packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

QEMU update to version 6.2.0-99:

Browse Source 
- target/i386: Introduce SapphireRapids-v3 to add missing features
- qtest/fuzz-lsi53c895a-test: set guest RAM to 2G
- hw/net/lan9118: Signal TSFL_INT flag when TX FIFO reaches specified level
- target/arm: Fix alignment for VLD4.32
- hw/microblaze: pass random seed to fdt
- tests/qtest: npcm7xx-emc-test: Skip checking MAC
- tests: mark io-command test as skipped if socat is missing
- tests: unit: add NULL-pointer check
- tests: test-qga: close socket on failure to connect
- vdpa:block device capacity expansion online support vdpa block device update capacity.
- virtio-net: Ensure queue index fits with RSS(CVE-2024-6505)
- nbd/server: CVE-2024-7409: Avoid use-after-free when closing server
- ppc/vof: Fix unaligned FDT property access
- vvfat: Fix reading files with non-continuous clusters
- vvfat: Fix bug in writing to middle of file
- savevm: Fix load_snapshot error path crash
- hw/dma/xilinx_axidma: Use semicolon at end of statement, not comma
- hw/remote/message.c: Don't directly invoke DeviceClass:reset
- crypto/tlscredspsk: Free username on finalize
- hw/display/vhost-user-gpu.c: fix vhost_user_gpu_chr_read()
- virtio: remove virtio_tswap16s() call in vring_packed_event_read()
- char-stdio: Restore blocking mode of stdout on exit
- hw/ppc: spapr: Use qemu_vfree() to free spapr->htab
- smbios: sanitize type from external type before checking have_fields_bitmap
- spapr_pci: fix leak in spapr_phb_vfio_get_loc_code
- KVM: use store-release to mark dirty pages as harvested
- monitor/hmp: print trace as option in help for log command
- tpm_crb: Avoid backend startup just before shutdown under Xen
- crypto/block-luks: make range overlap check more readable
- spapr: Free stdout path
- target/rx: Use target_ulong for address in LI
- virtio-pci: Fix the use of an uninitialized irqfd
- rtl8139: Fix behaviour for old kernels.
- virtio-rng: block max-bytes=0 MIME-Version: 1.0
- hw/audio/es1370: Clean up comment
- vhost-user-server: do not set memory fd non-blocking
- ui: reject extended clipboard message if not activated
- virtio-net: Fix vhost virtqueue notifiers for RSS
- hw/misc/applesmc: Fix memory leak in reset() handler

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
(cherry picked from commit db7a5d9a7239db307c8c1454fab5f8a92fd486b8)
This commit is contained in:
Jiabo Feng 2024-09-18 14:57:25 +08:00 committed by openeuler-sync-bot
parent eaa783e4aa
commit ab7fc8ee5b
40 changed files with 1960 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
KVM-use-store-release-to-mark-dirty-pages-as-harvest.patch Normal file
View File

@ -0,0 +1,91 @@
From e9fc6950c9d253ab9243f662d20da3021da3cb03 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Wed, 4 Sep 2024 06:03:35 +0000
Subject: [PATCH] KVM: use store-release to mark dirty pages as harvested
mainline inclusion commit 52281c6d11ec68b802e8a264780df2c4b981e6bc category:
bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
The following scenario can happen if QEMU sets more RESET flags while
the KVM_RESET_DIRTY_RINGS ioctl is ongoing on another host CPU:
CPU0 CPU1 CPU2
------------------------ ------------------ ------------------------
fill gfn0
store-rel flags for gfn0
fill gfn1
store-rel flags for gfn1
load-acq flags for gfn0
set RESET for gfn0
load-acq flags for gfn1
set RESET for gfn1
do ioctl! ----------->
ioctl(RESET_RINGS)
fill gfn2
store-rel flags for gfn2
load-acq flags for gfn2
set RESET for gfn2
process gfn0
process gfn1
process gfn2
do ioctl!
etc.
The three load-acquire in CPU0 synchronize with the three store-release
in CPU2, but CPU0 and CPU1 are only synchronized up to gfn1 and CPU1
may miss gfn2's fields other than flags.
The kernel must be able to cope with invalid values of the fields, and
userspace *will* invoke the ioctl once more. However, once the RESET flag
is cleared on gfn2, it is lost forever, therefore in the above scenario
CPU1 must read the correct value of gfn2's fields.
Therefore RESET must be set with a store-release, that will synchronize
with KVM's load-acquire in CPU1.
Cc: Gavin Shan <gshan@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
accel/kvm/kvm-all.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c
index 381e3c8552..3a09307a26 100644
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@@ -675,7 +675,23 @@ static bool dirty_gfn_is_dirtied(struct kvm_dirty_gfn *gfn)
static void dirty_gfn_set_collected(struct kvm_dirty_gfn *gfn)
{
- gfn->flags = KVM_DIRTY_GFN_F_RESET;
+ /*
+ * Use a store-release so that the CPU that executes KVM_RESET_DIRTY_RINGS
+ * sees the full content of the ring:
+ *
+ * CPU0 CPU1 CPU2
+ * ------------------------------------------------------------------------------
+ * fill gfn0
+ * store-rel flags for gfn0
+ * load-acq flags for gfn0
+ * store-rel RESET for gfn0
+ * ioctl(RESET_RINGS)
+ * load-acq flags for gfn0
+ * check if flags have RESET
+ *
+ * The synchronization goes from CPU2 to CPU0 to CPU1.
+ */
+ qatomic_store_release(&gfn->flags, KVM_DIRTY_GFN_F_RESET);
}
/*
--
2.41.0.windows.1

54
char-stdio-Restore-blocking-mode-of-stdout-on-exit.patch Normal file
View File

@ -0,0 +1,54 @@
From 17744d85df589f40e889639147889c98a50bc671 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Wed, 4 Sep 2024 23:25:17 -0700
Subject: [PATCH] char-stdio: Restore blocking mode of stdout on exit
qemu_chr_open_fd() sets stdout into non-blocking mode. Restore the old
fd flags on exit to avoid breaking unsuspecting applications that run on
the same terminal after qemu and don't expect to get EAGAIN.
While at at, also ensure term_exit is called once (at the moment it's
called both from char_stdio_finalize() and as the atexit() hook.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2423
Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
Link: https://lore.kernel.org/r/20240703190812.3459514-1-maxtram95@gmail.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a0124e333e2176640f233e5ea57a2f413985d9b5)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
chardev/char-stdio.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/chardev/char-stdio.c b/chardev/char-stdio.c
index 403da308c9..69bedca7f5 100644
--- a/chardev/char-stdio.c
+++ b/chardev/char-stdio.c
@@ -41,6 +41,7 @@
/* init terminal so that we can grab keys */
static struct termios oldtty;
static int old_fd0_flags;
+static int old_fd1_flags;
static bool stdio_in_use;
static bool stdio_allow_signal;
static bool stdio_echo_state;
@@ -50,6 +51,8 @@ static void term_exit(void)
if (stdio_in_use) {
tcsetattr(0, TCSANOW, &oldtty);
fcntl(0, F_SETFL, old_fd0_flags);
+ fcntl(1, F_SETFL, old_fd1_flags);
+ stdio_in_use = false;
}
}
@@ -102,6 +105,7 @@ static void qemu_chr_open_stdio(Chardev *chr,
stdio_in_use = true;
old_fd0_flags = fcntl(0, F_GETFL);
+ old_fd1_flags = fcntl(1, F_GETFL);
tcgetattr(0, &oldtty);
qemu_set_nonblock(0);
atexit(term_exit);
--
2.41.0.windows.1

47
crypto-block-luks-make-range-overlap-check-more-read.patch Normal file
View File

@ -0,0 +1,47 @@
From ca6f8348075be1839e87fa826a2719127ec64d41 Mon Sep 17 00:00:00 2001
From: dinglimin <dinglimin@cmss.chinamobile.com>
Date: Mon, 2 Sep 2024 17:40:40 +0800
Subject: [PATCH] crypto/block-luks: make range overlap check more readable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 7cd9b9d476e729808f3c9b82a12f51a39673d5cb
use ranges_overlap() instead of open-coding the overlap check to improve the readability of the code.
Signed-off-by: Yao Xingtao <yaoxt.fnst@fujitsu.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20240722040742.11513-12-yaoxt.fnst@fujitsu.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: dinglimin <dinglimin@cmss.chinamobile.com>
---
crypto/block-luks.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/block-luks.c b/crypto/block-luks.c
index fe8f04ffb2..2648719337 100644
--- a/crypto/block-luks.c
+++ b/crypto/block-luks.c
@@ -33,6 +33,7 @@
#include "qemu/coroutine.h"
#include "qemu/bitmap.h"
+#include "qemu/range.h"
/*
* Reference for the LUKS format implemented here is
@@ -591,7 +592,7 @@ qcrypto_block_luks_check_header(const QCryptoBlockLUKS *luks, Error **errp)
header_sectors,
slot2->stripes);
- if (start1 + len1 > start2 && start2 + len2 > start1) {
+ if (ranges_overlap(start1, len1, start2, len2)) {
error_setg(errp,
"Keyslots %zu and %zu are overlapping in the header",
i, j);
--
2.41.0.windows.1

