diff --git a/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch b/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
deleted file mode 100644
index 9540f26..0000000
--- a/SOURCES/kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 75255574498fad12727529c4ecbd4ccdabe86839 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek
-Date: Wed, 5 Oct 2016 17:22:26 +0200
-Subject: [PATCH 4/8] balloon: fix segfault and harden the stats queue
-
-RH-Author: Ladi Prosek
-Message-id: <1475666548-9186-5-git-send-email-lprosek@redhat.com>
-Patchwork-id: 72483
-O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 4/6] balloon: fix segfault and harden the stats queue
-Bugzilla: 1393484
-RH-Acked-by: Paolo Bonzini
-RH-Acked-by: Michael S. Tsirkin
-RH-Acked-by: Stefan Hajnoczi
-
-The segfault here is triggered by the driver notifying the stats queue
-twice after adding a buffer to it. This effectively resets stats_vq_elem
-back to NULL and QEMU crashes on the next stats timer tick in
-balloon_stats_poll_cb.
-
-This is a regression introduced in 51b19ebe4320f3dc, although admittedly
-the device assumed too much about the stats queue protocol even before
-that commit. This commit adds a few more checks and ensures that the one
-stats buffer gets deallocated on device reset.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Ladi Prosek
-Reviewed-by: Michael S. Tsirkin
-Signed-off-by: Michael S. Tsirkin
-(cherry picked from commit 4eae2a657d1ff5ada56eb9b4966eae0eff333b0b)
-Signed-off-by: Ladi Prosek
-Signed-off-by: Miroslav Rezanina
-
-Conflicts:
- * 1.5.3 does not return pointers from virtqueue_pop so only the
- "harden the stats queue" part of the upstream patch description
- applies
- * a new field stats_vq_elem_pending is introduced to keep track
- of the state of stats_vq_elem in lieu of its nullness upstream
- * virtio_balloon_device_reset only resets stats_vq_elem_pending
- because there is nothing to free
---
- hw/virtio/virtio-balloon.c | 27 +++++++++++++++++++++++----
- include/hw/virtio/virtio-balloon.h | 1 +
- 2 files changed, 24 insertions(+), 4 deletions(-)
-
-diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
-index 016dc60..17b3029 100644
---- a/hw/virtio/virtio-balloon.c
-+++ b/hw/virtio/virtio-balloon.c
-@@ -95,13 +95,14 @@ static void balloon_stats_poll_cb(void *opaque)
- VirtIOBalloon *s = opaque;
- VirtIODevice *vdev = VIRTIO_DEVICE(s);
-
-- if (!balloon_stats_supported(s)) {
-+ if (!s->stats_vq_elem_pending || !balloon_stats_supported(s)) {
- /* re-schedule */
- balloon_stats_change_timer(s, s->stats_poll_interval);
- return;
- }
-
- virtqueue_push(s->svq, &s->stats_vq_elem, s->stats_vq_offset);
-+ s->stats_vq_elem_pending = false;
- virtio_notify(vdev, s->svq);
- }
-
-@@ -220,14 +221,22 @@ static void virtio_balloon_handle_output(VirtIODevice *vdev, VirtQueue *vq)
- static void virtio_balloon_receive_stats(VirtIODevice *vdev, VirtQueue *vq)
- {
- VirtIOBalloon *s = VIRTIO_BALLOON(vdev);
-- VirtQueueElement *elem = &s->stats_vq_elem;
-+ VirtQueueElement elem;
- VirtIOBalloonStat stat;
- size_t offset = 0;
- qemu_timeval tv;
-
