From 9bf1785bf74d34541714d19f81263011e3567783 Mon Sep 17 00:00:00 2001 From: wanchao-xu Date: Tue, 9 Jan 2024 20:05:03 +0800 Subject: [PATCH] Remove imported patches from packaging. Change-Id: I55df320a869c984bdc7eb1f80aa5a4f3f0466d46 --- ...-Fully-restart-unreclaim-loop-CVE-20.patch | 76 - ...Reduce-number-of-threads-for-32bit-h.patch | 39 - packaging/Add-mtod_check.patch | 54 - ...itionalize-ui-bitmap-installation-be.patch | 29 - ...ot-apply-WORKAROUND_CFLAGS-for-host-.patch | 67 - packaging/Drop-bogus-IPv6-messages.patch | 34 - ...le-cross-compile-prefix-for-C-compil.patch | 30 - ...x-s-directive-argument-is-null-error.patch | 35 - ...x-headers-update-against-Linux-5.8-r.patch | 1359 ----------------- ...-char-muxer-more-robust-wrt-small-FI.patch | 118 -- ...-installed-scripts-explicitly-python.patch | 34 - ...-keycode-gen-output-reproducible-use.patch | 35 - .../PPC-KVM-Disable-mmu-notifier-check.patch | 33 - ...e-soft-address-space-limit-to-hard-l.patch | 54 - ...rt-meson-build-file-back-to-Make.obj.patch | 35 - ...ch-order-of-libraries-for-mpath-supp.patch | 36 - packaging/Sync-pv.patch | 91 -- ...around-compilation-error-with-gcc-9..patch | 53 - .../XXX-dont-dump-core-on-sigabort.patch | 33 - ...i_piix4-Fix-migration-from-SLE11-SP2.patch | 30 - ...wait-delegate-polling-of-main-AioCon.patch | 116 -- .../async-use-explicit-memory-barriers.patch | 168 -- ...i-check-x-y-display-parameter-values.patch | 48 - packaging/audio-fix-wavcapture-segfault.patch | 49 - ...k-add-max_hw_transfer-to-BlockLimits.patch | 125 -- ...k-backend-align-max_transfer-to-requ.patch | 41 - ...k-iscsi-fix-heap-buffer-overflow-in-.patch | 84 - ...kjob-Fix-crash-with-IOthread-when-bl.patch | 113 -- .../bootp-check-bootp_input-buffer-size.patch | 35 - ...p-limit-vendor-specific-area-to-inpu.patch | 159 -- ...nce_gem-switch-to-use-qemu_receive_p.patch | 39 - ...figure-only-populate-roms-if-softmmu.patch | 26 - ...igure-remove-pkgversion-from-CONFIG_.patch | 32 - ...ce-core-use-RCU-for-list-of-children.patch | 263 ---- ...ce-core-use-atomic_set-on-.realized-.patch | 83 - ...ce-plug-test-use-qtest_qmp-to-send-t.patch | 102 -- ...ce_core-use-drain_call_rcu-in-in-qmp.patch | 46 - ...-Always-send-DHCP_OPT_LEN-bytes-in-o.patch | 40 - ...93x-switch-to-use-qemu_receive_packe.patch | 36 - ...e1000-fail-early-for-evil-descriptor.patch | 50 - ...0-switch-to-use-qemu_receive_packet-.patch | 36 - .../enable-cross-compilation-on-ARM.patch | 22 - ...re-headers-included-are-compatible-w.patch | 52 - ...always-check-current_req-is-not-NULL.patch | 51 - ...don-t-reset-async_len-directly-in-es.patch | 45 - ...ensure-cmdfifo-is-not-empty-and-curr.patch | 44 - ...ensure-that-do_cmd-is-set-to-zero-be.patch | 53 - ...-set-map-length-to-zero-when-returni.patch | 54 - ...-posix-fix-max_iov-for-dev-sg-device.patch | 44 - ...-posix-try-BLKSECTGET-on-block-devic.patch | 134 -- packaging/gcc10-maybe-uninitialized.patch | 30 - ...-acpi-Build-Memory-Proximity-Domain-.patch | 258 ---- ...-acpi-Build-Memory-Side-Cache-Inform.patch | 122 -- ...-acpi-Build-System-Locality-Latency-.patch | 159 -- ...hci-check-return-value-of-usb_packet.patch | 46 - ...386-disable-smbus-migration-for-xenf.patch | 43 - ...ntc-arm_gic-Fix-interrupt-ID-in-GICD.patch | 65 - ...ntc-exynos4210_gic-provide-more-room.patch | 57 - ...sa-piix4-Migrate-Reset-Control-Regis.patch | 62 - ...et-e1000e-advance-desc_offset-in-cas.patch | 43 - ...et-net_tx_pkt-fix-assertion-failure-.patch | 40 - ...et-xgmac-Fix-buffer-overflow-in-xgma.patch | 58 - ...pci-host-add-pci-intack-write-method.patch | 49 - ...dma-Fix-possible-mremap-overflow-in-.patch | 43 - ...csi-megasas-check-for-NULL-frame-in-.patch | 31 - ...d-sdhci-Fix-DMA-Transfer-Block-Size-.patch | 44 - ...mbios-handle-both-file-formats-regar.patch | 93 -- ...-usb-dev-mtp-Fix-GCC-9-build-warning.patch | 45 - ...sb-hcd-ohci-check-for-processed-TD-b.patch | 37 - ...sb-hcd-ohci-check-len-and-frame_numb.patch | 96 -- ...usb-hcd-xhci-Fix-GCC-9-build-warning.patch | 41 - ...w-usb-host-stub-Remove-unused-header.patch | 31 - ...hci-check-return-value-of-usb_packet.patch | 74 - .../i386-Add-MSR-feature-bit-for-MDS-NO.patch | 32 - packaging/i386-Add-macro-for-stibp.patch | 35 - .../i386-Add-new-CPU-model-Cooperlake.patch | 94 -- ...-acpi-Remove-_HID-from-the-SMBus-ACP.patch | 37 - .../i8254-Fix-migration-from-SLE11-SP2.patch | 42 - ...atapi-assert-that-the-buffer-pointer.patch | 40 - ...x7-ccm-add-digprog-mmio-write-method.patch | 40 - .../increase-x86_64-physical-bits-to-42.patch | 32 - ...sts-Provide-a-function-for-checking-.patch | 82 - ...sts-Skip-test-060-if-it-is-not-possi.patch | 33 - ...sts-Skip-test-079-if-it-is-not-possi.patch | 34 - ...-Makefile-fix-issues-of-build-reprod.patch | 49 - ...118-switch-to-use-qemu_receive_packe.patch | 37 - ...x-headers-Update-against-Linux-5.5-1.patch | 217 --- ...x-headers-Update-against-Linux-5.5-r.patch | 278 ---- packaging/linux-headers-sync-to-5.9-rc4.patch | 827 ---------- packaging/linux-headers-sync-to-5.9-rc7.patch | 43 - ...inux-headers-update-against-5.10-rc1.patch | 738 --------- ...x-headers-update-against-Linux-5.6-r.patch | 335 ---- ...x-headers-update-against-Linux-5.7-r.patch | 600 -------- packaging/linux-user-Fake-proc-cpuinfo.patch | 64 - ...x-user-add-binfmt-wrapper-for-argv-0.patch | 140 -- ...ux-user-binfmt-support-host-binaries.patch | 56 - ...x-user-lseek-explicitly-cast-non-set.patch | 36 - ...x-user-properly-test-for-infinite-ti.patch | 29 - packaging/linux-user-use-target_ulong.patch | 79 - ...sas-use-unsigned-type-for-reply_queu.patch | 50 - ...ry-clamp-cached-translation-in-case-.patch | 67 - ...ation-migration.c-Fix-hang-in-ram_sa.patch | 39 - ...eepro100-validate-various-address-va.patch | 59 - .../net-introduce-qemu_receive_packet.patch | 171 --- ...remove-an-assert-call-in-eth_get_gso.patch | 44 - ...vmxnet3-validate-configuration-value.patch | 74 - ...-Extend-CLI-to-provide-initiator-inf.patch | 303 ---- ...-Extend-CLI-to-provide-memory-latenc.patch | 530 ------- ...-Extend-CLI-to-provide-memory-side-c.patch | 311 ---- ...vram-add-nrf51_soc-flash-read-method.patch | 49 - .../osdep-provide-ROUND_DOWN-macro.patch | 69 - ...ios-s390-ccw-break-loop-if-a-null-bl.patch | 34 - ...ios-s390-ccw-don-t-try-to-read-the-n.patch | 33 - ...c-bios-s390-ccw-fix-off-by-one-error.patch | 36 - ...ios-s390-ccw-net-avoid-warning-about.patch | 24 - ...host-designware-add-pcie-msi-read-me.patch | 65 - ...t-switch-to-use-qemu_receive_packet-.patch | 38 - .../prep-add-ppc-parity-write-method.patch | 49 - ...ma-Ensure-correct-input-on-ring-init.patch | 39 - ...ma-Fix-the-ring-init-error-flow-CVE-.patch | 39 - ...-add-check-if-address-free-callback-.patch | 868 ----------- ...qemu-binfmt-conf-Modify-default-path.patch | 27 - ...emu-binfmt-conf-use-qemu-ARCH-binfmt.patch | 38 - ...-bridge-helper-reduce-security-profi.patch | 80 - packaging/qemu-cvs-gettimeofday.patch | 26 - packaging/qemu-cvs-ioctl_debug.patch | 39 - packaging/qemu-cvs-ioctl_nodirection.patch | 43 - ...-iotests-qtest-rewrite-test-067-as-a.patch | 956 ------------ ...code-hardening-have-bound-checking-w.patch | 57 - ...make-object_ref-unref-use-a-void-ins.patch | 75 - ...t-Reintroduce-qtest_qmp_receive-with.patch | 159 -- ...t-check-that-drives-are-really-appea.patch | 80 - ...est-remove-qtest_qmp_receive_success.patch | 194 --- ...t-rename-qtest_qmp_receive-to-qtest_.patch | 258 ---- ...t-switch-users-back-to-qtest_qmp_rec.patch | 160 -- packaging/rcu-Implement-drain_call_rcu.patch | 100 -- ...-Makefile-enable-cross-compile-for-b.patch | 22 - ...-Makefile-pass-a-packaging-timestamp.patch | 72 - ...-change-cross-compiler-naming-to-be-.patch | 30 - ...-sgabios-Fix-csum8-to-be-built-by-ho.patch | 22 - ...139-switch-to-use-qemu_receive_packe.patch | 39 - packaging/s390x-Add-SIDA-memory-ops.patch | 135 -- ...90x-Add-missing-vcpu-reset-functions.patch | 159 -- ...x-Add-unpack-facility-feature-to-GA1.patch | 61 - .../s390x-Beautify-diag308-handling.patch | 113 -- ...x-Don-t-do-a-normal-reset-on-the-ini.patch | 35 - packaging/s390x-Move-clear-reset.patch | 129 -- ...x-Move-diagnose-308-subcodes-and-rcs.patch | 61 - packaging/s390x-Move-initial-reset.patch | 142 -- ...x-Move-reset-normal-to-shared-reset-.patch | 128 -- ...x-fix-build-for-without-default-devi.patch | 40 - ...x-ipl-Consolidate-iplb-validity-chec.patch | 64 - ...x-kvm-Make-kvm_sclp_service_call-voi.patch | 66 - ...x-pci-Add-routine-to-get-the-vfio-dm.patch | 111 -- ...90x-pci-Honor-DMA-limits-set-by-vfio.patch | 336 ---- ...s390x-protvirt-Add-migration-blocker.patch | 64 - ...x-protvirt-Disable-address-checks-fo.patch | 119 -- ...x-protvirt-Handle-SIGP-store-status-.patch | 44 - ...x-protvirt-Inhibit-balloon-when-swit.patch | 84 - ...s390x-protvirt-KVM-intercept-changes.patch | 60 - ...x-protvirt-Move-IO-control-structure.patch | 156 -- ...x-protvirt-Move-STSI-data-over-SIDAD.patch | 55 - ...x-protvirt-Move-diag-308-data-over-S.patch | 78 - .../s390x-protvirt-SCLP-interpretation.patch | 156 -- .../s390x-protvirt-Set-guest-IPL-PSW.patch | 45 - ...90x-protvirt-Support-unpack-facility.patch | 868 ----------- ...x-protvirt-allow-to-IPL-secure-guest.patch | 47 - ...x-s390-virtio-ccw-Fix-build-on-syste.patch | 129 -- ...x-s390-virtio-ccw-Reset-PCI-devices-.patch | 37 - .../scsi-add-tracing-for-SG_IO-commands.patch | 101 -- ...-disk-fold-SG_IO-errors-back-into-re.patch | 118 -- ...-disk-set-default-I-O-timeout-to-30-.patch | 61 - packaging/scsi-disk-trace-rw-errors.patch | 49 - ...-generic-check-for-additional-SG_IO-.patch | 45 - ...-generic-pass-max_segments-via-max_i.patch | 57 - packaging/scsi-make-io_timeout-settable.patch | 153 -- ...-scsi-bus-scsi_device_find-don-t-ret.patch | 133 -- .../scsi-scsi_bus-Add-scsi_device_get.patch | 56 - ...si-scsi_bus-fix-races-in-REPORT-LUNS.patch | 131 -- ...-scsi_bus-switch-search-direction-in.patch | 49 - .../scsi-switch-to-bus-check_address.patch | 199 --- .../seabios-switch-to-python3-as-needed.patch | 149 -- ...ios-use-python2-explicitly-as-needed.patch | 48 - ...ios-Makefile-fix-issues-of-build-rep.patch | 36 - ...p-check-pkt_len-before-reading-proto.patch | 59 - ...1-Clean-up-local-variables-in-sm501_.patch | 95 -- ...1-Convert-printf-abort-to-qemu_log_m.patch | 159 -- ...1-Replace-hand-written-implementatio.patch | 260 ---- ...1-Shorten-long-variable-names-in-sm5.patch | 134 -- ...1-Use-BIT-x-macro-to-shorten-constan.patch | 42 - .../spapr_pci-add-spapr-msi-read-method.patch | 60 - .../stub-out-the-SAN-req-s-in-int13.patch | 106 -- ...em-switch-to-use-qemu_receive_packet.patch | 38 - ...et-i386-Add-missed-features-to-Coope.patch | 88 -- ...et-i386-Add-new-bit-definitions-of-M.patch | 44 - ...target-i386-add-a-ucode-rev-property.patch | 114 -- ...et-i386-check-for-availability-of-MS.patch | 59 - ...et-i386-enable-monitor-and-ucode-rev.patch | 31 - ...target-i386-fix-TCG-UCODE_REV-access.patch | 59 - ...et-i386-kvm-initialize-microcode-rev.patch | 50 - ...-add-mapping-from-arch-of-i686-to-qe.patch | 25 - ...sts-Disable-some-block-tests-for-now.patch | 28 - ...s-Fix-block-tests-to-be-compatible-w.patch | 107 -- .../tests-add-migration-helpers-unit.patch | 550 ------- ...sts-change-error-message-in-test-162.patch | 27 - ...sts-numa-Add-case-for-QMP-build-HMAT.patch | 252 --- ...s-qemu-iotests-Triple-timeout-of-i-o.patch | 27 - .../tftp-check-tftp_input-buffer-size.patch | 36 - .../tftp-introduce-a-header-structure.patch | 248 --- ...kt-switch-to-use-qemu_receive_packet.patch | 36 - .../tz-ppc-add-dummy-read-write-methods.patch | 46 - .../uas-add-stream-number-sanity-checks.patch | 61 - .../udp-check-upd_input-buffer-size.patch | 35 - .../upd6-check-udp6_input-buffer-size.patch | 35 - ...sb-fix-setup_len-init-CVE-2020-14364.patch | 86 -- ...b-hid-avoid-dynamic-stack-allocation.patch | 48 - ...limit-combined-packets-to-1-MiB-CVE-.patch | 36 - ...b-mtp-avoid-dynamic-stack-allocation.patch | 35 - ...redir-avoid-dynamic-stack-allocation.patch | 53 - packaging/usbredir-fix-free-call.patch | 37 - ...-Create-shared-routine-for-scanning-.patch | 64 - .../vfio-Find-DMA-available-capability.patch | 77 - .../vfio-add-quirk-device-write-method.patch | 50 - ...Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch | 61 - packaging/vga-fix-cirrus-bios.patch | 30 - ...t-correctly-turn-on-VIRTIO_F_IOMMU_P.patch | 56 - ...t-user-gpu-abstract-vg_cleanup_mappi.patch | 133 -- ...t-user-gpu-fix-OOB-write-in-virgl_cm.patch | 45 - ...t-user-gpu-fix-leak-in-virgl_cmd_res.patch | 55 - ...t-user-gpu-fix-leak-in-virgl_resourc.patch | 46 - ...t-user-gpu-fix-memory-disclosure-in-.patch | 39 - ...t-user-gpu-fix-memory-leak-in-vg_res.patch | 44 - ...t-user-gpu-fix-memory-leak-while-cal.patch | 46 - ...t-user-gpu-fix-resource-leak-in-vg_r.patch | 37 - ...io-don-t-enable-notifications-during.patch | 145 -- ...rtio-net-fix-rsc_ext-compat-handling.patch | 40 - ...io-net-fix-use-after-unmap-free-for-.patch | 122 -- ...tio-scsi-change-DID-TIMEOUT-handling.patch | 34 - packaging/virtio-scsi-trace-events.patch | 100 -- ...tio-scsi-translate-SG_IO-host-status.patch | 226 --- .../virtio-scsi-use-scsi_device_get.patch | 111 -- ...prioritize-ZRLE-compression-over-ZLI.patch | 59 - ...add-block-resize-support-for-xen-dis.patch | 30 - ...block-Fix-removal-of-backend-instanc.patch | 50 - ...ignore-live-parameter-from-xen-save-.patch | 41 - ...remove-BlockBackend-object-reference.patch | 32 - ...disk-Add-suse-specific-flush-disable.patch | 49 - 247 files changed, 25464 deletions(-) delete mode 100644 packaging/9pfs-Fully-restart-unreclaim-loop-CVE-20.patch delete mode 100644 packaging/AIO-Reduce-number-of-threads-for-32bit-h.patch delete mode 100644 packaging/Add-mtod_check.patch delete mode 100644 packaging/Conditionalize-ui-bitmap-installation-be.patch delete mode 100644 packaging/Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch delete mode 100644 packaging/Drop-bogus-IPv6-messages.patch delete mode 100644 packaging/Enable-cross-compile-prefix-for-C-compil.patch delete mode 100644 packaging/Fix-s-directive-argument-is-null-error.patch delete mode 100644 packaging/Linux-headers-update-against-Linux-5.8-r.patch delete mode 100644 packaging/Make-char-muxer-more-robust-wrt-small-FI.patch delete mode 100644 packaging/Make-installed-scripts-explicitly-python.patch delete mode 100644 packaging/Make-keycode-gen-output-reproducible-use.patch delete mode 100644 packaging/PPC-KVM-Disable-mmu-notifier-check.patch delete mode 100644 packaging/Raise-soft-address-space-limit-to-hard-l.patch delete mode 100644 packaging/Revert-meson-build-file-back-to-Make.obj.patch delete mode 100644 packaging/Switch-order-of-libraries-for-mpath-supp.patch delete mode 100644 packaging/Sync-pv.patch delete mode 100644 packaging/Workaround-compilation-error-with-gcc-9..patch delete mode 100644 packaging/XXX-dont-dump-core-on-sigabort.patch delete mode 100644 packaging/acpi_piix4-Fix-migration-from-SLE11-SP2.patch delete mode 100644 packaging/aio-wait-delegate-polling-of-main-AioCon.patch delete mode 100644 packaging/async-use-explicit-memory-barriers.patch delete mode 100644 packaging/ati-check-x-y-display-parameter-values.patch delete mode 100644 packaging/audio-fix-wavcapture-segfault.patch delete mode 100644 packaging/block-add-max_hw_transfer-to-BlockLimits.patch delete mode 100644 packaging/block-backend-align-max_transfer-to-requ.patch delete mode 100644 packaging/block-iscsi-fix-heap-buffer-overflow-in-.patch delete mode 100644 packaging/blockjob-Fix-crash-with-IOthread-when-bl.patch delete mode 100644 packaging/bootp-check-bootp_input-buffer-size.patch delete mode 100644 packaging/bootp-limit-vendor-specific-area-to-inpu.patch delete mode 100644 packaging/cadence_gem-switch-to-use-qemu_receive_p.patch delete mode 100644 packaging/configure-only-populate-roms-if-softmmu.patch delete mode 100644 packaging/configure-remove-pkgversion-from-CONFIG_.patch delete mode 100644 packaging/device-core-use-RCU-for-list-of-children.patch delete mode 100644 packaging/device-core-use-atomic_set-on-.realized-.patch delete mode 100644 packaging/device-plug-test-use-qtest_qmp-to-send-t.patch delete mode 100644 packaging/device_core-use-drain_call_rcu-in-in-qmp.patch delete mode 100644 packaging/dhcp-Always-send-DHCP_OPT_LEN-bytes-in-o.patch delete mode 100644 packaging/dp8393x-switch-to-use-qemu_receive_packe.patch delete mode 100644 packaging/e1000-fail-early-for-evil-descriptor.patch delete mode 100644 packaging/e1000-switch-to-use-qemu_receive_packet-.patch delete mode 100644 packaging/enable-cross-compilation-on-ARM.patch delete mode 100644 packaging/ensure-headers-included-are-compatible-w.patch delete mode 100644 packaging/esp-always-check-current_req-is-not-NULL.patch delete mode 100644 packaging/esp-don-t-reset-async_len-directly-in-es.patch delete mode 100644 packaging/esp-ensure-cmdfifo-is-not-empty-and-curr.patch delete mode 100644 packaging/esp-ensure-that-do_cmd-is-set-to-zero-be.patch delete mode 100644 packaging/exec-set-map-length-to-zero-when-returni.patch delete mode 100644 packaging/file-posix-fix-max_iov-for-dev-sg-device.patch delete mode 100644 packaging/file-posix-try-BLKSECTGET-on-block-devic.patch delete mode 100644 packaging/gcc10-maybe-uninitialized.patch delete mode 100644 packaging/hmat-acpi-Build-Memory-Proximity-Domain-.patch delete mode 100644 packaging/hmat-acpi-Build-Memory-Side-Cache-Inform.patch delete mode 100644 packaging/hmat-acpi-Build-System-Locality-Latency-.patch delete mode 100644 packaging/hw-ehci-check-return-value-of-usb_packet.patch delete mode 100644 packaging/hw-i386-disable-smbus-migration-for-xenf.patch delete mode 100644 packaging/hw-intc-arm_gic-Fix-interrupt-ID-in-GICD.patch delete mode 100644 packaging/hw-intc-exynos4210_gic-provide-more-room.patch delete mode 100644 packaging/hw-isa-piix4-Migrate-Reset-Control-Regis.patch delete mode 100644 packaging/hw-net-e1000e-advance-desc_offset-in-cas.patch delete mode 100644 packaging/hw-net-net_tx_pkt-fix-assertion-failure-.patch delete mode 100644 packaging/hw-net-xgmac-Fix-buffer-overflow-in-xgma.patch delete mode 100644 packaging/hw-pci-host-add-pci-intack-write-method.patch delete mode 100644 packaging/hw-rdma-Fix-possible-mremap-overflow-in-.patch delete mode 100644 packaging/hw-scsi-megasas-check-for-NULL-frame-in-.patch delete mode 100644 packaging/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-.patch delete mode 100644 packaging/hw-smbios-handle-both-file-formats-regar.patch delete mode 100644 packaging/hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch delete mode 100644 packaging/hw-usb-hcd-ohci-check-for-processed-TD-b.patch delete mode 100644 packaging/hw-usb-hcd-ohci-check-len-and-frame_numb.patch delete mode 100644 packaging/hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch delete mode 100644 packaging/hw-usb-host-stub-Remove-unused-header.patch delete mode 100644 packaging/hw-xhci-check-return-value-of-usb_packet.patch delete mode 100644 packaging/i386-Add-MSR-feature-bit-for-MDS-NO.patch delete mode 100644 packaging/i386-Add-macro-for-stibp.patch delete mode 100644 packaging/i386-Add-new-CPU-model-Cooperlake.patch delete mode 100644 packaging/i386-acpi-Remove-_HID-from-the-SMBus-ACP.patch delete mode 100644 packaging/i8254-Fix-migration-from-SLE11-SP2.patch delete mode 100644 packaging/ide-atapi-assert-that-the-buffer-pointer.patch delete mode 100644 packaging/imx7-ccm-add-digprog-mmio-write-method.patch delete mode 100644 packaging/increase-x86_64-physical-bits-to-42.patch delete mode 100644 packaging/iotests-Provide-a-function-for-checking-.patch delete mode 100644 packaging/iotests-Skip-test-060-if-it-is-not-possi.patch delete mode 100644 packaging/iotests-Skip-test-079-if-it-is-not-possi.patch delete mode 100644 packaging/ipxe-Makefile-fix-issues-of-build-reprod.patch delete mode 100644 packaging/lan9118-switch-to-use-qemu_receive_packe.patch delete mode 100644 packaging/linux-headers-Update-against-Linux-5.5-1.patch delete mode 100644 packaging/linux-headers-Update-against-Linux-5.5-r.patch delete mode 100644 packaging/linux-headers-sync-to-5.9-rc4.patch delete mode 100644 packaging/linux-headers-sync-to-5.9-rc7.patch delete mode 100644 packaging/linux-headers-update-against-5.10-rc1.patch delete mode 100644 packaging/linux-headers-update-against-Linux-5.6-r.patch delete mode 100644 packaging/linux-headers-update-against-Linux-5.7-r.patch delete mode 100644 packaging/linux-user-Fake-proc-cpuinfo.patch delete mode 100644 packaging/linux-user-add-binfmt-wrapper-for-argv-0.patch delete mode 100644 packaging/linux-user-binfmt-support-host-binaries.patch delete mode 100644 packaging/linux-user-lseek-explicitly-cast-non-set.patch delete mode 100644 packaging/linux-user-properly-test-for-infinite-ti.patch delete mode 100644 packaging/linux-user-use-target_ulong.patch delete mode 100644 packaging/megasas-use-unsigned-type-for-reply_queu.patch delete mode 100644 packaging/memory-clamp-cached-translation-in-case-.patch delete mode 100644 packaging/migration-migration.c-Fix-hang-in-ram_sa.patch delete mode 100644 packaging/net-eepro100-validate-various-address-va.patch delete mode 100644 packaging/net-introduce-qemu_receive_packet.patch delete mode 100644 packaging/net-remove-an-assert-call-in-eth_get_gso.patch delete mode 100644 packaging/net-vmxnet3-validate-configuration-value.patch delete mode 100644 packaging/numa-Extend-CLI-to-provide-initiator-inf.patch delete mode 100644 packaging/numa-Extend-CLI-to-provide-memory-latenc.patch delete mode 100644 packaging/numa-Extend-CLI-to-provide-memory-side-c.patch delete mode 100644 packaging/nvram-add-nrf51_soc-flash-read-method.patch delete mode 100644 packaging/osdep-provide-ROUND_DOWN-macro.patch delete mode 100644 packaging/pc-bios-s390-ccw-break-loop-if-a-null-bl.patch delete mode 100644 packaging/pc-bios-s390-ccw-don-t-try-to-read-the-n.patch delete mode 100644 packaging/pc-bios-s390-ccw-fix-off-by-one-error.patch delete mode 100644 packaging/pc-bios-s390-ccw-net-avoid-warning-about.patch delete mode 100644 packaging/pci-host-designware-add-pcie-msi-read-me.patch delete mode 100644 packaging/pcnet-switch-to-use-qemu_receive_packet-.patch delete mode 100644 packaging/prep-add-ppc-parity-write-method.patch delete mode 100644 packaging/pvrdma-Ensure-correct-input-on-ring-init.patch delete mode 100644 packaging/pvrdma-Fix-the-ring-init-error-flow-CVE-.patch delete mode 100644 packaging/qdev-add-check-if-address-free-callback-.patch delete mode 100644 packaging/qemu-binfmt-conf-Modify-default-path.patch delete mode 100644 packaging/qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch delete mode 100644 packaging/qemu-bridge-helper-reduce-security-profi.patch delete mode 100644 packaging/qemu-cvs-gettimeofday.patch delete mode 100644 packaging/qemu-cvs-ioctl_debug.patch delete mode 100644 packaging/qemu-cvs-ioctl_nodirection.patch delete mode 100644 packaging/qemu-iotests-qtest-rewrite-test-067-as-a.patch delete mode 100644 packaging/qom-code-hardening-have-bound-checking-w.patch delete mode 100644 packaging/qom-make-object_ref-unref-use-a-void-ins.patch delete mode 100644 packaging/qtest-Reintroduce-qtest_qmp_receive-with.patch delete mode 100644 packaging/qtest-check-that-drives-are-really-appea.patch delete mode 100644 packaging/qtest-remove-qtest_qmp_receive_success.patch delete mode 100644 packaging/qtest-rename-qtest_qmp_receive-to-qtest_.patch delete mode 100644 packaging/qtest-switch-users-back-to-qtest_qmp_rec.patch delete mode 100644 packaging/rcu-Implement-drain_call_rcu.patch delete mode 100644 packaging/roms-Makefile-enable-cross-compile-for-b.patch delete mode 100644 packaging/roms-Makefile-pass-a-packaging-timestamp.patch delete mode 100644 packaging/roms-change-cross-compiler-naming-to-be-.patch delete mode 100644 packaging/roms-sgabios-Fix-csum8-to-be-built-by-ho.patch delete mode 100644 packaging/rtl8139-switch-to-use-qemu_receive_packe.patch delete mode 100644 packaging/s390x-Add-SIDA-memory-ops.patch delete mode 100644 packaging/s390x-Add-missing-vcpu-reset-functions.patch delete mode 100644 packaging/s390x-Add-unpack-facility-feature-to-GA1.patch delete mode 100644 packaging/s390x-Beautify-diag308-handling.patch delete mode 100644 packaging/s390x-Don-t-do-a-normal-reset-on-the-ini.patch delete mode 100644 packaging/s390x-Move-clear-reset.patch delete mode 100644 packaging/s390x-Move-diagnose-308-subcodes-and-rcs.patch delete mode 100644 packaging/s390x-Move-initial-reset.patch delete mode 100644 packaging/s390x-Move-reset-normal-to-shared-reset-.patch delete mode 100644 packaging/s390x-fix-build-for-without-default-devi.patch delete mode 100644 packaging/s390x-ipl-Consolidate-iplb-validity-chec.patch delete mode 100644 packaging/s390x-kvm-Make-kvm_sclp_service_call-voi.patch delete mode 100644 packaging/s390x-pci-Add-routine-to-get-the-vfio-dm.patch delete mode 100644 packaging/s390x-pci-Honor-DMA-limits-set-by-vfio.patch delete mode 100644 packaging/s390x-protvirt-Add-migration-blocker.patch delete mode 100644 packaging/s390x-protvirt-Disable-address-checks-fo.patch delete mode 100644 packaging/s390x-protvirt-Handle-SIGP-store-status-.patch delete mode 100644 packaging/s390x-protvirt-Inhibit-balloon-when-swit.patch delete mode 100644 packaging/s390x-protvirt-KVM-intercept-changes.patch delete mode 100644 packaging/s390x-protvirt-Move-IO-control-structure.patch delete mode 100644 packaging/s390x-protvirt-Move-STSI-data-over-SIDAD.patch delete mode 100644 packaging/s390x-protvirt-Move-diag-308-data-over-S.patch delete mode 100644 packaging/s390x-protvirt-SCLP-interpretation.patch delete mode 100644 packaging/s390x-protvirt-Set-guest-IPL-PSW.patch delete mode 100644 packaging/s390x-protvirt-Support-unpack-facility.patch delete mode 100644 packaging/s390x-protvirt-allow-to-IPL-secure-guest.patch delete mode 100644 packaging/s390x-s390-virtio-ccw-Fix-build-on-syste.patch delete mode 100644 packaging/s390x-s390-virtio-ccw-Reset-PCI-devices-.patch delete mode 100644 packaging/scsi-add-tracing-for-SG_IO-commands.patch delete mode 100644 packaging/scsi-disk-fold-SG_IO-errors-back-into-re.patch delete mode 100644 packaging/scsi-disk-set-default-I-O-timeout-to-30-.patch delete mode 100644 packaging/scsi-disk-trace-rw-errors.patch delete mode 100644 packaging/scsi-generic-check-for-additional-SG_IO-.patch delete mode 100644 packaging/scsi-generic-pass-max_segments-via-max_i.patch delete mode 100644 packaging/scsi-make-io_timeout-settable.patch delete mode 100644 packaging/scsi-scsi-bus-scsi_device_find-don-t-ret.patch delete mode 100644 packaging/scsi-scsi_bus-Add-scsi_device_get.patch delete mode 100644 packaging/scsi-scsi_bus-fix-races-in-REPORT-LUNS.patch delete mode 100644 packaging/scsi-scsi_bus-switch-search-direction-in.patch delete mode 100644 packaging/scsi-switch-to-bus-check_address.patch delete mode 100644 packaging/seabios-switch-to-python3-as-needed.patch delete mode 100644 packaging/seabios-use-python2-explicitly-as-needed.patch delete mode 100644 packaging/sgabios-Makefile-fix-issues-of-build-rep.patch delete mode 100644 packaging/slirp-check-pkt_len-before-reading-proto.patch delete mode 100644 packaging/sm501-Clean-up-local-variables-in-sm501_.patch delete mode 100644 packaging/sm501-Convert-printf-abort-to-qemu_log_m.patch delete mode 100644 packaging/sm501-Replace-hand-written-implementatio.patch delete mode 100644 packaging/sm501-Shorten-long-variable-names-in-sm5.patch delete mode 100644 packaging/sm501-Use-BIT-x-macro-to-shorten-constan.patch delete mode 100644 packaging/spapr_pci-add-spapr-msi-read-method.patch delete mode 100644 packaging/stub-out-the-SAN-req-s-in-int13.patch delete mode 100644 packaging/sungem-switch-to-use-qemu_receive_packet.patch delete mode 100644 packaging/target-i386-Add-missed-features-to-Coope.patch delete mode 100644 packaging/target-i386-Add-new-bit-definitions-of-M.patch delete mode 100644 packaging/target-i386-add-a-ucode-rev-property.patch delete mode 100644 packaging/target-i386-check-for-availability-of-MS.patch delete mode 100644 packaging/target-i386-enable-monitor-and-ucode-rev.patch delete mode 100644 packaging/target-i386-fix-TCG-UCODE_REV-access.patch delete mode 100644 packaging/target-i386-kvm-initialize-microcode-rev.patch delete mode 100644 packaging/test-add-mapping-from-arch-of-i686-to-qe.patch delete mode 100644 packaging/tests-Disable-some-block-tests-for-now.patch delete mode 100644 packaging/tests-Fix-block-tests-to-be-compatible-w.patch delete mode 100644 packaging/tests-add-migration-helpers-unit.patch delete mode 100644 packaging/tests-change-error-message-in-test-162.patch delete mode 100644 packaging/tests-numa-Add-case-for-QMP-build-HMAT.patch delete mode 100644 packaging/tests-qemu-iotests-Triple-timeout-of-i-o.patch delete mode 100644 packaging/tftp-check-tftp_input-buffer-size.patch delete mode 100644 packaging/tftp-introduce-a-header-structure.patch delete mode 100644 packaging/tx_pkt-switch-to-use-qemu_receive_packet.patch delete mode 100644 packaging/tz-ppc-add-dummy-read-write-methods.patch delete mode 100644 packaging/uas-add-stream-number-sanity-checks.patch delete mode 100644 packaging/udp-check-upd_input-buffer-size.patch delete mode 100644 packaging/upd6-check-udp6_input-buffer-size.patch delete mode 100644 packaging/usb-fix-setup_len-init-CVE-2020-14364.patch delete mode 100644 packaging/usb-hid-avoid-dynamic-stack-allocation.patch delete mode 100644 packaging/usb-limit-combined-packets-to-1-MiB-CVE-.patch delete mode 100644 packaging/usb-mtp-avoid-dynamic-stack-allocation.patch delete mode 100644 packaging/usb-redir-avoid-dynamic-stack-allocation.patch delete mode 100644 packaging/usbredir-fix-free-call.patch delete mode 100644 packaging/vfio-Create-shared-routine-for-scanning-.patch delete mode 100644 packaging/vfio-Find-DMA-available-capability.patch delete mode 100644 packaging/vfio-add-quirk-device-write-method.patch delete mode 100644 packaging/vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch delete mode 100644 packaging/vga-fix-cirrus-bios.patch delete mode 100644 packaging/vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch delete mode 100644 packaging/vhost-user-gpu-abstract-vg_cleanup_mappi.patch delete mode 100644 packaging/vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch delete mode 100644 packaging/vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch delete mode 100644 packaging/vhost-user-gpu-fix-leak-in-virgl_resourc.patch delete mode 100644 packaging/vhost-user-gpu-fix-memory-disclosure-in-.patch delete mode 100644 packaging/vhost-user-gpu-fix-memory-leak-in-vg_res.patch delete mode 100644 packaging/vhost-user-gpu-fix-memory-leak-while-cal.patch delete mode 100644 packaging/vhost-user-gpu-fix-resource-leak-in-vg_r.patch delete mode 100644 packaging/virtio-don-t-enable-notifications-during.patch delete mode 100644 packaging/virtio-net-fix-rsc_ext-compat-handling.patch delete mode 100644 packaging/virtio-net-fix-use-after-unmap-free-for-.patch delete mode 100644 packaging/virtio-scsi-change-DID-TIMEOUT-handling.patch delete mode 100644 packaging/virtio-scsi-trace-events.patch delete mode 100644 packaging/virtio-scsi-translate-SG_IO-host-status.patch delete mode 100644 packaging/virtio-scsi-use-scsi_device_get.patch delete mode 100644 packaging/vnc-prioritize-ZRLE-compression-over-ZLI.patch delete mode 100644 packaging/xen-add-block-resize-support-for-xen-dis.patch delete mode 100644 packaging/xen-block-Fix-removal-of-backend-instanc.patch delete mode 100644 packaging/xen-ignore-live-parameter-from-xen-save-.patch delete mode 100644 packaging/xen-remove-BlockBackend-object-reference.patch delete mode 100644 packaging/xen_disk-Add-suse-specific-flush-disable.patch diff --git a/packaging/9pfs-Fully-restart-unreclaim-loop-CVE-20.patch b/packaging/9pfs-Fully-restart-unreclaim-loop-CVE-20.patch deleted file mode 100644 index 335259376..000000000 --- a/packaging/9pfs-Fully-restart-unreclaim-loop-CVE-20.patch +++ /dev/null @@ -1,76 +0,0 @@ -From: Greg Kurz -Date: Thu, 14 Jan 2021 17:04:12 +0100 -Subject: 9pfs: Fully restart unreclaim loop (CVE-2021-20181) - -Git-commit: 89fbea8737e8f7b954745a1ffc4238d377055305 -References: bsc#1182137 - -Depending on the client activity, the server can be asked to open a huge -number of file descriptors and eventually hit RLIMIT_NOFILE. This is -currently mitigated using a reclaim logic : the server closes the file -descriptors of idle fids, based on the assumption that it will be able -to re-open them later. This assumption doesn't hold of course if the -client requests the file to be unlinked. In this case, we loop on the -entire fid list and mark all related fids as unreclaimable (the reclaim -logic will just ignore them) and, of course, we open or re-open their -file descriptors if needed since we're about to unlink the file. - -This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual -opening of a file can cause the coroutine to yield, another client -request could possibly add a new fid that we may want to mark as -non-reclaimable as well. The loop is thus restarted if the re-open -request was actually transmitted to the backend. This is achieved -by keeping a reference on the first fid (head) before traversing -the list. - -This is wrong in several ways: -- a potential clunk request from the client could tear the first - fid down and cause the reference to be stale. This leads to a - use-after-free error that can be detected with ASAN, using a - custom 9p client -- fids are added at the head of the list : restarting from the - previous head will always miss fids added by a some other - potential request - -All these problems could be avoided if fids were being added at the -end of the list. This can be achieved with a QSIMPLEQ, but this is -probably too much change for a bug fix. For now let's keep it -simple and just restart the loop from the current head. - -Fixes: CVE-2021-20181 -Buglink: https://bugs.launchpad.net/qemu/+bug/1911666 -Reported-by: Zero Day Initiative -Reviewed-by: Christian Schoenebeck -Reviewed-by: Stefano Stabellini -Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan> -Signed-off-by: Greg Kurz -Signed-off-by: Bruce Rogers ---- - hw/9pfs/9p.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 37e43d3f853afe4653afbec00964..7bcf27367fa02755304da6499503 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) - { - int err; - V9fsState *s = pdu->s; -- V9fsFidState *fidp, head_fid; -+ V9fsFidState *fidp; - -- head_fid.next = s->fid_list; -+again: - for (fidp = s->fid_list; fidp; fidp = fidp->next) { - if (fidp->path.size != path->size) { - continue; -@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path) - * switched to the worker thread - */ - if (err == 0) { -- fidp = &head_fid; -+ goto again; - } - } - } diff --git a/packaging/AIO-Reduce-number-of-threads-for-32bit-h.patch b/packaging/AIO-Reduce-number-of-threads-for-32bit-h.patch deleted file mode 100644 index 843858cdc..000000000 --- a/packaging/AIO-Reduce-number-of-threads-for-32bit-h.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Alexander Graf -Date: Wed, 14 Jan 2015 01:32:11 +0100 -Subject: AIO: Reduce number of threads for 32bit hosts - -On hosts with limited virtual address space (32bit pointers), we can very -easily run out of virtual memory with big thread pools. - -Instead, we should limit ourselves to small pools to keep memory footprint -low on those systems. - -This patch fixes random VM stalls like - - (process:25114): GLib-ERROR **: gmem.c:103: failed to allocate 1048576 bytes - -on 32bit ARM systems for me. - -Signed-off-by: Alexander Graf ---- - util/thread-pool.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/util/thread-pool.c b/util/thread-pool.c -index 4ed9b89ab2d9c4e6d805ea47c2b2..697c989885ca8aa4dd1185b780df 100644 ---- a/util/thread-pool.c -+++ b/util/thread-pool.c -@@ -307,7 +307,12 @@ static void thread_pool_init_one(ThreadPool *pool, AioContext *ctx) - qemu_mutex_init(&pool->lock); - qemu_cond_init(&pool->worker_stopped); - qemu_sem_init(&pool->sem, 0); -- pool->max_threads = 64; -+ if (sizeof(pool) == 4) { -+ /* 32bit systems run out of virtual memory quickly */ -+ pool->max_threads = 4; -+ } else { -+ pool->max_threads = 64; -+ } - pool->new_thread_bh = aio_bh_new(ctx, spawn_thread_bh_fn, pool); - - QLIST_INIT(&pool->head); diff --git a/packaging/Add-mtod_check.patch b/packaging/Add-mtod_check.patch deleted file mode 100644 index 4f6298558..000000000 --- a/packaging/Add-mtod_check.patch +++ /dev/null @@ -1,54 +0,0 @@ -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= -Date: Fri, 4 Jun 2021 15:58:25 +0400 -Subject: Add mtod_check() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 -References: bsc#1187364, CVE-2021-3592 - bsc#1187367, CVE-2021-3594 - -Recent security issues demonstrate the lack of safety care when casting -a mbuf to a particular structure type. At least, it should check that -the buffer is large enough. The following patches will make use of this -function. - -Signed-off-by: Marc-André Lureau -Signed-off-by: Jose R Ziviani ---- - src/mbuf.c | 11 +++++++++++ - src/mbuf.h | 1 + - 2 files changed, 12 insertions(+) - -diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c -index 54ec721eb5eb0247b19679cd8265..cb2e971083a9d30e25552ee91f29 100644 ---- a/slirp/src/mbuf.c -+++ b/slirp/src/mbuf.c -@@ -222,3 +222,14 @@ struct mbuf *dtom(Slirp *slirp, void *dat) - - return (struct mbuf *)0; - } -+ -+void *mtod_check(struct mbuf *m, size_t len) -+{ -+ if (m->m_len >= len) { -+ return m->m_data; -+ } -+ -+ DEBUG_ERROR("mtod failed"); -+ -+ return NULL; -+} -diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h -index 546e7852c54583d3e22b1a0d84cf..2015e3232f1b7840dc14d1c6bdb3 100644 ---- a/slirp/src/mbuf.h -+++ b/slirp/src/mbuf.h -@@ -118,6 +118,7 @@ void m_inc(struct mbuf *, int); - void m_adj(struct mbuf *, int); - int m_copy(struct mbuf *, struct mbuf *, int, int); - struct mbuf *dtom(Slirp *, void *); -+void *mtod_check(struct mbuf *, size_t len); - - static inline void ifs_init(struct mbuf *ifm) - { diff --git a/packaging/Conditionalize-ui-bitmap-installation-be.patch b/packaging/Conditionalize-ui-bitmap-installation-be.patch deleted file mode 100644 index 3fe66faf7..000000000 --- a/packaging/Conditionalize-ui-bitmap-installation-be.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Bruce Rogers -Date: Wed, 23 Jan 2019 20:23:01 -0700 -Subject: Conditionalize ui bitmap installation better - -Signed-off-by: Bruce Rogers ---- - Makefile | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/Makefile b/Makefile -index 52881cbb12e7d980e0ed51f21174..edc3de72e6a94ef0503da640bbfe 100644 ---- a/Makefile -+++ b/Makefile -@@ -913,6 +913,7 @@ ifneq ($(DESCS),) - "$(DESTDIR)$(qemu_datadir)/firmware/$$x"; \ - done - endif -+ifneq ($(or $(CONFIG_GTK),$(CONFIG_SDL)),) - for s in $(ICON_SIZES); do \ - mkdir -p "$(DESTDIR)$(qemu_icondir)/hicolor/$${s}/apps"; \ - $(INSTALL_DATA) $(SRC_PATH)/ui/icons/qemu_$${s}.png \ -@@ -927,6 +928,7 @@ endif - mkdir -p "$(DESTDIR)$(qemu_desktopdir)" - $(INSTALL_DATA) $(SRC_PATH)/ui/qemu.desktop \ - "$(DESTDIR)$(qemu_desktopdir)/qemu.desktop" -+endif - ifdef CONFIG_GTK - $(MAKE) -C po $@ - endif diff --git a/packaging/Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch b/packaging/Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch deleted file mode 100644 index b39a20bc7..000000000 --- a/packaging/Do-not-apply-WORKAROUND_CFLAGS-for-host-.patch +++ /dev/null @@ -1,67 +0,0 @@ -From: Michael Brown -Date: Mon, 22 Jul 2019 14:51:28 +0100 -Subject: Do not apply WORKAROUND_CFLAGS for host compiler - -Git-commit: a4f8c6e31f6c62522cfc633bbbffa81b22f9d6f3 -Include-If: %ifarch aarch64 - -The WORKAROUND_CFLAGS list is constructed based on running tests on -the target compiler, and the results may not be valid for the host -compiler. - -The only relevant workaround required for the host compiler is --Wno-stringop-truncation, which is needed to avoid a spurious compiler -warning for a totally correct usage of strncpy() in util/elf2efi.c. - -Duplicating the workaround tests for the host compiler is messy, as is -conditionally applying __attribute__((nonstring)). Fix instead by -disapplying WORKAROUND_CFLAGS for the host compiler, and using -memcpy() with an explicitly calculated length instead of strncpy() in -util/elf2efi.c. - -Reported-by: Ignat Korchagin -Reported-by: Christopher Clark -Signed-off-by: Michael Brown -Signed-off-by: Bruce Rogers ---- - src/Makefile.housekeeping | 2 +- - src/util/elf2efi.c | 6 +++++- - 2 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping -index e5f6927de889167d286ccfcdda92..1ddbddd247d9929d63b1654d7206 100644 ---- a/roms/ipxe/src/Makefile.housekeeping -+++ b/roms/ipxe/src/Makefile.housekeeping -@@ -454,7 +454,7 @@ endif - CFLAGS += $(WORKAROUND_CFLAGS) $(EXTRA_CFLAGS) - ASFLAGS += $(WORKAROUND_ASFLAGS) $(EXTRA_ASFLAGS) - LDFLAGS += $(WORKAROUND_LDFLAGS) $(EXTRA_LDFLAGS) --HOST_CFLAGS += $(WORKAROUND_CFLAGS) -O2 -g -+HOST_CFLAGS += -O2 -g - - # Inhibit -Werror if NO_WERROR is specified on make command line - # -diff --git a/roms/ipxe/src/util/elf2efi.c b/roms/ipxe/src/util/elf2efi.c -index 2c5b9df8aae853bfce4d5d3bae89..bcd53c9afda7880d42ec80c07f17 100644 ---- a/roms/ipxe/src/util/elf2efi.c -+++ b/roms/ipxe/src/util/elf2efi.c -@@ -458,6 +458,7 @@ static struct pe_section * process_section ( struct elf_file *elf, - struct pe_header *pe_header ) { - struct pe_section *new; - const char *name; -+ size_t name_len; - size_t section_memsz; - size_t section_filesz; - unsigned long code_start; -@@ -494,7 +495,10 @@ static struct pe_section * process_section ( struct elf_file *elf, - memset ( new, 0, sizeof ( *new ) + section_filesz ); - - /* Fill in section header details */ -- strncpy ( ( char * ) new->hdr.Name, name, sizeof ( new->hdr.Name ) ); -+ name_len = strlen ( name ); -+ if ( name_len > sizeof ( new->hdr.Name ) ) -+ name_len = sizeof ( new->hdr.Name ); -+ memcpy ( new->hdr.Name, name, name_len ); - new->hdr.Misc.VirtualSize = section_memsz; - new->hdr.VirtualAddress = shdr->sh_addr; - new->hdr.SizeOfRawData = section_filesz; diff --git a/packaging/Drop-bogus-IPv6-messages.patch b/packaging/Drop-bogus-IPv6-messages.patch deleted file mode 100644 index 2065f615e..000000000 --- a/packaging/Drop-bogus-IPv6-messages.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Ralf Haferkamp -Date: Fri, 3 Jul 2020 14:51:16 +0200 -Subject: Drop bogus IPv6 messages - -Git-commit: c7ede54cbd2e2b25385325600958ba0124e31cc0 -References: bsc#1172380 CVE-2020-10756 - -Drop IPv6 message shorter than what's mentioned in the payload -length header (+ the size of the IPv6 header). They're invalid an could -lead to data leakage in icmp6_send_echoreply(). - -Signed-off-by: Jose R Ziviani ---- - src/ip6_input.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c -index dfcbfd6a78a8f78e45f89427f5a5..d88d1ab92355eda0f83970ba7f3b 100644 ---- a/slirp/src/ip6_input.c -+++ b/slirp/src/ip6_input.c -@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m) - goto bad; - } - -+ // Check if the message size is big enough to hold what's -+ // set in the payload length header. If not this is an invalid -+ // packet -+ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) { -+ goto bad; -+ } -+ - /* check ip_ttl for a correct ICMP reply */ - if (ip6->ip_hl == 0) { - icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS); diff --git a/packaging/Enable-cross-compile-prefix-for-C-compil.patch b/packaging/Enable-cross-compile-prefix-for-C-compil.patch deleted file mode 100644 index a28169bcc..000000000 --- a/packaging/Enable-cross-compile-prefix-for-C-compil.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Bruce Rogers -Date: Fri, 1 Nov 2019 19:41:52 -0600 -Subject: Enable cross compile prefix for C compiler invocation - -Signed-off-by: Bruce Rogers ---- - Makefile | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/roms/qboot/Makefile b/roms/qboot/Makefile -index adbf1b319e4a7bee78e2f95c5e51..cdde20fc37b13a1877668cd20e2f 100644 ---- a/roms/qboot/Makefile -+++ b/roms/qboot/Makefile -@@ -1,3 +1,4 @@ -+CROSS_COMPILE ?= - obj-y = code16.o entry.o main.o string.o printf.o cstart.o fw_cfg.o - obj-y += linuxboot.o malloc.o tables.o hwsetup.o pci.o code32seg.o - obj-y += mptable.o -@@ -25,9 +26,9 @@ autodepend-flags = -MMD -MF .deps/cc-$(patsubst %/,%,$(dir $*))-$(notdir $*).d - - .PRECIOUS: %.o - %.o: %.c -- $(CC) $(CFLAGS) $(BIOS_CFLAGS) $($@-cflags) -c -s $< -o $@ -+ $(CROSS_COMPILE)$(CC) $(CFLAGS) $(BIOS_CFLAGS) $($@-cflags) -c -s $< -o $@ - %.o: %.S -- $(CC) $(CFLAGS) $(BIOS_CFLAGS) -c -s $< -o $@ -+ $(CROSS_COMPILE)$(CC) $(CFLAGS) $(BIOS_CFLAGS) -c -s $< -o $@ - - bios.bin.elf: $(obj-y) flat.lds - $(LD) -T flat.lds -o bios.bin.elf $(obj-y) diff --git a/packaging/Fix-s-directive-argument-is-null-error.patch b/packaging/Fix-s-directive-argument-is-null-error.patch deleted file mode 100644 index 813caf8fd..000000000 --- a/packaging/Fix-s-directive-argument-is-null-error.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Valentine Barshak -Date: Sun, 9 Jun 2019 13:30:11 +0300 -Subject: Fix "'%s' directive argument is null" error - -Git-commit: 412acd7854de10e7194f362a6b1a3257a17974f7 -References: bsc#1121464 - -Use '%p' directive, and print handle's address if the address is null -and the handle doesn't have a name. This fixes the following -compilation error: - - interface/efi/efi_debug.c:334:3: error: '%s' directive - argument is null [-Werror=format-overflow=] - -Signed-off-by: Valentine Barshak -Signed-off-by: Michael Brown -Signed-off-by: Bruce Rogers ---- - src/interface/efi/efi_debug.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/roms/ipxe/src/interface/efi/efi_debug.c b/roms/ipxe/src/interface/efi/efi_debug.c -index 8ea0a822d044caca088c64ca2407..de9b1af5579cfddba1b55788b7b6 100644 ---- a/roms/ipxe/src/interface/efi/efi_debug.c -+++ b/roms/ipxe/src/interface/efi/efi_debug.c -@@ -331,8 +331,7 @@ void dbg_efi_protocols ( EFI_HANDLE handle ) { - - /* Sanity check */ - if ( ! handle ) { -- printf ( "HANDLE %s could not retrieve protocols\n", -- efi_handle_name ( handle ) ); -+ printf ( "HANDLE %p could not retrieve protocols\n", handle ); - return; - } - diff --git a/packaging/Linux-headers-update-against-Linux-5.8-r.patch b/packaging/Linux-headers-update-against-Linux-5.8-r.patch deleted file mode 100644 index 96f80c169..000000000 --- a/packaging/Linux-headers-update-against-Linux-5.8-r.patch +++ /dev/null @@ -1,1359 +0,0 @@ -From: Cornelia Huck -Date: Tue, 9 Jun 2020 16:26:53 +0200 -Subject: Linux headers: update against Linux 5.8-rc1 - -Git-commit: f76b348ec78fb7316bbcc981127ae8894cfcc609 -References: bsc#1179719 - -Update against Linux 5.8-rc1. - -Signed-off-by: Cornelia Huck -Signed-off-by: Liang Yan ---- - include/standard-headers/asm-x86/kvm_para.h | 17 +- - include/standard-headers/drm/drm_fourcc.h | 140 +++++++- - include/standard-headers/linux/ethtool.h | 16 +- - include/standard-headers/linux/virtio_ids.h | 1 + - include/standard-headers/linux/virtio_mem.h | 211 ++++++++++++ - include/standard-headers/linux/virtio_ring.h | 48 ++- - linux-headers/asm-arm64/mman.h | 8 + - linux-headers/asm-generic/unistd.h | 4 +- - linux-headers/asm-mips/unistd_n32.h | 1 + - linux-headers/asm-mips/unistd_n64.h | 1 + - linux-headers/asm-mips/unistd_o32.h | 1 + - linux-headers/asm-powerpc/unistd_32.h | 1 + - linux-headers/asm-powerpc/unistd_64.h | 1 + - linux-headers/asm-s390/unistd_32.h | 1 + - linux-headers/asm-s390/unistd_64.h | 1 + - linux-headers/asm-x86/kvm.h | 20 +- - linux-headers/asm-x86/unistd.h | 11 +- - linux-headers/asm-x86/unistd_32.h | 1 + - linux-headers/asm-x86/unistd_64.h | 1 + - linux-headers/asm-x86/unistd_x32.h | 1 + - linux-headers/linux/kvm.h | 18 +- - linux-headers/linux/psp-sev.h | 2 + - linux-headers/linux/vfio.h | 322 +++++++++++++++++++ - linux-headers/linux/vfio_ccw.h | 19 ++ - linux-headers/linux/vhost.h | 4 + - 25 files changed, 818 insertions(+), 33 deletions(-) - -diff --git a/include/standard-headers/asm-x86/kvm_para.h b/include/standard-headers/asm-x86/kvm_para.h -index 90604a8fb77b43ac0bdf48a9f459..07877d3295f265760c6eddec2b5e 100644 ---- a/include/standard-headers/asm-x86/kvm_para.h -+++ b/include/standard-headers/asm-x86/kvm_para.h -@@ -31,6 +31,7 @@ - #define KVM_FEATURE_PV_SEND_IPI 11 - #define KVM_FEATURE_POLL_CONTROL 12 - #define KVM_FEATURE_PV_SCHED_YIELD 13 -+#define KVM_FEATURE_ASYNC_PF_INT 14 - - #define KVM_HINTS_REALTIME 0 - -@@ -50,6 +51,8 @@ - #define MSR_KVM_STEAL_TIME 0x4b564d03 - #define MSR_KVM_PV_EOI_EN 0x4b564d04 - #define MSR_KVM_POLL_CONTROL 0x4b564d05 -+#define MSR_KVM_ASYNC_PF_INT 0x4b564d06 -+#define MSR_KVM_ASYNC_PF_ACK 0x4b564d07 - - struct kvm_steal_time { - uint64_t steal; -@@ -81,6 +84,11 @@ struct kvm_clock_pairing { - #define KVM_ASYNC_PF_ENABLED (1 << 0) - #define KVM_ASYNC_PF_SEND_ALWAYS (1 << 1) - #define KVM_ASYNC_PF_DELIVERY_AS_PF_VMEXIT (1 << 2) -+#define KVM_ASYNC_PF_DELIVERY_AS_INT (1 << 3) -+ -+/* MSR_KVM_ASYNC_PF_INT */ -+#define KVM_ASYNC_PF_VEC_MASK GENMASK(7, 0) -+ - - /* Operations for KVM_HC_MMU_OP */ - #define KVM_MMU_OP_WRITE_PTE 1 -@@ -112,8 +120,13 @@ struct kvm_mmu_op_release_pt { - #define KVM_PV_REASON_PAGE_READY 2 - - struct kvm_vcpu_pv_apf_data { -- uint32_t reason; -- uint8_t pad[60]; -+ /* Used for 'page not present' events delivered via #PF */ -+ uint32_t flags; -+ -+ /* Used for 'page ready' events delivered via interrupt notification */ -+ uint32_t token; -+ -+ uint8_t pad[56]; - uint32_t enabled; - }; - -diff --git a/include/standard-headers/drm/drm_fourcc.h b/include/standard-headers/drm/drm_fourcc.h -index 66e838074c81c64d1d38f3fb815d..909a66753c03cdfca573f1fae6a2 100644 ---- a/include/standard-headers/drm/drm_fourcc.h -+++ b/include/standard-headers/drm/drm_fourcc.h -@@ -353,9 +353,12 @@ extern "C" { - * a platform-dependent stride. On top of that the memory can apply - * platform-depending swizzling of some higher address bits into bit6. - * -- * This format is highly platforms specific and not useful for cross-driver -- * sharing. It exists since on a given platform it does uniquely identify the -- * layout in a simple way for i915-specific userspace. -+ * Note that this layout is only accurate on intel gen 8+ or valleyview chipsets. -+ * On earlier platforms the is highly platforms specific and not useful for -+ * cross-driver sharing. It exists since on a given platform it does uniquely -+ * identify the layout in a simple way for i915-specific userspace, which -+ * facilitated conversion of userspace to modifiers. Additionally the exact -+ * format on some really old platforms is not known. - */ - #define I915_FORMAT_MOD_X_TILED fourcc_mod_code(INTEL, 1) - -@@ -368,9 +371,12 @@ extern "C" { - * memory can apply platform-depending swizzling of some higher address bits - * into bit6. - * -- * This format is highly platforms specific and not useful for cross-driver -- * sharing. It exists since on a given platform it does uniquely identify the -- * layout in a simple way for i915-specific userspace. -+ * Note that this layout is only accurate on intel gen 8+ or valleyview chipsets. -+ * On earlier platforms the is highly platforms specific and not useful for -+ * cross-driver sharing. It exists since on a given platform it does uniquely -+ * identify the layout in a simple way for i915-specific userspace, which -+ * facilitated conversion of userspace to modifiers. Additionally the exact -+ * format on some really old platforms is not known. - */ - #define I915_FORMAT_MOD_Y_TILED fourcc_mod_code(INTEL, 2) - -@@ -520,7 +526,113 @@ extern "C" { - #define DRM_FORMAT_MOD_NVIDIA_TEGRA_TILED fourcc_mod_code(NVIDIA, 1) - - /* -- * 16Bx2 Block Linear layout, used by desktop GPUs, and Tegra K1 and later -+ * Generalized Block Linear layout, used by desktop GPUs starting with NV50/G80, -+ * and Tegra GPUs starting with Tegra K1. -+ * -+ * Pixels are arranged in Groups of Bytes (GOBs). GOB size and layout varies -+ * based on the architecture generation. GOBs themselves are then arranged in -+ * 3D blocks, with the block dimensions (in terms of GOBs) always being a power -+ * of two, and hence expressible as their log2 equivalent (E.g., "2" represents -+ * a block depth or height of "4"). -+ * -+ * Chapter 20 "Pixel Memory Formats" of the Tegra X1 TRM describes this format -+ * in full detail. -+ * -+ * Macro -+ * Bits Param Description -+ * ---- ----- ----------------------------------------------------------------- -+ * -+ * 3:0 h log2(height) of each block, in GOBs. Placed here for -+ * compatibility with the existing -+ * DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK()-based modifiers. -+ * -+ * 4:4 - Must be 1, to indicate block-linear layout. Necessary for -+ * compatibility with the existing -+ * DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK()-based modifiers. -+ * -+ * 8:5 - Reserved (To support 3D-surfaces with variable log2(depth) block -+ * size). Must be zero. -+ * -+ * Note there is no log2(width) parameter. Some portions of the -+ * hardware support a block width of two gobs, but it is impractical -+ * to use due to lack of support elsewhere, and has no known -+ * benefits. -+ * -+ * 11:9 - Reserved (To support 2D-array textures with variable array stride -+ * in blocks, specified via log2(tile width in blocks)). Must be -+ * zero. -+ * -+ * 19:12 k Page Kind. This value directly maps to a field in the page -+ * tables of all GPUs >= NV50. It affects the exact layout of bits -+ * in memory and can be derived from the tuple -+ * -+ * (format, GPU model, compression type, samples per pixel) -+ * -+ * Where compression type is defined below. If GPU model were -+ * implied by the format modifier, format, or memory buffer, page -+ * kind would not need to be included in the modifier itself, but -+ * since the modifier should define the layout of the associated -+ * memory buffer independent from any device or other context, it -+ * must be included here. -+ * -+ * 21:20 g GOB Height and Page Kind Generation. The height of a GOB changed -+ * starting with Fermi GPUs. Additionally, the mapping between page -+ * kind and bit layout has changed at various points. -+ * -+ * 0 = Gob Height 8, Fermi - Volta, Tegra K1+ Page Kind mapping -+ * 1 = Gob Height 4, G80 - GT2XX Page Kind mapping -+ * 2 = Gob Height 8, Turing+ Page Kind mapping -+ * 3 = Reserved for future use. -+ * -+ * 22:22 s Sector layout. On Tegra GPUs prior to Xavier, there is a further -+ * bit remapping step that occurs at an even lower level than the -+ * page kind and block linear swizzles. This causes the layout of -+ * surfaces mapped in those SOC's GPUs to be incompatible with the -+ * equivalent mapping on other GPUs in the same system. -+ * -+ * 0 = Tegra K1 - Tegra Parker/TX2 Layout. -+ * 1 = Desktop GPU and Tegra Xavier+ Layout -+ * -+ * 25:23 c Lossless Framebuffer Compression type. -+ * -+ * 0 = none -+ * 1 = ROP/3D, layout 1, exact compression format implied by Page -+ * Kind field -+ * 2 = ROP/3D, layout 2, exact compression format implied by Page -+ * Kind field -+ * 3 = CDE horizontal -+ * 4 = CDE vertical -+ * 5 = Reserved for future use -+ * 6 = Reserved for future use -+ * 7 = Reserved for future use -+ * -+ * 55:25 - Reserved for future use. Must be zero. -+ */ -+#define DRM_FORMAT_MOD_NVIDIA_BLOCK_LINEAR_2D(c, s, g, k, h) \ -+ fourcc_mod_code(NVIDIA, (0x10 | \ -+ ((h) & 0xf) | \ -+ (((k) & 0xff) << 12) | \ -+ (((g) & 0x3) << 20) | \ -+ (((s) & 0x1) << 22) | \ -+ (((c) & 0x7) << 23))) -+ -+/* To grandfather in prior block linear format modifiers to the above layout, -+ * the page kind "0", which corresponds to "pitch/linear" and hence is unusable -+ * with block-linear layouts, is remapped within drivers to the value 0xfe, -+ * which corresponds to the "generic" kind used for simple single-sample -+ * uncompressed color formats on Fermi - Volta GPUs. -+ */ -+static inline uint64_t -+drm_fourcc_canonicalize_nvidia_format_mod(uint64_t modifier) -+{ -+ if (!(modifier & 0x10) || (modifier & (0xff << 12))) -+ return modifier; -+ else -+ return modifier | (0xfe << 12); -+} -+ -+/* -+ * 16Bx2 Block Linear layout, used by Tegra K1 and later - * - * Pixels are arranged in 64x8 Groups Of Bytes (GOBs). GOBs are then stacked - * vertically by a power of 2 (1 to 32 GOBs) to form a block. -@@ -541,20 +653,20 @@ extern "C" { - * in full detail. - */ - #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(v) \ -- fourcc_mod_code(NVIDIA, 0x10 | ((v) & 0xf)) -+ DRM_FORMAT_MOD_NVIDIA_BLOCK_LINEAR_2D(0, 0, 0, 0, (v)) - - #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_ONE_GOB \ -- fourcc_mod_code(NVIDIA, 0x10) -+ DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(0) - #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_TWO_GOB \ -- fourcc_mod_code(NVIDIA, 0x11) -+ DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(1) - #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_FOUR_GOB \ -- fourcc_mod_code(NVIDIA, 0x12) -+ DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(2) - #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_EIGHT_GOB \ -- fourcc_mod_code(NVIDIA, 0x13) -+ DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(3) - #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_SIXTEEN_GOB \ -- fourcc_mod_code(NVIDIA, 0x14) -+ DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(4) - #define DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK_THIRTYTWO_GOB \ -- fourcc_mod_code(NVIDIA, 0x15) -+ DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK(5) - - /* - * Some Broadcom modifiers take parameters, for example the number of -diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h -index 1200890c86088cb3c83368f18827..fd8d2cccfe89cb193d91439a62f5 100644 ---- a/include/standard-headers/linux/ethtool.h -+++ b/include/standard-headers/linux/ethtool.h -@@ -1666,6 +1666,18 @@ static inline int ethtool_validate_duplex(uint8_t duplex) - return 0; - } - -+#define MASTER_SLAVE_CFG_UNSUPPORTED 0 -+#define MASTER_SLAVE_CFG_UNKNOWN 1 -+#define MASTER_SLAVE_CFG_MASTER_PREFERRED 2 -+#define MASTER_SLAVE_CFG_SLAVE_PREFERRED 3 -+#define MASTER_SLAVE_CFG_MASTER_FORCE 4 -+#define MASTER_SLAVE_CFG_SLAVE_FORCE 5 -+#define MASTER_SLAVE_STATE_UNSUPPORTED 0 -+#define MASTER_SLAVE_STATE_UNKNOWN 1 -+#define MASTER_SLAVE_STATE_MASTER 2 -+#define MASTER_SLAVE_STATE_SLAVE 3 -+#define MASTER_SLAVE_STATE_ERR 4 -+ - /* Which connector port. */ - #define PORT_TP 0x00 - #define PORT_AUI 0x01 -@@ -1904,7 +1916,9 @@ struct ethtool_link_settings { - uint8_t eth_tp_mdix_ctrl; - int8_t link_mode_masks_nwords; - uint8_t transceiver; -- uint8_t reserved1[3]; -+ uint8_t master_slave_cfg; -+ uint8_t master_slave_state; -+ uint8_t reserved1[1]; - uint32_t reserved[7]; - uint32_t link_mode_masks[0]; - /* layout of link_mode_masks fields: -diff --git a/include/standard-headers/linux/virtio_ids.h b/include/standard-headers/linux/virtio_ids.h -index ecc27a17401a76b8ae8a907859d1..b052355ac7a324e173f4ea44c48d 100644 ---- a/include/standard-headers/linux/virtio_ids.h -+++ b/include/standard-headers/linux/virtio_ids.h -@@ -44,6 +44,7 @@ - #define VIRTIO_ID_VSOCK 19 /* virtio vsock transport */ - #define VIRTIO_ID_CRYPTO 20 /* virtio crypto */ - #define VIRTIO_ID_IOMMU 23 /* virtio IOMMU */ -+#define VIRTIO_ID_MEM 24 /* virtio mem */ - #define VIRTIO_ID_FS 26 /* virtio filesystem */ - #define VIRTIO_ID_PMEM 27 /* virtio pmem */ - #define VIRTIO_ID_MAC80211_HWSIM 29 /* virtio mac80211-hwsim */ -diff --git a/include/standard-headers/linux/virtio_mem.h b/include/standard-headers/linux/virtio_mem.h -new file mode 100644 -index 0000000000000000000000000000000000000000..05e5ade75d3d8d2533c63d4fb4fe1c9026d86751 ---- /dev/null -+++ b/include/standard-headers/linux/virtio_mem.h -@@ -0,0 +1,211 @@ -+/* SPDX-License-Identifier: BSD-3-Clause */ -+/* -+ * Virtio Mem Device -+ * -+ * Copyright Red Hat, Inc. 2020 -+ * -+ * Authors: -+ * David Hildenbrand -+ * -+ * This header is BSD licensed so anyone can use the definitions -+ * to implement compatible drivers/servers: -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. Neither the name of IBM nor the names of its contributors -+ * may be used to endorse or promote products derived from this software -+ * without specific prior written permission. -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL IBM OR -+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF -+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND -+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT -+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -+ * SUCH DAMAGE. -+ */ -+ -+#ifndef _LINUX_VIRTIO_MEM_H -+#define _LINUX_VIRTIO_MEM_H -+ -+#include "standard-headers/linux/types.h" -+#include "standard-headers/linux/virtio_types.h" -+#include "standard-headers/linux/virtio_ids.h" -+#include "standard-headers/linux/virtio_config.h" -+ -+/* -+ * Each virtio-mem device manages a dedicated region in physical address -+ * space. Each device can belong to a single NUMA node, multiple devices -+ * for a single NUMA node are possible. A virtio-mem device is like a -+ * "resizable DIMM" consisting of small memory blocks that can be plugged -+ * or unplugged. The device driver is responsible for (un)plugging memory -+ * blocks on demand. -+ * -+ * Virtio-mem devices can only operate on their assigned memory region in -+ * order to (un)plug memory. A device cannot (un)plug memory belonging to -+ * other devices. -+ * -+ * The "region_size" corresponds to the maximum amount of memory that can -+ * be provided by a device. The "size" corresponds to the amount of memory -+ * that is currently plugged. "requested_size" corresponds to a request -+ * from the device to the device driver to (un)plug blocks. The -+ * device driver should try to (un)plug blocks in order to reach the -+ * "requested_size". It is impossible to plug more memory than requested. -+ * -+ * The "usable_region_size" represents the memory region that can actually -+ * be used to (un)plug memory. It is always at least as big as the -+ * "requested_size" and will grow dynamically. It will only shrink when -+ * explicitly triggered (VIRTIO_MEM_REQ_UNPLUG). -+ * -+ * There are no guarantees what will happen if unplugged memory is -+ * read/written. Such memory should, in general, not be touched. E.g., -+ * even writing might succeed, but the values will simply be discarded at -+ * random points in time. -+ * -+ * It can happen that the device cannot process a request, because it is -+ * busy. The device driver has to retry later. -+ * -+ * Usually, during system resets all memory will get unplugged, so the -+ * device driver can start with a clean state. However, in specific -+ * scenarios (if the device is busy) it can happen that the device still -+ * has memory plugged. The device driver can request to unplug all memory -+ * (VIRTIO_MEM_REQ_UNPLUG) - which might take a while to succeed if the -+ * device is busy. -+ */ -+ -+/* --- virtio-mem: feature bits --- */ -+ -+/* node_id is an ACPI PXM and is valid */ -+#define VIRTIO_MEM_F_ACPI_PXM 0 -+ -+ -+/* --- virtio-mem: guest -> host requests --- */ -+ -+/* request to plug memory blocks */ -+#define VIRTIO_MEM_REQ_PLUG 0 -+/* request to unplug memory blocks */ -+#define VIRTIO_MEM_REQ_UNPLUG 1 -+/* request to unplug all blocks and shrink the usable size */ -+#define VIRTIO_MEM_REQ_UNPLUG_ALL 2 -+/* request information about the plugged state of memory blocks */ -+#define VIRTIO_MEM_REQ_STATE 3 -+ -+struct virtio_mem_req_plug { -+ __virtio64 addr; -+ __virtio16 nb_blocks; -+ __virtio16 padding[3]; -+}; -+ -+struct virtio_mem_req_unplug { -+ __virtio64 addr; -+ __virtio16 nb_blocks; -+ __virtio16 padding[3]; -+}; -+ -+struct virtio_mem_req_state { -+ __virtio64 addr; -+ __virtio16 nb_blocks; -+ __virtio16 padding[3]; -+}; -+ -+struct virtio_mem_req { -+ __virtio16 type; -+ __virtio16 padding[3]; -+ -+ union { -+ struct virtio_mem_req_plug plug; -+ struct virtio_mem_req_unplug unplug; -+ struct virtio_mem_req_state state; -+ } u; -+}; -+ -+ -+/* --- virtio-mem: host -> guest response --- */ -+ -+/* -+ * Request processed successfully, applicable for -+ * - VIRTIO_MEM_REQ_PLUG -+ * - VIRTIO_MEM_REQ_UNPLUG -+ * - VIRTIO_MEM_REQ_UNPLUG_ALL -+ * - VIRTIO_MEM_REQ_STATE -+ */ -+#define VIRTIO_MEM_RESP_ACK 0 -+/* -+ * Request denied - e.g. trying to plug more than requested, applicable for -+ * - VIRTIO_MEM_REQ_PLUG -+ */ -+#define VIRTIO_MEM_RESP_NACK 1 -+/* -+ * Request cannot be processed right now, try again later, applicable for -+ * - VIRTIO_MEM_REQ_PLUG -+ * - VIRTIO_MEM_REQ_UNPLUG -+ * - VIRTIO_MEM_REQ_UNPLUG_ALL -+ */ -+#define VIRTIO_MEM_RESP_BUSY 2 -+/* -+ * Error in request (e.g. addresses/alignment), applicable for -+ * - VIRTIO_MEM_REQ_PLUG -+ * - VIRTIO_MEM_REQ_UNPLUG -+ * - VIRTIO_MEM_REQ_STATE -+ */ -+#define VIRTIO_MEM_RESP_ERROR 3 -+ -+ -+/* State of memory blocks is "plugged" */ -+#define VIRTIO_MEM_STATE_PLUGGED 0 -+/* State of memory blocks is "unplugged" */ -+#define VIRTIO_MEM_STATE_UNPLUGGED 1 -+/* State of memory blocks is "mixed" */ -+#define VIRTIO_MEM_STATE_MIXED 2 -+ -+struct virtio_mem_resp_state { -+ __virtio16 state; -+}; -+ -+struct virtio_mem_resp { -+ __virtio16 type; -+ __virtio16 padding[3]; -+ -+ union { -+ struct virtio_mem_resp_state state; -+ } u; -+}; -+ -+/* --- virtio-mem: configuration --- */ -+ -+struct virtio_mem_config { -+ /* Block size and alignment. Cannot change. */ -+ uint64_t block_size; -+ /* Valid with VIRTIO_MEM_F_ACPI_PXM. Cannot change. */ -+ uint16_t node_id; -+ uint8_t padding[6]; -+ /* Start address of the memory region. Cannot change. */ -+ uint64_t addr; -+ /* Region size (maximum). Cannot change. */ -+ uint64_t region_size; -+ /* -+ * Currently usable region size. Can grow up to region_size. Can -+ * shrink due to VIRTIO_MEM_REQ_UNPLUG_ALL (in which case no config -+ * update will be sent). -+ */ -+ uint64_t usable_region_size; -+ /* -+ * Currently used size. Changes due to plug/unplug requests, but no -+ * config updates will be sent. -+ */ -+ uint64_t plugged_size; -+ /* Requested size. New plug requests cannot exceed it. Can change. */ -+ uint64_t requested_size; -+}; -+ -+#endif /* _LINUX_VIRTIO_MEM_H */ -diff --git a/include/standard-headers/linux/virtio_ring.h b/include/standard-headers/linux/virtio_ring.h -index f230fed479601c06c40b1a82aae1..0fa0e1067ffe56c40a4034ed0368 100644 ---- a/include/standard-headers/linux/virtio_ring.h -+++ b/include/standard-headers/linux/virtio_ring.h -@@ -84,6 +84,13 @@ - * at the end of the used ring. Guest should ignore the used->flags field. */ - #define VIRTIO_RING_F_EVENT_IDX 29 - -+/* Alignment requirements for vring elements. -+ * When using pre-virtio 1.0 layout, these fall out naturally. -+ */ -+#define VRING_AVAIL_ALIGN_SIZE 2 -+#define VRING_USED_ALIGN_SIZE 4 -+#define VRING_DESC_ALIGN_SIZE 16 -+ - /* Virtio ring descriptors: 16 bytes. These can chain together via "next". */ - struct vring_desc { - /* Address (guest-physical). */ -@@ -110,28 +117,47 @@ struct vring_used_elem { - __virtio32 len; - }; - -+typedef struct vring_used_elem __attribute__((aligned(VRING_USED_ALIGN_SIZE))) -+ vring_used_elem_t; -+ - struct vring_used { - __virtio16 flags; - __virtio16 idx; -- struct vring_used_elem ring[]; -+ vring_used_elem_t ring[]; - }; - -+/* -+ * The ring element addresses are passed between components with different -+ * alignments assumptions. Thus, we might need to decrease the compiler-selected -+ * alignment, and so must use a typedef to make sure the aligned attribute -+ * actually takes hold: -+ * -+ * https://gcc.gnu.org/onlinedocs//gcc/Common-Type-Attributes.html#Common-Type-Attributes -+ * -+ * When used on a struct, or struct member, the aligned attribute can only -+ * increase the alignment; in order to decrease it, the packed attribute must -+ * be specified as well. When used as part of a typedef, the aligned attribute -+ * can both increase and decrease alignment, and specifying the packed -+ * attribute generates a warning. -+ */ -+typedef struct vring_desc __attribute__((aligned(VRING_DESC_ALIGN_SIZE))) -+ vring_desc_t; -+typedef struct vring_avail __attribute__((aligned(VRING_AVAIL_ALIGN_SIZE))) -+ vring_avail_t; -+typedef struct vring_used __attribute__((aligned(VRING_USED_ALIGN_SIZE))) -+ vring_used_t; -+ - struct vring { - unsigned int num; - -- struct vring_desc *desc; -+ vring_desc_t *desc; - -- struct vring_avail *avail; -+ vring_avail_t *avail; - -- struct vring_used *used; -+ vring_used_t *used; - }; - --/* Alignment requirements for vring elements. -- * When using pre-virtio 1.0 layout, these fall out naturally. -- */ --#define VRING_AVAIL_ALIGN_SIZE 2 --#define VRING_USED_ALIGN_SIZE 4 --#define VRING_DESC_ALIGN_SIZE 16 -+#ifndef VIRTIO_RING_NO_LEGACY - - /* The standard layout for the ring is a continuous chunk of memory which looks - * like this. We assume num is a power of 2. -@@ -179,6 +205,8 @@ static inline unsigned vring_size(unsigned int num, unsigned long align) - + sizeof(__virtio16) * 3 + sizeof(struct vring_used_elem) * num; - } - -+#endif /* VIRTIO_RING_NO_LEGACY */ -+ - /* The following is used with USED_EVENT_IDX and AVAIL_EVENT_IDX */ - /* Assuming a given event_idx value from the other side, if - * we have just incremented index from old to new_idx, -diff --git a/linux-headers/asm-arm64/mman.h b/linux-headers/asm-arm64/mman.h -index 8eebf89f5ab17884a98543f3b37a..e94b9af859842a952268c34cfd92 100644 ---- a/linux-headers/asm-arm64/mman.h -+++ b/linux-headers/asm-arm64/mman.h -@@ -1 +1,9 @@ -+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ -+#ifndef __ASM_MMAN_H -+#define __ASM_MMAN_H -+ - #include -+ -+#define PROT_BTI 0x10 /* BTI guarded page */ -+ -+#endif /* ! _UAPI__ASM_MMAN_H */ -diff --git a/linux-headers/asm-generic/unistd.h b/linux-headers/asm-generic/unistd.h -index 3a3201e4618ef8c7445895b26f6e..f4a01305d9a65c14fe46652970ec 100644 ---- a/linux-headers/asm-generic/unistd.h -+++ b/linux-headers/asm-generic/unistd.h -@@ -855,9 +855,11 @@ __SYSCALL(__NR_clone3, sys_clone3) - __SYSCALL(__NR_openat2, sys_openat2) - #define __NR_pidfd_getfd 438 - __SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd) -+#define __NR_faccessat2 439 -+__SYSCALL(__NR_faccessat2, sys_faccessat2) - - #undef __NR_syscalls --#define __NR_syscalls 439 -+#define __NR_syscalls 440 - - /* - * 32 bit systems traditionally used different -diff --git a/linux-headers/asm-mips/unistd_n32.h b/linux-headers/asm-mips/unistd_n32.h -index aec9f6081af7974a2f8fc075a70f..3b9eda7e7d8f7c7a2961192371f9 100644 ---- a/linux-headers/asm-mips/unistd_n32.h -+++ b/linux-headers/asm-mips/unistd_n32.h -@@ -367,6 +367,7 @@ - #define __NR_clone3 (__NR_Linux + 435) - #define __NR_openat2 (__NR_Linux + 437) - #define __NR_pidfd_getfd (__NR_Linux + 438) -+#define __NR_faccessat2 (__NR_Linux + 439) - - - #endif /* _ASM_MIPS_UNISTD_N32_H */ -diff --git a/linux-headers/asm-mips/unistd_n64.h b/linux-headers/asm-mips/unistd_n64.h -index 1c75d83df53f90aa386b8b919a3d..9cdf9b6c60dfde0e7f8c6f09bb48 100644 ---- a/linux-headers/asm-mips/unistd_n64.h -+++ b/linux-headers/asm-mips/unistd_n64.h -@@ -343,6 +343,7 @@ - #define __NR_clone3 (__NR_Linux + 435) - #define __NR_openat2 (__NR_Linux + 437) - #define __NR_pidfd_getfd (__NR_Linux + 438) -+#define __NR_faccessat2 (__NR_Linux + 439) - - - #endif /* _ASM_MIPS_UNISTD_N64_H */ -diff --git a/linux-headers/asm-mips/unistd_o32.h b/linux-headers/asm-mips/unistd_o32.h -index 660716e240ec10f7ccf3e65239dd..e3e5e238f026edbecf3835d1d887 100644 ---- a/linux-headers/asm-mips/unistd_o32.h -+++ b/linux-headers/asm-mips/unistd_o32.h -@@ -413,6 +413,7 @@ - #define __NR_clone3 (__NR_Linux + 435) - #define __NR_openat2 (__NR_Linux + 437) - #define __NR_pidfd_getfd (__NR_Linux + 438) -+#define __NR_faccessat2 (__NR_Linux + 439) - - - #endif /* _ASM_MIPS_UNISTD_O32_H */ -diff --git a/linux-headers/asm-powerpc/unistd_32.h b/linux-headers/asm-powerpc/unistd_32.h -index 4ba8e32f734445f6107d45044d08..862edb7448c5160b0ded92f32ede 100644 ---- a/linux-headers/asm-powerpc/unistd_32.h -+++ b/linux-headers/asm-powerpc/unistd_32.h -@@ -420,6 +420,7 @@ - #define __NR_clone3 435 - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 -+#define __NR_faccessat2 439 - - - #endif /* _ASM_POWERPC_UNISTD_32_H */ -diff --git a/linux-headers/asm-powerpc/unistd_64.h b/linux-headers/asm-powerpc/unistd_64.h -index ac20bb4f95b207d4875613b54c45..f553224ce408b2a721321d1b30b5 100644 ---- a/linux-headers/asm-powerpc/unistd_64.h -+++ b/linux-headers/asm-powerpc/unistd_64.h -@@ -392,6 +392,7 @@ - #define __NR_clone3 435 - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 -+#define __NR_faccessat2 439 - - - #endif /* _ASM_POWERPC_UNISTD_64_H */ -diff --git a/linux-headers/asm-s390/unistd_32.h b/linux-headers/asm-s390/unistd_32.h -index e4a6b654f10e1169e4fd62838282..e08233c0c37719a8a77caacf2f93 100644 ---- a/linux-headers/asm-s390/unistd_32.h -+++ b/linux-headers/asm-s390/unistd_32.h -@@ -410,5 +410,6 @@ - #define __NR_clone3 435 - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 -+#define __NR_faccessat2 439 - - #endif /* _ASM_S390_UNISTD_32_H */ -diff --git a/linux-headers/asm-s390/unistd_64.h b/linux-headers/asm-s390/unistd_64.h -index 472f732956e4d1047d95dd68c5de..560e19ae2bb4dc9dd734823016b1 100644 ---- a/linux-headers/asm-s390/unistd_64.h -+++ b/linux-headers/asm-s390/unistd_64.h -@@ -358,5 +358,6 @@ - #define __NR_clone3 435 - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 -+#define __NR_faccessat2 439 - - #endif /* _ASM_S390_UNISTD_64_H */ -diff --git a/linux-headers/asm-x86/kvm.h b/linux-headers/asm-x86/kvm.h -index 3f3f780c8c6500e1a1ea52bc0585..17c5a038f42d3978d1b06d7cec5f 100644 ---- a/linux-headers/asm-x86/kvm.h -+++ b/linux-headers/asm-x86/kvm.h -@@ -385,32 +385,48 @@ struct kvm_sync_regs { - #define KVM_X86_QUIRK_MISC_ENABLE_NO_MWAIT (1 << 4) - - #define KVM_STATE_NESTED_FORMAT_VMX 0 --#define KVM_STATE_NESTED_FORMAT_SVM 1 /* unused */ -+#define KVM_STATE_NESTED_FORMAT_SVM 1 - - #define KVM_STATE_NESTED_GUEST_MODE 0x00000001 - #define KVM_STATE_NESTED_RUN_PENDING 0x00000002 - #define KVM_STATE_NESTED_EVMCS 0x00000004 - #define KVM_STATE_NESTED_MTF_PENDING 0x00000008 -+#define KVM_STATE_NESTED_GIF_SET 0x00000100 - - #define KVM_STATE_NESTED_SMM_GUEST_MODE 0x00000001 - #define KVM_STATE_NESTED_SMM_VMXON 0x00000002 - - #define KVM_STATE_NESTED_VMX_VMCS_SIZE 0x1000 - -+#define KVM_STATE_NESTED_SVM_VMCB_SIZE 0x1000 -+ -+#define KVM_STATE_VMX_PREEMPTION_TIMER_DEADLINE 0x00000001 -+ - struct kvm_vmx_nested_state_data { - __u8 vmcs12[KVM_STATE_NESTED_VMX_VMCS_SIZE]; - __u8 shadow_vmcs12[KVM_STATE_NESTED_VMX_VMCS_SIZE]; - }; - - struct kvm_vmx_nested_state_hdr { -+ __u32 flags; - __u64 vmxon_pa; - __u64 vmcs12_pa; -+ __u64 preemption_timer_deadline; - - struct { - __u16 flags; - } smm; - }; - -+struct kvm_svm_nested_state_data { -+ /* Save area only used if KVM_STATE_NESTED_RUN_PENDING. */ -+ __u8 vmcb12[KVM_STATE_NESTED_SVM_VMCB_SIZE]; -+}; -+ -+struct kvm_svm_nested_state_hdr { -+ __u64 vmcb_pa; -+}; -+ - /* for KVM_CAP_NESTED_STATE */ - struct kvm_nested_state { - __u16 flags; -@@ -419,6 +435,7 @@ struct kvm_nested_state { - - union { - struct kvm_vmx_nested_state_hdr vmx; -+ struct kvm_svm_nested_state_hdr svm; - - /* Pad the header to 128 bytes. */ - __u8 pad[120]; -@@ -431,6 +448,7 @@ struct kvm_nested_state { - */ - union { - struct kvm_vmx_nested_state_data vmx[0]; -+ struct kvm_svm_nested_state_data svm[0]; - } data; - }; - -diff --git a/linux-headers/asm-x86/unistd.h b/linux-headers/asm-x86/unistd.h -index 498d1515c616b2b41675b79270dc..d2af42d61ded12e1f13748be46fa 100644 ---- a/linux-headers/asm-x86/unistd.h -+++ b/linux-headers/asm-x86/unistd.h -@@ -2,8 +2,15 @@ - #ifndef _ASM_X86_UNISTD_H - #define _ASM_X86_UNISTD_H - --/* x32 syscall flag bit */ --#define __X32_SYSCALL_BIT 0x40000000UL -+/* -+ * x32 syscall flag bit. Some user programs expect syscall NR macros -+ * and __X32_SYSCALL_BIT to have type int, even though syscall numbers -+ * are, for practical purposes, unsigned long. -+ * -+ * Fortunately, expressions like (nr & ~__X32_SYSCALL_BIT) do the right -+ * thing regardless. -+ */ -+#define __X32_SYSCALL_BIT 0x40000000 - - # ifdef __i386__ - # include -diff --git a/linux-headers/asm-x86/unistd_32.h b/linux-headers/asm-x86/unistd_32.h -index 1e6c1a586776181a3caba2bbba1f..c727981d4a3aa8a3578ab777d0cc 100644 ---- a/linux-headers/asm-x86/unistd_32.h -+++ b/linux-headers/asm-x86/unistd_32.h -@@ -428,6 +428,7 @@ - #define __NR_clone3 435 - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 -+#define __NR_faccessat2 439 - - - #endif /* _ASM_X86_UNISTD_32_H */ -diff --git a/linux-headers/asm-x86/unistd_64.h b/linux-headers/asm-x86/unistd_64.h -index 6daf0aecb2984b846595f8f3ea6e..843fa6274584c57a8825c1d39f85 100644 ---- a/linux-headers/asm-x86/unistd_64.h -+++ b/linux-headers/asm-x86/unistd_64.h -@@ -350,6 +350,7 @@ - #define __NR_clone3 435 - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 -+#define __NR_faccessat2 439 - - - #endif /* _ASM_X86_UNISTD_64_H */ -diff --git a/linux-headers/asm-x86/unistd_x32.h b/linux-headers/asm-x86/unistd_x32.h -index e3f17ef370fcfd16d26ea2709d16..7d63d703cab4227d9e631006852f 100644 ---- a/linux-headers/asm-x86/unistd_x32.h -+++ b/linux-headers/asm-x86/unistd_x32.h -@@ -303,6 +303,7 @@ - #define __NR_clone3 (__X32_SYSCALL_BIT + 435) - #define __NR_openat2 (__X32_SYSCALL_BIT + 437) - #define __NR_pidfd_getfd (__X32_SYSCALL_BIT + 438) -+#define __NR_faccessat2 (__X32_SYSCALL_BIT + 439) - #define __NR_rt_sigaction (__X32_SYSCALL_BIT + 512) - #define __NR_rt_sigreturn (__X32_SYSCALL_BIT + 513) - #define __NR_ioctl (__X32_SYSCALL_BIT + 514) -diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h -index a56559baa0bbe2823d1d96d652dc..71f531771dd862c7f3cbd07ba376 100644 ---- a/linux-headers/linux/kvm.h -+++ b/linux-headers/linux/kvm.h -@@ -116,7 +116,7 @@ struct kvm_irq_level { - * ACPI gsi notion of irq. - * For IA-64 (APIC model) IOAPIC0: irq 0-23; IOAPIC1: irq 24-47.. - * For X86 (standard AT mode) PIC0/1: irq 0-15. IOAPIC0: 0-23.. -- * For ARM: See Documentation/virt/kvm/api.txt -+ * For ARM: See Documentation/virt/kvm/api.rst - */ - union { - __u32 irq; -@@ -188,10 +188,13 @@ struct kvm_s390_cmma_log { - struct kvm_hyperv_exit { - #define KVM_EXIT_HYPERV_SYNIC 1 - #define KVM_EXIT_HYPERV_HCALL 2 -+#define KVM_EXIT_HYPERV_SYNDBG 3 - __u32 type; -+ __u32 pad1; - union { - struct { - __u32 msr; -+ __u32 pad2; - __u64 control; - __u64 evt_page; - __u64 msg_page; -@@ -201,6 +204,15 @@ struct kvm_hyperv_exit { - __u64 result; - __u64 params[2]; - } hcall; -+ struct { -+ __u32 msr; -+ __u32 pad2; -+ __u64 control; -+ __u64 status; -+ __u64 send_page; -+ __u64 recv_page; -+ __u64 pending_page; -+ } syndbg; - } u; - }; - -@@ -1011,6 +1023,8 @@ struct kvm_ppc_resize_hpt { - #define KVM_CAP_ARM_INJECT_EXT_DABT 178 - #define KVM_CAP_S390_PROTECTED 180 - #define KVM_CAP_PPC_SECURE_GUEST 181 -+#define KVM_CAP_HALT_POLL 182 -+#define KVM_CAP_ASYNC_PF_INT 183 - - #ifdef KVM_CAP_IRQ_ROUTING - -@@ -1101,7 +1115,7 @@ struct kvm_xen_hvm_config { - * - * KVM_IRQFD_FLAG_RESAMPLE indicates resamplefd is valid and specifies - * the irqfd to operate in resampling mode for level triggered interrupt -- * emulation. See Documentation/virt/kvm/api.txt. -+ * emulation. See Documentation/virt/kvm/api.rst. - */ - #define KVM_IRQFD_FLAG_RESAMPLE (1 << 1) - -diff --git a/linux-headers/linux/psp-sev.h b/linux-headers/linux/psp-sev.h -index 31f971e89659b667eccc0d089599..51d8b3940e1448d1a3e2488279b1 100644 ---- a/linux-headers/linux/psp-sev.h -+++ b/linux-headers/linux/psp-sev.h -@@ -83,6 +83,8 @@ struct sev_user_data_status { - __u32 guest_count; /* Out */ - } __attribute__((packed)); - -+#define SEV_STATUS_FLAGS_CONFIG_ES 0x0100 -+ - /** - * struct sev_user_data_pek_csr - PEK_CSR command parameters - * -diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h -index a41c45286511f083878c06b60d71..f09df262c4b52dfcef1d66ee0bdc 100644 ---- a/linux-headers/linux/vfio.h -+++ b/linux-headers/linux/vfio.h -@@ -305,6 +305,7 @@ struct vfio_region_info_cap_type { - #define VFIO_REGION_TYPE_PCI_VENDOR_MASK (0xffff) - #define VFIO_REGION_TYPE_GFX (1) - #define VFIO_REGION_TYPE_CCW (2) -+#define VFIO_REGION_TYPE_MIGRATION (3) - - /* sub-types for VFIO_REGION_TYPE_PCI_* */ - -@@ -378,6 +379,235 @@ struct vfio_region_gfx_edid { - - /* sub-types for VFIO_REGION_TYPE_CCW */ - #define VFIO_REGION_SUBTYPE_CCW_ASYNC_CMD (1) -+#define VFIO_REGION_SUBTYPE_CCW_SCHIB (2) -+#define VFIO_REGION_SUBTYPE_CCW_CRW (3) -+ -+/* sub-types for VFIO_REGION_TYPE_MIGRATION */ -+#define VFIO_REGION_SUBTYPE_MIGRATION (1) -+ -+/* -+ * The structure vfio_device_migration_info is placed at the 0th offset of -+ * the VFIO_REGION_SUBTYPE_MIGRATION region to get and set VFIO device related -+ * migration information. Field accesses from this structure are only supported -+ * at their native width and alignment. Otherwise, the result is undefined and -+ * vendor drivers should return an error. -+ * -+ * device_state: (read/write) -+ * - The user application writes to this field to inform the vendor driver -+ * about the device state to be transitioned to. -+ * - The vendor driver should take the necessary actions to change the -+ * device state. After successful transition to a given state, the -+ * vendor driver should return success on write(device_state, state) -+ * system call. If the device state transition fails, the vendor driver -+ * should return an appropriate -errno for the fault condition. -+ * - On the user application side, if the device state transition fails, -+ * that is, if write(device_state, state) returns an error, read -+ * device_state again to determine the current state of the device from -+ * the vendor driver. -+ * - The vendor driver should return previous state of the device unless -+ * the vendor driver has encountered an internal error, in which case -+ * the vendor driver may report the device_state VFIO_DEVICE_STATE_ERROR. -+ * - The user application must use the device reset ioctl to recover the -+ * device from VFIO_DEVICE_STATE_ERROR state. If the device is -+ * indicated to be in a valid device state by reading device_state, the -+ * user application may attempt to transition the device to any valid -+ * state reachable from the current state or terminate itself. -+ * -+ * device_state consists of 3 bits: -+ * - If bit 0 is set, it indicates the _RUNNING state. If bit 0 is clear, -+ * it indicates the _STOP state. When the device state is changed to -+ * _STOP, driver should stop the device before write() returns. -+ * - If bit 1 is set, it indicates the _SAVING state, which means that the -+ * driver should start gathering device state information that will be -+ * provided to the VFIO user application to save the device's state. -+ * - If bit 2 is set, it indicates the _RESUMING state, which means that -+ * the driver should prepare to resume the device. Data provided through -+ * the migration region should be used to resume the device. -+ * Bits 3 - 31 are reserved for future use. To preserve them, the user -+ * application should perform a read-modify-write operation on this -+ * field when modifying the specified bits. -+ * -+ * +------- _RESUMING -+ * |+------ _SAVING -+ * ||+----- _RUNNING -+ * ||| -+ * 000b => Device Stopped, not saving or resuming -+ * 001b => Device running, which is the default state -+ * 010b => Stop the device & save the device state, stop-and-copy state -+ * 011b => Device running and save the device state, pre-copy state -+ * 100b => Device stopped and the device state is resuming -+ * 101b => Invalid state -+ * 110b => Error state -+ * 111b => Invalid state -+ * -+ * State transitions: -+ * -+ * _RESUMING _RUNNING Pre-copy Stop-and-copy _STOP -+ * (100b) (001b) (011b) (010b) (000b) -+ * 0. Running or default state -+ * | -+ * -+ * 1. Normal Shutdown (optional) -+ * |------------------------------------->| -+ * -+ * 2. Save the state or suspend -+ * |------------------------->|---------->| -+ * -+ * 3. Save the state during live migration -+ * |----------->|------------>|---------->| -+ * -+ * 4. Resuming -+ * |<---------| -+ * -+ * 5. Resumed -+ * |--------->| -+ * -+ * 0. Default state of VFIO device is _RUNNNG when the user application starts. -+ * 1. During normal shutdown of the user application, the user application may -+ * optionally change the VFIO device state from _RUNNING to _STOP. This -+ * transition is optional. The vendor driver must support this transition but -+ * must not require it. -+ * 2. When the user application saves state or suspends the application, the -+ * device state transitions from _RUNNING to stop-and-copy and then to _STOP. -+ * On state transition from _RUNNING to stop-and-copy, driver must stop the -+ * device, save the device state and send it to the application through the -+ * migration region. The sequence to be followed for such transition is given -+ * below. -+ * 3. In live migration of user application, the state transitions from _RUNNING -+ * to pre-copy, to stop-and-copy, and to _STOP. -+ * On state transition from _RUNNING to pre-copy, the driver should start -+ * gathering the device state while the application is still running and send -+ * the device state data to application through the migration region. -+ * On state transition from pre-copy to stop-and-copy, the driver must stop -+ * the device, save the device state and send it to the user application -+ * through the migration region. -+ * Vendor drivers must support the pre-copy state even for implementations -+ * where no data is provided to the user before the stop-and-copy state. The -+ * user must not be required to consume all migration data before the device -+ * transitions to a new state, including the stop-and-copy state. -+ * The sequence to be followed for above two transitions is given below. -+ * 4. To start the resuming phase, the device state should be transitioned from -+ * the _RUNNING to the _RESUMING state. -+ * In the _RESUMING state, the driver should use the device state data -+ * received through the migration region to resume the device. -+ * 5. After providing saved device data to the driver, the application should -+ * change the state from _RESUMING to _RUNNING. -+ * -+ * reserved: -+ * Reads on this field return zero and writes are ignored. -+ * -+ * pending_bytes: (read only) -+ * The number of pending bytes still to be migrated from the vendor driver. -+ * -+ * data_offset: (read only) -+ * The user application should read data_offset field from the migration -+ * region. The user application should read the device data from this -+ * offset within the migration region during the _SAVING state or write -+ * the device data during the _RESUMING state. See below for details of -+ * sequence to be followed. -+ * -+ * data_size: (read/write) -+ * The user application should read data_size to get the size in bytes of -+ * the data copied in the migration region during the _SAVING state and -+ * write the size in bytes of the data copied in the migration region -+ * during the _RESUMING state. -+ * -+ * The format of the migration region is as follows: -+ * ------------------------------------------------------------------ -+ * |vfio_device_migration_info| data section | -+ * | | /////////////////////////////// | -+ * ------------------------------------------------------------------ -+ * ^ ^ -+ * offset 0-trapped part data_offset -+ * -+ * The structure vfio_device_migration_info is always followed by the data -+ * section in the region, so data_offset will always be nonzero. The offset -+ * from where the data is copied is decided by the kernel driver. The data -+ * section can be trapped, mmapped, or partitioned, depending on how the kernel -+ * driver defines the data section. The data section partition can be defined -+ * as mapped by the sparse mmap capability. If mmapped, data_offset must be -+ * page aligned, whereas initial section which contains the -+ * vfio_device_migration_info structure, might not end at the offset, which is -+ * page aligned. The user is not required to access through mmap regardless -+ * of the capabilities of the region mmap. -+ * The vendor driver should determine whether and how to partition the data -+ * section. The vendor driver should return data_offset accordingly. -+ * -+ * The sequence to be followed while in pre-copy state and stop-and-copy state -+ * is as follows: -+ * a. Read pending_bytes, indicating the start of a new iteration to get device -+ * data. Repeated read on pending_bytes at this stage should have no side -+ * effects. -+ * If pending_bytes == 0, the user application should not iterate to get data -+ * for that device. -+ * If pending_bytes > 0, perform the following steps. -+ * b. Read data_offset, indicating that the vendor driver should make data -+ * available through the data section. The vendor driver should return this -+ * read operation only after data is available from (region + data_offset) -+ * to (region + data_offset + data_size). -+ * c. Read data_size, which is the amount of data in bytes available through -+ * the migration region. -+ * Read on data_offset and data_size should return the offset and size of -+ * the current buffer if the user application reads data_offset and -+ * data_size more than once here. -+ * d. Read data_size bytes of data from (region + data_offset) from the -+ * migration region. -+ * e. Process the data. -+ * f. Read pending_bytes, which indicates that the data from the previous -+ * iteration has been read. If pending_bytes > 0, go to step b. -+ * -+ * The user application can transition from the _SAVING|_RUNNING -+ * (pre-copy state) to the _SAVING (stop-and-copy) state regardless of the -+ * number of pending bytes. The user application should iterate in _SAVING -+ * (stop-and-copy) until pending_bytes is 0. -+ * -+ * The sequence to be followed while _RESUMING device state is as follows: -+ * While data for this device is available, repeat the following steps: -+ * a. Read data_offset from where the user application should write data. -+ * b. Write migration data starting at the migration region + data_offset for -+ * the length determined by data_size from the migration source. -+ * c. Write data_size, which indicates to the vendor driver that data is -+ * written in the migration region. Vendor driver must return this write -+ * operations on consuming data. Vendor driver should apply the -+ * user-provided migration region data to the device resume state. -+ * -+ * If an error occurs during the above sequences, the vendor driver can return -+ * an error code for next read() or write() operation, which will terminate the -+ * loop. The user application should then take the next necessary action, for -+ * example, failing migration or terminating the user application. -+ * -+ * For the user application, data is opaque. The user application should write -+ * data in the same order as the data is received and the data should be of -+ * same transaction size at the source. -+ */ -+ -+struct vfio_device_migration_info { -+ __u32 device_state; /* VFIO device state */ -+#define VFIO_DEVICE_STATE_STOP (0) -+#define VFIO_DEVICE_STATE_RUNNING (1 << 0) -+#define VFIO_DEVICE_STATE_SAVING (1 << 1) -+#define VFIO_DEVICE_STATE_RESUMING (1 << 2) -+#define VFIO_DEVICE_STATE_MASK (VFIO_DEVICE_STATE_RUNNING | \ -+ VFIO_DEVICE_STATE_SAVING | \ -+ VFIO_DEVICE_STATE_RESUMING) -+ -+#define VFIO_DEVICE_STATE_VALID(state) \ -+ (state & VFIO_DEVICE_STATE_RESUMING ? \ -+ (state & VFIO_DEVICE_STATE_MASK) == VFIO_DEVICE_STATE_RESUMING : 1) -+ -+#define VFIO_DEVICE_STATE_IS_ERROR(state) \ -+ ((state & VFIO_DEVICE_STATE_MASK) == (VFIO_DEVICE_STATE_SAVING | \ -+ VFIO_DEVICE_STATE_RESUMING)) -+ -+#define VFIO_DEVICE_STATE_SET_ERROR(state) \ -+ ((state & ~VFIO_DEVICE_STATE_MASK) | VFIO_DEVICE_SATE_SAVING | \ -+ VFIO_DEVICE_STATE_RESUMING) -+ -+ __u32 reserved; -+ __u64 pending_bytes; -+ __u64 data_offset; -+ __u64 data_size; -+}; - - /* - * The MSIX mappable capability informs that MSIX data of a BAR can be mmapped -@@ -577,6 +807,7 @@ enum { - - enum { - VFIO_CCW_IO_IRQ_INDEX, -+ VFIO_CCW_CRW_IRQ_INDEX, - VFIO_CCW_NUM_IRQS - }; - -@@ -785,6 +1016,29 @@ struct vfio_iommu_type1_info_cap_iova_range { - struct vfio_iova_range iova_ranges[]; - }; - -+/* -+ * The migration capability allows to report supported features for migration. -+ * -+ * The structures below define version 1 of this capability. -+ * -+ * The existence of this capability indicates that IOMMU kernel driver supports -+ * dirty page logging. -+ * -+ * pgsize_bitmap: Kernel driver returns bitmap of supported page sizes for dirty -+ * page logging. -+ * max_dirty_bitmap_size: Kernel driver returns maximum supported dirty bitmap -+ * size in bytes that can be used by user applications when getting the dirty -+ * bitmap. -+ */ -+#define VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION 1 -+ -+struct vfio_iommu_type1_info_cap_migration { -+ struct vfio_info_cap_header header; -+ __u32 flags; -+ __u64 pgsize_bitmap; -+ __u64 max_dirty_bitmap_size; /* in bytes */ -+}; -+ - #define VFIO_IOMMU_GET_INFO _IO(VFIO_TYPE, VFIO_BASE + 12) - - /** -@@ -805,6 +1059,12 @@ struct vfio_iommu_type1_dma_map { - - #define VFIO_IOMMU_MAP_DMA _IO(VFIO_TYPE, VFIO_BASE + 13) - -+struct vfio_bitmap { -+ __u64 pgsize; /* page size for bitmap in bytes */ -+ __u64 size; /* in bytes */ -+ __u64 *data; /* one bit per page */ -+}; -+ - /** - * VFIO_IOMMU_UNMAP_DMA - _IOWR(VFIO_TYPE, VFIO_BASE + 14, - * struct vfio_dma_unmap) -@@ -814,12 +1074,23 @@ struct vfio_iommu_type1_dma_map { - * field. No guarantee is made to the user that arbitrary unmaps of iova - * or size different from those used in the original mapping call will - * succeed. -+ * VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP should be set to get the dirty bitmap -+ * before unmapping IO virtual addresses. When this flag is set, the user must -+ * provide a struct vfio_bitmap in data[]. User must provide zero-allocated -+ * memory via vfio_bitmap.data and its size in the vfio_bitmap.size field. -+ * A bit in the bitmap represents one page, of user provided page size in -+ * vfio_bitmap.pgsize field, consecutively starting from iova offset. Bit set -+ * indicates that the page at that offset from iova is dirty. A Bitmap of the -+ * pages in the range of unmapped size is returned in the user-provided -+ * vfio_bitmap.data. - */ - struct vfio_iommu_type1_dma_unmap { - __u32 argsz; - __u32 flags; -+#define VFIO_DMA_UNMAP_FLAG_GET_DIRTY_BITMAP (1 << 0) - __u64 iova; /* IO virtual address */ - __u64 size; /* Size of mapping (bytes) */ -+ __u8 data[]; - }; - - #define VFIO_IOMMU_UNMAP_DMA _IO(VFIO_TYPE, VFIO_BASE + 14) -@@ -831,6 +1102,57 @@ struct vfio_iommu_type1_dma_unmap { - #define VFIO_IOMMU_ENABLE _IO(VFIO_TYPE, VFIO_BASE + 15) - #define VFIO_IOMMU_DISABLE _IO(VFIO_TYPE, VFIO_BASE + 16) - -+/** -+ * VFIO_IOMMU_DIRTY_PAGES - _IOWR(VFIO_TYPE, VFIO_BASE + 17, -+ * struct vfio_iommu_type1_dirty_bitmap) -+ * IOCTL is used for dirty pages logging. -+ * Caller should set flag depending on which operation to perform, details as -+ * below: -+ * -+ * Calling the IOCTL with VFIO_IOMMU_DIRTY_PAGES_FLAG_START flag set, instructs -+ * the IOMMU driver to log pages that are dirtied or potentially dirtied by -+ * the device; designed to be used when a migration is in progress. Dirty pages -+ * are logged until logging is disabled by user application by calling the IOCTL -+ * with VFIO_IOMMU_DIRTY_PAGES_FLAG_STOP flag. -+ * -+ * Calling the IOCTL with VFIO_IOMMU_DIRTY_PAGES_FLAG_STOP flag set, instructs -+ * the IOMMU driver to stop logging dirtied pages. -+ * -+ * Calling the IOCTL with VFIO_IOMMU_DIRTY_PAGES_FLAG_GET_BITMAP flag set -+ * returns the dirty pages bitmap for IOMMU container for a given IOVA range. -+ * The user must specify the IOVA range and the pgsize through the structure -+ * vfio_iommu_type1_dirty_bitmap_get in the data[] portion. This interface -+ * supports getting a bitmap of the smallest supported pgsize only and can be -+ * modified in future to get a bitmap of any specified supported pgsize. The -+ * user must provide a zeroed memory area for the bitmap memory and specify its -+ * size in bitmap.size. One bit is used to represent one page consecutively -+ * starting from iova offset. The user should provide page size in bitmap.pgsize -+ * field. A bit set in the bitmap indicates that the page at that offset from -+ * iova is dirty. The caller must set argsz to a value including the size of -+ * structure vfio_iommu_type1_dirty_bitmap_get, but excluding the size of the -+ * actual bitmap. If dirty pages logging is not enabled, an error will be -+ * returned. -+ * -+ * Only one of the flags _START, _STOP and _GET may be specified at a time. -+ * -+ */ -+struct vfio_iommu_type1_dirty_bitmap { -+ __u32 argsz; -+ __u32 flags; -+#define VFIO_IOMMU_DIRTY_PAGES_FLAG_START (1 << 0) -+#define VFIO_IOMMU_DIRTY_PAGES_FLAG_STOP (1 << 1) -+#define VFIO_IOMMU_DIRTY_PAGES_FLAG_GET_BITMAP (1 << 2) -+ __u8 data[]; -+}; -+ -+struct vfio_iommu_type1_dirty_bitmap_get { -+ __u64 iova; /* IO virtual address */ -+ __u64 size; /* Size of iova range */ -+ struct vfio_bitmap bitmap; -+}; -+ -+#define VFIO_IOMMU_DIRTY_PAGES _IO(VFIO_TYPE, VFIO_BASE + 17) -+ - /* -------- Additional API for SPAPR TCE (Server POWERPC) IOMMU -------- */ - - /* -diff --git a/linux-headers/linux/vfio_ccw.h b/linux-headers/linux/vfio_ccw.h -index fcc3e69ef526444601cb22d1765a..516496f1d482674a4a5f66133cb7 100644 ---- a/linux-headers/linux/vfio_ccw.h -+++ b/linux-headers/linux/vfio_ccw.h -@@ -34,4 +34,23 @@ struct ccw_cmd_region { - __u32 ret_code; - } __attribute__((packed)); - -+/* -+ * Used for processing commands that read the subchannel-information block -+ * Reading this region triggers a stsch() to hardware -+ * Note: this is controlled by a capability -+ */ -+struct ccw_schib_region { -+#define SCHIB_AREA_SIZE 52 -+ __u8 schib_area[SCHIB_AREA_SIZE]; -+} __attribute__((packed)); -+ -+/* -+ * Used for returning a Channel Report Word to userspace. -+ * Note: this is controlled by a capability -+ */ -+struct ccw_crw_region { -+ __u32 crw; -+ __u32 pad; -+} __attribute__((packed)); -+ - #endif -diff --git a/linux-headers/linux/vhost.h b/linux-headers/linux/vhost.h -index 9fe72e4b1373165d7a7aeff61410..0c2349612e776086a2ffd137d402 100644 ---- a/linux-headers/linux/vhost.h -+++ b/linux-headers/linux/vhost.h -@@ -15,6 +15,8 @@ - #include - #include - -+#define VHOST_FILE_UNBIND -1 -+ - /* ioctls */ - - #define VHOST_VIRTIO 0xAF -@@ -140,4 +142,6 @@ - /* Get the max ring size. */ - #define VHOST_VDPA_GET_VRING_NUM _IOR(VHOST_VIRTIO, 0x76, __u16) - -+/* Set event fd for config interrupt*/ -+#define VHOST_VDPA_SET_CONFIG_CALL _IOW(VHOST_VIRTIO, 0x77, int) - #endif diff --git a/packaging/Make-char-muxer-more-robust-wrt-small-FI.patch b/packaging/Make-char-muxer-more-robust-wrt-small-FI.patch deleted file mode 100644 index 22454b9f7..000000000 --- a/packaging/Make-char-muxer-more-robust-wrt-small-FI.patch +++ /dev/null @@ -1,118 +0,0 @@ -From: Alexander Graf -Date: Thu, 1 Apr 2010 17:36:23 +0200 -Subject: Make char muxer more robust wrt small FIFOs - -Virtio-Console can only process one character at a time. Using it on S390 -gave me strage "lags" where I got the character I pressed before when -pressing one. So I typed in "abc" and only received "a", then pressed "d" -but the guest received "b" and so on. - -While the stdio driver calls a poll function that just processes on its -queue in case virtio-console can't take multiple characters at once, the -muxer does not have such callbacks, so it can't empty its queue. - -To work around that limitation, I introduced a new timer that only gets -active when the guest can not receive any more characters. In that case -it polls again after a while to check if the guest is now receiving input. - -This patch fixes input when using -nographic on s390 for me. - -[AF: Rebased for v2.7.0-rc2] -[BR: minor edits to pass qemu's checkpatch script] -Signed-off-by: Bruce Rogers ---- - chardev/char-fe.c | 1 + - chardev/char-mux.c | 16 ++++++++++++++++ - chardev/char.c | 1 + - include/chardev/char-mux.h | 3 +++ - tests/test-char.c | 1 + - 5 files changed, 22 insertions(+) - -diff --git a/chardev/char-fe.c b/chardev/char-fe.c -index f3530a90e6364d813097105b6113..f8aa0daf31692810efc7d5ca32eb 100644 ---- a/chardev/char-fe.c -+++ b/chardev/char-fe.c -@@ -21,6 +21,7 @@ - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ -+#define HW_POISON_H /* avoid poison since we patch against rules it "enforces" */ - #include "qemu/osdep.h" - #include "qemu/error-report.h" - #include "qapi/error.h" -diff --git a/chardev/char-mux.c b/chardev/char-mux.c -index 200c62a0d08bd779de8efdc95aad..10acb4fce1d3bda0d9f818eeb5ee 100644 ---- a/chardev/char-mux.c -+++ b/chardev/char-mux.c -@@ -22,6 +22,7 @@ - * THE SOFTWARE. - */ - -+#define HW_POISON_H /* avoid poison since we patch against rules it "enforces" */ - #include "qemu/osdep.h" - #include "qapi/error.h" - #include "qemu/module.h" -@@ -191,6 +192,17 @@ static void mux_chr_accept_input(Chardev *chr) - be->chr_read(be->opaque, - &d->buffer[m][d->cons[m]++ & MUX_BUFFER_MASK], 1); - } -+ -+#if defined(TARGET_S390X) -+ /* -+ * We're still not able to sync producer and consumer, so let's wait a bit -+ * and try again by then. -+ */ -+ if (d->prod[m] != d->cons[m]) { -+ qemu_mod_timer(d->accept_timer, qemu_get_clock_ns(vm_clock) -+ + (int64_t)100000); -+ } -+#endif - } - - static int mux_chr_can_read(void *opaque) -@@ -325,6 +337,10 @@ static void qemu_chr_open_mux(Chardev *chr, - } - - d->focus = -1; -+#if defined(TARGET_S390X) -+ d->accept_timer = qemu_new_timer_ns(vm_clock, -+ (QEMUTimerCB *)mux_chr_accept_input, chr); -+#endif - /* only default to opened state if we've realized the initial - * set of muxes - */ -diff --git a/chardev/char.c b/chardev/char.c -index 7b6b2cb12300042c6adf257e188c..d2134d72f60e58f35ee9e7869db4 100644 ---- a/chardev/char.c -+++ b/chardev/char.c -@@ -22,6 +22,7 @@ - * THE SOFTWARE. - */ - -+#define HW_POISON_H /* avoid poison since we patch against rules it "enforces" */ - #include "qemu/osdep.h" - #include "qemu/cutils.h" - #include "monitor/monitor.h" -diff --git a/include/chardev/char-mux.h b/include/chardev/char-mux.h -index 572cefd517c8fa9d605cbd10fc21..6e80785bd9c12b85e747fa9f924e 100644 ---- a/include/chardev/char-mux.h -+++ b/include/chardev/char-mux.h -@@ -34,6 +34,9 @@ typedef struct MuxChardev { - Chardev parent; - CharBackend *backends[MAX_MUX]; - CharBackend chr; -+#if defined(TARGET_S390X) -+ QEMUTimer *accept_timer; -+#endif - int focus; - int mux_cnt; - int term_got_escape; -diff --git a/tests/test-char.c b/tests/test-char.c -index 45e42af290d4c55c0d8ed9358ef2..8e8c983dc0adce3dea739c9d85fc 100644 ---- a/tests/test-char.c -+++ b/tests/test-char.c -@@ -1,3 +1,4 @@ -+#define HW_POISON_H /* avoid poison since we patch against rules it "enforces" */ - #include "qemu/osdep.h" - #include - diff --git a/packaging/Make-installed-scripts-explicitly-python.patch b/packaging/Make-installed-scripts-explicitly-python.patch deleted file mode 100644 index 7bcbedce6..000000000 --- a/packaging/Make-installed-scripts-explicitly-python.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Bruce Rogers -Date: Thu, 25 Jan 2018 14:16:10 -0700 -Subject: Make installed scripts explicitly python3 - -References: bsc#1077564 - -We want to explicitly reference python3 in the scripts we install. - -Signed-off-by: Bruce Rogers ---- - scripts/analyze-migration.py | 2 +- - scripts/vmstate-static-checker.py | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/scripts/analyze-migration.py b/scripts/analyze-migration.py -index e527eb168e9ce7c3944094ec6701..fd376eac71f73e6366a9e17a1c51 100755 ---- a/scripts/analyze-migration.py -+++ b/scripts/analyze-migration.py -@@ -1,4 +1,4 @@ --#!/usr/bin/env python -+#!/usr/bin/python3 - # - # Migration Stream Analyzer - # -diff --git a/scripts/vmstate-static-checker.py b/scripts/vmstate-static-checker.py -index f8b7b8f77252f2c03d6d7db9dc60..754159069dfae6838edaac14856f 100755 ---- a/scripts/vmstate-static-checker.py -+++ b/scripts/vmstate-static-checker.py -@@ -1,4 +1,4 @@ --#!/usr/bin/python -+#!/usr/bin/python3 - # - # Compares vmstate information stored in JSON format, obtained from - # the -dump-vmstate QEMU command. diff --git a/packaging/Make-keycode-gen-output-reproducible-use.patch b/packaging/Make-keycode-gen-output-reproducible-use.patch deleted file mode 100644 index c77ea0cf5..000000000 --- a/packaging/Make-keycode-gen-output-reproducible-use.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: =?UTF-8?q?Stefan=20Br=C3=BCns?= -Date: Mon, 5 Aug 2019 20:03:11 +0000 -Subject: Make keycode-gen output reproducible (use SOURCE_DATE_EPOCH - timestamp) - -Signed-off-by: Bruce Rogers -Date: Fri, 6 Jan 2012 01:05:55 +0100 -Subject: PPC: KVM: Disable mmu notifier check - -When using hugetlbfs (which is required for HV mode KVM on 970), we -check for MMU notifiers that on 970 can not be implemented properly. - -So disable the check for mmu notifiers on PowerPC guests, making -KVM guests work there, even if possibly racy in some odd circumstances. - -Signed-off-by: Bruce Rogers ---- - exec.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/exec.c b/exec.c -index a240e3d338a32fb46b1dfe66d4af..ecd6f380f2d928e302cebc41f1c2 100644 ---- a/exec.c -+++ b/exec.c -@@ -2291,11 +2291,13 @@ RAMBlock *qemu_ram_alloc_from_fd(ram_addr_t size, MemoryRegion *mr, - return NULL; - } - -+#ifndef TARGET_PPC - if (kvm_enabled() && !kvm_has_sync_mmu()) { - error_setg(errp, - "host lacks kvm mmu notifiers, -mem-path unsupported"); - return NULL; - } -+#endif - - if (phys_mem_alloc != qemu_anon_ram_alloc) { - /* diff --git a/packaging/Raise-soft-address-space-limit-to-hard-l.patch b/packaging/Raise-soft-address-space-limit-to-hard-l.patch deleted file mode 100644 index cf942f3ad..000000000 --- a/packaging/Raise-soft-address-space-limit-to-hard-l.patch +++ /dev/null @@ -1,54 +0,0 @@ -From: =?UTF-8?q?Andreas=20F=C3=A4rber?= -Date: Sun, 15 Jan 2012 19:53:49 +0100 -Subject: Raise soft address space limit to hard limit -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -For SLES we want users to be able to use large memory configurations -with KVM without fiddling with ulimit -Sv. - -Signed-off-by: Andreas Färber -[BR: add include for sys/resource.h] -Signed-off-by: Bruce Rogers ---- - vl.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/vl.c b/vl.c -index bf0a6345d2394ad25adfe53c4006..68de8184f91c6ef3903859c70526 100644 ---- a/vl.c -+++ b/vl.c -@@ -33,6 +33,7 @@ - #include "qemu/uuid.h" - #include "sysemu/reset.h" - #include "sysemu/runstate.h" -+#include - #include "sysemu/seccomp.h" - #include "sysemu/tcg.h" - -@@ -2863,6 +2864,7 @@ int main(int argc, char **argv, char **envp) - char *dir, **dirs; - BlockdevOptionsQueue bdo_queue = QSIMPLEQ_HEAD_INITIALIZER(bdo_queue); - QemuPluginList plugin_list = QTAILQ_HEAD_INITIALIZER(plugin_list); -+ struct rlimit rlimit_as; - - os_set_line_buffering(); - -@@ -2874,6 +2876,16 @@ int main(int argc, char **argv, char **envp) - - qemu_mutex_lock_iothread(); - -+ /* -+ * Try to raise the soft address space limit. -+ * Default on SLES 11 SP2 is 80% of physical+swap memory. -+ */ -+ getrlimit(RLIMIT_AS, &rlimit_as); -+ if (rlimit_as.rlim_cur < rlimit_as.rlim_max) { -+ rlimit_as.rlim_cur = rlimit_as.rlim_max; -+ setrlimit(RLIMIT_AS, &rlimit_as); -+ } -+ - atexit(qemu_run_exit_notifiers); - qemu_init_exec_dir(argv[0]); - diff --git a/packaging/Revert-meson-build-file-back-to-Make.obj.patch b/packaging/Revert-meson-build-file-back-to-Make.obj.patch deleted file mode 100644 index c081e29e0..000000000 --- a/packaging/Revert-meson-build-file-back-to-Make.obj.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Liang Yan -Date: Tue, 19 Jan 2021 11:01:26 -0500 -Subject: Revert meson build file back to Make.objs - -References: bsc#1179719 - -Related commits: cd7498d07fbb 77280d33bc9c - -Signed-off-by: Liang Yan ---- - hw/s390x/Makefile.objs | 1 + - include/hw/s390x/s390-pci-vfio.h | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/hw/s390x/Makefile.objs b/hw/s390x/Makefile.objs -index a46a1c7894e0f612a2d74cec74f6..37c071d78533bb326d7e25e757e0 100644 ---- a/hw/s390x/Makefile.objs -+++ b/hw/s390x/Makefile.objs -@@ -35,3 +35,4 @@ obj-$(CONFIG_KVM) += pv.o - obj-y += s390-ccw.o - obj-y += ap-device.o - obj-y += ap-bridge.o -+obj-$(CONFIG_VFIO) += s390-pci-vfio.o -diff --git a/include/hw/s390x/s390-pci-vfio.h b/include/hw/s390x/s390-pci-vfio.h -index a99499851f048ab04c2c1b45a4a2..55db22a9541812a1e7ba66d5dea3 100644 ---- a/include/hw/s390x/s390-pci-vfio.h -+++ b/include/hw/s390x/s390-pci-vfio.h -@@ -13,6 +13,7 @@ - #define HW_S390_PCI_VFIO_H - - #include "hw/s390x/s390-pci-bus.h" -+#include "config-devices.h" - - #ifdef CONFIG_VFIO - bool s390_pci_update_dma_avail(int fd, unsigned int *avail); diff --git a/packaging/Switch-order-of-libraries-for-mpath-supp.patch b/packaging/Switch-order-of-libraries-for-mpath-supp.patch deleted file mode 100644 index 05e8c9289..000000000 --- a/packaging/Switch-order-of-libraries-for-mpath-supp.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Bruce Rogers -Date: Fri, 3 Nov 2017 11:12:40 -0600 -Subject: Switch order of libraries for mpath support - -Signed-off-by: Bruce Rogers ---- - Makefile | 2 +- - configure | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Makefile b/Makefile -index b437a346d71a55d75f207f36e85b..52881cbb12e7d980e0ed51f21174 100644 ---- a/Makefile -+++ b/Makefile -@@ -579,7 +579,7 @@ fsdev/virtfs-proxy-helper$(EXESUF): LIBS += -lcap - - scsi/qemu-pr-helper$(EXESUF): scsi/qemu-pr-helper.o scsi/utils.o $(authz-obj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS) - ifdef CONFIG_MPATH --scsi/qemu-pr-helper$(EXESUF): LIBS += -ludev -lmultipath -lmpathpersist -+scsi/qemu-pr-helper$(EXESUF): LIBS += -ludev -lmpathpersist -lmultipath - endif - - qemu-img-cmds.h: $(SRC_PATH)/qemu-img-cmds.hx $(SRC_PATH)/scripts/hxtool -diff --git a/configure b/configure -index 6099be1d848c7f52ea02694d6d86..09a33aecfd6ef543eeee8c5023b6 100755 ---- a/configure -+++ b/configure -@@ -3836,7 +3836,7 @@ int main(void) { - return 0; - } - EOF -- if compile_prog "" "-ludev -lmultipath -lmpathpersist" ; then -+ if compile_prog "" "-ludev -lmpathpersist -lmultipath" ; then - mpathpersist=yes - mpathpersist_new_api=yes - else diff --git a/packaging/Sync-pv.patch b/packaging/Sync-pv.patch deleted file mode 100644 index 53d66f11e..000000000 --- a/packaging/Sync-pv.patch +++ /dev/null @@ -1,91 +0,0 @@ -From: Janosch Frank -Date: Tue, 25 Feb 2020 06:09:23 -0500 -Subject: Sync pv - -References: bsc#1167075 - -Signed-off-by: Janosch Frank -(cherry picked from commit 6807f464961cfee1dd81c95e22ddd91fa352fcc4) -Signed-off-by: Bruce Rogers ---- - linux-headers/linux/kvm.h | 49 +++++++++++++++++++++++++++++++++++++-- - 1 file changed, 47 insertions(+), 2 deletions(-) - -diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h -index 4ec5f9464c650dda5bdda131f6ba..11d7e7dc25b51b7a2ae99c78b870 100644 ---- a/linux-headers/linux/kvm.h -+++ b/linux-headers/linux/kvm.h -@@ -500,12 +500,17 @@ struct kvm_s390_mem_op { - __u32 size; /* amount of bytes */ - __u32 op; /* type of operation */ - __u64 buf; /* buffer in userspace */ -- __u8 ar; /* the access register number */ -- __u8 reserved[31]; /* should be set to 0 */ -+ union { -+ __u8 ar; /* the access register number */ -+ __u32 sida_offset; /* offset into the sida */ -+ __u8 reserved[32]; /* should be set to 0 */ -+ }; - }; - /* types for kvm_s390_mem_op->op */ - #define KVM_S390_MEMOP_LOGICAL_READ 0 - #define KVM_S390_MEMOP_LOGICAL_WRITE 1 -+#define KVM_S390_MEMOP_SIDA_READ 2 -+#define KVM_S390_MEMOP_SIDA_WRITE 3 - /* flags for kvm_s390_mem_op->flags */ - #define KVM_S390_MEMOP_F_CHECK_ONLY (1ULL << 0) - #define KVM_S390_MEMOP_F_INJECT_EXCEPTION (1ULL << 1) -@@ -1036,6 +1041,7 @@ struct kvm_ppc_resize_hpt { - #define KVM_CAP_PPC_GUEST_DEBUG_SSTEP 176 - #define KVM_CAP_ARM_NISV_TO_USER 177 - #define KVM_CAP_ARM_INJECT_EXT_DABT 178 -+#define KVM_CAP_S390_VCPU_RESETS 179 - #define KVM_CAP_S390_PROTECTED 180 - #define KVM_CAP_PPC_SECURE_GUEST 181 - #define KVM_CAP_HALT_POLL 182 -@@ -1511,6 +1517,45 @@ struct kvm_enc_region { - /* Available with KVM_CAP_ARM_SVE */ - #define KVM_ARM_VCPU_FINALIZE _IOW(KVMIO, 0xc2, int) - -+/* Available with KVM_CAP_S390_VCPU_RESETS */ -+#define KVM_S390_NORMAL_RESET _IO(KVMIO, 0xc3) -+#define KVM_S390_CLEAR_RESET _IO(KVMIO, 0xc4) -+ -+struct kvm_s390_pv_sec_parm { -+ __u64 origin; -+ __u64 length; -+}; -+ -+struct kvm_s390_pv_unp { -+ __u64 addr; -+ __u64 size; -+ __u64 tweak; -+}; -+ -+enum pv_cmd_id { -+ KVM_PV_ENABLE, -+ KVM_PV_DISABLE, -+ KVM_PV_VM_SET_SEC_PARMS, -+ KVM_PV_VM_UNPACK, -+ KVM_PV_VM_VERIFY, -+ KVM_PV_VM_PREP_RESET, -+ KVM_PV_VM_UNSHARE_ALL, -+ KVM_PV_VCPU_CREATE, -+ KVM_PV_VCPU_DESTROY, -+}; -+ -+struct kvm_pv_cmd { -+ __u32 cmd; /* Command to be executed */ -+ __u16 rc; /* Ultravisor return code */ -+ __u16 rrc; /* Ultravisor return reason code */ -+ __u64 data; /* Data or address */ -+ __u32 flags; /* flags for future extensions. Must be 0 for now */ -+ __u32 reserved[3]; -+}; -+ -+/* Available with KVM_CAP_S390_PROTECTED */ -+#define KVM_S390_PV_COMMAND _IOWR(KVMIO, 0xc5, struct kvm_pv_cmd) -+ - /* Available with KVM_CAP_X86_MSR_FILTER */ - #define KVM_X86_SET_MSR_FILTER _IOW(KVMIO, 0xc6, struct kvm_msr_filter) - diff --git a/packaging/Workaround-compilation-error-with-gcc-9..patch b/packaging/Workaround-compilation-error-with-gcc-9..patch deleted file mode 100644 index 69200afdc..000000000 --- a/packaging/Workaround-compilation-error-with-gcc-9..patch +++ /dev/null @@ -1,53 +0,0 @@ -From: Valentine Barshak -Date: Mon, 22 Jul 2019 10:47:50 +0100 -Subject: Workaround compilation error with gcc 9.1 - -References: bsc#1121464 - -Compiling with gcc 9.1 generates lots of "taking address of packed -member of ... may result in an unaligned pointer value" warnings. - -Some of these warnings are genuine, and indicate correctly that parts -of iPXE currently require the CPU (or runtime environment) to support -unaligned accesses. For example: the TCP/IP receive data path will -attempt to access 32-bit fields that may not be aligned to a 32-bit -boundary. - -Other warnings are either spurious (such as when the pointer is to a -variable-length byte array, which can have no alignment requirement -anyway) or unhelpful (such as when the pointer is used solely to -provide a debug colour value for the DBGC() macro). - -There appears to be no easy way to silence the spurious warnings. -Since the ability to perform unaligned accesses is already a -requirement for iPXE, work around the problem by silencing this class -of warnings. - -Signed-off-by: Valentine Barshak -Modified-by: Michael Brown -Signed-off-by: Michael Brown -Signed-off-by: Bruce Rogers ---- - src/Makefile.housekeeping | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping -index 97fa325bb52314e05192d0414436..e5f6927de889167d286ccfcdda92 100644 ---- a/roms/ipxe/src/Makefile.housekeeping -+++ b/roms/ipxe/src/Makefile.housekeeping -@@ -185,6 +185,15 @@ WNST_TEST = $(CC) -Wstringop-truncation -x c -c /dev/null -o /dev/null \ - >/dev/null 2>&1 - WNST_FLAGS := $(shell $(WNST_TEST) && $(ECHO) '-Wno-stringop-truncation') - WORKAROUND_CFLAGS += $(WNST_FLAGS) -+ -+# gcc 9.1 generates warnings for taking address of packed member which -+# may result in an unaligned pointer value. Inhibit the warnings. -+# -+WNAPM_TEST = $(CC) -Wno-address-of-packed-member -x c -c /dev/null \ -+ -o /dev/null >/dev/null 2>&1 -+WNAPM_FLAGS := $(shell $(WNAPM_TEST) && \ -+ $(ECHO) '-Wno-address-of-packed-member') -+WORKAROUND_CFLAGS += $(WNAPM_FLAGS) - endif - - # Some versions of gas choke on division operators, treating them as diff --git a/packaging/XXX-dont-dump-core-on-sigabort.patch b/packaging/XXX-dont-dump-core-on-sigabort.patch deleted file mode 100644 index 3e7d1fd29..000000000 --- a/packaging/XXX-dont-dump-core-on-sigabort.patch +++ /dev/null @@ -1,33 +0,0 @@ -From: Alexander Graf -Date: Mon, 21 Nov 2011 23:50:36 +0100 -Subject: XXX dont dump core on sigabort - -Signed-off-by: Bruce Rogers ---- - linux-user/signal.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/linux-user/signal.c b/linux-user/signal.c -index 5ca6d62b15d3e4d3faee3f554fff..1d6382ce881795b057ab229e4129 100644 ---- a/linux-user/signal.c -+++ b/linux-user/signal.c -@@ -581,6 +581,10 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig) - trace_user_force_sig(env, target_sig, host_sig); - gdb_signalled(env, target_sig); - -+ if (target_sig == 6) { -+ goto no_core; -+ } -+ - /* dump core if supported by target binary format */ - if (core_dump_signal(target_sig) && (ts->bprm->core_dump != NULL)) { - stop_all_tasks(); -@@ -598,6 +602,8 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig) - target_sig, strsignal(host_sig), "core dumped" ); - } - -+no_core: -+ - /* The proper exit code for dying from an uncaught signal is - * -. The kernel doesn't allow exit() or _exit() to pass - * a negative value. To get the proper exit code we need to diff --git a/packaging/acpi_piix4-Fix-migration-from-SLE11-SP2.patch b/packaging/acpi_piix4-Fix-migration-from-SLE11-SP2.patch deleted file mode 100644 index 98673b16b..000000000 --- a/packaging/acpi_piix4-Fix-migration-from-SLE11-SP2.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: =?UTF-8?q?Andreas=20F=C3=A4rber?