diff --git a/SOURCES/kvm-Add-support-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch b/SOURCES/kvm-Add-support-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch new file mode 100644 index 0000000..246bd33 --- /dev/null +++ b/SOURCES/kvm-Add-support-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch @@ -0,0 +1,160 @@ +From 792618b0b553323919ae9b8067bc13c9e0222526 Mon Sep 17 00:00:00 2001 +From: "plai@redhat.com" +Date: Tue, 20 Aug 2019 00:24:36 +0100 +Subject: [PATCH 5/9] kvm: Add support to KVM_GET_MSR_FEATURE_INDEX_LIST and + KVM_GET_MSRS system ioctl + +RH-Author: plai@redhat.com +Message-id: <1566260680-20995-6-git-send-email-plai@redhat.com> +Patchwork-id: 90070 +O-Subject: [RHEL8.0 qemu-kvm PATCH v3 5/9] kvm: Add support to KVM_GET_MSR_FEATURE_INDEX_LIST and KVM_GET_MSRS system ioctl +Bugzilla: 1718235 +RH-Acked-by: Eduardo Habkost +RH-Acked-by: John Snow +RH-Acked-by: Igor Mammedov + +From: Robert Hoo + +Add kvm_get_supported_feature_msrs() to get supported MSR feature index list. +Add kvm_arch_get_supported_msr_feature() to get each MSR features value. + +Signed-off-by: Robert Hoo +Message-Id: <1539578845-37944-2-git-send-email-robert.hu@linux.intel.com> +Reviewed-by: Eduardo Habkost +Signed-off-by: Eduardo Habkost +(cherry picked from commit f57bceb6ab5163ddd6c41ff4344ab8cf28a9c63d) +Signed-off-by: Paul Lai +Signed-off-by: Danilo C. L. de Paula +--- + include/sysemu/kvm.h | 2 ++ + target/i386/kvm.c | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 82 insertions(+) + +diff --git a/include/sysemu/kvm.h b/include/sysemu/kvm.h +index 23669c4..3d8f294 100644 +--- a/include/sysemu/kvm.h ++++ b/include/sysemu/kvm.h +@@ -464,6 +464,8 @@ int kvm_vm_check_extension(KVMState *s, unsigned int extension); + + uint32_t kvm_arch_get_supported_cpuid(KVMState *env, uint32_t function, + uint32_t index, int reg); ++uint32_t kvm_arch_get_supported_msr_feature(KVMState *s, uint32_t index); ++ + + void kvm_set_sigmask_len(KVMState *s, unsigned int sigmask_len); + +diff --git a/target/i386/kvm.c b/target/i386/kvm.c +index 187ee19..d2cb91e 100644 +--- a/target/i386/kvm.c ++++ b/target/i386/kvm.c +@@ -106,6 +106,7 @@ static int has_pit_state2; + static bool has_msr_mcg_ext_ctl; + + static struct kvm_cpuid2 *cpuid_cache; ++static struct kvm_msr_list *kvm_feature_msrs; + + int kvm_has_pit_state2(void) + { +@@ -405,6 +406,42 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function, + return ret; + } + ++uint32_t kvm_arch_get_supported_msr_feature(KVMState *s, uint32_t index) ++{ ++ struct { ++ struct kvm_msrs info; ++ struct kvm_msr_entry entries[1]; ++ } msr_data; ++ uint32_t ret; ++ ++ if (kvm_feature_msrs == NULL) { /* Host doesn't support feature MSRs */ ++ return 0; ++ } ++ ++ /* Check if requested MSR is supported feature MSR */ ++ int i; ++ for (i = 0; i < kvm_feature_msrs->nmsrs; i++) ++ if (kvm_feature_msrs->indices[i] == index) { ++ break; ++ } ++ if (i == kvm_feature_msrs->nmsrs) { ++ return 0; /* if the feature MSR is not supported, simply return 0 */ ++ } ++ ++ msr_data.info.nmsrs = 1; ++ msr_data.entries[0].index = index; ++ ++ ret = kvm_ioctl(s, KVM_GET_MSRS, &msr_data); ++ if (ret != 1) { ++ error_report("KVM get MSR (index=0x%x) feature failed, %s", ++ index, strerror(-ret)); ++ exit(1); ++ } ++ ++ return msr_data.entries[0].data; ++} ++ ++ + typedef struct HWPoisonPage { + ram_addr_t ram_addr; + QLIST_ENTRY(HWPoisonPage) list; +@@ -1164,6 +1201,47 @@ void kvm_arch_do_init_vcpu(X86CPU *cpu) + } + } + ++static int kvm_get_supported_feature_msrs(KVMState *s) ++{ ++ int ret = 0; ++ ++ if (kvm_feature_msrs != NULL) { ++ return 0; ++ } ++ ++ if (!kvm_check_extension(s, KVM_CAP_GET_MSR_FEATURES)) { ++ return 0; ++ } ++ ++ struct kvm_msr_list msr_list; ++ ++ msr_list.nmsrs = 0; ++ ret = kvm_ioctl(s, KVM_GET_MSR_FEATURE_INDEX_LIST, &msr_list); ++ if (ret < 0 && ret != -E2BIG) { ++ error_report("Fetch KVM feature MSR list failed: %s", ++ strerror(-ret)); ++ return ret; ++ } ++ ++ assert(msr_list.nmsrs > 0); ++ kvm_feature_msrs = (struct kvm_msr_list *) \ ++ g_malloc0(sizeof(msr_list) + ++ msr_list.nmsrs * sizeof(msr_list.indices[0])); ++ ++ kvm_feature_msrs->nmsrs = msr_list.nmsrs; ++ ret = kvm_ioctl(s, KVM_GET_MSR_FEATURE_INDEX_LIST, kvm_feature_msrs); ++ ++ if (ret < 0) { ++ error_report("Fetch KVM feature MSR list failed: %s", ++ strerror(-ret)); ++ g_free(kvm_feature_msrs); ++ kvm_feature_msrs = NULL; ++ return ret; ++ } ++ ++ return 0; ++} ++ + static int kvm_get_supported_msrs(KVMState *s) + { + static int kvm_supported_msrs; +@@ -1320,6 +1398,8 @@ int kvm_arch_init(MachineState *ms, KVMState *s) + return ret; + } + ++ kvm_get_supported_feature_msrs(s); ++ + uname(&utsname); + lm_capable_kernel = strcmp(utsname.machine, "x86_64") == 0; + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch b/SOURCES/kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch new file mode 100644 index 0000000..d74ef55 --- /dev/null +++ b/SOURCES/kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch @@ -0,0 +1,56 @@ +From e356fafe02c3ce32bad9b8d96ae9cfd6fcbb40a9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 31 Jul 2019 18:45:29 +0100 +Subject: [PATCH 5/5] Fix heap overflow in ip_reass on big packet input +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +Message-id: <20190731184529.21905-2-philmd@redhat.com> +Patchwork-id: 89820 +O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 1/1] Fix heap overflow in ip_reass on big packet input +Bugzilla: 1734750 +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Thomas Huth + +From: Samuel Thibault + +When the first fragment does not fit in the preallocated buffer, q will +already be pointing to the ext buffer, so we mustn't try to update it. + +Signed-off-by: Samuel Thibault +(cherry picked from libslirp commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210) +Signed-off-by: Philippe Mathieu-Daudé + +Signed-off-by: Danilo C. L. de Paula +--- + slirp/ip_input.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/slirp/ip_input.c b/slirp/ip_input.c +index 348e1dc..07d8808 100644 +--- a/slirp/ip_input.c ++++ b/slirp/ip_input.c +@@ -334,6 +334,8 @@ insert: + q = fp->frag_link.next; + m = dtom(slirp, q); + ++ int was_ext = m->m_flags & M_EXT; ++ + q = (struct ipasfrag *) q->ipf_next; + while (q != (struct ipasfrag*)&fp->frag_link) { + struct mbuf *t = dtom(slirp, q); +@@ -356,7 +358,7 @@ insert: + * the old buffer (in the mbuf), so we must point ip + * into the new buffer. + */ +- if (m->m_flags & M_EXT) { ++ if (!was_ext && m->m_flags & M_EXT) { + int delta = (char *)q - m->m_dat; + q = (struct ipasfrag *)(m->m_ext + delta); + } +-- +1.8.3.1 + diff --git a/SOURCES/kvm-Introduce-new-no_guest_reset-parameter-for-usb-host-.patch b/SOURCES/kvm-Introduce-new-no_guest_reset-parameter-for-usb-host-.patch new file mode 100644 index 0000000..68e8ff2 --- /dev/null +++ b/SOURCES/kvm-Introduce-new-no_guest_reset-parameter-for-usb-host-.patch @@ -0,0 +1,140 @@ +From b52bdeda7653879d007bbd2ee776ec5201d0c786 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 4 Jun 2019 05:12:43 +0100 +Subject: [PATCH 1/5] Introduce new "no_guest_reset" parameter for usb-host + device + +RH-Author: Gerd Hoffmann +Message-id: <20190604051246.11374-2-kraxel@redhat.com> +Patchwork-id: 88470 +O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 1/4] Introduce new "no_guest_reset" parameter for usb-host device +Bugzilla: 1719228 +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: Max Reitz +RH-Acked-by: Danilo de Paula + +From: Alexander Kappner + +With certain USB devices passed through via usb-host, a guest attempting to +reset a usb-host device can trigger a reset loop that renders the USB device +unusable. In my use case, the device was an iPhone XR that was passed through to +a Mac OS X Mojave guest. Upon connecting the device, the following happens: + +1) Guest recognizes new device, sends reset to emulated USB host +2) QEMU's USB host sends reset to host kernel +3) Host kernel resets device +4) After reset, host kernel determines that some part of the device descriptor +has changed ("device firmware changed" in dmesg), so host kernel decides to +re-enumerate the device. +5) Re-enumeration causes QEMU to disconnect and reconnect the device in the +guest. +6) goto 1) + +Here's from the host kernel (note the "device firmware changed" lines") + +[3677704.473050] usb 1-1.3: new high-speed USB device number 53 using ehci-pci +[3677704.555594] usb 1-1.3: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.08 +[3677704.555599] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +[3677704.555602] usb 1-1.3: Product: iPhone +[3677704.555605] usb 1-1.3: Manufacturer: Apple Inc. +[3677704.555607] usb 1-1.3: SerialNumber: [[removed]] +[3677709.401040] usb 1-1.3: reset high-speed USB device number 53 using ehci-pci +[3677709.479486] usb 1-1.3: device firmware changed +[3677709.479842] usb 1-1.3: USB disconnect, device number 53 +[3677709.546039] usb 1-1.3: new high-speed USB device number 54 using ehci-pci +[3677709.627471] usb 1-1.3: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.08 +[3677709.627476] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +[3677709.627479] usb 1-1.3: Product: iPhone +[3677709.627481] usb 1-1.3: Manufacturer: Apple Inc. +[3677709.627483] usb 1-1.3: SerialNumber: [[removed]] +[3677762.320044] usb 1-1.3: reset high-speed USB device number 54 using ehci-pci +[3677762.615630] usb 1-1.3: USB disconnect, device number 54 +[3677762.787043] usb 1-1.3: new high-speed USB device number 55 using ehci-pci +[3677762.869016] usb 1-1.3: New USB device found, idVendor=05ac, idProduct=12a8, bcdDevice=11.08 +[3677762.869024] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3 +[3677762.869028] usb 1-1.3: Product: iPhone +[3677762.869032] usb 1-1.3: Manufacturer: Apple Inc. +[3677762.869035] usb 1-1.3: SerialNumber: [[removed]] +[3677815.662036] usb 1-1.3: reset high-speed USB device number 55 using ehci-pci + +Here's from QEMU: + +libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/005/022: No such file or directory +libusb: error [udev_hotplug_event] ignoring udev action bind +libusb: error [udev_hotplug_event] ignoring udev action bind +libusb: error [_open_sysfs_attr] open /sys/bus/usb/devices/5-1/bConfigurationValue failed ret=-1 errno=2 +libusb: error [_get_usbfs_fd] File doesn't exist, wait 10 ms and try again + +libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/005/024: No such file or directory +libusb: error [udev_hotplug_event] ignoring udev action bind +libusb: error [udev_hotplug_event] ignoring udev action bind +libusb: error [_open_sysfs_attr] open /sys/bus/usb/devices/5-1/bConfigurationValue failed ret=-1 errno=2 +libusb: error [_get_usbfs_fd] File doesn't exist, wait 10 ms and try again + +libusb: error [_get_usbfs_fd] libusb couldn't open USB device /dev/bus/usb/005/026: No such file or directory + +The result of this is that the device remains permanently unusable in the guest. +The same problem has been previously reported for an iPad: +https://stackoverflow.com/questions/52617634/how-do-i-get-qemu-usb-passthrough-to-work-for-ipad-iphone + +This problem can be elegantly solved by interrupting step 2) above. Instead of +passing through the reset, QEMU simply ignores it. To allow this to be +configured on a per-device level, a new parameter "no_guest_reset" is +introduced for the usb-host device. I can confirm that the configuration +described above (iPhone XS + Mojave guest) works flawlessly with +no_guest_reset=True specified. + +Working command line for my scenario: +device_add usb-host,vendorid=0x05ac,productid=0x12a8,no_guest_reset=True,id=iphone + +Best regards +Alexander + +Signed-off-by: Alexander Kappner +Signed-off-by: Gerd Hoffmann +Message-id: 20190128140027.9448-1-kraxel@redhat.com + +[ kraxel: rename parameter to "guest-reset" ] + +Signed-off-by: Gerd Hoffmann +(cherry picked from commit ba4c735b4fc74e309ce4b2551d258e442ef513a5) +Signed-off-by: Danilo C. L. de Paula +--- + hw/usb/host-libusb.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c +index f31e9cb..d82a10a 100644 +--- a/hw/usb/host-libusb.c ++++ b/hw/usb/host-libusb.c +@@ -82,7 +82,7 @@ struct USBHostDevice { + uint32_t options; + uint32_t loglevel; + bool needs_autoscan; +- ++ bool allow_guest_reset; + /* state */ + QTAILQ_ENTRY(USBHostDevice) next; + int seen, errcount; +@@ -1451,6 +1451,10 @@ static void usb_host_handle_reset(USBDevice *udev) + USBHostDevice *s = USB_HOST_DEVICE(udev); + int rc; + ++ if (!s->allow_guest_reset) { ++ return; ++ } ++ + trace_usb_host_reset(s->bus_num, s->addr); + + rc = libusb_reset_device(s->dh); +@@ -1568,6 +1572,7 @@ static Property usb_host_dev_properties[] = { + DEFINE_PROP_UINT32("productid", USBHostDevice, match.product_id, 0), + DEFINE_PROP_UINT32("isobufs", USBHostDevice, iso_urb_count, 4), + DEFINE_PROP_UINT32("isobsize", USBHostDevice, iso_urb_frames, 32), ++ DEFINE_PROP_BOOL("guest-reset", USBHostDevice, allow_guest_reset, true), + DEFINE_PROP_UINT32("loglevel", USBHostDevice, loglevel, + LIBUSB_LOG_LEVEL_WARNING), + DEFINE_PROP_BIT("pipeline", USBHostDevice, options, +-- +1.8.3.1 + diff --git a/SOURCES/kvm-Use-KVM_GET_MSR_INDEX_LIST-for-MSR_IA32_ARCH_CAP.patch b/SOURCES/kvm-Use-KVM_GET_MSR_INDEX_LIST-for-MSR_IA32_ARCH_CAP.patch new file mode 100644 index 0000000..12ea887 --- /dev/null +++ b/SOURCES/kvm-Use-KVM_GET_MSR_INDEX_LIST-for-MSR_IA32_ARCH_CAP.patch @@ -0,0 +1,76 @@ +From ff712825c31188b19ece7b9388630f6456bb10db Mon Sep 17 00:00:00 2001 +From: "plai@redhat.com" +Date: Tue, 20 Aug 2019 00:24:37 +0100 +Subject: [PATCH 6/9] kvm: Use KVM_GET_MSR_INDEX_LIST for + MSR_IA32_ARCH_CAPABILITIES support + +RH-Author: plai@redhat.com +Message-id: <1566260680-20995-7-git-send-email-plai@redhat.com> +Patchwork-id: 90065 +O-Subject: [RHEL8.0 qemu-kvm PATCH v3 6/9] kvm: Use KVM_GET_MSR_INDEX_LIST for MSR_IA32_ARCH_CAPABILITIES support +Bugzilla: 1718235 +RH-Acked-by: Eduardo Habkost +RH-Acked-by: John Snow +RH-Acked-by: Igor Mammedov + +From: Bandan Das + +When writing to guest's MSR_IA32_ARCH_CAPABILITIES, check whether it's +supported in the guest using the KVM_GET_MSR_INDEX_LIST ioctl. + +Fixes: d86f963694df27f11b3681ffd225c9362de1b634 +Suggested-by: Eduardo Habkost +Tested-by: balducci@units.it +Signed-off-by: Bandan Das +Message-Id: +Signed-off-by: Eduardo Habkost +(cherry picked from commit aec5e9c3a94cf8b7920f59bef69a6f426092c4a0) +Signed-off-by: Paul Lai +Signed-off-by: Danilo C. L. de Paula +--- + target/i386/kvm.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/target/i386/kvm.c b/target/i386/kvm.c +index d2cb91e..6f661b2 100644 +--- a/target/i386/kvm.c ++++ b/target/i386/kvm.c +@@ -94,6 +94,7 @@ static bool has_msr_xss; + static bool has_msr_spec_ctrl; + static bool has_msr_virt_ssbd; + static bool has_msr_smi_count; ++static bool has_msr_arch_capabs; + + static uint32_t has_architectural_pmu_version; + static uint32_t num_architectural_pmu_gp_counters; +@@ -1330,6 +1331,9 @@ static int kvm_get_supported_msrs(KVMState *s) + case MSR_VIRT_SSBD: + has_msr_virt_ssbd = true; + break; ++ case MSR_IA32_ARCH_CAPABILITIES: ++ has_msr_arch_capabs = true; ++ break; + } + } + } +@@ -1834,14 +1838,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level) + #endif + + /* If host supports feature MSR, write down. */ +- if (kvm_feature_msrs) { +- int i; +- for (i = 0; i < kvm_feature_msrs->nmsrs; i++) +- if (kvm_feature_msrs->indices[i] == MSR_IA32_ARCH_CAPABILITIES) { +- kvm_msr_entry_add(cpu, MSR_IA32_ARCH_CAPABILITIES, +- env->features[FEAT_ARCH_CAPABILITIES]); +- break; +- } ++ if (has_msr_arch_capabs) { ++ kvm_msr_entry_add(cpu, MSR_IA32_ARCH_CAPABILITIES, ++ env->features[FEAT_ARCH_CAPABILITIES]); + } + + /* +-- +1.8.3.1 + diff --git a/SOURCES/kvm-i386-Add-CPUID-bit-and-feature-words-for-IA32_ARCH_C.patch b/SOURCES/kvm-i386-Add-CPUID-bit-and-feature-words-for-IA32_ARCH_C.patch new file mode 100644 index 0000000..c1ea31a --- /dev/null +++ b/SOURCES/kvm-i386-Add-CPUID-bit-and-feature-words-for-IA32_ARCH_C.patch @@ -0,0 +1,72 @@ +From e5f76077a47460bcba0bdfc1d70c7b79f84d18b7 Mon Sep 17 00:00:00 2001 +From: "plai@redhat.com" +Date: Tue, 20 Aug 2019 00:24:33 +0100 +Subject: [PATCH 2/9] i386: Add CPUID bit and feature words for + IA32_ARCH_CAPABILITIES MSR + +RH-Author: plai@redhat.com +Message-id: <1566260680-20995-3-git-send-email-plai@redhat.com> +Patchwork-id: 90066 +O-Subject: [RHEL8.0 qemu-kvm PATCH v3 2/9] i386: Add CPUID bit and feature words for IA32_ARCH_CAPABILITIES MSR +Bugzilla: 1718235 +RH-Acked-by: Eduardo Habkost +RH-Acked-by: John Snow +RH-Acked-by: Igor Mammedov + +From: Robert Hoo + +Support of IA32_PRED_CMD MSR already be enumerated by same CPUID bit as +SPEC_CTRL. + +At present, mark CPUID_7_0_EDX_ARCH_CAPABILITIES unmigratable, per Paolo's +comment. + +Signed-off-by: Robert Hoo +Message-Id: <1530781798-183214-3-git-send-email-robert.hu@linux.intel.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit 3fc7c73139d2d38ae80c3b0bc963b1ac1555924c) +Signed-off-by: Paul Lai + +Resolved Conflicts: + target/i386/cpu.c + +Signed-off-by: Danilo C. L. de Paula +--- + target/i386/cpu.c | 3 ++- + target/i386/cpu.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index c979feb..6d38ac0 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -1008,12 +1008,13 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, "spec-ctrl", "stibp", +- NULL, NULL, NULL, "ssbd", ++ NULL, "arch-capabilities", NULL, "ssbd", + }, + .cpuid_eax = 7, + .cpuid_needs_ecx = true, .cpuid_ecx = 0, + .cpuid_reg = R_EDX, + .tcg_features = TCG_7_0_EDX_FEATURES, ++ .unmigratable_flags = CPUID_7_0_EDX_ARCH_CAPABILITIES, + }, + [FEAT_8000_0007_EDX] = { + .feat_names = { +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 1dc565c..e5e5169 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -687,6 +687,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; + #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ + #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ + #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */ ++#define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/ + #define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */ + + #define KVM_HINTS_DEDICATED (1U << 0) +-- +1.8.3.1 + diff --git a/SOURCES/kvm-i386-Add-new-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch b/SOURCES/kvm-i386-Add-new-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch new file mode 100644 index 0000000..c342a58 --- /dev/null +++ b/SOURCES/kvm-i386-Add-new-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch @@ -0,0 +1,50 @@ +From 98e94db3fe3a94ff3b827523ec6cf2a482c8e593 Mon Sep 17 00:00:00 2001 +From: "plai@redhat.com" +Date: Tue, 20 Aug 2019 00:24:32 +0100 +Subject: [PATCH 1/9] i386: Add new MSR indices for IA32_PRED_CMD and + IA32_ARCH_CAPABILITIES + +RH-Author: plai@redhat.com +Message-id: <1566260680-20995-2-git-send-email-plai@redhat.com> +Patchwork-id: 90063 +O-Subject: [RHEL8.0 qemu-kvm PATCH v3 1/9] i386: Add new MSR indices for IA32_PRED_CMD and IA32_ARCH_CAPABILITIES +Bugzilla: 1718235 +RH-Acked-by: Eduardo Habkost +RH-Acked-by: John Snow +RH-Acked-by: Igor Mammedov + +From: Robert Hoo + +IA32_PRED_CMD MSR gives software a way to issue commands that affect the state +of indirect branch predictors. Enumerated by CPUID.(EAX=7H,ECX=0):EDX[26]. +IA32_ARCH_CAPABILITIES MSR enumerates architectural features of RDCL_NO and +IBRS_ALL. Enumerated by CPUID.(EAX=07H, ECX=0):EDX[29]. + +https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf + +Signed-off-by: Robert Hoo +Message-Id: <1530781798-183214-2-git-send-email-robert.hu@linux.intel.