diff --git a/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch b/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch new file mode 100644 index 0000000..9540f26 --- /dev/null +++ b/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch @@ -0,0 +1,138 @@ +From 75255574498fad12727529c4ecbd4ccdabe86839 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Wed, 5 Oct 2016 17:22:26 +0200 +Subject: [PATCH 4/8] balloon: fix segfault and harden the stats queue + +RH-Author: Ladi Prosek +Message-id: <1475666548-9186-5-git-send-email-lprosek@redhat.com> +Patchwork-id: 72483 +O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 4/6] balloon: fix segfault and harden the stats queue +Bugzilla: 1393484 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Michael S. Tsirkin +RH-Acked-by: Stefan Hajnoczi + +The segfault here is triggered by the driver notifying the stats queue +twice after adding a buffer to it. This effectively resets stats_vq_elem +back to NULL and QEMU crashes on the next stats timer tick in +balloon_stats_poll_cb. + +This is a regression introduced in 51b19ebe4320f3dc, although admittedly +the device assumed too much about the stats queue protocol even before +that commit. This commit adds a few more checks and ensures that the one +stats buffer gets deallocated on device reset. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Ladi Prosek +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 4eae2a657d1ff5ada56eb9b4966eae0eff333b0b) +Signed-off-by: Ladi Prosek +Signed-off-by: Miroslav Rezanina + +Conflicts: + * 1.5.3 does not return pointers from virtqueue_pop so only the + "harden the stats queue" part of the upstream patch description + applies + * a new field stats_vq_elem_pending is introduced to keep track + of the state of stats_vq_elem in lieu of its nullness upstream + * virtio_balloon_device_reset only resets stats_vq_elem_pending + because there is nothing to free +--- + hw/virtio/virtio-balloon.c | 27 +++++++++++++++++++++++---- + include/hw/virtio/virtio-balloon.h | 1 + + 2 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c +index 016dc60..17b3029 100644 +--- a/hw/virtio/virtio-balloon.c ++++ b/hw/virtio/virtio-balloon.c +@@ -95,13 +95,14 @@ static void balloon_stats_poll_cb(void *opaque) + VirtIOBalloon *s = opaque; + VirtIODevice *vdev = VIRTIO_DEVICE(s); + +- if (!balloon_stats_supported(s)) { ++ if (!s->stats_vq_elem_pending || !balloon_stats_supported(s)) { + /* re-schedule */ + balloon_stats_change_timer(s, s->stats_poll_interval); + return; + } + + virtqueue_push(s->svq, &s->stats_vq_elem, s->stats_vq_offset); ++ s->stats_vq_elem_pending = false; + virtio_notify(vdev, s->svq); + } + +@@ -220,14 +221,22 @@ static void virtio_balloon_handle_output(VirtIODevice *vdev, VirtQueue *vq) + static void virtio_balloon_receive_stats(VirtIODevice *vdev, VirtQueue *vq) + { + VirtIOBalloon *s = VIRTIO_BALLOON(vdev); +- VirtQueueElement *elem = &s->stats_vq_elem; ++ VirtQueueElement elem; + VirtIOBalloonStat stat; + size_t offset = 0; + qemu_timeval tv; + +- if (!virtqueue_pop(vq, elem)) { ++ if (!virtqueue_pop(vq, &elem)) { + goto out; + } ++ if (s->stats_vq_elem_pending) { ++ /* This should never happen if the driver follows the spec. */ ++ virtqueue_push(vq, &s->stats_vq_elem, 0); ++ virtio_notify(vdev, vq); ++ } ++ ++ s->stats_vq_elem = elem; ++ s->stats_vq_elem_pending = true; + + /* Initialize the stats to get rid of any stale values. This is only + * needed to handle the case where a guest supports fewer stats than it +@@ -235,7 +244,7 @@ static void virtio_balloon_receive_stats(VirtIODevice *vdev, VirtQueue *vq) + */ + reset_stats(s); + +- while (iov_to_buf(elem->out_sg, elem->out_num, offset, &stat, sizeof(stat)) ++ while (iov_to_buf(elem.out_sg, elem.out_num, offset, &stat, sizeof(stat)) + == sizeof(stat)) { + uint16_t tag = tswap16(stat.tag); + uint64_t val = tswap64(stat.val); +@@ -384,6 +393,15 @@ static void virtio_balloon_device_exit(VirtIODevice *vdev) + virtio_cleanup(vdev); + } + ++static void virtio_balloon_device_reset(VirtIODevice *vdev) ++{ ++ VirtIOBalloon *s = VIRTIO_BALLOON(vdev); ++ ++ if (s->stats_vq_elem_pending) { ++ s->stats_vq_elem_pending = false; ++ } ++} ++ + static Property