import qemu-kvm-4.2.0-51.module+el8.5.0+11141+9dff516f

SOURCES/kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch

@@ -0,0 +1,82 @@
+From dcac680adb6b8624f14eda3e812521bddbe8ecea Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 21 Apr 2021 22:30:04 -0400
+Subject: [PATCH 5/7] acpi: accept byte and word access to core ACPI registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210421223006.19650-5-jmaloy@redhat.com>
+Patchwork-id: 101482
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 4/6] acpi: accept byte and word access to core ACPI registers
+Bugzilla: 1842478
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Michael Tokarev <mjt@tls.msk.ru>
+
+All ISA registers should be accessible as bytes, words or dwords
+(if wide enough).  Fix the access constraints for acpi-pm-evt,
+acpi-pm-tmr & acpi-cnt registers.
+
+Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
+Fixes: afafe4bbe0 (apci: switch cnt to memory api)
+Fixes: 77d58b1e47 (apci: switch timer to memory api)
+Fixes: b5a7c024d2 (apci: switch evt to memory api)
+Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/
+Buglink: https://bugs.debian.org/964793
+BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
+BugLink: https://bugs.launchpad.net/bugs/1886318
+Reported-By: Simon John <git@the-jedi.co.uk>
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit dba04c3488c4699f5afe96f66e448b1d447cf3fb)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/acpi/core.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index 45cbed49ab..d85052c34a 100644
+--- a/hw/acpi/core.c
++++ b/hw/acpi/core.c
+@@ -461,7 +461,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_evt_ops = {
+     .read = acpi_pm_evt_read,
+     .write = acpi_pm_evt_write,
+-    .valid.min_access_size = 2,
++    .impl.min_access_size = 2,
++    .valid.min_access_size = 1,
+     .valid.max_access_size = 2,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+@@ -530,7 +531,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_tmr_ops = {
+     .read = acpi_pm_tmr_read,
+     .write = acpi_pm_tmr_write,
+-    .valid.min_access_size = 4,
++    .impl.min_access_size = 4,
++    .valid.min_access_size = 1,
+     .valid.max_access_size = 4,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+@@ -602,7 +604,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val,
+ static const MemoryRegionOps acpi_pm_cnt_ops = {
+     .read = acpi_pm_cnt_read,
+     .write = acpi_pm_cnt_write,
+-    .valid.min_access_size = 2,
++    .impl.min_access_size = 2,
++    .valid.min_access_size = 1,
+     .valid.max_access_size = 2,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+-- 
+2.27.0
+

SOURCES/kvm-audio-audio_generic_get_buffer_in-should-honor-size.patch

@@ -0,0 +1,53 @@
+From 96c8fcafa7325cd0e8a23a743a55f0ad0aa9f79b Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 18 Mar 2021 09:13:42 -0400
+Subject: [PATCH 5/5] audio: audio_generic_get_buffer_in should honor *size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: <20210318091342.3232471-2-kraxel@redhat.com>
+Patchwork-id: 101352
+O-Subject: [RHEL-8.4.0 qemu-kvm PATCH 1/1] audio: audio_generic_get_buffer_in should honor *size
+Bugzilla: 1932823
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+From: Volker Rümelin <vr_qemu@t-online.de>
+
+The function generic_get_buffer_in currently ignores the *size
+parameter and may return a buffer larger than *size.
+
+As a result the variable samples in function
+audio_pcm_hw_run_in may underflow. The while loop then most
+likely will never termiate.
+
+Buglink: http://bugs.debian.org/948658
+Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
+Message-Id: <20200123074943.6699-9-vr_qemu@t-online.de>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 599eac4e5a41e828645594097daee39373acc3c0)
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ audio/audio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/audio/audio.c b/audio/audio.c
+index 56fae55047..39a62fc62a 100644
+--- a/audio/audio.c
++++ b/audio/audio.c
+@@ -1402,7 +1402,8 @@ void *audio_generic_get_buffer_in(HWVoiceIn *hw, size_t *size)
+     }
+     assert(start >= 0 && start < hw->size_emul);
+ 
+-    *size = MIN(hw->pending_emul, hw->size_emul - start);
++    *size = MIN(*size, hw->pending_emul);
++    *size = MIN(*size, hw->size_emul - start);
+     return hw->buf_emul + start;
+ }
+ 
+-- 
+2.27.0
+

SOURCES/kvm-e1000-fail-early-for-evil-descriptor.patch

@@ -0,0 +1,65 @@
+From 7bd3000cf22a91e6bc6afc1e7adbf0ae1b731104 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 13 Apr 2021 22:45:17 -0400
+Subject: [PATCH 2/5] e1000: fail early for evil descriptor
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210413224517.3841507-2-jmaloy@redhat.com>
+Patchwork-id: 101473
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/1] e1000: fail early for evil descriptor
+Bugzilla: 1930092
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+From: Jason Wang <jasowang@redhat.com>
+
+During procss_tx_desc(), driver can try to chain data descriptor with
+legacy descriptor, when will lead underflow for the following
+calculation in process_tx_desc() for bytes:
+
+            if (tp->size + bytes > msh)
+                bytes = msh - tp->size;
+
+This will lead a infinite loop. So check and fail early if tp->size if
+greater or equal to msh.
+
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
+Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 3de46e6fc489c52c9431a8a832ad8170a7569bd8)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/net/e1000.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index fc73fdd6fa..fe56bccd52 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -671,6 +671,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         msh = tp->tso_props.hdr_len + tp->tso_props.mss;
+         do {
+             bytes = split_size;
++            if (tp->size >= msh) {
++                goto eop;
++            }
+             if (tp->size + bytes > msh)
+                 bytes = msh - tp->size;
+ 
+@@ -696,6 +699,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+         tp->size += split_size;
+     }
+ 
++eop:
+     if (!(txd_lower & E1000_TXD_CMD_EOP))
+         return;
+     if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
+-- 
+2.27.0
+

SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch

@@ -0,0 +1,80 @@
+From dad4f9beaa3fd1eec1e0dd46c3d5cd2f444c0f48 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 13 Apr 2021 20:05:51 -0400
+Subject: [PATCH 1/7] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210413200551.3825495-2-jmaloy@redhat.com>
+Patchwork-id: 101471
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/1] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
+Bugzilla: 1925430
+RH-Acked-by: Andrew Jones <drjones@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+
+Per the ARM Generic Interrupt Controller Architecture specification
+(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
+not 10:
+
+  - 4.3 Distributor register descriptions
+  - 4.3.15 Software Generated Interrupt Register, GICD_SG
+
+    - Table 4-21 GICD_SGIR bit assignments
+
+    The Interrupt ID of the SGI to forward to the specified CPU
+    interfaces. The value of this field is the Interrupt ID, in
+    the range 0-15, for example a value of 0b0011 specifies
+    Interrupt ID 3.
+
+Correct the irq mask to fix an undefined behavior (which eventually
+lead to a heap-buffer-overflow, see [Buglink]):
+
+   $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
+   [I 1612088147.116987] OPENED
+  [R +0.278293] writel 0x8000f00 0xff4affb0
+  ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
+  SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
+
+This fixes a security issue when running with KVM on Arm with
+kernel-irqchip=off. (The default is kernel-irqchip=on, which is
+unaffected, and which is also the correct choice for performance.)
+
+Cc: qemu-stable@nongnu.org
+Fixes: CVE-2021-20221
+Fixes: 9ee6e8bb853 ("ARMv7 support.")
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20210131103401.217160-1-f4bug@amsat.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+(cherry picked from commit edfe2eb4360cde4ed5d95bda7777edcb3510f76a)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/intc/arm_gic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
+index 1d7da7baa2..df355f4d11 100644
+--- a/hw/intc/arm_gic.c
++++ b/hw/intc/arm_gic.c
+@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
+         int target_cpu;
+ 
+         cpu = gic_get_current_cpu(s);
+-        irq = value & 0x3ff;
++        irq = value & 0xf;
+         switch ((value >> 24) & 3) {
+         case 0:
+             mask = (value >> 16) & ALL_CPU_MASK;
+-- 
+2.27.0
+

SOURCES/kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch

@@ -0,0 +1,47 @@
+From 2687e0348e3e4d377b4f5356e46948dc2b371b6d Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 21 Apr 2021 22:30:02 -0400
+Subject: [PATCH 3/7] libqos: pci-pc: use 32-bit write for EJ register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210421223006.19650-3-jmaloy@redhat.com>
+Patchwork-id: 101484
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 2/6] libqos: pci-pc: use 32-bit write for EJ register
+Bugzilla: 1842478
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+The memory region ops have min_access_size == 4 so obey it.
+
+Tested-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+(cherry picked from commit 4b7c06837ae0b1ff56473202a42e7e386f53d6db)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ tests/libqos/pci-pc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/libqos/pci-pc.c b/tests/libqos/pci-pc.c
+index 0bc591d1da..3bb2eb3ba8 100644
+--- a/tests/libqos/pci-pc.c
++++ b/tests/libqos/pci-pc.c
+@@ -186,7 +186,7 @@ void qpci_unplug_acpi_device_test(QTestState *qts, const char *id, uint8_t slot)
+     g_assert(!qdict_haskey(response, "error"));
+     qobject_unref(response);
+ 
+-    qtest_outb(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1 << slot);
++    qtest_outl(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1 << slot);
+ 
+     qtest_qmp_eventwait(qts, "DEVICE_DELETED");
+ }
+-- 
+2.27.0
+

SOURCES/kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch

@@ -0,0 +1,48 @@
+From 6320b4e76965b1cf64da4307f4d313fe6b2aa971 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 21 Apr 2021 22:30:01 -0400
+Subject: [PATCH 2/7] libqos: usb-hcd-ehci: use 32-bit write for config
+ register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210421223006.19650-2-jmaloy@redhat.com>
+Patchwork-id: 101478
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 1/6] libqos: usb-hcd-ehci: use 32-bit write for config register
+Bugzilla: 1842478
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+The memory region ops have min_access_size == 4 so obey it.
+
+Tested-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+(cherry picked from commit 89ed83d8b23c11d250c290593cad3ca839d5b053)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ tests/usb-hcd-ehci-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/usb-hcd-ehci-test.c b/tests/usb-hcd-ehci-test.c
+index 5251d539e9..c51e8bb223 100644
+--- a/tests/usb-hcd-ehci-test.c
++++ b/tests/usb-hcd-ehci-test.c
+@@ -96,7 +96,7 @@ static void pci_ehci_port_1(void)
+ static void pci_ehci_config(void)
+ {
+     /* hands over all ports from companion uhci to ehci */
+-    qpci_io_writew(ehci1.dev, ehci1.bar, 0x60, 1);
++    qpci_io_writel(ehci1.dev, ehci1.bar, 0x60, 1);
+ }
+ 
+ static void pci_uhci_port_2(void)
+-- 
+2.27.0
+