-- if (!virtqueue_pop(vq, elem)) {
-+ if (!virtqueue_pop(vq, &elem)) {
- goto out;
- }
-+ if (s->stats_vq_elem_pending) {
-+ /* This should never happen if the driver follows the spec. */
-+ virtqueue_push(vq, &s->stats_vq_elem, 0);
-+ virtio_notify(vdev, vq);
-+ }
-+
-+ s->stats_vq_elem = elem;
-+ s->stats_vq_elem_pending = true;
-
- /* Initialize the stats to get rid of any stale values. This is only
- * needed to handle the case where a guest supports fewer stats than it
-@@ -235,7 +244,7 @@ static void virtio_balloon_receive_stats(VirtIODevice *vdev, VirtQueue *vq)
- */
- reset_stats(s);
-
-- while (iov_to_buf(elem->out_sg, elem->out_num, offset, &stat, sizeof(stat))
-+ while (iov_to_buf(elem.out_sg, elem.out_num, offset, &stat, sizeof(stat))
- == sizeof(stat)) {
- uint16_t tag = tswap16(stat.tag);
- uint64_t val = tswap64(stat.val);
-@@ -384,6 +393,15 @@ static void virtio_balloon_device_exit(VirtIODevice *vdev)
- virtio_cleanup(vdev);
- }
-
-+static void virtio_balloon_device_reset(VirtIODevice *vdev)
-+{
-+ VirtIOBalloon *s = VIRTIO_BALLOON(vdev);
-+
-+ if (s->stats_vq_elem_pending) {
-+ s->stats_vq_elem_pending = false;
-+ }
-+}
-+
- static Property virtio_balloon_properties[] = {
- DEFINE_PROP_END_OF_LIST(),
- };
-@@ -396,6 +414,7 @@ static void virtio_balloon_class_init(ObjectClass *klass, void *data)
- set_bit(DEVICE_CATEGORY_MISC, dc->categories);
- vdc->init = virtio_balloon_device_init;
- vdc->exit = virtio_balloon_device_exit;
-+ vdc->reset = virtio_balloon_device_reset;
- vdc->get_config = virtio_balloon_get_config;
- vdc->set_config = virtio_balloon_set_config;
- vdc->get_features = virtio_balloon_get_features;
-diff --git a/include/hw/virtio/virtio-balloon.h b/include/hw/virtio/virtio-balloon.h
-index f863bfe..a84736b 100644
---- a/include/hw/virtio/virtio-balloon.h
-+++ b/include/hw/virtio/virtio-balloon.h
-@@ -63,6 +63,7 @@ typedef struct VirtIOBalloon {
- uint32_t actual;
- uint64_t stats[VIRTIO_BALLOON_S_NR];
- VirtQueueElement stats_vq_elem;
-+ bool stats_vq_elem_pending;
- size_t stats_vq_offset;
- QEMUTimer *stats_timer;
- int64_t stats_last_update;
---
-1.8.3.1
-
diff --git a/SOURCES/kvm-net-check-packet-payload-length.patch b/SOURCES/kvm-net-check-packet-payload-length.patch
deleted file mode 100644
index 5ef1070..0000000
--- a/SOURCES/kvm-net-check-packet-payload-length.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 6d126da8f958c57413a4505d98cb4a3ff48cbbfe Mon Sep 17 00:00:00 2001
-From: "wexu@redhat.com"
-Date: Wed, 21 Dec 2016 06:04:24 +0100
-Subject: [PATCH] net: check packet payload length
-
-RH-Author: wexu@redhat.com
-Message-id: <1482300264-29708-2-git-send-email-wexu@redhat.com>
-Patchwork-id: 73088
-O-Subject: [RHEL-7.4/7.3.z qemu-kvm Patch v2] net: check packet payload length
-Bugzilla: 1398217
-RH-Acked-by: Laurent Vivier
-RH-Acked-by: Michael S. Tsirkin
-RH-Acked-by: Stefan Hajnoczi
-
-From: Prasad J Pandit
-
-While computing IP checksum, 'net_checksum_calculate' reads
-payload length from the packet. It could exceed the given 'data'
-buffer size. Add a check to avoid it.
-
-This patch is to fix CVE-2016-2857.