virtio_balloon_properties[] = { + DEFINE_PROP_END_OF_LIST(), + }; +@@ -396,6 +414,7 @@ static void virtio_balloon_class_init(ObjectClass *klass, void *data) + set_bit(DEVICE_CATEGORY_MISC, dc->categories); + vdc->init = virtio_balloon_device_init; + vdc->exit = virtio_balloon_device_exit; ++ vdc->reset = virtio_balloon_device_reset; + vdc->get_config = virtio_balloon_get_config; + vdc->set_config = virtio_balloon_set_config; + vdc->get_features = virtio_balloon_get_features; +diff --git a/include/hw/virtio/virtio-balloon.h b/include/hw/virtio/virtio-balloon.h +index f863bfe..a84736b 100644 +--- a/include/hw/virtio/virtio-balloon.h ++++ b/include/hw/virtio/virtio-balloon.h +@@ -63,6 +63,7 @@ typedef struct VirtIOBalloon { + uint32_t actual; + uint64_t stats[VIRTIO_BALLOON_S_NR]; + VirtQueueElement stats_vq_elem; ++ bool stats_vq_elem_pending; + size_t stats_vq_offset; + QEMUTimer *stats_timer; + int64_t stats_last_update; +-- +1.8.3.1 + diff --git a/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch b/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch new file mode 100644 index 0000000..d60e538 --- /dev/null +++ b/SOURCES/kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch @@ -0,0 +1,179 @@ +From 4f55d2d2f6efdce59440b57726f09578b8692158 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Fri, 23 Sep 2016 14:39:35 +0200 +Subject: [PATCH 2/3] hw/i386: regenerate checked-in AML payload (RHEL only) + +RH-Author: Laszlo Ersek +Message-id: <20160923143936.25594-2-lersek@redhat.com> +Patchwork-id: 72414 +O-Subject: [RHEL-7.3 qemu-kvm PATCH 1/2] hw/i386: regenerate checked-in AML payload (RHEL only) +Bugzilla: 1392027 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Michael S. Tsirkin +RH-Acked-by: Igor Mammedov + +In preparation for the next patch, which will flip the build from IASL to +pre-generated AML, rebuild the checked-in AML content, with the last iasl +version that's known -- from Brew -- to generate good AML, namely +"acpica-tools-20150619-3.el7.x86_64". + +Only checksums and likely some metadata change in the AML payload. This +proves that our checked-in files have been up to date, and it's safe to +switch the build to them. I actually verified this in a RHEL-7 guest, with +"acpidump -b" and "iasl -d" -- the dumped and disassembled DSL files +remained identical across this change. + +Signed-off-by: Laszlo Ersek +Signed-off-by: Miroslav Rezanina +--- + hw/i386/acpi-dsdt.hex.generated | 8 ++++---- + hw/i386/q35-acpi-dsdt.hex.generated | 8 ++++---- + hw/i386/ssdt-misc.hex.generated | 8 ++++---- + hw/i386/ssdt-pcihp.hex.generated | 8 ++++---- + hw/i386/ssdt-proc.hex.generated | 12 ++++++------ + 5 files changed, 22 insertions(+), 22 deletions(-) + +diff --git a/hw/i386/acpi-dsdt.hex.generated b/hw/i386/acpi-dsdt.hex.generated +index 2c01107..b2af8d0 100644 +--- a/hw/i386/acpi-dsdt.hex.generated ++++ b/hw/i386/acpi-dsdt.hex.generated +@@ -8,7 +8,7 @@ static unsigned char AcpiDsdtAmlCode[] = { + 0x0, + 0x0, + 0x1, +-0xe0, ++0xea, + 0x42, + 0x58, + 0x50, +@@ -31,9 +31,9 @@ static unsigned char AcpiDsdtAmlCode[] = { + 0x4e, + 0x54, + 0x4c, +-0x23, +-0x8, +-0x13, ++0x19, ++0x6, ++0x15, + 0x20, + 0x10, + 0x49, +diff --git a/hw/i386/q35-acpi-dsdt.hex.generated b/hw/i386/q35-acpi-dsdt.hex.generated +index 32c16ff..23ab305 100644 +--- a/hw/i386/q35-acpi-dsdt.hex.generated ++++ b/hw/i386/q35-acpi-dsdt.hex.generated +@@ -8,7 +8,7 @@ static unsigned char Q35AcpiDsdtAmlCode[] = { + 0x0, + 0x0, + 0x1, +-0x6, ++0x10, + 0x42, + 0x58, + 0x50, +@@ -31,9 +31,9 @@ static unsigned char Q35AcpiDsdtAmlCode[] = { + 0x4e, + 0x54, + 0x4c, +-0x23, +-0x8, +-0x13, ++0x19, ++0x6, ++0x15, + 0x20, + 0x10, + 0x49, +diff --git a/hw/i386/ssdt-misc.hex.generated b/hw/i386/ssdt-misc.hex.generated +index 55e3bd2..86c5725 100644 +--- a/hw/i386/ssdt-misc.hex.generated ++++ b/hw/i386/ssdt-misc.hex.generated +@@ -23,7 +23,7 @@ static unsigned char ssdp_misc_aml[] = { + 0x0, + 0x0, + 0x1, +-0x76, ++0x80, + 0x42, + 0x58, + 0x50, +@@ -46,9 +46,9 @@ static unsigned char ssdp_misc_aml[] = { + 0x4e, + 0x54, + 0x4c, +-0x23, +-0x8, +-0x13, ++0x19, ++0x6, ++0x15, + 0x20, + 0x10, + 0x42, +diff --git a/hw/i386/ssdt-pcihp.hex.generated b/hw/i386/ssdt-pcihp.hex.generated +index b3c2cd5..2f946d5 100644 +--- a/hw/i386/ssdt-pcihp.hex.generated ++++ b/hw/i386/ssdt-pcihp.hex.generated +@@ -17,7 +17,7 @@ static unsigned char ssdp_pcihp_aml[] = { + 0x0, + 0x0, + 0x1, +-0x76, ++0x80, + 0x42, + 0x58, + 0x50, +@@ -40,9 +40,9 @@ static unsigned char ssdp_pcihp_aml[] = { + 0x4e, + 0x54, + 0x4c, +-0x23, +-0x8, +-0x13, ++0x19, ++0x6, ++0x15, + 0x20, + 0x10, + 0x33, +diff --git a/hw/i386/ssdt-proc.hex.generated b/hw/i386/ssdt-proc.hex.generated +index bb9920d..1b4118a 100644 +--- a/hw/i386/ssdt-proc.hex.generated ++++ b/hw/i386/ssdt-proc.hex.generated +@@ -11,7 +11,7 @@ static unsigned char ssdp_proc_aml[] = { + 0x0, + 0x0, + 0x1, +-0xb8, ++0x82, + 0x42, + 0x58, + 0x50, +@@ -34,9 +34,9 @@ static unsigned char ssdp_proc_aml[] = { + 0x4e, + 0x54, + 0x4c, +-0x23, +-0x8, +-0x13, ++0x19, ++0x6, ++0x15, + 0x20, + 0x5b, + 0x83, +@@ -47,8 +47,8 @@ static unsigned char ssdp_proc_aml[] = { + 0x41, + 0x41, + 0xaa, +-0x10, +-0xb0, ++0x0, ++0x0, + 0x0, + 0x0, + 0x0, +-- +1.8.3.1 + diff --git a/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch b/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch new file mode 100644 index 0000000..b558bdf --- /dev/null +++ b/SOURCES/kvm-ide-fix-halted-IO-segfault-at-reset.patch @@ -0,0 +1,54 @@ +From 4d3c9646213bdf992af4e28eaf0d57610eb79fec Mon Sep 17 00:00:00 2001 +From: John Snow +Date: Thu, 29 Sep 2016 00:02:14 +0200 +Subject: [PATCH 1/3] ide: fix halted IO segfault at reset + +RH-Author: John Snow +Message-id: <1475107334-14972-2-git-send-email-jsnow@redhat.com> +Patchwork-id: 72436 +O-Subject: [RHEL-7.3.z qemu-kvm PATCH 1/1] ide: fix halted IO segfault at reset +Bugzilla: 1393042 +RH-Acked-by: Laszlo Ersek +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Markus Armbruster + +If one attempts to perform a system_reset after a failed IO request +that causes the VM to enter a paused state, QEMU will segfault trying +to free up the pending IO requests. + +These requests have already been completed and freed, though, so all +we need to do is NULL them before we enter the paused state. + +Existing AHCI tests verify that halted requests are still resumed +successfully after a STOP event. + +Analyzed-by: Laszlo Ersek +Reviewed-by: Laszlo Ersek +Signed-off-by: John Snow +Message-id: 1469635201-11918-2-git-send-email-jsnow@redhat.com +Signed-off-by: John Snow +(cherry picked from commit 87ac25fd1fed05a30a93d27dbeb2a4c4b83ec95f) +Signed-off-by: John Snow +Signed-off-by: Miroslav Rezanina + +Conflicts: + hw/ide/core.c: Context and formatting of handle_rw_error +--- + hw/ide/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/ide/core.c b/hw/ide/core.c +index 5d40093..5c33735 100644 +--- a/hw/ide/core.c ++++ b/hw/ide/core.c +@@ -658,6 +658,7 @@ void ide_dma_cb(void *opaque, int ret) + op |= BM_STATUS_RETRY_TRIM; + + if (ide_handle_rw_error(s, -ret, op)) { ++ s->bus->dma->aiocb = NULL; + return; + } + } +-- +1.8.3.1 + diff --git a/SOURCES/kvm-net-check-packet-payload-length.patch b/SOURCES/kvm-net-check-packet-payload-length.patch new file mode 100644 index 0000000..5ef1070 --- /dev/null +++ b/SOURCES/kvm-net-check-packet-payload-length.patch @@ -0,0 +1,64 @@ +From 6d126da8f958c57413a4505d98cb4a3ff48cbbfe Mon Sep 17 00:00:00 2001 +From: "wexu@redhat.com" +Date: Wed, 21 Dec 2016 06:04:24 +0100 +Subject: [PATCH] net: check packet payload length + +RH-Author: wexu@redhat.com +Message-id: <1482300264-29708-2-git-send-email-wexu@redhat.com> +Patchwork-id: 73088 +O-Subject: [RHEL-7.4/7.3.z qemu-kvm Patch v2] net: check packet payload length +Bugzilla: 1398217 +RH-Acked-by: Laurent Vivier +RH-Acked-by: Michael S. Tsirkin +RH-Acked-by: Stefan Hajnoczi + +From: Prasad J Pandit + +While computing IP checksum, 'net_checksum_calculate' reads +payload length from the packet. It could exceed the given 'data' +buffer size. Add a check to avoid it. + +This patch is to fix CVE-2016-2857. +https://access.redhat.com/security/cve/CVE-2016-2857 + +Reported-by: Liu Ling +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +(cherry picked from commit 362786f14a753d8a5256ef97d7c10ed576d6572b) +Signed-off-by: Wei Xu +Signed-off-by: Miroslav Rezanina +--- + net/checksum.