SOURCES/kvm-linux-headers-Add-VFIO_CCW_REQ_IRQ_INDEX.patch

@@ -0,0 +1,43 @@
+From f844ca939adb619cce8426e104b0039a7eba70a6 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Tue, 11 May 2021 11:24:04 -0400
+Subject: [PATCH 1/5] linux-headers: Add VFIO_CCW_REQ_IRQ_INDEX
+
+RH-Author: Thomas Huth <thuth@redhat.com>
+Message-id: <20210511112405.297037-2-thuth@redhat.com>
+Patchwork-id: 101537
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/2] linux-headers: Add VFIO_CCW_REQ_IRQ_INDEX
+Bugzilla: 1940450
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1940450
+Upstream-status: N/A
+
+This is based on upstream commit b3c818a47f ("Update linux headers to
+5.11-rc2"), but has been reduced to the single hunk that is required
+for the next patch (there were too many unrelated conflicts in the other
+files for doing full backport of the original upstream commit).
+
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ linux-headers/linux/vfio.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux-headers/linux/vfio.h b/linux-headers/linux/vfio.h
+index f660bd7bac..9c8810bef4 100644
+--- a/linux-headers/linux/vfio.h
++++ b/linux-headers/linux/vfio.h
+@@ -580,6 +580,7 @@ enum {
+ enum {
+ 	VFIO_CCW_IO_IRQ_INDEX,
+ 	VFIO_CCW_CRW_IRQ_INDEX,
++	VFIO_CCW_REQ_IRQ_INDEX,
+ 	VFIO_CCW_NUM_IRQS
+ };
+ 
+-- 
+2.27.0
+

SOURCES/kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch

@@ -0,0 +1,104 @@
+From 13f4ebe4708f4f4dc20d710e475a42d520459860 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 21 Apr 2021 22:30:03 -0400
+Subject: [PATCH 4/7] memory: Revert "memory: accept mismatching sizes in
+ memory_region_access_valid"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210421223006.19650-4-jmaloy@redhat.com>
+Patchwork-id: 101480
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 3/6] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"
+Bugzilla: 1842478
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: "Michael S. Tsirkin" <mst@redhat.com>
+
+Memory API documentation documents valid .min_access_size and .max_access_size
+fields and explains that any access outside these boundaries is blocked.
+
+This is what devices seem to assume.
+
+However this is not what the implementation does: it simply
+ignores the boundaries unless there's an "accepts" callback.
+
+Naturally, this breaks a bunch of devices.
+
+Revert to the documented behaviour.
+
+Devices that want to allow any access can just drop the valid field,
+or add the impl field to have accesses converted to appropriate
+length.
+
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Richard Henderson <rth@twiddle.net>
+Fixes: CVE-2020-13754
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
+Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20200610134731.1514409-1-mst@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+(cherry picked from commit 5d971f9e672507210e77d020d89e0e89165c8fc9)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ memory.c | 29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/memory.c b/memory.c
+index 5a4a80842d..0cfcb72a5a 100644
+--- a/memory.c
++++ b/memory.c
+@@ -1351,35 +1351,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
+                                 bool is_write,
+                                 MemTxAttrs attrs)
+ {
+-    int access_size_min, access_size_max;
+-    int access_size, i;
+-
+-    if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++    if (mr->ops->valid.accepts
++        && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+         return false;
+     }
+ 
+-    if (!mr->ops->valid.accepts) {
+-        return true;
+-    }
+-
+-    access_size_min = mr->ops->valid.min_access_size;
+-    if (!mr->ops->valid.min_access_size) {
+-        access_size_min = 1;
++    if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++        return false;
+     }
+ 
+-    access_size_max = mr->ops->valid.max_access_size;
++    /* Treat zero as compatibility all valid */
+     if (!mr->ops->valid.max_access_size) {
+-        access_size_max = 4;
++        return true;
+     }
+ 
+-    access_size = MAX(MIN(size, access_size_max), access_size_min);
+-    for (i = 0; i < size; i += access_size) {
+-        if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
+-                                    is_write, attrs)) {
+-            return false;
+-        }
++    if (size > mr->ops->valid.max_access_size
++        || size < mr->ops->valid.min_access_size) {
++        return false;
+     }
+-
+     return true;
+ }
+ 
+-- 
+2.27.0
+