77
crypto-tlscredspsk-Free-username-on-finalize.patch Normal file
View File

@ -0,0 +1,77 @@
From 58fb7b6216c6b2c8204e1046dd788f18eeb3b45f Mon Sep 17 00:00:00 2001
From: Peter Maydell <peter.maydell@linaro.org>
Date: Mon, 19 Aug 2024 15:50:21 +0100
Subject: [PATCH] crypto/tlscredspsk: Free username on finalize
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When the creds->username property is set we allocate memory
for it in qcrypto_tls_creds_psk_prop_set_username(), but
we never free this when the QCryptoTLSCredsPSK is destroyed.
Free the memory in finalize.
This fixes a LeakSanitizer complaint in migration-test:
$ (cd build/asan; ASAN_OPTIONS="fast_unwind_on_malloc=0" QTEST_QEMU_BINARY=./qemu-system-x86_64 ./tests/qtest/migration-test --tap -k -p /x86_64/migration/precopy/unix/tls/psk)
=================================================================
==3867512==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 5 byte(s) in 1 object(s) allocated from:
#0 0x5624e5c99dee in malloc (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x218edee) (BuildId: a9e623fa1009a9435c0142c037cd7b8c1ad04ce3)
#1 0x7fb199ae9738 in g_malloc debian/build/deb/../../../glib/gmem.c:128:13
#2 0x7fb199afe583 in g_strdup debian/build/deb/../../../glib/gstrfuncs.c:361:17
#3 0x5624e82ea919 in qcrypto_tls_creds_psk_prop_set_username /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../crypto/tlscredspsk.c:255:23
#4 0x5624e812c6b5 in property_set_str /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object.c:2277:5
#5 0x5624e8125ce5 in object_property_set /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object.c:1463:5
#6 0x5624e8136e7c in object_set_properties_from_qdict /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object_interfaces.c:55:14
#7 0x5624e81372d2 in user_creatable_add_type /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object_interfaces.c:112:5
#8 0x5624e8137964 in user_creatable_add_qapi /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/object_interfaces.c:157:11
#9 0x5624e891ba3c in qmp_object_add /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qom/qom-qmp-cmds.c:227:5
#10 0x5624e8af9118 in qmp_marshal_object_add /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qapi/qapi-commands-qom.c:337:5
#11 0x5624e8bd1d49 in do_qmp_dispatch_bh /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../qapi/qmp-dispatch.c:128:5
#12 0x5624e8cb2531 in aio_bh_call /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/async.c:171:5
#13 0x5624e8cb340c in aio_bh_poll /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/async.c:218:13
#14 0x5624e8c0be98 in aio_dispatch /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/aio-posix.c:423:5
#15 0x5624e8cba3ce in aio_ctx_dispatch /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/async.c:360:5
#16 0x7fb199ae0d3a in g_main_dispatch debian/build/deb/../../../glib/gmain.c:3419:28
#17 0x7fb199ae0d3a in g_main_context_dispatch debian/build/deb/../../../glib/gmain.c:4137:7
#18 0x5624e8cbe1d9 in glib_pollfds_poll /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/main-loop.c:287:9
#19 0x5624e8cbcb13 in os_host_main_loop_wait /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/main-loop.c:310:5
#20 0x5624e8cbc6dc in main_loop_wait /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../util/main-loop.c:589:11
#21 0x5624e6f3f917 in qemu_main_loop /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../system/runstate.c:801:9
#22 0x5624e893379c in qemu_default_main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../system/main.c:37:14
#23 0x5624e89337e7 in main /mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/../../system/main.c:48:12
#24 0x7fb197972d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#25 0x7fb197972e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#26 0x5624e5c16fa4 in _start (/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/asan/qemu-system-x86_64+0x210bfa4) (BuildId: a9e623fa1009a9435c0142c037cd7b8c1ad04ce3)
SUMMARY: AddressSanitizer: 5 byte(s) leaked in 1 allocation(s).
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-ID: <20240819145021.38524-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org
(cherry picked from commit 87e012f29f2e47dcd8c385ff8bb8188f9e06d4ea)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
crypto/tlscredspsk.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/crypto/tlscredspsk.c b/crypto/tlscredspsk.c
index 752f2d92be..9ab62b411d 100644
--- a/crypto/tlscredspsk.c
+++ b/crypto/tlscredspsk.c
@@ -245,6 +245,7 @@ qcrypto_tls_creds_psk_finalize(Object *obj)
QCryptoTLSCredsPSK *creds = QCRYPTO_TLS_CREDS_PSK(obj);
qcrypto_tls_creds_psk_unload(creds);
+ g_free(creds->username);
}
static void
--
2.41.0.windows.1

44
hw-audio-es1370-Clean-up-comment.patch Normal file
View File

@ -0,0 +1,44 @@
From 25a18f3ade8c4c412d21b9147f018fc7c55558d4 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Thu, 15 Aug 2024 23:59:42 -0700
Subject: [PATCH] hw/audio/es1370: Clean up comment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Replace a sweary comment with one that's a bit more helpful to
future readers of the code.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Volker Rümelin <vr_qemu@t-online.de>
Message-ID: <20231110164318.2197569-1-peter.maydell@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 4409a6d85522925df580554d476161a570bb1ed9)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/audio/es1370.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
index 6904589814..72de110e0b 100644
--- a/hw/audio/es1370.c
+++ b/hw/audio/es1370.c
@@ -702,8 +702,13 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
cnt += (transferred + d->leftover) >> 2;
if (s->sctl & loop_sel) {
- /* Bah, how stupid is that having a 0 represent true value?
- i just spent few hours on this shit */
+ /*
+ * loop_sel tells us which bit in the SCTL register to look at
+ * (either P1_LOOP_SEL, P2_LOOP_SEL or R1_LOOP_SEL). The sense
+ * of these bits is 0 for loop mode (set interrupt and keep recording
+ * when the sample count reaches zero) or 1 for stop mode (set
+ * interrupt and stop recording).
+ */
AUD_log ("es1370: warning", "non looping mode\n");
}
else {
--
2.41.0.windows.1

38
hw-display-vhost-user-gpu.c-fix-vhost_user_gpu_chr_r.patch Normal file
View File

@ -0,0 +1,38 @@
From a5e9442e8e386e62c043fa0b5fba469251fa5d4d Mon Sep 17 00:00:00 2001
From: Haoran Zhang <wh1sper@zju.edu.cn>
Date: Thu, 22 Aug 2024 11:07:58 +0800
Subject: [PATCH] hw/display/vhost-user-gpu.c: fix vhost_user_gpu_chr_read()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
fix vhost_user_gpu_chr_read() where `size` was incorrectly passed to `msg->flags`.
Fixes: 267f664658 ("hw/display: add vhost-user-vga & gpu-pci")
Signed-off-by: Haoran Zhang <wh1sper@zju.edu.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit d6192f3f7593536a4285e8ab6c6cf3f34973ce62)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/display/vhost-user-gpu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/display/vhost-user-gpu.c b/hw/display/vhost-user-gpu.c
index 4363e34db1..b2d89cd54e 100644
--- a/hw/display/vhost-user-gpu.c
+++ b/hw/display/vhost-user-gpu.c
@@ -334,7 +334,7 @@ vhost_user_gpu_chr_read(void *opaque)
}
msg->request = request;
- msg->flags = size;
+ msg->flags = flags;
msg->size = size;
if (request == VHOST_USER_GPU_CURSOR_UPDATE ||
--
2.41.0.windows.1

42
hw-dma-xilinx_axidma-Use-semicolon-at-end-of-stateme.patch Normal file
View File

@ -0,0 +1,42 @@
From 1816af81d099d0ab7dc434a42e7218184894e3ef Mon Sep 17 00:00:00 2001
From: Peter Maydell <peter.maydell@linaro.org>
Date: Tue, 13 Aug 2024 17:52:45 +0100
Subject: [PATCH] hw/dma/xilinx_axidma: Use semicolon at end of statement, not
comma
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In axidma_class_init() we accidentally used a comma at the end of
a statement rather than a semicolon. This has no ill effects, but
it's obviously not intended and it means that Coccinelle scripts
for instance will fail to match on the two statements. Use a
semicolon instead.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20240813165250.2717650-6-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org
(cherry picked from commit dfad8421af474a38e272cdb19ae3c8e778acf820)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/dma/xilinx_axidma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/dma/xilinx_axidma.c b/hw/dma/xilinx_axidma.c
index bc383f53cc..5044fb146d 100644
--- a/hw/dma/xilinx_axidma.c
+++ b/hw/dma/xilinx_axidma.c
@@ -598,7 +598,7 @@ static void axidma_class_init(ObjectClass *klass, void *data)
{
DeviceClass *dc = DEVICE_CLASS(klass);
- dc->realize = xilinx_axidma_realize,
+ dc->realize = xilinx_axidma_realize;
dc->reset = xilinx_axidma_reset;
device_class_set_props(dc, axidma_properties);
}
--
2.41.0.windows.1

54
hw-microblaze-pass-random-seed-to-fdt.patch Normal file
View File

@ -0,0 +1,54 @@
From 74e95f7071c8d8f40b352992b19c967655459b31 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 9 Sep 2024 08:20:28 +0000
Subject: [PATCH] hw/microblaze: pass random seed to fdt mainline inclusion
commit b91b6b5a2cd83a096116929dfc8e016091080adc category: bugfix
---------------------------------------------------------------
If the FDT contains /chosen/rng-seed, then the Linux RNG will use it to
initialize early. Set this using the usual guest random number
generation function. This FDT node is part of the DT specification.
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@gmail.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@amd.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/microblaze/boot.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/microblaze/boot.c b/hw/microblaze/boot.c
index 8821d009f1..26f315aaea 100644
--- a/hw/microblaze/boot.c
+++ b/hw/microblaze/boot.c
@@ -31,6 +31,7 @@
#include "qemu/option.h"
#include "qemu/config-file.h"
#include "qemu/error-report.h"
+#include "qemu/guest-random.h"
#include "sysemu/device_tree.h"
#include "sysemu/reset.h"
#include "hw/boards.h"
@@ -76,6 +77,7 @@ static int microblaze_load_dtb(hwaddr addr,
int fdt_size;
void *fdt = NULL;
int r;
+ uint8_t rng_seed[32];
if (dtb_filename) {
fdt = load_device_tree(dtb_filename, &fdt_size);
@@ -84,6 +86,9 @@ static int microblaze_load_dtb(hwaddr addr,
return 0;
}
+ qemu_guest_getrandom_nofail(rng_seed, sizeof(rng_seed));
+ qemu_fdt_setprop(fdt, "/chosen", "rng-seed", rng_seed, sizeof(rng_seed));
+
if (kernel_cmdline) {
r = qemu_fdt_setprop_string(fdt, "/chosen", "bootargs",
kernel_cmdline);
--
2.41.0.windows.1