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/checksum.c b/net/checksum.c +index 14c0855..0942437 100644 +--- a/net/checksum.c ++++ b/net/checksum.c +@@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length) + int hlen, plen, proto, csum_offset; + uint16_t csum; + ++ /* Ensure data has complete L2 & L3 headers. */ ++ if (length < 14 + 20) { ++ return; ++ } ++ + if ((data[14] & 0xf0) != 0x40) + return; /* not IPv4 */ + hlen = (data[14] & 0x0f) * 4; +@@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length) + return; + } + +- if (plen < csum_offset+2) +- return; ++ if (plen < csum_offset + 2 || 14 + hlen + plen > length) { ++ return; ++ } + + data[14+hlen+csum_offset] = 0; + data[14+hlen+csum_offset+1] = 0; +-- +1.8.3.1 + diff --git a/SOURCES/kvm-virtio-add-virtqueue_rewind.patch b/SOURCES/kvm-virtio-add-virtqueue_rewind.patch new file mode 100644 index 0000000..1915e93 --- /dev/null +++ b/SOURCES/kvm-virtio-add-virtqueue_rewind.patch @@ -0,0 +1,86 @@ +From f7d6a76475d29e0edb5456e62492117b87f4bc41 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 10 Nov 2016 23:00:50 +0100 +Subject: [PATCH 7/8] virtio: add virtqueue_rewind() + +RH-Author: Ladi Prosek +Message-id: <1478797251-10302-1-git-send-email-lprosek@redhat.com> +Patchwork-id: 72818 +O-Subject: [PATCH v2 7/6] virtio: add virtqueue_rewind() +Bugzilla: 1393484 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Michael S. Tsirkin +RH-Acked-by: Miroslav Rezanina + +From: Stefan Hajnoczi + +virtqueue_discard() requires a VirtQueueElement but virtio-balloon does +not migrate its in-use element. Introduce a new function that is +similar to virtqueue_discard() but doesn't require a VirtQueueElement. + +This will allow virtio-balloon to access element again after migration +with the usual proviso that the guest may have modified the vring since +last time. + +Cc: Michael S. Tsirkin +Cc: Roman Kagan +Cc: Stefan Hajnoczi +Signed-off-by: Ladi Prosek +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 297a75e6c55d91db2704a3d6e4029d99c7df51fd) +Signed-off-by: Ladi Prosek +Signed-off-by: Miroslav Rezanina +--- + hw/virtio/virtio.c | 22 ++++++++++++++++++++++ + include/hw/virtio/virtio.h | 1 + + 2 files changed, 23 insertions(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index cdb21b1..fe6b032 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -259,6 +259,28 @@ void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem, + virtqueue_unmap_sg(vq, elem, len); + } + ++/* virtqueue_rewind: ++ * @vq: The #VirtQueue ++ * @num: Number of elements to push back ++ * ++ * Pretend that elements weren't popped from the virtqueue. The next ++ * virtqueue_pop() will refetch the oldest element. ++ * ++ * Use virtqueue_discard() instead if you have a VirtQueueElement. ++ * ++ * Returns: true on success, false if @num is greater than the number of in use ++ * elements. ++ */ ++bool virtqueue_rewind(VirtQueue *vq, unsigned int num) ++{ ++ if (num > vq->inuse) { ++ return false; ++ } ++ vq->last_avail_idx -= num; ++ vq->inuse -= num; ++ return true; ++} ++ + void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len, unsigned int idx) + { +diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h +index de32425..d9bfe4c 100644 +--- a/include/hw/virtio/virtio.h ++++ b/include/hw/virtio/virtio.h +@@ -167,6 +167,7 @@ void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem, + void virtqueue_flush(VirtQueue *vq, unsigned int count); + void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len); ++bool virtqueue_rewind(VirtQueue *vq, unsigned int num); + void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len, unsigned int idx); + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch b/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch new file mode 100644 index 0000000..a076d4e --- /dev/null +++ b/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch @@ -0,0 +1,54 @@ +From a1c91f04449eea0e678aeef78914213f092b7a19 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Wed, 5 Oct 2016 17:22:27 +0200 +Subject: [PATCH 5/8] virtio-balloon: discard virtqueue element on reset + +RH-Author: Ladi Prosek +Message-id: <1475666548-9186-6-git-send-email-lprosek@redhat.com> +Patchwork-id: 72484 +O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 