SOURCES/kvm-net-forbid-the-reentrant-RX.patch

@@ -0,0 +1,50 @@
+From 1e01e2f96fd5e903394eab59365d5363394c8b18 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 13 Apr 2021 18:59:12 -0400
+Subject: [PATCH 3/5] net: forbid the reentrant RX
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210413185912.3811035-2-jmaloy@redhat.com>
+Patchwork-id: 101467
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/1] net: forbid the reentrant RX
+Bugzilla: 1859175
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Xiao Wang <jasowang@redhat.com>
+
+From: Jason Wang <jasowang@redhat.com>
+
+The memory API allows DMA into NIC's MMIO area. This means the NIC's
+RX routine must be reentrant. Instead of auditing all the NIC, we can
+simply detect the reentrancy and return early. The queue->delivering
+is set and cleared by qemu_net_queue_deliver() for other queue helpers
+to know whether the delivering in on going (NIC's receive is being
+called). We can check it and return early in qemu_net_queue_flush() to
+forbid reentrant RX.
+
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 22dc8663d9fc7baa22100544c600b6285a63c7a3)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ net/queue.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/queue.c b/net/queue.c
+index 61276ca4be..c679d79f4b 100644
+--- a/net/queue.c
++++ b/net/queue.c
+@@ -250,6 +250,9 @@ void qemu_net_queue_purge(NetQueue *queue, NetClientState *from)
+ 
+ bool qemu_net_queue_flush(NetQueue *queue)
+ {
++    if (queue->delivering)
++        return false;
++
+     while (!QTAILQ_EMPTY(&queue->packets)) {
+         NetPacket *packet;
+         int ret;
+-- 
+2.27.0
+

SOURCES/kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch

@@ -0,0 +1,59 @@
+From b7de63e72c479df42c324c058a487517210fa069 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Tue, 13 Apr 2021 19:21:50 -0400
+Subject: [PATCH 1/5] net: remove an assert call in eth_get_gso_type
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210413192150.3817133-2-jmaloy@redhat.com>
+Patchwork-id: 101469
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/1] net: remove an assert call in eth_get_gso_type
+Bugzilla: 1892350
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Xiao Wang <jasowang@redhat.com>
+
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+eth_get_gso_type() routine returns segmentation offload type based on
+L3 protocol type. It calls g_assert_not_reached if L3 protocol is
+unknown, making the following return statement unreachable. Remove the
+g_assert call, it maybe triggered by a guest user.
+
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 7564bf7701f00214cdc8a678a9f7df765244def1)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ net/eth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/eth.c b/net/eth.c
+index 0c1d413ee2..1e0821c5f8 100644
+--- a/net/eth.c
++++ b/net/eth.c
+@@ -16,6 +16,7 @@
+  */
+ 
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "net/eth.h"
+ #include "net/checksum.h"
+ #include "net/tap.h"
+@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto)
+             return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
+         }
+     }
+-
+-    /* Unsupported offload */
+-    g_assert_not_reached();
++    qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, "
++        "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
+ 
+     return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
+ }
+-- 
+2.27.0
+

SOURCES/kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch

@@ -0,0 +1,50 @@
+From 56ae2d8a1ee3a35e2eed4f4baa61f97184189b47 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Tue, 18 May 2021 13:51:24 -0400
+Subject: [PATCH 4/5] pc-bios/s390-ccw: break loop if a null block number is
+ reached
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Thomas Huth <thuth@redhat.com>
+Message-id: <20210518135125.191329-3-thuth@redhat.com>
+Patchwork-id: 101549
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 2/3] pc-bios/s390-ccw: break loop if a null block number is reached
+Bugzilla: 1942880
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+
+Break the loop if `cur_block_nr` is a null block number because this
+means that the end of chunk is reached. In this case we will try to
+boot the default entry.
+
+Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu")
+Reviewed-by: Collin Walling <walling@linux.ibm.com>
+Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Message-Id: <20200924085926.21709-3-mhartmay@linux.ibm.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+(cherry picked from commit 468184ec9024f4f7b55247f70ec57554e8a500d7)
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ pc-bios/s390-ccw/bootmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
+index bb6e003270..624f524331 100644
+--- a/pc-bios/s390-ccw/bootmap.c
++++ b/pc-bios/s390-ccw/bootmap.c
+@@ -192,7 +192,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr)
+     for (i = 0; i < STAGE2_BLK_CNT_MAX; i++) {
+         cur_block_nr = eckd_block_num(&s1b->seek[i].chs);
+ 
+-        if (!cur_block_nr) {
++        if (!cur_block_nr || is_null_block_number(cur_block_nr)) {
+             break;
+         }
+ 
+-- 
+2.27.0
+

SOURCES/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch

@@ -0,0 +1,48 @@
+From 52ba1903b2c8ce69e8cd1de2a78c2c63cc60383b Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Tue, 18 May 2021 13:51:25 -0400
+Subject: [PATCH 5/5] pc-bios/s390-ccw: don't try to read the next block if end
+ of chunk is reached
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Thomas Huth <thuth@redhat.com>
+Message-id: <20210518135125.191329-4-thuth@redhat.com>
+Patchwork-id: 101550
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 3/3] pc-bios/s390-ccw: don't try to read the next block if end of chunk is reached
+Bugzilla: 1942880
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+
+Don't read the block if a null block number is reached, because this means that
+the end of chunk is reached.
+
+Reviewed-by: Collin Walling <walling@linux.ibm.com>
+Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Message-Id: <20210416074736.17409-1-mhartmay@linux.ibm.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+(cherry picked from commit a6625d38cce3901a7c1cba069f0abcf743a293f1)
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ pc-bios/s390-ccw/bootmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
+index 624f524331..8458b15cb6 100644
+--- a/pc-bios/s390-ccw/bootmap.c
++++ b/pc-bios/s390-ccw/bootmap.c
+@@ -212,7 +212,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr)
+                 next_block_nr = eckd_block_num(&s1b->seek[i + 1].chs);
+             }
+ 
+-            if (next_block_nr) {
++            if (next_block_nr && !is_null_block_number(next_block_nr)) {
+                 read_block(next_block_nr, s2_next_blk,
+                            "Cannot read stage2 boot loader");
+             }
+-- 
+2.27.0
+