40
hw-misc-applesmc-Fix-memory-leak-in-reset-handler.patch Normal file
View File

@ -0,0 +1,40 @@
From dd51b99923c20a289f4b2c9de0cba5d272fbb493 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Date: Mon, 8 Apr 2024 11:41:59 +0200
Subject: [PATCH] hw/misc/applesmc: Fix memory leak in reset() handler
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
AppleSMCData is allocated with g_new0() in applesmc_add_key():
release it with g_free().
Leaked since commit 1ddda5cd36 ("AppleSMC device emulation").
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2272
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20240408095217.57239-3-philmd@linaro.org>
(cherry picked from commit fc09ff2979defdcf8d00c2db94022d5d610e36ba)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/misc/applesmc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/misc/applesmc.c b/hw/misc/applesmc.c
index 1b9acaf1d3..e17229025f 100644
--- a/hw/misc/applesmc.c
+++ b/hw/misc/applesmc.c
@@ -269,6 +269,7 @@ static void qdev_applesmc_isa_reset(DeviceState *dev)
/* Remove existing entries */
QLIST_FOREACH_SAFE(d, &s->data_def, node, next) {
QLIST_REMOVE(d, node);
+ g_free(d);
}
s->status = 0x00;
s->status_1e = 0x00;
--
2.41.0.windows.1

49
hw-net-lan9118-Signal-TSFL_INT-flag-when-TX-FIFO-rea.patch Normal file
View File

@ -0,0 +1,49 @@
From 8b72b72180276e4f0af962e60fead6bdbe0e0577 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Tue, 10 Sep 2024 11:42:12 +0000
Subject: [PATCH] hw/net/lan9118: Signal TSFL_INT flag when TX FIFO reaches
specified level mainline inclusion commit
895a803ce91704f28c9b49621a4f589273289f1e category: bugfix
---------------------------------------------------------------
The LAN9118 allows the guest to specify a level for both the TX and
RX FIFOs at which an interrupt will be generated. We implement the
RSFL_INT interrupt for the RX FIFO but are missing the handling of
the equivalent TSFL_INT for the TX FIFO. Add the missing test to set
the interrupt if the TX FIFO has exceeded the guest-specified level.
This flag is required for Micrium lan911x ethernet driver to work.
Signed-off-by: Lucas Dietrich <ld.adecy@gmail.com>
[PMM: Tweaked commit message and comment]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/net/lan9118.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index fa43758105..9897296c21 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -702,6 +702,14 @@ static void do_tx_packet(lan9118_state *s)
n = (s->tx_status_fifo_head + s->tx_status_fifo_used) & 511;
s->tx_status_fifo[n] = status;
s->tx_status_fifo_used++;
+
+ /*
+ * Generate TSFL interrupt if TX FIFO level exceeds the level
+ * specified in the FIFO_INT TX Status Level field.
+ */
+ if (s->tx_status_fifo_used > ((s->fifo_int >> 16) & 0xff)) {
+ s->int_sts |= TSFL_INT;
+ }
if (s->tx_status_fifo_used == 512) {
s->int_sts |= TSFF_INT;
/* TODO: Stop transmission. */
--
2.41.0.windows.1

44
hw-ppc-spapr-Use-qemu_vfree-to-free-spapr-htab.patch Normal file
View File

@ -0,0 +1,44 @@
From 814378bd1174b4cb9f98e5ed0cac4f4d700c893d Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Wed, 4 Sep 2024 08:25:49 +0000
Subject: [PATCH] hw/ppc: spapr: Use qemu_vfree() to free spapr->htab mainline
inclusion commit cb5b5ab9a516ce5ecddfc50971bf6f690300fd74 category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
spapr->htab is allocated by qemu_memalign(), hence we should use
qemu_vfree() to free it.
Fixes: c5f54f3e31bf ("pseries: Move hash page table allocation to reset time")
Fixes: b4db54132ffe ("target/ppc: Implement H_REGISTER_PROCESS_TABLE H_CALL"")
Signed-off-by: Xuzhou Cheng <xuzhou.cheng@windriver.com>
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220920103159.1865256-28-bmeng.cn@gmail.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/ppc/spapr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index d1fbea16e3..6727ea7118 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1482,7 +1482,7 @@ int spapr_hpt_shift_for_ramsize(uint64_t ramsize)
void spapr_free_hpt(SpaprMachineState *spapr)
{
- g_free(spapr->htab);
+ qemu_vfree(spapr->htab);
spapr->htab = NULL;
spapr->htab_shift = 0;
close_htab_fd(spapr);
--
2.41.0.windows.1

48
hw-remote-message.c-Don-t-directly-invoke-DeviceClas.patch Normal file
View File

@ -0,0 +1,48 @@
From ea0169b5de433426e863f162f7a299fc29b9ff8d Mon Sep 17 00:00:00 2001
From: Peter Maydell <peter.maydell@linaro.org>
Date: Tue, 13 Aug 2024 17:52:46 +0100
Subject: [PATCH] hw/remote/message.c: Don't directly invoke DeviceClass:reset
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Directly invoking the DeviceClass::reset method is a bad idea,
because if the device is using three-phase reset then it relies on
transitional reset machinery which is likely to disappear at some
point.
Reset the device in the standard way, by calling device_cold_reset().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-ID: <20240813165250.2717650-7-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org
(cherry picked from commit 7d3a421feab29c03601813c8a0f98d5b2fd4420a)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/remote/message.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/hw/remote/message.c b/hw/remote/message.c
index 11d729845c..83b91c8762 100644
--- a/hw/remote/message.c
+++ b/hw/remote/message.c
@@ -216,13 +216,10 @@ fail:
static void process_device_reset_msg(QIOChannel *ioc, PCIDevice *dev,
Error **errp)
{
- DeviceClass *dc = DEVICE_GET_CLASS(dev);
DeviceState *s = DEVICE(dev);
MPQemuMsg ret = { 0 };
- if (dc->reset) {
- dc->reset(s);
- }
+ device_cold_reset(s);
ret.cmd = MPQEMU_CMD_RET;
--
2.41.0.windows.1

60
monitor-hmp-print-trace-as-option-in-help-for-log-co.patch Normal file
View File

@ -0,0 +1,60 @@
From 0807b94d2cb88f1253d90f649604f0110b33f9b4 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Tue, 3 Sep 2024 02:12:05 +0000
Subject: [PATCH] monitor/hmp: print trace as option in help for log command
mainline inclusion commit 3183bb3f441ba5b9da570f7f5f9abdc3313ba311 category:
bugfix
---------------------------------------------------------------
The below is printed when printing help information in qemu-system-x86_64
command line, and when CONFIG_TRACE_LOG is enabled:
----------------------------
$ qemu-system-x86_64 -d help
... ...
trace:PATTERN enable trace events
Use "-d trace:help" to get a list of trace events.
----------------------------
However, the options of "trace:PATTERN" are only printed by
"qemu-system-x86_64 -d help", but missing in hmp "help log" command.
Fixes: c84ea00dc2 ("log: add "-d trace:PATTERN"")
Cc: Joe Jin <joe.jin@oracle.com>
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
Message-Id: <20220831213943.8155-1-dongli.zhang@oracle.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
monitor/hmp.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/monitor/hmp.c b/monitor/hmp.c
index b20737e63c..9cbbe52812 100644
--- a/monitor/hmp.c
+++ b/monitor/hmp.c
@@ -285,10 +285,15 @@ void help_cmd(Monitor *mon, const char *name)
if (!strcmp(name, "log")) {
const QEMULogItem *item;
monitor_printf(mon, "Log items (comma separated):\n");
- monitor_printf(mon, "%-10s %s\n", "none", "remove all logs");
+ monitor_printf(mon, "%-15s %s\n", "none", "remove all logs");
for (item = qemu_log_items; item->mask != 0; item++) {
- monitor_printf(mon, "%-10s %s\n", item->name, item->help);
+ monitor_printf(mon, "%-15s %s\n", item->name, item->help);
}
+#ifdef CONFIG_TRACE_LOG
+ monitor_printf(mon, "trace:PATTERN enable trace events\n");
+ monitor_printf(mon, "\nUse \"log trace:help\" to get a list of "
+ "trace events.\n\n");
+#endif
return;
}
--
2.41.0.windows.1

90
nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch Normal file
View File

@ -0,0 +1,90 @@
From fa58315ae2b81ea8b5b352bf19ff6bc1d3a4c684 Mon Sep 17 00:00:00 2001
From: Eric Blake <eblake@redhat.com>
Date: Thu, 22 Aug 2024 09:35:29 -0500
Subject: [PATCH] nbd/server: CVE-2024-7409: Avoid use-after-free when closing
server
Commit 3e7ef738 plugged the use-after-free of the global nbd_server
object, but overlooked a use-after-free of nbd_server->listener.
Although this race is harder to hit, notice that our shutdown path
first drops the reference count of nbd_server->listener, then triggers
actions that can result in a pending client reaching the
nbd_blockdev_client_closed() callback, which in turn calls
qio_net_listener_set_client_func on a potentially stale object.
If we know we don't want any more clients to connect, and have already
told the listener socket to shut down, then we should not be trying to
update the listener socket's associated function.
Reproducer:
> #!/usr/bin/python3
>
> import os
> from threading import Thread
>
> def start_stop():
> while 1:
> os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-start",
+"arguments":{"addr":{"type":"unix","data":{"path":"/tmp/nbd-sock"}}}}\'')
> os.system('virsh qemu-monitor-command VM \'{"execute": "nbd-server-stop"}\'')
>
> def nbd_list():
> while 1:
> os.system('/path/to/build/qemu-nbd -L -k /tmp/nbd-sock')
>
> def test():
> sst = Thread(target=start_stop)
> sst.start()
> nlt = Thread(target=nbd_list)
> nlt.start()
>
> sst.join()
> nlt.join()
>
> test()
Fixes: CVE-2024-7409
Fixes: 3e7ef738c8 ("nbd/server: CVE-2024-7409: Close stray clients at server-stop")
CC: qemu-stable@nongnu.org
Reported-by: Andrey Drobyshev <andrey.drobyshev@virtuozzo.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-ID: <20240822143617.800419-2-eblake@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
---
blockdev-nbd.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/blockdev-nbd.c b/blockdev-nbd.c
index c71ca38d29..94e9eddc3c 100644
--- a/blockdev-nbd.c
+++ b/blockdev-nbd.c
@@ -87,10 +87,13 @@ static void nbd_accept(QIONetListener *listener, QIOChannelSocket *cioc,
static void nbd_update_server_watch(NBDServerData *s)
{
- if (!s->max_connections || s->connections < s->max_connections) {
- qio_net_listener_set_client_func(s->listener, nbd_accept, NULL, NULL);
- } else {
- qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
+ if (s->listener) {
+ if (!s->max_connections || s->connections < s->max_connections) {
+ qio_net_listener_set_client_func(s->listener, nbd_accept, NULL,
+ NULL);
+ } else {
+ qio_net_listener_set_client_func(s->listener, NULL, NULL, NULL);
+ }
}
}
@@ -108,6 +111,7 @@ static void nbd_server_free(NBDServerData *server)
*/
qio_net_listener_disconnect(server->listener);
object_unref(OBJECT(server->listener));
+ server->listener = NULL;
QLIST_FOREACH_SAFE(conn, &server->conns, next, tmp) {
qio_channel_shutdown(QIO_CHANNEL(conn->cioc), QIO_CHANNEL_SHUTDOWN_BOTH,
NULL);
--
2.41.0.windows.1

