diff --git a/SOURCES/kvm-Add-missing-brackets-to-CPUID-0x80000008-code.patch b/SOURCES/kvm-Add-missing-brackets-to-CPUID-0x80000008-code.patch
new file mode 100644
index 0000000..4fb8c36
--- /dev/null
+++ b/SOURCES/kvm-Add-missing-brackets-to-CPUID-0x80000008-code.patch
@@ -0,0 +1,54 @@
+From 23e038b8eb586dc19f1d653cd98d0cae109f359b Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Thu, 10 Oct 2019 22:18:07 +0200
+Subject: [PATCH 4/4] Add missing brackets to CPUID[0x80000008] code
+
+RH-Author: Eduardo Habkost
+Message-id: <20191010221807.2953-1-ehabkost@redhat.com>
+Patchwork-id: 91713
+O-Subject: [RHEL-7.8 qemu-kvm PATCH] Add missing brackets to CPUID[0x80000008] code
+Bugzilla: 1760607
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: John Snow
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1760607
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=23986041
+Upstream: not applicable
+
+I've made a mistake at downstream-only commit ba222e201e07
+("i386: Don't copy host virtual address limit"): I forgot to add
+brackets to the existing if statement. This expose an invalid
+physical address size to the guest if the host xlevel is less
+than 0x80000008.
+
+Signed-off-by: Eduardo Habkost
+Signed-off-by: Miroslav Rezanina
+---
+ target-i386/cpu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index b4839df..9283902 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -2978,7 +2978,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+ if (kvm_enabled()) {
+ uint32_t _eax;
+ host_cpuid(0x80000000, 0, &_eax, NULL, NULL, NULL);
+- if (_eax >= 0x80000008)
++ if (_eax >= 0x80000008) {
+ host_cpuid(0x80000008, 0, &_eax, NULL, NULL, NULL);
+ /*
+ * Override physical size only, as RHEL-7 KVM only supports
+@@ -2986,6 +2986,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+ */
+ *eax &= ~0xff;
+ *eax |= _eax & 0xff;
++ }
+ }
+ } else {
+ if (env->features[FEAT_1_EDX] & CPUID_PSE36) {
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch b/SOURCES/kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch
new file mode 100644
index 0000000..f3ab197
--- /dev/null
+++ b/SOURCES/kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch
@@ -0,0 +1,96 @@ +From b5c74112b314c185335de246c465d14ef68509a3 Mon Sep 17 00:00:00 2001 +From: Maxim Levitsky +Date: Sun, 16 Feb 2020 16:02:24 +0100 +Subject: [PATCH 4/6] gluster: Handle changed glfs_ftruncate signature + +Message-id: <20200216160225.22498-2-mlevitsk@redhat.com> +Patchwork-id: 93881 +O-Subject: [RHEL-7.9 qemu-kvm PATCH 1/2] gluster: Handle changed glfs_ftruncate signature +Bugzilla: 1802215 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Max Reitz +RH-Acked-by: Stefano Garzarella + +From: Prasanna Kumar Kalever + +New versions of Glusters libgfapi.so have an updated glfs_ftruncate() +function that returns additional 'struct stat' structures to enable +advanced caching of attributes. This is useful for file servers, not so +much for QEMU. Nevertheless, the API has changed and needs to be +adopted. + +Signed-off-by: Prasanna Kumar Kalever +Signed-off-by: Niels de Vos +Signed-off-by: Kevin Wolf +(cherry picked from commit e014dbe74e0484188164c61ff6843f8a04a8cb9d) +Signed-off-by: Maxim Levitsky + +RHEL: fixed conflicts +Signed-off-by: Miroslav Rezanina +--- + block/gluster.c | 5 +++++ + configure | 18 ++++++++++++++++++ + 2 files changed, 23 insertions(+) + +diff --git a/block/gluster.c b/block/gluster.c +index 86e136d..d6160af 100644 +--- a/block/gluster.c ++++ b/block/gluster.c +@@ -20,6 +20,11 @@ + #include "qemu/sockets.h" + #include "qemu/uri.h" + ++#ifdef CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT ++# define glfs_ftruncate(fd, offset) glfs_ftruncate(fd, offset, NULL, NULL) ++#endif ++ ++ + typedef struct GlusterAIOCB { + BlockDriverAIOCB common; + int64_t size; +diff --git a/configure b/configure +index 5877e82..70fd06f 100755 +--- a/configure ++++ b/configure +@@ -243,6 +243,7 @@ seccomp="" + glusterfs="" + glusterfs_discard="no" + virtio_blk_data_plane="" ++glusterfs_ftruncate_has_stat="no" + gtk="" + gtkabi="2.0" + tpm="no" +@@ -2748,6 +2749,19 @@ EOF + if $pkg_config --atleast-version=5 glusterfs-api >/dev/null 2>&1; then + glusterfs_discard="yes" + fi 
++ cat > $TMPC << EOF ++#include ++ ++int ++main(void) ++{ ++ /* new glfs_ftruncate() passes two additional args */ ++ return glfs_ftruncate(NULL, 0, NULL, NULL); ++} ++EOF ++ if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then ++ glusterfs_ftruncate_has_stat="yes" ++ fi + else + if test "$glusterfs" = "yes" ; then + feature_not_found "GlusterFS backend support" +@@ -4178,6 +4192,10 @@ if test "$live_block_ops" = "yes" ; then + echo "CONFIG_LIVE_BLOCK_OPS=y" >> $config_host_mak + fi + ++if test "$glusterfs_ftruncate_has_stat" = "yes" ; then ++ echo "CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT=y" >> $config_host_mak ++fi ++ + if test "$live_block_migration" = "yes" ; then + echo "CONFIG_LIVE_BLOCK_MIGRATION=y" >> $config_host_mak + fi +-- +1.8.3.1 + diff --git a/SOURCES/kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch b/SOURCES/kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch new file mode 100644 index 0000000..8b3b12c --- /dev/null +++ b/SOURCES/kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch 
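Review bot: The `glfs_ftruncate` wrapper macro added to block/gluster.c has no comment, and because it redefines the library function under its own name, a reader of the later call sites cannot tell that two extra arguments are being supplied silently. I would put `/* libgfapi with the 4-argument glfs_ftruncate(): QEMU does not use the additional stat results, so pass NULL for both */` above the `#define`. The same hunk adds two consecutive blank lines after the `#endif`; one is enough.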
@@ -0,0 +1,109 @@ +From b9bf902e0a6739ba5db697fbd9b8f063dd130618 Mon Sep 17 00:00:00 2001 +From: Maxim Levitsky +Date: Sun, 16 Feb 2020 16:02:25 +0100 +Subject: [PATCH 5/6] gluster: the glfs_io_cbk callback function pointer adds + pre/post stat args + +Message-id: <20200216160225.22498-3-mlevitsk@redhat.com> +Patchwork-id: 93880 +O-Subject: [RHEL-7.9 qemu-kvm PATCH 2/2] gluster: the glfs_io_cbk callback function pointer adds pre/post stat args +Bugzilla: 1802215 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Max Reitz +RH-Acked-by: Stefano Garzarella + +From: Niels de Vos + +The glfs_*_async() functions do a callback once finished. This callback +has changed its arguments, pre- and post-stat structures have been +added. This makes it possible to improve caching, which is useful for +Samba and NFS-Ganesha, but not so much for QEMU. Gluster 6 is the first +release that includes these new arguments. + +With an additional detection in ./configure, the new arguments can +conditionally get included in the glfs_io_cbk handler. + +Signed-off-by: Niels de Vos +Signed-off-by: Kevin Wolf +(cherry picked from commit 0e3b891fefacc0e49f3c8ffa3a753b69eb7214d2) +Signed-off-by: Maxim Levitsky + +RHEL: first chunk of the patch was applied manually due to very +different context, for other chunks conficts were fixed. 
+ +Signed-off-by: Miroslav Rezanina +--- + block/gluster.c | 7 ++++++- + configure | 24 ++++++++++++++++++++++++ + 2 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/block/gluster.c b/block/gluster.c +index d6160af..dba3e0a 100644 +--- a/block/gluster.c ++++ b/block/gluster.c +@@ -571,7 +571,12 @@ static const AIOCBInfo gluster_aiocb_info = { + .cancel = qemu_gluster_aio_cancel, + }; + +-static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, void *arg) ++static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, ++#ifdef CONFIG_GLUSTERFS_IOCB_HAS_STAT ++ struct glfs_stat *pre, struct glfs_stat *post, ++#endif ++ void *arg) ++ + { + GlusterAIOCB *acb = (GlusterAIOCB *)arg; + BlockDriverState *bs = acb->common.bs; +diff --git a/configure b/configure +index 70fd06f..34e3acc 100755 +--- a/configure ++++ b/configure +@@ -244,6 +244,7 @@ glusterfs="" + glusterfs_discard="no" + virtio_blk_data_plane="" + glusterfs_ftruncate_has_stat="no" ++glusterfs_iocb_has_stat="no" + gtk="" + gtkabi="2.0" + tpm="no" +@@ -2762,6 +2763,25 @@ EOF + if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then + glusterfs_ftruncate_has_stat="yes" + fi ++ cat > $TMPC << EOF ++#include ++ ++/* new glfs_io_cbk() passes two additional glfs_stat structs */ ++static void ++glusterfs_iocb(glfs_fd_t *fd, ssize_t ret, struct glfs_stat *prestat, struct glfs_stat *poststat, void *data) ++{} ++ ++int ++main(void) ++{ ++ glfs_io_cbk iocb = &glusterfs_iocb; ++ iocb(NULL, 0 , NULL, NULL, NULL); ++ return 0; ++} ++EOF ++ if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then ++ glusterfs_iocb_has_stat="yes" ++ fi + else + if test "$glusterfs" = "yes" ; then + feature_not_found "GlusterFS backend support" +@@ -4196,6 +4216,10 @@ if test "$glusterfs_ftruncate_has_stat" = "yes" ; then + echo "CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT=y" >> $config_host_mak + fi + ++if test "$glusterfs_iocb_has_stat" = "yes" ; then ++ echo "CONFIG_GLUSTERFS_IOCB_HAS_STAT=y" >> $config_host_mak 
++fi ++ + if test "$live_block_migration" = "yes" ; then + echo "CONFIG_LIVE_BLOCK_MIGRATION=y" >> $config_host_mak + fi +-- +1.8.3.1 + diff --git a/SOURCES/kvm-i386-Add-new-model-of-Cascadelake-Server.patch b/SOURCES/kvm-i386-Add-new-model-of-Cascadelake-Server.patch new file mode 100644 index 0000000..526daaa --- /dev/null +++ b/SOURCES/kvm-i386-Add-new-model-of-Cascadelake-Server.patch 
@@ -0,0 +1,118 @@ +From 4f73c145a24ba196d904234a1ea437af22c33240 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 3 Oct 2019 22:12:15 +0200 +Subject: [PATCH 1/4] i386: Add new model of Cascadelake-Server + +RH-Author: Eduardo Habkost +Message-id: <20191003221217.8527-2-ehabkost@redhat.com> +Patchwork-id: 90952 +O-Subject: [RHEL-7.8 qemu-kvm PATCH 1/3] i386: Add new model of Cascadelake-Server +Bugzilla: 1638471 +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov + +From: Tao Xu + +New CPU models mostly inherit features from ancestor Skylake-Server, +while addin new features: AVX512_VNNI, Intel PT. +SSBD support for speculative execution +side channel mitigations. + +Note: + +On Cascadelake, some capabilities (RDCL_NO, IBRS_ALL, RSBA, +SKIP_L1DFL_VMENTRY and SSB_NO) are enumerated by MSR. +These features rely on MSR based feature support patch. +Will be added later after that patch's in. +http://lists.nongnu.org/archive/html/qemu-devel/2018-09/msg00074.html + +Backport notes: +* Like we already did in Skylake-Server and EPYC, ARAT is + not present in the CPU model (RHEL7-3+ and RHEL-8 already have + arat=off in PC_COMPAT_RHEL7_2) + +Signed-off-by: Tao Xu +Message-Id: <20180919031122.28487-2-tao3.xu@intel.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit c7a88b52f62b30c04158eeb07f73e3f72221b6a8) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 60 insertions(+) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index f92cb62..5b988c9 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -1496,6 +1496,66 @@ static x86_def_t builtin_x86_defs[] = { + .model_id = "Intel Xeon Processor (Skylake, IBRS)", + }, + { ++ .name = "Cascadelake-Server", ++ .level = 0xd, ++ .vendor = CPUID_VENDOR_INTEL, ++ .family = 6, ++ .model = 85, ++ .stepping = 5, ++ .features[FEAT_1_EDX] = ++ 
CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX | ++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA | ++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 | ++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE | ++ CPUID_DE | CPUID_FP87, ++ .features[FEAT_1_ECX] = ++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES | ++ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | ++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | ++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 | ++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE | ++ CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND, ++ .features[FEAT_8000_0001_EDX] = ++ CPUID_EXT2_LM | CPUID_EXT2_PDPE1GB | CPUID_EXT2_RDTSCP | ++ CPUID_EXT2_NX | CPUID_EXT2_SYSCALL, ++ .features[FEAT_8000_0001_ECX] = ++ CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH, ++ .features[FEAT_7_0_EBX] = ++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 | ++ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP | ++ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID | ++ CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX | ++ CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_MPX | CPUID_7_0_EBX_CLWB | ++ CPUID_7_0_EBX_AVX512F | CPUID_7_0_EBX_AVX512DQ | ++ CPUID_7_0_EBX_AVX512BW | CPUID_7_0_EBX_AVX512CD | ++ CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT | ++ CPUID_7_0_EBX_INTEL_PT, ++ .features[FEAT_7_0_ECX] = ++ CPUID_7_0_ECX_PKU | CPUID_7_0_ECX_OSPKE | ++ CPUID_7_0_ECX_AVX512VNNI, ++ .features[FEAT_7_0_EDX] = ++ CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_SPEC_CTRL_SSBD, ++ /* Missing: XSAVES (not supported by some Linux versions, ++ * including v4.1 to v4.12). ++ * KVM doesn't yet expose any XSAVES state save component, ++ * and the only one defined in Skylake (processor tracing) ++ * probably will block migration anyway. ++ */ ++ .features[FEAT_XSAVE] = ++ CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | ++ CPUID_XSAVE_XGETBV1, ++ /* Missing: ARAT. 
not available in the qemu-kvm-1.5.3 tree (and ++ * disabled by compat code in pc-i440fx-rhel7.2.0 and older on ++ * qemu-kvm-rhev) ++ */ ++#if 0 ++ .features[FEAT_6_EAX] = ++ CPUID_6_EAX_ARAT, ++#endif ++ .xlevel = 0x80000008, ++ .model_id = "Intel Xeon Processor (Cascadelake)", ++ }, ++ { + .name = "Opteron_G1", + .level = 5, + .vendor = CPUID_VENDOR_AMD, +-- +1.8.3.1 + diff --git a/SOURCES/kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch b/SOURCES/kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch new file mode 100644 index 0000000..729d6a3 --- /dev/null +++ b/SOURCES/kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch 
@@ -0,0 +1,76 @@ +From b082e420af608c6b060e29e392e0a7fa0655298d Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 3 Oct 2019 22:12:16 +0200 +Subject: [PATCH 2/4] i386: Disable OSPKE on Cascadelake-Server + +RH-Author: Eduardo Habkost +Message-id: <20191003221217.8527-3-ehabkost@redhat.com> +Patchwork-id: 90953 +O-Subject: [RHEL-7.8 qemu-kvm PATCH 2/3] i386: Disable OSPKE on Cascadelake-Server +Bugzilla: 1638471 +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov + +This is a partial cherry pick of upstream commit: + +commit bb4928c7cafe50ab2137a0034e350ef1bfa044d9 +Author: Eduardo Habkost +Date: Tue Mar 19 17:05:15 2019 -0300 + + i386: Disable OSPKE on CPU model definitions + + Currently, the Cascadelake-Server, Icelake-Client, and + Icelake-Server are always generating the following warning: + + qemu-system-x86_64: warning: \ + host doesn't support requested feature: CPUID.07H:ECX [bit 4] + + This happens because OSPKE was never returned by + GET_SUPPORTED_CPUID or x86_cpu_get_supported_feature_word(). + OSPKE is a runtime flag automatically set by the KVM module or by + TCG code, was always cleared by x86_cpu_filter_features(), and + was not supposed to appear on the CPU model table. + + Remove the OSPKE flag from the CPU model table entries, to avoid + the bogus warning and avoid returning invalid feature data on + query-cpu-* QMP commands. As OSPKE was always cleared by + x86_cpu_filter_features(), this won't have any guest-visible + impact. + + Include a test case that should detect the problem if we introduce + a similar bug again. + + Fixes: c7a88b52f62b ("i386: Add new model of Cascadelake-Server") + Fixes: 8a11c62da914 ("i386: Add new CPU model Icelake-{Server,Client}") + Cc: Tao Xu + Cc: Robert Hoo + Signed-off-by: Eduardo Habkost + Message-Id: <20190319200515.14999-1-ehabkost@redhat.com> + 
Signed-off-by: Eduardo Habkost + +It includes only the Cascadelake-Server change, because Icelake* +is not present in the RHEL7 tree. + +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index 5b988c9..926373b 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -1531,7 +1531,7 @@ static x86_def_t builtin_x86_defs[] = { + CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT | + CPUID_7_0_EBX_INTEL_PT, + .features[FEAT_7_0_ECX] = +- CPUID_7_0_ECX_PKU | CPUID_7_0_ECX_OSPKE | ++ CPUID_7_0_ECX_PKU | + CPUID_7_0_ECX_AVX512VNNI, + .features[FEAT_7_0_EDX] = + CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_SPEC_CTRL_SSBD, +-- +1.8.3.1 + diff --git a/SOURCES/kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch b/SOURCES/kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch new file mode 100644 index 0000000..81ce3b7 --- /dev/null +++ b/SOURCES/kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch 
@@ -0,0 +1,59 @@ +From 4d23f26f51e1a4b4a8c7aa2d105891e4589f913c Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Thu, 3 Oct 2019 22:12:17 +0200 +Subject: [PATCH 3/4] i386: remove the 'INTEL_PT' CPUID bit from + Cascadelake-Server + +RH-Author: Eduardo Habkost +Message-id: <20191003221217.8527-4-ehabkost@redhat.com> +Patchwork-id: 90954 +O-Subject: [RHEL-7.8 qemu-kvm PATCH 3/3] i386: remove the 'INTEL_PT' CPUID bit from Cascadelake-Server +Bugzilla: 1638471 +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov + +From: Paolo Bonzini + +This is a partial cherry pick of upstream commit: + +commit 4c257911dcc7c4189768e9651755c849ce9db4e8 +Author: Paolo Bonzini +Date: Fri Dec 21 12:35:56 2018 +0100 + + i386: remove the 'INTEL_PT' CPUID bit from named CPU models + + Processor tracing is not yet implemented for KVM and it will be an + opt in feature requiring a special module parameter. + Disable it, because it is wrong to enable it by default and + it is impossible that no one has ever used it. + + Cc: qemu-stable@nongnu.org + Signed-off-by: Paolo Bonzini + +It includes only the Cascadelake-Server change, because the other +CPU models are not present in the RHEL7 tree. + +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index 926373b..b4839df 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -1528,8 +1528,7 @@ static x86_def_t builtin_x86_defs[] = { + CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_MPX | CPUID_7_0_EBX_CLWB | + CPUID_7_0_EBX_AVX512F | CPUID_7_0_EBX_AVX512DQ | + CPUID_7_0_EBX_AVX512BW | CPUID_7_0_EBX_AVX512CD | +- CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT | +- CPUID_7_0_EBX_INTEL_PT, ++ CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT, + .features[FEAT_7_0_ECX] = + CPUID_7_0_ECX_PKU | + CPUID_7_0_ECX_AVX512VNNI, +-- +1.8.3.1 + 
diff --git a/SOURCES/kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch b/SOURCES/kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch
new file mode 100644
index 0000000..ab471c9
--- /dev/null
+++ b/SOURCES/kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch
@@ -0,0 +1,72 @@
+From d01fad2a8757f4e3b449a888b93a0ba9fda54daa Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo
+Date: Thu, 5 Mar 2020 13:49:51 +0100
+Subject: [PATCH 6/6] seccomp: set the seccomp filter to all threads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20200305134951.23851-1-otubo@redhat.com>
+Patchwork-id: 94161
+O-Subject: [RHEL-7.9 qemu-kvm PATCH] seccomp: set the seccomp filter to all threads
+Bugzilla: 1618503
+RH-Acked-by: Philippe Mathieu-Daudé
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Mohammed Gamal
+
+commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114
+Author: Marc-André Lureau
+Date: Wed Aug 22 19:02:50 2018 +0200
+
+ When using "-seccomp on", the seccomp policy is only applied to the
+ main thread, the vcpu worker thread and other worker threads created
+ after seccomp policy is applied; the seccomp policy is not applied to
+ e.g. the RCU thread because it is created before the seccomp policy is
+ applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.
+
+ This can be verified with
+ for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
+ Seccomp: 2
+ Seccomp: 0
+ Seccomp: 0
+ Seccomp: 2
+ Seccomp: 2
+ Seccomp: 2
+
+ Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
+ seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
+ on all threads.
+
+ libseccomp requirement was bumped to 2.2.0 in previous patch.
+ libseccomp should fail to set the filter if it can't honour
+ SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
+ kernel < 3.17.
+
+ Signed-off-by: Marc-André Lureau
+ Acked-by: Eduardo Otubo
+
+Signed-off-by: Eduardo Otubo
+Signed-off-by: Miroslav Rezanina
+---
+ qemu-seccomp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index e947909..828083b 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -264,6 +264,11 @@ int seccomp_start(void)
+ goto seccomp_return;
+ }
+
++ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
++ if (rc != 0) {
++ goto seccomp_return;
++ }
++
+ for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);
+ if (rc < 0) {
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-slirp-disable-tcp_emu.patch b/SOURCES/kvm-slirp-disable-tcp_emu.patch
new file mode 100644
index 0000000..55d44d5
--- /dev/null
+++ b/SOURCES/kvm-slirp-disable-tcp_emu.patch
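Review bot: The new `seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1)` call in seccomp_start() tests `rc != 0`, while the `seccomp_rule_add()` check directly below it tests `rc < 0`; writing `if (rc < 0) {` would keep one error convention within the function. The call also needs a comment saying why it is there, for example `/* apply the filter to threads that already exist (e.g. the RCU thread), not only to the caller and threads created later */`. The description marks the failure behaviour on kernels older than 3.17 as untested, and in the visible lines a failure only jumps to `seccomp_return` with the raw `rc`, so nothing tells the operator that thread synchronisation is the unsupported part; the caller's error reporting is outside the hunk and should be checked. After deployment, the per-task `Seccomp:` field in `/proc/<pid>/task/*/status` quoted in the description is the check that every thread reports mode 2.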
@@ -0,0 +1,69 @@ +From d4913063320e52d9c3716732d8c6b7396a2288b5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Tue, 28 Jan 2020 13:32:53 +0100 +Subject: [PATCH 3/6] slirp: disable tcp_emu() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Message-id: <20200128133253.794107-2-marcandre.lureau@redhat.com> +Patchwork-id: 93569 +O-Subject: [RHEL-8.2.0 qemu-kvm + RHEL-7.7 qemu-kvm + RHEL-6.11 qemu-kvm PATCH 1/1] slirp: disable tcp_emu() +Bugzilla: 1791679 +RH-Acked-by: Danilo de Paula +RH-Acked-by: Eduardo Habkost +RH-Acked-by: Stefan Hajnoczi + +Since libslirp 4.1, tcp_emu() is disabled by default because it is +known to cause several CVEs and is not useful today in most +cases. Qemu upstream doesn't have an option to enable it back at this +point, it's not clear if we ever want to expose that option anyway. + +See also upstream commit 07c2a44b67e ("emu: disable by default") + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1791677 +Signed-off-by: Marc-André Lureau +Signed-off-by: Miroslav Rezanina +--- + slirp/tcp_subr.c | 4 ++-- + slirp/udp.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index 8dae0cc..0ca7f02 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -516,7 +516,7 @@ tcp_tos(struct socket *so) + while(tcptos[i].tos) { + if ((tcptos[i].fport && (ntohs(so->so_fport) == tcptos[i].fport)) || + (tcptos[i].lport && (ntohs(so->so_lport) == tcptos[i].lport))) { +- so->so_emu = tcptos[i].emu; ++ so->so_emu = 0; /* disabled */ + return tcptos[i].tos; + } + i++; +@@ -526,7 +526,7 @@ tcp_tos(struct socket *so) + for (emup = tcpemu; emup; emup = emup->next) { + if ((emup->fport && (ntohs(so->so_fport) == emup->fport)) || + (emup->lport && (ntohs(so->so_lport) == emup->lport))) { +- so->so_emu = emup->emu; ++ so->so_emu = 0; /* disabled */ + return emup->tos; + } + } +diff --git a/slirp/udp.c b/slirp/udp.c +index 
2188176..ee92790 100644 +--- a/slirp/udp.c ++++ b/slirp/udp.c +@@ -339,7 +339,7 @@ udp_tos(struct socket *so) + while(udptos[i].tos) { + if ((udptos[i].fport && ntohs(so->so_fport) == udptos[i].fport) || + (udptos[i].lport && ntohs(so->so_lport) == udptos[i].lport)) { +- so->so_emu = udptos[i].emu; ++ so->so_emu = 0; /* disabled */ + return udptos[i].tos; + } + i++; +-- +1.8.3.1 + diff --git a/SOURCES/kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch b/SOURCES/kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch new file mode 100644 index 0000000..6ccb8c4 --- /dev/null +++ b/SOURCES/kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch 
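Review bot: The three `so->so_emu = 0; /* disabled */` assignments (two in tcp_tos(), one in udp_tos()) leave the `tcpemu` list walk and the `.emu` table fields in place but unused, and the comment does not say why. A more useful comment would be `/* protocol emulation disabled: tcp_emu() is a recurring source of memory-safety bugs (see libslirp commit 07c2a44b67e) */`. Only these three assignment sites are visible, and both functions continue outside the hunks; any other writer of `so_emu` elsewhere in slirp would re-enable the emulation path, so search for one before relying on this change as the mitigation. The subject names only tcp_emu(), yet the slirp/udp.c hunk also switches off the UDP emulation selection, which the description should state.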
@@ -0,0 +1,71 @@ +From 896665af83060fb673fc12081083f53a10a19dc5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Jan 2020 12:00:36 +0100 +Subject: [PATCH 2/3] slirp: use correct size while emulating IRC commands +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +Message-id: <20200117120037.12800-3-philmd@redhat.com> +Patchwork-id: 93396 +O-Subject: [RHEL-7.7.z qemu-kvm + RHEL-7.8 qemu-kvm + RHEL-7.9 qemu-kvm PATCH v2 2/3] slirp: use correct size while emulating IRC commands +Bugzilla: 1791560 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Thomas Huth + +From: Prasad J Pandit + +While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size +'m->m_size' to write DCC commands via snprintf(3). This may +lead to OOB write access, because 'bptr' points somewhere in +the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m) +size to avoid OOB access. 
+ +Reported-by: Vishnu Dev TJ +Signed-off-by: Prasad J Pandit +Reviewed-by: Samuel Thibault +Message-Id: <20200109094228.79764-2-ppandit@redhat.com> +(cherry picked from libslirp commit ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9) +Signed-off-by: Philippe Mathieu-Daudé + +Signed-off-by: Miroslav Rezanina +--- + slirp/tcp_subr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index 70a4c83..321c2a4 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -728,7 +728,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "DCC CHAT chat %lu %u%c\n", + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), 1); +@@ -739,7 +739,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "DCC SEND %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); +@@ -750,7 +750,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "DCC MOVE %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); +-- +1.8.3.1 + diff --git a/SOURCES/kvm-slirp-use-correct-size-while-emulating-commands.patch b/SOURCES/kvm-slirp-use-correct-size-while-emulating-commands.patch new file mode 100644 index 0000000..ae5466d --- /dev/null +++ b/SOURCES/kvm-slirp-use-correct-size-while-emulating-commands.patch 
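Review bot: Bounding the write with `M_FREEROOM(m)` stops the overrun, but all three `m->m_len += snprintf(bptr, M_FREEROOM(m), ...)` statements still add snprintf's return value unchecked, and on truncation that value is the length the full string would have had, not the number of bytes stored. `m_len` can then exceed the data actually held in the mbuf, and whatever consumes `m_len` afterwards would read past it. Capture the result first with `int n = snprintf(bptr, M_FREEROOM(m), ...);` and add it to `m_len` only after `if (n < 0 || n >= M_FREEROOM(m))` has rejected the truncated case; what to do on rejection depends on tcp_emu() code outside the hunks. The same pattern is present in the `ORT` and `27 Entering Passive Mode` calls changed by kvm-slirp-use-correct-size-while-emulating-commands.patch. `M_FREEROOM` is defined outside the visible lines, so confirm that it is derived from the `m_len` assigned on the preceding line.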
@@ -0,0 +1,70 @@ +From 95cf6abd88bedca0533ababfdb6480c3174f3b81 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Fri, 17 Jan 2020 12:00:37 +0100 +Subject: [PATCH 3/3] slirp: use correct size while emulating commands +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Philippe Mathieu-Daudé +Message-id: <20200117120037.12800-4-philmd@redhat.com> +Patchwork-id: 93397 +O-Subject: [RHEL-7.7.z qemu-kvm + RHEL-7.8 qemu-kvm + RHEL-7.9 qemu-kvm PATCH v2 3/3] slirp: use correct size while emulating commands +Bugzilla: 1791560 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Thomas Huth + +From: Prasad J Pandit + +While emulating services in tcp_emu(), it uses 'mbuf' size +'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m) +size to avoid possible OOB access. + +Signed-off-by: Prasad J Pandit +Signed-off-by: Samuel Thibault +Message-Id: <20200109094228.79764-3-ppandit@redhat.com> +(cherry picked from libslirp commit 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80) +Signed-off-by: Philippe Mathieu-Daudé + +Signed-off-by: Miroslav Rezanina +--- + slirp/tcp_subr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index 321c2a4..19e2245 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -648,7 +648,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "ORT %d,%d,%d,%d,%d,%d\r\n%s", + n1, n2, n3, n4, n5, n6, x==7?buff:""); + return 1; +@@ -681,7 +681,7 @@ tcp_emu(struct socket *so, struct mbuf *m) + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", 
+ n1, n2, n3, n4, n5, n6, x==7?buff:""); + +@@ -707,8 +707,8 @@ tcp_emu(struct socket *so, struct mbuf *m) + if (m->m_data[m->m_len-1] == '\0' && lport != 0 && + (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, + htons(lport), SS_FACCEPTONCE)) != NULL) +- m->m_len = snprintf(m->m_data, m->m_size, "%d", +- ntohs(so->so_fport)) + 1; ++ m->m_len = snprintf(m->m_data, M_ROOM(m), ++ "%d", ntohs(so->so_fport)) + 1; + return 1; + + case EMU_IRC: +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-Export-TAA_NO-bit-to-guests.patch b/SOURCES/kvm-target-i386-Export-TAA_NO-bit-to-guests.patch new file mode 100644 index 0000000..8b34363 --- /dev/null +++ b/SOURCES/kvm-target-i386-Export-TAA_NO-bit-to-guests.patch 
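Review bot: The rewritten `m->m_len = snprintf(m->m_data, M_ROOM(m), "%d", ntohs(so->so_fport)) + 1;` is still the unbraced body of a three-line `if`, immediately followed by an unconditional `return 1;`. This same package update carries a fix for exactly that kind of mistake (the missing brackets in the CPUID[0x80000008] code), so the statement should be wrapped in `{ ... }` while it is being touched. The `if` condition sits in context lines and tcp_emu() continues outside the hunk.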
@@ -0,0 +1,48 @@ +From 2ce01dcb0add24ad6ba0a703b63d00fb9d95ee5f Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Wed, 4 Dec 2019 01:48:28 +0100 +Subject: [PATCH 1/2] target/i386: Export TAA_NO bit to guests + +RH-Author: Eduardo Habkost +Message-id: <20191204014829.608318-2-ehabkost@redhat.com> +Patchwork-id: 92853 +O-Subject: [RHEL-7.8 qemu-kvm PATCH 1/2] target/i386: Export TAA_NO bit to guests +Bugzilla: 1771961 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Dr. David Alan Gilbert +RH-Acked-by: Igor Mammedov + +From: Pawan Gupta + +TSX Async Abort (TAA) is a side channel attack on internal buffers in +some Intel processors similar to Microachitectural Data Sampling (MDS). + +Some future Intel processors will use the ARCH_CAP_TAA_NO bit in the +IA32_ARCH_CAPABILITIES MSR to report that they are not vulnerable to +TAA. Make this bit available to guests. + +Signed-off-by: Pawan Gupta +Signed-off-by: Paolo Bonzini +(cherry picked from commit 7fac38635e1cc5ebae34eb6530da1009bd5808e4) +Signed-off-by: Eduardo Habkost +Signed-off-by: Miroslav Rezanina +--- + target-i386/cpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index 9283902..120df73 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -212,7 +212,7 @@ static const char *cpuid_apm_edx_feature_name[] = { + static const char *cpuid_arch_capabilities_feature_name[] = { + "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry", + "ssb-no", "mds-no", NULL, NULL, +- NULL, NULL, NULL, NULL, ++ "taa-no", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +-- +1.8.3.1 + diff --git a/SOURCES/kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch b/SOURCES/kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch new file mode 100644 index 0000000..62c3002 --- /dev/null +++ b/SOURCES/kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch 
@@ -0,0 +1,170 @@
+From 73fac9c9beb00cc462eaae8589b4b2261142a8b2 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Wed, 4 Dec 2019 01:48:29 +0100
+Subject: [PATCH 2/2] target/i386: add support for MSR_IA32_TSX_CTRL
+
+RH-Author: Eduardo Habkost
+Message-id: <20191204014829.608318-3-ehabkost@redhat.com>
+Patchwork-id: 92854
+O-Subject: [RHEL-7.8 qemu-kvm PATCH 2/2] target/i386: add support for MSR_IA32_TSX_CTRL
+Bugzilla: 1771961
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: Igor Mammedov
+
+From: Paolo Bonzini
+
+The MSR_IA32_TSX_CTRL MSR can be used to hide TSX (also known as the
+Trusty Side-channel Extension). By virtualizing the MSR, KVM guests
+can disable TSX and avoid paying the price of mitigating TSX-based
+attacks on microarchitectural side channels.
+
+Backport notes:
+* MSR code had to be rewritten
+* .needed is inside VMStateSubsection
+
+Reviewed-by: Eduardo Habkost
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Eduardo Habkost
+(cherry picked from commit 2a9758c51e2c2d13fc3845c3d603c11df98b8823)
+Signed-off-by: Eduardo Habkost
+Signed-off-by: Miroslav Rezanina
+---
+ target-i386/cpu.c | 2 +-
+ target-i386/cpu.h | 5 +++++
+ target-i386/kvm.c | 14 ++++++++++++++
+ target-i386/machine.c | 21 +++++++++++++++++++++
+ 4 files changed, 41 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 120df73..57f5364 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -211,7 +211,7 @@ static const char *cpuid_apm_edx_feature_name[] = {
+
+ static const char *cpuid_arch_capabilities_feature_name[] = {
+ "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
+- "ssb-no", "mds-no", NULL, NULL,
++ "ssb-no", "mds-no", NULL, "tsx-ctrl",
+ "taa-no", NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index 8f73af7..c9bcdd5 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -307,7 +307,11 @@
+ #define MSR_IA32_SPEC_CTRL 0x48
+ #define MSR_VIRT_SSBD 0xc001011f
+ #define MSR_IA32_PRED_CMD 0x49
++
+ #define MSR_IA32_ARCH_CAPABILITIES 0x10a
++#define ARCH_CAP_TSX_CTRL_MSR (1<<7)
++
++#define MSR_IA32_TSX_CTRL 0x122
+ #define MSR_IA32_TSCDEADLINE 0x6e0
+
+ #define MSR_P6_PERFCTR0 0xc1
+@@ -1067,6 +1071,7 @@ typedef struct CPUX86State {
+ uint64_t xss;
+
+ uint32_t pkru;
++ uint32_t tsx_ctrl;
+
+ uint64_t spec_ctrl;
+ uint64_t virt_ssbd;
+diff --git a/target-i386/kvm.c b/target-i386/kvm.c
+index c79b0ea..7df2b28 100644
+--- a/target-i386/kvm.c
++++ b/target-i386/kvm.c
+@@ -80,6 +80,7 @@ static bool has_msr_hv_tsc;
+ static bool has_msr_mtrr;
+ static bool has_msr_xss;
+ static bool has_msr_spec_ctrl;
++static bool has_msr_tsx_ctrl;
+ static bool has_msr_virt_ssbd;
+ static bool has_msr_arch_capabs;
+
+@@ -908,6 +909,10 @@ static int kvm_get_supported_msrs(KVMState *s)
+ has_msr_spec_ctrl = true;
+ continue;
+ }
++ if (kvm_msr_list->indices[i] == MSR_IA32_TSX_CTRL) {
++ has_msr_tsx_ctrl = true;
++ continue;
++ }
+ if (kvm_msr_list->indices[i] == MSR_VIRT_SSBD) {
+ has_msr_virt_ssbd = true;
+ continue;
+@@ -1330,6 +1335,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+ if (has_msr_spec_ctrl) {
+ kvm_msr_entry_set(&msrs[n++], MSR_IA32_SPEC_CTRL, env->spec_ctrl);
+ }
++ if (has_msr_tsx_ctrl) {
++ kvm_msr_entry_set(&msrs[n++], MSR_IA32_TSX_CTRL, env->tsx_ctrl);
++ }
+ if (has_msr_virt_ssbd) {
+ kvm_msr_entry_set(&msrs[n++], MSR_VIRT_SSBD, env->virt_ssbd);
+ }
+@@ -1699,6 +1707,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+ if (has_msr_spec_ctrl) {
+ msrs[n++].index = MSR_IA32_SPEC_CTRL;
+ }
++ if (has_msr_tsx_ctrl) {
++ msrs[n++].index = MSR_IA32_TSX_CTRL;
++ }
+ if (has_msr_virt_ssbd) {
+ msrs[n++].index = MSR_VIRT_SSBD;
+ }
+@@ -1945,6 +1956,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+ case MSR_IA32_SPEC_CTRL:
+ env->spec_ctrl = msrs[i].data;
+ break;
++ case MSR_IA32_TSX_CTRL:
++ env->tsx_ctrl = msrs[i].data;
++ break;
+ case MSR_VIRT_SSBD:
+ env->virt_ssbd = msrs[i].data;
+ break;
+diff --git a/target-i386/machine.c b/target-i386/machine.c
+index cd2cf6f..892c8f4 100644
+--- a/target-i386/machine.c
++++ b/target-i386/machine.c
+@@ -778,6 +778,24 @@ static const VMStateDescription vmstate_msr_virt_ssbd = {
+ }
+ };
+
++static bool msr_tsx_ctrl_needed(void *opaque)
++{
++ X86CPU *cpu = opaque;
++ CPUX86State *env = &cpu->env;
++
++ return env->features[FEAT_ARCH_CAPABILITIES] & ARCH_CAP_TSX_CTRL_MSR;
++}
++
++static const VMStateDescription vmstate_msr_tsx_ctrl = {
++ .name = "cpu/msr_tsx_ctrl",
++ .version_id = 1,
++ .minimum_version_id = 1,
++ .fields = (VMStateField[]) {
++ VMSTATE_UINT32(env.tsx_ctrl, X86CPU),
++ VMSTATE_END_OF_LIST()
++ }
++};
++
+ VMStateDescription vmstate_x86_cpu = {
+ .name = "cpu",
+ .version_id = 12,
+@@ -938,6 +956,9 @@ VMStateDescription vmstate_x86_cpu = {
+ }, {
+ .vmsd = &vmstate_msr_virt_ssbd,
+ .needed = virt_ssbd_needed,
++ }, {
++ .vmsd = &vmstate_msr_tsx_ctrl,
++ .needed = msr_tsx_ctrl_needed,
+ } , {
+ /* empty */
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-tcp_emu-Fix-oob-access.patch b/SOURCES/kvm-tcp_emu-Fix-oob-access.patch
new file mode 100644
index 0000000..55119f9
--- /dev/null
+++ b/SOURCES/kvm-tcp_emu-Fix-oob-access.patch
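Review bot: `env->tsx_ctrl = msrs[i].data;` in kvm_get_msrs() stores the 64-bit MSR value into the new `uint32_t tsx_ctrl` field, so the upper half is dropped silently, while the neighbouring `spec_ctrl` and `virt_ssbd` fields are `uint64_t`. If the narrower type is intended (it matches the `VMSTATE_UINT32` migration field), a comment on the field would record that, e.g. `uint32_t tsx_ctrl; /* IA32_TSX_CTRL; only the low 32 bits are kept and migrated */`. The MSR is read and written whenever the host list sets `has_msr_tsx_ctrl`, but the migration subsection is sent only when the guest has ARCH_CAP_TSX_CTRL_MSR; a short comment in msr_tsx_ctrl_needed() saying why the two conditions differ would help the next reader.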
@@ -0,0 +1,60 @@
+From dea2f95979cc0ba0c36f07b8e9cc709bd1ef1eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
+Date: Fri, 17 Jan 2020 12:00:35 +0100
+Subject: [PATCH 1/3] tcp_emu: Fix oob access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé
+Message-id: <20200117120037.12800-2-philmd@redhat.com>
+Patchwork-id: 93395
+O-Subject: [RHEL-7.7.z qemu-kvm + RHEL-7.8 qemu-kvm + RHEL-7.9 qemu-kvm PATCH v2 1/3] tcp_emu: Fix oob access
+Bugzilla: 1791560
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Thomas Huth
+
+From: Samuel Thibault
+
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+
+(cherry picked from libslirp commit 2655fffed7a9e765bcb4701dd876e9dab975f289)
+[PMD: backported with style conflicts,
+ CHANGELOG.md absent in downstream]
+Signed-off-by: Philippe Mathieu-Daudé
+
+Signed-off-by: Miroslav Rezanina
+---
+ slirp/tcp_subr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index d49a366..70a4c83 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -837,6 +837,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ break;
+
+ case 5:
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+ /*
+ * The difference between versions 1.0 and
+ * 2.0 is here. For future versions of
+@@ -852,6 +855,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ /* This is the field containing the port
+ * number that RA-player is listening to.
+ */
++
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+ lport = (((u_char*)bptr)[0] << 8)
+ + ((u_char *)bptr)[1];
+ if (lport < 6970)
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch b/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch
new file mode 100644
index 0000000..5bcfa9c
--- /dev/null
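Review bot: Both added guards are written as an equality, `bptr == m->m_data + m->m_len - 1`, so they are correct only while bptr is already known to lie inside the buffer; that invariant presumably comes from the enclosing loop in tcp_emu(), which is outside these hunks. A remaining-length test such as `if (m->m_data + m->m_len - bptr < 2)` states the two-byte requirement directly and does not depend on it. The single-statement `if` bodies would also be safer with braces, given that a missing-brace bug is fixed elsewhere in this same package update.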
+++ b/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch 
@@ -0,0 +1,150 @@
+From 7617de175ec7d3004aa276ffca3f41d721bc4ae5 Mon Sep 17 00:00:00 2001
+From: jmaloy
+Date: Thu, 13 Feb 2020 21:08:18 +0100
+Subject: [PATCH 2/6] tcp_emu: fix unsafe snprintf() usages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20200213210818.9090-3-jmaloy@redhat.com>
+Patchwork-id: 93832
+O-Subject: [RHEL-7.8 qemu-kvm PATCH 2/2] tcp_emu: fix unsafe snprintf() usages
+Bugzilla: 1800515
+RH-Acked-by: Philippe Mathieu-Daudé
+RH-Acked-by: Eduardo Habkost
+RH-Acked-by: Stefan Hajnoczi
+
+From: Marc-André Lureau
+
+Various calls to snprintf() assume that snprintf() returns "only" the
+number of bytes written (excluding terminating NUL).
+
+https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
+
+"Upon successful completion, the snprintf() function shall return the
+number of bytes that would be written to s had n been sufficiently
+large excluding the terminating null byte."
+
+Before patch ce131029, if there isn't enough room in "m_data" for the
+"DCC ..." message, we overflow "m_data".
+
+After the patch, if there isn't enough room for the same, we don't
+overflow "m_data", but we set "m_len" out-of-bounds. The next time an
+access is bounded by "m_len", we'll have a buffer overflow then.
+
+Use slirp_fmt*() to fix potential OOB memory access.
+
+Reported-by: Laszlo Ersek
+Signed-off-by: Marc-André Lureau
+Reviewed-by: Samuel Thibault
+Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
+(cherry picked from commit 68ccb8021a838066f0951d4b2817eb6b6f10a843)
+
+Manually re-adapted since the cherry-pick didn't apply cleanly.
+
+Signed-off-by: Jon Maloy
+Signed-off-by: Miroslav Rezanina
+---
+ slirp/tcp_subr.c | 44 +++++++++++++++++++++-----------------------
+ 1 file changed, 21 insertions(+), 23 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index e83575e..8dae0cc 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -610,8 +610,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ NTOHS(n1);
+ NTOHS(n2);
+ m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1);
+- m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
+- assert(m->m_len < M_ROOM(m));
++ m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
+ } else {
+ *eol = '\r';
+ }
+@@ -651,9 +650,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
+- "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+- n1, n2, n3, n4, n5, n6, x==7?buff:"");
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++ "ORT %d,%d,%d,%d,%d,%d\r\n%s",
++ n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
+ return 1;
+ } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) {
+ /*
+@@ -684,10 +683,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
+- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+- n1, n2, n3, n4, n5, n6, x==7?buff:"");
+-
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
++ n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
+ return 1;
+ }
+
+@@ -710,8 +708,8 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ htons(lport), SS_FACCEPTONCE)) != NULL)
+- m->m_len = snprintf(m->m_data, M_ROOM(m),
+- "%d", ntohs(so->so_fport)) + 1;
++ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m),
++ "%d", ntohs(so->so_fport));
+ return 1;
+
+ case EMU_IRC:
+@@ -731,10 +729,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
+- "DCC CHAT chat %lu %u%c\n",
+- (unsigned long)ntohl(so->so_faddr.s_addr),
+- ntohs(so->so_fport), 1);
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++ "DCC CHAT chat %lu %u%c\n",
++ (unsigned long)ntohl(so->so_faddr.s_addr),
++ ntohs(so->so_fport), 1);
+ } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
+ if ((so = tcp_listen(slirp, INADDR_ANY, 0,
+ htonl(laddr), htons(lport),
+@@ -742,10 +740,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
+- "DCC SEND %s %lu %u %u%c\n", buff,
+- (unsigned long)ntohl(so->so_faddr.s_addr),
+- ntohs(so->so_fport), n1, 1);
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++ "DCC SEND %s %lu %u %u%c\n", buff,
++ (unsigned long)ntohl(so->so_faddr.s_addr),
++ ntohs(so->so_fport), n1, 1);
+ } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
+ if ((so = tcp_listen(slirp, INADDR_ANY, 0,
+ htonl(laddr), htons(lport),
+@@ -753,10 +751,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, M_FREEROOM(m),
+- "DCC MOVE %s %lu %u %u%c\n", buff,
+- (unsigned long)ntohl(so->so_faddr.s_addr),
+- ntohs(so->so_fport), n1, 1);
++ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++ "DCC MOVE %s %lu %u %u%c\n", buff,
++ (unsigned long)ntohl(so->so_faddr.s_addr),
++ ntohs(so->so_fport), n1, 1);
+ }
+ return 1;
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-util-add-slirp_fmt-helpers2.patch b/SOURCES/kvm-util-add-slirp_fmt-helpers2.patch
new file mode 100644
index 0000000..763eb2a
--- /dev/null
+++ b/SOURCES/kvm-util-add-slirp_fmt-helpers2.patch
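Review bot: At the `"%d"` reply the old `snprintf(...) + 1` becomes `slirp_fmt0(...)` with the `+ 1` dropped, and nothing at the call site says that m_len is still meant to count the terminating NUL. A one-line comment there, for example `/* slirp_fmt0() returns the length including the NUL, as the old "+ 1" did */`, would stop a later reader from "correcting" it. The other converted sites add the slirp_fmt() result to m_len without looking at truncation, so on a short buffer the rewritten command is cut and only logged; if that is the intended behaviour it deserves a comment as well. tcp_emu() starts and ends outside these hunks.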
@@ -0,0 +1,140 @@
+From cf712371da839a8655506aacc2908f7ffc3988ab Mon Sep 17 00:00:00 2001
+From: jmaloy
+Date: Thu, 13 Feb 2020 21:08:17 +0100
+Subject: [PATCH 1/6] util: add slirp_fmt() helpers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20200213210818.9090-2-jmaloy@redhat.com>
+Patchwork-id: 93831
+O-Subject: [RHEL-7.8 qemu-kvm PATCH 1/2] util: add slirp_fmt() helpers
+Bugzilla: 1800515
+RH-Acked-by: Maxim Levitsky
+RH-Acked-by: Eduardo Habkost
+RH-Acked-by: Stefan Hajnoczi
+
+From: Marc-André Lureau
+
+Various calls to snprintf() in libslirp assume that snprintf() returns
+"only" the number of bytes written (excluding terminating NUL).
+
+https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
+
+"Upon successful completion, the snprintf() function shall return the
+number of bytes that would be written to s had n been sufficiently
+large excluding the terminating null byte."
+
+Introduce slirp_fmt() that handles several pathological cases the
+way libslirp usually expect:
+
+- treat error as fatal (instead of silently returning -1)
+
+- fmt0() will always \0 end
+
+- return the number of bytes actually written (instead of what would
+ have been written, which would usually result in OOB later), including
+ the ending \0 for fmt0()
+
+- warn if truncation happened (instead of ignoring)
+
+ Other less common cases can still be handled with strcpy/snprintf() etc.
+
+Signed-off-by: Marc-André Lureau
+Reviewed-by: Samuel Thibault
+Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com>
+
+Manually re-adapted from 30648c03b27fb8d9611b723184216cd3174b6775
+since cerry-pick cannot be used here. There is no util.c file in this
+code version, so we add the two new functions as static functions in
+the file where they are going to be used.
+
+Signed-off-by: Jon Maloy
+Signed-off-by: Miroslav Rezanina
+---
+ slirp/tcp_subr.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 65 insertions(+)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 19e2245..e83575e 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -44,6 +44,9 @@
+ /* Don't do rfc1323 performance enhancements */
+ #define TCP_DO_RFC1323 0
+
++static int slirp_fmt(char *str, size_t size, const char *format, ...);
++static int slirp_fmt0(char *str, size_t size, const char *format, ...);
++
+ /*
+ * Tcp initialization
+ */
+@@ -935,3 +938,65 @@ int tcp_ctl(struct socket *so)
+ sb->sb_wptr += sb->sb_cc;
+ return 0;
+ }
++
++static int slirp_vsnprintf(char *str, size_t size,
++ const char *format, va_list args)
++{
++ int rv = vsnprintf(str, size, format, args);
++
++ if (rv < 0) {
++ g_error("vsnprintf() failed: %s", g_strerror(errno));
++ }
++
++ return rv;
++}
++
++/*
++ * A snprintf()-like function that:
++ * - returns the number of bytes written (excluding optional \0-ending)
++ * - dies on error
++ * - warn on truncation
++ */
++static int slirp_fmt(char *str, size_t size, const char *format, ...)
++{
++ va_list args;
++ int rv;
++
++ va_start(args, format);
++ rv = slirp_vsnprintf(str, size, format, args);
++ va_end(args);
++
++ if (rv > size) {
++ g_critical("vsnprintf() truncation");
++ }
++
++ return MIN(rv, size);
++}
++
++/*
++ * A snprintf()-like function that:
++ * - always \0-end (unless size == 0)
++ * - returns the number of bytes actually written, including \0 ending
++ * - dies on error
++ * - warn on truncation
++ */
++static int slirp_fmt0(char *str, size_t size, const char *format, ...)
++{
++ va_list args;
++ int rv;
++
++ va_start(args, format);
++ rv = slirp_vsnprintf(str, size, format, args);
++ va_end(args);
++
++ if (rv >= size) {
++ g_critical("vsnprintf() truncation");
++ if (size > 0)
++ str[size - 1] = '\0';
++ rv = size;
++ } else {
++ rv += 1; /* include \0 */
++ }
++
++ return rv;
++}
+--
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index c13d876..bd127d2 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 1.5.3
-Release: 170%{?dist}
+Release: 174%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2 and GPLv2+ and CC-BY
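Review bot: The truncation test in slirp_fmt(), `if (rv > size)`, misses the case rv == size: vsnprintf() has then dropped the last character to make room for the NUL, yet nothing is logged and the function returns size, one more than the characters actually stored. slirp_fmt0() in the same patch compares with `>=`; using `if (rv >= size) {` here as well would make the two helpers agree with their shared "warn on truncation" comment. Both comparisons also mix `int` and `size_t`, which is safe only as long as slirp_vsnprintf() never returns a negative value, so a short comment saying that g_error() does not return would be worth adding.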
@@ -4007,6 +4007,36 @@ Patch1974: kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch Patch1975: kvm-Remove-arch-capabilities-deprecation.patch # For bz#1714791 - [Intel 7.8 FEAT] MDS_NO exposure to guest - qemu-kvm Patch1976: kvm-target-i386-add-MDS-NO-feature.patch +# For bz#1638471 - [Intel 7.8 Feat] qemu-kvm Introduce Cascade Lake (CLX) cpu model +Patch1977: kvm-i386-Add-new-model-of-Cascadelake-Server.patch +# For bz#1638471 - [Intel 7.8 Feat] qemu-kvm Introduce Cascade Lake (CLX) cpu model +Patch1978: kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch +# For bz#1638471 - [Intel 7.8 Feat] qemu-kvm Introduce Cascade Lake (CLX) cpu model +Patch1979: kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch +# For bz#1760607 - Corrupted EAX values due to missing brackets at CPUID[0x800000008] code +Patch1980: kvm-Add-missing-brackets-to-CPUID-0x80000008-code.patch +# For bz#1771961 - CVE-2019-11135 qemu-kvm: hw: TSX Transaction Asynchronous Abort (TAA) [rhel-7.8] +Patch1981: kvm-target-i386-Export-TAA_NO-bit-to-guests.patch +# For bz#1771961 - CVE-2019-11135 qemu-kvm: hw: TSX Transaction Asynchronous Abort (TAA) [rhel-7.8] +Patch1982: kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch +# For bz#1791560 - CVE-2020-7039 qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8] +Patch1983: kvm-tcp_emu-Fix-oob-access.patch +# For bz#1791560 - CVE-2020-7039 qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8] +Patch1984: kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch +# For bz#1791560 - CVE-2020-7039 qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8] +Patch1985: kvm-slirp-use-correct-size-while-emulating-commands.patch +# For bz#1800515 - CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.9] +Patch1986: kvm-util-add-slirp_fmt-helpers2.patch +# For bz#1800515 - 
CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.9] +Patch1987: kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch +# For bz#1791679 - QEMU: Slirp: disable emulation of tcp programs like ftp IRC etc. [rhel-7] +Patch1988: kvm-slirp-disable-tcp_emu.patch +# For bz#1802215 - Add support for newer glusterfs +Patch1989: kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch +# For bz#1802215 - Add support for newer glusterfs +Patch1990: kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch +# For bz#1618503 - qemu-kvm: Qemu: seccomp: blacklist is not applied to all threads [rhel-7] +Patch1991: kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch BuildRequires: zlib-devel @@ -6161,6 +6191,21 @@ tar -xf %{SOURCE21} %patch1974 -p1 %patch1975 -p1 %patch1976 -p1 +%patch1977 -p1 +%patch1978 -p1 +%patch1979 -p1 +%patch1980 -p1 +%patch1981 -p1 +%patch1982 -p1 +%patch1983 -p1 +%patch1984 -p1 +%patch1985 -p1 +%patch1986 -p1 +%patch1987 -p1 +%patch1988 -p1 +%patch1989 -p1 +%patch1990 -p1 +%patch1991 -p1 %build buildarch="%{kvm_target}-softmmu" 
@@ -6606,6 +6651,45 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_mandir}/man8/qemu-nbd.8* %changelog +* Thu Mar 19 2020 Miroslav Rezanina - 1.5.3-174.el7 +- kvm-util-add-slirp_fmt-helpers2.patch [bz#1800515] +- kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch [bz#1800515] +- kvm-slirp-disable-tcp_emu.patch [bz#1791679] +- kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch [bz#1802215] +- kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch [bz#1802215] +- kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch [bz#1618503] +- Resolves: bz#1618503 + (qemu-kvm: Qemu: seccomp: blacklist is not applied to all threads [rhel-7]) +- Resolves: bz#1791679 + (QEMU: Slirp: disable emulation of tcp programs like ftp IRC etc. [rhel-7]) +- Resolves: bz#1800515 + (CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.9]) +- Resolves: bz#1802215 + (Add support for newer glusterfs) + +* Thu Jan 23 2020 Miroslav Rezanina - 1.5.3-173.el7 +- kvm-tcp_emu-Fix-oob-access.patch [bz#1791560] +- kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch [bz#1791560] +- kvm-slirp-use-correct-size-while-emulating-commands.patch [bz#1791560] +- Resolves: bz#1791560 + (CVE-2020-7039 qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8]) + +* Thu Dec 05 2019 Miroslav Rezanina - 1.5.3-172.el7 +- kvm-target-i386-Export-TAA_NO-bit-to-guests.patch [bz#1771961] +- kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch [bz#1771961] +- Resolves: bz#1771961 + (CVE-2019-11135 qemu-kvm: hw: TSX Transaction Asynchronous Abort (TAA) [rhel-7.8]) + +* Tue Oct 15 2019 Miroslav Rezanina - 1.5.3-171.el7 +- kvm-i386-Add-new-model-of-Cascadelake-Server.patch [bz#1638471] +- kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch [bz#1638471] +- kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch [bz#1638471] +- kvm-Add-missing-brackets-to-CPUID-0x80000008-code.patch [bz#1760607] 
+- Resolves: bz#1638471 + ([Intel 7.8 Feat] qemu-kvm Introduce Cascade Lake (CLX) cpu model) +- Resolves: bz#1760607 + (Corrupted EAX values due to missing brackets at CPUID[0x800000008] code) + * Wed Oct 02 2019 Miroslav Rezanina - 1.5.3-170.el7 - kvm-Using-ip_deq-after-m_free-might-read-pointers-from-a.patch [bz#1749735] - kvm-target-i386-Merge-feature-filtering-checking-functio.patch [bz#1709971]