From dc7afb4fee8211ddf125b229bd9d2a612a539135 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 08 2021 16:52:55 +0000 Subject: import qemu-kvm-4.2.0-51.module+el8.5.0+11141+9dff516f --- diff --git a/SOURCES/kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch b/SOURCES/kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch new file mode 100644 index 0000000..1538d11 --- /dev/null +++ b/SOURCES/kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch 
@@ -0,0 +1,82 @@ +From dcac680adb6b8624f14eda3e812521bddbe8ecea Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 21 Apr 2021 22:30:04 -0400 +Subject: [PATCH 5/7] acpi: accept byte and word access to core ACPI registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210421223006.19650-5-jmaloy@redhat.com> +Patchwork-id: 101482 +O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 4/6] acpi: accept byte and word access to core ACPI registers +Bugzilla: 1842478 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Laszlo Ersek + +From: Michael Tokarev + +All ISA registers should be accessible as bytes, words or dwords +(if wide enough). Fix the access constraints for acpi-pm-evt, +acpi-pm-tmr & acpi-cnt registers. + +Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid") +Fixes: afafe4bbe0 (apci: switch cnt to memory api) +Fixes: 77d58b1e47 (apci: switch timer to memory api) +Fixes: b5a7c024d2 (apci: switch evt to memory api) +Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/ +Buglink: https://bugs.debian.org/964793 +BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 +BugLink: https://bugs.launchpad.net/bugs/1886318 +Reported-By: Simon John +Signed-off-by: Michael Tokarev +Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru> +Cc: qemu-stable@nongnu.org +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +(cherry picked from commit dba04c3488c4699f5afe96f66e448b1d447cf3fb) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. 
de Paula +--- + hw/acpi/core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/hw/acpi/core.c b/hw/acpi/core.c +index 45cbed49ab..d85052c34a 100644 +--- a/hw/acpi/core.c ++++ b/hw/acpi/core.c +@@ -461,7 +461,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_evt_ops = { + .read = acpi_pm_evt_read, + .write = acpi_pm_evt_write, +- .valid.min_access_size = 2, ++ .impl.min_access_size = 2, ++ .valid.min_access_size = 1, + .valid.max_access_size = 2, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +@@ -530,7 +531,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_tmr_ops = { + .read = acpi_pm_tmr_read, + .write = acpi_pm_tmr_write, +- .valid.min_access_size = 4, ++ .impl.min_access_size = 4, ++ .valid.min_access_size = 1, + .valid.max_access_size = 4, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +@@ -602,7 +604,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_cnt_ops = { + .read = acpi_pm_cnt_read, + .write = acpi_pm_cnt_write, +- .valid.min_access_size = 2, ++ .impl.min_access_size = 2, ++ .valid.min_access_size = 1, + .valid.max_access_size = 2, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +-- +2.27.0 + diff --git a/SOURCES/kvm-audio-audio_generic_get_buffer_in-should-honor-size.patch b/SOURCES/kvm-audio-audio_generic_get_buffer_in-should-honor-size.patch new file mode 100644 index 0000000..1a20688 --- /dev/null +++ b/SOURCES/kvm-audio-audio_generic_get_buffer_in-should-honor-size.patch 
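Review bot: The three new `.impl.min_access_size` lines give no hint why `.valid.min_access_size` drops to 1 on the same register, and a reader without this commit message will take a 1-byte floor on a 2- or 4-byte ACPI register for a mistake and "fix" it back. A one-line comment at the first occurrence, `/* guests may use byte/word accesses here; .impl makes the memory core widen them to the register size */`, would keep the intent next to the code, and the same comment applies to the acpi-pm-tmr and acpi-pm-cnt ops further down the hunk. The three MemoryRegionOps definitions are complete within the hunk, so nothing else needs checking for this change.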
@@ -0,0 +1,53 @@ +From 96c8fcafa7325cd0e8a23a743a55f0ad0aa9f79b Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Thu, 18 Mar 2021 09:13:42 -0400 +Subject: [PATCH 5/5] audio: audio_generic_get_buffer_in should honor *size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Gerd Hoffmann +Message-id: <20210318091342.3232471-2-kraxel@redhat.com> +Patchwork-id: 101352 +O-Subject: [RHEL-8.4.0 qemu-kvm PATCH 1/1] audio: audio_generic_get_buffer_in should honor *size +Bugzilla: 1932823 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Danilo de Paula +RH-Acked-by: Philippe Mathieu-Daudé + +From: Volker Rümelin + +The function generic_get_buffer_in currently ignores the *size +parameter and may return a buffer larger than *size. + +As a result the variable samples in function +audio_pcm_hw_run_in may underflow. The while loop then most +likely will never termiate. + +Buglink: http://bugs.debian.org/948658 +Signed-off-by: Volker Rümelin +Message-Id: <20200123074943.6699-9-vr_qemu@t-online.de> +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 599eac4e5a41e828645594097daee39373acc3c0) +Signed-off-by: Danilo C. L. de Paula +--- + audio/audio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/audio/audio.c b/audio/audio.c +index 56fae55047..39a62fc62a 100644 +--- a/audio/audio.c ++++ b/audio/audio.c +@@ -1402,7 +1402,8 @@ void *audio_generic_get_buffer_in(HWVoiceIn *hw, size_t *size) + } + assert(start >= 0 && start < hw->size_emul); + +- *size = MIN(hw->pending_emul, hw->size_emul - start); ++ *size = MIN(*size, hw->pending_emul); ++ *size = MIN(*size, hw->size_emul - start); + return hw->buf_emul + start; + } + +-- +2.27.0 + diff --git a/SOURCES/kvm-e1000-fail-early-for-evil-descriptor.patch b/SOURCES/kvm-e1000-fail-early-for-evil-descriptor.patch new file mode 100644 index 0000000..e599b7c --- /dev/null +++ b/SOURCES/kvm-e1000-fail-early-for-evil-descriptor.patch 
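Review bot: With the first added line `*size` becomes an in/out parameter, so the returned length is now capped by whatever the caller left in `*size`, and a caller that passes an uninitialized value gets an arbitrary cap without any diagnostic; nothing in the hunk documents that. Suggest a comment above the two assignments, `/* *size is in/out: the caller's requested maximum bounds what is handed back */`, and the same sentence in the header comment of audio_generic_get_buffer_in, which begins above the hunk. Whether every existing caller initializes `*size` before the call cannot be verified from this hunk alone.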
@@ -0,0 +1,65 @@
+From 7bd3000cf22a91e6bc6afc1e7adbf0ae1b731104 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Tue, 13 Apr 2021 22:45:17 -0400
+Subject: [PATCH 2/5] e1000: fail early for evil descriptor
+
+RH-Author: Jon Maloy
+Message-id: <20210413224517.3841507-2-jmaloy@redhat.com>
+Patchwork-id: 101473
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/1] e1000: fail early for evil descriptor
+Bugzilla: 1930092
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Stefan Hajnoczi
+
+From: Jason Wang
+
+During procss_tx_desc(), driver can try to chain data descriptor with
+legacy descriptor, when will lead underflow for the following
+calculation in process_tx_desc() for bytes:
+
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
+
+This will lead a infinite loop. So check and fail early if tp->size if
+greater or equal to msh.
+
+Reported-by: Alexander Bulekov
+Reported-by: Cheolwoo Myung
+Reported-by: Ruhr-University Bochum
+Cc: Prasad J Pandit
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang
+
+(cherry picked from commit 3de46e6fc489c52c9431a8a832ad8170a7569bd8)
+Signed-off-by: Jon Maloy
+Signed-off-by: Danilo C. L. de Paula
+---
+ hw/net/e1000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index fc73fdd6fa..fe56bccd52 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -671,6 +671,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ msh = tp->tso_props.hdr_len + tp->tso_props.mss;
+ do {
+ bytes = split_size;
++ if (tp->size >= msh) {
++ goto eop;
++ }
+ if (tp->size + bytes > msh)
+ bytes = msh - tp->size;
+
+@@ -696,6 +699,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ tp->size += split_size;
+ }
+
++eop:
+ if (!(txd_lower & E1000_TXD_CMD_EOP))
+ return;
+ if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
+--
+2.27.0
+
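Review bot: The new `tp->size >= msh` guard bails out silently, so a guest that chains a data descriptor onto a legacy one — the trigger the commit message describes — leaves no trace, although this is a guest-controlled malformed-descriptor path that operators would want to see. Emitting `qemu_log_mask(LOG_GUEST_ERROR, "%s: tx descriptor data exceeds hdr_len + mss\n", __func__);` before the `goto eop` makes such probing visible to anyone running with guest-error logging enabled. A short comment on the guard, `/* size already at hdr_len + mss: any further data would underflow bytes below */`, would also spare the next reader the trip to the commit message. The `goto eop` skips the `tp->size += split_size` accounting for the rejected segment; that looks deliberate, but the loop body between the two hunks is not visible here.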
diff --git a/SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch b/SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch new file mode 100644 index 0000000..650555c --- /dev/null +++ b/SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch 
@@ -0,0 +1,80 @@
+From dad4f9beaa3fd1eec1e0dd46c3d5cd2f444c0f48 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Tue, 13 Apr 2021 20:05:51 -0400
+Subject: [PATCH 1/7] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy
+Message-id: <20210413200551.3825495-2-jmaloy@redhat.com>
+Patchwork-id: 101471
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/1] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+Bugzilla: 1925430
+RH-Acked-by: Andrew Jones
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Philippe Mathieu-Daudé
+
+From: Philippe Mathieu-Daudé
+
+Per the ARM Generic Interrupt Controller Architecture specification
+(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
+not 10:
+
+ - 4.3 Distributor register descriptions
+ - 4.3.15 Software Generated Interrupt Register, GICD_SG
+
+ - Table 4-21 GICD_SGIR bit assignments
+
+ The Interrupt ID of the SGI to forward to the specified CPU
+ interfaces. The value of this field is the Interrupt ID, in
+ the range 0-15, for example a value of 0b0011 specifies
+ Interrupt ID 3.
+
+Correct the irq mask to fix an undefined behavior (which eventually
+lead to a heap-buffer-overflow, see [Buglink]):
+
+ $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
+ [I 1612088147.116987] OPENED
+ [R +0.278293] writel 0x8000f00 0xff4affb0
+ ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
+ SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
+
+This fixes a security issue when running with KVM on Arm with
+kernel-irqchip=off. (The default is kernel-irqchip=on, which is
+unaffected, and which is also the correct choice for performance.)
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20221
+Fixes: 9ee6e8bb853 ("ARMv7 support.")
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
+Reported-by: Alexander Bulekov
+Signed-off-by: Philippe Mathieu-Daudé
+Message-id: 20210131103401.217160-1-f4bug@amsat.org
+Reviewed-by: Peter Maydell
+Signed-off-by: Peter Maydell
+
+(cherry picked from commit edfe2eb4360cde4ed5d95bda7777edcb3510f76a)
+Signed-off-by: Jon Maloy
+Signed-off-by: Danilo C. L. de Paula
+---
+ hw/intc/arm_gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
+index 1d7da7baa2..df355f4d11 100644
+--- a/hw/intc/arm_gic.c
++++ b/hw/intc/arm_gic.c
+@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
+ int target_cpu;
+
+ cpu = gic_get_current_cpu(s);
+- irq = value & 0x3ff;
++ irq = value & 0xf;
+ switch ((value >> 24) & 3) {
+ case 0:
+ mask = (value >> 16) & ALL_CPU_MASK;
+--
+2.27.0
+
diff --git a/SOURCES/kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch b/SOURCES/kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch
new file mode 100644
index 0000000..71a2eac
--- /dev/null
+++ b/SOURCES/kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch
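Review bot: The corrected mask `irq = value & 0xf;` carries no comment tying it to the SGIINTID field width, and a 4-bit mask next to a GIC whose interrupt IDs are otherwise 10 bits wide is exactly the kind of constant someone later "fixes" back to 0x3ff. Suggest `irq = value & 0xf; /* SGIINTID is bits [3:0] of GICD_SGIR (ARM IHI 0048B, Table 4-21); a wider value indexes past the 16-entry SGI table */`. The array access the sanitizer report points at (the `uint8_t [16][8]` at arm_gic.c:1498) is outside the hunk, so whether any other consumer of `irq` in gic_dist_writel still assumes the wider range cannot be checked from here.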
@@ -0,0 +1,47 @@ +From 2687e0348e3e4d377b4f5356e46948dc2b371b6d Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 21 Apr 2021 22:30:02 -0400 +Subject: [PATCH 3/7] libqos: pci-pc: use 32-bit write for EJ register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210421223006.19650-3-jmaloy@redhat.com> +Patchwork-id: 101484 +O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 2/6] libqos: pci-pc: use 32-bit write for EJ register +Bugzilla: 1842478 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Laszlo Ersek + +From: Paolo Bonzini + +The memory region ops have min_access_size == 4 so obey it. + +Tested-by: Thomas Huth +Signed-off-by: Paolo Bonzini + +(cherry picked from commit 4b7c06837ae0b1ff56473202a42e7e386f53d6db) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. de Paula +--- + tests/libqos/pci-pc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/libqos/pci-pc.c b/tests/libqos/pci-pc.c +index 0bc591d1da..3bb2eb3ba8 100644 +--- a/tests/libqos/pci-pc.c ++++ b/tests/libqos/pci-pc.c +@@ -186,7 +186,7 @@ void qpci_unplug_acpi_device_test(QTestState *qts, const char *id, uint8_t slot) + g_assert(!qdict_haskey(response, "error")); + qobject_unref(response); + +- qtest_outb(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1 << slot); ++ qtest_outl(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1 << slot); + + qtest_qmp_eventwait(qts, "DEVICE_DELETED"); + } +-- +2.27.0 + diff --git a/SOURCES/kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch b/SOURCES/kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch new file mode 100644 index 0000000..424a60c --- /dev/null +++ b/SOURCES/kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch 
@@ -0,0 +1,48 @@ +From 6320b4e76965b1cf64da4307f4d313fe6b2aa971 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 21 Apr 2021 22:30:01 -0400 +Subject: [PATCH 2/7] libqos: usb-hcd-ehci: use 32-bit write for config + register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210421223006.19650-2-jmaloy@redhat.com> +Patchwork-id: 101478 +O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 1/6] libqos: usb-hcd-ehci: use 32-bit write for config register +Bugzilla: 1842478 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Laszlo Ersek + +From: Paolo Bonzini + +The memory region ops have min_access_size == 4 so obey it. + +Tested-by: Thomas Huth +Signed-off-by: Paolo Bonzini + +(cherry picked from commit 89ed83d8b23c11d250c290593cad3ca839d5b053) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. de Paula +--- + tests/usb-hcd-ehci-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/usb-hcd-ehci-test.c b/tests/usb-hcd-ehci-test.c +index 5251d539e9..c51e8bb223 100644 +--- a/tests/usb-hcd-ehci-test.c ++++ b/tests/usb-hcd-ehci-test.c +@@ -96,7 +96,7 @@ static void pci_ehci_port_1(void) + static void pci_ehci_config(void) + { + /* hands over all ports from companion uhci to ehci */ +- qpci_io_writew(ehci1.dev, ehci1.bar, 0x60, 1); ++ qpci_io_writel(ehci1.dev, ehci1.bar, 0x60, 1); + } + + static void pci_uhci_port_2(void) +-- +2.27.0 + diff --git a/SOURCES/kvm-linux-headers-Add-VFIO_CCW_REQ_IRQ_INDEX.patch b/SOURCES/kvm-linux-headers-Add-VFIO_CCW_REQ_IRQ_INDEX.patch new file mode 100644 index 0000000..d9c81cf --- /dev/null +++ b/SOURCES/kvm-linux-headers-Add-VFIO_CCW_REQ_IRQ_INDEX.patch 
@@ -0,0 +1,43 @@ +From f844ca939adb619cce8426e104b0039a7eba70a6 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Tue, 11 May 2021 11:24:04 -0400 +Subject: [PATCH 1/5] linux-headers: Add VFIO_CCW_REQ_IRQ_INDEX + +RH-Author: Thomas Huth +Message-id: <20210511112405.297037-2-thuth@redhat.com> +Patchwork-id: 101537 +O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/2] linux-headers: Add VFIO_CCW_REQ_IRQ_INDEX +Bugzilla: 1940450 +RH-Acked-by: Laszlo Ersek +RH-Acked-by: Cornelia Huck +RH-Acked-by: David Hildenbrand + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1940450 +Upstream-status: N/A + +This is based on upstream commit b3c818a47f ("Update linux headers to +5.11-rc2"), but has been reduced to the single hunk that is required +for the next patch (there were too many unrelated conflicts in the other +files for doing full backport of the original upstream commit). + +Signed-off-by: Thomas Huth +Signed-off-by: Danilo C. L. de Paula +--- + linux-headers/linux/vfio.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h +index f660bd7bac..9c8810bef4 100644 +--- a/linux-headers/linux/vfio.h ++++ b/linux-headers/linux/vfio.h +@@ -580,6 +580,7 @@ enum { + enum { + VFIO_CCW_IO_IRQ_INDEX, + VFIO_CCW_CRW_IRQ_INDEX, ++ VFIO_CCW_REQ_IRQ_INDEX, + VFIO_CCW_NUM_IRQS + }; + +-- +2.27.0 + diff --git a/SOURCES/kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch b/SOURCES/kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch new file mode 100644 index 0000000..f81c86f --- /dev/null +++ b/SOURCES/kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch 
@@ -0,0 +1,104 @@
+From 13f4ebe4708f4f4dc20d710e475a42d520459860 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Wed, 21 Apr 2021 22:30:03 -0400
+Subject: [PATCH 4/7] memory: Revert "memory: accept mismatching sizes in
+ memory_region_access_valid"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy
+Message-id: <20210421223006.19650-4-jmaloy@redhat.com>
+Patchwork-id: 101480
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 3/6] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"
+Bugzilla: 1842478
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Philippe Mathieu-Daudé
+RH-Acked-by: Laszlo Ersek
+
+From: "Michael S. Tsirkin"
+
+Memory API documentation documents valid .min_access_size and .max_access_size
+fields and explains that any access outside these boundaries is blocked.
+
+This is what devices seem to assume.
+
+However this is not what the implementation does: it simply
+ignores the boundaries unless there's an "accepts" callback.
+
+Naturally, this breaks a bunch of devices.
+
+Revert to the documented behaviour.
+
+Devices that want to allow any access can just drop the valid field,
+or add the impl field to have accesses converted to appropriate
+length.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Richard Henderson
+Fixes: CVE-2020-13754
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
+Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
+Signed-off-by: Michael S. Tsirkin
+Message-Id: <20200610134731.1514409-1-mst@redhat.com>
+Signed-off-by: Paolo Bonzini
+
+(cherry picked from commit 5d971f9e672507210e77d020d89e0e89165c8fc9)
+Signed-off-by: Jon Maloy
+Signed-off-by: Danilo C. L. de Paula
+---
+ memory.c | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/memory.c b/memory.c
+index 5a4a80842d..0cfcb72a5a 100644
+--- a/memory.c
++++ b/memory.c
+@@ -1351,35 +1351,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
+ bool is_write,
+ MemTxAttrs attrs)
+ {
+- int access_size_min, access_size_max;
+- int access_size, i;
+-
+- if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ if (mr->ops->valid.accepts
++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+ return false;
+ }
+
+- if (!mr->ops->valid.accepts) {
+- return true;
+- }
+-
+- access_size_min = mr->ops->valid.min_access_size;
+- if (!mr->ops->valid.min_access_size) {
+- access_size_min = 1;
++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ return false;
+ }
+
+- access_size_max = mr->ops->valid.max_access_size;
++ /* Treat zero as compatibility all valid */
+ if (!mr->ops->valid.max_access_size) {
+- access_size_max = 4;
++ return true;
+ }
+
+- access_size = MAX(MIN(size, access_size_max), access_size_min);
+- for (i = 0; i < size; i += access_size) {
+- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
+- is_write, attrs)) {
+- return false;
+- }
++ if (size > mr->ops->valid.max_access_size
++ || size < mr->ops->valid.min_access_size) {
++ return false;
+ }
+-
+ return true;
+ }
+
+--
+2.27.0
+
diff --git a/SOURCES/kvm-net-forbid-the-reentrant-RX.patch b/SOURCES/kvm-net-forbid-the-reentrant-RX.patch
new file mode 100644
index 0000000..aaf57ed
--- /dev/null
+++ b/SOURCES/kvm-net-forbid-the-reentrant-RX.patch
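Review bot: When `max_access_size` is 0 the new code returns true before `min_access_size` is ever consulted, so a region that declares only `.valid.min_access_size` gets no lower-bound enforcement, and the one-line comment `/* Treat zero as compatibility all valid */` does not say so. Suggest replacing that comment with one that states the contract, e.g. `/* max_access_size == 0: legacy region with no declared size constraints; accept any size (min_access_size is not consulted in that case) */`. The `addr & (size - 1)` alignment test above it also presumes `size` is a power of two, which is worth a word in the same comment since `size` now reaches this check unclamped. The `addr` and `size` parameters are in the signature above the hunk.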
@@ -0,0 +1,50 @@
+From 1e01e2f96fd5e903394eab59365d5363394c8b18 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Tue, 13 Apr 2021 18:59:12 -0400
+Subject: [PATCH 3/5] net: forbid the reentrant RX
+
+RH-Author: Jon Maloy
+Message-id: <20210413185912.3811035-2-jmaloy@redhat.com>
+Patchwork-id: 101467
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/1] net: forbid the reentrant RX
+Bugzilla: 1859175
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Thomas Huth
+RH-Acked-by: Xiao Wang
+
+From: Jason Wang
+
+The memory API allows DMA into NIC's MMIO area. This means the NIC's
+RX routine must be reentrant. Instead of auditing all the NIC, we can
+simply detect the reentrancy and return early. The queue->delivering
+is set and cleared by qemu_net_queue_deliver() for other queue helpers
+to know whether the delivering in on going (NIC's receive is being
+called). We can check it and return early in qemu_net_queue_flush() to
+forbid reentrant RX.
+
+Signed-off-by: Jason Wang
+
+(cherry picked from commit 22dc8663d9fc7baa22100544c600b6285a63c7a3)
+Signed-off-by: Jon Maloy
+Signed-off-by: Danilo C. L. de Paula
+---
+ net/queue.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/queue.c b/net/queue.c
+index 61276ca4be..c679d79f4b 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -250,6 +250,9 @@ void qemu_net_queue_purge(NetQueue *queue, NetClientState *from)
+
+ bool qemu_net_queue_flush(NetQueue *queue)
+ {
++ if (queue->delivering)
++ return false;
++
+ while (!QTAILQ_EMPTY(&queue->packets)) {
+ NetPacket *packet;
+ int ret;
+--
+2.27.0
+
diff --git a/SOURCES/kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch b/SOURCES/kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch
new file mode 100644
index 0000000..b619e78
--- /dev/null
+++ b/SOURCES/kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch
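Review bot: The added early return is unbraced (`if (queue->delivering)` followed by `return false;`), which QEMU's coding style does not permit even for a single-statement body, and it carries no comment saying that this is the reentrancy guard the commit message describes. Suggest `if (queue->delivering) {` / `/* RX re-entered from inside a deliver (e.g. DMA aimed at the NIC's own MMIO); refuse rather than recurse */` / `return false; }` written as a braced block. Returning false here also makes the reentrant case look like "nothing was flushed" to the caller, which is fine as long as no caller treats that as a permanent failure; qemu_net_queue_flush's callers are not visible in this hunk.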
@@ -0,0 +1,59 @@ +From b7de63e72c479df42c324c058a487517210fa069 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Tue, 13 Apr 2021 19:21:50 -0400 +Subject: [PATCH 1/5] net: remove an assert call in eth_get_gso_type + +RH-Author: Jon Maloy +Message-id: <20210413192150.3817133-2-jmaloy@redhat.com> +Patchwork-id: 101469 +O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/1] net: remove an assert call in eth_get_gso_type +Bugzilla: 1892350 +RH-Acked-by: Laszlo Ersek +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Xiao Wang + +From: Prasad J Pandit + +eth_get_gso_type() routine returns segmentation offload type based on +L3 protocol type. It calls g_assert_not_reached if L3 protocol is +unknown, making the following return statement unreachable. Remove the +g_assert call, it maybe triggered by a guest user. + +Reported-by: Gaoning Pan +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang + +(cherry picked from commit 7564bf7701f00214cdc8a678a9f7df765244def1) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. de Paula +--- + net/eth.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/eth.c b/net/eth.c +index 0c1d413ee2..1e0821c5f8 100644 +--- a/net/eth.c ++++ b/net/eth.c +@@ -16,6 +16,7 @@ + */ + + #include "qemu/osdep.h" ++#include "qemu/log.h" + #include "net/eth.h" + #include "net/checksum.h" + #include "net/tap.h" +@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto) + return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state; + } + } +- +- /* Unsupported offload */ +- g_assert_not_reached(); ++ qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, " ++ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto); + + return VIRTIO_NET_HDR_GSO_NONE | ecn_state; + } +-- +2.27.0 + diff --git a/SOURCES/kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch b/SOURCES/kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch new file mode 100644 index 0000000..414cc13 --- /dev/null 
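Review bot: The replacement `qemu_log_mask(LOG_UNIMP, ...)` files a condition that the commit message itself says a guest can trigger under the "unimplemented feature" category, so it only surfaces for people debugging with unimp enabled; an unexpected L3 protocol arriving from a guest is closer to a guest error, so consider `LOG_GUEST_ERROR` (or logging under both masks) so operators watching guest_errors for misbehaving guests see it. The text `probably not GSO frame` also reads as a guess; `unsupported L3 protocol for GSO` states what the code actually knows at that point. The earlier branches of eth_get_gso_type and its callers are outside the hunk, so whether the `VIRTIO_NET_HDR_GSO_NONE` return is handled safely downstream cannot be confirmed from here.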
+++ b/SOURCES/kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch @@ -0,0 +1,50 @@ +From 56ae2d8a1ee3a35e2eed4f4baa61f97184189b47 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Tue, 18 May 2021 13:51:24 -0400 +Subject: [PATCH 4/5] pc-bios/s390-ccw: break loop if a null block number is + reached +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Thomas Huth +Message-id: <20210518135125.191329-3-thuth@redhat.com> +Patchwork-id: 101549 +O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 2/3] pc-bios/s390-ccw: break loop if a null block number is reached +Bugzilla: 1942880 +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: David Hildenbrand +RH-Acked-by: Cornelia Huck + +Break the loop if `cur_block_nr` is a null block number because this +means that the end of chunk is reached. In this case we will try to +boot the default entry. + +Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu") +Reviewed-by: Collin Walling +Signed-off-by: Marc Hartmayer +Message-Id: <20200924085926.21709-3-mhartmay@linux.ibm.com> +Signed-off-by: Thomas Huth +(cherry picked from commit 468184ec9024f4f7b55247f70ec57554e8a500d7) +Signed-off-by: Thomas Huth +Signed-off-by: Danilo C. L. de Paula +--- + pc-bios/s390-ccw/bootmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c +index bb6e003270..624f524331 100644 +--- a/pc-bios/s390-ccw/bootmap.c ++++ b/pc-bios/s390-ccw/bootmap.c +@@ -192,7 +192,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr) + for (i = 0; i < STAGE2_BLK_CNT_MAX; i++) { + cur_block_nr = eckd_block_num(&s1b->seek[i].chs); + +- if (!cur_block_nr) { ++ if (!cur_block_nr || is_null_block_number(cur_block_nr)) { + break; + } + +-- +2.27.0 + 
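Review bot: The predicate `!cur_block_nr || is_null_block_number(cur_block_nr)` introduced here is repeated verbatim on `next_block_nr` in the following patch (kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch), and neither site explains how a zero block number relates to a "null" one. A tiny helper, `static inline bool block_nr_ends_chunk(block_number_t blk) { return !blk || is_null_block_number(blk); }` with a comment that both values mark end of chunk, would keep the two checks from drifting apart. eckd_get_boot_menu_index starts above the hunk, so I cannot see whether such a helper already exists in bootmap.c.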
diff --git a/SOURCES/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch b/SOURCES/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch new file mode 100644 index 0000000..2597118 --- /dev/null +++ b/SOURCES/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch @@ -0,0 +1,48 @@ +From 52ba1903b2c8ce69e8cd1de2a78c2c63cc60383b Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Tue, 18 May 2021 13:51:25 -0400 +Subject: [PATCH 5/5] pc-bios/s390-ccw: don't try to read the next block if end + of chunk is reached +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Thomas Huth +Message-id: <20210518135125.191329-4-thuth@redhat.com> +Patchwork-id: 101550 +O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 3/3] pc-bios/s390-ccw: don't try to read the next block if end of chunk is reached +Bugzilla: 1942880 +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: David Hildenbrand +RH-Acked-by: Cornelia Huck + +Don't read the block if a null block number is reached, because this means that +the end of chunk is reached. + +Reviewed-by: Collin Walling +Signed-off-by: Marc Hartmayer +Message-Id: <20210416074736.17409-1-mhartmay@linux.ibm.com> +Signed-off-by: Thomas Huth +(cherry picked from commit a6625d38cce3901a7c1cba069f0abcf743a293f1) +Signed-off-by: Thomas Huth +Signed-off-by: Danilo C. L. de Paula +--- + pc-bios/s390-ccw/bootmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c +index 624f524331..8458b15cb6 100644 +--- a/pc-bios/s390-ccw/bootmap.c ++++ b/pc-bios/s390-ccw/bootmap.c +@@ -212,7 +212,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr) + next_block_nr = eckd_block_num(&s1b->seek[i + 1].chs); + } + +- if (next_block_nr) { ++ if (next_block_nr && !is_null_block_number(next_block_nr)) { + read_block(next_block_nr, s2_next_blk, + "Cannot read stage2 boot loader"); + } +-- +2.27.0 + 
diff --git a/SOURCES/kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch b/SOURCES/kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch new file mode 100644 index 0000000..691bed4 --- /dev/null +++ b/SOURCES/kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch 
@@ -0,0 +1,51 @@ +From 0e9bdb960045f98d70f765bbb585f1647e5fea08 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Tue, 18 May 2021 13:51:23 -0400 +Subject: [PATCH 3/5] pc-bios/s390-ccw: fix off-by-one error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Thomas Huth +Message-id: <20210518135125.191329-2-thuth@redhat.com> +Patchwork-id: 101548 +O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/3] pc-bios/s390-ccw: fix off-by-one error +Bugzilla: 1942880 +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: David Hildenbrand +RH-Acked-by: Cornelia Huck + +This error takes effect when the magic value "zIPL" is located at the +end of a block. For example if s2_cur_blk = 0x7fe18000 and the magic +value "zIPL" is located at 0x7fe18ffc - 0x7fe18fff. + +Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu") +Reviewed-by: Collin Walling +Signed-off-by: Marc Hartmayer +Message-Id: <20200924085926.21709-2-mhartmay@linux.ibm.com> +Reviewed-by: Thomas Huth +[thuth: Use "<= ... - 4" instead of "< ... - 3"] +Signed-off-by: Thomas Huth +(cherry picked from commit 5f97ba0c74ccace0a4014460de9751ff3c6f454a) +Signed-off-by: Thomas Huth +Signed-off-by: Danilo C. L. de Paula +--- + pc-bios/s390-ccw/bootmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c +index e91ea719ff..bb6e003270 100644 +--- a/pc-bios/s390-ccw/bootmap.c ++++ b/pc-bios/s390-ccw/bootmap.c +@@ -163,7 +163,7 @@ static bool find_zipl_boot_menu_banner(int *offset) + int i; + + /* Menu banner starts with "zIPL" */ +- for (i = 0; i < virtio_get_block_size() - 4; i++) { ++ for (i = 0; i <= virtio_get_block_size() - 4; i++) { + if (magic_match(s2_cur_blk + i, ZIPL_MAGIC_EBCDIC)) { + *offset = i; + return true; +-- +2.27.0 + 
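Review bot: `virtio_get_block_size()` is re-evaluated on every iteration of the loop condition, and the corrected bound `<= virtio_get_block_size() - 4` relies on that value being at least 4 and on `i` being signed to avoid wrapping; neither assumption is stated. Hoisting it, `int last = virtio_get_block_size() - 4;` / `for (i = 0; i <= last; i++) {`, with the comment `/* magic_match reads 4 bytes, so the last valid start offset is size - 4 */`, makes both the bound and the cost explicit. The return type of virtio_get_block_size is not visible here; if it is unsigned, the subtraction rather than the comparison is where a block size below 4 would misbehave.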
diff --git a/SOURCES/kvm-qemu-img-convert-Don-t-pre-zero-images.patch b/SOURCES/kvm-qemu-img-convert-Don-t-pre-zero-images.patch new file mode 100644 index 0000000..28311f4 --- /dev/null +++ b/SOURCES/kvm-qemu-img-convert-Don-t-pre-zero-images.patch 
@@ -0,0 +1,73 @@ +From eea45924903f03dc6d8f20576be0a4a84d5acce4 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Wed, 10 Feb 2021 10:16:11 -0500 +Subject: [PATCH 4/5] qemu-img convert: Don't pre-zero images + +RH-Author: Kevin Wolf +Message-id: <20210210101611.137928-2-kwolf@redhat.com> +Patchwork-id: 101030 +O-Subject: [RHEL-8.4.0 qemu-kvm PATCH 1/1] qemu-img convert: Don't pre-zero images +Bugzilla: 1855250 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Laszlo Ersek +RH-Acked-by: Max Reitz + +Since commit 5a37b60a61c, qemu-img create will pre-zero the target image +if it isn't already zero-initialised (most importantly, for host block +devices, but also iscsi etc.), so that writing explicit zeros wouldn't +be necessary later. + +This could speed up the operation significantly, in particular when the +source image file was only sparsely populated. However, it also means +that some block are written twice: Once when pre-zeroing them, and then +when they are overwritten with actual data. On a full image, the +pre-zeroing is wasted work because everything will be overwritten. + +In practice, write_zeroes typically turns out faster than writing +explicit zero buffers, but slow enough that first zeroing everything and +then overwriting parts can be a significant net loss. + +Meanwhile, qemu-img convert was rewritten in 690c7301600 and zero blocks +are now written to the target using bdrv_co_pwrite_zeroes() if the +target could be pre-zeroed. This way we already make use of the faster +write_zeroes operation, but avoid writing any blocks twice. + +Remove the pre-zeroing because these days this former optimisation has +actually turned into a pessimisation in the common case. 
+ +Reported-by: Nir Soffer +Signed-off-by: Kevin Wolf +Message-Id: <20200622151203.35624-1-kwolf@redhat.com> +Tested-by: Nir Soffer +Reviewed-by: Eric Blake +Signed-off-by: Kevin Wolf +(cherry picked from commit edafc70c0c8510862f2f213a3acf7067113bcd08) +Signed-off-by: Kevin Wolf +Signed-off-by: Danilo C. L. de Paula +--- + qemu-img.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/qemu-img.c b/qemu-img.c +index a27ad70851..b10dc5129b 100644 +--- a/qemu-img.c ++++ b/qemu-img.c +@@ -2029,15 +2029,6 @@ static int convert_do_copy(ImgConvertState *s) + s->has_zero_init = false; + } + +- if (!s->has_zero_init && !s->target_has_backing && +- bdrv_can_write_zeroes_with_unmap(blk_bs(s->target))) +- { +- ret = blk_make_zero(s->target, BDRV_REQ_MAY_UNMAP | BDRV_REQ_NO_FALLBACK); +- if (ret == 0) { +- s->has_zero_init = true; +- } +- } +- + /* Allocate buffer for copied data. For compressed images, only one cluster + * can be copied at a time. */ + if (s->compressed) { +-- +2.27.0 + diff --git a/SOURCES/kvm-softmmu-memory-Log-invalid-memory-accesses.patch b/SOURCES/kvm-softmmu-memory-Log-invalid-memory-accesses.patch new file mode 100644 index 0000000..e4e1bc4 --- /dev/null +++ b/SOURCES/kvm-softmmu-memory-Log-invalid-memory-accesses.patch 
@@ -0,0 +1,84 @@
+From be0a190e3c5c4ff84f7c53630ed5a55644d18acc Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Wed, 21 Apr 2021 22:30:06 -0400
+Subject: [PATCH 7/7] softmmu/memory: Log invalid memory accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy
+Message-id: <20210421223006.19650-7-jmaloy@redhat.com>
+Patchwork-id: 101481
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 6/6] softmmu/memory: Log invalid memory accesses
+Bugzilla: 1842478
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Philippe Mathieu-Daudé
+RH-Acked-by: Laszlo Ersek
+
+From: Philippe Mathieu-Daudé
+
+Log invalid memory accesses with as GUEST_ERROR.
+
+This is particularly useful since commit 5d971f9e67 which reverted
+("memory: accept mismatching sizes in memory_region_access_valid").
+
+Signed-off-by: Philippe Mathieu-Daudé
+Reviewed-by: Michael S. Tsirkin
+Message-Id: <20201005152725.2143444-1-philmd@redhat.com>
+Signed-off-by: Laurent Vivier
+
+(cherry picked from commit 21786c7e59847b1612406ff394958f22e5b323f8)
+Signed-off-by: Jon Maloy
+Signed-off-by: Danilo C. L. de Paula
+---
+ memory.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/memory.c b/memory.c
+index 0cfcb72a5a..660df8159a 100644
+--- a/memory.c
++++ b/memory.c
+@@ -14,6 +14,7 @@
+ */
+
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "qapi/error.h"
+ #include "cpu.h"
+ #include "exec/memory.h"
+@@ -1353,10 +1354,18 @@ bool memory_region_access_valid(MemoryRegion *mr,
+ {
+ if (mr->ops->valid.accepts
+ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
++ "0x%" HWADDR_PRIX ", size %u, "
++ "region '%s', reason: rejected\n",
++ addr, size, memory_region_name(mr));
+ return false;
+ }
+
+ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
++ "0x%" HWADDR_PRIX ", size %u, "
++ "region '%s', reason: unaligned\n",
++ addr, size, memory_region_name(mr));
+ return false;
+ }
+
+@@ -1367,6 +1376,13 @@ bool memory_region_access_valid(MemoryRegion *mr,
+
+ if (size > mr->ops->valid.max_access_size
+ || size < mr->ops->valid.min_access_size) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
++ "0x%" HWADDR_PRIX ", size %u, "
++ "region '%s', reason: invalid size "
++ "(min:%u max:%u)\n",
++ addr, size, memory_region_name(mr),
++ mr->ops->valid.min_access_size,
++ mr->ops->valid.max_access_size);
+ return false;
+ }
+ return true;
+--
+2.27.0
+
diff --git a/SOURCES/kvm-vfio-ccw-Connect-the-device-request-notifier.patch b/SOURCES/kvm-vfio-ccw-Connect-the-device-request-notifier.patch
new file mode 100644
index 0000000..298fb29
--- /dev/null
+++ b/SOURCES/kvm-vfio-ccw-Connect-the-device-request-notifier.patch
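Review bot: The new qemu_log_mask() calls in memory_region_access_valid are driven entirely by guest MMIO, so a guest that keeps issuing rejected, unaligned or mis-sized accesses produces unbounded log output whenever LOG_GUEST_ERROR is enabled; nothing in the hunk rate-limits them. That is acceptable for an opt-in diagnostic mask, and the messages are a useful signal that a guest is probing device registers, but it deserves a comment above the first call, e.g. `/* Guest-triggerable: emitted only under LOG_GUEST_ERROR, so expect volume from a misbehaving guest */`. The `%u` conversions for size, min_access_size and max_access_size are correct only if those are `unsigned` in this tree; their declarations, like the function's signature and opening brace, lie outside the hunk. The same pattern repeats in the second and third hunks of this patch, so one comment at the first site suffices.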
@@ -0,0 +1,128 @@
+From db6a782f8b9ba062f195ff504b4d2f93e471fecc Mon Sep 17 00:00:00 2001
+From: Thomas Huth
+Date: Tue, 11 May 2021 11:24:05 -0400
+Subject: [PATCH 2/5] vfio-ccw: Connect the device request notifier
+
+RH-Author: Thomas Huth
+Message-id: <20210511112405.297037-3-thuth@redhat.com>
+Patchwork-id: 101536
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 2/2] vfio-ccw: Connect the device request notifier
+Bugzilla: 1940450
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Cornelia Huck
+RH-Acked-by: David Hildenbrand
+
+Now that the vfio-ccw code has a notifier interface to request that
+a device be unplugged, let's wire that together.
+
+Signed-off-by: Eric Farman
+Reviewed-by: Cornelia Huck
+Message-Id: <20210104202057.48048-4-farman@linux.ibm.com>
+Signed-off-by: Cornelia Huck
+(cherry picked from commit b2f96f9e4f5fbc8f2770a436191cb328da4d5350)
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1940450
+Signed-off-by: Thomas Huth
+Signed-off-by: Danilo C. L. de Paula
+---
+ hw/vfio/ccw.c | 40 ++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 36 insertions(+), 4 deletions(-)
+
+diff --git a/hw/vfio/ccw.c b/hw/vfio/ccw.c
+index b72a505893..3d450fe1c9 100644
+--- a/hw/vfio/ccw.c
++++ b/hw/vfio/ccw.c
+@@ -49,6 +49,7 @@ struct VFIOCCWDevice {
+ struct ccw_crw_region *crw_region;
+ EventNotifier io_notifier;
+ EventNotifier crw_notifier;
++ EventNotifier req_notifier;
+ bool force_orb_pfch;
+ bool warned_orb_pfch;
+ };
+@@ -287,6 +288,21 @@ static void vfio_ccw_crw_read(VFIOCCWDevice *vcdev)
+ } while (1);
+ }
+
++static void vfio_ccw_req_notifier_handler(void *opaque)
++{
++ VFIOCCWDevice *vcdev = opaque;
++ Error *err = NULL;
++
++ if (!event_notifier_test_and_clear(&vcdev->req_notifier)) {
++ return;
++ }
++
++ qdev_unplug(DEVICE(vcdev), &err);
++ if (err) {
++ warn_reportf_err(err, VFIO_MSG_PREFIX, vcdev->vdev.name);
++ }
++}
++
+ static void vfio_ccw_crw_notifier_handler(void *opaque)
+ {
+ VFIOCCWDevice *vcdev = opaque;
+@@ -386,6 +402,10 @@ static void vfio_ccw_register_irq_notifier(VFIOCCWDevice *vcdev,
+ notifier = &vcdev->crw_notifier;
+ fd_read = vfio_ccw_crw_notifier_handler;
+ break;
++ case VFIO_CCW_REQ_IRQ_INDEX:
++ notifier = &vcdev->req_notifier;
++ fd_read = vfio_ccw_req_notifier_handler;
++ break;
+ default:
+ error_setg(errp, "vfio: Unsupported device irq(%d)", irq);
+ return;
+@@ -440,6 +460,9 @@ static void vfio_ccw_unregister_irq_notifier(VFIOCCWDevice *vcdev,
+ case VFIO_CCW_CRW_IRQ_INDEX:
+ notifier = &vcdev->crw_notifier;
+ break;
++ case VFIO_CCW_REQ_IRQ_INDEX:
++ notifier = &vcdev->req_notifier;
++ break;
+ default:
+ error_report("vfio: Unsupported device irq(%d)", irq);
+ return;
+@@ -657,20 +680,28 @@ static void vfio_ccw_realize(DeviceState *dev, Error **errp)
+
+ vfio_ccw_register_irq_notifier(vcdev, VFIO_CCW_IO_IRQ_INDEX, &err);
+ if (err) {
+- goto out_notifier_err;
++ goto out_io_notifier_err;
+ }
+
+ if (vcdev->crw_region) {
+ vfio_ccw_register_irq_notifier(vcdev, VFIO_CCW_CRW_IRQ_INDEX, &err);
+ if (err) {
+- vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_IO_IRQ_INDEX);
+- goto out_notifier_err;
++ goto out_crw_notifier_err;
+ }
+ }
+
++ vfio_ccw_register_irq_notifier(vcdev, VFIO_CCW_REQ_IRQ_INDEX, &err);
++ if (err) {
++ goto out_req_notifier_err;
++ }
++
+ return;
+
+-out_notifier_err:
++out_req_notifier_err:
++ vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_CRW_IRQ_INDEX);
++out_crw_notifier_err:
++ vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_IO_IRQ_INDEX);
++out_io_notifier_err:
+ vfio_ccw_put_region(vcdev);
+ out_region_err:
+ vfio_ccw_put_device(vcdev);
+@@ -692,6 +723,7 @@ static void vfio_ccw_unrealize(DeviceState *dev, Error **errp)
+ S390CCWDeviceClass *cdc = S390_CCW_DEVICE_GET_CLASS(cdev);
+ VFIOGroup *group = vcdev->vdev.group;
+
++ vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_REQ_IRQ_INDEX);
+ vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_CRW_IRQ_INDEX);
+ vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_IO_IRQ_INDEX);
+ vfio_ccw_put_region(vcdev);
+--
+2.27.0
+
diff --git a/SOURCES/kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch b/SOURCES/kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch
new file mode 100644
index 0000000..aabe041
--- /dev/null
+++ b/SOURCES/kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch
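Review bot: The new `out_req_notifier_err` label in vfio_ccw_realize unregisters the CRW notifier unconditionally, but that notifier is only registered when `vcdev->crw_region` is set, so a failure to register the request notifier on a device without a CRW region calls vfio_ccw_unregister_irq_notifier() for an index that was never set up. The same unconditional call already exists in vfio_ccw_unrealize, so it is presumably tolerated by the unregister path, but mirroring the registration condition — `if (vcdev->crw_region) { vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_CRW_IRQ_INDEX); }` — keeps the error path symmetric with the success path. Separately, vfio_ccw_req_notifier_handler hands a host-originated event straight to qdev_unplug(), and a one-line comment such as `/* The vfio-ccw driver asked us to release the device: start a guest-visible unplug */` would record that the host, not the guest, drives this path. The bodies of vfio_ccw_realize and vfio_ccw_unrealize begin outside the hunk lines shown.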
@@ -0,0 +1,76 @@
+From f38f51d422e82d1241b678960dd6a033ffa398da Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Wed, 21 Apr 2021 22:30:05 -0400
+Subject: [PATCH 6/7] xhci: fix valid.max_access_size to access address
+ registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy
+Message-id: <20210421223006.19650-6-jmaloy@redhat.com>
+Patchwork-id: 101483
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 5/6] xhci: fix valid.max_access_size to access address registers
+Bugzilla: 1842478
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Philippe Mathieu-Daudé
+RH-Acked-by: Laszlo Ersek
+
+From: Laurent Vivier
+
+QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
+64-bit mode access in "runtime" and "operational" MemoryRegionOps.
+
+Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
+
+XHCI specs:
+"If the xHC supports 64-bit addressing (AC64 = ‘1’), then software
+should write 64-bit registers using only Qword accesses. If a
+system is incapable of issuing Qword accesses, then writes to the
+64-bit address fields shall be performed using 2 Dword accesses;
+low Dword-first, high-Dword second. If the xHC supports 32-bit
+addressing (AC64 = ‘0’), then the high Dword of registers containing
+64-bit address fields are unused and software should write addresses
+using only Dword accesses"
+
+The problem has been detected with SLOF, as linux kernel always accesses
+registers using 32-bit access even if AC64 is set and revealed by
+5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")
+
+Suggested-by: Alexey Kardashevskiy
+Signed-off-by: Laurent Vivier
+Message-id: 20200721083322.90651-1-lvivier@redhat.com
+Signed-off-by: Gerd Hoffmann
+
+(cherry picked from commit 8e67fda2dd6202ccec093fda561107ba14830a17)
+Signed-off-by: Jon Maloy
+Signed-off-by: Danilo C. L. de Paula
+---
+ hw/usb/hcd-xhci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 646c78cde9..ab449bb003 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3183,7 +3183,7 @@ static const MemoryRegionOps xhci_oper_ops = {
+ .read = xhci_oper_read,
+ .write = xhci_oper_write,
+ .valid.min_access_size = 4,
+- .valid.max_access_size = 4,
++ .valid.max_access_size = sizeof(dma_addr_t),
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
+@@ -3199,7 +3199,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
+ .read = xhci_runtime_read,
+ .write = xhci_runtime_write,
+ .valid.min_access_size = 4,
+- .valid.max_access_size = 4,
++ .valid.max_access_size = sizeof(dma_addr_t),
+ .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+
+--
+2.27.0
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 4a65e5f..aaa4f65 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -67,7 +67,7 @@ Obsoletes: %1-rhev
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 4.2.0
-Release: 48%{?dist}
+Release: 51%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
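Review bot: Raising `.valid.max_access_size` to `sizeof(dma_addr_t)` in xhci_oper_ops and xhci_runtime_ops lets the guest issue 8-byte accesses to regions whose handlers (xhci_oper_read/write and xhci_runtime_read/write, outside the hunk) were previously reachable only with size 4. If `.impl.max_access_size` is left unset the memory core presumably splits such an access into two 4-byte callbacks so the handlers never see size 8, but that behaviour lives in memory.c rather than in this patch and is worth confirming, since a handler that does not expect 64-bit accesses is exactly what the old 4-byte limit was guarding. If dma_addr_t is a fixed 64-bit type in this tree, a literal with a comment reads more honestly than tying the MMIO access width to a DMA address type, e.g. `.valid.max_access_size = 8, /* AC64 is advertised: allow Qword access; .impl is unset so the core splits it into Dwords */`. The comment applies to both changed lines.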
@@ -1130,6 +1130,40 @@ Patch489: kvm-x86-cpu-Populate-SVM-CPUID-feature-bits.patch Patch490: kvm-i386-Add-the-support-for-AMD-EPYC-3rd-generation-pro.patch # For bz#1917451 - CVE-2020-29443 virt:rhel/qemu-kvm: QEMU: ide: atapi: OOB access while processing read commands [rhel-8.4.0] Patch491: kvm-ide-atapi-check-logical-block-address-and-read-size-.patch +# For bz#1892350 - CVE-2020-27617 virt:rhel/qemu-kvm: QEMU: net: an assert failure via eth_get_gso_type [rhel-8.5.0] +Patch492: kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch +# For bz#1930092 - CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0] +Patch493: kvm-e1000-fail-early-for-evil-descriptor.patch +# For bz#1859175 - CVE-2020-15859 virt:rhel/qemu-kvm: QEMU: net: e1000e: use-after-free while sending packets [rhel-8] +Patch494: kvm-net-forbid-the-reentrant-RX.patch +# For bz#1855250 - qemu-img convert uses possibly slow pre-zeroing on block storage +Patch495: kvm-qemu-img-convert-Don-t-pre-zero-images.patch +# For bz#1932823 - after upgrade from 4.3 to 4.4 audio stops working in guests after couple of seconds +Patch496: kvm-audio-audio_generic_get_buffer_in-should-honor-size.patch +# For bz#1925430 - CVE-2021-20221 virt:rhel/qemu-kvm: qemu: out-of-bound heap buffer access via an interrupt ID field [rhel-8.5.0] +Patch497: kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch +# For bz#1842478 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0] +Patch498: kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch +# For bz#1842478 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0] +Patch499: kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch +# For bz#1842478 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0] +Patch500: 
kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch +# For bz#1842478 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0] +Patch501: kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch +# For bz#1842478 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0] +Patch502: kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch +# For bz#1842478 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0] +Patch503: kvm-softmmu-memory-Log-invalid-memory-accesses.patch +# For bz#1940450 - RHEL8.5 - Mediated Device already in use by same domain we are booting (vfio-ccw/Multipath Testing) (kvm) - qemu-kvm part (also has kernel and libvirt parts) +Patch504: kvm-linux-headers-Add-VFIO_CCW_REQ_IRQ_INDEX.patch +# For bz#1940450 - RHEL8.5 - Mediated Device already in use by same domain we are booting (vfio-ccw/Multipath Testing) (kvm) - qemu-kvm part (also has kernel and libvirt parts) +Patch505: kvm-vfio-ccw-Connect-the-device-request-notifier.patch +# For bz#1942880 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) +Patch506: kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch +# For bz#1942880 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) +Patch507: kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch +# For bz#1942880 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) +Patch508: kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch BuildRequires: wget BuildRequires: rpm-build 
@@ -2078,6 +2112,47 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %changelog +* Tue May 25 2021 Danilo Cesar Lemes de Paula - 4.2.0-51.el8 +- kvm-linux-headers-Add-VFIO_CCW_REQ_IRQ_INDEX.patch [bz#1940450] +- kvm-vfio-ccw-Connect-the-device-request-notifier.patch [bz#1940450] +- kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch [bz#1942880] +- kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch [bz#1942880] +- kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch [bz#1942880] +- Resolves: bz#1940450 + (RHEL8.5 - Mediated Device already in use by same domain we are booting (vfio-ccw/Multipath Testing) (kvm) - qemu-kvm part (also has kernel and libvirt parts)) +- Resolves: bz#1942880 + (RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm)) + +* Wed May 05 2021 Danilo Cesar Lemes de Paula - 4.2.0-50.el8 +- kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch [bz#1925430] +- kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch [bz#1842478] +- kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch [bz#1842478] +- kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch [bz#1842478] +- kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch [bz#1842478] +- kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch [bz#1842478] +- kvm-softmmu-memory-Log-invalid-memory-accesses.patch [bz#1842478] +- Resolves: bz#1925430 + (CVE-2021-20221 virt:rhel/qemu-kvm: qemu: out-of-bound heap buffer access via an interrupt ID field [rhel-8.5.0]) +- Resolves: bz#1842478 + (CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0]) + +* Wed Apr 28 2021 Danilo Cesar Lemes de Paula - 4.2.0-49.el8 +- kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch [bz#1892350] +- kvm-e1000-fail-early-for-evil-descriptor.patch [bz#1930092] +- kvm-net-forbid-the-reentrant-RX.patch [bz#1859175] +- kvm-qemu-img-convert-Don-t-pre-zero-images.patch 
[bz#1855250] +- kvm-audio-audio_generic_get_buffer_in-should-honor-size.patch [bz#1932823] +- Resolves: bz#1892350 + (CVE-2020-27617 virt:rhel/qemu-kvm: QEMU: net: an assert failure via eth_get_gso_type [rhel-8.5.0]) +- Resolves: bz#1930092 + (CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0]) +- Resolves: bz#1859175 + (CVE-2020-15859 virt:rhel/qemu-kvm: QEMU: net: e1000e: use-after-free while sending packets [rhel-8]) +- Resolves: bz#1855250 + (qemu-img convert uses possibly slow pre-zeroing on block storage) +- Resolves: bz#1932823 + (after upgrade from 4.3 to 4.4 audio stops working in guests after couple of seconds) + * Tue Mar 16 2021 Danilo Cesar Lemes de Paula - 4.2.0-48.el8 - kvm-ide-atapi-check-logical-block-address-and-read-size-.patch [bz#1917451] - Resolves: bz#1917451