SOURCES/kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch

@@ -0,0 +1,51 @@
+From 0e9bdb960045f98d70f765bbb585f1647e5fea08 Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Tue, 18 May 2021 13:51:23 -0400
+Subject: [PATCH 3/5] pc-bios/s390-ccw: fix off-by-one error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Thomas Huth <thuth@redhat.com>
+Message-id: <20210518135125.191329-2-thuth@redhat.com>
+Patchwork-id: 101548
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 1/3] pc-bios/s390-ccw: fix off-by-one error
+Bugzilla: 1942880
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+
+This error takes effect when the magic value "zIPL" is located at the
+end of a block. For example if s2_cur_blk = 0x7fe18000 and the magic
+value "zIPL" is located at 0x7fe18ffc - 0x7fe18fff.
+
+Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu")
+Reviewed-by: Collin Walling <walling@linux.ibm.com>
+Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Message-Id: <20200924085926.21709-2-mhartmay@linux.ibm.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+[thuth: Use "<= ... - 4" instead of "< ... - 3"]
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+(cherry picked from commit 5f97ba0c74ccace0a4014460de9751ff3c6f454a)
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ pc-bios/s390-ccw/bootmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
+index e91ea719ff..bb6e003270 100644
+--- a/pc-bios/s390-ccw/bootmap.c
++++ b/pc-bios/s390-ccw/bootmap.c
+@@ -163,7 +163,7 @@ static bool find_zipl_boot_menu_banner(int *offset)
+     int i;
+ 
+     /* Menu banner starts with "zIPL" */
+-    for (i = 0; i < virtio_get_block_size() - 4; i++) {
++    for (i = 0; i <= virtio_get_block_size() - 4; i++) {
+         if (magic_match(s2_cur_blk + i, ZIPL_MAGIC_EBCDIC)) {
+             *offset = i;
+             return true;
+-- 
+2.27.0
+

SOURCES/kvm-qemu-img-convert-Don-t-pre-zero-images.patch

@@ -0,0 +1,73 @@
+From eea45924903f03dc6d8f20576be0a4a84d5acce4 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Wed, 10 Feb 2021 10:16:11 -0500
+Subject: [PATCH 4/5] qemu-img convert: Don't pre-zero images
+
+RH-Author: Kevin Wolf <kwolf@redhat.com>
+Message-id: <20210210101611.137928-2-kwolf@redhat.com>
+Patchwork-id: 101030
+O-Subject: [RHEL-8.4.0 qemu-kvm PATCH 1/1] qemu-img convert: Don't pre-zero images
+Bugzilla: 1855250
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Max Reitz <mreitz@redhat.com>
+
+Since commit 5a37b60a61c, qemu-img create will pre-zero the target image
+if it isn't already zero-initialised (most importantly, for host block
+devices, but also iscsi etc.), so that writing explicit zeros wouldn't
+be necessary later.
+
+This could speed up the operation significantly, in particular when the
+source image file was only sparsely populated. However, it also means
+that some block are written twice: Once when pre-zeroing them, and then
+when they are overwritten with actual data. On a full image, the
+pre-zeroing is wasted work because everything will be overwritten.
+
+In practice, write_zeroes typically turns out faster than writing
+explicit zero buffers, but slow enough that first zeroing everything and
+then overwriting parts can be a significant net loss.
+
+Meanwhile, qemu-img convert was rewritten in 690c7301600 and zero blocks
+are now written to the target using bdrv_co_pwrite_zeroes() if the
+target could be pre-zeroed. This way we already make use of the faster
+write_zeroes operation, but avoid writing any blocks twice.
+
+Remove the pre-zeroing because these days this former optimisation has
+actually turned into a pessimisation in the common case.
+
+Reported-by: Nir Soffer <nsoffer@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Message-Id: <20200622151203.35624-1-kwolf@redhat.com>
+Tested-by:  Nir Soffer <nsoffer@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit edafc70c0c8510862f2f213a3acf7067113bcd08)
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ qemu-img.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/qemu-img.c b/qemu-img.c
+index a27ad70851..b10dc5129b 100644
+--- a/qemu-img.c
++++ b/qemu-img.c
+@@ -2029,15 +2029,6 @@ static int convert_do_copy(ImgConvertState *s)
+         s->has_zero_init = false;
+     }
+ 
+-    if (!s->has_zero_init && !s->target_has_backing &&
+-        bdrv_can_write_zeroes_with_unmap(blk_bs(s->target)))
+-    {
+-        ret = blk_make_zero(s->target, BDRV_REQ_MAY_UNMAP | BDRV_REQ_NO_FALLBACK);
+-        if (ret == 0) {
+-            s->has_zero_init = true;
+-        }
+-    }
+-
+     /* Allocate buffer for copied data. For compressed images, only one cluster
+      * can be copied at a time. */
+     if (s->compressed) {
+-- 
+2.27.0
+