-https://access.redhat.com/security/cve/CVE-2016-2857
-
-Reported-by: Liu Ling
-Signed-off-by: Prasad J Pandit
-Signed-off-by: Jason Wang
-(cherry picked from commit 362786f14a753d8a5256ef97d7c10ed576d6572b)
-Signed-off-by: Wei Xu
-Signed-off-by: Miroslav Rezanina
---
- net/checksum.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/net/checksum.c b/net/checksum.c
-index 14c0855..0942437 100644
---- a/net/checksum.c
-+++ b/net/checksum.c
-@@ -59,6 +59,11 @@ void net_checksum_calculate(uint8_t *data, int length)
- int hlen, plen, proto, csum_offset;
- uint16_t csum;
-
-+ /* Ensure data has complete L2 & L3 headers. */
-+ if (length < 14 + 20) {
-+ return;
-+ }
-+
- if ((data[14] & 0xf0) != 0x40)
- return; /* not IPv4 */
- hlen = (data[14] & 0x0f) * 4;
-@@ -76,8 +81,9 @@ void net_checksum_calculate(uint8_t *data, int length)
- return;
- }
-
-- if (plen < csum_offset+2)
-- return;
-+ if (plen < csum_offset + 2 || 14 + hlen + plen > length) {
-+ return;
-+ }
-
- data[14+hlen+csum_offset] = 0;
- data[14+hlen+csum_offset+1] = 0;
---
-1.8.3.1
-
diff --git a/SOURCES/kvm-virtio-add-virtqueue_rewind.patch b/SOURCES/kvm-virtio-add-virtqueue_rewind.patch
deleted file mode 100644
index 1915e93..0000000
--- a/SOURCES/kvm-virtio-add-virtqueue_rewind.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From f7d6a76475d29e0edb5456e62492117b87f4bc41 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek
-Date: Thu, 10 Nov 2016 23:00:50 +0100
-Subject: [PATCH 7/8] virtio: add virtqueue_rewind()
-
-RH-Author: Ladi Prosek
-Message-id: <1478797251-10302-1-git-send-email-lprosek@redhat.com>
-Patchwork-id: 72818
-O-Subject: [PATCH v2 7/6] virtio: add virtqueue_rewind()
-Bugzilla: 1393484
-RH-Acked-by: Paolo Bonzini
-RH-Acked-by: Michael S. Tsirkin
-RH-Acked-by: Miroslav Rezanina
-
-From: Stefan Hajnoczi
-
-virtqueue_discard() requires a VirtQueueElement but virtio-balloon does
-not migrate its in-use element. Introduce a new function that is
-similar to virtqueue_discard() but doesn't require a VirtQueueElement.
-
-This will allow virtio-balloon to access element again after migration
-with the usual proviso that the guest may have modified the vring since
-last time.
-
-Cc: Michael S. Tsirkin
-Cc: Roman Kagan
-Cc: Stefan Hajnoczi
-Signed-off-by: Ladi Prosek
-Reviewed-by: Michael S. Tsirkin
-Signed-off-by: Michael S. Tsirkin
-(cherry picked from commit 297a75e6c55d91db2704a3d6e4029d99c7df51fd)
-Signed-off-by: Ladi Prosek
-Signed-off-by: Miroslav Rezanina
---
- hw/virtio/virtio.c | 22 ++++++++++++++++++++++
- include/hw/virtio/virtio.h | 1 +
- 2 files changed, 23 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index cdb21b1..fe6b032 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -259,6 +259,28 @@ void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
- virtqueue_unmap_sg(vq, elem, len);
- }
-
-+/* virtqueue_rewind:
-+ * @vq: The #VirtQueue
-+ * @num: Number of elements to push back
-+ *
-+ * Pretend that elements weren't popped from the virtqueue. The next
-+ * virtqueue_pop() will refetch the oldest element.
-+ *
-+ * Use virtqueue_discard() instead if you have a VirtQueueElement.
