QEMU update to version 6.2.0-98:

- pci-host: designware: Limit value range of iATU viewport register
- hmat acpi: Fix out of bounds access due to missing use of indirection
- migration: Skip only empty block devices
- aspeed/hace: Initialize g_autofree pointer
- hw/net/vmxnet3: Fix guest-triggerable assert()
- qxl: don't assert() if device isn't yet initialized
- Avoid unaligned fetch in ladr_match()
- linux-user: Fix waitid return of siginfo_t and rusage
- hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition
- stdvga: fix screen blanking
- virtio-net: drop too short packets early
- ebpf: replace deprecated bpf_program__set_socket_filter
- vhost-user: only read reply of SET_LOG_BASE from vq 0
- cpu: add Tengyun S5000C cpu support
- hw/virtio: Fix obtain the buffer id from the last descriptor
- hw/core: ensure kernel_end never gets used undefined

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
(cherry picked from commit 1f9e476e96edb07e34e0133a312f478ddab4b6ff)
Jiabo Feng 2024-08-21 15:14:18 +08:00 committed by openeuler-sync-bot
parent 90d8cf9d01
commit ae37a72f4c
17 changed files with 912 additions and 1 deletions

@ -0,0 +1,36 @@
From 7696f21456a2a42279efd3f9fca6df839bdbe441 Mon Sep 17 00:00:00 2001
From: Nick Briggs <nicholas.h.briggs@gmail.com>
Date: Thu, 1 Feb 2024 10:11:17 -0800
Subject: [PATCH] Avoid unaligned fetch in ladr_match()
There is no guarantee that the PCNetState is allocated such that
csr[8] is allocated on an 8-byte boundary. Since not all hosts are
capable of unaligned fetches the 16-bit elements need to be fetched
individually to avoid a potential fault. Closes issue #2143
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2143
Signed-off-by: Nick Briggs <nicholas.h.briggs@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 6a5287ce80470bb8df95901d73ee779a64e70c3a)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/net/pcnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index da910a70bf..9c475d5721 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -632,7 +632,7 @@ static inline int ladr_match(PCNetState *s, const uint8_t *buf, int size)
{
struct qemu_ether_header *hdr = (void *)buf;
if ((*(hdr->ether_dhost)&0x01) &&
- ((uint64_t *)&s->csr[8])[0] != 0LL) {
+ (s->csr[8] | s->csr[9] | s->csr[10] | s->csr[11]) != 0) {
uint8_t ladr[8] = {
s->csr[8] & 0xff, s->csr[8] >> 8,
s->csr[9] & 0xff, s->csr[9] >> 8,
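Review bot: the OR of the four 16-bit csr words is the right replacement for the uint64_t cast, which besides the possible alignment fault was also a type-punning read of a uint16_t array; it tests the same 64 bits for non-zero independent of host endianness, and the byte-wise ladr[] fill immediately below already extracts the same words the same way. A one-line comment saying why the cast was dropped would stop someone from "optimising" it back in later.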
--
2.41.0.windows.1

@ -0,0 +1,50 @@
From 4f957cd7c79c7820e6218560efde3de142d1caf1 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Tue, 13 Aug 2024 23:24:29 -0700
Subject: [PATCH] aspeed/hace: Initialize g_autofree pointer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As mentioned in docs/devel/style.rst "Automatic memory deallocation":
* Variables declared with g_auto* MUST always be initialized,
otherwise the cleanup function will use uninitialized stack memory
This avoids a QEMU coredump when running the "hash test" command
under Zephyr.
Cc: Steven Lee <steven_lee@aspeedtech.com>
Cc: Joel Stanley <joel@jms.id.au>
Cc: qemu-stable@nongnu.org
Fixes: c5475b3f9a ("hw: Model ASPEED's Hash and Crypto Engine")
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Francisco Iglesias <frasse.iglesias@gmail.com>
Message-Id: <20230421131547.2177449-1-clg@kaod.org>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Cédric Le Goater <clg@kaod.org>
(cherry picked from commit c8f48b120b31f6bbe33135ef5d478e485c37e3c2)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/misc/aspeed_hace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/misc/aspeed_hace.c b/hw/misc/aspeed_hace.c
index 10f00e65f4..1192322f0a 100644
--- a/hw/misc/aspeed_hace.c
+++ b/hw/misc/aspeed_hace.c
@@ -97,7 +97,7 @@ static int hash_algo_lookup(uint32_t reg)
static void do_hash_operation(AspeedHACEState *s, int algo, bool sg_mode)
{
struct iovec iov[ASPEED_HACE_MAX_SG];
- g_autofree uint8_t *digest_buf;
+ g_autofree uint8_t *digest_buf = NULL;
size_t digest_len = 0;
int i;
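Review bot: the `= NULL` initialiser is the whole fix and is correct: g_autofree runs g_free() on whatever the variable holds at every scope exit, so any early return taken before digest_buf is assigned freed an arbitrary stack value, which is the crash the message describes. Since docs/devel/style.rst makes the initialiser a MUST, a tree-wide sweep for other uninitialised g_auto* declarations in the same backport series (e.g. `git grep -nE 'g_auto(free|ptr\([^)]*\)) [^=;]*;$'`) would be cheap insurance. Also, the From: line names the backporter rather than the upstream author named in the Signed-off-by; keep the original authorship when cherry-picking.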
--
2.41.0.windows.1

@ -0,0 +1,82 @@
From 38d4158a556f27c9ce7d9229d6a28cf57dd8de26 Mon Sep 17 00:00:00 2001
From: Jiakun Shuai <shuaijiakun1288@phytium.com.cn>
Date: Fri, 19 Jul 2024 15:29:13 +0800
Subject: [PATCH] cpu: add Tengyun S5000C cpu support
Add the Tengyun-S5000C CPU model.
Signed-off-by: pengmengguang <pengmengguang@phytium.com.cn>
Signed-off-by: Jiakun Shuai <shuaijiakun1288@phytium.com.cn>
---
hw/arm/virt.c | 1 +
target/arm/cpu64.c | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 36 insertions(+)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index dc119732f0..3394d3a6a6 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -210,6 +210,7 @@ static const char *valid_cpus[] = {
ARM_CPU_TYPE_NAME("Kunpeng-920"),
ARM_CPU_TYPE_NAME("FT-2000+"),
ARM_CPU_TYPE_NAME("Tengyun-S2500"),
+ ARM_CPU_TYPE_NAME("Tengyun-S5000C"),
ARM_CPU_TYPE_NAME("a64fx"),
ARM_CPU_TYPE_NAME("host"),
ARM_CPU_TYPE_NAME("max"),
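Review bot: adding the name to valid_cpus is enough for `-cpu Tengyun-S5000C` to be accepted on the virt board, but the board documentation (docs/system/arm/virt.rst keeps the list of supported guest CPU types) should get the same entry if the earlier openEuler models are listed there, so that `-cpu help` and the docs agree.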
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index 3ec788fc29..b4522a337f 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -724,6 +724,40 @@ static void aarch64_max_tengyun_s2500_initfn(Object *obj)
}
}
+static void aarch64_tengyun_s5000c_initfn(Object *obj)
+{
+ ARMCPU *cpu = ARM_CPU(obj);
+
+ aarch64_a72_initfn(obj);
+
+ cpu->midr = 0x700f8620;
+ cpu->ctr = 0x9444c004;
+ cpu->isar.regs[ID_ISAR0] = 0x2101110;
+ cpu->isar.regs[ID_ISAR1] = 0x1311211;
+ cpu->isar.regs[ID_ISAR2] = 0x21232042;
+ cpu->isar.regs[ID_ISAR3] = 0x1112131;
+ cpu->isar.regs[ID_ISAR4] = 0x10142;
+ cpu->isar.regs[ID_ISAR5] = 0x1011121;
+ cpu->isar.regs[ID_MMFR0] = 0x10201105;
+ cpu->isar.regs[ID_MMFR1] = 0x40000000;
+ cpu->isar.regs[ID_MMFR2] = 0x1260000;
+ cpu->isar.regs[ID_MMFR3] = 0x2122211;
+ cpu->isar.regs[ID_MMFR4] = 0x21110;
+ cpu->isar.regs[MVFR0] = 0x10110222;
+ cpu->isar.regs[MVFR1] = 0x13211111;
+ cpu->isar.regs[MVFR2] = 0x43;
+ cpu->isar.regs[ID_DFR0] = 0x4010088;
+ cpu->isar.regs[ID_PFR0] = 0x10131;
+ cpu->isar.regs[ID_PFR1] = 0x10010000;
+ cpu->isar.regs[ID_AA64PFR0] = 0x1100000011111112;
+ cpu->isar.regs[ID_AA64DFR0] = 0x10305408;
+ cpu->isar.regs[ID_AA64ISAR0] = 0x111110212120;
+ cpu->isar.regs[ID_AA64ISAR1] = 0x100001;
+ cpu->isar.regs[ID_AA64MMFR0] = 0x101125;
+ cpu->isar.regs[ID_AA64MMFR1] = 0x10212122;
+ cpu->isar.regs[ID_AA64MMFR2] = 0x1011;
+}
+
/* -cpu max: if KVM is enabled, like -cpu host (best possible with this host);
* otherwise, a CPU with as many features enabled as our emulation supports.
* The version of '-cpu max' for qemu-system-arm is defined in cpu.c;
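Review bot: the ID register values are raw silicon values with no source given; add a comment saying which hardware revision they were read from. Two of them deserve a deliberate decision rather than a copy: the top byte 0x11 of ID_AA64PFR0 sets CSV3 and CSV2, which guest kernels read to decide whether Meltdown/Spectre-v2 mitigations are required, and the RAS field below it advertises error-record support the model does not implement. Under TCG both are harmless (nothing is speculated, nothing raises SError), but they should be commented as intentional. Naming is also inconsistent with the sibling model added the same way: aarch64_max_tengyun_s2500_initfn versus aarch64_tengyun_s5000c_initfn.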
@@ -964,6 +998,7 @@ static const ARMCPUInfo aarch64_cpus[] = {
{ .name = "Kunpeng-920", .initfn = aarch64_kunpeng_920_initfn},
{ .name = "FT-2000+", .initfn = aarch64_max_ft2000plus_initfn },
{ .name = "Tengyun-S2500", .initfn = aarch64_max_tengyun_s2500_initfn },
+ { .name = "Tengyun-S5000C", .initfn = aarch64_tengyun_s5000c_initfn },
{ .name = "a64fx", .initfn = aarch64_a64fx_initfn },
{ .name = "max", .initfn = aarch64_max_initfn },
};
--
2.41.0.windows.1

@ -0,0 +1,32 @@
From 6824dd870cde75d4ef1e8c74d3d596ff94ce5a26 Mon Sep 17 00:00:00 2001
From: Haochen Tong <i@hexchain.org>
Date: Sat, 28 May 2022 03:06:58 +0800
Subject: [PATCH] ebpf: replace deprecated bpf_program__set_socket_filter
bpf_program__set_<TYPE> functions have been deprecated since libbpf 0.8.
Replace with the equivalent bpf_program__set_type call to avoid a
deprecation warning.
Signed-off-by: Haochen Tong <i@hexchain.org>
Reviewed-by: Zhang Chen <chen.zhang@intel.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
ebpf/ebpf_rss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ebpf/ebpf_rss.c b/ebpf/ebpf_rss.c
index 118c68da83..cee658c158 100644
--- a/ebpf/ebpf_rss.c
+++ b/ebpf/ebpf_rss.c
@@ -49,7 +49,7 @@ bool ebpf_rss_load(struct EBPFRSSContext *ctx)
goto error;
}
- bpf_program__set_socket_filter(rss_bpf_ctx->progs.tun_rss_steering_prog);
+ bpf_program__set_type(rss_bpf_ctx->progs.tun_rss_steering_prog, BPF_PROG_TYPE_SOCKET_FILTER);
if (rss_bpf__load(rss_bpf_ctx)) {
trace_ebpf_error("eBPF RSS", "can not load RSS program");
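Review bot: the new call line runs well past QEMU's 80-column limit (scripts/checkpatch.pl will flag it); break after the first argument. bpf_program__set_type() returns an int like the call it replaces, and ignoring it is acceptable here because a wrong program type surfaces as a failure in rss_bpf__load() two lines down. Both the function and BPF_PROG_TYPE_SOCKET_FILTER predate libbpf 0.8 by years, so no change to the libbpf version check in meson is needed.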
--
2.41.0.windows.1

@ -0,0 +1,64 @@
From a47cccd44f4f97238fc2877bf38fdb5ae72b65a6 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Wed, 14 Aug 2024 19:14:40 -0700
Subject: [PATCH] hmat acpi: Fix out of bounds access due to missing use of
indirection
With a numa set up such as
-numa nodeid=0,cpus=0 \
-numa nodeid=1,memdev=mem \
-numa nodeid=2,cpus=1
and appropriate hmat_lb entries the initiator list is correctly
computed and written to HMAT as 0,2 but then the LB data is accessed
using the node id (here 2), landing outside the entry_list array.
Stash the reverse lookup when writing the initiator list and use
it to get the correct array index.
Fixes: 4586a2cb83 ("hmat acpi: Build System Locality Latency and Bandwidth Information Structure(s)")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20240307160326.31570-3-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 74e2845c5f95b0c139c79233ddb65bb17f2dd679)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/acpi/hmat.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c
index 6913ebf730..8af753c67b 100644
--- a/hw/acpi/hmat.c
+++ b/hw/acpi/hmat.c
@@ -77,6 +77,7 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
uint32_t *initiator_list)
{
int i, index;
+ uint32_t initiator_to_index[MAX_NODES] = {};
HMAT_LB_Data *lb_data;
uint16_t *entry_list;
uint32_t base;
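Review bot: initiator_to_index is indexed by node id and sized MAX_NODES, which is only right because the ids written into it come from the same node table that is bounded by MAX_NODES; a one-line comment tying the array size to that invariant would help, since the original bug was precisely confusing a node id with an array position. The From: line names the backporter rather than the upstream author in the Signed-off-by; keep the original authorship when cherry-picking.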
@@ -120,6 +121,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
/* Initiator Proximity Domain List */
for (i = 0; i < num_initiator; i++) {
build_append_int_noprefix(table_data, initiator_list[i], 4);
+ /* Reverse mapping for array possitions */
+ initiator_to_index[initiator_list[i]] = i;
}
/* Target Proximity Domain List */
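Review bot: typo in the added comment, "possitions". Also, initiator_list[i] is used unchecked as an index into a MAX_NODES array; that is safe because node ids are validated against MAX_NODES when -numa is parsed, but an assert(initiator_list[i] < MAX_NODES) here would document the dependency at no cost.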
@@ -131,7 +134,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
entry_list = g_malloc0(num_initiator * num_target * sizeof(uint16_t));
for (i = 0; i < hmat_lb->list->len; i++) {
lb_data = &g_array_index(hmat_lb->list, HMAT_LB_Data, i);
- index = lb_data->initiator * num_target + lb_data->target;
+ index = initiator_to_index[lb_data->initiator] * num_target +
+ lb_data->target;
entry_list[index] = (uint16_t)(lb_data->data / hmat_lb->base);
}
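Review bot: because initiator_to_index is zero-initialised, an lb_data->initiator that never appeared in initiator_list maps silently to row 0 instead of failing. Today the -numa hmat-lb parser rejects initiators that have no CPUs, so every initiator referenced by LB data is in the list, but that invariant is enforced elsewhere; an assert that the initiator is present (or a sentinel other than 0 in the map) would turn a future regression into a loud failure instead of a wrong-row write.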
--
2.41.0.windows.1

@ -0,0 +1,51 @@
From 26faf838c837c09bf22ef6dc1621adc4e207fc8c Mon Sep 17 00:00:00 2001
From: guping <guping_yewu@cmss.chinamobile.com>
Date: Tue, 9 Jul 2024 11:56:12 +0000
Subject: [PATCH] hw/core: ensure kernel_end never gets used undefined
cherry-pick from f5fcc648083e71cfb9394894903f8ea108ff8831
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Really the problem here is the return values of fit_load_[kernel|fdt]() are a
little all over the place. However we don't want to somehow get
through not having set kernel_end and having it just be random unused
data.
The compiler complained on an --enable-gcov build:
In file included from ../../hw/core/loader-fit.c:20:
/home/alex/lsrc/qemu.git/include/qemu/osdep.h: In function load_fit:
/home/alex/lsrc/qemu.git/include/qemu/osdep.h:486:45: error: kernel_end may be used uninitialized [-Werror=maybe-uninitialized]
486 | #define ROUND_UP(n, d) ROUND_DOWN((n) + (d) - 1, (d))
| ^
../../hw/core/loader-fit.c:270:12: note: kernel_end was declared here
270 | hwaddr kernel_end;
| ^~~~~~~~~~
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Aleksandar Rikalo <arikalo@gmail.com>
Message-Id: <20240705084047.857176-5-alex.bennee@linaro.org>
Signed-off-by: guping <guping_yewu@cmss.chinamobile.com>
---
hw/core/loader-fit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/core/loader-fit.c b/hw/core/loader-fit.c
index b7c7b3ba94..4a9a74cf3a 100644
--- a/hw/core/loader-fit.c
+++ b/hw/core/loader-fit.c
@@ -265,7 +265,7 @@ int load_fit(const struct fit_loader *ldr, const char *filename, void *opaque)
const char *def_cfg_name;
char path[FIT_LOADER_MAX_PATH];
int itb_size, configs, cfg_off, off;
- hwaddr kernel_end;
+ hwaddr kernel_end = 0;
int ret;
itb = load_device_tree(filename, &itb_size);
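Review bot: `= 0` silences -Wmaybe-uninitialized but does not close the hole the commit message itself describes: if fit_load_kernel() can return success without setting kernel_end, load_fit() now rounds up from 0 and places the FDT accordingly instead of failing. Either make fit_load_kernel() set kernel_end on every success path (and state that contract in a comment) or reject a zero kernel_end before using it.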
--
2.41.0.windows.1

@ -0,0 +1,75 @@
From c85a85a2c5eb5f26f9c713c010e2ca3408cb8ce4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Date: Mon, 8 Apr 2024 12:44:22 +0200
Subject: [PATCH] hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE
definition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The magic 2048 is explained in the LAN9211 datasheet (DS00002414A)
in chapter 1.4, "10/100 Ethernet MAC":
The MAC Interface Layer (MIL), within the MAC, contains a
2K Byte transmit and a 128 Byte receive FIFO which is separate
from the TX and RX FIFOs. [...]
Note, the use of the constant in lan9118_receive() reveals that
our implementation is using the same buffer for both tx and rx.
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20240409133801.23503-2-philmd@linaro.org>
(cherry picked from commit a45223467e4e185fff1c76a6483784fa379ded77)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/net/lan9118.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index 942bce9ae6..fa43758105 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -155,6 +155,12 @@ do { fprintf(stderr, "lan9118: error: " fmt , ## __VA_ARGS__);} while (0)
#define GPT_TIMER_EN 0x20000000
+/*
+ * The MAC Interface Layer (MIL), within the MAC, contains a 2K Byte transmit
+ * and a 128 Byte receive FIFO which is separate from the TX and RX FIFOs.
+ */
+#define MIL_TXFIFO_SIZE 2048
+
enum tx_state {
TX_IDLE,
TX_B,
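Review bot: the comment quotes the datasheet's separate 128-byte receive FIFO, but, as the commit message notes, lan9118_receive() bounds incoming frames with this same 2048 constant; say that next to the define so that nobody later "corrects" the receive check to 128 or treats the constant as TX-only.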
@@ -171,7 +177,7 @@ typedef struct {
int32_t pad;
int32_t fifo_used;
int32_t len;
- uint8_t data[2048];
+ uint8_t data[MIL_TXFIFO_SIZE];
} LAN9118Packet;
static const VMStateDescription vmstate_lan9118_packet = {
@@ -187,7 +193,7 @@ static const VMStateDescription vmstate_lan9118_packet = {
VMSTATE_INT32(pad, LAN9118Packet),
VMSTATE_INT32(fifo_used, LAN9118Packet),
VMSTATE_INT32(len, LAN9118Packet),
- VMSTATE_UINT8_ARRAY(data, LAN9118Packet, 2048),
+ VMSTATE_UINT8_ARRAY(data, LAN9118Packet, MIL_TXFIFO_SIZE),
VMSTATE_END_OF_LIST()
}
};
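Review bot: substituting the macro in VMSTATE_UINT8_ARRAY keeps the migrated array at 2048 bytes, so the vmstate layout is unchanged and no version bump is needed; it does mean MIL_TXFIFO_SIZE now also defines the migration wire format, which is worth a remark at the define so it is not changed casually.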
@@ -549,7 +555,7 @@ static ssize_t lan9118_receive(NetClientState *nc, const uint8_t *buf,
return -1;
}
- if (size >= 2048 || size < 14) {
+ if (size >= MIL_TXFIFO_SIZE || size < 14) {
return -1;
}
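Review bot: the receive check now reads as if incoming frames were limited by the transmit FIFO size, which is exactly the confusion the commit message points to; either give the receive limit its own name or leave a comment here explaining why the TX constant is the right bound for RX. The bound itself is unchanged at 2048 and the lower bound of 14 (Ethernet header) is untouched, so this is a naming point only.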
--
2.41.0.windows.1

@ -0,0 +1,45 @@
From 2c4d30134778dc9219a883243d207f9dff9f0a7e Mon Sep 17 00:00:00 2001
From: Thomas Huth <thuth@redhat.com>
Date: Thu, 17 Aug 2023 14:56:00 +0200
Subject: [PATCH] hw/net/vmxnet3: Fix guest-triggerable assert()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The assert() that checks for valid MTU sizes can be triggered by
the guest (e.g. with the reproducer code from the bug ticket
https://gitlab.com/qemu-project/qemu/-/issues/517 ). Let's avoid
this problem by simply logging the error and refusing to activate
the device instead.
Fixes: d05dcd94ae ("net: vmxnet3: validate configuration values during activate")
Signed-off-by: Thomas Huth <thuth@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
[Mjt: change format specifier from %d to %u for uint32_t argument]
(cherry picked from commit 90a0778421acdf4ca903be64c8ed19378183c944)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/net/vmxnet3.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 2a32ab32ea..674b3a6946 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -1441,7 +1441,10 @@ static void vmxnet3_activate_device(VMXNET3State *s)
vmxnet3_setup_rx_filtering(s);
/* Cache fields from shared memory */
s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
- assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu <= VMXNET3_MAX_MTU);
+ if (s->mtu < VMXNET3_MIN_MTU || s->mtu > VMXNET3_MAX_MTU) {
+ qemu_log_mask(LOG_GUEST_ERROR, "vmxnet3: Bad MTU size: %u\n", s->mtu);
+ return;
+ }
VMW_CFPRN("MTU is %u", s->mtu);
s->max_rx_frags =
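Review bot: on the bad-MTU path s->mtu keeps the rejected value after the early return; nothing below runs, so it is harmless today, but caching the field only after validation (or clearing it on rejection) avoids a stale guest-controlled value if a later path reads s->mtu without checking device activation. Replacing the assert() with LOG_GUEST_ERROR plus refusing activation is the right shape for guest-controlled input; the `%u` for the uint32_t argument noted in the backport tag is correct.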
--
2.41.0.windows.1

@ -0,0 +1,57 @@
From 1937c00107f7598d5b0632f2eb6045e5bb46f6db Mon Sep 17 00:00:00 2001
From: guping <guping_yewu@cmss.chinamobile.com>
Date: Tue, 9 Jul 2024 12:39:01 +0000
Subject: [PATCH] hw/virtio: Fix obtain the buffer id from the last descriptor
cherry-pick from 33abfea239592a706e98269b01c0096249612ea4
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The virtio-1.3 specification
<https://docs.oasis-open.org/virtio/virtio/v1.3/virtio-v1.3.html> writes:
2.8.6 Next Flag: Descriptor Chaining
Buffer ID is included in the last descriptor in the list.
If the feature (_F_INDIRECT_DESC) has been negotiated, install only
one descriptor in the virtqueue.
Therefore the buffer id should be obtained from the first descriptor.
In descriptor chaining scenarios, the buffer id should be obtained
from the last descriptor.
Fixes: 86044b24
("virtio: basic packed virtqueue support")
Signed-off-by: Wafer <wafer@jaguarmicro.com>
Reviewed-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Eugenio Pérez <eperezma@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Message-Id: <20240510072753.26158-2-wafer@jaguarmicro.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: guping <guping_yewu@cmss.chinamobile.com>
---
hw/virtio/virtio.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 80156bfbd5..913b40e1f8 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -1635,6 +1635,11 @@ static void *virtqueue_packed_pop(VirtQueue *vq, size_t sz)
&indirect_desc_cache);
} while (rc == VIRTQUEUE_READ_DESC_MORE);
+ if (desc_cache != &indirect_desc_cache) {
+ /* Buffer ID is included in the last descriptor in the list. */
+ id = desc.id;
+ }
+
/* Now copy what we have collected and mapped */
elem = virtqueue_alloc_element(sz, out_num, in_num);
for (i = 0; i < out_num; i++) {
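Review bot: the added comment covers only the direct-chain case; for an indirect chain `desc_cache == &indirect_desc_cache` and `id` keeps the value taken from the single outer descriptor before the loop, which is the case the spec quote in the commit message distinguishes. Spell both cases out in the comment so the negated condition is not mistaken for a bug. Please also confirm that `desc` holds the last successfully read descriptor only when the loop ends with VIRTQUEUE_READ_DESC_DONE; the error exit is outside the visible lines.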
--
2.41.0.windows.1

@ -0,0 +1,60 @@
From 828944a7eb5d67f81aa3bc7158860466dc1f1325 Mon Sep 17 00:00:00 2001
From: Richard Henderson <richard.henderson@linaro.org>
Date: Fri, 5 Apr 2024 11:58:14 -1000
Subject: [PATCH] linux-user: Fix waitid return of siginfo_t and rusage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The copy back to siginfo_t should be conditional only on arg3,
not the specific values that might have been written.
The copy back to rusage was missing entirely.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2262
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Alex Fan <alex.fan.q@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit f0907ff4cae743f1a4ef3d0a55a047029eed06ff)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
linux-user/syscall.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index a5fe399277..c4951d449f 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -8460,14 +8460,24 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
#ifdef TARGET_NR_waitid
case TARGET_NR_waitid:
{
+ struct rusage ru;
siginfo_t info;
- info.si_pid = 0;
- ret = get_errno(safe_waitid(arg1, arg2, &info, arg4, NULL));
- if (!is_error(ret) && arg3 && info.si_pid != 0) {
- if (!(p = lock_user(VERIFY_WRITE, arg3, sizeof(target_siginfo_t), 0)))
+
+ ret = get_errno(safe_waitid(arg1, arg2, (arg3 ? &info : NULL),
+ arg4, (arg5 ? &ru : NULL)));
+ if (!is_error(ret)) {
+ if (arg3) {
+ p = lock_user(VERIFY_WRITE, arg3,
+ sizeof(target_siginfo_t), 0);
+ if (!p) {
+ return -TARGET_EFAULT;
+ }
+ host_to_target_siginfo(p, &info);
+ unlock_user(p, arg3, sizeof(target_siginfo_t));
+ }
+ if (arg5 && host_to_target_rusage(arg5, &ru)) {
return -TARGET_EFAULT;
- host_to_target_siginfo(p, &info);
- unlock_user(p, arg3, sizeof(target_siginfo_t));
+ }
}
}
return ret;
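Review bot: `ru` is copied back to the guest whenever arg5 is set and the syscall did not fail, but on a WNOHANG call that finds no child the host kernel returns 0 without writing rusage, so host_to_target_rusage() would copy uninitialised QEMU stack into guest memory; either zero-initialise `ru` or copy it only when a child was actually reaped. `info` lost the `info.si_pid = 0` pre-initialisation the old code had; the kernel zero-fills the fields that matter in the no-child case, but a `siginfo_t info = { 0 };` keeps host_to_target_siginfo() independent of that detail. Passing NULL for unset arg3/arg5 rather than always supplying buffers is the right change.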
--
2.41.0.windows.1

@ -0,0 +1,51 @@
From 3fce4b6eed6f37140ff94ea119dd47caaf8eba10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@redhat.com>
Date: Tue, 12 Mar 2024 13:04:31 +0100
Subject: [PATCH] migration: Skip only empty block devices
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The block .save_setup() handler calls a helper routine
init_blk_migration() which builds a list of block devices to take into
account for migration. When one device is found to be empty (sectors
== 0), the loop exits and all the remaining devices are ignored. This
is a regression introduced when bdrv_iterate() was removed.
Change that by skipping only empty devices.
Cc: Markus Armbruster <armbru@redhat.com>
Cc: qemu-stable <qemu-stable@nongnu.org>
Suggested-by: Kevin Wolf <kwolf@redhat.com>
Fixes: fea68bb6e9fa ("block: Eliminate bdrv_iterate(), use bdrv_next()")
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Link: https://lore.kernel.org/r/20240312120431.550054-1-clg@redhat.com
[peterx: fix "Suggested-by:"]
Signed-off-by: Peter Xu <peterx@redhat.com>
(cherry picked from commit 2e128776dc56f502c2ee41750afe83938f389528)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
migration/block.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/migration/block.c b/migration/block.c
index 391f8169fd..4055a6bb60 100644
--- a/migration/block.c
+++ b/migration/block.c
@@ -415,7 +415,10 @@ static int init_blk_migration(QEMUFile *f)
}
sectors = bdrv_nb_sectors(bs);
- if (sectors <= 0) {
+ if (sectors == 0) {
+ continue;
+ }
+ if (sectors < 0) {
ret = sectors;
bdrv_next_cleanup(&it);
goto out;
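Review bot: `continue` is the correct way to skip one device inside the bdrv_next() loop and, unlike the error path below it, must not call bdrv_next_cleanup() because the iterator is still live; the hunk gets that right. Consider a trace point for the skipped device: a block device that is silently left out of migration because it reported zero sectors is something an operator would rather see in the migration log than discover afterwards.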
--
2.41.0.windows.1

@ -0,0 +1,54 @@
From 13ece9fb57c74aafdb785b80d7a09b2d90c54cfd Mon Sep 17 00:00:00 2001
From: Guenter Roeck <linux@roeck-us.net>
Date: Sun, 28 Jan 2024 22:00:55 -0800
Subject: [PATCH] pci-host: designware: Limit value range of iATU viewport
register
The latest version of qemu (v8.2.0-869-g7a1dc45af5) crashes when booting
the mcimx7d-sabre emulation with Linux v5.11 and later.
qemu-system-arm: ../system/memory.c:2750: memory_region_set_alias_offset: Assertion `mr->alias' failed.
Problem is that the Designware PCIe emulation accepts the full value range
for the iATU Viewport Register. However, both hardware and emulation only
support four inbound and four outbound viewports.
The Linux kernel determines the number of supported viewports by writing
0xff into the viewport register and reading the value back. The expected
value when reading the register is the highest supported viewport index.
Match that code by masking the supported viewport value range when the
register is written. With this change, the Linux kernel reports
imx6q-pcie 33800000.pcie: iATU: unroll F, 4 ob, 4 ib, align 0K, limit 4G
as expected and supported.
Fixes: d64e5eabc4c7 ("pci: Add support for Designware IP block")
Cc: Andrey Smirnov <andrew.smirnov@gmail.com>
Cc: Nikita Ostrenkov <n.ostrenkov@gmail.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Message-id: 20240129060055.2616989-1-linux@roeck-us.net
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 8a73152020337a7fbf34daf0a006d4d89ec1494e)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/pci-host/designware.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
index bde3a343a2..c235b9daa3 100644
--- a/hw/pci-host/designware.c
+++ b/hw/pci-host/designware.c
@@ -340,6 +340,8 @@ static void designware_pcie_root_config_write(PCIDevice *d, uint32_t address,
break;
case DESIGNWARE_PCIE_ATU_VIEWPORT:
+ val &= DESIGNWARE_PCIE_ATU_REGION_INBOUND |
+ (DESIGNWARE_PCIE_NUM_VIEWPORTS - 1);
root->atu_viewport = val;
break;
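Review bot: `(DESIGNWARE_PCIE_NUM_VIEWPORTS - 1)` only works as a bound mask because the viewport count is a power of two; add a QEMU_BUILD_BUG_ON(!is_power_of_2(DESIGNWARE_PCIE_NUM_VIEWPORTS)) next to it, or bound with `% DESIGNWARE_PCIE_NUM_VIEWPORTS`, so a later change to the count cannot reopen the guest-triggerable assertion in memory_region_set_alias_offset(). Masking at write time also yields the read-back the Linux probe relies on (write 0xff, read the highest index), so the read side needs no change.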
--
2.41.0.windows.1

@ -3,7 +3,7 @@
Name: qemu
Version: 6.2.0
Release: 97
Release: 98
Epoch: 10
Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -989,6 +989,22 @@ Patch0974: nbd-server-CVE-2024-7409-Drop-non-negotiating-client.patch
Patch0975: aio-wait.h-introduce-AIO_WAIT_WHILE_UNLOCKED.patch
Patch0976: main-loop.h-introduce-qemu_in_main_thread.patch
Patch0977: nbd-server-CVE-2024-7409-Close-stray-clients-at-serv.patch
Patch0978: hw-core-ensure-kernel_end-never-gets-used-undefined.patch
Patch0979: hw-virtio-Fix-obtain-the-buffer-id-from-the-last-des.patch
Patch0980: cpu-add-Tengyun-S5000C-cpu-support.patch
Patch0981: vhsot-user-only-read-reply-of-SET_LOG_BASE-from-vq-0.patch
Patch0982: ebpf-replace-deprecated-bpf_program__set_socket_filt.patch
Patch0983: virtio-net-drop-too-short-packets-early.patch
Patch0984: stdvga-fix-screen-blanking.patch
Patch0985: hw-net-lan9118-Replace-magic-2048-value-by-MIL_TXFIF.patch
Patch0986: linux-user-Fix-waitid-return-of-siginfo_t-and-rusage.patch
Patch0987: Avoid-unaligned-fetch-in-ladr_match.patch
Patch0988: qxl-don-t-assert-if-device-isn-t-yet-initialized.patch
Patch0989: hw-net-vmxnet3-Fix-guest-triggerable-assert.patch
Patch0990: aspeed-hace-Initialize-g_autofree-pointer.patch
Patch0991: migration-Skip-only-empty-block-devices.patch
Patch0992: hmat-acpi-Fix-out-of-bounds-access-due-to-missing-us.patch
Patch0993: pci-host-designware-Limit-value-range-of-iATU-viewpo.patch
BuildRequires: flex
BuildRequires: gcc
@ -1587,6 +1603,24 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Wed Aug 21 2024 <fengjiabo1@huawei.com> - 10:6.2.0-98
- pci-host: designware: Limit value range of iATU viewport register
- hmat acpi: Fix out of bounds access due to missing use of indirection
- migration: Skip only empty block devices
- aspeed/hace: Initialize g_autofree pointer
- hw/net/vmxnet3: Fix guest-triggerable assert()
- qxl: don't assert() if device isn't yet initialized
- Avoid unaligned fetch in ladr_match()
- linux-user: Fix waitid return of siginfo_t and rusage
- hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition
- stdvga: fix screen blanking
- virtio-net: drop too short packets early
- ebpf: replace deprecated bpf_program__set_socket_filter
- vhost-user: only read reply of SET_LOG_BASE from vq 0
- cpu: add Tengyun S5000C cpu support
- hw/virtio: Fix obtain the buffer id from the last descriptor
- hw/core: ensure kernel_end never gets used undefined
* Tue Aug 13 2024 <fengjiabo1@huawei.com> - 10:6.2.0-97
- nbd/server: CVE-2024-7409: Close stray clients at server-stop
- main-loop.h: introduce qemu_in_main_thread()

@ -0,0 +1,52 @@
From 5cb26fdba648f1347f0746cf5c8f619427e4c2b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Mon, 14 Aug 2023 23:33:30 +0400
Subject: [PATCH] qxl: don't assert() if device isn't yet initialized
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the PCI BAR isn't yet mapped or was unmapped, QXL_IO_SET_MODE will
assert(). Instead, report a guest bug and keep going.
This can be reproduced with:
cat << EOF | ./qemu-system-x86_64 -vga qxl -m 2048 -nodefaults -qtest stdio
outl 0xcf8 0x8000101c
outl 0xcfc 0xc000
outl 0xcf8 0x80001001
outl 0xcfc 0x01000000
outl 0xc006 0x00
EOF
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1829
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit 95bef686e490bc3afc3f51f5fc6e20bf260b938c)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/display/qxl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 0f663b9912..d7673b8169 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -1601,7 +1601,10 @@ static void qxl_set_mode(PCIQXLDevice *d, unsigned int modenr, int loadvm)
}
d->guest_slots[0].slot = slot;
- assert(qxl_add_memslot(d, 0, devmem, QXL_SYNC) == 0);
+ if (qxl_add_memslot(d, 0, devmem, QXL_SYNC) != 0) {
+ qxl_set_guest_bug(d, "device isn't initialized yet");
+ return;
+ }
d->guest_primary.surface = surface;
qxl_create_guest_primary(d, 0, QXL_SYNC);
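Review bot: `d->guest_slots[0].slot = slot` is stored before qxl_add_memslot() is called, so on the new failure path guest_slots[0] keeps a slot description that was never registered; either verify that qxl_add_memslot() leaves the slot's active flag clear on the unmapped-BAR path or move the assignment after the successful call, so a later guest command cannot find a half-initialised slot. Replacing the assert() with qxl_set_guest_bug() is the right response to guest-controlled state, and the qtest reproducer in the commit message belongs in a regression test alongside the other fuzz-*-test.c cases in tests/qtest.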
--
2.41.0.windows.1

@ -0,0 +1,47 @@
From 5e725ce433c562e1e7fbcd1918305846303689fd Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 5 Jun 2024 15:14:41 +0200
Subject: [PATCH] stdvga: fix screen blanking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case the display surface uses a shared buffer (i.e. uses vga vram
directly instead of a shadow) go unshare the buffer before clearing it.
This avoids vga memory corruption, which in turn fixes unblanking not
working properly with X11.
Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2067
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-ID: <20240605131444.797896-2-kraxel@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit b1cf266c82cb1211ee2785f1813a6a3f3e693390)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/display/vga.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 33765148d9..5e5fdf67d7 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1745,6 +1745,13 @@ static void vga_draw_blank(VGACommonState *s, int full_update)
if (s->last_scr_width <= 0 || s->last_scr_height <= 0)
return;
+ if (is_buffer_shared(surface)) {
+ /* unshare buffer, otherwise the blanking corrupts vga vram */
+ surface = qemu_create_displaysurface(s->last_scr_width,
+ s->last_scr_height);
+ dpy_gfx_replace_surface(s->con, surface);
+ }
+
w = s->last_scr_width * surface_bytes_per_pixel(surface);
d = surface_data(surface);
for(i = 0; i < s->last_scr_height; i++) {
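Review bot: after dpy_gfx_replace_surface() the local `surface` points at the new allocation, so `w` and `d` below are computed from the fresh surface rather than the shared one; good. Two things to confirm: that the swap happens only once per blank period (the new surface is not shared, so is_buffer_shared() is false on later vga_draw_blank() calls) and that a full update is forced after the swap, since the displayed buffer changed without going through the normal dirty-tracking path. A comment noting that dpy_gfx_replace_surface() releases the previous surface would save the next reader a lookup.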
--
2.41.0.windows.1

@ -0,0 +1,30 @@
From 840318752f3d4611f46378395d67add885f422e0 Mon Sep 17 00:00:00 2001
From: BillXiang <1373760142@qq.com>
Date: Thu, 18 Jul 2024 15:29:07 +0800
Subject: [PATCH] vhost-user: only read reply of SET_LOG_BASE from vq 0
We have added VHOST_USER_SET_LOG_BASE to vhost_user_one_time_request
in https://gitee.com/openeuler/qemu/pulls/913
and will not send this message for other vqs.
Signed-off-by: BillXiang <1373760142@qq.com>
---
hw/virtio/vhost-user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index c97ea2544d..f10620494b 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -534,7 +534,7 @@ static int vhost_user_set_log_base(struct vhost_dev *dev, uint64_t base,
return ret;
}
- if (shmfd) {
+ if (shmfd && (dev->vq_index == 0)) {
msg.hdr.size = 0;
ret = vhost_user_read(dev, &msg);
if (ret < 0) {
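Review bot: the `dev->vq_index == 0` test restates by hand the rule that decides whether SET_LOG_BASE was sent at all (the one-time-request handling the commit message refers to); derive the read condition from that same helper rather than duplicating it, otherwise the next change to the send side leaves a blocking read for a reply that never arrives, which is exactly the hang this patch is fixing. The commit message should also say what was observed before the fix (a stall in vhost_user_read on vq_index != 0) so the backport rationale is self-contained.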
--
2.41.0.windows.1

@ -0,0 +1,91 @@
From b808292dbbb5e49db4b54123010ed2832d0ac548 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Tue, 13 Aug 2024 00:30:30 -0700
Subject: [PATCH] virtio-net: drop too short packets early
Reproducer from https://gitlab.com/qemu-project/qemu/-/issues/1451
creates small packet (1 segment, len = 10 == n->guest_hdr_len),
then destroys queue.
"if (n->host_hdr_len != n->guest_hdr_len)" is triggered, if body creates
zero length/zero segment packet as there is nothing after guest header.
qemu_sendv_packet_async() tries to send it.
slirp discards it because it is smaller than Ethernet header,
but returns 0 because tx hooks are supposed to return total length of data.
0 is propagated upwards and is interpreted as "packet has been sent"
which is terrible because queue is being destroyed, nobody is waiting for TX
to complete and assert it triggered.
Fix is to discard such empty packets instead of sending them.
Length 1 packets will go via different codepath:
virtqueue_push(q->tx_vq, elem, 0);
virtio_notify(vdev, q->tx_vq);
g_free(elem);
and aren't problematic.
Signed-off-by: Alexey Dobriyan <adobriyan@yandex-team.ru>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 2c3e4e2de699cd4d9f6c71f30a22d8f125cd6164)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/net/virtio-net.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index f3fb9393b3..ab794ee789 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -2602,18 +2602,14 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
out_sg = elem->out_sg;
if (out_num < 1) {
virtio_error(vdev, "virtio-net header not in first element");
- virtqueue_detach_element(q->tx_vq, elem, 0);
- g_free(elem);
- return -EINVAL;
+ goto detach;
}
if (n->has_vnet_hdr) {
if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) <
n->guest_hdr_len) {
virtio_error(vdev, "virtio-net header incorrect");
- virtqueue_detach_element(q->tx_vq, elem, 0);
- g_free(elem);
- return -EINVAL;
+ goto detach;
}
if (n->needs_vnet_hdr_swap) {
virtio_net_hdr_swap(vdev, (void *) &vhdr);
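Review bot: folding the two identical detach sequences into `goto detach` is fine; note that both sites still call virtio_error() first, which marks the device broken, so the label is an error exit rather than a drop path, and the new check added later in this function should be read the same way. The From: line names the backporter rather than the upstream author in the Signed-off-by; keep the original authorship when cherry-picking.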
@@ -2644,6 +2640,11 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
n->guest_hdr_len, -1);
out_num = sg_num;
out_sg = sg;
+
+ if (out_num < 1) {
+ virtio_error(vdev, "virtio-net nothing to send");
+ goto detach;
+ }
}
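Review bot: the new `out_num < 1` check treats a header-only TX buffer as a device-breaking error (virtio_error() followed by -EINVAL), not the silent drop the subject suggests; that is consistent with the two header checks above it and stops a zero-length packet reaching qemu_sendv_packet_async(), whose 0 return was being misread as completion. If a plain drop is what is wanted, the existing `drop:` path with virtqueue_push() that the commit message describes for length-1 packets is the alternative; either way the subject line should match the chosen behaviour.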
ret = qemu_sendv_packet_async(qemu_get_subqueue(n->nic, queue_index),
@@ -2664,6 +2665,11 @@ drop:
}
}
return num_packets;
+
+detach:
+ virtqueue_detach_element(q->tx_vq, elem, 0);
+ g_free(elem);
+ return -EINVAL;
}
static void virtio_net_handle_tx_timer(VirtIODevice *vdev, VirtQueue *vq)
--
2.41.0.windows.1