= -Date: Wed, 31 Jul 2013 17:32:35 +0200 -Subject: acpi_piix4: Fix migration from SLE11 SP2 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -References: bnc#812836 - -qemu-kvm 0.15 uses the same GPE format as qemu 1.4, but as version 2 -rather than 3. - -Signed-off-by: Andreas Färber ---- - hw/acpi/piix4.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c -index 93aec2dd2ce1767784076c3544b0..1f2a8ea850e9115b689af90bf708 100644 ---- a/hw/acpi/piix4.c -+++ b/hw/acpi/piix4.c -@@ -273,7 +273,7 @@ static bool piix4_vmstate_need_smbus(void *opaque, int version_id) - static const VMStateDescription vmstate_acpi = { - .name = "piix4_pm", - .version_id = 3, -- .minimum_version_id = 3, -+ .minimum_version_id = 2, /* qemu-kvm */ - .post_load = vmstate_acpi_post_load, - .fields = (VMStateField[]) { - VMSTATE_PCI_DEVICE(parent_obj, PIIX4PMState), diff --git a/packaging/aio-wait-delegate-polling-of-main-AioCon.patch b/packaging/aio-wait-delegate-polling-of-main-AioCon.patch deleted file mode 100644 index 0ba7dba5e..000000000 --- a/packaging/aio-wait-delegate-polling-of-main-AioCon.patch +++ /dev/null @@ -1,116 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 7 Apr 2020 10:07:45 -0400 -Subject: aio-wait: delegate polling of main AioContext if BQL not held - -Git-commit: 3c18a92dc4b55ca8cc37a755ed119f11c0f34099 - -Any thread that is not a iothread returns NULL for qemu_get_current_aio_context(). -As a result, it would also return true for -in_aio_context_home_thread(qemu_get_aio_context()), causing -AIO_WAIT_WHILE to invoke aio_poll() directly. This is incorrect -if the BQL is not held, because aio_poll() does not expect to -run concurrently from multiple threads, and it can actually -happen when savevm writes to the vmstate file from the -migration thread. - -Therefore, restrict in_aio_context_home_thread to return true -for the main AioContext only if the BQL is held. - -The function is moved to aio-wait.h because it is mostly used -there and to avoid a circular reference between main-loop.h -and block/aio.h. - -Signed-off-by: Paolo Bonzini -Message-Id: <20200407140746.8041-5-pbonzini@redhat.com> -Signed-off-by: Stefan Hajnoczi -Signed-off-by: Bruce Rogers ---- - include/block/aio-wait.h | 22 ++++++++++++++++++++++ - include/block/aio.h | 29 ++++++++++------------------- - 2 files changed, 32 insertions(+), 19 deletions(-) - -diff --git a/include/block/aio-wait.h b/include/block/aio-wait.h -index afeeb18f95ebb593982b5d3f8917..716d2639df708f03e3f29d68315b 100644 ---- a/include/block/aio-wait.h -+++ b/include/block/aio-wait.h -@@ -26,6 +26,7 @@ - #define QEMU_AIO_WAIT_H - - #include "block/aio.h" -+#include "qemu/main-loop.h" - - /** - * AioWait: -@@ -124,4 +125,25 @@ void aio_wait_kick(void); - */ - void aio_wait_bh_oneshot(AioContext *ctx, QEMUBHFunc *cb, void *opaque); - -+/** -+ * in_aio_context_home_thread: -+ * @ctx: the aio context -+ * -+ * Return whether we are running in the thread that normally runs @ctx. Note -+ * that acquiring/releasing ctx does not affect the outcome, each AioContext -+ * still only has one home thread that is responsible for running it. -+ */ -+static inline bool in_aio_context_home_thread(AioContext *ctx) -+{ -+ if (ctx == qemu_get_current_aio_context()) { -+ return true; -+ } -+ -+ if (ctx == qemu_get_aio_context()) { -+ return qemu_mutex_iothread_locked(); -+ } else { -+ return false; -+ } -+} -+ - #endif /* QEMU_AIO_WAIT_H */ -diff --git a/include/block/aio.h b/include/block/aio.h -index 6b0d52f732b86caef07602281574..9d28e247df7f0d3a556644fcd9d1 100644 ---- a/include/block/aio.h -+++ b/include/block/aio.h -@@ -60,12 +60,16 @@ struct AioContext { - QLIST_HEAD(, AioHandler) aio_handlers; - - /* Used to avoid unnecessary event_notifier_set calls in aio_notify; -- * accessed with atomic primitives. If this field is 0, everything -- * (file descriptors, bottom halves, timers) will be re-evaluated -- * before the next blocking poll(), thus the event_notifier_set call -- * can be skipped. If it is non-zero, you may need to wake up a -- * concurrent aio_poll or the glib main event loop, making -- * event_notifier_set necessary. -+ * only written from the AioContext home thread, or under the BQL in -+ * the case of the main AioContext. However, it is read from any -+ * thread so it is still accessed with atomic primitives. -+ * -+ * If this field is 0, everything (file descriptors, bottom halves, -+ * timers) will be re-evaluated before the next blocking poll() or -+ * io_uring wait; therefore, the event_notifier_set call can be -+ * skipped. If it is non-zero, you may need to wake up a concurrent -+ * aio_poll or the glib main event loop, making event_notifier_set -+ * necessary. - * - * Bit 0 is reserved for GSource usage of the AioContext, and is 1 - * between a call to aio_ctx_prepare and the next call to aio_ctx_check. -@@ -580,19 +584,6 @@ void aio_co_enter(AioContext *ctx, struct Coroutine *co); - */ - AioContext *qemu_get_current_aio_context(void); - --/** -- * in_aio_context_home_thread: -- * @ctx: the aio context -- * -- * Return whether we are running in the thread that normally runs @ctx. Note -- * that acquiring/releasing ctx does not affect the outcome, each AioContext -- * still only has one home thread that is responsible for running it. -- */ --static inline bool in_aio_context_home_thread(AioContext *ctx) --{ -- return ctx == qemu_get_current_aio_context(); --} -- - /** - * aio_context_setup: - * @ctx: the aio context diff --git a/packaging/async-use-explicit-memory-barriers.patch b/packaging/async-use-explicit-memory-barriers.patch deleted file mode 100644 index 8a1673e4c..000000000 --- a/packaging/async-use-explicit-memory-barriers.patch +++ /dev/null @@ -1,168 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 7 Apr 2020 10:07:46 -0400 -Subject: async: use explicit memory barriers - -Git-commit: 5710a3e09f9b85801e5ce70797a4a511e5fc9e2c - -When using C11 atomics, non-seqcst reads and writes do not participate -in the total order of seqcst operations. In util/async.c and util/aio-posix.c, -in particular, the pattern that we use - - write ctx->notify_me write bh->scheduled - read bh->scheduled read ctx->notify_me - if !bh->scheduled, sleep if ctx->notify_me, notify - -needs to use seqcst operations for both the write and the read. In -general this is something that we do not want, because there can be -many sources that are polled in addition to bottom halves. The -alternative is to place a seqcst memory barrier between the write -and the read. This also comes with a disadvantage, in that the -memory barrier is implicit on strongly-ordered architectures and -it wastes a few dozen clock cycles. - -Fortunately, ctx->notify_me is never written concurrently by two -threads, so we can assert that and relax the writes to ctx->notify_me. -The resulting solution works and performs well on both aarch64 and x86. - -Note that the atomic_set/atomic_read combination is not an atomic -read-modify-write, and therefore it is even weaker than C11 ATOMIC_RELAXED; -on x86, ATOMIC_RELAXED compiles to a locked operation. - -Analyzed-by: Ying Fang -Signed-off-by: Paolo Bonzini -Tested-by: Ying Fang -Message-Id: <20200407140746.8041-6-pbonzini@redhat.com> -Signed-off-by: Stefan Hajnoczi -Signed-off-by: Bruce Rogers ---- - util/aio-posix.c | 16 ++++++++++++++-- - util/aio-win32.c | 17 ++++++++++++++--- - util/async.c | 16 ++++++++++++---- - 3 files changed, 40 insertions(+), 9 deletions(-) - -diff --git a/util/aio-posix.c b/util/aio-posix.c -index a4977f538ef28d56178267a1795c..fe2a46c439fa1505f5f688274566 100644 ---- a/util/aio-posix.c -+++ b/util/aio-posix.c -@@ -616,6 +616,11 @@ bool aio_poll(AioContext *ctx, bool blocking) - int64_t timeout; - int64_t start = 0; - -+ /* -+ * There cannot be two concurrent aio_poll calls for the same AioContext (or -+ * an aio_poll concurrent with a GSource prepare/check/dispatch callback). -+ * We rely on this below to avoid slow locked accesses to ctx->notify_me. -+ */ - assert(in_aio_context_home_thread(ctx)); - - /* aio_notify can avoid the expensive event_notifier_set if -@@ -626,7 +631,13 @@ bool aio_poll(AioContext *ctx, bool blocking) - * so disable the optimization now. - */ - if (blocking) { -- atomic_add(&ctx->notify_me, 2); -+ atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) + 2); -+ /* -+ * Write ctx->notify_me before computing the timeout -+ * (reading bottom half flags, etc.). Pairs with -+ * smp_mb in aio_notify(). -+ */ -+ smp_mb(); - } - - qemu_lockcnt_inc(&ctx->list_lock); -@@ -671,7 +682,8 @@ bool aio_poll(AioContext *ctx, bool blocking) - } - - if (blocking) { -- atomic_sub(&ctx->notify_me, 2); -+ /* Finish the poll before clearing the flag. */ -+ atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) - 2); - aio_notify_accept(ctx); - } - -diff --git a/util/aio-win32.c b/util/aio-win32.c -index a23b9c364db3a764a3e00c6b62e9..729d533faf4d807e0a5388edd2af 100644 ---- a/util/aio-win32.c -+++ b/util/aio-win32.c -@@ -321,6 +321,12 @@ bool aio_poll(AioContext *ctx, bool blocking) - int count; - int timeout; - -+ /* -+ * There cannot be two concurrent aio_poll calls for the same AioContext (or -+ * an aio_poll concurrent with a GSource prepare/check/dispatch callback). -+ * We rely on this below to avoid slow locked accesses to ctx->notify_me. -+ */ -+ assert(in_aio_context_home_thread(ctx)); - progress = false; - - /* aio_notify can avoid the expensive event_notifier_set if -@@ -331,7 +337,13 @@ bool aio_poll(AioContext *ctx, bool blocking) - * so disable the optimization now. - */ - if (blocking) { -- atomic_add(&ctx->notify_me, 2); -+ atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) + 2); -+ /* -+ * Write ctx->notify_me before computing the timeout -+ * (reading bottom half flags, etc.). Pairs with -+ * smp_mb in aio_notify(). -+ */ -+ smp_mb(); - } - - qemu_lockcnt_inc(&ctx->list_lock); -@@ -364,8 +376,7 @@ bool aio_poll(AioContext *ctx, bool blocking) - ret = WaitForMultipleObjects(count, events, FALSE, timeout); - if (blocking) { - assert(first); -- assert(in_aio_context_home_thread(ctx)); -- atomic_sub(&ctx->notify_me, 2); -+ atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) - 2); - aio_notify_accept(ctx); - } - -diff --git a/util/async.c b/util/async.c -index b1fa5319e5bc7830d50108f91139..c65c58bbc9f57bf1bbdb6acd5fd1 100644 ---- a/util/async.c -+++ b/util/async.c -@@ -220,7 +220,14 @@ aio_ctx_prepare(GSource *source, gint *timeout) - { - AioContext *ctx = (AioContext *) source; - -- atomic_or(&ctx->notify_me, 1); -+ atomic_set(&ctx->notify_me, atomic_read(&ctx->notify_me) | 1); -+ -+ /* -+ * Write ctx->notify_me before computing the timeout -+ * (reading bottom half flags, etc.). Pairs with -+ * smp_mb in aio_notify(). -+ */ -+ smp_mb(); - - /* We assume there is no timeout already supplied */ - *timeout = qemu_timeout_ns_to_ms(aio_compute_timeout(ctx)); -@@ -238,7 +245,8 @@ aio_ctx_check(GSource *source) - AioContext *ctx = (AioContext *) source; - QEMUBH *bh; - -- atomic_and(&ctx->notify_me, ~1); -+ /* Finish computing the timeout before clearing the flag. */ -+ atomic_store_release(&ctx->notify_me, atomic_read(&ctx->notify_me) & ~1); - aio_notify_accept(ctx); - - for (bh = ctx->first_bh; bh; bh = bh->next) { -@@ -343,10 +351,10 @@ LinuxAioState *aio_get_linux_aio(AioContext *ctx) - void aio_notify(AioContext *ctx) - { - /* Write e.g. bh->scheduled before reading ctx->notify_me. Pairs -- * with atomic_or in aio_ctx_prepare or atomic_add in aio_poll. -+ * with smp_mb in aio_ctx_prepare or aio_poll. - */ - smp_mb(); -- if (ctx->notify_me) { -+ if (atomic_read(&ctx->notify_me)) { - event_notifier_set(&ctx->notifier); - atomic_mb_set(&ctx->notified, true); - } diff --git a/packaging/ati-check-x-y-display-parameter-values.patch b/packaging/ati-check-x-y-display-parameter-values.patch deleted file mode 100644 index def3faa11..000000000 --- a/packaging/ati-check-x-y-display-parameter-values.patch +++ /dev/null @@ -1,48 +0,0 @@ -From: Prasad J Pandit -Date: Wed, 21 Oct 2020 16:08:18 +0530 -Subject: ati: check x y display parameter values - -Git-commit: ca1f9cbfdce4d63b10d57de80fef89a89d92a540 -References: bsc#1178400, CVE-2020-27616 - -The source and destination x,y display parameters in ati_2d_blt() -may run off the vga limits if either of s->regs.[src|dst]_[xy] is -zero. Check the parameter values to avoid potential crash. - -Reported-by: Gaoning Pan -Signed-off-by: Prasad J Pandit -Message-id: 20201021103818.1704030-1-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann -Signed-off-by: Bruce Rogers ---- - hw/display/ati_2d.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c -index 23a8ae0cd8ceb7b59408c0709e2f..4dc10ea79529b354f6bdeb92e005 100644 ---- a/hw/display/ati_2d.c -+++ b/hw/display/ati_2d.c -@@ -75,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s) - dst_stride *= bpp; - } - uint8_t *end = s->vga.vram_ptr + s->vga.vram_size; -- if (dst_bits >= end || dst_bits + dst_x + (dst_y + s->regs.dst_height) * -- dst_stride >= end) { -+ if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end -+ || dst_bits + dst_x -+ + (dst_y + s->regs.dst_height) * dst_stride >= end) { - qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n"); - return; - } -@@ -107,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s) - src_bits += s->regs.crtc_offset & 0x07ffffff; - src_stride *= bpp; - } -- if (src_bits >= end || src_bits + src_x + -- (src_y + s->regs.dst_height) * src_stride >= end) { -+ if (src_x > 0x3fff || src_y > 0x3fff || src_bits >= end -+ || src_bits + src_x -+ + (src_y + s->regs.dst_height) * src_stride >= end) { - qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n"); - return; - } diff --git a/packaging/audio-fix-wavcapture-segfault.patch b/packaging/audio-fix-wavcapture-segfault.patch deleted file mode 100644 index f4b85de24..000000000 --- a/packaging/audio-fix-wavcapture-segfault.patch +++ /dev/null @@ -1,49 +0,0 @@ -From: Bruce Rogers -Date: Thu, 21 May 2020 11:29:31 -0600 -Subject: audio: fix wavcapture segfault -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: cbaf25d1f59ee13fc7542a06ea70784f2e000c04 -References: boo#1171712 - -Commit 571a8c522e caused the HMP wavcapture command to segfault when -processing audio data in audio_pcm_sw_write(), where a NULL -sw->hw->pcm_ops is dereferenced. This fix checks that the pointer is -valid before dereferincing it. A similar fix is also made in the -parallel function audio_pcm_sw_read(). - -Fixes: 571a8c522e (audio: split ctl_* functions into enable_* and -volume_*) -Signed-off-by: Bruce Rogers -Reviewed-by: Philippe Mathieu-Daudé -Message-id: 20200521172931.121903-1-brogers@suse.com -Signed-off-by: Gerd Hoffmann -Signed-off-by: Bruce Rogers ---- - audio/audio.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/audio/audio.c b/audio/audio.c -index 56fae55047103af9fb85aa47c905..566febf7d76eba61e4db472d0fd1 100644 ---- a/audio/audio.c -+++ b/audio/audio.c -@@ -634,7 +634,7 @@ static size_t audio_pcm_sw_read(SWVoiceIn *sw, void *buf, size_t size) - total += isamp; - } - -- if (!hw->pcm_ops->volume_in) { -+ if (hw->pcm_ops && !hw->pcm_ops->volume_in) { - mixeng_volume (sw->buf, ret, &sw->vol); - } - -@@ -721,7 +721,7 @@ static size_t audio_pcm_sw_write(SWVoiceOut *sw, void *buf, size_t size) - if (swlim) { - sw->conv (sw->buf, buf, swlim); - -- if (!sw->hw->pcm_ops->volume_out) { -+ if (sw->hw->pcm_ops && !sw->hw->pcm_ops->volume_out) { - mixeng_volume (sw->buf, swlim, &sw->vol); - } - } diff --git a/packaging/block-add-max_hw_transfer-to-BlockLimits.patch b/packaging/block-add-max_hw_transfer-to-BlockLimits.patch deleted file mode 100644 index 4ed0090f9..000000000 --- a/packaging/block-add-max_hw_transfer-to-BlockLimits.patch +++ /dev/null @@ -1,125 +0,0 @@ -From: Lin Ma -Date: Mon, 13 Sep 2021 17:07:57 +0800 -Subject: block: add max_hw_transfer to BlockLimits - -Git-commit: 24b36e9813ec15da7db62e3b3621730710c5f020 -References: bsc#1190425 - -For block host devices, I/O can happen through either the kernel file -descriptor I/O system calls (preadv/pwritev, io_submit, io_uring) -or the SCSI passthrough ioctl SG_IO. - -In the latter case, the size of each transfer can be limited by the -HBA, while for file descriptor I/O the kernel is able to split and -merge I/O in smaller pieces as needed. Applying the HBA limits to -file descriptor I/O results in more system calls and suboptimal -performance, so this patch splits the max_transfer limit in two: -max_transfer remains valid and is used in general, while max_hw_transfer -is limited to the maximum hardware size. max_hw_transfer can then be -included by the scsi-generic driver in the block limits page, to ensure -that the stricter hardware limit is used. - -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - block/block-backend.c | 13 +++++++++++++ - block/file-posix.c | 2 +- - block/io.c | 2 ++ - hw/scsi/scsi-generic.c | 2 +- - include/block/block_int.h | 7 +++++++ - include/sysemu/block-backend.h | 1 + - 6 files changed, 25 insertions(+), 2 deletions(-) - -diff --git a/block/block-backend.c b/block/block-backend.c -index 5344126d1ec81a0af792758da1ad..28908cd0bf3b11b7e1a3915df02d 100644 ---- a/block/block-backend.c -+++ b/block/block-backend.c -@@ -1825,6 +1825,19 @@ uint32_t blk_get_request_alignment(BlockBackend *blk) - return bs ? bs->bl.request_alignment : BDRV_SECTOR_SIZE; - } - -+/* Returns the maximum hardware transfer length, in bytes; guaranteed nonzero */ -+uint64_t blk_get_max_hw_transfer(BlockBackend *blk) -+{ -+ BlockDriverState *bs = blk_bs(blk); -+ uint64_t max = INT_MAX; -+ -+ if (bs) { -+ max = MIN_NON_ZERO(max, bs->bl.max_hw_transfer); -+ max = MIN_NON_ZERO(max, bs->bl.max_transfer); -+ } -+ return ROUND_DOWN(max, blk_get_request_alignment(blk)); -+} -+ - /* Returns the maximum transfer length, in bytes; guaranteed nonzero */ - uint32_t blk_get_max_transfer(BlockBackend *blk) - { -diff --git a/block/file-posix.c b/block/file-posix.c -index c0e8a60d501982db438db3cb8dba..59149186c6937907070a2683a82a 100644 ---- a/block/file-posix.c -+++ b/block/file-posix.c -@@ -1142,7 +1142,7 @@ static void raw_refresh_limits(BlockDriverState *bs, Error **errp) - int ret = sg_get_max_transfer_length(s->fd); - - if (ret > 0 && ret <= BDRV_REQUEST_MAX_BYTES) { -- bs->bl.max_transfer = pow2floor(ret); -+ bs->bl.max_hw_transfer = pow2floor(ret); - } - - ret = sg_get_max_segments(s->fd); -diff --git a/block/io.c b/block/io.c -index c2c3aab9ee3d1d4d494ce98a6d8b..c0e2c1c70d9aeef11ab1853f326e 100644 ---- a/block/io.c -+++ b/block/io.c -@@ -127,6 +127,8 @@ static void bdrv_merge_limits(BlockLimits *dst, const BlockLimits *src) - { - dst->opt_transfer = MAX(dst->opt_transfer, src->opt_transfer); - dst->max_transfer = MIN_NON_ZERO(dst->max_transfer, src->max_transfer); -+ dst->max_hw_transfer = MIN_NON_ZERO(dst->max_hw_transfer, -+ src->max_hw_transfer); - dst->opt_mem_alignment = MAX(dst->opt_mem_alignment, - src->opt_mem_alignment); - dst->min_mem_alignment = MAX(dst->min_mem_alignment, -diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c -index a135d7087ecc8d73baeed0270d29..af05add799afadec1c17a62fe1e3 100644 ---- a/hw/scsi/scsi-generic.c -+++ b/hw/scsi/scsi-generic.c -@@ -172,7 +172,7 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq *r, SCSIDevice *s) - if (s->type == TYPE_DISK && (r->req.cmd.buf[1] & 0x01)) { - page = r->req.cmd.buf[2]; - if (page == 0xb0) { -- uint32_t max_transfer = blk_get_max_transfer(s->conf.blk); -+ uint64_t max_transfer = blk_get_max_hw_transfer(s->conf.blk); - uint32_t max_iov = blk_get_max_iov(s->conf.blk); - - assert(max_transfer); -diff --git a/include/block/block_int.h b/include/block/block_int.h -index dd033d0b375a72de9ab9f01f8fb7..c8926f50194b7b8ca9f40a0901c6 100644 ---- a/include/block/block_int.h -+++ b/include/block/block_int.h -@@ -637,6 +637,13 @@ typedef struct BlockLimits { - * clamped down. */ - uint32_t max_transfer; - -+ /* Maximal hardware transfer length in bytes. Applies whenever -+ * transfers to the device bypass the kernel I/O scheduler, for -+ * example with SG_IO. If larger than max_transfer or if zero, -+ * blk_get_max_hw_transfer will fall back to max_transfer. -+ */ -+ uint64_t max_hw_transfer; -+ - /* memory alignment, in bytes so that no bounce buffer is needed */ - size_t min_mem_alignment; - -diff --git a/include/sysemu/block-backend.h b/include/sysemu/block-backend.h -index b198deca0b24aeb559442aa46cf9..8fd7258dae301c25279e69ee3fa6 100644 ---- a/include/sysemu/block-backend.h -+++ b/include/sysemu/block-backend.h -@@ -202,6 +202,7 @@ void blk_eject(BlockBackend *blk, bool eject_flag); - int blk_get_flags(BlockBackend *blk); - uint32_t blk_get_request_alignment(BlockBackend *blk); - uint32_t blk_get_max_transfer(BlockBackend *blk); -+uint64_t blk_get_max_hw_transfer(BlockBackend *blk); - int blk_get_max_iov(BlockBackend *blk); - void blk_set_guest_block_size(BlockBackend *blk, int align); - void *blk_try_blockalign(BlockBackend *blk, size_t size); diff --git a/packaging/block-backend-align-max_transfer-to-requ.patch b/packaging/block-backend-align-max_transfer-to-requ.patch deleted file mode 100644 index 0c0c8de5d..000000000 --- a/packaging/block-backend-align-max_transfer-to-requ.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Lin Ma -Date: Mon, 13 Sep 2021 17:07:37 +0800 -Subject: block-backend: align max_transfer to request alignment - -Git-commit: b99f7fa08a3df8b8a6a907642e5851cdcf43fa9f -References: bsc#1190425 - -Block device requests must be aligned to bs->bl.request_alignment. -It makes sense for drivers to align bs->bl.max_transfer the same -way; however when there is no specified limit, blk_get_max_transfer -just returns INT_MAX. Since the contract of the function does not -specify that INT_MAX means "no maximum", just align the outcome -of the function (whether INT_MAX or bs->bl.max_transfer) before -returning it. - -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - block/block-backend.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/block/block-backend.c b/block/block-backend.c -index 8b8f2a80a0d52635059e0315ae16..5344126d1ec81a0af792758da1ad 100644 ---- a/block/block-backend.c -+++ b/block/block-backend.c -@@ -1829,12 +1829,12 @@ uint32_t blk_get_request_alignment(BlockBackend *blk) - uint32_t blk_get_max_transfer(BlockBackend *blk) - { - BlockDriverState *bs = blk_bs(blk); -- uint32_t max = 0; -+ uint32_t max = INT_MAX; - - if (bs) { -- max = bs->bl.max_transfer; -+ max = MIN_NON_ZERO(max, bs->bl.max_transfer); - } -- return MIN_NON_ZERO(max, INT_MAX); -+ return ROUND_DOWN(max, blk_get_request_alignment(blk)); - } - - int blk_get_max_iov(BlockBackend *blk) diff --git a/packaging/block-iscsi-fix-heap-buffer-overflow-in-.patch b/packaging/block-iscsi-fix-heap-buffer-overflow-in-.patch deleted file mode 100644 index 0cfb025e8..000000000 --- a/packaging/block-iscsi-fix-heap-buffer-overflow-in-.patch +++ /dev/null @@ -1,84 +0,0 @@ -From: Chen Qun -Date: Sat, 18 Apr 2020 14:26:02 +0800 -Subject: block/iscsi:fix heap-buffer-overflow in iscsi_aio_ioctl_cb -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: ff0507c239a246fd7215b31c5658fc6a3ee1e4c5 -References: bsc#1180523, CVE-2020-11947 - -There is an overflow, the source 'datain.data[2]' is 100 bytes, - but the 'ss' is 252 bytes.This may cause a security issue because - we can access a lot of unrelated memory data. - -The len for sbp copy data should take the minimum of mx_sb_len and - sb_len_wr, not the maximum. - -If we use iscsi device for VM backend storage, ASAN show stack: - -READ of size 252 at 0xfffd149dcfc4 thread T0 - #0 0xaaad433d0d34 in __asan_memcpy (aarch64-softmmu/qemu-system-aarch64+0x2cb0d34) - #1 0xaaad45f9d6d0 in iscsi_aio_ioctl_cb /qemu/block/iscsi.c:996:9 - #2 0xfffd1af0e2dc (/usr/lib64/iscsi/libiscsi.so.8+0xe2dc) - #3 0xfffd1af0d174 (/usr/lib64/iscsi/libiscsi.so.8+0xd174) - #4 0xfffd1af19fac (/usr/lib64/iscsi/libiscsi.so.8+0x19fac) - #5 0xaaad45f9acc8 in iscsi_process_read /qemu/block/iscsi.c:403:5 - #6 0xaaad4623733c in aio_dispatch_handler /qemu/util/aio-posix.c:467:9 - #7 0xaaad4622f350 in aio_dispatch_handlers /qemu/util/aio-posix.c:510:20 - #8 0xaaad4622f350 in aio_dispatch /qemu/util/aio-posix.c:520 - #9 0xaaad46215944 in aio_ctx_dispatch /qemu/util/async.c:298:5 - #10 0xfffd1bed12f4 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x512f4) - #11 0xaaad46227de0 in glib_pollfds_poll /qemu/util/main-loop.c:219:9 - #12 0xaaad46227de0 in os_host_main_loop_wait /qemu/util/main-loop.c:242 - #13 0xaaad46227de0 in main_loop_wait /qemu/util/main-loop.c:518 - #14 0xaaad43d9d60c in qemu_main_loop /qemu/softmmu/vl.c:1662:9 - #15 0xaaad4607a5b0 in main /qemu/softmmu/main.c:49:5 - #16 0xfffd1a460b9c in __libc_start_main (/lib64/libc.so.6+0x20b9c) - #17 0xaaad43320740 in _start (aarch64-softmmu/qemu-system-aarch64+0x2c00740) - -0xfffd149dcfc4 is located 0 bytes to the right of 100-byte region [0xfffd149dcf60,0xfffd149dcfc4) -allocated by thread T0 here: - #0 0xaaad433d1e70 in __interceptor_malloc (aarch64-softmmu/qemu-system-aarch64+0x2cb1e70) - #1 0xfffd1af0e254 (/usr/lib64/iscsi/libiscsi.so.8+0xe254) - #2 0xfffd1af0d174 (/usr/lib64/iscsi/libiscsi.so.8+0xd174) - #3 0xfffd1af19fac (/usr/lib64/iscsi/libiscsi.so.8+0x19fac) - #4 0xaaad45f9acc8 in iscsi_process_read /qemu/block/iscsi.c:403:5 - #5 0xaaad4623733c in aio_dispatch_handler /qemu/util/aio-posix.c:467:9 - #6 0xaaad4622f350 in aio_dispatch_handlers /qemu/util/aio-posix.c:510:20 - #7 0xaaad4622f350 in aio_dispatch /qemu/util/aio-posix.c:520 - #8 0xaaad46215944 in aio_ctx_dispatch /qemu/util/async.c:298:5 - #9 0xfffd1bed12f4 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x512f4) - #10 0xaaad46227de0 in glib_pollfds_poll /qemu/util/main-loop.c:219:9 - #11 0xaaad46227de0 in os_host_main_loop_wait /qemu/util/main-loop.c:242 - #12 0xaaad46227de0 in main_loop_wait /qemu/util/main-loop.c:518 - #13 0xaaad43d9d60c in qemu_main_loop /qemu/softmmu/vl.c:1662:9 - #14 0xaaad4607a5b0 in main /qemu/softmmu/main.c:49:5 - #15 0xfffd1a460b9c in __libc_start_main (/lib64/libc.so.6+0x20b9c) - #16 0xaaad43320740 in _start (aarch64-softmmu/qemu-system-aarch64+0x2c00740) - -Reported-by: Euler Robot -Signed-off-by: Chen Qun -Reviewed-by: Stefan Hajnoczi -Message-id: 20200418062602.10776-1-kuhn.chenqun@huawei.com -Reviewed-by: Daniel P. Berrangé -Signed-off-by: Peter Maydell -Signed-off-by: Bruce Rogers ---- - block/iscsi.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/block/iscsi.c b/block/iscsi.c -index cbd57294ab4417a33657af0fbce8..3a528c15ec9e17386569f604df86 100644 ---- a/block/iscsi.c -+++ b/block/iscsi.c -@@ -991,8 +991,7 @@ iscsi_aio_ioctl_cb(struct iscsi_context *iscsi, int status, - acb->ioh->driver_status |= SG_ERR_DRIVER_SENSE; - - acb->ioh->sb_len_wr = acb->task->datain.size - 2; -- ss = (acb->ioh->mx_sb_len >= acb->ioh->sb_len_wr) ? -- acb->ioh->mx_sb_len : acb->ioh->sb_len_wr; -+ ss = MIN(acb->ioh->mx_sb_len, acb->ioh->sb_len_wr); - memcpy(acb->ioh->sbp, &acb->task->datain.data[2], ss); - } - diff --git a/packaging/blockjob-Fix-crash-with-IOthread-when-bl.patch b/packaging/blockjob-Fix-crash-with-IOthread-when-bl.patch deleted file mode 100644 index 06248b20e..000000000 --- a/packaging/blockjob-Fix-crash-with-IOthread-when-bl.patch +++ /dev/null @@ -1,113 +0,0 @@ -From: Michael Qiu -Date: Wed, 3 Feb 2021 10:40:59 +0800 -Subject: blockjob: Fix crash with IOthread when block commit after snapshot - -Git-commit: 076d467aacdf6dc5d01e2e61740b1795f2aec2f6 -References: bsc#1187013 - -Currently, if guest has workloads, IO thread will acquire aio_context -lock before do io_submit, it leads to segmentfault when do block commit -after snapshot. Just like below: - -Program received signal SIGSEGV, Segmentation fault. - -[Switching to Thread 0x7f7c7d91f700 (LWP 99907)] -0x00005576d0f65aab in bdrv_mirror_top_pwritev at ../block/mirror.c:1437 -1437 ../block/mirror.c: No such file or directory. -(gdb) p s->job -$17 = (MirrorBlockJob *) 0x0 -(gdb) p s->stop -$18 = false - -Call trace of IO thread: -0 0x00005576d0f65aab in bdrv_mirror_top_pwritev at ../block/mirror.c:1437 -1 0x00005576d0f7f3ab in bdrv_driver_pwritev at ../block/io.c:1174 -2 0x00005576d0f8139d in bdrv_aligned_pwritev at ../block/io.c:1988 -3 0x00005576d0f81b65 in bdrv_co_pwritev_part at ../block/io.c:2156 -4 0x00005576d0f8e6b7 in blk_do_pwritev_part at ../block/block-backend.c:1260 -5 0x00005576d0f8e84d in blk_aio_write_entry at ../block/block-backend.c:1476 -... - -Switch to qemu main thread: -0 0x00007f903be704ed in __lll_lock_wait at -/lib/../lib64/libpthread.so.0 -1 0x00007f903be6bde6 in _L_lock_941 at /lib/../lib64/libpthread.so.0 -2 0x00007f903be6bcdf in pthread_mutex_lock at -/lib/../lib64/libpthread.so.0 -3 0x0000564b21456889 in qemu_mutex_lock_impl at -../util/qemu-thread-posix.c:79 -4 0x0000564b213af8a5 in block_job_add_bdrv at ../blockjob.c:224 -5 0x0000564b213b00ad in block_job_create at ../blockjob.c:440 -6 0x0000564b21357c0a in mirror_start_job at ../block/mirror.c:1622 -7 0x0000564b2135a9af in commit_active_start at ../block/mirror.c:1867 -8 0x0000564b2133d132 in qmp_block_commit at ../blockdev.c:2768 -9 0x0000564b2141fef3 in qmp_marshal_block_commit at -qapi/qapi-commands-block-core.c:346 -10 0x0000564b214503c9 in do_qmp_dispatch_bh at -../qapi/qmp-dispatch.c:110 -11 0x0000564b21451996 in aio_bh_poll at ../util/async.c:164 -12 0x0000564b2146018e in aio_dispatch at ../util/aio-posix.c:381 -13 0x0000564b2145187e in aio_ctx_dispatch at ../util/async.c:306 -14 0x00007f9040239049 in g_main_context_dispatch at -/lib/../lib64/libglib-2.0.so.0 -15 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:232 -16 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:255 -17 0x0000564b21447368 in main_loop_wait at ../util/main-loop.c:531 -18 0x0000564b212304e1 in qemu_main_loop at ../softmmu/runstate.c:721 -19 0x0000564b20f7975e in main at ../softmmu/main.c:50 - -In IO thread when do bdrv_mirror_top_pwritev, the job is NULL, and stop field -is false, this means the MirrorBDSOpaque "s" object has not been initialized -yet, and this object is initialized by block_job_create(), but the initialize -process is stuck in acquiring the lock. - -In this situation, IO thread come to bdrv_mirror_top_pwritev(),which means that -mirror-top node is already inserted into block graph, but its bs->opaque->job -is not initialized. - -The root cause is that qemu main thread do release/acquire when hold the lock, -at the same time, IO thread get the lock after release stage, and the crash -occured. - -Actually, in this situation, job->job.aio_context will not equal to -qemu_get_aio_context(), and will be the same as bs->aio_context, -thus, no need to release the lock, becasue bdrv_root_attach_child() -will not change the context. - -This patch fix this issue. - -Fixes: 132ada80 "block: Adjust AioContexts when attaching nodes" - -Signed-off-by: Michael Qiu -Message-Id: <20210203024059.52683-1-08005325@163.com> -Signed-off-by: Kevin Wolf -Signed-off-by: Lin Ma ---- - blockjob.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/blockjob.c b/blockjob.c -index 701bd2588d5ca58826bad00e498d..37df602371d5b49b7372eb56e4e8 100644 ---- a/blockjob.c -+++ b/blockjob.c -@@ -212,14 +212,18 @@ int block_job_add_bdrv(BlockJob *job, const char *name, BlockDriverState *bs, - uint64_t perm, uint64_t shared_perm, Error **errp) - { - BdrvChild *c; -+ bool need_context_ops; - - bdrv_ref(bs); -- if (job->job.aio_context != qemu_get_aio_context()) { -+ -+ need_context_ops = bdrv_get_aio_context(bs) != job->job.aio_context; -+ -+ if (need_context_ops && job->job.aio_context != qemu_get_aio_context()) { - aio_context_release(job->job.aio_context); - } - c = bdrv_root_attach_child(bs, name, &child_job, job->job.aio_context, - perm, shared_perm, job, errp); -- if (job->job.aio_context != qemu_get_aio_context()) { -+ if (need_context_ops && job->job.aio_context != qemu_get_aio_context()) { - aio_context_acquire(job->job.aio_context); - } - if (c == NULL) { diff --git a/packaging/bootp-check-bootp_input-buffer-size.patch b/packaging/bootp-check-bootp_input-buffer-size.patch deleted file mode 100644 index 5f4a2e57d..000000000 --- a/packaging/bootp-check-bootp_input-buffer-size.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= -Date: Fri, 4 Jun 2021 16:15:14 +0400 -Subject: bootp: check bootp_input buffer size -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 2eca0838eee1da96204545e22cdaed860d9d7c6c -References: bsc#1187364, CVE-2021-3592 - -Fixes: CVE-2021-3592 -Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 - -Signed-off-by: Marc-André Lureau -Signed-off-by: Jose R Ziviani ---- - src/bootp.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c -index e0db8d19689490e179a95f57e4dd..cafa1eb1f36ad010c36f2fbb343e 100644 ---- a/slirp/src/bootp.c -+++ b/slirp/src/bootp.c -@@ -365,9 +365,9 @@ static void bootp_reply(Slirp *slirp, - - void bootp_input(struct mbuf *m) - { -- struct bootp_t *bp = mtod(m, struct bootp_t *); -+ struct bootp_t *bp = mtod_check(m, sizeof(struct bootp_t)); - -- if (bp->bp_op == BOOTP_REQUEST) { -+ if (bp && bp->bp_op == BOOTP_REQUEST) { - bootp_reply(m->slirp, bp, m_end(m)); - } - } diff --git a/packaging/bootp-limit-vendor-specific-area-to-inpu.patch b/packaging/bootp-limit-vendor-specific-area-to-inpu.patch deleted file mode 100644 index aabc2d66d..000000000 --- a/packaging/bootp-limit-vendor-specific-area-to-inpu.patch +++ /dev/null @@ -1,159 +0,0 @@ -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= -Date: Fri, 4 Jun 2021 19:25:28 +0400 -Subject: bootp: limit vendor-specific area to input packet memory buffer -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: f13cad45b25d92760bb0ad67bec0300a4d7d5275 -References: bsc#1187364, CVE-2021-3592 - -sizeof(bootp_t) currently holds DHCP_OPT_LEN. Remove this optional field -from the structure, to help with the following patch checking for -minimal header size. Modify the bootp_reply() function to take the -buffer boundaries and avoiding potential buffer overflow. - -Related to CVE-2021-3592. - -https://gitlab.freedesktop.org/slirp/libslirp/-/issues/44 - -Signed-off-by: Marc-André Lureau -Signed-off-by: Jose R Ziviani ---- - src/bootp.c | 26 +++++++++++++++----------- - src/bootp.h | 2 +- - src/mbuf.c | 5 +++++ - src/mbuf.h | 1 + - 4 files changed, 22 insertions(+), 12 deletions(-) - -diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c -index 46e96810ab1981957457135d1659..e0db8d19689490e179a95f57e4dd 100644 ---- a/slirp/src/bootp.c -+++ b/slirp/src/bootp.c -@@ -92,21 +92,22 @@ found: - return bc; - } - --static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, -+static void dhcp_decode(const struct bootp_t *bp, -+ const uint8_t *bp_end, -+ int *pmsg_type, - struct in_addr *preq_addr) - { -- const uint8_t *p, *p_end; -+ const uint8_t *p; - int len, tag; - - *pmsg_type = 0; - preq_addr->s_addr = htonl(0L); - - p = bp->bp_vend; -- p_end = p + DHCP_OPT_LEN; - if (memcmp(p, rfc1533_cookie, 4) != 0) - return; - p += 4; -- while (p < p_end) { -+ while (p < bp_end) { - tag = p[0]; - if (tag == RFC1533_PAD) { - p++; -@@ -114,10 +115,10 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, - break; - } else { - p++; -- if (p >= p_end) -+ if (p >= bp_end) - break; - len = *p++; -- if (p + len > p_end) { -+ if (p + len > bp_end) { - break; - } - DPRINTF("dhcp: tag=%d len=%d\n", tag, len); -@@ -144,7 +145,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, - } - } - --static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) -+static void bootp_reply(Slirp *slirp, -+ const struct bootp_t *bp, -+ const uint8_t *bp_end) - { - BOOTPClient *bc = NULL; - struct mbuf *m; -@@ -157,7 +160,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) - uint8_t client_ethaddr[ETH_ALEN]; - - /* extract exact DHCP msg type */ -- dhcp_decode(bp, &dhcp_msg_type, &preq_addr); -+ dhcp_decode(bp, bp_end, &dhcp_msg_type, &preq_addr); - DPRINTF("bootp packet op=%d msgtype=%d", bp->bp_op, dhcp_msg_type); - if (preq_addr.s_addr != htonl(0L)) - DPRINTF(" req_addr=%08" PRIx32 "\n", ntohl(preq_addr.s_addr)); -@@ -179,9 +182,10 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) - return; - } - m->m_data += IF_MAXLINKHDR; -+ m_inc(m, sizeof(struct bootp_t) + DHCP_OPT_LEN); - rbp = (struct bootp_t *)m->m_data; - m->m_data += sizeof(struct udpiphdr); -- memset(rbp, 0, sizeof(struct bootp_t)); -+ memset(rbp, 0, sizeof(struct bootp_t) + DHCP_OPT_LEN); - - if (dhcp_msg_type == DHCPDISCOVER) { - if (preq_addr.s_addr != htonl(0L)) { -@@ -235,7 +239,7 @@ static void bootp_reply(Slirp *slirp, const struct bootp_t *bp) - rbp->bp_siaddr = saddr.sin_addr; /* Server IP address */ - - q = rbp->bp_vend; -- end = (uint8_t *)&rbp[1]; -+ end = rbp->bp_vend + DHCP_OPT_LEN; - memcpy(q, rfc1533_cookie, 4); - q += 4; - -@@ -364,6 +368,6 @@ void bootp_input(struct mbuf *m) - struct bootp_t *bp = mtod(m, struct bootp_t *); - - if (bp->bp_op == BOOTP_REQUEST) { -- bootp_reply(m->slirp, bp); -+ bootp_reply(m->slirp, bp, m_end(m)); - } - } -diff --git a/slirp/src/bootp.h b/slirp/src/bootp.h -index a57fa51bcb77f2e810e4e583d775..31ce5fd33f8d71d1af846ba09f45 100644 ---- a/slirp/src/bootp.h -+++ b/slirp/src/bootp.h -@@ -114,7 +114,7 @@ struct bootp_t { - uint8_t bp_hwaddr[16]; - uint8_t bp_sname[64]; - char bp_file[128]; -- uint8_t bp_vend[DHCP_OPT_LEN]; -+ uint8_t bp_vend[]; - }; - - typedef struct { -diff --git a/slirp/src/mbuf.c b/slirp/src/mbuf.c -index cb2e971083a9d30e25552ee91f29..0c1a530f105372146b9f04273aba 100644 ---- a/slirp/src/mbuf.c -+++ b/slirp/src/mbuf.c -@@ -233,3 +233,8 @@ void *mtod_check(struct mbuf *m, size_t len) - - return NULL; - } -+ -+void *m_end(struct mbuf *m) -+{ -+ return m->m_data + m->m_len; -+} -diff --git a/slirp/src/mbuf.h b/slirp/src/mbuf.h -index 2015e3232f1b7840dc14d1c6bdb3..a9752a36e0d8c3795c2c3dda8536 100644 ---- a/slirp/src/mbuf.h -+++ b/slirp/src/mbuf.h -@@ -119,6 +119,7 @@ void m_adj(struct mbuf *, int); - int m_copy(struct mbuf *, struct mbuf *, int, int); - struct mbuf *dtom(Slirp *, void *); - void *mtod_check(struct mbuf *, size_t len); -+void *m_end(struct mbuf *); - - static inline void ifs_init(struct mbuf *ifm) - { diff --git a/packaging/cadence_gem-switch-to-use-qemu_receive_p.patch b/packaging/cadence_gem-switch-to-use-qemu_receive_p.patch deleted file mode 100644 index 88d81a5a7..000000000 --- a/packaging/cadence_gem-switch-to-use-qemu_receive_p.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Alexander Bulekov -Date: Mon, 1 Mar 2021 14:33:43 -0500 -Subject: cadence_gem: switch to use qemu_receive_packet() for loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: e73adfbeec9d4e008630c814759052ed945c3fed - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Alexander Bulekov -Signed-off-by: Jason Wang -Signed-off-by: Bruce Rogers ---- - hw/net/cadence_gem.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c -index b8be73dc558071f907cf5a6d1c53..be7c91123bf9bf6f253b24f96ccc 100644 ---- a/hw/net/cadence_gem.c -+++ b/hw/net/cadence_gem.c -@@ -1225,8 +1225,8 @@ static void gem_transmit(CadenceGEMState *s) - /* Send the packet somewhere */ - if (s->phy_loop || (s->regs[GEM_NWCTRL] & - GEM_NWCTRL_LOCALLOOP)) { -- gem_receive(qemu_get_queue(s->nic), tx_packet, -- total_bytes); -+ qemu_receive_packet(qemu_get_queue(s->nic), tx_packet, -+ total_bytes); - } else { - qemu_send_packet(qemu_get_queue(s->nic), tx_packet, - total_bytes); diff --git a/packaging/configure-only-populate-roms-if-softmmu.patch b/packaging/configure-only-populate-roms-if-softmmu.patch deleted file mode 100644 index 8f7a29a25..000000000 --- a/packaging/configure-only-populate-roms-if-softmmu.patch +++ /dev/null @@ -1,26 +0,0 @@ -From: Bruce Rogers -Date: Tue, 28 May 2019 14:23:37 -0600 -Subject: configure: only populate roms if softmmu - -Currently roms are mistakenly getting built in a linux-user only -configuration. Add check for softmmu in all places where our list of -roms is being added to. - -Signed-off-by: Bruce Rogers ---- - configure | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/configure b/configure -index 09a33aecfd6ef543eeee8c5023b6..94984691ab378620ac2e0ae771ca 100755 ---- a/configure -+++ b/configure -@@ -6327,7 +6327,7 @@ if { test "$cpu" = "i386" || test "$cpu" = "x86_64"; } && \ - fi - - # Only build s390-ccw bios if we're on s390x and the compiler has -march=z900 --if test "$cpu" = "s390x" ; then -+if test "$cpu" = "s390x" && test "$softmmu" = yes ; then - write_c_skeleton - if compile_prog "-march=z900" ""; then - roms="$roms s390-ccw" diff --git a/packaging/configure-remove-pkgversion-from-CONFIG_.patch b/packaging/configure-remove-pkgversion-from-CONFIG_.patch deleted file mode 100644 index bfde74ab7..000000000 --- a/packaging/configure-remove-pkgversion-from-CONFIG_.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Bruce Rogers -Date: Fri, 17 Apr 2020 13:07:37 -0600 -Subject: configure: remove $pkgversion from CONFIG_STAMP input to broaden - compatibility - -As part of the effort to close the gap with Leap I think we are fine -removing the $pkgversion component to creating a unique CONFIG_STAMP. -This stamp is only used in creating a unique symbol used in ensuring the -dynamically loaded modules correspond correctly to the loading qemu. -The default inputs to producing this unique symbol are somewhat reasonable -as a generic mechanism, but specific packaging and maintenance practices -might require the default to be modified for best use. This is an example -of that. - -Signed-off-by: Bruce Rogers ---- - configure | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/configure b/configure -index 94984691ab378620ac2e0ae771ca..c68e378776336748b227013a1a3f 100755 ---- a/configure -+++ b/configure -@@ -6811,7 +6811,7 @@ fi - if test "$modules" = "yes"; then - # $shacmd can generate a hash started with digit, which the compiler doesn't - # like as an symbol. So prefix it with an underscore -- echo "CONFIG_STAMP=_$( (echo $qemu_version; echo $pkgversion; cat $0) | $shacmd - | cut -f1 -d\ )" >> $config_host_mak -+ echo "CONFIG_STAMP=_$( (echo $qemu_version; cat $0) | $shacmd - | cut -f1 -d\ )" >> $config_host_mak - echo "CONFIG_MODULES=y" >> $config_host_mak - fi - if test "$have_x11" = "yes" && test "$need_x11" = "yes"; then diff --git a/packaging/device-core-use-RCU-for-list-of-children.patch b/packaging/device-core-use-RCU-for-list-of-children.patch deleted file mode 100644 index df03094da..000000000 --- a/packaging/device-core-use-RCU-for-list-of-children.patch +++ /dev/null @@ -1,263 +0,0 @@ -From: Maxim Levitsky -Date: Tue, 6 Oct 2020 15:38:59 +0300 -Subject: device-core: use RCU for list of children of a bus - -Git-commit: 2d24a64661549732fc77f632928318dd52f5bce5 -References: bsc#1184574 - -This fixes the race between device emulation code that tries to find -a child device to dispatch the request to (e.g a scsi disk), -and hotplug of a new device to that bus. - -Note that this doesn't convert all the readers of the list -but only these that might go over that list without BQL held. - -This is a very small first step to make this code thread safe. - -Suggested-by: Paolo Bonzini -Signed-off-by: Maxim Levitsky -Reviewed-by: Stefan Hajnoczi -Message-Id: <20200913160259.32145-5-mlevitsk@redhat.com> -[Use RCU_READ_LOCK_GUARD in more places, adjust testcase now that - the delay in DEVICE_DELETED due to RCU is more consistent. - Paolo] -Signed-off-by: Paolo Bonzini -Message-Id: <20201006123904.610658-9-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - hw/core/bus.c | 28 ++++++++++++++++------------ - hw/core/qdev.c | 37 +++++++++++++++++++++++-------------- - hw/scsi/scsi-bus.c | 12 +++++++++--- - hw/scsi/virtio-scsi.c | 6 +++++- - include/hw/qdev-core.h | 9 +++++++++ - 5 files changed, 62 insertions(+), 30 deletions(-) - -diff --git a/hw/core/bus.c b/hw/core/bus.c -index 7f3d2a3dbda72fe0a5dfea3ff1f1..85bc9436e603c43813936f24aba9 100644 ---- a/hw/core/bus.c -+++ b/hw/core/bus.c -@@ -49,12 +49,14 @@ int qbus_walk_children(BusState *bus, - } - } - -- QTAILQ_FOREACH(kid, &bus->children, sibling) { -- err = qdev_walk_children(kid->child, -- pre_devfn, pre_busfn, -- post_devfn, post_busfn, opaque); -- if (err < 0) { -- return err; -+ WITH_RCU_READ_LOCK_GUARD() { -+ QTAILQ_FOREACH_RCU(kid, &bus->children, sibling) { -+ err = qdev_walk_children(kid->child, -+ pre_devfn, pre_busfn, -+ post_devfn, post_busfn, opaque); -+ if (err < 0) { -+ return err; -+ } - } - } - -@@ -158,12 +160,14 @@ static void bus_set_realized(Object *obj, bool value, Error **errp) - - /* TODO: recursive realization */ - } else if (!value && bus->realized) { -- QTAILQ_FOREACH(kid, &bus->children, sibling) { -- DeviceState *dev = kid->child; -- object_property_set_bool(OBJECT(dev), false, "realized", -- &local_err); -- if (local_err != NULL) { -- break; -+ WITH_RCU_READ_LOCK_GUARD() { -+ QTAILQ_FOREACH_RCU(kid, &bus->children, sibling) { -+ DeviceState *dev = kid->child; -+ object_property_set_bool(OBJECT(dev), false, "realized", -+ &local_err); -+ if (local_err != NULL) { -+ break; -+ } - } - } - if (bc->unrealize && local_err == NULL) { -diff --git a/hw/core/qdev.c b/hw/core/qdev.c -index 342ea8a3feb955c3318616252ead..917f3f6ae2efbcf01c8ed65a3d34 100644 ---- a/hw/core/qdev.c -+++ b/hw/core/qdev.c -@@ -49,6 +49,12 @@ const VMStateDescription *qdev_get_vmsd(DeviceState *dev) - return dc->vmsd; - } - -+static void bus_free_bus_child(BusChild *kid) -+{ -+ object_unref(OBJECT(kid->child)); -+ g_free(kid); -+} -+ - static void bus_remove_child(BusState *bus, DeviceState *child) - { - BusChild *kid; -@@ -58,15 +64,16 @@ static void bus_remove_child(BusState *bus, DeviceState *child) - char name[32]; - - snprintf(name, sizeof(name), "child[%d]", kid->index); -- QTAILQ_REMOVE(&bus->children, kid, sibling); -+ QTAILQ_REMOVE_RCU(&bus->children, kid, sibling); - - bus->num_children--; - - /* This gives back ownership of kid->child back to us. */ - object_property_del(OBJECT(bus), name, NULL); -- object_unref(OBJECT(kid->child)); -- g_free(kid); -- return; -+ -+ /* free the bus kid, when it is safe to do so*/ -+ call_rcu(kid, bus_free_bus_child, rcu); -+ break; - } - } - } -@@ -81,7 +88,7 @@ static void bus_add_child(BusState *bus, DeviceState *child) - kid->child = child; - object_ref(OBJECT(kid->child)); - -- QTAILQ_INSERT_HEAD(&bus->children, kid, sibling); -+ QTAILQ_INSERT_HEAD_RCU(&bus->children, kid, sibling); - - /* This transfers ownership of kid->child to the property. */ - snprintf(name, sizeof(name), "child[%d]", kid->index); -@@ -640,17 +647,19 @@ DeviceState *qdev_find_recursive(BusState *bus, const char *id) - DeviceState *ret; - BusState *child; - -- QTAILQ_FOREACH(kid, &bus->children, sibling) { -- DeviceState *dev = kid->child; -+ WITH_RCU_READ_LOCK_GUARD() { -+ QTAILQ_FOREACH_RCU(kid, &bus->children, sibling) { -+ DeviceState *dev = kid->child; - -- if (dev->id && strcmp(dev->id, id) == 0) { -- return dev; -- } -+ if (dev->id && strcmp(dev->id, id) == 0) { -+ return dev; -+ } - -- QLIST_FOREACH(child, &dev->child_bus, sibling) { -- ret = qdev_find_recursive(child, id); -- if (ret) { -- return ret; -+ QLIST_FOREACH(child, &dev->child_bus, sibling) { -+ ret = qdev_find_recursive(child, id); -+ if (ret) { -+ return ret; -+ } - } - } - } -diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c -index 4f277985f64be532c8151a0ac09b..3c604bfe22e02a4e7b7f11f80769 100644 ---- a/hw/scsi/scsi-bus.c -+++ b/hw/scsi/scsi-bus.c -@@ -412,7 +412,10 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r) - id = r->req.dev->id; - found_lun0 = false; - n = 0; -- QTAILQ_FOREACH(kid, &r->req.bus->qbus.children, sibling) { -+ -+ RCU_READ_LOCK_GUARD(); -+ -+ QTAILQ_FOREACH_RCU(kid, &r->req.bus->qbus.children, sibling) { - DeviceState *qdev = kid->child; - SCSIDevice *dev = SCSI_DEVICE(qdev); - -@@ -433,7 +436,7 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r) - memset(r->buf, 0, len); - stl_be_p(&r->buf[0], n); - i = found_lun0 ? 8 : 16; -- QTAILQ_FOREACH(kid, &r->req.bus->qbus.children, sibling) { -+ QTAILQ_FOREACH_RCU(kid, &r->req.bus->qbus.children, sibling) { - DeviceState *qdev = kid->child; - SCSIDevice *dev = SCSI_DEVICE(qdev); - -@@ -442,6 +445,7 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r) - i += 8; - } - } -+ - assert(i == n + 8); - r->len = len; - return true; -@@ -1584,7 +1588,8 @@ SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun) - BusChild *kid; - SCSIDevice *target_dev = NULL; - -- QTAILQ_FOREACH(kid, &bus->qbus.children, sibling) { -+ RCU_READ_LOCK_GUARD(); -+ QTAILQ_FOREACH_RCU(kid, &bus->qbus.children, sibling) { - DeviceState *qdev = kid->child; - SCSIDevice *dev = SCSI_DEVICE(qdev); - -@@ -1603,6 +1608,7 @@ SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun) - } - } - } -+ - return target_dev; - } - -diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c -index 2e5bcf442384905d8d80fd487eea..52c3a964ecb112a9d1c00bfbe57d 100644 ---- a/hw/scsi/virtio-scsi.c -+++ b/hw/scsi/virtio-scsi.c -@@ -374,12 +374,16 @@ static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req) - case VIRTIO_SCSI_T_TMF_I_T_NEXUS_RESET: - target = req->req.tmf.lun[1]; - s->resetting++; -- QTAILQ_FOREACH(kid, &s->bus.qbus.children, sibling) { -+ -+ rcu_read_lock(); -+ QTAILQ_FOREACH_RCU(kid, &s->bus.qbus.children, sibling) { - d = SCSI_DEVICE(kid->child); - if (d->channel == 0 && d->id == target) { - qdev_reset_all(&d->qdev); - } - } -+ rcu_read_unlock(); -+ - s->resetting--; - break; - -diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h -index 2b0186f0af593deee82a02693589..bcc0c572c5a4ed431219fd902ece 100644 ---- a/include/hw/qdev-core.h -+++ b/include/hw/qdev-core.h -@@ -3,6 +3,8 @@ - - #include "qemu/queue.h" - #include "qemu/bitmap.h" -+#include "qemu/rcu.h" -+#include "qemu/rcu_queue.h" - #include "qom/object.h" - #include "hw/hotplug.h" - -@@ -216,6 +218,7 @@ struct BusClass { - }; - - typedef struct BusChild { -+ struct rcu_head rcu; - DeviceState *child; - int index; - QTAILQ_ENTRY(BusChild) sibling; -@@ -235,6 +238,12 @@ struct BusState { - int max_index; - bool realized; - int num_children; -+ -+ /* -+ * children is a RCU QTAILQ, thus readers must use RCU to access it, -+ * and writers must hold the big qemu lock -+ */ -+ - QTAILQ_HEAD(, BusChild) children; - QLIST_ENTRY(BusState) sibling; - }; diff --git a/packaging/device-core-use-atomic_set-on-.realized-.patch b/packaging/device-core-use-atomic_set-on-.realized-.patch deleted file mode 100644 index ea7aad854..000000000 --- a/packaging/device-core-use-atomic_set-on-.realized-.patch +++ /dev/null @@ -1,83 +0,0 @@ -From: Maxim Levitsky -Date: Tue, 6 Oct 2020 15:39:00 +0300 -Subject: device-core: use atomic_set on .realized property - -Git-commit: a23151e8cc8cc08546252dc9c7671171d9c44615 -References: bsc#1184574 - -Some code might race with placement of new devices on a bus. -We currently first place a (unrealized) device on the bus -and then realize it. - -As a workaround, users that scan the child device list, can -check the realized property to see if it is safe to access such a device. -Use an atomic write here too to aid with this. - -A separate discussion is what to do with devices that are unrealized: -It looks like for this case we only call the hotplug handler's unplug -callback and its up to it to unrealize the device. -An atomic operation doesn't cause harm for this code path though. - -Signed-off-by: Maxim Levitsky -Reviewed-by: Stefan Hajnoczi -Message-Id: <20200913160259.32145-6-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Message-Id: <20201006123904.610658-10-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - hw/core/qdev.c | 19 ++++++++++++++++++- - include/hw/qdev-core.h | 2 ++ - 2 files changed, 20 insertions(+), 1 deletion(-) - -diff --git a/hw/core/qdev.c b/hw/core/qdev.c -index 917f3f6ae2efbcf01c8ed65a3d34..d261c36e760db0cbabcda626d187 100644 ---- a/hw/core/qdev.c -+++ b/hw/core/qdev.c -@@ -937,7 +937,25 @@ static void device_set_realized(Object *obj, bool value, Error **errp) - } - } - -+ atomic_store_release(&dev->realized, value); -+ - } else if (!value && dev->realized) { -+ -+ /* -+ * Change the value so that any concurrent users are aware -+ * that the device is going to be unrealized -+ * -+ * TODO: change .realized property to enum that states -+ * each phase of the device realization/unrealization -+ */ -+ -+ atomic_set(&dev->realized, value); -+ /* -+ * Ensure that concurrent users see this update prior to -+ * any other changes done by unrealize. -+ */ -+ smp_wmb(); -+ - Error **local_errp = NULL; - QLIST_FOREACH(bus, &dev->child_bus, sibling) { - local_errp = local_err ? NULL : &local_err; -@@ -959,7 +977,6 @@ static void device_set_realized(Object *obj, bool value, Error **errp) - goto fail; - } - -- dev->realized = value; - return; - - child_realize_fail: -diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h -index bcc0c572c5a4ed431219fd902ece..66d031683f461a5fa6b854057299 100644 ---- a/include/hw/qdev-core.h -+++ b/include/hw/qdev-core.h -@@ -143,6 +143,8 @@ struct NamedGPIOList { - /** - * DeviceState: - * @realized: Indicates whether the device has been fully constructed. -+ * When accessed outsize big qemu lock, must be accessed with -+ * atomic_load_acquire() - * - * This structure should not be accessed directly. We declare it here - * so that it can be embedded in individual device state structures. diff --git a/packaging/device-plug-test-use-qtest_qmp-to-send-t.patch b/packaging/device-plug-test-use-qtest_qmp-to-send-t.patch deleted file mode 100644 index 8ff2a77b8..000000000 --- a/packaging/device-plug-test-use-qtest_qmp-to-send-t.patch +++ /dev/null @@ -1,102 +0,0 @@ -From: Paolo Bonzini -Date: Wed, 7 Oct 2020 07:37:41 -0400 -Subject: device-plug-test: use qtest_qmp to send the device_del command - -Git-commit: c45a70d8c271056896a057fbcdc7743a2942d0ec -References: bsc#1184574 - -Simplify the code now that events are buffered. There is no need -anymore to separate sending the command and retrieving the response. - -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - tests/device-plug-test.c | 32 +++++++++----------------------- - 1 file changed, 9 insertions(+), 23 deletions(-) - -diff --git a/tests/device-plug-test.c b/tests/device-plug-test.c -index f44bf0bb8496819391821a7b71da..1eb587762b143d6470f3080e6371 100644 ---- a/tests/device-plug-test.c -+++ b/tests/device-plug-test.c -@@ -15,26 +15,17 @@ - #include "qapi/qmp/qdict.h" - #include "qapi/qmp/qstring.h" - --static void device_del_start(QTestState *qtest, const char *id) -+static void device_del(QTestState *qtest, const char *id) - { -- qtest_qmp_send(qtest, -- "{'execute': 'device_del', 'arguments': { 'id': %s } }", id); --} -+ QDict *resp; - --static void device_del_finish(QTestState *qtest) --{ -- QDict *resp = qtest_qmp_receive_dict(qtest); -+ resp = qtest_qmp(qtest, -+ "{'execute': 'device_del', 'arguments': { 'id': %s } }", id); - - g_assert(qdict_haskey(resp, "return")); - qobject_unref(resp); - } - --static void device_del_request(QTestState *qtest, const char *id) --{ -- device_del_start(qtest, id); -- device_del_finish(qtest); --} -- - static void system_reset(QTestState *qtest) - { - QDict *resp; -@@ -79,7 +70,7 @@ static void test_pci_unplug_request(void) - * be processed. However during system reset, the removal will be - * handled, removing the device. - */ -- device_del_request(qtest, "dev0"); -+ device_del(qtest, "dev0"); - system_reset(qtest); - wait_device_deleted_event(qtest, "dev0"); - -@@ -90,13 +81,8 @@ static void test_ccw_unplug(void) - { - QTestState *qtest = qtest_initf("-device virtio-balloon-ccw,id=dev0"); - -- /* -- * The DEVICE_DELETED events will be sent before the command -- * completes. -- */ -- device_del_start(qtest, "dev0"); -+ device_del(qtest, "dev0"); - wait_device_deleted_event(qtest, "dev0"); -- device_del_finish(qtest); - - qtest_quit(qtest); - } -@@ -109,7 +95,7 @@ static void test_spapr_cpu_unplug_request(void) - "-device power9_v2.0-spapr-cpu-core,core-id=1,id=dev0"); - - /* similar to test_pci_unplug_request */ -- device_del_request(qtest, "dev0"); -+ device_del(qtest, "dev0"); - system_reset(qtest); - wait_device_deleted_event(qtest, "dev0"); - -@@ -125,7 +111,7 @@ static void test_spapr_memory_unplug_request(void) - "-device pc-dimm,id=dev0,memdev=mem0"); - - /* similar to test_pci_unplug_request */ -- device_del_request(qtest, "dev0"); -+ device_del(qtest, "dev0"); - system_reset(qtest); - wait_device_deleted_event(qtest, "dev0"); - -@@ -139,7 +125,7 @@ static void test_spapr_phb_unplug_request(void) - qtest = qtest_initf("-device spapr-pci-host-bridge,index=1,id=dev0"); - - /* similar to test_pci_unplug_request */ -- device_del_request(qtest, "dev0"); -+ device_del(qtest, "dev0"); - system_reset(qtest); - wait_device_deleted_event(qtest, "dev0"); - diff --git a/packaging/device_core-use-drain_call_rcu-in-in-qmp.patch b/packaging/device_core-use-drain_call_rcu-in-in-qmp.patch deleted file mode 100644 index 2db79de8b..000000000 --- a/packaging/device_core-use-drain_call_rcu-in-in-qmp.patch +++ /dev/null @@ -1,46 +0,0 @@ -From: Maxim Levitsky -Date: Tue, 6 Oct 2020 14:38:58 +0200 -Subject: device_core: use drain_call_rcu in in qmp_device_add - -Git-commit: 7bed89958bfbf40df9ca681cefbdca63abdde39d -References: bsc#1184574 - -Soon, a device removal might only happen on RCU callback execution. -This is okay for device-del which provides a DEVICE_DELETED event, -but not for the failure case of device-add. To avoid changing -monitor semantics, just drain all pending RCU callbacks on error. - -Signed-off-by: Maxim Levitsky -Suggested-by: Stefan Hajnoczi -Reviewed-by: Stefan Hajnoczi -Message-Id: <20200913160259.32145-4-mlevitsk@redhat.com> -[Don't use it in qmp_device_del. - Paolo] -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - qdev-monitor.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/qdev-monitor.c b/qdev-monitor.c -index dc0323051e33833c4bcb638c7657..ade59c9ec6a54a258cc5ab21ace4 100644 ---- a/qdev-monitor.c -+++ b/qdev-monitor.c -@@ -796,6 +796,18 @@ void qmp_device_add(QDict *qdict, QObject **ret_data, Error **errp) - return; - } - dev = qdev_device_add(opts, &local_err); -+ -+ /* -+ * Drain all pending RCU callbacks. This is done because -+ * some bus related operations can delay a device removal -+ * (in this case this can happen if device is added and then -+ * removed due to a configuration error) -+ * to a RCU callback, but user might expect that this interface -+ * will finish its job completely once qmp command returns result -+ * to the user -+ */ -+ drain_call_rcu(); -+ - if (!dev) { - error_propagate(errp, local_err); - qemu_opts_del(opts); diff --git a/packaging/dhcp-Always-send-DHCP_OPT_LEN-bytes-in-o.patch b/packaging/dhcp-Always-send-DHCP_OPT_LEN-bytes-in-o.patch deleted file mode 100644 index 804e90a79..000000000 --- a/packaging/dhcp-Always-send-DHCP_OPT_LEN-bytes-in-o.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Samuel Thibault -Date: Mon, 21 Jun 2021 08:38:32 +0200 -Subject: dhcp: Always send DHCP_OPT_LEN bytes in options - -Git-commit: d7fb54218424c3b2517aee5b391ced0f75386a5d -References: bsc#1187364, CVE-2021-3592 - -RFC2131 suggests that the options field may be at least 312 bytes. -Some DHCP clients seem to assume that it has to be at least 312 bytes. - -Fixes #51 -Fixes: f13cad45b25d92760bb0ad67bec0300a4d7d5275 ("bootp: limit -vendor-specific area to input packet memory buffer") - -Signed-off-by: Samuel Thibault -Signed-off-by: Jose R Ziviani ---- - src/bootp.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/slirp/src/bootp.c b/slirp/src/bootp.c -index cafa1eb1f36ad010c36f2fbb343e..d78d61b44cdcb47ba7f7019bdffb 100644 ---- a/slirp/src/bootp.c -+++ b/slirp/src/bootp.c -@@ -355,11 +355,13 @@ static void bootp_reply(Slirp *slirp, - q += sizeof(nak_msg) - 1; - } - assert(q < end); -- *q = RFC1533_END; -+ *q++ = RFC1533_END; - - daddr.sin_addr.s_addr = 0xffffffffu; - -- m->m_len = sizeof(struct bootp_t) - sizeof(struct ip) - sizeof(struct udphdr); -+ assert(q <= end); -+ -+ m->m_len = sizeof(struct bootp_t) + (end - rbp->bp_vend) - sizeof(struct ip) - sizeof(struct udphdr); - udp_output(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY); - } - diff --git a/packaging/dp8393x-switch-to-use-qemu_receive_packe.patch b/packaging/dp8393x-switch-to-use-qemu_receive_packe.patch deleted file mode 100644 index bedc36811..000000000 --- a/packaging/dp8393x-switch-to-use-qemu_receive_packe.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Jason Wang -Date: Wed, 24 Feb 2021 12:57:40 +0800 -Subject: dp8393x: switch to use qemu_receive_packet() for loopback packet -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 331d2ac9ea307c990dc86e6493e8f0c48d14bb33 - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Bruce Rogers ---- - hw/net/dp8393x.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c -index 6433cae0f5947469e516ff2f5eeb..6bd5005dabaf6aa1ed2d254e4aec 100644 ---- a/hw/net/dp8393x.c -+++ b/hw/net/dp8393x.c -@@ -499,7 +499,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s) - s->regs[SONIC_TCR] |= SONIC_TCR_CRSL; - if (nc->info->can_receive(nc)) { - s->loopback_packet = 1; -- nc->info->receive(nc, s->tx_buffer, tx_len); -+ qemu_receive_packet(nc, s->tx_buffer, tx_len); - } - } else { - /* Transmit packet */ diff --git a/packaging/e1000-fail-early-for-evil-descriptor.patch b/packaging/e1000-fail-early-for-evil-descriptor.patch deleted file mode 100644 index 7cbf29322..000000000 --- a/packaging/e1000-fail-early-for-evil-descriptor.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: Jason Wang -Date: Wed, 24 Feb 2021 13:45:28 +0800 -Subject: e1000: fail early for evil descriptor - -Git-commit: 3de46e6fc489c52c9431a8a832ad8170a7569bd8 -References: bsc#1182577, CVE-2021-20257 - -During procss_tx_desc(), driver can try to chain data descriptor with -legacy descriptor, when will lead underflow for the following -calculation in process_tx_desc() for bytes: - - if (tp->size + bytes > msh) - bytes = msh - tp->size; - -This will lead a infinite loop. So check and fail early if tp->size if -greater or equal to msh. - -Reported-by: Alexander Bulekov -Reported-by: Cheolwoo Myung -Reported-by: Ruhr-University Bochum -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Signed-off-by: Jason Wang -Signed-off-by: Bruce Rogers ---- - hw/net/e1000.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/hw/net/e1000.c b/hw/net/e1000.c -index a73f8d404e6c75e90237fdbf2a05..d1404ea531936774516196445b33 100644 ---- a/hw/net/e1000.c -+++ b/hw/net/e1000.c -@@ -671,6 +671,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) - msh = tp->tso_props.hdr_len + tp->tso_props.mss; - do { - bytes = split_size; -+ if (tp->size >= msh) { -+ goto eop; -+ } - if (tp->size + bytes > msh) - bytes = msh - tp->size; - -@@ -696,6 +699,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) - tp->size += split_size; - } - -+eop: - if (!(txd_lower & E1000_TXD_CMD_EOP)) - return; - if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) { diff --git a/packaging/e1000-switch-to-use-qemu_receive_packet-.patch b/packaging/e1000-switch-to-use-qemu_receive_packet-.patch deleted file mode 100644 index 544b2ef2c..000000000 --- a/packaging/e1000-switch-to-use-qemu_receive_packet-.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Jason Wang -Date: Wed, 24 Feb 2021 12:13:22 +0800 -Subject: e1000: switch to use qemu_receive_packet() for loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 1caff0340f49c93d535c6558a5138d20d475315c - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Jason Wang -Signed-off-by: Bruce Rogers ---- - hw/net/e1000.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/e1000.c b/hw/net/e1000.c -index d1404ea531936774516196445b33..9c486038f4f41896b9779ab5fb1d 100644 ---- a/hw/net/e1000.c -+++ b/hw/net/e1000.c -@@ -547,7 +547,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size) - - NetClientState *nc = qemu_get_queue(s->nic); - if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) { -- nc->info->receive(nc, buf, size); -+ qemu_receive_packet(nc, buf, size); - } else { - qemu_send_packet(nc, buf, size); - } diff --git a/packaging/enable-cross-compilation-on-ARM.patch b/packaging/enable-cross-compilation-on-ARM.patch deleted file mode 100644 index 0ca1fb982..000000000 --- a/packaging/enable-cross-compilation-on-ARM.patch +++ /dev/null @@ -1,22 +0,0 @@ -From: Bruce Rogers -Date: Mon, 26 Aug 2019 13:28:57 -0600 -Subject: enable cross compilation on ARM - -Signed-off-by: Bruce Rogers ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/roms/seabios/Makefile b/roms/seabios/Makefile -index ca8d0283922bbfa931e85511e921..d807c558ef0f09b5975f6ccc38f1 100644 ---- a/roms/seabios/Makefile -+++ b/roms/seabios/Makefile -@@ -13,7 +13,7 @@ export CONFIG_SHELL := sh - export KCONFIG_AUTOHEADER := autoconf.h - export KCONFIG_CONFIG := $(CURDIR)/.config - export LC_ALL := C --CROSS_PREFIX= -+CROSS_PREFIX=$(CROSS_COMPILE) - ifneq ($(CROSS_PREFIX),) - CC=$(CROSS_PREFIX)gcc - endif diff --git a/packaging/ensure-headers-included-are-compatible-w.patch b/packaging/ensure-headers-included-are-compatible-w.patch deleted file mode 100644 index abb391103..000000000 --- a/packaging/ensure-headers-included-are-compatible-w.patch +++ /dev/null @@ -1,52 +0,0 @@ -From: Bruce Rogers -Date: Fri, 1 Nov 2019 19:32:57 -0600 -Subject: ensure headers included are compatible with freestanding mode - -Certain standard headers are designated for use in freestanding mode -while others are prohibited. To conform to these rules, use -instead of as well as switch one reference to -the "string.h" implemented in project. - -Signed-off-by: Bruce Rogers ---- - include/bios.h | 2 +- - malloc.c | 2 +- - pci.c | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/roms/qboot/include/bios.h b/roms/qboot/include/bios.h -index f36638b977864c220bf3ed9a612f..7f8f677671d7b47e7c07f800646c 100644 ---- a/roms/qboot/include/bios.h -+++ b/roms/qboot/include/bios.h -@@ -1,7 +1,7 @@ - #ifndef BIOS_H_ - #define BIOS_H_ - --#include -+#include - #include - #include - -diff --git a/roms/qboot/malloc.c b/roms/qboot/malloc.c -index 8738373b774358425b2767fc7e9f..bd0ac0f23ee1e3c4a8f5e003ff1d 100644 ---- a/roms/qboot/malloc.c -+++ b/roms/qboot/malloc.c -@@ -1,4 +1,4 @@ --#include -+#include - #include "string.h" - #include "bios.h" - -diff --git a/roms/qboot/pci.c b/roms/qboot/pci.c -index 65c9e81793ab7aad9b5d1679e78e..63ebda6a0580463ea2b562317cec 100644 ---- a/roms/qboot/pci.c -+++ b/roms/qboot/pci.c -@@ -1,7 +1,7 @@ - #include "bios.h" - #include "ioport.h" - #include "pci.h" --#include -+#include "string.h" - - static uint16_t addend; - static uint8_t bus, bridge_head; diff --git a/packaging/esp-always-check-current_req-is-not-NULL.patch b/packaging/esp-always-check-current_req-is-not-NULL.patch deleted file mode 100644 index a82836b89..000000000 --- a/packaging/esp-always-check-current_req-is-not-NULL.patch +++ /dev/null @@ -1,51 +0,0 @@ -From: Mark Cave-Ayland -Date: Wed, 7 Apr 2021 20:57:50 +0100 -Subject: esp: always check current_req is not NULL before use in DMA callbacks - -Git-commit: 0db895361b8a82e1114372ff9f4857abea605701 -References: bsc#1180433, CVE-2020-35504 - bsc#1180434, CVE-2020-35505 - bsc#1180435, CVE-2020-35506 - -After issuing a SCSI command the SCSI layer can call the SCSIBusInfo .cancel -callback which resets both current_req and current_dev to NULL. If any data -is left in the transfer buffer (async_len != 0) then the next TI (Transfer -Information) command will attempt to reference the NULL pointer causing a -segfault. - -Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 -Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 -Signed-off-by: Mark Cave-Ayland -Tested-by: Alexander Bulekov -Message-Id: <20210407195801.685-2-mark.cave-ayland@ilande.co.uk> -Signed-off-by: Jose R Ziviani ---- - hw/scsi/esp.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index f8fc30cccbd4478482b8291ac103..b5e6a50f5cb731a9815b655c9ae0 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -365,6 +365,11 @@ static void do_dma_pdma_cb(ESPState *s) - s->dma_left -= len; - s->async_buf += len; - s->async_len -= len; -+ -+ if (!s->current_req) { -+ return; -+ } -+ - if (to_device) { - s->ti_size += len; - } else { -@@ -415,6 +420,9 @@ static void esp_do_dma(ESPState *s) - do_cmd(s, s->cmdbuf); - return; - } -+ if (!s->current_req) { -+ return; -+ } - if (s->async_len == 0) { - /* Defer until data is available. */ - return; diff --git a/packaging/esp-don-t-reset-async_len-directly-in-es.patch b/packaging/esp-don-t-reset-async_len-directly-in-es.patch deleted file mode 100644 index 70ab6a528..000000000 --- a/packaging/esp-don-t-reset-async_len-directly-in-es.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Mark Cave-Ayland -Date: Wed, 7 Apr 2021 20:57:59 +0100 -Subject: esp: don't reset async_len directly in esp_select() if cancelling - request -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 324c8809897c8c53ad05c3a7147d272f1711cd5e -References: bsc#1180433, CVE-2020-35504 - bsc#1180434, CVE-2020-35505 - bsc#1180435, CVE-2020-35506 - -Instead let the SCSI layer invoke the .cancel callback itself to cancel and -reset the request state. - -Signed-off-by: Mark Cave-Ayland -Tested-by: Alexander Bulekov -Reviewed-by: Philippe Mathieu-Daudé -Message-Id: <20210407195801.685-11-mark.cave-ayland@ilande.co.uk> -Signed-off-by: Jose R Ziviani ---- - hw/scsi/esp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index 0f88689eb8b0dfbec5654870f10b..8445ebdb1f14f911498289fb3c73 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -93,6 +93,7 @@ void esp_request_cancelled(SCSIRequest *req) - scsi_req_unref(s->current_req); - s->current_req = NULL; - s->current_dev = NULL; -+ s->async_len = 0; - } - } - -@@ -133,7 +134,6 @@ static int get_cmd_cb(ESPState *s) - if (s->current_req) { - /* Started a new command before the old one finished. Cancel it. */ - scsi_req_cancel(s->current_req); -- s->async_len = 0; - } - - s->current_dev = scsi_device_find(&s->bus, 0, target, 0); diff --git a/packaging/esp-ensure-cmdfifo-is-not-empty-and-curr.patch b/packaging/esp-ensure-cmdfifo-is-not-empty-and-curr.patch deleted file mode 100644 index b360b4d15..000000000 --- a/packaging/esp-ensure-cmdfifo-is-not-empty-and-curr.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Mark Cave-Ayland -Date: Wed, 7 Apr 2021 20:57:55 +0100 -Subject: esp: ensure cmdfifo is not empty and current_dev is non-NULL -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 99545751734035b76bd372c4e7215bb337428d89 -References: bsc#1180433, CVE-2020-35504 - bsc#1180434, CVE-2020-35505 - bsc#1180435, CVE-2020-35506 - -When about to execute a SCSI command, ensure that cmdfifo is not empty and -current_dev is non-NULL. This can happen if the guest tries to execute a TI -(Transfer Information) command without issuing one of the select commands -first. - -Buglink: https://bugs.launchpad.net/qemu/+bug/1910723 -Buglink: https://bugs.launchpad.net/qemu/+bug/1909247 -Signed-off-by: Mark Cave-Ayland -Reviewed-by: Philippe Mathieu-Daudé -Tested-by: Alexander Bulekov -Message-Id: <20210407195801.685-7-mark.cave-ayland@ilande.co.uk> -Signed-off-by: Jose R Ziviani ---- - hw/scsi/esp.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index b5e6a50f5cb731a9815b655c9ae0..0f88689eb8b0dfbec5654870f10b 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -193,6 +193,11 @@ static void do_busid_cmd(ESPState *s, uint8_t *buf, uint8_t busid) - - trace_esp_do_busid_cmd(busid); - lun = busid & 7; -+ -+ if (!s->current_dev) { -+ return; -+ } -+ - current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun); - s->current_req = scsi_req_new(current_lun, 0, lun, buf, s); - datalen = scsi_req_enqueue(s->current_req); diff --git a/packaging/esp-ensure-that-do_cmd-is-set-to-zero-be.patch b/packaging/esp-ensure-that-do_cmd-is-set-to-zero-be.patch deleted file mode 100644 index 985936552..000000000 --- a/packaging/esp-ensure-that-do_cmd-is-set-to-zero-be.patch +++ /dev/null @@ -1,53 +0,0 @@ -From: Mark Cave-Ayland -Date: Wed, 7 Apr 2021 20:58:00 +0100 -Subject: esp: ensure that do_cmd is set to zero before submitting an ESP - select command -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 607206948cacda4a80be5b976dba490970a18a76 -References: bsc#1180433, CVE-2020-35504 - bsc#1180434, CVE-2020-35505 - bsc#1180435, CVE-2020-35506 - -When a CDB has been received and is about to be submitted to the SCSI layer -via one of the ESP select commands, ensure that do_cmd is set to zero before -executing the command. - -Otherwise a guest executing 2 valid CDBs in quick sequence can invoke the SCSI -.transfer_data callback again before do_cmd is set to zero by the callback -function triggering an assert at the start of esp_transfer_data(). - -Signed-off-by: Mark Cave-Ayland -Reviewed-by: Philippe Mathieu-Daudé -Message-Id: <20210407195801.685-12-mark.cave-ayland@ilande.co.uk> -Signed-off-by: Jose R Ziviani ---- - hw/scsi/esp.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index 8445ebdb1f14f911498289fb3c73..e1072a3c5afca523b0ac2b51ae15 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -246,8 +246,10 @@ static void handle_satn(ESPState *s) - } - s->pdma_cb = satn_pdma_cb; - len = get_cmd(s, buf, sizeof(buf)); -- if (len) -+ if (len) { -+ s->do_cmd = 0; - do_cmd(s, buf); -+ } - } - - static void s_without_satn_pdma_cb(ESPState *s) -@@ -272,6 +274,7 @@ static void handle_s_without_atn(ESPState *s) - s->pdma_cb = s_without_satn_pdma_cb; - len = get_cmd(s, buf, sizeof(buf)); - if (len) { -+ s->do_cmd = 0; - do_busid_cmd(s, buf, 0); - } - } diff --git a/packaging/exec-set-map-length-to-zero-when-returni.patch b/packaging/exec-set-map-length-to-zero-when-returni.patch deleted file mode 100644 index 27f94b58a..000000000 --- a/packaging/exec-set-map-length-to-zero-when-returni.patch +++ /dev/null @@ -1,54 +0,0 @@ -From: Prasad J Pandit -Date: Tue, 26 May 2020 16:47:43 +0530 -Subject: exec: set map length to zero when returning NULL -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 -References: bsc#1172386, CVE-2020-13659 - -When mapping physical memory into host's virtual address space, -'address_space_map' may return NULL if BounceBuffer is in_use. -Set and return '*plen = 0' to avoid later NULL pointer dereference. - -Reported-by: Alexander Bulekov -Fixes: https://bugs.launchpad.net/qemu/+bug/1878259 -Suggested-by: Paolo Bonzini -Suggested-by: Peter Maydell -Signed-off-by: Prasad J Pandit -Message-Id: <20200526111743.428367-1-ppandit@redhat.com> -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Paolo Bonzini -Signed-off-by: Bruce Rogers ---- - exec.c | 1 + - include/exec/memory.h | 3 ++- - 2 files changed, 3 insertions(+), 1 deletion(-) - -diff --git a/exec.c b/exec.c -index ffdb5185353bdbacc613d4730228..43c70ffbfd37bbd20d9481d1f90b 100644 ---- a/exec.c -+++ b/exec.c -@@ -3528,6 +3528,7 @@ void *address_space_map(AddressSpace *as, - - if (!memory_access_is_direct(mr, is_write)) { - if (atomic_xchg(&bounce.in_use, true)) { -+ *plen = 0; - return NULL; - } - /* Avoid unbounded allocations */ -diff --git a/include/exec/memory.h b/include/exec/memory.h -index e499dc215b3021a11e981ff6d982..2b8bccdd8c1e641f092fcc9d8517 100644 ---- a/include/exec/memory.h -+++ b/include/exec/memory.h -@@ -2084,7 +2084,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len, - /* address_space_map: map a physical memory region into a host virtual address - * - * May map a subset of the requested range, given by and returned in @plen. -- * May return %NULL if resources needed to perform the mapping are exhausted. -+ * May return %NULL and set *@plen to zero(0), if resources needed to perform -+ * the mapping are exhausted. - * Use only for reads OR writes - not for read-modify-write operations. - * Use cpu_register_map_client() to know when retrying the map operation is - * likely to succeed. diff --git a/packaging/file-posix-fix-max_iov-for-dev-sg-device.patch b/packaging/file-posix-fix-max_iov-for-dev-sg-device.patch deleted file mode 100644 index 838ff9f0b..000000000 --- a/packaging/file-posix-fix-max_iov-for-dev-sg-device.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Lin Ma -Date: Mon, 13 Sep 2021 17:06:36 +0800 -Subject: file-posix: fix max_iov for /dev/sg devices - -Git-commit: 8ad5ab6148dca8aad297c134c09c84b0b92d45ed -References: bsc#1190425 - -Even though it was only called for devices that have bs->sg set (which -must be character devices), sg_get_max_segments looked at /sys/dev/block -which only works for block devices. - -On Linux the sg driver has its own way to provide the maximum number of -iovecs in a scatter/gather list, so add support for it. The block device -path is kept because it will be reinstated in the next patches. - -Signed-off-by: Paolo Bonzini -Reviewed-by: Max Reitz -Signed-off-by: Lin Ma ---- - block/file-posix.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/block/file-posix.c b/block/file-posix.c -index 1b805bd9381f2c8f057d6459fc62..e3cf5a160a46030b4e07b7b61203 100644 ---- a/block/file-posix.c -+++ b/block/file-posix.c -@@ -1088,6 +1088,17 @@ static int sg_get_max_segments(int fd) - goto out; - } - -+ if (S_ISCHR(st.st_mode)) { -+ if (ioctl(fd, SG_GET_SG_TABLESIZE, &ret) == 0) { -+ return ret; -+ } -+ return -ENOTSUP; -+ } -+ -+ if (!S_ISBLK(st.st_mode)) { -+ return -ENOTSUP; -+ } -+ - sysfspath = g_strdup_printf("/sys/dev/block/%u:%u/queue/max_segments", - major(st.st_rdev), minor(st.st_rdev)); - sysfd = open(sysfspath, O_RDONLY); diff --git a/packaging/file-posix-try-BLKSECTGET-on-block-devic.patch b/packaging/file-posix-try-BLKSECTGET-on-block-devic.patch deleted file mode 100644 index 20b7632e3..000000000 --- a/packaging/file-posix-try-BLKSECTGET-on-block-devic.patch +++ /dev/null @@ -1,134 +0,0 @@ -From: Lin Ma -Date: Mon, 13 Sep 2021 17:08:11 +0800 -Subject: file-posix: try BLKSECTGET on block devices too, do not round to - power of 2 - -Git-commit: 18473467d55a20d643b6c9b3a52de42f705b4d35 -References: bsc#1190425 - -bs->sg is only true for character devices, but block devices can also -be used with scsi-block and scsi-generic. Unfortunately BLKSECTGET -returns bytes in an int for /dev/sgN devices, and sectors in a short -for block devices, so account for that in the code. - -The maximum transfer also need not be a power of 2 (for example I have -seen disks with 1280 KiB maximum transfer) so there's no need to pass -the result through pow2floor. - -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - block/file-posix.c | 57 +++++++++++++++++++++++++++------------------- - 1 file changed, 33 insertions(+), 24 deletions(-) - -diff --git a/block/file-posix.c b/block/file-posix.c -index 59149186c6937907070a2683a82a..7dcd24c6fdb9618c527f2f884c32 100644 ---- a/block/file-posix.c -+++ b/block/file-posix.c -@@ -1057,22 +1057,27 @@ static void raw_reopen_abort(BDRVReopenState *state) - s->reopen_state = NULL; - } - --static int sg_get_max_transfer_length(int fd) -+static int hdev_get_max_hw_transfer(int fd, struct stat *st) - { - #ifdef BLKSECTGET -- int max_bytes = 0; -- -- if (ioctl(fd, BLKSECTGET, &max_bytes) == 0) { -- return max_bytes; -+ if (S_ISBLK(st->st_mode)) { -+ unsigned short max_sectors = 0; -+ if (ioctl(fd, BLKSECTGET, &max_sectors) == 0) { -+ return max_sectors * 512; -+ } - } else { -- return -errno; -+ int max_bytes = 0; -+ if (ioctl(fd, BLKSECTGET, &max_bytes) == 0) { -+ return max_bytes; -+ } - } -+ return -errno; - #else - return -ENOSYS; - #endif - } - --static int sg_get_max_segments(int fd) -+static int hdev_get_max_segments(int fd, struct stat *st) - { - #ifdef CONFIG_LINUX - char buf[32]; -@@ -1081,26 +1086,20 @@ static int sg_get_max_segments(int fd) - int ret; - int sysfd = -1; - long max_segments; -- struct stat st; - -- if (fstat(fd, &st)) { -- ret = -errno; -- goto out; -- } -- -- if (S_ISCHR(st.st_mode)) { -+ if (S_ISCHR(st->st_mode)) { - if (ioctl(fd, SG_GET_SG_TABLESIZE, &ret) == 0) { - return ret; - } - return -ENOTSUP; - } - -- if (!S_ISBLK(st.st_mode)) { -+ if (!S_ISBLK(st->st_mode)) { - return -ENOTSUP; - } - - sysfspath = g_strdup_printf("/sys/dev/block/%u:%u/queue/max_segments", -- major(st.st_rdev), minor(st.st_rdev)); -+ major(st->st_rdev), minor(st->st_rdev)); - sysfd = open(sysfspath, O_RDONLY); - if (sysfd == -1) { - ret = -errno; -@@ -1137,23 +1136,33 @@ out: - static void raw_refresh_limits(BlockDriverState *bs, Error **errp) - { - BDRVRawState *s = bs->opaque; -+ struct stat st; -+ -+ raw_probe_alignment(bs, s->fd, errp); -+ bs->bl.min_mem_alignment = s->buf_align; -+ bs->bl.opt_mem_alignment = MAX(s->buf_align, qemu_real_host_page_size); - -- if (bs->sg) { -- int ret = sg_get_max_transfer_length(s->fd); -+ /* -+ * Maximum transfers are best effort, so it is okay to ignore any -+ * errors. That said, based on the man page errors in fstat would be -+ * very much unexpected; the only possible case seems to be ENOMEM. -+ */ -+ if (fstat(s->fd, &st)) { -+ return; -+ } -+ -+ if (bs->sg || S_ISBLK(st.st_mode)) { -+ int ret = hdev_get_max_hw_transfer(s->fd, &st); - - if (ret > 0 && ret <= BDRV_REQUEST_MAX_BYTES) { -- bs->bl.max_hw_transfer = pow2floor(ret); -+ bs->bl.max_hw_transfer = ret; - } - -- ret = sg_get_max_segments(s->fd); -+ ret = hdev_get_max_segments(s->fd, &st); - if (ret > 0) { - bs->bl.max_iov = ret; - } - } -- -- raw_probe_alignment(bs, s->fd, errp); -- bs->bl.min_mem_alignment = s->buf_align; -- bs->bl.opt_mem_alignment = MAX(s->buf_align, qemu_real_host_page_size); - } - - static int check_for_dasd(int fd) diff --git a/packaging/gcc10-maybe-uninitialized.patch b/packaging/gcc10-maybe-uninitialized.patch deleted file mode 100644 index e979baeac..000000000 --- a/packaging/gcc10-maybe-uninitialized.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Bruce Rogers -Date: Wed, 22 Apr 2020 08:50:55 -0600 -Subject: gcc10: maybe-uninitialized -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -References: boo#1169728 - -gcc 10 needs some help to understand that indeed cpu_irqs[0] does get -initialized in all cases. In this case an assert is sufficient. - -Reported-by: Martin Liška -Signed-off-by: Bruce Rogers ---- - hw/openrisc/openrisc_sim.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/openrisc/openrisc_sim.c b/hw/openrisc/openrisc_sim.c -index 79e70493fc77e50556a4a92a4231..bc4b71059ff6d922e3cdc83bfc79 100644 ---- a/hw/openrisc/openrisc_sim.c -+++ b/hw/openrisc/openrisc_sim.c -@@ -134,6 +134,7 @@ static void openrisc_sim_init(MachineState *machine) - int n; - unsigned int smp_cpus = machine->smp.cpus; - -+ assert(smp_cpus >= 1 && smp_cpus <= 2); - for (n = 0; n < smp_cpus; n++) { - cpu = OPENRISC_CPU(cpu_create(machine->cpu_type)); - if (cpu == NULL) { diff --git a/packaging/hmat-acpi-Build-Memory-Proximity-Domain-.patch b/packaging/hmat-acpi-Build-Memory-Proximity-Domain-.patch deleted file mode 100644 index bea56ab05..000000000 --- a/packaging/hmat-acpi-Build-Memory-Proximity-Domain-.patch +++ /dev/null @@ -1,258 +0,0 @@ -From: Liu Jingqi -Date: Fri, 13 Dec 2019 09:19:25 +0800 -Subject: hmat acpi: Build Memory Proximity Domain Attributes Structure(s) - -Git-commit: e6f123c3b81241be33f1b763d0ff8b36d1ae9c1e -References: jsc#SLE-8897 - -HMAT is defined in ACPI 6.3: 5.2.27 Heterogeneous Memory Attribute Table -(HMAT). The specification references below link: -http://www.uefi.org/sites/default/files/resources/ACPI_6_3_final_Jan30.pdf - -It describes the memory attributes, such as memory side cache -attributes and bandwidth and latency details, related to the -Memory Proximity Domain. The software is -expected to use this information as hint for optimization. - -This structure describes Memory Proximity Domain Attributes by memory -subsystem and its associativity with processor proximity domain as well as -hint for memory usage. - -In the linux kernel, the codes in drivers/acpi/hmat/hmat.c parse and report -the platform's HMAT tables. - -Acked-by: Markus Armbruster -Reviewed-by: Igor Mammedov -Reviewed-by: Daniel Black -Reviewed-by: Jonathan Cameron -Signed-off-by: Liu Jingqi -Signed-off-by: Tao Xu -Message-Id: <20191213011929.2520-5-tao3.xu@intel.com> -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Bruce Rogers ---- - hw/acpi/Kconfig | 7 ++- - hw/acpi/Makefile.objs | 1 + - hw/acpi/hmat.c | 99 +++++++++++++++++++++++++++++++++++++++++++ - hw/acpi/hmat.h | 42 ++++++++++++++++++ - hw/i386/acpi-build.c | 5 +++ - 5 files changed, 152 insertions(+), 2 deletions(-) - -diff --git a/hw/acpi/Kconfig b/hw/acpi/Kconfig -index 12e3f1e86e62256bf274b554938b..54209c6f2f17d4ca0a737cb25403 100644 ---- a/hw/acpi/Kconfig -+++ b/hw/acpi/Kconfig -@@ -7,6 +7,7 @@ config ACPI_X86 - select ACPI_NVDIMM - select ACPI_CPU_HOTPLUG - select ACPI_MEMORY_HOTPLUG -+ select ACPI_HMAT - - config ACPI_X86_ICH - bool -@@ -23,6 +24,10 @@ config ACPI_NVDIMM - bool - depends on ACPI - -+config ACPI_HMAT -+ bool -+ depends on ACPI -+ - config ACPI_PCI - bool - depends on ACPI && PCI -@@ -33,5 +38,3 @@ config ACPI_VMGENID - depends on PC - - config ACPI_HW_REDUCED -- bool -- depends on ACPI -diff --git a/hw/acpi/Makefile.objs b/hw/acpi/Makefile.objs -index 655a9c197341fed6fcea2062a30c..517bd88704769d8605dde18a6776 100644 ---- a/hw/acpi/Makefile.objs -+++ b/hw/acpi/Makefile.objs -@@ -7,6 +7,7 @@ common-obj-$(CONFIG_ACPI_CPU_HOTPLUG) += cpu.o - common-obj-$(CONFIG_ACPI_NVDIMM) += nvdimm.o - common-obj-$(CONFIG_ACPI_VMGENID) += vmgenid.o - common-obj-$(CONFIG_ACPI_HW_REDUCED) += generic_event_device.o -+common-obj-$(CONFIG_ACPI_HMAT) += hmat.o - common-obj-$(call lnot,$(CONFIG_ACPI_X86)) += acpi-stub.o - - common-obj-y += acpi_interface.o -diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c -new file mode 100644 -index 0000000000000000000000000000000000000000..9ff79308a497fe40a1b0a2f9a043ad3bebb2c3cb ---- /dev/null -+++ b/hw/acpi/hmat.c -@@ -0,0 +1,99 @@ -+/* -+ * HMAT ACPI Implementation -+ * -+ * Copyright(C) 2019 Intel Corporation. -+ * -+ * Author: -+ * Liu jingqi -+ * Tao Xu -+ * -+ * HMAT is defined in ACPI 6.3: 5.2.27 Heterogeneous Memory Attribute Table -+ * (HMAT) -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, see -+ */ -+ -+#include "qemu/osdep.h" -+#include "sysemu/numa.h" -+#include "hw/acpi/hmat.h" -+ -+/* -+ * ACPI 6.3: -+ * 5.2.27.3 Memory Proximity Domain Attributes Structure: Table 5-145 -+ */ -+static void build_hmat_mpda(GArray *table_data, uint16_t flags, -+ uint32_t initiator, uint32_t mem_node) -+{ -+ -+ /* Memory Proximity Domain Attributes Structure */ -+ /* Type */ -+ build_append_int_noprefix(table_data, 0, 2); -+ /* Reserved */ -+ build_append_int_noprefix(table_data, 0, 2); -+ /* Length */ -+ build_append_int_noprefix(table_data, 40, 4); -+ /* Flags */ -+ build_append_int_noprefix(table_data, flags, 2); -+ /* Reserved */ -+ build_append_int_noprefix(table_data, 0, 2); -+ /* Proximity Domain for the Attached Initiator */ -+ build_append_int_noprefix(table_data, initiator, 4); -+ /* Proximity Domain for the Memory */ -+ build_append_int_noprefix(table_data, mem_node, 4); -+ /* Reserved */ -+ build_append_int_noprefix(table_data, 0, 4); -+ /* -+ * Reserved: -+ * Previously defined as the Start Address of the System Physical -+ * Address Range. Deprecated since ACPI Spec 6.3. -+ */ -+ build_append_int_noprefix(table_data, 0, 8); -+ /* -+ * Reserved: -+ * Previously defined as the Range Length of the region in bytes. -+ * Deprecated since ACPI Spec 6.3. -+ */ -+ build_append_int_noprefix(table_data, 0, 8); -+} -+ -+/* Build HMAT sub table structures */ -+static void hmat_build_table_structs(GArray *table_data, NumaState *numa_state) -+{ -+ uint16_t flags; -+ int i; -+ -+ for (i = 0; i < numa_state->num_nodes; i++) { -+ flags = 0; -+ -+ if (numa_state->nodes[i].initiator < MAX_NODES) { -+ flags |= HMAT_PROXIMITY_INITIATOR_VALID; -+ } -+ -+ build_hmat_mpda(table_data, flags, numa_state->nodes[i].initiator, i); -+ } -+} -+ -+void build_hmat(GArray *table_data, BIOSLinker *linker, NumaState *numa_state) -+{ -+ int hmat_start = table_data->len; -+ -+ /* reserve space for HMAT header */ -+ acpi_data_push(table_data, 40); -+ -+ hmat_build_table_structs(table_data, numa_state); -+ -+ build_header(linker, table_data, -+ (void *)(table_data->data + hmat_start), -+ "HMAT", table_data->len - hmat_start, 2, NULL, NULL); -+} -diff --git a/hw/acpi/hmat.h b/hw/acpi/hmat.h -new file mode 100644 -index 0000000000000000000000000000000000000000..437dbc6872e82e4c1ae42a9ff16299465eec052f ---- /dev/null -+++ b/hw/acpi/hmat.h -@@ -0,0 +1,42 @@ -+/* -+ * HMAT ACPI Implementation Header -+ * -+ * Copyright(C) 2019 Intel Corporation. -+ * -+ * Author: -+ * Liu jingqi -+ * Tao Xu -+ * -+ * HMAT is defined in ACPI 6.3: 5.2.27 Heterogeneous Memory Attribute Table -+ * (HMAT) -+ * -+ * This library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public -+ * License as published by the Free Software Foundation; either -+ * version 2 of the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public -+ * License along with this library; if not, see -+ */ -+ -+#ifndef HMAT_H -+#define HMAT_H -+ -+#include "hw/acpi/aml-build.h" -+ -+/* -+ * ACPI 6.3: 5.2.27.3 Memory Proximity Domain Attributes Structure, -+ * Table 5-145, Field "flag", Bit [0]: set to 1 to indicate that data in -+ * the Proximity Domain for the Attached Initiator field is valid. -+ * Other bits reserved. -+ */ -+#define HMAT_PROXIMITY_INITIATOR_VALID 0x1 -+ -+void build_hmat(GArray *table_data, BIOSLinker *linker, NumaState *numa_state); -+ -+#endif -diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c -index 12ff55fcfb543208c18ba44d569e..90a9c2ce6f8c01221efc56f63f79 100644 ---- a/hw/i386/acpi-build.c -+++ b/hw/i386/acpi-build.c -@@ -67,6 +67,7 @@ - #include "hw/i386/intel_iommu.h" - - #include "hw/acpi/ipmi.h" -+#include "hw/acpi/hmat.h" - - /* These are used to size the ACPI tables for -M pc-i440fx-1.7 and - * -M pc-i440fx-2.0. Even if the actual amount of AML generated grows -@@ -2834,6 +2835,10 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine) - acpi_add_table(table_offsets, tables_blob); - build_slit(tables_blob, tables->linker, machine); - } -+ if (machine->numa_state->hmat_enabled) { -+ acpi_add_table(table_offsets, tables_blob); -+ build_hmat(tables_blob, tables->linker, machine->numa_state); -+ } - } - if (acpi_get_mcfg(&mcfg)) { - acpi_add_table(table_offsets, tables_blob); diff --git a/packaging/hmat-acpi-Build-Memory-Side-Cache-Inform.patch b/packaging/hmat-acpi-Build-Memory-Side-Cache-Inform.patch deleted file mode 100644 index 9cdac909d..000000000 --- a/packaging/hmat-acpi-Build-Memory-Side-Cache-Inform.patch +++ /dev/null @@ -1,122 +0,0 @@ -From: Liu Jingqi -Date: Fri, 13 Dec 2019 09:19:27 +0800 -Subject: hmat acpi: Build Memory Side Cache Information Structure(s) - -Git-commit: a9c2b841af002db6e21e1297c9026b63fc22c875 -References: jsc#SLE-8897 - -This structure describes memory side cache information for memory -proximity domains if the memory side cache is present and the -physical device forms the memory side cache. -The software could use this information to effectively place -the data in memory to maximize the performance of the system -memory that use the memory side cache. - -Acked-by: Markus Armbruster -Reviewed-by: Igor Mammedov -Reviewed-by: Daniel Black -Reviewed-by: Jonathan Cameron -Signed-off-by: Liu Jingqi -Signed-off-by: Tao Xu -Message-Id: <20191213011929.2520-7-tao3.xu@intel.com> -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Bruce Rogers ---- - hw/acpi/hmat.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 68 insertions(+), 1 deletion(-) - -diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c -index 4635d45deeccd34659f6c8325d66..7c24bb53719e497d5cc6cf3f262e 100644 ---- a/hw/acpi/hmat.c -+++ b/hw/acpi/hmat.c -@@ -143,14 +143,62 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb, - g_free(entry_list); - } - -+/* ACPI 6.3: 5.2.27.5 Memory Side Cache Information Structure: Table 5-147 */ -+static void build_hmat_cache(GArray *table_data, uint8_t total_levels, -+ NumaHmatCacheOptions *hmat_cache) -+{ -+ /* -+ * Cache Attributes: Bits [3:0] – Total Cache Levels -+ * for this Memory Proximity Domain -+ */ -+ uint32_t cache_attr = total_levels; -+ -+ /* Bits [7:4] : Cache Level described in this structure */ -+ cache_attr |= (uint32_t) hmat_cache->level << 4; -+ -+ /* Bits [11:8] - Cache Associativity */ -+ cache_attr |= (uint32_t) hmat_cache->associativity << 8; -+ -+ /* Bits [15:12] - Write Policy */ -+ cache_attr |= (uint32_t) hmat_cache->policy << 12; -+ -+ /* Bits [31:16] - Cache Line size in bytes */ -+ cache_attr |= (uint32_t) hmat_cache->line << 16; -+ -+ /* Type */ -+ build_append_int_noprefix(table_data, 2, 2); -+ /* Reserved */ -+ build_append_int_noprefix(table_data, 0, 2); -+ /* Length */ -+ build_append_int_noprefix(table_data, 32, 4); -+ /* Proximity Domain for the Memory */ -+ build_append_int_noprefix(table_data, hmat_cache->node_id, 4); -+ /* Reserved */ -+ build_append_int_noprefix(table_data, 0, 4); -+ /* Memory Side Cache Size */ -+ build_append_int_noprefix(table_data, hmat_cache->size, 8); -+ /* Cache Attributes */ -+ build_append_int_noprefix(table_data, cache_attr, 4); -+ /* Reserved */ -+ build_append_int_noprefix(table_data, 0, 2); -+ /* -+ * Number of SMBIOS handles (n) -+ * Linux kernel uses Memory Side Cache Information Structure -+ * without SMBIOS entries for now, so set Number of SMBIOS handles -+ * as 0. -+ */ -+ build_append_int_noprefix(table_data, 0, 2); -+} -+ - /* Build HMAT sub table structures */ - static void hmat_build_table_structs(GArray *table_data, NumaState *numa_state) - { - uint16_t flags; - uint32_t num_initiator = 0; - uint32_t initiator_list[MAX_NODES]; -- int i, hierarchy, type; -+ int i, hierarchy, type, cache_level, total_levels; - HMAT_LB_Info *hmat_lb; -+ NumaHmatCacheOptions *hmat_cache; - - for (i = 0; i < numa_state->num_nodes; i++) { - flags = 0; -@@ -184,6 +232,25 @@ static void hmat_build_table_structs(GArray *table_data, NumaState *numa_state) - } - } - } -+ -+ /* -+ * ACPI 6.3: 5.2.27.5 Memory Side Cache Information Structure: -+ * Table 5-147 -+ */ -+ for (i = 0; i < numa_state->num_nodes; i++) { -+ total_levels = 0; -+ for (cache_level = 1; cache_level < HMAT_LB_LEVELS; cache_level++) { -+ if (numa_state->hmat_cache[i][cache_level]) { -+ total_levels++; -+ } -+ } -+ for (cache_level = 0; cache_level <= total_levels; cache_level++) { -+ hmat_cache = numa_state->hmat_cache[i][cache_level]; -+ if (hmat_cache) { -+ build_hmat_cache(table_data, total_levels, hmat_cache); -+ } -+ } -+ } - } - - void build_hmat(GArray *table_data, BIOSLinker *linker, NumaState *numa_state) diff --git a/packaging/hmat-acpi-Build-System-Locality-Latency-.patch b/packaging/hmat-acpi-Build-System-Locality-Latency-.patch deleted file mode 100644 index 78f8e3079..000000000 --- a/packaging/hmat-acpi-Build-System-Locality-Latency-.patch +++ /dev/null @@ -1,159 +0,0 @@ -From: Liu Jingqi -Date: Fri, 13 Dec 2019 09:19:26 +0800 -Subject: hmat acpi: Build System Locality Latency and Bandwidth Information - Structure(s) - -Git-commit: 4586a2cb833f80b19c80ebe364a005ac2fa0974a -References: jsc#SLE-8897 - -This structure describes the memory access latency and bandwidth -information from various memory access initiator proximity domains. -The latency and bandwidth numbers represented in this structure -correspond to rated latency and bandwidth for the platform. -The software could use this information as hint for optimization. - -Acked-by: Markus Armbruster -Reviewed-by: Igor Mammedov -Signed-off-by: Liu Jingqi -Signed-off-by: Tao Xu -Message-Id: <20191213011929.2520-6-tao3.xu@intel.com> -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Bruce Rogers ---- - hw/acpi/hmat.c | 104 ++++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 103 insertions(+), 1 deletion(-) - -diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c -index 9ff79308a497fe40a1b0a2f9a043..4635d45deeccd34659f6c8325d66 100644 ---- a/hw/acpi/hmat.c -+++ b/hw/acpi/hmat.c -@@ -25,6 +25,7 @@ - */ - - #include "qemu/osdep.h" -+#include "qemu/units.h" - #include "sysemu/numa.h" - #include "hw/acpi/hmat.h" - -@@ -67,11 +68,89 @@ static void build_hmat_mpda(GArray *table_data, uint16_t flags, - build_append_int_noprefix(table_data, 0, 8); - } - -+/* -+ * ACPI 6.3: 5.2.27.4 System Locality Latency and Bandwidth Information -+ * Structure: Table 5-146 -+ */ -+static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb, -+ uint32_t num_initiator, uint32_t num_target, -+ uint32_t *initiator_list) -+{ -+ int i, index; -+ HMAT_LB_Data *lb_data; -+ uint16_t *entry_list; -+ uint32_t base; -+ /* Length in bytes for entire structure */ -+ uint32_t lb_length -+ = 32 /* Table length upto and including Entry Base Unit */ -+ + 4 * num_initiator /* Initiator Proximity Domain List */ -+ + 4 * num_target /* Target Proximity Domain List */ -+ + 2 * num_initiator * num_target; /* Latency or Bandwidth Entries */ -+ -+ /* Type */ -+ build_append_int_noprefix(table_data, 1, 2); -+ /* Reserved */ -+ build_append_int_noprefix(table_data, 0, 2); -+ /* Length */ -+ build_append_int_noprefix(table_data, lb_length, 4); -+ /* Flags: Bits [3:0] Memory Hierarchy, Bits[7:4] Reserved */ -+ assert(!(hmat_lb->hierarchy >> 4)); -+ build_append_int_noprefix(table_data, hmat_lb->hierarchy, 1); -+ /* Data Type */ -+ build_append_int_noprefix(table_data, hmat_lb->data_type, 1); -+ /* Reserved */ -+ build_append_int_noprefix(table_data, 0, 2); -+ /* Number of Initiator Proximity Domains (s) */ -+ build_append_int_noprefix(table_data, num_initiator, 4); -+ /* Number of Target Proximity Domains (t) */ -+ build_append_int_noprefix(table_data, num_target, 4); -+ /* Reserved */ -+ build_append_int_noprefix(table_data, 0, 4); -+ -+ /* Entry Base Unit */ -+ if (hmat_lb->data_type <= HMAT_LB_DATA_WRITE_LATENCY) { -+ /* Convert latency base from nanoseconds to picosecond */ -+ base = hmat_lb->base * 1000; -+ } else { -+ /* Convert bandwidth base from Byte to Megabyte */ -+ base = hmat_lb->base / MiB; -+ } -+ build_append_int_noprefix(table_data, base, 8); -+ -+ /* Initiator Proximity Domain List */ -+ for (i = 0; i < num_initiator; i++) { -+ build_append_int_noprefix(table_data, initiator_list[i], 4); -+ } -+ -+ /* Target Proximity Domain List */ -+ for (i = 0; i < num_target; i++) { -+ build_append_int_noprefix(table_data, i, 4); -+ } -+ -+ /* Latency or Bandwidth Entries */ -+ entry_list = g_malloc0(num_initiator * num_target * sizeof(uint16_t)); -+ for (i = 0; i < hmat_lb->list->len; i++) { -+ lb_data = &g_array_index(hmat_lb->list, HMAT_LB_Data, i); -+ index = lb_data->initiator * num_target + lb_data->target; -+ -+ entry_list[index] = (uint16_t)(lb_data->data / hmat_lb->base); -+ } -+ -+ for (i = 0; i < num_initiator * num_target; i++) { -+ build_append_int_noprefix(table_data, entry_list[i], 2); -+ } -+ -+ g_free(entry_list); -+} -+ - /* Build HMAT sub table structures */ - static void hmat_build_table_structs(GArray *table_data, NumaState *numa_state) - { - uint16_t flags; -- int i; -+ uint32_t num_initiator = 0; -+ uint32_t initiator_list[MAX_NODES]; -+ int i, hierarchy, type; -+ HMAT_LB_Info *hmat_lb; - - for (i = 0; i < numa_state->num_nodes; i++) { - flags = 0; -@@ -82,6 +161,29 @@ static void hmat_build_table_structs(GArray *table_data, NumaState *numa_state) - - build_hmat_mpda(table_data, flags, numa_state->nodes[i].initiator, i); - } -+ -+ for (i = 0; i < numa_state->num_nodes; i++) { -+ if (numa_state->nodes[i].has_cpu) { -+ initiator_list[num_initiator++] = i; -+ } -+ } -+ -+ /* -+ * ACPI 6.3: 5.2.27.4 System Locality Latency and Bandwidth Information -+ * Structure: Table 5-146 -+ */ -+ for (hierarchy = HMAT_LB_MEM_MEMORY; -+ hierarchy <= HMAT_LB_MEM_CACHE_3RD_LEVEL; hierarchy++) { -+ for (type = HMAT_LB_DATA_ACCESS_LATENCY; -+ type <= HMAT_LB_DATA_WRITE_BANDWIDTH; type++) { -+ hmat_lb = numa_state->hmat_lb[hierarchy][type]; -+ -+ if (hmat_lb && hmat_lb->list->len) { -+ build_hmat_lb(table_data, hmat_lb, num_initiator, -+ numa_state->num_nodes, initiator_list); -+ } -+ } -+ } - } - - void build_hmat(GArray *table_data, BIOSLinker *linker, NumaState *numa_state) diff --git a/packaging/hw-ehci-check-return-value-of-usb_packet.patch b/packaging/hw-ehci-check-return-value-of-usb_packet.patch deleted file mode 100644 index 97ebac930..000000000 --- a/packaging/hw-ehci-check-return-value-of-usb_packet.patch +++ /dev/null @@ -1,46 +0,0 @@ -From: Li Qiang -Date: Wed, 12 Aug 2020 09:17:27 -0700 -Subject: hw: ehci: check return value of 'usb_packet_map' - -Git-commit: 2fdb42d840400d58f2e706ecca82c142b97bcbd6 -References: bsc#1178934, CVE-2020-25723 - -If 'usb_packet_map' fails, we should stop to process the usb -request. - -Signed-off-by: Li Qiang -Message-Id: <20200812161727.29412-1-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann -Signed-off-by: Bruce Rogers ---- - hw/usb/hcd-ehci.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c -index 56ab2f457f4c139d9c38644fa1b5..024b1ed6b67f25b0d600b9077f50 100644 ---- a/hw/usb/hcd-ehci.c -+++ b/hw/usb/hcd-ehci.c -@@ -1374,7 +1374,10 @@ static int ehci_execute(EHCIPacket *p, const char *action) - spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0); - usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd, - (p->qtd.token & QTD_TOKEN_IOC) != 0); -- usb_packet_map(&p->packet, &p->sgl); -+ if (usb_packet_map(&p->packet, &p->sgl)) { -+ qemu_sglist_destroy(&p->sgl); -+ return -1; -+ } - p->async = EHCI_ASYNC_INITIALIZED; - } - -@@ -1453,7 +1456,10 @@ static int ehci_process_itd(EHCIState *ehci, - if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) { - usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false, - (itd->transact[i] & ITD_XACT_IOC) != 0); -- usb_packet_map(&ehci->ipacket, &ehci->isgl); -+ if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) { -+ qemu_sglist_destroy(&ehci->isgl); -+ return -1; -+ } - usb_handle_packet(dev, &ehci->ipacket); - usb_packet_unmap(&ehci->ipacket, &ehci->isgl); - } else { diff --git a/packaging/hw-i386-disable-smbus-migration-for-xenf.patch b/packaging/hw-i386-disable-smbus-migration-for-xenf.patch deleted file mode 100644 index 5d26d5125..000000000 --- a/packaging/hw-i386-disable-smbus-migration-for-xenf.patch +++ /dev/null @@ -1,43 +0,0 @@ -From: Olaf Hering -Date: Wed, 19 Feb 2020 15:15:15 +0100 -Subject: hw/i386: disable smbus migration for xenfv - -References: bsc#1159755 - -With commit 7fccf2a06890e3bc3b30e29827ad3fb93fe88fea a new member -smbus_no_migration_support was added, and enabled in two places. -With commit 4ab2f2a8aabfea95cc53c64e13b3f67960b27fdf the vmstate_acpi -got new elements, which are conditionally filled. As a result, an -incoming migration expected smbus related data unless smbus migration -was disabled for a given MachineClass. - -Since commit 7fccf2a06890e3bc3b30e29827ad3fb93fe88fea forgot to handle -xenfv, live migration to receiving hosts using qemu-4.0 and later is broken. - -Adjust 'xenfv' to stay compatible with with 'pc-i440fx-3.1': - - the toolstack can not use '-M pc-i440fx-3.1,accel=xen -device xen-platform' - because this would move the PCI device from 00:02.0 to 00:04.0 - - disable pvh. - Running PVH may require dedicated device_model_args= options which select - 'pc-i440fx-4.x' - -Signed-off-by: Olaf Hering -Signed-off-by: Bruce Rogers -[BR: Adjust implementation to simply call pc_i440fx_3_1_machine_options] ---- - hw/i386/pc_piix.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c -index d760d3589607daf4997ea76854c4..000e692d0e5af449270214ea9345 100644 ---- a/hw/i386/pc_piix.c -+++ b/hw/i386/pc_piix.c -@@ -1043,6 +1043,8 @@ DEFINE_PC_MACHINE(isapc, "isapc", pc_init_isa, - #ifdef CONFIG_XEN - static void xenfv_machine_options(MachineClass *m) - { -+ /* compat with pc_i440fx_3_1_machine_options */ -+ pc_i440fx_3_1_machine_options(m); - m->desc = "Xen Fully-virtualized PC"; - m->max_cpus = HVM_MAX_VCPUS; - m->default_machine_opts = "accel=xen"; diff --git a/packaging/hw-intc-arm_gic-Fix-interrupt-ID-in-GICD.patch b/packaging/hw-intc-arm_gic-Fix-interrupt-ID-in-GICD.patch deleted file mode 100644 index b155965d4..000000000 --- a/packaging/hw-intc-arm_gic-Fix-interrupt-ID-in-GICD.patch +++ /dev/null @@ -1,65 +0,0 @@ -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= -Date: Sun, 31 Jan 2021 11:34:01 +0100 -Subject: hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: edfe2eb4360cde4ed5d95bda7777edcb3510f76a -References: bsc#1181933 - -Per the ARM Generic Interrupt Controller Architecture specification -(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit, -not 10: - - - 4.3 Distributor register descriptions - - 4.3.15 Software Generated Interrupt Register, GICD_SG - - - Table 4-21 GICD_SGIR bit assignments - - The Interrupt ID of the SGI to forward to the specified CPU - interfaces. The value of this field is the Interrupt ID, in - the range 0-15, for example a value of 0b0011 specifies - Interrupt ID 3. - -Correct the irq mask to fix an undefined behavior (which eventually -lead to a heap-buffer-overflow, see [Buglink]): - - $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio - [I 1612088147.116987] OPENED - [R +0.278293] writel 0x8000f00 0xff4affb0 - ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]' - SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13 - -This fixes a security issue when running with KVM on Arm with -kernel-irqchip=off. (The default is kernel-irqchip=on, which is -unaffected, and which is also the correct choice for performance.) - -Cc: qemu-stable@nongnu.org -Fixes: CVE-2021-20221 -Fixes: 9ee6e8bb853 ("ARMv7 support.") -Buglink: https://bugs.launchpad.net/qemu/+bug/1913916 -Buglink: https://bugs.launchpad.net/qemu/+bug/1913917 -Reported-by: Alexander Bulekov -Signed-off-by: Philippe Mathieu-Daudé -Message-id: 20210131103401.217160-1-f4bug@amsat.org -Reviewed-by: Peter Maydell -Signed-off-by: Peter Maydell -Signed-off-by: Bruce Rogers ---- - hw/intc/arm_gic.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c -index 1d7da7baa209323c143091599d57..df355f4d110dab290bea5154c7d4 100644 ---- a/hw/intc/arm_gic.c -+++ b/hw/intc/arm_gic.c -@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset, - int target_cpu; - - cpu = gic_get_current_cpu(s); -- irq = value & 0x3ff; -+ irq = value & 0xf; - switch ((value >> 24) & 3) { - case 0: - mask = (value >> 16) & ALL_CPU_MASK; diff --git a/packaging/hw-intc-exynos4210_gic-provide-more-room.patch b/packaging/hw-intc-exynos4210_gic-provide-more-room.patch deleted file mode 100644 index 5b4e8ebe3..000000000 --- a/packaging/hw-intc-exynos4210_gic-provide-more-room.patch +++ /dev/null @@ -1,57 +0,0 @@ -From: Bruce Rogers -Date: Wed, 15 May 2019 13:32:01 -0600 -Subject: hw/intc/exynos4210_gic: provide more room when formatting alias names - -sprintf related parameter validation complains about the size of the -buffer being written to in exynos4210_gic_realize(). Provide a bit more -space to avoid the following warning: -/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c: In function 'exynos4210_gic_realize': -/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:316:36: error: '%x' directive writing between 1 and 7 bytes into a region of size between 4 and 28 [-Werror=format-overflow=] - 316 | sprintf(cpu_alias_name, "%s%x", cpu_prefix, i); - | ^~ -/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:316:33: note: directive argument in the range [0, 29020050] - 316 | sprintf(cpu_alias_name, "%s%x", cpu_prefix, i); - | ^~~~~~ -In file included from /usr/include/stdio.h:867, - from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/include/qemu/osdep.h:99, - from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:23: -/usr/include/bits/stdio2.h:36:10: note: '__builtin___sprintf_chk' output between 2 and 32 bytes into a destination of size 28 - 36 | return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1, - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - 37 | __bos (__s), __fmt, __va_arg_pack ()); - | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:326:37: error: '%x' directive writing between 1 and 7 bytes into a region of size between 3 and 28 [-Werror=format-overflow=] - 326 | sprintf(dist_alias_name, "%s%x", dist_prefix, i); - | ^~ -/home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:326:34: note: directive argument in the range [0, 29020050] - 326 | sprintf(dist_alias_name, "%s%x", dist_prefix, i); - | ^~~~~~ -In file included from /usr/include/stdio.h:867, - from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/include/qemu/osdep.h:99, - from /home/abuild/rpmbuild/BUILD/qemu-4.0.0/hw/intc/exynos4210_gic.c:23: -/usr/include/bits/stdio2.h:36:10: note: '__builtin___sprintf_chk' output between 2 and 33 bytes into a destination of size 28 - 36 | return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1, - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - 37 | __bos (__s), __fmt, __va_arg_pack ()); - | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Signed-off-by: Bruce Rogers ---- - hw/intc/exynos4210_gic.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/intc/exynos4210_gic.c b/hw/intc/exynos4210_gic.c -index a1b699b6babc3105bfd4ad9a8383..17317c961caa9a09c476e9ecbd3f 100644 ---- a/hw/intc/exynos4210_gic.c -+++ b/hw/intc/exynos4210_gic.c -@@ -290,8 +290,8 @@ static void exynos4210_gic_realize(DeviceState *dev, Error **errp) - SysBusDevice *sbd = SYS_BUS_DEVICE(obj); - const char cpu_prefix[] = "exynos4210-gic-alias_cpu"; - const char dist_prefix[] = "exynos4210-gic-alias_dist"; -- char cpu_alias_name[sizeof(cpu_prefix) + 3]; -- char dist_alias_name[sizeof(cpu_prefix) + 3]; -+ char cpu_alias_name[sizeof(cpu_prefix) + 7]; -+ char dist_alias_name[sizeof(cpu_prefix) + 8]; - SysBusDevice *gicbusdev; - uint32_t i; - diff --git a/packaging/hw-isa-piix4-Migrate-Reset-Control-Regis.patch b/packaging/hw-isa-piix4-Migrate-Reset-Control-Regis.patch deleted file mode 100644 index cdecc61a6..000000000 --- a/packaging/hw-isa-piix4-Migrate-Reset-Control-Regis.patch +++ /dev/null @@ -1,62 +0,0 @@ -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= -Date: Wed, 24 Mar 2021 14:54:43 +0100 -Subject: hw/isa/piix4: Migrate Reset Control Register -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 62271205bcfaee440d06c06060ee79dac657caff - -When adding the Reset register in commit 5790b757cfb we -forgot to migrate it. - -While it is possible a VM using the PIIX4 is migrated just -after requesting a system shutdown, it is very unlikely. -However when restoring a migrated VM, we might have the -RCR bit #4 set on the stack and when the VM resume it -directly shutdowns. - -Add a post_load() migration handler and set the default -RCR value to 0 for earlier versions, assuming the VM was -not going to shutdown before migration. - -Fixes: 5790b757cfb ("piix4: Add the Reset Control Register") -Signed-off-by: Philippe Mathieu-Daudé -Reviewed-by: Dr. David Alan Gilbert -Message-Id: <20210324200334.729899-1-f4bug@amsat.org> -Signed-off-by: Bruce Rogers ---- - hw/isa/piix4.c | 15 ++++++++++++++- - 1 file changed, 14 insertions(+), 1 deletion(-) - -diff --git a/hw/isa/piix4.c b/hw/isa/piix4.c -index 86678e6829535f0e7981b3e53122..a7ed885dc8e49537c1241eaea7e1 100644 ---- a/hw/isa/piix4.c -+++ b/hw/isa/piix4.c -@@ -93,12 +93,25 @@ static void piix4_isa_reset(DeviceState *dev) - pci_conf[0xae] = 0x00; - } - -+static int piix4_ide_post_load(void *opaque, int version_id) -+{ -+ PIIX4State *s = opaque; -+ -+ if (version_id == 2) { -+ s->rcr = 0; -+ } -+ -+ return 0; -+} -+ - static const VMStateDescription vmstate_piix4 = { - .name = "PIIX4", -- .version_id = 2, -+ .version_id = 3, - .minimum_version_id = 2, -+ .post_load = piix4_ide_post_load, - .fields = (VMStateField[]) { - VMSTATE_PCI_DEVICE(dev, PIIX4State), -+ VMSTATE_UINT8_V(rcr, PIIX4State, 3), - VMSTATE_END_OF_LIST() - } - }; diff --git a/packaging/hw-net-e1000e-advance-desc_offset-in-cas.patch b/packaging/hw-net-e1000e-advance-desc_offset-in-cas.patch deleted file mode 100644 index 2b29eb019..000000000 --- a/packaging/hw-net-e1000e-advance-desc_offset-in-cas.patch +++ /dev/null @@ -1,43 +0,0 @@ -From: Prasad J Pandit -Date: Wed, 11 Nov 2020 18:36:36 +0530 -Subject: hw/net/e1000e: advance desc_offset in case of null descriptor - -Git-commit: c2cb511634012344e3d0fe49a037a33b12d8a98a -References: bsc#1179468, CVE-2020-28916 - -While receiving packets via e1000e_write_packet_to_guest() routine, -'desc_offset' is advanced only when RX descriptor is processed. And -RX descriptor is not processed if it has NULL buffer address. -This may lead to an infinite loop condition. Increament 'desc_offset' -to process next descriptor in the ring to avoid infinite loop. - -Reported-by: Cheol-woo Myung <330cjfdn@gmail.com> -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang -Signed-off-by: Bruce Rogers ---- - hw/net/e1000e_core.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c -index 9b76f82db5b83ed611f5007da009..166054f2e3f65159e28caecf2609 100644 ---- a/hw/net/e1000e_core.c -+++ b/hw/net/e1000e_core.c -@@ -1596,13 +1596,13 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt, - (const char *) &fcs_pad, e1000x_fcs_len(core->mac)); - } - } -- desc_offset += desc_size; -- if (desc_offset >= total_size) { -- is_last = true; -- } - } else { /* as per intel docs; skip descriptors with null buf addr */ - trace_e1000e_rx_null_descriptor(); - } -+ desc_offset += desc_size; -+ if (desc_offset >= total_size) { -+ is_last = true; -+ } - - e1000e_write_rx_descr(core, desc, is_last ? core->rx_pkt : NULL, - rss_info, do_ps ? ps_hdr_len : 0, &bastate.written); diff --git a/packaging/hw-net-net_tx_pkt-fix-assertion-failure-.patch b/packaging/hw-net-net_tx_pkt-fix-assertion-failure-.patch deleted file mode 100644 index 88fbb7750..000000000 --- a/packaging/hw-net-net_tx_pkt-fix-assertion-failure-.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Mauro Matteo Cascella -Date: Sat, 1 Aug 2020 18:42:38 +0200 -Subject: hw/net/net_tx_pkt: fix assertion failure in - net_tx_pkt_add_raw_fragment() - -Git-commit: 035e69b063835a5fd23cacabd63690a3d84532a8 -References: bsc#1174641, CVE-2020-16092 - -An assertion failure issue was found in the code that processes network packets -while adding data fragments into the packet context. It could be abused by a -malicious guest to abort the QEMU process on the host. This patch replaces the -affected assert() with a conditional statement, returning false if the current -data fragment exceeds max_raw_frags. - -Reported-by: Alexander Bulekov -Reported-by: Ziming Zhang -Reviewed-by: Dmitry Fleytman -Signed-off-by: Mauro Matteo Cascella -Signed-off-by: Jason Wang -Signed-off-by: Bruce Rogers ---- - hw/net/net_tx_pkt.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c -index 162f802dd77e09b89c0cb65583e8..54d4c3bbd02dccc33ee3c7e710b4 100644 ---- a/hw/net/net_tx_pkt.c -+++ b/hw/net/net_tx_pkt.c -@@ -379,7 +379,10 @@ bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *pkt, hwaddr pa, - hwaddr mapped_len = 0; - struct iovec *ventry; - assert(pkt); -- assert(pkt->max_raw_frags > pkt->raw_frags); -+ -+ if (pkt->raw_frags >= pkt->max_raw_frags) { -+ return false; -+ } - - if (!len) { - return true; diff --git a/packaging/hw-net-xgmac-Fix-buffer-overflow-in-xgma.patch b/packaging/hw-net-xgmac-Fix-buffer-overflow-in-xgma.patch deleted file mode 100644 index 86f1d1dcc..000000000 --- a/packaging/hw-net-xgmac-Fix-buffer-overflow-in-xgma.patch +++ /dev/null @@ -1,58 +0,0 @@ -From: Mauro Matteo Cascella -Date: Fri, 10 Jul 2020 11:19:41 +0200 -Subject: hw/net/xgmac: Fix buffer overflow in xgmac_enet_send() - -Git-commit: 5519724a13664b43e225ca05351c60b4468e4555 -References: bsc#1174386 CVE-2020-15863 - -A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It -occurs while sending an Ethernet frame due to missing break statements -and improper checking of the buffer size. - -Reported-by: Ziming Zhang -Signed-off-by: Mauro Matteo Cascella -Reviewed-by: Peter Maydell -Signed-off-by: Jason Wang -Signed-off-by: Bruce Rogers ---- - hw/net/xgmac.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c -index 2ea8d2ec721632ecd13026eedf03..3b02b38f4e7ac9da650a6a02633d 100644 ---- a/hw/net/xgmac.c -+++ b/hw/net/xgmac.c -@@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s) - } - len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff); - -+ /* -+ * FIXME: these cases of malformed tx descriptors (bad sizes) -+ * should probably be reported back to the guest somehow -+ * rather than simply silently stopping processing, but we -+ * don't know what the hardware does in this situation. -+ * This will only happen for buggy guests anyway. -+ */ - if ((bd.buffer1_size & 0xfff) > 2048) { - DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " - "xgmac buffer 1 len on send > 2048 (0x%x)\n", - __func__, bd.buffer1_size & 0xfff); -+ break; - } - if ((bd.buffer2_size & 0xfff) != 0) { - DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " - "xgmac buffer 2 len on send != 0 (0x%x)\n", - __func__, bd.buffer2_size & 0xfff); -+ break; - } -- if (len >= sizeof(frame)) { -+ if (frame_size + len >= sizeof(frame)) { - DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu " -- "buffer\n" , __func__, len, sizeof(frame)); -+ "buffer\n" , __func__, frame_size + len, sizeof(frame)); - DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n", - __func__, bd.buffer1_size, bd.buffer2_size); -+ break; - } - - cpu_physical_memory_read(bd.buffer1_addr, ptr, len); diff --git a/packaging/hw-pci-host-add-pci-intack-write-method.patch b/packaging/hw-pci-host-add-pci-intack-write-method.patch deleted file mode 100644 index dab712c4d..000000000 --- a/packaging/hw-pci-host-add-pci-intack-write-method.patch +++ /dev/null @@ -1,49 +0,0 @@ -From: Prasad J Pandit -Date: Tue, 11 Aug 2020 17:11:25 +0530 -Subject: hw/pci-host: add pci-intack write method - -Git-commit: 520f26fc6d17b71a43eaf620e834b3bdf316f3d3 -References: bsc#1173612, CVE-2020-15469 - -Add pci-intack mmio write method to avoid NULL pointer dereference -issue. - -Reported-by: Lei Sun -Reviewed-by: Li Qiang -Reviewed-by: Peter Maydell -Signed-off-by: Prasad J Pandit -Message-Id: <20200811114133.672647-2-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Bruce Rogers ---- - hw/pci-host/prep.