5/6] virtio-balloon: discard virtqueue element on reset +Bugzilla: 1393484 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Michael S. Tsirkin +RH-Acked-by: Stefan Hajnoczi + +The one pending element is being freed but not discarded on device +reset, which causes svq->inuse to creep up, eventually hitting the +"Virtqueue size exceeded" error. + +Properly discarding the element on device reset makes sure that its +buffers are unmapped and the inuse counter stays balanced. + +Cc: Michael S. Tsirkin +Cc: Roman Kagan +Cc: Stefan Hajnoczi +Signed-off-by: Ladi Prosek +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 104e70cae78bd4afd95d948c6aff188f10508a9c) +Signed-off-by: Ladi Prosek +Signed-off-by: Miroslav Rezanina + +Conflicts: + * s->stats_vq_elem => &s->stats_vq_elem because the field is not + s pointer in 1.5.3 +--- + hw/virtio/virtio-balloon.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c +index 17b3029..faf93f7 100644 +--- a/hw/virtio/virtio-balloon.c ++++ b/hw/virtio/virtio-balloon.c +@@ -398,6 +398,7 @@ static void virtio_balloon_device_reset(VirtIODevice *vdev) + VirtIOBalloon *s = VIRTIO_BALLOON(vdev); + + if (s->stats_vq_elem_pending) { ++ virtqueue_discard(s->svq, &s->stats_vq_elem, 0); + s->stats_vq_elem_pending = false; + } + } +-- +1.8.3.1 + diff --git a/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch b/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch new file mode 100644 index 0000000..bd3b2e7 --- /dev/null +++ b/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch @@ -0,0 +1,75 @@ +From 6d5c0e0e98907244d72e7828337d7ff6160b6b80 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 10 Nov 2016 23:00:51 +0100 +Subject: [PATCH 8/8] virtio-balloon: fix stats vq migration + +RH-Author: Ladi Prosek +Message-id: <1478797251-10302-2-git-send-email-lprosek@redhat.com> +Patchwork-id: 72819 +O-Subject: [PATCH v2 8/6] virtio-balloon: fix stats vq migration +Bugzilla: 1393484 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Michael S. Tsirkin +RH-Acked-by: Miroslav Rezanina + +The statistics virtqueue is not migrated properly because virtio-balloon +does not include s->stats_vq_elem in the migration stream. + +After migration the statistics virtqueue hangs because the host never +completes the last element (s->stats_vq_elem is NULL on the destination +QEMU). Therefore the guest never submits new elements and the virtqueue +is hung. + +Instead of changing the migration stream format in an incompatible way, +detect the migration case and rewind the virtqueue so the last element +can be completed. + +Cc: Michael S. Tsirkin +Cc: Roman Kagan +Cc: Stefan Hajnoczi +Suggested-by: Roman Kagan +Signed-off-by: Ladi Prosek +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 4a1e48becab81020adfb74b22c76a595f2d02a01) +Signed-off-by: Ladi Prosek +Signed-off-by: Miroslav Rezanina +--- + hw/virtio/virtio-balloon.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c +index faf93f7..1a60d3c 100644 +--- a/hw/virtio/virtio-balloon.c ++++ b/hw/virtio/virtio-balloon.c +@@ -403,6 +403,18 @@ static void virtio_balloon_device_reset(VirtIODevice *vdev) + } + } + ++static void virtio_balloon_set_status(VirtIODevice *vdev, uint8_t status) ++{ ++ VirtIOBalloon *s = VIRTIO_BALLOON(vdev); ++ ++ if (!s->stats_vq_elem_pending && vdev->vm_running && ++ (status & VIRTIO_CONFIG_S_DRIVER_OK) && virtqueue_rewind(s->svq, 1)) { ++ /* poll stats queue for the element we have discarded when the VM ++ * was stopped */ ++ virtio_balloon_receive_stats(vdev, s->svq); ++ } ++} ++ + static Property virtio_balloon_properties[] = { + DEFINE_PROP_END_OF_LIST(), + }; +@@ -419,6 +431,7 @@ static void virtio_balloon_class_init(ObjectClass *klass, void *data) + vdc->get_config = virtio_balloon_get_config; + vdc->set_config = virtio_balloon_set_config; + vdc->get_features = virtio_balloon_get_features; ++ vdc->set_status = virtio_balloon_set_status; + } + + static const TypeInfo virtio_balloon_info = { +-- +1.8.3.1 + diff --git a/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch b/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch new file mode 100644 index 0000000..1822127 --- /dev/null +++ b/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch @@ -0,0 +1,48 @@ +From c24e1c927bad95d84e0ffab665baff98d91fb916 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Wed, 5 Oct 2016 17:22:25 +0200 +Subject: [PATCH 3/8] virtio: decrement vq->inuse in virtqueue_discard() + +RH-Author: Ladi Prosek +Message-id: <1475666548-9186-4-git-send-email-lprosek@redhat.com> +Patchwork-id: 72482 +O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 3/6] virtio: decrement vq->inuse in virtqueue_discard() +Bugzilla: 1393484 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Michael S. Tsirkin +RH-Acked-by: Stefan Hajnoczi + +From: Stefan Hajnoczi + +virtqueue_discard() moves vq->last_avail_idx back so the element can be +popped again. It's necessary to decrement vq->inuse to avoid "leaking" +the element count. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Stefan Hajnoczi +Reviewed-by: Michael S. Tsirkin +Reviewed-by: Cornelia Huck +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 58a83c61496eeb0d31571a07a51bc1947e3379ac) +Signed-off-by: Ladi Prosek +Signed-off-by: Miroslav Rezanina +--- + hw/virtio/virtio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 91c9642..87a7639 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -255,6 +255,7 @@ void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len) + { + vq->last_avail_idx--; ++ vq->inuse--; + virtqueue_unmap_sg(vq, elem, len); + } + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch b/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch new file mode 100644 index 0000000..8f233c6 --- /dev/null +++ b/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch @@ -0,0 +1,66 @@ +From b5c6f7a910c5c16ac34ef2436d0a56991e0166e3 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Wed, 5 Oct 2016 17:22:24 +0200 +Subject: [PATCH 2/8] virtio: introduce virtqueue_discard() + +RH-Author: Ladi Prosek +Message-id: <1475666548-9186-3-git-send-email-lprosek@redhat.com> +Patchwork-id: 72481 +O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 2/6] virtio: introduce virtqueue_discard() +Bugzilla: 1393484 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Michael S. Tsirkin +RH-Acked-by: Stefan Hajnoczi + +From: Jason Wang + +This patch introduces virtqueue_discard() to discard a descriptor and +unmap the sgs. This will be used by the patch that will discard +descriptor when packet is truncated. + +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade) +Signed-off-by: Ladi Prosek +Signed-off-by: Miroslav Rezanina +--- + hw/virtio/virtio.c | 7 +++++++ + include/hw/virtio/virtio.h | 2 ++ + 2 files changed, 9 insertions(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 5ee899a..91c9642 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -251,6 +251,13 @@ static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem, + 0, elem->out_sg[i].iov_len); + } + ++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem, ++ unsigned int len) ++{ ++ vq->last_avail_idx--; ++ virtqueue_unmap_sg(vq, elem, len); ++} ++ + void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len, unsigned int idx) + { +diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h +index 9e22865..de32425 100644 +--- a/include/hw/virtio/virtio.h ++++ b/include/hw/virtio/virtio.h +@@ -165,6 +165,8 @@ void virtio_del_queue(VirtIODevice *vdev, int n); + void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len); + void virtqueue_flush(VirtQueue *vq, unsigned int count); ++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem, ++ unsigned int len); + void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len, unsigned int idx); + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch b/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch new file mode 100644 index 0000000..77d40c9 --- /dev/null +++ b/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch @@ -0,0 +1,70 @@ +From fc6f666f00182fe587068bd45e4e9e6d135d03fb Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Wed, 5 Oct 2016 17:22:23 +0200 +Subject: [PATCH 1/8] virtio: introduce virtqueue_unmap_sg() + +RH-Author: Ladi Prosek +Message-id: <1475666548-9186-2-git-send-email-lprosek@redhat.com> +Patchwork-id: 72480 +O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 1/6] virtio: introduce virtqueue_unmap_sg() +Bugzilla: 1393484 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Michael S. Tsirkin +RH-Acked-by: Stefan Hajnoczi + +From: Jason Wang + +Factor out sg unmapping logic. This will be reused by the patch that +can discard descriptor. + +Cc: Michael S. Tsirkin +Cc: Andrew James +Signed-off-by: Jason Wang +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +(cherry picked from commit ce317461573bac12b10d67699b4ddf1f97cf066c) +Signed-off-by: Ladi Prosek +Signed-off-by: Miroslav Rezanina +--- + hw/virtio/virtio.