33
ppc-vof-Fix-unaligned-FDT-property-access.patch Normal file
View File

@ -0,0 +1,33 @@
From 387b359dd8713cdf5e234bdbc41bc6546934c160 Mon Sep 17 00:00:00 2001
From: Akihiko Odaki <akihiko.odaki@daynix.com>
Date: Mon, 8 Jul 2024 15:55:13 +0900
Subject: [PATCH] ppc/vof: Fix unaligned FDT property access
FDT properties are aligned by 4 bytes, not 8 bytes.
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
(cherry picked from commit 785c8637f9d2362a8addf4ded853d975955a9d6b)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/ppc/vof.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ppc/vof.c b/hw/ppc/vof.c
index b1aa0ceb8b..cb1ae6fabf 100644
--- a/hw/ppc/vof.c
+++ b/hw/ppc/vof.c
@@ -648,7 +648,7 @@ static void vof_dt_memory_available(void *fdt, GArray *claimed, uint64_t base)
mem0_reg = fdt_getprop(fdt, offset, "reg", &proplen);
g_assert(mem0_reg && proplen == sizeof(uint32_t) * (ac + sc));
if (sc == 2) {
- mem0_end = be64_to_cpu(*(uint64_t *)(mem0_reg + sizeof(uint32_t) * ac));
+ mem0_end = ldq_be_p(mem0_reg + sizeof(uint32_t) * ac);
} else {
mem0_end = be32_to_cpu(*(uint32_t *)(mem0_reg + sizeof(uint32_t) * ac));
}
--
2.41.0.windows.1

82
qemu.spec
View File

@ -3,7 +3,7 @@
Name: qemu
Version: 6.2.0
Release: 98
Release: 99
Epoch: 10
Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -1005,6 +1005,45 @@ Patch0990: aspeed-hace-Initialize-g_autofree-pointer.patch
Patch0991: migration-Skip-only-empty-block-devices.patch
Patch0992: hmat-acpi-Fix-out-of-bounds-access-due-to-missing-us.patch
Patch0993: pci-host-designware-Limit-value-range-of-iATU-viewpo.patch
Patch0994: hw-misc-applesmc-Fix-memory-leak-in-reset-handler.patch
Patch0995: virtio-net-Fix-vhost-virtqueue-notifiers-for-RSS.patch
Patch0996: ui-reject-extended-clipboard-message-if-not-activate.patch
Patch0997: vhost-user-server-do-not-set-memory-fd-non-blocking.patch
Patch0998: hw-audio-es1370-Clean-up-comment.patch
Patch0999: virtio-rng-block-max-bytes-0-MIME-Version-1.0.patch
Patch1000: rtl8139-Fix-behaviour-for-old-kernels.patch
Patch1001: virtio-pci-Fix-the-use-of-an-uninitialized-irqfd.patch
Patch1002: target-rx-Use-target_ulong-for-address-in-LI.patch
Patch1003: spapr-Free-stdout-path.patch
Patch1004: crypto-block-luks-make-range-overlap-check-more-read.patch
Patch1005: tpm_crb-Avoid-backend-startup-just-before-shutdown-u.patch
Patch1006: monitor-hmp-print-trace-as-option-in-help-for-log-co.patch
Patch1007: KVM-use-store-release-to-mark-dirty-pages-as-harvest.patch
Patch1008: spapr_pci-fix-leak-in-spapr_phb_vfio_get_loc_code.patch
Patch1009: smbios-sanitize-type-from-external-type-before-check.patch
Patch1010: hw-ppc-spapr-Use-qemu_vfree-to-free-spapr-htab.patch
Patch1011: char-stdio-Restore-blocking-mode-of-stdout-on-exit.patch
Patch1012: virtio-remove-virtio_tswap16s-call-in-vring_packed_e.patch
Patch1013: hw-display-vhost-user-gpu.c-fix-vhost_user_gpu_chr_r.patch
Patch1014: crypto-tlscredspsk-Free-username-on-finalize.patch
Patch1015: hw-remote-message.c-Don-t-directly-invoke-DeviceClas.patch
Patch1016: hw-dma-xilinx_axidma-Use-semicolon-at-end-of-stateme.patch
Patch1017: savevm-Fix-load_snapshot-error-path-crash.patch
Patch1018: vvfat-Fix-bug-in-writing-to-middle-of-file.patch
Patch1019: vvfat-Fix-reading-files-with-non-continuous-clusters.patch
Patch1020: ppc-vof-Fix-unaligned-FDT-property-access.patch
Patch1021: nbd-server-CVE-2024-7409-Avoid-use-after-free-when-c.patch
Patch1022: virtio-net-Ensure-queue-index-fits-with-RSS-CVE-2024.patch
Patch1023: vdpa-block-device-capacity-expansion-online.patch
Patch1024: tests-test-qga-close-socket-on-failure-to-connect.patch
Patch1025: tests-unit-add-NULL-pointer-check.patch
Patch1026: tests-mark-io-command-test-as-skipped-if-socat-is-mi.patch
Patch1027: tests-qtest-npcm7xx-emc-test-Skip-checking-MAC.patch
Patch1028: hw-microblaze-pass-random-seed-to-fdt.patch
Patch1029: target-arm-Fix-alignment-for-VLD4.32.patch
Patch1030: hw-net-lan9118-Signal-TSFL_INT-flag-when-TX-FIFO-rea.patch
Patch1031: qtest-fuzz-lsi53c895a-test-set-guest-RAM-to-2G.patch
Patch1032: target-i386-Introduce-SapphireRapids-v3-to-add-missi.patch
BuildRequires: flex
BuildRequires: gcc
@ -1603,6 +1642,47 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Wed Sep 18 2024 <fengjiabo1@huawei.com> - 10:6.2.0-99
- target/i386: Introduce SapphireRapids-v3 to add missing features
- qtest/fuzz-lsi53c895a-test: set guest RAM to 2G
- hw/net/lan9118: Signal TSFL_INT flag when TX FIFO reaches specified level
- target/arm: Fix alignment for VLD4.32
- hw/microblaze: pass random seed to fdt
- tests/qtest: npcm7xx-emc-test: Skip checking MAC
- tests: mark io-command test as skipped if socat is missing
- tests: unit: add NULL-pointer check
- tests: test-qga: close socket on failure to connect
- vdpa:block device capacity expansion online support vdpa block device update capacity.
- virtio-net: Ensure queue index fits with RSS(CVE-2024-6505)
- nbd/server: CVE-2024-7409: Avoid use-after-free when closing server
- ppc/vof: Fix unaligned FDT property access
- vvfat: Fix reading files with non-continuous clusters
- vvfat: Fix bug in writing to middle of file
- savevm: Fix load_snapshot error path crash
- hw/dma/xilinx_axidma: Use semicolon at end of statement, not comma
- hw/remote/message.c: Don't directly invoke DeviceClass:reset
- crypto/tlscredspsk: Free username on finalize
- hw/display/vhost-user-gpu.c: fix vhost_user_gpu_chr_read()
- virtio: remove virtio_tswap16s() call in vring_packed_event_read()
- char-stdio: Restore blocking mode of stdout on exit
- hw/ppc: spapr: Use qemu_vfree() to free spapr->htab
- smbios: sanitize type from external type before checking have_fields_bitmap
- spapr_pci: fix leak in spapr_phb_vfio_get_loc_code
- KVM: use store-release to mark dirty pages as harvested
- monitor/hmp: print trace as option in help for log command
- tpm_crb: Avoid backend startup just before shutdown under Xen
- crypto/block-luks: make range overlap check more readable
- spapr: Free stdout path
- target/rx: Use target_ulong for address in LI
- virtio-pci: Fix the use of an uninitialized irqfd
- rtl8139: Fix behaviour for old kernels.
- virtio-rng: block max-bytes=0 MIME-Version: 1.0
- hw/audio/es1370: Clean up comment
- vhost-user-server: do not set memory fd non-blocking
- ui: reject extended clipboard message if not activated
- virtio-net: Fix vhost virtqueue notifiers for RSS
- hw/misc/applesmc: Fix memory leak in reset() handler
* Wed Aug 21 2024 <fengjiabo1@huawei.com> - 10:6.2.0-98
- pci-host: designware: Limit value range of iATU viewport register
- hmat acpi: Fix out of bounds access due to missing use of indirection