-+ *
-+ * Returns: true on success, false if @num is greater than the number of in use
-+ * elements.
-+ */
-+bool virtqueue_rewind(VirtQueue *vq, unsigned int num)
-+{
-+ if (num > vq->inuse) {
-+ return false;
-+ }
-+ vq->last_avail_idx -= num;
-+ vq->inuse -= num;
-+ return true;
-+}
-+
- void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
- unsigned int len, unsigned int idx)
- {
-diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
-index de32425..d9bfe4c 100644
---- a/include/hw/virtio/virtio.h
-+++ b/include/hw/virtio/virtio.h
-@@ -167,6 +167,7 @@ void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem,
- void virtqueue_flush(VirtQueue *vq, unsigned int count);
- void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
- unsigned int len);
-+bool virtqueue_rewind(VirtQueue *vq, unsigned int num);
- void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
- unsigned int len, unsigned int idx);
-
---
-1.8.3.1
-
diff --git a/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch b/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch
deleted file mode 100644
index a076d4e..0000000
--- a/SOURCES/kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From a1c91f04449eea0e678aeef78914213f092b7a19 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek
-Date: Wed, 5 Oct 2016 17:22:27 +0200
-Subject: [PATCH 5/8] virtio-balloon: discard virtqueue element on reset
-
-RH-Author: Ladi Prosek
-Message-id: <1475666548-9186-6-git-send-email-lprosek@redhat.com>
-Patchwork-id: 72484
-O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 5/6] virtio-balloon: discard virtqueue element on reset
-Bugzilla: 1393484
-RH-Acked-by: Paolo Bonzini
-RH-Acked-by: Michael S. Tsirkin
-RH-Acked-by: Stefan Hajnoczi
-
-The one pending element is being freed but not discarded on device
-reset, which causes svq->inuse to creep up, eventually hitting the
-"Virtqueue size exceeded" error.
-
-Properly discarding the element on device reset makes sure that its
-buffers are unmapped and the inuse counter stays balanced.
-
-Cc: Michael S. Tsirkin
-Cc: Roman Kagan
-Cc: Stefan Hajnoczi
-Signed-off-by: Ladi Prosek
-Reviewed-by: Stefan Hajnoczi
-Reviewed-by: Michael S. Tsirkin
-Signed-off-by: Michael S. Tsirkin
-(cherry picked from commit 104e70cae78bd4afd95d948c6aff188f10508a9c)
-Signed-off-by: Ladi Prosek
-Signed-off-by: Miroslav Rezanina
-
-Conflicts:
- * s->stats_vq_elem => &s->stats_vq_elem because the field is not
- s pointer in 1.5.3
---
- hw/virtio/virtio-balloon.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
-index 17b3029..faf93f7 100644
---- a/hw/virtio/virtio-balloon.c
-+++ b/hw/virtio/virtio-balloon.c
-@@ -398,6 +398,7 @@ static void virtio_balloon_device_reset(VirtIODevice *vdev)
- VirtIOBalloon *s = VIRTIO_BALLOON(vdev);
-
- if (s->stats_vq_elem_pending) {
-+ virtqueue_discard(s->svq, &s->stats_vq_elem, 0);
- s->stats_vq_elem_pending = false;
- }
- }
---
-1.8.3.1
-
diff --git a/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch b/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch
deleted file mode 100644
index bd3b2e7..0000000
--- a/SOURCES/kvm-virtio-balloon-fix-stats-vq-migration.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 6d5c0e0e98907244d72e7828337d7ff6160b6b80 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek
-Date: Thu, 10 Nov 2016 23:00:51 +0100
-Subject: [PATCH 8/8] virtio-balloon: fix stats vq migration
-
-RH-Author: Ladi Prosek
-Message-id: <1478797251-10302-2-git-send-email-lprosek@redhat.com>
-Patchwork-id: 72819
-O-Subject: [PATCH v2 8/6] virtio-balloon: fix stats vq migration
-Bugzilla: 1393484
-RH-Acked-by: Paolo Bonzini
-RH-Acked-by: Michael S. Tsirkin
-RH-Acked-by: Miroslav Rezanina
-
-The statistics virtqueue is not migrated properly because virtio-balloon
-does not include s->stats_vq_elem in the migration stream.