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/pci-host/prep.c b/hw/pci-host/prep.c -index 85d7ba90374b6b5a558155e4445b..7f366d9313d8824c52e5cb531b63 100644 ---- a/hw/pci-host/prep.c -+++ b/hw/pci-host/prep.c -@@ -26,6 +26,7 @@ - #include "qemu/osdep.h" - #include "qemu-common.h" - #include "qemu/units.h" -+#include "qemu/log.h" - #include "qapi/error.h" - #include "hw/pci/pci.h" - #include "hw/pci/pci_bus.h" -@@ -119,8 +120,15 @@ static uint64_t raven_intack_read(void *opaque, hwaddr addr, - return pic_read_irq(isa_pic); - } - -+static void raven_intack_write(void *opaque, hwaddr addr, -+ uint64_t data, unsigned size) -+{ -+ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); -+} -+ - static const MemoryRegionOps raven_intack_ops = { - .read = raven_intack_read, -+ .write = raven_intack_write, - .valid = { - .max_access_size = 1, - }, diff --git a/packaging/hw-rdma-Fix-possible-mremap-overflow-in-.patch b/packaging/hw-rdma-Fix-possible-mremap-overflow-in-.patch deleted file mode 100644 index 8abcdf62a..000000000 --- a/packaging/hw-rdma-Fix-possible-mremap-overflow-in-.patch +++ /dev/null @@ -1,43 +0,0 @@ -From: Marcel Apfelbaum -Date: Wed, 16 Jun 2021 14:06:00 +0300 -Subject: hw/rdma: Fix possible mremap overflow in the pvrdma device - (CVE-2021-3582) - -Git-commit: 284f191b4abad213aed04cb0458e1600fd18d7c4 -References: CVE-2021-3582 bsc#1187499 - -Ensure mremap boundaries not trusting the guest kernel to -pass the correct buffer length. - -Fixes: CVE-2021-3582 -Reported-by: VictorV (Kunlun Lab) -Tested-by: VictorV (Kunlun Lab) -Signed-off-by: Marcel Apfelbaum -Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com> -Reviewed-by: Yuval Shaia -Tested-by: Yuval Shaia -Reviewed-by: Prasad J Pandit -Signed-off-by: Marcel Apfelbaum -Signed-off-by: Jose R. Ziviani ---- - hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c -index 692125ac26815fc0d9180e69adbf..1df0b256fa88e092767e18c471cb 100644 ---- a/hw/rdma/vmw/pvrdma_cmd.c -+++ b/hw/rdma/vmw/pvrdma_cmd.c -@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma, - return NULL; - } - -+ length = ROUND_UP(length, TARGET_PAGE_SIZE); -+ if (nchunks * TARGET_PAGE_SIZE != length) { -+ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, -+ (unsigned long)length); -+ return NULL; -+ } -+ - dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE); - if (!dir) { - rdma_error_report("Failed to map to page directory"); diff --git a/packaging/hw-scsi-megasas-check-for-NULL-frame-in-.patch b/packaging/hw-scsi-megasas-check-for-NULL-frame-in-.patch deleted file mode 100644 index 80c6aaf3e..000000000 --- a/packaging/hw-scsi-megasas-check-for-NULL-frame-in-.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: Mauro Matteo Cascella -Date: Thu, 24 Dec 2020 18:54:41 +0100 -Subject: hw/scsi/megasas: check for NULL frame in megasas_command_cancelled() - -Git-commit: 00000000000000000000000000000000000000000000 -References: bsc#1180432, CVE-2020-35503 - -Ensure that 'cmd->frame' is not NULL before accessing the 'header' field. -This check prevents a potential NULL pointer dereference issue. - -RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1910346 -Signed-off-by: Mauro Matteo Cascella -Reported-by: Cheolwoo Myung -Acked-By: Jose R Ziviani ---- - hw/scsi/megasas.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 1bdd25e55684c7b6026381a97f3e..376ac1f0c238e7bf86a294fa10e1 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -1884,7 +1884,7 @@ static void megasas_command_cancelled(SCSIRequest *req) - { - MegasasCmd *cmd = req->hba_private; - -- if (!cmd) { -+ if (!cmd || !cmd->frame) { - return; - } - cmd->frame->header.cmd_status = MFI_STAT_SCSI_IO_FAILED; diff --git a/packaging/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-.patch b/packaging/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-.patch deleted file mode 100644 index 4b4f8ba62..000000000 --- a/packaging/hw-sd-sdhci-Fix-DMA-Transfer-Block-Size-.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= -Date: Tue, 1 Sep 2020 15:22:06 +0200 -Subject: hw/sd/sdhci: Fix DMA Transfer Block Size field -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: dfba99f17feb6d4a129da19d38df1bcd8579d1c3 -References: bsc#1176681 CVE-2020-25085 - -The 'Transfer Block Size' field is 12-bit wide. - -See section '2.2.2. Block Size Register (Offset 004h)' in datasheet. - -Two different bug reproducer available: -- https://bugs.launchpad.net/qemu/+bug/1892960 -- https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fsdhci_oob_write1 - -Cc: qemu-stable@nongnu.org -Buglink: https://bugs.launchpad.net/qemu/+bug/1892960 -Fixes: d7dfca0807a ("hw/sdhci: introduce standard SD host controller") -Reported-by: Alexander Bulekov -Signed-off-by: Philippe Mathieu-Daudé -Reviewed-by: Prasad J Pandit -Tested-by: Alexander Bulekov -Message-Id: <20200901140411.112150-3-f4bug@amsat.org> -Signed-off-by: Jose R Ziviani ---- - hw/sd/sdhci.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index 88404d0e9d5a0acafceec1933fce..c27bd0936505c9ae75aec7ab24d2 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -1129,7 +1129,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) - break; - case SDHC_BLKSIZE: - if (!TRANSFERRING_DATA(s->prnsts)) { -- MASKED_WRITE(s->blksize, mask, value); -+ MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12)); - MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); - } - diff --git a/packaging/hw-smbios-handle-both-file-formats-regar.patch b/packaging/hw-smbios-handle-both-file-formats-regar.patch deleted file mode 100644 index d71741c38..000000000 --- a/packaging/hw-smbios-handle-both-file-formats-regar.patch +++ /dev/null @@ -1,93 +0,0 @@ -From: Bruce Rogers -Date: Fri, 5 Apr 2019 21:10:30 -0600 -Subject: hw/smbios: handle both file formats regardless of machine type - -References: bsc#994082, bsc#1084316, boo#1131894 - -It's easy enough to handle either per-spec or legacy smbios structures -in the smbios file input without regard to the machine type used, by -simply applying the basic smbios formatting rules. then depending on -what is detected. terminal numm bytes are added or removed for machine -type specific processing. - -Signed-off-by: Bruce Rogers ---- - hw/smbios/smbios.c | 43 +++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 39 insertions(+), 4 deletions(-) - -diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c -index 11d476c4a2cbdabc546c02b4f076..570ffa3acfa48b3721bdc578ee57 100644 ---- a/hw/smbios/smbios.c -+++ b/hw/smbios/smbios.c -@@ -964,6 +964,7 @@ void smbios_entry_add(QemuOpts *opts, Error **errp) - struct smbios_structure_header *header; - int size; - struct smbios_table *table; /* legacy mode only */ -+ uint8_t *dbl_nulls, *orig_end; - - qemu_opts_validate(opts, qemu_smbios_file_opts, &err); - if (err) { -@@ -978,11 +979,21 @@ void smbios_entry_add(QemuOpts *opts, Error **errp) - } - - /* -- * NOTE: standard double '\0' terminator expected, per smbios spec. -- * (except in legacy mode, where the second '\0' is implicit and -- * will be inserted by the BIOS). -+ * NOTE: standard double '\0' terminator expected, per smbios spec, -+ * unless the data is formatted for legacy mode, which is used by -+ * pc-i440fx-2.0 and earlier machine types. Legacy mode structures -+ * without strings have no '\0' terminators, and those with strings -+ * also don't have an additional '\0' terminator at the end of the -+ * final string '\0' terminator. The BIOS will add the '\0' terminators -+ * to comply with the smbios spec. -+ * For greater compatibility, regardless of the machine type used, -+ * either format is accepted. - */ -- smbios_tables = g_realloc(smbios_tables, smbios_tables_len + size); -+ smbios_tables = g_realloc(smbios_tables, smbios_tables_len + size + 2); -+ orig_end = smbios_tables + smbios_tables_len + size; -+ /* add extra null bytes to end in case of legacy file data */ -+ *orig_end = '\0'; -+ *(orig_end + 1) = '\0'; - header = (struct smbios_structure_header *)(smbios_tables + - smbios_tables_len); - -@@ -997,6 +1008,19 @@ void smbios_entry_add(QemuOpts *opts, Error **errp) - header->type); - return; - } -+ for (dbl_nulls = smbios_tables + smbios_tables_len + header->length; -+ dbl_nulls + 2 <= orig_end; dbl_nulls++) { -+ if (*dbl_nulls == '\0' && *(dbl_nulls + 1) == '\0') { -+ break; -+ } -+ } -+ if (dbl_nulls + 2 < orig_end) { -+ error_setg(errp, "SMBIOS file data malformed"); -+ return; -+ } -+ /* increase size by how many extra nulls were actually needed */ -+ size += dbl_nulls + 2 - orig_end; -+ smbios_tables = g_realloc(smbios_tables, smbios_tables_len + size); - set_bit(header->type, have_binfile_bitmap); - - if (header->type == 4) { -@@ -1017,6 +1041,17 @@ void smbios_entry_add(QemuOpts *opts, Error **errp) - * delete the one we don't need from smbios_set_defaults(), - * once we know which machine version has been requested. - */ -+ if (dbl_nulls + 2 == orig_end) { -+ /* chop off nulls to get legacy format */ -+ if (header->length + 2 == size) { -+ size -= 2; -+ } else { -+ size -= 1; -+ } -+ } else { -+ /* undo conversion from legacy format to per-spec format */ -+ size -= dbl_nulls + 2 - orig_end; -+ } - if (!smbios_entries) { - smbios_entries_len = sizeof(uint16_t); - smbios_entries = g_malloc0(smbios_entries_len); diff --git a/packaging/hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch b/packaging/hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch deleted file mode 100644 index bc3b5cdf3..000000000 --- a/packaging/hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Alistair Francis -Date: Sat, 4 May 2019 07:58:55 -0600 -Subject: hw/usb/dev-mtp: Fix GCC 9 build warning -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fix this warning with GCC 9 on Fedora 30: -hw/usb/dev-mtp.c:1715:36: error: taking address of packed member of ‘struct ’ may result in an unaligned pointer value [-Werror=address-of-packed-member] - 1715 | dataset->filename); - | ~~~~~~~^~~~~~~~~~ - -Signed-off-by: Alistair Francis -Signed-off-by: Bruce Rogers ---- - hw/usb/dev-mtp.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c -index 7c07295519d33d13fd3755ea7e0a..13815df4737ef8f46e6f857153b1 100644 ---- a/hw/usb/dev-mtp.c -+++ b/hw/usb/dev-mtp.c -@@ -1722,9 +1722,22 @@ static void usb_mtp_write_metadata(MTPState *s, uint64_t dlen) - assert(!s->write_pending); - assert(p != NULL); - -+/* -+ * We are about to access a packed struct. We are confident that the pointer -+ * address won't be unaligned, so we ignore GCC warnings. -+ */ -+#if defined(CONFIG_PRAGMA_DIAGNOSTIC_AVAILABLE) && QEMU_GNUC_PREREQ(9, 0) -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Waddress-of-packed-member" -+#endif -+ - filename = utf16_to_str(MIN(dataset->length, filename_chars), - dataset->filename); - -+#if defined(CONFIG_PRAGMA_DIAGNOSTIC_AVAILABLE) && QEMU_GNUC_PREREQ(9, 0) -+#pragma GCC diagnostic pop -+#endif -+ - if (strchr(filename, '/')) { - usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, - 0, 0, 0, 0); diff --git a/packaging/hw-usb-hcd-ohci-check-for-processed-TD-b.patch b/packaging/hw-usb-hcd-ohci-check-for-processed-TD-b.patch deleted file mode 100644 index 55b5e96ff..000000000 --- a/packaging/hw-usb-hcd-ohci-check-for-processed-TD-b.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Prasad J Pandit -Date: Tue, 15 Sep 2020 23:52:59 +0530 -Subject: hw: usb: hcd-ohci: check for processed TD before retire - -Git-commit: 1be90ebecc95b09a2ee5af3f60c412b45a766c4f -References: bsc#1176684, CVE-2020-25625 - -While servicing OHCI transfer descriptors(TD), ohci_service_iso_td -retires a TD if it has passed its time frame. It does not check if -the TD was already processed once and holds an error code in TD_CC. -It may happen if the TD list has a loop. Add check to avoid an -infinite loop condition. - -Signed-off-by: Prasad J Pandit -Reviewed-by: Li Qiang -Message-id: 20200915182259.68522-3-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann -Signed-off-by: Bruce Rogers ---- - hw/usb/hcd-ohci.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c -index 13cf2953c803b54553768b471d86..9d305eed35cbb30164a2f6946407 100644 ---- a/hw/usb/hcd-ohci.c -+++ b/hw/usb/hcd-ohci.c -@@ -691,6 +691,10 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, - the next ISO TD of the same ED */ - trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number, - frame_count); -+ if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) { -+ /* avoid infinite loop */ -+ return 1; -+ } - OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN); - ed->head &= ~OHCI_DPTR_MASK; - ed->head |= (iso_td.next & OHCI_DPTR_MASK); diff --git a/packaging/hw-usb-hcd-ohci-check-len-and-frame_numb.patch b/packaging/hw-usb-hcd-ohci-check-len-and-frame_numb.patch deleted file mode 100644 index 1a62fa35e..000000000 --- a/packaging/hw-usb-hcd-ohci-check-len-and-frame_numb.patch +++ /dev/null @@ -1,96 +0,0 @@ -From: Prasad J Pandit -Date: Tue, 15 Sep 2020 23:52:58 +0530 -Subject: hw: usb: hcd-ohci: check len and frame_number variables - -Git-commit: 1328fe0c32d5474604105b8105310e944976b058 -References: bsc#1176682, CVE-2020-25624 - -While servicing the OHCI transfer descriptors(TD), OHCI host -controller derives variables 'start_addr', 'end_addr', 'len' -etc. from values supplied by the host controller driver. -Host controller driver may supply values such that using -above variables leads to out-of-bounds access issues. -Add checks to avoid them. - -AddressSanitizer: stack-buffer-overflow on address 0x7ffd53af76a0 - READ of size 2 at 0x7ffd53af76a0 thread T0 - #0 ohci_service_iso_td ../hw/usb/hcd-ohci.c:734 - #1 ohci_service_ed_list ../hw/usb/hcd-ohci.c:1180 - #2 ohci_process_lists ../hw/usb/hcd-ohci.c:1214 - #3 ohci_frame_boundary ../hw/usb/hcd-ohci.c:1257 - #4 timerlist_run_timers ../util/qemu-timer.c:572 - #5 qemu_clock_run_timers ../util/qemu-timer.c:586 - #6 qemu_clock_run_all_timers ../util/qemu-timer.c:672 - #7 main_loop_wait ../util/main-loop.c:527 - #8 qemu_main_loop ../softmmu/vl.c:1676 - #9 main ../softmmu/main.c:50 - -Reported-by: Gaoning Pan -Reported-by: Yongkang Jia -Reported-by: Yi Ren -Signed-off-by: Prasad J Pandit -Message-id: 20200915182259.68522-2-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann -Signed-off-by: Bruce Rogers ---- - hw/usb/hcd-ohci.c | 24 ++++++++++++++++++++++-- - 1 file changed, 22 insertions(+), 2 deletions(-) - -diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c -index 145ee21fd6aeffdaa6351332f005..13cf2953c803b54553768b471d86 100644 ---- a/hw/usb/hcd-ohci.c -+++ b/hw/usb/hcd-ohci.c -@@ -731,7 +731,11 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, - } - - start_offset = iso_td.offset[relative_frame_number]; -- next_offset = iso_td.offset[relative_frame_number + 1]; -+ if (relative_frame_number < frame_count) { -+ next_offset = iso_td.offset[relative_frame_number + 1]; -+ } else { -+ next_offset = iso_td.be; -+ } - - if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) || - ((relative_frame_number < frame_count) && -@@ -764,7 +768,12 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, - } - } else { - /* Last packet in the ISO TD */ -- end_addr = iso_td.be; -+ end_addr = next_offset; -+ } -+ -+ if (start_addr > end_addr) { -+ trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr); -+ return 1; - } - - if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) { -@@ -773,6 +782,9 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed, - } else { - len = end_addr - start_addr + 1; - } -+ if (len > sizeof(ohci->usb_buf)) { -+ len = sizeof(ohci->usb_buf); -+ } - - if (len && dir != OHCI_TD_DIR_IN) { - if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len, -@@ -975,8 +987,16 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed) - if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) { - len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff); - } else { -+ if (td.cbp > td.be) { -+ trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be); -+ ohci_die(ohci); -+ return 1; -+ } - len = (td.be - td.cbp) + 1; - } -+ if (len > sizeof(ohci->usb_buf)) { -+ len = sizeof(ohci->usb_buf); -+ } - - pktlen = len; - if (len && dir != OHCI_TD_DIR_IN) { diff --git a/packaging/hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch b/packaging/hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch deleted file mode 100644 index b400a28a5..000000000 --- a/packaging/hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Alistair Francis -Date: Sat, 4 May 2019 07:58:35 -0600 -Subject: hw/usb/hcd-xhci: Fix GCC 9 build warning -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fix this build warning with GCC 9 on Fedora 30: -hw/usb/hcd-xhci.c:3339:66: error: ‘%d’ directive output may be truncated writing between 1 and 10 bytes into a region of size 5 [-Werror=format-truncation=] - 3339 | snprintf(port->name, sizeof(port->name), "usb2 port #%d", i+1); - | ^~ -hw/usb/hcd-xhci.c:3339:54: note: directive argument in the range [1, 2147483647] - 3339 | snprintf(port->name, sizeof(port->name), "usb2 port #%d", i+1); - | ^~~~~~~~~~~~~~~ -In file included from /usr/include/stdio.h:867, - from /home/alistair/qemu/include/qemu/osdep.h:99, - from hw/usb/hcd-xhci.c:21: -/usr/include/bits/stdio2.h:67:10: note: ‘__builtin___snprintf_chk’ output between 13 and 22 bytes into a destination of size 16 - 67 | return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1, - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - 68 | __bos (__s), __fmt, __va_arg_pack ()); - | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Signed-off-by: Alistair Francis -Signed-off-by: Bruce Rogers ---- - hw/usb/hcd-xhci.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c -index c84d7d7d5707b1e04f06d01df55c..fd2b69001597c14fe13d7e88f947 100644 ---- a/hw/usb/hcd-xhci.c -+++ b/hw/usb/hcd-xhci.c -@@ -3333,6 +3333,7 @@ static void usb_xhci_init(XHCIState *xhci) - usb_bus_new(&xhci->bus, sizeof(xhci->bus), &xhci_bus_ops, dev); - - for (i = 0; i < usbports; i++) { -+ g_assert(i < MAX(MAXPORTS_2, MAXPORTS_3)); - speedmask = 0; - if (i < xhci->numports_2) { - if (xhci_get_flag(xhci, XHCI_FLAG_SS_FIRST)) { diff --git a/packaging/hw-usb-host-stub-Remove-unused-header.patch b/packaging/hw-usb-host-stub-Remove-unused-header.patch deleted file mode 100644 index 1403f3205..000000000 --- a/packaging/hw-usb-host-stub-Remove-unused-header.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= -Date: Sun, 25 Apr 2021 00:41:09 +0200 -Subject: hw/usb/host-stub: Remove unused header -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 1081607bfab94a0b6149c4a2195737107aed265f -References: bsc#1186012, CVE-2021-3527 - -Signed-off-by: Philippe Mathieu-Daudé -Reviewed-by: Richard Henderson -Message-Id: <20210424224110.3442424-2-f4bug@amsat.org> -Signed-off-by: Gerd Hoffmann -Signed-off-by: Jose R Ziviani ---- - hw/usb/host-stub.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/hw/usb/host-stub.c b/hw/usb/host-stub.c -index 538ed29684cb7d3ed15df7a7b298..80809ceba54221818bd937ff01b6 100644 ---- a/hw/usb/host-stub.c -+++ b/hw/usb/host-stub.c -@@ -31,7 +31,6 @@ - */ - - #include "qemu/osdep.h" --#include "ui/console.h" - #include "hw/usb.h" - #include "monitor/monitor.h" - diff --git a/packaging/hw-xhci-check-return-value-of-usb_packet.patch b/packaging/hw-xhci-check-return-value-of-usb_packet.patch deleted file mode 100644 index c606fd443..000000000 --- a/packaging/hw-xhci-check-return-value-of-usb_packet.patch +++ /dev/null @@ -1,74 +0,0 @@ -From: Li Qiang -Date: Wed, 12 Aug 2020 08:31:39 -0700 -Subject: hw: xhci: check return value of 'usb_packet_map' - -Git-commit: 21bc31524e8ca487e976f713b878d7338ee00df2 -References: bsc#1176673, CVE-2020-25084 - -Currently we don't check the return value of 'usb_packet_map', -this will cause an UAF issue. This is LP#1891341. -Following is the reproducer provided in: --->https://bugs.launchpad.net/qemu/+bug/1891341 - -cat << EOF | ./i386-softmmu/qemu-system-i386 -device nec-usb-xhci \ --trace usb\* -device usb-audio -device usb-storage,drive=mydrive \ --drive id=mydrive,file=null-co://,size=2M,format=raw,if=none \ --nodefaults -nographic -qtest stdio -outl 0xcf8 0x80001016 -outl 0xcfc 0x3c009f0d -outl 0xcf8 0x80001004 -outl 0xcfc 0xc77695e -writel 0x9f0d000000000040 0xffff3655 -writeq 0x9f0d000000002000 0xff2f9e0000000000 -write 0x1d 0x1 0x27 -write 0x2d 0x1 0x2e -write 0x17232 0x1 0x03 -write 0x17254 0x1 0x06 -write 0x17278 0x1 0x34 -write 0x3d 0x1 0x27 -write 0x40 0x1 0x2e -write 0x41 0x1 0x72 -write 0x42 0x1 0x01 -write 0x4d 0x1 0x2e -write 0x4f 0x1 0x01 -writeq 0x9f0d000000002000 0x5c051a0100000000 -write 0x34001d 0x1 0x13 -write 0x340026 0x1 0x30 -write 0x340028 0x1 0x08 -write 0x34002c 0x1 0xfe -write 0x34002d 0x1 0x08 -write 0x340037 0x1 0x5e -write 0x34003a 0x1 0x05 -write 0x34003d 0x1 0x05 -write 0x34004d 0x1 0x13 -writeq 0x9f0d000000002000 0xff00010100400009 -EOF - -This patch fixes this. - -Buglink: https://bugs.launchpad.net/qemu/+bug/1891341 -Reported-by: Alexander Bulekov -Signed-off-by: Li Qiang -Message-id: 20200812153139.15146-1-liq3ea@163.com -Signed-off-by: Gerd Hoffmann -Signed-off-by: Bruce Rogers ---- - hw/usb/hcd-xhci.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c -index 80988bb305a149f2974d329576a0..c84d7d7d5707b1e04f06d01df55c 100644 ---- a/hw/usb/hcd-xhci.c -+++ b/hw/usb/hcd-xhci.c -@@ -1615,7 +1615,10 @@ static int xhci_setup_packet(XHCITransfer *xfer) - xhci_xfer_create_sgl(xfer, dir == USB_TOKEN_IN); /* Also sets int_req */ - usb_packet_setup(&xfer->packet, dir, ep, xfer->streamid, - xfer->trbs[0].addr, false, xfer->int_req); -- usb_packet_map(&xfer->packet, &xfer->sgl); -+ if (usb_packet_map(&xfer->packet, &xfer->sgl)) { -+ qemu_sglist_destroy(&xfer->sgl); -+ return -1; -+ } - DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n", - xfer->packet.pid, ep->dev->addr, ep->nr); - return 0; diff --git a/packaging/i386-Add-MSR-feature-bit-for-MDS-NO.patch b/packaging/i386-Add-MSR-feature-bit-for-MDS-NO.patch deleted file mode 100644 index e2d4008cc..000000000 --- a/packaging/i386-Add-MSR-feature-bit-for-MDS-NO.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Cathy Zhang -Date: Tue, 22 Oct 2019 15:35:26 +0800 -Subject: i386: Add MSR feature bit for MDS-NO - -Git-commit: 77b168d221191156c47fcd8d1c47329dfdb9439e -References: jsc#SLE-7923 - -Define MSR_ARCH_CAP_MDS_NO in the IA32_ARCH_CAPABILITIES MSR to allow -CPU models to report the feature when host supports it. - -Signed-off-by: Cathy Zhang -Reviewed-by: Xiaoyao Li -Reviewed-by: Tao Xu -Message-Id: <1571729728-23284-2-git-send-email-cathy.zhang@intel.com> -Signed-off-by: Eduardo Habkost -Signed-off-by: Bruce Rogers ---- - target/i386/cpu.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/target/i386/cpu.h b/target/i386/cpu.h -index cde2a16b941adeb1123d5d7411f3..39d37e12256069b92c7998590849 100644 ---- a/target/i386/cpu.h -+++ b/target/i386/cpu.h -@@ -838,6 +838,7 @@ typedef uint64_t FeatureWordArray[FEATURE_WORDS]; - #define MSR_ARCH_CAP_RSBA (1U << 2) - #define MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY (1U << 3) - #define MSR_ARCH_CAP_SSB_NO (1U << 4) -+#define MSR_ARCH_CAP_MDS_NO (1U << 5) - - #define MSR_CORE_CAP_SPLIT_LOCK_DETECT (1U << 5) - diff --git a/packaging/i386-Add-macro-for-stibp.patch b/packaging/i386-Add-macro-for-stibp.patch deleted file mode 100644 index a7103e82e..000000000 --- a/packaging/i386-Add-macro-for-stibp.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Cathy Zhang -Date: Tue, 22 Oct 2019 15:35:27 +0800 -Subject: i386: Add macro for stibp - -Git-commit: 5af514d0cb314f43bc53f2aefb437f6451d64d0c -References: jsc#SLE-7923 - -stibp feature is already added through the following commit. -https://github.com/qemu/qemu/commit/0e8916582991b9fd0b94850a8444b8b80d0a0955 - -Add a macro for it to allow CPU models to report it when host supports. - -Signed-off-by: Cathy Zhang -Reviewed-by: Xiaoyao Li -Reviewed-by: Tao Xu -Message-Id: <1571729728-23284-3-git-send-email-cathy.zhang@intel.com> -Signed-off-by: Eduardo Habkost -Signed-off-by: Bruce Rogers ---- - target/i386/cpu.h | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/target/i386/cpu.h b/target/i386/cpu.h -index 39d37e12256069b92c7998590849..af282936a785a25f651d0db1a8cf 100644 ---- a/target/i386/cpu.h -+++ b/target/i386/cpu.h -@@ -771,6 +771,8 @@ typedef uint64_t FeatureWordArray[FEATURE_WORDS]; - #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) - /* Speculation Control */ - #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) -+/* Single Thread Indirect Branch Predictors */ -+#define CPUID_7_0_EDX_STIBP (1U << 27) - /* Arch Capabilities */ - #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) - /* Core Capability */ diff --git a/packaging/i386-Add-new-CPU-model-Cooperlake.patch b/packaging/i386-Add-new-CPU-model-Cooperlake.patch deleted file mode 100644 index 24bcb4abc..000000000 --- a/packaging/i386-Add-new-CPU-model-Cooperlake.patch +++ /dev/null @@ -1,94 +0,0 @@ -From: Cathy Zhang -Date: Tue, 22 Oct 2019 15:35:28 +0800 -Subject: i386: Add new CPU model Cooperlake - -Git-commit: 22a866b6166db5caa4abaa6e656c2a431fa60726 -References: jsc#SLE-7923 - -Cooper Lake is intel's successor to Cascade Lake, the new -CPU model inherits features from Cascadelake-Server, while -add one platform associated new feature: AVX512_BF16. Meanwhile, -add STIBP for speculative execution. - -Signed-off-by: Cathy Zhang -Reviewed-by: Xiaoyao Li -Reviewed-by: Tao Xu -Message-Id: <1571729728-23284-4-git-send-email-cathy.zhang@intel.com> -Reviewed-by: Bruce Rogers -Signed-off-by: Eduardo Habkost -Signed-off-by: Bruce Rogers ---- - target/i386/cpu.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 60 insertions(+) - -diff --git a/target/i386/cpu.c b/target/i386/cpu.c -index 54e7f18a098c102d53ac8c768641..8a1993ac64bd763b7bb70c98b8b8 100644 ---- a/target/i386/cpu.c -+++ b/target/i386/cpu.c -@@ -3159,6 +3159,66 @@ static X86CPUDefinition builtin_x86_defs[] = { - { /* end of list */ } - } - }, -+ { -+ .name = "Cooperlake", -+ .level = 0xd, -+ .vendor = CPUID_VENDOR_INTEL, -+ .family = 6, -+ .model = 85, -+ .stepping = 10, -+ .features[FEAT_1_EDX] = -+ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX | -+ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA | -+ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 | -+ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE | -+ CPUID_DE | CPUID_FP87, -+ .features[FEAT_1_ECX] = -+ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES | -+ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | -+ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | -+ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 | -+ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE | -+ CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND, -+ .features[FEAT_8000_0001_EDX] = -+ CPUID_EXT2_LM | CPUID_EXT2_PDPE1GB | CPUID_EXT2_RDTSCP | -+ CPUID_EXT2_NX | CPUID_EXT2_SYSCALL, -+ .features[FEAT_8000_0001_ECX] = -+ CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH, -+ .features[FEAT_7_0_EBX] = -+ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 | -+ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP | -+ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID | -+ CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX | -+ CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_CLWB | -+ CPUID_7_0_EBX_AVX512F | CPUID_7_0_EBX_AVX512DQ | -+ CPUID_7_0_EBX_AVX512BW | CPUID_7_0_EBX_AVX512CD | -+ CPUID_7_0_EBX_AVX512VL | CPUID_7_0_EBX_CLFLUSHOPT, -+ .features[FEAT_7_0_ECX] = -+ CPUID_7_0_ECX_PKU | -+ CPUID_7_0_ECX_AVX512VNNI, -+ .features[FEAT_7_0_EDX] = -+ CPUID_7_0_EDX_SPEC_CTRL | CPUID_7_0_EDX_STIBP | -+ CPUID_7_0_EDX_SPEC_CTRL_SSBD | CPUID_7_0_EDX_ARCH_CAPABILITIES, -+ .features[FEAT_ARCH_CAPABILITIES] = -+ MSR_ARCH_CAP_RDCL_NO | MSR_ARCH_CAP_IBRS_ALL | -+ MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY | MSR_ARCH_CAP_MDS_NO, -+ .features[FEAT_7_1_EAX] = -+ CPUID_7_1_EAX_AVX512_BF16, -+ /* -+ * Missing: XSAVES (not supported by some Linux versions, -+ * including v4.1 to v4.12). -+ * KVM doesn't yet expose any XSAVES state save component, -+ * and the only one defined in Skylake (processor tracing) -+ * probably will block migration anyway. -+ */ -+ .features[FEAT_XSAVE] = -+ CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | -+ CPUID_XSAVE_XGETBV1, -+ .features[FEAT_6_EAX] = -+ CPUID_6_EAX_ARAT, -+ .xlevel = 0x80000008, -+ .model_id = "Intel Xeon Processor (Cooperlake)", -+ }, - { - .name = "Icelake-Client", - .level = 0xd, diff --git a/packaging/i386-acpi-Remove-_HID-from-the-SMBus-ACP.patch b/packaging/i386-acpi-Remove-_HID-from-the-SMBus-ACP.patch deleted file mode 100644 index 3a6207bdb..000000000 --- a/packaging/i386-acpi-Remove-_HID-from-the-SMBus-ACP.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Corey Minyard -Date: Mon, 20 Jan 2020 11:07:25 -0600 -Subject: i386:acpi: Remove _HID from the SMBus ACPI entry - -Git-commit: aefcaf9d1b3ebb30981627bd08f595211a648a62 - -Per the ACPI spec (version 6.1, section 6.1.5 _HID) it is not required -on enumerated buses (like PCI in this case), _ADR is required (and is -already there). And the _HID value is wrong. Linux appears to ignore -the _HID entry, but Windows 10 detects it as 'Unknown Device' and there -is no driver available. See https://bugs.launchpad.net/qemu/+bug/1856724 - -Signed-off-by: Corey Minyard -Cc: Michael S. Tsirkin -Cc: Igor Mammedov -Reviewed-by: Igor Mammedov -Message-Id: <20200120170725.24935-6-minyard@acm.org> -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Bruce Rogers -[BR: Binary patch part of commit was dropped] ---- - hw/i386/acpi-build.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c -index 90a9c2ce6f8c01221efc56f63f79..b1ad2cb79c09e6c9ffb232acfff1 100644 ---- a/hw/i386/acpi-build.c -+++ b/hw/i386/acpi-build.c -@@ -1815,7 +1815,6 @@ static void build_smb0(Aml *table, I2CBus *smbus, int devnr, int func) - Aml *scope = aml_scope("_SB.PCI0"); - Aml *dev = aml_device("SMB0"); - -- aml_append(dev, aml_name_decl("_HID", aml_eisaid("APP0005"))); - aml_append(dev, aml_name_decl("_ADR", aml_int(devnr << 16 | func))); - build_acpi_ipmi_devices(dev, BUS(smbus), "\\_SB.PCI0.SMB0"); - aml_append(scope, dev); diff --git a/packaging/i8254-Fix-migration-from-SLE11-SP2.patch b/packaging/i8254-Fix-migration-from-SLE11-SP2.patch deleted file mode 100644 index a68241a43..000000000 --- a/packaging/i8254-Fix-migration-from-SLE11-SP2.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: =?UTF-8?q?Andreas=20F=C3=A4rber?= -Date: Wed, 31 Jul 2013 17:05:29 +0200 -Subject: i8254: Fix migration from SLE11 SP2 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -References: bnc#812836 - -qemu-kvm 0.15 had a VMSTATE_UINT32(flags, PITState) field that -qemu 1.4 does not have. - -Signed-off-by: Andreas Färber ---- - hw/timer/i8254_common.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/hw/timer/i8254_common.c b/hw/timer/i8254_common.c -index 050875b49738809ac586ba9ed259..59aa28b8a72590e7fdda0feecefe 100644 ---- a/hw/timer/i8254_common.c -+++ b/hw/timer/i8254_common.c -@@ -224,6 +224,12 @@ static int pit_dispatch_post_load(void *opaque, int version_id) - return 0; - } - -+static bool is_qemu_kvm(void *opaque, int version_id) -+{ -+ /* HACK: We ignore incoming migration from upstream qemu */ -+ return version_id < 3; -+} -+ - static const VMStateDescription vmstate_pit_common = { - .name = "i8254", - .version_id = 3, -@@ -231,6 +237,7 @@ static const VMStateDescription vmstate_pit_common = { - .pre_save = pit_dispatch_pre_save, - .post_load = pit_dispatch_post_load, - .fields = (VMStateField[]) { -+ VMSTATE_UNUSED_TEST(is_qemu_kvm, 4), - VMSTATE_UINT32_V(channels[0].irq_disabled, PITCommonState, 3), - VMSTATE_STRUCT_ARRAY(channels, PITCommonState, 3, 2, - vmstate_pit_channel, PITChannelState), diff --git a/packaging/ide-atapi-assert-that-the-buffer-pointer.patch b/packaging/ide-atapi-assert-that-the-buffer-pointer.patch deleted file mode 100644 index 41333805b..000000000 --- a/packaging/ide-atapi-assert-that-the-buffer-pointer.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 1 Dec 2020 13:09:26 +0100 -Subject: ide: atapi: assert that the buffer pointer is in range - -Git-commit: 813212288970c39b1800f63e83ac6e96588095c6 -References: bsc#1181108, CVE-2020-29443 - -A case was reported where s->io_buffer_index can be out of range. -The report skimped on the details but it seems to be triggered -by s->lba == -1 on the READ/READ CD paths (e.g. by sending an -ATAPI command with LBA = 0xFFFFFFFF). For now paper over it -with assertions. The first one ensures that there is no overflow -when incrementing s->io_buffer_index, the second checks for the -buffer overrun. - -Note that the buffer overrun is only a read, so I am not sure -if the assertion failure is actually less harmful than the overrun. - -Signed-off-by: Paolo Bonzini -Message-id: 20201201120926.56559-1-pbonzini@redhat.com -Reviewed-by: Kevin Wolf -Signed-off-by: Peter Maydell -Signed-off-by: Bruce Rogers ---- - hw/ide/atapi.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c -index 17a9d635d8426684512d2a37bfa6..5e9a60c4595262a451cdacf75fdf 100644 ---- a/hw/ide/atapi.c -+++ b/hw/ide/atapi.c -@@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s) - s->packet_transfer_size -= size; - s->elementary_transfer_size -= size; - s->io_buffer_index += size; -+ assert(size <= s->io_buffer_total_len); -+ assert(s->io_buffer_index <= s->io_buffer_total_len); - - /* Some adapters process PIO data right away. In that case, we need - * to avoid mutual recursion between ide_transfer_start diff --git a/packaging/imx7-ccm-add-digprog-mmio-write-method.patch b/packaging/imx7-ccm-add-digprog-mmio-write-method.patch deleted file mode 100644 index 440a83463..000000000 --- a/packaging/imx7-ccm-add-digprog-mmio-write-method.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Prasad J Pandit -Date: Tue, 11 Aug 2020 17:11:32 +0530 -Subject: imx7-ccm: add digprog mmio write method - -Git-commit: 735754aaa15a6ed46db51fd731e88331c446ea54 -References: bsc#1173612, CVE-2020-15469 - -Add digprog mmio write method to avoid assert failure during -initialisation. - -Reviewed-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-Id: <20200811114133.672647-9-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Bruce Rogers ---- - hw/misc/imx7_ccm.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/misc/imx7_ccm.c b/hw/misc/imx7_ccm.c -index 02fc1ae8d09e30e8caed6aebdca1..075159e497b1a76b14a9ed041ba0 100644 ---- a/hw/misc/imx7_ccm.c -+++ b/hw/misc/imx7_ccm.c -@@ -131,8 +131,16 @@ static const struct MemoryRegionOps imx7_set_clr_tog_ops = { - }, - }; - -+static void imx7_digprog_write(void *opaque, hwaddr addr, -+ uint64_t data, unsigned size) -+{ -+ qemu_log_mask(LOG_GUEST_ERROR, -+ "Guest write to read-only ANALOG_DIGPROG register\n"); -+} -+ - static const struct MemoryRegionOps imx7_digprog_ops = { - .read = imx7_set_clr_tog_read, -+ .write = imx7_digprog_write, - .endianness = DEVICE_NATIVE_ENDIAN, - .impl = { - .min_access_size = 4, diff --git a/packaging/increase-x86_64-physical-bits-to-42.patch b/packaging/increase-x86_64-physical-bits-to-42.patch deleted file mode 100644 index c637758bc..000000000 --- a/packaging/increase-x86_64-physical-bits-to-42.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Bruce Rogers -Date: Fri, 17 May 2013 16:49:58 -0600 -Subject: increase x86_64 physical bits to 42 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Allow for guests with higher amounts of ram. The current thought -is that 2TB specified on qemu commandline would be an appropriate -limit. Note that this requires the next higher bit value since -the highest address is actually more than 2TB due to the pci -memory hole. - -Signed-off-by: Bruce Rogers -Signed-off-by: Andreas Färber ---- - target/i386/cpu.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/target/i386/cpu.h b/target/i386/cpu.h -index 7bfbf2a5e57d09dfbe8d02d0db1d..f89096d618bbc8433774769452ea 100644 ---- a/target/i386/cpu.h -+++ b/target/i386/cpu.h -@@ -1937,7 +1937,7 @@ uint64_t cpu_get_tsc(CPUX86State *env); - /* XXX: This value should match the one returned by CPUID - * and in exec.c */ - # if defined(TARGET_X86_64) --# define TCG_PHYS_ADDR_BITS 40 -+# define TCG_PHYS_ADDR_BITS 42 - # else - # define TCG_PHYS_ADDR_BITS 36 - # endif diff --git a/packaging/iotests-Provide-a-function-for-checking-.patch b/packaging/iotests-Provide-a-function-for-checking-.patch deleted file mode 100644 index 81d3cda27..000000000 --- a/packaging/iotests-Provide-a-function-for-checking-.patch +++ /dev/null @@ -1,82 +0,0 @@ -From: Thomas Huth -Date: Wed, 4 Dec 2019 16:46:12 +0100 -Subject: iotests: Provide a function for checking the creation of huge files -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 30729ae93b7e123e472a2d42792134ae39bf9df0 - -Some tests create huge (but sparse) files, and to be able to run those -tests in certain limited environments (like CI containers), we have to -check for the possibility to create such files first. Thus let's introduce -a common function to check for large files, and replace the already -existing checks in the iotests 005 and 220 with this function. - -Reviewed-by: Alex Bennée -Signed-off-by: Thomas Huth -Reviewed-by: Cleber Rosa -Tested-by: Cleber Rosa -Reviewed-by: Philippe Mathieu-Daudé -Message-Id: <20191204154618.23560-2-thuth@redhat.com> -Signed-off-by: Alex Bennée -Signed-off-by: Bruce Rogers ---- - tests/qemu-iotests/005 | 5 +---- - tests/qemu-iotests/220 | 6 ++---- - tests/qemu-iotests/common.rc | 10 ++++++++++ - 3 files changed, 13 insertions(+), 8 deletions(-) - -diff --git a/tests/qemu-iotests/005 b/tests/qemu-iotests/005 -index 58442762fe366d0f5eb9bf7a1860..b6d03ac37deabcbf6372ffb17113 100755 ---- a/tests/qemu-iotests/005 -+++ b/tests/qemu-iotests/005 -@@ -59,10 +59,7 @@ fi - # Sanity check: For raw, we require a file system that permits the creation - # of a HUGE (but very sparse) file. Check we can create it before continuing. - if [ "$IMGFMT" = "raw" ]; then -- if ! truncate --size=5T "$TEST_IMG"; then -- _notrun "file system on $TEST_DIR does not support large enough files" -- fi -- rm "$TEST_IMG" -+ _require_large_file 5T - fi - - echo -diff --git a/tests/qemu-iotests/220 b/tests/qemu-iotests/220 -index 2d62c5dcac2a258ed82cd4bca775..15159270d33550e4649a25fe772e 100755 ---- a/tests/qemu-iotests/220 -+++ b/tests/qemu-iotests/220 -@@ -42,10 +42,8 @@ echo "== Creating huge file ==" - - # Sanity check: We require a file system that permits the creation - # of a HUGE (but very sparse) file. tmpfs works, ext4 does not. --if ! truncate --size=513T "$TEST_IMG"; then -- _notrun "file system on $TEST_DIR does not support large enough files" --fi --rm "$TEST_IMG" -+_require_large_file 513T -+ - IMGOPTS='cluster_size=2M,refcount_bits=1' _make_test_img 513T - - echo "== Populating refcounts ==" -diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc -index 538eb349e69e07d2401ef9aeef2a..315a9a8a4690d68abc0eb5fa83fd 100644 ---- a/tests/qemu-iotests/common.rc -+++ b/tests/qemu-iotests/common.rc -@@ -656,5 +656,15 @@ _require_drivers() - done - } - -+# Check that we have a file system that allows huge (but very sparse) files -+# -+_require_large_file() -+{ -+ if ! truncate --size="$1" "$TEST_IMG"; then -+ _notrun "file system on $TEST_DIR does not support large enough files" -+ fi -+ rm "$TEST_IMG" -+} -+ - # make sure this script returns success - true diff --git a/packaging/iotests-Skip-test-060-if-it-is-not-possi.patch b/packaging/iotests-Skip-test-060-if-it-is-not-possi.patch deleted file mode 100644 index 0e00de57f..000000000 --- a/packaging/iotests-Skip-test-060-if-it-is-not-possi.patch +++ /dev/null @@ -1,33 +0,0 @@ -From: Thomas Huth -Date: Mon, 2 Dec 2019 11:16:30 +0100 -Subject: iotests: Skip test 060 if it is not possible to create large files - -Git-commit: efd0e5a1215bbdfd28168485800f5cfec9735cf8 - -Test 060 fails in the arm64, s390x and ppc64le LXD containers on Travis -(which we will hopefully enable in our CI soon). These containers -apparently do not allow large files to be created. The repair process -in test 060 creates a file of 64 GiB, so test first whether such large -files are possible and skip the test if that's not the case. - -Signed-off-by: Thomas Huth -Signed-off-by: Kevin Wolf -Signed-off-by: Bruce Rogers ---- - tests/qemu-iotests/060 | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/tests/qemu-iotests/060 b/tests/qemu-iotests/060 -index b91d8321bb8d20d1033a3081acf4..d96f17a4846979aa3cb86c8388fa 100755 ---- a/tests/qemu-iotests/060 -+++ b/tests/qemu-iotests/060 -@@ -49,6 +49,9 @@ _supported_fmt qcow2 - _supported_proto file - _supported_os Linux - -+# The repair process will create a large file - so check for availability first -+_require_large_file 64G -+ - rt_offset=65536 # 0x10000 (XXX: just an assumption) - rb_offset=131072 # 0x20000 (XXX: just an assumption) - l1_offset=196608 # 0x30000 (XXX: just an assumption) diff --git a/packaging/iotests-Skip-test-079-if-it-is-not-possi.patch b/packaging/iotests-Skip-test-079-if-it-is-not-possi.patch deleted file mode 100644 index 6ed7aab52..000000000 --- a/packaging/iotests-Skip-test-079-if-it-is-not-possi.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Thomas Huth -Date: Mon, 2 Dec 2019 11:16:31 +0100 -Subject: iotests: Skip test 079 if it is not possible to create large files - -Git-commit: e28582fdb28b2e8b29a351c20b0c8f1af4120688 - -Test 079 fails in the arm64, s390x and ppc64le LXD containers on Travis -(which we will hopefully enable in our CI soon). These containers -apparently do not allow large files to be created. Test 079 tries to -create a 4G sparse file, which is apparently already too big for these -containers, so check first whether we can really create such files before -executing the test. - -Signed-off-by: Thomas Huth -Signed-off-by: Kevin Wolf -Signed-off-by: Bruce Rogers ---- - tests/qemu-iotests/079 | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/tests/qemu-iotests/079 b/tests/qemu-iotests/079 -index 81f0c21f530287b2c833eefd735d..78536d3bbfa01fc0575d31d1f680 100755 ---- a/tests/qemu-iotests/079 -+++ b/tests/qemu-iotests/079 -@@ -39,6 +39,9 @@ trap "_cleanup; exit \$status" 0 1 2 3 15 - _supported_fmt qcow2 - _supported_proto file nfs - -+# Some containers (e.g. non-x86 on Travis) do not allow large files -+_require_large_file 4G -+ - echo "=== Check option preallocation and cluster_size ===" - echo - cluster_sizes="16384 32768 65536 131072 262144 524288 1048576 2097152 4194304" diff --git a/packaging/ipxe-Makefile-fix-issues-of-build-reprod.patch b/packaging/ipxe-Makefile-fix-issues-of-build-reprod.patch deleted file mode 100644 index f5fe58a84..000000000 --- a/packaging/ipxe-Makefile-fix-issues-of-build-reprod.patch +++ /dev/null @@ -1,49 +0,0 @@ -From: Bruce Rogers -Date: Thu, 27 Jun 2019 10:15:24 -0600 -Subject: ipxe:Makefile: fix issues of build reproducibility - -References: bsc#1011213 - -It is desirable to produce the same bits on subsequent -builds when the actual code of the package doesn't -change. (bsc#1011213) - -Signed-off-by: Bruce Rogers ---- - src/Makefile.housekeeping | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/roms/ipxe/src/Makefile.housekeeping b/roms/ipxe/src/Makefile.housekeeping -index f8334921b8b93cbd03f0a0de9910..97fa325bb52314e05192d0414436 100644 ---- a/roms/ipxe/src/Makefile.housekeeping -+++ b/roms/ipxe/src/Makefile.housekeeping -@@ -1162,11 +1162,18 @@ blib : $(BLIB) - # Command to generate build ID. Must be unique for each $(BIN)/%.tmp, - # even within the same build run. - # --BUILD_ID_CMD := perl -e 'printf "0x%08x", int ( rand ( 0xffffffff ) );' -+# NB: In the case of the SUSE qemu-ipxe package we want reproducible -+# builds, so we just use the TGT_ROM_NAME variable, which is already -+# a unique (in the context of the files we generate) hex value suitable -+# for specifying the build_id. We no longer define a BUILD_ID_CMD, as -+# we need to use the TGT_ROM_NAME variable directly in the link command - - # Build timestamp - # --BUILD_TIMESTAMP := $(shell date +%s) -+# NB: In the case of the SUSE qemu-ipxe package we want reproducible -+# builds, so we use a pre-determined timestamp, rather than the current -+# timestamp -+BUILD_TIMESTAMP := $(PACKAGING_TIMESTAMP) - - # Build version - # -@@ -1186,7 +1193,7 @@ $(BIN)/version.%.o : core/version.c $(MAKEDEPS) $(GIT_INDEX) - $(BIN)/%.tmp : $(BIN)/version.%.o $(BLIB) $(MAKEDEPS) $(LDSCRIPT) - $(QM)$(ECHO) " [LD] $@" - $(Q)$(LD) $(LDFLAGS) -T $(LDSCRIPT) $(TGT_LD_FLAGS) $< $(BLIB) -o $@ \ -- --defsym _build_id=`$(BUILD_ID_CMD)` \ -+ --defsym _build_id=`$(PRINTF) "0x%b" "$(TGT_ROM_NAME)"` \ - --defsym _build_timestamp=$(BUILD_TIMESTAMP) \ - -Map $(BIN)/$*.tmp.map - $(Q)$(OBJDUMP) -ht $@ | $(PERL) $(SORTOBJDUMP) >> $(BIN)/$*.tmp.map diff --git a/packaging/lan9118-switch-to-use-qemu_receive_packe.patch b/packaging/lan9118-switch-to-use-qemu_receive_packe.patch deleted file mode 100644 index e0416ea5d..000000000 --- a/packaging/lan9118-switch-to-use-qemu_receive_packe.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Alexander Bulekov -Date: Mon, 1 Mar 2021 14:35:30 -0500 -Subject: lan9118: switch to use qemu_receive_packet() for loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 37cee01784ff0df13e5209517e1b3594a5e792d1 - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Jason Wang -Signed-off-by: Bruce Rogers ---- - hw/net/lan9118.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c -index ed551f2178b005864f3a53f1891c..7bb4633f0fb826cdb5ca63c68ce1 100644 ---- a/hw/net/lan9118.c -+++ b/hw/net/lan9118.c -@@ -667,7 +667,7 @@ static void do_tx_packet(lan9118_state *s) - /* FIXME: Honor TX disable, and allow queueing of packets. */ - if (s->phy_control & 0x4000) { - /* This assumes the receive routine doesn't touch the VLANClient. */ -- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len); -+ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); - } else { - qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); - } diff --git a/packaging/linux-headers-Update-against-Linux-5.5-1.patch b/packaging/linux-headers-Update-against-Linux-5.5-1.patch deleted file mode 100644 index fbe33c8e3..000000000 --- a/packaging/linux-headers-Update-against-Linux-5.5-1.patch +++ /dev/null @@ -1,217 +0,0 @@ -From: Greg Kurz -Date: Tue, 26 Nov 2019 17:46:17 +0100 -Subject: linux-headers: Update against Linux 5.5-1 - -Git-commit: 2a886794f1969020845d0085a41a884e01b357df -References: bsc#1179719 - -Update to mainline commit be2eca94d144 ("Merge tag 'for-linus-5.5-1'` -of git://github.com/cminyard/linux-ipmi") - -Signed-off-by: Greg Kurz -Message-Id: <157478677756.67101.11558821804418331832.stgit@bahia.tlslab.ibm.com> -Signed-off-by: David Gibson -Signed-off-by: Liang Yan ---- - include/standard-headers/linux/ethtool.h | 6 ++++++ - include/standard-headers/linux/virtio_ring.h | 2 +- - linux-headers/asm-arm/kvm.h | 3 ++- - linux-headers/asm-arm64/kvm.h | 5 ++++- - linux-headers/asm-mips/unistd_n32.h | 1 + - linux-headers/asm-mips/unistd_n64.h | 1 + - linux-headers/asm-mips/unistd_o32.h | 1 + - linux-headers/asm-powerpc/kvm.h | 3 +++ - linux-headers/linux/kvm.h | 11 +++++++++++ - linux-headers/linux/psp-sev.h | 3 +++ - 10 files changed, 33 insertions(+), 3 deletions(-) - -diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h -index 4ff422b635dbf02859b8665612cc..6e8a10ee10751b19ccaad191d38c 100644 ---- a/include/standard-headers/linux/ethtool.h -+++ b/include/standard-headers/linux/ethtool.h -@@ -1507,6 +1507,11 @@ enum ethtool_link_mode_bit_indices { - ETHTOOL_LINK_MODE_200000baseCR4_Full_BIT = 66, - ETHTOOL_LINK_MODE_100baseT1_Full_BIT = 67, - ETHTOOL_LINK_MODE_1000baseT1_Full_BIT = 68, -+ ETHTOOL_LINK_MODE_400000baseKR8_Full_BIT = 69, -+ ETHTOOL_LINK_MODE_400000baseSR8_Full_BIT = 70, -+ ETHTOOL_LINK_MODE_400000baseLR8_ER8_FR8_Full_BIT = 71, -+ ETHTOOL_LINK_MODE_400000baseDR8_Full_BIT = 72, -+ ETHTOOL_LINK_MODE_400000baseCR8_Full_BIT = 73, - - /* must be last entry */ - __ETHTOOL_LINK_MODE_MASK_NBITS -@@ -1618,6 +1623,7 @@ enum ethtool_link_mode_bit_indices { - #define SPEED_56000 56000 - #define SPEED_100000 100000 - #define SPEED_200000 200000 -+#define SPEED_400000 400000 - - #define SPEED_UNKNOWN -1 - -diff --git a/include/standard-headers/linux/virtio_ring.h b/include/standard-headers/linux/virtio_ring.h -index 306cd41147be7a21c1fa9db6a98e..f230fed479601c06c40b1a82aae1 100644 ---- a/include/standard-headers/linux/virtio_ring.h -+++ b/include/standard-headers/linux/virtio_ring.h -@@ -167,7 +167,7 @@ static inline void vring_init(struct vring *vr, unsigned int num, void *p, - { - vr->num = num; - vr->desc = p; -- vr->avail = p + num*sizeof(struct vring_desc); -+ vr->avail = (struct vring_avail *)((char *)p + num * sizeof(struct vring_desc)); - vr->used = (void *)(((uintptr_t)&vr->avail->ring[num] + sizeof(__virtio16) - + align-1) & ~(align - 1)); - } -diff --git a/linux-headers/asm-arm/kvm.h b/linux-headers/asm-arm/kvm.h -index 9d379d337298a8ac9025e2bf6078..0db5644e27afbe44012af7c3182c 100644 ---- a/linux-headers/asm-arm/kvm.h -+++ b/linux-headers/asm-arm/kvm.h -@@ -131,8 +131,9 @@ struct kvm_vcpu_events { - struct { - __u8 serror_pending; - __u8 serror_has_esr; -+ __u8 ext_dabt_pending; - /* Align it to 8 bytes */ -- __u8 pad[6]; -+ __u8 pad[5]; - __u64 serror_esr; - } exception; - __u32 reserved[12]; -diff --git a/linux-headers/asm-arm64/kvm.h b/linux-headers/asm-arm64/kvm.h -index 0ce6e49f3a19f1e5edb95c1b8a1f..920af01c8b9029db521c55e93aaa 100644 ---- a/linux-headers/asm-arm64/kvm.h -+++ b/linux-headers/asm-arm64/kvm.h -@@ -164,8 +164,9 @@ struct kvm_vcpu_events { - struct { - __u8 serror_pending; - __u8 serror_has_esr; -+ __u8 ext_dabt_pending; - /* Align it to 8 bytes */ -- __u8 pad[6]; -+ __u8 pad[5]; - __u64 serror_esr; - } exception; - __u32 reserved[12]; -@@ -323,6 +324,8 @@ struct kvm_vcpu_events { - #define KVM_ARM_VCPU_TIMER_CTRL 1 - #define KVM_ARM_VCPU_TIMER_IRQ_VTIMER 0 - #define KVM_ARM_VCPU_TIMER_IRQ_PTIMER 1 -+#define KVM_ARM_VCPU_PVTIME_CTRL 2 -+#define KVM_ARM_VCPU_PVTIME_IPA 0 - - /* KVM_IRQ_LINE irq field index values */ - #define KVM_ARM_IRQ_VCPU2_SHIFT 28 -diff --git a/linux-headers/asm-mips/unistd_n32.h b/linux-headers/asm-mips/unistd_n32.h -index 7dffe8e34e6316d8e05b37ee61fb..659d5c9ade4747959ec9b64c7ad7 100644 ---- a/linux-headers/asm-mips/unistd_n32.h -+++ b/linux-headers/asm-mips/unistd_n32.h -@@ -364,6 +364,7 @@ - #define __NR_fsmount (__NR_Linux + 432) - #define __NR_fspick (__NR_Linux + 433) - #define __NR_pidfd_open (__NR_Linux + 434) -+#define __NR_clone3 (__NR_Linux + 435) - - - #endif /* _ASM_MIPS_UNISTD_N32_H */ -diff --git a/linux-headers/asm-mips/unistd_n64.h b/linux-headers/asm-mips/unistd_n64.h -index f4592d6fc50c8624b299b489e47c..4b6310a05c235087cbf6f09b558d 100644 ---- a/linux-headers/asm-mips/unistd_n64.h -+++ b/linux-headers/asm-mips/unistd_n64.h -@@ -340,6 +340,7 @@ - #define __NR_fsmount (__NR_Linux + 432) - #define __NR_fspick (__NR_Linux + 433) - #define __NR_pidfd_open (__NR_Linux + 434) -+#define __NR_clone3 (__NR_Linux + 435) - - - #endif /* _ASM_MIPS_UNISTD_N64_H */ -diff --git a/linux-headers/asm-mips/unistd_o32.h b/linux-headers/asm-mips/unistd_o32.h -index 04c6728352a548f07f12fde93db2..4ce7b4e288a53503422a21719e92 100644 ---- a/linux-headers/asm-mips/unistd_o32.h -+++ b/linux-headers/asm-mips/unistd_o32.h -@@ -410,6 +410,7 @@ - #define __NR_fsmount (__NR_Linux + 432) - #define __NR_fspick (__NR_Linux + 433) - #define __NR_pidfd_open (__NR_Linux + 434) -+#define __NR_clone3 (__NR_Linux + 435) - - - #endif /* _ASM_MIPS_UNISTD_O32_H */ -diff --git a/linux-headers/asm-powerpc/kvm.h b/linux-headers/asm-powerpc/kvm.h -index b0f72dea8b11ac689c990971dbf7..264e266a85bf6a99c5b27b47733a 100644 ---- a/linux-headers/asm-powerpc/kvm.h -+++ b/linux-headers/asm-powerpc/kvm.h -@@ -667,6 +667,8 @@ struct kvm_ppc_cpu_char { - - /* PPC64 eXternal Interrupt Controller Specification */ - #define KVM_DEV_XICS_GRP_SOURCES 1 /* 64-bit source attributes */ -+#define KVM_DEV_XICS_GRP_CTRL 2 -+#define KVM_DEV_XICS_NR_SERVERS 1 - - /* Layout of 64-bit source attribute values */ - #define KVM_XICS_DESTINATION_SHIFT 0 -@@ -683,6 +685,7 @@ struct kvm_ppc_cpu_char { - #define KVM_DEV_XIVE_GRP_CTRL 1 - #define KVM_DEV_XIVE_RESET 1 - #define KVM_DEV_XIVE_EQ_SYNC 2 -+#define KVM_DEV_XIVE_NR_SERVERS 3 - #define KVM_DEV_XIVE_GRP_SOURCE 2 /* 64-bit source identifier */ - #define KVM_DEV_XIVE_GRP_SOURCE_CONFIG 3 /* 64-bit source identifier */ - #define KVM_DEV_XIVE_GRP_EQ_CONFIG 4 /* 64-bit EQ identifier */ -diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h -index 3d9b18f7f871acd0d13a0c42f184..3b27a1ae85cc144fd92ecd0e2352 100644 ---- a/linux-headers/linux/kvm.h -+++ b/linux-headers/linux/kvm.h -@@ -235,6 +235,7 @@ struct kvm_hyperv_exit { - #define KVM_EXIT_S390_STSI 25 - #define KVM_EXIT_IOAPIC_EOI 26 - #define KVM_EXIT_HYPERV 27 -+#define KVM_EXIT_ARM_NISV 28 - - /* For KVM_EXIT_INTERNAL_ERROR */ - /* Emulate instruction failed. */ -@@ -394,6 +395,11 @@ struct kvm_run { - } eoi; - /* KVM_EXIT_HYPERV */ - struct kvm_hyperv_exit hyperv; -+ /* KVM_EXIT_ARM_NISV */ -+ struct { -+ __u64 esr_iss; -+ __u64 fault_ipa; -+ } arm_nisv; - /* Fix the size of the union. */ - char padding[256]; - }; -@@ -1000,6 +1006,9 @@ struct kvm_ppc_resize_hpt { - #define KVM_CAP_PMU_EVENT_FILTER 173 - #define KVM_CAP_ARM_IRQ_LINE_LAYOUT_2 174 - #define KVM_CAP_HYPERV_DIRECT_TLBFLUSH 175 -+#define KVM_CAP_PPC_GUEST_DEBUG_SSTEP 176 -+#define KVM_CAP_ARM_NISV_TO_USER 177 -+#define KVM_CAP_ARM_INJECT_EXT_DABT 178 - - #ifdef KVM_CAP_IRQ_ROUTING - -@@ -1227,6 +1236,8 @@ enum kvm_device_type { - #define KVM_DEV_TYPE_ARM_VGIC_ITS KVM_DEV_TYPE_ARM_VGIC_ITS - KVM_DEV_TYPE_XIVE, - #define KVM_DEV_TYPE_XIVE KVM_DEV_TYPE_XIVE -+ KVM_DEV_TYPE_ARM_PV_TIME, -+#define KVM_DEV_TYPE_ARM_PV_TIME KVM_DEV_TYPE_ARM_PV_TIME - KVM_DEV_TYPE_MAX, - }; - -diff --git a/linux-headers/linux/psp-sev.h b/linux-headers/linux/psp-sev.h -index 34c39690c09d61e88603f49ab5f1..31f971e89659b667eccc0d089599 100644 ---- a/linux-headers/linux/psp-sev.h -+++ b/linux-headers/linux/psp-sev.h -@@ -58,6 +58,9 @@ typedef enum { - SEV_RET_HWSEV_RET_PLATFORM, - SEV_RET_HWSEV_RET_UNSAFE, - SEV_RET_UNSUPPORTED, -+ SEV_RET_INVALID_PARAM, -+ SEV_RET_RESOURCE_LIMIT, -+ SEV_RET_SECURE_DATA_INVALID, - SEV_RET_MAX, - } sev_ret_code; - diff --git a/packaging/linux-headers-Update-against-Linux-5.5-r.patch b/packaging/linux-headers-Update-against-Linux-5.5-r.patch deleted file mode 100644 index 8dea10133..000000000 --- a/packaging/linux-headers-Update-against-Linux-5.5-r.patch +++ /dev/null @@ -1,278 +0,0 @@ -From: Bharata B Rao -Date: Thu, 19 Dec 2019 08:44:44 +0530 -Subject: linux-headers: Update against Linux 5.5-rc2 - -Git-commit: 50fd0c375bef09d22b6828972c4ed4f945c95ed8 -References: bsc#1179719 - -Update to mainline commit: d1eef1c61974 ("Linux 5.5-rc2") - -Signed-off-by: Bharata B Rao -Message-Id: <20191219031445.8949-2-bharata@linux.ibm.com> -Signed-off-by: David Gibson -Signed-off-by: Liang Yan ---- - include/standard-headers/asm-x86/bootparam.h | 7 +- - .../infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h | 15 +++- - include/standard-headers/drm/drm_fourcc.h | 28 ++++++- - .../linux/input-event-codes.h | 77 +++++++++++++++++++ - include/standard-headers/linux/pci_regs.h | 3 + - .../standard-headers/rdma/vmw_pvrdma-abi.h | 5 ++ - linux-headers/linux/kvm.h | 1 + - 7 files changed, 132 insertions(+), 4 deletions(-) - -diff --git a/include/standard-headers/asm-x86/bootparam.h b/include/standard-headers/asm-x86/bootparam.h -index a6f7cf535e1efe94f6c1f43c99a7..072e2ed5463ce4d72b1944812536 100644 ---- a/include/standard-headers/asm-x86/bootparam.h -+++ b/include/standard-headers/asm-x86/bootparam.h -@@ -2,7 +2,7 @@ - #ifndef _ASM_X86_BOOTPARAM_H - #define _ASM_X86_BOOTPARAM_H - --/* setup_data types */ -+/* setup_data/setup_indirect types */ - #define SETUP_NONE 0 - #define SETUP_E820_EXT 1 - #define SETUP_DTB 2 -@@ -11,6 +11,11 @@ - #define SETUP_APPLE_PROPERTIES 5 - #define SETUP_JAILHOUSE 6 - -+#define SETUP_INDIRECT (1<<31) -+ -+/* SETUP_INDIRECT | max(SETUP_*) */ -+#define SETUP_TYPE_MAX (SETUP_INDIRECT | SETUP_JAILHOUSE) -+ - /* ram_size flags */ - #define RAMDISK_IMAGE_START_MASK 0x07FF - #define RAMDISK_PROMPT_FLAG 0x8000 -diff --git a/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h b/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h -index d019872608d504437b3dd8644284..a5a1c8234ef9fec923496a35c94c 100644 ---- a/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h -+++ b/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_dev_api.h -@@ -58,7 +58,8 @@ - #define PVRDMA_ROCEV1_VERSION 17 - #define PVRDMA_ROCEV2_VERSION 18 - #define PVRDMA_PPN64_VERSION 19 --#define PVRDMA_VERSION PVRDMA_PPN64_VERSION -+#define PVRDMA_QPHANDLE_VERSION 20 -+#define PVRDMA_VERSION PVRDMA_QPHANDLE_VERSION - - #define PVRDMA_BOARD_ID 1 - #define PVRDMA_REV_ID 1 -@@ -581,6 +582,17 @@ struct pvrdma_cmd_create_qp_resp { - uint32_t max_inline_data; - }; - -+struct pvrdma_cmd_create_qp_resp_v2 { -+ struct pvrdma_cmd_resp_hdr hdr; -+ uint32_t qpn; -+ uint32_t qp_handle; -+ uint32_t max_send_wr; -+ uint32_t max_recv_wr; -+ uint32_t max_send_sge; -+ uint32_t max_recv_sge; -+ uint32_t max_inline_data; -+}; -+ - struct pvrdma_cmd_modify_qp { - struct pvrdma_cmd_hdr hdr; - uint32_t qp_handle; -@@ -663,6 +675,7 @@ union pvrdma_cmd_resp { - struct pvrdma_cmd_create_cq_resp create_cq_resp; - struct pvrdma_cmd_resize_cq_resp resize_cq_resp; - struct pvrdma_cmd_create_qp_resp create_qp_resp; -+ struct pvrdma_cmd_create_qp_resp_v2 create_qp_resp_v2; - struct pvrdma_cmd_query_qp_resp query_qp_resp; - struct pvrdma_cmd_destroy_qp_resp destroy_qp_resp; - struct pvrdma_cmd_create_srq_resp create_srq_resp; -diff --git a/include/standard-headers/drm/drm_fourcc.h b/include/standard-headers/drm/drm_fourcc.h -index a308c91b4f543255334fd039c6d3..46d279f51586bcbc097cc7f67347 100644 ---- a/include/standard-headers/drm/drm_fourcc.h -+++ b/include/standard-headers/drm/drm_fourcc.h -@@ -68,7 +68,7 @@ extern "C" { - #define fourcc_code(a, b, c, d) ((uint32_t)(a) | ((uint32_t)(b) << 8) | \ - ((uint32_t)(c) << 16) | ((uint32_t)(d) << 24)) - --#define DRM_FORMAT_BIG_ENDIAN (1<<31) /* format is big endian instead of little endian */ -+#define DRM_FORMAT_BIG_ENDIAN (1U<<31) /* format is big endian instead of little endian */ - - /* Reserve 0 for the invalid format specifier */ - #define DRM_FORMAT_INVALID 0 -@@ -647,7 +647,21 @@ extern "C" { - * Further information on the use of AFBC modifiers can be found in - * Documentation/gpu/afbc.rst - */ --#define DRM_FORMAT_MOD_ARM_AFBC(__afbc_mode) fourcc_mod_code(ARM, __afbc_mode) -+ -+/* -+ * The top 4 bits (out of the 56 bits alloted for specifying vendor specific -+ * modifiers) denote the category for modifiers. Currently we have only two -+ * categories of modifiers ie AFBC and MISC. We can have a maximum of sixteen -+ * different categories. -+ */ -+#define DRM_FORMAT_MOD_ARM_CODE(__type, __val) \ -+ fourcc_mod_code(ARM, ((uint64_t)(__type) << 52) | ((__val) & 0x000fffffffffffffULL)) -+ -+#define DRM_FORMAT_MOD_ARM_TYPE_AFBC 0x00 -+#define DRM_FORMAT_MOD_ARM_TYPE_MISC 0x01 -+ -+#define DRM_FORMAT_MOD_ARM_AFBC(__afbc_mode) \ -+ DRM_FORMAT_MOD_ARM_CODE(DRM_FORMAT_MOD_ARM_TYPE_AFBC, __afbc_mode) - - /* - * AFBC superblock size -@@ -741,6 +755,16 @@ extern "C" { - */ - #define AFBC_FORMAT_MOD_BCH (1ULL << 11) - -+/* -+ * Arm 16x16 Block U-Interleaved modifier -+ * -+ * This is used by Arm Mali Utgard and Midgard GPUs. It divides the image -+ * into 16x16 pixel blocks. Blocks are stored linearly in order, but pixels -+ * in the block are reordered. -+ */ -+#define DRM_FORMAT_MOD_ARM_16X16_BLOCK_U_INTERLEAVED \ -+ DRM_FORMAT_MOD_ARM_CODE(DRM_FORMAT_MOD_ARM_TYPE_MISC, 1ULL) -+ - /* - * Allwinner tiled modifier - * -diff --git a/include/standard-headers/linux/input-event-codes.h b/include/standard-headers/linux/input-event-codes.h -index eb08cb8598106f97fe1fc3b44e2d..b484c252897fd1183f30249987e4 100644 ---- a/include/standard-headers/linux/input-event-codes.h -+++ b/include/standard-headers/linux/input-event-codes.h -@@ -649,6 +649,83 @@ - */ - #define KEY_DATA 0x277 - #define KEY_ONSCREEN_KEYBOARD 0x278 -+/* Electronic privacy screen control */ -+#define KEY_PRIVACY_SCREEN_TOGGLE 0x279 -+ -+/* -+ * Some keyboards have keys which do not have a defined meaning, these keys -+ * are intended to be programmed / bound to macros by the user. For most -+ * keyboards with these macro-keys the key-sequence to inject, or action to -+ * take, is all handled by software on the host side. So from the kernel's -+ * point of view these are just normal keys. -+ * -+ * The KEY_MACRO# codes below are intended for such keys, which may be labeled -+ * e.g. G1-G18, or S1 - S30. The KEY_MACRO# codes MUST NOT be used for keys -+ * where the marking on the key does indicate a defined meaning / purpose. -+ * -+ * The KEY_MACRO# codes MUST also NOT be used as fallback for when no existing -+ * KEY_FOO define matches the marking / purpose. In this case a new KEY_FOO -+ * define MUST be added. -+ */ -+#define KEY_MACRO1 0x290 -+#define KEY_MACRO2 0x291 -+#define KEY_MACRO3 0x292 -+#define KEY_MACRO4 0x293 -+#define KEY_MACRO5 0x294 -+#define KEY_MACRO6 0x295 -+#define KEY_MACRO7 0x296 -+#define KEY_MACRO8 0x297 -+#define KEY_MACRO9 0x298 -+#define KEY_MACRO10 0x299 -+#define KEY_MACRO11 0x29a -+#define KEY_MACRO12 0x29b -+#define KEY_MACRO13 0x29c -+#define KEY_MACRO14 0x29d -+#define KEY_MACRO15 0x29e -+#define KEY_MACRO16 0x29f -+#define KEY_MACRO17 0x2a0 -+#define KEY_MACRO18 0x2a1 -+#define KEY_MACRO19 0x2a2 -+#define KEY_MACRO20 0x2a3 -+#define KEY_MACRO21 0x2a4 -+#define KEY_MACRO22 0x2a5 -+#define KEY_MACRO23 0x2a6 -+#define KEY_MACRO24 0x2a7 -+#define KEY_MACRO25 0x2a8 -+#define KEY_MACRO26 0x2a9 -+#define KEY_MACRO27 0x2aa -+#define KEY_MACRO28 0x2ab -+#define KEY_MACRO29 0x2ac -+#define KEY_MACRO30 0x2ad -+ -+/* -+ * Some keyboards with the macro-keys described above have some extra keys -+ * for controlling the host-side software responsible for the macro handling: -+ * -A macro recording start/stop key. Note that not all keyboards which emit -+ * KEY_MACRO_RECORD_START will also emit KEY_MACRO_RECORD_STOP if -+ * KEY_MACRO_RECORD_STOP is not advertised, then KEY_MACRO_RECORD_START -+ * should be interpreted as a recording start/stop toggle; -+ * -Keys for switching between different macro (pre)sets, either a key for -+ * cycling through the configured presets or keys to directly select a preset. -+ */ -+#define KEY_MACRO_RECORD_START 0x2b0 -+#define KEY_MACRO_RECORD_STOP 0x2b1 -+#define KEY_MACRO_PRESET_CYCLE 0x2b2 -+#define KEY_MACRO_PRESET1 0x2b3 -+#define KEY_MACRO_PRESET2 0x2b4 -+#define KEY_MACRO_PRESET3 0x2b5 -+ -+/* -+ * Some keyboards have a buildin LCD panel where the contents are controlled -+ * by the host. Often these have a number of keys directly below the LCD -+ * intended for controlling a menu shown on the LCD. These keys often don't -+ * have any labeling so we just name them KEY_KBD_LCD_MENU# -+ */ -+#define KEY_KBD_LCD_MENU1 0x2b8 -+#define KEY_KBD_LCD_MENU2 0x2b9 -+#define KEY_KBD_LCD_MENU3 0x2ba -+#define KEY_KBD_LCD_MENU4 0x2bb -+#define KEY_KBD_LCD_MENU5 0x2bc - - #define BTN_TRIGGER_HAPPY 0x2c0 - #define BTN_TRIGGER_HAPPY1 0x2c0 -diff --git a/include/standard-headers/linux/pci_regs.h b/include/standard-headers/linux/pci_regs.h -index 29d6e93fd15e3616f5969d0dc0db..acb7d2bdb419a49f2e6ed999f9ff 100644 ---- a/include/standard-headers/linux/pci_regs.h -+++ b/include/standard-headers/linux/pci_regs.h -@@ -34,6 +34,7 @@ - * of which the first 64 bytes are standardized as follows: - */ - #define PCI_STD_HEADER_SIZEOF 64 -+#define PCI_STD_NUM_BARS 6 /* Number of standard BARs */ - #define PCI_VENDOR_ID 0x00 /* 16 bits */ - #define PCI_DEVICE_ID 0x02 /* 16 bits */ - #define PCI_COMMAND 0x04 /* 16 bits */ -@@ -673,6 +674,8 @@ - #define PCI_EXP_LNKCTL2_TLS_8_0GT 0x0003 /* Supported Speed 8GT/s */ - #define PCI_EXP_LNKCTL2_TLS_16_0GT 0x0004 /* Supported Speed 16GT/s */ - #define PCI_EXP_LNKCTL2_TLS_32_0GT 0x0005 /* Supported Speed 32GT/s */ -+#define PCI_EXP_LNKCTL2_ENTER_COMP 0x0010 /* Enter Compliance */ -+#define PCI_EXP_LNKCTL2_TX_MARGIN 0x0380 /* Transmit Margin */ - #define PCI_EXP_LNKSTA2 50 /* Link Status 2 */ - #define PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 52 /* v2 endpoints with link end here */ - #define PCI_EXP_SLTCAP2 52 /* Slot Capabilities 2 */ -diff --git a/include/standard-headers/rdma/vmw_pvrdma-abi.h b/include/standard-headers/rdma/vmw_pvrdma-abi.h -index 336a8d596f2425479fd799d9d943..0989426a3f5288aab81693e5747e 100644 ---- a/include/standard-headers/rdma/vmw_pvrdma-abi.h -+++ b/include/standard-headers/rdma/vmw_pvrdma-abi.h -@@ -179,6 +179,11 @@ struct pvrdma_create_qp { - uint64_t __attribute__((aligned(8))) qp_addr; - }; - -+struct pvrdma_create_qp_resp { -+ uint32_t qpn; -+ uint32_t qp_handle; -+}; -+ - /* PVRDMA masked atomic compare and swap */ - struct pvrdma_ex_cmp_swap { - uint64_t __attribute__((aligned(8))) swap_val; -diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h -index 3b27a1ae85cc144fd92ecd0e2352..9d647fad7648ede158cd9605270e 100644 ---- a/linux-headers/linux/kvm.h -+++ b/linux-headers/linux/kvm.h -@@ -1348,6 +1348,7 @@ struct kvm_s390_ucas_mapping { - #define KVM_PPC_GET_CPU_CHAR _IOR(KVMIO, 0xb1, struct kvm_ppc_cpu_char) - /* Available with KVM_CAP_PMU_EVENT_FILTER */ - #define KVM_SET_PMU_EVENT_FILTER _IOW(KVMIO, 0xb2, struct kvm_pmu_event_filter) -+#define KVM_PPC_SVM_OFF _IO(KVMIO, 0xb3) - - /* ioctl for vm fd */ - #define KVM_CREATE_DEVICE _IOWR(KVMIO, 0xe0, struct kvm_create_device) diff --git a/packaging/linux-headers-sync-to-5.9-rc4.patch b/packaging/linux-headers-sync-to-5.9-rc4.patch deleted file mode 100644 index 89ad72402..000000000 --- a/packaging/linux-headers-sync-to-5.9-rc4.patch +++ /dev/null @@ -1,827 +0,0 @@ -From: Jason Wang -Date: Mon, 7 Sep 2020 18:49:01 +0800 -Subject: linux headers: sync to 5.9-rc4 - -Git-commit: e6546342a830e520d14ef03aa95677611de0d90c -References: bsc#1179719 - -Update against Linux 5.9-rc4. - -Cc: Cornelia Huck -Cc: Paolo Bonzini -Signed-off-by: Jason Wang -Message-Id: <20200907104903.31551-2-jasowang@redhat.com> -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Liang Yan ---- - include/standard-headers/drm/drm_fourcc.h | 140 ++++++++++++++++++ - include/standard-headers/linux/ethtool.h | 87 +++++++++++ - .../linux/input-event-codes.h | 3 +- - include/standard-headers/linux/vhost_types.h | 11 ++ - include/standard-headers/linux/virtio_9p.h | 4 +- - include/standard-headers/linux/virtio_blk.h | 26 ++-- - .../standard-headers/linux/virtio_config.h | 8 +- - .../standard-headers/linux/virtio_console.h | 8 +- - include/standard-headers/linux/virtio_net.h | 6 +- - include/standard-headers/linux/virtio_scsi.h | 20 +-- - linux-headers/asm-generic/unistd.h | 6 +- - linux-headers/asm-mips/unistd_n32.h | 1 + - linux-headers/asm-mips/unistd_n64.h | 1 + - linux-headers/asm-mips/unistd_o32.h | 1 + - linux-headers/asm-powerpc/kvm.h | 5 + - linux-headers/asm-powerpc/unistd_32.h | 1 + - linux-headers/asm-powerpc/unistd_64.h | 1 + - linux-headers/asm-s390/kvm.h | 7 +- - linux-headers/asm-s390/unistd_32.h | 1 + - linux-headers/asm-s390/unistd_64.h | 1 + - linux-headers/asm-x86/unistd_32.h | 1 + - linux-headers/asm-x86/unistd_64.h | 1 + - linux-headers/asm-x86/unistd_x32.h | 1 + - linux-headers/linux/kvm.h | 4 + - linux-headers/linux/vfio.h | 2 +- - linux-headers/linux/vhost.h | 2 + - 26 files changed, 308 insertions(+), 41 deletions(-) - -diff --git a/include/standard-headers/drm/drm_fourcc.h b/include/standard-headers/drm/drm_fourcc.h -index 909a66753c03cdfca573f1fae6a2..0de1a552cab235c00ff21de583f0 100644 ---- a/include/standard-headers/drm/drm_fourcc.h -+++ b/include/standard-headers/drm/drm_fourcc.h -@@ -235,6 +235,12 @@ extern "C" { - #define DRM_FORMAT_NV61 fourcc_code('N', 'V', '6', '1') /* 2x1 subsampled Cb:Cr plane */ - #define DRM_FORMAT_NV24 fourcc_code('N', 'V', '2', '4') /* non-subsampled Cr:Cb plane */ - #define DRM_FORMAT_NV42 fourcc_code('N', 'V', '4', '2') /* non-subsampled Cb:Cr plane */ -+/* -+ * 2 plane YCbCr -+ * index 0 = Y plane, [39:0] Y3:Y2:Y1:Y0 little endian -+ * index 1 = Cr:Cb plane, [39:0] Cr1:Cb1:Cr0:Cb0 little endian -+ */ -+#define DRM_FORMAT_NV15 fourcc_code('N', 'V', '1', '5') /* 2x2 subsampled Cr:Cb plane */ - - /* - * 2 plane YCbCr MSB aligned -@@ -264,6 +270,22 @@ extern "C" { - */ - #define DRM_FORMAT_P016 fourcc_code('P', '0', '1', '6') /* 2x2 subsampled Cr:Cb plane 16 bits per channel */ - -+/* 3 plane non-subsampled (444) YCbCr -+ * 16 bits per component, but only 10 bits are used and 6 bits are padded -+ * index 0: Y plane, [15:0] Y:x [10:6] little endian -+ * index 1: Cb plane, [15:0] Cb:x [10:6] little endian -+ * index 2: Cr plane, [15:0] Cr:x [10:6] little endian -+ */ -+#define DRM_FORMAT_Q410 fourcc_code('Q', '4', '1', '0') -+ -+/* 3 plane non-subsampled (444) YCrCb -+ * 16 bits per component, but only 10 bits are used and 6 bits are padded -+ * index 0: Y plane, [15:0] Y:x [10:6] little endian -+ * index 1: Cr plane, [15:0] Cr:x [10:6] little endian -+ * index 2: Cb plane, [15:0] Cb:x [10:6] little endian -+ */ -+#define DRM_FORMAT_Q401 fourcc_code('Q', '4', '0', '1') -+ - /* - * 3 plane YCbCr - * index 0: Y plane, [7:0] Y -@@ -308,6 +330,7 @@ extern "C" { - #define DRM_FORMAT_MOD_VENDOR_BROADCOM 0x07 - #define DRM_FORMAT_MOD_VENDOR_ARM 0x08 - #define DRM_FORMAT_MOD_VENDOR_ALLWINNER 0x09 -+#define DRM_FORMAT_MOD_VENDOR_AMLOGIC 0x0a - - /* add more to the end as needed */ - -@@ -322,8 +345,33 @@ extern "C" { - * When adding a new token please document the layout with a code comment, - * similar to the fourcc codes above. drm_fourcc.h is considered the - * authoritative source for all of these. -+ * -+ * Generic modifier names: -+ * -+ * DRM_FORMAT_MOD_GENERIC_* definitions are used to provide vendor-neutral names -+ * for layouts which are common across multiple vendors. To preserve -+ * compatibility, in cases where a vendor-specific definition already exists and -+ * a generic name for it is desired, the common name is a purely symbolic alias -+ * and must use the same numerical value as the original definition. -+ * -+ * Note that generic names should only be used for modifiers which describe -+ * generic layouts (such as pixel re-ordering), which may have -+ * independently-developed support across multiple vendors. -+ * -+ * In future cases where a generic layout is identified before merging with a -+ * vendor-specific modifier, a new 'GENERIC' vendor or modifier using vendor -+ * 'NONE' could be considered. This should only be for obvious, exceptional -+ * cases to avoid polluting the 'GENERIC' namespace with modifiers which only -+ * apply to a single vendor. -+ * -+ * Generic names should not be used for cases where multiple hardware vendors -+ * have implementations of the same standardised compression scheme (such as -+ * AFBC). In those cases, all implementations should use the same format -+ * modifier(s), reflecting the vendor of the standard. - */ - -+#define DRM_FORMAT_MOD_GENERIC_16_16_TILE DRM_FORMAT_MOD_SAMSUNG_16_16_TILE -+ - /* - * Invalid Modifier - * -@@ -891,6 +939,18 @@ drm_fourcc_canonicalize_nvidia_format_mod(uint64_t modifier) - */ - #define AFBC_FORMAT_MOD_BCH (1ULL << 11) - -+/* AFBC uncompressed storage mode -+ * -+ * Indicates that the buffer is using AFBC uncompressed storage mode. -+ * In this mode all superblock payloads in the buffer use the uncompressed -+ * storage mode, which is usually only used for data which cannot be compressed. -+ * The buffer layout is the same as for AFBC buffers without USM set, this only -+ * affects the storage mode of the individual superblocks. Note that even a -+ * buffer without USM set may use uncompressed storage mode for some or all -+ * superblocks, USM just guarantees it for all. -+ */ -+#define AFBC_FORMAT_MOD_USM (1ULL << 12) -+ - /* - * Arm 16x16 Block U-Interleaved modifier - * -@@ -915,6 +975,86 @@ drm_fourcc_canonicalize_nvidia_format_mod(uint64_t modifier) - */ - #define DRM_FORMAT_MOD_ALLWINNER_TILED fourcc_mod_code(ALLWINNER, 1) - -+/* -+ * Amlogic Video Framebuffer Compression modifiers -+ * -+ * Amlogic uses a proprietary lossless image compression protocol and format -+ * for their hardware video codec accelerators, either video decoders or -+ * video input encoders. -+ * -+ * It considerably reduces memory bandwidth while writing and reading -+ * frames in memory. -+ * -+ * The underlying storage is considered to be 3 components, 8bit or 10-bit -+ * per component YCbCr 420, single plane : -+ * - DRM_FORMAT_YUV420_8BIT -+ * - DRM_FORMAT_YUV420_10BIT -+ * -+ * The first 8 bits of the mode defines the layout, then the following 8 bits -+ * defines the options changing the layout. -+ * -+ * Not all combinations are valid, and different SoCs may support different -+ * combinations of layout and options. -+ */ -+#define __fourcc_mod_amlogic_layout_mask 0xf -+#define __fourcc_mod_amlogic_options_shift 8 -+#define __fourcc_mod_amlogic_options_mask 0xf -+ -+#define DRM_FORMAT_MOD_AMLOGIC_FBC(__layout, __options) \ -+ fourcc_mod_code(AMLOGIC, \ -+ ((__layout) & __fourcc_mod_amlogic_layout_mask) | \ -+ (((__options) & __fourcc_mod_amlogic_options_mask) \ -+ << __fourcc_mod_amlogic_options_shift)) -+ -+/* Amlogic FBC Layouts */ -+ -+/* -+ * Amlogic FBC Basic Layout -+ * -+ * The basic layout is composed of: -+ * - a body content organized in 64x32 superblocks with 4096 bytes per -+ * superblock in default mode. -+ * - a 32 bytes per 128x64 header block -+ * -+ * This layout is transferrable between Amlogic SoCs supporting this modifier. -+ */ -+#define AMLOGIC_FBC_LAYOUT_BASIC (1ULL) -+ -+/* -+ * Amlogic FBC Scatter Memory layout -+ * -+ * Indicates the header contains IOMMU references to the compressed -+ * frames content to optimize memory access and layout. -+ * -+ * In this mode, only the header memory address is needed, thus the -+ * content memory organization is tied to the current producer -+ * execution and cannot be saved/dumped neither transferrable between -+ * Amlogic SoCs supporting this modifier. -+ * -+ * Due to the nature of the layout, these buffers are not expected to -+ * be accessible by the user-space clients, but only accessible by the -+ * hardware producers and consumers. -+ * -+ * The user-space clients should expect a failure while trying to mmap -+ * the DMA-BUF handle returned by the producer. -+ */ -+#define AMLOGIC_FBC_LAYOUT_SCATTER (2ULL) -+ -+/* Amlogic FBC Layout Options Bit Mask */ -+ -+/* -+ * Amlogic FBC Memory Saving mode -+ * -+ * Indicates the storage is packed when pixel size is multiple of word -+ * boudaries, i.e. 8bit should be stored in this mode to save allocation -+ * memory. -+ * -+ * This mode reduces body layout to 3072 bytes per 64x32 superblock with -+ * the basic layout and 3200 bytes per 64x32 superblock combined with -+ * the scatter layout. -+ */ -+#define AMLOGIC_FBC_OPTION_MEM_SAVING (1ULL << 0) -+ - #if defined(__cplusplus) - } - #endif -diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h -index fd8d2cccfe89cb193d91439a62f5..e13eff44882d69a8bb191d129f9e 100644 ---- a/include/standard-headers/linux/ethtool.h -+++ b/include/standard-headers/linux/ethtool.h -@@ -579,6 +579,76 @@ struct ethtool_pauseparam { - uint32_t tx_pause; - }; - -+/** -+ * enum ethtool_link_ext_state - link extended state -+ */ -+enum ethtool_link_ext_state { -+ ETHTOOL_LINK_EXT_STATE_AUTONEG, -+ ETHTOOL_LINK_EXT_STATE_LINK_TRAINING_FAILURE, -+ ETHTOOL_LINK_EXT_STATE_LINK_LOGICAL_MISMATCH, -+ ETHTOOL_LINK_EXT_STATE_BAD_SIGNAL_INTEGRITY, -+ ETHTOOL_LINK_EXT_STATE_NO_CABLE, -+ ETHTOOL_LINK_EXT_STATE_CABLE_ISSUE, -+ ETHTOOL_LINK_EXT_STATE_EEPROM_ISSUE, -+ ETHTOOL_LINK_EXT_STATE_CALIBRATION_FAILURE, -+ ETHTOOL_LINK_EXT_STATE_POWER_BUDGET_EXCEEDED, -+ ETHTOOL_LINK_EXT_STATE_OVERHEAT, -+}; -+ -+/** -+ * enum ethtool_link_ext_substate_autoneg - more information in addition to -+ * ETHTOOL_LINK_EXT_STATE_AUTONEG. -+ */ -+enum ethtool_link_ext_substate_autoneg { -+ ETHTOOL_LINK_EXT_SUBSTATE_AN_NO_PARTNER_DETECTED = 1, -+ ETHTOOL_LINK_EXT_SUBSTATE_AN_ACK_NOT_RECEIVED, -+ ETHTOOL_LINK_EXT_SUBSTATE_AN_NEXT_PAGE_EXCHANGE_FAILED, -+ ETHTOOL_LINK_EXT_SUBSTATE_AN_NO_PARTNER_DETECTED_FORCE_MODE, -+ ETHTOOL_LINK_EXT_SUBSTATE_AN_FEC_MISMATCH_DURING_OVERRIDE, -+ ETHTOOL_LINK_EXT_SUBSTATE_AN_NO_HCD, -+}; -+ -+/** -+ * enum ethtool_link_ext_substate_link_training - more information in addition to -+ * ETHTOOL_LINK_EXT_STATE_LINK_TRAINING_FAILURE. -+ */ -+enum ethtool_link_ext_substate_link_training { -+ ETHTOOL_LINK_EXT_SUBSTATE_LT_KR_FRAME_LOCK_NOT_ACQUIRED = 1, -+ ETHTOOL_LINK_EXT_SUBSTATE_LT_KR_LINK_INHIBIT_TIMEOUT, -+ ETHTOOL_LINK_EXT_SUBSTATE_LT_KR_LINK_PARTNER_DID_NOT_SET_RECEIVER_READY, -+ ETHTOOL_LINK_EXT_SUBSTATE_LT_REMOTE_FAULT, -+}; -+ -+/** -+ * enum ethtool_link_ext_substate_logical_mismatch - more information in addition -+ * to ETHTOOL_LINK_EXT_STATE_LINK_LOGICAL_MISMATCH. -+ */ -+enum ethtool_link_ext_substate_link_logical_mismatch { -+ ETHTOOL_LINK_EXT_SUBSTATE_LLM_PCS_DID_NOT_ACQUIRE_BLOCK_LOCK = 1, -+ ETHTOOL_LINK_EXT_SUBSTATE_LLM_PCS_DID_NOT_ACQUIRE_AM_LOCK, -+ ETHTOOL_LINK_EXT_SUBSTATE_LLM_PCS_DID_NOT_GET_ALIGN_STATUS, -+ ETHTOOL_LINK_EXT_SUBSTATE_LLM_FC_FEC_IS_NOT_LOCKED, -+ ETHTOOL_LINK_EXT_SUBSTATE_LLM_RS_FEC_IS_NOT_LOCKED, -+}; -+ -+/** -+ * enum ethtool_link_ext_substate_bad_signal_integrity - more information in -+ * addition to ETHTOOL_LINK_EXT_STATE_BAD_SIGNAL_INTEGRITY. -+ */ -+enum ethtool_link_ext_substate_bad_signal_integrity { -+ ETHTOOL_LINK_EXT_SUBSTATE_BSI_LARGE_NUMBER_OF_PHYSICAL_ERRORS = 1, -+ ETHTOOL_LINK_EXT_SUBSTATE_BSI_UNSUPPORTED_RATE, -+}; -+ -+/** -+ * enum ethtool_link_ext_substate_cable_issue - more information in -+ * addition to ETHTOOL_LINK_EXT_STATE_CABLE_ISSUE. -+ */ -+enum ethtool_link_ext_substate_cable_issue { -+ ETHTOOL_LINK_EXT_SUBSTATE_CI_UNSUPPORTED_CABLE = 1, -+ ETHTOOL_LINK_EXT_SUBSTATE_CI_CABLE_TEST_FAILURE, -+}; -+ - #define ETH_GSTRING_LEN 32 - - /** -@@ -599,6 +669,7 @@ struct ethtool_pauseparam { - * @ETH_SS_SOF_TIMESTAMPING: SOF_TIMESTAMPING_* flags - * @ETH_SS_TS_TX_TYPES: timestamping Tx types - * @ETH_SS_TS_RX_FILTERS: timestamping Rx filters -+ * @ETH_SS_UDP_TUNNEL_TYPES: UDP tunnel types - */ - enum ethtool_stringset { - ETH_SS_TEST = 0, -@@ -616,6 +687,7 @@ enum ethtool_stringset { - ETH_SS_SOF_TIMESTAMPING, - ETH_SS_TS_TX_TYPES, - ETH_SS_TS_RX_FILTERS, -+ ETH_SS_UDP_TUNNEL_TYPES, - - /* add new constants above here */ - ETH_SS_COUNT -@@ -1530,6 +1602,21 @@ enum ethtool_link_mode_bit_indices { - ETHTOOL_LINK_MODE_400000baseDR8_Full_BIT = 72, - ETHTOOL_LINK_MODE_400000baseCR8_Full_BIT = 73, - ETHTOOL_LINK_MODE_FEC_LLRS_BIT = 74, -+ ETHTOOL_LINK_MODE_100000baseKR_Full_BIT = 75, -+ ETHTOOL_LINK_MODE_100000baseSR_Full_BIT = 76, -+ ETHTOOL_LINK_MODE_100000baseLR_ER_FR_Full_BIT = 77, -+ ETHTOOL_LINK_MODE_100000baseCR_Full_BIT = 78, -+ ETHTOOL_LINK_MODE_100000baseDR_Full_BIT = 79, -+ ETHTOOL_LINK_MODE_200000baseKR2_Full_BIT = 80, -+ ETHTOOL_LINK_MODE_200000baseSR2_Full_BIT = 81, -+ ETHTOOL_LINK_MODE_200000baseLR2_ER2_FR2_Full_BIT = 82, -+ ETHTOOL_LINK_MODE_200000baseDR2_Full_BIT = 83, -+ ETHTOOL_LINK_MODE_200000baseCR2_Full_BIT = 84, -+ ETHTOOL_LINK_MODE_400000baseKR4_Full_BIT = 85, -+ ETHTOOL_LINK_MODE_400000baseSR4_Full_BIT = 86, -+ ETHTOOL_LINK_MODE_400000baseLR4_ER4_FR4_Full_BIT = 87, -+ ETHTOOL_LINK_MODE_400000baseDR4_Full_BIT = 88, -+ ETHTOOL_LINK_MODE_400000baseCR4_Full_BIT = 89, - /* must be last entry */ - __ETHTOOL_LINK_MODE_MASK_NBITS - }; -diff --git a/include/standard-headers/linux/input-event-codes.h b/include/standard-headers/linux/input-event-codes.h -index ebf72c10317b48bb9dc151f20a5b..e740ad9f2e0171ff86ddcf07232d 100644 ---- a/include/standard-headers/linux/input-event-codes.h -+++ b/include/standard-headers/linux/input-event-codes.h -@@ -888,7 +888,8 @@ - #define SW_LINEIN_INSERT 0x0d /* set = inserted */ - #define SW_MUTE_DEVICE 0x0e /* set = device disabled */ - #define SW_PEN_INSERTED 0x0f /* set = pen inserted */ --#define SW_MAX_ 0x0f -+#define SW_MACHINE_COVER 0x10 /* set = cover closed */ -+#define SW_MAX_ 0x10 - #define SW_CNT (SW_MAX_+1) - - /* -diff --git a/include/standard-headers/linux/vhost_types.h b/include/standard-headers/linux/vhost_types.h -index a678d8fbaa92717b2a60329796f6..486630b33287408183ce932564ad 100644 ---- a/include/standard-headers/linux/vhost_types.h -+++ b/include/standard-headers/linux/vhost_types.h -@@ -60,6 +60,17 @@ struct vhost_iotlb_msg { - #define VHOST_IOTLB_UPDATE 2 - #define VHOST_IOTLB_INVALIDATE 3 - #define VHOST_IOTLB_ACCESS_FAIL 4 -+/* -+ * VHOST_IOTLB_BATCH_BEGIN and VHOST_IOTLB_BATCH_END allow modifying -+ * multiple mappings in one go: beginning with -+ * VHOST_IOTLB_BATCH_BEGIN, followed by any number of -+ * VHOST_IOTLB_UPDATE messages, and ending with VHOST_IOTLB_BATCH_END. -+ * When one of these two values is used as the message type, the rest -+ * of the fields in the message are ignored. There's no guarantee that -+ * these changes take place automatically in the device. -+ */ -+#define VHOST_IOTLB_BATCH_BEGIN 5 -+#define VHOST_IOTLB_BATCH_END 6 - uint8_t type; - }; - -diff --git a/include/standard-headers/linux/virtio_9p.h b/include/standard-headers/linux/virtio_9p.h -index e68f71dbe6f43942f70bbf0e26a5..f5604fc5fb15acc1eef28cdbf58e 100644 ---- a/include/standard-headers/linux/virtio_9p.h -+++ b/include/standard-headers/linux/virtio_9p.h -@@ -25,7 +25,7 @@ - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. */ --#include "standard-headers/linux/types.h" -+#include "standard-headers/linux/virtio_types.h" - #include "standard-headers/linux/virtio_ids.h" - #include "standard-headers/linux/virtio_config.h" - -@@ -36,7 +36,7 @@ - - struct virtio_9p_config { - /* length of the tag name */ -- uint16_t tag_len; -+ __virtio16 tag_len; - /* non-NULL terminated tag name */ - uint8_t tag[0]; - } QEMU_PACKED; -diff --git a/include/standard-headers/linux/virtio_blk.h b/include/standard-headers/linux/virtio_blk.h -index 0229b0fbe42b68f2cb20a9a9c2c0..2dcc90826ae7d30ccc7169355b43 100644 ---- a/include/standard-headers/linux/virtio_blk.h -+++ b/include/standard-headers/linux/virtio_blk.h -@@ -55,20 +55,20 @@ - - struct virtio_blk_config { - /* The capacity (in 512-byte sectors). */ -- uint64_t capacity; -+ __virtio64 capacity; - /* The maximum segment size (if VIRTIO_BLK_F_SIZE_MAX) */ -- uint32_t size_max; -+ __virtio32 size_max; - /* The maximum number of segments (if VIRTIO_BLK_F_SEG_MAX) */ -- uint32_t seg_max; -+ __virtio32 seg_max; - /* geometry of the device (if VIRTIO_BLK_F_GEOMETRY) */ - struct virtio_blk_geometry { -- uint16_t cylinders; -+ __virtio16 cylinders; - uint8_t heads; - uint8_t sectors; - } geometry; - - /* block size of device (if VIRTIO_BLK_F_BLK_SIZE) */ -- uint32_t blk_size; -+ __virtio32 blk_size; - - /* the next 4 entries are guarded by VIRTIO_BLK_F_TOPOLOGY */ - /* exponent for physical block per logical block. */ -@@ -76,42 +76,42 @@ struct virtio_blk_config { - /* alignment offset in logical blocks. */ - uint8_t alignment_offset; - /* minimum I/O size without performance penalty in logical blocks. */ -- uint16_t min_io_size; -+ __virtio16 min_io_size; - /* optimal sustained I/O size in logical blocks. */ -- uint32_t opt_io_size; -+ __virtio32 opt_io_size; - - /* writeback mode (if VIRTIO_BLK_F_CONFIG_WCE) */ - uint8_t wce; - uint8_t unused; - - /* number of vqs, only available when VIRTIO_BLK_F_MQ is set */ -- uint16_t num_queues; -+ __virtio16 num_queues; - - /* the next 3 entries are guarded by VIRTIO_BLK_F_DISCARD */ - /* - * The maximum discard sectors (in 512-byte sectors) for - * one segment. - */ -- uint32_t max_discard_sectors; -+ __virtio32 max_discard_sectors; - /* - * The maximum number of discard segments in a - * discard command. - */ -- uint32_t max_discard_seg; -+ __virtio32 max_discard_seg; - /* Discard commands must be aligned to this number of sectors. */ -- uint32_t discard_sector_alignment; -+ __virtio32 discard_sector_alignment; - - /* the next 3 entries are guarded by VIRTIO_BLK_F_WRITE_ZEROES */ - /* - * The maximum number of write zeroes sectors (in 512-byte sectors) in - * one segment. - */ -- uint32_t max_write_zeroes_sectors; -+ __virtio32 max_write_zeroes_sectors; - /* - * The maximum number of segments in a write zeroes - * command. - */ -- uint32_t max_write_zeroes_seg; -+ __virtio32 max_write_zeroes_seg; - /* - * Set if a VIRTIO_BLK_T_WRITE_ZEROES request may result in the - * deallocation of one or more of the sectors. -diff --git a/include/standard-headers/linux/virtio_config.h b/include/standard-headers/linux/virtio_config.h -index 9a69d9e2420b85d4e1cc5dd24303..22e3a85f6760920cb3d3b49d064a 100644 ---- a/include/standard-headers/linux/virtio_config.h -+++ b/include/standard-headers/linux/virtio_config.h -@@ -67,13 +67,15 @@ - #define VIRTIO_F_VERSION_1 32 - - /* -- * If clear - device has the IOMMU bypass quirk feature. -- * If set - use platform tools to detect the IOMMU. -+ * If clear - device has the platform DMA (e.g. IOMMU) bypass quirk feature. -+ * If set - use platform DMA tools to access the memory. - * - * Note the reverse polarity (compared to most other features), - * this is for compatibility with legacy systems. - */ --#define VIRTIO_F_IOMMU_PLATFORM 33 -+#define VIRTIO_F_ACCESS_PLATFORM 33 -+/* Legacy name for VIRTIO_F_ACCESS_PLATFORM (for compatibility with old userspace) */ -+#define VIRTIO_F_IOMMU_PLATFORM VIRTIO_F_ACCESS_PLATFORM - - /* This feature indicates support for the packed virtqueue layout. */ - #define VIRTIO_F_RING_PACKED 34 -diff --git a/include/standard-headers/linux/virtio_console.h b/include/standard-headers/linux/virtio_console.h -index 0dedc9e6f5738a3924cd6ae52a9e..71f5f648e3ceac58b80c67d236fb 100644 ---- a/include/standard-headers/linux/virtio_console.h -+++ b/include/standard-headers/linux/virtio_console.h -@@ -45,13 +45,13 @@ - - struct virtio_console_config { - /* colums of the screens */ -- uint16_t cols; -+ __virtio16 cols; - /* rows of the screens */ -- uint16_t rows; -+ __virtio16 rows; - /* max. number of ports this device can hold */ -- uint32_t max_nr_ports; -+ __virtio32 max_nr_ports; - /* emergency write register */ -- uint32_t emerg_wr; -+ __virtio32 emerg_wr; - } QEMU_PACKED; - - /* -diff --git a/include/standard-headers/linux/virtio_net.h b/include/standard-headers/linux/virtio_net.h -index a90f79e1b17a9228353eac109f55..e0a070518f39d2b4b227e1a38a28 100644 ---- a/include/standard-headers/linux/virtio_net.h -+++ b/include/standard-headers/linux/virtio_net.h -@@ -87,14 +87,14 @@ struct virtio_net_config { - /* The config defining mac address (if VIRTIO_NET_F_MAC) */ - uint8_t mac[ETH_ALEN]; - /* See VIRTIO_NET_F_STATUS and VIRTIO_NET_S_* above */ -- uint16_t status; -+ __virtio16 status; - /* Maximum number of each of transmit and receive queues; - * see VIRTIO_NET_F_MQ and VIRTIO_NET_CTRL_MQ. - * Legal values are between 1 and 0x8000 - */ -- uint16_t max_virtqueue_pairs; -+ __virtio16 max_virtqueue_pairs; - /* Default maximum transmit unit advice */ -- uint16_t mtu; -+ __virtio16 mtu; - /* - * speed, in units of 1Mb. All values 0 to INT_MAX are legal. - * Any other value stands for unknown. -diff --git a/include/standard-headers/linux/virtio_scsi.h b/include/standard-headers/linux/virtio_scsi.h -index ab66166b6a78c2be680b82bdffba..663f36cbb769efae4408478d9d6a 100644 ---- a/include/standard-headers/linux/virtio_scsi.h -+++ b/include/standard-headers/linux/virtio_scsi.h -@@ -103,16 +103,16 @@ struct virtio_scsi_event { - } QEMU_PACKED; - - struct virtio_scsi_config { -- uint32_t num_queues; -- uint32_t seg_max; -- uint32_t max_sectors; -- uint32_t cmd_per_lun; -- uint32_t event_info_size; -- uint32_t sense_size; -- uint32_t cdb_size; -- uint16_t max_channel; -- uint16_t max_target; -- uint32_t max_lun; -+ __virtio32 num_queues; -+ __virtio32 seg_max; -+ __virtio32 max_sectors; -+ __virtio32 cmd_per_lun; -+ __virtio32 event_info_size; -+ __virtio32 sense_size; -+ __virtio32 cdb_size; -+ __virtio16 max_channel; -+ __virtio16 max_target; -+ __virtio32 max_lun; - } QEMU_PACKED; - - /* Feature Bits */ -diff --git a/linux-headers/asm-generic/unistd.h b/linux-headers/asm-generic/unistd.h -index f4a01305d9a65c14fe46652970ec..995b36c2ea7d8a4edbff1e79e555 100644 ---- a/linux-headers/asm-generic/unistd.h -+++ b/linux-headers/asm-generic/unistd.h -@@ -606,9 +606,9 @@ __SYSCALL(__NR_sendto, sys_sendto) - #define __NR_recvfrom 207 - __SC_COMP(__NR_recvfrom, sys_recvfrom, compat_sys_recvfrom) - #define __NR_setsockopt 208 --__SC_COMP(__NR_setsockopt, sys_setsockopt, compat_sys_setsockopt) -+__SC_COMP(__NR_setsockopt, sys_setsockopt, sys_setsockopt) - #define __NR_getsockopt 209 --__SC_COMP(__NR_getsockopt, sys_getsockopt, compat_sys_getsockopt) -+__SC_COMP(__NR_getsockopt, sys_getsockopt, sys_getsockopt) - #define __NR_shutdown 210 - __SYSCALL(__NR_shutdown, sys_shutdown) - #define __NR_sendmsg 211 -@@ -850,6 +850,8 @@ __SYSCALL(__NR_pidfd_open, sys_pidfd_open) - #define __NR_clone3 435 - __SYSCALL(__NR_clone3, sys_clone3) - #endif -+#define __NR_close_range 436 -+__SYSCALL(__NR_close_range, sys_close_range) - - #define __NR_openat2 437 - __SYSCALL(__NR_openat2, sys_openat2) -diff --git a/linux-headers/asm-mips/unistd_n32.h b/linux-headers/asm-mips/unistd_n32.h -index 3b9eda7e7d8f7c7a2961192371f9..246fbb6a7885638679b536b78e66 100644 ---- a/linux-headers/asm-mips/unistd_n32.h -+++ b/linux-headers/asm-mips/unistd_n32.h -@@ -365,6 +365,7 @@ - #define __NR_fspick (__NR_Linux + 433) - #define __NR_pidfd_open (__NR_Linux + 434) - #define __NR_clone3 (__NR_Linux + 435) -+#define __NR_close_range (__NR_Linux + 436) - #define __NR_openat2 (__NR_Linux + 437) - #define __NR_pidfd_getfd (__NR_Linux + 438) - #define __NR_faccessat2 (__NR_Linux + 439) -diff --git a/linux-headers/asm-mips/unistd_n64.h b/linux-headers/asm-mips/unistd_n64.h -index 9cdf9b6c60dfde0e7f8c6f09bb48..194d777dfd42582819f2d1e4342d 100644 ---- a/linux-headers/asm-mips/unistd_n64.h -+++ b/linux-headers/asm-mips/unistd_n64.h -@@ -341,6 +341,7 @@ - #define __NR_fspick (__NR_Linux + 433) - #define __NR_pidfd_open (__NR_Linux + 434) - #define __NR_clone3 (__NR_Linux + 435) -+#define __NR_close_range (__NR_Linux + 436) - #define __NR_openat2 (__NR_Linux + 437) - #define __NR_pidfd_getfd (__NR_Linux + 438) - #define __NR_faccessat2 (__NR_Linux + 439) -diff --git a/linux-headers/asm-mips/unistd_o32.h b/linux-headers/asm-mips/unistd_o32.h -index e3e5e238f026edbecf3835d1d887..3e093dd9134dc84a82778ace3c4d 100644 ---- a/linux-headers/asm-mips/unistd_o32.h -+++ b/linux-headers/asm-mips/unistd_o32.h -@@ -411,6 +411,7 @@ - #define __NR_fspick (__NR_Linux + 433) - #define __NR_pidfd_open (__NR_Linux + 434) - #define __NR_clone3 (__NR_Linux + 435) -+#define __NR_close_range (__NR_Linux + 436) - #define __NR_openat2 (__NR_Linux + 437) - #define __NR_pidfd_getfd (__NR_Linux + 438) - #define __NR_faccessat2 (__NR_Linux + 439) -diff --git a/linux-headers/asm-powerpc/kvm.h b/linux-headers/asm-powerpc/kvm.h -index 264e266a85bf6a99c5b27b47733a..c3af3f324c5ad14625baf14fa488 100644 ---- a/linux-headers/asm-powerpc/kvm.h -+++ b/linux-headers/asm-powerpc/kvm.h -@@ -640,6 +640,11 @@ struct kvm_ppc_cpu_char { - #define KVM_REG_PPC_ONLINE (KVM_REG_PPC | KVM_REG_SIZE_U32 | 0xbf) - #define KVM_REG_PPC_PTCR (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0xc0) - -+/* POWER10 registers */ -+#define KVM_REG_PPC_MMCR3 (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0xc1) -+#define KVM_REG_PPC_SIER2 (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0xc2) -+#define KVM_REG_PPC_SIER3 (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0xc3) -+ - /* Transactional Memory checkpointed state: - * This is all GPRs, all VSX regs and a subset of SPRs - */ -diff --git a/linux-headers/asm-powerpc/unistd_32.h b/linux-headers/asm-powerpc/unistd_32.h -index 862edb7448c5160b0ded92f32ede..0db9481d49629bde4402afcb0c18 100644 ---- a/linux-headers/asm-powerpc/unistd_32.h -+++ b/linux-headers/asm-powerpc/unistd_32.h -@@ -418,6 +418,7 @@ - #define __NR_fspick 433 - #define __NR_pidfd_open 434 - #define __NR_clone3 435 -+#define __NR_close_range 436 - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - #define __NR_faccessat2 439 -diff --git a/linux-headers/asm-powerpc/unistd_64.h b/linux-headers/asm-powerpc/unistd_64.h -index f553224ce408b2a721321d1b30b5..9f74310988e1afca2bbe087ab83d 100644 ---- a/linux-headers/asm-powerpc/unistd_64.h -+++ b/linux-headers/asm-powerpc/unistd_64.h -@@ -390,6 +390,7 @@ - #define __NR_fspick 433 - #define __NR_pidfd_open 434 - #define __NR_clone3 435 -+#define __NR_close_range 436 - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - #define __NR_faccessat2 439 -diff --git a/linux-headers/asm-s390/kvm.h b/linux-headers/asm-s390/kvm.h -index 0138ccb0d892b4e3cc0d5e9c6a60..f053b8304a85ae57e3e8cdbf9f32 100644 ---- a/linux-headers/asm-s390/kvm.h -+++ b/linux-headers/asm-s390/kvm.h -@@ -231,11 +231,13 @@ struct kvm_guest_debug_arch { - #define KVM_SYNC_GSCB (1UL << 9) - #define KVM_SYNC_BPBC (1UL << 10) - #define KVM_SYNC_ETOKEN (1UL << 11) -+#define KVM_SYNC_DIAG318 (1UL << 12) - - #define KVM_SYNC_S390_VALID_FIELDS \ - (KVM_SYNC_PREFIX | KVM_SYNC_GPRS | KVM_SYNC_ACRS | KVM_SYNC_CRS | \ - KVM_SYNC_ARCH0 | KVM_SYNC_PFAULT | KVM_SYNC_VRS | KVM_SYNC_RICCB | \ -- KVM_SYNC_FPRS | KVM_SYNC_GSCB | KVM_SYNC_BPBC | KVM_SYNC_ETOKEN) -+ KVM_SYNC_FPRS | KVM_SYNC_GSCB | KVM_SYNC_BPBC | KVM_SYNC_ETOKEN | \ -+ KVM_SYNC_DIAG318) - - /* length and alignment of the sdnx as a power of two */ - #define SDNXC 8 -@@ -264,7 +266,8 @@ struct kvm_sync_regs { - __u8 reserved2 : 7; - __u8 padding1[51]; /* riccb needs to be 64byte aligned */ - __u8 riccb[64]; /* runtime instrumentation controls block */ -- __u8 padding2[192]; /* sdnx needs to be 256byte aligned */ -+ __u64 diag318; /* diagnose 0x318 info */ -+ __u8 padding2[184]; /* sdnx needs to be 256byte aligned */ - union { - __u8 sdnx[SDNXL]; /* state description annex */ - struct { -diff --git a/linux-headers/asm-s390/unistd_32.h b/linux-headers/asm-s390/unistd_32.h -index e08233c0c37719a8a77caacf2f93..1803cd0c3ba638008c0463758951 100644 ---- a/linux-headers/asm-s390/unistd_32.h -+++ b/linux-headers/asm-s390/unistd_32.h -@@ -408,6 +408,7 @@ - #define __NR_fspick 433 - #define __NR_pidfd_open 434 - #define __NR_clone3 435 -+#define __NR_close_range 436 - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - #define __NR_faccessat2 439 -diff --git a/linux-headers/asm-s390/unistd_64.h b/linux-headers/asm-s390/unistd_64.h -index 560e19ae2bb4dc9dd734823016b1..228d5004e5a88127a30d1fae6fb8 100644 ---- a/linux-headers/asm-s390/unistd_64.h -+++ b/linux-headers/asm-s390/unistd_64.h -@@ -356,6 +356,7 @@ - #define __NR_fspick 433 - #define __NR_pidfd_open 434 - #define __NR_clone3 435 -+#define __NR_close_range 436 - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - #define __NR_faccessat2 439 -diff --git a/linux-headers/asm-x86/unistd_32.h b/linux-headers/asm-x86/unistd_32.h -index c727981d4a3aa8a3578ab777d0cc..356c12c2dbce1bf92f665c705a86 100644 ---- a/linux-headers/asm-x86/unistd_32.h -+++ b/linux-headers/asm-x86/unistd_32.h -@@ -426,6 +426,7 @@ - #define __NR_fspick 433 - #define __NR_pidfd_open 434 - #define __NR_clone3 435 -+#define __NR_close_range 436 - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - #define __NR_faccessat2 439 -diff --git a/linux-headers/asm-x86/unistd_64.h b/linux-headers/asm-x86/unistd_64.h -index 843fa6274584c57a8825c1d39f85..ef70e1c7c93fc9f64edcc1d551a1 100644 ---- a/linux-headers/asm-x86/unistd_64.h -+++ b/linux-headers/asm-x86/unistd_64.h -@@ -348,6 +348,7 @@ - #define __NR_fspick 433 - #define __NR_pidfd_open 434 - #define __NR_clone3 435 -+#define __NR_close_range 436 - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - #define __NR_faccessat2 439 -diff --git a/linux-headers/asm-x86/unistd_x32.h b/linux-headers/asm-x86/unistd_x32.h -index 7d63d703cab4227d9e631006852f..84ae8e9f5fca8679e279bdfbf5f3 100644 ---- a/linux-headers/asm-x86/unistd_x32.h -+++ b/linux-headers/asm-x86/unistd_x32.h -@@ -301,6 +301,7 @@ - #define __NR_fspick (__X32_SYSCALL_BIT + 433) - #define __NR_pidfd_open (__X32_SYSCALL_BIT + 434) - #define __NR_clone3 (__X32_SYSCALL_BIT + 435) -+#define __NR_close_range (__X32_SYSCALL_BIT + 436) - #define __NR_openat2 (__X32_SYSCALL_BIT + 437) - #define __NR_pidfd_getfd (__X32_SYSCALL_BIT + 438) - #define __NR_faccessat2 (__X32_SYSCALL_BIT + 439) -diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h -index 71f531771dd862c7f3cbd07ba376..a748353df27bd84f2feea885d3dd 100644 ---- a/linux-headers/linux/kvm.h -+++ b/linux-headers/linux/kvm.h -@@ -289,6 +289,7 @@ struct kvm_run { - /* KVM_EXIT_FAIL_ENTRY */ - struct { - __u64 hardware_entry_failure_reason; -+ __u32 cpu; - } fail_entry; - /* KVM_EXIT_EXCEPTION */ - struct { -@@ -1025,6 +1026,9 @@ struct kvm_ppc_resize_hpt { - #define KVM_CAP_PPC_SECURE_GUEST 181 - #define KVM_CAP_HALT_POLL 182 - #define KVM_CAP_ASYNC_PF_INT 183 -+#define KVM_CAP_LAST_CPU 184 -+#define KVM_CAP_SMALLER_MAXPHYADDR 185 -+#define KVM_CAP_S390_DIAG318 186 - - #ifdef KVM_CAP_IRQ_ROUTING - -diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h -index f09df262c4b52dfcef1d66ee0bdc..a90672494dc584fff35d3141e248 100644 ---- a/linux-headers/linux/vfio.h -+++ b/linux-headers/linux/vfio.h -@@ -1030,7 +1030,7 @@ struct vfio_iommu_type1_info_cap_iova_range { - * size in bytes that can be used by user applications when getting the dirty - * bitmap. - */ --#define VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION 1 -+#define VFIO_IOMMU_TYPE1_INFO_CAP_MIGRATION 2 - - struct vfio_iommu_type1_info_cap_migration { - struct vfio_info_cap_header header; -diff --git a/linux-headers/linux/vhost.h b/linux-headers/linux/vhost.h -index 0c2349612e776086a2ffd137d402..75232185324abb8bf16521b525ed 100644 ---- a/linux-headers/linux/vhost.h -+++ b/linux-headers/linux/vhost.h -@@ -91,6 +91,8 @@ - - /* Use message type V2 */ - #define VHOST_BACKEND_F_IOTLB_MSG_V2 0x1 -+/* IOTLB can accept batching hints */ -+#define VHOST_BACKEND_F_IOTLB_BATCH 0x2 - - #define VHOST_SET_BACKEND_FEATURES _IOW(VHOST_VIRTIO, 0x25, __u64) - #define VHOST_GET_BACKEND_FEATURES _IOR(VHOST_VIRTIO, 0x26, __u64) diff --git a/packaging/linux-headers-sync-to-5.9-rc7.patch b/packaging/linux-headers-sync-to-5.9-rc7.patch deleted file mode 100644 index 4a7c33bb3..000000000 --- a/packaging/linux-headers-sync-to-5.9-rc7.patch +++ /dev/null @@ -1,43 +0,0 @@ -From: Andrew Jones -Date: Thu, 1 Oct 2020 08:17:13 +0200 -Subject: linux headers: sync to 5.9-rc7 - -Git-commit: 94c7fefcb456b0b26f04b30e6df54a0c872e862d -References: bsc#1179719 - -Update against Linux 5.9-rc7. - -Cc: Paolo Bonzini -Signed-off-by: Andrew Jones -Message-id: 20201001061718.101915-2-drjones@redhat.com -Signed-off-by: Peter Maydell -Signed-off-by: Liang Yan ---- - linux-headers/linux/kvm.h | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h -index a748353df27bd84f2feea885d3dd..d9860561985c537b70428a9fbfc0 100644 ---- a/linux-headers/linux/kvm.h -+++ b/linux-headers/linux/kvm.h -@@ -785,9 +785,10 @@ struct kvm_ppc_resize_hpt { - #define KVM_VM_PPC_HV 1 - #define KVM_VM_PPC_PR 2 - --/* on MIPS, 0 forces trap & emulate, 1 forces VZ ASE */ --#define KVM_VM_MIPS_TE 0 -+/* on MIPS, 0 indicates auto, 1 forces VZ ASE, 2 forces trap & emulate */ -+#define KVM_VM_MIPS_AUTO 0 - #define KVM_VM_MIPS_VZ 1 -+#define KVM_VM_MIPS_TE 2 - - #define KVM_S390_SIE_PAGE_OFFSET 1 - -@@ -1029,6 +1030,7 @@ struct kvm_ppc_resize_hpt { - #define KVM_CAP_LAST_CPU 184 - #define KVM_CAP_SMALLER_MAXPHYADDR 185 - #define KVM_CAP_S390_DIAG318 186 -+#define KVM_CAP_STEAL_TIME 187 - - #ifdef KVM_CAP_IRQ_ROUTING - diff --git a/packaging/linux-headers-update-against-5.10-rc1.patch b/packaging/linux-headers-update-against-5.10-rc1.patch deleted file mode 100644 index 58e1ee1e9..000000000 --- a/packaging/linux-headers-update-against-5.10-rc1.patch +++ /dev/null @@ -1,738 +0,0 @@ -From: Matthew Rosato -Date: Mon, 26 Oct 2020 11:34:30 -0400 -Subject: linux-headers: update against 5.10-rc1 - -Git-commit: 53ba2eee52bff5a746e96835539a1079f6bcadd1 -References: bsc#1179719 - -commit 3650b228f83adda7e5ee532e2b90429c03f7b9ec - -Signed-off-by: Matthew Rosato -[aw: drop pvrdma_ring.h changes to avoid revert of d73415a31547 ("qemu/atomic.h: rename atomic_ to qatomic_")] -Signed-off-by: Alex Williamson -Signed-off-by: Liang Yan ---- - .../infiniband/hw/vmw_pvrdma/pvrdma_verbs.h | 2 +- - include/standard-headers/linux/ethtool.h | 2 + - .../linux/input-event-codes.h | 4 + - include/standard-headers/linux/pci_regs.h | 6 +- - include/standard-headers/linux/virtio_fs.h | 3 + - include/standard-headers/linux/virtio_gpu.h | 19 +++++ - include/standard-headers/linux/virtio_mmio.h | 11 +++ - include/standard-headers/linux/virtio_pci.h | 11 ++- - linux-headers/asm-arm64/kvm.h | 25 ++++++ - linux-headers/asm-arm64/mman.h | 1 + - linux-headers/asm-generic/hugetlb_encode.h | 1 + - linux-headers/asm-generic/unistd.h | 18 ++--- - linux-headers/asm-mips/unistd_n32.h | 1 + - linux-headers/asm-mips/unistd_n64.h | 1 + - linux-headers/asm-mips/unistd_o32.h | 1 + - linux-headers/asm-powerpc/unistd_32.h | 1 + - linux-headers/asm-powerpc/unistd_64.h | 1 + - linux-headers/asm-s390/unistd_32.h | 1 + - linux-headers/asm-s390/unistd_64.h | 1 + - linux-headers/asm-x86/kvm.h | 20 +++++ - linux-headers/asm-x86/unistd_32.h | 1 + - linux-headers/asm-x86/unistd_64.h | 1 + - linux-headers/asm-x86/unistd_x32.h | 1 + - linux-headers/linux/kvm.h | 19 +++++ - linux-headers/linux/mman.h | 1 + - linux-headers/linux/vfio.h | 29 ++++++- - linux-headers/linux/vfio_zdev.h | 78 +++++++++++++++++++ - 27 files changed, 247 insertions(+), 13 deletions(-) - -diff --git a/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h b/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h -index 1677208a411fa575d490de6cce15..0a8c7c9311994e3a9c3fabdabea1 100644 ---- a/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h -+++ b/include/standard-headers/drivers/infiniband/hw/vmw_pvrdma/pvrdma_verbs.h -@@ -176,7 +176,7 @@ struct pvrdma_port_attr { - uint8_t subnet_timeout; - uint8_t init_type_reply; - uint8_t active_width; -- uint8_t active_speed; -+ uint16_t active_speed; - uint8_t phys_state; - uint8_t reserved[2]; - }; -diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h -index e13eff44882d69a8bb191d129f9e..0df22f7538e3227e9d2a07e5bca9 100644 ---- a/include/standard-headers/linux/ethtool.h -+++ b/include/standard-headers/linux/ethtool.h -@@ -1617,6 +1617,8 @@ enum ethtool_link_mode_bit_indices { - ETHTOOL_LINK_MODE_400000baseLR4_ER4_FR4_Full_BIT = 87, - ETHTOOL_LINK_MODE_400000baseDR4_Full_BIT = 88, - ETHTOOL_LINK_MODE_400000baseCR4_Full_BIT = 89, -+ ETHTOOL_LINK_MODE_100baseFX_Half_BIT = 90, -+ ETHTOOL_LINK_MODE_100baseFX_Full_BIT = 91, - /* must be last entry */ - __ETHTOOL_LINK_MODE_MASK_NBITS - }; -diff --git a/include/standard-headers/linux/input-event-codes.h b/include/standard-headers/linux/input-event-codes.h -index e740ad9f2e0171ff86ddcf07232d..c403b9cb0d4ed62fb0aedd2c1e77 100644 ---- a/include/standard-headers/linux/input-event-codes.h -+++ b/include/standard-headers/linux/input-event-codes.h -@@ -515,6 +515,9 @@ - #define KEY_10CHANNELSUP 0x1b8 /* 10 channels up (10+) */ - #define KEY_10CHANNELSDOWN 0x1b9 /* 10 channels down (10-) */ - #define KEY_IMAGES 0x1ba /* AL Image Browser */ -+#define KEY_NOTIFICATION_CENTER 0x1bc /* Show/hide the notification center */ -+#define KEY_PICKUP_PHONE 0x1bd /* Answer incoming call */ -+#define KEY_HANGUP_PHONE 0x1be /* Decline incoming call */ - - #define KEY_DEL_EOL 0x1c0 - #define KEY_DEL_EOS 0x1c1 -@@ -542,6 +545,7 @@ - #define KEY_FN_F 0x1e2 - #define KEY_FN_S 0x1e3 - #define KEY_FN_B 0x1e4 -+#define KEY_FN_RIGHT_SHIFT 0x1e5 - - #define KEY_BRL_DOT1 0x1f1 - #define KEY_BRL_DOT2 0x1f2 -diff --git a/include/standard-headers/linux/pci_regs.h b/include/standard-headers/linux/pci_regs.h -index f9701410d3b52b7cfc549c50f08a..a95d55f9f25761ab78c8ef529dc4 100644 ---- a/include/standard-headers/linux/pci_regs.h -+++ b/include/standard-headers/linux/pci_regs.h -@@ -76,6 +76,7 @@ - #define PCI_CACHE_LINE_SIZE 0x0c /* 8 bits */ - #define PCI_LATENCY_TIMER 0x0d /* 8 bits */ - #define PCI_HEADER_TYPE 0x0e /* 8 bits */ -+#define PCI_HEADER_TYPE_MASK 0x7f - #define PCI_HEADER_TYPE_NORMAL 0 - #define PCI_HEADER_TYPE_BRIDGE 1 - #define PCI_HEADER_TYPE_CARDBUS 2 -@@ -246,7 +247,7 @@ - #define PCI_PM_CAP_PME_D0 0x0800 /* PME# from D0 */ - #define PCI_PM_CAP_PME_D1 0x1000 /* PME# from D1 */ - #define PCI_PM_CAP_PME_D2 0x2000 /* PME# from D2 */ --#define PCI_PM_CAP_PME_D3 0x4000 /* PME# from D3 (hot) */ -+#define PCI_PM_CAP_PME_D3hot 0x4000 /* PME# from D3 (hot) */ - #define PCI_PM_CAP_PME_D3cold 0x8000 /* PME# from D3 (cold) */ - #define PCI_PM_CAP_PME_SHIFT 11 /* Start of the PME Mask in PMC */ - #define PCI_PM_CTRL 4 /* PM control and status register */ -@@ -532,6 +533,8 @@ - #define PCI_EXP_LNKCAP_SLS_32_0GB 0x00000005 /* LNKCAP2 SLS Vector bit 4 */ - #define PCI_EXP_LNKCAP_MLW 0x000003f0 /* Maximum Link Width */ - #define PCI_EXP_LNKCAP_ASPMS 0x00000c00 /* ASPM Support */ -+#define PCI_EXP_LNKCAP_ASPM_L0S 0x00000400 /* ASPM L0s Support */ -+#define PCI_EXP_LNKCAP_ASPM_L1 0x00000800 /* ASPM L1 Support */ - #define PCI_EXP_LNKCAP_L0SEL 0x00007000 /* L0s Exit Latency */ - #define PCI_EXP_LNKCAP_L1EL 0x00038000 /* L1 Exit Latency */ - #define PCI_EXP_LNKCAP_CLKPM 0x00040000 /* Clock Power Management */ -@@ -1056,6 +1059,7 @@ - #define PCI_L1SS_CTL1_PCIPM_L1_1 0x00000002 /* PCI-PM L1.1 Enable */ - #define PCI_L1SS_CTL1_ASPM_L1_2 0x00000004 /* ASPM L1.2 Enable */ - #define PCI_L1SS_CTL1_ASPM_L1_1 0x00000008 /* ASPM L1.1 Enable */ -+#define PCI_L1SS_CTL1_L1_2_MASK 0x00000005 - #define PCI_L1SS_CTL1_L1SS_MASK 0x0000000f - #define PCI_L1SS_CTL1_CM_RESTORE_TIME 0x0000ff00 /* Common_Mode_Restore_Time */ - #define PCI_L1SS_CTL1_LTR_L12_TH_VALUE 0x03ff0000 /* LTR_L1.2_THRESHOLD_Value */ -diff --git a/include/standard-headers/linux/virtio_fs.h b/include/standard-headers/linux/virtio_fs.h -index 9d88817a6b665193d3cf0c5faf93..a32fe8a64c76ccdef5c1057e39c8 100644 ---- a/include/standard-headers/linux/virtio_fs.h -+++ b/include/standard-headers/linux/virtio_fs.h -@@ -16,4 +16,7 @@ struct virtio_fs_config { - uint32_t num_request_queues; - } QEMU_PACKED; - -+/* For the id field in virtio_pci_shm_cap */ -+#define VIRTIO_FS_SHMCAP_ID_CACHE 0 -+ - #endif /* _LINUX_VIRTIO_FS_H */ -diff --git a/include/standard-headers/linux/virtio_gpu.h b/include/standard-headers/linux/virtio_gpu.h -index b8fa15f0ace75d207a098e1fb9d6..4183cdc74b33fc510a83f3c47293 100644 ---- a/include/standard-headers/linux/virtio_gpu.h -+++ b/include/standard-headers/linux/virtio_gpu.h -@@ -50,6 +50,10 @@ - * VIRTIO_GPU_CMD_GET_EDID - */ - #define VIRTIO_GPU_F_EDID 1 -+/* -+ * VIRTIO_GPU_CMD_RESOURCE_ASSIGN_UUID -+ */ -+#define VIRTIO_GPU_F_RESOURCE_UUID 2 - - enum virtio_gpu_ctrl_type { - VIRTIO_GPU_UNDEFINED = 0, -@@ -66,6 +70,7 @@ enum virtio_gpu_ctrl_type { - VIRTIO_GPU_CMD_GET_CAPSET_INFO, - VIRTIO_GPU_CMD_GET_CAPSET, - VIRTIO_GPU_CMD_GET_EDID, -+ VIRTIO_GPU_CMD_RESOURCE_ASSIGN_UUID, - - /* 3d commands */ - VIRTIO_GPU_CMD_CTX_CREATE = 0x0200, -@@ -87,6 +92,7 @@ enum virtio_gpu_ctrl_type { - VIRTIO_GPU_RESP_OK_CAPSET_INFO, - VIRTIO_GPU_RESP_OK_CAPSET, - VIRTIO_GPU_RESP_OK_EDID, -+ VIRTIO_GPU_RESP_OK_RESOURCE_UUID, - - /* error responses */ - VIRTIO_GPU_RESP_ERR_UNSPEC = 0x1200, -@@ -340,4 +346,17 @@ enum virtio_gpu_formats { - VIRTIO_GPU_FORMAT_R8G8B8X8_UNORM = 134, - }; - -+/* VIRTIO_GPU_CMD_RESOURCE_ASSIGN_UUID */ -+struct virtio_gpu_resource_assign_uuid { -+ struct virtio_gpu_ctrl_hdr hdr; -+ uint32_t resource_id; -+ uint32_t padding; -+}; -+ -+/* VIRTIO_GPU_RESP_OK_RESOURCE_UUID */ -+struct virtio_gpu_resp_resource_uuid { -+ struct virtio_gpu_ctrl_hdr hdr; -+ uint8_t uuid[16]; -+}; -+ - #endif -diff --git a/include/standard-headers/linux/virtio_mmio.h b/include/standard-headers/linux/virtio_mmio.h -index c4b09689ab644719d1aa28fdb951..0650f91bea6c70f935764070d825 100644 ---- a/include/standard-headers/linux/virtio_mmio.h -+++ b/include/standard-headers/linux/virtio_mmio.h -@@ -122,6 +122,17 @@ - #define VIRTIO_MMIO_QUEUE_USED_LOW 0x0a0 - #define VIRTIO_MMIO_QUEUE_USED_HIGH 0x0a4 - -+/* Shared memory region id */ -+#define VIRTIO_MMIO_SHM_SEL 0x0ac -+ -+/* Shared memory region length, 64 bits in two halves */ -+#define VIRTIO_MMIO_SHM_LEN_LOW 0x0b0 -+#define VIRTIO_MMIO_SHM_LEN_HIGH 0x0b4 -+ -+/* Shared memory region base address, 64 bits in two halves */ -+#define VIRTIO_MMIO_SHM_BASE_LOW 0x0b8 -+#define VIRTIO_MMIO_SHM_BASE_HIGH 0x0bc -+ - /* Configuration atomicity value */ - #define VIRTIO_MMIO_CONFIG_GENERATION 0x0fc - -diff --git a/include/standard-headers/linux/virtio_pci.h b/include/standard-headers/linux/virtio_pci.h -index 9262acd130c38b874eddf9254382..db7a8e2fcbf2639bdafa15d78693 100644 ---- a/include/standard-headers/linux/virtio_pci.h -+++ b/include/standard-headers/linux/virtio_pci.h -@@ -113,6 +113,8 @@ - #define VIRTIO_PCI_CAP_DEVICE_CFG 4 - /* PCI configuration access */ - #define VIRTIO_PCI_CAP_PCI_CFG 5 -+/* Additional shared memory capability */ -+#define VIRTIO_PCI_CAP_SHARED_MEMORY_CFG 8 - - /* This is the PCI capability header: */ - struct virtio_pci_cap { -@@ -121,11 +123,18 @@ struct virtio_pci_cap { - uint8_t cap_len; /* Generic PCI field: capability length */ - uint8_t cfg_type; /* Identifies the structure. */ - uint8_t bar; /* Where to find it. */ -- uint8_t padding[3]; /* Pad to full dword. */ -+ uint8_t id; /* Multiple capabilities of the same type */ -+ uint8_t padding[2]; /* Pad to full dword. */ - uint32_t offset; /* Offset within bar. */ - uint32_t length; /* Length of the structure, in bytes. */ - }; - -+struct virtio_pci_cap64 { -+ struct virtio_pci_cap cap; -+ uint32_t offset_hi; /* Most sig 32 bits of offset */ -+ uint32_t length_hi; /* Most sig 32 bits of length */ -+}; -+ - struct virtio_pci_notify_cap { - struct virtio_pci_cap cap; - uint32_t notify_off_multiplier; /* Multiplier for queue_notify_off. */ -diff --git a/linux-headers/asm-arm64/kvm.h b/linux-headers/asm-arm64/kvm.h -index 9e34f0f875a60a1dc7bb69e0db91..a72de1ae4cb5638b42ea7057a9cc 100644 ---- a/linux-headers/asm-arm64/kvm.h -+++ b/linux-headers/asm-arm64/kvm.h -@@ -159,6 +159,21 @@ struct kvm_sync_regs { - struct kvm_arch_memory_slot { - }; - -+/* -+ * PMU filter structure. Describe a range of events with a particular -+ * action. To be used with KVM_ARM_VCPU_PMU_V3_FILTER. -+ */ -+struct kvm_pmu_event_filter { -+ __u16 base_event; -+ __u16 nevents; -+ -+#define KVM_PMU_EVENT_ALLOW 0 -+#define KVM_PMU_EVENT_DENY 1 -+ -+ __u8 action; -+ __u8 pad[3]; -+}; -+ - /* for KVM_GET/SET_VCPU_EVENTS */ - struct kvm_vcpu_events { - struct { -@@ -242,6 +257,15 @@ struct kvm_vcpu_events { - #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_NOT_AVAIL 0 - #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_AVAIL 1 - #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_1_NOT_REQUIRED 2 -+ -+/* -+ * Only two states can be presented by the host kernel: -+ * - NOT_REQUIRED: the guest doesn't need to do anything -+ * - NOT_AVAIL: the guest isn't mitigated (it can still use SSBS if available) -+ * -+ * All the other values are deprecated. The host still accepts all -+ * values (they are ABI), but will narrow them to the above two. -+ */ - #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2 KVM_REG_ARM_FW_REG(2) - #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_NOT_AVAIL 0 - #define KVM_REG_ARM_SMCCC_ARCH_WORKAROUND_2_UNKNOWN 1 -@@ -329,6 +353,7 @@ struct kvm_vcpu_events { - #define KVM_ARM_VCPU_PMU_V3_CTRL 0 - #define KVM_ARM_VCPU_PMU_V3_IRQ 0 - #define KVM_ARM_VCPU_PMU_V3_INIT 1 -+#define KVM_ARM_VCPU_PMU_V3_FILTER 2 - #define KVM_ARM_VCPU_TIMER_CTRL 1 - #define KVM_ARM_VCPU_TIMER_IRQ_VTIMER 0 - #define KVM_ARM_VCPU_TIMER_IRQ_PTIMER 1 -diff --git a/linux-headers/asm-arm64/mman.h b/linux-headers/asm-arm64/mman.h -index e94b9af859842a952268c34cfd92..d0dbfe958789062e3f56406078aa 100644 ---- a/linux-headers/asm-arm64/mman.h -+++ b/linux-headers/asm-arm64/mman.h -@@ -5,5 +5,6 @@ - #include - - #define PROT_BTI 0x10 /* BTI guarded page */ -+#define PROT_MTE 0x20 /* Normal Tagged mapping */ - - #endif /* ! _UAPI__ASM_MMAN_H */ -diff --git a/linux-headers/asm-generic/hugetlb_encode.h b/linux-headers/asm-generic/hugetlb_encode.h -index b0f8e87235bdf4b599b52895637d..4f3d5aaa11f531164beab5a47bed 100644 ---- a/linux-headers/asm-generic/hugetlb_encode.h -+++ b/linux-headers/asm-generic/hugetlb_encode.h -@@ -20,6 +20,7 @@ - #define HUGETLB_FLAG_ENCODE_SHIFT 26 - #define HUGETLB_FLAG_ENCODE_MASK 0x3f - -+#define HUGETLB_FLAG_ENCODE_16KB (14 << HUGETLB_FLAG_ENCODE_SHIFT) - #define HUGETLB_FLAG_ENCODE_64KB (16 << HUGETLB_FLAG_ENCODE_SHIFT) - #define HUGETLB_FLAG_ENCODE_512KB (19 << HUGETLB_FLAG_ENCODE_SHIFT) - #define HUGETLB_FLAG_ENCODE_1MB (20 << HUGETLB_FLAG_ENCODE_SHIFT) -diff --git a/linux-headers/asm-generic/unistd.h b/linux-headers/asm-generic/unistd.h -index 995b36c2ea7d8a4edbff1e79e555..2056318988f774931c4e0a310414 100644 ---- a/linux-headers/asm-generic/unistd.h -+++ b/linux-headers/asm-generic/unistd.h -@@ -140,7 +140,7 @@ __SYSCALL(__NR_renameat, sys_renameat) - #define __NR_umount2 39 - __SYSCALL(__NR_umount2, sys_umount) - #define __NR_mount 40 --__SC_COMP(__NR_mount, sys_mount, compat_sys_mount) -+__SYSCALL(__NR_mount, sys_mount) - #define __NR_pivot_root 41 - __SYSCALL(__NR_pivot_root, sys_pivot_root) - -@@ -207,9 +207,9 @@ __SYSCALL(__NR_read, sys_read) - #define __NR_write 64 - __SYSCALL(__NR_write, sys_write) - #define __NR_readv 65 --__SC_COMP(__NR_readv, sys_readv, compat_sys_readv) -+__SC_COMP(__NR_readv, sys_readv, sys_readv) - #define __NR_writev 66 --__SC_COMP(__NR_writev, sys_writev, compat_sys_writev) -+__SC_COMP(__NR_writev, sys_writev, sys_writev) - #define __NR_pread64 67 - __SC_COMP(__NR_pread64, sys_pread64, compat_sys_pread64) - #define __NR_pwrite64 68 -@@ -237,7 +237,7 @@ __SC_COMP(__NR_signalfd4, sys_signalfd4, compat_sys_signalfd4) - - /* fs/splice.c */ - #define __NR_vmsplice 75 --__SC_COMP(__NR_vmsplice, sys_vmsplice, compat_sys_vmsplice) -+__SYSCALL(__NR_vmsplice, sys_vmsplice) - #define __NR_splice 76 - __SYSCALL(__NR_splice, sys_splice) - #define __NR_tee 77 -@@ -727,11 +727,9 @@ __SYSCALL(__NR_setns, sys_setns) - #define __NR_sendmmsg 269 - __SC_COMP(__NR_sendmmsg, sys_sendmmsg, compat_sys_sendmmsg) - #define __NR_process_vm_readv 270 --__SC_COMP(__NR_process_vm_readv, sys_process_vm_readv, \ -- compat_sys_process_vm_readv) -+__SYSCALL(__NR_process_vm_readv, sys_process_vm_readv) - #define __NR_process_vm_writev 271 --__SC_COMP(__NR_process_vm_writev, sys_process_vm_writev, \ -- compat_sys_process_vm_writev) -+__SYSCALL(__NR_process_vm_writev, sys_process_vm_writev) - #define __NR_kcmp 272 - __SYSCALL(__NR_kcmp, sys_kcmp) - #define __NR_finit_module 273 -@@ -859,9 +857,11 @@ __SYSCALL(__NR_openat2, sys_openat2) - __SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd) - #define __NR_faccessat2 439 - __SYSCALL(__NR_faccessat2, sys_faccessat2) -+#define __NR_process_madvise 440 -+__SYSCALL(__NR_process_madvise, sys_process_madvise) - - #undef __NR_syscalls --#define __NR_syscalls 440 -+#define __NR_syscalls 441 - - /* - * 32 bit systems traditionally used different -diff --git a/linux-headers/asm-mips/unistd_n32.h b/linux-headers/asm-mips/unistd_n32.h -index 246fbb6a7885638679b536b78e66..aba284d190a0f7b887943283bfb6 100644 ---- a/linux-headers/asm-mips/unistd_n32.h -+++ b/linux-headers/asm-mips/unistd_n32.h -@@ -369,6 +369,7 @@ - #define __NR_openat2 (__NR_Linux + 437) - #define __NR_pidfd_getfd (__NR_Linux + 438) - #define __NR_faccessat2 (__NR_Linux + 439) -+#define __NR_process_madvise (__NR_Linux + 440) - - - #endif /* _ASM_MIPS_UNISTD_N32_H */ -diff --git a/linux-headers/asm-mips/unistd_n64.h b/linux-headers/asm-mips/unistd_n64.h -index 194d777dfd42582819f2d1e4342d..0465ab94db8966b453f1e1863e00 100644 ---- a/linux-headers/asm-mips/unistd_n64.h -+++ b/linux-headers/asm-mips/unistd_n64.h -@@ -345,6 +345,7 @@ - #define __NR_openat2 (__NR_Linux + 437) - #define __NR_pidfd_getfd (__NR_Linux + 438) - #define __NR_faccessat2 (__NR_Linux + 439) -+#define __NR_process_madvise (__NR_Linux + 440) - - - #endif /* _ASM_MIPS_UNISTD_N64_H */ -diff --git a/linux-headers/asm-mips/unistd_o32.h b/linux-headers/asm-mips/unistd_o32.h -index 3e093dd9134dc84a82778ace3c4d..5222a0dd50e18b778dcc38f45af8 100644 ---- a/linux-headers/asm-mips/unistd_o32.h -+++ b/linux-headers/asm-mips/unistd_o32.h -@@ -415,6 +415,7 @@ - #define __NR_openat2 (__NR_Linux + 437) - #define __NR_pidfd_getfd (__NR_Linux + 438) - #define __NR_faccessat2 (__NR_Linux + 439) -+#define __NR_process_madvise (__NR_Linux + 440) - - - #endif /* _ASM_MIPS_UNISTD_O32_H */ -diff --git a/linux-headers/asm-powerpc/unistd_32.h b/linux-headers/asm-powerpc/unistd_32.h -index 0db9481d49629bde4402afcb0c18..21066a3d5f4a65bd2a1e09c002a3 100644 ---- a/linux-headers/asm-powerpc/unistd_32.h -+++ b/linux-headers/asm-powerpc/unistd_32.h -@@ -422,6 +422,7 @@ - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - #define __NR_faccessat2 439 -+#define __NR_process_madvise 440 - - - #endif /* _ASM_POWERPC_UNISTD_32_H */ -diff --git a/linux-headers/asm-powerpc/unistd_64.h b/linux-headers/asm-powerpc/unistd_64.h -index 9f74310988e1afca2bbe087ab83d..c153da29f2362aa32b379a711ac8 100644 ---- a/linux-headers/asm-powerpc/unistd_64.h -+++ b/linux-headers/asm-powerpc/unistd_64.h -@@ -394,6 +394,7 @@ - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - #define __NR_faccessat2 439 -+#define __NR_process_madvise 440 - - - #endif /* _ASM_POWERPC_UNISTD_64_H */ -diff --git a/linux-headers/asm-s390/unistd_32.h b/linux-headers/asm-s390/unistd_32.h -index 1803cd0c3ba638008c0463758951..3b4f2dda6049767ea56e3a29ecf6 100644 ---- a/linux-headers/asm-s390/unistd_32.h -+++ b/linux-headers/asm-s390/unistd_32.h -@@ -412,5 +412,6 @@ - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - #define __NR_faccessat2 439 -+#define __NR_process_madvise 440 - - #endif /* _ASM_S390_UNISTD_32_H */ -diff --git a/linux-headers/asm-s390/unistd_64.h b/linux-headers/asm-s390/unistd_64.h -index 228d5004e5a88127a30d1fae6fb8..030a51fa3828b9a8ea64d42dc84b 100644 ---- a/linux-headers/asm-s390/unistd_64.h -+++ b/linux-headers/asm-s390/unistd_64.h -@@ -360,5 +360,6 @@ - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - #define __NR_faccessat2 439 -+#define __NR_process_madvise 440 - - #endif /* _ASM_S390_UNISTD_64_H */ -diff --git a/linux-headers/asm-x86/kvm.h b/linux-headers/asm-x86/kvm.h -index 17c5a038f42d3978d1b06d7cec5f..5108cf3d01dd463bf1f89128ad43 100644 ---- a/linux-headers/asm-x86/kvm.h -+++ b/linux-headers/asm-x86/kvm.h -@@ -192,6 +192,26 @@ struct kvm_msr_list { - __u32 indices[0]; - }; - -+/* Maximum size of any access bitmap in bytes */ -+#define KVM_MSR_FILTER_MAX_BITMAP_SIZE 0x600 -+ -+/* for KVM_X86_SET_MSR_FILTER */ -+struct kvm_msr_filter_range { -+#define KVM_MSR_FILTER_READ (1 << 0) -+#define KVM_MSR_FILTER_WRITE (1 << 1) -+ __u32 flags; -+ __u32 nmsrs; /* number of msrs in bitmap */ -+ __u32 base; /* MSR index the bitmap starts at */ -+ __u8 *bitmap; /* a 1 bit allows the operations in flags, 0 denies */ -+}; -+ -+#define KVM_MSR_FILTER_MAX_RANGES 16 -+struct kvm_msr_filter { -+#define KVM_MSR_FILTER_DEFAULT_ALLOW (0 << 0) -+#define KVM_MSR_FILTER_DEFAULT_DENY (1 << 0) -+ __u32 flags; -+ struct kvm_msr_filter_range ranges[KVM_MSR_FILTER_MAX_RANGES]; -+}; - - struct kvm_cpuid_entry { - __u32 function; -diff --git a/linux-headers/asm-x86/unistd_32.h b/linux-headers/asm-x86/unistd_32.h -index 356c12c2dbce1bf92f665c705a86..cfba368f9dffa9ed90eeff567849 100644 ---- a/linux-headers/asm-x86/unistd_32.h -+++ b/linux-headers/asm-x86/unistd_32.h -@@ -430,6 +430,7 @@ - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - #define __NR_faccessat2 439 -+#define __NR_process_madvise 440 - - - #endif /* _ASM_X86_UNISTD_32_H */ -diff --git a/linux-headers/asm-x86/unistd_64.h b/linux-headers/asm-x86/unistd_64.h -index ef70e1c7c93fc9f64edcc1d551a1..61af7250955feef3be80c70eeccc 100644 ---- a/linux-headers/asm-x86/unistd_64.h -+++ b/linux-headers/asm-x86/unistd_64.h -@@ -352,6 +352,7 @@ - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - #define __NR_faccessat2 439 -+#define __NR_process_madvise 440 - - - #endif /* _ASM_X86_UNISTD_64_H */ -diff --git a/linux-headers/asm-x86/unistd_x32.h b/linux-headers/asm-x86/unistd_x32.h -index 84ae8e9f5fca8679e279bdfbf5f3..a6890cb1f5b534b152455e07e707 100644 ---- a/linux-headers/asm-x86/unistd_x32.h -+++ b/linux-headers/asm-x86/unistd_x32.h -@@ -305,6 +305,7 @@ - #define __NR_openat2 (__X32_SYSCALL_BIT + 437) - #define __NR_pidfd_getfd (__X32_SYSCALL_BIT + 438) - #define __NR_faccessat2 (__X32_SYSCALL_BIT + 439) -+#define __NR_process_madvise (__X32_SYSCALL_BIT + 440) - #define __NR_rt_sigaction (__X32_SYSCALL_BIT + 512) - #define __NR_rt_sigreturn (__X32_SYSCALL_BIT + 513) - #define __NR_ioctl (__X32_SYSCALL_BIT + 514) -diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h -index d9860561985c537b70428a9fbfc0..4ec5f9464c650dda5bdda131f6ba 100644 ---- a/linux-headers/linux/kvm.h -+++ b/linux-headers/linux/kvm.h -@@ -248,6 +248,8 @@ struct kvm_hyperv_exit { - #define KVM_EXIT_IOAPIC_EOI 26 - #define KVM_EXIT_HYPERV 27 - #define KVM_EXIT_ARM_NISV 28 -+#define KVM_EXIT_X86_RDMSR 29 -+#define KVM_EXIT_X86_WRMSR 30 - - /* For KVM_EXIT_INTERNAL_ERROR */ - /* Emulate instruction failed. */ -@@ -413,6 +415,17 @@ struct kvm_run { - __u64 esr_iss; - __u64 fault_ipa; - } arm_nisv; -+ /* KVM_EXIT_X86_RDMSR / KVM_EXIT_X86_WRMSR */ -+ struct { -+ __u8 error; /* user -> kernel */ -+ __u8 pad[7]; -+#define KVM_MSR_EXIT_REASON_INVAL (1 << 0) -+#define KVM_MSR_EXIT_REASON_UNKNOWN (1 << 1) -+#define KVM_MSR_EXIT_REASON_FILTER (1 << 2) -+ __u32 reason; /* kernel -> user */ -+ __u32 index; /* kernel -> user */ -+ __u64 data; /* kernel <-> user */ -+ } msr; - /* Fix the size of the union. */ - char padding[256]; - }; -@@ -1031,6 +1044,9 @@ struct kvm_ppc_resize_hpt { - #define KVM_CAP_SMALLER_MAXPHYADDR 185 - #define KVM_CAP_S390_DIAG318 186 - #define KVM_CAP_STEAL_TIME 187 -+#define KVM_CAP_X86_USER_SPACE_MSR 188 -+#define KVM_CAP_X86_MSR_FILTER 189 -+#define KVM_CAP_ENFORCE_PV_FEATURE_CPUID 190 - - #ifdef KVM_CAP_IRQ_ROUTING - -@@ -1495,6 +1511,9 @@ struct kvm_enc_region { - /* Available with KVM_CAP_ARM_SVE */ - #define KVM_ARM_VCPU_FINALIZE _IOW(KVMIO, 0xc2, int) - -+/* Available with KVM_CAP_X86_MSR_FILTER */ -+#define KVM_X86_SET_MSR_FILTER _IOW(KVMIO, 0xc6, struct kvm_msr_filter) -+ - /* Secure Encrypted Virtualization command */ - enum sev_cmd_id { - /* Guest initialization commands */ -diff --git a/linux-headers/linux/mman.h b/linux-headers/linux/mman.h -index 51ea363759f021d964e23440cd82..434986fbe3071d1fd0c13d6a46a6 100644 ---- a/linux-headers/linux/mman.h -+++ b/linux-headers/linux/mman.h -@@ -27,6 +27,7 @@ - #define MAP_HUGE_SHIFT HUGETLB_FLAG_ENCODE_SHIFT - #define MAP_HUGE_MASK HUGETLB_FLAG_ENCODE_MASK - -+#define MAP_HUGE_16KB HUGETLB_FLAG_ENCODE_16KB - #define MAP_HUGE_64KB HUGETLB_FLAG_ENCODE_64KB - #define MAP_HUGE_512KB HUGETLB_FLAG_ENCODE_512KB - #define MAP_HUGE_1MB HUGETLB_FLAG_ENCODE_1MB -diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h -index a90672494dc584fff35d3141e248..b92dcc4dafd5f00fd1ab89199aee 100644 ---- a/linux-headers/linux/vfio.h -+++ b/linux-headers/linux/vfio.h -@@ -201,8 +201,11 @@ struct vfio_device_info { - #define VFIO_DEVICE_FLAGS_AMBA (1 << 3) /* vfio-amba device */ - #define VFIO_DEVICE_FLAGS_CCW (1 << 4) /* vfio-ccw device */ - #define VFIO_DEVICE_FLAGS_AP (1 << 5) /* vfio-ap device */ -+#define VFIO_DEVICE_FLAGS_FSL_MC (1 << 6) /* vfio-fsl-mc device */ -+#define VFIO_DEVICE_FLAGS_CAPS (1 << 7) /* Info supports caps */ - __u32 num_regions; /* Max region index + 1 */ - __u32 num_irqs; /* Max IRQ index + 1 */ -+ __u32 cap_offset; /* Offset within info struct of first cap */ - }; - #define VFIO_DEVICE_GET_INFO _IO(VFIO_TYPE, VFIO_BASE + 7) - -@@ -218,6 +221,15 @@ struct vfio_device_info { - #define VFIO_DEVICE_API_CCW_STRING "vfio-ccw" - #define VFIO_DEVICE_API_AP_STRING "vfio-ap" - -+/* -+ * The following capabilities are unique to s390 zPCI devices. Their contents -+ * are further-defined in vfio_zdev.h -+ */ -+#define VFIO_DEVICE_INFO_CAP_ZPCI_BASE 1 -+#define VFIO_DEVICE_INFO_CAP_ZPCI_GROUP 2 -+#define VFIO_DEVICE_INFO_CAP_ZPCI_UTIL 3 -+#define VFIO_DEVICE_INFO_CAP_ZPCI_PFIP 4 -+ - /** - * VFIO_DEVICE_GET_REGION_INFO - _IOWR(VFIO_TYPE, VFIO_BASE + 8, - * struct vfio_region_info) -@@ -462,7 +474,7 @@ struct vfio_region_gfx_edid { - * 5. Resumed - * |--------->| - * -- * 0. Default state of VFIO device is _RUNNNG when the user application starts. -+ * 0. Default state of VFIO device is _RUNNING when the user application starts. - * 1. During normal shutdown of the user application, the user application may - * optionally change the VFIO device state from _RUNNING to _STOP. This - * transition is optional. The vendor driver must support this transition but -@@ -1039,6 +1051,21 @@ struct vfio_iommu_type1_info_cap_migration { - __u64 max_dirty_bitmap_size; /* in bytes */ - }; - -+/* -+ * The DMA available capability allows to report the current number of -+ * simultaneously outstanding DMA mappings that are allowed. -+ * -+ * The structure below defines version 1 of this capability. -+ * -+ * avail: specifies the current number of outstanding DMA mappings allowed. -+ */ -+#define VFIO_IOMMU_TYPE1_INFO_DMA_AVAIL 3 -+ -+struct vfio_iommu_type1_info_dma_avail { -+ struct vfio_info_cap_header header; -+ __u32 avail; -+}; -+ - #define VFIO_IOMMU_GET_INFO _IO(VFIO_TYPE, VFIO_BASE + 12) - - /** -diff --git a/linux-headers/linux/vfio_zdev.h b/linux-headers/linux/vfio_zdev.h -new file mode 100644 -index 0000000000000000000000000000000000000000..b4309397b6b273bb66e80cc53da769625cec939a ---- /dev/null -+++ b/linux-headers/linux/vfio_zdev.h -@@ -0,0 +1,78 @@ -+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ -+/* -+ * VFIO Region definitions for ZPCI devices -+ * -+ * Copyright IBM Corp. 2020 -+ * -+ * Author(s): Pierre Morel -+ * Matthew Rosato -+ */ -+ -+#ifndef _VFIO_ZDEV_H_ -+#define _VFIO_ZDEV_H_ -+ -+#include -+#include -+ -+/** -+ * VFIO_DEVICE_INFO_CAP_ZPCI_BASE - Base PCI Function information -+ * -+ * This capability provides a set of descriptive information about the -+ * associated PCI function. -+ */ -+struct vfio_device_info_cap_zpci_base { -+ struct vfio_info_cap_header header; -+ __u64 start_dma; /* Start of available DMA addresses */ -+ __u64 end_dma; /* End of available DMA addresses */ -+ __u16 pchid; /* Physical Channel ID */ -+ __u16 vfn; /* Virtual function number */ -+ __u16 fmb_length; /* Measurement Block Length (in bytes) */ -+ __u8 pft; /* PCI Function Type */ -+ __u8 gid; /* PCI function group ID */ -+}; -+ -+/** -+ * VFIO_DEVICE_INFO_CAP_ZPCI_GROUP - Base PCI Function Group information -+ * -+ * This capability provides a set of descriptive information about the group of -+ * PCI functions that the associated device belongs to. -+ */ -+struct vfio_device_info_cap_zpci_group { -+ struct vfio_info_cap_header header; -+ __u64 dasm; /* DMA Address space mask */ -+ __u64 msi_addr; /* MSI address */ -+ __u64 flags; -+#define VFIO_DEVICE_INFO_ZPCI_FLAG_REFRESH 1 /* Program-specified TLB refresh */ -+ __u16 mui; /* Measurement Block Update Interval */ -+ __u16 noi; /* Maximum number of MSIs */ -+ __u16 maxstbl; /* Maximum Store Block Length */ -+ __u8 version; /* Supported PCI Version */ -+}; -+ -+/** -+ * VFIO_DEVICE_INFO_CAP_ZPCI_UTIL - Utility String -+ * -+ * This capability provides the utility string for the associated device, which -+ * is a device identifier string made up of EBCDID characters. 