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit 8c80c99fcceabd0708a5a83f08577e778c9419f5) +Signed-off-by: Paul Lai +Signed-off-by: Danilo C. L. de Paula +--- + target/i386/cpu.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index fb6caf4..1dc565c 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -352,6 +352,8 @@ typedef enum X86Seg { + #define MSR_TSC_ADJUST 0x0000003b + #define MSR_IA32_SPEC_CTRL 0x48 + #define MSR_VIRT_SSBD 0xc001011f ++#define MSR_IA32_PRED_CMD 0x49 ++#define MSR_IA32_ARCH_CAPABILITIES 0x10a + #define MSR_IA32_TSCDEADLINE 0x6e0 + + #define FEATURE_CONTROL_LOCKED (1<<0) +-- +1.8.3.1 + diff --git a/SOURCES/kvm-i386-Make-arch_capabilities-migratable.patch b/SOURCES/kvm-i386-Make-arch_capabilities-migratable.patch new file mode 100644 index 0000000..755941f --- /dev/null +++ b/SOURCES/kvm-i386-Make-arch_capabilities-migratable.patch @@ -0,0 +1,45 @@ +From c521a837f3490e8f61d129ab1940f8fd76a87b8a Mon Sep 17 00:00:00 2001 +From: "plai@redhat.com" +Date: Tue, 20 Aug 2019 00:24:39 +0100 +Subject: [PATCH 8/9] i386: Make arch_capabilities migratable + +RH-Author: plai@redhat.com +Message-id: <1566260680-20995-9-git-send-email-plai@redhat.com> +Patchwork-id: 90067 +O-Subject: [RHEL8.0 qemu-kvm PATCH v3 8/9] i386: Make arch_capabilities migratable +Bugzilla: 1718235 +RH-Acked-by: Eduardo Habkost +RH-Acked-by: John Snow +RH-Acked-by: Igor Mammedov + +From: Eduardo Habkost + +Now that kvm_arch_get_supported_cpuid() will only return +arch_capabilities if QEMU is able to initialize the MSR properly, +we know that the feature is safely migratable. + +Signed-off-by: Eduardo Habkost +Message-Id: <20190125220606.4864-3-ehabkost@redhat.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit 014018e19b3c54dd1bf5072bc912ceffea40abe8) +Signed-off-by: Paul Lai +Signed-off-by: Danilo C. L. de Paula +--- + target/i386/cpu.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index fbcf124..365c92c 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -1053,7 +1053,6 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + .reg = R_EDX, + }, + .tcg_features = TCG_7_0_EDX_FEATURES, +- .unmigratable_flags = CPUID_7_0_EDX_ARCH_CAPABILITIES, + }, + [FEAT_8000_0007_EDX] = { + .type = CPUID_FEATURE_WORD, +-- +1.8.3.1 + diff --git a/SOURCES/kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch b/SOURCES/kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch new file mode 100644 index 0000000..1273172 --- /dev/null +++ b/SOURCES/kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch @@ -0,0 +1,70 @@ +From 2a73dad9463a9969e14f2496bad362547c5976eb Mon Sep 17 00:00:00 2001 +From: "plai@redhat.com" +Date: Tue, 20 Aug 2019 00:24:38 +0100 +Subject: [PATCH 7/9] i386: kvm: Disable arch_capabilities if MSR can't be set + +RH-Author: plai@redhat.com +Message-id: <1566260680-20995-8-git-send-email-plai@redhat.com> +Patchwork-id: 90068 +O-Subject: [RHEL8.0 qemu-kvm PATCH v3 7/9] i386: kvm: Disable arch_capabilities if MSR can't be set +Bugzilla: 1718235 +RH-Acked-by: Eduardo Habkost +RH-Acked-by: John Snow +RH-Acked-by: Igor Mammedov + +From: Eduardo Habkost + +KVM has two bugs in the handling of MSR_IA32_ARCH_CAPABILITIES: + +1) Linux commit commit 1eaafe91a0df ("kvm: x86: IA32_ARCH_CAPABILITIES + is always supported") makes GET_SUPPORTED_CPUID return + arch_capabilities even if running on SVM. This makes "-cpu + host,migratable=off" incorrectly expose arch_capabilities on CPUID on + AMD hosts (where the MSR is not emulated by KVM). + +2) KVM_GET_MSR_INDEX_LIST does not return MSR_IA32_ARCH_CAPABILITIES if + the MSR is not supported by the host CPU. This makes QEMU not + initialize the MSR properly at kvm_put_msrs() on those hosts. + +Work around both bugs on the QEMU side, by checking if the MSR +was returned by KVM_GET_MSR_INDEX_LIST before returning the +feature flag on kvm_arch_get_supported_cpuid(). + +This has the unfortunate side effect of making arch_capabilities +unavailable on hosts without hardware support for the MSR until bug #2 +is fixed on KVM, but I can't see another way to work around bug #1 +without that side effect. + +Signed-off-by: Eduardo Habkost +Message-Id: <20190125220606.4864-2-ehabkost@redhat.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit 485b1d256bcb0874bcde0223727c159b6837e6f8) +Signed-off-by: Paul Lai +Signed-off-by: Danilo C. L. de Paula +--- + target/i386/kvm.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/target/i386/kvm.c b/target/i386/kvm.c +index 6f661b2..e783427 100644 +--- a/target/i386/kvm.c ++++ b/target/i386/kvm.c +@@ -374,6 +374,15 @@ uint32_t kvm_arch_get_supported_cpuid(KVMState *s, uint32_t function, + if (host_tsx_blacklisted()) { + ret &= ~(CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_HLE); + } ++ } else if (function == 7 && index == 0 && reg == R_EDX) { ++ /* ++ * Linux v4.17-v4.20 incorrectly return ARCH_CAPABILITIES on SVM hosts. ++ * We can detect the bug by checking if MSR_IA32_ARCH_CAPABILITIES is ++ * returned by KVM_GET_MSR_INDEX_LIST. ++ */ ++ if (!has_msr_arch_capabs) { ++ ret &= ~CPUID_7_0_EDX_ARCH_CAPABILITIES; ++ } + } else if (function == 0x80000001 && reg == R_ECX) { + /* + * It's safe to enable TOPOEXT even if it's not returned by +-- +1.8.3.1 + diff --git a/SOURCES/kvm-scsi-disk-Acquire-the-AioContext-in-scsi_-_realize.patch b/SOURCES/kvm-scsi-disk-Acquire-the-AioContext-in-scsi_-_realize.patch new file mode 100644 index 0000000..fc0576a --- /dev/null +++ b/SOURCES/kvm-scsi-disk-Acquire-the-AioContext-in-scsi_-_realize.patch @@ -0,0 +1,191 @@ +From e0999eaacc6e74f5e56f51fcf3b3d7aeca7d3b04 Mon Sep 17 00:00:00 2001 +From: Markus Armbruster +Date: Thu, 6 Jun 2019 19:15:23 +0100 +Subject: [PATCH 6/7] scsi-disk: Acquire the AioContext in scsi_*_realize() + +RH-Author: Markus Armbruster +Message-id: <20190606191524.30797-3-armbru@redhat.com> +Patchwork-id: 88605 +O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 2/3] scsi-disk: Acquire the AioContext in scsi_*_realize() +Bugzilla: 1718992 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Kevin Wolf + +From: Alberto Garcia + +This fixes a crash when attaching two disks with the same blockdev to +a SCSI device that is using iothreads. Test case included. + +Signed-off-by: Alberto Garcia +Signed-off-by: Kevin Wolf +(cherry picked from commit 3ff35ba391134e4e43ab96152deb38a62e62f858) +[Trivial conflict in hw/scsi/scsi-disk.c due to lack of commit +51f43d5792e resolved] +Signed-off-by: Markus Armbruster + +Signed-off-by: Danilo C. L. de Paula +--- + hw/scsi/scsi-disk.c | 23 ++++++++++++++++++++--- + tests/qemu-iotests/240 | 18 ++++++++++++++++++ + tests/qemu-iotests/240.out | 16 ++++++++++++++++ + 3 files changed, 54 insertions(+), 3 deletions(-) + +diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c +index a20ef91..08da23d 100644 +--- a/hw/scsi/scsi-disk.c ++++ b/hw/scsi/scsi-disk.c +@@ -2378,10 +2378,13 @@ static void scsi_realize(SCSIDevice *dev, Error **errp) + static void scsi_hd_realize(SCSIDevice *dev, Error **errp) + { + SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev); ++ AioContext *ctx = NULL; + /* can happen for devices without drive. The error message for missing + * backend will be issued in scsi_realize + */ + if (s->qdev.conf.blk) { ++ ctx = blk_get_aio_context(s->qdev.conf.blk); ++ aio_context_acquire(ctx); + blkconf_blocksizes(&s->qdev.conf); + } + s->qdev.blocksize = s->qdev.conf.logical_block_size; +@@ -2390,11 +2393,15 @@ static void scsi_hd_realize(SCSIDevice *dev, Error **errp) + s->product = g_strdup("QEMU HARDDISK"); + } + scsi_realize(&s->qdev, errp); ++ if (ctx) { ++ aio_context_release(ctx); ++ } + } + + static void scsi_cd_realize(SCSIDevice *dev, Error **errp) + { + SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev); ++ AioContext *ctx; + int ret; + + if (!dev->conf.blk) { +@@ -2405,6 +2412,8 @@ static void scsi_cd_realize(SCSIDevice *dev, Error **errp) + assert(ret == 0); + } + ++ ctx = blk_get_aio_context(dev->conf.blk); ++ aio_context_acquire(ctx); + s->qdev.blocksize = 2048; + s->qdev.type = TYPE_ROM; + s->features |= 1 << SCSI_DISK_F_REMOVABLE; +@@ -2412,6 +2421,7 @@ static void scsi_cd_realize(SCSIDevice *dev, Error **errp) + s->product = g_strdup("QEMU CD-ROM"); + } + scsi_realize(&s->qdev, errp); ++ aio_context_release(ctx); + } + + static void scsi_disk_realize(SCSIDevice *dev, Error **errp) +@@ -2550,6 +2560,7 @@ static int get_device_type(SCSIDiskState *s) + static void scsi_block_realize(SCSIDevice *dev, Error **errp) + { + SCSIDiskState *s = DO_UPCAST(SCSIDiskState, qdev, dev); ++ AioContext *ctx; + int sg_version; + int rc; + +@@ -2558,6 +2569,9 @@ static void scsi_block_realize(SCSIDevice *dev, Error **errp) + return; + } + ++ ctx = blk_get_aio_context(s->qdev.conf.blk); ++ aio_context_acquire(ctx); ++ + /* check we are using a driver managing SG_IO (version 3 and after) */ + rc = blk_ioctl(s->qdev.conf.blk, SG_GET_VERSION_NUM, &sg_version); + if (rc < 0) { +@@ -2565,18 +2579,18 @@ static void scsi_block_realize(SCSIDevice *dev, Error **errp) + if (rc != -EPERM) { + error_append_hint(errp, "Is this a SCSI device?