-
-After migration the statistics virtqueue hangs because the host never
-completes the last element (s->stats_vq_elem is NULL on the destination
-QEMU). Therefore the guest never submits new elements and the virtqueue
-is hung.
-
-Instead of changing the migration stream format in an incompatible way,
-detect the migration case and rewind the virtqueue so the last element
-can be completed.
-
-Cc: Michael S. Tsirkin
-Cc: Roman Kagan
-Cc: Stefan Hajnoczi
-Suggested-by: Roman Kagan
-Signed-off-by: Ladi Prosek
-Reviewed-by: Stefan Hajnoczi
-Reviewed-by: Michael S. Tsirkin
-Signed-off-by: Michael S. Tsirkin
-(cherry picked from commit 4a1e48becab81020adfb74b22c76a595f2d02a01)
-Signed-off-by: Ladi Prosek
-Signed-off-by: Miroslav Rezanina
---
- hw/virtio/virtio-balloon.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/hw/virtio/virtio-balloon.c b/hw/virtio/virtio-balloon.c
-index faf93f7..1a60d3c 100644
---- a/hw/virtio/virtio-balloon.c
-+++ b/hw/virtio/virtio-balloon.c
-@@ -403,6 +403,18 @@ static void virtio_balloon_device_reset(VirtIODevice *vdev)
- }
- }
-
-+static void virtio_balloon_set_status(VirtIODevice *vdev, uint8_t status)
-+{
-+ VirtIOBalloon *s = VIRTIO_BALLOON(vdev);
-+
-+ if (!s->stats_vq_elem_pending && vdev->vm_running &&
-+ (status & VIRTIO_CONFIG_S_DRIVER_OK) && virtqueue_rewind(s->svq, 1)) {
-+ /* poll stats queue for the element we have discarded when the VM
-+ * was stopped */
-+ virtio_balloon_receive_stats(vdev, s->svq);
-+ }
-+}
-+
- static Property virtio_balloon_properties[] = {
- DEFINE_PROP_END_OF_LIST(),
- };
-@@ -419,6 +431,7 @@ static void virtio_balloon_class_init(ObjectClass *klass, void *data)
- vdc->get_config = virtio_balloon_get_config;
- vdc->set_config = virtio_balloon_set_config;
- vdc->get_features = virtio_balloon_get_features;
-+ vdc->set_status = virtio_balloon_set_status;
- }
-
- static const TypeInfo virtio_balloon_info = {
---
-1.8.3.1
-
diff --git a/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch b/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
deleted file mode 100644
index 1822127..0000000
--- a/SOURCES/kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From c24e1c927bad95d84e0ffab665baff98d91fb916 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek
-Date: Wed, 5 Oct 2016 17:22:25 +0200
-Subject: [PATCH 3/8] virtio: decrement vq->inuse in virtqueue_discard()
-
-RH-Author: Ladi Prosek
-Message-id: <1475666548-9186-4-git-send-email-lprosek@redhat.com>
-Patchwork-id: 72482
-O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 3/6] virtio: decrement vq->inuse in virtqueue_discard()
-Bugzilla: 1393484
-RH-Acked-by: Paolo Bonzini
-RH-Acked-by: Michael S. Tsirkin
-RH-Acked-by: Stefan Hajnoczi
-
-From: Stefan Hajnoczi
-
-virtqueue_discard() moves vq->last_avail_idx back so the element can be
-popped again. It's necessary to decrement vq->inuse to avoid "leaking"
-the element count.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Stefan Hajnoczi
-Reviewed-by: Michael S. Tsirkin
-Reviewed-by: Cornelia Huck
-Reviewed-by: Michael S. Tsirkin
-Signed-off-by: Michael S. Tsirkin
-(cherry picked from commit 58a83c61496eeb0d31571a07a51bc1947e3379ac)
-Signed-off-by: Ladi Prosek
-Signed-off-by: Miroslav Rezanina
---
- hw/virtio/virtio.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 91c9642..87a7639 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -255,6 +255,7 @@ void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
- unsigned int len)