'size' specifies -+ * the length of 'util_str'. -+ */ -+struct vfio_device_info_cap_zpci_util { -+ struct vfio_info_cap_header header; -+ __u32 size; -+ __u8 util_str[]; -+}; -+ -+/** -+ * VFIO_DEVICE_INFO_CAP_ZPCI_PFIP - PCI Function Path -+ * -+ * This capability provides the PCI function path string, which is an identifier -+ * that describes the internal hardware path of the device. 'size' specifies -+ * the length of 'pfip'. -+ */ -+struct vfio_device_info_cap_zpci_pfip { -+ struct vfio_info_cap_header header; -+ __u32 size; -+ __u8 pfip[]; -+}; -+ -+#endif diff --git a/packaging/linux-headers-update-against-Linux-5.6-r.patch b/packaging/linux-headers-update-against-Linux-5.6-r.patch deleted file mode 100644 index 23d7f74f3..000000000 --- a/packaging/linux-headers-update-against-Linux-5.6-r.patch +++ /dev/null @@ -1,335 +0,0 @@ -From: Cornelia Huck -Date: Tue, 18 Feb 2020 15:44:59 +0100 -Subject: linux-headers: update against Linux 5.6-rc3 - -Git-commit: ddda37483dd17c9936fdde9ebf8f6ca2692b3842 -References: bsc#1179719 - -Update to commit b1da3acc781c ("Merge tag 'ecryptfs-5.6-rc3-fixes' of -git://git.kernel.org/pub/scm/linux/kernel/git/tyhicks/ecryptfs") - -Signed-off-by: Cornelia Huck -Signed-off-by: Liang Yan ---- - include/standard-headers/drm/drm_fourcc.h | 24 +++++++++++++++++++++++ - include/standard-headers/linux/ethtool.h | 11 +++++++++++ - include/standard-headers/linux/input.h | 1 + - include/standard-headers/linux/pci_regs.h | 1 + - linux-headers/asm-arm/unistd-common.h | 2 ++ - linux-headers/asm-arm64/kvm.h | 12 ++++++++++-- - linux-headers/asm-arm64/unistd.h | 1 + - linux-headers/asm-generic/mman-common.h | 2 ++ - linux-headers/asm-generic/unistd.h | 7 ++++++- - linux-headers/asm-mips/unistd_n32.h | 2 ++ - linux-headers/asm-mips/unistd_n64.h | 2 ++ - linux-headers/asm-mips/unistd_o32.h | 2 ++ - linux-headers/asm-powerpc/unistd_32.h | 2 ++ - linux-headers/asm-powerpc/unistd_64.h | 2 ++ - linux-headers/asm-s390/unistd_32.h | 2 ++ - linux-headers/asm-s390/unistd_64.h | 2 ++ - linux-headers/asm-x86/unistd_32.h | 2 ++ - linux-headers/asm-x86/unistd_64.h | 2 ++ - linux-headers/asm-x86/unistd_x32.h | 2 ++ - 19 files changed, 78 insertions(+), 3 deletions(-) - -diff --git a/include/standard-headers/drm/drm_fourcc.h b/include/standard-headers/drm/drm_fourcc.h -index 46d279f51586bcbc097cc7f67347..66e838074c81c64d1d38f3fb815d 100644 ---- a/include/standard-headers/drm/drm_fourcc.h -+++ b/include/standard-headers/drm/drm_fourcc.h -@@ -409,6 +409,30 @@ extern "C" { - #define I915_FORMAT_MOD_Y_TILED_CCS fourcc_mod_code(INTEL, 4) - #define I915_FORMAT_MOD_Yf_TILED_CCS fourcc_mod_code(INTEL, 5) - -+/* -+ * Intel color control surfaces (CCS) for Gen-12 render compression. -+ * -+ * The main surface is Y-tiled and at plane index 0, the CCS is linear and -+ * at index 1. A 64B CCS cache line corresponds to an area of 4x1 tiles in -+ * main surface. In other words, 4 bits in CCS map to a main surface cache -+ * line pair. The main surface pitch is required to be a multiple of four -+ * Y-tile widths. -+ */ -+#define I915_FORMAT_MOD_Y_TILED_GEN12_RC_CCS fourcc_mod_code(INTEL, 6) -+ -+/* -+ * Intel color control surfaces (CCS) for Gen-12 media compression -+ * -+ * The main surface is Y-tiled and at plane index 0, the CCS is linear and -+ * at index 1. A 64B CCS cache line corresponds to an area of 4x1 tiles in -+ * main surface. In other words, 4 bits in CCS map to a main surface cache -+ * line pair. The main surface pitch is required to be a multiple of four -+ * Y-tile widths. For semi-planar formats like NV12, CCS planes follow the -+ * Y and UV planes i.e., planes 0 and 1 are used for Y and UV surfaces, -+ * planes 2 and 3 for the respective CCS. -+ */ -+#define I915_FORMAT_MOD_Y_TILED_GEN12_MC_CCS fourcc_mod_code(INTEL, 7) -+ - /* - * Tiled, NV12MT, grouped in 64 (pixels) x 32 (lines) -sized macroblocks - * -diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h -index 6e8a10ee10751b19ccaad191d38c..8adf3b018b95f2e6e0dc0960810d 100644 ---- a/include/standard-headers/linux/ethtool.h -+++ b/include/standard-headers/linux/ethtool.h -@@ -593,6 +593,9 @@ struct ethtool_pauseparam { - * @ETH_SS_RSS_HASH_FUNCS: RSS hush function names - * @ETH_SS_PHY_STATS: Statistic names, for use with %ETHTOOL_GPHYSTATS - * @ETH_SS_PHY_TUNABLES: PHY tunable names -+ * @ETH_SS_LINK_MODES: link mode names -+ * @ETH_SS_MSG_CLASSES: debug message class names -+ * @ETH_SS_WOL_MODES: wake-on-lan modes - */ - enum ethtool_stringset { - ETH_SS_TEST = 0, -@@ -604,6 +607,12 @@ enum ethtool_stringset { - ETH_SS_TUNABLES, - ETH_SS_PHY_STATS, - ETH_SS_PHY_TUNABLES, -+ ETH_SS_LINK_MODES, -+ ETH_SS_MSG_CLASSES, -+ ETH_SS_WOL_MODES, -+ -+ /* add new constants above here */ -+ ETH_SS_COUNT - }; - - /** -@@ -1688,6 +1697,8 @@ static inline int ethtool_validate_duplex(uint8_t duplex) - #define WAKE_MAGICSECURE (1 << 6) /* only meaningful if WAKE_MAGIC */ - #define WAKE_FILTER (1 << 7) - -+#define WOL_MODE_COUNT 8 -+ - /* L2-L4 network traffic flow types */ - #define TCP_V4_FLOW 0x01 /* hash or spec (tcp_ip4_spec) */ - #define UDP_V4_FLOW 0x02 /* hash or spec (udp_ip4_spec) */ -diff --git a/include/standard-headers/linux/input.h b/include/standard-headers/linux/input.h -index d8914f25a5e0de3a864d8f6fdd66..f89c986190de9b8810d73cd65481 100644 ---- a/include/standard-headers/linux/input.h -+++ b/include/standard-headers/linux/input.h -@@ -31,6 +31,7 @@ struct input_event { - unsigned long __sec; - #if defined(__sparc__) && defined(__arch64__) - unsigned int __usec; -+ unsigned int __pad; - #else - unsigned long __usec; - #endif -diff --git a/include/standard-headers/linux/pci_regs.h b/include/standard-headers/linux/pci_regs.h -index acb7d2bdb419a49f2e6ed999f9ff..5437690483cded0999edd48eb7d7 100644 ---- a/include/standard-headers/linux/pci_regs.h -+++ b/include/standard-headers/linux/pci_regs.h -@@ -676,6 +676,7 @@ - #define PCI_EXP_LNKCTL2_TLS_32_0GT 0x0005 /* Supported Speed 32GT/s */ - #define PCI_EXP_LNKCTL2_ENTER_COMP 0x0010 /* Enter Compliance */ - #define PCI_EXP_LNKCTL2_TX_MARGIN 0x0380 /* Transmit Margin */ -+#define PCI_EXP_LNKCTL2_HASD 0x0020 /* HW Autonomous Speed Disable */ - #define PCI_EXP_LNKSTA2 50 /* Link Status 2 */ - #define PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 52 /* v2 endpoints with link end here */ - #define PCI_EXP_SLTCAP2 52 /* Slot Capabilities 2 */ -diff --git a/linux-headers/asm-arm/unistd-common.h b/linux-headers/asm-arm/unistd-common.h -index eb5d361b117bd21fc5c565f59e7c..23de64e44c44fbf4e00ceef0f505 100644 ---- a/linux-headers/asm-arm/unistd-common.h -+++ b/linux-headers/asm-arm/unistd-common.h -@@ -390,5 +390,7 @@ - #define __NR_fspick (__NR_SYSCALL_BASE + 433) - #define __NR_pidfd_open (__NR_SYSCALL_BASE + 434) - #define __NR_clone3 (__NR_SYSCALL_BASE + 435) -+#define __NR_openat2 (__NR_SYSCALL_BASE + 437) -+#define __NR_pidfd_getfd (__NR_SYSCALL_BASE + 438) - - #endif /* _ASM_ARM_UNISTD_COMMON_H */ -diff --git a/linux-headers/asm-arm64/kvm.h b/linux-headers/asm-arm64/kvm.h -index 920af01c8b9029db521c55e93aaa..9e34f0f875a60a1dc7bb69e0db91 100644 ---- a/linux-headers/asm-arm64/kvm.h -+++ b/linux-headers/asm-arm64/kvm.h -@@ -220,10 +220,18 @@ struct kvm_vcpu_events { - #define KVM_REG_ARM_PTIMER_CVAL ARM64_SYS_REG(3, 3, 14, 2, 2) - #define KVM_REG_ARM_PTIMER_CNT ARM64_SYS_REG(3, 3, 14, 0, 1) - --/* EL0 Virtual Timer Registers */ -+/* -+ * EL0 Virtual Timer Registers -+ * -+ * WARNING: -+ * KVM_REG_ARM_TIMER_CVAL and KVM_REG_ARM_TIMER_CNT are not defined -+ * with the appropriate register encodings. Their values have been -+ * accidentally swapped. As this is set API, the definitions here -+ * must be used, rather than ones derived from the encodings. -+ */ - #define KVM_REG_ARM_TIMER_CTL ARM64_SYS_REG(3, 3, 14, 3, 1) --#define KVM_REG_ARM_TIMER_CNT ARM64_SYS_REG(3, 3, 14, 3, 2) - #define KVM_REG_ARM_TIMER_CVAL ARM64_SYS_REG(3, 3, 14, 0, 2) -+#define KVM_REG_ARM_TIMER_CNT ARM64_SYS_REG(3, 3, 14, 3, 2) - - /* KVM-as-firmware specific pseudo-registers */ - #define KVM_REG_ARM_FW (0x0014 << KVM_REG_ARM_COPROC_SHIFT) -diff --git a/linux-headers/asm-arm64/unistd.h b/linux-headers/asm-arm64/unistd.h -index 4703d218663a2ad81e7c8d4fd074..f83a70e07df85ca5029a1e91cde9 100644 ---- a/linux-headers/asm-arm64/unistd.h -+++ b/linux-headers/asm-arm64/unistd.h -@@ -19,5 +19,6 @@ - #define __ARCH_WANT_NEW_STAT - #define __ARCH_WANT_SET_GET_RLIMIT - #define __ARCH_WANT_TIME32_SYSCALLS -+#define __ARCH_WANT_SYS_CLONE3 - - #include -diff --git a/linux-headers/asm-generic/mman-common.h b/linux-headers/asm-generic/mman-common.h -index c160a5354eb62b3b17de564be439..f94f65d429bea3c26bdcdc319737 100644 ---- a/linux-headers/asm-generic/mman-common.h -+++ b/linux-headers/asm-generic/mman-common.h -@@ -11,6 +11,8 @@ - #define PROT_WRITE 0x2 /* page can be written */ - #define PROT_EXEC 0x4 /* page can be executed */ - #define PROT_SEM 0x8 /* page may be used for atomic ops */ -+/* 0x10 reserved for arch-specific use */ -+/* 0x20 reserved for arch-specific use */ - #define PROT_NONE 0x0 /* page can not be accessed */ - #define PROT_GROWSDOWN 0x01000000 /* mprotect flag: extend change to start of growsdown vma */ - #define PROT_GROWSUP 0x02000000 /* mprotect flag: extend change to end of growsup vma */ -diff --git a/linux-headers/asm-generic/unistd.h b/linux-headers/asm-generic/unistd.h -index 1fc8faa6e97306dfa95335ecba91..3a3201e4618ef8c7445895b26f6e 100644 ---- a/linux-headers/asm-generic/unistd.h -+++ b/linux-headers/asm-generic/unistd.h -@@ -851,8 +851,13 @@ __SYSCALL(__NR_pidfd_open, sys_pidfd_open) - __SYSCALL(__NR_clone3, sys_clone3) - #endif - -+#define __NR_openat2 437 -+__SYSCALL(__NR_openat2, sys_openat2) -+#define __NR_pidfd_getfd 438 -+__SYSCALL(__NR_pidfd_getfd, sys_pidfd_getfd) -+ - #undef __NR_syscalls --#define __NR_syscalls 436 -+#define __NR_syscalls 439 - - /* - * 32 bit systems traditionally used different -diff --git a/linux-headers/asm-mips/unistd_n32.h b/linux-headers/asm-mips/unistd_n32.h -index 659d5c9ade4747959ec9b64c7ad7..aec9f6081af7974a2f8fc075a70f 100644 ---- a/linux-headers/asm-mips/unistd_n32.h -+++ b/linux-headers/asm-mips/unistd_n32.h -@@ -365,6 +365,8 @@ - #define __NR_fspick (__NR_Linux + 433) - #define __NR_pidfd_open (__NR_Linux + 434) - #define __NR_clone3 (__NR_Linux + 435) -+#define __NR_openat2 (__NR_Linux + 437) -+#define __NR_pidfd_getfd (__NR_Linux + 438) - - - #endif /* _ASM_MIPS_UNISTD_N32_H */ -diff --git a/linux-headers/asm-mips/unistd_n64.h b/linux-headers/asm-mips/unistd_n64.h -index 4b6310a05c235087cbf6f09b558d..1c75d83df53f90aa386b8b919a3d 100644 ---- a/linux-headers/asm-mips/unistd_n64.h -+++ b/linux-headers/asm-mips/unistd_n64.h -@@ -341,6 +341,8 @@ - #define __NR_fspick (__NR_Linux + 433) - #define __NR_pidfd_open (__NR_Linux + 434) - #define __NR_clone3 (__NR_Linux + 435) -+#define __NR_openat2 (__NR_Linux + 437) -+#define __NR_pidfd_getfd (__NR_Linux + 438) - - - #endif /* _ASM_MIPS_UNISTD_N64_H */ -diff --git a/linux-headers/asm-mips/unistd_o32.h b/linux-headers/asm-mips/unistd_o32.h -index 4ce7b4e288a53503422a21719e92..660716e240ec10f7ccf3e65239dd 100644 ---- a/linux-headers/asm-mips/unistd_o32.h -+++ b/linux-headers/asm-mips/unistd_o32.h -@@ -411,6 +411,8 @@ - #define __NR_fspick (__NR_Linux + 433) - #define __NR_pidfd_open (__NR_Linux + 434) - #define __NR_clone3 (__NR_Linux + 435) -+#define __NR_openat2 (__NR_Linux + 437) -+#define __NR_pidfd_getfd (__NR_Linux + 438) - - - #endif /* _ASM_MIPS_UNISTD_O32_H */ -diff --git a/linux-headers/asm-powerpc/unistd_32.h b/linux-headers/asm-powerpc/unistd_32.h -index 5584cc1b4fc1dd4c9f540f392e6c..4ba8e32f734445f6107d45044d08 100644 ---- a/linux-headers/asm-powerpc/unistd_32.h -+++ b/linux-headers/asm-powerpc/unistd_32.h -@@ -418,6 +418,8 @@ - #define __NR_fspick 433 - #define __NR_pidfd_open 434 - #define __NR_clone3 435 -+#define __NR_openat2 437 -+#define __NR_pidfd_getfd 438 - - - #endif /* _ASM_POWERPC_UNISTD_32_H */ -diff --git a/linux-headers/asm-powerpc/unistd_64.h b/linux-headers/asm-powerpc/unistd_64.h -index 251bcff77ea4b6cc8e9bc1b3fd4a..ac20bb4f95b207d4875613b54c45 100644 ---- a/linux-headers/asm-powerpc/unistd_64.h -+++ b/linux-headers/asm-powerpc/unistd_64.h -@@ -390,6 +390,8 @@ - #define __NR_fspick 433 - #define __NR_pidfd_open 434 - #define __NR_clone3 435 -+#define __NR_openat2 437 -+#define __NR_pidfd_getfd 438 - - - #endif /* _ASM_POWERPC_UNISTD_64_H */ -diff --git a/linux-headers/asm-s390/unistd_32.h b/linux-headers/asm-s390/unistd_32.h -index 7cce3ee296093aa8e96139e642a2..e4a6b654f10e1169e4fd62838282 100644 ---- a/linux-headers/asm-s390/unistd_32.h -+++ b/linux-headers/asm-s390/unistd_32.h -@@ -408,5 +408,7 @@ - #define __NR_fspick 433 - #define __NR_pidfd_open 434 - #define __NR_clone3 435 -+#define __NR_openat2 437 -+#define __NR_pidfd_getfd 438 - - #endif /* _ASM_S390_UNISTD_32_H */ -diff --git a/linux-headers/asm-s390/unistd_64.h b/linux-headers/asm-s390/unistd_64.h -index 2371ff1e7a79a2c237b72a941351..472f732956e4d1047d95dd68c5de 100644 ---- a/linux-headers/asm-s390/unistd_64.h -+++ b/linux-headers/asm-s390/unistd_64.h -@@ -356,5 +356,7 @@ - #define __NR_fspick 433 - #define __NR_pidfd_open 434 - #define __NR_clone3 435 -+#define __NR_openat2 437 -+#define __NR_pidfd_getfd 438 - - #endif /* _ASM_S390_UNISTD_64_H */ -diff --git a/linux-headers/asm-x86/unistd_32.h b/linux-headers/asm-x86/unistd_32.h -index e8ebec1cdc99b76c129a781ee830..f6e06fcfbdcf796df4336b83fe33 100644 ---- a/linux-headers/asm-x86/unistd_32.h -+++ b/linux-headers/asm-x86/unistd_32.h -@@ -426,5 +426,7 @@ - #define __NR_fspick 433 - #define __NR_pidfd_open 434 - #define __NR_clone3 435 -+#define __NR_openat2 437 -+#define __NR_pidfd_getfd 438 - - #endif /* _ASM_X86_UNISTD_32_H */ -diff --git a/linux-headers/asm-x86/unistd_64.h b/linux-headers/asm-x86/unistd_64.h -index a2f863d5493ff31b2661721f3e0d..924f826d2d48396621ab67c66942 100644 ---- a/linux-headers/asm-x86/unistd_64.h -+++ b/linux-headers/asm-x86/unistd_64.h -@@ -348,5 +348,7 @@ - #define __NR_fspick 433 - #define __NR_pidfd_open 434 - #define __NR_clone3 435 -+#define __NR_openat2 437 -+#define __NR_pidfd_getfd 438 - - #endif /* _ASM_X86_UNISTD_64_H */ -diff --git a/linux-headers/asm-x86/unistd_x32.h b/linux-headers/asm-x86/unistd_x32.h -index 4cdc67d8481069799fc44bbc07b7..010307757b1bb935299af66e88a3 100644 ---- a/linux-headers/asm-x86/unistd_x32.h -+++ b/linux-headers/asm-x86/unistd_x32.h -@@ -301,6 +301,8 @@ - #define __NR_fspick (__X32_SYSCALL_BIT + 433) - #define __NR_pidfd_open (__X32_SYSCALL_BIT + 434) - #define __NR_clone3 (__X32_SYSCALL_BIT + 435) -+#define __NR_openat2 (__X32_SYSCALL_BIT + 437) -+#define __NR_pidfd_getfd (__X32_SYSCALL_BIT + 438) - #define __NR_rt_sigaction (__X32_SYSCALL_BIT + 512) - #define __NR_rt_sigreturn (__X32_SYSCALL_BIT + 513) - #define __NR_ioctl (__X32_SYSCALL_BIT + 514) diff --git a/packaging/linux-headers-update-against-Linux-5.7-r.patch b/packaging/linux-headers-update-against-Linux-5.7-r.patch deleted file mode 100644 index 35b9d369c..000000000 --- a/packaging/linux-headers-update-against-Linux-5.7-r.patch +++ /dev/null @@ -1,600 +0,0 @@ -From: Cornelia Huck -Date: Mon, 27 Apr 2020 12:24:14 +0200 -Subject: linux-headers: update against Linux 5.7-rc3 - -Git-commit: dc6f8d458a4ccc360723993f31d310d06469f55f -References: bsc#1179719 - -commit 6a8b55ed4056ea5559ebe4f6a4b247f627870d4c - -Reviewed-by: Michael S. Tsirkin # virtio/vhost parts -Signed-off-by: Cornelia Huck -Message-Id: <20200427102415.10915-3-cohuck@redhat.com> -Signed-off-by: Liang Yan ---- - include/standard-headers/linux/ethtool.h | 10 +- - .../linux/input-event-codes.h | 5 +- - include/standard-headers/linux/pci_regs.h | 2 + - include/standard-headers/linux/vhost_types.h | 8 ++ - .../standard-headers/linux/virtio_balloon.h | 12 ++- - include/standard-headers/linux/virtio_ids.h | 1 + - include/standard-headers/linux/virtio_net.h | 102 +++++++++++++++++- - linux-headers/COPYING | 2 + - linux-headers/asm-x86/kvm.h | 1 + - linux-headers/asm-x86/unistd_32.h | 1 + - linux-headers/asm-x86/unistd_64.h | 1 + - linux-headers/asm-x86/unistd_x32.h | 1 + - linux-headers/linux/kvm.h | 5 + - linux-headers/linux/mman.h | 5 +- - linux-headers/linux/userfaultfd.h | 40 +++++-- - linux-headers/linux/vfio.h | 37 +++++++ - linux-headers/linux/vhost.h | 24 +++++ - 17 files changed, 240 insertions(+), 17 deletions(-) - -diff --git a/include/standard-headers/linux/ethtool.h b/include/standard-headers/linux/ethtool.h -index 8adf3b018b95f2e6e0dc0960810d..1200890c86088cb3c83368f18827 100644 ---- a/include/standard-headers/linux/ethtool.h -+++ b/include/standard-headers/linux/ethtool.h -@@ -596,6 +596,9 @@ struct ethtool_pauseparam { - * @ETH_SS_LINK_MODES: link mode names - * @ETH_SS_MSG_CLASSES: debug message class names - * @ETH_SS_WOL_MODES: wake-on-lan modes -+ * @ETH_SS_SOF_TIMESTAMPING: SOF_TIMESTAMPING_* flags -+ * @ETH_SS_TS_TX_TYPES: timestamping Tx types -+ * @ETH_SS_TS_RX_FILTERS: timestamping Rx filters - */ - enum ethtool_stringset { - ETH_SS_TEST = 0, -@@ -610,6 +613,9 @@ enum ethtool_stringset { - ETH_SS_LINK_MODES, - ETH_SS_MSG_CLASSES, - ETH_SS_WOL_MODES, -+ ETH_SS_SOF_TIMESTAMPING, -+ ETH_SS_TS_TX_TYPES, -+ ETH_SS_TS_RX_FILTERS, - - /* add new constants above here */ - ETH_SS_COUNT -@@ -1330,6 +1336,7 @@ enum ethtool_fec_config_bits { - ETHTOOL_FEC_OFF_BIT, - ETHTOOL_FEC_RS_BIT, - ETHTOOL_FEC_BASER_BIT, -+ ETHTOOL_FEC_LLRS_BIT, - }; - - #define ETHTOOL_FEC_NONE (1 << ETHTOOL_FEC_NONE_BIT) -@@ -1337,6 +1344,7 @@ enum ethtool_fec_config_bits { - #define ETHTOOL_FEC_OFF (1 << ETHTOOL_FEC_OFF_BIT) - #define ETHTOOL_FEC_RS (1 << ETHTOOL_FEC_RS_BIT) - #define ETHTOOL_FEC_BASER (1 << ETHTOOL_FEC_BASER_BIT) -+#define ETHTOOL_FEC_LLRS (1 << ETHTOOL_FEC_LLRS_BIT) - - /* CMDs currently supported */ - #define ETHTOOL_GSET 0x00000001 /* DEPRECATED, Get settings. -@@ -1521,7 +1529,7 @@ enum ethtool_link_mode_bit_indices { - ETHTOOL_LINK_MODE_400000baseLR8_ER8_FR8_Full_BIT = 71, - ETHTOOL_LINK_MODE_400000baseDR8_Full_BIT = 72, - ETHTOOL_LINK_MODE_400000baseCR8_Full_BIT = 73, -- -+ ETHTOOL_LINK_MODE_FEC_LLRS_BIT = 74, - /* must be last entry */ - __ETHTOOL_LINK_MODE_MASK_NBITS - }; -diff --git a/include/standard-headers/linux/input-event-codes.h b/include/standard-headers/linux/input-event-codes.h -index b484c252897fd1183f30249987e4..ebf72c10317b48bb9dc151f20a5b 100644 ---- a/include/standard-headers/linux/input-event-codes.h -+++ b/include/standard-headers/linux/input-event-codes.h -@@ -1,4 +1,4 @@ --/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ -+/* SPDX-License-Identifier: GPL-2.0-only WITH Linux-syscall-note */ - /* - * Input event codes - * -@@ -652,6 +652,9 @@ - /* Electronic privacy screen control */ - #define KEY_PRIVACY_SCREEN_TOGGLE 0x279 - -+/* Select an area of screen to be copied */ -+#define KEY_SELECTIVE_SCREENSHOT 0x27a -+ - /* - * Some keyboards have keys which do not have a defined meaning, these keys - * are intended to be programmed / bound to macros by the user. For most -diff --git a/include/standard-headers/linux/pci_regs.h b/include/standard-headers/linux/pci_regs.h -index 5437690483cded0999edd48eb7d7..f9701410d3b52b7cfc549c50f08a 100644 ---- a/include/standard-headers/linux/pci_regs.h -+++ b/include/standard-headers/linux/pci_regs.h -@@ -605,6 +605,7 @@ - #define PCI_EXP_SLTCTL_PWR_OFF 0x0400 /* Power Off */ - #define PCI_EXP_SLTCTL_EIC 0x0800 /* Electromechanical Interlock Control */ - #define PCI_EXP_SLTCTL_DLLSCE 0x1000 /* Data Link Layer State Changed Enable */ -+#define PCI_EXP_SLTCTL_IBPD_DISABLE 0x4000 /* In-band PD disable */ - #define PCI_EXP_SLTSTA 26 /* Slot Status */ - #define PCI_EXP_SLTSTA_ABP 0x0001 /* Attention Button Pressed */ - #define PCI_EXP_SLTSTA_PFD 0x0002 /* Power Fault Detected */ -@@ -680,6 +681,7 @@ - #define PCI_EXP_LNKSTA2 50 /* Link Status 2 */ - #define PCI_CAP_EXP_ENDPOINT_SIZEOF_V2 52 /* v2 endpoints with link end here */ - #define PCI_EXP_SLTCAP2 52 /* Slot Capabilities 2 */ -+#define PCI_EXP_SLTCAP2_IBPD 0x00000001 /* In-band PD Disable Supported */ - #define PCI_EXP_SLTCTL2 56 /* Slot Control 2 */ - #define PCI_EXP_SLTSTA2 58 /* Slot Status 2 */ - -diff --git a/include/standard-headers/linux/vhost_types.h b/include/standard-headers/linux/vhost_types.h -index 5351fe172d7e6de44a168ad9444c..a678d8fbaa92717b2a60329796f6 100644 ---- a/include/standard-headers/linux/vhost_types.h -+++ b/include/standard-headers/linux/vhost_types.h -@@ -119,6 +119,14 @@ struct vhost_scsi_target { - unsigned short reserved; - }; - -+/* VHOST_VDPA specific definitions */ -+ -+struct vhost_vdpa_config { -+ uint32_t off; -+ uint32_t len; -+ uint8_t buf[0]; -+}; -+ - /* Feature bits */ - /* Log all write descriptors. Can be changed while device is active. */ - #define VHOST_F_LOG_ALL 26 -diff --git a/include/standard-headers/linux/virtio_balloon.h b/include/standard-headers/linux/virtio_balloon.h -index 9375ca2a70deba201d3139a40e0e..f343bfefd82c3a3776472980faee 100644 ---- a/include/standard-headers/linux/virtio_balloon.h -+++ b/include/standard-headers/linux/virtio_balloon.h -@@ -36,6 +36,7 @@ - #define VIRTIO_BALLOON_F_DEFLATE_ON_OOM 2 /* Deflate balloon on OOM */ - #define VIRTIO_BALLOON_F_FREE_PAGE_HINT 3 /* VQ to report free pages */ - #define VIRTIO_BALLOON_F_PAGE_POISON 4 /* Guest is using page poisoning */ -+#define VIRTIO_BALLOON_F_REPORTING 5 /* Page reporting virtqueue */ - - /* Size of a PFN in the balloon interface. */ - #define VIRTIO_BALLOON_PFN_SHIFT 12 -@@ -47,8 +48,15 @@ struct virtio_balloon_config { - uint32_t num_pages; - /* Number of pages we've actually got in balloon. */ - uint32_t actual; -- /* Free page report command id, readonly by guest */ -- uint32_t free_page_report_cmd_id; -+ /* -+ * Free page hint command id, readonly by guest. -+ * Was previously named free_page_report_cmd_id so we -+ * need to carry that name for legacy support. -+ */ -+ union { -+ uint32_t free_page_hint_cmd_id; -+ uint32_t free_page_report_cmd_id; /* deprecated */ -+ }; - /* Stores PAGE_POISON if page poisoning is in use */ - uint32_t poison_val; - }; -diff --git a/include/standard-headers/linux/virtio_ids.h b/include/standard-headers/linux/virtio_ids.h -index 585e07b273335b8e406827eed4e5..ecc27a17401a76b8ae8a907859d1 100644 ---- a/include/standard-headers/linux/virtio_ids.h -+++ b/include/standard-headers/linux/virtio_ids.h -@@ -46,5 +46,6 @@ - #define VIRTIO_ID_IOMMU 23 /* virtio IOMMU */ - #define VIRTIO_ID_FS 26 /* virtio filesystem */ - #define VIRTIO_ID_PMEM 27 /* virtio pmem */ -+#define VIRTIO_ID_MAC80211_HWSIM 29 /* virtio mac80211-hwsim */ - - #endif /* _LINUX_VIRTIO_IDS_H */ -diff --git a/include/standard-headers/linux/virtio_net.h b/include/standard-headers/linux/virtio_net.h -index 260c3681d70d5eacca595764a8a6..a90f79e1b17a9228353eac109f55 100644 ---- a/include/standard-headers/linux/virtio_net.h -+++ b/include/standard-headers/linux/virtio_net.h -@@ -57,6 +57,9 @@ - * Steering */ - #define VIRTIO_NET_F_CTRL_MAC_ADDR 23 /* Set MAC address */ - -+#define VIRTIO_NET_F_HASH_REPORT 57 /* Supports hash report */ -+#define VIRTIO_NET_F_RSS 60 /* Supports RSS RX steering */ -+#define VIRTIO_NET_F_RSC_EXT 61 /* extended coalescing info */ - #define VIRTIO_NET_F_STANDBY 62 /* Act as standby for another device - * with the same MAC. - */ -@@ -69,6 +72,17 @@ - #define VIRTIO_NET_S_LINK_UP 1 /* Link is up */ - #define VIRTIO_NET_S_ANNOUNCE 2 /* Announcement is needed */ - -+/* supported/enabled hash types */ -+#define VIRTIO_NET_RSS_HASH_TYPE_IPv4 (1 << 0) -+#define VIRTIO_NET_RSS_HASH_TYPE_TCPv4 (1 << 1) -+#define VIRTIO_NET_RSS_HASH_TYPE_UDPv4 (1 << 2) -+#define VIRTIO_NET_RSS_HASH_TYPE_IPv6 (1 << 3) -+#define VIRTIO_NET_RSS_HASH_TYPE_TCPv6 (1 << 4) -+#define VIRTIO_NET_RSS_HASH_TYPE_UDPv6 (1 << 5) -+#define VIRTIO_NET_RSS_HASH_TYPE_IP_EX (1 << 6) -+#define VIRTIO_NET_RSS_HASH_TYPE_TCP_EX (1 << 7) -+#define VIRTIO_NET_RSS_HASH_TYPE_UDP_EX (1 << 8) -+ - struct virtio_net_config { - /* The config defining mac address (if VIRTIO_NET_F_MAC) */ - uint8_t mac[ETH_ALEN]; -@@ -92,6 +106,12 @@ struct virtio_net_config { - * Any other value stands for unknown. - */ - uint8_t duplex; -+ /* maximum size of RSS key */ -+ uint8_t rss_max_key_size; -+ /* maximum number of indirection table entries */ -+ uint16_t rss_max_indirection_table_length; -+ /* bitmask of supported VIRTIO_NET_RSS_HASH_ types */ -+ uint32_t supported_hash_types; - } QEMU_PACKED; - - /* -@@ -104,6 +124,7 @@ struct virtio_net_config { - struct virtio_net_hdr_v1 { - #define VIRTIO_NET_HDR_F_NEEDS_CSUM 1 /* Use csum_start, csum_offset */ - #define VIRTIO_NET_HDR_F_DATA_VALID 2 /* Csum is valid */ -+#define VIRTIO_NET_HDR_F_RSC_INFO 4 /* rsc info in csum_ fields */ - uint8_t flags; - #define VIRTIO_NET_HDR_GSO_NONE 0 /* Not a GSO frame */ - #define VIRTIO_NET_HDR_GSO_TCPV4 1 /* GSO frame, IPv4 TCP (TSO) */ -@@ -113,11 +134,46 @@ struct virtio_net_hdr_v1 { - uint8_t gso_type; - __virtio16 hdr_len; /* Ethernet + IP + tcp/udp hdrs */ - __virtio16 gso_size; /* Bytes to append to hdr_len per frame */ -- __virtio16 csum_start; /* Position to start checksumming from */ -- __virtio16 csum_offset; /* Offset after that to place checksum */ -+ union { -+ struct { -+ __virtio16 csum_start; -+ __virtio16 csum_offset; -+ }; -+ /* Checksum calculation */ -+ struct { -+ /* Position to start checksumming from */ -+ __virtio16 start; -+ /* Offset after that to place checksum */ -+ __virtio16 offset; -+ } csum; -+ /* Receive Segment Coalescing */ -+ struct { -+ /* Number of coalesced segments */ -+ uint16_t segments; -+ /* Number of duplicated acks */ -+ uint16_t dup_acks; -+ } rsc; -+ }; - __virtio16 num_buffers; /* Number of merged rx buffers */ - }; - -+struct virtio_net_hdr_v1_hash { -+ struct virtio_net_hdr_v1 hdr; -+ uint32_t hash_value; -+#define VIRTIO_NET_HASH_REPORT_NONE 0 -+#define VIRTIO_NET_HASH_REPORT_IPv4 1 -+#define VIRTIO_NET_HASH_REPORT_TCPv4 2 -+#define VIRTIO_NET_HASH_REPORT_UDPv4 3 -+#define VIRTIO_NET_HASH_REPORT_IPv6 4 -+#define VIRTIO_NET_HASH_REPORT_TCPv6 5 -+#define VIRTIO_NET_HASH_REPORT_UDPv6 6 -+#define VIRTIO_NET_HASH_REPORT_IPv6_EX 7 -+#define VIRTIO_NET_HASH_REPORT_TCPv6_EX 8 -+#define VIRTIO_NET_HASH_REPORT_UDPv6_EX 9 -+ uint16_t hash_report; -+ uint16_t padding; -+}; -+ - #ifndef VIRTIO_NET_NO_LEGACY - /* This header comes first in the scatter-gather list. - * For legacy virtio, if VIRTIO_F_ANY_LAYOUT is not negotiated, it must -@@ -228,7 +284,9 @@ struct virtio_net_ctrl_mac { - - /* - * Control Receive Flow Steering -- * -+ */ -+#define VIRTIO_NET_CTRL_MQ 4 -+/* - * The command VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET - * enables Receive Flow Steering, specifying the number of the transmit and - * receive queues that will be used. After the command is consumed and acked by -@@ -241,11 +299,47 @@ struct virtio_net_ctrl_mq { - __virtio16 virtqueue_pairs; - }; - --#define VIRTIO_NET_CTRL_MQ 4 - #define VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET 0 - #define VIRTIO_NET_CTRL_MQ_VQ_PAIRS_MIN 1 - #define VIRTIO_NET_CTRL_MQ_VQ_PAIRS_MAX 0x8000 - -+/* -+ * The command VIRTIO_NET_CTRL_MQ_RSS_CONFIG has the same effect as -+ * VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET does and additionally configures -+ * the receive steering to use a hash calculated for incoming packet -+ * to decide on receive virtqueue to place the packet. The command -+ * also provides parameters to calculate a hash and receive virtqueue. -+ */ -+struct virtio_net_rss_config { -+ uint32_t hash_types; -+ uint16_t indirection_table_mask; -+ uint16_t unclassified_queue; -+ uint16_t indirection_table[1/* + indirection_table_mask */]; -+ uint16_t max_tx_vq; -+ uint8_t hash_key_length; -+ uint8_t hash_key_data[/* hash_key_length */]; -+}; -+ -+ #define VIRTIO_NET_CTRL_MQ_RSS_CONFIG 1 -+ -+/* -+ * The command VIRTIO_NET_CTRL_MQ_HASH_CONFIG requests the device -+ * to include in the virtio header of the packet the value of the -+ * calculated hash and the report type of hash. It also provides -+ * parameters for hash calculation. The command requires feature -+ * VIRTIO_NET_F_HASH_REPORT to be negotiated to extend the -+ * layout of virtio header as defined in virtio_net_hdr_v1_hash. -+ */ -+struct virtio_net_hash_config { -+ uint32_t hash_types; -+ /* for compatibility with virtio_net_rss_config */ -+ uint16_t reserved[4]; -+ uint8_t hash_key_length; -+ uint8_t hash_key_data[/* hash_key_length */]; -+}; -+ -+ #define VIRTIO_NET_CTRL_MQ_HASH_CONFIG 2 -+ - /* - * Control network offloads - * -diff --git a/linux-headers/COPYING b/linux-headers/COPYING -index da4cb28febe66172a9fdf1a23552..a635a38ef9405fdfcfe97f3a4353 100644 ---- a/linux-headers/COPYING -+++ b/linux-headers/COPYING -@@ -16,3 +16,5 @@ In addition, other licenses may also apply. Please see: - Documentation/process/license-rules.rst - - for more details. -+ -+All contributions to the Linux Kernel are subject to this COPYING file. -diff --git a/linux-headers/asm-x86/kvm.h b/linux-headers/asm-x86/kvm.h -index 503d3f42da1676791d2c4f4a70bf..3f3f780c8c6500e1a1ea52bc0585 100644 ---- a/linux-headers/asm-x86/kvm.h -+++ b/linux-headers/asm-x86/kvm.h -@@ -390,6 +390,7 @@ struct kvm_sync_regs { - #define KVM_STATE_NESTED_GUEST_MODE 0x00000001 - #define KVM_STATE_NESTED_RUN_PENDING 0x00000002 - #define KVM_STATE_NESTED_EVMCS 0x00000004 -+#define KVM_STATE_NESTED_MTF_PENDING 0x00000008 - - #define KVM_STATE_NESTED_SMM_GUEST_MODE 0x00000001 - #define KVM_STATE_NESTED_SMM_VMXON 0x00000002 -diff --git a/linux-headers/asm-x86/unistd_32.h b/linux-headers/asm-x86/unistd_32.h -index f6e06fcfbdcf796df4336b83fe33..1e6c1a586776181a3caba2bbba1f 100644 ---- a/linux-headers/asm-x86/unistd_32.h -+++ b/linux-headers/asm-x86/unistd_32.h -@@ -429,4 +429,5 @@ - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - -+ - #endif /* _ASM_X86_UNISTD_32_H */ -diff --git a/linux-headers/asm-x86/unistd_64.h b/linux-headers/asm-x86/unistd_64.h -index 924f826d2d48396621ab67c66942..6daf0aecb2984b846595f8f3ea6e 100644 ---- a/linux-headers/asm-x86/unistd_64.h -+++ b/linux-headers/asm-x86/unistd_64.h -@@ -351,4 +351,5 @@ - #define __NR_openat2 437 - #define __NR_pidfd_getfd 438 - -+ - #endif /* _ASM_X86_UNISTD_64_H */ -diff --git a/linux-headers/asm-x86/unistd_x32.h b/linux-headers/asm-x86/unistd_x32.h -index 010307757b1bb935299af66e88a3..e3f17ef370fcfd16d26ea2709d16 100644 ---- a/linux-headers/asm-x86/unistd_x32.h -+++ b/linux-headers/asm-x86/unistd_x32.h -@@ -340,4 +340,5 @@ - #define __NR_preadv2 (__X32_SYSCALL_BIT + 546) - #define __NR_pwritev2 (__X32_SYSCALL_BIT + 547) - -+ - #endif /* _ASM_X86_UNISTD_X32_H */ -diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h -index 9d647fad7648ede158cd9605270e..a56559baa0bbe2823d1d96d652dc 100644 ---- a/linux-headers/linux/kvm.h -+++ b/linux-headers/linux/kvm.h -@@ -1009,6 +1009,8 @@ struct kvm_ppc_resize_hpt { - #define KVM_CAP_PPC_GUEST_DEBUG_SSTEP 176 - #define KVM_CAP_ARM_NISV_TO_USER 177 - #define KVM_CAP_ARM_INJECT_EXT_DABT 178 -+#define KVM_CAP_S390_PROTECTED 180 -+#define KVM_CAP_PPC_SECURE_GUEST 181 - - #ifdef KVM_CAP_IRQ_ROUTING - -@@ -1623,4 +1625,7 @@ struct kvm_hyperv_eventfd { - #define KVM_HYPERV_CONN_ID_MASK 0x00ffffff - #define KVM_HYPERV_EVENTFD_DEASSIGN (1 << 0) - -+#define KVM_DIRTY_LOG_MANUAL_PROTECT_ENABLE (1 << 0) -+#define KVM_DIRTY_LOG_INITIALLY_SET (1 << 1) -+ - #endif /* __LINUX_KVM_H */ -diff --git a/linux-headers/linux/mman.h b/linux-headers/linux/mman.h -index 1f6e2cd89ccb97b7a790133f9a82..51ea363759f021d964e23440cd82 100644 ---- a/linux-headers/linux/mman.h -+++ b/linux-headers/linux/mman.h -@@ -5,8 +5,9 @@ - #include - #include - --#define MREMAP_MAYMOVE 1 --#define MREMAP_FIXED 2 -+#define MREMAP_MAYMOVE 1 -+#define MREMAP_FIXED 2 -+#define MREMAP_DONTUNMAP 4 - - #define OVERCOMMIT_GUESS 0 - #define OVERCOMMIT_ALWAYS 1 -diff --git a/linux-headers/linux/userfaultfd.h b/linux-headers/linux/userfaultfd.h -index ce78878d127e62968cd3139e5fd8..8d3996eb8285583ba11952bc85e5 100644 ---- a/linux-headers/linux/userfaultfd.h -+++ b/linux-headers/linux/userfaultfd.h -@@ -19,7 +19,8 @@ - * means the userland is reading). - */ - #define UFFD_API ((__u64)0xAA) --#define UFFD_API_FEATURES (UFFD_FEATURE_EVENT_FORK | \ -+#define UFFD_API_FEATURES (UFFD_FEATURE_PAGEFAULT_FLAG_WP | \ -+ UFFD_FEATURE_EVENT_FORK | \ - UFFD_FEATURE_EVENT_REMAP | \ - UFFD_FEATURE_EVENT_REMOVE | \ - UFFD_FEATURE_EVENT_UNMAP | \ -@@ -34,7 +35,8 @@ - #define UFFD_API_RANGE_IOCTLS \ - ((__u64)1 << _UFFDIO_WAKE | \ - (__u64)1 << _UFFDIO_COPY | \ -- (__u64)1 << _UFFDIO_ZEROPAGE) -+ (__u64)1 << _UFFDIO_ZEROPAGE | \ -+ (__u64)1 << _UFFDIO_WRITEPROTECT) - #define UFFD_API_RANGE_IOCTLS_BASIC \ - ((__u64)1 << _UFFDIO_WAKE | \ - (__u64)1 << _UFFDIO_COPY) -@@ -52,6 +54,7 @@ - #define _UFFDIO_WAKE (0x02) - #define _UFFDIO_COPY (0x03) - #define _UFFDIO_ZEROPAGE (0x04) -+#define _UFFDIO_WRITEPROTECT (0x06) - #define _UFFDIO_API (0x3F) - - /* userfaultfd ioctl ids */ -@@ -68,6 +71,8 @@ - struct uffdio_copy) - #define UFFDIO_ZEROPAGE _IOWR(UFFDIO, _UFFDIO_ZEROPAGE, \ - struct uffdio_zeropage) -+#define UFFDIO_WRITEPROTECT _IOWR(UFFDIO, _UFFDIO_WRITEPROTECT, \ -+ struct uffdio_writeprotect) - - /* read() structure */ - struct uffd_msg { -@@ -203,13 +208,14 @@ struct uffdio_copy { - __u64 dst; - __u64 src; - __u64 len; -+#define UFFDIO_COPY_MODE_DONTWAKE ((__u64)1<<0) - /* -- * There will be a wrprotection flag later that allows to map -- * pages wrprotected on the fly. And such a flag will be -- * available if the wrprotection ioctl are implemented for the -- * range according to the uffdio_register.ioctls. -+ * UFFDIO_COPY_MODE_WP will map the page write protected on -+ * the fly. UFFDIO_COPY_MODE_WP is available only if the -+ * write protected ioctl is implemented for the range -+ * according to the uffdio_register.ioctls. - */ --#define UFFDIO_COPY_MODE_DONTWAKE ((__u64)1<<0) -+#define UFFDIO_COPY_MODE_WP ((__u64)1<<1) - __u64 mode; - - /* -@@ -231,4 +237,24 @@ struct uffdio_zeropage { - __s64 zeropage; - }; - -+struct uffdio_writeprotect { -+ struct uffdio_range range; -+/* -+ * UFFDIO_WRITEPROTECT_MODE_WP: set the flag to write protect a range, -+ * unset the flag to undo protection of a range which was previously -+ * write protected. -+ * -+ * UFFDIO_WRITEPROTECT_MODE_DONTWAKE: set the flag to avoid waking up -+ * any wait thread after the operation succeeds. -+ * -+ * NOTE: Write protecting a region (WP=1) is unrelated to page faults, -+ * therefore DONTWAKE flag is meaningless with WP=1. Removing write -+ * protection (WP=0) in response to a page fault wakes the faulting -+ * task unless DONTWAKE is set. -+ */ -+#define UFFDIO_WRITEPROTECT_MODE_WP ((__u64)1<<0) -+#define UFFDIO_WRITEPROTECT_MODE_DONTWAKE ((__u64)1<<1) -+ __u64 mode; -+}; -+ - #endif /* _LINUX_USERFAULTFD_H */ -diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h -index fb10370d2928e0a26934bd02bc64..a41c45286511f083878c06b60d71 100644 ---- a/linux-headers/linux/vfio.h -+++ b/linux-headers/linux/vfio.h -@@ -707,6 +707,43 @@ struct vfio_device_ioeventfd { - - #define VFIO_DEVICE_IOEVENTFD _IO(VFIO_TYPE, VFIO_BASE + 16) - -+/** -+ * VFIO_DEVICE_FEATURE - _IORW(VFIO_TYPE, VFIO_BASE + 17, -+ * struct vfio_device_feature) -+ * -+ * Get, set, or probe feature data of the device. The feature is selected -+ * using the FEATURE_MASK portion of the flags field. Support for a feature -+ * can be probed by setting both the FEATURE_MASK and PROBE bits. A probe -+ * may optionally include the GET and/or SET bits to determine read vs write -+ * access of the feature respectively. Probing a feature will return success -+ * if the feature is supported and all of the optionally indicated GET/SET -+ * methods are supported. The format of the data portion of the structure is -+ * specific to the given feature. The data portion is not required for -+ * probing. GET and SET are mutually exclusive, except for use with PROBE. -+ * -+ * Return 0 on success, -errno on failure. -+ */ -+struct vfio_device_feature { -+ __u32 argsz; -+ __u32 flags; -+#define VFIO_DEVICE_FEATURE_MASK (0xffff) /* 16-bit feature index */ -+#define VFIO_DEVICE_FEATURE_GET (1 << 16) /* Get feature into data[] */ -+#define VFIO_DEVICE_FEATURE_SET (1 << 17) /* Set feature from data[] */ -+#define VFIO_DEVICE_FEATURE_PROBE (1 << 18) /* Probe feature support */ -+ __u8 data[]; -+}; -+ -+#define VFIO_DEVICE_FEATURE _IO(VFIO_TYPE, VFIO_BASE + 17) -+ -+/* -+ * Provide support for setting a PCI VF Token, which is used as a shared -+ * secret between PF and VF drivers. This feature may only be set on a -+ * PCI SR-IOV PF when SR-IOV is enabled on the PF and there are no existing -+ * open VFs. Data provided when setting this feature is a 16-byte array -+ * (__u8 b[16]), representing a UUID. -+ */ -+#define VFIO_DEVICE_FEATURE_PCI_VF_TOKEN (0) -+ - /* -------- API for Type1 VFIO IOMMU -------- */ - - /** -diff --git a/linux-headers/linux/vhost.h b/linux-headers/linux/vhost.h -index 40d028eed645954cbc3e4699aa2c..9fe72e4b1373165d7a7aeff61410 100644 ---- a/linux-headers/linux/vhost.h -+++ b/linux-headers/linux/vhost.h -@@ -116,4 +116,28 @@ - #define VHOST_VSOCK_SET_GUEST_CID _IOW(VHOST_VIRTIO, 0x60, __u64) - #define VHOST_VSOCK_SET_RUNNING _IOW(VHOST_VIRTIO, 0x61, int) - -+/* VHOST_VDPA specific defines */ -+ -+/* Get the device id. The device ids follow the same definition of -+ * the device id defined in virtio-spec. -+ */ -+#define VHOST_VDPA_GET_DEVICE_ID _IOR(VHOST_VIRTIO, 0x70, __u32) -+/* Get and set the status. The status bits follow the same definition -+ * of the device status defined in virtio-spec. -+ */ -+#define VHOST_VDPA_GET_STATUS _IOR(VHOST_VIRTIO, 0x71, __u8) -+#define VHOST_VDPA_SET_STATUS _IOW(VHOST_VIRTIO, 0x72, __u8) -+/* Get and set the device config. The device config follows the same -+ * definition of the device config defined in virtio-spec. -+ */ -+#define VHOST_VDPA_GET_CONFIG _IOR(VHOST_VIRTIO, 0x73, \ -+ struct vhost_vdpa_config) -+#define VHOST_VDPA_SET_CONFIG _IOW(VHOST_VIRTIO, 0x74, \ -+ struct vhost_vdpa_config) -+/* Enable/disable the ring. */ -+#define VHOST_VDPA_SET_VRING_ENABLE _IOW(VHOST_VIRTIO, 0x75, \ -+ struct vhost_vring_state) -+/* Get the max ring size. */ -+#define VHOST_VDPA_GET_VRING_NUM _IOR(VHOST_VIRTIO, 0x76, __u16) -+ - #endif diff --git a/packaging/linux-user-Fake-proc-cpuinfo.patch b/packaging/linux-user-Fake-proc-cpuinfo.patch deleted file mode 100644 index ea1390f2f..000000000 --- a/packaging/linux-user-Fake-proc-cpuinfo.patch +++ /dev/null @@ -1,64 +0,0 @@ -From: Alexander Graf -Date: Mon, 23 Jul 2012 10:24:14 +0200 -Subject: linux-user: Fake /proc/cpuinfo -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fedora 17 for ARM reads /proc/cpuinfo and fails if it doesn't contain -ARM related contents. This patch implements a quick hack to expose real -/proc/cpuinfo data taken from a real world machine. - -The real fix would be to generate at least the flags automatically based -on the selected CPU. Please do not submit this patch upstream until this -has happened. - -Signed-off-by: Alexander Graf -[AF: Rebased for v1.6 and v1.7] -Signed-off-by: Andreas Färber ---- - linux-user/syscall.c | 24 ++++++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 57be4c98555e50f2263811cd11f4..243ec2a1e3bde8e6b3ac48989554 100644 ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -7068,6 +7068,27 @@ static int open_self_stat(void *cpu_env, int fd) - return 0; - } - -+#if defined(TARGET_ARM) -+static int open_cpuinfo(void *cpu_env, int fd) -+{ -+ dprintf(fd, -+"Processor : ARMv7 Processor rev 5 (v7l)\n" -+"BogoMIPS : 799.53\n" -+"Features : swp half thumb fastmult vfp edsp thumbee neon vfpv3\n" -+"CPU implementer : 0x41\n" -+"CPU architecture: 7\n" -+"CPU variant : 0x2\n" -+"CPU part : 0xc08\n" -+"CPU revision : 5\n" -+"\n" -+"Hardware : Genesi Efika MX (Smarttop)\n" -+"Revision : 51030\n" -+"Serial : 0000000000000000\n"); -+ -+ return 0; -+} -+#endif -+ - static int open_self_auxv(void *cpu_env, int fd) - { - CPUState *cpu = env_cpu((CPUArchState *)cpu_env); -@@ -7210,6 +7231,9 @@ static int do_openat(void *cpu_env, int dirfd, const char *pathname, int flags, - #if defined(TARGET_SPARC) - { "/proc/cpuinfo", open_cpuinfo, is_proc }, - #endif -+#if defined(TARGET_ARM) -+ { "cpuinfo", open_cpuinfo, is_proc_myself }, -+#endif - #if defined(TARGET_M68K) - { "/proc/hardware", open_hardware, is_proc }, - #endif diff --git a/packaging/linux-user-add-binfmt-wrapper-for-argv-0.patch b/packaging/linux-user-add-binfmt-wrapper-for-argv-0.patch deleted file mode 100644 index daf821a15..000000000 --- a/packaging/linux-user-add-binfmt-wrapper-for-argv-0.patch +++ /dev/null @@ -1,140 +0,0 @@ -From: Alexander Graf -Date: Fri, 30 Sep 2011 19:40:36 +0200 -Subject: linux-user: add binfmt wrapper for argv[0] handling -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When using qemu's linux-user binaries through binfmt, argv[0] gets lost -along the execution because qemu only gets passed in the full file name -to the executable while argv[0] can be something completely different. - -This breaks in some subtile situations, such as the grep and make test -suites. - -This patch adds a wrapper binary called qemu-$TARGET-binfmt that can be -used with binfmt's P flag which passes the full path _and_ argv[0] to -the binfmt handler. - -The binary would be smart enough to be versatile and only exist in the -system once, creating the qemu binary path names from its own argv[0]. -However, this seemed like it didn't fit the make system too well, so -we're currently creating a new binary for each target archictecture. - -CC: Reinhard Max -Signed-off-by: Alexander Graf -[AF: Rebased onto new Makefile infrastructure, twice] -[AF: Updated for aarch64 for v2.0.0-rc1] -[AF: Rebased onto Makefile changes for v2.1.0-rc0] -[AF: Rebased onto script rewrite for v2.7.0-rc2 - to be fixed] -Signed-off-by: Andreas Färber ---- - Makefile.target | 13 +++++++++++++ - linux-user/Makefile.objs | 2 ++ - linux-user/binfmt.c | 42 ++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 57 insertions(+) - -diff --git a/Makefile.target b/Makefile.target -index 24d79d26ebd00034bd97309fe5a7..1e9600834a25544063c313eba92a 100644 ---- a/Makefile.target -+++ b/Makefile.target -@@ -39,6 +39,10 @@ endif - PROGS=$(QEMU_PROG) $(QEMU_PROGW) - STPFILES= - -+ifdef CONFIG_LINUX_USER -+PROGS+=$(QEMU_PROG)-binfmt -+endif -+ - config-target.h: config-target.h-timestamp - config-target.h-timestamp: config-target.mak - -@@ -133,6 +137,8 @@ QEMU_CFLAGS+=-I$(SRC_PATH)/linux-user/$(TARGET_ABI_DIR) \ - obj-y += linux-user/ - obj-y += gdbstub.o thunk.o - -+obj-binfmt-y += linux-user/ -+ - endif #CONFIG_LINUX_USER - - ######################################################### -@@ -174,7 +180,11 @@ generated-files-y += config-devices.h - - endif # CONFIG_SOFTMMU - -+ifdef CONFIG_LINUX_USER -+dummy := $(call unnest-vars,,obj-y obj-binfmt-y) -+else - dummy := $(call unnest-vars,,obj-y) -+endif - all-obj-y := $(obj-y) - - include $(SRC_PATH)/Makefile.objs -@@ -211,6 +221,9 @@ ifdef CONFIG_DARWIN - $(call quiet-command,SetFile -a C $@,"SETFILE","$(TARGET_DIR)$@") - endif - -+$(QEMU_PROG)-binfmt: $(obj-binfmt-y) -+ $(call LINK,$^) -+ - gdbstub-xml.c: $(TARGET_XML_FILES) $(SRC_PATH)/scripts/feature_to_c.sh - $(call quiet-command,rm -f $@ && $(SHELL) $(SRC_PATH)/scripts/feature_to_c.sh $@ $(TARGET_XML_FILES),"GEN","$(TARGET_DIR)$@") - -diff --git a/linux-user/Makefile.objs b/linux-user/Makefile.objs -index d2f33beb5e52efce6adc7fb85b7f..ffc6b095e253d4c448000a974d4d 100644 ---- a/linux-user/Makefile.objs -+++ b/linux-user/Makefile.objs -@@ -8,3 +8,5 @@ obj-$(TARGET_I386) += vm86.o - obj-$(TARGET_ARM) += arm/nwfpe/ - obj-$(TARGET_ARM) += arm/semihost.o - obj-$(TARGET_AARCH64) += arm/semihost.o -+ -+obj-binfmt-y = binfmt.o -diff --git a/linux-user/binfmt.c b/linux-user/binfmt.c -new file mode 100644 -index 0000000000000000000000000000000000000000..cd1f513b334f3b263d9e4b5adb1981e376429fa6 ---- /dev/null -+++ b/linux-user/binfmt.c -@@ -0,0 +1,42 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+ -+int main(int argc, char **argv, char **envp) -+{ -+ char *binfmt; -+ char **new_argv; -+ -+ /* -+ * Check if our file name ends with -binfmt -+ */ -+ binfmt = argv[0] + strlen(argv[0]) - strlen("-binfmt"); -+ if (strcmp(binfmt, "-binfmt")) { -+ fprintf(stderr, "%s: Invalid executable name\n", argv[0]); -+ exit(1); -+ } -+ if (argc < 3) { -+ fprintf(stderr, "%s: Please use me through binfmt with P flag\n", -+ argv[0]); -+ exit(1); -+ } -+ -+ binfmt[0] = '\0'; -+ /* Now argv[0] is the real qemu binary name */ -+ -+ new_argv = (char **)malloc((argc + 2) * sizeof(*new_argv)); -+ if (argc > 3) { -+ memcpy(&new_argv[4], &argv[3], (argc - 3) * sizeof(*new_argv)); -+ } -+ new_argv[0] = argv[0]; -+ new_argv[1] = (char *)"-0"; -+ new_argv[2] = argv[2]; -+ new_argv[3] = argv[1]; -+ new_argv[argc + 1] = NULL; -+ -+ return execve(new_argv[0], new_argv, envp); -+} diff --git a/packaging/linux-user-binfmt-support-host-binaries.patch b/packaging/linux-user-binfmt-support-host-binaries.patch deleted file mode 100644 index ca08bed94..000000000 --- a/packaging/linux-user-binfmt-support-host-binaries.patch +++ /dev/null @@ -1,56 +0,0 @@ -From: Alexander Graf -Date: Thu, 2 Feb 2012 18:02:33 +0100 -Subject: linux-user: binfmt: support host binaries - -When we have a working host binary equivalent for the guest binary we're -trying to run, let's just use that instead as it will be a lot faster. - -Signed-off-by: Alexander Graf ---- - linux-user/binfmt.c | 26 ++++++++++++++++++++++++++ - 1 file changed, 26 insertions(+) - -diff --git a/linux-user/binfmt.c b/linux-user/binfmt.c -index cd1f513b334f3b263d9e4b5adb19..458f136fb41727702854cae4e542 100644 ---- a/linux-user/binfmt.c -+++ b/linux-user/binfmt.c -@@ -5,6 +5,9 @@ - #include - #include - -+#ifdef __x86_64__ -+#define ARCH_NAME "x86_64" -+#endif - - int main(int argc, char **argv, char **envp) - { -@@ -28,6 +31,29 @@ int main(int argc, char **argv, char **envp) - binfmt[0] = '\0'; - /* Now argv[0] is the real qemu binary name */ - -+#ifdef ARCH_NAME -+ { -+ char *hostbin; -+ char *guestarch; -+ int r; -+ -+ guestarch = strrchr(argv[0], '-') ; -+ if (!guestarch) { -+ goto skip; -+ } -+ guestarch++; -+ r = asprintf(&hostbin, "/emul/" ARCH_NAME "-for-%s/%s", guestarch, argv[1]); -+ if ((r > 0) && !access(hostbin, X_OK)) { -+ /* -+ * We found a host binary replacement for the non-host binary. Let's -+ * use that instead! -+ */ -+ return execve(hostbin, &argv[2], envp); -+ } -+ } -+skip: -+#endif -+ - new_argv = (char **)malloc((argc + 2) * sizeof(*new_argv)); - if (argc > 3) { - memcpy(&new_argv[4], &argv[3], (argc - 3) * sizeof(*new_argv)); diff --git a/packaging/linux-user-lseek-explicitly-cast-non-set.patch b/packaging/linux-user-lseek-explicitly-cast-non-set.patch deleted file mode 100644 index 115fe7095..000000000 --- a/packaging/linux-user-lseek-explicitly-cast-non-set.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Alexander Graf -Date: Thu, 13 Dec 2012 14:29:22 +0100 -Subject: linux-user: lseek: explicitly cast non-set offsets to signed - -When doing lseek, SEEK_SET indicates that the offset is an unsigned variable. -Other seek types have parameters that can be negative. - -When converting from 32bit to 64bit parameters, we need to take this into -account and enable SEEK_END and SEEK_CUR to be negative, while SEEK_SET stays -absolute positioned which we need to maintain as unsigned. - -Signed-off-by: Alexander Graf ---- - linux-user/syscall.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 61d976cca146a6deb2d74c95ec59..926a7dd587b39d0615cbbb077ef2 100644 ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -7729,8 +7729,13 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_ulong arg1, - return ret; - #endif - #ifdef TARGET_NR_lseek -- case TARGET_NR_lseek: -- return get_errno(lseek(arg1, arg2, arg3)); -+ case TARGET_NR_lseek: { -+ off_t off = arg2; -+ if (arg3 != SEEK_SET) { -+ off = (abi_long)arg2; -+ } -+ return get_errno(lseek(arg1, off, arg3)); -+ } - #endif - #if defined(TARGET_NR_getxpid) && defined(TARGET_ALPHA) - /* Alpha specific */ diff --git a/packaging/linux-user-properly-test-for-infinite-ti.patch b/packaging/linux-user-properly-test-for-infinite-ti.patch deleted file mode 100644 index c1fc8a316..000000000 --- a/packaging/linux-user-properly-test-for-infinite-ti.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Andreas Schwab -Date: Thu, 8 Sep 2016 11:21:05 +0200 -Subject: linux-user: properly test for infinite timeout in poll (#8) - -After "linux-user: use target_ulong" the poll syscall was no longer -handling infinite timeout. - -/home/abuild/rpmbuild/BUILD/qemu-2.7.0-rc5/linux-user/syscall.c:9773:26: warning: comparison of unsigned expression >= 0 is always true [-Wtype-limits] - if (arg3 >= 0) { - ^~ - -Signed-off-by: Andreas Schwab ---- - linux-user/syscall.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 926a7dd587b39d0615cbbb077ef2..9330a1ec6a15f16e4f7fd0f825c2 100644 ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -9758,7 +9758,7 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_ulong arg1, - { - struct timespec ts, *pts; - -- if (arg3 >= 0) { -+ if ((abi_long)arg3 >= 0) { - /* Convert ms to secs, ns */ - ts.tv_sec = arg3 / 1000; - ts.tv_nsec = (arg3 % 1000) * 1000000LL; diff --git a/packaging/linux-user-use-target_ulong.patch b/packaging/linux-user-use-target_ulong.patch deleted file mode 100644 index f33d00b06..000000000 --- a/packaging/linux-user-use-target_ulong.patch +++ /dev/null @@ -1,79 +0,0 @@ -From: Alexander Graf -Date: Tue, 9 Oct 2012 09:06:49 +0200 -Subject: linux-user: use target_ulong - -Linux syscalls pass pointers or data length or other information of that sort -to the kernel. This is all stuff you don't want to have sign extended. -Otherwise a host 64bit variable parameter with a size parameter will extend -it to a negative number, breaking lseek for example. - -Pass syscall arguments as ulong always. - -Signed-off-by: Alexander Graf ---- - linux-user/qemu.h | 8 ++++---- - linux-user/syscall.c | 18 +++++++++--------- - 2 files changed, 13 insertions(+), 13 deletions(-) - -diff --git a/linux-user/qemu.h b/linux-user/qemu.h -index f6f5fe5fbb553c151cb57146350c..b45b68221434e29636bb34c9f0b0 100644 ---- a/linux-user/qemu.h -+++ b/linux-user/qemu.h -@@ -206,10 +206,10 @@ abi_long memcpy_to_target(abi_ulong dest, const void *src, - void target_set_brk(abi_ulong new_brk); - abi_long do_brk(abi_ulong new_brk); - void syscall_init(void); --abi_long do_syscall(void *cpu_env, int num, abi_long arg1, -- abi_long arg2, abi_long arg3, abi_long arg4, -- abi_long arg5, abi_long arg6, abi_long arg7, -- abi_long arg8); -+abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1, -+ abi_ulong arg2, abi_ulong arg3, abi_ulong arg4, -+ abi_ulong arg5, abi_ulong arg6, abi_ulong arg7, -+ abi_ulong arg8); - void gemu_log(const char *fmt, ...) GCC_FMT_ATTR(1, 2); - extern __thread CPUState *thread_cpu; - void cpu_loop(CPUArchState *env); -diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 243ec2a1e3bde8e6b3ac48989554..61d976cca146a6deb2d74c95ec59 100644 ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -7374,10 +7374,10 @@ static int host_to_target_cpu_mask(const unsigned long *host_mask, - * of syscall results, can be performed. - * All errnos that do_syscall() returns must be -TARGET_. - */ --static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1, -- abi_long arg2, abi_long arg3, abi_long arg4, -- abi_long arg5, abi_long arg6, abi_long arg7, -- abi_long arg8) -+static abi_long do_syscall1(void *cpu_env, int num, abi_ulong arg1, -+ abi_ulong arg2, abi_ulong arg3, abi_ulong arg4, -+ abi_ulong arg5, abi_ulong arg6, abi_ulong arg7, -+ abi_ulong arg8) - { - CPUState *cpu = env_cpu(cpu_env); - abi_long ret; -@@ -10125,7 +10125,7 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1, - */ - ret = -TARGET_EINVAL; - if (cpu_isar_feature(aa64_sve, env_archcpu(cpu_env)) -- && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) { -+ && arg2 <= 512 * 16 && !(arg2 & 15)) { - CPUARMState *env = cpu_env; - ARMCPU *cpu = env_archcpu(env); - uint32_t vq, old_vq; -@@ -12116,10 +12116,10 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1, - return ret; - } - --abi_long do_syscall(void *cpu_env, int num, abi_long arg1, -- abi_long arg2, abi_long arg3, abi_long arg4, -- abi_long arg5, abi_long arg6, abi_long arg7, -- abi_long arg8) -+abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1, -+ abi_ulong arg2, abi_ulong arg3, abi_ulong arg4, -+ abi_ulong arg5, abi_ulong arg6, abi_ulong arg7, -+ abi_ulong arg8) - { - CPUState *cpu = env_cpu(cpu_env); - abi_long ret; diff --git a/packaging/megasas-use-unsigned-type-for-reply_queu.patch b/packaging/megasas-use-unsigned-type-for-reply_queu.patch deleted file mode 100644 index b92dd7cc3..000000000 --- a/packaging/megasas-use-unsigned-type-for-reply_queu.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: Prasad J Pandit -Date: Thu, 14 May 2020 00:55:38 +0530 -Subject: megasas: use unsigned type for reply_queue_head and check index - -Git-commit: f50ab86a2620bd7e8507af865b164655ee921661 -References: bsc#1172383, CVE-2020-13362 - -A guest user may set 'reply_queue_head' field of MegasasState to -a negative value. Later in 'megasas_lookup_frame' it is used to -index into s->frames[] array. Use unsigned type to avoid OOB -access issue. - -Also check that 'index' value stays within s->frames[] bounds -through the while() loop in 'megasas_lookup_frame' to avoid OOB -access. - -Reported-by: Ren Ding -Reported-by: Hanqing Zhao -Reported-by: Alexander Bulekov -Signed-off-by: Prasad J Pandit -Acked-by: Alexander Bulekov -Message-Id: <20200513192540.1583887-2-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Bruce Rogers ---- - hw/scsi/megasas.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index de9bd2088707ab89a5023e89e9aa..1bdd25e55684c7b6026381a97f3e 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -112,7 +112,7 @@ typedef struct MegasasState { - uint64_t reply_queue_pa; - void *reply_queue; - int reply_queue_len; -- int reply_queue_head; -+ uint16_t reply_queue_head; - int reply_queue_tail; - uint64_t consumer_pa; - uint64_t producer_pa; -@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s, - - index = s->reply_queue_head; - -- while (num < s->fw_cmds) { -+ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) { - if (s->frames[index].pa && s->frames[index].pa == frame) { - cmd = &s->frames[index]; - break; diff --git a/packaging/memory-clamp-cached-translation-in-case-.patch b/packaging/memory-clamp-cached-translation-in-case-.patch deleted file mode 100644 index cf8798f01..000000000 --- a/packaging/memory-clamp-cached-translation-in-case-.patch +++ /dev/null @@ -1,67 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 1 Dec 2020 09:29:56 -0500 -Subject: memory: clamp cached translation in case it points to an MMIO region - -Git-commit: 4bfb024bc76973d40a359476dc0291f46e435442 -References: bsc#1179686, CVE-2020-27821 - -In using the address_space_translate_internal API, address_space_cache_init -forgot one piece of advice that can be found in the code for -address_space_translate_internal: - - /* MMIO registers can be expected to perform full-width accesses based only - * on their address, without considering adjacent registers that could - * decode to completely different MemoryRegions. When such registers - * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO - * regions overlap wildly. For this reason we cannot clamp the accesses - * here. - * - * If the length is small (as is the case for address_space_ldl/stl), - * everything works fine. If the incoming length is large, however, - * the caller really has to do the clamping through memory_access_size. - */ - -address_space_cache_init is exactly one such case where "the incoming length -is large", therefore we need to clamp the resulting length---not to -memory_access_size though, since we are not doing an access yet, but to -the size of the resulting section. This ensures that subsequent accesses -to the cached MemoryRegionSection will be in range. - -With this patch, the enclosed testcase notices that the used ring does -not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used" -error. - -Signed-off-by: Paolo Bonzini -Signed-off-by: Bruce Rogers ---- - exec.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/exec.c b/exec.c -index 43c70ffbfd37bbd20d9481d1f90b..a240e3d338a32fb46b1dfe66d4af 100644 ---- a/exec.c -+++ b/exec.c -@@ -3621,6 +3621,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache, - AddressSpaceDispatch *d; - hwaddr l; - MemoryRegion *mr; -+ Int128 diff; - - assert(len > 0); - -@@ -3629,6 +3630,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache, - d = flatview_to_dispatch(cache->fv); - cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true); - -+ /* -+ * cache->xlat is now relative to cache->mrs.mr, not to the section itself. -+ * Take that into account to compute how many bytes are there between -+ * cache->xlat and the end of the section. -+ */ -+ diff = int128_sub(cache->mrs.size, -+ int128_make64(cache->xlat - cache->mrs.offset_within_region)); -+ l = int128_get64(int128_min(diff, int128_make64(l))); -+ - mr = cache->mrs.mr; - memory_region_ref(mr); - if (memory_access_is_direct(mr, is_write)) { diff --git a/packaging/migration-migration.c-Fix-hang-in-ram_sa.patch b/packaging/migration-migration.c-Fix-hang-in-ram_sa.patch deleted file mode 100644 index 87fff2556..000000000 --- a/packaging/migration-migration.c-Fix-hang-in-ram_sa.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Lukas Straub -Date: Wed, 20 May 2020 22:42:32 +0200 -Subject: migration/migration.c: Fix hang in ram_save_host_page - -Git-commit: 773861274ad75a62c7ecf70ecc8e4ba31ed62190 -References: bsc#1185591 - -migration_rate_limit will erroneously ratelimit a shutdown socket, -which causes the migration thread to hang in ram_save_host_page -if the socket is shutdown. - -Fix this by explicitly testing if the socket has errors or was -shutdown in migration_rate_limit. - -Signed-off-by: Lukas Straub -Message-Id: -Reviewed-by: Dr. David Alan Gilbert -Signed-off-by: Dr. David Alan Gilbert -(cherry picked from commit 773861274ad75a62c7ecf70ecc8e4ba31ed62190) -Signed-off-by: Lin Ma ---- - migration/migration.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/migration/migration.c b/migration/migration.c -index 27500d09a94a8615c935245e23ed..eecb9b54f90b155d20f007290b44 100644 ---- a/migration/migration.c -+++ b/migration/migration.c -@@ -3233,6 +3233,10 @@ bool migration_rate_limit(void) - bool urgent = false; - migration_update_counters(s, now); - if (qemu_file_rate_limit(s->to_dst_file)) { -+ -+ if (qemu_file_get_error(s->to_dst_file)) { -+ return false; -+ } - /* - * Wait for a delay to do rate limiting OR - * something urgent to post the semaphore. diff --git a/packaging/net-eepro100-validate-various-address-va.patch b/packaging/net-eepro100-validate-various-address-va.patch deleted file mode 100644 index 505923d97..000000000 --- a/packaging/net-eepro100-validate-various-address-va.patch +++ /dev/null @@ -1,59 +0,0 @@ -From: Jose R Ziviani -Date: Thu, 29 Jul 2021 15:56:08 -0600 -Subject: net: eepro100: validate various address values - -Git-commit: 000000000000000000000000000000000000000000000 -References: bsc#1182651, CVE-2021-20255 - -Patch based on discussion: -https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html - -While processing controller commands, eepro100 emulator gets -command unit(CU) base address OR receive unit (RU) base address -OR command block (CB) address from guest. If these values are not -checked, it may lead to an infinite loop kind of issues. Add checks -to avoid it. - -Reported-by: Ruhr-University Bochum -Signed-off-by: Prasad J Pandit -Acked-By: Jose R Ziviani ---- - hw/net/eepro100.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c -index cc2dd8b1c997e864d2ec6bf74051..de235e863731e3abb6956fd02739 100644 ---- a/hw/net/eepro100.c -+++ b/hw/net/eepro100.c -@@ -279,6 +279,9 @@ typedef struct { - /* Quasi static device properties (no need to save them). */ - uint16_t stats_size; - bool has_extended_tcb_support; -+ -+ /* Flag to avoid recursions. */ -+ bool busy; - } EEPRO100State; - - /* Word indices in EEPROM. */ -@@ -837,6 +840,13 @@ static void action_command(EEPRO100State *s) - Therefore we limit the number of iterations. */ - unsigned max_loop_count = 16; - -+ if (s->busy) { -+ /* Prevent recursions. */ -+ logout("recursion in %s:%u\n", __FILE__, __LINE__); -+ return; -+ } -+ s->busy = true; -+ - for (;;) { - bool bit_el; - bool bit_s; -@@ -933,6 +943,7 @@ static void action_command(EEPRO100State *s) - } - TRACE(OTHER, logout("CU list empty\n")); - /* List is empty. Now CU is idle or suspended. */ -+ s->busy = false; - } - - static void eepro100_cu_command(EEPRO100State * s, uint8_t val) diff --git a/packaging/net-introduce-qemu_receive_packet.patch b/packaging/net-introduce-qemu_receive_packet.patch deleted file mode 100644 index 29a375720..000000000 --- a/packaging/net-introduce-qemu_receive_packet.patch +++ /dev/null @@ -1,171 +0,0 @@ -From: Jason Wang -Date: Wed, 24 Feb 2021 11:44:36 +0800 -Subject: net: introduce qemu_receive_packet() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 705df5466c98f3efdd2b68d3b31dad86858acad7 -References: bsc#1182968, CVE-2021-3416 -Some NIC supports loopback mode and this is done by calling -nc->info->receive() directly which in fact suppresses the effort of -reentrancy check that is done in qemu_net_queue_send(). - -Unfortunately we can't use qemu_net_queue_send() here since for -loopback there's no sender as peer, so this patch introduce a -qemu_receive_packet() which is used for implementing loopback mode -for a NIC with this check. - -NIC that supports loopback mode will be converted to this helper. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Reviewed-by: Philippe Mathieu-Daudé -Cc: qemu-stable@nongnu.org -Signed-off-by: Jason Wang -Signed-off-by: Bruce Rogers ---- - include/net/net.h | 5 +++++ - include/net/queue.h | 8 ++++++++ - net/net.c | 38 +++++++++++++++++++++++++++++++------- - net/queue.c | 22 ++++++++++++++++++++++ - 4 files changed, 66 insertions(+), 7 deletions(-) - -diff --git a/include/net/net.h b/include/net/net.h -index e175ba9677dc09402bdc99f90fa2..1b32a8aaecf2a23d30c55f1a61dd 100644 ---- a/include/net/net.h -+++ b/include/net/net.h -@@ -142,12 +142,17 @@ void *qemu_get_nic_opaque(NetClientState *nc); - void qemu_del_net_client(NetClientState *nc); - typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque); - void qemu_foreach_nic(qemu_nic_foreach func, void *opaque); -+int qemu_can_receive_packet(NetClientState *nc); - int qemu_can_send_packet(NetClientState *nc); - ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov, - int iovcnt); - ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov, - int iovcnt, NetPacketSent *sent_cb); - ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size); -+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size); -+ssize_t qemu_receive_packet_iov(NetClientState *nc, -+ const struct iovec *iov, -+ int iovcnt); - ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size); - ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf, - int size, NetPacketSent *sent_cb); -diff --git a/include/net/queue.h b/include/net/queue.h -index c0269bb1dc436a912e2abc75db3b..9f2f289d7719ca1ed78604c37b65 100644 ---- a/include/net/queue.h -+++ b/include/net/queue.h -@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue, - - void qemu_del_net_queue(NetQueue *queue); - -+ssize_t qemu_net_queue_receive(NetQueue *queue, -+ const uint8_t *data, -+ size_t size); -+ -+ssize_t qemu_net_queue_receive_iov(NetQueue *queue, -+ const struct iovec *iov, -+ int iovcnt); -+ - ssize_t qemu_net_queue_send(NetQueue *queue, - NetClientState *sender, - unsigned flags, -diff --git a/net/net.c b/net/net.c -index 58adaafba93686a061e27a888ad9..95fb9e1439ad9666426e0e03d253 100644 ---- a/net/net.c -+++ b/net/net.c -@@ -516,6 +516,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be) - #endif - } - -+int qemu_can_receive_packet(NetClientState *nc) -+{ -+ if (nc->receive_disabled) { -+ return 0; -+ } else if (nc->info->can_receive && -+ !nc->info->can_receive(nc)) { -+ return 0; -+ } -+ return 1; -+} -+ - int qemu_can_send_packet(NetClientState *sender) - { - int vm_running = runstate_is_running(); -@@ -528,13 +539,7 @@ int qemu_can_send_packet(NetClientState *sender) - return 1; - } - -- if (sender->peer->receive_disabled) { -- return 0; -- } else if (sender->peer->info->can_receive && -- !sender->peer->info->can_receive(sender->peer)) { -- return 0; -- } -- return 1; -+ return qemu_can_receive_packet(sender->peer); - } - - static ssize_t filter_receive_iov(NetClientState *nc, -@@ -667,6 +672,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size) - return qemu_send_packet_async(nc, buf, size, NULL); - } - -+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size) -+{ -+ if (!qemu_can_receive_packet(nc)) { -+ return 0; -+ } -+ -+ return qemu_net_queue_receive(nc->incoming_queue, buf, size); -+} -+ -+ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov, -+ int iovcnt) -+{ -+ if (!qemu_can_receive_packet(nc)) { -+ return 0; -+ } -+ -+ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt); -+} -+ - ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size) - { - return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW, -diff --git a/net/queue.c b/net/queue.c -index 61276ca4be6f203765b9058873eb..7c0b72c8effceddd5edbfc1c92a3 100644 ---- a/net/queue.c -+++ b/net/queue.c -@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue, - return ret; - } - -+ssize_t qemu_net_queue_receive(NetQueue *queue, -+ const uint8_t *data, -+ size_t size) -+{ -+ if (queue->delivering) { -+ return 0; -+ } -+ -+ return qemu_net_queue_deliver(queue, NULL, 0, data, size); -+} -+ -+ssize_t qemu_net_queue_receive_iov(NetQueue *queue, -+ const struct iovec *iov, -+ int iovcnt) -+{ -+ if (queue->delivering) { -+ return 0; -+ } -+ -+ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt); -+} -+ - ssize_t qemu_net_queue_send(NetQueue *queue, - NetClientState *sender, - unsigned flags, diff --git a/packaging/net-remove-an-assert-call-in-eth_get_gso.patch b/packaging/net-remove-an-assert-call-in-eth_get_gso.patch deleted file mode 100644 index f7d86e81f..000000000 --- a/packaging/net-remove-an-assert-call-in-eth_get_gso.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Prasad J Pandit -Date: Wed, 21 Oct 2020 11:35:50 +0530 -Subject: net: remove an assert call in eth_get_gso_type - -Git-commit: 7564bf7701f00214cdc8a678a9f7df765244def1 -References: bsc#1178174, CVE-2020-27617 - -eth_get_gso_type() routine returns segmentation offload type based on -L3 protocol type. It calls g_assert_not_reached if L3 protocol is -unknown, making the following return statement unreachable. Remove the -g_assert call, it maybe triggered by a guest user. - -Reported-by: Gaoning Pan -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang -Signed-off-by: Bruce Rogers ---- - net/eth.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/net/eth.c b/net/eth.c -index 0c1d413ee26e31d4ac6b622a9aa9..1e0821c5f81b59536edc5ef498e9 100644 ---- a/net/eth.c -+++ b/net/eth.c -@@ -16,6 +16,7 @@ - */ - - #include "qemu/osdep.h" -+#include "qemu/log.h" - #include "net/eth.h" - #include "net/checksum.h" - #include "net/tap.h" -@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto) - return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state; - } - } -- -- /* Unsupported offload */ -- g_assert_not_reached(); -+ qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, " -+ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto); - - return VIRTIO_NET_HDR_GSO_NONE | ecn_state; - } diff --git a/packaging/net-vmxnet3-validate-configuration-value.patch b/packaging/net-vmxnet3-validate-configuration-value.patch deleted file mode 100644 index d4a5c3255..000000000 --- a/packaging/net-vmxnet3-validate-configuration-value.patch +++ /dev/null @@ -1,74 +0,0 @@ -From: Prasad J Pandit -Date: Sat, 30 Jan 2021 18:46:52 +0530 -Subject: net: vmxnet3: validate configuration values during activate - (CVE-2021-20203) - -Git-commit: 0000000000000000000000000000000000000000 -References: bsc#1181639 - -While activating device in vmxnet3_acticate_device(), it does not -validate guest supplied configuration values against predefined -minimum - maximum limits. This may lead to integer overflow or -OOB access issues. Add checks to avoid it. - -Fixes: CVE-2021-20203 -Buglink: https://bugs.launchpad.net/qemu/+bug/1913873 -Reported-by: Gaoning Pan -Signed-off-by: Prasad J Pandit -Signed-off-by: Bruce Rogers ---- - hw/net/vmxnet3.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c -index 39ff6624c5c39479b1f341ddab9e..28a69ef615b1c2a6add5f7b554e7 100644 ---- a/hw/net/vmxnet3.c -+++ b/hw/net/vmxnet3.c -@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) - vmxnet3_setup_rx_filtering(s); - /* Cache fields from shared memory */ - s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); -+ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); - VMW_CFPRN("MTU is %u", s->mtu); - - s->max_rx_frags = -@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) - /* Read rings memory locations for TX queues */ - pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA); - size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize); -+ if (size > VMXNET3_TX_RING_MAX_SIZE) { -+ size = VMXNET3_TX_RING_MAX_SIZE; -+ } - - vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size, - sizeof(struct Vmxnet3_TxDesc), false); -@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) - /* TXC ring */ - pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA); - size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize); -+ if (size > VMXNET3_TC_RING_MAX_SIZE) { -+ size = VMXNET3_TC_RING_MAX_SIZE; -+ } - vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size, - sizeof(struct Vmxnet3_TxCompDesc), true); - VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring); -@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) - /* RX rings */ - pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]); - size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]); -+ if (size > VMXNET3_RX_RING_MAX_SIZE) { -+ size = VMXNET3_RX_RING_MAX_SIZE; -+ } - vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size, - sizeof(struct Vmxnet3_RxDesc), false); - VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d", -@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s) - /* RXC ring */ - pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA); - size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize); -+ if (size > VMXNET3_RC_RING_MAX_SIZE) { -+ size = VMXNET3_RC_RING_MAX_SIZE; -+ } - vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size, - sizeof(struct Vmxnet3_RxCompDesc), true); - VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size); diff --git a/packaging/numa-Extend-CLI-to-provide-initiator-inf.patch b/packaging/numa-Extend-CLI-to-provide-initiator-inf.patch deleted file mode 100644 index bcf9d0115..000000000 --- a/packaging/numa-Extend-CLI-to-provide-initiator-inf.patch +++ /dev/null @@ -1,303 +0,0 @@ -From: Tao Xu -Date: Fri, 13 Dec 2019 09:19:22 +0800 -Subject: numa: Extend CLI to provide initiator information for numa nodes - -Git-commit: 244b3f4485a07c7ce4b7123d6ce9d8c6012756e8 -References: jsc#SLE-8897 - -In ACPI 6.3 chapter 5.2.27 Heterogeneous Memory Attribute Table (HMAT), -The initiator represents processor which access to memory. And in 5.2.27.3 -Memory Proximity Domain Attributes Structure, the attached initiator is -defined as where the memory controller responsible for a memory proximity -domain. With attached initiator information, the topology of heterogeneous -memory can be described. Add new machine property 'hmat' to enable all -HMAT specific options. - -Extend CLI of "-numa node" option to indicate the initiator numa node-id. -In the linux kernel, the codes in drivers/acpi/hmat/hmat.c parse and report -the platform's HMAT tables. Before using initiator option, enable HMAT with --machine hmat=on. - -Acked-by: Markus Armbruster -Reviewed-by: Igor Mammedov -Reviewed-by: Jingqi Liu -Suggested-by: Dan Williams -Signed-off-by: Tao Xu -Message-Id: <20191213011929.2520-2-tao3.xu@intel.com> -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Bruce Rogers ---- - hw/core/machine.c | 64 +++++++++++++++++++++++++++++++++++++++++++ - hw/core/numa.c | 23 ++++++++++++++++ - include/sysemu/numa.h | 5 ++++ - qapi/machine.json | 10 ++++++- - qemu-options.hx | 35 +++++++++++++++++++---- - 5 files changed, 131 insertions(+), 6 deletions(-) - -diff --git a/hw/core/machine.c b/hw/core/machine.c -index 1872263bf0397bbf1d515f56a627..cfab784b02ce6076c827c10c9e9c 100644 ---- a/hw/core/machine.c -+++ b/hw/core/machine.c -@@ -518,6 +518,20 @@ static void machine_set_nvdimm(Object *obj, bool value, Error **errp) - ms->nvdimms_state->is_enabled = value; - } - -+static bool machine_get_hmat(Object *obj, Error **errp) -+{ -+ MachineState *ms = MACHINE(obj); -+ -+ return ms->numa_state->hmat_enabled; -+} -+ -+static void machine_set_hmat(Object *obj, bool value, Error **errp) -+{ -+ MachineState *ms = MACHINE(obj); -+ -+ ms->numa_state->hmat_enabled = value; -+} -+ - static char *machine_get_nvdimm_persistence(Object *obj, Error **errp) - { - MachineState *ms = MACHINE(obj); -@@ -645,6 +659,7 @@ void machine_set_cpu_numa_node(MachineState *machine, - const CpuInstanceProperties *props, Error **errp) - { - MachineClass *mc = MACHINE_GET_CLASS(machine); -+ NodeInfo *numa_info = machine->numa_state->nodes; - bool match = false; - int i; - -@@ -714,6 +729,17 @@ void machine_set_cpu_numa_node(MachineState *machine, - match = true; - slot->props.node_id = props->node_id; - slot->props.has_node_id = props->has_node_id; -+ -+ if (machine->numa_state->hmat_enabled) { -+ if ((numa_info[props->node_id].initiator < MAX_NODES) && -+ (props->node_id != numa_info[props->node_id].initiator)) { -+ error_setg(errp, "The initiator of CPU NUMA node %" PRId64 -+ " should be itself", props->node_id); -+ return; -+ } -+ numa_info[props->node_id].has_cpu = true; -+ numa_info[props->node_id].initiator = props->node_id; -+ } - } - - if (!match) { -@@ -960,6 +986,13 @@ static void machine_initfn(Object *obj) - - if (mc->cpu_index_to_instance_props && mc->get_default_cpu_node_id) { - ms->numa_state = g_new0(NumaState, 1); -+ object_property_add_bool(obj, "hmat", -+ machine_get_hmat, machine_set_hmat, -+ &error_abort); -+ object_property_set_description(obj, "hmat", -+ "Set on/off to enable/disable " -+ "ACPI Heterogeneous Memory Attribute " -+ "Table (HMAT)", NULL); - } - - /* Register notifier when init is done for sysbus sanity checks */ -@@ -1048,6 +1081,32 @@ static char *cpu_slot_to_string(const CPUArchId *cpu) - return g_string_free(s, false); - } - -+static void numa_validate_initiator(NumaState *numa_state) -+{ -+ int i; -+ NodeInfo *numa_info = numa_state->nodes; -+ -+ for (i = 0; i < numa_state->num_nodes; i++) { -+ if (numa_info[i].initiator == MAX_NODES) { -+ error_report("The initiator of NUMA node %d is missing, use " -+ "'-numa node,initiator' option to declare it", i); -+ exit(1); -+ } -+ -+ if (!numa_info[numa_info[i].initiator].present) { -+ error_report("NUMA node %" PRIu16 " is missing, use " -+ "'-numa node' option to declare it first", -+ numa_info[i].initiator); -+ exit(1); -+ } -+ -+ if (!numa_info[numa_info[i].initiator].has_cpu) { -+ error_report("The initiator of NUMA node %d is invalid", i); -+ exit(1); -+ } -+ } -+} -+ - static void machine_numa_finish_cpu_init(MachineState *machine) - { - int i; -@@ -1088,6 +1147,11 @@ static void machine_numa_finish_cpu_init(MachineState *machine) - machine_set_cpu_numa_node(machine, &props, &error_fatal); - } - } -+ -+ if (machine->numa_state->hmat_enabled) { -+ numa_validate_initiator(machine->numa_state); -+ } -+ - if (s->len && !qtest_enabled()) { - warn_report("CPU(s) not present in any NUMA nodes: %s", - s->str); -diff --git a/hw/core/numa.c b/hw/core/numa.c -index 19f082de128ddcc743d1d5ea8254..a07eef93dc3f104b6c0199040338 100644 ---- a/hw/core/numa.c -+++ b/hw/core/numa.c -@@ -129,6 +129,29 @@ static void parse_numa_node(MachineState *ms, NumaNodeOptions *node, - numa_info[nodenr].node_mem = object_property_get_uint(o, "size", NULL); - numa_info[nodenr].node_memdev = MEMORY_BACKEND(o); - } -+ -+ /* -+ * If not set the initiator, set it to MAX_NODES. And if -+ * HMAT is enabled and this node has no cpus, QEMU will raise error. -+ */ -+ numa_info[nodenr].initiator = MAX_NODES; -+ if (node->has_initiator) { -+ if (!ms->numa_state->hmat_enabled) { -+ error_setg(errp, "ACPI Heterogeneous Memory Attribute Table " -+ "(HMAT) is disabled, enable it with -machine hmat=on " -+ "before using any of hmat specific options"); -+ return; -+ } -+ -+ if (node->initiator >= MAX_NODES) { -+ error_report("The initiator id %" PRIu16 " expects an integer " -+ "between 0 and %d", node->initiator, -+ MAX_NODES - 1); -+ return; -+ } -+ -+ numa_info[nodenr].initiator = node->initiator; -+ } - numa_info[nodenr].present = true; - max_numa_nodeid = MAX(max_numa_nodeid, nodenr + 1); - ms->numa_state->num_nodes++; -diff --git a/include/sysemu/numa.h b/include/sysemu/numa.h -index ae9c41d02ba47c089d19d74b3a4f..788cbec7a2096e262555ac6e83cb 100644 ---- a/include/sysemu/numa.h -+++ b/include/sysemu/numa.h -@@ -18,6 +18,8 @@ struct NodeInfo { - uint64_t node_mem; - struct HostMemoryBackend *node_memdev; - bool present; -+ bool has_cpu; -+ uint16_t initiator; - uint8_t distance[MAX_NODES]; - }; - -@@ -33,6 +35,9 @@ struct NumaState { - /* Allow setting NUMA distance for different NUMA nodes */ - bool have_numa_distance; - -+ /* Detect if HMAT support is enabled. */ -+ bool hmat_enabled; -+ - /* NUMA nodes information */ - NodeInfo nodes[MAX_NODES]; - }; -diff --git a/qapi/machine.json b/qapi/machine.json -index ca26779f1a3623e86befc00ee8d8..27d0e375342a502c7676d23837a7 100644 ---- a/qapi/machine.json -+++ b/qapi/machine.json -@@ -463,6 +463,13 @@ - # @memdev: memory backend object. If specified for one node, - # it must be specified for all nodes. - # -+# @initiator: defined in ACPI 6.3 Chapter 5.2.27.3 Table 5-145, -+# points to the nodeid which has the memory controller -+# responsible for this NUMA node. This field provides -+# additional information as to the initiator node that -+# is closest (as in directly attached) to this node, and -+# therefore has the best performance (since 5.0) -+# - # Since: 2.1 - ## - { 'struct': 'NumaNodeOptions', -@@ -470,7 +477,8 @@ - '*nodeid': 'uint16', - '*cpus': ['uint16'], - '*mem': 'size', -- '*memdev': 'str' }} -+ '*memdev': 'str', -+ '*initiator': 'uint16' }} - - ## - # @NumaDistOptions: -diff --git a/qemu-options.hx b/qemu-options.hx -index e14d88e9b2f3a3c13a4c20db0b36..9b1618cd34d9fe1d8374d6abb954 100644 ---- a/qemu-options.hx -+++ b/qemu-options.hx -@@ -43,7 +43,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \ - " suppress-vmdesc=on|off disables self-describing migration (default=off)\n" - " nvdimm=on|off controls NVDIMM support (default=off)\n" - " enforce-config-section=on|off enforce configuration section migration (default=off)\n" -- " memory-encryption=@var{} memory encryption object to use (default=none)\n", -+ " memory-encryption=@var{} memory encryption object to use (default=none)\n" -+ " hmat=on|off controls ACPI HMAT support (default=off)\n", - QEMU_ARCH_ALL) - STEXI - @item -machine [type=]@var{name}[,prop=@var{value}[,...]] -@@ -103,6 +104,9 @@ NOTE: this parameter is deprecated. Please use @option{-global} - @option{migration.send-configuration}=@var{on|off} instead. - @item memory-encryption=@var{} - Memory encryption object to use. The default is none. -+@item hmat=on|off -+Enables or disables ACPI Heterogeneous Memory Attribute Table (HMAT) support. -+The default is off. - @end table - ETEXI - -@@ -161,14 +165,14 @@ If any on the three values is given, the total number of CPUs @var{n} can be omi - ETEXI - - DEF("numa", HAS_ARG, QEMU_OPTION_numa, -- "-numa node[,mem=size][,cpus=firstcpu[-lastcpu]][,nodeid=node]\n" -- "-numa node[,memdev=id][,cpus=firstcpu[-lastcpu]][,nodeid=node]\n" -+ "-numa node[,mem=size][,cpus=firstcpu[-lastcpu]][,nodeid=node][,initiator=node]\n" -+ "-numa node[,memdev=id][,cpus=firstcpu[-lastcpu]][,nodeid=node][,initiator=node]\n" - "-numa dist,src=source,dst=destination,val=distance\n" - "-numa cpu,node-id=node[,socket-id=x][,core-id=y][,thread-id=z]\n", - QEMU_ARCH_ALL) - STEXI --@item -numa node[,mem=@var{size}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}] --@itemx -numa node[,memdev=@var{id}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}] -+@item -numa node[,mem=@var{size}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}][,initiator=@var{initiator}] -+@itemx -numa node[,memdev=@var{id}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}][,initiator=@var{initiator}] - @itemx -numa dist,src=@var{source},dst=@var{destination},val=@var{distance} - @itemx -numa cpu,node-id=@var{node}[,socket-id=@var{x}][,core-id=@var{y}][,thread-id=@var{z}] - @findex -numa -@@ -215,6 +219,27 @@ split equally between them. - @samp{mem} and @samp{memdev} are mutually exclusive. Furthermore, - if one node uses @samp{memdev}, all of them have to use it. - -+@samp{initiator} is an additional option that points to an @var{initiator} -+NUMA node that has best performance (the lowest latency or largest bandwidth) -+to this NUMA @var{node}. Note that this option can be set only when -+the machine property 'hmat' is set to 'on'. -+ -+Following example creates a machine with 2 NUMA nodes, node 0 has CPU. -+node 1 has only memory, and its initiator is node 0. Note that because -+node 0 has CPU, by default the initiator of node 0 is itself and must be -+itself. -+@example -+-machine hmat=on \ -+-m 2G,slots=2,maxmem=4G \ -+-object memory-backend-ram,size=1G,id=m0 \ -+-object memory-backend-ram,size=1G,id=m1 \ -+-numa node,nodeid=0,memdev=m0 \ -+-numa node,nodeid=1,memdev=m1,initiator=0 \ -+-smp 2,sockets=2,maxcpus=2 \ -+-numa cpu,node-id=0,socket-id=0 \ -+-numa cpu,node-id=0,socket-id=1 -+@end example -+ - @var{source} and @var{destination} are NUMA node IDs. - @var{distance} is the NUMA distance from @var{source} to @var{destination}. - The distance from a node to itself is always 10. If any pair of nodes is diff --git a/packaging/numa-Extend-CLI-to-provide-memory-latenc.patch b/packaging/numa-Extend-CLI-to-provide-memory-latenc.patch deleted file mode 100644 index 2eb8e9f0d..000000000 --- a/packaging/numa-Extend-CLI-to-provide-memory-latenc.patch +++ /dev/null @@ -1,530 +0,0 @@ -From: Liu Jingqi -Date: Fri, 13 Dec 2019 09:19:23 +0800 -Subject: numa: Extend CLI to provide memory latency and bandwidth information - -Git-commit: 9b12dfa03a94d7f7a4b54eb67229a31e58193384 -References: jsc#SLE-8897 - -Add -numa hmat-lb option to provide System Locality Latency and -Bandwidth Information. These memory attributes help to build -System Locality Latency and Bandwidth Information Structure(s) -in ACPI Heterogeneous Memory Attribute Table (HMAT). Before using -hmat-lb option, enable HMAT with -machine hmat=on. - -Acked-by: Markus Armbruster -Signed-off-by: Liu Jingqi -Signed-off-by: Tao Xu -Message-Id: <20191213011929.2520-3-tao3.xu@intel.com> -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin -Reviewed-by: Igor Mammedov -Signed-off-by: Bruce Rogers ---- - hw/core/numa.c | 194 ++++++++++++++++++++++++++++++++++++++++++ - include/sysemu/numa.h | 53 ++++++++++++ - qapi/machine.json | 93 +++++++++++++++++++- - qemu-options.hx | 47 +++++++++- - 4 files changed, 384 insertions(+), 3 deletions(-) - -diff --git a/hw/core/numa.c b/hw/core/numa.c -index a07eef93dc3f104b6c0199040338..58fe7138b290f8b8cbc340d3d1ec 100644 ---- a/hw/core/numa.c -+++ b/hw/core/numa.c -@@ -23,6 +23,7 @@ - */ - - #include "qemu/osdep.h" -+#include "qemu/units.h" - #include "sysemu/hostmem.h" - #include "sysemu/numa.h" - #include "sysemu/sysemu.h" -@@ -194,6 +195,186 @@ void parse_numa_distance(MachineState *ms, NumaDistOptions *dist, Error **errp) - ms->numa_state->have_numa_distance = true; - } - -+void parse_numa_hmat_lb(NumaState *numa_state, NumaHmatLBOptions *node, -+ Error **errp) -+{ -+ int i, first_bit, last_bit; -+ uint64_t max_entry, temp_base, bitmap_copy; -+ NodeInfo *numa_info = numa_state->nodes; -+ HMAT_LB_Info *hmat_lb = -+ numa_state->hmat_lb[node->hierarchy][node->data_type]; -+ HMAT_LB_Data lb_data = {}; -+ HMAT_LB_Data *lb_temp; -+ -+ /* Error checking */ -+ if (node->initiator > numa_state->num_nodes) { -+ error_setg(errp, "Invalid initiator=%d, it should be less than %d", -+ node->initiator, numa_state->num_nodes); -+ return; -+ } -+ if (node->target > numa_state->num_nodes) { -+ error_setg(errp, "Invalid target=%d, it should be less than %d", -+ node->target, numa_state->num_nodes); -+ return; -+ } -+ if (!numa_info[node->initiator].has_cpu) { -+ error_setg(errp, "Invalid initiator=%d, it isn't an " -+ "initiator proximity domain", node->initiator); -+ return; -+ } -+ if (!numa_info[node->target].present) { -+ error_setg(errp, "The target=%d should point to an existing node", -+ node->target); -+ return; -+ } -+ -+ if (!hmat_lb) { -+ hmat_lb = g_malloc0(sizeof(*hmat_lb)); -+ numa_state->hmat_lb[node->hierarchy][node->data_type] = hmat_lb; -+ hmat_lb->list = g_array_new(false, true, sizeof(HMAT_LB_Data)); -+ } -+ hmat_lb->hierarchy = node->hierarchy; -+ hmat_lb->data_type = node->data_type; -+ lb_data.initiator = node->initiator; -+ lb_data.target = node->target; -+ -+ if (node->data_type <= HMATLB_DATA_TYPE_WRITE_LATENCY) { -+ /* Input latency data */ -+ -+ if (!node->has_latency) { -+ error_setg(errp, "Missing 'latency' option"); -+ return; -+ } -+ if (node->has_bandwidth) { -+ error_setg(errp, "Invalid option 'bandwidth' since " -+ "the data type is latency"); -+ return; -+ } -+ -+ /* Detect duplicate configuration */ -+ for (i = 0; i < hmat_lb->list->len; i++) { -+ lb_temp = &g_array_index(hmat_lb->list, HMAT_LB_Data, i); -+ -+ if (node->initiator == lb_temp->initiator && -+ node->target == lb_temp->target) { -+ error_setg(errp, "Duplicate configuration of the latency for " -+ "initiator=%d and target=%d", node->initiator, -+ node->target); -+ return; -+ } -+ } -+ -+ hmat_lb->base = hmat_lb->base ? hmat_lb->base : UINT64_MAX; -+ -+ if (node->latency) { -+ /* Calculate the temporary base and compressed latency */ -+ max_entry = node->latency; -+ temp_base = 1; -+ while (QEMU_IS_ALIGNED(max_entry, 10)) { -+ max_entry /= 10; -+ temp_base *= 10; -+ } -+ -+ /* Calculate the max compressed latency */ -+ temp_base = MIN(hmat_lb->base, temp_base); -+ max_entry = node->latency / hmat_lb->base; -+ max_entry = MAX(hmat_lb->range_bitmap, max_entry); -+ -+ /* -+ * For latency hmat_lb->range_bitmap record the max compressed -+ * latency which should be less than 0xFFFF (UINT16_MAX) -+ */ -+ if (max_entry >= UINT16_MAX) { -+ error_setg(errp, "Latency %" PRIu64 " between initiator=%d and " -+ "target=%d should not differ from previously entered " -+ "min or max values on more than %d", node->latency, -+ node->initiator, node->target, UINT16_MAX - 1); -+ return; -+ } else { -+ hmat_lb->base = temp_base; -+ hmat_lb->range_bitmap = max_entry; -+ } -+ -+ /* -+ * Set lb_info_provided bit 0 as 1, -+ * latency information is provided -+ */ -+ numa_info[node->target].lb_info_provided |= BIT(0); -+ } -+ lb_data.data = node->latency; -+ } else if (node->data_type >= HMATLB_DATA_TYPE_ACCESS_BANDWIDTH) { -+ /* Input bandwidth data */ -+ if (!node->has_bandwidth) { -+ error_setg(errp, "Missing 'bandwidth' option"); -+ return; -+ } -+ if (node->has_latency) { -+ error_setg(errp, "Invalid option 'latency' since " -+ "the data type is bandwidth"); -+ return; -+ } -+ if (!QEMU_IS_ALIGNED(node->bandwidth, MiB)) { -+ error_setg(errp, "Bandwidth %" PRIu64 " between initiator=%d and " -+ "target=%d should be 1MB aligned", node->bandwidth, -+ node->initiator, node->target); -+ return; -+ } -+ -+ /* Detect duplicate configuration */ -+ for (i = 0; i < hmat_lb->list->len; i++) { -+ lb_temp = &g_array_index(hmat_lb->list, HMAT_LB_Data, i); -+ -+ if (node->initiator == lb_temp->initiator && -+ node->target == lb_temp->target) { -+ error_setg(errp, "Duplicate configuration of the bandwidth for " -+ "initiator=%d and target=%d", node->initiator, -+ node->target); -+ return; -+ } -+ } -+ -+ hmat_lb->base = hmat_lb->base ? hmat_lb->base : 1; -+ -+ if (node->bandwidth) { -+ /* Keep bitmap unchanged when bandwidth out of range */ -+ bitmap_copy = hmat_lb->range_bitmap; -+ bitmap_copy |= node->bandwidth; -+ first_bit = ctz64(bitmap_copy); -+ temp_base = UINT64_C(1) << first_bit; -+ max_entry = node->bandwidth / temp_base; -+ last_bit = 64 - clz64(bitmap_copy); -+ -+ /* -+ * For bandwidth, first_bit record the base unit of bandwidth bits, -+ * last_bit record the last bit of the max bandwidth. The max -+ * compressed bandwidth should be less than 0xFFFF (UINT16_MAX) -+ */ -+ if ((last_bit - first_bit) > UINT16_BITS || -+ max_entry >= UINT16_MAX) { -+ error_setg(errp, "Bandwidth %" PRIu64 " between initiator=%d " -+ "and target=%d should not differ from previously " -+ "entered values on more than %d", node->bandwidth, -+ node->initiator, node->target, UINT16_MAX - 1); -+ return; -+ } else { -+ hmat_lb->base = temp_base; -+ hmat_lb->range_bitmap = bitmap_copy; -+ } -+ -+ /* -+ * Set lb_info_provided bit 1 as 1, -+ * bandwidth information is provided -+ */ -+ numa_info[node->target].lb_info_provided |= BIT(1); -+ } -+ lb_data.data = node->bandwidth; -+ } else { -+ assert(0); -+ } -+ -+ g_array_append_val(hmat_lb->list, lb_data); -+} -+ - void set_numa_options(MachineState *ms, NumaOptions *object, Error **errp) - { - Error *err = NULL; -@@ -231,6 +412,19 @@ void set_numa_options(MachineState *ms, NumaOptions *object, Error **errp) - machine_set_cpu_numa_node(ms, qapi_NumaCpuOptions_base(&object->u.cpu), - &err); - break; -+ case NUMA_OPTIONS_TYPE_HMAT_LB: -+ if (!ms->numa_state->hmat_enabled) { -+ error_setg(errp, "ACPI Heterogeneous Memory Attribute Table " -+ "(HMAT) is disabled, enable it with -machine hmat=on " -+ "before using any of hmat specific options"); -+ return; -+ } -+ -+ parse_numa_hmat_lb(ms->numa_state, &object->u.hmat_lb, &err); -+ if (err) { -+ goto end; -+ } -+ break; - default: - abort(); - } -diff --git a/include/sysemu/numa.h b/include/sysemu/numa.h -index 788cbec7a2096e262555ac6e83cb..70f93c83d71eb2cdab5bf1dde422 100644 ---- a/include/sysemu/numa.h -+++ b/include/sysemu/numa.h -@@ -14,11 +14,34 @@ struct CPUArchId; - #define NUMA_DISTANCE_MAX 254 - #define NUMA_DISTANCE_UNREACHABLE 255 - -+/* the value of AcpiHmatLBInfo flags */ -+enum { -+ HMAT_LB_MEM_MEMORY = 0, -+ HMAT_LB_MEM_CACHE_1ST_LEVEL = 1, -+ HMAT_LB_MEM_CACHE_2ND_LEVEL = 2, -+ HMAT_LB_MEM_CACHE_3RD_LEVEL = 3, -+ HMAT_LB_LEVELS /* must be the last entry */ -+}; -+ -+/* the value of AcpiHmatLBInfo data type */ -+enum { -+ HMAT_LB_DATA_ACCESS_LATENCY = 0, -+ HMAT_LB_DATA_READ_LATENCY = 1, -+ HMAT_LB_DATA_WRITE_LATENCY = 2, -+ HMAT_LB_DATA_ACCESS_BANDWIDTH = 3, -+ HMAT_LB_DATA_READ_BANDWIDTH = 4, -+ HMAT_LB_DATA_WRITE_BANDWIDTH = 5, -+ HMAT_LB_TYPES /* must be the last entry */ -+}; -+ -+#define UINT16_BITS 16 -+ - struct NodeInfo { - uint64_t node_mem; - struct HostMemoryBackend *node_memdev; - bool present; - bool has_cpu; -+ uint8_t lb_info_provided; - uint16_t initiator; - uint8_t distance[MAX_NODES]; - }; -@@ -28,6 +51,31 @@ struct NumaNodeMem { - uint64_t node_plugged_mem; - }; - -+struct HMAT_LB_Data { -+ uint8_t initiator; -+ uint8_t target; -+ uint64_t data; -+}; -+typedef struct HMAT_LB_Data HMAT_LB_Data; -+ -+struct HMAT_LB_Info { -+ /* Indicates it's memory or the specified level memory side cache. */ -+ uint8_t hierarchy; -+ -+ /* Present the type of data, access/read/write latency or bandwidth. */ -+ uint8_t data_type; -+ -+ /* The range bitmap of bandwidth for calculating common base */ -+ uint64_t range_bitmap; -+ -+ /* The common base unit for latencies or bandwidths */ -+ uint64_t base; -+ -+ /* Array to store the latencies or bandwidths */ -+ GArray *list; -+}; -+typedef struct HMAT_LB_Info HMAT_LB_Info; -+ - struct NumaState { - /* Number of NUMA nodes */ - int num_nodes; -@@ -40,11 +88,16 @@ struct NumaState { - - /* NUMA nodes information */ - NodeInfo nodes[MAX_NODES]; -+ -+ /* NUMA nodes HMAT Locality Latency and Bandwidth Information */ -+ HMAT_LB_Info *hmat_lb[HMAT_LB_LEVELS][HMAT_LB_TYPES]; - }; - typedef struct NumaState NumaState; - - void set_numa_options(MachineState *ms, NumaOptions *object, Error **errp); - void parse_numa_opts(MachineState *ms); -+void parse_numa_hmat_lb(NumaState *numa_state, NumaHmatLBOptions *node, -+ Error **errp); - void numa_complete_configuration(MachineState *ms); - void query_numa_node_mem(NumaNodeMem node_mem[], MachineState *ms); - extern QemuOptsList qemu_numa_opts; -diff --git a/qapi/machine.json b/qapi/machine.json -index 27d0e375342a502c7676d23837a7..cf8faf5a2a4929560c852bf8d50c 100644 ---- a/qapi/machine.json -+++ b/qapi/machine.json -@@ -426,10 +426,12 @@ - # - # @cpu: property based CPU(s) to node mapping (Since: 2.10) - # -+# @hmat-lb: memory latency and bandwidth information (Since: 5.0) -+# - # Since: 2.1 - ## - { 'enum': 'NumaOptionsType', -- 'data': [ 'node', 'dist', 'cpu' ] } -+ 'data': [ 'node', 'dist', 'cpu', 'hmat-lb' ] } - - ## - # @NumaOptions: -@@ -444,7 +446,8 @@ - 'data': { - 'node': 'NumaNodeOptions', - 'dist': 'NumaDistOptions', -- 'cpu': 'NumaCpuOptions' }} -+ 'cpu': 'NumaCpuOptions', -+ 'hmat-lb': 'NumaHmatLBOptions' }} - - ## - # @NumaNodeOptions: -@@ -557,6 +560,92 @@ - 'base': 'CpuInstanceProperties', - 'data' : {} } - -+## -+# @HmatLBMemoryHierarchy: -+# -+# The memory hierarchy in the System Locality Latency and Bandwidth -+# Information Structure of HMAT (Heterogeneous Memory Attribute Table) -+# -+# For more information about @HmatLBMemoryHierarchy, see chapter -+# 5.2.27.4: Table 5-146: Field "Flags" of ACPI 6.3 spec. -+# -+# @memory: the structure represents the memory performance -+# -+# @first-level: first level of memory side cache -+# -+# @second-level: second level of memory side cache -+# -+# @third-level: third level of memory side cache -+# -+# Since: 5.0 -+## -+{ 'enum': 'HmatLBMemoryHierarchy', -+ 'data': [ 'memory', 'first-level', 'second-level', 'third-level' ] } -+ -+## -+# @HmatLBDataType: -+# -+# Data type in the System Locality Latency and Bandwidth -+# Information Structure of HMAT (Heterogeneous Memory Attribute Table) -+# -+# For more information about @HmatLBDataType, see chapter -+# 5.2.27.4: Table 5-146: Field "Data Type" of ACPI 6.3 spec. -+# -+# @access-latency: access latency (nanoseconds) -+# -+# @read-latency: read latency (nanoseconds) -+# -+# @write-latency: write latency (nanoseconds) -+# -+# @access-bandwidth: access bandwidth (Bytes per second) -+# -+# @read-bandwidth: read bandwidth (Bytes per second) -+# -+# @write-bandwidth: write bandwidth (Bytes per second) -+# -+# Since: 5.0 -+## -+{ 'enum': 'HmatLBDataType', -+ 'data': [ 'access-latency', 'read-latency', 'write-latency', -+ 'access-bandwidth', 'read-bandwidth', 'write-bandwidth' ] } -+ -+## -+# @NumaHmatLBOptions: -+# -+# Set the system locality latency and bandwidth information -+# between Initiator and Target proximity Domains. -+# -+# For more information about @NumaHmatLBOptions, see chapter -+# 5.2.27.4: Table 5-146 of ACPI 6.3 spec. -+# -+# @initiator: the Initiator Proximity Domain. -+# -+# @target: the Target Proximity Domain. -+# -+# @hierarchy: the Memory Hierarchy. Indicates the performance -+# of memory or side cache. -+# -+# @data-type: presents the type of data, access/read/write -+# latency or hit latency. -+# -+# @latency: the value of latency from @initiator to @target -+# proximity domain, the latency unit is "ns(nanosecond)". -+# -+# @bandwidth: the value of bandwidth between @initiator and @target -+# proximity domain, the bandwidth unit is -+# "Bytes per second". -+# -+# Since: 5.0 -+## -+{ 'struct': 'NumaHmatLBOptions', -+ 'data': { -+ 'initiator': 'uint16', -+ 'target': 'uint16', -+ 'hierarchy': 'HmatLBMemoryHierarchy', -+ 'data-type': 'HmatLBDataType', -+ '*latency': 'uint64', -+ '*bandwidth': 'size' }} -+ - ## - # @HostMemPolicy: - # -diff --git a/qemu-options.hx b/qemu-options.hx -index 9b1618cd34d9fe1d8374d6abb954..5f7f31457ab6a8640698f6913b07 100644 ---- a/qemu-options.hx -+++ b/qemu-options.hx -@@ -168,16 +168,19 @@ DEF("numa", HAS_ARG, QEMU_OPTION_numa, - "-numa node[,mem=size][,cpus=firstcpu[-lastcpu]][,nodeid=node][,initiator=node]\n" - "-numa node[,memdev=id][,cpus=firstcpu[-lastcpu]][,nodeid=node][,initiator=node]\n" - "-numa dist,src=source,dst=destination,val=distance\n" -- "-numa cpu,node-id=node[,socket-id=x][,core-id=y][,thread-id=z]\n", -+ "-numa cpu,node-id=node[,socket-id=x][,core-id=y][,thread-id=z]\n" -+ "-numa hmat-lb,initiator=node,target=node,hierarchy=memory|first-level|second-level|third-level,data-type=access-latency|read-latency|write-latency[,latency=lat][,bandwidth=bw]\n", - QEMU_ARCH_ALL) - STEXI - @item -numa node[,mem=@var{size}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}][,initiator=@var{initiator}] - @itemx -numa node[,memdev=@var{id}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}][,initiator=@var{initiator}] - @itemx -numa dist,src=@var{source},dst=@var{destination},val=@var{distance} - @itemx -numa cpu,node-id=@var{node}[,socket-id=@var{x}][,core-id=@var{y}][,thread-id=@var{z}] -+@itemx -numa hmat-lb,initiator=@var{node},target=@var{node},hierarchy=@var{hierarchy},data-type=@var{tpye}[,latency=@var{lat}][,bandwidth=@var{bw}] - @findex -numa - Define a NUMA node and assign RAM and VCPUs to it. - Set the NUMA distance from a source node to a destination node. -+Set the ACPI Heterogeneous Memory Attributes for the given nodes. - - Legacy VCPU assignment uses @samp{cpus} option where - @var{firstcpu} and @var{lastcpu} are CPU indexes. Each -@@ -256,6 +259,48 @@ specified resources, it just assigns existing resources to NUMA - nodes. This means that one still has to use the @option{-m}, - @option{-smp} options to allocate RAM and VCPUs respectively. - -+Use @samp{hmat-lb} to set System Locality Latency and Bandwidth Information -+between initiator and target NUMA nodes in ACPI Heterogeneous Attribute Memory Table (HMAT). -+Initiator NUMA node can create memory requests, usually it has one or more processors. -+Target NUMA node contains addressable memory. -+ -+In @samp{hmat-lb} option, @var{node} are NUMA node IDs. @var{hierarchy} is the memory -+hierarchy of the target NUMA node: if @var{hierarchy} is 'memory', the structure -+represents the memory performance; if @var{hierarchy} is 'first-level|second-level|third-level', -+this structure represents aggregated performance of memory side caches for each domain. -+@var{type} of 'data-type' is type of data represented by this structure instance: -+if 'hierarchy' is 'memory', 'data-type' is 'access|read|write' latency or 'access|read|write' -+bandwidth of the target memory; if 'hierarchy' is 'first-level|second-level|third-level', -+'data-type' is 'access|read|write' hit latency or 'access|read|write' hit bandwidth of the -+target memory side cache. -+ -+@var{lat} is latency value in nanoseconds. @var{bw} is bandwidth value, -+the possible value and units are NUM[M|G|T], mean that the bandwidth value are -+NUM byte per second (or MB/s, GB/s or TB/s depending on used suffix). -+Note that if latency or bandwidth value is 0, means the corresponding latency or -+bandwidth information is not provided. -+ -+For example, the following options describe 2 NUMA nodes. Node 0 has 2 cpus and -+a ram, node 1 has only a ram. The processors in node 0 access memory in node -+0 with access-latency 5 nanoseconds, access-bandwidth is 200 MB/s; -+The processors in NUMA node 0 access memory in NUMA node 1 with access-latency 10 -+nanoseconds, access-bandwidth is 100 MB/s. -+@example -+-machine hmat=on \ -+-m 2G \ -+-object memory-backend-ram,size=1G,id=m0 \ -+-object memory-backend-ram,size=1G,id=m1 \ -+-smp 2 \ -+-numa node,nodeid=0,memdev=m0 \ -+-numa node,nodeid=1,memdev=m1,initiator=0 \ -+-numa cpu,node-id=0,socket-id=0 \ -+-numa cpu,node-id=0,socket-id=1 \ -+-numa hmat-lb,initiator=0,target=0,hierarchy=memory,data-type=access-latency,latency=5 \ -+-numa hmat-lb,initiator=0,target=0,hierarchy=memory,data-type=access-bandwidth,bandwidth=200M \ -+-numa hmat-lb,initiator=0,target=1,hierarchy=memory,data-type=access-latency,latency=10 \ -+-numa hmat-lb,initiator=0,target=1,hierarchy=memory,data-type=access-bandwidth,bandwidth=100M -+@end example -+ - ETEXI - - DEF("add-fd", HAS_ARG, QEMU_OPTION_add_fd, diff --git a/packaging/numa-Extend-CLI-to-provide-memory-side-c.patch b/packaging/numa-Extend-CLI-to-provide-memory-side-c.patch deleted file mode 100644 index 74f8a0a9b..000000000 --- a/packaging/numa-Extend-CLI-to-provide-memory-side-c.patch +++ /dev/null @@ -1,311 +0,0 @@ -From: Liu Jingqi -Date: Fri, 13 Dec 2019 09:19:24 +0800 -Subject: numa: Extend CLI to provide memory side cache information - -Git-commit: c412a48d4d91e8f8b89aae02de0f44f1f0b729e5 -References: jsc#SLE-8897 - -Add -numa hmat-cache option to provide Memory Side Cache Information. -These memory attributes help to build Memory Side Cache Information -Structure(s) in ACPI Heterogeneous Memory Attribute Table (HMAT). -Before using hmat-cache option, enable HMAT with -machine hmat=on. - -Acked-by: Markus Armbruster -Signed-off-by: Liu Jingqi -Signed-off-by: Tao Xu -Message-Id: <20191213011929.2520-4-tao3.xu@intel.com> -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin -Reviewed-by: Igor Mammedov -Signed-off-by: Bruce Rogers brogers@suse.com> ---- - hw/core/numa.c | 80 ++++++++++++++++++++++++++++++++++++++++++ - include/sysemu/numa.h | 5 +++ - qapi/machine.json | 81 +++++++++++++++++++++++++++++++++++++++++-- - qemu-options.hx | 17 +++++++-- - 4 files changed, 179 insertions(+), 4 deletions(-) - -diff --git a/hw/core/numa.c b/hw/core/numa.c -index 58fe7138b290f8b8cbc340d3d1ec..0d1b4be76a69fe7baba48f928f2f 100644 ---- a/hw/core/numa.c -+++ b/hw/core/numa.c -@@ -375,6 +375,73 @@ void parse_numa_hmat_lb(NumaState *numa_state, NumaHmatLBOptions *node, - g_array_append_val(hmat_lb->list, lb_data); - } - -+void parse_numa_hmat_cache(MachineState *ms, NumaHmatCacheOptions *node, -+ Error **errp) -+{ -+ int nb_numa_nodes = ms->numa_state->num_nodes; -+ NodeInfo *numa_info = ms->numa_state->nodes; -+ NumaHmatCacheOptions *hmat_cache = NULL; -+ -+ if (node->node_id >= nb_numa_nodes) { -+ error_setg(errp, "Invalid node-id=%" PRIu32 ", it should be less " -+ "than %d", node->node_id, nb_numa_nodes); -+ return; -+ } -+ -+ if (numa_info[node->node_id].lb_info_provided != (BIT(0) | BIT(1))) { -+ error_setg(errp, "The latency and bandwidth information of " -+ "node-id=%" PRIu32 " should be provided before memory side " -+ "cache attributes", node->node_id); -+ return; -+ } -+ -+ if (node->level < 1 || node->level >= HMAT_LB_LEVELS) { -+ error_setg(errp, "Invalid level=%" PRIu8 ", it should be larger than 0 " -+ "and less than or equal to %d", node->level, -+ HMAT_LB_LEVELS - 1); -+ return; -+ } -+ -+ assert(node->associativity < HMAT_CACHE_ASSOCIATIVITY__MAX); -+ assert(node->policy < HMAT_CACHE_WRITE_POLICY__MAX); -+ if (ms->numa_state->hmat_cache[node->node_id][node->level]) { -+ error_setg(errp, "Duplicate configuration of the side cache for " -+ "node-id=%" PRIu32 " and level=%" PRIu8, -+ node->node_id, node->level); -+ return; -+ } -+ -+ if ((node->level > 1) && -+ ms->numa_state->hmat_cache[node->node_id][node->level - 1] && -+ (node->size >= -+ ms->numa_state->hmat_cache[node->node_id][node->level - 1]->size)) { -+ error_setg(errp, "Invalid size=%" PRIu64 ", the size of level=%" PRIu8 -+ " should be less than the size(%" PRIu64 ") of " -+ "level=%u", node->size, node->level, -+ ms->numa_state->hmat_cache[node->node_id] -+ [node->level - 1]->size, -+ node->level - 1); -+ return; -+ } -+ -+ if ((node->level < HMAT_LB_LEVELS - 1) && -+ ms->numa_state->hmat_cache[node->node_id][node->level + 1] && -+ (node->size <= -+ ms->numa_state->hmat_cache[node->node_id][node->level + 1]->size)) { -+ error_setg(errp, "Invalid size=%" PRIu64 ", the size of level=%" PRIu8 -+ " should be larger than the size(%" PRIu64 ") of " -+ "level=%u", node->size, node->level, -+ ms->numa_state->hmat_cache[node->node_id] -+ [node->level + 1]->size, -+ node->level + 1); -+ return; -+ } -+ -+ hmat_cache = g_malloc0(sizeof(*hmat_cache)); -+ memcpy(hmat_cache, node, sizeof(*hmat_cache)); -+ ms->numa_state->hmat_cache[node->node_id][node->level] = hmat_cache; -+} -+ - void set_numa_options(MachineState *ms, NumaOptions *object, Error **errp) - { - Error *err = NULL; -@@ -425,6 +492,19 @@ void set_numa_options(MachineState *ms, NumaOptions *object, Error **errp) - goto end; - } - break; -+ case NUMA_OPTIONS_TYPE_HMAT_CACHE: -+ if (!ms->numa_state->hmat_enabled) { -+ error_setg(errp, "ACPI Heterogeneous Memory Attribute Table " -+ "(HMAT) is disabled, enable it with -machine hmat=on " -+ "before using any of hmat specific options"); -+ return; -+ } -+ -+ parse_numa_hmat_cache(ms, &object->u.hmat_cache, &err); -+ if (err) { -+ goto end; -+ } -+ break; - default: - abort(); - } -diff --git a/include/sysemu/numa.h b/include/sysemu/numa.h -index 70f93c83d71eb2cdab5bf1dde422..ba693cc80b780ecccd49a4fa9145 100644 ---- a/include/sysemu/numa.h -+++ b/include/sysemu/numa.h -@@ -91,6 +91,9 @@ struct NumaState { - - /* NUMA nodes HMAT Locality Latency and Bandwidth Information */ - HMAT_LB_Info *hmat_lb[HMAT_LB_LEVELS][HMAT_LB_TYPES]; -+ -+ /* Memory Side Cache Information Structure */ -+ NumaHmatCacheOptions *hmat_cache[MAX_NODES][HMAT_LB_LEVELS]; - }; - typedef struct NumaState NumaState; - -@@ -98,6 +101,8 @@ void set_numa_options(MachineState *ms, NumaOptions *object, Error **errp); - void parse_numa_opts(MachineState *ms); - void parse_numa_hmat_lb(NumaState *numa_state, NumaHmatLBOptions *node, - Error **errp); -+void parse_numa_hmat_cache(MachineState *ms, NumaHmatCacheOptions *node, -+ Error **errp); - void numa_complete_configuration(MachineState *ms); - void query_numa_node_mem(NumaNodeMem node_mem[], MachineState *ms); - extern QemuOptsList qemu_numa_opts; -diff --git a/qapi/machine.json b/qapi/machine.json -index cf8faf5a2a4929560c852bf8d50c..b3d30bc8162da9a0b60005fdd86b 100644 ---- a/qapi/machine.json -+++ b/qapi/machine.json -@@ -428,10 +428,12 @@ - # - # @hmat-lb: memory latency and bandwidth information (Since: 5.0) - # -+# @hmat-cache: memory side cache information (Since: 5.0) -+# - # Since: 2.1 - ## - { 'enum': 'NumaOptionsType', -- 'data': [ 'node', 'dist', 'cpu', 'hmat-lb' ] } -+ 'data': [ 'node', 'dist', 'cpu', 'hmat-lb', 'hmat-cache' ] } - - ## - # @NumaOptions: -@@ -447,7 +449,8 @@ - 'node': 'NumaNodeOptions', - 'dist': 'NumaDistOptions', - 'cpu': 'NumaCpuOptions', -- 'hmat-lb': 'NumaHmatLBOptions' }} -+ 'hmat-lb': 'NumaHmatLBOptions', -+ 'hmat-cache': 'NumaHmatCacheOptions' }} - - ## - # @NumaNodeOptions: -@@ -646,6 +649,80 @@ - '*latency': 'uint64', - '*bandwidth': 'size' }} - -+## -+# @HmatCacheAssociativity: -+# -+# Cache associativity in the Memory Side Cache Information Structure -+# of HMAT -+# -+# For more information of @HmatCacheAssociativity, see chapter -+# 5.2.27.5: Table 5-147 of ACPI 6.3 spec. -+# -+# @none: None (no memory side cache in this proximity domain, -+# or cache associativity unknown) -+# -+# @direct: Direct Mapped -+# -+# @complex: Complex Cache Indexing (implementation specific) -+# -+# Since: 5.0 -+## -+{ 'enum': 'HmatCacheAssociativity', -+ 'data': [ 'none', 'direct', 'complex' ] } -+ -+## -+# @HmatCacheWritePolicy: -+# -+# Cache write policy in the Memory Side Cache Information Structure -+# of HMAT -+# -+# For more information of @HmatCacheWritePolicy, see chapter -+# 5.2.27.5: Table 5-147: Field "Cache Attributes" of ACPI 6.3 spec. -+# -+# @none: None (no memory side cache in this proximity domain, -+# or cache write policy unknown) -+# -+# @write-back: Write Back (WB) -+# -+# @write-through: Write Through (WT) -+# -+# Since: 5.0 -+## -+{ 'enum': 'HmatCacheWritePolicy', -+ 'data': [ 'none', 'write-back', 'write-through' ] } -+ -+## -+# @NumaHmatCacheOptions: -+# -+# Set the memory side cache information for a given memory domain. -+# -+# For more information of @NumaHmatCacheOptions, see chapter -+# 5.2.27.5: Table 5-147: Field "Cache Attributes" of ACPI 6.3 spec. -+# -+# @node-id: the memory proximity domain to which the memory belongs. -+# -+# @size: the size of memory side cache in bytes. -+# -+# @level: the cache level described in this structure. -+# -+# @associativity: the cache associativity, -+# none/direct-mapped/complex(complex cache indexing). -+# -+# @policy: the write policy, none/write-back/write-through. -+# -+# @line: the cache Line size in bytes. -+# -+# Since: 5.0 -+## -+{ 'struct': 'NumaHmatCacheOptions', -+ 'data': { -+ 'node-id': 'uint32', -+ 'size': 'size', -+ 'level': 'uint8', -+ 'associativity': 'HmatCacheAssociativity', -+ 'policy': 'HmatCacheWritePolicy', -+ 'line': 'uint16' }} -+ - ## - # @HostMemPolicy: - # -diff --git a/qemu-options.hx b/qemu-options.hx -index 5f7f31457ab6a8640698f6913b07..b0471ed152d77c9e0512c842149f 100644 ---- a/qemu-options.hx -+++ b/qemu-options.hx -@@ -169,7 +169,8 @@ DEF("numa", HAS_ARG, QEMU_OPTION_numa, - "-numa node[,memdev=id][,cpus=firstcpu[-lastcpu]][,nodeid=node][,initiator=node]\n" - "-numa dist,src=source,dst=destination,val=distance\n" - "-numa cpu,node-id=node[,socket-id=x][,core-id=y][,thread-id=z]\n" -- "-numa hmat-lb,initiator=node,target=node,hierarchy=memory|first-level|second-level|third-level,data-type=access-latency|read-latency|write-latency[,latency=lat][,bandwidth=bw]\n", -+ "-numa hmat-lb,initiator=node,target=node,hierarchy=memory|first-level|second-level|third-level,data-type=access-latency|read-latency|write-latency[,latency=lat][,bandwidth=bw]\n" -+ "-numa hmat-cache,node-id=node,size=size,level=level[,associativity=none|direct|complex][,policy=none|write-back|write-through][,line=size]\n", - QEMU_ARCH_ALL) - STEXI - @item -numa node[,mem=@var{size}][,cpus=@var{firstcpu}[-@var{lastcpu}]][,nodeid=@var{node}][,initiator=@var{initiator}] -@@ -177,6 +178,7 @@ STEXI - @itemx -numa dist,src=@var{source},dst=@var{destination},val=@var{distance} - @itemx -numa cpu,node-id=@var{node}[,socket-id=@var{x}][,core-id=@var{y}][,thread-id=@var{z}] - @itemx -numa hmat-lb,initiator=@var{node},target=@var{node},hierarchy=@var{hierarchy},data-type=@var{tpye}[,latency=@var{lat}][,bandwidth=@var{bw}] -+@itemx -numa hmat-cache,node-id=@var{node},size=@var{size},level=@var{level}[,associativity=@var{str}][,policy=@var{str}][,line=@var{size}] - @findex -numa - Define a NUMA node and assign RAM and VCPUs to it. - Set the NUMA distance from a source node to a destination node. -@@ -280,11 +282,20 @@ NUM byte per second (or MB/s, GB/s or TB/s depending on used suffix). - Note that if latency or bandwidth value is 0, means the corresponding latency or - bandwidth information is not provided. - -+In @samp{hmat-cache} option, @var{node-id} is the NUMA-id of the memory belongs. -+@var{size} is the size of memory side cache in bytes. @var{level} is the cache -+level described in this structure, note that the cache level 0 should not be used -+with @samp{hmat-cache} option. @var{associativity} is the cache associativity, -+the possible value is 'none/direct(direct-mapped)/complex(complex cache indexing)'. -+@var{policy} is the write policy. @var{line} is the cache Line size in bytes. -+ - For example, the following options describe 2 NUMA nodes. Node 0 has 2 cpus and - a ram, node 1 has only a ram. The processors in node 0 access memory in node - 0 with access-latency 5 nanoseconds, access-bandwidth is 200 MB/s; - The processors in NUMA node 0 access memory in NUMA node 1 with access-latency 10 - nanoseconds, access-bandwidth is 100 MB/s. -+And for memory side cache information, NUMA node 0 and 1 both have 1 level memory -+cache, size is 10KB, policy is write-back, the cache Line size is 8 bytes: - @example - -machine hmat=on \ - -m 2G \ -@@ -298,7 +309,9 @@ nanoseconds, access-bandwidth is 100 MB/s. - -numa hmat-lb,initiator=0,target=0,hierarchy=memory,data-type=access-latency,latency=5 \ - -numa hmat-lb,initiator=0,target=0,hierarchy=memory,data-type=access-bandwidth,bandwidth=200M \ - -numa hmat-lb,initiator=0,target=1,hierarchy=memory,data-type=access-latency,latency=10 \ ---numa hmat-lb,initiator=0,target=1,hierarchy=memory,data-type=access-bandwidth,bandwidth=100M -+-numa hmat-lb,initiator=0,target=1,hierarchy=memory,data-type=access-bandwidth,bandwidth=100M \ -+-numa hmat-cache,node-id=0,size=10K,level=1,associativity=direct,policy=write-back,line=8 \ -+-numa hmat-cache,node-id=1,size=10K,level=1,associativity=direct,policy=write-back,line=8 - @end example - - ETEXI diff --git a/packaging/nvram-add-nrf51_soc-flash-read-method.patch b/packaging/nvram-add-nrf51_soc-flash-read-method.patch deleted file mode 100644 index 1e1062d95..000000000 --- a/packaging/nvram-add-nrf51_soc-flash-read-method.patch +++ /dev/null @@ -1,49 +0,0 @@ -From: Prasad J Pandit -Date: Tue, 11 Aug 2020 17:11:29 +0530 -Subject: nvram: add nrf51_soc flash read method - -Git-commit: b5bf601f364e1a14ca4c3276f88dfec024acf613 -References: bsc#1173612, CVE-2020-15469 - -Add nrf51_soc mmio read method to avoid NULL pointer dereference -issue. - -Reported-by: Lei Sun -Reviewed-by: Peter Maydell -Signed-off-by: Prasad J Pandit -Reviewed-by: Li Qiang -Message-Id: <20200811114133.672647-6-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Bruce Rogers ---- - hw/nvram/nrf51_nvm.