\n"); + } +- return; ++ goto out; + } + if (sg_version < 30000) { + error_setg(errp, "scsi generic interface too old"); +- return; ++ goto out; + } + + /* get device type from INQUIRY data */ + rc = get_device_type(s); + if (rc < 0) { + error_setg(errp, "INQUIRY failed"); +- return; ++ goto out; + } + + /* Make a guess for the block size, we'll fix it when the guest sends. +@@ -2596,6 +2610,9 @@ static void scsi_block_realize(SCSIDevice *dev, Error **errp) + + scsi_realize(&s->qdev, errp); + scsi_generic_read_device_inquiry(&s->qdev); ++ ++out: ++ aio_context_release(ctx); + } + + typedef struct SCSIBlockReq { +diff --git a/tests/qemu-iotests/240 b/tests/qemu-iotests/240 +index ead7ee0..5d499c9 100755 +--- a/tests/qemu-iotests/240 ++++ b/tests/qemu-iotests/240 +@@ -83,6 +83,24 @@ run_qemu < +Date: Mon, 8 Jul 2019 15:50:28 +0100 +Subject: [PATCH 1/7] slirp: check sscanf result when emulating ident +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +Message-id: <20190708155031.7778-2-philmd@redhat.com> +Patchwork-id: 89431 +O-Subject: [RHEL-8.0.0 qemu-kvm PATCH 1/4] slirp: check sscanf result when emulating ident +Bugzilla: 1732324 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Stefano Garzarella + +From: William Bowling + +When emulating ident in tcp_emu, if the strchr checks passed but the +sscanf check failed, two uninitialized variables would be copied and +sent in the reply, so move this code inside the if(sscanf()) clause. + +Signed-off-by: William Bowling +Cc: qemu-stable@nongnu.org +Cc: secalert@redhat.com +Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info> +Signed-off-by: Samuel Thibault +Reviewed-by: Philippe Mathieu-Daudé +(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113) +Fixes: CVE-2019-9824 +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Danilo C. L. de Paula +--- + slirp/tcp_subr.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index 1c7eb28..af1b3eb 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -665,12 +665,12 @@ tcp_emu(struct socket *so, struct mbuf *m) + break; + } + } ++ so_rcv->sb_cc = snprintf(so_rcv->sb_data, ++ so_rcv->sb_datalen, ++ "%d,%d\r\n", n1, n2); ++ so_rcv->sb_rptr = so_rcv->sb_data; ++ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc; + } +- so_rcv->sb_cc = snprintf(so_rcv->sb_data, +- so_rcv->sb_datalen, +- "%d,%d\r\n", n1, n2); +- so_rcv->sb_rptr = so_rcv->sb_data; +- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc; + } + m_free(m); + return 0; +-- +1.8.3.1 + diff --git a/SOURCES/kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch b/SOURCES/kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch new file mode 100644 index 0000000..c1dad3c --- /dev/null +++ b/SOURCES/kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch @@ -0,0 +1,131 @@ +From a89949eb46b41533234c4dea0e5a011bc2e583ea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Mon, 8 Jul 2019 15:50:31 +0100 +Subject: [PATCH 4/7] slirp: don't manipulate so_rcv in tcp_emu() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +Message-id: <20190708155031.7778-5-philmd@redhat.com> +Patchwork-id: 89428 +O-Subject: [RHEL-8.0.0 qemu-kvm PATCH 4/4] slirp: don't manipulate so_rcv in tcp_emu() +Bugzilla: 1732324 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Stefano Garzarella + +From: Marc-André Lureau + +For some reason, EMU_IDENT is not like other "emulated" protocols and +tries to reconstitute the original buffer, if it came in multiple +packets. Unfortunately, it does so wrongly, as it doesn't respect the +sbuf circular buffer appending rules, nor does it maintain some of the +invariants (rptr is incremented without bounds, etc): this leads to +further memory corruption revealed by ASAN or various malloc +errors. Furthermore, the so_rcv buffer is regularly flushed, so there +is no guarantee that buffer reconstruction will do what is expected. + +Instead, do what the function comment says: "XXX Assumes the whole +command came in one packet", and don't touch so_rcv. + +Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1664205 + +Cc: Prasad J Pandit +Signed-off-by: Marc-André Lureau + +(cherry picked from libslirp commit +9da0da837780f825b5db31db6620492f8b7cd5d6) +[ MA - backported with style conflicts, and without qemu commit +a7104eda7dab99d0cdbd3595c211864cba415905 which is unnecessary with +this patch ] +Signed-off-by: Marc-André Lureau +Signed-off-by: Philippe Mathieu-Daudé + +Signed-off-by: Danilo C. L. de Paula +--- + slirp/tcp_subr.c | 62 ++++++++++++++++++++++++-------------------------------- + 1 file changed, 27 insertions(+), 35 deletions(-) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index e245e0d..0152f72 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -636,47 +636,39 @@ tcp_emu(struct socket *so, struct mbuf *m) + struct socket *tmpso; + struct sockaddr_in addr; + socklen_t addrlen = sizeof(struct sockaddr_in); +- struct sbuf *so_rcv = &so->so_rcv; ++ char *eol = g_strstr_len(m->m_data, m->m_len, "\r\n"); + +- if (m->m_len > so_rcv->sb_datalen +- - (so_rcv->sb_wptr - so_rcv->sb_data)) { +- return 1; ++ if (!eol) { ++ return 1; + } + +- memcpy(so_rcv->sb_wptr, m->m_data, m->m_len); +- so_rcv->sb_wptr += m->m_len; +- so_rcv->sb_rptr += m->m_len; +- m_inc(m, m->m_len + 1); +- m->m_data[m->m_len] = 0; /* NULL terminate */ +- if (strchr(m->m_data, '\r') || strchr(m->m_data, '\n')) { +- if (sscanf(so_rcv->sb_data, "%u%*[ ,]%u", &n1, &n2) == 2) { +- HTONS(n1); +- HTONS(n2); +- /* n2 is the one on our host */ +- for (tmpso = slirp->tcb.so_next; +- tmpso != &slirp->tcb; +- tmpso = tmpso->so_next) { +- if (tmpso->so_laddr.s_addr == so->so_laddr.s_addr && +- tmpso->so_lport == n2 && +- tmpso->so_faddr.s_addr == so->so_faddr.s_addr && +- tmpso->so_fport == n1) { +- if (getsockname(tmpso->s, +- (struct sockaddr *)&addr, &addrlen) == 0) +- n2 = addr.sin_port; +- break; +- } ++ *eol = '\0'; ++ if (sscanf(m->m_data, "%u%*[ ,]%u", &n1, &n2) == 2) { ++ HTONS(n1); ++ HTONS(n2); ++ /* n2 is the one on our host */ ++ for (tmpso = slirp->tcb.so_next; tmpso != &slirp->tcb; ++ tmpso = tmpso->so_next) { ++ if (tmpso->so_laddr.s_addr == so->so_laddr.s_addr && ++ tmpso->so_lport == n2 && ++ tmpso->so_faddr.s_addr == so->so_faddr.s_addr && ++ tmpso->so_fport == n1) { ++ if (getsockname(tmpso->s, (struct sockaddr *)&addr, ++ &addrlen) == 0) ++ n2 = addr.sin_port; ++ break; + } +- NTOHS(n1); +- NTOHS(n2); +- so_rcv->sb_cc = snprintf(so_rcv->sb_data, +- so_rcv->sb_datalen, +- "%d,%d\r\n", n1, n2); +- so_rcv->sb_rptr = so_rcv->sb_data; +- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc; + } ++ NTOHS(n1); ++ NTOHS(n2); ++ m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1); ++ m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2); ++ assert(m->m_len < M_ROOM(m)); ++ } else { ++ *eol = '\r'; + } +- m_free(m); +- return 0; ++ ++ return 1; + } + + case EMU_FTP: /* ftp */ +-- +1.8.3.1 + diff --git a/SOURCES/kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch b/SOURCES/kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch new file mode 100644 index 0000000..e3a828a --- /dev/null +++ b/SOURCES/kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch @@ -0,0 +1,68 @@ +From 3bcddec301bcc3c251b4aab0446427de5fe35c57 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Mon, 8 Jul 2019 15:50:30 +0100 +Subject: [PATCH 3/7] slirp: ensure there is enough space in mbuf to + null-terminate +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +Message-id: <20190708155031.7778-4-philmd@redhat.com> +Patchwork-id: 89430 +O-Subject: [RHEL-8.0.0 qemu-kvm PATCH 3/4] slirp: ensure there is enough space in mbuf to null-terminate +Bugzilla: 1732324 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Stefano Garzarella + +From: Marc-André Lureau + +Prevents from buffer overflows. +Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1664205 + +Cc: Prasad J Pandit +Signed-off-by: Marc-André Lureau + +(cherry picked from libslirp commit +306fef58b54d793ba4b259728c21322765bda917) +[ MA - backported with style conflicts fixes ] +Signed-off-by: Marc-André Lureau +Signed-off-by: Philippe Mathieu-Daudé + +Signed-off-by: Danilo C. L. de Paula +--- + slirp/tcp_subr.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index 393447d..e245e0d 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -646,6 +646,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + memcpy(so_rcv->sb_wptr, m->m_data, m->m_len); + so_rcv->sb_wptr += m->m_len; + so_rcv->sb_rptr += m->m_len; ++ m_inc(m, m->m_len + 1); + m->m_data[m->m_len] = 0; /* NULL terminate */ + if (strchr(m->m_data, '\r') || strchr(m->m_data, '\n')) { + if (sscanf(so_rcv->sb_data, "%u%*[ ,]%u", &n1, &n2) == 2) { +@@ -679,6 +680,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + } + + case EMU_FTP: /* ftp */ ++ m_inc(m, m->m_len + 1); + *(m->m_data+m->m_len) = 0; /* NUL terminate for strstr */ + if ((bptr = (char *)strstr(m->m_data, "ORT")) != NULL) { + /* +@@ -776,6 +778,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + /* + * Need to emulate DCC CHAT, DCC SEND and DCC MOVE + */ ++ m_inc(m, m->m_len + 1); + *(m->m_data+m->m_len) = 0; /* NULL terminate the string for strstr */ + if ((bptr = (char *)strstr(m->m_data, "DCC")) == NULL) + return 1; +-- +1.8.3.1 + diff --git a/SOURCES/kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch b/SOURCES/kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch new file mode 100644 index 0000000..cf0c398 --- /dev/null +++ b/SOURCES/kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch @@ -0,0 +1,49 @@ +From 9ab58e678a85d9f7ec27c2a20ff10c17aa77f9e2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Mon, 8 Jul 2019 15:50:29 +0100 +Subject: [PATCH 2/7] slirp: fix big/little endian conversion in ident protocol +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +Message-id: <20190708155031.7778-3-philmd@redhat.com> +Patchwork-id: 89427 +O-Subject: [RHEL-8.0.0 qemu-kvm PATCH 2/4] slirp: fix big/little endian conversion in ident protocol +Bugzilla: 1732324 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Marc-André Lureau +RH-Acked-by: Stefano Garzarella + +From: Samuel Thibault + +Signed-off-by: Samuel Thibault +Reviewed-by: Philippe Mathieu-Daudé +(cherry picked from commit 1fd71067dae501f1c78618e9583c6cc72db0cfa6) +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Danilo C. L. de Paula +--- + slirp/tcp_subr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index af1b3eb..393447d 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -661,10 +661,12 @@ tcp_emu(struct socket *so, struct