43
qtest-fuzz-lsi53c895a-test-set-guest-RAM-to-2G.patch Normal file
View File

@ -0,0 +1,43 @@
From c113a6e7135eb5f3676c59f733dd109a8be95b44 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Tue, 10 Sep 2024 11:48:29 +0000
Subject: [PATCH] qtest/fuzz-lsi53c895a-test: set guest RAM to 2G mainline
inclusion commit a772ddc1c013c3ff54cd6bc5f1e4a9107093fc01 category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
test_lsi_do_msgout_cancel_req does not run on machines with small size
memory. Reduce guest memory from 4G to 2G to alleviate the problem.
Reported-by: Bin Meng <bmeng.cn@gmail.com>
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20220902133853.834065-1-mcascell@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
tests/qtest/fuzz-lsi53c895a-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
index 9c50958796..bd18e8622e 100644
--- a/tests/qtest/fuzz-lsi53c895a-test.c
+++ b/tests/qtest/fuzz-lsi53c895a-test.c
@@ -51,7 +51,7 @@ static void test_lsi_do_msgout_cancel_req(void)
return;
}
- s = qtest_init("-M q35 -m 4G -display none -nodefaults "
+ s = qtest_init("-M q35 -m 2G -display none -nodefaults "
"-device lsi53c895a,id=scsi "
"-device scsi-hd,drive=disk0 "
"-drive file=null-co://,id=disk0,if=none,format=raw");
--
2.41.0.windows.1

35
rtl8139-Fix-behaviour-for-old-kernels.patch Normal file
View File

@ -0,0 +1,35 @@
From b5bcfc82399f2651e8370fe25e07104327ed5ae4 Mon Sep 17 00:00:00 2001
From: dinglimin <dinglimin@cmss.chinamobile.com>
Date: Mon, 26 Aug 2024 18:27:47 +0800
Subject: [PATCH] rtl8139: Fix behaviour for old kernels.
Old linux kernel rtl8139 drivers (ex. debian 2.1) uses outb to set the rx
mode for RxConfig. Unfortunatelly qemu does not support outb for RxConfig.
Signed-off-by: Hans <sungdgdhtryrt@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: dinglimin <dinglimin@cmss.chinamobile.com>
---
hw/net/rtl8139.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 8af396cf06..7bcc05e2a5 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2746,7 +2746,11 @@ static void rtl8139_io_writeb(void *opaque, uint8_t addr, uint32_t val)
}
break;
-
+ case RxConfig:
+ DPRINTF("RxConfig write(b) val=0x%02x\n", val);
+ rtl8139_RxConfig_write(s,
+ (rtl8139_RxConfig_read(s) & 0xFFFFFF00) | val);
+ break;
default:
DPRINTF("not implemented write(b) addr=0x%x val=0x%02x\n", addr,
val);
--
2.41.0.windows.1

36
savevm-Fix-load_snapshot-error-path-crash.patch Normal file
View File

@ -0,0 +1,36 @@
From 9c5278b1cb8c4f524f519e4f54332c5333a8e4a2 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Thu, 5 Sep 2024 04:13:36 -0700
Subject: [PATCH] savevm: Fix load_snapshot error path crash
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
An error path missed setting *errp, which can cause a NULL deref.
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Message-Id: <20240813050638.446172-11-npiggin@gmail.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20240813202329.1237572-19-alex.bennee@linaro.org>
(cherry picked from commit 97d2b66dcd8c771065807b4acfd0002dac4385be)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
migration/savevm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/migration/savevm.c b/migration/savevm.c
index d59e976d50..b501504bd5 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -3022,6 +3022,7 @@ bool load_snapshot(const char *name, const char *vmstate,
ret = bdrv_snapshot_find(bs_vm_state, &sn, name);
aio_context_release(aio_context);
if (ret < 0) {
+ error_setg(errp, "Snapshot can not be found");
return false;
} else if (sn.vm_state_size == 0) {
error_setg(errp, "This is a disk-only snapshot. Revert to it "
--
2.41.0.windows.1

51
smbios-sanitize-type-from-external-type-before-check.patch Normal file
View File

@ -0,0 +1,51 @@
From 27179c493623b7758aead29955e96a6c52248502 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Wed, 4 Sep 2024 07:56:16 +0000
Subject: [PATCH] smbios: sanitize type from external type before checking
have_fields_bitmap mainline inclusion commit
57e3069641d057a9ca90bb603c86477d5b331ecd category: bugfix
---------------------------------------------------------------
test_bit uses header->type as an offset; if the file incorrectly specifies a
type greater than 127, smbios_entry_add will read and write garbage.
To fix this, just pass the smbios data through, assuming the user knows what
to do. Reported by Coverity as CID 1487255.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/smbios/smbios.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/hw/smbios/smbios.c b/hw/smbios/smbios.c
index f73b9417c8..d506fd4e7e 100644
--- a/hw/smbios/smbios.c
+++ b/hw/smbios/smbios.c
@@ -1171,13 +1171,15 @@ void smbios_entry_add(QemuOpts *opts, Error **errp)
return;
}
- if (test_bit(header->type, have_fields_bitmap)) {
- error_setg(errp,
- "can't load type %d struct, fields already specified!",
- header->type);
- return;
+ if (header->type <= SMBIOS_MAX_TYPE) {
+ if (test_bit(header->type, have_fields_bitmap)) {
+ error_setg(errp,
+ "can't load type %d struct, fields already specified!",
+ header->type);
+ return;
+ }
+ set_bit(header->type, have_binfile_bitmap);
}
- set_bit(header->type, have_binfile_bitmap);
if (header->type == 4) {
smbios_type4_count++;
--
2.41.0.windows.1

30
spapr-Free-stdout-path.patch Normal file
View File

@ -0,0 +1,30 @@
From 3dd770cfc6a59b45c3a960177f36e57612cf8818 Mon Sep 17 00:00:00 2001
From: dinglimin <dinglimin@cmss.chinamobile.com>
Date: Mon, 2 Sep 2024 16:47:04 +0800
Subject: [PATCH] spapr: Free stdout path
cheery-pick from 8af863f2bd976b937f7e3d38b2ab1813b2fa1d9d
This fixes LeakSanitizer warnings.
Signed-off-by: dinglimin <dinglimin@cmss.chinamobile.com>
---
hw/ppc/spapr_vof.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ppc/spapr_vof.c b/hw/ppc/spapr_vof.c
index 40ce8fe003..e437cab642 100644
--- a/hw/ppc/spapr_vof.c
+++ b/hw/ppc/spapr_vof.c
@@ -29,7 +29,7 @@ target_ulong spapr_h_vof_client(PowerPCCPU *cpu, SpaprMachineState *spapr,
void spapr_vof_client_dt_finalize(SpaprMachineState *spapr, void *fdt)
{
- char *stdout_path = spapr_vio_stdout_path(spapr->vio_bus);
+ g_autofree char *stdout_path = spapr_vio_stdout_path(spapr->vio_bus);
vof_build_dt(fdt, spapr->vof);
--
2.41.0.windows.1

35
spapr_pci-fix-leak-in-spapr_phb_vfio_get_loc_code.patch Normal file
View File

@ -0,0 +1,35 @@
From 401dbfbce0b9acbc59f953d80461781afca4b0f7 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Wed, 4 Sep 2024 06:53:37 +0000
Subject: [PATCH] spapr_pci: fix leak in spapr_phb_vfio_get_loc_code mainline
inclusion commit c4ef328bdc5dac319c8a1bdbe6d4108382b41584 category: bugfix
---------------------------------------------------------------
Overwriting "path" in the second call to g_strdup_printf() causes a memory leak,
even if the variable itself is g_autofree.
Reported by Coverity as CID 1460454.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/ppc/spapr_pci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c
index 3b518f1be9..567bc8481c 100644
--- a/hw/ppc/spapr_pci.c
+++ b/hw/ppc/spapr_pci.c
@@ -800,6 +800,7 @@ static char *spapr_phb_vfio_get_loc_code(SpaprPhbState *sphb, PCIDevice *pdev)
}
/* Construct and read from host device tree the loc-code */
+ g_free(path);
path = g_strdup_printf("/proc/device-tree%s/ibm,loc-code", devspec);
if (!g_file_get_contents(path, &buf, NULL, NULL)) {
return NULL;
--
2.41.0.windows.1

50
target-arm-Fix-alignment-for-VLD4.32.patch Normal file
View File

@ -0,0 +1,50 @@
From 6a071b8797f06850073b3a095a622117e554f302 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 9 Sep 2024 08:29:05 +0000
Subject: [PATCH] target/arm: Fix alignment for VLD4.32 mainline inclusion
commit 3a661024cc680104ce2cd21f8f5466dacba6f405 category: bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
When requested, the alignment for VLD4.32 is 8 and not 16.
See ARM documentation about VLD4 encoding:
ebytes = 1 << UInt(size);
if size == '10' then
alignment = if a == '0' then 1 else 8;
else
alignment = if a == '0' then 1 else 4*ebytes;
Signed-off-by: Clément Chigot <chigot@adacore.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220914105058.2787404-1-chigot@adacore.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
target/arm/translate-neon.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/target/arm/translate-neon.c b/target/arm/translate-neon.c
index dd43de558e..761fd6a755 100644
--- a/target/arm/translate-neon.c
+++ b/target/arm/translate-neon.c
@@ -586,7 +586,11 @@ static bool trans_VLD_all_lanes(DisasContext *s, arg_VLD_all_lanes *a)
case 3:
return false;
case 4:
- align = pow2_align(size + 2);
+ if (size == 2) {
+ align = pow2_align(3);
+ } else {
+ align = pow2_align(size + 2);
+ }
break;
default:
g_assert_not_reached();
--
2.41.0.windows.1

48
target-i386-Introduce-SapphireRapids-v3-to-add-missi.patch Normal file
View File

@ -0,0 +1,48 @@
From 147ca6c521c4b59a5dd610e3a2bcd9553901ba6a Mon Sep 17 00:00:00 2001
From: Lei Wang <lei4.wang@intel.com>
Date: Wed, 24 Apr 2024 03:29:12 -0400
Subject: [PATCH] target/i386: Introduce SapphireRapids-v3 to add missing
features
commit b10b2481738304db13d28252e86c10555121a5b3 upstream.
Add the missing features(ss, tsc-adjust, cldemote, movdiri, movdir64b) in
the SapphireRapids-v3 CPU model.
Intel-SIG: commit b10b24817383 target/i386: Introduce SapphireRapids-v3 to add missing features.
6.2-SPR new model support
Signed-off-by: Lei Wang <lei4.wang@intel.com>
Message-ID: <20240424072912.43188-1-lei4.wang@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[ Quanxian Wang: amend commit log ]
Signed-off-by: Quanxian Wang <quanxian.wang@intel.com>
---
target/i386/cpu.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 4c8453e0df..4473e0923e 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -3754,6 +3754,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
{ /* end of list */ }
}
},
+ {
+ .version = 3,
+ .props = (PropValue[]) {
+ { "ss", "on" },
+ { "tsc-adjust", "on" },
+ { "cldemote", "on" },
+ { "movdiri", "on" },
+ { "movdir64b", "on" },
+ { /* end of list */ }
+ }
+ },
{ /* end of list */ }
}
},
--
2.41.0.windows.1

