+++ /dev/null
-From: Greg Kurz <groug@kaod.org>
-Date: Thu, 14 Jan 2021 17:04:12 +0100
-Subject: 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
-
-Git-commit: 89fbea8737e8f7b954745a1ffc4238d377055305
-References: bsc#1182137
-
-Depending on the client activity, the server can be asked to open a huge
-number of file descriptors and eventually hit RLIMIT_NOFILE. This is
-currently mitigated using a reclaim logic : the server closes the file
-descriptors of idle fids, based on the assumption that it will be able
-to re-open them later. This assumption doesn't hold of course if the
-client requests the file to be unlinked. In this case, we loop on the
-entire fid list and mark all related fids as unreclaimable (the reclaim
-logic will just ignore them) and, of course, we open or re-open their
-file descriptors if needed since we're about to unlink the file.
-
-This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
-opening of a file can cause the coroutine to yield, another client
-request could possibly add a new fid that we may want to mark as
-non-reclaimable as well. The loop is thus restarted if the re-open
-request was actually transmitted to the backend. This is achieved
-by keeping a reference on the first fid (head) before traversing
-the list.
-
-This is wrong in several ways:
-- a potential clunk request from the client could tear the first
- fid down and cause the reference to be stale. This leads to a
- use-after-free error that can be detected with ASAN, using a
- custom 9p client
-- fids are added at the head of the list : restarting from the
- previous head will always miss fids added by a some other
- potential request
-
-All these problems could be avoided if fids were being added at the
-end of the list. This can be achieved with a QSIMPLEQ, but this is
-probably too much change for a bug fix. For now let's keep it
-simple and just restart the loop from the current head.
-
-Fixes: CVE-2021-20181
-Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
-Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
-Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
-Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
-Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/9pfs/9p.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 37e43d3f853afe4653afbec00964..7bcf27367fa02755304da6499503 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
- {
- int err;
- V9fsState *s = pdu->s;
-- V9fsFidState *fidp, head_fid;
-+ V9fsFidState *fidp;
-
-- head_fid.next = s->fid_list;
-+again:
- for (fidp = s->fid_list; fidp; fidp = fidp->next) {
- if (fidp->path.size != path->size) {
- continue;
-@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
- * switched to the worker thread
- */
- if (err == 0) {
-- fidp = &head_fid;
-+ goto again;
- }
- }
- }
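Review bot: The `goto again` under `if (err == 0)` restarts the walk from `s->fid_list` with nothing in the visible lines that bounds the number of restarts, so termination depends on a fid that was just reopened not taking the `err == 0` branch again on the next pass. Please state that invariant in a comment at the `again:` label, and mention that the walk is now quadratic in the number of fids matching `path`, a number that is driven by client activity.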
+++ /dev/null
-From: Alexander Graf <agraf@suse.de>
-Date: Wed, 14 Jan 2015 01:32:11 +0100
-Subject: AIO: Reduce number of threads for 32bit hosts
-
-On hosts with limited virtual address space (32bit pointers), we can very
-easily run out of virtual memory with big thread pools.
-
-Instead, we should limit ourselves to small pools to keep memory footprint
-low on those systems.
-
-This patch fixes random VM stalls like
-
- (process:25114): GLib-ERROR **: gmem.c:103: failed to allocate 1048576 bytes
-
-on 32bit ARM systems for me.
-
-Signed-off-by: Alexander Graf <agraf@suse.de>
----
- util/thread-pool.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/util/thread-pool.c b/util/thread-pool.c
-index 4ed9b89ab2d9c4e6d805ea47c2b2..697c989885ca8aa4dd1185b780df 100644
---- a/util/thread-pool.c
-+++ b/util/thread-pool.c
-@@ -307,7 +307,12 @@ static void thread_pool_init_one(ThreadPool *pool, AioContext *ctx)
- qemu_mutex_init(&pool->lock);
- qemu_cond_init(&pool->worker_stopped);
- qemu_sem_init(&pool->sem, 0);
-- pool->max_threads = 64;
-+ if (sizeof(pool) == 4) {
-+ /* 32bit systems run out of virtual memory quickly */
-+ pool->max_threads = 4;
-+ } else {
-+ pool->max_threads = 64;
-+ }
- pool->new_thread_bh = aio_bh_new(ctx, spawn_thread_bh_fn, pool);
-
- QLIST_INIT(&pool->head);
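Review bot: `sizeof(pool) == 4` in the new `if` measures the `ThreadPool *` pointer rather than the structure, which is what a 32-bit test needs but reads like a mistake; `sizeof(void *) == 4` would state the intent. The limits 4 and 64 would also be easier to tune as named constants, and the comment could say what runs out, given that the commit message cites a failed 1048576-byte allocation.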
+++ /dev/null
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Fri, 4 Jun 2021 15:58:25 +0400
-Subject: Add mtod_check()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17
-References: bsc#1187364, CVE-2021-3592
- bsc#1187367, CVE-2021-3594
-
-Recent security issues demonstrate the lack of safety care when casting
-a mbuf to a particular structure type. At least, it should check that
-the buffer is large enough. The following patches will make use of this
-function.
-
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- src/mbuf.c | 11 +++++++++++
- src/mbuf.h | 1 +
- 2 files changed, 12 insertions(+)
-
-diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c
-index 54ec721eb5eb0247b19679cd8265..cb2e971083a9d30e25552ee91f29 100644
---- a/slirp/src/mbuf.c
-+++ b/slirp/src/mbuf.c
-@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat)
-
- return (struct mbuf *)0;
- }
-+
-+void *mtod_check(struct mbuf *m, size_t len)
-+{
-+ if (m->m_len >= len) {
-+ return m->m_data;
-+ }
-+
-+ DEBUG_ERROR("mtod failed");
-+
-+ return NULL;
-+}
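Review bot: `m->m_len >= len` in `mtod_check()` compares the mbuf length against a `size_t`; if `m_len` is a signed type, as the `int` length parameters of the neighbouring `m_inc()` and `m_adj()` prototypes suggest, a negative `m_len` converts to a large unsigned value and passes the check. Reject `m_len < 0` before the comparison, and include both lengths in the `DEBUG_ERROR("mtod failed")` message so a rejected packet can be diagnosed.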
-diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h
-index 546e7852c54583d3e22b1a0d84cf..2015e3232f1b7840dc14d1c6bdb3 100644
---- a/slirp/src/mbuf.h
-+++ b/slirp/src/mbuf.h
-@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int);
- void m_adj(struct mbuf *, int);
- int m_copy(struct mbuf *, struct mbuf *, int, int);
- struct mbuf *dtom(Slirp *, void *);
-+void *mtod_check(struct mbuf *, size_t len);
-
- static inline void ifs_init(struct mbuf *ifm)
- {
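Review bot: The `mtod_check()` prototype carries no comment saying that it returns NULL when the mbuf holds fewer than `len` bytes, and because the return type is `void *` a caller can assign the result to a structure pointer and dereference it with no diagnostic. Document the NULL return next to the declaration. Naming the parameter (`size_t len`) while the other prototypes here leave theirs unnamed is a minor inconsistency.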
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Wed, 23 Jan 2019 20:23:01 -0700
-Subject: Conditionalize ui bitmap installation better
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- Makefile | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/Makefile b/Makefile
-index 52881cbb12e7d980e0ed51f21174..edc3de72e6a94ef0503da640bbfe 100644
---- a/Makefile
-+++ b/Makefile
-@@ -913,6 +913,7 @@ ifneq ($(DESCS),)
- "$(DESTDIR)$(qemu_datadir)/firmware/$$x"; \
- done
- endif
-+ifneq ($(or $(CONFIG_GTK),$(CONFIG_SDL)),)
- for s in $(ICON_SIZES); do \
- mkdir -p "$(DESTDIR)$(qemu_icondir)/hicolor/$${s}/apps"; \
- $(INSTALL_DATA) $(SRC_PATH)/ui/icons/qemu_$${s}.png \
-@@ -927,6 +928,7 @@ endif
- mkdir -p "$(DESTDIR)$(qemu_desktopdir)"
- $(INSTALL_DATA) $(SRC_PATH)/ui/qemu.desktop \
- "$(DESTDIR)$(qemu_desktopdir)/qemu.desktop"
-+endif
- ifdef CONFIG_GTK
- $(MAKE) -C po $@
- endif
+++ /dev/null
-From: Michael Brown <mcb30@ipxe.org>
-Date: Mon, 22 Jul 2019 14:51:28 +0100
-Subject: Do not apply WORKAROUND_CFLAGS for host compiler
-
-Git-commit: a4f8c6e31f6c62522cfc633bbbffa81b22f9d6f3
-Include-If: %ifarch aarch64
-
-The WORKAROUND_CFLAGS list is constructed based on running tests on
-the target compiler, and the results may not be valid for the host
-compiler.
-
-The only relevant workaround required for the host compiler is
--Wno-stringop-truncation, which is needed to avoid a spurious compiler
-warning for a totally correct usage of strncpy() in util/elf2efi.c.
-
-Duplicating the workaround tests for the host compiler is messy, as is
-conditionally applying __attribute__((nonstring)). Fix instead by
-disapplying WORKAROUND_CFLAGS for the host compiler, and using
-memcpy() with an explicitly calculated length instead of strncpy() in
-util/elf2efi.c.
-
-Reported-by: Ignat Korchagin <ignat@cloudflare.com>
-Reported-by: Christopher Clark <christopher.w.clark@gmail.com>
-Signed-off-by: Michael Brown <mcb30@ipxe.org>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- src/Makefile.housekeeping | 2 +-
- src/util/elf2efi.c | 6 +++++-
- 2 files changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping
-index e5f6927de889167d286ccfcdda92..1ddbddd247d9929d63b1654d7206 100644
---- a/roms/ipxe/src/Makefile.housekeeping
-+++ b/roms/ipxe/src/Makefile.housekeeping
-@@ -454,7 +454,7 @@ endif
- CFLAGS += $(WORKAROUND_CFLAGS) $(EXTRA_CFLAGS)
- ASFLAGS += $(WORKAROUND_ASFLAGS) $(EXTRA_ASFLAGS)
- LDFLAGS += $(WORKAROUND_LDFLAGS) $(EXTRA_LDFLAGS)
--HOST_CFLAGS += $(WORKAROUND_CFLAGS) -O2 -g
-+HOST_CFLAGS += -O2 -g
-
- # Inhibit -Werror if NO_WERROR is specified on make command line
- #
-diff --git a/roms/ipxe/src/util/elf2efi.c b/roms/ipxe/src/util/elf2efi.c
-index 2c5b9df8aae853bfce4d5d3bae89..bcd53c9afda7880d42ec80c07f17 100644
---- a/roms/ipxe/src/util/elf2efi.c
-+++ b/roms/ipxe/src/util/elf2efi.c
-@@ -458,6 +458,7 @@ static struct pe_section * process_section ( struct elf_file *elf,
- struct pe_header *pe_header ) {
- struct pe_section *new;
- const char *name;
-+ size_t name_len;
- size_t section_memsz;
- size_t section_filesz;
- unsigned long code_start;
-@@ -494,7 +495,10 @@ static struct pe_section * process_section ( struct elf_file *elf,
- memset ( new, 0, sizeof ( *new ) + section_filesz );
-
- /* Fill in section header details */
-- strncpy ( ( char * ) new->hdr.Name, name, sizeof ( new->hdr.Name ) );
-+ name_len = strlen ( name );
-+ if ( name_len > sizeof ( new->hdr.Name ) )
-+ name_len = sizeof ( new->hdr.Name );
-+ memcpy ( new->hdr.Name, name, name_len );
- new->hdr.Misc.VirtualSize = section_memsz;
- new->hdr.VirtualAddress = shdr->sh_addr;
- new->hdr.SizeOfRawData = section_filesz;
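Review bot: The `memcpy ( new->hdr.Name, name, name_len )` replacement writes no padding itself and relies on the `memset ( new, 0, ... )` a few lines above to zero the rest of `hdr.Name`; a one-line comment saying so would keep a later reordering from leaving stale bytes in the field. A name longer than `sizeof ( new->hdr.Name )` is still truncated silently, as it was with `strncpy()`, so a warning on truncation could be considered.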
+++ /dev/null
-From: Ralf Haferkamp <rhafer@suse.com>
-Date: Fri, 3 Jul 2020 14:51:16 +0200
-Subject: Drop bogus IPv6 messages
-
-Git-commit: c7ede54cbd2e2b25385325600958ba0124e31cc0
-References: bsc#1172380 CVE-2020-10756
-
-Drop IPv6 message shorter than what's mentioned in the payload
-length header (+ the size of the IPv6 header). They're invalid an could
-lead to data leakage in icmp6_send_echoreply().
-
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- src/ip6_input.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
-index dfcbfd6a78a8f78e45f89427f5a5..d88d1ab92355eda0f83970ba7f3b 100644
---- a/slirp/src/ip6_input.c
-+++ b/slirp/src/ip6_input.c
-@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
- goto bad;
- }
-
-+ // Check if the message size is big enough to hold what's
-+ // set in the payload length header. If not this is an invalid
-+ // packet
-+ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
-+ goto bad;
-+ }
-+
- /* check ip_ttl for a correct ICMP reply */
- if (ip6->ip_hl == 0) {
- icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
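Review bot: The new `if` reads `ip6->ip_pl` before anything in the visible lines shows that the mbuf holds a complete `struct ip6`; please confirm that the check ending in the `goto bad` above guarantees that, and say so in the comment. The right-hand side of the comparison is a `size_t`, so the test also assumes `m->m_len` is never negative, and the `//` comment should use the `/* ... */` style of the context line below it.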
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Fri, 1 Nov 2019 19:41:52 -0600
-Subject: Enable cross compile prefix for C compiler invocation
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- Makefile | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/roms/qboot/Makefile b/roms/qboot/Makefile
-index adbf1b319e4a7bee78e2f95c5e51..cdde20fc37b13a1877668cd20e2f 100644
---- a/roms/qboot/Makefile
-+++ b/roms/qboot/Makefile
-@@ -1,3 +1,4 @@
-+CROSS_COMPILE ?=
- obj-y = code16.o entry.o main.o string.o printf.o cstart.o fw_cfg.o
- obj-y += linuxboot.o malloc.o tables.o hwsetup.o pci.o code32seg.o
- obj-y += mptable.o
-@@ -25,9 +26,9 @@ autodepend-flags = -MMD -MF .deps/cc-$(patsubst %/,%,$(dir $*))-$(notdir $*).d
-
- .PRECIOUS: %.o
- %.o: %.c
-- $(CC) $(CFLAGS) $(BIOS_CFLAGS) $($@-cflags) -c -s $< -o $@
-+ $(CROSS_COMPILE)$(CC) $(CFLAGS) $(BIOS_CFLAGS) $($@-cflags) -c -s $< -o $@
- %.o: %.S
-- $(CC) $(CFLAGS) $(BIOS_CFLAGS) -c -s $< -o $@
-+ $(CROSS_COMPILE)$(CC) $(CFLAGS) $(BIOS_CFLAGS) -c -s $< -o $@
-
- bios.bin.elf: $(obj-y) flat.lds
- $(LD) -T flat.lds -o bios.bin.elf $(obj-y)
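Review bot: Both pattern rules now call `$(CROSS_COMPILE)$(CC)`, but the `bios.bin.elf` link rule in the trailing context still calls a bare `$(LD)`, so a cross build compiles with the prefixed compiler and links with the unprefixed linker. Apply the prefix to `$(LD)` and to any other toolchain commands in this Makefile, and note that prefixing `$(CC)` breaks when `CC` is passed as an absolute path or with a wrapper in front.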
+++ /dev/null
-From: Valentine Barshak <gvaxon@gmail.com>
-Date: Sun, 9 Jun 2019 13:30:11 +0300
-Subject: Fix "'%s' directive argument is null" error
-
-Git-commit: 412acd7854de10e7194f362a6b1a3257a17974f7
-References: bsc#1121464
-
-Use '%p' directive, and print handle's address if the address is null
-and the handle doesn't have a name. This fixes the following
-compilation error:
-
- interface/efi/efi_debug.c:334:3: error: '%s' directive
- argument is null [-Werror=format-overflow=]
-
-Signed-off-by: Valentine Barshak <gvaxon@gmail.com>
-Signed-off-by: Michael Brown <mcb30@ipxe.org>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- src/interface/efi/efi_debug.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/roms/ipxe/src/interface/efi/efi_debug.c b/roms/ipxe/src/interface/efi/efi_debug.c
-index 8ea0a822d044caca088c64ca2407..de9b1af5579cfddba1b55788b7b6 100644
---- a/roms/ipxe/src/interface/efi/efi_debug.c
-+++ b/roms/ipxe/src/interface/efi/efi_debug.c
-@@ -331,8 +331,7 @@ void dbg_efi_protocols ( EFI_HANDLE handle ) {
-
- /* Sanity check */
- if ( ! handle ) {
-- printf ( "HANDLE %s could not retrieve protocols\n",
-- efi_handle_name ( handle ) );
-+ printf ( "HANDLE %p could not retrieve protocols\n", handle );
- return;
- }
-
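Review bot: The `%p` in the new `printf` sits inside `if ( ! handle )`, so the value printed is always a null pointer and carries no information; the "print handle's address" case described in the commit message cannot occur in this branch. A fixed string such as "HANDLE (null) could not retrieve protocols" would say the same thing without a format argument.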
+++ /dev/null
-From: Cornelia Huck <cohuck@redhat.com>
-Date: Tue, 9 Jun 2020 16:26:53 +0200
-Subject: Linux headers: update against Linux 5.8-rc1
-
-Git-commit: f76b348ec78fb7316bbcc981127ae8894cfcc609
-References: bsc#1179719
-
-Update against Linux 5.8-rc1.
-
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- include/standard-headers/asm-x86/kvm_para.h | 17 +-
- include/standard-headers/drm/drm_fourcc.h | 140 +++++++-
- include/standard-headers/linux/ethtool.h | 16 +-
- include/standard-headers/linux/virtio_ids.h | 1 +
- include/standard-headers/linux/virtio_mem.h | 211 ++++++++++++
- include/standard-headers/linux/virtio_ring.h | 48 ++-
- linux-headers/asm-arm64/mman.h | 8 +
- linux-headers/asm-generic/unistd.h | 4 +-
- linux-headers/asm-mips/unistd_n32.h | 1 +
- linux-headers/asm-mips/unistd_n64.h | 1 +
- linux-headers/asm-mips/unistd_o32.h | 1 +
- linux-headers/asm-powerpc/unistd_32.h | 1 +
- linux-headers/asm-powerpc/unistd_64.h | 1 +
- linux-headers/asm-s390/unistd_32.h | 1 +
- linux-headers/asm-s390/unistd_64.h | 1 +
- linux-headers/asm-x86/kvm.h | 20 +-
- linux-headers/asm-x86/unistd.h | 11 +-
- linux-headers/asm-x86/unistd_32.h | 1 +
- linux-headers/asm-x86/unistd_64.h | 1 +
- linux-headers/asm-x86/unistd_x32.h | 1 +
- linux-headers/linux/kvm.h | 18 +-
- linux-headers/linux/psp-sev.h | 2 +
- linux-headers/linux/vfio.h | 322 +++++++++++++++++++
- linux-headers/linux/vfio_ccw.h | 19 ++
- linux-headers/linux/vhost.h | 4 +
- 25 files changed, 818 insertions(+), 33 deletions(-)
-
-diff --git a/include/standard-headers/asm-x86/kvm_para.h b/include/standard-headers/asm-x86/kvm_para.h
-index 90604a8fb77b43ac0bdf48a9f459..07877d3295f265760c6eddec2b5e 100644
---- a/include/standard-headers/asm-x86/kvm_para.h
-+++ b/include/standard-headers/asm-x86/kvm_para.h
-@@ -31,6 +31,7 @@
- #define KVM_FEATURE_PV_SEND_IPI 11
- #define KVM_FEATURE_POLL_CONTROL 12
- #define KVM_FEATURE_PV_SCHED_YIELD 13
-+#define KVM_FEATURE_ASYNC_PF_INT 14
-
- #define KVM_HINTS_REALTIME 0
-
-@@ -50,6 +51,8 @@
- #define MSR_KVM_STEAL_TIME 0x4b564d03
- #define MSR_KVM_PV_EOI_EN 0x4b564d04
- #define MSR_KVM_POLL_CONTROL 0x4b564d05
-+#define MSR_KVM_ASYNC_PF_INT 0x4b564d06
-+#define MSR_KVM_ASYNC_PF_ACK 0x4b564d07
-
- struct kvm_steal_time {
- uint64_t steal;
-@@ -81,6 +84,11 @@ struct kvm_clock_pairing {
- #define KVM_ASYNC_PF_ENABLED (1 << 0)
- #define KVM_ASYNC_PF_SEND_ALWAYS (1 << 1)
- #define KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT (1 << 2)
-+#define KVM_ASYNC_PF_DELIVERY_AS_INT (1 << 3)
-+
-+/* MSR_KVM_ASYNC_PF_INT */
-+#define KVM_ASYNC_PF_VEC_MASK GENMASK(7, 0)
-+
-
- /* Operations for KVM_HC_MMU_OP */
- #define KVM_MMU_OP_WRITE_PTE 1
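Review bot: `KVM_ASYNC_PF_VEC_MASK` is defined as `GENMASK(7, 0)`, and no definition of or include for `GENMASK` appears in the hunks for this header. Please confirm that the macro is available to every user of the standard headers, or spell the mask as `0xff`. The added blank line after the define leaves two consecutive empty lines.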
-@@ -112,8 +120,13 @@ struct kvm_mmu_op_release_pt {
- #define KVM_PV_REASON_PAGE_READY 2
-
- struct kvm_vcpu_pv_apf_data {
-- uint32_t reason;
-- uint8_t pad[60];
-+ /* Used for 'page not present' events delivered via #PF */
-+ uint32_t flags;
-+
-+ /* Used for 'page ready' events delivered via interrupt notification */
-+ uint32_t token;
-+
-+ uint8_t pad[56];
- uint32_t enabled;
- };
-
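Review bot: In `struct kvm_vcpu_pv_apf_data` the `reason` member is renamed to `flags`, so any code still using the old name stops compiling against this header; the matching update to those users needs to land in the same step. The structure size is preserved (`token` plus `pad[56]` replaces `pad[60]`), which is worth stating in the commit message.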
-diff --git a/include/standard-headers/drm/drm_fourcc.h b/include/standard-headers/drm/drm_fourcc.h
-index 66e838074c81c64d1d38f3fb815d..909a66753c03cdfca573f1fae6a2 100644
---- a/include/standard-headers/drm/drm_fourcc.h
-+++ b/include/standard-headers/drm/drm_fourcc.h
-@@ -353,9 +353,12 @@ extern "C" {
- * a platform-dependent stride. On top of that the memory can apply
- * platform-depending swizzling of some higher address bits into bit6.
- *
-- * This format is highly platforms specific and not useful for cross-driver
-- * sharing. It exists since on a given platform it does uniquely identify the
-- * layout in a simple way for i915-specific userspace.
-+ * Note that this layout is only accurate on intel gen 8+ or valleyview chipsets.
-+ * On earlier platforms the is highly platforms specific and not useful for
-+ * cross-driver sharing. It exists since on a given platform it does uniquely
-+ * identify the layout in a simple way for i915-specific userspace, which
-+ * facilitated conversion of userspace to modifiers. Additionally the exact
-+ * format on some really old platforms is not known.
- */
- #define I915_FORMAT_MOD_X_TILED fourcc_mod_code(INTEL, 1)
-
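Review bot: The rewritten comment for `I915_FORMAT_MOD_X_TILED` has a dropped word in "On earlier platforms the is highly platforms specific", and the same sentence is repeated for `I915_FORMAT_MOD_Y_TILED` in the next hunk. As the commit message says this is an update against Linux 5.8-rc1, the wording fix belongs in the source the header is synced from rather than in this patch.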
-@@ -368,9 +371,12 @@ extern "C" {
- * memory can apply platform-depending swizzling of some higher address bits
- * into bit6.
- *
-- * This format is highly platforms specific and not useful for cross-driver
-- * sharing. It exists since on a given platform it does uniquely identify the
-- * layout in a simple way for i915-specific userspace.
-+ * Note that this layout is only accurate on intel gen 8+ or valleyview chipsets.
-+ * On earlier platforms the is highly platforms specific and not useful for
-+ * cross-driver sharing. It exists since on a given platform it does uniquely
-+ * identify the layout in a simple way for i915-specific userspace, which
-+ * facilitated conversion of userspace to modifiers. Additionally the exact
-+ * format on some really old platforms is not known.
- */
- #define I915_FORMAT_MOD_Y_TILED fourcc_mod_code(INTEL, 2)
-
-@@ -520,7 +526,113 @@ extern "C" {
- #define DRM_FORMAT_MOD_NVIDIA_TEGRA_TILED fourcc_mod_code(NVIDIA, 1)
-
- /*
-- * 16Bx2 Block Linear layout, used by desktop GPUs, and Tegra K1 and later
-+ * Generalized Block Linear layout, used by desktop GPUs starting with NV50/G80,
-+ * and Tegra GPUs starting with Tegra K1.
-+ *
-+ * Pixels are arranged in Groups of Bytes (GOBs). GOB size and layout varies
-+ * based on the architecture generation. GOBs themselves are then arranged in
-+ * 3D blocks, with the block dimensions (in terms of GOBs) always being a power
-+ * of two, and hence expressible as their log2 equivalent (E.g., "2" represents
-+ * a block depth or height of "4").
-+ *
-+ * Chapter 20 "Pixel Memory Formats" of the Tegra X1 TRM describes this format
-+ * in full detail.
-+ *
-+ * Macro
-+ * Bits Param Description
-+ * ---- ----- -----------------------------------------------------------------
-+ *
-+ * 3:0 h log2(height) of each block, in GOBs. Placed here for
-+ * compatibility with the existing
-+ * DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK()-based modifiers.
-+ *
-+ * 4:4 - Must be 1, to indicate block-linear layout. Necessary for
-+ * compatibility with the existing
-+ * DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK()-based modifiers.
-+ *
-+ * 8:5 - Reserved (To support 3D-surfaces with variable log2(depth) block
-+ * size). Must be zero.
-+ *
-+ * Note there is no log2(width) parameter. Some portions of the
-+ * hardware support a block width of two gobs, but it is impractical
-+ * to use due to lack of support elsewhere, and has no known
-+ * benefits.
-+ *
-+ * 11:9 - Reserved (To support 2D-array textures with variable array stride
-+ * in blocks, specified via log2(tile width in blocks)). Must be
-+ * zero.
-+ *
-+ * 19:12 k Page Kind. This value directly maps to a field in the page
-+ * tables of all GPUs >= NV50. It affects the exact layout of bits
-+ * in memory and can be derived from the tuple
-+ *
-+ * (format, GPU model, compression type, samples per pixel)
-+ *
-+ * Where compression type is defined below. If GPU model were
-+ * implied by the format modifier, format, or memory buffer, page
-+ * kind would not need to be included in the modifier itself, but
-+ * since the modifier should define the layout of the associated
-+ * memory buffer independent from any device or other context, it
-+ * must be included here.
-+ *
-+ * 21:20 g GOB Height and Page Kind Generation. The height of a GOB changed
-+ * starting with Fermi GPUs. Additionally, the mapping between page
-+ * kind and bit layout has changed at various points.
-+ *
-+ * 0 = Gob Height 8, Fermi - Volta, Tegra K1+ Page Kind mapping
-+ * 1 = Gob Height 4, G80 - GT2XX Page Kind mapping
-+ * 2 = Gob Height 8, Turing+ Page Kind mapping
-+ * 3 = Reserved for future use.
-+ *
-+ * 22:22 s Sector layout. On Tegra GPUs prior to Xavier, there is a further
-+ * bit remapping step that occurs at an even lower level than the
-+ * page kind and block linear swizzles. This causes the layout of
-+ * surfaces mapped in those SOC's GPUs to be incompatible with the
-+ * equivalent mapping on other GPUs in the same system.
-+ *
-+ * 0 = Tegra K1 - Tegra Parker/TX2 Layout.
-+ * 1 = Desktop GPU and Tegra Xavier+ Layout
-+ *
-+ * 25:23 c Lossless Framebuffer Compression type.
-+ *
-+ * 0 = none
-+ * 1 = ROP/3D, layout 1, exact compression format implied by Page
-+ * Kind field
-+ * 2 = ROP/3D, layout 2, exact compression format implied by Page
-+ * Kind field
-+ * 3 = CDE horizontal
-+ * 4 = CDE vertical
-+ * 5 = Reserved for future use
-+ * 6 = Reserved for future use
-+ * 7 = Reserved for future use
-+ *
-+ * 55:25 - Reserved for future use. Must be zero.
-+ */
-+#define DRM_FORMAT_MOD_NVIDIA_BLOCK_LINEAR_2D(c, s, g, k, h) \
-+ fourcc_mod_code(NVIDIA, (0x10 | \
-+ ((h) & 0xf) | \
-+ (((k) & 0xff) << 12) | \
-+ (((g) & 0x3) << 20) | \
-+ (((s) & 0x1) << 22) | \
-+ (((c) & 0x7) << 23)))
-+
-+/* To grandfather in prior block linear format modifiers to the above layout,
-+ * the page kind "0", which corresponds to "pitch/linear" and hence is unusable
-+ * with block-linear layouts, is remapped within drivers to the value 0xfe,
-+ * which corresponds to the "generic" kind used for simple single-sample
-+ * uncompressed color formats on Fermi - Volta GPUs.
-+ */
-+static inline uint64_t
-+drm_fourcc_canonicalize_nvidia_format_mod(uint64_t modifier)
-+{
-+ if (!(modifier & 0x10) || (modifier & (0xff << 12)))
-+ return modifier;
-+ else
-+ return modifier | (0xfe << 12);
-+}
-+
-+/*
-+ * 16Bx2 Block Linear layout, used by Tegra K1 and later
- *
- * Pixels are arranged in 64x8 Groups Of Bytes (GOBs). GOBs are then stacked
- * vertically by a power of 2 (1 to 32 GOBs) to form a block.
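Review bot: `drm_fourcc_canonicalize_nvidia_format_mod()` tests only `modifier & 0x10` and the page-kind bits and never checks that the vendor field is NVIDIA, so a modifier from another vendor with bit 4 set and bits 19:12 clear comes back with `0xfe << 12` ORed in; the helper should check the vendor or document that callers must. In the bit table, `25:23 c` and `55:25 - Reserved` both claim bit 25, and since the macro shifts `((c) & 0x7)` by 23 the reserved range should start at 26.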
-@@ -541,20 +653,20 @@ extern "C" {
- * in full detail.
- */
- #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(v) \
-- fourcc_mod_code(NVIDIA, 0x10 | ((v) & 0xf))
-+ DRM_FORMAT_MOD_NVIDIA_BLOCK_LINEAR_2D(0, 0, 0, 0, (v))
-
- #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_ONE_GOB \
-- fourcc_mod_code(NVIDIA, 0x10)
-+ DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(0)
- #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_TWO_GOB \
-- fourcc_mod_code(NVIDIA, 0x11)
-+ DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(1)
- #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_FOUR_GOB \
-- fourcc_mod_code(NVIDIA, 0x12)
-+ DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(2)
- #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_EIGHT_GOB \
-- fourcc_mod_code(NVIDIA, 0x13)
-+ DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(3)
- #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_SIXTEEN_GOB \
-- fourcc_mod_code(NVIDIA, 0x14)
-+ DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(4)
- #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_THIRTYTWO_GOB \
-- fourcc_mod_code(NVIDIA, 0x15)
-+ DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(5)
-
- /*
- * Some Broadcom modifiers take parameters, for example the number of
-diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h
-index 1200890c86088cb3c83368f18827..fd8d2cccfe89cb193d91439a62f5 100644
---- a/include/standard-headers/linux/ethtool.h
-+++ b/include/standard-headers/linux/ethtool.h
-@@ -1666,6 +1666,18 @@ static inline int ethtool_validate_duplex(uint8_t duplex)
- return 0;
- }
-
-+#define MASTER_SLAVE_CFG_UNSUPPORTED 0
-+#define MASTER_SLAVE_CFG_UNKNOWN 1
-+#define MASTER_SLAVE_CFG_MASTER_PREFERRED 2
-+#define MASTER_SLAVE_CFG_SLAVE_PREFERRED 3
-+#define MASTER_SLAVE_CFG_MASTER_FORCE 4
-+#define MASTER_SLAVE_CFG_SLAVE_FORCE 5
-+#define MASTER_SLAVE_STATE_UNSUPPORTED 0
-+#define MASTER_SLAVE_STATE_UNKNOWN 1
-+#define MASTER_SLAVE_STATE_MASTER 2
-+#define MASTER_SLAVE_STATE_SLAVE 3
-+#define MASTER_SLAVE_STATE_ERR 4
-+
- /* Which connector port. */
- #define PORT_TP 0x00
- #define PORT_AUI 0x01
-@@ -1904,7 +1916,9 @@ struct ethtool_link_settings {
- uint8_t eth_tp_mdix_ctrl;
- int8_t link_mode_masks_nwords;
- uint8_t transceiver;
-- uint8_t reserved1[3];
-+ uint8_t master_slave_cfg;
-+ uint8_t master_slave_state;
-+ uint8_t reserved1[1];
- uint32_t reserved[7];
- uint32_t link_mode_masks[0];
- /* layout of link_mode_masks fields:
-diff --git a/include/standard-headers/linux/virtio_ids.h b/include/standard-headers/linux/virtio_ids.h
-index ecc27a17401a76b8ae8a907859d1..b052355ac7a324e173f4ea44c48d 100644
---- a/include/standard-headers/linux/virtio_ids.h
-+++ b/include/standard-headers/linux/virtio_ids.h
-@@ -44,6 +44,7 @@
- #define VIRTIO_ID_VSOCK 19 /* virtio vsock transport */
- #define VIRTIO_ID_CRYPTO 20 /* virtio crypto */
- #define VIRTIO_ID_IOMMU 23 /* virtio IOMMU */
-+#define VIRTIO_ID_MEM 24 /* virtio mem */
- #define VIRTIO_ID_FS 26 /* virtio filesystem */
- #define VIRTIO_ID_PMEM 27 /* virtio pmem */
- #define VIRTIO_ID_MAC80211_HWSIM 29 /* virtio mac80211-hwsim */
-diff --git a/include/standard-headers/linux/virtio_mem.h b/include/standard-headers/linux/virtio_mem.h
-new file mode 100644
-index 0000000000000000000000000000000000000000..05e5ade75d3d8d2533c63d4fb4fe1c9026d86751
---- /dev/null
-+++ b/include/standard-headers/linux/virtio_mem.h
-@@ -0,0 +1,211 @@
-+/* SPDX-License-Identifier: BSD-3-Clause */
-+/*
-+ * Virtio Mem Device
-+ *
-+ * Copyright Red Hat, Inc. 2020
-+ *
-+ * Authors:
-+ * David Hildenbrand <david@redhat.com>
-+ *
-+ * This header is BSD licensed so anyone can use the definitions
-+ * to implement compatible drivers/servers:
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. Neither the name of IBM nor the names of its contributors
-+ * may be used to endorse or promote products derived from this software
-+ * without specific prior written permission.
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL IBM OR
-+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
-+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
-+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ */
-+
-+#ifndef _LINUX_VIRTIO_MEM_H
-+#define _LINUX_VIRTIO_MEM_H
-+
-+#include "standard-headers/linux/types.h"
-+#include "standard-headers/linux/virtio_types.h"
-+#include "standard-headers/linux/virtio_ids.h"
-+#include "standard-headers/linux/virtio_config.h"
-+
-+/*
-+ * Each virtio-mem device manages a dedicated region in physical address
-+ * space. Each device can belong to a single NUMA node, multiple devices
-+ * for a single NUMA node are possible. A virtio-mem device is like a
-+ * "resizable DIMM" consisting of small memory blocks that can be plugged
-+ * or unplugged. The device driver is responsible for (un)plugging memory
-+ * blocks on demand.
-+ *
-+ * Virtio-mem devices can only operate on their assigned memory region in
-+ * order to (un)plug memory. A device cannot (un)plug memory belonging to
-+ * other devices.
-+ *
-+ * The "region_size" corresponds to the maximum amount of memory that can
-+ * be provided by a device. The "size" corresponds to the amount of memory
-+ * that is currently plugged. "requested_size" corresponds to a request
-+ * from the device to the device driver to (un)plug blocks. The
-+ * device driver should try to (un)plug blocks in order to reach the
-+ * "requested_size". It is impossible to plug more memory than requested.
-+ *
-+ * The "usable_region_size" represents the memory region that can actually
-+ * be used to (un)plug memory. It is always at least as big as the
-+ * "requested_size" and will grow dynamically. It will only shrink when
-+ * explicitly triggered (VIRTIO_MEM_REQ_UNPLUG).
-+ *
-+ * There are no guarantees what will happen if unplugged memory is
-+ * read/written. Such memory should, in general, not be touched. E.g.,
-+ * even writing might succeed, but the values will simply be discarded at
-+ * random points in time.
-+ *
-+ * It can happen that the device cannot process a request, because it is
-+ * busy. The device driver has to retry later.
-+ *
-+ * Usually, during system resets all memory will get unplugged, so the
-+ * device driver can start with a clean state. However, in specific
-+ * scenarios (if the device is busy) it can happen that the device still
-+ * has memory plugged. The device driver can request to unplug all memory
-+ * (VIRTIO_MEM_REQ_UNPLUG) - which might take a while to succeed if the
-+ * device is busy.
-+ */
-+
-+/* --- virtio-mem: feature bits --- */
-+
-+/* node_id is an ACPI PXM and is valid */
-+#define VIRTIO_MEM_F_ACPI_PXM 0
-+
-+
-+/* --- virtio-mem: guest -> host requests --- */
-+
-+/* request to plug memory blocks */
-+#define VIRTIO_MEM_REQ_PLUG 0
-+/* request to unplug memory blocks */
-+#define VIRTIO_MEM_REQ_UNPLUG 1
-+/* request to unplug all blocks and shrink the usable size */
-+#define VIRTIO_MEM_REQ_UNPLUG_ALL 2
-+/* request information about the plugged state of memory blocks */
-+#define VIRTIO_MEM_REQ_STATE 3
-+
-+struct virtio_mem_req_plug {
-+ __virtio64 addr;
-+ __virtio16 nb_blocks;
-+ __virtio16 padding[3];
-+};
-+
-+struct virtio_mem_req_unplug {
-+ __virtio64 addr;
-+ __virtio16 nb_blocks;
-+ __virtio16 padding[3];
-+};
-+
-+struct virtio_mem_req_state {
-+ __virtio64 addr;
-+ __virtio16 nb_blocks;
-+ __virtio16 padding[3];
-+};
-+
-+struct virtio_mem_req {
-+ __virtio16 type;
-+ __virtio16 padding[3];
-+
-+ union {
-+ struct virtio_mem_req_plug plug;
-+ struct virtio_mem_req_unplug unplug;
-+ struct virtio_mem_req_state state;
-+ } u;
-+};
-+
-+
-+/* --- virtio-mem: host -> guest response --- */
-+
-+/*
-+ * Request processed successfully, applicable for
-+ * - VIRTIO_MEM_REQ_PLUG
-+ * - VIRTIO_MEM_REQ_UNPLUG
-+ * - VIRTIO_MEM_REQ_UNPLUG_ALL
-+ * - VIRTIO_MEM_REQ_STATE
-+ */
-+#define VIRTIO_MEM_RESP_ACK 0
-+/*
-+ * Request denied - e.g. trying to plug more than requested, applicable for
-+ * - VIRTIO_MEM_REQ_PLUG
-+ */
-+#define VIRTIO_MEM_RESP_NACK 1
-+/*
-+ * Request cannot be processed right now, try again later, applicable for
-+ * - VIRTIO_MEM_REQ_PLUG
-+ * - VIRTIO_MEM_REQ_UNPLUG
-+ * - VIRTIO_MEM_REQ_UNPLUG_ALL
-+ */
-+#define VIRTIO_MEM_RESP_BUSY 2
-+/*
-+ * Error in request (e.g. addresses/alignment), applicable for
-+ * - VIRTIO_MEM_REQ_PLUG
-+ * - VIRTIO_MEM_REQ_UNPLUG
-+ * - VIRTIO_MEM_REQ_STATE
-+ */
-+#define VIRTIO_MEM_RESP_ERROR 3
-+
-+
-+/* State of memory blocks is "plugged" */
-+#define VIRTIO_MEM_STATE_PLUGGED 0
-+/* State of memory blocks is "unplugged" */
-+#define VIRTIO_MEM_STATE_UNPLUGGED 1
-+/* State of memory blocks is "mixed" */
-+#define VIRTIO_MEM_STATE_MIXED 2
-+
-+struct virtio_mem_resp_state {
-+ __virtio16 state;
-+};
-+
-+struct virtio_mem_resp {
-+ __virtio16 type;
-+ __virtio16 padding[3];
-+
-+ union {
-+ struct virtio_mem_resp_state state;
-+ } u;
-+};
-+
-+/* --- virtio-mem: configuration --- */
-+
-+struct virtio_mem_config {
-+ /* Block size and alignment. Cannot change. */
-+ uint64_t block_size;
-+ /* Valid with VIRTIO_MEM_F_ACPI_PXM. Cannot change. */
-+ uint16_t node_id;
-+ uint8_t padding[6];
-+ /* Start address of the memory region. Cannot change. */
-+ uint64_t addr;
-+ /* Region size (maximum). Cannot change. */
-+ uint64_t region_size;
-+ /*
-+ * Currently usable region size. Can grow up to region_size. Can
-+ * shrink due to VIRTIO_MEM_REQ_UNPLUG_ALL (in which case no config
-+ * update will be sent).
-+ */
-+ uint64_t usable_region_size;
-+ /*
-+ * Currently used size. Changes due to plug/unplug requests, but no
-+ * config updates will be sent.
-+ */
-+ uint64_t plugged_size;
-+ /* Requested size. New plug requests cannot exceed it. Can change. */
-+ uint64_t requested_size;
-+};
-+
-+#endif /* _LINUX_VIRTIO_MEM_H */
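Review bot: The block comment above the feature bits names the wrong request for a full unplug. It says the driver "can request to unplug all memory (VIRTIO_MEM_REQ_UNPLUG)", but the request defined for that is VIRTIO_MEM_REQ_UNPLUG_ALL (2); VIRTIO_MEM_REQ_UNPLUG (1) takes an addr/nb_blocks payload and unplugs specific blocks. A driver author following the comment after a reset would issue the wrong request type, so the text should read VIRTIO_MEM_REQ_UNPLUG_ALL. It would also help to state next to struct virtio_mem_req that UNPLUG_ALL carries no payload, since the union has no member for it.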
-diff --git a/include/standard-headers/linux/virtio_ring.h b/include/standard-headers/linux/virtio_ring.h
-index f230fed479601c06c40b1a82aae1..0fa0e1067ffe56c40a4034ed0368 100644
---- a/include/standard-headers/linux/virtio_ring.h
-+++ b/include/standard-headers/linux/virtio_ring.h
-@@ -84,6 +84,13 @@
- * at the end of the used ring. Guest should ignore the used->flags field. */
- #define VIRTIO_RING_F_EVENT_IDX 29
-
-+/* Alignment requirements for vring elements.
-+ * When using pre-virtio 1.0 layout, these fall out naturally.
-+ */
-+#define VRING_AVAIL_ALIGN_SIZE 2
-+#define VRING_USED_ALIGN_SIZE 4
-+#define VRING_DESC_ALIGN_SIZE 16
-+
- /* Virtio ring descriptors: 16 bytes. These can chain together via "next". */
- struct vring_desc {
- /* Address (guest-physical). */
-@@ -110,28 +117,47 @@ struct vring_used_elem {
- __virtio32 len;
- };
-
-+typedef struct vring_used_elem __attribute__((aligned(VRING_USED_ALIGN_SIZE)))
-+ vring_used_elem_t;
-+
- struct vring_used {
- __virtio16 flags;
- __virtio16 idx;
-- struct vring_used_elem ring[];
-+ vring_used_elem_t ring[];
- };
-
-+/*
-+ * The ring element addresses are passed between components with different
-+ * alignments assumptions. Thus, we might need to decrease the compiler-selected
-+ * alignment, and so must use a typedef to make sure the aligned attribute
-+ * actually takes hold:
-+ *
-+ * https://gcc.gnu.org/onlinedocs//gcc/Common-Type-Attributes.html#Common-Type-Attributes
-+ *
-+ * When used on a struct, or struct member, the aligned attribute can only
-+ * increase the alignment; in order to decrease it, the packed attribute must
-+ * be specified as well. When used as part of a typedef, the aligned attribute
-+ * can both increase and decrease alignment, and specifying the packed
-+ * attribute generates a warning.
-+ */
-+typedef struct vring_desc __attribute__((aligned(VRING_DESC_ALIGN_SIZE)))
-+ vring_desc_t;
-+typedef struct vring_avail __attribute__((aligned(VRING_AVAIL_ALIGN_SIZE)))
-+ vring_avail_t;
-+typedef struct vring_used __attribute__((aligned(VRING_USED_ALIGN_SIZE)))
-+ vring_used_t;
-+
- struct vring {
- unsigned int num;
-
-- struct vring_desc *desc;
-+ vring_desc_t *desc;
-
-- struct vring_avail *avail;
-+ vring_avail_t *avail;
-
-- struct vring_used *used;
-+ vring_used_t *used;
- };
-
--/* Alignment requirements for vring elements.
-- * When using pre-virtio 1.0 layout, these fall out naturally.
-- */
--#define VRING_AVAIL_ALIGN_SIZE 2
--#define VRING_USED_ALIGN_SIZE 4
--#define VRING_DESC_ALIGN_SIZE 16
-+#ifndef VIRTIO_RING_NO_LEGACY
-
- /* The standard layout for the ring is a continuous chunk of memory which looks
- * like this. We assume num is a power of 2.
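Review bot: The comment explaining why the aligned attribute has to be applied through a typedef is placed above vring_desc_t, but the first typedef that relies on it, vring_used_elem_t, is introduced earlier (above struct vring_used) with no explanation. Move the comment up so it precedes vring_used_elem_t, or add a short pointer to it there. The new "#ifndef VIRTIO_RING_NO_LEGACY" would also benefit from a one-line comment saying which helpers it hides, because its matching #endif only appears in the next hunk.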
-@@ -179,6 +205,8 @@ static inline unsigned vring_size(unsigned int num, unsigned long align)
- + sizeof(__virtio16) * 3 + sizeof(struct vring_used_elem) * num;
- }
-
-+#endif /* VIRTIO_RING_NO_LEGACY */
-+
- /* The following is used with USED_EVENT_IDX and AVAIL_EVENT_IDX */
- /* Assuming a given event_idx value from the other side, if
- * we have just incremented index from old to new_idx,
-diff --git a/linux-headers/asm-arm64/mman.h b/linux-headers/asm-arm64/mman.h
-index 8eebf89f5ab17884a98543f3b37a..e94b9af859842a952268c34cfd92 100644
---- a/linux-headers/asm-arm64/mman.h
-+++ b/linux-headers/asm-arm64/mman.h
-@@ -1 +1,9 @@
-+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
-+#ifndef __ASM_MMAN_H
-+#define __ASM_MMAN_H
-+
- #include <asm-generic/mman.h>
-+
-+#define PROT_BTI 0x10 /* BTI guarded page */
-+
-+#endif /* ! _UAPI__ASM_MMAN_H */
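Review bot: The include guard and its closing comment disagree in the new asm-arm64/mman.h: the guard is opened with "#ifndef __ASM_MMAN_H" / "#define __ASM_MMAN_H" but closed with "#endif /* ! _UAPI__ASM_MMAN_H */". The preprocessor ignores the comment, so this is cosmetic, but the trailing comment should name the macro actually tested (__ASM_MMAN_H) so the guard can be found by searching for it.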
-diff --git a/linux-headers/asm-generic/unistd.h b/linux-headers/asm-generic/unistd.h
-index 3a3201e4618ef8c7445895b26f6e..f4a01305d9a65c14fe46652970ec 100644
---- a/linux-headers/asm-generic/unistd.h
-+++ b/linux-headers/asm-generic/unistd.h
-@@ -855,9 +855,11 @@ __SYSCALL(__NR_clone3, sys_clone3)
- __SYSCALL(__NR_openat2, sys_openat2)
- #define __NR_pidfd_getfd 438
- __SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd)
-+#define __NR_faccessat2 439
-+__SYSCALL(__NR_faccessat2, sys_faccessat2)
-
- #undef __NR_syscalls
--#define __NR_syscalls 439
-+#define __NR_syscalls 440
-
- /*
- * 32 bit systems traditionally used different
-diff --git a/linux-headers/asm-mips/unistd_n32.h b/linux-headers/asm-mips/unistd_n32.h
-index aec9f6081af7974a2f8fc075a70f..3b9eda7e7d8f7c7a2961192371f9 100644
---- a/linux-headers/asm-mips/unistd_n32.h
-+++ b/linux-headers/asm-mips/unistd_n32.h
-@@ -367,6 +367,7 @@
- #define __NR_clone3 (__NR_Linux + 435)
- #define __NR_openat2 (__NR_Linux + 437)
- #define __NR_pidfd_getfd (__NR_Linux + 438)
-+#define __NR_faccessat2 (__NR_Linux + 439)
-
-
- #endif /* _ASM_MIPS_UNISTD_N32_H */
-diff --git a/linux-headers/asm-mips/unistd_n64.h b/linux-headers/asm-mips/unistd_n64.h
-index 1c75d83df53f90aa386b8b919a3d..9cdf9b6c60dfde0e7f8c6f09bb48 100644
---- a/linux-headers/asm-mips/unistd_n64.h
-+++ b/linux-headers/asm-mips/unistd_n64.h
-@@ -343,6 +343,7 @@
- #define __NR_clone3 (__NR_Linux + 435)
- #define __NR_openat2 (__NR_Linux + 437)
- #define __NR_pidfd_getfd (__NR_Linux + 438)
-+#define __NR_faccessat2 (__NR_Linux + 439)
-
-
- #endif /* _ASM_MIPS_UNISTD_N64_H */
-diff --git a/linux-headers/asm-mips/unistd_o32.h b/linux-headers/asm-mips/unistd_o32.h
-index 660716e240ec10f7ccf3e65239dd..e3e5e238f026edbecf3835d1d887 100644
---- a/linux-headers/asm-mips/unistd_o32.h
-+++ b/linux-headers/asm-mips/unistd_o32.h
-@@ -413,6 +413,7 @@
- #define __NR_clone3 (__NR_Linux + 435)
- #define __NR_openat2 (__NR_Linux + 437)
- #define __NR_pidfd_getfd (__NR_Linux + 438)
-+#define __NR_faccessat2 (__NR_Linux + 439)
-
-
- #endif /* _ASM_MIPS_UNISTD_O32_H */
-diff --git a/linux-headers/asm-powerpc/unistd_32.h b/linux-headers/asm-powerpc/unistd_32.h
-index 4ba8e32f734445f6107d45044d08..862edb7448c5160b0ded92f32ede 100644
---- a/linux-headers/asm-powerpc/unistd_32.h
-+++ b/linux-headers/asm-powerpc/unistd_32.h
-@@ -420,6 +420,7 @@
- #define __NR_clone3 435
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
-+#define __NR_faccessat2 439
-
-
- #endif /* _ASM_POWERPC_UNISTD_32_H */
-diff --git a/linux-headers/asm-powerpc/unistd_64.h b/linux-headers/asm-powerpc/unistd_64.h
-index ac20bb4f95b207d4875613b54c45..f553224ce408b2a721321d1b30b5 100644
---- a/linux-headers/asm-powerpc/unistd_64.h
-+++ b/linux-headers/asm-powerpc/unistd_64.h
-@@ -392,6 +392,7 @@
- #define __NR_clone3 435
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
-+#define __NR_faccessat2 439
-
-
- #endif /* _ASM_POWERPC_UNISTD_64_H */
-diff --git a/linux-headers/asm-s390/unistd_32.h b/linux-headers/asm-s390/unistd_32.h
-index e4a6b654f10e1169e4fd62838282..e08233c0c37719a8a77caacf2f93 100644
---- a/linux-headers/asm-s390/unistd_32.h
-+++ b/linux-headers/asm-s390/unistd_32.h
-@@ -410,5 +410,6 @@
- #define __NR_clone3 435
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
-+#define __NR_faccessat2 439
-
- #endif /* _ASM_S390_UNISTD_32_H */
-diff --git a/linux-headers/asm-s390/unistd_64.h b/linux-headers/asm-s390/unistd_64.h
-index 472f732956e4d1047d95dd68c5de..560e19ae2bb4dc9dd734823016b1 100644
---- a/linux-headers/asm-s390/unistd_64.h
-+++ b/linux-headers/asm-s390/unistd_64.h
-@@ -358,5 +358,6 @@
- #define __NR_clone3 435
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
-+#define __NR_faccessat2 439
-
- #endif /* _ASM_S390_UNISTD_64_H */
-diff --git a/linux-headers/asm-x86/kvm.h b/linux-headers/asm-x86/kvm.h
-index 3f3f780c8c6500e1a1ea52bc0585..17c5a038f42d3978d1b06d7cec5f 100644
---- a/linux-headers/asm-x86/kvm.h
-+++ b/linux-headers/asm-x86/kvm.h
-@@ -385,32 +385,48 @@ struct kvm_sync_regs {
- #define KVM_X86_QUIRK_MISC_ENABLE_NO_MWAIT (1 << 4)
-
- #define KVM_STATE_NESTED_FORMAT_VMX 0
--#define KVM_STATE_NESTED_FORMAT_SVM 1 /* unused */
-+#define KVM_STATE_NESTED_FORMAT_SVM 1
-
- #define KVM_STATE_NESTED_GUEST_MODE 0x00000001
- #define KVM_STATE_NESTED_RUN_PENDING 0x00000002
- #define KVM_STATE_NESTED_EVMCS 0x00000004
- #define KVM_STATE_NESTED_MTF_PENDING 0x00000008
-+#define KVM_STATE_NESTED_GIF_SET 0x00000100
-
- #define KVM_STATE_NESTED_SMM_GUEST_MODE 0x00000001
- #define KVM_STATE_NESTED_SMM_VMXON 0x00000002
-
- #define KVM_STATE_NESTED_VMX_VMCS_SIZE 0x1000
-
-+#define KVM_STATE_NESTED_SVM_VMCB_SIZE 0x1000
-+
-+#define KVM_STATE_VMX_PREEMPTION_TIMER_DEADLINE 0x00000001
-+
- struct kvm_vmx_nested_state_data {
- __u8 vmcs12[KVM_STATE_NESTED_VMX_VMCS_SIZE];
- __u8 shadow_vmcs12[KVM_STATE_NESTED_VMX_VMCS_SIZE];
- };
-
- struct kvm_vmx_nested_state_hdr {
-+ __u32 flags;
- __u64 vmxon_pa;
- __u64 vmcs12_pa;
-+ __u64 preemption_timer_deadline;
-
- struct {
- __u16 flags;
- } smm;
- };
-
-+struct kvm_svm_nested_state_data {
-+ /* Save area only used if KVM_STATE_NESTED_RUN_PENDING. */
-+ __u8 vmcb12[KVM_STATE_NESTED_SVM_VMCB_SIZE];
-+};
-+
-+struct kvm_svm_nested_state_hdr {
-+ __u64 vmcb_pa;
-+};
-+
- /* for KVM_CAP_NESTED_STATE */
- struct kvm_nested_state {
- __u16 flags;
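Review bot: In struct kvm_vmx_nested_state_hdr the new "__u32 flags" is inserted ahead of the existing vmxon_pa and vmcs12_pa, and preemption_timer_deadline is inserted ahead of smm. That moves every pre-existing field: vmxon_pa goes from offset 0 to 8 (after 4 bytes of implicit padding behind flags), vmcs12_pa from 8 to 16, and smm.flags from 16 to 32. Nested state saved by a binary built against the old layout would be read at the wrong offsets by one built against this header. New fields in an ABI struct like this should be appended after smm, with explicit padding rather than a compiler-inserted hole, so existing offsets stay put. The same hunk drops the "/* unused */" marker from KVM_STATE_NESTED_FORMAT_SVM, which is consistent with the new svm structures.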
-@@ -419,6 +435,7 @@ struct kvm_nested_state {
-
- union {
- struct kvm_vmx_nested_state_hdr vmx;
-+ struct kvm_svm_nested_state_hdr svm;
-
- /* Pad the header to 128 bytes. */
- __u8 pad[120];
-@@ -431,6 +448,7 @@ struct kvm_nested_state {
- */
- union {
- struct kvm_vmx_nested_state_data vmx[0];
-+ struct kvm_svm_nested_state_data svm[0];
- } data;
- };
-
-diff --git a/linux-headers/asm-x86/unistd.h b/linux-headers/asm-x86/unistd.h
-index 498d1515c616b2b41675b79270dc..d2af42d61ded12e1f13748be46fa 100644
---- a/linux-headers/asm-x86/unistd.h
-+++ b/linux-headers/asm-x86/unistd.h
-@@ -2,8 +2,15 @@
- #ifndef _ASM_X86_UNISTD_H
- #define _ASM_X86_UNISTD_H
-
--/* x32 syscall flag bit */
--#define __X32_SYSCALL_BIT 0x40000000UL
-+/*
-+ * x32 syscall flag bit. Some user programs expect syscall NR macros
-+ * and __X32_SYSCALL_BIT to have type int, even though syscall numbers
-+ * are, for practical purposes, unsigned long.
-+ *
-+ * Fortunately, expressions like (nr & ~__X32_SYSCALL_BIT) do the right
-+ * thing regardless.
-+ */
-+#define __X32_SYSCALL_BIT 0x40000000
-
- # ifdef __i386__
- # include <asm/unistd_32.h>
-diff --git a/linux-headers/asm-x86/unistd_32.h b/linux-headers/asm-x86/unistd_32.h
-index 1e6c1a586776181a3caba2bbba1f..c727981d4a3aa8a3578ab777d0cc 100644
---- a/linux-headers/asm-x86/unistd_32.h
-+++ b/linux-headers/asm-x86/unistd_32.h
-@@ -428,6 +428,7 @@
- #define __NR_clone3 435
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
-+#define __NR_faccessat2 439
-
-
- #endif /* _ASM_X86_UNISTD_32_H */
-diff --git a/linux-headers/asm-x86/unistd_64.h b/linux-headers/asm-x86/unistd_64.h
-index 6daf0aecb2984b846595f8f3ea6e..843fa6274584c57a8825c1d39f85 100644
---- a/linux-headers/asm-x86/unistd_64.h
-+++ b/linux-headers/asm-x86/unistd_64.h
-@@ -350,6 +350,7 @@
- #define __NR_clone3 435
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
-+#define __NR_faccessat2 439
-
-
- #endif /* _ASM_X86_UNISTD_64_H */
-diff --git a/linux-headers/asm-x86/unistd_x32.h b/linux-headers/asm-x86/unistd_x32.h
-index e3f17ef370fcfd16d26ea2709d16..7d63d703cab4227d9e631006852f 100644
---- a/linux-headers/asm-x86/unistd_x32.h
-+++ b/linux-headers/asm-x86/unistd_x32.h
-@@ -303,6 +303,7 @@
- #define __NR_clone3 (__X32_SYSCALL_BIT + 435)
- #define __NR_openat2 (__X32_SYSCALL_BIT + 437)
- #define __NR_pidfd_getfd (__X32_SYSCALL_BIT + 438)
-+#define __NR_faccessat2 (__X32_SYSCALL_BIT + 439)
- #define __NR_rt_sigaction (__X32_SYSCALL_BIT + 512)
- #define __NR_rt_sigreturn (__X32_SYSCALL_BIT + 513)
- #define __NR_ioctl (__X32_SYSCALL_BIT + 514)
-diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
-index a56559baa0bbe2823d1d96d652dc..71f531771dd862c7f3cbd07ba376 100644
---- a/linux-headers/linux/kvm.h
-+++ b/linux-headers/linux/kvm.h
-@@ -116,7 +116,7 @@ struct kvm_irq_level {
- * ACPI gsi notion of irq.
- * For IA-64 (APIC model) IOAPIC0: irq 0-23; IOAPIC1: irq 24-47..
- * For X86 (standard AT mode) PIC0/1: irq 0-15. IOAPIC0: 0-23..
-- * For ARM: See Documentation/virt/kvm/api.txt
-+ * For ARM: See Documentation/virt/kvm/api.rst
- */
- union {
- __u32 irq;
-@@ -188,10 +188,13 @@ struct kvm_s390_cmma_log {
- struct kvm_hyperv_exit {
- #define KVM_EXIT_HYPERV_SYNIC 1
- #define KVM_EXIT_HYPERV_HCALL 2
-+#define KVM_EXIT_HYPERV_SYNDBG 3
- __u32 type;
-+ __u32 pad1;
- union {
- struct {
- __u32 msr;
-+ __u32 pad2;
- __u64 control;
- __u64 evt_page;
- __u64 msg_page;
-@@ -201,6 +204,15 @@ struct kvm_hyperv_exit {
- __u64 result;
- __u64 params[2];
- } hcall;
-+ struct {
-+ __u32 msr;
-+ __u32 pad2;
-+ __u64 control;
-+ __u64 status;
-+ __u64 send_page;
-+ __u64 recv_page;
-+ __u64 pending_page;
-+ } syndbg;
- } u;
- };
-
-@@ -1011,6 +1023,8 @@ struct kvm_ppc_resize_hpt {
- #define KVM_CAP_ARM_INJECT_EXT_DABT 178
- #define KVM_CAP_S390_PROTECTED 180
- #define KVM_CAP_PPC_SECURE_GUEST 181
-+#define KVM_CAP_HALT_POLL 182
-+#define KVM_CAP_ASYNC_PF_INT 183
-
- #ifdef KVM_CAP_IRQ_ROUTING
-
-@@ -1101,7 +1115,7 @@ struct kvm_xen_hvm_config {
- *
- * KVM_IRQFD_FLAG_RESAMPLE indicates resamplefd is valid and specifies
- * the irqfd to operate in resampling mode for level triggered interrupt
-- * emulation. See Documentation/virt/kvm/api.txt.
-+ * emulation. See Documentation/virt/kvm/api.rst.
- */
- #define KVM_IRQFD_FLAG_RESAMPLE (1 << 1)
-
-diff --git a/linux-headers/linux/psp-sev.h b/linux-headers/linux/psp-sev.h
-index 31f971e89659b667eccc0d089599..51d8b3940e1448d1a3e2488279b1 100644
---- a/linux-headers/linux/psp-sev.h
-+++ b/linux-headers/linux/psp-sev.h
-@@ -83,6 +83,8 @@ struct sev_user_data_status {
- __u32 guest_count; /* Out */
- } __attribute__((packed));
-
-+#define SEV_STATUS_FLAGS_CONFIG_ES 0x0100
-+
- /**
- * struct sev_user_data_pek_csr - PEK_CSR command parameters
- *
-diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h
-index a41c45286511f083878c06b60d71..f09df262c4b52dfcef1d66ee0bdc 100644
---- a/linux-headers/linux/vfio.h
-+++ b/linux-headers/linux/vfio.h
-@@ -305,6 +305,7 @@ struct vfio_region_info_cap_type {
- #define VFIO_REGION_TYPE_PCI_VENDOR_MASK (0xffff)
- #define VFIO_REGION_TYPE_GFX (1)
- #define VFIO_REGION_TYPE_CCW (2)
-+#define VFIO_REGION_TYPE_MIGRATION (3)
-
- /* sub-types for VFIO_REGION_TYPE_PCI_* */
-
-@@ -378,6 +379,235 @@ struct vfio_region_gfx_edid {
-
- /* sub-types for VFIO_REGION_TYPE_CCW */
- #define VFIO_REGION_SUBTYPE_CCW_ASYNC_CMD (1)
-+#define VFIO_REGION_SUBTYPE_CCW_SCHIB (2)
-+#define VFIO_REGION_SUBTYPE_CCW_CRW (3)
-+
-+/* sub-types for VFIO_REGION_TYPE_MIGRATION */
-+#define VFIO_REGION_SUBTYPE_MIGRATION (1)
-+
-+/*
-+ * The structure vfio_device_migration_info is placed at the 0th offset of
-+ * the VFIO_REGION_SUBTYPE_MIGRATION region to get and set VFIO device related
-+ * migration information. Field accesses from this structure are only supported
-+ * at their native width and alignment. Otherwise, the result is undefined and
-+ * vendor drivers should return an error.
-+ *
-+ * device_state: (read/write)
-+ * - The user application writes to this field to inform the vendor driver
-+ * about the device state to be transitioned to.
-+ * - The vendor driver should take the necessary actions to change the
-+ * device state. After successful transition to a given state, the
-+ * vendor driver should return success on write(device_state, state)
-+ * system call. If the device state transition fails, the vendor driver
-+ * should return an appropriate -errno for the fault condition.
-+ * - On the user application side, if the device state transition fails,
-+ * that is, if write(device_state, state) returns an error, read
-+ * device_state again to determine the current state of the device from
-+ * the vendor driver.
-+ * - The vendor driver should return previous state of the device unless
-+ * the vendor driver has encountered an internal error, in which case
-+ * the vendor driver may report the device_state VFIO_DEVICE_STATE_ERROR.
-+ * - The user application must use the device reset ioctl to recover the
-+ * device from VFIO_DEVICE_STATE_ERROR state. If the device is
-+ * indicated to be in a valid device state by reading device_state, the
-+ * user application may attempt to transition the device to any valid
-+ * state reachable from the current state or terminate itself.
-+ *
-+ * device_state consists of 3 bits:
-+ * - If bit 0 is set, it indicates the _RUNNING state. If bit 0 is clear,
-+ * it indicates the _STOP state. When the device state is changed to
-+ * _STOP, driver should stop the device before write() returns.
-+ * - If bit 1 is set, it indicates the _SAVING state, which means that the
-+ * driver should start gathering device state information that will be
-+ * provided to the VFIO user application to save the device's state.
-+ * - If bit 2 is set, it indicates the _RESUMING state, which means that
-+ * the driver should prepare to resume the device. Data provided through
-+ * the migration region should be used to resume the device.
-+ * Bits 3 - 31 are reserved for future use. To preserve them, the user
-+ * application should perform a read-modify-write operation on this
-+ * field when modifying the specified bits.
-+ *
-+ * +------- _RESUMING
-+ * |+------ _SAVING
-+ * ||+----- _RUNNING
-+ * |||
-+ * 000b => Device Stopped, not saving or resuming
-+ * 001b => Device running, which is the default state
-+ * 010b => Stop the device & save the device state, stop-and-copy state
-+ * 011b => Device running and save the device state, pre-copy state
-+ * 100b => Device stopped and the device state is resuming
-+ * 101b => Invalid state
-+ * 110b => Error state
-+ * 111b => Invalid state
-+ *
-+ * State transitions:
-+ *
-+ * _RESUMING _RUNNING Pre-copy Stop-and-copy _STOP
-+ * (100b) (001b) (011b) (010b) (000b)
-+ * 0. Running or default state
-+ * |
-+ *
-+ * 1. Normal Shutdown (optional)
-+ * |------------------------------------->|
-+ *
-+ * 2. Save the state or suspend
-+ * |------------------------->|---------->|
-+ *
-+ * 3. Save the state during live migration
-+ * |----------->|------------>|---------->|
-+ *
-+ * 4. Resuming
-+ * |<---------|
-+ *
-+ * 5. Resumed
-+ * |--------->|
-+ *
-+ * 0. Default state of VFIO device is _RUNNNG when the user application starts.
-+ * 1. During normal shutdown of the user application, the user application may
-+ * optionally change the VFIO device state from _RUNNING to _STOP. This
-+ * transition is optional. The vendor driver must support this transition but
-+ * must not require it.
-+ * 2. When the user application saves state or suspends the application, the
-+ * device state transitions from _RUNNING to stop-and-copy and then to _STOP.
-+ * On state transition from _RUNNING to stop-and-copy, driver must stop the
-+ * device, save the device state and send it to the application through the
-+ * migration region. The sequence to be followed for such transition is given
-+ * below.
-+ * 3. In live migration of user application, the state transitions from _RUNNING
-+ * to pre-copy, to stop-and-copy, and to _STOP.
-+ * On state transition from _RUNNING to pre-copy, the driver should start
-+ * gathering the device state while the application is still running and send
-+ * the device state data to application through the migration region.
-+ * On state transition from pre-copy to stop-and-copy, the driver must stop
-+ * the device, save the device state and send it to the user application
-+ * through the migration region.
-+ * Vendor drivers must support the pre-copy state even for implementations
-+ * where no data is provided to the user before the stop-and-copy state. The
-+ * user must not be required to consume all migration data before the device
-+ * transitions to a new state, including the stop-and-copy state.
-+ * The sequence to be followed for above two transitions is given below.
-+ * 4. To start the resuming phase, the device state should be transitioned from
-+ * the _RUNNING to the _RESUMING state.
-+ * In the _RESUMING state, the driver should use the device state data
-+ * received through the migration region to resume the device.
-+ * 5. After providing saved device data to the driver, the application should
-+ * change the state from _RESUMING to _RUNNING.
-+ *
-+ * reserved:
-+ * Reads on this field return zero and writes are ignored.
-+ *
-+ * pending_bytes: (read only)
-+ * The number of pending bytes still to be migrated from the vendor driver.
-+ *
-+ * data_offset: (read only)
-+ * The user application should read data_offset field from the migration
-+ * region. The user application should read the device data from this
-+ * offset within the migration region during the _SAVING state or write
-+ * the device data during the _RESUMING state. See below for details of
-+ * sequence to be followed.
-+ *
-+ * data_size: (read/write)
-+ * The user application should read data_size to get the size in bytes of
-+ * the data copied in the migration region during the _SAVING state and
-+ * write the size in bytes of the data copied in the migration region
-+ * during the _RESUMING state.
-+ *
-+ * The format of the migration region is as follows:
-+ * ------------------------------------------------------------------
-+ * |vfio_device_migration_info| data section |
-+ * | | /////////////////////////////// |
-+ * ------------------------------------------------------------------
-+ * ^ ^
-+ * offset 0-trapped part data_offset
-+ *
-+ * The structure vfio_device_migration_info is always followed by the data
-+ * section in the region, so data_offset will always be nonzero. The offset
-+ * from where the data is copied is decided by the kernel driver. The data
-+ * section can be trapped, mmapped, or partitioned, depending on how the kernel
-+ * driver defines the data section. The data section partition can be defined
-+ * as mapped by the sparse mmap capability. If mmapped, data_offset must be
-+ * page aligned, whereas initial section which contains the
-+ * vfio_device_migration_info structure, might not end at the offset, which is
-+ * page aligned. The user is not required to access through mmap regardless
-+ * of the capabilities of the region mmap.
-+ * The vendor driver should determine whether and how to partition the data
-+ * section. The vendor driver should return data_offset accordingly.
-+ *
-+ * The sequence to be followed while in pre-copy state and stop-and-copy state
-+ * is as follows:
-+ * a. Read pending_bytes, indicating the start of a new iteration to get device
-+ * data. Repeated read on pending_bytes at this stage should have no side
-+ * effects.
-+ * If pending_bytes == 0, the user application should not iterate to get data
-+ * for that device.
-+ * If pending_bytes > 0, perform the following steps.
-+ * b. Read data_offset, indicating that the vendor driver should make data
-+ * available through the data section. The vendor driver should return this
-+ * read operation only after data is available from (region + data_offset)
-+ * to (region + data_offset + data_size).
-+ * c. Read data_size, which is the amount of data in bytes available through
-+ * the migration region.
-+ * Read on data_offset and data_size should return the offset and size of
-+ * the current buffer if the user application reads data_offset and
-+ * data_size more than once here.
-+ * d. Read data_size bytes of data from (region + data_offset) from the
-+ * migration region.
-+ * e. Process the data.
-+ * f. Read pending_bytes, which indicates that the data from the previous
-+ * iteration has been read. If pending_bytes > 0, go to step b.
-+ *
-+ * The user application can transition from the _SAVING|_RUNNING
-+ * (pre-copy state) to the _SAVING (stop-and-copy) state regardless of the
-+ * number of pending bytes. The user application should iterate in _SAVING
-+ * (stop-and-copy) until pending_bytes is 0.
-+ *
-+ * The sequence to be followed while _RESUMING device state is as follows:
-+ * While data for this device is available, repeat the following steps:
-+ * a. Read data_offset from where the user application should write data.
-+ * b. Write migration data starting at the migration region + data_offset for
-+ * the length determined by data_size from the migration source.
-+ * c. Write data_size, which indicates to the vendor driver that data is
-+ * written in the migration region. Vendor driver must return this write
-+ * operations on consuming data. Vendor driver should apply the
-+ * user-provided migration region data to the device resume state.
-+ *
-+ * If an error occurs during the above sequences, the vendor driver can return
-+ * an error code for next read() or write() operation, which will terminate the
-+ * loop. The user application should then take the next necessary action, for
-+ * example, failing migration or terminating the user application.
-+ *
-+ * For the user application, data is opaque. The user application should write
-+ * data in the same order as the data is received and the data should be of
-+ * same transaction size at the source.
-+ */
-+
-+struct vfio_device_migration_info {
-+ __u32 device_state; /* VFIO device state */
-+#define VFIO_DEVICE_STATE_STOP (0)
-+#define VFIO_DEVICE_STATE_RUNNING (1 << 0)
-+#define VFIO_DEVICE_STATE_SAVING (1 << 1)
-+#define VFIO_DEVICE_STATE_RESUMING (1 << 2)
-+#define VFIO_DEVICE_STATE_MASK (VFIO_DEVICE_STATE_RUNNING | \
-+ VFIO_DEVICE_STATE_SAVING | \
-+ VFIO_DEVICE_STATE_RESUMING)
-+
-+#define VFIO_DEVICE_STATE_VALID(state) \
-+ (state & VFIO_DEVICE_STATE_RESUMING ? \
-+ (state & VFIO_DEVICE_STATE_MASK) == VFIO_DEVICE_STATE_RESUMING : 1)
-+
-+#define VFIO_DEVICE_STATE_IS_ERROR(state) \
-+ ((state & VFIO_DEVICE_STATE_MASK) == (VFIO_DEVICE_STATE_SAVING | \
-+ VFIO_DEVICE_STATE_RESUMING))
-+
-+#define VFIO_DEVICE_STATE_SET_ERROR(state) \
-+ ((state & ~VFIO_DEVICE_STATE_MASK) | VFIO_DEVICE_SATE_SAVING | \
-+ VFIO_DEVICE_STATE_RESUMING)
-+
-+ __u32 reserved;
-+ __u64 pending_bytes;
-+ __u64 data_offset;
-+ __u64 data_size;
-+};
-
- /*
- * The MSIX mappable capability informs that MSIX data of a BAR can be mmapped
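Review bot: VFIO_DEVICE_STATE_SET_ERROR references VFIO_DEVICE_SATE_SAVING, which is not defined anywhere in this hunk; the define is VFIO_DEVICE_STATE_SAVING. The macro expands without complaint until something uses it, at which point the build fails, so the first caller of the error path will be the one to find it. Fix the spelling in the macro. While touching these macros, the "state" argument should be parenthesized in VFIO_DEVICE_STATE_VALID, VFIO_DEVICE_STATE_IS_ERROR and VFIO_DEVICE_STATE_SET_ERROR, since "state & MASK" with an unparenthesized expression argument can bind differently than intended. The comment also spells the default state "_RUNNNG" in step 0 of the transition list.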
-@@ -577,6 +807,7 @@ enum {
-
- enum {
- VFIO_CCW_IO_IRQ_INDEX,
-+ VFIO_CCW_CRW_IRQ_INDEX,
- VFIO_CCW_NUM_IRQS
- };
-
-@@ -785,6 +1016,29 @@ struct vfio_iommu_type1_info_cap_iova_range {
- struct vfio_iova_range iova_ranges[];
- };
-
-+/*
-+ * The migration capability allows to report supported features for migration.
-+ *
-+ * The structures below define version 1 of this capability.
-+ *
-+ * The existence of this capability indicates that IOMMU kernel driver supports
-+ * dirty page logging.
-+ *
-+ * pgsize_bitmap: Kernel driver returns bitmap of supported page sizes for dirty
-+ * page logging.
-+ * max_dirty_bitmap_size: Kernel driver returns maximum supported dirty bitmap
-+ * size in bytes that can be used by user applications when getting the dirty
-+ * bitmap.
-+ */
-+#define VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION 1
-+
-+struct vfio_iommu_type1_info_cap_migration {
-+ struct vfio_info_cap_header header;
-+ __u32 flags;
-+ __u64 pgsize_bitmap;
-+ __u64 max_dirty_bitmap_size; /* in bytes */
-+};
-+
- #define VFIO_IOMMU_GET_INFO _IO(VFIO_TYPE, VFIO_BASE + 12)
-
- /**
-@@ -805,6 +1059,12 @@ struct vfio_iommu_type1_dma_map {
-
- #define VFIO_IOMMU_MAP_DMA _IO(VFIO_TYPE, VFIO_BASE + 13)
-
-+struct vfio_bitmap {
-+ __u64 pgsize; /* page size for bitmap in bytes */
-+ __u64 size; /* in bytes */
-+ __u64 *data; /* one bit per page */
-+};
-+
- /**
- * VFIO_IOMMU_UNMAP_DMA - _IOWR(VFIO_TYPE, VFIO_BASE + 14,
- * struct vfio_dma_unmap)
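Review bot: struct vfio_bitmap carries a raw pointer, "__u64 *data", in a structure that is passed through an ioctl. The size of that member, and therefore of the whole struct, depends on the pointer width of the calling process, so a 32-bit user application on a 64-bit kernel sees a different layout than a 64-bit one. Consider holding the user address in a fixed-width __u64 instead, or document next to the struct how the differing layout is handled. The comments on pgsize and size say "in bytes" but do not say whether size counts the bitmap buffer or the range it describes; the later VFIO_IOMMU_DIRTY_PAGES comment implies the buffer, and that should be stated here.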
-@@ -814,12 +1074,23 @@ struct vfio_iommu_type1_dma_map {
- * field. No guarantee is made to the user that arbitrary unmaps of iova
- * or size different from those used in the original mapping call will
- * succeed.
-+ * VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP should be set to get the dirty bitmap
-+ * before unmapping IO virtual addresses. When this flag is set, the user must
-+ * provide a struct vfio_bitmap in data[]. User must provide zero-allocated
-+ * memory via vfio_bitmap.data and its size in the vfio_bitmap.size field.
-+ * A bit in the bitmap represents one page, of user provided page size in
-+ * vfio_bitmap.pgsize field, consecutively starting from iova offset. Bit set
-+ * indicates that the page at that offset from iova is dirty. A Bitmap of the
-+ * pages in the range of unmapped size is returned in the user-provided
-+ * vfio_bitmap.data.
- */
- struct vfio_iommu_type1_dma_unmap {
- __u32 argsz;
- __u32 flags;
-+#define VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP (1 << 0)
- __u64 iova; /* IO virtual address */
- __u64 size; /* Size of mapping (bytes) */
-+ __u8 data[];
- };
-
- #define VFIO_IOMMU_UNMAP_DMA _IO(VFIO_TYPE, VFIO_BASE + 14)
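Review bot: The new text for VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP says the user "must provide a struct vfio_bitmap in data[]" but does not say what argsz must be in that case. The VFIO_IOMMU_DIRTY_PAGES comment later in this file spells out its argsz rule (include the trailing structure, exclude the bitmap itself); the unmap path needs the same sentence so callers and the driver agree on how much of data[] is valid to read. It would also be worth stating what happens to the bitmap contents if the unmap fails part way.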
-@@ -831,6 +1102,57 @@ struct vfio_iommu_type1_dma_unmap {
- #define VFIO_IOMMU_ENABLE _IO(VFIO_TYPE, VFIO_BASE + 15)
- #define VFIO_IOMMU_DISABLE _IO(VFIO_TYPE, VFIO_BASE + 16)
-
-+/**
-+ * VFIO_IOMMU_DIRTY_PAGES - _IOWR(VFIO_TYPE, VFIO_BASE + 17,
-+ * struct vfio_iommu_type1_dirty_bitmap)
-+ * IOCTL is used for dirty pages logging.
-+ * Caller should set flag depending on which operation to perform, details as
-+ * below:
-+ *
-+ * Calling the IOCTL with VFIO_IOMMU_DIRTY_PAGES_FLAG_START flag set, instructs
-+ * the IOMMU driver to log pages that are dirtied or potentially dirtied by
-+ * the device; designed to be used when a migration is in progress. Dirty pages
-+ * are logged until logging is disabled by user application by calling the IOCTL
-+ * with VFIO_IOMMU_DIRTY_PAGES_FLAG_STOP flag.
-+ *
-+ * Calling the IOCTL with VFIO_IOMMU_DIRTY_PAGES_FLAG_STOP flag set, instructs
-+ * the IOMMU driver to stop logging dirtied pages.
-+ *
-+ * Calling the IOCTL with VFIO_IOMMU_DIRTY_PAGES_FLAG_GET_BITMAP flag set
-+ * returns the dirty pages bitmap for IOMMU container for a given IOVA range.
-+ * The user must specify the IOVA range and the pgsize through the structure
-+ * vfio_iommu_type1_dirty_bitmap_get in the data[] portion. This interface
-+ * supports getting a bitmap of the smallest supported pgsize only and can be
-+ * modified in future to get a bitmap of any specified supported pgsize. The
-+ * user must provide a zeroed memory area for the bitmap memory and specify its
-+ * size in bitmap.size. One bit is used to represent one page consecutively
-+ * starting from iova offset. The user should provide page size in bitmap.pgsize
-+ * field. A bit set in the bitmap indicates that the page at that offset from
-+ * iova is dirty. The caller must set argsz to a value including the size of
-+ * structure vfio_iommu_type1_dirty_bitmap_get, but excluding the size of the
-+ * actual bitmap. If dirty pages logging is not enabled, an error will be
-+ * returned.
-+ *
-+ * Only one of the flags _START, _STOP and _GET may be specified at a time.
-+ *
-+ */
-+struct vfio_iommu_type1_dirty_bitmap {
-+ __u32 argsz;
-+ __u32 flags;
-+#define VFIO_IOMMU_DIRTY_PAGES_FLAG_START (1 << 0)
-+#define VFIO_IOMMU_DIRTY_PAGES_FLAG_STOP (1 << 1)
-+#define VFIO_IOMMU_DIRTY_PAGES_FLAG_GET_BITMAP (1 << 2)
-+ __u8 data[];
-+};
-+
-+struct vfio_iommu_type1_dirty_bitmap_get {
-+ __u64 iova; /* IO virtual address */
-+ __u64 size; /* Size of iova range */
-+ struct vfio_bitmap bitmap;
-+};
-+
-+#define VFIO_IOMMU_DIRTY_PAGES _IO(VFIO_TYPE, VFIO_BASE + 17)
-+
- /* -------- Additional API for SPAPR TCE (Server POWERPC) IOMMU -------- */
-
- /*
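Review bot: the documentation block and the definition disagree on the ioctl encoding. The comment introduces the request as `_IOWR(VFIO_TYPE, VFIO_BASE + 17, struct vfio_iommu_type1_dirty_bitmap)`, while the macro at the end of the hunk is `#define VFIO_IOMMU_DIRTY_PAGES _IO(VFIO_TYPE, VFIO_BASE + 17)`. These produce different request numbers, so one of them is wrong as written. Since this is an imported header, the comment should be brought in line with whatever the define actually is, so nobody builds the request from the comment. The comment also leaves the argsz rule for the _START and _STOP cases unstated; it only covers the _GET_BITMAP case.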
-diff --git a/linux-headers/linux/vfio_ccw.h b/linux-headers/linux/vfio_ccw.h
-index fcc3e69ef526444601cb22d1765a..516496f1d482674a4a5f66133cb7 100644
---- a/linux-headers/linux/vfio_ccw.h
-+++ b/linux-headers/linux/vfio_ccw.h
-@@ -34,4 +34,23 @@ struct ccw_cmd_region {
- __u32 ret_code;
- } __attribute__((packed));
-
-+/*
-+ * Used for processing commands that read the subchannel-information block
-+ * Reading this region triggers a stsch() to hardware
-+ * Note: this is controlled by a capability
-+ */
-+struct ccw_schib_region {
-+#define SCHIB_AREA_SIZE 52
-+ __u8 schib_area[SCHIB_AREA_SIZE];
-+} __attribute__((packed));
-+
-+/*
-+ * Used for returning a Channel Report Word to userspace.
-+ * Note: this is controlled by a capability
-+ */
-+struct ccw_crw_region {
-+ __u32 crw;
-+ __u32 pad;
-+} __attribute__((packed));
-+
- #endif
-diff --git a/linux-headers/linux/vhost.h b/linux-headers/linux/vhost.h
-index 9fe72e4b1373165d7a7aeff61410..0c2349612e776086a2ffd137d402 100644
---- a/linux-headers/linux/vhost.h
-+++ b/linux-headers/linux/vhost.h
-@@ -15,6 +15,8 @@
- #include <linux/types.h>
- #include <linux/ioctl.h>
-
-+#define VHOST_FILE_UNBIND -1
-+
- /* ioctls */
-
- #define VHOST_VIRTIO 0xAF
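Review bot: `#define VHOST_FILE_UNBIND -1` expands to an unparenthesized negative literal, which can change meaning when the macro is used inside a larger expression. Suggest `(-1)`, plus a one-line comment saying which ioctl argument takes this value, since nothing in the hunk says where it is meant to be passed.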
-@@ -140,4 +142,6 @@
- /* Get the max ring size. */
- #define VHOST_VDPA_GET_VRING_NUM _IOR(VHOST_VIRTIO, 0x76, __u16)
-
-+/* Set event fd for config interrupt*/
-+#define VHOST_VDPA_SET_CONFIG_CALL _IOW(VHOST_VIRTIO, 0x77, int)
- #endif
+++ /dev/null
-From: Alexander Graf <agraf@suse.de>
-Date: Thu, 1 Apr 2010 17:36:23 +0200
-Subject: Make char muxer more robust wrt small FIFOs
-
-Virtio-Console can only process one character at a time. Using it on S390
-gave me strage "lags" where I got the character I pressed before when
-pressing one. So I typed in "abc" and only received "a", then pressed "d"
-but the guest received "b" and so on.
-
-While the stdio driver calls a poll function that just processes on its
-queue in case virtio-console can't take multiple characters at once, the
-muxer does not have such callbacks, so it can't empty its queue.
-
-To work around that limitation, I introduced a new timer that only gets
-active when the guest can not receive any more characters. In that case
-it polls again after a while to check if the guest is now receiving input.
-
-This patch fixes input when using -nographic on s390 for me.
-
-[AF: Rebased for v2.7.0-rc2]
-[BR: minor edits to pass qemu's checkpatch script]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- chardev/char-fe.c | 1 +
- chardev/char-mux.c | 16 ++++++++++++++++
- chardev/char.c | 1 +
- include/chardev/char-mux.h | 3 +++
- tests/test-char.c | 1 +
- 5 files changed, 22 insertions(+)
-
-diff --git a/chardev/char-fe.c b/chardev/char-fe.c
-index f3530a90e6364d813097105b6113..f8aa0daf31692810efc7d5ca32eb 100644
---- a/chardev/char-fe.c
-+++ b/chardev/char-fe.c
-@@ -21,6 +21,7 @@
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-+#define HW_POISON_H /* avoid poison since we patch against rules it "enforces" */
- #include "qemu/osdep.h"
- #include "qemu/error-report.h"
- #include "qapi/error.h"
-diff --git a/chardev/char-mux.c b/chardev/char-mux.c
-index 200c62a0d08bd779de8efdc95aad..10acb4fce1d3bda0d9f818eeb5ee 100644
---- a/chardev/char-mux.c
-+++ b/chardev/char-mux.c
-@@ -22,6 +22,7 @@
- * THE SOFTWARE.
- */
-
-+#define HW_POISON_H /* avoid poison since we patch against rules it "enforces" */
- #include "qemu/osdep.h"
- #include "qapi/error.h"
- #include "qemu/module.h"
-@@ -191,6 +192,17 @@ static void mux_chr_accept_input(Chardev *chr)
- be->chr_read(be->opaque,
- &d->buffer[m][d->cons[m]++ & MUX_BUFFER_MASK], 1);
- }
-+
-+#if defined(TARGET_S390X)
-+ /*
-+ * We're still not able to sync producer and consumer, so let's wait a bit
-+ * and try again by then.
-+ */
-+ if (d->prod[m] != d->cons[m]) {
-+ qemu_mod_timer(d->accept_timer, qemu_get_clock_ns(vm_clock)
-+ + (int64_t)100000);
-+ }
-+#endif
- }
-
- static int mux_chr_can_read(void *opaque)
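Review bot: the retry delay in the added block is a bare literal, `(int64_t)100000`, added to a nanosecond clock value. Suggest a named constant that carries the unit (100 microseconds) and a comment on why that interval was chosen. The comment text "try again by then" is also unclear; "try again later" would say what the code does. Each firing re-enters mux_chr_accept_input() and re-arms the timer for as long as `d->prod[m] != d->cons[m]`, so it would help to state in the comment that this polls until the frontend drains the buffer.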
-@@ -325,6 +337,10 @@ static void qemu_chr_open_mux(Chardev *chr,
- }
-
- d->focus = -1;
-+#if defined(TARGET_S390X)
-+ d->accept_timer = qemu_new_timer_ns(vm_clock,
-+ (QEMUTimerCB *)mux_chr_accept_input, chr);
-+#endif
- /* only default to opened state if we've realized the initial
- * set of muxes
- */
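Review bot: the timer callback is registered with a function pointer cast, `(QEMUTimerCB *)mux_chr_accept_input`, but mux_chr_accept_input() is declared as taking `Chardev *chr`, not the `void *opaque` that a timer callback receives. Calling a function through an incompatible pointer type is undefined behaviour even when it happens to work on the target ABI. Suggest a small static wrapper that takes `void *opaque` and forwards to mux_chr_accept_input(). Separately, the diffstat shows only additions to char-mux.c and none of them deletes or frees `d->accept_timer`, so a pending timer can outlive the chardev and fire with a stale `chr`; the teardown path needs a matching delete.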
-diff --git a/chardev/char.c b/chardev/char.c
-index 7b6b2cb12300042c6adf257e188c..d2134d72f60e58f35ee9e7869db4 100644
---- a/chardev/char.c
-+++ b/chardev/char.c
-@@ -22,6 +22,7 @@
- * THE SOFTWARE.
- */
-
-+#define HW_POISON_H /* avoid poison since we patch against rules it "enforces" */
- #include "qemu/osdep.h"
- #include "qemu/cutils.h"
- #include "monitor/monitor.h"
-diff --git a/include/chardev/char-mux.h b/include/chardev/char-mux.h
-index 572cefd517c8fa9d605cbd10fc21..6e80785bd9c12b85e747fa9f924e 100644
---- a/include/chardev/char-mux.h
-+++ b/include/chardev/char-mux.h
-@@ -34,6 +34,9 @@ typedef struct MuxChardev {
- Chardev parent;
- CharBackend *backends[MAX_MUX];
- CharBackend chr;
-+#if defined(TARGET_S390X)
-+ QEMUTimer *accept_timer;
-+#endif
- int focus;
- int mux_cnt;
- int term_got_escape;
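Review bot: wrapping `QEMUTimer *accept_timer` in `#if defined(TARGET_S390X)` makes the layout of MuxChardev depend on a per-target macro in a header that this same patch shows being pulled into char-fe.c, char.c and tests/test-char.c. Any translation unit that sees the header without TARGET_S390X defined gets a struct with different member offsets for `focus` and everything after it. The patch already has to define HW_POISON_H in four files to get the macro past the poison check. Declaring the member unconditionally would remove the layout hazard and the need for those overrides; only the code that arms the timer needs to stay conditional.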
-diff --git a/tests/test-char.c b/tests/test-char.c
-index 45e42af290d4c55c0d8ed9358ef2..8e8c983dc0adce3dea739c9d85fc 100644
---- a/tests/test-char.c
-+++ b/tests/test-char.c
-@@ -1,3 +1,4 @@
-+#define HW_POISON_H /* avoid poison since we patch against rules it "enforces" */
- #include "qemu/osdep.h"
- #include <glib/gstdio.h>
-
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Thu, 25 Jan 2018 14:16:10 -0700
-Subject: Make installed scripts explicitly python3
-
-References: bsc#1077564
-
-We want to explicitly reference python3 in the scripts we install.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- scripts/analyze-migration.py | 2 +-
- scripts/vmstate-static-checker.py | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/scripts/analyze-migration.py b/scripts/analyze-migration.py
-index e527eb168e9ce7c3944094ec6701..fd376eac71f73e6366a9e17a1c51 100755
---- a/scripts/analyze-migration.py
-+++ b/scripts/analyze-migration.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/python3
- #
- # Migration Stream Analyzer
- #
-diff --git a/scripts/vmstate-static-checker.py b/scripts/vmstate-static-checker.py
-index f8b7b8f77252f2c03d6d7db9dc60..754159069dfae6838edaac14856f 100755
---- a/scripts/vmstate-static-checker.py
-+++ b/scripts/vmstate-static-checker.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
- #
- # Compares vmstate information stored in JSON format, obtained from
- # the -dump-vmstate QEMU command.
+++ /dev/null
-From: =?UTF-8?q?Stefan=20Br=C3=BCns?= <stefan.bruens@rwth-aachen.de>
-Date: Mon, 5 Aug 2019 20:03:11 +0000
-Subject: Make keycode-gen output reproducible (use SOURCE_DATE_EPOCH
- timestamp)
-
-Signed-off-by: Bruce Rogers <brogers@suse.com
----
- tools/keymap-gen | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/ui/keycodemapdb/tools/keymap-gen b/ui/keycodemapdb/tools/keymap-gen
-index f0269e3cabf57881bb41e2333143..a374eb255fb3c55b65b475e86461 100755
---- a/ui/keycodemapdb/tools/keymap-gen
-+++ b/ui/keycodemapdb/tools/keymap-gen
-@@ -20,6 +20,7 @@ except:
- sys.path.append(os.path.join(os.path.dirname(__file__), "../thirdparty"))
- import argparse
- import hashlib
-+import os
- import time
- import sys
-
-@@ -317,7 +318,11 @@ class LanguageGenerator(object):
- raise NotImplementedError()
-
- def generate_header(self, database, args):
-- today = time.strftime("%Y-%m-%d %H:%M")
-+ sde = os.getenv("SOURCE_DATE_EPOCH")
-+ if sde:
-+ today = time.strftime("%Y-%m-%d %H:%M", time.gmtime(int(sde)))
-+ else:
-+ today = time.strftime("%Y-%m-%d %H:%M")
- self._boilerplate([
- "This file is auto-generated from keymaps.csv on %s" % today,
- "Database checksum sha256(%s)" % database.mapchecksum,
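Review bot: `int(sde)` in generate_header() is unguarded, so a SOURCE_DATE_EPOCH that is set but not a plain integer aborts the generator with a ValueError traceback. Suggest catching ValueError and either failing with a clear message or falling back to the current time. The `if sde:` test also treats an empty string as unset, which is fine but worth a comment. Using time.gmtime() in the reproducible branch and local time in the other means the two branches format in different time zones; consider gmtime in both so the header reads the same way regardless of which path produced it.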
+++ /dev/null
-From: Alexander Graf <agraf@suse.de>
-Date: Fri, 6 Jan 2012 01:05:55 +0100
-Subject: PPC: KVM: Disable mmu notifier check
-
-When using hugetlbfs (which is required for HV mode KVM on 970), we
-check for MMU notifiers that on 970 can not be implemented properly.
-
-So disable the check for mmu notifiers on PowerPC guests, making
-KVM guests work there, even if possibly racy in some odd circumstances.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- exec.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/exec.c b/exec.c
-index a240e3d338a32fb46b1dfe66d4af..ecd6f380f2d928e302cebc41f1c2 100644
---- a/exec.c
-+++ b/exec.c
-@@ -2291,11 +2291,13 @@ RAMBlock *qemu_ram_alloc_from_fd(ram_addr_t size, MemoryRegion *mr,
- return NULL;
- }
-
-+#ifndef TARGET_PPC
- if (kvm_enabled() && !kvm_has_sync_mmu()) {
- error_setg(errp,
- "host lacks kvm mmu notifiers, -mem-path unsupported");
- return NULL;
- }
-+#endif
-
- if (phys_mem_alloc != qemu_anon_ram_alloc) {
- /*
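Review bot: the `#ifndef TARGET_PPC` guard removes the `kvm_has_sync_mmu()` check at compile time for every PowerPC target build, while the commit message justifies it only for hugetlbfs on 970 hosts and admits the result is "possibly racy". Nothing at the call site records that. Suggest a comment directly above the `#ifndef` stating which host case needs the exemption and what safety property is lost, and, if the affected host can be detected at run time, narrowing the exemption to that case so other PowerPC hosts without MMU notifiers still get the error.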
+++ /dev/null
-From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
-Date: Sun, 15 Jan 2012 19:53:49 +0100
-Subject: Raise soft address space limit to hard limit
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-For SLES we want users to be able to use large memory configurations
-with KVM without fiddling with ulimit -Sv.
-
-Signed-off-by: Andreas Färber <afaerber@suse.de>
-[BR: add include for sys/resource.h]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- vl.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/vl.c b/vl.c
-index bf0a6345d2394ad25adfe53c4006..68de8184f91c6ef3903859c70526 100644
---- a/vl.c
-+++ b/vl.c
-@@ -33,6 +33,7 @@
- #include "qemu/uuid.h"
- #include "sysemu/reset.h"
- #include "sysemu/runstate.h"
-+#include <sys/resource.h>
- #include "sysemu/seccomp.h"
- #include "sysemu/tcg.h"
-
-@@ -2863,6 +2864,7 @@ int main(int argc, char **argv, char **envp)
- char *dir, **dirs;
- BlockdevOptionsQueue bdo_queue = QSIMPLEQ_HEAD_INITIALIZER(bdo_queue);
- QemuPluginList plugin_list = QTAILQ_HEAD_INITIALIZER(plugin_list);
-+ struct rlimit rlimit_as;
-
- os_set_line_buffering();
-
-@@ -2874,6 +2876,16 @@ int main(int argc, char **argv, char **envp)
-
- qemu_mutex_lock_iothread();
-
-+ /*
-+ * Try to raise the soft address space limit.
-+ * Default on SLES 11 SP2 is 80% of physical+swap memory.
-+ */
-+ getrlimit(RLIMIT_AS, &rlimit_as);
-+ if (rlimit_as.rlim_cur < rlimit_as.rlim_max) {
-+ rlimit_as.rlim_cur = rlimit_as.rlim_max;
-+ setrlimit(RLIMIT_AS, &rlimit_as);
-+ }
-+
- atexit(qemu_run_exit_notifiers);
- qemu_init_exec_dir(argv[0]);
-
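Review bot: the return values of `getrlimit(RLIMIT_AS, &rlimit_as)` and `setrlimit(RLIMIT_AS, &rlimit_as)` are both ignored in the added block. If getrlimit() fails, `rlimit_as` is read uninitialized in the `rlim_cur < rlim_max` comparison and may then be passed to setrlimit(). Suggest skipping the block when getrlimit() returns non-zero and at least logging a warning when setrlimit() fails. It is also worth a sentence in the comment that this deliberately overrides a soft limit an administrator may have set on purpose, since the raise is unconditional and there is no option to turn it off.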
+++ /dev/null
-From: Liang Yan <lyan@suse.com>
-Date: Tue, 19 Jan 2021 11:01:26 -0500
-Subject: Revert meson build file back to Make.objs
-
-References: bsc#1179719
-
-Related commits: cd7498d07fbb 77280d33bc9c
-
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- hw/s390x/Makefile.objs | 1 +
- include/hw/s390x/s390-pci-vfio.h | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/hw/s390x/Makefile.objs b/hw/s390x/Makefile.objs
-index a46a1c7894e0f612a2d74cec74f6..37c071d78533bb326d7e25e757e0 100644
---- a/hw/s390x/Makefile.objs
-+++ b/hw/s390x/Makefile.objs
-@@ -35,3 +35,4 @@ obj-$(CONFIG_KVM) += pv.o
- obj-y += s390-ccw.o
- obj-y += ap-device.o
- obj-y += ap-bridge.o
-+obj-$(CONFIG_VFIO) += s390-pci-vfio.o
-diff --git a/include/hw/s390x/s390-pci-vfio.h b/include/hw/s390x/s390-pci-vfio.h
-index a99499851f048ab04c2c1b45a4a2..55db22a9541812a1e7ba66d5dea3 100644
---- a/include/hw/s390x/s390-pci-vfio.h
-+++ b/include/hw/s390x/s390-pci-vfio.h
-@@ -13,6 +13,7 @@
- #define HW_S390_PCI_VFIO_H
-
- #include "hw/s390x/s390-pci-bus.h"
-+#include "config-devices.h"
-
- #ifdef CONFIG_VFIO
- bool s390_pci_update_dma_avail(int fd, unsigned int *avail);
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Fri, 3 Nov 2017 11:12:40 -0600
-Subject: Switch order of libraries for mpath support
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- Makefile | 2 +-
- configure | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index b437a346d71a55d75f207f36e85b..52881cbb12e7d980e0ed51f21174 100644
---- a/Makefile
-+++ b/Makefile
-@@ -579,7 +579,7 @@ fsdev/virtfs-proxy-helper$(EXESUF): LIBS += -lcap
-
- scsi/qemu-pr-helper$(EXESUF): scsi/qemu-pr-helper.o scsi/utils.o $(authz-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS)
- ifdef CONFIG_MPATH
--scsi/qemu-pr-helper$(EXESUF): LIBS += -ludev -lmultipath -lmpathpersist
-+scsi/qemu-pr-helper$(EXESUF): LIBS += -ludev -lmpathpersist -lmultipath
- endif
-
- qemu-img-cmds.h: $(SRC_PATH)/qemu-img-cmds.hx $(SRC_PATH)/scripts/hxtool
-diff --git a/configure b/configure
-index 6099be1d848c7f52ea02694d6d86..09a33aecfd6ef543eeee8c5023b6 100755
---- a/configure
-+++ b/configure
-@@ -3836,7 +3836,7 @@ int main(void) {
- return 0;
- }
- EOF
-- if compile_prog "" "-ludev -lmultipath -lmpathpersist" ; then
-+ if compile_prog "" "-ludev -lmpathpersist -lmultipath" ; then
- mpathpersist=yes
- mpathpersist_new_api=yes
- else
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Tue, 25 Feb 2020 06:09:23 -0500
-Subject: Sync pv
-
-References: bsc#1167075
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-(cherry picked from commit 6807f464961cfee1dd81c95e22ddd91fa352fcc4)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- linux-headers/linux/kvm.h | 49 +++++++++++++++++++++++++++++++++++++--
- 1 file changed, 47 insertions(+), 2 deletions(-)
-
-diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
-index 4ec5f9464c650dda5bdda131f6ba..11d7e7dc25b51b7a2ae99c78b870 100644
---- a/linux-headers/linux/kvm.h
-+++ b/linux-headers/linux/kvm.h
-@@ -500,12 +500,17 @@ struct kvm_s390_mem_op {
- __u32 size; /* amount of bytes */
- __u32 op; /* type of operation */
- __u64 buf; /* buffer in userspace */
-- __u8 ar; /* the access register number */
-- __u8 reserved[31]; /* should be set to 0 */
-+ union {
-+ __u8 ar; /* the access register number */
-+ __u32 sida_offset; /* offset into the sida */
-+ __u8 reserved[32]; /* should be set to 0 */
-+ };
- };
- /* types for kvm_s390_mem_op->op */
- #define KVM_S390_MEMOP_LOGICAL_READ 0
- #define KVM_S390_MEMOP_LOGICAL_WRITE 1
-+#define KVM_S390_MEMOP_SIDA_READ 2
-+#define KVM_S390_MEMOP_SIDA_WRITE 3
- /* flags for kvm_s390_mem_op->flags */
- #define KVM_S390_MEMOP_F_CHECK_ONLY (1ULL << 0)
- #define KVM_S390_MEMOP_F_INJECT_EXCEPTION (1ULL << 1)
-@@ -1036,6 +1041,7 @@ struct kvm_ppc_resize_hpt {
- #define KVM_CAP_PPC_GUEST_DEBUG_SSTEP 176
- #define KVM_CAP_ARM_NISV_TO_USER 177
- #define KVM_CAP_ARM_INJECT_EXT_DABT 178
-+#define KVM_CAP_S390_VCPU_RESETS 179
- #define KVM_CAP_S390_PROTECTED 180
- #define KVM_CAP_PPC_SECURE_GUEST 181
- #define KVM_CAP_HALT_POLL 182
-@@ -1511,6 +1517,45 @@ struct kvm_enc_region {
- /* Available with KVM_CAP_ARM_SVE */
- #define KVM_ARM_VCPU_FINALIZE _IOW(KVMIO, 0xc2, int)
-
-+/* Available with KVM_CAP_S390_VCPU_RESETS */
-+#define KVM_S390_NORMAL_RESET _IO(KVMIO, 0xc3)
-+#define KVM_S390_CLEAR_RESET _IO(KVMIO, 0xc4)
-+
-+struct kvm_s390_pv_sec_parm {
-+ __u64 origin;
-+ __u64 length;
-+};
-+
-+struct kvm_s390_pv_unp {
-+ __u64 addr;
-+ __u64 size;
-+ __u64 tweak;
-+};
-+
-+enum pv_cmd_id {
-+ KVM_PV_ENABLE,
-+ KVM_PV_DISABLE,
-+ KVM_PV_VM_SET_SEC_PARMS,
-+ KVM_PV_VM_UNPACK,
-+ KVM_PV_VM_VERIFY,
-+ KVM_PV_VM_PREP_RESET,
-+ KVM_PV_VM_UNSHARE_ALL,
-+ KVM_PV_VCPU_CREATE,
-+ KVM_PV_VCPU_DESTROY,
-+};
-+
-+struct kvm_pv_cmd {
-+ __u32 cmd; /* Command to be executed */
-+ __u16 rc; /* Ultravisor return code */
-+ __u16 rrc; /* Ultravisor return reason code */
-+ __u64 data; /* Data or address */
-+ __u32 flags; /* flags for future extensions. Must be 0 for now */
-+ __u32 reserved[3];
-+};
-+
-+/* Available with KVM_CAP_S390_PROTECTED */
-+#define KVM_S390_PV_COMMAND _IOWR(KVMIO, 0xc5, struct kvm_pv_cmd)
-+
- /* Available with KVM_CAP_X86_MSR_FILTER */
- #define KVM_X86_SET_MSR_FILTER _IOW(KVMIO, 0xc6, struct kvm_msr_filter)
-
+++ /dev/null
-From: Valentine Barshak <gvaxon@gmail.com>
-Date: Mon, 22 Jul 2019 10:47:50 +0100
-Subject: Workaround compilation error with gcc 9.1
-
-References: bsc#1121464
-
-Compiling with gcc 9.1 generates lots of "taking address of packed
-member of ... may result in an unaligned pointer value" warnings.
-
-Some of these warnings are genuine, and indicate correctly that parts
-of iPXE currently require the CPU (or runtime environment) to support
-unaligned accesses. For example: the TCP/IP receive data path will
-attempt to access 32-bit fields that may not be aligned to a 32-bit
-boundary.
-
-Other warnings are either spurious (such as when the pointer is to a
-variable-length byte array, which can have no alignment requirement
-anyway) or unhelpful (such as when the pointer is used solely to
-provide a debug colour value for the DBGC() macro).
-
-There appears to be no easy way to silence the spurious warnings.
-Since the ability to perform unaligned accesses is already a
-requirement for iPXE, work around the problem by silencing this class
-of warnings.
-
-Signed-off-by: Valentine Barshak <gvaxon@gmail.com>
-Modified-by: Michael Brown <mcb30@ipxe.org>
-Signed-off-by: Michael Brown <mcb30@ipxe.org>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- src/Makefile.housekeeping | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping
-index 97fa325bb52314e05192d0414436..e5f6927de889167d286ccfcdda92 100644
---- a/roms/ipxe/src/Makefile.housekeeping
-+++ b/roms/ipxe/src/Makefile.housekeeping
-@@ -185,6 +185,15 @@ WNST_TEST = $(CC) -Wstringop-truncation -x c -c /dev/null -o /dev/null \
- >/dev/null 2>&1
- WNST_FLAGS := $(shell $(WNST_TEST) && $(ECHO) '-Wno-stringop-truncation')
- WORKAROUND_CFLAGS += $(WNST_FLAGS)
-+
-+# gcc 9.1 generates warnings for taking address of packed member which
-+# may result in an unaligned pointer value. Inhibit the warnings.
-+#
-+WNAPM_TEST = $(CC) -Wno-address-of-packed-member -x c -c /dev/null \
-+ -o /dev/null >/dev/null 2>&1
-+WNAPM_FLAGS := $(shell $(WNAPM_TEST) && \
-+ $(ECHO) '-Wno-address-of-packed-member')
-+WORKAROUND_CFLAGS += $(WNAPM_FLAGS)
- endif
-
- # Some versions of gas choke on division operators, treating them as
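Review bot: WNAPM_TEST probes the negated form, `$(CC) -Wno-address-of-packed-member`, whereas the WNST_TEST just above probes the positive form `-Wstringop-truncation` and then adds the `-Wno-` variant. GCC accepts unrecognized `-Wno-*` options without an error unless another diagnostic is emitted, so this probe succeeds on GCC versions that do not know the warning and does not actually detect support. Suggest probing `-Waddress-of-packed-member` for consistency with WNST_TEST. The comment should also record, as the commit message does, that some of the silenced warnings are genuine unaligned accesses, so the flag is not mistaken for a purely cosmetic one.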
+++ /dev/null
-From: Alexander Graf <agraf@suse.de>
-Date: Mon, 21 Nov 2011 23:50:36 +0100
-Subject: XXX dont dump core on sigabort
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- linux-user/signal.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/linux-user/signal.c b/linux-user/signal.c
-index 5ca6d62b15d3e4d3faee3f554fff..1d6382ce881795b057ab229e4129 100644
---- a/linux-user/signal.c
-+++ b/linux-user/signal.c
-@@ -581,6 +581,10 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig)
- trace_user_force_sig(env, target_sig, host_sig);
- gdb_signalled(env, target_sig);
-
-+ if (target_sig == 6) {
-+ goto no_core;
-+ }
-+
- /* dump core if supported by target binary format */
- if (core_dump_signal(target_sig) && (ts->bprm->core_dump != NULL)) {
- stop_all_tasks();
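Review bot: `if (target_sig == 6)` uses a bare signal number. Suggest TARGET_SIGABRT so the intent is readable and the test does not depend on the numeric value. There is no comment at the site and the commit message (subject prefixed "XXX", no body) gives no reason for skipping the dump, so a reader cannot tell whether this is a temporary hack or intended policy. Since abort() is what assertion failures raise, this jump discards the core file for exactly the crashes where it is most useful for post-mortem analysis; please document why that is acceptable here.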
-@@ -598,6 +602,8 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig)
- target_sig, strsignal(host_sig), "core dumped" );
- }
-
-+no_core:
-+
- /* The proper exit code for dying from an uncaught signal is
- * -<signal>. The kernel doesn't allow exit() or _exit() to pass
- * a negative value. To get the proper exit code we need to
+++ /dev/null
-From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
-Date: Wed, 31 Jul 2013 17:32:35 +0200
-Subject: acpi_piix4: Fix migration from SLE11 SP2
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-References: bnc#812836
-
-qemu-kvm 0.15 uses the same GPE format as qemu 1.4, but as version 2
-rather than 3.
-
-Signed-off-by: Andreas Färber <afaerber@suse.de>
----
- hw/acpi/piix4.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
-index 93aec2dd2ce1767784076c3544b0..1f2a8ea850e9115b689af90bf708 100644
---- a/hw/acpi/piix4.c
-+++ b/hw/acpi/piix4.c
-@@ -273,7 +273,7 @@ static bool piix4_vmstate_need_smbus(void *opaque, int version_id)
- static const VMStateDescription vmstate_acpi = {
- .name = "piix4_pm",
- .version_id = 3,
-- .minimum_version_id = 3,
-+ .minimum_version_id = 2, /* qemu-kvm */
- .post_load = vmstate_acpi_post_load,
- .fields = (VMStateField[]) {
- VMSTATE_PCI_DEVICE(parent_obj, PIIX4PMState),
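Review bot: lowering `.minimum_version_id` to 2 widens the set of incoming migration streams this device accepts, and the only in-code justification is the comment `/* qemu-kvm */`. The hunk header shows a version-dependent predicate, `piix4_vmstate_need_smbus(void *opaque, int version_id)`, so field handling in this description does vary by version. Suggest expanding the comment to say what the commit message says (qemu-kvm 0.15 emits the same GPE format under version 2) and confirming that every entry in `.fields` and every `version_id` test in the file parses a version 2 stream to the same layout, since the loader will now run them on input it used to reject.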
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 7 Apr 2020 10:07:45 -0400
-Subject: aio-wait: delegate polling of main AioContext if BQL not held
-
-Git-commit: 3c18a92dc4b55ca8cc37a755ed119f11c0f34099
-
-Any thread that is not a iothread returns NULL for qemu_get_current_aio_context().
-As a result, it would also return true for
-in_aio_context_home_thread(qemu_get_aio_context()), causing
-AIO_WAIT_WHILE to invoke aio_poll() directly. This is incorrect
-if the BQL is not held, because aio_poll() does not expect to
-run concurrently from multiple threads, and it can actually
-happen when savevm writes to the vmstate file from the
-migration thread.
-
-Therefore, restrict in_aio_context_home_thread to return true
-for the main AioContext only if the BQL is held.
-
-The function is moved to aio-wait.h because it is mostly used
-there and to avoid a circular reference between main-loop.h
-and block/aio.h.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-Id: <20200407140746.8041-5-pbonzini@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- include/block/aio-wait.h | 22 ++++++++++++++++++++++
- include/block/aio.h | 29 ++++++++++-------------------
- 2 files changed, 32 insertions(+), 19 deletions(-)
-
-diff --git a/include/block/aio-wait.h b/include/block/aio-wait.h
-index afeeb18f95ebb593982b5d3f8917..716d2639df708f03e3f29d68315b 100644
---- a/include/block/aio-wait.h
-+++ b/include/block/aio-wait.h
-@@ -26,6 +26,7 @@
- #define QEMU_AIO_WAIT_H
-
- #include "block/aio.h"
-+#include "qemu/main-loop.h"
-
- /**
- * AioWait:
-@@ -124,4 +125,25 @@ void aio_wait_kick(void);
- */
- void aio_wait_bh_oneshot(AioContext *ctx, QEMUBHFunc *cb, void *opaque);
-
-+/**
-+ * in_aio_context_home_thread:
-+ * @ctx: the aio context
-+ *
-+ * Return whether we are running in the thread that normally runs @ctx. Note
-+ * that acquiring/releasing ctx does not affect the outcome, each AioContext
-+ * still only has one home thread that is responsible for running it.
-+ */
-+static inline bool in_aio_context_home_thread(AioContext *ctx)
-+{
-+ if (ctx == qemu_get_current_aio_context()) {
-+ return true;
-+ }
-+
-+ if (ctx == qemu_get_aio_context()) {
-+ return qemu_mutex_iothread_locked();
-+ } else {
-+ return false;
-+ }
-+}
-+
- #endif /* QEMU_AIO_WAIT_H */
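Review bot: the doc comment on the moved in_aio_context_home_thread() was copied unchanged and no longer describes the function. It still says the result is whether we are in the thread that normally runs @ctx, but for the main AioContext the new body returns `qemu_mutex_iothread_locked()`, so the answer now depends on whether the caller holds the BQL. Suggest adding that to the comment, together with the reason given in the commit message (aio_poll() must not run concurrently from multiple threads), because callers that assert on this function need to know the precondition. The trailing `else { return false; }` after a return can also be flattened.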
-diff --git a/include/block/aio.h b/include/block/aio.h
-index 6b0d52f732b86caef07602281574..9d28e247df7f0d3a556644fcd9d1 100644
---- a/include/block/aio.h
-+++ b/include/block/aio.h
-@@ -60,12 +60,16 @@ struct AioContext {
- QLIST_HEAD(, AioHandler) aio_handlers;
-
- /* Used to avoid unnecessary event_notifier_set calls in aio_notify;
-- * accessed with atomic primitives. If this field is 0, everything
-- * (file descriptors, bottom halves, timers) will be re-evaluated
-- * before the next blocking poll(), thus the event_notifier_set call
-- * can be skipped. If it is non-zero, you may need to wake up a
-- * concurrent aio_poll or the glib main event loop, making
-- * event_notifier_set necessary.
-+ * only written from the AioContext home thread, or under the BQL in
-+ * the case of the main AioContext. However, it is read from any
-+ * thread so it is still accessed with atomic primitives.
-+ *
-+ * If this field is 0, everything (file descriptors, bottom halves,
-+ * timers) will be re-evaluated before the next blocking poll() or
-+ * io_uring wait; therefore, the event_notifier_set call can be
-+ * skipped. If it is non-zero, you may need to wake up a concurrent
-+ * aio_poll or the glib main event loop, making event_notifier_set
-+ * necessary.
- *
- * Bit 0 is reserved for GSource usage of the AioContext, and is 1
- * between a call to aio_ctx_prepare and the next call to aio_ctx_check.
-@@ -580,19 +584,6 @@ void aio_co_enter(AioContext *ctx, struct Coroutine *co);
- */
- AioContext *qemu_get_current_aio_context(void);
-
--/**
-- * in_aio_context_home_thread:
-- * @ctx: the aio context
-- *
-- * Return whether we are running in the thread that normally runs @ctx. Note
-- * that acquiring/releasing ctx does not affect the outcome, each AioContext
-- * still only has one home thread that is responsible for running it.
-- */
--static inline bool in_aio_context_home_thread(AioContext *ctx)
--{
-- return ctx == qemu_get_current_aio_context();
--}
--
- /**
- * aio_context_setup:
- * @ctx: the aio context
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 7 Apr 2020 10:07:46 -0400
-Subject: async: use explicit memory barriers
-
-Git-commit: 5710a3e09f9b85801e5ce70797a4a511e5fc9e2c
-
-When using C11 atomics, non-seqcst reads and writes do not participate
-in the total order of seqcst operations. In util/async.c and util/aio-posix.c,
-in particular, the pattern that we use
-
- write ctx->notify_me write bh->scheduled
- read bh->scheduled read ctx->notify_me
- if !bh->scheduled, sleep if ctx->notify_me, notify
-
-needs to use seqcst operations for both the write and the read. In
-general this is something that we do not want, because there can be
-many sources that are polled in addition to bottom halves. The
-alternative is to place a seqcst memory barrier between the write
-and the read. This also comes with a disadvantage, in that the
-memory barrier is implicit on strongly-ordered architectures and
-it wastes a few dozen clock cycles.
-
-Fortunately, ctx->notify_me is never written concurrently by two
-threads, so we can assert that and relax the writes to ctx->notify_me.
-The resulting solution works and performs well on both aarch64 and x86.
-
-Note that the atomic_set/atomic_read combination is not an atomic
-read-modify-write, and therefore it is even weaker than C11 ATOMIC_RELAXED;
-on x86, ATOMIC_RELAXED compiles to a locked operation.
-
-Analyzed-by: Ying Fang <fangying1@huawei.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Tested-by: Ying Fang <fangying1@huawei.com>
-Message-Id: <20200407140746.8041-6-pbonzini@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- util/aio-posix.c | 16 ++++++++++++++--
- util/aio-win32.c | 17 ++++++++++++++---
- util/async.c | 16 ++++++++++++----
- 3 files changed, 40 insertions(+), 9 deletions(-)
-
-diff --git a/util/aio-posix.c b/util/aio-posix.c
-index a4977f538ef28d56178267a1795c..fe2a46c439fa1505f5f688274566 100644
---- a/util/aio-posix.c
-+++ b/util/aio-posix.c
-@@ -616,6 +616,11 @@ bool aio_poll(AioContext *ctx, bool blocking)
- int64_t timeout;
- int64_t start = 0;
-
-+ /*
-+ * There cannot be two concurrent aio_poll calls for the same AioContext (or
-+ * an aio_poll concurrent with a GSource prepare/check/dispatch callback).
-+ * We rely on this below to avoid slow locked accesses to ctx->notify_me.
-+ */
- assert(in_aio_context_home_thread(ctx));
-
- /* aio_notify can avoid the expensive event_notifier_set if
-@@ -626,7 +631,13 @@ bool aio_poll(AioContext *ctx, bool blocking)
- * so disable the optimization now.
- */
- if (blocking) {
-- atomic_add(&ctx->notify_me, 2);
-+ atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) + 2);
-+ /*
-+ * Write ctx->notify_me before computing the timeout
-+ * (reading bottom half flags, etc.). Pairs with
-+ * smp_mb in aio_notify().
-+ */
-+ smp_mb();
- }
-
- qemu_lockcnt_inc(&ctx->list_lock);
-@@ -671,7 +682,8 @@ bool aio_poll(AioContext *ctx, bool blocking)
- }
-
- if (blocking) {
-- atomic_sub(&ctx->notify_me, 2);
-+ /* Finish the poll before clearing the flag. */
-+ atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) - 2);
- aio_notify_accept(ctx);
- }
-
-diff --git a/util/aio-win32.c b/util/aio-win32.c
-index a23b9c364db3a764a3e00c6b62e9..729d533faf4d807e0a5388edd2af 100644
---- a/util/aio-win32.c
-+++ b/util/aio-win32.c
-@@ -321,6 +321,12 @@ bool aio_poll(AioContext *ctx, bool blocking)
- int count;
- int timeout;
-
-+ /*
-+ * There cannot be two concurrent aio_poll calls for the same AioContext (or
-+ * an aio_poll concurrent with a GSource prepare/check/dispatch callback).
-+ * We rely on this below to avoid slow locked accesses to ctx->notify_me.
-+ */
-+ assert(in_aio_context_home_thread(ctx));
- progress = false;
-
- /* aio_notify can avoid the expensive event_notifier_set if
-@@ -331,7 +337,13 @@ bool aio_poll(AioContext *ctx, bool blocking)
- * so disable the optimization now.
- */
- if (blocking) {
-- atomic_add(&ctx->notify_me, 2);
-+ atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) + 2);
-+ /*
-+ * Write ctx->notify_me before computing the timeout
-+ * (reading bottom half flags, etc.). Pairs with
-+ * smp_mb in aio_notify().
-+ */
-+ smp_mb();
- }
-
- qemu_lockcnt_inc(&ctx->list_lock);
-@@ -364,8 +376,7 @@ bool aio_poll(AioContext *ctx, bool blocking)
- ret = WaitForMultipleObjects(count, events, FALSE, timeout);
- if (blocking) {
- assert(first);
-- assert(in_aio_context_home_thread(ctx));
-- atomic_sub(&ctx->notify_me, 2);
-+ atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) - 2);
- aio_notify_accept(ctx);
- }
-
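Review bot: the `atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) - 2);` line in this hunk has no comment, while the matching change in util/aio-posix.c carries "Finish the poll before clearing the flag." Suggest adding the same comment here so the ordering requirement is documented in both implementations. The read-then-store is only safe because of the single-writer assertion that an earlier hunk moves to the top of aio_poll(); a short reference to that assertion next to the store would make the dependency visible at the point where it matters.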
-diff --git a/util/async.c b/util/async.c
-index b1fa5319e5bc7830d50108f91139..c65c58bbc9f57bf1bbdb6acd5fd1 100644
---- a/util/async.c
-+++ b/util/async.c
-@@ -220,7 +220,14 @@ aio_ctx_prepare(GSource *source, gint *timeout)
- {
- AioContext *ctx = (AioContext *) source;
-
-- atomic_or(&ctx->notify_me, 1);
-+ atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) | 1);
-+
-+ /*
-+ * Write ctx->notify_me before computing the timeout
-+ * (reading bottom half flags, etc.). Pairs with
-+ * smp_mb in aio_notify().
-+ */
-+ smp_mb();
-
- /* We assume there is no timeout already supplied */
- *timeout = qemu_timeout_ns_to_ms(aio_compute_timeout(ctx));
-@@ -238,7 +245,8 @@ aio_ctx_check(GSource *source)
- AioContext *ctx = (AioContext *) source;
- QEMUBH *bh;
-
-- atomic_and(&ctx->notify_me, ~1);
-+ /* Finish computing the timeout before clearing the flag. */
-+ atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) & ~1);
- aio_notify_accept(ctx);
-
- for (bh = ctx->first_bh; bh; bh = bh->next) {
-@@ -343,10 +351,10 @@ LinuxAioState *aio_get_linux_aio(AioContext *ctx)
- void aio_notify(AioContext *ctx)
- {
- /* Write e.g. bh->scheduled before reading ctx->notify_me. Pairs
-- * with atomic_or in aio_ctx_prepare or atomic_add in aio_poll.
-+ * with smp_mb in aio_ctx_prepare or aio_poll.
- */
- smp_mb();
-- if (ctx->notify_me) {
-+ if (atomic_read(&ctx->notify_me)) {
- event_notifier_set(&ctx->notifier);
- atomic_mb_set(&ctx->notified, true);
- }
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 21 Oct 2020 16:08:18 +0530
-Subject: ati: check x y display parameter values
-
-Git-commit: ca1f9cbfdce4d63b10d57de80fef89a89d92a540
-References: bsc#1178400, CVE-2020-27616
-
-The source and destination x,y display parameters in ati_2d_blt()
-may run off the vga limits if either of s->regs.[src|dst]_[xy] is
-zero. Check the parameter values to avoid potential crash.
-
-Reported-by: Gaoning Pan <pgn@zju.edu.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20201021103818.1704030-1-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/display/ati_2d.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
-index 23a8ae0cd8ceb7b59408c0709e2f..4dc10ea79529b354f6bdeb92e005 100644
---- a/hw/display/ati_2d.c
-+++ b/hw/display/ati_2d.c
-@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s)
- dst_stride *= bpp;
- }
- uint8_t *end = s->vga.vram_ptr + s->vga.vram_size;
-- if (dst_bits >= end || dst_bits + dst_x + (dst_y + s->regs.dst_height) *
-- dst_stride >= end) {
-+ if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end
-+ || dst_bits + dst_x
-+ + (dst_y + s->regs.dst_height) * dst_stride >= end) {
- qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
- return;
- }
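Review bot: the new dst_x > 0x3fff and dst_y > 0x3fff tests in ati_2d_blt use a bare constant with no explanation, and the commit message describes the trigger as a register value of zero, which a reader cannot connect to an upper-bound test without more context. Give 0x3fff a named macro, or add a comment saying which register width it comes from and how a zero register ends up above it.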
-@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s)
- src_bits += s->regs.crtc_offset & 0x07ffffff;
- src_stride *= bpp;
- }
-- if (src_bits >= end || src_bits + src_x +
-- (src_y + s->regs.dst_height) * src_stride >= end) {
-+ if (src_x > 0x3fff || src_y > 0x3fff || src_bits >= end
-+ || src_bits + src_x
-+ + (src_y + s->regs.dst_height) * src_stride >= end) {
- qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n");
- return;
- }
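Review bot: the src_x/src_y range check shares the existing qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n") branch, so out-of-range coordinates programmed by the guest are reported as an unimplemented feature. A separate branch logging with LOG_GUEST_ERROR and naming the offending value would make these rejections distinguishable when triaging a guest. The same applies to the dst check in the previous hunk.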
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Thu, 21 May 2020 11:29:31 -0600
-Subject: audio: fix wavcapture segfault
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: cbaf25d1f59ee13fc7542a06ea70784f2e000c04
-References: boo#1171712
-
-Commit 571a8c522e caused the HMP wavcapture command to segfault when
-processing audio data in audio_pcm_sw_write(), where a NULL
-sw->hw->pcm_ops is dereferenced. This fix checks that the pointer is
-valid before dereferincing it. A similar fix is also made in the
-parallel function audio_pcm_sw_read().
-
-Fixes: 571a8c522e (audio: split ctl_* functions into enable_* and
-volume_*)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20200521172931.121903-1-brogers@suse.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- audio/audio.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/audio/audio.c b/audio/audio.c
-index 56fae55047103af9fb85aa47c905..566febf7d76eba61e4db472d0fd1 100644
---- a/audio/audio.c
-+++ b/audio/audio.c
-@@ -634,7 +634,7 @@ static size_t audio_pcm_sw_read(SWVoiceIn *sw, void *buf, size_t size)
- total += isamp;
- }
-
-- if (!hw->pcm_ops->volume_in) {
-+ if (hw->pcm_ops && !hw->pcm_ops->volume_in) {
- mixeng_volume (sw->buf, ret, &sw->vol);
- }
-
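Review bot: with the new condition in audio_pcm_sw_read, a NULL hw->pcm_ops skips mixeng_volume() entirely, so the software volume is not applied on exactly the path that has no hardware volume callback. If that path should still get software volume, the test would be !hw->pcm_ops || !hw->pcm_ops->volume_in; if skipping it is intended for the capture case, a one-line comment saying so would help. The same question applies to the audio_pcm_sw_write hunk below.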
-@@ -721,7 +721,7 @@ static size_t audio_pcm_sw_write(SWVoiceOut *sw, void *buf, size_t size)
- if (swlim) {
- sw->conv (sw->buf, buf, swlim);
-
-- if (!sw->hw->pcm_ops->volume_out) {
-+ if (sw->hw->pcm_ops && !sw->hw->pcm_ops->volume_out) {
- mixeng_volume (sw->buf, swlim, &sw->vol);
- }
- }
+++ /dev/null
-From: Lin Ma <lma@suse.com>
-Date: Mon, 13 Sep 2021 17:07:57 +0800
-Subject: block: add max_hw_transfer to BlockLimits
-
-Git-commit: 24b36e9813ec15da7db62e3b3621730710c5f020
-References: bsc#1190425
-
-For block host devices, I/O can happen through either the kernel file
-descriptor I/O system calls (preadv/pwritev, io_submit, io_uring)
-or the SCSI passthrough ioctl SG_IO.
-
-In the latter case, the size of each transfer can be limited by the
-HBA, while for file descriptor I/O the kernel is able to split and
-merge I/O in smaller pieces as needed. Applying the HBA limits to
-file descriptor I/O results in more system calls and suboptimal
-performance, so this patch splits the max_transfer limit in two:
-max_transfer remains valid and is used in general, while max_hw_transfer
-is limited to the maximum hardware size. max_hw_transfer can then be
-included by the scsi-generic driver in the block limits page, to ensure
-that the stricter hardware limit is used.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- block/block-backend.c | 13 +++++++++++++
- block/file-posix.c | 2 +-
- block/io.c | 2 ++
- hw/scsi/scsi-generic.c | 2 +-
- include/block/block_int.h | 7 +++++++
- include/sysemu/block-backend.h | 1 +
- 6 files changed, 25 insertions(+), 2 deletions(-)
-
-diff --git a/block/block-backend.c b/block/block-backend.c
-index 5344126d1ec81a0af792758da1ad..28908cd0bf3b11b7e1a3915df02d 100644
---- a/block/block-backend.c
-+++ b/block/block-backend.c
-@@ -1825,6 +1825,19 @@ uint32_t blk_get_request_alignment(BlockBackend *blk)
- return bs ? bs->bl.request_alignment : BDRV_SECTOR_SIZE;
- }
-
-+/* Returns the maximum hardware transfer length, in bytes; guaranteed nonzero */
-+uint64_t blk_get_max_hw_transfer(BlockBackend *blk)
-+{
-+ BlockDriverState *bs = blk_bs(blk);
-+ uint64_t max = INT_MAX;
-+
-+ if (bs) {
-+ max = MIN_NON_ZERO(max, bs->bl.max_hw_transfer);
-+ max = MIN_NON_ZERO(max, bs->bl.max_transfer);
-+ }
-+ return ROUND_DOWN(max, blk_get_request_alignment(blk));
-+}
-+
- /* Returns the maximum transfer length, in bytes; guaranteed nonzero */
- uint32_t blk_get_max_transfer(BlockBackend *blk)
- {
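Review bot: the comment on blk_get_max_hw_transfer promises a nonzero result, but the final ROUND_DOWN(max, blk_get_request_alignment(blk)) yields 0 whenever the smaller of max_hw_transfer and max_transfer is below the request alignment, and the scsi-generic caller changed in this patch does assert(max_transfer) on the returned value. Either clamp the result to at least one alignment unit or drop the guarantee from the comment and handle zero at the call site. The uint64_t return type also looks wider than needed while max starts at INT_MAX.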
-diff --git a/block/file-posix.c b/block/file-posix.c
-index c0e8a60d501982db438db3cb8dba..59149186c6937907070a2683a82a 100644
---- a/block/file-posix.c
-+++ b/block/file-posix.c
-@@ -1142,7 +1142,7 @@ static void raw_refresh_limits(BlockDriverState *bs, Error **errp)
- int ret = sg_get_max_transfer_length(s->fd);
-
- if (ret > 0 && ret <= BDRV_REQUEST_MAX_BYTES) {
-- bs->bl.max_transfer = pow2floor(ret);
-+ bs->bl.max_hw_transfer = pow2floor(ret);
- }
-
- ret = sg_get_max_segments(s->fd);
-diff --git a/block/io.c b/block/io.c
-index c2c3aab9ee3d1d4d494ce98a6d8b..c0e2c1c70d9aeef11ab1853f326e 100644
---- a/block/io.c
-+++ b/block/io.c
-@@ -127,6 +127,8 @@ static void bdrv_merge_limits(BlockLimits *dst, const BlockLimits *src)
- {
- dst->opt_transfer = MAX(dst->opt_transfer, src->opt_transfer);
- dst->max_transfer = MIN_NON_ZERO(dst->max_transfer, src->max_transfer);
-+ dst->max_hw_transfer = MIN_NON_ZERO(dst->max_hw_transfer,
-+ src->max_hw_transfer);
- dst->opt_mem_alignment = MAX(dst->opt_mem_alignment,
- src->opt_mem_alignment);
- dst->min_mem_alignment = MAX(dst->min_mem_alignment,
-diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
-index a135d7087ecc8d73baeed0270d29..af05add799afadec1c17a62fe1e3 100644
---- a/hw/scsi/scsi-generic.c
-+++ b/hw/scsi/scsi-generic.c
-@@ -172,7 +172,7 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq *r, SCSIDevice *s)
- if (s->type == TYPE_DISK && (r->req.cmd.buf[1] & 0x01)) {
- page = r->req.cmd.buf[2];
- if (page == 0xb0) {
-- uint32_t max_transfer = blk_get_max_transfer(s->conf.blk);
-+ uint64_t max_transfer = blk_get_max_hw_transfer(s->conf.blk);
- uint32_t max_iov = blk_get_max_iov(s->conf.blk);
-
- assert(max_transfer);
-diff --git a/include/block/block_int.h b/include/block/block_int.h
-index dd033d0b375a72de9ab9f01f8fb7..c8926f50194b7b8ca9f40a0901c6 100644
---- a/include/block/block_int.h
-+++ b/include/block/block_int.h
-@@ -637,6 +637,13 @@ typedef struct BlockLimits {
- * clamped down. */
- uint32_t max_transfer;
-
-+ /* Maximal hardware transfer length in bytes. Applies whenever
-+ * transfers to the device bypass the kernel I/O scheduler, for
-+ * example with SG_IO. If larger than max_transfer or if zero,
-+ * blk_get_max_hw_transfer will fall back to max_transfer.
-+ */
-+ uint64_t max_hw_transfer;
-+
- /* memory alignment, in bytes so that no bounce buffer is needed */
- size_t min_mem_alignment;
-
-diff --git a/include/sysemu/block-backend.h b/include/sysemu/block-backend.h
-index b198deca0b24aeb559442aa46cf9..8fd7258dae301c25279e69ee3fa6 100644
---- a/include/sysemu/block-backend.h
-+++ b/include/sysemu/block-backend.h
-@@ -202,6 +202,7 @@ void blk_eject(BlockBackend *blk, bool eject_flag);
- int blk_get_flags(BlockBackend *blk);
- uint32_t blk_get_request_alignment(BlockBackend *blk);
- uint32_t blk_get_max_transfer(BlockBackend *blk);
-+uint64_t blk_get_max_hw_transfer(BlockBackend *blk);
- int blk_get_max_iov(BlockBackend *blk);
- void blk_set_guest_block_size(BlockBackend *blk, int align);
- void *blk_try_blockalign(BlockBackend *blk, size_t size);
+++ /dev/null
-From: Lin Ma <lma@suse.com>
-Date: Mon, 13 Sep 2021 17:07:37 +0800
-Subject: block-backend: align max_transfer to request alignment
-
-Git-commit: b99f7fa08a3df8b8a6a907642e5851cdcf43fa9f
-References: bsc#1190425
-
-Block device requests must be aligned to bs->bl.request_alignment.
-It makes sense for drivers to align bs->bl.max_transfer the same
-way; however when there is no specified limit, blk_get_max_transfer
-just returns INT_MAX. Since the contract of the function does not
-specify that INT_MAX means "no maximum", just align the outcome
-of the function (whether INT_MAX or bs->bl.max_transfer) before
-returning it.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- block/block-backend.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/block/block-backend.c b/block/block-backend.c
-index 8b8f2a80a0d52635059e0315ae16..5344126d1ec81a0af792758da1ad 100644
---- a/block/block-backend.c
-+++ b/block/block-backend.c
-@@ -1829,12 +1829,12 @@ uint32_t blk_get_request_alignment(BlockBackend *blk)
- uint32_t blk_get_max_transfer(BlockBackend *blk)
- {
- BlockDriverState *bs = blk_bs(blk);
-- uint32_t max = 0;
-+ uint32_t max = INT_MAX;
-
- if (bs) {
-- max = bs->bl.max_transfer;
-+ max = MIN_NON_ZERO(max, bs->bl.max_transfer);
- }
-- return MIN_NON_ZERO(max, INT_MAX);
-+ return ROUND_DOWN(max, blk_get_request_alignment(blk));
- }
-
- int blk_get_max_iov(BlockBackend *blk)
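Review bot: after this change the "no limit" case in blk_get_max_transfer returns INT_MAX rounded down to the request alignment rather than INT_MAX itself, so any caller that compares the result against INT_MAX to detect an unlimited backend silently changes behaviour. The commit message argues the contract never promised that meaning; state it in the function comment and check the existing callers for such comparisons.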
+++ /dev/null
-From: Chen Qun <kuhn.chenqun@huawei.com>
-Date: Sat, 18 Apr 2020 14:26:02 +0800
-Subject: block/iscsi:fix heap-buffer-overflow in iscsi_aio_ioctl_cb
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: ff0507c239a246fd7215b31c5658fc6a3ee1e4c5
-References: bsc#1180523, CVE-2020-11947
-
-There is an overflow, the source 'datain.data[2]' is 100 bytes,
- but the 'ss' is 252 bytes.This may cause a security issue because
- we can access a lot of unrelated memory data.
-
-The len for sbp copy data should take the minimum of mx_sb_len and
- sb_len_wr, not the maximum.
-
-If we use iscsi device for VM backend storage, ASAN show stack:
-
-READ of size 252 at 0xfffd149dcfc4 thread T0
- #0 0xaaad433d0d34 in __asan_memcpy (aarch64-softmmu/qemu-system-aarch64+0x2cb0d34)
- #1 0xaaad45f9d6d0 in iscsi_aio_ioctl_cb /qemu/block/iscsi.c:996:9
- #2 0xfffd1af0e2dc (/usr/lib64/iscsi/libiscsi.so.8+0xe2dc)
- #3 0xfffd1af0d174 (/usr/lib64/iscsi/libiscsi.so.8+0xd174)
- #4 0xfffd1af19fac (/usr/lib64/iscsi/libiscsi.so.8+0x19fac)
- #5 0xaaad45f9acc8 in iscsi_process_read /qemu/block/iscsi.c:403:5
- #6 0xaaad4623733c in aio_dispatch_handler /qemu/util/aio-posix.c:467:9
- #7 0xaaad4622f350 in aio_dispatch_handlers /qemu/util/aio-posix.c:510:20
- #8 0xaaad4622f350 in aio_dispatch /qemu/util/aio-posix.c:520
- #9 0xaaad46215944 in aio_ctx_dispatch /qemu/util/async.c:298:5
- #10 0xfffd1bed12f4 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x512f4)
- #11 0xaaad46227de0 in glib_pollfds_poll /qemu/util/main-loop.c:219:9
- #12 0xaaad46227de0 in os_host_main_loop_wait /qemu/util/main-loop.c:242
- #13 0xaaad46227de0 in main_loop_wait /qemu/util/main-loop.c:518
- #14 0xaaad43d9d60c in qemu_main_loop /qemu/softmmu/vl.c:1662:9
- #15 0xaaad4607a5b0 in main /qemu/softmmu/main.c:49:5
- #16 0xfffd1a460b9c in __libc_start_main (/lib64/libc.so.6+0x20b9c)
- #17 0xaaad43320740 in _start (aarch64-softmmu/qemu-system-aarch64+0x2c00740)
-
-0xfffd149dcfc4 is located 0 bytes to the right of 100-byte region [0xfffd149dcf60,0xfffd149dcfc4)
-allocated by thread T0 here:
- #0 0xaaad433d1e70 in __interceptor_malloc (aarch64-softmmu/qemu-system-aarch64+0x2cb1e70)
- #1 0xfffd1af0e254 (/usr/lib64/iscsi/libiscsi.so.8+0xe254)
- #2 0xfffd1af0d174 (/usr/lib64/iscsi/libiscsi.so.8+0xd174)
- #3 0xfffd1af19fac (/usr/lib64/iscsi/libiscsi.so.8+0x19fac)
- #4 0xaaad45f9acc8 in iscsi_process_read /qemu/block/iscsi.c:403:5
- #5 0xaaad4623733c in aio_dispatch_handler /qemu/util/aio-posix.c:467:9
- #6 0xaaad4622f350 in aio_dispatch_handlers /qemu/util/aio-posix.c:510:20
- #7 0xaaad4622f350 in aio_dispatch /qemu/util/aio-posix.c:520
- #8 0xaaad46215944 in aio_ctx_dispatch /qemu/util/async.c:298:5
- #9 0xfffd1bed12f4 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x512f4)
- #10 0xaaad46227de0 in glib_pollfds_poll /qemu/util/main-loop.c:219:9
- #11 0xaaad46227de0 in os_host_main_loop_wait /qemu/util/main-loop.c:242
- #12 0xaaad46227de0 in main_loop_wait /qemu/util/main-loop.c:518
- #13 0xaaad43d9d60c in qemu_main_loop /qemu/softmmu/vl.c:1662:9
- #14 0xaaad4607a5b0 in main /qemu/softmmu/main.c:49:5
- #15 0xfffd1a460b9c in __libc_start_main (/lib64/libc.so.6+0x20b9c)
- #16 0xaaad43320740 in _start (aarch64-softmmu/qemu-system-aarch64+0x2c00740)
-
-Reported-by: Euler Robot <euler.robot@huawei.com>
-Signed-off-by: Chen Qun <kuhn.chenqun@huawei.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-id: 20200418062602.10776-1-kuhn.chenqun@huawei.com
-Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- block/iscsi.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/block/iscsi.c b/block/iscsi.c
-index cbd57294ab4417a33657af0fbce8..3a528c15ec9e17386569f604df86 100644
---- a/block/iscsi.c
-+++ b/block/iscsi.c
-@@ -991,8 +991,7 @@ iscsi_aio_ioctl_cb(struct iscsi_context *iscsi, int status,
- acb->ioh->driver_status |= SG_ERR_DRIVER_SENSE;
-
- acb->ioh->sb_len_wr = acb->task->datain.size - 2;
-- ss = (acb->ioh->mx_sb_len >= acb->ioh->sb_len_wr) ?
-- acb->ioh->mx_sb_len : acb->ioh->sb_len_wr;
-+ ss = MIN(acb->ioh->mx_sb_len, acb->ioh->sb_len_wr);
- memcpy(acb->ioh->sbp, &acb->task->datain.data[2], ss);
- }
-
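Review bot: MIN() now bounds the copy by mx_sb_len, but the source side still trusts acb->task->datain.size: the line above computes sb_len_wr as datain.size - 2 with no check that datain.size is at least 2, and the memcpy reads from &datain.data[2]. Add an explicit datain.size >= 2 test before the subtraction so a short sense reply cannot produce a bogus length.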
+++ /dev/null
-From: Michael Qiu <qiudayu@huayun.com>
-Date: Wed, 3 Feb 2021 10:40:59 +0800
-Subject: blockjob: Fix crash with IOthread when block commit after snapshot
-
-Git-commit: 076d467aacdf6dc5d01e2e61740b1795f2aec2f6
-References: bsc#1187013
-
-Currently, if guest has workloads, IO thread will acquire aio_context
-lock before do io_submit, it leads to segmentfault when do block commit
-after snapshot. Just like below:
-
-Program received signal SIGSEGV, Segmentation fault.
-
-[Switching to Thread 0x7f7c7d91f700 (LWP 99907)]
-0x00005576d0f65aab in bdrv_mirror_top_pwritev at ../block/mirror.c:1437
-1437 ../block/mirror.c: No such file or directory.
-(gdb) p s->job
-$17 = (MirrorBlockJob *) 0x0
-(gdb) p s->stop
-$18 = false
-
-Call trace of IO thread:
-0 0x00005576d0f65aab in bdrv_mirror_top_pwritev at ../block/mirror.c:1437
-1 0x00005576d0f7f3ab in bdrv_driver_pwritev at ../block/io.c:1174
-2 0x00005576d0f8139d in bdrv_aligned_pwritev at ../block/io.c:1988
-3 0x00005576d0f81b65 in bdrv_co_pwritev_part at ../block/io.c:2156
-4 0x00005576d0f8e6b7 in blk_do_pwritev_part at ../block/block-backend.c:1260
-5 0x00005576d0f8e84d in blk_aio_write_entry at ../block/block-backend.c:1476
-...
-
-Switch to qemu main thread:
-0 0x00007f903be704ed in __lll_lock_wait at
-/lib/../lib64/libpthread.so.0
-1 0x00007f903be6bde6 in _L_lock_941 at /lib/../lib64/libpthread.so.0
-2 0x00007f903be6bcdf in pthread_mutex_lock at
-/lib/../lib64/libpthread.so.0
-3 0x0000564b21456889 in qemu_mutex_lock_impl at
-../util/qemu-thread-posix.c:79
-4 0x0000564b213af8a5 in block_job_add_bdrv at ../blockjob.c:224
-5 0x0000564b213b00ad in block_job_create at ../blockjob.c:440
-6 0x0000564b21357c0a in mirror_start_job at ../block/mirror.c:1622
-7 0x0000564b2135a9af in commit_active_start at ../block/mirror.c:1867
-8 0x0000564b2133d132 in qmp_block_commit at ../blockdev.c:2768
-9 0x0000564b2141fef3 in qmp_marshal_block_commit at
-qapi/qapi-commands-block-core.c:346
-10 0x0000564b214503c9 in do_qmp_dispatch_bh at
-../qapi/qmp-dispatch.c:110
-11 0x0000564b21451996 in aio_bh_poll at ../util/async.c:164
-12 0x0000564b2146018e in aio_dispatch at ../util/aio-posix.c:381
-13 0x0000564b2145187e in aio_ctx_dispatch at ../util/async.c:306
-14 0x00007f9040239049 in g_main_context_dispatch at
-/lib/../lib64/libglib-2.0.so.0
-15 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:232
-16 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:255
-17 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:531
-18 0x0000564b212304e1 in qemu_main_loop at ../softmmu/runstate.c:721
-19 0x0000564b20f7975e in main at ../softmmu/main.c:50
-
-In IO thread when do bdrv_mirror_top_pwritev, the job is NULL, and stop field
-is false, this means the MirrorBDSOpaque "s" object has not been initialized
-yet, and this object is initialized by block_job_create(), but the initialize
-process is stuck in acquiring the lock.
-
-In this situation, IO thread come to bdrv_mirror_top_pwritev(),which means that
-mirror-top node is already inserted into block graph, but its bs->opaque->job
-is not initialized.
-
-The root cause is that qemu main thread do release/acquire when hold the lock,
-at the same time, IO thread get the lock after release stage, and the crash
-occured.
-
-Actually, in this situation, job->job.aio_context will not equal to
-qemu_get_aio_context(), and will be the same as bs->aio_context,
-thus, no need to release the lock, becasue bdrv_root_attach_child()
-will not change the context.
-
-This patch fix this issue.
-
-Fixes: 132ada80 "block: Adjust AioContexts when attaching nodes"
-
-Signed-off-by: Michael Qiu <qiudayu@huayun.com>
-Message-Id: <20210203024059.52683-1-08005325@163.com>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- blockjob.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/blockjob.c b/blockjob.c
-index 701bd2588d5ca58826bad00e498d..37df602371d5b49b7372eb56e4e8 100644
---- a/blockjob.c
-+++ b/blockjob.c
-@@ -212,14 +212,18 @@ int block_job_add_bdrv(BlockJob *job, const char *name, BlockDriverState *bs,
- uint64_t perm, uint64_t shared_perm, Error **errp)
- {
- BdrvChild *c;
-+ bool need_context_ops;
-
- bdrv_ref(bs);
-- if (job->job.aio_context != qemu_get_aio_context()) {
-+
-+ need_context_ops = bdrv_get_aio_context(bs) != job->job.aio_context;
-+
-+ if (need_context_ops && job->job.aio_context != qemu_get_aio_context()) {
- aio_context_release(job->job.aio_context);
- }
- c = bdrv_root_attach_child(bs, name, &child_job, job->job.aio_context,
- perm, shared_perm, job, errp);
-- if (job->job.aio_context != qemu_get_aio_context()) {
-+ if (need_context_ops && job->job.aio_context != qemu_get_aio_context()) {
- aio_context_acquire(job->job.aio_context);
- }
- if (c == NULL) {
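Review bot: the condition need_context_ops && job->job.aio_context != qemu_get_aio_context() is spelled out twice in block_job_add_bdrv, once for the release and once for the acquire, so the pair can drift apart in a later edit. Fold the whole expression into need_context_ops once, and add a comment above it recording why the lock is kept when bs is already in the job's AioContext, since that reasoning currently lives only in the commit message.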
+++ /dev/null
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Fri, 4 Jun 2021 16:15:14 +0400
-Subject: bootp: check bootp_input buffer size
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 2eca0838eee1da96204545e22cdaed860d9d7c6c
-References: bsc#1187364, CVE-2021-3592
-
-Fixes: CVE-2021-3592
-Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
-
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- src/bootp.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c
-index e0db8d19689490e179a95f57e4dd..cafa1eb1f36ad010c36f2fbb343e 100644
---- a/slirp/src/bootp.c
-+++ b/slirp/src/bootp.c
-@@ -365,9 +365,9 @@ static void bootp_reply(Slirp *slirp,
-
- void bootp_input(struct mbuf *m)
- {
-- struct bootp_t *bp = mtod(m, struct bootp_t *);
-+ struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t));
-
-- if (bp->bp_op == BOOTP_REQUEST) {
-+ if (bp && bp->bp_op == BOOTP_REQUEST) {
- bootp_reply(m->slirp, bp, m_end(m));
- }
- }
+++ /dev/null
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Fri, 4 Jun 2021 19:25:28 +0400
-Subject: bootp: limit vendor-specific area to input packet memory buffer
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: f13cad45b25d92760bb0ad67bec0300a4d7d5275
-References: bsc#1187364, CVE-2021-3592
-
-sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field
-from the structure, to help with the following patch checking for
-minimal header size. Modify the bootp_reply() function to take the
-buffer boundaries and avoiding potential buffer overflow.
-
-Related to CVE-2021-3592.
-
-https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44
-
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- src/bootp.c | 26 +++++++++++++++-----------
- src/bootp.h | 2 +-
- src/mbuf.c | 5 +++++
- src/mbuf.h | 1 +
- 4 files changed, 22 insertions(+), 12 deletions(-)
-
-diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c
-index 46e96810ab1981957457135d1659..e0db8d19689490e179a95f57e4dd 100644
---- a/slirp/src/bootp.c
-+++ b/slirp/src/bootp.c
-@@ -92,21 +92,22 @@ found:
- return bc;
- }
-
--static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
-+static void dhcp_decode(const struct bootp_t *bp,
-+ const uint8_t *bp_end,
-+ int *pmsg_type,
- struct in_addr *preq_addr)
- {
-- const uint8_t *p, *p_end;
-+ const uint8_t *p;
- int len, tag;
-
- *pmsg_type = 0;
- preq_addr->s_addr = htonl(0L);
-
- p = bp->bp_vend;
-- p_end = p + DHCP_OPT_LEN;
- if (memcmp(p, rfc1533_cookie, 4) != 0)
- return;
- p += 4;
-- while (p < p_end) {
-+ while (p < bp_end) {
- tag = p[0];
- if (tag == RFC1533_PAD) {
- p++;
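Review bot: dhcp_decode now bounds the option loop with bp_end, but the memcmp(p, rfc1533_cookie, 4) just before it still reads four bytes from bp->bp_vend without comparing against bp_end, and with bp_vend becoming a flexible array member in this patch those bytes are no longer covered by sizeof(struct bootp_t). Return early when bp_end - p < 4 before the cookie comparison.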
-@@ -114,10 +115,10 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
- break;
- } else {
- p++;
-- if (p >= p_end)
-+ if (p >= bp_end)
- break;
- len = *p++;
-- if (p + len > p_end) {
-+ if (p + len > bp_end) {
- break;
- }
- DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
-@@ -144,7 +145,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
- }
- }
-
--static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
-+static void bootp_reply(Slirp *slirp,
-+ const struct bootp_t *bp,
-+ const uint8_t *bp_end)
- {
- BOOTPClient *bc = NULL;
- struct mbuf *m;
-@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
- uint8_t client_ethaddr[ETH_ALEN];
-
- /* extract exact DHCP msg type */
-- dhcp_decode(bp, &dhcp_msg_type, &preq_addr);
-+ dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr);
- DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type);
- if (preq_addr.s_addr != htonl(0L))
- DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr));
-@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
- return;
- }
- m->m_data += IF_MAXLINKHDR;
-+ m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN);
- rbp = (struct bootp_t *)m->m_data;
- m->m_data += sizeof(struct udpiphdr);
-- memset(rbp, 0, sizeof(struct bootp_t));
-+ memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN);
-
- if (dhcp_msg_type == DHCPDISCOVER) {
- if (preq_addr.s_addr != htonl(0L)) {
-@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp)
- rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */
-
- q = rbp->bp_vend;
-- end = (uint8_t *)&rbp[1];
-+ end = rbp->bp_vend + DHCP_OPT_LEN;
- memcpy(q, rfc1533_cookie, 4);
- q += 4;
-
-@@ -364,6 +368,6 @@ void bootp_input(struct mbuf *m)
- struct bootp_t *bp = mtod(m, struct bootp_t *);
-
- if (bp->bp_op == BOOTP_REQUEST) {
-- bootp_reply(m->slirp, bp);
-+ bootp_reply(m->slirp, bp, m_end(m));
- }
- }
-diff --git a/slirp/src/bootp.h b/slirp/src/bootp.h
-index a57fa51bcb77f2e810e4e583d775..31ce5fd33f8d71d1af846ba09f45 100644
---- a/slirp/src/bootp.h
-+++ b/slirp/src/bootp.h
-@@ -114,7 +114,7 @@ struct bootp_t {
- uint8_t bp_hwaddr[16];
- uint8_t bp_sname[64];
- char bp_file[128];
-- uint8_t bp_vend[DHCP_OPT_LEN];
-+ uint8_t bp_vend[];
- };
-
- typedef struct {
-diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c
-index cb2e971083a9d30e25552ee91f29..0c1a530f105372146b9f04273aba 100644
---- a/slirp/src/mbuf.c
-+++ b/slirp/src/mbuf.c
-@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t len)
-
- return NULL;
- }
-+
-+void *m_end(struct mbuf *m)
-+{
-+ return m->m_data + m->m_len;
-+}
-diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h
-index 2015e3232f1b7840dc14d1c6bdb3..a9752a36e0d8c3795c2c3dda8536 100644
---- a/slirp/src/mbuf.h
-+++ b/slirp/src/mbuf.h
-@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int);
- int m_copy(struct mbuf *, struct mbuf *, int, int);
- struct mbuf *dtom(Slirp *, void *);
- void *mtod_check(struct mbuf *, size_t len);
-+void *m_end(struct mbuf *);
-
- static inline void ifs_init(struct mbuf *ifm)
- {
+++ /dev/null
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Mon, 1 Mar 2021 14:33:43 -0500
-Subject: cadence_gem: switch to use qemu_receive_packet() for loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: e73adfbeec9d4e008630c814759052ed945c3fed
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/net/cadence_gem.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
-index b8be73dc558071f907cf5a6d1c53..be7c91123bf9bf6f253b24f96ccc 100644
---- a/hw/net/cadence_gem.c
-+++ b/hw/net/cadence_gem.c
-@@ -1225,8 +1225,8 @@ static void gem_transmit(CadenceGEMState *s)
- /* Send the packet somewhere */
- if (s->phy_loop || (s->regs[GEM_NWCTRL] &
- GEM_NWCTRL_LOCALLOOP)) {
-- gem_receive(qemu_get_queue(s->nic), tx_packet,
-- total_bytes);
-+ qemu_receive_packet(qemu_get_queue(s->nic), tx_packet,
-+ total_bytes);
- } else {
- qemu_send_packet(qemu_get_queue(s->nic), tx_packet,
- total_bytes);
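Review bot: the return value of qemu_receive_packet() is discarded in gem_transmit, so a loopback frame that is dropped because reentrancy was detected looks the same as one that was delivered. If the device has a drop or error counter for the loopback path, update it from the return value; otherwise a short comment that the drop is intentional would be enough.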
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Tue, 28 May 2019 14:23:37 -0600
-Subject: configure: only populate roms if softmmu
-
-Currently roms are mistakenly getting built in a linux-user only
-configuration. Add check for softmmu in all places where our list of
-roms is being added to.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- configure | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure b/configure
-index 09a33aecfd6ef543eeee8c5023b6..94984691ab378620ac2e0ae771ca 100755
---- a/configure
-+++ b/configure
-@@ -6327,7 +6327,7 @@ if { test "$cpu" = "i386" || test "$cpu" = "x86_64"; } && \
- fi
-
- # Only build s390-ccw bios if we're on s390x and the compiler has -march=z900
--if test "$cpu" = "s390x" ; then
-+if test "$cpu" = "s390x" && test "$softmmu" = yes ; then
- write_c_skeleton
- if compile_prog "-march=z900" ""; then
- roms="$roms s390-ccw"
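Review bot: the comment directly above the changed test still reads "Only build s390-ccw bios if we're on s390x and the compiler has -march=z900" and does not mention the new softmmu condition. Update the comment, and quote the literal as "yes" to match the test "$modules" = "yes" style used elsewhere in configure. The commit message speaks of all places where the roms list is extended, while the diffstat shows a single changed line, so it is worth confirming the other roms= assignments are already guarded.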
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Fri, 17 Apr 2020 13:07:37 -0600
-Subject: configure: remove $pkgversion from CONFIG_STAMP input to broaden
- compatibility
-
-As part of the effort to close the gap with Leap I think we are fine
-removing the $pkgversion component to creating a unique CONFIG_STAMP.
-This stamp is only used in creating a unique symbol used in ensuring the
-dynamically loaded modules correspond correctly to the loading qemu.
-The default inputs to producing this unique symbol are somewhat reasonable
-as a generic mechanism, but specific packaging and maintenance practices
-might require the default to be modified for best use. This is an example
-of that.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- configure | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure b/configure
-index 94984691ab378620ac2e0ae771ca..c68e378776336748b227013a1a3f 100755
---- a/configure
-+++ b/configure
-@@ -6811,7 +6811,7 @@ fi
- if test "$modules" = "yes"; then
- # $shacmd can generate a hash started with digit, which the compiler doesn't
- # like as an symbol. So prefix it with an underscore
-- echo "CONFIG_STAMP=_$( (echo $qemu_version; echo $pkgversion; cat $0) | $shacmd - | cut -f1 -d\ )" >> $config_host_mak
-+ echo "CONFIG_STAMP=_$( (echo $qemu_version; cat $0) | $shacmd - | cut -f1 -d\ )" >> $config_host_mak
- echo "CONFIG_MODULES=y" >> $config_host_mak
- fi
- if test "$have_x11" = "yes" && test "$need_x11" = "yes"; then
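Review bot: dropping $pkgversion from the CONFIG_STAMP input means modules from any package build with the same $qemu_version and an identical configure script will now pass the stamp check, which is the only thing tying a dynamically loaded module to the binary that loads it. The comment above the echo still only explains the underscore prefix; add a line there stating that the stamp deliberately ignores the package version and what is relied on instead to keep mismatched modules out.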
+++ /dev/null
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Tue, 6 Oct 2020 15:38:59 +0300
-Subject: device-core: use RCU for list of children of a bus
-
-Git-commit: 2d24a64661549732fc77f632928318dd52f5bce5
-References: bsc#1184574
-
-This fixes the race between device emulation code that tries to find
-a child device to dispatch the request to (e.g a scsi disk),
-and hotplug of a new device to that bus.
-
-Note that this doesn't convert all the readers of the list
-but only these that might go over that list without BQL held.
-
-This is a very small first step to make this code thread safe.
-
-Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-Id: <20200913160259.32145-5-mlevitsk@redhat.com>
-[Use RCU_READ_LOCK_GUARD in more places, adjust testcase now that
- the delay in DEVICE_DELETED due to RCU is more consistent. - Paolo]
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-Id: <20201006123904.610658-9-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- hw/core/bus.c | 28 ++++++++++++++++------------
- hw/core/qdev.c | 37 +++++++++++++++++++++++--------------
- hw/scsi/scsi-bus.c | 12 +++++++++---
- hw/scsi/virtio-scsi.c | 6 +++++-
- include/hw/qdev-core.h | 9 +++++++++
- 5 files changed, 62 insertions(+), 30 deletions(-)
-
-diff --git a/hw/core/bus.c b/hw/core/bus.c
-index 7f3d2a3dbda72fe0a5dfea3ff1f1..85bc9436e603c43813936f24aba9 100644
---- a/hw/core/bus.c
-+++ b/hw/core/bus.c
-@@ -49,12 +49,14 @@ int qbus_walk_children(BusState *bus,
- }
- }
-
-- QTAILQ_FOREACH(kid, &bus->children, sibling) {
-- err = qdev_walk_children(kid->child,
-- pre_devfn, pre_busfn,
-- post_devfn, post_busfn, opaque);
-- if (err < 0) {
-- return err;
-+ WITH_RCU_READ_LOCK_GUARD() {
-+ QTAILQ_FOREACH_RCU(kid, &bus->children, sibling) {
-+ err = qdev_walk_children(kid->child,
-+ pre_devfn, pre_busfn,
-+ post_devfn, post_busfn, opaque);
-+ if (err < 0) {
-+ return err;
-+ }
- }
- }
-
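Review bot: qdev_walk_children() and the pre/post callbacks it invokes now run inside WITH_RCU_READ_LOCK_GUARD() in qbus_walk_children, and nothing in the hunk tells callback authors that they are in an RCU read-side section. Document on qbus_walk_children that callbacks must not wait for an RCU grace period or otherwise block for long, since the caller cannot see that constraint from the signature.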
-@@ -158,12 +160,14 @@ static void bus_set_realized(Object *obj, bool value, Error **errp)
-
- /* TODO: recursive realization */
- } else if (!value && bus->realized) {
-- QTAILQ_FOREACH(kid, &bus->children, sibling) {
-- DeviceState *dev = kid->child;
-- object_property_set_bool(OBJECT(dev), false, "realized",
-- &local_err);
-- if (local_err != NULL) {
-- break;
-+ WITH_RCU_READ_LOCK_GUARD() {
-+ QTAILQ_FOREACH_RCU(kid, &bus->children, sibling) {
-+ DeviceState *dev = kid->child;
-+ object_property_set_bool(OBJECT(dev), false, "realized",
-+ &local_err);
-+ if (local_err != NULL) {
-+ break;
-+ }
- }
- }
- if (bc->unrealize && local_err == NULL) {
-diff --git a/hw/core/qdev.c b/hw/core/qdev.c
-index 342ea8a3feb955c3318616252ead..917f3f6ae2efbcf01c8ed65a3d34 100644
---- a/hw/core/qdev.c
-+++ b/hw/core/qdev.c
-@@ -49,6 +49,12 @@ const VMStateDescription *qdev_get_vmsd(DeviceState *dev)
- return dc->vmsd;
- }
-
-+static void bus_free_bus_child(BusChild *kid)
-+{
-+ object_unref(OBJECT(kid->child));
-+ g_free(kid);
-+}
-+
- static void bus_remove_child(BusState *bus, DeviceState *child)
- {
- BusChild *kid;
-@@ -58,15 +64,16 @@ static void bus_remove_child(BusState *bus, DeviceState *child)
- char name[32];
-
- snprintf(name, sizeof(name), "child[%d]", kid->index);
-- QTAILQ_REMOVE(&bus->children, kid, sibling);
-+ QTAILQ_REMOVE_RCU(&bus->children, kid, sibling);
-
- bus->num_children--;
-
- /* This gives back ownership of kid->child back to us. */
- object_property_del(OBJECT(bus), name, NULL);
-- object_unref(OBJECT(kid->child));
-- g_free(kid);
-- return;
-+
-+ /* free the bus kid, when it is safe to do so*/
-+ call_rcu(kid, bus_free_bus_child, rcu);
-+ break;
- }
- }
- }
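Review bot: in bus_remove_child() the new comment only mentions freeing the kid, but bus_free_bus_child() also performs the object_unref(OBJECT(kid->child)) that used to run synchronously here, so the device reference is now dropped from an RCU callback after a grace period. Please say so in the comment (and add the missing space before `*/`), since callers that expect the device to be gone when this returns will need to drain pending callbacks.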
-@@ -81,7 +88,7 @@ static void bus_add_child(BusState *bus, DeviceState *child)
- kid->child = child;
- object_ref(OBJECT(kid->child));
-
-- QTAILQ_INSERT_HEAD(&bus->children, kid, sibling);
-+ QTAILQ_INSERT_HEAD_RCU(&bus->children, kid, sibling);
-
- /* This transfers ownership of kid->child to the property. */
- snprintf(name, sizeof(name), "child[%d]", kid->index);
-@@ -640,17 +647,19 @@ DeviceState *qdev_find_recursive(BusState *bus, const char *id)
- DeviceState *ret;
- BusState *child;
-
-- QTAILQ_FOREACH(kid, &bus->children, sibling) {
-- DeviceState *dev = kid->child;
-+ WITH_RCU_READ_LOCK_GUARD() {
-+ QTAILQ_FOREACH_RCU(kid, &bus->children, sibling) {
-+ DeviceState *dev = kid->child;
-
-- if (dev->id && strcmp(dev->id, id) == 0) {
-- return dev;
-- }
-+ if (dev->id && strcmp(dev->id, id) == 0) {
-+ return dev;
-+ }
-
-- QLIST_FOREACH(child, &dev->child_bus, sibling) {
-- ret = qdev_find_recursive(child, id);
-- if (ret) {
-- return ret;
-+ QLIST_FOREACH(child, &dev->child_bus, sibling) {
-+ ret = qdev_find_recursive(child, id);
-+ if (ret) {
-+ return ret;
-+ }
- }
- }
- }
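Review bot: in qdev_find_recursive() the inner `QLIST_FOREACH(child, &dev->child_bus, sibling)` is still a plain traversal even though it now sits inside the RCU read section, so the function reads as RCU-safe while only the children list is. Add a comment that the child_bus list still requires the BQL, so that nobody calls this from a thread that holds only the read lock.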
-diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
-index 4f277985f64be532c8151a0ac09b..3c604bfe22e02a4e7b7f11f80769 100644
---- a/hw/scsi/scsi-bus.c
-+++ b/hw/scsi/scsi-bus.c
-@@ -412,7 +412,10 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
- id = r->req.dev->id;
- found_lun0 = false;
- n = 0;
-- QTAILQ_FOREACH(kid, &r->req.bus->qbus.children, sibling) {
-+
-+ RCU_READ_LOCK_GUARD();
-+
-+ QTAILQ_FOREACH_RCU(kid, &r->req.bus->qbus.children, sibling) {
- DeviceState *qdev = kid->child;
- SCSIDevice *dev = SCSI_DEVICE(qdev);
-
-@@ -433,7 +436,7 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
- memset(r->buf, 0, len);
- stl_be_p(&r->buf[0], n);
- i = found_lun0 ? 8 : 16;
-- QTAILQ_FOREACH(kid, &r->req.bus->qbus.children, sibling) {
-+ QTAILQ_FOREACH_RCU(kid, &r->req.bus->qbus.children, sibling) {
- DeviceState *qdev = kid->child;
- SCSIDevice *dev = SCSI_DEVICE(qdev);
-
-@@ -442,6 +445,7 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
- i += 8;
- }
- }
-+
- assert(i == n + 8);
- r->len = len;
- return true;
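Review bot: scsi_target_emulate_report_luns() walks qbus.children twice under one RCU_READ_LOCK_GUARD(), but a read lock does not stop a writer from inserting or removing a child between the two passes. The second pass advances i by 8 per match after r->buf has been cleared to len bytes and n has been stored from the first pass, so the two can disagree during a concurrent hotplug or unplug: `assert(i == n + 8)` fires, or the writes run past len. Consider collecting the matching LUNs in a single pass and building the buffer from that snapshot.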
-@@ -1584,7 +1588,8 @@ SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun)
- BusChild *kid;
- SCSIDevice *target_dev = NULL;
-
-- QTAILQ_FOREACH(kid, &bus->qbus.children, sibling) {
-+ RCU_READ_LOCK_GUARD();
-+ QTAILQ_FOREACH_RCU(kid, &bus->qbus.children, sibling) {
- DeviceState *qdev = kid->child;
- SCSIDevice *dev = SCSI_DEVICE(qdev);
-
-@@ -1603,6 +1608,7 @@ SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun)
- }
- }
- }
-+
- return target_dev;
- }
-
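Review bot: scsi_device_find() hands target_dev back to the caller after the function-scope RCU_READ_LOCK_GUARD() has been released, with no reference taken. A caller running without the BQL can then use a SCSIDevice whose BusChild has already been removed. Take a reference before returning and have callers drop it, or document that the result is only stable under the BQL.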
-diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
-index 2e5bcf442384905d8d80fd487eea..52c3a964ecb112a9d1c00bfbe57d 100644
---- a/hw/scsi/virtio-scsi.c
-+++ b/hw/scsi/virtio-scsi.c
-@@ -374,12 +374,16 @@ static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req)
- case VIRTIO_SCSI_T_TMF_I_T_NEXUS_RESET:
- target = req->req.tmf.lun[1];
- s->resetting++;
-- QTAILQ_FOREACH(kid, &s->bus.qbus.children, sibling) {
-+
-+ rcu_read_lock();
-+ QTAILQ_FOREACH_RCU(kid, &s->bus.qbus.children, sibling) {
- d = SCSI_DEVICE(kid->child);
- if (d->channel == 0 && d->id == target) {
- qdev_reset_all(&d->qdev);
- }
- }
-+ rcu_read_unlock();
-+
- s->resetting--;
- break;
-
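Review bot: the VIRTIO_SCSI_T_TMF_I_T_NEXUS_RESET case uses an explicit rcu_read_lock()/rcu_read_unlock() pair where the rest of this patch uses the guard macros. Wrapping the loop in WITH_RCU_READ_LOCK_GUARD() keeps the style consistent and avoids a missed unlock if an early exit is ever added. Note also that qdev_reset_all() now runs inside the read section, so it must not wait on RCU.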
-diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
-index 2b0186f0af593deee82a02693589..bcc0c572c5a4ed431219fd902ece 100644
---- a/include/hw/qdev-core.h
-+++ b/include/hw/qdev-core.h
-@@ -3,6 +3,8 @@
-
- #include "qemu/queue.h"
- #include "qemu/bitmap.h"
-+#include "qemu/rcu.h"
-+#include "qemu/rcu_queue.h"
- #include "qom/object.h"
- #include "hw/hotplug.h"
-
-@@ -216,6 +218,7 @@ struct BusClass {
- };
-
- typedef struct BusChild {
-+ struct rcu_head rcu;
- DeviceState *child;
- int index;
- QTAILQ_ENTRY(BusChild) sibling;
-@@ -235,6 +238,12 @@ struct BusState {
- int max_index;
- bool realized;
- int num_children;
-+
-+ /*
-+ * children is a RCU QTAILQ, thus readers must use RCU to access it,
-+ * and writers must hold the big qemu lock
-+ */
-+
- QTAILQ_HEAD(, BusChild) children;
- QLIST_ENTRY(BusState) sibling;
- };
+++ /dev/null
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Tue, 6 Oct 2020 15:39:00 +0300
-Subject: device-core: use atomic_set on .realized property
-
-Git-commit: a23151e8cc8cc08546252dc9c7671171d9c44615
-References: bsc#1184574
-
-Some code might race with placement of new devices on a bus.
-We currently first place a (unrealized) device on the bus
-and then realize it.
-
-As a workaround, users that scan the child device list, can
-check the realized property to see if it is safe to access such a device.
-Use an atomic write here too to aid with this.
-
-A separate discussion is what to do with devices that are unrealized:
-It looks like for this case we only call the hotplug handler's unplug
-callback and its up to it to unrealize the device.
-An atomic operation doesn't cause harm for this code path though.
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-Id: <20200913160259.32145-6-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-Id: <20201006123904.610658-10-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- hw/core/qdev.c | 19 ++++++++++++++++++-
- include/hw/qdev-core.h | 2 ++
- 2 files changed, 20 insertions(+), 1 deletion(-)
-
-diff --git a/hw/core/qdev.c b/hw/core/qdev.c
-index 917f3f6ae2efbcf01c8ed65a3d34..d261c36e760db0cbabcda626d187 100644
---- a/hw/core/qdev.c
-+++ b/hw/core/qdev.c
-@@ -937,7 +937,25 @@ static void device_set_realized(Object *obj, bool value, Error **errp)
- }
- }
-
-+ atomic_store_release(&dev->realized, value);
-+
- } else if (!value && dev->realized) {
-+
-+ /*
-+ * Change the value so that any concurrent users are aware
-+ * that the device is going to be unrealized
-+ *
-+ * TODO: change .realized property to enum that states
-+ * each phase of the device realization/unrealization
-+ */
-+
-+ atomic_set(&dev->realized, value);
-+ /*
-+ * Ensure that concurrent users see this update prior to
-+ * any other changes done by unrealize.
-+ */
-+ smp_wmb();
-+
- Error **local_errp = NULL;
- QLIST_FOREACH(bus, &dev->child_bus, sibling) {
- local_errp = local_err ? NULL : &local_err;
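Review bot: in the unrealize branch of device_set_realized() the new atomic_set() and smp_wmb() statements sit above `Error **local_errp = NULL;`, which leaves a declaration after statements; move the declaration to the top of the block. The realize branch publishes with atomic_store_release() while this branch uses atomic_set() followed by smp_wmb(), so a short comment on why the two directions need different ordering would help readers pair them with the atomic_load_acquire() that the header comment asks for.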
-@@ -959,7 +977,6 @@ static void device_set_realized(Object *obj, bool value, Error **errp)
- goto fail;
- }
-
-- dev->realized = value;
- return;
-
- child_realize_fail:
-diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
-index bcc0c572c5a4ed431219fd902ece..66d031683f461a5fa6b854057299 100644
---- a/include/hw/qdev-core.h
-+++ b/include/hw/qdev-core.h
-@@ -143,6 +143,8 @@ struct NamedGPIOList {
- /**
- * DeviceState:
- * @realized: Indicates whether the device has been fully constructed.
-+ * When accessed outsize big qemu lock, must be accessed with
-+ * atomic_load_acquire()
- *
- * This structure should not be accessed directly. We declare it here
- * so that it can be embedded in individual device state structures.
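Review bot: typo in the new @realized doc text, "outsize big qemu lock" should read "outside the big qemu lock". This sentence is the only place the locking rule for readers is stated, so the wording is worth getting right.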
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Wed, 7 Oct 2020 07:37:41 -0400
-Subject: device-plug-test: use qtest_qmp to send the device_del command
-
-Git-commit: c45a70d8c271056896a057fbcdc7743a2942d0ec
-References: bsc#1184574
-
-Simplify the code now that events are buffered. There is no need
-anymore to separate sending the command and retrieving the response.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- tests/device-plug-test.c | 32 +++++++++-----------------------
- 1 file changed, 9 insertions(+), 23 deletions(-)
-
-diff --git a/tests/device-plug-test.c b/tests/device-plug-test.c
-index f44bf0bb8496819391821a7b71da..1eb587762b143d6470f3080e6371 100644
---- a/tests/device-plug-test.c
-+++ b/tests/device-plug-test.c
-@@ -15,26 +15,17 @@
- #include "qapi/qmp/qdict.h"
- #include "qapi/qmp/qstring.h"
-
--static void device_del_start(QTestState *qtest, const char *id)
-+static void device_del(QTestState *qtest, const char *id)
- {
-- qtest_qmp_send(qtest,
-- "{'execute': 'device_del', 'arguments': { 'id': %s } }", id);
--}
-+ QDict *resp;
-
--static void device_del_finish(QTestState *qtest)
--{
-- QDict *resp = qtest_qmp_receive_dict(qtest);
-+ resp = qtest_qmp(qtest,
-+ "{'execute': 'device_del', 'arguments': { 'id': %s } }", id);
-
- g_assert(qdict_haskey(resp, "return"));
- qobject_unref(resp);
- }
-
--static void device_del_request(QTestState *qtest, const char *id)
--{
-- device_del_start(qtest, id);
-- device_del_finish(qtest);
--}
--
- static void system_reset(QTestState *qtest)
- {
- QDict *resp;
-@@ -79,7 +70,7 @@ static void test_pci_unplug_request(void)
- * be processed. However during system reset, the removal will be
- * handled, removing the device.
- */
-- device_del_request(qtest, "dev0");
-+ device_del(qtest, "dev0");
- system_reset(qtest);
- wait_device_deleted_event(qtest, "dev0");
-
-@@ -90,13 +81,8 @@ static void test_ccw_unplug(void)
- {
- QTestState *qtest = qtest_initf("-device virtio-balloon-ccw,id=dev0");
-
-- /*
-- * The DEVICE_DELETED events will be sent before the command
-- * completes.
-- */
-- device_del_start(qtest, "dev0");
-+ device_del(qtest, "dev0");
- wait_device_deleted_event(qtest, "dev0");
-- device_del_finish(qtest);
-
- qtest_quit(qtest);
- }
-@@ -109,7 +95,7 @@ static void test_spapr_cpu_unplug_request(void)
- "-device power9_v2.0-spapr-cpu-core,core-id=1,id=dev0");
-
- /* similar to test_pci_unplug_request */
-- device_del_request(qtest, "dev0");
-+ device_del(qtest, "dev0");
- system_reset(qtest);
- wait_device_deleted_event(qtest, "dev0");
-
-@@ -125,7 +111,7 @@ static void test_spapr_memory_unplug_request(void)
- "-device pc-dimm,id=dev0,memdev=mem0");
-
- /* similar to test_pci_unplug_request */
-- device_del_request(qtest, "dev0");
-+ device_del(qtest, "dev0");
- system_reset(qtest);
- wait_device_deleted_event(qtest, "dev0");
-
-@@ -139,7 +125,7 @@ static void test_spapr_phb_unplug_request(void)
- qtest = qtest_initf("-device spapr-pci-host-bridge,index=1,id=dev0");
-
- /* similar to test_pci_unplug_request */
-- device_del_request(qtest, "dev0");
-+ device_del(qtest, "dev0");
- system_reset(qtest);
- wait_device_deleted_event(qtest, "dev0");
-
+++ /dev/null
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Tue, 6 Oct 2020 14:38:58 +0200
-Subject: device_core: use drain_call_rcu in in qmp_device_add
-
-Git-commit: 7bed89958bfbf40df9ca681cefbdca63abdde39d
-References: bsc#1184574
-
-Soon, a device removal might only happen on RCU callback execution.
-This is okay for device-del which provides a DEVICE_DELETED event,
-but not for the failure case of device-add. To avoid changing
-monitor semantics, just drain all pending RCU callbacks on error.
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Suggested-by: Stefan Hajnoczi <stefanha@gmail.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-Id: <20200913160259.32145-4-mlevitsk@redhat.com>
-[Don't use it in qmp_device_del. - Paolo]
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- qdev-monitor.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/qdev-monitor.c b/qdev-monitor.c
-index dc0323051e33833c4bcb638c7657..ade59c9ec6a54a258cc5ab21ace4 100644
---- a/qdev-monitor.c
-+++ b/qdev-monitor.c
-@@ -796,6 +796,18 @@ void qmp_device_add(QDict *qdict, QObject **ret_data, Error **errp)
- return;
- }
- dev = qdev_device_add(opts, &local_err);
-+
-+ /*
-+ * Drain all pending RCU callbacks. This is done because
-+ * some bus related operations can delay a device removal
-+ * (in this case this can happen if device is added and then
-+ * removed due to a configuration error)
-+ * to a RCU callback, but user might expect that this interface
-+ * will finish its job completely once qmp command returns result
-+ * to the user
-+ */
-+ drain_call_rcu();
-+
- if (!dev) {
- error_propagate(errp, local_err);
- qemu_opts_del(opts);
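Review bot: drain_call_rcu() is called unconditionally after qdev_device_add(), but the comment above it and the commit message describe it as needed only when the add fails and the device is removed again. If the success path does not need it, move the call inside the `if (!dev)` branch so the common path does not wait for a grace period; otherwise reword the comment to say why success needs it too.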
+++ /dev/null
-From: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Date: Mon, 21 Jun 2021 08:38:32 +0200
-Subject: dhcp: Always send DHCP_OPT_LEN bytes in options
-
-Git-commit: d7fb54218424c3b2517aee5b391ced0f75386a5d
-References: bsc#1187364, CVE-2021-3592
-
-RFC2131 suggests that the options field may be at least 312 bytes.
-Some DHCP clients seem to assume that it has to be at least 312 bytes.
-
-Fixes #51
-Fixes: f13cad45b25d92760bb0ad67bec0300a4d7d5275 ("bootp: limit
-vendor-specific area to input packet memory buffer")
-
-Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- src/bootp.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c
-index cafa1eb1f36ad010c36f2fbb343e..d78d61b44cdcb47ba7f7019bdffb 100644
---- a/slirp/src/bootp.c
-+++ b/slirp/src/bootp.c
-@@ -355,11 +355,13 @@ static void bootp_reply(Slirp *slirp,
- q += sizeof(nak_msg) - 1;
- }
- assert(q < end);
-- *q = RFC1533_END;
-+ *q++ = RFC1533_END;
-
- daddr.sin_addr.s_addr = 0xffffffffu;
-
-- m->m_len = sizeof(struct bootp_t) - sizeof(struct ip) - sizeof(struct udphdr);
-+ assert(q <= end);
-+
-+ m->m_len = sizeof(struct bootp_t) + (end - rbp->bp_vend) - sizeof(struct ip) - sizeof(struct udphdr);
- udp_output(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY);
- }
-
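Review bot: m->m_len now always extends to end, so the bytes between q and end are sent on the wire even though this hunk never writes them. Please confirm that the option area is zero-filled before the options are built, or clear the range from q to end here; otherwise the padding can carry stale buffer contents to the guest. The new m_len line is also well over 80 columns and should be wrapped.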
+++ /dev/null
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 24 Feb 2021 12:57:40 +0800
-Subject: dp8393x: switch to use qemu_receive_packet() for loopback packet
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 331d2ac9ea307c990dc86e6493e8f0c48d14bb33
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/net/dp8393x.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
-index 6433cae0f5947469e516ff2f5eeb..6bd5005dabaf6aa1ed2d254e4aec 100644
---- a/hw/net/dp8393x.c
-+++ b/hw/net/dp8393x.c
-@@ -499,7 +499,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
- s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
- if (nc->info->can_receive(nc)) {
- s->loopback_packet = 1;
-- nc->info->receive(nc, s->tx_buffer, tx_len);
-+ qemu_receive_packet(nc, s->tx_buffer, tx_len);
- }
- } else {
- /* Transmit packet */
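Review bot: the return value of qemu_receive_packet() is discarded, and s->loopback_packet is set to 1 just before the call. If the reentrancy check makes qemu_receive_packet() return early, please confirm that loopback_packet is still cleared, since nothing in this hunk resets it on that path.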
+++ /dev/null
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 24 Feb 2021 13:45:28 +0800
-Subject: e1000: fail early for evil descriptor
-
-Git-commit: 3de46e6fc489c52c9431a8a832ad8170a7569bd8
-References: bsc#1182577, CVE-2021-20257
-
-During procss_tx_desc(), driver can try to chain data descriptor with
-legacy descriptor, when will lead underflow for the following
-calculation in process_tx_desc() for bytes:
-
- if (tp->size + bytes > msh)
- bytes = msh - tp->size;
-
-This will lead a infinite loop. So check and fail early if tp->size if
-greater or equal to msh.
-
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
-Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/net/e1000.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/hw/net/e1000.c b/hw/net/e1000.c
-index a73f8d404e6c75e90237fdbf2a05..d1404ea531936774516196445b33 100644
---- a/hw/net/e1000.c
-+++ b/hw/net/e1000.c
-@@ -671,6 +671,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
- msh = tp->tso_props.hdr_len + tp->tso_props.mss;
- do {
- bytes = split_size;
-+ if (tp->size >= msh) {
-+ goto eop;
-+ }
- if (tp->size + bytes > msh)
- bytes = msh - tp->size;
-
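Review bot: the new `if (tp->size >= msh)` check that jumps to eop has no comment, and the reason it can be true (a data descriptor chained with a legacy descriptor, per the commit message) is not obvious from the code. Add a one-line comment, and consider a trace point so a rejected descriptor is visible when debugging. The check also uses braces while the `if (tp->size + bytes > msh)` directly below does not; bracing that one too keeps the block consistent.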
-@@ -696,6 +699,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
- tp->size += split_size;
- }
-
-+eop:
- if (!(txd_lower & E1000_TXD_CMD_EOP))
- return;
- if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
+++ /dev/null
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 24 Feb 2021 12:13:22 +0800
-Subject: e1000: switch to use qemu_receive_packet() for loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 1caff0340f49c93d535c6558a5138d20d475315c
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/net/e1000.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/e1000.c b/hw/net/e1000.c
-index d1404ea531936774516196445b33..9c486038f4f41896b9779ab5fb1d 100644
---- a/hw/net/e1000.c
-+++ b/hw/net/e1000.c
-@@ -547,7 +547,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
-
- NetClientState *nc = qemu_get_queue(s->nic);
- if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
-- nc->info->receive(nc, buf, size);
-+ qemu_receive_packet(nc, buf, size);
- } else {
- qemu_send_packet(nc, buf, size);
- }
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Mon, 26 Aug 2019 13:28:57 -0600
-Subject: enable cross compilation on ARM
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/roms/seabios/Makefile b/roms/seabios/Makefile
-index ca8d0283922bbfa931e85511e921..d807c558ef0f09b5975f6ccc38f1 100644
---- a/roms/seabios/Makefile
-+++ b/roms/seabios/Makefile
-@@ -13,7 +13,7 @@ export CONFIG_SHELL := sh
- export KCONFIG_AUTOHEADER := autoconf.h
- export KCONFIG_CONFIG := $(CURDIR)/.config
- export LC_ALL := C
--CROSS_PREFIX=
-+CROSS_PREFIX=$(CROSS_COMPILE)
- ifneq ($(CROSS_PREFIX),)
- CC=$(CROSS_PREFIX)gcc
- endif
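Review bot: `CROSS_PREFIX=$(CROSS_COMPILE)` picks up CROSS_COMPILE from the environment, so a native build in a shell that exports CROSS_COMPILE for some other project will silently switch CC to that toolchain. The commit message has no body; please document where CROSS_COMPILE is expected to be set, and add a comment next to the assignment.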
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Fri, 1 Nov 2019 19:32:57 -0600
-Subject: ensure headers included are compatible with freestanding mode
-
-Certain standard headers are designated for use in freestanding mode
-while others are prohibited. To conform to these rules, use <stdint.h>
-instead of <inttypes.h> as well as switch one <string.h> reference to
-the "string.h" implemented in project.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- include/bios.h | 2 +-
- malloc.c | 2 +-
- pci.c | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/roms/qboot/include/bios.h b/roms/qboot/include/bios.h
-index f36638b977864c220bf3ed9a612f..7f8f677671d7b47e7c07f800646c 100644
---- a/roms/qboot/include/bios.h
-+++ b/roms/qboot/include/bios.h
-@@ -1,7 +1,7 @@
- #ifndef BIOS_H_
- #define BIOS_H_
-
--#include <inttypes.h>
-+#include <stdint.h>
- #include <stddef.h>
- #include <stdbool.h>
-
-diff --git a/roms/qboot/malloc.c b/roms/qboot/malloc.c
-index 8738373b774358425b2767fc7e9f..bd0ac0f23ee1e3c4a8f5e003ff1d 100644
---- a/roms/qboot/malloc.c
-+++ b/roms/qboot/malloc.c
-@@ -1,4 +1,4 @@
--#include <inttypes.h>
-+#include <stdint.h>
- #include "string.h"
- #include "bios.h"
-
-diff --git a/roms/qboot/pci.c b/roms/qboot/pci.c
-index 65c9e81793ab7aad9b5d1679e78e..63ebda6a0580463ea2b562317cec 100644
---- a/roms/qboot/pci.c
-+++ b/roms/qboot/pci.c
-@@ -1,7 +1,7 @@
- #include "bios.h"
- #include "ioport.h"
- #include "pci.h"
--#include <string.h>
-+#include "string.h"
-
- static uint16_t addend;
- static uint8_t bus, bridge_head;
+++ /dev/null
-From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
-Date: Wed, 7 Apr 2021 20:57:50 +0100
-Subject: esp: always check current_req is not NULL before use in DMA callbacks
-
-Git-commit: 0db895361b8a82e1114372ff9f4857abea605701
-References: bsc#1180433, CVE-2020-35504
- bsc#1180434, CVE-2020-35505
- bsc#1180435, CVE-2020-35506
-
-After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel
-callback which resets both current_req and current_dev to NULL. If any data
-is left in the transfer buffer (async_len != 0) then the next TI (Transfer
-Information) command will attempt to reference the NULL pointer causing a
-segfault.
-
-Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
-Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
-Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
-Tested-by: Alexander Bulekov <alxndr@bu.edu>
-Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/scsi/esp.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index f8fc30cccbd4478482b8291ac103..b5e6a50f5cb731a9815b655c9ae0 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -365,6 +365,11 @@ static void do_dma_pdma_cb(ESPState *s)
- s->dma_left -= len;
- s->async_buf += len;
- s->async_len -= len;
-+
-+ if (!s->current_req) {
-+ return;
-+ }
-+
- if (to_device) {
- s->ti_size += len;
- } else {
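Review bot: in do_dma_pdma_cb() the new `if (!s->current_req)` check comes after dma_left, async_buf and async_len have already been adjusted, whereas in esp_do_dma() the same check is placed before any state is touched. After a cancel, that bookkeeping belongs to a request that no longer exists, so it would be cleaner to test current_req before the three updates, or to comment why they must still happen.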
-@@ -415,6 +420,9 @@ static void esp_do_dma(ESPState *s)
- do_cmd(s, s->cmdbuf);
- return;
- }
-+ if (!s->current_req) {
-+ return;
-+ }
- if (s->async_len == 0) {
- /* Defer until data is available. */
- return;
+++ /dev/null
-From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
-Date: Wed, 7 Apr 2021 20:57:59 +0100
-Subject: esp: don't reset async_len directly in esp_select() if cancelling
- request
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 324c8809897c8c53ad05c3a7147d272f1711cd5e
-References: bsc#1180433, CVE-2020-35504
- bsc#1180434, CVE-2020-35505
- bsc#1180435, CVE-2020-35506
-
-Instead let the SCSI layer invoke the .cancel callback itself to cancel and
-reset the request state.
-
-Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
-Tested-by: Alexander Bulekov <alxndr@bu.edu>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-Id: <20210407195801.685-11-mark.cave-ayland@ilande.co.uk>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/scsi/esp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 0f88689eb8b0dfbec5654870f10b..8445ebdb1f14f911498289fb3c73 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -93,6 +93,7 @@ void esp_request_cancelled(SCSIRequest *req)
- scsi_req_unref(s->current_req);
- s->current_req = NULL;
- s->current_dev = NULL;
-+ s->async_len = 0;
- }
- }
-
-@@ -133,7 +134,6 @@ static int get_cmd_cb(ESPState *s)
- if (s->current_req) {
- /* Started a new command before the old one finished. Cancel it. */
- scsi_req_cancel(s->current_req);
-- s->async_len = 0;
- }
-
- s->current_dev = scsi_device_find(&s->bus, 0, target, 0);
+++ /dev/null
-From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
-Date: Wed, 7 Apr 2021 20:57:55 +0100
-Subject: esp: ensure cmdfifo is not empty and current_dev is non-NULL
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 99545751734035b76bd372c4e7215bb337428d89
-References: bsc#1180433, CVE-2020-35504
- bsc#1180434, CVE-2020-35505
- bsc#1180435, CVE-2020-35506
-
-When about to execute a SCSI command, ensure that cmdfifo is not empty and
-current_dev is non-NULL. This can happen if the guest tries to execute a TI
-(Transfer Information) command without issuing one of the select commands
-first.
-
-Buglink: https://bugs.launchpad.net/qemu/+bug/1910723
-Buglink: https://bugs.launchpad.net/qemu/+bug/1909247
-Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Tested-by: Alexander Bulekov <alxndr@bu.edu>
-Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/scsi/esp.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index b5e6a50f5cb731a9815b655c9ae0..0f88689eb8b0dfbec5654870f10b 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -193,6 +193,11 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid)
-
- trace_esp_do_busid_cmd(busid);
- lun = busid & 7;
-+
-+ if (!s->current_dev) {
-+ return;
-+ }
-+
- current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
- s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
- datalen = scsi_req_enqueue(s->current_req);
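Review bot: the subject says the patch ensures cmdfifo is not empty and current_dev is non-NULL, but the hunk in do_busid_cmd() only adds the `if (!s->current_dev)` check. Either add the cmdfifo check or adjust the message for this backport. The result of scsi_device_find() is also passed to scsi_req_new() as current_lun without a NULL check.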
+++ /dev/null
-From: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
-Date: Wed, 7 Apr 2021 20:58:00 +0100
-Subject: esp: ensure that do_cmd is set to zero before submitting an ESP
- select command
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 607206948cacda4a80be5b976dba490970a18a76
-References: bsc#1180433, CVE-2020-35504
- bsc#1180434, CVE-2020-35505
- bsc#1180435, CVE-2020-35506
-
-When a CDB has been received and is about to be submitted to the SCSI layer
-via one of the ESP select commands, ensure that do_cmd is set to zero before
-executing the command.
-
-Otherwise a guest executing 2 valid CDBs in quick sequence can invoke the SCSI
-.transfer_data callback again before do_cmd is set to zero by the callback
-function triggering an assert at the start of esp_transfer_data().
-
-Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-Id: <20210407195801.685-12-mark.cave-ayland@ilande.co.uk>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/scsi/esp.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 8445ebdb1f14f911498289fb3c73..e1072a3c5afca523b0ac2b51ae15 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -246,8 +246,10 @@ static void handle_satn(ESPState *s)
- }
- s->pdma_cb = satn_pdma_cb;
- len = get_cmd(s, buf, sizeof(buf));
-- if (len)
-+ if (len) {
-+ s->do_cmd = 0;
- do_cmd(s, buf);
-+ }
- }
-
- static void s_without_satn_pdma_cb(ESPState *s)
-@@ -272,6 +274,7 @@ static void handle_s_without_atn(ESPState *s)
- s->pdma_cb = s_without_satn_pdma_cb;
- len = get_cmd(s, buf, sizeof(buf));
- if (len) {
-+ s->do_cmd = 0;
- do_busid_cmd(s, buf, 0);
- }
- }
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 26 May 2020 16:47:43 +0530
-Subject: exec: set map length to zero when returning NULL
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 77f55eac6c433e23e82a1b88b2d74f385c4c7d82
-References: bsc#1172386, CVE-2020-13659
-
-When mapping physical memory into host's virtual address space,
-'address_space_map' may return NULL if BounceBuffer is in_use.
-Set and return '*plen = 0' to avoid later NULL pointer dereference.
-
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
-Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
-Suggested-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- exec.c | 1 +
- include/exec/memory.h | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/exec.c b/exec.c
-index ffdb5185353bdbacc613d4730228..43c70ffbfd37bbd20d9481d1f90b 100644
---- a/exec.c
-+++ b/exec.c
-@@ -3528,6 +3528,7 @@ void *address_space_map(AddressSpace *as,
-
- if (!memory_access_is_direct(mr, is_write)) {
- if (atomic_xchg(&bounce.in_use, true)) {
-+ *plen = 0;
- return NULL;
- }
- /* Avoid unbounded allocations */
-diff --git a/include/exec/memory.h b/include/exec/memory.h
-index e499dc215b3021a11e981ff6d982..2b8bccdd8c1e641f092fcc9d8517 100644
---- a/include/exec/memory.h
-+++ b/include/exec/memory.h
-@@ -2084,7 +2084,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
- /* address_space_map: map a physical memory region into a host virtual address
- *
- * May map a subset of the requested range, given by and returned in @plen.
-- * May return %NULL if resources needed to perform the mapping are exhausted.
-+ * May return %NULL and set *@plen to zero(0), if resources needed to perform
-+ * the mapping are exhausted.
- * Use only for reads OR writes - not for read-modify-write operations.
- * Use cpu_register_map_client() to know when retrying the map operation is
- * likely to succeed.
+++ /dev/null
-From: Lin Ma <lma@suse.com>
-Date: Mon, 13 Sep 2021 17:06:36 +0800
-Subject: file-posix: fix max_iov for /dev/sg devices
-
-Git-commit: 8ad5ab6148dca8aad297c134c09c84b0b92d45ed
-References: bsc#1190425
-
-Even though it was only called for devices that have bs->sg set (which
-must be character devices), sg_get_max_segments looked at /sys/dev/block
-which only works for block devices.
-
-On Linux the sg driver has its own way to provide the maximum number of
-iovecs in a scatter/gather list, so add support for it. The block device
-path is kept because it will be reinstated in the next patches.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Max Reitz <mreitz@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- block/file-posix.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/block/file-posix.c b/block/file-posix.c
-index 1b805bd9381f2c8f057d6459fc62..e3cf5a160a46030b4e07b7b61203 100644
---- a/block/file-posix.c
-+++ b/block/file-posix.c
-@@ -1088,6 +1088,17 @@ static int sg_get_max_segments(int fd)
- goto out;
- }
-
-+ if (S_ISCHR(st.st_mode)) {
-+ if (ioctl(fd, SG_GET_SG_TABLESIZE, &ret) == 0) {
-+ return ret;
-+ }
-+ return -ENOTSUP;
-+ }
-+
-+ if (!S_ISBLK(st.st_mode)) {
-+ return -ENOTSUP;
-+ }
-+
- sysfspath = g_strdup_printf("/sys/dev/block/%u:%u/queue/max_segments",
- major(st.st_rdev), minor(st.st_rdev));
- sysfd = open(sysfspath, O_RDONLY);
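Review bot: in the S_ISCHR branch a failed `ioctl(fd, SG_GET_SG_TABLESIZE, &ret)` is reported as -ENOTSUP, which hides the real errno from the caller; returning -errno there would make failures easier to diagnose. Both new early returns skip the `goto out` cleanup and are safe only because they come before sysfspath is allocated, so a short comment would help keep it that way.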
+++ /dev/null
-From: Lin Ma <lma@suse.com>
-Date: Mon, 13 Sep 2021 17:08:11 +0800
-Subject: file-posix: try BLKSECTGET on block devices too, do not round to
- power of 2
-
-Git-commit: 18473467d55a20d643b6c9b3a52de42f705b4d35
-References: bsc#1190425
-
-bs->sg is only true for character devices, but block devices can also
-be used with scsi-block and scsi-generic. Unfortunately BLKSECTGET
-returns bytes in an int for /dev/sgN devices, and sectors in a short
-for block devices, so account for that in the code.
-
-The maximum transfer also need not be a power of 2 (for example I have
-seen disks with 1280 KiB maximum transfer) so there's no need to pass
-the result through pow2floor.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- block/file-posix.c | 57 +++++++++++++++++++++++++++-------------------
- 1 file changed, 33 insertions(+), 24 deletions(-)
-
-diff --git a/block/file-posix.c b/block/file-posix.c
-index 59149186c6937907070a2683a82a..7dcd24c6fdb9618c527f2f884c32 100644
---- a/block/file-posix.c
-+++ b/block/file-posix.c
-@@ -1057,22 +1057,27 @@ static void raw_reopen_abort(BDRVReopenState *state)
- s->reopen_state = NULL;
- }
-
--static int sg_get_max_transfer_length(int fd)
-+static int hdev_get_max_hw_transfer(int fd, struct stat *st)
- {
- #ifdef BLKSECTGET
-- int max_bytes = 0;
--
-- if (ioctl(fd, BLKSECTGET, &max_bytes) == 0) {
-- return max_bytes;
-+ if (S_ISBLK(st->st_mode)) {
-+ unsigned short max_sectors = 0;
-+ if (ioctl(fd, BLKSECTGET, &max_sectors) == 0) {
-+ return max_sectors * 512;
-+ }
- } else {
-- return -errno;
-+ int max_bytes = 0;
-+ if (ioctl(fd, BLKSECTGET, &max_bytes) == 0) {
-+ return max_bytes;
-+ }
- }
-+ return -errno;
- #else
- return -ENOSYS;
- #endif
- }
-
--static int sg_get_max_segments(int fd)
-+static int hdev_get_max_segments(int fd, struct stat *st)
- {
- #ifdef CONFIG_LINUX
- char buf[32];
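Review bot: In the `S_ISBLK` branch of `hdev_get_max_hw_transfer`, `return max_sectors * 512;` hard-codes the unit conversion with no comment. A named constant, or a one-line comment stating that BLKSECTGET reports 512-byte sectors in a short for block devices and bytes in an int for /dev/sgN (as the commit message explains), would stop someone from later "unifying" the two differently typed buffers passed to the same ioctl.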
-@@ -1081,26 +1086,20 @@ static int sg_get_max_segments(int fd)
- int ret;
- int sysfd = -1;
- long max_segments;
-- struct stat st;
-
-- if (fstat(fd, &st)) {
-- ret = -errno;
-- goto out;
-- }
--
-- if (S_ISCHR(st.st_mode)) {
-+ if (S_ISCHR(st->st_mode)) {
- if (ioctl(fd, SG_GET_SG_TABLESIZE, &ret) == 0) {
- return ret;
- }
- return -ENOTSUP;
- }
-
-- if (!S_ISBLK(st.st_mode)) {
-+ if (!S_ISBLK(st->st_mode)) {
- return -ENOTSUP;
- }
-
- sysfspath = g_strdup_printf("/sys/dev/block/%u:%u/queue/max_segments",
-- major(st.st_rdev), minor(st.st_rdev));
-+ major(st->st_rdev), minor(st->st_rdev));
- sysfd = open(sysfspath, O_RDONLY);
- if (sysfd == -1) {
- ret = -errno;
-@@ -1137,23 +1136,33 @@ out:
- static void raw_refresh_limits(BlockDriverState *bs, Error **errp)
- {
- BDRVRawState *s = bs->opaque;
-+ struct stat st;
-+
-+ raw_probe_alignment(bs, s->fd, errp);
-+ bs->bl.min_mem_alignment = s->buf_align;
-+ bs->bl.opt_mem_alignment = MAX(s->buf_align, qemu_real_host_page_size);
-
-- if (bs->sg) {
-- int ret = sg_get_max_transfer_length(s->fd);
-+ /*
-+ * Maximum transfers are best effort, so it is okay to ignore any
-+ * errors. That said, based on the man page errors in fstat would be
-+ * very much unexpected; the only possible case seems to be ENOMEM.
-+ */
-+ if (fstat(s->fd, &st)) {
-+ return;
-+ }
-+
-+ if (bs->sg || S_ISBLK(st.st_mode)) {
-+ int ret = hdev_get_max_hw_transfer(s->fd, &st);
-
- if (ret > 0 && ret <= BDRV_REQUEST_MAX_BYTES) {
-- bs->bl.max_hw_transfer = pow2floor(ret);
-+ bs->bl.max_hw_transfer = ret;
- }
-
-- ret = sg_get_max_segments(s->fd);
-+ ret = hdev_get_max_segments(s->fd, &st);
- if (ret > 0) {
- bs->bl.max_iov = ret;
- }
- }
--
-- raw_probe_alignment(bs, s->fd, errp);
-- bs->bl.min_mem_alignment = s->buf_align;
-- bs->bl.opt_mem_alignment = MAX(s->buf_align, qemu_real_host_page_size);
- }
-
- static int check_for_dasd(int fd)
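Review bot: `raw_probe_alignment(bs, s->fd, errp)` now runs first in `raw_refresh_limits`, but nothing checks whether it reported an error before the function continues to `fstat` and the transfer-limit probing. Before this change it was the last statement, so there was nothing left to skip. Consider returning right after the probe when it fails, so the limits are not filled in on top of an error the caller is about to act on.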
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Wed, 22 Apr 2020 08:50:55 -0600
-Subject: gcc10: maybe-uninitialized
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-References: boo#1169728
-
-gcc 10 needs some help to understand that indeed cpu_irqs[0] does get
-initialized in all cases. In this case an assert is sufficient.
-
-Reported-by: Martin Liška <mliska@suse.cz>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/openrisc/openrisc_sim.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/openrisc/openrisc_sim.c b/hw/openrisc/openrisc_sim.c
-index 79e70493fc77e50556a4a92a4231..bc4b71059ff6d922e3cdc83bfc79 100644
---- a/hw/openrisc/openrisc_sim.c
-+++ b/hw/openrisc/openrisc_sim.c
-@@ -134,6 +134,7 @@ static void openrisc_sim_init(MachineState *machine)
- int n;
- unsigned int smp_cpus = machine->smp.cpus;
-
-+ assert(smp_cpus >= 1 && smp_cpus <= 2);
- for (n = 0; n < smp_cpus; n++) {
- cpu = OPENRISC_CPU(cpu_create(machine->cpu_type));
- if (cpu == NULL) {
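Review bot: The added `assert(smp_cpus >= 1 && smp_cpus <= 2);` turns an out-of-range `machine->smp.cpus` into a process abort. If that value can reach `openrisc_sim_init` without being bounded elsewhere, an explicit check that reports an error is a better fit than an assert whose purpose is to quiet a compiler warning. If it is already bounded, a short comment saying the assert only documents the invariant for gcc 10's maybe-uninitialized analysis of `cpu_irqs[0]` would help the next reader.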
+++ /dev/null
-From: Liu Jingqi <jingqi.liu@intel.com>
-Date: Fri, 13 Dec 2019 09:19:25 +0800
-Subject: hmat acpi: Build Memory Proximity Domain Attributes Structure(s)
-
-Git-commit: e6f123c3b81241be33f1b763d0ff8b36d1ae9c1e
-References: jsc#SLE-8897
-
-HMAT is defined in ACPI 6.3: 5.2.27 Heterogeneous Memory Attribute Table
-(HMAT). The specification references below link:
-http://www.uefi.org/sites/default/files/resources/ACPI_6_3_final_Jan30.pdf
-
-It describes the memory attributes, such as memory side cache
-attributes and bandwidth and latency details, related to the
-Memory Proximity Domain. The software is
-expected to use this information as hint for optimization.
-
-This structure describes Memory Proximity Domain Attributes by memory
-subsystem and its associativity with processor proximity domain as well as
-hint for memory usage.
-
-In the linux kernel, the codes in drivers/acpi/hmat/hmat.c parse and report
-the platform's HMAT tables.
-
-Acked-by: Markus Armbruster <armbru@redhat.com>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Reviewed-by: Daniel Black <daniel@linux.ibm.com>
-Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
-Signed-off-by: Liu Jingqi <jingqi.liu@intel.com>
-Signed-off-by: Tao Xu <tao3.xu@intel.com>
-Message-Id: <20191213011929.2520-5-tao3.xu@intel.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/acpi/Kconfig | 7 ++-
- hw/acpi/Makefile.objs | 1 +
- hw/acpi/hmat.c | 99 +++++++++++++++++++++++++++++++++++++++++++
- hw/acpi/hmat.h | 42 ++++++++++++++++++
- hw/i386/acpi-build.c | 5 +++
- 5 files changed, 152 insertions(+), 2 deletions(-)
-
-diff --git a/hw/acpi/Kconfig b/hw/acpi/Kconfig
-index 12e3f1e86e62256bf274b554938b..54209c6f2f17d4ca0a737cb25403 100644
---- a/hw/acpi/Kconfig
-+++ b/hw/acpi/Kconfig
-@@ -7,6 +7,7 @@ config ACPI_X86
- select ACPI_NVDIMM
- select ACPI_CPU_HOTPLUG
- select ACPI_MEMORY_HOTPLUG
-+ select ACPI_HMAT
-
- config ACPI_X86_ICH
- bool
-@@ -23,6 +24,10 @@ config ACPI_NVDIMM
- bool
- depends on ACPI
-
-+config ACPI_HMAT
-+ bool
-+ depends on ACPI
-+
- config ACPI_PCI
- bool
- depends on ACPI && PCI
-@@ -33,5 +38,3 @@ config ACPI_VMGENID
- depends on PC
-
- config ACPI_HW_REDUCED
-- bool
-- depends on ACPI
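Review bot: The last Kconfig hunk removes `bool` and `depends on ACPI` from `config ACPI_HW_REDUCED`, which is unrelated to HMAT and leaves that symbol with no type or dependency. This looks like a rebase or merge accident. Drop that hunk from this patch, or move it to its own commit with a justification.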
-diff --git a/hw/acpi/Makefile.objs b/hw/acpi/Makefile.objs
-index 655a9c197341fed6fcea2062a30c..517bd88704769d8605dde18a6776 100644
---- a/hw/acpi/Makefile.objs
-+++ b/hw/acpi/Makefile.objs
-@@ -7,6 +7,7 @@ common-obj-$(CONFIG_ACPI_CPU_HOTPLUG) += cpu.o
- common-obj-$(CONFIG_ACPI_NVDIMM) += nvdimm.o
- common-obj-$(CONFIG_ACPI_VMGENID) += vmgenid.o
- common-obj-$(CONFIG_ACPI_HW_REDUCED) += generic_event_device.o
-+common-obj-$(CONFIG_ACPI_HMAT) += hmat.o
- common-obj-$(call lnot,$(CONFIG_ACPI_X86)) += acpi-stub.o
-
- common-obj-y += acpi_interface.o
-diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c
-new file mode 100644
-index 0000000000000000000000000000000000000000..9ff79308a497fe40a1b0a2f9a043ad3bebb2c3cb
---- /dev/null
-+++ b/hw/acpi/hmat.c
-@@ -0,0 +1,99 @@
-+/*
-+ * HMAT ACPI Implementation
-+ *
-+ * Copyright(C) 2019 Intel Corporation.
-+ *
-+ * Author:
-+ * Liu jingqi <jingqi.liu@linux.intel.com>
-+ * Tao Xu <tao3.xu@intel.com>
-+ *
-+ * HMAT is defined in ACPI 6.3: 5.2.27 Heterogeneous Memory Attribute Table
-+ * (HMAT)
-+ *
-+ * This library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public
-+ * License along with this library; if not, see <http://www.gnu.org/licenses/>
-+ */
-+
-+#include "qemu/osdep.h"
-+#include "sysemu/numa.h"
-+#include "hw/acpi/hmat.h"
-+
-+/*
-+ * ACPI 6.3:
-+ * 5.2.27.3 Memory Proximity Domain Attributes Structure: Table 5-145
-+ */
-+static void build_hmat_mpda(GArray *table_data, uint16_t flags,
-+ uint32_t initiator, uint32_t mem_node)
-+{
-+
-+ /* Memory Proximity Domain Attributes Structure */
-+ /* Type */
-+ build_append_int_noprefix(table_data, 0, 2);
-+ /* Reserved */
-+ build_append_int_noprefix(table_data, 0, 2);
-+ /* Length */
-+ build_append_int_noprefix(table_data, 40, 4);
-+ /* Flags */
-+ build_append_int_noprefix(table_data, flags, 2);
-+ /* Reserved */
-+ build_append_int_noprefix(table_data, 0, 2);
-+ /* Proximity Domain for the Attached Initiator */
-+ build_append_int_noprefix(table_data, initiator, 4);
-+ /* Proximity Domain for the Memory */
-+ build_append_int_noprefix(table_data, mem_node, 4);
-+ /* Reserved */
-+ build_append_int_noprefix(table_data, 0, 4);
-+ /*
-+ * Reserved:
-+ * Previously defined as the Start Address of the System Physical
-+ * Address Range. Deprecated since ACPI Spec 6.3.
-+ */
-+ build_append_int_noprefix(table_data, 0, 8);
-+ /*
-+ * Reserved:
-+ * Previously defined as the Range Length of the region in bytes.
-+ * Deprecated since ACPI Spec 6.3.
-+ */
-+ build_append_int_noprefix(table_data, 0, 8);
-+}
-+
-+/* Build HMAT sub table structures */
-+static void hmat_build_table_structs(GArray *table_data, NumaState *numa_state)
-+{
-+ uint16_t flags;
-+ int i;
-+
-+ for (i = 0; i < numa_state->num_nodes; i++) {
-+ flags = 0;
-+
-+ if (numa_state->nodes[i].initiator < MAX_NODES) {
-+ flags |= HMAT_PROXIMITY_INITIATOR_VALID;
-+ }
-+
-+ build_hmat_mpda(table_data, flags, numa_state->nodes[i].initiator, i);
-+ }
-+}
-+
-+void build_hmat(GArray *table_data, BIOSLinker *linker, NumaState *numa_state)
-+{
-+ int hmat_start = table_data->len;
-+
-+ /* reserve space for HMAT header */
-+ acpi_data_push(table_data, 40);
-+
-+ hmat_build_table_structs(table_data, numa_state);
-+
-+ build_header(linker, table_data,
-+ (void *)(table_data->data + hmat_start),
-+ "HMAT", table_data->len - hmat_start, 2, NULL, NULL);
-+}
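Review bot: In `hmat_build_table_structs`, `numa_state->nodes[i].initiator` is passed to `build_hmat_mpda` even when it is not `< MAX_NODES`, so an out-of-range value is written into the "Proximity Domain for the Attached Initiator" field with the valid flag clear. Writing 0 in that case keeps unset or sentinel values out of the guest-visible table. Separately, the literal 40 is used both as the MPDA Length and as the reserved HMAT header size in `build_hmat`; named constants would keep the two from being confused.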
-diff --git a/hw/acpi/hmat.h b/hw/acpi/hmat.h
-new file mode 100644
-index 0000000000000000000000000000000000000000..437dbc6872e82e4c1ae42a9ff16299465eec052f
---- /dev/null
-+++ b/hw/acpi/hmat.h
-@@ -0,0 +1,42 @@
-+/*
-+ * HMAT ACPI Implementation Header
-+ *
-+ * Copyright(C) 2019 Intel Corporation.
-+ *
-+ * Author:
-+ * Liu jingqi <jingqi.liu@linux.intel.com>
-+ * Tao Xu <tao3.xu@intel.com>
-+ *
-+ * HMAT is defined in ACPI 6.3: 5.2.27 Heterogeneous Memory Attribute Table
-+ * (HMAT)
-+ *
-+ * This library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public
-+ * License along with this library; if not, see <http://www.gnu.org/licenses/>
-+ */
-+
-+#ifndef HMAT_H
-+#define HMAT_H
-+
-+#include "hw/acpi/aml-build.h"
-+
-+/*
-+ * ACPI 6.3: 5.2.27.3 Memory Proximity Domain Attributes Structure,
-+ * Table 5-145, Field "flag", Bit [0]: set to 1 to indicate that data in
-+ * the Proximity Domain for the Attached Initiator field is valid.
-+ * Other bits reserved.
-+ */
-+#define HMAT_PROXIMITY_INITIATOR_VALID 0x1
-+
-+void build_hmat(GArray *table_data, BIOSLinker *linker, NumaState *numa_state);
-+
-+#endif
-diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
-index 12ff55fcfb543208c18ba44d569e..90a9c2ce6f8c01221efc56f63f79 100644
---- a/hw/i386/acpi-build.c
-+++ b/hw/i386/acpi-build.c
-@@ -67,6 +67,7 @@
- #include "hw/i386/intel_iommu.h"
-
- #include "hw/acpi/ipmi.h"
-+#include "hw/acpi/hmat.h"
-
- /* These are used to size the ACPI tables for -M pc-i440fx-1.7 and
- * -M pc-i440fx-2.0. Even if the actual amount of AML generated grows
-@@ -2834,6 +2835,10 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine)
- acpi_add_table(table_offsets, tables_blob);
- build_slit(tables_blob, tables->linker, machine);
- }
-+ if (machine->numa_state->hmat_enabled) {
-+ acpi_add_table(table_offsets, tables_blob);
-+ build_hmat(tables_blob, tables->linker, machine->numa_state);
-+ }
- }
- if (acpi_get_mcfg(&mcfg)) {
- acpi_add_table(table_offsets, tables_blob);
+++ /dev/null
-From: Liu Jingqi <jingqi.liu@intel.com>
-Date: Fri, 13 Dec 2019 09:19:27 +0800
-Subject: hmat acpi: Build Memory Side Cache Information Structure(s)
-
-Git-commit: a9c2b841af002db6e21e1297c9026b63fc22c875
-References: jsc#SLE-8897
-
-This structure describes memory side cache information for memory
-proximity domains if the memory side cache is present and the
-physical device forms the memory side cache.
-The software could use this information to effectively place
-the data in memory to maximize the performance of the system
-memory that use the memory side cache.
-
-Acked-by: Markus Armbruster <armbru@redhat.com>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Reviewed-by: Daniel Black <daniel@linux.ibm.com>
-Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
-Signed-off-by: Liu Jingqi <jingqi.liu@intel.com>
-Signed-off-by: Tao Xu <tao3.xu@intel.com>
-Message-Id: <20191213011929.2520-7-tao3.xu@intel.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/acpi/hmat.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 68 insertions(+), 1 deletion(-)
-
-diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c
-index 4635d45deeccd34659f6c8325d66..7c24bb53719e497d5cc6cf3f262e 100644
---- a/hw/acpi/hmat.c
-+++ b/hw/acpi/hmat.c
-@@ -143,14 +143,62 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
- g_free(entry_list);
- }
-
-+/* ACPI 6.3: 5.2.27.5 Memory Side Cache Information Structure: Table 5-147 */
-+static void build_hmat_cache(GArray *table_data, uint8_t total_levels,
-+ NumaHmatCacheOptions *hmat_cache)
-+{
-+ /*
-+ * Cache Attributes: Bits [3:0] – Total Cache Levels
-+ * for this Memory Proximity Domain
-+ */
-+ uint32_t cache_attr = total_levels;
-+
-+ /* Bits [7:4] : Cache Level described in this structure */
-+ cache_attr |= (uint32_t) hmat_cache->level << 4;
-+
-+ /* Bits [11:8] - Cache Associativity */
-+ cache_attr |= (uint32_t) hmat_cache->associativity << 8;
-+
-+ /* Bits [15:12] - Write Policy */
-+ cache_attr |= (uint32_t) hmat_cache->policy << 12;
-+
-+ /* Bits [31:16] - Cache Line size in bytes */
-+ cache_attr |= (uint32_t) hmat_cache->line << 16;
-+
-+ /* Type */
-+ build_append_int_noprefix(table_data, 2, 2);
-+ /* Reserved */
-+ build_append_int_noprefix(table_data, 0, 2);
-+ /* Length */
-+ build_append_int_noprefix(table_data, 32, 4);
-+ /* Proximity Domain for the Memory */
-+ build_append_int_noprefix(table_data, hmat_cache->node_id, 4);
-+ /* Reserved */
-+ build_append_int_noprefix(table_data, 0, 4);
-+ /* Memory Side Cache Size */
-+ build_append_int_noprefix(table_data, hmat_cache->size, 8);
-+ /* Cache Attributes */
-+ build_append_int_noprefix(table_data, cache_attr, 4);
-+ /* Reserved */
-+ build_append_int_noprefix(table_data, 0, 2);
-+ /*
-+ * Number of SMBIOS handles (n)
-+ * Linux kernel uses Memory Side Cache Information Structure
-+ * without SMBIOS entries for now, so set Number of SMBIOS handles
-+ * as 0.
-+ */
-+ build_append_int_noprefix(table_data, 0, 2);
-+}
-+
- /* Build HMAT sub table structures */
- static void hmat_build_table_structs(GArray *table_data, NumaState *numa_state)
- {
- uint16_t flags;
- uint32_t num_initiator = 0;
- uint32_t initiator_list[MAX_NODES];
-- int i, hierarchy, type;
-+ int i, hierarchy, type, cache_level, total_levels;
- HMAT_LB_Info *hmat_lb;
-+ NumaHmatCacheOptions *hmat_cache;
-
- for (i = 0; i < numa_state->num_nodes; i++) {
- flags = 0;
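Review bot: `build_hmat_cache` ORs `level`, `associativity` and `policy` into 4-bit fields of `cache_attr`, and `total_levels` into bits [3:0], without masking or range-checking them, so a value above 0xF silently overwrites the neighbouring field. `build_hmat_lb` guards its 4-bit hierarchy field with `assert(!(hmat_lb->hierarchy >> 4));`. The same kind of check, or validation where the options are parsed, belongs here, and likewise for `line` fitting in 16 bits.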
-@@ -184,6 +232,25 @@ static void hmat_build_table_structs(GArray *table_data, NumaState *numa_state)
- }
- }
- }
-+
-+ /*
-+ * ACPI 6.3: 5.2.27.5 Memory Side Cache Information Structure:
-+ * Table 5-147
-+ */
-+ for (i = 0; i < numa_state->num_nodes; i++) {
-+ total_levels = 0;
-+ for (cache_level = 1; cache_level < HMAT_LB_LEVELS; cache_level++) {
-+ if (numa_state->hmat_cache[i][cache_level]) {
-+ total_levels++;
-+ }
-+ }
-+ for (cache_level = 0; cache_level <= total_levels; cache_level++) {
-+ hmat_cache = numa_state->hmat_cache[i][cache_level];
-+ if (hmat_cache) {
-+ build_hmat_cache(table_data, total_levels, hmat_cache);
-+ }
-+ }
-+ }
- }
-
- void build_hmat(GArray *table_data, BIOSLinker *linker, NumaState *numa_state)
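Review bot: The two inner loops disagree on the level range: the count runs over `cache_level = 1` up to `HMAT_LB_LEVELS - 1`, while the emit loop runs over `cache_level = 0` up to `total_levels`. If the configured levels are not contiguous from 1 (for example levels 1 and 3 set, 2 unset), `total_levels` is 2 and level 3 is never emitted, and an entry at index 0 would be emitted without having been counted. Iterate the emit loop over the same range as the count, or validate contiguity earlier and say so in a comment.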
+++ /dev/null
-From: Liu Jingqi <jingqi.liu@intel.com>
-Date: Fri, 13 Dec 2019 09:19:26 +0800
-Subject: hmat acpi: Build System Locality Latency and Bandwidth Information
- Structure(s)
-
-Git-commit: 4586a2cb833f80b19c80ebe364a005ac2fa0974a
-References: jsc#SLE-8897
-
-This structure describes the memory access latency and bandwidth
-information from various memory access initiator proximity domains.
-The latency and bandwidth numbers represented in this structure
-correspond to rated latency and bandwidth for the platform.
-The software could use this information as hint for optimization.
-
-Acked-by: Markus Armbruster <armbru@redhat.com>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Signed-off-by: Liu Jingqi <jingqi.liu@intel.com>
-Signed-off-by: Tao Xu <tao3.xu@intel.com>
-Message-Id: <20191213011929.2520-6-tao3.xu@intel.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/acpi/hmat.c | 104 ++++++++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 103 insertions(+), 1 deletion(-)
-
-diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c
-index 9ff79308a497fe40a1b0a2f9a043..4635d45deeccd34659f6c8325d66 100644
---- a/hw/acpi/hmat.c
-+++ b/hw/acpi/hmat.c
-@@ -25,6 +25,7 @@
- */
-
- #include "qemu/osdep.h"
-+#include "qemu/units.h"
- #include "sysemu/numa.h"
- #include "hw/acpi/hmat.h"
-
-@@ -67,11 +68,89 @@ static void build_hmat_mpda(GArray *table_data, uint16_t flags,
- build_append_int_noprefix(table_data, 0, 8);
- }
-
-+/*
-+ * ACPI 6.3: 5.2.27.4 System Locality Latency and Bandwidth Information
-+ * Structure: Table 5-146
-+ */
-+static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
-+ uint32_t num_initiator, uint32_t num_target,
-+ uint32_t *initiator_list)
-+{
-+ int i, index;
-+ HMAT_LB_Data *lb_data;
-+ uint16_t *entry_list;
-+ uint32_t base;
-+ /* Length in bytes for entire structure */
-+ uint32_t lb_length
-+ = 32 /* Table length upto and including Entry Base Unit */
-+ + 4 * num_initiator /* Initiator Proximity Domain List */
-+ + 4 * num_target /* Target Proximity Domain List */
-+ + 2 * num_initiator * num_target; /* Latency or Bandwidth Entries */
-+
-+ /* Type */
-+ build_append_int_noprefix(table_data, 1, 2);
-+ /* Reserved */
-+ build_append_int_noprefix(table_data, 0, 2);
-+ /* Length */
-+ build_append_int_noprefix(table_data, lb_length, 4);
-+ /* Flags: Bits [3:0] Memory Hierarchy, Bits[7:4] Reserved */
-+ assert(!(hmat_lb->hierarchy >> 4));
-+ build_append_int_noprefix(table_data, hmat_lb->hierarchy, 1);
-+ /* Data Type */
-+ build_append_int_noprefix(table_data, hmat_lb->data_type, 1);
-+ /* Reserved */
-+ build_append_int_noprefix(table_data, 0, 2);
-+ /* Number of Initiator Proximity Domains (s) */
-+ build_append_int_noprefix(table_data, num_initiator, 4);
-+ /* Number of Target Proximity Domains (t) */
-+ build_append_int_noprefix(table_data, num_target, 4);
-+ /* Reserved */
-+ build_append_int_noprefix(table_data, 0, 4);
-+
-+ /* Entry Base Unit */
-+ if (hmat_lb->data_type <= HMAT_LB_DATA_WRITE_LATENCY) {
-+ /* Convert latency base from nanoseconds to picosecond */
-+ base = hmat_lb->base * 1000;
-+ } else {
-+ /* Convert bandwidth base from Byte to Megabyte */
-+ base = hmat_lb->base / MiB;
-+ }
-+ build_append_int_noprefix(table_data, base, 8);
-+
-+ /* Initiator Proximity Domain List */
-+ for (i = 0; i < num_initiator; i++) {
-+ build_append_int_noprefix(table_data, initiator_list[i], 4);
-+ }
-+
-+ /* Target Proximity Domain List */
-+ for (i = 0; i < num_target; i++) {
-+ build_append_int_noprefix(table_data, i, 4);
-+ }
-+
-+ /* Latency or Bandwidth Entries */
-+ entry_list = g_malloc0(num_initiator * num_target * sizeof(uint16_t));
-+ for (i = 0; i < hmat_lb->list->len; i++) {
-+ lb_data = &g_array_index(hmat_lb->list, HMAT_LB_Data, i);
-+ index = lb_data->initiator * num_target + lb_data->target;
-+
-+ entry_list[index] = (uint16_t)(lb_data->data / hmat_lb->base);
-+ }
-+
-+ for (i = 0; i < num_initiator * num_target; i++) {
-+ build_append_int_noprefix(table_data, entry_list[i], 2);
-+ }
-+
-+ g_free(entry_list);
-+}
-+
- /* Build HMAT sub table structures */
- static void hmat_build_table_structs(GArray *table_data, NumaState *numa_state)
- {
- uint16_t flags;
-- int i;
-+ uint32_t num_initiator = 0;
-+ uint32_t initiator_list[MAX_NODES];
-+ int i, hierarchy, type;
-+ HMAT_LB_Info *hmat_lb;
-
- for (i = 0; i < numa_state->num_nodes; i++) {
- flags = 0;
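Review bot: In `build_hmat_lb`, `index = lb_data->initiator * num_target + lb_data->target;` is used to write `entry_list[index]` with no bounds check, while `entry_list` holds only `num_initiator * num_target` entries. If `lb_data->initiator` is a node number rather than a position in `initiator_list` (for example CPUs on nodes 0 and 2), the write lands past the allocation. Map the initiator through `initiator_list`, or at least assert `index < num_initiator * num_target`. Also, `base` is declared `uint32_t` although it is appended as an 8-byte field, so the result of `hmat_lb->base * 1000` is truncated on assignment, and `lb_data->data / hmat_lb->base` relies on `base` being non-zero.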
-@@ -82,6 +161,29 @@ static void hmat_build_table_structs(GArray *table_data, NumaState *numa_state)
-
- build_hmat_mpda(table_data, flags, numa_state->nodes[i].initiator, i);
- }
-+
-+ for (i = 0; i < numa_state->num_nodes; i++) {
-+ if (numa_state->nodes[i].has_cpu) {
-+ initiator_list[num_initiator++] = i;
-+ }
-+ }
-+
-+ /*
-+ * ACPI 6.3: 5.2.27.4 System Locality Latency and Bandwidth Information
-+ * Structure: Table 5-146
-+ */
-+ for (hierarchy = HMAT_LB_MEM_MEMORY;
-+ hierarchy <= HMAT_LB_MEM_CACHE_3RD_LEVEL; hierarchy++) {
-+ for (type = HMAT_LB_DATA_ACCESS_LATENCY;
-+ type <= HMAT_LB_DATA_WRITE_BANDWIDTH; type++) {
-+ hmat_lb = numa_state->hmat_lb[hierarchy][type];
-+
-+ if (hmat_lb && hmat_lb->list->len) {
-+ build_hmat_lb(table_data, hmat_lb, num_initiator,
-+ numa_state->num_nodes, initiator_list);
-+ }
-+ }
-+ }
- }
-
- void build_hmat(GArray *table_data, BIOSLinker *linker, NumaState *numa_state)
+++ /dev/null
-From: Li Qiang <liq3ea@163.com>
-Date: Wed, 12 Aug 2020 09:17:27 -0700
-Subject: hw: ehci: check return value of 'usb_packet_map'
-
-Git-commit: 2fdb42d840400d58f2e706ecca82c142b97bcbd6
-References: bsc#1178934, CVE-2020-25723
-
-If 'usb_packet_map' fails, we should stop to process the usb
-request.
-
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Message-Id: <20200812161727.29412-1-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/usb/hcd-ehci.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index 56ab2f457f4c139d9c38644fa1b5..024b1ed6b67f25b0d600b9077f50 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -1374,7 +1374,10 @@ static int ehci_execute(EHCIPacket *p, const char *action)
- spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0);
- usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd,
- (p->qtd.token & QTD_TOKEN_IOC) != 0);
-- usb_packet_map(&p->packet, &p->sgl);
-+ if (usb_packet_map(&p->packet, &p->sgl)) {
-+ qemu_sglist_destroy(&p->sgl);
-+ return -1;
-+ }
- p->async = EHCI_ASYNC_INITIALIZED;
- }
-
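Review bot: On the new failure path in `ehci_execute`, `qemu_sglist_destroy(&p->sgl)` undoes the scatter/gather list, but nothing visible here undoes the preceding `usb_packet_setup`, and the bare `return -1` carries no indication of why the request stopped. Please confirm the packet is left in a state the caller can clean up, and consider a trace point or guest-error log so a guest that supplies unmappable buffers shows up in diagnostics.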
-@@ -1453,7 +1456,10 @@ static int ehci_process_itd(EHCIState *ehci,
- if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
- usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
- (itd->transact[i] & ITD_XACT_IOC) != 0);
-- usb_packet_map(&ehci->ipacket, &ehci->isgl);
-+ if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) {
-+ qemu_sglist_destroy(&ehci->isgl);
-+ return -1;
-+ }
- usb_handle_packet(dev, &ehci->ipacket);
- usb_packet_unmap(&ehci->ipacket, &ehci->isgl);
- } else {
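Review bot: In `ehci_process_itd`, the new `return -1` sits inside what appears to be per-transaction handling (`itd->transact[i]`), so one unmappable transaction abandons the rest of the descriptor without recording any status for it. State in a comment or in the commit message that stopping the whole iTD is intended, and check that every caller treats the negative return as an error rather than ignoring it.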
+++ /dev/null
-From: Olaf Hering <olaf@aepfle.de>
-Date: Wed, 19 Feb 2020 15:15:15 +0100
-Subject: hw/i386: disable smbus migration for xenfv
-
-References: bsc#1159755
-
-With commit 7fccf2a06890e3bc3b30e29827ad3fb93fe88fea a new member
-smbus_no_migration_support was added, and enabled in two places.
-With commit 4ab2f2a8aabfea95cc53c64e13b3f67960b27fdf the vmstate_acpi
-got new elements, which are conditionally filled. As a result, an
-incoming migration expected smbus related data unless smbus migration
-was disabled for a given MachineClass.
-
-Since commit 7fccf2a06890e3bc3b30e29827ad3fb93fe88fea forgot to handle
-xenfv, live migration to receiving hosts using qemu-4.0 and later is broken.
-
-Adjust 'xenfv' to stay compatible with with 'pc-i440fx-3.1':
- - the toolstack can not use '-M pc-i440fx-3.1,accel=xen -device xen-platform'
- because this would move the PCI device from 00:02.0 to 00:04.0
- - disable pvh.
- Running PVH may require dedicated device_model_args= options which select
- 'pc-i440fx-4.x'
-
-Signed-off-by: Olaf Hering <olaf@aepfle.de>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
-[BR: Adjust implementation to simply call pc_i440fx_3_1_machine_options]
----
- hw/i386/pc_piix.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
-index d760d3589607daf4997ea76854c4..000e692d0e5af449270214ea9345 100644
---- a/hw/i386/pc_piix.c
-+++ b/hw/i386/pc_piix.c
-@@ -1043,6 +1043,8 @@ DEFINE_PC_MACHINE(isapc, "isapc", pc_init_isa,
- #ifdef CONFIG_XEN
- static void xenfv_machine_options(MachineClass *m)
- {
-+ /* compat with pc_i440fx_3_1_machine_options */
-+ pc_i440fx_3_1_machine_options(m);
- m->desc = "Xen Fully-virtualized PC";
- m->max_cpus = HVM_MAX_VCPUS;
- m->default_machine_opts = "accel=xen";
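Review bot: Calling `pc_i440fx_3_1_machine_options(m)` pulls in every 3.1 setting, not only the smbus migration one, and only the fields assigned afterwards (`desc`, `max_cpus`, `default_machine_opts`) are overridden. The comment should name the behaviour being relied on (the commit message points at `smbus_no_migration_support`), and the patch should confirm that nothing else inherited from the 3.1 options is unwanted for xenfv.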
+++ /dev/null
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
-Date: Sun, 31 Jan 2021 11:34:01 +0100
-Subject: hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: edfe2eb4360cde4ed5d95bda7777edcb3510f76a
-References: bsc#1181933
-
-Per the ARM Generic Interrupt Controller Architecture specification
-(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
-not 10:
-
- - 4.3 Distributor register descriptions
- - 4.3.15 Software Generated Interrupt Register, GICD_SG
-
- - Table 4-21 GICD_SGIR bit assignments
-
- The Interrupt ID of the SGI to forward to the specified CPU
- interfaces. The value of this field is the Interrupt ID, in
- the range 0-15, for example a value of 0b0011 specifies
- Interrupt ID 3.
-
-Correct the irq mask to fix an undefined behavior (which eventually
-lead to a heap-buffer-overflow, see [Buglink]):
-
- $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
- [I 1612088147.116987] OPENED
- [R +0.278293] writel 0x8000f00 0xff4affb0
- ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
- SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
-
-This fixes a security issue when running with KVM on Arm with
-kernel-irqchip=off. (The default is kernel-irqchip=on, which is
-unaffected, and which is also the correct choice for performance.)
-
-Cc: qemu-stable@nongnu.org
-Fixes: CVE-2021-20221
-Fixes: 9ee6e8bb853 ("ARMv7 support.")
-Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
-Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20210131103401.217160-1-f4bug@amsat.org
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/intc/arm_gic.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
-index 1d7da7baa209323c143091599d57..df355f4d110dab290bea5154c7d4 100644
---- a/hw/intc/arm_gic.c
-+++ b/hw/intc/arm_gic.c
-@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
- int target_cpu;
-
- cpu = gic_get_current_cpu(s);
-- irq = value & 0x3ff;
-+ irq = value & 0xf;
- switch ((value >> 24) & 3) {
- case 0:
- mask = (value >> 16) & ALL_CPU_MASK;
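Review bot: `irq = value & 0xf;` fixes the range but leaves a bare mask. A named constant or a short comment citing SGIINTID being 4 bits (GICD_SGIR, Table 4-21 per the commit message) would stop it drifting back to a wider mask. The commit message already carries a one-line qtest reproducer; adding it as a regression test would lock in the fix for CVE-2021-20221.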
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Wed, 15 May 2019 13:32:01 -0600
-Subject: hw/intc/exynos4210_gic: provide more room when formatting alias names
-
-sprintf related parameter validation complains about the size of the
-buffer being written to in exynos4210_gic_realize(). Provide a bit more
-space to avoid the following warning:
-/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c: In function 'exynos4210_gic_realize':
-/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:316:36: error: '%x' directive writing between 1 and 7 bytes into a region of size between 4 and 28 [-Werror=format-overflow=]
- 316 | sprintf(cpu_alias_name, "%s%x", cpu_prefix, i);
- | ^~
-/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:316:33: note: directive argument in the range [0, 29020050]
- 316 | sprintf(cpu_alias_name, "%s%x", cpu_prefix, i);
- | ^~~~~~
-In file included from /usr/include/stdio.h:867,
- from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/include/qemu/osdep.h:99,
- from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:23:
-/usr/include/bits/stdio2.h:36:10: note: '__builtin___sprintf_chk' output between 2 and 32 bytes into a destination of size 28
- 36 | return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
- | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- 37 | __bos (__s), __fmt, __va_arg_pack ());
- | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:326:37: error: '%x' directive writing between 1 and 7 bytes into a region of size between 3 and 28 [-Werror=format-overflow=]
- 326 | sprintf(dist_alias_name, "%s%x", dist_prefix, i);
- | ^~
-/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:326:34: note: directive argument in the range [0, 29020050]
- 326 | sprintf(dist_alias_name, "%s%x", dist_prefix, i);
- | ^~~~~~
-In file included from /usr/include/stdio.h:867,
- from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/include/qemu/osdep.h:99,
- from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:23:
-/usr/include/bits/stdio2.h:36:10: note: '__builtin___sprintf_chk' output between 2 and 33 bytes into a destination of size 28
- 36 | return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
- | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- 37 | __bos (__s), __fmt, __va_arg_pack ());
- | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/intc/exynos4210_gic.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/intc/exynos4210_gic.c b/hw/intc/exynos4210_gic.c
-index a1b699b6babc3105bfd4ad9a8383..17317c961caa9a09c476e9ecbd3f 100644
---- a/hw/intc/exynos4210_gic.c
-+++ b/hw/intc/exynos4210_gic.c
-@@ -290,8 +290,8 @@ static void exynos4210_gic_realize(DeviceState *dev, Error **errp)
- SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
- const char cpu_prefix[] = "exynos4210-gic-alias_cpu";
- const char dist_prefix[] = "exynos4210-gic-alias_dist";
-- char cpu_alias_name[sizeof(cpu_prefix) + 3];
-- char dist_alias_name[sizeof(cpu_prefix) + 3];
-+ char cpu_alias_name[sizeof(cpu_prefix) + 7];
-+ char dist_alias_name[sizeof(cpu_prefix) + 8];
- SysBusDevice *gicbusdev;
- uint32_t i;
-
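Review bot: `dist_alias_name` is still sized from `sizeof(cpu_prefix)` even though it is filled from `dist_prefix`, which is why the two arrays need different magic constants (`+ 7` and `+ 8`). Sizing it as `sizeof(dist_prefix) + 7` would make the relationship to the `"%s%x"` format obvious, and a short comment that 7 is the widest `%x` output GCC's range analysis allows for `i` would explain the number. Switching the `sprintf` calls to `snprintf` with `sizeof(...)` would also keep the bound enforced if the prefixes or the loop range change later.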
+++ /dev/null
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
-Date: Wed, 24 Mar 2021 14:54:43 +0100
-Subject: hw/isa/piix4: Migrate Reset Control Register
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 62271205bcfaee440d06c06060ee79dac657caff
-
-When adding the Reset register in commit 5790b757cfb we
-forgot to migrate it.
-
-While it is possible a VM using the PIIX4 is migrated just
-after requesting a system shutdown, it is very unlikely.
-However when restoring a migrated VM, we might have the
-RCR bit #4 set on the stack and when the VM resume it
-directly shutdowns.
-
-Add a post_load() migration handler and set the default
-RCR value to 0 for earlier versions, assuming the VM was
-not going to shutdown before migration.
-
-Fixes: 5790b757cfb ("piix4: Add the Reset Control Register")
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Message-Id: <20210324200334.729899-1-f4bug@amsat.org>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/isa/piix4.c | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/hw/isa/piix4.c b/hw/isa/piix4.c
-index 86678e6829535f0e7981b3e53122..a7ed885dc8e49537c1241eaea7e1 100644
---- a/hw/isa/piix4.c
-+++ b/hw/isa/piix4.c
-@@ -93,12 +93,25 @@ static void piix4_isa_reset(DeviceState *dev)
- pci_conf[0xae] = 0x00;
- }
-
-+static int piix4_ide_post_load(void *opaque, int version_id)
-+{
-+ PIIX4State *s = opaque;
-+
-+ if (version_id == 2) {
-+ s->rcr = 0;
-+ }
-+
-+ return 0;
-+}
-+
- static const VMStateDescription vmstate_piix4 = {
- .name = "PIIX4",
-- .version_id = 2,
-+ .version_id = 3,
- .minimum_version_id = 2,
-+ .post_load = piix4_ide_post_load,
- .fields = (VMStateField[]) {
- VMSTATE_PCI_DEVICE(dev, PIIX4State),
-+ VMSTATE_UINT8_V(rcr, PIIX4State, 3),
- VMSTATE_END_OF_LIST()
- }
- };
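Review bot: the new handler is named `piix4_ide_post_load` but it is attached to `vmstate_piix4` in hw/isa/piix4.c and touches only the Reset Control Register, so a name such as `piix4_post_load` would match what it does. The test `version_id == 2` is correct today because `minimum_version_id` is 2, but `version_id < 3` states the intent (streams older than the one that carries `rcr`) and stays right if the minimum is ever lowered.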
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 11 Nov 2020 18:36:36 +0530
-Subject: hw/net/e1000e: advance desc_offset in case of null descriptor
-
-Git-commit: c2cb511634012344e3d0fe49a037a33b12d8a98a
-References: bsc#1179468, CVE-2020-28916
-
-While receiving packets via e1000e_write_packet_to_guest() routine,
-'desc_offset' is advanced only when RX descriptor is processed. And
-RX descriptor is not processed if it has NULL buffer address.
-This may lead to an infinite loop condition. Increament 'desc_offset'
-to process next descriptor in the ring to avoid infinite loop.
-
-Reported-by: Cheol-woo Myung <330cjfdn@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/net/e1000e_core.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
-index 9b76f82db5b83ed611f5007da009..166054f2e3f65159e28caecf2609 100644
---- a/hw/net/e1000e_core.c
-+++ b/hw/net/e1000e_core.c
-@@ -1596,13 +1596,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
- (const char *) &fcs_pad, e1000x_fcs_len(core->mac));
- }
- }
-- desc_offset += desc_size;
-- if (desc_offset >= total_size) {
-- is_last = true;
-- }
- } else { /* as per intel docs; skip descriptors with null buf addr */
- trace_e1000e_rx_null_descriptor();
- }
-+ desc_offset += desc_size;
-+ if (desc_offset >= total_size) {
-+ is_last = true;
-+ }
-
- e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL,
- rss_info, do_ps ? ps_hdr_len : 0, &bastate.written);
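Review bot: with `desc_offset += desc_size` moved below the `else`, a descriptor with a null buffer address now consumes `desc_size` bytes of the packet although nothing was written to the guest, so that part of the frame is dropped rather than carried to the next usable descriptor. It also means `is_last` can become true on a null descriptor, in which case `e1000e_write_rx_descr()` is called with `core->rx_pkt` for a descriptor that received no data. If dropping is the intended behaviour it deserves a comment next to the "skip descriptors with null buf addr" note; otherwise the loop needs a different termination condition, for example bounding the number of descriptors examined.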
+++ /dev/null
-From: Mauro Matteo Cascella <mcascell@redhat.com>
-Date: Sat, 1 Aug 2020 18:42:38 +0200
-Subject: hw/net/net_tx_pkt: fix assertion failure in
- net_tx_pkt_add_raw_fragment()
-
-Git-commit: 035e69b063835a5fd23cacabd63690a3d84532a8
-References: bsc#1174641, CVE-2020-16092
-
-An assertion failure issue was found in the code that processes network packets
-while adding data fragments into the packet context. It could be abused by a
-malicious guest to abort the QEMU process on the host. This patch replaces the
-affected assert() with a conditional statement, returning false if the current
-data fragment exceeds max_raw_frags.
-
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Reported-by: Ziming Zhang <ezrakiez@gmail.com>
-Reviewed-by: Dmitry Fleytman <dmitry.fleytman@gmail.com>
-Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/net/net_tx_pkt.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
-index 162f802dd77e09b89c0cb65583e8..54d4c3bbd02dccc33ee3c7e710b4 100644
---- a/hw/net/net_tx_pkt.c
-+++ b/hw/net/net_tx_pkt.c
-@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa,
- hwaddr mapped_len = 0;
- struct iovec *ventry;
- assert(pkt);
-- assert(pkt->max_raw_frags > pkt->raw_frags);
-+
-+ if (pkt->raw_frags >= pkt->max_raw_frags) {
-+ return false;
-+ }
-
- if (!len) {
- return true;
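Review bot: the new `raw_frags >= max_raw_frags` test sits above the `if (!len) return true;` shortcut, so a zero-length fragment is now reported as a failure when the table is full, although it would not have consumed a slot. Moving the capacity check below the `!len` test keeps the old semantics for empty fragments. The failure is also silent; since the commit message attributes it to guest-supplied input, a guest-error log or trace point on the `return false` path would make it diagnosable.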
+++ /dev/null
-From: Mauro Matteo Cascella <mcascell@redhat.com>
-Date: Fri, 10 Jul 2020 11:19:41 +0200
-Subject: hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
-
-Git-commit: 5519724a13664b43e225ca05351c60b4468e4555
-References: bsc#1174386 CVE-2020-15863
-
-A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
-occurs while sending an Ethernet frame due to missing break statements
-and improper checking of the buffer size.
-
-Reported-by: Ziming Zhang <ezrakiez@gmail.com>
-Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/net/xgmac.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
-index 2ea8d2ec721632ecd13026eedf03..3b02b38f4e7ac9da650a6a02633d 100644
---- a/hw/net/xgmac.c
-+++ b/hw/net/xgmac.c
-@@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s)
- }
- len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
-
-+ /*
-+ * FIXME: these cases of malformed tx descriptors (bad sizes)
-+ * should probably be reported back to the guest somehow
-+ * rather than simply silently stopping processing, but we
-+ * don't know what the hardware does in this situation.
-+ * This will only happen for buggy guests anyway.
-+ */
- if ((bd.buffer1_size & 0xfff) > 2048) {
- DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
- "xgmac buffer 1 len on send > 2048 (0x%x)\n",
- __func__, bd.buffer1_size & 0xfff);
-+ break;
- }
- if ((bd.buffer2_size & 0xfff) != 0) {
- DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
- "xgmac buffer 2 len on send != 0 (0x%x)\n",
- __func__, bd.buffer2_size & 0xfff);
-+ break;
- }
-- if (len >= sizeof(frame)) {
-+ if (frame_size + len >= sizeof(frame)) {
- DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
-- "buffer\n" , __func__, len, sizeof(frame));
-+ "buffer\n" , __func__, frame_size + len, sizeof(frame));
- DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
- __func__, bd.buffer1_size, bd.buffer2_size);
-+ break;
- }
-
- cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
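Review bot: the corrected bound `frame_size + len >= sizeof(frame)` rejects a frame that would fill the buffer exactly. If one byte is deliberately kept in reserve, say so in a comment; otherwise `>` is the tighter test. The accompanying `DEBUGF_BRK` prints `frame_size + len` with `%d`, so it is worth confirming that both operands are `int` here, because the neighbouring `sizeof(frame)` argument already needs `%zu`.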
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 11 Aug 2020 17:11:25 +0530
-Subject: hw/pci-host: add pci-intack write method
-
-Git-commit: 520f26fc6d17b71a43eaf620e834b3bdf316f3d3
-References: bsc#1173612, CVE-2020-15469
-
-Add pci-intack mmio write method to avoid NULL pointer dereference
-issue.
-
-Reported-by: Lei Sun <slei.casper@gmail.com>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20200811114133.672647-2-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/pci-host/prep.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/pci-host/prep.c b/hw/pci-host/prep.c
-index 85d7ba90374b6b5a558155e4445b..7f366d9313d8824c52e5cb531b63 100644
---- a/hw/pci-host/prep.c
-+++ b/hw/pci-host/prep.c
-@@ -26,6 +26,7 @@
- #include "qemu/osdep.h"
- #include "qemu-common.h"
- #include "qemu/units.h"
-+#include "qemu/log.h"
- #include "qapi/error.h"
- #include "hw/pci/pci.h"
- #include "hw/pci/pci_bus.h"
-@@ -119,8 +120,15 @@ static uint64_t raven_intack_read(void *opaque, hwaddr addr,
- return pic_read_irq(isa_pic);
- }
-
-+static void raven_intack_write(void *opaque, hwaddr addr,
-+ uint64_t data, unsigned size)
-+{
-+ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
-+}
-+
- static const MemoryRegionOps raven_intack_ops = {
- .read = raven_intack_read,
-+ .write = raven_intack_write,
- .valid = {
- .max_access_size = 1,
- },
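Review bot: `raven_intack_write()` logs only the function name, which makes the LOG_UNIMP line hard to act on. Including `addr`, `data` and `size` in the message would show what the guest attempted, for example "%s: write of size %u at 0x%" HWADDR_PRIx " ignored". If the register is read-only on real hardware rather than unimplemented in the model, LOG_GUEST_ERROR would be the more accurate mask.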
+++ /dev/null
-From: Marcel Apfelbaum <marcel@redhat.com>
-Date: Wed, 16 Jun 2021 14:06:00 +0300
-Subject: hw/rdma: Fix possible mremap overflow in the pvrdma device
- (CVE-2021-3582)
-
-Git-commit: 284f191b4abad213aed04cb0458e1600fd18d7c4
-References: CVE-2021-3582 bsc#1187499
-
-Ensure mremap boundaries not trusting the guest kernel to
-pass the correct buffer length.
-
-Fixes: CVE-2021-3582
-Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
-Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
-Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
-Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
-Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
-Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
----
- hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
-index 692125ac26815fc0d9180e69adbf..1df0b256fa88e092767e18c471cb 100644
---- a/hw/rdma/vmw/pvrdma_cmd.c
-+++ b/hw/rdma/vmw/pvrdma_cmd.c
-@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
- return NULL;
- }
-
-+ length = ROUND_UP(length, TARGET_PAGE_SIZE);
-+ if (nchunks * TARGET_PAGE_SIZE != length) {
-+ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
-+ (unsigned long)length);
-+ return NULL;
-+ }
-+
- dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
- if (!dir) {
- rdma_error_report("Failed to map to page directory");
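Review bot: the comparison `nchunks * TARGET_PAGE_SIZE != length` multiplies a value printed with `%u` by the page size, so if `TARGET_PAGE_SIZE` is not a 64-bit type the product is computed in 32 bits and can wrap for large `nchunks`, letting a mismatched pair pass the check. Casting one operand, as in `(uint64_t)nchunks * TARGET_PAGE_SIZE`, removes the doubt. `ROUND_UP(length, TARGET_PAGE_SIZE)` can likewise wrap when `length` is within a page of its type's maximum, so an explicit upper bound on `length` before rounding would close that case too.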
+++ /dev/null
-From: Mauro Matteo Cascella <mcascell@redhat.com>
-Date: Thu, 24 Dec 2020 18:54:41 +0100
-Subject: hw/scsi/megasas: check for NULL frame in megasas_command_cancelled()
-
-Git-commit: 00000000000000000000000000000000000000000000
-References: bsc#1180432, CVE-2020-35503
-
-Ensure that 'cmd->frame' is not NULL before accessing the 'header' field.
-This check prevents a potential NULL pointer dereference issue.
-
-RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1910346
-Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
-Acked-By: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 1bdd25e55684c7b6026381a97f3e..376ac1f0c238e7bf86a294fa10e1 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -1884,7 +1884,7 @@ static void megasas_command_cancelled(SCSIRequest *req)
- {
- MegasasCmd *cmd = req->hba_private;
-
-- if (!cmd) {
-+ if (!cmd || !cmd->frame) {
- return;
- }
- cmd->frame->header.cmd_status = MFI_STAT_SCSI_IO_FAILED;
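Review bot: the added `!cmd->frame` test prevents the dereference on the next line, but the early `return` gives no hint of how a command can reach cancellation with a NULL frame. A one-line comment naming that state, or a trace point on this path, would help decide later whether the NULL frame is a legitimate state or a lifecycle bug that this guard hides.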
+++ /dev/null
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
-Date: Tue, 1 Sep 2020 15:22:06 +0200
-Subject: hw/sd/sdhci: Fix DMA Transfer Block Size field
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: dfba99f17feb6d4a129da19d38df1bcd8579d1c3
-References: bsc#1176681 CVE-2020-25085
-
-The 'Transfer Block Size' field is 12-bit wide.
-
-See section '2.2.2. Block Size Register (Offset 004h)' in datasheet.
-
-Two different bug reproducer available:
-- https://bugs.launchpad.net/qemu/+bug/1892960
-- https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1
-
-Cc: qemu-stable@nongnu.org
-Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
-Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller")
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
-Tested-by: Alexander Bulekov <alxndr@bu.edu>
-Message-Id: <20200901140411.112150-3-f4bug@amsat.org>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/sd/sdhci.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 88404d0e9d5a0acafceec1933fce..c27bd0936505c9ae75aec7ab24d2 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -1129,7 +1129,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
- break;
- case SDHC_BLKSIZE:
- if (!TRANSFERRING_DATA(s->prnsts)) {
-- MASKED_WRITE(s->blksize, mask, value);
-+ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
- MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
- }
-
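Review bot: `extract32(value, 0, 12)` discards every bit above bit 11 of the low half-word before it is stored in `s->blksize`. That is right for the 12-bit Transfer Block Size field named in the commit message, but if `s->blksize` is also used elsewhere to hold other fields of the same Block Size register, those are now always written as zero; please confirm against the datasheet section cited above. The literal 12 would read better as a named constant or mask shared with the code that consumes `s->blksize`.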
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Fri, 5 Apr 2019 21:10:30 -0600
-Subject: hw/smbios: handle both file formats regardless of machine type
-
-References: bsc#994082, bsc#1084316, boo#1131894
-
-It's easy enough to handle either per-spec or legacy smbios structures
-in the smbios file input without regard to the machine type used, by
-simply applying the basic smbios formatting rules. then depending on
-what is detected. terminal numm bytes are added or removed for machine
-type specific processing.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/smbios/smbios.c | 43 +++++++++++++++++++++++++++++++++++++++----
- 1 file changed, 39 insertions(+), 4 deletions(-)
-
-diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
-index 11d476c4a2cbdabc546c02b4f076..570ffa3acfa48b3721bdc578ee57 100644
---- a/hw/smbios/smbios.c
-+++ b/hw/smbios/smbios.c
-@@ -964,6 +964,7 @@ void smbios_entry_add(QemuOpts *opts, Error **errp)
- struct smbios_structure_header *header;
- int size;
- struct smbios_table *table; /* legacy mode only */
-+ uint8_t *dbl_nulls, *orig_end;
-
- qemu_opts_validate(opts, qemu_smbios_file_opts, &err);
- if (err) {
-@@ -978,11 +979,21 @@ void smbios_entry_add(QemuOpts *opts, Error **errp)
- }
-
- /*
-- * NOTE: standard double '\0' terminator expected, per smbios spec.
-- * (except in legacy mode, where the second '\0' is implicit and
-- * will be inserted by the BIOS).
-+ * NOTE: standard double '\0' terminator expected, per smbios spec,
-+ * unless the data is formatted for legacy mode, which is used by
-+ * pc-i440fx-2.0 and earlier machine types. Legacy mode structures
-+ * without strings have no '\0' terminators, and those with strings
-+ * also don't have an additional '\0' terminator at the end of the
-+ * final string '\0' terminator. The BIOS will add the '\0' terminators
-+ * to comply with the smbios spec.
-+ * For greater compatibility, regardless of the machine type used,
-+ * either format is accepted.
- */
-- smbios_tables = g_realloc(smbios_tables, smbios_tables_len + size);
-+ smbios_tables = g_realloc(smbios_tables, smbios_tables_len + size + 2);
-+ orig_end = smbios_tables + smbios_tables_len + size;
-+ /* add extra null bytes to end in case of legacy file data */
-+ *orig_end = '\0';
-+ *(orig_end + 1) = '\0';
- header = (struct smbios_structure_header *)(smbios_tables +
- smbios_tables_len);
-
-@@ -997,6 +1008,19 @@ void smbios_entry_add(QemuOpts *opts, Error **errp)
- header->type);
- return;
- }
-+ for (dbl_nulls = smbios_tables + smbios_tables_len + header->length;
-+ dbl_nulls + 2 <= orig_end; dbl_nulls++) {
-+ if (*dbl_nulls == '\0' && *(dbl_nulls + 1) == '\0') {
-+ break;
-+ }
-+ }
-+ if (dbl_nulls + 2 < orig_end) {
-+ error_setg(errp, "SMBIOS file data malformed");
-+ return;
-+ }
-+ /* increase size by how many extra nulls were actually needed */
-+ size += dbl_nulls + 2 - orig_end;
-+ smbios_tables = g_realloc(smbios_tables, smbios_tables_len + size);
- set_bit(header->type, have_binfile_bitmap);
-
- if (header->type == 4) {
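Review bot: after the second `g_realloc(smbios_tables, smbios_tables_len + size)` the pointers `header`, `dbl_nulls` and `orig_end` still refer to the old allocation, yet `header->type` is dereferenced on the very next line and `dbl_nulls`/`orig_end` are compared again in the following hunk. `g_realloc` is allowed to move the block, so `header` should be recomputed from `smbios_tables + smbios_tables_len` after the call, and the result of `dbl_nulls + 2 - orig_end` should be saved in an integer before reallocating instead of being re-derived from stale pointers. The scan also starts at `header->length` bytes into the new data; unless code outside this hunk already guarantees `header->length <= size`, that start can lie past `orig_end`, and then `size += dbl_nulls + 2 - orig_end` grows `size` beyond what was read from the file.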
-@@ -1017,6 +1041,17 @@ void smbios_entry_add(QemuOpts *opts, Error **errp)
- * delete the one we don't need from smbios_set_defaults(),
- * once we know which machine version has been requested.
- */
-+ if (dbl_nulls + 2 == orig_end) {
-+ /* chop off nulls to get legacy format */
-+ if (header->length + 2 == size) {
-+ size -= 2;
-+ } else {
-+ size -= 1;
-+ }
-+ } else {
-+ /* undo conversion from legacy format to per-spec format */
-+ size -= dbl_nulls + 2 - orig_end;
-+ }
- if (!smbios_entries) {
- smbios_entries_len = sizeof(uint16_t);
- smbios_entries = g_malloc0(smbios_entries_len);
+++ /dev/null
-From: Alistair Francis <Alistair.Francis@wdc.com>
-Date: Sat, 4 May 2019 07:58:55 -0600
-Subject: hw/usb/dev-mtp: Fix GCC 9 build warning
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fix this warning with GCC 9 on Fedora 30:
-hw/usb/dev-mtp.c:1715:36: error: taking address of packed member of \91struct <anonymous>\92 may result in an unaligned pointer value [-Werror=address-of-packed-member]
- 1715 | dataset->filename);
- | ~~~~~~~^~~~~~~~~~
-
-Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/usb/dev-mtp.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
-index 7c07295519d33d13fd3755ea7e0a..13815df4737ef8f46e6f857153b1 100644
---- a/hw/usb/dev-mtp.c
-+++ b/hw/usb/dev-mtp.c
-@@ -1722,9 +1722,22 @@ static void usb_mtp_write_metadata(MTPState *s, uint64_t dlen)
- assert(!s->write_pending);
- assert(p != NULL);
-
-+/*
-+ * We are about to access a packed struct. We are confident that the pointer
-+ * address won't be unaligned, so we ignore GCC warnings.
-+ */
-+#if defined(CONFIG_PRAGMA_DIAGNOSTIC_AVAILABLE) && QEMU_GNUC_PREREQ(9, 0)
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Waddress-of-packed-member"
-+#endif
-+
- filename = utf16_to_str(MIN(dataset->length, filename_chars),
- dataset->filename);
-
-+#if defined(CONFIG_PRAGMA_DIAGNOSTIC_AVAILABLE) && QEMU_GNUC_PREREQ(9, 0)
-+#pragma GCC diagnostic pop
-+#endif
-+
- if (strchr(filename, '/')) {
- usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
- 0, 0, 0, 0);
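Review bot: the pragma block silences `-Waddress-of-packed-member` around the `utf16_to_str()` call on the strength of "we are confident", without saying why `dataset->filename` is aligned. Either state the reason in the comment (for example the field's offset within the packed struct and the alignment of the buffer it lives in) or avoid the question by copying the UTF-16 data into an aligned temporary before converting. Suppressing the diagnostic also hides any future change to the struct layout that would make the pointer genuinely unaligned.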
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 15 Sep 2020 23:52:59 +0530
-Subject: hw: usb: hcd-ohci: check for processed TD before retire
-
-Git-commit: 1be90ebecc95b09a2ee5af3f60c412b45a766c4f
-References: bsc#1176684, CVE-2020-25625
-
-While servicing OHCI transfer descriptors(TD), ohci_service_iso_td
-retires a TD if it has passed its time frame. It does not check if
-the TD was already processed once and holds an error code in TD_CC.
-It may happen if the TD list has a loop. Add check to avoid an
-infinite loop condition.
-
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Message-id: 20200915182259.68522-3-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/usb/hcd-ohci.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
-index 13cf2953c803b54553768b471d86..9d305eed35cbb30164a2f6946407 100644
---- a/hw/usb/hcd-ohci.c
-+++ b/hw/usb/hcd-ohci.c
-@@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
- the next ISO TD of the same ED */
- trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
- frame_count);
-+ if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
-+ /* avoid infinite loop */
-+ return 1;
-+ }
- OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
- ed->head &= ~OHCI_DPTR_MASK;
- ed->head |= (iso_td.next & OHCI_DPTR_MASK);
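Review bot: the comment `/* avoid infinite loop */` does not explain why `TD_CC == OHCI_CC_DATAOVERRUN` means the TD has been seen before. Spell out that this branch sets DATAOVERRUN when it retires a TD, so finding it already set implies the TD list loops back. Note also that the marker is read from `iso_td.flags`, which comes from guest memory, so a TD that the guest initialises with DATAOVERRUN takes the same early `return 1`; if that is acceptable, the comment should say so. The constant-first comparison is unusual for this file's style; `OHCI_BM(iso_td.flags, TD_CC) == OHCI_CC_DATAOVERRUN` reads more naturally.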
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 15 Sep 2020 23:52:58 +0530
-Subject: hw: usb: hcd-ohci: check len and frame_number variables
-
-Git-commit: 1328fe0c32d5474604105b8105310e944976b058
-References: bsc#1176682, CVE-2020-25624
-
-While servicing the OHCI transfer descriptors(TD), OHCI host
-controller derives variables 'start_addr', 'end_addr', 'len'
-etc. from values supplied by the host controller driver.
-Host controller driver may supply values such that using
-above variables leads to out-of-bounds access issues.
-Add checks to avoid them.
-
-AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0
- READ of size 2 at 0x7ffd53af76a0 thread T0
- #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734
- #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180
- #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214
- #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257
- #4 timerlist_run_timers ../util/qemu-timer.c:572
- #5 qemu_clock_run_timers ../util/qemu-timer.c:586
- #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672
- #7 main_loop_wait ../util/main-loop.c:527
- #8 qemu_main_loop ../softmmu/vl.c:1676
- #9 main ../softmmu/main.c:50
-
-Reported-by: Gaoning Pan <pgn@zju.edu.cn>
-Reported-by: Yongkang Jia <j_kangel@163.com>
-Reported-by: Yi Ren <yunye.ry@alibaba-inc.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20200915182259.68522-2-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++--
- 1 file changed, 22 insertions(+), 2 deletions(-)
-
-diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
-index 145ee21fd6aeffdaa6351332f005..13cf2953c803b54553768b471d86 100644
---- a/hw/usb/hcd-ohci.c
-+++ b/hw/usb/hcd-ohci.c
-@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
- }
-
- start_offset = iso_td.offset[relative_frame_number];
-- next_offset = iso_td.offset[relative_frame_number + 1];
-+ if (relative_frame_number < frame_count) {
-+ next_offset = iso_td.offset[relative_frame_number + 1];
-+ } else {
-+ next_offset = iso_td.be;
-+ }
-
- if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) ||
- ((relative_frame_number < frame_count) &&
-@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
- }
- } else {
- /* Last packet in the ISO TD */
-- end_addr = iso_td.be;
-+ end_addr = next_offset;
-+ }
-+
-+ if (start_addr > end_addr) {
-+ trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
-+ return 1;
- }
-
- if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
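Review bot: for the last packet, `end_addr = iso_td.be` is replaced by `end_addr = next_offset`, where `next_offset` was assigned from `iso_td.be` in the previous hunk. The declarations are not visible here, but `next_offset` otherwise holds entries of `iso_td.offset[]`; if it is narrower than `iso_td.be`, the buffer-end address is truncated on the way through and `end_addr` no longer equals the old value. Keeping `end_addr = iso_td.be` in this branch avoids depending on that. The new `start_addr > end_addr` check reuses `trace_usb_ohci_iso_td_bad_cc_overrun`, whose name describes a different condition; a dedicated trace event would keep logs unambiguous.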
-@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
- } else {
- len = end_addr - start_addr + 1;
- }
-+ if (len > sizeof(ohci->usb_buf)) {
-+ len = sizeof(ohci->usb_buf);
-+ }
-
- if (len && dir != OHCI_TD_DIR_IN) {
- if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
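Review bot: clamping `len` to `sizeof(ohci->usb_buf)` leaves `start_addr` and `end_addr` unchanged, and all three are then passed to `ohci_copy_iso_td()` on the following line. If that helper derives any size from the address pair rather than from `len`, the clamp does not protect the buffer. Rejecting an oversized TD, as the `start_addr > end_addr` case above does with `return 1`, would be easier to reason about than silently shortening the transfer.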
-@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed)
- if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
- len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
- } else {
-+ if (td.cbp > td.be) {
-+ trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
-+ ohci_die(ohci);
-+ return 1;
-+ }
- len = (td.be - td.cbp) + 1;
- }
-+ if (len > sizeof(ohci->usb_buf)) {
-+ len = sizeof(ohci->usb_buf);
-+ }
-
- pktlen = len;
- if (len && dir != OHCI_TD_DIR_IN) {
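Review bot: the `td.cbp > td.be` guard in `ohci_service_td()` logs through `trace_usb_ohci_iso_td_bad_cc_overrun`, an event named for isochronous TDs, although this is the general TD path; a trace event of its own would avoid misleading output. Error handling is also inconsistent with the isochronous hunk above: here the controller is stopped with `ohci_die(ohci)`, there the function just returns 1 for the same kind of malformed descriptor. Whichever behaviour is intended, both sites should agree or a comment should explain the difference.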
+++ /dev/null
-From: Alistair Francis <Alistair.Francis@wdc.com>
-Date: Sat, 4 May 2019 07:58:35 -0600
-Subject: hw/usb/hcd-xhci: Fix GCC 9 build warning
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fix this build warning with GCC 9 on Fedora 30:
-hw/usb/hcd-xhci.c:3339:66: error: \91%d\92 directive output may be truncated writing between 1 and 10 bytes into a region of size 5 [-Werror=format-truncation=]
- 3339 | snprintf(port->name, sizeof(port->name), "usb2 port #%d", i+1);
- | ^~
-hw/usb/hcd-xhci.c:3339:54: note: directive argument in the range [1, 2147483647]
- 3339 | snprintf(port->name, sizeof(port->name), "usb2 port #%d", i+1);
- | ^~~~~~~~~~~~~~~
-In file included from /usr/include/stdio.h:867,
- from /home/alistair/qemu/include/qemu/osdep.h:99,
- from hw/usb/hcd-xhci.c:21:
-/usr/include/bits/stdio2.h:67:10: note: \91__builtin___snprintf_chk\92 output between 13 and 22 bytes into a destination of size 16
- 67 | return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
- | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- 68 | __bos (__s), __fmt, __va_arg_pack ());
- | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/usb/hcd-xhci.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index c84d7d7d5707b1e04f06d01df55c..fd2b69001597c14fe13d7e88f947 100644
---- a/hw/usb/hcd-xhci.c
-+++ b/hw/usb/hcd-xhci.c
-@@ -3333,6 +3333,7 @@ static void usb_xhci_init(XHCIState *xhci)
- usb_bus_new(&xhci->bus, sizeof(xhci->bus), &xhci_bus_ops, dev);
-
- for (i = 0; i < usbports; i++) {
-+ g_assert(i < MAX(MAXPORTS_2, MAXPORTS_3));
- speedmask = 0;
- if (i < xhci->numports_2) {
- if (xhci_get_flag(xhci, XHCI_FLAG_SS_FIRST)) {
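Review bot: `g_assert(i < MAX(MAXPORTS_2, MAXPORTS_3))` is evaluated on every iteration purely to give GCC a range for `i`, and it turns an out-of-range `usbports` into a process abort during device init. Checking `usbports` once before the loop conveys the same bound to the compiler and to the reader. A comment that the assertion exists to satisfy `-Wformat-truncation` for the `snprintf(port->name, ...)` calls further down would stop it being removed as redundant.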
+++ /dev/null
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
-Date: Sun, 25 Apr 2021 00:41:09 +0200
-Subject: hw/usb/host-stub: Remove unused header
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 1081607bfab94a0b6149c4a2195737107aed265f
-References: bsc#1186012, CVE-2021-3527
-
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-Id: <20210424224110.3442424-2-f4bug@amsat.org>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/usb/host-stub.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/hw/usb/host-stub.c b/hw/usb/host-stub.c
-index 538ed29684cb7d3ed15df7a7b298..80809ceba54221818bd937ff01b6 100644
---- a/hw/usb/host-stub.c
-+++ b/hw/usb/host-stub.c
-@@ -31,7 +31,6 @@
- */
-
- #include "qemu/osdep.h"
--#include "ui/console.h"
- #include "hw/usb.h"
- #include "monitor/monitor.h"
-
+++ /dev/null
-From: Li Qiang <liq3ea@163.com>
-Date: Wed, 12 Aug 2020 08:31:39 -0700
-Subject: hw: xhci: check return value of 'usb_packet_map'
-
-Git-commit: 21bc31524e8ca487e976f713b878d7338ee00df2
-References: bsc#1176673, CVE-2020-25084
-
-Currently we don't check the return value of 'usb_packet_map',
-this will cause an UAF issue. This is LP#1891341.
-Following is the reproducer provided in:
--->https://bugs.launchpad.net/qemu/+bug/1891341
-
-cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \
--trace usb\* -device usb-audio -device usb-storage,drive=mydrive \
--drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \
--nodefaults -nographic -qtest stdio
-outl 0xcf8 0x80001016
-outl 0xcfc 0x3c009f0d
-outl 0xcf8 0x80001004
-outl 0xcfc 0xc77695e
-writel 0x9f0d000000000040 0xffff3655
-writeq 0x9f0d000000002000 0xff2f9e0000000000
-write 0x1d 0x1 0x27
-write 0x2d 0x1 0x2e
-write 0x17232 0x1 0x03
-write 0x17254 0x1 0x06
-write 0x17278 0x1 0x34
-write 0x3d 0x1 0x27
-write 0x40 0x1 0x2e
-write 0x41 0x1 0x72
-write 0x42 0x1 0x01
-write 0x4d 0x1 0x2e
-write 0x4f 0x1 0x01
-writeq 0x9f0d000000002000 0x5c051a0100000000
-write 0x34001d 0x1 0x13
-write 0x340026 0x1 0x30
-write 0x340028 0x1 0x08
-write 0x34002c 0x1 0xfe
-write 0x34002d 0x1 0x08
-write 0x340037 0x1 0x5e
-write 0x34003a 0x1 0x05
-write 0x34003d 0x1 0x05
-write 0x34004d 0x1 0x13
-writeq 0x9f0d000000002000 0xff00010100400009
-EOF
-
-This patch fixes this.
-
-Buglink: https://bugs.launchpad.net/qemu/+bug/1891341
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Message-id: 20200812153139.15146-1-liq3ea@163.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/usb/hcd-xhci.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index 80988bb305a149f2974d329576a0..c84d7d7d5707b1e04f06d01df55c 100644
---- a/hw/usb/hcd-xhci.c
-+++ b/hw/usb/hcd-xhci.c
-@@ -1615,7 +1615,10 @@ static int xhci_setup_packet(XHCITransfer *xfer)
- xhci_xfer_create_sgl(xfer, dir == USB_TOKEN_IN); /* Also sets int_req */
- usb_packet_setup(&xfer->packet, dir, ep, xfer->streamid,
- xfer->trbs[0].addr, false, xfer->int_req);
-- usb_packet_map(&xfer->packet, &xfer->sgl);
-+ if (usb_packet_map(&xfer->packet, &xfer->sgl)) {
-+ qemu_sglist_destroy(&xfer->sgl);
-+ return -1;
-+ }
- DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
- xfer->packet.pid, ep->dev->addr, ep->nr);
- return 0;
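Review bot: `xhci_setup_packet()` can now fail after `usb_packet_setup()` has already initialised `xfer->packet`, and the `return -1` only closes the use-after-free described in the commit message if every caller checks the result and stops using the transfer. The callers are outside this hunk, so please confirm each of them handles -1. The failure path also returns before the `DPRINTF`, so nothing is logged when mapping fails; a trace point there would help when analysing reports like the one linked above.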
+++ /dev/null
-From: Cathy Zhang <cathy.zhang@intel.com>
-Date: Tue, 22 Oct 2019 15:35:26 +0800
-Subject: i386: Add MSR feature bit for MDS-NO
-
-Git-commit: 77b168d221191156c47fcd8d1c47329dfdb9439e
-References: jsc#SLE-7923
-
-Define MSR_ARCH_CAP_MDS_NO in the IA32_ARCH_CAPABILITIES MSR to allow
-CPU models to report the feature when host supports it.
-
-Signed-off-by: Cathy Zhang <cathy.zhang@intel.com>
-Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
-Reviewed-by: Tao Xu <tao3.xu@intel.com>
-Message-Id: <1571729728-23284-2-git-send-email-cathy.zhang@intel.com>
-Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/i386/cpu.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index cde2a16b941adeb1123d5d7411f3..39d37e12256069b92c7998590849 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -838,6 +838,7 @@ typedef uint64_t FeatureWordArray[FEATURE_WORDS];
- #define MSR_ARCH_CAP_RSBA (1U << 2)
- #define MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY (1U << 3)
- #define MSR_ARCH_CAP_SSB_NO (1U << 4)
-+#define MSR_ARCH_CAP_MDS_NO (1U << 5)
-
- #define MSR_CORE_CAP_SPLIT_LOCK_DETECT (1U << 5)
-
+++ /dev/null
-From: Cathy Zhang <cathy.zhang@intel.com>
-Date: Tue, 22 Oct 2019 15:35:27 +0800
-Subject: i386: Add macro for stibp
-
-Git-commit: 5af514d0cb314f43bc53f2aefb437f6451d64d0c
-References: jsc#SLE-7923
-
-stibp feature is already added through the following commit.
-https://github.com/qemu/qemu/commit/0e8916582991b9fd0b94850a8444b8b80d0a0955
-
-Add a macro for it to allow CPU models to report it when host supports.
-
-Signed-off-by: Cathy Zhang <cathy.zhang@intel.com>
-Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
-Reviewed-by: Tao Xu <tao3.xu@intel.com>
-Message-Id: <1571729728-23284-3-git-send-email-cathy.zhang@intel.com>
-Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/i386/cpu.h | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index 39d37e12256069b92c7998590849..af282936a785a25f651d0db1a8cf 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -771,6 +771,8 @@ typedef uint64_t FeatureWordArray[FEATURE_WORDS];
- #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3)
- /* Speculation Control */
- #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26)
-+/* Single Thread Indirect Branch Predictors */
-+#define CPUID_7_0_EDX_STIBP (1U << 27)
- /* Arch Capabilities */
- #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)
- /* Core Capability */
+++ /dev/null
-From: Cathy Zhang <cathy.zhang@intel.com>
-Date: Tue, 22 Oct 2019 15:35:28 +0800
-Subject: i386: Add new CPU model Cooperlake
-
-Git-commit: 22a866b6166db5caa4abaa6e656c2a431fa60726
-References: jsc#SLE-7923
-
-Cooper Lake is intel's successor to Cascade Lake, the new
-CPU model inherits features from Cascadelake-Server, while
-add one platform associated new feature: AVX512_BF16. Meanwhile,
-add STIBP for speculative execution.
-
-Signed-off-by: Cathy Zhang <cathy.zhang@intel.com>
-Reviewed-by: Xiaoyao Li <xiaoyao.li@intel.com>
-Reviewed-by: Tao Xu <tao3.xu@intel.com>
-Message-Id: <1571729728-23284-4-git-send-email-cathy.zhang@intel.com>
-Reviewed-by: Bruce Rogers <brogers@suse.com>
-Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/i386/cpu.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 60 insertions(+)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index 54e7f18a098c102d53ac8c768641..8a1993ac64bd763b7bb70c98b8b8 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -3159,6 +3159,66 @@ static X86CPUDefinition builtin_x86_defs[] = {
- { /* end of list */ }
- }
- },
-+ {
-+ .name = "Cooperlake",
-+ .level = 0xd,
-+ .vendor = CPUID_VENDOR_INTEL,
-+ .family = 6,
-+ .model = 85,
-+ .stepping = 10,
-+ .features[FEAT_1_EDX] =
-+ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
-+ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
-+ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
-+ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
-+ CPUID_DE | CPUID_FP87,
-+ .features[FEAT_1_ECX] =
-+ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
-+ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
-+ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
-+ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
-+ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
-+ CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
-+ .features[FEAT_8000_0001_EDX] =
-+ CPUID_EXT2_LM | CPUID_EXT2_PDPE1GB | CPUID_EXT2_RDTSCP |
-+ CPUID_EXT2_NX | CPUID_EXT2_SYSCALL,
-+ .features[FEAT_8000_0001_ECX] =
-+ CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH,
-+ .features[FEAT_7_0_EBX] =
-+ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
-+ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
-+ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
-+ CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX |
-+ CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_CLWB |
-+ CPUID_7_0_EBX_AVX512F | CPUID_7_0_EBX_AVX512DQ |
-+ CPUID_7_0_EBX_AVX512BW | CPUID_7_0_EBX_AVX512CD |
-+ CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT,
-+ .features[FEAT_7_0_ECX] =
-+ CPUID_7_0_ECX_PKU |
-+ CPUID_7_0_ECX_AVX512VNNI,
-+ .features[FEAT_7_0_EDX] =
-+ CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_STIBP |
-+ CPUID_7_0_EDX_SPEC_CTRL_SSBD | CPUID_7_0_EDX_ARCH_CAPABILITIES,
-+ .features[FEAT_ARCH_CAPABILITIES] =
-+ MSR_ARCH_CAP_RDCL_NO | MSR_ARCH_CAP_IBRS_ALL |
-+ MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY | MSR_ARCH_CAP_MDS_NO,
-+ .features[FEAT_7_1_EAX] =
-+ CPUID_7_1_EAX_AVX512_BF16,
-+ /*
-+ * Missing: XSAVES (not supported by some Linux versions,
-+ * including v4.1 to v4.12).
-+ * KVM doesn't yet expose any XSAVES state save component,
-+ * and the only one defined in Skylake (processor tracing)
-+ * probably will block migration anyway.
-+ */
-+ .features[FEAT_XSAVE] =
-+ CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC |
-+ CPUID_XSAVE_XGETBV1,
-+ .features[FEAT_6_EAX] =
-+ CPUID_6_EAX_ARAT,
-+ .xlevel = 0x80000008,
-+ .model_id = "Intel Xeon Processor (Cooperlake)",
-+ },
- {
- .name = "Icelake-Client",
- .level = 0xd,
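Review bot: the XSAVES comment near the end of the new "Cooperlake" entry still speaks of "the only one defined in Skylake (processor tracing)", so it reads as copied from another model; reword it for Cooperlake or say which model the remark is inherited from. Separately, FEAT_ARCH_CAPABILITIES advertises MSR_ARCH_CAP_RDCL_NO, MSR_ARCH_CAP_IBRS_ALL, MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY and MSR_ARCH_CAP_MDS_NO; a guest that sees those bits will skip the matching mitigations, so the commit message should state that they are correct for every host this model is meant to run on.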
+++ /dev/null
-From: Corey Minyard <cminyard@mvista.com>
-Date: Mon, 20 Jan 2020 11:07:25 -0600
-Subject: i386:acpi: Remove _HID from the SMBus ACPI entry
-
-Git-commit: aefcaf9d1b3ebb30981627bd08f595211a648a62
-
-Per the ACPI spec (version 6.1, section 6.1.5 _HID) it is not required
-on enumerated buses (like PCI in this case), _ADR is required (and is
-already there). And the _HID value is wrong. Linux appears to ignore
-the _HID entry, but Windows 10 detects it as 'Unknown Device' and there
-is no driver available. See https://bugs.launchpad.net/qemu/+bug/1856724
-
-Signed-off-by: Corey Minyard <cminyard@mvista.com>
-Cc: Michael S. Tsirkin <mst@redhat.com>
-Cc: Igor Mammedov <imammedo@redhat.com>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Message-Id: <20200120170725.24935-6-minyard@acm.org>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
-[BR: Binary patch part of commit was dropped]
----
- hw/i386/acpi-build.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
-index 90a9c2ce6f8c01221efc56f63f79..b1ad2cb79c09e6c9ffb232acfff1 100644
---- a/hw/i386/acpi-build.c
-+++ b/hw/i386/acpi-build.c
-@@ -1815,7 +1815,6 @@ static void build_smb0(Aml *table, I2CBus *smbus, int devnr, int func)
- Aml *scope = aml_scope("_SB.PCI0");
- Aml *dev = aml_device("SMB0");
-
-- aml_append(dev, aml_name_decl("_HID", aml_eisaid("APP0005")));
- aml_append(dev, aml_name_decl("_ADR", aml_int(devnr << 16 | func)));
- build_acpi_ipmi_devices(dev, BUS(smbus), "\\_SB.PCI0.SMB0");
- aml_append(scope, dev);
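Review bot: removing the `_HID` line changes the AML emitted by build_smb0(), and the message records "[BR: Binary patch part of commit was dropped]" without saying what that part was. Name the dropped files in the message and state whether anything in this tree still compares against the old SMB0 output.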
+++ /dev/null
-From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
-Date: Wed, 31 Jul 2013 17:05:29 +0200
-Subject: i8254: Fix migration from SLE11 SP2
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-References: bnc#812836
-
-qemu-kvm 0.15 had a VMSTATE_UINT32(flags, PITState) field that
-qemu 1.4 does not have.
-
-Signed-off-by: Andreas Färber <afaerber@suse.de>
----
- hw/timer/i8254_common.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/hw/timer/i8254_common.c b/hw/timer/i8254_common.c
-index 050875b49738809ac586ba9ed259..59aa28b8a72590e7fdda0feecefe 100644
---- a/hw/timer/i8254_common.c
-+++ b/hw/timer/i8254_common.c
-@@ -224,6 +224,12 @@ static int pit_dispatch_post_load(void *opaque, int version_id)
- return 0;
- }
-
-+static bool is_qemu_kvm(void *opaque, int version_id)
-+{
-+ /* HACK: We ignore incoming migration from upstream qemu */
-+ return version_id < 3;
-+}
-+
- static const VMStateDescription vmstate_pit_common = {
- .name = "i8254",
- .version_id = 3,
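Review bot: is_qemu_kvm() decides on version_id alone (`return version_id < 3;`), so every incoming stream older than version 3 is parsed as a qemu-kvm stream, including one produced by upstream qemu, which the HACK comment admits. Since a misclassified stream shifts every later field, name in the comment which stream versions qemu-kvm 0.15 and upstream actually used, so the next reader can tell whether the two can collide.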
-@@ -231,6 +237,7 @@ static const VMStateDescription vmstate_pit_common = {
- .pre_save = pit_dispatch_pre_save,
- .post_load = pit_dispatch_post_load,
- .fields = (VMStateField[]) {
-+ VMSTATE_UNUSED_TEST(is_qemu_kvm, 4),
- VMSTATE_UINT32_V(channels[0].irq_disabled, PITCommonState, 3),
- VMSTATE_STRUCT_ARRAY(channels, PITCommonState, 3, 2,
- vmstate_pit_channel, PITChannelState),
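Review bot: the `4` in `VMSTATE_UNUSED_TEST(is_qemu_kvm, 4)` is a bare byte count; going by the commit message it stands for the old `VMSTATE_UINT32(flags, PITState)` field, but nothing at the field list says so. Add a one-line comment there naming the skipped field and its size, and confirm that first position in the list matches where qemu-kvm 0.15 placed the field.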
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 1 Dec 2020 13:09:26 +0100
-Subject: ide: atapi: assert that the buffer pointer is in range
-
-Git-commit: 813212288970c39b1800f63e83ac6e96588095c6
-References: bsc#1181108, CVE-2020-29443
-
-A case was reported where s->io_buffer_index can be out of range.
-The report skimped on the details but it seems to be triggered
-by s->lba == -1 on the READ/READ CD paths (e.g. by sending an
-ATAPI command with LBA = 0xFFFFFFFF). For now paper over it
-with assertions. The first one ensures that there is no overflow
-when incrementing s->io_buffer_index, the second checks for the
-buffer overrun.
-
-Note that the buffer overrun is only a read, so I am not sure
-if the assertion failure is actually less harmful than the overrun.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-id: 20201201120926.56559-1-pbonzini@redhat.com
-Reviewed-by: Kevin Wolf <kwolf@redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/ide/atapi.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
-index 17a9d635d8426684512d2a37bfa6..5e9a60c4595262a451cdacf75fdf 100644
---- a/hw/ide/atapi.c
-+++ b/hw/ide/atapi.c
-@@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s)
- s->packet_transfer_size -= size;
- s->elementary_transfer_size -= size;
- s->io_buffer_index += size;
-+ assert(size <= s->io_buffer_total_len);
-+ assert(s->io_buffer_index <= s->io_buffer_total_len);
-
- /* Some adapters process PIO data right away. In that case, we need
- * to avoid mutual recursion between ide_transfer_start
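Review bot: both assertions run after `s->io_buffer_index += size;`, so the first one (`assert(size <= s->io_buffer_total_len);`) cannot do what the message says it does, namely rule out overflow of the increment: by the time it fires the addition has already happened. Move the `size` check above the increment. Also, as the message itself concedes, an ATAPI command with a guest-chosen LBA now aborts the process, so a follow-up that fails the command instead of asserting would be the better end state.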
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 11 Aug 2020 17:11:32 +0530
-Subject: imx7-ccm: add digprog mmio write method
-
-Git-commit: 735754aaa15a6ed46db51fd731e88331c446ea54
-References: bsc#1173612, CVE-2020-15469
-
-Add digprog mmio write method to avoid assert failure during
-initialisation.
-
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20200811114133.672647-9-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/misc/imx7_ccm.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/misc/imx7_ccm.c b/hw/misc/imx7_ccm.c
-index 02fc1ae8d09e30e8caed6aebdca1..075159e497b1a76b14a9ed041ba0 100644
---- a/hw/misc/imx7_ccm.c
-+++ b/hw/misc/imx7_ccm.c
-@@ -131,8 +131,16 @@ static const struct MemoryRegionOps imx7_set_clr_tog_ops = {
- },
- };
-
-+static void imx7_digprog_write(void *opaque, hwaddr addr,
-+ uint64_t data, unsigned size)
-+{
-+ qemu_log_mask(LOG_GUEST_ERROR,
-+ "Guest write to read-only ANALOG_DIGPROG register\n");
-+}
-+
- static const struct MemoryRegionOps imx7_digprog_ops = {
- .read = imx7_set_clr_tog_read,
-+ .write = imx7_digprog_write,
- .endianness = DEVICE_NATIVE_ENDIAN,
- .impl = {
- .min_access_size = 4,
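Review bot: imx7_digprog_write() logs a fixed string and drops `addr`, `data` and `size`, so a guest-error log cannot tell which offset in the region was written or with what value. Include the offset and value in the message, and say in the commit message why a missing `.write` callback led to the assert, since the hunk only shows the callback being filled in.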
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Fri, 17 May 2013 16:49:58 -0600
-Subject: increase x86_64 physical bits to 42
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Allow for guests with higher amounts of ram. The current thought
-is that 2TB specified on qemu commandline would be an appropriate
-limit. Note that this requires the next higher bit value since
-the highest address is actually more than 2TB due to the pci
-memory hole.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
-Signed-off-by: Andreas Färber <afaerber@suse.de>
----
- target/i386/cpu.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index 7bfbf2a5e57d09dfbe8d02d0db1d..f89096d618bbc8433774769452ea 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -1937,7 +1937,7 @@ uint64_t cpu_get_tsc(CPUX86State *env);
- /* XXX: This value should match the one returned by CPUID
- * and in exec.c */
- # if defined(TARGET_X86_64)
--# define TCG_PHYS_ADDR_BITS 40
-+# define TCG_PHYS_ADDR_BITS 42
- # else
- # define TCG_PHYS_ADDR_BITS 36
- # endif
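Review bot: the context comment directly above the changed line says this value "should match the one returned by CPUID and in exec.c", yet the patch touches only target/i386/cpu.h (1 insertion, 1 deletion). Either update the other two places in the same patch or state in the message why 42 here stays consistent with them.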
+++ /dev/null
-From: Thomas Huth <thuth@redhat.com>
-Date: Wed, 4 Dec 2019 16:46:12 +0100
-Subject: iotests: Provide a function for checking the creation of huge files
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 30729ae93b7e123e472a2d42792134ae39bf9df0
-
-Some tests create huge (but sparse) files, and to be able to run those
-tests in certain limited environments (like CI containers), we have to
-check for the possibility to create such files first. Thus let's introduce
-a common function to check for large files, and replace the already
-existing checks in the iotests 005 and 220 with this function.
-
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Reviewed-by: Cleber Rosa <crosa@redhat.com>
-Tested-by: Cleber Rosa <crosa@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-Id: <20191204154618.23560-2-thuth@redhat.com>
-Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- tests/qemu-iotests/005 | 5 +----
- tests/qemu-iotests/220 | 6 ++----
- tests/qemu-iotests/common.rc | 10 ++++++++++
- 3 files changed, 13 insertions(+), 8 deletions(-)
-
-diff --git a/tests/qemu-iotests/005 b/tests/qemu-iotests/005
-index 58442762fe366d0f5eb9bf7a1860..b6d03ac37deabcbf6372ffb17113 100755
---- a/tests/qemu-iotests/005
-+++ b/tests/qemu-iotests/005
-@@ -59,10 +59,7 @@ fi
- # Sanity check: For raw, we require a file system that permits the creation
- # of a HUGE (but very sparse) file. Check we can create it before continuing.
- if [ "$IMGFMT" = "raw" ]; then
-- if ! truncate --size=5T "$TEST_IMG"; then
-- _notrun "file system on $TEST_DIR does not support large enough files"
-- fi
-- rm "$TEST_IMG"
-+ _require_large_file 5T
- fi
-
- echo
-diff --git a/tests/qemu-iotests/220 b/tests/qemu-iotests/220
-index 2d62c5dcac2a258ed82cd4bca775..15159270d33550e4649a25fe772e 100755
---- a/tests/qemu-iotests/220
-+++ b/tests/qemu-iotests/220
-@@ -42,10 +42,8 @@ echo "== Creating huge file =="
-
- # Sanity check: We require a file system that permits the creation
- # of a HUGE (but very sparse) file. tmpfs works, ext4 does not.
--if ! truncate --size=513T "$TEST_IMG"; then
-- _notrun "file system on $TEST_DIR does not support large enough files"
--fi
--rm "$TEST_IMG"
-+_require_large_file 513T
-+
- IMGOPTS='cluster_size=2M,refcount_bits=1' _make_test_img 513T
-
- echo "== Populating refcounts =="
-diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc
-index 538eb349e69e07d2401ef9aeef2a..315a9a8a4690d68abc0eb5fa83fd 100644
---- a/tests/qemu-iotests/common.rc
-+++ b/tests/qemu-iotests/common.rc
-@@ -656,5 +656,15 @@ _require_drivers()
- done
- }
-
-+# Check that we have a file system that allows huge (but very sparse) files
-+#
-+_require_large_file()
-+{
-+ if ! truncate --size="$1" "$TEST_IMG"; then
-+ _notrun "file system on $TEST_DIR does not support large enough files"
-+ fi
-+ rm "$TEST_IMG"
-+}
-+
- # make sure this script returns success
- true
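Review bot: _require_large_file() never checks that it was given a size: with `$1` empty, `truncate --size=""` fails and the test is skipped with "file system on $TEST_DIR does not support large enough files", which hides a caller bug as an environment limit. Reject an empty argument explicitly. If `_notrun` exits, the `rm "$TEST_IMG"` after the `if` is only reached on success, so a file left behind by a failed truncate is never removed; an `rm -f` inside the failure branch before `_notrun` would cover that.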
+++ /dev/null
-From: Thomas Huth <thuth@redhat.com>
-Date: Mon, 2 Dec 2019 11:16:30 +0100
-Subject: iotests: Skip test 060 if it is not possible to create large files
-
-Git-commit: efd0e5a1215bbdfd28168485800f5cfec9735cf8
-
-Test 060 fails in the arm64, s390x and ppc64le LXD containers on Travis
-(which we will hopefully enable in our CI soon). These containers
-apparently do not allow large files to be created. The repair process
-in test 060 creates a file of 64 GiB, so test first whether such large
-files are possible and skip the test if that's not the case.
-
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- tests/qemu-iotests/060 | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/tests/qemu-iotests/060 b/tests/qemu-iotests/060
-index b91d8321bb8d20d1033a3081acf4..d96f17a4846979aa3cb86c8388fa 100755
---- a/tests/qemu-iotests/060
-+++ b/tests/qemu-iotests/060
-@@ -49,6 +49,9 @@ _supported_fmt qcow2
- _supported_proto file
- _supported_os Linux
-
-+# The repair process will create a large file - so check for availability first
-+_require_large_file 64G
-+
- rt_offset=65536 # 0x10000 (XXX: just an assumption)
- rb_offset=131072 # 0x20000 (XXX: just an assumption)
- l1_offset=196608 # 0x30000 (XXX: just an assumption)
+++ /dev/null
-From: Thomas Huth <thuth@redhat.com>
-Date: Mon, 2 Dec 2019 11:16:31 +0100
-Subject: iotests: Skip test 079 if it is not possible to create large files
-
-Git-commit: e28582fdb28b2e8b29a351c20b0c8f1af4120688
-
-Test 079 fails in the arm64, s390x and ppc64le LXD containers on Travis
-(which we will hopefully enable in our CI soon). These containers
-apparently do not allow large files to be created. Test 079 tries to
-create a 4G sparse file, which is apparently already too big for these
-containers, so check first whether we can really create such files before
-executing the test.
-
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- tests/qemu-iotests/079 | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/tests/qemu-iotests/079 b/tests/qemu-iotests/079
-index 81f0c21f530287b2c833eefd735d..78536d3bbfa01fc0575d31d1f680 100755
---- a/tests/qemu-iotests/079
-+++ b/tests/qemu-iotests/079
-@@ -39,6 +39,9 @@ trap "_cleanup; exit \$status" 0 1 2 3 15
- _supported_fmt qcow2
- _supported_proto file nfs
-
-+# Some containers (e.g. non-x86 on Travis) do not allow large files
-+_require_large_file 4G
-+
- echo "=== Check option preallocation and cluster_size ==="
- echo
- cluster_sizes="16384 32768 65536 131072 262144 524288 1048576 2097152 4194304"
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Thu, 27 Jun 2019 10:15:24 -0600
-Subject: ipxe:Makefile: fix issues of build reproducibility
-
-References: bsc#1011213
-
-It is desirable to produce the same bits on subsequent
-builds when the actual code of the package doesn't
-change. (bsc#1011213)
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- src/Makefile.housekeeping | 13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping
-index f8334921b8b93cbd03f0a0de9910..97fa325bb52314e05192d0414436 100644
---- a/roms/ipxe/src/Makefile.housekeeping
-+++ b/roms/ipxe/src/Makefile.housekeeping
-@@ -1162,11 +1162,18 @@ blib : $(BLIB)
- # Command to generate build ID. Must be unique for each $(BIN)/%.tmp,
- # even within the same build run.
- #
--BUILD_ID_CMD := perl -e 'printf "0x%08x", int ( rand ( 0xffffffff ) );'
-+# NB: In the case of the SUSE qemu-ipxe package we want reproducible
-+# builds, so we just use the TGT_ROM_NAME variable, which is already
-+# a unique (in the context of the files we generate) hex value suitable
-+# for specifying the build_id. We no longer define a BUILD_ID_CMD, as
-+# we need to use the TGT_ROM_NAME variable directly in the link command
-
- # Build timestamp
- #
--BUILD_TIMESTAMP := $(shell date +%s)
-+# NB: In the case of the SUSE qemu-ipxe package we want reproducible
-+# builds, so we use a pre-determined timestamp, rather than the current
-+# timestamp
-+BUILD_TIMESTAMP := $(PACKAGING_TIMESTAMP)
-
- # Build version
- #
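Review bot: `BUILD_TIMESTAMP := $(PACKAGING_TIMESTAMP)` has no fallback, so a build that does not set PACKAGING_TIMESTAMP expands to an empty `--defsym _build_timestamp=` in the link rule. Fail early with a clear message when the variable is unset, or default it. The retained comment "Must be unique for each $(BIN)/%.tmp, even within the same build run" now describes a command that no longer exists; fold it into the new NB text.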
-@@ -1186,7 +1193,7 @@ $(BIN)/version.%.o : core/version.c $(MAKEDEPS) $(GIT_INDEX)
- $(BIN)/%.tmp : $(BIN)/version.%.o $(BLIB) $(MAKEDEPS) $(LDSCRIPT)
- $(QM)$(ECHO) " [LD] $@"
- $(Q)$(LD) $(LDFLAGS) -T $(LDSCRIPT) $(TGT_LD_FLAGS) $< $(BLIB) -o $@ \
-- --defsym _build_id=`$(BUILD_ID_CMD)` \
-+ --defsym _build_id=`$(PRINTF) "0x%b" "$(TGT_ROM_NAME)"` \
- --defsym _build_timestamp=$(BUILD_TIMESTAMP) \
- -Map $(BIN)/$*.tmp.map
- $(Q)$(OBJDUMP) -ht $@ | $(PERL) $(SORTOBJDUMP) >> $(BIN)/$*.tmp.map
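Review bot: `$(PRINTF) "0x%b" "$(TGT_ROM_NAME)"` uses `%b`, which only expands backslash escapes and neither validates nor converts to hex, so the result is a usable `_build_id` only if TGT_ROM_NAME is already a non-empty string of hex digits for every target this rule links. State where that is guaranteed, or check the value before linking.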
+++ /dev/null
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Mon, 1 Mar 2021 14:35:30 -0500
-Subject: lan9118: switch to use qemu_receive_packet() for loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 37cee01784ff0df13e5209517e1b3594a5e792d1
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/net/lan9118.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
-index ed551f2178b005864f3a53f1891c..7bb4633f0fb826cdb5ca63c68ce1 100644
---- a/hw/net/lan9118.c
-+++ b/hw/net/lan9118.c
-@@ -667,7 +667,7 @@ static void do_tx_packet(lan9118_state *s)
- /* FIXME: Honor TX disable, and allow queueing of packets. */
- if (s->phy_control & 0x4000) {
- /* This assumes the receive routine doesn't touch the VLANClient. */
-- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
-+ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
- } else {
- qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
- }
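Review bot: the comment kept above the changed call, "This assumes the receive routine doesn't touch the VLANClient.", was written for the direct `lan9118_receive()` call; with the loopback now going through `qemu_receive_packet()` it should be updated or dropped so it does not describe the old path. The message says the new call "can detect reentrancy and return early"; a short comment at the call site saying that a dropped loopback frame is the expected outcome in that case would help the next reader.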
+++ /dev/null
-From: Greg Kurz <groug@kaod.org>
-Date: Tue, 26 Nov 2019 17:46:17 +0100
-Subject: linux-headers: Update against Linux 5.5-1
-
-Git-commit: 2a886794f1969020845d0085a41a884e01b357df
-References: bsc#1179719
-
-Update to mainline commit be2eca94d144 ("Merge tag 'for-linus-5.5-1'`
-of git://github.com/cminyard/linux-ipmi")
-
-Signed-off-by: Greg Kurz <groug@kaod.org>
-Message-Id: <157478677756.67101.11558821804418331832.stgit@bahia.tlslab.ibm.com>
-Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- include/standard-headers/linux/ethtool.h | 6 ++++++
- include/standard-headers/linux/virtio_ring.h | 2 +-
- linux-headers/asm-arm/kvm.h | 3 ++-
- linux-headers/asm-arm64/kvm.h | 5 ++++-
- linux-headers/asm-mips/unistd_n32.h | 1 +
- linux-headers/asm-mips/unistd_n64.h | 1 +
- linux-headers/asm-mips/unistd_o32.h | 1 +
- linux-headers/asm-powerpc/kvm.h | 3 +++
- linux-headers/linux/kvm.h | 11 +++++++++++
- linux-headers/linux/psp-sev.h | 3 +++
- 10 files changed, 33 insertions(+), 3 deletions(-)
-
-diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h
-index 4ff422b635dbf02859b8665612cc..6e8a10ee10751b19ccaad191d38c 100644
---- a/include/standard-headers/linux/ethtool.h
-+++ b/include/standard-headers/linux/ethtool.h
-@@ -1507,6 +1507,11 @@ enum ethtool_link_mode_bit_indices {
- ETHTOOL_LINK_MODE_200000baseCR4_Full_BIT = 66,
- ETHTOOL_LINK_MODE_100baseT1_Full_BIT = 67,
- ETHTOOL_LINK_MODE_1000baseT1_Full_BIT = 68,
-+ ETHTOOL_LINK_MODE_400000baseKR8_Full_BIT = 69,
-+ ETHTOOL_LINK_MODE_400000baseSR8_Full_BIT = 70,
-+ ETHTOOL_LINK_MODE_400000baseLR8_ER8_FR8_Full_BIT = 71,
-+ ETHTOOL_LINK_MODE_400000baseDR8_Full_BIT = 72,
-+ ETHTOOL_LINK_MODE_400000baseCR8_Full_BIT = 73,
-
- /* must be last entry */
- __ETHTOOL_LINK_MODE_MASK_NBITS
-@@ -1618,6 +1623,7 @@ enum ethtool_link_mode_bit_indices {
- #define SPEED_56000 56000
- #define SPEED_100000 100000
- #define SPEED_200000 200000
-+#define SPEED_400000 400000
-
- #define SPEED_UNKNOWN -1
-
-diff --git a/include/standard-headers/linux/virtio_ring.h b/include/standard-headers/linux/virtio_ring.h
-index 306cd41147be7a21c1fa9db6a98e..f230fed479601c06c40b1a82aae1 100644
---- a/include/standard-headers/linux/virtio_ring.h
-+++ b/include/standard-headers/linux/virtio_ring.h
-@@ -167,7 +167,7 @@ static inline void vring_init(struct vring *vr, unsigned int num, void *p,
- {
- vr->num = num;
- vr->desc = p;
-- vr->avail = p + num*sizeof(struct vring_desc);
-+ vr->avail = (struct vring_avail *)((char *)p + num * sizeof(struct vring_desc));
- vr->used = (void *)(((uintptr_t)&vr->avail->ring[num] + sizeof(__virtio16)
- + align-1) & ~(align - 1));
- }
-diff --git a/linux-headers/asm-arm/kvm.h b/linux-headers/asm-arm/kvm.h
-index 9d379d337298a8ac9025e2bf6078..0db5644e27afbe44012af7c3182c 100644
---- a/linux-headers/asm-arm/kvm.h
-+++ b/linux-headers/asm-arm/kvm.h
-@@ -131,8 +131,9 @@ struct kvm_vcpu_events {
- struct {
- __u8 serror_pending;
- __u8 serror_has_esr;
-+ __u8 ext_dabt_pending;
- /* Align it to 8 bytes */
-- __u8 pad[6];
-+ __u8 pad[5];
- __u64 serror_esr;
- } exception;
- __u32 reserved[12];
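Review bot: `ext_dabt_pending` takes the byte that used to be `pad[0]` (the pad shrinks from 6 to 5), so the struct size is unchanged but a byte that callers could previously leave as padding now carries meaning. Check that every user of `struct kvm_vcpu_events` in this tree zero-initialises the structure before filling it; the same applies to the identical change in asm-arm64/kvm.h.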
-diff --git a/linux-headers/asm-arm64/kvm.h b/linux-headers/asm-arm64/kvm.h
-index 0ce6e49f3a19f1e5edb95c1b8a1f..920af01c8b9029db521c55e93aaa 100644
---- a/linux-headers/asm-arm64/kvm.h
-+++ b/linux-headers/asm-arm64/kvm.h
-@@ -164,8 +164,9 @@ struct kvm_vcpu_events {
- struct {
- __u8 serror_pending;
- __u8 serror_has_esr;
-+ __u8 ext_dabt_pending;
- /* Align it to 8 bytes */
-- __u8 pad[6];
-+ __u8 pad[5];
- __u64 serror_esr;
- } exception;
- __u32 reserved[12];
-@@ -323,6 +324,8 @@ struct kvm_vcpu_events {
- #define KVM_ARM_VCPU_TIMER_CTRL 1
- #define KVM_ARM_VCPU_TIMER_IRQ_VTIMER 0
- #define KVM_ARM_VCPU_TIMER_IRQ_PTIMER 1
-+#define KVM_ARM_VCPU_PVTIME_CTRL 2
-+#define KVM_ARM_VCPU_PVTIME_IPA 0
-
- /* KVM_IRQ_LINE irq field index values */
- #define KVM_ARM_IRQ_VCPU2_SHIFT 28
-diff --git a/linux-headers/asm-mips/unistd_n32.h b/linux-headers/asm-mips/unistd_n32.h
-index 7dffe8e34e6316d8e05b37ee61fb..659d5c9ade4747959ec9b64c7ad7 100644
---- a/linux-headers/asm-mips/unistd_n32.h
-+++ b/linux-headers/asm-mips/unistd_n32.h
-@@ -364,6 +364,7 @@
- #define __NR_fsmount (__NR_Linux + 432)
- #define __NR_fspick (__NR_Linux + 433)
- #define __NR_pidfd_open (__NR_Linux + 434)
-+#define __NR_clone3 (__NR_Linux + 435)
-
-
- #endif /* _ASM_MIPS_UNISTD_N32_H */
-diff --git a/linux-headers/asm-mips/unistd_n64.h b/linux-headers/asm-mips/unistd_n64.h
-index f4592d6fc50c8624b299b489e47c..4b6310a05c235087cbf6f09b558d 100644
---- a/linux-headers/asm-mips/unistd_n64.h
-+++ b/linux-headers/asm-mips/unistd_n64.h
-@@ -340,6 +340,7 @@
- #define __NR_fsmount (__NR_Linux + 432)
- #define __NR_fspick (__NR_Linux + 433)
- #define __NR_pidfd_open (__NR_Linux + 434)
-+#define __NR_clone3 (__NR_Linux + 435)
-
-
- #endif /* _ASM_MIPS_UNISTD_N64_H */
-diff --git a/linux-headers/asm-mips/unistd_o32.h b/linux-headers/asm-mips/unistd_o32.h
-index 04c6728352a548f07f12fde93db2..4ce7b4e288a53503422a21719e92 100644
---- a/linux-headers/asm-mips/unistd_o32.h
-+++ b/linux-headers/asm-mips/unistd_o32.h
-@@ -410,6 +410,7 @@
- #define __NR_fsmount (__NR_Linux + 432)
- #define __NR_fspick (__NR_Linux + 433)
- #define __NR_pidfd_open (__NR_Linux + 434)
-+#define __NR_clone3 (__NR_Linux + 435)
-
-
- #endif /* _ASM_MIPS_UNISTD_O32_H */
-diff --git a/linux-headers/asm-powerpc/kvm.h b/linux-headers/asm-powerpc/kvm.h
-index b0f72dea8b11ac689c990971dbf7..264e266a85bf6a99c5b27b47733a 100644
---- a/linux-headers/asm-powerpc/kvm.h
-+++ b/linux-headers/asm-powerpc/kvm.h
-@@ -667,6 +667,8 @@ struct kvm_ppc_cpu_char {
-
- /* PPC64 eXternal Interrupt Controller Specification */
- #define KVM_DEV_XICS_GRP_SOURCES 1 /* 64-bit source attributes */
-+#define KVM_DEV_XICS_GRP_CTRL 2
-+#define KVM_DEV_XICS_NR_SERVERS 1
-
- /* Layout of 64-bit source attribute values */
- #define KVM_XICS_DESTINATION_SHIFT 0
-@@ -683,6 +685,7 @@ struct kvm_ppc_cpu_char {
- #define KVM_DEV_XIVE_GRP_CTRL 1
- #define KVM_DEV_XIVE_RESET 1
- #define KVM_DEV_XIVE_EQ_SYNC 2
-+#define KVM_DEV_XIVE_NR_SERVERS 3
- #define KVM_DEV_XIVE_GRP_SOURCE 2 /* 64-bit source identifier */
- #define KVM_DEV_XIVE_GRP_SOURCE_CONFIG 3 /* 64-bit source identifier */
- #define KVM_DEV_XIVE_GRP_EQ_CONFIG 4 /* 64-bit EQ identifier */
-diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
-index 3d9b18f7f871acd0d13a0c42f184..3b27a1ae85cc144fd92ecd0e2352 100644
---- a/linux-headers/linux/kvm.h
-+++ b/linux-headers/linux/kvm.h
-@@ -235,6 +235,7 @@ struct kvm_hyperv_exit {
- #define KVM_EXIT_S390_STSI 25
- #define KVM_EXIT_IOAPIC_EOI 26
- #define KVM_EXIT_HYPERV 27
-+#define KVM_EXIT_ARM_NISV 28
-
- /* For KVM_EXIT_INTERNAL_ERROR */
- /* Emulate instruction failed. */
-@@ -394,6 +395,11 @@ struct kvm_run {
- } eoi;
- /* KVM_EXIT_HYPERV */
- struct kvm_hyperv_exit hyperv;
-+ /* KVM_EXIT_ARM_NISV */
-+ struct {
-+ __u64 esr_iss;
-+ __u64 fault_ipa;
-+ } arm_nisv;
- /* Fix the size of the union. */
- char padding[256];
- };
-@@ -1000,6 +1006,9 @@ struct kvm_ppc_resize_hpt {
- #define KVM_CAP_PMU_EVENT_FILTER 173
- #define KVM_CAP_ARM_IRQ_LINE_LAYOUT_2 174
- #define KVM_CAP_HYPERV_DIRECT_TLBFLUSH 175
-+#define KVM_CAP_PPC_GUEST_DEBUG_SSTEP 176
-+#define KVM_CAP_ARM_NISV_TO_USER 177
-+#define KVM_CAP_ARM_INJECT_EXT_DABT 178
-
- #ifdef KVM_CAP_IRQ_ROUTING
-
-@@ -1227,6 +1236,8 @@ enum kvm_device_type {
- #define KVM_DEV_TYPE_ARM_VGIC_ITS KVM_DEV_TYPE_ARM_VGIC_ITS
- KVM_DEV_TYPE_XIVE,
- #define KVM_DEV_TYPE_XIVE KVM_DEV_TYPE_XIVE
-+ KVM_DEV_TYPE_ARM_PV_TIME,
-+#define KVM_DEV_TYPE_ARM_PV_TIME KVM_DEV_TYPE_ARM_PV_TIME
- KVM_DEV_TYPE_MAX,
- };
-
-diff --git a/linux-headers/linux/psp-sev.h b/linux-headers/linux/psp-sev.h
-index 34c39690c09d61e88603f49ab5f1..31f971e89659b667eccc0d089599 100644
---- a/linux-headers/linux/psp-sev.h
-+++ b/linux-headers/linux/psp-sev.h
-@@ -58,6 +58,9 @@ typedef enum {
- SEV_RET_HWSEV_RET_PLATFORM,
- SEV_RET_HWSEV_RET_UNSAFE,
- SEV_RET_UNSUPPORTED,
-+ SEV_RET_INVALID_PARAM,
-+ SEV_RET_RESOURCE_LIMIT,
-+ SEV_RET_SECURE_DATA_INVALID,
- SEV_RET_MAX,
- } sev_ret_code;
-
+++ /dev/null
-From: Bharata B Rao <bharata@linux.ibm.com>
-Date: Thu, 19 Dec 2019 08:44:44 +0530
-Subject: linux-headers: Update against Linux 5.5-rc2
-
-Git-commit: 50fd0c375bef09d22b6828972c4ed4f945c95ed8
-References: bsc#1179719
-
-Update to mainline commit: d1eef1c61974 ("Linux 5.5-rc2")
-
-Signed-off-by: Bharata B Rao <bharata@linux.ibm.com>
-Message-Id: <20191219031445.8949-2-bharata@linux.ibm.com>
-Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- include/standard-headers/asm-x86/bootparam.h | 7 +-
- .../infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h | 15 +++-
- include/standard-headers/drm/drm_fourcc.h | 28 ++++++-
- .../linux/input-event-codes.h | 77 +++++++++++++++++++
- include/standard-headers/linux/pci_regs.h | 3 +
- .../standard-headers/rdma/vmw_pvrdma-abi.h | 5 ++
- linux-headers/linux/kvm.h | 1 +
- 7 files changed, 132 insertions(+), 4 deletions(-)
-
-diff --git a/include/standard-headers/asm-x86/bootparam.h b/include/standard-headers/asm-x86/bootparam.h
-index a6f7cf535e1efe94f6c1f43c99a7..072e2ed5463ce4d72b1944812536 100644
---- a/include/standard-headers/asm-x86/bootparam.h
-+++ b/include/standard-headers/asm-x86/bootparam.h
-@@ -2,7 +2,7 @@
- #ifndef _ASM_X86_BOOTPARAM_H
- #define _ASM_X86_BOOTPARAM_H
-
--/* setup_data types */
-+/* setup_data/setup_indirect types */
- #define SETUP_NONE 0
- #define SETUP_E820_EXT 1
- #define SETUP_DTB 2
-@@ -11,6 +11,11 @@
- #define SETUP_APPLE_PROPERTIES 5
- #define SETUP_JAILHOUSE 6
-
-+#define SETUP_INDIRECT (1<<31)
-+
-+/* SETUP_INDIRECT | max(SETUP_*) */
-+#define SETUP_TYPE_MAX (SETUP_INDIRECT | SETUP_JAILHOUSE)
-+
- /* ram_size flags */
- #define RAMDISK_IMAGE_START_MASK 0x07FF
- #define RAMDISK_PROMPT_FLAG 0x8000
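Review bot: `#define SETUP_INDIRECT (1<<31)` shifts a signed int into its sign bit, which is exactly what this same patch corrects for DRM_FORMAT_BIG_ENDIAN in drm_fourcc.h by changing `(1<<31)` to `(1U<<31)`. Since these headers are imported, raise it with the source of the header rather than patching the copy, and avoid using SETUP_TYPE_MAX in signed comparisons meanwhile.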
-diff --git a/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h b/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h
-index d019872608d504437b3dd8644284..a5a1c8234ef9fec923496a35c94c 100644
---- a/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h
-+++ b/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h
-@@ -58,7 +58,8 @@
- #define PVRDMA_ROCEV1_VERSION 17
- #define PVRDMA_ROCEV2_VERSION 18
- #define PVRDMA_PPN64_VERSION 19
--#define PVRDMA_VERSION PVRDMA_PPN64_VERSION
-+#define PVRDMA_QPHANDLE_VERSION 20
-+#define PVRDMA_VERSION PVRDMA_QPHANDLE_VERSION
-
- #define PVRDMA_BOARD_ID 1
- #define PVRDMA_REV_ID 1
-@@ -581,6 +582,17 @@ struct pvrdma_cmd_create_qp_resp {
- uint32_t max_inline_data;
- };
-
-+struct pvrdma_cmd_create_qp_resp_v2 {
-+ struct pvrdma_cmd_resp_hdr hdr;
-+ uint32_t qpn;
-+ uint32_t qp_handle;
-+ uint32_t max_send_wr;
-+ uint32_t max_recv_wr;
-+ uint32_t max_send_sge;
-+ uint32_t max_recv_sge;
-+ uint32_t max_inline_data;
-+};
-+
- struct pvrdma_cmd_modify_qp {
- struct pvrdma_cmd_hdr hdr;
- uint32_t qp_handle;
-@@ -663,6 +675,7 @@ union pvrdma_cmd_resp {
- struct pvrdma_cmd_create_cq_resp create_cq_resp;
- struct pvrdma_cmd_resize_cq_resp resize_cq_resp;
- struct pvrdma_cmd_create_qp_resp create_qp_resp;
-+ struct pvrdma_cmd_create_qp_resp_v2 create_qp_resp_v2;
- struct pvrdma_cmd_query_qp_resp query_qp_resp;
- struct pvrdma_cmd_destroy_qp_resp destroy_qp_resp;
- struct pvrdma_cmd_create_srq_resp create_srq_resp;
-diff --git a/include/standard-headers/drm/drm_fourcc.h b/include/standard-headers/drm/drm_fourcc.h
-index a308c91b4f543255334fd039c6d3..46d279f51586bcbc097cc7f67347 100644
---- a/include/standard-headers/drm/drm_fourcc.h
-+++ b/include/standard-headers/drm/drm_fourcc.h
-@@ -68,7 +68,7 @@ extern "C" {
- #define fourcc_code(a, b, c, d) ((uint32_t)(a) | ((uint32_t)(b) << 8) | \
- ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24))
-
--#define DRM_FORMAT_BIG_ENDIAN (1<<31) /* format is big endian instead of little endian */
-+#define DRM_FORMAT_BIG_ENDIAN (1U<<31) /* format is big endian instead of little endian */
-
- /* Reserve 0 for the invalid format specifier */
- #define DRM_FORMAT_INVALID 0
-@@ -647,7 +647,21 @@ extern "C" {
- * Further information on the use of AFBC modifiers can be found in
- * Documentation/gpu/afbc.rst
- */
--#define DRM_FORMAT_MOD_ARM_AFBC(__afbc_mode) fourcc_mod_code(ARM, __afbc_mode)
-+
-+/*
-+ * The top 4 bits (out of the 56 bits alloted for specifying vendor specific
-+ * modifiers) denote the category for modifiers. Currently we have only two
-+ * categories of modifiers ie AFBC and MISC. We can have a maximum of sixteen
-+ * different categories.
-+ */
-+#define DRM_FORMAT_MOD_ARM_CODE(__type, __val) \
-+ fourcc_mod_code(ARM, ((uint64_t)(__type) << 52) | ((__val) & 0x000fffffffffffffULL))
-+
-+#define DRM_FORMAT_MOD_ARM_TYPE_AFBC 0x00
-+#define DRM_FORMAT_MOD_ARM_TYPE_MISC 0x01
-+
-+#define DRM_FORMAT_MOD_ARM_AFBC(__afbc_mode) \
-+ DRM_FORMAT_MOD_ARM_CODE(DRM_FORMAT_MOD_ARM_TYPE_AFBC, __afbc_mode)
-
- /*
- * AFBC superblock size
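Review bot: DRM_FORMAT_MOD_ARM_CODE masks __val to 52 bits but shifts __type left by 52 without masking it, so a __type above 0xf spills past the 56 bits the comment reserves for vendor-specific modifiers. Since the comment limits the category to the top 4 bits, masking it as well, e.g. (((uint64_t)(__type) & 0xf) << 52), would keep the macro within its documented field. Minor: "alloted" in the comment should be "allotted".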
-@@ -741,6 +755,16 @@ extern "C" {
- */
- #define AFBC_FORMAT_MOD_BCH (1ULL << 11)
-
-+/*
-+ * Arm 16x16 Block U-Interleaved modifier
-+ *
-+ * This is used by Arm Mali Utgard and Midgard GPUs. It divides the image
-+ * into 16x16 pixel blocks. Blocks are stored linearly in order, but pixels
-+ * in the block are reordered.
-+ */
-+#define DRM_FORMAT_MOD_ARM_16X16_BLOCK_U_INTERLEAVED \
-+ DRM_FORMAT_MOD_ARM_CODE(DRM_FORMAT_MOD_ARM_TYPE_MISC, 1ULL)
-+
- /*
- * Allwinner tiled modifier
- *
-diff --git a/include/standard-headers/linux/input-event-codes.h b/include/standard-headers/linux/input-event-codes.h
-index eb08cb8598106f97fe1fc3b44e2d..b484c252897fd1183f30249987e4 100644
---- a/include/standard-headers/linux/input-event-codes.h
-+++ b/include/standard-headers/linux/input-event-codes.h
-@@ -649,6 +649,83 @@
- */
- #define KEY_DATA 0x277
- #define KEY_ONSCREEN_KEYBOARD 0x278
-+/* Electronic privacy screen control */
-+#define KEY_PRIVACY_SCREEN_TOGGLE 0x279
-+
-+/*
-+ * Some keyboards have keys which do not have a defined meaning, these keys
-+ * are intended to be programmed / bound to macros by the user. For most
-+ * keyboards with these macro-keys the key-sequence to inject, or action to
-+ * take, is all handled by software on the host side. So from the kernel's
-+ * point of view these are just normal keys.
-+ *
-+ * The KEY_MACRO# codes below are intended for such keys, which may be labeled
-+ * e.g. G1-G18, or S1 - S30. The KEY_MACRO# codes MUST NOT be used for keys
-+ * where the marking on the key does indicate a defined meaning / purpose.
-+ *
-+ * The KEY_MACRO# codes MUST also NOT be used as fallback for when no existing
-+ * KEY_FOO define matches the marking / purpose. In this case a new KEY_FOO
-+ * define MUST be added.
-+ */
-+#define KEY_MACRO1 0x290
-+#define KEY_MACRO2 0x291
-+#define KEY_MACRO3 0x292
-+#define KEY_MACRO4 0x293
-+#define KEY_MACRO5 0x294
-+#define KEY_MACRO6 0x295
-+#define KEY_MACRO7 0x296
-+#define KEY_MACRO8 0x297
-+#define KEY_MACRO9 0x298
-+#define KEY_MACRO10 0x299
-+#define KEY_MACRO11 0x29a
-+#define KEY_MACRO12 0x29b
-+#define KEY_MACRO13 0x29c
-+#define KEY_MACRO14 0x29d
-+#define KEY_MACRO15 0x29e
-+#define KEY_MACRO16 0x29f
-+#define KEY_MACRO17 0x2a0
-+#define KEY_MACRO18 0x2a1
-+#define KEY_MACRO19 0x2a2
-+#define KEY_MACRO20 0x2a3
-+#define KEY_MACRO21 0x2a4
-+#define KEY_MACRO22 0x2a5
-+#define KEY_MACRO23 0x2a6
-+#define KEY_MACRO24 0x2a7
-+#define KEY_MACRO25 0x2a8
-+#define KEY_MACRO26 0x2a9
-+#define KEY_MACRO27 0x2aa
-+#define KEY_MACRO28 0x2ab
-+#define KEY_MACRO29 0x2ac
-+#define KEY_MACRO30 0x2ad
-+
-+/*
-+ * Some keyboards with the macro-keys described above have some extra keys
-+ * for controlling the host-side software responsible for the macro handling:
-+ * -A macro recording start/stop key. Note that not all keyboards which emit
-+ * KEY_MACRO_RECORD_START will also emit KEY_MACRO_RECORD_STOP if
-+ * KEY_MACRO_RECORD_STOP is not advertised, then KEY_MACRO_RECORD_START
-+ * should be interpreted as a recording start/stop toggle;
-+ * -Keys for switching between different macro (pre)sets, either a key for
-+ * cycling through the configured presets or keys to directly select a preset.
-+ */
-+#define KEY_MACRO_RECORD_START 0x2b0
-+#define KEY_MACRO_RECORD_STOP 0x2b1
-+#define KEY_MACRO_PRESET_CYCLE 0x2b2
-+#define KEY_MACRO_PRESET1 0x2b3
-+#define KEY_MACRO_PRESET2 0x2b4
-+#define KEY_MACRO_PRESET3 0x2b5
-+
-+/*
-+ * Some keyboards have a buildin LCD panel where the contents are controlled
-+ * by the host. Often these have a number of keys directly below the LCD
-+ * intended for controlling a menu shown on the LCD. These keys often don't
-+ * have any labeling so we just name them KEY_KBD_LCD_MENU#
-+ */
-+#define KEY_KBD_LCD_MENU1 0x2b8
-+#define KEY_KBD_LCD_MENU2 0x2b9
-+#define KEY_KBD_LCD_MENU3 0x2ba
-+#define KEY_KBD_LCD_MENU4 0x2bb
-+#define KEY_KBD_LCD_MENU5 0x2bc
-
- #define BTN_TRIGGER_HAPPY 0x2c0
- #define BTN_TRIGGER_HAPPY1 0x2c0
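Review bot: the comment above KEY_MACRO_RECORD_START runs two sentences together at "will also emit KEY_MACRO_RECORD_STOP if KEY_MACRO_RECORD_STOP is not advertised, then ..."; a full stop or semicolon after the first KEY_MACRO_RECORD_STOP is needed for the toggle rule to read unambiguously. "buildin" in the LCD panel comment should be "built-in". The gaps 0x2ae-0x2af and 0x2b6-0x2b7 between the new groups carry no note on whether they are reserved for further KEY_MACRO# and preset codes.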
-diff --git a/include/standard-headers/linux/pci_regs.h b/include/standard-headers/linux/pci_regs.h
-index 29d6e93fd15e3616f5969d0dc0db..acb7d2bdb419a49f2e6ed999f9ff 100644
---- a/include/standard-headers/linux/pci_regs.h
-+++ b/include/standard-headers/linux/pci_regs.h
-@@ -34,6 +34,7 @@
- * of which the first 64 bytes are standardized as follows:
- */
- #define PCI_STD_HEADER_SIZEOF 64
-+#define PCI_STD_NUM_BARS 6 /* Number of standard BARs */
- #define PCI_VENDOR_ID 0x00 /* 16 bits */
- #define PCI_DEVICE_ID 0x02 /* 16 bits */
- #define PCI_COMMAND 0x04 /* 16 bits */
-@@ -673,6 +674,8 @@
- #define PCI_EXP_LNKCTL2_TLS_8_0GT 0x0003 /* Supported Speed 8GT/s */
- #define PCI_EXP_LNKCTL2_TLS_16_0GT 0x0004 /* Supported Speed 16GT/s */
- #define PCI_EXP_LNKCTL2_TLS_32_0GT 0x0005 /* Supported Speed 32GT/s */
-+#define PCI_EXP_LNKCTL2_ENTER_COMP 0x0010 /* Enter Compliance */
-+#define PCI_EXP_LNKCTL2_TX_MARGIN 0x0380 /* Transmit Margin */
- #define PCI_EXP_LNKSTA2 50 /* Link Status 2 */
- #define PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 52 /* v2 endpoints with link end here */
- #define PCI_EXP_SLTCAP2 52 /* Slot Capabilities 2 */
-diff --git a/include/standard-headers/rdma/vmw_pvrdma-abi.h b/include/standard-headers/rdma/vmw_pvrdma-abi.h
-index 336a8d596f2425479fd799d9d943..0989426a3f5288aab81693e5747e 100644
---- a/include/standard-headers/rdma/vmw_pvrdma-abi.h
-+++ b/include/standard-headers/rdma/vmw_pvrdma-abi.h
-@@ -179,6 +179,11 @@ struct pvrdma_create_qp {
- uint64_t __attribute__((aligned(8))) qp_addr;
- };
-
-+struct pvrdma_create_qp_resp {
-+ uint32_t qpn;
-+ uint32_t qp_handle;
-+};
-+
- /* PVRDMA masked atomic compare and swap */
- struct pvrdma_ex_cmp_swap {
- uint64_t __attribute__((aligned(8))) swap_val;
-diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
-index 3b27a1ae85cc144fd92ecd0e2352..9d647fad7648ede158cd9605270e 100644
---- a/linux-headers/linux/kvm.h
-+++ b/linux-headers/linux/kvm.h
-@@ -1348,6 +1348,7 @@ struct kvm_s390_ucas_mapping {
- #define KVM_PPC_GET_CPU_CHAR _IOR(KVMIO, 0xb1, struct kvm_ppc_cpu_char)
- /* Available with KVM_CAP_PMU_EVENT_FILTER */
- #define KVM_SET_PMU_EVENT_FILTER _IOW(KVMIO, 0xb2, struct kvm_pmu_event_filter)
-+#define KVM_PPC_SVM_OFF _IO(KVMIO, 0xb3)
-
- /* ioctl for vm fd */
- #define KVM_CREATE_DEVICE _IOWR(KVMIO, 0xe0, struct kvm_create_device)
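Review bot: KVM_PPC_SVM_OFF is added directly under the "Available with KVM_CAP_PMU_EVENT_FILTER" comment with no comment of its own, so it reads as if it were gated by that capability. A separate comment naming what the ioctl depends on, or at least a blank line separating it from KVM_SET_PMU_EVENT_FILTER, would avoid the misreading.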
+++ /dev/null
-From: Jason Wang <jasowang@redhat.com>
-Date: Mon, 7 Sep 2020 18:49:01 +0800
-Subject: linux headers: sync to 5.9-rc4
-
-Git-commit: e6546342a830e520d14ef03aa95677611de0d90c
-References: bsc#1179719
-
-Update against Linux 5.9-rc4.
-
-Cc: Cornelia Huck <cohuck@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Message-Id: <20200907104903.31551-2-jasowang@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- include/standard-headers/drm/drm_fourcc.h | 140 ++++++++++++++++++
- include/standard-headers/linux/ethtool.h | 87 +++++++++++
- .../linux/input-event-codes.h | 3 +-
- include/standard-headers/linux/vhost_types.h | 11 ++
- include/standard-headers/linux/virtio_9p.h | 4 +-
- include/standard-headers/linux/virtio_blk.h | 26 ++--
- .../standard-headers/linux/virtio_config.h | 8 +-
- .../standard-headers/linux/virtio_console.h | 8 +-
- include/standard-headers/linux/virtio_net.h | 6 +-
- include/standard-headers/linux/virtio_scsi.h | 20 +--
- linux-headers/asm-generic/unistd.h | 6 +-
- linux-headers/asm-mips/unistd_n32.h | 1 +
- linux-headers/asm-mips/unistd_n64.h | 1 +
- linux-headers/asm-mips/unistd_o32.h | 1 +
- linux-headers/asm-powerpc/kvm.h | 5 +
- linux-headers/asm-powerpc/unistd_32.h | 1 +
- linux-headers/asm-powerpc/unistd_64.h | 1 +
- linux-headers/asm-s390/kvm.h | 7 +-
- linux-headers/asm-s390/unistd_32.h | 1 +
- linux-headers/asm-s390/unistd_64.h | 1 +
- linux-headers/asm-x86/unistd_32.h | 1 +
- linux-headers/asm-x86/unistd_64.h | 1 +
- linux-headers/asm-x86/unistd_x32.h | 1 +
- linux-headers/linux/kvm.h | 4 +
- linux-headers/linux/vfio.h | 2 +-
- linux-headers/linux/vhost.h | 2 +
- 26 files changed, 308 insertions(+), 41 deletions(-)
-
-diff --git a/include/standard-headers/drm/drm_fourcc.h b/include/standard-headers/drm/drm_fourcc.h
-index 909a66753c03cdfca573f1fae6a2..0de1a552cab235c00ff21de583f0 100644
---- a/include/standard-headers/drm/drm_fourcc.h
-+++ b/include/standard-headers/drm/drm_fourcc.h
-@@ -235,6 +235,12 @@ extern "C" {
- #define DRM_FORMAT_NV61 fourcc_code('N', 'V', '6', '1') /* 2x1 subsampled Cb:Cr plane */
- #define DRM_FORMAT_NV24 fourcc_code('N', 'V', '2', '4') /* non-subsampled Cr:Cb plane */
- #define DRM_FORMAT_NV42 fourcc_code('N', 'V', '4', '2') /* non-subsampled Cb:Cr plane */
-+/*
-+ * 2 plane YCbCr
-+ * index 0 = Y plane, [39:0] Y3:Y2:Y1:Y0 little endian
-+ * index 1 = Cr:Cb plane, [39:0] Cr1:Cb1:Cr0:Cb0 little endian
-+ */
-+#define DRM_FORMAT_NV15 fourcc_code('N', 'V', '1', '5') /* 2x2 subsampled Cr:Cb plane */
-
- /*
- * 2 plane YCbCr MSB aligned
-@@ -264,6 +270,22 @@ extern "C" {
- */
- #define DRM_FORMAT_P016 fourcc_code('P', '0', '1', '6') /* 2x2 subsampled Cr:Cb plane 16 bits per channel */
-
-+/* 3 plane non-subsampled (444) YCbCr
-+ * 16 bits per component, but only 10 bits are used and 6 bits are padded
-+ * index 0: Y plane, [15:0] Y:x [10:6] little endian
-+ * index 1: Cb plane, [15:0] Cb:x [10:6] little endian
-+ * index 2: Cr plane, [15:0] Cr:x [10:6] little endian
-+ */
-+#define DRM_FORMAT_Q410 fourcc_code('Q', '4', '1', '0')
-+
-+/* 3 plane non-subsampled (444) YCrCb
-+ * 16 bits per component, but only 10 bits are used and 6 bits are padded
-+ * index 0: Y plane, [15:0] Y:x [10:6] little endian
-+ * index 1: Cr plane, [15:0] Cr:x [10:6] little endian
-+ * index 2: Cb plane, [15:0] Cb:x [10:6] little endian
-+ */
-+#define DRM_FORMAT_Q401 fourcc_code('Q', '4', '0', '1')
-+
- /*
- * 3 plane YCbCr
- * index 0: Y plane, [7:0] Y
-@@ -308,6 +330,7 @@ extern "C" {
- #define DRM_FORMAT_MOD_VENDOR_BROADCOM 0x07
- #define DRM_FORMAT_MOD_VENDOR_ARM 0x08
- #define DRM_FORMAT_MOD_VENDOR_ALLWINNER 0x09
-+#define DRM_FORMAT_MOD_VENDOR_AMLOGIC 0x0a
-
- /* add more to the end as needed */
-
-@@ -322,8 +345,33 @@ extern "C" {
- * When adding a new token please document the layout with a code comment,
- * similar to the fourcc codes above. drm_fourcc.h is considered the
- * authoritative source for all of these.
-+ *
-+ * Generic modifier names:
-+ *
-+ * DRM_FORMAT_MOD_GENERIC_* definitions are used to provide vendor-neutral names
-+ * for layouts which are common across multiple vendors. To preserve
-+ * compatibility, in cases where a vendor-specific definition already exists and
-+ * a generic name for it is desired, the common name is a purely symbolic alias
-+ * and must use the same numerical value as the original definition.
-+ *
-+ * Note that generic names should only be used for modifiers which describe
-+ * generic layouts (such as pixel re-ordering), which may have
-+ * independently-developed support across multiple vendors.
-+ *
-+ * In future cases where a generic layout is identified before merging with a
-+ * vendor-specific modifier, a new 'GENERIC' vendor or modifier using vendor
-+ * 'NONE' could be considered. This should only be for obvious, exceptional
-+ * cases to avoid polluting the 'GENERIC' namespace with modifiers which only
-+ * apply to a single vendor.
-+ *
-+ * Generic names should not be used for cases where multiple hardware vendors
-+ * have implementations of the same standardised compression scheme (such as
-+ * AFBC). In those cases, all implementations should use the same format
-+ * modifier(s), reflecting the vendor of the standard.
- */
-
-+#define DRM_FORMAT_MOD_GENERIC_16_16_TILE DRM_FORMAT_MOD_SAMSUNG_16_16_TILE
-+
- /*
- * Invalid Modifier
- *
-@@ -891,6 +939,18 @@ drm_fourcc_canonicalize_nvidia_format_mod(uint64_t modifier)
- */
- #define AFBC_FORMAT_MOD_BCH (1ULL << 11)
-
-+/* AFBC uncompressed storage mode
-+ *
-+ * Indicates that the buffer is using AFBC uncompressed storage mode.
-+ * In this mode all superblock payloads in the buffer use the uncompressed
-+ * storage mode, which is usually only used for data which cannot be compressed.
-+ * The buffer layout is the same as for AFBC buffers without USM set, this only
-+ * affects the storage mode of the individual superblocks. Note that even a
-+ * buffer without USM set may use uncompressed storage mode for some or all
-+ * superblocks, USM just guarantees it for all.
-+ */
-+#define AFBC_FORMAT_MOD_USM (1ULL << 12)
-+
- /*
- * Arm 16x16 Block U-Interleaved modifier
- *
-@@ -915,6 +975,86 @@ drm_fourcc_canonicalize_nvidia_format_mod(uint64_t modifier)
- */
- #define DRM_FORMAT_MOD_ALLWINNER_TILED fourcc_mod_code(ALLWINNER, 1)
-
-+/*
-+ * Amlogic Video Framebuffer Compression modifiers
-+ *
-+ * Amlogic uses a proprietary lossless image compression protocol and format
-+ * for their hardware video codec accelerators, either video decoders or
-+ * video input encoders.
-+ *
-+ * It considerably reduces memory bandwidth while writing and reading
-+ * frames in memory.
-+ *
-+ * The underlying storage is considered to be 3 components, 8bit or 10-bit
-+ * per component YCbCr 420, single plane :
-+ * - DRM_FORMAT_YUV420_8BIT
-+ * - DRM_FORMAT_YUV420_10BIT
-+ *
-+ * The first 8 bits of the mode defines the layout, then the following 8 bits
-+ * defines the options changing the layout.
-+ *
-+ * Not all combinations are valid, and different SoCs may support different
-+ * combinations of layout and options.
-+ */
-+#define __fourcc_mod_amlogic_layout_mask 0xf
-+#define __fourcc_mod_amlogic_options_shift 8
-+#define __fourcc_mod_amlogic_options_mask 0xf
-+
-+#define DRM_FORMAT_MOD_AMLOGIC_FBC(__layout, __options) \
-+ fourcc_mod_code(AMLOGIC, \
-+ ((__layout) & __fourcc_mod_amlogic_layout_mask) | \
-+ (((__options) & __fourcc_mod_amlogic_options_mask) \
-+ << __fourcc_mod_amlogic_options_shift))
-+
-+/* Amlogic FBC Layouts */
-+
-+/*
-+ * Amlogic FBC Basic Layout
-+ *
-+ * The basic layout is composed of:
-+ * - a body content organized in 64x32 superblocks with 4096 bytes per
-+ * superblock in default mode.
-+ * - a 32 bytes per 128x64 header block
-+ *
-+ * This layout is transferrable between Amlogic SoCs supporting this modifier.
-+ */
-+#define AMLOGIC_FBC_LAYOUT_BASIC (1ULL)
-+
-+/*
-+ * Amlogic FBC Scatter Memory layout
-+ *
-+ * Indicates the header contains IOMMU references to the compressed
-+ * frames content to optimize memory access and layout.
-+ *
-+ * In this mode, only the header memory address is needed, thus the
-+ * content memory organization is tied to the current producer
-+ * execution and cannot be saved/dumped neither transferrable between
-+ * Amlogic SoCs supporting this modifier.
-+ *
-+ * Due to the nature of the layout, these buffers are not expected to
-+ * be accessible by the user-space clients, but only accessible by the
-+ * hardware producers and consumers.
-+ *
-+ * The user-space clients should expect a failure while trying to mmap
-+ * the DMA-BUF handle returned by the producer.
-+ */
-+#define AMLOGIC_FBC_LAYOUT_SCATTER (2ULL)
-+
-+/* Amlogic FBC Layout Options Bit Mask */
-+
-+/*
-+ * Amlogic FBC Memory Saving mode
-+ *
-+ * Indicates the storage is packed when pixel size is multiple of word
-+ * boudaries, i.e. 8bit should be stored in this mode to save allocation
-+ * memory.
-+ *
-+ * This mode reduces body layout to 3072 bytes per 64x32 superblock with
-+ * the basic layout and 3200 bytes per 64x32 superblock combined with
-+ * the scatter layout.
-+ */
-+#define AMLOGIC_FBC_OPTION_MEM_SAVING (1ULL << 0)
-+
- #if defined(__cplusplus)
- }
- #endif
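Review bot: the Amlogic FBC comment says the first 8 bits of the mode define the layout and the following 8 bits the options, but __fourcc_mod_amlogic_layout_mask and __fourcc_mod_amlogic_options_mask are both 0xf, so DRM_FORMAT_MOD_AMLOGIC_FBC keeps only 4 bits of each and silently drops any higher layout or option bit. Either the masks should be 0xff or the comment should say 4 bits. Typos in the same block: "boudaries" should be "boundaries", and "cannot be saved/dumped neither transferrable" should read "can neither be saved/dumped nor transferred".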
-diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h
-index fd8d2cccfe89cb193d91439a62f5..e13eff44882d69a8bb191d129f9e 100644
---- a/include/standard-headers/linux/ethtool.h
-+++ b/include/standard-headers/linux/ethtool.h
-@@ -579,6 +579,76 @@ struct ethtool_pauseparam {
- uint32_t tx_pause;
- };
-
-+/**
-+ * enum ethtool_link_ext_state - link extended state
-+ */
-+enum ethtool_link_ext_state {
-+ ETHTOOL_LINK_EXT_STATE_AUTONEG,
-+ ETHTOOL_LINK_EXT_STATE_LINK_TRAINING_FAILURE,
-+ ETHTOOL_LINK_EXT_STATE_LINK_LOGICAL_MISMATCH,
-+ ETHTOOL_LINK_EXT_STATE_BAD_SIGNAL_INTEGRITY,
-+ ETHTOOL_LINK_EXT_STATE_NO_CABLE,
-+ ETHTOOL_LINK_EXT_STATE_CABLE_ISSUE,
-+ ETHTOOL_LINK_EXT_STATE_EEPROM_ISSUE,
-+ ETHTOOL_LINK_EXT_STATE_CALIBRATION_FAILURE,
-+ ETHTOOL_LINK_EXT_STATE_POWER_BUDGET_EXCEEDED,
-+ ETHTOOL_LINK_EXT_STATE_OVERHEAT,
-+};
-+
-+/**
-+ * enum ethtool_link_ext_substate_autoneg - more information in addition to
-+ * ETHTOOL_LINK_EXT_STATE_AUTONEG.
-+ */
-+enum ethtool_link_ext_substate_autoneg {
-+ ETHTOOL_LINK_EXT_SUBSTATE_AN_NO_PARTNER_DETECTED = 1,
-+ ETHTOOL_LINK_EXT_SUBSTATE_AN_ACK_NOT_RECEIVED,
-+ ETHTOOL_LINK_EXT_SUBSTATE_AN_NEXT_PAGE_EXCHANGE_FAILED,
-+ ETHTOOL_LINK_EXT_SUBSTATE_AN_NO_PARTNER_DETECTED_FORCE_MODE,
-+ ETHTOOL_LINK_EXT_SUBSTATE_AN_FEC_MISMATCH_DURING_OVERRIDE,
-+ ETHTOOL_LINK_EXT_SUBSTATE_AN_NO_HCD,
-+};
-+
-+/**
-+ * enum ethtool_link_ext_substate_link_training - more information in addition to
-+ * ETHTOOL_LINK_EXT_STATE_LINK_TRAINING_FAILURE.
-+ */
-+enum ethtool_link_ext_substate_link_training {
-+ ETHTOOL_LINK_EXT_SUBSTATE_LT_KR_FRAME_LOCK_NOT_ACQUIRED = 1,
-+ ETHTOOL_LINK_EXT_SUBSTATE_LT_KR_LINK_INHIBIT_TIMEOUT,
-+ ETHTOOL_LINK_EXT_SUBSTATE_LT_KR_LINK_PARTNER_DID_NOT_SET_RECEIVER_READY,
-+ ETHTOOL_LINK_EXT_SUBSTATE_LT_REMOTE_FAULT,
-+};
-+
-+/**
-+ * enum ethtool_link_ext_substate_logical_mismatch - more information in addition
-+ * to ETHTOOL_LINK_EXT_STATE_LINK_LOGICAL_MISMATCH.
-+ */
-+enum ethtool_link_ext_substate_link_logical_mismatch {
-+ ETHTOOL_LINK_EXT_SUBSTATE_LLM_PCS_DID_NOT_ACQUIRE_BLOCK_LOCK = 1,
-+ ETHTOOL_LINK_EXT_SUBSTATE_LLM_PCS_DID_NOT_ACQUIRE_AM_LOCK,
-+ ETHTOOL_LINK_EXT_SUBSTATE_LLM_PCS_DID_NOT_GET_ALIGN_STATUS,
-+ ETHTOOL_LINK_EXT_SUBSTATE_LLM_FC_FEC_IS_NOT_LOCKED,
-+ ETHTOOL_LINK_EXT_SUBSTATE_LLM_RS_FEC_IS_NOT_LOCKED,
-+};
-+
-+/**
-+ * enum ethtool_link_ext_substate_bad_signal_integrity - more information in
-+ * addition to ETHTOOL_LINK_EXT_STATE_BAD_SIGNAL_INTEGRITY.
-+ */
-+enum ethtool_link_ext_substate_bad_signal_integrity {
-+ ETHTOOL_LINK_EXT_SUBSTATE_BSI_LARGE_NUMBER_OF_PHYSICAL_ERRORS = 1,
-+ ETHTOOL_LINK_EXT_SUBSTATE_BSI_UNSUPPORTED_RATE,
-+};
-+
-+/**
-+ * enum ethtool_link_ext_substate_cable_issue - more information in
-+ * addition to ETHTOOL_LINK_EXT_STATE_CABLE_ISSUE.
-+ */
-+enum ethtool_link_ext_substate_cable_issue {
-+ ETHTOOL_LINK_EXT_SUBSTATE_CI_UNSUPPORTED_CABLE = 1,
-+ ETHTOOL_LINK_EXT_SUBSTATE_CI_CABLE_TEST_FAILURE,
-+};
-+
- #define ETH_GSTRING_LEN 32
-
- /**
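Review bot: the kernel-doc header "enum ethtool_link_ext_substate_logical_mismatch" does not match the type it documents, which is declared as enum ethtool_link_ext_substate_link_logical_mismatch; one of the two names needs to change for the documentation to attach to the enum. The enumerators of ethtool_link_ext_state are also left undocumented, and the substate enums start at 1 without a note on what 0 means.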
-@@ -599,6 +669,7 @@ struct ethtool_pauseparam {
- * @ETH_SS_SOF_TIMESTAMPING: SOF_TIMESTAMPING_* flags
- * @ETH_SS_TS_TX_TYPES: timestamping Tx types
- * @ETH_SS_TS_RX_FILTERS: timestamping Rx filters
-+ * @ETH_SS_UDP_TUNNEL_TYPES: UDP tunnel types
- */
- enum ethtool_stringset {
- ETH_SS_TEST = 0,
-@@ -616,6 +687,7 @@ enum ethtool_stringset {
- ETH_SS_SOF_TIMESTAMPING,
- ETH_SS_TS_TX_TYPES,
- ETH_SS_TS_RX_FILTERS,
-+ ETH_SS_UDP_TUNNEL_TYPES,
-
- /* add new constants above here */
- ETH_SS_COUNT
-@@ -1530,6 +1602,21 @@ enum ethtool_link_mode_bit_indices {
- ETHTOOL_LINK_MODE_400000baseDR8_Full_BIT = 72,
- ETHTOOL_LINK_MODE_400000baseCR8_Full_BIT = 73,
- ETHTOOL_LINK_MODE_FEC_LLRS_BIT = 74,
-+ ETHTOOL_LINK_MODE_100000baseKR_Full_BIT = 75,
-+ ETHTOOL_LINK_MODE_100000baseSR_Full_BIT = 76,
-+ ETHTOOL_LINK_MODE_100000baseLR_ER_FR_Full_BIT = 77,
-+ ETHTOOL_LINK_MODE_100000baseCR_Full_BIT = 78,
-+ ETHTOOL_LINK_MODE_100000baseDR_Full_BIT = 79,
-+ ETHTOOL_LINK_MODE_200000baseKR2_Full_BIT = 80,
-+ ETHTOOL_LINK_MODE_200000baseSR2_Full_BIT = 81,
-+ ETHTOOL_LINK_MODE_200000baseLR2_ER2_FR2_Full_BIT = 82,
-+ ETHTOOL_LINK_MODE_200000baseDR2_Full_BIT = 83,
-+ ETHTOOL_LINK_MODE_200000baseCR2_Full_BIT = 84,
-+ ETHTOOL_LINK_MODE_400000baseKR4_Full_BIT = 85,
-+ ETHTOOL_LINK_MODE_400000baseSR4_Full_BIT = 86,
-+ ETHTOOL_LINK_MODE_400000baseLR4_ER4_FR4_Full_BIT = 87,
-+ ETHTOOL_LINK_MODE_400000baseDR4_Full_BIT = 88,
-+ ETHTOOL_LINK_MODE_400000baseCR4_Full_BIT = 89,
- /* must be last entry */
- __ETHTOOL_LINK_MODE_MASK_NBITS
- };
-diff --git a/include/standard-headers/linux/input-event-codes.h b/include/standard-headers/linux/input-event-codes.h
-index ebf72c10317b48bb9dc151f20a5b..e740ad9f2e0171ff86ddcf07232d 100644
---- a/include/standard-headers/linux/input-event-codes.h
-+++ b/include/standard-headers/linux/input-event-codes.h
-@@ -888,7 +888,8 @@
- #define SW_LINEIN_INSERT 0x0d /* set = inserted */
- #define SW_MUTE_DEVICE 0x0e /* set = device disabled */
- #define SW_PEN_INSERTED 0x0f /* set = pen inserted */
--#define SW_MAX_ 0x0f
-+#define SW_MACHINE_COVER 0x10 /* set = cover closed */
-+#define SW_MAX_ 0x10
- #define SW_CNT (SW_MAX_+1)
-
- /*
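Review bot: raising SW_MAX_ to 0x10 makes SW_CNT 17, which is the first value that no longer fits a 16-bit switch bitmap. Any consumer that sizes or serialises switch state from SW_CNT or assumes 16 switches should be checked as part of this sync.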
-diff --git a/include/standard-headers/linux/vhost_types.h b/include/standard-headers/linux/vhost_types.h
-index a678d8fbaa92717b2a60329796f6..486630b33287408183ce932564ad 100644
---- a/include/standard-headers/linux/vhost_types.h
-+++ b/include/standard-headers/linux/vhost_types.h
-@@ -60,6 +60,17 @@ struct vhost_iotlb_msg {
- #define VHOST_IOTLB_UPDATE 2
- #define VHOST_IOTLB_INVALIDATE 3
- #define VHOST_IOTLB_ACCESS_FAIL 4
-+/*
-+ * VHOST_IOTLB_BATCH_BEGIN and VHOST_IOTLB_BATCH_END allow modifying
-+ * multiple mappings in one go: beginning with
-+ * VHOST_IOTLB_BATCH_BEGIN, followed by any number of
-+ * VHOST_IOTLB_UPDATE messages, and ending with VHOST_IOTLB_BATCH_END.
-+ * When one of these two values is used as the message type, the rest
-+ * of the fields in the message are ignored. There's no guarantee that
-+ * these changes take place automatically in the device.
-+ */
-+#define VHOST_IOTLB_BATCH_BEGIN 5
-+#define VHOST_IOTLB_BATCH_END 6
- uint8_t type;
- };
-
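Review bot: the last sentence of the new comment, "There's no guarantee that these changes take place automatically in the device", looks like it means "atomically"; as written it is hard to tell what guarantee is being disclaimed. Because the comment also says the remaining fields are ignored for VHOST_IOTLB_BATCH_BEGIN and VHOST_IOTLB_BATCH_END, it would help to state that handlers must not interpret those fields for these two types.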
-diff --git a/include/standard-headers/linux/virtio_9p.h b/include/standard-headers/linux/virtio_9p.h
-index e68f71dbe6f43942f70bbf0e26a5..f5604fc5fb15acc1eef28cdbf58e 100644
---- a/include/standard-headers/linux/virtio_9p.h
-+++ b/include/standard-headers/linux/virtio_9p.h
-@@ -25,7 +25,7 @@
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE. */
--#include "standard-headers/linux/types.h"
-+#include "standard-headers/linux/virtio_types.h"
- #include "standard-headers/linux/virtio_ids.h"
- #include "standard-headers/linux/virtio_config.h"
-
-@@ -36,7 +36,7 @@
-
- struct virtio_9p_config {
- /* length of the tag name */
-- uint16_t tag_len;
-+ __virtio16 tag_len;
- /* non-NULL terminated tag name */
- uint8_t tag[0];
- } QEMU_PACKED;
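Review bot: with tag_len retyped to __virtio16 in struct virtio_9p_config, every reader has to convert it from device endianness before using it as the length of tag[], which the comment describes as not NUL-terminated. Worth confirming that no user of this header still treats tag_len as a host-order uint16_t when bounding a copy of the tag.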
-diff --git a/include/standard-headers/linux/virtio_blk.h b/include/standard-headers/linux/virtio_blk.h
-index 0229b0fbe42b68f2cb20a9a9c2c0..2dcc90826ae7d30ccc7169355b43 100644
---- a/include/standard-headers/linux/virtio_blk.h
-+++ b/include/standard-headers/linux/virtio_blk.h
-@@ -55,20 +55,20 @@
-
- struct virtio_blk_config {
- /* The capacity (in 512-byte sectors). */
-- uint64_t capacity;
-+ __virtio64 capacity;
- /* The maximum segment size (if VIRTIO_BLK_F_SIZE_MAX) */
-- uint32_t size_max;
-+ __virtio32 size_max;
- /* The maximum number of segments (if VIRTIO_BLK_F_SEG_MAX) */
-- uint32_t seg_max;
-+ __virtio32 seg_max;
- /* geometry of the device (if VIRTIO_BLK_F_GEOMETRY) */
- struct virtio_blk_geometry {
-- uint16_t cylinders;
-+ __virtio16 cylinders;
- uint8_t heads;
- uint8_t sectors;
- } geometry;
-
- /* block size of device (if VIRTIO_BLK_F_BLK_SIZE) */
-- uint32_t blk_size;
-+ __virtio32 blk_size;
-
- /* the next 4 entries are guarded by VIRTIO_BLK_F_TOPOLOGY */
- /* exponent for physical block per logical block. */
-@@ -76,42 +76,42 @@ struct virtio_blk_config {
- /* alignment offset in logical blocks. */
- uint8_t alignment_offset;
- /* minimum I/O size without performance penalty in logical blocks. */
-- uint16_t min_io_size;
-+ __virtio16 min_io_size;
- /* optimal sustained I/O size in logical blocks. */
-- uint32_t opt_io_size;
-+ __virtio32 opt_io_size;
-
- /* writeback mode (if VIRTIO_BLK_F_CONFIG_WCE) */
- uint8_t wce;
- uint8_t unused;
-
- /* number of vqs, only available when VIRTIO_BLK_F_MQ is set */
-- uint16_t num_queues;
-+ __virtio16 num_queues;
-
- /* the next 3 entries are guarded by VIRTIO_BLK_F_DISCARD */
- /*
- * The maximum discard sectors (in 512-byte sectors) for
- * one segment.
- */
-- uint32_t max_discard_sectors;
-+ __virtio32 max_discard_sectors;
- /*
- * The maximum number of discard segments in a
- * discard command.
- */
-- uint32_t max_discard_seg;
-+ __virtio32 max_discard_seg;
- /* Discard commands must be aligned to this number of sectors. */
-- uint32_t discard_sector_alignment;
-+ __virtio32 discard_sector_alignment;
-
- /* the next 3 entries are guarded by VIRTIO_BLK_F_WRITE_ZEROES */
- /*
- * The maximum number of write zeroes sectors (in 512-byte sectors) in
- * one segment.
- */
-- uint32_t max_write_zeroes_sectors;
-+ __virtio32 max_write_zeroes_sectors;
- /*
- * The maximum number of segments in a write zeroes
- * command.
- */
-- uint32_t max_write_zeroes_seg;
-+ __virtio32 max_write_zeroes_seg;
- /*
- * Set if a VIRTIO_BLK_T_WRITE_ZEROES request may result in the
- * deallocation of one or more of the sectors.
-diff --git a/include/standard-headers/linux/virtio_config.h b/include/standard-headers/linux/virtio_config.h
-index 9a69d9e2420b85d4e1cc5dd24303..22e3a85f6760920cb3d3b49d064a 100644
---- a/include/standard-headers/linux/virtio_config.h
-+++ b/include/standard-headers/linux/virtio_config.h
-@@ -67,13 +67,15 @@
- #define VIRTIO_F_VERSION_1 32
-
- /*
-- * If clear - device has the IOMMU bypass quirk feature.
-- * If set - use platform tools to detect the IOMMU.
-+ * If clear - device has the platform DMA (e.g. IOMMU) bypass quirk feature.
-+ * If set - use platform DMA tools to access the memory.
- *
- * Note the reverse polarity (compared to most other features),
- * this is for compatibility with legacy systems.
- */
--#define VIRTIO_F_IOMMU_PLATFORM 33
-+#define VIRTIO_F_ACCESS_PLATFORM 33
-+/* Legacy name for VIRTIO_F_ACCESS_PLATFORM (for compatibility with old userspace) */
-+#define VIRTIO_F_IOMMU_PLATFORM VIRTIO_F_ACCESS_PLATFORM
-
- /* This feature indicates support for the packed virtqueue layout. */
- #define VIRTIO_F_RING_PACKED 34
-diff --git a/include/standard-headers/linux/virtio_console.h b/include/standard-headers/linux/virtio_console.h
-index 0dedc9e6f5738a3924cd6ae52a9e..71f5f648e3ceac58b80c67d236fb 100644
---- a/include/standard-headers/linux/virtio_console.h
-+++ b/include/standard-headers/linux/virtio_console.h
-@@ -45,13 +45,13 @@
-
- struct virtio_console_config {
- /* colums of the screens */
-- uint16_t cols;
-+ __virtio16 cols;
- /* rows of the screens */
-- uint16_t rows;
-+ __virtio16 rows;
- /* max. number of ports this device can hold */
-- uint32_t max_nr_ports;
-+ __virtio32 max_nr_ports;
- /* emergency write register */
-- uint32_t emerg_wr;
-+ __virtio32 emerg_wr;
- } QEMU_PACKED;
-
- /*
-diff --git a/include/standard-headers/linux/virtio_net.h b/include/standard-headers/linux/virtio_net.h
-index a90f79e1b17a9228353eac109f55..e0a070518f39d2b4b227e1a38a28 100644
---- a/include/standard-headers/linux/virtio_net.h
-+++ b/include/standard-headers/linux/virtio_net.h
-@@ -87,14 +87,14 @@ struct virtio_net_config {
- /* The config defining mac address (if VIRTIO_NET_F_MAC) */
- uint8_t mac[ETH_ALEN];
- /* See VIRTIO_NET_F_STATUS and VIRTIO_NET_S_* above */
-- uint16_t status;
-+ __virtio16 status;
- /* Maximum number of each of transmit and receive queues;
- * see VIRTIO_NET_F_MQ and VIRTIO_NET_CTRL_MQ.
- * Legal values are between 1 and 0x8000
- */
-- uint16_t max_virtqueue_pairs;
-+ __virtio16 max_virtqueue_pairs;
- /* Default maximum transmit unit advice */
-- uint16_t mtu;
-+ __virtio16 mtu;
- /*
- * speed, in units of 1Mb. All values 0 to INT_MAX are legal.
- * Any other value stands for unknown.
-diff --git a/include/standard-headers/linux/virtio_scsi.h b/include/standard-headers/linux/virtio_scsi.h
-index ab66166b6a78c2be680b82bdffba..663f36cbb769efae4408478d9d6a 100644
---- a/include/standard-headers/linux/virtio_scsi.h
-+++ b/include/standard-headers/linux/virtio_scsi.h
-@@ -103,16 +103,16 @@ struct virtio_scsi_event {
- } QEMU_PACKED;
-
- struct virtio_scsi_config {
-- uint32_t num_queues;
-- uint32_t seg_max;
-- uint32_t max_sectors;
-- uint32_t cmd_per_lun;
-- uint32_t event_info_size;
-- uint32_t sense_size;
-- uint32_t cdb_size;
-- uint16_t max_channel;
-- uint16_t max_target;
-- uint32_t max_lun;
-+ __virtio32 num_queues;
-+ __virtio32 seg_max;
-+ __virtio32 max_sectors;
-+ __virtio32 cmd_per_lun;
-+ __virtio32 event_info_size;
-+ __virtio32 sense_size;
-+ __virtio32 cdb_size;
-+ __virtio16 max_channel;
-+ __virtio16 max_target;
-+ __virtio32 max_lun;
- } QEMU_PACKED;
-
- /* Feature Bits */
-diff --git a/linux-headers/asm-generic/unistd.h b/linux-headers/asm-generic/unistd.h
-index f4a01305d9a65c14fe46652970ec..995b36c2ea7d8a4edbff1e79e555 100644
---- a/linux-headers/asm-generic/unistd.h
-+++ b/linux-headers/asm-generic/unistd.h
-@@ -606,9 +606,9 @@ __SYSCALL(__NR_sendto, sys_sendto)
- #define __NR_recvfrom 207
- __SC_COMP(__NR_recvfrom, sys_recvfrom, compat_sys_recvfrom)
- #define __NR_setsockopt 208
--__SC_COMP(__NR_setsockopt, sys_setsockopt, compat_sys_setsockopt)
-+__SC_COMP(__NR_setsockopt, sys_setsockopt, sys_setsockopt)
- #define __NR_getsockopt 209
--__SC_COMP(__NR_getsockopt, sys_getsockopt, compat_sys_getsockopt)
-+__SC_COMP(__NR_getsockopt, sys_getsockopt, sys_getsockopt)
- #define __NR_shutdown 210
- __SYSCALL(__NR_shutdown, sys_shutdown)
- #define __NR_sendmsg 211
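Review bot: in the __NR_setsockopt and __NR_getsockopt entries __SC_COMP now receives the same handler for the native and compat slots (sys_setsockopt, sys_setsockopt), which makes the compat form redundant. Using __SYSCALL, as the neighbouring __NR_shutdown entry does, would express that there is no separate compat handler.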
-@@ -850,6 +850,8 @@ __SYSCALL(__NR_pidfd_open, sys_pidfd_open)
- #define __NR_clone3 435
- __SYSCALL(__NR_clone3, sys_clone3)
- #endif
-+#define __NR_close_range 436
-+__SYSCALL(__NR_close_range, sys_close_range)
-
- #define __NR_openat2 437
- __SYSCALL(__NR_openat2, sys_openat2)
-diff --git a/linux-headers/asm-mips/unistd_n32.h b/linux-headers/asm-mips/unistd_n32.h
-index 3b9eda7e7d8f7c7a2961192371f9..246fbb6a7885638679b536b78e66 100644
---- a/linux-headers/asm-mips/unistd_n32.h
-+++ b/linux-headers/asm-mips/unistd_n32.h
-@@ -365,6 +365,7 @@
- #define __NR_fspick (__NR_Linux + 433)
- #define __NR_pidfd_open (__NR_Linux + 434)
- #define __NR_clone3 (__NR_Linux + 435)
-+#define __NR_close_range (__NR_Linux + 436)
- #define __NR_openat2 (__NR_Linux + 437)
- #define __NR_pidfd_getfd (__NR_Linux + 438)
- #define __NR_faccessat2 (__NR_Linux + 439)
-diff --git a/linux-headers/asm-mips/unistd_n64.h b/linux-headers/asm-mips/unistd_n64.h
-index 9cdf9b6c60dfde0e7f8c6f09bb48..194d777dfd42582819f2d1e4342d 100644
---- a/linux-headers/asm-mips/unistd_n64.h
-+++ b/linux-headers/asm-mips/unistd_n64.h
-@@ -341,6 +341,7 @@
- #define __NR_fspick (__NR_Linux + 433)
- #define __NR_pidfd_open (__NR_Linux + 434)
- #define __NR_clone3 (__NR_Linux + 435)
-+#define __NR_close_range (__NR_Linux + 436)
- #define __NR_openat2 (__NR_Linux + 437)
- #define __NR_pidfd_getfd (__NR_Linux + 438)
- #define __NR_faccessat2 (__NR_Linux + 439)
-diff --git a/linux-headers/asm-mips/unistd_o32.h b/linux-headers/asm-mips/unistd_o32.h
-index e3e5e238f026edbecf3835d1d887..3e093dd9134dc84a82778ace3c4d 100644
---- a/linux-headers/asm-mips/unistd_o32.h
-+++ b/linux-headers/asm-mips/unistd_o32.h
-@@ -411,6 +411,7 @@
- #define __NR_fspick (__NR_Linux + 433)
- #define __NR_pidfd_open (__NR_Linux + 434)
- #define __NR_clone3 (__NR_Linux + 435)
-+#define __NR_close_range (__NR_Linux + 436)
- #define __NR_openat2 (__NR_Linux + 437)
- #define __NR_pidfd_getfd (__NR_Linux + 438)
- #define __NR_faccessat2 (__NR_Linux + 439)
-diff --git a/linux-headers/asm-powerpc/kvm.h b/linux-headers/asm-powerpc/kvm.h
-index 264e266a85bf6a99c5b27b47733a..c3af3f324c5ad14625baf14fa488 100644
---- a/linux-headers/asm-powerpc/kvm.h
-+++ b/linux-headers/asm-powerpc/kvm.h
-@@ -640,6 +640,11 @@ struct kvm_ppc_cpu_char {
- #define KVM_REG_PPC_ONLINE (KVM_REG_PPC | KVM_REG_SIZE_U32 | 0xbf)
- #define KVM_REG_PPC_PTCR (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0xc0)
-
-+/* POWER10 registers */
-+#define KVM_REG_PPC_MMCR3 (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0xc1)
-+#define KVM_REG_PPC_SIER2 (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0xc2)
-+#define KVM_REG_PPC_SIER3 (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0xc3)
-+
- /* Transactional Memory checkpointed state:
- * This is all GPRs, all VSX regs and a subset of SPRs
- */
-diff --git a/linux-headers/asm-powerpc/unistd_32.h b/linux-headers/asm-powerpc/unistd_32.h
-index 862edb7448c5160b0ded92f32ede..0db9481d49629bde4402afcb0c18 100644
---- a/linux-headers/asm-powerpc/unistd_32.h
-+++ b/linux-headers/asm-powerpc/unistd_32.h
-@@ -418,6 +418,7 @@
- #define __NR_fspick 433
- #define __NR_pidfd_open 434
- #define __NR_clone3 435
-+#define __NR_close_range 436
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
- #define __NR_faccessat2 439
-diff --git a/linux-headers/asm-powerpc/unistd_64.h b/linux-headers/asm-powerpc/unistd_64.h
-index f553224ce408b2a721321d1b30b5..9f74310988e1afca2bbe087ab83d 100644
---- a/linux-headers/asm-powerpc/unistd_64.h
-+++ b/linux-headers/asm-powerpc/unistd_64.h
-@@ -390,6 +390,7 @@
- #define __NR_fspick 433
- #define __NR_pidfd_open 434
- #define __NR_clone3 435
-+#define __NR_close_range 436
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
- #define __NR_faccessat2 439
-diff --git a/linux-headers/asm-s390/kvm.h b/linux-headers/asm-s390/kvm.h
-index 0138ccb0d892b4e3cc0d5e9c6a60..f053b8304a85ae57e3e8cdbf9f32 100644
---- a/linux-headers/asm-s390/kvm.h
-+++ b/linux-headers/asm-s390/kvm.h
-@@ -231,11 +231,13 @@ struct kvm_guest_debug_arch {
- #define KVM_SYNC_GSCB (1UL << 9)
- #define KVM_SYNC_BPBC (1UL << 10)
- #define KVM_SYNC_ETOKEN (1UL << 11)
-+#define KVM_SYNC_DIAG318 (1UL << 12)
-
- #define KVM_SYNC_S390_VALID_FIELDS \
- (KVM_SYNC_PREFIX | KVM_SYNC_GPRS | KVM_SYNC_ACRS | KVM_SYNC_CRS | \
- KVM_SYNC_ARCH0 | KVM_SYNC_PFAULT | KVM_SYNC_VRS | KVM_SYNC_RICCB | \
-- KVM_SYNC_FPRS | KVM_SYNC_GSCB | KVM_SYNC_BPBC | KVM_SYNC_ETOKEN)
-+ KVM_SYNC_FPRS | KVM_SYNC_GSCB | KVM_SYNC_BPBC | KVM_SYNC_ETOKEN | \
-+ KVM_SYNC_DIAG318)
-
- /* length and alignment of the sdnx as a power of two */
- #define SDNXC 8
-@@ -264,7 +266,8 @@ struct kvm_sync_regs {
- __u8 reserved2 : 7;
- __u8 padding1[51]; /* riccb needs to be 64byte aligned */
- __u8 riccb[64]; /* runtime instrumentation controls block */
-- __u8 padding2[192]; /* sdnx needs to be 256byte aligned */
-+ __u64 diag318; /* diagnose 0x318 info */
-+ __u8 padding2[184]; /* sdnx needs to be 256byte aligned */
- union {
- __u8 sdnx[SDNXL]; /* state description annex */
- struct {
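Review bot: nothing in this hunk checks that `sdnx` keeps its offset after the `kvm_sync_regs` change. The arithmetic works (the new 8-byte `diag318` plus `padding2[184]` equals the old `padding2[192]`), but only as long as `diag318` lands on an 8-byte boundary directly after `riccb[64]` with no implicit padding. The struct is shared with the kernel, so a build-time assertion in the s390 consumer on `offsetof(struct kvm_sync_regs, sdnx)` would catch a future sync that breaks the "256byte aligned" promise in the comment.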
-diff --git a/linux-headers/asm-s390/unistd_32.h b/linux-headers/asm-s390/unistd_32.h
-index e08233c0c37719a8a77caacf2f93..1803cd0c3ba638008c0463758951 100644
---- a/linux-headers/asm-s390/unistd_32.h
-+++ b/linux-headers/asm-s390/unistd_32.h
-@@ -408,6 +408,7 @@
- #define __NR_fspick 433
- #define __NR_pidfd_open 434
- #define __NR_clone3 435
-+#define __NR_close_range 436
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
- #define __NR_faccessat2 439
-diff --git a/linux-headers/asm-s390/unistd_64.h b/linux-headers/asm-s390/unistd_64.h
-index 560e19ae2bb4dc9dd734823016b1..228d5004e5a88127a30d1fae6fb8 100644
---- a/linux-headers/asm-s390/unistd_64.h
-+++ b/linux-headers/asm-s390/unistd_64.h
-@@ -356,6 +356,7 @@
- #define __NR_fspick 433
- #define __NR_pidfd_open 434
- #define __NR_clone3 435
-+#define __NR_close_range 436
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
- #define __NR_faccessat2 439
-diff --git a/linux-headers/asm-x86/unistd_32.h b/linux-headers/asm-x86/unistd_32.h
-index c727981d4a3aa8a3578ab777d0cc..356c12c2dbce1bf92f665c705a86 100644
---- a/linux-headers/asm-x86/unistd_32.h
-+++ b/linux-headers/asm-x86/unistd_32.h
-@@ -426,6 +426,7 @@
- #define __NR_fspick 433
- #define __NR_pidfd_open 434
- #define __NR_clone3 435
-+#define __NR_close_range 436
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
- #define __NR_faccessat2 439
-diff --git a/linux-headers/asm-x86/unistd_64.h b/linux-headers/asm-x86/unistd_64.h
-index 843fa6274584c57a8825c1d39f85..ef70e1c7c93fc9f64edcc1d551a1 100644
---- a/linux-headers/asm-x86/unistd_64.h
-+++ b/linux-headers/asm-x86/unistd_64.h
-@@ -348,6 +348,7 @@
- #define __NR_fspick 433
- #define __NR_pidfd_open 434
- #define __NR_clone3 435
-+#define __NR_close_range 436
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
- #define __NR_faccessat2 439
-diff --git a/linux-headers/asm-x86/unistd_x32.h b/linux-headers/asm-x86/unistd_x32.h
-index 7d63d703cab4227d9e631006852f..84ae8e9f5fca8679e279bdfbf5f3 100644
---- a/linux-headers/asm-x86/unistd_x32.h
-+++ b/linux-headers/asm-x86/unistd_x32.h
-@@ -301,6 +301,7 @@
- #define __NR_fspick (__X32_SYSCALL_BIT + 433)
- #define __NR_pidfd_open (__X32_SYSCALL_BIT + 434)
- #define __NR_clone3 (__X32_SYSCALL_BIT + 435)
-+#define __NR_close_range (__X32_SYSCALL_BIT + 436)
- #define __NR_openat2 (__X32_SYSCALL_BIT + 437)
- #define __NR_pidfd_getfd (__X32_SYSCALL_BIT + 438)
- #define __NR_faccessat2 (__X32_SYSCALL_BIT + 439)
-diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
-index 71f531771dd862c7f3cbd07ba376..a748353df27bd84f2feea885d3dd 100644
---- a/linux-headers/linux/kvm.h
-+++ b/linux-headers/linux/kvm.h
-@@ -289,6 +289,7 @@ struct kvm_run {
- /* KVM_EXIT_FAIL_ENTRY */
- struct {
- __u64 hardware_entry_failure_reason;
-+ __u32 cpu;
- } fail_entry;
- /* KVM_EXIT_EXCEPTION */
- struct {
-@@ -1025,6 +1026,9 @@ struct kvm_ppc_resize_hpt {
- #define KVM_CAP_PPC_SECURE_GUEST 181
- #define KVM_CAP_HALT_POLL 182
- #define KVM_CAP_ASYNC_PF_INT 183
-+#define KVM_CAP_LAST_CPU 184
-+#define KVM_CAP_SMALLER_MAXPHYADDR 185
-+#define KVM_CAP_S390_DIAG318 186
-
- #ifdef KVM_CAP_IRQ_ROUTING
-
-diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h
-index f09df262c4b52dfcef1d66ee0bdc..a90672494dc584fff35d3141e248 100644
---- a/linux-headers/linux/vfio.h
-+++ b/linux-headers/linux/vfio.h
-@@ -1030,7 +1030,7 @@ struct vfio_iommu_type1_info_cap_iova_range {
- * size in bytes that can be used by user applications when getting the dirty
- * bitmap.
- */
--#define VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION 1
-+#define VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION 2
-
- struct vfio_iommu_type1_info_cap_migration {
- struct vfio_info_cap_header header;
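Review bot: `VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION` is renumbered from 1 to 2 here, which is an ABI-visible change to a capability ID, not a new definition. Anything built against the old header would look for the migration capability under id 1 when walking the capability chain. Please confirm that every QEMU consumer uses the macro rather than a literal, and say in the commit message that the sync carries a value change.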
-diff --git a/linux-headers/linux/vhost.h b/linux-headers/linux/vhost.h
-index 0c2349612e776086a2ffd137d402..75232185324abb8bf16521b525ed 100644
---- a/linux-headers/linux/vhost.h
-+++ b/linux-headers/linux/vhost.h
-@@ -91,6 +91,8 @@
-
- /* Use message type V2 */
- #define VHOST_BACKEND_F_IOTLB_MSG_V2 0x1
-+/* IOTLB can accept batching hints */
-+#define VHOST_BACKEND_F_IOTLB_BATCH 0x2
-
- #define VHOST_SET_BACKEND_FEATURES _IOW(VHOST_VIRTIO, 0x25, __u64)
- #define VHOST_GET_BACKEND_FEATURES _IOR(VHOST_VIRTIO, 0x26, __u64)
+++ /dev/null
-From: Andrew Jones <drjones@redhat.com>
-Date: Thu, 1 Oct 2020 08:17:13 +0200
-Subject: linux headers: sync to 5.9-rc7
-
-Git-commit: 94c7fefcb456b0b26f04b30e6df54a0c872e862d
-References: bsc#1179719
-
-Update against Linux 5.9-rc7.
-
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Andrew Jones <drjones@redhat.com>
-Message-id: 20201001061718.101915-2-drjones@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- linux-headers/linux/kvm.h | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
-index a748353df27bd84f2feea885d3dd..d9860561985c537b70428a9fbfc0 100644
---- a/linux-headers/linux/kvm.h
-+++ b/linux-headers/linux/kvm.h
-@@ -785,9 +785,10 @@ struct kvm_ppc_resize_hpt {
- #define KVM_VM_PPC_HV 1
- #define KVM_VM_PPC_PR 2
-
--/* on MIPS, 0 forces trap & emulate, 1 forces VZ ASE */
--#define KVM_VM_MIPS_TE 0
-+/* on MIPS, 0 indicates auto, 1 forces VZ ASE, 2 forces trap & emulate */
-+#define KVM_VM_MIPS_AUTO 0
- #define KVM_VM_MIPS_VZ 1
-+#define KVM_VM_MIPS_TE 2
-
- #define KVM_S390_SIE_PAGE_OFFSET 1
-
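Review bot: the existing constant `KVM_VM_MIPS_TE` changes value from 0 to 2 in this hunk, and 0 now means `KVM_VM_MIPS_AUTO`, but the commit message only says "Update against Linux 5.9-rc7". Any caller that passes `KVM_VM_MIPS_TE` as the VM type will send a different number after this sync, and code that passes a literal 0 now requests auto-selection instead of trap & emulate. The MIPS KVM type selection in QEMU should be audited in the same series, and the semantic change deserves a sentence in the message.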
-@@ -1029,6 +1030,7 @@ struct kvm_ppc_resize_hpt {
- #define KVM_CAP_LAST_CPU 184
- #define KVM_CAP_SMALLER_MAXPHYADDR 185
- #define KVM_CAP_S390_DIAG318 186
-+#define KVM_CAP_STEAL_TIME 187
-
- #ifdef KVM_CAP_IRQ_ROUTING
-
+++ /dev/null
-From: Matthew Rosato <mjrosato@linux.ibm.com>
-Date: Mon, 26 Oct 2020 11:34:30 -0400
-Subject: linux-headers: update against 5.10-rc1
-
-Git-commit: 53ba2eee52bff5a746e96835539a1079f6bcadd1
-References: bsc#1179719
-
-commit 3650b228f83adda7e5ee532e2b90429c03f7b9ec
-
-Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
-[aw: drop pvrdma_ring.h changes to avoid revert of d73415a31547 ("qemu/atomic.h: rename atomic_ to qatomic_")]
-Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- .../infiniband/hw/vmw_pvrdma/pvrdma_verbs.h | 2 +-
- include/standard-headers/linux/ethtool.h | 2 +
- .../linux/input-event-codes.h | 4 +
- include/standard-headers/linux/pci_regs.h | 6 +-
- include/standard-headers/linux/virtio_fs.h | 3 +
- include/standard-headers/linux/virtio_gpu.h | 19 +++++
- include/standard-headers/linux/virtio_mmio.h | 11 +++
- include/standard-headers/linux/virtio_pci.h | 11 ++-
- linux-headers/asm-arm64/kvm.h | 25 ++++++
- linux-headers/asm-arm64/mman.h | 1 +
- linux-headers/asm-generic/hugetlb_encode.h | 1 +
- linux-headers/asm-generic/unistd.h | 18 ++---
- linux-headers/asm-mips/unistd_n32.h | 1 +
- linux-headers/asm-mips/unistd_n64.h | 1 +
- linux-headers/asm-mips/unistd_o32.h | 1 +
- linux-headers/asm-powerpc/unistd_32.h | 1 +
- linux-headers/asm-powerpc/unistd_64.h | 1 +
- linux-headers/asm-s390/unistd_32.h | 1 +
- linux-headers/asm-s390/unistd_64.h | 1 +
- linux-headers/asm-x86/kvm.h | 20 +++++
- linux-headers/asm-x86/unistd_32.h | 1 +
- linux-headers/asm-x86/unistd_64.h | 1 +
- linux-headers/asm-x86/unistd_x32.h | 1 +
- linux-headers/linux/kvm.h | 19 +++++
- linux-headers/linux/mman.h | 1 +
- linux-headers/linux/vfio.h | 29 ++++++-
- linux-headers/linux/vfio_zdev.h | 78 +++++++++++++++++++
- 27 files changed, 247 insertions(+), 13 deletions(-)
-
-diff --git a/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h b/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h
-index 1677208a411fa575d490de6cce15..0a8c7c9311994e3a9c3fabdabea1 100644
---- a/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h
-+++ b/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h
-@@ -176,7 +176,7 @@ struct pvrdma_port_attr {
- uint8_t subnet_timeout;
- uint8_t init_type_reply;
- uint8_t active_width;
-- uint8_t active_speed;
-+ uint16_t active_speed;
- uint8_t phys_state;
- uint8_t reserved[2];
- };
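Review bot: widening `active_speed` from `uint8_t` to `uint16_t` in `struct pvrdma_port_attr` moves `phys_state` and `reserved[2]`, while `reserved[2]` keeps its old size, so the struct layout and possibly its total size change. This structure describes device-visible state, so the pvrdma device code that fills or copies it needs to be checked against the new offsets. The bracketed note in the commit message covers the dropped `pvrdma_ring.h` changes but does not mention this layout change.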
-diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h
-index e13eff44882d69a8bb191d129f9e..0df22f7538e3227e9d2a07e5bca9 100644
---- a/include/standard-headers/linux/ethtool.h
-+++ b/include/standard-headers/linux/ethtool.h
-@@ -1617,6 +1617,8 @@ enum ethtool_link_mode_bit_indices {
- ETHTOOL_LINK_MODE_400000baseLR4_ER4_FR4_Full_BIT = 87,
- ETHTOOL_LINK_MODE_400000baseDR4_Full_BIT = 88,
- ETHTOOL_LINK_MODE_400000baseCR4_Full_BIT = 89,
-+ ETHTOOL_LINK_MODE_100baseFX_Half_BIT = 90,
-+ ETHTOOL_LINK_MODE_100baseFX_Full_BIT = 91,
- /* must be last entry */
- __ETHTOOL_LINK_MODE_MASK_NBITS
- };
-diff --git a/include/standard-headers/linux/input-event-codes.h b/include/standard-headers/linux/input-event-codes.h
-index e740ad9f2e0171ff86ddcf07232d..c403b9cb0d4ed62fb0aedd2c1e77 100644
---- a/include/standard-headers/linux/input-event-codes.h
-+++ b/include/standard-headers/linux/input-event-codes.h
-@@ -515,6 +515,9 @@
- #define KEY_10CHANNELSUP 0x1b8 /* 10 channels up (10+) */
- #define KEY_10CHANNELSDOWN 0x1b9 /* 10 channels down (10-) */
- #define KEY_IMAGES 0x1ba /* AL Image Browser */
-+#define KEY_NOTIFICATION_CENTER 0x1bc /* Show/hide the notification center */
-+#define KEY_PICKUP_PHONE 0x1bd /* Answer incoming call */
-+#define KEY_HANGUP_PHONE 0x1be /* Decline incoming call */
-
- #define KEY_DEL_EOL 0x1c0
- #define KEY_DEL_EOS 0x1c1
-@@ -542,6 +545,7 @@
- #define KEY_FN_F 0x1e2
- #define KEY_FN_S 0x1e3
- #define KEY_FN_B 0x1e4
-+#define KEY_FN_RIGHT_SHIFT 0x1e5
-
- #define KEY_BRL_DOT1 0x1f1
- #define KEY_BRL_DOT2 0x1f2
-diff --git a/include/standard-headers/linux/pci_regs.h b/include/standard-headers/linux/pci_regs.h
-index f9701410d3b52b7cfc549c50f08a..a95d55f9f25761ab78c8ef529dc4 100644
---- a/include/standard-headers/linux/pci_regs.h
-+++ b/include/standard-headers/linux/pci_regs.h
-@@ -76,6 +76,7 @@
- #define PCI_CACHE_LINE_SIZE 0x0c /* 8 bits */
- #define PCI_LATENCY_TIMER 0x0d /* 8 bits */
- #define PCI_HEADER_TYPE 0x0e /* 8 bits */
-+#define PCI_HEADER_TYPE_MASK 0x7f
- #define PCI_HEADER_TYPE_NORMAL 0
- #define PCI_HEADER_TYPE_BRIDGE 1
- #define PCI_HEADER_TYPE_CARDBUS 2
-@@ -246,7 +247,7 @@
- #define PCI_PM_CAP_PME_D0 0x0800 /* PME# from D0 */
- #define PCI_PM_CAP_PME_D1 0x1000 /* PME# from D1 */
- #define PCI_PM_CAP_PME_D2 0x2000 /* PME# from D2 */
--#define PCI_PM_CAP_PME_D3 0x4000 /* PME# from D3 (hot) */
-+#define PCI_PM_CAP_PME_D3hot 0x4000 /* PME# from D3 (hot) */
- #define PCI_PM_CAP_PME_D3cold 0x8000 /* PME# from D3 (cold) */
- #define PCI_PM_CAP_PME_SHIFT 11 /* Start of the PME Mask in PMC */
- #define PCI_PM_CTRL 4 /* PM control and status register */
-@@ -532,6 +533,8 @@
- #define PCI_EXP_LNKCAP_SLS_32_0GB 0x00000005 /* LNKCAP2 SLS Vector bit 4 */
- #define PCI_EXP_LNKCAP_MLW 0x000003f0 /* Maximum Link Width */
- #define PCI_EXP_LNKCAP_ASPMS 0x00000c00 /* ASPM Support */
-+#define PCI_EXP_LNKCAP_ASPM_L0S 0x00000400 /* ASPM L0s Support */
-+#define PCI_EXP_LNKCAP_ASPM_L1 0x00000800 /* ASPM L1 Support */
- #define PCI_EXP_LNKCAP_L0SEL 0x00007000 /* L0s Exit Latency */
- #define PCI_EXP_LNKCAP_L1EL 0x00038000 /* L1 Exit Latency */
- #define PCI_EXP_LNKCAP_CLKPM 0x00040000 /* Clock Power Management */
-@@ -1056,6 +1059,7 @@
- #define PCI_L1SS_CTL1_PCIPM_L1_1 0x00000002 /* PCI-PM L1.1 Enable */
- #define PCI_L1SS_CTL1_ASPM_L1_2 0x00000004 /* ASPM L1.2 Enable */
- #define PCI_L1SS_CTL1_ASPM_L1_1 0x00000008 /* ASPM L1.1 Enable */
-+#define PCI_L1SS_CTL1_L1_2_MASK 0x00000005
- #define PCI_L1SS_CTL1_L1SS_MASK 0x0000000f
- #define PCI_L1SS_CTL1_CM_RESTORE_TIME 0x0000ff00 /* Common_Mode_Restore_Time */
- #define PCI_L1SS_CTL1_LTR_L12_TH_VALUE 0x03ff0000 /* LTR_L1.2_THRESHOLD_Value */
-diff --git a/include/standard-headers/linux/virtio_fs.h b/include/standard-headers/linux/virtio_fs.h
-index 9d88817a6b665193d3cf0c5faf93..a32fe8a64c76ccdef5c1057e39c8 100644
---- a/include/standard-headers/linux/virtio_fs.h
-+++ b/include/standard-headers/linux/virtio_fs.h
-@@ -16,4 +16,7 @@ struct virtio_fs_config {
- uint32_t num_request_queues;
- } QEMU_PACKED;
-
-+/* For the id field in virtio_pci_shm_cap */
-+#define VIRTIO_FS_SHMCAP_ID_CACHE 0
-+
- #endif /* _LINUX_VIRTIO_FS_H */
-diff --git a/include/standard-headers/linux/virtio_gpu.h b/include/standard-headers/linux/virtio_gpu.h
-index b8fa15f0ace75d207a098e1fb9d6..4183cdc74b33fc510a83f3c47293 100644
---- a/include/standard-headers/linux/virtio_gpu.h
-+++ b/include/standard-headers/linux/virtio_gpu.h
-@@ -50,6 +50,10 @@
- * VIRTIO_GPU_CMD_GET_EDID
- */
- #define VIRTIO_GPU_F_EDID 1
-+/*
-+ * VIRTIO_GPU_CMD_RESOURCE_ASSIGN_UUID
-+ */
-+#define VIRTIO_GPU_F_RESOURCE_UUID 2
-
- enum virtio_gpu_ctrl_type {
- VIRTIO_GPU_UNDEFINED = 0,
-@@ -66,6 +70,7 @@ enum virtio_gpu_ctrl_type {
- VIRTIO_GPU_CMD_GET_CAPSET_INFO,
- VIRTIO_GPU_CMD_GET_CAPSET,
- VIRTIO_GPU_CMD_GET_EDID,
-+ VIRTIO_GPU_CMD_RESOURCE_ASSIGN_UUID,
-
- /* 3d commands */
- VIRTIO_GPU_CMD_CTX_CREATE = 0x0200,
-@@ -87,6 +92,7 @@ enum virtio_gpu_ctrl_type {
- VIRTIO_GPU_RESP_OK_CAPSET_INFO,
- VIRTIO_GPU_RESP_OK_CAPSET,
- VIRTIO_GPU_RESP_OK_EDID,
-+ VIRTIO_GPU_RESP_OK_RESOURCE_UUID,
-
- /* error responses */
- VIRTIO_GPU_RESP_ERR_UNSPEC = 0x1200,
-@@ -340,4 +346,17 @@ enum virtio_gpu_formats {
- VIRTIO_GPU_FORMAT_R8G8B8X8_UNORM = 134,
- };
-
-+/* VIRTIO_GPU_CMD_RESOURCE_ASSIGN_UUID */
-+struct virtio_gpu_resource_assign_uuid {
-+ struct virtio_gpu_ctrl_hdr hdr;
-+ uint32_t resource_id;
-+ uint32_t padding;
-+};
-+
-+/* VIRTIO_GPU_RESP_OK_RESOURCE_UUID */
-+struct virtio_gpu_resp_resource_uuid {
-+ struct virtio_gpu_ctrl_hdr hdr;
-+ uint8_t uuid[16];
-+};
-+
- #endif
-diff --git a/include/standard-headers/linux/virtio_mmio.h b/include/standard-headers/linux/virtio_mmio.h
-index c4b09689ab644719d1aa28fdb951..0650f91bea6c70f935764070d825 100644
---- a/include/standard-headers/linux/virtio_mmio.h
-+++ b/include/standard-headers/linux/virtio_mmio.h
-@@ -122,6 +122,17 @@
- #define VIRTIO_MMIO_QUEUE_USED_LOW 0x0a0
- #define VIRTIO_MMIO_QUEUE_USED_HIGH 0x0a4
-
-+/* Shared memory region id */
-+#define VIRTIO_MMIO_SHM_SEL 0x0ac
-+
-+/* Shared memory region length, 64 bits in two halves */
-+#define VIRTIO_MMIO_SHM_LEN_LOW 0x0b0
-+#define VIRTIO_MMIO_SHM_LEN_HIGH 0x0b4
-+
-+/* Shared memory region base address, 64 bits in two halves */
-+#define VIRTIO_MMIO_SHM_BASE_LOW 0x0b8
-+#define VIRTIO_MMIO_SHM_BASE_HIGH 0x0bc
-+
- /* Configuration atomicity value */
- #define VIRTIO_MMIO_CONFIG_GENERATION 0x0fc
-
-diff --git a/include/standard-headers/linux/virtio_pci.h b/include/standard-headers/linux/virtio_pci.h
-index 9262acd130c38b874eddf9254382..db7a8e2fcbf2639bdafa15d78693 100644
---- a/include/standard-headers/linux/virtio_pci.h
-+++ b/include/standard-headers/linux/virtio_pci.h
-@@ -113,6 +113,8 @@
- #define VIRTIO_PCI_CAP_DEVICE_CFG 4
- /* PCI configuration access */
- #define VIRTIO_PCI_CAP_PCI_CFG 5
-+/* Additional shared memory capability */
-+#define VIRTIO_PCI_CAP_SHARED_MEMORY_CFG 8
-
- /* This is the PCI capability header: */
- struct virtio_pci_cap {
-@@ -121,11 +123,18 @@ struct virtio_pci_cap {
- uint8_t cap_len; /* Generic PCI field: capability length */
- uint8_t cfg_type; /* Identifies the structure. */
- uint8_t bar; /* Where to find it. */
-- uint8_t padding[3]; /* Pad to full dword. */
-+ uint8_t id; /* Multiple capabilities of the same type */
-+ uint8_t padding[2]; /* Pad to full dword. */
- uint32_t offset; /* Offset within bar. */
- uint32_t length; /* Length of the structure, in bytes. */
- };
-
-+struct virtio_pci_cap64 {
-+ struct virtio_pci_cap cap;
-+ uint32_t offset_hi; /* Most sig 32 bits of offset */
-+ uint32_t length_hi; /* Most sig 32 bits of length */
-+};
-+
- struct virtio_pci_notify_cap {
- struct virtio_pci_cap cap;
- uint32_t notify_off_multiplier; /* Multiplier for queue_notify_off. */
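Review bot: the new `id` field in `struct virtio_pci_cap` takes over a byte that used to be part of `padding[3]`, so it is only reliably 0 for existing capabilities if the code that builds them zeroes the whole struct. Please check the capability construction path for that. For the new `struct virtio_pci_cap64`, a consumer has to combine `offset`/`offset_hi` and `length`/`length_hi` into 64-bit values and range-check the result against the BAR size before using it. A comment to that effect next to the struct would help.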
-diff --git a/linux-headers/asm-arm64/kvm.h b/linux-headers/asm-arm64/kvm.h
-index 9e34f0f875a60a1dc7bb69e0db91..a72de1ae4cb5638b42ea7057a9cc 100644
---- a/linux-headers/asm-arm64/kvm.h
-+++ b/linux-headers/asm-arm64/kvm.h
-@@ -159,6 +159,21 @@ struct kvm_sync_regs {
- struct kvm_arch_memory_slot {
- };
-
-+/*
-+ * PMU filter structure. Describe a range of events with a particular
-+ * action. To be used with KVM_ARM_VCPU_PMU_V3_FILTER.
-+ */
-+struct kvm_pmu_event_filter {
-+ __u16 base_event;
-+ __u16 nevents;
-+
-+#define KVM_PMU_EVENT_ALLOW 0
-+#define KVM_PMU_EVENT_DENY 1
-+
-+ __u8 action;
-+ __u8 pad[3];
-+};
-+
- /* for KVM_GET/SET_VCPU_EVENTS */
- struct kvm_vcpu_events {
- struct {
-@@ -242,6 +257,15 @@ struct kvm_vcpu_events {
- #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_NOT_AVAIL 0
- #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_AVAIL 1
- #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_NOT_REQUIRED 2
-+
-+/*
-+ * Only two states can be presented by the host kernel:
-+ * - NOT_REQUIRED: the guest doesn't need to do anything
-+ * - NOT_AVAIL: the guest isn't mitigated (it can still use SSBS if available)
-+ *
-+ * All the other values are deprecated. The host still accepts all
-+ * values (they are ABI), but will narrow them to the above two.
-+ */
- #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2 KVM_REG_ARM_FW_REG(2)
- #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_NOT_AVAIL 0
- #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_UNKNOWN 1
-@@ -329,6 +353,7 @@ struct kvm_vcpu_events {
- #define KVM_ARM_VCPU_PMU_V3_CTRL 0
- #define KVM_ARM_VCPU_PMU_V3_IRQ 0
- #define KVM_ARM_VCPU_PMU_V3_INIT 1
-+#define KVM_ARM_VCPU_PMU_V3_FILTER 2
- #define KVM_ARM_VCPU_TIMER_CTRL 1
- #define KVM_ARM_VCPU_TIMER_IRQ_VTIMER 0
- #define KVM_ARM_VCPU_TIMER_IRQ_PTIMER 1
-diff --git a/linux-headers/asm-arm64/mman.h b/linux-headers/asm-arm64/mman.h
-index e94b9af859842a952268c34cfd92..d0dbfe958789062e3f56406078aa 100644
---- a/linux-headers/asm-arm64/mman.h
-+++ b/linux-headers/asm-arm64/mman.h
-@@ -5,5 +5,6 @@
- #include <asm-generic/mman.h>
-
- #define PROT_BTI 0x10 /* BTI guarded page */
-+#define PROT_MTE 0x20 /* Normal Tagged mapping */
-
- #endif /* ! _UAPI__ASM_MMAN_H */
-diff --git a/linux-headers/asm-generic/hugetlb_encode.h b/linux-headers/asm-generic/hugetlb_encode.h
-index b0f8e87235bdf4b599b52895637d..4f3d5aaa11f531164beab5a47bed 100644
---- a/linux-headers/asm-generic/hugetlb_encode.h
-+++ b/linux-headers/asm-generic/hugetlb_encode.h
-@@ -20,6 +20,7 @@
- #define HUGETLB_FLAG_ENCODE_SHIFT 26
- #define HUGETLB_FLAG_ENCODE_MASK 0x3f
-
-+#define HUGETLB_FLAG_ENCODE_16KB (14 << HUGETLB_FLAG_ENCODE_SHIFT)
- #define HUGETLB_FLAG_ENCODE_64KB (16 << HUGETLB_FLAG_ENCODE_SHIFT)
- #define HUGETLB_FLAG_ENCODE_512KB (19 << HUGETLB_FLAG_ENCODE_SHIFT)
- #define HUGETLB_FLAG_ENCODE_1MB (20 << HUGETLB_FLAG_ENCODE_SHIFT)
-diff --git a/linux-headers/asm-generic/unistd.h b/linux-headers/asm-generic/unistd.h
-index 995b36c2ea7d8a4edbff1e79e555..2056318988f774931c4e0a310414 100644
---- a/linux-headers/asm-generic/unistd.h
-+++ b/linux-headers/asm-generic/unistd.h
-@@ -140,7 +140,7 @@ __SYSCALL(__NR_renameat, sys_renameat)
- #define __NR_umount2 39
- __SYSCALL(__NR_umount2, sys_umount)
- #define __NR_mount 40
--__SC_COMP(__NR_mount, sys_mount, compat_sys_mount)
-+__SYSCALL(__NR_mount, sys_mount)
- #define __NR_pivot_root 41
- __SYSCALL(__NR_pivot_root, sys_pivot_root)
-
-@@ -207,9 +207,9 @@ __SYSCALL(__NR_read, sys_read)
- #define __NR_write 64
- __SYSCALL(__NR_write, sys_write)
- #define __NR_readv 65
--__SC_COMP(__NR_readv, sys_readv, compat_sys_readv)
-+__SC_COMP(__NR_readv, sys_readv, sys_readv)
- #define __NR_writev 66
--__SC_COMP(__NR_writev, sys_writev, compat_sys_writev)
-+__SC_COMP(__NR_writev, sys_writev, sys_writev)
- #define __NR_pread64 67
- __SC_COMP(__NR_pread64, sys_pread64, compat_sys_pread64)
- #define __NR_pwrite64 68
-@@ -237,7 +237,7 @@ __SC_COMP(__NR_signalfd4, sys_signalfd4, compat_sys_signalfd4)
-
- /* fs/splice.c */
- #define __NR_vmsplice 75
--__SC_COMP(__NR_vmsplice, sys_vmsplice, compat_sys_vmsplice)
-+__SYSCALL(__NR_vmsplice, sys_vmsplice)
- #define __NR_splice 76
- __SYSCALL(__NR_splice, sys_splice)
- #define __NR_tee 77
-@@ -727,11 +727,9 @@ __SYSCALL(__NR_setns, sys_setns)
- #define __NR_sendmmsg 269
- __SC_COMP(__NR_sendmmsg, sys_sendmmsg, compat_sys_sendmmsg)
- #define __NR_process_vm_readv 270
--__SC_COMP(__NR_process_vm_readv, sys_process_vm_readv, \
-- compat_sys_process_vm_readv)
-+__SYSCALL(__NR_process_vm_readv, sys_process_vm_readv)
- #define __NR_process_vm_writev 271
--__SC_COMP(__NR_process_vm_writev, sys_process_vm_writev, \
-- compat_sys_process_vm_writev)
-+__SYSCALL(__NR_process_vm_writev, sys_process_vm_writev)
- #define __NR_kcmp 272
- __SYSCALL(__NR_kcmp, sys_kcmp)
- #define __NR_finit_module 273
-@@ -859,9 +857,11 @@ __SYSCALL(__NR_openat2, sys_openat2)
- __SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd)
- #define __NR_faccessat2 439
- __SYSCALL(__NR_faccessat2, sys_faccessat2)
-+#define __NR_process_madvise 440
-+__SYSCALL(__NR_process_madvise, sys_process_madvise)
-
- #undef __NR_syscalls
--#define __NR_syscalls 440
-+#define __NR_syscalls 441
-
- /*
- * 32 bit systems traditionally used different
-diff --git a/linux-headers/asm-mips/unistd_n32.h b/linux-headers/asm-mips/unistd_n32.h
-index 246fbb6a7885638679b536b78e66..aba284d190a0f7b887943283bfb6 100644
---- a/linux-headers/asm-mips/unistd_n32.h
-+++ b/linux-headers/asm-mips/unistd_n32.h
-@@ -369,6 +369,7 @@
- #define __NR_openat2 (__NR_Linux + 437)
- #define __NR_pidfd_getfd (__NR_Linux + 438)
- #define __NR_faccessat2 (__NR_Linux + 439)
-+#define __NR_process_madvise (__NR_Linux + 440)
-
-
- #endif /* _ASM_MIPS_UNISTD_N32_H */
-diff --git a/linux-headers/asm-mips/unistd_n64.h b/linux-headers/asm-mips/unistd_n64.h
-index 194d777dfd42582819f2d1e4342d..0465ab94db8966b453f1e1863e00 100644
---- a/linux-headers/asm-mips/unistd_n64.h
-+++ b/linux-headers/asm-mips/unistd_n64.h
-@@ -345,6 +345,7 @@
- #define __NR_openat2 (__NR_Linux + 437)
- #define __NR_pidfd_getfd (__NR_Linux + 438)
- #define __NR_faccessat2 (__NR_Linux + 439)
-+#define __NR_process_madvise (__NR_Linux + 440)
-
-
- #endif /* _ASM_MIPS_UNISTD_N64_H */
-diff --git a/linux-headers/asm-mips/unistd_o32.h b/linux-headers/asm-mips/unistd_o32.h
-index 3e093dd9134dc84a82778ace3c4d..5222a0dd50e18b778dcc38f45af8 100644
---- a/linux-headers/asm-mips/unistd_o32.h
-+++ b/linux-headers/asm-mips/unistd_o32.h
-@@ -415,6 +415,7 @@
- #define __NR_openat2 (__NR_Linux + 437)
- #define __NR_pidfd_getfd (__NR_Linux + 438)
- #define __NR_faccessat2 (__NR_Linux + 439)
-+#define __NR_process_madvise (__NR_Linux + 440)
-
-
- #endif /* _ASM_MIPS_UNISTD_O32_H */
-diff --git a/linux-headers/asm-powerpc/unistd_32.h b/linux-headers/asm-powerpc/unistd_32.h
-index 0db9481d49629bde4402afcb0c18..21066a3d5f4a65bd2a1e09c002a3 100644
---- a/linux-headers/asm-powerpc/unistd_32.h
-+++ b/linux-headers/asm-powerpc/unistd_32.h
-@@ -422,6 +422,7 @@
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
- #define __NR_faccessat2 439
-+#define __NR_process_madvise 440
-
-
- #endif /* _ASM_POWERPC_UNISTD_32_H */
-diff --git a/linux-headers/asm-powerpc/unistd_64.h b/linux-headers/asm-powerpc/unistd_64.h
-index 9f74310988e1afca2bbe087ab83d..c153da29f2362aa32b379a711ac8 100644
---- a/linux-headers/asm-powerpc/unistd_64.h
-+++ b/linux-headers/asm-powerpc/unistd_64.h
-@@ -394,6 +394,7 @@
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
- #define __NR_faccessat2 439
-+#define __NR_process_madvise 440
-
-
- #endif /* _ASM_POWERPC_UNISTD_64_H */
-diff --git a/linux-headers/asm-s390/unistd_32.h b/linux-headers/asm-s390/unistd_32.h
-index 1803cd0c3ba638008c0463758951..3b4f2dda6049767ea56e3a29ecf6 100644
---- a/linux-headers/asm-s390/unistd_32.h
-+++ b/linux-headers/asm-s390/unistd_32.h
-@@ -412,5 +412,6 @@
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
- #define __NR_faccessat2 439
-+#define __NR_process_madvise 440
-
- #endif /* _ASM_S390_UNISTD_32_H */
-diff --git a/linux-headers/asm-s390/unistd_64.h b/linux-headers/asm-s390/unistd_64.h
-index 228d5004e5a88127a30d1fae6fb8..030a51fa3828b9a8ea64d42dc84b 100644
---- a/linux-headers/asm-s390/unistd_64.h
-+++ b/linux-headers/asm-s390/unistd_64.h
-@@ -360,5 +360,6 @@
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
- #define __NR_faccessat2 439
-+#define __NR_process_madvise 440
-
- #endif /* _ASM_S390_UNISTD_64_H */
-diff --git a/linux-headers/asm-x86/kvm.h b/linux-headers/asm-x86/kvm.h
-index 17c5a038f42d3978d1b06d7cec5f..5108cf3d01dd463bf1f89128ad43 100644
---- a/linux-headers/asm-x86/kvm.h
-+++ b/linux-headers/asm-x86/kvm.h
-@@ -192,6 +192,26 @@ struct kvm_msr_list {
- __u32 indices[0];
- };
-
-+/* Maximum size of any access bitmap in bytes */
-+#define KVM_MSR_FILTER_MAX_BITMAP_SIZE 0x600
-+
-+/* for KVM_X86_SET_MSR_FILTER */
-+struct kvm_msr_filter_range {
-+#define KVM_MSR_FILTER_READ (1 << 0)
-+#define KVM_MSR_FILTER_WRITE (1 << 1)
-+ __u32 flags;
-+ __u32 nmsrs; /* number of msrs in bitmap */
-+ __u32 base; /* MSR index the bitmap starts at */
-+ __u8 *bitmap; /* a 1 bit allows the operations in flags, 0 denies */
-+};
-+
-+#define KVM_MSR_FILTER_MAX_RANGES 16
-+struct kvm_msr_filter {
-+#define KVM_MSR_FILTER_DEFAULT_ALLOW (0 << 0)
-+#define KVM_MSR_FILTER_DEFAULT_DENY (1 << 0)
-+ __u32 flags;
-+ struct kvm_msr_filter_range ranges[KVM_MSR_FILTER_MAX_RANGES];
-+};
-
- struct kvm_cpuid_entry {
- __u32 function;
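Review bot: `struct kvm_msr_filter_range` carries a raw `__u8 *bitmap` pointer after three `__u32` fields, so on 64-bit builds there are 4 bytes of implicit padding before it and the layout differs between 32-bit and 64-bit userspace. Callers should zero-initialise the whole `struct kvm_msr_filter` before filling it so that no stack contents reach the ioctl. They should also bound `nmsrs` so that the bitmap never exceeds `KVM_MSR_FILTER_MAX_BITMAP_SIZE` (0x600 bytes, i.e. 0x3000 bits), and leave unused entries of `ranges[KVM_MSR_FILTER_MAX_RANGES]` zeroed.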
-diff --git a/linux-headers/asm-x86/unistd_32.h b/linux-headers/asm-x86/unistd_32.h
-index 356c12c2dbce1bf92f665c705a86..cfba368f9dffa9ed90eeff567849 100644
---- a/linux-headers/asm-x86/unistd_32.h
-+++ b/linux-headers/asm-x86/unistd_32.h
-@@ -430,6 +430,7 @@
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
- #define __NR_faccessat2 439
-+#define __NR_process_madvise 440
-
-
- #endif /* _ASM_X86_UNISTD_32_H */
-diff --git a/linux-headers/asm-x86/unistd_64.h b/linux-headers/asm-x86/unistd_64.h
-index ef70e1c7c93fc9f64edcc1d551a1..61af7250955feef3be80c70eeccc 100644
---- a/linux-headers/asm-x86/unistd_64.h
-+++ b/linux-headers/asm-x86/unistd_64.h
-@@ -352,6 +352,7 @@
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
- #define __NR_faccessat2 439
-+#define __NR_process_madvise 440
-
-
- #endif /* _ASM_X86_UNISTD_64_H */
-diff --git a/linux-headers/asm-x86/unistd_x32.h b/linux-headers/asm-x86/unistd_x32.h
-index 84ae8e9f5fca8679e279bdfbf5f3..a6890cb1f5b534b152455e07e707 100644
---- a/linux-headers/asm-x86/unistd_x32.h
-+++ b/linux-headers/asm-x86/unistd_x32.h
-@@ -305,6 +305,7 @@
- #define __NR_openat2 (__X32_SYSCALL_BIT + 437)
- #define __NR_pidfd_getfd (__X32_SYSCALL_BIT + 438)
- #define __NR_faccessat2 (__X32_SYSCALL_BIT + 439)
-+#define __NR_process_madvise (__X32_SYSCALL_BIT + 440)
- #define __NR_rt_sigaction (__X32_SYSCALL_BIT + 512)
- #define __NR_rt_sigreturn (__X32_SYSCALL_BIT + 513)
- #define __NR_ioctl (__X32_SYSCALL_BIT + 514)
-diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
-index d9860561985c537b70428a9fbfc0..4ec5f9464c650dda5bdda131f6ba 100644
---- a/linux-headers/linux/kvm.h
-+++ b/linux-headers/linux/kvm.h
-@@ -248,6 +248,8 @@ struct kvm_hyperv_exit {
- #define KVM_EXIT_IOAPIC_EOI 26
- #define KVM_EXIT_HYPERV 27
- #define KVM_EXIT_ARM_NISV 28
-+#define KVM_EXIT_X86_RDMSR 29
-+#define KVM_EXIT_X86_WRMSR 30
-
- /* For KVM_EXIT_INTERNAL_ERROR */
- /* Emulate instruction failed. */
-@@ -413,6 +415,17 @@ struct kvm_run {
- __u64 esr_iss;
- __u64 fault_ipa;
- } arm_nisv;
-+ /* KVM_EXIT_X86_RDMSR / KVM_EXIT_X86_WRMSR */
-+ struct {
-+ __u8 error; /* user -> kernel */
-+ __u8 pad[7];
-+#define KVM_MSR_EXIT_REASON_INVAL (1 << 0)
-+#define KVM_MSR_EXIT_REASON_UNKNOWN (1 << 1)
-+#define KVM_MSR_EXIT_REASON_FILTER (1 << 2)
-+ __u32 reason; /* kernel -> user */
-+ __u32 index; /* kernel -> user */
-+ __u64 data; /* kernel <-> user */
-+ } msr;
- /* Fix the size of the union. */
- char padding[256];
- };
-@@ -1031,6 +1044,9 @@ struct kvm_ppc_resize_hpt {
- #define KVM_CAP_SMALLER_MAXPHYADDR 185
- #define KVM_CAP_S390_DIAG318 186
- #define KVM_CAP_STEAL_TIME 187
-+#define KVM_CAP_X86_USER_SPACE_MSR 188
-+#define KVM_CAP_X86_MSR_FILTER 189
-+#define KVM_CAP_ENFORCE_PV_FEATURE_CPUID 190
-
- #ifdef KVM_CAP_IRQ_ROUTING
-
-@@ -1495,6 +1511,9 @@ struct kvm_enc_region {
- /* Available with KVM_CAP_ARM_SVE */
- #define KVM_ARM_VCPU_FINALIZE _IOW(KVMIO, 0xc2, int)
-
-+/* Available with KVM_CAP_X86_MSR_FILTER */
-+#define KVM_X86_SET_MSR_FILTER _IOW(KVMIO, 0xc6, struct kvm_msr_filter)
-+
- /* Secure Encrypted Virtualization command */
- enum sev_cmd_id {
- /* Guest initialization commands */
-diff --git a/linux-headers/linux/mman.h b/linux-headers/linux/mman.h
-index 51ea363759f021d964e23440cd82..434986fbe3071d1fd0c13d6a46a6 100644
---- a/linux-headers/linux/mman.h
-+++ b/linux-headers/linux/mman.h
-@@ -27,6 +27,7 @@
- #define MAP_HUGE_SHIFT HUGETLB_FLAG_ENCODE_SHIFT
- #define MAP_HUGE_MASK HUGETLB_FLAG_ENCODE_MASK
-
-+#define MAP_HUGE_16KB HUGETLB_FLAG_ENCODE_16KB
- #define MAP_HUGE_64KB HUGETLB_FLAG_ENCODE_64KB
- #define MAP_HUGE_512KB HUGETLB_FLAG_ENCODE_512KB
- #define MAP_HUGE_1MB HUGETLB_FLAG_ENCODE_1MB
-diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h
-index a90672494dc584fff35d3141e248..b92dcc4dafd5f00fd1ab89199aee 100644
---- a/linux-headers/linux/vfio.h
-+++ b/linux-headers/linux/vfio.h
-@@ -201,8 +201,11 @@ struct vfio_device_info {
- #define VFIO_DEVICE_FLAGS_AMBA (1 << 3) /* vfio-amba device */
- #define VFIO_DEVICE_FLAGS_CCW (1 << 4) /* vfio-ccw device */
- #define VFIO_DEVICE_FLAGS_AP (1 << 5) /* vfio-ap device */
-+#define VFIO_DEVICE_FLAGS_FSL_MC (1 << 6) /* vfio-fsl-mc device */
-+#define VFIO_DEVICE_FLAGS_CAPS (1 << 7) /* Info supports caps */
- __u32 num_regions; /* Max region index + 1 */
- __u32 num_irqs; /* Max IRQ index + 1 */
-+ __u32 cap_offset; /* Offset within info struct of first cap */
- };
- #define VFIO_DEVICE_GET_INFO _IO(VFIO_TYPE, VFIO_BASE + 7)
-
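Review bot: cap_offset is appended to struct vfio_device_info, but its comment does not tie it to VFIO_DEVICE_FLAGS_CAPS, which is added two lines above. Please state in the field comment that cap_offset is only valid when that flag is set. Callers should also check the offset against the size of the buffer they passed to VFIO_DEVICE_GET_INFO before following it.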
-@@ -218,6 +221,15 @@ struct vfio_device_info {
- #define VFIO_DEVICE_API_CCW_STRING "vfio-ccw"
- #define VFIO_DEVICE_API_AP_STRING "vfio-ap"
-
-+/*
-+ * The following capabilities are unique to s390 zPCI devices. Their contents
-+ * are further-defined in vfio_zdev.h
-+ */
-+#define VFIO_DEVICE_INFO_CAP_ZPCI_BASE 1
-+#define VFIO_DEVICE_INFO_CAP_ZPCI_GROUP 2
-+#define VFIO_DEVICE_INFO_CAP_ZPCI_UTIL 3
-+#define VFIO_DEVICE_INFO_CAP_ZPCI_PFIP 4
-+
- /**
- * VFIO_DEVICE_GET_REGION_INFO - _IOWR(VFIO_TYPE, VFIO_BASE + 8,
- * struct vfio_region_info)
-@@ -462,7 +474,7 @@ struct vfio_region_gfx_edid {
- * 5. Resumed
- * |--------->|
- *
-- * 0. Default state of VFIO device is _RUNNNG when the user application starts.
-+ * 0. Default state of VFIO device is _RUNNING when the user application starts.
- * 1. During normal shutdown of the user application, the user application may
- * optionally change the VFIO device state from _RUNNING to _STOP. This
- * transition is optional. The vendor driver must support this transition but
-@@ -1039,6 +1051,21 @@ struct vfio_iommu_type1_info_cap_migration {
- __u64 max_dirty_bitmap_size; /* in bytes */
- };
-
-+/*
-+ * The DMA available capability allows to report the current number of
-+ * simultaneously outstanding DMA mappings that are allowed.
-+ *
-+ * The structure below defines version 1 of this capability.
-+ *
-+ * avail: specifies the current number of outstanding DMA mappings allowed.
-+ */
-+#define VFIO_IOMMU_TYPE1_INFO_DMA_AVAIL 3
-+
-+struct vfio_iommu_type1_info_dma_avail {
-+ struct vfio_info_cap_header header;
-+ __u32 avail;
-+};
-+
- #define VFIO_IOMMU_GET_INFO _IO(VFIO_TYPE, VFIO_BASE + 12)
-
- /**
-diff --git a/linux-headers/linux/vfio_zdev.h b/linux-headers/linux/vfio_zdev.h
-new file mode 100644
-index 0000000000000000000000000000000000000000..b4309397b6b273bb66e80cc53da769625cec939a
---- /dev/null
-+++ b/linux-headers/linux/vfio_zdev.h
-@@ -0,0 +1,78 @@
-+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
-+/*
-+ * VFIO Region definitions for ZPCI devices
-+ *
-+ * Copyright IBM Corp. 2020
-+ *
-+ * Author(s): Pierre Morel <pmorel@linux.ibm.com>
-+ * Matthew Rosato <mjrosato@linux.ibm.com>
-+ */
-+
-+#ifndef _VFIO_ZDEV_H_
-+#define _VFIO_ZDEV_H_
-+
-+#include <linux/types.h>
-+#include <linux/vfio.h>
-+
-+/**
-+ * VFIO_DEVICE_INFO_CAP_ZPCI_BASE - Base PCI Function information
-+ *
-+ * This capability provides a set of descriptive information about the
-+ * associated PCI function.
-+ */
-+struct vfio_device_info_cap_zpci_base {
-+ struct vfio_info_cap_header header;
-+ __u64 start_dma; /* Start of available DMA addresses */
-+ __u64 end_dma; /* End of available DMA addresses */
-+ __u16 pchid; /* Physical Channel ID */
-+ __u16 vfn; /* Virtual function number */
-+ __u16 fmb_length; /* Measurement Block Length (in bytes) */
-+ __u8 pft; /* PCI Function Type */
-+ __u8 gid; /* PCI function group ID */
-+};
-+
-+/**
-+ * VFIO_DEVICE_INFO_CAP_ZPCI_GROUP - Base PCI Function Group information
-+ *
-+ * This capability provides a set of descriptive information about the group of
-+ * PCI functions that the associated device belongs to.
-+ */
-+struct vfio_device_info_cap_zpci_group {
-+ struct vfio_info_cap_header header;
-+ __u64 dasm; /* DMA Address space mask */
-+ __u64 msi_addr; /* MSI address */
-+ __u64 flags;
-+#define VFIO_DEVICE_INFO_ZPCI_FLAG_REFRESH 1 /* Program-specified TLB refresh */
-+ __u16 mui; /* Measurement Block Update Interval */
-+ __u16 noi; /* Maximum number of MSIs */
-+ __u16 maxstbl; /* Maximum Store Block Length */
-+ __u8 version; /* Supported PCI Version */
-+};
-+
-+/**
-+ * VFIO_DEVICE_INFO_CAP_ZPCI_UTIL - Utility String
-+ *
-+ * This capability provides the utility string for the associated device, which
-+ * is a device identifier string made up of EBCDID characters. 'size' specifies
-+ * the length of 'util_str'.
-+ */
-+struct vfio_device_info_cap_zpci_util {
-+ struct vfio_info_cap_header header;
-+ __u32 size;
-+ __u8 util_str[];
-+};
-+
-+/**
-+ * VFIO_DEVICE_INFO_CAP_ZPCI_PFIP - PCI Function Path
-+ *
-+ * This capability provides the PCI function path string, which is an identifier
-+ * that describes the internal hardware path of the device. 'size' specifies
-+ * the length of 'pfip'.
-+ */
-+struct vfio_device_info_cap_zpci_pfip {
-+ struct vfio_info_cap_header header;
-+ __u32 size;
-+ __u8 pfip[];
-+};
-+
-+#endif
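Review bot: vfio_device_info_cap_zpci_util and vfio_device_info_cap_zpci_pfip both end in a flexible array (util_str[], pfip[]) whose length is given only by the preceding size field. Nothing in the header bounds that field, so code that copies these strings has to check size against the space remaining in the capability buffer before reading. Also, "EBCDID characters" in the ZPCI_UTIL comment looks like a typo for EBCDIC; since this file is imported from the kernel, that is worth reporting upstream rather than patching here. The closing #endif has no trailing guard comment, unlike the other headers in this series.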
+++ /dev/null
-From: Cornelia Huck <cohuck@redhat.com>
-Date: Tue, 18 Feb 2020 15:44:59 +0100
-Subject: linux-headers: update against Linux 5.6-rc3
-
-Git-commit: ddda37483dd17c9936fdde9ebf8f6ca2692b3842
-References: bsc#1179719
-
-Update to commit b1da3acc781c ("Merge tag 'ecryptfs-5.6-rc3-fixes' of
-git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs")
-
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- include/standard-headers/drm/drm_fourcc.h | 24 +++++++++++++++++++++++
- include/standard-headers/linux/ethtool.h | 11 +++++++++++
- include/standard-headers/linux/input.h | 1 +
- include/standard-headers/linux/pci_regs.h | 1 +
- linux-headers/asm-arm/unistd-common.h | 2 ++
- linux-headers/asm-arm64/kvm.h | 12 ++++++++++--
- linux-headers/asm-arm64/unistd.h | 1 +
- linux-headers/asm-generic/mman-common.h | 2 ++
- linux-headers/asm-generic/unistd.h | 7 ++++++-
- linux-headers/asm-mips/unistd_n32.h | 2 ++
- linux-headers/asm-mips/unistd_n64.h | 2 ++
- linux-headers/asm-mips/unistd_o32.h | 2 ++
- linux-headers/asm-powerpc/unistd_32.h | 2 ++
- linux-headers/asm-powerpc/unistd_64.h | 2 ++
- linux-headers/asm-s390/unistd_32.h | 2 ++
- linux-headers/asm-s390/unistd_64.h | 2 ++
- linux-headers/asm-x86/unistd_32.h | 2 ++
- linux-headers/asm-x86/unistd_64.h | 2 ++
- linux-headers/asm-x86/unistd_x32.h | 2 ++
- 19 files changed, 78 insertions(+), 3 deletions(-)
-
-diff --git a/include/standard-headers/drm/drm_fourcc.h b/include/standard-headers/drm/drm_fourcc.h
-index 46d279f51586bcbc097cc7f67347..66e838074c81c64d1d38f3fb815d 100644
---- a/include/standard-headers/drm/drm_fourcc.h
-+++ b/include/standard-headers/drm/drm_fourcc.h
-@@ -409,6 +409,30 @@ extern "C" {
- #define I915_FORMAT_MOD_Y_TILED_CCS fourcc_mod_code(INTEL, 4)
- #define I915_FORMAT_MOD_Yf_TILED_CCS fourcc_mod_code(INTEL, 5)
-
-+/*
-+ * Intel color control surfaces (CCS) for Gen-12 render compression.
-+ *
-+ * The main surface is Y-tiled and at plane index 0, the CCS is linear and
-+ * at index 1. A 64B CCS cache line corresponds to an area of 4x1 tiles in
-+ * main surface. In other words, 4 bits in CCS map to a main surface cache
-+ * line pair. The main surface pitch is required to be a multiple of four
-+ * Y-tile widths.
-+ */
-+#define I915_FORMAT_MOD_Y_TILED_GEN12_RC_CCS fourcc_mod_code(INTEL, 6)
-+
-+/*
-+ * Intel color control surfaces (CCS) for Gen-12 media compression
-+ *
-+ * The main surface is Y-tiled and at plane index 0, the CCS is linear and
-+ * at index 1. A 64B CCS cache line corresponds to an area of 4x1 tiles in
-+ * main surface. In other words, 4 bits in CCS map to a main surface cache
-+ * line pair. The main surface pitch is required to be a multiple of four
-+ * Y-tile widths. For semi-planar formats like NV12, CCS planes follow the
-+ * Y and UV planes i.e., planes 0 and 1 are used for Y and UV surfaces,
-+ * planes 2 and 3 for the respective CCS.
-+ */
-+#define I915_FORMAT_MOD_Y_TILED_GEN12_MC_CCS fourcc_mod_code(INTEL, 7)
-+
- /*
- * Tiled, NV12MT, grouped in 64 (pixels) x 32 (lines) -sized macroblocks
- *
-diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h
-index 6e8a10ee10751b19ccaad191d38c..8adf3b018b95f2e6e0dc0960810d 100644
---- a/include/standard-headers/linux/ethtool.h
-+++ b/include/standard-headers/linux/ethtool.h
-@@ -593,6 +593,9 @@ struct ethtool_pauseparam {
- * @ETH_SS_RSS_HASH_FUNCS: RSS hush function names
- * @ETH_SS_PHY_STATS: Statistic names, for use with %ETHTOOL_GPHYSTATS
- * @ETH_SS_PHY_TUNABLES: PHY tunable names
-+ * @ETH_SS_LINK_MODES: link mode names
-+ * @ETH_SS_MSG_CLASSES: debug message class names
-+ * @ETH_SS_WOL_MODES: wake-on-lan modes
- */
- enum ethtool_stringset {
- ETH_SS_TEST = 0,
-@@ -604,6 +607,12 @@ enum ethtool_stringset {
- ETH_SS_TUNABLES,
- ETH_SS_PHY_STATS,
- ETH_SS_PHY_TUNABLES,
-+ ETH_SS_LINK_MODES,
-+ ETH_SS_MSG_CLASSES,
-+ ETH_SS_WOL_MODES,
-+
-+ /* add new constants above here */
-+ ETH_SS_COUNT
- };
-
- /**
-@@ -1688,6 +1697,8 @@ static inline int ethtool_validate_duplex(uint8_t duplex)
- #define WAKE_MAGICSECURE (1 << 6) /* only meaningful if WAKE_MAGIC */
- #define WAKE_FILTER (1 << 7)
-
-+#define WOL_MODE_COUNT 8
-+
- /* L2-L4 network traffic flow types */
- #define TCP_V4_FLOW 0x01 /* hash or spec (tcp_ip4_spec) */
- #define UDP_V4_FLOW 0x02 /* hash or spec (udp_ip4_spec) */
-diff --git a/include/standard-headers/linux/input.h b/include/standard-headers/linux/input.h
-index d8914f25a5e0de3a864d8f6fdd66..f89c986190de9b8810d73cd65481 100644
---- a/include/standard-headers/linux/input.h
-+++ b/include/standard-headers/linux/input.h
-@@ -31,6 +31,7 @@ struct input_event {
- unsigned long __sec;
- #if defined(__sparc__) && defined(__arch64__)
- unsigned int __usec;
-+ unsigned int __pad;
- #else
- unsigned long __usec;
- #endif
-diff --git a/include/standard-headers/linux/pci_regs.h b/include/standard-headers/linux/pci_regs.h
-index acb7d2bdb419a49f2e6ed999f9ff..5437690483cded0999edd48eb7d7 100644
---- a/include/standard-headers/linux/pci_regs.h
-+++ b/include/standard-headers/linux/pci_regs.h
-@@ -676,6 +676,7 @@
- #define PCI_EXP_LNKCTL2_TLS_32_0GT 0x0005 /* Supported Speed 32GT/s */
- #define PCI_EXP_LNKCTL2_ENTER_COMP 0x0010 /* Enter Compliance */
- #define PCI_EXP_LNKCTL2_TX_MARGIN 0x0380 /* Transmit Margin */
-+#define PCI_EXP_LNKCTL2_HASD 0x0020 /* HW Autonomous Speed Disable */
- #define PCI_EXP_LNKSTA2 50 /* Link Status 2 */
- #define PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 52 /* v2 endpoints with link end here */
- #define PCI_EXP_SLTCAP2 52 /* Slot Capabilities 2 */
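Review bot: PCI_EXP_LNKCTL2_HASD (0x0020) is inserted after PCI_EXP_LNKCTL2_TX_MARGIN (0x0380), which breaks the ascending bit order of the LNKCTL2 defines above it. Placing it between ENTER_COMP (0x0010) and TX_MARGIN would keep the block readable as a register layout.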
-diff --git a/linux-headers/asm-arm/unistd-common.h b/linux-headers/asm-arm/unistd-common.h
-index eb5d361b117bd21fc5c565f59e7c..23de64e44c44fbf4e00ceef0f505 100644
---- a/linux-headers/asm-arm/unistd-common.h
-+++ b/linux-headers/asm-arm/unistd-common.h
-@@ -390,5 +390,7 @@
- #define __NR_fspick (__NR_SYSCALL_BASE + 433)
- #define __NR_pidfd_open (__NR_SYSCALL_BASE + 434)
- #define __NR_clone3 (__NR_SYSCALL_BASE + 435)
-+#define __NR_openat2 (__NR_SYSCALL_BASE + 437)
-+#define __NR_pidfd_getfd (__NR_SYSCALL_BASE + 438)
-
- #endif /* _ASM_ARM_UNISTD_COMMON_H */
-diff --git a/linux-headers/asm-arm64/kvm.h b/linux-headers/asm-arm64/kvm.h
-index 920af01c8b9029db521c55e93aaa..9e34f0f875a60a1dc7bb69e0db91 100644
---- a/linux-headers/asm-arm64/kvm.h
-+++ b/linux-headers/asm-arm64/kvm.h
-@@ -220,10 +220,18 @@ struct kvm_vcpu_events {
- #define KVM_REG_ARM_PTIMER_CVAL ARM64_SYS_REG(3, 3, 14, 2, 2)
- #define KVM_REG_ARM_PTIMER_CNT ARM64_SYS_REG(3, 3, 14, 0, 1)
-
--/* EL0 Virtual Timer Registers */
-+/*
-+ * EL0 Virtual Timer Registers
-+ *
-+ * WARNING:
-+ * KVM_REG_ARM_TIMER_CVAL and KVM_REG_ARM_TIMER_CNT are not defined
-+ * with the appropriate register encodings. Their values have been
-+ * accidentally swapped. As this is set API, the definitions here
-+ * must be used, rather than ones derived from the encodings.
-+ */
- #define KVM_REG_ARM_TIMER_CTL ARM64_SYS_REG(3, 3, 14, 3, 1)
--#define KVM_REG_ARM_TIMER_CNT ARM64_SYS_REG(3, 3, 14, 3, 2)
- #define KVM_REG_ARM_TIMER_CVAL ARM64_SYS_REG(3, 3, 14, 0, 2)
-+#define KVM_REG_ARM_TIMER_CNT ARM64_SYS_REG(3, 3, 14, 3, 2)
-
- /* KVM-as-firmware specific pseudo-registers */
- #define KVM_REG_ARM_FW (0x0014 << KVM_REG_ARM_COPROC_SHIFT)
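Review bot: the WARNING block says KVM_REG_ARM_TIMER_CVAL and KVM_REG_ARM_TIMER_CNT are swapped, but the two define lines carry no marker, and the hunk only reorders them without changing either value. A short trailing comment on each define stating which encoding it really carries would stop a later cleanup from "fixing" them. "As this is set API" would read more clearly as "As this is established ABI".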
-diff --git a/linux-headers/asm-arm64/unistd.h b/linux-headers/asm-arm64/unistd.h
-index 4703d218663a2ad81e7c8d4fd074..f83a70e07df85ca5029a1e91cde9 100644
---- a/linux-headers/asm-arm64/unistd.h
-+++ b/linux-headers/asm-arm64/unistd.h
-@@ -19,5 +19,6 @@
- #define __ARCH_WANT_NEW_STAT
- #define __ARCH_WANT_SET_GET_RLIMIT
- #define __ARCH_WANT_TIME32_SYSCALLS
-+#define __ARCH_WANT_SYS_CLONE3
-
- #include <asm-generic/unistd.h>
-diff --git a/linux-headers/asm-generic/mman-common.h b/linux-headers/asm-generic/mman-common.h
-index c160a5354eb62b3b17de564be439..f94f65d429bea3c26bdcdc319737 100644
---- a/linux-headers/asm-generic/mman-common.h
-+++ b/linux-headers/asm-generic/mman-common.h
-@@ -11,6 +11,8 @@
- #define PROT_WRITE 0x2 /* page can be written */
- #define PROT_EXEC 0x4 /* page can be executed */
- #define PROT_SEM 0x8 /* page may be used for atomic ops */
-+/* 0x10 reserved for arch-specific use */
-+/* 0x20 reserved for arch-specific use */
- #define PROT_NONE 0x0 /* page can not be accessed */
- #define PROT_GROWSDOWN 0x01000000 /* mprotect flag: extend change to start of growsdown vma */
- #define PROT_GROWSUP 0x02000000 /* mprotect flag: extend change to end of growsup vma */
-diff --git a/linux-headers/asm-generic/unistd.h b/linux-headers/asm-generic/unistd.h
-index 1fc8faa6e97306dfa95335ecba91..3a3201e4618ef8c7445895b26f6e 100644
---- a/linux-headers/asm-generic/unistd.h
-+++ b/linux-headers/asm-generic/unistd.h
-@@ -851,8 +851,13 @@ __SYSCALL(__NR_pidfd_open, sys_pidfd_open)
- __SYSCALL(__NR_clone3, sys_clone3)
- #endif
-
-+#define __NR_openat2 437
-+__SYSCALL(__NR_openat2, sys_openat2)
-+#define __NR_pidfd_getfd 438
-+__SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd)
-+
- #undef __NR_syscalls
--#define __NR_syscalls 436
-+#define __NR_syscalls 439
-
- /*
- * 32 bit systems traditionally used different
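Review bot: __NR_syscalls goes from 436 to 439 while only 437 (openat2) and 438 (pidfd_getfd) are added, so number 436 is left unassigned with no comment explaining the hole. A one-line note at the gap saying that 436 is intentionally skipped or reserved would help anyone building a syscall filter or table from this header, who would otherwise have to guess whether an entry was dropped in the sync.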
-diff --git a/linux-headers/asm-mips/unistd_n32.h b/linux-headers/asm-mips/unistd_n32.h
-index 659d5c9ade4747959ec9b64c7ad7..aec9f6081af7974a2f8fc075a70f 100644
---- a/linux-headers/asm-mips/unistd_n32.h
-+++ b/linux-headers/asm-mips/unistd_n32.h
-@@ -365,6 +365,8 @@
- #define __NR_fspick (__NR_Linux + 433)
- #define __NR_pidfd_open (__NR_Linux + 434)
- #define __NR_clone3 (__NR_Linux + 435)
-+#define __NR_openat2 (__NR_Linux + 437)
-+#define __NR_pidfd_getfd (__NR_Linux + 438)
-
-
- #endif /* _ASM_MIPS_UNISTD_N32_H */
-diff --git a/linux-headers/asm-mips/unistd_n64.h b/linux-headers/asm-mips/unistd_n64.h
-index 4b6310a05c235087cbf6f09b558d..1c75d83df53f90aa386b8b919a3d 100644
---- a/linux-headers/asm-mips/unistd_n64.h
-+++ b/linux-headers/asm-mips/unistd_n64.h
-@@ -341,6 +341,8 @@
- #define __NR_fspick (__NR_Linux + 433)
- #define __NR_pidfd_open (__NR_Linux + 434)
- #define __NR_clone3 (__NR_Linux + 435)
-+#define __NR_openat2 (__NR_Linux + 437)
-+#define __NR_pidfd_getfd (__NR_Linux + 438)
-
-
- #endif /* _ASM_MIPS_UNISTD_N64_H */
-diff --git a/linux-headers/asm-mips/unistd_o32.h b/linux-headers/asm-mips/unistd_o32.h
-index 4ce7b4e288a53503422a21719e92..660716e240ec10f7ccf3e65239dd 100644
---- a/linux-headers/asm-mips/unistd_o32.h
-+++ b/linux-headers/asm-mips/unistd_o32.h
-@@ -411,6 +411,8 @@
- #define __NR_fspick (__NR_Linux + 433)
- #define __NR_pidfd_open (__NR_Linux + 434)
- #define __NR_clone3 (__NR_Linux + 435)
-+#define __NR_openat2 (__NR_Linux + 437)
-+#define __NR_pidfd_getfd (__NR_Linux + 438)
-
-
- #endif /* _ASM_MIPS_UNISTD_O32_H */
-diff --git a/linux-headers/asm-powerpc/unistd_32.h b/linux-headers/asm-powerpc/unistd_32.h
-index 5584cc1b4fc1dd4c9f540f392e6c..4ba8e32f734445f6107d45044d08 100644
---- a/linux-headers/asm-powerpc/unistd_32.h
-+++ b/linux-headers/asm-powerpc/unistd_32.h
-@@ -418,6 +418,8 @@
- #define __NR_fspick 433
- #define __NR_pidfd_open 434
- #define __NR_clone3 435
-+#define __NR_openat2 437
-+#define __NR_pidfd_getfd 438
-
-
- #endif /* _ASM_POWERPC_UNISTD_32_H */
-diff --git a/linux-headers/asm-powerpc/unistd_64.h b/linux-headers/asm-powerpc/unistd_64.h
-index 251bcff77ea4b6cc8e9bc1b3fd4a..ac20bb4f95b207d4875613b54c45 100644
---- a/linux-headers/asm-powerpc/unistd_64.h
-+++ b/linux-headers/asm-powerpc/unistd_64.h
-@@ -390,6 +390,8 @@
- #define __NR_fspick 433
- #define __NR_pidfd_open 434
- #define __NR_clone3 435
-+#define __NR_openat2 437
-+#define __NR_pidfd_getfd 438
-
-
- #endif /* _ASM_POWERPC_UNISTD_64_H */
-diff --git a/linux-headers/asm-s390/unistd_32.h b/linux-headers/asm-s390/unistd_32.h
-index 7cce3ee296093aa8e96139e642a2..e4a6b654f10e1169e4fd62838282 100644
---- a/linux-headers/asm-s390/unistd_32.h
-+++ b/linux-headers/asm-s390/unistd_32.h
-@@ -408,5 +408,7 @@
- #define __NR_fspick 433
- #define __NR_pidfd_open 434
- #define __NR_clone3 435
-+#define __NR_openat2 437
-+#define __NR_pidfd_getfd 438
-
- #endif /* _ASM_S390_UNISTD_32_H */
-diff --git a/linux-headers/asm-s390/unistd_64.h b/linux-headers/asm-s390/unistd_64.h
-index 2371ff1e7a79a2c237b72a941351..472f732956e4d1047d95dd68c5de 100644
---- a/linux-headers/asm-s390/unistd_64.h
-+++ b/linux-headers/asm-s390/unistd_64.h
-@@ -356,5 +356,7 @@
- #define __NR_fspick 433
- #define __NR_pidfd_open 434
- #define __NR_clone3 435
-+#define __NR_openat2 437
-+#define __NR_pidfd_getfd 438
-
- #endif /* _ASM_S390_UNISTD_64_H */
-diff --git a/linux-headers/asm-x86/unistd_32.h b/linux-headers/asm-x86/unistd_32.h
-index e8ebec1cdc99b76c129a781ee830..f6e06fcfbdcf796df4336b83fe33 100644
---- a/linux-headers/asm-x86/unistd_32.h
-+++ b/linux-headers/asm-x86/unistd_32.h
-@@ -426,5 +426,7 @@
- #define __NR_fspick 433
- #define __NR_pidfd_open 434
- #define __NR_clone3 435
-+#define __NR_openat2 437
-+#define __NR_pidfd_getfd 438
-
- #endif /* _ASM_X86_UNISTD_32_H */
-diff --git a/linux-headers/asm-x86/unistd_64.h b/linux-headers/asm-x86/unistd_64.h
-index a2f863d5493ff31b2661721f3e0d..924f826d2d48396621ab67c66942 100644
---- a/linux-headers/asm-x86/unistd_64.h
-+++ b/linux-headers/asm-x86/unistd_64.h
-@@ -348,5 +348,7 @@
- #define __NR_fspick 433
- #define __NR_pidfd_open 434
- #define __NR_clone3 435
-+#define __NR_openat2 437
-+#define __NR_pidfd_getfd 438
-
- #endif /* _ASM_X86_UNISTD_64_H */
-diff --git a/linux-headers/asm-x86/unistd_x32.h b/linux-headers/asm-x86/unistd_x32.h
-index 4cdc67d8481069799fc44bbc07b7..010307757b1bb935299af66e88a3 100644
---- a/linux-headers/asm-x86/unistd_x32.h
-+++ b/linux-headers/asm-x86/unistd_x32.h
-@@ -301,6 +301,8 @@
- #define __NR_fspick (__X32_SYSCALL_BIT + 433)
- #define __NR_pidfd_open (__X32_SYSCALL_BIT + 434)
- #define __NR_clone3 (__X32_SYSCALL_BIT + 435)
-+#define __NR_openat2 (__X32_SYSCALL_BIT + 437)
-+#define __NR_pidfd_getfd (__X32_SYSCALL_BIT + 438)
- #define __NR_rt_sigaction (__X32_SYSCALL_BIT + 512)
- #define __NR_rt_sigreturn (__X32_SYSCALL_BIT + 513)
- #define __NR_ioctl (__X32_SYSCALL_BIT + 514)
+++ /dev/null
-From: Cornelia Huck <cohuck@redhat.com>
-Date: Mon, 27 Apr 2020 12:24:14 +0200
-Subject: linux-headers: update against Linux 5.7-rc3
-
-Git-commit: dc6f8d458a4ccc360723993f31d310d06469f55f
-References: bsc#1179719
-
-commit 6a8b55ed4056ea5559ebe4f6a4b247f627870d4c
-
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com> # virtio/vhost parts
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-Message-Id: <20200427102415.10915-3-cohuck@redhat.com>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- include/standard-headers/linux/ethtool.h | 10 +-
- .../linux/input-event-codes.h | 5 +-
- include/standard-headers/linux/pci_regs.h | 2 +
- include/standard-headers/linux/vhost_types.h | 8 ++
- .../standard-headers/linux/virtio_balloon.h | 12 ++-
- include/standard-headers/linux/virtio_ids.h | 1 +
- include/standard-headers/linux/virtio_net.h | 102 +++++++++++++++++-
- linux-headers/COPYING | 2 +
- linux-headers/asm-x86/kvm.h | 1 +
- linux-headers/asm-x86/unistd_32.h | 1 +
- linux-headers/asm-x86/unistd_64.h | 1 +
- linux-headers/asm-x86/unistd_x32.h | 1 +
- linux-headers/linux/kvm.h | 5 +
- linux-headers/linux/mman.h | 5 +-
- linux-headers/linux/userfaultfd.h | 40 +++++--
- linux-headers/linux/vfio.h | 37 +++++++
- linux-headers/linux/vhost.h | 24 +++++
- 17 files changed, 240 insertions(+), 17 deletions(-)
-
-diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h
-index 8adf3b018b95f2e6e0dc0960810d..1200890c86088cb3c83368f18827 100644
---- a/include/standard-headers/linux/ethtool.h
-+++ b/include/standard-headers/linux/ethtool.h
-@@ -596,6 +596,9 @@ struct ethtool_pauseparam {
- * @ETH_SS_LINK_MODES: link mode names
- * @ETH_SS_MSG_CLASSES: debug message class names
- * @ETH_SS_WOL_MODES: wake-on-lan modes
-+ * @ETH_SS_SOF_TIMESTAMPING: SOF_TIMESTAMPING_* flags
-+ * @ETH_SS_TS_TX_TYPES: timestamping Tx types
-+ * @ETH_SS_TS_RX_FILTERS: timestamping Rx filters
- */
- enum ethtool_stringset {
- ETH_SS_TEST = 0,
-@@ -610,6 +613,9 @@ enum ethtool_stringset {
- ETH_SS_LINK_MODES,
- ETH_SS_MSG_CLASSES,
- ETH_SS_WOL_MODES,
-+ ETH_SS_SOF_TIMESTAMPING,
-+ ETH_SS_TS_TX_TYPES,
-+ ETH_SS_TS_RX_FILTERS,
-
- /* add new constants above here */
- ETH_SS_COUNT
-@@ -1330,6 +1336,7 @@ enum ethtool_fec_config_bits {
- ETHTOOL_FEC_OFF_BIT,
- ETHTOOL_FEC_RS_BIT,
- ETHTOOL_FEC_BASER_BIT,
-+ ETHTOOL_FEC_LLRS_BIT,
- };
-
- #define ETHTOOL_FEC_NONE (1 << ETHTOOL_FEC_NONE_BIT)
-@@ -1337,6 +1344,7 @@ enum ethtool_fec_config_bits {
- #define ETHTOOL_FEC_OFF (1 << ETHTOOL_FEC_OFF_BIT)
- #define ETHTOOL_FEC_RS (1 << ETHTOOL_FEC_RS_BIT)
- #define ETHTOOL_FEC_BASER (1 << ETHTOOL_FEC_BASER_BIT)
-+#define ETHTOOL_FEC_LLRS (1 << ETHTOOL_FEC_LLRS_BIT)
-
- /* CMDs currently supported */
- #define ETHTOOL_GSET 0x00000001 /* DEPRECATED, Get settings.
-@@ -1521,7 +1529,7 @@ enum ethtool_link_mode_bit_indices {
- ETHTOOL_LINK_MODE_400000baseLR8_ER8_FR8_Full_BIT = 71,
- ETHTOOL_LINK_MODE_400000baseDR8_Full_BIT = 72,
- ETHTOOL_LINK_MODE_400000baseCR8_Full_BIT = 73,
--
-+ ETHTOOL_LINK_MODE_FEC_LLRS_BIT = 74,
- /* must be last entry */
- __ETHTOOL_LINK_MODE_MASK_NBITS
- };
-diff --git a/include/standard-headers/linux/input-event-codes.h b/include/standard-headers/linux/input-event-codes.h
-index b484c252897fd1183f30249987e4..ebf72c10317b48bb9dc151f20a5b 100644
---- a/include/standard-headers/linux/input-event-codes.h
-+++ b/include/standard-headers/linux/input-event-codes.h
-@@ -1,4 +1,4 @@
--/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
-+/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */
- /*
- * Input event codes
- *
-@@ -652,6 +652,9 @@
- /* Electronic privacy screen control */
- #define KEY_PRIVACY_SCREEN_TOGGLE 0x279
-
-+/* Select an area of screen to be copied */
-+#define KEY_SELECTIVE_SCREENSHOT 0x27a
-+
- /*
- * Some keyboards have keys which do not have a defined meaning, these keys
- * are intended to be programmed / bound to macros by the user. For most
-diff --git a/include/standard-headers/linux/pci_regs.h b/include/standard-headers/linux/pci_regs.h
-index 5437690483cded0999edd48eb7d7..f9701410d3b52b7cfc549c50f08a 100644
---- a/include/standard-headers/linux/pci_regs.h
-+++ b/include/standard-headers/linux/pci_regs.h
-@@ -605,6 +605,7 @@
- #define PCI_EXP_SLTCTL_PWR_OFF 0x0400 /* Power Off */
- #define PCI_EXP_SLTCTL_EIC 0x0800 /* Electromechanical Interlock Control */
- #define PCI_EXP_SLTCTL_DLLSCE 0x1000 /* Data Link Layer State Changed Enable */
-+#define PCI_EXP_SLTCTL_IBPD_DISABLE 0x4000 /* In-band PD disable */
- #define PCI_EXP_SLTSTA 26 /* Slot Status */
- #define PCI_EXP_SLTSTA_ABP 0x0001 /* Attention Button Pressed */
- #define PCI_EXP_SLTSTA_PFD 0x0002 /* Power Fault Detected */
-@@ -680,6 +681,7 @@
- #define PCI_EXP_LNKSTA2 50 /* Link Status 2 */
- #define PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 52 /* v2 endpoints with link end here */
- #define PCI_EXP_SLTCAP2 52 /* Slot Capabilities 2 */
-+#define PCI_EXP_SLTCAP2_IBPD 0x00000001 /* In-band PD Disable Supported */
- #define PCI_EXP_SLTCTL2 56 /* Slot Control 2 */
- #define PCI_EXP_SLTSTA2 58 /* Slot Status 2 */
-
-diff --git a/include/standard-headers/linux/vhost_types.h b/include/standard-headers/linux/vhost_types.h
-index 5351fe172d7e6de44a168ad9444c..a678d8fbaa92717b2a60329796f6 100644
---- a/include/standard-headers/linux/vhost_types.h
-+++ b/include/standard-headers/linux/vhost_types.h
-@@ -119,6 +119,14 @@ struct vhost_scsi_target {
- unsigned short reserved;
- };
-
-+/* VHOST_VDPA specific definitions */
-+
-+struct vhost_vdpa_config {
-+ uint32_t off;
-+ uint32_t len;
-+ uint8_t buf[0];
-+};
-+
- /* Feature bits */
- /* Log all write descriptors. Can be changed while device is active. */
- #define VHOST_F_LOG_ALL 26
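Review bot: struct vhost_vdpa_config carries off and len with a trailing buf[0] and no documented limits. Please add field comments stating what off and len are relative to, because the code that fills or consumes buf has to check off + len for overflow and against the device config size before copying. buf[0] is also a zero-length array, while the later virtio_net.h additions in this same patch use the flexible form (hash_key_data[]); using one style consistently would be preferable.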
-diff --git a/include/standard-headers/linux/virtio_balloon.h b/include/standard-headers/linux/virtio_balloon.h
-index 9375ca2a70deba201d3139a40e0e..f343bfefd82c3a3776472980faee 100644
---- a/include/standard-headers/linux/virtio_balloon.h
-+++ b/include/standard-headers/linux/virtio_balloon.h
-@@ -36,6 +36,7 @@
- #define VIRTIO_BALLOON_F_DEFLATE_ON_OOM 2 /* Deflate balloon on OOM */
- #define VIRTIO_BALLOON_F_FREE_PAGE_HINT 3 /* VQ to report free pages */
- #define VIRTIO_BALLOON_F_PAGE_POISON 4 /* Guest is using page poisoning */
-+#define VIRTIO_BALLOON_F_REPORTING 5 /* Page reporting virtqueue */
-
- /* Size of a PFN in the balloon interface. */
- #define VIRTIO_BALLOON_PFN_SHIFT 12
-@@ -47,8 +48,15 @@ struct virtio_balloon_config {
- uint32_t num_pages;
- /* Number of pages we've actually got in balloon. */
- uint32_t actual;
-- /* Free page report command id, readonly by guest */
-- uint32_t free_page_report_cmd_id;
-+ /*
-+ * Free page hint command id, readonly by guest.
-+ * Was previously named free_page_report_cmd_id so we
-+ * need to carry that name for legacy support.
-+ */
-+ union {
-+ uint32_t free_page_hint_cmd_id;
-+ uint32_t free_page_report_cmd_id; /* deprecated */
-+ };
- /* Stores PAGE_POISON if page poisoning is in use */
- uint32_t poison_val;
- };
-diff --git a/include/standard-headers/linux/virtio_ids.h b/include/standard-headers/linux/virtio_ids.h
-index 585e07b273335b8e406827eed4e5..ecc27a17401a76b8ae8a907859d1 100644
---- a/include/standard-headers/linux/virtio_ids.h
-+++ b/include/standard-headers/linux/virtio_ids.h
-@@ -46,5 +46,6 @@
- #define VIRTIO_ID_IOMMU 23 /* virtio IOMMU */
- #define VIRTIO_ID_FS 26 /* virtio filesystem */
- #define VIRTIO_ID_PMEM 27 /* virtio pmem */
-+#define VIRTIO_ID_MAC80211_HWSIM 29 /* virtio mac80211-hwsim */
-
- #endif /* _LINUX_VIRTIO_IDS_H */
-diff --git a/include/standard-headers/linux/virtio_net.h b/include/standard-headers/linux/virtio_net.h
-index 260c3681d70d5eacca595764a8a6..a90f79e1b17a9228353eac109f55 100644
---- a/include/standard-headers/linux/virtio_net.h
-+++ b/include/standard-headers/linux/virtio_net.h
-@@ -57,6 +57,9 @@
- * Steering */
- #define VIRTIO_NET_F_CTRL_MAC_ADDR 23 /* Set MAC address */
-
-+#define VIRTIO_NET_F_HASH_REPORT 57 /* Supports hash report */
-+#define VIRTIO_NET_F_RSS 60 /* Supports RSS RX steering */
-+#define VIRTIO_NET_F_RSC_EXT 61 /* extended coalescing info */
- #define VIRTIO_NET_F_STANDBY 62 /* Act as standby for another device
- * with the same MAC.
- */
-@@ -69,6 +72,17 @@
- #define VIRTIO_NET_S_LINK_UP 1 /* Link is up */
- #define VIRTIO_NET_S_ANNOUNCE 2 /* Announcement is needed */
-
-+/* supported/enabled hash types */
-+#define VIRTIO_NET_RSS_HASH_TYPE_IPv4 (1 << 0)
-+#define VIRTIO_NET_RSS_HASH_TYPE_TCPv4 (1 << 1)
-+#define VIRTIO_NET_RSS_HASH_TYPE_UDPv4 (1 << 2)
-+#define VIRTIO_NET_RSS_HASH_TYPE_IPv6 (1 << 3)
-+#define VIRTIO_NET_RSS_HASH_TYPE_TCPv6 (1 << 4)
-+#define VIRTIO_NET_RSS_HASH_TYPE_UDPv6 (1 << 5)
-+#define VIRTIO_NET_RSS_HASH_TYPE_IP_EX (1 << 6)
-+#define VIRTIO_NET_RSS_HASH_TYPE_TCP_EX (1 << 7)
-+#define VIRTIO_NET_RSS_HASH_TYPE_UDP_EX (1 << 8)
-+
- struct virtio_net_config {
- /* The config defining mac address (if VIRTIO_NET_F_MAC) */
- uint8_t mac[ETH_ALEN];
-@@ -92,6 +106,12 @@ struct virtio_net_config {
- * Any other value stands for unknown.
- */
- uint8_t duplex;
-+ /* maximum size of RSS key */
-+ uint8_t rss_max_key_size;
-+ /* maximum number of indirection table entries */
-+ uint16_t rss_max_indirection_table_length;
-+ /* bitmask of supported VIRTIO_NET_RSS_HASH_ types */
-+ uint32_t supported_hash_types;
- } QEMU_PACKED;
-
- /*
-@@ -104,6 +124,7 @@ struct virtio_net_config {
- struct virtio_net_hdr_v1 {
- #define VIRTIO_NET_HDR_F_NEEDS_CSUM 1 /* Use csum_start, csum_offset */
- #define VIRTIO_NET_HDR_F_DATA_VALID 2 /* Csum is valid */
-+#define VIRTIO_NET_HDR_F_RSC_INFO 4 /* rsc info in csum_ fields */
- uint8_t flags;
- #define VIRTIO_NET_HDR_GSO_NONE 0 /* Not a GSO frame */
- #define VIRTIO_NET_HDR_GSO_TCPV4 1 /* GSO frame, IPv4 TCP (TSO) */
-@@ -113,11 +134,46 @@ struct virtio_net_hdr_v1 {
- uint8_t gso_type;
- __virtio16 hdr_len; /* Ethernet + IP + tcp/udp hdrs */
- __virtio16 gso_size; /* Bytes to append to hdr_len per frame */
-- __virtio16 csum_start; /* Position to start checksumming from */
-- __virtio16 csum_offset; /* Offset after that to place checksum */
-+ union {
-+ struct {
-+ __virtio16 csum_start;
-+ __virtio16 csum_offset;
-+ };
-+ /* Checksum calculation */
-+ struct {
-+ /* Position to start checksumming from */
-+ __virtio16 start;
-+ /* Offset after that to place checksum */
-+ __virtio16 offset;
-+ } csum;
-+ /* Receive Segment Coalescing */
-+ struct {
-+ /* Number of coalesced segments */
-+ uint16_t segments;
-+ /* Number of duplicated acks */
-+ uint16_t dup_acks;
-+ } rsc;
-+ };
- __virtio16 num_buffers; /* Number of merged rx buffers */
- };
-
-+struct virtio_net_hdr_v1_hash {
-+ struct virtio_net_hdr_v1 hdr;
-+ uint32_t hash_value;
-+#define VIRTIO_NET_HASH_REPORT_NONE 0
-+#define VIRTIO_NET_HASH_REPORT_IPv4 1
-+#define VIRTIO_NET_HASH_REPORT_TCPv4 2
-+#define VIRTIO_NET_HASH_REPORT_UDPv4 3
-+#define VIRTIO_NET_HASH_REPORT_IPv6 4
-+#define VIRTIO_NET_HASH_REPORT_TCPv6 5
-+#define VIRTIO_NET_HASH_REPORT_UDPv6 6
-+#define VIRTIO_NET_HASH_REPORT_IPv6_EX 7
-+#define VIRTIO_NET_HASH_REPORT_TCPv6_EX 8
-+#define VIRTIO_NET_HASH_REPORT_UDPv6_EX 9
-+ uint16_t hash_report;
-+ uint16_t padding;
-+};
-+
- #ifndef VIRTIO_NET_NO_LEGACY
- /* This header comes first in the scatter-gather list.
- * For legacy virtio, if VIRTIO_F_ANY_LAYOUT is not negotiated, it must
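Review bot: in the new union in virtio_net_hdr_v1, the rsc members segments and dup_acks are declared uint16_t while the csum members they overlay are __virtio16. hash_value and hash_report in virtio_net_hdr_v1_hash are likewise plain uint32_t and uint16_t. That leaves the byte order of these fields unstated in a header whose other wire fields are explicitly typed, so either use the __virtio types or document the endianness. The first anonymous struct (csum_start, csum_offset) also lost the per-field comments that the removed lines had.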
-@@ -228,7 +284,9 @@ struct virtio_net_ctrl_mac {
-
- /*
- * Control Receive Flow Steering
-- *
-+ */
-+#define VIRTIO_NET_CTRL_MQ 4
-+/*
- * The command VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET
- * enables Receive Flow Steering, specifying the number of the transmit and
- * receive queues that will be used. After the command is consumed and acked by
-@@ -241,11 +299,47 @@ struct virtio_net_ctrl_mq {
- __virtio16 virtqueue_pairs;
- };
-
--#define VIRTIO_NET_CTRL_MQ 4
- #define VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET 0
- #define VIRTIO_NET_CTRL_MQ_VQ_PAIRS_MIN 1
- #define VIRTIO_NET_CTRL_MQ_VQ_PAIRS_MAX 0x8000
-
-+/*
-+ * The command VIRTIO_NET_CTRL_MQ_RSS_CONFIG has the same effect as
-+ * VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET does and additionally configures
-+ * the receive steering to use a hash calculated for incoming packet
-+ * to decide on receive virtqueue to place the packet. The command
-+ * also provides parameters to calculate a hash and receive virtqueue.
-+ */
-+struct virtio_net_rss_config {
-+ uint32_t hash_types;
-+ uint16_t indirection_table_mask;
-+ uint16_t unclassified_queue;
-+ uint16_t indirection_table[1/* + indirection_table_mask */];
-+ uint16_t max_tx_vq;
-+ uint8_t hash_key_length;
-+ uint8_t hash_key_data[/* hash_key_length */];
-+};
-+
-+ #define VIRTIO_NET_CTRL_MQ_RSS_CONFIG 1
-+
-+/*
-+ * The command VIRTIO_NET_CTRL_MQ_HASH_CONFIG requests the device
-+ * to include in the virtio header of the packet the value of the
-+ * calculated hash and the report type of hash. It also provides
-+ * parameters for hash calculation. The command requires feature
-+ * VIRTIO_NET_F_HASH_REPORT to be negotiated to extend the
-+ * layout of virtio header as defined in virtio_net_hdr_v1_hash.
-+ */
-+struct virtio_net_hash_config {
-+ uint32_t hash_types;
-+ /* for compatibility with virtio_net_rss_config */
-+ uint16_t reserved[4];
-+ uint8_t hash_key_length;
-+ uint8_t hash_key_data[/* hash_key_length */];
-+};
-+
-+ #define VIRTIO_NET_CTRL_MQ_HASH_CONFIG 2
-+
- /*
- * Control network offloads
- *
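Review bot: struct virtio_net_rss_config cannot be used as a C layout past 'indirection_table', because max_tx_vq, hash_key_length and hash_key_data follow an array whose real length is indirection_table_mask + 1, not the 1 that is declared. Please state next to the struct that it only documents the wire format, and make sure the code that parses the command computes the offsets of the trailing fields from indirection_table_mask and hash_key_length and checks both against the size of the buffer the guest supplied before reading them. The two new #define lines for VIRTIO_NET_CTRL_MQ_RSS_CONFIG and VIRTIO_NET_CTRL_MQ_HASH_CONFIG also carry a stray leading space.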
-diff --git a/linux-headers/COPYING b/linux-headers/COPYING
-index da4cb28febe66172a9fdf1a23552..a635a38ef9405fdfcfe97f3a4353 100644
---- a/linux-headers/COPYING
-+++ b/linux-headers/COPYING
-@@ -16,3 +16,5 @@ In addition, other licenses may also apply. Please see:
- Documentation/process/license-rules.rst
-
- for more details.
-+
-+All contributions to the Linux Kernel are subject to this COPYING file.
-diff --git a/linux-headers/asm-x86/kvm.h b/linux-headers/asm-x86/kvm.h
-index 503d3f42da1676791d2c4f4a70bf..3f3f780c8c6500e1a1ea52bc0585 100644
---- a/linux-headers/asm-x86/kvm.h
-+++ b/linux-headers/asm-x86/kvm.h
-@@ -390,6 +390,7 @@ struct kvm_sync_regs {
- #define KVM_STATE_NESTED_GUEST_MODE 0x00000001
- #define KVM_STATE_NESTED_RUN_PENDING 0x00000002
- #define KVM_STATE_NESTED_EVMCS 0x00000004
-+#define KVM_STATE_NESTED_MTF_PENDING 0x00000008
-
- #define KVM_STATE_NESTED_SMM_GUEST_MODE 0x00000001
- #define KVM_STATE_NESTED_SMM_VMXON 0x00000002
-diff --git a/linux-headers/asm-x86/unistd_32.h b/linux-headers/asm-x86/unistd_32.h
-index f6e06fcfbdcf796df4336b83fe33..1e6c1a586776181a3caba2bbba1f 100644
---- a/linux-headers/asm-x86/unistd_32.h
-+++ b/linux-headers/asm-x86/unistd_32.h
-@@ -429,4 +429,5 @@
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
-
-+
- #endif /* _ASM_X86_UNISTD_32_H */
-diff --git a/linux-headers/asm-x86/unistd_64.h b/linux-headers/asm-x86/unistd_64.h
-index 924f826d2d48396621ab67c66942..6daf0aecb2984b846595f8f3ea6e 100644
---- a/linux-headers/asm-x86/unistd_64.h
-+++ b/linux-headers/asm-x86/unistd_64.h
-@@ -351,4 +351,5 @@
- #define __NR_openat2 437
- #define __NR_pidfd_getfd 438
-
-+
- #endif /* _ASM_X86_UNISTD_64_H */
-diff --git a/linux-headers/asm-x86/unistd_x32.h b/linux-headers/asm-x86/unistd_x32.h
-index 010307757b1bb935299af66e88a3..e3f17ef370fcfd16d26ea2709d16 100644
---- a/linux-headers/asm-x86/unistd_x32.h
-+++ b/linux-headers/asm-x86/unistd_x32.h
-@@ -340,4 +340,5 @@
- #define __NR_preadv2 (__X32_SYSCALL_BIT + 546)
- #define __NR_pwritev2 (__X32_SYSCALL_BIT + 547)
-
-+
- #endif /* _ASM_X86_UNISTD_X32_H */
-diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
-index 9d647fad7648ede158cd9605270e..a56559baa0bbe2823d1d96d652dc 100644
---- a/linux-headers/linux/kvm.h
-+++ b/linux-headers/linux/kvm.h
-@@ -1009,6 +1009,8 @@ struct kvm_ppc_resize_hpt {
- #define KVM_CAP_PPC_GUEST_DEBUG_SSTEP 176
- #define KVM_CAP_ARM_NISV_TO_USER 177
- #define KVM_CAP_ARM_INJECT_EXT_DABT 178
-+#define KVM_CAP_S390_PROTECTED 180
-+#define KVM_CAP_PPC_SECURE_GUEST 181
-
- #ifdef KVM_CAP_IRQ_ROUTING
-
-@@ -1623,4 +1625,7 @@ struct kvm_hyperv_eventfd {
- #define KVM_HYPERV_CONN_ID_MASK 0x00ffffff
- #define KVM_HYPERV_EVENTFD_DEASSIGN (1 << 0)
-
-+#define KVM_DIRTY_LOG_MANUAL_PROTECT_ENABLE (1 << 0)
-+#define KVM_DIRTY_LOG_INITIALLY_SET (1 << 1)
-+
- #endif /* __LINUX_KVM_H */
-diff --git a/linux-headers/linux/mman.h b/linux-headers/linux/mman.h
-index 1f6e2cd89ccb97b7a790133f9a82..51ea363759f021d964e23440cd82 100644
---- a/linux-headers/linux/mman.h
-+++ b/linux-headers/linux/mman.h
-@@ -5,8 +5,9 @@
- #include <asm/mman.h>
- #include <asm-generic/hugetlb_encode.h>
-
--#define MREMAP_MAYMOVE 1
--#define MREMAP_FIXED 2
-+#define MREMAP_MAYMOVE 1
-+#define MREMAP_FIXED 2
-+#define MREMAP_DONTUNMAP 4
-
- #define OVERCOMMIT_GUESS 0
- #define OVERCOMMIT_ALWAYS 1
-diff --git a/linux-headers/linux/userfaultfd.h b/linux-headers/linux/userfaultfd.h
-index ce78878d127e62968cd3139e5fd8..8d3996eb8285583ba11952bc85e5 100644
---- a/linux-headers/linux/userfaultfd.h
-+++ b/linux-headers/linux/userfaultfd.h
-@@ -19,7 +19,8 @@
- * means the userland is reading).
- */
- #define UFFD_API ((__u64)0xAA)
--#define UFFD_API_FEATURES (UFFD_FEATURE_EVENT_FORK | \
-+#define UFFD_API_FEATURES (UFFD_FEATURE_PAGEFAULT_FLAG_WP | \
-+ UFFD_FEATURE_EVENT_FORK | \
- UFFD_FEATURE_EVENT_REMAP | \
- UFFD_FEATURE_EVENT_REMOVE | \
- UFFD_FEATURE_EVENT_UNMAP | \
-@@ -34,7 +35,8 @@
- #define UFFD_API_RANGE_IOCTLS \
- ((__u64)1 << _UFFDIO_WAKE | \
- (__u64)1 << _UFFDIO_COPY | \
-- (__u64)1 << _UFFDIO_ZEROPAGE)
-+ (__u64)1 << _UFFDIO_ZEROPAGE | \
-+ (__u64)1 << _UFFDIO_WRITEPROTECT)
- #define UFFD_API_RANGE_IOCTLS_BASIC \
- ((__u64)1 << _UFFDIO_WAKE | \
- (__u64)1 << _UFFDIO_COPY)
-@@ -52,6 +54,7 @@
- #define _UFFDIO_WAKE (0x02)
- #define _UFFDIO_COPY (0x03)
- #define _UFFDIO_ZEROPAGE (0x04)
-+#define _UFFDIO_WRITEPROTECT (0x06)
- #define _UFFDIO_API (0x3F)
-
- /* userfaultfd ioctl ids */
-@@ -68,6 +71,8 @@
- struct uffdio_copy)
- #define UFFDIO_ZEROPAGE _IOWR(UFFDIO, _UFFDIO_ZEROPAGE, \
- struct uffdio_zeropage)
-+#define UFFDIO_WRITEPROTECT _IOWR(UFFDIO, _UFFDIO_WRITEPROTECT, \
-+ struct uffdio_writeprotect)
-
- /* read() structure */
- struct uffd_msg {
-@@ -203,13 +208,14 @@ struct uffdio_copy {
- __u64 dst;
- __u64 src;
- __u64 len;
-+#define UFFDIO_COPY_MODE_DONTWAKE ((__u64)1<<0)
- /*
-- * There will be a wrprotection flag later that allows to map
-- * pages wrprotected on the fly. And such a flag will be
-- * available if the wrprotection ioctl are implemented for the
-- * range according to the uffdio_register.ioctls.
-+ * UFFDIO_COPY_MODE_WP will map the page write protected on
-+ * the fly. UFFDIO_COPY_MODE_WP is available only if the
-+ * write protected ioctl is implemented for the range
-+ * according to the uffdio_register.ioctls.
- */
--#define UFFDIO_COPY_MODE_DONTWAKE ((__u64)1<<0)
-+#define UFFDIO_COPY_MODE_WP ((__u64)1<<1)
- __u64 mode;
-
- /*
-@@ -231,4 +237,24 @@ struct uffdio_zeropage {
- __s64 zeropage;
- };
-
-+struct uffdio_writeprotect {
-+ struct uffdio_range range;
-+/*
-+ * UFFDIO_WRITEPROTECT_MODE_WP: set the flag to write protect a range,
-+ * unset the flag to undo protection of a range which was previously
-+ * write protected.
-+ *
-+ * UFFDIO_WRITEPROTECT_MODE_DONTWAKE: set the flag to avoid waking up
-+ * any wait thread after the operation succeeds.
-+ *
-+ * NOTE: Write protecting a region (WP=1) is unrelated to page faults,
-+ * therefore DONTWAKE flag is meaningless with WP=1. Removing write
-+ * protection (WP=0) in response to a page fault wakes the faulting
-+ * task unless DONTWAKE is set.
-+ */
-+#define UFFDIO_WRITEPROTECT_MODE_WP ((__u64)1<<0)
-+#define UFFDIO_WRITEPROTECT_MODE_DONTWAKE ((__u64)1<<1)
-+ __u64 mode;
-+};
-+
- #endif /* _LINUX_USERFAULTFD_H */
-diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h
-index fb10370d2928e0a26934bd02bc64..a41c45286511f083878c06b60d71 100644
---- a/linux-headers/linux/vfio.h
-+++ b/linux-headers/linux/vfio.h
-@@ -707,6 +707,43 @@ struct vfio_device_ioeventfd {
-
- #define VFIO_DEVICE_IOEVENTFD _IO(VFIO_TYPE, VFIO_BASE + 16)
-
-+/**
-+ * VFIO_DEVICE_FEATURE - _IORW(VFIO_TYPE, VFIO_BASE + 17,
-+ * struct vfio_device_feature)
-+ *
-+ * Get, set, or probe feature data of the device. The feature is selected
-+ * using the FEATURE_MASK portion of the flags field. Support for a feature
-+ * can be probed by setting both the FEATURE_MASK and PROBE bits. A probe
-+ * may optionally include the GET and/or SET bits to determine read vs write
-+ * access of the feature respectively. Probing a feature will return success
-+ * if the feature is supported and all of the optionally indicated GET/SET
-+ * methods are supported. The format of the data portion of the structure is
-+ * specific to the given feature. The data portion is not required for
-+ * probing. GET and SET are mutually exclusive, except for use with PROBE.
-+ *
-+ * Return 0 on success, -errno on failure.
-+ */
-+struct vfio_device_feature {
-+ __u32 argsz;
-+ __u32 flags;
-+#define VFIO_DEVICE_FEATURE_MASK (0xffff) /* 16-bit feature index */
-+#define VFIO_DEVICE_FEATURE_GET (1 << 16) /* Get feature into data[] */
-+#define VFIO_DEVICE_FEATURE_SET (1 << 17) /* Set feature from data[] */
-+#define VFIO_DEVICE_FEATURE_PROBE (1 << 18) /* Probe feature support */
-+ __u8 data[];
-+};
-+
-+#define VFIO_DEVICE_FEATURE _IO(VFIO_TYPE, VFIO_BASE + 17)
-+
-+/*
-+ * Provide support for setting a PCI VF Token, which is used as a shared
-+ * secret between PF and VF drivers. This feature may only be set on a
-+ * PCI SR-IOV PF when SR-IOV is enabled on the PF and there are no existing
-+ * open VFs. Data provided when setting this feature is a 16-byte array
-+ * (__u8 b[16]), representing a UUID.
-+ */
-+#define VFIO_DEVICE_FEATURE_PCI_VF_TOKEN (0)
-+
- /* -------- API for Type1 VFIO IOMMU -------- */
-
- /**
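Review bot: the doc comment above struct vfio_device_feature describes the ioctl as _IORW(VFIO_TYPE, VFIO_BASE + 17, struct vfio_device_feature), but the define below it is _IO(VFIO_TYPE, VFIO_BASE + 17), and _IORW is not one of the ioctl encoding macros (the read-write one is _IOWR). VFIO_DEVICE_IOEVENTFD in the context lines uses _IO as well, so the comment is the half that looks wrong. Since this file is a copy of the kernel header, the mismatch should be corrected upstream and picked up by the next header sync rather than edited here.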
-diff --git a/linux-headers/linux/vhost.h b/linux-headers/linux/vhost.h
-index 40d028eed645954cbc3e4699aa2c..9fe72e4b1373165d7a7aeff61410 100644
---- a/linux-headers/linux/vhost.h
-+++ b/linux-headers/linux/vhost.h
-@@ -116,4 +116,28 @@
- #define VHOST_VSOCK_SET_GUEST_CID _IOW(VHOST_VIRTIO, 0x60, __u64)
- #define VHOST_VSOCK_SET_RUNNING _IOW(VHOST_VIRTIO, 0x61, int)
-
-+/* VHOST_VDPA specific defines */
-+
-+/* Get the device id. The device ids follow the same definition of
-+ * the device id defined in virtio-spec.
-+ */
-+#define VHOST_VDPA_GET_DEVICE_ID _IOR(VHOST_VIRTIO, 0x70, __u32)
-+/* Get and set the status. The status bits follow the same definition
-+ * of the device status defined in virtio-spec.
-+ */
-+#define VHOST_VDPA_GET_STATUS _IOR(VHOST_VIRTIO, 0x71, __u8)
-+#define VHOST_VDPA_SET_STATUS _IOW(VHOST_VIRTIO, 0x72, __u8)
-+/* Get and set the device config. The device config follows the same
-+ * definition of the device config defined in virtio-spec.
-+ */
-+#define VHOST_VDPA_GET_CONFIG _IOR(VHOST_VIRTIO, 0x73, \
-+ struct vhost_vdpa_config)
-+#define VHOST_VDPA_SET_CONFIG _IOW(VHOST_VIRTIO, 0x74, \
-+ struct vhost_vdpa_config)
-+/* Enable/disable the ring. */
-+#define VHOST_VDPA_SET_VRING_ENABLE _IOW(VHOST_VIRTIO, 0x75, \
-+ struct vhost_vring_state)
-+/* Get the max ring size. */
-+#define VHOST_VDPA_GET_VRING_NUM _IOR(VHOST_VIRTIO, 0x76, __u16)
-+
- #endif
+++ /dev/null
-From: Alexander Graf <agraf@suse.de>
-Date: Mon, 23 Jul 2012 10:24:14 +0200
-Subject: linux-user: Fake /proc/cpuinfo
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fedora 17 for ARM reads /proc/cpuinfo and fails if it doesn't contain
-ARM related contents. This patch implements a quick hack to expose real
-/proc/cpuinfo data taken from a real world machine.
-
-The real fix would be to generate at least the flags automatically based
-on the selected CPU. Please do not submit this patch upstream until this
-has happened.
-
-Signed-off-by: Alexander Graf <agraf@suse.de>
-[AF: Rebased for v1.6 and v1.7]
-Signed-off-by: Andreas Färber <afaerber@suse.de>
----
- linux-user/syscall.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 57be4c98555e50f2263811cd11f4..243ec2a1e3bde8e6b3ac48989554 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -7068,6 +7068,27 @@ static int open_self_stat(void *cpu_env, int fd)
- return 0;
- }
-
-+#if defined(TARGET_ARM)
-+static int open_cpuinfo(void *cpu_env, int fd)
-+{
-+ dprintf(fd,
-+"Processor : ARMv7 Processor rev 5 (v7l)\n"
-+"BogoMIPS : 799.53\n"
-+"Features : swp half thumb fastmult vfp edsp thumbee neon vfpv3\n"
-+"CPU implementer : 0x41\n"
-+"CPU architecture: 7\n"
-+"CPU variant : 0x2\n"
-+"CPU part : 0xc08\n"
-+"CPU revision : 5\n"
-+"\n"
-+"Hardware : Genesi Efika MX (Smarttop)\n"
-+"Revision : 51030\n"
-+"Serial : 0000000000000000\n");
-+
-+ return 0;
-+}
-+#endif
-+
- static int open_self_auxv(void *cpu_env, int fd)
- {
- CPUState *cpu = env_cpu((CPUArchState *)cpu_env);
-@@ -7210,6 +7231,9 @@ static int do_openat(void *cpu_env, int dirfd, const char *pathname, int flags,
- #if defined(TARGET_SPARC)
- { "/proc/cpuinfo", open_cpuinfo, is_proc },
- #endif
-+#if defined(TARGET_ARM)
-+ { "cpuinfo", open_cpuinfo, is_proc_myself },
-+#endif
- #if defined(TARGET_M68K)
- { "/proc/hardware", open_hardware, is_proc },
- #endif
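Review bot: the new ARM entry in the table in do_openat is { "cpuinfo", open_cpuinfo, is_proc_myself }, while the SPARC entry directly above it uses { "/proc/cpuinfo", open_cpuinfo, is_proc }. The commit message says the goal is to fake /proc/cpuinfo, so unless the relative name with is_proc_myself is intentional, the ARM entry should use the same absolute path and comparator as its neighbours; if it is intentional, please add a comment explaining which path it is meant to match.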
+++ /dev/null
-From: Alexander Graf <agraf@suse.de>
-Date: Fri, 30 Sep 2011 19:40:36 +0200
-Subject: linux-user: add binfmt wrapper for argv[0] handling
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When using qemu's linux-user binaries through binfmt, argv[0] gets lost
-along the execution because qemu only gets passed in the full file name
-to the executable while argv[0] can be something completely different.
-
-This breaks in some subtle situations, such as the grep and make test
-suites.
-
-This patch adds a wrapper binary called qemu-$TARGET-binfmt that can be
-used with binfmt's P flag which passes the full path _and_ argv[0] to
-the binfmt handler.
-
-The binary would be smart enough to be versatile and only exist in the
-system once, creating the qemu binary path names from its own argv[0].
-However, this seemed like it didn't fit the make system too well, so
-we're currently creating a new binary for each target architecture.
-
-CC: Reinhard Max <max@suse.de>
-Signed-off-by: Alexander Graf <agraf@suse.de>
-[AF: Rebased onto new Makefile infrastructure, twice]
-[AF: Updated for aarch64 for v2.0.0-rc1]
-[AF: Rebased onto Makefile changes for v2.1.0-rc0]
-[AF: Rebased onto script rewrite for v2.7.0-rc2 - to be fixed]
-Signed-off-by: Andreas Färber <afaerber@suse.de>
----
- Makefile.target | 13 +++++++++++++
- linux-user/Makefile.objs | 2 ++
- linux-user/binfmt.c | 42 ++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 57 insertions(+)
-
-diff --git a/Makefile.target b/Makefile.target
-index 24d79d26ebd00034bd97309fe5a7..1e9600834a25544063c313eba92a 100644
---- a/Makefile.target
-+++ b/Makefile.target
-@@ -39,6 +39,10 @@ endif
- PROGS=$(QEMU_PROG) $(QEMU_PROGW)
- STPFILES=
-
-+ifdef CONFIG_LINUX_USER
-+PROGS+=$(QEMU_PROG)-binfmt
-+endif
-+
- config-target.h: config-target.h-timestamp
- config-target.h-timestamp: config-target.mak
-
-@@ -133,6 +137,8 @@ QEMU_CFLAGS+=-I$(SRC_PATH)/linux-user/$(TARGET_ABI_DIR) \
- obj-y += linux-user/
- obj-y += gdbstub.o thunk.o
-
-+obj-binfmt-y += linux-user/
-+
- endif #CONFIG_LINUX_USER
-
- #########################################################
-@@ -174,7 +180,11 @@ generated-files-y += config-devices.h
-
- endif # CONFIG_SOFTMMU
-
-+ifdef CONFIG_LINUX_USER
-+dummy := $(call unnest-vars,,obj-y obj-binfmt-y)
-+else
- dummy := $(call unnest-vars,,obj-y)
-+endif
- all-obj-y := $(obj-y)
-
- include $(SRC_PATH)/Makefile.objs
-@@ -211,6 +221,9 @@ ifdef CONFIG_DARWIN
- $(call quiet-command,SetFile -a C $@,"SETFILE","$(TARGET_DIR)$@")
- endif
-
-+$(QEMU_PROG)-binfmt: $(obj-binfmt-y)
-+ $(call LINK,$^)
-+
- gdbstub-xml.c: $(TARGET_XML_FILES) $(SRC_PATH)/scripts/feature_to_c.sh
- $(call quiet-command,rm -f $@ && $(SHELL) $(SRC_PATH)/scripts/feature_to_c.sh $@ $(TARGET_XML_FILES),"GEN","$(TARGET_DIR)$@")
-
-diff --git a/linux-user/Makefile.objs b/linux-user/Makefile.objs
-index d2f33beb5e52efce6adc7fb85b7f..ffc6b095e253d4c448000a974d4d 100644
---- a/linux-user/Makefile.objs
-+++ b/linux-user/Makefile.objs
-@@ -8,3 +8,5 @@ obj-$(TARGET_I386) += vm86.o
- obj-$(TARGET_ARM) += arm/nwfpe/
- obj-$(TARGET_ARM) += arm/semihost.o
- obj-$(TARGET_AARCH64) += arm/semihost.o
-+
-+obj-binfmt-y = binfmt.o
-diff --git a/linux-user/binfmt.c b/linux-user/binfmt.c
-new file mode 100644
-index 0000000000000000000000000000000000000000..cd1f513b334f3b263d9e4b5adb1981e376429fa6
---- /dev/null
-+++ b/linux-user/binfmt.c
-@@ -0,0 +1,42 @@
-+#include <stdio.h>
-+#include <stdarg.h>
-+#include <unistd.h>
-+#include <libgen.h>
-+#include <string.h>
-+#include <stdlib.h>
-+
-+
-+int main(int argc, char **argv, char **envp)
-+{
-+ char *binfmt;
-+ char **new_argv;
-+
-+ /*
-+ * Check if our file name ends with -binfmt
-+ */
-+ binfmt = argv[0] + strlen(argv[0]) - strlen("-binfmt");
-+ if (strcmp(binfmt, "-binfmt")) {
-+ fprintf(stderr, "%s: Invalid executable name\n", argv[0]);
-+ exit(1);
-+ }
-+ if (argc < 3) {
-+ fprintf(stderr, "%s: Please use me through binfmt with P flag\n",
-+ argv[0]);
-+ exit(1);
-+ }
-+
-+ binfmt[0] = '\0';
-+ /* Now argv[0] is the real qemu binary name */
-+
-+ new_argv = (char **)malloc((argc + 2) * sizeof(*new_argv));
-+ if (argc > 3) {
-+ memcpy(&new_argv[4], &argv[3], (argc - 3) * sizeof(*new_argv));
-+ }
-+ new_argv[0] = argv[0];
-+ new_argv[1] = (char *)"-0";
-+ new_argv[2] = argv[2];
-+ new_argv[3] = argv[1];
-+ new_argv[argc + 1] = NULL;
-+
-+ return execve(new_argv[0], new_argv, envp);
-+}
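Review bot: in main, binfmt = argv[0] + strlen(argv[0]) - strlen("-binfmt") is computed before any length check, so an argv[0] shorter than seven characters puts the pointer before the start of the string and the following strcmp reads out of bounds; argv[0] is also used without first checking that argc is at least 1. Compare the lengths first and fail with the existing "Invalid executable name" message when the name is too short. The result of malloc for new_argv is used unchecked as well, and the shuffle into new_argv[1] to new_argv[3] would benefit from a comment stating the argument order that the binfmt P flag delivers.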
+++ /dev/null
-From: Alexander Graf <agraf@suse.de>
-Date: Thu, 2 Feb 2012 18:02:33 +0100
-Subject: linux-user: binfmt: support host binaries
-
-When we have a working host binary equivalent for the guest binary we're
-trying to run, let's just use that instead as it will be a lot faster.
-
-Signed-off-by: Alexander Graf <agraf@suse.de>
----
- linux-user/binfmt.c | 26 ++++++++++++++++++++++++++
- 1 file changed, 26 insertions(+)
-
-diff --git a/linux-user/binfmt.c b/linux-user/binfmt.c
-index cd1f513b334f3b263d9e4b5adb19..458f136fb41727702854cae4e542 100644
---- a/linux-user/binfmt.c
-+++ b/linux-user/binfmt.c
-@@ -5,6 +5,9 @@
- #include <string.h>
- #include <stdlib.h>
-
-+#ifdef __x86_64__
-+#define ARCH_NAME "x86_64"
-+#endif
-
- int main(int argc, char **argv, char **envp)
- {
-@@ -28,6 +31,29 @@ int main(int argc, char **argv, char **envp)
- binfmt[0] = '\0';
- /* Now argv[0] is the real qemu binary name */
-
-+#ifdef ARCH_NAME
-+ {
-+ char *hostbin;
-+ char *guestarch;
-+ int r;
-+
-+ guestarch = strrchr(argv[0], '-') ;
-+ if (!guestarch) {
-+ goto skip;
-+ }
-+ guestarch++;
-+ r = asprintf(&hostbin, "/emul/" ARCH_NAME "-for-%s/%s", guestarch, argv[1]);
-+ if ((r > 0) && !access(hostbin, X_OK)) {
-+ /*
-+ * We found a host binary replacement for the non-host binary. Let's
-+ * use that instead!
-+ */
-+ return execve(hostbin, &argv[2], envp);
-+ }
-+ }
-+skip:
-+#endif
-+
- new_argv = (char **)malloc((argc + 2) * sizeof(*new_argv));
- if (argc > 3) {
- memcpy(&new_argv[4], &argv[3], (argc - 3) * sizeof(*new_argv));
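Review bot: the asprintf call builds hostbin from argv[1] without any validation, so the "/emul/" ARCH_NAME "-for-%s/" prefix only constrains the result if argv[1] contains no ".." components. Please canonicalise the path (realpath, for example) and confirm it still lies under the intended directory before the execve. The access(hostbin, X_OK) test followed by execve is a check-then-use pair that can disagree; calling execve directly and falling through to the qemu path on failure is simpler. hostbin is not freed on the fall-through path, and asprintf needs _GNU_SOURCE to be defined before the includes unless the build flags already do that.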
+++ /dev/null
-From: Alexander Graf <agraf@suse.de>
-Date: Thu, 13 Dec 2012 14:29:22 +0100
-Subject: linux-user: lseek: explicitly cast non-set offsets to signed
-
-When doing lseek, SEEK_SET indicates that the offset is an unsigned variable.
-Other seek types have parameters that can be negative.
-
-When converting from 32bit to 64bit parameters, we need to take this into
-account and enable SEEK_END and SEEK_CUR to be negative, while SEEK_SET stays
-absolute positioned which we need to maintain as unsigned.
-
-Signed-off-by: Alexander Graf <agraf@suse.de>
----
- linux-user/syscall.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 61d976cca146a6deb2d74c95ec59..926a7dd587b39d0615cbbb077ef2 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -7729,8 +7729,13 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_ulong arg1,
- return ret;
- #endif
- #ifdef TARGET_NR_lseek
-- case TARGET_NR_lseek:
-- return get_errno(lseek(arg1, arg2, arg3));
-+ case TARGET_NR_lseek: {
-+ off_t off = arg2;
-+ if (arg3 != SEEK_SET) {
-+ off = (abi_long)arg2;
-+ }
-+ return get_errno(lseek(arg1, off, arg3));
-+ }
- #endif
- #if defined(TARGET_NR_getxpid) && defined(TARGET_ALPHA)
- /* Alpha specific */
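Review bot: the test arg3 != SEEK_SET sign-extends the offset for every other whence value, which is right for SEEK_CUR and SEEK_END but also catches SEEK_DATA and SEEK_HOLE, whose offsets are absolute file positions like SEEK_SET. If the intent is the one given in the commit message, name the relative modes explicitly (arg3 == SEEK_CUR || arg3 == SEEK_END) and add a one-line comment on why the cast to abi_long is needed with arg2 declared as abi_ulong.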
+++ /dev/null
-From: Andreas Schwab <schwab@linux-m68k.org>
-Date: Thu, 8 Sep 2016 11:21:05 +0200
-Subject: linux-user: properly test for infinite timeout in poll (#8)
-
-After "linux-user: use target_ulong" the poll syscall was no longer
-handling infinite timeout.
-
-/home/abuild/rpmbuild/BUILD/qemu-2.7.0-rc5/linux-user/syscall.c:9773:26: warning: comparison of unsigned expression >= 0 is always true [-Wtype-limits]
- if (arg3 >= 0) {
- ^~
-
-Signed-off-by: Andreas Schwab <schwab@suse.de>
----
- linux-user/syscall.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 926a7dd587b39d0615cbbb077ef2..9330a1ec6a15f16e4f7fd0f825c2 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -9758,7 +9758,7 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_ulong arg1,
- {
- struct timespec ts, *pts;
-
-- if (arg3 >= 0) {
-+ if ((abi_long)arg3 >= 0) {
- /* Convert ms to secs, ns */
- ts.tv_sec = arg3 / 1000;
- ts.tv_nsec = (arg3 % 1000) * 1000000LL;
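Review bot: the cast in (abi_long)arg3 >= 0 restores the sign test, but the timeout parameter of poll is an int, so on a target where abi_long is 64 bits a guest that passes -1 in a register with the upper half clear is still treated as a very large positive timeout. Consider casting to int and using that value for the tv_sec and tv_nsec computation below, so the emulation sees the argument the way the kernel does.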
+++ /dev/null
-From: Alexander Graf <agraf@suse.de>
-Date: Tue, 9 Oct 2012 09:06:49 +0200
-Subject: linux-user: use target_ulong
-
-Linux syscalls pass pointers or data length or other information of that sort
-to the kernel. This is all stuff you don't want to have sign extended.
-Otherwise a host 64bit variable parameter with a size parameter will extend
-it to a negative number, breaking lseek for example.
-
-Pass syscall arguments as ulong always.
-
-Signed-off-by: Alexander Graf <agraf@suse.de>
----
- linux-user/qemu.h | 8 ++++----
- linux-user/syscall.c | 18 +++++++++---------
- 2 files changed, 13 insertions(+), 13 deletions(-)
-
-diff --git a/linux-user/qemu.h b/linux-user/qemu.h
-index f6f5fe5fbb553c151cb57146350c..b45b68221434e29636bb34c9f0b0 100644
---- a/linux-user/qemu.h
-+++ b/linux-user/qemu.h
-@@ -206,10 +206,10 @@ abi_long memcpy_to_target(abi_ulong dest, const void *src,
- void target_set_brk(abi_ulong new_brk);
- abi_long do_brk(abi_ulong new_brk);
- void syscall_init(void);
--abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
-- abi_long arg2, abi_long arg3, abi_long arg4,
-- abi_long arg5, abi_long arg6, abi_long arg7,
-- abi_long arg8);
-+abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
-+ abi_ulong arg2, abi_ulong arg3, abi_ulong arg4,
-+ abi_ulong arg5, abi_ulong arg6, abi_ulong arg7,
-+ abi_ulong arg8);
- void gemu_log(const char *fmt, ...) GCC_FMT_ATTR(1, 2);
- extern __thread CPUState *thread_cpu;
- void cpu_loop(CPUArchState *env);
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 243ec2a1e3bde8e6b3ac48989554..61d976cca146a6deb2d74c95ec59 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -7374,10 +7374,10 @@ static int host_to_target_cpu_mask(const unsigned long *host_mask,
- * of syscall results, can be performed.
- * All errnos that do_syscall() returns must be -TARGET_<errcode>.
- */
--static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
-- abi_long arg2, abi_long arg3, abi_long arg4,
-- abi_long arg5, abi_long arg6, abi_long arg7,
-- abi_long arg8)
-+static abi_long do_syscall1(void *cpu_env, int num, abi_ulong arg1,
-+ abi_ulong arg2, abi_ulong arg3, abi_ulong arg4,
-+ abi_ulong arg5, abi_ulong arg6, abi_ulong arg7,
-+ abi_ulong arg8)
- {
- CPUState *cpu = env_cpu(cpu_env);
- abi_long ret;
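Review bot: switching arg1 to arg8 of do_syscall1 from abi_long to abi_ulong changes the meaning of every signed comparison and sign-dependent conversion on those arguments in the function body, yet the only body change in this patch is dropping arg2 >= 0 from the SVE vector-length check. Please audit the remaining argN < 0 and argN >= 0 tests and the places where an argument is widened to a host type, and add explicit (abi_long) casts where the syscall argument is signed; building with -Wtype-limits will find the comparisons.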
-@@ -10125,7 +10125,7 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
- */
- ret = -TARGET_EINVAL;
- if (cpu_isar_feature(aa64_sve, env_archcpu(cpu_env))
-- && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
-+ && arg2 <= 512 * 16 && !(arg2 & 15)) {
- CPUARMState *env = cpu_env;
- ARMCPU *cpu = env_archcpu(env);
- uint32_t vq, old_vq;
-@@ -12116,10 +12116,10 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
- return ret;
- }
-
--abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
-- abi_long arg2, abi_long arg3, abi_long arg4,
-- abi_long arg5, abi_long arg6, abi_long arg7,
-- abi_long arg8)
-+abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
-+ abi_ulong arg2, abi_ulong arg3, abi_ulong arg4,
-+ abi_ulong arg5, abi_ulong arg6, abi_ulong arg7,
-+ abi_ulong arg8)
- {
- CPUState *cpu = env_cpu(cpu_env);
- abi_long ret;
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 14 May 2020 00:55:38 +0530
-Subject: megasas: use unsigned type for reply_queue_head and check index
-
-Git-commit: f50ab86a2620bd7e8507af865b164655ee921661
-References: bsc#1172383, CVE-2020-13362
-
-A guest user may set 'reply_queue_head' field of MegasasState to
-a negative value. Later in 'megasas_lookup_frame' it is used to
-index into s->frames[] array. Use unsigned type to avoid OOB
-access issue.
-
-Also check that 'index' value stays within s->frames[] bounds
-through the while() loop in 'megasas_lookup_frame' to avoid OOB
-access.
-
-Reported-by: Ren Ding <rding@gatech.edu>
-Reported-by: Hanqing Zhao <hanqing@gatech.edu>
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Acked-by: Alexander Bulekov <alxndr@bu.edu>
-Message-Id: <20200513192540.1583887-2-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/scsi/megasas.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index de9bd2088707ab89a5023e89e9aa..1bdd25e55684c7b6026381a97f3e 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -112,7 +112,7 @@ typedef struct MegasasState {
- uint64_t reply_queue_pa;
- void *reply_queue;
- int reply_queue_len;
-- int reply_queue_head;
-+ uint16_t reply_queue_head;
- int reply_queue_tail;
- uint64_t consumer_pa;
- uint64_t producer_pa;
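Review bot: only reply_queue_head becomes uint16_t in MegasasState; reply_queue_len and reply_queue_tail next to it stay signed int. If those fields can also be set from guest-controlled data they need the same treatment or a range check where they are written. Please also check that any code which saves, restores or assigns reply_queue_head still matches the narrower type.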
-@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s,
-
- index = s->reply_queue_head;
-
-- while (num < s->fw_cmds) {
-+ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) {
- if (s->frames[index].pa && s->frames[index].pa == frame) {
- cmd = &s->frames[index];
- break;
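Review bot: the added index < MEGASAS_MAX_FRAMES test in the while condition of megasas_lookup_frame prevents the out-of-bounds read of s->frames[], but an out-of-range head now ends the loop silently, as if the frame had simply not been found. It would be more robust to reject the value at the point where the guest-provided reply_queue_head is stored, and to log a guest error here so the condition is visible when it happens.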
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 1 Dec 2020 09:29:56 -0500
-Subject: memory: clamp cached translation in case it points to an MMIO region
-
-Git-commit: 4bfb024bc76973d40a359476dc0291f46e435442
-References: bsc#1179686, CVE-2020-27821
-
-In using the address_space_translate_internal API, address_space_cache_init
-forgot one piece of advice that can be found in the code for
-address_space_translate_internal:
-
- /* MMIO registers can be expected to perform full-width accesses based only
- * on their address, without considering adjacent registers that could
- * decode to completely different MemoryRegions. When such registers
- * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
- * regions overlap wildly. For this reason we cannot clamp the accesses
- * here.
- *
- * If the length is small (as is the case for address_space_ldl/stl),
- * everything works fine. If the incoming length is large, however,
- * the caller really has to do the clamping through memory_access_size.
- */
-
-address_space_cache_init is exactly one such case where "the incoming length
-is large", therefore we need to clamp the resulting length---not to
-memory_access_size though, since we are not doing an access yet, but to
-the size of the resulting section. This ensures that subsequent accesses
-to the cached MemoryRegionSection will be in range.
-
-With this patch, the enclosed testcase notices that the used ring does
-not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
-error.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- exec.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/exec.c b/exec.c
-index 43c70ffbfd37bbd20d9481d1f90b..a240e3d338a32fb46b1dfe66d4af 100644
---- a/exec.c
-+++ b/exec.c
-@@ -3621,6 +3621,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
- AddressSpaceDispatch *d;
- hwaddr l;
- MemoryRegion *mr;
-+ Int128 diff;
-
- assert(len > 0);
-
-@@ -3629,6 +3630,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
- d = flatview_to_dispatch(cache->fv);
- cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true);
-
-+ /*
-+ * cache->xlat is now relative to cache->mrs.mr, not to the section itself.
-+ * Take that into account to compute how many bytes are there between
-+ * cache->xlat and the end of the section.
-+ */
-+ diff = int128_sub(cache->mrs.size,
-+ int128_make64(cache->xlat - cache->mrs.offset_within_region));
-+ l = int128_get64(int128_min(diff, int128_make64(l)));
-+
- mr = cache->mrs.mr;
- memory_region_ref(mr);
- if (memory_access_is_direct(mr, is_write)) {
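Review bot: the new computation of diff in address_space_cache_init subtracts cache->mrs.offset_within_region from cache->xlat in unsigned arithmetic with no check that xlat is the larger value, and nothing states that diff must be greater than zero before it is used to clamp l. An assert on both conditions would document the invariant that the added comment describes. A short note that l can now come back smaller than the requested len, and that callers must handle this, would also help readers of the function.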
+++ /dev/null
-From: Lukas Straub <lukasstraub2@web.de>
-Date: Wed, 20 May 2020 22:42:32 +0200
-Subject: migration/migration.c: Fix hang in ram_save_host_page
-
-Git-commit: 773861274ad75a62c7ecf70ecc8e4ba31ed62190
-References: bsc#1185591
-
-migration_rate_limit will erroneously ratelimit a shutdown socket,
-which causes the migration thread to hang in ram_save_host_page
-if the socket is shutdown.
-
-Fix this by explicitly testing if the socket has errors or was
-shutdown in migration_rate_limit.
-
-Signed-off-by: Lukas Straub <lukasstraub2@web.de>
-Message-Id: <e79085bbe2d46dfa007dd41820194d5e2d4fcd80.1590007004.git.lukasstraub2@web.de>
-Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-(cherry picked from commit 773861274ad75a62c7ecf70ecc8e4ba31ed62190)
-Signed-off-by: Lin Ma <lma@suse.com>
----
- migration/migration.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/migration/migration.c b/migration/migration.c
-index 27500d09a94a8615c935245e23ed..eecb9b54f90b155d20f007290b44 100644
---- a/migration/migration.c
-+++ b/migration/migration.c
-@@ -3233,6 +3233,10 @@ bool migration_rate_limit(void)
- bool urgent = false;
- migration_update_counters(s, now);
- if (qemu_file_rate_limit(s->to_dst_file)) {
-+
-+ if (qemu_file_get_error(s->to_dst_file)) {
-+ return false;
-+ }
- /*
- * Wait for a delay to do rate limiting OR
- * something urgent to post the semaphore.
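Review bot: the commit message says migration_rate_limit should test whether the socket has errors or was shut down, but the added code only calls qemu_file_get_error(s->to_dst_file), and only inside the qemu_file_rate_limit() branch. Please confirm that a shut-down socket always sets the file error and always makes qemu_file_rate_limit() return true, or test for shutdown explicitly. A comment on why false is the right return value here would help, and the blank line after the opening brace should go.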
+++ /dev/null
-From: Jose R Ziviani <jose.ziviani@suse.com>
-Date: Thu, 29 Jul 2021 15:56:08 -0600
-Subject: net: eepro100: validate various address values
-
-Git-commit: 000000000000000000000000000000000000000000000
-References: bsc#1182651, CVE-2021-20255
-
-Patch based on discussion:
-https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
-
-While processing controller commands, eepro100 emulator gets
-command unit(CU) base address OR receive unit (RU) base address
-OR command block (CB) address from guest. If these values are not
-checked, it may lead to an infinite loop kind of issues. Add checks
-to avoid it.
-
-Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Acked-By: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/net/eepro100.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
-index cc2dd8b1c997e864d2ec6bf74051..de235e863731e3abb6956fd02739 100644
---- a/hw/net/eepro100.c
-+++ b/hw/net/eepro100.c
-@@ -279,6 +279,9 @@ typedef struct {
- /* Quasi static device properties (no need to save them). */
- uint16_t stats_size;
- bool has_extended_tcb_support;
-+
-+ /* Flag to avoid recursions. */
-+ bool busy;
- } EEPRO100State;
-
- /* Word indices in EEPROM. */
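Review bot: `busy` is added directly under the existing comment "Quasi static device properties (no need to save them)", but it is run-time state, not a device property. Give it its own section in `EEPRO100State` and state in the comment whether it must be cleared on device reset, because a flag left `true` makes every later `action_command()` return early.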
-@@ -837,6 +840,13 @@ static void action_command(EEPRO100State *s)
- Therefore we limit the number of iterations. */
- unsigned max_loop_count = 16;
-
-+ if (s->busy) {
-+ /* Prevent recursions. */
-+ logout("recursion in %s:%u\n", __FILE__, __LINE__);
-+ return;
-+ }
-+ s->busy = true;
-+
- for (;;) {
- bool bit_el;
- bool bit_s;
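Review bot: The `logout()` call in the new `s->busy` branch of `action_command()` is unconditional, while the other message visible in this patch is wrapped in `TRACE(OTHER, ...)`. A guest that reaches this path repeatedly can flood the host log, so wrap it in `TRACE()` or use a guest-error log category. The commit message also describes validating the CU base, RU base and CB addresses, whereas the hunks only add a re-entrancy guard; the message should describe what the patch does.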
-@@ -933,6 +943,7 @@ static void action_command(EEPRO100State *s)
- }
- TRACE(OTHER, logout("CU list empty\n"));
- /* List is empty. Now CU is idle or suspended. */
-+ s->busy = false;
- }
-
- static void eepro100_cu_command(EEPRO100State * s, uint8_t val)
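Review bot: `s->busy = false` is set only on the fall-through path at the very end of `action_command()`. Any `return` between the `s->busy = true` added above and this line would leave the flag set for good and silently stop command processing. Route all exits through one label that clears it, or clear it in a small wrapper around the loop.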
+++ /dev/null
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 24 Feb 2021 11:44:36 +0800
-Subject: net: introduce qemu_receive_packet()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 705df5466c98f3efdd2b68d3b31dad86858acad7
-References: bsc#1182968, CVE-2021-3416
-Some NIC supports loopback mode and this is done by calling
-nc->info->receive() directly which in fact suppresses the effort of
-reentrancy check that is done in qemu_net_queue_send().
-
-Unfortunately we can't use qemu_net_queue_send() here since for
-loopback there's no sender as peer, so this patch introduce a
-qemu_receive_packet() which is used for implementing loopback mode
-for a NIC with this check.
-
-NIC that supports loopback mode will be converted to this helper.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- include/net/net.h | 5 +++++
- include/net/queue.h | 8 ++++++++
- net/net.c | 38 +++++++++++++++++++++++++++++++-------
- net/queue.c | 22 ++++++++++++++++++++++
- 4 files changed, 66 insertions(+), 7 deletions(-)
-
-diff --git a/include/net/net.h b/include/net/net.h
-index e175ba9677dc09402bdc99f90fa2..1b32a8aaecf2a23d30c55f1a61dd 100644
---- a/include/net/net.h
-+++ b/include/net/net.h
-@@ -142,12 +142,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
- void qemu_del_net_client(NetClientState *nc);
- typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
- void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
-+int qemu_can_receive_packet(NetClientState *nc);
- int qemu_can_send_packet(NetClientState *nc);
- ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
- int iovcnt);
- ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
- int iovcnt, NetPacketSent *sent_cb);
- ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
-+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
-+ssize_t qemu_receive_packet_iov(NetClientState *nc,
-+ const struct iovec *iov,
-+ int iovcnt);
- ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
- ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
- int size, NetPacketSent *sent_cb);
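Review bot: `qemu_receive_packet()` is declared with `int size`, while the `qemu_net_queue_receive()` it forwards to takes `size_t size` (see the include/net/queue.h hunk). A negative `size` converts to a very large `size_t` on the way down, so either make the new prototype take `size_t` or reject `size < 0` in the wrapper. The new prototypes also need a comment saying they are meant for a NIC's own loopback path.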
-diff --git a/include/net/queue.h b/include/net/queue.h
-index c0269bb1dc436a912e2abc75db3b..9f2f289d7719ca1ed78604c37b65 100644
---- a/include/net/queue.h
-+++ b/include/net/queue.h
-@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
-
- void qemu_del_net_queue(NetQueue *queue);
-
-+ssize_t qemu_net_queue_receive(NetQueue *queue,
-+ const uint8_t *data,
-+ size_t size);
-+
-+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
-+ const struct iovec *iov,
-+ int iovcnt);
-+
- ssize_t qemu_net_queue_send(NetQueue *queue,
- NetClientState *sender,
- unsigned flags,
-diff --git a/net/net.c b/net/net.c
-index 58adaafba93686a061e27a888ad9..95fb9e1439ad9666426e0e03d253 100644
---- a/net/net.c
-+++ b/net/net.c
-@@ -516,6 +516,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
- #endif
- }
-
-+int qemu_can_receive_packet(NetClientState *nc)
-+{
-+ if (nc->receive_disabled) {
-+ return 0;
-+ } else if (nc->info->can_receive &&
-+ !nc->info->can_receive(nc)) {
-+ return 0;
-+ }
-+ return 1;
-+}
-+
- int qemu_can_send_packet(NetClientState *sender)
- {
- int vm_running = runstate_is_running();
-@@ -528,13 +539,7 @@ int qemu_can_send_packet(NetClientState *sender)
- return 1;
- }
-
-- if (sender->peer->receive_disabled) {
-- return 0;
-- } else if (sender->peer->info->can_receive &&
-- !sender->peer->info->can_receive(sender->peer)) {
-- return 0;
-- }
-- return 1;
-+ return qemu_can_receive_packet(sender->peer);
- }
-
- static ssize_t filter_receive_iov(NetClientState *nc,
-@@ -667,6 +672,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
- return qemu_send_packet_async(nc, buf, size, NULL);
- }
-
-+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
-+{
-+ if (!qemu_can_receive_packet(nc)) {
-+ return 0;
-+ }
-+
-+ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
-+}
-+
-+ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
-+ int iovcnt)
-+{
-+ if (!qemu_can_receive_packet(nc)) {
-+ return 0;
-+ }
-+
-+ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
-+}
-+
- ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
- {
- return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
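Review bot: Both `qemu_receive_packet()` and `qemu_receive_packet_iov()` return 0 when `qemu_can_receive_packet()` fails, and the queue helpers they call also return 0 when a delivery is already in progress, so a caller cannot tell "receiver not ready" from "dropped by the re-entrancy check". Document that 0 means the packet was discarded and not queued, so the NIC models being converted do not treat it as "will be retried".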
-diff --git a/net/queue.c b/net/queue.c
-index 61276ca4be6f203765b9058873eb..7c0b72c8effceddd5edbfc1c92a3 100644
---- a/net/queue.c
-+++ b/net/queue.c
-@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
- return ret;
- }
-
-+ssize_t qemu_net_queue_receive(NetQueue *queue,
-+ const uint8_t *data,
-+ size_t size)
-+{
-+ if (queue->delivering) {
-+ return 0;
-+ }
-+
-+ return qemu_net_queue_deliver(queue, NULL, 0, data, size);
-+}
-+
-+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
-+ const struct iovec *iov,
-+ int iovcnt)
-+{
-+ if (queue->delivering) {
-+ return 0;
-+ }
-+
-+ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
-+}
-+
- ssize_t qemu_net_queue_send(NetQueue *queue,
- NetClientState *sender,
- unsigned flags,
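Review bot: `qemu_net_queue_receive()` and `qemu_net_queue_receive_iov()` pass `NULL` as the sender to `qemu_net_queue_deliver()` and `qemu_net_queue_deliver_iov()`, and nothing in this hunk shows that the deliver callback tolerates a NULL sender; state that in a comment or check it. The two `queue->delivering` tests are the core of the fix and deserve a one-line comment that they drop looped-back packets arriving while a delivery is already running.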
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Wed, 21 Oct 2020 11:35:50 +0530
-Subject: net: remove an assert call in eth_get_gso_type
-
-Git-commit: 7564bf7701f00214cdc8a678a9f7df765244def1
-References: bsc#1178174, CVE-2020-27617
-
-eth_get_gso_type() routine returns segmentation offload type based on
-L3 protocol type. It calls g_assert_not_reached if L3 protocol is
-unknown, making the following return statement unreachable. Remove the
-g_assert call, it maybe triggered by a guest user.
-
-Reported-by: Gaoning Pan <pgn@zju.edu.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- net/eth.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/net/eth.c b/net/eth.c
-index 0c1d413ee26e31d4ac6b622a9aa9..1e0821c5f81b59536edc5ef498e9 100644
---- a/net/eth.c
-+++ b/net/eth.c
-@@ -16,6 +16,7 @@
- */
-
- #include "qemu/osdep.h"
-+#include "qemu/log.h"
- #include "net/eth.h"
- #include "net/checksum.h"
- #include "net/tap.h"
-@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto)
- return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
- }
- }
--
-- /* Unsupported offload */
-- g_assert_not_reached();
-+ qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, "
-+ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
-
- return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
- }
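Review bot: The `qemu_log_mask()` call in `eth_get_gso_type()` now sits directly against the closing brace of the preceding block. Keep the blank line that was removed and put a short comment in place of the deleted "Unsupported offload" one, so the fall-through to `VIRTIO_NET_HDR_GSO_NONE` stays explained. The format string `"0x%04"PRIx16"\n"` should have spaces around `PRIx16`, and since the commit message says a guest can trigger this path, check whether `LOG_UNIMP` is the right mask for it.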
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Sat, 30 Jan 2021 18:46:52 +0530
-Subject: net: vmxnet3: validate configuration values during activate
- (CVE-2021-20203)
-
-Git-commit: 0000000000000000000000000000000000000000
-References: bsc#1181639
-
-While activating device in vmxnet3_acticate_device(), it does not
-validate guest supplied configuration values against predefined
-minimum - maximum limits. This may lead to integer overflow or
-OOB access issues. Add checks to avoid it.
-
-Fixes: CVE-2021-20203
-Buglink: https://bugs.launchpad.net/qemu/+bug/1913873
-Reported-by: Gaoning Pan <pgn@zju.edu.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/net/vmxnet3.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
-index 39ff6624c5c39479b1f341ddab9e..28a69ef615b1c2a6add5f7b554e7 100644
---- a/hw/net/vmxnet3.c
-+++ b/hw/net/vmxnet3.c
-@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
- vmxnet3_setup_rx_filtering(s);
- /* Cache fields from shared memory */
- s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
-+ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
- VMW_CFPRN("MTU is %u", s->mtu);
-
- s->max_rx_frags =
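Review bot: The `assert()` on `s->mtu` in `vmxnet3_activate_device()` tests a value just read from driver shared memory, so a guest that supplies an out-of-range MTU aborts QEMU. That is the same guest-triggerable assertion pattern that the `eth_get_gso_type()` patch on this page removes. Handle the bad value without aborting (log it and refuse to activate, or clamp as the ring-size hunks do), and check whether the upper bound should be `<=` rather than `<` `VMXNET3_MAX_MTU`.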
-@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
- /* Read rings memory locations for TX queues */
- pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
- size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
-+ if (size > VMXNET3_TX_RING_MAX_SIZE) {
-+ size = VMXNET3_TX_RING_MAX_SIZE;
-+ }
-
- vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
- sizeof(struct Vmxnet3_TxDesc), false);
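Review bot: Only the upper bound of the TX ring `size` is enforced, although the commit message speaks of minimum and maximum limits; a guest-supplied `size` of 0 still reaches `vmxnet3_ring_init()`. Add the lower-bound check, and consider rejecting the configuration instead of silently clamping, because after the clamp the device and the guest driver disagree about the ring length.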
-@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
- /* TXC ring */
- pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
- size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
-+ if (size > VMXNET3_TC_RING_MAX_SIZE) {
-+ size = VMXNET3_TC_RING_MAX_SIZE;
-+ }
- vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
- sizeof(struct Vmxnet3_TxCompDesc), true);
- VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
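Review bot: The clamp on the TXC ring `size` repeats the three-line block from the TX ring hunk, and the RX and RXC hunks repeat it twice more, differing only in the `VMXNET3_*_RING_MAX_SIZE` constant. A small helper taking the size and the limit would keep the four call sites consistent and give one place to add a lower bound and a log message when a guest value is adjusted.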
-@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
- /* RX rings */
- pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
- size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
-+ if (size > VMXNET3_RX_RING_MAX_SIZE) {
-+ size = VMXNET3_RX_RING_MAX_SIZE;
-+ }
- vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
- sizeof(struct Vmxnet3_RxDesc), false);
- VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
-@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
- /* RXC ring */
- pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
- size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
-+ if (size > VMXNET3_RC_RING_MAX_SIZE) {
-+ size = VMXNET3_RC_RING_MAX_SIZE;
-+ }
- vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
- sizeof(struct Vmxnet3_RxCompDesc), true);
- VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
+++ /dev/null
-From: Tao Xu <tao3.xu@intel.com>
-Date: Fri, 13 Dec 2019 09:19:22 +0800
-Subject: numa: Extend CLI to provide initiator information for numa nodes
-
-Git-commit: 244b3f4485a07c7ce4b7123d6ce9d8c6012756e8
-References: jsc#SLE-8897
-
-In ACPI 6.3 chapter 5.2.27 Heterogeneous Memory Attribute Table (HMAT),
-The initiator represents processor which access to memory. And in 5.2.27.3
-Memory Proximity Domain Attributes Structure, the attached initiator is
-defined as where the memory controller responsible for a memory proximity
-domain. With attached initiator information, the topology of heterogeneous
-memory can be described. Add new machine property 'hmat' to enable all
-HMAT specific options.
-
-Extend CLI of "-numa node" option to indicate the initiator numa node-id.
-In the linux kernel, the codes in drivers/acpi/hmat/hmat.c parse and report
-the platform's HMAT tables. Before using initiator option, enable HMAT with
--machine hmat=on.
-
-Acked-by: Markus Armbruster <armbru@redhat.com>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Reviewed-by: Jingqi Liu <jingqi.liu@intel.com>
-Suggested-by: Dan Williams <dan.j.williams@intel.com>
-Signed-off-by: Tao Xu <tao3.xu@intel.com>
-Message-Id: <20191213011929.2520-2-tao3.xu@intel.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/core/machine.c | 64 +++++++++++++++++++++++++++++++++++++++++++
- hw/core/numa.c | 23 ++++++++++++++++
- include/sysemu/numa.h | 5 ++++
- qapi/machine.json | 10 ++++++-
- qemu-options.hx | 35 +++++++++++++++++++----
- 5 files changed, 131 insertions(+), 6 deletions(-)
-
-diff --git a/hw/core/machine.c b/hw/core/machine.c
-index 1872263bf0397bbf1d515f56a627..cfab784b02ce6076c827c10c9e9c 100644
---- a/hw/core/machine.c
-+++ b/hw/core/machine.c
-@@ -518,6 +518,20 @@ static void machine_set_nvdimm(Object *obj, bool value, Error **errp)
- ms->nvdimms_state->is_enabled = value;
- }
-
-+static bool machine_get_hmat(Object *obj, Error **errp)
-+{
-+ MachineState *ms = MACHINE(obj);
-+
-+ return ms->numa_state->hmat_enabled;
-+}
-+
-+static void machine_set_hmat(Object *obj, bool value, Error **errp)
-+{
-+ MachineState *ms = MACHINE(obj);
-+
-+ ms->numa_state->hmat_enabled = value;
-+}
-+
- static char *machine_get_nvdimm_persistence(Object *obj, Error **errp)
- {
- MachineState *ms = MACHINE(obj);
-@@ -645,6 +659,7 @@ void machine_set_cpu_numa_node(MachineState *machine,
- const CpuInstanceProperties *props, Error **errp)
- {
- MachineClass *mc = MACHINE_GET_CLASS(machine);
-+ NodeInfo *numa_info = machine->numa_state->nodes;
- bool match = false;
- int i;
-
-@@ -714,6 +729,17 @@ void machine_set_cpu_numa_node(MachineState *machine,
- match = true;
- slot->props.node_id = props->node_id;
- slot->props.has_node_id = props->has_node_id;
-+
-+ if (machine->numa_state->hmat_enabled) {
-+ if ((numa_info[props->node_id].initiator < MAX_NODES) &&
-+ (props->node_id != numa_info[props->node_id].initiator)) {
-+ error_setg(errp, "The initiator of CPU NUMA node %" PRId64
-+ " should be itself", props->node_id);
-+ return;
-+ }
-+ numa_info[props->node_id].has_cpu = true;
-+ numa_info[props->node_id].initiator = props->node_id;
-+ }
- }
-
- if (!match) {
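Review bot: `numa_info[props->node_id]` is indexed with a value that the error message prints with `PRId64`, that is a signed 64-bit quantity, and no range check is visible in this hunk. Confirm that `props->node_id` has been validated against `MAX_NODES` earlier in `machine_set_cpu_numa_node()`, or add the check here. The error text "The initiator of CPU NUMA node N should be itself" would also be clearer if it named the conflicting initiator value.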
-@@ -960,6 +986,13 @@ static void machine_initfn(Object *obj)
-
- if (mc->cpu_index_to_instance_props && mc->get_default_cpu_node_id) {
- ms->numa_state = g_new0(NumaState, 1);
-+ object_property_add_bool(obj, "hmat",
-+ machine_get_hmat, machine_set_hmat,
-+ &error_abort);
-+ object_property_set_description(obj, "hmat",
-+ "Set on/off to enable/disable "
-+ "ACPI Heterogeneous Memory Attribute "
-+ "Table (HMAT)", NULL);
- }
-
- /* Register notifier when init is done for sysbus sanity checks */
-@@ -1048,6 +1081,32 @@ static char *cpu_slot_to_string(const CPUArchId *cpu)
- return g_string_free(s, false);
- }
-
-+static void numa_validate_initiator(NumaState *numa_state)
-+{
-+ int i;
-+ NodeInfo *numa_info = numa_state->nodes;
-+
-+ for (i = 0; i < numa_state->num_nodes; i++) {
-+ if (numa_info[i].initiator == MAX_NODES) {
-+ error_report("The initiator of NUMA node %d is missing, use "
-+ "'-numa node,initiator' option to declare it", i);
-+ exit(1);
-+ }
-+
-+ if (!numa_info[numa_info[i].initiator].present) {
-+ error_report("NUMA node %" PRIu16 " is missing, use "
-+ "'-numa node' option to declare it first",
-+ numa_info[i].initiator);
-+ exit(1);
-+ }
-+
-+ if (!numa_info[numa_info[i].initiator].has_cpu) {
-+ error_report("The initiator of NUMA node %d is invalid", i);
-+ exit(1);
-+ }
-+ }
-+}
-+
- static void machine_numa_finish_cpu_init(MachineState *machine)
- {
- int i;
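Review bot: `numa_validate_initiator()` loops over `i < numa_state->num_nodes` and reads `numa_info[i].initiator` without testing `numa_info[i].present`, so it relies on node ids being contiguous from 0; say so in a comment or skip absent entries. It also ends the process with `error_report()` plus `exit(1)` while the rest of this patch reports through `Error **errp`; taking an `Error **` and letting `machine_numa_finish_cpu_init()` pass `&error_fatal` would match. The messages mix `%d` and `PRIu16` for node numbers.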
-@@ -1088,6 +1147,11 @@ static void machine_numa_finish_cpu_init(MachineState *machine)
- machine_set_cpu_numa_node(machine, &props, &error_fatal);
- }
- }
-+
-+ if (machine->numa_state->hmat_enabled) {
-+ numa_validate_initiator(machine->numa_state);
-+ }
-+
- if (s->len && !qtest_enabled()) {
- warn_report("CPU(s) not present in any NUMA nodes: %s",
- s->str);
-diff --git a/hw/core/numa.c b/hw/core/numa.c
-index 19f082de128ddcc743d1d5ea8254..a07eef93dc3f104b6c0199040338 100644
---- a/hw/core/numa.c
-+++ b/hw/core/numa.c
-@@ -129,6 +129,29 @@ static void parse_numa_node(MachineState *ms, NumaNodeOptions *node,
- numa_info[nodenr].node_mem = object_property_get_uint(o, "size", NULL);
- numa_info[nodenr].node_memdev = MEMORY_BACKEND(o);
- }
-+
-+ /*
-+ * If not set the initiator, set it to MAX_NODES. And if
-+ * HMAT is enabled and this node has no cpus, QEMU will raise error.
-+ */
-+ numa_info[nodenr].initiator = MAX_NODES;
-+ if (node->has_initiator) {
-+ if (!ms->numa_state->hmat_enabled) {
-+ error_setg(errp, "ACPI Heterogeneous Memory Attribute Table "
-+ "(HMAT) is disabled, enable it with -machine hmat=on "
-+ "before using any of hmat specific options");
-+ return;
-+ }
-+
-+ if (node->initiator >= MAX_NODES) {
-+ error_report("The initiator id %" PRIu16 " expects an integer "
-+ "between 0 and %d", node->initiator,
-+ MAX_NODES - 1);
-+ return;
-+ }
-+
-+ numa_info[nodenr].initiator = node->initiator;
-+ }
- numa_info[nodenr].present = true;
- max_numa_nodeid = MAX(max_numa_nodeid, nodenr + 1);
- ms->numa_state->num_nodes++;
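Review bot: In `parse_numa_node()` the `node->initiator >= MAX_NODES` branch calls `error_report()` and returns without setting `errp`, unlike the `error_setg(errp, ...)` used a few lines above for the HMAT-disabled case. The caller sees no error even though `present` and `num_nodes` were never updated for this node. Use `error_setg(errp, ...)` here too, and extend the block comment to say that `MAX_NODES` is the "no initiator" sentinel that `numa_validate_initiator()` later tests for.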
-diff --git a/include/sysemu/numa.h b/include/sysemu/numa.h
-index ae9c41d02ba47c089d19d74b3a4f..788cbec7a2096e262555ac6e83cb 100644
---- a/include/sysemu/numa.h
-+++ b/include/sysemu/numa.h
-@@ -18,6 +18,8 @@ struct NodeInfo {
- uint64_t node_mem;
- struct HostMemoryBackend *node_memdev;
- bool present;
-+ bool has_cpu;
-+ uint16_t initiator;
- uint8_t distance[MAX_NODES];
- };
-
-@@ -33,6 +35,9 @@ struct NumaState {
- /* Allow setting NUMA distance for different NUMA nodes */
- bool have_numa_distance;
-
-+ /* Detect if HMAT support is enabled. */
-+ bool hmat_enabled;
-+
- /* NUMA nodes information */
- NodeInfo nodes[MAX_NODES];
- };
-diff --git a/qapi/machine.json b/qapi/machine.json
-index ca26779f1a3623e86befc00ee8d8..27d0e375342a502c7676d23837a7 100644
---- a/qapi/machine.json
-+++ b/qapi/machine.json
-@@ -463,6 +463,13 @@
- # @memdev: memory backend object. If specified for one node,
- # it must be specified for all nodes.
- #
-+# @initiator: defined in ACPI 6.3 Chapter 5.2.27.3 Table 5-145,
-+# points to the nodeid which has the memory controller
-+# responsible for this NUMA node. This field provides
-+# additional information as to the initiator node that
-+# is closest (as in directly attached) to this node, and
-+# therefore has the best performance (since 5.0)
-+#
- # Since: 2.1
- ##
- { 'struct': 'NumaNodeOptions',
-@@ -470,7 +477,8 @@
- '*nodeid': 'uint16',
- '*cpus': ['uint16'],
- '*mem': 'size',
-- '*memdev': 'str' }}
-+ '*memdev': 'str',
-+ '*initiator': 'uint16' }}
-
- ##
- # @NumaDistOptions:
-diff --git a/qemu-options.hx b/qemu-options.hx
-index e14d88e9b2f3a3c13a4c20db0b36..9b1618cd34d9fe1d8374d6abb954 100644
---- a/qemu-options.hx
-+++ b/qemu-options.hx
-@@ -43,7 +43,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \
- " suppress-vmdesc=on|off disables self-describing migration (default=off)\n"
- " nvdimm=on|off controls NVDIMM support (default=off)\n"
- " enforce-config-section=on|off enforce configuration section migration (default=off)\n"
-- " memory-encryption=@var{} memory encryption object to use (default=none)\n",
-+ " memory-encryption=@var{} memory encryption object to use (default=none)\n"
-+ " hmat=on|off controls ACPI HMAT support (default=off)\n",
- QEMU_ARCH_ALL)
- STEXI
- @item -machine [type=]@var{name}[,prop=@var{value}[,...]]
-@@ -103,6 +104,9 @@ NOTE: this parameter is deprecated. Please use @option{-global}
- @option{migration.send-configuration}=@var{on|off} instead.
- @item memory-encryption=@var{}
- Memory encryption object to use. The default is none.
-+@item hmat=on|off
-+Enables or disables ACPI Heterogeneous Memory Attribute Table (HMAT) support.
-+The default is off.
- @end table
- ETEXI
-
-@@ -161,14 +165,14 @@ If any on the three values is given, the total number of CPUs @var{n} can be omi
- ETEXI
-
- DEF("numa", HAS_ARG, QEMU_OPTION_numa,
-- "-numa node[,mem=size][,cpus=firstcpu[-lastcpu]][,nodeid=node]\n"
-- "-numa node[,memdev=id][,cpus=firstcpu[-lastcpu]][,nodeid=node]\n"
-+ "-numa node[,mem=size][,cpus=firstcpu[-lastcpu]][,nodeid=node][,initiator=node]\n"
-+ "-numa node[,memdev=id][,cpus=firstcpu[-lastcpu]][,nodeid=node][,initiator=node]\n"
- "-numa dist,src=source,dst=destination,val=distance\n"
- "-numa cpu,node-id=node[,socket-id=x][,core-id=y][,thread-id=z]\n",
- QEMU_ARCH_ALL)
- STEXI
--@item -numa node[,mem=@var{size}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}]
--@itemx -numa node[,memdev=@var{id}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}]
-+@item -numa node[,mem=@var{size}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}][,initiator=@var{initiator}]
-+@itemx -numa node[,memdev=@var{id}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}][,initiator=@var{initiator}]
- @itemx -numa dist,src=@var{source},dst=@var{destination},val=@var{distance}
- @itemx -numa cpu,node-id=@var{node}[,socket-id=@var{x}][,core-id=@var{y}][,thread-id=@var{z}]
- @findex -numa
-@@ -215,6 +219,27 @@ split equally between them.
- @samp{mem} and @samp{memdev} are mutually exclusive. Furthermore,
- if one node uses @samp{memdev}, all of them have to use it.
-
-+@samp{initiator} is an additional option that points to an @var{initiator}
-+NUMA node that has best performance (the lowest latency or largest bandwidth)
-+to this NUMA @var{node}. Note that this option can be set only when
-+the machine property 'hmat' is set to 'on'.
-+
-+Following example creates a machine with 2 NUMA nodes, node 0 has CPU.
-+node 1 has only memory, and its initiator is node 0. Note that because
-+node 0 has CPU, by default the initiator of node 0 is itself and must be
-+itself.
-+@example
-+-machine hmat=on \
-+-m 2G,slots=2,maxmem=4G \
-+-object memory-backend-ram,size=1G,id=m0 \
-+-object memory-backend-ram,size=1G,id=m1 \
-+-numa node,nodeid=0,memdev=m0 \
-+-numa node,nodeid=1,memdev=m1,initiator=0 \
-+-smp 2,sockets=2,maxcpus=2 \
-+-numa cpu,node-id=0,socket-id=0 \
-+-numa cpu,node-id=0,socket-id=1
-+@end example
-+
- @var{source} and @var{destination} are NUMA node IDs.
- @var{distance} is the NUMA distance from @var{source} to @var{destination}.
- The distance from a node to itself is always 10. If any pair of nodes is
+++ /dev/null
-From: Liu Jingqi <jingqi.liu@intel.com>
-Date: Fri, 13 Dec 2019 09:19:23 +0800
-Subject: numa: Extend CLI to provide memory latency and bandwidth information
-
-Git-commit: 9b12dfa03a94d7f7a4b54eb67229a31e58193384
-References: jsc#SLE-8897
-
-Add -numa hmat-lb option to provide System Locality Latency and
-Bandwidth Information. These memory attributes help to build
-System Locality Latency and Bandwidth Information Structure(s)
-in ACPI Heterogeneous Memory Attribute Table (HMAT). Before using
-hmat-lb option, enable HMAT with -machine hmat=on.
-
-Acked-by: Markus Armbruster <armbru@redhat.com>
-Signed-off-by: Liu Jingqi <jingqi.liu@intel.com>
-Signed-off-by: Tao Xu <tao3.xu@intel.com>
-Message-Id: <20191213011929.2520-3-tao3.xu@intel.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/core/numa.c | 194 ++++++++++++++++++++++++++++++++++++++++++
- include/sysemu/numa.h | 53 ++++++++++++
- qapi/machine.json | 93 +++++++++++++++++++-
- qemu-options.hx | 47 +++++++++-
- 4 files changed, 384 insertions(+), 3 deletions(-)
-
-diff --git a/hw/core/numa.c b/hw/core/numa.c
-index a07eef93dc3f104b6c0199040338..58fe7138b290f8b8cbc340d3d1ec 100644
---- a/hw/core/numa.c
-+++ b/hw/core/numa.c
-@@ -23,6 +23,7 @@
- */
-
- #include "qemu/osdep.h"
-+#include "qemu/units.h"
- #include "sysemu/hostmem.h"
- #include "sysemu/numa.h"
- #include "sysemu/sysemu.h"
-@@ -194,6 +195,186 @@ void parse_numa_distance(MachineState *ms, NumaDistOptions *dist, Error **errp)
- ms->numa_state->have_numa_distance = true;
- }
-
-+void parse_numa_hmat_lb(NumaState *numa_state, NumaHmatLBOptions *node,
-+ Error **errp)
-+{
-+ int i, first_bit, last_bit;
-+ uint64_t max_entry, temp_base, bitmap_copy;
-+ NodeInfo *numa_info = numa_state->nodes;
-+ HMAT_LB_Info *hmat_lb =
-+ numa_state->hmat_lb[node->hierarchy][node->data_type];
-+ HMAT_LB_Data lb_data = {};
-+ HMAT_LB_Data *lb_temp;
-+
-+ /* Error checking */
-+ if (node->initiator > numa_state->num_nodes) {
-+ error_setg(errp, "Invalid initiator=%d, it should be less than %d",
-+ node->initiator, numa_state->num_nodes);
-+ return;
-+ }
-+ if (node->target > numa_state->num_nodes) {
-+ error_setg(errp, "Invalid target=%d, it should be less than %d",
-+ node->target, numa_state->num_nodes);
-+ return;
-+ }
-+ if (!numa_info[node->initiator].has_cpu) {
-+ error_setg(errp, "Invalid initiator=%d, it isn't an "
-+ "initiator proximity domain", node->initiator);
-+ return;
-+ }
-+ if (!numa_info[node->target].present) {
-+ error_setg(errp, "The target=%d should point to an existing node",
-+ node->target);
-+ return;
-+ }
-+
-+ if (!hmat_lb) {
-+ hmat_lb = g_malloc0(sizeof(*hmat_lb));
-+ numa_state->hmat_lb[node->hierarchy][node->data_type] = hmat_lb;
-+ hmat_lb->list = g_array_new(false, true, sizeof(HMAT_LB_Data));
-+ }
-+ hmat_lb->hierarchy = node->hierarchy;
-+ hmat_lb->data_type = node->data_type;
-+ lb_data.initiator = node->initiator;
-+ lb_data.target = node->target;
-+
-+ if (node->data_type <= HMATLB_DATA_TYPE_WRITE_LATENCY) {
-+ /* Input latency data */
-+
-+ if (!node->has_latency) {
-+ error_setg(errp, "Missing 'latency' option");
-+ return;
-+ }
-+ if (node->has_bandwidth) {
-+ error_setg(errp, "Invalid option 'bandwidth' since "
-+ "the data type is latency");
-+ return;
-+ }
-+
-+ /* Detect duplicate configuration */
-+ for (i = 0; i < hmat_lb->list->len; i++) {
-+ lb_temp = &g_array_index(hmat_lb->list, HMAT_LB_Data, i);
-+
-+ if (node->initiator == lb_temp->initiator &&
-+ node->target == lb_temp->target) {
-+ error_setg(errp, "Duplicate configuration of the latency for "
-+ "initiator=%d and target=%d", node->initiator,
-+ node->target);
-+ return;
-+ }
-+ }
-+
-+ hmat_lb->base = hmat_lb->base ? hmat_lb->base : UINT64_MAX;
-+
-+ if (node->latency) {
-+ /* Calculate the temporary base and compressed latency */
-+ max_entry = node->latency;
-+ temp_base = 1;
-+ while (QEMU_IS_ALIGNED(max_entry, 10)) {
-+ max_entry /= 10;
-+ temp_base *= 10;
-+ }
-+
-+ /* Calculate the max compressed latency */
-+ temp_base = MIN(hmat_lb->base, temp_base);
-+ max_entry = node->latency / hmat_lb->base;
-+ max_entry = MAX(hmat_lb->range_bitmap, max_entry);
-+
-+ /*
-+ * For latency hmat_lb->range_bitmap record the max compressed
-+ * latency which should be less than 0xFFFF (UINT16_MAX)
-+ */
-+ if (max_entry >= UINT16_MAX) {
-+ error_setg(errp, "Latency %" PRIu64 " between initiator=%d and "
-+ "target=%d should not differ from previously entered "
-+ "min or max values on more than %d", node->latency,
-+ node->initiator, node->target, UINT16_MAX - 1);
-+ return;
-+ } else {
-+ hmat_lb->base = temp_base;
-+ hmat_lb->range_bitmap = max_entry;
-+ }
-+
-+ /*
-+ * Set lb_info_provided bit 0 as 1,
-+ * latency information is provided
-+ */
-+ numa_info[node->target].lb_info_provided |= BIT(0);
-+ }
-+ lb_data.data = node->latency;
-+ } else if (node->data_type >= HMATLB_DATA_TYPE_ACCESS_BANDWIDTH) {
-+ /* Input bandwidth data */
-+ if (!node->has_bandwidth) {
-+ error_setg(errp, "Missing 'bandwidth' option");
-+ return;
-+ }
-+ if (node->has_latency) {
-+ error_setg(errp, "Invalid option 'latency' since "
-+ "the data type is bandwidth");
-+ return;
-+ }
-+ if (!QEMU_IS_ALIGNED(node->bandwidth, MiB)) {
-+ error_setg(errp, "Bandwidth %" PRIu64 " between initiator=%d and "
-+ "target=%d should be 1MB aligned", node->bandwidth,
-+ node->initiator, node->target);
-+ return;
-+ }
-+
-+ /* Detect duplicate configuration */
-+ for (i = 0; i < hmat_lb->list->len; i++) {
-+ lb_temp = &g_array_index(hmat_lb->list, HMAT_LB_Data, i);
-+
-+ if (node->initiator == lb_temp->initiator &&
-+ node->target == lb_temp->target) {
-+ error_setg(errp, "Duplicate configuration of the bandwidth for "
-+ "initiator=%d and target=%d", node->initiator,
-+ node->target);
-+ return;
-+ }
-+ }
-+
-+ hmat_lb->base = hmat_lb->base ? hmat_lb->base : 1;
-+
-+ if (node->bandwidth) {
-+ /* Keep bitmap unchanged when bandwidth out of range */
-+ bitmap_copy = hmat_lb->range_bitmap;
-+ bitmap_copy |= node->bandwidth;
-+ first_bit = ctz64(bitmap_copy);
-+ temp_base = UINT64_C(1) << first_bit;
-+ max_entry = node->bandwidth / temp_base;
-+ last_bit = 64 - clz64(bitmap_copy);
-+
-+ /*
-+ * For bandwidth, first_bit record the base unit of bandwidth bits,
-+ * last_bit record the last bit of the max bandwidth. The max
-+ * compressed bandwidth should be less than 0xFFFF (UINT16_MAX)
-+ */
-+ if ((last_bit - first_bit) > UINT16_BITS ||
-+ max_entry >= UINT16_MAX) {
-+ error_setg(errp, "Bandwidth %" PRIu64 " between initiator=%d "
-+ "and target=%d should not differ from previously "
-+ "entered values on more than %d", node->bandwidth,
-+ node->initiator, node->target, UINT16_MAX - 1);
-+ return;
-+ } else {
-+ hmat_lb->base = temp_base;
-+ hmat_lb->range_bitmap = bitmap_copy;
-+ }
-+
-+ /*
-+ * Set lb_info_provided bit 1 as 1,
-+ * bandwidth information is provided
-+ */
-+ numa_info[node->target].lb_info_provided |= BIT(1);
-+ }
-+ lb_data.data = node->bandwidth;
-+ } else {
-+ assert(0);
-+ }
-+
-+ g_array_append_val(hmat_lb->list, lb_data);
-+}
-+
- void set_numa_options(MachineState *ms, NumaOptions *object, Error **errp)
- {
- Error *err = NULL;
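Review bot: The range checks at the top of `parse_numa_hmat_lb()` use `>` (`node->initiator > numa_state->num_nodes`, likewise for `target`), while their own error messages say the value "should be less than" `num_nodes`; with `>` a value equal to `num_nodes` passes and is then used to index `numa_info[]`. Change both to `>=`. In the latency branch, `max_entry = node->latency / hmat_lb->base` divides by the old base, which the preceding line has just set to `UINT64_MAX` on first use, rather than by the `temp_base` computed immediately before; that looks unintended and needs either a fix or a comment.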
-@@ -231,6 +412,19 @@ void set_numa_options(MachineState *ms, NumaOptions *object, Error **errp)
- machine_set_cpu_numa_node(ms, qapi_NumaCpuOptions_base(&object->u.cpu),
- &err);
- break;
-+ case NUMA_OPTIONS_TYPE_HMAT_LB:
-+ if (!ms->numa_state->hmat_enabled) {
-+ error_setg(errp, "ACPI Heterogeneous Memory Attribute Table "
-+ "(HMAT) is disabled, enable it with -machine hmat=on "
-+ "before using any of hmat specific options");
-+ return;
-+ }
-+
-+ parse_numa_hmat_lb(ms->numa_state, &object->u.hmat_lb, &err);
-+ if (err) {
-+ goto end;
-+ }
-+ break;
- default:
- abort();
- }
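Review bot: The new `NUMA_OPTIONS_TYPE_HMAT_LB` case reports the HMAT-disabled error with `error_setg(errp, ...)` and a bare `return`, while the lines right below it and the neighbouring `cpu` case use the local `err` and `goto end`. Set `err` and jump to `end` so every case leaves `set_numa_options()` the same way. The error string is a copy of the one added to `parse_numa_node()` by the previous patch; a shared helper or constant would keep the two from drifting.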
-diff --git a/include/sysemu/numa.h b/include/sysemu/numa.h
-index 788cbec7a2096e262555ac6e83cb..70f93c83d71eb2cdab5bf1dde422 100644
---- a/include/sysemu/numa.h
-+++ b/include/sysemu/numa.h
-@@ -14,11 +14,34 @@ struct CPUArchId;
- #define NUMA_DISTANCE_MAX 254
- #define NUMA_DISTANCE_UNREACHABLE 255
-
-+/* the value of AcpiHmatLBInfo flags */
-+enum {
-+ HMAT_LB_MEM_MEMORY = 0,
-+ HMAT_LB_MEM_CACHE_1ST_LEVEL = 1,
-+ HMAT_LB_MEM_CACHE_2ND_LEVEL = 2,
-+ HMAT_LB_MEM_CACHE_3RD_LEVEL = 3,
-+ HMAT_LB_LEVELS /* must be the last entry */
-+};
-+
-+/* the value of AcpiHmatLBInfo data type */
-+enum {
-+ HMAT_LB_DATA_ACCESS_LATENCY = 0,
-+ HMAT_LB_DATA_READ_LATENCY = 1,
-+ HMAT_LB_DATA_WRITE_LATENCY = 2,
-+ HMAT_LB_DATA_ACCESS_BANDWIDTH = 3,
-+ HMAT_LB_DATA_READ_BANDWIDTH = 4,
-+ HMAT_LB_DATA_WRITE_BANDWIDTH = 5,
-+ HMAT_LB_TYPES /* must be the last entry */
-+};
-+
-+#define UINT16_BITS 16
-+
- struct NodeInfo {
- uint64_t node_mem;
- struct HostMemoryBackend *node_memdev;
- bool present;
- bool has_cpu;
-+ uint8_t lb_info_provided;
- uint16_t initiator;
- uint8_t distance[MAX_NODES];
- };
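Review bot: `#define UINT16_BITS 16` puts a generic, unprefixed name into a shared header; keep it local to hw/core/numa.c or give it an HMAT prefix. The `HMAT_LB_DATA_*` enum added here also parallels the `HMATLB_DATA_TYPE_*` values that `parse_numa_hmat_lb()` compares against in this patch, so the comment should say how the two sets relate and which one callers are expected to use.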
-@@ -28,6 +51,31 @@ struct NumaNodeMem {
- uint64_t node_plugged_mem;
- };
-
-+struct HMAT_LB_Data {
-+ uint8_t initiator;
-+ uint8_t target;
-+ uint64_t data;
-+};
-+typedef struct HMAT_LB_Data HMAT_LB_Data;
-+
-+struct HMAT_LB_Info {
-+ /* Indicates it's memory or the specified level memory side cache. */
-+ uint8_t hierarchy;
-+
-+ /* Present the type of data, access/read/write latency or bandwidth. */
-+ uint8_t data_type;
-+
-+ /* The range bitmap of bandwidth for calculating common base */
-+ uint64_t range_bitmap;
-+
-+ /* The common base unit for latencies or bandwidths */
-+ uint64_t base;
-+
-+ /* Array to store the latencies or bandwidths */
-+ GArray *list;
-+};
-+typedef struct HMAT_LB_Info HMAT_LB_Info;
-+
- struct NumaState {
- /* Number of NUMA nodes */
- int num_nodes;
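Review bot: struct HMAT_LB_Data stores `initiator` and `target` as uint8_t, but NumaHmatLBOptions in qapi/machine.json declares both as 'uint16' and NodeInfo keeps `initiator` as uint16_t. The body of parse_numa_hmat_lb() is not part of these hunks, so it is not visible whether the values are range-checked against the node count before they are narrowed. Either widen the two fields to uint16_t or state next to the struct that the parser rejects out-of-range node numbers first.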
-@@ -40,11 +88,16 @@ struct NumaState {
-
- /* NUMA nodes information */
- NodeInfo nodes[MAX_NODES];
-+
-+ /* NUMA nodes HMAT Locality Latency and Bandwidth Information */
-+ HMAT_LB_Info *hmat_lb[HMAT_LB_LEVELS][HMAT_LB_TYPES];
- };
- typedef struct NumaState NumaState;
-
- void set_numa_options(MachineState *ms, NumaOptions *object, Error **errp);
- void parse_numa_opts(MachineState *ms);
-+void parse_numa_hmat_lb(NumaState *numa_state, NumaHmatLBOptions *node,
-+ Error **errp);
- void numa_complete_configuration(MachineState *ms);
- void query_numa_node_mem(NumaNodeMem node_mem[], MachineState *ms);
- extern QemuOptsList qemu_numa_opts;
-diff --git a/qapi/machine.json b/qapi/machine.json
-index 27d0e375342a502c7676d23837a7..cf8faf5a2a4929560c852bf8d50c 100644
---- a/qapi/machine.json
-+++ b/qapi/machine.json
-@@ -426,10 +426,12 @@
- #
- # @cpu: property based CPU(s) to node mapping (Since: 2.10)
- #
-+# @hmat-lb: memory latency and bandwidth information (Since: 5.0)
-+#
- # Since: 2.1
- ##
- { 'enum': 'NumaOptionsType',
-- 'data': [ 'node', 'dist', 'cpu' ] }
-+ 'data': [ 'node', 'dist', 'cpu', 'hmat-lb' ] }
-
- ##
- # @NumaOptions:
-@@ -444,7 +446,8 @@
- 'data': {
- 'node': 'NumaNodeOptions',
- 'dist': 'NumaDistOptions',
-- 'cpu': 'NumaCpuOptions' }}
-+ 'cpu': 'NumaCpuOptions',
-+ 'hmat-lb': 'NumaHmatLBOptions' }}
-
- ##
- # @NumaNodeOptions:
-@@ -557,6 +560,92 @@
- 'base': 'CpuInstanceProperties',
- 'data' : {} }
-
-+##
-+# @HmatLBMemoryHierarchy:
-+#
-+# The memory hierarchy in the System Locality Latency and Bandwidth
-+# Information Structure of HMAT (Heterogeneous Memory Attribute Table)
-+#
-+# For more information about @HmatLBMemoryHierarchy, see chapter
-+# 5.2.27.4: Table 5-146: Field "Flags" of ACPI 6.3 spec.
-+#
-+# @memory: the structure represents the memory performance
-+#
-+# @first-level: first level of memory side cache
-+#
-+# @second-level: second level of memory side cache
-+#
-+# @third-level: third level of memory side cache
-+#
-+# Since: 5.0
-+##
-+{ 'enum': 'HmatLBMemoryHierarchy',
-+ 'data': [ 'memory', 'first-level', 'second-level', 'third-level' ] }
-+
-+##
-+# @HmatLBDataType:
-+#
-+# Data type in the System Locality Latency and Bandwidth
-+# Information Structure of HMAT (Heterogeneous Memory Attribute Table)
-+#
-+# For more information about @HmatLBDataType, see chapter
-+# 5.2.27.4: Table 5-146: Field "Data Type" of ACPI 6.3 spec.
-+#
-+# @access-latency: access latency (nanoseconds)
-+#
-+# @read-latency: read latency (nanoseconds)
-+#
-+# @write-latency: write latency (nanoseconds)
-+#
-+# @access-bandwidth: access bandwidth (Bytes per second)
-+#
-+# @read-bandwidth: read bandwidth (Bytes per second)
-+#
-+# @write-bandwidth: write bandwidth (Bytes per second)
-+#
-+# Since: 5.0
-+##
-+{ 'enum': 'HmatLBDataType',
-+ 'data': [ 'access-latency', 'read-latency', 'write-latency',
-+ 'access-bandwidth', 'read-bandwidth', 'write-bandwidth' ] }
-+
-+##
-+# @NumaHmatLBOptions:
-+#
-+# Set the system locality latency and bandwidth information
-+# between Initiator and Target proximity Domains.
-+#
-+# For more information about @NumaHmatLBOptions, see chapter
-+# 5.2.27.4: Table 5-146 of ACPI 6.3 spec.
-+#
-+# @initiator: the Initiator Proximity Domain.
-+#
-+# @target: the Target Proximity Domain.
-+#
-+# @hierarchy: the Memory Hierarchy. Indicates the performance
-+# of memory or side cache.
-+#
-+# @data-type: presents the type of data, access/read/write
-+# latency or hit latency.
-+#
-+# @latency: the value of latency from @initiator to @target
-+# proximity domain, the latency unit is "ns(nanosecond)".
-+#
-+# @bandwidth: the value of bandwidth between @initiator and @target
-+# proximity domain, the bandwidth unit is
-+# "Bytes per second".
-+#
-+# Since: 5.0
-+##
-+{ 'struct': 'NumaHmatLBOptions',
-+ 'data': {
-+ 'initiator': 'uint16',
-+ 'target': 'uint16',
-+ 'hierarchy': 'HmatLBMemoryHierarchy',
-+ 'data-type': 'HmatLBDataType',
-+ '*latency': 'uint64',
-+ '*bandwidth': 'size' }}
-+
- ##
- # @HostMemPolicy:
- #
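Review bot: the @data-type description in NumaHmatLBOptions reads "access/read/write latency or hit latency" and never mentions bandwidth, although HmatLBDataType defines three bandwidth values. The struct also makes both '*latency' and '*bandwidth' optional without saying which one has to accompany which data-type, or what happens when neither or both are given. Please spell that out in the doc comment.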
-diff --git a/qemu-options.hx b/qemu-options.hx
-index 9b1618cd34d9fe1d8374d6abb954..5f7f31457ab6a8640698f6913b07 100644
---- a/qemu-options.hx
-+++ b/qemu-options.hx
-@@ -168,16 +168,19 @@ DEF("numa", HAS_ARG, QEMU_OPTION_numa,
- "-numa node[,mem=size][,cpus=firstcpu[-lastcpu]][,nodeid=node][,initiator=node]\n"
- "-numa node[,memdev=id][,cpus=firstcpu[-lastcpu]][,nodeid=node][,initiator=node]\n"
- "-numa dist,src=source,dst=destination,val=distance\n"
-- "-numa cpu,node-id=node[,socket-id=x][,core-id=y][,thread-id=z]\n",
-+ "-numa cpu,node-id=node[,socket-id=x][,core-id=y][,thread-id=z]\n"
-+ "-numa hmat-lb,initiator=node,target=node,hierarchy=memory|first-level|second-level|third-level,data-type=access-latency|read-latency|write-latency[,latency=lat][,bandwidth=bw]\n",
- QEMU_ARCH_ALL)
- STEXI
- @item -numa node[,mem=@var{size}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}][,initiator=@var{initiator}]
- @itemx -numa node[,memdev=@var{id}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}][,initiator=@var{initiator}]
- @itemx -numa dist,src=@var{source},dst=@var{destination},val=@var{distance}
- @itemx -numa cpu,node-id=@var{node}[,socket-id=@var{x}][,core-id=@var{y}][,thread-id=@var{z}]
-+@itemx -numa hmat-lb,initiator=@var{node},target=@var{node},hierarchy=@var{hierarchy},data-type=@var{tpye}[,latency=@var{lat}][,bandwidth=@var{bw}]
- @findex -numa
- Define a NUMA node and assign RAM and VCPUs to it.
- Set the NUMA distance from a source node to a destination node.
-+Set the ACPI Heterogeneous Memory Attributes for the given nodes.
-
- Legacy VCPU assignment uses @samp{cpus} option where
- @var{firstcpu} and @var{lastcpu} are CPU indexes. Each
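Review bot: the -numa hmat-lb help string lists only access-latency|read-latency|write-latency for data-type, but HmatLBDataType also has access-bandwidth, read-bandwidth and write-bandwidth, and the example added further down uses data-type=access-bandwidth. The help text should list all six values. The @itemx line also has a typo, `@var{tpye}`, which should be `@var{type}`.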
-@@ -256,6 +259,48 @@ specified resources, it just assigns existing resources to NUMA
- nodes. This means that one still has to use the @option{-m},
- @option{-smp} options to allocate RAM and VCPUs respectively.
-
-+Use @samp{hmat-lb} to set System Locality Latency and Bandwidth Information
-+between initiator and target NUMA nodes in ACPI Heterogeneous Attribute Memory Table (HMAT).
-+Initiator NUMA node can create memory requests, usually it has one or more processors.
-+Target NUMA node contains addressable memory.
-+
-+In @samp{hmat-lb} option, @var{node} are NUMA node IDs. @var{hierarchy} is the memory
-+hierarchy of the target NUMA node: if @var{hierarchy} is 'memory', the structure
-+represents the memory performance; if @var{hierarchy} is 'first-level|second-level|third-level',
-+this structure represents aggregated performance of memory side caches for each domain.
-+@var{type} of 'data-type' is type of data represented by this structure instance:
-+if 'hierarchy' is 'memory', 'data-type' is 'access|read|write' latency or 'access|read|write'
-+bandwidth of the target memory; if 'hierarchy' is 'first-level|second-level|third-level',
-+'data-type' is 'access|read|write' hit latency or 'access|read|write' hit bandwidth of the
-+target memory side cache.
-+
-+@var{lat} is latency value in nanoseconds. @var{bw} is bandwidth value,
-+the possible value and units are NUM[M|G|T], mean that the bandwidth value are
-+NUM byte per second (or MB/s, GB/s or TB/s depending on used suffix).
-+Note that if latency or bandwidth value is 0, means the corresponding latency or
-+bandwidth information is not provided.
-+
-+For example, the following options describe 2 NUMA nodes. Node 0 has 2 cpus and
-+a ram, node 1 has only a ram. The processors in node 0 access memory in node
-+0 with access-latency 5 nanoseconds, access-bandwidth is 200 MB/s;
-+The processors in NUMA node 0 access memory in NUMA node 1 with access-latency 10
-+nanoseconds, access-bandwidth is 100 MB/s.
-+@example
-+-machine hmat=on \
-+-m 2G \
-+-object memory-backend-ram,size=1G,id=m0 \
-+-object memory-backend-ram,size=1G,id=m1 \
-+-smp 2 \
-+-numa node,nodeid=0,memdev=m0 \
-+-numa node,nodeid=1,memdev=m1,initiator=0 \
-+-numa cpu,node-id=0,socket-id=0 \
-+-numa cpu,node-id=0,socket-id=1 \
-+-numa hmat-lb,initiator=0,target=0,hierarchy=memory,data-type=access-latency,latency=5 \
-+-numa hmat-lb,initiator=0,target=0,hierarchy=memory,data-type=access-bandwidth,bandwidth=200M \
-+-numa hmat-lb,initiator=0,target=1,hierarchy=memory,data-type=access-latency,latency=10 \
-+-numa hmat-lb,initiator=0,target=1,hierarchy=memory,data-type=access-bandwidth,bandwidth=100M
-+@end example
-+
- ETEXI
-
- DEF("add-fd", HAS_ARG, QEMU_OPTION_add_fd,
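Review bot: the first documentation paragraph names the table "ACPI Heterogeneous Attribute Memory Table (HMAT)", with the words in a different order from the "Heterogeneous Memory Attribute Table" used in the error message and the QAPI comments of this same patch. Please use one name throughout. The text also refers to `@var{type}` while the @itemx line declares `@var{tpye}`, so the two will not match until the typo is fixed.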
+++ /dev/null
-From: Liu Jingqi <jingqi.liu@intel.com>
-Date: Fri, 13 Dec 2019 09:19:24 +0800
-Subject: numa: Extend CLI to provide memory side cache information
-
-Git-commit: c412a48d4d91e8f8b89aae02de0f44f1f0b729e5
-References: jsc#SLE-8897
-
-Add -numa hmat-cache option to provide Memory Side Cache Information.
-These memory attributes help to build Memory Side Cache Information
-Structure(s) in ACPI Heterogeneous Memory Attribute Table (HMAT).
-Before using hmat-cache option, enable HMAT with -machine hmat=on.
-
-Acked-by: Markus Armbruster <armbru@redhat.com>
-Signed-off-by: Liu Jingqi <jingqi.liu@intel.com>
-Signed-off-by: Tao Xu <tao3.xu@intel.com>
-Message-Id: <20191213011929.2520-4-tao3.xu@intel.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Signed-off-by: Bruce Rogers brogers@suse.com>
----
- hw/core/numa.c | 80 ++++++++++++++++++++++++++++++++++++++++++
- include/sysemu/numa.h | 5 +++
- qapi/machine.json | 81 +++++++++++++++++++++++++++++++++++++++++--
- qemu-options.hx | 17 +++++++--
- 4 files changed, 179 insertions(+), 4 deletions(-)
-
-diff --git a/hw/core/numa.c b/hw/core/numa.c
-index 58fe7138b290f8b8cbc340d3d1ec..0d1b4be76a69fe7baba48f928f2f 100644
---- a/hw/core/numa.c
-+++ b/hw/core/numa.c
-@@ -375,6 +375,73 @@ void parse_numa_hmat_lb(NumaState *numa_state, NumaHmatLBOptions *node,
- g_array_append_val(hmat_lb->list, lb_data);
- }
-
-+void parse_numa_hmat_cache(MachineState *ms, NumaHmatCacheOptions *node,
-+ Error **errp)
-+{
-+ int nb_numa_nodes = ms->numa_state->num_nodes;
-+ NodeInfo *numa_info = ms->numa_state->nodes;
-+ NumaHmatCacheOptions *hmat_cache = NULL;
-+
-+ if (node->node_id >= nb_numa_nodes) {
-+ error_setg(errp, "Invalid node-id=%" PRIu32 ", it should be less "
-+ "than %d", node->node_id, nb_numa_nodes);
-+ return;
-+ }
-+
-+ if (numa_info[node->node_id].lb_info_provided != (BIT(0) | BIT(1))) {
-+ error_setg(errp, "The latency and bandwidth information of "
-+ "node-id=%" PRIu32 " should be provided before memory side "
-+ "cache attributes", node->node_id);
-+ return;
-+ }
-+
-+ if (node->level < 1 || node->level >= HMAT_LB_LEVELS) {
-+ error_setg(errp, "Invalid level=%" PRIu8 ", it should be larger than 0 "
-+ "and less than or equal to %d", node->level,
-+ HMAT_LB_LEVELS - 1);
-+ return;
-+ }
-+
-+ assert(node->associativity < HMAT_CACHE_ASSOCIATIVITY__MAX);
-+ assert(node->policy < HMAT_CACHE_WRITE_POLICY__MAX);
-+ if (ms->numa_state->hmat_cache[node->node_id][node->level]) {
-+ error_setg(errp, "Duplicate configuration of the side cache for "
-+ "node-id=%" PRIu32 " and level=%" PRIu8,
-+ node->node_id, node->level);
-+ return;
-+ }
-+
-+ if ((node->level > 1) &&
-+ ms->numa_state->hmat_cache[node->node_id][node->level - 1] &&
-+ (node->size >=
-+ ms->numa_state->hmat_cache[node->node_id][node->level - 1]->size)) {
-+ error_setg(errp, "Invalid size=%" PRIu64 ", the size of level=%" PRIu8
-+ " should be less than the size(%" PRIu64 ") of "
-+ "level=%u", node->size, node->level,
-+ ms->numa_state->hmat_cache[node->node_id]
-+ [node->level - 1]->size,
-+ node->level - 1);
-+ return;
-+ }
-+
-+ if ((node->level < HMAT_LB_LEVELS - 1) &&
-+ ms->numa_state->hmat_cache[node->node_id][node->level + 1] &&
-+ (node->size <=
-+ ms->numa_state->hmat_cache[node->node_id][node->level + 1]->size)) {
-+ error_setg(errp, "Invalid size=%" PRIu64 ", the size of level=%" PRIu8
-+ " should be larger than the size(%" PRIu64 ") of "
-+ "level=%u", node->size, node->level,
-+ ms->numa_state->hmat_cache[node->node_id]
-+ [node->level + 1]->size,
-+ node->level + 1);
-+ return;
-+ }
-+
-+ hmat_cache = g_malloc0(sizeof(*hmat_cache));
-+ memcpy(hmat_cache, node, sizeof(*hmat_cache));
-+ ms->numa_state->hmat_cache[node->node_id][node->level] = hmat_cache;
-+}
-+
- void set_numa_options(MachineState *ms, NumaOptions *object, Error **errp)
- {
- Error *err = NULL;
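Review bot: in parse_numa_hmat_cache() the precondition `lb_info_provided != (BIT(0) | BIT(1))` uses bare bit numbers, so a reader cannot tell from this function which bit stands for latency and which for bandwidth; named constants would make the check self-explanatory. Smaller point: both size error messages print the neighbouring level with "level=%u", but `node->level - 1` and `node->level + 1` are int after promotion, so %d (as used for HMAT_LB_LEVELS - 1 above) is the matching format. There is also no check that `size` or `line` is non-zero before the entry is stored.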
-@@ -425,6 +492,19 @@ void set_numa_options(MachineState *ms, NumaOptions *object, Error **errp)
- goto end;
- }
- break;
-+ case NUMA_OPTIONS_TYPE_HMAT_CACHE:
-+ if (!ms->numa_state->hmat_enabled) {
-+ error_setg(errp, "ACPI Heterogeneous Memory Attribute Table "
-+ "(HMAT) is disabled, enable it with -machine hmat=on "
-+ "before using any of hmat specific options");
-+ return;
-+ }
-+
-+ parse_numa_hmat_cache(ms, &object->u.hmat_cache, &err);
-+ if (err) {
-+ goto end;
-+ }
-+ break;
- default:
- abort();
- }
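Review bot: the hmat_enabled check and its three-line error message in the NUMA_OPTIONS_TYPE_HMAT_CACHE case are copied verbatim from the hmat-lb case added by the earlier patch. A small helper, or a single check placed before the switch for the HMAT option types, would keep the message in one place. As in the hmat-lb case, this branch returns directly while the parse failure uses `goto end`.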
-diff --git a/include/sysemu/numa.h b/include/sysemu/numa.h
-index 70f93c83d71eb2cdab5bf1dde422..ba693cc80b780ecccd49a4fa9145 100644
---- a/include/sysemu/numa.h
-+++ b/include/sysemu/numa.h
-@@ -91,6 +91,9 @@ struct NumaState {
-
- /* NUMA nodes HMAT Locality Latency and Bandwidth Information */
- HMAT_LB_Info *hmat_lb[HMAT_LB_LEVELS][HMAT_LB_TYPES];
-+
-+ /* Memory Side Cache Information Structure */
-+ NumaHmatCacheOptions *hmat_cache[MAX_NODES][HMAT_LB_LEVELS];
- };
- typedef struct NumaState NumaState;
-
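Review bot: `hmat_cache[MAX_NODES][HMAT_LB_LEVELS]` reserves a slot for level 0, which parse_numa_hmat_cache() never fills because it rejects `level < 1`. The comment above the member should say that index 0 is unused and that entries stay NULL until configured, so code that walks the array does not assume otherwise.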
-@@ -98,6 +101,8 @@ void set_numa_options(MachineState *ms, NumaOptions *object, Error **errp);
- void parse_numa_opts(MachineState *ms);
- void parse_numa_hmat_lb(NumaState *numa_state, NumaHmatLBOptions *node,
- Error **errp);
-+void parse_numa_hmat_cache(MachineState *ms, NumaHmatCacheOptions *node,
-+ Error **errp);
- void numa_complete_configuration(MachineState *ms);
- void query_numa_node_mem(NumaNodeMem node_mem[], MachineState *ms);
- extern QemuOptsList qemu_numa_opts;
-diff --git a/qapi/machine.json b/qapi/machine.json
-index cf8faf5a2a4929560c852bf8d50c..b3d30bc8162da9a0b60005fdd86b 100644
---- a/qapi/machine.json
-+++ b/qapi/machine.json
-@@ -428,10 +428,12 @@
- #
- # @hmat-lb: memory latency and bandwidth information (Since: 5.0)
- #
-+# @hmat-cache: memory side cache information (Since: 5.0)
-+#
- # Since: 2.1
- ##
- { 'enum': 'NumaOptionsType',
-- 'data': [ 'node', 'dist', 'cpu', 'hmat-lb' ] }
-+ 'data': [ 'node', 'dist', 'cpu', 'hmat-lb', 'hmat-cache' ] }
-
- ##
- # @NumaOptions:
-@@ -447,7 +449,8 @@
- 'node': 'NumaNodeOptions',
- 'dist': 'NumaDistOptions',
- 'cpu': 'NumaCpuOptions',
-- 'hmat-lb': 'NumaHmatLBOptions' }}
-+ 'hmat-lb': 'NumaHmatLBOptions',
-+ 'hmat-cache': 'NumaHmatCacheOptions' }}
-
- ##
- # @NumaNodeOptions:
-@@ -646,6 +649,80 @@
- '*latency': 'uint64',
- '*bandwidth': 'size' }}
-
-+##
-+# @HmatCacheAssociativity:
-+#
-+# Cache associativity in the Memory Side Cache Information Structure
-+# of HMAT
-+#
-+# For more information of @HmatCacheAssociativity, see chapter
-+# 5.2.27.5: Table 5-147 of ACPI 6.3 spec.
-+#
-+# @none: None (no memory side cache in this proximity domain,
-+# or cache associativity unknown)
-+#
-+# @direct: Direct Mapped
-+#
-+# @complex: Complex Cache Indexing (implementation specific)
-+#
-+# Since: 5.0
-+##
-+{ 'enum': 'HmatCacheAssociativity',
-+ 'data': [ 'none', 'direct', 'complex' ] }
-+
-+##
-+# @HmatCacheWritePolicy:
-+#
-+# Cache write policy in the Memory Side Cache Information Structure
-+# of HMAT
-+#
-+# For more information of @HmatCacheWritePolicy, see chapter
-+# 5.2.27.5: Table 5-147: Field "Cache Attributes" of ACPI 6.3 spec.
-+#
-+# @none: None (no memory side cache in this proximity domain,
-+# or cache write policy unknown)
-+#
-+# @write-back: Write Back (WB)
-+#
-+# @write-through: Write Through (WT)
-+#
-+# Since: 5.0
-+##
-+{ 'enum': 'HmatCacheWritePolicy',
-+ 'data': [ 'none', 'write-back', 'write-through' ] }
-+
-+##
-+# @NumaHmatCacheOptions:
-+#
-+# Set the memory side cache information for a given memory domain.
-+#
-+# For more information of @NumaHmatCacheOptions, see chapter
-+# 5.2.27.5: Table 5-147: Field "Cache Attributes" of ACPI 6.3 spec.
-+#
-+# @node-id: the memory proximity domain to which the memory belongs.
-+#
-+# @size: the size of memory side cache in bytes.
-+#
-+# @level: the cache level described in this structure.
-+#
-+# @associativity: the cache associativity,
-+# none/direct-mapped/complex(complex cache indexing).
-+#
-+# @policy: the write policy, none/write-back/write-through.
-+#
-+# @line: the cache Line size in bytes.
-+#
-+# Since: 5.0
-+##
-+{ 'struct': 'NumaHmatCacheOptions',
-+ 'data': {
-+ 'node-id': 'uint32',
-+ 'size': 'size',
-+ 'level': 'uint8',
-+ 'associativity': 'HmatCacheAssociativity',
-+ 'policy': 'HmatCacheWritePolicy',
-+ 'line': 'uint16' }}
-+
- ##
- # @HostMemPolicy:
- #
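Review bot: the @level description in NumaHmatCacheOptions gives no valid range, while parse_numa_hmat_cache() rejects 0 and anything at or above HMAT_LB_LEVELS. Please document the accepted values here so the schema and the parser agree. The same applies to @size and @line, which carry no stated constraints.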
-diff --git a/qemu-options.hx b/qemu-options.hx
-index 5f7f31457ab6a8640698f6913b07..b0471ed152d77c9e0512c842149f 100644
---- a/qemu-options.hx
-+++ b/qemu-options.hx
-@@ -169,7 +169,8 @@ DEF("numa", HAS_ARG, QEMU_OPTION_numa,
- "-numa node[,memdev=id][,cpus=firstcpu[-lastcpu]][,nodeid=node][,initiator=node]\n"
- "-numa dist,src=source,dst=destination,val=distance\n"
- "-numa cpu,node-id=node[,socket-id=x][,core-id=y][,thread-id=z]\n"
-- "-numa hmat-lb,initiator=node,target=node,hierarchy=memory|first-level|second-level|third-level,data-type=access-latency|read-latency|write-latency[,latency=lat][,bandwidth=bw]\n",
-+ "-numa hmat-lb,initiator=node,target=node,hierarchy=memory|first-level|second-level|third-level,data-type=access-latency|read-latency|write-latency[,latency=lat][,bandwidth=bw]\n"
-+ "-numa hmat-cache,node-id=node,size=size,level=level[,associativity=none|direct|complex][,policy=none|write-back|write-through][,line=size]\n",
- QEMU_ARCH_ALL)
- STEXI
- @item -numa node[,mem=@var{size}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}][,initiator=@var{initiator}]
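Review bot: the -numa hmat-cache help string puts associativity, policy and line in square brackets, but NumaHmatCacheOptions declares 'associativity', 'policy' and 'line' without a leading '*', which makes them mandatory in QAPI. Either mark the members optional in the schema (and define defaults) or drop the brackets from the help text and the @itemx line.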
-@@ -177,6 +178,7 @@ STEXI
- @itemx -numa dist,src=@var{source},dst=@var{destination},val=@var{distance}
- @itemx -numa cpu,node-id=@var{node}[,socket-id=@var{x}][,core-id=@var{y}][,thread-id=@var{z}]
- @itemx -numa hmat-lb,initiator=@var{node},target=@var{node},hierarchy=@var{hierarchy},data-type=@var{tpye}[,latency=@var{lat}][,bandwidth=@var{bw}]
-+@itemx -numa hmat-cache,node-id=@var{node},size=@var{size},level=@var{level}[,associativity=@var{str}][,policy=@var{str}][,line=@var{size}]
- @findex -numa
- Define a NUMA node and assign RAM and VCPUs to it.
- Set the NUMA distance from a source node to a destination node.
-@@ -280,11 +282,20 @@ NUM byte per second (or MB/s, GB/s or TB/s depending on used suffix).
- Note that if latency or bandwidth value is 0, means the corresponding latency or
- bandwidth information is not provided.
-
-+In @samp{hmat-cache} option, @var{node-id} is the NUMA-id of the memory belongs.
-+@var{size} is the size of memory side cache in bytes. @var{level} is the cache
-+level described in this structure, note that the cache level 0 should not be used
-+with @samp{hmat-cache} option. @var{associativity} is the cache associativity,
-+the possible value is 'none/direct(direct-mapped)/complex(complex cache indexing)'.
-+@var{policy} is the write policy. @var{line} is the cache Line size in bytes.
-+
- For example, the following options describe 2 NUMA nodes. Node 0 has 2 cpus and
- a ram, node 1 has only a ram. The processors in node 0 access memory in node
- 0 with access-latency 5 nanoseconds, access-bandwidth is 200 MB/s;
- The processors in NUMA node 0 access memory in NUMA node 1 with access-latency 10
- nanoseconds, access-bandwidth is 100 MB/s.
-+And for memory side cache information, NUMA node 0 and 1 both have 1 level memory
-+cache, size is 10KB, policy is write-back, the cache Line size is 8 bytes:
- @example
- -machine hmat=on \
- -m 2G \
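Review bot: the sentence "@var{node-id} is the NUMA-id of the memory belongs" in the new hmat-cache paragraph is missing words; the QAPI comment's "the memory proximity domain to which the memory belongs" reads correctly and could be reused. The paragraph also warns against level 0 but does not give the highest level accepted.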
-@@ -298,7 +309,9 @@ nanoseconds, access-bandwidth is 100 MB/s.
- -numa hmat-lb,initiator=0,target=0,hierarchy=memory,data-type=access-latency,latency=5 \
- -numa hmat-lb,initiator=0,target=0,hierarchy=memory,data-type=access-bandwidth,bandwidth=200M \
- -numa hmat-lb,initiator=0,target=1,hierarchy=memory,data-type=access-latency,latency=10 \
---numa hmat-lb,initiator=0,target=1,hierarchy=memory,data-type=access-bandwidth,bandwidth=100M
-+-numa hmat-lb,initiator=0,target=1,hierarchy=memory,data-type=access-bandwidth,bandwidth=100M \
-+-numa hmat-cache,node-id=0,size=10K,level=1,associativity=direct,policy=write-back,line=8 \
-+-numa hmat-cache,node-id=1,size=10K,level=1,associativity=direct,policy=write-back,line=8
- @end example
-
- ETEXI
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 11 Aug 2020 17:11:29 +0530
-Subject: nvram: add nrf51_soc flash read method
-
-Git-commit: b5bf601f364e1a14ca4c3276f88dfec024acf613
-References: bsc#1173612, CVE-2020-15469
-
-Add nrf51_soc mmio read method to avoid NULL pointer dereference
-issue.
-
-Reported-by: Lei Sun <slei.casper@gmail.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Message-Id: <20200811114133.672647-6-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/nvram/nrf51_nvm.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c
-index 4d678f994e7d7579d6328aeb5d9a..61365e9174b7e3328c748da329fb 100644
---- a/hw/nvram/nrf51_nvm.c
-+++ b/hw/nvram/nrf51_nvm.c
-@@ -273,6 +273,15 @@ static const MemoryRegionOps io_ops = {
- .endianness = DEVICE_LITTLE_ENDIAN,
- };
-
-+static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size)
-+{
-+ /*
-+ * This is a rom_device MemoryRegion which is always in
-+ * romd_mode (we never put it in MMIO mode), so reads always
-+ * go directly to RAM and never come here.
-+ */
-+ g_assert_not_reached();
-+}
-
- static void flash_write(void *opaque, hwaddr offset, uint64_t value,
- unsigned int size)
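Review bot: flash_read() ends in g_assert_not_reached(), so the callback is only safe as long as the comment's claim holds that the region is always in romd_mode. If any path ever puts the region into MMIO mode, a guest read would abort QEMU instead of dereferencing NULL. Please either point to where romd_mode is established so the invariant can be checked, or log through qemu_log_mask() and return a fixed value so a guest-triggered read cannot terminate the process.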
-@@ -300,6 +309,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value,
-
-
- static const MemoryRegionOps flash_ops = {
-+ .read = flash_read,
- .write = flash_write,
- .valid.min_access_size = 4,
- .valid.max_access_size = 4,
+++ /dev/null
-From: Lin Ma <lma@suse.com>
-Date: Mon, 13 Sep 2021 17:07:19 +0800
-Subject: osdep: provide ROUND_DOWN macro
-
-Git-commit: c9797456f64ce72c03eb2969d97ac1dd4698d91e
-References: bsc#1190425
-
-osdep.h provides a ROUND_UP macro to hide bitwise operations for the
-purpose of rounding a number up to a power of two; add a ROUND_DOWN
-macro that does the same with truncation towards zero.
-
-While at it, change the formatting of some comments.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- include/qemu/osdep.h | 28 ++++++++++++++++++++++------
- 1 file changed, 22 insertions(+), 6 deletions(-)
-
-diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
-index 0f97d68586add1396cbe3c647c51..6cb89df3f2b79018413b26ee58e0 100644
---- a/include/qemu/osdep.h
-+++ b/include/qemu/osdep.h
-@@ -264,11 +264,16 @@ extern int daemon(int, int);
- ((b) == 0 ? (a) : (MIN(a, b))))
- #endif
-
--/* Round number down to multiple */
-+/*
-+ * Round number down to multiple. Safe when m is not a power of 2 (see
-+ * ROUND_DOWN for a faster version when a power of 2 is guaranteed).
-+ */
- #define QEMU_ALIGN_DOWN(n, m) ((n) / (m) * (m))
-
--/* Round number up to multiple. Safe when m is not a power of 2 (see
-- * ROUND_UP for a faster version when a power of 2 is guaranteed) */
-+/*
-+ * Round number up to multiple. Safe when m is not a power of 2 (see
-+ * ROUND_UP for a faster version when a power of 2 is guaranteed).
-+ */
- #define QEMU_ALIGN_UP(n, m) QEMU_ALIGN_DOWN((n) + (m) - 1, (m))
-
- /* Check if n is a multiple of m */
-@@ -285,11 +290,22 @@ extern int daemon(int, int);
- /* Check if pointer p is n-bytes aligned */
- #define QEMU_PTR_IS_ALIGNED(p, n) QEMU_IS_ALIGNED((uintptr_t)(p), (n))
-
--/* Round number up to multiple. Requires that d be a power of 2 (see
-+/*
-+ * Round number down to multiple. Requires that d be a power of 2 (see
- * QEMU_ALIGN_UP for a safer but slower version on arbitrary
-- * numbers); works even if d is a smaller type than n. */
-+ * numbers); works even if d is a smaller type than n.
-+ */
-+#ifndef ROUND_DOWN
-+#define ROUND_DOWN(n, d) ((n) & -(0 ? (n) : (d)))
-+#endif
-+
-+/*
-+ * Round number up to multiple. Requires that d be a power of 2 (see
-+ * QEMU_ALIGN_UP for a safer but slower version on arbitrary
-+ * numbers); works even if d is a smaller type than n.
-+ */
- #ifndef ROUND_UP
--#define ROUND_UP(n, d) (((n) + (d) - 1) & -(0 ? (n) : (d)))
-+#define ROUND_UP(n, d) ROUND_DOWN((n) + (d) - 1, (d))
- #endif
-
- #ifndef DIV_ROUND_UP
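Review bot: ROUND_UP is now defined as `ROUND_DOWN((n) + (d) - 1, (d))`, and both macros sit under their own #ifndef guard. If a system header already defines ROUND_DOWN, ROUND_UP silently picks up that definition rather than the one written here. Keeping ROUND_UP's expansion self-contained, or noting the dependency in the comment, would avoid that. The `-(0 ? (n) : (d))` idiom would also benefit from a one-line explanation next to ROUND_DOWN, since the "works even if d is a smaller type than n" remark does not say how.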
+++ /dev/null
-From: Marc Hartmayer <mhartmay@linux.ibm.com>
-Date: Thu, 24 Sep 2020 10:59:25 +0200
-Subject: pc-bios/s390-ccw: break loop if a null block number is reached
-
-Git-commit: 468184ec9024f4f7b55247f70ec57554e8a500d7
-References: bsc#1183979
-
-Break the loop if `cur_block_nr` is a null block number because this
-means that the end of chunk is reached. In this case we will try to
-boot the default entry.
-
-Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu")
-Reviewed-by: Collin Walling <walling@linux.ibm.com>
-Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
-Message-Id: <20200924085926.21709-3-mhartmay@linux.ibm.com>
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- pc-bios/s390-ccw/bootmap.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
-index ba6b25fb982cca53e1f8bab1f344..fd72714de4997947dc0063f8c183 100644
---- a/pc-bios/s390-ccw/bootmap.c
-+++ b/pc-bios/s390-ccw/bootmap.c
-@@ -192,7 +192,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr)
- for (i = 0; i < STAGE2_BLK_CNT_MAX; i++) {
- cur_block_nr = eckd_block_num(&s1b->seek[i].chs);
-
-- if (!cur_block_nr) {
-+ if (!cur_block_nr || is_null_block_number(cur_block_nr)) {
- break;
- }
-
+++ /dev/null
-From: Marc Hartmayer <mhartmay@linux.ibm.com>
-Date: Fri, 16 Apr 2021 09:47:36 +0200
-Subject: pc-bios/s390-ccw: don't try to read the next block if end of chunk is
- reached
-
-Git-commit: a6625d38cce3901a7c1cba069f0abcf743a293f1
-References: bsc#1186290
-
-Don't read the block if a null block number is reached, because this means that
-the end of chunk is reached.
-
-Reviewed-by: Collin Walling <walling@linux.ibm.com>
-Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
-Message-Id: <20210416074736.17409-1-mhartmay@linux.ibm.com>
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Signed-off-by: Cho, Yu-Chen <acho@suse.com>
----
- pc-bios/s390-ccw/bootmap.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
-index fd72714de4997947dc0063f8c183..babe7ac9381518eec730c20f1d03 100644
---- a/pc-bios/s390-ccw/bootmap.c
-+++ b/pc-bios/s390-ccw/bootmap.c
-@@ -212,7 +212,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr)
- next_block_nr = eckd_block_num(&s1b->seek[i + 1].chs);
- }
-
-- if (next_block_nr) {
-+ if (next_block_nr && !is_null_block_number(next_block_nr)) {
- read_block(next_block_nr, s2_next_blk,
- "Cannot read stage2 boot loader");
- }
+++ /dev/null
-From: Marc Hartmayer <mhartmay@linux.ibm.com>
-Date: Thu, 24 Sep 2020 10:59:24 +0200
-Subject: pc-bios/s390-ccw: fix off-by-one error
-
-Git-commit: 5f97ba0c74ccace0a4014460de9751ff3c6f454a
-References: bsc#1183979
-
-This error takes effect when the magic value "zIPL" is located at the
-end of a block. For example if s2_cur_blk = 0x7fe18000 and the magic
-value "zIPL" is located at 0x7fe18ffc - 0x7fe18fff.
-
-Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu")
-Reviewed-by: Collin Walling <walling@linux.ibm.com>
-Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
-Message-Id: <20200924085926.21709-2-mhartmay@linux.ibm.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-[thuth: Use "<= ... - 4" instead of "< ... - 3"]
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- pc-bios/s390-ccw/bootmap.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
-index d13b7cbd1597bf2e531efcf8f54e..ba6b25fb982cca53e1f8bab1f344 100644
---- a/pc-bios/s390-ccw/bootmap.c
-+++ b/pc-bios/s390-ccw/bootmap.c
-@@ -163,7 +163,7 @@ static bool find_zipl_boot_menu_banner(int *offset)
- int i;
-
- /* Menu banner starts with "zIPL" */
-- for (i = 0; i < virtio_get_block_size() - 4; i++) {
-+ for (i = 0; i <= virtio_get_block_size() - 4; i++) {
- if (magic_match(s2_cur_blk + i, ZIPL_MAGIC_EBCDIC)) {
- *offset = i;
- return true;
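Review bot: the loop bound `i <= virtio_get_block_size() - 4` calls virtio_get_block_size() on every iteration and compares the result against `int i`; the function's return type is not visible in this hunk, so it is unclear how the subtraction behaves for a block size below 4. Reading the block size once into a local of a known type before the loop would make the bound and the comparison explicit.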
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Wed, 29 May 2019 09:59:02 -0600
-Subject: pc-bios/s390-ccw/net: avoid warning about packed structure members
-
-This is hopefully temporary. Simply disable the warning about taking
-the address of packed structure members which is new in gcc9.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- pc-bios/s390-ccw/netboot.mak | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/pc-bios/s390-ccw/netboot.mak b/pc-bios/s390-ccw/netboot.mak
-index 5eefb7c289395ca37fcd241ce53d..ea2994722cde7e8a65796d374dc7 100644
---- a/pc-bios/s390-ccw/netboot.mak
-+++ b/pc-bios/s390-ccw/netboot.mak
-@@ -53,6 +53,7 @@ libc.a: $(LIBCOBJS)
- LIBNETOBJS := args.o dhcp.o dns.o icmpv6.o ipv6.o tcp.o udp.o bootp.o \
- dhcpv6.o ethernet.o ipv4.o ndp.o tftp.o pxelinux.o
- LIBNETCFLAGS := $(QEMU_CFLAGS) $(CFLAGS) -DDHCPARCH=0x1F $(LIBC_INC) $(LIBNET_INC)
-+LIBNETCFLAGS += -Wno-address-of-packed-member
-
- %.o : $(SLOF_DIR)/lib/libnet/%.c
- $(call quiet-command,$(CC) $(LIBNETCFLAGS) -c -o $@ $<,"CC","$(TARGET_DIR)$@")
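Review bot: `LIBNETCFLAGS += -Wno-address-of-packed-member` turns the warning off for every libnet object and carries no comment in the makefile, although the commit message calls the change temporary. Please add a comment next to the line saying it was introduced for gcc9 and under what condition it should be removed, so the suppression does not outlive its reason.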
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 11 Aug 2020 17:11:26 +0530
-Subject: pci-host: designware: add pcie-msi read method
-
-Git-commit: 4f2a5202a05fc1612954804a2482f07bff105ea2
-References: bsc#1173612, CVE-2020-15469
-
-Add pcie-msi mmio read method to avoid NULL pointer dereference
-issue.
-
-Reported-by: Lei Sun <slei.casper@gmail.com>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20200811114133.672647-3-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/pci-host/designware.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
-index 71e9b0d9b548549d200cc6854cf6..f9c5d29d13c86509a3198d214dc6 100644
---- a/hw/pci-host/designware.c
-+++ b/hw/pci-host/designware.c
-@@ -21,6 +21,7 @@
- #include "qemu/osdep.h"
- #include "qapi/error.h"
- #include "qemu/module.h"
-+#include "qemu/log.h"
- #include "hw/pci/msi.h"
- #include "hw/pci/pci_bridge.h"
- #include "hw/pci/pci_host.h"
-@@ -63,6 +64,23 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root)
- return DESIGNWARE_PCIE_HOST(bus->parent);
- }
-
-+static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr,
-+ unsigned size)
-+{
-+ /*
-+ * Attempts to read from the MSI address are undefined in
-+ * the PCI specifications. For this hardware, the datasheet
-+ * specifies that a read from the magic address is simply not
-+ * intercepted by the MSI controller, and will go out to the
-+ * AHB/AXI bus like any other PCI-device-initiated DMA read.
-+ * This is not trivial to implement in QEMU, so since
-+ * well-behaved guests won't ever ask a PCI device to DMA from
-+ * this address we just log the missing functionality.
-+ */
-+ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
-+ return 0;
-+}
-+
- static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
- uint64_t val, unsigned len)
- {
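Review bot: in designware_pcie_root_msi_read() the log line prints only __func__, so a guest that triggers it leaves no record of the offset or access size. Add addr and size to the qemu_log_mask() message (for example with HWADDR_PRIx) so the LOG_UNIMP output is usable when triaging. The comment should also say that the returned 0 is an arbitrary value and not what the hardware would produce.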
-@@ -77,6 +95,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
- }
-
- static const MemoryRegionOps designware_pci_host_msi_ops = {
-+ .read = designware_pcie_root_msi_read,
- .write = designware_pcie_root_msi_write,
- .endianness = DEVICE_LITTLE_ENDIAN,
- .valid = {
+++ /dev/null
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Mon, 1 Mar 2021 10:33:34 -0500
-Subject: pcnet: switch to use qemu_receive_packet() for loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/net/pcnet.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
-index f3f18d8598c43aca02ca138aa46e..dcd3fc49481b46a6d4bb7c726572 100644
---- a/hw/net/pcnet.c
-+++ b/hw/net/pcnet.c
-@@ -1250,7 +1250,7 @@ txagain:
- if (BCR_SWSTYLE(s) == 1)
- add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
- s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
-- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
-+ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
- s->looptest = 0;
- } else {
- if (s->nic) {
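Review bot: the result of qemu_receive_packet() is discarded at the replaced call, so when the reentrancy detection described in the commit message makes it return early, the loopback frame is dropped silently and s->looptest is still reset to 0 on the next line. Consider checking the result and tracing or logging the dropped frame, so a guest-triggered reentrant loopback is visible to whoever is debugging the device.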
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 11 Aug 2020 17:11:28 +0530
-Subject: prep: add ppc-parity write method
-
-Git-commit: f867cebaedbc9c43189f102e4cdfdff05e88df7f
-References: bsc#1173612, CVE-2020-15469
-
-Add ppc-parity mmio write method to avoid NULL pointer dereference
-issue.
-
-Reported-by: Lei Sun <slei.casper@gmail.com>
-Acked-by: David Gibson <david@gibson.dropbear.id.au>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Message-Id: <20200811114133.672647-5-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/ppc/prep_systemio.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/ppc/prep_systemio.c b/hw/ppc/prep_systemio.c
-index 86e83e278fcc733c8db60a46ce57..ae65e50cfbc63392bb7ce3c88064 100644
---- a/hw/ppc/prep_systemio.c
-+++ b/hw/ppc/prep_systemio.c
-@@ -23,6 +23,7 @@
- */
-
- #include "qemu/osdep.h"
-+#include "qemu/log.h"
- #include "hw/irq.h"
- #include "hw/isa/isa.h"
- #include "hw/qdev-properties.h"
-@@ -235,8 +236,15 @@ static uint64_t ppc_parity_error_readl(void *opaque, hwaddr addr,
- return val;
- }
-
-+static void ppc_parity_error_writel(void *opaque, hwaddr addr,
-+ uint64_t data, unsigned size)
-+{
-+ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__);
-+}
-+
- static const MemoryRegionOps ppc_parity_error_ops = {
- .read = ppc_parity_error_readl,
-+ .write = ppc_parity_error_writel,
- .valid = {
- .min_access_size = 4,
- .max_access_size = 4,
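Review bot: ppc_parity_error_writel() logs a fixed "invalid access" string and drops addr and data, so the LOG_GUEST_ERROR output cannot show which guest write reached it; include both values in the message. A one-line comment on why writes to this region are treated as invalid would also help, since the handler otherwise reads as a placeholder added only to fill the .write slot.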
+++ /dev/null
-From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
-Date: Wed, 30 Jun 2021 14:46:34 +0300
-Subject: pvrdma: Ensure correct input on ring init (CVE-2021-3607)
-
-Git-commit: 32e5703cfea07c91e6e84bcb0313f633bb146534
-References: CVE-2021-3607 bsc#1187539
-
-Check the guest passed a non zero page count
-for pvrdma device ring buffers.
-
-Fixes: CVE-2021-3607
-Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
-Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
-Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
-Message-Id: <20210630114634.2168872-1-marcel@redhat.com>
-Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
-Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
----
- hw/rdma/vmw/pvrdma_main.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
-index 6f0fc405c77395fc80cc35af89f6..4aa1a467cea641a8ab17cedbba6c 100644
---- a/hw/rdma/vmw/pvrdma_main.c
-+++ b/hw/rdma/vmw/pvrdma_main.c
-@@ -91,6 +91,11 @@ static int init_dev_ring(PvrdmaRing *ring, struct pvrdma_ring **ring_state,
- uint64_t *dir, *tbl;
- int rc = 0;
-
-+ if (!num_pages) {
-+ rdma_error_report("Ring pages count must be strictly positive");
-+ return -EINVAL;
-+ }
-+
- dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
- if (!dir) {
- rdma_error_report("Failed to map to page directory (ring %s)", name);
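Review bot: the new check in init_dev_ring() rejects only num_pages == 0, and the commit message says the value comes from the guest, so an oversized count still passes this point. Confirm that an upper bound is enforced before the value is used, or add one next to this check. The new message also omits the ring name that the following rdma_error_report() includes via "(ring %s)", which leaves the two errors inconsistent.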
+++ /dev/null
-From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
-Date: Wed, 30 Jun 2021 14:52:46 +0300
-Subject: pvrdma: Fix the ring init error flow (CVE-2021-3608)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 66ae37d8cc313f89272e711174a846a229bcdbd3
-References: CVE-2021-3608 bsc#1187538
-
-Do not unmap uninitialized dma addresses.
-
-Fixes: CVE-2021-3608
-Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
-Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
-Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
-Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
-Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
-Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
----
- hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
-index d7bc7f5ccc8afaec536ce59545fe..2a620ad5bc5d312af3861f09c6ab 100644
---- a/hw/rdma/vmw/pvrdma_dev_ring.c
-+++ b/hw/rdma/vmw/pvrdma_dev_ring.c
-@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, const char *name, PCIDevice *dev,
- atomic_set(&ring->ring_state->cons_head, 0);
- */
- ring->npages = npages;
-- ring->pages = g_malloc(npages * sizeof(void *));
-+ ring->pages = g_malloc0(npages * sizeof(void *));
-
- for (i = 0; i < npages; i++) {
- if (!tbl[i]) {
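Review bot: g_malloc0(npages * sizeof(void *)) still multiplies a caller-supplied count by hand; g_new0(void *, npages) is the idiomatic form for the same zero-filled allocation and checks the multiplication for overflow. Zeroing the array only fixes the error flow named in the commit message if the cleanup code skips NULL entries, so a short comment next to the allocation stating that dependency would help.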
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 6 Oct 2020 15:38:55 +0300
-Subject: qdev: add "check if address free" callback for buses
-
-Git-commit: bb755ba47f3747251c0eadf681ee68b9033309b8
-References: bsc#1184574
-
-Check if an address is free on the bus before plugging in the
-device. This makes it possible to do the check without any
-side effects, and to detect the problem early without having
-to do it in the realize callback.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-Id: <20201006123904.610658-5-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- hw/core/qdev.c | 15 +++++++++++++--
- hw/core/sysbus.c | 2 +-
- hw/display/virtio-gpu-pci.c | 2 +-
- hw/display/virtio-vga.c | 2 +-
- hw/i386/amd_iommu.c | 2 +-
- hw/isa/piix4.c | 2 +-
- hw/misc/auxbus.c | 4 ++--
- hw/misc/macio/macio.c | 6 +++---
- hw/net/virtio-net.c | 2 +-
- hw/pci-host/designware.c | 2 +-
- hw/pci-host/gpex.c | 2 +-
- hw/pci-host/prep.c | 2 +-
- hw/pci-host/q35.c | 2 +-
- hw/pci-host/versatile.c | 3 ++-
- hw/pci-host/xilinx-pcie.c | 2 +-
- hw/s390x/event-facility.c | 4 ++--
- hw/s390x/sclp.c | 2 +-
- hw/s390x/vhost-vsock-ccw.c | 2 +-
- hw/s390x/virtio-ccw-9p.c | 2 +-
- hw/s390x/virtio-ccw-balloon.c | 2 +-
- hw/s390x/virtio-ccw-blk.c | 2 +-
- hw/s390x/virtio-ccw-crypto.c | 2 +-
- hw/s390x/virtio-ccw-gpu.c | 2 +-
- hw/s390x/virtio-ccw-input.c | 2 +-
- hw/s390x/virtio-ccw-net.c | 2 +-
- hw/s390x/virtio-ccw-rng.c | 2 +-
- hw/s390x/virtio-ccw-scsi.c | 4 ++--
- hw/s390x/virtio-ccw-serial.c | 3 ++-
- hw/sd/core.c | 3 ++-
- hw/ssi/ssi.c | 3 ++-
- hw/virtio/vhost-scsi-pci.c | 2 +-
- hw/virtio/vhost-user-blk-pci.c | 2 +-
- hw/virtio/vhost-user-fs-pci.c | 3 ++-
- hw/virtio/vhost-user-scsi-pci.c | 2 +-
- hw/virtio/vhost-vsock-pci.c | 3 ++-
- hw/virtio/virtio-9p-pci.c | 3 ++-
- hw/virtio/virtio-balloon-pci.c | 2 +-
- hw/virtio/virtio-blk-pci.c | 2 +-
- hw/virtio/virtio-crypto-pci.c | 2 +-
- hw/virtio/virtio-input-pci.c | 3 ++-
- hw/virtio/virtio-net-pci.c | 2 +-
- hw/virtio/virtio-pmem-pci.c | 2 +-
- hw/virtio/virtio-rng-pci.c | 2 +-
- hw/virtio/virtio-scsi-pci.c | 3 ++-
- hw/virtio/virtio-serial-pci.c | 3 ++-
- hw/xen/xen-legacy-backend.c | 2 +-
- include/hw/qdev-core.h | 13 ++++++++++++-
- qdev-monitor.c | 2 +-
- 48 files changed, 86 insertions(+), 54 deletions(-)
-
-diff --git a/hw/core/qdev.c b/hw/core/qdev.c
-index cf1ba28fe35346618cb71120576c..342ea8a3feb955c3318616252ead 100644
---- a/hw/core/qdev.c
-+++ b/hw/core/qdev.c
-@@ -93,10 +93,20 @@ static void bus_add_child(BusState *bus, DeviceState *child)
- NULL);
- }
-
--void qdev_set_parent_bus(DeviceState *dev, BusState *bus)
-+static bool bus_check_address(BusState *bus, DeviceState *child, Error **errp)
-+{
-+ BusClass *bc = BUS_GET_CLASS(bus);
-+ return !bc->check_address || bc->check_address(bus, child, errp);
-+}
-+
-+bool qdev_set_parent_bus(DeviceState *dev, BusState *bus, Error **errp)
- {
- bool replugging = dev->parent_bus != NULL;
-
-+ if (!bus_check_address(bus, dev, errp)) {
-+ return false;
-+ }
-+
- if (replugging) {
- /* Keep a reference to the device while it's not plugged into
- * any bus, to avoid it potentially evaporating when it is
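Review bot: bus_check_address() passes the callback's result straight through, so a check_address implementation that returns false without setting errp makes qdev_set_parent_bus() fail with no error reported, and the callers in this patch that pass &error_abort and ignore the return value would then carry on with the device not attached. Document beside the callback that a false return must always come with an error set. The now bool-returning qdev_set_parent_bus() also deserves a short comment stating that no state is changed when it returns false.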
-@@ -112,6 +122,7 @@ void qdev_set_parent_bus(DeviceState *dev, BusState *bus)
- if (replugging) {
- object_unref(OBJECT(dev));
- }
-+ return true;
- }
-
- /* Create a new device. This only initializes the device state
-@@ -157,7 +168,7 @@ DeviceState *qdev_try_create(BusState *bus, const char *type)
- bus = sysbus_get_default();
- }
-
-- qdev_set_parent_bus(dev, bus);
-+ qdev_set_parent_bus(dev, bus, &error_abort);
- object_unref(OBJECT(dev));
- return dev;
- }
-diff --git a/hw/core/sysbus.c b/hw/core/sysbus.c
-index 9e69c83aedfe8578e9988ba93e79..1d79960bbaaeba984d0fb7937002 100644
---- a/hw/core/sysbus.c
-+++ b/hw/core/sysbus.c
-@@ -383,7 +383,7 @@ void sysbus_init_child_obj(Object *parent, const char *childname, void *child,
- {
- object_initialize_child(parent, childname, child, childsize, childtype,
- &error_abort, NULL);
-- qdev_set_parent_bus(DEVICE(child), sysbus_get_default());
-+ qdev_set_parent_bus(DEVICE(child), sysbus_get_default(), &error_abort);
- }
-
- static void sysbus_register_types(void)
-diff --git a/hw/display/virtio-gpu-pci.c b/hw/display/virtio-gpu-pci.c
-index 25e4038874ed091d5d74311cf118..67021040bec57e41ce3e4f9e2986 100644
---- a/hw/display/virtio-gpu-pci.c
-+++ b/hw/display/virtio-gpu-pci.c
-@@ -33,7 +33,7 @@ static void virtio_gpu_pci_base_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- int i;
- Error *local_error = NULL;
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- virtio_pci_force_virtio_1(vpci_dev);
- object_property_set_bool(OBJECT(vdev), true, "realized", &local_error);
-
-diff --git a/hw/display/virtio-vga.c b/hw/display/virtio-vga.c
-index cc6e66ea1c2cfe1f76c05ceebbbf..adca75d7cd055d5442873ed610d6 100644
---- a/hw/display/virtio-vga.c
-+++ b/hw/display/virtio-vga.c
-@@ -136,7 +136,7 @@ static void virtio_vga_base_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- vpci_dev->common.offset = offset;
-
- /* init virtio bits */
-- qdev_set_parent_bus(DEVICE(g), BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(DEVICE(g), BUS(&vpci_dev->bus), &error_abort);
- virtio_pci_force_virtio_1(vpci_dev);
- object_property_set_bool(OBJECT(g), true, "realized", &err);
- if (err) {
-diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
-index ac5f2fddc5463e4c8776ac2f5036..ff1c870b41bcbb1865d00512504d 100644
---- a/hw/i386/amd_iommu.c
-+++ b/hw/i386/amd_iommu.c
-@@ -1548,7 +1548,7 @@ static void amdvi_realize(DeviceState *dev, Error **err)
-
- /* This device should take care of IOMMU PCI properties */
- x86_iommu->type = TYPE_AMD;
-- qdev_set_parent_bus(DEVICE(&s->pci), &bus->qbus);
-+ qdev_set_parent_bus(DEVICE(&s->pci), &bus->qbus, &error_abort);
- object_property_set_bool(OBJECT(&s->pci), true, "realized", err);
- ret = pci_add_capability(&s->pci.dev, AMDVI_CAPAB_ID_SEC, 0,
- AMDVI_CAPAB_SIZE, err);
-diff --git a/hw/isa/piix4.c b/hw/isa/piix4.c
-index a7ed885dc8e49537c1241eaea7e1..0c09c195fe17cc27ba4b7164ab79 100644
---- a/hw/isa/piix4.c
-+++ b/hw/isa/piix4.c
-@@ -195,7 +195,7 @@ static void piix4_realize(PCIDevice *dev, Error **errp)
- i8257_dma_init(isa_bus, 0);
-
- /* RTC */
-- qdev_set_parent_bus(DEVICE(&s->rtc), BUS(isa_bus));
-+ qdev_set_parent_bus(DEVICE(&s->rtc), BUS(isa_bus), &error_abort);
- qdev_prop_set_int32(DEVICE(&s->rtc), "base_year", 2000);
- object_property_set_bool(OBJECT(&s->rtc), true, "realized", &err);
- if (err) {
-diff --git a/hw/misc/auxbus.c b/hw/misc/auxbus.c
-index f8e7b979712571cdf66565cf4ba2..b35439e3640e4d4981a569ea58ea 100644
---- a/hw/misc/auxbus.c
-+++ b/hw/misc/auxbus.c
-@@ -70,7 +70,7 @@ AUXBus *aux_init_bus(DeviceState *parent, const char *name)
- bus = AUX_BUS(qbus_create(TYPE_AUX_BUS, parent, name));
- auxtoi2c = object_new_with_props(TYPE_AUXTOI2C, OBJECT(bus), "i2c",
- &error_abort, NULL);
-- qdev_set_parent_bus(DEVICE(auxtoi2c), BUS(bus));
-+ qdev_set_parent_bus(DEVICE(auxtoi2c), BUS(bus), &error_abort);
-
- bus->bridge = AUXTOI2C(auxtoi2c);
-
-@@ -275,7 +275,7 @@ DeviceState *aux_create_slave(AUXBus *bus, const char *type)
-
- dev = DEVICE(object_new(type));
- assert(dev);
-- qdev_set_parent_bus(dev, &bus->qbus);
-+ qdev_set_parent_bus(dev, &bus->qbus, &error_abort);
- return dev;
- }
-
-diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c
-index 50f20d82066143bedd6c30f4d3be..b22c8597ec238ef90c157993a54b 100644
---- a/hw/misc/macio/macio.c
-+++ b/hw/misc/macio/macio.c
-@@ -100,7 +100,7 @@ static void macio_init_child_obj(MacIOState *s, const char *childname,
- {
- object_initialize_child(OBJECT(s), childname, child, childsize, childtype,
- &error_abort, NULL);
-- qdev_set_parent_bus(DEVICE(child), BUS(&s->macio_bus));
-+ qdev_set_parent_bus(DEVICE(child), BUS(&s->macio_bus), &error_abort);
- }
-
- static void macio_common_realize(PCIDevice *d, Error **errp)
-@@ -355,7 +355,7 @@ static void macio_newworld_realize(PCIDevice *d, Error **errp)
- object_property_set_link(OBJECT(&s->pmu), OBJECT(sysbus_dev), "gpio",
- &error_abort);
- qdev_prop_set_bit(DEVICE(&s->pmu), "has-adb", ns->has_adb);
-- qdev_set_parent_bus(DEVICE(&s->pmu), BUS(&s->macio_bus));
-+ qdev_set_parent_bus(DEVICE(&s->pmu), BUS(&s->macio_bus), &error_abort);
-
- object_property_set_bool(OBJECT(&s->pmu), true, "realized", &err);
- if (err) {
-@@ -371,7 +371,7 @@ static void macio_newworld_realize(PCIDevice *d, Error **errp)
- /* CUDA */
- object_initialize_child(OBJECT(s), "cuda", &s->cuda, sizeof(s->cuda),
- TYPE_CUDA, &error_abort, NULL);
-- qdev_set_parent_bus(DEVICE(&s->cuda), BUS(&s->macio_bus));
-+ qdev_set_parent_bus(DEVICE(&s->cuda), BUS(&s->macio_bus), &error_abort);
- qdev_prop_set_uint64(DEVICE(&s->cuda), "timebase-frequency",
- s->frequency);
-
-diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
-index 7483d11ec2300f483899c24b53bf..4764b83d568dcd5efdd9a95d829e 100644
---- a/hw/net/virtio-net.c
-+++ b/hw/net/virtio-net.c
-@@ -2815,7 +2815,7 @@ static bool failover_replug_primary(VirtIONet *n, Error **errp)
- error_setg(errp, "virtio_net: couldn't find primary bus");
- return false;
- }
-- qdev_set_parent_bus(n->primary_dev, n->primary_bus);
-+ qdev_set_parent_bus(n->primary_dev, n->primary_bus, &error_abort);
- n->primary_should_be_hidden = false;
- qemu_opt_set_bool(n->primary_device_opts,
- "partially_hotplugged", true, &err);
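Review bot: failover_replug_primary() already takes errp and returns false on failure just above the changed line, yet the new call passes &error_abort, so a bus whose check_address rejects the device would abort QEMU on a replug path instead of reporting an error. Prefer propagating it: if (!qdev_set_parent_bus(n->primary_dev, n->primary_bus, errp)) { return false; }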
-diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
-index f9c5d29d13c86509a3198d214dc6..6a5e677a0c59542937b5c7a73c2f 100644
---- a/hw/pci-host/designware.c
-+++ b/hw/pci-host/designware.c
-@@ -707,7 +707,7 @@ static void designware_pcie_host_realize(DeviceState *dev, Error **errp)
- "pcie-bus-address-space");
- pci_setup_iommu(pci->bus, designware_pcie_host_set_iommu, s);
-
-- qdev_set_parent_bus(DEVICE(&s->root), BUS(pci->bus));
-+ qdev_set_parent_bus(DEVICE(&s->root), BUS(pci->bus), &error_abort);
- qdev_init_nofail(DEVICE(&s->root));
- }
-
-diff --git a/hw/pci-host/gpex.c b/hw/pci-host/gpex.c
-index 0ca604dc628ebccc3f622625bb18..a76587c7f3d0c573325d7fd83a2a 100644
---- a/hw/pci-host/gpex.c
-+++ b/hw/pci-host/gpex.c
-@@ -98,7 +98,7 @@ static void gpex_host_realize(DeviceState *dev, Error **errp)
- pci_swizzle_map_irq_fn, s, &s->io_mmio,
- &s->io_ioport, 0, 4, TYPE_PCIE_BUS);
-
-- qdev_set_parent_bus(DEVICE(&s->gpex_root), BUS(pci->bus));
-+ qdev_set_parent_bus(DEVICE(&s->gpex_root), BUS(pci->bus), &error_abort);
- pci_bus_set_route_irq_fn(pci->bus, gpex_route_intx_pin_to_irq);
- qdev_init_nofail(DEVICE(&s->gpex_root));
- }
-diff --git a/hw/pci-host/prep.c b/hw/pci-host/prep.c
-index 7f366d9313d8824c52e5cb531b63..ceff1a8e0fe4d8c8aa8023c3bd0c 100644
---- a/hw/pci-host/prep.c
-+++ b/hw/pci-host/prep.c
-@@ -317,7 +317,7 @@ static void raven_pcihost_initfn(Object *obj)
-
- object_initialize(&s->pci_dev, sizeof(s->pci_dev), TYPE_RAVEN_PCI_DEVICE);
- pci_dev = DEVICE(&s->pci_dev);
-- qdev_set_parent_bus(pci_dev, BUS(&s->pci_bus));
-+ qdev_set_parent_bus(pci_dev, BUS(&s->pci_bus), &error_abort);
- object_property_set_int(OBJECT(&s->pci_dev), PCI_DEVFN(0, 0), "addr",
- NULL);
- qdev_prop_set_bit(pci_dev, "multifunction", false);
-diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c
-index 158d270b9f0c94490acb57932985..b27a058e50a49d0e3e8f103501ab 100644
---- a/hw/pci-host/q35.c
-+++ b/hw/pci-host/q35.c
-@@ -63,7 +63,7 @@ static void q35_host_realize(DeviceState *dev, Error **errp)
- s->mch.address_space_io,
- 0, TYPE_PCIE_BUS);
- PC_MACHINE(qdev_get_machine())->bus = pci->bus;
-- qdev_set_parent_bus(DEVICE(&s->mch), BUS(pci->bus));
-+ qdev_set_parent_bus(DEVICE(&s->mch), BUS(pci->bus), &error_abort);
- qdev_init_nofail(DEVICE(&s->mch));
- }
-
-diff --git a/hw/pci-host/versatile.c b/hw/pci-host/versatile.c
-index b731d0544fa163100fe5f7d128a0..e68a1e1b3c7c510882289ae04a1e 100644
---- a/hw/pci-host/versatile.c
-+++ b/hw/pci-host/versatile.c
-@@ -17,6 +17,7 @@
- #include "hw/qdev-properties.h"
- #include "qemu/log.h"
- #include "qemu/module.h"
-+#include "qapi/error.h"
-
- /* Old and buggy versions of QEMU used the wrong mapping from
- * PCI IRQs to system interrupt lines. Unfortunately the Linux
-@@ -408,7 +409,7 @@ static void pci_vpb_realize(DeviceState *dev, Error **errp)
- h->bus = &s->pci_bus;
-
- object_initialize(&s->pci_dev, sizeof(s->pci_dev), TYPE_VERSATILE_PCI_HOST);
-- qdev_set_parent_bus(DEVICE(&s->pci_dev), BUS(&s->pci_bus));
-+ qdev_set_parent_bus(DEVICE(&s->pci_dev), BUS(&s->pci_bus), &error_abort);
-
- for (i = 0; i < 4; i++) {
- sysbus_init_irq(sbd, &s->irq[i]);
-diff --git a/hw/pci-host/xilinx-pcie.c b/hw/pci-host/xilinx-pcie.c
-index 17d502434956e9c6a609d95907b4..56aa94016459566e2fb522ab8d7e 100644
---- a/hw/pci-host/xilinx-pcie.c
-+++ b/hw/pci-host/xilinx-pcie.c
-@@ -137,7 +137,7 @@ static void xilinx_pcie_host_realize(DeviceState *dev, Error **errp)
- pci_swizzle_map_irq_fn, s, &s->mmio,
- &s->io, 0, 4, TYPE_PCIE_BUS);
-
-- qdev_set_parent_bus(DEVICE(&s->root), BUS(pci->bus));
-+ qdev_set_parent_bus(DEVICE(&s->root), BUS(pci->bus), &error_abort);
- qdev_init_nofail(DEVICE(&s->root));
- }
-
-diff --git a/hw/s390x/event-facility.c b/hw/s390x/event-facility.c
-index 66205697ae7597a328e97b408e48..17e77fb17390f3f3f1954d47055b 100644
---- a/hw/s390x/event-facility.c
-+++ b/hw/s390x/event-facility.c
-@@ -464,12 +464,12 @@ static void init_event_facility(Object *obj)
- new = object_new(TYPE_SCLP_QUIESCE);
- object_property_add_child(obj, TYPE_SCLP_QUIESCE, new, NULL);
- object_unref(new);
-- qdev_set_parent_bus(DEVICE(new), BUS(&event_facility->sbus));
-+ qdev_set_parent_bus(DEVICE(new), BUS(&event_facility->sbus), &error_abort);
-
- new = object_new(TYPE_SCLP_CPU_HOTPLUG);
- object_property_add_child(obj, TYPE_SCLP_CPU_HOTPLUG, new, NULL);
- object_unref(new);
-- qdev_set_parent_bus(DEVICE(new), BUS(&event_facility->sbus));
-+ qdev_set_parent_bus(DEVICE(new), BUS(&event_facility->sbus), &error_abort);
- /* the facility will automatically realize the devices via the bus */
- }
-
-diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
-index 1c380a49cc7140687329e43e9745..ade09fc9d35cf372d1abeb2a29f7 100644
---- a/hw/s390x/sclp.c
-+++ b/hw/s390x/sclp.c
-@@ -350,7 +350,7 @@ static void sclp_realize(DeviceState *dev, Error **errp)
- * as we can't find a fitting bus via the qom tree, we have to add the
- * event facility to the sysbus, so e.g. a sclp console can be created.
- */
-- qdev_set_parent_bus(DEVICE(sclp->event_facility), sysbus_get_default());
-+ qdev_set_parent_bus(DEVICE(sclp->event_facility), sysbus_get_default(), &error_abort);
-
- ret = s390_set_memory_limit(machine->maxram_size, &hw_limit);
- if (ret == -E2BIG) {
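Review bot: the replacement line in sclp_realize() runs past 80 columns once &error_abort is appended; wrap the call after the second argument. sclp_realize() also has errp in scope, so a brief comment on why aborting is acceptable here instead of propagating the error would save the next reader the question.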
-diff --git a/hw/s390x/vhost-vsock-ccw.c b/hw/s390x/vhost-vsock-ccw.c
-index 1835812bd11a7c4c275206f3905c..23c5491223fbb7fffa6effa43954 100644
---- a/hw/s390x/vhost-vsock-ccw.c
-+++ b/hw/s390x/vhost-vsock-ccw.c
-@@ -24,7 +24,7 @@ static void vhost_vsock_ccw_realize(VirtioCcwDevice *ccw_dev, Error **errp)
- VHostVSockCCWState *dev = VHOST_VSOCK_CCW(ccw_dev);
- DeviceState *vdev = DEVICE(&dev->vdev);
-
-- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/s390x/virtio-ccw-9p.c b/hw/s390x/virtio-ccw-9p.c
-index 5453a964d2dc3f5943f492c2c4e6..f7db31e4f3d23653a1216dca0c30 100644
---- a/hw/s390x/virtio-ccw-9p.c
-+++ b/hw/s390x/virtio-ccw-9p.c
-@@ -21,7 +21,7 @@ static void virtio_ccw_9p_realize(VirtioCcwDevice *ccw_dev, Error **errp)
- V9fsCCWState *dev = VIRTIO_9P_CCW(ccw_dev);
- DeviceState *vdev = DEVICE(&dev->vdev);
-
-- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/s390x/virtio-ccw-balloon.c b/hw/s390x/virtio-ccw-balloon.c
-index 7088612f6bce233b18574ad63121..92ebd7bcfbda7da5bc7e6af4a55c 100644
---- a/hw/s390x/virtio-ccw-balloon.c
-+++ b/hw/s390x/virtio-ccw-balloon.c
-@@ -21,7 +21,7 @@ static void virtio_ccw_balloon_realize(VirtioCcwDevice *ccw_dev, Error **errp)
- VirtIOBalloonCcw *dev = VIRTIO_BALLOON_CCW(ccw_dev);
- DeviceState *vdev = DEVICE(&dev->vdev);
-
-- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/s390x/virtio-ccw-blk.c b/hw/s390x/virtio-ccw-blk.c
-index 1512af8974dff0b303cda91e9ad8..9b12fa9e219b808e83e831894252 100644
---- a/hw/s390x/virtio-ccw-blk.c
-+++ b/hw/s390x/virtio-ccw-blk.c
-@@ -21,7 +21,7 @@ static void virtio_ccw_blk_realize(VirtioCcwDevice *ccw_dev, Error **errp)
- VirtIOBlkCcw *dev = VIRTIO_BLK_CCW(ccw_dev);
- DeviceState *vdev = DEVICE(&dev->vdev);
-
-- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/s390x/virtio-ccw-crypto.c b/hw/s390x/virtio-ccw-crypto.c
-index 086b397ad274e11a69465dc69929..95fd93d5cb6d6f76a947f75a58ba 100644
---- a/hw/s390x/virtio-ccw-crypto.c
-+++ b/hw/s390x/virtio-ccw-crypto.c
-@@ -21,7 +21,7 @@ static void virtio_ccw_crypto_realize(VirtioCcwDevice *ccw_dev, Error **errp)
- DeviceState *vdev = DEVICE(&dev->vdev);
- Error *err = NULL;
-
-- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", &err);
- if (err) {
- error_propagate(errp, err);
-diff --git a/hw/s390x/virtio-ccw-gpu.c b/hw/s390x/virtio-ccw-gpu.c
-index be46ca7a968c2b9baa44569be689..afa30e330fb9b6bc3559baf82949 100644
---- a/hw/s390x/virtio-ccw-gpu.c
-+++ b/hw/s390x/virtio-ccw-gpu.c
-@@ -20,7 +20,7 @@ static void virtio_ccw_gpu_realize(VirtioCcwDevice *ccw_dev, Error **errp)
- VirtIOGPUCcw *dev = VIRTIO_GPU_CCW(ccw_dev);
- DeviceState *vdev = DEVICE(&dev->vdev);
-
-- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/s390x/virtio-ccw-input.c b/hw/s390x/virtio-ccw-input.c
-index 370b776790c8bca383e78ea4df34..5adfdc3ee47cf364bd701d6ce518 100644
---- a/hw/s390x/virtio-ccw-input.c
-+++ b/hw/s390x/virtio-ccw-input.c
-@@ -20,7 +20,7 @@ static void virtio_ccw_input_realize(VirtioCcwDevice *ccw_dev, Error **errp)
- VirtIOInputCcw *dev = VIRTIO_INPUT_CCW(ccw_dev);
- DeviceState *vdev = DEVICE(&dev->vdev);
-
-- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/s390x/virtio-ccw-net.c b/hw/s390x/virtio-ccw-net.c
-index 12c03d73c4dcc081514cac3bc1af..756069b3dfc17963703573dd050c 100644
---- a/hw/s390x/virtio-ccw-net.c
-+++ b/hw/s390x/virtio-ccw-net.c
-@@ -24,7 +24,7 @@ static void virtio_ccw_net_realize(VirtioCcwDevice *ccw_dev, Error **errp)
-
- virtio_net_set_netclient_name(&dev->vdev, qdev->id,
- object_get_typename(OBJECT(qdev)));
-- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/s390x/virtio-ccw-rng.c b/hw/s390x/virtio-ccw-rng.c
-index 854254dd50f5e9bc0e45f5d53571..6a5c2dd9b938966be7ee9249168a 100644
---- a/hw/s390x/virtio-ccw-rng.c
-+++ b/hw/s390x/virtio-ccw-rng.c
-@@ -22,7 +22,7 @@ static void virtio_ccw_rng_realize(VirtioCcwDevice *ccw_dev, Error **errp)
- DeviceState *vdev = DEVICE(&dev->vdev);
- Error *err = NULL;
-
-- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", &err);
- if (err) {
- error_propagate(errp, err);
-diff --git a/hw/s390x/virtio-ccw-scsi.c b/hw/s390x/virtio-ccw-scsi.c
-index 4662288b5b009da0b2ecf74eaff9..9a01a027210f7d1c372d88a51963 100644
---- a/hw/s390x/virtio-ccw-scsi.c
-+++ b/hw/s390x/virtio-ccw-scsi.c
-@@ -33,7 +33,7 @@ static void virtio_ccw_scsi_realize(VirtioCcwDevice *ccw_dev, Error **errp)
- g_free(bus_name);
- }
-
-- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-@@ -78,7 +78,7 @@ static void vhost_ccw_scsi_realize(VirtioCcwDevice *ccw_dev, Error **errp)
- VHostSCSICcw *dev = VHOST_SCSI_CCW(ccw_dev);
- DeviceState *vdev = DEVICE(&dev->vdev);
-
-- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/s390x/virtio-ccw-serial.c b/hw/s390x/virtio-ccw-serial.c
-index eafb7d5c1f4c799d33980a6db021..c7f4d47aa426f9357e899cef8c88 100644
---- a/hw/s390x/virtio-ccw-serial.c
-+++ b/hw/s390x/virtio-ccw-serial.c
-@@ -15,6 +15,7 @@
- #include "hw/qdev-properties.h"
- #include "hw/virtio/virtio-serial.h"
- #include "virtio-ccw.h"
-+#include "qapi/error.h"
-
- static void virtio_ccw_serial_realize(VirtioCcwDevice *ccw_dev, Error **errp)
- {
-@@ -33,7 +34,7 @@ static void virtio_ccw_serial_realize(VirtioCcwDevice *ccw_dev, Error **errp)
- g_free(bus_name);
- }
-
-- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/sd/core.c b/hw/sd/core.c
-index abec48bccb80a92cf3c8e6dee397..371122c120e04268e9ba6644625b 100644
---- a/hw/sd/core.c
-+++ b/hw/sd/core.c
-@@ -23,6 +23,7 @@
- #include "hw/qdev-core.h"
- #include "hw/sd/sd.h"
- #include "qemu/module.h"
-+#include "qapi/error.h"
- #include "trace.h"
-
- static inline const char *sdbus_name(SDBus *sdbus)
-@@ -210,7 +211,7 @@ void sdbus_reparent_card(SDBus *from, SDBus *to)
- readonly = sc->get_readonly(card);
-
- sdbus_set_inserted(from, false);
-- qdev_set_parent_bus(DEVICE(card), &to->qbus);
-+ qdev_set_parent_bus(DEVICE(card), &to->qbus, &error_abort);
- sdbus_set_inserted(to, true);
- sdbus_set_readonly(to, readonly);
- }
-diff --git a/hw/ssi/ssi.c b/hw/ssi/ssi.c
-index c6415eb6e329ee78f822f6723192..49e79254ebf703a53ac22197f517 100644
---- a/hw/ssi/ssi.c
-+++ b/hw/ssi/ssi.c
-@@ -16,6 +16,7 @@
- #include "hw/ssi/ssi.h"
- #include "migration/vmstate.h"
- #include "qemu/module.h"
-+#include "qapi/error.h"
-
- struct SSIBus {
- BusState parent_obj;
-@@ -159,7 +160,7 @@ static int ssi_auto_connect_slave(Object *child, void *opaque)
- }
-
- cs_line = qdev_get_gpio_in_named(DEVICE(dev), SSI_GPIO_CS, 0);
-- qdev_set_parent_bus(DEVICE(dev), BUS(arg->bus));
-+ qdev_set_parent_bus(DEVICE(dev), BUS(arg->bus), &error_abort);
- **arg->cs_linep = cs_line;
- (*arg->cs_linep)++;
- return 0;
-diff --git a/hw/virtio/vhost-scsi-pci.c b/hw/virtio/vhost-scsi-pci.c
-index e8dfbfc60f9a5f25b4d7214872d1..9e454801e7a1b66b17eef996f30f 100644
---- a/hw/virtio/vhost-scsi-pci.c
-+++ b/hw/virtio/vhost-scsi-pci.c
-@@ -53,7 +53,7 @@ static void vhost_scsi_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- vpci_dev->nvectors = vs->conf.num_queues + 3;
- }
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/virtio/vhost-user-blk-pci.c b/hw/virtio/vhost-user-blk-pci.c
-index 1dc834a3ff153719100cd0fca891..fb4f321acff7c44b941bbaf836f0 100644
---- a/hw/virtio/vhost-user-blk-pci.c
-+++ b/hw/virtio/vhost-user-blk-pci.c
-@@ -58,7 +58,7 @@ static void vhost_user_blk_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- vpci_dev->nvectors = dev->vdev.num_queues + 1;
- }
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/virtio/vhost-user-fs-pci.c b/hw/virtio/vhost-user-fs-pci.c
-index 933a3f265b6a9657d3404a0aa311..65ce9fda95f9dd23de2ae2406973 100644
---- a/hw/virtio/vhost-user-fs-pci.c
-+++ b/hw/virtio/vhost-user-fs-pci.c
-@@ -15,6 +15,7 @@
- #include "hw/qdev-properties.h"
- #include "hw/virtio/vhost-user-fs.h"
- #include "virtio-pci.h"
-+#include "qapi/error.h"
-
- struct VHostUserFSPCI {
- VirtIOPCIProxy parent_obj;
-@@ -43,7 +44,7 @@ static void vhost_user_fs_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- vpci_dev->nvectors = dev->vdev.conf.num_request_queues + 1;
- }
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/virtio/vhost-user-scsi-pci.c b/hw/virtio/vhost-user-scsi-pci.c
-index ff13af70308f7ddadd7874cca185..011afba8582c8f61dbb5176d2944 100644
---- a/hw/virtio/vhost-user-scsi-pci.c
-+++ b/hw/virtio/vhost-user-scsi-pci.c
-@@ -59,7 +59,7 @@ static void vhost_user_scsi_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- vpci_dev->nvectors = vs->conf.num_queues + 3;
- }
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/virtio/vhost-vsock-pci.c b/hw/virtio/vhost-vsock-pci.c
-index 4ca097ffff5a8569245332800ba8..beaee685524608208147ba51fdce 100644
---- a/hw/virtio/vhost-vsock-pci.c
-+++ b/hw/virtio/vhost-vsock-pci.c
-@@ -17,6 +17,7 @@
- #include "hw/qdev-properties.h"
- #include "hw/virtio/vhost-vsock.h"
- #include "qemu/module.h"
-+#include "qapi/error.h"
-
- typedef struct VHostVSockPCI VHostVSockPCI;
-
-@@ -44,7 +45,7 @@ static void vhost_vsock_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- VHostVSockPCI *dev = VHOST_VSOCK_PCI(vpci_dev);
- DeviceState *vdev = DEVICE(&dev->vdev);
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/virtio/virtio-9p-pci.c b/hw/virtio/virtio-9p-pci.c
-index 22a183cca7e5292f2c90e7938e4d..9d2bc7cd857fd48e681998a2d55e 100644
---- a/hw/virtio/virtio-9p-pci.c
-+++ b/hw/virtio/virtio-9p-pci.c
-@@ -19,6 +19,7 @@
- #include "hw/9pfs/virtio-9p.h"
- #include "hw/qdev-properties.h"
- #include "qemu/module.h"
-+#include "qapi/error.h"
-
- /*
- * virtio-9p-pci: This extends VirtioPCIProxy.
-@@ -38,7 +39,7 @@ static void virtio_9p_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- V9fsPCIState *dev = VIRTIO_9P_PCI(vpci_dev);
- DeviceState *vdev = DEVICE(&dev->vdev);
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/virtio/virtio-balloon-pci.c b/hw/virtio/virtio-balloon-pci.c
-index 69ca0579110f66bc70464caadbac..894513fbed1b8d0029d049fc07d6 100644
---- a/hw/virtio/virtio-balloon-pci.c
-+++ b/hw/virtio/virtio-balloon-pci.c
-@@ -48,7 +48,7 @@ static void virtio_balloon_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- vpci_dev->class_code = PCI_CLASS_OTHERS;
- }
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/virtio/virtio-blk-pci.c b/hw/virtio/virtio-blk-pci.c
-index d9b69a5af351df5c52a6cba1bbc4..6b9e03ef5bec673179c953e53e84 100644
---- a/hw/virtio/virtio-blk-pci.c
-+++ b/hw/virtio/virtio-blk-pci.c
-@@ -55,7 +55,7 @@ static void virtio_blk_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- vpci_dev->nvectors = dev->vdev.conf.num_queues + 1;
- }
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/virtio/virtio-crypto-pci.c b/hw/virtio/virtio-crypto-pci.c
-index d853dc460cc5144a8735b3d332b6..46e96ccccf3b0121954869771bce 100644
---- a/hw/virtio/virtio-crypto-pci.c
-+++ b/hw/virtio/virtio-crypto-pci.c
-@@ -53,7 +53,7 @@ static void virtio_crypto_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- return;
- }
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- virtio_pci_force_virtio_1(vpci_dev);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- object_property_set_link(OBJECT(vcrypto),
-diff --git a/hw/virtio/virtio-input-pci.c b/hw/virtio/virtio-input-pci.c
-index 80b1172c90b0d37cb8f23b650069..b7fe75938f5cd0f9f58a1a227d7b 100644
---- a/hw/virtio/virtio-input-pci.c
-+++ b/hw/virtio/virtio-input-pci.c
-@@ -12,6 +12,7 @@
- #include "hw/qdev-properties.h"
- #include "hw/virtio/virtio-input.h"
- #include "qemu/module.h"
-+#include "qapi/error.h"
-
- typedef struct VirtIOInputPCI VirtIOInputPCI;
- typedef struct VirtIOInputHIDPCI VirtIOInputHIDPCI;
-@@ -49,7 +50,7 @@ static void virtio_input_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- VirtIOInputPCI *vinput = VIRTIO_INPUT_PCI(vpci_dev);
- DeviceState *vdev = DEVICE(&vinput->vdev);
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- virtio_pci_force_virtio_1(vpci_dev);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-diff --git a/hw/virtio/virtio-net-pci.c b/hw/virtio/virtio-net-pci.c
-index f670aed0a77b47da99fdf02440dd..dd7d4b74845aa587cd6ade447543 100644
---- a/hw/virtio/virtio-net-pci.c
-+++ b/hw/virtio/virtio-net-pci.c
-@@ -52,7 +52,7 @@ static void virtio_net_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
-
- virtio_net_set_netclient_name(&dev->vdev, qdev->id,
- object_get_typename(OBJECT(qdev)));
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/virtio/virtio-pmem-pci.c b/hw/virtio/virtio-pmem-pci.c
-index fe2af00fa1652a7ee9ff20de8d0c..3c5dd1b87d564af18bf3f2bd220d 100644
---- a/hw/virtio/virtio-pmem-pci.c
-+++ b/hw/virtio/virtio-pmem-pci.c
-@@ -22,7 +22,7 @@ static void virtio_pmem_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- VirtIOPMEMPCI *pmem_pci = VIRTIO_PMEM_PCI(vpci_dev);
- DeviceState *vdev = DEVICE(&pmem_pci->vdev);
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/virtio/virtio-rng-pci.c b/hw/virtio/virtio-rng-pci.c
-index 8aaf54b781d6545d0597912f29f4..048c2aa85b12d51c03eb404e4647 100644
---- a/hw/virtio/virtio-rng-pci.c
-+++ b/hw/virtio/virtio-rng-pci.c
-@@ -36,7 +36,7 @@ static void virtio_rng_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- DeviceState *vdev = DEVICE(&vrng->vdev);
- Error *err = NULL;
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", &err);
- if (err) {
- error_propagate(errp, err);
-diff --git a/hw/virtio/virtio-scsi-pci.c b/hw/virtio/virtio-scsi-pci.c
-index 3c55dc19a105dd562a505c64d14c..b4e81ceb46c3a8d5306cf4b29e66 100644
---- a/hw/virtio/virtio-scsi-pci.c
-+++ b/hw/virtio/virtio-scsi-pci.c
-@@ -19,6 +19,7 @@
- #include "hw/virtio/virtio-scsi.h"
- #include "qemu/module.h"
- #include "virtio-pci.h"
-+#include "qapi/error.h"
-
- typedef struct VirtIOSCSIPCI VirtIOSCSIPCI;
-
-@@ -64,7 +65,7 @@ static void virtio_scsi_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- g_free(bus_name);
- }
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/virtio/virtio-serial-pci.c b/hw/virtio/virtio-serial-pci.c
-index 953abbd13ab7f0ffca6a5af539ce..1f02930002fa4c833a75c64187a0 100644
---- a/hw/virtio/virtio-serial-pci.c
-+++ b/hw/virtio/virtio-serial-pci.c
-@@ -21,6 +21,7 @@
- #include "hw/virtio/virtio-serial.h"
- #include "qemu/module.h"
- #include "virtio-pci.h"
-+#include "qapi/error.h"
-
- typedef struct VirtIOSerialPCI VirtIOSerialPCI;
-
-@@ -65,7 +66,7 @@ static void virtio_serial_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
- g_free(bus_name);
- }
-
-- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus));
-+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort);
- object_property_set_bool(OBJECT(vdev), true, "realized", errp);
- }
-
-diff --git a/hw/xen/xen-legacy-backend.c b/hw/xen/xen-legacy-backend.c
-index 4412d7aa7639c00b6f54bdd5f532..d38095acca6766cda2aa3413c2b4 100644
---- a/hw/xen/xen-legacy-backend.c
-+++ b/hw/xen/xen-legacy-backend.c
-@@ -278,7 +278,7 @@ static struct XenLegacyDevice *xen_be_get_xendev(const char *type, int dom,
- xendev = g_malloc0(ops->size);
- object_initialize(&xendev->qdev, ops->size, TYPE_XENBACKEND);
- OBJECT(xendev)->free = g_free;
-- qdev_set_parent_bus(DEVICE(xendev), xen_sysbus);
-+ qdev_set_parent_bus(DEVICE(xendev), xen_sysbus, &error_abort);
- qdev_set_id(DEVICE(xendev), g_strdup_printf("xen-%s-%d", type, dev));
- qdev_init_nofail(DEVICE(xendev));
- object_unref(OBJECT(xendev));
-diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h
-index 1518495b1e0a953fa1547889f5dc..2b0186f0af593deee82a02693589 100644
---- a/include/hw/qdev-core.h
-+++ b/include/hw/qdev-core.h
-@@ -188,13 +188,24 @@ struct BusClass {
- /* FIXME first arg should be BusState */
- void (*print_dev)(Monitor *mon, DeviceState *dev, int indent);
- char *(*get_dev_path)(DeviceState *dev);
-+
- /*
- * This callback is used to create Open Firmware device path in accordance
- * with OF spec http://forthworks.com/standards/of1275.pdf. Individual bus
- * bindings can be found at http://playground.sun.com/1275/bindings/.
- */
- char *(*get_fw_dev_path)(DeviceState *dev);
-+
- void (*reset)(BusState *bus);
-+
-+ /*
-+ * Return whether the device can be added to @bus,
-+ * based on the address that was set (via device properties)
-+ * before realize. If not, on return @errp contains the
-+ * human-readable error message.
-+ */
-+ bool (*check_address)(BusState *bus, DeviceState *dev, Error **errp);
-+
- BusRealize realize;
- BusUnrealize unrealize;
-
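Review bot: the check_address comment gives the return polarity only as "whether the device can be added" and does not say whether a bus class may leave the callback NULL or at which point the core invokes it. State that true means the address is acceptable, that @errp is set exactly when false is returned, and what an unset callback means. The two blank lines added around get_fw_dev_path and reset are unrelated whitespace changes and could be dropped from the backport.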
-@@ -450,7 +461,7 @@ const char *qdev_fw_name(DeviceState *dev);
- Object *qdev_get_machine(void);
-
- /* FIXME: make this a link<> */
--void qdev_set_parent_bus(DeviceState *dev, BusState *bus);
-+bool qdev_set_parent_bus(DeviceState *dev, BusState *bus, Error **errp);
-
- extern bool qdev_hotplug;
- extern bool qdev_hot_removed;
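Review bot: the prototype now returns bool and takes errp, but nothing documents the return value, and every converted caller visible in this patch discards it while passing &error_abort. Add a doc comment (true on success, false with @errp set) and consider a warn-unused-result annotation so that a later caller passing a real errp cannot silently ignore a failed attach. The stale "FIXME: make this a link<>" comment above it is left as is and should be revisited.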
-diff --git a/qdev-monitor.c b/qdev-monitor.c
-index e6b112eb0ab0252ecb1d585d3784..dc0323051e33833c4bcb638c7657 100644
---- a/qdev-monitor.c
-+++ b/qdev-monitor.c
-@@ -654,7 +654,7 @@ DeviceState *qdev_device_add(QemuOpts *opts, Error **errp)
- }
-
- if (bus) {
-- qdev_set_parent_bus(dev, bus);
-+ qdev_set_parent_bus(dev, bus, &error_abort);
- } else if (qdev_hotplug && !qdev_get_machine_hotplug_handler(dev)) {
- /* No bus, no machine hotplug handler --> device is not hotpluggable */
- error_setg(&err, "Device '%s' can not be hotplugged on this machine",
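Review bot: qdev_device_add() has a real error path (the local err is set with error_setg() two lines below), yet the converted call passes &error_abort and ignores the bool result. A bus that rejects the device would abort QEMU from qdev_device_add() instead of reporting an error to the caller. Pass &err here, test the return value, and handle failure the same way the "can not be hotplugged" case is handled.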
+++ /dev/null
-From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
-Date: Wed, 10 Aug 2016 19:00:24 +0200
-Subject: qemu-binfmt-conf: Modify default path
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Change QEMU_PATH from /usr/local/bin to /usr/bin prefix.
-
-Signed-off-by: Andreas Färber <afaerber@suse.de>
----
- scripts/qemu-binfmt-conf.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
-index 9f1580a91c7d3ad64120fe8ee66d..246546b10ca5df38035e5ba46a09 100755
---- a/scripts/qemu-binfmt-conf.sh
-+++ b/scripts/qemu-binfmt-conf.sh
-@@ -323,7 +323,7 @@ BINFMT_SET=qemu_register_interpreter
- SYSTEMDDIR="/etc/binfmt.d"
- DEBIANDIR="/usr/share/binfmts"
-
--QEMU_PATH=/usr/local/bin
-+QEMU_PATH=/usr/bin
- CREDENTIAL=no
- PERSISTENT=no
- QEMU_SUFFIX=""
+++ /dev/null
-From: Andreas Schwab <schwab@suse.de>
-Date: Fri, 12 Aug 2016 18:20:49 +0200
-Subject: qemu-binfmt-conf: use qemu-ARCH-binfmt
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Andreas Schwab <schwab@suse.de>
-Signed-off-by: Andreas Färber <afaerber@suse.de>
----
- scripts/qemu-binfmt-conf.sh | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
-index 246546b10ca5df38035e5ba46a09..e0666a3afdc81f0f8277a53f3e1e 100755
---- a/scripts/qemu-binfmt-conf.sh
-+++ b/scripts/qemu-binfmt-conf.sh
-@@ -266,7 +266,7 @@ qemu_generate_register() {
- flags="${flags}F"
- fi
-
-- echo ":qemu-$cpu:M::$magic:$mask:$qemu:$flags"
-+ echo ":qemu-$cpu:M::$magic:$mask:$qemu:P$flags"
- }
-
- qemu_register_interpreter() {
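Review bot: the P flag is prepended unconditionally in qemu_generate_register() and the commit message gives no rationale. With P, binfmt_misc passes the original argv[0] as an additional argument, so the registered interpreter must expect it. That only holds for the qemu-$cpu-binfmt path introduced in the next hunk, so the two changes are tightly coupled; a one-line comment above the echo naming the binary that consumes the extra argument would make this explicit.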
-@@ -305,9 +305,9 @@ qemu_set_binfmts() {
- continue
- fi
-
-- qemu="$QEMU_PATH/qemu-$cpu"
-+ qemu="$QEMU_PATH/qemu-$cpu-binfmt"
- if [ "$cpu" = "i486" ] ; then
-- qemu="$QEMU_PATH/qemu-i386"
-+ qemu="$QEMU_PATH/qemu-i386-binfmt"
- fi
-
- qemu="$qemu$QEMU_SUFFIX"
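Review bot: $QEMU_SUFFIX is still appended after the new -binfmt component (last context line), so a suffixed configuration resolves to qemu-$cpu-binfmt$QEMU_SUFFIX. Confirm that a binary with that name is actually installed, otherwise the registration points at a nonexistent interpreter. The i486 special case now repeats the -binfmt literal; selecting the basename first and appending -binfmt once would keep the two strings from drifting apart.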
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Tue, 2 Aug 2016 11:36:02 -0600
-Subject: qemu-bridge-helper: reduce security profile
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-References: boo#988279
-
-Change from using glib alloc and free routines to those
-from libc. Also perform safety measure of dropping privs
-to user if configured no-caps.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
-[AF: Rebased for v2.7.0-rc2]
-Signed-off-by: Andreas Färber <afaerber@suse.de>
----
- qemu-bridge-helper.c | 28 +++++++++++++++++++++++++---
- 1 file changed, 25 insertions(+), 3 deletions(-)
-
-diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
-index 3d50ec094c794b9c0835628f10c5..f2291b398f8e4589f649af226dba 100644
---- a/qemu-bridge-helper.c
-+++ b/qemu-bridge-helper.c
-@@ -123,7 +123,12 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
- }
-
- if (strcmp(cmd, "deny") == 0) {
-- acl_rule = g_malloc(sizeof(*acl_rule));
-+ acl_rule = calloc(1, sizeof(*acl_rule));
-+ if (!acl_rule) {
-+ fclose(f);
-+ errno = ENOMEM;
-+ return -1;
-+ }
- if (strcmp(arg, "all") == 0) {
- acl_rule->type = ACL_DENY_ALL;
- } else {
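Review bot: on the new ENOMEM return in the "deny" branch, rules parsed from earlier lines are already queued on acl_list, and the function returns -1 without releasing them. Confirm that the caller's failure path reaches the cleanup loop that frees acl_list, or free the partial list here before returning. Setting errno after fclose(f) is the right order, since fclose() may overwrite it.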
-@@ -132,7 +137,12 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
- }
- QSIMPLEQ_INSERT_TAIL(acl_list, acl_rule, entry);
- } else if (strcmp(cmd, "allow") == 0) {
-- acl_rule = g_malloc(sizeof(*acl_rule));
-+ acl_rule = calloc(1, sizeof(*acl_rule));
-+ if (!acl_rule) {
-+ fclose(f);
-+ errno = ENOMEM;
-+ return -1;
-+ }
- if (strcmp(arg, "all") == 0) {
- acl_rule->type = ACL_ALLOW_ALL;
- } else {
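Review bot: the "allow" branch duplicates the six-line calloc, fclose, errno, return block from the "deny" branch verbatim. Factor the allocation and its failure handling into one small helper (or allocate once before the strcmp chain) so the two paths cannot diverge when one of them is changed later.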
-@@ -433,6 +443,18 @@ int main(int argc, char **argv)
- goto cleanup;
- }
-
-+#ifndef CONFIG_LIBCAP
-+ /*
-+ * avoid sending the fd as root user if running suid to not fool
-+ * peer credentials to daemons that dont expect that
-+ */
-+ if (setuid(getuid()) < 0) {
-+ fprintf(stderr, "Failed to drop privileges.\n");
-+ ret = EXIT_FAILURE;
-+ goto cleanup;
-+ }
-+#endif
-+
- /* write fd to the domain socket */
- if (send_fd(unixfd, fd) == -1) {
- fprintf(stderr, "failed to write fd to unix socket: %s\n",
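Review bot: setuid(getuid()) drops only the user id; the group id and supplementary groups are untouched, so if the helper is ever installed setgid, the peer still sees the privileged gid in the socket credentials. Call setgid(getgid()) before setuid() and check it the same way. The block is compiled only under #ifndef CONFIG_LIBCAP, so please confirm that the CONFIG_LIBCAP build also reaches send_fd() with a non-root effective uid. Minor: "dont" in the comment should be "don't".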
-@@ -454,7 +476,7 @@ cleanup:
- }
- while ((acl_rule = QSIMPLEQ_FIRST(&acl_list)) != NULL) {
- QSIMPLEQ_REMOVE_HEAD(&acl_list, entry);
-- g_free(acl_rule);
-+ free(acl_rule);
- }
-
- return ret;
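Review bot: free() in the cleanup loop is correct only if every acl_rule on the list was allocated with calloc(). The two allocation sites changed in parse_acl_file() match, but any remaining g_malloc() or g_new() of an ACL rule elsewhere in the file would now be released with the wrong allocator; a quick grep for g_malloc and g_free in qemu-bridge-helper.c should accompany this change.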
+++ /dev/null
-From: Ulrich Hecht <uli@suse.de>
-Date: Tue, 14 Apr 2009 16:25:41 +0200
-Subject: qemu-cvs-gettimeofday
-
-No clue what this is for.
-
-[BR: minor edits to pass qemu's checkpatch script]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- linux-user/syscall.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 171c0caef3a191c861e76493ccfc..25b0f3bba38b8629cb4bc027be96 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -8558,6 +8558,9 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
- case TARGET_NR_gettimeofday:
- {
- struct timeval tv;
-+ if (copy_from_user_timeval(&tv, arg1)) {
-+ return -TARGET_EFAULT;
-+ }
- ret = get_errno(gettimeofday(&tv, NULL));
- if (!is_error(ret)) {
- if (copy_to_user_timeval(arg1, &tv))
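Review bot: copy_from_user_timeval(&tv, arg1) reads the guest's timeval only for tv to be overwritten by gettimeofday() on the next line, so the added call acts purely as an early EFAULT check, and the commit message ("No clue what this is for") does not justify it. It also requires the guest buffer to be readable for a syscall that only writes to it. If the intent is to fault before calling the host, say so in a comment and use a write-access check on arg1 instead of a discarded read.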
+++ /dev/null
-From: Alexander Graf <agraf@suse.de>
-Date: Tue, 14 Apr 2009 16:26:33 +0200
-Subject: qemu-cvs-ioctl_debug
-
-Extends unsupported ioctl debug output.
-
-Signed-off-by: Alexander Graf <agraf@suse.de>
-Signed-off-by: Ulrich Hecht <uli@suse.de>
-[BR: minor edits to pass qemu's checkpatch script]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- linux-user/syscall.c | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 25b0f3bba38b8629cb4bc027be96..49db231f031015265f6d8cead831 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -5151,7 +5151,19 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
- ie = ioctl_entries;
- for(;;) {
- if (ie->target_cmd == 0) {
-- gemu_log("Unsupported ioctl: cmd=0x%04lx\n", (long)cmd);
-+ int i;
-+ gemu_log("Unsupported ioctl: cmd=0x%04lx (%x)\n", (unsigned long)cmd,
-+ (unsigned int)(cmd & (TARGET_IOC_SIZEMASK << TARGET_IOC_SIZESHIFT))
-+ >> TARGET_IOC_SIZESHIFT);
-+ for (i = 0; ioctl_entries[i].target_cmd; i++) {
-+ if ((ioctl_entries[i].target_cmd & ~(TARGET_IOC_SIZEMASK
-+ << TARGET_IOC_SIZESHIFT)) == (cmd & ~(TARGET_IOC_SIZEMASK <<
-+ TARGET_IOC_SIZESHIFT)))
-+ gemu_log("%p\t->\t%s (%x)\n", (void *)(unsigned long)
-+ ioctl_entries[i].host_cmd, ioctl_entries[i].name,
-+ (ioctl_entries[i].target_cmd & (TARGET_IOC_SIZEMASK
-+ << TARGET_IOC_SIZESHIFT)) >> TARGET_IOC_SIZESHIFT);
-+ }
- return -TARGET_ENOSYS;
- }
- if (ie->target_cmd == cmd)
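Review bot: the added loop walks the entire ioctl_entries table and emits a log line per near-match every time the emulated program issues an unsupported ioctl, so the program being emulated controls the log volume. Gate the table dump behind a debug option or log it once per cmd value. The if inside the for loop has no braces, and host_cmd is printed with %p through a (void *)(unsigned long) cast where a hex integer format would match the other fields.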
+++ /dev/null
-From: Alexander Graf <agraf@suse.de>
-Date: Tue, 14 Apr 2009 16:27:36 +0200
-Subject: qemu-cvs-ioctl_nodirection
-
-the direction given in the ioctl should be correct so we can assume the
-communication is uni-directional. The alsa developers did not like this
-concept though and declared ioctls IOC_R and IOC_W even though they were
-IOC_RW.
-
-Signed-off-by: Alexander Graf <agraf@suse.de>
-Signed-off-by: Ulrich Hecht <uli@suse.de>
-[BR: minor edits to pass qemu's checkpatch script]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- linux-user/syscall.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 49db231f031015265f6d8cead831..57be4c98555e50f2263811cd11f4 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -5192,6 +5192,13 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
- arg_type++;
- target_size = thunk_type_size(arg_type, 0);
- switch(ie->access) {
-+ /*
-+ * FIXME: actually the direction given in the ioctl should be
-+ * correct so we can assume the communication is uni-directional.
-+ * The alsa developers did not like this concept though and
-+ * declared ioctls IOC_R and IOC_W even though they were IOC_RW.
-+ */
-+/*
- case IOC_R:
- ret = get_errno(safe_ioctl(fd, ie->host_cmd, buf_temp));
- if (!is_error(ret)) {
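Review bot: disabling the IOC_R and IOC_W cases with a raw block comment that opens in this hunk and closes in the next is fragile, because any block comment inside the disabled region would end it early and the dead code is no longer compiled or checked. Use #if 0 / #endif or remove the cases. The FIXME should also state the consequence: every ioctl now takes the IOC_RW path, which locks the guest buffer with VERIFY_READ, so arguments the guest intended as write-only must be readable as well.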
-@@ -5210,6 +5217,7 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
- unlock_user(argptr, arg, 0);
- ret = get_errno(safe_ioctl(fd, ie->host_cmd, buf_temp));
- break;
-+*/
- default:
- case IOC_RW:
- argptr = lock_user(VERIFY_READ, arg, target_size, 1);
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Wed, 7 Oct 2020 06:43:03 -0400
-Subject: qemu-iotests, qtest: rewrite test 067 as a qtest
-
-Git-commit: d8a18da56df93b7f778fb97ba370031597d19ffd
-References: bsc#1184574
-
-Test 067 from qemu-iotests is executing QMP commands to hotplug
-and hot-unplug disks, devices and blockdevs. Because the power
-of the text-based test harness is limited, it is actually limiting
-the checks that it does, for example by skipping DEVICE_DELETED
-events.
-
-tests/qtest already has a similar test, drive_del-test.c.
-We can merge them, and even reuse some of the existing code in
-drive_del-test.c. This will improve the quality of the test by
-covering DEVICE_DELETED events and testing multiple architectures
-(therefore covering multiple PCI hotplug mechanisms as well as s390x
-virtio-ccw).
-
-The only difference is that the new test will always use null-co:// for
-the medium rather than qcow2 or raw, but this should be irrelevant for
-what the test is covering. For example there are no "qemu-img check"
-runs in 067 that would check that the file is properly closed.
-
-The new tests requires PCI hot-plug support, so drive_del-test
-is moved from qemu-system-ppc to qemu-system-ppc64.
-
-Reviewed-by: Kevin Wolf <kwolf@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- .gitlab-ci.yml | 2 +-
- tests/Makefile.include | 2 +-
- tests/drive_del-test.c | 211 ++++++++++++++++---
- tests/qemu-iotests/067 | 155 --------------
- tests/qemu-iotests/067.out | 414 -------------------------------------
- tests/qemu-iotests/group | 2 +-
- 6 files changed, 190 insertions(+), 596 deletions(-)
-
-diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
-index be57c6a454a5e83b2a433dbe0d8d..aa19ee9c80f444a9b7e97d3b3563 100644
---- a/.gitlab-ci.yml
-+++ b/.gitlab-ci.yml
-@@ -45,7 +45,7 @@ build-tcg-disabled:
- - ./check -raw 001 002 003 004 005 008 009 010 011 012 021 025 032 033 048
- 052 063 077 086 101 104 106 113 147 148 150 151 152 157 159 160
- 163 170 171 183 184 192 194 197 205 208 215 221 222 226 227 236
-- - ./check -qcow2 028 040 051 056 057 058 065 067 068 082 085 091 095 096 102
-+ - ./check -qcow2 028 040 051 056 057 058 065 068 082 085 091 095 096 102
- 122 124 127 129 132 139 142 144 145 147 151 152 155 157 165 194
- 196 197 200 202 203 205 208 209 215 216 218 222 227 234 246 247
- 248 250 254 255 256
-diff --git a/tests/Makefile.include b/tests/Makefile.include
-index e8bb416ddb89e99c956d224de844..ff1a1282485049f12463c545e074 100644
---- a/tests/Makefile.include
-+++ b/tests/Makefile.include
-@@ -232,7 +232,6 @@ check-qtest-moxie-y += tests/boot-serial-test$(EXESUF)
- check-qtest-ppc-$(CONFIG_ISA_TESTDEV) = tests/endianness-test$(EXESUF)
- check-qtest-ppc-y += tests/boot-order-test$(EXESUF)
- check-qtest-ppc-y += tests/prom-env-test$(EXESUF)
--check-qtest-ppc-y += tests/drive_del-test$(EXESUF)
- check-qtest-ppc-y += tests/boot-serial-test$(EXESUF)
- check-qtest-ppc-$(CONFIG_M48T59) += tests/m48t59-test$(EXESUF)
-
-@@ -249,6 +248,7 @@ check-qtest-ppc64-$(CONFIG_POSIX) += tests/test-filter-mirror$(EXESUF)
- check-qtest-ppc64-$(CONFIG_RTL8139_PCI) += tests/test-filter-redirector$(EXESUF)
- check-qtest-ppc64-$(CONFIG_VGA) += tests/display-vga-test$(EXESUF)
- check-qtest-ppc64-y += tests/numa-test$(EXESUF)
-+check-qtest-ppc64-y += tests/drive_del-test$(EXESUF)
- check-qtest-ppc64-$(CONFIG_IVSHMEM_DEVICE) += tests/ivshmem-test$(EXESUF)
- check-qtest-ppc64-y += tests/cpu-plug-test$(EXESUF)
-
-diff --git a/tests/drive_del-test.c b/tests/drive_del-test.c
-index de0dc6f5bedff9989740b31325e6..b032e98b236857b3d39842349873 100644
---- a/tests/drive_del-test.c
-+++ b/tests/drive_del-test.c
-@@ -16,21 +16,21 @@
- #include "qapi/qmp/qdict.h"
- #include "qapi/qmp/qlist.h"
-
--static bool has_drive(QTestState *qts)
-+static bool look_for_drive0(QTestState *qts, const char *command, const char *key)
- {
- QDict *response;
- QList *ret;
- QListEntry *entry;
- bool found;
-
-- response = qtest_qmp(qts, "{'execute': 'query-block'}");
-+ response = qtest_qmp(qts, "{'execute': %s}", command);
- g_assert(response && qdict_haskey(response, "return"));
- ret = qdict_get_qlist(response, "return");
-
- found = false;
- QLIST_FOREACH_ENTRY(ret, entry) {
- QDict *entry_dict = qobject_to(QDict, entry->value);
-- if (!strcmp(qdict_get_str(entry_dict, "device"), "drive0")) {
-+ if (!strcmp(qdict_get_str(entry_dict, key), "drive0")) {
- found = true;
- break;
- }
-@@ -40,6 +40,38 @@ static bool has_drive(QTestState *qts)
- return found;
- }
-
-+static bool has_drive(QTestState *qts)
-+{
-+ return look_for_drive0(qts, "query-block", "device");
-+}
-+
-+static bool has_blockdev(QTestState *qts)
-+{
-+ return look_for_drive0(qts, "query-named-block-nodes", "node-name");
-+}
-+
-+static void blockdev_add_with_media(QTestState *qts)
-+{
-+ QDict *response;
-+
-+ response = qtest_qmp(qts,
-+ "{ 'execute': 'blockdev-add',"
-+ " 'arguments': {"
-+ " 'driver': 'raw',"
-+ " 'node-name': 'drive0',"
-+ " 'file': {"
-+ " 'driver': 'null-co',"
-+ " 'read-zeroes': true"
-+ " }"
-+ " }"
-+ "}");
-+
-+ g_assert(response);
-+ g_assert(qdict_haskey(response, "return"));
-+ qobject_unref(response);
-+ g_assert(has_blockdev(qts));
-+}
-+
- static void drive_add(QTestState *qts)
- {
- char *resp = qtest_hmp(qts, "drive_add 0 if=none,id=drive0");
-@@ -49,6 +81,17 @@ static void drive_add(QTestState *qts)
- g_free(resp);
- }
-
-+static void drive_add_with_media(QTestState *qts)
-+{
-+ char *resp = qtest_hmp(qts,
-+ "drive_add 0 if=none,id=drive0,file=null-co://,"
-+ "file.read-zeroes=on,format=raw");
-+
-+ g_assert_cmpstr(resp, ==, "OK\r\n");
-+ g_assert(has_drive(qts));
-+ g_free(resp);
-+}
-+
- static void drive_del(QTestState *qts)
- {
- char *resp;
-@@ -60,7 +103,43 @@ static void drive_del(QTestState *qts)
- g_free(resp);
- }
-
--static void device_del(QTestState *qts)
-+/*
-+ * qvirtio_get_dev_type:
-+ * Returns: the preferred virtio bus/device type for the current architecture.
-+ * TODO: delete this
-+ */
-+static const char *qvirtio_get_dev_type(void)
-+{
-+ const char *arch = qtest_get_arch();
-+
-+ if (g_str_equal(arch, "arm") || g_str_equal(arch, "aarch64")) {
-+ return "device"; /* for virtio-mmio */
-+ } else if (g_str_equal(arch, "s390x")) {
-+ return "ccw";
-+ } else {
-+ return "pci";
-+ }
-+}
-+
-+static void device_add(QTestState *qts)
-+{
-+ QDict *response;
-+ char driver[32];
-+ snprintf(driver, sizeof(driver), "virtio-blk-%s",
-+ qvirtio_get_dev_type());
-+
-+ response = qtest_qmp(qts, "{'execute': 'device_add',"
-+ " 'arguments': {"
-+ " 'driver': %s,"
-+ " 'drive': 'drive0',"
-+ " 'id': 'dev0'"
-+ "}}", driver);
-+ g_assert(response);
-+ g_assert(qdict_haskey(response, "return"));
-+ qobject_unref(response);
-+}
-+
-+static void device_del(QTestState *qts, bool and_reset)
- {
- QDict *response;
-
-@@ -70,6 +149,13 @@ static void device_del(QTestState *qts)
- g_assert(qdict_haskey(response, "return"));
- qobject_unref(response);
-
-+ if (and_reset) {
-+ response = qtest_qmp(qts, "{'execute': 'system_reset' }");
-+ g_assert(response);
-+ g_assert(qdict_haskey(response, "return"));
-+ qobject_unref(response);
-+ }
-+
- qtest_qmp_eventwait(qts, "DEVICE_DELETED");
- }
-
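Review bot: the new and_reset parameter makes device_del() send system_reset between the device_del command and the DEVICE_DELETED wait, but neither the parameter nor the block says why. The tests added later describe devices that "unplug after reset"; put that explanation on the function so a caller knows when passing false is safe and when the event wait would otherwise hang.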
-@@ -91,24 +177,6 @@ static void test_drive_without_dev(void)
- qtest_quit(qts);
- }
-
--/*
-- * qvirtio_get_dev_type:
-- * Returns: the preferred virtio bus/device type for the current architecture.
-- * TODO: delete this
-- */
--static const char *qvirtio_get_dev_type(void)
--{
-- const char *arch = qtest_get_arch();
--
-- if (g_str_equal(arch, "arm") || g_str_equal(arch, "aarch64")) {
-- return "device"; /* for virtio-mmio */
-- } else if (g_str_equal(arch, "s390x")) {
-- return "ccw";
-- } else {
-- return "pci";
-- }
--}
--
- static void test_after_failed_device_add(void)
- {
- char driver[32];
-@@ -158,12 +226,97 @@ static void test_drive_del_device_del(void)
- * Doing it in this order takes notoriously tricky special paths
- */
- drive_del(qts);
-- device_del(qts);
-+ device_del(qts, false);
- g_assert(!has_drive(qts));
-
- qtest_quit(qts);
- }
-
-+static void test_cli_device_del(void)
-+{
-+ QTestState *qts;
-+
-+ /*
-+ * -drive/-device and device_del. Start with a drive used by a
-+ * device that unplugs after reset.
-+ */
-+ qts = qtest_initf("-drive if=none,id=drive0,file=null-co://,"
-+ "file.read-zeroes=on,format=raw"
-+ " -device virtio-blk-%s,drive=drive0,id=dev0",
-+ qvirtio_get_dev_type());
-+
-+ device_del(qts, true);
-+ g_assert(!has_drive(qts));
-+
-+ qtest_quit(qts);
-+}
-+
-+static void test_empty_device_del(void)
-+{
-+ QTestState *qts;
-+
-+ /* device_del with no drive plugged. */
-+ qts = qtest_initf("-device virtio-scsi-%s -device scsi-cd,id=dev0",
-+ qvirtio_get_dev_type());
-+
-+ device_del(qts, false);
-+ qtest_quit(qts);
-+}
-+
-+static void test_device_add_and_del(void)
-+{
-+ QTestState *qts;
-+
-+ /*
-+ * -drive/device_add and device_del. Start with a drive used by a
-+ * device that unplugs after reset.
-+ */
-+ qts = qtest_init("-drive if=none,id=drive0,file=null-co://,"
-+ "file.read-zeroes=on,format=raw");
-+
-+ device_add(qts);
-+ device_del(qts, true);
-+ g_assert(!has_drive(qts));
-+
-+ qtest_quit(qts);
-+}
-+
-+static void test_drive_add_device_add_and_del(void)
-+{
-+ QTestState *qts;
-+
-+ qts = qtest_init("");
-+
-+ /*
-+ * drive_add/device_add and device_del. The drive is used by a
-+ * device that unplugs after reset.
-+ */
-+ drive_add_with_media(qts);
-+ device_add(qts);
-+ device_del(qts, true);
-+ g_assert(!has_drive(qts));
-+
-+ qtest_quit(qts);
-+}
-+
-+static void test_blockdev_add_device_add_and_del(void)
-+{
-+ QTestState *qts;
-+
-+ qts = qtest_init("");
-+
-+ /*
-+ * blockdev_add/device_add and device_del. The it drive is used by a
-+ * device that unplugs after reset, but it doesn't go away.
-+ */
-+ blockdev_add_with_media(qts);
-+ device_add(qts);
-+ device_del(qts, true);
-+ g_assert(has_blockdev(qts));
-+
-+ qtest_quit(qts);
-+}
-+
- int main(int argc, char **argv)
- {
- g_test_init(&argc, &argv, NULL);
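Review bot: the comment in test_blockdev_add_device_add_and_del() reads "The it drive is used by", which should be "The drive is used by". test_device_add_and_del() reuses the "Start with a drive used by a device" wording from test_cli_device_del() although it plugs the device itself through device_add(). test_empty_device_del() asserts nothing after device_del(), so its comment should say that completing the DEVICE_DELETED wait is the check.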
-@@ -173,8 +326,18 @@ int main(int argc, char **argv)
- if (qvirtio_get_dev_type() != NULL) {
- qtest_add_func("/drive_del/after_failed_device_add",
- test_after_failed_device_add);
-- qtest_add_func("/blockdev/drive_del_device_del",
-+ qtest_add_func("/drive_del/drive_del_device_del",
- test_drive_del_device_del);
-+ qtest_add_func("/device_del/drive/cli_device",
-+ test_cli_device_del);
-+ qtest_add_func("/device_del/drive/device_add",
-+ test_device_add_and_del);
-+ qtest_add_func("/device_del/drive/drive_add_device_add",
-+ test_drive_add_device_add_and_del);
-+ qtest_add_func("/device_del/empty",
-+ test_empty_device_del);
-+ qtest_add_func("/device_del/blockdev",
-+ test_blockdev_add_device_add_and_del);
- }
-
- return g_test_run();
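Review bot: the guard qvirtio_get_dev_type() != NULL is always true, since the helper moved earlier in this patch returns "device", "ccw" or "pci" on every path, so all seven tests are registered unconditionally. Either drop the guard or replace it with a check that expresses the real requirement (the commit message names PCI hot-plug support). The rename of /blockdev/drive_del_device_del to /drive_del/drive_del_device_del is not mentioned in the commit message and will change test paths in existing reports.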
-diff --git a/tests/qemu-iotests/067 b/tests/qemu-iotests/067
-deleted file mode 100755
-index 926c79b37c45703f7140e9d0eabe10bc87dd969f..0000000000000000000000000000000000000000
---- a/tests/qemu-iotests/067
-+++ /dev/null
-@@ -1,155 +0,0 @@
--#!/usr/bin/env bash
--#
--# Test automatic deletion of BDSes created by -drive/drive_add
--#
--# Copyright (C) 2013 Red Hat, Inc.
--#
--# This program is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; either version 2 of the License, or
--# (at your option) any later version.
--#
--# This program is distributed in the hope that it will be useful,
--# but WITHOUT ANY WARRANTY; without even the implied warranty of
--# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
--# GNU General Public License for more details.
--#
--# You should have received a copy of the GNU General Public License
--# along with this program. If not, see <http://www.gnu.org/licenses/>.
--#
--
--# creator
--owner=kwolf@redhat.com
--
--seq=`basename $0`
--echo "QA output created by $seq"
--
--status=1 # failure is the default!
--
--# get standard environment, filters and checks
--. ./common.rc
--. ./common.filter
--
--_supported_fmt qcow2
--_supported_proto file
--# Because anything other than 16 would change the output of query-block
--_unsupported_imgopts 'refcount_bits=\([^1]\|.\([^6]\|$\)\)'
--
--do_run_qemu()
--{
-- echo Testing: "$@"
-- $QEMU -nographic -qmp-pretty stdio -serial none "$@"
-- echo
--}
--
--# Remove QMP events from (pretty-printed) output. Doesn't handle
--# nested dicts correctly, but we don't get any of those in this test.
--_filter_qmp_events()
--{
-- tr '\n' '\t' | sed -e \
-- 's/{\s*"timestamp":\s*{[^}]*},\s*"event":[^,}]*\(,\s*"data":\s*{[^}]*}\)\?\s*}\s*//g' \
-- | tr '\t' '\n'
--}
--
--run_qemu()
--{
-- do_run_qemu "$@" 2>&1 | _filter_testdir | _filter_qmp | _filter_qemu \
-- | _filter_actual_image_size \
-- | _filter_generated_node_ids | _filter_qmp_events \
-- | _filter_img_info
--}
--
--size=128M
--
--_make_test_img $size
--
--echo
--echo === -drive/-device and device_del ===
--echo
--
--run_qemu -drive file=$TEST_IMG,format=$IMGFMT,if=none,id=disk -device virtio-blk,drive=disk,id=virtio0 <<EOF
--{ "execute": "qmp_capabilities" }
--{ "execute": "query-block" }
--{ "execute": "device_del", "arguments": { "id": "virtio0" } }
--{ "execute": "system_reset" }
--{ "execute": "query-block" }
--{ "execute": "quit" }
--EOF
--
--echo
--echo === -drive/device_add and device_del ===
--echo
--
--run_qemu -drive file=$TEST_IMG,format=$IMGFMT,if=none,id=disk <<EOF
--{ "execute": "qmp_capabilities" }
--{ "execute": "query-block" }
--{ "execute": "device_add",
-- "arguments": { "driver": "virtio-blk", "drive": "disk",
-- "id": "virtio0" } }
--{ "execute": "device_del", "arguments": { "id": "virtio0" } }
--{ "execute": "system_reset" }
--{ "execute": "query-block" }
--{ "execute": "quit" }
--EOF
--
--echo
--echo === drive_add/device_add and device_del ===
--echo
--
--run_qemu <<EOF
--{ "execute": "qmp_capabilities" }
--{ "execute": "human-monitor-command",
-- "arguments": { "command-line": "drive_add 0 file=$TEST_IMG,format=$IMGFMT,if=none,id=disk" } }
--{ "execute": "query-block" }
--{ "execute": "device_add",
-- "arguments": { "driver": "virtio-blk", "drive": "disk",
-- "id": "virtio0" } }
--{ "execute": "device_del", "arguments": { "id": "virtio0" } }
--{ "execute": "system_reset" }
--{ "execute": "query-block" }
--{ "execute": "quit" }
--EOF
--
--echo
--echo === blockdev_add/device_add and device_del ===
--echo
--
--run_qemu <<EOF
--{ "execute": "qmp_capabilities" }
--{ "execute": "blockdev-add",
-- "arguments": {
-- "driver": "$IMGFMT",
-- "node-name": "disk",
-- "file": {
-- "driver": "file",
-- "filename": "$TEST_IMG"
-- }
-- }
-- }
--{ "execute": "query-named-block-nodes" }
--{ "execute": "device_add",
-- "arguments": { "driver": "virtio-blk", "drive": "disk",
-- "id": "virtio0" } }
--{ "execute": "device_del", "arguments": { "id": "virtio0" } }
--{ "execute": "system_reset" }
--{ "execute": "query-named-block-nodes" }
--{ "execute": "quit" }
--EOF
--
--echo
--echo === Empty drive with -device and device_del ===
--echo
--
--run_qemu -device virtio-scsi -device scsi-cd,id=cd0 <<EOF
--{ "execute": "qmp_capabilities" }
--{ "execute": "query-block" }
--{ "execute": "device_del", "arguments": { "id": "cd0" } }
--{ "execute": "system_reset" }
--{ "execute": "query-block" }
--{ "execute": "quit" }
--EOF
--
--# success, all done
--echo "*** done"
--rm -f $seq.full
--status=0
-diff --git a/tests/qemu-iotests/067.out b/tests/qemu-iotests/067.out
-deleted file mode 100644
-index b10c71db03c82071374459de8479b28fe24cff8a..0000000000000000000000000000000000000000
---- a/tests/qemu-iotests/067.out
-+++ /dev/null
-@@ -1,414 +0,0 @@
--QA output created by 067
--Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728
--
--=== -drive/-device and device_del ===
--
--Testing: -drive file=TEST_DIR/t.IMGFMT,format=IMGFMT,if=none,id=disk -device virtio-blk,drive=disk,id=virtio0
--{
-- QMP_VERSION
--}
--{
-- "return": {
-- }
--}
--{
-- "return": [
-- {
-- "io-status": "ok",
-- "device": "disk",
-- "locked": false,
-- "removable": false,
-- "inserted": {
-- "iops_rd": 0,
-- "detect_zeroes": "off",
-- "image": {
-- "virtual-size": 134217728,
-- "filename": "TEST_DIR/t.IMGFMT",
-- "cluster-size": 65536,
-- "format": "IMGFMT",
-- "actual-size": SIZE,
-- "dirty-flag": false
-- },
-- "iops_wr": 0,
-- "ro": false,
-- "node-name": "NODE_NAME",
-- "backing_file_depth": 0,
-- "drv": "IMGFMT",
-- "iops": 0,
-- "bps_wr": 0,
-- "write_threshold": 0,
-- "encrypted": false,
-- "bps": 0,
-- "bps_rd": 0,
-- "cache": {
-- "no-flush": false,
-- "direct": false,
-- "writeback": true
-- },
-- "file": "TEST_DIR/t.IMGFMT",
-- "encryption_key_missing": false
-- },
-- "qdev": "/machine/peripheral/virtio0/virtio-backend",
-- "type": "unknown"
-- }
-- ]
--}
--{
-- "return": {
-- }
--}
--{
-- "return": {
-- }
--}
--{
-- "return": [
-- ]
--}
--{
-- "return": {
-- }
--}
--
--=== -drive/device_add and device_del ===
--
--Testing: -drive file=TEST_DIR/t.IMGFMT,format=IMGFMT,if=none,id=disk
--{
-- QMP_VERSION
--}
--{
-- "return": {
-- }
--}
--{
-- "return": [
-- {
-- "device": "disk",
-- "locked": false,
-- "removable": true,
-- "inserted": {
-- "iops_rd": 0,
-- "detect_zeroes": "off",
-- "image": {
-- "virtual-size": 134217728,
-- "filename": "TEST_DIR/t.IMGFMT",
-- "cluster-size": 65536,
-- "format": "IMGFMT",
-- "actual-size": SIZE,
-- "dirty-flag": false
-- },
-- "iops_wr": 0,
-- "ro": false,
-- "node-name": "NODE_NAME",
-- "backing_file_depth": 0,
-- "drv": "IMGFMT",
-- "iops": 0,
-- "bps_wr": 0,
-- "write_threshold": 0,
-- "encrypted": false,
-- "bps": 0,
-- "bps_rd": 0,
-- "cache": {
-- "no-flush": false,
-- "direct": false,
-- "writeback": true
-- },
-- "file": "TEST_DIR/t.IMGFMT",
-- "encryption_key_missing": false
-- },
-- "type": "unknown"
-- }
-- ]
--}
--{
-- "return": {
-- }
--}
--{
-- "return": {
-- }
--}
--{
-- "return": {
-- }
--}
--{
-- "return": [
-- ]
--}
--{
-- "return": {
-- }
--}
--
--=== drive_add/device_add and device_del ===
--
--Testing:
--{
-- QMP_VERSION
--}
--{
-- "return": {
-- }
--}
--{
-- "return": "OK\r\n"
--}
--{
-- "return": [
-- {
-- "device": "disk",
-- "locked": false,
-- "removable": true,
-- "inserted": {
-- "iops_rd": 0,
-- "detect_zeroes": "off",
-- "image": {
-- "virtual-size": 134217728,
-- "filename": "TEST_DIR/t.IMGFMT",
-- "cluster-size": 65536,
-- "format": "IMGFMT",
-- "actual-size": SIZE,
-- "dirty-flag": false
-- },
-- "iops_wr": 0,
-- "ro": false,
-- "node-name": "NODE_NAME",
-- "backing_file_depth": 0,
-- "drv": "IMGFMT",
-- "iops": 0,
-- "bps_wr": 0,
-- "write_threshold": 0,
-- "encrypted": false,
-- "bps": 0,
-- "bps_rd": 0,
-- "cache": {
-- "no-flush": false,
-- "direct": false,
-- "writeback": true
-- },
-- "file": "TEST_DIR/t.IMGFMT",
-- "encryption_key_missing": false
-- },
-- "type": "unknown"
-- }
-- ]
--}
--{
-- "return": {
-- }
--}
--{
-- "return": {
-- }
--}
--{
-- "return": {
-- }
--}
--{
-- "return": [
-- ]
--}
--{
-- "return": {
-- }
--}
--
--=== blockdev_add/device_add and device_del ===
--
--Testing:
--{
-- QMP_VERSION
--}
--{
-- "return": {
-- }
--}
--{
-- "return": {
-- }
--}
--{
-- "return": [
-- {
-- "iops_rd": 0,
-- "detect_zeroes": "off",
-- "image": {
-- "virtual-size": 134217728,
-- "filename": "TEST_DIR/t.IMGFMT",
-- "cluster-size": 65536,
-- "format": "IMGFMT",
-- "actual-size": SIZE,
-- "dirty-flag": false
-- },
-- "iops_wr": 0,
-- "ro": false,
-- "node-name": "disk",
-- "backing_file_depth": 0,
-- "drv": "IMGFMT",
-- "iops": 0,
-- "bps_wr": 0,
-- "write_threshold": 0,
-- "encrypted": false,
-- "bps": 0,
-- "bps_rd": 0,
-- "cache": {
-- "no-flush": false,
-- "direct": false,
-- "writeback": true
-- },
-- "file": "TEST_DIR/t.IMGFMT",
-- "encryption_key_missing": false
-- },
-- {
-- "iops_rd": 0,
-- "detect_zeroes": "off",
-- "image": {
-- "virtual-size": 197120,
-- "filename": "TEST_DIR/t.IMGFMT",
-- "format": "file",
-- "actual-size": SIZE,
-- "dirty-flag": false
-- },
-- "iops_wr": 0,
-- "ro": false,
-- "node-name": "NODE_NAME",
-- "backing_file_depth": 0,
-- "drv": "file",
-- "iops": 0,
-- "bps_wr": 0,
-- "write_threshold": 0,
-- "encrypted": false,
-- "bps": 0,
-- "bps_rd": 0,
-- "cache": {
-- "no-flush": false,
-- "direct": false,
-- "writeback": true
-- },
-- "file": "TEST_DIR/t.IMGFMT",
-- "encryption_key_missing": false
-- }
-- ]
--}
--{
-- "return": {
-- }
--}
--{
-- "return": {
-- }
--}
--{
-- "return": {
-- }
--}
--{
-- "return": [
-- {
-- "iops_rd": 0,
-- "detect_zeroes": "off",
-- "image": {
-- "virtual-size": 134217728,
-- "filename": "TEST_DIR/t.IMGFMT",
-- "cluster-size": 65536,
-- "format": "IMGFMT",
-- "actual-size": SIZE,
-- "dirty-flag": false
-- },
-- "iops_wr": 0,
-- "ro": false,
-- "node-name": "disk",
-- "backing_file_depth": 0,
-- "drv": "IMGFMT",
-- "iops": 0,
-- "bps_wr": 0,
-- "write_threshold": 0,
-- "encrypted": false,
-- "bps": 0,
-- "bps_rd": 0,
-- "cache": {
-- "no-flush": false,
-- "direct": false,
-- "writeback": true
-- },
-- "file": "TEST_DIR/t.IMGFMT",
-- "encryption_key_missing": false
-- },
-- {
-- "iops_rd": 0,
-- "detect_zeroes": "off",
-- "image": {
-- "virtual-size": 197120,
-- "filename": "TEST_DIR/t.IMGFMT",
-- "format": "file",
-- "actual-size": SIZE,
-- "dirty-flag": false
-- },
-- "iops_wr": 0,
-- "ro": false,
-- "node-name": "NODE_NAME",
-- "backing_file_depth": 0,
-- "drv": "file",
-- "iops": 0,
-- "bps_wr": 0,
-- "write_threshold": 0,
-- "encrypted": false,
-- "bps": 0,
-- "bps_rd": 0,
-- "cache": {
-- "no-flush": false,
-- "direct": false,
-- "writeback": true
-- },
-- "file": "TEST_DIR/t.IMGFMT",
-- "encryption_key_missing": false
-- }
-- ]
--}
--{
-- "return": {
-- }
--}
--
--=== Empty drive with -device and device_del ===
--
--Testing: -device virtio-scsi -device scsi-cd,id=cd0
--{
-- QMP_VERSION
--}
--{
-- "return": {
-- }
--}
--{
-- "return": [
-- {
-- "io-status": "ok",
-- "device": "",
-- "locked": false,
-- "removable": true,
-- "qdev": "cd0",
-- "tray_open": false,
-- "type": "unknown"
-- }
-- ]
--}
--{
-- "return": {
-- }
--}
--{
-- "return": {
-- }
--}
--{
-- "return": [
-- ]
--}
--{
-- "return": {
-- }
--}
--*** done
-diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
-index 206b45071ee14ac0c3e2e4883a23..2da2620a78456653a5bfc211e37a 100644
---- a/tests/qemu-iotests/group
-+++ b/tests/qemu-iotests/group
-@@ -88,7 +88,7 @@
- 064 rw quick
- 065 rw quick
- 066 rw auto quick
--067 rw quick
-+# 067 was removed, do not reuse
- 068 rw quick
- 069 rw auto quick
- 070 rw quick
+++ /dev/null
-From: Ani Sinha <ani@anisinha.ca>
-Date: Mon, 21 Sep 2020 15:03:25 +0530
-Subject: qom: code hardening - have bound checking while looping with integer
- value
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 1bf8b88f144bee747e386c88d45d772e066bbb36
-References: bsc#1187529 CVE-2021-3611
-
-Object property insertion code iterates over an integer to get an unused
-index that can be used as an unique name for an object property. This loop
-increments the integer value indefinitely. Although very unlikely, this can
-still cause an integer overflow.
-In this change, we fix the above code by checking against INT16_MAX and making
-sure that the interger index does not overflow beyond that value. If no
-available index is found, the code would cause an assertion failure. This
-assertion failure is necessary because the callers of the function do not check
-the return value for NULL.
-
-Signed-off-by: Ani Sinha <ani@anisinha.ca>
-Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
-Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-Message-Id: <20200921093325.25617-1-ani@anisinha.ca>
-Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
-Signed-off-by: Cho, Yu-Chen <acho@suse.com>
----
- qom/object.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/qom/object.c b/qom/object.c
-index 6bff8782dcff40588f2191dadcb0..39d978df6a551b091ae9718cfd40 100644
---- a/qom/object.c
-+++ b/qom/object.c
-@@ -1089,11 +1089,11 @@ object_property_add(Object *obj, const char *name, const char *type,
-
- if (name_len >= 3 && !memcmp(name + name_len - 3, "[*]", 4)) {
- int i;
-- ObjectProperty *ret;
-+ ObjectProperty *ret = NULL;
- char *name_no_array = g_strdup(name);
-
- name_no_array[name_len - 3] = '\0';
-- for (i = 0; ; ++i) {
-+ for (i = 0; i < INT16_MAX; ++i) {
- char *full_name = g_strdup_printf("%s[%d]", name_no_array, i);
-
- ret = object_property_add(obj, full_name, type, get, set,
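Review bot: The new loop bound `i < INT16_MAX` is an undocumented limit on a counter that is declared as a plain `int`, so a reader cannot tell why 16 bits was chosen or that indices now stop at INT16_MAX - 1. A named constant with a one-line comment, plus a mention of the maximum number of `[*]` elements in the doc comment for object_property_add(), would make the limit visible to callers.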
-@@ -1104,6 +1104,7 @@ object_property_add(Object *obj, const char *name, const char *type,
- }
- }
- g_free(name_no_array);
-+ assert(ret);
- return ret;
- }
-
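Review bot: `assert(ret)` after the loop reports index exhaustion as a bare assertion failure with no indication of which property name ran out of slots, and the check vanishes in any build that defines NDEBUG, which leaves callers with the NULL return that the commit message says they do not handle. Since aborting is the intended behaviour, print the property name before aborting, or use an abort path that cannot be compiled out.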
+++ /dev/null
-From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Mon, 31 Aug 2020 17:07:23 -0400
-Subject: qom: make object_ref/unref use a void * instead of Object *.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: c5a61e5a3c68144a421117916aef04f2c0fab84b
-References: bsc#1184574
-
-The object_ref/unref methods are intended for use with any subclass of
-the base Object. Using "Object *" in the signature is not adding any
-meaningful level of type safety, since callers simply use "OBJECT(ptr)"
-and this expands to an unchecked cast "(Object *)".
-
-By using "void *" we enable the object_unref() method to be used to
-provide support for g_autoptr() with any subclass.
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-Message-Id: <20200723181410.3145233-2-berrange@redhat.com>
-Message-Id: <20200831210740.126168-2-ehabkost@redhat.com>
-Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- include/qom/object.h | 4 ++--
- qom/object.c | 6 ++++--
- 2 files changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/include/qom/object.h b/include/qom/object.h
-index 128d00c77fd6597c4b70bd5f124f..d1e4c2e11524fd3d26520331c3d6 100644
---- a/include/qom/object.h
-+++ b/include/qom/object.h
-@@ -974,7 +974,7 @@ GSList *object_class_get_list_sorted(const char *implements_type,
- * Increase the reference count of a object. A object cannot be freed as long
- * as its reference count is greater than zero.
- */
--void object_ref(Object *obj);
-+void object_ref(void *obj);
-
- /**
- * object_unref:
-@@ -983,7 +983,7 @@ void object_ref(Object *obj);
- * Decrease the reference count of a object. A object cannot be freed as long
- * as its reference count is greater than zero.
- */
--void object_unref(Object *obj);
-+void object_unref(void *obj);
-
- /**
- * object_property_add:
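Review bot: The doc comments for `object_ref()` and `object_unref()` are left untouched while the parameter type becomes `void *`, so the header no longer says anywhere that the pointer must be an Object or an instance of a subclass. Add an `@obj:` line to both comments stating that requirement, since the compiler will no longer enforce it.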
-diff --git a/qom/object.c b/qom/object.c
-index d51b57fba11e335b9dab056327ef..6bff8782dcff40588f2191dadcb0 100644
---- a/qom/object.c
-+++ b/qom/object.c
-@@ -1054,16 +1054,18 @@ GSList *object_class_get_list_sorted(const char *implements_type,
- object_class_cmp);
- }
-
--void object_ref(Object *obj)
-+void object_ref(void *objptr)
- {
-+ Object *obj = OBJECT(objptr);
- if (!obj) {
- return;
- }
- atomic_inc(&obj->ref);
- }
-
--void object_unref(Object *obj)
-+void object_unref(void *objptr)
- {
-+ Object *obj = OBJECT(objptr);
- if (!obj) {
- return;
- }
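Review bot: With `void *objptr` followed by `Object *obj = OBJECT(objptr);`, which the commit message itself describes as an unchecked cast, any pointer type is accepted without a diagnostic and `atomic_inc(&obj->ref)` then writes through it. A checked cast in debug builds would catch a wrong pointer at the call site instead of corrupting unrelated memory. The parameter is also named `objptr` here but `obj` in the prototype in include/qom/object.h; pick one.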
+++ /dev/null
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Tue, 6 Oct 2020 15:38:53 +0300
-Subject: qtest: Reintroduce qtest_qmp_receive with QMP event buffering
-
-Git-commit: c22045bfe6d5ceebd414ff53ff23fff7ad5930d1
-References: bsc#1184574
-
-The new qtest_qmp_receive buffers all the received qmp events, allowing
-qtest_qmp_eventwait_ref to return them.
-
-This is intended to solve the race in regard to ordering of qmp events
-vs qmp responses, as soon as the callers start using the new interface.
-
-In addition to that, define qtest_qmp_event_ref a function which only scans
-the buffer that qtest_qmp_receive stores the events to. This is intended
-for callers that are only interested in events that were received during
-the last call to the qtest_qmp_receive.
-
-Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Message-Id: <20201006123904.610658-3-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- tests/libqtest.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
- tests/libqtest.h | 23 +++++++++++++++++++++++
- 2 files changed, 70 insertions(+), 1 deletion(-)
-
-diff --git a/tests/libqtest.c b/tests/libqtest.c
-index a6c446237f06a379880849012103..80476fef3edb1e6bd7ceff832859 100644
---- a/tests/libqtest.c
-+++ b/tests/libqtest.c
-@@ -45,6 +45,7 @@ struct QTestState
- bool big_endian;
- bool irq_level[MAX_IRQ];
- GString *rx;
-+ GList *pending_events;
- };
-
- static GHookList abrt_hooks;
-@@ -250,6 +251,7 @@ QTestState *qtest_init_without_qmp_handshake(const char *extra_args)
-
- g_test_message("starting QEMU: %s", command);
-
-+ s->pending_events = NULL;
- s->wstatus = 0;
- s->expected_status = 0;
- s->qemu_pid = fork();
-@@ -357,6 +359,13 @@ void qtest_quit(QTestState *s)
- close(s->fd);
- close(s->qmp_fd);
- g_string_free(s->rx, true);
-+
-+ for (GList *it = s->pending_events; it != NULL; it = it->next) {
-+ qobject_unref((QDict *)it->data);
-+ }
-+
-+ g_list_free(s->pending_events);
-+
- g_free(s);
- }
-
-@@ -575,6 +584,19 @@ QDict *qmp_fd_receive(int fd)
- return qmp.response;
- }
-
-+QDict *qtest_qmp_receive(QTestState *s)
-+{
-+ while (true) {
-+ QDict *response = qtest_qmp_receive_dict(s);
-+
-+ if (!qdict_get_try_str(response, "event")) {
-+ return response;
-+ }
-+ /* Stash the event for a later consumption */
-+ s->pending_events = g_list_prepend(s->pending_events, response);
-+ }
-+}
-+
- QDict *qtest_qmp_receive_dict(QTestState *s)
- {
- return qmp_fd_receive(s->qmp_fd);
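Review bot: `g_list_prepend()` in `qtest_qmp_receive()` stores buffered events newest first, and `qtest_qmp_event_ref()` in this patch walks `s->pending_events` from the head, so two buffered events come back in reverse arrival order. The commit message gives ordering of events versus responses as the motivation, so append to the list (or reverse it before scanning) to return the oldest event first.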
-@@ -743,10 +765,34 @@ void qtest_qmp_send_raw(QTestState *s, const char *fmt, ...)
- va_end(ap);
- }
-
--QDict *qtest_qmp_eventwait_ref(QTestState *s, const char *event)
-+QDict *qtest_qmp_event_ref(QTestState *s, const char *event)
- {
-+ GList *next = NULL;
- QDict *response;
-
-+ for (GList *it = s->pending_events; it != NULL; it = next) {
-+
-+ next = it->next;
-+ response = (QDict *)it->data;
-+
-+ s->pending_events = g_list_remove_link(s->pending_events, it);
-+
-+ if (!strcmp(qdict_get_str(response, "event"), event)) {
-+ return response;
-+ }
-+ qobject_unref(response);
-+ }
-+ return NULL;
-+}
-+
-+QDict *qtest_qmp_eventwait_ref(QTestState *s, const char *event)
-+{
-+ QDict *response = qtest_qmp_event_ref(s, event);
-+
-+ if (response) {
-+ return response;
-+ }
-+
- for (;;) {
- response = qtest_qmp_receive_dict(s);
- if ((qdict_haskey(response, "event")) &&
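Review bot: In `qtest_qmp_event_ref()`, `g_list_remove_link()` unlinks `it` from `s->pending_events` but does not free the list node, so every event taken out of the buffer leaks one GList element. `g_list_delete_link()` unlinks and frees the node; `next` is already saved before the call, so the loop remains valid with that change.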
-diff --git a/tests/libqtest.h b/tests/libqtest.h
-index 63818d0d607765cdafe5ed0354e2..a8d0aea4d4e871ef35bbaf481fcb 100644
---- a/tests/libqtest.h
-+++ b/tests/libqtest.h
-@@ -198,6 +198,16 @@ void qtest_qmp_vsend(QTestState *s, const char *fmt, va_list ap)
- */
- QDict *qtest_qmp_receive_dict(QTestState *s);
-
-+/**
-+ * qtest_qmp_receive:
-+ * @s: #QTestState instance to operate on.
-+ *
-+ * Reads a QMP message from QEMU and returns the response.
-+ * Buffers all the events received meanwhile, until a
-+ * call to qtest_qmp_eventwait
-+ */
-+QDict *qtest_qmp_receive(QTestState *s);
-+
- /**
- * qtest_qmp_eventwait:
- * @s: #QTestState instance to operate on.
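Review bot: The doc comment for `qtest_qmp_receive()` ends at "until a call to qtest_qmp_eventwait" without saying what happens at that point, and it does not mention `qtest_qmp_event_ref()`, which this patch adds as the other consumer of the buffer. It should also say who owns the returned QDict and that buffered events stay referenced until they are consumed or `qtest_quit()` runs.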
-@@ -217,6 +227,19 @@ void qtest_qmp_eventwait(QTestState *s, const char *event);
- */
- QDict *qtest_qmp_eventwait_ref(QTestState *s, const char *event);
-
-+/**
-+ * qtest_qmp_event_ref:
-+ * @s: #QTestState instance to operate on.
-+ * @event: event to return.
-+ *
-+ * Removes non-matching events from the buffer that was set by
-+ * qtest_qmp_receive, until an event bearing the given name is found,
-+ * and returns it.
-+ * If no event matches, clears the buffer and returns NULL.
-+ *
-+ */
-+QDict *qtest_qmp_event_ref(QTestState *s, const char *event);
-+
- /**
- * qtest_qmp_receive_success:
- * @s: #QTestState instance to operate on
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Wed, 7 Oct 2020 05:50:22 -0400
-Subject: qtest: check that drives are really appearing and disappearing
-
-Git-commit: 9a613ddccce125e4cc3a4a23c294837c906440d6
-References: bsc#1184574
-
-Do not just trust the HMP commands to create and delete the drive, use
-query-block to check that this is actually the case.
-
-Reviewed-by: Kevin Wolf <kwolf@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- tests/drive_del-test.c | 32 +++++++++++++++++++++++++++++++-
- 1 file changed, 31 insertions(+), 1 deletion(-)
-
-diff --git a/tests/drive_del-test.c b/tests/drive_del-test.c
-index 64c0fe242bed07073b7a3dcf635d..de0dc6f5bedff9989740b31325e6 100644
---- a/tests/drive_del-test.c
-+++ b/tests/drive_del-test.c
-@@ -14,20 +14,49 @@
- #include "libqtest.h"
- #include "libqos/virtio.h"
- #include "qapi/qmp/qdict.h"
-+#include "qapi/qmp/qlist.h"
-+
-+static bool has_drive(QTestState *qts)
-+{
-+ QDict *response;
-+ QList *ret;
-+ QListEntry *entry;
-+ bool found;
-+
-+ response = qtest_qmp(qts, "{'execute': 'query-block'}");
-+ g_assert(response && qdict_haskey(response, "return"));
-+ ret = qdict_get_qlist(response, "return");
-+
-+ found = false;
-+ QLIST_FOREACH_ENTRY(ret, entry) {
-+ QDict *entry_dict = qobject_to(QDict, entry->value);
-+ if (!strcmp(qdict_get_str(entry_dict, "device"), "drive0")) {
-+ found = true;
-+ break;
-+ }
-+ }
-+
-+ qobject_unref(response);
-+ return found;
-+}
-
- static void drive_add(QTestState *qts)
- {
- char *resp = qtest_hmp(qts, "drive_add 0 if=none,id=drive0");
-
- g_assert_cmpstr(resp, ==, "OK\r\n");
-+ g_assert(has_drive(qts));
- g_free(resp);
- }
-
- static void drive_del(QTestState *qts)
- {
-- char *resp = qtest_hmp(qts, "drive_del drive0");
-+ char *resp;
-
-+ g_assert(has_drive(qts));
-+ resp = qtest_hmp(qts, "drive_del drive0");
- g_assert_cmpstr(resp, ==, "");
-+ g_assert(!has_drive(qts));
- g_free(resp);
- }
-
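Review bot: In `has_drive()`, the result of `qobject_to(QDict, entry->value)` is passed straight to `qdict_get_str(entry_dict, "device")` without a check, so an unexpected entry type shows up as a crash inside the helper rather than as a test assertion. Add `g_assert(entry_dict);` before the lookup. The drive id "drive0" is also hard-coded here and again in the HMP strings in `drive_add()` and `drive_del()`; passing it as a parameter would keep the three in sync.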
-@@ -130,6 +159,7 @@ static void test_drive_del_device_del(void)
- */
- drive_del(qts);
- device_del(qts);
-+ g_assert(!has_drive(qts));
-
- qtest_quit(qts);
- }
+++ /dev/null
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Tue, 6 Oct 2020 08:59:32 -0400
-Subject: qtest: remove qtest_qmp_receive_success
-
-Git-commit: 5e34005571af53b73e4a10cb2c6e0712cf6b8d2c
-References: bsc#1184574
-
-The purpose of qtest_qmp_receive_success was mostly to process events
-that arrived between the issueing of a command and the "return"
-line from QMP. This is now handled by the buffering of events
-that libqtest performs automatically.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- tests/libqtest.c | 53 ++++-----------------------------------
- tests/libqtest.h | 17 -------------
- tests/migration-helpers.c | 25 ++++++++++++++----
- 3 files changed, 25 insertions(+), 70 deletions(-)
-
-diff --git a/tests/libqtest.c b/tests/libqtest.c
-index 80476fef3edb1e6bd7ceff832859..e9bca67b5e7bae026039822d979d 100644
---- a/tests/libqtest.c
-+++ b/tests/libqtest.c
-@@ -1259,35 +1259,6 @@ void qtest_cb_for_every_machine(void (*cb)(const char *machine),
- qobject_unref(response);
- }
-
--QDict *qtest_qmp_receive_success(QTestState *s,
-- void (*event_cb)(void *opaque,
-- const char *event,
-- QDict *data),
-- void *opaque)
--{
-- QDict *response, *ret, *data;
-- const char *event;
--
-- for (;;) {
-- response = qtest_qmp_receive_dict(s);
-- g_assert(!qdict_haskey(response, "error"));
-- ret = qdict_get_qdict(response, "return");
-- if (ret) {
-- break;
-- }
-- event = qdict_get_str(response, "event");
-- data = qdict_get_qdict(response, "data");
-- if (event_cb) {
-- event_cb(opaque, event, data);
-- }
-- qobject_unref(response);
-- }
--
-- qobject_ref(ret);
-- qobject_unref(response);
-- return ret;
--}
--
- /*
- * Generic hot-plugging test via the device_add QMP commands.
- */
-@@ -1323,13 +1294,6 @@ void qtest_qmp_device_add(QTestState *qts, const char *driver, const char *id,
- qobject_unref(args);
- }
-
--static void device_deleted_cb(void *opaque, const char *name, QDict *data)
--{
-- bool *got_event = opaque;
--
-- g_assert_cmpstr(name, ==, "DEVICE_DELETED");
-- *got_event = true;
--}
-
- /*
- * Generic hot-unplugging test via the device_del QMP command.
-@@ -1346,24 +1310,17 @@ static void device_deleted_cb(void *opaque, const char *name, QDict *data)
- * and this one:
- *
- * {"return": {}}
-- *
-- * But the order of arrival may vary - so we've got to detect both.
- */
- void qtest_qmp_device_del(QTestState *qts, const char *id)
- {
-- bool got_event = false;
- QDict *rsp;
-
-- qtest_qmp_send(qts, "{'execute': 'device_del', 'arguments': {'id': %s}}",
-- id);
-- rsp = qtest_qmp_receive_success(qts, device_deleted_cb, &got_event);
-+ rsp = qtest_qmp(qts, "{'execute': 'device_del', 'arguments': {'id': %s}}",
-+ id);
-+
-+ g_assert(qdict_haskey(rsp, "return"));
- qobject_unref(rsp);
-- if (!got_event) {
-- rsp = qtest_qmp_receive_dict(qts);
-- g_assert_cmpstr(qdict_get_try_str(rsp, "event"),
-- ==, "DEVICE_DELETED");
-- qobject_unref(rsp);
-- }
-+ qtest_qmp_eventwait(qts, "DEVICE_DELETED");
- }
-
- bool qmp_rsp_is_err(QDict *rsp)
-diff --git a/tests/libqtest.h b/tests/libqtest.h
-index a8d0aea4d4e871ef35bbaf481fcb..2ac3c107c00aff0641b261fe0d24 100644
---- a/tests/libqtest.h
-+++ b/tests/libqtest.h
-@@ -240,23 +240,6 @@ QDict *qtest_qmp_eventwait_ref(QTestState *s, const char *event);
- */
- QDict *qtest_qmp_event_ref(QTestState *s, const char *event);
-
--/**
-- * qtest_qmp_receive_success:
-- * @s: #QTestState instance to operate on
-- * @event_cb: Event callback
-- * @opaque: Argument for @event_cb
-- *
-- * Poll QMP messages until a command success response is received.
-- * If @event_cb, call it for each event received, passing @opaque,
-- * the event's name and data.
-- * Return the success response's "return" member.
-- */
--QDict *qtest_qmp_receive_success(QTestState *s,
-- void (*event_cb)(void *opaque,
-- const char *name,
-- QDict *data),
-- void *opaque);
--
- /**
- * qtest_hmp:
- * @s: #QTestState instance to operate on.
-diff --git a/tests/migration-helpers.c b/tests/migration-helpers.c
-index 516093b39a9e79f06a02ede44080..b799dbafb711fcd9e994631e73bb 100644
---- a/tests/migration-helpers.c
-+++ b/tests/migration-helpers.c
-@@ -17,10 +17,12 @@
-
- bool got_stop;
-
--static void stop_cb(void *opaque, const char *name, QDict *data)
-+static void check_stop_event(QTestState *who)
- {
-- if (!strcmp(name, "STOP")) {
-+ QDict *event = qtest_qmp_event_ref(who, "STOP");
-+ if (event) {
- got_stop = true;
-+ qobject_unref(event);
- }
- }
-
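Review bot: `check_stop_event()` relies on `qtest_qmp_event_ref(who, "STOP")`, whose doc comment in tests/libqtest.h says it removes non-matching events and clears the buffer when nothing matches, so every call made through `wait_command()` silently discards any other buffered event a test may wait for afterwards. The removed `stop_cb()` only inspected events that were being dropped anyway; state this side effect in a comment here, or scan for STOP without emptying the buffer.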
-@@ -30,12 +32,19 @@ static void stop_cb(void *opaque, const char *name, QDict *data)
- QDict *wait_command_fd(QTestState *who, int fd, const char *command, ...)
- {
- va_list ap;
-+ QDict *resp;
-
- va_start(ap, command);
- qtest_qmp_vsend_fds(who, &fd, 1, command, ap);
- va_end(ap);
-
-- return qtest_qmp_receive_success(who, stop_cb, NULL);
-+ resp = qtest_qmp_receive(who);
-+ check_stop_event(who);
-+
-+ g_assert(!qdict_haskey(resp, "error"));
-+ g_assert(qdict_haskey(resp, "return"));
-+
-+ return qdict_get_qdict(resp, "return");
- }
-
- /*
-@@ -44,12 +53,18 @@ QDict *wait_command_fd(QTestState *who, int fd, const char *command, ...)
- QDict *wait_command(QTestState *who, const char *command, ...)
- {
- va_list ap;
-+ QDict *resp;
-
- va_start(ap, command);
-- qtest_qmp_vsend(who, command, ap);
-+ resp = qtest_vqmp(who, command, ap);
- va_end(ap);
-
-- return qtest_qmp_receive_success(who, stop_cb, NULL);
-+ check_stop_event(who);
-+
-+ g_assert(!qdict_haskey(resp, "error"));
-+ g_assert(qdict_haskey(resp, "return"));
-+
-+ return qdict_get_qdict(resp, "return");
- }
-
- /*
+++ /dev/null
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Tue, 6 Oct 2020 14:38:52 +0200
-Subject: qtest: rename qtest_qmp_receive to qtest_qmp_receive_dict
-
-Git-commit: 1c3e2a38de4e3094dfaf1e4dd73b1e5a91df8fe9
-References: bsc#1184574
-
-In the next patch a new version of qtest_qmp_receive will be
-reintroduced that will buffer received qmp events for later
-consumption in qtest_qmp_eventwait_ref
-
-No functional change intended.
-
-Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- tests/ahci-test.c | 4 ++--
- tests/device-plug-test.c | 2 +-
- tests/drive_del-test.c | 2 +-
- tests/libqtest.c | 16 ++++++++--------
- tests/libqtest.h | 4 ++--
- tests/pvpanic-test.c | 2 +-
- tests/qmp-test.c | 18 +++++++++---------
- 7 files changed, 24 insertions(+), 24 deletions(-)
-
-diff --git a/tests/ahci-test.c b/tests/ahci-test.c
-index c8d42ceea0575db645ce62ec2f0b..39c14f60f046fb8cf7522e2a1204 100644
---- a/tests/ahci-test.c
-+++ b/tests/ahci-test.c
-@@ -1589,7 +1589,7 @@ static void test_atapi_tray(void)
- qtest_qmp_send(ahci->parent->qts, "{'execute': 'blockdev-open-tray', "
- "'arguments': {'id': 'cd0'}}");
- atapi_wait_tray(ahci, true);
-- rsp = qtest_qmp_receive(ahci->parent->qts);
-+ rsp = qtest_qmp_receive_dict(ahci->parent->qts);
- qobject_unref(rsp);
-
- qmp_discard_response(ahci->parent->qts,
-@@ -1619,7 +1619,7 @@ static void test_atapi_tray(void)
- qtest_qmp_send(ahci->parent->qts, "{'execute': 'blockdev-close-tray', "
- "'arguments': {'id': 'cd0'}}");
- atapi_wait_tray(ahci, false);
-- rsp = qtest_qmp_receive(ahci->parent->qts);
-+ rsp = qtest_qmp_receive_dict(ahci->parent->qts);
- qobject_unref(rsp);
-
- /* Now, to convince ATAPI we understand the media has changed... */
-diff --git a/tests/device-plug-test.c b/tests/device-plug-test.c
-index 318e422d518c012c2b303d0ec0c1..f44bf0bb8496819391821a7b71da 100644
---- a/tests/device-plug-test.c
-+++ b/tests/device-plug-test.c
-@@ -23,7 +23,7 @@ static void device_del_start(QTestState *qtest, const char *id)
-
- static void device_del_finish(QTestState *qtest)
- {
-- QDict *resp = qtest_qmp_receive(qtest);
-+ QDict *resp = qtest_qmp_receive_dict(qtest);
-
- g_assert(qdict_haskey(resp, "return"));
- qobject_unref(resp);
-diff --git a/tests/drive_del-test.c b/tests/drive_del-test.c
-index 5f8839b2320f42d2659e2a58e15f..f15ffdf018f9fac6fc10d3b42fe0 100644
---- a/tests/drive_del-test.c
-+++ b/tests/drive_del-test.c
-@@ -41,7 +41,7 @@ static void device_del(QTestState *qts)
- /* Complication: ignore DEVICE_DELETED event */
- qmp_discard_response(qts, "{'execute': 'device_del',"
- " 'arguments': { 'id': 'dev0' } }");
-- response = qtest_qmp_receive(qts);
-+ response = qtest_qmp_receive_dict(qts);
- g_assert(response);
- g_assert(qdict_haskey(response, "return"));
- qobject_unref(response);
-diff --git a/tests/libqtest.c b/tests/libqtest.c
-index 91e9cb220c59caf8bb35b057d346..a6c446237f06a379880849012103 100644
---- a/tests/libqtest.c
-+++ b/tests/libqtest.c
-@@ -293,7 +293,7 @@ QTestState *qtest_init(const char *extra_args)
- QDict *greeting;
-
- /* Read the QMP greeting and then do the handshake */
-- greeting = qtest_qmp_receive(s);
-+ greeting = qtest_qmp_receive_dict(s);
- qobject_unref(greeting);
- qobject_unref(qtest_qmp(s, "{ 'execute': 'qmp_capabilities' }"));
-
-@@ -575,7 +575,7 @@ QDict *qmp_fd_receive(int fd)
- return qmp.response;
- }
-
--QDict *qtest_qmp_receive(QTestState *s)
-+QDict *qtest_qmp_receive_dict(QTestState *s)
- {
- return qmp_fd_receive(s->qmp_fd);
- }
-@@ -650,7 +650,7 @@ QDict *qtest_vqmp_fds(QTestState *s, int *fds, size_t fds_num,
- qtest_qmp_vsend_fds(s, fds, fds_num, fmt, ap);
-
- /* Receive reply */
-- return qtest_qmp_receive(s);
-+ return qtest_qmp_receive_dict(s);
- }
-
- QDict *qtest_vqmp(QTestState *s, const char *fmt, va_list ap)
-@@ -658,7 +658,7 @@ QDict *qtest_vqmp(QTestState *s, const char *fmt, va_list ap)
- qtest_qmp_vsend(s, fmt, ap);
-
- /* Receive reply */
-- return qtest_qmp_receive(s);
-+ return qtest_qmp_receive_dict(s);
- }
-
- QDict *qmp_fd(int fd, const char *fmt, ...)
-@@ -748,7 +748,7 @@ QDict *qtest_qmp_eventwait_ref(QTestState *s, const char *event)
- QDict *response;
-
- for (;;) {
-- response = qtest_qmp_receive(s);
-+ response = qtest_qmp_receive_dict(s);
- if ((qdict_haskey(response, "event")) &&
- (strcmp(qdict_get_str(response, "event"), event) == 0)) {
- return response;
-@@ -779,7 +779,7 @@ char *qtest_vhmp(QTestState *s, const char *fmt, va_list ap)
- while (ret == NULL && qdict_get_try_str(resp, "event")) {
- /* Ignore asynchronous QMP events */
- qobject_unref(resp);
-- resp = qtest_qmp_receive(s);
-+ resp = qtest_qmp_receive_dict(s);
- ret = g_strdup(qdict_get_try_str(resp, "return"));
- }
- g_assert(ret);
-@@ -1223,7 +1223,7 @@ QDict *qtest_qmp_receive_success(QTestState *s,
- const char *event;
-
- for (;;) {
-- response = qtest_qmp_receive(s);
-+ response = qtest_qmp_receive_dict(s);
- g_assert(!qdict_haskey(response, "error"));
- ret = qdict_get_qdict(response, "return");
- if (ret) {
-@@ -1313,7 +1313,7 @@ void qtest_qmp_device_del(QTestState *qts, const char *id)
- rsp = qtest_qmp_receive_success(qts, device_deleted_cb, &got_event);
- qobject_unref(rsp);
- if (!got_event) {
-- rsp = qtest_qmp_receive(qts);
-+ rsp = qtest_qmp_receive_dict(qts);
- g_assert_cmpstr(qdict_get_try_str(rsp, "event"),
- ==, "DEVICE_DELETED");
- qobject_unref(rsp);
-diff --git a/tests/libqtest.h b/tests/libqtest.h
-index c9e21e05b37a0efe65ee31f9d66a..63818d0d607765cdafe5ed0354e2 100644
---- a/tests/libqtest.h
-+++ b/tests/libqtest.h
-@@ -191,12 +191,12 @@ void qtest_qmp_vsend(QTestState *s, const char *fmt, va_list ap)
- GCC_FMT_ATTR(2, 0);
-
- /**
-- * qtest_receive:
-+ * qtest_qmp_receive_dict:
- * @s: #QTestState instance to operate on.
- *
- * Reads a QMP message from QEMU and returns the response.
- */
--QDict *qtest_qmp_receive(QTestState *s);
-+QDict *qtest_qmp_receive_dict(QTestState *s);
-
- /**
- * qtest_qmp_eventwait:
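Review bot: the doc comment for qtest_qmp_receive_dict() in tests/libqtest.h still reads only "Reads a QMP message from QEMU and returns the response", which is the text the old name had. Since the rename exists to free qtest_qmp_receive for a different behaviour, the comment should say what distinguishes this variant (for example whether asynchronous events are returned to the caller as-is) so test authors pick the right one.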
-diff --git a/tests/pvpanic-test.c b/tests/pvpanic-test.c
-index ff9176adf3ce2ddb60ce7a44b56b..15fd98db626fc9d58126f05bdbfa 100644
---- a/tests/pvpanic-test.c
-+++ b/tests/pvpanic-test.c
-@@ -24,7 +24,7 @@ static void test_panic(void)
-
- qtest_outb(qts, 0x505, 0x1);
-
-- response = qtest_qmp_receive(qts);
-+ response = qtest_qmp_receive_dict(qts);
- g_assert(qdict_haskey(response, "event"));
- g_assert_cmpstr(qdict_get_str(response, "event"), ==, "GUEST_PANICKED");
- g_assert(qdict_haskey(response, "data"));
-diff --git a/tests/qmp-test.c b/tests/qmp-test.c
-index 1b0eb698324efa60d30a0ec289c2..42f4255499a6a9605050c1c441f3 100644
---- a/tests/qmp-test.c
-+++ b/tests/qmp-test.c
-@@ -47,37 +47,37 @@ static void test_malformed(QTestState *qts)
-
- /* syntax error */
- qtest_qmp_send_raw(qts, "{]\n");
-- resp = qtest_qmp_receive(qts);
-+ resp = qtest_qmp_receive_dict(qts);
- qmp_assert_error_class(resp, "GenericError");
- assert_recovered(qts);
-
- /* lexical error: impossible byte outside string */
- qtest_qmp_send_raw(qts, "{\xFF");
-- resp = qtest_qmp_receive(qts);
-+ resp = qtest_qmp_receive_dict(qts);
- qmp_assert_error_class(resp, "GenericError");
- assert_recovered(qts);
-
- /* lexical error: funny control character outside string */
- qtest_qmp_send_raw(qts, "{\x01");
-- resp = qtest_qmp_receive(qts);
-+ resp = qtest_qmp_receive_dict(qts);
- qmp_assert_error_class(resp, "GenericError");
- assert_recovered(qts);
-
- /* lexical error: impossible byte in string */
- qtest_qmp_send_raw(qts, "{'bad \xFF");
-- resp = qtest_qmp_receive(qts);
-+ resp = qtest_qmp_receive_dict(qts);
- qmp_assert_error_class(resp, "GenericError");
- assert_recovered(qts);
-
- /* lexical error: control character in string */
- qtest_qmp_send_raw(qts, "{'execute': 'nonexistent', 'id':'\n");
-- resp = qtest_qmp_receive(qts);
-+ resp = qtest_qmp_receive_dict(qts);
- qmp_assert_error_class(resp, "GenericError");
- assert_recovered(qts);
-
- /* lexical error: interpolation */
- qtest_qmp_send_raw(qts, "%%p");
-- resp = qtest_qmp_receive(qts);
-+ resp = qtest_qmp_receive_dict(qts);
- qmp_assert_error_class(resp, "GenericError");
- assert_recovered(qts);
-
-@@ -111,7 +111,7 @@ static void test_qmp_protocol(void)
- qts = qtest_init_without_qmp_handshake(common_args);
-
- /* Test greeting */
-- resp = qtest_qmp_receive(qts);
-+ resp = qtest_qmp_receive_dict(qts);
- q = qdict_get_qdict(resp, "QMP");
- g_assert(q);
- test_version(qdict_get(q, "version"));
-@@ -205,7 +205,7 @@ static void send_oob_cmd_that_fails(QTestState *s, const char *id)
-
- static void recv_cmd_id(QTestState *s, const char *id)
- {
-- QDict *resp = qtest_qmp_receive(s);
-+ QDict *resp = qtest_qmp_receive_dict(s);
-
- g_assert_cmpstr(qdict_get_try_str(resp, "id"), ==, id);
- qobject_unref(resp);
-@@ -222,7 +222,7 @@ static void test_qmp_oob(void)
- qts = qtest_init_without_qmp_handshake(common_args);
-
- /* Check the greeting message. */
-- resp = qtest_qmp_receive(qts);
-+ resp = qtest_qmp_receive_dict(qts);
- q = qdict_get_qdict(resp, "QMP");
- g_assert(q);
- capabilities = qdict_get_qlist(q, "capabilities");
+++ /dev/null
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Tue, 6 Oct 2020 15:38:53 +0300
-Subject: qtest: switch users back to qtest_qmp_receive
-
-Git-commit: bb1a5b97f75ae209d8707f698da23088d7b9bbb5
-References: bsc#1184574
-
-Let test use the new functionality for buffering events.
-The only remaining users of qtest_qmp_receive_dict are tests
-that fuzz the QMP protocol.
-
-Tested with 'make check-qtest'.
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Message-Id: <20201006123904.610658-4-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- tests/ahci-test.c | 4 ++--
- tests/drive_del-test.c | 9 +++------
- tests/libqtest.c | 12 +++---------
- tests/pvpanic-test.c | 4 +---
- tests/tpm-util.c | 8 ++++++--
- 5 files changed, 15 insertions(+), 22 deletions(-)
-
-diff --git a/tests/ahci-test.c b/tests/ahci-test.c
-index 39c14f60f046fb8cf7522e2a1204..c8d42ceea0575db645ce62ec2f0b 100644
---- a/tests/ahci-test.c
-+++ b/tests/ahci-test.c
-@@ -1589,7 +1589,7 @@ static void test_atapi_tray(void)
- qtest_qmp_send(ahci->parent->qts, "{'execute': 'blockdev-open-tray', "
- "'arguments': {'id': 'cd0'}}");
- atapi_wait_tray(ahci, true);
-- rsp = qtest_qmp_receive_dict(ahci->parent->qts);
-+ rsp = qtest_qmp_receive(ahci->parent->qts);
- qobject_unref(rsp);
-
- qmp_discard_response(ahci->parent->qts,
-@@ -1619,7 +1619,7 @@ static void test_atapi_tray(void)
- qtest_qmp_send(ahci->parent->qts, "{'execute': 'blockdev-close-tray', "
- "'arguments': {'id': 'cd0'}}");
- atapi_wait_tray(ahci, false);
-- rsp = qtest_qmp_receive_dict(ahci->parent->qts);
-+ rsp = qtest_qmp_receive(ahci->parent->qts);
- qobject_unref(rsp);
-
- /* Now, to convince ATAPI we understand the media has changed... */
-diff --git a/tests/drive_del-test.c b/tests/drive_del-test.c
-index f15ffdf018f9fac6fc10d3b42fe0..64c0fe242bed07073b7a3dcf635d 100644
---- a/tests/drive_del-test.c
-+++ b/tests/drive_del-test.c
-@@ -15,9 +15,6 @@
- #include "libqos/virtio.h"
- #include "qapi/qmp/qdict.h"
-
--/* TODO actually test the results and get rid of this */
--#define qmp_discard_response(q, ...) qobject_unref(qtest_qmp(q, __VA_ARGS__))
--
- static void drive_add(QTestState *qts)
- {
- char *resp = qtest_hmp(qts, "drive_add 0 if=none,id=drive0");
-@@ -38,13 +35,13 @@ static void device_del(QTestState *qts)
- {
- QDict *response;
-
-- /* Complication: ignore DEVICE_DELETED event */
-- qmp_discard_response(qts, "{'execute': 'device_del',"
-+ response = qtest_qmp(qts, "{'execute': 'device_del',"
- " 'arguments': { 'id': 'dev0' } }");
-- response = qtest_qmp_receive_dict(qts);
- g_assert(response);
- g_assert(qdict_haskey(response, "return"));
- qobject_unref(response);
-+
-+ qtest_qmp_eventwait(qts, "DEVICE_DELETED");
- }
-
- static void test_drive_without_dev(void)
-diff --git a/tests/libqtest.c b/tests/libqtest.c
-index e9bca67b5e7bae026039822d979d..fe82b11e046fef5eea32ac602463 100644
---- a/tests/libqtest.c
-+++ b/tests/libqtest.c
-@@ -295,7 +295,7 @@ QTestState *qtest_init(const char *extra_args)
- QDict *greeting;
-
- /* Read the QMP greeting and then do the handshake */
-- greeting = qtest_qmp_receive_dict(s);
-+ greeting = qtest_qmp_receive(s);
- qobject_unref(greeting);
- qobject_unref(qtest_qmp(s, "{ 'execute': 'qmp_capabilities' }"));
-
-@@ -672,7 +672,7 @@ QDict *qtest_vqmp_fds(QTestState *s, int *fds, size_t fds_num,
- qtest_qmp_vsend_fds(s, fds, fds_num, fmt, ap);
-
- /* Receive reply */
-- return qtest_qmp_receive_dict(s);
-+ return qtest_qmp_receive(s);
- }
-
- QDict *qtest_vqmp(QTestState *s, const char *fmt, va_list ap)
-@@ -680,7 +680,7 @@ QDict *qtest_vqmp(QTestState *s, const char *fmt, va_list ap)
- qtest_qmp_vsend(s, fmt, ap);
-
- /* Receive reply */
-- return qtest_qmp_receive_dict(s);
-+ return qtest_qmp_receive(s);
- }
-
- QDict *qmp_fd(int fd, const char *fmt, ...)
-@@ -822,12 +822,6 @@ char *qtest_vhmp(QTestState *s, const char *fmt, va_list ap)
- " 'arguments': {'command-line': %s}}",
- cmd);
- ret = g_strdup(qdict_get_try_str(resp, "return"));
-- while (ret == NULL && qdict_get_try_str(resp, "event")) {
-- /* Ignore asynchronous QMP events */
-- qobject_unref(resp);
-- resp = qtest_qmp_receive_dict(s);
-- ret = g_strdup(qdict_get_try_str(resp, "return"));
-- }
- g_assert(ret);
- qobject_unref(resp);
- g_free(cmd);
-diff --git a/tests/pvpanic-test.c b/tests/pvpanic-test.c
-index 15fd98db626fc9d58126f05bdbfa..dd724cbdc882ad59e2ecf8984f95 100644
---- a/tests/pvpanic-test.c
-+++ b/tests/pvpanic-test.c
-@@ -24,9 +24,7 @@ static void test_panic(void)
-
- qtest_outb(qts, 0x505, 0x1);
-
-- response = qtest_qmp_receive_dict(qts);
-- g_assert(qdict_haskey(response, "event"));
-- g_assert_cmpstr(qdict_get_str(response, "event"), ==, "GUEST_PANICKED");
-+ response = qtest_qmp_eventwait_ref(qts, "GUEST_PANICKED");
- g_assert(qdict_haskey(response, "data"));
- data = qdict_get_qdict(response, "data");
- g_assert(qdict_haskey(data, "action"));
-diff --git a/tests/tpm-util.c b/tests/tpm-util.c
-index e08b13765148f3c44e8a97564a03..f814a1cf7d2c82721eb1104ee4e0 100644
---- a/tests/tpm-util.c
-+++ b/tests/tpm-util.c
-@@ -236,12 +236,16 @@ void tpm_util_migrate(QTestState *who, const char *uri)
- void tpm_util_wait_for_migration_complete(QTestState *who)
- {
- while (true) {
-+ QDict *rsp;
- QDict *rsp_return;
- bool completed;
- const char *status;
-
-- qtest_qmp_send(who, "{ 'execute': 'query-migrate' }");
-- rsp_return = qtest_qmp_receive_success(who, NULL, NULL);
-+ rsp = qtest_qmp(who, "{ 'execute': 'query-migrate' }");
-+ g_assert(qdict_haskey(rsp, "return"));
-+ rsp_return = qdict_get_qdict(rsp, "return");
-+
-+ g_assert(!qdict_haskey(rsp_return, "error"));
- status = qdict_get_str(rsp_return, "status");
- completed = strcmp(status, "completed") == 0;
- g_assert_cmpstr(status, !=, "failed");
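Review bot: in tpm_util_wait_for_migration_complete() the new check g_assert(!qdict_haskey(rsp_return, "error")) looks for "error" inside the "return" dict, whereas the libqtest code elsewhere in this series tests the top-level response (g_assert(!qdict_haskey(response, "error"))); the preceding g_assert(qdict_haskey(rsp, "return")) already covers the failure case, so the second assert is either redundant or aimed at the wrong dict. Also, rsp_return is now a pointer obtained with qdict_get_qdict(rsp, "return") and no line in this hunk releases rsp, so please confirm the unref after these lines drops rsp and not rsp_return.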
+++ /dev/null
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Tue, 15 Sep 2020 20:12:53 +0800
-Subject: rcu: Implement drain_call_rcu
-
-Git-commit: d816614ca4f5af89a2b6d50ac840d7b77973f2fc
-References: bsc#1184574
-
-This will allow is to preserve the semantics of hmp_device_del,
-that the device is deleted immediatly which was changed by previos
-patch that delayed this to RCU callback
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Suggested-by: Stefan Hajnoczi <stefanha@gmail.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-Id: <20200915121318.247-2-luoyonggang@gmail.com>
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- include/qemu/rcu.h | 1 +
- util/rcu.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 56 insertions(+)
-
-diff --git a/include/qemu/rcu.h b/include/qemu/rcu.h
-index 9c82683e3727d788eb39c9596f09..0fd6588fb44c1225d1d760b239f7 100644
---- a/include/qemu/rcu.h
-+++ b/include/qemu/rcu.h
-@@ -133,6 +133,7 @@ struct rcu_head {
- };
-
- extern void call_rcu1(struct rcu_head *head, RCUCBFunc *func);
-+extern void drain_call_rcu(void);
-
- /* The operands of the minus operator must have the same type,
- * which must be the one that we specify in the cast.
-diff --git a/util/rcu.c b/util/rcu.c
-index 177a67561961d637ffde0a052b71..067a4cb6b4d192fbb7421ff47b5b 100644
---- a/util/rcu.c
-+++ b/util/rcu.c
-@@ -295,6 +295,61 @@ void call_rcu1(struct rcu_head *node, void (*func)(struct rcu_head *node))
- qemu_event_set(&rcu_call_ready_event);
- }
-
-+
-+struct rcu_drain {
-+ struct rcu_head rcu;
-+ QemuEvent drain_complete_event;
-+};
-+
-+static void drain_rcu_callback(struct rcu_head *node)
-+{
-+ struct rcu_drain *event = (struct rcu_drain *)node;
-+ qemu_event_set(&event->drain_complete_event);
-+}
-+
-+/*
-+ * This function ensures that all pending RCU callbacks
-+ * on the current thread are done executing
-+
-+ * drops big qemu lock during the wait to allow RCU thread
-+ * to process the callbacks
-+ *
-+ */
-+
-+void drain_call_rcu(void)
-+{
-+ struct rcu_drain rcu_drain;
-+ bool locked = qemu_mutex_iothread_locked();
-+
-+ memset(&rcu_drain, 0, sizeof(struct rcu_drain));
-+ qemu_event_init(&rcu_drain.drain_complete_event, false);
-+
-+ if (locked) {
-+ qemu_mutex_unlock_iothread();
-+ }
-+
-+
-+ /*
-+ * RCU callbacks are invoked in the same order as in which they
-+ * are registered, thus we can be sure that when 'drain_rcu_callback'
-+ * is called, all RCU callbacks that were registered on this thread
-+ * prior to calling this function are completed.
-+ *
-+ * Note that since we have only one global queue of the RCU callbacks,
-+ * we also end up waiting for most of RCU callbacks that were registered
-+ * on the other threads, but this is a side effect that shoudn't be
-+ * assumed.
-+ */
-+
-+ call_rcu1(&rcu_drain.rcu, drain_rcu_callback);
-+ qemu_event_wait(&rcu_drain.drain_complete_event);
-+
-+ if (locked) {
-+ qemu_mutex_lock_iothread();
-+ }
-+
-+}
-+
- void rcu_register_thread(void)
- {
- assert(rcu_reader.ctr == 0);
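Review bot: drain_call_rcu() calls qemu_event_init() on rcu_drain.drain_complete_event but never qemu_event_destroy(), and rcu_drain is a stack object that drain_rcu_callback() signals from the RCU thread, so the object's lifetime after qemu_event_wait() returns deserves either an explicit destroy or a comment explaining why none is needed. drain_rcu_callback() casts node directly to struct rcu_drain *, which only holds while rcu stays the first member; container_of(node, struct rcu_drain, rcu) removes that dependency. The doc comment has a bare blank line without the leading " *" and should state plainly that callers must tolerate the big QEMU lock being released and re-acquired across the call.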
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Sun, 3 Nov 2019 07:21:40 -0700
-Subject: roms/Makefile: enable cross compile for building microvm bios
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- roms/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/roms/Makefile b/roms/Makefile
-index 091ad51c1e91a2b9709c5810e562..a6f084820f489bef42c6f487a6b2 100644
---- a/roms/Makefile
-+++ b/roms/Makefile
-@@ -198,7 +198,7 @@ opensbi64-sifive_u:
- cp opensbi/build/platform/sifive/fu540/firmware/fw_jump.bin ../pc-bios/opensbi-riscv64-sifive_u-fw_jump.bin
-
- bios-microvm:
-- $(MAKE) -C qboot
-+ $(MAKE) -C qboot CROSS_COMPILE=$(x86_64_cross_prefix) CC=gcc
- cp qboot/bios.bin ../pc-bios/bios-microvm.bin
-
- clean:
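Review bot: the bios-microvm rule hard-codes CC=gcc next to CROSS_COMPILE=$(x86_64_cross_prefix), which overrides whatever compiler the packager or user passed in and gives no hint why qboot needs it. Either pass $(CC) through or add a comment explaining why gcc is forced here.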
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Sat, 19 Nov 2016 08:06:30 -0700
-Subject: roms/Makefile: pass a packaging timestamp to subpackages with date
- info
-
-References: bsc#1011213
-
-Certain rom subpackages build from qemu git-submodules call the date
-program to include date information in the packaged binaries. This
-causes repeated builds of the package to be different, wkere the only
-real difference is due to the fact that time build timestamp has
-changed. To promote reproducible builds and avoid customers being
-prompted to update packages needlessly, we'll use the timestamp of the
-VERSION file as the packaging timestamp for all packages that build in a
-timestamp for whatever reason.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- roms/Makefile | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/roms/Makefile b/roms/Makefile
-index 28e1e557b0763cabe6da3d07602d..091ad51c1e91a2b9709c5810e562 100644
---- a/roms/Makefile
-+++ b/roms/Makefile
-@@ -51,6 +51,12 @@ SEABIOS_EXTRAVERSION="-prebuilt.qemu.org"
- #
- EDK2_EFIROM = edk2/BaseTools/Source/C/bin/EfiRom
-
-+# NB: Certain SUSE qemu subpackages use date information, but we want
-+# reproducible builds, so we use a pre-determined timestamp, rather
-+# than the current timestamp to acheive consistent results build to
-+# build.
-+PACKAGING_TIMESTAMP = $(shell date -r ../VERSION +%s)
-+
- default help:
- @echo "nothing is build by default"
- @echo "available build targets:"
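Review bot: PACKAGING_TIMESTAMP is defined with recursive "=", so $(shell date -r ../VERSION +%s) is re-run on every expansion (four sub-makes in this patch); use ":=" so it is evaluated once. The value is the mtime of ../VERSION, which depends on how the source tree was unpacked or checked out, so for reproducible builds it would be more robust to honour SOURCE_DATE_EPOCH when it is set and fall back to the file mtime only otherwise. The added comment also misspells "achieve".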
-@@ -100,7 +106,7 @@ build-seabios-config-%: config.%
-
- .PHONY: sgabios skiboot
- sgabios:
-- $(MAKE) -C sgabios
-+ $(MAKE) -C sgabios PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP)
- cp sgabios/sgabios.bin ../pc-bios
-
-
-@@ -120,11 +126,13 @@ efi-rom-%: build-pxe-roms build-efi-roms edk2-basetools
-
- build-pxe-roms:
- $(MAKE) -C ipxe/src CONFIG=qemu \
-+ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \
- CROSS_COMPILE=$(x86_64_cross_prefix) \
- $(patsubst %,bin/%.rom,$(pxerom_targets))
-
- build-efi-roms: build-pxe-roms
- $(MAKE) -C ipxe/src CONFIG=qemu \
-+ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \
- CROSS_COMPILE=$(x86_64_cross_prefix) \
- $(patsubst %,bin-i386-efi/%.efidrv,$(pxerom_targets)) \
- $(patsubst %,bin-x86_64-efi/%.efidrv,$(pxerom_targets))
-@@ -147,7 +155,9 @@ edk2-basetools:
- EXTRA_LDFLAGS='$(EDK2_BASETOOLS_LDFLAGS)'
-
- slof:
-- $(MAKE) -C SLOF CROSS=$(powerpc64_cross_prefix) qemu
-+ $(MAKE) -C SLOF CROSS=$(powerpc64_cross_prefix) \
-+ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \
-+ qemu
- cp SLOF/boot_rom.bin ../pc-bios/slof.bin
-
- u-boot.e500:
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Thu, 20 Jun 2019 17:58:37 -0600
-Subject: roms: change cross compiler naming to be suse specific
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- roms/edk2-funcs.sh | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/roms/edk2-funcs.sh b/roms/edk2-funcs.sh
-index 3f4485b201f1f6f8cff47a9933da..5a3a8d885c9138d3c857d8b1e6d0 100644
---- a/roms/edk2-funcs.sh
-+++ b/roms/edk2-funcs.sh
-@@ -113,7 +113,15 @@ qemu_edk2_get_cross_prefix()
- # no cross-compiler needed
- :
- else
-- printf '%s-linux-gnu-\n' "$gcc_arch"
-+ if [ "$emulation_target" == arm ]; then
-+ printf '%s-suse-linux-gnueabi-\n' "$gcc_arch"
-+ else
-+ if [ "$gcc_arch" == i686 ]; then
-+ printf '%s-suse-linux-\n' "i586"
-+ else
-+ printf '%s-suse-linux-\n' "$gcc_arch"
-+ fi
-+ fi
- fi
- }
-
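Review bot: the added tests in qemu_edk2_get_cross_prefix() use "==" inside "[ ... ]", which is a bash extension; use "=" unless this file is guaranteed to be sourced by bash only. The nested if/else can be flattened with elif, and the silent mapping of i686 to a literal "i586" prefix needs a comment saying why the SUSE toolchain name differs from $gcc_arch.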
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Thu, 27 Jun 2019 09:38:43 -0600
-Subject: roms/sgabios: Fix csum8 to be built by host compiler
-
-Signed-off-by: Bruce Rogers <brogers@suse.com
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/roms/sgabios/Makefile b/roms/sgabios/Makefile
-index d2934c9f678dadfae5201b8507e9..d7e108faf69007056ddc08c4e63c 100644
---- a/roms/sgabios/Makefile
-+++ b/roms/sgabios/Makefile
-@@ -55,7 +55,7 @@ sgabios.elf: .depend $(OBJS) $(LDSCRIPT) csum8
- $(LD) $(LDFLAGS) $(OBJS) -o $@
-
- csum8: csum8.c
-- $(CC) -Wall -O2 -o $@ $<
-+ $(HOSTCC) -Wall -O2 -o $@ $<
-
- sgabios.o: buildinfo
-
+++ /dev/null
-From: Alexander Bulekov <alxndr@bu.edu>
-Date: Fri, 26 Feb 2021 13:47:53 -0500
-Subject: rtl8139: switch to use qemu_receive_packet() for loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 5311fb805a4403bba024e83886fa0e7572265de4
-References: bsc#1182968, CVE-2021-3416
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
-Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/net/rtl8139.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
-index 88a97d756d6b6cb4bd22a8c1b616..1c7e51468b16242542c957a873e1 100644
---- a/hw/net/rtl8139.c
-+++ b/hw/net/rtl8139.c
-@@ -1793,7 +1793,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
- }
-
- DPRINTF("+++ transmit loopback mode\n");
-- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
-+ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
-
- if (iov) {
- g_free(buf2);
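Review bot: the replacement call in rtl8139_transfer_frame() drops the do_interrupt argument that rtl8139_do_receive() was given, and the commit message does not say how the RX interrupt is decided for loopback frames after the change; please state whether callers that passed do_interrupt=0 see the same behaviour. A short comment above qemu_receive_packet() noting that it is used here because it detects reentrancy and returns early (CVE-2021-3416) would stop a later cleanup from restoring the direct call.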
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Wed, 5 Feb 2020 06:57:35 -0500
-Subject: s390x: Add SIDA memory ops
-
-References: bsc#1167075
-
-Protected guests save the instruction control blocks in the SIDA
-instead of QEMU/KVM directly accessing the guest's memory.
-
-Let's introduce new functions to access the SIDA.
-
-The memops for doing so are available with KVM_CAP_S390_PROTECTED, so
-let's check for that.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit a9f21cec3bc9c86062c7c24bb2143d22cb3c2950)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/cpu.h | 7 ++++++-
- target/s390x/kvm.c | 26 ++++++++++++++++++++++++++
- target/s390x/kvm_s390x.h | 2 ++
- target/s390x/mmu_helper.c | 14 ++++++++++++++
- 4 files changed, 48 insertions(+), 1 deletion(-)
-
-diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h
-index d2af13b345ccd9094f82385cd528..2ec0f78b48ee15978b62f5fdc1b2 100644
---- a/target/s390x/cpu.h
-+++ b/target/s390x/cpu.h
-@@ -821,7 +821,12 @@ int s390_cpu_virt_mem_rw(S390CPU *cpu, vaddr laddr, uint8_t ar, void *hostbuf,
- #define s390_cpu_virt_mem_check_write(cpu, laddr, ar, len) \
- s390_cpu_virt_mem_rw(cpu, laddr, ar, NULL, len, true)
- void s390_cpu_virt_mem_handle_exc(S390CPU *cpu, uintptr_t ra);
--
-+int s390_cpu_pv_mem_rw(S390CPU *cpu, unsigned int offset, void *hostbuf,
-+ int len, bool is_write);
-+#define s390_cpu_pv_mem_read(cpu, offset, dest, len) \
-+ s390_cpu_pv_mem_rw(cpu, offset, dest, len, false)
-+#define s390_cpu_pv_mem_write(cpu, offset, dest, len) \
-+ s390_cpu_pv_mem_rw(cpu, offset, dest, len, true)
-
- /* sigp.c */
- int s390_cpu_restart(S390CPU *cpu);
-diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
-index abeeaaa67452b0b938557b0d0dea..941e4df630ad9b3dc780d3c92e6b 100644
---- a/target/s390x/kvm.c
-+++ b/target/s390x/kvm.c
-@@ -154,6 +154,7 @@ static int cap_ri;
- static int cap_gs;
- static int cap_hpage_1m;
- static int cap_vcpu_resets;
-+static int cap_protected;
-
- static int active_cmma;
-
-@@ -351,6 +352,7 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
- cap_mem_op = kvm_check_extension(s, KVM_CAP_S390_MEM_OP);
- cap_s390_irq = kvm_check_extension(s, KVM_CAP_S390_INJECT_IRQ);
- cap_vcpu_resets = kvm_check_extension(s, KVM_CAP_S390_VCPU_RESETS);
-+ cap_protected = kvm_check_extension(s, KVM_CAP_S390_PROTECTED);
-
- if (!kvm_check_extension(s, KVM_CAP_S390_GMAP)
- || !kvm_check_extension(s, KVM_CAP_S390_COW)) {
-@@ -848,6 +850,30 @@ int kvm_s390_mem_op(S390CPU *cpu, vaddr addr, uint8_t ar, void *hostbuf,
- return ret;
- }
-
-+int kvm_s390_mem_op_pv(S390CPU *cpu, uint64_t offset, void *hostbuf,
-+ int len, bool is_write)
-+{
-+ struct kvm_s390_mem_op mem_op = {
-+ .sida_offset = offset,
-+ .size = len,
-+ .op = is_write ? KVM_S390_MEMOP_SIDA_WRITE
-+ : KVM_S390_MEMOP_SIDA_READ,
-+ .buf = (uint64_t)hostbuf,
-+ };
-+ int ret;
-+
-+ if (!cap_mem_op || !cap_protected) {
-+ return -ENOSYS;
-+ }
-+
-+ ret = kvm_vcpu_ioctl(CPU(cpu), KVM_S390_MEM_OP, &mem_op);
-+ if (ret < 0) {
-+ error_report("KVM_S390_MEM_OP failed: %s", strerror(-ret));
-+ abort();
-+ }
-+ return ret;
-+}
-+
- /*
- * Legacy layout for s390:
- * Older S390 KVM requires the topmost vma of the RAM to be
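Review bot: kvm_s390_mem_op_pv() calls abort() when KVM_S390_MEM_OP fails, so any bad offset or length reaching this function takes the whole VM process down instead of returning an error to the caller; return ret and let s390_cpu_pv_mem_rw() callers decide. len is a signed int copied into .size with no check for negative values, and offset is not validated against the SIDA size before the ioctl; a range check or at least a comment stating that the kernel enforces the bounds is needed.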
-diff --git a/target/s390x/kvm_s390x.h b/target/s390x/kvm_s390x.h
-index dea813f450153c34e1269424772d..6ab17c81b73a0011e32213552698 100644
---- a/target/s390x/kvm_s390x.h
-+++ b/target/s390x/kvm_s390x.h
-@@ -19,6 +19,8 @@ void kvm_s390_vcpu_interrupt(S390CPU *cpu, struct kvm_s390_irq *irq);
- void kvm_s390_access_exception(S390CPU *cpu, uint16_t code, uint64_t te_code);
- int kvm_s390_mem_op(S390CPU *cpu, vaddr addr, uint8_t ar, void *hostbuf,
- int len, bool is_write);
-+int kvm_s390_mem_op_pv(S390CPU *cpu, vaddr addr, void *hostbuf, int len,
-+ bool is_write);
- void kvm_s390_program_interrupt(S390CPU *cpu, uint16_t code);
- int kvm_s390_set_cpu_state(S390CPU *cpu, uint8_t cpu_state);
- void kvm_s390_vcpu_interrupt_pre_save(S390CPU *cpu);
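Review bot: the prototype added to kvm_s390x.h declares the second parameter as "vaddr addr", but the definition in kvm.c is "uint64_t offset" and the wrapper s390_cpu_pv_mem_rw() takes "unsigned int offset". The value is an offset into the SIDA, not a guest virtual address, so the header should use the same name and type as the definition, and the three signatures should agree on one width.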
-diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c
-index c9f3f347501097b894333a36cac3..ec8befbdc87d4c88d83baeeab20e 100644
---- a/target/s390x/mmu_helper.c
-+++ b/target/s390x/mmu_helper.c
-@@ -474,6 +474,20 @@ static int translate_pages(S390CPU *cpu, vaddr addr, int nr_pages,
- return 0;
- }
-
-+int s390_cpu_pv_mem_rw(S390CPU *cpu, unsigned int offset, void *hostbuf,
-+ int len, bool is_write)
-+{
-+ int ret;
-+
-+ if (kvm_enabled()) {
-+ ret = kvm_s390_mem_op_pv(cpu, offset, hostbuf, len, is_write);
-+ } else {
-+ /* Protected Virtualization is a KVM/Hardware only feature */
-+ g_assert_not_reached();
-+ }
-+ return ret;
-+}
-+
- /**
- * s390_cpu_virt_mem_rw:
- * @laddr: the logical start address
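Review bot: in s390_cpu_pv_mem_rw() ret is left uninitialised on the non-KVM branch, so if g_assert_not_reached() is compiled out the function returns an indeterminate value; initialise ret to an error code or return directly from the else branch. The function also lacks a doc comment, while s390_cpu_virt_mem_rw() immediately below has one; document that offset is relative to the SIDA and what the return value means.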
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Fri, 14 Feb 2020 10:16:21 -0500
-Subject: s390x: Add missing vcpu reset functions
-
-References: bsc#1167075
-
-Up to now we only had an ioctl to reset vcpu data QEMU couldn't reach
-for the initial reset, which was also called for the clear reset. To
-be architecture compliant, we also need to clear local interrupts on a
-normal reset.
-
-Because of this and the upcoming protvirt support we need to add
-ioctls for the missing clear and normal resets.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Acked-by: David Hildenbrand <david@redhat.com>
-Message-Id: <20200214151636.8764-3-frankja@linux.ibm.com>
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit b91a03946e0f65ddd22927dd80ca1276bf89c5af)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/cpu.c | 14 ++++++++++++--
- target/s390x/kvm-stub.c | 10 +++++++++-
- target/s390x/kvm.c | 42 ++++++++++++++++++++++++++++++++--------
- target/s390x/kvm_s390x.h | 4 +++-
- 4 files changed, 58 insertions(+), 12 deletions(-)
-
-diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
-index bd39cb54b7aa3fa8edba5d9975a4..52fefa1586caa3cbd366fe230630 100644
---- a/target/s390x/cpu.c
-+++ b/target/s390x/cpu.c
-@@ -131,8 +131,18 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
- }
-
- /* Reset state inside the kernel that we cannot access yet from QEMU. */
-- if (kvm_enabled() && type != S390_CPU_RESET_NORMAL) {
-- kvm_s390_reset_vcpu(cpu);
-+ if (kvm_enabled()) {
-+ switch (type) {
-+ case S390_CPU_RESET_CLEAR:
-+ kvm_s390_reset_vcpu_clear(cpu);
-+ break;
-+ case S390_CPU_RESET_INITIAL:
-+ kvm_s390_reset_vcpu_initial(cpu);
-+ break;
-+ case S390_CPU_RESET_NORMAL:
-+ kvm_s390_reset_vcpu_normal(cpu);
-+ break;
-+ }
- }
- }
-
-diff --git a/target/s390x/kvm-stub.c b/target/s390x/kvm-stub.c
-index 5152e2bdf19b2661330a1da80c5d..c4cd497f850eb9c7a859932b0f1f 100644
---- a/target/s390x/kvm-stub.c
-+++ b/target/s390x/kvm-stub.c
-@@ -83,7 +83,15 @@ void kvm_s390_cmma_reset(void)
- {
- }
-
--void kvm_s390_reset_vcpu(S390CPU *cpu)
-+void kvm_s390_reset_vcpu_initial(S390CPU *cpu)
-+{
-+}
-+
-+void kvm_s390_reset_vcpu_clear(S390CPU *cpu)
-+{
-+}
-+
-+void kvm_s390_reset_vcpu_normal(S390CPU *cpu)
- {
- }
-
-diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
-index ad6e38c8761be7e0cad57771f49b..f633472980b48757989db245fb1f 100644
---- a/target/s390x/kvm.c
-+++ b/target/s390x/kvm.c
-@@ -151,6 +151,7 @@ static int cap_s390_irq;
- static int cap_ri;
- static int cap_gs;
- static int cap_hpage_1m;
-+static int cap_vcpu_resets;
-
- static int active_cmma;
-
-@@ -342,6 +343,7 @@ int kvm_arch_init(MachineState *ms, KVMState *s)
- cap_async_pf = kvm_check_extension(s, KVM_CAP_ASYNC_PF);
- cap_mem_op = kvm_check_extension(s, KVM_CAP_S390_MEM_OP);
- cap_s390_irq = kvm_check_extension(s, KVM_CAP_S390_INJECT_IRQ);
-+ cap_vcpu_resets = kvm_check_extension(s, KVM_CAP_S390_VCPU_RESETS);
-
- if (!kvm_check_extension(s, KVM_CAP_S390_GMAP)
- || !kvm_check_extension(s, KVM_CAP_S390_COW)) {
-@@ -403,17 +405,41 @@ int kvm_arch_destroy_vcpu(CPUState *cs)
- return 0;
- }
-
--void kvm_s390_reset_vcpu(S390CPU *cpu)
-+static void kvm_s390_reset_vcpu(S390CPU *cpu, unsigned long type)
- {
- CPUState *cs = CPU(cpu);
-
-- /* The initial reset call is needed here to reset in-kernel
-- * vcpu data that we can't access directly from QEMU
-- * (i.e. with older kernels which don't support sync_regs/ONE_REG).
-- * Before this ioctl cpu_synchronize_state() is called in common kvm
-- * code (kvm-all) */
-- if (kvm_vcpu_ioctl(cs, KVM_S390_INITIAL_RESET, NULL)) {
-- error_report("Initial CPU reset failed on CPU %i", cs->cpu_index);
-+ /*
-+ * The reset call is needed here to reset in-kernel vcpu data that
-+ * we can't access directly from QEMU (i.e. with older kernels
-+ * which don't support sync_regs/ONE_REG). Before this ioctl
-+ * cpu_synchronize_state() is called in common kvm code
-+ * (kvm-all).
-+ */
-+ if (kvm_vcpu_ioctl(cs, type)) {
-+ error_report("CPU reset failed on CPU %i type %lx",
-+ cs->cpu_index, type);
-+ }
-+}
-+
-+void kvm_s390_reset_vcpu_initial(S390CPU *cpu)
-+{
-+ kvm_s390_reset_vcpu(cpu, KVM_S390_INITIAL_RESET);
-+}
-+
-+void kvm_s390_reset_vcpu_clear(S390CPU *cpu)
-+{
-+ if (cap_vcpu_resets) {
-+ kvm_s390_reset_vcpu(cpu, KVM_S390_CLEAR_RESET);
-+ } else {
-+ kvm_s390_reset_vcpu(cpu, KVM_S390_INITIAL_RESET);
-+ }
-+}
-+
-+void kvm_s390_reset_vcpu_normal(S390CPU *cpu)
-+{
-+ if (cap_vcpu_resets) {
-+ kvm_s390_reset_vcpu(cpu, KVM_S390_NORMAL_RESET);
- }
- }
-
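Review bot: kvm_s390_reset_vcpu_normal() silently does nothing when cap_vcpu_resets is 0, although the commit message says the normal reset is needed to clear local interrupts for architecture compliance; add a comment that older kernels keep the previous (non-compliant) behaviour so this is not mistaken for an oversight. kvm_s390_reset_vcpu() only logs a failed ioctl and continues, leaving the vcpu in an unknown state after a failed reset, and the message prints type with a bare %lx; consider propagating the failure and prefixing the value with 0x.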
-diff --git a/target/s390x/kvm_s390x.h b/target/s390x/kvm_s390x.h
-index caf985955ba5da4e2cda021ed1b5..0b21789796d7c462bdc72160166f 100644
---- a/target/s390x/kvm_s390x.h
-+++ b/target/s390x/kvm_s390x.h
-@@ -34,7 +34,9 @@ int kvm_s390_assign_subch_ioeventfd(EventNotifier *notifier, uint32_t sch,
- int vq, bool assign);
- int kvm_s390_cmma_active(void);
- void kvm_s390_cmma_reset(void);
--void kvm_s390_reset_vcpu(S390CPU *cpu);
-+void kvm_s390_reset_vcpu_clear(S390CPU *cpu);
-+void kvm_s390_reset_vcpu_normal(S390CPU *cpu);
-+void kvm_s390_reset_vcpu_initial(S390CPU *cpu);
- int kvm_s390_set_mem_limit(uint64_t new_limit, uint64_t *hw_limit);
- void kvm_s390_set_max_pagesize(uint64_t pagesize, Error **errp);
- void kvm_s390_crypto_reset(void);
+++ /dev/null
-From: Christian Borntraeger <borntraeger@de.ibm.com>
-Date: Tue, 25 Feb 2020 06:28:51 -0500
-Subject: s390x: Add unpack facility feature to GA1
-
-References: bsc#1167075
-
-The unpack facility is an indication that diagnose 308 subcodes 8-10
-are available to the guest. That means, that the guest can put itself
-into protected mode.
-
-Once it is in protected mode, the hardware stops any attempt of VM
-introspection by the hypervisor.
-
-Some features are currently not supported in protected mode:
- * vfio devices
- * Migration
- * Huge page backings
-
-Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-(cherry picked from commit 3034eaac3b2970ba85a1d77814ceef1352d05357)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/gen-features.c | 1 +
- target/s390x/kvm.c | 8 ++++++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
-index 6278845b12b8dee84c086413c60a..8ddeebc54419a3e2481e21916389 100644
---- a/target/s390x/gen-features.c
-+++ b/target/s390x/gen-features.c
-@@ -562,6 +562,7 @@ static uint16_t full_GEN15_GA1[] = {
- S390_FEAT_GROUP_MSA_EXT_9,
- S390_FEAT_GROUP_MSA_EXT_9_PCKMO,
- S390_FEAT_ETOKEN,
-+ S390_FEAT_UNPACK,
- };
-
- /* Default features (in order of release)
-diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
-index d94b915da419c3ad0a1f9622ca13..8b82e4c93dfa7e89127bce74cde7 100644
---- a/target/s390x/kvm.c
-+++ b/target/s390x/kvm.c
-@@ -2407,6 +2407,14 @@ void kvm_s390_get_host_cpu_model(S390CPUModel *model, Error **errp)
- clear_bit(S390_FEAT_BPB, model->features);
- }
-
-+ /*
-+ * If we have support for protected virtualization, indicate
-+ * the protected virtualization IPL unpack facility.
-+ */
-+ if (cap_protected) {
-+ set_bit(S390_FEAT_UNPACK, model->features);
-+ }
-+
- /* We emulate a zPCI bus and AEN, therefore we don't need HW support */
- set_bit(S390_FEAT_ZPCI, model->features);
- set_bit(S390_FEAT_ADAPTER_EVENT_NOTIFICATION, model->features);
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Wed, 27 Nov 2019 12:50:45 -0500
-Subject: s390x: Beautify diag308 handling
-
-References: bsc#1167075
-
-Let's improve readability by:
-* Using constants for the subcodes
-* Moving parameter checking into a function
-* Removing subcode > 6 check as the default case catches that
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Message-Id: <20191127175046.4911-6-frankja@linux.ibm.com>
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit 0b7fd817e0f383760e37ca9286150d5816cf0594)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/diag.c | 54 +++++++++++++++++++++++++++------------------
- 1 file changed, 32 insertions(+), 22 deletions(-)
-
-diff --git a/target/s390x/diag.c b/target/s390x/diag.c
-index 0c81d8e1efbfe37a384199488a72..54e5670b3fd6d960bd3fb4baca8b 100644
---- a/target/s390x/diag.c
-+++ b/target/s390x/diag.c
-@@ -53,6 +53,29 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3)
- #define DIAG_308_RC_NO_CONF 0x0102
- #define DIAG_308_RC_INVALID 0x0402
-
-+#define DIAG308_RESET_MOD_CLR 0
-+#define DIAG308_RESET_LOAD_NORM 1
-+#define DIAG308_LOAD_CLEAR 3
-+#define DIAG308_LOAD_NORMAL_DUMP 4
-+#define DIAG308_SET 5
-+#define DIAG308_STORE 6
-+
-+static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr,
-+ uintptr_t ra, bool write)
-+{
-+ if ((r1 & 1) || (addr & ~TARGET_PAGE_MASK)) {
-+ s390_program_interrupt(env, PGM_SPECIFICATION, ra);
-+ return -1;
-+ }
-+ if (!address_space_access_valid(&address_space_memory, addr,
-+ sizeof(IplParameterBlock), write,
-+ MEMTXATTRS_UNSPECIFIED)) {
-+ s390_program_interrupt(env, PGM_ADDRESSING, ra);
-+ return -1;
-+ }
-+ return 0;
-+}
-+
- void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
- {
- CPUState *cs = env_cpu(env);
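Review bot: in diag308_parm_check() the alignment test is now `addr & ~TARGET_PAGE_MASK`, while the two blocks it replaces (removed in the next hunks) used the literal `addr & 0x0fffULL`. The two agree only when the target page size is 4 KiB, and the commit message lists only constants, the helper and the subcode check, so please state the equivalence in a comment at the check or in the message. The helper also returns 0/-1 as an int although both callers only test it for truth; a bool return would fit better next to the `write` parameter.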
-@@ -65,30 +88,24 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
- return;
- }
-
-- if ((subcode & ~0x0ffffULL) || (subcode > 6)) {
-+ if (subcode & ~0x0ffffULL) {
- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
- return;
- }
-
- switch (subcode) {
-- case 0:
-+ case DIAG308_RESET_MOD_CLR:
- s390_ipl_reset_request(cs, S390_RESET_MODIFIED_CLEAR);
- break;
-- case 1:
-+ case DIAG308_RESET_LOAD_NORM:
- s390_ipl_reset_request(cs, S390_RESET_LOAD_NORMAL);
- break;
-- case 3:
-+ case DIAG308_LOAD_CLEAR:
-+ /* Well we still lack the clearing bit... */
- s390_ipl_reset_request(cs, S390_RESET_REIPL);
- break;
-- case 5:
-- if ((r1 & 1) || (addr & 0x0fffULL)) {
-- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
-- return;
-- }
-- if (!address_space_access_valid(&address_space_memory, addr,
-- sizeof(IplParameterBlock), false,
-- MEMTXATTRS_UNSPECIFIED)) {
-- s390_program_interrupt(env, PGM_ADDRESSING, ra);
-+ case DIAG308_SET:
-+ if (diag308_parm_check(env, r1, addr, ra, false)) {
- return;
- }
- iplb = g_new0(IplParameterBlock, 1);
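Review bot: dropping `(subcode > 6)` from the range check means subcodes 7 through 0xffff are no longer rejected here with PGM_SPECIFICATION and instead reach the switch's default case, which is outside the visible context. The commit message says the default case catches them; please confirm that it raises the same program interrupt, so that guest-visible behaviour for those subcodes is unchanged. The new comment "Well we still lack the clearing bit..." under DIAG308_LOAD_CLEAR would be more useful as a TODO that names what S390_RESET_REIPL is missing for a load-clear.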
-@@ -110,15 +127,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
- out:
- g_free(iplb);
- return;
-- case 6:
-- if ((r1 & 1) || (addr & 0x0fffULL)) {
-- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
-- return;
-- }
-- if (!address_space_access_valid(&address_space_memory, addr,
-- sizeof(IplParameterBlock), true,
-- MEMTXATTRS_UNSPECIFIED)) {
-- s390_program_interrupt(env, PGM_ADDRESSING, ra);
-+ case DIAG308_STORE:
-+ if (diag308_parm_check(env, r1, addr, ra, true)) {
- return;
- }
- iplb = s390_ipl_get_iplb();
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Wed, 27 Nov 2019 12:50:41 -0500
-Subject: s390x: Don't do a normal reset on the initial cpu
-
-References: bsc#1167075
-
-The initiating cpu needs to be reset with an initial reset. While
-doing a normal reset followed by a initial reset is not wrong per se,
-the Ultravisor will only allow the correct reset to be performed.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-Message-Id: <20191127175046.4911-2-frankja@linux.ibm.com>
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit ec9227339fce99412830d44a37eb0bd2fadd5f75)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/s390x/s390-virtio-ccw.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
-index 6134f30508f88737cd5e885ffab6..fcd8203cd11d9068de52b7ef695d 100644
---- a/hw/s390x/s390-virtio-ccw.c
-+++ b/hw/s390x/s390-virtio-ccw.c
-@@ -349,6 +349,9 @@ static void s390_machine_reset(MachineState *machine)
- break;
- case S390_RESET_LOAD_NORMAL:
- CPU_FOREACH(t) {
-+ if (t == cs) {
-+ continue;
-+ }
- run_on_cpu(t, s390_do_cpu_reset, RUN_ON_CPU_NULL);
- }
- subsystem_reset();
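Review bot: the `if (t == cs) continue;` skip in the S390_RESET_LOAD_NORMAL loop carries no comment, and the reason (the initiating CPU needs an initial reset, and the Ultravisor only allows the correct reset) lives only in the commit message. A one-line comment above the check would keep a later cleanup from removing it. The initial reset of `cs` itself is not in the visible context, so it is worth confirming that it still follows this loop.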
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Wed, 27 Nov 2019 12:50:44 -0500
-Subject: s390x: Move clear reset
-
-References: bsc#1167075
-
-Let's also move the clear reset function into the reset handler.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Message-Id: <20191127175046.4911-5-frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit eb8adcc3e9e3b8405c104ede72cf9f3bb2a5e226)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/cpu-qom.h | 1 +
- target/s390x/cpu.c | 58 +++++++++++++-----------------------------
- 2 files changed, 18 insertions(+), 41 deletions(-)
-
-diff --git a/target/s390x/cpu-qom.h b/target/s390x/cpu-qom.h
-index 6f0a12042ed4802de7da08d63612..dbe5346ec9019f4f5939598b7a83 100644
---- a/target/s390x/cpu-qom.h
-+++ b/target/s390x/cpu-qom.h
-@@ -37,6 +37,7 @@ typedef struct S390CPUDef S390CPUDef;
- typedef enum cpu_reset_type {
- S390_CPU_RESET_NORMAL,
- S390_CPU_RESET_INITIAL,
-+ S390_CPU_RESET_CLEAR,
- } cpu_reset_type;
-
- /**
-diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
-index ca62fe768569b992bbf41b064734..bd39cb54b7aa3fa8edba5d9975a4 100644
---- a/target/s390x/cpu.c
-+++ b/target/s390x/cpu.c
-@@ -94,6 +94,9 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
- s390_cpu_set_state(S390_CPU_STATE_STOPPED, cpu);
-
- switch (type) {
-+ case S390_CPU_RESET_CLEAR:
-+ memset(env, 0, offsetof(CPUS390XState, start_initial_reset_fields));
-+ /* fall through */
- case S390_CPU_RESET_INITIAL:
- /* initial reset does not clear everything! */
- memset(&env->start_initial_reset_fields, 0,
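Review bot: the new S390_CPU_RESET_CLEAR case zeroes only the bytes before `start_initial_reset_fields` and depends on the fall-through into S390_CPU_RESET_INITIAL to clear the rest up to `end_reset_fields`. A short comment on the case saying that the two memsets together cover what the removed s390_cpu_full_reset() cleared with its single `memset(env, 0, offsetof(CPUS390XState, end_reset_fields))` would save the next reader from recomputing the ranges.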
-@@ -107,6 +110,14 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
- env->cregs[0] = CR0_RESET;
- env->cregs[14] = CR14_RESET;
-
-+#if defined(CONFIG_USER_ONLY)
-+ /* user mode should always be allowed to use the full FPU */
-+ env->cregs[0] |= CR0_AFP;
-+ if (s390_has_feat(S390_FEAT_VECTOR)) {
-+ env->cregs[0] |= CR0_VECTOR;
-+ }
-+#endif
-+
- /* tininess for underflow is detected before rounding */
- set_float_detect_tininess(float_tininess_before_rounding,
- &env->fpu_status);
-@@ -125,46 +136,6 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
- }
- }
-
--/* CPUClass:reset() */
--static void s390_cpu_full_reset(CPUState *s)
--{
-- S390CPU *cpu = S390_CPU(s);
-- S390CPUClass *scc = S390_CPU_GET_CLASS(cpu);
-- CPUS390XState *env = &cpu->env;
--
-- scc->parent_reset(s);
-- cpu->env.sigp_order = 0;
-- s390_cpu_set_state(S390_CPU_STATE_STOPPED, cpu);
--
-- memset(env, 0, offsetof(CPUS390XState, end_reset_fields));
--
-- /* architectured initial values for CR 0 and 14 */
-- env->cregs[0] = CR0_RESET;
-- env->cregs[14] = CR14_RESET;
--
--#if defined(CONFIG_USER_ONLY)
-- /* user mode should always be allowed to use the full FPU */
-- env->cregs[0] |= CR0_AFP;
-- if (s390_has_feat(S390_FEAT_VECTOR)) {
-- env->cregs[0] |= CR0_VECTOR;
-- }
--#endif
--
-- /* architectured initial value for Breaking-Event-Address register */
-- env->gbea = 1;
--
-- env->pfault_token = -1UL;
--
-- /* tininess for underflow is detected before rounding */
-- set_float_detect_tininess(float_tininess_before_rounding,
-- &env->fpu_status);
--
-- /* Reset state inside the kernel that we cannot access yet from QEMU. */
-- if (kvm_enabled()) {
-- kvm_s390_reset_vcpu(cpu);
-- }
--}
--
- #if !defined(CONFIG_USER_ONLY)
- static void s390_cpu_machine_reset_cb(void *opaque)
- {
-@@ -456,6 +427,11 @@ static Property s390x_cpu_properties[] = {
- DEFINE_PROP_END_OF_LIST()
- };
-
-+static void s390_cpu_reset_full(CPUState *s)
-+{
-+ return s390_cpu_reset(s, S390_CPU_RESET_CLEAR);
-+}
-+
- static void s390_cpu_class_init(ObjectClass *oc, void *data)
- {
- S390CPUClass *scc = S390_CPU_CLASS(oc);
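Review bot: s390_cpu_reset_full() is declared void but is written as `return s390_cpu_reset(s, S390_CPU_RESET_CLEAR);`. A return statement with an expression in a void function is a constraint violation in ISO C that compilers accept only as an extension; call s390_cpu_reset() as a plain statement instead. The new name also flips the word order of the removed s390_cpu_full_reset(), which makes the change in the class_init hunk harder to follow with grep.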
-@@ -472,7 +448,7 @@ static void s390_cpu_class_init(ObjectClass *oc, void *data)
- scc->load_normal = s390_cpu_load_normal;
- #endif
- scc->reset = s390_cpu_reset;
-- cc->reset = s390_cpu_full_reset;
-+ cc->reset = s390_cpu_reset_full;
- cc->class_by_name = s390_cpu_class_by_name,
- cc->has_work = s390_cpu_has_work;
- #ifdef CONFIG_TCG
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Fri, 13 Mar 2020 10:35:02 -0400
-Subject: s390x: Move diagnose 308 subcodes and rcs into ipl.h
-
-References: bsc#1167075
-
-They are part of the IPL process, so let's put them into the ipl
-header.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-(cherry picked from commit 284bc3dd6e9a978e6e34b00777ce72007a88d6d9)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/s390x/ipl.h | 11 +++++++++++
- target/s390x/diag.c | 11 -----------
- 2 files changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
-index 3e44abe1c651d8a01f4708c2801c..a5665e6bfde2e8cfbb1b2e6c7234 100644
---- a/hw/s390x/ipl.h
-+++ b/hw/s390x/ipl.h
-@@ -159,6 +159,17 @@ struct S390IPLState {
- typedef struct S390IPLState S390IPLState;
- QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong");
-
-+#define DIAG_308_RC_OK 0x0001
-+#define DIAG_308_RC_NO_CONF 0x0102
-+#define DIAG_308_RC_INVALID 0x0402
-+
-+#define DIAG308_RESET_MOD_CLR 0
-+#define DIAG308_RESET_LOAD_NORM 1
-+#define DIAG308_LOAD_CLEAR 3
-+#define DIAG308_LOAD_NORMAL_DUMP 4
-+#define DIAG308_SET 5
-+#define DIAG308_STORE 6
-+
- #define S390_IPL_TYPE_FCP 0x00
- #define S390_IPL_TYPE_CCW 0x02
- #define S390_IPL_TYPE_QEMU_SCSI 0xff
-diff --git a/target/s390x/diag.c b/target/s390x/diag.c
-index 54e5670b3fd6d960bd3fb4baca8b..8aba6341f94848e1ce8fff420ed8 100644
---- a/target/s390x/diag.c
-+++ b/target/s390x/diag.c
-@@ -49,17 +49,6 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3)
- return diag288_class->handle_timer(diag288, func, timeout);
- }
-
--#define DIAG_308_RC_OK 0x0001
--#define DIAG_308_RC_NO_CONF 0x0102
--#define DIAG_308_RC_INVALID 0x0402
--
--#define DIAG308_RESET_MOD_CLR 0
--#define DIAG308_RESET_LOAD_NORM 1
--#define DIAG308_LOAD_CLEAR 3
--#define DIAG308_LOAD_NORMAL_DUMP 4
--#define DIAG308_SET 5
--#define DIAG308_STORE 6
--
- static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr,
- uintptr_t ra, bool write)
- {
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Thu, 28 Nov 2019 03:37:23 -0500
-Subject: s390x: Move initial reset
-
-References: bsc#1167075
-
-Let's move the intial reset into the reset handler and cleanup
-afterwards.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Message-Id: <20191128083723.11937-1-frankja@linux.ibm.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit 81b9222358e5c8f666f0d86057c75e40531d804c)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/cpu-qom.h | 2 +-
- target/s390x/cpu.c | 46 +++++++++++++++++-------------------------
- target/s390x/cpu.h | 2 +-
- target/s390x/sigp.c | 2 +-
- 4 files changed, 21 insertions(+), 31 deletions(-)
-
-diff --git a/target/s390x/cpu-qom.h b/target/s390x/cpu-qom.h
-index f3b71bac67c91c9e307fa250b47a..6f0a12042ed4802de7da08d63612 100644
---- a/target/s390x/cpu-qom.h
-+++ b/target/s390x/cpu-qom.h
-@@ -36,6 +36,7 @@ typedef struct S390CPUDef S390CPUDef;
-
- typedef enum cpu_reset_type {
- S390_CPU_RESET_NORMAL,
-+ S390_CPU_RESET_INITIAL,
- } cpu_reset_type;
-
- /**
-@@ -62,7 +63,6 @@ typedef struct S390CPUClass {
- void (*parent_reset)(CPUState *cpu);
- void (*load_normal)(CPUState *cpu);
- void (*reset)(CPUState *cpu, cpu_reset_type type);
-- void (*initial_cpu_reset)(CPUState *cpu);
- } S390CPUClass;
-
- typedef struct S390CPU S390CPU;
-diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
-index 67d6fbfa4401720aa24f2ace8e3c..ca62fe768569b992bbf41b064734 100644
---- a/target/s390x/cpu.c
-+++ b/target/s390x/cpu.c
-@@ -94,6 +94,23 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
- s390_cpu_set_state(S390_CPU_STATE_STOPPED, cpu);
-
- switch (type) {
-+ case S390_CPU_RESET_INITIAL:
-+ /* initial reset does not clear everything! */
-+ memset(&env->start_initial_reset_fields, 0,
-+ offsetof(CPUS390XState, end_reset_fields) -
-+ offsetof(CPUS390XState, start_initial_reset_fields));
-+
-+ /* architectured initial value for Breaking-Event-Address register */
-+ env->gbea = 1;
-+
-+ /* architectured initial values for CR 0 and 14 */
-+ env->cregs[0] = CR0_RESET;
-+ env->cregs[14] = CR14_RESET;
-+
-+ /* tininess for underflow is detected before rounding */
-+ set_float_detect_tininess(float_tininess_before_rounding,
-+ &env->fpu_status);
-+ /* fall through */
- case S390_CPU_RESET_NORMAL:
- env->pfault_token = -1UL;
- env->bpbc = false;
-@@ -101,35 +118,9 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
- default:
- g_assert_not_reached();
- }
--}
--
--/* S390CPUClass::initial_reset() */
--static void s390_cpu_initial_reset(CPUState *s)
--{
-- S390CPU *cpu = S390_CPU(s);
-- CPUS390XState *env = &cpu->env;
--
-- s390_cpu_reset(s, S390_CPU_RESET_NORMAL);
-- /* initial reset does not clear everything! */
-- memset(&env->start_initial_reset_fields, 0,
-- offsetof(CPUS390XState, end_reset_fields) -
-- offsetof(CPUS390XState, start_initial_reset_fields));
--
-- /* architectured initial values for CR 0 and 14 */
-- env->cregs[0] = CR0_RESET;
-- env->cregs[14] = CR14_RESET;
--
-- /* architectured initial value for Breaking-Event-Address register */
-- env->gbea = 1;
--
-- env->pfault_token = -1UL;
--
-- /* tininess for underflow is detected before rounding */
-- set_float_detect_tininess(float_tininess_before_rounding,
-- &env->fpu_status);
-
- /* Reset state inside the kernel that we cannot access yet from QEMU. */
-- if (kvm_enabled()) {
-+ if (kvm_enabled() && type != S390_CPU_RESET_NORMAL) {
- kvm_s390_reset_vcpu(cpu);
- }
- }
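Review bot: `if (kvm_enabled() && type != S390_CPU_RESET_NORMAL)` selects the kernel-side vcpu reset by exclusion, so any member added to cpu_reset_type later will call kvm_s390_reset_vcpu() without anyone having decided that it should. Testing for S390_CPU_RESET_INITIAL explicitly, or moving the call into the switch case, keeps that decision next to each reset type.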
-@@ -481,7 +472,6 @@ static void s390_cpu_class_init(ObjectClass *oc, void *data)
- scc->load_normal = s390_cpu_load_normal;
- #endif
- scc->reset = s390_cpu_reset;
-- scc->initial_cpu_reset = s390_cpu_initial_reset;
- cc->reset = s390_cpu_full_reset;
- cc->class_by_name = s390_cpu_class_by_name,
- cc->has_work = s390_cpu_has_work;
-diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h
-index 18123dfd5bd13f530fcc3f8c54c4..d2af13b345ccd9094f82385cd528 100644
---- a/target/s390x/cpu.h
-+++ b/target/s390x/cpu.h
-@@ -748,7 +748,7 @@ static inline void s390_do_cpu_initial_reset(CPUState *cs, run_on_cpu_data arg)
- {
- S390CPUClass *scc = S390_CPU_GET_CLASS(cs);
-
-- scc->initial_cpu_reset(cs);
-+ scc->reset(cs, S390_CPU_RESET_INITIAL);
- }
-
- static inline void s390_do_cpu_load_normal(CPUState *cs, run_on_cpu_data arg)
-diff --git a/target/s390x/sigp.c b/target/s390x/sigp.c
-index 850139b9cd544c4bb34497fec554..727875bb4ab9b6c6f606e4ba8afb 100644
---- a/target/s390x/sigp.c
-+++ b/target/s390x/sigp.c
-@@ -254,7 +254,7 @@ static void sigp_initial_cpu_reset(CPUState *cs, run_on_cpu_data arg)
- SigpInfo *si = arg.host_ptr;
-
- cpu_synchronize_state(cs);
-- scc->initial_cpu_reset(cs);
-+ scc->reset(cs, S390_CPU_RESET_INITIAL);
- cpu_synchronize_post_reset(cs);
- si->cc = SIGP_CC_ORDER_CODE_ACCEPTED;
- }
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Wed, 27 Nov 2019 12:50:42 -0500
-Subject: s390x: Move reset normal to shared reset handler
-
-References: bsc#1167075
-
-Let's start moving the cpu reset functions into a single function with
-a switch/case, so we can later use fallthroughs and share more code
-between resets.
-
-This patch introduces the reset function by renaming cpu_reset().
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Message-Id: <20191127175046.4911-3-frankja@linux.ibm.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit eac4f82791f1807c423e85670837db103b9d59b3)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/cpu-qom.h | 6 +++++-
- target/s390x/cpu.c | 19 +++++++++++++------
- target/s390x/cpu.h | 2 +-
- target/s390x/sigp.c | 2 +-
- 4 files changed, 20 insertions(+), 9 deletions(-)
-
-diff --git a/target/s390x/cpu-qom.h b/target/s390x/cpu-qom.h
-index b809ec8418e016cf8b227489f905..f3b71bac67c91c9e307fa250b47a 100644
---- a/target/s390x/cpu-qom.h
-+++ b/target/s390x/cpu-qom.h
-@@ -34,6 +34,10 @@
- typedef struct S390CPUModel S390CPUModel;
- typedef struct S390CPUDef S390CPUDef;
-
-+typedef enum cpu_reset_type {
-+ S390_CPU_RESET_NORMAL,
-+} cpu_reset_type;
-+
- /**
- * S390CPUClass:
- * @parent_realize: The parent class' realize handler.
-@@ -57,7 +61,7 @@ typedef struct S390CPUClass {
- DeviceRealize parent_realize;
- void (*parent_reset)(CPUState *cpu);
- void (*load_normal)(CPUState *cpu);
-- void (*cpu_reset)(CPUState *cpu);
-+ void (*reset)(CPUState *cpu, cpu_reset_type type);
- void (*initial_cpu_reset)(CPUState *cpu);
- } S390CPUClass;
-
-diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
-index 3abe7e80fd0a067a95545c7c3b9b..67d6fbfa4401720aa24f2ace8e3c 100644
---- a/target/s390x/cpu.c
-+++ b/target/s390x/cpu.c
-@@ -82,18 +82,25 @@ static void s390_cpu_load_normal(CPUState *s)
- }
- #endif
-
--/* S390CPUClass::cpu_reset() */
--static void s390_cpu_reset(CPUState *s)
-+/* S390CPUClass::reset() */
-+static void s390_cpu_reset(CPUState *s, cpu_reset_type type)
- {
- S390CPU *cpu = S390_CPU(s);
- S390CPUClass *scc = S390_CPU_GET_CLASS(cpu);
- CPUS390XState *env = &cpu->env;
-
-- env->pfault_token = -1UL;
-- env->bpbc = false;
- scc->parent_reset(s);
- cpu->env.sigp_order = 0;
- s390_cpu_set_state(S390_CPU_STATE_STOPPED, cpu);
-+
-+ switch (type) {
-+ case S390_CPU_RESET_NORMAL:
-+ env->pfault_token = -1UL;
-+ env->bpbc = false;
-+ break;
-+ default:
-+ g_assert_not_reached();
-+ }
- }
-
- /* S390CPUClass::initial_reset() */
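Review bot: the commit message describes this as introducing the reset function by renaming, but the hunk also moves `env->pfault_token = -1UL;` and `env->bpbc = false;` from before `scc->parent_reset(s)` to after it, inside the new switch. If parent_reset() does not touch those fields the result is the same; please say so in the message so the reordering is not taken for an accident.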
-@@ -102,7 +109,7 @@ static void s390_cpu_initial_reset(CPUState *s)
- S390CPU *cpu = S390_CPU(s);
- CPUS390XState *env = &cpu->env;
-
-- s390_cpu_reset(s);
-+ s390_cpu_reset(s, S390_CPU_RESET_NORMAL);
- /* initial reset does not clear everything! */
- memset(&env->start_initial_reset_fields, 0,
- offsetof(CPUS390XState, end_reset_fields) -
-@@ -473,7 +480,7 @@ static void s390_cpu_class_init(ObjectClass *oc, void *data)
- #if !defined(CONFIG_USER_ONLY)
- scc->load_normal = s390_cpu_load_normal;
- #endif
-- scc->cpu_reset = s390_cpu_reset;
-+ scc->reset = s390_cpu_reset;
- scc->initial_cpu_reset = s390_cpu_initial_reset;
- cc->reset = s390_cpu_full_reset;
- cc->class_by_name = s390_cpu_class_by_name,
-diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h
-index 17460ed7b381070b4d8206e2c4cb..18123dfd5bd13f530fcc3f8c54c4 100644
---- a/target/s390x/cpu.h
-+++ b/target/s390x/cpu.h
-@@ -741,7 +741,7 @@ static inline void s390_do_cpu_reset(CPUState *cs, run_on_cpu_data arg)
- {
- S390CPUClass *scc = S390_CPU_GET_CLASS(cs);
-
-- scc->cpu_reset(cs);
-+ scc->reset(cs, S390_CPU_RESET_NORMAL);
- }
-
- static inline void s390_do_cpu_initial_reset(CPUState *cs, run_on_cpu_data arg)
-diff --git a/target/s390x/sigp.c b/target/s390x/sigp.c
-index 2ce22d4dc18bb764948f0abe1084..850139b9cd544c4bb34497fec554 100644
---- a/target/s390x/sigp.c
-+++ b/target/s390x/sigp.c
-@@ -266,7 +266,7 @@ static void sigp_cpu_reset(CPUState *cs, run_on_cpu_data arg)
- SigpInfo *si = arg.host_ptr;
-
- cpu_synchronize_state(cs);
-- scc->cpu_reset(cs);
-+ scc->reset(cs, S390_CPU_RESET_NORMAL);
- cpu_synchronize_post_reset(cs);
- si->cc = SIGP_CC_ORDER_CODE_ACCEPTED;
- }
+++ /dev/null
-From: Cornelia Huck <cohuck@redhat.com>
-Date: Tue, 3 Nov 2020 13:32:37 +0100
-Subject: s390x: fix build for --without-default-devices
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 77280d33bc9cfdbfb5b5d462259d644f5aefe9b3
-References: bsc#1179719
-
-s390-pci-vfio.c calls into the vfio code, so we need it to be
-built conditionally on vfio (which implies CONFIG_LINUX).
-
-Fixes: cd7498d07fbb ("s390x/pci: Add routine to get the vfio dma available count")
-Reported-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
-Message-Id: <20201103123237.718242-1-cohuck@redhat.com>
-Acked-by: Greg Kurz <groug@kaod.org>
-Tested-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- include/hw/s390x/s390-pci-vfio.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/hw/s390x/s390-pci-vfio.h b/include/hw/s390x/s390-pci-vfio.h
-index 539bcf04eb5bcc29f0f54ef0cda2..a99499851f048ab04c2c1b45a4a2 100644
---- a/include/hw/s390x/s390-pci-vfio.h
-+++ b/include/hw/s390x/s390-pci-vfio.h
-@@ -14,7 +14,7 @@
-
- #include "hw/s390x/s390-pci-bus.h"
-
--#ifdef CONFIG_LINUX
-+#ifdef CONFIG_VFIO
- bool s390_pci_update_dma_avail(int fd, unsigned int *avail);
- S390PCIDMACount *s390_pci_start_dma_count(S390pciState *s,
- S390PCIBusDevice *pbdev);
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Tue, 10 Mar 2020 05:09:50 -0400
-Subject: s390x: ipl: Consolidate iplb validity check into one function
-
-References: bsc#1167075
-
-It's nicer to just call one function than calling a function for each
-possible iplb type.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Message-Id: <20200310090950.61172-1-frankja@linux.ibm.com>
-Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
-(cherry picked from commit 94c21436e5a89143f8b9cb4d089d1a2f3f4fd377)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/s390x/ipl.h | 18 +++++++++---------
- target/s390x/diag.c | 2 +-
- 2 files changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
-index d4813105db33253fd1eba53cd7e3..3e44abe1c651d8a01f4708c2801c 100644
---- a/hw/s390x/ipl.h
-+++ b/hw/s390x/ipl.h
-@@ -173,16 +173,16 @@ static inline bool iplb_valid_len(IplParameterBlock *iplb)
- return be32_to_cpu(iplb->len) <= sizeof(IplParameterBlock);
- }
-
--static inline bool iplb_valid_ccw(IplParameterBlock *iplb)
-+static inline bool iplb_valid(IplParameterBlock *iplb)
- {
-- return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_CCW_LEN &&
-- iplb->pbt == S390_IPL_TYPE_CCW;
--}
--
--static inline bool iplb_valid_fcp(IplParameterBlock *iplb)
--{
-- return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_FCP_LEN &&
-- iplb->pbt == S390_IPL_TYPE_FCP;
-+ switch (iplb->pbt) {
-+ case S390_IPL_TYPE_FCP:
-+ return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_FCP_LEN;
-+ case S390_IPL_TYPE_CCW:
-+ return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_CCW_LEN;
-+ default:
-+ return false;
-+ }
- }
-
- #endif
-diff --git a/target/s390x/diag.c b/target/s390x/diag.c
-index 53c2f81f2a1aad58d417bc3dc79c..0c81d8e1efbfe37a384199488a72 100644
---- a/target/s390x/diag.c
-+++ b/target/s390x/diag.c
-@@ -100,7 +100,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
-
- cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len));
-
-- if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb)) {
-+ if (!iplb_valid(iplb)) {
- env->regs[r1 + 1] = DIAG_308_RC_INVALID;
- goto out;
- }
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Fri, 29 Nov 2019 04:17:13 -0500
-Subject: s390x: kvm: Make kvm_sclp_service_call void
-
-References: bsc#1167075
-
-It defaults to returning 0 anyway and that return value is not
-necessary, as 0 is also the default rc that the caller would return.
-
-While doing that we can simplify the logic a bit and return early if
-we inject a PGM exception.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Message-Id: <20191129091713.4582-1-frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit 15b6c0370c3e2774fd9ffda5c10c6e36952e8eb6)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/kvm.c | 12 +++++-------
- 1 file changed, 5 insertions(+), 7 deletions(-)
-
-diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
-index 0c9d14b4b115de974e21af3f0f47..ad6e38c8761be7e0cad57771f49b 100644
---- a/target/s390x/kvm.c
-+++ b/target/s390x/kvm.c
-@@ -1159,13 +1159,13 @@ void kvm_s390_access_exception(S390CPU *cpu, uint16_t code, uint64_t te_code)
- kvm_s390_vcpu_interrupt(cpu, &irq);
- }
-
--static int kvm_sclp_service_call(S390CPU *cpu, struct kvm_run *run,
-+static void kvm_sclp_service_call(S390CPU *cpu, struct kvm_run *run,
- uint16_t ipbh0)
- {
- CPUS390XState *env = &cpu->env;
- uint64_t sccb;
- uint32_t code;
-- int r = 0;
-+ int r;
-
- sccb = env->regs[ipbh0 & 0xf];
- code = env->regs[(ipbh0 & 0xf0) >> 4];
-@@ -1173,11 +1173,9 @@ static int kvm_sclp_service_call(S390CPU *cpu, struct kvm_run *run,
- r = sclp_service_call(env, sccb, code);
- if (r < 0) {
- kvm_s390_program_interrupt(cpu, -r);
-- } else {
-- setcc(cpu, r);
-+ return;
- }
--
-- return 0;
-+ setcc(cpu, r);
- }
-
- static int handle_b2(S390CPU *cpu, struct kvm_run *run, uint8_t ipa1)
-@@ -1240,7 +1238,7 @@ static int handle_b2(S390CPU *cpu, struct kvm_run *run, uint8_t ipa1)
- setcc(cpu, 3);
- break;
- case PRIV_B2_SCLP_CALL:
-- rc = kvm_sclp_service_call(cpu, run, ipbh0);
-+ kvm_sclp_service_call(cpu, run, ipbh0);
- break;
- default:
- rc = -1;
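Review bot: with the assignment removed, the PRIV_B2_SCLP_CALL case in handle_b2() leaves `rc` at whatever it was initialised to, and that initialiser is outside the visible context. The commit message relies on the default rc being 0; please confirm that `rc` is initialised at its declaration, since otherwise this case would now return an indeterminate value.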
+++ /dev/null
-From: Matthew Rosato <mjrosato@linux.ibm.com>
-Date: Mon, 26 Oct 2020 11:34:34 -0400
-Subject: s390x/pci: Add routine to get the vfio dma available count
-
-Git-commit: cd7498d07fbb20fa04790ff7ee168a8a8d01cb30
-References: bsc#1179719
-
-Create new files for separating out vfio-specific work for s390
-pci. Add the first such routine, which issues VFIO_IOMMU_GET_INFO
-ioctl to collect the current dma available count.
-
-Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-[aw: Fix non-Linux build with CONFIG_LINUX]
-Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- hw/s390x/s390-pci-vfio.c | 54 ++++++++++++++++++++++++++++++++
- include/hw/s390x/s390-pci-vfio.h | 24 ++++++++++++++
- 2 files changed, 78 insertions(+)
-
-diff --git a/hw/s390x/s390-pci-vfio.c b/hw/s390x/s390-pci-vfio.c
-new file mode 100644
-index 0000000000000000000000000000000000000000..cb3f4d98adf8e7f1b104ce1e775e37a486ef8ddd
---- /dev/null
-+++ b/hw/s390x/s390-pci-vfio.c
-@@ -0,0 +1,54 @@
-+/*
-+ * s390 vfio-pci interfaces
-+ *
-+ * Copyright 2020 IBM Corp.
-+ * Author(s): Matthew Rosato <mjrosato@linux.ibm.com>
-+ *
-+ * This work is licensed under the terms of the GNU GPL, version 2 or (at
-+ * your option) any later version. See the COPYING file in the top-level
-+ * directory.
-+ */
-+
-+#include <sys/ioctl.h>
-+
-+#include "qemu/osdep.h"
-+#include "hw/s390x/s390-pci-vfio.h"
-+#include "hw/vfio/vfio-common.h"
-+
-+/*
-+ * Get the current DMA available count from vfio. Returns true if vfio is
-+ * limiting DMA requests, false otherwise. The current available count read
-+ * from vfio is returned in avail.
-+ */
-+bool s390_pci_update_dma_avail(int fd, unsigned int *avail)
-+{
-+ g_autofree struct vfio_iommu_type1_info *info;
-+ uint32_t argsz;
-+
-+ assert(avail);
-+
-+ argsz = sizeof(struct vfio_iommu_type1_info);
-+ info = g_malloc0(argsz);
-+
-+ /*
-+ * If the specified argsz is not large enough to contain all capabilities
-+ * it will be updated upon return from the ioctl. Retry until we have
-+ * a big enough buffer to hold the entire capability chain.
-+ */
-+retry:
-+ info->argsz = argsz;
-+
-+ if (ioctl(fd, VFIO_IOMMU_GET_INFO, info)) {
-+ return false;
-+ }
-+
-+ if (info->argsz > argsz) {
-+ argsz = info->argsz;
-+ info = g_realloc(info, argsz);
-+ goto retry;
-+ }
-+
-+ /* If the capability exists, update with the current value */
-+ return vfio_get_info_dma_avail(info, avail);
-+}
-+
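Review bot: `g_autofree struct vfio_iommu_type1_info *info;` is declared without an initialiser; variables using GLib's cleanup attributes should be initialised at declaration, so write `= NULL` or allocate there. Two further points in s390_pci_update_dma_avail(): `<sys/ioctl.h>` is included before "qemu/osdep.h", which QEMU source files include first, and an ioctl() failure returns false, the same value the comment documents for "vfio is not limiting DMA requests", so callers cannot tell an error from the absence of a limit. The file also ends with an empty added line.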
-diff --git a/include/hw/s390x/s390-pci-vfio.h b/include/hw/s390x/s390-pci-vfio.h
-new file mode 100644
-index 0000000000000000000000000000000000000000..1727292e9b5d019ac2218a54eac244640a06d2ae
---- /dev/null
-+++ b/include/hw/s390x/s390-pci-vfio.h
-@@ -0,0 +1,24 @@
-+/*
-+ * s390 vfio-pci interfaces
-+ *
-+ * Copyright 2020 IBM Corp.
-+ * Author(s): Matthew Rosato <mjrosato@linux.ibm.com>
-+ *
-+ * This work is licensed under the terms of the GNU GPL, version 2 or (at
-+ * your option) any later version. See the COPYING file in the top-level
-+ * directory.
-+ */
-+
-+#ifndef HW_S390_PCI_VFIO_H
-+#define HW_S390_PCI_VFIO_H
-+
-+#ifdef CONFIG_LINUX
-+bool s390_pci_update_dma_avail(int fd, unsigned int *avail);
-+#else
-+static inline bool s390_pci_update_dma_avail(int fd, unsigned int *avail)
-+{
-+ return false;
-+}
-+#endif
-+
-+#endif
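Review bot: the prototype is guarded by `#ifdef CONFIG_LINUX`, but the implementation in s390-pci-vfio.c includes hw/vfio/vfio-common.h and calls vfio_get_info_dma_avail(), so it can only link when the vfio code is built. Guarding on the vfio configuration symbol instead would keep a Linux build without vfio on the inline stub.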
+++ /dev/null
-From: Matthew Rosato <mjrosato@linux.ibm.com>
-Date: Mon, 26 Oct 2020 11:34:35 -0400
-Subject: s390x/pci: Honor DMA limits set by vfio
-
-Git-commit: 37fa32de707340f3a93959ad5a1ebc41ba1520ee
-References: bsc#1179719
-
-When an s390 guest is using lazy unmapping, it can result in a very
-large number of oustanding DMA requests, far beyond the default
-limit configured for vfio. Let's track DMA usage similar to vfio
-in the host, and trigger the guest to flush their DMA mappings
-before vfio runs out.
-
-Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-[aw: non-Linux build fixes]
-Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- hw/s390x/s390-pci-bus.c | 20 +++++++++-----
- hw/s390x/s390-pci-bus.h | 10 +++++++
- hw/s390x/s390-pci-inst.c | 45 +++++++++++++++++++++++++++-----
- hw/s390x/s390-pci-inst.h | 3 +++
- hw/s390x/s390-pci-vfio.c | 42 +++++++++++++++++++++++++++++
- include/hw/s390x/s390-pci-vfio.h | 12 +++++++++
- 6 files changed, 119 insertions(+), 13 deletions(-)
-
-diff --git a/hw/s390x/s390-pci-bus.c b/hw/s390x/s390-pci-bus.c
-index 2d2f4a7c419c63e0e1fa7d26e399..a9f6f55047273e235d3ba89ba5f0 100644
---- a/hw/s390x/s390-pci-bus.c
-+++ b/hw/s390x/s390-pci-bus.c
-@@ -15,8 +15,9 @@
- #include "qapi/error.h"
- #include "qapi/visitor.h"
- #include "cpu.h"
--#include "s390-pci-bus.h"
--#include "s390-pci-inst.h"
-+#include "hw/s390x/s390-pci-bus.h"
-+#include "hw/s390x/s390-pci-inst.h"
-+#include "hw/s390x/s390-pci-vfio.h"
- #include "hw/pci/pci_bus.h"
- #include "hw/qdev-properties.h"
- #include "hw/pci/pci_bridge.h"
-@@ -771,6 +772,7 @@ static void s390_pcihost_realize(DeviceState *dev, Error **errp)
- s->bus_no = 0;
- QTAILQ_INIT(&s->pending_sei);
- QTAILQ_INIT(&s->zpci_devs);
-+ QTAILQ_INIT(&s->zpci_dma_limit);
-
- css_register_io_adapters(CSS_IO_ADAPTER_PCI, true, false,
- S390_ADAPTER_SUPPRESSIBLE, &local_err);
-@@ -951,17 +953,18 @@ static void s390_pcihost_plug(HotplugHandler *hotplug_dev, DeviceState *dev,
- }
- }
-
-+ pbdev->pdev = pdev;
-+ pbdev->iommu = s390_pci_get_iommu(s, pci_get_bus(pdev), pdev->devfn);
-+ pbdev->iommu->pbdev = pbdev;
-+ pbdev->state = ZPCI_FS_DISABLED;
-+
- if (object_dynamic_cast(OBJECT(dev), "vfio-pci")) {
- pbdev->fh |= FH_SHM_VFIO;
-+ pbdev->iommu->dma_limit = s390_pci_start_dma_count(s, pbdev);
- } else {
- pbdev->fh |= FH_SHM_EMUL;
- }
-
-- pbdev->pdev = pdev;
-- pbdev->iommu = s390_pci_get_iommu(s, pci_get_bus(pdev), pdev->devfn);
-- pbdev->iommu->pbdev = pbdev;
-- pbdev->state = ZPCI_FS_DISABLED;
--
- if (s390_pci_msix_init(pbdev)) {
- error_setg(errp, "MSI-X support is mandatory "
- "in the S390 architecture");
-@@ -1014,6 +1017,9 @@ static void s390_pcihost_unplug(HotplugHandler *hotplug_dev, DeviceState *dev,
- pbdev->fid = 0;
- QTAILQ_REMOVE(&s->zpci_devs, pbdev, link);
- g_hash_table_remove(s->zpci_table, &pbdev->idx);
-+ if (pbdev->iommu->dma_limit) {
-+ s390_pci_end_dma_count(s, pbdev->iommu->dma_limit);
-+ }
- object_property_set_bool(OBJECT(dev), false, "realized", NULL);
- }
- }
-diff --git a/hw/s390x/s390-pci-bus.h b/hw/s390x/s390-pci-bus.h
-index 550f3cc5e92076cdb8a28b932265..c554aa951ace4e293854e716b05a 100644
---- a/hw/s390x/s390-pci-bus.h
-+++ b/hw/s390x/s390-pci-bus.h
-@@ -266,6 +266,14 @@ typedef struct S390IOTLBEntry {
- } S390IOTLBEntry;
-
- typedef struct S390PCIBusDevice S390PCIBusDevice;
-+
-+typedef struct S390PCIDMACount {
-+ int id;
-+ int users;
-+ uint32_t avail;
-+ QTAILQ_ENTRY(S390PCIDMACount) link;
-+} S390PCIDMACount;
-+
- typedef struct S390PCIIOMMU {
- Object parent_obj;
- S390PCIBusDevice *pbdev;
-@@ -277,6 +285,7 @@ typedef struct S390PCIIOMMU {
- uint64_t pba;
- uint64_t pal;
- GHashTable *iotlb;
-+ S390PCIDMACount *dma_limit;
- } S390PCIIOMMU;
-
- typedef struct S390PCIIOMMUTable {
-@@ -352,6 +361,7 @@ typedef struct S390pciState {
- GHashTable *zpci_table;
- QTAILQ_HEAD(, SeiContainer) pending_sei;
- QTAILQ_HEAD(, S390PCIBusDevice) zpci_devs;
-+ QTAILQ_HEAD(, S390PCIDMACount) zpci_dma_limit;
- } S390pciState;
-
- S390pciState *s390_get_phb(void);
-diff --git a/hw/s390x/s390-pci-inst.c b/hw/s390x/s390-pci-inst.c
-index 92c7e45df5f5c421dfb043ef7dbb..a683749df713892a068986ca01be 100644
---- a/hw/s390x/s390-pci-inst.c
-+++ b/hw/s390x/s390-pci-inst.c
-@@ -32,6 +32,20 @@
- } \
- } while (0)
-
-+static inline void inc_dma_avail(S390PCIIOMMU *iommu)
-+{
-+ if (iommu->dma_limit) {
-+ iommu->dma_limit->avail++;
-+ }
-+}
-+
-+static inline void dec_dma_avail(S390PCIIOMMU *iommu)
-+{
-+ if (iommu->dma_limit) {
-+ iommu->dma_limit->avail--;
-+ }
-+}
-+
- static void s390_set_status_code(CPUS390XState *env,
- uint8_t r, uint64_t status_code)
- {
-@@ -572,7 +586,8 @@ int pcistg_service_call(S390CPU *cpu, uint8_t r1, uint8_t r2, uintptr_t ra)
- return 0;
- }
-
--static void s390_pci_update_iotlb(S390PCIIOMMU *iommu, S390IOTLBEntry *entry)
-+static uint32_t s390_pci_update_iotlb(S390PCIIOMMU *iommu,
-+ S390IOTLBEntry *entry)
- {
- S390IOTLBEntry *cache = g_hash_table_lookup(iommu->iotlb, &entry->iova);
- IOMMUTLBEntry notify = {
-@@ -585,14 +600,15 @@ static void s390_pci_update_iotlb(S390PCIIOMMU *iommu, S390IOTLBEntry *entry)
-
- if (entry->perm == IOMMU_NONE) {
- if (!cache) {
-- return;
-+ goto out;
- }
- g_hash_table_remove(iommu->iotlb, &entry->iova);
-+ inc_dma_avail(iommu);
- } else {
- if (cache) {
- if (cache->perm == entry->perm &&
- cache->translated_addr == entry->translated_addr) {
-- return;
-+ goto out;
- }
-
- notify.perm = IOMMU_NONE;
-@@ -606,9 +622,13 @@ static void s390_pci_update_iotlb(S390PCIIOMMU *iommu, S390IOTLBEntry *entry)
- cache->len = PAGE_SIZE;
- cache->perm = entry->perm;
- g_hash_table_replace(iommu->iotlb, &cache->iova, cache);
-+ dec_dma_avail(iommu);
- }
-
- memory_region_notify_iommu(&iommu->iommu_mr, 0, notify);
-+
-+out:
-+ return iommu->dma_limit ? iommu->dma_limit->avail : 1;
- }
-
- int rpcit_service_call(S390CPU *cpu, uint8_t r1, uint8_t r2, uintptr_t ra)
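Review bot: dec_dma_avail() after g_hash_table_replace() also appears to run when an existing cache entry is being replaced (the `if (cache)` branch that first notifies with IOMMU_NONE), while inc_dma_avail() is only called on the explicit IOMMU_NONE removal path. If the replace case does reach this point, avail drops by one without an additional mapping being consumed, and the counter drifts away from the real vfio limit. Either call inc_dma_avail() where the old entry is invalidated or skip the decrement for replacements. Since avail is a uint32_t, a comment noting that the caller's `dma_avail > 0` check is what keeps it from wrapping would also help.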
-@@ -620,6 +640,7 @@ int rpcit_service_call(S390CPU *cpu, uint8_t r1, uint8_t r2, uintptr_t ra)
- S390PCIIOMMU *iommu;
- S390IOTLBEntry entry;
- hwaddr start, end;
-+ uint32_t dma_avail;
-
- if (env->psw.mask & PSW_MASK_PSTATE) {
- s390_program_interrupt(env, PGM_PRIVILEGED, ra);
-@@ -658,6 +679,11 @@ int rpcit_service_call(S390CPU *cpu, uint8_t r1, uint8_t r2, uintptr_t ra)
- }
-
- iommu = pbdev->iommu;
-+ if (iommu->dma_limit) {
-+ dma_avail = iommu->dma_limit->avail;
-+ } else {
-+ dma_avail = 1;
-+ }
- if (!iommu->g_iota) {
- error = ERR_EVENT_INVALAS;
- goto err;
-@@ -675,8 +701,9 @@ int rpcit_service_call(S390CPU *cpu, uint8_t r1, uint8_t r2, uintptr_t ra)
- }
-
- start += entry.len;
-- while (entry.iova < start && entry.iova < end) {
-- s390_pci_update_iotlb(iommu, &entry);
-+ while (entry.iova < start && entry.iova < end &&
-+ (dma_avail > 0 || entry.perm == IOMMU_NONE)) {
-+ dma_avail = s390_pci_update_iotlb(iommu, &entry);
- entry.iova += PAGE_SIZE;
- entry.translated_addr += PAGE_SIZE;
- }
-@@ -689,7 +716,13 @@ err:
- s390_pci_generate_error_event(error, pbdev->fh, pbdev->fid, start, 0);
- } else {
- pbdev->fmb.counter[ZPCI_FMB_CNT_RPCIT]++;
-- setcc(cpu, ZPCI_PCI_LS_OK);
-+ if (dma_avail > 0) {
-+ setcc(cpu, ZPCI_PCI_LS_OK);
-+ } else {
-+ /* vfio DMA mappings are exhausted, trigger a RPCIT */
-+ setcc(cpu, ZPCI_PCI_LS_ERR);
-+ s390_set_status_code(env, r1, ZPCI_RPCIT_ST_INSUFF_RES);
-+ }
- }
- return 0;
- }
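Review bot: the `dma_avail > 0` test after `err:` cannot distinguish a request that was cut short from one that completed and happened to consume the last available mapping, so a fully processed range is also reported as ZPCI_PCI_LS_ERR with ZPCI_RPCIT_ST_INSUFF_RES. If that is meant as an early signal to the guest, the comment should say so; "trigger a RPCIT" does not explain what the guest is expected to do in response. Tracking whether the loop stopped before reaching `end` would make the two cases explicit.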
-diff --git a/hw/s390x/s390-pci-inst.h b/hw/s390x/s390-pci-inst.h
-index fa3bf8b5aad11e03376774f8fa41..8ee3a3c237576757f99dc1adef14 100644
---- a/hw/s390x/s390-pci-inst.h
-+++ b/hw/s390x/s390-pci-inst.h
-@@ -254,6 +254,9 @@ typedef struct ClpReqRspQueryPciGrp {
- #define ZPCI_STPCIFC_ST_INVAL_DMAAS 28
- #define ZPCI_STPCIFC_ST_ERROR_RECOVER 40
-
-+/* Refresh PCI Translations status codes */
-+#define ZPCI_RPCIT_ST_INSUFF_RES 16
-+
- /* FIB function controls */
- #define ZPCI_FIB_FC_ENABLED 0x80
- #define ZPCI_FIB_FC_ERROR 0x40
-diff --git a/hw/s390x/s390-pci-vfio.c b/hw/s390x/s390-pci-vfio.c
-index cb3f4d98adf8e7f1b104ce1e775e..0621fa386cedf3feb14f448aae91 100644
---- a/hw/s390x/s390-pci-vfio.c
-+++ b/hw/s390x/s390-pci-vfio.c
-@@ -12,7 +12,9 @@
- #include <sys/ioctl.h>
-
- #include "qemu/osdep.h"
-+#include "hw/s390x/s390-pci-bus.h"
- #include "hw/s390x/s390-pci-vfio.h"
-+#include "hw/vfio/pci.h"
- #include "hw/vfio/vfio-common.h"
-
- /*
-@@ -52,3 +54,43 @@ retry:
- return vfio_get_info_dma_avail(info, avail);
- }
-
-+S390PCIDMACount *s390_pci_start_dma_count(S390pciState *s,
-+ S390PCIBusDevice *pbdev)
-+{
-+ S390PCIDMACount *cnt;
-+ uint32_t avail;
-+ VFIOPCIDevice *vpdev = container_of(pbdev->pdev, VFIOPCIDevice, pdev);
-+ int id;
-+
-+ assert(vpdev);
-+
-+ id = vpdev->vbasedev.group->container->fd;
-+
-+ if (!s390_pci_update_dma_avail(id, &avail)) {
-+ return NULL;
-+ }
-+
-+ QTAILQ_FOREACH(cnt, &s->zpci_dma_limit, link) {
-+ if (cnt->id == id) {
-+ cnt->users++;
-+ return cnt;
-+ }
-+ }
-+
-+ cnt = g_new0(S390PCIDMACount, 1);
-+ cnt->id = id;
-+ cnt->users = 1;
-+ cnt->avail = avail;
-+ QTAILQ_INSERT_TAIL(&s->zpci_dma_limit, cnt, link);
-+ return cnt;
-+}
-+
-+void s390_pci_end_dma_count(S390pciState *s, S390PCIDMACount *cnt)
-+{
-+ assert(cnt);
-+
-+ cnt->users--;
-+ if (cnt->users == 0) {
-+ QTAILQ_REMOVE(&s->zpci_dma_limit, cnt, link);
-+ }
-+}
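Review bot: s390_pci_end_dma_count() unlinks the counter with QTAILQ_REMOVE() when users reaches 0 but never frees it, so the g_new0() allocation made in s390_pci_start_dma_count() is leaked on the last unplug. Add g_free(cnt) after the removal and have the caller clear pbdev->iommu->dma_limit so no stale pointer is left behind. The assert(vpdev) after container_of() also checks nothing useful, because container_of() is only pointer arithmetic on pbdev->pdev.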
-diff --git a/include/hw/s390x/s390-pci-vfio.h b/include/hw/s390x/s390-pci-vfio.h
-index 1727292e9b5d019ac2218a54eac2..539bcf04eb5bcc29f0f54ef0cda2 100644
---- a/include/hw/s390x/s390-pci-vfio.h
-+++ b/include/hw/s390x/s390-pci-vfio.h
-@@ -12,13 +12,25 @@
- #ifndef HW_S390_PCI_VFIO_H
- #define HW_S390_PCI_VFIO_H
-
-+#include "hw/s390x/s390-pci-bus.h"
-+
- #ifdef CONFIG_LINUX
- bool s390_pci_update_dma_avail(int fd, unsigned int *avail);
-+S390PCIDMACount *s390_pci_start_dma_count(S390pciState *s,
-+ S390PCIBusDevice *pbdev);
-+void s390_pci_end_dma_count(S390pciState *s, S390PCIDMACount *cnt);
- #else
- static inline bool s390_pci_update_dma_avail(int fd, unsigned int *avail)
- {
- return false;
- }
-+static inline S390PCIDMACount *s390_pci_start_dma_count(S390pciState *s,
-+ S390PCIBusDevice *pbdev)
-+{
-+ return NULL;
-+}
-+static inline void s390_pci_end_dma_count(S390pciState *s,
-+ S390PCIDMACount *cnt) { }
- #endif
-
- #endif
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Fri, 6 Mar 2020 06:40:13 -0500
-Subject: s390x: protvirt: Add migration blocker
-
-References: bsc#1167075
-
-Migration is not yet supported.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit e721e55a3dabb2897081614b17dd4565e85249ac)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/s390x/s390-virtio-ccw.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
-index e408612729a8cb0fe2de58308767..c9d1edaae43bc231bbcfbc8bb043 100644
---- a/hw/s390x/s390-virtio-ccw.c
-+++ b/hw/s390x/s390-virtio-ccw.c
-@@ -44,6 +44,9 @@
- #include "sysemu/sysemu.h"
- #include "hw/s390x/pv.h"
- #include <linux/kvm.h>
-+#include "migration/blocker.h"
-+
-+static Error *pv_mig_blocker;
-
- S390CPU *s390_cpu_addr2state(uint16_t cpu_addr)
- {
-@@ -326,15 +329,30 @@ static void s390_machine_unprotect(S390CcwMachineState *ms)
- {
- s390_pv_vm_disable();
- ms->pv = false;
-+ migrate_del_blocker(pv_mig_blocker);
-+ error_free_or_abort(&pv_mig_blocker);
- }
-
- static int s390_machine_protect(S390CcwMachineState *ms)
- {
-+ Error *local_err = NULL;
- int rc;
-
-+ error_setg(&pv_mig_blocker,
-+ "protected VMs are currently not migrateable.");
-+ rc = migrate_add_blocker(pv_mig_blocker, &local_err);
-+ if (rc) {
-+ error_report_err(local_err);
-+ error_free_or_abort(&pv_mig_blocker);
-+ return rc;
-+ }
-+
- /* Create SE VM */
- rc = s390_pv_vm_enable();
- if (rc) {
-+ error_report_err(local_err);
-+ migrate_del_blocker(pv_mig_blocker);
-+ error_free_or_abort(&pv_mig_blocker);
- return rc;
- }
-
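Review bot: in the s390_pv_vm_enable() failure branch of s390_machine_protect(), error_report_err(local_err) is called although local_err is still NULL at that point: it is only set when migrate_add_blocker() fails, and that path has already returned. Drop the call there, or report rc with error_report(), and keep only the migrate_del_blocker() and error_free_or_abort() cleanup. Separately, error_setg(&pv_mig_blocker, ...) on a file-scope pointer relies on s390_machine_unprotect() having run between two protect calls; a short comment stating that pairing would make the invariant visible.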
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Fri, 29 Nov 2019 04:22:41 -0500
-Subject: s390x: protvirt: Disable address checks for PV guest IO emulation
-
-References: bsc#1167075
-
-IO instruction data is routed through SIDAD for protected guests, so
-adresses do not need to be checked, as this is kernel memory which is
-always available.
-
-Also the instruction data always starts at offset 0 of the SIDAD.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit f658bf14295ad49caf8d1b21033982ce69423fb7)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/ioinst.c | 35 ++++++++++++++++++++++++++++-------
- 1 file changed, 28 insertions(+), 7 deletions(-)
-
-diff --git a/target/s390x/ioinst.c b/target/s390x/ioinst.c
-index c437a1d8c6afed80199034ab6f6a..bbcccf6be23456393282287bf116 100644
---- a/target/s390x/ioinst.c
-+++ b/target/s390x/ioinst.c
-@@ -16,6 +16,25 @@
- #include "hw/s390x/ioinst.h"
- #include "trace.h"
- #include "hw/s390x/s390-pci-bus.h"
-+#include "hw/s390x/pv.h"
-+
-+/* All I/O instructions but chsc use the s format */
-+static uint64_t get_address_from_regs(CPUS390XState *env, uint32_t ipb,
-+ uint8_t *ar)
-+{
-+ /*
-+ * Addresses for protected guests are all offsets into the
-+ * satellite block which holds the IO control structures. Those
-+ * control structures are always starting at offset 0 and are
-+ * always aligned and accessible. So we can return 0 here which
-+ * will pass the following address checks.
-+ */
-+ if (s390_is_pv()) {
-+ *ar = 0;
-+ return 0;
-+ }
-+ return decode_basedisp_s(env, ipb, ar);
-+}
-
- int ioinst_disassemble_sch_ident(uint32_t value, int *m, int *cssid, int *ssid,
- int *schid)
-@@ -114,7 +133,7 @@ void ioinst_handle_msch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra)
- CPUS390XState *env = &cpu->env;
- uint8_t ar;
-
-- addr = decode_basedisp_s(env, ipb, &ar);
-+ addr = get_address_from_regs(env, ipb, &ar);
- if (addr & 3) {
- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
- return;
-@@ -171,7 +190,7 @@ void ioinst_handle_ssch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra)
- CPUS390XState *env = &cpu->env;
- uint8_t ar;
-
-- addr = decode_basedisp_s(env, ipb, &ar);
-+ addr = get_address_from_regs(env, ipb, &ar);
- if (addr & 3) {
- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
- return;
-@@ -203,7 +222,7 @@ void ioinst_handle_stcrw(S390CPU *cpu, uint32_t ipb, uintptr_t ra)
- CPUS390XState *env = &cpu->env;
- uint8_t ar;
-
-- addr = decode_basedisp_s(env, ipb, &ar);
-+ addr = get_address_from_regs(env, ipb, &ar);
- if (addr & 3) {
- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
- return;
-@@ -234,7 +253,7 @@ void ioinst_handle_stsch(S390CPU *cpu, uint64_t reg1, uint32_t ipb,
- CPUS390XState *env = &cpu->env;
- uint8_t ar;
-
-- addr = decode_basedisp_s(env, ipb, &ar);
-+ addr = get_address_from_regs(env, ipb, &ar);
- if (addr & 3) {
- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
- return;
-@@ -303,7 +322,7 @@ int ioinst_handle_tsch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra)
- return -EIO;
- }
- trace_ioinst_sch_id("tsch", cssid, ssid, schid);
-- addr = decode_basedisp_s(env, ipb, &ar);
-+ addr = get_address_from_regs(env, ipb, &ar);
- if (addr & 3) {
- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
- return -EIO;
-@@ -601,7 +620,7 @@ void ioinst_handle_chsc(S390CPU *cpu, uint32_t ipb, uintptr_t ra)
- {
- ChscReq *req;
- ChscResp *res;
-- uint64_t addr;
-+ uint64_t addr = 0;
- int reg;
- uint16_t len;
- uint16_t command;
-@@ -610,7 +629,9 @@ void ioinst_handle_chsc(S390CPU *cpu, uint32_t ipb, uintptr_t ra)
-
- trace_ioinst("chsc");
- reg = (ipb >> 20) & 0x00f;
-- addr = env->regs[reg];
-+ if (!s390_is_pv()) {
-+ addr = env->regs[reg];
-+ }
- /* Page boundary? */
- if (addr & 0xfff) {
- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Tue, 6 Aug 2019 15:40:05 +0200
-Subject: s390x: protvirt: Handle SIGP store status correctly
-
-References: bsc#1167075
-
-For protected VMs status storing is not done by QEMU anymore.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit 398fc6874438c320407449d1c9560925aba2280b)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/helper.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/target/s390x/helper.c b/target/s390x/helper.c
-index 6808dfda01f42acbaa1d36ef787b..36b6d3d9d1bca9db90aac1c7bec6 100644
---- a/target/s390x/helper.c
-+++ b/target/s390x/helper.c
-@@ -25,6 +25,7 @@
- #include "qemu/timer.h"
- #include "qemu/qemu-print.h"
- #include "hw/s390x/ioinst.h"
-+#include "hw/s390x/pv.h"
- #include "sysemu/hw_accel.h"
- #include "sysemu/runstate.h"
- #ifndef CONFIG_USER_ONLY
-@@ -246,6 +247,11 @@ int s390_store_status(S390CPU *cpu, hwaddr addr, bool store_arch)
- hwaddr len = sizeof(*sa);
- int i;
-
-+ /* For PVMs storing will occur when this cpu enters SIE again */
-+ if (s390_is_pv()) {
-+ return 0;
-+ }
-+
- sa = cpu_physical_memory_map(addr, &len, 1);
- if (!sa) {
- return -EFAULT;
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Mon, 24 Feb 2020 07:49:06 -0500
-Subject: s390x: protvirt: Inhibit balloon when switching to protected mode
-
-References: bsc#1167075
-
-Ballooning in protected VMs can only be done when the guest shares the
-pages it gives to the host. If pages are not shared, the integrity
-checks will fail once those pages have been altered and are given back
-to the guest.
-
-As we currently do not yet have a solution for this we will continue
-like this:
-
-1. We block ballooning now in QEMU (with this patch).
-
-2. Later we will provide a change to virtio that removes the blocker
-and adds VIRTIO_F_IOMMU_PLATFORM automatically by QEMU when doing the
-protvirt switch. This is OK, as the balloon driver in Linux (the only
-supported guest) will refuse to work with the IOMMU_PLATFORM feature
-bit set.
-
-3. Later, we can fix the guest balloon driver to accept the IOMMU
-feature bit and correctly exercise sharing and unsharing of balloon
-pages.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit 59dc32a3494d6afdd420f3e401f1f324a1179256)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/s390x/s390-virtio-ccw.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
-index c9d1edaae43bc231bbcfbc8bb043..91b2cea0822b41bd6af17be93193 100644
---- a/hw/s390x/s390-virtio-ccw.c
-+++ b/hw/s390x/s390-virtio-ccw.c
-@@ -42,6 +42,7 @@
- #include "hw/qdev-properties.h"
- #include "hw/s390x/tod.h"
- #include "sysemu/sysemu.h"
-+#include "sysemu/balloon.h"
- #include "hw/s390x/pv.h"
- #include <linux/kvm.h>
- #include "migration/blocker.h"
-@@ -331,6 +332,7 @@ static void s390_machine_unprotect(S390CcwMachineState *ms)
- ms->pv = false;
- migrate_del_blocker(pv_mig_blocker);
- error_free_or_abort(&pv_mig_blocker);
-+ qemu_balloon_inhibit(false);
- }
-
- static int s390_machine_protect(S390CcwMachineState *ms)
-@@ -338,10 +340,18 @@ static int s390_machine_protect(S390CcwMachineState *ms)
- Error *local_err = NULL;
- int rc;
-
-+ /*
-+ * Ballooning on protected VMs needs support in the guest for
-+ * sharing and unsharing balloon pages. Block ballooning for
-+ * now, until we have a solution to make at least Linux guests
-+ * either support it or fail gracefully.
-+ */
-+ qemu_balloon_inhibit(true);
- error_setg(&pv_mig_blocker,
- "protected VMs are currently not migrateable.");
- rc = migrate_add_blocker(pv_mig_blocker, &local_err);
- if (rc) {
-+ qemu_balloon_inhibit(false);
- error_report_err(local_err);
- error_free_or_abort(&pv_mig_blocker);
- return rc;
-@@ -350,6 +360,7 @@ static int s390_machine_protect(S390CcwMachineState *ms)
- /* Create SE VM */
- rc = s390_pv_vm_enable();
- if (rc) {
-+ qemu_balloon_inhibit(false);
- error_report_err(local_err);
- migrate_del_blocker(pv_mig_blocker);
- error_free_or_abort(&pv_mig_blocker);
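Review bot: qemu_balloon_inhibit(false) is now repeated by hand in both failure branches of s390_machine_protect(), next to the already duplicated blocker cleanup. A single unwind label (for example `goto out_err;` releasing the blocker and the inhibit in reverse order of acquisition) would keep the inhibit count balanced if another failure path is added later.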
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Mon, 13 May 2019 10:35:27 +0200
-Subject: s390x: protvirt: KVM intercept changes
-
-References: bsc#1167075
-
-Protected VMs no longer intercept with code 4 for an instruction
-interception. Instead they have codes 104 and 108 for protected
-instruction interception and protected instruction notification
-respectively.
-
-The 104 mirrors the 4 interception.
-
-The 108 is a notification interception to let KVM and QEMU know that
-something changed and we need to update tracking information or
-perform specific tasks. It's currently taken for the following
-instructions:
-
-* spx (To inform about the changed prefix location)
-* sclp (On incorrect SCCB values, so we can inject a IRQ)
-* sigp (All but "stop and store status")
-* diag308 (Subcodes 0/1)
-
-Of these exits only sclp errors, state changing sigps and diag308 will
-reach QEMU. QEMU will do its parts of the job, while the ultravisor
-has done the instruction part of the job.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit fd70eb764f176c200d6723c2ad88362f23536bfa)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/kvm.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
-index d8d02ff34f4fc942cb7935deec58..abeeaaa67452b0b938557b0d0dea 100644
---- a/target/s390x/kvm.c
-+++ b/target/s390x/kvm.c
-@@ -115,6 +115,8 @@
- #define ICPT_CPU_STOP 0x28
- #define ICPT_OPEREXC 0x2c
- #define ICPT_IO 0x40
-+#define ICPT_PV_INSTR 0x68
-+#define ICPT_PV_INSTR_NOTIFICATION 0x6c
-
- #define NR_LOCAL_IRQS 32
- /*
-@@ -1695,6 +1697,8 @@ static int handle_intercept(S390CPU *cpu)
- (long)cs->kvm_run->psw_addr);
- switch (icpt_code) {
- case ICPT_INSTRUCTION:
-+ case ICPT_PV_INSTR:
-+ case ICPT_PV_INSTR_NOTIFICATION:
- r = handle_instruction(cpu, run);
- break;
- case ICPT_PROGRAM:
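Review bot: ICPT_PV_INSTR_NOTIFICATION is routed to handle_instruction() exactly like ICPT_INSTRUCTION, with no comment in the code saying that for a notification the instruction itself has already been completed by the ultravisor. That distinction exists only in the commit message; please put it next to the case labels or the defines, and note there that 0x68 and 0x6c are the codes 104 and 108, so that handlers reached from here are not later extended to re-execute guest-visible effects.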
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Wed, 5 Feb 2020 07:02:33 -0500
-Subject: s390x: protvirt: Move IO control structures over SIDA
-
-References: bsc#1167075
-
-For protected guests, we need to put the IO emulation results into the
-SIDA, so SIE will write them into the guest at the next entry.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit 4989e18cbe5621df39020ef812316f479d8f5246)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/ioinst.c | 61 +++++++++++++++++++++++++++++++------------
- 1 file changed, 45 insertions(+), 16 deletions(-)
-
-diff --git a/target/s390x/ioinst.c b/target/s390x/ioinst.c
-index bbcccf6be23456393282287bf116..f40c35c6ff58315622510ae72103 100644
---- a/target/s390x/ioinst.c
-+++ b/target/s390x/ioinst.c
-@@ -138,7 +138,9 @@ void ioinst_handle_msch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra)
- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
- return;
- }
-- if (s390_cpu_virt_mem_read(cpu, addr, ar, &schib, sizeof(schib))) {
-+ if (s390_is_pv()) {
-+ s390_cpu_pv_mem_read(cpu, addr, &schib, sizeof(schib));
-+ } else if (s390_cpu_virt_mem_read(cpu, addr, ar, &schib, sizeof(schib))) {
- s390_cpu_virt_mem_handle_exc(cpu, ra);
- return;
- }
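Review bot: the protected branch calls s390_cpu_pv_mem_read() without looking at its result, whereas the non-protected branch bails out through s390_cpu_virt_mem_handle_exc() when the read fails. If the SIDA read can fail, schib is then used uninitialised from the stack; check the return value or document why the call cannot fail here. The same point applies to the other s390_cpu_pv_mem_read() and s390_cpu_pv_mem_write() calls added in this file.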
-@@ -195,7 +197,9 @@ void ioinst_handle_ssch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra)
- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
- return;
- }
-- if (s390_cpu_virt_mem_read(cpu, addr, ar, &orig_orb, sizeof(orb))) {
-+ if (s390_is_pv()) {
-+ s390_cpu_pv_mem_read(cpu, addr, &orig_orb, sizeof(orb));
-+ } else if (s390_cpu_virt_mem_read(cpu, addr, ar, &orig_orb, sizeof(orb))) {
- s390_cpu_virt_mem_handle_exc(cpu, ra);
- return;
- }
-@@ -231,14 +235,19 @@ void ioinst_handle_stcrw(S390CPU *cpu, uint32_t ipb, uintptr_t ra)
- cc = css_do_stcrw(&crw);
- /* 0 - crw stored, 1 - zeroes stored */
-
-- if (s390_cpu_virt_mem_write(cpu, addr, ar, &crw, sizeof(crw)) == 0) {
-+ if (s390_is_pv()) {
-+ s390_cpu_pv_mem_write(cpu, addr, &crw, sizeof(crw));
- setcc(cpu, cc);
- } else {
-- if (cc == 0) {
-- /* Write failed: requeue CRW since STCRW is suppressing */
-- css_undo_stcrw(&crw);
-+ if (s390_cpu_virt_mem_write(cpu, addr, ar, &crw, sizeof(crw)) == 0) {
-+ setcc(cpu, cc);
-+ } else {
-+ if (cc == 0) {
-+ /* Write failed: requeue CRW since STCRW is suppressing */
-+ css_undo_stcrw(&crw);
-+ }
-+ s390_cpu_virt_mem_handle_exc(cpu, ra);
- }
-- s390_cpu_virt_mem_handle_exc(cpu, ra);
- }
- }
-
-@@ -260,6 +269,13 @@ void ioinst_handle_stsch(S390CPU *cpu, uint64_t reg1, uint32_t ipb,
- }
-
- if (ioinst_disassemble_sch_ident(reg1, &m, &cssid, &ssid, &schid)) {
-+ /*
-+ * The Ultravisor checks schid bit 16 to be one and bits 0-12
-+ * to be 0 and injects a operand exception itself.
-+ *
-+ * Hence we should never end up here.
-+ */
-+ g_assert(!s390_is_pv());
- /*
- * As operand exceptions have a lower priority than access exceptions,
- * we check whether the memory area is writeable (injecting the
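Review bot: g_assert(!s390_is_pv()) makes QEMU abort on a condition that depends entirely on the Ultravisor having rejected the subchannel id beforehand. An abort in an instruction handler takes the whole VM down, so a failed expectation here turns into a denial of service rather than an error to the guest. Consider reporting the condition and returning instead of asserting, or at least state in the comment which guarantee this relies on.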
-@@ -292,14 +308,17 @@ void ioinst_handle_stsch(S390CPU *cpu, uint64_t reg1, uint32_t ipb,
- }
- }
- if (cc != 3) {
-- if (s390_cpu_virt_mem_write(cpu, addr, ar, &schib,
-- sizeof(schib)) != 0) {
-+ if (s390_is_pv()) {
-+ s390_cpu_pv_mem_write(cpu, addr, &schib, sizeof(schib));
-+ } else if (s390_cpu_virt_mem_write(cpu, addr, ar, &schib,
-+ sizeof(schib)) != 0) {
- s390_cpu_virt_mem_handle_exc(cpu, ra);
- return;
- }
- } else {
- /* Access exceptions have a higher priority than cc3 */
-- if (s390_cpu_virt_mem_check_write(cpu, addr, ar, sizeof(schib)) != 0) {
-+ if (!s390_is_pv() &&
-+ s390_cpu_virt_mem_check_write(cpu, addr, ar, sizeof(schib)) != 0) {
- s390_cpu_virt_mem_handle_exc(cpu, ra);
- return;
- }
-@@ -336,7 +355,9 @@ int ioinst_handle_tsch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra)
- }
- /* 0 - status pending, 1 - not status pending, 3 - not operational */
- if (cc != 3) {
-- if (s390_cpu_virt_mem_write(cpu, addr, ar, &irb, irb_len) != 0) {
-+ if (s390_is_pv()) {
-+ s390_cpu_pv_mem_write(cpu, addr, &irb, irb_len);
-+ } else if (s390_cpu_virt_mem_write(cpu, addr, ar, &irb, irb_len) != 0) {
- s390_cpu_virt_mem_handle_exc(cpu, ra);
- return -EFAULT;
- }
-@@ -344,7 +365,8 @@ int ioinst_handle_tsch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra)
- } else {
- irb_len = sizeof(irb) - sizeof(irb.emw);
- /* Access exceptions have a higher priority than cc3 */
-- if (s390_cpu_virt_mem_check_write(cpu, addr, ar, irb_len) != 0) {
-+ if (!s390_is_pv() &&
-+ s390_cpu_virt_mem_check_write(cpu, addr, ar, irb_len) != 0) {
- s390_cpu_virt_mem_handle_exc(cpu, ra);
- return -EFAULT;
- }
-@@ -642,7 +664,9 @@ void ioinst_handle_chsc(S390CPU *cpu, uint32_t ipb, uintptr_t ra)
- * present CHSC sub-handlers ... if we ever need more, we should take
- * care of req->len here first.
- */
-- if (s390_cpu_virt_mem_read(cpu, addr, reg, buf, sizeof(ChscReq))) {
-+ if (s390_is_pv()) {
-+ s390_cpu_pv_mem_read(cpu, addr, buf, sizeof(ChscReq));
-+ } else if (s390_cpu_virt_mem_read(cpu, addr, reg, buf, sizeof(ChscReq))) {
- s390_cpu_virt_mem_handle_exc(cpu, ra);
- return;
- }
-@@ -675,11 +699,16 @@ void ioinst_handle_chsc(S390CPU *cpu, uint32_t ipb, uintptr_t ra)
- break;
- }
-
-- if (!s390_cpu_virt_mem_write(cpu, addr + len, reg, res,
-- be16_to_cpu(res->len))) {
-+ if (s390_is_pv()) {
-+ s390_cpu_pv_mem_write(cpu, addr + len, res, be16_to_cpu(res->len));
- setcc(cpu, 0); /* Command execution complete */
- } else {
-- s390_cpu_virt_mem_handle_exc(cpu, ra);
-+ if (!s390_cpu_virt_mem_write(cpu, addr + len, reg, res,
-+ be16_to_cpu(res->len))) {
-+ setcc(cpu, 0); /* Command execution complete */
-+ } else {
-+ s390_cpu_virt_mem_handle_exc(cpu, ra);
-+ }
- }
- }
-
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Wed, 5 Feb 2020 07:02:51 -0500
-Subject: s390x: protvirt: Move STSI data over SIDAD
-
-References: bsc#1167075
-
-For protected guests, we need to put the STSI emulation results into
-the SIDA, so SIE will write them into the guest at the next entry.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit ccce7a654911ae507c962aff5f41004a7a88fad6)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/kvm.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
-index 941e4df630ad9b3dc780d3c92e6b..d00e05cc10d274790a215d0f4359 100644
---- a/target/s390x/kvm.c
-+++ b/target/s390x/kvm.c
-@@ -50,6 +50,7 @@
- #include "exec/memattrs.h"
- #include "hw/s390x/s390-virtio-ccw.h"
- #include "hw/s390x/s390-virtio-hcall.h"
-+#include "hw/s390x/pv.h"
-
- #ifndef DEBUG_KVM
- #define DEBUG_KVM 0
-@@ -1803,7 +1804,9 @@ static void insert_stsi_3_2_2(S390CPU *cpu, __u64 addr, uint8_t ar)
- SysIB_322 sysib;
- int del;
-
-- if (s390_cpu_virt_mem_read(cpu, addr, ar, &sysib, sizeof(sysib))) {
-+ if (s390_is_pv()) {
-+ s390_cpu_pv_mem_read(cpu, 0, &sysib, sizeof(sysib));
-+ } else if (s390_cpu_virt_mem_read(cpu, addr, ar, &sysib, sizeof(sysib))) {
- return;
- }
- /* Shift the stack of Extended Names to prepare for our own data */
-@@ -1843,7 +1846,11 @@ static void insert_stsi_3_2_2(S390CPU *cpu, __u64 addr, uint8_t ar)
- /* Insert UUID */
- memcpy(sysib.vm[0].uuid, &qemu_uuid, sizeof(sysib.vm[0].uuid));
-
-- s390_cpu_virt_mem_write(cpu, addr, ar, &sysib, sizeof(sysib));
-+ if (s390_is_pv()) {
-+ s390_cpu_pv_mem_write(cpu, 0, &sysib, sizeof(sysib));
-+ } else {
-+ s390_cpu_virt_mem_write(cpu, addr, ar, &sysib, sizeof(sysib));
-+ }
- }
-
- static int handle_stsi(S390CPU *cpu)
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Wed, 31 Jul 2019 17:49:08 +0200
-Subject: s390x: protvirt: Move diag 308 data over SIDA
-
-References: bsc#1167075
-
-For protected guests the IPIB is written/read to/from the SIDA, so we
-need those accesses to go through s390_cpu_pv_mem_read/write().
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit 258da1c7736d3aa4604ceea6cce00995c6f30058)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/diag.c | 25 ++++++++++++++++++++-----
- 1 file changed, 20 insertions(+), 5 deletions(-)
-
-diff --git a/target/s390x/diag.c b/target/s390x/diag.c
-index b2cbefb8cfe4e5a244219e761fb4..1a4842956402e308426c0ed5ce5c 100644
---- a/target/s390x/diag.c
-+++ b/target/s390x/diag.c
-@@ -75,6 +75,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
- {
- bool valid;
- CPUState *cs = env_cpu(env);
-+ S390CPU *cpu = S390_CPU(cs);
- uint64_t addr = env->regs[r1];
- uint64_t subcode = env->regs[r3];
- IplParameterBlock *iplb;
-@@ -111,13 +112,22 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
- return;
- }
- iplb = g_new0(IplParameterBlock, 1);
-- cpu_physical_memory_read(addr, iplb, sizeof(iplb->len));
-+ if (!s390_is_pv()) {
-+ cpu_physical_memory_read(addr, iplb, sizeof(iplb->len));
-+ } else {
-+ s390_cpu_pv_mem_read(cpu, 0, iplb, sizeof(iplb->len));
-+ }
-+
- if (!iplb_valid_len(iplb)) {
- env->regs[r1 + 1] = DIAG_308_RC_INVALID;
- goto out;
- }
-
-- cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len));
-+ if (!s390_is_pv()) {
-+ cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len));
-+ } else {
-+ s390_cpu_pv_mem_read(cpu, 0, iplb, be32_to_cpu(iplb->len));
-+ }
-
- valid = subcode == DIAG308_PV_SET ? iplb_valid_pv(iplb) : iplb_valid(iplb);
- if (!valid) {
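Review bot: the length checked by iplb_valid_len() comes from the first read, but the second read fetches the whole block again from the same location and overwrites iplb->len, so the value used afterwards is not necessarily the one that was validated. Unless iplb_valid() and iplb_valid_pv() re-check the length, keep the validated length in a local variable, use it for the second read, and compare it against iplb->len afterwards. The four-way duplication of `if (!s390_is_pv())` in this function could also be folded into a small read/write helper.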
-@@ -140,12 +150,17 @@ out:
- } else {
- iplb = s390_ipl_get_iplb();
- }
-- if (iplb) {
-+ if (!iplb) {
-+ env->regs[r1 + 1] = DIAG_308_RC_NO_CONF;
-+ return;
-+ }
-+
-+ if (!s390_is_pv()) {
- cpu_physical_memory_write(addr, iplb, be32_to_cpu(iplb->len));
-- env->regs[r1 + 1] = DIAG_308_RC_OK;
- } else {
-- env->regs[r1 + 1] = DIAG_308_RC_NO_CONF;
-+ s390_cpu_pv_mem_write(cpu, 0, iplb, be32_to_cpu(iplb->len));
- }
-+ env->regs[r1 + 1] = DIAG_308_RC_OK;
- return;
- case DIAG308_PV_START:
- iplb = s390_ipl_get_iplb_pv();
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Mon, 3 Jun 2019 16:40:29 +0200
-Subject: s390x: protvirt: SCLP interpretation
-
-References: bsc#1167075
-
-SCLP for a protected guest is done over the SIDAD, so we need to use
-the s390_cpu_pv_mem_* functions to access the SIDAD instead of guest
-memory when reading/writing SCBs.
-
-To not confuse the sclp emulation, we set 0x4000 as the SCCB address,
-since the function that injects the sclp external interrupt would
-reject a zero sccb address.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit 32633cf4539341180dbc7a92c2655c711b4a6996)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/s390x/sclp.c | 56 +++++++++++++++++++++++++++++++++--------
- include/hw/s390x/sclp.h | 2 ++
- target/s390x/kvm.c | 25 ++++++++++++++----
- 3 files changed, 67 insertions(+), 16 deletions(-)
-
-diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c
-index f57ce7b73943564f4d44dcbe0cf0..1c380a49cc7140687329e43e9745 100644
---- a/hw/s390x/sclp.c
-+++ b/hw/s390x/sclp.c
-@@ -33,6 +33,22 @@ static inline SCLPDevice *get_sclp_device(void)
- return sclp;
- }
-
-+static inline bool sclp_command_code_valid(uint32_t code)
-+{
-+ switch (code & SCLP_CMD_CODE_MASK) {
-+ case SCLP_CMDW_READ_SCP_INFO:
-+ case SCLP_CMDW_READ_SCP_INFO_FORCED:
-+ case SCLP_CMDW_READ_CPU_INFO:
-+ case SCLP_CMDW_CONFIGURE_IOA:
-+ case SCLP_CMDW_DECONFIGURE_IOA:
-+ case SCLP_CMD_READ_EVENT_DATA:
-+ case SCLP_CMD_WRITE_EVENT_DATA:
-+ case SCLP_CMD_WRITE_EVENT_MASK:
-+ return true;
-+ }
-+ return false;
-+}
-+
- static void prepare_cpu_entries(SCLPDevice *sclp, CPUEntry *entry, int *count)
- {
- MachineState *ms = MACHINE(qdev_get_machine());
-@@ -193,6 +209,34 @@ static void sclp_execute(SCLPDevice *sclp, SCCB *sccb, uint32_t code)
- }
- }
-
-+/*
-+ * We only need the address to have something valid for the
-+ * service_interrupt call.
-+ */
-+#define SCLP_PV_DUMMY_ADDR 0x4000
-+int sclp_service_call_protected(CPUS390XState *env, uint64_t sccb,
-+ uint32_t code)
-+{
-+ SCLPDevice *sclp = get_sclp_device();
-+ SCLPDeviceClass *sclp_c = SCLP_GET_CLASS(sclp);
-+ SCCB work_sccb;
-+ hwaddr sccb_len = sizeof(SCCB);
-+
-+ s390_cpu_pv_mem_read(env_archcpu(env), 0, &work_sccb, sccb_len);
-+
-+ if (!sclp_command_code_valid(code)) {
-+ work_sccb.h.response_code = cpu_to_be16(SCLP_RC_INVALID_SCLP_COMMAND);
-+ goto out_write;
-+ }
-+
-+ sclp_c->execute(sclp, &work_sccb, code);
-+out_write:
-+ s390_cpu_pv_mem_write(env_archcpu(env), 0, &work_sccb,
-+ be16_to_cpu(work_sccb.h.length));
-+ sclp_c->service_interrupt(sclp, SCLP_PV_DUMMY_ADDR);
-+ return 0;
-+}
-+
- int sclp_service_call(CPUS390XState *env, uint64_t sccb, uint32_t code)
- {
- SCLPDevice *sclp = get_sclp_device();
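Review bot: in sclp_service_call_protected() the write-back length be16_to_cpu(work_sccb.h.length) comes from the header that was just read from the SIDAD and is never bounded, while work_sccb is a stack object of sizeof(SCCB) and only sccb_len bytes were read into it. If the header length is larger than sizeof(SCCB), s390_cpu_pv_mem_write() is handed a source range that runs past work_sccb, on both the normal path and the invalid-command path that jumps to out_write. Clamp the length to sizeof(SCCB), or answer with an error response code, before the write.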
-@@ -230,17 +274,7 @@ int sclp_service_call(CPUS390XState *env, uint64_t sccb, uint32_t code)
- goto out;
- }
-
-- switch (code & SCLP_CMD_CODE_MASK) {
-- case SCLP_CMDW_READ_SCP_INFO:
-- case SCLP_CMDW_READ_SCP_INFO_FORCED:
-- case SCLP_CMDW_READ_CPU_INFO:
-- case SCLP_CMDW_CONFIGURE_IOA:
-- case SCLP_CMDW_DECONFIGURE_IOA:
-- case SCLP_CMD_READ_EVENT_DATA:
-- case SCLP_CMD_WRITE_EVENT_DATA:
-- case SCLP_CMD_WRITE_EVENT_MASK:
-- break;
-- default:
-+ if (!sclp_command_code_valid(code)) {
- work_sccb.h.response_code = cpu_to_be16(SCLP_RC_INVALID_SCLP_COMMAND);
- goto out_write;
- }
-diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h
-index c54413b78cf01b274cc249b1409b..c0a3faa37d7304536e75d32f2050 100644
---- a/include/hw/s390x/sclp.h
-+++ b/include/hw/s390x/sclp.h
-@@ -217,5 +217,7 @@ void s390_sclp_init(void);
- void sclp_service_interrupt(uint32_t sccb);
- void raise_irq_cpu_hotplug(void);
- int sclp_service_call(CPUS390XState *env, uint64_t sccb, uint32_t code);
-+int sclp_service_call_protected(CPUS390XState *env, uint64_t sccb,
-+ uint32_t code);
-
- #endif
-diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
-index d00e05cc10d274790a215d0f4359..d94b915da419c3ad0a1f9622ca13 100644
---- a/target/s390x/kvm.c
-+++ b/target/s390x/kvm.c
-@@ -1230,12 +1230,27 @@ static void kvm_sclp_service_call(S390CPU *cpu, struct kvm_run *run,
- sccb = env->regs[ipbh0 & 0xf];
- code = env->regs[(ipbh0 & 0xf0) >> 4];
-
-- r = sclp_service_call(env, sccb, code);
-- if (r < 0) {
-- kvm_s390_program_interrupt(cpu, -r);
-- return;
-+ switch (run->s390_sieic.icptcode) {
-+ case ICPT_PV_INSTR_NOTIFICATION:
-+ g_assert(s390_is_pv());
-+ /* The notification intercepts are currently handled by KVM */
-+ error_report("unexpected SCLP PV notification");
-+ exit(1);
-+ break;
-+ case ICPT_PV_INSTR:
-+ g_assert(s390_is_pv());
-+ sclp_service_call_protected(env, sccb, code);
-+ /* Setting the CC is done by the Ultravisor. */
-+ break;
-+ case ICPT_INSTRUCTION:
-+ g_assert(!s390_is_pv());
-+ r = sclp_service_call(env, sccb, code);
-+ if (r < 0) {
-+ kvm_s390_program_interrupt(cpu, -r);
-+ return;
-+ }
-+ setcc(cpu, r);
- }
-- setcc(cpu, r);
- }
-
- static int handle_b2(S390CPU *cpu, struct kvm_run *run, uint8_t ipa1)
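Review bot: the new switch on run->s390_sieic.icptcode in kvm_sclp_service_call() has no default case, so any intercept code other than the three listed returns without setting a condition code or injecting a program interrupt. Add a default that reports the unexpected code; g_assert_not_reached() would match the g_assert() calls already used in the other cases. The break after exit(1) in the ICPT_PV_INSTR_NOTIFICATION case is unreachable and can be dropped, and the ICPT_INSTRUCTION case should end with an explicit break.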
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Tue, 23 Jul 2019 13:17:32 +0200
-Subject: s390x: protvirt: Set guest IPL PSW
-
-References: bsc#1167075
-
-Handling of CPU reset and setting of the IPL psw from guest storage at
-offset 0 is done by a Ultravisor call. Let's only fetch it if
-necessary.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit e8686d9849f1625f4f4b28403f0555181b72d1b6)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/s390x/cpu.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
-index 479f1978c974722ceeb72ac5fb32..6da0c3f15530310fba5f609b8c7f 100644
---- a/target/s390x/cpu.c
-+++ b/target/s390x/cpu.c
-@@ -77,8 +77,16 @@ static bool s390_cpu_has_work(CPUState *cs)
- static void s390_cpu_load_normal(CPUState *s)
- {
- S390CPU *cpu = S390_CPU(s);
-- cpu->env.psw.addr = ldl_phys(s->as, 4) & PSW_MASK_ESA_ADDR;
-- cpu->env.psw.mask = PSW_MASK_32 | PSW_MASK_64;
-+ if (!s390_is_pv()) {
-+ cpu->env.psw.addr = ldl_phys(s->as, 4) & PSW_MASK_ESA_ADDR;
-+ cpu->env.psw.mask = PSW_MASK_32 | PSW_MASK_64;
-+ } else {
-+ /*
-+ * Firmware requires us to set the load state before we set
-+ * the cpu to operating on protected guests.
-+ */
-+ s390_cpu_set_state(S390_CPU_STATE_LOAD, cpu);
-+ }
- s390_cpu_set_state(S390_CPU_STATE_OPERATING, cpu);
- }
- #endif
+++ /dev/null
-From: Janosch Frank <frankja@linux.ibm.com>
-Date: Mon, 11 Feb 2019 16:07:19 +0100
-Subject: s390x: protvirt: Support unpack facility
-
-References: bsc#1167075
-
-The unpack facility provides the means to setup a protected guest. A
-protected guest cannot be introspected by the hypervisor or any
-user/administrator of the machine it is running on.
-
-Protected guests are encrypted at rest and need a special boot
-mechanism via diag308 subcode 8 and 10.
-
-Code 8 sets the PV specific IPLB which is retained separately from
-those set via code 5.
-
-Code 10 is used to unpack the VM into protected memory, verify its
-integrity and start it.
-
-Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
-Co-developed-by: Christian Borntraeger <borntraeger@de.ibm.com> [Changes
-to machine]
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-(cherry picked from commit 2150c92b9b7d12b5fbdd2c59e5b17197d28f53db)
-[BR: Needed to fix a compiler warning on i586 in hw/s390x/ipl.c]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- MAINTAINERS | 2 +
- hw/s390x/Makefile.objs | 1 +
- hw/s390x/ipl.c | 59 +++++++++++++-
- hw/s390x/ipl.h | 91 ++++++++++++++++++++-
- hw/s390x/pv.c | 98 +++++++++++++++++++++++
- hw/s390x/s390-virtio-ccw.c | 119 +++++++++++++++++++++++++++-
- include/hw/s390x/pv.h | 55 +++++++++++++
- include/hw/s390x/s390-virtio-ccw.h | 1 +
- target/s390x/cpu.c | 1 +
- target/s390x/cpu_features_def.inc.h | 1 +
- target/s390x/diag.c | 39 ++++++++-
- target/s390x/kvm-stub.c | 5 ++
- target/s390x/kvm.c | 5 ++
- target/s390x/kvm_s390x.h | 1 +
- 14 files changed, 468 insertions(+), 10 deletions(-)
-
-diff --git a/MAINTAINERS b/MAINTAINERS
-index 5e5e3e52d614d05e7d6e8225e3b7..1dbe9345a022a25b7b40a5b5e9c8 100644
---- a/MAINTAINERS
-+++ b/MAINTAINERS
-@@ -385,6 +385,8 @@ F: target/s390x/machine.c
- F: target/s390x/sigp.c
- F: target/s390x/cpu_features*.[ch]
- F: target/s390x/cpu_models.[ch]
-+F: hw/s390x/pv.c
-+F: include/hw/s390x/pv.h
- F: hw/intc/s390_flic.c
- F: hw/intc/s390_flic_kvm.c
- F: include/hw/s390x/s390_flic.h
-diff --git a/hw/s390x/Makefile.objs b/hw/s390x/Makefile.objs
-index e02ed80b6829a511362abc3525ec..a46a1c7894e0f612a2d74cec74f6 100644
---- a/hw/s390x/Makefile.objs
-+++ b/hw/s390x/Makefile.objs
-@@ -31,6 +31,7 @@ obj-y += tod-qemu.o
- obj-$(CONFIG_KVM) += tod-kvm.o
- obj-$(CONFIG_KVM) += s390-skeys-kvm.o
- obj-$(CONFIG_KVM) += s390-stattrib-kvm.o
-+obj-$(CONFIG_KVM) += pv.o
- obj-y += s390-ccw.o
- obj-y += ap-device.o
- obj-y += ap-bridge.o
-diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
-index 6cb4a1575c370d391f216a359c5d..25139655a565fc33a40ef61e343e 100644
---- a/hw/s390x/ipl.c
-+++ b/hw/s390x/ipl.c
-@@ -1,10 +1,11 @@
- /*
- * bootloader support
- *
-- * Copyright IBM, Corp. 2012
-+ * Copyright IBM, Corp. 2012, 2020
- *
- * Authors:
- * Christian Borntraeger <borntraeger@de.ibm.com>
-+ * Janosch Frank <frankja@linux.ibm.com>
- *
- * This work is licensed under the terms of the GNU GPL, version 2 or (at your
- * option) any later version. See the COPYING file in the top-level directory.
-@@ -27,6 +28,7 @@
- #include "hw/s390x/vfio-ccw.h"
- #include "hw/s390x/css.h"
- #include "hw/s390x/ebcdic.h"
-+#include "hw/s390x/pv.h"
- #include "ipl.h"
- #include "qemu/error-report.h"
- #include "qemu/config-file.h"
-@@ -533,11 +535,30 @@ void s390_ipl_update_diag308(IplParameterBlock *iplb)
- {
- S390IPLState *ipl = get_ipl_device();
-
-- ipl->iplb = *iplb;
-- ipl->iplb_valid = true;
-+ /*
-+ * The IPLB set and retrieved by subcodes 8/9 is completely
-+ * separate from the one managed via subcodes 5/6.
-+ */
-+ if (iplb->pbt == S390_IPL_TYPE_PV) {
-+ ipl->iplb_pv = *iplb;
-+ ipl->iplb_valid_pv = true;
-+ } else {
-+ ipl->iplb = *iplb;
-+ ipl->iplb_valid = true;
-+ }
- ipl->netboot = is_virtio_net_device(iplb);
- }
-
-+IplParameterBlock *s390_ipl_get_iplb_pv(void)
-+{
-+ S390IPLState *ipl = get_ipl_device();
-+
-+ if (!ipl->iplb_valid_pv) {
-+ return NULL;
-+ }
-+ return &ipl->iplb_pv;
-+}
-+
- IplParameterBlock *s390_ipl_get_iplb(void)
- {
- S390IPLState *ipl = get_ipl_device();
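Review bot: in s390_ipl_update_diag308() the line ipl->netboot = is_virtio_net_device(iplb); still runs for both branches, so a subcode 8 call also recomputes netboot state that belongs to the subcode 5 block, even though the new comment says the two IPLBs are completely separate. Move the netboot assignment into the else branch unless setting a PV block is really meant to change it, and say so in the comment if it is.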
-@@ -627,6 +648,38 @@ static void s390_ipl_prepare_qipl(S390CPU *cpu)
- cpu_physical_memory_unmap(addr, len, 1, len);
- }
-
-+int s390_ipl_prepare_pv_header(void)
-+{
-+ IplParameterBlock *ipib = s390_ipl_get_iplb_pv();
-+ IPLBlockPV *ipib_pv = &ipib->pv;
-+ void *hdr = g_malloc(ipib_pv->pv_header_len);
-+ int rc;
-+
-+ cpu_physical_memory_read(ipib_pv->pv_header_addr, hdr,
-+ ipib_pv->pv_header_len);
-+ rc = s390_pv_set_sec_parms((uintptr_t)hdr,
-+ ipib_pv->pv_header_len);
-+ g_free(hdr);
-+ return rc;
-+}
-+
-+int s390_ipl_pv_unpack(void)
-+{
-+ IplParameterBlock *ipib = s390_ipl_get_iplb_pv();
-+ IPLBlockPV *ipib_pv = &ipib->pv;
-+ int i, rc = 0;
-+
-+ for (i = 0; i < ipib_pv->num_comp; i++) {
-+ rc = s390_pv_unpack(ipib_pv->components[i].addr,
-+ TARGET_PAGE_ALIGN(ipib_pv->components[i].size),
-+ ipib_pv->components[i].tweak_pref);
-+ if (rc) {
-+ break;
-+ }
-+ }
-+ return rc;
-+}
-+
- void s390_ipl_prepare_cpu(S390CPU *cpu)
- {
- S390IPLState *ipl = get_ipl_device();
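Review bot: s390_ipl_prepare_pv_header() and s390_ipl_pv_unpack() take &ipib->pv from the result of s390_ipl_get_iplb_pv() without a NULL check, although that function returns NULL when ipl->iplb_valid_pv is not set. The DIAG308_PV_START handler checks before requesting the reset, but these are exported helpers, so assert the pointer or return an error. Also, pv_header_addr, pv_header_len, num_comp and the component fields are used in host byte order here while iplb->len goes through be32_to_cpu() everywhere else in this patch; make the conversion explicit or document why it is not needed.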
-diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
-index a5665e6bfde2e8cfbb1b2e6c7234..89b3044d7a2ee54014daa8eeafc9 100644
---- a/hw/s390x/ipl.h
-+++ b/hw/s390x/ipl.h
-@@ -1,8 +1,9 @@
- /*
- * s390 IPL device
- *
-- * Copyright 2015 IBM Corp.
-+ * Copyright 2015, 2020 IBM Corp.
- * Author(s): Zhang Fan <bjfanzh@cn.ibm.com>
-+ * Janosch Frank <frankja@linux.ibm.com>
- *
- * This work is licensed under the terms of the GNU GPL, version 2 or (at
- * your option) any later version. See the COPYING file in the top-level
-@@ -15,6 +16,24 @@
- #include "cpu.h"
- #include "hw/qdev-core.h"
-
-+struct IPLBlockPVComp {
-+ uint64_t tweak_pref;
-+ uint64_t addr;
-+ uint64_t size;
-+} QEMU_PACKED;
-+typedef struct IPLBlockPVComp IPLBlockPVComp;
-+
-+struct IPLBlockPV {
-+ uint8_t reserved18[87]; /* 0x18 */
-+ uint8_t version; /* 0x6f */
-+ uint32_t reserved70; /* 0x70 */
-+ uint32_t num_comp; /* 0x74 */
-+ uint64_t pv_header_addr; /* 0x78 */
-+ uint64_t pv_header_len; /* 0x80 */
-+ struct IPLBlockPVComp components[];
-+} QEMU_PACKED;
-+typedef struct IPLBlockPV IPLBlockPV;
-+
- struct IplBlockCcw {
- uint8_t reserved0[85];
- uint8_t ssid;
-@@ -71,6 +90,7 @@ union IplParameterBlock {
- union {
- IplBlockCcw ccw;
- IplBlockFcp fcp;
-+ IPLBlockPV pv;
- IplBlockQemuScsi scsi;
- };
- } QEMU_PACKED;
-@@ -85,8 +105,11 @@ typedef union IplParameterBlock IplParameterBlock;
-
- int s390_ipl_set_loadparm(uint8_t *loadparm);
- void s390_ipl_update_diag308(IplParameterBlock *iplb);
-+int s390_ipl_prepare_pv_header(void);
-+int s390_ipl_pv_unpack(void);
- void s390_ipl_prepare_cpu(S390CPU *cpu);
- IplParameterBlock *s390_ipl_get_iplb(void);
-+IplParameterBlock *s390_ipl_get_iplb_pv(void);
-
- enum s390_reset {
- /* default is a reset not triggered by a CPU e.g. issued by QMP */
-@@ -94,6 +117,7 @@ enum s390_reset {
- S390_RESET_REIPL,
- S390_RESET_MODIFIED_CLEAR,
- S390_RESET_LOAD_NORMAL,
-+ S390_RESET_PV,
- };
- void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type);
- void s390_ipl_get_reset_request(CPUState **cs, enum s390_reset *reset_type);
-@@ -133,6 +157,7 @@ struct S390IPLState {
- /*< private >*/
- DeviceState parent_obj;
- IplParameterBlock iplb;
-+ IplParameterBlock iplb_pv;
- QemuIplParameters qipl;
- uint64_t start_addr;
- uint64_t compat_start_addr;
-@@ -140,6 +165,7 @@ struct S390IPLState {
- uint64_t compat_bios_start_addr;
- bool enforce_bios;
- bool iplb_valid;
-+ bool iplb_valid_pv;
- bool netboot;
- /* reset related properties don't have to be migrated or reset */
- enum s390_reset reset_type;
-@@ -162,6 +188,8 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong");
- #define DIAG_308_RC_OK 0x0001
- #define DIAG_308_RC_NO_CONF 0x0102
- #define DIAG_308_RC_INVALID 0x0402
-+#define DIAG_308_RC_NO_PV_CONF 0x0902
-+#define DIAG_308_RC_INVAL_FOR_PV 0x0a02
-
- #define DIAG308_RESET_MOD_CLR 0
- #define DIAG308_RESET_LOAD_NORM 1
-@@ -169,12 +197,17 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong");
- #define DIAG308_LOAD_NORMAL_DUMP 4
- #define DIAG308_SET 5
- #define DIAG308_STORE 6
-+#define DIAG308_PV_SET 8
-+#define DIAG308_PV_STORE 9
-+#define DIAG308_PV_START 10
-
- #define S390_IPL_TYPE_FCP 0x00
- #define S390_IPL_TYPE_CCW 0x02
-+#define S390_IPL_TYPE_PV 0x05
- #define S390_IPL_TYPE_QEMU_SCSI 0xff
-
- #define S390_IPLB_HEADER_LEN 8
-+#define S390_IPLB_MIN_PV_LEN 148
- #define S390_IPLB_MIN_CCW_LEN 200
- #define S390_IPLB_MIN_FCP_LEN 384
- #define S390_IPLB_MIN_QEMU_SCSI_LEN 200
-@@ -184,6 +217,62 @@ static inline bool iplb_valid_len(IplParameterBlock *iplb)
- return be32_to_cpu(iplb->len) <= sizeof(IplParameterBlock);
- }
-
-+static inline bool ipl_valid_pv_components(IplParameterBlock *iplb)
-+{
-+ IPLBlockPV *ipib_pv = &iplb->pv;
-+ int i;
-+
-+ if (ipib_pv->num_comp == 0) {
-+ return false;
-+ }
-+
-+ for (i = 0; i < ipib_pv->num_comp; i++) {
-+ /* Addr must be 4k aligned */
-+ if (ipib_pv->components[i].addr & ~TARGET_PAGE_MASK) {
-+ return false;
-+ }
-+
-+ /* Tweak prefix is monotonically increasing with each component */
-+ if (i < ipib_pv->num_comp - 1 &&
-+ ipib_pv->components[i].tweak_pref >=
-+ ipib_pv->components[i + 1].tweak_pref) {
-+ return false;
-+ }
-+ }
-+ return true;
-+}
-+
-+static inline bool ipl_valid_pv_header(IplParameterBlock *iplb)
-+{
-+ IPLBlockPV *ipib_pv = &iplb->pv;
-+
-+ if (ipib_pv->pv_header_len > 2 * TARGET_PAGE_SIZE) {
-+ return false;
-+ }
-+
-+ if (!address_space_access_valid(&address_space_memory,
-+ ipib_pv->pv_header_addr,
-+ ipib_pv->pv_header_len,
-+ false,
-+ MEMTXATTRS_UNSPECIFIED)) {
-+ return false;
-+ }
-+
-+ return true;
-+}
-+
-+static inline bool iplb_valid_pv(IplParameterBlock *iplb)
-+{
-+ if (iplb->pbt != S390_IPL_TYPE_PV ||
-+ be32_to_cpu(iplb->len) < S390_IPLB_MIN_PV_LEN) {
-+ return false;
-+ }
-+ if (!ipl_valid_pv_header(iplb)) {
-+ return false;
-+ }
-+ return ipl_valid_pv_components(iplb);
-+}
-+
- static inline bool iplb_valid(IplParameterBlock *iplb)
- {
- switch (iplb->pbt) {
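Review bot: ipl_valid_pv_components() loops up to num_comp without checking that num_comp components actually fit inside the block. iplb_valid_pv() only requires len >= S390_IPLB_MIN_PV_LEN and iplb_valid_len() only caps len at sizeof(IplParameterBlock), so a guest-supplied num_comp can make components[i] index past the bytes that were copied in, and past the IplParameterBlock itself. Reject the block unless the fixed part plus num_comp * sizeof(IPLBlockPVComp) fits within be32_to_cpu(iplb->len); the same bound then protects the loop in s390_ipl_pv_unpack(). The loop counter is an int compared against the uint32_t num_comp and should be made unsigned at the same time.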
-diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
-new file mode 100644
-index 0000000000000000000000000000000000000000..8cf5cd2c9bcd48b03af1e546fb3a85cdc7ac28bb
---- /dev/null
-+++ b/hw/s390x/pv.c
-@@ -0,0 +1,98 @@
-+/*
-+ * Protected Virtualization functions
-+ *
-+ * Copyright IBM Corp. 2020
-+ * Author(s):
-+ * Janosch Frank <frankja@linux.ibm.com>
-+ *
-+ * This work is licensed under the terms of the GNU GPL, version 2 or (at
-+ * your option) any later version. See the COPYING file in the top-level
-+ * directory.
-+ */
-+#include "qemu/osdep.h"
-+
-+#include <linux/kvm.h>
-+
-+#include "qemu/error-report.h"
-+#include "sysemu/kvm.h"
-+#include "hw/s390x/pv.h"
-+
-+static int __s390_pv_cmd(uint32_t cmd, const char *cmdname, void *data)
-+{
-+ struct kvm_pv_cmd pv_cmd = {
-+ .cmd = cmd,
-+ .data = (uint64_t)data,
-+ };
-+ int rc = kvm_vm_ioctl(kvm_state, KVM_S390_PV_COMMAND, &pv_cmd);
-+
-+ if (rc) {
-+ error_report("KVM PV command %d (%s) failed: header rc %x rrc %x "
-+ "IOCTL rc: %d", cmd, cmdname, pv_cmd.rc, pv_cmd.rrc,
-+ rc);
-+ }
-+ return rc;
-+}
-+
-+/*
-+ * This macro lets us pass the command as a string to the function so
-+ * we can print it on an error.
-+ */
-+#define s390_pv_cmd(cmd, data) __s390_pv_cmd(cmd, #cmd, data);
-+#define s390_pv_cmd_exit(cmd, data) \
-+{ \
-+ int rc; \
-+ \
-+ rc = __s390_pv_cmd(cmd, #cmd, data);\
-+ if (rc) { \
-+ exit(1); \
-+ } \
-+}
-+
-+int s390_pv_vm_enable(void)
-+{
-+ return s390_pv_cmd(KVM_PV_ENABLE, NULL);
-+}
-+
-+void s390_pv_vm_disable(void)
-+{
-+ s390_pv_cmd_exit(KVM_PV_DISABLE, NULL);
-+}
-+
-+int s390_pv_set_sec_parms(uint64_t origin, uint64_t length)
-+{
-+ struct kvm_s390_pv_sec_parm args = {
-+ .origin = origin,
-+ .length = length,
-+ };
-+
-+ return s390_pv_cmd(KVM_PV_VM_SET_SEC_PARMS, &args);
-+}
-+
-+/*
-+ * Called for each component in the SE type IPL parameter block 0.
-+ */
-+int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak)
-+{
-+ struct kvm_s390_pv_unp args = {
-+ .addr = addr,
-+ .size = size,
-+ .tweak = tweak,
-+ };
-+
-+ return s390_pv_cmd(KVM_PV_VM_UNPACK, &args);
-+}
-+
-+void s390_pv_perf_clear_reset(void)
-+{
-+ s390_pv_cmd_exit(KVM_PV_VM_PREP_RESET, NULL);
-+}
-+
-+int s390_pv_verify(void)
-+{
-+ return s390_pv_cmd(KVM_PV_VM_VERIFY, NULL);
-+}
-+
-+void s390_pv_unshare(void)
-+{
-+ s390_pv_cmd_exit(KVM_PV_VM_UNSHARE_ALL, NULL);
-+}
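Review bot: the s390_pv_cmd() macro definition ends in a semicolon, so a use such as return s390_pv_cmd(KVM_PV_ENABLE, NULL); expands to a double semicolon and the macro cannot be used inside an expression or an unbraced if/else. Drop the trailing semicolon, and wrap the s390_pv_cmd_exit() body in do { ... } while (0) instead of a bare brace block for the same reason. The helper name __s390_pv_cmd uses a double-underscore prefix, which C reserves for the implementation; a name such as s390_pv_cmd_impl avoids that.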
-diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
-index fcd8203cd11d9068de52b7ef695d..e408612729a8cb0fe2de58308767 100644
---- a/hw/s390x/s390-virtio-ccw.c
-+++ b/hw/s390x/s390-virtio-ccw.c
-@@ -1,9 +1,10 @@
- /*
- * virtio ccw machine
- *
-- * Copyright 2012 IBM Corp.
-+ * Copyright 2012, 2020 IBM Corp.
- * Copyright (c) 2009 Alexander Graf <agraf@suse.de>
- * Author(s): Cornelia Huck <cornelia.huck@de.ibm.com>
-+ * Janosch Frank <frankja@linux.ibm.com>
- *
- * This work is licensed under the terms of the GNU GPL, version 2 or (at
- * your option) any later version. See the COPYING file in the top-level
-@@ -41,6 +42,8 @@
- #include "hw/qdev-properties.h"
- #include "hw/s390x/tod.h"
- #include "sysemu/sysemu.h"
-+#include "hw/s390x/pv.h"
-+#include <linux/kvm.h>
-
- S390CPU *s390_cpu_addr2state(uint16_t cpu_addr)
- {
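Review bot: the unconditional #include <linux/kvm.h> added to s390-virtio-ccw.c makes the machine file depend on a Linux-only header, although pv.o itself is only built under CONFIG_KVM. The later patch on this page, "s390x/s390-virtio-ccw: Fix build on systems without KVM", has to undo exactly this by moving s390_machine_inject_pv_error() into pv.c. Keep the code that touches cs->kvm_run in pv.c from the start, or guard the include.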
-@@ -319,10 +322,78 @@ static inline void s390_do_cpu_ipl(CPUState *cs, run_on_cpu_data arg)
- s390_cpu_set_state(S390_CPU_STATE_OPERATING, cpu);
- }
-
-+static void s390_machine_unprotect(S390CcwMachineState *ms)
-+{
-+ s390_pv_vm_disable();
-+ ms->pv = false;
-+}
-+
-+static int s390_machine_protect(S390CcwMachineState *ms)
-+{
-+ int rc;
-+
-+ /* Create SE VM */
-+ rc = s390_pv_vm_enable();
-+ if (rc) {
-+ return rc;
-+ }
-+
-+ ms->pv = true;
-+
-+ /* Set SE header and unpack */
-+ rc = s390_ipl_prepare_pv_header();
-+ if (rc) {
-+ goto out_err;
-+ }
-+
-+ /* Decrypt image */
-+ rc = s390_ipl_pv_unpack();
-+ if (rc) {
-+ goto out_err;
-+ }
-+
-+ /* Verify integrity */
-+ rc = s390_pv_verify();
-+ if (rc) {
-+ goto out_err;
-+ }
-+ return rc;
-+
-+out_err:
-+ s390_machine_unprotect(ms);
-+ return rc;
-+}
-+
-+static void s390_machine_inject_pv_error(CPUState *cs)
-+{
-+ int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4;
-+ CPUS390XState *env = &S390_CPU(cs)->env;
-+
-+ /* Report that we are unable to enter protected mode */
-+ env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV;
-+}
-+
-+static void s390_pv_prepare_reset(S390CcwMachineState *ms)
-+{
-+ CPUState *cs;
-+
-+ if (!s390_is_pv()) {
-+ return;
-+ }
-+ /* Unsharing requires all cpus to be stopped */
-+ CPU_FOREACH(cs) {
-+ s390_cpu_set_state(S390_CPU_STATE_STOPPED, S390_CPU(cs));
-+ }
-+ s390_pv_unshare();
-+ s390_pv_perf_clear_reset();
-+}
-+
- static void s390_machine_reset(MachineState *machine)
- {
-+ S390CcwMachineState *ms = S390_CCW_MACHINE(machine);
- enum s390_reset reset_type;
- CPUState *cs, *t;
-+ S390CPU *cpu;
-
- /* get the reset parameters, reset them once done */
- s390_ipl_get_reset_request(&cs, &reset_type);
-@@ -330,9 +401,15 @@ static void s390_machine_reset(MachineState *machine)
- /* all CPUs are paused and synchronized at this point */
- s390_cmma_reset();
-
-+ cpu = S390_CPU(cs);
-+
- switch (reset_type) {
- case S390_RESET_EXTERNAL:
- case S390_RESET_REIPL:
-+ if (s390_is_pv()) {
-+ s390_machine_unprotect(ms);
-+ }
-+
- qemu_devices_reset();
- s390_crypto_reset();
-
-@@ -340,22 +417,56 @@ static void s390_machine_reset(MachineState *machine)
- run_on_cpu(cs, s390_do_cpu_ipl, RUN_ON_CPU_NULL);
- break;
- case S390_RESET_MODIFIED_CLEAR:
-+ /*
-+ * Susbsystem reset needs to be done before we unshare memory
-+ * and lose access to VIRTIO structures in guest memory.
-+ */
-+ subsystem_reset();
-+ s390_crypto_reset();
-+ s390_pv_prepare_reset(ms);
- CPU_FOREACH(t) {
- run_on_cpu(t, s390_do_cpu_full_reset, RUN_ON_CPU_NULL);
- }
-- subsystem_reset();
-- s390_crypto_reset();
- run_on_cpu(cs, s390_do_cpu_load_normal, RUN_ON_CPU_NULL);
- break;
- case S390_RESET_LOAD_NORMAL:
-+ /*
-+ * Susbsystem reset needs to be done before we unshare memory
-+ * and lose access to VIRTIO structures in guest memory.
-+ */
-+ subsystem_reset();
-+ s390_pv_prepare_reset(ms);
- CPU_FOREACH(t) {
- if (t == cs) {
- continue;
- }
- run_on_cpu(t, s390_do_cpu_reset, RUN_ON_CPU_NULL);
- }
-- subsystem_reset();
- run_on_cpu(cs, s390_do_cpu_initial_reset, RUN_ON_CPU_NULL);
-+ run_on_cpu(cs, s390_do_cpu_load_normal, RUN_ON_CPU_NULL);
-+ break;
-+ case S390_RESET_PV: /* Subcode 10 */
-+ subsystem_reset();
-+ s390_crypto_reset();
-+
-+ CPU_FOREACH(t) {
-+ if (t == cs) {
-+ continue;
-+ }
-+ run_on_cpu(t, s390_do_cpu_full_reset, RUN_ON_CPU_NULL);
-+ }
-+ run_on_cpu(cs, s390_do_cpu_reset, RUN_ON_CPU_NULL);
-+
-+ if (s390_machine_protect(ms)) {
-+ s390_machine_inject_pv_error(cs);
-+ /*
-+ * Continue after the diag308 so the guest knows something
-+ * went wrong.
-+ */
-+ s390_cpu_set_state(S390_CPU_STATE_OPERATING, cpu);
-+ return;
-+ }
-+
- run_on_cpu(cs, s390_do_cpu_load_normal, RUN_ON_CPU_NULL);
- break;
- default:
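Review bot: in the S390_RESET_PV case the failure path returns straight out of s390_machine_reset() from inside the switch, so whatever follows the switch is skipped, and the comment at the top of the function says the reset parameters are reset once done. Set the error state and break, or clear the request before returning, so a failed subcode 10 does not bypass the normal exit path. Minor: "Susbsystem" is misspelled in both new comments, and the same comment is duplicated in the MODIFIED_CLEAR and LOAD_NORMAL cases.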
-diff --git a/include/hw/s390x/pv.h b/include/hw/s390x/pv.h
-new file mode 100644
-index 0000000000000000000000000000000000000000..c6cb360f2f6a0a32a37970769e1bf2eb0220b199
---- /dev/null
-+++ b/include/hw/s390x/pv.h
-@@ -0,0 +1,55 @@
-+/*
-+ * Protected Virtualization header
-+ *
-+ * Copyright IBM Corp. 2020
-+ * Author(s):
-+ * Janosch Frank <frankja@linux.ibm.com>
-+ *
-+ * This work is licensed under the terms of the GNU GPL, version 2 or (at
-+ * your option) any later version. See the COPYING file in the top-level
-+ * directory.
-+ */
-+#ifndef HW_S390_PV_H
-+#define HW_S390_PV_H
-+
-+#ifdef CONFIG_KVM
-+#include "hw/s390x/s390-virtio-ccw.h"
-+
-+static inline bool s390_is_pv(void)
-+{
-+ static S390CcwMachineState *ccw;
-+ Object *obj;
-+
-+ if (ccw) {
-+ return ccw->pv;
-+ }
-+
-+ /* we have to bail out for the "none" machine */
-+ obj = object_dynamic_cast(qdev_get_machine(),
-+ TYPE_S390_CCW_MACHINE);
-+ if (!obj) {
-+ return false;
-+ }
-+ ccw = S390_CCW_MACHINE(obj);
-+ return ccw->pv;
-+}
-+
-+int s390_pv_vm_enable(void);
-+void s390_pv_vm_disable(void);
-+int s390_pv_set_sec_parms(uint64_t origin, uint64_t length);
-+int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak);
-+void s390_pv_perf_clear_reset(void);
-+int s390_pv_verify(void);
-+void s390_pv_unshare(void);
-+#else /* CONFIG_KVM */
-+static inline bool s390_is_pv(void) { return false; }
-+static inline int s390_pv_vm_enable(void) { return 0; }
-+static inline void s390_pv_vm_disable(void) {}
-+static inline int s390_pv_set_sec_parms(uint64_t origin, uint64_t length) { return 0; }
-+static inline int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak) { return 0; }
-+static inline void s390_pv_perf_clear_reset(void) {}
-+static inline int s390_pv_verify(void) { return 0; }
-+static inline void s390_pv_unshare(void) {}
-+#endif /* CONFIG_KVM */
-+
-+#endif /* HW_S390_PV_H */
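Review bot: in the !CONFIG_KVM branch, s390_pv_vm_enable(), s390_pv_set_sec_parms(), s390_pv_unpack() and s390_pv_verify() are stubbed to return 0, which s390_machine_protect() treats as success at every step. Return an error such as -ENOSYS from these stubs so a build without KVM fails closed if the path is ever reached, rather than reporting a protected guest that was never unpacked or verified. The function-local static cache in s390_is_pv() gets a separate copy in every file that includes this header; that is harmless but deserves a one-line comment.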
-diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-virtio-ccw.h
-index 8aa27199c9123bab03d3450313a5..cd1dccc6e3ba86455a9de5eb41cb 100644
---- a/include/hw/s390x/s390-virtio-ccw.h
-+++ b/include/hw/s390x/s390-virtio-ccw.h
-@@ -28,6 +28,7 @@ typedef struct S390CcwMachineState {
- /*< public >*/
- bool aes_key_wrap;
- bool dea_key_wrap;
-+ bool pv;
- uint8_t loadparm[8];
- } S390CcwMachineState;
-
-diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c
-index 52fefa1586caa3cbd366fe230630..479f1978c974722ceeb72ac5fb32 100644
---- a/target/s390x/cpu.c
-+++ b/target/s390x/cpu.c
-@@ -37,6 +37,7 @@
- #include "sysemu/hw_accel.h"
- #include "hw/qdev-properties.h"
- #ifndef CONFIG_USER_ONLY
-+#include "hw/s390x/pv.h"
- #include "hw/boards.h"
- #include "sysemu/arch_init.h"
- #include "sysemu/sysemu.h"
-diff --git a/target/s390x/cpu_features_def.inc.h b/target/s390x/cpu_features_def.inc.h
-index 31dff0d84e9724513b1945f8d447..60db28351d059091b6e05fd62c37 100644
---- a/target/s390x/cpu_features_def.inc.h
-+++ b/target/s390x/cpu_features_def.inc.h
-@@ -107,6 +107,7 @@ DEF_FEAT(DEFLATE_BASE, "deflate-base", STFL, 151, "Deflate-conversion facility (
- DEF_FEAT(VECTOR_PACKED_DECIMAL_ENH, "vxpdeh", STFL, 152, "Vector-Packed-Decimal-Enhancement Facility")
- DEF_FEAT(MSA_EXT_9, "msa9-base", STFL, 155, "Message-security-assist-extension-9 facility (excluding subfunctions)")
- DEF_FEAT(ETOKEN, "etoken", STFL, 156, "Etoken facility")
-+DEF_FEAT(UNPACK, "unpack", STFL, 161, "Unpack facility")
-
- /* Features exposed via SCLP SCCB Byte 80 - 98 (bit numbers relative to byte-80) */
- DEF_FEAT(SIE_GSLS, "gsls", SCLP_CONF_CHAR, 40, "SIE: Guest-storage-limit-suppression facility")
-diff --git a/target/s390x/diag.c b/target/s390x/diag.c
-index 8aba6341f94848e1ce8fff420ed8..b2cbefb8cfe4e5a244219e761fb4 100644
---- a/target/s390x/diag.c
-+++ b/target/s390x/diag.c
-@@ -20,6 +20,8 @@
- #include "sysemu/cpus.h"
- #include "hw/s390x/ipl.h"
- #include "hw/s390x/s390-virtio-ccw.h"
-+#include "hw/s390x/pv.h"
-+#include "kvm_s390x.h"
-
- int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3)
- {
-@@ -52,6 +54,10 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3)
- static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr,
- uintptr_t ra, bool write)
- {
-+ /* Handled by the Ultravisor */
-+ if (s390_is_pv()) {
-+ return 0;
-+ }
- if ((r1 & 1) || (addr & ~TARGET_PAGE_MASK)) {
- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
- return -1;
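Review bot: returning 0 from diag308_parm_check() for every protected guest also skips the r1-even and page-alignment checks, yet in this patch DIAG308_SET and DIAG308_STORE (and their PV variants) still go on to cpu_physical_memory_read() and cpu_physical_memory_write() at addr and to env->regs[r1 + 1]. Expand the "Handled by the Ultravisor" comment to say which of these checks the Ultravisor guarantees, or keep the checks that only involve register values.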
-@@ -67,6 +73,7 @@ static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr,
-
- void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
- {
-+ bool valid;
- CPUState *cs = env_cpu(env);
- uint64_t addr = env->regs[r1];
- uint64_t subcode = env->regs[r3];
-@@ -82,6 +89,11 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
- return;
- }
-
-+ if (subcode >= DIAG308_PV_SET && !s390_has_feat(S390_FEAT_UNPACK)) {
-+ s390_program_interrupt(env, PGM_SPECIFICATION, ra);
-+ return;
-+ }
-+
- switch (subcode) {
- case DIAG308_RESET_MOD_CLR:
- s390_ipl_reset_request(cs, S390_RESET_MODIFIED_CLEAR);
-@@ -94,6 +106,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
- s390_ipl_reset_request(cs, S390_RESET_REIPL);
- break;
- case DIAG308_SET:
-+ case DIAG308_PV_SET:
- if (diag308_parm_check(env, r1, addr, ra, false)) {
- return;
- }
-@@ -106,7 +119,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
-
- cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len));
-
-- if (!iplb_valid(iplb)) {
-+ valid = subcode == DIAG308_PV_SET ? iplb_valid_pv(iplb) : iplb_valid(iplb);
-+ if (!valid) {
- env->regs[r1 + 1] = DIAG_308_RC_INVALID;
- goto out;
- }
-@@ -117,10 +131,15 @@ out:
- g_free(iplb);
- return;
- case DIAG308_STORE:
-+ case DIAG308_PV_STORE:
- if (diag308_parm_check(env, r1, addr, ra, true)) {
- return;
- }
-- iplb = s390_ipl_get_iplb();
-+ if (subcode == DIAG308_PV_STORE) {
-+ iplb = s390_ipl_get_iplb_pv();
-+ } else {
-+ iplb = s390_ipl_get_iplb();
-+ }
- if (iplb) {
- cpu_physical_memory_write(addr, iplb, be32_to_cpu(iplb->len));
- env->regs[r1 + 1] = DIAG_308_RC_OK;
-@@ -128,6 +147,22 @@ out:
- env->regs[r1 + 1] = DIAG_308_RC_NO_CONF;
- }
- return;
-+ case DIAG308_PV_START:
-+ iplb = s390_ipl_get_iplb_pv();
-+ if (!iplb) {
-+ env->regs[r1 + 1] = DIAG_308_RC_NO_PV_CONF;
-+ return;
-+ }
-+
-+ if (kvm_s390_get_hpage_1m()) {
-+ error_report("Protected VMs can currently not be backed with "
-+ "huge pages");
-+ env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV;
-+ return;
-+ }
-+
-+ s390_ipl_reset_request(cs, S390_RESET_PV);
-+ break;
- default:
- s390_program_interrupt(env, PGM_SPECIFICATION, ra);
- break;
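Review bot: in DIAG308_PV_START the huge-page rejection calls error_report() on a path the guest can trigger at will, so a guest that repeats subcode 10 can fill the host log. Report it once or rate-limit it; the guest already receives DIAG_308_RC_INVAL_FOR_PV in r1 + 1. There is also no s390_is_pv() check in this case, so add a comment stating what happens when an already protected guest issues subcode 10 again.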
-diff --git a/target/s390x/kvm-stub.c b/target/s390x/kvm-stub.c
-index c4cd497f850eb9c7a859932b0f1f..aa185017a2a886ca300fa75747ed 100644
---- a/target/s390x/kvm-stub.c
-+++ b/target/s390x/kvm-stub.c
-@@ -39,6 +39,11 @@ int kvm_s390_vcpu_interrupt_post_load(S390CPU *cpu)
- return 0;
- }
-
-+int kvm_s390_get_hpage_1m(void)
-+{
-+ return 0;
-+}
-+
- int kvm_s390_get_ri(void)
- {
- return 0;
-diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
-index f633472980b48757989db245fb1f..d8d02ff34f4fc942cb7935deec58 100644
---- a/target/s390x/kvm.c
-+++ b/target/s390x/kvm.c
-@@ -321,6 +321,11 @@ void kvm_s390_set_max_pagesize(uint64_t pagesize, Error **errp)
- cap_hpage_1m = 1;
- }
-
-+int kvm_s390_get_hpage_1m(void)
-+{
-+ return cap_hpage_1m;
-+}
-+
- static void ccw_machine_class_foreach(ObjectClass *oc, void *opaque)
- {
- MachineClass *mc = MACHINE_CLASS(oc);
-diff --git a/target/s390x/kvm_s390x.h b/target/s390x/kvm_s390x.h
-index 0b21789796d7c462bdc72160166f..dea813f450153c34e1269424772d 100644
---- a/target/s390x/kvm_s390x.h
-+++ b/target/s390x/kvm_s390x.h
-@@ -23,6 +23,7 @@ void kvm_s390_program_interrupt(S390CPU *cpu, uint16_t code);
- int kvm_s390_set_cpu_state(S390CPU *cpu, uint8_t cpu_state);
- void kvm_s390_vcpu_interrupt_pre_save(S390CPU *cpu);
- int kvm_s390_vcpu_interrupt_post_load(S390CPU *cpu);
-+int kvm_s390_get_hpage_1m(void);
- int kvm_s390_get_ri(void);
- int kvm_s390_get_gs(void);
- int kvm_s390_get_clock(uint8_t *tod_high, uint64_t *tod_clock);
+++ /dev/null
-From: Christian Borntraeger <borntraeger@de.ibm.com>
-Date: Tue, 21 Jul 2020 06:32:02 -0400
-Subject: s390x/protvirt: allow to IPL secure guests with -no-reboot
-
-Git-commit: d1bb69db4ceb6897ef6a17bf263146b53a123632
-References: bsc#1174863
-
-Right now, -no-reboot prevents secure guests from running. This is
-correct from an implementation point of view, as we have modeled the
-transition from non-secure to secure as a program directed IPL. From
-a user perspective, this is not the behavior of least surprise.
-
-We should implement the IPL into protected mode similar to the
-functions that we use for kdump/kexec. In other words, we do not stop
-here when -no-reboot is specified on the command line. Like function 0
-or function 1, function 10 is not a classic reboot. For example, it
-can only be called once. Before calling it a second time, a real
-reboot/reset must happen in-between. So function code 10 is more or
-less a state transition reset, but not a "standard" reset or reboot.
-
-Fixes: 4d226deafc44 ("s390x: protvirt: Support unpack facility")
-Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
-Reviewed-by: David Hildenbrand <david@redhat.com>
-Acked-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
-Message-Id: <20200721103202.30610-1-borntraeger@de.ibm.com>
-[CH: tweaked description]
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- hw/s390x/ipl.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
-index ca544d64c5e04782fb49d12521d5..6cb4a1575c370d391f216a359c5d 100644
---- a/hw/s390x/ipl.c
-+++ b/hw/s390x/ipl.c
-@@ -578,7 +578,8 @@ void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type)
- }
- }
- if (reset_type == S390_RESET_MODIFIED_CLEAR ||
-- reset_type == S390_RESET_LOAD_NORMAL) {
-+ reset_type == S390_RESET_LOAD_NORMAL ||
-+ reset_type == S390_RESET_PV) {
- /* ignore -no-reboot, send no event */
- qemu_system_reset_request(SHUTDOWN_CAUSE_SUBSYSTEM_RESET);
- } else {
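Review bot: the comment inside this branch still reads only "ignore -no-reboot, send no event", so once S390_RESET_PV joins the condition nothing in the code says why an IPL into protected mode is exempt from -no-reboot. The commit message has the reason (function 10 is a one-time state transition, not a classic reboot); a short comment to that effect at the condition would keep the rationale next to the check.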
+++ /dev/null
-From: Christian Borntraeger <borntraeger@de.ibm.com>
-Date: Mon, 6 Apr 2020 06:01:58 -0400
-Subject: s390x/s390-virtio-ccw: Fix build on systems without KVM
-
-References: bsc#1167075
-
-linux/kvm.h is not available on all platforms. Let us move
-s390_machine_inject_pv_error into pv.c as it uses KVM structures.
-Also rename the function to s390_pv_inject_reset_error.
-
-While at it, ipl.h needs an include for "exec/address-spaces.h"
-as it uses address_space_memory.
-
-Fixes: 49fc3220175e ("s390x: protvirt: Support unpack facility")
-Reported-by: Bruce Rogers <brogers@suse.com>
-Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/s390x/ipl.h | 1 +
- hw/s390x/pv.c | 11 +++++++++++
- hw/s390x/s390-virtio-ccw.c | 12 +-----------
- include/hw/s390x/pv.h | 3 +++
- 4 files changed, 16 insertions(+), 11 deletions(-)
-
-diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
-index 89b3044d7a2ee54014daa8eeafc9..53cc9eb5ac4d326b2b61bf1668a8 100644
---- a/hw/s390x/ipl.h
-+++ b/hw/s390x/ipl.h
-@@ -14,6 +14,7 @@
- #define HW_S390_IPL_H
-
- #include "cpu.h"
-+#include "exec/address-spaces.h"
- #include "hw/qdev-core.h"
-
- struct IPLBlockPVComp {
-diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c
-index 8cf5cd2c9bcd48b03af1e546fb3a..2c4d5e89890b7d21abdcd718c2f2 100644
---- a/hw/s390x/pv.c
-+++ b/hw/s390x/pv.c
-@@ -13,8 +13,10 @@
-
- #include <linux/kvm.h>
-
-+#include "cpu.h"
- #include "qemu/error-report.h"
- #include "sysemu/kvm.h"
-+#include "hw/s390x/ipl.h"
- #include "hw/s390x/pv.h"
-
- static int __s390_pv_cmd(uint32_t cmd, const char *cmdname, void *data)
-@@ -96,3 +98,12 @@ void s390_pv_unshare(void)
- {
- s390_pv_cmd_exit(KVM_PV_VM_UNSHARE_ALL, NULL);
- }
-+
-+void s390_pv_inject_reset_error(CPUState *cs)
-+{
-+ int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4;
-+ CPUS390XState *env = &S390_CPU(cs)->env;
-+
-+ /* Report that we are unable to enter protected mode */
-+ env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV;
-+}
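Review bot: in s390_pv_inject_reset_error(), r1 comes from a 4-bit field of ipa and can be 15, so env->regs[r1 + 1] can index one past general register 15, and nothing in the visible lines bounds it. The function is moved here unchanged from s390-virtio-ccw.c, but while it is being touched, either point to where the diag308 path rejects that r1 value before this runs, or add an assert on r1 here so the assumption is checked.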
-diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
-index 91b2cea0822b41bd6af17be93193..13cff79695bf75884cb86c378884 100644
---- a/hw/s390x/s390-virtio-ccw.c
-+++ b/hw/s390x/s390-virtio-ccw.c
-@@ -44,7 +44,6 @@
- #include "sysemu/sysemu.h"
- #include "sysemu/balloon.h"
- #include "hw/s390x/pv.h"
--#include <linux/kvm.h>
- #include "migration/blocker.h"
-
- static Error *pv_mig_blocker;
-@@ -393,15 +392,6 @@ out_err:
- return rc;
- }
-
--static void s390_machine_inject_pv_error(CPUState *cs)
--{
-- int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4;
-- CPUS390XState *env = &S390_CPU(cs)->env;
--
-- /* Report that we are unable to enter protected mode */
-- env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV;
--}
--
- static void s390_pv_prepare_reset(S390CcwMachineState *ms)
- {
- CPUState *cs;
-@@ -487,7 +477,7 @@ static void s390_machine_reset(MachineState *machine)
- run_on_cpu(cs, s390_do_cpu_reset, RUN_ON_CPU_NULL);
-
- if (s390_machine_protect(ms)) {
-- s390_machine_inject_pv_error(cs);
-+ s390_pv_inject_reset_error(cs);
- /*
- * Continue after the diag308 so the guest knows something
- * went wrong.
-diff --git a/include/hw/s390x/pv.h b/include/hw/s390x/pv.h
-index c6cb360f2f6a0a32a37970769e1b..522ca6a04ee877940ff1de9f410b 100644
---- a/include/hw/s390x/pv.h
-+++ b/include/hw/s390x/pv.h
-@@ -13,6 +13,7 @@
- #define HW_S390_PV_H
-
- #ifdef CONFIG_KVM
-+#include "cpu.h"
- #include "hw/s390x/s390-virtio-ccw.h"
-
- static inline bool s390_is_pv(void)
-@@ -41,6 +42,7 @@ int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak);
- void s390_pv_perf_clear_reset(void);
- int s390_pv_verify(void);
- void s390_pv_unshare(void);
-+void s390_pv_inject_reset_error(CPUState *cs);
- #else /* CONFIG_KVM */
- static inline bool s390_is_pv(void) { return false; }
- static inline int s390_pv_vm_enable(void) { return 0; }
-@@ -50,6 +52,7 @@ static inline int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak) {
- static inline void s390_pv_perf_clear_reset(void) {}
- static inline int s390_pv_verify(void) { return 0; }
- static inline void s390_pv_unshare(void) {}
-+static inline void s390_pv_inject_reset_error(CPUState *cs) {};
- #endif /* CONFIG_KVM */
-
- #endif /* HW_S390_PV_H */
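Review bot: the non-KVM stub added in the last hunk ends in "{};" and the semicolon after the function body is a stray empty declaration that the neighbouring stubs do not have; drop it. Separately, the stub takes a CPUState * while the "cpu.h" include added in the first hunk of this header sits inside #ifdef CONFIG_KVM; since the purpose of the patch is to build without KVM, confirm that CPUState is declared on the #else path as well.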
+++ /dev/null
-From: Matthew Rosato <mjrosato@linux.ibm.com>
-Date: Thu, 15 Oct 2020 09:16:07 -0400
-Subject: s390x/s390-virtio-ccw: Reset PCI devices during subsystem reset
-
-Git-commit: db08244a3a7ec312dfed3fd9b88e114281215458
-References: bsc#1179717
-
-Currently, a subsystem reset event leaves PCI devices enabled, causing
-issues post-reset in the guest (an example would be after a kexec). These
-devices need to be reset during a subsystem reset, allowing them to be
-properly re-enabled afterwards. Add the S390 PCI host bridge to the list
-of qdevs to be reset during subsystem reset.
-
-Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
-Reviewed-by: Eric Farman <farman@linux.ibm.com>
-Acked-by: Halil Pasic <pasic@linux.ibm.com>
-Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
-Cc: qemu-stable@nongnu.org
-Message-Id: <1602767767-32713-1-git-send-email-mjrosato@linux.ibm.com>
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- hw/s390x/s390-virtio-ccw.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
-index d3edeef0ad924af160eb83ea6724..6134f30508f88737cd5e885ffab6 100644
---- a/hw/s390x/s390-virtio-ccw.c
-+++ b/hw/s390x/s390-virtio-ccw.c
-@@ -97,6 +97,7 @@ static const char *const reset_dev_types[] = {
- "s390-sclp-event-facility",
- "s390-flic",
- "diag288",
-+ TYPE_S390_PCI_HOST_BRIDGE,
- };
-
- static void subsystem_reset(void)
+++ /dev/null
-From: Hannes Reinecke <hare@suse.de>
-Date: Thu, 12 Nov 2020 14:02:24 +0100
-Subject: scsi: add tracing for SG_IO commands
-
-References: bsc#1178049
-
-Add tracepoints for SG_IO commands to get a grip on the timeout
-settings.
-
-Signed-off-by: Hannes Reinecke <hare@suse.de>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/scsi/scsi-disk.c | 3 ++-
- hw/scsi/scsi-generic.c | 12 +++++++++---
- hw/scsi/trace-events | 8 ++++++--
- 3 files changed, 17 insertions(+), 6 deletions(-)
-
-diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
-index 29eb2e6629297342f34bac5d98bd..2240478deb6488d2947e7e9e56ef 100644
---- a/hw/scsi/scsi-disk.c
-+++ b/hw/scsi/scsi-disk.c
-@@ -2775,7 +2775,8 @@ static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req,
- io_header->timeout = s->qdev.io_timeout;
- io_header->usr_ptr = r;
- io_header->flags |= SG_FLAG_DIRECT_IO;
--
-+ trace_scsi_disk_aio_sgio_command(r->req.tag, req->cdb[0], lba,
-+ nb_logical_blocks, io_header->timeout);
- aiocb = blk_aio_ioctl(s->qdev.conf.blk, SG_IO, io_header, cb, opaque);
- assert(aiocb != NULL);
- return aiocb;
-diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
-index 3027885538ad20f8cddbad8c4026..6ea04de98c04aa36aa68230a6b87 100644
---- a/hw/scsi/scsi-generic.c
-+++ b/hw/scsi/scsi-generic.c
-@@ -128,6 +128,8 @@ static int execute_command(BlockBackend *blk,
- r->io_header.usr_ptr = r;
- r->io_header.flags |= SG_FLAG_DIRECT_IO;
-
-+ trace_scsi_generic_aio_sgio_command(r->req.tag, r->req.cmd.buf[0],
-+ r->io_header.timeout);
- r->req.aiocb = blk_aio_ioctl(blk, SG_IO, &r->io_header, complete, r);
- if (r->req.aiocb == NULL) {
- return -EIO;
-@@ -334,7 +336,7 @@ static void scsi_read_data(SCSIRequest *req)
- SCSIDevice *s = r->req.dev;
- int ret;
-
-- trace_scsi_generic_read_data(req->tag);
-+ trace_scsi_generic_read_data(req->tag, s->io_timeout);
-
- /* The request is used as the AIO opaque value, so add a ref. */
- scsi_req_ref(&r->req);
-@@ -387,7 +389,7 @@ static void scsi_write_data(SCSIRequest *req)
- SCSIDevice *s = r->req.dev;
- int ret;
-
-- trace_scsi_generic_write_data(req->tag);
-+ trace_scsi_generic_write_data(req->tag, s->io_timeout);
- if (r->len == 0) {
- r->len = r->buflen;
- scsi_req_data(&r->req, r->len);
-@@ -522,8 +524,12 @@ int scsi_SG_IO_FROM_DEV(BlockBackend *blk, uint8_t *cmd, uint8_t cmd_size,
- io_header.sbp = sensebuf;
- io_header.timeout = timeout;
-
-+ trace_scsi_generic_ioctl_sgio_command(cmd[0], io_header.timeout);
- ret = blk_ioctl(blk, SG_IO, &io_header);
-- if (ret < 0 || io_header.driver_status || io_header.host_status) {
-+ if (ret < 0 || io_header.status ||
-+ io_header.driver_status || io_header.host_status) {
-+ trace_scsi_generic_ioctl_sgio_done(cmd[0], ret, io_header.status,
-+ io_header.host_status);
- return -1;
- }
- return 0;
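Review bot: the last hunk of scsi-generic.c is not tracing only: the error condition in scsi_SG_IO_FROM_DEV() gains io_header.status, so a command that completes with a non-zero SCSI status now returns -1 where it used to return 0. The commit message only mentions tracepoints; move this to its own patch or describe it. Also, scsi_generic_ioctl_sgio_done fires only on the failure path and does not log driver_status, although driver_status is one of the fields that can trigger it.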
-diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events
-index 9e1196f2117982c5bbc5db3bfffb..13babd26dff43d5052886cf955a5 100644
---- a/hw/scsi/trace-events
-+++ b/hw/scsi/trace-events
-@@ -327,14 +327,18 @@ scsi_disk_emulate_command_UNKNOWN(int cmd, const char *name) "Unknown SCSI comma
- scsi_disk_dma_command_READ(uint64_t lba, uint32_t len) "Read (sector %" PRId64 ", count %u)"
- scsi_disk_dma_command_WRITE(const char *cmd, uint64_t lba, int len) "Write %s(sector %" PRId64 ", count %u)"
- scsi_disk_new_request(uint32_t lun, uint32_t tag, const char *line) "Command: lun=%d tag=0x%x data=%s"
-+scsi_disk_aio_sgio_command(uint32_t tag, uint8_t cmd, uint64_t lba, int len, uint32_t timeout) "disk aio sgio: tag=0x%x cmd 0x%x (sector %" PRId64 ", count %d) timeout %u"
-
- # scsi-generic.c
- scsi_generic_command_complete_noio(void *req, uint32_t tag, int statuc) "Command complete %p tag=0x%x status=%d"
- scsi_generic_read_complete(uint32_t tag, int len) "Data ready tag=0x%x len=%d"
--scsi_generic_read_data(uint32_t tag) "scsi_read_data tag=0x%x"
-+scsi_generic_read_data(uint32_t tag, uint32_t timeout) "scsi_read_data tag=0x%x timeout %u"
- scsi_generic_write_complete(int ret) "scsi_write_complete() ret = %d"
- scsi_generic_write_complete_blocksize(int blocksize) "block size %d"
--scsi_generic_write_data(uint32_t tag) "scsi_write_data tag=0x%x"
-+scsi_generic_write_data(uint32_t tag, uint32_t timeout) "scsi_write_data tag=0x%x timeout %u"
- scsi_generic_send_command(const char *line) "Command: data=%s"
- scsi_generic_realize_type(int type) "device type %d"
- scsi_generic_realize_blocksize(int blocksize) "block size %d"
-+scsi_generic_aio_sgio_command(uint32_t tag, uint8_t cmd, uint32_t timeout) "generic aio sgio: tag=0x%x cmd 0x%x, timeout %u"
-+scsi_generic_ioctl_sgio_command(uint8_t cmd, uint32_t timeout) "generic ioctl sgio: cmd 0x%x timeout %u"
-+scsi_generic_ioctl_sgio_done(uint8_t cmd, int ret, uint8_t status, uint8_t host_status) "generic ioctl sgio: cmd 0x%x ret %d status 0x%x host_status 0x%x"
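Review bot: scsi_disk_aio_sgio_command declares lba as uint64_t but formats it with PRId64; PRIu64 matches the type. The timeout is printed as a bare number in all four new events, and since these tracepoints exist to inspect timeout settings, adding the unit to the format string would make the output unambiguous.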
+++ /dev/null
-From: Hannes Reinecke <hare@suse.de>
-Date: Wed, 11 Nov 2020 17:34:45 +0100
-Subject: scsi-disk: fold SG_IO errors back into request status
-
-References: bsc#1178049
-
-When SG_IO returns with a non-zero 'host_status' or 'status' we
-should be folding these values into the request status to allow
-any drivers to signal them back to the guest.
-
-Signed-off-by: Hannes Reinecke <hare@suse.de>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/scsi/scsi-disk.c | 37 ++++++++++++++++++++++++++++++-------
- hw/scsi/trace-events | 1 +
- 2 files changed, 31 insertions(+), 7 deletions(-)
-
-diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
-index c672e521bb2d4a1703d3b2b78adc..0c1befa2ddffd3b95153a44a743d 100644
---- a/hw/scsi/scsi-disk.c
-+++ b/hw/scsi/scsi-disk.c
-@@ -81,7 +81,7 @@ typedef struct SCSIDiskReq {
- struct iovec iov;
- QEMUIOVector qiov;
- BlockAcctCookie acct;
-- unsigned char *status;
-+ uint32_t status;
- } SCSIDiskReq;
-
- #define SCSI_DISK_F_REMOVABLE 0
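Review bot: status changes from a pointer to a uint32_t with no comment on its layout. The later hunks in this patch read the low byte as the SCSI status (r->status & 0xff) and test r->status >> 8 separately, and the full 32-bit value is then passed to scsi_req_complete(). Document the encoding at the field, and state whether scsi_req_complete() is expected to receive the combined value or only the low byte.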
-@@ -194,7 +194,7 @@ static bool scsi_disk_req_check_error(SCSIDiskReq *r, int ret, bool acct_failed)
- return true;
- }
-
-- if (ret < 0 || (r->status && *r->status)) {
-+ if (ret < 0 || r->status) {
- return scsi_handle_rw_error(r, -ret, acct_failed);
- }
-
-@@ -458,11 +458,12 @@ static bool scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed)
- * whether the error has to be handled by the guest or should rather
- * pause the host.
- */
-- assert(r->status && *r->status);
-- if (scsi_sense_buf_is_guest_recoverable(r->req.sense, sizeof(r->req.sense))) {
-+ assert(r->status);
-+ if ((r->status >> 8) ||
-+ scsi_sense_buf_is_guest_recoverable(r->req.sense, sizeof(r->req.sense))) {
- /* These errors are handled by guest. */
- sdc->update_sense(&r->req);
-- scsi_req_complete(&r->req, *r->status);
-+ scsi_req_complete(&r->req, r->status);
- return true;
- }
- error = scsi_sense_buf_to_errno(r->req.sense, sizeof(r->req.sense));
-@@ -2695,8 +2696,26 @@ typedef struct SCSIBlockReq {
-
- /* CDB passed to SG_IO. */
- uint8_t cdb[16];
-+ BlockCompletionFunc *cb;
-+ void *cb_opaque;
- } SCSIBlockReq;
-
-+static void sgio_aio_complete(void *opaque, int ret)
-+{
-+ SCSIBlockReq *req = (SCSIBlockReq *)opaque;
-+ SCSIDiskReq *r = &req->req;
-+ SCSISense sense;
-+
-+ trace_scsi_disk_aio_sgio_done(r->req.tag, ret, req->io_header.status,
-+ req->io_header.host_status);
-+ r->status = sg_io_sense_from_errno(-ret, &req->io_header, &sense);
-+ if ((r->status & 0xff) == CHECK_CONDITION &&
-+ req->io_header.status != CHECK_CONDITION)
-+ scsi_req_build_sense(&r->req, sense);
-+
-+ req->cb(req->cb_opaque, ret);
-+}
-+
- static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req,
- int64_t offset, QEMUIOVector *iov,
- int direction,
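Review bot: in sgio_aio_complete() the local sense is declared without an initializer and is passed by value to scsi_req_build_sense() whenever the status is CHECK_CONDITION, so correctness depends on sg_io_sense_from_errno() always filling it in that case, which is not visible here; initialize it or note the contract. The if also needs braces per QEMU coding style, and req->cb is called without a NULL check, which is fine only as long as scsi_block_do_sgio() is the sole place that submits with this completion function.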
-@@ -2777,9 +2796,14 @@ static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req,
- io_header->timeout = 5000;
- io_header->usr_ptr = r;
- io_header->flags |= SG_FLAG_DIRECT_IO;
-+
-+ req->cb = cb;
-+ req->cb_opaque = opaque;
-+
- trace_scsi_disk_aio_sgio_command(r->req.tag, req->cdb[0], lba,
- nb_logical_blocks, io_header->timeout);
-- aiocb = blk_aio_ioctl(s->qdev.conf.blk, SG_IO, io_header, cb, opaque);
-+ aiocb = blk_aio_ioctl(s->qdev.conf.blk, SG_IO, io_header,
-+ sgio_aio_complete, req);
- assert(aiocb != NULL);
- return aiocb;
- }
-@@ -2893,7 +2917,6 @@ static int32_t scsi_block_dma_command(SCSIRequest *req, uint8_t *buf)
- return 0;
- }
-
-- r->req.status = &r->io_header.status;
- return scsi_disk_dma_command(req, buf);
- }
-
-diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events
-index bce865c2222b0ece52d16ab1d90a..beae309d3000c0a401cec55be37d 100644
---- a/hw/scsi/trace-events
-+++ b/hw/scsi/trace-events
-@@ -328,6 +328,7 @@ scsi_disk_dma_command_READ(uint64_t lba, uint32_t len) "Read (sector %" PRId64 "
- scsi_disk_dma_command_WRITE(const char *cmd, uint64_t lba, int len) "Write %s(sector %" PRId64 ", count %u)"
- scsi_disk_new_request(uint32_t lun, uint32_t tag, const char *line) "Command: lun=%d tag=0x%x data=%s"
- scsi_disk_aio_sgio_command(uint32_t tag, uint8_t cmd, uint64_t lba, int len, uint32_t timeout) "disk aio sgio: tag=0x%x cmd 0x%x (sector %" PRId64 ", count %d) timeout %u"
-+scsi_disk_aio_sgio_done(uint32_t tag, int ret, uint8_t status, uint8_t host_status) "disk aio sgio: cmd 0x%x ret %d status 0x%x host_status 0x%x"
-
- # scsi-generic.c
- scsi_generic_command_complete_noio(void *req, uint32_t tag, uint8_t status, uint8_t host_status) "Command complete %p tag=0x%x status=0x%x host_status=0x%x"
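Review bot: the first argument of the new scsi_disk_aio_sgio_done event is uint32_t tag, but the format string labels it "cmd 0x%x", so the trace output will present a request tag as a command opcode. Use "tag=0x%x" here, matching scsi_disk_aio_sgio_command on the line above.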
+++ /dev/null
-From: Hannes Reinecke <hare@suse.de>
-Date: Tue, 10 Nov 2020 15:06:58 +0100
-Subject: scsi-disk: set default I/O timeout to 30 seconds
-
-References: bsc#1178049
-
-To align with standard linux settings we should be setting the
-default I/O timeout to 30 seconds, and add a lower bound of
-5 seconds to avoid spurious I/O failures.
-
-Signed-off-by: Hannes Reinecke <hare@suse.de>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/scsi/scsi-disk.c | 4 +++-
- hw/scsi/scsi-generic.c | 4 ++++
- 2 files changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
-index 2240478deb6488d2947e7e9e56ef..c672e521bb2d4a1703d3b2b78adc 100644
---- a/hw/scsi/scsi-disk.c
-+++ b/hw/scsi/scsi-disk.c
-@@ -50,7 +50,7 @@
-
- #define DEFAULT_DISCARD_GRANULARITY (4 * KiB)
- #define DEFAULT_MAX_UNMAP_SIZE (1 * GiB)
--#define DEFAULT_IO_TIMEOUT UINT_MAX /* Infinity */
-+#define DEFAULT_IO_TIMEOUT 30000 /* 30 seconds */
- #define DEFAULT_MAX_IO_SIZE INT_MAX /* 2 GB - 1 block */
-
- #define TYPE_SCSI_DISK_BASE "scsi-disk-base"
-@@ -2773,6 +2773,8 @@ static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req,
- io_header->mx_sb_len = sizeof(r->req.sense);
- io_header->sbp = r->req.sense;
- io_header->timeout = s->qdev.io_timeout;
-+ if (io_header->timeout < 5000)
-+ io_header->timeout = 5000;
- io_header->usr_ptr = r;
- io_header->flags |= SG_FLAG_DIRECT_IO;
- trace_scsi_disk_aio_sgio_command(r->req.tag, req->cdb[0], lba,
-diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
-index 6ea04de98c04aa36aa68230a6b87..32875bedaedf25e7b0cea8363887 100644
---- a/hw/scsi/scsi-generic.c
-+++ b/hw/scsi/scsi-generic.c
-@@ -125,6 +125,8 @@ static int execute_command(BlockBackend *blk,
- r->io_header.mx_sb_len = sizeof(r->req.sense);
- r->io_header.sbp = r->req.sense;
- r->io_header.timeout = s->io_timeout;
-+ if (r->io_header.timeout < 5000)
-+ r->io_header.timeout = 5000;
- r->io_header.usr_ptr = r;
- r->io_header.flags |= SG_FLAG_DIRECT_IO;
-
-@@ -523,6 +525,8 @@ int scsi_SG_IO_FROM_DEV(BlockBackend *blk, uint8_t *cmd, uint8_t cmd_size,
- io_header.mx_sb_len = sizeof(sensebuf);
- io_header.sbp = sensebuf;
- io_header.timeout = timeout;
-+ if (io_header.timeout < 5000)
-+ io_header.timeout = 5000;
-
- trace_scsi_generic_ioctl_sgio_command(cmd[0], io_header.timeout);
- ret = blk_ioctl(blk, SG_IO, &io_header);
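Review bot: the 5000 floor is open-coded three times (scsi_block_do_sgio(), execute_command() and here in scsi_SG_IO_FROM_DEV()), each as a brace-less if with a bare literal. Define one named constant for the minimum and apply it with a single helper or MAX(), with braces per QEMU style. The clamp also silently overrides a configured io_timeout below 5000; rejecting or warning about such a value when the property is set would be less surprising than raising it at submission time.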
+++ /dev/null
-From: Hannes Reinecke <hare@suse.de>
-Date: Thu, 12 Nov 2020 17:26:14 +0100
-Subject: scsi-disk: trace rw errors
-
-References: bsc#1178049
-
-Add a tracepoints for R/W errors.
-
-Signed-off-by: Hannes Reinecke <hare@suse.de>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/scsi/scsi-disk.c | 2 ++
- hw/scsi/trace-events | 3 ++-
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
-index 0c1befa2ddffd3b95153a44a743d..7657a0f1980d9d1696145457e46d 100644
---- a/hw/scsi/scsi-disk.c
-+++ b/hw/scsi/scsi-disk.c
-@@ -448,6 +448,8 @@ static bool scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed)
- BlockErrorAction action = blk_get_error_action(s->qdev.conf.blk,
- is_read, error);
-
-+ trace_scsi_disk_rw_error(r->req.tag, (r->status & 0xff), (r->status >> 8),
-+ error, action);
- if (action == BLOCK_ERROR_ACTION_REPORT) {
- if (acct_failed) {
- block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct);
-diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events
-index beae309d3000c0a401cec55be37d..99556e585af30ccaae133459b9d8 100644
---- a/hw/scsi/trace-events
-+++ b/hw/scsi/trace-events
-@@ -301,6 +301,7 @@ virtio_scsi_tmf_resp(int lun, uint32_t tag, int response) "virtio_scsi_tmf_resp
-
- # scsi-disk.c
- scsi_disk_check_condition(uint32_t tag, uint8_t key, uint8_t asc, uint8_t ascq) "Command complete tag=0x%x sense=%d/%d/%d"
-+scsi_disk_rw_error(uint32_t tag, uint8_t status, uint8_t host_status, int error, int action) "rw error tag=0x%x status=0x%x host_status=0x%x error=%d action=%d"
- scsi_disk_read_complete(uint32_t tag, size_t size) "Data ready tag=0x%x len=%zd"
- scsi_disk_read_data_count(uint32_t sector_count) "Read sector_count=%d"
- scsi_disk_read_data_invalid(void) "Data transfer direction invalid"
-@@ -328,7 +329,7 @@ scsi_disk_dma_command_READ(uint64_t lba, uint32_t len) "Read (sector %" PRId64 "
- scsi_disk_dma_command_WRITE(const char *cmd, uint64_t lba, int len) "Write %s(sector %" PRId64 ", count %u)"
- scsi_disk_new_request(uint32_t lun, uint32_t tag, const char *line) "Command: lun=%d tag=0x%x data=%s"
- scsi_disk_aio_sgio_command(uint32_t tag, uint8_t cmd, uint64_t lba, int len, uint32_t timeout) "disk aio sgio: tag=0x%x cmd 0x%x (sector %" PRId64 ", count %d) timeout %u"
--scsi_disk_aio_sgio_done(uint32_t tag, int ret, uint8_t status, uint8_t host_status) "disk aio sgio: cmd 0x%x ret %d status 0x%x host_status 0x%x"
-+scsi_disk_aio_sgio_done(uint32_t tag, int ret, uint8_t status, uint8_t host_status) "disk aio sgio: tag=0x%x ret %d status 0x%x host_status 0x%x"
-
- # scsi-generic.c
- scsi_generic_command_complete_noio(void *req, uint32_t tag, uint8_t status, uint8_t host_status) "Command complete %p tag=0x%x status=0x%x host_status=0x%x"
+++ /dev/null
-From: Hannes Reinecke <hare@suse.de>
-Date: Wed, 11 Nov 2020 15:40:52 +0100
-Subject: scsi-generic: check for additional SG_IO status on completion
-
-References: bsc#1178049
-
-SG_IO may return additional status in the 'status', 'driver_status',
-and 'host_status' fields. When either of these fields are set the
-command has not been executed normally, so we should not continue
-processing this command but rather return an error.
-
-Signed-off-by: Hannes Reinecke <hare@suse.de>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/scsi/scsi-generic.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
-index b3ea492beedc2a075157957e0595..2379ca9e91b4e775080d4246ba2a 100644
---- a/hw/scsi/scsi-generic.c
-+++ b/hw/scsi/scsi-generic.c
-@@ -254,7 +254,10 @@ static void scsi_read_complete(void * opaque, int ret)
-
- aio_context_acquire(blk_get_aio_context(s->conf.blk));
-
-- if (ret || r->req.io_canceled) {
-+ if (ret || r->req.io_canceled ||
-+ r->io_header.status ||
-+ r->io_header.driver_status ||
-+ r->io_header.host_status) {
- scsi_command_complete_noio(r, ret);
- goto done;
- }
-@@ -368,7 +371,10 @@ static void scsi_write_complete(void * opaque, int ret)
-
- aio_context_acquire(blk_get_aio_context(s->conf.blk));
-
-- if (ret || r->req.io_canceled) {
-+ if (ret || r->req.io_canceled ||
-+ r->io_header.status ||
-+ r->io_header.driver_status ||
-+ r->io_header.host_status) {
- scsi_command_complete_noio(r, ret);
- goto done;
- }
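Review bot: the same four-term condition is now duplicated in scsi_read_complete() and scsi_write_complete(); a small helper taking the request would keep the two paths from drifting. In the new cases ret can be 0, so scsi_command_complete_noio(r, ret) is called with a success code while io_header reports a failure; confirm that function derives the guest-visible status from io_header rather than from ret, otherwise the error is dropped.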
+++ /dev/null
-From: Lin Ma <lma@suse.com>
-Date: Mon, 13 Sep 2021 17:06:59 +0800
-Subject: scsi-generic: pass max_segments via max_iov field in BlockLimits
-
-Git-commit: 01ef8185b809af9d287e1a03a3f9d8ea8231118a
-References: bsc#1190425
-
-I/O to a disk via read/write is not limited by the number of segments allowed
-by the host adapter; the kernel can split requests if needed, and the limit
-imposed by the host adapter can be very low (256k or so) to avoid that SG_IO
-returns EINVAL if memory is heavily fragmented.
-
-Since this value is only interesting for SG_IO-based I/O, do not include
-it in the max_transfer and only take it into account when patching the
-block limits VPD page in the scsi-generic device.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Max Reitz <mreitz@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- block/file-posix.c | 3 +--
- hw/scsi/scsi-generic.c | 6 ++++--
- 2 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/block/file-posix.c b/block/file-posix.c
-index e3cf5a160a46030b4e07b7b61203..c0e8a60d501982db438db3cb8dba 100644
---- a/block/file-posix.c
-+++ b/block/file-posix.c
-@@ -1147,8 +1147,7 @@ static void raw_refresh_limits(BlockDriverState *bs, Error **errp)
-
- ret = sg_get_max_segments(s->fd);
- if (ret > 0) {
-- bs->bl.max_transfer = MIN(bs->bl.max_transfer,
-- ret * qemu_real_host_page_size);
-+ bs->bl.max_iov = ret;
- }
- }
-
-diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
-index 2379ca9e91b4e775080d4246ba2a..a135d7087ecc8d73baeed0270d29 100644
---- a/hw/scsi/scsi-generic.c
-+++ b/hw/scsi/scsi-generic.c
-@@ -172,10 +172,12 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq *r, SCSIDevice *s)
- if (s->type == TYPE_DISK && (r->req.cmd.buf[1] & 0x01)) {
- page = r->req.cmd.buf[2];
- if (page == 0xb0) {
-- uint32_t max_transfer =
-- blk_get_max_transfer(s->conf.blk) / s->blocksize;
-+ uint32_t max_transfer = blk_get_max_transfer(s->conf.blk);
-+ uint32_t max_iov = blk_get_max_iov(s->conf.blk);
-
- assert(max_transfer);
-+ max_transfer = MIN_NON_ZERO(max_transfer, max_iov * qemu_real_host_page_size)
-+ / s->blocksize;
- stl_be_p(&r->buf[8], max_transfer);
- /* Also take care of the opt xfer len. */
- stl_be_p(&r->buf[12],
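Review bot: in the 0xb0 branch, max_iov * qemu_real_host_page_size is computed from a uint32_t operand and the result is stored back into a uint32_t, so whether the product can wrap depends on the type of qemu_real_host_page_size, which is not visible here; do the arithmetic in uint64_t and clamp before the store. The division by s->blocksize hanging on a continuation line after the macro call is easy to misread; a temporary for the byte limit followed by a separate division would be clearer. The assert(max_transfer) now only covers the value before the max_iov limit is applied, so a result of 0 after the division is not caught.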
+++ /dev/null
-From: Hannes Reinecke <hare@suse.de>
-Date: Thu, 29 Oct 2020 12:41:21 +0100
-Subject: scsi: make io_timeout settable
-
-References: bsc#1178049
-
-Add an 'io_timeout' parameter for SCSIDevice to allow
-SG_IO ioctls to pass in a timeout, avoiding infinite
-guest stalls if the host needs to abort a command.
-
-Signed-off-by: Hannes Reinecke <hare@suse.de>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/scsi/scsi-disk.c | 7 +++++--
- hw/scsi/scsi-generic.c | 15 +++++++++------
- include/hw/scsi/scsi.h | 3 ++-
- 3 files changed, 16 insertions(+), 9 deletions(-)
-
-diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
-index e44c61eeb46f72989a7bc42bb8fa..29eb2e6629297342f34bac5d98bd 100644
---- a/hw/scsi/scsi-disk.c
-+++ b/hw/scsi/scsi-disk.c
-@@ -50,6 +50,7 @@
-
- #define DEFAULT_DISCARD_GRANULARITY (4 * KiB)
- #define DEFAULT_MAX_UNMAP_SIZE (1 * GiB)
-+#define DEFAULT_IO_TIMEOUT UINT_MAX /* Infinity */
- #define DEFAULT_MAX_IO_SIZE INT_MAX /* 2 GB - 1 block */
-
- #define TYPE_SCSI_DISK_BASE "scsi-disk-base"
-@@ -2610,7 +2611,7 @@ static int get_device_type(SCSIDiskState *s)
- cmd[4] = sizeof(buf);
-
- ret = scsi_SG_IO_FROM_DEV(s->qdev.conf.blk, cmd, sizeof(cmd),
-- buf, sizeof(buf));
-+ buf, sizeof(buf), s->qdev.io_timeout);
- if (ret < 0) {
- return -1;
- }
-@@ -2771,7 +2772,7 @@ static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req,
- /* The rest is as in scsi-generic.c. */
- io_header->mx_sb_len = sizeof(r->req.sense);
- io_header->sbp = r->req.sense;
-- io_header->timeout = UINT_MAX;
-+ io_header->timeout = s->qdev.io_timeout;
- io_header->usr_ptr = r;
- io_header->flags |= SG_FLAG_DIRECT_IO;
-
-@@ -3089,6 +3090,8 @@ static Property scsi_block_properties[] = {
- DEFAULT_MAX_IO_SIZE),
- DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version,
- -1),
-+ DEFINE_PROP_UINT32("io_timeout", SCSIDiskState, qdev.io_timeout,
-+ DEFAULT_IO_TIMEOUT),
- DEFINE_PROP_END_OF_LIST(),
- };
-
-diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
-index e7798ebcd0d41f13b4cf28f9a40f..3027885538ad20f8cddbad8c4026 100644
---- a/hw/scsi/scsi-generic.c
-+++ b/hw/scsi/scsi-generic.c
-@@ -114,6 +114,8 @@ static int execute_command(BlockBackend *blk,
- SCSIGenericReq *r, int direction,
- BlockCompletionFunc *complete)
- {
-+ SCSIDevice *s = r->req.dev;
-+
- r->io_header.interface_id = 'S';
- r->io_header.dxfer_direction = direction;
- r->io_header.dxferp = r->buf;
-@@ -122,7 +124,7 @@ static int execute_command(BlockBackend *blk,
- r->io_header.cmd_len = r->req.cmd.len;
- r->io_header.mx_sb_len = sizeof(r->req.sense);
- r->io_header.sbp = r->req.sense;
-- r->io_header.timeout = MAX_UINT;
-+ r->io_header.timeout = s->io_timeout;
- r->io_header.usr_ptr = r;
- r->io_header.flags |= SG_FLAG_DIRECT_IO;
-
-@@ -503,7 +505,7 @@ static int read_naa_id(const uint8_t *p, uint64_t *p_wwn)
- }
-
- int scsi_SG_IO_FROM_DEV(BlockBackend *blk, uint8_t *cmd, uint8_t cmd_size,
-- uint8_t *buf, uint8_t buf_size)
-+ uint8_t *buf, uint8_t buf_size, uint32_t timeout)
- {
- sg_io_hdr_t io_header;
- uint8_t sensebuf[8];
-@@ -518,7 +520,7 @@ int scsi_SG_IO_FROM_DEV(BlockBackend *blk, uint8_t *cmd, uint8_t cmd_size,
- io_header.cmd_len = cmd_size;
- io_header.mx_sb_len = sizeof(sensebuf);
- io_header.sbp = sensebuf;
-- io_header.timeout = 6000; /* XXX */
-+ io_header.timeout = timeout;
-
- ret = blk_ioctl(blk, SG_IO, &io_header);
- if (ret < 0 || io_header.driver_status || io_header.host_status) {
-@@ -548,7 +550,7 @@ static void scsi_generic_set_vpd_bl_emulation(SCSIDevice *s)
- cmd[4] = sizeof(buf);
-
- ret = scsi_SG_IO_FROM_DEV(s->conf.blk, cmd, sizeof(cmd),
-- buf, sizeof(buf));
-+ buf, sizeof(buf), s->io_timeout);
- if (ret < 0) {
- /*
- * Do not assume anything if we can't retrieve the
-@@ -584,7 +586,7 @@ static void scsi_generic_read_device_identification(SCSIDevice *s)
- cmd[4] = sizeof(buf);
-
- ret = scsi_SG_IO_FROM_DEV(s->conf.blk, cmd, sizeof(cmd),
-- buf, sizeof(buf));
-+ buf, sizeof(buf), s->io_timeout);
- if (ret < 0) {
- return;
- }
-@@ -635,7 +637,7 @@ static int get_stream_blocksize(BlockBackend *blk)
- cmd[0] = MODE_SENSE;
- cmd[4] = sizeof(buf);
-
-- ret = scsi_SG_IO_FROM_DEV(blk, cmd, sizeof(cmd), buf, sizeof(buf));
-+ ret = scsi_SG_IO_FROM_DEV(blk, cmd, sizeof(cmd), buf, sizeof(buf), 60);
- if (ret < 0) {
- return -1;
- }
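Review bot: get_stream_blocksize() passes a literal 60 as the new timeout argument, while the value this parameter replaces inside scsi_SG_IO_FROM_DEV() was 6000 and the device default set in scsi_generic_realize() is 30000. The SG_IO timeout is in milliseconds, so this call drops from 6 seconds to 60 ms. If 60 seconds was intended, write 60000; either way use a named constant, since this function only has the BlockBackend and cannot read s->io_timeout.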
-@@ -725,6 +727,7 @@ static void scsi_generic_realize(SCSIDevice *s, Error **errp)
-
- /* Only used by scsi-block, but initialize it nevertheless to be clean. */
- s->default_scsi_version = -1;
-+ s->io_timeout = 30000;
- scsi_generic_read_device_inquiry(s);
- }
-
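Review bot: scsi_generic_realize() hard-codes s->io_timeout = 30000, while scsi-disk.c in the same patch defines DEFAULT_IO_TIMEOUT as UINT_MAX, so the two device types start with different defaults and only one of them is named. The only property added is in scsi_block_properties; with no "io_timeout" property visible for scsi-generic, the value is not actually settable there despite the subject line. Share one constant and add the property for scsi-generic, or say in the commit message that only scsi-block is configurable.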
-diff --git a/include/hw/scsi/scsi.h b/include/hw/scsi/scsi.h
-index 332ef602f41385fbab533143dbbc..ead723690114f847d0d3638c3c2e 100644
---- a/include/hw/scsi/scsi.h
-+++ b/include/hw/scsi/scsi.h
-@@ -88,6 +88,7 @@ struct SCSIDevice
- uint64_t port_wwn;
- int scsi_version;
- int default_scsi_version;
-+ uint32_t io_timeout;
- bool needs_vpd_bl_emulation;
- bool hba_supports_iothread;
- };
-@@ -192,7 +193,7 @@ void scsi_device_unit_attention_reported(SCSIDevice *dev);
- void scsi_generic_read_device_inquiry(SCSIDevice *dev);
- int scsi_device_get_sense(SCSIDevice *dev, uint8_t *buf, int len, bool fixed);
- int scsi_SG_IO_FROM_DEV(BlockBackend *blk, uint8_t *cmd, uint8_t cmd_size,
-- uint8_t *buf, uint8_t buf_size);
-+ uint8_t *buf, uint8_t buf_size, uint32_t timeout);
- SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int target, int lun);
-
- /* scsi-generic.c. */
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 6 Oct 2020 15:39:01 +0300
-Subject: scsi/scsi-bus: scsi_device_find: don't return unrealized devices
-
-Git-commit: 8ddf958e8d62ada6395460b91ec5964ef21fed12
-References: bsc#1184574
-
-The device core first places a device on the bus and then realizes it.
-Make scsi_device_find avoid returing such devices to avoid
-races in drivers that use an iothread (currently virtio-scsi)
-
-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1812399
-
-Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-Id: <20200913160259.32145-7-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-Id: <20201006123904.610658-11-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- hw/scsi/scsi-bus.c | 83 +++++++++++++++++++++++++++++-----------------
- 1 file changed, 53 insertions(+), 30 deletions(-)
-
-diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
-index 57dc025225f6bc1558516168a062..643d87966c88f0575404f0927856 100644
---- a/hw/scsi/scsi-bus.c
-+++ b/hw/scsi/scsi-bus.c
-@@ -24,6 +24,55 @@ static void scsi_target_free_buf(SCSIRequest *req);
-
- static int next_scsi_bus;
-
-+static SCSIDevice *do_scsi_device_find(SCSIBus *bus,
-+ int channel, int id, int lun,
-+ bool include_unrealized)
-+{
-+ BusChild *kid;
-+ SCSIDevice *retval = NULL;
-+
-+ QTAILQ_FOREACH_RCU(kid, &bus->qbus.children, sibling) {
-+ DeviceState *qdev = kid->child;
-+ SCSIDevice *dev = SCSI_DEVICE(qdev);
-+
-+ if (dev->channel == channel && dev->id == id) {
-+ if (dev->lun == lun) {
-+ retval = dev;
-+ break;
-+ }
-+
-+ /*
-+ * If we don't find exact match (channel/bus/lun),
-+ * we will return the first device which matches channel/bus
-+ */
-+
-+ if (!retval) {
-+ retval = dev;
-+ }
-+ }
-+ }
-+
-+ /*
-+ * This function might run on the IO thread and we might race against
-+ * main thread hot-plugging the device.
-+ * We assume that as soon as .realized is set to true we can let
-+ * the user access the device.
-+ */
-+
-+ if (retval && !include_unrealized &&
-+ !atomic_load_acquire(&retval->qdev.realized)) {
-+ retval = NULL;
-+ }
-+
-+ return retval;
-+}
-+
-+SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun)
-+{
-+ RCU_READ_LOCK_GUARD();
-+ return do_scsi_device_find(bus, channel, id, lun, false);
-+}
-+
- static void scsi_device_realize(SCSIDevice *s, Error **errp)
- {
- SCSIDeviceClass *sc = SCSI_DEVICE_GET_CLASS(s);
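Review bot: The realized check in do_scsi_device_find() is applied only to the single candidate left in retval after the loop, so an unrealized device can hide a realized one. If the exact channel/id/lun match is still unrealized, or the first channel/id fallback is, the function returns NULL even when another realized device on the same target would have been a valid fallback. Consider skipping unrealized devices inside the QTAILQ_FOREACH_RCU loop when include_unrealized is false, or state in the comment that returning NULL in this case is intended.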
-@@ -137,7 +186,10 @@ static bool scsi_bus_is_address_free(SCSIBus *bus,
- int channel, int target, int lun,
- SCSIDevice **p_dev)
- {
-- SCSIDevice *d = scsi_device_find(bus, channel, target, lun);
-+ SCSIDevice *d;
-+
-+ RCU_READ_LOCK_GUARD();
-+ d = do_scsi_device_find(bus, channel, target, lun, true);
- if (d && d->lun == lun) {
- if (p_dev) {
- *p_dev = d;
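Review bot: The call in scsi_bus_is_address_free() passes include_unrealized as a bare true with no explanation. A one-line comment saying that the address check must also see devices already placed on the bus but not yet realized would keep a later reader from "fixing" it to false.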
-@@ -1582,35 +1634,6 @@ static char *scsibus_get_fw_dev_path(DeviceState *dev)
- qdev_fw_name(dev), d->id, d->lun);
- }
-
--SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun)
--{
-- BusChild *kid;
-- SCSIDevice *target_dev = NULL;
--
-- RCU_READ_LOCK_GUARD();
-- QTAILQ_FOREACH_RCU(kid, &bus->qbus.children, sibling) {
-- DeviceState *qdev = kid->child;
-- SCSIDevice *dev = SCSI_DEVICE(qdev);
--
-- if (dev->channel == channel && dev->id == id) {
-- if (dev->lun == lun) {
-- return dev;
-- }
--
-- /*
-- * If we don't find exact match (channel/bus/lun),
-- * we will return the first device which matches channel/bus
-- */
--
-- if (!target_dev) {
-- target_dev = dev;
-- }
-- }
-- }
--
-- return target_dev;
--}
--
- /* SCSI request list. For simplicity, pv points to the whole device */
-
- static int put_scsi_requests(QEMUFile *f, void *pv, size_t size,
+++ /dev/null
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Tue, 6 Oct 2020 15:39:02 +0300
-Subject: scsi/scsi_bus: Add scsi_device_get
-
-Git-commit: 8ff34495601067d02edb54b4346cace84ec4e1df
-References: bsc#1184574
-
-Add scsi_device_get which finds the scsi device
-and takes a reference to it.
-
-Suggested-by: Stefan Hajnoczi <stefanha@gmail.com>
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Message-Id: <20200913160259.32145-8-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-Id: <20201006123904.610658-12-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- hw/scsi/scsi-bus.c | 11 +++++++++++
- include/hw/scsi/scsi.h | 1 +
- 2 files changed, 12 insertions(+)
-
-diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
-index 643d87966c88f0575404f0927856..856148399c720c58cfda01ff6920 100644
---- a/hw/scsi/scsi-bus.c
-+++ b/hw/scsi/scsi-bus.c
-@@ -73,6 +73,17 @@ SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun)
- return do_scsi_device_find(bus, channel, id, lun, false);
- }
-
-+SCSIDevice *scsi_device_get(SCSIBus *bus, int channel, int id, int lun)
-+{
-+ SCSIDevice *d;
-+ RCU_READ_LOCK_GUARD();
-+ d = do_scsi_device_find(bus, channel, id, lun, false);
-+ if (d) {
-+ object_ref(d);
-+ }
-+ return d;
-+}
-+
- static void scsi_device_realize(SCSIDevice *s, Error **errp)
- {
- SCSIDeviceClass *sc = SCSI_DEVICE_GET_CLASS(s);
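Review bot: scsi_device_get() returns a device with an extra reference taken by object_ref(d), but nothing here or in the header prototype tells the caller that it owns that reference and must drop it with object_unref(). Please add a short doc comment stating the ownership rule and how it differs from scsi_device_find(). Minor style point: a blank line between the declaration of d and RCU_READ_LOCK_GUARD() would match scsi_bus_is_address_free().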
-diff --git a/include/hw/scsi/scsi.h b/include/hw/scsi/scsi.h
-index ead723690114f847d0d3638c3c2e..b695e5e6ec6bd9ac60ec99a529ed 100644
---- a/include/hw/scsi/scsi.h
-+++ b/include/hw/scsi/scsi.h
-@@ -195,6 +195,7 @@ int scsi_device_get_sense(SCSIDevice *dev, uint8_t *buf, int len, bool fixed);
- int scsi_SG_IO_FROM_DEV(BlockBackend *blk, uint8_t *cmd, uint8_t cmd_size,
- uint8_t *buf, uint8_t buf_size, uint32_t timeout);
- SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int target, int lun);
-+SCSIDevice *scsi_device_get(SCSIBus *bus, int channel, int target, int lun);
-
- /* scsi-generic.c. */
- extern const SCSIReqOps scsi_generic_req_ops;
+++ /dev/null
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Tue, 6 Oct 2020 15:39:04 +0300
-Subject: scsi/scsi_bus: fix races in REPORT LUNS
-
-Git-commit: 8cfe8013baec2a6f66240ffd767fad2699d85144
-References: bsc#1184574
-
-Currently scsi_target_emulate_report_luns iterates over the child device list
-twice, and there is no guarantee that this list is the same in both iterations.
-
-The reason for iterating twice is that the first iteration calculates
-how much memory to allocate. However if we use a dynamic array we can
-avoid iterating twice, and therefore we avoid this race.
-
-Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1866707
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-Id: <20200913160259.32145-10-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-Id: <20201006123904.610658-14-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- hw/scsi/scsi-bus.c | 68 ++++++++++++++++++++++------------------------
- 1 file changed, 33 insertions(+), 35 deletions(-)
-
-diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
-index 856148399c720c58cfda01ff6920..2d112d3cb291ddd7a30f66f0c1d2 100644
---- a/hw/scsi/scsi-bus.c
-+++ b/hw/scsi/scsi-bus.c
-@@ -450,19 +450,23 @@ struct SCSITargetReq {
- static void store_lun(uint8_t *outbuf, int lun)
- {
- if (lun < 256) {
-+ /* Simple logical unit addressing method*/
-+ outbuf[0] = 0;
- outbuf[1] = lun;
-- return;
-+ } else {
-+ /* Flat space addressing method */
-+ outbuf[0] = 0x40 | (lun >> 8);
-+ outbuf[1] = (lun & 255);
- }
-- outbuf[1] = (lun & 255);
-- outbuf[0] = (lun >> 8) | 0x40;
- }
-
- static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
- {
- BusChild *kid;
-- int i, len, n;
- int channel, id;
-- bool found_lun0;
-+ uint8_t tmp[8] = {0};
-+ int len = 0;
-+ GByteArray *buf;
-
- if (r->req.cmd.xfer < 16) {
- return false;
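Review bot: In the flat space branch of store_lun(), outbuf[0] = 0x40 | (lun >> 8) has no bound on lun, so any value above 0x3FFF spills into the two addressing-method bits and produces an entry with a different method than the comment claims. Either mask the high part with 0x3f or assert the range. Style: the comment "Simple logical unit addressing method*/" is missing the space before the closing marker.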
-@@ -470,46 +474,40 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
- if (r->req.cmd.buf[2] > 2) {
- return false;
- }
-+
-+ /* reserve space for 63 LUNs*/
-+ buf = g_byte_array_sized_new(512);
-+
- channel = r->req.dev->channel;
- id = r->req.dev->id;
-- found_lun0 = false;
-- n = 0;
-
-- RCU_READ_LOCK_GUARD();
-+ /* add size (will be updated later to correct value */
-+ g_byte_array_append(buf, tmp, 8);
-+ len += 8;
-
-- QTAILQ_FOREACH_RCU(kid, &r->req.bus->qbus.children, sibling) {
-- DeviceState *qdev = kid->child;
-- SCSIDevice *dev = SCSI_DEVICE(qdev);
-+ /* add LUN0 */
-+ g_byte_array_append(buf, tmp, 8);
-+ len += 8;
-
-- if (dev->channel == channel && dev->id == id) {
-- if (dev->lun == 0) {
-- found_lun0 = true;
-+ WITH_RCU_READ_LOCK_GUARD() {
-+ QTAILQ_FOREACH_RCU(kid, &r->req.bus->qbus.children, sibling) {
-+ DeviceState *qdev = kid->child;
-+ SCSIDevice *dev = SCSI_DEVICE(qdev);
-+
-+ if (dev->channel == channel && dev->id == id && dev->lun != 0) {
-+ store_lun(tmp, dev->lun);
-+ g_byte_array_append(buf, tmp, 8);
-+ len += 8;
- }
-- n += 8;
- }
- }
-- if (!found_lun0) {
-- n += 8;
-- }
--
-- scsi_target_alloc_buf(&r->req, n + 8);
--
-- len = MIN(n + 8, r->req.cmd.xfer & ~7);
-- memset(r->buf, 0, len);
-- stl_be_p(&r->buf[0], n);
-- i = found_lun0 ? 8 : 16;
-- QTAILQ_FOREACH_RCU(kid, &r->req.bus->qbus.children, sibling) {
-- DeviceState *qdev = kid->child;
-- SCSIDevice *dev = SCSI_DEVICE(qdev);
-
-- if (dev->channel == channel && dev->id == id) {
-- store_lun(&r->buf[i], dev->lun);
-- i += 8;
-- }
-- }
-+ r->buf_len = len;
-+ r->buf = g_byte_array_free(buf, FALSE);
-+ r->len = MIN(len, r->req.cmd.xfer & ~7);
-
-- assert(i == n + 8);
-- r->len = len;
-+ /* store the LUN list length */
-+ stl_be_p(&r->buf[0], len - 8);
- return true;
- }
-
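Review bot: The new loop under WITH_RCU_READ_LOCK_GUARD() reports every child that matches channel and id, including devices that are on the bus but not yet realized, while the same series makes scsi_device_find() hide such devices. A guest could then see a LUN in REPORT LUNS that it cannot address yet. Consider adding the realized test to the condition next to dev->lun != 0. Also, r->buf now comes from g_byte_array_free(buf, FALSE) instead of scsi_target_alloc_buf(), so please confirm that any previous r->buf is released first and that the free path uses g_free(). The comment "add size (will be updated later to correct value" has an unbalanced parenthesis.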
+++ /dev/null
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Tue, 6 Oct 2020 14:38:57 +0200
-Subject: scsi/scsi_bus: switch search direction in scsi_device_find
-
-Git-commit: 7a8202c521a5d1ac9e289d5c2b5125a9310af178
-References: bsc#1184574
-
-This change will allow us to convert the bus children list to RCU,
-while not changing the logic of this function
-
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-Id: <20200913160259.32145-2-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- hw/scsi/scsi-bus.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
-index ad0e7f6d8895690fefbaa4207816..4f277985f64be532c8151a0ac09b 100644
---- a/hw/scsi/scsi-bus.c
-+++ b/hw/scsi/scsi-bus.c
-@@ -1584,7 +1584,7 @@ SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun)
- BusChild *kid;
- SCSIDevice *target_dev = NULL;
-
-- QTAILQ_FOREACH_REVERSE(kid, &bus->qbus.children, sibling) {
-+ QTAILQ_FOREACH(kid, &bus->qbus.children, sibling) {
- DeviceState *qdev = kid->child;
- SCSIDevice *dev = SCSI_DEVICE(qdev);
-
-@@ -1592,7 +1592,15 @@ SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun)
- if (dev->lun == lun) {
- return dev;
- }
-- target_dev = dev;
-+
-+ /*
-+ * If we don't find exact match (channel/bus/lun),
-+ * we will return the first device which matches channel/bus
-+ */
-+
-+ if (!target_dev) {
-+ target_dev = dev;
-+ }
- }
- }
- return target_dev;
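Review bot: The added comment says "channel/bus/lun" and "channel/bus", but the code compares dev->channel, dev->id and dev->lun, so the comment should read channel/id/lun and channel/id. It would also help to note that with forward iteration an exact match now returns the first matching entry in list order rather than the last, which is equivalent only while addresses on the bus are unique.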
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 6 Oct 2020 15:38:56 +0300
-Subject: scsi: switch to bus->check_address
-
-Git-commit: 42a90a899e70f5fbef2b5a117535acaa0bc1f5ad
-References: bsc#1184574
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-Id: <20201006123904.610658-6-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- hw/scsi/scsi-bus.c | 122 ++++++++++++++++++++++++++++-----------------
- 1 file changed, 75 insertions(+), 47 deletions(-)
-
-diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
-index 3c604bfe22e02a4e7b7f11f80769..57dc025225f6bc1558516168a062 100644
---- a/hw/scsi/scsi-bus.c
-+++ b/hw/scsi/scsi-bus.c
-@@ -22,33 +22,6 @@ static void scsi_req_dequeue(SCSIRequest *req);
- static uint8_t *scsi_target_alloc_buf(SCSIRequest *req, size_t len);
- static void scsi_target_free_buf(SCSIRequest *req);
-
--static Property scsi_props[] = {
-- DEFINE_PROP_UINT32("channel", SCSIDevice, channel, 0),
-- DEFINE_PROP_UINT32("scsi-id", SCSIDevice, id, -1),
-- DEFINE_PROP_UINT32("lun", SCSIDevice, lun, -1),
-- DEFINE_PROP_END_OF_LIST(),
--};
--
--static void scsi_bus_class_init(ObjectClass *klass, void *data)
--{
-- BusClass *k = BUS_CLASS(klass);
-- HotplugHandlerClass *hc = HOTPLUG_HANDLER_CLASS(klass);
--
-- k->get_dev_path = scsibus_get_dev_path;
-- k->get_fw_dev_path = scsibus_get_fw_dev_path;
-- hc->unplug = qdev_simple_device_unplug_cb;
--}
--
--static const TypeInfo scsi_bus_info = {
-- .name = TYPE_SCSI_BUS,
-- .parent = TYPE_BUS,
-- .instance_size = sizeof(SCSIBus),
-- .class_init = scsi_bus_class_init,
-- .interfaces = (InterfaceInfo[]) {
-- { TYPE_HOTPLUG_HANDLER },
-- { }
-- }
--};
- static int next_scsi_bus;
-
- static void scsi_device_realize(SCSIDevice *s, Error **errp)
-@@ -160,35 +133,68 @@ static void scsi_dma_restart_cb(void *opaque, int running, RunState state)
- }
- }
-
--static void scsi_qdev_realize(DeviceState *qdev, Error **errp)
-+static bool scsi_bus_is_address_free(SCSIBus *bus,
-+ int channel, int target, int lun,
-+ SCSIDevice **p_dev)
-+{
-+ SCSIDevice *d = scsi_device_find(bus, channel, target, lun);
-+ if (d && d->lun == lun) {
-+ if (p_dev) {
-+ *p_dev = d;
-+ }
-+ return false;
-+ }
-+ if (p_dev) {
-+ *p_dev = NULL;
-+ }
-+ return true;
-+}
-+
-+static bool scsi_bus_check_address(BusState *qbus, DeviceState *qdev, Error **errp)
- {
- SCSIDevice *dev = SCSI_DEVICE(qdev);
-- SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, dev->qdev.parent_bus);
-- SCSIDevice *d;
-- Error *local_err = NULL;
-+ SCSIBus *bus = SCSI_BUS(qbus);
-
- if (dev->channel > bus->info->max_channel) {
- error_setg(errp, "bad scsi channel id: %d", dev->channel);
-- return;
-+ return false;
- }
- if (dev->id != -1 && dev->id > bus->info->max_target) {
- error_setg(errp, "bad scsi device id: %d", dev->id);
-- return;
-+ return false;
- }
- if (dev->lun != -1 && dev->lun > bus->info->max_lun) {
- error_setg(errp, "bad scsi device lun: %d", dev->lun);
-- return;
-+ return false;
-+ }
-+
-+ if (dev->id != -1 && dev->lun != -1) {
-+ SCSIDevice *d;
-+ if (!scsi_bus_is_address_free(bus, dev->channel, dev->id, dev->lun, &d)) {
-+ error_setg(errp, "lun already used by '%s'", d->qdev.id);
-+ return false;
-+ }
- }
-
-+ return true;
-+}
-+
-+static void scsi_qdev_realize(DeviceState *qdev, Error **errp)
-+{
-+ SCSIDevice *dev = SCSI_DEVICE(qdev);
-+ SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, dev->qdev.parent_bus);
-+ bool is_free;
-+ Error *local_err = NULL;
-+
- if (dev->id == -1) {
- int id = -1;
- if (dev->lun == -1) {
- dev->lun = 0;
- }
- do {
-- d = scsi_device_find(bus, dev->channel, ++id, dev->lun);
-- } while (d && d->lun == dev->lun && id < bus->info->max_target);
-- if (d && d->lun == dev->lun) {
-+ is_free = scsi_bus_is_address_free(bus, dev->channel, ++id, dev->lun, NULL);
-+ } while (!is_free && id < bus->info->max_target);
-+ if (!is_free) {
- error_setg(errp, "no free target");
- return;
- }
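Review bot: In scsi_bus_check_address(), the error path formats d->qdev.id with %s; if the conflicting device was created without an id this passes NULL to the format string. Consider falling back to a placeholder or the canonical path when the id is not set. Style: the scsi_bus_check_address() prototype and the two scsi_bus_is_address_free() calls in scsi_qdev_realize() run past 80 columns and should be wrapped.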
-@@ -196,20 +202,13 @@ static void scsi_qdev_realize(DeviceState *qdev, Error **errp)
- } else if (dev->lun == -1) {
- int lun = -1;
- do {
-- d = scsi_device_find(bus, dev->channel, dev->id, ++lun);
-- } while (d && d->lun == lun && lun < bus->info->max_lun);
-- if (d && d->lun == lun) {
-+ is_free = scsi_bus_is_address_free(bus, dev->channel, dev->id, ++lun, NULL);
-+ } while (!is_free && lun < bus->info->max_lun);
-+ if (!is_free) {
- error_setg(errp, "no free lun");
- return;
- }
- dev->lun = lun;
-- } else {
-- d = scsi_device_find(bus, dev->channel, dev->id, dev->lun);
-- assert(d);
-- if (d->lun == dev->lun && dev != d) {
-- error_setg(errp, "lun already used by '%s'", d->qdev.id);
-- return;
-- }
- }
-
- QTAILQ_INIT(&dev->requests);
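Review bot: Removing the final else branch drops both the assert(d) and the dev != d test, so scsi_qdev_realize() no longer checks for a duplicate when id and lun are given explicitly and relies entirely on scsi_bus_check_address() having run before the device was linked to the bus. Please add a comment at this point stating that ordering assumption, since the self-comparison guard that used to protect against it is gone.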
-@@ -1735,6 +1734,13 @@ const VMStateDescription vmstate_scsi_device = {
- }
- };
-
-+static Property scsi_props[] = {
-+ DEFINE_PROP_UINT32("channel", SCSIDevice, channel, 0),
-+ DEFINE_PROP_UINT32("scsi-id", SCSIDevice, id, -1),
-+ DEFINE_PROP_UINT32("lun", SCSIDevice, lun, -1),
-+ DEFINE_PROP_END_OF_LIST(),
-+};
-+
- static void scsi_device_class_init(ObjectClass *klass, void *data)
- {
- DeviceClass *k = DEVICE_CLASS(klass);
-@@ -1765,6 +1771,28 @@ static const TypeInfo scsi_device_type_info = {
- .instance_init = scsi_dev_instance_init,
- };
-
-+static void scsi_bus_class_init(ObjectClass *klass, void *data)
-+{
-+ BusClass *k = BUS_CLASS(klass);
-+ HotplugHandlerClass *hc = HOTPLUG_HANDLER_CLASS(klass);
-+
-+ k->get_dev_path = scsibus_get_dev_path;
-+ k->get_fw_dev_path = scsibus_get_fw_dev_path;
-+ k->check_address = scsi_bus_check_address;
-+ hc->unplug = qdev_simple_device_unplug_cb;
-+}
-+
-+static const TypeInfo scsi_bus_info = {
-+ .name = TYPE_SCSI_BUS,
-+ .parent = TYPE_BUS,
-+ .instance_size = sizeof(SCSIBus),
-+ .class_init = scsi_bus_class_init,
-+ .interfaces = (InterfaceInfo[]) {
-+ { TYPE_HOTPLUG_HANDLER },
-+ { }
-+ }
-+};
-+
- static void scsi_register_types(void)
- {
- type_register_static(&scsi_bus_info);
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Thu, 27 Jun 2019 10:15:24 -0600
-Subject: seabios: switch to python3 as needed
-
-Switch to python3 the places where "python2" is explicitly referenced.
-(Ignore the uses of #!/usr/bin/env python, since that usage does the
-right thing in our build environment).
-Include changes proposed by the python3 2to3 tool.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- Makefile | 2 +-
- scripts/acpi_extract.py | 4 ++--
- scripts/acpi_extract_preprocess.py | 2 +-
- scripts/layoutrom.py | 28 ++++++++++++++--------------
- scripts/vgafixup.py | 2 +-
- 5 files changed, 19 insertions(+), 19 deletions(-)
-
-diff --git a/roms/seabios/Makefile b/roms/seabios/Makefile
-index de1fa90035b82ef3608d68d62f59..ca8d0283922bbfa931e85511e921 100644
---- a/roms/seabios/Makefile
-+++ b/roms/seabios/Makefile
-@@ -22,7 +22,7 @@ LD=$(CROSS_PREFIX)ld
- OBJCOPY=$(CROSS_PREFIX)objcopy
- OBJDUMP=$(CROSS_PREFIX)objdump
- STRIP=$(CROSS_PREFIX)strip
--PYTHON=python2
-+PYTHON=python3
- CPP=cpp
- IASL:=iasl
- LD32BIT_FLAG:=-melf_i386
-diff --git a/roms/seabios/scripts/acpi_extract.py b/roms/seabios/scripts/acpi_extract.py
-index 86c6226c0f9aae4e4687cf216369..7ac054e626780253fcec78414b17 100755
---- a/roms/seabios/scripts/acpi_extract.py
-+++ b/roms/seabios/scripts/acpi_extract.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python2
-+#!/usr/bin/python3
- # Copyright (C) 2011 Red Hat, Inc., Michael S. Tsirkin <mst@redhat.com>
- #
- # This file may be distributed under the terms of the GNU GPLv3 license.
-@@ -348,7 +348,7 @@ def main():
- # Pretty print output
- outstrs = ["/* DO NOT EDIT! This is an autogenerated file."
- " See scripts/acpi_extract.py. */"]
-- for array in output.keys():
-+ for array in list(output.keys()):
- otype = get_value_type(max(output[array]))
- outstrs.append("static unsigned %s %s[] = {" % (otype, array))
- odata = []
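Review bot: The list(output.keys()) wrapper added to the for loop is only needed when the dictionary is modified during iteration, and nothing in the visible loop body does that. Iterating over output directly keeps the script simpler and avoids carrying mechanical 2to3 output into the tree.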
-diff --git a/roms/seabios/scripts/acpi_extract_preprocess.py b/roms/seabios/scripts/acpi_extract_preprocess.py
-index b8e92a525730442815a0dce78f45..6963847a8b5d3e4bf9340a67afe2 100755
---- a/roms/seabios/scripts/acpi_extract_preprocess.py
-+++ b/roms/seabios/scripts/acpi_extract_preprocess.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python2
-+#!/usr/bin/python3
- # Copyright (C) 2011 Red Hat, Inc., Michael S. Tsirkin <mst@redhat.com>
- #
- # This file may be distributed under the terms of the GNU GPLv3 license.
-diff --git a/roms/seabios/scripts/layoutrom.py b/roms/seabios/scripts/layoutrom.py
-index 6616721d1b584892074491b292ba..c6d003273990ae66ca62bc36fe07 100755
---- a/roms/seabios/scripts/layoutrom.py
-+++ b/roms/seabios/scripts/layoutrom.py
-@@ -81,8 +81,8 @@ def fitSections(sections, fillsections):
- section.finalsegloc = addr
- fixedsections.append((addr, section))
- if section.align != 1:
-- print("Error: Fixed section %s has non-zero alignment (%d)" % (
-- section.name, section.align))
-+ print(("Error: Fixed section %s has non-zero alignment (%d)" % (
-+ section.name, section.align)))
- sys.exit(1)
- fixedsections.sort(key=operator.itemgetter(0))
- firstfixed = fixedsections[0][0]
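Review bot: The print call in fitSections() already used function-call syntax, so the extra pair of parentheses added here changes nothing and only makes the line harder to read. The same applies to the other print(( ... )) rewrites in this file and in vgafixup.py; I would drop them and keep only the changes that are required for python3.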
-@@ -142,10 +142,10 @@ def fitSections(sections, fillsections):
- # Report stats
- total = BUILD_BIOS_SIZE-firstfixed
- slack = total - totalused
-- print ("Fixed space: 0x%x-0x%x total: %d slack: %d"
-+ print(("Fixed space: 0x%x-0x%x total: %d slack: %d"
- " Percent slack: %.1f%%" % (
- firstfixed, BUILD_BIOS_SIZE, total, slack,
-- (float(slack) / total) * 100.0))
-+ (float(slack) / total) * 100.0)))
-
- return firstfixed + BUILD_BIOS_ADDR
-
-@@ -288,12 +288,12 @@ def doLayout(sections, config, genreloc):
- size32flat = sec32fseg_start - sec32flat_start
- size32init = sec32flat_start - sec32init_start
- sizelow = li.sec32low_end - li.sec32low_start
-- print("16bit size: %d" % size16)
-- print("32bit segmented size: %d" % size32seg)
-- print("32bit flat size: %d" % (size32flat + size32textfseg))
-- print("32bit flat init size: %d" % size32init)
-- print("Lowmem size: %d" % sizelow)
-- print("f-segment var size: %d" % size32fseg)
-+ print(("16bit size: %d" % size16))
-+ print(("32bit segmented size: %d" % size32seg))
-+ print(("32bit flat size: %d" % (size32flat + size32textfseg)))
-+ print(("32bit flat init size: %d" % size32init))
-+ print(("Lowmem size: %d" % sizelow))
-+ print(("f-segment var size: %d" % size32fseg))
- return li
-
-
-@@ -312,7 +312,7 @@ def outXRefs(sections, useseg=0, exportsyms=[], forcedelta=0):
- and (symbol.section.fileid != section.fileid
- or symbol.name != reloc.symbolname)):
- xrefs[reloc.symbolname] = symbol
-- for symbolname, symbol in xrefs.items():
-+ for symbolname, symbol in list(xrefs.items()):
- loc = symbol.section.finalloc
- if useseg:
- loc = symbol.section.finalsegloc
-@@ -482,8 +482,8 @@ def checkRuntime(reloc, rsection, data, chain):
- if section is None or '.init.' in section.name:
- return 0
- if '.data.varinit.' in section.name:
-- print("ERROR: %s is VARVERIFY32INIT but used from %s" % (
-- section.name, chain))
-+ print(("ERROR: %s is VARVERIFY32INIT but used from %s" % (
-+ section.name, chain)))
- sys.exit(1)
- return 1
-
-@@ -691,7 +691,7 @@ def main():
- li = doLayout(sections, config, genreloc)
-
- # Exported symbols
-- li.varlowsyms = [symbol for symbol in symbols['32flat'].values()
-+ li.varlowsyms = [symbol for symbol in list(symbols['32flat'].values())
- if (symbol.section is not None
- and symbol.section.finalloc is not None
- and '.data.varlow.' in symbol.section.name
-diff --git a/roms/seabios/scripts/vgafixup.py b/roms/seabios/scripts/vgafixup.py
-index 2053cd5d78e5935658e1fecec074..dc662480f909e27958fa906d73b1 100644
---- a/roms/seabios/scripts/vgafixup.py
-+++ b/roms/seabios/scripts/vgafixup.py
-@@ -29,7 +29,7 @@ re_leal = re.compile(
- def handle_leal(sline):
- m = re_leal.match(sline[5:])
- if m is None or m.group('index') == '%esp':
-- print("Unable to fixup leal instruction: %s" % (sline,))
-+ print(("Unable to fixup leal instruction: %s" % (sline,)))
- sys.exit(-1)
- offset, base, index, scale, dest = m.group(
- 'offset', 'base', 'index', 'scale', 'dest')
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Thu, 27 Jun 2019 10:15:24 -0600
-Subject: seabios: use python2 explicitly as needed
-
-Switch to python2 the places where "python" is explicitly referenced.
-(Ignore the uses of #!/usr/bin/env python, since that usage does the
-right thing in our build environment).
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- Makefile | 2 +-
- scripts/acpi_extract.py | 2 +-
- scripts/acpi_extract_preprocess.py | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/roms/seabios/Makefile b/roms/seabios/Makefile
-index 5f7d5370198abac950b24e08a7aa..de1fa90035b82ef3608d68d62f59 100644
---- a/roms/seabios/Makefile
-+++ b/roms/seabios/Makefile
-@@ -22,7 +22,7 @@ LD=$(CROSS_PREFIX)ld
- OBJCOPY=$(CROSS_PREFIX)objcopy
- OBJDUMP=$(CROSS_PREFIX)objdump
- STRIP=$(CROSS_PREFIX)strip
--PYTHON=python
-+PYTHON=python2
- CPP=cpp
- IASL:=iasl
- LD32BIT_FLAG:=-melf_i386
-diff --git a/roms/seabios/scripts/acpi_extract.py b/roms/seabios/scripts/acpi_extract.py
-index 3ed863b6a79412a1276bb905d08f..86c6226c0f9aae4e4687cf216369 100755
---- a/roms/seabios/scripts/acpi_extract.py
-+++ b/roms/seabios/scripts/acpi_extract.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python2
- # Copyright (C) 2011 Red Hat, Inc., Michael S. Tsirkin <mst@redhat.com>
- #
- # This file may be distributed under the terms of the GNU GPLv3 license.
-diff --git a/roms/seabios/scripts/acpi_extract_preprocess.py b/roms/seabios/scripts/acpi_extract_preprocess.py
-index 2698118406d97c164783335c7fb6..b8e92a525730442815a0dce78f45 100755
---- a/roms/seabios/scripts/acpi_extract_preprocess.py
-+++ b/roms/seabios/scripts/acpi_extract_preprocess.py
-@@ -1,4 +1,4 @@
--#!/usr/bin/python
-+#!/usr/bin/python2
- # Copyright (C) 2011 Red Hat, Inc., Michael S. Tsirkin <mst@redhat.com>
- #
- # This file may be distributed under the terms of the GNU GPLv3 license.
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Thu, 27 Jun 2019 10:15:24 -0600
-Subject: sgabios:Makefile: fix issues of build reproducibility
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It is desirable to produce the same bits on subsequent
-builds when the actual code of the package doesn't
-change. (bsc#1011213)
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
-Signed-off-by: Andreas Färber <afaerber@suse.de>
----
- Makefile | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/roms/sgabios/Makefile b/roms/sgabios/Makefile
-index 970b0ff37a1ae58e98d0527da215..d2934c9f678dadfae5201b8507e9 100644
---- a/roms/sgabios/Makefile
-+++ b/roms/sgabios/Makefile
-@@ -14,10 +14,10 @@
- #
- # $Id$
-
--BUILD_DATE = \"$(shell date -u)\"
--BUILD_SHORT_DATE = \"$(shell date -u +%D)\"
--BUILD_HOST = \"$(shell hostname)\"
--BUILD_USER = \"$(shell whoami)\"
-+BUILD_DATE = \"$(shell date --date='@$(PACKAGING_TIMESTAMP)' -u)\"
-+BUILD_SHORT_DATE = \"$(shell date --date='@$(PACKAGING_TIMESTAMP)' -u +%D)\"
-+BUILD_HOST = \"buildhost\"
-+BUILD_USER = \"geeko\"
-
- CFLAGS := -Wall -Os -m32 -nostdlib
-
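Review bot: BUILD_DATE and BUILD_SHORT_DATE now depend on PACKAGING_TIMESTAMP with no fallback, so a build outside the packaging environment runs date --date='@' with an empty value, which fails and leaves both strings empty. Consider defaulting the variable (for example with ?= to a fixed epoch value, or to SOURCE_DATE_EPOCH where that is set) so the Makefile still works stand-alone. Note also that --date is a GNU date option, which is worth a comment if other build hosts matter.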
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 26 Nov 2020 19:27:06 +0530
-Subject: slirp: check pkt_len before reading protocol header
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f
-References: bsc#1179466, bsc#1179467
-
-While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input'
-routines, ensure that pkt_len is large enough to accommodate the
-respective protocol headers, lest it should do an OOB access.
-Add check to avoid it.
-
-CVE-2020-29129 CVE-2020-29130
- QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets
- -> https://www.openwall.com/lists/oss-security/2020/11/27/1
-
-Reported-by: Qiuhao Li <Qiuhao.Li@outlook.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20201126135706.273950-1-ppandit@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- src/ncsi.c | 4 ++++
- src/slirp.c | 4 ++++
- 2 files changed, 8 insertions(+)
-
-diff --git a/slirp/src/ncsi.c b/slirp/src/ncsi.c
-index ddd980d869546d314df6f6441475..4bc1d07faadc94ec578d51e58c2c 100644
---- a/slirp/src/ncsi.c
-+++ b/slirp/src/ncsi.c
-@@ -147,6 +147,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
- uint32_t checksum;
- uint32_t *pchecksum;
-
-+ if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) {
-+ return; /* packet too short */
-+ }
-+
- memset(ncsi_reply, 0, sizeof(ncsi_reply));
-
- memset(reh->h_dest, 0xff, ETH_ALEN);
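Review bot: The new check in ncsi_input() compares the signed int pkt_len against ETH_HLEN + sizeof(struct ncsi_pkt_hdr), which has type size_t, so pkt_len is converted to unsigned and a negative value would compare as very large and pass. If callers cannot guarantee a non-negative length, add an explicit pkt_len < 0 test or change the parameter type. The check also covers only the fixed header, so any later access to payload or checksum fields beyond it still needs its own length validation.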
-diff --git a/slirp/src/slirp.c b/slirp/src/slirp.c
-index 14458e8510e7ca2d704577030524..ef359c862b34c75bf5454320c5d1 100644
---- a/slirp/src/slirp.c
-+++ b/slirp/src/slirp.c
-@@ -755,6 +755,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len)
- return;
- }
-
-+ if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) {
-+ return; /* packet too short */
-+ }
-+
- ar_op = ntohs(ah->ar_op);
- switch (ar_op) {
- case ARPOP_REQUEST:
+++ /dev/null
-From: BALATON Zoltan <balaton@eik.bme.hu>
-Date: Thu, 21 May 2020 21:39:44 +0200
-Subject: sm501: Clean up local variables in sm501_2d_operation
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 3d0b096298b5579a7fa0753ad90968b27bc65372
-References: bsc#1172385, CVE-2020-12829
-
-Make variables local to the block they are used in to make it clearer
-which operation they are needed for.
-
-Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: ae59f8138afe7f6a5a4a82539d0f61496a906b06.1590089984.git.balaton@eik.bme.hu
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/display/sm501.c | 31 ++++++++++++++++---------------
- 1 file changed, 16 insertions(+), 15 deletions(-)
-
-diff --git a/hw/display/sm501.c b/hw/display/sm501.c
-index d0e92fff336de06e99577a5ded96..4204b80f988815200120852d64ec 100644
---- a/hw/display/sm501.c
-+++ b/hw/display/sm501.c
-@@ -699,28 +699,19 @@ static inline void hwc_invalidate(SM501State *s, int crt)
-
- static void sm501_2d_operation(SM501State *s)
- {
-- /* obtain operation parameters */
- int cmd = (s->twoD_control >> 16) & 0x1F;
- int rtl = s->twoD_control & BIT(27);
-- int src_x = (s->twoD_source >> 16) & 0x01FFF;
-- int src_y = s->twoD_source & 0xFFFF;
-- int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
-- int dst_y = s->twoD_destination & 0xFFFF;
-- int width = (s->twoD_dimension >> 16) & 0x1FFF;
-- int height = s->twoD_dimension & 0xFFFF;
-- uint32_t color = s->twoD_foreground;
- int format = (s->twoD_stretch >> 20) & 0x3;
- int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
- /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
- int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
- int rop = s->twoD_control & 0xFF;
-- uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
-+ int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
-+ int dst_y = s->twoD_destination & 0xFFFF;
-+ int width = (s->twoD_dimension >> 16) & 0x1FFF;
-+ int height = s->twoD_dimension & 0xFFFF;
- uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;
--
-- /* get frame buffer info */
-- uint8_t *src = s->local_mem + src_base;
- uint8_t *dst = s->local_mem + dst_base;
-- int src_pitch = s->twoD_pitch & 0x1FFF;
- int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
- int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
- int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
-@@ -758,6 +749,13 @@ static void sm501_2d_operation(SM501State *s)
-
- switch (cmd) {
- case 0x00: /* copy area */
-+ {
-+ int src_x = (s->twoD_source >> 16) & 0x01FFF;
-+ int src_y = s->twoD_source & 0xFFFF;
-+ uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
-+ uint8_t *src = s->local_mem + src_base;
-+ int src_pitch = s->twoD_pitch & 0x1FFF;
-+
- #define COPY_AREA(_bpp, _pixel_type, rtl) { \
- int y, x, index_d, index_s; \
- for (y = 0; y < height; y++) { \
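Review bot: The src pointer moved into the copy-area block is still computed as s->local_mem + src_base from a guest-written register masked only with 0x03FFFFFF, and nothing visible here checks that the source rectangle stays inside local memory. Since the patch is listed under CVE-2020-12829 and already groups the source parameters in one place, this block is the natural spot for a bounds check on src_base, src_x, src_y, width, height and src_pitch; if that arrives in a later patch of the series, a short comment saying so would help. Style: the opening brace added after the case label is closed only in the next hunk, so please double check the indentation of the enclosed macro and switch.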
-@@ -793,8 +791,11 @@ static void sm501_2d_operation(SM501State *s)
- break;
- }
- break;
--
-+ }
- case 0x01: /* fill rectangle */
-+ {
-+ uint32_t color = s->twoD_foreground;
-+
- #define FILL_RECT(_bpp, _pixel_type) { \
- int y, x; \
- for (y = 0; y < height; y++) { \
-@@ -819,7 +820,7 @@ static void sm501_2d_operation(SM501State *s)
- break;
- }
- break;
--
-+ }
- default:
- qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
- cmd);
+++ /dev/null
-From: BALATON Zoltan <balaton@eik.bme.hu>
-Date: Thu, 21 May 2020 21:39:44 +0200
-Subject: sm501: Convert printf + abort to qemu_log_mask
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: e29da77e5fddf6480e3a0e80b63d703edaec751b
-References: bsc#1172385, CVE-2020-12829
-
-Some places already use qemu_log_mask() to log unimplemented features
-or errors but some others have printf() then abort(). Convert these to
-qemu_log_mask() and avoid aborting to prevent guests to easily cause
-denial of service.
-
-Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 305af87f59d81e92f2aaff09eb8a3603b8baa322.1590089984.git.balaton@eik.bme.hu
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/display/sm501.c | 57 ++++++++++++++++++++++------------------------
- 1 file changed, 27 insertions(+), 30 deletions(-)
-
-diff --git a/hw/display/sm501.c b/hw/display/sm501.c
-index 1f33c87e654e4c8993d3fe894d2f..880c2f0469bb1cee63c115932ab0 100644
---- a/hw/display/sm501.c
-+++ b/hw/display/sm501.c
-@@ -727,8 +727,8 @@ static void sm501_2d_operation(SM501State *s)
- int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
-
- if (addressing != 0x0) {
-- printf("%s: only XY addressing is supported.\n", __func__);
-- abort();
-+ qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
-+ return;
- }
-
- if (rop_mode == 0) {
-@@ -754,8 +754,8 @@ static void sm501_2d_operation(SM501State *s)
-
- if ((s->twoD_source_base & 0x08000000) ||
- (s->twoD_destination_base & 0x08000000)) {
-- printf("%s: only local memory is supported.\n", __func__);
-- abort();
-+ qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
-+ return;
- }
-
- switch (operation) {
-@@ -823,9 +823,9 @@ static void sm501_2d_operation(SM501State *s)
- break;
-
- default:
-- printf("non-implemented SM501 2D operation. %d\n", operation);
-- abort();
-- break;
-+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
-+ operation);
-+ return;
- }
-
- if (dst_base >= get_fb_addr(s, crt) &&
-@@ -892,9 +892,8 @@ static uint64_t sm501_system_config_read(void *opaque, hwaddr addr,
- break;
-
- default:
-- printf("sm501 system config : not implemented register read."
-- " addr=%x\n", (int)addr);
-- abort();
-+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
-+ "register read. addr=%" HWADDR_PRIx "\n", addr);
- }
-
- return ret;
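Review bot: in the new default case of sm501_system_config_read the two adjacent string literals join without a space, so the log line reads "system configregister read"; add a trailing space after "config". With abort() removed this case now falls through to `return ret`, so confirm ret has a defined value on that path.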
-@@ -948,15 +947,15 @@ static void sm501_system_config_write(void *opaque, hwaddr addr,
- break;
- case SM501_ENDIAN_CONTROL:
- if (value & 0x00000001) {
-- printf("sm501 system config : big endian mode not implemented.\n");
-- abort();
-+ qemu_log_mask(LOG_UNIMP, "sm501: system config big endian mode not"
-+ " implemented.\n");
- }
- break;
-
- default:
-- printf("sm501 system config : not implemented register write."
-- " addr=%x, val=%x\n", (int)addr, (uint32_t)value);
-- abort();
-+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config"
-+ "register write. addr=%" HWADDR_PRIx
-+ ", val=%" PRIx64 "\n", addr, value);
- }
- }
-
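Review bot: the default case of sm501_system_config_write has the same literal-concatenation slip, producing "system configregister write"; add the missing space. The SM501_ENDIAN_CONTROL branch now logs and carries on, so a guest that requests big endian mode keeps running with the request ignored; a short comment stating that this is intended would help the next reader.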
-@@ -1207,9 +1206,8 @@ static uint64_t sm501_disp_ctrl_read(void *opaque, hwaddr addr,
- break;
-
- default:
-- printf("sm501 disp ctrl : not implemented register read."
-- " addr=%x\n", (int)addr);
-- abort();
-+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
-+ "read. addr=%" HWADDR_PRIx "\n", addr);
- }
-
- return ret;
-@@ -1345,9 +1343,9 @@ static void sm501_disp_ctrl_write(void *opaque, hwaddr addr,
- break;
-
- default:
-- printf("sm501 disp ctrl : not implemented register write."
-- " addr=%x, val=%x\n", (int)addr, (unsigned)value);
-- abort();
-+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
-+ "write. addr=%" HWADDR_PRIx
-+ ", val=%" PRIx64 "\n", addr, value);
- }
- }
-
-@@ -1433,9 +1431,8 @@ static uint64_t sm501_2d_engine_read(void *opaque, hwaddr addr,
- ret = 0; /* Should return interrupt status */
- break;
- default:
-- printf("sm501 disp ctrl : not implemented register read."
-- " addr=%x\n", (int)addr);
-- abort();
-+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register "
-+ "read. addr=%" HWADDR_PRIx "\n", addr);
- }
-
- return ret;
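Review bot: the message added to sm501_2d_engine_read still says "disp ctrl register read", carried over from the old printf; it should name the 2d engine, matching the "2d engine register write" text used in sm501_2d_engine_write, otherwise the log points at the wrong register block.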
-@@ -1520,9 +1517,9 @@ static void sm501_2d_engine_write(void *opaque, hwaddr addr,
- /* ignored, writing 0 should clear interrupt status */
- break;
- default:
-- printf("sm501 2d engine : not implemented register write."
-- " addr=%x, val=%x\n", (int)addr, (unsigned)value);
-- abort();
-+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2d engine register "
-+ "write. addr=%" HWADDR_PRIx
-+ ", val=%" PRIx64 "\n", addr, value);
- }
- }
-
-@@ -1670,9 +1667,9 @@ static void sm501_update_display(void *opaque)
- draw_line = draw_line32_funcs[dst_depth_index];
- break;
- default:
-- printf("sm501 update display : invalid control register value.\n");
-- abort();
-- break;
-+ qemu_log_mask(LOG_GUEST_ERROR, "sm501: update display"
-+ "invalid control register value.\n");
-+ return;
- }
-
- /* set up to draw hardware cursor */
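Review bot: in sm501_update_display the literals "sm501: update display" and "invalid control register value.\n" are concatenated without a space, so the message prints as "update displayinvalid control register value"; add a space or a colon between them.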
+++ /dev/null
-From: BALATON Zoltan <balaton@eik.bme.hu>
-Date: Thu, 21 May 2020 21:39:44 +0200
-Subject: sm501: Replace hand written implementation with pixman where possible
-
-Git-commit: b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4
-References: bsc#1172385, CVE-2020-12829
-
-Besides being faster this should also prevent malicious guests to
-abuse 2D engine to overwrite data or cause a crash.
-
-Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
-Message-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/display/sm501.c | 207 ++++++++++++++++++++++++++-------------------
- 1 file changed, 119 insertions(+), 88 deletions(-)
-
-diff --git a/hw/display/sm501.c b/hw/display/sm501.c
-index 4204b80f988815200120852d64ec..745d25c2fb248baf3f01970bbb61 100644
---- a/hw/display/sm501.c
-+++ b/hw/display/sm501.c
-@@ -706,13 +706,12 @@ static void sm501_2d_operation(SM501State *s)
- /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
- int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
- int rop = s->twoD_control & 0xFF;
-- int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
-- int dst_y = s->twoD_destination & 0xFFFF;
-- int width = (s->twoD_dimension >> 16) & 0x1FFF;
-- int height = s->twoD_dimension & 0xFFFF;
-+ unsigned int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
-+ unsigned int dst_y = s->twoD_destination & 0xFFFF;
-+ unsigned int width = (s->twoD_dimension >> 16) & 0x1FFF;
-+ unsigned int height = s->twoD_dimension & 0xFFFF;
- uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF;
-- uint8_t *dst = s->local_mem + dst_base;
-- int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
-+ unsigned int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
- int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
- int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
-
-@@ -721,104 +720,136 @@ static void sm501_2d_operation(SM501State *s)
- return;
- }
-
-- if (rop_mode == 0) {
-- if (rop != 0xcc) {
-- /* Anything other than plain copies are not supported */
-- qemu_log_mask(LOG_UNIMP, "sm501: rop3 mode with rop %x is not "
-- "supported.\n", rop);
-- }
-- } else {
-- if (rop2_source_is_pattern && rop != 0x5) {
-- /* For pattern source, we support only inverse dest */
-- qemu_log_mask(LOG_UNIMP, "sm501: rop2 source being the pattern and "
-- "rop %x is not supported.\n", rop);
-- } else {
-- if (rop != 0x5 && rop != 0xc) {
-- /* Anything other than plain copies or inverse dest is not
-- * supported */
-- qemu_log_mask(LOG_UNIMP, "sm501: rop mode %x is not "
-- "supported.\n", rop);
-- }
-- }
-- }
--
- if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) {
- qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
- return;
- }
-
-+ if (!dst_pitch) {
-+ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero dest pitch.\n");
-+ return;
-+ }
-+
-+ if (!width || !height) {
-+ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero size 2D op.\n");
-+ return;
-+ }
-+
-+ if (rtl) {
-+ dst_x -= width - 1;
-+ dst_y -= height - 1;
-+ }
-+
-+ if (dst_base >= get_local_mem_size(s) || dst_base +
-+ (dst_x + width + (dst_y + height) * (dst_pitch + width)) *
-+ (1 << format) >= get_local_mem_size(s)) {
-+ qemu_log_mask(LOG_GUEST_ERROR, "sm501: 2D op dest is outside vram.\n");
-+ return;
-+ }
-+
- switch (cmd) {
-- case 0x00: /* copy area */
-+ case 0: /* BitBlt */
- {
-- int src_x = (s->twoD_source >> 16) & 0x01FFF;
-- int src_y = s->twoD_source & 0xFFFF;
-+ unsigned int src_x = (s->twoD_source >> 16) & 0x01FFF;
-+ unsigned int src_y = s->twoD_source & 0xFFFF;
- uint32_t src_base = s->twoD_source_base & 0x03FFFFFF;
-- uint8_t *src = s->local_mem + src_base;
-- int src_pitch = s->twoD_pitch & 0x1FFF;
--
--#define COPY_AREA(_bpp, _pixel_type, rtl) { \
-- int y, x, index_d, index_s; \
-- for (y = 0; y < height; y++) { \
-- for (x = 0; x < width; x++) { \
-- _pixel_type val; \
-- \
-- if (rtl) { \
-- index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \
-- index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \
-- } else { \
-- index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \
-- index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
-- } \
-- if (rop_mode == 1 && rop == 5) { \
-- /* Invert dest */ \
-- val = ~*(_pixel_type *)&dst[index_d]; \
-- } else { \
-- val = *(_pixel_type *)&src[index_s]; \
-- } \
-- *(_pixel_type *)&dst[index_d] = val; \
-- } \
-- } \
-- }
-- switch (format) {
-- case 0:
-- COPY_AREA(1, uint8_t, rtl);
-- break;
-- case 1:
-- COPY_AREA(2, uint16_t, rtl);
-- break;
-- case 2:
-- COPY_AREA(4, uint32_t, rtl);
-- break;
-+ unsigned int src_pitch = s->twoD_pitch & 0x1FFF;
-+
-+ if (!src_pitch) {
-+ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero src pitch.\n");
-+ return;
-+ }
-+
-+ if (rtl) {
-+ src_x -= width - 1;
-+ src_y -= height - 1;
-+ }
-+
-+ if (src_base >= get_local_mem_size(s) || src_base +
-+ (src_x + width + (src_y + height) * (src_pitch + width)) *
-+ (1 << format) >= get_local_mem_size(s)) {
-+ qemu_log_mask(LOG_GUEST_ERROR,
-+ "sm501: 2D op src is outside vram.\n");
-+ return;
-+ }
-+
-+ if ((rop_mode && rop == 0x5) || (!rop_mode && rop == 0x55)) {
-+ /* Invert dest, is there a way to do this with pixman? */
-+ unsigned int x, y, i;
-+ uint8_t *d = s->local_mem + dst_base;
-+
-+ for (y = 0; y < height; y++) {
-+ i = (dst_x + (dst_y + y) * dst_pitch) * (1 << format);
-+ for (x = 0; x < width; x++, i += (1 << format)) {
-+ switch (format) {
-+ case 0:
-+ d[i] = ~d[i];
-+ break;
-+ case 1:
-+ *(uint16_t *)&d[i] = ~*(uint16_t *)&d[i];
-+ break;
-+ case 2:
-+ *(uint32_t *)&d[i] = ~*(uint32_t *)&d[i];
-+ break;
-+ }
-+ }
-+ }
-+ } else {
-+ /* Do copy src for unimplemented ops, better than unpainted area */
-+ if ((rop_mode && (rop != 0xc || rop2_source_is_pattern)) ||
-+ (!rop_mode && rop != 0xcc)) {
-+ qemu_log_mask(LOG_UNIMP,
-+ "sm501: rop%d op %x%s not implemented\n",
-+ (rop_mode ? 2 : 3), rop,
-+ (rop2_source_is_pattern ?
-+ " with pattern source" : ""));
-+ }
-+ /* Check for overlaps, this could be made more exact */
-+ uint32_t sb, se, db, de;
-+ sb = src_base + src_x + src_y * (width + src_pitch);
-+ se = sb + width + height * (width + src_pitch);
-+ db = dst_base + dst_x + dst_y * (width + dst_pitch);
-+ de = db + width + height * (width + dst_pitch);
-+ if (rtl && ((db >= sb && db <= se) || (de >= sb && de <= se))) {
-+ /* regions may overlap: copy via temporary */
-+ int llb = width * (1 << format);
-+ int tmp_stride = DIV_ROUND_UP(llb, sizeof(uint32_t));
-+ uint32_t *tmp = g_malloc(tmp_stride * sizeof(uint32_t) *
-+ height);
-+ pixman_blt((uint32_t *)&s->local_mem[src_base], tmp,
-+ src_pitch * (1 << format) / sizeof(uint32_t),
-+ tmp_stride, 8 * (1 << format), 8 * (1 << format),
-+ src_x, src_y, 0, 0, width, height);
-+ pixman_blt(tmp, (uint32_t *)&s->local_mem[dst_base],
-+ tmp_stride,
-+ dst_pitch * (1 << format) / sizeof(uint32_t),
-+ 8 * (1 << format), 8 * (1 << format),
-+ 0, 0, dst_x, dst_y, width, height);
-+ g_free(tmp);
-+ } else {
-+ pixman_blt((uint32_t *)&s->local_mem[src_base],
-+ (uint32_t *)&s->local_mem[dst_base],
-+ src_pitch * (1 << format) / sizeof(uint32_t),
-+ dst_pitch * (1 << format) / sizeof(uint32_t),
-+ 8 * (1 << format), 8 * (1 << format),
-+ src_x, src_y, dst_x, dst_y, width, height);
-+ }
- }
- break;
- }
-- case 0x01: /* fill rectangle */
-+ case 1: /* Rectangle Fill */
- {
- uint32_t color = s->twoD_foreground;
-
--#define FILL_RECT(_bpp, _pixel_type) { \
-- int y, x; \
-- for (y = 0; y < height; y++) { \
-- for (x = 0; x < width; x++) { \
-- int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
-- *(_pixel_type *)&dst[index] = (_pixel_type)color; \
-- } \
-- } \
-- }
--
-- switch (format) {
-- case 0:
-- FILL_RECT(1, uint8_t);
-- break;
-- case 1:
-- color = cpu_to_le16(color);
-- FILL_RECT(2, uint16_t);
-- break;
-- case 2:
-+ if (format == 2) {
- color = cpu_to_le32(color);
-- FILL_RECT(4, uint32_t);
-- break;
-+ } else if (format == 1) {
-+ color = cpu_to_le16(color);
- }
-+
-+ pixman_fill((uint32_t *)&s->local_mem[dst_base],
-+ dst_pitch * (1 << format) / sizeof(uint32_t),
-+ 8 * (1 << format), dst_x, dst_y, width, height, color);
- break;
- }
- default:
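Review bot: the new "outside vram" checks are evaluated in unsigned int arithmetic and can wrap. When rtl is set, `dst_x -= width - 1` (likewise dst_y, src_x, src_y) underflows if the coordinate is smaller than the extent, and `(dst_x + width + (dst_y + height) * (dst_pitch + width)) * (1 << format)` exceeds 32 bits at the register maxima allowed by the 0x1FFF and 0xFFFF masks with format 2, so a wrapped result can pass the `>= get_local_mem_size(s)` test. Reject the rtl case when a coordinate is less than `width - 1` or `height - 1`, and compute the offsets in uint64_t. Separately, the overlap test adds pixel offsets to byte bases without scaling by `1 << format`, and the temporary-buffer copy is only taken when rtl is set; the "could be made more exact" comment should say which overlapping cases are knowingly left to the direct pixman_blt path.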
+++ /dev/null
-From: BALATON Zoltan <balaton@eik.bme.hu>
-Date: Thu, 21 May 2020 21:39:44 +0200
-Subject: sm501: Shorten long variable names in sm501_2d_operation
-
-Git-commit: 6f8183b5dc5b309378687830a25e85ea8fb860ea
-References: bsc#1172385, CVE-2020-12829
-
-This increases readability and cleans up some confusing naming.
-
-Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
-Message-id: b9b67b94c46e945252a73c77dfd117132c63c4fb.1590089984.git.balaton@eik.bme.hu
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/display/sm501.c | 45 ++++++++++++++++++++++-----------------------
- 1 file changed, 22 insertions(+), 23 deletions(-)
-
-diff --git a/hw/display/sm501.c b/hw/display/sm501.c
-index 880c2f0469bb1cee63c115932ab0..bb2672c9a30a83ea8a0b2c436438 100644
---- a/hw/display/sm501.c
-+++ b/hw/display/sm501.c
-@@ -700,17 +700,16 @@ static inline void hwc_invalidate(SM501State *s, int crt)
- static void sm501_2d_operation(SM501State *s)
- {
- /* obtain operation parameters */
-- int operation = (s->twoD_control >> 16) & 0x1f;
-+ int cmd = (s->twoD_control >> 16) & 0x1F;
- int rtl = s->twoD_control & 0x8000000;
- int src_x = (s->twoD_source >> 16) & 0x01FFF;
- int src_y = s->twoD_source & 0xFFFF;
- int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
- int dst_y = s->twoD_destination & 0xFFFF;
-- int operation_width = (s->twoD_dimension >> 16) & 0x1FFF;
-- int operation_height = s->twoD_dimension & 0xFFFF;
-+ int width = (s->twoD_dimension >> 16) & 0x1FFF;
-+ int height = s->twoD_dimension & 0xFFFF;
- uint32_t color = s->twoD_foreground;
-- int format_flags = (s->twoD_stretch >> 20) & 0x3;
-- int addressing = (s->twoD_stretch >> 16) & 0xF;
-+ int format = (s->twoD_stretch >> 20) & 0x3;
- int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */
- /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */
- int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1;
-@@ -721,12 +720,12 @@ static void sm501_2d_operation(SM501State *s)
- /* get frame buffer info */
- uint8_t *src = s->local_mem + src_base;
- uint8_t *dst = s->local_mem + dst_base;
-- int src_width = s->twoD_pitch & 0x1FFF;
-- int dst_width = (s->twoD_pitch >> 16) & 0x1FFF;
-+ int src_pitch = s->twoD_pitch & 0x1FFF;
-+ int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF;
- int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0;
- int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt);
-
-- if (addressing != 0x0) {
-+ if ((s->twoD_stretch >> 16) & 0xF) {
- qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n");
- return;
- }
-@@ -758,20 +757,20 @@ static void sm501_2d_operation(SM501State *s)
- return;
- }
-
-- switch (operation) {
-+ switch (cmd) {
- case 0x00: /* copy area */
- #define COPY_AREA(_bpp, _pixel_type, rtl) { \
- int y, x, index_d, index_s; \
-- for (y = 0; y < operation_height; y++) { \
-- for (x = 0; x < operation_width; x++) { \
-+ for (y = 0; y < height; y++) { \
-+ for (x = 0; x < width; x++) { \
- _pixel_type val; \
- \
- if (rtl) { \
-- index_s = ((src_y - y) * src_width + src_x - x) * _bpp; \
-- index_d = ((dst_y - y) * dst_width + dst_x - x) * _bpp; \
-+ index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \
-+ index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \
- } else { \
-- index_s = ((src_y + y) * src_width + src_x + x) * _bpp; \
-- index_d = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \
-+ index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \
-+ index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
- } \
- if (rop_mode == 1 && rop == 5) { \
- /* Invert dest */ \
-@@ -783,7 +782,7 @@ static void sm501_2d_operation(SM501State *s)
- } \
- } \
- }
-- switch (format_flags) {
-+ switch (format) {
- case 0:
- COPY_AREA(1, uint8_t, rtl);
- break;
-@@ -799,15 +798,15 @@ static void sm501_2d_operation(SM501State *s)
- case 0x01: /* fill rectangle */
- #define FILL_RECT(_bpp, _pixel_type) { \
- int y, x; \
-- for (y = 0; y < operation_height; y++) { \
-- for (x = 0; x < operation_width; x++) { \
-- int index = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \
-+ for (y = 0; y < height; y++) { \
-+ for (x = 0; x < width; x++) { \
-+ int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \
- *(_pixel_type *)&dst[index] = (_pixel_type)color; \
- } \
- } \
- }
-
-- switch (format_flags) {
-+ switch (format) {
- case 0:
- FILL_RECT(1, uint8_t);
- break;
-@@ -824,14 +823,14 @@ static void sm501_2d_operation(SM501State *s)
-
- default:
- qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n",
-- operation);
-+ cmd);
- return;
- }
-
- if (dst_base >= get_fb_addr(s, crt) &&
- dst_base <= get_fb_addr(s, crt) + fb_len) {
-- int dst_len = MIN(fb_len, ((dst_y + operation_height - 1) * dst_width +
-- dst_x + operation_width) * (1 << format_flags));
-+ int dst_len = MIN(fb_len, ((dst_y + height - 1) * dst_pitch +
-+ dst_x + width) * (1 << format));
- if (dst_len) {
- memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len);
- }
+++ /dev/null
-From: BALATON Zoltan <balaton@eik.bme.hu>
-Date: Thu, 21 May 2020 21:39:44 +0200
-Subject: sm501: Use BIT(x) macro to shorten constant
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 2824809b7f8f03ddc6e2b7e33e78c06022424298
-References: bsc#1172385, CVE-2020-12829
-
-Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 124bf5de8d7cf503b32b377d0445029a76bfbd49.1590089984.git.balaton@eik.bme.hu
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/display/sm501.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/hw/display/sm501.c b/hw/display/sm501.c
-index bb2672c9a30a83ea8a0b2c436438..d0e92fff336de06e99577a5ded96 100644
---- a/hw/display/sm501.c
-+++ b/hw/display/sm501.c
-@@ -701,7 +701,7 @@ static void sm501_2d_operation(SM501State *s)
- {
- /* obtain operation parameters */
- int cmd = (s->twoD_control >> 16) & 0x1F;
-- int rtl = s->twoD_control & 0x8000000;
-+ int rtl = s->twoD_control & BIT(27);
- int src_x = (s->twoD_source >> 16) & 0x01FFF;
- int src_y = s->twoD_source & 0xFFFF;
- int dst_x = (s->twoD_destination >> 16) & 0x01FFF;
-@@ -751,8 +751,7 @@ static void sm501_2d_operation(SM501State *s)
- }
- }
-
-- if ((s->twoD_source_base & 0x08000000) ||
-- (s->twoD_destination_base & 0x08000000)) {
-+ if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) {
- qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n");
- return;
- }
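Review bot: the rewritten condition drops the parentheses around each `&` test; `a & BIT(27) || b & BIT(27)` parses as intended but is easy to misread, so keep `(s->twoD_source_base & BIT(27)) || (s->twoD_destination_base & BIT(27))`. Bit 27 is also used for rtl in twoD_control in the first hunk, so named constants for the two meanings would document more than BIT(27) does.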
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 11 Aug 2020 17:11:30 +0530
-Subject: spapr_pci: add spapr msi read method
-
-Git-commit: 921604e175b8ec06c39503310e7b3ec1e3eafe9e
-References: bsc#1173612, CVE-2020-15469
-
-Add spapr msi mmio read method to avoid NULL pointer dereference
-issue.
-
-Reported-by: Lei Sun <slei.casper@gmail.com>
-Acked-by: David Gibson <david@gibson.dropbear.id.au>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20200811114133.672647-7-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/ppc/spapr_pci.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c
-index 5b544adb4a4d7868cf17d6534e19..74debaddfb0574f95ba71957a304 100644
---- a/hw/ppc/spapr_pci.c
-+++ b/hw/ppc/spapr_pci.c
-@@ -52,6 +52,7 @@
- #include "sysemu/kvm.h"
- #include "sysemu/hostmem.h"
- #include "sysemu/numa.h"
-+#include "qemu/log.h"
-
- /* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */
- #define RTAS_QUERY_FN 0
-@@ -738,6 +739,12 @@ static PCIINTxRoute spapr_route_intx_pin_to_irq(void *opaque, int pin)
- return route;
- }
-
-+static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size)
-+{
-+ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__);
-+ return 0;
-+}
-+
- /*
- * MSI/MSIX memory region implementation.
- * The handler handles both MSI and MSIX.
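Review bot: spapr_msi_read logs only "%s: invalid access" and leaves addr and size unused; include both in the LOG_GUEST_ERROR message (addr with HWADDR_PRIx) so the offending guest read can be identified from the log.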
-@@ -755,8 +762,11 @@ static void spapr_msi_write(void *opaque, hwaddr addr,
- }
-
- static const MemoryRegionOps spapr_msi_ops = {
-- /* There is no .read as the read result is undefined by PCI spec */
-- .read = NULL,
-+ /*
-+ * .read result is undefined by PCI spec.
-+ * define .read method to avoid assert failure in memory_region_init_io
-+ */
-+ .read = spapr_msi_read,
- .write = spapr_msi_write,
- .endianness = DEVICE_LITTLE_ENDIAN
- };
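Review bot: the new comment on .read gives the reason as avoiding an assert failure in memory_region_init_io, while the commit message says the method is added to avoid a NULL pointer dereference; state the same reason in both places and name the path that reaches a NULL .read.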
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Mon, 24 Jul 2017 10:44:24 -0600
-Subject: stub out the SAN req's in int13
-
-Include-If: %if 0%{?patch-possibly-applied-elsewhere}
-
-We need to find some code or data to change so we can make the rom fit
-into the legacy size requirements. Comment out SAN support, and
-hopefully nobody will be impacted.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- src/arch/x86/interface/pcbios/int13.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/roms/ipxe/src/arch/x86/interface/pcbios/int13.c b/roms/ipxe/src/arch/x86/interface/pcbios/int13.c
-index ca789a0d154e1fe3c2508a3aefea..40c61419c0c134120d1ce7c81a1e 100644
---- a/roms/ipxe/src/arch/x86/interface/pcbios/int13.c
-+++ b/roms/ipxe/src/arch/x86/interface/pcbios/int13.c
-@@ -23,6 +23,12 @@
-
- FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
-
-+#define INCLUDE_SAN_HOOKS 0
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wunused-parameter"
-+#pragma GCC diagnostic ignored "-Wunused-function"
-+#pragma GCC diagnostic ignored "-Wunused-variable"
-+
- #include <stdint.h>
- #include <stdlib.h>
- #include <limits.h>
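Review bot: the three `#pragma GCC diagnostic ignored` lines are placed above the includes and stay in force until the pop on the last line of the file, so unused-parameter, unused-function and unused-variable warnings are silenced for all of int13.c and for the headers it pulls in, not only for the stubbed SAN hooks. Scope the push/pop around the four stubbed functions, or mark the affected parameters and helpers unused individually.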
-@@ -1243,6 +1249,7 @@ static void int13_unhook_vector ( void ) {
- */
- static int int13_hook ( unsigned int drive, struct uri **uris,
- unsigned int count, unsigned int flags ) {
-+#if INCLUDE_SAN_HOOKS
- struct san_device *sandev;
- struct int13_data *int13;
- unsigned int natural_drive;
-@@ -1315,6 +1322,9 @@ static int int13_hook ( unsigned int drive, struct uri **uris,
- sandev_put ( sandev );
- err_alloc:
- return rc;
-+#else
-+ return -1;
-+#endif
- }
-
- /**
-@@ -1328,6 +1338,7 @@ static int int13_hook ( unsigned int drive, struct uri **uris,
- */
- static void int13_unhook ( unsigned int drive ) {
- struct san_device *sandev;
-+#if INCLUDE_SAN_HOOKS
-
- /* Find drive */
- sandev = sandev_find ( drive );
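Review bot: in int13_unhook the `#if INCLUDE_SAN_HOOKS` is opened after `struct san_device *sandev;`, so the declaration is still compiled when the hooks are disabled and only the -Wunused-variable pragma keeps the build quiet. Move the `#if` above the declaration, as done in int13_hook, so the stub body is empty.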
-@@ -1353,6 +1364,7 @@ static void int13_unhook ( unsigned int drive ) {
-
- /* Drop reference to drive */
- sandev_put ( sandev );
-+#endif
- }
-
- /**
-@@ -1514,6 +1526,7 @@ static int int13_load_eltorito ( unsigned int drive, struct segoff *address ) {
- * Note that this function can never return success, by definition.
- */
- static int int13_boot ( unsigned int drive, const char *filename __unused ) {
-+#if INCLUDE_SAN_HOOKS
- struct memory_map memmap;
- struct segoff address;
- int rc;
-@@ -1539,6 +1552,9 @@ static int int13_boot ( unsigned int drive, const char *filename __unused ) {
- }
-
- return -ECANCELED; /* -EIMPOSSIBLE */
-+#else
-+ return -1;
-+#endif
- }
-
- /** Maximum size of boot firmware table(s) */
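Review bot: the `#else` branch of int13_boot returns a bare -1 while the enabled path returns an errno-style code (`-ECANCELED`); the int13_hook and int13_describe stubs do the same. Return a named error such as -ENOTSUP so callers that report or compare the status code see a meaningful value.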
-@@ -1605,6 +1621,7 @@ static int int13_install ( struct acpi_header *acpi ) {
- * @ret rc Return status code
- */
- static int int13_describe ( void ) {
-+#if INCLUDE_SAN_HOOKS
- int rc;
-
- /* Clear tables */
-@@ -1619,9 +1636,13 @@ static int int13_describe ( void ) {
- }
-
- return 0;
-+#else
-+ return -1;
-+#endif
- }
-
- PROVIDE_SANBOOT ( pcbios, san_hook, int13_hook );
- PROVIDE_SANBOOT ( pcbios, san_unhook, int13_unhook );
- PROVIDE_SANBOOT ( pcbios, san_boot, int13_boot );
- PROVIDE_SANBOOT ( pcbios, san_describe, int13_describe );
-+#pragma GCC diagnostic pop
+++ /dev/null
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 24 Feb 2021 13:14:35 +0800
-Subject: sungem: switch to use qemu_receive_packet() for loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 8c92060d3c0248bd4d515719a35922cd2391b9b4
-
-This patch switches to use qemu_receive_packet() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/net/sungem.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/sungem.c b/hw/net/sungem.c
-index f31d41ac5b87ae9e1b5a45d6e084..8b202b5c15d5562416a71ce4c0ea 100644
---- a/hw/net/sungem.c
-+++ b/hw/net/sungem.c
-@@ -305,7 +305,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
- NetClientState *nc = qemu_get_queue(s->nic);
-
- if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
-- nc->info->receive(nc, buf, size);
-+ qemu_receive_packet(nc, buf, size);
- } else {
- qemu_send_packet(nc, buf, size);
- }
+++ /dev/null
-From: Xiaoyao Li <xiaoyao.li@intel.com>
-Date: Wed, 8 Jan 2020 13:32:40 +0100
-Subject: target/i386: Add missed features to Cooperlake CPU model
-
-Git-commit: 2dea9d9ca4ea7e9afe83d0b4153b21a16987e866
-References: jsc#SLE-7923
-
-It lacks VMX features and two security feature bits (disclosed recently) in
-MSR_IA32_ARCH_CAPABILITIES in current Cooperlake CPU model, so add them.
-
-Fixes: 22a866b6166d ("i386: Add new CPU model Cooperlake")
-Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
-Message-Id: <20191225063018.20038-3-xiaoyao.li@intel.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/i386/cpu.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 50 insertions(+), 1 deletion(-)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index 8a1993ac64bd763b7bb70c98b8b8..876bd166652365397514ada0dec7 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -3201,7 +3201,8 @@ static X86CPUDefinition builtin_x86_defs[] = {
- CPUID_7_0_EDX_SPEC_CTRL_SSBD | CPUID_7_0_EDX_ARCH_CAPABILITIES,
- .features[FEAT_ARCH_CAPABILITIES] =
- MSR_ARCH_CAP_RDCL_NO | MSR_ARCH_CAP_IBRS_ALL |
-- MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY | MSR_ARCH_CAP_MDS_NO,
-+ MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY | MSR_ARCH_CAP_MDS_NO |
-+ MSR_ARCH_CAP_PSCHANGE_MC_NO | MSR_ARCH_CAP_TAA_NO,
- .features[FEAT_7_1_EAX] =
- CPUID_7_1_EAX_AVX512_BF16,
- /*
-@@ -3216,6 +3217,54 @@ static X86CPUDefinition builtin_x86_defs[] = {
- CPUID_XSAVE_XGETBV1,
- .features[FEAT_6_EAX] =
- CPUID_6_EAX_ARAT,
-+ /* Missing: Mode-based execute control (XS/XU), processor tracing, TSC scaling */
-+ .features[FEAT_VMX_BASIC] = MSR_VMX_BASIC_INS_OUTS |
-+ MSR_VMX_BASIC_TRUE_CTLS,
-+ .features[FEAT_VMX_ENTRY_CTLS] = VMX_VM_ENTRY_IA32E_MODE |
-+ VMX_VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL | VMX_VM_ENTRY_LOAD_IA32_PAT |
-+ VMX_VM_ENTRY_LOAD_DEBUG_CONTROLS | VMX_VM_ENTRY_LOAD_IA32_EFER,
-+ .features[FEAT_VMX_EPT_VPID_CAPS] = MSR_VMX_EPT_EXECONLY |
-+ MSR_VMX_EPT_PAGE_WALK_LENGTH_4 | MSR_VMX_EPT_WB | MSR_VMX_EPT_2MB |
-+ MSR_VMX_EPT_1GB | MSR_VMX_EPT_INVEPT |
-+ MSR_VMX_EPT_INVEPT_SINGLE_CONTEXT | MSR_VMX_EPT_INVEPT_ALL_CONTEXT |
-+ MSR_VMX_EPT_INVVPID | MSR_VMX_EPT_INVVPID_SINGLE_ADDR |
-+ MSR_VMX_EPT_INVVPID_SINGLE_CONTEXT | MSR_VMX_EPT_INVVPID_ALL_CONTEXT |
-+ MSR_VMX_EPT_INVVPID_SINGLE_CONTEXT_NOGLOBALS | MSR_VMX_EPT_AD_BITS,
-+ .features[FEAT_VMX_EXIT_CTLS] =
-+ VMX_VM_EXIT_ACK_INTR_ON_EXIT | VMX_VM_EXIT_SAVE_DEBUG_CONTROLS |
-+ VMX_VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL |
-+ VMX_VM_EXIT_LOAD_IA32_PAT | VMX_VM_EXIT_LOAD_IA32_EFER |
-+ VMX_VM_EXIT_SAVE_IA32_PAT | VMX_VM_EXIT_SAVE_IA32_EFER |
-+ VMX_VM_EXIT_SAVE_VMX_PREEMPTION_TIMER,
-+ .features[FEAT_VMX_MISC] = MSR_VMX_MISC_ACTIVITY_HLT |
-+ MSR_VMX_MISC_STORE_LMA | MSR_VMX_MISC_VMWRITE_VMEXIT,
-+ .features[FEAT_VMX_PINBASED_CTLS] = VMX_PIN_BASED_EXT_INTR_MASK |
-+ VMX_PIN_BASED_NMI_EXITING | VMX_PIN_BASED_VIRTUAL_NMIS |
-+ VMX_PIN_BASED_VMX_PREEMPTION_TIMER | VMX_PIN_BASED_POSTED_INTR,
-+ .features[FEAT_VMX_PROCBASED_CTLS] = VMX_CPU_BASED_VIRTUAL_INTR_PENDING |
-+ VMX_CPU_BASED_USE_TSC_OFFSETING | VMX_CPU_BASED_HLT_EXITING |
-+ VMX_CPU_BASED_INVLPG_EXITING | VMX_CPU_BASED_MWAIT_EXITING |
-+ VMX_CPU_BASED_RDPMC_EXITING | VMX_CPU_BASED_RDTSC_EXITING |
-+ VMX_CPU_BASED_CR8_LOAD_EXITING | VMX_CPU_BASED_CR8_STORE_EXITING |
-+ VMX_CPU_BASED_TPR_SHADOW | VMX_CPU_BASED_MOV_DR_EXITING |
-+ VMX_CPU_BASED_UNCOND_IO_EXITING | VMX_CPU_BASED_USE_IO_BITMAPS |
-+ VMX_CPU_BASED_MONITOR_EXITING | VMX_CPU_BASED_PAUSE_EXITING |
-+ VMX_CPU_BASED_VIRTUAL_NMI_PENDING | VMX_CPU_BASED_USE_MSR_BITMAPS |
-+ VMX_CPU_BASED_CR3_LOAD_EXITING | VMX_CPU_BASED_CR3_STORE_EXITING |
-+ VMX_CPU_BASED_MONITOR_TRAP_FLAG |
-+ VMX_CPU_BASED_ACTIVATE_SECONDARY_CONTROLS,
-+ .features[FEAT_VMX_SECONDARY_CTLS] =
-+ VMX_SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES |
-+ VMX_SECONDARY_EXEC_WBINVD_EXITING | VMX_SECONDARY_EXEC_ENABLE_EPT |
-+ VMX_SECONDARY_EXEC_DESC | VMX_SECONDARY_EXEC_RDTSCP |
-+ VMX_SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE |
-+ VMX_SECONDARY_EXEC_ENABLE_VPID | VMX_SECONDARY_EXEC_UNRESTRICTED_GUEST |
-+ VMX_SECONDARY_EXEC_APIC_REGISTER_VIRT |
-+ VMX_SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY |
-+ VMX_SECONDARY_EXEC_RDRAND_EXITING | VMX_SECONDARY_EXEC_ENABLE_INVPCID |
-+ VMX_SECONDARY_EXEC_ENABLE_VMFUNC | VMX_SECONDARY_EXEC_SHADOW_VMCS |
-+ VMX_SECONDARY_EXEC_RDSEED_EXITING | VMX_SECONDARY_EXEC_ENABLE_PML,
-+ .features[FEAT_VMX_VMFUNC] = MSR_VMX_VMFUNC_EPT_SWITCHING,
- .xlevel = 0x80000008,
- .model_id = "Intel Xeon Processor (Cooperlake)",
- },
+++ /dev/null
-From: Xiaoyao Li <xiaoyao.li@intel.com>
-Date: Wed, 8 Jan 2020 13:32:39 +0100
-Subject: target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES
-
-Git-commit: 6c997b4adb300788d61d72e2b8bc67c03a584956
-References: jsc#SLE-7923
-
-The bit 6, 7 and 8 of MSR_IA32_ARCH_CAPABILITIES are recently disclosed
-for some security issues. Add the definitions for them to be used by named
-CPU models.
-
-Signed-off-by: Xiaoyao Li <xiaoyao.li@intel.com>
-Message-Id: <20191225063018.20038-2-xiaoyao.li@intel.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- target/i386/cpu.h | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index af282936a785a25f651d0db1a8cf..594326a7946798aba6ac42415164 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -835,12 +835,15 @@ typedef uint64_t FeatureWordArray[FEATURE_WORDS];
- #define CPUID_TOPOLOGY_LEVEL_DIE (5U << 8)
-
- /* MSR Feature Bits */
--#define MSR_ARCH_CAP_RDCL_NO (1U << 0)
--#define MSR_ARCH_CAP_IBRS_ALL (1U << 1)
--#define MSR_ARCH_CAP_RSBA (1U << 2)
-+#define MSR_ARCH_CAP_RDCL_NO (1U << 0)
-+#define MSR_ARCH_CAP_IBRS_ALL (1U << 1)
-+#define MSR_ARCH_CAP_RSBA (1U << 2)
- #define MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY (1U << 3)
--#define MSR_ARCH_CAP_SSB_NO (1U << 4)
--#define MSR_ARCH_CAP_MDS_NO (1U << 5)
-+#define MSR_ARCH_CAP_SSB_NO (1U << 4)
-+#define MSR_ARCH_CAP_MDS_NO (1U << 5)
-+#define MSR_ARCH_CAP_PSCHANGE_MC_NO (1U << 6)
-+#define MSR_ARCH_CAP_TSX_CTRL_MSR (1U << 7)
-+#define MSR_ARCH_CAP_TAA_NO (1U << 8)
-
- #define MSR_CORE_CAP_SPLIT_LOCK_DETECT (1U << 5)
-
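Review bot: re-aligning the five existing MSR_ARCH_CAP_* defines turns a three-line addition into an eight-line change and hides the new bits 6, 7 and 8 in whitespace churn; keep the old alignment or split the re-indent into its own commit. The new names also carry no comment, and the commit message only says "some security issues", so a one-line comment per bit naming what it reports would make the header self-explanatory.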
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Mon, 20 Jan 2020 19:21:43 +0100
-Subject: target/i386: add a ucode-rev property
-
-Git-commit: 4e45aff398cd1542c2a384a2a3b8600f23337d86
-References: jsc#SLE-17785
-
-Add the property and plumb it in TCG and HVF (the latter of which
-tried to support returning a constant value but used the wrong MSR).
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-Id: <1579544504-3616-3-git-send-email-pbonzini@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
----
- target/i386/cpu.c | 10 ++++++++++
- target/i386/cpu.h | 3 +++
- target/i386/hvf/x86_emu.c | 4 +---
- target/i386/misc_helper.c | 4 ++++
- 4 files changed, 18 insertions(+), 3 deletions(-)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index 876bd166652365397514ada0dec7..88f4ad18300d3d1311282e7d8b15 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -6432,6 +6432,15 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
- }
- }
-
-+ if (cpu->ucode_rev == 0) {
-+ /* The default is the same as KVM's. */
-+ if (IS_AMD_CPU(env)) {
-+ cpu->ucode_rev = 0x01000065;
-+ } else {
-+ cpu->ucode_rev = 0x100000000ULL;
-+ }
-+ }
-+
- /* mwait extended info: needed for Core compatibility */
- /* We always wake on interrupt even if host does not have the capability */
- cpu->mwait.ecx |= CPUID_MWAIT_EMX | CPUID_MWAIT_IBE;
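Review bot: the new block in x86_cpu_realizefn() uses cpu->ucode_rev == 0 as the "not set" marker, and the property is declared with a default of 0, so an explicit ucode-rev=0 cannot be told apart from an omitted property and is silently replaced by the vendor default. If zero is never a valid revision, say so in the comment. The two defaults, 0x01000065 and 0x100000000ULL, are also bare literals justified only by "The default is the same as KVM's."; named constants, or a pointer to where KVM defines them, would make later drift detectable.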
-@@ -7115,6 +7124,7 @@ static Property x86_cpu_properties[] = {
- DEFINE_PROP_UINT32("min-level", X86CPU, env.cpuid_min_level, 0),
- DEFINE_PROP_UINT32("min-xlevel", X86CPU, env.cpuid_min_xlevel, 0),
- DEFINE_PROP_UINT32("min-xlevel2", X86CPU, env.cpuid_min_xlevel2, 0),
-+ DEFINE_PROP_UINT64("ucode-rev", X86CPU, ucode_rev, 0),
- DEFINE_PROP_BOOL("full-cpuid-auto-level", X86CPU, full_cpuid_auto_level, true),
- DEFINE_PROP_STRING("hv-vendor-id", X86CPU, hyperv_vendor_id),
- DEFINE_PROP_BOOL("cpuid-0xb", X86CPU, enable_cpuid_0xb, true),
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index 594326a7946798aba6ac42415164..7bfbf2a5e57d09dfbe8d02d0db1d 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -348,6 +348,7 @@ typedef enum X86Seg {
- #define MSR_IA32_SPEC_CTRL 0x48
- #define MSR_VIRT_SSBD 0xc001011f
- #define MSR_IA32_PRED_CMD 0x49
-+#define MSR_IA32_UCODE_REV 0x8b
- #define MSR_IA32_CORE_CAPABILITY 0xcf
-
- #define MSR_IA32_ARCH_CAPABILITIES 0x10a
-@@ -1627,6 +1628,8 @@ struct X86CPU {
- CPUNegativeOffsetState neg;
- CPUX86State env;
-
-+ uint64_t ucode_rev;
-+
- uint32_t hyperv_spinlock_attempts;
- char *hyperv_vendor_id;
- bool hyperv_synic_kvm_only;
-diff --git a/target/i386/hvf/x86_emu.c b/target/i386/hvf/x86_emu.c
-index 3df767209df5516d684f46ca300c..92ab815f5d6262b41cf3bbb43f0a 100644
---- a/target/i386/hvf/x86_emu.c
-+++ b/target/i386/hvf/x86_emu.c
-@@ -664,8 +664,6 @@ static void exec_lods(struct CPUX86State *env, struct x86_decode *decode)
- RIP(env) += decode->len;
- }
-
--#define MSR_IA32_UCODE_REV 0x00000017
--
- void simulate_rdmsr(struct CPUState *cpu)
- {
- X86CPU *x86_cpu = X86_CPU(cpu);
-@@ -681,7 +679,7 @@ void simulate_rdmsr(struct CPUState *cpu)
- val = cpu_get_apic_base(X86_CPU(cpu)->apic_state);
- break;
- case MSR_IA32_UCODE_REV:
-- val = (0x100000000ULL << 32) | 0x100000000ULL;
-+ val = x86_cpu->ucode_rev;
- break;
- case MSR_EFER:
- val = rvmcs(cpu->hvf_fd, VMCS_GUEST_IA32_EFER);
-diff --git a/target/i386/misc_helper.c b/target/i386/misc_helper.c
-index 3eff6885f8a63ff525008bc02477..aed16fe3f0255323f8dfc146078b 100644
---- a/target/i386/misc_helper.c
-+++ b/target/i386/misc_helper.c
-@@ -229,6 +229,7 @@ void helper_rdmsr(CPUX86State *env)
- #else
- void helper_wrmsr(CPUX86State *env)
- {
-+ X86CPU *x86_cpu = env_archcpu(env);
- uint64_t val;
-
- cpu_svm_check_intercept_param(env, SVM_EXIT_MSR, 1, GETPC());
-@@ -371,6 +372,9 @@ void helper_wrmsr(CPUX86State *env)
- env->msr_bndcfgs = val;
- cpu_sync_bndcs_hflags(env);
- break;
-+ case MSR_IA32_UCODE_REV:
-+ val = x86_cpu->ucode_rev;
-+ break;
- default:
- if ((uint32_t)env->regs[R_ECX] >= MSR_MC0_CTL
- && (uint32_t)env->regs[R_ECX] < MSR_MC0_CTL +
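Review bot: the MSR_IA32_UCODE_REV case lands in helper_wrmsr(), per the hunk header, where it assigns x86_cpu->ucode_rev to val and breaks. In the write helper val is the value the guest is writing, so the assignment has no effect there, and nothing in this patch adds a matching case to helper_rdmsr(), so a TCG guest reading MSR 0x8b does not get the new property value. The case and the x86_cpu local from the previous hunk look like they were meant for helper_rdmsr(); please move both.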
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 11 Feb 2020 18:55:16 +0100
-Subject: target/i386: check for availability of MSR_IA32_UCODE_REV as an
- emulated MSR
-
-Git-commit: 6702514814c7e7b4cbf179624539b5f38c72740b
-References: jsc#SLE-17785
-
-Even though MSR_IA32_UCODE_REV has been available long before Linux 5.6,
-which added it to the emulated MSR list, a bug caused the microcode
-version to revert to 0x100000000 on INIT. As a result, processors other
-than the bootstrap processor would not see the host microcode revision;
-some Windows version complain loudly about this and crash with a
-fairly explicit MICROCODE REVISION MISMATCH error.
-
-[If running 5.6 prereleases, the kernel fix "KVM: x86: do not reset
- microcode version on INIT or RESET" should also be applied.]
-
-Reported-by: Alex Williamson <alex.williamson@redhat.com>
-Message-id: <20200211175516.10716-1-pbonzini@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-[Dependant kernel patch is bsc#1183412, commit 16ce873]
-Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
----
- target/i386/kvm.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/target/i386/kvm.c b/target/i386/kvm.c
-index a735ce031810a5f122720a13a052..991052fa09c377d7ece7170e02f9 100644
---- a/target/i386/kvm.c
-+++ b/target/i386/kvm.c
-@@ -105,6 +105,7 @@ static bool has_msr_smi_count;
- static bool has_msr_arch_capabs;
- static bool has_msr_core_capabs;
- static bool has_msr_vmx_vmfunc;
-+static bool has_msr_ucode_rev;
- static bool has_msr_vmx_procbased_ctls2;
-
- static uint32_t has_architectural_pmu_version;
-@@ -2064,6 +2065,9 @@ static int kvm_get_supported_msrs(KVMState *s)
- case MSR_IA32_VMX_VMFUNC:
- has_msr_vmx_vmfunc = true;
- break;
-+ case MSR_IA32_UCODE_REV:
-+ has_msr_ucode_rev = true;
-+ break;
- case MSR_IA32_VMX_PROCBASED_CTLS2:
- has_msr_vmx_procbased_ctls2 = true;
- break;
-@@ -2707,8 +2711,7 @@ static void kvm_init_msrs(X86CPU *cpu)
- env->features[FEAT_CORE_CAPABILITY]);
- }
-
-- if (kvm_arch_get_supported_msr_feature(kvm_state,
-- MSR_IA32_UCODE_REV)) {
-+ if (has_msr_ucode_rev) {
- kvm_msr_entry_add(cpu, MSR_IA32_UCODE_REV, cpu->ucode_rev);
- }
-
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 11 Feb 2020 18:47:48 +0100
-Subject: target/i386: enable monitor and ucode revision with -cpu max
-
-Git-commit: be02cda3afde60d219786e23c3f8edb53aec8e17
-References: jsc#SLE-17785
-
-These two features were incorrectly tied to host_cpuid_required rather than
-cpu->max_features. As a result, -cpu max was not enabling either MONITOR
-features or ucode revision.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
----
- target/i386/cpu.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index 17cc1e9a71f5bedc8917071be12b..53b72368d7de0ec2d5112ee4bd7f 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -6424,7 +6424,9 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
- g_free(name);
- goto out;
- }
-+ }
-
-+ if (cpu->max_features && accel_uses_host_cpuid()) {
- if (enable_cpu_pm) {
- host_cpuid(5, 0, &cpu->mwait.eax, &cpu->mwait.ebx,
- &cpu->mwait.ecx, &cpu->mwait.edx);
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 6 Feb 2020 18:10:22 +0100
-Subject: target/i386: fix TCG UCODE_REV access
-
-Git-commit: 9028c75c9d08be303ccc425bfe3d3b23d8f4cac7
-References: jsc#SLE-17785
-
-This was a very interesting semantic conflict that caused git to move
-the MSR_IA32_UCODE_REV read to helper_wrmsr. Not a big deal, but
-still should be fixed...
-
-Fixes: 4e45aff398 ("target/i386: add a ucode-rev property", 2020-01-24)
-Message-id: <20200206171022.9289-1-pbonzini@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
----
- target/i386/misc_helper.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/target/i386/misc_helper.c b/target/i386/misc_helper.c
-index aed16fe3f0255323f8dfc146078b..7d612210244af4aa6d36611da6de 100644
---- a/target/i386/misc_helper.c
-+++ b/target/i386/misc_helper.c
-@@ -229,7 +229,6 @@ void helper_rdmsr(CPUX86State *env)
- #else
- void helper_wrmsr(CPUX86State *env)
- {
-- X86CPU *x86_cpu = env_archcpu(env);
- uint64_t val;
-
- cpu_svm_check_intercept_param(env, SVM_EXIT_MSR, 1, GETPC());
-@@ -372,9 +371,6 @@ void helper_wrmsr(CPUX86State *env)
- env->msr_bndcfgs = val;
- cpu_sync_bndcs_hflags(env);
- break;
-- case MSR_IA32_UCODE_REV:
-- val = x86_cpu->ucode_rev;
-- break;
- default:
- if ((uint32_t)env->regs[R_ECX] >= MSR_MC0_CTL
- && (uint32_t)env->regs[R_ECX] < MSR_MC0_CTL +
-@@ -393,6 +389,7 @@ void helper_wrmsr(CPUX86State *env)
-
- void helper_rdmsr(CPUX86State *env)
- {
-+ X86CPU *x86_cpu = env_archcpu(env);
- uint64_t val;
-
- cpu_svm_check_intercept_param(env, SVM_EXIT_MSR, 0, GETPC());
-@@ -526,6 +523,9 @@ void helper_rdmsr(CPUX86State *env)
- case MSR_IA32_BNDCFGS:
- val = env->msr_bndcfgs;
- break;
-+ case MSR_IA32_UCODE_REV:
-+ val = x86_cpu->ucode_rev;
-+ break;
- default:
- if ((uint32_t)env->regs[R_ECX] >= MSR_MC0_CTL
- && (uint32_t)env->regs[R_ECX] < MSR_MC0_CTL +
+++ /dev/null
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Mon, 20 Jan 2020 19:21:44 +0100
-Subject: target/i386: kvm: initialize microcode revision from KVM
-
-Git-commit: 32c87d70ff55b96741f08c35108935cac6f40fe4
-Reference: jsc#SLE-17785
-
-KVM can return the host microcode revision as a feature MSR.
-Use it as the default value for -cpu host.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-Id: <1579544504-3616-4-git-send-email-pbonzini@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
----
- target/i386/cpu.c | 4 ++++
- target/i386/kvm.c | 5 +++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index 88f4ad18300d3d1311282e7d8b15..17cc1e9a71f5bedc8917071be12b 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -6430,6 +6430,10 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
- &cpu->mwait.ecx, &cpu->mwait.edx);
- env->features[FEAT_1_ECX] |= CPUID_EXT_MONITOR;
- }
-+ if (kvm_enabled() && cpu->ucode_rev == 0) {
-+ cpu->ucode_rev = kvm_arch_get_supported_msr_feature(kvm_state,
-+ MSR_IA32_UCODE_REV);
-+ }
- }
-
- if (cpu->ucode_rev == 0) {
-diff --git a/target/i386/kvm.c b/target/i386/kvm.c
-index 91cd4976e262ad6bbb83206114b3..a735ce031810a5f122720a13a052 100644
---- a/target/i386/kvm.c
-+++ b/target/i386/kvm.c
-@@ -2707,6 +2707,11 @@ static void kvm_init_msrs(X86CPU *cpu)
- env->features[FEAT_CORE_CAPABILITY]);
- }
-
-+ if (kvm_arch_get_supported_msr_feature(kvm_state,
-+ MSR_IA32_UCODE_REV)) {
-+ kvm_msr_entry_add(cpu, MSR_IA32_UCODE_REV, cpu->ucode_rev);
-+ }
-+
- /*
- * Older kernels do not include VMX MSRs in KVM_GET_MSR_INDEX_LIST, but
- * all kernels with MSR features should have them.
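Review bot: the guard added to kvm_init_msrs() uses the return value of kvm_arch_get_supported_msr_feature(kvm_state, MSR_IA32_UCODE_REV) as an availability test, while the cpu.c hunk in the same patch uses that same return value as the revision itself. A feature-MSR value that reads as zero and an MSR that cannot be set are different conditions, and this check conflates them. Whether MSR_IA32_UCODE_REV may be passed to kvm_msr_entry_add() should come from a dedicated flag filled in when the supported MSR list is queried, as is done for the other has_msr_* checks in this file.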
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Sat, 5 Oct 2019 09:09:42 -0600
-Subject: test: add mapping from arch of i686 to qemu_arch=i386
-
-While we don't specifically set QEMU_PROG, the code which detects the
-host architecture needs a little help mapping the output of uname -m to
-what the qemu project uses to reference that architecture.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- tests/qemu-iotests/common.config | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tests/qemu-iotests/common.config b/tests/qemu-iotests/common.config
-index 9bd1a5a6fc8367c336e9f51fe22f..e1c6ffa0cca3a8f14feeb38d6da8 100644
---- a/tests/qemu-iotests/common.config
-+++ b/tests/qemu-iotests/common.config
-@@ -24,6 +24,7 @@ PATH=".:$PATH"
- HOSTOS=$(uname -s)
- arch=$(uname -m)
- [[ "$arch" =~ "ppc64" ]] && qemu_arch=ppc64 || qemu_arch="$arch"
-+[[ "$arch" = "i686" ]] && qemu_arch=i386
-
- # make sure we have a standard umask
- umask 022
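Review bot: the added test matches only the exact string "i686", so any other 32-bit x86 value from uname -m (for example i586) still falls through to qemu_arch="$arch" from the line above. If the intent is to map 32-bit x86 hosts in general, a pattern match in the style of the ppc64 line would cover them in one place. A short comment naming the QEMU target this maps to would also help, since the reason is only in the commit message.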
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Wed, 2 Oct 2019 07:28:04 -0600
-Subject: tests: Disable some block tests for now
-
-Most tests previously disabled for qemu-testsuite to be able to complete
-successfully are no longer (as of v4.1) listed as auto, and therefore
-do not get run anymore.
-
-27NOV2019 - added 161 since it is failing on s390x and ppc consistently
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- tests/qemu-iotests/group | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
-index f5e0bf86ce179a56791961f1d5c6..206b45071ee14ac0c3e2e4883a23 100644
---- a/tests/qemu-iotests/group
-+++ b/tests/qemu-iotests/group
-@@ -182,7 +182,7 @@
- 158 rw auto quick
- 159 rw auto quick
- 160 rw quick
--161 rw auto quick
-+#DISABLE FOR NOW 161 rw auto quick
- 162 quick
- 163 rw
- 165 rw quick
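Review bot: the replacement line "#DISABLE FOR NOW 161 rw auto quick" records neither why the test is disabled nor what would allow it to be re-enabled. The commit message says 161 fails consistently on s390x and ppc, but commenting it out in the group file removes it on every architecture. Please put the reason and a bug reference in the comment itself, and consider skipping only on the affected architectures so that coverage is kept elsewhere.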
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Tue, 15 Oct 2019 11:16:14 -0600
-Subject: tests: Fix block tests to be compatible with membarrier configuration
-
-The use of membarriers collides with the block test's practice of
-SIGKILLing test vm's. Have them quit politely. Tests: 130, 153 - and
-though test 161 seems to have the same issue, it is not yet fixed, but
-just marked here as possibly needing a fix.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- tests/qemu-iotests/130 | 6 ++++--
- tests/qemu-iotests/130.out | 2 ++
- tests/qemu-iotests/153 | 6 ++++--
- tests/qemu-iotests/153.out | 4 ++++
- 4 files changed, 14 insertions(+), 4 deletions(-)
-
-diff --git a/tests/qemu-iotests/130 b/tests/qemu-iotests/130
-index 77ad2aa13a06094f26d2c8991e48..fd84a4c77d192e15ee961b07994b 100755
---- a/tests/qemu-iotests/130
-+++ b/tests/qemu-iotests/130
-@@ -64,7 +64,8 @@ echo
- _launch_qemu -drive id=testdisk,file="$TEST_IMG",backing.file.filename="$TEST_IMG.base"
- _send_qemu_cmd $QEMU_HANDLE "commit testdisk" "(qemu)"
- _send_qemu_cmd $QEMU_HANDLE '' '(qemu)'
--_cleanup_qemu
-+_send_qemu_cmd $QEMU_HANDLE 'quit' ''
-+wait=1 _cleanup_qemu
- _img_info | _filter_img_info
-
- # Make sure that if there was a backing file that was just overridden on the
-@@ -73,7 +74,8 @@ _make_test_img -F raw -b "$TEST_IMG.orig" 64M
- _launch_qemu -drive id=testdisk,file="$TEST_IMG",backing.file.filename="$TEST_IMG.base",backing.driver=$IMGFMT
- _send_qemu_cmd $QEMU_HANDLE "commit testdisk" "(qemu)"
- _send_qemu_cmd $QEMU_HANDLE '' '(qemu)'
--_cleanup_qemu
-+_send_qemu_cmd $QEMU_HANDLE 'quit' ''
-+wait=1 _cleanup_qemu
- _img_info | _filter_img_info
-
- echo
-diff --git a/tests/qemu-iotests/130.out b/tests/qemu-iotests/130.out
-index e45285ccc311522481ac1b27ba99..7168bdf70c3eb32d4de0d28bb947 100644
---- a/tests/qemu-iotests/130.out
-+++ b/tests/qemu-iotests/130.out
-@@ -11,6 +11,7 @@ virtual size: 64 MiB (67108864 bytes)
- QEMU X.Y.Z monitor - type 'help' for more information
- (qemu) commit testdisk
- (qemu)
-+(qemu) quit
- image: TEST_DIR/t.IMGFMT
- file format: IMGFMT
- virtual size: 64 MiB (67108864 bytes)
-@@ -18,6 +19,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t
- QEMU X.Y.Z monitor - type 'help' for more information
- (qemu) commit testdisk
- (qemu)
-+(qemu) quit
- image: TEST_DIR/t.IMGFMT
- file format: IMGFMT
- virtual size: 64 MiB (67108864 bytes)
-diff --git a/tests/qemu-iotests/153 b/tests/qemu-iotests/153
-index c969a1a16ff8382b9bb69252f6de..39d6da725bff3932a7cb88acff8e 100755
---- a/tests/qemu-iotests/153
-+++ b/tests/qemu-iotests/153
-@@ -206,7 +206,8 @@ _send_qemu_cmd $QEMU_HANDLE \
- 'return'
- _run_cmd $QEMU_IMG commit -b "${TEST_IMG}.b" "${TEST_IMG}.c"
-
--_cleanup_qemu
-+_send_qemu_cmd $QEMU_HANDLE "{ 'execute': 'quit' }" ''
-+wait=1 _cleanup_qemu
-
- _launch_qemu
-
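Review bot: the new quit call passes an empty string as the expected response, where the _send_qemu_cmd call just above it in this hunk passes 'return'. The script therefore does not wait for the reply to quit and relies on wait=1 _cleanup_qemu alone. Because 153.out now hard-codes where the reply and the SHUTDOWN event appear, the reference output depends on when that output is flushed. Waiting for 'return' here would make the ordering deterministic. The same quit-then-wait pair is repeated in both hunks of 130 and 153 and could live in one helper.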
-@@ -258,7 +259,8 @@ _send_qemu_cmd $QEMU_HANDLE \
-
- _run_cmd $QEMU_IO "${TEST_IMG}" -c 'write 0 512'
-
--_cleanup_qemu
-+_send_qemu_cmd $QEMU_HANDLE "{ 'execute': 'quit' }" ''
-+wait=1 _cleanup_qemu
-
- echo
- echo "== Detecting -U and force-share conflicts =="
-diff --git a/tests/qemu-iotests/153.out b/tests/qemu-iotests/153.out
-index f7464dd8d345a853f7b64a67c6d0..8bc14f6abf94662473d6d93b5672 100644
---- a/tests/qemu-iotests/153.out
-+++ b/tests/qemu-iotests/153.out
-@@ -421,6 +421,8 @@ Is another process using the image [TEST_DIR/t.qcow2]?
- _qemu_img_wrapper commit -b TEST_DIR/t.qcow2.b TEST_DIR/t.qcow2.c
- { 'execute': 'qmp_capabilities' }
- {"return": {}}
-+{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
-+{"return": {}}
- Adding drive
- { 'execute': 'human-monitor-command', 'arguments': { 'command-line': 'drive_add 0 if=none,id=d0,file=TEST_DIR/t.IMGFMT' } }
- {"return": "OKrn"}
-@@ -454,6 +456,8 @@ Closing the other
- {"return": ""}
-
- _qemu_io_wrapper TEST_DIR/t.qcow2 -c write 0 512
-+{"return": {}}
-+{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
-
- == Detecting -U and force-share conflicts ==
-
+++ /dev/null
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Mon, 16 Dec 2019 14:59:44 +0400
-Subject: tests: add migration-helpers unit
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: d77799ccda4baca822308ed1648a3c72d46cf74e
-References: bsc#1184574
-
-Move a few helper functions from migration-test.c to migration-helpers.c
-
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- tests/Makefile.include | 2 +-
- tests/migration-helpers.c | 167 ++++++++++++++++++++++++++++++++++++
- tests/migration-helpers.h | 37 ++++++++
- tests/migration-test.c | 176 +++-----------------------------------
- 4 files changed, 216 insertions(+), 166 deletions(-)
-
-diff --git a/tests/Makefile.include b/tests/Makefile.include
-index 8566f5f119dd3e668abd06aa45ef..e8bb416ddb89e99c956d224de844 100644
---- a/tests/Makefile.include
-+++ b/tests/Makefile.include
-@@ -828,7 +828,7 @@ tests/usb-hcd-uhci-test$(EXESUF): tests/usb-hcd-uhci-test.o $(libqos-usb-obj-y)
- tests/usb-hcd-ehci-test$(EXESUF): tests/usb-hcd-ehci-test.o $(libqos-usb-obj-y)
- tests/usb-hcd-xhci-test$(EXESUF): tests/usb-hcd-xhci-test.o $(libqos-usb-obj-y)
- tests/cpu-plug-test$(EXESUF): tests/cpu-plug-test.o
--tests/migration-test$(EXESUF): tests/migration-test.o
-+tests/migration-test$(EXESUF): tests/migration-test.o tests/migration-helpers.o
- tests/qemu-iotests/socket_scm_helper$(EXESUF): tests/qemu-iotests/socket_scm_helper.o
- tests/test-qemu-opts$(EXESUF): tests/test-qemu-opts.o $(test-util-obj-y)
- tests/test-keyval$(EXESUF): tests/test-keyval.o $(test-util-obj-y) $(test-qapi-obj-y)
-diff --git a/tests/migration-helpers.c b/tests/migration-helpers.c
-new file mode 100644
-index 0000000000000000000000000000000000000000..516093b39a9e79f06a02ede440802ebe75729047
---- /dev/null
-+++ b/tests/migration-helpers.c
-@@ -0,0 +1,167 @@
-+/*
-+ * QTest migration helpers
-+ *
-+ * Copyright (c) 2016-2018 Red Hat, Inc. and/or its affiliates
-+ * based on the vhost-user-test.c that is:
-+ * Copyright (c) 2014 Virtual Open Systems Sarl.
-+ *
-+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
-+ * See the COPYING file in the top-level directory.
-+ *
-+ */
-+
-+#include "qemu/osdep.h"
-+#include "qapi/qmp/qjson.h"
-+
-+#include "migration-helpers.h"
-+
-+bool got_stop;
-+
-+static void stop_cb(void *opaque, const char *name, QDict *data)
-+{
-+ if (!strcmp(name, "STOP")) {
-+ got_stop = true;
-+ }
-+}
-+
-+/*
-+ * Events can get in the way of responses we are actually waiting for.
-+ */
-+QDict *wait_command_fd(QTestState *who, int fd, const char *command, ...)
-+{
-+ va_list ap;
-+
-+ va_start(ap, command);
-+ qtest_qmp_vsend_fds(who, &fd, 1, command, ap);
-+ va_end(ap);
-+
-+ return qtest_qmp_receive_success(who, stop_cb, NULL);
-+}
-+
-+/*
-+ * Events can get in the way of responses we are actually waiting for.
-+ */
-+QDict *wait_command(QTestState *who, const char *command, ...)
-+{
-+ va_list ap;
-+
-+ va_start(ap, command);
-+ qtest_qmp_vsend(who, command, ap);
-+ va_end(ap);
-+
-+ return qtest_qmp_receive_success(who, stop_cb, NULL);
-+}
-+
-+/*
-+ * Send QMP command "migrate".
-+ * Arguments are built from @fmt... (formatted like
-+ * qobject_from_jsonf_nofail()) with "uri": @uri spliced in.
-+ */
-+void migrate_qmp(QTestState *who, const char *uri, const char *fmt, ...)
-+{
-+ va_list ap;
-+ QDict *args, *rsp;
-+
-+ va_start(ap, fmt);
-+ args = qdict_from_vjsonf_nofail(fmt, ap);
-+ va_end(ap);
-+
-+ g_assert(!qdict_haskey(args, "uri"));
-+ qdict_put_str(args, "uri", uri);
-+
-+ rsp = qtest_qmp(who, "{ 'execute': 'migrate', 'arguments': %p}", args);
-+
-+ g_assert(qdict_haskey(rsp, "return"));
-+ qobject_unref(rsp);
-+}
-+
-+/*
-+ * Note: caller is responsible to free the returned object via
-+ * qobject_unref() after use
-+ */
-+QDict *migrate_query(QTestState *who)
-+{
-+ return wait_command(who, "{ 'execute': 'query-migrate' }");
-+}
-+
-+/*
-+ * Note: caller is responsible to free the returned object via
-+ * g_free() after use
-+ */
-+static gchar *migrate_query_status(QTestState *who)
-+{
-+ QDict *rsp_return = migrate_query(who);
-+ gchar *status = g_strdup(qdict_get_str(rsp_return, "status"));
-+
-+ g_assert(status);
-+ qobject_unref(rsp_return);
-+
-+ return status;
-+}
-+
-+static bool check_migration_status(QTestState *who, const char *goal,
-+ const char **ungoals)
-+{
-+ bool ready;
-+ char *current_status;
-+ const char **ungoal;
-+
-+ current_status = migrate_query_status(who);
-+ ready = strcmp(current_status, goal) == 0;
-+ if (!ungoals) {
-+ g_assert_cmpstr(current_status, !=, "failed");
-+ /*
-+ * If looking for a state other than completed,
-+ * completion of migration would cause the test to
-+ * hang.
-+ */
-+ if (strcmp(goal, "completed") != 0) {
-+ g_assert_cmpstr(current_status, !=, "completed");
-+ }
-+ } else {
-+ for (ungoal = ungoals; *ungoal; ungoal++) {
-+ g_assert_cmpstr(current_status, !=, *ungoal);
-+ }
-+ }
-+ g_free(current_status);
-+ return ready;
-+}
-+
-+void wait_for_migration_status(QTestState *who,
-+ const char *goal, const char **ungoals)
-+{
-+ while (!check_migration_status(who, goal, ungoals)) {
-+ usleep(1000);
-+ }
-+}
-+
-+void wait_for_migration_complete(QTestState *who)
-+{
-+ wait_for_migration_status(who, "completed", NULL);
-+}
-+
-+void wait_for_migration_fail(QTestState *from, bool allow_active)
-+{
-+ QDict *rsp_return;
-+ char *status;
-+ bool failed;
-+
-+ do {
-+ status = migrate_query_status(from);
-+ bool result = !strcmp(status, "setup") || !strcmp(status, "failed") ||
-+ (allow_active && !strcmp(status, "active"));
-+ if (!result) {
-+ fprintf(stderr, "%s: unexpected status status=%s allow_active=%d\n",
-+ __func__, status, allow_active);
-+ }
-+ g_assert(result);
-+ failed = !strcmp(status, "failed");
-+ g_free(status);
-+ } while (!failed);
-+
-+ /* Is the machine currently running? */
-+ rsp_return = wait_command(from, "{ 'execute': 'query-status' }");
-+ g_assert(qdict_haskey(rsp_return, "running"));
-+ g_assert(qdict_get_bool(rsp_return, "running"));
-+ qobject_unref(rsp_return);
-+}
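Review bot: wait_for_migration_fail() polls migrate_query_status() in a do/while loop with no delay between iterations, whereas wait_for_migration_status() in the same file sleeps with usleep(1000) between polls, so the failure path spins on QMP round trips. Neither loop has an upper bound, so a migration that never reaches the goal state hangs the test instead of failing it. Since this code is now shared rather than private to one test, add the same sleep to the do/while loop and consider a timeout that asserts with the last observed status.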
-diff --git a/tests/migration-helpers.h b/tests/migration-helpers.h
-new file mode 100644
-index 0000000000000000000000000000000000000000..a11808b3b77c4901cc25904282d2946cd360fbc9
---- /dev/null
-+++ b/tests/migration-helpers.h
-@@ -0,0 +1,37 @@
-+/*
-+ * QTest migration helpers
-+ *
-+ * Copyright (c) 2016-2018 Red Hat, Inc. and/or its affiliates
-+ * based on the vhost-user-test.c that is:
-+ * Copyright (c) 2014 Virtual Open Systems Sarl.
-+ *
-+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
-+ * See the COPYING file in the top-level directory.
-+ *
-+ */
-+#ifndef MIGRATION_HELPERS_H_
-+#define MIGRATION_HELPERS_H_
-+
-+#include "libqtest.h"
-+
-+extern bool got_stop;
-+
-+GCC_FMT_ATTR(3, 4)
-+QDict *wait_command_fd(QTestState *who, int fd, const char *command, ...);
-+
-+GCC_FMT_ATTR(2, 3)
-+QDict *wait_command(QTestState *who, const char *command, ...);
-+
-+GCC_FMT_ATTR(3, 4)
-+void migrate_qmp(QTestState *who, const char *uri, const char *fmt, ...);
-+
-+QDict *migrate_query(QTestState *who);
-+
-+void wait_for_migration_status(QTestState *who,
-+ const char *goal, const char **ungoals);
-+
-+void wait_for_migration_complete(QTestState *who);
-+
-+void wait_for_migration_fail(QTestState *from, bool allow_active);
-+
-+#endif /* MIGRATION_HELPERS_H_ */
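Review bot: the ownership rule for migrate_query(), that the caller must release the result with qobject_unref(), is documented only above the definition in migration-helpers.c; the prototypes here carry no comments at all. Now that these are public helpers, the contract belongs in the header, including the fact that wait_command() and wait_command_fd() also return a QDict the caller owns. The header also exports got_stop as a writable global that any includer can modify; an accessor would keep that state owned by the helper unit.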
-diff --git a/tests/migration-test.c b/tests/migration-test.c
-index df5101760b18d767251842386b9c..65982bb249f42c4995795bbac23c 100644
---- a/tests/migration-test.c
-+++ b/tests/migration-test.c
-@@ -14,7 +14,6 @@
-
- #include "libqtest.h"
- #include "qapi/qmp/qdict.h"
--#include "qapi/qmp/qjson.h"
- #include "qemu/module.h"
- #include "qemu/option.h"
- #include "qemu/range.h"
-@@ -24,6 +23,7 @@
- #include "qapi/qobject-input-visitor.h"
- #include "qapi/qobject-output-visitor.h"
-
-+#include "migration-helpers.h"
- #include "migration/migration-test.h"
-
- /* TODO actually test the results and get rid of this */
-@@ -31,7 +31,6 @@
-
- unsigned start_address;
- unsigned end_address;
--bool got_stop;
- static bool uffd_feature_thread_id;
-
- #if defined(__linux__)
-@@ -157,67 +156,6 @@ static void wait_for_serial(const char *side)
- } while (true);
- }
-
--static void stop_cb(void *opaque, const char *name, QDict *data)
--{
-- if (!strcmp(name, "STOP")) {
-- got_stop = true;
-- }
--}
--
--/*
-- * Events can get in the way of responses we are actually waiting for.
-- */
--GCC_FMT_ATTR(3, 4)
--static QDict *wait_command_fd(QTestState *who, int fd, const char *command, ...)
--{
-- va_list ap;
--
-- va_start(ap, command);
-- qtest_qmp_vsend_fds(who, &fd, 1, command, ap);
-- va_end(ap);
--
-- return qtest_qmp_receive_success(who, stop_cb, NULL);
--}
--
--/*
-- * Events can get in the way of responses we are actually waiting for.
-- */
--GCC_FMT_ATTR(2, 3)
--static QDict *wait_command(QTestState *who, const char *command, ...)
--{
-- va_list ap;
--
-- va_start(ap, command);
-- qtest_qmp_vsend(who, command, ap);
-- va_end(ap);
--
-- return qtest_qmp_receive_success(who, stop_cb, NULL);
--}
--
--/*
-- * Note: caller is responsible to free the returned object via
-- * qobject_unref() after use
-- */
--static QDict *migrate_query(QTestState *who)
--{
-- return wait_command(who, "{ 'execute': 'query-migrate' }");
--}
--
--/*
-- * Note: caller is responsible to free the returned object via
-- * g_free() after use
-- */
--static gchar *migrate_query_status(QTestState *who)
--{
-- QDict *rsp_return = migrate_query(who);
-- gchar *status = g_strdup(qdict_get_str(rsp_return, "status"));
--
-- g_assert(status);
-- qobject_unref(rsp_return);
--
-- return status;
--}
--
- /*
- * It's tricky to use qemu's migration event capability with qtest,
- * events suddenly appearing confuse the qmp()/hmp() responses.
-@@ -265,48 +203,6 @@ static void read_blocktime(QTestState *who)
- qobject_unref(rsp_return);
- }
-
--static bool check_migration_status(QTestState *who, const char *goal,
-- const char **ungoals)
--{
-- bool ready;
-- char *current_status;
-- const char **ungoal;
--
-- current_status = migrate_query_status(who);
-- ready = strcmp(current_status, goal) == 0;
-- if (!ungoals) {
-- g_assert_cmpstr(current_status, !=, "failed");
-- /*
-- * If looking for a state other than completed,
-- * completion of migration would cause the test to
-- * hang.
-- */
-- if (strcmp(goal, "completed") != 0) {
-- g_assert_cmpstr(current_status, !=, "completed");
-- }
-- } else {
-- for (ungoal = ungoals; *ungoal; ungoal++) {
-- g_assert_cmpstr(current_status, !=, *ungoal);
-- }
-- }
-- g_free(current_status);
-- return ready;
--}
--
--static void wait_for_migration_status(QTestState *who,
-- const char *goal,
-- const char **ungoals)
--{
-- while (!check_migration_status(who, goal, ungoals)) {
-- usleep(1000);
-- }
--}
--
--static void wait_for_migration_complete(QTestState *who)
--{
-- wait_for_migration_status(who, "completed", NULL);
--}
--
- static void wait_for_migration_pass(QTestState *who)
- {
- uint64_t initial_pass = get_migration_pass(who);
-@@ -513,30 +409,6 @@ static void migrate_set_capability(QTestState *who, const char *capability,
- qobject_unref(rsp);
- }
-
--/*
-- * Send QMP command "migrate".
-- * Arguments are built from @fmt... (formatted like
-- * qobject_from_jsonf_nofail()) with "uri": @uri spliced in.
-- */
--GCC_FMT_ATTR(3, 4)
--static void migrate(QTestState *who, const char *uri, const char *fmt, ...)
--{
-- va_list ap;
-- QDict *args, *rsp;
--
-- va_start(ap, fmt);
-- args = qdict_from_vjsonf_nofail(fmt, ap);
-- va_end(ap);
--
-- g_assert(!qdict_haskey(args, "uri"));
-- qdict_put_str(args, "uri", uri);
--
-- rsp = qtest_qmp(who, "{ 'execute': 'migrate', 'arguments': %p}", args);
--
-- g_assert(qdict_haskey(rsp, "return"));
-- qobject_unref(rsp);
--}
--
- static void migrate_postcopy_start(QTestState *from, QTestState *to)
- {
- QDict *rsp;
-@@ -794,7 +666,7 @@ static int migrate_postcopy_prepare(QTestState **from_ptr,
- /* Wait for the first serial output from the source */
- wait_for_serial("src_serial");
-
-- migrate(from, uri, "{}");
-+ migrate_qmp(from, uri, "{}");
- g_free(uri);
-
- wait_for_migration_pass(from);
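Review bot: the call site changes from migrate() to migrate_qmp() here and in the remaining hunks of this file, but the commit message only says the helpers are moved. The rename is a behaviour-neutral but separate change, and it affects anyone carrying out-of-tree tests that call migrate(). Mention the rename and its reason in the message, or split it into its own commit so that the move is a pure code motion that can be verified mechanically.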
-@@ -881,7 +753,7 @@ static void test_postcopy_recovery(void)
- wait_for_migration_status(from, "postcopy-paused",
- (const char * []) { "failed", "active",
- "completed", NULL });
-- migrate(from, uri, "{'resume': true}");
-+ migrate_qmp(from, uri, "{'resume': true}");
- g_free(uri);
-
- /* Restore the postcopy bandwidth to unlimited */
-@@ -890,32 +762,6 @@ static void test_postcopy_recovery(void)
- migrate_postcopy_complete(from, to);
- }
-
--static void wait_for_migration_fail(QTestState *from, bool allow_active)
--{
-- QDict *rsp_return;
-- char *status;
-- bool failed;
--
-- do {
-- status = migrate_query_status(from);
-- bool result = !strcmp(status, "setup") || !strcmp(status, "failed") ||
-- (allow_active && !strcmp(status, "active"));
-- if (!result) {
-- fprintf(stderr, "%s: unexpected status status=%s allow_active=%d\n",
-- __func__, status, allow_active);
-- }
-- g_assert(result);
-- failed = !strcmp(status, "failed");
-- g_free(status);
-- } while (!failed);
--
-- /* Is the machine currently running? */
-- rsp_return = wait_command(from, "{ 'execute': 'query-status' }");
-- g_assert(qdict_haskey(rsp_return, "running"));
-- g_assert(qdict_get_bool(rsp_return, "running"));
-- qobject_unref(rsp_return);
--}
--
- static void test_baddest(void)
- {
- QTestState *from, *to;
-@@ -923,7 +769,7 @@ static void test_baddest(void)
- if (test_migrate_start(&from, &to, "tcp:0:0", true, false, NULL, NULL)) {
- return;
- }
-- migrate(from, "tcp:0:0", "{}");
-+ migrate_qmp(from, "tcp:0:0", "{}");
- wait_for_migration_fail(from, false);
- test_migrate_end(from, to, false);
- }
-@@ -949,7 +795,7 @@ static void test_precopy_unix(void)
- /* Wait for the first serial output from the source */
- wait_for_serial("src_serial");
-
-- migrate(from, uri, "{}");
-+ migrate_qmp(from, uri, "{}");
-
- wait_for_migration_pass(from);
-
-@@ -986,7 +832,7 @@ static void test_ignore_shared(void)
- /* Wait for the first serial output from the source */
- wait_for_serial("src_serial");
-
-- migrate(from, uri, "{}");
-+ migrate_qmp(from, uri, "{}");
-
- wait_for_migration_pass(from);
-
-@@ -1032,7 +878,7 @@ static void test_xbzrle(const char *uri)
- /* Wait for the first serial output from the source */
- wait_for_serial("src_serial");
-
-- migrate(from, uri, "{}");
-+ migrate_qmp(from, uri, "{}");
-
- wait_for_migration_pass(from);
-
-@@ -1083,7 +929,7 @@ static void test_precopy_tcp(void)
-
- uri = migrate_get_socket_address(to, "socket-address");
-
-- migrate(from, uri, "{}");
-+ migrate_qmp(from, uri, "{}");
-
- wait_for_migration_pass(from);
-
-@@ -1151,7 +997,7 @@ static void test_migrate_fd_proto(void)
- close(pair[1]);
-
- /* Start migration to the 2nd socket*/
-- migrate(from, "fd:fd-mig", "{}");
-+ migrate_qmp(from, "fd:fd-mig", "{}");
-
- wait_for_migration_pass(from);
-
-@@ -1209,7 +1055,7 @@ static void do_test_validate_uuid(const char *uuid_arg_src,
- /* Wait for the first serial output from the source */
- wait_for_serial("src_serial");
-
-- migrate(from, uri, "{}");
-+ migrate_qmp(from, uri, "{}");
-
- if (should_fail) {
- qtest_set_expected_status(to, 1);
-@@ -1291,7 +1137,7 @@ static void test_migrate_auto_converge(void)
- /* Wait for the first serial output from the source */
- wait_for_serial("src_serial");
-
-- migrate(from, uri, "{}");
-+ migrate_qmp(from, uri, "{}");
-
- /* Wait for throttling begins */
- percentage = 0;
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Mon, 11 Mar 2019 22:02:37 -0600
-Subject: tests: change error message in test 162
-
-Since we have a quite restricted execution environment, as far as
-networking is concerned, we need to change the error message we expect
-in test 162. There is actually no routing set up so the error we get is
-"Network is unreachable". Change the expected output accordingly.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- tests/qemu-iotests/162.out | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/qemu-iotests/162.out b/tests/qemu-iotests/162.out
-index 5a00d36d17878376380430dad705..390cca9027e918f1a0d252753ce5 100644
---- a/tests/qemu-iotests/162.out
-+++ b/tests/qemu-iotests/162.out
-@@ -1,7 +1,7 @@
- QA output created by 162
-
- === NBD ===
--qemu-img: Could not open 'json:{"driver": "nbd", "host": -1}': address resolution failed for -1:10809: Name or service not known
-+qemu-img: Could not open 'json:{"driver": "nbd", "host": 42}': Failed to connect socket: Network is unreachable
- image: nbd://localhost:PORT
- image: nbd+unix://?socket=42
-
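Review bot: the replacement expected line changes more than the error text: the echoed JSON goes from "host": -1 to "host": 42, which the commit message does not mention, and only 162.out appears in the diffstat. Please confirm that the test script at this base really passes 42, otherwise the expectation cannot match. "Network is unreachable" is specific to a build host without routing, so the patch should be marked as environment-specific, because the same test will fail on a host with normal networking.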
+++ /dev/null
-From: Tao Xu <tao3.xu@intel.com>
-Date: Fri, 13 Dec 2019 09:19:28 +0800
-Subject: tests/numa: Add case for QMP build HMAT
-
-Git-commit: d00817c944ed15fbe4a61d44fe7f9fe166c7df88
-References: jsc#SLE-8897
-
-Check configuring HMAT usecase
-
-Acked-by: Markus Armbruster <armbru@redhat.com>
-Suggested-by: Igor Mammedov <imammedo@redhat.com>
-Signed-off-by: Tao Xu <tao3.xu@intel.com>
-Message-Id: <20191213011929.2520-8-tao3.xu@intel.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- tests/numa-test.c | 213 ++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 213 insertions(+)
-
-diff --git a/tests/numa-test.c b/tests/numa-test.c
-index 8de8581231dd3e3299bc61d40d8d..17dd807d2a4329aea2e96a845edd 100644
---- a/tests/numa-test.c
-+++ b/tests/numa-test.c
-@@ -327,6 +327,216 @@ static void pc_dynamic_cpu_cfg(const void *data)
- qtest_quit(qs);
- }
-
-+static void pc_hmat_build_cfg(const void *data)
-+{
-+ QTestState *qs = qtest_initf("%s -nodefaults --preconfig -machine hmat=on "
-+ "-smp 2,sockets=2 "
-+ "-m 128M,slots=2,maxmem=1G "
-+ "-object memory-backend-ram,size=64M,id=m0 "
-+ "-object memory-backend-ram,size=64M,id=m1 "
-+ "-numa node,nodeid=0,memdev=m0 "
-+ "-numa node,nodeid=1,memdev=m1,initiator=0 "
-+ "-numa cpu,node-id=0,socket-id=0 "
-+ "-numa cpu,node-id=0,socket-id=1",
-+ data ? (char *)data : "");
-+
-+ /* Fail: Initiator should be less than the number of nodes */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 2, 'target': 0,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\" } }")));
-+
-+ /* Fail: Target should be less than the number of nodes */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 2,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\" } }")));
-+
-+ /* Fail: Initiator should contain cpu */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 1, 'target': 0,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\" } }")));
-+
-+ /* Fail: Data-type mismatch */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0,"
-+ " 'hierarchy': \"memory\", 'data-type': \"write-latency\","
-+ " 'bandwidth': 524288000 } }")));
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0,"
-+ " 'hierarchy': \"memory\", 'data-type': \"read-bandwidth\","
-+ " 'latency': 5 } }")));
-+
-+ /* Fail: Bandwidth should be 1MB (1048576) aligned */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-bandwidth\","
-+ " 'bandwidth': 1048575 } }")));
-+
-+ /* Configuring HMAT bandwidth and latency details */
-+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\","
-+ " 'latency': 1 } }"))); /* 1 ns */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\","
-+ " 'latency': 5 } }"))); /* Fail: Duplicate configuration */
-+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-bandwidth\","
-+ " 'bandwidth': 68717379584 } }"))); /* 65534 MB/s */
-+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 1,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\","
-+ " 'latency': 65534 } }"))); /* 65534 ns */
-+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 1,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-bandwidth\","
-+ " 'bandwidth': 34358689792 } }"))); /* 32767 MB/s */
-+
-+ /* Fail: node_id should be less than the number of nodes */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 2, 'size': 10240,"
-+ " 'level': 1, 'associativity': \"direct\", 'policy': \"write-back\","
-+ " 'line': 8 } }")));
-+
-+ /* Fail: level should be less than HMAT_LB_LEVELS (4) */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240,"
-+ " 'level': 4, 'associativity': \"direct\", 'policy': \"write-back\","
-+ " 'line': 8 } }")));
-+
-+ /* Fail: associativity option should be 'none', if level is 0 */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240,"
-+ " 'level': 0, 'associativity': \"direct\", 'policy': \"none\","
-+ " 'line': 0 } }")));
-+ /* Fail: policy option should be 'none', if level is 0 */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240,"
-+ " 'level': 0, 'associativity': \"none\", 'policy': \"write-back\","
-+ " 'line': 0 } }")));
-+ /* Fail: line option should be 0, if level is 0 */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240,"
-+ " 'level': 0, 'associativity': \"none\", 'policy': \"none\","
-+ " 'line': 8 } }")));
-+
-+ /* Configuring HMAT memory side cache attributes */
-+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240,"
-+ " 'level': 1, 'associativity': \"direct\", 'policy': \"write-back\","
-+ " 'line': 8 } }")));
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240,"
-+ " 'level': 1, 'associativity': \"direct\", 'policy': \"write-back\","
-+ " 'line': 8 } }"))); /* Fail: Duplicate configuration */
-+ /* Fail: The size of level 2 size should be small than level 1 */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240,"
-+ " 'level': 2, 'associativity': \"direct\", 'policy': \"write-back\","
-+ " 'line': 8 } }")));
-+ /* Fail: The size of level 0 size should be larger than level 1 */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240,"
-+ " 'level': 0, 'associativity': \"direct\", 'policy': \"write-back\","
-+ " 'line': 8 } }")));
-+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 1, 'size': 10240,"
-+ " 'level': 1, 'associativity': \"direct\", 'policy': \"write-back\","
-+ " 'line': 8 } }")));
-+
-+ /* let machine initialization to complete and run */
-+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs,
-+ "{ 'execute': 'x-exit-preconfig' }")));
-+ qtest_qmp_eventwait(qs, "RESUME");
-+
-+ qtest_quit(qs);
-+}
-+
-+static void pc_hmat_off_cfg(const void *data)
-+{
-+ QTestState *qs = qtest_initf("%s -nodefaults --preconfig "
-+ "-smp 2,sockets=2 "
-+ "-m 128M,slots=2,maxmem=1G "
-+ "-object memory-backend-ram,size=64M,id=m0 "
-+ "-object memory-backend-ram,size=64M,id=m1 "
-+ "-numa node,nodeid=0,memdev=m0",
-+ data ? (char *)data : "");
-+
-+ /*
-+ * Fail: Enable HMAT with -machine hmat=on
-+ * before using any of hmat specific options
-+ */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'node', 'nodeid': 1, 'memdev': \"m1\","
-+ " 'initiator': 0 } }")));
-+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'node', 'nodeid': 1, 'memdev': \"m1\" } }")));
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\","
-+ " 'latency': 1 } }")));
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240,"
-+ " 'level': 1, 'associativity': \"direct\", 'policy': \"write-back\","
-+ " 'line': 8 } }")));
-+
-+ /* let machine initialization to complete and run */
-+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs,
-+ "{ 'execute': 'x-exit-preconfig' }")));
-+ qtest_qmp_eventwait(qs, "RESUME");
-+
-+ qtest_quit(qs);
-+}
-+
-+static void pc_hmat_erange_cfg(const void *data)
-+{
-+ QTestState *qs = qtest_initf("%s -nodefaults --preconfig -machine hmat=on "
-+ "-smp 2,sockets=2 "
-+ "-m 128M,slots=2,maxmem=1G "
-+ "-object memory-backend-ram,size=64M,id=m0 "
-+ "-object memory-backend-ram,size=64M,id=m1 "
-+ "-numa node,nodeid=0,memdev=m0 "
-+ "-numa node,nodeid=1,memdev=m1,initiator=0 "
-+ "-numa cpu,node-id=0,socket-id=0 "
-+ "-numa cpu,node-id=0,socket-id=1",
-+ data ? (char *)data : "");
-+
-+ /* Can't store the compressed latency */
-+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\","
-+ " 'latency': 1 } }"))); /* 1 ns */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 1,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\","
-+ " 'latency': 65535 } }"))); /* 65535 ns */
-+
-+ /* Test the 0 input (bandwidth not provided) */
-+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-bandwidth\","
-+ " 'bandwidth': 0 } }"))); /* 0 MB/s */
-+ /* Fail: bandwidth should be provided before memory side cache attributes */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240,"
-+ " 'level': 1, 'associativity': \"direct\", 'policy': \"write-back\","
-+ " 'line': 8 } }")));
-+
-+ /* Can't store the compressed bandwidth */
-+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node',"
-+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 1,"
-+ " 'hierarchy': \"memory\", 'data-type': \"access-bandwidth\","
-+ " 'bandwidth': 68718428160 } }"))); /* 65535 MB/s */
-+
-+ /* let machine initialization to complete and run */
-+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs,
-+ "{ 'execute': 'x-exit-preconfig' }")));
-+ qtest_qmp_eventwait(qs, "RESUME");
-+
-+ qtest_quit(qs);
-+}
-+
- int main(int argc, char **argv)
- {
- const char *args = NULL;
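Review bot: in pc_hmat_build_cfg() the two size-ordering negative cases do not isolate the check their comments name. The level 0 request uses 'associativity': "direct", 'policy': "write-back" and 'line': 8, each of which is already rejected by the three level-0 cases asserted earlier in the same function, so it would still fail if the size comparison were missing. Both ordering cases also use size 10240, the same as level 1, so it is unclear whether equality is the boundary under test. Use attributes that are valid for the level being probed, pick distinct sizes, and reword the comments ("should be small than", "level 0 size should be larger than level 1") so they state the rule being checked.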
-@@ -346,6 +556,9 @@ int main(int argc, char **argv)
- if (!strcmp(arch, "i386") || !strcmp(arch, "x86_64")) {
- qtest_add_data_func("/numa/pc/cpu/explicit", args, pc_numa_cpu);
- qtest_add_data_func("/numa/pc/dynamic/cpu", args, pc_dynamic_cpu_cfg);
-+ qtest_add_data_func("/numa/pc/hmat/build", args, pc_hmat_build_cfg);
-+ qtest_add_data_func("/numa/pc/hmat/off", args, pc_hmat_off_cfg);
-+ qtest_add_data_func("/numa/pc/hmat/erange", args, pc_hmat_erange_cfg);
- }
-
- if (!strcmp(arch, "ppc64")) {
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Tue, 20 Nov 2018 15:46:41 -0700
-Subject: tests/qemu-iotests: Triple timeout of i/o tests due to obs
- environment
-
-Executing tests in obs is very fickle, since you aren't guaranteed
-reliable cpu time. Triple the timeout for each test to help ensure
-we don't fail a test because the stars align against us.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- tests/qemu-iotests/common.qemu | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/qemu-iotests/common.qemu b/tests/qemu-iotests/common.qemu
-index de680cf1c7c92e50b82aa2bc0262..4f2557cc568beed038223af7660b 100644
---- a/tests/qemu-iotests/common.qemu
-+++ b/tests/qemu-iotests/common.qemu
-@@ -76,7 +76,7 @@ _timed_wait_for()
- timeout=yes
-
- QEMU_STATUS[$h]=0
-- while IFS= read -t ${QEMU_COMM_TIMEOUT} resp <&${QEMU_OUT[$h]}
-+ while IFS= read -t $((${QEMU_COMM_TIMEOUT}*3)) resp <&${QEMU_OUT[$h]}
- do
- if [ -z "${silent}" ] && [ -z "${mismatch_only}" ]; then
- echo "${resp}" | _filter_testdir | _filter_qemu \
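Review bot: $((${QEMU_COMM_TIMEOUT}*3)) assumes QEMU_COMM_TIMEOUT is always set to an integer. read -t accepts a fractional value but shell arithmetic does not, and an empty value turns the expansion into a syntax error, so a caller that exports something like 0.5 breaks every wait. Consider scaling the value where QEMU_COMM_TIMEOUT gets its default, or guarding the expansion, and make the factor overridable instead of a literal 3.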
+++ /dev/null
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Fri, 4 Jun 2021 16:34:30 +0400
-Subject: tftp: check tftp_input buffer size
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commmit: 3f17948137155f025f7809fdc38576d5d2451c3d
-References: bsc#1187366, CVE-2021-3595
-
-Fixes: CVE-2021-3595
-Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46
-
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- src/tftp.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
-index c209145282fac8afdf57dc17bcf5..5a6279396684ef809742bbbd0ee3 100644
---- a/slirp/src/tftp.c
-+++ b/slirp/src/tftp.c
-@@ -444,7 +444,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
-
- void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
- {
-- struct tftp_t *tp = (struct tftp_t *)m->m_data;
-+ struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
-+
-+ if (tp == NULL) {
-+ return;
-+ }
-
- switch (ntohs(tp->tp_op)) {
- case TFTP_RRQ:
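Review bot: the length passed to mtod_check() is offsetof(struct tftp_t, x.tp_buf), which only guarantees that the UDP header and the opcode are present. The handlers dispatched from the switch still receive the full struct tftp_t pointer, so every read from the union (block number, error code, filename and options) needs its own bound against m->m_len; please confirm that for each handler, or narrow the pointer type for the ones that only need the header. mtod_check() is not introduced by this patch, so the prerequisite commit should be named in the series.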
+++ /dev/null
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Fri, 4 Jun 2021 20:01:20 +0400
-Subject: tftp: introduce a header structure
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 990163cf3ac86b7875559f49602c4d76f46f6f30
-References: bsc#1187366, CVE-2021-3595
-
-Instead of using a composed structure and potentially reading past the
-incoming buffer, use a different structure for the header.
-
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- src/tftp.c | 60 ++++++++++++++++++++++++++++--------------------------
- src/tftp.h | 6 +++++-
- 2 files changed, 36 insertions(+), 30 deletions(-)
-
-diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
-index 5a6279396684ef809742bbbd0ee3..42c6c7a23c3f8290bba52a9458e7 100644
---- a/slirp/src/tftp.c
-+++ b/slirp/src/tftp.c
-@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt)
- }
-
- static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas,
-- struct tftp_t *tp)
-+ struct tftphdr *hdr)
- {
- struct tftp_session *spt;
- int k;
-@@ -75,7 +75,7 @@ found:
- memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas));
- spt->fd = -1;
- spt->block_size = 512;
-- spt->client_port = tp->udp.uh_sport;
-+ spt->client_port = hdr->udp.uh_sport;
- spt->slirp = slirp;
-
- tftp_session_update(spt);
-@@ -84,7 +84,7 @@ found:
- }
-
- static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
-- struct tftp_t *tp)
-+ struct tftphdr *hdr)
- {
- struct tftp_session *spt;
- int k;
-@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
-
- if (tftp_session_in_use(spt)) {
- if (sockaddr_equal(&spt->client_addr, srcsas)) {
-- if (spt->client_port == tp->udp.uh_sport) {
-+ if (spt->client_port == hdr->udp.uh_sport) {
- return k;
- }
- }
-@@ -146,13 +146,13 @@ static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt,
- }
-
- static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
-- struct tftp_t *recv_tp)
-+ struct tftphdr *hdr)
- {
- if (spt->client_addr.ss_family == AF_INET6) {
- struct sockaddr_in6 sa6, da6;
-
- sa6.sin6_addr = spt->slirp->vhost_addr6;
-- sa6.sin6_port = recv_tp->udp.uh_dport;
-+ sa6.sin6_port = hdr->udp.uh_dport;
- da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr;
- da6.sin6_port = spt->client_port;
-
-@@ -161,7 +161,7 @@ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
- struct sockaddr_in sa4, da4;
-
- sa4.sin_addr = spt->slirp->vhost_addr;
-- sa4.sin_port = recv_tp->udp.uh_dport;
-+ sa4.sin_port = hdr->udp.uh_dport;
- da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr;
- da4.sin_port = spt->client_port;
-
-@@ -183,14 +183,14 @@ static int tftp_send_oack(struct tftp_session *spt, const char *keys[],
-
- tp = tftp_prep_mbuf_data(spt, m);
-
-- tp->tp_op = htons(TFTP_OACK);
-+ tp->hdr.tp_op = htons(TFTP_OACK);
- for (i = 0; i < nb; i++) {
- n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", keys[i]);
- n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", values[i]);
- }
-
-- m->m_len = G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n;
-- tftp_udp_output(spt, m, recv_tp);
-+ m->m_len = G_SIZEOF_MEMBER(struct tftp_t, hdr.tp_op) + n;
-+ tftp_udp_output(spt, m, &recv_tp->hdr);
-
- return 0;
- }
-@@ -211,21 +211,21 @@ static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode,
-
- tp = tftp_prep_mbuf_data(spt, m);
-
-- tp->tp_op = htons(TFTP_ERROR);
-+ tp->hdr.tp_op = htons(TFTP_ERROR);
- tp->x.tp_error.tp_error_code = htons(errorcode);
- slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg),
- msg);
-
- m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 +
- strlen(msg) - sizeof(struct udphdr);
-- tftp_udp_output(spt, m, recv_tp);
-+ tftp_udp_output(spt, m, &recv_tp->hdr);
-
- out:
- tftp_session_terminate(spt);
- }
-
- static void tftp_send_next_block(struct tftp_session *spt,
-- struct tftp_t *recv_tp)
-+ struct tftphdr *hdr)
- {
- struct mbuf *m;
- struct tftp_t *tp;
-@@ -239,7 +239,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
-
- tp = tftp_prep_mbuf_data(spt, m);
-
-- tp->tp_op = htons(TFTP_DATA);
-+ tp->hdr.tp_op = htons(TFTP_DATA);
- tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff);
-
- nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf,
-@@ -257,7 +257,7 @@ static void tftp_send_next_block(struct tftp_session *spt,
-
- m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) -
- sizeof(struct udphdr);
-- tftp_udp_output(spt, m, recv_tp);
-+ tftp_udp_output(spt, m, hdr);
-
- if (nobytes == spt->block_size) {
- tftp_session_update(spt);
-@@ -280,12 +280,12 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
- int nb_options = 0;
-
- /* check if a session already exists and if so terminate it */
-- s = tftp_session_find(slirp, srcsas, tp);
-+ s = tftp_session_find(slirp, srcsas, &tp->hdr);
- if (s >= 0) {
- tftp_session_terminate(&slirp->tftp_sessions[s]);
- }
-
-- s = tftp_session_allocate(slirp, srcsas, tp);
-+ s = tftp_session_allocate(slirp, srcsas, &tp->hdr);
-
- if (s < 0) {
- return;
-@@ -411,29 +411,29 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
- }
-
- spt->block_nr = 0;
-- tftp_send_next_block(spt, tp);
-+ tftp_send_next_block(spt, &tp->hdr);
- }
-
- static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas,
-- struct tftp_t *tp, int pktlen)
-+ struct tftphdr *hdr)
- {
- int s;
-
-- s = tftp_session_find(slirp, srcsas, tp);
-+ s = tftp_session_find(slirp, srcsas, hdr);
-
- if (s < 0) {
- return;
- }
-
-- tftp_send_next_block(&slirp->tftp_sessions[s], tp);
-+ tftp_send_next_block(&slirp->tftp_sessions[s], hdr);
- }
-
- static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
-- struct tftp_t *tp, int pktlen)
-+ struct tftphdr *hdr)
- {
- int s;
-
-- s = tftp_session_find(slirp, srcsas, tp);
-+ s = tftp_session_find(slirp, srcsas, hdr);
-
- if (s < 0) {
- return;
-@@ -444,23 +444,25 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
-
- void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
- {
-- struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
-+ struct tftphdr *hdr = mtod_check(m, sizeof(struct tftphdr));
-
-- if (tp == NULL) {
-+ if (hdr == NULL) {
- return;
- }
-
-- switch (ntohs(tp->tp_op)) {
-+ switch (ntohs(hdr->tp_op)) {
- case TFTP_RRQ:
-- tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len);
-+ tftp_handle_rrq(m->slirp, srcsas,
-+ mtod(m, struct tftp_t *),
-+ m->m_len);
- break;
-
- case TFTP_ACK:
-- tftp_handle_ack(m->slirp, srcsas, tp, m->m_len);
-+ tftp_handle_ack(m->slirp, srcsas, hdr);
- break;
-
- case TFTP_ERROR:
-- tftp_handle_error(m->slirp, srcsas, tp, m->m_len);
-+ tftp_handle_error(m->slirp, srcsas, hdr);
- break;
- }
- }
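Review bot: the TFTP_RRQ branch casts with plain mtod(m, struct tftp_t *) after only sizeof(struct tftphdr) bytes have been validated, so the safety of that path rests entirely on tftp_handle_rrq() honouring the m->m_len it is passed. ACK and ERROR now take the header-only type and drop pktlen, which leaves RRQ as the one handler that can still read past the buffer if a bound is missed. A comment at the cast stating that the handler must limit every access by pktlen would make that dependency explicit.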
-diff --git a/slirp/src/tftp.h b/slirp/src/tftp.h
-index c47bb43c7d0875e0df5fa50d6ed3..021f6cf109bca7dc17d3b30fa6e9 100644
---- a/slirp/src/tftp.h
-+++ b/slirp/src/tftp.h
-@@ -18,9 +18,13 @@
- #define TFTP_FILENAME_MAX 512
- #define TFTP_BLOCKSIZE_MAX 1428
-
--struct tftp_t {
-+struct tftphdr {
- struct udphdr udp;
- uint16_t tp_op;
-+} SLIRP_PACKED;
-+
-+struct tftp_t {
-+ struct tftphdr hdr;
- union {
- struct {
- uint16_t tp_block_nr;
+++ /dev/null
-From: Jason Wang <jasowang@redhat.com>
-Date: Wed, 24 Feb 2021 13:27:52 +0800
-Subject: tx_pkt: switch to use qemu_receive_packet_iov() for loopback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 8c552542b81e56ff532dd27ec6e5328954bdda73
-
-This patch switches to use qemu_receive_receive_iov() which can detect
-reentrancy and return early.
-
-This is intended to address CVE-2021-3416.
-
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/net/net_tx_pkt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
-index 54d4c3bbd02dccc33ee3c7e710b4..646cdfaf4d1275806661deaa9e02 100644
---- a/hw/net/net_tx_pkt.c
-+++ b/hw/net/net_tx_pkt.c
-@@ -544,7 +544,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt,
- NetClientState *nc, const struct iovec *iov, int iov_cnt)
- {
- if (pkt->is_loopback) {
-- nc->info->receive_iov(nc, iov, iov_cnt);
-+ qemu_receive_packet_iov(nc, iov, iov_cnt);
- } else {
- qemu_sendv_packet(nc, iov, iov_cnt);
- }
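Review bot: the commit message names qemu_receive_receive_iov() while the code calls qemu_receive_packet_iov(); please correct the message so the CVE-2021-3416 change can be found by the real function name. In the loopback branch the return value is discarded and net_tx_pkt_sendv() is void, so a packet dropped by the reentrancy check looks the same as one that was delivered; a trace point or a comment on that branch would make the drop visible.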
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 11 Aug 2020 17:11:31 +0530
-Subject: tz-ppc: add dummy read/write methods
-
-Git-commit: 2c9fb3b784000c1df32231e1c2464bb2e3fc4620
-References: bsc#1173612, CVE-2020-15469
-
-Add tz-ppc-dummy mmio read/write methods to avoid assert failure
-during initialisation.
-
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Message-Id: <20200811114133.672647-8-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/misc/tz-ppc.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/hw/misc/tz-ppc.c b/hw/misc/tz-ppc.c
-index 181a5f1e8126732e8682b7702eaa..350ada85374c0df95ac815d41c57 100644
---- a/hw/misc/tz-ppc.c
-+++ b/hw/misc/tz-ppc.c
-@@ -196,7 +196,21 @@ static bool tz_ppc_dummy_accepts(void *opaque, hwaddr addr,
- g_assert_not_reached();
- }
-
-+static uint64_t tz_ppc_dummy_read(void *opaque, hwaddr addr, unsigned size)
-+{
-+ g_assert_not_reached();
-+}
-+
-+static void tz_ppc_dummy_write(void *opaque, hwaddr addr,
-+ uint64_t data, unsigned size)
-+{
-+ g_assert_not_reached();
-+}
-+
- static const MemoryRegionOps tz_ppc_dummy_ops = {
-+ /* define r/w methods to avoid assert failure in memory_region_init_io */
-+ .read = tz_ppc_dummy_read,
-+ .write = tz_ppc_dummy_write,
- .valid.accepts = tz_ppc_dummy_accepts,
- };
-
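Review bot: tz_ppc_dummy_read() and tz_ppc_dummy_write() abort through g_assert_not_reached(), so they are only safe if no guest access can ever be dispatched to them. The comment added to tz_ppc_dummy_ops explains why the methods exist but not why they are unreachable. State that invariant next to the callbacks (the accepts callback in the context above also ends in g_assert_not_reached()), or have them report a guest error and return 0 so that a reachable path cannot terminate the process.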
+++ /dev/null
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 18 Aug 2021 14:05:05 +0200
-Subject: uas: add stream number sanity checks.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 13b250b12ad3c59114a6a17d59caf073ce45b33a
-References: bsc#1189702 CVE-2021-3713
-
-The device uses the guest-supplied stream number unchecked, which can
-lead to guest-triggered out-of-band access to the UASDevice->data3 and
-UASDevice->status3 fields. Add the missing checks.
-
-Fixes: CVE-2021-3713
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reported-by: Chen Zhe <chenzhe@huawei.com>
-Reported-by: Tan Jingguo <tanjingguo@huawei.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-Id: <20210818120505.1258262-2-kraxel@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/usb/dev-uas.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c
-index 6d6d1073b90776d075b6ec7de8ec..0b8cd4dd5293339973613cb6ec0b 100644
---- a/hw/usb/dev-uas.c
-+++ b/hw/usb/dev-uas.c
-@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
- }
- break;
- case UAS_PIPE_ID_STATUS:
-+ if (p->stream > UAS_MAX_STREAMS) {
-+ goto err_stream;
-+ }
- if (p->stream) {
- QTAILQ_FOREACH(st, &uas->results, next) {
- if (st->stream == p->stream) {
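Review bot: p->stream > UAS_MAX_STREAMS still admits p->stream == UAS_MAX_STREAMS. That is a valid index only if the data3 and status3 arrays named in the commit message have UAS_MAX_STREAMS + 1 elements. Their declarations are not part of this diff, so please confirm the size, and use >= if they are declared with UAS_MAX_STREAMS elements.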
-@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
- break;
- case UAS_PIPE_ID_DATA_IN:
- case UAS_PIPE_ID_DATA_OUT:
-+ if (p->stream > UAS_MAX_STREAMS) {
-+ goto err_stream;
-+ }
- if (p->stream) {
- req = usb_uas_find_request(uas, p->stream);
- } else {
-@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p)
- p->status = USB_RET_STALL;
- break;
- }
-+
-+err_stream:
-+ error_report("%s: invalid stream %d", __func__, p->stream);
-+ p->status = USB_RET_STALL;
-+ return;
- }
-
- static void usb_uas_unrealize(USBDevice *dev, Error **errp)
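Review bot: the err_stream label sits directly after the closing brace of the switch with no return in front of it, so every case that leaves the switch with break falls through into the error path, logs "invalid stream" and overwrites p->status with USB_RET_STALL even for valid packets. Add a return; between the end of the switch and err_stream:.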
+++ /dev/null
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Fri, 4 Jun 2021 16:40:23 +0400
-Subject: udp: check upd_input buffer size
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 74572be49247c8c5feae7c6e0b50c4f569ca9824
-References: bsc#1187367, CVE-2021-3594
-
-Fixes: CVE-2021-3594
-Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47
-
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- src/udp.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/slirp/src/udp.c b/slirp/src/udp.c
-index 6bde20fafab5695eedd48eb37590..c2d2f40b10880ccf677b5f10bb75 100644
---- a/slirp/src/udp.c
-+++ b/slirp/src/udp.c
-@@ -90,7 +90,10 @@ void udp_input(register struct mbuf *m, int iphlen)
- /*
- * Get IP and UDP header together in first mbuf.
- */
-- ip = mtod(m, struct ip *);
-+ ip = mtod_check(m, iphlen + sizeof(struct udphdr));
-+ if (ip == NULL) {
-+ goto bad;
-+ }
- uh = (struct udphdr *)((char *)ip + iphlen);
-
- /*
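Review bot: iphlen is a signed int parameter and is added to sizeof(struct udphdr) in the mtod_check() call, so a negative value would convert to a very large unsigned length. Whether that is rejected depends on how mtod_check() compares against m->m_len, and its definition is not in this patch. Either reject iphlen < 0 explicitly before the call or note where the caller guarantees it.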
+++ /dev/null
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Fri, 4 Jun 2021 16:32:55 +0400
-Subject: upd6: check udp6_input buffer size
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: de71c15de66ba9350bf62c45b05f8fbff166517b
-References: bsc#1187365, CVE-2021-3593
-
-Fixes: CVE-2021-3593
-Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45
-
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- src/udp6.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c
-index 6f9486bbcae904542547c590b0c3..8c490e4d10abecc536ce4405e223 100644
---- a/slirp/src/udp6.c
-+++ b/slirp/src/udp6.c
-@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m)
- ip = mtod(m, struct ip6 *);
- m->m_len -= iphlen;
- m->m_data += iphlen;
-- uh = mtod(m, struct udphdr *);
-+ uh = mtod_check(m, sizeof(struct udphdr));
-+ if (uh == NULL) {
-+ goto bad;
-+ }
- m->m_len += iphlen;
- m->m_data -= iphlen;
-
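Review bot: the new check runs while m->m_len and m->m_data are temporarily advanced past the IPv6 header, and the goto bad exit skips the two lines that restore them. Please confirm that the bad path only frees the mbuf and never reads m_data or m_len; otherwise restore both fields before jumping.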
+++ /dev/null
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 25 Aug 2020 07:36:36 +0200
-Subject: usb: fix setup_len init (CVE-2020-14364)
-
-Git-commit: b946434f2659a182afc17e155be6791ebfb302eb
-References: bsc#1175441, CVE-2020-14364
-
-Store calculated setup_len in a local variable, verify it, and only
-write it to the struct (USBDevice->setup_len) in case it passed the
-sanity checks.
-
-This prevents other code (do_token_{in,out} functions specifically)
-from working with invalid USBDevice->setup_len values and overrunning
-the USBDevice->setup_buf[] buffer.
-
-Fixes: CVE-2020-14364
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Tested-by: Gonglei <arei.gonglei@huawei.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/usb/core.c | 16 ++++++++++------
- 1 file changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/hw/usb/core.c b/hw/usb/core.c
-index 5abd128b6bc5f5440e18b143fe41..5234dcc73fea6012f7143f307640 100644
---- a/hw/usb/core.c
-+++ b/hw/usb/core.c
-@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
- static void do_token_setup(USBDevice *s, USBPacket *p)
- {
- int request, value, index;
-+ unsigned int setup_len;
-
- if (p->iov.size != 8) {
- p->status = USB_RET_STALL;
-@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
- usb_packet_copy(p, s->setup_buf, p->iov.size);
- s->setup_index = 0;
- p->actual_length = 0;
-- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
-- if (s->setup_len > sizeof(s->data_buf)) {
-+ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
-+ if (setup_len > sizeof(s->data_buf)) {
- fprintf(stderr,
- "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
-- s->setup_len, sizeof(s->data_buf));
-+ setup_len, sizeof(s->data_buf));
- p->status = USB_RET_STALL;
- return;
- }
-+ s->setup_len = setup_len;
-
- request = (s->setup_buf[0] << 8) | s->setup_buf[1];
- value = (s->setup_buf[3] << 8) | s->setup_buf[2];
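Review bot: setup_len is now declared unsigned int but the fprintf in do_token_setup() still formats it with %d; use %u to match the type. The message text also still says usb_generic_handle_packet although the check lives in do_token_setup(), which is misleading when a rejected request has to be traced from the log.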
-@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
- static void do_parameter(USBDevice *s, USBPacket *p)
- {
- int i, request, value, index;
-+ unsigned int setup_len;
-
- for (i = 0; i < 8; i++) {
- s->setup_buf[i] = p->parameter >> (i*8);
- }
-
- s->setup_state = SETUP_STATE_PARAM;
-- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
- s->setup_index = 0;
-
- request = (s->setup_buf[0] << 8) | s->setup_buf[1];
- value = (s->setup_buf[3] << 8) | s->setup_buf[2];
- index = (s->setup_buf[5] << 8) | s->setup_buf[4];
-
-- if (s->setup_len > sizeof(s->data_buf)) {
-+ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
-+ if (setup_len > sizeof(s->data_buf)) {
- fprintf(stderr,
- "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
-- s->setup_len, sizeof(s->data_buf));
-+ setup_len, sizeof(s->data_buf));
- p->status = USB_RET_STALL;
- return;
- }
-+ s->setup_len = setup_len;
-
- if (p->pid == USB_TOKEN_OUT) {
- usb_packet_copy(p, s->data_buf, s->setup_len);
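Review bot: in do_parameter() `s->setup_state = SETUP_STATE_PARAM;` and `s->setup_index = 0;` are still written before the length check, so on the USB_RET_STALL return the device is left in PARAM state with the `s->setup_len` of an earlier request. That older value did pass the check, so the buffer bound holds, but it would be cleaner to update the state fields only after validation, the same way `s->setup_len` is handled now. The parse-and-check block is also duplicated verbatim from do_token_setup(); a small shared helper would keep the two paths from drifting apart again.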
+++ /dev/null
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 3 May 2021 15:29:11 +0200
-Subject: usb/hid: avoid dynamic stack allocation
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 3f67e2e7f135b8be4117f3c2960e78d894feaa03
-References: bsc#1186012, CVE-2021-3527
-
-Use autofree heap allocation instead.
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-Id: <20210503132915.2335822-2-kraxel@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/usb/dev-hid.c | 2 +-
- hw/usb/dev-wacom.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/usb/dev-hid.c b/hw/usb/dev-hid.c
-index 88492f26e64682f73978fa0358b7..7f5762adb252a31f4c2f7b18bb60 100644
---- a/hw/usb/dev-hid.c
-+++ b/hw/usb/dev-hid.c
-@@ -667,7 +667,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p)
- {
- USBHIDState *us = USB_HID(dev);
- HIDState *hs = &us->hid;
-- uint8_t buf[p->iov.size];
-+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
- int len = 0;
-
- switch (p->pid) {
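Review bot: the new `g_malloc(p->iov.size)` in usb_hid_handle_data() takes its size straight from the packet with no upper bound in this function, and g_malloc() aborts the process on allocation failure. Moving the buffer off the stack removes the stack exhaustion, but an oversized packet now turns into a large heap request or an abort, so the bound has to be enforced somewhere before this point. Please either check `p->iov.size` against a maximum here or add a comment naming the place where the size is limited.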
-diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
-index 8ed57b3b44444ad0e07e65ae0929..022e44a758e3d458f0159c3b874e 100644
---- a/hw/usb/dev-wacom.c
-+++ b/hw/usb/dev-wacom.c
-@@ -306,7 +306,7 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p,
- static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p)
- {
- USBWacomState *s = (USBWacomState *) dev;
-- uint8_t buf[p->iov.size];
-+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
- int len = 0;
-
- switch (p->pid) {
+++ /dev/null
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 3 May 2021 15:29:15 +0200
-Subject: usb: limit combined packets to 1 MiB (CVE-2021-3527)
-
-Git-commit: 05a40b172e4d691371534828078be47e7fff524c
-References: bsc#1186012, CVE-2021-3527
-
-usb-host and usb-redirect try to batch bulk transfers by combining many
-small usb packets into a single, large transfer request, to reduce the
-overhead and improve performance.
-
-This patch adds a size limit of 1 MiB for those combined packets to
-restrict the host resources the guest can bind that way.
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/usb/combined-packet.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
-index 5d57e883dcb515c9b8acc58d97b4..e56802f89a32f44bc94f3b3dbda2 100644
---- a/hw/usb/combined-packet.c
-+++ b/hw/usb/combined-packet.c
-@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
- if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
- next == NULL ||
- /* Work around for Linux usbfs bulk splitting + migration */
-- (totalsize == (16 * KiB - 36) && p->int_req)) {
-+ (totalsize == (16 * KiB - 36) && p->int_req) ||
-+ /* Next package may grow combined package over 1MiB */
-+ totalsize > 1 * MiB - ep->max_packet_size) {
- usb_device_handle_data(ep->dev, first);
- assert(first->status == USB_RET_ASYNC);
- if (first->combined) {
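Review bot: the limit in the added condition `totalsize > 1 * MiB - ep->max_packet_size` is a bare literal; a named constant defined at the top of the file would make the cap easy to find and to reuse if another path needs the same bound. The added comment also says "package" twice where the rest of the code says "packet". It would help to state in that comment that the test runs after `totalsize` has been accumulated, so the combined transfer is flushed once the next packet could push it past 1 MiB.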
+++ /dev/null
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 3 May 2021 15:29:13 +0200
-Subject: usb/mtp: avoid dynamic stack allocation
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 06aa50c06c6392084244f8169d34b8e2d9c43ef2
-References: bsc#1186012, CVE-2021-3527
-
-Use autofree heap allocation instead.
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-Id: <20210503132915.2335822-4-kraxel@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/usb/dev-mtp.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
-index 13815df4737ef8f46e6f857153b1..02bcb377f6f1cd0053808ad80ee5 100644
---- a/hw/usb/dev-mtp.c
-+++ b/hw/usb/dev-mtp.c
-@@ -906,7 +906,8 @@ static MTPData *usb_mtp_get_object_handles(MTPState *s, MTPControl *c,
- MTPObject *o)
- {
- MTPData *d = usb_mtp_data_alloc(c);
-- uint32_t i = 0, handles[o->nchildren];
-+ uint32_t i = 0;
-+ g_autofree uint32_t *handles = g_new(uint32_t, o->nchildren);
- MTPObject *iter;
-
- trace_usb_mtp_op_get_object_handles(s->dev.addr, o->handle, o->path);
+++ /dev/null
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 3 May 2021 15:29:12 +0200
-Subject: usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
-References: bsc#1186012, CVE-2021-3527
-
-Use autofree heap allocation instead.
-
-Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/usb/redirect.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
-index e0f5ca6f818b28eac0f838b6c172..dd779c45d2faa91eaeb107ca6398 100644
---- a/hw/usb/redirect.c
-+++ b/hw/usb/redirect.c
-@@ -607,7 +607,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
- .endpoint = ep,
- .length = p->iov.size
- };
-- uint8_t buf[p->iov.size];
-+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
- /* No id, we look at the ep when receiving a status back */
- usb_packet_copy(p, buf, p->iov.size);
- usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
-@@ -805,7 +805,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
- usbredirparser_send_bulk_packet(dev->parser, p->id,
- &bulk_packet, NULL, 0);
- } else {
-- uint8_t buf[size];
-+ g_autofree uint8_t *buf = g_malloc(size);
- usb_packet_copy(p, buf, size);
- usbredir_log_data(dev, "bulk data out:", buf, size);
- usbredirparser_send_bulk_packet(dev->parser, p->id,
-@@ -910,7 +910,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
- USBPacket *p, uint8_t ep)
- {
- struct usb_redir_interrupt_packet_header interrupt_packet;
-- uint8_t buf[p->iov.size];
-+ g_autofree uint8_t *buf = g_malloc(p->iov.size);
-
- DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
- p->iov.size, p->id);
+++ /dev/null
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Thu, 22 Jul 2021 09:27:56 +0200
-Subject: usbredir: fix free call
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 5e796671e6b8d5de4b0b423dce1b3eba144a92c9
-References: bsc#1189145 CVE-2021-3682
-
-data might point into the middle of a larger buffer, there is a separate
-free_on_destroy pointer passed into bufp_alloc() to handle that. It is
-only used in the normal workflow though, not when dropping packets due
-to the queue being full. Fix that.
-
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210722072756.647673-1-kraxel@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/usb/redirect.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
-index dd779c45d2faa91eaeb107ca6398..7efff2b28766f92d03a0e1d1f8bf 100644
---- a/hw/usb/redirect.c
-+++ b/hw/usb/redirect.c
-@@ -463,7 +463,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len,
- if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) {
- if (dev->endpoint[EP2I(ep)].bufpq_size >
- dev->endpoint[EP2I(ep)].bufpq_target_size) {
-- free(data);
-+ free(free_on_destroy);
- return -1;
- }
- dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;
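Review bot: the reason for `free(free_on_destroy)` instead of `free(data)` in the drop path is only explained in the commit message, and the two names look interchangeable at the call site. A one-line comment above the free() saying that `data` may point into the middle of the allocation and that `free_on_destroy` is the pointer that owns it would keep this from being "simplified" back later. It is also worth checking the other early-return paths of bufp_alloc() for the same assumption, since only this one is visible here.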
+++ /dev/null
-From: Matthew Rosato <mjrosato@linux.ibm.com>
-Date: Mon, 26 Oct 2020 11:34:32 -0400
-Subject: vfio: Create shared routine for scanning info capabilities
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 3ab7a0b40d4be5ade3b61d4afd1518193b199423
-References: bsc#1179719
-
-Rather than duplicating the same loop in multiple locations,
-create a static function to do the work.
-
-Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- hw/vfio/common.c | 21 +++++++++++++--------
- 1 file changed, 13 insertions(+), 8 deletions(-)
-
-diff --git a/hw/vfio/common.c b/hw/vfio/common.c
-index 5ca11488d67635c09088b3f5b789..77d62d2dcdf67516c3e5b42e7def 100644
---- a/hw/vfio/common.c
-+++ b/hw/vfio/common.c
-@@ -826,17 +826,12 @@ static void vfio_listener_release(VFIOContainer *container)
- }
- }
-
--struct vfio_info_cap_header *
--vfio_get_region_info_cap(struct vfio_region_info *info, uint16_t id)
-+static struct vfio_info_cap_header *
-+vfio_get_cap(void *ptr, uint32_t cap_offset, uint16_t id)
- {
- struct vfio_info_cap_header *hdr;
-- void *ptr = info;
--
-- if (!(info->flags & VFIO_REGION_INFO_FLAG_CAPS)) {
-- return NULL;
-- }
-
-- for (hdr = ptr + info->cap_offset; hdr != ptr; hdr = ptr + hdr->next) {
-+ for (hdr = ptr + cap_offset; hdr != ptr; hdr = ptr + hdr->next) {
- if (hdr->id == id) {
- return hdr;
- }
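Review bot: vfio_get_cap() now accepts any `void *ptr` plus a raw `cap_offset`, and the loop `hdr = ptr + hdr->next` follows each offset without checking it against the size of the info buffer. That was already true of the old region-only function, but a generic helper invites new callers, so either pass the buffer size in and stop when an offset falls outside it, or document the precondition that the caller has validated the capability chain. A short comment that an offset of 0 (hdr == ptr) terminates the walk would also help readers of the loop condition.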
-@@ -845,6 +840,16 @@ vfio_get_region_info_cap(struct vfio_region_info *info, uint16_t id)
- return NULL;
- }
-
-+struct vfio_info_cap_header *
-+vfio_get_region_info_cap(struct vfio_region_info *info, uint16_t id)
-+{
-+ if (!(info->flags & VFIO_REGION_INFO_FLAG_CAPS)) {
-+ return NULL;
-+ }
-+
-+ return vfio_get_cap((void *)info, info->cap_offset, id);
-+}
-+
- static int vfio_setup_region_sparse_mmaps(VFIORegion *region,
- struct vfio_region_info *info)
- {
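Review bot: the `(void *)info` cast in the new vfio_get_region_info_cap() wrapper is redundant, because the first parameter of vfio_get_cap() is already `void *` and any object pointer converts implicitly in C. Dropping it (`return vfio_get_cap(info, info->cap_offset, id);`) removes a cast that could hide a type mistake later. The flag check staying in the wrapper is right, since the flag name is specific to the region info structure.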
+++ /dev/null
-From: Matthew Rosato <mjrosato@linux.ibm.com>
-Date: Mon, 26 Oct 2020 11:34:33 -0400
-Subject: vfio: Find DMA available capability
-
-Git-commit: 7486a62845b1e12011dd99973e4739f69d57cd38
-References: bsc#1179719
-
-The underlying host may be limiting the number of outstanding DMA
-requests for type 1 IOMMU. Add helper functions to check for the
-DMA available capability and retrieve the current number of DMA
-mappings allowed.
-
-Signed-off-by: Matthew Rosato <mjrosato@linux.ibm.com>
-Reviewed-by: Cornelia Huck <cohuck@redhat.com>
-[aw: vfio_get_info_dma_avail moved inside CONFIG_LINUX]
-Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- hw/vfio/common.c | 31 +++++++++++++++++++++++++++++++
- include/hw/vfio/vfio-common.h | 2 ++
- 2 files changed, 33 insertions(+)
-
-diff --git a/hw/vfio/common.c b/hw/vfio/common.c
-index 77d62d2dcdf67516c3e5b42e7def..23efdfadebd0db3c8b7bf03e9b07 100644
---- a/hw/vfio/common.c
-+++ b/hw/vfio/common.c
-@@ -850,6 +850,37 @@ vfio_get_region_info_cap(struct vfio_region_info *info, uint16_t id)
- return vfio_get_cap((void *)info, info->cap_offset, id);
- }
-
-+static struct vfio_info_cap_header *
-+vfio_get_iommu_type1_info_cap(struct vfio_iommu_type1_info *info, uint16_t id)
-+{
-+ if (!(info->flags & VFIO_IOMMU_INFO_CAPS)) {
-+ return NULL;
-+ }
-+
-+ return vfio_get_cap((void *)info, info->cap_offset, id);
-+}
-+
-+bool vfio_get_info_dma_avail(struct vfio_iommu_type1_info *info,
-+ unsigned int *avail)
-+{
-+ struct vfio_info_cap_header *hdr;
-+ struct vfio_iommu_type1_info_dma_avail *cap;
-+
-+ /* If the capability cannot be found, assume no DMA limiting */
-+ hdr = vfio_get_iommu_type1_info_cap(info,
-+ VFIO_IOMMU_TYPE1_INFO_DMA_AVAIL);
-+ if (hdr == NULL) {
-+ return false;
-+ }
-+
-+ if (avail != NULL) {
-+ cap = (void *) hdr;
-+ *avail = cap->avail;
-+ }
-+
-+ return true;
-+}
-+
- static int vfio_setup_region_sparse_mmaps(VFIORegion *region,
- struct vfio_region_info *info)
- {
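Review bot: the return contract of vfio_get_info_dma_avail() is not documented: the comment says "assume no DMA limiting" but the code returns false and leaves `*avail` untouched, so a caller that ignores the return value reads an uninitialized count. Please add a doc comment (here or at the prototype in vfio-common.h) stating that false means the capability is absent and `*avail` is not written, and that `avail` may be NULL to probe for the capability only. The `cap = (void *) hdr;` assignment could also be a direct cast to `struct vfio_iommu_type1_info_dma_avail *` to make the intended type visible.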
-diff --git a/include/hw/vfio/vfio-common.h b/include/hw/vfio/vfio-common.h
-index fd564209ac710afb15325a452b8f..aa6cbe4a99890a229aa7a1e0c39c 100644
---- a/include/hw/vfio/vfio-common.h
-+++ b/include/hw/vfio/vfio-common.h
-@@ -191,6 +191,8 @@ int vfio_get_dev_region_info(VFIODevice *vbasedev, uint32_t type,
- bool vfio_has_region_cap(VFIODevice *vbasedev, int region, uint16_t cap_type);
- struct vfio_info_cap_header *
- vfio_get_region_info_cap(struct vfio_region_info *info, uint16_t id);
-+bool vfio_get_info_dma_avail(struct vfio_iommu_type1_info *info,
-+ unsigned int *avail);
- #endif
- extern const MemoryListener vfio_prereg_listener;
-
+++ /dev/null
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 11 Aug 2020 17:11:27 +0530
-Subject: vfio: add quirk device write method
-
-Git-commit: 24202d2b561c3b4c48bd28383c8c34b4ac66c2bf
-References: bsc#1173612, CVE-2020-15469
-
-Add vfio quirk device mmio write method to avoid NULL pointer
-dereference issue.
-
-Reported-by: Lei Sun <slei.casper@gmail.com>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Acked-by: Alex Williamson <alex.williamson@redhat.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20200811114133.672647-4-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/vfio/pci-quirks.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
-index 136f3a9ad6e560a0f8a31c7b2b3a..a9656c0deec36a04440f1d8fcb83 100644
---- a/hw/vfio/pci-quirks.c
-+++ b/hw/vfio/pci-quirks.c
-@@ -13,6 +13,7 @@
- #include "qemu/osdep.h"
- #include "exec/memop.h"
- #include "qemu/units.h"
-+#include "qemu/log.h"
- #include "qemu/error-report.h"
- #include "qemu/main-loop.h"
- #include "qemu/module.h"
-@@ -278,8 +279,15 @@ static uint64_t vfio_ati_3c3_quirk_read(void *opaque,
- return data;
- }
-
-+static void vfio_ati_3c3_quirk_write(void *opaque, hwaddr addr,
-+ uint64_t data, unsigned size)
-+{
-+ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__);
-+}
-+
- static const MemoryRegionOps vfio_ati_3c3_quirk = {
- .read = vfio_ati_3c3_quirk_read,
-+ .write = vfio_ati_3c3_quirk_write,
- .endianness = DEVICE_LITTLE_ENDIAN,
- };
-
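Review bot: the message logged by vfio_ati_3c3_quirk_write() carries no detail, so a guest that hits this path produces identical lines with nothing to correlate. Since `addr`, `data` and `size` are all available as parameters, include at least the address and size in the LOG_GUEST_ERROR message. Registering `.write` is the actual fix for the NULL dereference; the other quirk MemoryRegionOps in this file that define only `.read` deserve the same check.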
+++ /dev/null
-From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
-Date: Wed, 12 Jun 2013 19:26:37 +0200
-Subject: vga: Raise VRAM to 16 MiB for pc-0.15 and below
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-References: bnc#812836
-
-qemu-kvm.git commit a7fe0297840908a4fd65a1cf742481ccd45960eb
-(Extend vram size to 16MB) deviated from qemu.git since kvm-61, and only
-in commit 9e56edcf8dd1d4bc7ba2b1efb3641f36c0fad8ba (vga: raise default
-vgamem size) did qemu.git adjust the VRAM size for v1.2.
-
-Add compatibility properties so that up to and including pc-0.15 we
-maintain migration compatibility with qemu-kvm rather than QEMU and
-from pc-1.0 on with QEMU (last qemu-kvm release was 1.2).
-
-Signed-off-by: Andreas Färber <afaerber@suse.de>
-[BR: adjust comma position in list in macro for v2.5.0 compat]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/i386/pc_piix.c | 25 +++++++++++++++++++++++++
- 1 file changed, 25 insertions(+)
-
-diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
-index 1bd70d1abbc434edb8b5ca69ee5d..d760d3589607daf4997ea76854c4 100644
---- a/hw/i386/pc_piix.c
-+++ b/hw/i386/pc_piix.c
-@@ -804,6 +804,31 @@ static void pc_i440fx_0_15_machine_options(MachineClass *m)
- {
- static GlobalProperty compat[] = {
- PC_CPU_MODEL_IDS("0.15")
-+ {
-+ .driver = "VGA",
-+ .property = "vgamem_mb",
-+ .value = stringify(16),
-+ },{
-+ .driver = "vmware-svga",
-+ .property = "vgamem_mb",
-+ .value = stringify(16),
-+ },{
-+ .driver = "qxl-vga",
-+ .property = "vgamem_mb",
-+ .value = stringify(16),
-+ },{
-+ .driver = "qxl",
-+ .property = "vgamem_mb",
-+ .value = stringify(16),
-+ },{
-+ .driver = "isa-cirrus-vga",
-+ .property = "vgamem_mb",
-+ .value = stringify(16),
-+ },{
-+ .driver = "cirrus-vga",
-+ .property = "vgamem_mb",
-+ .value = stringify(16),
-+ },
- };
-
- pc_i440fx_1_0_machine_options(m);
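Review bot: the first added `{` follows `PC_CPU_MODEL_IDS("0.15")` with no separator, so the array only compiles if that macro's expansion ends with a comma. The commit message already mentions adjusting the comma position for a rebase, which shows how fragile this is; a comment at the macro use, or moving the new entries in front of the macro, would make the dependency explicit. The six entries also differ only in `.driver`, so a small local macro taking the driver name would cut the repetition and the chance of one entry diverging.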
+++ /dev/null
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Thu, 25 Jun 2020 11:17:09 +0200
-Subject: vga: fix cirrus bios
-
-Git-commit: d11c75185276ded944f2ea0277532b7fee849bbc
-
-Little mistake, big effect. The patch adding the ati driver broke
-cirrus due to a missing "else", which effectively downgrades cirrus
-to standard vga.
-
-Fixes: 34b6ecc16074 ("vga: add atiext driver")
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- vgasrc/vgahw.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/roms/seabios/vgasrc/vgahw.h b/roms/seabios/vgasrc/vgahw.h
-index c774f4f2c6b7c8012096bac2f0ed..8b64660e5ef70d71b440013300bc 100644
---- a/roms/seabios/vgasrc/vgahw.h
-+++ b/roms/seabios/vgasrc/vgahw.h
-@@ -36,7 +36,7 @@ static inline int vgahw_set_mode(struct vgamode_s *vmode_g, int flags) {
- static inline void vgahw_list_modes(u16 seg, u16 *dest, u16 *last) {
- if (CONFIG_VGA_CIRRUS)
- clext_list_modes(seg, dest, last);
-- if (CONFIG_VGA_ATI)
-+ else if (CONFIG_VGA_ATI)
- ati_list_modes(seg, dest, last);
- else if (CONFIG_VGA_BOCHS)
- bochsvga_list_modes(seg, dest, last);
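Review bot: the unbraced if / else-if chain in vgahw_list_modes() is what let the missing `else` go unnoticed, and the fix keeps the same shape. If the file's style allows it, bracing each branch would make the next driver added to the chain harder to get wrong. The other dispatch helpers in this header that gained a CONFIG_VGA_ATI branch in the same earlier change should be checked for the same omission, since only this function is visible in the hunk.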
+++ /dev/null
-From: Jason Wang <jasowang@redhat.com>
-Date: Mon, 2 Mar 2020 12:24:54 +0800
-Subject: vhost: correctly turn on VIRTIO_F_IOMMU_PLATFORM
-
-References: bsc#1167075, bsc#1167445
-
-We turn on device IOTLB via VIRTIO_F_IOMMU_PLATFORM unconditionally on
-platform without IOMMU support. This can lead unnecessary IOTLB
-transactions which will damage the performance.
-
-Fixing this by check whether the device is backed by IOMMU and disable
-device IOTLB.
-
-Reported-by: Halil Pasic <pasic@linux.ibm.com>
-Tested-by: Halil Pasic <pasic@linux.ibm.com>
-Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Message-Id: <20200302042454.24814-1-jasowang@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry picked from commit f7ef7e6e3ba6e994e070cc609eb154339d1c4a11)
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/virtio/vhost.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
-index 4da0d5a6c5867325cb8cacab4894..554e76434ffaf2dc9ada0d4bdd7a 100644
---- a/hw/virtio/vhost.c
-+++ b/hw/virtio/vhost.c
-@@ -290,7 +290,14 @@ static int vhost_dev_has_iommu(struct vhost_dev *dev)
- {
- VirtIODevice *vdev = dev->vdev;
-
-- return virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM);
-+ /*
-+ * For vhost, VIRTIO_F_IOMMU_PLATFORM means the backend support
-+ * incremental memory mapping API via IOTLB API. For platform that
-+ * does not have IOMMU, there's no need to enable this feature
-+ * which may cause unnecessary IOTLB miss/update trnasactions.
-+ */
-+ return vdev->dma_as != &address_space_memory &&
-+ virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM);
- }
-
- static void *vhost_memory_map(struct vhost_dev *dev, hwaddr addr,
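Review bot: the new test `vdev->dma_as != &address_space_memory` is the stand-in for "this device sits behind an IOMMU", but the comment in vhost_dev_has_iommu() does not say so and a reader has to infer it. Please state that in the comment, and fix "trnasactions" and "the backend support" while there. The function is declared to return int but now returns a boolean expression; switching the return type to bool would match how the second hunk uses it in `if (!vhost_dev_has_iommu(dev))`.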
-@@ -762,6 +769,9 @@ static int vhost_dev_set_features(struct vhost_dev *dev,
- if (enable_log) {
- features |= 0x1ULL << VHOST_F_LOG_ALL;
- }
-+ if (!vhost_dev_has_iommu(dev)) {
-+ features &= ~(0x1ULL << VIRTIO_F_IOMMU_PLATFORM);
-+ }
- r = dev->vhost_ops->vhost_set_features(dev, features);
- if (r < 0) {
- VHOST_OPS_DEBUG("vhost_set_features failed");
+++ /dev/null
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:04:03 -0700
-Subject: vhost-user-gpu: abstract vg_cleanup_mapping_iov
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 3ea32d1355d446057c17458238db2749c52ee8f0
-References: CVE-2021-3546 bsc#1185981
- CVE-2021-3545 bsc#1185990
- CVE-2021-3544
-
-Currently in vhost-user-gpu, we free resource directly in
-the cleanup case of resource. If we change the cleanup logic
-we need to change several places, also abstruct a
-'vg_create_mapping_iov' can be symmetry with the
-'vg_create_mapping_iov'. This is like what virtio-gpu does,
-no function changed.
-
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-9-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
----
- contrib/vhost-user-gpu/main.c | 24 ++++++++++++++++++++----
- contrib/vhost-user-gpu/virgl.c | 9 +++++----
- contrib/vhost-user-gpu/vugpu.h | 2 +-
- 3 files changed, 26 insertions(+), 9 deletions(-)
-
-diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c
-index 9554e8984b878711e5f3dd043101..75c1aa6ed54f08b3d8c141f854aa 100644
---- a/contrib/vhost-user-gpu/main.c
-+++ b/contrib/vhost-user-gpu/main.c
-@@ -49,6 +49,8 @@ static char *opt_render_node;
- static gboolean opt_virgl;
-
- static void vg_handle_ctrl(VuDev *dev, int qidx);
-+static void vg_cleanup_mapping(VuGpu *g,
-+ struct virtio_gpu_simple_resource *res);
-
- static const char *
- vg_cmd_to_string(int cmd)
-@@ -379,7 +381,7 @@ vg_resource_destroy(VuGpu *g,
- }
-
- vugbm_buffer_destroy(&res->buffer);
-- g_free(res->iov);
-+ vg_cleanup_mapping(g, res);
- pixman_image_unref(res->image);
- QTAILQ_REMOVE(&g->reslist, res, next);
- g_free(res);
-@@ -483,6 +485,22 @@ vg_resource_attach_backing(VuGpu *g,
- res->iov_cnt = ab.nr_entries;
- }
-
-+/* Though currently only free iov, maybe later will do more work. */
-+void vg_cleanup_mapping_iov(VuGpu *g,
-+ struct iovec *iov, uint32_t count)
-+{
-+ g_free(iov);
-+}
-+
-+static void
-+vg_cleanup_mapping(VuGpu *g,
-+ struct virtio_gpu_simple_resource *res)
-+{
-+ vg_cleanup_mapping_iov(g, res->iov, res->iov_cnt);
-+ res->iov = NULL;
-+ res->iov_cnt = 0;
-+}
-+
- static void
- vg_resource_detach_backing(VuGpu *g,
- struct virtio_gpu_ctrl_command *cmd)
-@@ -501,9 +519,7 @@ vg_resource_detach_backing(VuGpu *g,
- return;
- }
-
-- g_free(res->iov);
-- res->iov = NULL;
-- res->iov_cnt = 0;
-+ vg_cleanup_mapping(g, res);
- }
-
- static void
-diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
-index 1f7678ecb82432640401636f1276..031e10e8b9f1aa666ab0a8c3ca62 100644
---- a/contrib/vhost-user-gpu/virgl.c
-+++ b/contrib/vhost-user-gpu/virgl.c
-@@ -113,8 +113,9 @@ virgl_cmd_resource_unref(VuGpu *g,
- virgl_renderer_resource_detach_iov(unref.resource_id,
- &res_iovs,
- &num_iovs);
-- g_free(res_iovs);
--
-+ if (res_iovs != NULL && num_iovs != 0) {
-+ vg_cleanup_mapping_iov(g, res_iovs, num_iovs);
-+ }
- virgl_renderer_resource_unref(unref.resource_id);
- }
-
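Review bot: the guard added in virgl_cmd_resource_unref(), `if (res_iovs != NULL && num_iovs != 0)`, changes behaviour even though the commit message says no function changed. The previous code called `g_free(res_iovs)` unconditionally, so a non-NULL `res_iovs` returned together with a zero `num_iovs` was freed before and is leaked now. Since vg_cleanup_mapping_iov() only calls g_free(), which accepts NULL, the guard can be dropped, or reduced to the NULL test if a guard is wanted for the later, heavier cleanup the comment in main.c anticipates.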
-@@ -291,7 +292,7 @@ virgl_resource_attach_backing(VuGpu *g,
- ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
- res_iovs, att_rb.nr_entries);
- if (ret != 0) {
-- g_free(res_iovs);
-+ vg_cleanup_mapping_iov(g, res_iovs, att_rb.nr_entries);
- }
- }
-
-@@ -311,7 +312,7 @@ virgl_resource_detach_backing(VuGpu *g,
- if (res_iovs == NULL || num_iovs == 0) {
- return;
- }
-- g_free(res_iovs);
-+ vg_cleanup_mapping_iov(g, res_iovs, num_iovs);
- }
-
- static void
-diff --git a/contrib/vhost-user-gpu/vugpu.h b/contrib/vhost-user-gpu/vugpu.h
-index 3153c9a6de1409b8a0f0bc16b287..284e19aeb86f5b0e01f11b7d1ab7 100644
---- a/contrib/vhost-user-gpu/vugpu.h
-+++ b/contrib/vhost-user-gpu/vugpu.h
-@@ -164,7 +164,7 @@ int vg_create_mapping_iov(VuGpu *g,
- struct virtio_gpu_resource_attach_backing *ab,
- struct virtio_gpu_ctrl_command *cmd,
- struct iovec **iov);
--
-+void vg_cleanup_mapping_iov(VuGpu *g, struct iovec *iov, uint32_t count);
- void vg_get_display_info(VuGpu *vg, struct virtio_gpu_ctrl_command *cmd);
-
- void vg_wait_ok(VuGpu *g);
+++ /dev/null
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:04:02 -0700
-Subject: vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset'
- (CVE-2021-3546)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 9f22893adcb02580aee5968f32baa2cd109b3ec2
-References: CVE-2021-3546 bsc#1185981
-
-If 'virgl_cmd_get_capset' set 'max_size' to 0,
-the 'virgl_renderer_fill_caps' will write the data after the 'resp'.
-This patch avoid this by checking the returned 'max_size'.
-
-virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check
-virgl capabilities max_size")
-
-Fixes: CVE-2021-3546
-Reported-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-8-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
----
- contrib/vhost-user-gpu/virgl.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
-index 305caceba71e371d1534ad8237da..1f7678ecb82432640401636f1276 100644
---- a/contrib/vhost-user-gpu/virgl.c
-+++ b/contrib/vhost-user-gpu/virgl.c
-@@ -174,6 +174,10 @@ virgl_cmd_get_capset(VuGpu *g,
-
- virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
- &max_size);
-+ if (!max_size) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
-+ return;
-+ }
- resp = g_malloc0(sizeof(*resp) + max_size);
-
- resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
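Review bot: the new `if (!max_size)` check in virgl_cmd_get_capset() has no comment, and nothing at this point in the code tells the reader why a zero size must be rejected rather than answered with an empty capset. One line stating that the renderer would otherwise write caps past the end of a `resp` allocated with `sizeof(*resp) + 0` would tie the check to the allocation that follows. Placing the check between virgl_renderer_get_cap_set() and g_malloc0() is the right spot, since nothing has been allocated yet on the error return.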
+++ /dev/null
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:04:00 -0700
-Subject: vhost-user-gpu: fix leak in 'virgl_cmd_resource_unref'
- (CVE-2021-3544)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-comit: f6091d86ba9ea05f4e111b9b42ee0005c37a6779
-References: CVE-2021-3544
-
-The 'res->iov' will be leaked if the guest trigger following sequences:
-
- virgl_cmd_create_resource_2d
- virgl_resource_attach_backing
- virgl_cmd_resource_unref
-
-This patch fixes this.
-
-Fixes: CVE-2021-3544
-Reported-by: Li Qiang <liq3ea@163.com>
-virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
-in virgl_cmd_resource_unref"
-
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-6-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
-[jrz: tweaked title to not break spec file]
----
- contrib/vhost-user-gpu/virgl.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
-index a26fb96325ac2a459bbea8cc4240..ec8caca72f08026bf3cf859d2a55 100644
---- a/contrib/vhost-user-gpu/virgl.c
-+++ b/contrib/vhost-user-gpu/virgl.c
-@@ -105,9 +105,16 @@ virgl_cmd_resource_unref(VuGpu *g,
- struct virtio_gpu_ctrl_command *cmd)
- {
- struct virtio_gpu_resource_unref unref;
-+ struct iovec *res_iovs = NULL;
-+ int num_iovs = 0;
-
- VUGPU_FILL_CMD(unref);
-
-+ virgl_renderer_resource_detach_iov(unref.resource_id,
-+ &res_iovs,
-+ &num_iovs);
-+ g_free(res_iovs);
-+
- virgl_renderer_resource_unref(unref.resource_id);
- }
-
+++ /dev/null
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:04:01 -0700
-Subject: vhost-user-gpu: fix leak in 'virgl_resource_attach_backing'
- (CVE-2021-3544)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 63736af5a6571d9def93769431e0d7e38c6677bf
-References: CVE-2021-3544
-
-If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will
-be leaked.
-
-Fixes: CVE-2021-3544
-Reported-by: Li Qiang <liq3ea@163.com>
-virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak
-in resource attach backing")
-
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-7-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
-[jrz: tweak title to not break spec file]
----
- contrib/vhost-user-gpu/virgl.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
-index ec8caca72f08026bf3cf859d2a55..305caceba71e371d1534ad8237da 100644
---- a/contrib/vhost-user-gpu/virgl.c
-+++ b/contrib/vhost-user-gpu/virgl.c
-@@ -284,8 +284,11 @@ virgl_resource_attach_backing(VuGpu *g,
- return;
- }
-
-- virgl_renderer_resource_attach_iov(att_rb.resource_id,
-+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
- res_iovs, att_rb.nr_entries);
-+ if (ret != 0) {
-+ g_free(res_iovs);
-+ }
- }
-
- static void
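Review bot: on the new failure branch `if (ret != 0)` only `g_free(res_iovs)` runs and `cmd->error` is never set, so the guest appears to get a success response for an attach that did not happen. Setting an error code in that branch, as the earlier return paths in this function presumably do, would make the failure visible to the guest. The continuation line `res_iovs, att_rb.nr_entries);` also kept its old indentation and no longer lines up with the opening parenthesis after the `ret = ` prefix was added.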
+++ /dev/null
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:03:56 -0700
-Subject: vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info
- (CVE-2021-3545)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 121841b25d72d13f8cad554363138c360f1250ea
-References: CVE-2021-3545 bsc#1185990
-
-Otherwise some of the 'resp' will be leaked to guest.
-
-Fixes: CVE-2021-3545
-Reported-by: Li Qiang <liq3ea@163.com>
-virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak
-in getting capset info dispatch")
-
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-2-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
----
- contrib/vhost-user-gpu/virgl.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c
-index b0bc22c3c13db0e8b0b450dac19d..a26fb96325ac2a459bbea8cc4240 100644
---- a/contrib/vhost-user-gpu/virgl.c
-+++ b/contrib/vhost-user-gpu/virgl.c
-@@ -125,6 +125,7 @@ virgl_cmd_get_capset_info(VuGpu *g,
-
- VUGPU_FILL_CMD(info);
-
-+ memset(&resp, 0, sizeof(resp));
- if (info.capset_index == 0) {
- resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
- virgl_renderer_get_cap_set(resp.capset_id,
+++ /dev/null
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:03:58 -0700
-Subject: vhost-user-gpu: fix memory leak in vg_resource_attach_backing
- (CVE-2021-3544)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: b9f79858a614d95f5de875d0ca31096eaab72c3b
-References: CVE-2021-3544
-
-Check whether the 'res' has already been attach_backing to avoid
-memory leak.
-
-Fixes: CVE-2021-3544
-Reported-by: Li Qiang <liq3ea@163.com>
-virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak
-in resource attach backing")
-
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-4-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
----
- contrib/vhost-user-gpu/main.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c
-index 74c97c1585f6bd2e9cef94cde3af..e728237858d279a32698c0fc0de7 100644
---- a/contrib/vhost-user-gpu/main.c
-+++ b/contrib/vhost-user-gpu/main.c
-@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g,
- return;
- }
-
-+ if (res->iov) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
-+ return;
-+ }
-+
- ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov);
- if (ret != 0) {
- cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
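Review bot: the new "if (res->iov)" guard in vg_resource_attach_backing is only correct if every path that releases the backing also resets res->iov to NULL, and this hunk does not show that. Please confirm the detach path clears the pointer, otherwise a resource can never be re-attached after a detach. A g_critical naming the resource id would also help diagnose a guest that sends a duplicate attach.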
+++ /dev/null
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:03:59 -0700
-Subject: vhost-user-gpu: fix memory leak while calling 'vg_resource_unref'
- (CVE-2021-3544)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e
-References: CVE-2021-3544
-
-If the guest trigger following sequences, the attach_backing will be leaked:
-
- vg_resource_create_2d
- vg_resource_attach_backing
- vg_resource_unref
-
-This patch fix this by freeing 'res->iov' in vg_resource_destroy.
-
-Fixes: CVE-2021-3544
-Reported-by: Li Qiang <liq3ea@163.com>
-virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak
-in virgl_cmd_resource_unref")
-
-Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-5-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
----
- contrib/vhost-user-gpu/main.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c
-index e728237858d279a32698c0fc0de7..9554e8984b878711e5f3dd043101 100644
---- a/contrib/vhost-user-gpu/main.c
-+++ b/contrib/vhost-user-gpu/main.c
-@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g,
- }
-
- vugbm_buffer_destroy(&res->buffer);
-+ g_free(res->iov);
- pixman_image_unref(res->image);
- QTAILQ_REMOVE(&g->reslist, res, next);
- g_free(res);
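Review bot: g_free(res->iov) in vg_resource_destroy releases only the iovec array. If the entries set up at attach time need their own teardown, this leaves them behind; calling the same cleanup the detach-backing path uses would keep the two paths consistent.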
+++ /dev/null
-From: Li Qiang <liq3ea@163.com>
-Date: Sat, 15 May 2021 20:03:57 -0700
-Subject: vhost-user-gpu: fix resource leak in 'vg_resource_create_2d'
- (CVE-2021-3544)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Git-commit: 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e
-References: CVE-2021-3544
-
-Call 'vugbm_buffer_destroy' in error path to avoid resource leak.
-
-Fixes: CVE-2021-3544
-Reported-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Li Qiang <liq3ea@163.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20210516030403.107723-3-liq3ea@163.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
----
- contrib/vhost-user-gpu/main.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c
-index a019d0a9acea61a7629f1c74c79a..74c97c1585f6bd2e9cef94cde3af 100644
---- a/contrib/vhost-user-gpu/main.c
-+++ b/contrib/vhost-user-gpu/main.c
-@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g,
- g_critical("%s: resource creation failed %d %d %d",
- __func__, c2d.resource_id, c2d.width, c2d.height);
- g_free(res);
-+ vugbm_buffer_destroy(&res->buffer);
- cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY;
- return;
- }
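Review bot: the added vugbm_buffer_destroy(&res->buffer) in the vg_resource_create_2d error path runs after the existing g_free(res), so it dereferences freed memory. The fix for the leak introduces a use-after-free. Move the new call above g_free(res).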
+++ /dev/null
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Mon, 9 Dec 2019 21:09:57 +0000
-Subject: virtio: don't enable notifications during polling
-
-Git-commit: d0435bc513e23a4961b6af20164d1c6c219eb4ea
-
-Virtqueue notifications are not necessary during polling, so we disable
-them. This allows the guest driver to avoid MMIO vmexits.
-Unfortunately the virtio-blk and virtio-scsi handler functions re-enable
-notifications, defeating this optimization.
-
-Fix virtio-blk and virtio-scsi emulation so they leave notifications
-disabled. The key thing to remember for correctness is that polling
-always checks one last time after ending its loop, therefore it's safe
-to lose the race when re-enabling notifications at the end of polling.
-
-There is a measurable performance improvement of 5-10% with the null-co
-block driver. Real-life storage configurations will see a smaller
-improvement because the MMIO vmexit overhead contributes less to
-latency.
-
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-Id: <20191209210957.65087-1-stefanha@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/block/virtio-blk.c | 9 +++++++--
- hw/scsi/virtio-scsi.c | 9 +++++++--
- hw/virtio/virtio.c | 12 ++++++------
- include/hw/virtio/virtio.h | 1 +
- 4 files changed, 21 insertions(+), 10 deletions(-)
-
-diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
-index 4c357d2928ff1cfe94a601c93ffa..c4e55fb3defb711dbc39b67e00a1 100644
---- a/hw/block/virtio-blk.c
-+++ b/hw/block/virtio-blk.c
-@@ -764,13 +764,16 @@ bool virtio_blk_handle_vq(VirtIOBlock *s, VirtQueue *vq)
- {
- VirtIOBlockReq *req;
- MultiReqBuffer mrb = {};
-+ bool suppress_notifications = virtio_queue_get_notification(vq);
- bool progress = false;
-
- aio_context_acquire(blk_get_aio_context(s->blk));
- blk_io_plug(s->blk);
-
- do {
-- virtio_queue_set_notification(vq, 0);
-+ if (suppress_notifications) {
-+ virtio_queue_set_notification(vq, 0);
-+ }
-
- while ((req = virtio_blk_get_request(s, vq))) {
- progress = true;
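Review bot: suppress_notifications in virtio_blk_handle_vq is initialised from virtio_queue_get_notification(vq), so it is true when notifications were enabled on entry and false during polling. The name does not say that, and nothing documents that the value is sampled once before the loop. A short comment, or a name that describes the sampled state, would make the two "if (suppress_notifications)" blocks easier to verify.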
-@@ -781,7 +784,9 @@ bool virtio_blk_handle_vq(VirtIOBlock *s, VirtQueue *vq)
- }
- }
-
-- virtio_queue_set_notification(vq, 1);
-+ if (suppress_notifications) {
-+ virtio_queue_set_notification(vq, 1);
-+ }
- } while (!virtio_queue_empty(vq));
-
- if (mrb.num_reqs) {
-diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
-index e8b2b64d09fb185404fa83882ba9..f080545f48e6a3e411caf641b935 100644
---- a/hw/scsi/virtio-scsi.c
-+++ b/hw/scsi/virtio-scsi.c
-@@ -597,12 +597,15 @@ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
- {
- VirtIOSCSIReq *req, *next;
- int ret = 0;
-+ bool suppress_notifications = virtio_queue_get_notification(vq);
- bool progress = false;
-
- QTAILQ_HEAD(, VirtIOSCSIReq) reqs = QTAILQ_HEAD_INITIALIZER(reqs);
-
- do {
-- virtio_queue_set_notification(vq, 0);
-+ if (suppress_notifications) {
-+ virtio_queue_set_notification(vq, 0);
-+ }
-
- while ((req = virtio_scsi_pop_req(s, vq))) {
- progress = true;
-@@ -622,7 +625,9 @@ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq)
- }
- }
-
-- virtio_queue_set_notification(vq, 1);
-+ if (suppress_notifications) {
-+ virtio_queue_set_notification(vq, 1);
-+ }
- } while (ret != -EINVAL && !virtio_queue_empty(vq));
-
- QTAILQ_FOREACH_SAFE(req, &reqs, next, next) {
-diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
-index 6c71141ed13506e2218f09ca5e0c..dd74fd83d2e9171f983a73d375c5 100644
---- a/hw/virtio/virtio.c
-+++ b/hw/virtio/virtio.c
-@@ -478,6 +478,11 @@ static void virtio_queue_packed_set_notification(VirtQueue *vq, int enable)
- }
- }
-
-+bool virtio_queue_get_notification(VirtQueue *vq)
-+{
-+ return vq->notification;
-+}
-+
- void virtio_queue_set_notification(VirtQueue *vq, int enable)
- {
- vq->notification = enable;
-@@ -3474,17 +3479,12 @@ static bool virtio_queue_host_notifier_aio_poll(void *opaque)
- {
- EventNotifier *n = opaque;
- VirtQueue *vq = container_of(n, VirtQueue, host_notifier);
-- bool progress;
-
- if (!vq->vring.desc || virtio_queue_empty(vq)) {
- return false;
- }
-
-- progress = virtio_queue_notify_aio_vq(vq);
--
-- /* In case the handler function re-enabled notifications */
-- virtio_queue_set_notification(vq, 0);
-- return progress;
-+ return virtio_queue_notify_aio_vq(vq);
- }
-
- static void virtio_queue_host_notifier_aio_poll_end(EventNotifier *n)
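Review bot: virtio_queue_host_notifier_aio_poll no longer calls virtio_queue_set_notification(vq, 0) after the handler returns, so the safety net for handlers that re-enable notifications is gone. This patch only converts virtio-blk and virtio-scsi; any other handler reachable through virtio_queue_notify_aio_vq that still sets notifications to 1 would now leave them enabled for the rest of the polling period. Please state in the commit message or a comment that no other such handler exists.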
-diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
-index e18756d50d21259dda81bf1d1b1d..91167f609aca8f50948b1b28fdf2 100644
---- a/include/hw/virtio/virtio.h
-+++ b/include/hw/virtio/virtio.h
-@@ -226,6 +226,7 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f, int version_id);
-
- void virtio_notify_config(VirtIODevice *vdev);
-
-+bool virtio_queue_get_notification(VirtQueue *vq);
- void virtio_queue_set_notification(VirtQueue *vq, int enable);
-
- int virtio_queue_ready(VirtQueue *vq);
+++ /dev/null
-From: Cornelia Huck <cohuck@redhat.com>
-Date: Mon, 27 Apr 2020 12:24:13 +0200
-Subject: virtio-net: fix rsc_ext compat handling
-
-Git-commit: 9904adfaca139581d6b03947a7e23c7e2cb64339
-References: bsc#1179719
-
-virtio_net_rsc_ext_num_{packets,dupacks} needs to be available
-independently of the presence of VIRTIO_NET_HDR_F_RSC_INFO.
-
-Fixes: 2974e916df87 ("virtio-net: support RSC v4/v6 tcp traffic for Windows HCK")
-Signed-off-by: Cornelia Huck <cohuck@redhat.com>
-Message-Id: <20200427102415.10915-2-cohuck@redhat.com>
-Signed-off-by: Liang Yan <lyan@suse.com>
----
- hw/net/virtio-net.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
-index f325440d0144d3388ad255b71178..7483d11ec2300f483899c24b53bf 100644
---- a/hw/net/virtio-net.c
-+++ b/hw/net/virtio-net.c
-@@ -83,6 +83,8 @@
- #define VIRTIO_NET_HDR_F_RSC_INFO 4 /* rsc_ext data in csum_ fields */
- #define VIRTIO_NET_F_RSC_EXT 61
-
-+#endif
-+
- static inline __virtio16 *virtio_net_rsc_ext_num_packets(
- struct virtio_net_hdr *hdr)
- {
-@@ -95,8 +97,6 @@ static inline __virtio16 *virtio_net_rsc_ext_num_dupacks(
- return &hdr->csum_offset;
- }
-
--#endif
--
- static VirtIOFeature feature_sizes[] = {
- {.flags = 1ULL << VIRTIO_NET_F_MAC,
- .end = endof(struct virtio_net_config, mac)},
+++ /dev/null
-From: Jason Wang <jasowang@redhat.com>
-Date: Thu, 2 Sep 2021 13:44:12 +0800
-Subject: virtio-net: fix use after unmap/free for sg
-
-Git-commit: bedd7e93d01961fcb16a97ae45d93acf357e11f6
-References: bsc#1189938 CVE-2021-3748
-
-When mergeable buffer is enabled, we try to set the num_buffers after
-the virtqueue elem has been unmapped. This will lead several issues,
-E.g a use after free when the descriptor has an address which belongs
-to the non direct access region. In this case we use bounce buffer
-that is allocated during address_space_map() and freed during
-address_space_unmap().
-
-Fixing this by storing the elems temporarily in an array and delay the
-unmap after we set the the num_buffers.
-
-This addresses CVE-2021-3748.
-
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Fixes: fbe78f4f55c6 ("virtio-net support")
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
----
- hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++-------
- 1 file changed, 32 insertions(+), 7 deletions(-)
-
-diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
-index 4764b83d568dcd5efdd9a95d829e..b46dba81ca1f9b0580d98726ae1e 100644
---- a/hw/net/virtio-net.c
-+++ b/hw/net/virtio-net.c
-@@ -1393,10 +1393,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
- VirtIONet *n = qemu_get_nic_opaque(nc);
- VirtIONetQueue *q = virtio_net_get_subqueue(nc);
- VirtIODevice *vdev = VIRTIO_DEVICE(n);
-+ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
-+ size_t lens[VIRTQUEUE_MAX_SIZE];
- struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
- struct virtio_net_hdr_mrg_rxbuf mhdr;
- unsigned mhdr_cnt = 0;
-- size_t offset, i, guest_offset;
-+ size_t offset, i, guest_offset, j;
-+ ssize_t err;
-
- if (!virtio_net_can_receive(nc)) {
- return -1;
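Review bot: elems[VIRTQUEUE_MAX_SIZE] and lens[VIRTQUEUE_MAX_SIZE] are added as automatic arrays in virtio_net_receive_rcu, next to the existing mhdr_sg[VIRTQUEUE_MAX_SIZE]. That is a sizeable increase in stack use on the receive path. Consider heap allocation or a per-queue scratch buffer, or at least note the expected frame size. Also, the new variable err shares its name with the err: label added later in the function; a distinct name would read better.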
-@@ -1419,6 +1422,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
-
- total = 0;
-
-+ if (i == VIRTQUEUE_MAX_SIZE) {
-+ virtio_error(vdev, "virtio-net unexpected long buffer chain");
-+ err = size;
-+ goto err;
-+ }
-+
- elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
- if (!elem) {
- if (i) {
-@@ -1430,7 +1439,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
- n->guest_hdr_len, n->host_hdr_len,
- vdev->guest_features);
- }
-- return -1;
-+ err = -1;
-+ goto err;
- }
-
- if (elem->in_num < 1) {
-@@ -1438,7 +1448,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
- "virtio-net receive queue contains no in buffers");
- virtqueue_detach_element(q->rx_vq, elem, 0);
- g_free(elem);
-- return -1;
-+ err = -1;
-+ goto err;
- }
-
- sg = elem->in_sg;
-@@ -1470,12 +1481,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
- if (!n->mergeable_rx_bufs && offset < size) {
- virtqueue_unpop(q->rx_vq, elem, total);
- g_free(elem);
-- return size;
-+ err = size;
-+ goto err;
- }
-
-- /* signal other side */
-- virtqueue_fill(q->rx_vq, elem, total, i++);
-- g_free(elem);
-+ elems[i] = elem;
-+ lens[i] = total;
-+ i++;
- }
-
- if (mhdr_cnt) {
-@@ -1485,10 +1497,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
- &mhdr.num_buffers, sizeof mhdr.num_buffers);
- }
-
-+ for (j = 0; j < i; j++) {
-+ /* signal other side */
-+ virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
-+ g_free(elems[j]);
-+ }
-+
- virtqueue_flush(q->rx_vq, i);
- virtio_notify(vdev, q->rx_vq);
-
- return size;
-+
-+err:
-+ for (j = 0; j < i; j++) {
-+ g_free(elems[j]);
-+ }
-+
-+ return err;
- }
-
- static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf,
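Review bot: the err: loop only calls g_free(elems[j]) for elements that were already popped. Elsewhere in this function the element being abandoned goes through virtqueue_detach_element() or virtqueue_unpop() before it is freed, which releases its mappings and queue accounting. The stored elements need the same treatment here, otherwise every error after the first buffer leaves them mapped and still counted as in use.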
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Wed, 3 Feb 2021 14:25:38 -0700
-Subject: virtio-scsi: change DID TIMEOUT handling
-
-This patch implements a change of SG_ERR_DID_TIME_OUT handling as
-suggested in
-https://bugzilla.suse.com/show_bug.cgi?id=1178049#c145
-
-Suggested-by: Hannes Reinecke <hare@suse.de>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/scsi/virtio-scsi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
-index 3155658db33f95a572a4c7ff495e..2e5bcf442384905d8d80fd487eea 100644
---- a/hw/scsi/virtio-scsi.c
-+++ b/hw/scsi/virtio-scsi.c
-@@ -507,7 +507,6 @@ static void virtio_scsi_command_complete(SCSIRequest *r, uint32_t status,
- req->resp.cmd.response = VIRTIO_SCSI_S_INCORRECT_LUN;
- break;
- case SG_ERR_DID_ABORT:
-- case SG_ERR_DID_TIME_OUT:
- req->resp.cmd.response = VIRTIO_SCSI_S_ABORTED;
- break;
- case SG_ERR_DID_BAD_TARGET:
-@@ -517,6 +516,7 @@ static void virtio_scsi_command_complete(SCSIRequest *r, uint32_t status,
- req->resp.cmd.response = VIRTIO_SCSI_S_RESET;
- break;
- case SG_ERR_DID_BUS_BUSY:
-+ case SG_ERR_DID_TIME_OUT:
- req->resp.cmd.response = VIRTIO_SCSI_S_BUSY;
- break;
- case SG_ERR_DID_TRANSPORT_DISRUPTED:
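Review bot: moving case SG_ERR_DID_TIME_OUT from the VIRTIO_SCSI_S_ABORTED group to the VIRTIO_SCSI_S_BUSY group changes what the guest sees for a host timeout, but the only rationale is a bugzilla link in the commit message. Please add a comment at the case label explaining why a timeout is reported as busy, so the mapping is not "corrected" back later.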
+++ /dev/null
-From: Hannes Reinecke <hare@suse.de>
-Date: Wed, 11 Nov 2020 13:09:27 +0100
-Subject: virtio-scsi: trace events
-
-Git-commit: eb8cb3d9dcfbcc74ebaabed4ef0d915eeffa4da1
-References: bsc#1178049
-
-Add trace events for SCSI and TMF command tracing.
-
-Signed-off-by: Hannes Reinecke <hare@suse.de>
-BR: Includes minor tweaks that came from the PTF patch as opposed to the
-one upstreamed.
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/scsi/trace-events | 6 ++++++
- hw/scsi/virtio-scsi.c | 19 ++++++++++++++++++-
- 2 files changed, 24 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events
-index b0820052f825a476b3e455aad7a4..9e1196f2117982c5bbc5db3bfffb 100644
---- a/hw/scsi/trace-events
-+++ b/hw/scsi/trace-events
-@@ -293,6 +293,12 @@ lsi_awoken(void) "Woken by SIGP"
- lsi_reg_read(const char *name, int offset, uint8_t ret) "Read reg %s 0x%x = 0x%02x"
- lsi_reg_write(const char *name, int offset, uint8_t val) "Write reg %s 0x%x = 0x%02x"
-
-+# hw/scsi/virtio-scsi.c
-+virtio_scsi_cmd_req(int lun, uint32_t tag, uint8_t cmd) "virtio_scsi_cmd_req lun=%u tag=0x%x cmd=0x%x"
-+virtio_scsi_cmd_resp(int lun, uint32_t tag, int response, uint8_t status) "virtio_scsi_cmd_resp lun=%u tag=0x%x response=%d status=0x%x"
-+virtio_scsi_tmf_req(int lun, uint32_t tag, int subtype) "virtio_scsi_tmf_req lun=%u tag=0x%x subtype=%d"
-+virtio_scsi_tmf_resp(int lun, uint32_t tag, int response) "virtio_scsi_tmf_resp lun=%u tag=0x%x response=%d"
-+
- # scsi-disk.c
- scsi_disk_check_condition(uint32_t tag, uint8_t key, uint8_t asc, uint8_t ascq) "Command complete tag=0x%x sense=%d/%d/%d"
- scsi_disk_read_complete(uint32_t tag, size_t size) "Data ready tag=0x%x len=%zd"
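Review bot: all four new virtio_scsi_* trace events declare "int lun" but format it with lun=%u. Either make the argument unsigned or use %d so the declared type and the format specifier agree.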
-diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
-index f080545f48e6a3e411caf641b935..de25a1c21d84f38eca9aaf1114d4 100644
---- a/hw/scsi/virtio-scsi.c
-+++ b/hw/scsi/virtio-scsi.c
-@@ -27,6 +27,7 @@
- #include "scsi/constants.h"
- #include "hw/virtio/virtio-bus.h"
- #include "hw/virtio/virtio-access.h"
-+#include "trace.h"
-
- static inline int virtio_scsi_get_lun(uint8_t *lun)
- {
-@@ -239,7 +240,11 @@ static void virtio_scsi_cancel_notify(Notifier *notifier, void *data)
- notifier);
-
- if (--n->tmf_req->remaining == 0) {
-- virtio_scsi_complete_req(n->tmf_req);
-+ VirtIOSCSIReq *req = n->tmf_req;
-+
-+ trace_virtio_scsi_tmf_resp(virtio_scsi_get_lun(req->req.tmf.lun),
-+ req->req.tmf.tag, req->resp.tmf.response);
-+ virtio_scsi_complete_req(req);
- }
- g_free(n);
- }
-@@ -273,6 +278,8 @@ static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req)
- req->req.tmf.subtype =
- virtio_tswap32(VIRTIO_DEVICE(s), req->req.tmf.subtype);
-
-+ trace_virtio_scsi_tmf_req(virtio_scsi_get_lun(req->req.tmf.lun),
-+ req->req.tmf.tag, req->req.tmf.subtype);
- switch (req->req.tmf.subtype) {
- case VIRTIO_SCSI_T_TMF_ABORT_TASK:
- case VIRTIO_SCSI_T_TMF_QUERY_TASK:
-@@ -427,6 +434,10 @@ static void virtio_scsi_handle_ctrl_req(VirtIOSCSI *s, VirtIOSCSIReq *req)
- }
- }
- if (r == 0) {
-+ if (type == VIRTIO_SCSI_T_TMF)
-+ trace_virtio_scsi_tmf_resp(virtio_scsi_get_lun(req->req.tmf.lun),
-+ req->req.tmf.tag,
-+ req->resp.tmf.response);
- virtio_scsi_complete_req(req);
- } else {
- assert(r == -EINPROGRESS);
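Review bot: the added "if (type == VIRTIO_SCSI_T_TMF)" in virtio_scsi_handle_ctrl_req has no braces around its body, unlike every other conditional touched in this series. Please add them. This TMF response trace also duplicates the one added in virtio_scsi_cancel_notify; a small helper would keep the two call sites in step.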
-@@ -462,6 +473,10 @@ static void virtio_scsi_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq)
-
- static void virtio_scsi_complete_cmd_req(VirtIOSCSIReq *req)
- {
-+ trace_virtio_scsi_cmd_resp(virtio_scsi_get_lun(req->req.cmd.lun),
-+ req->req.cmd.tag,
-+ req->resp.cmd.response,
-+ req->resp.cmd.status);
- /* Sense data is not in req->resp and is copied separately
- * in virtio_scsi_command_complete.
- */
-@@ -559,6 +574,8 @@ static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
- return -EINVAL;
- }
- }
-+ trace_virtio_scsi_cmd_req(virtio_scsi_get_lun(req->req.cmd.lun),
-+ req->req.cmd.tag, req->req.cmd.cdb[0]);
-
- d = virtio_scsi_device_find(s, req->req.cmd.lun);
- if (!d) {
+++ /dev/null
-From: Hannes Reinecke <hare@suse.de>
-Date: Tue, 10 Nov 2020 10:41:55 +0100
-Subject: virtio-scsi: translate SG_IO host status
-
-References: bsc#1178049
-
-when running with an SG_IO backend we might be getting a SCSI host
-status back, which should be translated into a virtio scsi status
-to avoid having a silent data corruption if the status isn't
-translated properly.
-
-Signed-off-by: Hannes Reinecke <hare@suse.de>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/scsi/scsi-generic.c | 8 +++++---
- hw/scsi/trace-events | 2 +-
- hw/scsi/virtio-scsi.c | 43 +++++++++++++++++++++++++++++++++++++++---
- include/scsi/utils.h | 12 +++++++++---
- scsi/qemu-pr-helper.c | 6 +++---
- scsi/utils.c | 23 +++++++++-------------
- 6 files changed, 67 insertions(+), 27 deletions(-)
-
-diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
-index 32875bedaedf25e7b0cea8363887..b3ea492beedc2a075157957e0595 100644
---- a/hw/scsi/scsi-generic.c
-+++ b/hw/scsi/scsi-generic.c
-@@ -72,7 +72,7 @@ static void scsi_free_request(SCSIRequest *req)
- /* Helper function for command completion. */
- static void scsi_command_complete_noio(SCSIGenericReq *r, int ret)
- {
-- int status;
-+ uint32_t status;
- SCSISense sense;
-
- assert(r->req.aiocb == NULL);
-@@ -82,7 +82,7 @@ static void scsi_command_complete_noio(SCSIGenericReq *r, int ret)
- goto done;
- }
- status = sg_io_sense_from_errno(-ret, &r->io_header, &sense);
-- if (status == CHECK_CONDITION) {
-+ if ((status & 0xff) == CHECK_CONDITION) {
- if (r->io_header.driver_status & SG_ERR_DRIVER_SENSE) {
- r->req.sense_len = r->io_header.sb_len_wr;
- } else {
-@@ -90,7 +90,8 @@ static void scsi_command_complete_noio(SCSIGenericReq *r, int ret)
- }
- }
-
-- trace_scsi_generic_command_complete_noio(r, r->req.tag, status);
-+ trace_scsi_generic_command_complete_noio(r, r->req.tag, status & 0xff,
-+ (status >> 8) & 0xff);
-
- scsi_req_complete(&r->req, status);
- done:
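Review bot: status now carries the host status in bits 8 to 15, and this hunk masks it for the CHECK_CONDITION comparison and for the trace call, but scsi_req_complete(&r->req, status) still receives the combined value. Every consumer of that completion status that compares against GOOD or CHECK_CONDITION must mask too, and only virtio-scsi is updated in this patch. Please either pass the host status separately or audit the other HBAs.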
-@@ -235,6 +236,7 @@ static int scsi_generic_emulate_block_limits(SCSIGenericReq *r, SCSIDevice *s)
- * the hardware in scsi_command_complete_noio. Clean
- * up the io_header to avoid reporting it.
- */
-+ r->io_header.host_status = 0;
- r->io_header.driver_status = 0;
- r->io_header.status = 0;
-
-diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events
-index 13babd26dff43d5052886cf955a5..bce865c2222b0ece52d16ab1d90a 100644
---- a/hw/scsi/trace-events
-+++ b/hw/scsi/trace-events
-@@ -330,7 +330,7 @@ scsi_disk_new_request(uint32_t lun, uint32_t tag, const char *line) "Command: lu
- scsi_disk_aio_sgio_command(uint32_t tag, uint8_t cmd, uint64_t lba, int len, uint32_t timeout) "disk aio sgio: tag=0x%x cmd 0x%x (sector %" PRId64 ", count %d) timeout %u"
-
- # scsi-generic.c
--scsi_generic_command_complete_noio(void *req, uint32_t tag, int statuc) "Command complete %p tag=0x%x status=%d"
-+scsi_generic_command_complete_noio(void *req, uint32_t tag, uint8_t status, uint8_t host_status) "Command complete %p tag=0x%x status=0x%x host_status=0x%x"
- scsi_generic_read_complete(uint32_t tag, int len) "Data ready tag=0x%x len=%d"
- scsi_generic_read_data(uint32_t tag, uint32_t timeout) "scsi_read_data tag=0x%x timeout %u"
- scsi_generic_write_complete(int ret) "scsi_write_complete() ret = %d"
-diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
-index de25a1c21d84f38eca9aaf1114d4..3155658db33f95a572a4c7ff495e 100644
---- a/hw/scsi/virtio-scsi.c
-+++ b/hw/scsi/virtio-scsi.c
-@@ -496,9 +496,46 @@ static void virtio_scsi_command_complete(SCSIRequest *r, uint32_t status,
- return;
- }
-
-- req->resp.cmd.response = VIRTIO_SCSI_S_OK;
-- req->resp.cmd.status = status;
-- if (req->resp.cmd.status == GOOD) {
-+ switch ((status >> 8) & 0xff) {
-+ case SG_ERR_DID_OK:
-+ req->resp.cmd.response = VIRTIO_SCSI_S_OK;
-+ break;
-+ case SG_ERR_DID_ERROR:
-+ req->resp.cmd.response = VIRTIO_SCSI_S_OVERRUN;
-+ break;
-+ case SG_ERR_DID_NO_CONNECT:
-+ req->resp.cmd.response = VIRTIO_SCSI_S_INCORRECT_LUN;
-+ break;
-+ case SG_ERR_DID_ABORT:
-+ case SG_ERR_DID_TIME_OUT:
-+ req->resp.cmd.response = VIRTIO_SCSI_S_ABORTED;
-+ break;
-+ case SG_ERR_DID_BAD_TARGET:
-+ req->resp.cmd.response = VIRTIO_SCSI_S_BAD_TARGET;
-+ break;
-+ case SG_ERR_DID_RESET:
-+ req->resp.cmd.response = VIRTIO_SCSI_S_RESET;
-+ break;
-+ case SG_ERR_DID_BUS_BUSY:
-+ req->resp.cmd.response = VIRTIO_SCSI_S_BUSY;
-+ break;
-+ case SG_ERR_DID_TRANSPORT_DISRUPTED:
-+ req->resp.cmd.response = VIRTIO_SCSI_S_TRANSPORT_FAILURE;
-+ break;
-+ case SG_ERR_DID_TARGET_FAILURE:
-+ req->resp.cmd.response = VIRTIO_SCSI_S_TARGET_FAILURE;
-+ break;
-+ case SG_ERR_DID_NEXUS_FAILURE:
-+ req->resp.cmd.response = VIRTIO_SCSI_S_NEXUS_FAILURE;
-+ break;
-+ default:
-+ req->resp.cmd.response = VIRTIO_SCSI_S_FAILURE;
-+ break;
-+ }
-+
-+ req->resp.cmd.status = (status & 0xff);
-+ if (req->resp.cmd.status == GOOD &&
-+ req->resp.cmd.response == VIRTIO_SCSI_S_OK) {
- req->resp.cmd.resid = virtio_tswap32(vdev, resid);
- } else {
- req->resp.cmd.resid = 0;
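Review bot: the "(status >> 8) & 0xff" and "status & 0xff" extractions in virtio_scsi_command_complete open-code an encoding that is also open-coded in scsi-generic.c and scsi/utils.c in this same patch. A pair of named accessors in include/scsi/utils.h, with a comment describing the layout, would prevent the three sites drifting apart.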
-diff --git a/include/scsi/utils.h b/include/scsi/utils.h
-index fbc5588279939d70a5e31627bd2a..92f6c47944cfd1fb6284b4e2b210 100644
---- a/include/scsi/utils.h
-+++ b/include/scsi/utils.h
-@@ -126,11 +126,17 @@ int scsi_cdb_length(uint8_t *buf);
- #define SG_ERR_DID_NO_CONNECT 0x01
- #define SG_ERR_DID_BUS_BUSY 0x02
- #define SG_ERR_DID_TIME_OUT 0x03
--
-+#define SG_ERR_DID_BAD_TARGET 0x04
-+#define SG_ERR_DID_ABORT 0x05
-+#define SG_ERR_DID_ERROR 0x07
-+#define SG_ERR_DID_RESET 0x08
-+#define SG_ERR_DID_TRANSPORT_DISRUPTED 0x0e
-+#define SG_ERR_DID_TARGET_FAILURE 0x10
-+#define SG_ERR_DID_NEXUS_FAILURE 0x11
- #define SG_ERR_DRIVER_SENSE 0x08
-
--int sg_io_sense_from_errno(int errno_value, struct sg_io_hdr *io_hdr,
-- SCSISense *sense);
-+uint32_t sg_io_sense_from_errno(int errno_value, struct sg_io_hdr *io_hdr,
-+ SCSISense *sense);
- #endif
-
- #endif
-diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c
-index 38c273de19573ad8421da6439153..3c474bdd5688fe9d6e2b64e53637 100644
---- a/scsi/qemu-pr-helper.c
-+++ b/scsi/qemu-pr-helper.c
-@@ -134,7 +134,7 @@ static int do_sgio_worker(void *opaque)
- PRHelperSGIOData *data = opaque;
- struct sg_io_hdr io_hdr;
- int ret;
-- int status;
-+ uint32_t status;
- SCSISense sense_code;
-
- memset(data->sense, 0, PR_HELPER_SENSE_SIZE);
-@@ -151,13 +151,13 @@ static int do_sgio_worker(void *opaque)
- ret = ioctl(data->fd, SG_IO, &io_hdr);
- status = sg_io_sense_from_errno(ret < 0 ? errno : 0, &io_hdr,
- &sense_code);
-- if (status == GOOD) {
-+ if ((status & 0xff) == GOOD) {
- data->sz -= io_hdr.resid;
- } else {
- data->sz = 0;
- }
-
-- if (status == CHECK_CONDITION &&
-+ if ((status & 0xff) == CHECK_CONDITION &&
- !(io_hdr.driver_status & SG_ERR_DRIVER_SENSE)) {
- scsi_build_sense(data->sense, sense_code);
- }
-diff --git a/scsi/utils.c b/scsi/utils.c
-index c50e81fdb87f535e6f49dd31699e..c09f4aff21e34860c1b41612cd0d 100644
---- a/scsi/utils.c
-+++ b/scsi/utils.c
-@@ -565,7 +565,7 @@ const char *scsi_command_name(uint8_t cmd)
- }
-
- #ifdef CONFIG_LINUX
--int sg_io_sense_from_errno(int errno_value, struct sg_io_hdr *io_hdr,
-+uint32_t sg_io_sense_from_errno(int errno_value, struct sg_io_hdr *io_hdr,
- SCSISense *sense)
- {
- if (errno_value != 0) {
-@@ -580,21 +580,16 @@ int sg_io_sense_from_errno(int errno_value, struct sg_io_hdr *io_hdr,
- return CHECK_CONDITION;
- }
- } else {
-- if (io_hdr->host_status == SG_ERR_DID_NO_CONNECT ||
-- io_hdr->host_status == SG_ERR_DID_BUS_BUSY ||
-- io_hdr->host_status == SG_ERR_DID_TIME_OUT ||
-- (io_hdr->driver_status & SG_ERR_DRIVER_TIMEOUT)) {
-- return BUSY;
-- } else if (io_hdr->host_status) {
-- *sense = SENSE_CODE(I_T_NEXUS_LOSS);
-- return CHECK_CONDITION;
-- } else if (io_hdr->status) {
-- return io_hdr->status;
-+ uint32_t status = GOOD;
-+
-+ if (io_hdr->status) {
-+ status = io_hdr->status;
- } else if (io_hdr->driver_status & SG_ERR_DRIVER_SENSE) {
-- return CHECK_CONDITION;
-- } else {
-- return GOOD;
-+ status = CHECK_CONDITION;
- }
-+ if (io_hdr->host_status)
-+ status |= (io_hdr->host_status << 8);
-+ return status;
- }
- }
- #endif
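Review bot: the rewritten branch in sg_io_sense_from_errno drops the "io_hdr->driver_status & SG_ERR_DRIVER_TIMEOUT" test that used to return BUSY, and nothing replaces it. A driver timeout with a zero host_status and zero status now comes back as GOOD. If that is intended, say so in the commit message; otherwise keep the check. The new "if (io_hdr->host_status)" also lacks braces.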
+++ /dev/null
-From: Maxim Levitsky <mlevitsk@redhat.com>
-Date: Tue, 6 Oct 2020 15:39:03 +0300
-Subject: virtio-scsi: use scsi_device_get
-
-Git-commit: 07a47d4a1879370009baab44f1f387610d88a299
-References: bsc#1184574
-
-This will help us to avoid the scsi device disappearing
-after we took a reference to it.
-
-It doesn't by itself forbid case when we try to access
-an unrealized device
-
-Suggested-by: Stefan Hajnoczi <stefanha@gmail.com>
-Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Message-Id: <20200913160259.32145-9-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Message-Id: <20201006123904.610658-13-mlevitsk@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- hw/scsi/virtio-scsi.c | 21 +++++++++++++--------
- 1 file changed, 13 insertions(+), 8 deletions(-)
-
-diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
-index 52c3a964ecb112a9d1c00bfbe57d..57789f40d040096d163f2a9986da 100644
---- a/hw/scsi/virtio-scsi.c
-+++ b/hw/scsi/virtio-scsi.c
-@@ -34,7 +34,7 @@ static inline int virtio_scsi_get_lun(uint8_t *lun)
- return ((lun[2] << 8) | lun[3]) & 0x3FFF;
- }
-
--static inline SCSIDevice *virtio_scsi_device_find(VirtIOSCSI *s, uint8_t *lun)
-+static inline SCSIDevice *virtio_scsi_device_get(VirtIOSCSI *s, uint8_t *lun)
- {
- if (lun[0] != 1) {
- return NULL;
-@@ -42,7 +42,7 @@ static inline SCSIDevice *virtio_scsi_device_find(VirtIOSCSI *s, uint8_t *lun)
- if (lun[2] != 0 && !(lun[2] >= 0x40 && lun[2] < 0x80)) {
- return NULL;
- }
-- return scsi_device_find(&s->bus, 0, lun[1], virtio_scsi_get_lun(lun));
-+ return scsi_device_get(&s->bus, 0, lun[1], virtio_scsi_get_lun(lun));
- }
-
- void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req)
-@@ -261,7 +261,7 @@ static inline void virtio_scsi_ctx_check(VirtIOSCSI *s, SCSIDevice *d)
- * case of async cancellation. */
- static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req)
- {
-- SCSIDevice *d = virtio_scsi_device_find(s, req->req.tmf.lun);
-+ SCSIDevice *d = virtio_scsi_device_get(s, req->req.tmf.lun);
- SCSIRequest *r, *next;
- BusChild *kid;
- int target;
-@@ -377,10 +377,10 @@ static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req)
-
- rcu_read_lock();
- QTAILQ_FOREACH_RCU(kid, &s->bus.qbus.children, sibling) {
-- d = SCSI_DEVICE(kid->child);
-- if (d->channel == 0 && d->id == target) {
-- qdev_reset_all(&d->qdev);
-- }
-+ SCSIDevice *d1 = SCSI_DEVICE(kid->child);
-+ if (d1->channel == 0 && d1->id == target) {
-+ qdev_reset_all(&d1->qdev);
-+ }
- }
- rcu_read_unlock();
-
-@@ -393,14 +393,17 @@ static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req)
- break;
- }
-
-+ object_unref(OBJECT(d));
- return ret;
-
- incorrect_lun:
- req->resp.tmf.response = VIRTIO_SCSI_S_INCORRECT_LUN;
-+ object_unref(OBJECT(d));
- return ret;
-
- fail:
- req->resp.tmf.response = VIRTIO_SCSI_S_BAD_TARGET;
-+ object_unref(OBJECT(d));
- return ret;
- }
-
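Review bot: object_unref(OBJECT(d)) is added three times in virtio_scsi_do_tmf, and the incorrect_lun and fail exits can be reached when virtio_scsi_device_get() returned NULL. That relies on object_unref() tolerating a NULL object; a comment saying so, or a single common exit label that does the unref once, would make this easier to keep correct when new return paths are added.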
-@@ -618,7 +621,7 @@ static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
- trace_virtio_scsi_cmd_req(virtio_scsi_get_lun(req->req.cmd.lun),
- req->req.cmd.tag, req->req.cmd.cdb[0]);
-
-- d = virtio_scsi_device_find(s, req->req.cmd.lun);
-+ d = virtio_scsi_device_get(s, req->req.cmd.lun);
- if (!d) {
- req->resp.cmd.response = VIRTIO_SCSI_S_BAD_TARGET;
- virtio_scsi_complete_cmd_req(req);
-@@ -634,10 +637,12 @@ static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req)
- req->sreq->cmd.xfer > req->qsgl.size)) {
- req->resp.cmd.response = VIRTIO_SCSI_S_OVERRUN;
- virtio_scsi_complete_cmd_req(req);
-+ object_unref(OBJECT(d));
- return -ENOBUFS;
- }
- scsi_req_ref(req->sreq);
- blk_io_plug(d->conf.blk);
-+ object_unref(OBJECT(d));
- return 0;
- }
-
+++ /dev/null
-From: Cameron Esfahani <dirty@apple.com>
-Date: Mon, 20 Jan 2020 21:00:52 -0800
-Subject: vnc: prioritize ZRLE compression over ZLIB
-
-Git-commit: 557ba0e57200014bd4f453f6516f02b61bdfc782
-
-In my investigation, ZRLE always compresses better than ZLIB so
-prioritize ZRLE over ZLIB, even if the client hints that ZLIB is
-preferred.
-
-zlib buffer is always reset in zrle_compress_data(), so using offset to
-calculate next_out and avail_out is useless.
-
-Signed-off-by: Cameron Esfahani <dirty@apple.com>
-Message-Id: <b5d129895d08a90d0a2a6183b95875bacfa998b8.1579582674.git.dirty@apple.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- ui/vnc-enc-zrle.c | 4 ++--
- ui/vnc.c | 11 +++++++++--
- 2 files changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/ui/vnc-enc-zrle.c b/ui/vnc-enc-zrle.c
-index 17fd28a2e2b078bd135496e75c6b..b4f71e32cfe8ca3dd645103f999d 100644
---- a/ui/vnc-enc-zrle.c
-+++ b/ui/vnc-enc-zrle.c
-@@ -98,8 +98,8 @@ static int zrle_compress_data(VncState *vs, int level)
- /* set pointers */
- zstream->next_in = vs->zrle->zrle.buffer;
- zstream->avail_in = vs->zrle->zrle.offset;
-- zstream->next_out = vs->zrle->zlib.buffer + vs->zrle->zlib.offset;
-- zstream->avail_out = vs->zrle->zlib.capacity - vs->zrle->zlib.offset;
-+ zstream->next_out = vs->zrle->zlib.buffer;
-+ zstream->avail_out = vs->zrle->zlib.capacity;
- zstream->data_type = Z_BINARY;
-
- /* start encoding */
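Review bot: next_out and avail_out now assume vs->zrle->zlib.offset is zero on entry, and nothing in this function's visible setup enforces that. The commit message says the buffer is always reset in zrle_compress_data(); an assert(vs->zrle->zlib.offset == 0) beside the pointer setup, or a one-line comment naming the reset, would stop a later change to that reset from letting the encoder write over data still held at the start of the buffer.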
-diff --git a/ui/vnc.c b/ui/vnc.c
-index f94b3a257ee3add364a0b0bd5101..70bd8bf05d163e2ef0911c3b19fd 100644
---- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -2077,8 +2077,15 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings)
- break;
- #endif
- case VNC_ENCODING_ZLIB:
-- vs->features |= VNC_FEATURE_ZLIB_MASK;
-- vs->vnc_encoding = enc;
-+ /*
-+ * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB.
-+ * So prioritize ZRLE, even if the client hints that it prefers
-+ * ZLIB.
-+ */
-+ if ((vs->features & VNC_FEATURE_ZRLE_MASK) == 0) {
-+ vs->features |= VNC_FEATURE_ZLIB_MASK;
-+ vs->vnc_encoding = enc;
-+ }
- break;
- case VNC_ENCODING_ZRLE:
- vs->features |= VNC_FEATURE_ZRLE_MASK;
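Review bot: the new test in the VNC_ENCODING_ZLIB case, (vs->features & VNC_FEATURE_ZRLE_MASK) == 0, only suppresses ZLIB when the ZRLE case has already run for this client message. If the loop reaches ZLIB first, VNC_FEATURE_ZLIB_MASK is still set and only vs->vnc_encoding is later replaced by the ZRLE case, so the outcome depends on the order in which the encodings array is walked. Please state that order in the comment, or clear VNC_FEATURE_ZLIB_MASK in the ZRLE case so the two paths end in the same state. The comment's claim that ZRLE compresses better rests on the author's own measurements, so saying that in the comment would be more accurate than stating it as a general fact.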
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Wed, 16 Jan 2019 16:29:36 -0700
-Subject: xen: add block resize support for xen disks
-
-Provide monitor naming of xen disks, and plumb guest driver
-notification through xenstore of resizing instigated via the
-monitor.
-
-[BR: minor edits to pass qemu's checkpatch script]
-[BR: significant rework needed due to upstream xen disk qdevification]
-[BR: At this point, monitor_add_blk call is all we need to add!]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- hw/block/xen-block.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c
-index 0007ee64c75f38a2a3256f0b9462..86de57f9c6f7405bc26303065d2c 100644
---- a/hw/block/xen-block.c
-+++ b/hw/block/xen-block.c
-@@ -274,6 +274,9 @@ static void xen_block_realize(XenDevice *xendev, Error **errp)
-
- xen_block_set_size(blockdev);
-
-+ if (!monitor_add_blk(conf->blk, blockdev->drive->id, errp)) {
-+ return;
-+ }
- blockdev->dataplane =
- xen_block_dataplane_create(xendev, blk, conf->logical_block_size,
- blockdev->props.iothread);
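Review bot: the early return on monitor_add_blk() failure comes after xen_block_set_size(blockdev) and whatever realize did before it, and the hunk shows no unwinding on that path. Please confirm that unrealize is run when realize fails here, or undo the earlier steps before returning. This patch also adds no matching monitor_remove_blk() for the name it registers, so the BlockBackend stays named in the monitor after the device goes away unless the removal is added to the unrealize path in the same change.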
+++ /dev/null
-From: Anthony PERARD <anthony.perard@citrix.com>
-Date: Mon, 8 Mar 2021 14:32:32 +0000
-Subject: xen-block: Fix removal of backend instance via xenstore
-
-Git-commit: b807ca3fa0ca29ec015adcf4045e716337cd3635
-References: bsc#1184574
-
-Whenever a Xen block device is detach via xenstore, the image
-associated with it remained open by the backend QEMU and an error is
-logged:
- qemu-system-i386: failed to destroy drive: Node xvdz-qcow2 is in use
-
-This happened since object_unparent() doesn't immediately frees the
-object and thus keep a reference to the node we are trying to free.
-The reference is hold by the "drive" property and the call
-xen_block_drive_destroy() fails.
-
-In order to fix that, we call drain_call_rcu() to run the callback
-setup by bus_remove_child() via object_unparent().
-
-Fixes: 2d24a6466154 ("device-core: use RCU for list of children of a bus")
-
-Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
-Reviewed-by: Paul Durrant <paul@xen.org>
-Message-Id: <20210308143232.83388-1-anthony.perard@citrix.com>
-Signed-off-by: Lin Ma <lma@suse.com>
----
- hw/block/xen-block.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c
-index 86de57f9c6f7405bc26303065d2c..a06251da2fb61ab7253676183b60 100644
---- a/hw/block/xen-block.c
-+++ b/hw/block/xen-block.c
-@@ -1009,6 +1009,15 @@ static void xen_block_device_destroy(XenBackendInstance *backend,
-
- object_unparent(OBJECT(xendev));
-
-+ /*
-+ * Drain all pending RCU callbacks as object_unparent() frees `xendev'
-+ * in a RCU callback.
-+ * And due to the property "drive" still existing in `xendev', we
-+ * can't destroy the XenBlockDrive associated with `xendev' with
-+ * xen_block_drive_destroy() below.
-+ */
-+ drain_call_rcu();
-+
- if (iothread) {
- Error *local_err = NULL;
-
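Review bot: once drain_call_rcu() returns, xendev has been freed by the RCU callback, so everything below this point must rely only on values captured before object_unparent(), as iothread appears to be. The comment explains why the drain is needed but not this consequence; adding a sentence that xendev is invalid from here on would protect later edits to the function. The second sentence of the comment ("And due to the property ...") reads as a fragment and could be merged into the first so the cause and effect are stated once.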
+++ /dev/null
-From: Olaf Hering <olaf@aepfle.de>
-Date: Tue, 8 Jan 2019 14:20:08 +0100
-Subject: xen: ignore live parameter from xen-save-devices-state
-
-References: bsc#1079730, bsc#1101982, bsc#1063993
-
-The final step of xl migrate|save for an HVM domU is saving the state of
-qemu. This also involves releasing all block devices. While releasing
-backends ought to be a separate step, such functionality is not
-implemented.
-
-Unfortunately, releasing the block devices depends on the optional
-'live' option. This breaks offline migration with 'virsh migrate domU
-dom0' because the sending side does not release the disks, as a result
-the receiving side can not properly claim write access to the disks.
-
-As a minimal fix, remove the dependency on the 'live' option. Upstream
-may fix this in a different way, like removing the newly added 'live'
-parameter entirely.
-
-Fixes: 5d6c599fe1 ("migration, xen: Fix block image lock issue on live migration")
-
-Signed-off-by: Olaf Hering <olaf@aepfle.de>
-Signed-off-by: Bruce Rogers <brogers@suse.com>
----
- migration/savevm.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/migration/savevm.c b/migration/savevm.c
-index a71b930b91f71ed9763fcb07b525..c5cc5fed211e693723538e19850b 100644
---- a/migration/savevm.c
-+++ b/migration/savevm.c
-@@ -2774,7 +2774,7 @@ void qmp_xen_save_devices_state(const char *filename, bool has_live, bool live,
- * So call bdrv_inactivate_all (release locks) here to let the other
- * side of the migration take controle of the images.
- */
-- if (live && !saved_vm_running) {
-+ if (!saved_vm_running) {
- ret = bdrv_inactivate_all();
- if (ret) {
- error_setg(errp, "%s: bdrv_inactivate_all() failed (%d)",
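Review bot: with the condition reduced to !saved_vm_running, the has_live and live parameters in the signature no longer influence whether bdrv_inactivate_all() is called. The comment above the condition and the command's documentation should say that the images are now released on every save of a stopped guest regardless of 'live', so that a caller who passes live=false and expects to keep using the images in this process is not surprised. If nothing else in the function reads live after this change, mark it as deliberately ignored.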
+++ /dev/null
-From: Lin Ma <lma@suse.com>
-Date: Fri, 3 Sep 2021 12:05:09 +0800
-Subject: xen: remove BlockBackend object reference in xen_block_unrealize
-
-References: bsc#1189234
-
-Signed-off-by: Lin Ma <lma@suse.com>
----
- hw/block/xen-block.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c
-index a06251da2fb61ab7253676183b60..7667076ffd490f382516a6258f08 100644
---- a/hw/block/xen-block.c
-+++ b/hw/block/xen-block.c
-@@ -142,6 +142,7 @@ static void xen_block_unrealize(XenDevice *xendev, Error **errp)
- XEN_BLOCK_DEVICE_GET_CLASS(xendev);
- const char *type = object_get_typename(OBJECT(blockdev));
- XenBlockVdev *vdev = &blockdev->props.vdev;
-+ BlockConf *conf = &blockdev->props.conf;
-
- if (vdev->type == XEN_BLOCK_VDEV_TYPE_INVALID) {
- return;
-@@ -155,6 +156,8 @@ static void xen_block_unrealize(XenDevice *xendev, Error **errp)
- xen_block_dataplane_destroy(blockdev->dataplane);
- blockdev->dataplane = NULL;
-
-+ monitor_remove_blk(conf->blk);
-+
- if (blockdev_class->unrealize) {
- blockdev_class->unrealize(blockdev, errp);
- }
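Review bot: monitor_remove_blk(conf->blk) runs unconditionally once the XEN_BLOCK_VDEV_TYPE_INVALID check has passed, including when realize stopped before the BlockBackend was ever named in the monitor. Please confirm the call is safe for a backend that was never added, or guard it. The commit message has only a subject and a bug reference; a sentence on what failed without this call (for example which name or reference was left behind after unrealize) would let a reader check that placing it after xen_block_dataplane_destroy() and before blockdev_class->unrealize() is the intended order.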
+++ /dev/null
-From: Bruce Rogers <brogers@suse.com>
-Date: Wed, 9 Mar 2016 15:18:11 -0700
-Subject: xen_disk: Add suse specific flush disable handling and map to QEMU
- equiv
-
-Add code to read the suse specific suse-diskcache-disable-flush flag out
-of xenstore, and set the equivalent flag within QEMU.
-
-Patch taken from Xen's patch queue, Olaf Hering being the original author.
-[bsc#879425]
-
-[BR: minor edits to pass qemu's checkpatch script]
-[BR: With qdevification of xen-block, code has changed significantly]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
-Signed-off-by: Olaf Hering <olaf@aepfle.de>
----
- hw/block/xen-block.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c
-index 879fc310a4c5dfa4a7d8936f7d8e..0007ee64c75f38a2a3256f0b9462 100644
---- a/hw/block/xen-block.c
-+++ b/hw/block/xen-block.c
-@@ -743,6 +743,8 @@ static XenBlockDrive *xen_block_drive_create(const char *id,
- const char *mode = qdict_get_try_str(opts, "mode");
- const char *direct_io_safe = qdict_get_try_str(opts, "direct-io-safe");
- const char *discard_enable = qdict_get_try_str(opts, "discard-enable");
-+ const char *suse_diskcache_disable_flush = qdict_get_try_str(opts,
-+ "suse-diskcache-disable-flush");
- char *driver = NULL;
- char *filename = NULL;
- XenBlockDrive *drive = NULL;
-@@ -812,6 +814,16 @@ static XenBlockDrive *xen_block_drive_create(const char *id,
- }
- }
-
-+ if (suse_diskcache_disable_flush) {
-+ unsigned long value;
-+ if (!qemu_strtoul(suse_diskcache_disable_flush, NULL, 2, &value) && !!value) {
-+ QDict *cache_qdict = qdict_new();
-+
-+ qdict_put_bool(cache_qdict, "no-flush", true);
-+ qdict_put_obj(file_layer, "cache", QOBJECT(cache_qdict));
-+ }
-+ }
-+
- /*
- * It is necessary to turn file locking off as an emulated device
- * may have already opened the same image file.
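Review bot: qemu_strtoul(suse_diskcache_disable_flush, NULL, 2, &value) parses the xenstore string as base 2, and a value that fails to parse is dropped without any message, so a typo in the toolstack configuration leaves flushing enabled with no hint why. Report the parse failure, and drop the redundant !! in front of value. Because "no-flush" trades durability of guest writes for speed, it would also help to log when the flag takes effect. qdict_put_obj(file_layer, "cache", ...) replaces any "cache" entry already present in file_layer, so check that no earlier option in this function sets one.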