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 0df4ed3..5ee899a 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -228,14 +228,12 @@ int virtio_queue_empty(VirtQueue *vq) + return vring_avail_idx(vq) == vq->last_avail_idx; + } + +-void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, +- unsigned int len, unsigned int idx) ++static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem, ++ unsigned int len) + { + unsigned int offset; + int i; + +- trace_virtqueue_fill(vq, elem, len, idx); +- + offset = 0; + for (i = 0; i < elem->in_num; i++) { + size_t size = MIN(len - offset, elem->in_sg[i].iov_len); +@@ -251,6 +249,14 @@ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, + cpu_physical_memory_unmap(elem->out_sg[i].iov_base, + elem->out_sg[i].iov_len, + 0, elem->out_sg[i].iov_len); ++} ++ ++void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, ++ unsigned int len, unsigned int idx) ++{ ++ trace_virtqueue_fill(vq, elem, len, idx); ++ ++ virtqueue_unmap_sg(vq, elem, len); + + idx = (idx + vring_used_idx(vq)) % vq->vring.num; + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch b/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch new file mode 100644 index 0000000..e231a0a --- /dev/null +++ b/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch @@ -0,0 +1,63 @@ +From e3e5226d8ed3907bb818eb8db74175c08c011459 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Wed, 5 Oct 2016 17:22:28 +0200 +Subject: [PATCH 6/8] virtio: zero vq->inuse in virtio_reset() + +RH-Author: Ladi Prosek +Message-id: <1475666548-9186-7-git-send-email-lprosek@redhat.com> +Patchwork-id: 72485 +O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 6/6] virtio: zero vq->inuse in virtio_reset() +Bugzilla: 1393484 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Michael S. Tsirkin +RH-Acked-by: Stefan Hajnoczi + +From: Stefan Hajnoczi + +vq->inuse must be zeroed upon device reset like most other virtqueue +fields. + +In theory, virtio_reset() just needs assert(vq->inuse == 0) since +devices must clean up in-flight requests during reset (requests cannot +not be leaked!). + +In practice, it is difficult to achieve vq->inuse == 0 across reset +because balloon, blk, 9p, etc implement various different strategies for +cleaning up requests. Most devices call g_free(elem) directly without +telling virtio.c that the VirtQueueElement is cleaned up. Therefore +vq->inuse is not decremented during reset. + +This patch zeroes vq->inuse and trusts that devices are not leaking +VirtQueueElements across reset. + +I will send a follow-up series that refactors request life-cycle across +all devices and converts vq->inuse = 0 into assert(vq->inuse == 0) but +this more invasive approach is not appropriate for stable trees. + +Signed-off-by: Stefan Hajnoczi +Cc: qemu-stable +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Ladi Prosek +(cherry picked from commit 4b7f91ed0270a371e1933efa21ba600b6da23ab9) +Signed-off-by: Ladi Prosek +Signed-off-by: Miroslav Rezanina +--- + hw/virtio/virtio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 87a7639..cdb21b1 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -585,6 +585,7 @@ void virtio_reset(void *opaque) + vdev->vq[i].signalled_used = 0; + vdev->vq[i].signalled_used_valid = false; + vdev->vq[i].notification = true; ++ vdev->vq[i].inuse = 0; + } + } + +-- +1.8.3.1 + diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec index 10713e5..490bffe 100644 --- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \ Summary: QEMU is a FAST! processor emulator Name: %{pkgname}%{?pkgsuffix} Version: 1.5.3 -Release: 126%{?dist} +Release: 126%{?dist}.3 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 