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c -index 4d678f994e7d7579d6328aeb5d9a..61365e9174b7e3328c748da329fb 100644 ---- a/hw/nvram/nrf51_nvm.c -+++ b/hw/nvram/nrf51_nvm.c -@@ -273,6 +273,15 @@ static const MemoryRegionOps io_ops = { - .endianness = DEVICE_LITTLE_ENDIAN, - }; - -+static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size) -+{ -+ /* -+ * This is a rom_device MemoryRegion which is always in -+ * romd_mode (we never put it in MMIO mode), so reads always -+ * go directly to RAM and never come here. -+ */ -+ g_assert_not_reached(); -+} - - static void flash_write(void *opaque, hwaddr offset, uint64_t value, - unsigned int size) -@@ -300,6 +309,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value, - - - static const MemoryRegionOps flash_ops = { -+ .read = flash_read, - .write = flash_write, - .valid.min_access_size = 4, - .valid.max_access_size = 4, diff --git a/packaging/osdep-provide-ROUND_DOWN-macro.patch b/packaging/osdep-provide-ROUND_DOWN-macro.patch deleted file mode 100644 index db1d8fc80..000000000 --- a/packaging/osdep-provide-ROUND_DOWN-macro.patch +++ /dev/null @@ -1,69 +0,0 @@ -From: Lin Ma -Date: Mon, 13 Sep 2021 17:07:19 +0800 -Subject: osdep: provide ROUND_DOWN macro - -Git-commit: c9797456f64ce72c03eb2969d97ac1dd4698d91e -References: bsc#1190425 - -osdep.h provides a ROUND_UP macro to hide bitwise operations for the -purpose of rounding a number up to a power of two; add a ROUND_DOWN -macro that does the same with truncation towards zero. - -While at it, change the formatting of some comments. - -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - include/qemu/osdep.h | 28 ++++++++++++++++++++++------ - 1 file changed, 22 insertions(+), 6 deletions(-) - -diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h -index 0f97d68586add1396cbe3c647c51..6cb89df3f2b79018413b26ee58e0 100644 ---- a/include/qemu/osdep.h -+++ b/include/qemu/osdep.h -@@ -264,11 +264,16 @@ extern int daemon(int, int); - ((b) == 0 ? (a) : (MIN(a, b)))) - #endif - --/* Round number down to multiple */ -+/* -+ * Round number down to multiple. Safe when m is not a power of 2 (see -+ * ROUND_DOWN for a faster version when a power of 2 is guaranteed). -+ */ - #define QEMU_ALIGN_DOWN(n, m) ((n) / (m) * (m)) - --/* Round number up to multiple. Safe when m is not a power of 2 (see -- * ROUND_UP for a faster version when a power of 2 is guaranteed) */ -+/* -+ * Round number up to multiple. Safe when m is not a power of 2 (see -+ * ROUND_UP for a faster version when a power of 2 is guaranteed). -+ */ - #define QEMU_ALIGN_UP(n, m) QEMU_ALIGN_DOWN((n) + (m) - 1, (m)) - - /* Check if n is a multiple of m */ -@@ -285,11 +290,22 @@ extern int daemon(int, int); - /* Check if pointer p is n-bytes aligned */ - #define QEMU_PTR_IS_ALIGNED(p, n) QEMU_IS_ALIGNED((uintptr_t)(p), (n)) - --/* Round number up to multiple. Requires that d be a power of 2 (see -+/* -+ * Round number down to multiple. Requires that d be a power of 2 (see - * QEMU_ALIGN_UP for a safer but slower version on arbitrary -- * numbers); works even if d is a smaller type than n. */ -+ * numbers); works even if d is a smaller type than n. -+ */ -+#ifndef ROUND_DOWN -+#define ROUND_DOWN(n, d) ((n) & -(0 ? (n) : (d))) -+#endif -+ -+/* -+ * Round number up to multiple. Requires that d be a power of 2 (see -+ * QEMU_ALIGN_UP for a safer but slower version on arbitrary -+ * numbers); works even if d is a smaller type than n. -+ */ - #ifndef ROUND_UP --#define ROUND_UP(n, d) (((n) + (d) - 1) & -(0 ? (n) : (d))) -+#define ROUND_UP(n, d) ROUND_DOWN((n) + (d) - 1, (d)) - #endif - - #ifndef DIV_ROUND_UP diff --git a/packaging/pc-bios-s390-ccw-break-loop-if-a-null-bl.patch b/packaging/pc-bios-s390-ccw-break-loop-if-a-null-bl.patch deleted file mode 100644 index 499be9e10..000000000 --- a/packaging/pc-bios-s390-ccw-break-loop-if-a-null-bl.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Marc Hartmayer -Date: Thu, 24 Sep 2020 10:59:25 +0200 -Subject: pc-bios/s390-ccw: break loop if a null block number is reached - -Git-commit: 468184ec9024f4f7b55247f70ec57554e8a500d7 -References: bsc#1183979 - -Break the loop if `cur_block_nr` is a null block number because this -means that the end of chunk is reached. In this case we will try to -boot the default entry. - -Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu") -Reviewed-by: Collin Walling -Signed-off-by: Marc Hartmayer -Message-Id: <20200924085926.21709-3-mhartmay@linux.ibm.com> -Signed-off-by: Thomas Huth -Signed-off-by: Bruce Rogers ---- - pc-bios/s390-ccw/bootmap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c -index ba6b25fb982cca53e1f8bab1f344..fd72714de4997947dc0063f8c183 100644 ---- a/pc-bios/s390-ccw/bootmap.c -+++ b/pc-bios/s390-ccw/bootmap.c -@@ -192,7 +192,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr) - for (i = 0; i < STAGE2_BLK_CNT_MAX; i++) { - cur_block_nr = eckd_block_num(&s1b->seek[i].chs); - -- if (!cur_block_nr) { -+ if (!cur_block_nr || is_null_block_number(cur_block_nr)) { - break; - } - diff --git a/packaging/pc-bios-s390-ccw-don-t-try-to-read-the-n.patch b/packaging/pc-bios-s390-ccw-don-t-try-to-read-the-n.patch deleted file mode 100644 index 3b316647c..000000000 --- a/packaging/pc-bios-s390-ccw-don-t-try-to-read-the-n.patch +++ /dev/null @@ -1,33 +0,0 @@ -From: Marc Hartmayer -Date: Fri, 16 Apr 2021 09:47:36 +0200 -Subject: pc-bios/s390-ccw: don't try to read the next block if end of chunk is - reached - -Git-commit: a6625d38cce3901a7c1cba069f0abcf743a293f1 -References: bsc#1186290 - -Don't read the block if a null block number is reached, because this means that -the end of chunk is reached. - -Reviewed-by: Collin Walling -Signed-off-by: Marc Hartmayer -Message-Id: <20210416074736.17409-1-mhartmay@linux.ibm.com> -Signed-off-by: Thomas Huth -Signed-off-by: Cho, Yu-Chen ---- - pc-bios/s390-ccw/bootmap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c -index fd72714de4997947dc0063f8c183..babe7ac9381518eec730c20f1d03 100644 ---- a/pc-bios/s390-ccw/bootmap.c -+++ b/pc-bios/s390-ccw/bootmap.c -@@ -212,7 +212,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr) - next_block_nr = eckd_block_num(&s1b->seek[i + 1].chs); - } - -- if (next_block_nr) { -+ if (next_block_nr && !is_null_block_number(next_block_nr)) { - read_block(next_block_nr, s2_next_blk, - "Cannot read stage2 boot loader"); - } diff --git a/packaging/pc-bios-s390-ccw-fix-off-by-one-error.patch b/packaging/pc-bios-s390-ccw-fix-off-by-one-error.patch deleted file mode 100644 index 7a2b7500d..000000000 --- a/packaging/pc-bios-s390-ccw-fix-off-by-one-error.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Marc Hartmayer -Date: Thu, 24 Sep 2020 10:59:24 +0200 -Subject: pc-bios/s390-ccw: fix off-by-one error - -Git-commit: 5f97ba0c74ccace0a4014460de9751ff3c6f454a -References: bsc#1183979 - -This error takes effect when the magic value "zIPL" is located at the -end of a block. For example if s2_cur_blk = 0x7fe18000 and the magic -value "zIPL" is located at 0x7fe18ffc - 0x7fe18fff. - -Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu") -Reviewed-by: Collin Walling -Signed-off-by: Marc Hartmayer -Message-Id: <20200924085926.21709-2-mhartmay@linux.ibm.com> -Reviewed-by: Thomas Huth -[thuth: Use "<= ... - 4" instead of "< ... - 3"] -Signed-off-by: Thomas Huth -Signed-off-by: Bruce Rogers ---- - pc-bios/s390-ccw/bootmap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c -index d13b7cbd1597bf2e531efcf8f54e..ba6b25fb982cca53e1f8bab1f344 100644 ---- a/pc-bios/s390-ccw/bootmap.c -+++ b/pc-bios/s390-ccw/bootmap.c -@@ -163,7 +163,7 @@ static bool find_zipl_boot_menu_banner(int *offset) - int i; - - /* Menu banner starts with "zIPL" */ -- for (i = 0; i < virtio_get_block_size() - 4; i++) { -+ for (i = 0; i <= virtio_get_block_size() - 4; i++) { - if (magic_match(s2_cur_blk + i, ZIPL_MAGIC_EBCDIC)) { - *offset = i; - return true; diff --git a/packaging/pc-bios-s390-ccw-net-avoid-warning-about.patch b/packaging/pc-bios-s390-ccw-net-avoid-warning-about.patch deleted file mode 100644 index e67089bd1..000000000 --- a/packaging/pc-bios-s390-ccw-net-avoid-warning-about.patch +++ /dev/null @@ -1,24 +0,0 @@ -From: Bruce Rogers -Date: Wed, 29 May 2019 09:59:02 -0600 -Subject: pc-bios/s390-ccw/net: avoid warning about packed structure members - -This is hopefully temporary. Simply disable the warning about taking -the address of packed structure members which is new in gcc9. - -Signed-off-by: Bruce Rogers ---- - pc-bios/s390-ccw/netboot.mak | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/pc-bios/s390-ccw/netboot.mak b/pc-bios/s390-ccw/netboot.mak -index 5eefb7c289395ca37fcd241ce53d..ea2994722cde7e8a65796d374dc7 100644 ---- a/pc-bios/s390-ccw/netboot.mak -+++ b/pc-bios/s390-ccw/netboot.mak -@@ -53,6 +53,7 @@ libc.a: $(LIBCOBJS) - LIBNETOBJS := args.o dhcp.o dns.o icmpv6.o ipv6.o tcp.o udp.o bootp.o \ - dhcpv6.o ethernet.o ipv4.o ndp.o tftp.o pxelinux.o - LIBNETCFLAGS := $(QEMU_CFLAGS) $(CFLAGS) -DDHCPARCH=0x1F $(LIBC_INC) $(LIBNET_INC) -+LIBNETCFLAGS += -Wno-address-of-packed-member - - %.o : $(SLOF_DIR)/lib/libnet/%.c - $(call quiet-command,$(CC) $(LIBNETCFLAGS) -c -o $@ $<,"CC","$(TARGET_DIR)$@") diff --git a/packaging/pci-host-designware-add-pcie-msi-read-me.patch b/packaging/pci-host-designware-add-pcie-msi-read-me.patch deleted file mode 100644 index 56342cf23..000000000 --- a/packaging/pci-host-designware-add-pcie-msi-read-me.patch +++ /dev/null @@ -1,65 +0,0 @@ -From: Prasad J Pandit -Date: Tue, 11 Aug 2020 17:11:26 +0530 -Subject: pci-host: designware: add pcie-msi read method - -Git-commit: 4f2a5202a05fc1612954804a2482f07bff105ea2 -References: bsc#1173612, CVE-2020-15469 - -Add pcie-msi mmio read method to avoid NULL pointer dereference -issue. - -Reported-by: Lei Sun -Reviewed-by: Li Qiang -Reviewed-by: Peter Maydell -Signed-off-by: Prasad J Pandit -Message-Id: <20200811114133.672647-3-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Bruce Rogers ---- - hw/pci-host/designware.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c -index 71e9b0d9b548549d200cc6854cf6..f9c5d29d13c86509a3198d214dc6 100644 ---- a/hw/pci-host/designware.c -+++ b/hw/pci-host/designware.c -@@ -21,6 +21,7 @@ - #include "qemu/osdep.h" - #include "qapi/error.h" - #include "qemu/module.h" -+#include "qemu/log.h" - #include "hw/pci/msi.h" - #include "hw/pci/pci_bridge.h" - #include "hw/pci/pci_host.h" -@@ -63,6 +64,23 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root) - return DESIGNWARE_PCIE_HOST(bus->parent); - } - -+static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr, -+ unsigned size) -+{ -+ /* -+ * Attempts to read from the MSI address are undefined in -+ * the PCI specifications. For this hardware, the datasheet -+ * specifies that a read from the magic address is simply not -+ * intercepted by the MSI controller, and will go out to the -+ * AHB/AXI bus like any other PCI-device-initiated DMA read. -+ * This is not trivial to implement in QEMU, so since -+ * well-behaved guests won't ever ask a PCI device to DMA from -+ * this address we just log the missing functionality. -+ */ -+ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); -+ return 0; -+} -+ - static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, - uint64_t val, unsigned len) - { -@@ -77,6 +95,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, - } - - static const MemoryRegionOps designware_pci_host_msi_ops = { -+ .read = designware_pcie_root_msi_read, - .write = designware_pcie_root_msi_write, - .endianness = DEVICE_LITTLE_ENDIAN, - .valid = { diff --git a/packaging/pcnet-switch-to-use-qemu_receive_packet-.patch b/packaging/pcnet-switch-to-use-qemu_receive_packet-.patch deleted file mode 100644 index 4c54af031..000000000 --- a/packaging/pcnet-switch-to-use-qemu_receive_packet-.patch +++ /dev/null @@ -1,38 +0,0 @@ -From: Alexander Bulekov -Date: Mon, 1 Mar 2021 10:33:34 -0500 -Subject: pcnet: switch to use qemu_receive_packet() for loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928 - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Buglink: https://bugs.launchpad.net/qemu/+bug/1917085 -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Jason Wang -Signed-off-by: Bruce Rogers ---- - hw/net/pcnet.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c -index f3f18d8598c43aca02ca138aa46e..dcd3fc49481b46a6d4bb7c726572 100644 ---- a/hw/net/pcnet.c -+++ b/hw/net/pcnet.c -@@ -1250,7 +1250,7 @@ txagain: - if (BCR_SWSTYLE(s) == 1) - add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); - s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; -- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); -+ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); - s->looptest = 0; - } else { - if (s->nic) { diff --git a/packaging/prep-add-ppc-parity-write-method.patch b/packaging/prep-add-ppc-parity-write-method.patch deleted file mode 100644 index 2994296ad..000000000 --- a/packaging/prep-add-ppc-parity-write-method.patch +++ /dev/null @@ -1,49 +0,0 @@ -From: Prasad J Pandit -Date: Tue, 11 Aug 2020 17:11:28 +0530 -Subject: prep: add ppc-parity write method - -Git-commit: f867cebaedbc9c43189f102e4cdfdff05e88df7f -References: bsc#1173612, CVE-2020-15469 - -Add ppc-parity mmio write method to avoid NULL pointer dereference -issue. - -Reported-by: Lei Sun -Acked-by: David Gibson -Signed-off-by: Prasad J Pandit -Reviewed-by: Li Qiang -Message-Id: <20200811114133.672647-5-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Bruce Rogers ---- - hw/ppc/prep_systemio.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/ppc/prep_systemio.c b/hw/ppc/prep_systemio.c -index 86e83e278fcc733c8db60a46ce57..ae65e50cfbc63392bb7ce3c88064 100644 ---- a/hw/ppc/prep_systemio.c -+++ b/hw/ppc/prep_systemio.c -@@ -23,6 +23,7 @@ - */ - - #include "qemu/osdep.h" -+#include "qemu/log.h" - #include "hw/irq.h" - #include "hw/isa/isa.h" - #include "hw/qdev-properties.h" -@@ -235,8 +236,15 @@ static uint64_t ppc_parity_error_readl(void *opaque, hwaddr addr, - return val; - } - -+static void ppc_parity_error_writel(void *opaque, hwaddr addr, -+ uint64_t data, unsigned size) -+{ -+ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); -+} -+ - static const MemoryRegionOps ppc_parity_error_ops = { - .read = ppc_parity_error_readl, -+ .write = ppc_parity_error_writel, - .valid = { - .min_access_size = 4, - .max_access_size = 4, diff --git a/packaging/pvrdma-Ensure-correct-input-on-ring-init.patch b/packaging/pvrdma-Ensure-correct-input-on-ring-init.patch deleted file mode 100644 index 1055e6a7e..000000000 --- a/packaging/pvrdma-Ensure-correct-input-on-ring-init.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Marcel Apfelbaum -Date: Wed, 30 Jun 2021 14:46:34 +0300 -Subject: pvrdma: Ensure correct input on ring init (CVE-2021-3607) - -Git-commit: 32e5703cfea07c91e6e84bcb0313f633bb146534 -References: CVE-2021-3607 bsc#1187539 - -Check the guest passed a non zero page count -for pvrdma device ring buffers. - -Fixes: CVE-2021-3607 -Reported-by: VictorV (Kunlun Lab) -Reviewed-by: VictorV (Kunlun Lab) -Signed-off-by: Marcel Apfelbaum -Message-Id: <20210630114634.2168872-1-marcel@redhat.com> -Reviewed-by: Yuval Shaia -Tested-by: Yuval Shaia -Signed-off-by: Marcel Apfelbaum -Signed-off-by: Jose R. Ziviani ---- - hw/rdma/vmw/pvrdma_main.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c -index 6f0fc405c77395fc80cc35af89f6..4aa1a467cea641a8ab17cedbba6c 100644 ---- a/hw/rdma/vmw/pvrdma_main.c -+++ b/hw/rdma/vmw/pvrdma_main.c -@@ -91,6 +91,11 @@ static int init_dev_ring(PvrdmaRing *ring, struct pvrdma_ring **ring_state, - uint64_t *dir, *tbl; - int rc = 0; - -+ if (!num_pages) { -+ rdma_error_report("Ring pages count must be strictly positive"); -+ return -EINVAL; -+ } -+ - dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); - if (!dir) { - rdma_error_report("Failed to map to page directory (ring %s)", name); diff --git a/packaging/pvrdma-Fix-the-ring-init-error-flow-CVE-.patch b/packaging/pvrdma-Fix-the-ring-init-error-flow-CVE-.patch deleted file mode 100644 index cf4b1502e..000000000 --- a/packaging/pvrdma-Fix-the-ring-init-error-flow-CVE-.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Marcel Apfelbaum -Date: Wed, 30 Jun 2021 14:52:46 +0300 -Subject: pvrdma: Fix the ring init error flow (CVE-2021-3608) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 66ae37d8cc313f89272e711174a846a229bcdbd3 -References: CVE-2021-3608 bsc#1187538 - -Do not unmap uninitialized dma addresses. - -Fixes: CVE-2021-3608 -Reviewed-by: VictorV (Kunlun Lab) -Tested-by: VictorV (Kunlun Lab) -Signed-off-by: Marcel Apfelbaum -Message-Id: <20210630115246.2178219-1-marcel@redhat.com> -Tested-by: Yuval Shaia -Reviewed-by: Yuval Shaia -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Marcel Apfelbaum -Signed-off-by: Jose R. Ziviani ---- - hw/rdma/vmw/pvrdma_dev_ring.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c -index d7bc7f5ccc8afaec536ce59545fe..2a620ad5bc5d312af3861f09c6ab 100644 ---- a/hw/rdma/vmw/pvrdma_dev_ring.c -+++ b/hw/rdma/vmw/pvrdma_dev_ring.c -@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, const char *name, PCIDevice *dev, - atomic_set(&ring->ring_state->cons_head, 0); - */ - ring->npages = npages; -- ring->pages = g_malloc(npages * sizeof(void *)); -+ ring->pages = g_malloc0(npages * sizeof(void *)); - - for (i = 0; i < npages; i++) { - if (!tbl[i]) { diff --git a/packaging/qdev-add-check-if-address-free-callback-.patch b/packaging/qdev-add-check-if-address-free-callback-.patch deleted file mode 100644 index 871ce68c8..000000000 --- a/packaging/qdev-add-check-if-address-free-callback-.patch +++ /dev/null @@ -1,868 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 6 Oct 2020 15:38:55 +0300 -Subject: qdev: add "check if address free" callback for buses - -Git-commit: bb755ba47f3747251c0eadf681ee68b9033309b8 -References: bsc#1184574 - -Check if an address is free on the bus before plugging in the -device. This makes it possible to do the check without any -side effects, and to detect the problem early without having -to do it in the realize callback. - -Signed-off-by: Paolo Bonzini -Message-Id: <20201006123904.610658-5-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - hw/core/qdev.c | 15 +++++++++++++-- - hw/core/sysbus.c | 2 +- - hw/display/virtio-gpu-pci.c | 2 +- - hw/display/virtio-vga.c | 2 +- - hw/i386/amd_iommu.c | 2 +- - hw/isa/piix4.c | 2 +- - hw/misc/auxbus.c | 4 ++-- - hw/misc/macio/macio.c | 6 +++--- - hw/net/virtio-net.c | 2 +- - hw/pci-host/designware.c | 2 +- - hw/pci-host/gpex.c | 2 +- - hw/pci-host/prep.c | 2 +- - hw/pci-host/q35.c | 2 +- - hw/pci-host/versatile.c | 3 ++- - hw/pci-host/xilinx-pcie.c | 2 +- - hw/s390x/event-facility.c | 4 ++-- - hw/s390x/sclp.c | 2 +- - hw/s390x/vhost-vsock-ccw.c | 2 +- - hw/s390x/virtio-ccw-9p.c | 2 +- - hw/s390x/virtio-ccw-balloon.c | 2 +- - hw/s390x/virtio-ccw-blk.c | 2 +- - hw/s390x/virtio-ccw-crypto.c | 2 +- - hw/s390x/virtio-ccw-gpu.c | 2 +- - hw/s390x/virtio-ccw-input.c | 2 +- - hw/s390x/virtio-ccw-net.c | 2 +- - hw/s390x/virtio-ccw-rng.c | 2 +- - hw/s390x/virtio-ccw-scsi.c | 4 ++-- - hw/s390x/virtio-ccw-serial.c | 3 ++- - hw/sd/core.c | 3 ++- - hw/ssi/ssi.c | 3 ++- - hw/virtio/vhost-scsi-pci.c | 2 +- - hw/virtio/vhost-user-blk-pci.c | 2 +- - hw/virtio/vhost-user-fs-pci.c | 3 ++- - hw/virtio/vhost-user-scsi-pci.c | 2 +- - hw/virtio/vhost-vsock-pci.c | 3 ++- - hw/virtio/virtio-9p-pci.c | 3 ++- - hw/virtio/virtio-balloon-pci.c | 2 +- - hw/virtio/virtio-blk-pci.c | 2 +- - hw/virtio/virtio-crypto-pci.c | 2 +- - hw/virtio/virtio-input-pci.c | 3 ++- - hw/virtio/virtio-net-pci.c | 2 +- - hw/virtio/virtio-pmem-pci.c | 2 +- - hw/virtio/virtio-rng-pci.c | 2 +- - hw/virtio/virtio-scsi-pci.c | 3 ++- - hw/virtio/virtio-serial-pci.c | 3 ++- - hw/xen/xen-legacy-backend.c | 2 +- - include/hw/qdev-core.h | 13 ++++++++++++- - qdev-monitor.c | 2 +- - 48 files changed, 86 insertions(+), 54 deletions(-) - -diff --git a/hw/core/qdev.c b/hw/core/qdev.c -index cf1ba28fe35346618cb71120576c..342ea8a3feb955c3318616252ead 100644 ---- a/hw/core/qdev.c -+++ b/hw/core/qdev.c -@@ -93,10 +93,20 @@ static void bus_add_child(BusState *bus, DeviceState *child) - NULL); - } - --void qdev_set_parent_bus(DeviceState *dev, BusState *bus) -+static bool bus_check_address(BusState *bus, DeviceState *child, Error **errp) -+{ -+ BusClass *bc = BUS_GET_CLASS(bus); -+ return !bc->check_address || bc->check_address(bus, child, errp); -+} -+ -+bool qdev_set_parent_bus(DeviceState *dev, BusState *bus, Error **errp) - { - bool replugging = dev->parent_bus != NULL; - -+ if (!bus_check_address(bus, dev, errp)) { -+ return false; -+ } -+ - if (replugging) { - /* Keep a reference to the device while it's not plugged into - * any bus, to avoid it potentially evaporating when it is -@@ -112,6 +122,7 @@ void qdev_set_parent_bus(DeviceState *dev, BusState *bus) - if (replugging) { - object_unref(OBJECT(dev)); - } -+ return true; - } - - /* Create a new device. This only initializes the device state -@@ -157,7 +168,7 @@ DeviceState *qdev_try_create(BusState *bus, const char *type) - bus = sysbus_get_default(); - } - -- qdev_set_parent_bus(dev, bus); -+ qdev_set_parent_bus(dev, bus, &error_abort); - object_unref(OBJECT(dev)); - return dev; - } -diff --git a/hw/core/sysbus.c b/hw/core/sysbus.c -index 9e69c83aedfe8578e9988ba93e79..1d79960bbaaeba984d0fb7937002 100644 ---- a/hw/core/sysbus.c -+++ b/hw/core/sysbus.c -@@ -383,7 +383,7 @@ void sysbus_init_child_obj(Object *parent, const char *childname, void *child, - { - object_initialize_child(parent, childname, child, childsize, childtype, - &error_abort, NULL); -- qdev_set_parent_bus(DEVICE(child), sysbus_get_default()); -+ qdev_set_parent_bus(DEVICE(child), sysbus_get_default(), &error_abort); - } - - static void sysbus_register_types(void) -diff --git a/hw/display/virtio-gpu-pci.c b/hw/display/virtio-gpu-pci.c -index 25e4038874ed091d5d74311cf118..67021040bec57e41ce3e4f9e2986 100644 ---- a/hw/display/virtio-gpu-pci.c -+++ b/hw/display/virtio-gpu-pci.c -@@ -33,7 +33,7 @@ static void virtio_gpu_pci_base_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - int i; - Error *local_error = NULL; - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - virtio_pci_force_virtio_1(vpci_dev); - object_property_set_bool(OBJECT(vdev), true, "realized", &local_error); - -diff --git a/hw/display/virtio-vga.c b/hw/display/virtio-vga.c -index cc6e66ea1c2cfe1f76c05ceebbbf..adca75d7cd055d5442873ed610d6 100644 ---- a/hw/display/virtio-vga.c -+++ b/hw/display/virtio-vga.c -@@ -136,7 +136,7 @@ static void virtio_vga_base_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - vpci_dev->common.offset = offset; - - /* init virtio bits */ -- qdev_set_parent_bus(DEVICE(g), BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(DEVICE(g), BUS(&vpci_dev->bus), &error_abort); - virtio_pci_force_virtio_1(vpci_dev); - object_property_set_bool(OBJECT(g), true, "realized", &err); - if (err) { -diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c -index ac5f2fddc5463e4c8776ac2f5036..ff1c870b41bcbb1865d00512504d 100644 ---- a/hw/i386/amd_iommu.c -+++ b/hw/i386/amd_iommu.c -@@ -1548,7 +1548,7 @@ static void amdvi_realize(DeviceState *dev, Error **err) - - /* This device should take care of IOMMU PCI properties */ - x86_iommu->type = TYPE_AMD; -- qdev_set_parent_bus(DEVICE(&s->pci), &bus->qbus); -+ qdev_set_parent_bus(DEVICE(&s->pci), &bus->qbus, &error_abort); - object_property_set_bool(OBJECT(&s->pci), true, "realized", err); - ret = pci_add_capability(&s->pci.dev, AMDVI_CAPAB_ID_SEC, 0, - AMDVI_CAPAB_SIZE, err); -diff --git a/hw/isa/piix4.c b/hw/isa/piix4.c -index a7ed885dc8e49537c1241eaea7e1..0c09c195fe17cc27ba4b7164ab79 100644 ---- a/hw/isa/piix4.c -+++ b/hw/isa/piix4.c -@@ -195,7 +195,7 @@ static void piix4_realize(PCIDevice *dev, Error **errp) - i8257_dma_init(isa_bus, 0); - - /* RTC */ -- qdev_set_parent_bus(DEVICE(&s->rtc), BUS(isa_bus)); -+ qdev_set_parent_bus(DEVICE(&s->rtc), BUS(isa_bus), &error_abort); - qdev_prop_set_int32(DEVICE(&s->rtc), "base_year", 2000); - object_property_set_bool(OBJECT(&s->rtc), true, "realized", &err); - if (err) { -diff --git a/hw/misc/auxbus.c b/hw/misc/auxbus.c -index f8e7b979712571cdf66565cf4ba2..b35439e3640e4d4981a569ea58ea 100644 ---- a/hw/misc/auxbus.c -+++ b/hw/misc/auxbus.c -@@ -70,7 +70,7 @@ AUXBus *aux_init_bus(DeviceState *parent, const char *name) - bus = AUX_BUS(qbus_create(TYPE_AUX_BUS, parent, name)); - auxtoi2c = object_new_with_props(TYPE_AUXTOI2C, OBJECT(bus), "i2c", - &error_abort, NULL); -- qdev_set_parent_bus(DEVICE(auxtoi2c), BUS(bus)); -+ qdev_set_parent_bus(DEVICE(auxtoi2c), BUS(bus), &error_abort); - - bus->bridge = AUXTOI2C(auxtoi2c); - -@@ -275,7 +275,7 @@ DeviceState *aux_create_slave(AUXBus *bus, const char *type) - - dev = DEVICE(object_new(type)); - assert(dev); -- qdev_set_parent_bus(dev, &bus->qbus); -+ qdev_set_parent_bus(dev, &bus->qbus, &error_abort); - return dev; - } - -diff --git a/hw/misc/macio/macio.c b/hw/misc/macio/macio.c -index 50f20d82066143bedd6c30f4d3be..b22c8597ec238ef90c157993a54b 100644 ---- a/hw/misc/macio/macio.c -+++ b/hw/misc/macio/macio.c -@@ -100,7 +100,7 @@ static void macio_init_child_obj(MacIOState *s, const char *childname, - { - object_initialize_child(OBJECT(s), childname, child, childsize, childtype, - &error_abort, NULL); -- qdev_set_parent_bus(DEVICE(child), BUS(&s->macio_bus)); -+ qdev_set_parent_bus(DEVICE(child), BUS(&s->macio_bus), &error_abort); - } - - static void macio_common_realize(PCIDevice *d, Error **errp) -@@ -355,7 +355,7 @@ static void macio_newworld_realize(PCIDevice *d, Error **errp) - object_property_set_link(OBJECT(&s->pmu), OBJECT(sysbus_dev), "gpio", - &error_abort); - qdev_prop_set_bit(DEVICE(&s->pmu), "has-adb", ns->has_adb); -- qdev_set_parent_bus(DEVICE(&s->pmu), BUS(&s->macio_bus)); -+ qdev_set_parent_bus(DEVICE(&s->pmu), BUS(&s->macio_bus), &error_abort); - - object_property_set_bool(OBJECT(&s->pmu), true, "realized", &err); - if (err) { -@@ -371,7 +371,7 @@ static void macio_newworld_realize(PCIDevice *d, Error **errp) - /* CUDA */ - object_initialize_child(OBJECT(s), "cuda", &s->cuda, sizeof(s->cuda), - TYPE_CUDA, &error_abort, NULL); -- qdev_set_parent_bus(DEVICE(&s->cuda), BUS(&s->macio_bus)); -+ qdev_set_parent_bus(DEVICE(&s->cuda), BUS(&s->macio_bus), &error_abort); - qdev_prop_set_uint64(DEVICE(&s->cuda), "timebase-frequency", - s->frequency); - -diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c -index 7483d11ec2300f483899c24b53bf..4764b83d568dcd5efdd9a95d829e 100644 ---- a/hw/net/virtio-net.c -+++ b/hw/net/virtio-net.c -@@ -2815,7 +2815,7 @@ static bool failover_replug_primary(VirtIONet *n, Error **errp) - error_setg(errp, "virtio_net: couldn't find primary bus"); - return false; - } -- qdev_set_parent_bus(n->primary_dev, n->primary_bus); -+ qdev_set_parent_bus(n->primary_dev, n->primary_bus, &error_abort); - n->primary_should_be_hidden = false; - qemu_opt_set_bool(n->primary_device_opts, - "partially_hotplugged", true, &err); -diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c -index f9c5d29d13c86509a3198d214dc6..6a5e677a0c59542937b5c7a73c2f 100644 ---- a/hw/pci-host/designware.c -+++ b/hw/pci-host/designware.c -@@ -707,7 +707,7 @@ static void designware_pcie_host_realize(DeviceState *dev, Error **errp) - "pcie-bus-address-space"); - pci_setup_iommu(pci->bus, designware_pcie_host_set_iommu, s); - -- qdev_set_parent_bus(DEVICE(&s->root), BUS(pci->bus)); -+ qdev_set_parent_bus(DEVICE(&s->root), BUS(pci->bus), &error_abort); - qdev_init_nofail(DEVICE(&s->root)); - } - -diff --git a/hw/pci-host/gpex.c b/hw/pci-host/gpex.c -index 0ca604dc628ebccc3f622625bb18..a76587c7f3d0c573325d7fd83a2a 100644 ---- a/hw/pci-host/gpex.c -+++ b/hw/pci-host/gpex.c -@@ -98,7 +98,7 @@ static void gpex_host_realize(DeviceState *dev, Error **errp) - pci_swizzle_map_irq_fn, s, &s->io_mmio, - &s->io_ioport, 0, 4, TYPE_PCIE_BUS); - -- qdev_set_parent_bus(DEVICE(&s->gpex_root), BUS(pci->bus)); -+ qdev_set_parent_bus(DEVICE(&s->gpex_root), BUS(pci->bus), &error_abort); - pci_bus_set_route_irq_fn(pci->bus, gpex_route_intx_pin_to_irq); - qdev_init_nofail(DEVICE(&s->gpex_root)); - } -diff --git a/hw/pci-host/prep.c b/hw/pci-host/prep.c -index 7f366d9313d8824c52e5cb531b63..ceff1a8e0fe4d8c8aa8023c3bd0c 100644 ---- a/hw/pci-host/prep.c -+++ b/hw/pci-host/prep.c -@@ -317,7 +317,7 @@ static void raven_pcihost_initfn(Object *obj) - - object_initialize(&s->pci_dev, sizeof(s->pci_dev), TYPE_RAVEN_PCI_DEVICE); - pci_dev = DEVICE(&s->pci_dev); -- qdev_set_parent_bus(pci_dev, BUS(&s->pci_bus)); -+ qdev_set_parent_bus(pci_dev, BUS(&s->pci_bus), &error_abort); - object_property_set_int(OBJECT(&s->pci_dev), PCI_DEVFN(0, 0), "addr", - NULL); - qdev_prop_set_bit(pci_dev, "multifunction", false); -diff --git a/hw/pci-host/q35.c b/hw/pci-host/q35.c -index 158d270b9f0c94490acb57932985..b27a058e50a49d0e3e8f103501ab 100644 ---- a/hw/pci-host/q35.c -+++ b/hw/pci-host/q35.c -@@ -63,7 +63,7 @@ static void q35_host_realize(DeviceState *dev, Error **errp) - s->mch.address_space_io, - 0, TYPE_PCIE_BUS); - PC_MACHINE(qdev_get_machine())->bus = pci->bus; -- qdev_set_parent_bus(DEVICE(&s->mch), BUS(pci->bus)); -+ qdev_set_parent_bus(DEVICE(&s->mch), BUS(pci->bus), &error_abort); - qdev_init_nofail(DEVICE(&s->mch)); - } - -diff --git a/hw/pci-host/versatile.c b/hw/pci-host/versatile.c -index b731d0544fa163100fe5f7d128a0..e68a1e1b3c7c510882289ae04a1e 100644 ---- a/hw/pci-host/versatile.c -+++ b/hw/pci-host/versatile.c -@@ -17,6 +17,7 @@ - #include "hw/qdev-properties.h" - #include "qemu/log.h" - #include "qemu/module.h" -+#include "qapi/error.h" - - /* Old and buggy versions of QEMU used the wrong mapping from - * PCI IRQs to system interrupt lines. Unfortunately the Linux -@@ -408,7 +409,7 @@ static void pci_vpb_realize(DeviceState *dev, Error **errp) - h->bus = &s->pci_bus; - - object_initialize(&s->pci_dev, sizeof(s->pci_dev), TYPE_VERSATILE_PCI_HOST); -- qdev_set_parent_bus(DEVICE(&s->pci_dev), BUS(&s->pci_bus)); -+ qdev_set_parent_bus(DEVICE(&s->pci_dev), BUS(&s->pci_bus), &error_abort); - - for (i = 0; i < 4; i++) { - sysbus_init_irq(sbd, &s->irq[i]); -diff --git a/hw/pci-host/xilinx-pcie.c b/hw/pci-host/xilinx-pcie.c -index 17d502434956e9c6a609d95907b4..56aa94016459566e2fb522ab8d7e 100644 ---- a/hw/pci-host/xilinx-pcie.c -+++ b/hw/pci-host/xilinx-pcie.c -@@ -137,7 +137,7 @@ static void xilinx_pcie_host_realize(DeviceState *dev, Error **errp) - pci_swizzle_map_irq_fn, s, &s->mmio, - &s->io, 0, 4, TYPE_PCIE_BUS); - -- qdev_set_parent_bus(DEVICE(&s->root), BUS(pci->bus)); -+ qdev_set_parent_bus(DEVICE(&s->root), BUS(pci->bus), &error_abort); - qdev_init_nofail(DEVICE(&s->root)); - } - -diff --git a/hw/s390x/event-facility.c b/hw/s390x/event-facility.c -index 66205697ae7597a328e97b408e48..17e77fb17390f3f3f1954d47055b 100644 ---- a/hw/s390x/event-facility.c -+++ b/hw/s390x/event-facility.c -@@ -464,12 +464,12 @@ static void init_event_facility(Object *obj) - new = object_new(TYPE_SCLP_QUIESCE); - object_property_add_child(obj, TYPE_SCLP_QUIESCE, new, NULL); - object_unref(new); -- qdev_set_parent_bus(DEVICE(new), BUS(&event_facility->sbus)); -+ qdev_set_parent_bus(DEVICE(new), BUS(&event_facility->sbus), &error_abort); - - new = object_new(TYPE_SCLP_CPU_HOTPLUG); - object_property_add_child(obj, TYPE_SCLP_CPU_HOTPLUG, new, NULL); - object_unref(new); -- qdev_set_parent_bus(DEVICE(new), BUS(&event_facility->sbus)); -+ qdev_set_parent_bus(DEVICE(new), BUS(&event_facility->sbus), &error_abort); - /* the facility will automatically realize the devices via the bus */ - } - -diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c -index 1c380a49cc7140687329e43e9745..ade09fc9d35cf372d1abeb2a29f7 100644 ---- a/hw/s390x/sclp.c -+++ b/hw/s390x/sclp.c -@@ -350,7 +350,7 @@ static void sclp_realize(DeviceState *dev, Error **errp) - * as we can't find a fitting bus via the qom tree, we have to add the - * event facility to the sysbus, so e.g. a sclp console can be created. - */ -- qdev_set_parent_bus(DEVICE(sclp->event_facility), sysbus_get_default()); -+ qdev_set_parent_bus(DEVICE(sclp->event_facility), sysbus_get_default(), &error_abort); - - ret = s390_set_memory_limit(machine->maxram_size, &hw_limit); - if (ret == -E2BIG) { -diff --git a/hw/s390x/vhost-vsock-ccw.c b/hw/s390x/vhost-vsock-ccw.c -index 1835812bd11a7c4c275206f3905c..23c5491223fbb7fffa6effa43954 100644 ---- a/hw/s390x/vhost-vsock-ccw.c -+++ b/hw/s390x/vhost-vsock-ccw.c -@@ -24,7 +24,7 @@ static void vhost_vsock_ccw_realize(VirtioCcwDevice *ccw_dev, Error **errp) - VHostVSockCCWState *dev = VHOST_VSOCK_CCW(ccw_dev); - DeviceState *vdev = DEVICE(&dev->vdev); - -- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/s390x/virtio-ccw-9p.c b/hw/s390x/virtio-ccw-9p.c -index 5453a964d2dc3f5943f492c2c4e6..f7db31e4f3d23653a1216dca0c30 100644 ---- a/hw/s390x/virtio-ccw-9p.c -+++ b/hw/s390x/virtio-ccw-9p.c -@@ -21,7 +21,7 @@ static void virtio_ccw_9p_realize(VirtioCcwDevice *ccw_dev, Error **errp) - V9fsCCWState *dev = VIRTIO_9P_CCW(ccw_dev); - DeviceState *vdev = DEVICE(&dev->vdev); - -- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/s390x/virtio-ccw-balloon.c b/hw/s390x/virtio-ccw-balloon.c -index 7088612f6bce233b18574ad63121..92ebd7bcfbda7da5bc7e6af4a55c 100644 ---- a/hw/s390x/virtio-ccw-balloon.c -+++ b/hw/s390x/virtio-ccw-balloon.c -@@ -21,7 +21,7 @@ static void virtio_ccw_balloon_realize(VirtioCcwDevice *ccw_dev, Error **errp) - VirtIOBalloonCcw *dev = VIRTIO_BALLOON_CCW(ccw_dev); - DeviceState *vdev = DEVICE(&dev->vdev); - -- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/s390x/virtio-ccw-blk.c b/hw/s390x/virtio-ccw-blk.c -index 1512af8974dff0b303cda91e9ad8..9b12fa9e219b808e83e831894252 100644 ---- a/hw/s390x/virtio-ccw-blk.c -+++ b/hw/s390x/virtio-ccw-blk.c -@@ -21,7 +21,7 @@ static void virtio_ccw_blk_realize(VirtioCcwDevice *ccw_dev, Error **errp) - VirtIOBlkCcw *dev = VIRTIO_BLK_CCW(ccw_dev); - DeviceState *vdev = DEVICE(&dev->vdev); - -- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/s390x/virtio-ccw-crypto.c b/hw/s390x/virtio-ccw-crypto.c -index 086b397ad274e11a69465dc69929..95fd93d5cb6d6f76a947f75a58ba 100644 ---- a/hw/s390x/virtio-ccw-crypto.c -+++ b/hw/s390x/virtio-ccw-crypto.c -@@ -21,7 +21,7 @@ static void virtio_ccw_crypto_realize(VirtioCcwDevice *ccw_dev, Error **errp) - DeviceState *vdev = DEVICE(&dev->vdev); - Error *err = NULL; - -- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", &err); - if (err) { - error_propagate(errp, err); -diff --git a/hw/s390x/virtio-ccw-gpu.c b/hw/s390x/virtio-ccw-gpu.c -index be46ca7a968c2b9baa44569be689..afa30e330fb9b6bc3559baf82949 100644 ---- a/hw/s390x/virtio-ccw-gpu.c -+++ b/hw/s390x/virtio-ccw-gpu.c -@@ -20,7 +20,7 @@ static void virtio_ccw_gpu_realize(VirtioCcwDevice *ccw_dev, Error **errp) - VirtIOGPUCcw *dev = VIRTIO_GPU_CCW(ccw_dev); - DeviceState *vdev = DEVICE(&dev->vdev); - -- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/s390x/virtio-ccw-input.c b/hw/s390x/virtio-ccw-input.c -index 370b776790c8bca383e78ea4df34..5adfdc3ee47cf364bd701d6ce518 100644 ---- a/hw/s390x/virtio-ccw-input.c -+++ b/hw/s390x/virtio-ccw-input.c -@@ -20,7 +20,7 @@ static void virtio_ccw_input_realize(VirtioCcwDevice *ccw_dev, Error **errp) - VirtIOInputCcw *dev = VIRTIO_INPUT_CCW(ccw_dev); - DeviceState *vdev = DEVICE(&dev->vdev); - -- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/s390x/virtio-ccw-net.c b/hw/s390x/virtio-ccw-net.c -index 12c03d73c4dcc081514cac3bc1af..756069b3dfc17963703573dd050c 100644 ---- a/hw/s390x/virtio-ccw-net.c -+++ b/hw/s390x/virtio-ccw-net.c -@@ -24,7 +24,7 @@ static void virtio_ccw_net_realize(VirtioCcwDevice *ccw_dev, Error **errp) - - virtio_net_set_netclient_name(&dev->vdev, qdev->id, - object_get_typename(OBJECT(qdev))); -- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/s390x/virtio-ccw-rng.c b/hw/s390x/virtio-ccw-rng.c -index 854254dd50f5e9bc0e45f5d53571..6a5c2dd9b938966be7ee9249168a 100644 ---- a/hw/s390x/virtio-ccw-rng.c -+++ b/hw/s390x/virtio-ccw-rng.c -@@ -22,7 +22,7 @@ static void virtio_ccw_rng_realize(VirtioCcwDevice *ccw_dev, Error **errp) - DeviceState *vdev = DEVICE(&dev->vdev); - Error *err = NULL; - -- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", &err); - if (err) { - error_propagate(errp, err); -diff --git a/hw/s390x/virtio-ccw-scsi.c b/hw/s390x/virtio-ccw-scsi.c -index 4662288b5b009da0b2ecf74eaff9..9a01a027210f7d1c372d88a51963 100644 ---- a/hw/s390x/virtio-ccw-scsi.c -+++ b/hw/s390x/virtio-ccw-scsi.c -@@ -33,7 +33,7 @@ static void virtio_ccw_scsi_realize(VirtioCcwDevice *ccw_dev, Error **errp) - g_free(bus_name); - } - -- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -@@ -78,7 +78,7 @@ static void vhost_ccw_scsi_realize(VirtioCcwDevice *ccw_dev, Error **errp) - VHostSCSICcw *dev = VHOST_SCSI_CCW(ccw_dev); - DeviceState *vdev = DEVICE(&dev->vdev); - -- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/s390x/virtio-ccw-serial.c b/hw/s390x/virtio-ccw-serial.c -index eafb7d5c1f4c799d33980a6db021..c7f4d47aa426f9357e899cef8c88 100644 ---- a/hw/s390x/virtio-ccw-serial.c -+++ b/hw/s390x/virtio-ccw-serial.c -@@ -15,6 +15,7 @@ - #include "hw/qdev-properties.h" - #include "hw/virtio/virtio-serial.h" - #include "virtio-ccw.h" -+#include "qapi/error.h" - - static void virtio_ccw_serial_realize(VirtioCcwDevice *ccw_dev, Error **errp) - { -@@ -33,7 +34,7 @@ static void virtio_ccw_serial_realize(VirtioCcwDevice *ccw_dev, Error **errp) - g_free(bus_name); - } - -- qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&ccw_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/sd/core.c b/hw/sd/core.c -index abec48bccb80a92cf3c8e6dee397..371122c120e04268e9ba6644625b 100644 ---- a/hw/sd/core.c -+++ b/hw/sd/core.c -@@ -23,6 +23,7 @@ - #include "hw/qdev-core.h" - #include "hw/sd/sd.h" - #include "qemu/module.h" -+#include "qapi/error.h" - #include "trace.h" - - static inline const char *sdbus_name(SDBus *sdbus) -@@ -210,7 +211,7 @@ void sdbus_reparent_card(SDBus *from, SDBus *to) - readonly = sc->get_readonly(card); - - sdbus_set_inserted(from, false); -- qdev_set_parent_bus(DEVICE(card), &to->qbus); -+ qdev_set_parent_bus(DEVICE(card), &to->qbus, &error_abort); - sdbus_set_inserted(to, true); - sdbus_set_readonly(to, readonly); - } -diff --git a/hw/ssi/ssi.c b/hw/ssi/ssi.c -index c6415eb6e329ee78f822f6723192..49e79254ebf703a53ac22197f517 100644 ---- a/hw/ssi/ssi.c -+++ b/hw/ssi/ssi.c -@@ -16,6 +16,7 @@ - #include "hw/ssi/ssi.h" - #include "migration/vmstate.h" - #include "qemu/module.h" -+#include "qapi/error.h" - - struct SSIBus { - BusState parent_obj; -@@ -159,7 +160,7 @@ static int ssi_auto_connect_slave(Object *child, void *opaque) - } - - cs_line = qdev_get_gpio_in_named(DEVICE(dev), SSI_GPIO_CS, 0); -- qdev_set_parent_bus(DEVICE(dev), BUS(arg->bus)); -+ qdev_set_parent_bus(DEVICE(dev), BUS(arg->bus), &error_abort); - **arg->cs_linep = cs_line; - (*arg->cs_linep)++; - return 0; -diff --git a/hw/virtio/vhost-scsi-pci.c b/hw/virtio/vhost-scsi-pci.c -index e8dfbfc60f9a5f25b4d7214872d1..9e454801e7a1b66b17eef996f30f 100644 ---- a/hw/virtio/vhost-scsi-pci.c -+++ b/hw/virtio/vhost-scsi-pci.c -@@ -53,7 +53,7 @@ static void vhost_scsi_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - vpci_dev->nvectors = vs->conf.num_queues + 3; - } - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/virtio/vhost-user-blk-pci.c b/hw/virtio/vhost-user-blk-pci.c -index 1dc834a3ff153719100cd0fca891..fb4f321acff7c44b941bbaf836f0 100644 ---- a/hw/virtio/vhost-user-blk-pci.c -+++ b/hw/virtio/vhost-user-blk-pci.c -@@ -58,7 +58,7 @@ static void vhost_user_blk_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - vpci_dev->nvectors = dev->vdev.num_queues + 1; - } - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/virtio/vhost-user-fs-pci.c b/hw/virtio/vhost-user-fs-pci.c -index 933a3f265b6a9657d3404a0aa311..65ce9fda95f9dd23de2ae2406973 100644 ---- a/hw/virtio/vhost-user-fs-pci.c -+++ b/hw/virtio/vhost-user-fs-pci.c -@@ -15,6 +15,7 @@ - #include "hw/qdev-properties.h" - #include "hw/virtio/vhost-user-fs.h" - #include "virtio-pci.h" -+#include "qapi/error.h" - - struct VHostUserFSPCI { - VirtIOPCIProxy parent_obj; -@@ -43,7 +44,7 @@ static void vhost_user_fs_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - vpci_dev->nvectors = dev->vdev.conf.num_request_queues + 1; - } - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/virtio/vhost-user-scsi-pci.c b/hw/virtio/vhost-user-scsi-pci.c -index ff13af70308f7ddadd7874cca185..011afba8582c8f61dbb5176d2944 100644 ---- a/hw/virtio/vhost-user-scsi-pci.c -+++ b/hw/virtio/vhost-user-scsi-pci.c -@@ -59,7 +59,7 @@ static void vhost_user_scsi_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - vpci_dev->nvectors = vs->conf.num_queues + 3; - } - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/virtio/vhost-vsock-pci.c b/hw/virtio/vhost-vsock-pci.c -index 4ca097ffff5a8569245332800ba8..beaee685524608208147ba51fdce 100644 ---- a/hw/virtio/vhost-vsock-pci.c -+++ b/hw/virtio/vhost-vsock-pci.c -@@ -17,6 +17,7 @@ - #include "hw/qdev-properties.h" - #include "hw/virtio/vhost-vsock.h" - #include "qemu/module.h" -+#include "qapi/error.h" - - typedef struct VHostVSockPCI VHostVSockPCI; - -@@ -44,7 +45,7 @@ static void vhost_vsock_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - VHostVSockPCI *dev = VHOST_VSOCK_PCI(vpci_dev); - DeviceState *vdev = DEVICE(&dev->vdev); - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/virtio/virtio-9p-pci.c b/hw/virtio/virtio-9p-pci.c -index 22a183cca7e5292f2c90e7938e4d..9d2bc7cd857fd48e681998a2d55e 100644 ---- a/hw/virtio/virtio-9p-pci.c -+++ b/hw/virtio/virtio-9p-pci.c -@@ -19,6 +19,7 @@ - #include "hw/9pfs/virtio-9p.h" - #include "hw/qdev-properties.h" - #include "qemu/module.h" -+#include "qapi/error.h" - - /* - * virtio-9p-pci: This extends VirtioPCIProxy. -@@ -38,7 +39,7 @@ static void virtio_9p_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - V9fsPCIState *dev = VIRTIO_9P_PCI(vpci_dev); - DeviceState *vdev = DEVICE(&dev->vdev); - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/virtio/virtio-balloon-pci.c b/hw/virtio/virtio-balloon-pci.c -index 69ca0579110f66bc70464caadbac..894513fbed1b8d0029d049fc07d6 100644 ---- a/hw/virtio/virtio-balloon-pci.c -+++ b/hw/virtio/virtio-balloon-pci.c -@@ -48,7 +48,7 @@ static void virtio_balloon_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - vpci_dev->class_code = PCI_CLASS_OTHERS; - } - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/virtio/virtio-blk-pci.c b/hw/virtio/virtio-blk-pci.c -index d9b69a5af351df5c52a6cba1bbc4..6b9e03ef5bec673179c953e53e84 100644 ---- a/hw/virtio/virtio-blk-pci.c -+++ b/hw/virtio/virtio-blk-pci.c -@@ -55,7 +55,7 @@ static void virtio_blk_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - vpci_dev->nvectors = dev->vdev.conf.num_queues + 1; - } - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/virtio/virtio-crypto-pci.c b/hw/virtio/virtio-crypto-pci.c -index d853dc460cc5144a8735b3d332b6..46e96ccccf3b0121954869771bce 100644 ---- a/hw/virtio/virtio-crypto-pci.c -+++ b/hw/virtio/virtio-crypto-pci.c -@@ -53,7 +53,7 @@ static void virtio_crypto_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - return; - } - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - virtio_pci_force_virtio_1(vpci_dev); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - object_property_set_link(OBJECT(vcrypto), -diff --git a/hw/virtio/virtio-input-pci.c b/hw/virtio/virtio-input-pci.c -index 80b1172c90b0d37cb8f23b650069..b7fe75938f5cd0f9f58a1a227d7b 100644 ---- a/hw/virtio/virtio-input-pci.c -+++ b/hw/virtio/virtio-input-pci.c -@@ -12,6 +12,7 @@ - #include "hw/qdev-properties.h" - #include "hw/virtio/virtio-input.h" - #include "qemu/module.h" -+#include "qapi/error.h" - - typedef struct VirtIOInputPCI VirtIOInputPCI; - typedef struct VirtIOInputHIDPCI VirtIOInputHIDPCI; -@@ -49,7 +50,7 @@ static void virtio_input_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - VirtIOInputPCI *vinput = VIRTIO_INPUT_PCI(vpci_dev); - DeviceState *vdev = DEVICE(&vinput->vdev); - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - virtio_pci_force_virtio_1(vpci_dev); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } -diff --git a/hw/virtio/virtio-net-pci.c b/hw/virtio/virtio-net-pci.c -index f670aed0a77b47da99fdf02440dd..dd7d4b74845aa587cd6ade447543 100644 ---- a/hw/virtio/virtio-net-pci.c -+++ b/hw/virtio/virtio-net-pci.c -@@ -52,7 +52,7 @@ static void virtio_net_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - - virtio_net_set_netclient_name(&dev->vdev, qdev->id, - object_get_typename(OBJECT(qdev))); -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/virtio/virtio-pmem-pci.c b/hw/virtio/virtio-pmem-pci.c -index fe2af00fa1652a7ee9ff20de8d0c..3c5dd1b87d564af18bf3f2bd220d 100644 ---- a/hw/virtio/virtio-pmem-pci.c -+++ b/hw/virtio/virtio-pmem-pci.c -@@ -22,7 +22,7 @@ static void virtio_pmem_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - VirtIOPMEMPCI *pmem_pci = VIRTIO_PMEM_PCI(vpci_dev); - DeviceState *vdev = DEVICE(&pmem_pci->vdev); - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/virtio/virtio-rng-pci.c b/hw/virtio/virtio-rng-pci.c -index 8aaf54b781d6545d0597912f29f4..048c2aa85b12d51c03eb404e4647 100644 ---- a/hw/virtio/virtio-rng-pci.c -+++ b/hw/virtio/virtio-rng-pci.c -@@ -36,7 +36,7 @@ static void virtio_rng_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - DeviceState *vdev = DEVICE(&vrng->vdev); - Error *err = NULL; - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", &err); - if (err) { - error_propagate(errp, err); -diff --git a/hw/virtio/virtio-scsi-pci.c b/hw/virtio/virtio-scsi-pci.c -index 3c55dc19a105dd562a505c64d14c..b4e81ceb46c3a8d5306cf4b29e66 100644 ---- a/hw/virtio/virtio-scsi-pci.c -+++ b/hw/virtio/virtio-scsi-pci.c -@@ -19,6 +19,7 @@ - #include "hw/virtio/virtio-scsi.h" - #include "qemu/module.h" - #include "virtio-pci.h" -+#include "qapi/error.h" - - typedef struct VirtIOSCSIPCI VirtIOSCSIPCI; - -@@ -64,7 +65,7 @@ static void virtio_scsi_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - g_free(bus_name); - } - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/virtio/virtio-serial-pci.c b/hw/virtio/virtio-serial-pci.c -index 953abbd13ab7f0ffca6a5af539ce..1f02930002fa4c833a75c64187a0 100644 ---- a/hw/virtio/virtio-serial-pci.c -+++ b/hw/virtio/virtio-serial-pci.c -@@ -21,6 +21,7 @@ - #include "hw/virtio/virtio-serial.h" - #include "qemu/module.h" - #include "virtio-pci.h" -+#include "qapi/error.h" - - typedef struct VirtIOSerialPCI VirtIOSerialPCI; - -@@ -65,7 +66,7 @@ static void virtio_serial_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp) - g_free(bus_name); - } - -- qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus)); -+ qdev_set_parent_bus(vdev, BUS(&vpci_dev->bus), &error_abort); - object_property_set_bool(OBJECT(vdev), true, "realized", errp); - } - -diff --git a/hw/xen/xen-legacy-backend.c b/hw/xen/xen-legacy-backend.c -index 4412d7aa7639c00b6f54bdd5f532..d38095acca6766cda2aa3413c2b4 100644 ---- a/hw/xen/xen-legacy-backend.c -+++ b/hw/xen/xen-legacy-backend.c -@@ -278,7 +278,7 @@ static struct XenLegacyDevice *xen_be_get_xendev(const char *type, int dom, - xendev = g_malloc0(ops->size); - object_initialize(&xendev->qdev, ops->size, TYPE_XENBACKEND); - OBJECT(xendev)->free = g_free; -- qdev_set_parent_bus(DEVICE(xendev), xen_sysbus); -+ qdev_set_parent_bus(DEVICE(xendev), xen_sysbus, &error_abort); - qdev_set_id(DEVICE(xendev), g_strdup_printf("xen-%s-%d", type, dev)); - qdev_init_nofail(DEVICE(xendev)); - object_unref(OBJECT(xendev)); -diff --git a/include/hw/qdev-core.h b/include/hw/qdev-core.h -index 1518495b1e0a953fa1547889f5dc..2b0186f0af593deee82a02693589 100644 ---- a/include/hw/qdev-core.h -+++ b/include/hw/qdev-core.h -@@ -188,13 +188,24 @@ struct BusClass { - /* FIXME first arg should be BusState */ - void (*print_dev)(Monitor *mon, DeviceState *dev, int indent); - char *(*get_dev_path)(DeviceState *dev); -+ - /* - * This callback is used to create Open Firmware device path in accordance - * with OF spec http://forthworks.com/standards/of1275.pdf. Individual bus - * bindings can be found at http://playground.sun.com/1275/bindings/. - */ - char *(*get_fw_dev_path)(DeviceState *dev); -+ - void (*reset)(BusState *bus); -+ -+ /* -+ * Return whether the device can be added to @bus, -+ * based on the address that was set (via device properties) -+ * before realize. If not, on return @errp contains the -+ * human-readable error message. -+ */ -+ bool (*check_address)(BusState *bus, DeviceState *dev, Error **errp); -+ - BusRealize realize; - BusUnrealize unrealize; - -@@ -450,7 +461,7 @@ const char *qdev_fw_name(DeviceState *dev); - Object *qdev_get_machine(void); - - /* FIXME: make this a link<> */ --void qdev_set_parent_bus(DeviceState *dev, BusState *bus); -+bool qdev_set_parent_bus(DeviceState *dev, BusState *bus, Error **errp); - - extern bool qdev_hotplug; - extern bool qdev_hot_removed; -diff --git a/qdev-monitor.c b/qdev-monitor.c -index e6b112eb0ab0252ecb1d585d3784..dc0323051e33833c4bcb638c7657 100644 ---- a/qdev-monitor.c -+++ b/qdev-monitor.c -@@ -654,7 +654,7 @@ DeviceState *qdev_device_add(QemuOpts *opts, Error **errp) - } - - if (bus) { -- qdev_set_parent_bus(dev, bus); -+ qdev_set_parent_bus(dev, bus, &error_abort); - } else if (qdev_hotplug && !qdev_get_machine_hotplug_handler(dev)) { - /* No bus, no machine hotplug handler --> device is not hotpluggable */ - error_setg(&err, "Device '%s' can not be hotplugged on this machine", diff --git a/packaging/qemu-binfmt-conf-Modify-default-path.patch b/packaging/qemu-binfmt-conf-Modify-default-path.patch deleted file mode 100644 index 1294bc2ba..000000000 --- a/packaging/qemu-binfmt-conf-Modify-default-path.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: =?UTF-8?q?Andreas=20F=C3=A4rber?= -Date: Wed, 10 Aug 2016 19:00:24 +0200 -Subject: qemu-binfmt-conf: Modify default path -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Change QEMU_PATH from /usr/local/bin to /usr/bin prefix. - -Signed-off-by: Andreas Färber ---- - scripts/qemu-binfmt-conf.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh -index 9f1580a91c7d3ad64120fe8ee66d..246546b10ca5df38035e5ba46a09 100755 ---- a/scripts/qemu-binfmt-conf.sh -+++ b/scripts/qemu-binfmt-conf.sh -@@ -323,7 +323,7 @@ BINFMT_SET=qemu_register_interpreter - SYSTEMDDIR="/etc/binfmt.d" - DEBIANDIR="/usr/share/binfmts" - --QEMU_PATH=/usr/local/bin -+QEMU_PATH=/usr/bin - CREDENTIAL=no - PERSISTENT=no - QEMU_SUFFIX="" diff --git a/packaging/qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch b/packaging/qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch deleted file mode 100644 index 08ca9035a..000000000 --- a/packaging/qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch +++ /dev/null @@ -1,38 +0,0 @@ -From: Andreas Schwab -Date: Fri, 12 Aug 2016 18:20:49 +0200 -Subject: qemu-binfmt-conf: use qemu-ARCH-binfmt -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Andreas Schwab -Signed-off-by: Andreas Färber ---- - scripts/qemu-binfmt-conf.sh | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh -index 246546b10ca5df38035e5ba46a09..e0666a3afdc81f0f8277a53f3e1e 100755 ---- a/scripts/qemu-binfmt-conf.sh -+++ b/scripts/qemu-binfmt-conf.sh -@@ -266,7 +266,7 @@ qemu_generate_register() { - flags="${flags}F" - fi - -- echo ":qemu-$cpu:M::$magic:$mask:$qemu:$flags" -+ echo ":qemu-$cpu:M::$magic:$mask:$qemu:P$flags" - } - - qemu_register_interpreter() { -@@ -305,9 +305,9 @@ qemu_set_binfmts() { - continue - fi - -- qemu="$QEMU_PATH/qemu-$cpu" -+ qemu="$QEMU_PATH/qemu-$cpu-binfmt" - if [ "$cpu" = "i486" ] ; then -- qemu="$QEMU_PATH/qemu-i386" -+ qemu="$QEMU_PATH/qemu-i386-binfmt" - fi - - qemu="$qemu$QEMU_SUFFIX" diff --git a/packaging/qemu-bridge-helper-reduce-security-profi.patch b/packaging/qemu-bridge-helper-reduce-security-profi.patch deleted file mode 100644 index fa2e6dc9e..000000000 --- a/packaging/qemu-bridge-helper-reduce-security-profi.patch +++ /dev/null @@ -1,80 +0,0 @@ -From: Bruce Rogers -Date: Tue, 2 Aug 2016 11:36:02 -0600 -Subject: qemu-bridge-helper: reduce security profile -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -References: boo#988279 - -Change from using glib alloc and free routines to those -from libc. Also perform safety measure of dropping privs -to user if configured no-caps. - -Signed-off-by: Bruce Rogers -[AF: Rebased for v2.7.0-rc2] -Signed-off-by: Andreas Färber ---- - qemu-bridge-helper.c | 28 +++++++++++++++++++++++++--- - 1 file changed, 25 insertions(+), 3 deletions(-) - -diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c -index 3d50ec094c794b9c0835628f10c5..f2291b398f8e4589f649af226dba 100644 ---- a/qemu-bridge-helper.c -+++ b/qemu-bridge-helper.c -@@ -123,7 +123,12 @@ static int parse_acl_file(const char *filename, ACLList *acl_list) - } - - if (strcmp(cmd, "deny") == 0) { -- acl_rule = g_malloc(sizeof(*acl_rule)); -+ acl_rule = calloc(1, sizeof(*acl_rule)); -+ if (!acl_rule) { -+ fclose(f); -+ errno = ENOMEM; -+ return -1; -+ } - if (strcmp(arg, "all") == 0) { - acl_rule->type = ACL_DENY_ALL; - } else { -@@ -132,7 +137,12 @@ static int parse_acl_file(const char *filename, ACLList *acl_list) - } - QSIMPLEQ_INSERT_TAIL(acl_list, acl_rule, entry); - } else if (strcmp(cmd, "allow") == 0) { -- acl_rule = g_malloc(sizeof(*acl_rule)); -+ acl_rule = calloc(1, sizeof(*acl_rule)); -+ if (!acl_rule) { -+ fclose(f); -+ errno = ENOMEM; -+ return -1; -+ } - if (strcmp(arg, "all") == 0) { - acl_rule->type = ACL_ALLOW_ALL; - } else { -@@ -433,6 +443,18 @@ int main(int argc, char **argv) - goto cleanup; - } - -+#ifndef CONFIG_LIBCAP -+ /* -+ * avoid sending the fd as root user if running suid to not fool -+ * peer credentials to daemons that dont expect that -+ */ -+ if (setuid(getuid()) < 0) { -+ fprintf(stderr, "Failed to drop privileges.\n"); -+ ret = EXIT_FAILURE; -+ goto cleanup; -+ } -+#endif -+ - /* write fd to the domain socket */ - if (send_fd(unixfd, fd) == -1) { - fprintf(stderr, "failed to write fd to unix socket: %s\n", -@@ -454,7 +476,7 @@ cleanup: - } - while ((acl_rule = QSIMPLEQ_FIRST(&acl_list)) != NULL) { - QSIMPLEQ_REMOVE_HEAD(&acl_list, entry); -- g_free(acl_rule); -+ free(acl_rule); - } - - return ret; diff --git a/packaging/qemu-cvs-gettimeofday.patch b/packaging/qemu-cvs-gettimeofday.patch deleted file mode 100644 index 0c909149c..000000000 --- a/packaging/qemu-cvs-gettimeofday.patch +++ /dev/null @@ -1,26 +0,0 @@ -From: Ulrich Hecht -Date: Tue, 14 Apr 2009 16:25:41 +0200 -Subject: qemu-cvs-gettimeofday - -No clue what this is for. - -[BR: minor edits to pass qemu's checkpatch script] -Signed-off-by: Bruce Rogers ---- - linux-user/syscall.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 171c0caef3a191c861e76493ccfc..25b0f3bba38b8629cb4bc027be96 100644 ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -8558,6 +8558,9 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1, - case TARGET_NR_gettimeofday: - { - struct timeval tv; -+ if (copy_from_user_timeval(&tv, arg1)) { -+ return -TARGET_EFAULT; -+ } - ret = get_errno(gettimeofday(&tv, NULL)); - if (!is_error(ret)) { - if (copy_to_user_timeval(arg1, &tv)) diff --git a/packaging/qemu-cvs-ioctl_debug.patch b/packaging/qemu-cvs-ioctl_debug.patch deleted file mode 100644 index 0ba2c3164..000000000 --- a/packaging/qemu-cvs-ioctl_debug.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Alexander Graf -Date: Tue, 14 Apr 2009 16:26:33 +0200 -Subject: qemu-cvs-ioctl_debug - -Extends unsupported ioctl debug output. - -Signed-off-by: Alexander Graf -Signed-off-by: Ulrich Hecht -[BR: minor edits to pass qemu's checkpatch script] -Signed-off-by: Bruce Rogers ---- - linux-user/syscall.c | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - -diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 25b0f3bba38b8629cb4bc027be96..49db231f031015265f6d8cead831 100644 ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -5151,7 +5151,19 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg) - ie = ioctl_entries; - for(;;) { - if (ie->target_cmd == 0) { -- gemu_log("Unsupported ioctl: cmd=0x%04lx\n", (long)cmd); -+ int i; -+ gemu_log("Unsupported ioctl: cmd=0x%04lx (%x)\n", (unsigned long)cmd, -+ (unsigned int)(cmd & (TARGET_IOC_SIZEMASK << TARGET_IOC_SIZESHIFT)) -+ >> TARGET_IOC_SIZESHIFT); -+ for (i = 0; ioctl_entries[i].target_cmd; i++) { -+ if ((ioctl_entries[i].target_cmd & ~(TARGET_IOC_SIZEMASK -+ << TARGET_IOC_SIZESHIFT)) == (cmd & ~(TARGET_IOC_SIZEMASK << -+ TARGET_IOC_SIZESHIFT))) -+ gemu_log("%p\t->\t%s (%x)\n", (void *)(unsigned long) -+ ioctl_entries[i].host_cmd, ioctl_entries[i].name, -+ (ioctl_entries[i].target_cmd & (TARGET_IOC_SIZEMASK -+ << TARGET_IOC_SIZESHIFT)) >> TARGET_IOC_SIZESHIFT); -+ } - return -TARGET_ENOSYS; - } - if (ie->target_cmd == cmd) diff --git a/packaging/qemu-cvs-ioctl_nodirection.patch b/packaging/qemu-cvs-ioctl_nodirection.patch deleted file mode 100644 index 06edfbcbd..000000000 --- a/packaging/qemu-cvs-ioctl_nodirection.patch +++ /dev/null @@ -1,43 +0,0 @@ -From: Alexander Graf -Date: Tue, 14 Apr 2009 16:27:36 +0200 -Subject: qemu-cvs-ioctl_nodirection - -the direction given in the ioctl should be correct so we can assume the -communication is uni-directional. The alsa developers did not like this -concept though and declared ioctls IOC_R and IOC_W even though they were -IOC_RW. - -Signed-off-by: Alexander Graf -Signed-off-by: Ulrich Hecht -[BR: minor edits to pass qemu's checkpatch script] -Signed-off-by: Bruce Rogers ---- - linux-user/syscall.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 49db231f031015265f6d8cead831..57be4c98555e50f2263811cd11f4 100644 ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -5192,6 +5192,13 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg) - arg_type++; - target_size = thunk_type_size(arg_type, 0); - switch(ie->access) { -+ /* -+ * FIXME: actually the direction given in the ioctl should be -+ * correct so we can assume the communication is uni-directional. -+ * The alsa developers did not like this concept though and -+ * declared ioctls IOC_R and IOC_W even though they were IOC_RW. -+ */ -+/* - case IOC_R: - ret = get_errno(safe_ioctl(fd, ie->host_cmd, buf_temp)); - if (!is_error(ret)) { -@@ -5210,6 +5217,7 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg) - unlock_user(argptr, arg, 0); - ret = get_errno(safe_ioctl(fd, ie->host_cmd, buf_temp)); - break; -+*/ - default: - case IOC_RW: - argptr = lock_user(VERIFY_READ, arg, target_size, 1); diff --git a/packaging/qemu-iotests-qtest-rewrite-test-067-as-a.patch b/packaging/qemu-iotests-qtest-rewrite-test-067-as-a.patch deleted file mode 100644 index 294207a8c..000000000 --- a/packaging/qemu-iotests-qtest-rewrite-test-067-as-a.patch +++ /dev/null @@ -1,956 +0,0 @@ -From: Paolo Bonzini -Date: Wed, 7 Oct 2020 06:43:03 -0400 -Subject: qemu-iotests, qtest: rewrite test 067 as a qtest - -Git-commit: d8a18da56df93b7f778fb97ba370031597d19ffd -References: bsc#1184574 - -Test 067 from qemu-iotests is executing QMP commands to hotplug -and hot-unplug disks, devices and blockdevs. Because the power -of the text-based test harness is limited, it is actually limiting -the checks that it does, for example by skipping DEVICE_DELETED -events. - -tests/qtest already has a similar test, drive_del-test.c. -We can merge them, and even reuse some of the existing code in -drive_del-test.c. This will improve the quality of the test by -covering DEVICE_DELETED events and testing multiple architectures -(therefore covering multiple PCI hotplug mechanisms as well as s390x -virtio-ccw). - -The only difference is that the new test will always use null-co:// for -the medium rather than qcow2 or raw, but this should be irrelevant for -what the test is covering. For example there are no "qemu-img check" -runs in 067 that would check that the file is properly closed. - -The new tests requires PCI hot-plug support, so drive_del-test -is moved from qemu-system-ppc to qemu-system-ppc64. - -Reviewed-by: Kevin Wolf -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - .gitlab-ci.yml | 2 +- - tests/Makefile.include | 2 +- - tests/drive_del-test.c | 211 ++++++++++++++++--- - tests/qemu-iotests/067 | 155 -------------- - tests/qemu-iotests/067.out | 414 ------------------------------------- - tests/qemu-iotests/group | 2 +- - 6 files changed, 190 insertions(+), 596 deletions(-) - -diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml -index be57c6a454a5e83b2a433dbe0d8d..aa19ee9c80f444a9b7e97d3b3563 100644 ---- a/.gitlab-ci.yml -+++ b/.gitlab-ci.yml -@@ -45,7 +45,7 @@ build-tcg-disabled: - - ./check -raw 001 002 003 004 005 008 009 010 011 012 021 025 032 033 048 - 052 063 077 086 101 104 106 113 147 148 150 151 152 157 159 160 - 163 170 171 183 184 192 194 197 205 208 215 221 222 226 227 236 -- - ./check -qcow2 028 040 051 056 057 058 065 067 068 082 085 091 095 096 102 -+ - ./check -qcow2 028 040 051 056 057 058 065 068 082 085 091 095 096 102 - 122 124 127 129 132 139 142 144 145 147 151 152 155 157 165 194 - 196 197 200 202 203 205 208 209 215 216 218 222 227 234 246 247 - 248 250 254 255 256 -diff --git a/tests/Makefile.include b/tests/Makefile.include -index e8bb416ddb89e99c956d224de844..ff1a1282485049f12463c545e074 100644 ---- a/tests/Makefile.include -+++ b/tests/Makefile.include -@@ -232,7 +232,6 @@ check-qtest-moxie-y += tests/boot-serial-test$(EXESUF) - check-qtest-ppc-$(CONFIG_ISA_TESTDEV) = tests/endianness-test$(EXESUF) - check-qtest-ppc-y += tests/boot-order-test$(EXESUF) - check-qtest-ppc-y += tests/prom-env-test$(EXESUF) --check-qtest-ppc-y += tests/drive_del-test$(EXESUF) - check-qtest-ppc-y += tests/boot-serial-test$(EXESUF) - check-qtest-ppc-$(CONFIG_M48T59) += tests/m48t59-test$(EXESUF) - -@@ -249,6 +248,7 @@ check-qtest-ppc64-$(CONFIG_POSIX) += tests/test-filter-mirror$(EXESUF) - check-qtest-ppc64-$(CONFIG_RTL8139_PCI) += tests/test-filter-redirector$(EXESUF) - check-qtest-ppc64-$(CONFIG_VGA) += tests/display-vga-test$(EXESUF) - check-qtest-ppc64-y += tests/numa-test$(EXESUF) -+check-qtest-ppc64-y += tests/drive_del-test$(EXESUF) - check-qtest-ppc64-$(CONFIG_IVSHMEM_DEVICE) += tests/ivshmem-test$(EXESUF) - check-qtest-ppc64-y += tests/cpu-plug-test$(EXESUF) - -diff --git a/tests/drive_del-test.c b/tests/drive_del-test.c -index de0dc6f5bedff9989740b31325e6..b032e98b236857b3d39842349873 100644 ---- a/tests/drive_del-test.c -+++ b/tests/drive_del-test.c -@@ -16,21 +16,21 @@ - #include "qapi/qmp/qdict.h" - #include "qapi/qmp/qlist.h" - --static bool has_drive(QTestState *qts) -+static bool look_for_drive0(QTestState *qts, const char *command, const char *key) - { - QDict *response; - QList *ret; - QListEntry *entry; - bool found; - -- response = qtest_qmp(qts, "{'execute': 'query-block'}"); -+ response = qtest_qmp(qts, "{'execute': %s}", command); - g_assert(response && qdict_haskey(response, "return")); - ret = qdict_get_qlist(response, "return"); - - found = false; - QLIST_FOREACH_ENTRY(ret, entry) { - QDict *entry_dict = qobject_to(QDict, entry->value); -- if (!strcmp(qdict_get_str(entry_dict, "device"), "drive0")) { -+ if (!strcmp(qdict_get_str(entry_dict, key), "drive0")) { - found = true; - break; - } -@@ -40,6 +40,38 @@ static bool has_drive(QTestState *qts) - return found; - } - -+static bool has_drive(QTestState *qts) -+{ -+ return look_for_drive0(qts, "query-block", "device"); -+} -+ -+static bool has_blockdev(QTestState *qts) -+{ -+ return look_for_drive0(qts, "query-named-block-nodes", "node-name"); -+} -+ -+static void blockdev_add_with_media(QTestState *qts) -+{ -+ QDict *response; -+ -+ response = qtest_qmp(qts, -+ "{ 'execute': 'blockdev-add'," -+ " 'arguments': {" -+ " 'driver': 'raw'," -+ " 'node-name': 'drive0'," -+ " 'file': {" -+ " 'driver': 'null-co'," -+ " 'read-zeroes': true" -+ " }" -+ " }" -+ "}"); -+ -+ g_assert(response); -+ g_assert(qdict_haskey(response, "return")); -+ qobject_unref(response); -+ g_assert(has_blockdev(qts)); -+} -+ - static void drive_add(QTestState *qts) - { - char *resp = qtest_hmp(qts, "drive_add 0 if=none,id=drive0"); -@@ -49,6 +81,17 @@ static void drive_add(QTestState *qts) - g_free(resp); - } - -+static void drive_add_with_media(QTestState *qts) -+{ -+ char *resp = qtest_hmp(qts, -+ "drive_add 0 if=none,id=drive0,file=null-co://," -+ "file.read-zeroes=on,format=raw"); -+ -+ g_assert_cmpstr(resp, ==, "OK\r\n"); -+ g_assert(has_drive(qts)); -+ g_free(resp); -+} -+ - static void drive_del(QTestState *qts) - { - char *resp; -@@ -60,7 +103,43 @@ static void drive_del(QTestState *qts) - g_free(resp); - } - --static void device_del(QTestState *qts) -+/* -+ * qvirtio_get_dev_type: -+ * Returns: the preferred virtio bus/device type for the current architecture. -+ * TODO: delete this -+ */ -+static const char *qvirtio_get_dev_type(void) -+{ -+ const char *arch = qtest_get_arch(); -+ -+ if (g_str_equal(arch, "arm") || g_str_equal(arch, "aarch64")) { -+ return "device"; /* for virtio-mmio */ -+ } else if (g_str_equal(arch, "s390x")) { -+ return "ccw"; -+ } else { -+ return "pci"; -+ } -+} -+ -+static void device_add(QTestState *qts) -+{ -+ QDict *response; -+ char driver[32]; -+ snprintf(driver, sizeof(driver), "virtio-blk-%s", -+ qvirtio_get_dev_type()); -+ -+ response = qtest_qmp(qts, "{'execute': 'device_add'," -+ " 'arguments': {" -+ " 'driver': %s," -+ " 'drive': 'drive0'," -+ " 'id': 'dev0'" -+ "}}", driver); -+ g_assert(response); -+ g_assert(qdict_haskey(response, "return")); -+ qobject_unref(response); -+} -+ -+static void device_del(QTestState *qts, bool and_reset) - { - QDict *response; - -@@ -70,6 +149,13 @@ static void device_del(QTestState *qts) - g_assert(qdict_haskey(response, "return")); - qobject_unref(response); - -+ if (and_reset) { -+ response = qtest_qmp(qts, "{'execute': 'system_reset' }"); -+ g_assert(response); -+ g_assert(qdict_haskey(response, "return")); -+ qobject_unref(response); -+ } -+ - qtest_qmp_eventwait(qts, "DEVICE_DELETED"); - } - -@@ -91,24 +177,6 @@ static void test_drive_without_dev(void) - qtest_quit(qts); - } - --/* -- * qvirtio_get_dev_type: -- * Returns: the preferred virtio bus/device type for the current architecture. -- * TODO: delete this -- */ --static const char *qvirtio_get_dev_type(void) --{ -- const char *arch = qtest_get_arch(); -- -- if (g_str_equal(arch, "arm") || g_str_equal(arch, "aarch64")) { -- return "device"; /* for virtio-mmio */ -- } else if (g_str_equal(arch, "s390x")) { -- return "ccw"; -- } else { -- return "pci"; -- } --} -- - static void test_after_failed_device_add(void) - { - char driver[32]; -@@ -158,12 +226,97 @@ static void test_drive_del_device_del(void) - * Doing it in this order takes notoriously tricky special paths - */ - drive_del(qts); -- device_del(qts); -+ device_del(qts, false); - g_assert(!has_drive(qts)); - - qtest_quit(qts); - } - -+static void test_cli_device_del(void) -+{ -+ QTestState *qts; -+ -+ /* -+ * -drive/-device and device_del. Start with a drive used by a -+ * device that unplugs after reset. -+ */ -+ qts = qtest_initf("-drive if=none,id=drive0,file=null-co://," -+ "file.read-zeroes=on,format=raw" -+ " -device virtio-blk-%s,drive=drive0,id=dev0", -+ qvirtio_get_dev_type()); -+ -+ device_del(qts, true); -+ g_assert(!has_drive(qts)); -+ -+ qtest_quit(qts); -+} -+ -+static void test_empty_device_del(void) -+{ -+ QTestState *qts; -+ -+ /* device_del with no drive plugged. */ -+ qts = qtest_initf("-device virtio-scsi-%s -device scsi-cd,id=dev0", -+ qvirtio_get_dev_type()); -+ -+ device_del(qts, false); -+ qtest_quit(qts); -+} -+ -+static void test_device_add_and_del(void) -+{ -+ QTestState *qts; -+ -+ /* -+ * -drive/device_add and device_del. Start with a drive used by a -+ * device that unplugs after reset. -+ */ -+ qts = qtest_init("-drive if=none,id=drive0,file=null-co://," -+ "file.read-zeroes=on,format=raw"); -+ -+ device_add(qts); -+ device_del(qts, true); -+ g_assert(!has_drive(qts)); -+ -+ qtest_quit(qts); -+} -+ -+static void test_drive_add_device_add_and_del(void) -+{ -+ QTestState *qts; -+ -+ qts = qtest_init(""); -+ -+ /* -+ * drive_add/device_add and device_del. The drive is used by a -+ * device that unplugs after reset. -+ */ -+ drive_add_with_media(qts); -+ device_add(qts); -+ device_del(qts, true); -+ g_assert(!has_drive(qts)); -+ -+ qtest_quit(qts); -+} -+ -+static void test_blockdev_add_device_add_and_del(void) -+{ -+ QTestState *qts; -+ -+ qts = qtest_init(""); -+ -+ /* -+ * blockdev_add/device_add and device_del. The it drive is used by a -+ * device that unplugs after reset, but it doesn't go away. -+ */ -+ blockdev_add_with_media(qts); -+ device_add(qts); -+ device_del(qts, true); -+ g_assert(has_blockdev(qts)); -+ -+ qtest_quit(qts); -+} -+ - int main(int argc, char **argv) - { - g_test_init(&argc, &argv, NULL); -@@ -173,8 +326,18 @@ int main(int argc, char **argv) - if (qvirtio_get_dev_type() != NULL) { - qtest_add_func("/drive_del/after_failed_device_add", - test_after_failed_device_add); -- qtest_add_func("/blockdev/drive_del_device_del", -+ qtest_add_func("/drive_del/drive_del_device_del", - test_drive_del_device_del); -+ qtest_add_func("/device_del/drive/cli_device", -+ test_cli_device_del); -+ qtest_add_func("/device_del/drive/device_add", -+ test_device_add_and_del); -+ qtest_add_func("/device_del/drive/drive_add_device_add", -+ test_drive_add_device_add_and_del); -+ qtest_add_func("/device_del/empty", -+ test_empty_device_del); -+ qtest_add_func("/device_del/blockdev", -+ test_blockdev_add_device_add_and_del); - } - - return g_test_run(); -diff --git a/tests/qemu-iotests/067 b/tests/qemu-iotests/067 -deleted file mode 100755 -index 926c79b37c45703f7140e9d0eabe10bc87dd969f..0000000000000000000000000000000000000000 ---- a/tests/qemu-iotests/067 -+++ /dev/null -@@ -1,155 +0,0 @@ --#!/usr/bin/env bash --# --# Test automatic deletion of BDSes created by -drive/drive_add --# --# Copyright (C) 2013 Red Hat, Inc. --# --# This program is free software; you can redistribute it and/or modify --# it under the terms of the GNU General Public License as published by --# the Free Software Foundation; either version 2 of the License, or --# (at your option) any later version. --# --# This program is distributed in the hope that it will be useful, --# but WITHOUT ANY WARRANTY; without even the implied warranty of --# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the --# GNU General Public License for more details. --# --# You should have received a copy of the GNU General Public License --# along with this program. If not, see . --# -- --# creator --owner=kwolf@redhat.com -- --seq=`basename $0` --echo "QA output created by $seq" -- --status=1 # failure is the default! -- --# get standard environment, filters and checks --. ./common.rc --. ./common.filter -- --_supported_fmt qcow2 --_supported_proto file --# Because anything other than 16 would change the output of query-block --_unsupported_imgopts 'refcount_bits=\([^1]\|.\([^6]\|$\)\)' -- --do_run_qemu() --{ -- echo Testing: "$@" -- $QEMU -nographic -qmp-pretty stdio -serial none "$@" -- echo --} -- --# Remove QMP events from (pretty-printed) output. Doesn't handle --# nested dicts correctly, but we don't get any of those in this test. --_filter_qmp_events() --{ -- tr '\n' '\t' | sed -e \ -- 's/{\s*"timestamp":\s*{[^}]*},\s*"event":[^,}]*\(,\s*"data":\s*{[^}]*}\)\?\s*}\s*//g' \ -- | tr '\t' '\n' --} -- --run_qemu() --{ -- do_run_qemu "$@" 2>&1 | _filter_testdir | _filter_qmp | _filter_qemu \ -- | _filter_actual_image_size \ -- | _filter_generated_node_ids | _filter_qmp_events \ -- | _filter_img_info --} -- --size=128M -- --_make_test_img $size -- --echo --echo === -drive/-device and device_del === --echo -- --run_qemu -drive file=$TEST_IMG,format=$IMGFMT,if=none,id=disk -device virtio-blk,drive=disk,id=virtio0 < -Date: Mon, 21 Sep 2020 15:03:25 +0530 -Subject: qom: code hardening - have bound checking while looping with integer - value -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 1bf8b88f144bee747e386c88d45d772e066bbb36 -References: bsc#1187529 CVE-2021-3611 - -Object property insertion code iterates over an integer to get an unused -index that can be used as an unique name for an object property. This loop -increments the integer value indefinitely. Although very unlikely, this can -still cause an integer overflow. -In this change, we fix the above code by checking against INT16_MAX and making -sure that the interger index does not overflow beyond that value. If no -available index is found, the code would cause an assertion failure. This -assertion failure is necessary because the callers of the function do not check -the return value for NULL. - -Signed-off-by: Ani Sinha -Signed-off-by: Eduardo Habkost -Reviewed-by: Daniel P. Berrangé -Message-Id: <20200921093325.25617-1-ani@anisinha.ca> -Signed-off-by: Eduardo Habkost -Signed-off-by: Cho, Yu-Chen ---- - qom/object.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/qom/object.c b/qom/object.c -index 6bff8782dcff40588f2191dadcb0..39d978df6a551b091ae9718cfd40 100644 ---- a/qom/object.c -+++ b/qom/object.c -@@ -1089,11 +1089,11 @@ object_property_add(Object *obj, const char *name, const char *type, - - if (name_len >= 3 && !memcmp(name + name_len - 3, "[*]", 4)) { - int i; -- ObjectProperty *ret; -+ ObjectProperty *ret = NULL; - char *name_no_array = g_strdup(name); - - name_no_array[name_len - 3] = '\0'; -- for (i = 0; ; ++i) { -+ for (i = 0; i < INT16_MAX; ++i) { - char *full_name = g_strdup_printf("%s[%d]", name_no_array, i); - - ret = object_property_add(obj, full_name, type, get, set, -@@ -1104,6 +1104,7 @@ object_property_add(Object *obj, const char *name, const char *type, - } - } - g_free(name_no_array); -+ assert(ret); - return ret; - } - diff --git a/packaging/qom-make-object_ref-unref-use-a-void-ins.patch b/packaging/qom-make-object_ref-unref-use-a-void-ins.patch deleted file mode 100644 index 3eceae2bc..000000000 --- a/packaging/qom-make-object_ref-unref-use-a-void-ins.patch +++ /dev/null @@ -1,75 +0,0 @@ -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= -Date: Mon, 31 Aug 2020 17:07:23 -0400 -Subject: qom: make object_ref/unref use a void * instead of Object *. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: c5a61e5a3c68144a421117916aef04f2c0fab84b -References: bsc#1184574 - -The object_ref/unref methods are intended for use with any subclass of -the base Object. Using "Object *" in the signature is not adding any -meaningful level of type safety, since callers simply use "OBJECT(ptr)" -and this expands to an unchecked cast "(Object *)". - -By using "void *" we enable the object_unref() method to be used to -provide support for g_autoptr() with any subclass. - -Signed-off-by: Daniel P. Berrangé -Message-Id: <20200723181410.3145233-2-berrange@redhat.com> -Message-Id: <20200831210740.126168-2-ehabkost@redhat.com> -Signed-off-by: Eduardo Habkost -Signed-off-by: Lin Ma ---- - include/qom/object.h | 4 ++-- - qom/object.c | 6 ++++-- - 2 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/include/qom/object.h b/include/qom/object.h -index 128d00c77fd6597c4b70bd5f124f..d1e4c2e11524fd3d26520331c3d6 100644 ---- a/include/qom/object.h -+++ b/include/qom/object.h -@@ -974,7 +974,7 @@ GSList *object_class_get_list_sorted(const char *implements_type, - * Increase the reference count of a object. A object cannot be freed as long - * as its reference count is greater than zero. - */ --void object_ref(Object *obj); -+void object_ref(void *obj); - - /** - * object_unref: -@@ -983,7 +983,7 @@ void object_ref(Object *obj); - * Decrease the reference count of a object. A object cannot be freed as long - * as its reference count is greater than zero. - */ --void object_unref(Object *obj); -+void object_unref(void *obj); - - /** - * object_property_add: -diff --git a/qom/object.c b/qom/object.c -index d51b57fba11e335b9dab056327ef..6bff8782dcff40588f2191dadcb0 100644 ---- a/qom/object.c -+++ b/qom/object.c -@@ -1054,16 +1054,18 @@ GSList *object_class_get_list_sorted(const char *implements_type, - object_class_cmp); - } - --void object_ref(Object *obj) -+void object_ref(void *objptr) - { -+ Object *obj = OBJECT(objptr); - if (!obj) { - return; - } - atomic_inc(&obj->ref); - } - --void object_unref(Object *obj) -+void object_unref(void *objptr) - { -+ Object *obj = OBJECT(objptr); - if (!obj) { - return; - } diff --git a/packaging/qtest-Reintroduce-qtest_qmp_receive-with.patch b/packaging/qtest-Reintroduce-qtest_qmp_receive-with.patch deleted file mode 100644 index 681dcd2a2..000000000 --- a/packaging/qtest-Reintroduce-qtest_qmp_receive-with.patch +++ /dev/null @@ -1,159 +0,0 @@ -From: Maxim Levitsky -Date: Tue, 6 Oct 2020 15:38:53 +0300 -Subject: qtest: Reintroduce qtest_qmp_receive with QMP event buffering - -Git-commit: c22045bfe6d5ceebd414ff53ff23fff7ad5930d1 -References: bsc#1184574 - -The new qtest_qmp_receive buffers all the received qmp events, allowing -qtest_qmp_eventwait_ref to return them. - -This is intended to solve the race in regard to ordering of qmp events -vs qmp responses, as soon as the callers start using the new interface. - -In addition to that, define qtest_qmp_event_ref a function which only scans -the buffer that qtest_qmp_receive stores the events to. This is intended -for callers that are only interested in events that were received during -the last call to the qtest_qmp_receive. - -Suggested-by: Paolo Bonzini -Signed-off-by: Maxim Levitsky -Message-Id: <20201006123904.610658-3-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - tests/libqtest.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++- - tests/libqtest.h | 23 +++++++++++++++++++++++ - 2 files changed, 70 insertions(+), 1 deletion(-) - -diff --git a/tests/libqtest.c b/tests/libqtest.c -index a6c446237f06a379880849012103..80476fef3edb1e6bd7ceff832859 100644 ---- a/tests/libqtest.c -+++ b/tests/libqtest.c -@@ -45,6 +45,7 @@ struct QTestState - bool big_endian; - bool irq_level[MAX_IRQ]; - GString *rx; -+ GList *pending_events; - }; - - static GHookList abrt_hooks; -@@ -250,6 +251,7 @@ QTestState *qtest_init_without_qmp_handshake(const char *extra_args) - - g_test_message("starting QEMU: %s", command); - -+ s->pending_events = NULL; - s->wstatus = 0; - s->expected_status = 0; - s->qemu_pid = fork(); -@@ -357,6 +359,13 @@ void qtest_quit(QTestState *s) - close(s->fd); - close(s->qmp_fd); - g_string_free(s->rx, true); -+ -+ for (GList *it = s->pending_events; it != NULL; it = it->next) { -+ qobject_unref((QDict *)it->data); -+ } -+ -+ g_list_free(s->pending_events); -+ - g_free(s); - } - -@@ -575,6 +584,19 @@ QDict *qmp_fd_receive(int fd) - return qmp.response; - } - -+QDict *qtest_qmp_receive(QTestState *s) -+{ -+ while (true) { -+ QDict *response = qtest_qmp_receive_dict(s); -+ -+ if (!qdict_get_try_str(response, "event")) { -+ return response; -+ } -+ /* Stash the event for a later consumption */ -+ s->pending_events = g_list_prepend(s->pending_events, response); -+ } -+} -+ - QDict *qtest_qmp_receive_dict(QTestState *s) - { - return qmp_fd_receive(s->qmp_fd); -@@ -743,10 +765,34 @@ void qtest_qmp_send_raw(QTestState *s, const char *fmt, ...) - va_end(ap); - } - --QDict *qtest_qmp_eventwait_ref(QTestState *s, const char *event) -+QDict *qtest_qmp_event_ref(QTestState *s, const char *event) - { -+ GList *next = NULL; - QDict *response; - -+ for (GList *it = s->pending_events; it != NULL; it = next) { -+ -+ next = it->next; -+ response = (QDict *)it->data; -+ -+ s->pending_events = g_list_remove_link(s->pending_events, it); -+ -+ if (!strcmp(qdict_get_str(response, "event"), event)) { -+ return response; -+ } -+ qobject_unref(response); -+ } -+ return NULL; -+} -+ -+QDict *qtest_qmp_eventwait_ref(QTestState *s, const char *event) -+{ -+ QDict *response = qtest_qmp_event_ref(s, event); -+ -+ if (response) { -+ return response; -+ } -+ - for (;;) { - response = qtest_qmp_receive_dict(s); - if ((qdict_haskey(response, "event")) && -diff --git a/tests/libqtest.h b/tests/libqtest.h -index 63818d0d607765cdafe5ed0354e2..a8d0aea4d4e871ef35bbaf481fcb 100644 ---- a/tests/libqtest.h -+++ b/tests/libqtest.h -@@ -198,6 +198,16 @@ void qtest_qmp_vsend(QTestState *s, const char *fmt, va_list ap) - */ - QDict *qtest_qmp_receive_dict(QTestState *s); - -+/** -+ * qtest_qmp_receive: -+ * @s: #QTestState instance to operate on. -+ * -+ * Reads a QMP message from QEMU and returns the response. -+ * Buffers all the events received meanwhile, until a -+ * call to qtest_qmp_eventwait -+ */ -+QDict *qtest_qmp_receive(QTestState *s); -+ - /** - * qtest_qmp_eventwait: - * @s: #QTestState instance to operate on. -@@ -217,6 +227,19 @@ void qtest_qmp_eventwait(QTestState *s, const char *event); - */ - QDict *qtest_qmp_eventwait_ref(QTestState *s, const char *event); - -+/** -+ * qtest_qmp_event_ref: -+ * @s: #QTestState instance to operate on. -+ * @event: event to return. -+ * -+ * Removes non-matching events from the buffer that was set by -+ * qtest_qmp_receive, until an event bearing the given name is found, -+ * and returns it. -+ * If no event matches, clears the buffer and returns NULL. -+ * -+ */ -+QDict *qtest_qmp_event_ref(QTestState *s, const char *event); -+ - /** - * qtest_qmp_receive_success: - * @s: #QTestState instance to operate on diff --git a/packaging/qtest-check-that-drives-are-really-appea.patch b/packaging/qtest-check-that-drives-are-really-appea.patch deleted file mode 100644 index 6fece9562..000000000 --- a/packaging/qtest-check-that-drives-are-really-appea.patch +++ /dev/null @@ -1,80 +0,0 @@ -From: Paolo Bonzini -Date: Wed, 7 Oct 2020 05:50:22 -0400 -Subject: qtest: check that drives are really appearing and disappearing - -Git-commit: 9a613ddccce125e4cc3a4a23c294837c906440d6 -References: bsc#1184574 - -Do not just trust the HMP commands to create and delete the drive, use -query-block to check that this is actually the case. - -Reviewed-by: Kevin Wolf -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - tests/drive_del-test.c | 32 +++++++++++++++++++++++++++++++- - 1 file changed, 31 insertions(+), 1 deletion(-) - -diff --git a/tests/drive_del-test.c b/tests/drive_del-test.c -index 64c0fe242bed07073b7a3dcf635d..de0dc6f5bedff9989740b31325e6 100644 ---- a/tests/drive_del-test.c -+++ b/tests/drive_del-test.c -@@ -14,20 +14,49 @@ - #include "libqtest.h" - #include "libqos/virtio.h" - #include "qapi/qmp/qdict.h" -+#include "qapi/qmp/qlist.h" -+ -+static bool has_drive(QTestState *qts) -+{ -+ QDict *response; -+ QList *ret; -+ QListEntry *entry; -+ bool found; -+ -+ response = qtest_qmp(qts, "{'execute': 'query-block'}"); -+ g_assert(response && qdict_haskey(response, "return")); -+ ret = qdict_get_qlist(response, "return"); -+ -+ found = false; -+ QLIST_FOREACH_ENTRY(ret, entry) { -+ QDict *entry_dict = qobject_to(QDict, entry->value); -+ if (!strcmp(qdict_get_str(entry_dict, "device"), "drive0")) { -+ found = true; -+ break; -+ } -+ } -+ -+ qobject_unref(response); -+ return found; -+} - - static void drive_add(QTestState *qts) - { - char *resp = qtest_hmp(qts, "drive_add 0 if=none,id=drive0"); - - g_assert_cmpstr(resp, ==, "OK\r\n"); -+ g_assert(has_drive(qts)); - g_free(resp); - } - - static void drive_del(QTestState *qts) - { -- char *resp = qtest_hmp(qts, "drive_del drive0"); -+ char *resp; - -+ g_assert(has_drive(qts)); -+ resp = qtest_hmp(qts, "drive_del drive0"); - g_assert_cmpstr(resp, ==, ""); -+ g_assert(!has_drive(qts)); - g_free(resp); - } - -@@ -130,6 +159,7 @@ static void test_drive_del_device_del(void) - */ - drive_del(qts); - device_del(qts); -+ g_assert(!has_drive(qts)); - - qtest_quit(qts); - } diff --git a/packaging/qtest-remove-qtest_qmp_receive_success.patch b/packaging/qtest-remove-qtest_qmp_receive_success.patch deleted file mode 100644 index 3ee8a3a85..000000000 --- a/packaging/qtest-remove-qtest_qmp_receive_success.patch +++ /dev/null @@ -1,194 +0,0 @@ -From: Maxim Levitsky -Date: Tue, 6 Oct 2020 08:59:32 -0400 -Subject: qtest: remove qtest_qmp_receive_success - -Git-commit: 5e34005571af53b73e4a10cb2c6e0712cf6b8d2c -References: bsc#1184574 - -The purpose of qtest_qmp_receive_success was mostly to process events -that arrived between the issueing of a command and the "return" -line from QMP. This is now handled by the buffering of events -that libqtest performs automatically. - -Signed-off-by: Paolo Bonzini -Signed-off-by: Maxim Levitsky -Signed-off-by: Lin Ma ---- - tests/libqtest.c | 53 ++++----------------------------------- - tests/libqtest.h | 17 ------------- - tests/migration-helpers.c | 25 ++++++++++++++---- - 3 files changed, 25 insertions(+), 70 deletions(-) - -diff --git a/tests/libqtest.c b/tests/libqtest.c -index 80476fef3edb1e6bd7ceff832859..e9bca67b5e7bae026039822d979d 100644 ---- a/tests/libqtest.c -+++ b/tests/libqtest.c -@@ -1259,35 +1259,6 @@ void qtest_cb_for_every_machine(void (*cb)(const char *machine), - qobject_unref(response); - } - --QDict *qtest_qmp_receive_success(QTestState *s, -- void (*event_cb)(void *opaque, -- const char *event, -- QDict *data), -- void *opaque) --{ -- QDict *response, *ret, *data; -- const char *event; -- -- for (;;) { -- response = qtest_qmp_receive_dict(s); -- g_assert(!qdict_haskey(response, "error")); -- ret = qdict_get_qdict(response, "return"); -- if (ret) { -- break; -- } -- event = qdict_get_str(response, "event"); -- data = qdict_get_qdict(response, "data"); -- if (event_cb) { -- event_cb(opaque, event, data); -- } -- qobject_unref(response); -- } -- -- qobject_ref(ret); -- qobject_unref(response); -- return ret; --} -- - /* - * Generic hot-plugging test via the device_add QMP commands. - */ -@@ -1323,13 +1294,6 @@ void qtest_qmp_device_add(QTestState *qts, const char *driver, const char *id, - qobject_unref(args); - } - --static void device_deleted_cb(void *opaque, const char *name, QDict *data) --{ -- bool *got_event = opaque; -- -- g_assert_cmpstr(name, ==, "DEVICE_DELETED"); -- *got_event = true; --} - - /* - * Generic hot-unplugging test via the device_del QMP command. -@@ -1346,24 +1310,17 @@ static void device_deleted_cb(void *opaque, const char *name, QDict *data) - * and this one: - * - * {"return": {}} -- * -- * But the order of arrival may vary - so we've got to detect both. - */ - void qtest_qmp_device_del(QTestState *qts, const char *id) - { -- bool got_event = false; - QDict *rsp; - -- qtest_qmp_send(qts, "{'execute': 'device_del', 'arguments': {'id': %s}}", -- id); -- rsp = qtest_qmp_receive_success(qts, device_deleted_cb, &got_event); -+ rsp = qtest_qmp(qts, "{'execute': 'device_del', 'arguments': {'id': %s}}", -+ id); -+ -+ g_assert(qdict_haskey(rsp, "return")); - qobject_unref(rsp); -- if (!got_event) { -- rsp = qtest_qmp_receive_dict(qts); -- g_assert_cmpstr(qdict_get_try_str(rsp, "event"), -- ==, "DEVICE_DELETED"); -- qobject_unref(rsp); -- } -+ qtest_qmp_eventwait(qts, "DEVICE_DELETED"); - } - - bool qmp_rsp_is_err(QDict *rsp) -diff --git a/tests/libqtest.h b/tests/libqtest.h -index a8d0aea4d4e871ef35bbaf481fcb..2ac3c107c00aff0641b261fe0d24 100644 ---- a/tests/libqtest.h -+++ b/tests/libqtest.h -@@ -240,23 +240,6 @@ QDict *qtest_qmp_eventwait_ref(QTestState *s, const char *event); - */ - QDict *qtest_qmp_event_ref(QTestState *s, const char *event); - --/** -- * qtest_qmp_receive_success: -- * @s: #QTestState instance to operate on -- * @event_cb: Event callback -- * @opaque: Argument for @event_cb -- * -- * Poll QMP messages until a command success response is received. -- * If @event_cb, call it for each event received, passing @opaque, -- * the event's name and data. -- * Return the success response's "return" member. -- */ --QDict *qtest_qmp_receive_success(QTestState *s, -- void (*event_cb)(void *opaque, -- const char *name, -- QDict *data), -- void *opaque); -- - /** - * qtest_hmp: - * @s: #QTestState instance to operate on. -diff --git a/tests/migration-helpers.c b/tests/migration-helpers.c -index 516093b39a9e79f06a02ede44080..b799dbafb711fcd9e994631e73bb 100644 ---- a/tests/migration-helpers.c -+++ b/tests/migration-helpers.c -@@ -17,10 +17,12 @@ - - bool got_stop; - --static void stop_cb(void *opaque, const char *name, QDict *data) -+static void check_stop_event(QTestState *who) - { -- if (!strcmp(name, "STOP")) { -+ QDict *event = qtest_qmp_event_ref(who, "STOP"); -+ if (event) { - got_stop = true; -+ qobject_unref(event); - } - } - -@@ -30,12 +32,19 @@ static void stop_cb(void *opaque, const char *name, QDict *data) - QDict *wait_command_fd(QTestState *who, int fd, const char *command, ...) - { - va_list ap; -+ QDict *resp; - - va_start(ap, command); - qtest_qmp_vsend_fds(who, &fd, 1, command, ap); - va_end(ap); - -- return qtest_qmp_receive_success(who, stop_cb, NULL); -+ resp = qtest_qmp_receive(who); -+ check_stop_event(who); -+ -+ g_assert(!qdict_haskey(resp, "error")); -+ g_assert(qdict_haskey(resp, "return")); -+ -+ return qdict_get_qdict(resp, "return"); - } - - /* -@@ -44,12 +53,18 @@ QDict *wait_command_fd(QTestState *who, int fd, const char *command, ...) - QDict *wait_command(QTestState *who, const char *command, ...) - { - va_list ap; -+ QDict *resp; - - va_start(ap, command); -- qtest_qmp_vsend(who, command, ap); -+ resp = qtest_vqmp(who, command, ap); - va_end(ap); - -- return qtest_qmp_receive_success(who, stop_cb, NULL); -+ check_stop_event(who); -+ -+ g_assert(!qdict_haskey(resp, "error")); -+ g_assert(qdict_haskey(resp, "return")); -+ -+ return qdict_get_qdict(resp, "return"); - } - - /* diff --git a/packaging/qtest-rename-qtest_qmp_receive-to-qtest_.patch b/packaging/qtest-rename-qtest_qmp_receive-to-qtest_.patch deleted file mode 100644 index f7ea828c1..000000000 --- a/packaging/qtest-rename-qtest_qmp_receive-to-qtest_.patch +++ /dev/null @@ -1,258 +0,0 @@ -From: Maxim Levitsky -Date: Tue, 6 Oct 2020 14:38:52 +0200 -Subject: qtest: rename qtest_qmp_receive to qtest_qmp_receive_dict - -Git-commit: 1c3e2a38de4e3094dfaf1e4dd73b1e5a91df8fe9 -References: bsc#1184574 - -In the next patch a new version of qtest_qmp_receive will be -reintroduced that will buffer received qmp events for later -consumption in qtest_qmp_eventwait_ref - -No functional change intended. - -Suggested-by: Paolo Bonzini -Signed-off-by: Maxim Levitsky -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - tests/ahci-test.c | 4 ++-- - tests/device-plug-test.c | 2 +- - tests/drive_del-test.c | 2 +- - tests/libqtest.c | 16 ++++++++-------- - tests/libqtest.h | 4 ++-- - tests/pvpanic-test.c | 2 +- - tests/qmp-test.c | 18 +++++++++--------- - 7 files changed, 24 insertions(+), 24 deletions(-) - -diff --git a/tests/ahci-test.c b/tests/ahci-test.c -index c8d42ceea0575db645ce62ec2f0b..39c14f60f046fb8cf7522e2a1204 100644 ---- a/tests/ahci-test.c -+++ b/tests/ahci-test.c -@@ -1589,7 +1589,7 @@ static void test_atapi_tray(void) - qtest_qmp_send(ahci->parent->qts, "{'execute': 'blockdev-open-tray', " - "'arguments': {'id': 'cd0'}}"); - atapi_wait_tray(ahci, true); -- rsp = qtest_qmp_receive(ahci->parent->qts); -+ rsp = qtest_qmp_receive_dict(ahci->parent->qts); - qobject_unref(rsp); - - qmp_discard_response(ahci->parent->qts, -@@ -1619,7 +1619,7 @@ static void test_atapi_tray(void) - qtest_qmp_send(ahci->parent->qts, "{'execute': 'blockdev-close-tray', " - "'arguments': {'id': 'cd0'}}"); - atapi_wait_tray(ahci, false); -- rsp = qtest_qmp_receive(ahci->parent->qts); -+ rsp = qtest_qmp_receive_dict(ahci->parent->qts); - qobject_unref(rsp); - - /* Now, to convince ATAPI we understand the media has changed... */ -diff --git a/tests/device-plug-test.c b/tests/device-plug-test.c -index 318e422d518c012c2b303d0ec0c1..f44bf0bb8496819391821a7b71da 100644 ---- a/tests/device-plug-test.c -+++ b/tests/device-plug-test.c -@@ -23,7 +23,7 @@ static void device_del_start(QTestState *qtest, const char *id) - - static void device_del_finish(QTestState *qtest) - { -- QDict *resp = qtest_qmp_receive(qtest); -+ QDict *resp = qtest_qmp_receive_dict(qtest); - - g_assert(qdict_haskey(resp, "return")); - qobject_unref(resp); -diff --git a/tests/drive_del-test.c b/tests/drive_del-test.c -index 5f8839b2320f42d2659e2a58e15f..f15ffdf018f9fac6fc10d3b42fe0 100644 ---- a/tests/drive_del-test.c -+++ b/tests/drive_del-test.c -@@ -41,7 +41,7 @@ static void device_del(QTestState *qts) - /* Complication: ignore DEVICE_DELETED event */ - qmp_discard_response(qts, "{'execute': 'device_del'," - " 'arguments': { 'id': 'dev0' } }"); -- response = qtest_qmp_receive(qts); -+ response = qtest_qmp_receive_dict(qts); - g_assert(response); - g_assert(qdict_haskey(response, "return")); - qobject_unref(response); -diff --git a/tests/libqtest.c b/tests/libqtest.c -index 91e9cb220c59caf8bb35b057d346..a6c446237f06a379880849012103 100644 ---- a/tests/libqtest.c -+++ b/tests/libqtest.c -@@ -293,7 +293,7 @@ QTestState *qtest_init(const char *extra_args) - QDict *greeting; - - /* Read the QMP greeting and then do the handshake */ -- greeting = qtest_qmp_receive(s); -+ greeting = qtest_qmp_receive_dict(s); - qobject_unref(greeting); - qobject_unref(qtest_qmp(s, "{ 'execute': 'qmp_capabilities' }")); - -@@ -575,7 +575,7 @@ QDict *qmp_fd_receive(int fd) - return qmp.response; - } - --QDict *qtest_qmp_receive(QTestState *s) -+QDict *qtest_qmp_receive_dict(QTestState *s) - { - return qmp_fd_receive(s->qmp_fd); - } -@@ -650,7 +650,7 @@ QDict *qtest_vqmp_fds(QTestState *s, int *fds, size_t fds_num, - qtest_qmp_vsend_fds(s, fds, fds_num, fmt, ap); - - /* Receive reply */ -- return qtest_qmp_receive(s); -+ return qtest_qmp_receive_dict(s); - } - - QDict *qtest_vqmp(QTestState *s, const char *fmt, va_list ap) -@@ -658,7 +658,7 @@ QDict *qtest_vqmp(QTestState *s, const char *fmt, va_list ap) - qtest_qmp_vsend(s, fmt, ap); - - /* Receive reply */ -- return qtest_qmp_receive(s); -+ return qtest_qmp_receive_dict(s); - } - - QDict *qmp_fd(int fd, const char *fmt, ...) -@@ -748,7 +748,7 @@ QDict *qtest_qmp_eventwait_ref(QTestState *s, const char *event) - QDict *response; - - for (;;) { -- response = qtest_qmp_receive(s); -+ response = qtest_qmp_receive_dict(s); - if ((qdict_haskey(response, "event")) && - (strcmp(qdict_get_str(response, "event"), event) == 0)) { - return response; -@@ -779,7 +779,7 @@ char *qtest_vhmp(QTestState *s, const char *fmt, va_list ap) - while (ret == NULL && qdict_get_try_str(resp, "event")) { - /* Ignore asynchronous QMP events */ - qobject_unref(resp); -- resp = qtest_qmp_receive(s); -+ resp = qtest_qmp_receive_dict(s); - ret = g_strdup(qdict_get_try_str(resp, "return")); - } - g_assert(ret); -@@ -1223,7 +1223,7 @@ QDict *qtest_qmp_receive_success(QTestState *s, - const char *event; - - for (;;) { -- response = qtest_qmp_receive(s); -+ response = qtest_qmp_receive_dict(s); - g_assert(!qdict_haskey(response, "error")); - ret = qdict_get_qdict(response, "return"); - if (ret) { -@@ -1313,7 +1313,7 @@ void qtest_qmp_device_del(QTestState *qts, const char *id) - rsp = qtest_qmp_receive_success(qts, device_deleted_cb, &got_event); - qobject_unref(rsp); - if (!got_event) { -- rsp = qtest_qmp_receive(qts); -+ rsp = qtest_qmp_receive_dict(qts); - g_assert_cmpstr(qdict_get_try_str(rsp, "event"), - ==, "DEVICE_DELETED"); - qobject_unref(rsp); -diff --git a/tests/libqtest.h b/tests/libqtest.h -index c9e21e05b37a0efe65ee31f9d66a..63818d0d607765cdafe5ed0354e2 100644 ---- a/tests/libqtest.h -+++ b/tests/libqtest.h -@@ -191,12 +191,12 @@ void qtest_qmp_vsend(QTestState *s, const char *fmt, va_list ap) - GCC_FMT_ATTR(2, 0); - - /** -- * qtest_receive: -+ * qtest_qmp_receive_dict: - * @s: #QTestState instance to operate on. - * - * Reads a QMP message from QEMU and returns the response. - */ --QDict *qtest_qmp_receive(QTestState *s); -+QDict *qtest_qmp_receive_dict(QTestState *s); - - /** - * qtest_qmp_eventwait: -diff --git a/tests/pvpanic-test.c b/tests/pvpanic-test.c -index ff9176adf3ce2ddb60ce7a44b56b..15fd98db626fc9d58126f05bdbfa 100644 ---- a/tests/pvpanic-test.c -+++ b/tests/pvpanic-test.c -@@ -24,7 +24,7 @@ static void test_panic(void) - - qtest_outb(qts, 0x505, 0x1); - -- response = qtest_qmp_receive(qts); -+ response = qtest_qmp_receive_dict(qts); - g_assert(qdict_haskey(response, "event")); - g_assert_cmpstr(qdict_get_str(response, "event"), ==, "GUEST_PANICKED"); - g_assert(qdict_haskey(response, "data")); -diff --git a/tests/qmp-test.c b/tests/qmp-test.c -index 1b0eb698324efa60d30a0ec289c2..42f4255499a6a9605050c1c441f3 100644 ---- a/tests/qmp-test.c -+++ b/tests/qmp-test.c -@@ -47,37 +47,37 @@ static void test_malformed(QTestState *qts) - - /* syntax error */ - qtest_qmp_send_raw(qts, "{]\n"); -- resp = qtest_qmp_receive(qts); -+ resp = qtest_qmp_receive_dict(qts); - qmp_assert_error_class(resp, "GenericError"); - assert_recovered(qts); - - /* lexical error: impossible byte outside string */ - qtest_qmp_send_raw(qts, "{\xFF"); -- resp = qtest_qmp_receive(qts); -+ resp = qtest_qmp_receive_dict(qts); - qmp_assert_error_class(resp, "GenericError"); - assert_recovered(qts); - - /* lexical error: funny control character outside string */ - qtest_qmp_send_raw(qts, "{\x01"); -- resp = qtest_qmp_receive(qts); -+ resp = qtest_qmp_receive_dict(qts); - qmp_assert_error_class(resp, "GenericError"); - assert_recovered(qts); - - /* lexical error: impossible byte in string */ - qtest_qmp_send_raw(qts, "{'bad \xFF"); -- resp = qtest_qmp_receive(qts); -+ resp = qtest_qmp_receive_dict(qts); - qmp_assert_error_class(resp, "GenericError"); - assert_recovered(qts); - - /* lexical error: control character in string */ - qtest_qmp_send_raw(qts, "{'execute': 'nonexistent', 'id':'\n"); -- resp = qtest_qmp_receive(qts); -+ resp = qtest_qmp_receive_dict(qts); - qmp_assert_error_class(resp, "GenericError"); - assert_recovered(qts); - - /* lexical error: interpolation */ - qtest_qmp_send_raw(qts, "%%p"); -- resp = qtest_qmp_receive(qts); -+ resp = qtest_qmp_receive_dict(qts); - qmp_assert_error_class(resp, "GenericError"); - assert_recovered(qts); - -@@ -111,7 +111,7 @@ static void test_qmp_protocol(void) - qts = qtest_init_without_qmp_handshake(common_args); - - /* Test greeting */ -- resp = qtest_qmp_receive(qts); -+ resp = qtest_qmp_receive_dict(qts); - q = qdict_get_qdict(resp, "QMP"); - g_assert(q); - test_version(qdict_get(q, "version")); -@@ -205,7 +205,7 @@ static void send_oob_cmd_that_fails(QTestState *s, const char *id) - - static void recv_cmd_id(QTestState *s, const char *id) - { -- QDict *resp = qtest_qmp_receive(s); -+ QDict *resp = qtest_qmp_receive_dict(s); - - g_assert_cmpstr(qdict_get_try_str(resp, "id"), ==, id); - qobject_unref(resp); -@@ -222,7 +222,7 @@ static void test_qmp_oob(void) - qts = qtest_init_without_qmp_handshake(common_args); - - /* Check the greeting message. */ -- resp = qtest_qmp_receive(qts); -+ resp = qtest_qmp_receive_dict(qts); - q = qdict_get_qdict(resp, "QMP"); - g_assert(q); - capabilities = qdict_get_qlist(q, "capabilities"); diff --git a/packaging/qtest-switch-users-back-to-qtest_qmp_rec.patch b/packaging/qtest-switch-users-back-to-qtest_qmp_rec.patch deleted file mode 100644 index 04c281304..000000000 --- a/packaging/qtest-switch-users-back-to-qtest_qmp_rec.patch +++ /dev/null @@ -1,160 +0,0 @@ -From: Maxim Levitsky -Date: Tue, 6 Oct 2020 15:38:53 +0300 -Subject: qtest: switch users back to qtest_qmp_receive - -Git-commit: bb1a5b97f75ae209d8707f698da23088d7b9bbb5 -References: bsc#1184574 - -Let test use the new functionality for buffering events. -The only remaining users of qtest_qmp_receive_dict are tests -that fuzz the QMP protocol. - -Tested with 'make check-qtest'. - -Signed-off-by: Maxim Levitsky -Message-Id: <20201006123904.610658-4-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - tests/ahci-test.c | 4 ++-- - tests/drive_del-test.c | 9 +++------ - tests/libqtest.c | 12 +++--------- - tests/pvpanic-test.c | 4 +--- - tests/tpm-util.c | 8 ++++++-- - 5 files changed, 15 insertions(+), 22 deletions(-) - -diff --git a/tests/ahci-test.c b/tests/ahci-test.c -index 39c14f60f046fb8cf7522e2a1204..c8d42ceea0575db645ce62ec2f0b 100644 ---- a/tests/ahci-test.c -+++ b/tests/ahci-test.c -@@ -1589,7 +1589,7 @@ static void test_atapi_tray(void) - qtest_qmp_send(ahci->parent->qts, "{'execute': 'blockdev-open-tray', " - "'arguments': {'id': 'cd0'}}"); - atapi_wait_tray(ahci, true); -- rsp = qtest_qmp_receive_dict(ahci->parent->qts); -+ rsp = qtest_qmp_receive(ahci->parent->qts); - qobject_unref(rsp); - - qmp_discard_response(ahci->parent->qts, -@@ -1619,7 +1619,7 @@ static void test_atapi_tray(void) - qtest_qmp_send(ahci->parent->qts, "{'execute': 'blockdev-close-tray', " - "'arguments': {'id': 'cd0'}}"); - atapi_wait_tray(ahci, false); -- rsp = qtest_qmp_receive_dict(ahci->parent->qts); -+ rsp = qtest_qmp_receive(ahci->parent->qts); - qobject_unref(rsp); - - /* Now, to convince ATAPI we understand the media has changed... */ -diff --git a/tests/drive_del-test.c b/tests/drive_del-test.c -index f15ffdf018f9fac6fc10d3b42fe0..64c0fe242bed07073b7a3dcf635d 100644 ---- a/tests/drive_del-test.c -+++ b/tests/drive_del-test.c -@@ -15,9 +15,6 @@ - #include "libqos/virtio.h" - #include "qapi/qmp/qdict.h" - --/* TODO actually test the results and get rid of this */ --#define qmp_discard_response(q, ...) qobject_unref(qtest_qmp(q, __VA_ARGS__)) -- - static void drive_add(QTestState *qts) - { - char *resp = qtest_hmp(qts, "drive_add 0 if=none,id=drive0"); -@@ -38,13 +35,13 @@ static void device_del(QTestState *qts) - { - QDict *response; - -- /* Complication: ignore DEVICE_DELETED event */ -- qmp_discard_response(qts, "{'execute': 'device_del'," -+ response = qtest_qmp(qts, "{'execute': 'device_del'," - " 'arguments': { 'id': 'dev0' } }"); -- response = qtest_qmp_receive_dict(qts); - g_assert(response); - g_assert(qdict_haskey(response, "return")); - qobject_unref(response); -+ -+ qtest_qmp_eventwait(qts, "DEVICE_DELETED"); - } - - static void test_drive_without_dev(void) -diff --git a/tests/libqtest.c b/tests/libqtest.c -index e9bca67b5e7bae026039822d979d..fe82b11e046fef5eea32ac602463 100644 ---- a/tests/libqtest.c -+++ b/tests/libqtest.c -@@ -295,7 +295,7 @@ QTestState *qtest_init(const char *extra_args) - QDict *greeting; - - /* Read the QMP greeting and then do the handshake */ -- greeting = qtest_qmp_receive_dict(s); -+ greeting = qtest_qmp_receive(s); - qobject_unref(greeting); - qobject_unref(qtest_qmp(s, "{ 'execute': 'qmp_capabilities' }")); - -@@ -672,7 +672,7 @@ QDict *qtest_vqmp_fds(QTestState *s, int *fds, size_t fds_num, - qtest_qmp_vsend_fds(s, fds, fds_num, fmt, ap); - - /* Receive reply */ -- return qtest_qmp_receive_dict(s); -+ return qtest_qmp_receive(s); - } - - QDict *qtest_vqmp(QTestState *s, const char *fmt, va_list ap) -@@ -680,7 +680,7 @@ QDict *qtest_vqmp(QTestState *s, const char *fmt, va_list ap) - qtest_qmp_vsend(s, fmt, ap); - - /* Receive reply */ -- return qtest_qmp_receive_dict(s); -+ return qtest_qmp_receive(s); - } - - QDict *qmp_fd(int fd, const char *fmt, ...) -@@ -822,12 +822,6 @@ char *qtest_vhmp(QTestState *s, const char *fmt, va_list ap) - " 'arguments': {'command-line': %s}}", - cmd); - ret = g_strdup(qdict_get_try_str(resp, "return")); -- while (ret == NULL && qdict_get_try_str(resp, "event")) { -- /* Ignore asynchronous QMP events */ -- qobject_unref(resp); -- resp = qtest_qmp_receive_dict(s); -- ret = g_strdup(qdict_get_try_str(resp, "return")); -- } - g_assert(ret); - qobject_unref(resp); - g_free(cmd); -diff --git a/tests/pvpanic-test.c b/tests/pvpanic-test.c -index 15fd98db626fc9d58126f05bdbfa..dd724cbdc882ad59e2ecf8984f95 100644 ---- a/tests/pvpanic-test.c -+++ b/tests/pvpanic-test.c -@@ -24,9 +24,7 @@ static void test_panic(void) - - qtest_outb(qts, 0x505, 0x1); - -- response = qtest_qmp_receive_dict(qts); -- g_assert(qdict_haskey(response, "event")); -- g_assert_cmpstr(qdict_get_str(response, "event"), ==, "GUEST_PANICKED"); -+ response = qtest_qmp_eventwait_ref(qts, "GUEST_PANICKED"); - g_assert(qdict_haskey(response, "data")); - data = qdict_get_qdict(response, "data"); - g_assert(qdict_haskey(data, "action")); -diff --git a/tests/tpm-util.c b/tests/tpm-util.c -index e08b13765148f3c44e8a97564a03..f814a1cf7d2c82721eb1104ee4e0 100644 ---- a/tests/tpm-util.c -+++ b/tests/tpm-util.c -@@ -236,12 +236,16 @@ void tpm_util_migrate(QTestState *who, const char *uri) - void tpm_util_wait_for_migration_complete(QTestState *who) - { - while (true) { -+ QDict *rsp; - QDict *rsp_return; - bool completed; - const char *status; - -- qtest_qmp_send(who, "{ 'execute': 'query-migrate' }"); -- rsp_return = qtest_qmp_receive_success(who, NULL, NULL); -+ rsp = qtest_qmp(who, "{ 'execute': 'query-migrate' }"); -+ g_assert(qdict_haskey(rsp, "return")); -+ rsp_return = qdict_get_qdict(rsp, "return"); -+ -+ g_assert(!qdict_haskey(rsp_return, "error")); - status = qdict_get_str(rsp_return, "status"); - completed = strcmp(status, "completed") == 0; - g_assert_cmpstr(status, !=, "failed"); diff --git a/packaging/rcu-Implement-drain_call_rcu.patch b/packaging/rcu-Implement-drain_call_rcu.patch deleted file mode 100644 index dd5a50fb4..000000000 --- a/packaging/rcu-Implement-drain_call_rcu.patch +++ /dev/null @@ -1,100 +0,0 @@ -From: Maxim Levitsky -Date: Tue, 15 Sep 2020 20:12:53 +0800 -Subject: rcu: Implement drain_call_rcu - -Git-commit: d816614ca4f5af89a2b6d50ac840d7b77973f2fc -References: bsc#1184574 - -This will allow is to preserve the semantics of hmp_device_del, -that the device is deleted immediatly which was changed by previos -patch that delayed this to RCU callback - -Signed-off-by: Maxim Levitsky -Suggested-by: Stefan Hajnoczi -Reviewed-by: Stefan Hajnoczi -Message-Id: <20200915121318.247-2-luoyonggang@gmail.com> -Signed-off-by: Thomas Huth -Signed-off-by: Lin Ma ---- - include/qemu/rcu.h | 1 + - util/rcu.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 56 insertions(+) - -diff --git a/include/qemu/rcu.h b/include/qemu/rcu.h -index 9c82683e3727d788eb39c9596f09..0fd6588fb44c1225d1d760b239f7 100644 ---- a/include/qemu/rcu.h -+++ b/include/qemu/rcu.h -@@ -133,6 +133,7 @@ struct rcu_head { - }; - - extern void call_rcu1(struct rcu_head *head, RCUCBFunc *func); -+extern void drain_call_rcu(void); - - /* The operands of the minus operator must have the same type, - * which must be the one that we specify in the cast. -diff --git a/util/rcu.c b/util/rcu.c -index 177a67561961d637ffde0a052b71..067a4cb6b4d192fbb7421ff47b5b 100644 ---- a/util/rcu.c -+++ b/util/rcu.c -@@ -295,6 +295,61 @@ void call_rcu1(struct rcu_head *node, void (*func)(struct rcu_head *node)) - qemu_event_set(&rcu_call_ready_event); - } - -+ -+struct rcu_drain { -+ struct rcu_head rcu; -+ QemuEvent drain_complete_event; -+}; -+ -+static void drain_rcu_callback(struct rcu_head *node) -+{ -+ struct rcu_drain *event = (struct rcu_drain *)node; -+ qemu_event_set(&event->drain_complete_event); -+} -+ -+/* -+ * This function ensures that all pending RCU callbacks -+ * on the current thread are done executing -+ -+ * drops big qemu lock during the wait to allow RCU thread -+ * to process the callbacks -+ * -+ */ -+ -+void drain_call_rcu(void) -+{ -+ struct rcu_drain rcu_drain; -+ bool locked = qemu_mutex_iothread_locked(); -+ -+ memset(&rcu_drain, 0, sizeof(struct rcu_drain)); -+ qemu_event_init(&rcu_drain.drain_complete_event, false); -+ -+ if (locked) { -+ qemu_mutex_unlock_iothread(); -+ } -+ -+ -+ /* -+ * RCU callbacks are invoked in the same order as in which they -+ * are registered, thus we can be sure that when 'drain_rcu_callback' -+ * is called, all RCU callbacks that were registered on this thread -+ * prior to calling this function are completed. -+ * -+ * Note that since we have only one global queue of the RCU callbacks, -+ * we also end up waiting for most of RCU callbacks that were registered -+ * on the other threads, but this is a side effect that shoudn't be -+ * assumed. -+ */ -+ -+ call_rcu1(&rcu_drain.rcu, drain_rcu_callback); -+ qemu_event_wait(&rcu_drain.drain_complete_event); -+ -+ if (locked) { -+ qemu_mutex_lock_iothread(); -+ } -+ -+} -+ - void rcu_register_thread(void) - { - assert(rcu_reader.ctr == 0); diff --git a/packaging/roms-Makefile-enable-cross-compile-for-b.patch b/packaging/roms-Makefile-enable-cross-compile-for-b.patch deleted file mode 100644 index 16e78021e..000000000 --- a/packaging/roms-Makefile-enable-cross-compile-for-b.patch +++ /dev/null @@ -1,22 +0,0 @@ -From: Bruce Rogers -Date: Sun, 3 Nov 2019 07:21:40 -0700 -Subject: roms/Makefile: enable cross compile for building microvm bios - -Signed-off-by: Bruce Rogers ---- - roms/Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/roms/Makefile b/roms/Makefile -index 091ad51c1e91a2b9709c5810e562..a6f084820f489bef42c6f487a6b2 100644 ---- a/roms/Makefile -+++ b/roms/Makefile -@@ -198,7 +198,7 @@ opensbi64-sifive_u: - cp opensbi/build/platform/sifive/fu540/firmware/fw_jump.bin ../pc-bios/opensbi-riscv64-sifive_u-fw_jump.bin - - bios-microvm: -- $(MAKE) -C qboot -+ $(MAKE) -C qboot CROSS_COMPILE=$(x86_64_cross_prefix) CC=gcc - cp qboot/bios.bin ../pc-bios/bios-microvm.bin - - clean: diff --git a/packaging/roms-Makefile-pass-a-packaging-timestamp.patch b/packaging/roms-Makefile-pass-a-packaging-timestamp.patch deleted file mode 100644 index f3fc691fc..000000000 --- a/packaging/roms-Makefile-pass-a-packaging-timestamp.patch +++ /dev/null @@ -1,72 +0,0 @@ -From: Bruce Rogers -Date: Sat, 19 Nov 2016 08:06:30 -0700 -Subject: roms/Makefile: pass a packaging timestamp to subpackages with date - info - -References: bsc#1011213 - -Certain rom subpackages build from qemu git-submodules call the date -program to include date information in the packaged binaries. This -causes repeated builds of the package to be different, wkere the only -real difference is due to the fact that time build timestamp has -changed. To promote reproducible builds and avoid customers being -prompted to update packages needlessly, we'll use the timestamp of the -VERSION file as the packaging timestamp for all packages that build in a -timestamp for whatever reason. - -Signed-off-by: Bruce Rogers ---- - roms/Makefile | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/roms/Makefile b/roms/Makefile -index 28e1e557b0763cabe6da3d07602d..091ad51c1e91a2b9709c5810e562 100644 ---- a/roms/Makefile -+++ b/roms/Makefile -@@ -51,6 +51,12 @@ SEABIOS_EXTRAVERSION="-prebuilt.qemu.org" - # - EDK2_EFIROM = edk2/BaseTools/Source/C/bin/EfiRom - -+# NB: Certain SUSE qemu subpackages use date information, but we want -+# reproducible builds, so we use a pre-determined timestamp, rather -+# than the current timestamp to acheive consistent results build to -+# build. -+PACKAGING_TIMESTAMP = $(shell date -r ../VERSION +%s) -+ - default help: - @echo "nothing is build by default" - @echo "available build targets:" -@@ -100,7 +106,7 @@ build-seabios-config-%: config.