35
target-rx-Use-target_ulong-for-address-in-LI.patch Normal file
View File

@ -0,0 +1,35 @@
From 3d5808bb00ec5cf2f2e78aa570a202af2ed3e201 Mon Sep 17 00:00:00 2001
From: dinglimin <dinglimin@cmss.chinamobile.com>
Date: Mon, 2 Sep 2024 14:42:51 +0800
Subject: [PATCH] target/rx: Use target_ulong for address in LI
cheery-pick from 83340193b991e7a974f117baa86a04db1fd835a9
Using int32_t meant that the address was sign-extended to uint64_t
when passing to translator_ld*, triggering an assert.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2453
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: dinglimin <dinglimin@cmss.chinamobile.com>
---
target/rx/translate.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/target/rx/translate.c b/target/rx/translate.c
index 5db8f79a82..aacf59d5cb 100644
--- a/target/rx/translate.c
+++ b/target/rx/translate.c
@@ -82,7 +82,8 @@ static uint32_t decode_load_bytes(DisasContext *ctx, uint32_t insn,
static uint32_t li(DisasContext *ctx, int sz)
{
- int32_t tmp, addr;
+ target_ulong addr;
+ uint32_t tmp;
CPURXState *env = ctx->env;
addr = ctx->base.pc_next;
--
2.41.0.windows.1

39
tests-mark-io-command-test-as-skipped-if-socat-is-mi.patch Normal file
View File

@ -0,0 +1,39 @@
From 62e1305aa46d91915aa987aca125db7f32845cd9 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 9 Sep 2024 07:57:18 +0000
Subject: [PATCH] tests: mark io-command test as skipped if socat is missing
mainline inclusion commit 525207cd77adb181b4ef61d0b7669f52f737e9d0 category:
bugfix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---------------------------------------------------------------
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220901110414.2892954-1-marcandre.lureau@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
tests/unit/test-io-channel-command.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/unit/test-io-channel-command.c b/tests/unit/test-io-channel-command.c
index 99056e07c0..aa09c559cd 100644
--- a/tests/unit/test-io-channel-command.c
+++ b/tests/unit/test-io-channel-command.c
@@ -41,7 +41,8 @@ static void test_io_channel_command_fifo(bool async)
unlink(TEST_FIFO);
if (access("/bin/socat", X_OK) < 0) {
- return; /* Pretend success if socat is not present */
+ g_test_skip("socat is missing");
+ return;
}
if (mkfifo(TEST_FIFO, 0600) < 0) {
abort();
--
2.41.0.windows.1

39
tests-qtest-npcm7xx-emc-test-Skip-checking-MAC.patch Normal file
View File

@ -0,0 +1,39 @@
From 00edc3a590c95bce8c4fa96dd682edd533280c3e Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 9 Sep 2024 08:15:19 +0000
Subject: [PATCH] tests/qtest: npcm7xx-emc-test: Skip checking MAC mainline
inclusion commit d1592cbe07fa7b653aa9dde2eb8dafbe1de16885 category: bugfix
---------------------------------------------------------------
The register tests walks all the registers to verify they are initially
0 when appropriate. However, if the MAC address is set in the register
space, this should not be checked against 0.
Reviewed-by: Hao Wu <wuhaotsh@google.com>
Signed-off-by: Patrick Venture <venture@google.com>
Message-Id: <20220906163138.2831353-1-venture@google.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
tests/qtest/npcm7xx_emc-test.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/qtest/npcm7xx_emc-test.c b/tests/qtest/npcm7xx_emc-test.c
index 9eec71d87c..1bc1d821c5 100644
--- a/tests/qtest/npcm7xx_emc-test.c
+++ b/tests/qtest/npcm7xx_emc-test.c
@@ -378,7 +378,8 @@ static void test_init(gconstpointer test_data)
#undef CHECK_REG
- for (i = 0; i < NUM_CAMML_REGS; ++i) {
+ /* Skip over the MAC address registers, which is BASE+0 */
+ for (i = 1; i < NUM_CAMML_REGS; ++i) {
g_assert_cmpuint(emc_read(qts, mod, REG_CAMM_BASE + i * 2), ==,
0);
g_assert_cmpuint(emc_read(qts, mod, REG_CAML_BASE + i * 2), ==,
--
2.41.0.windows.1

32
tests-test-qga-close-socket-on-failure-to-connect.patch Normal file
View File

@ -0,0 +1,32 @@
From 18e9e427e2355afab0c17ffaa85d3120837e292c Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 9 Sep 2024 07:41:17 +0000
Subject: [PATCH] tests: test-qga: close socket on failure to connect mainline
inclusion commit 5dc51100394206b4ca3fdcafb008de8f99fc4676 category: bugfix
---------------------------------------------------------------
Reported by Coverity as CID 1432543.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
tests/unit/test-qga.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/unit/test-qga.c b/tests/unit/test-qga.c
index 5cb140d1b5..e6564c673b 100644
--- a/tests/unit/test-qga.c
+++ b/tests/unit/test-qga.c
@@ -32,6 +32,7 @@ static int connect_qga(char *path)
g_usleep(G_USEC_PER_SEC);
}
if (i++ == 10) {
+ close(s);
return -1;
}
} while (ret == -1);
--
2.41.0.windows.1

39
tests-unit-add-NULL-pointer-check.patch Normal file
View File

@ -0,0 +1,39 @@
From f2f914e1868a83ffef1580465988557df0257bc6 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Mon, 9 Sep 2024 07:54:12 +0000
Subject: [PATCH] tests: unit: add NULL-pointer check mainline inclusion commit
b3a58a6ae346f14075af0df7f9903ad389c33dbd category: bugfix
---------------------------------------------------------------
In CID 1432593, Coverity complains that the result of qdict_crumple()
might leak if it is not a dictionary. This is not a practical concern
since the test would fail immediately with a NULL pointer dereference
in qdict_size().
However, it is not nice to depend on qdict_size() crashing, so add an
explicit assertion that that the crumpled object was indeed a dictionary.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
tests/unit/check-block-qdict.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/unit/check-block-qdict.c b/tests/unit/check-block-qdict.c
index 5a25825093..751c58e737 100644
--- a/tests/unit/check-block-qdict.c
+++ b/tests/unit/check-block-qdict.c
@@ -504,7 +504,7 @@ static void qdict_crumple_test_empty(void)
src = qdict_new();
dst = qobject_to(QDict, qdict_crumple(src, &error_abort));
-
+ g_assert(dst);
g_assert_cmpint(qdict_size(dst), ==, 0);
qobject_unref(src);
--
2.41.0.windows.1

58
tpm_crb-Avoid-backend-startup-just-before-shutdown-u.patch Normal file
View File

@ -0,0 +1,58 @@
From 5cafaebb7f31713b826a678e79eef976beb8caf6 Mon Sep 17 00:00:00 2001
From: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
Date: Tue, 3 Sep 2024 01:56:25 +0000
Subject: [PATCH] tpm_crb: Avoid backend startup just before shutdown under Xen
mainline inclusion commit f0ccce6a95f6ff947040692ef941230918181562 category:
bugfix
---------------------------------------------------------------
When running under Xen and the guest reboots, it boots into a new domain
with a new QEMU process (and a new swtpm process if using the emulator
backend). The existing reset function is triggered just before the old
QEMU process exists which causes QEMU to startup the TPM backend and
then immediately shut it down. This is probably harmless but when using
the emulated backend, it wastes CPU and IO time reloading state, etc.
Fix this by calling the reset function directly from realize() when
running under Xen. During a reboot, this will be called by the QEMU
process for the new domain.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Message-id: 20220826143841.1515326-1-ross.lagerwall@citrix.com
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: tangbinzy <tangbin_yewu@cmss.chinamobile.com>
---
hw/tpm/tpm_crb.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/tpm/tpm_crb.c b/hw/tpm/tpm_crb.c
index c05972736a..ed89ab4afe 100644
--- a/hw/tpm/tpm_crb.c
+++ b/hw/tpm/tpm_crb.c
@@ -25,6 +25,7 @@
#include "sysemu/tpm_backend.h"
#include "sysemu/tpm_util.h"
#include "sysemu/reset.h"
+#include "sysemu/xen.h"
#include "tpm_prop.h"
#include "tpm_ppi.h"
#include "trace.h"
@@ -307,7 +308,11 @@ static void tpm_crb_realize(DeviceState *dev, Error **errp)
TPM_PPI_ADDR_BASE, OBJECT(s));
}
- qemu_register_reset(tpm_crb_reset, dev);
+ if (xen_enabled()) {
+ tpm_crb_reset(dev);
+ } else {
+ qemu_register_reset(tpm_crb_reset, dev);
+ }
}
static void tpm_crb_class_init(ObjectClass *klass, void *data)
--
2.41.0.windows.1

41
ui-reject-extended-clipboard-message-if-not-activate.patch Normal file
View File