- {
- vq->last_avail_idx--;
-+ vq->inuse--;
- virtqueue_unmap_sg(vq, elem, len);
- }
-
---
-1.8.3.1
-
diff --git a/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch b/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch
deleted file mode 100644
index 8f233c6..0000000
--- a/SOURCES/kvm-virtio-introduce-virtqueue_discard.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From b5c6f7a910c5c16ac34ef2436d0a56991e0166e3 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek
-Date: Wed, 5 Oct 2016 17:22:24 +0200
-Subject: [PATCH 2/8] virtio: introduce virtqueue_discard()
-
-RH-Author: Ladi Prosek
-Message-id: <1475666548-9186-3-git-send-email-lprosek@redhat.com>
-Patchwork-id: 72481
-O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 2/6] virtio: introduce virtqueue_discard()
-Bugzilla: 1393484
-RH-Acked-by: Paolo Bonzini
-RH-Acked-by: Michael S. Tsirkin
-RH-Acked-by: Stefan Hajnoczi
-
-From: Jason Wang
-
-This patch introduces virtqueue_discard() to discard a descriptor and
-unmap the sgs. This will be used by the patch that will discard
-descriptor when packet is truncated.
-
-Cc: Michael S. Tsirkin
-Signed-off-by: Jason Wang
-Reviewed-by: Michael S. Tsirkin
-Signed-off-by: Michael S. Tsirkin
-(cherry picked from commit 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade)
-Signed-off-by: Ladi Prosek
-Signed-off-by: Miroslav Rezanina
---
- hw/virtio/virtio.c | 7 +++++++
- include/hw/virtio/virtio.h | 2 ++
- 2 files changed, 9 insertions(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 5ee899a..91c9642 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -251,6 +251,13 @@ static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
- 0, elem->out_sg[i].iov_len);
- }
-
-+void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
-+ unsigned int len)
-+{
-+ vq->last_avail_idx--;
-+ virtqueue_unmap_sg(vq, elem, len);
-+}
-+
- void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
- unsigned int len, unsigned int idx)
- {
-diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
-index 9e22865..de32425 100644
---- a/include/hw/virtio/virtio.h
-+++ b/include/hw/virtio/virtio.h
-@@ -165,6 +165,8 @@ void virtio_del_queue(VirtIODevice *vdev, int n);
- void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem,
- unsigned int len);
- void virtqueue_flush(VirtQueue *vq, unsigned int count);
-+void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
-+ unsigned int len);
- void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
- unsigned int len, unsigned int idx);
-
---
-1.8.3.1
-
diff --git a/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch b/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch
deleted file mode 100644
index 77d40c9..0000000
--- a/SOURCES/kvm-virtio-introduce-virtqueue_unmap_sg.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From fc6f666f00182fe587068bd45e4e9e6d135d03fb Mon Sep 17 00:00:00 2001
-From: Ladi Prosek
-Date: Wed, 5 Oct 2016 17:22:23 +0200
-Subject: [PATCH 1/8] virtio: introduce virtqueue_unmap_sg()
-
-RH-Author: Ladi Prosek
-Message-id: <1475666548-9186-2-git-send-email-lprosek@redhat.com>
-Patchwork-id: 72480
-O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 1/6] virtio: introduce virtqueue_unmap_sg()
-Bugzilla: 1393484
-RH-Acked-by: Paolo Bonzini
-RH-Acked-by: Michael S. Tsirkin
-RH-Acked-by: Stefan Hajnoczi
-
-From: Jason Wang
-
-Factor out sg unmapping logic. This will be reused by the patch that
-can discard descriptor.