SOURCES/kvm-softmmu-memory-Log-invalid-memory-accesses.patch

@@ -0,0 +1,84 @@
+From be0a190e3c5c4ff84f7c53630ed5a55644d18acc Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 21 Apr 2021 22:30:06 -0400
+Subject: [PATCH 7/7] softmmu/memory: Log invalid memory accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210421223006.19650-7-jmaloy@redhat.com>
+Patchwork-id: 101481
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 6/6] softmmu/memory: Log invalid memory accesses
+Bugzilla: 1842478
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Log invalid memory accesses with as GUEST_ERROR.
+
+This is particularly useful since commit 5d971f9e67 which reverted
+("memory: accept mismatching sizes in memory_region_access_valid").
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Message-Id: <20201005152725.2143444-1-philmd@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+
+(cherry picked from commit 21786c7e59847b1612406ff394958f22e5b323f8)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ memory.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/memory.c b/memory.c
+index 0cfcb72a5a..660df8159a 100644
+--- a/memory.c
++++ b/memory.c
+@@ -14,6 +14,7 @@
+  */
+ 
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "qapi/error.h"
+ #include "cpu.h"
+ #include "exec/memory.h"
+@@ -1353,10 +1354,18 @@ bool memory_region_access_valid(MemoryRegion *mr,
+ {
+     if (mr->ops->valid.accepts
+         && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
++        qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
++                                       "0x%" HWADDR_PRIX ", size %u, "
++                                       "region '%s', reason: rejected\n",
++                      addr, size, memory_region_name(mr));
+         return false;
+     }
+ 
+     if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++        qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
++                                       "0x%" HWADDR_PRIX ", size %u, "
++                                       "region '%s', reason: unaligned\n",
++                      addr, size, memory_region_name(mr));
+         return false;
+     }
+ 
+@@ -1367,6 +1376,13 @@ bool memory_region_access_valid(MemoryRegion *mr,
+ 
+     if (size > mr->ops->valid.max_access_size
+         || size < mr->ops->valid.min_access_size) {
++        qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
++                                       "0x%" HWADDR_PRIX ", size %u, "
++                                       "region '%s', reason: invalid size "
++                                       "(min:%u max:%u)\n",
++                      addr, size, memory_region_name(mr),
++                      mr->ops->valid.min_access_size,
++                      mr->ops->valid.max_access_size);
+         return false;
+     }
+     return true;
+-- 
+2.27.0
+

SOURCES/kvm-vfio-ccw-Connect-the-device-request-notifier.patch

@@ -0,0 +1,128 @@
+From db6a782f8b9ba062f195ff504b4d2f93e471fecc Mon Sep 17 00:00:00 2001
+From: Thomas Huth <thuth@redhat.com>
+Date: Tue, 11 May 2021 11:24:05 -0400
+Subject: [PATCH 2/5] vfio-ccw: Connect the device request notifier
+
+RH-Author: Thomas Huth <thuth@redhat.com>
+Message-id: <20210511112405.297037-3-thuth@redhat.com>
+Patchwork-id: 101536
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH 2/2] vfio-ccw: Connect the device request notifier
+Bugzilla: 1940450
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
+RH-Acked-by: David Hildenbrand <david@redhat.com>
+
+Now that the vfio-ccw code has a notifier interface to request that
+a device be unplugged, let's wire that together.
+
+Signed-off-by: Eric Farman <farman@linux.ibm.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Message-Id: <20210104202057.48048-4-farman@linux.ibm.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+(cherry picked from commit b2f96f9e4f5fbc8f2770a436191cb328da4d5350)
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1940450
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/vfio/ccw.c | 40 ++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 36 insertions(+), 4 deletions(-)
+
+diff --git a/hw/vfio/ccw.c b/hw/vfio/ccw.c
+index b72a505893..3d450fe1c9 100644
+--- a/hw/vfio/ccw.c
++++ b/hw/vfio/ccw.c
+@@ -49,6 +49,7 @@ struct VFIOCCWDevice {
+     struct ccw_crw_region *crw_region;
+     EventNotifier io_notifier;
+     EventNotifier crw_notifier;
++    EventNotifier req_notifier;
+     bool force_orb_pfch;
+     bool warned_orb_pfch;
+ };
+@@ -287,6 +288,21 @@ static void vfio_ccw_crw_read(VFIOCCWDevice *vcdev)
+     } while (1);
+ }
+ 
++static void vfio_ccw_req_notifier_handler(void *opaque)
++{
++    VFIOCCWDevice *vcdev = opaque;
++    Error *err = NULL;
++
++    if (!event_notifier_test_and_clear(&vcdev->req_notifier)) {
++        return;
++    }
++
++    qdev_unplug(DEVICE(vcdev), &err);
++    if (err) {
++        warn_reportf_err(err, VFIO_MSG_PREFIX, vcdev->vdev.name);
++    }
++}
++
+ static void vfio_ccw_crw_notifier_handler(void *opaque)
+ {
+     VFIOCCWDevice *vcdev = opaque;
+@@ -386,6 +402,10 @@ static void vfio_ccw_register_irq_notifier(VFIOCCWDevice *vcdev,
+         notifier = &vcdev->crw_notifier;
+         fd_read = vfio_ccw_crw_notifier_handler;
+         break;
++    case VFIO_CCW_REQ_IRQ_INDEX:
++        notifier = &vcdev->req_notifier;
++        fd_read = vfio_ccw_req_notifier_handler;
++        break;
+     default:
+         error_setg(errp, "vfio: Unsupported device irq(%d)", irq);
+         return;
+@@ -440,6 +460,9 @@ static void vfio_ccw_unregister_irq_notifier(VFIOCCWDevice *vcdev,
+     case VFIO_CCW_CRW_IRQ_INDEX:
+         notifier = &vcdev->crw_notifier;
+         break;
++    case VFIO_CCW_REQ_IRQ_INDEX:
++        notifier = &vcdev->req_notifier;
++        break;
+     default:
+         error_report("vfio: Unsupported device irq(%d)", irq);
+         return;
+@@ -657,20 +680,28 @@ static void vfio_ccw_realize(DeviceState *dev, Error **errp)
+ 
+     vfio_ccw_register_irq_notifier(vcdev, VFIO_CCW_IO_IRQ_INDEX, &err);
+     if (err) {
+-        goto out_notifier_err;
++        goto out_io_notifier_err;
+     }
+ 
+     if (vcdev->crw_region) {
+         vfio_ccw_register_irq_notifier(vcdev, VFIO_CCW_CRW_IRQ_INDEX, &err);
+         if (err) {
+-            vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_IO_IRQ_INDEX);
+-            goto out_notifier_err;
++            goto out_crw_notifier_err;
+         }
+     }
+ 
++    vfio_ccw_register_irq_notifier(vcdev, VFIO_CCW_REQ_IRQ_INDEX, &err);
++    if (err) {
++        goto out_req_notifier_err;
++    }
++
+     return;
+ 
+-out_notifier_err:
++out_req_notifier_err:
++    vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_CRW_IRQ_INDEX);
++out_crw_notifier_err:
++    vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_IO_IRQ_INDEX);
++out_io_notifier_err:
+     vfio_ccw_put_region(vcdev);
+ out_region_err:
+     vfio_ccw_put_device(vcdev);
+@@ -692,6 +723,7 @@ static void vfio_ccw_unrealize(DeviceState *dev, Error **errp)
+     S390CCWDeviceClass *cdc = S390_CCW_DEVICE_GET_CLASS(cdev);
+     VFIOGroup *group = vcdev->vdev.group;
+ 
++    vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_REQ_IRQ_INDEX);
+     vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_CRW_IRQ_INDEX);
+     vfio_ccw_unregister_irq_notifier(vcdev, VFIO_CCW_IO_IRQ_INDEX);
+     vfio_ccw_put_region(vcdev);
+-- 
+2.27.0
+