@ -0,0 +1,41 @@
From 5dc2ba3fa793407b1dd6ee1920808a729990abf7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 15 Jan 2024 09:51:19 +0000
Subject: [PATCH] ui: reject extended clipboard message if not activated
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The extended clipboard message protocol requires that the client
activate the extension by requesting a psuedo encoding. If this
is not done, then any extended clipboard messages from the client
should be considered invalid and the client dropped.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20240115095119.654271-1-berrange@redhat.com>
(cherry picked from commit 4cba8388968b70fe20e290221dc421c717051fdd)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
ui/vnc.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ui/vnc.c b/ui/vnc.c
index 3cb24badf6..667db3b990 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -2458,6 +2458,11 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
}
if (read_s32(data, 4) < 0) {
+ if (!vnc_has_feature(vs, VNC_FEATURE_CLIPBOARD_EXT)) {
+ error_report("vnc: extended clipboard message while disabled");
+ vnc_client_error(vs);
+ break;
+ }
if (dlen < 4) {
error_report("vnc: malformed payload (header less than 4 bytes)"
" in extended clipboard pseudo-encoding.");
--
2.41.0.windows.1

50
vdpa-block-device-capacity-expansion-online.patch Normal file
View File

@ -0,0 +1,50 @@
From cec9c300b0a2ede77fa12f242ee7fd672546940c Mon Sep 17 00:00:00 2001
From: jiangdongxu <jiangdongxu1@huawei.com>
Date: Sat, 7 Sep 2024 07:11:07 +0000
Subject: [PATCH] vdpa:block device capacity expansion online support vdpa
block device update capacity.
Signed-off-by: jiangdongxu <jiangdongxu1@huawei.com>
---
hw/virtio/vdpa-dev.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/hw/virtio/vdpa-dev.c b/hw/virtio/vdpa-dev.c
index 04d8e96a5d..fa3a4dc8bc 100644
--- a/hw/virtio/vdpa-dev.c
+++ b/hw/virtio/vdpa-dev.c
@@ -32,6 +32,7 @@
#include "hw/virtio/vdpa-dev-mig.h"
#include "migration/migration.h"
#include "exec/address-spaces.h"
+#include "standard-headers/linux/virtio_ids.h"
static void
vhost_vdpa_device_dummy_handle_output(VirtIODevice *vdev, VirtQueue *vq)
@@ -202,7 +203,23 @@ static void
vhost_vdpa_device_get_config(VirtIODevice *vdev, uint8_t *config)
{
VhostVdpaDevice *s = VHOST_VDPA_DEVICE(vdev);
+ uint8_t *new_config;
+ int ret;
+
+ if (s->vdev_id != VIRTIO_ID_BLOCK) {
+ goto out;
+ }
+ new_config = g_malloc0(s->config_size);
+ ret = vhost_dev_get_config(&s->dev, new_config, s->config_size, NULL);
+ if (ret < 0) {
+ error_report("vhost-vdpa-device: get config failed(%d)\n", ret);
+ goto free;
+ }
+ memcpy(s->config, new_config, s->config_size);
+free:
+ g_free(new_config);
+out:
memcpy(config, s->config, s->config_size);
}
--
2.41.0.windows.1

59
vhost-user-server-do-not-set-memory-fd-non-blocking.patch Normal file
View File

@ -0,0 +1,59 @@
From 4b38d60e4a4a1fc4b7191ec94959f304b222b604 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Thu, 15 Aug 2024 20:20:35 -0700
Subject: [PATCH] vhost-user-server: do not set memory fd non-blocking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In vhost-user-server we set all fd received from the other peer
in non-blocking mode. For some of them (e.g. memfd, shm_open, etc.)
it's not really needed, because we don't use these fd with blocking
operations, but only to map memory.
In addition, in some systems this operation can fail (e.g. in macOS
setting an fd returned by shm_open() non-blocking fails with errno
= ENOTTY).
So, let's avoid setting fd non-blocking for those messages that we
know carry memory fd (e.g. VHOST_USER_ADD_MEM_REG,
VHOST_USER_SET_MEM_TABLE).
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20240618100043.144657-6-sgarzare@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 4c58843e5d3192c67394b28a3330144ea56eefac)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
util/vhost-user-server.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/util/vhost-user-server.c b/util/vhost-user-server.c
index 783d847a6d..eda82447bd 100644
--- a/util/vhost-user-server.c
+++ b/util/vhost-user-server.c
@@ -64,6 +64,18 @@ static void vmsg_close_fds(VhostUserMsg *vmsg)
static void vmsg_unblock_fds(VhostUserMsg *vmsg)
{
int i;
+
+ /*
+ * These messages carry fd used to map memory, not to send/receive messages,
+ * so this operation is useless. In addition, in some systems this
+ * operation can fail (e.g. in macOS setting an fd returned by shm_open()
+ * non-blocking fails with errno = ENOTTY)
+ */
+ if (vmsg->request == VHOST_USER_ADD_MEM_REG ||
+ vmsg->request == VHOST_USER_SET_MEM_TABLE) {
+ return;
+ }
+
for (i = 0; i < vmsg->fd_num; i++) {
qemu_set_nonblock(vmsg->fds[i]);
}
--
2.41.0.windows.1

36
virtio-net-Ensure-queue-index-fits-with-RSS-CVE-2024.patch Normal file
View File

@ -0,0 +1,36 @@
From 8cd5679908e7af9353c8c4e9198aef2fbb3256ec Mon Sep 17 00:00:00 2001
From: Akihiko Odaki <akihiko.odaki@daynix.com>
Date: Mon, 1 Jul 2024 20:58:04 +0900
Subject: [PATCH] virtio-net: Ensure queue index fits with RSS(CVE-2024-6505)
Ensure the queue index points to a valid queue when software RSS
enabled. The new calculation matches with the behavior of Linux's TAP
device with the RSS eBPF program.
Fixes: 4474e37a5b3a ("virtio-net: implement RX RSS processing")
Reported-by: Zhibin Hu <huzhibin5@huawei.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/virtio-net.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index f7248fc2e2..cef7fc0aa0 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1818,7 +1818,8 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
if (!no_rss && n->rss_data.enabled && n->rss_data.enabled_software_rss) {
int index = virtio_net_process_rss(nc, buf, size);
if (index >= 0) {
- NetClientState *nc2 = qemu_get_subqueue(n->nic, index);
+ NetClientState *nc2 =
+ qemu_get_subqueue(n->nic, index % n->curr_queue_pairs);
return virtio_net_receive_rcu(nc2, buf, size, true);
}
}
--
2.41.0.windows.1

45
virtio-net-Fix-vhost-virtqueue-notifiers-for-RSS.patch Normal file
View File

@ -0,0 +1,45 @@
From 24140cab0cc08a239c6df320c6da59b8ce638055 Mon Sep 17 00:00:00 2001
From: Akihiko Odaki <akihiko.odaki@daynix.com>
Date: Wed, 27 Mar 2024 11:05:09 +0900
Subject: [PATCH] virtio-net: Fix vhost virtqueue notifiers for RSS
virtio_net_guest_notifier_pending() and virtio_net_guest_notifier_mask()
checked VIRTIO_NET_F_MQ to know there are multiple queues, but
VIRTIO_NET_F_RSS also enables multiple queues. Refer to n->multiqueue,
which is set to true either of VIRTIO_NET_F_MQ or VIRTIO_NET_F_RSS is
enabled.
Fixes: 68b0a6395f36 ("virtio-net: align ctrl_vq index for non-mq guest for vhost_vdpa")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 1c188fc8cbffc5f05cc616cab4e1372fb6e6f11f)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/net/virtio-net.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index f3fb9393b3..f72fe61dda 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -3239,7 +3239,7 @@ static bool virtio_net_guest_notifier_pending(VirtIODevice *vdev, int idx)
VirtIONet *n = VIRTIO_NET(vdev);
NetClientState *nc;
assert(n->vhost_started);
- if (!virtio_vdev_has_feature(vdev, VIRTIO_NET_F_MQ) && idx == 2) {
+ if (!n->multiqueue && idx == 2) {
/* Must guard against invalid features and bogus queue index
* from being set by malicious guest, or penetrated through
* buggy migration stream.
@@ -3271,7 +3271,7 @@ static void virtio_net_guest_notifier_mask(VirtIODevice *vdev, int idx,
VirtIONet *n = VIRTIO_NET(vdev);
NetClientState *nc;
assert(n->vhost_started);
- if (!virtio_vdev_has_feature(vdev, VIRTIO_NET_F_MQ) && idx == 2) {
+ if (!n->multiqueue && idx == 2) {
/* Must guard against invalid features and bogus queue index
* from being set by malicious guest, or penetrated through
* buggy migration stream.
--
2.41.0.windows.1

