1DFL_VMENTRY and SSB_NO) are enumerated by MSR. +These features rely on MSR based feature support patch. +Will be added later after that patch's in. +http://lists.nongnu.org/archive/html/qemu-devel/2018-09/msg00074.html + +Signed-off-by: Tao Xu +Message-Id: <20180919031122.28487-2-tao3.xu@intel.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit c7a88b52f62b30c04158eeb07f73e3f72221b6a8) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target/i386/cpu.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 54 insertions(+) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 5d6b45b..2b85193 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -2483,6 +2483,60 @@ static X86CPUDefinition builtin_x86_defs[] = { + .model_id = "Intel Xeon Processor (Skylake, IBRS)", + }, + { ++ .name = "Cascadelake-Server", ++ .level = 0xd, ++ .vendor = CPUID_VENDOR_INTEL, ++ .family = 6, ++ .model = 85, ++ .stepping = 5, ++ .features[FEAT_1_EDX] = ++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX | ++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA | ++ CPUID_PGE | CPUID_MTRR | CPUID_SEP 
| CPUID_APIC | CPUID_CX8 | ++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE | ++ CPUID_DE | CPUID_FP87, ++ .features[FEAT_1_ECX] = ++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES | ++ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | ++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | ++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 | ++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE | ++ CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND, ++ .features[FEAT_8000_0001_EDX] = ++ CPUID_EXT2_LM | CPUID_EXT2_PDPE1GB | CPUID_EXT2_RDTSCP | ++ CPUID_EXT2_NX | CPUID_EXT2_SYSCALL, ++ .features[FEAT_8000_0001_ECX] = ++ CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH, ++ .features[FEAT_7_0_EBX] = ++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 | ++ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP | ++ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID | ++ CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX | ++ CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_MPX | CPUID_7_0_EBX_CLWB | ++ CPUID_7_0_EBX_AVX512F | CPUID_7_0_EBX_AVX512DQ | ++ CPUID_7_0_EBX_AVX512BW | CPUID_7_0_EBX_AVX512CD | ++ CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT | ++ CPUID_7_0_EBX_INTEL_PT, ++ .features[FEAT_7_0_ECX] = ++ CPUID_7_0_ECX_PKU | CPUID_7_0_ECX_OSPKE | ++ CPUID_7_0_ECX_AVX512VNNI, ++ .features[FEAT_7_0_EDX] = ++ CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_SPEC_CTRL_SSBD, ++ /* Missing: XSAVES (not supported by some Linux versions, ++ * including v4.1 to v4.12). ++ * KVM doesn't yet expose any XSAVES state save component, ++ * and the only one defined in Skylake (processor tracing) ++ * probably will block migration anyway. 
++ */ ++ .features[FEAT_XSAVE] = ++ CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | ++ CPUID_XSAVE_XGETBV1, ++ .features[FEAT_6_EAX] = ++ CPUID_6_EAX_ARAT, ++ .xlevel = 0x80000008, ++ .model_id = "Intel Xeon Processor (Cascadelake)", ++ }, ++ { + .name = "Opteron_G1", + .level = 5, + .vendor = CPUID_VENDOR_AMD, +-- +1.8.3.1 + diff --git a/SOURCES/kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch b/SOURCES/kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch new file mode 100644 index 0000000..85528dc --- /dev/null +++ b/SOURCES/kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch 
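Review bot: The new table entry lists `CPUID_7_0_ECX_OSPKE` in FEAT_7_0_ECX and `CPUID_7_0_EBX_INTEL_PT` in FEAT_7_0_EBX, both of which the two following patches in this import (`kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch`, `kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch`) remove again, so the model is correct only once all three are applied; a sentence in the RH header saying the two follow-ups are required would stop a bisecting reader from treating this state as final. The XSAVES comment copied from the Skylake entry still says "the only one defined in Skylake (processor tracing)" inside the Cascadelake definition; suggest "the only one defined in Skylake/Cascadelake (processor tracing)". The entry advertises `CPUID_7_0_EDX_SPEC_CTRL_SSBD`, and the commit note states that the MSR-enumerated mitigation capabilities (RDCL_NO, IBRS_ALL, RSBA, SKIP_L1DFL_VMENTRY, SSB_NO) are deliberately deferred, which is consistent with what the hunk shows. The enclosing `builtin_x86_defs[]` array starts and ends outside the hunk.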
@@ -0,0 +1,76 @@
+From a746ca268865ce21cf72710577e1fc3f69ce9506 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Fri, 4 Oct 2019 19:57:13 +0200
+Subject: [PATCH 3/4] i386: Disable OSPKE on Cascadelake-Server
+
+RH-Author: Eduardo Habkost
+Message-id: <20191004195714.10176-3-ehabkost@redhat.com>
+Patchwork-id: 90962
+O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 2/3] i386: Disable OSPKE on Cascadelake-Server
+Bugzilla: 1638472
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: Igor Mammedov
+
+This is a partial cherry pick of upstream commit:
+
+commit bb4928c7cafe50ab2137a0034e350ef1bfa044d9
+Author: Eduardo Habkost
+Date: Tue Mar 19 17:05:15 2019 -0300
+
+ i386: Disable OSPKE on CPU model definitions
+
+ Currently, the Cascadelake-Server, Icelake-Client, and
+ Icelake-Server are always generating the following warning:
+
+ qemu-system-x86_64: warning: \
+ host doesn't support requested feature: CPUID.07H:ECX [bit 4]
+
+ This happens because OSPKE was never returned by
+ GET_SUPPORTED_CPUID or x86_cpu_get_supported_feature_word().
+ OSPKE is a runtime flag automatically set by the KVM module or by
+ TCG code, was always cleared by x86_cpu_filter_features(), and
+ was not supposed to appear on the CPU model table.
+
+ Remove the OSPKE flag from the CPU model table entries, to avoid
+ the bogus warning and avoid returning invalid feature data on
+ query-cpu-* QMP commands. As OSPKE was always cleared by
+ x86_cpu_filter_features(), this won't have any guest-visible
+ impact.
+
+ Include a test case that should detect the problem if we introduce
+ a similar bug again.
+
+ Fixes: c7a88b52f62b ("i386: Add new model of Cascadelake-Server")
+ Fixes: 8a11c62da914 ("i386: Add new CPU model Icelake-{Server,Client}")
+ Cc: Tao Xu
+ Cc: Robert Hoo
+ Signed-off-by: Eduardo Habkost
+ Message-Id: <20190319200515.14999-1-ehabkost@redhat.com>
+ 
Signed-off-by: Eduardo Habkost
+
+It includes only the Cascadelake-Server change, because Icelake*
+is not present in the RHEL7 tree.
+
+Signed-off-by: Eduardo Habkost
+Signed-off-by: Miroslav Rezanina
+---
+ target/i386/cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 2b85193..b377564 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -2518,7 +2518,7 @@ static X86CPUDefinition builtin_x86_defs[] = {
+ CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT |
+ CPUID_7_0_EBX_INTEL_PT,
+ .features[FEAT_7_0_ECX] =
+- CPUID_7_0_ECX_PKU | CPUID_7_0_ECX_OSPKE |
++ CPUID_7_0_ECX_PKU |
+ CPUID_7_0_ECX_AVX512VNNI,
+ .features[FEAT_7_0_EDX] =
+ CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_SPEC_CTRL_SSBD,
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch b/SOURCES/kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch
new file mode 100644
index 0000000..f87afbd
--- /dev/null
+++ b/SOURCES/kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch
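Review bot: The upstream message quoted in the hunk says a test case is included so the bug is caught if it recurs, but the diffstat (`target/i386/cpu.c | 2 +-`, `1 file changed`) shows that only the table change was backported, so the regression check does not reach this tree; the backport note explains the Icelake omission but not the dropped test, and one sentence on that would help. The one-line change itself (`CPUID_7_0_ECX_PKU |` replacing `CPUID_7_0_ECX_PKU | CPUID_7_0_ECX_OSPKE |`) matches the upstream intent, and as the message explains OSPKE was always cleared by x86_cpu_filter_features(), so no guest-visible CPUID change is expected. The `builtin_x86_defs[]` array is cut on both sides of the hunk.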
@@ -0,0 +1,59 @@
+From e106165de465520a2bd1153dd41fe409e0157a77 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Fri, 4 Oct 2019 19:57:14 +0200
+Subject: [PATCH 4/4] i386: remove the 'INTEL_PT' CPUID bit from
+ Cascadelake-Server
+
+RH-Author: Eduardo Habkost
+Message-id: <20191004195714.10176-4-ehabkost@redhat.com>
+Patchwork-id: 90961
+O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 3/3] i386: remove the 'INTEL_PT' CPUID bit from Cascadelake-Server
+Bugzilla: 1638472
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: Igor Mammedov
+
+From: Paolo Bonzini
+
+This is a partial cherry pick of upstream commit:
+
+commit 4c257911dcc7c4189768e9651755c849ce9db4e8
+Author: Paolo Bonzini
+Date: Fri Dec 21 12:35:56 2018 +0100
+
+ i386: remove the 'INTEL_PT' CPUID bit from named CPU models
+
+ Processor tracing is not yet implemented for KVM and it will be an
+ opt in feature requiring a special module parameter.
+ Disable it, because it is wrong to enable it by default and
+ it is impossible that no one has ever used it.
+
+ Cc: qemu-stable@nongnu.org
+ Signed-off-by: Paolo Bonzini
+
+It includes only the Cascadelake-Server change, because the other
+CPU models are not present in the RHEL7 tree.
+
+Signed-off-by: Eduardo Habkost
+Signed-off-by: Miroslav Rezanina
+---
+ target/i386/cpu.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index b377564..6a1d59c 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -2515,8 +2515,7 @@ static X86CPUDefinition builtin_x86_defs[] = {
+ CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_MPX | CPUID_7_0_EBX_CLWB |
+ CPUID_7_0_EBX_AVX512F | CPUID_7_0_EBX_AVX512DQ |
+ CPUID_7_0_EBX_AVX512BW | CPUID_7_0_EBX_AVX512CD |
+- CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT |
+- CPUID_7_0_EBX_INTEL_PT,
++ CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT,
+ .features[FEAT_7_0_ECX] =
+ CPUID_7_0_ECX_PKU |
+ CPUID_7_0_ECX_AVX512VNNI,
+--
+1.8.3.1
+
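Review bot: Dropping `CPUID_7_0_EBX_INTEL_PT` changes the guest-visible CPUID of a named model, which would normally call for a machine-type compat property so a guest migrated from a build that still exposed the bit keeps the same feature set; here Cascadelake-Server is introduced by an earlier patch in the same import, so no build ever shipped it with INTEL_PT, but the backport note only says the other models are absent and does not state that no compat entry is needed. Suggest adding `No compat property is required: Cascadelake-Server is new in this build.` to the note so the omission reads as deliberate. The `builtin_x86_defs[]` array is cut on both sides of the hunk.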
diff --git a/SOURCES/kvm-iscsi-Avoid-potential-for-get_status-overflow.patch b/SOURCES/kvm-iscsi-Avoid-potential-for-get_status-overflow.patch
new file mode 100644
index 0000000..cbde759
--- /dev/null
+++ b/SOURCES/kvm-iscsi-Avoid-potential-for-get_status-overflow.patch
@@ -0,0 +1,61 @@
+From 5d61b8b267cb1d529681fd88a4538c8eee408812 Mon Sep 17 00:00:00 2001
+From: jmaloy
+Date: Wed, 29 Jan 2020 18:47:14 +0100
+Subject: [PATCH 1/2] iscsi: Avoid potential for get_status overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: jmaloy
+Message-id: <20200129184715.18876-2-jmaloy@redhat.com>
+Patchwork-id: 93577
+O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 1/2] iscsi: Avoid potential for get_status overflow
+Bugzilla: 1794499 1794505
+RH-Acked-by: Kevin Wolf
+RH-Acked-by: Eduardo Habkost
+RH-Acked-by: Philippe Mathieu-Daudé
+
+From: Eric Blake
+
+Detected by Coverity: Multiplying two 32-bit int and assigning
+the result to a 64-bit number is a risk of overflow. Prior to
+the conversion to byte-based interfaces, the block layer took
+care of ensuring that a status request never exceeded 2G in
+the driver; but after that conversion, the block layer expects
+drivers to deal with any size request (the driver can always
+truncate the request size back down, as long as it makes
+progress). So, in the off-chance that someone makes a large
+request, we are at the mercy of whether iscsi_get_lba_status_task()
+will cap things to at most INT_MAX / iscsilun->block_size when
+it populates lbasd->num_blocks; since I could not easily audit
+that, it's better to be safe than sorry by just forcing a 64-bit
+multiply.
+
+Fixes: 92809c36
+CC: qemu-stable@nongnu.org
+Signed-off-by: Eric Blake
+Message-Id: <20180508212718.1482663-1-eblake@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé
+(cherry picked from commit 8ee1cef4593a7bda076891470c0620e79333c0d0)
+Signed-off-by: Jon Maloy
+Signed-off-by: Miroslav Rezanina
+---
+ block/iscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index c412b12..336ce49 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -734,7 +734,7 @@ retry:
+ goto out_unlock;
+ }
+
+- *pnum = lbasd->num_blocks * iscsilun->block_size;
++ *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
+
+ if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+ lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch b/SOURCES/kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
new file mode 100644
index 0000000..0dd2ae8
--- /dev/null
+++ b/SOURCES/kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch
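Review bot: The `(int64_t)` cast stops the 32-bit multiply from overflowing, but `*pnum` is still whatever block count the target returned in `lbasd->num_blocks`, and nothing in this hunk checks it against the size of the LUN; the next patch in this import (`kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch`) adds that bound, so the two must stay adjacent in the spec's patch order and the RH header could say so. The commit message's own wording ("since I could not easily audit that") makes clear the cast is a hardening step, not a validation of the value. The enclosing iscsi_co_block_status begins before the hunk (the context opens at the `retry:` label) and ends after it.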
@@ -0,0 +1,79 @@
+From 899dabfb59004f7d69d244f836c250590c3574cd Mon Sep 17 00:00:00 2001
+From: jmaloy
+Date: Wed, 29 Jan 2020 18:47:15 +0100
+Subject: [PATCH 2/2] iscsi: Cap block count from GET LBA STATUS
+ (CVE-2020-1711)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: jmaloy
+Message-id: <20200129184715.18876-3-jmaloy@redhat.com>
+Patchwork-id: 93576
+O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 2/2] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+Bugzilla: 1794499 1794505
+RH-Acked-by: Kevin Wolf
+RH-Acked-by: Eduardo Habkost
+RH-Acked-by: Philippe Mathieu-Daudé
+
+From: Felipe Franciosi
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi
+Signed-off-by: Peter Turschmid
+Signed-off-by: Raphael Norwitz
+Signed-off-by: Kevin Wolf
+(cherry picked from commit 693fd2acdf14dd86c0bf852610f1c2cca80a74dc)
+Signed-off-by: Jon Maloy
+Signed-off-by: Miroslav Rezanina
+---
+ block/iscsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 336ce49..8ec97ab 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -671,7 +671,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ struct scsi_get_lba_status *lbas = NULL;
+ struct scsi_lba_status_descriptor *lbasd = NULL;
+ struct IscsiTask iTask;
+- uint64_t lba;
++ uint64_t lba, max_bytes;
+ int ret;
+
+ iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -691,6 +691,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ }
+
+ lba = offset / iscsilun->block_size;
++ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+
+ qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -734,7 +735,7 @@ retry:
+ goto out_unlock;
+ }
+
+- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+
+ if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+ lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-mc146818rtc-fix-timer-interrupt-reinjection-again.patch b/SOURCES/kvm-mc146818rtc-fix-timer-interrupt-reinjection-again.patch
new file mode 100644
index 0000000..438b7c3
--- /dev/null
+++ b/SOURCES/kvm-mc146818rtc-fix-timer-interrupt-reinjection-again.patch
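Review bot: The new line `max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;` is only a valid cap when `lba < iscsilun->num_blocks`; with `lba` declared `uint64_t`, an offset at or past the end of the LUN would wrap the subtraction and the `MIN()` further down would then bound nothing. The block layer presumably guarantees that `offset` lies inside the device before the driver's block_status callback runs, so a cheap `assert(lba < iscsilun->num_blocks);` next to the assignment would record the precondition at the exact spot the CVE fix depends on it. The capped `*pnum` is computed before the provisioning check that follows it, so the allocmap update described in the message is bounded as intended; the remainder of iscsi_co_block_status, including the allocmap calls themselves, lies outside the hunk.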
@@ -0,0 +1,133 @@
+From 224a226b03d2c0503915bd1c1139b37b56afd62d Mon Sep 17 00:00:00 2001
+From: Marcelo Tosatti
+Date: Wed, 4 Dec 2019 15:21:09 +0100
+Subject: [PATCH 3/3] mc146818rtc: fix timer interrupt reinjection again
+
+RH-Author: Marcelo Tosatti
+Message-id: <20191204152436.823942711@amt.cnet>
+Patchwork-id: 92887
+O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 3/3] mc146818rtc: fix timer interrupt reinjection again
+Bugzilla: 1639098
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Vitaly Kuznetsov
+
+BZ: 1639098
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=24854309
+BRANCH: rhv7/master-2.12.0
+Upstream: 7a3e29b12f5afe0106a5713bb4db6e23dc66ef91
+of pbonzini's for-upstream tree.
+
+Commit 369b41359af46bded5799c9ef8be2b641d92e043 broke timer interrupt
+reinjection when there is no period change by the guest. In that
+case, old_period is 0, which ends up zeroing irq_coalesced (counter of
+reinjected interrupts).
+
+The consequence is Windows 7 is unable to synchronize time via NTP.
+Easily reproducible by playing a fullscreen video with cirrus and VNC.
+
+Fix by passing s->period when periodic_timer_update is called due to
+expiration of the timer. With this change, old_period == 0 only
+means that the periodic timer was off.
+
+Reported-by: Marcelo Tosatti
+Co-developed-by: Marcelo Tosatti
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Miroslav Rezanina
+---
+ hw/timer/mc146818rtc.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/hw/timer/mc146818rtc.c b/hw/timer/mc146818rtc.c
+index d848911..7459040 100644
+--- a/hw/timer/mc146818rtc.c
++++ b/hw/timer/mc146818rtc.c
+@@ -190,12 +190,14 @@ static uint32_t rtc_periodic_clock_ticks(RTCState *s)
+ * is just due to period adjustment.
+ */
+ static void
+-periodic_timer_update(RTCState *s, int64_t current_time, uint32_t old_period)
++periodic_timer_update(RTCState *s, int64_t current_time, uint32_t old_period, bool period_change)
+ {
+ uint32_t period;
+ int64_t cur_clock, next_irq_clock, lost_clock = 0;
+
+ period = rtc_periodic_clock_ticks(s);
++ s->period = period;
++
+ if (!period) {
+ s->irq_coalesced = 0;
+ timer_del(s->periodic_timer);
+@@ -210,7 +212,7 @@ periodic_timer_update(RTCState *s, int64_t current_time, uint32_t old_period)
+ * if the periodic timer's update is due to period re-configuration,
+ * we should count the clock since last interrupt.
+ */
+- if (old_period) {
++ if (old_period && period_change) {
+ int64_t last_periodic_clock, next_periodic_clock;
+
+ next_periodic_clock = muldiv64(s->next_periodic_time,
+@@ -237,7 +239,6 @@ periodic_timer_update(RTCState *s, int64_t current_time, uint32_t old_period)
+ if (s->lost_tick_policy == LOST_TICK_POLICY_SLEW) {
+ uint32_t old_irq_coalesced = s->irq_coalesced;
+
+- s->period = period;
+ lost_clock += old_irq_coalesced * old_period;
+ s->irq_coalesced = lost_clock / s->period;
+ lost_clock %= s->period;
+@@ -267,7 +268,7 @@ static void rtc_periodic_timer(void *opaque)
+ {
+ RTCState *s = opaque;
+
+- periodic_timer_update(s, s->next_periodic_time, 0);
++ periodic_timer_update(s, s->next_periodic_time, s->period, false);
+ s->cmos_data[RTC_REG_C] |= REG_C_PF;
+ if (s->cmos_data[RTC_REG_B] & REG_B_PIE) {
+ s->cmos_data[RTC_REG_C] |= REG_C_IRQF;
+@@ -533,7 +534,7 @@ static void cmos_ioport_write(void *opaque, hwaddr addr,
+
+ if (update_periodic_timer) {
+ periodic_timer_update(s, qemu_clock_get_ns(rtc_clock),
+- old_period);
++ old_period, true);
+ }
+
+ check_update_timer(s);
+@@ -572,7 +573,7 @@ static void cmos_ioport_write(void *opaque, hwaddr addr,
+
+ if (update_periodic_timer) {
+ periodic_timer_update(s, qemu_clock_get_ns(rtc_clock),
+- old_period);
++ old_period, true);
+ }
+
+ check_update_timer(s);
+@@ -816,6 +817,7 @@
static int rtc_post_load(void *opaque, int version_id) + s->offset = 0; + check_update_timer(s); + } ++ s->period = rtc_periodic_clock_ticks(s); + + /* The periodic timer is deterministic in record/replay mode, + * so there is no need to update it after loading the vmstate. +@@ -825,7 +827,7 @@ static int rtc_post_load(void *opaque, int version_id) + uint64_t now = qemu_clock_get_ns(rtc_clock); + if (now < s->next_periodic_time || + now > (s->next_periodic_time + get_max_clock_jump())) { +- periodic_timer_update(s, qemu_clock_get_ns(rtc_clock), 0); ++ periodic_timer_update(s, qemu_clock_get_ns(rtc_clock), s->period, false); + } + } + +@@ -893,7 +895,7 @@ static void rtc_notify_clock_reset(Notifier *notifier, void *data) + int64_t now = *(int64_t *)data; + + rtc_set_date_from_host(ISA_DEVICE(s)); +- periodic_timer_update(s, now, 0); ++ periodic_timer_update(s, now, s->period, false); + check_update_timer(s); + + if (s->lost_tick_policy == LOST_TICK_POLICY_SLEW) { +-- +1.8.3.1 + diff --git a/SOURCES/kvm-mc146818rtc-fix-timer-interrupt-reinjection.patch b/SOURCES/kvm-mc146818rtc-fix-timer-interrupt-reinjection.patch new file mode 100644 index 0000000..bcbd958 --- /dev/null +++ b/SOURCES/kvm-mc146818rtc-fix-timer-interrupt-reinjection.patch 
@@ -0,0 +1,123 @@ +From ae11a1ea30f43abebd96a22988619eb9f52e6a4e Mon Sep 17 00:00:00 2001 +From: Marcelo Tosatti +Date: Wed, 4 Dec 2019 15:21:07 +0100 +Subject: [PATCH 1/3] mc146818rtc: fix timer interrupt reinjection + +RH-Author: Marcelo Tosatti +Message-id: <20191204152436.680299856@amt.cnet> +Patchwork-id: 92889 +O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 1/3] mc146818rtc: fix timer interrupt reinjection +Bugzilla: 1639098 +RH-Acked-by: Laszlo Ersek +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Vitaly Kuznetsov + +BZ: 1639098 +Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=24854309 +BRANCH: rhv7/master-2.12.0 +Upstream: b429de730174b388ea5760e3debb0d542ea3c261 +of pbonzini's for-upstream tree. + +commit 369b41359af46bded5799c9ef8be2b641d92e043 broke timer interrupt +reinjection when there is no period change by the guest. + +In that case, old_period is 0, which ends up zeroing irq_coalesced +(counter of reinjected interrupts). + +The consequence is Windows 7 is unable to synchronize time via NTP. +Easily reproducible by playing a fullscreen video with cirrus and VNC. + +Fix by not updating s->irq_coalesced when old_period is 0. 
+ +V2: reorganize code (Paolo Bonzini) + +Signed-off-by: Marcelo Tosatti +Message-Id: <20191010123008.GA19158@amt.cnet> +Signed-off-by: Paolo Bonzini +Signed-off-by: Miroslav Rezanina +--- + hw/timer/mc146818rtc.c | 53 +++++++++++++++++++++++++------------------------- + 1 file changed, 27 insertions(+), 26 deletions(-) + +diff --git a/hw/timer/mc146818rtc.c b/hw/timer/mc146818rtc.c +index 68c353f..296d974 100644 +--- a/hw/timer/mc146818rtc.c ++++ b/hw/timer/mc146818rtc.c +@@ -197,24 +197,28 @@ periodic_timer_update(RTCState *s, int64_t current_time, uint32_t old_period) + + period = rtc_periodic_clock_ticks(s); + +- if (period) { +- /* compute 32 khz clock */ +- cur_clock = +- muldiv64(current_time, RTC_CLOCK_RATE, NANOSECONDS_PER_SECOND); ++ if (!period) { ++ s->irq_coalesced = 0; ++ timer_del(s->periodic_timer); ++ return; ++ } + +- /* +- * if the periodic timer's update is due to period re-configuration, +- * we should count the clock since last interrupt. +- */ +- if (old_period) { +- int64_t last_periodic_clock, next_periodic_clock; +- +- next_periodic_clock = muldiv64(s->next_periodic_time, +- RTC_CLOCK_RATE, NANOSECONDS_PER_SECOND); +- last_periodic_clock = next_periodic_clock - old_period; +- lost_clock = cur_clock - last_periodic_clock; +- assert(lost_clock >= 0); +- } ++ /* compute 32 khz clock */ ++ cur_clock = ++ muldiv64(current_time, RTC_CLOCK_RATE, NANOSECONDS_PER_SECOND); ++ ++ /* ++ * if the periodic timer's update is due to period re-configuration, ++ * we should count the clock since last interrupt. 
++ */ ++ if (old_period) { ++ int64_t last_periodic_clock, next_periodic_clock; ++ ++ next_periodic_clock = muldiv64(s->next_periodic_time, ++ RTC_CLOCK_RATE, NANOSECONDS_PER_SECOND); ++ last_periodic_clock = next_periodic_clock - old_period; ++ lost_clock = cur_clock - last_periodic_clock; ++ assert(lost_clock >= 0); + + /* + * s->irq_coalesced can change for two reasons: +@@ -245,22 +249,19 @@ periodic_timer_update(RTCState *s, int64_t current_time, uint32_t old_period) + rtc_coalesced_timer_update(s); + } + } else { +- /* ++ /* + * no way to compensate the interrupt if LOST_TICK_POLICY_SLEW + * is not used, we should make the time progress anyway. + */ + lost_clock = MIN(lost_clock, period); + } ++ } + +- assert(lost_clock >= 0 && lost_clock <= period); ++ assert(lost_clock >= 0 && lost_clock <= period); + +- next_irq_clock = cur_clock + period - lost_clock; +- s->next_periodic_time = periodic_clock_to_ns(next_irq_clock) + 1; +- timer_mod(s->periodic_timer, s->next_periodic_time); +- } else { +- s->irq_coalesced = 0; +- timer_del(s->periodic_timer); +- } ++ next_irq_clock = cur_clock + period - lost_clock; ++ s->next_periodic_time = periodic_clock_to_ns(next_irq_clock) + 1; ++ timer_mod(s->periodic_timer, s->next_periodic_time); + } + + static void rtc_periodic_timer(void *opaque) +-- +1.8.3.1 + diff --git a/SOURCES/kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch b/SOURCES/kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch new file mode 100644 index 0000000..10796ca --- /dev/null +++ b/SOURCES/kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch 
@@ -0,0 +1,77 @@ +From 72b8c0856ace652a57145ea58b0bec9d67d23851 Mon Sep 17 00:00:00 2001 +From: Eduardo Otubo +Date: Tue, 7 Apr 2020 07:03:37 +0200 +Subject: [PATCH] seccomp: set the seccomp filter to all threads +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Eduardo Otubo +Message-id: <20200305125537.4031-1-otubo@redhat.com> +Patchwork-id: 94159 +O-Subject: [RHEL-7.9 qemu-kvm-rhev PATCH] seccomp: set the seccomp filter to all threads +Bugzilla: 1618504 1622976 +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Mohammed Gamal + +BZ: 1618504 +BRANCH: rhv78/master +BREW: 27052907 + +commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114 +Author: Marc-André Lureau +Date: Wed Aug 22 19:02:50 2018 +0200 + + When using "-seccomp on", the seccomp policy is only applied to the + main thread, the vcpu worker thread and other worker threads created + after seccomp policy is applied; the seccomp policy is not applied to + e.g. the RCU thread because it is created before the seccomp policy is + applied and SECCOMP_FILTER_FLAG_TSYNC isn't used. + + This can be verified with + for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done + Seccomp: 2 + Seccomp: 0 + Seccomp: 0 + Seccomp: 2 + Seccomp: 2 + Seccomp: 2 + + Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use + seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy + on all threads. + + libseccomp requirement was bumped to 2.2.0 in previous patch. + libseccomp should fail to set the filter if it can't honour + SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on + kernel < 3.17. + + 
Signed-off-by: Marc-André Lureau + Acked-by: Eduardo Otubo + +Signed-off-by: Eduardo Otubo +Signed-off-by: Miroslav Rezanina +--- + qemu-seccomp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/qemu-seccomp.c b/qemu-seccomp.c +index b770a77..a5455af 100644 +--- a/qemu-seccomp.c ++++ b/qemu-seccomp.c +@@ -108,6 +108,11 @@ int seccomp_start(uint32_t seccomp_opts) + goto seccomp_return; + } + ++ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); ++ if (rc != 0) { ++ goto seccomp_return; ++ } ++ + for (i = 0; i < ARRAY_SIZE(blacklist); i++) { + if (!(seccomp_opts & blacklist[i].set)) { + continue; +-- +1.8.3.1 + diff --git a/SOURCES/kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch b/SOURCES/kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch new file mode 100644 index 0000000..9107ed4 --- /dev/null +++ b/SOURCES/kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch 
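Review bot: The new `rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);` in seccomp_start has no comment, although the requirement it encodes (kernel >= 3.17 and libseccomp >= 2.2.0, filter applied to every existing thread rather than only the caller) lives only in the commit message and will be lost once the patch is applied. Suggest `/* Apply the filter to all existing threads, not just the calling one; needs kernel >= 3.17 and libseccomp >= 2.2.0, otherwise -sandbox fails here. */` above the call. The failure path is `goto seccomp_return` with rc non-zero, so if seccomp_return only releases the context and returns rc (it is outside the hunk), an operator on an older kernel sees a generic sandbox failure with no hint that TSYNC was the cause; an error message at this branch would make that diagnosable. seccomp_start's body starts and ends outside the hunk.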
@@ -0,0 +1,71 @@ +From 2cca40617df140d2907a47fb58d15487cbf2af59 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Jan 2020 11:49:41 +0100 +Subject: [PATCH 2/3] slirp: use correct size while emulating IRC commands +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +Message-id: <20200117114942.12236-3-philmd@redhat.com> +Patchwork-id: 93392 +O-Subject: [RHEL-7.7.z qemu-kvm-rhev + RHEL-7.8 qemu-kvm-rhev + RHEL-7.9 qemu-kvm-rhev + RHEL-8.1.0 qemu-kvm + RHEL-8.2.0 qemu-kvm + RHEL-7.7.z qemu-kvm-ma + RHEL-7.8 qemu-kvm-ma + RHEL-7.9 qemu-kvm-ma PATCH 2/3] slirp: use correct size while emulating IRC commands +Bugzilla: 1791563 1791570 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Thomas Huth + +From: Prasad J Pandit + +While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size +'m->m_size' to write DCC commands via snprintf(3). This may +lead to OOB write access, because 'bptr' points somewhere in +the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m) +size to avoid OOB access. 
+ +Reported-by: Vishnu Dev TJ +Signed-off-by: Prasad J Pandit +Reviewed-by: Samuel Thibault +Message-Id: <20200109094228.79764-2-ppandit@redhat.com> +(cherry picked from libslirp commit ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9) +Signed-off-by: Philippe Mathieu-Daudé + +Signed-off-by: Miroslav Rezanina +--- + slirp/tcp_subr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index decfd9b..b60310d 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -783,7 +783,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "DCC CHAT chat %lu %u%c\n", + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), 1); +@@ -794,7 +794,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "DCC SEND %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); +@@ -805,7 +805,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "DCC MOVE %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); +-- +1.8.3.1 + diff --git a/SOURCES/kvm-slirp-use-correct-size-while-emulating-commands.patch b/SOURCES/kvm-slirp-use-correct-size-while-emulating-commands.patch new file mode 100644 index 0000000..979210b --- /dev/null +++ b/SOURCES/kvm-slirp-use-correct-size-while-emulating-commands.patch 
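Review bot: `m->m_len += snprintf(bptr, M_FREEROOM(m), ...)` now bounds the write, but it still adds snprintf's return value, which is the length the full string would have had, so on truncation m_len advances past the bytes actually stored and later consumers of the mbuf read past the written data. The same pattern remains in the other two hunks of this file and in the four hunks of the following patch, kvm-slirp-use-correct-size-while-emulating-commands.patch, including the `M_ROOM(m)` case. Suggest storing the return value in a local and, when it is negative or not smaller than the room passed in, treating the emulation as failed (the way the preceding `return 1;` branches do) instead of advancing m_len. tcp_emu's body starts and ends outside the hunks.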
@@ -0,0 +1,70 @@ +From 6d692d3045b7102db2a64ea95d040b1fa6277433 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Jan 2020 11:49:42 +0100 +Subject: [PATCH 3/3] slirp: use correct size while emulating commands +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +Message-id: <20200117114942.12236-4-philmd@redhat.com> +Patchwork-id: 93391 +O-Subject: [RHEL-7.7.z qemu-kvm-rhev + RHEL-7.8 qemu-kvm-rhev + RHEL-7.9 qemu-kvm-rhev + RHEL-8.1.0 qemu-kvm + RHEL-8.2.0 qemu-kvm + RHEL-7.7.z qemu-kvm-ma + RHEL-7.8 qemu-kvm-ma + RHEL-7.9 qemu-kvm-ma PATCH 3/3] slirp: use correct size while emulating commands +Bugzilla: 1791563 1791570 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Thomas Huth + +From: Prasad J Pandit + +While emulating services in tcp_emu(), it uses 'mbuf' size +'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m) +size to avoid possible OOB access. 
+ +Signed-off-by: Prasad J Pandit +Signed-off-by: Samuel Thibault +Message-Id: <20200109094228.79764-3-ppandit@redhat.com> +(cherry picked from libslirp commit 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80) +Signed-off-by: Philippe Mathieu-Daudé + +Signed-off-by: Miroslav Rezanina +--- + slirp/tcp_subr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index b60310d..b95ba23 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -703,7 +703,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "ORT %d,%d,%d,%d,%d,%d\r\n%s", + n1, n2, n3, n4, n5, n6, x==7?buff:""); + return 1; +@@ -736,7 +736,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", + n1, n2, n3, n4, n5, n6, x==7?buff:""); + +@@ -762,8 +762,8 @@ tcp_emu(struct socket *so, struct mbuf *m) + if (m->m_data[m->m_len-1] == '\0' && lport != 0 && + (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, + htons(lport), SS_FACCEPTONCE)) != NULL) +- m->m_len = snprintf(m->m_data, m->m_size, "%d", +- ntohs(so->so_fport)) + 1; ++ m->m_len = snprintf(m->m_data, M_ROOM(m), ++ "%d", ntohs(so->so_fport)) + 1; + return 1; + + case EMU_IRC: +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-Export-TAA_NO-bit-to-guests.patch b/SOURCES/kvm-target-i386-Export-TAA_NO-bit-to-guests.patch new file mode 100644 index 0000000..aac0dc0 --- /dev/null +++ b/SOURCES/kvm-target-i386-Export-TAA_NO-bit-to-guests.patch 
@@ -0,0 +1,48 @@
+From 7aa728ae021e3b29fb5903ae0ff894a5bd40bbdc Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Tue, 17 Dec 2019 22:23:41 +0100
+Subject: [PATCH 1/2] target/i386: Export TAA_NO bit to guests
+
+RH-Author: Eduardo Habkost
+Message-id: <20191217222342.1939034-2-ehabkost@redhat.com>
+Patchwork-id: 93164
+O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 1/2] target/i386: Export TAA_NO bit to guests
+Bugzilla: 1779530
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: Igor Mammedov
+RH-Acked-by: Miroslav Rezanina
+
+From: Pawan Gupta
+
+TSX Async Abort (TAA) is a side channel attack on internal buffers in
+some Intel processors similar to Microachitectural Data Sampling (MDS).
+
+Some future Intel processors will use the ARCH_CAP_TAA_NO bit in the
+IA32_ARCH_CAPABILITIES MSR to report that they are not vulnerable to
+TAA. Make this bit available to guests.
+
+Signed-off-by: Pawan Gupta
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit 7fac38635e1cc5ebae34eb6530da1009bd5808e4)
+Signed-off-by: Eduardo Habkost
+Signed-off-by: Miroslav Rezanina
+---
+ target/i386/cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 6a1d59c..8d03d0e 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -1148,7 +1148,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ .feat_names = {
+ "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
+ "ssb-no", "mds-no", NULL, NULL,
+- NULL, NULL, NULL, NULL,
++ "taa-no", NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-add-a-ucode-rev-property.patch b/SOURCES/kvm-target-i386-add-a-ucode-rev-property.patch
new file mode 100644
index 0000000..6a4cbd1
--- /dev/null
+++ b/SOURCES/kvm-target-i386-add-a-ucode-rev-property.patch
@@ -0,0 +1,129 @@ +From ce999ee40575a2d6ebd862697af96169c8bfcb5f Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 17 Feb 2020 16:23:19 -0500 +Subject: [PATCH 04/12] target/i386: add a ucode-rev property + +RH-Author: Paolo Bonzini +Message-id: <20200217162323.2572-3-pbonzini@redhat.com> +Patchwork-id: 93901 +O-Subject: [RHEL7.9 qemu-kvm-rhev PATCH 2/6] target/i386: add a ucode-rev property +Bugzilla: 1791653 +RH-Acked-by: Maxim Levitsky +RH-Acked-by: Eduardo Habkost +RH-Acked-by: Dr. David Alan Gilbert + +Add the property and plumb it in TCG and HVF (the latter of which +tried to support returning a constant value but used the wrong MSR). + +Signed-off-by: Paolo Bonzini +Message-Id: <1579544504-3616-3-git-send-email-pbonzini@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 4e45aff398cd1542c2a384a2a3b8600f23337d86) + +[RHEL7: replace env_archcpu with x86_env_get_cpu] + +Signed-off-by: Jon Maloy +--- + target/i386/cpu.c | 10 ++++++++++ + target/i386/cpu.h | 4 ++++ + target/i386/hvf/x86_emu.c | 4 +--- + target/i386/misc_helper.c | 4 ++++ + 4 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 4d87879328..ad905d6f8c 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -4943,6 +4943,15 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp) + goto out; + } + ++ if (cpu->ucode_rev == 0) { ++ /* The default is the same as KVM's. 
*/ ++ if (IS_AMD_CPU(env)) { ++ cpu->ucode_rev = 0x01000065; ++ } else { ++ cpu->ucode_rev = 0x100000000ULL; ++ } ++ } ++ + if (cpu->apic_id == UNASSIGNED_APIC_ID) { + error_setg(errp, "apic-id property was not initialized properly"); + return; +@@ -5553,6 +5562,7 @@ static Property x86_cpu_properties[] = { + DEFINE_PROP_UINT32("min-level", X86CPU, env.cpuid_min_level, 0), + DEFINE_PROP_UINT32("min-xlevel", X86CPU, env.cpuid_min_xlevel, 0), + DEFINE_PROP_UINT32("min-xlevel2", X86CPU, env.cpuid_min_xlevel2, 0), ++ DEFINE_PROP_UINT64("ucode-rev", X86CPU, ucode_rev, 0), + DEFINE_PROP_BOOL("full-cpuid-auto-level", X86CPU, full_cpuid_auto_level, true), + DEFINE_PROP_STRING("hv-vendor-id", X86CPU, hyperv_vendor_id), + DEFINE_PROP_BOOL("cpuid-0xb", X86CPU, enable_cpuid_0xb, true), +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 65c4fda102..4f3fc8ed59 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -353,6 +353,8 @@ typedef enum X86Seg { + #define MSR_IA32_SPEC_CTRL 0x48 + #define MSR_VIRT_SSBD 0xc001011f + #define MSR_IA32_PRED_CMD 0x49 ++#define MSR_IA32_UCODE_REV 0x8b ++ + #define MSR_IA32_ARCH_CAPABILITIES 0x10a + #define ARCH_CAP_TSX_CTRL_MSR (1<<7) + +@@ -1370,6 +1372,8 @@ struct X86CPU { + + CPUX86State env; + ++ uint64_t ucode_rev; ++ + bool hyperv_vapic; + bool hyperv_relaxed_timing; + int hyperv_spinlock_attempts; +diff --git a/target/i386/hvf/x86_emu.c b/target/i386/hvf/x86_emu.c +index 3ea18edc68..e0986a9b5a 100644 +--- a/target/i386/hvf/x86_emu.c ++++ b/target/i386/hvf/x86_emu.c +@@ -658,8 +658,6 @@ static void exec_lods(struct CPUX86State *env, struct x86_decode *decode) + RIP(env) += decode->len; + } + +-#define MSR_IA32_UCODE_REV 0x00000017 +- + void simulate_rdmsr(struct CPUState *cpu) + { + X86CPU *x86_cpu = X86_CPU(cpu); +@@ -675,7 +673,7 @@ void simulate_rdmsr(struct CPUState *cpu) + val = cpu_get_apic_base(X86_CPU(cpu)->apic_state); + break; + case MSR_IA32_UCODE_REV: +- val = (0x100000000ULL << 32) | 0x100000000ULL; ++ val = 
x86_cpu->ucode_rev; + break; + case MSR_EFER: + val = rvmcs(cpu->hvf_fd, VMCS_GUEST_IA32_EFER); +diff --git a/target/i386/misc_helper.c b/target/i386/misc_helper.c +index 628f64aad5..f93e61f05d 100644 +--- a/target/i386/misc_helper.c ++++ b/target/i386/misc_helper.c +@@ -229,6 +229,7 @@ void helper_rdmsr(CPUX86State *env) + #else + void helper_wrmsr(CPUX86State *env) + { ++ X86CPU *x86_cpu = x86_env_get_cpu(env); + uint64_t val; + + cpu_svm_check_intercept_param(env, SVM_EXIT_MSR, 1, GETPC()); +@@ -371,6 +372,9 @@ void helper_wrmsr(CPUX86State *env) + env->msr_bndcfgs = val; + cpu_sync_bndcs_hflags(env); + break; ++ case MSR_IA32_UCODE_REV: ++ val = x86_cpu->ucode_rev; ++ break; + default: + if ((uint32_t)env->regs[R_ECX] >= MSR_MC0_CTL + && (uint32_t)env->regs[R_ECX] < MSR_MC0_CTL + +-- +2.18.2 + diff --git a/SOURCES/kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch b/SOURCES/kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch new file mode 100644 index 0000000..2d5c95e --- /dev/null +++ b/SOURCES/kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch 
@@ -0,0 +1,161 @@ +From d84d88a3036a0d5db9b19a1611158946cd362603 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Tue, 17 Dec 2019 22:23:42 +0100 +Subject: [PATCH 2/2] target/i386: add support for MSR_IA32_TSX_CTRL + +RH-Author: Eduardo Habkost +Message-id: <20191217222342.1939034-3-ehabkost@redhat.com> +Patchwork-id: 93165 +O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 2/2] target/i386: add support for MSR_IA32_TSX_CTRL +Bugzilla: 1779530 +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +From: Paolo Bonzini + +The MSR_IA32_TSX_CTRL MSR can be used to hide TSX (also known as the +Trusty Side-channel Extension). By virtualizing the MSR, KVM guests +can disable TSX and avoid paying the price of mitigating TSX-based +attacks on microarchitectural side channels. + +Reviewed-by: Eduardo Habkost +Signed-off-by: Paolo Bonzini +(cherry picked from commit 2a9758c51e2c2d13fc3845c3d603c11df98b8823) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target/i386/cpu.c | 2 +- + target/i386/cpu.h | 4 ++++ + target/i386/kvm.c | 13 +++++++++++++ + target/i386/machine.c | 20 ++++++++++++++++++++ + 4 files changed, 38 insertions(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 8d03d0e..4d87879 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -1147,7 +1147,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + .type = MSR_FEATURE_WORD, + .feat_names = { + "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry", +- "ssb-no", "mds-no", NULL, NULL, ++ "ssb-no", "mds-no", NULL, "tsx-ctrl", + "taa-no", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 095e695..65c4fda 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -354,6 +354,9 @@ typedef enum X86Seg { + #define MSR_VIRT_SSBD 0xc001011f + #define MSR_IA32_PRED_CMD 0x49 + #define MSR_IA32_ARCH_CAPABILITIES 0x10a ++#define 
ARCH_CAP_TSX_CTRL_MSR (1<<7) ++ ++#define MSR_IA32_TSX_CTRL 0x122 + #define MSR_IA32_TSCDEADLINE 0x6e0 + + #define FEATURE_CONTROL_LOCKED (1<<0) +@@ -1221,6 +1224,7 @@ typedef struct CPUX86State { + uint64_t msr_smi_count; + + uint32_t pkru; ++ uint32_t tsx_ctrl; + + uint64_t spec_ctrl; + uint64_t virt_ssbd; +diff --git a/target/i386/kvm.c b/target/i386/kvm.c +index 72901e1..a6e5a87 100644 +--- a/target/i386/kvm.c ++++ b/target/i386/kvm.c +@@ -92,6 +92,7 @@ static bool has_msr_hv_stimer; + static bool has_msr_hv_frequencies; + static bool has_msr_xss; + static bool has_msr_spec_ctrl; ++static bool has_msr_tsx_ctrl; + static bool has_msr_virt_ssbd; + static bool has_msr_smi_count; + static bool has_msr_arch_capabs; +@@ -1340,6 +1341,9 @@ static int kvm_get_supported_msrs(KVMState *s) + case MSR_IA32_SPEC_CTRL: + has_msr_spec_ctrl = true; + break; ++ case MSR_IA32_TSX_CTRL: ++ has_msr_tsx_ctrl = true; ++ break; + case MSR_VIRT_SSBD: + has_msr_virt_ssbd = true; + break; +@@ -1836,6 +1840,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level) + if (has_msr_spec_ctrl) { + kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, env->spec_ctrl); + } ++ if (has_msr_tsx_ctrl) { ++ kvm_msr_entry_add(cpu, MSR_IA32_TSX_CTRL, env->tsx_ctrl); ++ } + if (has_msr_virt_ssbd) { + kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, env->virt_ssbd); + } +@@ -2222,6 +2229,9 @@ static int kvm_get_msrs(X86CPU *cpu) + if (has_msr_spec_ctrl) { + kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, 0); + } ++ if (has_msr_tsx_ctrl) { ++ kvm_msr_entry_add(cpu, MSR_IA32_TSX_CTRL, 0); ++ } + if (has_msr_virt_ssbd) { + kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, 0); + } +@@ -2597,6 +2607,9 @@ static int kvm_get_msrs(X86CPU *cpu) + case MSR_IA32_SPEC_CTRL: + env->spec_ctrl = msrs[i].data; + break; ++ case MSR_IA32_TSX_CTRL: ++ env->tsx_ctrl = msrs[i].data; ++ break; + case MSR_VIRT_SSBD: + env->virt_ssbd = msrs[i].data; + break; +diff --git a/target/i386/machine.c b/target/i386/machine.c +index 52b1eae..6a2d761 100644 +--- 
a/target/i386/machine.c ++++ b/target/i386/machine.c +@@ -954,6 +954,25 @@ static const VMStateDescription vmstate_msr_virt_ssbd = { + } + }; + ++static bool msr_tsx_ctrl_needed(void *opaque) ++{ ++ X86CPU *cpu = opaque; ++ CPUX86State *env = &cpu->env; ++ ++ return env->features[FEAT_ARCH_CAPABILITIES] & ARCH_CAP_TSX_CTRL_MSR; ++} ++ ++static const VMStateDescription vmstate_msr_tsx_ctrl = { ++ .name = "cpu/msr_tsx_ctrl", ++ .version_id = 1, ++ .minimum_version_id = 1, ++ .needed = msr_tsx_ctrl_needed, ++ .fields = (VMStateField[]) { ++ VMSTATE_UINT32(env.tsx_ctrl, X86CPU), ++ VMSTATE_END_OF_LIST() ++ } ++}; ++ + VMStateDescription vmstate_x86_cpu = { + .name = "cpu", + .version_id = 12, +@@ -1079,6 +1098,7 @@ VMStateDescription vmstate_x86_cpu = { + &vmstate_msr_intel_pt, + &vmstate_xsave, + &vmstate_msr_virt_ssbd, ++ &vmstate_msr_tsx_ctrl, + NULL + } + }; +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-check-for-availability-of-MSR_IA32_UCODE.patch b/SOURCES/kvm-target-i386-check-for-availability-of-MSR_IA32_UCODE.patch new file mode 100644 index 0000000..5fbf1b3 --- /dev/null +++ b/SOURCES/kvm-target-i386-check-for-availability-of-MSR_IA32_UCODE.patch 
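Review bot: `env->tsx_ctrl = msrs[i].data;` in the kvm_get_msrs hunk narrows the MSR payload into the new `uint32_t tsx_ctrl` field without a comment, while the neighbouring `spec_ctrl` and `virt_ssbd` fields in cpu.h are `uint64_t`, so the different width reads as an oversight rather than a decision. If the intent is that only the low bits of MSR_IA32_TSX_CTRL are architecturally defined, record it at the declaration, e.g. `uint32_t tsx_ctrl; /* MSR_IA32_TSX_CTRL; only the low bits are defined, hence 32-bit */`. The new vmstate subsection serialises it with VMSTATE_UINT32, so widening the field later would need a version bump, which is a second reason to document the choice now. kvm_get_msrs and the X86CPU/CPUX86State definitions start and end outside the hunks.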
@@ -0,0 +1,72 @@ +From 2b1ca7468155b2bda5d81be114335e264767cc7a Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 17 Feb 2020 16:23:22 -0500 +Subject: [PATCH 07/12] target/i386: check for availability of + MSR_IA32_UCODE_REV as an emulated MSR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Paolo Bonzini +Message-id: <20200217162323.2572-6-pbonzini@redhat.com> +Patchwork-id: 93908 +O-Subject: [RHEL7.9 qemu-kvm-rhev PATCH 5/6] target/i386: check for availability of MSR_IA32_UCODE_REV as an emulated MSR +Bugzilla: 1791653 +RH-Acked-by: Maxim Levitsky +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Dr. David Alan Gilbert + +Even though MSR_IA32_UCODE_REV has been available long before Linux 5.6, +which added it to the emulated MSR list, a bug caused the microcode +version to revert to 0x100000000 on INIT. As a result, processors other +than the bootstrap processor would not see the host microcode revision; +some Windows version complain loudly about this and crash with a +fairly explicit MICROCODE REVISION MISMATCH error. + +[If running 5.6 prereleases, the kernel fix "KVM: x86: do not reset + microcode version on INIT or RESET" should also be applied.] 
+ +Reported-by: Alex Williamson +Message-id: <20200211175516.10716-1-pbonzini@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 6702514814c7e7b4cbf179624539b5f38c72740b) +Signed-off-by: Jon Maloy +--- + target/i386/kvm.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/target/i386/kvm.c b/target/i386/kvm.c +index 4d43fba716..22da78aee9 100644 +--- a/target/i386/kvm.c ++++ b/target/i386/kvm.c +@@ -98,6 +98,7 @@ static bool has_msr_tsx_ctrl; + static bool has_msr_virt_ssbd; + static bool has_msr_smi_count; + static bool has_msr_arch_capabs; ++static bool has_msr_ucode_rev; + + static uint32_t has_architectural_pmu_version; + static uint32_t num_architectural_pmu_gp_counters; +@@ -1354,6 +1355,9 @@ static int kvm_get_supported_msrs(KVMState *s) + case MSR_IA32_ARCH_CAPABILITIES: + has_msr_arch_capabs = true; + break; ++ case MSR_IA32_UCODE_REV: ++ has_msr_ucode_rev = true; ++ break; + } + } + } +@@ -1828,8 +1832,7 @@ static void kvm_init_msrs(X86CPU *cpu) + env->features[FEAT_ARCH_CAPABILITIES]); + } + +- if (kvm_arch_get_supported_msr_feature(kvm_state, +- MSR_IA32_UCODE_REV)) { ++ if (has_msr_ucode_rev) { + kvm_msr_entry_add(cpu, MSR_IA32_UCODE_REV, cpu->ucode_rev); + } + +-- +2.18.2 + diff --git a/SOURCES/kvm-target-i386-enable-monitor-and-ucode-revision-with-c.patch b/SOURCES/kvm-target-i386-enable-monitor-and-ucode-revision-with-c.patch new file mode 100644 index 0000000..12b6a18 --- /dev/null +++ b/SOURCES/kvm-target-i386-enable-monitor-and-ucode-revision-with-c.patch 
@@ -0,0 +1,49 @@
+From 6bd31dbbc477571124ea1ce9e64217c898f05f22 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Mon, 17 Feb 2020 16:23:23 -0500
+Subject: [PATCH 08/12] target/i386: enable monitor and ucode revision with
+ -cpu max
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Paolo Bonzini
+Message-id: <20200217162323.2572-7-pbonzini@redhat.com>
+Patchwork-id: 93905
+O-Subject: [RHEL7.9 qemu-kvm-rhev PATCH 6/6] target/i386: enable monitor and ucode revision with -cpu max
+Bugzilla: 1791653
+RH-Acked-by: Maxim Levitsky
+RH-Acked-by: Philippe Mathieu-Daudé
+RH-Acked-by: Dr. David Alan Gilbert
+
+These two features were incorrectly tied to host_cpuid_required rather than
+cpu->max_features. As a result, -cpu max was not enabling either MONITOR
+features or ucode revision.
+
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit be02cda3afde60d219786e23c3f8edb53aec8e17)
+
+[RHEL7: only affects microcode revision; plus, upstream uses g_autofree]
+
+Signed-off-by: Jon Maloy
+---
+ target/i386/cpu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 3579bd53c5..88af0f4348 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -4943,7 +4943,9 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+ g_free(name);
+ goto out;
+ }
++ }
++
++ if (cpu->max_features && accel_uses_host_cpuid()) {
+ if (kvm_enabled() && cpu->ucode_rev == 0) {
+ cpu->ucode_rev = kvm_arch_get_supported_msr_feature(kvm_state,
+ MSR_IA32_UCODE_REV);
+-- 
+2.18.2
+
diff --git a/SOURCES/kvm-target-i386-fix-TCG-UCODE_REV-access.patch b/SOURCES/kvm-target-i386-fix-TCG-UCODE_REV-access.patch
new file mode 100644
index 0000000..58e7536
--- /dev/null
+++ b/SOURCES/kvm-target-i386-fix-TCG-UCODE_REV-access.patch
@@ -0,0 +1,76 @@ +From 836c2251308bb9a3a8355e09c2d89c53526aa898 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 17 Feb 2020 16:23:21 -0500 +Subject: [PATCH 06/12] target/i386: fix TCG UCODE_REV access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Paolo Bonzini +Message-id: <20200217162323.2572-5-pbonzini@redhat.com> +Patchwork-id: 93906 +O-Subject: [RHEL7.9 qemu-kvm-rhev PATCH 4/6] target/i386: fix TCG UCODE_REV access +Bugzilla: 1791653 +RH-Acked-by: Maxim Levitsky +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Dr. David Alan Gilbert + +This was a very interesting semantic conflict that caused git to move +the MSR_IA32_UCODE_REV read to helper_wrmsr. Not a big deal, but +still should be fixed... + +Fixes: 4e45aff398 ("target/i386: add a ucode-rev property", 2020-01-24) +Message-id: <20200206171022.9289-1-pbonzini@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 9028c75c9d08be303ccc425bfe3d3b23d8f4cac7) + +[RHEL7: replace env_archcpu with x86_env_get_cpu] + +Signed-off-by: Jon Maloy +--- + target/i386/misc_helper.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/target/i386/misc_helper.c b/target/i386/misc_helper.c +index f93e61f05d..42daf36764 100644 +--- a/target/i386/misc_helper.c ++++ b/target/i386/misc_helper.c +@@ -229,7 +229,6 @@ void helper_rdmsr(CPUX86State *env) + #else + void helper_wrmsr(CPUX86State *env) + { +- X86CPU *x86_cpu = x86_env_get_cpu(env); + uint64_t val; + + cpu_svm_check_intercept_param(env, SVM_EXIT_MSR, 1, GETPC()); +@@ -372,9 +371,6 @@ void helper_wrmsr(CPUX86State *env) + env->msr_bndcfgs = val; + cpu_sync_bndcs_hflags(env); + break; +- case MSR_IA32_UCODE_REV: +- val = x86_cpu->ucode_rev; +- break; + default: + if ((uint32_t)env->regs[R_ECX] >= MSR_MC0_CTL + && (uint32_t)env->regs[R_ECX] < MSR_MC0_CTL + +@@ -393,6 +389,7 @@ void helper_wrmsr(CPUX86State *env) + + void helper_rdmsr(CPUX86State *env) + { ++ 
X86CPU *x86_cpu = x86_env_get_cpu(env); + uint64_t val; + + cpu_svm_check_intercept_param(env, SVM_EXIT_MSR, 0, GETPC()); +@@ -523,6 +520,9 @@ void helper_rdmsr(CPUX86State *env) + case MSR_IA32_BNDCFGS: + val = env->msr_bndcfgs; + break; ++ case MSR_IA32_UCODE_REV: ++ val = x86_cpu->ucode_rev; ++ break; + default: + if ((uint32_t)env->regs[R_ECX] >= MSR_MC0_CTL + && (uint32_t)env->regs[R_ECX] < MSR_MC0_CTL + +-- +2.18.2 + diff --git a/SOURCES/kvm-target-i386-kvm-initialize-feature-MSRs-very-early.patch b/SOURCES/kvm-target-i386-kvm-initialize-feature-MSRs-very-early.patch new file mode 100644 index 0000000..015d172 --- /dev/null +++ b/SOURCES/kvm-target-i386-kvm-initialize-feature-MSRs-very-early.patch 
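Review bot: Dropping `case MSR_IA32_UCODE_REV` from helper_wrmsr changes what a guest write to that MSR does: previously it was accepted and discarded (the assignment to `val` had no effect), now it reaches the `default:` branch, whose handling of non-MCE MSRs continues outside the hunk. Some guest kernels do write this MSR before re-reading the revision, so if the default branch faults rather than ignores unknown MSRs this would regress them; a comment next to the new case in helper_rdmsr would make the contract explicit, e.g. `/* ucode_rev is a read-only property; guest writes are left to the default branch of helper_wrmsr */`. Both helper_wrmsr and helper_rdmsr start or end outside the hunk.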
@@ -0,0 +1,148 @@ +From d72e41f9a16360eb23e9d943fa7e33291c5fcd87 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 17 Feb 2020 16:23:18 -0500 +Subject: [PATCH 03/12] target/i386: kvm: initialize feature MSRs very early +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Paolo Bonzini +Message-id: <20200217162323.2572-2-pbonzini@redhat.com> +Patchwork-id: 93896 +O-Subject: [RHEL7.9 qemu-kvm-rhev PATCH 1/6] target/i386: kvm: initialize feature MSRs very early +Bugzilla: 1791653 +RH-Acked-by: Maxim Levitsky +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Dr. David Alan Gilbert + +Some read-only MSRs affect the behavior of ioctls such as +KVM_SET_NESTED_STATE. We can initialize them once and for all +right after the CPU is realized, since they will never be modified +by the guest. + +Reported-by: Qingua Cheng +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +Message-Id: <1579544504-3616-2-git-send-email-pbonzini@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 420ae1fc51c99abfd03b1c590f55617edd2a2bed) + +[RHEL7: no MSR_IA32_CORE_CAPABILITY] + +Signed-off-by: Jon Maloy +--- + target/i386/kvm.c | 55 +++++++++++++++++++++++++++--------------- + target/i386/kvm_i386.h | 1 + + 2 files changed, 36 insertions(+), 20 deletions(-) + +diff --git a/target/i386/kvm.c b/target/i386/kvm.c +index a6e5a87cf5..d8a4dbfde3 100644 +--- a/target/i386/kvm.c ++++ b/target/i386/kvm.c +@@ -65,6 +65,8 @@ + * 255 kvm_msr_entry structs */ + #define MSR_BUF_SIZE 4096 + ++static void kvm_init_msrs(X86CPU *cpu); ++ + const KVMCapabilityInfo kvm_arch_required_capabilities[] = { + KVM_CAP_INFO(SET_TSS_ADDR), + KVM_CAP_INFO(EXT_CPUID), +@@ -1175,6 +1177,8 @@ int kvm_arch_init_vcpu(CPUState *cs) + has_msr_tsc_aux = false; + } + ++ kvm_init_msrs(cpu); ++ + return 0; + + fail: +@@ -1797,11 +1801,40 @@ static int kvm_put_msr_feature_control(X86CPU *cpu) + return 0; + } + ++static int kvm_buf_set_msrs(X86CPU 
*cpu) ++{ ++ int ret = kvm_vcpu_ioctl(CPU(cpu), KVM_SET_MSRS, cpu->kvm_msr_buf); ++ if (ret < 0) { ++ return ret; ++ } ++ ++ if (ret < cpu->kvm_msr_buf->nmsrs) { ++ struct kvm_msr_entry *e = &cpu->kvm_msr_buf->entries[ret]; ++ error_report("error: failed to set MSR 0x%" PRIx32 " to 0x%" PRIx64, ++ (uint32_t)e->index, (uint64_t)e->data); ++ } ++ ++ assert(ret == cpu->kvm_msr_buf->nmsrs); ++ return 0; ++} ++ ++static void kvm_init_msrs(X86CPU *cpu) ++{ ++ CPUX86State *env = &cpu->env; ++ ++ kvm_msr_buf_reset(cpu); ++ if (has_msr_arch_capabs) { ++ kvm_msr_entry_add(cpu, MSR_IA32_ARCH_CAPABILITIES, ++ env->features[FEAT_ARCH_CAPABILITIES]); ++ } ++ ++ assert(kvm_buf_set_msrs(cpu) == 0); ++} ++ + static int kvm_put_msrs(X86CPU *cpu, int level) + { + CPUX86State *env = &cpu->env; + int i; +- int ret; + + kvm_msr_buf_reset(cpu); + +@@ -1856,12 +1889,6 @@ static int kvm_put_msrs(X86CPU *cpu, int level) + } + #endif + +- /* If host supports feature MSR, write down. */ +- if (has_msr_arch_capabs) { +- kvm_msr_entry_add(cpu, MSR_IA32_ARCH_CAPABILITIES, +- env->features[FEAT_ARCH_CAPABILITIES]); +- } +- + /* + * The following MSRs have side effects on the guest or are too heavy + * for normal writeback. Limit them to reset or full state updates. 
+@@ -2040,19 +2067,7 @@ static int kvm_put_msrs(X86CPU *cpu, int level) + } + } + +- ret = kvm_vcpu_ioctl(CPU(cpu), KVM_SET_MSRS, cpu->kvm_msr_buf); +- if (ret < 0) { +- return ret; +- } +- +- if (ret < cpu->kvm_msr_buf->nmsrs) { +- struct kvm_msr_entry *e = &cpu->kvm_msr_buf->entries[ret]; +- error_report("error: failed to set MSR 0x%" PRIx32 " to 0x%" PRIx64, +- (uint32_t)e->index, (uint64_t)e->data); +- } +- +- assert(ret == cpu->kvm_msr_buf->nmsrs); +- return 0; ++ return kvm_buf_set_msrs(cpu); + } + + +diff --git a/target/i386/kvm_i386.h b/target/i386/kvm_i386.h +index 1de9876cd9..856044750e 100644 +--- a/target/i386/kvm_i386.h ++++ b/target/i386/kvm_i386.h +@@ -69,4 +69,5 @@ void kvm_put_apicbase(X86CPU *cpu, uint64_t value); + + bool kvm_enable_x2apic(void); + bool kvm_has_x2apic_api(void); ++ + #endif +-- +2.18.2 + diff --git a/SOURCES/kvm-target-i386-kvm-initialize-microcode-revision-from-K.patch b/SOURCES/kvm-target-i386-kvm-initialize-microcode-revision-from-K.patch new file mode 100644 index 0000000..e26a2de --- /dev/null +++ b/SOURCES/kvm-target-i386-kvm-initialize-microcode-revision-from-K.patch 
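Review bot: `assert(kvm_buf_set_msrs(cpu) == 0);` in kvm_init_msrs puts the KVM_SET_MSRS ioctl inside an assert expression, so a failed ioctl aborts QEMU during vCPU creation instead of being reported through kvm_arch_init_vcpu, which already returns an int and has a `fail:` path visible in the hunk; I believe QEMU's osdep.h rejects NDEBUG builds, so the call is not at risk of being compiled out, but a side effect inside assert is still a readability trap. I would make kvm_init_msrs return int with `return kvm_buf_set_msrs(cpu);` and let the caller propagate the result via its existing error variable (not visible in the hunk). The kvm_i386.h hunk adds only a blank line and could be dropped from the backport. kvm_arch_init_vcpu and kvm_put_msrs extend beyond the hunk.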
@@ -0,0 +1,107 @@ +From 3a740f27c76ccd7fa2c0ece979a480bece592674 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 17 Feb 2020 16:23:20 -0500 +Subject: [PATCH 05/12] target/i386: kvm: initialize microcode revision from + KVM +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Paolo Bonzini +Message-id: <20200217162323.2572-4-pbonzini@redhat.com> +Patchwork-id: 93900 +O-Subject: [RHEL7.9 qemu-kvm-rhev PATCH 3/6] target/i386: kvm: initialize microcode revision from KVM +Bugzilla: 1791653 +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Maxim Levitsky +RH-Acked-by: Dr. David Alan Gilbert + +KVM can return the host microcode revision as a feature MSR. +Use it as the default value for -cpu host. + +Signed-off-by: Paolo Bonzini +Message-Id: <1579544504-3616-4-git-send-email-pbonzini@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 32c87d70ff55b96741f08c35108935cac6f40fe4) + +[RHEL7: change kvm_arch_get_supported_msr_feature to return 64-bit + value, originally done for VMX features; split "if" statement in + two parts, originally done for upstream commit 2266d44311 + ("i386/cpu: make -cpu host support monitor/mwait", 2018-06-29)] + +Signed-off-by: Jon Maloy +--- + include/sysemu/kvm.h | 2 +- + target/i386/cpu.c | 17 ++++++++++++----- + target/i386/kvm.c | 7 ++++++- + 3 files changed, 19 insertions(+), 7 deletions(-) + +diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h +index 3d8f294633..cd9a0206ce 100644 +--- a/include/sysemu/kvm.h ++++ b/include/sysemu/kvm.h +@@ -464,7 +464,7 @@ int kvm_vm_check_extension(KVMState *s, unsigned int extension); + + uint32_t kvm_arch_get_supported_cpuid(KVMState *env, uint32_t function, + uint32_t index, int reg); +-uint32_t kvm_arch_get_supported_msr_feature(KVMState *s, uint32_t index); ++uint64_t kvm_arch_get_supported_msr_feature(KVMState *s, uint32_t index); + + + void kvm_set_sigmask_len(KVMState *s, unsigned int sigmask_len); +diff --git 
a/target/i386/cpu.c b/target/i386/cpu.c +index ad905d6f8c..3579bd53c5 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -4936,11 +4936,18 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp) + Error *local_err = NULL; + static bool ht_warned; + +- if (xcc->host_cpuid_required && !accel_uses_host_cpuid()) { +- char *name = x86_cpu_class_get_model_name(xcc); +- error_setg(&local_err, "CPU model '%s' requires KVM", name); +- g_free(name); +- goto out; ++ if (xcc->host_cpuid_required) { ++ if (!accel_uses_host_cpuid()) { ++ char *name = x86_cpu_class_get_model_name(xcc); ++ error_setg(&local_err, "CPU model '%s' requires KVM", name); ++ g_free(name); ++ goto out; ++ } ++ ++ if (kvm_enabled() && cpu->ucode_rev == 0) { ++ cpu->ucode_rev = kvm_arch_get_supported_msr_feature(kvm_state, ++ MSR_IA32_UCODE_REV); ++ } + } + + if (cpu->ucode_rev == 0) { +diff --git a/target/i386/kvm.c b/target/i386/kvm.c +index d8a4dbfde3..4d43fba716 100644 +--- a/target/i386/kvm.c ++++ b/target/i386/kvm.c +@@ -419,7 +419,7 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function, + return ret; + } + +-uint32_t kvm_arch_get_supported_msr_feature(KVMState *s, uint32_t index) ++uint64_t kvm_arch_get_supported_msr_feature(KVMState *s, uint32_t index) + { + struct { + struct kvm_msrs info; +@@ -1828,6 +1828,11 @@ static void kvm_init_msrs(X86CPU *cpu) + env->features[FEAT_ARCH_CAPABILITIES]); + } + ++ if (kvm_arch_get_supported_msr_feature(kvm_state, ++ MSR_IA32_UCODE_REV)) { ++ kvm_msr_entry_add(cpu, MSR_IA32_UCODE_REV, cpu->ucode_rev); ++ } ++ + assert(kvm_buf_set_msrs(cpu) == 0); + } + +-- +2.18.2 + diff --git a/SOURCES/kvm-tcp_emu-Fix-oob-access.patch b/SOURCES/kvm-tcp_emu-Fix-oob-access.patch new file mode 100644 index 0000000..6c2e897 --- /dev/null +++ b/SOURCES/kvm-tcp_emu-Fix-oob-access.patch 
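Review bot: The body of kvm_arch_get_supported_msr_feature is not in the hunk, so widening its return type to uint64_t is only half visible: the function's own `return` statement and the `cpu->ucode_rev` field it is assigned to in x86_cpu_realizefn both need to be 64-bit wide for the change to have effect, and neither is shown. In kvm_init_msrs the guard `if (kvm_arch_get_supported_msr_feature(kvm_state, MSR_IA32_UCODE_REV))` uses a non-zero host value as a proxy for the MSR being supported, so a host that reports revision 0 silently skips the write (a later patch in this import replaces it with a dedicated availability flag; this note is on the patch in isolation). A one-line comment on why the default is taken in realizefn would help, e.g. `/* For -cpu host, default ucode_rev to the value KVM reports for the host */`.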
@@ -0,0 +1,60 @@ +From 66013de2e0075ae67edd31efb3e86c728ec485fa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Jan 2020 11:49:40 +0100 +Subject: [PATCH 1/3] tcp_emu: Fix oob access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +Message-id: <20200117114942.12236-2-philmd@redhat.com> +Patchwork-id: 93393 +O-Subject: [RHEL-7.7.z qemu-kvm-rhev + RHEL-7.8 qemu-kvm-rhev + RHEL-7.9 qemu-kvm-rhev + RHEL-8.1.0 qemu-kvm + RHEL-8.2.0 qemu-kvm + RHEL-7.7.z qemu-kvm-ma + RHEL-7.8 qemu-kvm-ma + RHEL-7.9 qemu-kvm-ma PATCH 1/3] tcp_emu: Fix oob access +Bugzilla: 1791563 1791570 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Thomas Huth + +From: Samuel Thibault + +The main loop only checks for one available byte, while we sometimes +need two bytes. + +(cherry picked from libslirp commit 2655fffed7a9e765bcb4701dd876e9dab975f289) +[PMD: backported with style conflicts, + CHANGELOG.md absent in downstream] +Signed-off-by: Philippe Mathieu-Daudé + +Signed-off-by: Miroslav Rezanina +--- + slirp/tcp_subr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index 0152f72..decfd9b 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -892,6 +892,9 @@ tcp_emu(struct socket *so, struct mbuf *m) + break; + + case 5: ++ if (bptr == m->m_data + m->m_len - 1) ++ return 1; /* We need two bytes */ ++ + /* + * The difference between versions 1.0 and + * 2.0 is here. For future versions of +@@ -907,6 +910,10 @@ tcp_emu(struct socket *so, struct mbuf *m) + /* This is the field containing the port + * number that RA-player is listening to. + */ ++ ++ if (bptr == m->m_data + m->m_len - 1) ++ return 1; /* We need two bytes */ ++ + lport = (((u_char*)bptr)[0] << 8) + + ((u_char *)bptr)[1]; + if (lport < 6970) +-- +1.8.3.1 + 
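Review bot: Both new guards use equality, `if (bptr == m->m_data + m->m_len - 1)`, so they only catch the case where exactly one byte is left and rely on the main loop never advancing bptr past the last byte, which is not visible in the hunk. Writing them as `if (bptr >= m->m_data + m->m_len - 1) { return 1; /* We need two bytes */ }` states the intent directly and still holds if a later change moves bptr further; the braces also match QEMU's coding style, which the unbraced single-statement `if` does not. tcp_emu continues on both sides of the hunk.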
diff --git a/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages.patch b/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages.patch new file mode 100644 index 0000000..dd70d6b --- /dev/null +++ b/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages.patch 
@@ -0,0 +1,148 @@ +From bac27b0e9302c5b869d962879d43df1ebdd09c83 Mon Sep 17 00:00:00 2001 +From: jmaloy +Date: Wed, 19 Feb 2020 16:29:23 +0100 +Subject: [PATCH 2/2] tcp_emu: fix unsafe snprintf() usages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20200219162923.18327-3-jmaloy@redhat.com> +Patchwork-id: 93977 +O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH v2 2/2] tcp_emu: fix unsafe snprintf() usages +Bugzilla: 1798974 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Eduardo Habkost +RH-Acked-by: Philippe Mathieu-Daudé + +From: Marc-André Lureau + +Various calls to snprintf() assume that snprintf() returns "only" the +number of bytes written (excluding terminating NUL). + +https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04 + +"Upon successful completion, the snprintf() function shall return the +number of bytes that would be written to s had n been sufficiently +large excluding the terminating null byte." + +Before patch ce131029, if there isn't enough room in "m_data" for the +"DCC ..." message, we overflow "m_data". + +After the patch, if there isn't enough room for the same, we don't +overflow "m_data", but we set "m_len" out-of-bounds. The next time an +access is bounded by "m_len", we'll have a buffer overflow then. + +Use slirp_fmt*() to fix potential OOB memory access. 
+ +Reported-by: Laszlo Ersek +Signed-off-by: Marc-André Lureau +Reviewed-by: Samuel Thibault +Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com> +(cherry picked from libslirp commit 68ccb8021a838066f0951d4b2817eb6b6f10a843) +Signed-off-by: Jon Maloy + +Signed-off-by: Miroslav Rezanina +--- + slirp/tcp_subr.c | 44 +++++++++++++++++++++----------------------- + 1 file changed, 21 insertions(+), 23 deletions(-) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index c5196a4..944e1d7 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -665,8 +665,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + NTOHS(n1); + NTOHS(n2); + m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1); +- m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2); +- assert(m->m_len < M_ROOM(m)); ++ m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2); + } else { + *eol = '\r'; + } +@@ -706,9 +705,9 @@ tcp_emu(struct socket *so, struct mbuf *m) + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "ORT %d,%d,%d,%d,%d,%d\r\n%s", +- n1, n2, n3, n4, n5, n6, x==7?buff:""); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "ORT %d,%d,%d,%d,%d,%d\r\n%s", ++ n1, n2, n3, n4, n5, n6, x == 7 ? buff : ""); + return 1; + } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) { + /* +@@ -739,10 +738,9 @@ tcp_emu(struct socket *so, struct mbuf *m) + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", +- n1, n2, n3, n4, n5, n6, x==7?buff:""); +- ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", ++ n1, n2, n3, n4, n5, n6, x == 7 ? 
buff : ""); + return 1; + } + +@@ -765,8 +763,8 @@ tcp_emu(struct socket *so, struct mbuf *m) + if (m->m_data[m->m_len-1] == '\0' && lport != 0 && + (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, + htons(lport), SS_FACCEPTONCE)) != NULL) +- m->m_len = snprintf(m->m_data, M_ROOM(m), +- "%d", ntohs(so->so_fport)) + 1; ++ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m), ++ "%d", ntohs(so->so_fport)); + return 1; + + case EMU_IRC: +@@ -786,10 +784,10 @@ tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "DCC CHAT chat %lu %u%c\n", +- (unsigned long)ntohl(so->so_faddr.s_addr), +- ntohs(so->so_fport), 1); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "DCC CHAT chat %lu %u%c\n", ++ (unsigned long)ntohl(so->so_faddr.s_addr), ++ ntohs(so->so_fport), 1); + } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) { + if ((so = tcp_listen(slirp, INADDR_ANY, 0, + htonl(laddr), htons(lport), +@@ -797,10 +795,10 @@ tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "DCC SEND %s %lu %u %u%c\n", buff, +- (unsigned long)ntohl(so->so_faddr.s_addr), +- ntohs(so->so_fport), n1, 1); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ "DCC SEND %s %lu %u %u%c\n", buff, ++ (unsigned long)ntohl(so->so_faddr.s_addr), ++ ntohs(so->so_fport), n1, 1); + } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) { + if ((so = tcp_listen(slirp, INADDR_ANY, 0, + htonl(laddr), htons(lport), +@@ -808,10 +806,10 @@ tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, M_FREEROOM(m), +- "DCC MOVE %s %lu %u %u%c\n", buff, +- (unsigned long)ntohl(so->so_faddr.s_addr), +- ntohs(so->so_fport), n1, 1); ++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m), ++ 
"DCC MOVE %s %lu %u %u%c\n", buff, ++ (unsigned long)ntohl(so->so_faddr.s_addr), ++ ntohs(so->so_fport), n1, 1); + } + return 1; + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-usb-drop-unnecessary-usb_device_post_load-checks.patch b/SOURCES/kvm-usb-drop-unnecessary-usb_device_post_load-checks.patch new file mode 100644 index 0000000..2fbc14e --- /dev/null +++ b/SOURCES/kvm-usb-drop-unnecessary-usb_device_post_load-checks.patch 
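Review bot: With slirp_fmt a truncated format now returns `size` rather than the number of characters actually stored (vsnprintf stores `size - 1` characters plus a NUL), so `m->m_len` then counts the terminating NUL as payload; the removed `assert(m->m_len < M_ROOM(m))` used to reject exactly that state, and now a cut FTP/IRC line is forwarded after only a g_critical(). That is bounded and much better than the former overflow, but it is worth one comment at the first call site: `/* slirp_fmt() never exceeds the room; on truncation the line is cut and m_len includes the NUL */`. The EMU_REALAUDIO hunk is the intentional exception, where slirp_fmt0 replaces the old `+ 1` so that the NUL is part of the data, which deserves a comment of its own. tcp_emu extends beyond every hunk here.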
@@ -0,0 +1,127 @@ +From ed9c0b1c244cb299cb0aa52b0dc93979ca503abd Mon Sep 17 00:00:00 2001 +From: "Dr. David Alan Gilbert" +Date: Tue, 1 Oct 2019 19:01:06 +0200 +Subject: [PATCH 1/4] usb: drop unnecessary usb_device_post_load checks + +RH-Author: Dr. David Alan Gilbert +Message-id: <20191001190106.30455-2-dgilbert@redhat.com> +Patchwork-id: 90937 +O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 1/1] usb: drop unnecessary usb_device_post_load checks +Bugzilla: 1724048 +RH-Acked-by: Gerd Hoffmann +RH-Acked-by: Igor Mammedov +RH-Acked-by: Stefan Hajnoczi + +From: Jonathan Davies + +In usb_device_post_load, certain values of dev->setup_len or +dev->setup_index can cause -EINVAL to be returned. One example is when +setup_len exceeds 4096, the hard-coded value of sizeof(dev->data_buf). +This can happen through legitimate guest activity and will cause all +subsequent attempts to migrate the guest to fail in vmstate_load_state. + +The values of these variables can be set by USB packets originating in +the guest. There are two ways in which they can be set: in +do_token_setup and in do_parameter in hw/usb/core.c. + +It is easy to craft a USB packet in a guest that causes do_token_setup +to set setup_len to a value larger than 4096. When this has been done +once, all subsequent attempts to migrate the VM will fail in +usb_device_post_load until the VM is next power-cycled or a +smaller-sized USB packet is sent to the device. 
+ +Sample code for achieving this in a VM started with "-device usb-tablet" +running Linux with CONFIG_HIDRAW=y and HID_MAX_BUFFER_SIZE > 4096: + + #include + #include + #include + #include + + int main() { + char buf[4097]; + int fd = open("/dev/hidraw0", O_RDWR|O_NONBLOCK); + + buf[0] = 0x1; + write(fd, buf, 4097); + + return 0; + } + +When this code is run in the VM, qemu will output: + + usb_generic_handle_packet: ctrl buffer too small (4097 > 4096) + +A subsequent attempt to migrate the VM will fail and output the +following on the destination host: + + qemu-kvm: error while loading state for instance 0x0 of device '0000:00:06.7/1/usb-ptr' + qemu-kvm: load of migration failed: Invalid argument + +The idea behind checking the values of setup_len and setup_index before +they are used is correct, but doing it in usb_device_post_load feels +arbitrary, and will cause unnecessary migration failures. Indeed, none +of the commit messages for c60174e8, 9f8e9895 and 719ffe1f justify why +post_load is the right place to do these checks. They correctly point +out that the important thing to protect is the usb_packet_copy. + +Instead, the right place to do the checks is in do_token_setup and +do_parameter. Indeed, there are already some checks here. We can examine +each of the disjuncts currently tested in usb_device_post_load to see +whether any need adding to do_token_setup or do_parameter to improve +safety there: + + * dev->setup_index < 0 + - This test is not needed because setup_index is explicitly set to +0 in do_token_setup and do_parameter. + + * dev->setup_len < 0 + - In both do_token_setup and do_parameter, the value of setup_len +is computed by (s->setup_buf[7] << 8) | s->setup_buf[6]. Since +s->setup_buf is a byte array and setup_len is an int32_t, it's +impossible for this arithmetic to set setup_len's top bit, so it can +never be negative. 
+ + * dev->setup_index > dev->setup_len + - Since setup_index is 0, this is equivalent to the previous test, +so is redundant. + + * dev->setup_len > sizeof(dev->data_buf) + - This condition is already explicitly checked in both +do_token_setup and do_parameter. + +Hence there is no need to bolster the existing checks in do_token_setup +or do_parameter, and we can safely remove these checks from +usb_device_post_load without reducing safety but allowing migrations to +proceed regardless of what USB packets have been generated by the guest. + +Signed-off-by: Jonathan Davies +Message-Id: <20190107175117.23769-1-jonathan.davies@nutanix.com> +Signed-off-by: Gerd Hoffmann +Signed-off-by: Dr. David Alan Gilbert +(cherry picked from commit f30815390adb1ec153327c3832ab378e8bce9808) +Signed-off-by: Miroslav Rezanina +--- + hw/usb/bus.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/hw/usb/bus.c b/hw/usb/bus.c +index 11f7720..5499810 100644 +--- a/hw/usb/bus.c ++++ b/hw/usb/bus.c +@@ -59,12 +59,6 @@ static int usb_device_post_load(void *opaque, int version_id) + } else { + dev->attached = true; + } +- if (dev->setup_index < 0 || +- dev->setup_len < 0 || +- dev->setup_index > dev->setup_len || +- dev->setup_len > sizeof(dev->data_buf)) { +- return -EINVAL; +- } + return 0; + } + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-util-add-slirp_fmt-helpers.patch b/SOURCES/kvm-util-add-slirp_fmt-helpers.patch new file mode 100644 index 0000000..8c61825 --- /dev/null +++ b/SOURCES/kvm-util-add-slirp_fmt-helpers.patch 
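Review bot: The removed block was the only validation of `setup_len`/`setup_index` applied to values coming from the migration stream itself; the commit message's argument that do_token_setup and do_parameter already bound them covers guest-originated values, but after this change a corrupted or hostile stream is accepted as-is and the next usb_packet_copy depends on those checks having happened on the source side. If the stream is trusted by design that is acceptable, but the decision belongs in the code where the check used to be, e.g. `/* setup_len/setup_index are bounded in do_token_setup()/do_parameter(); re-checking here only breaks migration for guests that once sent oversized packets */`. usb_device_post_load starts outside the hunk.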
@@ -0,0 +1,141 @@ +From 8f130c9462750f2ec8205b0749ecd64b799144b5 Mon Sep 17 00:00:00 2001 +From: jmaloy +Date: Wed, 19 Feb 2020 16:29:22 +0100 +Subject: [PATCH 1/2] util: add slirp_fmt() helpers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20200219162923.18327-2-jmaloy@redhat.com> +Patchwork-id: 93976 +O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH v2 1/2] util: add slirp_fmt() helpers +Bugzilla: 1798974 +RH-Acked-by: Maxim Levitsky +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Eduardo Habkost + +From: Marc-André Lureau + +Various calls to snprintf() in libslirp assume that snprintf() returns +"only" the number of bytes written (excluding terminating NUL). + +https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04 + +"Upon successful completion, the snprintf() function shall return the +number of bytes that would be written to s had n been sufficiently +large excluding the terminating null byte." + +Introduce slirp_fmt() that handles several pathological cases the +way libslirp usually expect: + +- treat error as fatal (instead of silently returning -1) + +- fmt0() will always \0 end + +- return the number of bytes actually written (instead of what would + have been written, which would usually result in OOB later), including + the ending \0 for fmt0() + +- warn if truncation happened (instead of ignoring) + + Other less common cases can still be handled with strcpy/snprintf() etc. + +Signed-off-by: Marc-André Lureau +Reviewed-by: Samuel Thibault +Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com> + +(cherry picked from libslirp commit 30648c03b27fb8d9611b723184216cd3174b6775) + +Manually re-adapted, since there is no util.c file in this code version. +We add the two functions as static functions in the file where they +are going to be used. 
+ +Signed-off-by: Jon Maloy +Signed-off-by: Miroslav Rezanina +--- + slirp/tcp_subr.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 65 insertions(+) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index b95ba23..c5196a4 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -45,6 +45,9 @@ + /* Don't do rfc1323 performance enhancements */ + #define TCP_DO_RFC1323 0 + ++static int slirp_fmt(char *str, size_t size, const char *format, ...); ++static int slirp_fmt0(char *str, size_t size, const char *format, ...); ++ + /* + * Tcp initialization + */ +@@ -990,3 +993,65 @@ int tcp_ctl(struct socket *so) + sb->sb_wptr += sb->sb_cc; + return 0; + } ++ ++static int slirp_vsnprintf(char *str, size_t size, ++ const char *format, va_list args) ++{ ++ int rv = vsnprintf(str, size, format, args); ++ ++ if (rv < 0) { ++ g_error("vsnprintf() failed: %s", g_strerror(errno)); ++ } ++ ++ return rv; ++} ++ ++/* ++ * A snprintf()-like function that: ++ * - returns the number of bytes written (excluding optional \0-ending) ++ * - dies on error ++ * - warn on truncation ++ */ ++static int slirp_fmt(char *str, size_t size, const char *format, ...) ++{ ++ va_list args; ++ int rv; ++ ++ va_start(args, format); ++ rv = slirp_vsnprintf(str, size, format, args); ++ va_end(args); ++ ++ if (rv > size) { ++ g_critical("vsnprintf() truncation"); ++ } ++ ++ return MIN(rv, size); ++} ++ ++/* ++ * A snprintf()-like function that: ++ * - always \0-end (unless size == 0) ++ * - returns the number of bytes actually written, including \0 ending ++ * - dies on error ++ * - warn on truncation ++ */ ++static int slirp_fmt0(char *str, size_t size, const char *format, ...) 
++{ ++ va_list args; ++ int rv; ++ ++ va_start(args, format); ++ rv = slirp_vsnprintf(str, size, format, args); ++ va_end(args); ++ ++ if (rv >= size) { ++ g_critical("vsnprintf() truncation"); ++ if (size > 0) ++ str[size - 1] = '\0'; ++ rv = size; ++ } else { ++ rv += 1; /* include \0 */ ++ } ++ ++ return rv; ++} +-- +1.8.3.1 + diff --git a/SOURCES/kvm-vhost-fix-vhost_log-size-overflow-during-migration.patch b/SOURCES/kvm-vhost-fix-vhost_log-size-overflow-during-migration.patch new file mode 100644 index 0000000..52c20c1 --- /dev/null +++ b/SOURCES/kvm-vhost-fix-vhost_log-size-overflow-during-migration.patch 
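Review bot: In slirp_fmt the truncation test `if (rv > size)` misses the boundary case: when vsnprintf returns exactly `size`, the output needed `size` characters but only `size - 1` were stored plus the NUL, so that truncation goes unreported, whereas slirp_fmt0 below correctly uses `>=`. The check should read `if (rv >= size) {` to match. Both comparisons are also int against size_t; `rv` is known non-negative after slirp_vsnprintf's g_error, so `(size_t)rv` would silence -Wsign-compare without changing behaviour. Finally, `MIN(rv, size)` reports `size` in the truncated case although only `size - 1` characters were written, so the doc comment above slirp_fmt should say the returned count may include the NUL.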
@@ -0,0 +1,81 @@ +From f55e32a7892964908252bb5fe3719bb22c2de2dd Mon Sep 17 00:00:00 2001 +From: "Dr. David Alan Gilbert" +Date: Tue, 26 Nov 2019 13:27:55 +0100 +Subject: [PATCH] vhost: fix vhost_log size overflow during migration + +RH-Author: Dr. David Alan Gilbert +Message-id: <20191126132755.42248-2-dgilbert@redhat.com> +Patchwork-id: 92686 +O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH 1/1] vhost: fix vhost_log size overflow during migration +Bugzilla: 1775251 +RH-Acked-by: Laszlo Ersek +RH-Acked-by: Peter Xu +RH-Acked-by: Juan Quintela + +From: Li Hangjing + +When a guest which doesn't support multiqueue is migrated with a multi queues +vhost-user-blk deivce, a crash will occur like: + +0 qemu_memfd_alloc (name=, size=562949953421312, seals=, fd=0x7f87171fe8b4, errp=0x7f87171fe8a8) at util/memfd.c:153 +1 0x00007f883559d7cf in vhost_log_alloc (size=70368744177664, share=true) at hw/virtio/vhost.c:186 +2 0x00007f88355a0758 in vhost_log_get (listener=0x7f8838bd7940, enable=1) at qemu-2-12/hw/virtio/vhost.c:211 +3 vhost_dev_log_resize (listener=0x7f8838bd7940, enable=1) at hw/virtio/vhost.c:263 +4 vhost_migration_log (listener=0x7f8838bd7940, enable=1) at hw/virtio/vhost.c:787 +5 0x00007f88355463d6 in memory_global_dirty_log_start () at memory.c:2503 +6 0x00007f8835550577 in ram_init_bitmaps (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2173 +7 ram_init_all (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2192 +8 ram_save_setup (f=0x7f88384ce600, opaque=0x7f8836024098) at migration/ram.c:2219 +9 0x00007f88357a419d in qemu_savevm_state_setup (f=0x7f88384ce600) at migration/savevm.c:1002 +10 0x00007f883579fc3e in migration_thread (opaque=0x7f8837530400) at migration/migration.c:2382 +11 0x00007f8832447893 in start_thread () from /lib64/libpthread.so.0 +12 0x00007f8832178bfd in clone () from /lib64/libc.so.6 + +This is because vhost_get_log_size() returns a overflowed vhost-log size. 
+In this function, it uses the uninitialized variable vqs->used_phys and
+vqs->used_size to get the vhost-log size.
+
+Signed-off-by: Li Hangjing
+Reviewed-by: Xie Yongji
+Reviewed-by: Chai Wen
+Message-Id: <20190603061524.24076-1-lihangjing@baidu.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Michael S. Tsirkin
+(cherry picked from commit 240e647a14df9677b3a501f7b8b870e40aac3fd5)
+Signed-off-by: Miroslav Rezanina
+---
+ hw/virtio/vhost.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
+index 1ae68ff..7bdc9c4 100644
+--- a/hw/virtio/vhost.c
++++ b/hw/virtio/vhost.c
+@@ -131,6 +131,11 @@ static int vhost_sync_dirty_bitmap(struct vhost_dev *dev,
+ }
+ for (i = 0; i < dev->nvqs; ++i) {
+ struct vhost_virtqueue *vq = dev->vqs + i;
++
++ if (!vq->used_phys && !vq->used_size) {
++ continue;
++ }
++
+ vhost_dev_sync_region(dev, section, start_addr, end_addr, vq->used_phys,
+ range_get_last(vq->used_phys, vq->used_size));
+ }
+@@ -168,6 +173,11 @@ static uint64_t vhost_get_log_size(struct vhost_dev *dev)
+ }
+ for (i = 0; i < dev->nvqs; ++i) {
+ struct vhost_virtqueue *vq = dev->vqs + i;
++
++ if (!vq->used_phys && !vq->used_size) {
++ continue;
++ }
++
+ uint64_t last = vq->used_phys + vq->used_size - 1;
+ log_size = MAX(log_size, last / VHOST_LOG_CHUNK + 1);
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-virtio-add-ability-to-delete-vq-through-a-pointer.patch b/SOURCES/kvm-virtio-add-ability-to-delete-vq-through-a-pointer.patch
new file mode 100644
index 0000000..e31d135
--- /dev/null
+++ b/SOURCES/kvm-virtio-add-ability-to-delete-vq-through-a-pointer.patch
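Review bot: The predicate `!vq->used_phys && !vq->used_size` is duplicated verbatim in vhost_sync_dirty_bitmap and vhost_get_log_size, and nothing in the code says why a queue with both fields zero is skipped (the commit message explains they stay uninitialized when the guest never started that queue). I would factor it into a helper that carries that explanation, `/* Queues the guest never started still have used_phys and used_size at 0 */` followed by `static bool vhost_vq_started(const struct vhost_virtqueue *vq) { return vq->used_phys || vq->used_size; }`, and use `if (!vhost_vq_started(vq)) { continue; }` in both loops. Note that a queue with used_size == 0 but a non-zero used_phys still passes the check and yields `last = used_phys - 1` in vhost_get_log_size; whether that state can occur is not visible from the hunk. Both enclosing functions start outside the hunk.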
@@ -0,0 +1,74 @@ +From 928998018b7c1665c5f033e1609ae32e27a3d2c2 Mon Sep 17 00:00:00 2001 +From: Julia Suvorova +Date: Wed, 4 Mar 2020 20:07:52 -0500 +Subject: [PATCH 10/12] virtio: add ability to delete vq through a pointer + +RH-Author: Julia Suvorova +Message-id: <20200304200754.32708-3-jusual@redhat.com> +Patchwork-id: 94153 +O-Subject: [RHEL-7.9 qemu-kvm-rhev PATCH 2/4] virtio: add ability to delete vq through a pointer +Bugzilla: 1721403 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Maxim Levitsky +RH-Acked-by: Michael S. Tsirkin + +From: "Michael S. Tsirkin" + +Devices tend to maintain vq pointers, allow deleting them trough a vq pointer. + +Signed-off-by: Michael S. Tsirkin +Reviewed-by: David Hildenbrand +Reviewed-by: David Hildenbrand +(cherry picked from commit 722f8c51d8af223751dfb1d02de40043e8ba067e) +Signed-off-by: Jon Maloy +--- + hw/virtio/virtio.c | 13 +++++++++---- + include/hw/virtio/virtio.h | 2 ++ + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index d228b9297d..29d8502500 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -1602,16 +1602,21 @@ VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size, + return &vdev->vq[i]; + } + ++void virtio_delete_queue(VirtQueue *vq) ++{ ++ vq->vring.num = 0; ++ vq->vring.num_default = 0; ++ vq->handle_output = NULL; ++ vq->handle_aio_output = NULL; ++} ++ + void virtio_del_queue(VirtIODevice *vdev, int n) + { + if (n < 0 || n >= VIRTIO_QUEUE_MAX) { + abort(); + } + +- vdev->vq[n].vring.num = 0; +- vdev->vq[n].vring.num_default = 0; +- vdev->vq[n].handle_output = NULL; +- vdev->vq[n].handle_aio_output = NULL; ++ virtio_delete_queue(&vdev->vq[n]); + } + + static void virtio_set_isr(VirtIODevice *vdev, int value) +diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h +index 302975889b..8b348be70c 100644 +--- a/include/hw/virtio/virtio.h ++++ b/include/hw/virtio/virtio.h +@@ -164,6 +164,8 @@ VirtQueue 
*virtio_add_queue(VirtIODevice *vdev, int queue_size, + + void virtio_del_queue(VirtIODevice *vdev, int n); + ++void virtio_delete_queue(VirtQueue *vq); ++ + void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len); + void virtqueue_flush(VirtQueue *vq, unsigned int count); +-- +2.18.2 + diff --git a/SOURCES/kvm-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch b/SOURCES/kvm-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch new file mode 100644 index 0000000..3bade5e --- /dev/null +++ b/SOURCES/kvm-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch 
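Review bot: virtio_delete_queue() is exported from include/hw/virtio/virtio.h without any contract, while the virtio_del_queue() it is carved out of still validates its index with abort(); the pointer variant performs no check at all and dereferences vq unconditionally. A header comment should state where the pointer must come from and that it must not be NULL, e.g. `/* Tear down a queue previously returned by virtio_add_queue(); vq must be non-NULL. */`. Whether callers are expected to drop their own copies of the pointer afterwards is not visible here and is worth stating in the same comment.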
@@ -0,0 +1,53 @@ +From a1fd8f3e5f2faeccd08a617c0208dd786cf4a6d7 Mon Sep 17 00:00:00 2001 +From: Julia Suvorova +Date: Wed, 4 Mar 2020 20:07:54 -0500 +Subject: [PATCH 12/12] virtio-net: delete also control queue when TX/RX + deleted + +RH-Author: Julia Suvorova +Message-id: <20200304200754.32708-5-jusual@redhat.com> +Patchwork-id: 94155 +O-Subject: [RHEL-7.9 qemu-kvm-rhev PATCH 4/4] virtio-net: delete also control queue when TX/RX deleted +Bugzilla: 1721403 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Maxim Levitsky +RH-Acked-by: Michael S. Tsirkin + +From: Yuri Benditovich + +https://bugzilla.redhat.com/show_bug.cgi?id=1708480 +If the control queue is not deleted together with TX/RX, it +later will be ignored in freeing cache resources and hot +unplug will not be completed. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Yuri Benditovich +Message-Id: <20191226043649.14481-3-yuri.benditovich@daynix.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit d945d9f1731244ef341f74ede93120fc9de35913) +Signed-off-by: Jon Maloy +--- + hw/net/virtio-net.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c +index 90502fca7c..c4896184ed 100644 +--- a/hw/net/virtio-net.c ++++ b/hw/net/virtio-net.c +@@ -2100,8 +2100,12 @@ static void virtio_net_device_unrealize(DeviceState *dev, Error **errp) + virtio_net_del_queue(n, i); + } + ++ /* delete also control vq */ ++ virtio_del_queue(vdev, max_queues * 2); ++ + timer_del(n->announce_timer); + timer_free(n->announce_timer); ++ + g_free(n->vqs); + qemu_del_nic(n->nic); + virtio_cleanup(vdev); +-- +2.18.2 + diff --git a/SOURCES/kvm-virtio-reset-region-cache-when-on-queue-deletion.patch b/SOURCES/kvm-virtio-reset-region-cache-when-on-queue-deletion.patch new file mode 100644 index 0000000..e1e7418 --- /dev/null +++ b/SOURCES/kvm-virtio-reset-region-cache-when-on-queue-deletion.patch 
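Review bot: `virtio_del_queue(vdev, max_queues * 2);` in virtio_net_device_unrealize() recomputes the control queue's index by hand, so it silently depends on the control queue having been added immediately after the 2 * max_queues RX/TX queues at realize time; the `/* delete also control vq */` comment should name that dependency, e.g. `/* the control vq was added right after the max_queues RX/TX pairs, so it sits at index max_queues * 2 */`. Since patch 10/12 of this same import introduces virtio_delete_queue(VirtQueue *), deleting through the pointer the device keeps to its control queue (n->ctrl_vq, if that is what this tree stores) would remove the index arithmetic entirely. The enclosing function starts outside the hunk.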
@@ -0,0 +1,46 @@ +From eec59692f7c3a776a3b5d01a367a3f467f403941 Mon Sep 17 00:00:00 2001 +From: Julia Suvorova +Date: Wed, 4 Mar 2020 20:07:53 -0500 +Subject: [PATCH 11/12] virtio: reset region cache when on queue deletion + +RH-Author: Julia Suvorova +Message-id: <20200304200754.32708-4-jusual@redhat.com> +Patchwork-id: 94154 +O-Subject: [RHEL-7.9 qemu-kvm-rhev PATCH 3/4] virtio: reset region cache when on queue deletion +Bugzilla: 1721403 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Maxim Levitsky +RH-Acked-by: Michael S. Tsirkin + +From: Yuri Benditovich + +https://bugzilla.redhat.com/show_bug.cgi?id=1708480 +Fix leak of region reference that prevents complete +device deletion on hot unplug. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Yuri Benditovich +Message-Id: <20191226043649.14481-2-yuri.benditovich@daynix.com> +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 421afd2fe8dd4603216cbf36081877c391f5a2a4) +Signed-off-by: Jon Maloy +--- + hw/virtio/virtio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 29d8502500..9d624a3529 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -1608,6 +1608,7 @@ void virtio_delete_queue(VirtQueue *vq) + vq->vring.num_default = 0; + vq->handle_output = NULL; + vq->handle_aio_output = NULL; ++ virtio_virtqueue_reset_region_cache(vq); + } + + void virtio_del_queue(VirtIODevice *vdev, int n) +-- +2.18.2 + diff --git a/SOURCES/kvm-virtio-scsi-fixed-virtio_scsi_ctx_check-failed-when-.patch b/SOURCES/kvm-virtio-scsi-fixed-virtio_scsi_ctx_check-failed-when-.patch new file mode 100644 index 0000000..0026d56 --- /dev/null +++ b/SOURCES/kvm-virtio-scsi-fixed-virtio_scsi_ctx_check-failed-when-.patch 
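Review bot: The new `virtio_virtqueue_reset_region_cache(vq);` at the end of virtio_delete_queue() carries no comment, and nothing in the function explains that the region cache holds a MemoryRegion reference which, per the commit message, otherwise prevents the device from being fully deleted on hot unplug; proposed: `/* drop the region cache's MemoryRegion reference, otherwise hot unplug never completes */`. The function's header is above the hunk, so whether the call is safe for a queue whose cache was never populated is not visible here and should be confirmed.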
@@ -0,0 +1,144 @@ +From ed8f16b1786f28d3fb6c6cef79cd4f94deae8857 Mon Sep 17 00:00:00 2001 +From: Sergio Lopez Pascual +Date: Thu, 28 Nov 2019 11:30:47 +0100 +Subject: [PATCH] virtio-scsi: fixed virtio_scsi_ctx_check failed when + detaching scsi disk +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Sergio Lopez Pascual +Message-id: <20191128113047.253669-2-slp@redhat.com> +Patchwork-id: 92747 +O-Subject: [RHEL-7.8 qemu-kvm-rhev PATCH v2 1/1] virtio-scsi: fixed virtio_scsi_ctx_check failed when detaching scsi disk +Bugzilla: 1764120 +RH-Acked-by: Markus Armbruster +RH-Acked-by: Max Reitz +RH-Acked-by: Maxim Levitsky + +From: Zhengui li + +commit a6f230c move blockbackend back to main AioContext on unplug. It set the AioContext of +SCSIDevice to the main AioContex, but s->ctx is still the iothread AioContex(if the scsi controller +is configure with iothread). So if there are having in-flight requests during unplug, a failing assertion +happend. The bt is below: +(gdb) bt +#0 0x0000ffff86aacbd0 in raise () from /lib64/libc.so.6 +#1 0x0000ffff86aadf7c in abort () from /lib64/libc.so.6 +#2 0x0000ffff86aa6124 in __assert_fail_base () from /lib64/libc.so.6 +#3 0x0000ffff86aa61a4 in __assert_fail () from /lib64/libc.so.6 +#4 0x0000000000529118 in virtio_scsi_ctx_check (d=, s=, s=) at /home/qemu-4.0.0/hw/scsi/virtio-scsi.c:246 +#5 0x0000000000529ec4 in virtio_scsi_handle_cmd_req_prepare (s=0x2779ec00, req=0xffff740397d0) at /home/qemu-4.0.0/hw/scsi/virtio-scsi.c:559 +#6 0x000000000052a228 in virtio_scsi_handle_cmd_vq (s=0x2779ec00, vq=0xffff7c6d7110) at /home/qemu-4.0.0/hw/scsi/virtio-scsi.c:603 +#7 0x000000000052afa8 in virtio_scsi_data_plane_handle_cmd (vdev=, vq=0xffff7c6d7110) at /home/qemu-4.0.0/hw/scsi/virtio-scsi-dataplane.c:59 +#8 0x000000000054d94c in virtio_queue_host_notifier_aio_poll (opaque=) at /home/qemu-4.0.0/hw/virtio/virtio.c:2452 + +assert(blk_get_aio_context(d->conf.blk) == s->ctx) failed. 
+ +To avoid assertion failed, moving the "if" after qdev_simple_device_unplug_cb. + +In addition, to avoid another qemu crash below, add aio_disable_external before +qdev_simple_device_unplug_cb, which disable the further processing of external clients +when doing qdev_simple_device_unplug_cb. +(gdb) bt +#0 scsi_req_unref (req=0xffff6802c6f0) at hw/scsi/scsi-bus.c:1283 +#1 0x00000000005294a4 in virtio_scsi_handle_cmd_req_submit (req=, + s=) at /home/qemu-4.0.0/hw/scsi/virtio-scsi.c:589 +#2 0x000000000052a2a8 in virtio_scsi_handle_cmd_vq (s=s@entry=0x9c90e90, + vq=vq@entry=0xffff7c05f110) at /home/qemu-4.0.0/hw/scsi/virtio-scsi.c:625 +#3 0x000000000052afd8 in virtio_scsi_data_plane_handle_cmd (vdev=, + vq=0xffff7c05f110) at /home/qemu-4.0.0/hw/scsi/virtio-scsi-dataplane.c:60 +#4 0x000000000054d97c in virtio_queue_host_notifier_aio_poll (opaque=) + at /home/qemu-4.0.0/hw/virtio/virtio.c:2447 +#5 0x00000000009b204c in run_poll_handlers_once (ctx=ctx@entry=0x6efea40, + timeout=timeout@entry=0xffff7d7f7308) at util/aio-posix.c:521 +#6 0x00000000009b2b64 in run_poll_handlers (ctx=ctx@entry=0x6efea40, + max_ns=max_ns@entry=4000, timeout=timeout@entry=0xffff7d7f7308) at util/aio-posix.c:559 +#7 0x00000000009b2ca0 in try_poll_mode (ctx=ctx@entry=0x6efea40, timeout=0xffff7d7f7308, + timeout@entry=0xffff7d7f7348) at util/aio-posix.c:594 +#8 0x00000000009b31b8 in aio_poll (ctx=0x6efea40, blocking=blocking@entry=true) + at util/aio-posix.c:636 +#9 0x00000000006973cc in iothread_run (opaque=0x6ebd800) at iothread.c:75 +#10 0x00000000009b592c in qemu_thread_start (args=0x6efef60) at util/qemu-thread-posix.c:502 +#11 0x0000ffff8057f8bc in start_thread () from /lib64/libpthread.so.0 +#12 0x0000ffff804e5f8c in thread_start () from /lib64/libc.so.6 +(gdb) p bus +$1 = (SCSIBus *) 0x0 + +Signed-off-by: Zhengui li +Message-Id: <1563696502-7972-1-git-send-email-lizhengui@huawei.com> +Signed-off-by: Paolo Bonzini +Message-Id: <1563829520-17525-1-git-send-email-pbonzini@redhat.com> 
+Signed-off-by: Paolo Bonzini +(cherry picked from commit 9c5aad84da1c37429d06c193f23a8df6445ed29e) +[slp: we need to get a reference to the underlying BDS to be able +to switch the context after calling qdev_simple_device_unplug_cb(), +as in 2.12 this causes the SCSIDevice to go away immediately] +Signed-off-by: Sergio Lopez + +Signed-off-by: Miroslav Rezanina +--- + hw/scsi/virtio-scsi.c | 30 ++++++++++++++++++++++++++---- + 1 file changed, 26 insertions(+), 4 deletions(-) + +diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c +index 391500b..2bd54b3 100644 +--- a/hw/scsi/virtio-scsi.c ++++ b/hw/scsi/virtio-scsi.c +@@ -20,6 +20,7 @@ + #include "qemu/error-report.h" + #include "qemu/iov.h" + #include "sysemu/block-backend.h" ++#include "sysemu/blockdev.h" + #include "hw/scsi/scsi.h" + #include "scsi/constants.h" + #include "hw/virtio/virtio-bus.h" +@@ -839,6 +840,9 @@ static void virtio_scsi_hotunplug(HotplugHandler *hotplug_dev, DeviceState *dev, + VirtIODevice *vdev = VIRTIO_DEVICE(hotplug_dev); + VirtIOSCSI *s = VIRTIO_SCSI(vdev); + SCSIDevice *sd = SCSI_DEVICE(dev); ++ AioContext *ctx = s->ctx ?: qemu_get_aio_context(); ++ BlockDriverState *bs; ++ DriveInfo *dinfo; + + if (virtio_vdev_has_feature(vdev, VIRTIO_SCSI_F_HOTPLUG)) { + virtio_scsi_acquire(s); +@@ -848,13 +852,31 @@ static void virtio_scsi_hotunplug(HotplugHandler *hotplug_dev, DeviceState *dev, + virtio_scsi_release(s); + } + +- if (s->ctx) { ++ /* ++ * This SCSIDevice goes away after calling qdev_simple_device_unplug_cb(), ++ * so get a reference to the underlying BDS here to be able to switch ++ * its AioContext afterwards. ++ */ ++ bs = blk_bs(sd->conf.blk); ++ ++ /* ++ * Drives attached to a legacy device will get auto deleted while ++ * unplugging the latter, so we don't need to switch their context. ++ * Get a reference to dinfo here, which is only NULL for non-legacy ++ * devices, and use it to avoid doing the switch for drives attached ++ * to legacy devices. 
++ */ ++ dinfo = blk_legacy_dinfo(sd->conf.blk); ++ ++ aio_disable_external(ctx); ++ qdev_simple_device_unplug_cb(hotplug_dev, dev, errp); ++ aio_enable_external(ctx); ++ ++ if (s->ctx && bs && !dinfo) { + virtio_scsi_acquire(s); +- blk_set_aio_context(sd->conf.blk, qemu_get_aio_context()); ++ bdrv_set_aio_context(bs, qemu_get_aio_context()); + virtio_scsi_release(s); + } +- +- qdev_simple_device_unplug_cb(hotplug_dev, dev, errp); + } + + static struct SCSIBusInfo virtio_scsi_scsi_info = { +-- +1.8.3.1 + diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec index 75d3169..061ba3b 100644 --- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -108,7 +108,7 @@ Obsoletes: %1%{rhel_ma_suffix} < %{obsoletes_version2} \ Summary: QEMU is a machine emulator and virtualizer Name: %{pkgname}%{?pkgsuffix} Version: 2.12.0 -Release: 37%{?dist} +Release: 46%{?dist} # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 10 License: GPLv2 and GPLv2+ and CC-BY 
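Review bot: The comment added in virtio_scsi_hotunplug() says it gets "a reference to the underlying BDS", but `bs = blk_bs(sd->conf.blk);` only copies the pointer and no bdrv_ref()/bdrv_unref() pair appears in the hunk; after qdev_simple_device_unplug_cb() releases the SCSIDevice (and, per the backport note, probably its BlockBackend), `bs` stays valid only if some other owner still holds the BDS. If the non-legacy blockdev owner is what keeps it alive, say so and reword the comment to "keep a pointer"; otherwise take `bdrv_ref(bs);` before the unplug and `bdrv_unref(bs);` after the bdrv_set_aio_context() call. The `!dinfo` test only rules out the legacy auto-delete case and does not protect the pointer in the blockdev case, and the function starts outside the hunk.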
@@ -1919,6 +1919,73 @@ Patch880: kvm-target-i386-add-MDS-NO-feature.patch Patch881: kvm-file-posix-Handle-undetectable-alignment.patch # For bz#1648622 - [v2v] Migration performance regression Patch882: kvm-qemu-img-Enable-BDRV_REQ_MAY_UNMAP-in-convert.patch +# For bz#1724048 - Fail to migrate a rhel6.10-mt7.6 guest with dimm device +Patch883: kvm-usb-drop-unnecessary-usb_device_post_load-checks.patch +# For bz#1638472 - [Intel 7.8 Feat] qemu-kvm-rhev Introduce Cascade Lake (CLX) cpu model +Patch884: kvm-i386-Add-new-model-of-Cascadelake-Server.patch +# For bz#1638472 - [Intel 7.8 Feat] qemu-kvm-rhev Introduce Cascade Lake (CLX) cpu model +Patch885: kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch +# For bz#1638472 - [Intel 7.8 Feat] qemu-kvm-rhev Introduce Cascade Lake (CLX) cpu model +Patch886: kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch +# For bz#1764120 - [Data plane]virtio_scsi_ctx_check: Assertion `blk_get_aio_context(d->conf.blk) == s->ctx' failed when unplug a device that running block stream on it +Patch887: kvm-virtio-scsi-fixed-virtio_scsi_ctx_check-failed-when-.patch +# For bz#1775251 - qemu-kvm crashes when Windows VM is migrated with multiqueue +Patch888: kvm-vhost-fix-vhost_log-size-overflow-during-migration.patch +# For bz#1639098 - After host update, older windows clients have large time drift +Patch889: kvm-mc146818rtc-fix-timer-interrupt-reinjection.patch +# For bz#1639098 - After host update, older windows clients have large time drift +Patch890: kvm-Revert-mc146818rtc-fix-timer-interrupt-reinjection.patch +# For bz#1639098 - After host update, older windows clients have large time drift +Patch891: kvm-mc146818rtc-fix-timer-interrupt-reinjection-again.patch +# For bz#1779530 - CVE-2019-11135 qemu-kvm-rhev: hw: TSX Transaction Asynchronous Abort (TAA) [rhel-7.8] +Patch892: kvm-target-i386-Export-TAA_NO-bit-to-guests.patch +# For bz#1779530 - CVE-2019-11135 qemu-kvm-rhev: hw: TSX Transaction Asynchronous Abort (TAA) [rhel-7.8] 
+Patch893: kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch +# For bz#1791563 - CVE-2020-7039 qemu-kvm-rhev: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8] +# For bz#1791570 - CVE-2020-7039 qemu-kvm-ma: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8] +Patch894: kvm-tcp_emu-Fix-oob-access.patch +# For bz#1791563 - CVE-2020-7039 qemu-kvm-rhev: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8] +# For bz#1791570 - CVE-2020-7039 qemu-kvm-ma: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8] +Patch895: kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch +# For bz#1791563 - CVE-2020-7039 qemu-kvm-rhev: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8] +# For bz#1791570 - CVE-2020-7039 qemu-kvm-ma: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8] +Patch896: kvm-slirp-use-correct-size-while-emulating-commands.patch +# For bz#1794499 - CVE-2020-1711 qemu-kvm-rhev: QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server [rhel-7.8] +# For bz#1794505 - CVE-2020-1711 qemu-kvm-ma: QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server [rhel-7.8] +Patch897: kvm-iscsi-Avoid-potential-for-get_status-overflow.patch +# For bz#1794499 - CVE-2020-1711 qemu-kvm-rhev: QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server [rhel-7.8] +# For bz#1794505 - CVE-2020-1711 qemu-kvm-ma: QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server [rhel-7.8] +Patch898: kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch +# For bz#1798974 - CVE-2020-8608 qemu-kvm-ma: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.8.z] +Patch899: kvm-util-add-slirp_fmt-helpers.patch +# For bz#1798974 - CVE-2020-8608 qemu-kvm-ma: QEMU: Slirp: potential OOB access 
due to unsafe snprintf() usages [rhel-7.8.z] +Patch900: kvm-tcp_emu-fix-unsafe-snprintf-usages.patch +# For bz#1802216 - Add support for newer glusterfs +Patch901: kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch +# For bz#1802216 - Add support for newer glusterfs +Patch902: kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch +# For bz#1791653 - Backport: Passthrough host CPU microcode version to KVM guest if using CPU passthrough to RHEL 7.7/7.8 +Patch903: kvm-target-i386-kvm-initialize-feature-MSRs-very-early.patch +# For bz#1791653 - Backport: Passthrough host CPU microcode version to KVM guest if using CPU passthrough to RHEL 7.7/7.8 +Patch904: kvm-target-i386-add-a-ucode-rev-property.patch +# For bz#1791653 - Backport: Passthrough host CPU microcode version to KVM guest if using CPU passthrough to RHEL 7.7/7.8 +Patch905: kvm-target-i386-kvm-initialize-microcode-revision-from-K.patch +# For bz#1791653 - Backport: Passthrough host CPU microcode version to KVM guest if using CPU passthrough to RHEL 7.7/7.8 +Patch906: kvm-target-i386-fix-TCG-UCODE_REV-access.patch +# For bz#1791653 - Backport: Passthrough host CPU microcode version to KVM guest if using CPU passthrough to RHEL 7.7/7.8 +Patch907: kvm-target-i386-check-for-availability-of-MSR_IA32_UCODE.patch +# For bz#1791653 - Backport: Passthrough host CPU microcode version to KVM guest if using CPU passthrough to RHEL 7.7/7.8 +Patch908: kvm-target-i386-enable-monitor-and-ucode-revision-with-c.patch +# For bz#1721403 - After hot unplug virtio-net and vfio nic, hot plug vfio-pci device fails in Win2019 guest +Patch909: kvm-clean-up-callback-when-del-virtqueue.patch +# For bz#1721403 - After hot unplug virtio-net and vfio nic, hot plug vfio-pci device fails in Win2019 guest +Patch910: kvm-virtio-add-ability-to-delete-vq-through-a-pointer.patch +# For bz#1721403 - After hot unplug virtio-net and vfio nic, hot plug vfio-pci device fails in Win2019 guest +Patch911: 
kvm-virtio-reset-region-cache-when-on-queue-deletion.patch +# For bz#1721403 - After hot unplug virtio-net and vfio nic, hot plug vfio-pci device fails in Win2019 guest +Patch912: kvm-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch +# For bz#1622976 - CVE-2018-15746 qemu-kvm-ma: Qemu: seccomp: blacklist is not applied to all threads [rhel-7] +Patch913: kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch BuildRequires: zlib-devel BuildRequires: glib2-devel @@ -3018,6 +3085,37 @@ ApplyOptionalPatch() %patch880 -p1 %patch881 -p1 %patch882 -p1 +%patch883 -p1 +%patch884 -p1 +%patch885 -p1 +%patch886 -p1 +%patch887 -p1 +%patch888 -p1 +%patch889 -p1 +%patch890 -p1 +%patch891 -p1 +%patch892 -p1 +%patch893 -p1 +%patch894 -p1 +%patch895 -p1 +%patch896 -p1 +%patch897 -p1 +%patch898 -p1 +%patch899 -p1 +%patch900 -p1 +%patch901 -p1 +%patch902 -p1 +%patch903 -p1 +%patch904 -p1 +%patch905 -p1 +%patch906 -p1 +%patch907 -p1 +%patch908 -p1 +%patch909 -p1 +%patch910 -p1 +%patch911 -p1 +%patch912 -p1 +%patch913 -p1 # Fix executable permission for iotests chmod 755 $(ls tests/qemu-iotests/???) 
@@ -3538,6 +3636,83 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %endif %changelog +* Tue Apr 07 2020 Miroslav Rezanina - 2.12.0-46.el7 +- kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch [bz#1622976] +- Resolves: bz#1622976 + (CVE-2018-15746 qemu-kvm-ma: Qemu: seccomp: blacklist is not applied to all threads [rhel-7]) + +* Tue Mar 17 2020 Jon Maloy - 2.12.0-45.el7 +- kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch [bz#1802216] +- kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch [bz#1802216] +- kvm-target-i386-kvm-initialize-feature-MSRs-very-early.patch [bz#1791653] +- kvm-target-i386-add-a-ucode-rev-property.patch [bz#1791653] +- kvm-target-i386-kvm-initialize-microcode-revision-from-K.patch [bz#1791653] +- kvm-target-i386-fix-TCG-UCODE_REV-access.patch [bz#1791653] +- kvm-target-i386-check-for-availability-of-MSR_IA32_UCODE.patch [bz#1791653] +- kvm-target-i386-enable-monitor-and-ucode-revision-with-c.patch [bz#1791653] +- kvm-clean-up-callback-when-del-virtqueue.patch [bz#1721403] +- kvm-virtio-add-ability-to-delete-vq-through-a-pointer.patch [bz#1721403] +- kvm-virtio-reset-region-cache-when-on-queue-deletion.patch [bz#1721403] +- kvm-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch [bz#1721403] +- Resolves: bz#1721403 + (After hot unplug virtio-net and vfio nic, hot plug vfio-pci device fails in Win2019 guest) +- Resolves: bz#1791653 + (Backport: Passthrough host CPU microcode version to KVM guest if using CPU passthrough to RHEL 7.7/7.8) +- Resolves: bz#1802216 + (Add support for newer glusterfs) + +* Wed Mar 04 2020 Miroslav Rezanina - 2.12.0-44.el7_8.1 +- kvm-util-add-slirp_fmt-helpers.patch [bz#1798974] +- kvm-tcp_emu-fix-unsafe-snprintf-usages.patch [bz#1798974] +- Resolves: bz#1798974 + (CVE-2020-8608 qemu-kvm-ma: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.8.z]) + +* Wed Feb 05 2020 Miroslav Rezanina - 2.12.0-44.el7 +- 
kvm-iscsi-Avoid-potential-for-get_status-overflow.patch [bz#1794505] +- kvm-iscsi-Cap-block-count-from-GET-LBA-STATUS-CVE-2020-1.patch [bz#1794505] +- Resolves: bz#1794505 + (CVE-2020-1711 qemu-kvm-ma: QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server [rhel-7.8]) + +* Thu Jan 23 2020 Miroslav Rezanina - 2.12.0-43.el7 +- kvm-tcp_emu-Fix-oob-access.patch [bz#1791563 bz#1791570] +- kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch [bz#1791570] +- kvm-slirp-use-correct-size-while-emulating-commands.patch [bz#1791570] +- Resolves: bz#1791570 + (CVE-2020-7039 qemu-kvm-ma: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8]) + +* Mon Jan 06 2020 Miroslav Rezanina - 2.12.0-42.el7 +- kvm-target-i386-Export-TAA_NO-bit-to-guests.patch [bz#1779530] +- kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch [bz#1779530] +- Resolves: bz#1779530 + (CVE-2019-11135 qemu-kvm-rhev: hw: TSX Transaction Asynchronous Abort (TAA) [rhel-7.8]) + +* Tue Dec 10 2019 Miroslav Rezanina - 2.12.0-41.el7 +- kvm-mc146818rtc-fix-timer-interrupt-reinjection.patch [bz#1639098] +- kvm-Revert-mc146818rtc-fix-timer-interrupt-reinjection.patch [bz#1639098] +- kvm-mc146818rtc-fix-timer-interrupt-reinjection-again.patch [bz#1639098] +- Resolves: bz#1639098 + (After host update, older windows clients have large time drift) + +* Wed Dec 04 2019 Miroslav Rezanina - 2.12.0-40.el7 +- kvm-vhost-fix-vhost_log-size-overflow-during-migration.patch [bz#1775251] +- Resolves: bz#1775251 + (qemu-kvm crashes when Windows VM is migrated with multiqueue) + +* Tue Dec 03 2019 Miroslav Rezanina - 2.12.0-39.el7 +- kvm-virtio-scsi-fixed-virtio_scsi_ctx_check-failed-when-.patch [bz#1764120] +- Resolves: bz#1764120 + ([Data plane]virtio_scsi_ctx_check: Assertion `blk_get_aio_context(d->conf.blk) == s->ctx' failed when unplug a device that running block stream on it) + +* Tue Oct 15 2019 Miroslav Rezanina - 2.12.0-38.el7 +- 
kvm-usb-drop-unnecessary-usb_device_post_load-checks.patch [bz#1724048] +- kvm-i386-Add-new-model-of-Cascadelake-Server.patch [bz#1638472] +- kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch [bz#1638472] +- kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch [bz#1638472] +- Resolves: bz#1638472 + ([Intel 7.8 Feat] qemu-kvm-rhev Introduce Cascade Lake (CLX) cpu model) +- Resolves: bz#1724048 + (Fail to migrate a rhel6.10-mt7.6 guest with dimm device) + * Thu Sep 26 2019 Miroslav Rezanina - 2.12.0-37.el7 - kvm-i386-halt-poll-control-MSR-support.patch [bz#1734502] - kvm-target-i386-add-MDS-NO-feature.patch [bz#1716726] @@ -5157,7 +5332,7 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ - Resolves: bz#1517051 (POWER9 - Virt: QEMU: Migration of HPT guest on Radix host fails) -* Tue Dec 05 2017 Miroslav Rezanina - ma-2.10.0-11.el7 +* Tue Dec 05 2017 Miroslav Rezanina - 2.10.0-11.el7 - kvm-qcow2-don-t-permit-changing-encryption-parameters.patch [bz#1406803] - kvm-qcow2-fix-image-corruption-after-committing-qcow2-im.patch [bz#1406803] - kvm-qemu-doc-Add-UUID-support-in-initiator-name.patch [bz#1494210]