% - - .PHONY: sgabios skiboot - sgabios: -- $(MAKE) -C sgabios -+ $(MAKE) -C sgabios PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) - cp sgabios/sgabios.bin ../pc-bios - - -@@ -120,11 +126,13 @@ efi-rom-%: build-pxe-roms build-efi-roms edk2-basetools - - build-pxe-roms: - $(MAKE) -C ipxe/src CONFIG=qemu \ -+ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \ - CROSS_COMPILE=$(x86_64_cross_prefix) \ - $(patsubst %,bin/%.rom,$(pxerom_targets)) - - build-efi-roms: build-pxe-roms - $(MAKE) -C ipxe/src CONFIG=qemu \ -+ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \ - CROSS_COMPILE=$(x86_64_cross_prefix) \ - $(patsubst %,bin-i386-efi/%.efidrv,$(pxerom_targets)) \ - $(patsubst %,bin-x86_64-efi/%.efidrv,$(pxerom_targets)) -@@ -147,7 +155,9 @@ edk2-basetools: - EXTRA_LDFLAGS='$(EDK2_BASETOOLS_LDFLAGS)' - - slof: -- $(MAKE) -C SLOF CROSS=$(powerpc64_cross_prefix) qemu -+ $(MAKE) -C SLOF CROSS=$(powerpc64_cross_prefix) \ -+ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \ -+ qemu - cp SLOF/boot_rom.bin ../pc-bios/slof.bin - - u-boot.e500: diff --git a/packaging/roms-change-cross-compiler-naming-to-be-.patch b/packaging/roms-change-cross-compiler-naming-to-be-.patch deleted file mode 100644 index 24ec57c21..000000000 --- a/packaging/roms-change-cross-compiler-naming-to-be-.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Bruce Rogers -Date: Thu, 20 Jun 2019 17:58:37 -0600 -Subject: roms: change cross compiler naming to be suse specific - -Signed-off-by: Bruce Rogers ---- - roms/edk2-funcs.sh | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/roms/edk2-funcs.sh b/roms/edk2-funcs.sh -index 3f4485b201f1f6f8cff47a9933da..5a3a8d885c9138d3c857d8b1e6d0 100644 ---- a/roms/edk2-funcs.sh -+++ b/roms/edk2-funcs.sh -@@ -113,7 +113,15 @@ qemu_edk2_get_cross_prefix() - # no cross-compiler needed - : - else -- printf '%s-linux-gnu-\n' "$gcc_arch" -+ if [ "$emulation_target" == arm ]; then -+ printf '%s-suse-linux-gnueabi-\n' "$gcc_arch" -+ else -+ if [ "$gcc_arch" == i686 ]; then -+ printf '%s-suse-linux-\n' "i586" -+ else -+ printf '%s-suse-linux-\n' "$gcc_arch" -+ fi -+ fi - fi - } - diff --git a/packaging/roms-sgabios-Fix-csum8-to-be-built-by-ho.patch b/packaging/roms-sgabios-Fix-csum8-to-be-built-by-ho.patch deleted file mode 100644 index 5b311cedc..000000000 --- a/packaging/roms-sgabios-Fix-csum8-to-be-built-by-ho.patch +++ /dev/null @@ -1,22 +0,0 @@ -From: Bruce Rogers -Date: Thu, 27 Jun 2019 09:38:43 -0600 -Subject: roms/sgabios: Fix csum8 to be built by host compiler - -Signed-off-by: Bruce Rogers -Date: Fri, 26 Feb 2021 13:47:53 -0500 -Subject: rtl8139: switch to use qemu_receive_packet() for loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 5311fb805a4403bba024e83886fa0e7572265de4 -References: bsc#1182968, CVE-2021-3416 - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Buglink: https://bugs.launchpad.net/qemu/+bug/1910826 -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Jason Wang -Signed-off-by: Bruce Rogers ---- - hw/net/rtl8139.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 88a97d756d6b6cb4bd22a8c1b616..1c7e51468b16242542c957a873e1 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -1793,7 +1793,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size, - } - - DPRINTF("+++ transmit loopback mode\n"); -- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt); -+ qemu_receive_packet(qemu_get_queue(s->nic), buf, size); - - if (iov) { - g_free(buf2); diff --git a/packaging/s390x-Add-SIDA-memory-ops.patch b/packaging/s390x-Add-SIDA-memory-ops.patch deleted file mode 100644 index ad6e570ce..000000000 --- a/packaging/s390x-Add-SIDA-memory-ops.patch +++ /dev/null @@ -1,135 +0,0 @@ -From: Janosch Frank -Date: Wed, 5 Feb 2020 06:57:35 -0500 -Subject: s390x: Add SIDA memory ops - -References: bsc#1167075 - -Protected guests save the instruction control blocks in the SIDA -instead of QEMU/KVM directly accessing the guest's memory. - -Let's introduce new functions to access the SIDA. - -The memops for doing so are available with KVM_CAP_S390_PROTECTED, so -let's check for that. - -Signed-off-by: Janosch Frank -Reviewed-by: David Hildenbrand -Reviewed-by: Christian Borntraeger -Reviewed-by: Claudio Imbrenda -Reviewed-by: Cornelia Huck -(cherry picked from commit a9f21cec3bc9c86062c7c24bb2143d22cb3c2950) -Signed-off-by: Bruce Rogers ---- - target/s390x/cpu.h | 7 ++++++- - target/s390x/kvm.c | 26 ++++++++++++++++++++++++++ - target/s390x/kvm_s390x.h | 2 ++ - target/s390x/mmu_helper.c | 14 ++++++++++++++ - 4 files changed, 48 insertions(+), 1 deletion(-) - -diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h -index d2af13b345ccd9094f82385cd528..2ec0f78b48ee15978b62f5fdc1b2 100644 ---- a/target/s390x/cpu.h -+++ b/target/s390x/cpu.h -@@ -821,7 +821,12 @@ int s390_cpu_virt_mem_rw(S390CPU *cpu, vaddr laddr, uint8_t ar, void *hostbuf, - #define s390_cpu_virt_mem_check_write(cpu, laddr, ar, len) \ - s390_cpu_virt_mem_rw(cpu, laddr, ar, NULL, len, true) - void s390_cpu_virt_mem_handle_exc(S390CPU *cpu, uintptr_t ra); -- -+int s390_cpu_pv_mem_rw(S390CPU *cpu, unsigned int offset, void *hostbuf, -+ int len, bool is_write); -+#define s390_cpu_pv_mem_read(cpu, offset, dest, len) \ -+ s390_cpu_pv_mem_rw(cpu, offset, dest, len, false) -+#define s390_cpu_pv_mem_write(cpu, offset, dest, len) \ -+ s390_cpu_pv_mem_rw(cpu, offset, dest, len, true) - - /* sigp.c */ - int s390_cpu_restart(S390CPU *cpu); -diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c -index abeeaaa67452b0b938557b0d0dea..941e4df630ad9b3dc780d3c92e6b 100644 ---- a/target/s390x/kvm.c -+++ b/target/s390x/kvm.c -@@ -154,6 +154,7 @@ static int cap_ri; - static int cap_gs; - static int cap_hpage_1m; - static int cap_vcpu_resets; -+static int cap_protected; - - static int active_cmma; - -@@ -351,6 +352,7 @@ int kvm_arch_init(MachineState *ms, KVMState *s) - cap_mem_op = kvm_check_extension(s, KVM_CAP_S390_MEM_OP); - cap_s390_irq = kvm_check_extension(s, KVM_CAP_S390_INJECT_IRQ); - cap_vcpu_resets = kvm_check_extension(s, KVM_CAP_S390_VCPU_RESETS); -+ cap_protected = kvm_check_extension(s, KVM_CAP_S390_PROTECTED); - - if (!kvm_check_extension(s, KVM_CAP_S390_GMAP) - || !kvm_check_extension(s, KVM_CAP_S390_COW)) { -@@ -848,6 +850,30 @@ int kvm_s390_mem_op(S390CPU *cpu, vaddr addr, uint8_t ar, void *hostbuf, - return ret; - } - -+int kvm_s390_mem_op_pv(S390CPU *cpu, uint64_t offset, void *hostbuf, -+ int len, bool is_write) -+{ -+ struct kvm_s390_mem_op mem_op = { -+ .sida_offset = offset, -+ .size = len, -+ .op = is_write ? KVM_S390_MEMOP_SIDA_WRITE -+ : KVM_S390_MEMOP_SIDA_READ, -+ .buf = (uint64_t)hostbuf, -+ }; -+ int ret; -+ -+ if (!cap_mem_op || !cap_protected) { -+ return -ENOSYS; -+ } -+ -+ ret = kvm_vcpu_ioctl(CPU(cpu), KVM_S390_MEM_OP, &mem_op); -+ if (ret < 0) { -+ error_report("KVM_S390_MEM_OP failed: %s", strerror(-ret)); -+ abort(); -+ } -+ return ret; -+} -+ - /* - * Legacy layout for s390: - * Older S390 KVM requires the topmost vma of the RAM to be -diff --git a/target/s390x/kvm_s390x.h b/target/s390x/kvm_s390x.h -index dea813f450153c34e1269424772d..6ab17c81b73a0011e32213552698 100644 ---- a/target/s390x/kvm_s390x.h -+++ b/target/s390x/kvm_s390x.h -@@ -19,6 +19,8 @@ void kvm_s390_vcpu_interrupt(S390CPU *cpu, struct kvm_s390_irq *irq); - void kvm_s390_access_exception(S390CPU *cpu, uint16_t code, uint64_t te_code); - int kvm_s390_mem_op(S390CPU *cpu, vaddr addr, uint8_t ar, void *hostbuf, - int len, bool is_write); -+int kvm_s390_mem_op_pv(S390CPU *cpu, vaddr addr, void *hostbuf, int len, -+ bool is_write); - void kvm_s390_program_interrupt(S390CPU *cpu, uint16_t code); - int kvm_s390_set_cpu_state(S390CPU *cpu, uint8_t cpu_state); - void kvm_s390_vcpu_interrupt_pre_save(S390CPU *cpu); -diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c -index c9f3f347501097b894333a36cac3..ec8befbdc87d4c88d83baeeab20e 100644 ---- a/target/s390x/mmu_helper.c -+++ b/target/s390x/mmu_helper.c -@@ -474,6 +474,20 @@ static int translate_pages(S390CPU *cpu, vaddr addr, int nr_pages, - return 0; - } - -+int s390_cpu_pv_mem_rw(S390CPU *cpu, unsigned int offset, void *hostbuf, -+ int len, bool is_write) -+{ -+ int ret; -+ -+ if (kvm_enabled()) { -+ ret = kvm_s390_mem_op_pv(cpu, offset, hostbuf, len, is_write); -+ } else { -+ /* Protected Virtualization is a KVM/Hardware only feature */ -+ g_assert_not_reached(); -+ } -+ return ret; -+} -+ - /** - * s390_cpu_virt_mem_rw: - * @laddr: the logical start address diff --git a/packaging/s390x-Add-missing-vcpu-reset-functions.patch b/packaging/s390x-Add-missing-vcpu-reset-functions.patch deleted file mode 100644 index a237e2d21..000000000 --- a/packaging/s390x-Add-missing-vcpu-reset-functions.patch +++ /dev/null @@ -1,159 +0,0 @@ -From: Janosch Frank -Date: Fri, 14 Feb 2020 10:16:21 -0500 -Subject: s390x: Add missing vcpu reset functions - -References: bsc#1167075 - -Up to now we only had an ioctl to reset vcpu data QEMU couldn't reach -for the initial reset, which was also called for the clear reset. To -be architecture compliant, we also need to clear local interrupts on a -normal reset. - -Because of this and the upcoming protvirt support we need to add -ioctls for the missing clear and normal resets. - -Signed-off-by: Janosch Frank -Reviewed-by: Thomas Huth -Acked-by: David Hildenbrand -Message-Id: <20200214151636.8764-3-frankja@linux.ibm.com> -Signed-off-by: Cornelia Huck -(cherry picked from commit b91a03946e0f65ddd22927dd80ca1276bf89c5af) -Signed-off-by: Bruce Rogers ---- - target/s390x/cpu.c | 14 ++++++++++++-- - target/s390x/kvm-stub.c | 10 +++++++++- - target/s390x/kvm.c | 42 ++++++++++++++++++++++++++++++++-------- - target/s390x/kvm_s390x.h | 4 +++- - 4 files changed, 58 insertions(+), 12 deletions(-) - -diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c -index bd39cb54b7aa3fa8edba5d9975a4..52fefa1586caa3cbd366fe230630 100644 ---- a/target/s390x/cpu.c -+++ b/target/s390x/cpu.c -@@ -131,8 +131,18 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type) - } - - /* Reset state inside the kernel that we cannot access yet from QEMU. */ -- if (kvm_enabled() && type != S390_CPU_RESET_NORMAL) { -- kvm_s390_reset_vcpu(cpu); -+ if (kvm_enabled()) { -+ switch (type) { -+ case S390_CPU_RESET_CLEAR: -+ kvm_s390_reset_vcpu_clear(cpu); -+ break; -+ case S390_CPU_RESET_INITIAL: -+ kvm_s390_reset_vcpu_initial(cpu); -+ break; -+ case S390_CPU_RESET_NORMAL: -+ kvm_s390_reset_vcpu_normal(cpu); -+ break; -+ } - } - } - -diff --git a/target/s390x/kvm-stub.c b/target/s390x/kvm-stub.c -index 5152e2bdf19b2661330a1da80c5d..c4cd497f850eb9c7a859932b0f1f 100644 ---- a/target/s390x/kvm-stub.c -+++ b/target/s390x/kvm-stub.c -@@ -83,7 +83,15 @@ void kvm_s390_cmma_reset(void) - { - } - --void kvm_s390_reset_vcpu(S390CPU *cpu) -+void kvm_s390_reset_vcpu_initial(S390CPU *cpu) -+{ -+} -+ -+void kvm_s390_reset_vcpu_clear(S390CPU *cpu) -+{ -+} -+ -+void kvm_s390_reset_vcpu_normal(S390CPU *cpu) - { - } - -diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c -index ad6e38c8761be7e0cad57771f49b..f633472980b48757989db245fb1f 100644 ---- a/target/s390x/kvm.c -+++ b/target/s390x/kvm.c -@@ -151,6 +151,7 @@ static int cap_s390_irq; - static int cap_ri; - static int cap_gs; - static int cap_hpage_1m; -+static int cap_vcpu_resets; - - static int active_cmma; - -@@ -342,6 +343,7 @@ int kvm_arch_init(MachineState *ms, KVMState *s) - cap_async_pf = kvm_check_extension(s, KVM_CAP_ASYNC_PF); - cap_mem_op = kvm_check_extension(s, KVM_CAP_S390_MEM_OP); - cap_s390_irq = kvm_check_extension(s, KVM_CAP_S390_INJECT_IRQ); -+ cap_vcpu_resets = kvm_check_extension(s, KVM_CAP_S390_VCPU_RESETS); - - if (!kvm_check_extension(s, KVM_CAP_S390_GMAP) - || !kvm_check_extension(s, KVM_CAP_S390_COW)) { -@@ -403,17 +405,41 @@ int kvm_arch_destroy_vcpu(CPUState *cs) - return 0; - } - --void kvm_s390_reset_vcpu(S390CPU *cpu) -+static void kvm_s390_reset_vcpu(S390CPU *cpu, unsigned long type) - { - CPUState *cs = CPU(cpu); - -- /* The initial reset call is needed here to reset in-kernel -- * vcpu data that we can't access directly from QEMU -- * (i.e. with older kernels which don't support sync_regs/ONE_REG). -- * Before this ioctl cpu_synchronize_state() is called in common kvm -- * code (kvm-all) */ -- if (kvm_vcpu_ioctl(cs, KVM_S390_INITIAL_RESET, NULL)) { -- error_report("Initial CPU reset failed on CPU %i", cs->cpu_index); -+ /* -+ * The reset call is needed here to reset in-kernel vcpu data that -+ * we can't access directly from QEMU (i.e. with older kernels -+ * which don't support sync_regs/ONE_REG). Before this ioctl -+ * cpu_synchronize_state() is called in common kvm code -+ * (kvm-all). -+ */ -+ if (kvm_vcpu_ioctl(cs, type)) { -+ error_report("CPU reset failed on CPU %i type %lx", -+ cs->cpu_index, type); -+ } -+} -+ -+void kvm_s390_reset_vcpu_initial(S390CPU *cpu) -+{ -+ kvm_s390_reset_vcpu(cpu, KVM_S390_INITIAL_RESET); -+} -+ -+void kvm_s390_reset_vcpu_clear(S390CPU *cpu) -+{ -+ if (cap_vcpu_resets) { -+ kvm_s390_reset_vcpu(cpu, KVM_S390_CLEAR_RESET); -+ } else { -+ kvm_s390_reset_vcpu(cpu, KVM_S390_INITIAL_RESET); -+ } -+} -+ -+void kvm_s390_reset_vcpu_normal(S390CPU *cpu) -+{ -+ if (cap_vcpu_resets) { -+ kvm_s390_reset_vcpu(cpu, KVM_S390_NORMAL_RESET); - } - } - -diff --git a/target/s390x/kvm_s390x.h b/target/s390x/kvm_s390x.h -index caf985955ba5da4e2cda021ed1b5..0b21789796d7c462bdc72160166f 100644 ---- a/target/s390x/kvm_s390x.h -+++ b/target/s390x/kvm_s390x.h -@@ -34,7 +34,9 @@ int kvm_s390_assign_subch_ioeventfd(EventNotifier *notifier, uint32_t sch, - int vq, bool assign); - int kvm_s390_cmma_active(void); - void kvm_s390_cmma_reset(void); --void kvm_s390_reset_vcpu(S390CPU *cpu); -+void kvm_s390_reset_vcpu_clear(S390CPU *cpu); -+void kvm_s390_reset_vcpu_normal(S390CPU *cpu); -+void kvm_s390_reset_vcpu_initial(S390CPU *cpu); - int kvm_s390_set_mem_limit(uint64_t new_limit, uint64_t *hw_limit); - void kvm_s390_set_max_pagesize(uint64_t pagesize, Error **errp); - void kvm_s390_crypto_reset(void); diff --git a/packaging/s390x-Add-unpack-facility-feature-to-GA1.patch b/packaging/s390x-Add-unpack-facility-feature-to-GA1.patch deleted file mode 100644 index ce89612e3..000000000 --- a/packaging/s390x-Add-unpack-facility-feature-to-GA1.patch +++ /dev/null @@ -1,61 +0,0 @@ -From: Christian Borntraeger -Date: Tue, 25 Feb 2020 06:28:51 -0500 -Subject: s390x: Add unpack facility feature to GA1 - -References: bsc#1167075 - -The unpack facility is an indication that diagnose 308 subcodes 8-10 -are available to the guest. That means, that the guest can put itself -into protected mode. - -Once it is in protected mode, the hardware stops any attempt of VM -introspection by the hypervisor. - -Some features are currently not supported in protected mode: - * vfio devices - * Migration - * Huge page backings - -Signed-off-by: Christian Borntraeger -Reviewed-by: David Hildenbrand -Reviewed-by: Claudio Imbrenda -Reviewed-by: Cornelia Huck -Signed-off-by: Janosch Frank -(cherry picked from commit 3034eaac3b2970ba85a1d77814ceef1352d05357) -Signed-off-by: Bruce Rogers ---- - target/s390x/gen-features.c | 1 + - target/s390x/kvm.c | 8 ++++++++ - 2 files changed, 9 insertions(+) - -diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c -index 6278845b12b8dee84c086413c60a..8ddeebc54419a3e2481e21916389 100644 ---- a/target/s390x/gen-features.c -+++ b/target/s390x/gen-features.c -@@ -562,6 +562,7 @@ static uint16_t full_GEN15_GA1[] = { - S390_FEAT_GROUP_MSA_EXT_9, - S390_FEAT_GROUP_MSA_EXT_9_PCKMO, - S390_FEAT_ETOKEN, -+ S390_FEAT_UNPACK, - }; - - /* Default features (in order of release) -diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c -index d94b915da419c3ad0a1f9622ca13..8b82e4c93dfa7e89127bce74cde7 100644 ---- a/target/s390x/kvm.c -+++ b/target/s390x/kvm.c -@@ -2407,6 +2407,14 @@ void kvm_s390_get_host_cpu_model(S390CPUModel *model, Error **errp) - clear_bit(S390_FEAT_BPB, model->features); - } - -+ /* -+ * If we have support for protected virtualization, indicate -+ * the protected virtualization IPL unpack facility. -+ */ -+ if (cap_protected) { -+ set_bit(S390_FEAT_UNPACK, model->features); -+ } -+ - /* We emulate a zPCI bus and AEN, therefore we don't need HW support */ - set_bit(S390_FEAT_ZPCI, model->features); - set_bit(S390_FEAT_ADAPTER_EVENT_NOTIFICATION, model->features); diff --git a/packaging/s390x-Beautify-diag308-handling.patch b/packaging/s390x-Beautify-diag308-handling.patch deleted file mode 100644 index 061f442ea..000000000 --- a/packaging/s390x-Beautify-diag308-handling.patch +++ /dev/null @@ -1,113 +0,0 @@ -From: Janosch Frank -Date: Wed, 27 Nov 2019 12:50:45 -0500 -Subject: s390x: Beautify diag308 handling - -References: bsc#1167075 - -Let's improve readability by: -* Using constants for the subcodes -* Moving parameter checking into a function -* Removing subcode > 6 check as the default case catches that - -Signed-off-by: Janosch Frank -Reviewed-by: Cornelia Huck -Reviewed-by: Thomas Huth -Reviewed-by: David Hildenbrand -Message-Id: <20191127175046.4911-6-frankja@linux.ibm.com> -Signed-off-by: Cornelia Huck -(cherry picked from commit 0b7fd817e0f383760e37ca9286150d5816cf0594) -Signed-off-by: Bruce Rogers ---- - target/s390x/diag.c | 54 +++++++++++++++++++++++++++------------------ - 1 file changed, 32 insertions(+), 22 deletions(-) - -diff --git a/target/s390x/diag.c b/target/s390x/diag.c -index 0c81d8e1efbfe37a384199488a72..54e5670b3fd6d960bd3fb4baca8b 100644 ---- a/target/s390x/diag.c -+++ b/target/s390x/diag.c -@@ -53,6 +53,29 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) - #define DIAG_308_RC_NO_CONF 0x0102 - #define DIAG_308_RC_INVALID 0x0402 - -+#define DIAG308_RESET_MOD_CLR 0 -+#define DIAG308_RESET_LOAD_NORM 1 -+#define DIAG308_LOAD_CLEAR 3 -+#define DIAG308_LOAD_NORMAL_DUMP 4 -+#define DIAG308_SET 5 -+#define DIAG308_STORE 6 -+ -+static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr, -+ uintptr_t ra, bool write) -+{ -+ if ((r1 & 1) || (addr & ~TARGET_PAGE_MASK)) { -+ s390_program_interrupt(env, PGM_SPECIFICATION, ra); -+ return -1; -+ } -+ if (!address_space_access_valid(&address_space_memory, addr, -+ sizeof(IplParameterBlock), write, -+ MEMTXATTRS_UNSPECIFIED)) { -+ s390_program_interrupt(env, PGM_ADDRESSING, ra); -+ return -1; -+ } -+ return 0; -+} -+ - void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) - { - CPUState *cs = env_cpu(env); -@@ -65,30 +88,24 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) - return; - } - -- if ((subcode & ~0x0ffffULL) || (subcode > 6)) { -+ if (subcode & ~0x0ffffULL) { - s390_program_interrupt(env, PGM_SPECIFICATION, ra); - return; - } - - switch (subcode) { -- case 0: -+ case DIAG308_RESET_MOD_CLR: - s390_ipl_reset_request(cs, S390_RESET_MODIFIED_CLEAR); - break; -- case 1: -+ case DIAG308_RESET_LOAD_NORM: - s390_ipl_reset_request(cs, S390_RESET_LOAD_NORMAL); - break; -- case 3: -+ case DIAG308_LOAD_CLEAR: -+ /* Well we still lack the clearing bit... */ - s390_ipl_reset_request(cs, S390_RESET_REIPL); - break; -- case 5: -- if ((r1 & 1) || (addr & 0x0fffULL)) { -- s390_program_interrupt(env, PGM_SPECIFICATION, ra); -- return; -- } -- if (!address_space_access_valid(&address_space_memory, addr, -- sizeof(IplParameterBlock), false, -- MEMTXATTRS_UNSPECIFIED)) { -- s390_program_interrupt(env, PGM_ADDRESSING, ra); -+ case DIAG308_SET: -+ if (diag308_parm_check(env, r1, addr, ra, false)) { - return; - } - iplb = g_new0(IplParameterBlock, 1); -@@ -110,15 +127,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) - out: - g_free(iplb); - return; -- case 6: -- if ((r1 & 1) || (addr & 0x0fffULL)) { -- s390_program_interrupt(env, PGM_SPECIFICATION, ra); -- return; -- } -- if (!address_space_access_valid(&address_space_memory, addr, -- sizeof(IplParameterBlock), true, -- MEMTXATTRS_UNSPECIFIED)) { -- s390_program_interrupt(env, PGM_ADDRESSING, ra); -+ case DIAG308_STORE: -+ if (diag308_parm_check(env, r1, addr, ra, true)) { - return; - } - iplb = s390_ipl_get_iplb(); diff --git a/packaging/s390x-Don-t-do-a-normal-reset-on-the-ini.patch b/packaging/s390x-Don-t-do-a-normal-reset-on-the-ini.patch deleted file mode 100644 index fa2f42e15..000000000 --- a/packaging/s390x-Don-t-do-a-normal-reset-on-the-ini.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Janosch Frank -Date: Wed, 27 Nov 2019 12:50:41 -0500 -Subject: s390x: Don't do a normal reset on the initial cpu - -References: bsc#1167075 - -The initiating cpu needs to be reset with an initial reset. While -doing a normal reset followed by a initial reset is not wrong per se, -the Ultravisor will only allow the correct reset to be performed. - -Signed-off-by: Janosch Frank -Reviewed-by: David Hildenbrand -Reviewed-by: Cornelia Huck -Message-Id: <20191127175046.4911-2-frankja@linux.ibm.com> -Signed-off-by: Cornelia Huck -(cherry picked from commit ec9227339fce99412830d44a37eb0bd2fadd5f75) -Signed-off-by: Bruce Rogers ---- - hw/s390x/s390-virtio-ccw.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c -index 6134f30508f88737cd5e885ffab6..fcd8203cd11d9068de52b7ef695d 100644 ---- a/hw/s390x/s390-virtio-ccw.c -+++ b/hw/s390x/s390-virtio-ccw.c -@@ -349,6 +349,9 @@ static void s390_machine_reset(MachineState *machine) - break; - case S390_RESET_LOAD_NORMAL: - CPU_FOREACH(t) { -+ if (t == cs) { -+ continue; -+ } - run_on_cpu(t, s390_do_cpu_reset, RUN_ON_CPU_NULL); - } - subsystem_reset(); diff --git a/packaging/s390x-Move-clear-reset.patch b/packaging/s390x-Move-clear-reset.patch deleted file mode 100644 index 17c45d06a..000000000 --- a/packaging/s390x-Move-clear-reset.patch +++ /dev/null @@ -1,129 +0,0 @@ -From: Janosch Frank -Date: Wed, 27 Nov 2019 12:50:44 -0500 -Subject: s390x: Move clear reset - -References: bsc#1167075 - -Let's also move the clear reset function into the reset handler. - -Signed-off-by: Janosch Frank -Message-Id: <20191127175046.4911-5-frankja@linux.ibm.com> -Reviewed-by: David Hildenbrand -Reviewed-by: Thomas Huth -Signed-off-by: Cornelia Huck -(cherry picked from commit eb8adcc3e9e3b8405c104ede72cf9f3bb2a5e226) -Signed-off-by: Bruce Rogers ---- - target/s390x/cpu-qom.h | 1 + - target/s390x/cpu.c | 58 +++++++++++++----------------------------- - 2 files changed, 18 insertions(+), 41 deletions(-) - -diff --git a/target/s390x/cpu-qom.h b/target/s390x/cpu-qom.h -index 6f0a12042ed4802de7da08d63612..dbe5346ec9019f4f5939598b7a83 100644 ---- a/target/s390x/cpu-qom.h -+++ b/target/s390x/cpu-qom.h -@@ -37,6 +37,7 @@ typedef struct S390CPUDef S390CPUDef; - typedef enum cpu_reset_type { - S390_CPU_RESET_NORMAL, - S390_CPU_RESET_INITIAL, -+ S390_CPU_RESET_CLEAR, - } cpu_reset_type; - - /** -diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c -index ca62fe768569b992bbf41b064734..bd39cb54b7aa3fa8edba5d9975a4 100644 ---- a/target/s390x/cpu.c -+++ b/target/s390x/cpu.c -@@ -94,6 +94,9 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type) - s390_cpu_set_state(S390_CPU_STATE_STOPPED, cpu); - - switch (type) { -+ case S390_CPU_RESET_CLEAR: -+ memset(env, 0, offsetof(CPUS390XState, start_initial_reset_fields)); -+ /* fall through */ - case S390_CPU_RESET_INITIAL: - /* initial reset does not clear everything! */ - memset(&env->start_initial_reset_fields, 0, -@@ -107,6 +110,14 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type) - env->cregs[0] = CR0_RESET; - env->cregs[14] = CR14_RESET; - -+#if defined(CONFIG_USER_ONLY) -+ /* user mode should always be allowed to use the full FPU */ -+ env->cregs[0] |= CR0_AFP; -+ if (s390_has_feat(S390_FEAT_VECTOR)) { -+ env->cregs[0] |= CR0_VECTOR; -+ } -+#endif -+ - /* tininess for underflow is detected before rounding */ - set_float_detect_tininess(float_tininess_before_rounding, - &env->fpu_status); -@@ -125,46 +136,6 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type) - } - } - --/* CPUClass:reset() */ --static void s390_cpu_full_reset(CPUState *s) --{ -- S390CPU *cpu = S390_CPU(s); -- S390CPUClass *scc = S390_CPU_GET_CLASS(cpu); -- CPUS390XState *env = &cpu->env; -- -- scc->parent_reset(s); -- cpu->env.sigp_order = 0; -- s390_cpu_set_state(S390_CPU_STATE_STOPPED, cpu); -- -- memset(env, 0, offsetof(CPUS390XState, end_reset_fields)); -- -- /* architectured initial values for CR 0 and 14 */ -- env->cregs[0] = CR0_RESET; -- env->cregs[14] = CR14_RESET; -- --#if defined(CONFIG_USER_ONLY) -- /* user mode should always be allowed to use the full FPU */ -- env->cregs[0] |= CR0_AFP; -- if (s390_has_feat(S390_FEAT_VECTOR)) { -- env->cregs[0] |= CR0_VECTOR; -- } --#endif -- -- /* architectured initial value for Breaking-Event-Address register */ -- env->gbea = 1; -- -- env->pfault_token = -1UL; -- -- /* tininess for underflow is detected before rounding */ -- set_float_detect_tininess(float_tininess_before_rounding, -- &env->fpu_status); -- -- /* Reset state inside the kernel that we cannot access yet from QEMU. */ -- if (kvm_enabled()) { -- kvm_s390_reset_vcpu(cpu); -- } --} -- - #if !defined(CONFIG_USER_ONLY) - static void s390_cpu_machine_reset_cb(void *opaque) - { -@@ -456,6 +427,11 @@ static Property s390x_cpu_properties[] = { - DEFINE_PROP_END_OF_LIST() - }; - -+static void s390_cpu_reset_full(CPUState *s) -+{ -+ return s390_cpu_reset(s, S390_CPU_RESET_CLEAR); -+} -+ - static void s390_cpu_class_init(ObjectClass *oc, void *data) - { - S390CPUClass *scc = S390_CPU_CLASS(oc); -@@ -472,7 +448,7 @@ static void s390_cpu_class_init(ObjectClass *oc, void *data) - scc->load_normal = s390_cpu_load_normal; - #endif - scc->reset = s390_cpu_reset; -- cc->reset = s390_cpu_full_reset; -+ cc->reset = s390_cpu_reset_full; - cc->class_by_name = s390_cpu_class_by_name, - cc->has_work = s390_cpu_has_work; - #ifdef CONFIG_TCG diff --git a/packaging/s390x-Move-diagnose-308-subcodes-and-rcs.patch b/packaging/s390x-Move-diagnose-308-subcodes-and-rcs.patch deleted file mode 100644 index 6fb14001d..000000000 --- a/packaging/s390x-Move-diagnose-308-subcodes-and-rcs.patch +++ /dev/null @@ -1,61 +0,0 @@ -From: Janosch Frank -Date: Fri, 13 Mar 2020 10:35:02 -0400 -Subject: s390x: Move diagnose 308 subcodes and rcs into ipl.h - -References: bsc#1167075 - -They are part of the IPL process, so let's put them into the ipl -header. - -Signed-off-by: Janosch Frank -(cherry picked from commit 284bc3dd6e9a978e6e34b00777ce72007a88d6d9) -Signed-off-by: Bruce Rogers ---- - hw/s390x/ipl.h | 11 +++++++++++ - target/s390x/diag.c | 11 ----------- - 2 files changed, 11 insertions(+), 11 deletions(-) - -diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h -index 3e44abe1c651d8a01f4708c2801c..a5665e6bfde2e8cfbb1b2e6c7234 100644 ---- a/hw/s390x/ipl.h -+++ b/hw/s390x/ipl.h -@@ -159,6 +159,17 @@ struct S390IPLState { - typedef struct S390IPLState S390IPLState; - QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong"); - -+#define DIAG_308_RC_OK 0x0001 -+#define DIAG_308_RC_NO_CONF 0x0102 -+#define DIAG_308_RC_INVALID 0x0402 -+ -+#define DIAG308_RESET_MOD_CLR 0 -+#define DIAG308_RESET_LOAD_NORM 1 -+#define DIAG308_LOAD_CLEAR 3 -+#define DIAG308_LOAD_NORMAL_DUMP 4 -+#define DIAG308_SET 5 -+#define DIAG308_STORE 6 -+ - #define S390_IPL_TYPE_FCP 0x00 - #define S390_IPL_TYPE_CCW 0x02 - #define S390_IPL_TYPE_QEMU_SCSI 0xff -diff --git a/target/s390x/diag.c b/target/s390x/diag.c -index 54e5670b3fd6d960bd3fb4baca8b..8aba6341f94848e1ce8fff420ed8 100644 ---- a/target/s390x/diag.c -+++ b/target/s390x/diag.c -@@ -49,17 +49,6 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) - return diag288_class->handle_timer(diag288, func, timeout); - } - --#define DIAG_308_RC_OK 0x0001 --#define DIAG_308_RC_NO_CONF 0x0102 --#define DIAG_308_RC_INVALID 0x0402 -- --#define DIAG308_RESET_MOD_CLR 0 --#define DIAG308_RESET_LOAD_NORM 1 --#define DIAG308_LOAD_CLEAR 3 --#define DIAG308_LOAD_NORMAL_DUMP 4 --#define DIAG308_SET 5 --#define DIAG308_STORE 6 -- - static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr, - uintptr_t ra, bool write) - { diff --git a/packaging/s390x-Move-initial-reset.patch b/packaging/s390x-Move-initial-reset.patch deleted file mode 100644 index 073aba3f0..000000000 --- a/packaging/s390x-Move-initial-reset.patch +++ /dev/null @@ -1,142 +0,0 @@ -From: Janosch Frank -Date: Thu, 28 Nov 2019 03:37:23 -0500 -Subject: s390x: Move initial reset - -References: bsc#1167075 - -Let's move the intial reset into the reset handler and cleanup -afterwards. - -Signed-off-by: Janosch Frank -Reviewed-by: David Hildenbrand -Message-Id: <20191128083723.11937-1-frankja@linux.ibm.com> -Reviewed-by: Thomas Huth -Signed-off-by: Cornelia Huck -(cherry picked from commit 81b9222358e5c8f666f0d86057c75e40531d804c) -Signed-off-by: Bruce Rogers ---- - target/s390x/cpu-qom.h | 2 +- - target/s390x/cpu.c | 46 +++++++++++++++++------------------------- - target/s390x/cpu.h | 2 +- - target/s390x/sigp.c | 2 +- - 4 files changed, 21 insertions(+), 31 deletions(-) - -diff --git a/target/s390x/cpu-qom.h b/target/s390x/cpu-qom.h -index f3b71bac67c91c9e307fa250b47a..6f0a12042ed4802de7da08d63612 100644 ---- a/target/s390x/cpu-qom.h -+++ b/target/s390x/cpu-qom.h -@@ -36,6 +36,7 @@ typedef struct S390CPUDef S390CPUDef; - - typedef enum cpu_reset_type { - S390_CPU_RESET_NORMAL, -+ S390_CPU_RESET_INITIAL, - } cpu_reset_type; - - /** -@@ -62,7 +63,6 @@ typedef struct S390CPUClass { - void (*parent_reset)(CPUState *cpu); - void (*load_normal)(CPUState *cpu); - void (*reset)(CPUState *cpu, cpu_reset_type type); -- void (*initial_cpu_reset)(CPUState *cpu); - } S390CPUClass; - - typedef struct S390CPU S390CPU; -diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c -index 67d6fbfa4401720aa24f2ace8e3c..ca62fe768569b992bbf41b064734 100644 ---- a/target/s390x/cpu.c -+++ b/target/s390x/cpu.c -@@ -94,6 +94,23 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type) - s390_cpu_set_state(S390_CPU_STATE_STOPPED, cpu); - - switch (type) { -+ case S390_CPU_RESET_INITIAL: -+ /* initial reset does not clear everything! */ -+ memset(&env->start_initial_reset_fields, 0, -+ offsetof(CPUS390XState, end_reset_fields) - -+ offsetof(CPUS390XState, start_initial_reset_fields)); -+ -+ /* architectured initial value for Breaking-Event-Address register */ -+ env->gbea = 1; -+ -+ /* architectured initial values for CR 0 and 14 */ -+ env->cregs[0] = CR0_RESET; -+ env->cregs[14] = CR14_RESET; -+ -+ /* tininess for underflow is detected before rounding */ -+ set_float_detect_tininess(float_tininess_before_rounding, -+ &env->fpu_status); -+ /* fall through */ - case S390_CPU_RESET_NORMAL: - env->pfault_token = -1UL; - env->bpbc = false; -@@ -101,35 +118,9 @@ static void s390_cpu_reset(CPUState *s, cpu_reset_type type) - default: - g_assert_not_reached(); - } --} -- --/* S390CPUClass::initial_reset() */ --static void s390_cpu_initial_reset(CPUState *s) --{ -- S390CPU *cpu = S390_CPU(s); -- CPUS390XState *env = &cpu->env; -- -- s390_cpu_reset(s, S390_CPU_RESET_NORMAL); -- /* initial reset does not clear everything! */ -- memset(&env->start_initial_reset_fields, 0, -- offsetof(CPUS390XState, end_reset_fields) - -- offsetof(CPUS390XState, start_initial_reset_fields)); -- -- /* architectured initial values for CR 0 and 14 */ -- env->cregs[0] = CR0_RESET; -- env->cregs[14] = CR14_RESET; -- -- /* architectured initial value for Breaking-Event-Address register */ -- env->gbea = 1; -- -- env->pfault_token = -1UL; -- -- /* tininess for underflow is detected before rounding */ -- set_float_detect_tininess(float_tininess_before_rounding, -- &env->fpu_status); - - /* Reset state inside the kernel that we cannot access yet from QEMU. */ -- if (kvm_enabled()) { -+ if (kvm_enabled() && type != S390_CPU_RESET_NORMAL) { - kvm_s390_reset_vcpu(cpu); - } - } -@@ -481,7 +472,6 @@ static void s390_cpu_class_init(ObjectClass *oc, void *data) - scc->load_normal = s390_cpu_load_normal; - #endif - scc->reset = s390_cpu_reset; -- scc->initial_cpu_reset = s390_cpu_initial_reset; - cc->reset = s390_cpu_full_reset; - cc->class_by_name = s390_cpu_class_by_name, - cc->has_work = s390_cpu_has_work; -diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h -index 18123dfd5bd13f530fcc3f8c54c4..d2af13b345ccd9094f82385cd528 100644 ---- a/target/s390x/cpu.h -+++ b/target/s390x/cpu.h -@@ -748,7 +748,7 @@ static inline void s390_do_cpu_initial_reset(CPUState *cs, run_on_cpu_data arg) - { - S390CPUClass *scc = S390_CPU_GET_CLASS(cs); - -- scc->initial_cpu_reset(cs); -+ scc->reset(cs, S390_CPU_RESET_INITIAL); - } - - static inline void s390_do_cpu_load_normal(CPUState *cs, run_on_cpu_data arg) -diff --git a/target/s390x/sigp.c b/target/s390x/sigp.c -index 850139b9cd544c4bb34497fec554..727875bb4ab9b6c6f606e4ba8afb 100644 ---- a/target/s390x/sigp.c -+++ b/target/s390x/sigp.c -@@ -254,7 +254,7 @@ static void sigp_initial_cpu_reset(CPUState *cs, run_on_cpu_data arg) - SigpInfo *si = arg.host_ptr; - - cpu_synchronize_state(cs); -- scc->initial_cpu_reset(cs); -+ scc->reset(cs, S390_CPU_RESET_INITIAL); - cpu_synchronize_post_reset(cs); - si->cc = SIGP_CC_ORDER_CODE_ACCEPTED; - } diff --git a/packaging/s390x-Move-reset-normal-to-shared-reset-.patch b/packaging/s390x-Move-reset-normal-to-shared-reset-.patch deleted file mode 100644 index 64daf3418..000000000 --- a/packaging/s390x-Move-reset-normal-to-shared-reset-.patch +++ /dev/null @@ -1,128 +0,0 @@ -From: Janosch Frank -Date: Wed, 27 Nov 2019 12:50:42 -0500 -Subject: s390x: Move reset normal to shared reset handler - -References: bsc#1167075 - -Let's start moving the cpu reset functions into a single function with -a switch/case, so we can later use fallthroughs and share more code -between resets. - -This patch introduces the reset function by renaming cpu_reset(). - -Signed-off-by: Janosch Frank -Reviewed-by: David Hildenbrand -Message-Id: <20191127175046.4911-3-frankja@linux.ibm.com> -Reviewed-by: Thomas Huth -Signed-off-by: Cornelia Huck -(cherry picked from commit eac4f82791f1807c423e85670837db103b9d59b3) -Signed-off-by: Bruce Rogers ---- - target/s390x/cpu-qom.h | 6 +++++- - target/s390x/cpu.c | 19 +++++++++++++------ - target/s390x/cpu.h | 2 +- - target/s390x/sigp.c | 2 +- - 4 files changed, 20 insertions(+), 9 deletions(-) - -diff --git a/target/s390x/cpu-qom.h b/target/s390x/cpu-qom.h -index b809ec8418e016cf8b227489f905..f3b71bac67c91c9e307fa250b47a 100644 ---- a/target/s390x/cpu-qom.h -+++ b/target/s390x/cpu-qom.h -@@ -34,6 +34,10 @@ - typedef struct S390CPUModel S390CPUModel; - typedef struct S390CPUDef S390CPUDef; - -+typedef enum cpu_reset_type { -+ S390_CPU_RESET_NORMAL, -+} cpu_reset_type; -+ - /** - * S390CPUClass: - * @parent_realize: The parent class' realize handler. -@@ -57,7 +61,7 @@ typedef struct S390CPUClass { - DeviceRealize parent_realize; - void (*parent_reset)(CPUState *cpu); - void (*load_normal)(CPUState *cpu); -- void (*cpu_reset)(CPUState *cpu); -+ void (*reset)(CPUState *cpu, cpu_reset_type type); - void (*initial_cpu_reset)(CPUState *cpu); - } S390CPUClass; - -diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c -index 3abe7e80fd0a067a95545c7c3b9b..67d6fbfa4401720aa24f2ace8e3c 100644 ---- a/target/s390x/cpu.c -+++ b/target/s390x/cpu.c -@@ -82,18 +82,25 @@ static void s390_cpu_load_normal(CPUState *s) - } - #endif - --/* S390CPUClass::cpu_reset() */ --static void s390_cpu_reset(CPUState *s) -+/* S390CPUClass::reset() */ -+static void s390_cpu_reset(CPUState *s, cpu_reset_type type) - { - S390CPU *cpu = S390_CPU(s); - S390CPUClass *scc = S390_CPU_GET_CLASS(cpu); - CPUS390XState *env = &cpu->env; - -- env->pfault_token = -1UL; -- env->bpbc = false; - scc->parent_reset(s); - cpu->env.sigp_order = 0; - s390_cpu_set_state(S390_CPU_STATE_STOPPED, cpu); -+ -+ switch (type) { -+ case S390_CPU_RESET_NORMAL: -+ env->pfault_token = -1UL; -+ env->bpbc = false; -+ break; -+ default: -+ g_assert_not_reached(); -+ } - } - - /* S390CPUClass::initial_reset() */ -@@ -102,7 +109,7 @@ static void s390_cpu_initial_reset(CPUState *s) - S390CPU *cpu = S390_CPU(s); - CPUS390XState *env = &cpu->env; - -- s390_cpu_reset(s); -+ s390_cpu_reset(s, S390_CPU_RESET_NORMAL); - /* initial reset does not clear everything! */ - memset(&env->start_initial_reset_fields, 0, - offsetof(CPUS390XState, end_reset_fields) - -@@ -473,7 +480,7 @@ static void s390_cpu_class_init(ObjectClass *oc, void *data) - #if !defined(CONFIG_USER_ONLY) - scc->load_normal = s390_cpu_load_normal; - #endif -- scc->cpu_reset = s390_cpu_reset; -+ scc->reset = s390_cpu_reset; - scc->initial_cpu_reset = s390_cpu_initial_reset; - cc->reset = s390_cpu_full_reset; - cc->class_by_name = s390_cpu_class_by_name, -diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h -index 17460ed7b381070b4d8206e2c4cb..18123dfd5bd13f530fcc3f8c54c4 100644 ---- a/target/s390x/cpu.h -+++ b/target/s390x/cpu.h -@@ -741,7 +741,7 @@ static inline void s390_do_cpu_reset(CPUState *cs, run_on_cpu_data arg) - { - S390CPUClass *scc = S390_CPU_GET_CLASS(cs); - -- scc->cpu_reset(cs); -+ scc->reset(cs, S390_CPU_RESET_NORMAL); - } - - static inline void s390_do_cpu_initial_reset(CPUState *cs, run_on_cpu_data arg) -diff --git a/target/s390x/sigp.c b/target/s390x/sigp.c -index 2ce22d4dc18bb764948f0abe1084..850139b9cd544c4bb34497fec554 100644 ---- a/target/s390x/sigp.c -+++ b/target/s390x/sigp.c -@@ -266,7 +266,7 @@ static void sigp_cpu_reset(CPUState *cs, run_on_cpu_data arg) - SigpInfo *si = arg.host_ptr; - - cpu_synchronize_state(cs); -- scc->cpu_reset(cs); -+ scc->reset(cs, S390_CPU_RESET_NORMAL); - cpu_synchronize_post_reset(cs); - si->cc = SIGP_CC_ORDER_CODE_ACCEPTED; - } diff --git a/packaging/s390x-fix-build-for-without-default-devi.patch b/packaging/s390x-fix-build-for-without-default-devi.patch deleted file mode 100644 index 0fad683a5..000000000 --- a/packaging/s390x-fix-build-for-without-default-devi.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Cornelia Huck -Date: Tue, 3 Nov 2020 13:32:37 +0100 -Subject: s390x: fix build for --without-default-devices -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 77280d33bc9cfdbfb5b5d462259d644f5aefe9b3 -References: bsc#1179719 - -s390-pci-vfio.c calls into the vfio code, so we need it to be -built conditionally on vfio (which implies CONFIG_LINUX). - -Fixes: cd7498d07fbb ("s390x/pci: Add routine to get the vfio dma available count") -Reported-by: Philippe Mathieu-Daudé -Tested-by: Philippe Mathieu-Daudé -Reviewed-by: Philippe Mathieu-Daudé -Reviewed-by: Matthew Rosato -Message-Id: <20201103123237.718242-1-cohuck@redhat.com> -Acked-by: Greg Kurz -Tested-by: Greg Kurz -Signed-off-by: Cornelia Huck -Signed-off-by: Liang Yan ---- - include/hw/s390x/s390-pci-vfio.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/hw/s390x/s390-pci-vfio.h b/include/hw/s390x/s390-pci-vfio.h -index 539bcf04eb5bcc29f0f54ef0cda2..a99499851f048ab04c2c1b45a4a2 100644 ---- a/include/hw/s390x/s390-pci-vfio.h -+++ b/include/hw/s390x/s390-pci-vfio.h -@@ -14,7 +14,7 @@ - - #include "hw/s390x/s390-pci-bus.h" - --#ifdef CONFIG_LINUX -+#ifdef CONFIG_VFIO - bool s390_pci_update_dma_avail(int fd, unsigned int *avail); - S390PCIDMACount *s390_pci_start_dma_count(S390pciState *s, - S390PCIBusDevice *pbdev); diff --git a/packaging/s390x-ipl-Consolidate-iplb-validity-chec.patch b/packaging/s390x-ipl-Consolidate-iplb-validity-chec.patch deleted file mode 100644 index 481adf6c5..000000000 --- a/packaging/s390x-ipl-Consolidate-iplb-validity-chec.patch +++ /dev/null @@ -1,64 +0,0 @@ -From: Janosch Frank -Date: Tue, 10 Mar 2020 05:09:50 -0400 -Subject: s390x: ipl: Consolidate iplb validity check into one function - -References: bsc#1167075 - -It's nicer to just call one function than calling a function for each -possible iplb type. - -Signed-off-by: Janosch Frank -Reviewed-by: David Hildenbrand -Message-Id: <20200310090950.61172-1-frankja@linux.ibm.com> -Reviewed-by: Christian Borntraeger -Signed-off-by: Christian Borntraeger -(cherry picked from commit 94c21436e5a89143f8b9cb4d089d1a2f3f4fd377) -Signed-off-by: Bruce Rogers ---- - hw/s390x/ipl.h | 18 +++++++++--------- - target/s390x/diag.c | 2 +- - 2 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h -index d4813105db33253fd1eba53cd7e3..3e44abe1c651d8a01f4708c2801c 100644 ---- a/hw/s390x/ipl.h -+++ b/hw/s390x/ipl.h -@@ -173,16 +173,16 @@ static inline bool iplb_valid_len(IplParameterBlock *iplb) - return be32_to_cpu(iplb->len) <= sizeof(IplParameterBlock); - } - --static inline bool iplb_valid_ccw(IplParameterBlock *iplb) -+static inline bool iplb_valid(IplParameterBlock *iplb) - { -- return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_CCW_LEN && -- iplb->pbt == S390_IPL_TYPE_CCW; --} -- --static inline bool iplb_valid_fcp(IplParameterBlock *iplb) --{ -- return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_FCP_LEN && -- iplb->pbt == S390_IPL_TYPE_FCP; -+ switch (iplb->pbt) { -+ case S390_IPL_TYPE_FCP: -+ return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_FCP_LEN; -+ case S390_IPL_TYPE_CCW: -+ return be32_to_cpu(iplb->len) >= S390_IPLB_MIN_CCW_LEN; -+ default: -+ return false; -+ } - } - - #endif -diff --git a/target/s390x/diag.c b/target/s390x/diag.c -index 53c2f81f2a1aad58d417bc3dc79c..0c81d8e1efbfe37a384199488a72 100644 ---- a/target/s390x/diag.c -+++ b/target/s390x/diag.c -@@ -100,7 +100,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) - - cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len)); - -- if (!iplb_valid_ccw(iplb) && !iplb_valid_fcp(iplb)) { -+ if (!iplb_valid(iplb)) { - env->regs[r1 + 1] = DIAG_308_RC_INVALID; - goto out; - } diff --git a/packaging/s390x-kvm-Make-kvm_sclp_service_call-voi.patch b/packaging/s390x-kvm-Make-kvm_sclp_service_call-voi.patch deleted file mode 100644 index a4ff0aabd..000000000 --- a/packaging/s390x-kvm-Make-kvm_sclp_service_call-voi.patch +++ /dev/null @@ -1,66 +0,0 @@ -From: Janosch Frank -Date: Fri, 29 Nov 2019 04:17:13 -0500 -Subject: s390x: kvm: Make kvm_sclp_service_call void - -References: bsc#1167075 - -It defaults to returning 0 anyway and that return value is not -necessary, as 0 is also the default rc that the caller would return. - -While doing that we can simplify the logic a bit and return early if -we inject a PGM exception. - -Signed-off-by: Janosch Frank -Reviewed-by: Thomas Huth -Message-Id: <20191129091713.4582-1-frankja@linux.ibm.com> -Reviewed-by: David Hildenbrand -Signed-off-by: Cornelia Huck -(cherry picked from commit 15b6c0370c3e2774fd9ffda5c10c6e36952e8eb6) -Signed-off-by: Bruce Rogers ---- - target/s390x/kvm.c | 12 +++++------- - 1 file changed, 5 insertions(+), 7 deletions(-) - -diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c -index 0c9d14b4b115de974e21af3f0f47..ad6e38c8761be7e0cad57771f49b 100644 ---- a/target/s390x/kvm.c -+++ b/target/s390x/kvm.c -@@ -1159,13 +1159,13 @@ void kvm_s390_access_exception(S390CPU *cpu, uint16_t code, uint64_t te_code) - kvm_s390_vcpu_interrupt(cpu, &irq); - } - --static int kvm_sclp_service_call(S390CPU *cpu, struct kvm_run *run, -+static void kvm_sclp_service_call(S390CPU *cpu, struct kvm_run *run, - uint16_t ipbh0) - { - CPUS390XState *env = &cpu->env; - uint64_t sccb; - uint32_t code; -- int r = 0; -+ int r; - - sccb = env->regs[ipbh0 & 0xf]; - code = env->regs[(ipbh0 & 0xf0) >> 4]; -@@ -1173,11 +1173,9 @@ static int kvm_sclp_service_call(S390CPU *cpu, struct kvm_run *run, - r = sclp_service_call(env, sccb, code); - if (r < 0) { - kvm_s390_program_interrupt(cpu, -r); -- } else { -- setcc(cpu, r); -+ return; - } -- -- return 0; -+ setcc(cpu, r); - } - - static int handle_b2(S390CPU *cpu, struct kvm_run *run, uint8_t ipa1) -@@ -1240,7 +1238,7 @@ static int handle_b2(S390CPU *cpu, struct kvm_run *run, uint8_t ipa1) - setcc(cpu, 3); - break; - case PRIV_B2_SCLP_CALL: -- rc = kvm_sclp_service_call(cpu, run, ipbh0); -+ kvm_sclp_service_call(cpu, run, ipbh0); - break; - default: - rc = -1; diff --git a/packaging/s390x-pci-Add-routine-to-get-the-vfio-dm.patch b/packaging/s390x-pci-Add-routine-to-get-the-vfio-dm.patch deleted file mode 100644 index 482803c5b..000000000 --- a/packaging/s390x-pci-Add-routine-to-get-the-vfio-dm.patch +++ /dev/null @@ -1,111 +0,0 @@ -From: Matthew Rosato -Date: Mon, 26 Oct 2020 11:34:34 -0400 -Subject: s390x/pci: Add routine to get the vfio dma available count - -Git-commit: cd7498d07fbb20fa04790ff7ee168a8a8d01cb30 -References: bsc#1179719 - -Create new files for separating out vfio-specific work for s390 -pci. Add the first such routine, which issues VFIO_IOMMU_GET_INFO -ioctl to collect the current dma available count. - -Signed-off-by: Matthew Rosato -Reviewed-by: Cornelia Huck -[aw: Fix non-Linux build with CONFIG_LINUX] -Signed-off-by: Alex Williamson -Signed-off-by: Liang Yan ---- - hw/s390x/s390-pci-vfio.c | 54 ++++++++++++++++++++++++++++++++ - include/hw/s390x/s390-pci-vfio.h | 24 ++++++++++++++ - 2 files changed, 78 insertions(+) - -diff --git a/hw/s390x/s390-pci-vfio.c b/hw/s390x/s390-pci-vfio.c -new file mode 100644 -index 0000000000000000000000000000000000000000..cb3f4d98adf8e7f1b104ce1e775e37a486ef8ddd ---- /dev/null -+++ b/hw/s390x/s390-pci-vfio.c -@@ -0,0 +1,54 @@ -+/* -+ * s390 vfio-pci interfaces -+ * -+ * Copyright 2020 IBM Corp. -+ * Author(s): Matthew Rosato -+ * -+ * This work is licensed under the terms of the GNU GPL, version 2 or (at -+ * your option) any later version. See the COPYING file in the top-level -+ * directory. -+ */ -+ -+#include -+ -+#include "qemu/osdep.h" -+#include "hw/s390x/s390-pci-vfio.h" -+#include "hw/vfio/vfio-common.h" -+ -+/* -+ * Get the current DMA available count from vfio. Returns true if vfio is -+ * limiting DMA requests, false otherwise. The current available count read -+ * from vfio is returned in avail. -+ */ -+bool s390_pci_update_dma_avail(int fd, unsigned int *avail) -+{ -+ g_autofree struct vfio_iommu_type1_info *info; -+ uint32_t argsz; -+ -+ assert(avail); -+ -+ argsz = sizeof(struct vfio_iommu_type1_info); -+ info = g_malloc0(argsz); -+ -+ /* -+ * If the specified argsz is not large enough to contain all capabilities -+ * it will be updated upon return from the ioctl. Retry until we have -+ * a big enough buffer to hold the entire capability chain. -+ */ -+retry: -+ info->argsz = argsz; -+ -+ if (ioctl(fd, VFIO_IOMMU_GET_INFO, info)) { -+ return false; -+ } -+ -+ if (info->argsz > argsz) { -+ argsz = info->argsz; -+ info = g_realloc(info, argsz); -+ goto retry; -+ } -+ -+ /* If the capability exists, update with the current value */ -+ return vfio_get_info_dma_avail(info, avail); -+} -+ -diff --git a/include/hw/s390x/s390-pci-vfio.h b/include/hw/s390x/s390-pci-vfio.h -new file mode 100644 -index 0000000000000000000000000000000000000000..1727292e9b5d019ac2218a54eac244640a06d2ae ---- /dev/null -+++ b/include/hw/s390x/s390-pci-vfio.h -@@ -0,0 +1,24 @@ -+/* -+ * s390 vfio-pci interfaces -+ * -+ * Copyright 2020 IBM Corp. -+ * Author(s): Matthew Rosato -+ * -+ * This work is licensed under the terms of the GNU GPL, version 2 or (at -+ * your option) any later version. See the COPYING file in the top-level -+ * directory. -+ */ -+ -+#ifndef HW_S390_PCI_VFIO_H -+#define HW_S390_PCI_VFIO_H -+ -+#ifdef CONFIG_LINUX -+bool s390_pci_update_dma_avail(int fd, unsigned int *avail); -+#else -+static inline bool s390_pci_update_dma_avail(int fd, unsigned int *avail) -+{ -+ return false; -+} -+#endif -+ -+#endif diff --git a/packaging/s390x-pci-Honor-DMA-limits-set-by-vfio.patch b/packaging/s390x-pci-Honor-DMA-limits-set-by-vfio.patch deleted file mode 100644 index 6bad7e09b..000000000 --- a/packaging/s390x-pci-Honor-DMA-limits-set-by-vfio.patch +++ /dev/null @@ -1,336 +0,0 @@ -From: Matthew Rosato -Date: Mon, 26 Oct 2020 11:34:35 -0400 -Subject: s390x/pci: Honor DMA limits set by vfio - -Git-commit: 37fa32de707340f3a93959ad5a1ebc41ba1520ee -References: bsc#1179719 - -When an s390 guest is using lazy unmapping, it can result in a very -large number of oustanding DMA requests, far beyond the default -limit configured for vfio. Let's track DMA usage similar to vfio -in the host, and trigger the guest to flush their DMA mappings -before vfio runs out. - -Signed-off-by: Matthew Rosato -Reviewed-by: Cornelia Huck -[aw: non-Linux build fixes] -Signed-off-by: Alex Williamson -Signed-off-by: Liang Yan ---- - hw/s390x/s390-pci-bus.c | 20 +++++++++----- - hw/s390x/s390-pci-bus.h | 10 +++++++ - hw/s390x/s390-pci-inst.c | 45 +++++++++++++++++++++++++++----- - hw/s390x/s390-pci-inst.h | 3 +++ - hw/s390x/s390-pci-vfio.c | 42 +++++++++++++++++++++++++++++ - include/hw/s390x/s390-pci-vfio.h | 12 +++++++++ - 6 files changed, 119 insertions(+), 13 deletions(-) - -diff --git a/hw/s390x/s390-pci-bus.c b/hw/s390x/s390-pci-bus.c -index 2d2f4a7c419c63e0e1fa7d26e399..a9f6f55047273e235d3ba89ba5f0 100644 ---- a/hw/s390x/s390-pci-bus.c -+++ b/hw/s390x/s390-pci-bus.c -@@ -15,8 +15,9 @@ - #include "qapi/error.h" - #include "qapi/visitor.h" - #include "cpu.h" --#include "s390-pci-bus.h" --#include "s390-pci-inst.h" -+#include "hw/s390x/s390-pci-bus.h" -+#include "hw/s390x/s390-pci-inst.h" -+#include "hw/s390x/s390-pci-vfio.h" - #include "hw/pci/pci_bus.h" - #include "hw/qdev-properties.h" - #include "hw/pci/pci_bridge.h" -@@ -771,6 +772,7 @@ static void s390_pcihost_realize(DeviceState *dev, Error **errp) - s->bus_no = 0; - QTAILQ_INIT(&s->pending_sei); - QTAILQ_INIT(&s->zpci_devs); -+ QTAILQ_INIT(&s->zpci_dma_limit); - - css_register_io_adapters(CSS_IO_ADAPTER_PCI, true, false, - S390_ADAPTER_SUPPRESSIBLE, &local_err); -@@ -951,17 +953,18 @@ static void s390_pcihost_plug(HotplugHandler *hotplug_dev, DeviceState *dev, - } - } - -+ pbdev->pdev = pdev; -+ pbdev->iommu = s390_pci_get_iommu(s, pci_get_bus(pdev), pdev->devfn); -+ pbdev->iommu->pbdev = pbdev; -+ pbdev->state = ZPCI_FS_DISABLED; -+ - if (object_dynamic_cast(OBJECT(dev), "vfio-pci")) { - pbdev->fh |= FH_SHM_VFIO; -+ pbdev->iommu->dma_limit = s390_pci_start_dma_count(s, pbdev); - } else { - pbdev->fh |= FH_SHM_EMUL; - } - -- pbdev->pdev = pdev; -- pbdev->iommu = s390_pci_get_iommu(s, pci_get_bus(pdev), pdev->devfn); -- pbdev->iommu->pbdev = pbdev; -- pbdev->state = ZPCI_FS_DISABLED; -- - if (s390_pci_msix_init(pbdev)) { - error_setg(errp, "MSI-X support is mandatory " - "in the S390 architecture"); -@@ -1014,6 +1017,9 @@ static void s390_pcihost_unplug(HotplugHandler *hotplug_dev, DeviceState *dev, - pbdev->fid = 0; - QTAILQ_REMOVE(&s->zpci_devs, pbdev, link); - g_hash_table_remove(s->zpci_table, &pbdev->idx); -+ if (pbdev->iommu->dma_limit) { -+ s390_pci_end_dma_count(s, pbdev->iommu->dma_limit); -+ } - object_property_set_bool(OBJECT(dev), false, "realized", NULL); - } - } -diff --git a/hw/s390x/s390-pci-bus.h b/hw/s390x/s390-pci-bus.h -index 550f3cc5e92076cdb8a28b932265..c554aa951ace4e293854e716b05a 100644 ---- a/hw/s390x/s390-pci-bus.h -+++ b/hw/s390x/s390-pci-bus.h -@@ -266,6 +266,14 @@ typedef struct S390IOTLBEntry { - } S390IOTLBEntry; - - typedef struct S390PCIBusDevice S390PCIBusDevice; -+ -+typedef struct S390PCIDMACount { -+ int id; -+ int users; -+ uint32_t avail; -+ QTAILQ_ENTRY(S390PCIDMACount) link; -+} S390PCIDMACount; -+ - typedef struct S390PCIIOMMU { - Object parent_obj; - S390PCIBusDevice *pbdev; -@@ -277,6 +285,7 @@ typedef struct S390PCIIOMMU { - uint64_t pba; - uint64_t pal; - GHashTable *iotlb; -+ S390PCIDMACount *dma_limit; - } S390PCIIOMMU; - - typedef struct S390PCIIOMMUTable { -@@ -352,6 +361,7 @@ typedef struct S390pciState { - GHashTable *zpci_table; - QTAILQ_HEAD(, SeiContainer) pending_sei; - QTAILQ_HEAD(, S390PCIBusDevice) zpci_devs; -+ QTAILQ_HEAD(, S390PCIDMACount) zpci_dma_limit; - } S390pciState; - - S390pciState *s390_get_phb(void); -diff --git a/hw/s390x/s390-pci-inst.c b/hw/s390x/s390-pci-inst.c -index 92c7e45df5f5c421dfb043ef7dbb..a683749df713892a068986ca01be 100644 ---- a/hw/s390x/s390-pci-inst.c -+++ b/hw/s390x/s390-pci-inst.c -@@ -32,6 +32,20 @@ - } \ - } while (0) - -+static inline void inc_dma_avail(S390PCIIOMMU *iommu) -+{ -+ if (iommu->dma_limit) { -+ iommu->dma_limit->avail++; -+ } -+} -+ -+static inline void dec_dma_avail(S390PCIIOMMU *iommu) -+{ -+ if (iommu->dma_limit) { -+ iommu->dma_limit->avail--; -+ } -+} -+ - static void s390_set_status_code(CPUS390XState *env, - uint8_t r, uint64_t status_code) - { -@@ -572,7 +586,8 @@ int pcistg_service_call(S390CPU *cpu, uint8_t r1, uint8_t r2, uintptr_t ra) - return 0; - } - --static void s390_pci_update_iotlb(S390PCIIOMMU *iommu, S390IOTLBEntry *entry) -+static uint32_t s390_pci_update_iotlb(S390PCIIOMMU *iommu, -+ S390IOTLBEntry *entry) - { - S390IOTLBEntry *cache = g_hash_table_lookup(iommu->iotlb, &entry->iova); - IOMMUTLBEntry notify = { -@@ -585,14 +600,15 @@ static void s390_pci_update_iotlb(S390PCIIOMMU *iommu, S390IOTLBEntry *entry) - - if (entry->perm == IOMMU_NONE) { - if (!cache) { -- return; -+ goto out; - } - g_hash_table_remove(iommu->iotlb, &entry->iova); -+ inc_dma_avail(iommu); - } else { - if (cache) { - if (cache->perm == entry->perm && - cache->translated_addr == entry->translated_addr) { -- return; -+ goto out; - } - - notify.perm = IOMMU_NONE; -@@ -606,9 +622,13 @@ static void s390_pci_update_iotlb(S390PCIIOMMU *iommu, S390IOTLBEntry *entry) - cache->len = PAGE_SIZE; - cache->perm = entry->perm; - g_hash_table_replace(iommu->iotlb, &cache->iova, cache); -+ dec_dma_avail(iommu); - } - - memory_region_notify_iommu(&iommu->iommu_mr, 0, notify); -+ -+out: -+ return iommu->dma_limit ? iommu->dma_limit->avail : 1; - } - - int rpcit_service_call(S390CPU *cpu, uint8_t r1, uint8_t r2, uintptr_t ra) -@@ -620,6 +640,7 @@ int rpcit_service_call(S390CPU *cpu, uint8_t r1, uint8_t r2, uintptr_t ra) - S390PCIIOMMU *iommu; - S390IOTLBEntry entry; - hwaddr start, end; -+ uint32_t dma_avail; - - if (env->psw.mask & PSW_MASK_PSTATE) { - s390_program_interrupt(env, PGM_PRIVILEGED, ra); -@@ -658,6 +679,11 @@ int rpcit_service_call(S390CPU *cpu, uint8_t r1, uint8_t r2, uintptr_t ra) - } - - iommu = pbdev->iommu; -+ if (iommu->dma_limit) { -+ dma_avail = iommu->dma_limit->avail; -+ } else { -+ dma_avail = 1; -+ } - if (!iommu->g_iota) { - error = ERR_EVENT_INVALAS; - goto err; -@@ -675,8 +701,9 @@ int rpcit_service_call(S390CPU *cpu, uint8_t r1, uint8_t r2, uintptr_t ra) - } - - start += entry.len; -- while (entry.iova < start && entry.iova < end) { -- s390_pci_update_iotlb(iommu, &entry); -+ while (entry.iova < start && entry.iova < end && -+ (dma_avail > 0 || entry.perm == IOMMU_NONE)) { -+ dma_avail = s390_pci_update_iotlb(iommu, &entry); - entry.iova += PAGE_SIZE; - entry.translated_addr += PAGE_SIZE; - } -@@ -689,7 +716,13 @@ err: - s390_pci_generate_error_event(error, pbdev->fh, pbdev->fid, start, 0); - } else { - pbdev->fmb.counter[ZPCI_FMB_CNT_RPCIT]++; -- setcc(cpu, ZPCI_PCI_LS_OK); -+ if (dma_avail > 0) { -+ setcc(cpu, ZPCI_PCI_LS_OK); -+ } else { -+ /* vfio DMA mappings are exhausted, trigger a RPCIT */ -+ setcc(cpu, ZPCI_PCI_LS_ERR); -+ s390_set_status_code(env, r1, ZPCI_RPCIT_ST_INSUFF_RES); -+ } - } - return 0; - } -diff --git a/hw/s390x/s390-pci-inst.h b/hw/s390x/s390-pci-inst.h -index fa3bf8b5aad11e03376774f8fa41..8ee3a3c237576757f99dc1adef14 100644 ---- a/hw/s390x/s390-pci-inst.h -+++ b/hw/s390x/s390-pci-inst.h -@@ -254,6 +254,9 @@ typedef struct ClpReqRspQueryPciGrp { - #define ZPCI_STPCIFC_ST_INVAL_DMAAS 28 - #define ZPCI_STPCIFC_ST_ERROR_RECOVER 40 - -+/* Refresh PCI Translations status codes */ -+#define ZPCI_RPCIT_ST_INSUFF_RES 16 -+ - /* FIB function controls */ - #define ZPCI_FIB_FC_ENABLED 0x80 - #define ZPCI_FIB_FC_ERROR 0x40 -diff --git a/hw/s390x/s390-pci-vfio.c b/hw/s390x/s390-pci-vfio.c -index cb3f4d98adf8e7f1b104ce1e775e..0621fa386cedf3feb14f448aae91 100644 ---- a/hw/s390x/s390-pci-vfio.c -+++ b/hw/s390x/s390-pci-vfio.c -@@ -12,7 +12,9 @@ - #include - - #include "qemu/osdep.h" -+#include "hw/s390x/s390-pci-bus.h" - #include "hw/s390x/s390-pci-vfio.h" -+#include "hw/vfio/pci.h" - #include "hw/vfio/vfio-common.h" - - /* -@@ -52,3 +54,43 @@ retry: - return vfio_get_info_dma_avail(info, avail); - } - -+S390PCIDMACount *s390_pci_start_dma_count(S390pciState *s, -+ S390PCIBusDevice *pbdev) -+{ -+ S390PCIDMACount *cnt; -+ uint32_t avail; -+ VFIOPCIDevice *vpdev = container_of(pbdev->pdev, VFIOPCIDevice, pdev); -+ int id; -+ -+ assert(vpdev); -+ -+ id = vpdev->vbasedev.group->container->fd; -+ -+ if (!s390_pci_update_dma_avail(id, &avail)) { -+ return NULL; -+ } -+ -+ QTAILQ_FOREACH(cnt, &s->zpci_dma_limit, link) { -+ if (cnt->id == id) { -+ cnt->users++; -+ return cnt; -+ } -+ } -+ -+ cnt = g_new0(S390PCIDMACount, 1); -+ cnt->id = id; -+ cnt->users = 1; -+ cnt->avail = avail; -+ QTAILQ_INSERT_TAIL(&s->zpci_dma_limit, cnt, link); -+ return cnt; -+} -+ -+void s390_pci_end_dma_count(S390pciState *s, S390PCIDMACount *cnt) -+{ -+ assert(cnt); -+ -+ cnt->users--; -+ if (cnt->users == 0) { -+ QTAILQ_REMOVE(&s->zpci_dma_limit, cnt, link); -+ } -+} -diff --git a/include/hw/s390x/s390-pci-vfio.h b/include/hw/s390x/s390-pci-vfio.h -index 1727292e9b5d019ac2218a54eac2..539bcf04eb5bcc29f0f54ef0cda2 100644 ---- a/include/hw/s390x/s390-pci-vfio.h -+++ b/include/hw/s390x/s390-pci-vfio.h -@@ -12,13 +12,25 @@ - #ifndef HW_S390_PCI_VFIO_H - #define HW_S390_PCI_VFIO_H - -+#include "hw/s390x/s390-pci-bus.h" -+ - #ifdef CONFIG_LINUX - bool s390_pci_update_dma_avail(int fd, unsigned int *avail); -+S390PCIDMACount *s390_pci_start_dma_count(S390pciState *s, -+ S390PCIBusDevice *pbdev); -+void s390_pci_end_dma_count(S390pciState *s, S390PCIDMACount *cnt); - #else - static inline bool s390_pci_update_dma_avail(int fd, unsigned int *avail) - { - return false; - } -+static inline S390PCIDMACount *s390_pci_start_dma_count(S390pciState *s, -+ S390PCIBusDevice *pbdev) -+{ -+ return NULL; -+} -+static inline void s390_pci_end_dma_count(S390pciState *s, -+ S390PCIDMACount *cnt) { } - #endif - - #endif diff --git a/packaging/s390x-protvirt-Add-migration-blocker.patch b/packaging/s390x-protvirt-Add-migration-blocker.patch deleted file mode 100644 index 5a95c867c..000000000 --- a/packaging/s390x-protvirt-Add-migration-blocker.patch +++ /dev/null @@ -1,64 +0,0 @@ -From: Janosch Frank -Date: Fri, 6 Mar 2020 06:40:13 -0500 -Subject: s390x: protvirt: Add migration blocker - -References: bsc#1167075 - -Migration is not yet supported. - -Signed-off-by: Janosch Frank -Reviewed-by: David Hildenbrand -Reviewed-by: Christian Borntraeger -Reviewed-by: Claudio Imbrenda -Reviewed-by: Cornelia Huck -(cherry picked from commit e721e55a3dabb2897081614b17dd4565e85249ac) -Signed-off-by: Bruce Rogers ---- - hw/s390x/s390-virtio-ccw.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c -index e408612729a8cb0fe2de58308767..c9d1edaae43bc231bbcfbc8bb043 100644 ---- a/hw/s390x/s390-virtio-ccw.c -+++ b/hw/s390x/s390-virtio-ccw.c -@@ -44,6 +44,9 @@ - #include "sysemu/sysemu.h" - #include "hw/s390x/pv.h" - #include -+#include "migration/blocker.h" -+ -+static Error *pv_mig_blocker; - - S390CPU *s390_cpu_addr2state(uint16_t cpu_addr) - { -@@ -326,15 +329,30 @@ static void s390_machine_unprotect(S390CcwMachineState *ms) - { - s390_pv_vm_disable(); - ms->pv = false; -+ migrate_del_blocker(pv_mig_blocker); -+ error_free_or_abort(&pv_mig_blocker); - } - - static int s390_machine_protect(S390CcwMachineState *ms) - { -+ Error *local_err = NULL; - int rc; - -+ error_setg(&pv_mig_blocker, -+ "protected VMs are currently not migrateable."); -+ rc = migrate_add_blocker(pv_mig_blocker, &local_err); -+ if (rc) { -+ error_report_err(local_err); -+ error_free_or_abort(&pv_mig_blocker); -+ return rc; -+ } -+ - /* Create SE VM */ - rc = s390_pv_vm_enable(); - if (rc) { -+ error_report_err(local_err); -+ migrate_del_blocker(pv_mig_blocker); -+ error_free_or_abort(&pv_mig_blocker); - return rc; - } - diff --git a/packaging/s390x-protvirt-Disable-address-checks-fo.patch b/packaging/s390x-protvirt-Disable-address-checks-fo.patch deleted file mode 100644 index 47d2643c7..000000000 --- a/packaging/s390x-protvirt-Disable-address-checks-fo.patch +++ /dev/null @@ -1,119 +0,0 @@ -From: Janosch Frank -Date: Fri, 29 Nov 2019 04:22:41 -0500 -Subject: s390x: protvirt: Disable address checks for PV guest IO emulation - -References: bsc#1167075 - -IO instruction data is routed through SIDAD for protected guests, so -adresses do not need to be checked, as this is kernel memory which is -always available. - -Also the instruction data always starts at offset 0 of the SIDAD. - -Signed-off-by: Janosch Frank -Reviewed-by: Thomas Huth -Reviewed-by: David Hildenbrand -Reviewed-by: Christian Borntraeger -Reviewed-by: Claudio Imbrenda -Reviewed-by: Cornelia Huck -(cherry picked from commit f658bf14295ad49caf8d1b21033982ce69423fb7) -Signed-off-by: Bruce Rogers ---- - target/s390x/ioinst.c | 35 ++++++++++++++++++++++++++++------- - 1 file changed, 28 insertions(+), 7 deletions(-) - -diff --git a/target/s390x/ioinst.c b/target/s390x/ioinst.c -index c437a1d8c6afed80199034ab6f6a..bbcccf6be23456393282287bf116 100644 ---- a/target/s390x/ioinst.c -+++ b/target/s390x/ioinst.c -@@ -16,6 +16,25 @@ - #include "hw/s390x/ioinst.h" - #include "trace.h" - #include "hw/s390x/s390-pci-bus.h" -+#include "hw/s390x/pv.h" -+ -+/* All I/O instructions but chsc use the s format */ -+static uint64_t get_address_from_regs(CPUS390XState *env, uint32_t ipb, -+ uint8_t *ar) -+{ -+ /* -+ * Addresses for protected guests are all offsets into the -+ * satellite block which holds the IO control structures. Those -+ * control structures are always starting at offset 0 and are -+ * always aligned and accessible. So we can return 0 here which -+ * will pass the following address checks. -+ */ -+ if (s390_is_pv()) { -+ *ar = 0; -+ return 0; -+ } -+ return decode_basedisp_s(env, ipb, ar); -+} - - int ioinst_disassemble_sch_ident(uint32_t value, int *m, int *cssid, int *ssid, - int *schid) -@@ -114,7 +133,7 @@ void ioinst_handle_msch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra) - CPUS390XState *env = &cpu->env; - uint8_t ar; - -- addr = decode_basedisp_s(env, ipb, &ar); -+ addr = get_address_from_regs(env, ipb, &ar); - if (addr & 3) { - s390_program_interrupt(env, PGM_SPECIFICATION, ra); - return; -@@ -171,7 +190,7 @@ void ioinst_handle_ssch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra) - CPUS390XState *env = &cpu->env; - uint8_t ar; - -- addr = decode_basedisp_s(env, ipb, &ar); -+ addr = get_address_from_regs(env, ipb, &ar); - if (addr & 3) { - s390_program_interrupt(env, PGM_SPECIFICATION, ra); - return; -@@ -203,7 +222,7 @@ void ioinst_handle_stcrw(S390CPU *cpu, uint32_t ipb, uintptr_t ra) - CPUS390XState *env = &cpu->env; - uint8_t ar; - -- addr = decode_basedisp_s(env, ipb, &ar); -+ addr = get_address_from_regs(env, ipb, &ar); - if (addr & 3) { - s390_program_interrupt(env, PGM_SPECIFICATION, ra); - return; -@@ -234,7 +253,7 @@ void ioinst_handle_stsch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, - CPUS390XState *env = &cpu->env; - uint8_t ar; - -- addr = decode_basedisp_s(env, ipb, &ar); -+ addr = get_address_from_regs(env, ipb, &ar); - if (addr & 3) { - s390_program_interrupt(env, PGM_SPECIFICATION, ra); - return; -@@ -303,7 +322,7 @@ int ioinst_handle_tsch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra) - return -EIO; - } - trace_ioinst_sch_id("tsch", cssid, ssid, schid); -- addr = decode_basedisp_s(env, ipb, &ar); -+ addr = get_address_from_regs(env, ipb, &ar); - if (addr & 3) { - s390_program_interrupt(env, PGM_SPECIFICATION, ra); - return -EIO; -@@ -601,7 +620,7 @@ void ioinst_handle_chsc(S390CPU *cpu, uint32_t ipb, uintptr_t ra) - { - ChscReq *req; - ChscResp *res; -- uint64_t addr; -+ uint64_t addr = 0; - int reg; - uint16_t len; - uint16_t command; -@@ -610,7 +629,9 @@ void ioinst_handle_chsc(S390CPU *cpu, uint32_t ipb, uintptr_t ra) - - trace_ioinst("chsc"); - reg = (ipb >> 20) & 0x00f; -- addr = env->regs[reg]; -+ if (!s390_is_pv()) { -+ addr = env->regs[reg]; -+ } - /* Page boundary? */ - if (addr & 0xfff) { - s390_program_interrupt(env, PGM_SPECIFICATION, ra); diff --git a/packaging/s390x-protvirt-Handle-SIGP-store-status-.patch b/packaging/s390x-protvirt-Handle-SIGP-store-status-.patch deleted file mode 100644 index 7fb6e9ee6..000000000 --- a/packaging/s390x-protvirt-Handle-SIGP-store-status-.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Janosch Frank -Date: Tue, 6 Aug 2019 15:40:05 +0200 -Subject: s390x: protvirt: Handle SIGP store status correctly - -References: bsc#1167075 - -For protected VMs status storing is not done by QEMU anymore. - -Signed-off-by: Janosch Frank -Reviewed-by: Thomas Huth -Reviewed-by: David Hildenbrand -Reviewed-by: Christian Borntraeger -Reviewed-by: Claudio Imbrenda -Reviewed-by: Cornelia Huck -(cherry picked from commit 398fc6874438c320407449d1c9560925aba2280b) -Signed-off-by: Bruce Rogers ---- - target/s390x/helper.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/target/s390x/helper.c b/target/s390x/helper.c -index 6808dfda01f42acbaa1d36ef787b..36b6d3d9d1bca9db90aac1c7bec6 100644 ---- a/target/s390x/helper.c -+++ b/target/s390x/helper.c -@@ -25,6 +25,7 @@ - #include "qemu/timer.h" - #include "qemu/qemu-print.h" - #include "hw/s390x/ioinst.h" -+#include "hw/s390x/pv.h" - #include "sysemu/hw_accel.h" - #include "sysemu/runstate.h" - #ifndef CONFIG_USER_ONLY -@@ -246,6 +247,11 @@ int s390_store_status(S390CPU *cpu, hwaddr addr, bool store_arch) - hwaddr len = sizeof(*sa); - int i; - -+ /* For PVMs storing will occur when this cpu enters SIE again */ -+ if (s390_is_pv()) { -+ return 0; -+ } -+ - sa = cpu_physical_memory_map(addr, &len, 1); - if (!sa) { - return -EFAULT; diff --git a/packaging/s390x-protvirt-Inhibit-balloon-when-swit.patch b/packaging/s390x-protvirt-Inhibit-balloon-when-swit.patch deleted file mode 100644 index f7af278a1..000000000 --- a/packaging/s390x-protvirt-Inhibit-balloon-when-swit.patch +++ /dev/null @@ -1,84 +0,0 @@ -From: Janosch Frank -Date: Mon, 24 Feb 2020 07:49:06 -0500 -Subject: s390x: protvirt: Inhibit balloon when switching to protected mode - -References: bsc#1167075 - -Ballooning in protected VMs can only be done when the guest shares the -pages it gives to the host. If pages are not shared, the integrity -checks will fail once those pages have been altered and are given back -to the guest. - -As we currently do not yet have a solution for this we will continue -like this: - -1. We block ballooning now in QEMU (with this patch). - -2. Later we will provide a change to virtio that removes the blocker -and adds VIRTIO_F_IOMMU_PLATFORM automatically by QEMU when doing the -protvirt switch. This is OK, as the balloon driver in Linux (the only -supported guest) will refuse to work with the IOMMU_PLATFORM feature -bit set. - -3. Later, we can fix the guest balloon driver to accept the IOMMU -feature bit and correctly exercise sharing and unsharing of balloon -pages. - -Signed-off-by: Janosch Frank -Reviewed-by: David Hildenbrand -Reviewed-by: Christian Borntraeger -Reviewed-by: Claudio Imbrenda -Reviewed-by: Cornelia Huck -(cherry picked from commit 59dc32a3494d6afdd420f3e401f1f324a1179256) -Signed-off-by: Bruce Rogers ---- - hw/s390x/s390-virtio-ccw.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c -index c9d1edaae43bc231bbcfbc8bb043..91b2cea0822b41bd6af17be93193 100644 ---- a/hw/s390x/s390-virtio-ccw.c -+++ b/hw/s390x/s390-virtio-ccw.c -@@ -42,6 +42,7 @@ - #include "hw/qdev-properties.h" - #include "hw/s390x/tod.h" - #include "sysemu/sysemu.h" -+#include "sysemu/balloon.h" - #include "hw/s390x/pv.h" - #include - #include "migration/blocker.h" -@@ -331,6 +332,7 @@ static void s390_machine_unprotect(S390CcwMachineState *ms) - ms->pv = false; - migrate_del_blocker(pv_mig_blocker); - error_free_or_abort(&pv_mig_blocker); -+ qemu_balloon_inhibit(false); - } - - static int s390_machine_protect(S390CcwMachineState *ms) -@@ -338,10 +340,18 @@ static int s390_machine_protect(S390CcwMachineState *ms) - Error *local_err = NULL; - int rc; - -+ /* -+ * Ballooning on protected VMs needs support in the guest for -+ * sharing and unsharing balloon pages. Block ballooning for -+ * now, until we have a solution to make at least Linux guests -+ * either support it or fail gracefully. -+ */ -+ qemu_balloon_inhibit(true); - error_setg(&pv_mig_blocker, - "protected VMs are currently not migrateable."); - rc = migrate_add_blocker(pv_mig_blocker, &local_err); - if (rc) { -+ qemu_balloon_inhibit(false); - error_report_err(local_err); - error_free_or_abort(&pv_mig_blocker); - return rc; -@@ -350,6 +360,7 @@ static int s390_machine_protect(S390CcwMachineState *ms) - /* Create SE VM */ - rc = s390_pv_vm_enable(); - if (rc) { -+ qemu_balloon_inhibit(false); - error_report_err(local_err); - migrate_del_blocker(pv_mig_blocker); - error_free_or_abort(&pv_mig_blocker); diff --git a/packaging/s390x-protvirt-KVM-intercept-changes.patch b/packaging/s390x-protvirt-KVM-intercept-changes.patch deleted file mode 100644 index 737ef998a..000000000 --- a/packaging/s390x-protvirt-KVM-intercept-changes.patch +++ /dev/null @@ -1,60 +0,0 @@ -From: Janosch Frank -Date: Mon, 13 May 2019 10:35:27 +0200 -Subject: s390x: protvirt: KVM intercept changes - -References: bsc#1167075 - -Protected VMs no longer intercept with code 4 for an instruction -interception. Instead they have codes 104 and 108 for protected -instruction interception and protected instruction notification -respectively. - -The 104 mirrors the 4 interception. - -The 108 is a notification interception to let KVM and QEMU know that -something changed and we need to update tracking information or -perform specific tasks. It's currently taken for the following -instructions: - -* spx (To inform about the changed prefix location) -* sclp (On incorrect SCCB values, so we can inject a IRQ) -* sigp (All but "stop and store status") -* diag308 (Subcodes 0/1) - -Of these exits only sclp errors, state changing sigps and diag308 will -reach QEMU. QEMU will do its parts of the job, while the ultravisor -has done the instruction part of the job. - -Signed-off-by: Janosch Frank -Reviewed-by: David Hildenbrand -Reviewed-by: Christian Borntraeger -Reviewed-by: Claudio Imbrenda -Reviewed-by: Cornelia Huck -(cherry picked from commit fd70eb764f176c200d6723c2ad88362f23536bfa) -Signed-off-by: Bruce Rogers ---- - target/s390x/kvm.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c -index d8d02ff34f4fc942cb7935deec58..abeeaaa67452b0b938557b0d0dea 100644 ---- a/target/s390x/kvm.c -+++ b/target/s390x/kvm.c -@@ -115,6 +115,8 @@ - #define ICPT_CPU_STOP 0x28 - #define ICPT_OPEREXC 0x2c - #define ICPT_IO 0x40 -+#define ICPT_PV_INSTR 0x68 -+#define ICPT_PV_INSTR_NOTIFICATION 0x6c - - #define NR_LOCAL_IRQS 32 - /* -@@ -1695,6 +1697,8 @@ static int handle_intercept(S390CPU *cpu) - (long)cs->kvm_run->psw_addr); - switch (icpt_code) { - case ICPT_INSTRUCTION: -+ case ICPT_PV_INSTR: -+ case ICPT_PV_INSTR_NOTIFICATION: - r = handle_instruction(cpu, run); - break; - case ICPT_PROGRAM: diff --git a/packaging/s390x-protvirt-Move-IO-control-structure.patch b/packaging/s390x-protvirt-Move-IO-control-structure.patch deleted file mode 100644 index e840f6fd3..000000000 --- a/packaging/s390x-protvirt-Move-IO-control-structure.patch +++ /dev/null @@ -1,156 +0,0 @@ -From: Janosch Frank -Date: Wed, 5 Feb 2020 07:02:33 -0500 -Subject: s390x: protvirt: Move IO control structures over SIDA - -References: bsc#1167075 - -For protected guests, we need to put the IO emulation results into the -SIDA, so SIE will write them into the guest at the next entry. - -Signed-off-by: Janosch Frank -Reviewed-by: David Hildenbrand -Reviewed-by: Cornelia Huck -(cherry picked from commit 4989e18cbe5621df39020ef812316f479d8f5246) -Signed-off-by: Bruce Rogers ---- - target/s390x/ioinst.c | 61 +++++++++++++++++++++++++++++++------------ - 1 file changed, 45 insertions(+), 16 deletions(-) - -diff --git a/target/s390x/ioinst.c b/target/s390x/ioinst.c -index bbcccf6be23456393282287bf116..f40c35c6ff58315622510ae72103 100644 ---- a/target/s390x/ioinst.c -+++ b/target/s390x/ioinst.c -@@ -138,7 +138,9 @@ void ioinst_handle_msch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra) - s390_program_interrupt(env, PGM_SPECIFICATION, ra); - return; - } -- if (s390_cpu_virt_mem_read(cpu, addr, ar, &schib, sizeof(schib))) { -+ if (s390_is_pv()) { -+ s390_cpu_pv_mem_read(cpu, addr, &schib, sizeof(schib)); -+ } else if (s390_cpu_virt_mem_read(cpu, addr, ar, &schib, sizeof(schib))) { - s390_cpu_virt_mem_handle_exc(cpu, ra); - return; - } -@@ -195,7 +197,9 @@ void ioinst_handle_ssch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra) - s390_program_interrupt(env, PGM_SPECIFICATION, ra); - return; - } -- if (s390_cpu_virt_mem_read(cpu, addr, ar, &orig_orb, sizeof(orb))) { -+ if (s390_is_pv()) { -+ s390_cpu_pv_mem_read(cpu, addr, &orig_orb, sizeof(orb)); -+ } else if (s390_cpu_virt_mem_read(cpu, addr, ar, &orig_orb, sizeof(orb))) { - s390_cpu_virt_mem_handle_exc(cpu, ra); - return; - } -@@ -231,14 +235,19 @@ void ioinst_handle_stcrw(S390CPU *cpu, uint32_t ipb, uintptr_t ra) - cc = css_do_stcrw(&crw); - /* 0 - crw stored, 1 - zeroes stored */ - -- if (s390_cpu_virt_mem_write(cpu, addr, ar, &crw, sizeof(crw)) == 0) { -+ if (s390_is_pv()) { -+ s390_cpu_pv_mem_write(cpu, addr, &crw, sizeof(crw)); - setcc(cpu, cc); - } else { -- if (cc == 0) { -- /* Write failed: requeue CRW since STCRW is suppressing */ -- css_undo_stcrw(&crw); -+ if (s390_cpu_virt_mem_write(cpu, addr, ar, &crw, sizeof(crw)) == 0) { -+ setcc(cpu, cc); -+ } else { -+ if (cc == 0) { -+ /* Write failed: requeue CRW since STCRW is suppressing */ -+ css_undo_stcrw(&crw); -+ } -+ s390_cpu_virt_mem_handle_exc(cpu, ra); - } -- s390_cpu_virt_mem_handle_exc(cpu, ra); - } - } - -@@ -260,6 +269,13 @@ void ioinst_handle_stsch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, - } - - if (ioinst_disassemble_sch_ident(reg1, &m, &cssid, &ssid, &schid)) { -+ /* -+ * The Ultravisor checks schid bit 16 to be one and bits 0-12 -+ * to be 0 and injects a operand exception itself. -+ * -+ * Hence we should never end up here. -+ */ -+ g_assert(!s390_is_pv()); - /* - * As operand exceptions have a lower priority than access exceptions, - * we check whether the memory area is writeable (injecting the -@@ -292,14 +308,17 @@ void ioinst_handle_stsch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, - } - } - if (cc != 3) { -- if (s390_cpu_virt_mem_write(cpu, addr, ar, &schib, -- sizeof(schib)) != 0) { -+ if (s390_is_pv()) { -+ s390_cpu_pv_mem_write(cpu, addr, &schib, sizeof(schib)); -+ } else if (s390_cpu_virt_mem_write(cpu, addr, ar, &schib, -+ sizeof(schib)) != 0) { - s390_cpu_virt_mem_handle_exc(cpu, ra); - return; - } - } else { - /* Access exceptions have a higher priority than cc3 */ -- if (s390_cpu_virt_mem_check_write(cpu, addr, ar, sizeof(schib)) != 0) { -+ if (!s390_is_pv() && -+ s390_cpu_virt_mem_check_write(cpu, addr, ar, sizeof(schib)) != 0) { - s390_cpu_virt_mem_handle_exc(cpu, ra); - return; - } -@@ -336,7 +355,9 @@ int ioinst_handle_tsch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra) - } - /* 0 - status pending, 1 - not status pending, 3 - not operational */ - if (cc != 3) { -- if (s390_cpu_virt_mem_write(cpu, addr, ar, &irb, irb_len) != 0) { -+ if (s390_is_pv()) { -+ s390_cpu_pv_mem_write(cpu, addr, &irb, irb_len); -+ } else if (s390_cpu_virt_mem_write(cpu, addr, ar, &irb, irb_len) != 0) { - s390_cpu_virt_mem_handle_exc(cpu, ra); - return -EFAULT; - } -@@ -344,7 +365,8 @@ int ioinst_handle_tsch(S390CPU *cpu, uint64_t reg1, uint32_t ipb, uintptr_t ra) - } else { - irb_len = sizeof(irb) - sizeof(irb.emw); - /* Access exceptions have a higher priority than cc3 */ -- if (s390_cpu_virt_mem_check_write(cpu, addr, ar, irb_len) != 0) { -+ if (!s390_is_pv() && -+ s390_cpu_virt_mem_check_write(cpu, addr, ar, irb_len) != 0) { - s390_cpu_virt_mem_handle_exc(cpu, ra); - return -EFAULT; - } -@@ -642,7 +664,9 @@ void ioinst_handle_chsc(S390CPU *cpu, uint32_t ipb, uintptr_t ra) - * present CHSC sub-handlers ... if we ever need more, we should take - * care of req->len here first. - */ -- if (s390_cpu_virt_mem_read(cpu, addr, reg, buf, sizeof(ChscReq))) { -+ if (s390_is_pv()) { -+ s390_cpu_pv_mem_read(cpu, addr, buf, sizeof(ChscReq)); -+ } else if (s390_cpu_virt_mem_read(cpu, addr, reg, buf, sizeof(ChscReq))) { - s390_cpu_virt_mem_handle_exc(cpu, ra); - return; - } -@@ -675,11 +699,16 @@ void ioinst_handle_chsc(S390CPU *cpu, uint32_t ipb, uintptr_t ra) - break; - } - -- if (!s390_cpu_virt_mem_write(cpu, addr + len, reg, res, -- be16_to_cpu(res->len))) { -+ if (s390_is_pv()) { -+ s390_cpu_pv_mem_write(cpu, addr + len, res, be16_to_cpu(res->len)); - setcc(cpu, 0); /* Command execution complete */ - } else { -- s390_cpu_virt_mem_handle_exc(cpu, ra); -+ if (!s390_cpu_virt_mem_write(cpu, addr + len, reg, res, -+ be16_to_cpu(res->len))) { -+ setcc(cpu, 0); /* Command execution complete */ -+ } else { -+ s390_cpu_virt_mem_handle_exc(cpu, ra); -+ } - } - } - diff --git a/packaging/s390x-protvirt-Move-STSI-data-over-SIDAD.patch b/packaging/s390x-protvirt-Move-STSI-data-over-SIDAD.patch deleted file mode 100644 index 9c69155c3..000000000 --- a/packaging/s390x-protvirt-Move-STSI-data-over-SIDAD.patch +++ /dev/null @@ -1,55 +0,0 @@ -From: Janosch Frank -Date: Wed, 5 Feb 2020 07:02:51 -0500 -Subject: s390x: protvirt: Move STSI data over SIDAD - -References: bsc#1167075 - -For protected guests, we need to put the STSI emulation results into -the SIDA, so SIE will write them into the guest at the next entry. - -Signed-off-by: Janosch Frank -Reviewed-by: David Hildenbrand -Reviewed-by: Claudio Imbrenda -Reviewed-by: Cornelia Huck -(cherry picked from commit ccce7a654911ae507c962aff5f41004a7a88fad6) -Signed-off-by: Bruce Rogers ---- - target/s390x/kvm.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c -index 941e4df630ad9b3dc780d3c92e6b..d00e05cc10d274790a215d0f4359 100644 ---- a/target/s390x/kvm.c -+++ b/target/s390x/kvm.c -@@ -50,6 +50,7 @@ - #include "exec/memattrs.h" - #include "hw/s390x/s390-virtio-ccw.h" - #include "hw/s390x/s390-virtio-hcall.h" -+#include "hw/s390x/pv.h" - - #ifndef DEBUG_KVM - #define DEBUG_KVM 0 -@@ -1803,7 +1804,9 @@ static void insert_stsi_3_2_2(S390CPU *cpu, __u64 addr, uint8_t ar) - SysIB_322 sysib; - int del; - -- if (s390_cpu_virt_mem_read(cpu, addr, ar, &sysib, sizeof(sysib))) { -+ if (s390_is_pv()) { -+ s390_cpu_pv_mem_read(cpu, 0, &sysib, sizeof(sysib)); -+ } else if (s390_cpu_virt_mem_read(cpu, addr, ar, &sysib, sizeof(sysib))) { - return; - } - /* Shift the stack of Extended Names to prepare for our own data */ -@@ -1843,7 +1846,11 @@ static void insert_stsi_3_2_2(S390CPU *cpu, __u64 addr, uint8_t ar) - /* Insert UUID */ - memcpy(sysib.vm[0].uuid, &qemu_uuid, sizeof(sysib.vm[0].uuid)); - -- s390_cpu_virt_mem_write(cpu, addr, ar, &sysib, sizeof(sysib)); -+ if (s390_is_pv()) { -+ s390_cpu_pv_mem_write(cpu, 0, &sysib, sizeof(sysib)); -+ } else { -+ s390_cpu_virt_mem_write(cpu, addr, ar, &sysib, sizeof(sysib)); -+ } - } - - static int handle_stsi(S390CPU *cpu) diff --git a/packaging/s390x-protvirt-Move-diag-308-data-over-S.patch b/packaging/s390x-protvirt-Move-diag-308-data-over-S.patch deleted file mode 100644 index 3a8de6056..000000000 --- a/packaging/s390x-protvirt-Move-diag-308-data-over-S.patch +++ /dev/null @@ -1,78 +0,0 @@ -From: Janosch Frank -Date: Wed, 31 Jul 2019 17:49:08 +0200 -Subject: s390x: protvirt: Move diag 308 data over SIDA - -References: bsc#1167075 - -For protected guests the IPIB is written/read to/from the SIDA, so we -need those accesses to go through s390_cpu_pv_mem_read/write(). - -Signed-off-by: Janosch Frank -Reviewed-by: David Hildenbrand -Reviewed-by: Christian Borntraeger -Reviewed-by: Claudio Imbrenda -Reviewed-by: Cornelia Huck -(cherry picked from commit 258da1c7736d3aa4604ceea6cce00995c6f30058) -Signed-off-by: Bruce Rogers ---- - target/s390x/diag.c | 25 ++++++++++++++++++++----- - 1 file changed, 20 insertions(+), 5 deletions(-) - -diff --git a/target/s390x/diag.c b/target/s390x/diag.c -index b2cbefb8cfe4e5a244219e761fb4..1a4842956402e308426c0ed5ce5c 100644 ---- a/target/s390x/diag.c -+++ b/target/s390x/diag.c -@@ -75,6 +75,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) - { - bool valid; - CPUState *cs = env_cpu(env); -+ S390CPU *cpu = S390_CPU(cs); - uint64_t addr = env->regs[r1]; - uint64_t subcode = env->regs[r3]; - IplParameterBlock *iplb; -@@ -111,13 +112,22 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) - return; - } - iplb = g_new0(IplParameterBlock, 1); -- cpu_physical_memory_read(addr, iplb, sizeof(iplb->len)); -+ if (!s390_is_pv()) { -+ cpu_physical_memory_read(addr, iplb, sizeof(iplb->len)); -+ } else { -+ s390_cpu_pv_mem_read(cpu, 0, iplb, sizeof(iplb->len)); -+ } -+ - if (!iplb_valid_len(iplb)) { - env->regs[r1 + 1] = DIAG_308_RC_INVALID; - goto out; - } - -- cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len)); -+ if (!s390_is_pv()) { -+ cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len)); -+ } else { -+ s390_cpu_pv_mem_read(cpu, 0, iplb, be32_to_cpu(iplb->len)); -+ } - - valid = subcode == DIAG308_PV_SET ? iplb_valid_pv(iplb) : iplb_valid(iplb); - if (!valid) { -@@ -140,12 +150,17 @@ out: - } else { - iplb = s390_ipl_get_iplb(); - } -- if (iplb) { -+ if (!iplb) { -+ env->regs[r1 + 1] = DIAG_308_RC_NO_CONF; -+ return; -+ } -+ -+ if (!s390_is_pv()) { - cpu_physical_memory_write(addr, iplb, be32_to_cpu(iplb->len)); -- env->regs[r1 + 1] = DIAG_308_RC_OK; - } else { -- env->regs[r1 + 1] = DIAG_308_RC_NO_CONF; -+ s390_cpu_pv_mem_write(cpu, 0, iplb, be32_to_cpu(iplb->len)); - } -+ env->regs[r1 + 1] = DIAG_308_RC_OK; - return; - case DIAG308_PV_START: - iplb = s390_ipl_get_iplb_pv(); diff --git a/packaging/s390x-protvirt-SCLP-interpretation.patch b/packaging/s390x-protvirt-SCLP-interpretation.patch deleted file mode 100644 index b0921df65..000000000 --- a/packaging/s390x-protvirt-SCLP-interpretation.patch +++ /dev/null @@ -1,156 +0,0 @@ -From: Janosch Frank -Date: Mon, 3 Jun 2019 16:40:29 +0200 -Subject: s390x: protvirt: SCLP interpretation - -References: bsc#1167075 - -SCLP for a protected guest is done over the SIDAD, so we need to use -the s390_cpu_pv_mem_* functions to access the SIDAD instead of guest -memory when reading/writing SCBs. - -To not confuse the sclp emulation, we set 0x4000 as the SCCB address, -since the function that injects the sclp external interrupt would -reject a zero sccb address. - -Signed-off-by: Janosch Frank -Reviewed-by: David Hildenbrand -Reviewed-by: Claudio Imbrenda -Reviewed-by: Cornelia Huck -(cherry picked from commit 32633cf4539341180dbc7a92c2655c711b4a6996) -Signed-off-by: Bruce Rogers ---- - hw/s390x/sclp.c | 56 +++++++++++++++++++++++++++++++++-------- - include/hw/s390x/sclp.h | 2 ++ - target/s390x/kvm.c | 25 ++++++++++++++---- - 3 files changed, 67 insertions(+), 16 deletions(-) - -diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c -index f57ce7b73943564f4d44dcbe0cf0..1c380a49cc7140687329e43e9745 100644 ---- a/hw/s390x/sclp.c -+++ b/hw/s390x/sclp.c -@@ -33,6 +33,22 @@ static inline SCLPDevice *get_sclp_device(void) - return sclp; - } - -+static inline bool sclp_command_code_valid(uint32_t code) -+{ -+ switch (code & SCLP_CMD_CODE_MASK) { -+ case SCLP_CMDW_READ_SCP_INFO: -+ case SCLP_CMDW_READ_SCP_INFO_FORCED: -+ case SCLP_CMDW_READ_CPU_INFO: -+ case SCLP_CMDW_CONFIGURE_IOA: -+ case SCLP_CMDW_DECONFIGURE_IOA: -+ case SCLP_CMD_READ_EVENT_DATA: -+ case SCLP_CMD_WRITE_EVENT_DATA: -+ case SCLP_CMD_WRITE_EVENT_MASK: -+ return true; -+ } -+ return false; -+} -+ - static void prepare_cpu_entries(SCLPDevice *sclp, CPUEntry *entry, int *count) - { - MachineState *ms = MACHINE(qdev_get_machine()); -@@ -193,6 +209,34 @@ static void sclp_execute(SCLPDevice *sclp, SCCB *sccb, uint32_t code) - } - } - -+/* -+ * We only need the address to have something valid for the -+ * service_interrupt call. -+ */ -+#define SCLP_PV_DUMMY_ADDR 0x4000 -+int sclp_service_call_protected(CPUS390XState *env, uint64_t sccb, -+ uint32_t code) -+{ -+ SCLPDevice *sclp = get_sclp_device(); -+ SCLPDeviceClass *sclp_c = SCLP_GET_CLASS(sclp); -+ SCCB work_sccb; -+ hwaddr sccb_len = sizeof(SCCB); -+ -+ s390_cpu_pv_mem_read(env_archcpu(env), 0, &work_sccb, sccb_len); -+ -+ if (!sclp_command_code_valid(code)) { -+ work_sccb.h.response_code = cpu_to_be16(SCLP_RC_INVALID_SCLP_COMMAND); -+ goto out_write; -+ } -+ -+ sclp_c->execute(sclp, &work_sccb, code); -+out_write: -+ s390_cpu_pv_mem_write(env_archcpu(env), 0, &work_sccb, -+ be16_to_cpu(work_sccb.h.length)); -+ sclp_c->service_interrupt(sclp, SCLP_PV_DUMMY_ADDR); -+ return 0; -+} -+ - int sclp_service_call(CPUS390XState *env, uint64_t sccb, uint32_t code) - { - SCLPDevice *sclp = get_sclp_device(); -@@ -230,17 +274,7 @@ int sclp_service_call(CPUS390XState *env, uint64_t sccb, uint32_t code) - goto out; - } - -- switch (code & SCLP_CMD_CODE_MASK) { -- case SCLP_CMDW_READ_SCP_INFO: -- case SCLP_CMDW_READ_SCP_INFO_FORCED: -- case SCLP_CMDW_READ_CPU_INFO: -- case SCLP_CMDW_CONFIGURE_IOA: -- case SCLP_CMDW_DECONFIGURE_IOA: -- case SCLP_CMD_READ_EVENT_DATA: -- case SCLP_CMD_WRITE_EVENT_DATA: -- case SCLP_CMD_WRITE_EVENT_MASK: -- break; -- default: -+ if (!sclp_command_code_valid(code)) { - work_sccb.h.response_code = cpu_to_be16(SCLP_RC_INVALID_SCLP_COMMAND); - goto out_write; - } -diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h -index c54413b78cf01b274cc249b1409b..c0a3faa37d7304536e75d32f2050 100644 ---- a/include/hw/s390x/sclp.h -+++ b/include/hw/s390x/sclp.h -@@ -217,5 +217,7 @@ void s390_sclp_init(void); - void sclp_service_interrupt(uint32_t sccb); - void raise_irq_cpu_hotplug(void); - int sclp_service_call(CPUS390XState *env, uint64_t sccb, uint32_t code); -+int sclp_service_call_protected(CPUS390XState *env, uint64_t sccb, -+ uint32_t code); - - #endif -diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c -index d00e05cc10d274790a215d0f4359..d94b915da419c3ad0a1f9622ca13 100644 ---- a/target/s390x/kvm.c -+++ b/target/s390x/kvm.c -@@ -1230,12 +1230,27 @@ static void kvm_sclp_service_call(S390CPU *cpu, struct kvm_run *run, - sccb = env->regs[ipbh0 & 0xf]; - code = env->regs[(ipbh0 & 0xf0) >> 4]; - -- r = sclp_service_call(env, sccb, code); -- if (r < 0) { -- kvm_s390_program_interrupt(cpu, -r); -- return; -+ switch (run->s390_sieic.icptcode) { -+ case ICPT_PV_INSTR_NOTIFICATION: -+ g_assert(s390_is_pv()); -+ /* The notification intercepts are currently handled by KVM */ -+ error_report("unexpected SCLP PV notification"); -+ exit(1); -+ break; -+ case ICPT_PV_INSTR: -+ g_assert(s390_is_pv()); -+ sclp_service_call_protected(env, sccb, code); -+ /* Setting the CC is done by the Ultravisor. */ -+ break; -+ case ICPT_INSTRUCTION: -+ g_assert(!s390_is_pv()); -+ r = sclp_service_call(env, sccb, code); -+ if (r < 0) { -+ kvm_s390_program_interrupt(cpu, -r); -+ return; -+ } -+ setcc(cpu, r); - } -- setcc(cpu, r); - } - - static int handle_b2(S390CPU *cpu, struct kvm_run *run, uint8_t ipa1) diff --git a/packaging/s390x-protvirt-Set-guest-IPL-PSW.patch b/packaging/s390x-protvirt-Set-guest-IPL-PSW.patch deleted file mode 100644 index de6dc6bfa..000000000 --- a/packaging/s390x-protvirt-Set-guest-IPL-PSW.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Janosch Frank -Date: Tue, 23 Jul 2019 13:17:32 +0200 -Subject: s390x: protvirt: Set guest IPL PSW - -References: bsc#1167075 - -Handling of CPU reset and setting of the IPL psw from guest storage at -offset 0 is done by a Ultravisor call. Let's only fetch it if -necessary. - -Signed-off-by: Janosch Frank -Reviewed-by: Thomas Huth -Reviewed-by: David Hildenbrand -Reviewed-by: Christian Borntraeger -Reviewed-by: Claudio Imbrenda -Reviewed-by: Cornelia Huck -(cherry picked from commit e8686d9849f1625f4f4b28403f0555181b72d1b6) -Signed-off-by: Bruce Rogers ---- - target/s390x/cpu.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c -index 479f1978c974722ceeb72ac5fb32..6da0c3f15530310fba5f609b8c7f 100644 ---- a/target/s390x/cpu.c -+++ b/target/s390x/cpu.c -@@ -77,8 +77,16 @@ static bool s390_cpu_has_work(CPUState *cs) - static void s390_cpu_load_normal(CPUState *s) - { - S390CPU *cpu = S390_CPU(s); -- cpu->env.psw.addr = ldl_phys(s->as, 4) & PSW_MASK_ESA_ADDR; -- cpu->env.psw.mask = PSW_MASK_32 | PSW_MASK_64; -+ if (!s390_is_pv()) { -+ cpu->env.psw.addr = ldl_phys(s->as, 4) & PSW_MASK_ESA_ADDR; -+ cpu->env.psw.mask = PSW_MASK_32 | PSW_MASK_64; -+ } else { -+ /* -+ * Firmware requires us to set the load state before we set -+ * the cpu to operating on protected guests. -+ */ -+ s390_cpu_set_state(S390_CPU_STATE_LOAD, cpu); -+ } - s390_cpu_set_state(S390_CPU_STATE_OPERATING, cpu); - } - #endif diff --git a/packaging/s390x-protvirt-Support-unpack-facility.patch b/packaging/s390x-protvirt-Support-unpack-facility.patch deleted file mode 100644 index 6da2ef46d..000000000 --- a/packaging/s390x-protvirt-Support-unpack-facility.patch +++ /dev/null @@ -1,868 +0,0 @@ -From: Janosch Frank -Date: Mon, 11 Feb 2019 16:07:19 +0100 -Subject: s390x: protvirt: Support unpack facility - -References: bsc#1167075 - -The unpack facility provides the means to setup a protected guest. A -protected guest cannot be introspected by the hypervisor or any -user/administrator of the machine it is running on. - -Protected guests are encrypted at rest and need a special boot -mechanism via diag308 subcode 8 and 10. - -Code 8 sets the PV specific IPLB which is retained separately from -those set via code 5. - -Code 10 is used to unpack the VM into protected memory, verify its -integrity and start it. - -Signed-off-by: Janosch Frank -Co-developed-by: Christian Borntraeger [Changes -to machine] -Reviewed-by: David Hildenbrand -Reviewed-by: Claudio Imbrenda -Reviewed-by: Cornelia Huck -(cherry picked from commit 2150c92b9b7d12b5fbdd2c59e5b17197d28f53db) -[BR: Needed to fix a compiler warning on i586 in hw/s390x/ipl.c] -Signed-off-by: Bruce Rogers ---- - MAINTAINERS | 2 + - hw/s390x/Makefile.objs | 1 + - hw/s390x/ipl.c | 59 +++++++++++++- - hw/s390x/ipl.h | 91 ++++++++++++++++++++- - hw/s390x/pv.c | 98 +++++++++++++++++++++++ - hw/s390x/s390-virtio-ccw.c | 119 +++++++++++++++++++++++++++- - include/hw/s390x/pv.h | 55 +++++++++++++ - include/hw/s390x/s390-virtio-ccw.h | 1 + - target/s390x/cpu.c | 1 + - target/s390x/cpu_features_def.inc.h | 1 + - target/s390x/diag.c | 39 ++++++++- - target/s390x/kvm-stub.c | 5 ++ - target/s390x/kvm.c | 5 ++ - target/s390x/kvm_s390x.h | 1 + - 14 files changed, 468 insertions(+), 10 deletions(-) - -diff --git a/MAINTAINERS b/MAINTAINERS -index 5e5e3e52d614d05e7d6e8225e3b7..1dbe9345a022a25b7b40a5b5e9c8 100644 ---- a/MAINTAINERS -+++ b/MAINTAINERS -@@ -385,6 +385,8 @@ F: target/s390x/machine.c - F: target/s390x/sigp.c - F: target/s390x/cpu_features*.[ch] - F: target/s390x/cpu_models.[ch] -+F: hw/s390x/pv.c -+F: include/hw/s390x/pv.h - F: hw/intc/s390_flic.c - F: hw/intc/s390_flic_kvm.c - F: include/hw/s390x/s390_flic.h -diff --git a/hw/s390x/Makefile.objs b/hw/s390x/Makefile.objs -index e02ed80b6829a511362abc3525ec..a46a1c7894e0f612a2d74cec74f6 100644 ---- a/hw/s390x/Makefile.objs -+++ b/hw/s390x/Makefile.objs -@@ -31,6 +31,7 @@ obj-y += tod-qemu.o - obj-$(CONFIG_KVM) += tod-kvm.o - obj-$(CONFIG_KVM) += s390-skeys-kvm.o - obj-$(CONFIG_KVM) += s390-stattrib-kvm.o -+obj-$(CONFIG_KVM) += pv.o - obj-y += s390-ccw.o - obj-y += ap-device.o - obj-y += ap-bridge.o -diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c -index 6cb4a1575c370d391f216a359c5d..25139655a565fc33a40ef61e343e 100644 ---- a/hw/s390x/ipl.c -+++ b/hw/s390x/ipl.c -@@ -1,10 +1,11 @@ - /* - * bootloader support - * -- * Copyright IBM, Corp. 2012 -+ * Copyright IBM, Corp. 2012, 2020 - * - * Authors: - * Christian Borntraeger -+ * Janosch Frank - * - * This work is licensed under the terms of the GNU GPL, version 2 or (at your - * option) any later version. See the COPYING file in the top-level directory. -@@ -27,6 +28,7 @@ - #include "hw/s390x/vfio-ccw.h" - #include "hw/s390x/css.h" - #include "hw/s390x/ebcdic.h" -+#include "hw/s390x/pv.h" - #include "ipl.h" - #include "qemu/error-report.h" - #include "qemu/config-file.h" -@@ -533,11 +535,30 @@ void s390_ipl_update_diag308(IplParameterBlock *iplb) - { - S390IPLState *ipl = get_ipl_device(); - -- ipl->iplb = *iplb; -- ipl->iplb_valid = true; -+ /* -+ * The IPLB set and retrieved by subcodes 8/9 is completely -+ * separate from the one managed via subcodes 5/6. -+ */ -+ if (iplb->pbt == S390_IPL_TYPE_PV) { -+ ipl->iplb_pv = *iplb; -+ ipl->iplb_valid_pv = true; -+ } else { -+ ipl->iplb = *iplb; -+ ipl->iplb_valid = true; -+ } - ipl->netboot = is_virtio_net_device(iplb); - } - -+IplParameterBlock *s390_ipl_get_iplb_pv(void) -+{ -+ S390IPLState *ipl = get_ipl_device(); -+ -+ if (!ipl->iplb_valid_pv) { -+ return NULL; -+ } -+ return &ipl->iplb_pv; -+} -+ - IplParameterBlock *s390_ipl_get_iplb(void) - { - S390IPLState *ipl = get_ipl_device(); -@@ -627,6 +648,38 @@ static void s390_ipl_prepare_qipl(S390CPU *cpu) - cpu_physical_memory_unmap(addr, len, 1, len); - } - -+int s390_ipl_prepare_pv_header(void) -+{ -+ IplParameterBlock *ipib = s390_ipl_get_iplb_pv(); -+ IPLBlockPV *ipib_pv = &ipib->pv; -+ void *hdr = g_malloc(ipib_pv->pv_header_len); -+ int rc; -+ -+ cpu_physical_memory_read(ipib_pv->pv_header_addr, hdr, -+ ipib_pv->pv_header_len); -+ rc = s390_pv_set_sec_parms((uintptr_t)hdr, -+ ipib_pv->pv_header_len); -+ g_free(hdr); -+ return rc; -+} -+ -+int s390_ipl_pv_unpack(void) -+{ -+ IplParameterBlock *ipib = s390_ipl_get_iplb_pv(); -+ IPLBlockPV *ipib_pv = &ipib->pv; -+ int i, rc = 0; -+ -+ for (i = 0; i < ipib_pv->num_comp; i++) { -+ rc = s390_pv_unpack(ipib_pv->components[i].addr, -+ TARGET_PAGE_ALIGN(ipib_pv->components[i].size), -+ ipib_pv->components[i].tweak_pref); -+ if (rc) { -+ break; -+ } -+ } -+ return rc; -+} -+ - void s390_ipl_prepare_cpu(S390CPU *cpu) - { - S390IPLState *ipl = get_ipl_device(); -diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h -index a5665e6bfde2e8cfbb1b2e6c7234..89b3044d7a2ee54014daa8eeafc9 100644 ---- a/hw/s390x/ipl.h -+++ b/hw/s390x/ipl.h -@@ -1,8 +1,9 @@ - /* - * s390 IPL device - * -- * Copyright 2015 IBM Corp. -+ * Copyright 2015, 2020 IBM Corp. - * Author(s): Zhang Fan -+ * Janosch Frank - * - * This work is licensed under the terms of the GNU GPL, version 2 or (at - * your option) any later version. See the COPYING file in the top-level -@@ -15,6 +16,24 @@ - #include "cpu.h" - #include "hw/qdev-core.h" - -+struct IPLBlockPVComp { -+ uint64_t tweak_pref; -+ uint64_t addr; -+ uint64_t size; -+} QEMU_PACKED; -+typedef struct IPLBlockPVComp IPLBlockPVComp; -+ -+struct IPLBlockPV { -+ uint8_t reserved18[87]; /* 0x18 */ -+ uint8_t version; /* 0x6f */ -+ uint32_t reserved70; /* 0x70 */ -+ uint32_t num_comp; /* 0x74 */ -+ uint64_t pv_header_addr; /* 0x78 */ -+ uint64_t pv_header_len; /* 0x80 */ -+ struct IPLBlockPVComp components[]; -+} QEMU_PACKED; -+typedef struct IPLBlockPV IPLBlockPV; -+ - struct IplBlockCcw { - uint8_t reserved0[85]; - uint8_t ssid; -@@ -71,6 +90,7 @@ union IplParameterBlock { - union { - IplBlockCcw ccw; - IplBlockFcp fcp; -+ IPLBlockPV pv; - IplBlockQemuScsi scsi; - }; - } QEMU_PACKED; -@@ -85,8 +105,11 @@ typedef union IplParameterBlock IplParameterBlock; - - int s390_ipl_set_loadparm(uint8_t *loadparm); - void s390_ipl_update_diag308(IplParameterBlock *iplb); -+int s390_ipl_prepare_pv_header(void); -+int s390_ipl_pv_unpack(void); - void s390_ipl_prepare_cpu(S390CPU *cpu); - IplParameterBlock *s390_ipl_get_iplb(void); -+IplParameterBlock *s390_ipl_get_iplb_pv(void); - - enum s390_reset { - /* default is a reset not triggered by a CPU e.g. issued by QMP */ -@@ -94,6 +117,7 @@ enum s390_reset { - S390_RESET_REIPL, - S390_RESET_MODIFIED_CLEAR, - S390_RESET_LOAD_NORMAL, -+ S390_RESET_PV, - }; - void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type); - void s390_ipl_get_reset_request(CPUState **cs, enum s390_reset *reset_type); -@@ -133,6 +157,7 @@ struct S390IPLState { - /*< private >*/ - DeviceState parent_obj; - IplParameterBlock iplb; -+ IplParameterBlock iplb_pv; - QemuIplParameters qipl; - uint64_t start_addr; - uint64_t compat_start_addr; -@@ -140,6 +165,7 @@ struct S390IPLState { - uint64_t compat_bios_start_addr; - bool enforce_bios; - bool iplb_valid; -+ bool iplb_valid_pv; - bool netboot; - /* reset related properties don't have to be migrated or reset */ - enum s390_reset reset_type; -@@ -162,6 +188,8 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong"); - #define DIAG_308_RC_OK 0x0001 - #define DIAG_308_RC_NO_CONF 0x0102 - #define DIAG_308_RC_INVALID 0x0402 -+#define DIAG_308_RC_NO_PV_CONF 0x0902 -+#define DIAG_308_RC_INVAL_FOR_PV 0x0a02 - - #define DIAG308_RESET_MOD_CLR 0 - #define DIAG308_RESET_LOAD_NORM 1 -@@ -169,12 +197,17 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong"); - #define DIAG308_LOAD_NORMAL_DUMP 4 - #define DIAG308_SET 5 - #define DIAG308_STORE 6 -+#define DIAG308_PV_SET 8 -+#define DIAG308_PV_STORE 9 -+#define DIAG308_PV_START 10 - - #define S390_IPL_TYPE_FCP 0x00 - #define S390_IPL_TYPE_CCW 0x02 -+#define S390_IPL_TYPE_PV 0x05 - #define S390_IPL_TYPE_QEMU_SCSI 0xff - - #define S390_IPLB_HEADER_LEN 8 -+#define S390_IPLB_MIN_PV_LEN 148 - #define S390_IPLB_MIN_CCW_LEN 200 - #define S390_IPLB_MIN_FCP_LEN 384 - #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 -@@ -184,6 +217,62 @@ static inline bool iplb_valid_len(IplParameterBlock *iplb) - return be32_to_cpu(iplb->len) <= sizeof(IplParameterBlock); - } - -+static inline bool ipl_valid_pv_components(IplParameterBlock *iplb) -+{ -+ IPLBlockPV *ipib_pv = &iplb->pv; -+ int i; -+ -+ if (ipib_pv->num_comp == 0) { -+ return false; -+ } -+ -+ for (i = 0; i < ipib_pv->num_comp; i++) { -+ /* Addr must be 4k aligned */ -+ if (ipib_pv->components[i].addr & ~TARGET_PAGE_MASK) { -+ return false; -+ } -+ -+ /* Tweak prefix is monotonically increasing with each component */ -+ if (i < ipib_pv->num_comp - 1 && -+ ipib_pv->components[i].tweak_pref >= -+ ipib_pv->components[i + 1].tweak_pref) { -+ return false; -+ } -+ } -+ return true; -+} -+ -+static inline bool ipl_valid_pv_header(IplParameterBlock *iplb) -+{ -+ IPLBlockPV *ipib_pv = &iplb->pv; -+ -+ if (ipib_pv->pv_header_len > 2 * TARGET_PAGE_SIZE) { -+ return false; -+ } -+ -+ if (!address_space_access_valid(&address_space_memory, -+ ipib_pv->pv_header_addr, -+ ipib_pv->pv_header_len, -+ false, -+ MEMTXATTRS_UNSPECIFIED)) { -+ return false; -+ } -+ -+ return true; -+} -+ -+static inline bool iplb_valid_pv(IplParameterBlock *iplb) -+{ -+ if (iplb->pbt != S390_IPL_TYPE_PV || -+ be32_to_cpu(iplb->len) < S390_IPLB_MIN_PV_LEN) { -+ return false; -+ } -+ if (!ipl_valid_pv_header(iplb)) { -+ return false; -+ } -+ return ipl_valid_pv_components(iplb); -+} -+ - static inline bool iplb_valid(IplParameterBlock *iplb) - { - switch (iplb->pbt) { -diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c -new file mode 100644 -index 0000000000000000000000000000000000000000..8cf5cd2c9bcd48b03af1e546fb3a85cdc7ac28bb ---- /dev/null -+++ b/hw/s390x/pv.c -@@ -0,0 +1,98 @@ -+/* -+ * Protected Virtualization functions -+ * -+ * Copyright IBM Corp. 2020 -+ * Author(s): -+ * Janosch Frank -+ * -+ * This work is licensed under the terms of the GNU GPL, version 2 or (at -+ * your option) any later version. See the COPYING file in the top-level -+ * directory. -+ */ -+#include "qemu/osdep.h" -+ -+#include -+ -+#include "qemu/error-report.h" -+#include "sysemu/kvm.h" -+#include "hw/s390x/pv.h" -+ -+static int __s390_pv_cmd(uint32_t cmd, const char *cmdname, void *data) -+{ -+ struct kvm_pv_cmd pv_cmd = { -+ .cmd = cmd, -+ .data = (uint64_t)data, -+ }; -+ int rc = kvm_vm_ioctl(kvm_state, KVM_S390_PV_COMMAND, &pv_cmd); -+ -+ if (rc) { -+ error_report("KVM PV command %d (%s) failed: header rc %x rrc %x " -+ "IOCTL rc: %d", cmd, cmdname, pv_cmd.rc, pv_cmd.rrc, -+ rc); -+ } -+ return rc; -+} -+ -+/* -+ * This macro lets us pass the command as a string to the function so -+ * we can print it on an error. -+ */ -+#define s390_pv_cmd(cmd, data) __s390_pv_cmd(cmd, #cmd, data); -+#define s390_pv_cmd_exit(cmd, data) \ -+{ \ -+ int rc; \ -+ \ -+ rc = __s390_pv_cmd(cmd, #cmd, data);\ -+ if (rc) { \ -+ exit(1); \ -+ } \ -+} -+ -+int s390_pv_vm_enable(void) -+{ -+ return s390_pv_cmd(KVM_PV_ENABLE, NULL); -+} -+ -+void s390_pv_vm_disable(void) -+{ -+ s390_pv_cmd_exit(KVM_PV_DISABLE, NULL); -+} -+ -+int s390_pv_set_sec_parms(uint64_t origin, uint64_t length) -+{ -+ struct kvm_s390_pv_sec_parm args = { -+ .origin = origin, -+ .length = length, -+ }; -+ -+ return s390_pv_cmd(KVM_PV_VM_SET_SEC_PARMS, &args); -+} -+ -+/* -+ * Called for each component in the SE type IPL parameter block 0. -+ */ -+int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak) -+{ -+ struct kvm_s390_pv_unp args = { -+ .addr = addr, -+ .size = size, -+ .tweak = tweak, -+ }; -+ -+ return s390_pv_cmd(KVM_PV_VM_UNPACK, &args); -+} -+ -+void s390_pv_perf_clear_reset(void) -+{ -+ s390_pv_cmd_exit(KVM_PV_VM_PREP_RESET, NULL); -+} -+ -+int s390_pv_verify(void) -+{ -+ return s390_pv_cmd(KVM_PV_VM_VERIFY, NULL); -+} -+ -+void s390_pv_unshare(void) -+{ -+ s390_pv_cmd_exit(KVM_PV_VM_UNSHARE_ALL, NULL); -+} -diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c -index fcd8203cd11d9068de52b7ef695d..e408612729a8cb0fe2de58308767 100644 ---- a/hw/s390x/s390-virtio-ccw.c -+++ b/hw/s390x/s390-virtio-ccw.c -@@ -1,9 +1,10 @@ - /* - * virtio ccw machine - * -- * Copyright 2012 IBM Corp. -+ * Copyright 2012, 2020 IBM Corp. - * Copyright (c) 2009 Alexander Graf - * Author(s): Cornelia Huck -+ * Janosch Frank - * - * This work is licensed under the terms of the GNU GPL, version 2 or (at - * your option) any later version. See the COPYING file in the top-level -@@ -41,6 +42,8 @@ - #include "hw/qdev-properties.h" - #include "hw/s390x/tod.h" - #include "sysemu/sysemu.h" -+#include "hw/s390x/pv.h" -+#include - - S390CPU *s390_cpu_addr2state(uint16_t cpu_addr) - { -@@ -319,10 +322,78 @@ static inline void s390_do_cpu_ipl(CPUState *cs, run_on_cpu_data arg) - s390_cpu_set_state(S390_CPU_STATE_OPERATING, cpu); - } - -+static void s390_machine_unprotect(S390CcwMachineState *ms) -+{ -+ s390_pv_vm_disable(); -+ ms->pv = false; -+} -+ -+static int s390_machine_protect(S390CcwMachineState *ms) -+{ -+ int rc; -+ -+ /* Create SE VM */ -+ rc = s390_pv_vm_enable(); -+ if (rc) { -+ return rc; -+ } -+ -+ ms->pv = true; -+ -+ /* Set SE header and unpack */ -+ rc = s390_ipl_prepare_pv_header(); -+ if (rc) { -+ goto out_err; -+ } -+ -+ /* Decrypt image */ -+ rc = s390_ipl_pv_unpack(); -+ if (rc) { -+ goto out_err; -+ } -+ -+ /* Verify integrity */ -+ rc = s390_pv_verify(); -+ if (rc) { -+ goto out_err; -+ } -+ return rc; -+ -+out_err: -+ s390_machine_unprotect(ms); -+ return rc; -+} -+ -+static void s390_machine_inject_pv_error(CPUState *cs) -+{ -+ int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4; -+ CPUS390XState *env = &S390_CPU(cs)->env; -+ -+ /* Report that we are unable to enter protected mode */ -+ env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV; -+} -+ -+static void s390_pv_prepare_reset(S390CcwMachineState *ms) -+{ -+ CPUState *cs; -+ -+ if (!s390_is_pv()) { -+ return; -+ } -+ /* Unsharing requires all cpus to be stopped */ -+ CPU_FOREACH(cs) { -+ s390_cpu_set_state(S390_CPU_STATE_STOPPED, S390_CPU(cs)); -+ } -+ s390_pv_unshare(); -+ s390_pv_perf_clear_reset(); -+} -+ - static void s390_machine_reset(MachineState *machine) - { -+ S390CcwMachineState *ms = S390_CCW_MACHINE(machine); - enum s390_reset reset_type; - CPUState *cs, *t; -+ S390CPU *cpu; - - /* get the reset parameters, reset them once done */ - s390_ipl_get_reset_request(&cs, &reset_type); -@@ -330,9 +401,15 @@ static void s390_machine_reset(MachineState *machine) - /* all CPUs are paused and synchronized at this point */ - s390_cmma_reset(); - -+ cpu = S390_CPU(cs); -+ - switch (reset_type) { - case S390_RESET_EXTERNAL: - case S390_RESET_REIPL: -+ if (s390_is_pv()) { -+ s390_machine_unprotect(ms); -+ } -+ - qemu_devices_reset(); - s390_crypto_reset(); - -@@ -340,22 +417,56 @@ static void s390_machine_reset(MachineState *machine) - run_on_cpu(cs, s390_do_cpu_ipl, RUN_ON_CPU_NULL); - break; - case S390_RESET_MODIFIED_CLEAR: -+ /* -+ * Susbsystem reset needs to be done before we unshare memory -+ * and lose access to VIRTIO structures in guest memory. -+ */ -+ subsystem_reset(); -+ s390_crypto_reset(); -+ s390_pv_prepare_reset(ms); - CPU_FOREACH(t) { - run_on_cpu(t, s390_do_cpu_full_reset, RUN_ON_CPU_NULL); - } -- subsystem_reset(); -- s390_crypto_reset(); - run_on_cpu(cs, s390_do_cpu_load_normal, RUN_ON_CPU_NULL); - break; - case S390_RESET_LOAD_NORMAL: -+ /* -+ * Susbsystem reset needs to be done before we unshare memory -+ * and lose access to VIRTIO structures in guest memory. -+ */ -+ subsystem_reset(); -+ s390_pv_prepare_reset(ms); - CPU_FOREACH(t) { - if (t == cs) { - continue; - } - run_on_cpu(t, s390_do_cpu_reset, RUN_ON_CPU_NULL); - } -- subsystem_reset(); - run_on_cpu(cs, s390_do_cpu_initial_reset, RUN_ON_CPU_NULL); -+ run_on_cpu(cs, s390_do_cpu_load_normal, RUN_ON_CPU_NULL); -+ break; -+ case S390_RESET_PV: /* Subcode 10 */ -+ subsystem_reset(); -+ s390_crypto_reset(); -+ -+ CPU_FOREACH(t) { -+ if (t == cs) { -+ continue; -+ } -+ run_on_cpu(t, s390_do_cpu_full_reset, RUN_ON_CPU_NULL); -+ } -+ run_on_cpu(cs, s390_do_cpu_reset, RUN_ON_CPU_NULL); -+ -+ if (s390_machine_protect(ms)) { -+ s390_machine_inject_pv_error(cs); -+ /* -+ * Continue after the diag308 so the guest knows something -+ * went wrong. -+ */ -+ s390_cpu_set_state(S390_CPU_STATE_OPERATING, cpu); -+ return; -+ } -+ - run_on_cpu(cs, s390_do_cpu_load_normal, RUN_ON_CPU_NULL); - break; - default: -diff --git a/include/hw/s390x/pv.h b/include/hw/s390x/pv.h -new file mode 100644 -index 0000000000000000000000000000000000000000..c6cb360f2f6a0a32a37970769e1bf2eb0220b199 ---- /dev/null -+++ b/include/hw/s390x/pv.h -@@ -0,0 +1,55 @@ -+/* -+ * Protected Virtualization header -+ * -+ * Copyright IBM Corp. 2020 -+ * Author(s): -+ * Janosch Frank -+ * -+ * This work is licensed under the terms of the GNU GPL, version 2 or (at -+ * your option) any later version. See the COPYING file in the top-level -+ * directory. -+ */ -+#ifndef HW_S390_PV_H -+#define HW_S390_PV_H -+ -+#ifdef CONFIG_KVM -+#include "hw/s390x/s390-virtio-ccw.h" -+ -+static inline bool s390_is_pv(void) -+{ -+ static S390CcwMachineState *ccw; -+ Object *obj; -+ -+ if (ccw) { -+ return ccw->pv; -+ } -+ -+ /* we have to bail out for the "none" machine */ -+ obj = object_dynamic_cast(qdev_get_machine(), -+ TYPE_S390_CCW_MACHINE); -+ if (!obj) { -+ return false; -+ } -+ ccw = S390_CCW_MACHINE(obj); -+ return ccw->pv; -+} -+ -+int s390_pv_vm_enable(void); -+void s390_pv_vm_disable(void); -+int s390_pv_set_sec_parms(uint64_t origin, uint64_t length); -+int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak); -+void s390_pv_perf_clear_reset(void); -+int s390_pv_verify(void); -+void s390_pv_unshare(void); -+#else /* CONFIG_KVM */ -+static inline bool s390_is_pv(void) { return false; } -+static inline int s390_pv_vm_enable(void) { return 0; } -+static inline void s390_pv_vm_disable(void) {} -+static inline int s390_pv_set_sec_parms(uint64_t origin, uint64_t length) { return 0; } -+static inline int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak) { return 0; } -+static inline void s390_pv_perf_clear_reset(void) {} -+static inline int s390_pv_verify(void) { return 0; } -+static inline void s390_pv_unshare(void) {} -+#endif /* CONFIG_KVM */ -+ -+#endif /* HW_S390_PV_H */ -diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-virtio-ccw.h -index 8aa27199c9123bab03d3450313a5..cd1dccc6e3ba86455a9de5eb41cb 100644 ---- a/include/hw/s390x/s390-virtio-ccw.h -+++ b/include/hw/s390x/s390-virtio-ccw.h -@@ -28,6 +28,7 @@ typedef struct S390CcwMachineState { - /*< public >*/ - bool aes_key_wrap; - bool dea_key_wrap; -+ bool pv; - uint8_t loadparm[8]; - } S390CcwMachineState; - -diff --git a/target/s390x/cpu.c b/target/s390x/cpu.c -index 52fefa1586caa3cbd366fe230630..479f1978c974722ceeb72ac5fb32 100644 ---- a/target/s390x/cpu.c -+++ b/target/s390x/cpu.c -@@ -37,6 +37,7 @@ - #include "sysemu/hw_accel.h" - #include "hw/qdev-properties.h" - #ifndef CONFIG_USER_ONLY -+#include "hw/s390x/pv.h" - #include "hw/boards.h" - #include "sysemu/arch_init.h" - #include "sysemu/sysemu.h" -diff --git a/target/s390x/cpu_features_def.inc.h b/target/s390x/cpu_features_def.inc.h -index 31dff0d84e9724513b1945f8d447..60db28351d059091b6e05fd62c37 100644 ---- a/target/s390x/cpu_features_def.inc.h -+++ b/target/s390x/cpu_features_def.inc.h -@@ -107,6 +107,7 @@ DEF_FEAT(DEFLATE_BASE, "deflate-base", STFL, 151, "Deflate-conversion facility ( - DEF_FEAT(VECTOR_PACKED_DECIMAL_ENH, "vxpdeh", STFL, 152, "Vector-Packed-Decimal-Enhancement Facility") - DEF_FEAT(MSA_EXT_9, "msa9-base", STFL, 155, "Message-security-assist-extension-9 facility (excluding subfunctions)") - DEF_FEAT(ETOKEN, "etoken", STFL, 156, "Etoken facility") -+DEF_FEAT(UNPACK, "unpack", STFL, 161, "Unpack facility") - - /* Features exposed via SCLP SCCB Byte 80 - 98 (bit numbers relative to byte-80) */ - DEF_FEAT(SIE_GSLS, "gsls", SCLP_CONF_CHAR, 40, "SIE: Guest-storage-limit-suppression facility") -diff --git a/target/s390x/diag.c b/target/s390x/diag.c -index 8aba6341f94848e1ce8fff420ed8..b2cbefb8cfe4e5a244219e761fb4 100644 ---- a/target/s390x/diag.c -+++ b/target/s390x/diag.c -@@ -20,6 +20,8 @@ - #include "sysemu/cpus.h" - #include "hw/s390x/ipl.h" - #include "hw/s390x/s390-virtio-ccw.h" -+#include "hw/s390x/pv.h" -+#include "kvm_s390x.h" - - int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) - { -@@ -52,6 +54,10 @@ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) - static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr, - uintptr_t ra, bool write) - { -+ /* Handled by the Ultravisor */ -+ if (s390_is_pv()) { -+ return 0; -+ } - if ((r1 & 1) || (addr & ~TARGET_PAGE_MASK)) { - s390_program_interrupt(env, PGM_SPECIFICATION, ra); - return -1; -@@ -67,6 +73,7 @@ static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr, - - void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) - { -+ bool valid; - CPUState *cs = env_cpu(env); - uint64_t addr = env->regs[r1]; - uint64_t subcode = env->regs[r3]; -@@ -82,6 +89,11 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) - return; - } - -+ if (subcode >= DIAG308_PV_SET && !s390_has_feat(S390_FEAT_UNPACK)) { -+ s390_program_interrupt(env, PGM_SPECIFICATION, ra); -+ return; -+ } -+ - switch (subcode) { - case DIAG308_RESET_MOD_CLR: - s390_ipl_reset_request(cs, S390_RESET_MODIFIED_CLEAR); -@@ -94,6 +106,7 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) - s390_ipl_reset_request(cs, S390_RESET_REIPL); - break; - case DIAG308_SET: -+ case DIAG308_PV_SET: - if (diag308_parm_check(env, r1, addr, ra, false)) { - return; - } -@@ -106,7 +119,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) - - cpu_physical_memory_read(addr, iplb, be32_to_cpu(iplb->len)); - -- if (!iplb_valid(iplb)) { -+ valid = subcode == DIAG308_PV_SET ? iplb_valid_pv(iplb) : iplb_valid(iplb); -+ if (!valid) { - env->regs[r1 + 1] = DIAG_308_RC_INVALID; - goto out; - } -@@ -117,10 +131,15 @@ out: - g_free(iplb); - return; - case DIAG308_STORE: -+ case DIAG308_PV_STORE: - if (diag308_parm_check(env, r1, addr, ra, true)) { - return; - } -- iplb = s390_ipl_get_iplb(); -+ if (subcode == DIAG308_PV_STORE) { -+ iplb = s390_ipl_get_iplb_pv(); -+ } else { -+ iplb = s390_ipl_get_iplb(); -+ } - if (iplb) { - cpu_physical_memory_write(addr, iplb, be32_to_cpu(iplb->len)); - env->regs[r1 + 1] = DIAG_308_RC_OK; -@@ -128,6 +147,22 @@ out: - env->regs[r1 + 1] = DIAG_308_RC_NO_CONF; - } - return; -+ case DIAG308_PV_START: -+ iplb = s390_ipl_get_iplb_pv(); -+ if (!iplb) { -+ env->regs[r1 + 1] = DIAG_308_RC_NO_PV_CONF; -+ return; -+ } -+ -+ if (kvm_s390_get_hpage_1m()) { -+ error_report("Protected VMs can currently not be backed with " -+ "huge pages"); -+ env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV; -+ return; -+ } -+ -+ s390_ipl_reset_request(cs, S390_RESET_PV); -+ break; - default: - s390_program_interrupt(env, PGM_SPECIFICATION, ra); - break; -diff --git a/target/s390x/kvm-stub.c b/target/s390x/kvm-stub.c -index c4cd497f850eb9c7a859932b0f1f..aa185017a2a886ca300fa75747ed 100644 ---- a/target/s390x/kvm-stub.c -+++ b/target/s390x/kvm-stub.c -@@ -39,6 +39,11 @@ int kvm_s390_vcpu_interrupt_post_load(S390CPU *cpu) - return 0; - } - -+int kvm_s390_get_hpage_1m(void) -+{ -+ return 0; -+} -+ - int kvm_s390_get_ri(void) - { - return 0; -diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c -index f633472980b48757989db245fb1f..d8d02ff34f4fc942cb7935deec58 100644 ---- a/target/s390x/kvm.c -+++ b/target/s390x/kvm.c -@@ -321,6 +321,11 @@ void kvm_s390_set_max_pagesize(uint64_t pagesize, Error **errp) - cap_hpage_1m = 1; - } - -+int kvm_s390_get_hpage_1m(void) -+{ -+ return cap_hpage_1m; -+} -+ - static void ccw_machine_class_foreach(ObjectClass *oc, void *opaque) - { - MachineClass *mc = MACHINE_CLASS(oc); -diff --git a/target/s390x/kvm_s390x.h b/target/s390x/kvm_s390x.h -index 0b21789796d7c462bdc72160166f..dea813f450153c34e1269424772d 100644 ---- a/target/s390x/kvm_s390x.h -+++ b/target/s390x/kvm_s390x.h -@@ -23,6 +23,7 @@ void kvm_s390_program_interrupt(S390CPU *cpu, uint16_t code); - int kvm_s390_set_cpu_state(S390CPU *cpu, uint8_t cpu_state); - void kvm_s390_vcpu_interrupt_pre_save(S390CPU *cpu); - int kvm_s390_vcpu_interrupt_post_load(S390CPU *cpu); -+int kvm_s390_get_hpage_1m(void); - int kvm_s390_get_ri(void); - int kvm_s390_get_gs(void); - int kvm_s390_get_clock(uint8_t *tod_high, uint64_t *tod_clock); diff --git a/packaging/s390x-protvirt-allow-to-IPL-secure-guest.patch b/packaging/s390x-protvirt-allow-to-IPL-secure-guest.patch deleted file mode 100644 index 78087ab4c..000000000 --- a/packaging/s390x-protvirt-allow-to-IPL-secure-guest.patch +++ /dev/null @@ -1,47 +0,0 @@ -From: Christian Borntraeger -Date: Tue, 21 Jul 2020 06:32:02 -0400 -Subject: s390x/protvirt: allow to IPL secure guests with -no-reboot - -Git-commit: d1bb69db4ceb6897ef6a17bf263146b53a123632 -References: bsc#1174863 - -Right now, -no-reboot prevents secure guests from running. This is -correct from an implementation point of view, as we have modeled the -transition from non-secure to secure as a program directed IPL. From -a user perspective, this is not the behavior of least surprise. - -We should implement the IPL into protected mode similar to the -functions that we use for kdump/kexec. In other words, we do not stop -here when -no-reboot is specified on the command line. Like function 0 -or function 1, function 10 is not a classic reboot. For example, it -can only be called once. Before calling it a second time, a real -reboot/reset must happen in-between. So function code 10 is more or -less a state transition reset, but not a "standard" reset or reboot. - -Fixes: 4d226deafc44 ("s390x: protvirt: Support unpack facility") -Signed-off-by: Christian Borntraeger -Reviewed-by: Janosch Frank -Reviewed-by: David Hildenbrand -Acked-by: Viktor Mihajlovski -Message-Id: <20200721103202.30610-1-borntraeger@de.ibm.com> -[CH: tweaked description] -Signed-off-by: Cornelia Huck -Signed-off-by: Liang Yan ---- - hw/s390x/ipl.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c -index ca544d64c5e04782fb49d12521d5..6cb4a1575c370d391f216a359c5d 100644 ---- a/hw/s390x/ipl.c -+++ b/hw/s390x/ipl.c -@@ -578,7 +578,8 @@ void s390_ipl_reset_request(CPUState *cs, enum s390_reset reset_type) - } - } - if (reset_type == S390_RESET_MODIFIED_CLEAR || -- reset_type == S390_RESET_LOAD_NORMAL) { -+ reset_type == S390_RESET_LOAD_NORMAL || -+ reset_type == S390_RESET_PV) { - /* ignore -no-reboot, send no event */ - qemu_system_reset_request(SHUTDOWN_CAUSE_SUBSYSTEM_RESET); - } else { diff --git a/packaging/s390x-s390-virtio-ccw-Fix-build-on-syste.patch b/packaging/s390x-s390-virtio-ccw-Fix-build-on-syste.patch deleted file mode 100644 index 6c62a645b..000000000 --- a/packaging/s390x-s390-virtio-ccw-Fix-build-on-syste.patch +++ /dev/null @@ -1,129 +0,0 @@ -From: Christian Borntraeger -Date: Mon, 6 Apr 2020 06:01:58 -0400 -Subject: s390x/s390-virtio-ccw: Fix build on systems without KVM - -References: bsc#1167075 - -linux/kvm.h is not available on all platforms. Let us move -s390_machine_inject_pv_error into pv.c as it uses KVM structures. -Also rename the function to s390_pv_inject_reset_error. - -While at it, ipl.h needs an include for "exec/address-spaces.h" -as it uses address_space_memory. - -Fixes: 49fc3220175e ("s390x: protvirt: Support unpack facility") -Reported-by: Bruce Rogers -Signed-off-by: Christian Borntraeger -Signed-off-by: Bruce Rogers ---- - hw/s390x/ipl.h | 1 + - hw/s390x/pv.c | 11 +++++++++++ - hw/s390x/s390-virtio-ccw.c | 12 +----------- - include/hw/s390x/pv.h | 3 +++ - 4 files changed, 16 insertions(+), 11 deletions(-) - -diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h -index 89b3044d7a2ee54014daa8eeafc9..53cc9eb5ac4d326b2b61bf1668a8 100644 ---- a/hw/s390x/ipl.h -+++ b/hw/s390x/ipl.h -@@ -14,6 +14,7 @@ - #define HW_S390_IPL_H - - #include "cpu.h" -+#include "exec/address-spaces.h" - #include "hw/qdev-core.h" - - struct IPLBlockPVComp { -diff --git a/hw/s390x/pv.c b/hw/s390x/pv.c -index 8cf5cd2c9bcd48b03af1e546fb3a..2c4d5e89890b7d21abdcd718c2f2 100644 ---- a/hw/s390x/pv.c -+++ b/hw/s390x/pv.c -@@ -13,8 +13,10 @@ - - #include - -+#include "cpu.h" - #include "qemu/error-report.h" - #include "sysemu/kvm.h" -+#include "hw/s390x/ipl.h" - #include "hw/s390x/pv.h" - - static int __s390_pv_cmd(uint32_t cmd, const char *cmdname, void *data) -@@ -96,3 +98,12 @@ void s390_pv_unshare(void) - { - s390_pv_cmd_exit(KVM_PV_VM_UNSHARE_ALL, NULL); - } -+ -+void s390_pv_inject_reset_error(CPUState *cs) -+{ -+ int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4; -+ CPUS390XState *env = &S390_CPU(cs)->env; -+ -+ /* Report that we are unable to enter protected mode */ -+ env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV; -+} -diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c -index 91b2cea0822b41bd6af17be93193..13cff79695bf75884cb86c378884 100644 ---- a/hw/s390x/s390-virtio-ccw.c -+++ b/hw/s390x/s390-virtio-ccw.c -@@ -44,7 +44,6 @@ - #include "sysemu/sysemu.h" - #include "sysemu/balloon.h" - #include "hw/s390x/pv.h" --#include - #include "migration/blocker.h" - - static Error *pv_mig_blocker; -@@ -393,15 +392,6 @@ out_err: - return rc; - } - --static void s390_machine_inject_pv_error(CPUState *cs) --{ -- int r1 = (cs->kvm_run->s390_sieic.ipa & 0x00f0) >> 4; -- CPUS390XState *env = &S390_CPU(cs)->env; -- -- /* Report that we are unable to enter protected mode */ -- env->regs[r1 + 1] = DIAG_308_RC_INVAL_FOR_PV; --} -- - static void s390_pv_prepare_reset(S390CcwMachineState *ms) - { - CPUState *cs; -@@ -487,7 +477,7 @@ static void s390_machine_reset(MachineState *machine) - run_on_cpu(cs, s390_do_cpu_reset, RUN_ON_CPU_NULL); - - if (s390_machine_protect(ms)) { -- s390_machine_inject_pv_error(cs); -+ s390_pv_inject_reset_error(cs); - /* - * Continue after the diag308 so the guest knows something - * went wrong. -diff --git a/include/hw/s390x/pv.h b/include/hw/s390x/pv.h -index c6cb360f2f6a0a32a37970769e1b..522ca6a04ee877940ff1de9f410b 100644 ---- a/include/hw/s390x/pv.h -+++ b/include/hw/s390x/pv.h -@@ -13,6 +13,7 @@ - #define HW_S390_PV_H - - #ifdef CONFIG_KVM -+#include "cpu.h" - #include "hw/s390x/s390-virtio-ccw.h" - - static inline bool s390_is_pv(void) -@@ -41,6 +42,7 @@ int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak); - void s390_pv_perf_clear_reset(void); - int s390_pv_verify(void); - void s390_pv_unshare(void); -+void s390_pv_inject_reset_error(CPUState *cs); - #else /* CONFIG_KVM */ - static inline bool s390_is_pv(void) { return false; } - static inline int s390_pv_vm_enable(void) { return 0; } -@@ -50,6 +52,7 @@ static inline int s390_pv_unpack(uint64_t addr, uint64_t size, uint64_t tweak) { - static inline void s390_pv_perf_clear_reset(void) {} - static inline int s390_pv_verify(void) { return 0; } - static inline void s390_pv_unshare(void) {} -+static inline void s390_pv_inject_reset_error(CPUState *cs) {}; - #endif /* CONFIG_KVM */ - - #endif /* HW_S390_PV_H */ diff --git a/packaging/s390x-s390-virtio-ccw-Reset-PCI-devices-.patch b/packaging/s390x-s390-virtio-ccw-Reset-PCI-devices-.patch deleted file mode 100644 index 32f66e4ac..000000000 --- a/packaging/s390x-s390-virtio-ccw-Reset-PCI-devices-.