mbuf *m) + tmpso->so_fport == n1) { + if (getsockname(tmpso->s, + (struct sockaddr *)&addr, &addrlen) == 0) +- n2 = ntohs(addr.sin_port); ++ n2 = addr.sin_port; + break; + } + } ++ NTOHS(n1); ++ NTOHS(n2); + so_rcv->sb_cc = snprintf(so_rcv->sb_data, + so_rcv->sb_datalen, + "%d,%d\r\n", n1, n2); +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-add-MDS-NO-feature.patch b/SOURCES/kvm-target-i386-add-MDS-NO-feature.patch new file mode 100644 index 0000000..ad49667 --- /dev/null +++ b/SOURCES/kvm-target-i386-add-MDS-NO-feature.patch @@ -0,0 +1,50 @@ +From 43f2e3a36586d9e7e12e5638ae19837f726490ff Mon Sep 17 00:00:00 2001 +From: "plai@redhat.com" +Date: Tue, 20 Aug 2019 00:24:40 +0100 +Subject: [PATCH 9/9] target/i386: add MDS-NO feature + +RH-Author: plai@redhat.com +Message-id: <1566260680-20995-10-git-send-email-plai@redhat.com> +Patchwork-id: 90071 +O-Subject: [RHEL8.0 qemu-kvm PATCH v3 9/9] target/i386: add MDS-NO feature +Bugzilla: 1718235 +RH-Acked-by: Eduardo Habkost +RH-Acked-by: John Snow +RH-Acked-by: Igor Mammedov + +From: Paolo Bonzini + +Microarchitectural Data Sampling is a hardware vulnerability which allows +unprivileged speculative access to data which is available in various CPU +internal buffers. + +Some Intel processors use the ARCH_CAP_MDS_NO bit in the +IA32_ARCH_CAPABILITIES +MSR to report that they are not vulnerable, make it available to guests. + +Signed-off-by: Paolo Bonzini +Message-Id: <20190516185320.28340-1-pbonzini@redhat.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit 20140a82c67467f53814ca197403d5e1b561a5e5) +Signed-off-by: Paul Lai +Signed-off-by: Danilo C. L. de Paula +--- + target/i386/cpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 365c92c..07ec8bc 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -1147,7 +1147,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + .type = MSR_FEATURE_WORD, + .feat_names = { + "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry", +- "ssb-no", NULL, NULL, NULL, ++ "ssb-no", "mds-no", NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +-- +1.8.3.1 + diff --git a/SOURCES/kvm-usb-call-reset-handler-before-updating-state.patch b/SOURCES/kvm-usb-call-reset-handler-before-updating-state.patch new file mode 100644 index 0000000..9913b7c --- /dev/null +++ b/SOURCES/kvm-usb-call-reset-handler-before-updating-state.patch @@ -0,0 +1,47 @@ +From 4ab6c32432b80103b72b412e0e849cdb087c6e78 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 4 Jun 2019 05:12:44 +0100 +Subject: [PATCH 2/5] usb: call reset handler before updating state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Gerd Hoffmann +Message-id: <20190604051246.11374-3-kraxel@redhat.com> +Patchwork-id: 88471 +O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 2/4] usb: call reset handler before updating state +Bugzilla: 1719228 +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Max Reitz + +That way the device reset handler can see what +the before-reset state of the device is. + +Signed-off-by: Gerd Hoffmann +Message-id: 20190522094702.17619-2-kraxel@redhat.com +(cherry picked from commit 7ed4657396add28382081a15557c78cd480c1cf1) +Signed-off-by: Danilo C. L. de Paula +--- + hw/usb/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/usb/core.c b/hw/usb/core.c +index 241ae66..07b67fb 100644 +--- a/hw/usb/core.c ++++ b/hw/usb/core.c +@@ -87,10 +87,10 @@ void usb_device_reset(USBDevice *dev) + if (dev == NULL || !dev->attached) { + return; + } ++ usb_device_handle_reset(dev); + dev->remote_wakeup = 0; + dev->addr = 0; + dev->state = USB_STATE_DEFAULT; +- usb_device_handle_reset(dev); + } + + void usb_wakeup(USBEndpoint *ep, unsigned int stream) +-- +1.8.3.1 + diff --git a/SOURCES/kvm-usb-host-avoid-libusb_set_configuration-calls.patch b/SOURCES/kvm-usb-host-avoid-libusb_set_configuration-calls.patch new file mode 100644 index 0000000..4d18d92 --- /dev/null +++ b/SOURCES/kvm-usb-host-avoid-libusb_set_configuration-calls.patch @@ -0,0 +1,68 @@ +From 78a7dce49a0e3747e5aab9791434cb71297baf42 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 4 Jun 2019 05:12:46 +0100 +Subject: [PATCH 4/5] usb-host: avoid libusb_set_configuration calls +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Gerd Hoffmann +Message-id: <20190604051246.11374-5-kraxel@redhat.com> +Patchwork-id: 88472 +O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 4/4] usb-host: avoid libusb_set_configuration calls +Bugzilla: 1719228 +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Max Reitz + +Seems some devices become confused when we call +libusb_set_configuration(). So before calling the function check +whenever the device has multiple configurations in the first place, and +in case it hasn't (which is the case for the majority of devices) simply +skip the call as it will have no effect anyway. + +Signed-off-by: Gerd Hoffmann +Message-id: 20190522094702.17619-4-kraxel@redhat.com +(cherry picked from commit bfe44898848614cfcb3a269bc965afbe1f0f331c) +Signed-off-by: Danilo C. L. de Paula +--- + hw/usb/host-libusb.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c +index dd3ed02..587ff70 100644 +--- a/hw/usb/host-libusb.c ++++ b/hw/usb/host-libusb.c +@@ -1220,19 +1220,21 @@ static void usb_host_set_address(USBHostDevice *s, int addr) + + static void usb_host_set_config(USBHostDevice *s, int config, USBPacket *p) + { +- int rc; ++ int rc = 0; + + trace_usb_host_set_config(s->bus_num, s->addr, config); + + usb_host_release_interfaces(s); +- rc = libusb_set_configuration(s->dh, config); +- if (rc != 0) { +- usb_host_libusb_error("libusb_set_configuration", rc); +- p->status = USB_RET_STALL; +- if (rc == LIBUSB_ERROR_NO_DEVICE) { +- usb_host_nodev(s); ++ if (s->ddesc.bNumConfigurations != 1) { ++ rc = libusb_set_configuration(s->dh, config); ++ if (rc != 0) { ++ usb_host_libusb_error("libusb_set_configuration", rc); ++ p->status = USB_RET_STALL; ++ if (rc == LIBUSB_ERROR_NO_DEVICE) { ++ usb_host_nodev(s); ++ } ++ return; + } +- return; + } + p->status = usb_host_claim_interfaces(s, config); + if (p->status != USB_RET_SUCCESS) { +-- +1.8.3.1 + diff --git a/SOURCES/kvm-usb-host-skip-reset-for-untouched-devices.patch b/SOURCES/kvm-usb-host-skip-reset-for-untouched-devices.patch new file mode 100644 index 0000000..bc3dae0 --- /dev/null +++ b/SOURCES/kvm-usb-host-skip-reset-for-untouched-devices.patch @@ -0,0 +1,46 @@ +From e1ceffd58a4fc842c2a31c977c24e3ac0ced42a5 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 4 Jun 2019 05:12:45 +0100 +Subject: [PATCH 3/5] usb-host: skip reset for untouched devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Gerd Hoffmann +Message-id: <20190604051246.11374-4-kraxel@redhat.com> +Patchwork-id: 88474 +O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 3/4] usb-host: skip reset for untouched devices +Bugzilla: 1719228 +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Max Reitz + +If the guest didn't talk to the device yet, skip the reset. +Without this usb-host devices get resetted a number of times +at boot time for no good reason. + +Signed-off-by: Gerd Hoffmann +Message-id: 20190522094702.17619-3-kraxel@redhat.com +(cherry picked from commit 65f14ab98da1da920f98ee8734dc1588b01d6b2b) +Signed-off-by: Danilo C. L. de Paula +--- + hw/usb/host-libusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/usb/host-libusb.c b/hw/usb/host-libusb.c +index d82a10a..dd3ed02 100644 +--- a/hw/usb/host-libusb.c ++++ b/hw/usb/host-libusb.c +@@ -1454,6 +1454,9 @@ static void usb_host_handle_reset(USBDevice *udev) + if (!s->allow_guest_reset) { + return; + } ++ if (udev->addr == 0) { ++ return; ++ } + + trace_usb_host_reset(s->bus_num, s->addr); + +-- +1.8.3.1 + diff --git a/SOURCES/kvm-virtio-scsi-Forbid-devices-with-different-iothreads-.patch b/SOURCES/kvm-virtio-scsi-Forbid-devices-with-different-iothreads-.patch new file mode 100644 index 0000000..27676bc --- /dev/null +++ b/SOURCES/kvm-virtio-scsi-Forbid-devices-with-different-iothreads-.patch @@ -0,0 +1,117 @@ +From 98d938374f47c7473366706aa5f5754d9b752eea Mon Sep 17 00:00:00 2001 +From: Markus Armbruster +Date: Thu, 6 Jun 2019 19:15:24 +0100 +Subject: [PATCH 7/7] virtio-scsi: Forbid devices with different iothreads + sharing a blockdev + +RH-Author: Markus Armbruster +Message-id: <20190606191524.30797-4-armbru@redhat.com> +Patchwork-id: 88608 +O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 3/3] virtio-scsi: Forbid devices with different iothreads sharing a blockdev +Bugzilla: 1718992 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Kevin Wolf + +From: Alberto Garcia + +This patch forbids attaching a disk to a SCSI device if its using a +different AioContext. Test case included. + +Signed-off-by: Alberto Garcia +Signed-off-by: Kevin Wolf +(cherry picked from commit eb97813ff5fd5bdffc8ed9f5be5a3a50eae70a2c) +Signed-off-by: Markus Armbruster +Signed-off-by: Danilo C. L. de Paula +--- + hw/scsi/virtio-scsi.c | 7 +++++++ + tests/qemu-iotests/240 | 22 ++++++++++++++++++++++ + tests/qemu-iotests/240.out | 20 ++++++++++++++++++++ + 3 files changed, 49 insertions(+) + +diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c +index 85073f6..391500b 100644 +--- a/hw/scsi/virtio-scsi.c ++++ b/hw/scsi/virtio-scsi.c +@@ -800,9 +800,16 @@ static void virtio_scsi_hotplug(HotplugHandler *hotplug_dev, DeviceState *dev, + return; + } + if (s->ctx && !s->dataplane_fenced) { ++ AioContext *ctx; + if (blk_op_is_blocked(sd->conf.blk, BLOCK_OP_TYPE_DATAPLANE, errp)) { + return; + } ++ ctx = blk_get_aio_context(sd->conf.blk); ++ if (ctx != s->ctx && ctx != qemu_get_aio_context()) { ++ error_setg(errp, "Cannot attach a blockdev that is using " ++ "a different iothread"); ++ return; ++ } + virtio_scsi_acquire(s); + blk_set_aio_context(sd->conf.blk, s->ctx); + virtio_scsi_release(s); +diff --git a/tests/qemu-iotests/240 