10 License: GPLv2+ and LGPLv2+ and BSD @@ -3388,6 +3388,28 @@ Patch1664: kvm-target-i386-Add-more-Intel-AVX-512-instructions-supp.patch Patch1665: kvm-nbd-server-Set-O_NONBLOCK-on-client-fd.patch # For bz#1376542 - RHSA-2016-1756 breaks migration of instances Patch1666: kvm-virtio-recalculate-vq-inuse-after-migration.patch +# For bz#1393042 - system_reset should clear pending request for error (IDE) +Patch1667: kvm-ide-fix-halted-IO-segfault-at-reset.patch +# For bz#1392027 - shutdown rhel 5.11 guest failed and stop at "system halted" +Patch1668: kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch +# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1669: kvm-virtio-introduce-virtqueue_unmap_sg.patch +# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1670: kvm-virtio-introduce-virtqueue_discard.patch +# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1671: kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch +# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1672: kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch +# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1673: kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch +# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1674: kvm-virtio-zero-vq-inuse-in-virtio_reset.patch +# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1675: kvm-virtio-add-virtqueue_rewind.patch +# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot +Patch1676: kvm-virtio-balloon-fix-stats-vq-migration.patch +# For bz#1398217 - CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.3.z] +Patch1677: kvm-net-check-packet-payload-length.patch BuildRequires: zlib-devel @@ -3462,10 +3484,8 @@ BuildRequires: texinfo %if 0%{?have_librdma:1} BuildRequires: librdmacm-devel %endif -# iasl and cpp for acpi generation (not a hard requirement as we can use -# pre-compiled files, but it's better to use this) +# cpp for preprocessing option ROM assembly files %ifarch %{ix86} x86_64 -BuildRequires: iasl BuildRequires: cpp %endif %if 0%{!?build_only_sub:1} @@ -5236,6 +5256,17 @@ cp %{SOURCE18} pc-bios # keep "make check" happy %patch1664 -p1 %patch1665 -p1 %patch1666 -p1 +%patch1667 -p1 +%patch1668 -p1 +%patch1669 -p1 +%patch1670 -p1 +%patch1671 -p1 +%patch1672 -p1 +%patch1673 -p1 +%patch1674 -p1 +%patch1675 -p1 +%patch1676 -p1 +%patch1677 -p1 %build buildarch="%{kvm_target}-softmmu" @@ -5320,6 +5351,7 @@ dobuild() { %endif --block-drv-rw-whitelist=qcow2,raw,file,host_device,blkdebug,nbd,iscsi,gluster,rbd \ --block-drv-ro-whitelist=vmdk,vhdx,vpc,ssh,https \ + --iasl=/bin/false \ "$@" echo "config-host.mak contents:" @@ -5680,6 +5712,32 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_mandir}/man8/qemu-nbd.8* %changelog +* Wed Jan 04 2017 Miroslav Rezanina - 1.5.3-126.el7_3.3 +- kvm-net-check-packet-payload-length.patch [bz#1398217] +- Resolves: bz#1398217 + (CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.3.z]) + +* Thu Nov 24 2016 Miroslav Rezanina - 1.5.3-126.el7_3.2 +- kvm-virtio-introduce-virtqueue_unmap_sg.patch [bz#1393484] +- kvm-virtio-introduce-virtqueue_discard.patch [bz#1393484] +- kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch [bz#1393484] +- kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch [bz#1393484] +- kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch [bz#1393484] +- kvm-virtio-zero-vq-inuse-in-virtio_reset.patch [bz#1393484] +- kvm-virtio-add-virtqueue_rewind.patch [bz#1393484] +- kvm-virtio-balloon-fix-stats-vq-migration.patch [bz#1393484] +- Resolves: bz#1393484 + ([RHEL7.3] KVM guest shuts itself down after 128th reboot) + +* Fri Nov 11 2016 Miroslav Rezanina - 1.5.3-126.el7_3.1 +- kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1393042] +- kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch [bz#1392027] +- kvm-SPEC-file-flip-the-build-from-IASL-to-checked-in-AML.patch [bz#1392027] +- Resolves: bz#1392027 + (shutdown rhel 5.11 guest failed and stop at "system halted") +- Resolves: bz#1393042 + (system_reset should clear pending request for error (IDE)) + * Tue Sep 20 2016 Miroslav Rezanina - 1.5.3-126.el7 - kvm-virtio-recalculate-vq-inuse-after-migration.patch [bz#1376542] - Resolves: bz#1376542