diff --git a/SOURCES/kvm-Add-missing-brackets-to-CPUID-0x80000008-code.patch b/SOURCES/kvm-Add-missing-brackets-to-CPUID-0x80000008-code.patch
new file mode 100644
index 0000000..4fb8c36
--- /dev/null
+++ b/SOURCES/kvm-Add-missing-brackets-to-CPUID-0x80000008-code.patch
@@ -0,0 +1,54 @@
+From 23e038b8eb586dc19f1d653cd98d0cae109f359b Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 10 Oct 2019 22:18:07 +0200
+Subject: [PATCH 4/4] Add missing brackets to CPUID[0x80000008] code
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20191010221807.2953-1-ehabkost@redhat.com>
+Patchwork-id: 91713
+O-Subject: [RHEL-7.8 qemu-kvm PATCH] Add missing brackets to CPUID[0x80000008] code
+Bugzilla: 1760607
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1760607
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=23986041
+Upstream: not applicable
+
+I've made a mistake at downstream-only commit ba222e201e07
+("i386: Don't copy host virtual address limit"): I forgot to add
+brackets to the existing if statement.  This expose an invalid
+physical address size to the guest if the host xlevel is less
+than 0x80000008.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index b4839df..9283902 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -2978,7 +2978,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+             if (kvm_enabled()) {
+                 uint32_t _eax;
+                 host_cpuid(0x80000000, 0, &_eax, NULL, NULL, NULL);
+-                if (_eax >= 0x80000008)
++                if (_eax >= 0x80000008) {
+                     host_cpuid(0x80000008, 0, &_eax, NULL, NULL, NULL);
+                     /*
+                      * Override physical size only, as RHEL-7 KVM only supports
+@@ -2986,6 +2986,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+                      */
+                     *eax &= ~0xff;
+                     *eax |= _eax & 0xff;
++                }
+             }
+         } else {
+             if (env->features[FEAT_1_EDX] & CPUID_PSE36) {
+-- 
+1.8.3.1
+
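Review bot: In the `kvm_enabled()` branch of `cpu_x86_cpuid`, `_eax` first receives the host's maximum extended leaf from `host_cpuid(0x80000000, ...)` and is then reused for leaf 0x80000008's EAX. With the unbraced `if`, the masking lines therefore OR-ed the low byte of the max-leaf value into `*eax` without any visible sign of it. Two separately named locals, e.g. `uint32_t host_xlevel, host_eax;`, would make that kind of mix-up obvious when reading the code. The hunk does not show what `*eax` holds when the host lacks leaf 0x80000008, so a short comment on the value the guest sees in that case would help. The function body starts and ends outside the hunk.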
diff --git a/SOURCES/kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch b/SOURCES/kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch
new file mode 100644
index 0000000..f3ab197
--- /dev/null
+++ b/SOURCES/kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch
@@ -0,0 +1,96 @@
+From b5c74112b314c185335de246c465d14ef68509a3 Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky <mlevitsk@redhat.com>
+Date: Sun, 16 Feb 2020 16:02:24 +0100
+Subject: [PATCH 4/6] gluster: Handle changed glfs_ftruncate signature
+
+Message-id: <20200216160225.22498-2-mlevitsk@redhat.com>
+Patchwork-id: 93881
+O-Subject: [RHEL-7.9 qemu-kvm PATCH 1/2] gluster: Handle changed glfs_ftruncate signature
+Bugzilla: 1802215
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+
+From: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
+
+New versions of Glusters libgfapi.so have an updated glfs_ftruncate()
+function that returns additional 'struct stat' structures to enable
+advanced caching of attributes. This is useful for file servers, not so
+much for QEMU. Nevertheless, the API has changed and needs to be
+adopted.
+
+Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
+Signed-off-by: Niels de Vos <ndevos@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit e014dbe74e0484188164c61ff6843f8a04a8cb9d)
+Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
+
+RHEL: fixed conflicts
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/gluster.c |  5 +++++
+ configure       | 18 ++++++++++++++++++
+ 2 files changed, 23 insertions(+)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index 86e136d..d6160af 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -20,6 +20,11 @@
+ #include "qemu/sockets.h"
+ #include "qemu/uri.h"
+ 
++#ifdef CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT
++# define glfs_ftruncate(fd, offset) glfs_ftruncate(fd, offset, NULL, NULL)
++#endif
++
++
+ typedef struct GlusterAIOCB {
+     BlockDriverAIOCB common;
+     int64_t size;
+diff --git a/configure b/configure
+index 5877e82..70fd06f 100755
+--- a/configure
++++ b/configure
+@@ -243,6 +243,7 @@ seccomp=""
+ glusterfs=""
+ glusterfs_discard="no"
+ virtio_blk_data_plane=""
++glusterfs_ftruncate_has_stat="no"
+ gtk=""
+ gtkabi="2.0"
+ tpm="no"
+@@ -2748,6 +2749,19 @@ EOF
+     if $pkg_config --atleast-version=5 glusterfs-api >/dev/null 2>&1; then
+       glusterfs_discard="yes"
+     fi
++    cat > $TMPC << EOF
++#include <glusterfs/api/glfs.h>
++
++int
++main(void)
++{
++	/* new glfs_ftruncate() passes two additional args */
++	return glfs_ftruncate(NULL, 0, NULL, NULL);
++}
++EOF
++    if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then
++      glusterfs_ftruncate_has_stat="yes"
++    fi
+   else
+     if test "$glusterfs" = "yes" ; then
+       feature_not_found "GlusterFS backend support"
+@@ -4178,6 +4192,10 @@ if test "$live_block_ops" = "yes" ; then
+   echo "CONFIG_LIVE_BLOCK_OPS=y" >> $config_host_mak
+ fi
+ 
++if test "$glusterfs_ftruncate_has_stat" = "yes" ; then
++  echo "CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT=y" >> $config_host_mak
++fi
++
+ if test "$live_block_migration" = "yes" ; then
+   echo "CONFIG_LIVE_BLOCK_MIGRATION=y" >> $config_host_mak
+ fi
+-- 
+1.8.3.1
+
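Review bot: The `glfs_ftruncate` macro added under `#ifdef CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT` in block/gluster.c redefines a library function name for the rest of the file, with no comment saying what the two extra `NULL` arguments stand for. A one-line comment above the `# define`, such as `/* newer libgfapi adds pre/post stat out-parameters; QEMU does not use them */`, would record this. The hunk also adds two consecutive blank lines after `#endif`; one is enough.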
diff --git a/SOURCES/kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch b/SOURCES/kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch
new file mode 100644
index 0000000..8b3b12c
--- /dev/null
+++ b/SOURCES/kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch
@@ -0,0 +1,109 @@
+From b9bf902e0a6739ba5db697fbd9b8f063dd130618 Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky <mlevitsk@redhat.com>
+Date: Sun, 16 Feb 2020 16:02:25 +0100
+Subject: [PATCH 5/6] gluster: the glfs_io_cbk callback function pointer adds
+ pre/post stat args
+
+Message-id: <20200216160225.22498-3-mlevitsk@redhat.com>
+Patchwork-id: 93880
+O-Subject: [RHEL-7.9 qemu-kvm PATCH 2/2] gluster: the glfs_io_cbk callback function pointer adds pre/post stat args
+Bugzilla: 1802215
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+
+From: Niels de Vos <ndevos@redhat.com>
+
+The glfs_*_async() functions do a callback once finished. This callback
+has changed its arguments, pre- and post-stat structures have been
+added. This makes it possible to improve caching, which is useful for
+Samba and NFS-Ganesha, but not so much for QEMU. Gluster 6 is the first
+release that includes these new arguments.
+
+With an additional detection in ./configure, the new arguments can
+conditionally get included in the glfs_io_cbk handler.
+
+Signed-off-by: Niels de Vos <ndevos@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 0e3b891fefacc0e49f3c8ffa3a753b69eb7214d2)
+Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
+
+RHEL: first chunk of the patch was applied manually due to very
+different context, for other chunks conficts were fixed.
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/gluster.c |  7 ++++++-
+ configure       | 24 ++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/block/gluster.c b/block/gluster.c
+index d6160af..dba3e0a 100644
+--- a/block/gluster.c
++++ b/block/gluster.c
+@@ -571,7 +571,12 @@ static const AIOCBInfo gluster_aiocb_info = {
+     .cancel = qemu_gluster_aio_cancel,
+ };
+ 
+-static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, void *arg)
++static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret,
++#ifdef CONFIG_GLUSTERFS_IOCB_HAS_STAT
++                                 struct glfs_stat *pre, struct glfs_stat *post,
++#endif
++                                 void *arg)
++
+ {
+     GlusterAIOCB *acb = (GlusterAIOCB *)arg;
+     BlockDriverState *bs = acb->common.bs;
+diff --git a/configure b/configure
+index 70fd06f..34e3acc 100755
+--- a/configure
++++ b/configure
+@@ -244,6 +244,7 @@ glusterfs=""
+ glusterfs_discard="no"
+ virtio_blk_data_plane=""
+ glusterfs_ftruncate_has_stat="no"
++glusterfs_iocb_has_stat="no"
+ gtk=""
+ gtkabi="2.0"
+ tpm="no"
+@@ -2762,6 +2763,25 @@ EOF
+     if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then
+       glusterfs_ftruncate_has_stat="yes"
+     fi
++    cat > $TMPC << EOF
++#include <glusterfs/api/glfs.h>
++
++/* new glfs_io_cbk() passes two additional glfs_stat structs */
++static void
++glusterfs_iocb(glfs_fd_t *fd, ssize_t ret, struct glfs_stat *prestat, struct glfs_stat *poststat, void *data)
++{}
++
++int
++main(void)
++{
++	glfs_io_cbk iocb = &glusterfs_iocb;
++	iocb(NULL, 0 , NULL, NULL, NULL);
++	return 0;
++}
++EOF
++    if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then
++      glusterfs_iocb_has_stat="yes"
++    fi
+   else
+     if test "$glusterfs" = "yes" ; then
+       feature_not_found "GlusterFS backend support"
+@@ -4196,6 +4216,10 @@ if test "$glusterfs_ftruncate_has_stat" = "yes" ; then
+   echo "CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT=y" >> $config_host_mak
+ fi
+ 
++if test "$glusterfs_iocb_has_stat" = "yes" ; then
++  echo "CONFIG_GLUSTERFS_IOCB_HAS_STAT=y" >> $config_host_mak
++fi
++
+ if test "$live_block_migration" = "yes" ; then
+   echo "CONFIG_LIVE_BLOCK_MIGRATION=y" >> $config_host_mak
+ fi
+-- 
+1.8.3.1
+
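Review bot: The new `gluster_finish_aiocb` signature leaves an empty line between `void *arg)` and the opening `{`, and gives no hint that `pre` and `post` exist only to match the newer `glfs_io_cbk` type. Dropping the blank line and adding a comment inside the `#ifdef`, such as `/* pre/post stat are required by the Gluster 6 callback type and ignored here */`, would make the intent clear. The function body continues outside the hunk, so whether the two parameters are really unused cannot be confirmed from here. In the configure probe, it appears to be the five-argument call `iocb(NULL, 0 , NULL, NULL, NULL);`, rather than the pointer assignment, that makes the test program fail against the older header; that is worth a comment in the test source.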
diff --git a/SOURCES/kvm-i386-Add-new-model-of-Cascadelake-Server.patch b/SOURCES/kvm-i386-Add-new-model-of-Cascadelake-Server.patch
new file mode 100644
index 0000000..526daaa
--- /dev/null
+++ b/SOURCES/kvm-i386-Add-new-model-of-Cascadelake-Server.patch
@@ -0,0 +1,118 @@
+From 4f73c145a24ba196d904234a1ea437af22c33240 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 3 Oct 2019 22:12:15 +0200
+Subject: [PATCH 1/4] i386: Add new model of Cascadelake-Server
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20191003221217.8527-2-ehabkost@redhat.com>
+Patchwork-id: 90952
+O-Subject: [RHEL-7.8 qemu-kvm PATCH 1/3] i386: Add new model of Cascadelake-Server
+Bugzilla: 1638471
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+From: Tao Xu <tao3.xu@intel.com>
+
+New CPU models mostly inherit features from ancestor Skylake-Server,
+while addin new features: AVX512_VNNI, Intel PT.
+SSBD support for speculative execution
+side channel mitigations.
+
+Note:
+
+On Cascadelake, some capabilities (RDCL_NO, IBRS_ALL, RSBA,
+SKIP_L1DFL_VMENTRY and SSB_NO) are enumerated by MSR.
+These features rely on MSR based feature support patch.
+Will be added later after that patch's in.
+http://lists.nongnu.org/archive/html/qemu-devel/2018-09/msg00074.html
+
+Backport notes:
+* Like we already did in Skylake-Server and EPYC, ARAT is
+  not present in the CPU model (RHEL7-3+ and RHEL-8 already have
+  arat=off in PC_COMPAT_RHEL7_2)
+
+Signed-off-by: Tao Xu <tao3.xu@intel.com>
+Message-Id: <20180919031122.28487-2-tao3.xu@intel.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit c7a88b52f62b30c04158eeb07f73e3f72221b6a8)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 60 insertions(+)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index f92cb62..5b988c9 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1496,6 +1496,66 @@ static x86_def_t builtin_x86_defs[] = {
+         .model_id = "Intel Xeon Processor (Skylake, IBRS)",
+     },
+     {
++        .name = "Cascadelake-Server",
++        .level = 0xd,
++        .vendor = CPUID_VENDOR_INTEL,
++        .family = 6,
++        .model = 85,
++        .stepping = 5,
++        .features[FEAT_1_EDX] =
++            CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++            CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++            CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++            CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++            CPUID_DE | CPUID_FP87,
++        .features[FEAT_1_ECX] =
++            CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++            CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
++            CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++            CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
++            CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
++            CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
++        .features[FEAT_8000_0001_EDX] =
++            CPUID_EXT2_LM | CPUID_EXT2_PDPE1GB | CPUID_EXT2_RDTSCP |
++            CPUID_EXT2_NX | CPUID_EXT2_SYSCALL,
++        .features[FEAT_8000_0001_ECX] =
++            CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH,
++        .features[FEAT_7_0_EBX] =
++            CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
++            CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
++            CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
++            CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX |
++            CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_MPX | CPUID_7_0_EBX_CLWB |
++            CPUID_7_0_EBX_AVX512F | CPUID_7_0_EBX_AVX512DQ |
++            CPUID_7_0_EBX_AVX512BW | CPUID_7_0_EBX_AVX512CD |
++            CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT |
++            CPUID_7_0_EBX_INTEL_PT,
++        .features[FEAT_7_0_ECX] =
++            CPUID_7_0_ECX_PKU | CPUID_7_0_ECX_OSPKE |
++            CPUID_7_0_ECX_AVX512VNNI,
++        .features[FEAT_7_0_EDX] =
++            CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_SPEC_CTRL_SSBD,
++        /* Missing: XSAVES (not supported by some Linux versions,
++                * including v4.1 to v4.12).
++                * KVM doesn't yet expose any XSAVES state save component,
++                * and the only one defined in Skylake (processor tracing)
++                * probably will block migration anyway.
++                */
++        .features[FEAT_XSAVE] =
++            CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC |
++            CPUID_XSAVE_XGETBV1,
++        /* Missing: ARAT. not available in the qemu-kvm-1.5.3 tree (and
++         * disabled by compat code in pc-i440fx-rhel7.2.0 and older on
++         * qemu-kvm-rhev)
++         */
++#if 0
++        .features[FEAT_6_EAX] =
++            CPUID_6_EAX_ARAT,
++#endif
++        .xlevel = 0x80000008,
++        .model_id = "Intel Xeon Processor (Cascadelake)",
++    },
++    {
+         .name = "Opteron_G1",
+         .level = 5,
+         .vendor = CPUID_VENDOR_AMD,
+-- 
+1.8.3.1
+
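Review bot: The `Cascadelake-Server` entry documents the omitted XSAVES and ARAT bits in comments, but not the MSR-enumerated capabilities (RDCL_NO, IBRS_ALL, RSBA, SKIP_L1DFL_VMENTRY, SSB_NO) that the description says are left out until MSR-based feature support exists. These bits affect which speculative-execution mitigations a guest selects, so the omission should be recorded in the source next to `.features[FEAT_7_0_EDX]`, e.g. `/* Missing: ARCH_CAPABILITIES bits (RDCL_NO, IBRS_ALL, RSBA, SKIP_L1DFL_VMENTRY, SSB_NO), enumerated by MSR */`. The continuation lines of the `/* Missing: XSAVES` comment are indented deeper than its opening line and should be realigned. `builtin_x86_defs[]` starts and ends outside the hunk.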
diff --git a/SOURCES/kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch b/SOURCES/kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch
new file mode 100644
index 0000000..729d6a3
--- /dev/null
+++ b/SOURCES/kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch
@@ -0,0 +1,76 @@
+From b082e420af608c6b060e29e392e0a7fa0655298d Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 3 Oct 2019 22:12:16 +0200
+Subject: [PATCH 2/4] i386: Disable OSPKE on Cascadelake-Server
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20191003221217.8527-3-ehabkost@redhat.com>
+Patchwork-id: 90953
+O-Subject: [RHEL-7.8 qemu-kvm PATCH 2/3] i386: Disable OSPKE on Cascadelake-Server
+Bugzilla: 1638471
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+This is a partial cherry pick of upstream commit:
+
+commit bb4928c7cafe50ab2137a0034e350ef1bfa044d9
+Author: Eduardo Habkost <ehabkost@redhat.com>
+Date:   Tue Mar 19 17:05:15 2019 -0300
+
+    i386: Disable OSPKE on CPU model definitions
+
+    Currently, the Cascadelake-Server, Icelake-Client, and
+    Icelake-Server are always generating the following warning:
+
+      qemu-system-x86_64: warning: \
+        host doesn't support requested feature: CPUID.07H:ECX [bit 4]
+
+    This happens because OSPKE was never returned by
+    GET_SUPPORTED_CPUID or x86_cpu_get_supported_feature_word().
+    OSPKE is a runtime flag automatically set by the KVM module or by
+    TCG code, was always cleared by x86_cpu_filter_features(), and
+    was not supposed to appear on the CPU model table.
+
+    Remove the OSPKE flag from the CPU model table entries, to avoid
+    the bogus warning and avoid returning invalid feature data on
+    query-cpu-* QMP commands.  As OSPKE was always cleared by
+    x86_cpu_filter_features(), this won't have any guest-visible
+    impact.
+
+    Include a test case that should detect the problem if we introduce
+    a similar bug again.
+
+    Fixes: c7a88b52f62b ("i386: Add new model of Cascadelake-Server")
+    Fixes: 8a11c62da914 ("i386: Add new CPU model Icelake-{Server,Client}")
+    Cc: Tao Xu <tao3.xu@intel.com>
+    Cc: Robert Hoo <robert.hu@linux.intel.com>
+    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+    Message-Id: <20190319200515.14999-1-ehabkost@redhat.com>
+    Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+
+It includes only the Cascadelake-Server change, because Icelake*
+is not present in the RHEL7 tree.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 5b988c9..926373b 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1531,7 +1531,7 @@ static x86_def_t builtin_x86_defs[] = {
+             CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT |
+             CPUID_7_0_EBX_INTEL_PT,
+         .features[FEAT_7_0_ECX] =
+-            CPUID_7_0_ECX_PKU | CPUID_7_0_ECX_OSPKE |
++            CPUID_7_0_ECX_PKU |
+             CPUID_7_0_ECX_AVX512VNNI,
+         .features[FEAT_7_0_EDX] =
+             CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_SPEC_CTRL_SSBD,
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch b/SOURCES/kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch
new file mode 100644
index 0000000..81ce3b7
--- /dev/null
+++ b/SOURCES/kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch
@@ -0,0 +1,59 @@
+From 4d23f26f51e1a4b4a8c7aa2d105891e4589f913c Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Thu, 3 Oct 2019 22:12:17 +0200
+Subject: [PATCH 3/4] i386: remove the 'INTEL_PT' CPUID bit from
+ Cascadelake-Server
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20191003221217.8527-4-ehabkost@redhat.com>
+Patchwork-id: 90954
+O-Subject: [RHEL-7.8 qemu-kvm PATCH 3/3] i386: remove the 'INTEL_PT' CPUID bit from Cascadelake-Server
+Bugzilla: 1638471
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+This is a partial cherry pick of upstream commit:
+
+commit 4c257911dcc7c4189768e9651755c849ce9db4e8
+Author: Paolo Bonzini <pbonzini@redhat.com>
+Date:   Fri Dec 21 12:35:56 2018 +0100
+
+    i386: remove the 'INTEL_PT' CPUID bit from named CPU models
+
+    Processor tracing is not yet implemented for KVM and it will be an
+    opt in feature requiring a special module parameter.
+    Disable it, because it is wrong to enable it by default and
+    it is impossible that no one has ever used it.
+
+    Cc: qemu-stable@nongnu.org
+    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+It includes only the Cascadelake-Server change, because the other
+CPU models are not present in the RHEL7 tree.
+
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 926373b..b4839df 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -1528,8 +1528,7 @@ static x86_def_t builtin_x86_defs[] = {
+             CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_MPX | CPUID_7_0_EBX_CLWB |
+             CPUID_7_0_EBX_AVX512F | CPUID_7_0_EBX_AVX512DQ |
+             CPUID_7_0_EBX_AVX512BW | CPUID_7_0_EBX_AVX512CD |
+-            CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT |
+-            CPUID_7_0_EBX_INTEL_PT,
++            CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT,
+         .features[FEAT_7_0_ECX] =
+             CPUID_7_0_ECX_PKU |
+             CPUID_7_0_ECX_AVX512VNNI,
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch b/SOURCES/kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch
new file mode 100644
index 0000000..ab471c9
--- /dev/null
+++ b/SOURCES/kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch
@@ -0,0 +1,72 @@
+From d01fad2a8757f4e3b449a888b93a0ba9fda54daa Mon Sep 17 00:00:00 2001
+From: Eduardo Otubo <otubo@redhat.com>
+Date: Thu, 5 Mar 2020 13:49:51 +0100
+Subject: [PATCH 6/6] seccomp: set the seccomp filter to all threads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20200305134951.23851-1-otubo@redhat.com>
+Patchwork-id: 94161
+O-Subject: [RHEL-7.9 qemu-kvm PATCH] seccomp: set the seccomp filter to all threads
+Bugzilla: 1618503
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Mohammed Gamal <mgamal@redhat.com>
+
+commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114
+Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Date:   Wed Aug 22 19:02:50 2018 +0200
+
+    When using "-seccomp on", the seccomp policy is only applied to the
+    main thread, the vcpu worker thread and other worker threads created
+    after seccomp policy is applied; the seccomp policy is not applied to
+    e.g. the RCU thread because it is created before the seccomp policy is
+    applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.
+
+    This can be verified with
+    for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
+    Seccomp:	2
+    Seccomp:	0
+    Seccomp:	0
+    Seccomp:	2
+    Seccomp:	2
+    Seccomp:	2
+
+    Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
+    seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
+    on all threads.
+
+    libseccomp requirement was bumped to 2.2.0 in previous patch.
+    libseccomp should fail to set the filter if it can't honour
+    SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
+    kernel < 3.17.
+
+    Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+    Acked-by: Eduardo Otubo <otubo@redhat.com>
+
+Signed-off-by: Eduardo Otubo <otubo@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ qemu-seccomp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index e947909..828083b 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -264,6 +264,11 @@ int seccomp_start(void)
+         goto seccomp_return;
+     }
+ 
++    rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
++    if (rc != 0) {
++        goto seccomp_return;
++    }
++
+     for (i = 0; i < ARRAY_SIZE(seccomp_whitelist); i++) {
+         rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_whitelist[i].num, 0);
+         if (rc < 0) {
+-- 
+1.8.3.1
+
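Review bot: The new `seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1)` call in `seccomp_start` has no comment, and its failure check `rc != 0` differs from the `rc < 0` used for `seccomp_rule_add` a few lines below. A comment such as `/* sync the filter to all existing threads; needs libseccomp >= 2.2.0 and kernel >= 3.17, otherwise fail */` would record why startup now fails on older kernels instead of leaving early-created threads unfiltered. Using `rc < 0` here too would keep the error handling uniform. What `seccomp_return` does with `rc` is outside the hunk, so it is worth confirming that the caller reports the failure rather than continuing without a sandbox.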
diff --git a/SOURCES/kvm-slirp-disable-tcp_emu.patch b/SOURCES/kvm-slirp-disable-tcp_emu.patch
new file mode 100644
index 0000000..55d44d5
--- /dev/null
+++ b/SOURCES/kvm-slirp-disable-tcp_emu.patch
@@ -0,0 +1,69 @@
+From d4913063320e52d9c3716732d8c6b7396a2288b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Tue, 28 Jan 2020 13:32:53 +0100
+Subject: [PATCH 3/6] slirp: disable tcp_emu()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20200128133253.794107-2-marcandre.lureau@redhat.com>
+Patchwork-id: 93569
+O-Subject: [RHEL-8.2.0 qemu-kvm + RHEL-7.7 qemu-kvm + RHEL-6.11 qemu-kvm PATCH 1/1] slirp: disable tcp_emu()
+Bugzilla: 1791679
+RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+Since libslirp 4.1, tcp_emu() is disabled by default because it is
+known to cause several CVEs and is not useful today in most
+cases. Qemu upstream doesn't have an option to enable it back at this
+point, it's not clear if we ever want to expose that option anyway.
+
+See also upstream commit 07c2a44b67e ("emu: disable by default")
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1791677
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ slirp/tcp_subr.c | 4 ++--
+ slirp/udp.c      | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 8dae0cc..0ca7f02 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -516,7 +516,7 @@ tcp_tos(struct socket *so)
+ 	while(tcptos[i].tos) {
+ 		if ((tcptos[i].fport && (ntohs(so->so_fport) == tcptos[i].fport)) ||
+ 		    (tcptos[i].lport && (ntohs(so->so_lport) == tcptos[i].lport))) {
+-			so->so_emu = tcptos[i].emu;
++			so->so_emu = 0; /* disabled */
+ 			return tcptos[i].tos;
+ 		}
+ 		i++;
+@@ -526,7 +526,7 @@ tcp_tos(struct socket *so)
+ 	for (emup = tcpemu; emup; emup = emup->next) {
+ 		if ((emup->fport && (ntohs(so->so_fport) == emup->fport)) ||
+ 		    (emup->lport && (ntohs(so->so_lport) == emup->lport))) {
+-			so->so_emu = emup->emu;
++			so->so_emu = 0; /* disabled */
+ 			return emup->tos;
+ 		}
+ 	}
+diff --git a/slirp/udp.c b/slirp/udp.c
+index 2188176..ee92790 100644
+--- a/slirp/udp.c
++++ b/slirp/udp.c
+@@ -339,7 +339,7 @@ udp_tos(struct socket *so)
+ 	while(udptos[i].tos) {
+ 		if ((udptos[i].fport && ntohs(so->so_fport) == udptos[i].fport) ||
+ 		    (udptos[i].lport && ntohs(so->so_lport) == udptos[i].lport)) {
+-		    	so->so_emu = udptos[i].emu;
++			so->so_emu = 0; /* disabled */
+ 			return udptos[i].tos;
+ 		}
+ 		i++;
+-- 
+1.8.3.1
+
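Review bot: The three `so->so_emu = 0; /* disabled */` assignments in `tcp_tos` and `udp_tos` do not say why emulation is off, so a later rebase could restore `tcptos[i].emu`, `emup->emu` or `udptos[i].emu` without anyone noticing. A comment carrying the reason from the description would prevent that, e.g. `/* emulation disabled: tcp_emu() is a known source of CVEs, see upstream commit 07c2a44b67e */`. The hunks show only these three writers; any other assignment to `so_emu` elsewhere in slirp would need the same treatment. The `udp_tos` change presumably also switches off any UDP-side emulation keyed on that field, which the subject line does not mention.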
diff --git a/SOURCES/kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch b/SOURCES/kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch
new file mode 100644
index 0000000..6ccb8c4
--- /dev/null
+++ b/SOURCES/kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch
@@ -0,0 +1,71 @@
+From 896665af83060fb673fc12081083f53a10a19dc5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Jan 2020 12:00:36 +0100
+Subject: [PATCH 2/3] slirp: use correct size while emulating IRC commands
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20200117120037.12800-3-philmd@redhat.com>
+Patchwork-id: 93396
+O-Subject: [RHEL-7.7.z qemu-kvm + RHEL-7.8 qemu-kvm + RHEL-7.9 qemu-kvm PATCH v2 2/3] slirp: use correct size while emulating IRC commands
+Bugzilla: 1791560
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+'m->m_size' to write DCC commands via snprintf(3). This may
+lead to OOB write access, because 'bptr' points somewhere in
+the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+size to avoid OOB access.
+
+Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+(cherry picked from libslirp commit ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ slirp/tcp_subr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 70a4c83..321c2a4 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -728,7 +728,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, m->m_size,
++                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "DCC CHAT chat %lu %u%c\n",
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), 1);
+@@ -739,7 +739,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, m->m_size,
++                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "DCC SEND %s %lu %u %u%c\n", buff,
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), n1, 1);
+@@ -750,7 +750,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, m->m_size,
++                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "DCC MOVE %s %lu %u %u%c\n", buff,
+                                              (unsigned long)ntohl(so->so_faddr.s_addr),
+                                              ntohs(so->so_fport), n1, 1);
+-- 
+1.8.3.1
+
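Review bot: At all three DCC sites in `tcp_emu`, `m->m_len += snprintf(bptr, M_FREEROOM(m), ...)` still adds snprintf's return value unchecked, and snprintf returns the length the full string would have needed, not the number of bytes stored. When the output is truncated, `m_len` ends up larger than the data actually placed in the mbuf, so later code that trusts `m_len` may run past the buffer even though the write itself is now bounded. Store the result first and add it only when it fits: `int w = snprintf(bptr, M_FREEROOM(m), ...);`, then `if (w < 0 || w >= M_FREEROOM(m)) { /* reject */ }`, then `m->m_len += w;`. The `ORT` site changed in the following patch has the same pattern. `tcp_emu` starts and ends outside these hunks.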
diff --git a/SOURCES/kvm-slirp-use-correct-size-while-emulating-commands.patch b/SOURCES/kvm-slirp-use-correct-size-while-emulating-commands.patch
new file mode 100644
index 0000000..ae5466d
--- /dev/null
+++ b/SOURCES/kvm-slirp-use-correct-size-while-emulating-commands.patch
@@ -0,0 +1,70 @@
+From 95cf6abd88bedca0533ababfdb6480c3174f3b81 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Jan 2020 12:00:37 +0100
+Subject: [PATCH 3/3] slirp: use correct size while emulating commands
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20200117120037.12800-4-philmd@redhat.com>
+Patchwork-id: 93397
+O-Subject: [RHEL-7.7.z qemu-kvm + RHEL-7.8 qemu-kvm + RHEL-7.9 qemu-kvm PATCH v2 3/3] slirp: use correct size while emulating commands
+Bugzilla: 1791560
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+While emulating services in tcp_emu(), it uses 'mbuf' size
+'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+size to avoid possible OOB access.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+(cherry picked from libslirp commit 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ slirp/tcp_subr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 321c2a4..19e2245 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -648,7 +648,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, m->m_size - m->m_len,
++                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 			return 1;
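Review bot: `m->m_len += snprintf(bptr, M_FREEROOM(m), ...)` still adds snprintf()'s return value unchecked, and on truncation that value is the length that would have been written, not the length actually stored. The write is now bounded, but m_len can end up past the end of the buffer, so a later access bounded by m_len would be out of range. The same holds for the `27 Entering Passive Mode` hunk below and for the three DCC hunks of the IRC patch above. I would keep the result in a local and add it only when it fits, with a guard such as `if (w < 0 || w >= M_FREEROOM(m))` before `m->m_len += w;`. tcp_emu's body extends beyond this hunk, so the right action on the failure path has to be chosen against the full function.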
+@@ -681,7 +681,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			m->m_len += snprintf(bptr, m->m_size - m->m_len,
++			m->m_len += snprintf(bptr, M_FREEROOM(m),
+                                              "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+                                              n1, n2, n3, n4, n5, n6, x==7?buff:"");
+ 
+@@ -707,8 +707,8 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ 		    (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ 		                     htons(lport), SS_FACCEPTONCE)) != NULL)
+-                    m->m_len = snprintf(m->m_data, m->m_size, "%d",
+-                                        ntohs(so->so_fport)) + 1;
++                    m->m_len = snprintf(m->m_data, M_ROOM(m),
++                                        "%d", ntohs(so->so_fport)) + 1;
+ 		return 1;
+ 
+ 	 case EMU_IRC:
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-Export-TAA_NO-bit-to-guests.patch b/SOURCES/kvm-target-i386-Export-TAA_NO-bit-to-guests.patch
new file mode 100644
index 0000000..8b34363
--- /dev/null
+++ b/SOURCES/kvm-target-i386-Export-TAA_NO-bit-to-guests.patch
@@ -0,0 +1,48 @@
+From 2ce01dcb0add24ad6ba0a703b63d00fb9d95ee5f Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Wed, 4 Dec 2019 01:48:28 +0100
+Subject: [PATCH 1/2] target/i386: Export TAA_NO bit to guests
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20191204014829.608318-2-ehabkost@redhat.com>
+Patchwork-id: 92853
+O-Subject: [RHEL-7.8 qemu-kvm PATCH 1/2] target/i386: Export TAA_NO bit to guests
+Bugzilla: 1771961
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+
+TSX Async Abort (TAA) is a side channel attack on internal buffers in
+some Intel processors similar to Microachitectural Data Sampling (MDS).
+
+Some future Intel processors will use the ARCH_CAP_TAA_NO bit in the
+IA32_ARCH_CAPABILITIES MSR to report that they are not vulnerable to
+TAA. Make this bit available to guests.
+
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 7fac38635e1cc5ebae34eb6530da1009bd5808e4)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 9283902..120df73 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -212,7 +212,7 @@ static const char *cpuid_apm_edx_feature_name[] = {
+ static const char *cpuid_arch_capabilities_feature_name[] = {
+     "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
+     "ssb-no", "mds-no", NULL, NULL,
+-    NULL, NULL, NULL, NULL,
++    "taa-no", NULL, NULL, NULL,
+     NULL, NULL, NULL, NULL,
+     NULL, NULL, NULL, NULL,
+     NULL, NULL, NULL, NULL,
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch b/SOURCES/kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch
new file mode 100644
index 0000000..62c3002
--- /dev/null
+++ b/SOURCES/kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch
@@ -0,0 +1,170 @@
+From 73fac9c9beb00cc462eaae8589b4b2261142a8b2 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Wed, 4 Dec 2019 01:48:29 +0100
+Subject: [PATCH 2/2] target/i386: add support for MSR_IA32_TSX_CTRL
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20191204014829.608318-3-ehabkost@redhat.com>
+Patchwork-id: 92854
+O-Subject: [RHEL-7.8 qemu-kvm PATCH 2/2] target/i386: add support for MSR_IA32_TSX_CTRL
+Bugzilla: 1771961
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+The MSR_IA32_TSX_CTRL MSR can be used to hide TSX (also known as the
+Trusty Side-channel Extension).  By virtualizing the MSR, KVM guests
+can disable TSX and avoid paying the price of mitigating TSX-based
+attacks on microarchitectural side channels.
+
+Backport notes:
+* MSR code had to be rewritten
+* .needed is inside VMStateSubsection
+
+Reviewed-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit 2a9758c51e2c2d13fc3845c3d603c11df98b8823)
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ target-i386/cpu.c     |  2 +-
+ target-i386/cpu.h     |  5 +++++
+ target-i386/kvm.c     | 14 ++++++++++++++
+ target-i386/machine.c | 21 +++++++++++++++++++++
+ 4 files changed, 41 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 120df73..57f5364 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -211,7 +211,7 @@ static const char *cpuid_apm_edx_feature_name[] = {
+ 
+ static const char *cpuid_arch_capabilities_feature_name[] = {
+     "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
+-    "ssb-no", "mds-no", NULL, NULL,
++    "ssb-no", "mds-no", NULL, "tsx-ctrl",
+     "taa-no", NULL, NULL, NULL,
+     NULL, NULL, NULL, NULL,
+     NULL, NULL, NULL, NULL,
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index 8f73af7..c9bcdd5 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -307,7 +307,11 @@
+ #define MSR_IA32_SPEC_CTRL              0x48
+ #define MSR_VIRT_SSBD                   0xc001011f
+ #define MSR_IA32_PRED_CMD               0x49
++
+ #define MSR_IA32_ARCH_CAPABILITIES      0x10a
++#define ARCH_CAP_TSX_CTRL_MSR		(1<<7)
++
++#define MSR_IA32_TSX_CTRL		0x122
+ #define MSR_IA32_TSCDEADLINE            0x6e0
+ 
+ #define MSR_P6_PERFCTR0                 0xc1
+@@ -1067,6 +1071,7 @@ typedef struct CPUX86State {
+     uint64_t xss;
+ 
+     uint32_t pkru;
++    uint32_t tsx_ctrl;
+ 
+     uint64_t spec_ctrl;
+     uint64_t virt_ssbd;
+diff --git a/target-i386/kvm.c b/target-i386/kvm.c
+index c79b0ea..7df2b28 100644
+--- a/target-i386/kvm.c
++++ b/target-i386/kvm.c
+@@ -80,6 +80,7 @@ static bool has_msr_hv_tsc;
+ static bool has_msr_mtrr;
+ static bool has_msr_xss;
+ static bool has_msr_spec_ctrl;
++static bool has_msr_tsx_ctrl;
+ static bool has_msr_virt_ssbd;
+ static bool has_msr_arch_capabs;
+ 
+@@ -908,6 +909,10 @@ static int kvm_get_supported_msrs(KVMState *s)
+                     has_msr_spec_ctrl = true;
+                     continue;
+                 }
++                if (kvm_msr_list->indices[i] == MSR_IA32_TSX_CTRL) {
++                    has_msr_tsx_ctrl = true;
++                    continue;
++                }
+                 if (kvm_msr_list->indices[i] == MSR_VIRT_SSBD) {
+                     has_msr_virt_ssbd = true;
+                     continue;
+@@ -1330,6 +1335,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+     if (has_msr_spec_ctrl) {
+         kvm_msr_entry_set(&msrs[n++], MSR_IA32_SPEC_CTRL, env->spec_ctrl);
+     }
++    if (has_msr_tsx_ctrl) {
++        kvm_msr_entry_set(&msrs[n++], MSR_IA32_TSX_CTRL, env->tsx_ctrl);
++    }
+     if (has_msr_virt_ssbd) {
+         kvm_msr_entry_set(&msrs[n++], MSR_VIRT_SSBD, env->virt_ssbd);
+     }
+@@ -1699,6 +1707,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+     if (has_msr_spec_ctrl) {
+         msrs[n++].index = MSR_IA32_SPEC_CTRL;
+     }
++    if (has_msr_tsx_ctrl) {
++        msrs[n++].index = MSR_IA32_TSX_CTRL;
++    }
+     if (has_msr_virt_ssbd) {
+         msrs[n++].index = MSR_VIRT_SSBD;
+     }
+@@ -1945,6 +1956,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+         case MSR_IA32_SPEC_CTRL:
+             env->spec_ctrl = msrs[i].data;
+             break;
++        case MSR_IA32_TSX_CTRL:
++            env->tsx_ctrl = msrs[i].data;
++            break;
+         case MSR_VIRT_SSBD:
+             env->virt_ssbd = msrs[i].data;
+             break;
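Review bot: The assignment `env->tsx_ctrl = msrs[i].data;` narrows the MSR value into the `uint32_t tsx_ctrl` field this patch adds, while the neighbouring `spec_ctrl` and `virt_ssbd` fields in the same cpu.h hunk are `uint64_t`. If `msrs[i].data` is 64 bits wide, as those cases suggest, any upper bits returned by KVM are dropped silently and are not restored by kvm_put_msrs() or by the `VMSTATE_UINT32` migration field. That is probably intended, but nothing in the code says so. A short comment on this case would do, for example `/* IA32_TSX_CTRL: only the low 32 bits are tracked and migrated */`. The switch and the rest of kvm_get_msrs() lie outside the hunk.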
+diff --git a/target-i386/machine.c b/target-i386/machine.c
+index cd2cf6f..892c8f4 100644
+--- a/target-i386/machine.c
++++ b/target-i386/machine.c
+@@ -778,6 +778,24 @@ static const VMStateDescription vmstate_msr_virt_ssbd = {
+     }
+ };
+ 
++static bool msr_tsx_ctrl_needed(void *opaque)
++{
++    X86CPU *cpu = opaque;
++    CPUX86State *env = &cpu->env;
++
++    return env->features[FEAT_ARCH_CAPABILITIES] & ARCH_CAP_TSX_CTRL_MSR;
++}
++
++static const VMStateDescription vmstate_msr_tsx_ctrl = {
++    .name = "cpu/msr_tsx_ctrl",
++    .version_id = 1,
++    .minimum_version_id = 1,
++    .fields = (VMStateField[]) {
++        VMSTATE_UINT32(env.tsx_ctrl, X86CPU),
++        VMSTATE_END_OF_LIST()
++    }
++};
++
+ VMStateDescription vmstate_x86_cpu = {
+     .name = "cpu",
+     .version_id = 12,
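Review bot: `msr_tsx_ctrl_needed()` has no comment explaining why the subsection is keyed on the guest's `FEAT_ARCH_CAPABILITIES` bit rather than on `env->tsx_ctrl` being non-zero. As written, `cpu/msr_tsx_ctrl` is sent for every guest that was offered the MSR, even when the register still holds zero. That presumably matters when migrating to a build without this patch, so it should be stated next to the code. I would add `/* Send IA32_TSX_CTRL only for guests that were offered the MSR (ARCH_CAPABILITIES bit 7) */` above the function. A second comment on `ARCH_CAP_TSX_CTRL_MSR` in cpu.h could note that it must match the position of "tsx-ctrl" in `cpuid_arch_capabilities_feature_name[]`.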
+@@ -938,6 +956,9 @@ VMStateDescription vmstate_x86_cpu = {
+         }, {
+             .vmsd = &vmstate_msr_virt_ssbd,
+             .needed = virt_ssbd_needed,
++        }, {
++            .vmsd = &vmstate_msr_tsx_ctrl,
++            .needed = msr_tsx_ctrl_needed,
+         } , {
+             /* empty */
+         }
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-tcp_emu-Fix-oob-access.patch b/SOURCES/kvm-tcp_emu-Fix-oob-access.patch
new file mode 100644
index 0000000..55119f9
--- /dev/null
+++ b/SOURCES/kvm-tcp_emu-Fix-oob-access.patch
@@ -0,0 +1,60 @@
+From dea2f95979cc0ba0c36f07b8e9cc709bd1ef1eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 17 Jan 2020 12:00:35 +0100
+Subject: [PATCH 1/3] tcp_emu: Fix oob access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20200117120037.12800-2-philmd@redhat.com>
+Patchwork-id: 93395
+O-Subject: [RHEL-7.7.z qemu-kvm + RHEL-7.8 qemu-kvm + RHEL-7.9 qemu-kvm PATCH v2 1/3] tcp_emu: Fix oob access
+Bugzilla: 1791560
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+
+(cherry picked from libslirp commit 2655fffed7a9e765bcb4701dd876e9dab975f289)
+[PMD: backported with style conflicts,
+      CHANGELOG.md absent in downstream]
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ slirp/tcp_subr.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index d49a366..70a4c83 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -837,6 +837,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				break;
+ 
+ 			 case 5:
++				if (bptr == m->m_data + m->m_len - 1)
++					return 1; /* We need two bytes */
++
+ 				/*
+ 				 * The difference between versions 1.0 and
+ 				 * 2.0 is here. For future versions of
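Review bot: The new guard `if (bptr == m->m_data + m->m_len - 1)` fires only when exactly one byte is left. It is therefore correct only while the enclosing loop, which is outside this hunk, guarantees that bptr never moves past the end of the data. A remaining-length test, `if (m->m_data + m->m_len - bptr < 2)`, states the two-byte requirement directly and still holds if an earlier case has advanced bptr further than expected. The same applies to the second check added in the next hunk, just before `lport` is read from `bptr[0]` and `bptr[1]`.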
+@@ -852,6 +855,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				/* This is the field containing the port
+ 				 * number that RA-player is listening to.
+ 				 */
++
++				if (bptr == m->m_data + m->m_len - 1)
++					return 1; /* We need two bytes */
++
+ 				lport = (((u_char*)bptr)[0] << 8)
+ 				+ ((u_char *)bptr)[1];
+ 				if (lport < 6970)
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch b/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch
new file mode 100644
index 0000000..5bcfa9c
--- /dev/null
+++ b/SOURCES/kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch
@@ -0,0 +1,150 @@
+From 7617de175ec7d3004aa276ffca3f41d721bc4ae5 Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Thu, 13 Feb 2020 21:08:18 +0100
+Subject: [PATCH 2/6] tcp_emu: fix unsafe snprintf() usages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20200213210818.9090-3-jmaloy@redhat.com>
+Patchwork-id: 93832
+O-Subject: [RHEL-7.8 qemu-kvm PATCH 2/2] tcp_emu: fix unsafe snprintf() usages
+Bugzilla: 1800515
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Various calls to snprintf() assume that snprintf() returns "only" the
+number of bytes written (excluding terminating NUL).
+
+https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
+
+"Upon successful completion, the snprintf() function shall return the
+number of bytes that would be written to s had n been sufficiently
+large excluding the terminating null byte."
+
+Before patch ce131029, if there isn't enough room in "m_data" for the
+"DCC ..." message, we overflow "m_data".
+
+After the patch, if there isn't enough room for the same, we don't
+overflow "m_data", but we set "m_len" out-of-bounds. The next time an
+access is bounded by "m_len", we'll have a buffer overflow then.
+
+Use slirp_fmt*() to fix potential OOB memory access.
+
+Reported-by: Laszlo Ersek <lersek@redhat.com>
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
+(cherry picked from commit 68ccb8021a838066f0951d4b2817eb6b6f10a843)
+
+Manually re-adapted since the cherry-pick didn't apply cleanly.
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ slirp/tcp_subr.c | 44 +++++++++++++++++++++-----------------------
+ 1 file changed, 21 insertions(+), 23 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index e83575e..8dae0cc 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -610,8 +610,7 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				NTOHS(n1);
+ 				NTOHS(n2);
+ 				m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1);
+-				m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
+-				assert(m->m_len < M_ROOM(m));
++                                m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
+ 			} else {
+ 				*eol = '\r';
+ 			}
+@@ -651,9 +650,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+-                                             "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+-                                             n1, n2, n3, n4, n5, n6, x==7?buff:"");
++                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++                                              "ORT %d,%d,%d,%d,%d,%d\r\n%s",
++                                              n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
+ 			return 1;
+ 		} else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) {
+ 			/*
+@@ -684,10 +683,9 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 			n4 =  (laddr & 0xff);
+ 
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-			m->m_len += snprintf(bptr, M_FREEROOM(m),
+-                                             "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+-                                             n1, n2, n3, n4, n5, n6, x==7?buff:"");
+-
++                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++                                              "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
++                                              n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
+ 			return 1;
+ 		}
+ 
+@@ -710,8 +708,8 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 		if (m->m_data[m->m_len-1] == '\0' && lport != 0 &&
+ 		    (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ 		                     htons(lport), SS_FACCEPTONCE)) != NULL)
+-                    m->m_len = snprintf(m->m_data, M_ROOM(m),
+-                                        "%d", ntohs(so->so_fport)) + 1;
++                    m->m_len = slirp_fmt0(m->m_data, M_ROOM(m),
++                                          "%d", ntohs(so->so_fport));
+ 		return 1;
+ 
+ 	 case EMU_IRC:
+@@ -731,10 +729,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+-                                             "DCC CHAT chat %lu %u%c\n",
+-                                             (unsigned long)ntohl(so->so_faddr.s_addr),
+-                                             ntohs(so->so_fport), 1);
++                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++                                              "DCC CHAT chat %lu %u%c\n",
++                                              (unsigned long)ntohl(so->so_faddr.s_addr),
++                                              ntohs(so->so_fport), 1);
+ 		} else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
+ 			if ((so = tcp_listen(slirp, INADDR_ANY, 0,
+ 			                     htonl(laddr), htons(lport),
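Review bot: When the rewritten `DCC CHAT` line does not fit in `M_FREEROOM(m)`, slirp_fmt() keeps m_len inside the buffer, but the cut-off text stays in the mbuf and the code goes on to `return 1`. The helper, as defined in the slirp_fmt patch on this page, only logs with g_critical() and returns the clamped length. The DCC SEND and DCC MOVE hunks below behave the same way, and there `buff` is filled from packet data by `sscanf(... %256s ...)`, so the length is influenced by the peer. I would check the required length before rewriting, in the way the first hunk of this patch sizes the buffer with `snprintf(NULL, 0, ...)`, and leave the original payload untouched when it does not fit. The enclosing EMU_IRC case starts outside these hunks.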
+@@ -742,10 +740,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+-                                             "DCC SEND %s %lu %u %u%c\n", buff,
+-                                             (unsigned long)ntohl(so->so_faddr.s_addr),
+-                                             ntohs(so->so_fport), n1, 1);
++                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++                                              "DCC SEND %s %lu %u %u%c\n", buff,
++                                              (unsigned long)ntohl(so->so_faddr.s_addr),
++                                              ntohs(so->so_fport), n1, 1);
+ 		} else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, &n1) == 4) {
+ 			if ((so = tcp_listen(slirp, INADDR_ANY, 0,
+ 			                     htonl(laddr), htons(lport),
+@@ -753,10 +751,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 				return 1;
+ 			}
+ 			m->m_len = bptr - m->m_data; /* Adjust length */
+-                        m->m_len += snprintf(bptr, M_FREEROOM(m),
+-                                             "DCC MOVE %s %lu %u %u%c\n", buff,
+-                                             (unsigned long)ntohl(so->so_faddr.s_addr),
+-                                             ntohs(so->so_fport), n1, 1);
++                        m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
++                                              "DCC MOVE %s %lu %u %u%c\n", buff,
++                                              (unsigned long)ntohl(so->so_faddr.s_addr),
++                                              ntohs(so->so_fport), n1, 1);
+ 		}
+ 		return 1;
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-util-add-slirp_fmt-helpers2.patch b/SOURCES/kvm-util-add-slirp_fmt-helpers2.patch
new file mode 100644
index 0000000..763eb2a
--- /dev/null
+++ b/SOURCES/kvm-util-add-slirp_fmt-helpers2.patch
@@ -0,0 +1,140 @@
+From cf712371da839a8655506aacc2908f7ffc3988ab Mon Sep 17 00:00:00 2001
+From: jmaloy <jmaloy@redhat.com>
+Date: Thu, 13 Feb 2020 21:08:17 +0100
+Subject: [PATCH 1/6] util: add slirp_fmt() helpers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <20200213210818.9090-2-jmaloy@redhat.com>
+Patchwork-id: 93831
+O-Subject: [RHEL-7.8 qemu-kvm PATCH 1/2] util: add slirp_fmt() helpers
+Bugzilla: 1800515
+RH-Acked-by: Maxim Levitsky <mlevitsk@redhat.com>
+RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Various calls to snprintf() in libslirp assume that snprintf() returns
+"only" the number of bytes written (excluding terminating NUL).
+
+https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
+
+"Upon successful completion, the snprintf() function shall return the
+number of bytes that would be written to s had n been sufficiently
+large excluding the terminating null byte."
+
+Introduce slirp_fmt() that handles several pathological cases the
+way libslirp usually expect:
+
+- treat error as fatal (instead of silently returning -1)
+
+- fmt0() will always \0 end
+
+- return the number of bytes actually written (instead of what would
+  have been written, which would usually result in OOB later), including
+  the ending \0 for fmt0()
+
+- warn if truncation happened (instead of ignoring)
+
+  Other less common cases can still be handled with strcpy/snprintf() etc.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com>
+
+Manually re-adapted from 30648c03b27fb8d9611b723184216cd3174b6775
+since cerry-pick cannot be used here. There is no util.c file in this
+code version, so we add the two new functions as static functions in
+the file where they are going to be used.
+
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ slirp/tcp_subr.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 65 insertions(+)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 19e2245..e83575e 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -44,6 +44,9 @@
+ /* Don't do rfc1323 performance enhancements */
+ #define TCP_DO_RFC1323 0
+ 
++static int slirp_fmt(char *str, size_t size, const char *format, ...);
++static int slirp_fmt0(char *str, size_t size, const char *format, ...);
++
+ /*
+  * Tcp initialization
+  */
+@@ -935,3 +938,65 @@ int tcp_ctl(struct socket *so)
+     sb->sb_wptr += sb->sb_cc;
+     return 0;
+ }
++
++static int slirp_vsnprintf(char *str, size_t size,
++                           const char *format, va_list args)
++{
++    int rv = vsnprintf(str, size, format, args);
++
++    if (rv < 0) {
++        g_error("vsnprintf() failed: %s", g_strerror(errno));
++    }
++
++    return rv;
++}
++
++/*
++ * A snprintf()-like function that:
++ * - returns the number of bytes written (excluding optional \0-ending)
++ * - dies on error
++ * - warn on truncation
++ */
++static int slirp_fmt(char *str, size_t size, const char *format, ...)
++{
++    va_list args;
++    int rv;
++
++    va_start(args, format);
++    rv = slirp_vsnprintf(str, size, format, args);
++    va_end(args);
++
++    if (rv > size) {
++        g_critical("vsnprintf() truncation");
++    }
++
++    return MIN(rv, size);
++}
++
++/*
++ * A snprintf()-like function that:
++ * - always \0-end (unless size == 0)
++ * - returns the number of bytes actually written, including \0 ending
++ * - dies on error
++ * - warn on truncation
++ */
++static int slirp_fmt0(char *str, size_t size, const char *format, ...)
++{
++    va_list args;
++    int rv;
++
++    va_start(args, format);
++    rv = slirp_vsnprintf(str, size, format, args);
++    va_end(args);
++
++    if (rv >= size) {
++        g_critical("vsnprintf() truncation");
++        if (size > 0)
++            str[size - 1] = '\0';
++        rv = size;
++    } else {
++        rv += 1; /* include \0 */
++    }
++
++    return rv;
++}
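Review bot: In slirp_fmt() the truncation test `if (rv > size)` misses rv == size, where vsnprintf() has already dropped the last character to make room for the NUL. That call truncates without a warning and returns `size`, which counts the terminator even though the comment says it is excluded. slirp_fmt0() just below uses `rv >= size`, so the two helpers disagree. I would change the test to `if ((size_t)rv >= size) {`, which also removes the signed/unsigned comparison; rv cannot be negative here because slirp_vsnprintf() calls g_error() on failure. The comment should also say what the return value is when truncation happens.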
+-- 
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index c13d876..bd127d2 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version}                                      \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 1.5.3
-Release: 170%{?dist}
+Release: 174%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2 and GPLv2+ and CC-BY
@@ -4007,6 +4007,36 @@ Patch1974: kvm-i386-kvm-Disable-arch_capabilities-if-MSR-can-t-be-s.patch
 Patch1975: kvm-Remove-arch-capabilities-deprecation.patch
 # For bz#1714791 - [Intel 7.8 FEAT] MDS_NO exposure to guest - qemu-kvm
 Patch1976: kvm-target-i386-add-MDS-NO-feature.patch
+# For bz#1638471 - [Intel 7.8 Feat] qemu-kvm Introduce Cascade Lake (CLX) cpu model
+Patch1977: kvm-i386-Add-new-model-of-Cascadelake-Server.patch
+# For bz#1638471 - [Intel 7.8 Feat] qemu-kvm Introduce Cascade Lake (CLX) cpu model
+Patch1978: kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch
+# For bz#1638471 - [Intel 7.8 Feat] qemu-kvm Introduce Cascade Lake (CLX) cpu model
+Patch1979: kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch
+# For bz#1760607 - Corrupted EAX values due to missing brackets at CPUID[0x800000008] code
+Patch1980: kvm-Add-missing-brackets-to-CPUID-0x80000008-code.patch
+# For bz#1771961 - CVE-2019-11135 qemu-kvm: hw: TSX Transaction Asynchronous Abort (TAA) [rhel-7.8]
+Patch1981: kvm-target-i386-Export-TAA_NO-bit-to-guests.patch
+# For bz#1771961 - CVE-2019-11135 qemu-kvm: hw: TSX Transaction Asynchronous Abort (TAA) [rhel-7.8]
+Patch1982: kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch
+# For bz#1791560 - CVE-2020-7039 qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8]
+Patch1983: kvm-tcp_emu-Fix-oob-access.patch
+# For bz#1791560 - CVE-2020-7039 qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8]
+Patch1984: kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch
+# For bz#1791560 - CVE-2020-7039 qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8]
+Patch1985: kvm-slirp-use-correct-size-while-emulating-commands.patch
+# For bz#1800515 - CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.9]
+Patch1986: kvm-util-add-slirp_fmt-helpers2.patch
+# For bz#1800515 - CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.9]
+Patch1987: kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch
+# For bz#1791679 - QEMU: Slirp: disable emulation of tcp programs like ftp IRC etc. [rhel-7]
+Patch1988: kvm-slirp-disable-tcp_emu.patch
+# For bz#1802215 - Add support for newer glusterfs
+Patch1989: kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch
+# For bz#1802215 - Add support for newer glusterfs
+Patch1990: kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch
+# For bz#1618503 - qemu-kvm: Qemu: seccomp: blacklist is not applied to all threads [rhel-7]
+Patch1991: kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch
 
 
 BuildRequires: zlib-devel
@@ -6161,6 +6191,21 @@ tar -xf %{SOURCE21}
 %patch1974 -p1
 %patch1975 -p1
 %patch1976 -p1
+%patch1977 -p1
+%patch1978 -p1
+%patch1979 -p1
+%patch1980 -p1
+%patch1981 -p1
+%patch1982 -p1
+%patch1983 -p1
+%patch1984 -p1
+%patch1985 -p1
+%patch1986 -p1
+%patch1987 -p1
+%patch1988 -p1
+%patch1989 -p1
+%patch1990 -p1
+%patch1991 -p1
 
 %build
 buildarch="%{kvm_target}-softmmu"
@@ -6606,6 +6651,45 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %{_mandir}/man8/qemu-nbd.8*
 
 %changelog
+* Thu Mar 19 2020 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-174.el7
+- kvm-util-add-slirp_fmt-helpers2.patch [bz#1800515]
+- kvm-tcp_emu-fix-unsafe-snprintf-usages2.patch [bz#1800515]
+- kvm-slirp-disable-tcp_emu.patch [bz#1791679]
+- kvm-gluster-Handle-changed-glfs_ftruncate-signature.patch [bz#1802215]
+- kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch [bz#1802215]
+- kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch [bz#1618503]
+- Resolves: bz#1618503
+  (qemu-kvm: Qemu: seccomp: blacklist is not applied to all threads [rhel-7])
+- Resolves: bz#1791679
+  (QEMU: Slirp: disable emulation of tcp programs like ftp IRC etc. [rhel-7])
+- Resolves: bz#1800515
+  (CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-7.9])
+- Resolves: bz#1802215
+  (Add support for newer glusterfs)
+
+* Thu Jan 23 2020 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-173.el7
+- kvm-tcp_emu-Fix-oob-access.patch [bz#1791560]
+- kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch [bz#1791560]
+- kvm-slirp-use-correct-size-while-emulating-commands.patch [bz#1791560]
+- Resolves: bz#1791560
+  (CVE-2020-7039 qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-7.8])
+
+* Thu Dec 05 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-172.el7
+- kvm-target-i386-Export-TAA_NO-bit-to-guests.patch [bz#1771961]
+- kvm-target-i386-add-support-for-MSR_IA32_TSX_CTRL.patch [bz#1771961]
+- Resolves: bz#1771961
+  (CVE-2019-11135 qemu-kvm: hw: TSX Transaction Asynchronous Abort (TAA) [rhel-7.8])
+
+* Tue Oct 15 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-171.el7
+- kvm-i386-Add-new-model-of-Cascadelake-Server.patch [bz#1638471]
+- kvm-i386-Disable-OSPKE-on-Cascadelake-Server.patch [bz#1638471]
+- kvm-i386-remove-the-INTEL_PT-CPUID-bit-from-Cascadelake-.patch [bz#1638471]
+- kvm-Add-missing-brackets-to-CPUID-0x80000008-code.patch [bz#1760607]
+- Resolves: bz#1638471
+  ([Intel 7.8 Feat] qemu-kvm Introduce Cascade Lake (CLX) cpu model)
+- Resolves: bz#1760607
+  (Corrupted EAX values due to missing brackets at CPUID[0x800000008] code)
+
 * Wed Oct 02 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-170.el7
 - kvm-Using-ip_deq-after-m_free-might-read-pointers-from-a.patch [bz#1749735]
 - kvm-target-i386-Merge-feature-filtering-checking-functio.patch [bz#1709971]