b/tests/qemu-iotests/240 +index 5d499c9..65cc3b3 100755 +--- a/tests/qemu-iotests/240 ++++ b/tests/qemu-iotests/240 +@@ -101,6 +101,28 @@ run_qemu < +Date: Thu, 6 Jun 2019 19:15:22 +0100 +Subject: [PATCH 5/7] virtio-scsi: Move BlockBackend back to the main + AioContext on unplug + +RH-Author: Markus Armbruster +Message-id: <20190606191524.30797-2-armbru@redhat.com> +Patchwork-id: 88607 +O-Subject: [RHEL-8.1.0 qemu-kvm PATCH 1/3] virtio-scsi: Move BlockBackend back to the main AioContext on unplug +Bugzilla: 1718992 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Kevin Wolf + +From: Alberto Garcia + +This fixes a crash when attaching a disk to a SCSI device using +iothreads, then detaching it and reattaching it again. Test case +included. + +Signed-off-by: Alberto Garcia +Signed-off-by: Kevin Wolf +(cherry picked from commit a6f230c8d13a7ff3a0c7f1097412f44bfd9eff0b) +[Trivial conflict in tests/qemu-iotests/group resolved] +Signed-off-by: Markus Armbruster + +Signed-off-by: Danilo C. L. de Paula +--- + hw/scsi/virtio-scsi.c | 6 ++++ + tests/qemu-iotests/240 | 89 ++++++++++++++++++++++++++++++++++++++++++++++ + tests/qemu-iotests/240.out | 18 ++++++++++ + tests/qemu-iotests/group | 1 + + 4 files changed, 114 insertions(+) + create mode 100755 tests/qemu-iotests/240 + create mode 100644 tests/qemu-iotests/240.out + +diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c +index 52a3c1d..85073f6 100644 +--- a/hw/scsi/virtio-scsi.c ++++ b/hw/scsi/virtio-scsi.c +@@ -841,6 +841,12 @@ static void virtio_scsi_hotunplug(HotplugHandler *hotplug_dev, DeviceState *dev, + virtio_scsi_release(s); + } + ++ if (s->ctx) { ++ virtio_scsi_acquire(s); ++ blk_set_aio_context(sd->conf.blk, qemu_get_aio_context()); ++ virtio_scsi_release(s); ++ } ++ + qdev_simple_device_unplug_cb(hotplug_dev, dev, errp); + } + +diff --git a/tests/qemu-iotests/240 b/tests/qemu-iotests/240 +new file mode 100755 +index 0000000..ead7ee0 +--- /dev/null ++++ b/tests/qemu-iotests/240 +@@ -0,0 +1,89 @@ ++#!/bin/bash ++# ++# Test hot plugging and unplugging with iothreads ++# ++# Copyright (C) 2019 Igalia, S.L. ++# Author: Alberto Garcia ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 2 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# ++ ++# creator ++owner=berto@igalia.com ++ ++seq=`basename $0` ++echo "QA output created by $seq" ++ ++status=1 # failure is the default! ++ ++# get standard environment, filters and checks ++. ./common.rc ++. ./common.filter ++ ++_supported_fmt generic ++_supported_proto generic ++_supported_os Linux ++ ++do_run_qemu() ++{ ++ echo Testing: "$@" ++ $QEMU -nographic -qmp stdio -serial none "$@" ++ echo ++} ++ ++# Remove QMP events from (pretty-printed) output. Doesn't handle ++# nested dicts correctly, but we don't get any of those in this test. ++_filter_qmp_events() ++{ ++ tr '\n' '\t' | sed -e \ ++ 's/{\s*"timestamp":\s*{[^}]*},\s*"event":[^,}]*\(,\s*"data":\s*{[^}]*}\)\?\s*}\s*//g' \ ++ | tr '\t' '\n' ++} ++ ++run_qemu() ++{ ++ do_run_qemu "$@" 2>&1 | _filter_qmp | _filter_qmp_events ++} ++ ++case "$QEMU_DEFAULT_MACHINE" in ++ s390-ccw-virtio) ++ virtio_scsi=virtio-scsi-ccw ++ ;; ++ *) ++ virtio_scsi=virtio-scsi-pci ++ ;; ++esac ++ ++echo ++echo === Unplug a SCSI disk and then plug it again === ++echo ++ ++run_qemu < +Date: Tue, 20 Aug 2019 00:24:34 +0100 +Subject: [PATCH 3/9] x86: Data structure changes to support MSR based features + +RH-Author: plai@redhat.com +Message-id: <1566260680-20995-4-git-send-email-plai@redhat.com> +Patchwork-id: 90064 +O-Subject: [RHEL8.0 qemu-kvm PATCH v3 3/9] x86: Data structure changes to support MSR based features +Bugzilla: 1718235 +RH-Acked-by: Eduardo Habkost +RH-Acked-by: John Snow +RH-Acked-by: Igor Mammedov + +From: Robert Hoo + +Add FeatureWordType indicator in struct FeatureWordInfo. +Change feature_word_info[] accordingly. +Change existing functions that refer to feature_word_info[] accordingly. + +Signed-off-by: Robert Hoo +Message-Id: <1539578845-37944-3-git-send-email-robert.hu@linux.intel.com> +[ehabkost: fixed hvf_enabled() case] +Signed-off-by: Eduardo Habkost + +(cherry picked from commit 07585923485952bf4cb7da563c9f91fecc85d09c) +Signed-off-by: Paul Lai +Signed-off-by: Danilo C. L. de Paula +--- + target/i386/cpu.c | 197 +++++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 142 insertions(+), 55 deletions(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 6d38ac0..bbca6f4 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -773,17 +773,36 @@ static void x86_cpu_vendor_words2str(char *dst, uint32_t vendor1, + /* missing: + CPUID_XSAVE_XSAVEC, CPUID_XSAVE_XSAVES */ + ++typedef enum FeatureWordType { ++ CPUID_FEATURE_WORD, ++ MSR_FEATURE_WORD, ++} FeatureWordType; ++ + typedef struct FeatureWordInfo { ++ FeatureWordType type; + /* feature flags names are taken from "Intel Processor Identification and + * the CPUID Instruction" and AMD's "CPUID Specification". + * In cases of disagreement between feature naming conventions, + * aliases may be added. + */ + const char *feat_names[32]; +- uint32_t cpuid_eax; /* Input EAX for CPUID */ +- bool cpuid_needs_ecx; /* CPUID instruction uses ECX as input */ +- uint32_t cpuid_ecx; /* Input ECX value for CPUID */ +- int cpuid_reg; /* output register (R_* constant) */ ++ union { ++ /* If type==CPUID_FEATURE_WORD */ ++ struct { ++ uint32_t eax; /* Input EAX for CPUID */ ++ bool needs_ecx; /* CPUID instruction uses ECX as input */ ++ uint32_t ecx; /* Input ECX value for CPUID */ ++ int reg; /* output register (R_* constant) */ ++ } cpuid; ++ /* If type==MSR_FEATURE_WORD */ ++ struct { ++ uint32_t index; ++ struct { /*CPUID that enumerate this MSR*/ ++ FeatureWord cpuid_class; ++ uint32_t cpuid_flag; ++ } cpuid_dep; ++ } msr; ++ }; + uint32_t tcg_features; /* Feature flags supported by TCG */ + uint32_t unmigratable_flags; /* Feature flags known to be unmigratable */ + uint32_t migratable_flags; /* Feature flags known to be migratable */ +@@ -793,6 +812,7 @@ typedef struct FeatureWordInfo { + + static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + [FEAT_1_EDX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + "fpu", "vme", "de", "pse", + "tsc", "msr", "pae", "mce", +@@ -803,10 +823,11 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + "fxsr", "sse", "sse2", "ss", + "ht" /* Intel htt */, "tm", "ia64", "pbe", + }, +- .cpuid_eax = 1, .cpuid_reg = R_EDX, ++ .cpuid = {.eax = 1, .reg = R_EDX, }, + .tcg_features = TCG_FEATURES, + }, + [FEAT_1_ECX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + "pni" /* Intel,AMD sse3 */, "pclmulqdq", "dtes64", "monitor", + "ds-cpl", "vmx", "smx", "est", +@@ -817,7 +838,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + "tsc-deadline", "aes", "xsave", "osxsave", + "avx", "f16c", "rdrand", "hypervisor", + }, +- .cpuid_eax = 1, .cpuid_reg = R_ECX, ++ .cpuid = { .eax = 1, .reg = R_ECX, }, + .tcg_features = TCG_EXT_FEATURES, + }, + /* Feature names that are already defined on feature_name[] but +@@ -826,6 +847,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + * to features[FEAT_8000_0001_EDX] if and only if CPU vendor is AMD. + */ + [FEAT_8000_0001_EDX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + NULL /* fpu */, NULL /* vme */, NULL /* de */, NULL /* pse */, + NULL /* tsc */, NULL /* msr */, NULL /* pae */, NULL /* mce */, +@@ -836,10 +858,11 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL /* fxsr */, "fxsr-opt", "pdpe1gb", "rdtscp", + NULL, "lm", "3dnowext", "3dnow", + }, +- .cpuid_eax = 0x80000001, .cpuid_reg = R_EDX, ++ .cpuid = { .eax = 0x80000001, .reg = R_EDX, }, + .tcg_features = TCG_EXT2_FEATURES, + }, + [FEAT_8000_0001_ECX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + "lahf-lm", "cmp-legacy", "svm", "extapic", + "cr8legacy", "abm", "sse4a", "misalignsse", +@@ -850,7 +873,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + "perfctr-nb", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +- .cpuid_eax = 0x80000001, .cpuid_reg = R_ECX, ++ .cpuid = { .eax = 0x80000001, .reg = R_ECX, }, + .tcg_features = TCG_EXT3_FEATURES, + /* + * TOPOEXT is always allowed but can't be enabled blindly by +@@ -860,6 +883,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + .no_autoenable_flags = CPUID_EXT3_TOPOEXT, + }, + [FEAT_C000_0001_EDX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + NULL, NULL, "xstore", "xstore-en", + NULL, NULL, "xcrypt", "xcrypt-en", +@@ -870,10 +894,11 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +- .cpuid_eax = 0xC0000001, .cpuid_reg = R_EDX, ++ .cpuid = { .eax = 0xC0000001, .reg = R_EDX, }, + .tcg_features = TCG_EXT4_FEATURES, + }, + [FEAT_KVM] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + "kvmclock", "kvm-nopiodelay", "kvm-mmu", "kvmclock", + "kvm-asyncpf", "kvm-steal-time", "kvm-pv-eoi", "kvm-pv-unhalt", +@@ -884,10 +909,11 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + "kvmclock-stable-bit", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +- .cpuid_eax = KVM_CPUID_FEATURES, .cpuid_reg = R_EAX, ++ .cpuid = { .eax = KVM_CPUID_FEATURES, .reg = R_EAX, }, + .tcg_features = TCG_KVM_FEATURES, + }, + [FEAT_KVM_HINTS] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + "kvm-hint-dedicated", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +@@ -898,7 +924,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +- .cpuid_eax = KVM_CPUID_FEATURES, .cpuid_reg = R_EDX, ++ .cpuid = { .eax = KVM_CPUID_FEATURES, .reg = R_EDX, }, + .tcg_features = TCG_KVM_FEATURES, + /* + * KVM hints aren't auto-enabled by -cpu host, they need to be +@@ -907,6 +933,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + .no_autoenable_flags = ~0U, + }, + [FEAT_HYPERV_EAX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + NULL /* hv_msr_vp_runtime_access */, NULL /* hv_msr_time_refcount_access */, + NULL /* hv_msr_synic_access */, NULL /* hv_msr_stimer_access */, +@@ -920,9 +947,10 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +- .cpuid_eax = 0x40000003, .cpuid_reg = R_EAX, ++ .cpuid = { .eax = 0x40000003, .reg = R_EAX, }, + }, + [FEAT_HYPERV_EBX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + NULL /* hv_create_partitions */, NULL /* hv_access_partition_id */, + NULL /* hv_access_memory_pool */, NULL /* hv_adjust_message_buffers */, +@@ -936,9 +964,10 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +- .cpuid_eax = 0x40000003, .cpuid_reg = R_EBX, ++ .cpuid = { .eax = 0x40000003, .reg = R_EBX, }, + }, + [FEAT_HYPERV_EDX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + NULL /* hv_mwait */, NULL /* hv_guest_debugging */, + NULL /* hv_perf_monitor */, NULL /* hv_cpu_dynamic_part */, +@@ -951,9 +980,10 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +- .cpuid_eax = 0x40000003, .cpuid_reg = R_EDX, ++ .cpuid = { .eax = 0x40000003, .reg = R_EDX, }, + }, + [FEAT_SVM] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + "npt", "lbrv", "svm-lock", "nrip-save", + "tsc-scale", "vmcb-clean", "flushbyasid", "decodeassists", +@@ -964,10 +994,11 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +- .cpuid_eax = 0x8000000A, .cpuid_reg = R_EDX, ++ .cpuid = { .eax = 0x8000000A, .reg = R_EDX, }, + .tcg_features = TCG_SVM_FEATURES, + }, + [FEAT_7_0_EBX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + "fsgsbase", "tsc-adjust", NULL, "bmi1", + "hle", "avx2", NULL, "smep", +@@ -978,12 +1009,15 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + "clwb", "intel-pt", "avx512pf", "avx512er", + "avx512cd", "sha-ni", "avx512bw", "avx512vl", + }, +- .cpuid_eax = 7, +- .cpuid_needs_ecx = true, .cpuid_ecx = 0, +- .cpuid_reg = R_EBX, ++ .cpuid = { ++ .eax = 7, ++ .needs_ecx = true, .ecx = 0, ++ .reg = R_EBX, ++ }, + .tcg_features = TCG_7_0_EBX_FEATURES, + }, + [FEAT_7_0_ECX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + NULL, "avx512vbmi", "umip", "pku", + "ospke", NULL, "avx512vbmi2", NULL, +@@ -994,12 +1028,15 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +- .cpuid_eax = 7, +- .cpuid_needs_ecx = true, .cpuid_ecx = 0, +- .cpuid_reg = R_ECX, ++ .cpuid = { ++ .eax = 7, ++ .needs_ecx = true, .ecx = 0, ++ .reg = R_ECX, ++ }, + .tcg_features = TCG_7_0_ECX_FEATURES, + }, + [FEAT_7_0_EDX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + NULL, NULL, "avx512-4vnniw", "avx512-4fmaps", + NULL, NULL, NULL, NULL, +@@ -1010,13 +1047,16 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, "spec-ctrl", "stibp", + NULL, "arch-capabilities", NULL, "ssbd", + }, +- .cpuid_eax = 7, +- .cpuid_needs_ecx = true, .cpuid_ecx = 0, +- .cpuid_reg = R_EDX, ++ .cpuid = { ++ .eax = 7, ++ .needs_ecx = true, .ecx = 0, ++ .reg = R_EDX, ++ }, + .tcg_features = TCG_7_0_EDX_FEATURES, + .unmigratable_flags = CPUID_7_0_EDX_ARCH_CAPABILITIES, + }, + [FEAT_8000_0007_EDX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +@@ -1027,12 +1067,12 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +- .cpuid_eax = 0x80000007, +- .cpuid_reg = R_EDX, ++ .cpuid = { .eax = 0x80000007, .reg = R_EDX, }, + .tcg_features = TCG_APM_FEATURES, + .unmigratable_flags = CPUID_APM_INVTSC, + }, + [FEAT_8000_0008_EBX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +@@ -1043,12 +1083,12 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, "virt-ssbd", NULL, NULL, + NULL, NULL, NULL, NULL, + }, +- .cpuid_eax = 0x80000008, +- .cpuid_reg = R_EBX, ++ .cpuid = { .eax = 0x80000008, .reg = R_EBX, }, + .tcg_features = 0, + .unmigratable_flags = 0, + }, + [FEAT_XSAVE] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + "xsaveopt", "xsavec", "xgetbv1", "xsaves", + NULL, NULL, NULL, NULL, +@@ -1059,12 +1099,15 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +- .cpuid_eax = 0xd, +- .cpuid_needs_ecx = true, .cpuid_ecx = 1, +- .cpuid_reg = R_EAX, ++ .cpuid = { ++ .eax = 0xd, ++ .needs_ecx = true, .ecx = 1, ++ .reg = R_EAX, ++ }, + .tcg_features = TCG_XSAVE_FEATURES, + }, + [FEAT_6_EAX] = { ++ .type = CPUID_FEATURE_WORD, + .feat_names = { + NULL, NULL, "arat", NULL, + NULL, NULL, NULL, NULL, +@@ -1075,13 +1118,16 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + }, +- .cpuid_eax = 6, .cpuid_reg = R_EAX, ++ .cpuid = { .eax = 6, .reg = R_EAX, }, + .tcg_features = TCG_6_EAX_FEATURES, + }, + [FEAT_XSAVE_COMP_LO] = { +- .cpuid_eax = 0xD, +- .cpuid_needs_ecx = true, .cpuid_ecx = 0, +- .cpuid_reg = R_EAX, ++ .type = CPUID_FEATURE_WORD, ++ .cpuid = { ++ .eax = 0xD, ++ .needs_ecx = true, .ecx = 0, ++ .reg = R_EAX, ++ }, + .tcg_features = ~0U, + .migratable_flags = XSTATE_FP_MASK | XSTATE_SSE_MASK | + XSTATE_YMM_MASK | XSTATE_BNDREGS_MASK | XSTATE_BNDCSR_MASK | +@@ -1089,9 +1135,12 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + XSTATE_PKRU_MASK, + }, + [FEAT_XSAVE_COMP_HI] = { +- .cpuid_eax = 0xD, +- .cpuid_needs_ecx = true, .cpuid_ecx = 0, +- .cpuid_reg = R_EDX, ++ .type = CPUID_FEATURE_WORD, ++ .cpuid = { ++ .eax = 0xD, ++ .needs_ecx = true, .ecx = 0, ++ .reg = R_EDX, ++ }, + .tcg_features = ~0U, + }, + }; +@@ -2846,21 +2895,41 @@ static const TypeInfo host_x86_cpu_type_info = { + + #endif + ++static char *feature_word_description(FeatureWordInfo *f, uint32_t bit) ++{ ++ assert(f->type == CPUID_FEATURE_WORD || f->type == MSR_FEATURE_WORD); ++ ++ switch (f->type) { ++ case CPUID_FEATURE_WORD: ++ { ++ const char *reg = get_register_name_32(f->cpuid.reg); ++ assert(reg); ++ return g_strdup_printf("CPUID.%02XH:%s", ++ f->cpuid.eax, reg); ++ } ++ case MSR_FEATURE_WORD: ++ return g_strdup_printf("MSR(%02XH)", ++ f->msr.index); ++ } ++ ++ return NULL; ++} ++ + static void report_unavailable_features(FeatureWord w, uint32_t mask) + { + FeatureWordInfo *f = &feature_word_info[w]; + int i; ++ char *feat_word_str; + + for (i = 0; i < 32; ++i) { + if ((1UL << i) & mask) { +- const char *reg = get_register_name_32(f->cpuid_reg); +- assert(reg); +- warn_report("%s doesn't support requested feature: " +- "CPUID.%02XH:%s%s%s [bit %d]", ++ feat_word_str = feature_word_description(f, i); ++ warn_report("%s doesn't support requested feature: %s%s%s [bit %d]", + accel_uses_host_cpuid() ? "host" : "TCG", +- f->cpuid_eax, reg, ++ feat_word_str, + f->feat_names[i] ? "." : "", + f->feat_names[i] ? f->feat_names[i] : "", i); ++ g_free(feat_word_str); + } + } + } +@@ -3104,11 +3173,18 @@ static void x86_cpu_get_feature_words(Object *obj, Visitor *v, + + for (w = 0; w < FEATURE_WORDS; w++) { + FeatureWordInfo *wi = &feature_word_info[w]; ++ /* ++ * We didn't have MSR features when "feature-words" was ++ * introduced. Therefore skipped other type entries. ++ */ ++ if (wi->type != CPUID_FEATURE_WORD) { ++ continue; ++ } + X86CPUFeatureWordInfo *qwi = &word_infos[w]; +- qwi->cpuid_input_eax = wi->cpuid_eax; +- qwi->has_cpuid_input_ecx = wi->cpuid_needs_ecx; +- qwi->cpuid_input_ecx = wi->cpuid_ecx; +- qwi->cpuid_register = x86_reg_info_32[wi->cpuid_reg].qapi_enum; ++ qwi->cpuid_input_eax = wi->cpuid.eax; ++ qwi->has_cpuid_input_ecx = wi->cpuid.needs_ecx; ++ qwi->cpuid_input_ecx = wi->cpuid.ecx; ++ qwi->cpuid_register = x86_reg_info_32[wi->cpuid.reg].qapi_enum; + qwi->features = array[w]; + + /* List will be in reverse order, but order shouldn't matter */ +@@ -3464,16 +3540,26 @@ static uint32_t x86_cpu_get_supported_feature_word(FeatureWord w, + bool migratable_only) + { + FeatureWordInfo *wi = &feature_word_info[w]; +- uint32_t r; ++ uint32_t r = 0; + + if (kvm_enabled()) { +- r = kvm_arch_get_supported_cpuid(kvm_state, wi->cpuid_eax, +- wi->cpuid_ecx, +- wi->cpuid_reg); ++ switch (wi->type) { ++ case CPUID_FEATURE_WORD: ++ r = kvm_arch_get_supported_cpuid(kvm_state, wi->cpuid.eax, ++ wi->cpuid.ecx, ++ wi->cpuid.reg); ++ break; ++ case MSR_FEATURE_WORD: ++ r = kvm_arch_get_supported_msr_feature(kvm_state, wi->msr.index); ++ break; ++ } + } else if (hvf_enabled()) { +- r = hvf_get_supported_cpuid(wi->cpuid_eax, +- wi->cpuid_ecx, +- wi->cpuid_reg); ++ if (wi->type != CPUID_FEATURE_WORD) { ++ return 0; ++ } ++ r = hvf_get_supported_cpuid(wi->cpuid.eax, ++ wi->cpuid.ecx, ++ wi->cpuid.reg); + } else if (tcg_enabled()) { + r = wi->tcg_features; + } else { +@@ -4534,9 +4620,10 @@ static void x86_cpu_adjust_feat_level(X86CPU *cpu, FeatureWord w) + { + CPUX86State *env = &cpu->env; + FeatureWordInfo *fi = &feature_word_info[w]; +- uint32_t eax = fi->cpuid_eax; ++ uint32_t eax = fi->cpuid.eax; + uint32_t region = eax & 0xF0000000; + ++ assert(feature_word_info[w].type == CPUID_FEATURE_WORD); + if (!env->features[w]) { + return; + } +-- +1.8.3.1 + diff --git a/SOURCES/kvm-x86-define-a-new-MSR-based-feature-word-FEATURE_WORD.patch b/SOURCES/kvm-x86-define-a-new-MSR-based-feature-word-FEATURE_WORD.patch new file mode 100644 index 0000000..6afb822 --- /dev/null +++ b/SOURCES/kvm-x86-define-a-new-MSR-based-feature-word-FEATURE_WORD.patch @@ -0,0 +1,128 @@ +From 4263a1e54da9f6e1d1b0aa74d52436224a6cfd5e Mon Sep 17 00:00:00 2001 +From: "plai@redhat.com" +Date: Tue, 20 Aug 2019 00:24:35 +0100 +Subject: [PATCH 4/9] x86: define a new MSR based feature word -- + FEATURE_WORDS_ARCH_CAPABILITIES + +RH-Author: plai@redhat.com +Message-id: <1566260680-20995-5-git-send-email-plai@redhat.com> +Patchwork-id: 90069 +O-Subject: [RHEL8.0 qemu-kvm PATCH v3 4/9] x86: define a new MSR based feature word -- FEATURE_WORDS_ARCH_CAPABILITIES +Bugzilla: 1718235 +RH-Acked-by: Eduardo Habkost +RH-Acked-by: John Snow +RH-Acked-by: Igor Mammedov + +From: Robert Hoo + +Note RSBA is specially treated -- no matter host support it or not, qemu +pretends it is supported. + +Signed-off-by: Robert Hoo +Message-Id: <1539578845-37944-4-git-send-email-robert.hu@linux.intel.com> +[ehabkost: removed automatic enabling of RSBA] +Reviewed-by: Eduardo Habkost +Signed-off-by: Eduardo Habkost + +(cherry picked from commit d86f963694df27f11b3681ffd225c9362de1b634) +Signed-off-by: Paul Lai +Signed-off-by: Danilo C. L. de Paula +--- + target/i386/cpu.c | 24 +++++++++++++++++++++++- + target/i386/cpu.h | 8 ++++++++ + target/i386/kvm.c | 11 +++++++++++ + 3 files changed, 42 insertions(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index bbca6f4..fbcf124 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -1143,6 +1143,27 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + }, + .tcg_features = ~0U, + }, ++ /*Below are MSR exposed features*/ ++ [FEAT_ARCH_CAPABILITIES] = { ++ .type = MSR_FEATURE_WORD, ++ .feat_names = { ++ "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry", ++ "ssb-no", NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, NULL, ++ }, ++ .msr = { ++ .index = MSR_IA32_ARCH_CAPABILITIES, ++ .cpuid_dep = { ++ FEAT_7_0_EDX, ++ CPUID_7_0_EDX_ARCH_CAPABILITIES ++ } ++ }, ++ }, + }; + + typedef struct X86RegisterInfo32 { +@@ -3550,7 +3571,8 @@ static uint32_t x86_cpu_get_supported_feature_word(FeatureWord w, + wi->cpuid.reg); + break; + case MSR_FEATURE_WORD: +- r = kvm_arch_get_supported_msr_feature(kvm_state, wi->msr.index); ++ r = kvm_arch_get_supported_msr_feature(kvm_state, ++ wi->msr.index); + break; + } + } else if (hvf_enabled()) { +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index e5e5169..6820a70 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -500,6 +500,7 @@ typedef enum FeatureWord { + FEAT_6_EAX, /* CPUID[6].EAX */ + FEAT_XSAVE_COMP_LO, /* CPUID[EAX=0xd,ECX=0].EAX */ + FEAT_XSAVE_COMP_HI, /* CPUID[EAX=0xd,ECX=0].EDX */ ++ FEAT_ARCH_CAPABILITIES, + FEATURE_WORDS, + } FeatureWord; + +@@ -726,6 +727,13 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; + #define CPUID_TOPOLOGY_LEVEL_SMT (1U << 8) + #define CPUID_TOPOLOGY_LEVEL_CORE (2U << 8) + ++/* MSR Feature Bits */ ++#define MSR_ARCH_CAP_RDCL_NO (1U << 0) ++#define MSR_ARCH_CAP_IBRS_ALL (1U << 1) ++#define MSR_ARCH_CAP_RSBA (1U << 2) ++#define MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY (1U << 3) ++#define MSR_ARCH_CAP_SSB_NO (1U << 4) ++ + #ifndef HYPERV_SPINLOCK_NEVER_RETRY + #define HYPERV_SPINLOCK_NEVER_RETRY 0xFFFFFFFF + #endif +diff --git a/target/i386/kvm.c b/target/i386/kvm.c +index 87e4771..187ee19 100644 +--- a/target/i386/kvm.c ++++ b/target/i386/kvm.c +@@ -1753,6 +1753,17 @@ static int kvm_put_msrs(X86CPU *cpu, int level) + } + #endif + ++ /* If host supports feature MSR, write down. */ ++ if (kvm_feature_msrs) { ++ int i; ++ for (i = 0; i < kvm_feature_msrs->nmsrs; i++) ++ if (kvm_feature_msrs->indices[i] == MSR_IA32_ARCH_CAPABILITIES) { ++ kvm_msr_entry_add(cpu, MSR_IA32_ARCH_CAPABILITIES, ++ env->features[FEAT_ARCH_CAPABILITIES]); ++ break; ++ } ++ } ++ + /* + * The following MSRs have side effects on the guest or are too heavy + * for normal writeback. Limit them to reset or full state updates. +-- +1.8.3.1 + diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec index 2fd59bf..59eacd8 100644 --- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -68,7 +68,7 @@ Obsoletes: %1-rhev Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 2.12.0 -Release: 64%{?dist}.2 +Release: 65%{?dist}.5 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 15 License: GPLv2 and GPLv2+ and CC-BY @@ -1322,6 +1322,48 @@ Patch640: kvm-scsi-generic-avoid-possible-out-of-bounds-access-to-.patch Patch641: kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch # For bz#1704545 - CVE-2018-12126 virt:rhel/qemu-kvm: hardware: Microarchitectural Store Buffer Data Sampling [rhel-8.0.0.z] Patch642: kvm-target-i386-define-md-clear-bit-rhev.patch +# For bz#1732324 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-8.0.0.z] +Patch643: kvm-slirp-check-sscanf-result-when-emulating-ident.patch +# For bz#1732324 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-8.0.0.z] +Patch644: kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch +# For bz#1732324 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-8.0.0.z] +Patch645: kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch +# For bz#1732324 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-8.0.0.z] +Patch646: kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch +# For bz#1718992 - qemu-kvm core dumped after hotplug the deleted disk with iothread parameter [rhel-8.0.0.z] +Patch647: kvm-virtio-scsi-Move-BlockBackend-back-to-the-main-AioCo.patch +# For bz#1718992 - qemu-kvm core dumped after hotplug the deleted disk with iothread parameter [rhel-8.0.0.z] +Patch648: kvm-scsi-disk-Acquire-the-AioContext-in-scsi_-_realize.patch +# For bz#1718992 - qemu-kvm core dumped after hotplug the deleted disk with iothread parameter [rhel-8.0.0.z] +Patch649: kvm-virtio-scsi-Forbid-devices-with-different-iothreads-.patch +# For bz#1719228 - Detached device when trying to upgrade USB device firmware when in doing USB Passthrough via QEMU [rhel-8.0.0.z] +Patch650: kvm-Introduce-new-no_guest_reset-parameter-for-usb-host-.patch +# For bz#1719228 - Detached device when trying to upgrade USB device firmware when in doing USB Passthrough via QEMU [rhel-8.0.0.z] +Patch651: kvm-usb-call-reset-handler-before-updating-state.patch +# For bz#1719228 - Detached device when trying to upgrade USB device firmware when in doing USB Passthrough via QEMU [rhel-8.0.0.z] +Patch652: kvm-usb-host-skip-reset-for-untouched-devices.patch +# For bz#1719228 - Detached device when trying to upgrade USB device firmware when in doing USB Passthrough via QEMU [rhel-8.0.0.z] +Patch653: kvm-usb-host-avoid-libusb_set_configuration-calls.patch +# For bz#1734750 - CVE-2019-14378 qemu-kvm: QEMU: slirp: heap buffer overflow during packet reassembly [rhel-8.0.0.z] +Patch654: kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch +# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z] +Patch655: kvm-i386-Add-new-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch +# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z] +Patch656: kvm-i386-Add-CPUID-bit-and-feature-words-for-IA32_ARCH_C.patch +# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z] +Patch657: kvm-x86-Data-structure-changes-to-support-MSR-based-feat.patch +# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z] +Patch658: kvm-x86-define-a-new-MSR-based-feature-word-FEATURE_WORD.patch +# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z] +Patch659: kvm-Add-support-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch +# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z] +Patch660: kvm-Use-KVM_GET_MSR_INDEX_LIST-for-MSR_IA32_ARCH_CAP.patch +# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z] +Patch661: kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch +# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z] +Patch662: kvm-i386-Make-arch_capabilities-migratable.patch +# For bz#1718235 - [Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z] +Patch663: kvm-target-i386-add-MDS-NO-feature.patch BuildRequires: zlib-devel BuildRequires: glib2-devel @@ -2212,6 +2254,48 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %changelog +* Wed Aug 28 2019 Danilo Cesar Lemes de Paula - 2.12.0-65.el8_0_0.5 +- kvm-i386-Add-new-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch [bz#1718235] +- kvm-i386-Add-CPUID-bit-and-feature-words-for-IA32_ARCH_C.patch [bz#1718235] +- kvm-x86-Data-structure-changes-to-support-MSR-based-feat.patch [bz#1718235] +- kvm-x86-define-a-new-MSR-based-feature-word-FEATURE_WORD.patch [bz#1718235] +- kvm-Add-support-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch [bz#1718235] +- kvm-Use-KVM_GET_MSR_INDEX_LIST-for-MSR_IA32_ARCH_CAP.patch [bz#1718235] +- kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch [bz#1718235] +- kvm-i386-Make-arch_capabilities-migratable.patch [bz#1718235] +- kvm-target-i386-add-MDS-NO-feature.patch [bz#1718235] +- Resolves: bz#1718235 + ([Intel 8.1 Bug] [KVM][CLX] CPUID_7_0_EDX_ARCH_CAPABILITIES is not enabled in VM - qemu-kvm [rhel-8.0.0.z]) + +* Mon Aug 26 2019 Danilo Cesar Lemes de Paula - 2.12.0-65.el8_0_0.4 +- kvm-Introduce-new-no_guest_reset-parameter-for-usb-host-.patch [bz#1719228] +- kvm-usb-call-reset-handler-before-updating-state.patch [bz#1719228] +- kvm-usb-host-skip-reset-for-untouched-devices.patch [bz#1719228] +- kvm-usb-host-avoid-libusb_set_configuration-calls.patch [bz#1719228] +- kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch [bz#1734750] +- Resolves: bz#1719228 + (Detached device when trying to upgrade USB device firmware when in doing USB Passthrough via QEMU [rhel-8.0.0.z]) +- Resolves: bz#1734750 + (CVE-2019-14378 qemu-kvm: QEMU: slirp: heap buffer overflow during packet reassembly [rhel-8.0.0.z]) + +* Wed Jul 24 2019 Danilo Cesar Lemes de Paula - 2.12.0-65.el8_0_0.3 +- kvm-slirp-check-sscanf-result-when-emulating-ident.patch [bz#1732324] +- kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch [bz#1732324] +- kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch [bz#1732324] +- kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch [bz#1732324] +- kvm-virtio-scsi-Move-BlockBackend-back-to-the-main-AioCo.patch [bz#1718992] +- kvm-scsi-disk-Acquire-the-AioContext-in-scsi_-_realize.patch [bz#1718992] +- kvm-virtio-scsi-Forbid-devices-with-different-iothreads-.patch [bz#1718992] +- Resolves: bz#1718992 + (qemu-kvm core dumped after hotplug the deleted disk with iothread parameter [rhel-8.0.0.z]) +- Resolves: bz#1732324 + (CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-8.0.0.z]) + +* Sun Jun 30 2019 Danilo de Paula - 15:2.12.0-65.2 +- Rebuild all virt packages to fix RHEL's upgrade path +- Resolves: rhbz#1696354 + (Ensure modular RPM upgrade path [ZStream Clone] [rhel-8.0.0.z]) + * Fri May 10 2019 Danilo Cesar Lemes de Paula - 2.12.0-64.el8.0.0.2 - Bump release version to fix the versioning problem (zstream release lower than ystream). - Resolves: bz#1704545