-
-Cc: Michael S. Tsirkin
-Cc: Andrew James
-Signed-off-by: Jason Wang
-Reviewed-by: Michael S. Tsirkin
-Signed-off-by: Michael S. Tsirkin
-(cherry picked from commit ce317461573bac12b10d67699b4ddf1f97cf066c)
-Signed-off-by: Ladi Prosek
-Signed-off-by: Miroslav Rezanina
---
- hw/virtio/virtio.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 0df4ed3..5ee899a 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -228,14 +228,12 @@ int virtio_queue_empty(VirtQueue *vq)
- return vring_avail_idx(vq) == vq->last_avail_idx;
- }
-
--void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
-- unsigned int len, unsigned int idx)
-+static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
-+ unsigned int len)
- {
- unsigned int offset;
- int i;
-
-- trace_virtqueue_fill(vq, elem, len, idx);
--
- offset = 0;
- for (i = 0; i < elem->in_num; i++) {
- size_t size = MIN(len - offset, elem->in_sg[i].iov_len);
-@@ -251,6 +249,14 @@ void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
- cpu_physical_memory_unmap(elem->out_sg[i].iov_base,
- elem->out_sg[i].iov_len,
- 0, elem->out_sg[i].iov_len);
-+}
-+
-+void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
-+ unsigned int len, unsigned int idx)
-+{
-+ trace_virtqueue_fill(vq, elem, len, idx);
-+
-+ virtqueue_unmap_sg(vq, elem, len);
-
- idx = (idx + vring_used_idx(vq)) % vq->vring.num;
-
---
-1.8.3.1
-
diff --git a/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch b/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch
deleted file mode 100644
index e231a0a..0000000
--- a/SOURCES/kvm-virtio-zero-vq-inuse-in-virtio_reset.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From e3e5226d8ed3907bb818eb8db74175c08c011459 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek
-Date: Wed, 5 Oct 2016 17:22:28 +0200
-Subject: [PATCH 6/8] virtio: zero vq->inuse in virtio_reset()
-
-RH-Author: Ladi Prosek
-Message-id: <1475666548-9186-7-git-send-email-lprosek@redhat.com>
-Patchwork-id: 72485
-O-Subject: [RHEL-7.4 qemu-kvm v2 PATCH 6/6] virtio: zero vq->inuse in virtio_reset()
-Bugzilla: 1393484
-RH-Acked-by: Paolo Bonzini
-RH-Acked-by: Michael S. Tsirkin
-RH-Acked-by: Stefan Hajnoczi
-
-From: Stefan Hajnoczi
-
-vq->inuse must be zeroed upon device reset like most other virtqueue
-fields.
-
-In theory, virtio_reset() just needs assert(vq->inuse == 0) since
-devices must clean up in-flight requests during reset (requests cannot
-not be leaked!).
-
-In practice, it is difficult to achieve vq->inuse == 0 across reset
-because balloon, blk, 9p, etc implement various different strategies for
-cleaning up requests. Most devices call g_free(elem) directly without
-telling virtio.c that the VirtQueueElement is cleaned up. Therefore
-vq->inuse is not decremented during reset.
-
-This patch zeroes vq->inuse and trusts that devices are not leaking
-VirtQueueElements across reset.
-
-I will send a follow-up series that refactors request life-cycle across
-all devices and converts vq->inuse = 0 into assert(vq->inuse == 0) but
-this more invasive approach is not appropriate for stable trees.