83
virtio-pci-Fix-the-use-of-an-uninitialized-irqfd.patch Normal file
View File

@ -0,0 +1,83 @@
From f57991f3f88e281d3c9bcf7c1d1e2b15651c6262 Mon Sep 17 00:00:00 2001
From: guping <guping_yewu@cmss.chinamobile.com>
Date: Mon, 2 Sep 2024 09:29:45 +0000
Subject: [PATCH] virtio-pci: Fix the use of an uninitialized irqfd chery-pick
from a8e63ff289d137197ad7a701a587cc432872d798
The crash was reported in MAC OS and NixOS, here is the link for this bug
#2334
#2321
In this bug, they are using the virtio_input device. The guest notifier was
not supported for this device, The function virtio_pci_set_guest_notifiers()
was not called, and the vector_irqfd was not initialized.
So the fix is adding the check for vector_irqfd in virtio_pci_get_notifier()
The function virtio_pci_get_notifier() can be used in various devices.
It could also be called when VIRTIO_CONFIG_S_DRIVER_OK is not set. In this situation,
the vector_irqfd being NULL is acceptable. We can allow the device continue to boot
If the vector_irqfd still hasn't been initialized after VIRTIO_CONFIG_S_DRIVER_OK
is set, it means that the function set_guest_notifiers was not called before the
driver started. This indicates that the device is not using the notifier.
At this point, we will let the check fail.
This fix is verified in vyatta,MacOS,NixOS,fedora system.
The bt tree for this bug is:
Thread 6 "CPU 0/KVM" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7c817be006c0 (LWP 1269146)]
kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
817 if (irqfd->users == 0) {
(gdb) thread apply all bt
...
Thread 6 (Thread 0x7c817be006c0 (LWP 1269146) "CPU 0/KVM"):
0 kvm_virtio_pci_vq_vector_use () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:817
1 kvm_virtio_pci_vector_use_one () at ../qemu-9.0.0/hw/virtio/virtio-pci.c:893
2 0x00005983657045e2 in memory_region_write_accessor () at ../qemu-9.0.0/system/memory.c:497
3 0x0000598365704ba6 in access_with_adjusted_size () at ../qemu-9.0.0/system/memory.c:573
4 0x0000598365705059 in memory_region_dispatch_write () at ../qemu-9.0.0/system/memory.c:1528
5 0x00005983659b8e1f in flatview_write_continue_step.isra.0 () at ../qemu-9.0.0/system/physmem.c:2713
6 0x000059836570ba7d in flatview_write_continue () at ../qemu-9.0.0/system/physmem.c:2743
7 flatview_write () at ../qemu-9.0.0/system/physmem.c:2774
8 0x000059836570bb76 in address_space_write () at ../qemu-9.0.0/system/physmem.c:2894
9 0x0000598365763afe in address_space_rw () at ../qemu-9.0.0/system/physmem.c:2904
10 kvm_cpu_exec () at ../qemu-9.0.0/accel/kvm/kvm-all.c:2917
11 0x000059836576656e in kvm_vcpu_thread_fn () at ../qemu-9.0.0/accel/kvm/kvm-accel-ops.c:50
12 0x0000598365926ca8 in qemu_thread_start () at ../qemu-9.0.0/util/qemu-thread-posix.c:541
13 0x00007c8185bcd1cf in ??? () at /usr/lib/libc.so.6
14 0x00007c8185c4e504 in clone () at /usr/lib/libc.so.6
Fixes: 2ce6cff9
("virtio-pci: fix use of a released vector")
Cc: qemu-stable@nongnu.org
Signed-off-by: Cindy Lu's avatarCindy Lu <lulu@redhat.com>
Message-Id: <20240806093715.65105-1-lulu@redhat.com>
Acked-by: Jason Wang's avatarJason Wang <jasowang@redhat.com>
Reviewed-by: MST's avatarMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: MST's avatarMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: guping <guping_yewu@cmss.chinamobile.com>
---
hw/virtio/virtio-pci.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
index d675526016..1e4661bebd 100644
--- a/hw/virtio/virtio-pci.c
+++ b/hw/virtio/virtio-pci.c
@@ -811,6 +811,9 @@ static int virtio_pci_get_notifier(VirtIOPCIProxy *proxy, int queue_no,
VirtIODevice *vdev = virtio_bus_get_device(&proxy->bus);
VirtQueue *vq;
+ if (!proxy->vector_irqfd && vdev->status & VIRTIO_CONFIG_S_DRIVER_OK)
+ return -1;
+
if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {
*n = virtio_config_get_guest_notifier(vdev);
*vector = vdev->config_vector;
--
2.41.0.windows.1

52
virtio-remove-virtio_tswap16s-call-in-vring_packed_e.patch Normal file
View File

@ -0,0 +1,52 @@
From f91ab1b5dc0a3b9713472a0f0762b189c33334d0 Mon Sep 17 00:00:00 2001
From: Stefano Garzarella <sgarzare@redhat.com>
Date: Mon, 1 Jul 2024 09:52:08 +0200
Subject: [PATCH] virtio: remove virtio_tswap16s() call in
vring_packed_event_read()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit d152cdd6f6 ("virtio: use virtio accessor to access packed event")
switched using of address_space_read_cached() to virito_lduw_phys_cached()
to access packed descriptor event.
When we used address_space_read_cached(), we needed to call
virtio_tswap16s() to handle the endianess of the field, but
virito_lduw_phys_cached() already handles it internally, so we no longer
need to call virtio_tswap16s() (as the commit had done for `off_wrap`,
but forgot for `flags`).
Fixes: d152cdd6f6 ("virtio: use virtio accessor to access packed event")
Cc: jasowang@redhat.com
Cc: qemu-stable@nongnu.org
Reported-by: Xoykie <xoykie@gmail.com>
Link: https://lore.kernel.org/qemu-devel/CAFU8RB_pjr77zMLsM0Unf9xPNxfr_--Tjr49F_eX32ZBc5o2zQ@mail.gmail.com
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20240701075208.19634-1-sgarzare@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Eugenio Pérez <eperezma@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 7aa6492401e95fb296dec7cda81e67d91f6037d7)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/virtio/virtio.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 913b40e1f8..9c40d565bb 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -251,7 +251,6 @@ static void vring_packed_event_read(VirtIODevice *vdev,
/* Make sure flags is seen before off_wrap */
smp_rmb();
e->off_wrap = virtio_lduw_phys_cached(vdev, cache, off_off);
- virtio_tswap16s(vdev, &e->flags);
}
static void vring_packed_off_wrap_write(VirtIODevice *vdev,
--
2.41.0.windows.1

40
virtio-rng-block-max-bytes-0-MIME-Version-1.0.patch Normal file
View File

@ -0,0 +1,40 @@
From 38b34a054490d7dd8a3ed6ee313c1ee501363688 Mon Sep 17 00:00:00 2001
From: dinglimin <dinglimin@cmss.chinamobile.com>
Date: Mon, 26 Aug 2024 15:27:20 +0800
Subject: [PATCH] virtio-rng: block max-bytes=0 MIME-Version: 1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cheery-pick from 024d046bf41b5256adec671085bcee767a6da125
with max-bytes set to 0, quota is 0 and so device does not work.
block this to avoid user confusion
Message-Id: <73a89a42d82ec8b47358f25119b87063e4a6ea57.1721818306.git.mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: dinglimin <dinglimin@cmss.chinamobile.com>
---
hw/virtio/virtio-rng.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/virtio/virtio-rng.c b/hw/virtio/virtio-rng.c
index cc8e9f775d..e0f71ddd0f 100644
--- a/hw/virtio/virtio-rng.c
+++ b/hw/virtio/virtio-rng.c
@@ -184,8 +184,9 @@ static void virtio_rng_device_realize(DeviceState *dev, Error **errp)
/* Workaround: Property parsing does not enforce unsigned integers,
* So this is a hack to reject such numbers. */
- if (vrng->conf.max_bytes > INT64_MAX) {
- error_setg(errp, "'max-bytes' parameter must be non-negative, "
+ if (vrng->conf.max_bytes == 0 ||
+ vrng->conf.max_bytes > INT64_MAX) {
+ error_setg(errp, "'max-bytes' parameter must be positive, "
"and less than 2^63");
return;
}
--
2.41.0.windows.1

42
vvfat-Fix-bug-in-writing-to-middle-of-file.patch Normal file
View File

@ -0,0 +1,42 @@
From f0f408c65fc606cb5a4dfce2f5b051519820d967 Mon Sep 17 00:00:00 2001
From: Amjad Alsharafi <amjadsharafi10@gmail.com>
Date: Sat, 20 Jul 2024 18:13:30 +0800
Subject: [PATCH] vvfat: Fix bug in writing to middle of file
Before this commit, the behavior when calling `commit_one_file` for
example with `offset=0x2000` (second cluster), what will happen is that
we won't fetch the next cluster from the fat, and instead use the first
cluster for the read operation.
This is due to off-by-one error here, where `i=0x2000 !< offset=0x2000`,
thus not fetching the next cluster.
Signed-off-by: Amjad Alsharafi <amjadsharafi10@gmail.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Tested-by: Kevin Wolf <kwolf@redhat.com>
Message-ID: <b97c1e1f1bc2f776061ae914f95d799d124fcd73.1721470238.git.amjadsharafi10@gmail.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit b881cf00c99e03bc8a3648581f97736ff275b18b)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
block/vvfat.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/block/vvfat.c b/block/vvfat.c
index 5dacc6cfac..2d9c4ff6a4 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -2521,8 +2521,9 @@ static int commit_one_file(BDRVVVFATState* s,
return -1;
}
- for (i = s->cluster_size; i < offset; i += s->cluster_size)
+ for (i = 0; i < offset; i += s->cluster_size) {
c = modified_fat_get(s, c);
+ }
fd = qemu_open_old(mapping->path, O_RDWR | O_CREAT | O_BINARY, 0666);
if (fd < 0) {
--
2.41.0.windows.1

50
vvfat-Fix-reading-files-with-non-continuous-clusters.patch Normal file
View File

@ -0,0 +1,50 @@
From 9399660f4ef94129f4f8ba9277a316bd6e7151b5 Mon Sep 17 00:00:00 2001
From: Amjad Alsharafi <amjadsharafi10@gmail.com>
Date: Sat, 20 Jul 2024 18:13:33 +0800
Subject: [PATCH] vvfat: Fix reading files with non-continuous clusters
When reading with `read_cluster` we get the `mapping` with
`find_mapping_for_cluster` and then we call `open_file` for this
mapping.
The issue appear when its the same file, but a second cluster that is
not immediately after it, imagine clusters `500 -> 503`, this will give
us 2 mappings one has the range `500..501` and another `503..504`, both
point to the same file, but different offsets.
When we don't open the file since the path is the same, we won't assign
`s->current_mapping` and thus accessing way out of bound of the file.
From our example above, after `open_file` (that didn't open anything) we
will get the offset into the file with
`s->cluster_size*(cluster_num-s->current_mapping->begin)`, which will
give us `0x2000 * (504-500)`, which is out of bound for this mapping and
will produce some issues.
Signed-off-by: Amjad Alsharafi <amjadsharafi10@gmail.com>
Message-ID: <1f3ea115779abab62ba32c788073cdc99f9ad5dd.1721470238.git.amjadsharafi10@gmail.com>
[kwolf: Simplified the patch based on Amjad's analysis and input]
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 5eed3db336506b529b927ba221fe0d836e5b8819)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
block/vvfat.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/block/vvfat.c b/block/vvfat.c
index 5dacc6cfac..9af817088f 100644
--- a/block/vvfat.c
+++ b/block/vvfat.c
@@ -1368,8 +1368,9 @@ static int open_file(BDRVVVFATState* s,mapping_t* mapping)
return -1;
vvfat_close_current_file(s);
s->current_fd = fd;
- s->current_mapping = mapping;
}
+
+ s->current_mapping = mapping;
return 0;
}
--
2.41.0.windows.1