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Matthew Rosato -Date: Thu, 15 Oct 2020 09:16:07 -0400 -Subject: s390x/s390-virtio-ccw: Reset PCI devices during subsystem reset - -Git-commit: db08244a3a7ec312dfed3fd9b88e114281215458 -References: bsc#1179717 - -Currently, a subsystem reset event leaves PCI devices enabled, causing -issues post-reset in the guest (an example would be after a kexec). These -devices need to be reset during a subsystem reset, allowing them to be -properly re-enabled afterwards. Add the S390 PCI host bridge to the list -of qdevs to be reset during subsystem reset. - -Signed-off-by: Matthew Rosato -Reviewed-by: Eric Farman -Acked-by: Halil Pasic -Acked-by: Christian Borntraeger -Cc: qemu-stable@nongnu.org -Message-Id: <1602767767-32713-1-git-send-email-mjrosato@linux.ibm.com> -Signed-off-by: Cornelia Huck -Signed-off-by: Liang Yan ---- - hw/s390x/s390-virtio-ccw.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c -index d3edeef0ad924af160eb83ea6724..6134f30508f88737cd5e885ffab6 100644 ---- a/hw/s390x/s390-virtio-ccw.c -+++ b/hw/s390x/s390-virtio-ccw.c -@@ -97,6 +97,7 @@ static const char *const reset_dev_types[] = { - "s390-sclp-event-facility", - "s390-flic", - "diag288", -+ TYPE_S390_PCI_HOST_BRIDGE, - }; - - static void subsystem_reset(void) diff --git a/packaging/scsi-add-tracing-for-SG_IO-commands.patch b/packaging/scsi-add-tracing-for-SG_IO-commands.patch deleted file mode 100644 index bc196b2b1..000000000 --- a/packaging/scsi-add-tracing-for-SG_IO-commands.patch +++ /dev/null @@ -1,101 +0,0 @@ -From: Hannes Reinecke -Date: Thu, 12 Nov 2020 14:02:24 +0100 -Subject: scsi: add tracing for SG_IO commands - -References: bsc#1178049 - -Add tracepoints for SG_IO commands to get a grip on the timeout -settings. - -Signed-off-by: Hannes Reinecke -Signed-off-by: Bruce Rogers ---- - hw/scsi/scsi-disk.c | 3 ++- - hw/scsi/scsi-generic.c | 12 +++++++++--- - hw/scsi/trace-events | 8 ++++++-- - 3 files changed, 17 insertions(+), 6 deletions(-) - -diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c -index 29eb2e6629297342f34bac5d98bd..2240478deb6488d2947e7e9e56ef 100644 ---- a/hw/scsi/scsi-disk.c -+++ b/hw/scsi/scsi-disk.c -@@ -2775,7 +2775,8 @@ static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req, - io_header->timeout = s->qdev.io_timeout; - io_header->usr_ptr = r; - io_header->flags |= SG_FLAG_DIRECT_IO; -- -+ trace_scsi_disk_aio_sgio_command(r->req.tag, req->cdb[0], lba, -+ nb_logical_blocks, io_header->timeout); - aiocb = blk_aio_ioctl(s->qdev.conf.blk, SG_IO, io_header, cb, opaque); - assert(aiocb != NULL); - return aiocb; -diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c -index 3027885538ad20f8cddbad8c4026..6ea04de98c04aa36aa68230a6b87 100644 ---- a/hw/scsi/scsi-generic.c -+++ b/hw/scsi/scsi-generic.c -@@ -128,6 +128,8 @@ static int execute_command(BlockBackend *blk, - r->io_header.usr_ptr = r; - r->io_header.flags |= SG_FLAG_DIRECT_IO; - -+ trace_scsi_generic_aio_sgio_command(r->req.tag, r->req.cmd.buf[0], -+ r->io_header.timeout); - r->req.aiocb = blk_aio_ioctl(blk, SG_IO, &r->io_header, complete, r); - if (r->req.aiocb == NULL) { - return -EIO; -@@ -334,7 +336,7 @@ static void scsi_read_data(SCSIRequest *req) - SCSIDevice *s = r->req.dev; - int ret; - -- trace_scsi_generic_read_data(req->tag); -+ trace_scsi_generic_read_data(req->tag, s->io_timeout); - - /* The request is used as the AIO opaque value, so add a ref. */ - scsi_req_ref(&r->req); -@@ -387,7 +389,7 @@ static void scsi_write_data(SCSIRequest *req) - SCSIDevice *s = r->req.dev; - int ret; - -- trace_scsi_generic_write_data(req->tag); -+ trace_scsi_generic_write_data(req->tag, s->io_timeout); - if (r->len == 0) { - r->len = r->buflen; - scsi_req_data(&r->req, r->len); -@@ -522,8 +524,12 @@ int scsi_SG_IO_FROM_DEV(BlockBackend *blk, uint8_t *cmd, uint8_t cmd_size, - io_header.sbp = sensebuf; - io_header.timeout = timeout; - -+ trace_scsi_generic_ioctl_sgio_command(cmd[0], io_header.timeout); - ret = blk_ioctl(blk, SG_IO, &io_header); -- if (ret < 0 || io_header.driver_status || io_header.host_status) { -+ if (ret < 0 || io_header.status || -+ io_header.driver_status || io_header.host_status) { -+ trace_scsi_generic_ioctl_sgio_done(cmd[0], ret, io_header.status, -+ io_header.host_status); - return -1; - } - return 0; -diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events -index 9e1196f2117982c5bbc5db3bfffb..13babd26dff43d5052886cf955a5 100644 ---- a/hw/scsi/trace-events -+++ b/hw/scsi/trace-events -@@ -327,14 +327,18 @@ scsi_disk_emulate_command_UNKNOWN(int cmd, const char *name) "Unknown SCSI comma - scsi_disk_dma_command_READ(uint64_t lba, uint32_t len) "Read (sector %" PRId64 ", count %u)" - scsi_disk_dma_command_WRITE(const char *cmd, uint64_t lba, int len) "Write %s(sector %" PRId64 ", count %u)" - scsi_disk_new_request(uint32_t lun, uint32_t tag, const char *line) "Command: lun=%d tag=0x%x data=%s" -+scsi_disk_aio_sgio_command(uint32_t tag, uint8_t cmd, uint64_t lba, int len, uint32_t timeout) "disk aio sgio: tag=0x%x cmd 0x%x (sector %" PRId64 ", count %d) timeout %u" - - # scsi-generic.c - scsi_generic_command_complete_noio(void *req, uint32_t tag, int statuc) "Command complete %p tag=0x%x status=%d" - scsi_generic_read_complete(uint32_t tag, int len) "Data ready tag=0x%x len=%d" --scsi_generic_read_data(uint32_t tag) "scsi_read_data tag=0x%x" -+scsi_generic_read_data(uint32_t tag, uint32_t timeout) "scsi_read_data tag=0x%x timeout %u" - scsi_generic_write_complete(int ret) "scsi_write_complete() ret = %d" - scsi_generic_write_complete_blocksize(int blocksize) "block size %d" --scsi_generic_write_data(uint32_t tag) "scsi_write_data tag=0x%x" -+scsi_generic_write_data(uint32_t tag, uint32_t timeout) "scsi_write_data tag=0x%x timeout %u" - scsi_generic_send_command(const char *line) "Command: data=%s" - scsi_generic_realize_type(int type) "device type %d" - scsi_generic_realize_blocksize(int blocksize) "block size %d" -+scsi_generic_aio_sgio_command(uint32_t tag, uint8_t cmd, uint32_t timeout) "generic aio sgio: tag=0x%x cmd 0x%x, timeout %u" -+scsi_generic_ioctl_sgio_command(uint8_t cmd, uint32_t timeout) "generic ioctl sgio: cmd 0x%x timeout %u" -+scsi_generic_ioctl_sgio_done(uint8_t cmd, int ret, uint8_t status, uint8_t host_status) "generic ioctl sgio: cmd 0x%x ret %d status 0x%x host_status 0x%x" diff --git a/packaging/scsi-disk-fold-SG_IO-errors-back-into-re.patch b/packaging/scsi-disk-fold-SG_IO-errors-back-into-re.patch deleted file mode 100644 index e9fa55404..000000000 --- a/packaging/scsi-disk-fold-SG_IO-errors-back-into-re.patch +++ /dev/null @@ -1,118 +0,0 @@ -From: Hannes Reinecke -Date: Wed, 11 Nov 2020 17:34:45 +0100 -Subject: scsi-disk: fold SG_IO errors back into request status - -References: bsc#1178049 - -When SG_IO returns with a non-zero 'host_status' or 'status' we -should be folding these values into the request status to allow -any drivers to signal them back to the guest. - -Signed-off-by: Hannes Reinecke -Signed-off-by: Bruce Rogers ---- - hw/scsi/scsi-disk.c | 37 ++++++++++++++++++++++++++++++------- - hw/scsi/trace-events | 1 + - 2 files changed, 31 insertions(+), 7 deletions(-) - -diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c -index c672e521bb2d4a1703d3b2b78adc..0c1befa2ddffd3b95153a44a743d 100644 ---- a/hw/scsi/scsi-disk.c -+++ b/hw/scsi/scsi-disk.c -@@ -81,7 +81,7 @@ typedef struct SCSIDiskReq { - struct iovec iov; - QEMUIOVector qiov; - BlockAcctCookie acct; -- unsigned char *status; -+ uint32_t status; - } SCSIDiskReq; - - #define SCSI_DISK_F_REMOVABLE 0 -@@ -194,7 +194,7 @@ static bool scsi_disk_req_check_error(SCSIDiskReq *r, int ret, bool acct_failed) - return true; - } - -- if (ret < 0 || (r->status && *r->status)) { -+ if (ret < 0 || r->status) { - return scsi_handle_rw_error(r, -ret, acct_failed); - } - -@@ -458,11 +458,12 @@ static bool scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed) - * whether the error has to be handled by the guest or should rather - * pause the host. - */ -- assert(r->status && *r->status); -- if (scsi_sense_buf_is_guest_recoverable(r->req.sense, sizeof(r->req.sense))) { -+ assert(r->status); -+ if ((r->status >> 8) || -+ scsi_sense_buf_is_guest_recoverable(r->req.sense, sizeof(r->req.sense))) { - /* These errors are handled by guest. */ - sdc->update_sense(&r->req); -- scsi_req_complete(&r->req, *r->status); -+ scsi_req_complete(&r->req, r->status); - return true; - } - error = scsi_sense_buf_to_errno(r->req.sense, sizeof(r->req.sense)); -@@ -2695,8 +2696,26 @@ typedef struct SCSIBlockReq { - - /* CDB passed to SG_IO. */ - uint8_t cdb[16]; -+ BlockCompletionFunc *cb; -+ void *cb_opaque; - } SCSIBlockReq; - -+static void sgio_aio_complete(void *opaque, int ret) -+{ -+ SCSIBlockReq *req = (SCSIBlockReq *)opaque; -+ SCSIDiskReq *r = &req->req; -+ SCSISense sense; -+ -+ trace_scsi_disk_aio_sgio_done(r->req.tag, ret, req->io_header.status, -+ req->io_header.host_status); -+ r->status = sg_io_sense_from_errno(-ret, &req->io_header, &sense); -+ if ((r->status & 0xff) == CHECK_CONDITION && -+ req->io_header.status != CHECK_CONDITION) -+ scsi_req_build_sense(&r->req, sense); -+ -+ req->cb(req->cb_opaque, ret); -+} -+ - static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req, - int64_t offset, QEMUIOVector *iov, - int direction, -@@ -2777,9 +2796,14 @@ static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req, - io_header->timeout = 5000; - io_header->usr_ptr = r; - io_header->flags |= SG_FLAG_DIRECT_IO; -+ -+ req->cb = cb; -+ req->cb_opaque = opaque; -+ - trace_scsi_disk_aio_sgio_command(r->req.tag, req->cdb[0], lba, - nb_logical_blocks, io_header->timeout); -- aiocb = blk_aio_ioctl(s->qdev.conf.blk, SG_IO, io_header, cb, opaque); -+ aiocb = blk_aio_ioctl(s->qdev.conf.blk, SG_IO, io_header, -+ sgio_aio_complete, req); - assert(aiocb != NULL); - return aiocb; - } -@@ -2893,7 +2917,6 @@ static int32_t scsi_block_dma_command(SCSIRequest *req, uint8_t *buf) - return 0; - } - -- r->req.status = &r->io_header.status; - return scsi_disk_dma_command(req, buf); - } - -diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events -index bce865c2222b0ece52d16ab1d90a..beae309d3000c0a401cec55be37d 100644 ---- a/hw/scsi/trace-events -+++ b/hw/scsi/trace-events -@@ -328,6 +328,7 @@ scsi_disk_dma_command_READ(uint64_t lba, uint32_t len) "Read (sector %" PRId64 " - scsi_disk_dma_command_WRITE(const char *cmd, uint64_t lba, int len) "Write %s(sector %" PRId64 ", count %u)" - scsi_disk_new_request(uint32_t lun, uint32_t tag, const char *line) "Command: lun=%d tag=0x%x data=%s" - scsi_disk_aio_sgio_command(uint32_t tag, uint8_t cmd, uint64_t lba, int len, uint32_t timeout) "disk aio sgio: tag=0x%x cmd 0x%x (sector %" PRId64 ", count %d) timeout %u" -+scsi_disk_aio_sgio_done(uint32_t tag, int ret, uint8_t status, uint8_t host_status) "disk aio sgio: cmd 0x%x ret %d status 0x%x host_status 0x%x" - - # scsi-generic.c - scsi_generic_command_complete_noio(void *req, uint32_t tag, uint8_t status, uint8_t host_status) "Command complete %p tag=0x%x status=0x%x host_status=0x%x" diff --git a/packaging/scsi-disk-set-default-I-O-timeout-to-30-.patch b/packaging/scsi-disk-set-default-I-O-timeout-to-30-.patch deleted file mode 100644 index b9fc958cf..000000000 --- a/packaging/scsi-disk-set-default-I-O-timeout-to-30-.patch +++ /dev/null @@ -1,61 +0,0 @@ -From: Hannes Reinecke -Date: Tue, 10 Nov 2020 15:06:58 +0100 -Subject: scsi-disk: set default I/O timeout to 30 seconds - -References: bsc#1178049 - -To align with standard linux settings we should be setting the -default I/O timeout to 30 seconds, and add a lower bound of -5 seconds to avoid spurious I/O failures. - -Signed-off-by: Hannes Reinecke -Signed-off-by: Bruce Rogers ---- - hw/scsi/scsi-disk.c | 4 +++- - hw/scsi/scsi-generic.c | 4 ++++ - 2 files changed, 7 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c -index 2240478deb6488d2947e7e9e56ef..c672e521bb2d4a1703d3b2b78adc 100644 ---- a/hw/scsi/scsi-disk.c -+++ b/hw/scsi/scsi-disk.c -@@ -50,7 +50,7 @@ - - #define DEFAULT_DISCARD_GRANULARITY (4 * KiB) - #define DEFAULT_MAX_UNMAP_SIZE (1 * GiB) --#define DEFAULT_IO_TIMEOUT UINT_MAX /* Infinity */ -+#define DEFAULT_IO_TIMEOUT 30000 /* 30 seconds */ - #define DEFAULT_MAX_IO_SIZE INT_MAX /* 2 GB - 1 block */ - - #define TYPE_SCSI_DISK_BASE "scsi-disk-base" -@@ -2773,6 +2773,8 @@ static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req, - io_header->mx_sb_len = sizeof(r->req.sense); - io_header->sbp = r->req.sense; - io_header->timeout = s->qdev.io_timeout; -+ if (io_header->timeout < 5000) -+ io_header->timeout = 5000; - io_header->usr_ptr = r; - io_header->flags |= SG_FLAG_DIRECT_IO; - trace_scsi_disk_aio_sgio_command(r->req.tag, req->cdb[0], lba, -diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c -index 6ea04de98c04aa36aa68230a6b87..32875bedaedf25e7b0cea8363887 100644 ---- a/hw/scsi/scsi-generic.c -+++ b/hw/scsi/scsi-generic.c -@@ -125,6 +125,8 @@ static int execute_command(BlockBackend *blk, - r->io_header.mx_sb_len = sizeof(r->req.sense); - r->io_header.sbp = r->req.sense; - r->io_header.timeout = s->io_timeout; -+ if (r->io_header.timeout < 5000) -+ r->io_header.timeout = 5000; - r->io_header.usr_ptr = r; - r->io_header.flags |= SG_FLAG_DIRECT_IO; - -@@ -523,6 +525,8 @@ int scsi_SG_IO_FROM_DEV(BlockBackend *blk, uint8_t *cmd, uint8_t cmd_size, - io_header.mx_sb_len = sizeof(sensebuf); - io_header.sbp = sensebuf; - io_header.timeout = timeout; -+ if (io_header.timeout < 5000) -+ io_header.timeout = 5000; - - trace_scsi_generic_ioctl_sgio_command(cmd[0], io_header.timeout); - ret = blk_ioctl(blk, SG_IO, &io_header); diff --git a/packaging/scsi-disk-trace-rw-errors.patch b/packaging/scsi-disk-trace-rw-errors.patch deleted file mode 100644 index c27000355..000000000 --- a/packaging/scsi-disk-trace-rw-errors.patch +++ /dev/null @@ -1,49 +0,0 @@ -From: Hannes Reinecke -Date: Thu, 12 Nov 2020 17:26:14 +0100 -Subject: scsi-disk: trace rw errors - -References: bsc#1178049 - -Add a tracepoints for R/W errors. - -Signed-off-by: Hannes Reinecke -Signed-off-by: Bruce Rogers ---- - hw/scsi/scsi-disk.c | 2 ++ - hw/scsi/trace-events | 3 ++- - 2 files changed, 4 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c -index 0c1befa2ddffd3b95153a44a743d..7657a0f1980d9d1696145457e46d 100644 ---- a/hw/scsi/scsi-disk.c -+++ b/hw/scsi/scsi-disk.c -@@ -448,6 +448,8 @@ static bool scsi_handle_rw_error(SCSIDiskReq *r, int error, bool acct_failed) - BlockErrorAction action = blk_get_error_action(s->qdev.conf.blk, - is_read, error); - -+ trace_scsi_disk_rw_error(r->req.tag, (r->status & 0xff), (r->status >> 8), -+ error, action); - if (action == BLOCK_ERROR_ACTION_REPORT) { - if (acct_failed) { - block_acct_failed(blk_get_stats(s->qdev.conf.blk), &r->acct); -diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events -index beae309d3000c0a401cec55be37d..99556e585af30ccaae133459b9d8 100644 ---- a/hw/scsi/trace-events -+++ b/hw/scsi/trace-events -@@ -301,6 +301,7 @@ virtio_scsi_tmf_resp(int lun, uint32_t tag, int response) "virtio_scsi_tmf_resp - - # scsi-disk.c - scsi_disk_check_condition(uint32_t tag, uint8_t key, uint8_t asc, uint8_t ascq) "Command complete tag=0x%x sense=%d/%d/%d" -+scsi_disk_rw_error(uint32_t tag, uint8_t status, uint8_t host_status, int error, int action) "rw error tag=0x%x status=0x%x host_status=0x%x error=%d action=%d" - scsi_disk_read_complete(uint32_t tag, size_t size) "Data ready tag=0x%x len=%zd" - scsi_disk_read_data_count(uint32_t sector_count) "Read sector_count=%d" - scsi_disk_read_data_invalid(void) "Data transfer direction invalid" -@@ -328,7 +329,7 @@ scsi_disk_dma_command_READ(uint64_t lba, uint32_t len) "Read (sector %" PRId64 " - scsi_disk_dma_command_WRITE(const char *cmd, uint64_t lba, int len) "Write %s(sector %" PRId64 ", count %u)" - scsi_disk_new_request(uint32_t lun, uint32_t tag, const char *line) "Command: lun=%d tag=0x%x data=%s" - scsi_disk_aio_sgio_command(uint32_t tag, uint8_t cmd, uint64_t lba, int len, uint32_t timeout) "disk aio sgio: tag=0x%x cmd 0x%x (sector %" PRId64 ", count %d) timeout %u" --scsi_disk_aio_sgio_done(uint32_t tag, int ret, uint8_t status, uint8_t host_status) "disk aio sgio: cmd 0x%x ret %d status 0x%x host_status 0x%x" -+scsi_disk_aio_sgio_done(uint32_t tag, int ret, uint8_t status, uint8_t host_status) "disk aio sgio: tag=0x%x ret %d status 0x%x host_status 0x%x" - - # scsi-generic.c - scsi_generic_command_complete_noio(void *req, uint32_t tag, uint8_t status, uint8_t host_status) "Command complete %p tag=0x%x status=0x%x host_status=0x%x" diff --git a/packaging/scsi-generic-check-for-additional-SG_IO-.patch b/packaging/scsi-generic-check-for-additional-SG_IO-.patch deleted file mode 100644 index 4c17e3fef..000000000 --- a/packaging/scsi-generic-check-for-additional-SG_IO-.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Hannes Reinecke -Date: Wed, 11 Nov 2020 15:40:52 +0100 -Subject: scsi-generic: check for additional SG_IO status on completion - -References: bsc#1178049 - -SG_IO may return additional status in the 'status', 'driver_status', -and 'host_status' fields. When either of these fields are set the -command has not been executed normally, so we should not continue -processing this command but rather return an error. - -Signed-off-by: Hannes Reinecke -Signed-off-by: Bruce Rogers ---- - hw/scsi/scsi-generic.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c -index b3ea492beedc2a075157957e0595..2379ca9e91b4e775080d4246ba2a 100644 ---- a/hw/scsi/scsi-generic.c -+++ b/hw/scsi/scsi-generic.c -@@ -254,7 +254,10 @@ static void scsi_read_complete(void * opaque, int ret) - - aio_context_acquire(blk_get_aio_context(s->conf.blk)); - -- if (ret || r->req.io_canceled) { -+ if (ret || r->req.io_canceled || -+ r->io_header.status || -+ r->io_header.driver_status || -+ r->io_header.host_status) { - scsi_command_complete_noio(r, ret); - goto done; - } -@@ -368,7 +371,10 @@ static void scsi_write_complete(void * opaque, int ret) - - aio_context_acquire(blk_get_aio_context(s->conf.blk)); - -- if (ret || r->req.io_canceled) { -+ if (ret || r->req.io_canceled || -+ r->io_header.status || -+ r->io_header.driver_status || -+ r->io_header.host_status) { - scsi_command_complete_noio(r, ret); - goto done; - } diff --git a/packaging/scsi-generic-pass-max_segments-via-max_i.patch b/packaging/scsi-generic-pass-max_segments-via-max_i.patch deleted file mode 100644 index 03e01b782..000000000 --- a/packaging/scsi-generic-pass-max_segments-via-max_i.patch +++ /dev/null @@ -1,57 +0,0 @@ -From: Lin Ma -Date: Mon, 13 Sep 2021 17:06:59 +0800 -Subject: scsi-generic: pass max_segments via max_iov field in BlockLimits - -Git-commit: 01ef8185b809af9d287e1a03a3f9d8ea8231118a -References: bsc#1190425 - -I/O to a disk via read/write is not limited by the number of segments allowed -by the host adapter; the kernel can split requests if needed, and the limit -imposed by the host adapter can be very low (256k or so) to avoid that SG_IO -returns EINVAL if memory is heavily fragmented. - -Since this value is only interesting for SG_IO-based I/O, do not include -it in the max_transfer and only take it into account when patching the -block limits VPD page in the scsi-generic device. - -Signed-off-by: Paolo Bonzini -Reviewed-by: Max Reitz -Signed-off-by: Lin Ma ---- - block/file-posix.c | 3 +-- - hw/scsi/scsi-generic.c | 6 ++++-- - 2 files changed, 5 insertions(+), 4 deletions(-) - -diff --git a/block/file-posix.c b/block/file-posix.c -index e3cf5a160a46030b4e07b7b61203..c0e8a60d501982db438db3cb8dba 100644 ---- a/block/file-posix.c -+++ b/block/file-posix.c -@@ -1147,8 +1147,7 @@ static void raw_refresh_limits(BlockDriverState *bs, Error **errp) - - ret = sg_get_max_segments(s->fd); - if (ret > 0) { -- bs->bl.max_transfer = MIN(bs->bl.max_transfer, -- ret * qemu_real_host_page_size); -+ bs->bl.max_iov = ret; - } - } - -diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c -index 2379ca9e91b4e775080d4246ba2a..a135d7087ecc8d73baeed0270d29 100644 ---- a/hw/scsi/scsi-generic.c -+++ b/hw/scsi/scsi-generic.c -@@ -172,10 +172,12 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq *r, SCSIDevice *s) - if (s->type == TYPE_DISK && (r->req.cmd.buf[1] & 0x01)) { - page = r->req.cmd.buf[2]; - if (page == 0xb0) { -- uint32_t max_transfer = -- blk_get_max_transfer(s->conf.blk) / s->blocksize; -+ uint32_t max_transfer = blk_get_max_transfer(s->conf.blk); -+ uint32_t max_iov = blk_get_max_iov(s->conf.blk); - - assert(max_transfer); -+ max_transfer = MIN_NON_ZERO(max_transfer, max_iov * qemu_real_host_page_size) -+ / s->blocksize; - stl_be_p(&r->buf[8], max_transfer); - /* Also take care of the opt xfer len. */ - stl_be_p(&r->buf[12], diff --git a/packaging/scsi-make-io_timeout-settable.patch b/packaging/scsi-make-io_timeout-settable.patch deleted file mode 100644 index 52761f43d..000000000 --- a/packaging/scsi-make-io_timeout-settable.patch +++ /dev/null @@ -1,153 +0,0 @@ -From: Hannes Reinecke -Date: Thu, 29 Oct 2020 12:41:21 +0100 -Subject: scsi: make io_timeout settable - -References: bsc#1178049 - -Add an 'io_timeout' parameter for SCSIDevice to allow -SG_IO ioctls to pass in a timeout, avoiding infinite -guest stalls if the host needs to abort a command. - -Signed-off-by: Hannes Reinecke -Signed-off-by: Bruce Rogers ---- - hw/scsi/scsi-disk.c | 7 +++++-- - hw/scsi/scsi-generic.c | 15 +++++++++------ - include/hw/scsi/scsi.h | 3 ++- - 3 files changed, 16 insertions(+), 9 deletions(-) - -diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c -index e44c61eeb46f72989a7bc42bb8fa..29eb2e6629297342f34bac5d98bd 100644 ---- a/hw/scsi/scsi-disk.c -+++ b/hw/scsi/scsi-disk.c -@@ -50,6 +50,7 @@ - - #define DEFAULT_DISCARD_GRANULARITY (4 * KiB) - #define DEFAULT_MAX_UNMAP_SIZE (1 * GiB) -+#define DEFAULT_IO_TIMEOUT UINT_MAX /* Infinity */ - #define DEFAULT_MAX_IO_SIZE INT_MAX /* 2 GB - 1 block */ - - #define TYPE_SCSI_DISK_BASE "scsi-disk-base" -@@ -2610,7 +2611,7 @@ static int get_device_type(SCSIDiskState *s) - cmd[4] = sizeof(buf); - - ret = scsi_SG_IO_FROM_DEV(s->qdev.conf.blk, cmd, sizeof(cmd), -- buf, sizeof(buf)); -+ buf, sizeof(buf), s->qdev.io_timeout); - if (ret < 0) { - return -1; - } -@@ -2771,7 +2772,7 @@ static BlockAIOCB *scsi_block_do_sgio(SCSIBlockReq *req, - /* The rest is as in scsi-generic.c. */ - io_header->mx_sb_len = sizeof(r->req.sense); - io_header->sbp = r->req.sense; -- io_header->timeout = UINT_MAX; -+ io_header->timeout = s->qdev.io_timeout; - io_header->usr_ptr = r; - io_header->flags |= SG_FLAG_DIRECT_IO; - -@@ -3089,6 +3090,8 @@ static Property scsi_block_properties[] = { - DEFAULT_MAX_IO_SIZE), - DEFINE_PROP_INT32("scsi_version", SCSIDiskState, qdev.default_scsi_version, - -1), -+ DEFINE_PROP_UINT32("io_timeout", SCSIDiskState, qdev.io_timeout, -+ DEFAULT_IO_TIMEOUT), - DEFINE_PROP_END_OF_LIST(), - }; - -diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c -index e7798ebcd0d41f13b4cf28f9a40f..3027885538ad20f8cddbad8c4026 100644 ---- a/hw/scsi/scsi-generic.c -+++ b/hw/scsi/scsi-generic.c -@@ -114,6 +114,8 @@ static int execute_command(BlockBackend *blk, - SCSIGenericReq *r, int direction, - BlockCompletionFunc *complete) - { -+ SCSIDevice *s = r->req.dev; -+ - r->io_header.interface_id = 'S'; - r->io_header.dxfer_direction = direction; - r->io_header.dxferp = r->buf; -@@ -122,7 +124,7 @@ static int execute_command(BlockBackend *blk, - r->io_header.cmd_len = r->req.cmd.len; - r->io_header.mx_sb_len = sizeof(r->req.sense); - r->io_header.sbp = r->req.sense; -- r->io_header.timeout = MAX_UINT; -+ r->io_header.timeout = s->io_timeout; - r->io_header.usr_ptr = r; - r->io_header.flags |= SG_FLAG_DIRECT_IO; - -@@ -503,7 +505,7 @@ static int read_naa_id(const uint8_t *p, uint64_t *p_wwn) - } - - int scsi_SG_IO_FROM_DEV(BlockBackend *blk, uint8_t *cmd, uint8_t cmd_size, -- uint8_t *buf, uint8_t buf_size) -+ uint8_t *buf, uint8_t buf_size, uint32_t timeout) - { - sg_io_hdr_t io_header; - uint8_t sensebuf[8]; -@@ -518,7 +520,7 @@ int scsi_SG_IO_FROM_DEV(BlockBackend *blk, uint8_t *cmd, uint8_t cmd_size, - io_header.cmd_len = cmd_size; - io_header.mx_sb_len = sizeof(sensebuf); - io_header.sbp = sensebuf; -- io_header.timeout = 6000; /* XXX */ -+ io_header.timeout = timeout; - - ret = blk_ioctl(blk, SG_IO, &io_header); - if (ret < 0 || io_header.driver_status || io_header.host_status) { -@@ -548,7 +550,7 @@ static void scsi_generic_set_vpd_bl_emulation(SCSIDevice *s) - cmd[4] = sizeof(buf); - - ret = scsi_SG_IO_FROM_DEV(s->conf.blk, cmd, sizeof(cmd), -- buf, sizeof(buf)); -+ buf, sizeof(buf), s->io_timeout); - if (ret < 0) { - /* - * Do not assume anything if we can't retrieve the -@@ -584,7 +586,7 @@ static void scsi_generic_read_device_identification(SCSIDevice *s) - cmd[4] = sizeof(buf); - - ret = scsi_SG_IO_FROM_DEV(s->conf.blk, cmd, sizeof(cmd), -- buf, sizeof(buf)); -+ buf, sizeof(buf), s->io_timeout); - if (ret < 0) { - return; - } -@@ -635,7 +637,7 @@ static int get_stream_blocksize(BlockBackend *blk) - cmd[0] = MODE_SENSE; - cmd[4] = sizeof(buf); - -- ret = scsi_SG_IO_FROM_DEV(blk, cmd, sizeof(cmd), buf, sizeof(buf)); -+ ret = scsi_SG_IO_FROM_DEV(blk, cmd, sizeof(cmd), buf, sizeof(buf), 60); - if (ret < 0) { - return -1; - } -@@ -725,6 +727,7 @@ static void scsi_generic_realize(SCSIDevice *s, Error **errp) - - /* Only used by scsi-block, but initialize it nevertheless to be clean. */ - s->default_scsi_version = -1; -+ s->io_timeout = 30000; - scsi_generic_read_device_inquiry(s); - } - -diff --git a/include/hw/scsi/scsi.h b/include/hw/scsi/scsi.h -index 332ef602f41385fbab533143dbbc..ead723690114f847d0d3638c3c2e 100644 ---- a/include/hw/scsi/scsi.h -+++ b/include/hw/scsi/scsi.h -@@ -88,6 +88,7 @@ struct SCSIDevice - uint64_t port_wwn; - int scsi_version; - int default_scsi_version; -+ uint32_t io_timeout; - bool needs_vpd_bl_emulation; - bool hba_supports_iothread; - }; -@@ -192,7 +193,7 @@ void scsi_device_unit_attention_reported(SCSIDevice *dev); - void scsi_generic_read_device_inquiry(SCSIDevice *dev); - int scsi_device_get_sense(SCSIDevice *dev, uint8_t *buf, int len, bool fixed); - int scsi_SG_IO_FROM_DEV(BlockBackend *blk, uint8_t *cmd, uint8_t cmd_size, -- uint8_t *buf, uint8_t buf_size); -+ uint8_t *buf, uint8_t buf_size, uint32_t timeout); - SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int target, int lun); - - /* scsi-generic.c. */ diff --git a/packaging/scsi-scsi-bus-scsi_device_find-don-t-ret.patch b/packaging/scsi-scsi-bus-scsi_device_find-don-t-ret.patch deleted file mode 100644 index 0759467bf..000000000 --- a/packaging/scsi-scsi-bus-scsi_device_find-don-t-ret.patch +++ /dev/null @@ -1,133 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 6 Oct 2020 15:39:01 +0300 -Subject: scsi/scsi-bus: scsi_device_find: don't return unrealized devices - -Git-commit: 8ddf958e8d62ada6395460b91ec5964ef21fed12 -References: bsc#1184574 - -The device core first places a device on the bus and then realizes it. -Make scsi_device_find avoid returing such devices to avoid -races in drivers that use an iothread (currently virtio-scsi) - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1812399 - -Suggested-by: Paolo Bonzini -Signed-off-by: Maxim Levitsky -Reviewed-by: Stefan Hajnoczi -Message-Id: <20200913160259.32145-7-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Message-Id: <20201006123904.610658-11-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - hw/scsi/scsi-bus.c | 83 +++++++++++++++++++++++++++++----------------- - 1 file changed, 53 insertions(+), 30 deletions(-) - -diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c -index 57dc025225f6bc1558516168a062..643d87966c88f0575404f0927856 100644 ---- a/hw/scsi/scsi-bus.c -+++ b/hw/scsi/scsi-bus.c -@@ -24,6 +24,55 @@ static void scsi_target_free_buf(SCSIRequest *req); - - static int next_scsi_bus; - -+static SCSIDevice *do_scsi_device_find(SCSIBus *bus, -+ int channel, int id, int lun, -+ bool include_unrealized) -+{ -+ BusChild *kid; -+ SCSIDevice *retval = NULL; -+ -+ QTAILQ_FOREACH_RCU(kid, &bus->qbus.children, sibling) { -+ DeviceState *qdev = kid->child; -+ SCSIDevice *dev = SCSI_DEVICE(qdev); -+ -+ if (dev->channel == channel && dev->id == id) { -+ if (dev->lun == lun) { -+ retval = dev; -+ break; -+ } -+ -+ /* -+ * If we don't find exact match (channel/bus/lun), -+ * we will return the first device which matches channel/bus -+ */ -+ -+ if (!retval) { -+ retval = dev; -+ } -+ } -+ } -+ -+ /* -+ * This function might run on the IO thread and we might race against -+ * main thread hot-plugging the device. -+ * We assume that as soon as .realized is set to true we can let -+ * the user access the device. -+ */ -+ -+ if (retval && !include_unrealized && -+ !atomic_load_acquire(&retval->qdev.realized)) { -+ retval = NULL; -+ } -+ -+ return retval; -+} -+ -+SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun) -+{ -+ RCU_READ_LOCK_GUARD(); -+ return do_scsi_device_find(bus, channel, id, lun, false); -+} -+ - static void scsi_device_realize(SCSIDevice *s, Error **errp) - { - SCSIDeviceClass *sc = SCSI_DEVICE_GET_CLASS(s); -@@ -137,7 +186,10 @@ static bool scsi_bus_is_address_free(SCSIBus *bus, - int channel, int target, int lun, - SCSIDevice **p_dev) - { -- SCSIDevice *d = scsi_device_find(bus, channel, target, lun); -+ SCSIDevice *d; -+ -+ RCU_READ_LOCK_GUARD(); -+ d = do_scsi_device_find(bus, channel, target, lun, true); - if (d && d->lun == lun) { - if (p_dev) { - *p_dev = d; -@@ -1582,35 +1634,6 @@ static char *scsibus_get_fw_dev_path(DeviceState *dev) - qdev_fw_name(dev), d->id, d->lun); - } - --SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun) --{ -- BusChild *kid; -- SCSIDevice *target_dev = NULL; -- -- RCU_READ_LOCK_GUARD(); -- QTAILQ_FOREACH_RCU(kid, &bus->qbus.children, sibling) { -- DeviceState *qdev = kid->child; -- SCSIDevice *dev = SCSI_DEVICE(qdev); -- -- if (dev->channel == channel && dev->id == id) { -- if (dev->lun == lun) { -- return dev; -- } -- -- /* -- * If we don't find exact match (channel/bus/lun), -- * we will return the first device which matches channel/bus -- */ -- -- if (!target_dev) { -- target_dev = dev; -- } -- } -- } -- -- return target_dev; --} -- - /* SCSI request list. For simplicity, pv points to the whole device */ - - static int put_scsi_requests(QEMUFile *f, void *pv, size_t size, diff --git a/packaging/scsi-scsi_bus-Add-scsi_device_get.patch b/packaging/scsi-scsi_bus-Add-scsi_device_get.patch deleted file mode 100644 index bcf8d46f3..000000000 --- a/packaging/scsi-scsi_bus-Add-scsi_device_get.patch +++ /dev/null @@ -1,56 +0,0 @@ -From: Maxim Levitsky -Date: Tue, 6 Oct 2020 15:39:02 +0300 -Subject: scsi/scsi_bus: Add scsi_device_get - -Git-commit: 8ff34495601067d02edb54b4346cace84ec4e1df -References: bsc#1184574 - -Add scsi_device_get which finds the scsi device -and takes a reference to it. - -Suggested-by: Stefan Hajnoczi -Signed-off-by: Maxim Levitsky -Message-Id: <20200913160259.32145-8-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Message-Id: <20201006123904.610658-12-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - hw/scsi/scsi-bus.c | 11 +++++++++++ - include/hw/scsi/scsi.h | 1 + - 2 files changed, 12 insertions(+) - -diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c -index 643d87966c88f0575404f0927856..856148399c720c58cfda01ff6920 100644 ---- a/hw/scsi/scsi-bus.c -+++ b/hw/scsi/scsi-bus.c -@@ -73,6 +73,17 @@ SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun) - return do_scsi_device_find(bus, channel, id, lun, false); - } - -+SCSIDevice *scsi_device_get(SCSIBus *bus, int channel, int id, int lun) -+{ -+ SCSIDevice *d; -+ RCU_READ_LOCK_GUARD(); -+ d = do_scsi_device_find(bus, channel, id, lun, false); -+ if (d) { -+ object_ref(d); -+ } -+ return d; -+} -+ - static void scsi_device_realize(SCSIDevice *s, Error **errp) - { - SCSIDeviceClass *sc = SCSI_DEVICE_GET_CLASS(s); -diff --git a/include/hw/scsi/scsi.h b/include/hw/scsi/scsi.h -index ead723690114f847d0d3638c3c2e..b695e5e6ec6bd9ac60ec99a529ed 100644 ---- a/include/hw/scsi/scsi.h -+++ b/include/hw/scsi/scsi.h -@@ -195,6 +195,7 @@ int scsi_device_get_sense(SCSIDevice *dev, uint8_t *buf, int len, bool fixed); - int scsi_SG_IO_FROM_DEV(BlockBackend *blk, uint8_t *cmd, uint8_t cmd_size, - uint8_t *buf, uint8_t buf_size, uint32_t timeout); - SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int target, int lun); -+SCSIDevice *scsi_device_get(SCSIBus *bus, int channel, int target, int lun); - - /* scsi-generic.c. */ - extern const SCSIReqOps scsi_generic_req_ops; diff --git a/packaging/scsi-scsi_bus-fix-races-in-REPORT-LUNS.patch b/packaging/scsi-scsi_bus-fix-races-in-REPORT-LUNS.patch deleted file mode 100644 index 242d8abd1..000000000 --- a/packaging/scsi-scsi_bus-fix-races-in-REPORT-LUNS.patch +++ /dev/null @@ -1,131 +0,0 @@ -From: Maxim Levitsky -Date: Tue, 6 Oct 2020 15:39:04 +0300 -Subject: scsi/scsi_bus: fix races in REPORT LUNS - -Git-commit: 8cfe8013baec2a6f66240ffd767fad2699d85144 -References: bsc#1184574 - -Currently scsi_target_emulate_report_luns iterates over the child device list -twice, and there is no guarantee that this list is the same in both iterations. - -The reason for iterating twice is that the first iteration calculates -how much memory to allocate. However if we use a dynamic array we can -avoid iterating twice, and therefore we avoid this race. - -Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1866707 - -Signed-off-by: Maxim Levitsky -Reviewed-by: Stefan Hajnoczi -Message-Id: <20200913160259.32145-10-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Message-Id: <20201006123904.610658-14-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - hw/scsi/scsi-bus.c | 68 ++++++++++++++++++++++------------------------ - 1 file changed, 33 insertions(+), 35 deletions(-) - -diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c -index 856148399c720c58cfda01ff6920..2d112d3cb291ddd7a30f66f0c1d2 100644 ---- a/hw/scsi/scsi-bus.c -+++ b/hw/scsi/scsi-bus.c -@@ -450,19 +450,23 @@ struct SCSITargetReq { - static void store_lun(uint8_t *outbuf, int lun) - { - if (lun < 256) { -+ /* Simple logical unit addressing method*/ -+ outbuf[0] = 0; - outbuf[1] = lun; -- return; -+ } else { -+ /* Flat space addressing method */ -+ outbuf[0] = 0x40 | (lun >> 8); -+ outbuf[1] = (lun & 255); - } -- outbuf[1] = (lun & 255); -- outbuf[0] = (lun >> 8) | 0x40; - } - - static bool scsi_target_emulate_report_luns(SCSITargetReq *r) - { - BusChild *kid; -- int i, len, n; - int channel, id; -- bool found_lun0; -+ uint8_t tmp[8] = {0}; -+ int len = 0; -+ GByteArray *buf; - - if (r->req.cmd.xfer < 16) { - return false; -@@ -470,46 +474,40 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r) - if (r->req.cmd.buf[2] > 2) { - return false; - } -+ -+ /* reserve space for 63 LUNs*/ -+ buf = g_byte_array_sized_new(512); -+ - channel = r->req.dev->channel; - id = r->req.dev->id; -- found_lun0 = false; -- n = 0; - -- RCU_READ_LOCK_GUARD(); -+ /* add size (will be updated later to correct value */ -+ g_byte_array_append(buf, tmp, 8); -+ len += 8; - -- QTAILQ_FOREACH_RCU(kid, &r->req.bus->qbus.children, sibling) { -- DeviceState *qdev = kid->child; -- SCSIDevice *dev = SCSI_DEVICE(qdev); -+ /* add LUN0 */ -+ g_byte_array_append(buf, tmp, 8); -+ len += 8; - -- if (dev->channel == channel && dev->id == id) { -- if (dev->lun == 0) { -- found_lun0 = true; -+ WITH_RCU_READ_LOCK_GUARD() { -+ QTAILQ_FOREACH_RCU(kid, &r->req.bus->qbus.children, sibling) { -+ DeviceState *qdev = kid->child; -+ SCSIDevice *dev = SCSI_DEVICE(qdev); -+ -+ if (dev->channel == channel && dev->id == id && dev->lun != 0) { -+ store_lun(tmp, dev->lun); -+ g_byte_array_append(buf, tmp, 8); -+ len += 8; - } -- n += 8; - } - } -- if (!found_lun0) { -- n += 8; -- } -- -- scsi_target_alloc_buf(&r->req, n + 8); -- -- len = MIN(n + 8, r->req.cmd.xfer & ~7); -- memset(r->buf, 0, len); -- stl_be_p(&r->buf[0], n); -- i = found_lun0 ? 8 : 16; -- QTAILQ_FOREACH_RCU(kid, &r->req.bus->qbus.children, sibling) { -- DeviceState *qdev = kid->child; -- SCSIDevice *dev = SCSI_DEVICE(qdev); - -- if (dev->channel == channel && dev->id == id) { -- store_lun(&r->buf[i], dev->lun); -- i += 8; -- } -- } -+ r->buf_len = len; -+ r->buf = g_byte_array_free(buf, FALSE); -+ r->len = MIN(len, r->req.cmd.xfer & ~7); - -- assert(i == n + 8); -- r->len = len; -+ /* store the LUN list length */ -+ stl_be_p(&r->buf[0], len - 8); - return true; - } - diff --git a/packaging/scsi-scsi_bus-switch-search-direction-in.patch b/packaging/scsi-scsi_bus-switch-search-direction-in.patch deleted file mode 100644 index 4f753e4c3..000000000 --- a/packaging/scsi-scsi_bus-switch-search-direction-in.patch +++ /dev/null @@ -1,49 +0,0 @@ -From: Maxim Levitsky -Date: Tue, 6 Oct 2020 14:38:57 +0200 -Subject: scsi/scsi_bus: switch search direction in scsi_device_find - -Git-commit: 7a8202c521a5d1ac9e289d5c2b5125a9310af178 -References: bsc#1184574 - -This change will allow us to convert the bus children list to RCU, -while not changing the logic of this function - -Signed-off-by: Maxim Levitsky -Reviewed-by: Stefan Hajnoczi -Message-Id: <20200913160259.32145-2-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - hw/scsi/scsi-bus.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c -index ad0e7f6d8895690fefbaa4207816..4f277985f64be532c8151a0ac09b 100644 ---- a/hw/scsi/scsi-bus.c -+++ b/hw/scsi/scsi-bus.c -@@ -1584,7 +1584,7 @@ SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun) - BusChild *kid; - SCSIDevice *target_dev = NULL; - -- QTAILQ_FOREACH_REVERSE(kid, &bus->qbus.children, sibling) { -+ QTAILQ_FOREACH(kid, &bus->qbus.children, sibling) { - DeviceState *qdev = kid->child; - SCSIDevice *dev = SCSI_DEVICE(qdev); - -@@ -1592,7 +1592,15 @@ SCSIDevice *scsi_device_find(SCSIBus *bus, int channel, int id, int lun) - if (dev->lun == lun) { - return dev; - } -- target_dev = dev; -+ -+ /* -+ * If we don't find exact match (channel/bus/lun), -+ * we will return the first device which matches channel/bus -+ */ -+ -+ if (!target_dev) { -+ target_dev = dev; -+ } - } - } - return target_dev; diff --git a/packaging/scsi-switch-to-bus-check_address.patch b/packaging/scsi-switch-to-bus-check_address.patch deleted file mode 100644 index 0455c385f..000000000 --- a/packaging/scsi-switch-to-bus-check_address.patch +++ /dev/null @@ -1,199 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 6 Oct 2020 15:38:56 +0300 -Subject: scsi: switch to bus->check_address - -Git-commit: 42a90a899e70f5fbef2b5a117535acaa0bc1f5ad -References: bsc#1184574 - -Signed-off-by: Paolo Bonzini -Message-Id: <20201006123904.610658-6-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - hw/scsi/scsi-bus.c | 122 ++++++++++++++++++++++++++++----------------- - 1 file changed, 75 insertions(+), 47 deletions(-) - -diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c -index 3c604bfe22e02a4e7b7f11f80769..57dc025225f6bc1558516168a062 100644 ---- a/hw/scsi/scsi-bus.c -+++ b/hw/scsi/scsi-bus.c -@@ -22,33 +22,6 @@ static void scsi_req_dequeue(SCSIRequest *req); - static uint8_t *scsi_target_alloc_buf(SCSIRequest *req, size_t len); - static void scsi_target_free_buf(SCSIRequest *req); - --static Property scsi_props[] = { -- DEFINE_PROP_UINT32("channel", SCSIDevice, channel, 0), -- DEFINE_PROP_UINT32("scsi-id", SCSIDevice, id, -1), -- DEFINE_PROP_UINT32("lun", SCSIDevice, lun, -1), -- DEFINE_PROP_END_OF_LIST(), --}; -- --static void scsi_bus_class_init(ObjectClass *klass, void *data) --{ -- BusClass *k = BUS_CLASS(klass); -- HotplugHandlerClass *hc = HOTPLUG_HANDLER_CLASS(klass); -- -- k->get_dev_path = scsibus_get_dev_path; -- k->get_fw_dev_path = scsibus_get_fw_dev_path; -- hc->unplug = qdev_simple_device_unplug_cb; --} -- --static const TypeInfo scsi_bus_info = { -- .name = TYPE_SCSI_BUS, -- .parent = TYPE_BUS, -- .instance_size = sizeof(SCSIBus), -- .class_init = scsi_bus_class_init, -- .interfaces = (InterfaceInfo[]) { -- { TYPE_HOTPLUG_HANDLER }, -- { } -- } --}; - static int next_scsi_bus; - - static void scsi_device_realize(SCSIDevice *s, Error **errp) -@@ -160,35 +133,68 @@ static void scsi_dma_restart_cb(void *opaque, int running, RunState state) - } - } - --static void scsi_qdev_realize(DeviceState *qdev, Error **errp) -+static bool scsi_bus_is_address_free(SCSIBus *bus, -+ int channel, int target, int lun, -+ SCSIDevice **p_dev) -+{ -+ SCSIDevice *d = scsi_device_find(bus, channel, target, lun); -+ if (d && d->lun == lun) { -+ if (p_dev) { -+ *p_dev = d; -+ } -+ return false; -+ } -+ if (p_dev) { -+ *p_dev = NULL; -+ } -+ return true; -+} -+ -+static bool scsi_bus_check_address(BusState *qbus, DeviceState *qdev, Error **errp) - { - SCSIDevice *dev = SCSI_DEVICE(qdev); -- SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, dev->qdev.parent_bus); -- SCSIDevice *d; -- Error *local_err = NULL; -+ SCSIBus *bus = SCSI_BUS(qbus); - - if (dev->channel > bus->info->max_channel) { - error_setg(errp, "bad scsi channel id: %d", dev->channel); -- return; -+ return false; - } - if (dev->id != -1 && dev->id > bus->info->max_target) { - error_setg(errp, "bad scsi device id: %d", dev->id); -- return; -+ return false; - } - if (dev->lun != -1 && dev->lun > bus->info->max_lun) { - error_setg(errp, "bad scsi device lun: %d", dev->lun); -- return; -+ return false; -+ } -+ -+ if (dev->id != -1 && dev->lun != -1) { -+ SCSIDevice *d; -+ if (!scsi_bus_is_address_free(bus, dev->channel, dev->id, dev->lun, &d)) { -+ error_setg(errp, "lun already used by '%s'", d->qdev.id); -+ return false; -+ } - } - -+ return true; -+} -+ -+static void scsi_qdev_realize(DeviceState *qdev, Error **errp) -+{ -+ SCSIDevice *dev = SCSI_DEVICE(qdev); -+ SCSIBus *bus = DO_UPCAST(SCSIBus, qbus, dev->qdev.parent_bus); -+ bool is_free; -+ Error *local_err = NULL; -+ - if (dev->id == -1) { - int id = -1; - if (dev->lun == -1) { - dev->lun = 0; - } - do { -- d = scsi_device_find(bus, dev->channel, ++id, dev->lun); -- } while (d && d->lun == dev->lun && id < bus->info->max_target); -- if (d && d->lun == dev->lun) { -+ is_free = scsi_bus_is_address_free(bus, dev->channel, ++id, dev->lun, NULL); -+ } while (!is_free && id < bus->info->max_target); -+ if (!is_free) { - error_setg(errp, "no free target"); - return; - } -@@ -196,20 +202,13 @@ static void scsi_qdev_realize(DeviceState *qdev, Error **errp) - } else if (dev->lun == -1) { - int lun = -1; - do { -- d = scsi_device_find(bus, dev->channel, dev->id, ++lun); -- } while (d && d->lun == lun && lun < bus->info->max_lun); -- if (d && d->lun == lun) { -+ is_free = scsi_bus_is_address_free(bus, dev->channel, dev->id, ++lun, NULL); -+ } while (!is_free && lun < bus->info->max_lun); -+ if (!is_free) { - error_setg(errp, "no free lun"); - return; - } - dev->lun = lun; -- } else { -- d = scsi_device_find(bus, dev->channel, dev->id, dev->lun); -- assert(d); -- if (d->lun == dev->lun && dev != d) { -- error_setg(errp, "lun already used by '%s'", d->qdev.id); -- return; -- } - } - - QTAILQ_INIT(&dev->requests); -@@ -1735,6 +1734,13 @@ const VMStateDescription vmstate_scsi_device = { - } - }; - -+static Property scsi_props[] = { -+ DEFINE_PROP_UINT32("channel", SCSIDevice, channel, 0), -+ DEFINE_PROP_UINT32("scsi-id", SCSIDevice, id, -1), -+ DEFINE_PROP_UINT32("lun", SCSIDevice, lun, -1), -+ DEFINE_PROP_END_OF_LIST(), -+}; -+ - static void scsi_device_class_init(ObjectClass *klass, void *data) - { - DeviceClass *k = DEVICE_CLASS(klass); -@@ -1765,6 +1771,28 @@ static const TypeInfo scsi_device_type_info = { - .instance_init = scsi_dev_instance_init, - }; - -+static void scsi_bus_class_init(ObjectClass *klass, void *data) -+{ -+ BusClass *k = BUS_CLASS(klass); -+ HotplugHandlerClass *hc = HOTPLUG_HANDLER_CLASS(klass); -+ -+ k->get_dev_path = scsibus_get_dev_path; -+ k->get_fw_dev_path = scsibus_get_fw_dev_path; -+ k->check_address = scsi_bus_check_address; -+ hc->unplug = qdev_simple_device_unplug_cb; -+} -+ -+static const TypeInfo scsi_bus_info = { -+ .name = TYPE_SCSI_BUS, -+ .parent = TYPE_BUS, -+ .instance_size = sizeof(SCSIBus), -+ .class_init = scsi_bus_class_init, -+ .interfaces = (InterfaceInfo[]) { -+ { TYPE_HOTPLUG_HANDLER }, -+ { } -+ } -+}; -+ - static void scsi_register_types(void) - { - type_register_static(&scsi_bus_info); diff --git a/packaging/seabios-switch-to-python3-as-needed.patch b/packaging/seabios-switch-to-python3-as-needed.patch deleted file mode 100644 index 5b1c44008..000000000 --- a/packaging/seabios-switch-to-python3-as-needed.patch +++ /dev/null @@ -1,149 +0,0 @@ -From: Bruce Rogers -Date: Thu, 27 Jun 2019 10:15:24 -0600 -Subject: seabios: switch to python3 as needed - -Switch to python3 the places where "python2" is explicitly referenced. -(Ignore the uses of #!/usr/bin/env python, since that usage does the -right thing in our build environment). -Include changes proposed by the python3 2to3 tool. - -Signed-off-by: Bruce Rogers ---- - Makefile | 2 +- - scripts/acpi_extract.py | 4 ++-- - scripts/acpi_extract_preprocess.py | 2 +- - scripts/layoutrom.py | 28 ++++++++++++++-------------- - scripts/vgafixup.py | 2 +- - 5 files changed, 19 insertions(+), 19 deletions(-) - -diff --git a/roms/seabios/Makefile b/roms/seabios/Makefile -index de1fa90035b82ef3608d68d62f59..ca8d0283922bbfa931e85511e921 100644 ---- a/roms/seabios/Makefile -+++ b/roms/seabios/Makefile -@@ -22,7 +22,7 @@ LD=$(CROSS_PREFIX)ld - OBJCOPY=$(CROSS_PREFIX)objcopy - OBJDUMP=$(CROSS_PREFIX)objdump - STRIP=$(CROSS_PREFIX)strip --PYTHON=python2 -+PYTHON=python3 - CPP=cpp - IASL:=iasl - LD32BIT_FLAG:=-melf_i386 -diff --git a/roms/seabios/scripts/acpi_extract.py b/roms/seabios/scripts/acpi_extract.py -index 86c6226c0f9aae4e4687cf216369..7ac054e626780253fcec78414b17 100755 ---- a/roms/seabios/scripts/acpi_extract.py -+++ b/roms/seabios/scripts/acpi_extract.py -@@ -1,4 +1,4 @@ --#!/usr/bin/python2 -+#!/usr/bin/python3 - # Copyright (C) 2011 Red Hat, Inc., Michael S. Tsirkin - # - # This file may be distributed under the terms of the GNU GPLv3 license. -@@ -348,7 +348,7 @@ def main(): - # Pretty print output - outstrs = ["/* DO NOT EDIT! This is an autogenerated file." - " See scripts/acpi_extract.py. */"] -- for array in output.keys(): -+ for array in list(output.keys()): - otype = get_value_type(max(output[array])) - outstrs.append("static unsigned %s %s[] = {" % (otype, array)) - odata = [] -diff --git a/roms/seabios/scripts/acpi_extract_preprocess.py b/roms/seabios/scripts/acpi_extract_preprocess.py -index b8e92a525730442815a0dce78f45..6963847a8b5d3e4bf9340a67afe2 100755 ---- a/roms/seabios/scripts/acpi_extract_preprocess.py -+++ b/roms/seabios/scripts/acpi_extract_preprocess.py -@@ -1,4 +1,4 @@ --#!/usr/bin/python2 -+#!/usr/bin/python3 - # Copyright (C) 2011 Red Hat, Inc., Michael S. Tsirkin - # - # This file may be distributed under the terms of the GNU GPLv3 license. -diff --git a/roms/seabios/scripts/layoutrom.py b/roms/seabios/scripts/layoutrom.py -index 6616721d1b584892074491b292ba..c6d003273990ae66ca62bc36fe07 100755 ---- a/roms/seabios/scripts/layoutrom.py -+++ b/roms/seabios/scripts/layoutrom.py -@@ -81,8 +81,8 @@ def fitSections(sections, fillsections): - section.finalsegloc = addr - fixedsections.append((addr, section)) - if section.align != 1: -- print("Error: Fixed section %s has non-zero alignment (%d)" % ( -- section.name, section.align)) -+ print(("Error: Fixed section %s has non-zero alignment (%d)" % ( -+ section.name, section.align))) - sys.exit(1) - fixedsections.sort(key=operator.itemgetter(0)) - firstfixed = fixedsections[0][0] -@@ -142,10 +142,10 @@ def fitSections(sections, fillsections): - # Report stats - total = BUILD_BIOS_SIZE-firstfixed - slack = total - totalused -- print ("Fixed space: 0x%x-0x%x total: %d slack: %d" -+ print(("Fixed space: 0x%x-0x%x total: %d slack: %d" - " Percent slack: %.1f%%" % ( - firstfixed, BUILD_BIOS_SIZE, total, slack, -- (float(slack) / total) * 100.0)) -+ (float(slack) / total) * 100.0))) - - return firstfixed + BUILD_BIOS_ADDR - -@@ -288,12 +288,12 @@ def doLayout(sections, config, genreloc): - size32flat = sec32fseg_start - sec32flat_start - size32init = sec32flat_start - sec32init_start - sizelow = li.sec32low_end - li.sec32low_start -- print("16bit size: %d" % size16) -- print("32bit segmented size: %d" % size32seg) -- print("32bit flat size: %d" % (size32flat + size32textfseg)) -- print("32bit flat init size: %d" % size32init) -- print("Lowmem size: %d" % sizelow) -- print("f-segment var size: %d" % size32fseg) -+ print(("16bit size: %d" % size16)) -+ print(("32bit segmented size: %d" % size32seg)) -+ print(("32bit flat size: %d" % (size32flat + size32textfseg))) -+ print(("32bit flat init size: %d" % size32init)) -+ print(("Lowmem size: %d" % sizelow)) -+ print(("f-segment var size: %d" % size32fseg)) - return li - - -@@ -312,7 +312,7 @@ def outXRefs(sections, useseg=0, exportsyms=[], forcedelta=0): - and (symbol.section.fileid != section.fileid - or symbol.name != reloc.symbolname)): - xrefs[reloc.symbolname] = symbol -- for symbolname, symbol in xrefs.items(): -+ for symbolname, symbol in list(xrefs.items()): - loc = symbol.section.finalloc - if useseg: - loc = symbol.section.finalsegloc -@@ -482,8 +482,8 @@ def checkRuntime(reloc, rsection, data, chain): - if section is None or '.init.' in section.name: - return 0 - if '.data.varinit.' in section.name: -- print("ERROR: %s is VARVERIFY32INIT but used from %s" % ( -- section.name, chain)) -+ print(("ERROR: %s is VARVERIFY32INIT but used from %s" % ( -+ section.name, chain))) - sys.exit(1) - return 1 - -@@ -691,7 +691,7 @@ def main(): - li = doLayout(sections, config, genreloc) - - # Exported symbols -- li.varlowsyms = [symbol for symbol in symbols['32flat'].values() -+ li.varlowsyms = [symbol for symbol in list(symbols['32flat'].values()) - if (symbol.section is not None - and symbol.section.finalloc is not None - and '.data.varlow.' in symbol.section.name -diff --git a/roms/seabios/scripts/vgafixup.py b/roms/seabios/scripts/vgafixup.py -index 2053cd5d78e5935658e1fecec074..dc662480f909e27958fa906d73b1 100644 ---- a/roms/seabios/scripts/vgafixup.py -+++ b/roms/seabios/scripts/vgafixup.py -@@ -29,7 +29,7 @@ re_leal = re.compile( - def handle_leal(sline): - m = re_leal.match(sline[5:]) - if m is None or m.group('index') == '%esp': -- print("Unable to fixup leal instruction: %s" % (sline,)) -+ print(("Unable to fixup leal instruction: %s" % (sline,))) - sys.exit(-1) - offset, base, index, scale, dest = m.group( - 'offset', 'base', 'index', 'scale', 'dest') diff --git a/packaging/seabios-use-python2-explicitly-as-needed.patch b/packaging/seabios-use-python2-explicitly-as-needed.patch deleted file mode 100644 index 8897043f0..000000000 --- a/packaging/seabios-use-python2-explicitly-as-needed.patch +++ /dev/null @@ -1,48 +0,0 @@ -From: Bruce Rogers -Date: Thu, 27 Jun 2019 10:15:24 -0600 -Subject: seabios: use python2 explicitly as needed - -Switch to python2 the places where "python" is explicitly referenced. -(Ignore the uses of #!/usr/bin/env python, since that usage does the -right thing in our build environment). - -Signed-off-by: Bruce Rogers ---- - Makefile | 2 +- - scripts/acpi_extract.py | 2 +- - scripts/acpi_extract_preprocess.py | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/roms/seabios/Makefile b/roms/seabios/Makefile -index 5f7d5370198abac950b24e08a7aa..de1fa90035b82ef3608d68d62f59 100644 ---- a/roms/seabios/Makefile -+++ b/roms/seabios/Makefile -@@ -22,7 +22,7 @@ LD=$(CROSS_PREFIX)ld - OBJCOPY=$(CROSS_PREFIX)objcopy - OBJDUMP=$(CROSS_PREFIX)objdump - STRIP=$(CROSS_PREFIX)strip --PYTHON=python -+PYTHON=python2 - CPP=cpp - IASL:=iasl - LD32BIT_FLAG:=-melf_i386 -diff --git a/roms/seabios/scripts/acpi_extract.py b/roms/seabios/scripts/acpi_extract.py -index 3ed863b6a79412a1276bb905d08f..86c6226c0f9aae4e4687cf216369 100755 ---- a/roms/seabios/scripts/acpi_extract.py -+++ b/roms/seabios/scripts/acpi_extract.py -@@ -1,4 +1,4 @@ --#!/usr/bin/python -+#!/usr/bin/python2 - # Copyright (C) 2011 Red Hat, Inc., Michael S. Tsirkin - # - # This file may be distributed under the terms of the GNU GPLv3 license. -diff --git a/roms/seabios/scripts/acpi_extract_preprocess.py b/roms/seabios/scripts/acpi_extract_preprocess.py -index 2698118406d97c164783335c7fb6..b8e92a525730442815a0dce78f45 100755 ---- a/roms/seabios/scripts/acpi_extract_preprocess.py -+++ b/roms/seabios/scripts/acpi_extract_preprocess.py -@@ -1,4 +1,4 @@ --#!/usr/bin/python -+#!/usr/bin/python2 - # Copyright (C) 2011 Red Hat, Inc., Michael S. Tsirkin - # - # This file may be distributed under the terms of the GNU GPLv3 license. diff --git a/packaging/sgabios-Makefile-fix-issues-of-build-rep.patch b/packaging/sgabios-Makefile-fix-issues-of-build-rep.patch deleted file mode 100644 index 0f9e350e8..000000000 --- a/packaging/sgabios-Makefile-fix-issues-of-build-rep.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Bruce Rogers -Date: Thu, 27 Jun 2019 10:15:24 -0600 -Subject: sgabios:Makefile: fix issues of build reproducibility -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It is desirable to produce the same bits on subsequent -builds when the actual code of the package doesn't -change. (bsc#1011213) - -Signed-off-by: Bruce Rogers -Signed-off-by: Andreas Färber ---- - Makefile | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/roms/sgabios/Makefile b/roms/sgabios/Makefile -index 970b0ff37a1ae58e98d0527da215..d2934c9f678dadfae5201b8507e9 100644 ---- a/roms/sgabios/Makefile -+++ b/roms/sgabios/Makefile -@@ -14,10 +14,10 @@ - # - # $Id$ - --BUILD_DATE = \"$(shell date -u)\" --BUILD_SHORT_DATE = \"$(shell date -u +%D)\" --BUILD_HOST = \"$(shell hostname)\" --BUILD_USER = \"$(shell whoami)\" -+BUILD_DATE = \"$(shell date --date='@$(PACKAGING_TIMESTAMP)' -u)\" -+BUILD_SHORT_DATE = \"$(shell date --date='@$(PACKAGING_TIMESTAMP)' -u +%D)\" -+BUILD_HOST = \"buildhost\" -+BUILD_USER = \"geeko\" - - CFLAGS := -Wall -Os -m32 -nostdlib - diff --git a/packaging/slirp-check-pkt_len-before-reading-proto.patch b/packaging/slirp-check-pkt_len-before-reading-proto.patch deleted file mode 100644 index 2f6c41736..000000000 --- a/packaging/slirp-check-pkt_len-before-reading-proto.patch +++ /dev/null @@ -1,59 +0,0 @@ -From: Prasad J Pandit -Date: Thu, 26 Nov 2020 19:27:06 +0530 -Subject: slirp: check pkt_len before reading protocol header -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f -References: bsc#1179466, bsc#1179467 - -While processing ARP/NCSI packets in 'arp_input' or 'ncsi_input' -routines, ensure that pkt_len is large enough to accommodate the -respective protocol headers, lest it should do an OOB access. -Add check to avoid it. - -CVE-2020-29129 CVE-2020-29130 - QEMU: slirp: out-of-bounds access while processing ARP/NCSI packets - -> https://www.openwall.com/lists/oss-security/2020/11/27/1 - -Reported-by: Qiuhao Li -Signed-off-by: Prasad J Pandit -Message-Id: <20201126135706.273950-1-ppandit@redhat.com> -Reviewed-by: Marc-André Lureau -Signed-off-by: Bruce Rogers ---- - src/ncsi.c | 4 ++++ - src/slirp.c | 4 ++++ - 2 files changed, 8 insertions(+) - -diff --git a/slirp/src/ncsi.c b/slirp/src/ncsi.c -index ddd980d869546d314df6f6441475..4bc1d07faadc94ec578d51e58c2c 100644 ---- a/slirp/src/ncsi.c -+++ b/slirp/src/ncsi.c -@@ -147,6 +147,10 @@ void ncsi_input(Slirp *slirp, const uint8_t *pkt, int pkt_len) - uint32_t checksum; - uint32_t *pchecksum; - -+ if (pkt_len < ETH_HLEN + sizeof(struct ncsi_pkt_hdr)) { -+ return; /* packet too short */ -+ } -+ - memset(ncsi_reply, 0, sizeof(ncsi_reply)); - - memset(reh->h_dest, 0xff, ETH_ALEN); -diff --git a/slirp/src/slirp.c b/slirp/src/slirp.c -index 14458e8510e7ca2d704577030524..ef359c862b34c75bf5454320c5d1 100644 ---- a/slirp/src/slirp.c -+++ b/slirp/src/slirp.c -@@ -755,6 +755,10 @@ static void arp_input(Slirp *slirp, const uint8_t *pkt, int pkt_len) - return; - } - -+ if (pkt_len < ETH_HLEN + sizeof(struct slirp_arphdr)) { -+ return; /* packet too short */ -+ } -+ - ar_op = ntohs(ah->ar_op); - switch (ar_op) { - case ARPOP_REQUEST: diff --git a/packaging/sm501-Clean-up-local-variables-in-sm501_.patch b/packaging/sm501-Clean-up-local-variables-in-sm501_.patch deleted file mode 100644 index 4374a51d7..000000000 --- a/packaging/sm501-Clean-up-local-variables-in-sm501_.patch +++ /dev/null @@ -1,95 +0,0 @@ -From: BALATON Zoltan -Date: Thu, 21 May 2020 21:39:44 +0200 -Subject: sm501: Clean up local variables in sm501_2d_operation -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 3d0b096298b5579a7fa0753ad90968b27bc65372 -References: bsc#1172385, CVE-2020-12829 - -Make variables local to the block they are used in to make it clearer -which operation they are needed for. - -Signed-off-by: BALATON Zoltan -Reviewed-by: Philippe Mathieu-Daudé -Message-id: ae59f8138afe7f6a5a4a82539d0f61496a906b06.1590089984.git.balaton@eik.bme.hu -Signed-off-by: Gerd Hoffmann -Signed-off-by: Bruce Rogers ---- - hw/display/sm501.c | 31 ++++++++++++++++--------------- - 1 file changed, 16 insertions(+), 15 deletions(-) - -diff --git a/hw/display/sm501.c b/hw/display/sm501.c -index d0e92fff336de06e99577a5ded96..4204b80f988815200120852d64ec 100644 ---- a/hw/display/sm501.c -+++ b/hw/display/sm501.c -@@ -699,28 +699,19 @@ static inline void hwc_invalidate(SM501State *s, int crt) - - static void sm501_2d_operation(SM501State *s) - { -- /* obtain operation parameters */ - int cmd = (s->twoD_control >> 16) & 0x1F; - int rtl = s->twoD_control & BIT(27); -- int src_x = (s->twoD_source >> 16) & 0x01FFF; -- int src_y = s->twoD_source & 0xFFFF; -- int dst_x = (s->twoD_destination >> 16) & 0x01FFF; -- int dst_y = s->twoD_destination & 0xFFFF; -- int width = (s->twoD_dimension >> 16) & 0x1FFF; -- int height = s->twoD_dimension & 0xFFFF; -- uint32_t color = s->twoD_foreground; - int format = (s->twoD_stretch >> 20) & 0x3; - int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */ - /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */ - int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1; - int rop = s->twoD_control & 0xFF; -- uint32_t src_base = s->twoD_source_base & 0x03FFFFFF; -+ int dst_x = (s->twoD_destination >> 16) & 0x01FFF; -+ int dst_y = s->twoD_destination & 0xFFFF; -+ int width = (s->twoD_dimension >> 16) & 0x1FFF; -+ int height = s->twoD_dimension & 0xFFFF; - uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF; -- -- /* get frame buffer info */ -- uint8_t *src = s->local_mem + src_base; - uint8_t *dst = s->local_mem + dst_base; -- int src_pitch = s->twoD_pitch & 0x1FFF; - int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF; - int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0; - int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt); -@@ -758,6 +749,13 @@ static void sm501_2d_operation(SM501State *s) - - switch (cmd) { - case 0x00: /* copy area */ -+ { -+ int src_x = (s->twoD_source >> 16) & 0x01FFF; -+ int src_y = s->twoD_source & 0xFFFF; -+ uint32_t src_base = s->twoD_source_base & 0x03FFFFFF; -+ uint8_t *src = s->local_mem + src_base; -+ int src_pitch = s->twoD_pitch & 0x1FFF; -+ - #define COPY_AREA(_bpp, _pixel_type, rtl) { \ - int y, x, index_d, index_s; \ - for (y = 0; y < height; y++) { \ -@@ -793,8 +791,11 @@ static void sm501_2d_operation(SM501State *s) - break; - } - break; -- -+ } - case 0x01: /* fill rectangle */ -+ { -+ uint32_t color = s->twoD_foreground; -+ - #define FILL_RECT(_bpp, _pixel_type) { \ - int y, x; \ - for (y = 0; y < height; y++) { \ -@@ -819,7 +820,7 @@ static void sm501_2d_operation(SM501State *s) - break; - } - break; -- -+ } - default: - qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n", - cmd); diff --git a/packaging/sm501-Convert-printf-abort-to-qemu_log_m.patch b/packaging/sm501-Convert-printf-abort-to-qemu_log_m.patch deleted file mode 100644 index e7f6124a2..000000000 --- a/packaging/sm501-Convert-printf-abort-to-qemu_log_m.patch +++ /dev/null @@ -1,159 +0,0 @@ -From: BALATON Zoltan -Date: Thu, 21 May 2020 21:39:44 +0200 -Subject: sm501: Convert printf + abort to qemu_log_mask -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: e29da77e5fddf6480e3a0e80b63d703edaec751b -References: bsc#1172385, CVE-2020-12829 - -Some places already use qemu_log_mask() to log unimplemented features -or errors but some others have printf() then abort(). Convert these to -qemu_log_mask() and avoid aborting to prevent guests to easily cause -denial of service. - -Signed-off-by: BALATON Zoltan -Reviewed-by: Philippe Mathieu-Daudé -Message-id: 305af87f59d81e92f2aaff09eb8a3603b8baa322.1590089984.git.balaton@eik.bme.hu -Signed-off-by: Gerd Hoffmann -Signed-off-by: Bruce Rogers ---- - hw/display/sm501.c | 57 ++++++++++++++++++++++------------------------ - 1 file changed, 27 insertions(+), 30 deletions(-) - -diff --git a/hw/display/sm501.c b/hw/display/sm501.c -index 1f33c87e654e4c8993d3fe894d2f..880c2f0469bb1cee63c115932ab0 100644 ---- a/hw/display/sm501.c -+++ b/hw/display/sm501.c -@@ -727,8 +727,8 @@ static void sm501_2d_operation(SM501State *s) - int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt); - - if (addressing != 0x0) { -- printf("%s: only XY addressing is supported.\n", __func__); -- abort(); -+ qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n"); -+ return; - } - - if (rop_mode == 0) { -@@ -754,8 +754,8 @@ static void sm501_2d_operation(SM501State *s) - - if ((s->twoD_source_base & 0x08000000) || - (s->twoD_destination_base & 0x08000000)) { -- printf("%s: only local memory is supported.\n", __func__); -- abort(); -+ qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n"); -+ return; - } - - switch (operation) { -@@ -823,9 +823,9 @@ static void sm501_2d_operation(SM501State *s) - break; - - default: -- printf("non-implemented SM501 2D operation. %d\n", operation); -- abort(); -- break; -+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n", -+ operation); -+ return; - } - - if (dst_base >= get_fb_addr(s, crt) && -@@ -892,9 +892,8 @@ static uint64_t sm501_system_config_read(void *opaque, hwaddr addr, - break; - - default: -- printf("sm501 system config : not implemented register read." -- " addr=%x\n", (int)addr); -- abort(); -+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config" -+ "register read. addr=%" HWADDR_PRIx "\n", addr); - } - - return ret; -@@ -948,15 +947,15 @@ static void sm501_system_config_write(void *opaque, hwaddr addr, - break; - case SM501_ENDIAN_CONTROL: - if (value & 0x00000001) { -- printf("sm501 system config : big endian mode not implemented.\n"); -- abort(); -+ qemu_log_mask(LOG_UNIMP, "sm501: system config big endian mode not" -+ " implemented.\n"); - } - break; - - default: -- printf("sm501 system config : not implemented register write." -- " addr=%x, val=%x\n", (int)addr, (uint32_t)value); -- abort(); -+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented system config" -+ "register write. addr=%" HWADDR_PRIx -+ ", val=%" PRIx64 "\n", addr, value); - } - } - -@@ -1207,9 +1206,8 @@ static uint64_t sm501_disp_ctrl_read(void *opaque, hwaddr addr, - break; - - default: -- printf("sm501 disp ctrl : not implemented register read." -- " addr=%x\n", (int)addr); -- abort(); -+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register " -+ "read. addr=%" HWADDR_PRIx "\n", addr); - } - - return ret; -@@ -1345,9 +1343,9 @@ static void sm501_disp_ctrl_write(void *opaque, hwaddr addr, - break; - - default: -- printf("sm501 disp ctrl : not implemented register write." -- " addr=%x, val=%x\n", (int)addr, (unsigned)value); -- abort(); -+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register " -+ "write. addr=%" HWADDR_PRIx -+ ", val=%" PRIx64 "\n", addr, value); - } - } - -@@ -1433,9 +1431,8 @@ static uint64_t sm501_2d_engine_read(void *opaque, hwaddr addr, - ret = 0; /* Should return interrupt status */ - break; - default: -- printf("sm501 disp ctrl : not implemented register read." -- " addr=%x\n", (int)addr); -- abort(); -+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented disp ctrl register " -+ "read. addr=%" HWADDR_PRIx "\n", addr); - } - - return ret; -@@ -1520,9 +1517,9 @@ static void sm501_2d_engine_write(void *opaque, hwaddr addr, - /* ignored, writing 0 should clear interrupt status */ - break; - default: -- printf("sm501 2d engine : not implemented register write." -- " addr=%x, val=%x\n", (int)addr, (unsigned)value); -- abort(); -+ qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2d engine register " -+ "write. addr=%" HWADDR_PRIx -+ ", val=%" PRIx64 "\n", addr, value); - } - } - -@@ -1670,9 +1667,9 @@ static void sm501_update_display(void *opaque) - draw_line = draw_line32_funcs[dst_depth_index]; - break; - default: -- printf("sm501 update display : invalid control register value.\n"); -- abort(); -- break; -+ qemu_log_mask(LOG_GUEST_ERROR, "sm501: update display" -+ "invalid control register value.\n"); -+ return; - } - - /* set up to draw hardware cursor */ diff --git a/packaging/sm501-Replace-hand-written-implementatio.patch b/packaging/sm501-Replace-hand-written-implementatio.patch deleted file mode 100644 index bdd9c2870..000000000 --- a/packaging/sm501-Replace-hand-written-implementatio.patch +++ /dev/null @@ -1,260 +0,0 @@ -From: BALATON Zoltan -Date: Thu, 21 May 2020 21:39:44 +0200 -Subject: sm501: Replace hand written implementation with pixman where possible - -Git-commit: b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4 -References: bsc#1172385, CVE-2020-12829 - -Besides being faster this should also prevent malicious guests to -abuse 2D engine to overwrite data or cause a crash. - -Signed-off-by: BALATON Zoltan -Message-id: 58666389b6cae256e4e972a32c05cf8aa51bffc0.1590089984.git.balaton@eik.bme.hu -Signed-off-by: Gerd Hoffmann -Signed-off-by: Bruce Rogers ---- - hw/display/sm501.c | 207 ++++++++++++++++++++++++++------------------- - 1 file changed, 119 insertions(+), 88 deletions(-) - -diff --git a/hw/display/sm501.c b/hw/display/sm501.c -index 4204b80f988815200120852d64ec..745d25c2fb248baf3f01970bbb61 100644 ---- a/hw/display/sm501.c -+++ b/hw/display/sm501.c -@@ -706,13 +706,12 @@ static void sm501_2d_operation(SM501State *s) - /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */ - int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1; - int rop = s->twoD_control & 0xFF; -- int dst_x = (s->twoD_destination >> 16) & 0x01FFF; -- int dst_y = s->twoD_destination & 0xFFFF; -- int width = (s->twoD_dimension >> 16) & 0x1FFF; -- int height = s->twoD_dimension & 0xFFFF; -+ unsigned int dst_x = (s->twoD_destination >> 16) & 0x01FFF; -+ unsigned int dst_y = s->twoD_destination & 0xFFFF; -+ unsigned int width = (s->twoD_dimension >> 16) & 0x1FFF; -+ unsigned int height = s->twoD_dimension & 0xFFFF; - uint32_t dst_base = s->twoD_destination_base & 0x03FFFFFF; -- uint8_t *dst = s->local_mem + dst_base; -- int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF; -+ unsigned int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF; - int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0; - int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt); - -@@ -721,104 +720,136 @@ static void sm501_2d_operation(SM501State *s) - return; - } - -- if (rop_mode == 0) { -- if (rop != 0xcc) { -- /* Anything other than plain copies are not supported */ -- qemu_log_mask(LOG_UNIMP, "sm501: rop3 mode with rop %x is not " -- "supported.\n", rop); -- } -- } else { -- if (rop2_source_is_pattern && rop != 0x5) { -- /* For pattern source, we support only inverse dest */ -- qemu_log_mask(LOG_UNIMP, "sm501: rop2 source being the pattern and " -- "rop %x is not supported.\n", rop); -- } else { -- if (rop != 0x5 && rop != 0xc) { -- /* Anything other than plain copies or inverse dest is not -- * supported */ -- qemu_log_mask(LOG_UNIMP, "sm501: rop mode %x is not " -- "supported.\n", rop); -- } -- } -- } -- - if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) { - qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n"); - return; - } - -+ if (!dst_pitch) { -+ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero dest pitch.\n"); -+ return; -+ } -+ -+ if (!width || !height) { -+ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero size 2D op.\n"); -+ return; -+ } -+ -+ if (rtl) { -+ dst_x -= width - 1; -+ dst_y -= height - 1; -+ } -+ -+ if (dst_base >= get_local_mem_size(s) || dst_base + -+ (dst_x + width + (dst_y + height) * (dst_pitch + width)) * -+ (1 << format) >= get_local_mem_size(s)) { -+ qemu_log_mask(LOG_GUEST_ERROR, "sm501: 2D op dest is outside vram.\n"); -+ return; -+ } -+ - switch (cmd) { -- case 0x00: /* copy area */ -+ case 0: /* BitBlt */ - { -- int src_x = (s->twoD_source >> 16) & 0x01FFF; -- int src_y = s->twoD_source & 0xFFFF; -+ unsigned int src_x = (s->twoD_source >> 16) & 0x01FFF; -+ unsigned int src_y = s->twoD_source & 0xFFFF; - uint32_t src_base = s->twoD_source_base & 0x03FFFFFF; -- uint8_t *src = s->local_mem + src_base; -- int src_pitch = s->twoD_pitch & 0x1FFF; -- --#define COPY_AREA(_bpp, _pixel_type, rtl) { \ -- int y, x, index_d, index_s; \ -- for (y = 0; y < height; y++) { \ -- for (x = 0; x < width; x++) { \ -- _pixel_type val; \ -- \ -- if (rtl) { \ -- index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \ -- index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \ -- } else { \ -- index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \ -- index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \ -- } \ -- if (rop_mode == 1 && rop == 5) { \ -- /* Invert dest */ \ -- val = ~*(_pixel_type *)&dst[index_d]; \ -- } else { \ -- val = *(_pixel_type *)&src[index_s]; \ -- } \ -- *(_pixel_type *)&dst[index_d] = val; \ -- } \ -- } \ -- } -- switch (format) { -- case 0: -- COPY_AREA(1, uint8_t, rtl); -- break; -- case 1: -- COPY_AREA(2, uint16_t, rtl); -- break; -- case 2: -- COPY_AREA(4, uint32_t, rtl); -- break; -+ unsigned int src_pitch = s->twoD_pitch & 0x1FFF; -+ -+ if (!src_pitch) { -+ qemu_log_mask(LOG_GUEST_ERROR, "sm501: Zero src pitch.\n"); -+ return; -+ } -+ -+ if (rtl) { -+ src_x -= width - 1; -+ src_y -= height - 1; -+ } -+ -+ if (src_base >= get_local_mem_size(s) || src_base + -+ (src_x + width + (src_y + height) * (src_pitch + width)) * -+ (1 << format) >= get_local_mem_size(s)) { -+ qemu_log_mask(LOG_GUEST_ERROR, -+ "sm501: 2D op src is outside vram.\n"); -+ return; -+ } -+ -+ if ((rop_mode && rop == 0x5) || (!rop_mode && rop == 0x55)) { -+ /* Invert dest, is there a way to do this with pixman? */ -+ unsigned int x, y, i; -+ uint8_t *d = s->local_mem + dst_base; -+ -+ for (y = 0; y < height; y++) { -+ i = (dst_x + (dst_y + y) * dst_pitch) * (1 << format); -+ for (x = 0; x < width; x++, i += (1 << format)) { -+ switch (format) { -+ case 0: -+ d[i] = ~d[i]; -+ break; -+ case 1: -+ *(uint16_t *)&d[i] = ~*(uint16_t *)&d[i]; -+ break; -+ case 2: -+ *(uint32_t *)&d[i] = ~*(uint32_t *)&d[i]; -+ break; -+ } -+ } -+ } -+ } else { -+ /* Do copy src for unimplemented ops, better than unpainted area */ -+ if ((rop_mode && (rop != 0xc || rop2_source_is_pattern)) || -+ (!rop_mode && rop != 0xcc)) { -+ qemu_log_mask(LOG_UNIMP, -+ "sm501: rop%d op %x%s not implemented\n", -+ (rop_mode ? 2 : 3), rop, -+ (rop2_source_is_pattern ? -+ " with pattern source" : "")); -+ } -+ /* Check for overlaps, this could be made more exact */ -+ uint32_t sb, se, db, de; -+ sb = src_base + src_x + src_y * (width + src_pitch); -+ se = sb + width + height * (width + src_pitch); -+ db = dst_base + dst_x + dst_y * (width + dst_pitch); -+ de = db + width + height * (width + dst_pitch); -+ if (rtl && ((db >= sb && db <= se) || (de >= sb && de <= se))) { -+ /* regions may overlap: copy via temporary */ -+ int llb = width * (1 << format); -+ int tmp_stride = DIV_ROUND_UP(llb, sizeof(uint32_t)); -+ uint32_t *tmp = g_malloc(tmp_stride * sizeof(uint32_t) * -+ height); -+ pixman_blt((uint32_t *)&s->local_mem[src_base], tmp, -+ src_pitch * (1 << format) / sizeof(uint32_t), -+ tmp_stride, 8 * (1 << format), 8 * (1 << format), -+ src_x, src_y, 0, 0, width, height); -+ pixman_blt(tmp, (uint32_t *)&s->local_mem[dst_base], -+ tmp_stride, -+ dst_pitch * (1 << format) / sizeof(uint32_t), -+ 8 * (1 << format), 8 * (1 << format), -+ 0, 0, dst_x, dst_y, width, height); -+ g_free(tmp); -+ } else { -+ pixman_blt((uint32_t *)&s->local_mem[src_base], -+ (uint32_t *)&s->local_mem[dst_base], -+ src_pitch * (1 << format) / sizeof(uint32_t), -+ dst_pitch * (1 << format) / sizeof(uint32_t), -+ 8 * (1 << format), 8 * (1 << format), -+ src_x, src_y, dst_x, dst_y, width, height); -+ } - } - break; - } -- case 0x01: /* fill rectangle */ -+ case 1: /* Rectangle Fill */ - { - uint32_t color = s->twoD_foreground; - --#define FILL_RECT(_bpp, _pixel_type) { \ -- int y, x; \ -- for (y = 0; y < height; y++) { \ -- for (x = 0; x < width; x++) { \ -- int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \ -- *(_pixel_type *)&dst[index] = (_pixel_type)color; \ -- } \ -- } \ -- } -- -- switch (format) { -- case 0: -- FILL_RECT(1, uint8_t); -- break; -- case 1: -- color = cpu_to_le16(color); -- FILL_RECT(2, uint16_t); -- break; -- case 2: -+ if (format == 2) { - color = cpu_to_le32(color); -- FILL_RECT(4, uint32_t); -- break; -+ } else if (format == 1) { -+ color = cpu_to_le16(color); - } -+ -+ pixman_fill((uint32_t *)&s->local_mem[dst_base], -+ dst_pitch * (1 << format) / sizeof(uint32_t), -+ 8 * (1 << format), dst_x, dst_y, width, height, color); - break; - } - default: diff --git a/packaging/sm501-Shorten-long-variable-names-in-sm5.patch b/packaging/sm501-Shorten-long-variable-names-in-sm5.patch deleted file mode 100644 index 4b271c70a..000000000 --- a/packaging/sm501-Shorten-long-variable-names-in-sm5.patch +++ /dev/null @@ -1,134 +0,0 @@ -From: BALATON Zoltan -Date: Thu, 21 May 2020 21:39:44 +0200 -Subject: sm501: Shorten long variable names in sm501_2d_operation - -Git-commit: 6f8183b5dc5b309378687830a25e85ea8fb860ea -References: bsc#1172385, CVE-2020-12829 - -This increases readability and cleans up some confusing naming. - -Signed-off-by: BALATON Zoltan -Message-id: b9b67b94c46e945252a73c77dfd117132c63c4fb.1590089984.git.balaton@eik.bme.hu -Signed-off-by: Gerd Hoffmann -Signed-off-by: Bruce Rogers ---- - hw/display/sm501.c | 45 ++++++++++++++++++++++----------------------- - 1 file changed, 22 insertions(+), 23 deletions(-) - -diff --git a/hw/display/sm501.c b/hw/display/sm501.c -index 880c2f0469bb1cee63c115932ab0..bb2672c9a30a83ea8a0b2c436438 100644 ---- a/hw/display/sm501.c -+++ b/hw/display/sm501.c -@@ -700,17 +700,16 @@ static inline void hwc_invalidate(SM501State *s, int crt) - static void sm501_2d_operation(SM501State *s) - { - /* obtain operation parameters */ -- int operation = (s->twoD_control >> 16) & 0x1f; -+ int cmd = (s->twoD_control >> 16) & 0x1F; - int rtl = s->twoD_control & 0x8000000; - int src_x = (s->twoD_source >> 16) & 0x01FFF; - int src_y = s->twoD_source & 0xFFFF; - int dst_x = (s->twoD_destination >> 16) & 0x01FFF; - int dst_y = s->twoD_destination & 0xFFFF; -- int operation_width = (s->twoD_dimension >> 16) & 0x1FFF; -- int operation_height = s->twoD_dimension & 0xFFFF; -+ int width = (s->twoD_dimension >> 16) & 0x1FFF; -+ int height = s->twoD_dimension & 0xFFFF; - uint32_t color = s->twoD_foreground; -- int format_flags = (s->twoD_stretch >> 20) & 0x3; -- int addressing = (s->twoD_stretch >> 16) & 0xF; -+ int format = (s->twoD_stretch >> 20) & 0x3; - int rop_mode = (s->twoD_control >> 15) & 0x1; /* 1 for rop2, else rop3 */ - /* 1 if rop2 source is the pattern, otherwise the source is the bitmap */ - int rop2_source_is_pattern = (s->twoD_control >> 14) & 0x1; -@@ -721,12 +720,12 @@ static void sm501_2d_operation(SM501State *s) - /* get frame buffer info */ - uint8_t *src = s->local_mem + src_base; - uint8_t *dst = s->local_mem + dst_base; -- int src_width = s->twoD_pitch & 0x1FFF; -- int dst_width = (s->twoD_pitch >> 16) & 0x1FFF; -+ int src_pitch = s->twoD_pitch & 0x1FFF; -+ int dst_pitch = (s->twoD_pitch >> 16) & 0x1FFF; - int crt = (s->dc_crt_control & SM501_DC_CRT_CONTROL_SEL) ? 1 : 0; - int fb_len = get_width(s, crt) * get_height(s, crt) * get_bpp(s, crt); - -- if (addressing != 0x0) { -+ if ((s->twoD_stretch >> 16) & 0xF) { - qemu_log_mask(LOG_UNIMP, "sm501: only XY addressing is supported.\n"); - return; - } -@@ -758,20 +757,20 @@ static void sm501_2d_operation(SM501State *s) - return; - } - -- switch (operation) { -+ switch (cmd) { - case 0x00: /* copy area */ - #define COPY_AREA(_bpp, _pixel_type, rtl) { \ - int y, x, index_d, index_s; \ -- for (y = 0; y < operation_height; y++) { \ -- for (x = 0; x < operation_width; x++) { \ -+ for (y = 0; y < height; y++) { \ -+ for (x = 0; x < width; x++) { \ - _pixel_type val; \ - \ - if (rtl) { \ -- index_s = ((src_y - y) * src_width + src_x - x) * _bpp; \ -- index_d = ((dst_y - y) * dst_width + dst_x - x) * _bpp; \ -+ index_s = ((src_y - y) * src_pitch + src_x - x) * _bpp; \ -+ index_d = ((dst_y - y) * dst_pitch + dst_x - x) * _bpp; \ - } else { \ -- index_s = ((src_y + y) * src_width + src_x + x) * _bpp; \ -- index_d = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \ -+ index_s = ((src_y + y) * src_pitch + src_x + x) * _bpp; \ -+ index_d = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \ - } \ - if (rop_mode == 1 && rop == 5) { \ - /* Invert dest */ \ -@@ -783,7 +782,7 @@ static void sm501_2d_operation(SM501State *s) - } \ - } \ - } -- switch (format_flags) { -+ switch (format) { - case 0: - COPY_AREA(1, uint8_t, rtl); - break; -@@ -799,15 +798,15 @@ static void sm501_2d_operation(SM501State *s) - case 0x01: /* fill rectangle */ - #define FILL_RECT(_bpp, _pixel_type) { \ - int y, x; \ -- for (y = 0; y < operation_height; y++) { \ -- for (x = 0; x < operation_width; x++) { \ -- int index = ((dst_y + y) * dst_width + dst_x + x) * _bpp; \ -+ for (y = 0; y < height; y++) { \ -+ for (x = 0; x < width; x++) { \ -+ int index = ((dst_y + y) * dst_pitch + dst_x + x) * _bpp; \ - *(_pixel_type *)&dst[index] = (_pixel_type)color; \ - } \ - } \ - } - -- switch (format_flags) { -+ switch (format) { - case 0: - FILL_RECT(1, uint8_t); - break; -@@ -824,14 +823,14 @@ static void sm501_2d_operation(SM501State *s) - - default: - qemu_log_mask(LOG_UNIMP, "sm501: not implemented 2D operation: %d\n", -- operation); -+ cmd); - return; - } - - if (dst_base >= get_fb_addr(s, crt) && - dst_base <= get_fb_addr(s, crt) + fb_len) { -- int dst_len = MIN(fb_len, ((dst_y + operation_height - 1) * dst_width + -- dst_x + operation_width) * (1 << format_flags)); -+ int dst_len = MIN(fb_len, ((dst_y + height - 1) * dst_pitch + -+ dst_x + width) * (1 << format)); - if (dst_len) { - memory_region_set_dirty(&s->local_mem_region, dst_base, dst_len); - } diff --git a/packaging/sm501-Use-BIT-x-macro-to-shorten-constan.patch b/packaging/sm501-Use-BIT-x-macro-to-shorten-constan.patch deleted file mode 100644 index 319b97779..000000000 --- a/packaging/sm501-Use-BIT-x-macro-to-shorten-constan.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: BALATON Zoltan -Date: Thu, 21 May 2020 21:39:44 +0200 -Subject: sm501: Use BIT(x) macro to shorten constant -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 2824809b7f8f03ddc6e2b7e33e78c06022424298 -References: bsc#1172385, CVE-2020-12829 - -Signed-off-by: BALATON Zoltan -Reviewed-by: Philippe Mathieu-Daudé -Message-id: 124bf5de8d7cf503b32b377d0445029a76bfbd49.1590089984.git.balaton@eik.bme.hu -Signed-off-by: Gerd Hoffmann -Signed-off-by: Bruce Rogers ---- - hw/display/sm501.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/hw/display/sm501.c b/hw/display/sm501.c -index bb2672c9a30a83ea8a0b2c436438..d0e92fff336de06e99577a5ded96 100644 ---- a/hw/display/sm501.c -+++ b/hw/display/sm501.c -@@ -701,7 +701,7 @@ static void sm501_2d_operation(SM501State *s) - { - /* obtain operation parameters */ - int cmd = (s->twoD_control >> 16) & 0x1F; -- int rtl = s->twoD_control & 0x8000000; -+ int rtl = s->twoD_control & BIT(27); - int src_x = (s->twoD_source >> 16) & 0x01FFF; - int src_y = s->twoD_source & 0xFFFF; - int dst_x = (s->twoD_destination >> 16) & 0x01FFF; -@@ -751,8 +751,7 @@ static void sm501_2d_operation(SM501State *s) - } - } - -- if ((s->twoD_source_base & 0x08000000) || -- (s->twoD_destination_base & 0x08000000)) { -+ if (s->twoD_source_base & BIT(27) || s->twoD_destination_base & BIT(27)) { - qemu_log_mask(LOG_UNIMP, "sm501: only local memory is supported.\n"); - return; - } diff --git a/packaging/spapr_pci-add-spapr-msi-read-method.patch b/packaging/spapr_pci-add-spapr-msi-read-method.patch deleted file mode 100644 index 432b8053b..000000000 --- a/packaging/spapr_pci-add-spapr-msi-read-method.patch +++ /dev/null @@ -1,60 +0,0 @@ -From: Prasad J Pandit -Date: Tue, 11 Aug 2020 17:11:30 +0530 -Subject: spapr_pci: add spapr msi read method - -Git-commit: 921604e175b8ec06c39503310e7b3ec1e3eafe9e -References: bsc#1173612, CVE-2020-15469 - -Add spapr msi mmio read method to avoid NULL pointer dereference -issue. - -Reported-by: Lei Sun -Acked-by: David Gibson -Reviewed-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-Id: <20200811114133.672647-7-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Bruce Rogers ---- - hw/ppc/spapr_pci.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c -index 5b544adb4a4d7868cf17d6534e19..74debaddfb0574f95ba71957a304 100644 ---- a/hw/ppc/spapr_pci.c -+++ b/hw/ppc/spapr_pci.c -@@ -52,6 +52,7 @@ - #include "sysemu/kvm.h" - #include "sysemu/hostmem.h" - #include "sysemu/numa.h" -+#include "qemu/log.h" - - /* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */ - #define RTAS_QUERY_FN 0 -@@ -738,6 +739,12 @@ static PCIINTxRoute spapr_route_intx_pin_to_irq(void *opaque, int pin) - return route; - } - -+static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size) -+{ -+ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); -+ return 0; -+} -+ - /* - * MSI/MSIX memory region implementation. - * The handler handles both MSI and MSIX. -@@ -755,8 +762,11 @@ static void spapr_msi_write(void *opaque, hwaddr addr, - } - - static const MemoryRegionOps spapr_msi_ops = { -- /* There is no .read as the read result is undefined by PCI spec */ -- .read = NULL, -+ /* -+ * .read result is undefined by PCI spec. -+ * define .read method to avoid assert failure in memory_region_init_io -+ */ -+ .read = spapr_msi_read, - .write = spapr_msi_write, - .endianness = DEVICE_LITTLE_ENDIAN - }; diff --git a/packaging/stub-out-the-SAN-req-s-in-int13.patch b/packaging/stub-out-the-SAN-req-s-in-int13.patch deleted file mode 100644 index 5032eb9af..000000000 --- a/packaging/stub-out-the-SAN-req-s-in-int13.patch +++ /dev/null @@ -1,106 +0,0 @@ -From: Bruce Rogers -Date: Mon, 24 Jul 2017 10:44:24 -0600 -Subject: stub out the SAN req's in int13 - -Include-If: %if 0%{?patch-possibly-applied-elsewhere} - -We need to find some code or data to change so we can make the rom fit -into the legacy size requirements. Comment out SAN support, and -hopefully nobody will be impacted. - -Signed-off-by: Bruce Rogers ---- - src/arch/x86/interface/pcbios/int13.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/roms/ipxe/src/arch/x86/interface/pcbios/int13.c b/roms/ipxe/src/arch/x86/interface/pcbios/int13.c -index ca789a0d154e1fe3c2508a3aefea..40c61419c0c134120d1ce7c81a1e 100644 ---- a/roms/ipxe/src/arch/x86/interface/pcbios/int13.c -+++ b/roms/ipxe/src/arch/x86/interface/pcbios/int13.c -@@ -23,6 +23,12 @@ - - FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL ); - -+#define INCLUDE_SAN_HOOKS 0 -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wunused-parameter" -+#pragma GCC diagnostic ignored "-Wunused-function" -+#pragma GCC diagnostic ignored "-Wunused-variable" -+ - #include - #include - #include -@@ -1243,6 +1249,7 @@ static void int13_unhook_vector ( void ) { - */ - static int int13_hook ( unsigned int drive, struct uri **uris, - unsigned int count, unsigned int flags ) { -+#if INCLUDE_SAN_HOOKS - struct san_device *sandev; - struct int13_data *int13; - unsigned int natural_drive; -@@ -1315,6 +1322,9 @@ static int int13_hook ( unsigned int drive, struct uri **uris, - sandev_put ( sandev ); - err_alloc: - return rc; -+#else -+ return -1; -+#endif - } - - /** -@@ -1328,6 +1338,7 @@ static int int13_hook ( unsigned int drive, struct uri **uris, - */ - static void int13_unhook ( unsigned int drive ) { - struct san_device *sandev; -+#if INCLUDE_SAN_HOOKS - - /* Find drive */ - sandev = sandev_find ( drive ); -@@ -1353,6 +1364,7 @@ static void int13_unhook ( unsigned int drive ) { - - /* Drop reference to drive */ - sandev_put ( sandev ); -+#endif - } - - /** -@@ -1514,6 +1526,7 @@ static int int13_load_eltorito ( unsigned int drive, struct segoff *address ) { - * Note that this function can never return success, by definition. - */ - static int int13_boot ( unsigned int drive, const char *filename __unused ) { -+#if INCLUDE_SAN_HOOKS - struct memory_map memmap; - struct segoff address; - int rc; -@@ -1539,6 +1552,9 @@ static int int13_boot ( unsigned int drive, const char *filename __unused ) { - } - - return -ECANCELED; /* -EIMPOSSIBLE */ -+#else -+ return -1; -+#endif - } - - /** Maximum size of boot firmware table(s) */ -@@ -1605,6 +1621,7 @@ static int int13_install ( struct acpi_header *acpi ) { - * @ret rc Return status code - */ - static int int13_describe ( void ) { -+#if INCLUDE_SAN_HOOKS - int rc; - - /* Clear tables */ -@@ -1619,9 +1636,13 @@ static int int13_describe ( void ) { - } - - return 0; -+#else -+ return -1; -+#endif - } - - PROVIDE_SANBOOT ( pcbios, san_hook, int13_hook ); - PROVIDE_SANBOOT ( pcbios, san_unhook, int13_unhook ); - PROVIDE_SANBOOT ( pcbios, san_boot, int13_boot ); - PROVIDE_SANBOOT ( pcbios, san_describe, int13_describe ); -+#pragma GCC diagnostic pop diff --git a/packaging/sungem-switch-to-use-qemu_receive_packet.patch b/packaging/sungem-switch-to-use-qemu_receive_packet.patch deleted file mode 100644 index fdd9a4a41..000000000 --- a/packaging/sungem-switch-to-use-qemu_receive_packet.patch +++ /dev/null @@ -1,38 +0,0 @@ -From: Jason Wang -Date: Wed, 24 Feb 2021 13:14:35 +0800 -Subject: sungem: switch to use qemu_receive_packet() for loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 8c92060d3c0248bd4d515719a35922cd2391b9b4 - -This patch switches to use qemu_receive_packet() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Reviewed-by: Mark Cave-Ayland -Reviewed-by: Philippe Mathieu-Daudé -Reviewed-by: Alistair Francis -Signed-off-by: Jason Wang -Signed-off-by: Bruce Rogers ---- - hw/net/sungem.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/sungem.c b/hw/net/sungem.c -index f31d41ac5b87ae9e1b5a45d6e084..8b202b5c15d5562416a71ce4c0ea 100644 ---- a/hw/net/sungem.c -+++ b/hw/net/sungem.c -@@ -305,7 +305,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf, - NetClientState *nc = qemu_get_queue(s->nic); - - if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) { -- nc->info->receive(nc, buf, size); -+ qemu_receive_packet(nc, buf, size); - } else { - qemu_send_packet(nc, buf, size); - } diff --git a/packaging/target-i386-Add-missed-features-to-Coope.patch b/packaging/target-i386-Add-missed-features-to-Coope.patch deleted file mode 100644 index b90246597..000000000 --- a/packaging/target-i386-Add-missed-features-to-Coope.patch +++ /dev/null @@ -1,88 +0,0 @@ -From: Xiaoyao Li -Date: Wed, 8 Jan 2020 13:32:40 +0100 -Subject: target/i386: Add missed features to Cooperlake CPU model - -Git-commit: 2dea9d9ca4ea7e9afe83d0b4153b21a16987e866 -References: jsc#SLE-7923 - -It lacks VMX features and two security feature bits (disclosed recently) in -MSR_IA32_ARCH_CAPABILITIES in current Cooperlake CPU model, so add them. - -Fixes: 22a866b6166d ("i386: Add new CPU model Cooperlake") -Signed-off-by: Xiaoyao Li -Message-Id: <20191225063018.20038-3-xiaoyao.li@intel.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Bruce Rogers ---- - target/i386/cpu.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 50 insertions(+), 1 deletion(-) - -diff --git a/target/i386/cpu.c b/target/i386/cpu.c -index 8a1993ac64bd763b7bb70c98b8b8..876bd166652365397514ada0dec7 100644 ---- a/target/i386/cpu.c -+++ b/target/i386/cpu.c -@@ -3201,7 +3201,8 @@ static X86CPUDefinition builtin_x86_defs[] = { - CPUID_7_0_EDX_SPEC_CTRL_SSBD | CPUID_7_0_EDX_ARCH_CAPABILITIES, - .features[FEAT_ARCH_CAPABILITIES] = - MSR_ARCH_CAP_RDCL_NO | MSR_ARCH_CAP_IBRS_ALL | -- MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY | MSR_ARCH_CAP_MDS_NO, -+ MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY | MSR_ARCH_CAP_MDS_NO | -+ MSR_ARCH_CAP_PSCHANGE_MC_NO | MSR_ARCH_CAP_TAA_NO, - .features[FEAT_7_1_EAX] = - CPUID_7_1_EAX_AVX512_BF16, - /* -@@ -3216,6 +3217,54 @@ static X86CPUDefinition builtin_x86_defs[] = { - CPUID_XSAVE_XGETBV1, - .features[FEAT_6_EAX] = - CPUID_6_EAX_ARAT, -+ /* Missing: Mode-based execute control (XS/XU), processor tracing, TSC scaling */ -+ .features[FEAT_VMX_BASIC] = MSR_VMX_BASIC_INS_OUTS | -+ MSR_VMX_BASIC_TRUE_CTLS, -+ .features[FEAT_VMX_ENTRY_CTLS] = VMX_VM_ENTRY_IA32E_MODE | -+ VMX_VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL | VMX_VM_ENTRY_LOAD_IA32_PAT | -+ VMX_VM_ENTRY_LOAD_DEBUG_CONTROLS | VMX_VM_ENTRY_LOAD_IA32_EFER, -+ .features[FEAT_VMX_EPT_VPID_CAPS] = MSR_VMX_EPT_EXECONLY | -+ MSR_VMX_EPT_PAGE_WALK_LENGTH_4 | MSR_VMX_EPT_WB | MSR_VMX_EPT_2MB | -+ MSR_VMX_EPT_1GB | MSR_VMX_EPT_INVEPT | -+ MSR_VMX_EPT_INVEPT_SINGLE_CONTEXT | MSR_VMX_EPT_INVEPT_ALL_CONTEXT | -+ MSR_VMX_EPT_INVVPID | MSR_VMX_EPT_INVVPID_SINGLE_ADDR | -+ MSR_VMX_EPT_INVVPID_SINGLE_CONTEXT | MSR_VMX_EPT_INVVPID_ALL_CONTEXT | -+ MSR_VMX_EPT_INVVPID_SINGLE_CONTEXT_NOGLOBALS | MSR_VMX_EPT_AD_BITS, -+ .features[FEAT_VMX_EXIT_CTLS] = -+ VMX_VM_EXIT_ACK_INTR_ON_EXIT | VMX_VM_EXIT_SAVE_DEBUG_CONTROLS | -+ VMX_VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL | -+ VMX_VM_EXIT_LOAD_IA32_PAT | VMX_VM_EXIT_LOAD_IA32_EFER | -+ VMX_VM_EXIT_SAVE_IA32_PAT | VMX_VM_EXIT_SAVE_IA32_EFER | -+ VMX_VM_EXIT_SAVE_VMX_PREEMPTION_TIMER, -+ .features[FEAT_VMX_MISC] = MSR_VMX_MISC_ACTIVITY_HLT | -+ MSR_VMX_MISC_STORE_LMA | MSR_VMX_MISC_VMWRITE_VMEXIT, -+ .features[FEAT_VMX_PINBASED_CTLS] = VMX_PIN_BASED_EXT_INTR_MASK | -+ VMX_PIN_BASED_NMI_EXITING | VMX_PIN_BASED_VIRTUAL_NMIS | -+ VMX_PIN_BASED_VMX_PREEMPTION_TIMER | VMX_PIN_BASED_POSTED_INTR, -+ .features[FEAT_VMX_PROCBASED_CTLS] = VMX_CPU_BASED_VIRTUAL_INTR_PENDING | -+ VMX_CPU_BASED_USE_TSC_OFFSETING | VMX_CPU_BASED_HLT_EXITING | -+ VMX_CPU_BASED_INVLPG_EXITING | VMX_CPU_BASED_MWAIT_EXITING | -+ VMX_CPU_BASED_RDPMC_EXITING | VMX_CPU_BASED_RDTSC_EXITING | -+ VMX_CPU_BASED_CR8_LOAD_EXITING | VMX_CPU_BASED_CR8_STORE_EXITING | -+ VMX_CPU_BASED_TPR_SHADOW | VMX_CPU_BASED_MOV_DR_EXITING | -+ VMX_CPU_BASED_UNCOND_IO_EXITING | VMX_CPU_BASED_USE_IO_BITMAPS | -+ VMX_CPU_BASED_MONITOR_EXITING | VMX_CPU_BASED_PAUSE_EXITING | -+ VMX_CPU_BASED_VIRTUAL_NMI_PENDING | VMX_CPU_BASED_USE_MSR_BITMAPS | -+ VMX_CPU_BASED_CR3_LOAD_EXITING | VMX_CPU_BASED_CR3_STORE_EXITING | -+ VMX_CPU_BASED_MONITOR_TRAP_FLAG | -+ VMX_CPU_BASED_ACTIVATE_SECONDARY_CONTROLS, -+ .features[FEAT_VMX_SECONDARY_CTLS] = -+ VMX_SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES | -+ VMX_SECONDARY_EXEC_WBINVD_EXITING | VMX_SECONDARY_EXEC_ENABLE_EPT | -+ VMX_SECONDARY_EXEC_DESC | VMX_SECONDARY_EXEC_RDTSCP | -+ VMX_SECONDARY_EXEC_VIRTUALIZE_X2APIC_MODE | -+ VMX_SECONDARY_EXEC_ENABLE_VPID | VMX_SECONDARY_EXEC_UNRESTRICTED_GUEST | -+ VMX_SECONDARY_EXEC_APIC_REGISTER_VIRT | -+ VMX_SECONDARY_EXEC_VIRTUAL_INTR_DELIVERY | -+ VMX_SECONDARY_EXEC_RDRAND_EXITING | VMX_SECONDARY_EXEC_ENABLE_INVPCID | -+ VMX_SECONDARY_EXEC_ENABLE_VMFUNC | VMX_SECONDARY_EXEC_SHADOW_VMCS | -+ VMX_SECONDARY_EXEC_RDSEED_EXITING | VMX_SECONDARY_EXEC_ENABLE_PML, -+ .features[FEAT_VMX_VMFUNC] = MSR_VMX_VMFUNC_EPT_SWITCHING, - .xlevel = 0x80000008, - .model_id = "Intel Xeon Processor (Cooperlake)", - }, diff --git a/packaging/target-i386-Add-new-bit-definitions-of-M.patch b/packaging/target-i386-Add-new-bit-definitions-of-M.patch deleted file mode 100644 index 7db2d291f..000000000 --- a/packaging/target-i386-Add-new-bit-definitions-of-M.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Xiaoyao Li -Date: Wed, 8 Jan 2020 13:32:39 +0100 -Subject: target/i386: Add new bit definitions of MSR_IA32_ARCH_CAPABILITIES - -Git-commit: 6c997b4adb300788d61d72e2b8bc67c03a584956 -References: jsc#SLE-7923 - -The bit 6, 7 and 8 of MSR_IA32_ARCH_CAPABILITIES are recently disclosed -for some security issues. Add the definitions for them to be used by named -CPU models. - -Signed-off-by: Xiaoyao Li -Message-Id: <20191225063018.20038-2-xiaoyao.li@intel.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Bruce Rogers ---- - target/i386/cpu.h | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/target/i386/cpu.h b/target/i386/cpu.h -index af282936a785a25f651d0db1a8cf..594326a7946798aba6ac42415164 100644 ---- a/target/i386/cpu.h -+++ b/target/i386/cpu.h -@@ -835,12 +835,15 @@ typedef uint64_t FeatureWordArray[FEATURE_WORDS]; - #define CPUID_TOPOLOGY_LEVEL_DIE (5U << 8) - - /* MSR Feature Bits */ --#define MSR_ARCH_CAP_RDCL_NO (1U << 0) --#define MSR_ARCH_CAP_IBRS_ALL (1U << 1) --#define MSR_ARCH_CAP_RSBA (1U << 2) -+#define MSR_ARCH_CAP_RDCL_NO (1U << 0) -+#define MSR_ARCH_CAP_IBRS_ALL (1U << 1) -+#define MSR_ARCH_CAP_RSBA (1U << 2) - #define MSR_ARCH_CAP_SKIP_L1DFL_VMENTRY (1U << 3) --#define MSR_ARCH_CAP_SSB_NO (1U << 4) --#define MSR_ARCH_CAP_MDS_NO (1U << 5) -+#define MSR_ARCH_CAP_SSB_NO (1U << 4) -+#define MSR_ARCH_CAP_MDS_NO (1U << 5) -+#define MSR_ARCH_CAP_PSCHANGE_MC_NO (1U << 6) -+#define MSR_ARCH_CAP_TSX_CTRL_MSR (1U << 7) -+#define MSR_ARCH_CAP_TAA_NO (1U << 8) - - #define MSR_CORE_CAP_SPLIT_LOCK_DETECT (1U << 5) - diff --git a/packaging/target-i386-add-a-ucode-rev-property.patch b/packaging/target-i386-add-a-ucode-rev-property.patch deleted file mode 100644 index 383dede36..000000000 --- a/packaging/target-i386-add-a-ucode-rev-property.patch +++ /dev/null @@ -1,114 +0,0 @@ -From: Paolo Bonzini -Date: Mon, 20 Jan 2020 19:21:43 +0100 -Subject: target/i386: add a ucode-rev property - -Git-commit: 4e45aff398cd1542c2a384a2a3b8600f23337d86 -References: jsc#SLE-17785 - -Add the property and plumb it in TCG and HVF (the latter of which -tried to support returning a constant value but used the wrong MSR). - -Signed-off-by: Paolo Bonzini -Message-Id: <1579544504-3616-3-git-send-email-pbonzini@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Dario Faggioli ---- - target/i386/cpu.c | 10 ++++++++++ - target/i386/cpu.h | 3 +++ - target/i386/hvf/x86_emu.c | 4 +--- - target/i386/misc_helper.c | 4 ++++ - 4 files changed, 18 insertions(+), 3 deletions(-) - -diff --git a/target/i386/cpu.c b/target/i386/cpu.c -index 876bd166652365397514ada0dec7..88f4ad18300d3d1311282e7d8b15 100644 ---- a/target/i386/cpu.c -+++ b/target/i386/cpu.c -@@ -6432,6 +6432,15 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp) - } - } - -+ if (cpu->ucode_rev == 0) { -+ /* The default is the same as KVM's. */ -+ if (IS_AMD_CPU(env)) { -+ cpu->ucode_rev = 0x01000065; -+ } else { -+ cpu->ucode_rev = 0x100000000ULL; -+ } -+ } -+ - /* mwait extended info: needed for Core compatibility */ - /* We always wake on interrupt even if host does not have the capability */ - cpu->mwait.ecx |= CPUID_MWAIT_EMX | CPUID_MWAIT_IBE; -@@ -7115,6 +7124,7 @@ static Property x86_cpu_properties[] = { - DEFINE_PROP_UINT32("min-level", X86CPU, env.cpuid_min_level, 0), - DEFINE_PROP_UINT32("min-xlevel", X86CPU, env.cpuid_min_xlevel, 0), - DEFINE_PROP_UINT32("min-xlevel2", X86CPU, env.cpuid_min_xlevel2, 0), -+ DEFINE_PROP_UINT64("ucode-rev", X86CPU, ucode_rev, 0), - DEFINE_PROP_BOOL("full-cpuid-auto-level", X86CPU, full_cpuid_auto_level, true), - DEFINE_PROP_STRING("hv-vendor-id", X86CPU, hyperv_vendor_id), - DEFINE_PROP_BOOL("cpuid-0xb", X86CPU, enable_cpuid_0xb, true), -diff --git a/target/i386/cpu.h b/target/i386/cpu.h -index 594326a7946798aba6ac42415164..7bfbf2a5e57d09dfbe8d02d0db1d 100644 ---- a/target/i386/cpu.h -+++ b/target/i386/cpu.h -@@ -348,6 +348,7 @@ typedef enum X86Seg { - #define MSR_IA32_SPEC_CTRL 0x48 - #define MSR_VIRT_SSBD 0xc001011f - #define MSR_IA32_PRED_CMD 0x49 -+#define MSR_IA32_UCODE_REV 0x8b - #define MSR_IA32_CORE_CAPABILITY 0xcf - - #define MSR_IA32_ARCH_CAPABILITIES 0x10a -@@ -1627,6 +1628,8 @@ struct X86CPU { - CPUNegativeOffsetState neg; - CPUX86State env; - -+ uint64_t ucode_rev; -+ - uint32_t hyperv_spinlock_attempts; - char *hyperv_vendor_id; - bool hyperv_synic_kvm_only; -diff --git a/target/i386/hvf/x86_emu.c b/target/i386/hvf/x86_emu.c -index 3df767209df5516d684f46ca300c..92ab815f5d6262b41cf3bbb43f0a 100644 ---- a/target/i386/hvf/x86_emu.c -+++ b/target/i386/hvf/x86_emu.c -@@ -664,8 +664,6 @@ static void exec_lods(struct CPUX86State *env, struct x86_decode *decode) - RIP(env) += decode->len; - } - --#define MSR_IA32_UCODE_REV 0x00000017 -- - void simulate_rdmsr(struct CPUState *cpu) - { - X86CPU *x86_cpu = X86_CPU(cpu); -@@ -681,7 +679,7 @@ void simulate_rdmsr(struct CPUState *cpu) - val = cpu_get_apic_base(X86_CPU(cpu)->apic_state); - break; - case MSR_IA32_UCODE_REV: -- val = (0x100000000ULL << 32) | 0x100000000ULL; -+ val = x86_cpu->ucode_rev; - break; - case MSR_EFER: - val = rvmcs(cpu->hvf_fd, VMCS_GUEST_IA32_EFER); -diff --git a/target/i386/misc_helper.c b/target/i386/misc_helper.c -index 3eff6885f8a63ff525008bc02477..aed16fe3f0255323f8dfc146078b 100644 ---- a/target/i386/misc_helper.c -+++ b/target/i386/misc_helper.c -@@ -229,6 +229,7 @@ void helper_rdmsr(CPUX86State *env) - #else - void helper_wrmsr(CPUX86State *env) - { -+ X86CPU *x86_cpu = env_archcpu(env); - uint64_t val; - - cpu_svm_check_intercept_param(env, SVM_EXIT_MSR, 1, GETPC()); -@@ -371,6 +372,9 @@ void helper_wrmsr(CPUX86State *env) - env->msr_bndcfgs = val; - cpu_sync_bndcs_hflags(env); - break; -+ case MSR_IA32_UCODE_REV: -+ val = x86_cpu->ucode_rev; -+ break; - default: - if ((uint32_t)env->regs[R_ECX] >= MSR_MC0_CTL - && (uint32_t)env->regs[R_ECX] < MSR_MC0_CTL + diff --git a/packaging/target-i386-check-for-availability-of-MS.patch b/packaging/target-i386-check-for-availability-of-MS.patch deleted file mode 100644 index b83e80d86..000000000 --- a/packaging/target-i386-check-for-availability-of-MS.patch +++ /dev/null @@ -1,59 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 11 Feb 2020 18:55:16 +0100 -Subject: target/i386: check for availability of MSR_IA32_UCODE_REV as an - emulated MSR - -Git-commit: 6702514814c7e7b4cbf179624539b5f38c72740b -References: jsc#SLE-17785 - -Even though MSR_IA32_UCODE_REV has been available long before Linux 5.6, -which added it to the emulated MSR list, a bug caused the microcode -version to revert to 0x100000000 on INIT. As a result, processors other -than the bootstrap processor would not see the host microcode revision; -some Windows version complain loudly about this and crash with a -fairly explicit MICROCODE REVISION MISMATCH error. - -[If running 5.6 prereleases, the kernel fix "KVM: x86: do not reset - microcode version on INIT or RESET" should also be applied.] - -Reported-by: Alex Williamson -Message-id: <20200211175516.10716-1-pbonzini@redhat.com> -Signed-off-by: Paolo Bonzini -[Dependant kernel patch is bsc#1183412, commit 16ce873] -Signed-off-by: Dario Faggioli ---- - target/i386/kvm.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/target/i386/kvm.c b/target/i386/kvm.c -index a735ce031810a5f122720a13a052..991052fa09c377d7ece7170e02f9 100644 ---- a/target/i386/kvm.c -+++ b/target/i386/kvm.c -@@ -105,6 +105,7 @@ static bool has_msr_smi_count; - static bool has_msr_arch_capabs; - static bool has_msr_core_capabs; - static bool has_msr_vmx_vmfunc; -+static bool has_msr_ucode_rev; - static bool has_msr_vmx_procbased_ctls2; - - static uint32_t has_architectural_pmu_version; -@@ -2064,6 +2065,9 @@ static int kvm_get_supported_msrs(KVMState *s) - case MSR_IA32_VMX_VMFUNC: - has_msr_vmx_vmfunc = true; - break; -+ case MSR_IA32_UCODE_REV: -+ has_msr_ucode_rev = true; -+ break; - case MSR_IA32_VMX_PROCBASED_CTLS2: - has_msr_vmx_procbased_ctls2 = true; - break; -@@ -2707,8 +2711,7 @@ static void kvm_init_msrs(X86CPU *cpu) - env->features[FEAT_CORE_CAPABILITY]); - } - -- if (kvm_arch_get_supported_msr_feature(kvm_state, -- MSR_IA32_UCODE_REV)) { -+ if (has_msr_ucode_rev) { - kvm_msr_entry_add(cpu, MSR_IA32_UCODE_REV, cpu->ucode_rev); - } - diff --git a/packaging/target-i386-enable-monitor-and-ucode-rev.patch b/packaging/target-i386-enable-monitor-and-ucode-rev.patch deleted file mode 100644 index 09a1ac741..000000000 --- a/packaging/target-i386-enable-monitor-and-ucode-rev.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: Paolo Bonzini -Date: Tue, 11 Feb 2020 18:47:48 +0100 -Subject: target/i386: enable monitor and ucode revision with -cpu max - -Git-commit: be02cda3afde60d219786e23c3f8edb53aec8e17 -References: jsc#SLE-17785 - -These two features were incorrectly tied to host_cpuid_required rather than -cpu->max_features. As a result, -cpu max was not enabling either MONITOR -features or ucode revision. - -Signed-off-by: Paolo Bonzini -Signed-off-by: Dario Faggioli ---- - target/i386/cpu.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/target/i386/cpu.c b/target/i386/cpu.c -index 17cc1e9a71f5bedc8917071be12b..53b72368d7de0ec2d5112ee4bd7f 100644 ---- a/target/i386/cpu.c -+++ b/target/i386/cpu.c -@@ -6424,7 +6424,9 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp) - g_free(name); - goto out; - } -+ } - -+ if (cpu->max_features && accel_uses_host_cpuid()) { - if (enable_cpu_pm) { - host_cpuid(5, 0, &cpu->mwait.eax, &cpu->mwait.ebx, - &cpu->mwait.ecx, &cpu->mwait.edx); diff --git a/packaging/target-i386-fix-TCG-UCODE_REV-access.patch b/packaging/target-i386-fix-TCG-UCODE_REV-access.patch deleted file mode 100644 index c7a2e414b..000000000 --- a/packaging/target-i386-fix-TCG-UCODE_REV-access.patch +++ /dev/null @@ -1,59 +0,0 @@ -From: Paolo Bonzini -Date: Thu, 6 Feb 2020 18:10:22 +0100 -Subject: target/i386: fix TCG UCODE_REV access - -Git-commit: 9028c75c9d08be303ccc425bfe3d3b23d8f4cac7 -References: jsc#SLE-17785 - -This was a very interesting semantic conflict that caused git to move -the MSR_IA32_UCODE_REV read to helper_wrmsr. Not a big deal, but -still should be fixed... - -Fixes: 4e45aff398 ("target/i386: add a ucode-rev property", 2020-01-24) -Message-id: <20200206171022.9289-1-pbonzini@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Dario Faggioli ---- - target/i386/misc_helper.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/target/i386/misc_helper.c b/target/i386/misc_helper.c -index aed16fe3f0255323f8dfc146078b..7d612210244af4aa6d36611da6de 100644 ---- a/target/i386/misc_helper.c -+++ b/target/i386/misc_helper.c -@@ -229,7 +229,6 @@ void helper_rdmsr(CPUX86State *env) - #else - void helper_wrmsr(CPUX86State *env) - { -- X86CPU *x86_cpu = env_archcpu(env); - uint64_t val; - - cpu_svm_check_intercept_param(env, SVM_EXIT_MSR, 1, GETPC()); -@@ -372,9 +371,6 @@ void helper_wrmsr(CPUX86State *env) - env->msr_bndcfgs = val; - cpu_sync_bndcs_hflags(env); - break; -- case MSR_IA32_UCODE_REV: -- val = x86_cpu->ucode_rev; -- break; - default: - if ((uint32_t)env->regs[R_ECX] >= MSR_MC0_CTL - && (uint32_t)env->regs[R_ECX] < MSR_MC0_CTL + -@@ -393,6 +389,7 @@ void helper_wrmsr(CPUX86State *env) - - void helper_rdmsr(CPUX86State *env) - { -+ X86CPU *x86_cpu = env_archcpu(env); - uint64_t val; - - cpu_svm_check_intercept_param(env, SVM_EXIT_MSR, 0, GETPC()); -@@ -526,6 +523,9 @@ void helper_rdmsr(CPUX86State *env) - case MSR_IA32_BNDCFGS: - val = env->msr_bndcfgs; - break; -+ case MSR_IA32_UCODE_REV: -+ val = x86_cpu->ucode_rev; -+ break; - default: - if ((uint32_t)env->regs[R_ECX] >= MSR_MC0_CTL - && (uint32_t)env->regs[R_ECX] < MSR_MC0_CTL + diff --git a/packaging/target-i386-kvm-initialize-microcode-rev.patch b/packaging/target-i386-kvm-initialize-microcode-rev.patch deleted file mode 100644 index be765be6f..000000000 --- a/packaging/target-i386-kvm-initialize-microcode-rev.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: Paolo Bonzini -Date: Mon, 20 Jan 2020 19:21:44 +0100 -Subject: target/i386: kvm: initialize microcode revision from KVM - -Git-commit: 32c87d70ff55b96741f08c35108935cac6f40fe4 -Reference: jsc#SLE-17785 - -KVM can return the host microcode revision as a feature MSR. -Use it as the default value for -cpu host. - -Signed-off-by: Paolo Bonzini -Message-Id: <1579544504-3616-4-git-send-email-pbonzini@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Dario Faggioli ---- - target/i386/cpu.c | 4 ++++ - target/i386/kvm.c | 5 +++++ - 2 files changed, 9 insertions(+) - -diff --git a/target/i386/cpu.c b/target/i386/cpu.c -index 88f4ad18300d3d1311282e7d8b15..17cc1e9a71f5bedc8917071be12b 100644 ---- a/target/i386/cpu.c -+++ b/target/i386/cpu.c -@@ -6430,6 +6430,10 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp) - &cpu->mwait.ecx, &cpu->mwait.edx); - env->features[FEAT_1_ECX] |= CPUID_EXT_MONITOR; - } -+ if (kvm_enabled() && cpu->ucode_rev == 0) { -+ cpu->ucode_rev = kvm_arch_get_supported_msr_feature(kvm_state, -+ MSR_IA32_UCODE_REV); -+ } - } - - if (cpu->ucode_rev == 0) { -diff --git a/target/i386/kvm.c b/target/i386/kvm.c -index 91cd4976e262ad6bbb83206114b3..a735ce031810a5f122720a13a052 100644 ---- a/target/i386/kvm.c -+++ b/target/i386/kvm.c -@@ -2707,6 +2707,11 @@ static void kvm_init_msrs(X86CPU *cpu) - env->features[FEAT_CORE_CAPABILITY]); - } - -+ if (kvm_arch_get_supported_msr_feature(kvm_state, -+ MSR_IA32_UCODE_REV)) { -+ kvm_msr_entry_add(cpu, MSR_IA32_UCODE_REV, cpu->ucode_rev); -+ } -+ - /* - * Older kernels do not include VMX MSRs in KVM_GET_MSR_INDEX_LIST, but - * all kernels with MSR features should have them. diff --git a/packaging/test-add-mapping-from-arch-of-i686-to-qe.patch b/packaging/test-add-mapping-from-arch-of-i686-to-qe.patch deleted file mode 100644 index 4e848b8f9..000000000 --- a/packaging/test-add-mapping-from-arch-of-i686-to-qe.patch +++ /dev/null @@ -1,25 +0,0 @@ -From: Bruce Rogers -Date: Sat, 5 Oct 2019 09:09:42 -0600 -Subject: test: add mapping from arch of i686 to qemu_arch=i386 - -While we don't specifically set QEMU_PROG, the code which detects the -host architecture needs a little help mapping the output of uname -m to -what the qemu project uses to reference that architecture. - -Signed-off-by: Bruce Rogers ---- - tests/qemu-iotests/common.config | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tests/qemu-iotests/common.config b/tests/qemu-iotests/common.config -index 9bd1a5a6fc8367c336e9f51fe22f..e1c6ffa0cca3a8f14feeb38d6da8 100644 ---- a/tests/qemu-iotests/common.config -+++ b/tests/qemu-iotests/common.config -@@ -24,6 +24,7 @@ PATH=".:$PATH" - HOSTOS=$(uname -s) - arch=$(uname -m) - [[ "$arch" =~ "ppc64" ]] && qemu_arch=ppc64 || qemu_arch="$arch" -+[[ "$arch" = "i686" ]] && qemu_arch=i386 - - # make sure we have a standard umask - umask 022 diff --git a/packaging/tests-Disable-some-block-tests-for-now.patch b/packaging/tests-Disable-some-block-tests-for-now.patch deleted file mode 100644 index 679233567..000000000 --- a/packaging/tests-Disable-some-block-tests-for-now.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Bruce Rogers -Date: Wed, 2 Oct 2019 07:28:04 -0600 -Subject: tests: Disable some block tests for now - -Most tests previously disabled for qemu-testsuite to be able to complete -successfully are no longer (as of v4.1) listed as auto, and therefore -do not get run anymore. - -27NOV2019 - added 161 since it is failing on s390x and ppc consistently - -Signed-off-by: Bruce Rogers ---- - tests/qemu-iotests/group | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group -index f5e0bf86ce179a56791961f1d5c6..206b45071ee14ac0c3e2e4883a23 100644 ---- a/tests/qemu-iotests/group -+++ b/tests/qemu-iotests/group -@@ -182,7 +182,7 @@ - 158 rw auto quick - 159 rw auto quick - 160 rw quick --161 rw auto quick -+#DISABLE FOR NOW 161 rw auto quick - 162 quick - 163 rw - 165 rw quick diff --git a/packaging/tests-Fix-block-tests-to-be-compatible-w.patch b/packaging/tests-Fix-block-tests-to-be-compatible-w.patch deleted file mode 100644 index 0cc056fd9..000000000 --- a/packaging/tests-Fix-block-tests-to-be-compatible-w.patch +++ /dev/null @@ -1,107 +0,0 @@ -From: Bruce Rogers -Date: Tue, 15 Oct 2019 11:16:14 -0600 -Subject: tests: Fix block tests to be compatible with membarrier configuration - -The use of membarriers collides with the block test's practice of -SIGKILLing test vm's. Have them quit politely. Tests: 130, 153 - and -though test 161 seems to have the same issue, it is not yet fixed, but -just marked here as possibly needing a fix. - -Signed-off-by: Bruce Rogers ---- - tests/qemu-iotests/130 | 6 ++++-- - tests/qemu-iotests/130.out | 2 ++ - tests/qemu-iotests/153 | 6 ++++-- - tests/qemu-iotests/153.out | 4 ++++ - 4 files changed, 14 insertions(+), 4 deletions(-) - -diff --git a/tests/qemu-iotests/130 b/tests/qemu-iotests/130 -index 77ad2aa13a06094f26d2c8991e48..fd84a4c77d192e15ee961b07994b 100755 ---- a/tests/qemu-iotests/130 -+++ b/tests/qemu-iotests/130 -@@ -64,7 +64,8 @@ echo - _launch_qemu -drive id=testdisk,file="$TEST_IMG",backing.file.filename="$TEST_IMG.base" - _send_qemu_cmd $QEMU_HANDLE "commit testdisk" "(qemu)" - _send_qemu_cmd $QEMU_HANDLE '' '(qemu)' --_cleanup_qemu -+_send_qemu_cmd $QEMU_HANDLE 'quit' '' -+wait=1 _cleanup_qemu - _img_info | _filter_img_info - - # Make sure that if there was a backing file that was just overridden on the -@@ -73,7 +74,8 @@ _make_test_img -F raw -b "$TEST_IMG.orig" 64M - _launch_qemu -drive id=testdisk,file="$TEST_IMG",backing.file.filename="$TEST_IMG.base",backing.driver=$IMGFMT - _send_qemu_cmd $QEMU_HANDLE "commit testdisk" "(qemu)" - _send_qemu_cmd $QEMU_HANDLE '' '(qemu)' --_cleanup_qemu -+_send_qemu_cmd $QEMU_HANDLE 'quit' '' -+wait=1 _cleanup_qemu - _img_info | _filter_img_info - - echo -diff --git a/tests/qemu-iotests/130.out b/tests/qemu-iotests/130.out -index e45285ccc311522481ac1b27ba99..7168bdf70c3eb32d4de0d28bb947 100644 ---- a/tests/qemu-iotests/130.out -+++ b/tests/qemu-iotests/130.out -@@ -11,6 +11,7 @@ virtual size: 64 MiB (67108864 bytes) - QEMU X.Y.Z monitor - type 'help' for more information - (qemu) commit testdisk - (qemu) -+(qemu) quit - image: TEST_DIR/t.IMGFMT - file format: IMGFMT - virtual size: 64 MiB (67108864 bytes) -@@ -18,6 +19,7 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 backing_file=TEST_DIR/t - QEMU X.Y.Z monitor - type 'help' for more information - (qemu) commit testdisk - (qemu) -+(qemu) quit - image: TEST_DIR/t.IMGFMT - file format: IMGFMT - virtual size: 64 MiB (67108864 bytes) -diff --git a/tests/qemu-iotests/153 b/tests/qemu-iotests/153 -index c969a1a16ff8382b9bb69252f6de..39d6da725bff3932a7cb88acff8e 100755 ---- a/tests/qemu-iotests/153 -+++ b/tests/qemu-iotests/153 -@@ -206,7 +206,8 @@ _send_qemu_cmd $QEMU_HANDLE \ - 'return' - _run_cmd $QEMU_IMG commit -b "${TEST_IMG}.b" "${TEST_IMG}.c" - --_cleanup_qemu -+_send_qemu_cmd $QEMU_HANDLE "{ 'execute': 'quit' }" '' -+wait=1 _cleanup_qemu - - _launch_qemu - -@@ -258,7 +259,8 @@ _send_qemu_cmd $QEMU_HANDLE \ - - _run_cmd $QEMU_IO "${TEST_IMG}" -c 'write 0 512' - --_cleanup_qemu -+_send_qemu_cmd $QEMU_HANDLE "{ 'execute': 'quit' }" '' -+wait=1 _cleanup_qemu - - echo - echo "== Detecting -U and force-share conflicts ==" -diff --git a/tests/qemu-iotests/153.out b/tests/qemu-iotests/153.out -index f7464dd8d345a853f7b64a67c6d0..8bc14f6abf94662473d6d93b5672 100644 ---- a/tests/qemu-iotests/153.out -+++ b/tests/qemu-iotests/153.out -@@ -421,6 +421,8 @@ Is another process using the image [TEST_DIR/t.qcow2]? - _qemu_img_wrapper commit -b TEST_DIR/t.qcow2.b TEST_DIR/t.qcow2.c - { 'execute': 'qmp_capabilities' } - {"return": {}} -+{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}} -+{"return": {}} - Adding drive - { 'execute': 'human-monitor-command', 'arguments': { 'command-line': 'drive_add 0 if=none,id=d0,file=TEST_DIR/t.IMGFMT' } } - {"return": "OKrn"} -@@ -454,6 +456,8 @@ Closing the other - {"return": ""} - - _qemu_io_wrapper TEST_DIR/t.qcow2 -c write 0 512 -+{"return": {}} -+{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}} - - == Detecting -U and force-share conflicts == - diff --git a/packaging/tests-add-migration-helpers-unit.patch b/packaging/tests-add-migration-helpers-unit.patch deleted file mode 100644 index 2979554ce..000000000 --- a/packaging/tests-add-migration-helpers-unit.patch +++ /dev/null @@ -1,550 +0,0 @@ -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= -Date: Mon, 16 Dec 2019 14:59:44 +0400 -Subject: tests: add migration-helpers unit -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: d77799ccda4baca822308ed1648a3c72d46cf74e -References: bsc#1184574 - -Move a few helper functions from migration-test.c to migration-helpers.c - -Signed-off-by: Marc-André Lureau -Reviewed-by: Daniel P. Berrangé -Signed-off-by: Lin Ma ---- - tests/Makefile.include | 2 +- - tests/migration-helpers.c | 167 ++++++++++++++++++++++++++++++++++++ - tests/migration-helpers.h | 37 ++++++++ - tests/migration-test.c | 176 +++----------------------------------- - 4 files changed, 216 insertions(+), 166 deletions(-) - -diff --git a/tests/Makefile.include b/tests/Makefile.include -index 8566f5f119dd3e668abd06aa45ef..e8bb416ddb89e99c956d224de844 100644 ---- a/tests/Makefile.include -+++ b/tests/Makefile.include -@@ -828,7 +828,7 @@ tests/usb-hcd-uhci-test$(EXESUF): tests/usb-hcd-uhci-test.o $(libqos-usb-obj-y) - tests/usb-hcd-ehci-test$(EXESUF): tests/usb-hcd-ehci-test.o $(libqos-usb-obj-y) - tests/usb-hcd-xhci-test$(EXESUF): tests/usb-hcd-xhci-test.o $(libqos-usb-obj-y) - tests/cpu-plug-test$(EXESUF): tests/cpu-plug-test.o --tests/migration-test$(EXESUF): tests/migration-test.o -+tests/migration-test$(EXESUF): tests/migration-test.o tests/migration-helpers.o - tests/qemu-iotests/socket_scm_helper$(EXESUF): tests/qemu-iotests/socket_scm_helper.o - tests/test-qemu-opts$(EXESUF): tests/test-qemu-opts.o $(test-util-obj-y) - tests/test-keyval$(EXESUF): tests/test-keyval.o $(test-util-obj-y) $(test-qapi-obj-y) -diff --git a/tests/migration-helpers.c b/tests/migration-helpers.c -new file mode 100644 -index 0000000000000000000000000000000000000000..516093b39a9e79f06a02ede440802ebe75729047 ---- /dev/null -+++ b/tests/migration-helpers.c -@@ -0,0 +1,167 @@ -+/* -+ * QTest migration helpers -+ * -+ * Copyright (c) 2016-2018 Red Hat, Inc. and/or its affiliates -+ * based on the vhost-user-test.c that is: -+ * Copyright (c) 2014 Virtual Open Systems Sarl. -+ * -+ * This work is licensed under the terms of the GNU GPL, version 2 or later. -+ * See the COPYING file in the top-level directory. -+ * -+ */ -+ -+#include "qemu/osdep.h" -+#include "qapi/qmp/qjson.h" -+ -+#include "migration-helpers.h" -+ -+bool got_stop; -+ -+static void stop_cb(void *opaque, const char *name, QDict *data) -+{ -+ if (!strcmp(name, "STOP")) { -+ got_stop = true; -+ } -+} -+ -+/* -+ * Events can get in the way of responses we are actually waiting for. -+ */ -+QDict *wait_command_fd(QTestState *who, int fd, const char *command, ...) -+{ -+ va_list ap; -+ -+ va_start(ap, command); -+ qtest_qmp_vsend_fds(who, &fd, 1, command, ap); -+ va_end(ap); -+ -+ return qtest_qmp_receive_success(who, stop_cb, NULL); -+} -+ -+/* -+ * Events can get in the way of responses we are actually waiting for. -+ */ -+QDict *wait_command(QTestState *who, const char *command, ...) -+{ -+ va_list ap; -+ -+ va_start(ap, command); -+ qtest_qmp_vsend(who, command, ap); -+ va_end(ap); -+ -+ return qtest_qmp_receive_success(who, stop_cb, NULL); -+} -+ -+/* -+ * Send QMP command "migrate". -+ * Arguments are built from @fmt... (formatted like -+ * qobject_from_jsonf_nofail()) with "uri": @uri spliced in. -+ */ -+void migrate_qmp(QTestState *who, const char *uri, const char *fmt, ...) -+{ -+ va_list ap; -+ QDict *args, *rsp; -+ -+ va_start(ap, fmt); -+ args = qdict_from_vjsonf_nofail(fmt, ap); -+ va_end(ap); -+ -+ g_assert(!qdict_haskey(args, "uri")); -+ qdict_put_str(args, "uri", uri); -+ -+ rsp = qtest_qmp(who, "{ 'execute': 'migrate', 'arguments': %p}", args); -+ -+ g_assert(qdict_haskey(rsp, "return")); -+ qobject_unref(rsp); -+} -+ -+/* -+ * Note: caller is responsible to free the returned object via -+ * qobject_unref() after use -+ */ -+QDict *migrate_query(QTestState *who) -+{ -+ return wait_command(who, "{ 'execute': 'query-migrate' }"); -+} -+ -+/* -+ * Note: caller is responsible to free the returned object via -+ * g_free() after use -+ */ -+static gchar *migrate_query_status(QTestState *who) -+{ -+ QDict *rsp_return = migrate_query(who); -+ gchar *status = g_strdup(qdict_get_str(rsp_return, "status")); -+ -+ g_assert(status); -+ qobject_unref(rsp_return); -+ -+ return status; -+} -+ -+static bool check_migration_status(QTestState *who, const char *goal, -+ const char **ungoals) -+{ -+ bool ready; -+ char *current_status; -+ const char **ungoal; -+ -+ current_status = migrate_query_status(who); -+ ready = strcmp(current_status, goal) == 0; -+ if (!ungoals) { -+ g_assert_cmpstr(current_status, !