-
-Signed-off-by: Stefan Hajnoczi
-Cc: qemu-stable
-Reviewed-by: Michael S. Tsirkin
-Signed-off-by: Michael S. Tsirkin
-Reviewed-by: Ladi Prosek
-(cherry picked from commit 4b7f91ed0270a371e1933efa21ba600b6da23ab9)
-Signed-off-by: Ladi Prosek
-Signed-off-by: Miroslav Rezanina
---
- hw/virtio/virtio.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 87a7639..cdb21b1 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -585,6 +585,7 @@ void virtio_reset(void *opaque)
- vdev->vq[i].signalled_used = 0;
- vdev->vq[i].signalled_used_valid = false;
- vdev->vq[i].notification = true;
-+ vdev->vq[i].inuse = 0;
- }
- }
-
---
-1.8.3.1
-
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 490bffe..0d88afb 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \
 Summary: QEMU is a FAST! processor emulator
 Name: %{pkgname}%{?pkgsuffix}
 Version: 1.5.3
-Release: 126%{?dist}.3
+Release: 126%{?dist}.1
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2+ and LGPLv2+ and BSD
@@ -3392,24 +3392,6 @@ Patch1666: kvm-virtio-recalculate-vq-inuse-after-migration.patch
 Patch1667: kvm-ide-fix-halted-IO-segfault-at-reset.patch
 # For bz#1392027 - shutdown rhel 5.11 guest failed and stop at "system halted"
 Patch1668: kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1669: kvm-virtio-introduce-virtqueue_unmap_sg.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1670: kvm-virtio-introduce-virtqueue_discard.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1671: kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1672: kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1673: kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1674: kvm-virtio-zero-vq-inuse-in-virtio_reset.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1675: kvm-virtio-add-virtqueue_rewind.patch
-# For bz#1393484 - [RHEL7.3] KVM guest shuts itself down after 128th reboot
-Patch1676: kvm-virtio-balloon-fix-stats-vq-migration.patch
-# For bz#1398217 - CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.3.z]
-Patch1677: kvm-net-check-packet-payload-length.patch
 
 BuildRequires: zlib-devel
 
@@ -5258,15 +5240,6 @@ cp %{SOURCE18} pc-bios # keep "make check" happy
 %patch1666 -p1
 %patch1667 -p1
 %patch1668 -p1
-%patch1669 -p1
-%patch1670 -p1
-%patch1671 -p1
-%patch1672 -p1
-%patch1673 -p1
-%patch1674 -p1
-%patch1675 -p1
-%patch1676 -p1
-%patch1677 -p1
 
 %build
 buildarch="%{kvm_target}-softmmu"
@@ -5712,23 +5685,6 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %{_mandir}/man8/qemu-nbd.8*
 
 %changelog
-* Wed Jan 04 2017 Miroslav Rezanina - 1.5.3-126.el7_3.3
-- kvm-net-check-packet-payload-length.patch [bz#1398217]
-- Resolves: bz#1398217
- (CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate() [rhel-7.3.z])
-
-* Thu Nov 24 2016 Miroslav Rezanina - 1.5.3-126.el7_3.2
-- kvm-virtio-introduce-virtqueue_unmap_sg.patch [bz#1393484]
-- kvm-virtio-introduce-virtqueue_discard.patch [bz#1393484]
-- kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch [bz#1393484]
-- kvm-balloon-fix-segfault-and-harden-the-stats-queue.patch [bz#1393484]
-- kvm-virtio-balloon-discard-virtqueue-element-on-reset.patch [bz#1393484]
-- kvm-virtio-zero-vq-inuse-in-virtio_reset.patch [bz#1393484]
-- kvm-virtio-add-virtqueue_rewind.patch [bz#1393484]
-- kvm-virtio-balloon-fix-stats-vq-migration.patch [bz#1393484]
-- Resolves: bz#1393484
- ([RHEL7.3] KVM guest shuts itself down after 128th reboot)
-
 * Fri Nov 11 2016 Miroslav Rezanina - 1.5.3-126.el7_3.1
 - kvm-ide-fix-halted-IO-segfault-at-reset.patch [bz#1393042]
 - kvm-hw-i386-regenerate-checked-in-AML-payload-RHEL-only.patch [bz#1392027]