SOURCES/kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch

@@ -0,0 +1,76 @@
+From f38f51d422e82d1241b678960dd6a033ffa398da Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 21 Apr 2021 22:30:05 -0400
+Subject: [PATCH 6/7] xhci: fix valid.max_access_size to access address
+ registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210421223006.19650-6-jmaloy@redhat.com>
+Patchwork-id: 101483
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 5/6] xhci: fix valid.max_access_size to access address registers
+Bugzilla: 1842478
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Laurent Vivier <lvivier@redhat.com>
+
+QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
+64-bit mode access in "runtime" and "operational" MemoryRegionOps.
+
+Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
+
+XHCI specs:
+"If the xHC supports 64-bit addressing (AC64 = ‘1’), then software
+should write 64-bit registers using only Qword accesses.  If a
+system is incapable of issuing Qword accesses, then writes to the
+64-bit address fields shall be performed using 2 Dword accesses;
+low Dword-first, high-Dword second.  If the xHC supports 32-bit
+addressing (AC64 = ‘0’), then the high Dword of registers containing
+64-bit address fields are unused and software should write addresses
+using only Dword accesses"
+
+The problem has been detected with SLOF, as linux kernel always accesses
+registers using 32-bit access even if AC64 is set and revealed by
+5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")
+
+Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+Message-id: 20200721083322.90651-1-lvivier@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+(cherry picked from commit 8e67fda2dd6202ccec093fda561107ba14830a17)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/usb/hcd-xhci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 646c78cde9..ab449bb003 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3183,7 +3183,7 @@ static const MemoryRegionOps xhci_oper_ops = {
+     .read = xhci_oper_read,
+     .write = xhci_oper_write,
+     .valid.min_access_size = 4,
+-    .valid.max_access_size = 4,
++    .valid.max_access_size = sizeof(dma_addr_t),
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+ 
+@@ -3199,7 +3199,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
+     .read = xhci_runtime_read,
+     .write = xhci_runtime_write,
+     .valid.min_access_size = 4,
+-    .valid.max_access_size = 4,
++    .valid.max_access_size = sizeof(dma_addr_t),
+     .endianness = DEVICE_LITTLE_ENDIAN,
+ };
+ 
+-- 
+2.27.0
+