=, "failed"); -+ /* -+ * If looking for a state other than completed, -+ * completion of migration would cause the test to -+ * hang. -+ */ -+ if (strcmp(goal, "completed") != 0) { -+ g_assert_cmpstr(current_status, !=, "completed"); -+ } -+ } else { -+ for (ungoal = ungoals; *ungoal; ungoal++) { -+ g_assert_cmpstr(current_status, !=, *ungoal); -+ } -+ } -+ g_free(current_status); -+ return ready; -+} -+ -+void wait_for_migration_status(QTestState *who, -+ const char *goal, const char **ungoals) -+{ -+ while (!check_migration_status(who, goal, ungoals)) { -+ usleep(1000); -+ } -+} -+ -+void wait_for_migration_complete(QTestState *who) -+{ -+ wait_for_migration_status(who, "completed", NULL); -+} -+ -+void wait_for_migration_fail(QTestState *from, bool allow_active) -+{ -+ QDict *rsp_return; -+ char *status; -+ bool failed; -+ -+ do { -+ status = migrate_query_status(from); -+ bool result = !strcmp(status, "setup") || !strcmp(status, "failed") || -+ (allow_active && !strcmp(status, "active")); -+ if (!result) { -+ fprintf(stderr, "%s: unexpected status status=%s allow_active=%d\n", -+ __func__, status, allow_active); -+ } -+ g_assert(result); -+ failed = !strcmp(status, "failed"); -+ g_free(status); -+ } while (!failed); -+ -+ /* Is the machine currently running? */ -+ rsp_return = wait_command(from, "{ 'execute': 'query-status' }"); -+ g_assert(qdict_haskey(rsp_return, "running")); -+ g_assert(qdict_get_bool(rsp_return, "running")); -+ qobject_unref(rsp_return); -+} -diff --git a/tests/migration-helpers.h b/tests/migration-helpers.h -new file mode 100644 -index 0000000000000000000000000000000000000000..a11808b3b77c4901cc25904282d2946cd360fbc9 ---- /dev/null -+++ b/tests/migration-helpers.h -@@ -0,0 +1,37 @@ -+/* -+ * QTest migration helpers -+ * -+ * Copyright (c) 2016-2018 Red Hat, Inc. and/or its affiliates -+ * based on the vhost-user-test.c that is: -+ * Copyright (c) 2014 Virtual Open Systems Sarl. -+ * -+ * This work is licensed under the terms of the GNU GPL, version 2 or later. -+ * See the COPYING file in the top-level directory. -+ * -+ */ -+#ifndef MIGRATION_HELPERS_H_ -+#define MIGRATION_HELPERS_H_ -+ -+#include "libqtest.h" -+ -+extern bool got_stop; -+ -+GCC_FMT_ATTR(3, 4) -+QDict *wait_command_fd(QTestState *who, int fd, const char *command, ...); -+ -+GCC_FMT_ATTR(2, 3) -+QDict *wait_command(QTestState *who, const char *command, ...); -+ -+GCC_FMT_ATTR(3, 4) -+void migrate_qmp(QTestState *who, const char *uri, const char *fmt, ...); -+ -+QDict *migrate_query(QTestState *who); -+ -+void wait_for_migration_status(QTestState *who, -+ const char *goal, const char **ungoals); -+ -+void wait_for_migration_complete(QTestState *who); -+ -+void wait_for_migration_fail(QTestState *from, bool allow_active); -+ -+#endif /* MIGRATION_HELPERS_H_ */ -diff --git a/tests/migration-test.c b/tests/migration-test.c -index df5101760b18d767251842386b9c..65982bb249f42c4995795bbac23c 100644 ---- a/tests/migration-test.c -+++ b/tests/migration-test.c -@@ -14,7 +14,6 @@ - - #include "libqtest.h" - #include "qapi/qmp/qdict.h" --#include "qapi/qmp/qjson.h" - #include "qemu/module.h" - #include "qemu/option.h" - #include "qemu/range.h" -@@ -24,6 +23,7 @@ - #include "qapi/qobject-input-visitor.h" - #include "qapi/qobject-output-visitor.h" - -+#include "migration-helpers.h" - #include "migration/migration-test.h" - - /* TODO actually test the results and get rid of this */ -@@ -31,7 +31,6 @@ - - unsigned start_address; - unsigned end_address; --bool got_stop; - static bool uffd_feature_thread_id; - - #if defined(__linux__) -@@ -157,67 +156,6 @@ static void wait_for_serial(const char *side) - } while (true); - } - --static void stop_cb(void *opaque, const char *name, QDict *data) --{ -- if (!strcmp(name, "STOP")) { -- got_stop = true; -- } --} -- --/* -- * Events can get in the way of responses we are actually waiting for. -- */ --GCC_FMT_ATTR(3, 4) --static QDict *wait_command_fd(QTestState *who, int fd, const char *command, ...) --{ -- va_list ap; -- -- va_start(ap, command); -- qtest_qmp_vsend_fds(who, &fd, 1, command, ap); -- va_end(ap); -- -- return qtest_qmp_receive_success(who, stop_cb, NULL); --} -- --/* -- * Events can get in the way of responses we are actually waiting for. -- */ --GCC_FMT_ATTR(2, 3) --static QDict *wait_command(QTestState *who, const char *command, ...) --{ -- va_list ap; -- -- va_start(ap, command); -- qtest_qmp_vsend(who, command, ap); -- va_end(ap); -- -- return qtest_qmp_receive_success(who, stop_cb, NULL); --} -- --/* -- * Note: caller is responsible to free the returned object via -- * qobject_unref() after use -- */ --static QDict *migrate_query(QTestState *who) --{ -- return wait_command(who, "{ 'execute': 'query-migrate' }"); --} -- --/* -- * Note: caller is responsible to free the returned object via -- * g_free() after use -- */ --static gchar *migrate_query_status(QTestState *who) --{ -- QDict *rsp_return = migrate_query(who); -- gchar *status = g_strdup(qdict_get_str(rsp_return, "status")); -- -- g_assert(status); -- qobject_unref(rsp_return); -- -- return status; --} -- - /* - * It's tricky to use qemu's migration event capability with qtest, - * events suddenly appearing confuse the qmp()/hmp() responses. -@@ -265,48 +203,6 @@ static void read_blocktime(QTestState *who) - qobject_unref(rsp_return); - } - --static bool check_migration_status(QTestState *who, const char *goal, -- const char **ungoals) --{ -- bool ready; -- char *current_status; -- const char **ungoal; -- -- current_status = migrate_query_status(who); -- ready = strcmp(current_status, goal) == 0; -- if (!ungoals) { -- g_assert_cmpstr(current_status, !=, "failed"); -- /* -- * If looking for a state other than completed, -- * completion of migration would cause the test to -- * hang. -- */ -- if (strcmp(goal, "completed") != 0) { -- g_assert_cmpstr(current_status, !=, "completed"); -- } -- } else { -- for (ungoal = ungoals; *ungoal; ungoal++) { -- g_assert_cmpstr(current_status, !=, *ungoal); -- } -- } -- g_free(current_status); -- return ready; --} -- --static void wait_for_migration_status(QTestState *who, -- const char *goal, -- const char **ungoals) --{ -- while (!check_migration_status(who, goal, ungoals)) { -- usleep(1000); -- } --} -- --static void wait_for_migration_complete(QTestState *who) --{ -- wait_for_migration_status(who, "completed", NULL); --} -- - static void wait_for_migration_pass(QTestState *who) - { - uint64_t initial_pass = get_migration_pass(who); -@@ -513,30 +409,6 @@ static void migrate_set_capability(QTestState *who, const char *capability, - qobject_unref(rsp); - } - --/* -- * Send QMP command "migrate". -- * Arguments are built from @fmt... (formatted like -- * qobject_from_jsonf_nofail()) with "uri": @uri spliced in. -- */ --GCC_FMT_ATTR(3, 4) --static void migrate(QTestState *who, const char *uri, const char *fmt, ...) --{ -- va_list ap; -- QDict *args, *rsp; -- -- va_start(ap, fmt); -- args = qdict_from_vjsonf_nofail(fmt, ap); -- va_end(ap); -- -- g_assert(!qdict_haskey(args, "uri")); -- qdict_put_str(args, "uri", uri); -- -- rsp = qtest_qmp(who, "{ 'execute': 'migrate', 'arguments': %p}", args); -- -- g_assert(qdict_haskey(rsp, "return")); -- qobject_unref(rsp); --} -- - static void migrate_postcopy_start(QTestState *from, QTestState *to) - { - QDict *rsp; -@@ -794,7 +666,7 @@ static int migrate_postcopy_prepare(QTestState **from_ptr, - /* Wait for the first serial output from the source */ - wait_for_serial("src_serial"); - -- migrate(from, uri, "{}"); -+ migrate_qmp(from, uri, "{}"); - g_free(uri); - - wait_for_migration_pass(from); -@@ -881,7 +753,7 @@ static void test_postcopy_recovery(void) - wait_for_migration_status(from, "postcopy-paused", - (const char * []) { "failed", "active", - "completed", NULL }); -- migrate(from, uri, "{'resume': true}"); -+ migrate_qmp(from, uri, "{'resume': true}"); - g_free(uri); - - /* Restore the postcopy bandwidth to unlimited */ -@@ -890,32 +762,6 @@ static void test_postcopy_recovery(void) - migrate_postcopy_complete(from, to); - } - --static void wait_for_migration_fail(QTestState *from, bool allow_active) --{ -- QDict *rsp_return; -- char *status; -- bool failed; -- -- do { -- status = migrate_query_status(from); -- bool result = !strcmp(status, "setup") || !strcmp(status, "failed") || -- (allow_active && !strcmp(status, "active")); -- if (!result) { -- fprintf(stderr, "%s: unexpected status status=%s allow_active=%d\n", -- __func__, status, allow_active); -- } -- g_assert(result); -- failed = !strcmp(status, "failed"); -- g_free(status); -- } while (!failed); -- -- /* Is the machine currently running? */ -- rsp_return = wait_command(from, "{ 'execute': 'query-status' }"); -- g_assert(qdict_haskey(rsp_return, "running")); -- g_assert(qdict_get_bool(rsp_return, "running")); -- qobject_unref(rsp_return); --} -- - static void test_baddest(void) - { - QTestState *from, *to; -@@ -923,7 +769,7 @@ static void test_baddest(void) - if (test_migrate_start(&from, &to, "tcp:0:0", true, false, NULL, NULL)) { - return; - } -- migrate(from, "tcp:0:0", "{}"); -+ migrate_qmp(from, "tcp:0:0", "{}"); - wait_for_migration_fail(from, false); - test_migrate_end(from, to, false); - } -@@ -949,7 +795,7 @@ static void test_precopy_unix(void) - /* Wait for the first serial output from the source */ - wait_for_serial("src_serial"); - -- migrate(from, uri, "{}"); -+ migrate_qmp(from, uri, "{}"); - - wait_for_migration_pass(from); - -@@ -986,7 +832,7 @@ static void test_ignore_shared(void) - /* Wait for the first serial output from the source */ - wait_for_serial("src_serial"); - -- migrate(from, uri, "{}"); -+ migrate_qmp(from, uri, "{}"); - - wait_for_migration_pass(from); - -@@ -1032,7 +878,7 @@ static void test_xbzrle(const char *uri) - /* Wait for the first serial output from the source */ - wait_for_serial("src_serial"); - -- migrate(from, uri, "{}"); -+ migrate_qmp(from, uri, "{}"); - - wait_for_migration_pass(from); - -@@ -1083,7 +929,7 @@ static void test_precopy_tcp(void) - - uri = migrate_get_socket_address(to, "socket-address"); - -- migrate(from, uri, "{}"); -+ migrate_qmp(from, uri, "{}"); - - wait_for_migration_pass(from); - -@@ -1151,7 +997,7 @@ static void test_migrate_fd_proto(void) - close(pair[1]); - - /* Start migration to the 2nd socket*/ -- migrate(from, "fd:fd-mig", "{}"); -+ migrate_qmp(from, "fd:fd-mig", "{}"); - - wait_for_migration_pass(from); - -@@ -1209,7 +1055,7 @@ static void do_test_validate_uuid(const char *uuid_arg_src, - /* Wait for the first serial output from the source */ - wait_for_serial("src_serial"); - -- migrate(from, uri, "{}"); -+ migrate_qmp(from, uri, "{}"); - - if (should_fail) { - qtest_set_expected_status(to, 1); -@@ -1291,7 +1137,7 @@ static void test_migrate_auto_converge(void) - /* Wait for the first serial output from the source */ - wait_for_serial("src_serial"); - -- migrate(from, uri, "{}"); -+ migrate_qmp(from, uri, "{}"); - - /* Wait for throttling begins */ - percentage = 0; diff --git a/packaging/tests-change-error-message-in-test-162.patch b/packaging/tests-change-error-message-in-test-162.patch deleted file mode 100644 index 2b5375e06..000000000 --- a/packaging/tests-change-error-message-in-test-162.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Bruce Rogers -Date: Mon, 11 Mar 2019 22:02:37 -0600 -Subject: tests: change error message in test 162 - -Since we have a quite restricted execution environment, as far as -networking is concerned, we need to change the error message we expect -in test 162. There is actually no routing set up so the error we get is -"Network is unreachable". Change the expected output accordingly. - -Signed-off-by: Bruce Rogers ---- - tests/qemu-iotests/162.out | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/qemu-iotests/162.out b/tests/qemu-iotests/162.out -index 5a00d36d17878376380430dad705..390cca9027e918f1a0d252753ce5 100644 ---- a/tests/qemu-iotests/162.out -+++ b/tests/qemu-iotests/162.out -@@ -1,7 +1,7 @@ - QA output created by 162 - - === NBD === --qemu-img: Could not open 'json:{"driver": "nbd", "host": -1}': address resolution failed for -1:10809: Name or service not known -+qemu-img: Could not open 'json:{"driver": "nbd", "host": 42}': Failed to connect socket: Network is unreachable - image: nbd://localhost:PORT - image: nbd+unix://?socket=42 - diff --git a/packaging/tests-numa-Add-case-for-QMP-build-HMAT.patch b/packaging/tests-numa-Add-case-for-QMP-build-HMAT.patch deleted file mode 100644 index bde41e7e4..000000000 --- a/packaging/tests-numa-Add-case-for-QMP-build-HMAT.patch +++ /dev/null @@ -1,252 +0,0 @@ -From: Tao Xu -Date: Fri, 13 Dec 2019 09:19:28 +0800 -Subject: tests/numa: Add case for QMP build HMAT - -Git-commit: d00817c944ed15fbe4a61d44fe7f9fe166c7df88 -References: jsc#SLE-8897 - -Check configuring HMAT usecase - -Acked-by: Markus Armbruster -Suggested-by: Igor Mammedov -Signed-off-by: Tao Xu -Message-Id: <20191213011929.2520-8-tao3.xu@intel.com> -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin -Reviewed-by: Igor Mammedov -Signed-off-by: Bruce Rogers ---- - tests/numa-test.c | 213 ++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 213 insertions(+) - -diff --git a/tests/numa-test.c b/tests/numa-test.c -index 8de8581231dd3e3299bc61d40d8d..17dd807d2a4329aea2e96a845edd 100644 ---- a/tests/numa-test.c -+++ b/tests/numa-test.c -@@ -327,6 +327,216 @@ static void pc_dynamic_cpu_cfg(const void *data) - qtest_quit(qs); - } - -+static void pc_hmat_build_cfg(const void *data) -+{ -+ QTestState *qs = qtest_initf("%s -nodefaults --preconfig -machine hmat=on " -+ "-smp 2,sockets=2 " -+ "-m 128M,slots=2,maxmem=1G " -+ "-object memory-backend-ram,size=64M,id=m0 " -+ "-object memory-backend-ram,size=64M,id=m1 " -+ "-numa node,nodeid=0,memdev=m0 " -+ "-numa node,nodeid=1,memdev=m1,initiator=0 " -+ "-numa cpu,node-id=0,socket-id=0 " -+ "-numa cpu,node-id=0,socket-id=1", -+ data ? (char *)data : ""); -+ -+ /* Fail: Initiator should be less than the number of nodes */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 2, 'target': 0," -+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\" } }"))); -+ -+ /* Fail: Target should be less than the number of nodes */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 2," -+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\" } }"))); -+ -+ /* Fail: Initiator should contain cpu */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 1, 'target': 0," -+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\" } }"))); -+ -+ /* Fail: Data-type mismatch */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0," -+ " 'hierarchy': \"memory\", 'data-type': \"write-latency\"," -+ " 'bandwidth': 524288000 } }"))); -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0," -+ " 'hierarchy': \"memory\", 'data-type': \"read-bandwidth\"," -+ " 'latency': 5 } }"))); -+ -+ /* Fail: Bandwidth should be 1MB (1048576) aligned */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0," -+ " 'hierarchy': \"memory\", 'data-type': \"access-bandwidth\"," -+ " 'bandwidth': 1048575 } }"))); -+ -+ /* Configuring HMAT bandwidth and latency details */ -+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0," -+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\"," -+ " 'latency': 1 } }"))); /* 1 ns */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0," -+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\"," -+ " 'latency': 5 } }"))); /* Fail: Duplicate configuration */ -+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0," -+ " 'hierarchy': \"memory\", 'data-type': \"access-bandwidth\"," -+ " 'bandwidth': 68717379584 } }"))); /* 65534 MB/s */ -+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 1," -+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\"," -+ " 'latency': 65534 } }"))); /* 65534 ns */ -+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 1," -+ " 'hierarchy': \"memory\", 'data-type': \"access-bandwidth\"," -+ " 'bandwidth': 34358689792 } }"))); /* 32767 MB/s */ -+ -+ /* Fail: node_id should be less than the number of nodes */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 2, 'size': 10240," -+ " 'level': 1, 'associativity': \"direct\", 'policy': \"write-back\"," -+ " 'line': 8 } }"))); -+ -+ /* Fail: level should be less than HMAT_LB_LEVELS (4) */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240," -+ " 'level': 4, 'associativity': \"direct\", 'policy': \"write-back\"," -+ " 'line': 8 } }"))); -+ -+ /* Fail: associativity option should be 'none', if level is 0 */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240," -+ " 'level': 0, 'associativity': \"direct\", 'policy': \"none\"," -+ " 'line': 0 } }"))); -+ /* Fail: policy option should be 'none', if level is 0 */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240," -+ " 'level': 0, 'associativity': \"none\", 'policy': \"write-back\"," -+ " 'line': 0 } }"))); -+ /* Fail: line option should be 0, if level is 0 */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240," -+ " 'level': 0, 'associativity': \"none\", 'policy': \"none\"," -+ " 'line': 8 } }"))); -+ -+ /* Configuring HMAT memory side cache attributes */ -+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240," -+ " 'level': 1, 'associativity': \"direct\", 'policy': \"write-back\"," -+ " 'line': 8 } }"))); -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240," -+ " 'level': 1, 'associativity': \"direct\", 'policy': \"write-back\"," -+ " 'line': 8 } }"))); /* Fail: Duplicate configuration */ -+ /* Fail: The size of level 2 size should be small than level 1 */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240," -+ " 'level': 2, 'associativity': \"direct\", 'policy': \"write-back\"," -+ " 'line': 8 } }"))); -+ /* Fail: The size of level 0 size should be larger than level 1 */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240," -+ " 'level': 0, 'associativity': \"direct\", 'policy': \"write-back\"," -+ " 'line': 8 } }"))); -+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 1, 'size': 10240," -+ " 'level': 1, 'associativity': \"direct\", 'policy': \"write-back\"," -+ " 'line': 8 } }"))); -+ -+ /* let machine initialization to complete and run */ -+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, -+ "{ 'execute': 'x-exit-preconfig' }"))); -+ qtest_qmp_eventwait(qs, "RESUME"); -+ -+ qtest_quit(qs); -+} -+ -+static void pc_hmat_off_cfg(const void *data) -+{ -+ QTestState *qs = qtest_initf("%s -nodefaults --preconfig " -+ "-smp 2,sockets=2 " -+ "-m 128M,slots=2,maxmem=1G " -+ "-object memory-backend-ram,size=64M,id=m0 " -+ "-object memory-backend-ram,size=64M,id=m1 " -+ "-numa node,nodeid=0,memdev=m0", -+ data ? (char *)data : ""); -+ -+ /* -+ * Fail: Enable HMAT with -machine hmat=on -+ * before using any of hmat specific options -+ */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'node', 'nodeid': 1, 'memdev': \"m1\"," -+ " 'initiator': 0 } }"))); -+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'node', 'nodeid': 1, 'memdev': \"m1\" } }"))); -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0," -+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\"," -+ " 'latency': 1 } }"))); -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240," -+ " 'level': 1, 'associativity': \"direct\", 'policy': \"write-back\"," -+ " 'line': 8 } }"))); -+ -+ /* let machine initialization to complete and run */ -+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, -+ "{ 'execute': 'x-exit-preconfig' }"))); -+ qtest_qmp_eventwait(qs, "RESUME"); -+ -+ qtest_quit(qs); -+} -+ -+static void pc_hmat_erange_cfg(const void *data) -+{ -+ QTestState *qs = qtest_initf("%s -nodefaults --preconfig -machine hmat=on " -+ "-smp 2,sockets=2 " -+ "-m 128M,slots=2,maxmem=1G " -+ "-object memory-backend-ram,size=64M,id=m0 " -+ "-object memory-backend-ram,size=64M,id=m1 " -+ "-numa node,nodeid=0,memdev=m0 " -+ "-numa node,nodeid=1,memdev=m1,initiator=0 " -+ "-numa cpu,node-id=0,socket-id=0 " -+ "-numa cpu,node-id=0,socket-id=1", -+ data ? (char *)data : ""); -+ -+ /* Can't store the compressed latency */ -+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0," -+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\"," -+ " 'latency': 1 } }"))); /* 1 ns */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 1," -+ " 'hierarchy': \"memory\", 'data-type': \"access-latency\"," -+ " 'latency': 65535 } }"))); /* 65535 ns */ -+ -+ /* Test the 0 input (bandwidth not provided) */ -+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 0," -+ " 'hierarchy': \"memory\", 'data-type': \"access-bandwidth\"," -+ " 'bandwidth': 0 } }"))); /* 0 MB/s */ -+ /* Fail: bandwidth should be provided before memory side cache attributes */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-cache', 'node-id': 0, 'size': 10240," -+ " 'level': 1, 'associativity': \"direct\", 'policy': \"write-back\"," -+ " 'line': 8 } }"))); -+ -+ /* Can't store the compressed bandwidth */ -+ g_assert_true(qmp_rsp_is_err(qtest_qmp(qs, "{ 'execute': 'set-numa-node'," -+ " 'arguments': { 'type': 'hmat-lb', 'initiator': 0, 'target': 1," -+ " 'hierarchy': \"memory\", 'data-type': \"access-bandwidth\"," -+ " 'bandwidth': 68718428160 } }"))); /* 65535 MB/s */ -+ -+ /* let machine initialization to complete and run */ -+ g_assert_false(qmp_rsp_is_err(qtest_qmp(qs, -+ "{ 'execute': 'x-exit-preconfig' }"))); -+ qtest_qmp_eventwait(qs, "RESUME"); -+ -+ qtest_quit(qs); -+} -+ - int main(int argc, char **argv) - { - const char *args = NULL; -@@ -346,6 +556,9 @@ int main(int argc, char **argv) - if (!strcmp(arch, "i386") || !strcmp(arch, "x86_64")) { - qtest_add_data_func("/numa/pc/cpu/explicit", args, pc_numa_cpu); - qtest_add_data_func("/numa/pc/dynamic/cpu", args, pc_dynamic_cpu_cfg); -+ qtest_add_data_func("/numa/pc/hmat/build", args, pc_hmat_build_cfg); -+ qtest_add_data_func("/numa/pc/hmat/off", args, pc_hmat_off_cfg); -+ qtest_add_data_func("/numa/pc/hmat/erange", args, pc_hmat_erange_cfg); - } - - if (!strcmp(arch, "ppc64")) { diff --git a/packaging/tests-qemu-iotests-Triple-timeout-of-i-o.patch b/packaging/tests-qemu-iotests-Triple-timeout-of-i-o.patch deleted file mode 100644 index 4677f6c23..000000000 --- a/packaging/tests-qemu-iotests-Triple-timeout-of-i-o.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Bruce Rogers -Date: Tue, 20 Nov 2018 15:46:41 -0700 -Subject: tests/qemu-iotests: Triple timeout of i/o tests due to obs - environment - -Executing tests in obs is very fickle, since you aren't guaranteed -reliable cpu time. Triple the timeout for each test to help ensure -we don't fail a test because the stars align against us. - -Signed-off-by: Bruce Rogers ---- - tests/qemu-iotests/common.qemu | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/qemu-iotests/common.qemu b/tests/qemu-iotests/common.qemu -index de680cf1c7c92e50b82aa2bc0262..4f2557cc568beed038223af7660b 100644 ---- a/tests/qemu-iotests/common.qemu -+++ b/tests/qemu-iotests/common.qemu -@@ -76,7 +76,7 @@ _timed_wait_for() - timeout=yes - - QEMU_STATUS[$h]=0 -- while IFS= read -t ${QEMU_COMM_TIMEOUT} resp <&${QEMU_OUT[$h]} -+ while IFS= read -t $((${QEMU_COMM_TIMEOUT}*3)) resp <&${QEMU_OUT[$h]} - do - if [ -z "${silent}" ] && [ -z "${mismatch_only}" ]; then - echo "${resp}" | _filter_testdir | _filter_qemu \ diff --git a/packaging/tftp-check-tftp_input-buffer-size.patch b/packaging/tftp-check-tftp_input-buffer-size.patch deleted file mode 100644 index 4ff786ab6..000000000 --- a/packaging/tftp-check-tftp_input-buffer-size.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= -Date: Fri, 4 Jun 2021 16:34:30 +0400 -Subject: tftp: check tftp_input buffer size -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commmit: 3f17948137155f025f7809fdc38576d5d2451c3d -References: bsc#1187366, CVE-2021-3595 - -Fixes: CVE-2021-3595 -Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46 - -Signed-off-by: Marc-André Lureau -Signed-off-by: Jose R Ziviani ---- - src/tftp.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c -index c209145282fac8afdf57dc17bcf5..5a6279396684ef809742bbbd0ee3 100644 ---- a/slirp/src/tftp.c -+++ b/slirp/src/tftp.c -@@ -444,7 +444,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, - - void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m) - { -- struct tftp_t *tp = (struct tftp_t *)m->m_data; -+ struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf)); -+ -+ if (tp == NULL) { -+ return; -+ } - - switch (ntohs(tp->tp_op)) { - case TFTP_RRQ: diff --git a/packaging/tftp-introduce-a-header-structure.patch b/packaging/tftp-introduce-a-header-structure.patch deleted file mode 100644 index 102bd08e3..000000000 --- a/packaging/tftp-introduce-a-header-structure.patch +++ /dev/null @@ -1,248 +0,0 @@ -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= -Date: Fri, 4 Jun 2021 20:01:20 +0400 -Subject: tftp: introduce a header structure -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 990163cf3ac86b7875559f49602c4d76f46f6f30 -References: bsc#1187366, CVE-2021-3595 - -Instead of using a composed structure and potentially reading past the -incoming buffer, use a different structure for the header. - -Signed-off-by: Marc-André Lureau -Signed-off-by: Jose R Ziviani ---- - src/tftp.c | 60 ++++++++++++++++++++++++++++-------------------------- - src/tftp.h | 6 +++++- - 2 files changed, 36 insertions(+), 30 deletions(-) - -diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c -index 5a6279396684ef809742bbbd0ee3..42c6c7a23c3f8290bba52a9458e7 100644 ---- a/slirp/src/tftp.c -+++ b/slirp/src/tftp.c -@@ -50,7 +50,7 @@ static void tftp_session_terminate(struct tftp_session *spt) - } - - static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas, -- struct tftp_t *tp) -+ struct tftphdr *hdr) - { - struct tftp_session *spt; - int k; -@@ -75,7 +75,7 @@ found: - memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas)); - spt->fd = -1; - spt->block_size = 512; -- spt->client_port = tp->udp.uh_sport; -+ spt->client_port = hdr->udp.uh_sport; - spt->slirp = slirp; - - tftp_session_update(spt); -@@ -84,7 +84,7 @@ found: - } - - static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, -- struct tftp_t *tp) -+ struct tftphdr *hdr) - { - struct tftp_session *spt; - int k; -@@ -94,7 +94,7 @@ static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, - - if (tftp_session_in_use(spt)) { - if (sockaddr_equal(&spt->client_addr, srcsas)) { -- if (spt->client_port == tp->udp.uh_sport) { -+ if (spt->client_port == hdr->udp.uh_sport) { - return k; - } - } -@@ -146,13 +146,13 @@ static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt, - } - - static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m, -- struct tftp_t *recv_tp) -+ struct tftphdr *hdr) - { - if (spt->client_addr.ss_family == AF_INET6) { - struct sockaddr_in6 sa6, da6; - - sa6.sin6_addr = spt->slirp->vhost_addr6; -- sa6.sin6_port = recv_tp->udp.uh_dport; -+ sa6.sin6_port = hdr->udp.uh_dport; - da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr; - da6.sin6_port = spt->client_port; - -@@ -161,7 +161,7 @@ static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m, - struct sockaddr_in sa4, da4; - - sa4.sin_addr = spt->slirp->vhost_addr; -- sa4.sin_port = recv_tp->udp.uh_dport; -+ sa4.sin_port = hdr->udp.uh_dport; - da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr; - da4.sin_port = spt->client_port; - -@@ -183,14 +183,14 @@ static int tftp_send_oack(struct tftp_session *spt, const char *keys[], - - tp = tftp_prep_mbuf_data(spt, m); - -- tp->tp_op = htons(TFTP_OACK); -+ tp->hdr.tp_op = htons(TFTP_OACK); - for (i = 0; i < nb; i++) { - n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", keys[i]); - n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", values[i]); - } - -- m->m_len = G_SIZEOF_MEMBER(struct tftp_t, tp_op) + n; -- tftp_udp_output(spt, m, recv_tp); -+ m->m_len = G_SIZEOF_MEMBER(struct tftp_t, hdr.tp_op) + n; -+ tftp_udp_output(spt, m, &recv_tp->hdr); - - return 0; - } -@@ -211,21 +211,21 @@ static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode, - - tp = tftp_prep_mbuf_data(spt, m); - -- tp->tp_op = htons(TFTP_ERROR); -+ tp->hdr.tp_op = htons(TFTP_ERROR); - tp->x.tp_error.tp_error_code = htons(errorcode); - slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg), - msg); - - m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 + - strlen(msg) - sizeof(struct udphdr); -- tftp_udp_output(spt, m, recv_tp); -+ tftp_udp_output(spt, m, &recv_tp->hdr); - - out: - tftp_session_terminate(spt); - } - - static void tftp_send_next_block(struct tftp_session *spt, -- struct tftp_t *recv_tp) -+ struct tftphdr *hdr) - { - struct mbuf *m; - struct tftp_t *tp; -@@ -239,7 +239,7 @@ static void tftp_send_next_block(struct tftp_session *spt, - - tp = tftp_prep_mbuf_data(spt, m); - -- tp->tp_op = htons(TFTP_DATA); -+ tp->hdr.tp_op = htons(TFTP_DATA); - tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff); - - nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf, -@@ -257,7 +257,7 @@ static void tftp_send_next_block(struct tftp_session *spt, - - m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) - - sizeof(struct udphdr); -- tftp_udp_output(spt, m, recv_tp); -+ tftp_udp_output(spt, m, hdr); - - if (nobytes == spt->block_size) { - tftp_session_update(spt); -@@ -280,12 +280,12 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas, - int nb_options = 0; - - /* check if a session already exists and if so terminate it */ -- s = tftp_session_find(slirp, srcsas, tp); -+ s = tftp_session_find(slirp, srcsas, &tp->hdr); - if (s >= 0) { - tftp_session_terminate(&slirp->tftp_sessions[s]); - } - -- s = tftp_session_allocate(slirp, srcsas, tp); -+ s = tftp_session_allocate(slirp, srcsas, &tp->hdr); - - if (s < 0) { - return; -@@ -411,29 +411,29 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas, - } - - spt->block_nr = 0; -- tftp_send_next_block(spt, tp); -+ tftp_send_next_block(spt, &tp->hdr); - } - - static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas, -- struct tftp_t *tp, int pktlen) -+ struct tftphdr *hdr) - { - int s; - -- s = tftp_session_find(slirp, srcsas, tp); -+ s = tftp_session_find(slirp, srcsas, hdr); - - if (s < 0) { - return; - } - -- tftp_send_next_block(&slirp->tftp_sessions[s], tp); -+ tftp_send_next_block(&slirp->tftp_sessions[s], hdr); - } - - static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, -- struct tftp_t *tp, int pktlen) -+ struct tftphdr *hdr) - { - int s; - -- s = tftp_session_find(slirp, srcsas, tp); -+ s = tftp_session_find(slirp, srcsas, hdr); - - if (s < 0) { - return; -@@ -444,23 +444,25 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, - - void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m) - { -- struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf)); -+ struct tftphdr *hdr = mtod_check(m, sizeof(struct tftphdr)); - -- if (tp == NULL) { -+ if (hdr == NULL) { - return; - } - -- switch (ntohs(tp->tp_op)) { -+ switch (ntohs(hdr->tp_op)) { - case TFTP_RRQ: -- tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len); -+ tftp_handle_rrq(m->slirp, srcsas, -+ mtod(m, struct tftp_t *), -+ m->m_len); - break; - - case TFTP_ACK: -- tftp_handle_ack(m->slirp, srcsas, tp, m->m_len); -+ tftp_handle_ack(m->slirp, srcsas, hdr); - break; - - case TFTP_ERROR: -- tftp_handle_error(m->slirp, srcsas, tp, m->m_len); -+ tftp_handle_error(m->slirp, srcsas, hdr); - break; - } - } -diff --git a/slirp/src/tftp.h b/slirp/src/tftp.h -index c47bb43c7d0875e0df5fa50d6ed3..021f6cf109bca7dc17d3b30fa6e9 100644 ---- a/slirp/src/tftp.h -+++ b/slirp/src/tftp.h -@@ -18,9 +18,13 @@ - #define TFTP_FILENAME_MAX 512 - #define TFTP_BLOCKSIZE_MAX 1428 - --struct tftp_t { -+struct tftphdr { - struct udphdr udp; - uint16_t tp_op; -+} SLIRP_PACKED; -+ -+struct tftp_t { -+ struct tftphdr hdr; - union { - struct { - uint16_t tp_block_nr; diff --git a/packaging/tx_pkt-switch-to-use-qemu_receive_packet.patch b/packaging/tx_pkt-switch-to-use-qemu_receive_packet.patch deleted file mode 100644 index 268b4b2e8..000000000 --- a/packaging/tx_pkt-switch-to-use-qemu_receive_packet.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Jason Wang -Date: Wed, 24 Feb 2021 13:27:52 +0800 -Subject: tx_pkt: switch to use qemu_receive_packet_iov() for loopback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 8c552542b81e56ff532dd27ec6e5328954bdda73 - -This patch switches to use qemu_receive_receive_iov() which can detect -reentrancy and return early. - -This is intended to address CVE-2021-3416. - -Cc: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Jason Wang -Signed-off-by: Bruce Rogers ---- - hw/net/net_tx_pkt.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c -index 54d4c3bbd02dccc33ee3c7e710b4..646cdfaf4d1275806661deaa9e02 100644 ---- a/hw/net/net_tx_pkt.c -+++ b/hw/net/net_tx_pkt.c -@@ -544,7 +544,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt, - NetClientState *nc, const struct iovec *iov, int iov_cnt) - { - if (pkt->is_loopback) { -- nc->info->receive_iov(nc, iov, iov_cnt); -+ qemu_receive_packet_iov(nc, iov, iov_cnt); - } else { - qemu_sendv_packet(nc, iov, iov_cnt); - } diff --git a/packaging/tz-ppc-add-dummy-read-write-methods.patch b/packaging/tz-ppc-add-dummy-read-write-methods.patch deleted file mode 100644 index 9dd94a6d9..000000000 --- a/packaging/tz-ppc-add-dummy-read-write-methods.patch +++ /dev/null @@ -1,46 +0,0 @@ -From: Prasad J Pandit -Date: Tue, 11 Aug 2020 17:11:31 +0530 -Subject: tz-ppc: add dummy read/write methods - -Git-commit: 2c9fb3b784000c1df32231e1c2464bb2e3fc4620 -References: bsc#1173612, CVE-2020-15469 - -Add tz-ppc-dummy mmio read/write methods to avoid assert failure -during initialisation. - -Reviewed-by: Peter Maydell -Signed-off-by: Prasad J Pandit -Reviewed-by: Li Qiang -Message-Id: <20200811114133.672647-8-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Bruce Rogers ---- - hw/misc/tz-ppc.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/hw/misc/tz-ppc.c b/hw/misc/tz-ppc.c -index 181a5f1e8126732e8682b7702eaa..350ada85374c0df95ac815d41c57 100644 ---- a/hw/misc/tz-ppc.c -+++ b/hw/misc/tz-ppc.c -@@ -196,7 +196,21 @@ static bool tz_ppc_dummy_accepts(void *opaque, hwaddr addr, - g_assert_not_reached(); - } - -+static uint64_t tz_ppc_dummy_read(void *opaque, hwaddr addr, unsigned size) -+{ -+ g_assert_not_reached(); -+} -+ -+static void tz_ppc_dummy_write(void *opaque, hwaddr addr, -+ uint64_t data, unsigned size) -+{ -+ g_assert_not_reached(); -+} -+ - static const MemoryRegionOps tz_ppc_dummy_ops = { -+ /* define r/w methods to avoid assert failure in memory_region_init_io */ -+ .read = tz_ppc_dummy_read, -+ .write = tz_ppc_dummy_write, - .valid.accepts = tz_ppc_dummy_accepts, - }; - diff --git a/packaging/uas-add-stream-number-sanity-checks.patch b/packaging/uas-add-stream-number-sanity-checks.patch deleted file mode 100644 index 46f1710d1..000000000 --- a/packaging/uas-add-stream-number-sanity-checks.patch +++ /dev/null @@ -1,61 +0,0 @@ -From: Gerd Hoffmann -Date: Wed, 18 Aug 2021 14:05:05 +0200 -Subject: uas: add stream number sanity checks. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 13b250b12ad3c59114a6a17d59caf073ce45b33a -References: bsc#1189702 CVE-2021-3713 - -The device uses the guest-supplied stream number unchecked, which can -lead to guest-triggered out-of-band access to the UASDevice->data3 and -UASDevice->status3 fields. Add the missing checks. - -Fixes: CVE-2021-3713 -Signed-off-by: Gerd Hoffmann -Reported-by: Chen Zhe -Reported-by: Tan Jingguo -Reviewed-by: Philippe Mathieu-Daudé -Message-Id: <20210818120505.1258262-2-kraxel@redhat.com> -Signed-off-by: Jose R Ziviani ---- - hw/usb/dev-uas.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c -index 6d6d1073b90776d075b6ec7de8ec..0b8cd4dd5293339973613cb6ec0b 100644 ---- a/hw/usb/dev-uas.c -+++ b/hw/usb/dev-uas.c -@@ -830,6 +830,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) - } - break; - case UAS_PIPE_ID_STATUS: -+ if (p->stream > UAS_MAX_STREAMS) { -+ goto err_stream; -+ } - if (p->stream) { - QTAILQ_FOREACH(st, &uas->results, next) { - if (st->stream == p->stream) { -@@ -857,6 +860,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) - break; - case UAS_PIPE_ID_DATA_IN: - case UAS_PIPE_ID_DATA_OUT: -+ if (p->stream > UAS_MAX_STREAMS) { -+ goto err_stream; -+ } - if (p->stream) { - req = usb_uas_find_request(uas, p->stream); - } else { -@@ -892,6 +898,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) - p->status = USB_RET_STALL; - break; - } -+ -+err_stream: -+ error_report("%s: invalid stream %d", __func__, p->stream); -+ p->status = USB_RET_STALL; -+ return; - } - - static void usb_uas_unrealize(USBDevice *dev, Error **errp) diff --git a/packaging/udp-check-upd_input-buffer-size.patch b/packaging/udp-check-upd_input-buffer-size.patch deleted file mode 100644 index 9470824d4..000000000 --- a/packaging/udp-check-upd_input-buffer-size.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= -Date: Fri, 4 Jun 2021 16:40:23 +0400 -Subject: udp: check upd_input buffer size -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 74572be49247c8c5feae7c6e0b50c4f569ca9824 -References: bsc#1187367, CVE-2021-3594 - -Fixes: CVE-2021-3594 -Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/47 - -Signed-off-by: Marc-André Lureau -Signed-off-by: Jose R Ziviani ---- - src/udp.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/slirp/src/udp.c b/slirp/src/udp.c -index 6bde20fafab5695eedd48eb37590..c2d2f40b10880ccf677b5f10bb75 100644 ---- a/slirp/src/udp.c -+++ b/slirp/src/udp.c -@@ -90,7 +90,10 @@ void udp_input(register struct mbuf *m, int iphlen) - /* - * Get IP and UDP header together in first mbuf. - */ -- ip = mtod(m, struct ip *); -+ ip = mtod_check(m, iphlen + sizeof(struct udphdr)); -+ if (ip == NULL) { -+ goto bad; -+ } - uh = (struct udphdr *)((char *)ip + iphlen); - - /* diff --git a/packaging/upd6-check-udp6_input-buffer-size.patch b/packaging/upd6-check-udp6_input-buffer-size.patch deleted file mode 100644 index a2eecaadf..000000000 --- a/packaging/upd6-check-udp6_input-buffer-size.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= -Date: Fri, 4 Jun 2021 16:32:55 +0400 -Subject: upd6: check udp6_input buffer size -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: de71c15de66ba9350bf62c45b05f8fbff166517b -References: bsc#1187365, CVE-2021-3593 - -Fixes: CVE-2021-3593 -Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/45 - -Signed-off-by: Marc-André Lureau -Signed-off-by: Jose R Ziviani ---- - src/udp6.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/slirp/src/udp6.c b/slirp/src/udp6.c -index 6f9486bbcae904542547c590b0c3..8c490e4d10abecc536ce4405e223 100644 ---- a/slirp/src/udp6.c -+++ b/slirp/src/udp6.c -@@ -28,7 +28,10 @@ void udp6_input(struct mbuf *m) - ip = mtod(m, struct ip6 *); - m->m_len -= iphlen; - m->m_data += iphlen; -- uh = mtod(m, struct udphdr *); -+ uh = mtod_check(m, sizeof(struct udphdr)); -+ if (uh == NULL) { -+ goto bad; -+ } - m->m_len += iphlen; - m->m_data -= iphlen; - diff --git a/packaging/usb-fix-setup_len-init-CVE-2020-14364.patch b/packaging/usb-fix-setup_len-init-CVE-2020-14364.patch deleted file mode 100644 index 9391a5c31..000000000 --- a/packaging/usb-fix-setup_len-init-CVE-2020-14364.patch +++ /dev/null @@ -1,86 +0,0 @@ -From: Gerd Hoffmann -Date: Tue, 25 Aug 2020 07:36:36 +0200 -Subject: usb: fix setup_len init (CVE-2020-14364) - -Git-commit: b946434f2659a182afc17e155be6791ebfb302eb -References: bsc#1175441, CVE-2020-14364 - -Store calculated setup_len in a local variable, verify it, and only -write it to the struct (USBDevice->setup_len) in case it passed the -sanity checks. - -This prevents other code (do_token_{in,out} functions specifically) -from working with invalid USBDevice->setup_len values and overrunning -the USBDevice->setup_buf[] buffer. - -Fixes: CVE-2020-14364 -Signed-off-by: Gerd Hoffmann -Tested-by: Gonglei -Signed-off-by: Bruce Rogers ---- - hw/usb/core.c | 16 ++++++++++------ - 1 file changed, 10 insertions(+), 6 deletions(-) - -diff --git a/hw/usb/core.c b/hw/usb/core.c -index 5abd128b6bc5f5440e18b143fe41..5234dcc73fea6012f7143f307640 100644 ---- a/hw/usb/core.c -+++ b/hw/usb/core.c -@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream) - static void do_token_setup(USBDevice *s, USBPacket *p) - { - int request, value, index; -+ unsigned int setup_len; - - if (p->iov.size != 8) { - p->status = USB_RET_STALL; -@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p) - usb_packet_copy(p, s->setup_buf, p->iov.size); - s->setup_index = 0; - p->actual_length = 0; -- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; -- if (s->setup_len > sizeof(s->data_buf)) { -+ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; -+ if (setup_len > sizeof(s->data_buf)) { - fprintf(stderr, - "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", -- s->setup_len, sizeof(s->data_buf)); -+ setup_len, sizeof(s->data_buf)); - p->status = USB_RET_STALL; - return; - } -+ s->setup_len = setup_len; - - request = (s->setup_buf[0] << 8) | s->setup_buf[1]; - value = (s->setup_buf[3] << 8) | s->setup_buf[2]; -@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p) - static void do_parameter(USBDevice *s, USBPacket *p) - { - int i, request, value, index; -+ unsigned int setup_len; - - for (i = 0; i < 8; i++) { - s->setup_buf[i] = p->parameter >> (i*8); - } - - s->setup_state = SETUP_STATE_PARAM; -- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; - s->setup_index = 0; - - request = (s->setup_buf[0] << 8) | s->setup_buf[1]; - value = (s->setup_buf[3] << 8) | s->setup_buf[2]; - index = (s->setup_buf[5] << 8) | s->setup_buf[4]; - -- if (s->setup_len > sizeof(s->data_buf)) { -+ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; -+ if (setup_len > sizeof(s->data_buf)) { - fprintf(stderr, - "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", -- s->setup_len, sizeof(s->data_buf)); -+ setup_len, sizeof(s->data_buf)); - p->status = USB_RET_STALL; - return; - } -+ s->setup_len = setup_len; - - if (p->pid == USB_TOKEN_OUT) { - usb_packet_copy(p, s->data_buf, s->setup_len); diff --git a/packaging/usb-hid-avoid-dynamic-stack-allocation.patch b/packaging/usb-hid-avoid-dynamic-stack-allocation.patch deleted file mode 100644 index 0be5fb318..000000000 --- a/packaging/usb-hid-avoid-dynamic-stack-allocation.patch +++ /dev/null @@ -1,48 +0,0 @@ -From: Gerd Hoffmann -Date: Mon, 3 May 2021 15:29:11 +0200 -Subject: usb/hid: avoid dynamic stack allocation -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 3f67e2e7f135b8be4117f3c2960e78d894feaa03 -References: bsc#1186012, CVE-2021-3527 - -Use autofree heap allocation instead. - -Signed-off-by: Gerd Hoffmann -Reviewed-by: Philippe Mathieu-Daudé -Tested-by: Philippe Mathieu-Daudé -Message-Id: <20210503132915.2335822-2-kraxel@redhat.com> -Signed-off-by: Jose R Ziviani ---- - hw/usb/dev-hid.c | 2 +- - hw/usb/dev-wacom.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/usb/dev-hid.c b/hw/usb/dev-hid.c -index 88492f26e64682f73978fa0358b7..7f5762adb252a31f4c2f7b18bb60 100644 ---- a/hw/usb/dev-hid.c -+++ b/hw/usb/dev-hid.c -@@ -667,7 +667,7 @@ static void usb_hid_handle_data(USBDevice *dev, USBPacket *p) - { - USBHIDState *us = USB_HID(dev); - HIDState *hs = &us->hid; -- uint8_t buf[p->iov.size]; -+ g_autofree uint8_t *buf = g_malloc(p->iov.size); - int len = 0; - - switch (p->pid) { -diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c -index 8ed57b3b44444ad0e07e65ae0929..022e44a758e3d458f0159c3b874e 100644 ---- a/hw/usb/dev-wacom.c -+++ b/hw/usb/dev-wacom.c -@@ -306,7 +306,7 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p, - static void usb_wacom_handle_data(USBDevice *dev, USBPacket *p) - { - USBWacomState *s = (USBWacomState *) dev; -- uint8_t buf[p->iov.size]; -+ g_autofree uint8_t *buf = g_malloc(p->iov.size); - int len = 0; - - switch (p->pid) { diff --git a/packaging/usb-limit-combined-packets-to-1-MiB-CVE-.patch b/packaging/usb-limit-combined-packets-to-1-MiB-CVE-.patch deleted file mode 100644 index d0539ac06..000000000 --- a/packaging/usb-limit-combined-packets-to-1-MiB-CVE-.patch +++ /dev/null @@ -1,36 +0,0 @@ -From: Gerd Hoffmann -Date: Mon, 3 May 2021 15:29:15 +0200 -Subject: usb: limit combined packets to 1 MiB (CVE-2021-3527) - -Git-commit: 05a40b172e4d691371534828078be47e7fff524c -References: bsc#1186012, CVE-2021-3527 - -usb-host and usb-redirect try to batch bulk transfers by combining many -small usb packets into a single, large transfer request, to reduce the -overhead and improve performance. - -This patch adds a size limit of 1 MiB for those combined packets to -restrict the host resources the guest can bind that way. - -Signed-off-by: Gerd Hoffmann -Message-Id: <20210503132915.2335822-6-kraxel@redhat.com> -Signed-off-by: Jose R Ziviani ---- - hw/usb/combined-packet.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c -index 5d57e883dcb515c9b8acc58d97b4..e56802f89a32f44bc94f3b3dbda2 100644 ---- a/hw/usb/combined-packet.c -+++ b/hw/usb/combined-packet.c -@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep) - if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok || - next == NULL || - /* Work around for Linux usbfs bulk splitting + migration */ -- (totalsize == (16 * KiB - 36) && p->int_req)) { -+ (totalsize == (16 * KiB - 36) && p->int_req) || -+ /* Next package may grow combined package over 1MiB */ -+ totalsize > 1 * MiB - ep->max_packet_size) { - usb_device_handle_data(ep->dev, first); - assert(first->status == USB_RET_ASYNC); - if (first->combined) { diff --git a/packaging/usb-mtp-avoid-dynamic-stack-allocation.patch b/packaging/usb-mtp-avoid-dynamic-stack-allocation.patch deleted file mode 100644 index 654fcd8f7..000000000 --- a/packaging/usb-mtp-avoid-dynamic-stack-allocation.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Gerd Hoffmann -Date: Mon, 3 May 2021 15:29:13 +0200 -Subject: usb/mtp: avoid dynamic stack allocation -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 06aa50c06c6392084244f8169d34b8e2d9c43ef2 -References: bsc#1186012, CVE-2021-3527 - -Use autofree heap allocation instead. - -Signed-off-by: Gerd Hoffmann -Reviewed-by: Philippe Mathieu-Daudé -Tested-by: Philippe Mathieu-Daudé -Message-Id: <20210503132915.2335822-4-kraxel@redhat.com> -Signed-off-by: Jose R Ziviani ---- - hw/usb/dev-mtp.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c -index 13815df4737ef8f46e6f857153b1..02bcb377f6f1cd0053808ad80ee5 100644 ---- a/hw/usb/dev-mtp.c -+++ b/hw/usb/dev-mtp.c -@@ -906,7 +906,8 @@ static MTPData *usb_mtp_get_object_handles(MTPState *s, MTPControl *c, - MTPObject *o) - { - MTPData *d = usb_mtp_data_alloc(c); -- uint32_t i = 0, handles[o->nchildren]; -+ uint32_t i = 0; -+ g_autofree uint32_t *handles = g_new(uint32_t, o->nchildren); - MTPObject *iter; - - trace_usb_mtp_op_get_object_handles(s->dev.addr, o->handle, o->path); diff --git a/packaging/usb-redir-avoid-dynamic-stack-allocation.patch b/packaging/usb-redir-avoid-dynamic-stack-allocation.patch deleted file mode 100644 index 26fe40fea..000000000 --- a/packaging/usb-redir-avoid-dynamic-stack-allocation.patch +++ /dev/null @@ -1,53 +0,0 @@ -From: Gerd Hoffmann -Date: Mon, 3 May 2021 15:29:12 +0200 -Subject: usb/redir: avoid dynamic stack allocation (CVE-2021-3527) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 -References: bsc#1186012, CVE-2021-3527 - -Use autofree heap allocation instead. - -Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket") -Reviewed-by: Philippe Mathieu-Daudé -Signed-off-by: Gerd Hoffmann -Tested-by: Philippe Mathieu-Daudé -Message-Id: <20210503132915.2335822-3-kraxel@redhat.com> -Signed-off-by: Jose R Ziviani ---- - hw/usb/redirect.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c -index e0f5ca6f818b28eac0f838b6c172..dd779c45d2faa91eaeb107ca6398 100644 ---- a/hw/usb/redirect.c -+++ b/hw/usb/redirect.c -@@ -607,7 +607,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p, - .endpoint = ep, - .length = p->iov.size - }; -- uint8_t buf[p->iov.size]; -+ g_autofree uint8_t *buf = g_malloc(p->iov.size); - /* No id, we look at the ep when receiving a status back */ - usb_packet_copy(p, buf, p->iov.size); - usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet, -@@ -805,7 +805,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p, - usbredirparser_send_bulk_packet(dev->parser, p->id, - &bulk_packet, NULL, 0); - } else { -- uint8_t buf[size]; -+ g_autofree uint8_t *buf = g_malloc(size); - usb_packet_copy(p, buf, size); - usbredir_log_data(dev, "bulk data out:", buf, size); - usbredirparser_send_bulk_packet(dev->parser, p->id, -@@ -910,7 +910,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev, - USBPacket *p, uint8_t ep) - { - struct usb_redir_interrupt_packet_header interrupt_packet; -- uint8_t buf[p->iov.size]; -+ g_autofree uint8_t *buf = g_malloc(p->iov.size); - - DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep, - p->iov.size, p->id); diff --git a/packaging/usbredir-fix-free-call.patch b/packaging/usbredir-fix-free-call.patch deleted file mode 100644 index d2637eec1..000000000 --- a/packaging/usbredir-fix-free-call.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Gerd Hoffmann -Date: Thu, 22 Jul 2021 09:27:56 +0200 -Subject: usbredir: fix free call -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 5e796671e6b8d5de4b0b423dce1b3eba144a92c9 -References: bsc#1189145 CVE-2021-3682 - -data might point into the middle of a larger buffer, there is a separate -free_on_destroy pointer passed into bufp_alloc() to handle that. It is -only used in the normal workflow though, not when dropping packets due -to the queue being full. Fix that. - -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/491 -Signed-off-by: Gerd Hoffmann -Reviewed-by: Marc-André Lureau -Message-Id: <20210722072756.647673-1-kraxel@redhat.com> -Signed-off-by: Jose R Ziviani ---- - hw/usb/redirect.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c -index dd779c45d2faa91eaeb107ca6398..7efff2b28766f92d03a0e1d1f8bf 100644 ---- a/hw/usb/redirect.c -+++ b/hw/usb/redirect.c -@@ -463,7 +463,7 @@ static int bufp_alloc(USBRedirDevice *dev, uint8_t *data, uint16_t len, - if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) { - if (dev->endpoint[EP2I(ep)].bufpq_size > - dev->endpoint[EP2I(ep)].bufpq_target_size) { -- free(data); -+ free(free_on_destroy); - return -1; - } - dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0; diff --git a/packaging/vfio-Create-shared-routine-for-scanning-.patch b/packaging/vfio-Create-shared-routine-for-scanning-.patch deleted file mode 100644 index 08c895a0b..000000000 --- a/packaging/vfio-Create-shared-routine-for-scanning-.patch +++ /dev/null @@ -1,64 +0,0 @@ -From: Matthew Rosato -Date: Mon, 26 Oct 2020 11:34:32 -0400 -Subject: vfio: Create shared routine for scanning info capabilities -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 3ab7a0b40d4be5ade3b61d4afd1518193b199423 -References: bsc#1179719 - -Rather than duplicating the same loop in multiple locations, -create a static function to do the work. - -Signed-off-by: Matthew Rosato -Reviewed-by: Philippe Mathieu-Daudé -Reviewed-by: Cornelia Huck -Signed-off-by: Alex Williamson -Signed-off-by: Liang Yan ---- - hw/vfio/common.c | 21 +++++++++++++-------- - 1 file changed, 13 insertions(+), 8 deletions(-) - -diff --git a/hw/vfio/common.c b/hw/vfio/common.c -index 5ca11488d67635c09088b3f5b789..77d62d2dcdf67516c3e5b42e7def 100644 ---- a/hw/vfio/common.c -+++ b/hw/vfio/common.c -@@ -826,17 +826,12 @@ static void vfio_listener_release(VFIOContainer *container) - } - } - --struct vfio_info_cap_header * --vfio_get_region_info_cap(struct vfio_region_info *info, uint16_t id) -+static struct vfio_info_cap_header * -+vfio_get_cap(void *ptr, uint32_t cap_offset, uint16_t id) - { - struct vfio_info_cap_header *hdr; -- void *ptr = info; -- -- if (!(info->flags & VFIO_REGION_INFO_FLAG_CAPS)) { -- return NULL; -- } - -- for (hdr = ptr + info->cap_offset; hdr != ptr; hdr = ptr + hdr->next) { -+ for (hdr = ptr + cap_offset; hdr != ptr; hdr = ptr + hdr->next) { - if (hdr->id == id) { - return hdr; - } -@@ -845,6 +840,16 @@ vfio_get_region_info_cap(struct vfio_region_info *info, uint16_t id) - return NULL; - } - -+struct vfio_info_cap_header * -+vfio_get_region_info_cap(struct vfio_region_info *info, uint16_t id) -+{ -+ if (!(info->flags & VFIO_REGION_INFO_FLAG_CAPS)) { -+ return NULL; -+ } -+ -+ return vfio_get_cap((void *)info, info->cap_offset, id); -+} -+ - static int vfio_setup_region_sparse_mmaps(VFIORegion *region, - struct vfio_region_info *info) - { diff --git a/packaging/vfio-Find-DMA-available-capability.patch b/packaging/vfio-Find-DMA-available-capability.patch deleted file mode 100644 index f374afbc8..000000000 --- a/packaging/vfio-Find-DMA-available-capability.patch +++ /dev/null @@ -1,77 +0,0 @@ -From: Matthew Rosato -Date: Mon, 26 Oct 2020 11:34:33 -0400 -Subject: vfio: Find DMA available capability - -Git-commit: 7486a62845b1e12011dd99973e4739f69d57cd38 -References: bsc#1179719 - -The underlying host may be limiting the number of outstanding DMA -requests for type 1 IOMMU. Add helper functions to check for the -DMA available capability and retrieve the current number of DMA -mappings allowed. - -Signed-off-by: Matthew Rosato -Reviewed-by: Cornelia Huck -[aw: vfio_get_info_dma_avail moved inside CONFIG_LINUX] -Signed-off-by: Alex Williamson -Signed-off-by: Liang Yan ---- - hw/vfio/common.c | 31 +++++++++++++++++++++++++++++++ - include/hw/vfio/vfio-common.h | 2 ++ - 2 files changed, 33 insertions(+) - -diff --git a/hw/vfio/common.c b/hw/vfio/common.c -index 77d62d2dcdf67516c3e5b42e7def..23efdfadebd0db3c8b7bf03e9b07 100644 ---- a/hw/vfio/common.c -+++ b/hw/vfio/common.c -@@ -850,6 +850,37 @@ vfio_get_region_info_cap(struct vfio_region_info *info, uint16_t id) - return vfio_get_cap((void *)info, info->cap_offset, id); - } - -+static struct vfio_info_cap_header * -+vfio_get_iommu_type1_info_cap(struct vfio_iommu_type1_info *info, uint16_t id) -+{ -+ if (!(info->flags & VFIO_IOMMU_INFO_CAPS)) { -+ return NULL; -+ } -+ -+ return vfio_get_cap((void *)info, info->cap_offset, id); -+} -+ -+bool vfio_get_info_dma_avail(struct vfio_iommu_type1_info *info, -+ unsigned int *avail) -+{ -+ struct vfio_info_cap_header *hdr; -+ struct vfio_iommu_type1_info_dma_avail *cap; -+ -+ /* If the capability cannot be found, assume no DMA limiting */ -+ hdr = vfio_get_iommu_type1_info_cap(info, -+ VFIO_IOMMU_TYPE1_INFO_DMA_AVAIL); -+ if (hdr == NULL) { -+ return false; -+ } -+ -+ if (avail != NULL) { -+ cap = (void *) hdr; -+ *avail = cap->avail; -+ } -+ -+ return true; -+} -+ - static int vfio_setup_region_sparse_mmaps(VFIORegion *region, - struct vfio_region_info *info) - { -diff --git a/include/hw/vfio/vfio-common.h b/include/hw/vfio/vfio-common.h -index fd564209ac710afb15325a452b8f..aa6cbe4a99890a229aa7a1e0c39c 100644 ---- a/include/hw/vfio/vfio-common.h -+++ b/include/hw/vfio/vfio-common.h -@@ -191,6 +191,8 @@ int vfio_get_dev_region_info(VFIODevice *vbasedev, uint32_t type, - bool vfio_has_region_cap(VFIODevice *vbasedev, int region, uint16_t cap_type); - struct vfio_info_cap_header * - vfio_get_region_info_cap(struct vfio_region_info *info, uint16_t id); -+bool vfio_get_info_dma_avail(struct vfio_iommu_type1_info *info, -+ unsigned int *avail); - #endif - extern const MemoryListener vfio_prereg_listener; - diff --git a/packaging/vfio-add-quirk-device-write-method.patch b/packaging/vfio-add-quirk-device-write-method.patch deleted file mode 100644 index cb78f4799..000000000 --- a/packaging/vfio-add-quirk-device-write-method.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: Prasad J Pandit -Date: Tue, 11 Aug 2020 17:11:27 +0530 -Subject: vfio: add quirk device write method - -Git-commit: 24202d2b561c3b4c48bd28383c8c34b4ac66c2bf -References: bsc#1173612, CVE-2020-15469 - -Add vfio quirk device mmio write method to avoid NULL pointer -dereference issue. - -Reported-by: Lei Sun -Reviewed-by: Li Qiang -Reviewed-by: Peter Maydell -Acked-by: Alex Williamson -Signed-off-by: Prasad J Pandit -Message-Id: <20200811114133.672647-4-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Bruce Rogers ---- - hw/vfio/pci-quirks.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c -index 136f3a9ad6e560a0f8a31c7b2b3a..a9656c0deec36a04440f1d8fcb83 100644 ---- a/hw/vfio/pci-quirks.c -+++ b/hw/vfio/pci-quirks.c -@@ -13,6 +13,7 @@ - #include "qemu/osdep.h" - #include "exec/memop.h" - #include "qemu/units.h" -+#include "qemu/log.h" - #include "qemu/error-report.h" - #include "qemu/main-loop.h" - #include "qemu/module.h" -@@ -278,8 +279,15 @@ static uint64_t vfio_ati_3c3_quirk_read(void *opaque, - return data; - } - -+static void vfio_ati_3c3_quirk_write(void *opaque, hwaddr addr, -+ uint64_t data, unsigned size) -+{ -+ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid access\n", __func__); -+} -+ - static const MemoryRegionOps vfio_ati_3c3_quirk = { - .read = vfio_ati_3c3_quirk_read, -+ .write = vfio_ati_3c3_quirk_write, - .endianness = DEVICE_LITTLE_ENDIAN, - }; - diff --git a/packaging/vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch b/packaging/vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch deleted file mode 100644 index bccace1f4..000000000 --- a/packaging/vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch +++ /dev/null @@ -1,61 +0,0 @@ -From: =?UTF-8?q?Andreas=20F=C3=A4rber?= -Date: Wed, 12 Jun 2013 19:26:37 +0200 -Subject: vga: Raise VRAM to 16 MiB for pc-0.15 and below -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -References: bnc#812836 - -qemu-kvm.git commit a7fe0297840908a4fd65a1cf742481ccd45960eb -(Extend vram size to 16MB) deviated from qemu.git since kvm-61, and only -in commit 9e56edcf8dd1d4bc7ba2b1efb3641f36c0fad8ba (vga: raise default -vgamem size) did qemu.git adjust the VRAM size for v1.2. - -Add compatibility properties so that up to and including pc-0.15 we -maintain migration compatibility with qemu-kvm rather than QEMU and -from pc-1.0 on with QEMU (last qemu-kvm release was 1.2). - -Signed-off-by: Andreas Färber -[BR: adjust comma position in list in macro for v2.5.0 compat] -Signed-off-by: Bruce Rogers ---- - hw/i386/pc_piix.c | 25 +++++++++++++++++++++++++ - 1 file changed, 25 insertions(+) - -diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c -index 1bd70d1abbc434edb8b5ca69ee5d..d760d3589607daf4997ea76854c4 100644 ---- a/hw/i386/pc_piix.c -+++ b/hw/i386/pc_piix.c -@@ -804,6 +804,31 @@ static void pc_i440fx_0_15_machine_options(MachineClass *m) - { - static GlobalProperty compat[] = { - PC_CPU_MODEL_IDS("0.15") -+ { -+ .driver = "VGA", -+ .property = "vgamem_mb", -+ .value = stringify(16), -+ },{ -+ .driver = "vmware-svga", -+ .property = "vgamem_mb", -+ .value = stringify(16), -+ },{ -+ .driver = "qxl-vga", -+ .property = "vgamem_mb", -+ .value = stringify(16), -+ },{ -+ .driver = "qxl", -+ .property = "vgamem_mb", -+ .value = stringify(16), -+ },{ -+ .driver = "isa-cirrus-vga", -+ .property = "vgamem_mb", -+ .value = stringify(16), -+ },{ -+ .driver = "cirrus-vga", -+ .property = "vgamem_mb", -+ .value = stringify(16), -+ }, - }; - - pc_i440fx_1_0_machine_options(m); diff --git a/packaging/vga-fix-cirrus-bios.patch b/packaging/vga-fix-cirrus-bios.patch deleted file mode 100644 index c123d2cb1..000000000 --- a/packaging/vga-fix-cirrus-bios.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Gerd Hoffmann -Date: Thu, 25 Jun 2020 11:17:09 +0200 -Subject: vga: fix cirrus bios - -Git-commit: d11c75185276ded944f2ea0277532b7fee849bbc - -Little mistake, big effect. The patch adding the ati driver broke -cirrus due to a missing "else", which effectively downgrades cirrus -to standard vga. - -Fixes: 34b6ecc16074 ("vga: add atiext driver") -Signed-off-by: Gerd Hoffmann -Signed-off-by: Bruce Rogers ---- - vgasrc/vgahw.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/roms/seabios/vgasrc/vgahw.h b/roms/seabios/vgasrc/vgahw.h -index c774f4f2c6b7c8012096bac2f0ed..8b64660e5ef70d71b440013300bc 100644 ---- a/roms/seabios/vgasrc/vgahw.h -+++ b/roms/seabios/vgasrc/vgahw.h -@@ -36,7 +36,7 @@ static inline int vgahw_set_mode(struct vgamode_s *vmode_g, int flags) { - static inline void vgahw_list_modes(u16 seg, u16 *dest, u16 *last) { - if (CONFIG_VGA_CIRRUS) - clext_list_modes(seg, dest, last); -- if (CONFIG_VGA_ATI) -+ else if (CONFIG_VGA_ATI) - ati_list_modes(seg, dest, last); - else if (CONFIG_VGA_BOCHS) - bochsvga_list_modes(seg, dest, last); diff --git a/packaging/vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch b/packaging/vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch deleted file mode 100644 index 690f01b14..000000000 --- a/packaging/vhost-correctly-turn-on-VIRTIO_F_IOMMU_P.patch +++ /dev/null @@ -1,56 +0,0 @@ -From: Jason Wang -Date: Mon, 2 Mar 2020 12:24:54 +0800 -Subject: vhost: correctly turn on VIRTIO_F_IOMMU_PLATFORM - -References: bsc#1167075, bsc#1167445 - -We turn on device IOTLB via VIRTIO_F_IOMMU_PLATFORM unconditionally on -platform without IOMMU support. This can lead unnecessary IOTLB -transactions which will damage the performance. - -Fixing this by check whether the device is backed by IOMMU and disable -device IOTLB. - -Reported-by: Halil Pasic -Tested-by: Halil Pasic -Reviewed-by: Halil Pasic -Signed-off-by: Jason Wang -Message-Id: <20200302042454.24814-1-jasowang@redhat.com> -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin -(cherry picked from commit f7ef7e6e3ba6e994e070cc609eb154339d1c4a11) -Signed-off-by: Bruce Rogers ---- - hw/virtio/vhost.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c -index 4da0d5a6c5867325cb8cacab4894..554e76434ffaf2dc9ada0d4bdd7a 100644 ---- a/hw/virtio/vhost.c -+++ b/hw/virtio/vhost.c -@@ -290,7 +290,14 @@ static int vhost_dev_has_iommu(struct vhost_dev *dev) - { - VirtIODevice *vdev = dev->vdev; - -- return virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM); -+ /* -+ * For vhost, VIRTIO_F_IOMMU_PLATFORM means the backend support -+ * incremental memory mapping API via IOTLB API. For platform that -+ * does not have IOMMU, there's no need to enable this feature -+ * which may cause unnecessary IOTLB miss/update trnasactions. -+ */ -+ return vdev->dma_as != &address_space_memory && -+ virtio_host_has_feature(vdev, VIRTIO_F_IOMMU_PLATFORM); - } - - static void *vhost_memory_map(struct vhost_dev *dev, hwaddr addr, -@@ -762,6 +769,9 @@ static int vhost_dev_set_features(struct vhost_dev *dev, - if (enable_log) { - features |= 0x1ULL << VHOST_F_LOG_ALL; - } -+ if (!vhost_dev_has_iommu(dev)) { -+ features &= ~(0x1ULL << VIRTIO_F_IOMMU_PLATFORM); -+ } - r = dev->vhost_ops->vhost_set_features(dev, features); - if (r < 0) { - VHOST_OPS_DEBUG("vhost_set_features failed"); diff --git a/packaging/vhost-user-gpu-abstract-vg_cleanup_mappi.patch b/packaging/vhost-user-gpu-abstract-vg_cleanup_mappi.patch deleted file mode 100644 index c334da8ab..000000000 --- a/packaging/vhost-user-gpu-abstract-vg_cleanup_mappi.patch +++ /dev/null @@ -1,133 +0,0 @@ -From: Li Qiang -Date: Sat, 15 May 2021 20:04:03 -0700 -Subject: vhost-user-gpu: abstract vg_cleanup_mapping_iov -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 3ea32d1355d446057c17458238db2749c52ee8f0 -References: CVE-2021-3546 bsc#1185981 - CVE-2021-3545 bsc#1185990 - CVE-2021-3544 - -Currently in vhost-user-gpu, we free resource directly in -the cleanup case of resource. If we change the cleanup logic -we need to change several places, also abstruct a -'vg_create_mapping_iov' can be symmetry with the -'vg_create_mapping_iov'. This is like what virtio-gpu does, -no function changed. - -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-Id: <20210516030403.107723-9-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann -Signed-off-by: Jose R. Ziviani ---- - contrib/vhost-user-gpu/main.c | 24 ++++++++++++++++++++---- - contrib/vhost-user-gpu/virgl.c | 9 +++++---- - contrib/vhost-user-gpu/vugpu.h | 2 +- - 3 files changed, 26 insertions(+), 9 deletions(-) - -diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c -index 9554e8984b878711e5f3dd043101..75c1aa6ed54f08b3d8c141f854aa 100644 ---- a/contrib/vhost-user-gpu/main.c -+++ b/contrib/vhost-user-gpu/main.c -@@ -49,6 +49,8 @@ static char *opt_render_node; - static gboolean opt_virgl; - - static void vg_handle_ctrl(VuDev *dev, int qidx); -+static void vg_cleanup_mapping(VuGpu *g, -+ struct virtio_gpu_simple_resource *res); - - static const char * - vg_cmd_to_string(int cmd) -@@ -379,7 +381,7 @@ vg_resource_destroy(VuGpu *g, - } - - vugbm_buffer_destroy(&res->buffer); -- g_free(res->iov); -+ vg_cleanup_mapping(g, res); - pixman_image_unref(res->image); - QTAILQ_REMOVE(&g->reslist, res, next); - g_free(res); -@@ -483,6 +485,22 @@ vg_resource_attach_backing(VuGpu *g, - res->iov_cnt = ab.nr_entries; - } - -+/* Though currently only free iov, maybe later will do more work. */ -+void vg_cleanup_mapping_iov(VuGpu *g, -+ struct iovec *iov, uint32_t count) -+{ -+ g_free(iov); -+} -+ -+static void -+vg_cleanup_mapping(VuGpu *g, -+ struct virtio_gpu_simple_resource *res) -+{ -+ vg_cleanup_mapping_iov(g, res->iov, res->iov_cnt); -+ res->iov = NULL; -+ res->iov_cnt = 0; -+} -+ - static void - vg_resource_detach_backing(VuGpu *g, - struct virtio_gpu_ctrl_command *cmd) -@@ -501,9 +519,7 @@ vg_resource_detach_backing(VuGpu *g, - return; - } - -- g_free(res->iov); -- res->iov = NULL; -- res->iov_cnt = 0; -+ vg_cleanup_mapping(g, res); - } - - static void -diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c -index 1f7678ecb82432640401636f1276..031e10e8b9f1aa666ab0a8c3ca62 100644 ---- a/contrib/vhost-user-gpu/virgl.c -+++ b/contrib/vhost-user-gpu/virgl.c -@@ -113,8 +113,9 @@ virgl_cmd_resource_unref(VuGpu *g, - virgl_renderer_resource_detach_iov(unref.resource_id, - &res_iovs, - &num_iovs); -- g_free(res_iovs); -- -+ if (res_iovs != NULL && num_iovs != 0) { -+ vg_cleanup_mapping_iov(g, res_iovs, num_iovs); -+ } - virgl_renderer_resource_unref(unref.resource_id); - } - -@@ -291,7 +292,7 @@ virgl_resource_attach_backing(VuGpu *g, - ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, - res_iovs, att_rb.nr_entries); - if (ret != 0) { -- g_free(res_iovs); -+ vg_cleanup_mapping_iov(g, res_iovs, att_rb.nr_entries); - } - } - -@@ -311,7 +312,7 @@ virgl_resource_detach_backing(VuGpu *g, - if (res_iovs == NULL || num_iovs == 0) { - return; - } -- g_free(res_iovs); -+ vg_cleanup_mapping_iov(g, res_iovs, num_iovs); - } - - static void -diff --git a/contrib/vhost-user-gpu/vugpu.h b/contrib/vhost-user-gpu/vugpu.h -index 3153c9a6de1409b8a0f0bc16b287..284e19aeb86f5b0e01f11b7d1ab7 100644 ---- a/contrib/vhost-user-gpu/vugpu.h -+++ b/contrib/vhost-user-gpu/vugpu.h -@@ -164,7 +164,7 @@ int vg_create_mapping_iov(VuGpu *g, - struct virtio_gpu_resource_attach_backing *ab, - struct virtio_gpu_ctrl_command *cmd, - struct iovec **iov); -- -+void vg_cleanup_mapping_iov(VuGpu *g, struct iovec *iov, uint32_t count); - void vg_get_display_info(VuGpu *vg, struct virtio_gpu_ctrl_command *cmd); - - void vg_wait_ok(VuGpu *g); diff --git a/packaging/vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch b/packaging/vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch deleted file mode 100644 index d0991da47..000000000 --- a/packaging/vhost-user-gpu-fix-OOB-write-in-virgl_cm.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Li Qiang -Date: Sat, 15 May 2021 20:04:02 -0700 -Subject: vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' - (CVE-2021-3546) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 9f22893adcb02580aee5968f32baa2cd109b3ec2 -References: CVE-2021-3546 bsc#1185981 - -If 'virgl_cmd_get_capset' set 'max_size' to 0, -the 'virgl_renderer_fill_caps' will write the data after the 'resp'. -This patch avoid this by checking the returned 'max_size'. - -virtio-gpu fix: abd7f08b23 ("display: virtio-gpu-3d: check -virgl capabilities max_size") - -Fixes: CVE-2021-3546 -Reported-by: Li Qiang -Reviewed-by: Prasad J Pandit -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-Id: <20210516030403.107723-8-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann -Signed-off-by: Jose R. Ziviani ---- - contrib/vhost-user-gpu/virgl.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c -index 305caceba71e371d1534ad8237da..1f7678ecb82432640401636f1276 100644 ---- a/contrib/vhost-user-gpu/virgl.c -+++ b/contrib/vhost-user-gpu/virgl.c -@@ -174,6 +174,10 @@ virgl_cmd_get_capset(VuGpu *g, - - virgl_renderer_get_cap_set(gc.capset_id, &max_ver, - &max_size); -+ if (!max_size) { -+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; -+ return; -+ } - resp = g_malloc0(sizeof(*resp) + max_size); - - resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; diff --git a/packaging/vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch b/packaging/vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch deleted file mode 100644 index 1f080e4c5..000000000 --- a/packaging/vhost-user-gpu-fix-leak-in-virgl_cmd_res.patch +++ /dev/null @@ -1,55 +0,0 @@ -From: Li Qiang -Date: Sat, 15 May 2021 20:04:00 -0700 -Subject: vhost-user-gpu: fix leak in 'virgl_cmd_resource_unref' - (CVE-2021-3544) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-comit: f6091d86ba9ea05f4e111b9b42ee0005c37a6779 -References: CVE-2021-3544 - -The 'res->iov' will be leaked if the guest trigger following sequences: - - virgl_cmd_create_resource_2d - virgl_resource_attach_backing - virgl_cmd_resource_unref - -This patch fixes this. - -Fixes: CVE-2021-3544 -Reported-by: Li Qiang -virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak -in virgl_cmd_resource_unref" - -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-Id: <20210516030403.107723-6-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann -Signed-off-by: Jose R. Ziviani -[jrz: tweaked title to not break spec file] ---- - contrib/vhost-user-gpu/virgl.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c -index a26fb96325ac2a459bbea8cc4240..ec8caca72f08026bf3cf859d2a55 100644 ---- a/contrib/vhost-user-gpu/virgl.c -+++ b/contrib/vhost-user-gpu/virgl.c -@@ -105,9 +105,16 @@ virgl_cmd_resource_unref(VuGpu *g, - struct virtio_gpu_ctrl_command *cmd) - { - struct virtio_gpu_resource_unref unref; -+ struct iovec *res_iovs = NULL; -+ int num_iovs = 0; - - VUGPU_FILL_CMD(unref); - -+ virgl_renderer_resource_detach_iov(unref.resource_id, -+ &res_iovs, -+ &num_iovs); -+ g_free(res_iovs); -+ - virgl_renderer_resource_unref(unref.resource_id); - } - diff --git a/packaging/vhost-user-gpu-fix-leak-in-virgl_resourc.patch b/packaging/vhost-user-gpu-fix-leak-in-virgl_resourc.patch deleted file mode 100644 index 4add06e67..000000000 --- a/packaging/vhost-user-gpu-fix-leak-in-virgl_resourc.patch +++ /dev/null @@ -1,46 +0,0 @@ -From: Li Qiang -Date: Sat, 15 May 2021 20:04:01 -0700 -Subject: vhost-user-gpu: fix leak in 'virgl_resource_attach_backing' - (CVE-2021-3544) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 63736af5a6571d9def93769431e0d7e38c6677bf -References: CVE-2021-3544 - -If 'virgl_renderer_resource_attach_iov' failed, the 'res_iovs' will -be leaked. - -Fixes: CVE-2021-3544 -Reported-by: Li Qiang -virtio-gpu fix: 33243031da ("virtio-gpu-3d: fix memory leak -in resource attach backing") - -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-Id: <20210516030403.107723-7-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann -Signed-off-by: Jose R. Ziviani -[jrz: tweak title to not break spec file] ---- - contrib/vhost-user-gpu/virgl.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c -index ec8caca72f08026bf3cf859d2a55..305caceba71e371d1534ad8237da 100644 ---- a/contrib/vhost-user-gpu/virgl.c -+++ b/contrib/vhost-user-gpu/virgl.c -@@ -284,8 +284,11 @@ virgl_resource_attach_backing(VuGpu *g, - return; - } - -- virgl_renderer_resource_attach_iov(att_rb.resource_id, -+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, - res_iovs, att_rb.nr_entries); -+ if (ret != 0) { -+ g_free(res_iovs); -+ } - } - - static void diff --git a/packaging/vhost-user-gpu-fix-memory-disclosure-in-.patch b/packaging/vhost-user-gpu-fix-memory-disclosure-in-.patch deleted file mode 100644 index 3b070d2ed..000000000 --- a/packaging/vhost-user-gpu-fix-memory-disclosure-in-.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Li Qiang -Date: Sat, 15 May 2021 20:03:56 -0700 -Subject: vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info - (CVE-2021-3545) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 121841b25d72d13f8cad554363138c360f1250ea -References: CVE-2021-3545 bsc#1185990 - -Otherwise some of the 'resp' will be leaked to guest. - -Fixes: CVE-2021-3545 -Reported-by: Li Qiang -virtio-gpu fix: 42a8dadc74 ("virtio-gpu: fix information leak -in getting capset info dispatch") - -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-Id: <20210516030403.107723-2-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann -Signed-off-by: Jose R. Ziviani ---- - contrib/vhost-user-gpu/virgl.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/contrib/vhost-user-gpu/virgl.c b/contrib/vhost-user-gpu/virgl.c -index b0bc22c3c13db0e8b0b450dac19d..a26fb96325ac2a459bbea8cc4240 100644 ---- a/contrib/vhost-user-gpu/virgl.c -+++ b/contrib/vhost-user-gpu/virgl.c -@@ -125,6 +125,7 @@ virgl_cmd_get_capset_info(VuGpu *g, - - VUGPU_FILL_CMD(info); - -+ memset(&resp, 0, sizeof(resp)); - if (info.capset_index == 0) { - resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL; - virgl_renderer_get_cap_set(resp.capset_id, diff --git a/packaging/vhost-user-gpu-fix-memory-leak-in-vg_res.patch b/packaging/vhost-user-gpu-fix-memory-leak-in-vg_res.patch deleted file mode 100644 index 6fcc432ac..000000000 --- a/packaging/vhost-user-gpu-fix-memory-leak-in-vg_res.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Li Qiang -Date: Sat, 15 May 2021 20:03:58 -0700 -Subject: vhost-user-gpu: fix memory leak in vg_resource_attach_backing - (CVE-2021-3544) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: b9f79858a614d95f5de875d0ca31096eaab72c3b -References: CVE-2021-3544 - -Check whether the 'res' has already been attach_backing to avoid -memory leak. - -Fixes: CVE-2021-3544 -Reported-by: Li Qiang -virtio-gpu fix: 204f01b309 ("virtio-gpu: fix memory leak -in resource attach backing") - -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-Id: <20210516030403.107723-4-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann -Signed-off-by: Jose R. Ziviani ---- - contrib/vhost-user-gpu/main.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c -index 74c97c1585f6bd2e9cef94cde3af..e728237858d279a32698c0fc0de7 100644 ---- a/contrib/vhost-user-gpu/main.c -+++ b/contrib/vhost-user-gpu/main.c -@@ -468,6 +468,11 @@ vg_resource_attach_backing(VuGpu *g, - return; - } - -+ if (res->iov) { -+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; -+ return; -+ } -+ - ret = vg_create_mapping_iov(g, &ab, cmd, &res->iov); - if (ret != 0) { - cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; diff --git a/packaging/vhost-user-gpu-fix-memory-leak-while-cal.patch b/packaging/vhost-user-gpu-fix-memory-leak-while-cal.patch deleted file mode 100644 index 619264b8c..000000000 --- a/packaging/vhost-user-gpu-fix-memory-leak-while-cal.patch +++ /dev/null @@ -1,46 +0,0 @@ -From: Li Qiang -Date: Sat, 15 May 2021 20:03:59 -0700 -Subject: vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' - (CVE-2021-3544) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: b7afebcf9e6ecf3cf9b5a9b9b731ed04bca6aa3e -References: CVE-2021-3544 - -If the guest trigger following sequences, the attach_backing will be leaked: - - vg_resource_create_2d - vg_resource_attach_backing - vg_resource_unref - -This patch fix this by freeing 'res->iov' in vg_resource_destroy. - -Fixes: CVE-2021-3544 -Reported-by: Li Qiang -virtio-gpu fix: 5e8e3c4c75 ("virtio-gpu: fix resource leak -in virgl_cmd_resource_unref") - -Reviewed-by: Prasad J Pandit -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-Id: <20210516030403.107723-5-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann -Signed-off-by: Jose R. Ziviani ---- - contrib/vhost-user-gpu/main.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c -index e728237858d279a32698c0fc0de7..9554e8984b878711e5f3dd043101 100644 ---- a/contrib/vhost-user-gpu/main.c -+++ b/contrib/vhost-user-gpu/main.c -@@ -379,6 +379,7 @@ vg_resource_destroy(VuGpu *g, - } - - vugbm_buffer_destroy(&res->buffer); -+ g_free(res->iov); - pixman_image_unref(res->image); - QTAILQ_REMOVE(&g->reslist, res, next); - g_free(res); diff --git a/packaging/vhost-user-gpu-fix-resource-leak-in-vg_r.patch b/packaging/vhost-user-gpu-fix-resource-leak-in-vg_r.patch deleted file mode 100644 index 84d2b1ef1..000000000 --- a/packaging/vhost-user-gpu-fix-resource-leak-in-vg_r.patch +++ /dev/null @@ -1,37 +0,0 @@ -From: Li Qiang -Date: Sat, 15 May 2021 20:03:57 -0700 -Subject: vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' - (CVE-2021-3544) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Git-commit: 86dd8fac2acc366930a5dc08d3fb1b1e816f4e1e -References: CVE-2021-3544 - -Call 'vugbm_buffer_destroy' in error path to avoid resource leak. - -Fixes: CVE-2021-3544 -Reported-by: Li Qiang -Reviewed-by: Prasad J Pandit -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-Id: <20210516030403.107723-3-liq3ea@163.com> -Signed-off-by: Gerd Hoffmann -Signed-off-by: Jose R. Ziviani ---- - contrib/vhost-user-gpu/main.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/contrib/vhost-user-gpu/main.c b/contrib/vhost-user-gpu/main.c -index a019d0a9acea61a7629f1c74c79a..74c97c1585f6bd2e9cef94cde3af 100644 ---- a/contrib/vhost-user-gpu/main.c -+++ b/contrib/vhost-user-gpu/main.c -@@ -328,6 +328,7 @@ vg_resource_create_2d(VuGpu *g, - g_critical("%s: resource creation failed %d %d %d", - __func__, c2d.resource_id, c2d.width, c2d.height); - g_free(res); -+ vugbm_buffer_destroy(&res->buffer); - cmd->error = VIRTIO_GPU_RESP_ERR_OUT_OF_MEMORY; - return; - } diff --git a/packaging/virtio-don-t-enable-notifications-during.patch b/packaging/virtio-don-t-enable-notifications-during.patch deleted file mode 100644 index 590ffeba2..000000000 --- a/packaging/virtio-don-t-enable-notifications-during.patch +++ /dev/null @@ -1,145 +0,0 @@ -From: Stefan Hajnoczi -Date: Mon, 9 Dec 2019 21:09:57 +0000 -Subject: virtio: don't enable notifications during polling - -Git-commit: d0435bc513e23a4961b6af20164d1c6c219eb4ea - -Virtqueue notifications are not necessary during polling, so we disable -them. This allows the guest driver to avoid MMIO vmexits. -Unfortunately the virtio-blk and virtio-scsi handler functions re-enable -notifications, defeating this optimization. - -Fix virtio-blk and virtio-scsi emulation so they leave notifications -disabled. The key thing to remember for correctness is that polling -always checks one last time after ending its loop, therefore it's safe -to lose the race when re-enabling notifications at the end of polling. - -There is a measurable performance improvement of 5-10% with the null-co -block driver. Real-life storage configurations will see a smaller -improvement because the MMIO vmexit overhead contributes less to -latency. - -Signed-off-by: Stefan Hajnoczi -Message-Id: <20191209210957.65087-1-stefanha@redhat.com> -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin -Signed-off-by: Bruce Rogers ---- - hw/block/virtio-blk.c | 9 +++++++-- - hw/scsi/virtio-scsi.c | 9 +++++++-- - hw/virtio/virtio.c | 12 ++++++------ - include/hw/virtio/virtio.h | 1 + - 4 files changed, 21 insertions(+), 10 deletions(-) - -diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c -index 4c357d2928ff1cfe94a601c93ffa..c4e55fb3defb711dbc39b67e00a1 100644 ---- a/hw/block/virtio-blk.c -+++ b/hw/block/virtio-blk.c -@@ -764,13 +764,16 @@ bool virtio_blk_handle_vq(VirtIOBlock *s, VirtQueue *vq) - { - VirtIOBlockReq *req; - MultiReqBuffer mrb = {}; -+ bool suppress_notifications = virtio_queue_get_notification(vq); - bool progress = false; - - aio_context_acquire(blk_get_aio_context(s->blk)); - blk_io_plug(s->blk); - - do { -- virtio_queue_set_notification(vq, 0); -+ if (suppress_notifications) { -+ virtio_queue_set_notification(vq, 0); -+ } - - while ((req = virtio_blk_get_request(s, vq))) { - progress = true; -@@ -781,7 +784,9 @@ bool virtio_blk_handle_vq(VirtIOBlock *s, VirtQueue *vq) - } - } - -- virtio_queue_set_notification(vq, 1); -+ if (suppress_notifications) { -+ virtio_queue_set_notification(vq, 1); -+ } - } while (!virtio_queue_empty(vq)); - - if (mrb.num_reqs) { -diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c -index e8b2b64d09fb185404fa83882ba9..f080545f48e6a3e411caf641b935 100644 ---- a/hw/scsi/virtio-scsi.c -+++ b/hw/scsi/virtio-scsi.c -@@ -597,12 +597,15 @@ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq) - { - VirtIOSCSIReq *req, *next; - int ret = 0; -+ bool suppress_notifications = virtio_queue_get_notification(vq); - bool progress = false; - - QTAILQ_HEAD(, VirtIOSCSIReq) reqs = QTAILQ_HEAD_INITIALIZER(reqs); - - do { -- virtio_queue_set_notification(vq, 0); -+ if (suppress_notifications) { -+ virtio_queue_set_notification(vq, 0); -+ } - - while ((req = virtio_scsi_pop_req(s, vq))) { - progress = true; -@@ -622,7 +625,9 @@ bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq) - } - } - -- virtio_queue_set_notification(vq, 1); -+ if (suppress_notifications) { -+ virtio_queue_set_notification(vq, 1); -+ } - } while (ret != -EINVAL && !virtio_queue_empty(vq)); - - QTAILQ_FOREACH_SAFE(req, &reqs, next, next) { -diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c -index 6c71141ed13506e2218f09ca5e0c..dd74fd83d2e9171f983a73d375c5 100644 ---- a/hw/virtio/virtio.c -+++ b/hw/virtio/virtio.c -@@ -478,6 +478,11 @@ static void virtio_queue_packed_set_notification(VirtQueue *vq, int enable) - } - } - -+bool virtio_queue_get_notification(VirtQueue *vq) -+{ -+ return vq->notification; -+} -+ - void virtio_queue_set_notification(VirtQueue *vq, int enable) - { - vq->notification = enable; -@@ -3474,17 +3479,12 @@ static bool virtio_queue_host_notifier_aio_poll(void *opaque) - { - EventNotifier *n = opaque; - VirtQueue *vq = container_of(n, VirtQueue, host_notifier); -- bool progress; - - if (!vq->vring.desc || virtio_queue_empty(vq)) { - return false; - } - -- progress = virtio_queue_notify_aio_vq(vq); -- -- /* In case the handler function re-enabled notifications */ -- virtio_queue_set_notification(vq, 0); -- return progress; -+ return virtio_queue_notify_aio_vq(vq); - } - - static void virtio_queue_host_notifier_aio_poll_end(EventNotifier *n) -diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h -index e18756d50d21259dda81bf1d1b1d..91167f609aca8f50948b1b28fdf2 100644 ---- a/include/hw/virtio/virtio.h -+++ b/include/hw/virtio/virtio.h -@@ -226,6 +226,7 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f, int version_id); - - void virtio_notify_config(VirtIODevice *vdev); - -+bool virtio_queue_get_notification(VirtQueue *vq); - void virtio_queue_set_notification(VirtQueue *vq, int enable); - - int virtio_queue_ready(VirtQueue *vq); diff --git a/packaging/virtio-net-fix-rsc_ext-compat-handling.patch b/packaging/virtio-net-fix-rsc_ext-compat-handling.patch deleted file mode 100644 index 3dee6f65a..000000000 --- a/packaging/virtio-net-fix-rsc_ext-compat-handling.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Cornelia Huck -Date: Mon, 27 Apr 2020 12:24:13 +0200 -Subject: virtio-net: fix rsc_ext compat handling - -Git-commit: 9904adfaca139581d6b03947a7e23c7e2cb64339 -References: bsc#1179719 - -virtio_net_rsc_ext_num_{packets,dupacks} needs to be available -independently of the presence of VIRTIO_NET_HDR_F_RSC_INFO. - -Fixes: 2974e916df87 ("virtio-net: support RSC v4/v6 tcp traffic for Windows HCK") -Signed-off-by: Cornelia Huck -Message-Id: <20200427102415.10915-2-cohuck@redhat.com> -Signed-off-by: Liang Yan ---- - hw/net/virtio-net.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c -index f325440d0144d3388ad255b71178..7483d11ec2300f483899c24b53bf 100644 ---- a/hw/net/virtio-net.c -+++ b/hw/net/virtio-net.c -@@ -83,6 +83,8 @@ - #define VIRTIO_NET_HDR_F_RSC_INFO 4 /* rsc_ext data in csum_ fields */ - #define VIRTIO_NET_F_RSC_EXT 61 - -+#endif -+ - static inline __virtio16 *virtio_net_rsc_ext_num_packets( - struct virtio_net_hdr *hdr) - { -@@ -95,8 +97,6 @@ static inline __virtio16 *virtio_net_rsc_ext_num_dupacks( - return &hdr->csum_offset; - } - --#endif -- - static VirtIOFeature feature_sizes[] = { - {.flags = 1ULL << VIRTIO_NET_F_MAC, - .end = endof(struct virtio_net_config, mac)}, diff --git a/packaging/virtio-net-fix-use-after-unmap-free-for-.patch b/packaging/virtio-net-fix-use-after-unmap-free-for-.patch deleted file mode 100644 index 7886c03ff..000000000 --- a/packaging/virtio-net-fix-use-after-unmap-free-for-.patch +++ /dev/null @@ -1,122 +0,0 @@ -From: Jason Wang -Date: Thu, 2 Sep 2021 13:44:12 +0800 -Subject: virtio-net: fix use after unmap/free for sg - -Git-commit: bedd7e93d01961fcb16a97ae45d93acf357e11f6 -References: bsc#1189938 CVE-2021-3748 - -When mergeable buffer is enabled, we try to set the num_buffers after -the virtqueue elem has been unmapped. This will lead several issues, -E.g a use after free when the descriptor has an address which belongs -to the non direct access region. In this case we use bounce buffer -that is allocated during address_space_map() and freed during -address_space_unmap(). - -Fixing this by storing the elems temporarily in an array and delay the -unmap after we set the the num_buffers. - -This addresses CVE-2021-3748. - -Reported-by: Alexander Bulekov -Fixes: fbe78f4f55c6 ("virtio-net support") -Cc: qemu-stable@nongnu.org -Signed-off-by: Jason Wang -Signed-off-by: Jose R Ziviani ---- - hw/net/virtio-net.c | 39 ++++++++++++++++++++++++++++++++------- - 1 file changed, 32 insertions(+), 7 deletions(-) - -diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c -index 4764b83d568dcd5efdd9a95d829e..b46dba81ca1f9b0580d98726ae1e 100644 ---- a/hw/net/virtio-net.c -+++ b/hw/net/virtio-net.c -@@ -1393,10 +1393,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, - VirtIONet *n = qemu_get_nic_opaque(nc); - VirtIONetQueue *q = virtio_net_get_subqueue(nc); - VirtIODevice *vdev = VIRTIO_DEVICE(n); -+ VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE]; -+ size_t lens[VIRTQUEUE_MAX_SIZE]; - struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE]; - struct virtio_net_hdr_mrg_rxbuf mhdr; - unsigned mhdr_cnt = 0; -- size_t offset, i, guest_offset; -+ size_t offset, i, guest_offset, j; -+ ssize_t err; - - if (!virtio_net_can_receive(nc)) { - return -1; -@@ -1419,6 +1422,12 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, - - total = 0; - -+ if (i == VIRTQUEUE_MAX_SIZE) { -+ virtio_error(vdev, "virtio-net unexpected long buffer chain"); -+ err = size; -+ goto err; -+ } -+ - elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement)); - if (!elem) { - if (i) { -@@ -1430,7 +1439,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, - n->guest_hdr_len, n->host_hdr_len, - vdev->guest_features); - } -- return -1; -+ err = -1; -+ goto err; - } - - if (elem->in_num < 1) { -@@ -1438,7 +1448,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, - "virtio-net receive queue contains no in buffers"); - virtqueue_detach_element(q->rx_vq, elem, 0); - g_free(elem); -- return -1; -+ err = -1; -+ goto err; - } - - sg = elem->in_sg; -@@ -1470,12 +1481,13 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, - if (!n->mergeable_rx_bufs && offset < size) { - virtqueue_unpop(q->rx_vq, elem, total); - g_free(elem); -- return size; -+ err = size; -+ goto err; - } - -- /* signal other side */ -- virtqueue_fill(q->rx_vq, elem, total, i++); -- g_free(elem); -+ elems[i] = elem; -+ lens[i] = total; -+ i++; - } - - if (mhdr_cnt) { -@@ -1485,10 +1497,23 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf, - &mhdr.num_buffers, sizeof mhdr.num_buffers); - } - -+ for (j = 0; j < i; j++) { -+ /* signal other side */ -+ virtqueue_fill(q->rx_vq, elems[j], lens[j], j); -+ g_free(elems[j]); -+ } -+ - virtqueue_flush(q->rx_vq, i); - virtio_notify(vdev, q->rx_vq); - - return size; -+ -+err: -+ for (j = 0; j < i; j++) { -+ g_free(elems[j]); -+ } -+ -+ return err; - } - - static ssize_t virtio_net_do_receive(NetClientState *nc, const uint8_t *buf, diff --git a/packaging/virtio-scsi-change-DID-TIMEOUT-handling.patch b/packaging/virtio-scsi-change-DID-TIMEOUT-handling.patch deleted file mode 100644 index 11f52ff3c..000000000 --- a/packaging/virtio-scsi-change-DID-TIMEOUT-handling.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Bruce Rogers -Date: Wed, 3 Feb 2021 14:25:38 -0700 -Subject: virtio-scsi: change DID TIMEOUT handling - -This patch implements a change of SG_ERR_DID_TIME_OUT handling as -suggested in -https://bugzilla.suse.com/show_bug.cgi?id=1178049#c145 - -Suggested-by: Hannes Reinecke -Signed-off-by: Bruce Rogers ---- - hw/scsi/virtio-scsi.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c -index 3155658db33f95a572a4c7ff495e..2e5bcf442384905d8d80fd487eea 100644 ---- a/hw/scsi/virtio-scsi.c -+++ b/hw/scsi/virtio-scsi.c -@@ -507,7 +507,6 @@ static void virtio_scsi_command_complete(SCSIRequest *r, uint32_t status, - req->resp.cmd.response = VIRTIO_SCSI_S_INCORRECT_LUN; - break; - case SG_ERR_DID_ABORT: -- case SG_ERR_DID_TIME_OUT: - req->resp.cmd.response = VIRTIO_SCSI_S_ABORTED; - break; - case SG_ERR_DID_BAD_TARGET: -@@ -517,6 +516,7 @@ static void virtio_scsi_command_complete(SCSIRequest *r, uint32_t status, - req->resp.cmd.response = VIRTIO_SCSI_S_RESET; - break; - case SG_ERR_DID_BUS_BUSY: -+ case SG_ERR_DID_TIME_OUT: - req->resp.cmd.response = VIRTIO_SCSI_S_BUSY; - break; - case SG_ERR_DID_TRANSPORT_DISRUPTED: diff --git a/packaging/virtio-scsi-trace-events.patch b/packaging/virtio-scsi-trace-events.patch deleted file mode 100644 index 684e8fb53..000000000 --- a/packaging/virtio-scsi-trace-events.patch +++ /dev/null @@ -1,100 +0,0 @@ -From: Hannes Reinecke -Date: Wed, 11 Nov 2020 13:09:27 +0100 -Subject: virtio-scsi: trace events - -Git-commit: eb8cb3d9dcfbcc74ebaabed4ef0d915eeffa4da1 -References: bsc#1178049 - -Add trace events for SCSI and TMF command tracing. - -Signed-off-by: Hannes Reinecke -BR: Includes minor tweaks that came from the PTF patch as opposed to the -one upstreamed. -Signed-off-by: Bruce Rogers ---- - hw/scsi/trace-events | 6 ++++++ - hw/scsi/virtio-scsi.c | 19 ++++++++++++++++++- - 2 files changed, 24 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events -index b0820052f825a476b3e455aad7a4..9e1196f2117982c5bbc5db3bfffb 100644 ---- a/hw/scsi/trace-events -+++ b/hw/scsi/trace-events -@@ -293,6 +293,12 @@ lsi_awoken(void) "Woken by SIGP" - lsi_reg_read(const char *name, int offset, uint8_t ret) "Read reg %s 0x%x = 0x%02x" - lsi_reg_write(const char *name, int offset, uint8_t val) "Write reg %s 0x%x = 0x%02x" - -+# hw/scsi/virtio-scsi.c -+virtio_scsi_cmd_req(int lun, uint32_t tag, uint8_t cmd) "virtio_scsi_cmd_req lun=%u tag=0x%x cmd=0x%x" -+virtio_scsi_cmd_resp(int lun, uint32_t tag, int response, uint8_t status) "virtio_scsi_cmd_resp lun=%u tag=0x%x response=%d status=0x%x" -+virtio_scsi_tmf_req(int lun, uint32_t tag, int subtype) "virtio_scsi_tmf_req lun=%u tag=0x%x subtype=%d" -+virtio_scsi_tmf_resp(int lun, uint32_t tag, int response) "virtio_scsi_tmf_resp lun=%u tag=0x%x response=%d" -+ - # scsi-disk.c - scsi_disk_check_condition(uint32_t tag, uint8_t key, uint8_t asc, uint8_t ascq) "Command complete tag=0x%x sense=%d/%d/%d" - scsi_disk_read_complete(uint32_t tag, size_t size) "Data ready tag=0x%x len=%zd" -diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c -index f080545f48e6a3e411caf641b935..de25a1c21d84f38eca9aaf1114d4 100644 ---- a/hw/scsi/virtio-scsi.c -+++ b/hw/scsi/virtio-scsi.c -@@ -27,6 +27,7 @@ - #include "scsi/constants.h" - #include "hw/virtio/virtio-bus.h" - #include "hw/virtio/virtio-access.h" -+#include "trace.h" - - static inline int virtio_scsi_get_lun(uint8_t *lun) - { -@@ -239,7 +240,11 @@ static void virtio_scsi_cancel_notify(Notifier *notifier, void *data) - notifier); - - if (--n->tmf_req->remaining == 0) { -- virtio_scsi_complete_req(n->tmf_req); -+ VirtIOSCSIReq *req = n->tmf_req; -+ -+ trace_virtio_scsi_tmf_resp(virtio_scsi_get_lun(req->req.tmf.lun), -+ req->req.tmf.tag, req->resp.tmf.response); -+ virtio_scsi_complete_req(req); - } - g_free(n); - } -@@ -273,6 +278,8 @@ static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req) - req->req.tmf.subtype = - virtio_tswap32(VIRTIO_DEVICE(s), req->req.tmf.subtype); - -+ trace_virtio_scsi_tmf_req(virtio_scsi_get_lun(req->req.tmf.lun), -+ req->req.tmf.tag, req->req.tmf.subtype); - switch (req->req.tmf.subtype) { - case VIRTIO_SCSI_T_TMF_ABORT_TASK: - case VIRTIO_SCSI_T_TMF_QUERY_TASK: -@@ -427,6 +434,10 @@ static void virtio_scsi_handle_ctrl_req(VirtIOSCSI *s, VirtIOSCSIReq *req) - } - } - if (r == 0) { -+ if (type == VIRTIO_SCSI_T_TMF) -+ trace_virtio_scsi_tmf_resp(virtio_scsi_get_lun(req->req.tmf.lun), -+ req->req.tmf.tag, -+ req->resp.tmf.response); - virtio_scsi_complete_req(req); - } else { - assert(r == -EINPROGRESS); -@@ -462,6 +473,10 @@ static void virtio_scsi_handle_ctrl(VirtIODevice *vdev, VirtQueue *vq) - - static void virtio_scsi_complete_cmd_req(VirtIOSCSIReq *req) - { -+ trace_virtio_scsi_cmd_resp(virtio_scsi_get_lun(req->req.cmd.lun), -+ req->req.cmd.tag, -+ req->resp.cmd.response, -+ req->resp.cmd.status); - /* Sense data is not in req->resp and is copied separately - * in virtio_scsi_command_complete. - */ -@@ -559,6 +574,8 @@ static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req) - return -EINVAL; - } - } -+ trace_virtio_scsi_cmd_req(virtio_scsi_get_lun(req->req.cmd.lun), -+ req->req.cmd.tag, req->req.cmd.cdb[0]); - - d = virtio_scsi_device_find(s, req->req.cmd.lun); - if (!d) { diff --git a/packaging/virtio-scsi-translate-SG_IO-host-status.patch b/packaging/virtio-scsi-translate-SG_IO-host-status.patch deleted file mode 100644 index 5ab334205..000000000 --- a/packaging/virtio-scsi-translate-SG_IO-host-status.patch +++ /dev/null @@ -1,226 +0,0 @@ -From: Hannes Reinecke -Date: Tue, 10 Nov 2020 10:41:55 +0100 -Subject: virtio-scsi: translate SG_IO host status - -References: bsc#1178049 - -when running with an SG_IO backend we might be getting a SCSI host -status back, which should be translated into a virtio scsi status -to avoid having a silent data corruption if the status isn't -translated properly. - -Signed-off-by: Hannes Reinecke -Signed-off-by: Bruce Rogers ---- - hw/scsi/scsi-generic.c | 8 +++++--- - hw/scsi/trace-events | 2 +- - hw/scsi/virtio-scsi.c | 43 +++++++++++++++++++++++++++++++++++++++--- - include/scsi/utils.h | 12 +++++++++--- - scsi/qemu-pr-helper.c | 6 +++--- - scsi/utils.c | 23 +++++++++------------- - 6 files changed, 67 insertions(+), 27 deletions(-) - -diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c -index 32875bedaedf25e7b0cea8363887..b3ea492beedc2a075157957e0595 100644 ---- a/hw/scsi/scsi-generic.c -+++ b/hw/scsi/scsi-generic.c -@@ -72,7 +72,7 @@ static void scsi_free_request(SCSIRequest *req) - /* Helper function for command completion. */ - static void scsi_command_complete_noio(SCSIGenericReq *r, int ret) - { -- int status; -+ uint32_t status; - SCSISense sense; - - assert(r->req.aiocb == NULL); -@@ -82,7 +82,7 @@ static void scsi_command_complete_noio(SCSIGenericReq *r, int ret) - goto done; - } - status = sg_io_sense_from_errno(-ret, &r->io_header, &sense); -- if (status == CHECK_CONDITION) { -+ if ((status & 0xff) == CHECK_CONDITION) { - if (r->io_header.driver_status & SG_ERR_DRIVER_SENSE) { - r->req.sense_len = r->io_header.sb_len_wr; - } else { -@@ -90,7 +90,8 @@ static void scsi_command_complete_noio(SCSIGenericReq *r, int ret) - } - } - -- trace_scsi_generic_command_complete_noio(r, r->req.tag, status); -+ trace_scsi_generic_command_complete_noio(r, r->req.tag, status & 0xff, -+ (status >> 8) & 0xff); - - scsi_req_complete(&r->req, status); - done: -@@ -235,6 +236,7 @@ static int scsi_generic_emulate_block_limits(SCSIGenericReq *r, SCSIDevice *s) - * the hardware in scsi_command_complete_noio. Clean - * up the io_header to avoid reporting it. - */ -+ r->io_header.host_status = 0; - r->io_header.driver_status = 0; - r->io_header.status = 0; - -diff --git a/hw/scsi/trace-events b/hw/scsi/trace-events -index 13babd26dff43d5052886cf955a5..bce865c2222b0ece52d16ab1d90a 100644 ---- a/hw/scsi/trace-events -+++ b/hw/scsi/trace-events -@@ -330,7 +330,7 @@ scsi_disk_new_request(uint32_t lun, uint32_t tag, const char *line) "Command: lu - scsi_disk_aio_sgio_command(uint32_t tag, uint8_t cmd, uint64_t lba, int len, uint32_t timeout) "disk aio sgio: tag=0x%x cmd 0x%x (sector %" PRId64 ", count %d) timeout %u" - - # scsi-generic.c --scsi_generic_command_complete_noio(void *req, uint32_t tag, int statuc) "Command complete %p tag=0x%x status=%d" -+scsi_generic_command_complete_noio(void *req, uint32_t tag, uint8_t status, uint8_t host_status) "Command complete %p tag=0x%x status=0x%x host_status=0x%x" - scsi_generic_read_complete(uint32_t tag, int len) "Data ready tag=0x%x len=%d" - scsi_generic_read_data(uint32_t tag, uint32_t timeout) "scsi_read_data tag=0x%x timeout %u" - scsi_generic_write_complete(int ret) "scsi_write_complete() ret = %d" -diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c -index de25a1c21d84f38eca9aaf1114d4..3155658db33f95a572a4c7ff495e 100644 ---- a/hw/scsi/virtio-scsi.c -+++ b/hw/scsi/virtio-scsi.c -@@ -496,9 +496,46 @@ static void virtio_scsi_command_complete(SCSIRequest *r, uint32_t status, - return; - } - -- req->resp.cmd.response = VIRTIO_SCSI_S_OK; -- req->resp.cmd.status = status; -- if (req->resp.cmd.status == GOOD) { -+ switch ((status >> 8) & 0xff) { -+ case SG_ERR_DID_OK: -+ req->resp.cmd.response = VIRTIO_SCSI_S_OK; -+ break; -+ case SG_ERR_DID_ERROR: -+ req->resp.cmd.response = VIRTIO_SCSI_S_OVERRUN; -+ break; -+ case SG_ERR_DID_NO_CONNECT: -+ req->resp.cmd.response = VIRTIO_SCSI_S_INCORRECT_LUN; -+ break; -+ case SG_ERR_DID_ABORT: -+ case SG_ERR_DID_TIME_OUT: -+ req->resp.cmd.response = VIRTIO_SCSI_S_ABORTED; -+ break; -+ case SG_ERR_DID_BAD_TARGET: -+ req->resp.cmd.response = VIRTIO_SCSI_S_BAD_TARGET; -+ break; -+ case SG_ERR_DID_RESET: -+ req->resp.cmd.response = VIRTIO_SCSI_S_RESET; -+ break; -+ case SG_ERR_DID_BUS_BUSY: -+ req->resp.cmd.response = VIRTIO_SCSI_S_BUSY; -+ break; -+ case SG_ERR_DID_TRANSPORT_DISRUPTED: -+ req->resp.cmd.response = VIRTIO_SCSI_S_TRANSPORT_FAILURE; -+ break; -+ case SG_ERR_DID_TARGET_FAILURE: -+ req->resp.cmd.response = VIRTIO_SCSI_S_TARGET_FAILURE; -+ break; -+ case SG_ERR_DID_NEXUS_FAILURE: -+ req->resp.cmd.response = VIRTIO_SCSI_S_NEXUS_FAILURE; -+ break; -+ default: -+ req->resp.cmd.response = VIRTIO_SCSI_S_FAILURE; -+ break; -+ } -+ -+ req->resp.cmd.status = (status & 0xff); -+ if (req->resp.cmd.status == GOOD && -+ req->resp.cmd.response == VIRTIO_SCSI_S_OK) { - req->resp.cmd.resid = virtio_tswap32(vdev, resid); - } else { - req->resp.cmd.resid = 0; -diff --git a/include/scsi/utils.h b/include/scsi/utils.h -index fbc5588279939d70a5e31627bd2a..92f6c47944cfd1fb6284b4e2b210 100644 ---- a/include/scsi/utils.h -+++ b/include/scsi/utils.h -@@ -126,11 +126,17 @@ int scsi_cdb_length(uint8_t *buf); - #define SG_ERR_DID_NO_CONNECT 0x01 - #define SG_ERR_DID_BUS_BUSY 0x02 - #define SG_ERR_DID_TIME_OUT 0x03 -- -+#define SG_ERR_DID_BAD_TARGET 0x04 -+#define SG_ERR_DID_ABORT 0x05 -+#define SG_ERR_DID_ERROR 0x07 -+#define SG_ERR_DID_RESET 0x08 -+#define SG_ERR_DID_TRANSPORT_DISRUPTED 0x0e -+#define SG_ERR_DID_TARGET_FAILURE 0x10 -+#define SG_ERR_DID_NEXUS_FAILURE 0x11 - #define SG_ERR_DRIVER_SENSE 0x08 - --int sg_io_sense_from_errno(int errno_value, struct sg_io_hdr *io_hdr, -- SCSISense *sense); -+uint32_t sg_io_sense_from_errno(int errno_value, struct sg_io_hdr *io_hdr, -+ SCSISense *sense); - #endif - - #endif -diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c -index 38c273de19573ad8421da6439153..3c474bdd5688fe9d6e2b64e53637 100644 ---- a/scsi/qemu-pr-helper.c -+++ b/scsi/qemu-pr-helper.c -@@ -134,7 +134,7 @@ static int do_sgio_worker(void *opaque) - PRHelperSGIOData *data = opaque; - struct sg_io_hdr io_hdr; - int ret; -- int status; -+ uint32_t status; - SCSISense sense_code; - - memset(data->sense, 0, PR_HELPER_SENSE_SIZE); -@@ -151,13 +151,13 @@ static int do_sgio_worker(void *opaque) - ret = ioctl(data->fd, SG_IO, &io_hdr); - status = sg_io_sense_from_errno(ret < 0 ? errno : 0, &io_hdr, - &sense_code); -- if (status == GOOD) { -+ if ((status & 0xff) == GOOD) { - data->sz -= io_hdr.resid; - } else { - data->sz = 0; - } - -- if (status == CHECK_CONDITION && -+ if ((status & 0xff) == CHECK_CONDITION && - !(io_hdr.driver_status & SG_ERR_DRIVER_SENSE)) { - scsi_build_sense(data->sense, sense_code); - } -diff --git a/scsi/utils.c b/scsi/utils.c -index c50e81fdb87f535e6f49dd31699e..c09f4aff21e34860c1b41612cd0d 100644 ---- a/scsi/utils.c -+++ b/scsi/utils.c -@@ -565,7 +565,7 @@ const char *scsi_command_name(uint8_t cmd) - } - - #ifdef CONFIG_LINUX --int sg_io_sense_from_errno(int errno_value, struct sg_io_hdr *io_hdr, -+uint32_t sg_io_sense_from_errno(int errno_value, struct sg_io_hdr *io_hdr, - SCSISense *sense) - { - if (errno_value != 0) { -@@ -580,21 +580,16 @@ int sg_io_sense_from_errno(int errno_value, struct sg_io_hdr *io_hdr, - return CHECK_CONDITION; - } - } else { -- if (io_hdr->host_status == SG_ERR_DID_NO_CONNECT || -- io_hdr->host_status == SG_ERR_DID_BUS_BUSY || -- io_hdr->host_status == SG_ERR_DID_TIME_OUT || -- (io_hdr->driver_status & SG_ERR_DRIVER_TIMEOUT)) { -- return BUSY; -- } else if (io_hdr->host_status) { -- *sense = SENSE_CODE(I_T_NEXUS_LOSS); -- return CHECK_CONDITION; -- } else if (io_hdr->status) { -- return io_hdr->status; -+ uint32_t status = GOOD; -+ -+ if (io_hdr->status) { -+ status = io_hdr->status; - } else if (io_hdr->driver_status & SG_ERR_DRIVER_SENSE) { -- return CHECK_CONDITION; -- } else { -- return GOOD; -+ status = CHECK_CONDITION; - } -+ if (io_hdr->host_status) -+ status |= (io_hdr->host_status << 8); -+ return status; - } - } - #endif diff --git a/packaging/virtio-scsi-use-scsi_device_get.patch b/packaging/virtio-scsi-use-scsi_device_get.patch deleted file mode 100644 index 922899c8b..000000000 --- a/packaging/virtio-scsi-use-scsi_device_get.patch +++ /dev/null @@ -1,111 +0,0 @@ -From: Maxim Levitsky -Date: Tue, 6 Oct 2020 15:39:03 +0300 -Subject: virtio-scsi: use scsi_device_get - -Git-commit: 07a47d4a1879370009baab44f1f387610d88a299 -References: bsc#1184574 - -This will help us to avoid the scsi device disappearing -after we took a reference to it. - -It doesn't by itself forbid case when we try to access -an unrealized device - -Suggested-by: Stefan Hajnoczi -Signed-off-by: Maxim Levitsky -Reviewed-by: Stefan Hajnoczi -Message-Id: <20200913160259.32145-9-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Message-Id: <20201006123904.610658-13-mlevitsk@redhat.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Lin Ma ---- - hw/scsi/virtio-scsi.c | 21 +++++++++++++-------- - 1 file changed, 13 insertions(+), 8 deletions(-) - -diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c -index 52c3a964ecb112a9d1c00bfbe57d..57789f40d040096d163f2a9986da 100644 ---- a/hw/scsi/virtio-scsi.c -+++ b/hw/scsi/virtio-scsi.c -@@ -34,7 +34,7 @@ static inline int virtio_scsi_get_lun(uint8_t *lun) - return ((lun[2] << 8) | lun[3]) & 0x3FFF; - } - --static inline SCSIDevice *virtio_scsi_device_find(VirtIOSCSI *s, uint8_t *lun) -+static inline SCSIDevice *virtio_scsi_device_get(VirtIOSCSI *s, uint8_t *lun) - { - if (lun[0] != 1) { - return NULL; -@@ -42,7 +42,7 @@ static inline SCSIDevice *virtio_scsi_device_find(VirtIOSCSI *s, uint8_t *lun) - if (lun[2] != 0 && !(lun[2] >= 0x40 && lun[2] < 0x80)) { - return NULL; - } -- return scsi_device_find(&s->bus, 0, lun[1], virtio_scsi_get_lun(lun)); -+ return scsi_device_get(&s->bus, 0, lun[1], virtio_scsi_get_lun(lun)); - } - - void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req) -@@ -261,7 +261,7 @@ static inline void virtio_scsi_ctx_check(VirtIOSCSI *s, SCSIDevice *d) - * case of async cancellation. */ - static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req) - { -- SCSIDevice *d = virtio_scsi_device_find(s, req->req.tmf.lun); -+ SCSIDevice *d = virtio_scsi_device_get(s, req->req.tmf.lun); - SCSIRequest *r, *next; - BusChild *kid; - int target; -@@ -377,10 +377,10 @@ static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req) - - rcu_read_lock(); - QTAILQ_FOREACH_RCU(kid, &s->bus.qbus.children, sibling) { -- d = SCSI_DEVICE(kid->child); -- if (d->channel == 0 && d->id == target) { -- qdev_reset_all(&d->qdev); -- } -+ SCSIDevice *d1 = SCSI_DEVICE(kid->child); -+ if (d1->channel == 0 && d1->id == target) { -+ qdev_reset_all(&d1->qdev); -+ } - } - rcu_read_unlock(); - -@@ -393,14 +393,17 @@ static int virtio_scsi_do_tmf(VirtIOSCSI *s, VirtIOSCSIReq *req) - break; - } - -+ object_unref(OBJECT(d)); - return ret; - - incorrect_lun: - req->resp.tmf.response = VIRTIO_SCSI_S_INCORRECT_LUN; -+ object_unref(OBJECT(d)); - return ret; - - fail: - req->resp.tmf.response = VIRTIO_SCSI_S_BAD_TARGET; -+ object_unref(OBJECT(d)); - return ret; - } - -@@ -618,7 +621,7 @@ static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req) - trace_virtio_scsi_cmd_req(virtio_scsi_get_lun(req->req.cmd.lun), - req->req.cmd.tag, req->req.cmd.cdb[0]); - -- d = virtio_scsi_device_find(s, req->req.cmd.lun); -+ d = virtio_scsi_device_get(s, req->req.cmd.lun); - if (!d) { - req->resp.cmd.response = VIRTIO_SCSI_S_BAD_TARGET; - virtio_scsi_complete_cmd_req(req); -@@ -634,10 +637,12 @@ static int virtio_scsi_handle_cmd_req_prepare(VirtIOSCSI *s, VirtIOSCSIReq *req) - req->sreq->cmd.xfer > req->qsgl.size)) { - req->resp.cmd.response = VIRTIO_SCSI_S_OVERRUN; - virtio_scsi_complete_cmd_req(req); -+ object_unref(OBJECT(d)); - return -ENOBUFS; - } - scsi_req_ref(req->sreq); - blk_io_plug(d->conf.blk); -+ object_unref(OBJECT(d)); - return 0; - } - diff --git a/packaging/vnc-prioritize-ZRLE-compression-over-ZLI.patch b/packaging/vnc-prioritize-ZRLE-compression-over-ZLI.patch deleted file mode 100644 index c06ab1554..000000000 --- a/packaging/vnc-prioritize-ZRLE-compression-over-ZLI.patch +++ /dev/null @@ -1,59 +0,0 @@ -From: Cameron Esfahani -Date: Mon, 20 Jan 2020 21:00:52 -0800 -Subject: vnc: prioritize ZRLE compression over ZLIB - -Git-commit: 557ba0e57200014bd4f453f6516f02b61bdfc782 - -In my investigation, ZRLE always compresses better than ZLIB so -prioritize ZRLE over ZLIB, even if the client hints that ZLIB is -preferred. - -zlib buffer is always reset in zrle_compress_data(), so using offset to -calculate next_out and avail_out is useless. - -Signed-off-by: Cameron Esfahani -Message-Id: -Signed-off-by: Gerd Hoffmann -Signed-off-by: Bruce Rogers ---- - ui/vnc-enc-zrle.c | 4 ++-- - ui/vnc.c | 11 +++++++++-- - 2 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/ui/vnc-enc-zrle.c b/ui/vnc-enc-zrle.c -index 17fd28a2e2b078bd135496e75c6b..b4f71e32cfe8ca3dd645103f999d 100644 ---- a/ui/vnc-enc-zrle.c -+++ b/ui/vnc-enc-zrle.c -@@ -98,8 +98,8 @@ static int zrle_compress_data(VncState *vs, int level) - /* set pointers */ - zstream->next_in = vs->zrle->zrle.buffer; - zstream->avail_in = vs->zrle->zrle.offset; -- zstream->next_out = vs->zrle->zlib.buffer + vs->zrle->zlib.offset; -- zstream->avail_out = vs->zrle->zlib.capacity - vs->zrle->zlib.offset; -+ zstream->next_out = vs->zrle->zlib.buffer; -+ zstream->avail_out = vs->zrle->zlib.capacity; - zstream->data_type = Z_BINARY; - - /* start encoding */ -diff --git a/ui/vnc.c b/ui/vnc.c -index f94b3a257ee3add364a0b0bd5101..70bd8bf05d163e2ef0911c3b19fd 100644 ---- a/ui/vnc.c -+++ b/ui/vnc.c -@@ -2077,8 +2077,15 @@ static void set_encodings(VncState *vs, int32_t *encodings, size_t n_encodings) - break; - #endif - case VNC_ENCODING_ZLIB: -- vs->features |= VNC_FEATURE_ZLIB_MASK; -- vs->vnc_encoding = enc; -+ /* -+ * VNC_ENCODING_ZRLE compresses better than VNC_ENCODING_ZLIB. -+ * So prioritize ZRLE, even if the client hints that it prefers -+ * ZLIB. -+ */ -+ if ((vs->features & VNC_FEATURE_ZRLE_MASK) == 0) { -+ vs->features |= VNC_FEATURE_ZLIB_MASK; -+ vs->vnc_encoding = enc; -+ } - break; - case VNC_ENCODING_ZRLE: - vs->features |= VNC_FEATURE_ZRLE_MASK; diff --git a/packaging/xen-add-block-resize-support-for-xen-dis.patch b/packaging/xen-add-block-resize-support-for-xen-dis.patch deleted file mode 100644 index 0e494bd80..000000000 --- a/packaging/xen-add-block-resize-support-for-xen-dis.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Bruce Rogers -Date: Wed, 16 Jan 2019 16:29:36 -0700 -Subject: xen: add block resize support for xen disks - -Provide monitor naming of xen disks, and plumb guest driver -notification through xenstore of resizing instigated via the -monitor. - -[BR: minor edits to pass qemu's checkpatch script] -[BR: significant rework needed due to upstream xen disk qdevification] -[BR: At this point, monitor_add_blk call is all we need to add!] -Signed-off-by: Bruce Rogers ---- - hw/block/xen-block.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c -index 0007ee64c75f38a2a3256f0b9462..86de57f9c6f7405bc26303065d2c 100644 ---- a/hw/block/xen-block.c -+++ b/hw/block/xen-block.c -@@ -274,6 +274,9 @@ static void xen_block_realize(XenDevice *xendev, Error **errp) - - xen_block_set_size(blockdev); - -+ if (!monitor_add_blk(conf->blk, blockdev->drive->id, errp)) { -+ return; -+ } - blockdev->dataplane = - xen_block_dataplane_create(xendev, blk, conf->logical_block_size, - blockdev->props.iothread); diff --git a/packaging/xen-block-Fix-removal-of-backend-instanc.patch b/packaging/xen-block-Fix-removal-of-backend-instanc.patch deleted file mode 100644 index 70ca0f5d6..000000000 --- a/packaging/xen-block-Fix-removal-of-backend-instanc.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: Anthony PERARD -Date: Mon, 8 Mar 2021 14:32:32 +0000 -Subject: xen-block: Fix removal of backend instance via xenstore - -Git-commit: b807ca3fa0ca29ec015adcf4045e716337cd3635 -References: bsc#1184574 - -Whenever a Xen block device is detach via xenstore, the image -associated with it remained open by the backend QEMU and an error is -logged: - qemu-system-i386: failed to destroy drive: Node xvdz-qcow2 is in use - -This happened since object_unparent() doesn't immediately frees the -object and thus keep a reference to the node we are trying to free. -The reference is hold by the "drive" property and the call -xen_block_drive_destroy() fails. - -In order to fix that, we call drain_call_rcu() to run the callback -setup by bus_remove_child() via object_unparent(). - -Fixes: 2d24a6466154 ("device-core: use RCU for list of children of a bus") - -Signed-off-by: Anthony PERARD -Reviewed-by: Paul Durrant -Message-Id: <20210308143232.83388-1-anthony.perard@citrix.com> -Signed-off-by: Lin Ma ---- - hw/block/xen-block.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c -index 86de57f9c6f7405bc26303065d2c..a06251da2fb61ab7253676183b60 100644 ---- a/hw/block/xen-block.c -+++ b/hw/block/xen-block.c -@@ -1009,6 +1009,15 @@ static void xen_block_device_destroy(XenBackendInstance *backend, - - object_unparent(OBJECT(xendev)); - -+ /* -+ * Drain all pending RCU callbacks as object_unparent() frees `xendev' -+ * in a RCU callback. -+ * And due to the property "drive" still existing in `xendev', we -+ * can't destroy the XenBlockDrive associated with `xendev' with -+ * xen_block_drive_destroy() below. -+ */ -+ drain_call_rcu(); -+ - if (iothread) { - Error *local_err = NULL; - diff --git a/packaging/xen-ignore-live-parameter-from-xen-save-.patch b/packaging/xen-ignore-live-parameter-from-xen-save-.patch deleted file mode 100644 index d11ada03c..000000000 --- a/packaging/xen-ignore-live-parameter-from-xen-save-.patch +++ /dev/null @@ -1,41 +0,0 @@ -From: Olaf Hering -Date: Tue, 8 Jan 2019 14:20:08 +0100 -Subject: xen: ignore live parameter from xen-save-devices-state - -References: bsc#1079730, bsc#1101982, bsc#1063993 - -The final step of xl migrate|save for an HVM domU is saving the state of -qemu. This also involves releasing all block devices. While releasing -backends ought to be a separate step, such functionality is not -implemented. - -Unfortunately, releasing the block devices depends on the optional -'live' option. This breaks offline migration with 'virsh migrate domU -dom0' because the sending side does not release the disks, as a result -the receiving side can not properly claim write access to the disks. - -As a minimal fix, remove the dependency on the 'live' option. Upstream -may fix this in a different way, like removing the newly added 'live' -parameter entirely. - -Fixes: 5d6c599fe1 ("migration, xen: Fix block image lock issue on live migration") - -Signed-off-by: Olaf Hering -Signed-off-by: Bruce Rogers ---- - migration/savevm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/migration/savevm.c b/migration/savevm.c -index a71b930b91f71ed9763fcb07b525..c5cc5fed211e693723538e19850b 100644 ---- a/migration/savevm.c -+++ b/migration/savevm.c -@@ -2774,7 +2774,7 @@ void qmp_xen_save_devices_state(const char *filename, bool has_live, bool live, - * So call bdrv_inactivate_all (release locks) here to let the other - * side of the migration take controle of the images. - */ -- if (live && !saved_vm_running) { -+ if (!saved_vm_running) { - ret = bdrv_inactivate_all(); - if (ret) { - error_setg(errp, "%s: bdrv_inactivate_all() failed (%d)", diff --git a/packaging/xen-remove-BlockBackend-object-reference.patch b/packaging/xen-remove-BlockBackend-object-reference.patch deleted file mode 100644 index 9578053a3..000000000 --- a/packaging/xen-remove-BlockBackend-object-reference.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Lin Ma -Date: Fri, 3 Sep 2021 12:05:09 +0800 -Subject: xen: remove BlockBackend object reference in xen_block_unrealize - -References: bsc#1189234 - -Signed-off-by: Lin Ma ---- - hw/block/xen-block.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c -index a06251da2fb61ab7253676183b60..7667076ffd490f382516a6258f08 100644 ---- a/hw/block/xen-block.c -+++ b/hw/block/xen-block.c -@@ -142,6 +142,7 @@ static void xen_block_unrealize(XenDevice *xendev, Error **errp) - XEN_BLOCK_DEVICE_GET_CLASS(xendev); - const char *type = object_get_typename(OBJECT(blockdev)); - XenBlockVdev *vdev = &blockdev->props.vdev; -+ BlockConf *conf = &blockdev->props.conf; - - if (vdev->type == XEN_BLOCK_VDEV_TYPE_INVALID) { - return; -@@ -155,6 +156,8 @@ static void xen_block_unrealize(XenDevice *xendev, Error **errp) - xen_block_dataplane_destroy(blockdev->dataplane); - blockdev->dataplane = NULL; - -+ monitor_remove_blk(conf->blk); -+ - if (blockdev_class->unrealize) { - blockdev_class->unrealize(blockdev, errp); - } diff --git a/packaging/xen_disk-Add-suse-specific-flush-disable.patch b/packaging/xen_disk-Add-suse-specific-flush-disable.patch deleted file mode 100644 index c5c9a5c9d..000000000 --- a/packaging/xen_disk-Add-suse-specific-flush-disable.patch +++ /dev/null @@ -1,49 +0,0 @@ -From: Bruce Rogers -Date: Wed, 9 Mar 2016 15:18:11 -0700 -Subject: xen_disk: Add suse specific flush disable handling and map to QEMU - equiv - -Add code to read the suse specific suse-diskcache-disable-flush flag out -of xenstore, and set the equivalent flag within QEMU. - -Patch taken from Xen's patch queue, Olaf Hering being the original author. -[bsc#879425] - -[BR: minor edits to pass qemu's checkpatch script] -[BR: With qdevification of xen-block, code has changed significantly] -Signed-off-by: Bruce Rogers -Signed-off-by: Olaf Hering ---- - hw/block/xen-block.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/hw/block/xen-block.c b/hw/block/xen-block.c -index 879fc310a4c5dfa4a7d8936f7d8e..0007ee64c75f38a2a3256f0b9462 100644 ---- a/hw/block/xen-block.c -+++ b/hw/block/xen-block.c -@@ -743,6 +743,8 @@ static XenBlockDrive *xen_block_drive_create(const char *id, - const char *mode = qdict_get_try_str(opts, "mode"); - const char *direct_io_safe = qdict_get_try_str(opts, "direct-io-safe"); - const char *discard_enable = qdict_get_try_str(opts, "discard-enable"); -+ const char *suse_diskcache_disable_flush = qdict_get_try_str(opts, -+ "suse-diskcache-disable-flush"); - char *driver = NULL; - char *filename = NULL; - XenBlockDrive *drive = NULL; -@@ -812,6 +814,16 @@ static XenBlockDrive *xen_block_drive_create(const char *id, - } - } - -+ if (suse_diskcache_disable_flush) { -+ unsigned long value; -+ if (!qemu_strtoul(suse_diskcache_disable_flush, NULL, 2, &value) && !!value) { -+ QDict *cache_qdict = qdict_new(); -+ -+ qdict_put_bool(cache_qdict, "no-flush", true); -+ qdict_put_obj(file_layer, "cache", QOBJECT(cache_qdict)); -+ } -+ } -+ - /* - * It is necessary to turn file locking off as an emulated device - * may have already opened the same image file. -- 2.34.1