SPECS/qemu-kvm.spec

@@ -67,7 +67,7 @@ Obsoletes: %1-rhev
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 4.2.0
-Release: 48%{?dist}
+Release: 51%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@@ -1130,6 +1130,40 @@ Patch489: kvm-x86-cpu-Populate-SVM-CPUID-feature-bits.patch
 Patch490: kvm-i386-Add-the-support-for-AMD-EPYC-3rd-generation-pro.patch
 # For bz#1917451 - CVE-2020-29443 virt:rhel/qemu-kvm: QEMU: ide: atapi: OOB access while processing read commands [rhel-8.4.0]
 Patch491: kvm-ide-atapi-check-logical-block-address-and-read-size-.patch
+# For bz#1892350 - CVE-2020-27617 virt:rhel/qemu-kvm: QEMU: net: an assert failure via eth_get_gso_type [rhel-8.5.0]
+Patch492: kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch
+# For bz#1930092 - CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0]
+Patch493: kvm-e1000-fail-early-for-evil-descriptor.patch
+# For bz#1859175 - CVE-2020-15859 virt:rhel/qemu-kvm: QEMU: net: e1000e: use-after-free while sending packets [rhel-8]
+Patch494: kvm-net-forbid-the-reentrant-RX.patch
+# For bz#1855250 - qemu-img convert uses possibly slow pre-zeroing on block storage
+Patch495: kvm-qemu-img-convert-Don-t-pre-zero-images.patch
+# For bz#1932823 - after upgrade from 4.3 to 4.4 audio stops working in guests after couple of seconds
+Patch496: kvm-audio-audio_generic_get_buffer_in-should-honor-size.patch
+# For bz#1925430 - CVE-2021-20221 virt:rhel/qemu-kvm: qemu: out-of-bound heap buffer access via an interrupt ID field [rhel-8.5.0]
+Patch497: kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
+# For bz#1842478 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0]
+Patch498: kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch
+# For bz#1842478 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0]
+Patch499: kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch
+# For bz#1842478 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0]
+Patch500: kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch
+# For bz#1842478 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0]
+Patch501: kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch
+# For bz#1842478 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0]
+Patch502: kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch
+# For bz#1842478 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0]
+Patch503: kvm-softmmu-memory-Log-invalid-memory-accesses.patch
+# For bz#1940450 - RHEL8.5 - Mediated Device already in use by same domain we are booting (vfio-ccw/Multipath Testing) (kvm) - qemu-kvm part (also has kernel and libvirt parts)
+Patch504: kvm-linux-headers-Add-VFIO_CCW_REQ_IRQ_INDEX.patch
+# For bz#1940450 - RHEL8.5 - Mediated Device already in use by same domain we are booting (vfio-ccw/Multipath Testing) (kvm) - qemu-kvm part (also has kernel and libvirt parts)
+Patch505: kvm-vfio-ccw-Connect-the-device-request-notifier.patch
+# For bz#1942880 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm)
+Patch506: kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch
+# For bz#1942880 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm)
+Patch507: kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch
+# For bz#1942880 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm)
+Patch508: kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch
 
 BuildRequires: wget
 BuildRequires: rpm-build
@@ -2078,6 +2112,47 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 
 
 %changelog
+* Tue May 25 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-51.el8
+- kvm-linux-headers-Add-VFIO_CCW_REQ_IRQ_INDEX.patch [bz#1940450]
+- kvm-vfio-ccw-Connect-the-device-request-notifier.patch [bz#1940450]
+- kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch [bz#1942880]
+- kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch [bz#1942880]
+- kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch [bz#1942880]
+- Resolves: bz#1940450
+  (RHEL8.5 - Mediated Device already in use by same domain we are booting (vfio-ccw/Multipath Testing) (kvm) - qemu-kvm part (also has kernel and libvirt parts))
+- Resolves: bz#1942880
+  (RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm))
+
+* Wed May 05 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-50.el8
+- kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch [bz#1925430]
+- kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch [bz#1842478]
+- kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch [bz#1842478]
+- kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch [bz#1842478]
+- kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch [bz#1842478]
+- kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch [bz#1842478]
+- kvm-softmmu-memory-Log-invalid-memory-accesses.patch [bz#1842478]
+- Resolves: bz#1925430
+  (CVE-2021-20221 virt:rhel/qemu-kvm: qemu: out-of-bound heap buffer access via an interrupt ID field [rhel-8.5.0])
+- Resolves: bz#1842478
+  (CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.5.0])
+
+* Wed Apr 28 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-49.el8
+- kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch [bz#1892350]
+- kvm-e1000-fail-early-for-evil-descriptor.patch [bz#1930092]
+- kvm-net-forbid-the-reentrant-RX.patch [bz#1859175]
+- kvm-qemu-img-convert-Don-t-pre-zero-images.patch [bz#1855250]
+- kvm-audio-audio_generic_get_buffer_in-should-honor-size.patch [bz#1932823]
+- Resolves: bz#1892350
+  (CVE-2020-27617 virt:rhel/qemu-kvm: QEMU: net: an assert failure via eth_get_gso_type [rhel-8.5.0])
+- Resolves: bz#1930092
+  (CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0])
+- Resolves: bz#1859175
+  (CVE-2020-15859 virt:rhel/qemu-kvm: QEMU: net: e1000e: use-after-free while sending packets [rhel-8])
+- Resolves: bz#1855250
+  (qemu-img convert uses possibly slow pre-zeroing on block storage)
+- Resolves: bz#1932823
+  (after upgrade from 4.3 to 4.4 audio stops working in guests after couple of seconds)
+
 * Tue Mar 16 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-48.el8
 - kvm-ide-atapi-check-logical-block-address-and-read-size-.patch [bz#1917451]
 - Resolves: bz#1917451