Update to enable edk2 as dependency and properly fix gcc 11 issues.

Miroslav Rezanina 2021-01-15 12:15:19 +01:00
parent eea10ec917
commit 6c1454d3d0
21 changed files with 681 additions and 47 deletions

@ -1,4 +1,4 @@
From 28d744b42d381b15254706f90fed3310ce4a5116 Mon Sep 17 00:00:00 2001
From 7b8ca8c1cbd3763900e3e472556116c9832e06f8 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Wed, 2 Sep 2020 09:39:41 +0200
Subject: Enable make check
@ -31,19 +31,16 @@ Rebase changes (5.2.0 rc0):
- Disable cdrom tests (unsupported devices) on x86_64
- disable fuzz test
Rebaes changes (RHEL 9):
- disable block-iothreads test
Merged patches (4.0.0):
- f7ffd13 Remove 7 qcow2 and luks iotests that are taking > 25 sec to run during the fast train build proce
Merged patches (4.1.0-rc0):
- 41288ff redhat: Remove raw iotest 205
Dissable problematic tests
Conflicts:
redhat/qemu-kvm.spec.template
---
redhat/qemu-kvm.spec.template | 4 ++--
tests/meson.build | 2 +-
tests/qemu-iotests/051 | 12 ++++++------
tests/qtest/boot-serial-test.c | 6 +++++-
tests/qtest/cdrom-test.c | 2 ++
@ -54,21 +51,8 @@ Dissable problematic tests
tests/qtest/prom-env-test.c | 4 ++++
tests/qtest/test-x86-cpuid-compat.c | 2 ++
tests/qtest/usb-hcd-xhci-test.c | 4 ++++
12 files changed, 36 insertions(+), 20 deletions(-)
11 files changed, 35 insertions(+), 19 deletions(-)
diff --git a/tests/meson.build b/tests/meson.build
index afeb6be689..e562a0499e 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -136,7 +136,7 @@ if have_block
'test-blockjob': [testblock],
'test-blockjob-txn': [testblock],
'test-block-backend': [testblock],
- 'test-block-iothread': [testblock],
+# 'test-block-iothread': [testblock],
'test-write-threshold': [testblock],
'test-crypto-hash': [crypto],
'test-crypto-hmac': [crypto],
diff --git a/tests/qemu-iotests/051 b/tests/qemu-iotests/051
index bee26075b2..61d25c4ed7 100755
--- a/tests/qemu-iotests/051

@ -1,4 +1,4 @@
From 514eb840d98c8047e88fb503a4bba71455a2e8b0 Mon Sep 17 00:00:00 2001
From da70823afbdbb904950068fe5f0323ff75b0d4fc Mon Sep 17 00:00:00 2001
From: Bandan Das <bsd@redhat.com>
Date: Tue, 3 Dec 2013 20:05:13 +0100
Subject: vfio: cap number of devices that can be assigned

@ -1,4 +1,4 @@
From f63ec823f8df7024f33c145b88a2b50c589cc633 Mon Sep 17 00:00:00 2001
From f69c3b855ec419b4afe240bbd039141a59aad808 Mon Sep 17 00:00:00 2001
From: Eduardo Habkost <ehabkost@redhat.com>
Date: Wed, 4 Dec 2013 18:53:17 +0100
Subject: Add support statement to -help output

@ -1,4 +1,4 @@
From 6eddce7d3e8cd95c4b848fe3f7c5ac27854dc0da Mon Sep 17 00:00:00 2001
From 9585c8927744d8b07b317063ef788e1f01773f0e Mon Sep 17 00:00:00 2001
From: Andrew Jones <drjones@redhat.com>
Date: Tue, 21 Jan 2014 10:46:52 +0100
Subject: globally limit the maximum number of CPUs

@ -1,4 +1,4 @@
From c615fb7d219b7b88f6517d6772d92e233007aff3 Mon Sep 17 00:00:00 2001
From 091f9e47dc4609bfded5474cfe2797777cdd56f1 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Wed, 8 Jul 2020 08:35:50 +0200
Subject: Use qemu-kvm in documentation instead of qemu-system-<arch>

@ -1,4 +1,4 @@
From 5095570936ccd71ac82bf441c36e85bd16b8e459 Mon Sep 17 00:00:00 2001
From 4d69dc90e66deec6bc6b46074ee44ef8c902266b Mon Sep 17 00:00:00 2001
From: Fam Zheng <famz@redhat.com>
Date: Wed, 14 Jun 2017 15:37:01 +0200
Subject: virtio-scsi: Reject scsi-cd if data plane enabled [RHEL only]

@ -1,4 +1,4 @@
From 0619f89b5e0eb713e4d426c869e7a6a826a13728 Mon Sep 17 00:00:00 2001
From 18c5a8c24e22b7c2ba9f7e26cac190cefc7ecf26 Mon Sep 17 00:00:00 2001
From: David Gibson <dgibson@redhat.com>
Date: Wed, 6 Feb 2019 03:58:56 +0000
Subject: BZ1653590: Require at least 64kiB pages for downstream guests & hosts

@ -1,4 +1,4 @@
From e7321dc3f2159d2f4b7f93bd0f7ebb89752e8604 Mon Sep 17 00:00:00 2001
From 989cfded8fdd5df3b6b1f1a304ca16c128d7561b Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Fri, 13 Mar 2020 12:34:32 +0000
Subject: block: Versioned x-blockdev-reopen API with feature flag

@ -1,4 +1,4 @@
From bd9e5c1703ef16727db863ba79f46ae9cb81cbfd Mon Sep 17 00:00:00 2001
From fa0063ba67071384d8c749cee8f4f4e5bbc8ef91 Mon Sep 17 00:00:00 2001
From: Greg Kurz <gkurz@redhat.com>
Date: Fri, 20 Nov 2020 14:00:31 -0500
Subject: redhat: Define hw_compat_8_3

@ -1,4 +1,4 @@
From e5c00782e6f609b4f25dc214825c6491def46e15 Mon Sep 17 00:00:00 2001
From 943c936df3b6b5c3197ad727f2105e61778e749a Mon Sep 17 00:00:00 2001
From: Greg Kurz <gkurz@redhat.com>
Date: Fri, 20 Nov 2020 14:00:32 -0500
Subject: redhat: Add spapr_machine_rhel_default_class_options()

@ -1,4 +1,4 @@
From e5f8c128550c8e6020095152a9fa171cccc6aa18 Mon Sep 17 00:00:00 2001
From 030b5e6fba510b8b9f8c8690ef6ea63f71628d25 Mon Sep 17 00:00:00 2001
From: Greg Kurz <gkurz@redhat.com>
Date: Fri, 20 Nov 2020 14:00:33 -0500
Subject: redhat: Define pseries-rhel8.4.0 machine type

@ -1,4 +1,4 @@
From a4ce96735ad8f1e07ded93e39e32e22bd9ac00ba Mon Sep 17 00:00:00 2001
From a6ae745cceee1acc3667f5ba5e007ca6c083f8a8 Mon Sep 17 00:00:00 2001
From: Cornelia Huck <cohuck@redhat.com>
Date: Tue, 1 Dec 2020 17:53:41 -0500
Subject: redhat: s390x: add rhel-8.4.0 compat machine

@ -1,4 +1,4 @@
From 8d3c826bca23d64cbb2f71bd3b506b43fc2b1c70 Mon Sep 17 00:00:00 2001
From 974af930d4e5cae5611bb2e3a5ac18d3bda15a68 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Thu, 17 Dec 2020 17:58:43 +0100
Subject: block/vpc: Make vpc_open() read the full dynamic header

@ -1,4 +1,4 @@
From 0db17b3fa57012894e9e410f139703baf21f590a Mon Sep 17 00:00:00 2001
From 6e9564986a00456c6748cf888d9ba9f7f0db01bf Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Mon, 4 Jan 2021 07:47:03 +0100
Subject: GCC 11 warnings hacks

@ -1,12 +1,26 @@
From 6d129eac73fdc94b2712af5d402c0f2debd65600 Mon Sep 17 00:00:00 2001
From bb42f8a495aa0da2410109de14aca901b8c4ac4f Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Tue, 5 Jan 2021 07:40:08 +0100
Subject: Disable problematic tests for initial build
---
tests/meson.build | 2 +-
tests/qtest/meson.build | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/meson.build b/tests/meson.build
index afeb6be689..e562a0499e 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -136,7 +136,7 @@ if have_block
'test-blockjob': [testblock],
'test-blockjob-txn': [testblock],
'test-block-backend': [testblock],
- 'test-block-iothread': [testblock],
+# 'test-block-iothread': [testblock],
'test-write-threshold': [testblock],
'test-crypto-hash': [crypto],
'test-crypto-hmac': [crypto],
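Review bot: the `test-block-iothread` entry is disabled by commenting it out, and neither the hunk nor the patch description says which failure this works around or when the test can come back. The subject says "for initial build", so add a one-line comment above the `#` line naming the failure and the condition for re-enabling it.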
diff --git a/tests/qtest/meson.build b/tests/qtest/meson.build
index 15ed460ff0..70ef8c236c 100644
--- a/tests/qtest/meson.build

@ -0,0 +1,166 @@
From f488becdbb12c6001a2524d049371196a05f5256 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Fri, 15 Jan 2021 09:27:40 +0100
Subject: Revert "GCC 11 warnings hacks"
This reverts commit 6e9564986a00456c6748cf888d9ba9f7f0db01bf.
Hacks solved upstream. Going to import upstream solutions.
---
hw/scsi/scsi-disk.c | 13 ++++++-------
net/eth.c | 4 +---
target/s390x/kvm.c | 2 +-
target/s390x/misc_helper.c | 2 +-
tcg/aarch64/tcg-target.c.inc | 3 ++-
tests/test-block-iothread.c | 12 ++++++------
6 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
index 8ce77777d3..90841ad791 100644
--- a/hw/scsi/scsi-disk.c
+++ b/hw/scsi/scsi-disk.c
@@ -2578,15 +2578,14 @@ static void scsi_disk_new_request_dump(uint32_t lun, uint32_t tag, uint8_t *buf)
int len = scsi_cdb_length(buf);
char *line_buffer, *p;
- if (len > 0) {
- line_buffer = g_malloc(len * 5 + 1);
- for (i = 0, p = line_buffer; i < len; i++) {
- p += sprintf(p, " 0x%02x", buf[i]);
- }
- trace_scsi_disk_new_request(lun, tag, line_buffer);
+ line_buffer = g_malloc(len * 5 + 1);
- g_free(line_buffer);
+ for (i = 0, p = line_buffer; i < len; i++) {
+ p += sprintf(p, " 0x%02x", buf[i]);
}
+ trace_scsi_disk_new_request(lun, tag, line_buffer);
+
+ g_free(line_buffer);
}
static SCSIRequest *scsi_new_request(SCSIDevice *d, uint32_t tag, uint32_t lun,
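Review bot: in scsi_disk_new_request_dump() the revert removes the `if (len > 0)` guard, but `len` is a signed int taken from scsi_cdb_length(buf) and nothing visible here rules out zero or a negative value. With len == 0 the loop writes nothing, so the one-byte `line_buffer` reaches trace_scsi_disk_new_request() without a terminator; with a negative len, `len * 5 + 1` becomes a huge size once converted for g_malloc(). None of the follow-up patches 0031 to 0034 touch hw/scsi/scsi-disk.c, so keep the guard (or an early return on `len <= 0`) as its own patch instead of reverting it with the rest.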
diff --git a/net/eth.c b/net/eth.c
index 041ac4865a..1e0821c5f8 100644
--- a/net/eth.c
+++ b/net/eth.c
@@ -405,8 +405,6 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags,
struct ip6_ext_hdr *ext_hdr,
struct in6_address *dst_addr)
{
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Warray-bounds"
struct ip6_ext_hdr_routing *rthdr = (struct ip6_ext_hdr_routing *) ext_hdr;
if ((rthdr->rtype == 2) &&
@@ -426,7 +424,7 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags,
return bytes_read == sizeof(*dst_addr);
}
-#pragma GCC diagnostic pop
+
return false;
}
diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
index ab1ca6b1bf..1839cc6648 100644
--- a/target/s390x/kvm.c
+++ b/target/s390x/kvm.c
@@ -1918,7 +1918,7 @@ static void insert_stsi_3_2_2(S390CPU *cpu, __u64 addr, uint8_t ar)
*/
if (qemu_name) {
strncpy((char *)sysib.ext_names[0], qemu_name,
- sizeof(sysib.ext_names[0])-1);
+ sizeof(sysib.ext_names[0]));
} else {
strcpy((char *)sysib.ext_names[0], "KVMguest");
}
diff --git a/target/s390x/misc_helper.c b/target/s390x/misc_helper.c
index adaf4145e6..58dbc023eb 100644
--- a/target/s390x/misc_helper.c
+++ b/target/s390x/misc_helper.c
@@ -370,7 +370,7 @@ uint32_t HELPER(stsi)(CPUS390XState *env, uint64_t a0, uint64_t r0, uint64_t r1)
MIN(sizeof(sysib.sysib_322.vm[0].name),
strlen(qemu_name)));
strncpy((char *)sysib.sysib_322.ext_names[0], qemu_name,
- sizeof(sysib.sysib_322.ext_names[0])-1);
+ sizeof(sysib.sysib_322.ext_names[0]));
} else {
ebcdic_put(sysib.sysib_322.vm[0].name, "TCGguest", 8);
strcpy((char *)sysib.sysib_322.ext_names[0], "TCGguest");
diff --git a/tcg/aarch64/tcg-target.c.inc b/tcg/aarch64/tcg-target.c.inc
index fe6bdbf721..26f71cb599 100644
--- a/tcg/aarch64/tcg-target.c.inc
+++ b/tcg/aarch64/tcg-target.c.inc
@@ -1852,7 +1852,8 @@ static void tcg_out_qemu_st(TCGContext *s, TCGReg data_reg, TCGReg addr_reg,
static tcg_insn_unit *tb_ret_addr;
static void tcg_out_op(TCGContext *s, TCGOpcode opc,
- const TCGArg *args, const int *const_args)
+ const TCGArg args[TCG_MAX_OP_ARGS],
+ const int const_args[TCG_MAX_OP_ARGS])
{
/* 99% of the time, we can signal the use of extension registers
by looking to see if the opcode handles 64-bit data. */
diff --git a/tests/test-block-iothread.c b/tests/test-block-iothread.c
index bc64b50e66..3f866a35c6 100644
--- a/tests/test-block-iothread.c
+++ b/tests/test-block-iothread.c
@@ -75,7 +75,7 @@ static BlockDriver bdrv_test = {
static void test_sync_op_pread(BdrvChild *c)
{
- uint8_t buf[512] = {0};
+ uint8_t buf[512];
int ret;
/* Success */
@@ -89,7 +89,7 @@ static void test_sync_op_pread(BdrvChild *c)
static void test_sync_op_pwrite(BdrvChild *c)
{
- uint8_t buf[512] = {0};
+ uint8_t buf[512];
int ret;
/* Success */
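Review bot: dropping `= {0}` in test_sync_op_pwrite() leaves `buf` uninitialized in a function that, by its name, exercises the write path, and the same applies to the test_sync_op_blk_pwrite() and test_sync_op_save_vmstate() hunks below. None of the follow-up patches 0031 to 0034 touch tests/test-block-iothread.c, so the "import upstream solutions" in the revert message does not cover this file; keep the initializer in the three write-side functions.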
@@ -103,7 +103,7 @@ static void test_sync_op_pwrite(BdrvChild *c)
static void test_sync_op_blk_pread(BlockBackend *blk)
{
- uint8_t buf[512] = {0};
+ uint8_t buf[512];
int ret;
/* Success */
@@ -117,7 +117,7 @@ static void test_sync_op_blk_pread(BlockBackend *blk)
static void test_sync_op_blk_pwrite(BlockBackend *blk)
{
- uint8_t buf[512] = {0};
+ uint8_t buf[512];
int ret;
/* Success */
@@ -131,7 +131,7 @@ static void test_sync_op_blk_pwrite(BlockBackend *blk)
static void test_sync_op_load_vmstate(BdrvChild *c)
{
- uint8_t buf[512] = {0};
+ uint8_t buf[512];
int ret;
/* Error: Driver does not support snapshots */
@@ -141,7 +141,7 @@ static void test_sync_op_load_vmstate(BdrvChild *c)
static void test_sync_op_save_vmstate(BdrvChild *c)
{
- uint8_t buf[512] = {0};
+ uint8_t buf[512];
int ret;
/* Error: Driver does not support snapshots */
--
2.18.4

@ -0,0 +1,84 @@
From adbabd33e81f46c6b29c4b940c053e562e4f55fd Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Fri, 15 Jan 2021 09:28:59 +0100
Subject: s390x: Use strpadcpy for copying vm name
Using strncpy with length equal to the size of target array, GCC 11
reports following warning:
warning: '__builtin_strncpy' specified bound 256 equals destination size [-Wstringop-truncation]
We can prevent this warning by using strpadcpy that copies string
up to specified length, zeroes target array after copied string
and does not raise warning when length is equal to target array
size (and ending '\0' is discarded).
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
target/s390x/kvm.c | 12 +++++-------
target/s390x/misc_helper.c | 7 +++++--
2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
index 1839cc6648..c08b5bc2de 100644
--- a/target/s390x/kvm.c
+++ b/target/s390x/kvm.c
@@ -29,6 +29,7 @@
#include "internal.h"
#include "kvm_s390x.h"
#include "sysemu/kvm_int.h"
+#include "qemu/cutils.h"
#include "qapi/error.h"
#include "qemu/error-report.h"
#include "qemu/timer.h"
@@ -1910,18 +1911,15 @@ static void insert_stsi_3_2_2(S390CPU *cpu, __u64 addr, uint8_t ar)
strlen(qemu_name)));
}
sysib.vm[0].ext_name_encoding = 2; /* 2 = UTF-8 */
- memset(sysib.ext_names[0], 0, sizeof(sysib.ext_names[0]));
/* If hypervisor specifies zero Extended Name in STSI322 SYSIB, it's
* considered by s390 as not capable of providing any Extended Name.
* Therefore if no name was specified on qemu invocation, we go with the
* same "KVMguest" default, which KVM has filled into short name field.
*/
- if (qemu_name) {
- strncpy((char *)sysib.ext_names[0], qemu_name,
- sizeof(sysib.ext_names[0]));
- } else {
- strcpy((char *)sysib.ext_names[0], "KVMguest");
- }
+ strpadcpy((char *)sysib.ext_names[0],
+ sizeof(sysib.ext_names[0]),
+ qemu_name ?: "KVMguest", '\0');
+
/* Insert UUID */
memcpy(sysib.vm[0].uuid, &qemu_uuid, sizeof(sysib.vm[0].uuid));
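Review bot: with the bound equal to sizeof(sysib.ext_names[0]), a qemu_name of that length or longer fills the field with no terminating NUL, which the commit message accepts ("ending '\0' is discarded"). The `(char *)` cast makes the field look like a C string, so a short comment at the strpadcpy() call stating that ext_names[0] is fixed-width and may be unterminated would keep a later reader from handing it to strlen() or a "%s" format. Separately, `qemu_name ?: "KVMguest"` is the GNU omitted-operand conditional; fine if the tree already relies on it, otherwise spell out the middle operand.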
diff --git a/target/s390x/misc_helper.c b/target/s390x/misc_helper.c
index 58dbc023eb..7ea90d414a 100644
--- a/target/s390x/misc_helper.c
+++ b/target/s390x/misc_helper.c
@@ -19,6 +19,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/cutils.h"
#include "qemu/main-loop.h"
#include "cpu.h"
#include "internal.h"
@@ -369,8 +370,10 @@ uint32_t HELPER(stsi)(CPUS390XState *env, uint64_t a0, uint64_t r0, uint64_t r1)
ebcdic_put(sysib.sysib_322.vm[0].name, qemu_name,
MIN(sizeof(sysib.sysib_322.vm[0].name),
strlen(qemu_name)));
- strncpy((char *)sysib.sysib_322.ext_names[0], qemu_name,
- sizeof(sysib.sysib_322.ext_names[0]));
+ strpadcpy((char *)sysib.sysib_322.ext_names[0],
+ sizeof(sysib.sysib_322.ext_names[0]),
+ qemu_name, '\0');
+
} else {
ebcdic_put(sysib.sysib_322.vm[0].name, "TCGguest", 8);
strcpy((char *)sysib.sysib_322.ext_names[0], "TCGguest");
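Review bot: the else branch still fills ext_names[0] with strcpy() for "TCGguest", while the kvm.c hunk in this same patch routes both the named and the default case through strpadcpy(). Use a second strpadcpy() in the else branch so padding is done the same way on both paths and does not depend on how `sysib` was initialized earlier. The blank line added before `} else {` can be dropped.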
--
2.18.4

@ -0,0 +1,138 @@
From 8773f3688ca87e5e7da2e1a5170d0bde9a54eae0 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Fri, 15 Jan 2021 09:38:53 +0100
Subject: tcg: Restrict tcg_out_op() to arrays of TCG_MAX_OP_ARGS elements
---
tcg/aarch64/tcg-target.c.inc | 3 ++-
tcg/i386/tcg-target.c.inc | 6 ++++--
tcg/ppc/tcg-target.c.inc | 8 +++++---
tcg/s390/tcg-target.c.inc | 3 ++-
tcg/tcg.c | 19 +++++++++++--------
5 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/tcg/aarch64/tcg-target.c.inc b/tcg/aarch64/tcg-target.c.inc
index 26f71cb599..ce8689e889 100644
--- a/tcg/aarch64/tcg-target.c.inc
+++ b/tcg/aarch64/tcg-target.c.inc
@@ -2271,7 +2271,8 @@ static void tcg_out_op(TCGContext *s, TCGOpcode opc,
static void tcg_out_vec_op(TCGContext *s, TCGOpcode opc,
unsigned vecl, unsigned vece,
- const TCGArg *args, const int *const_args)
+ const TCGArg args[TCG_MAX_OP_ARGS],
+ const int const_args[TCG_MAX_OP_ARGS])
{
static const AArch64Insn cmp_insn[16] = {
[TCG_COND_EQ] = I3616_CMEQ,
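Review bot: this patch carries only a subject line, with no description and no Signed-off-by, so the reason for changing `const TCGArg *args` to `const TCGArg args[TCG_MAX_OP_ARGS]` is not recorded anywhere. An array-typed parameter still decays to a pointer in C, so the new form documents the expected size and keeps declarations and definitions consistent for compiler diagnostics, but it does not enforce the bound; say that in the commit message, and if this is a backport, reference the upstream commit.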
diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc
index d8797ed398..0e557d177a 100644
--- a/tcg/i386/tcg-target.c.inc
+++ b/tcg/i386/tcg-target.c.inc
@@ -2242,7 +2242,8 @@ static void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, bool is64)
}
static inline void tcg_out_op(TCGContext *s, TCGOpcode opc,
- const TCGArg *args, const int *const_args)
+ const TCGArg args[TCG_MAX_OP_ARGS],
+ const int const_args[TCG_MAX_OP_ARGS])
{
TCGArg a0, a1, a2;
int c, const_a2, vexop, rexw = 0;
@@ -2679,7 +2680,8 @@ static inline void tcg_out_op(TCGContext *s, TCGOpcode opc,
static void tcg_out_vec_op(TCGContext *s, TCGOpcode opc,
unsigned vecl, unsigned vece,
- const TCGArg *args, const int *const_args)
+ const TCGArg args[TCG_MAX_OP_ARGS],
+ const int const_args[TCG_MAX_OP_ARGS])
{
static int const add_insn[4] = {
OPC_PADDB, OPC_PADDW, OPC_PADDD, OPC_PADDQ
diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc
index 18ee989f95..b2bc1fc0c4 100644
--- a/tcg/ppc/tcg-target.c.inc
+++ b/tcg/ppc/tcg-target.c.inc
@@ -2353,8 +2353,9 @@ static void tcg_target_qemu_prologue(TCGContext *s)
tcg_out32(s, BCLR | BO_ALWAYS);
}
-static void tcg_out_op(TCGContext *s, TCGOpcode opc, const TCGArg *args,
- const int *const_args)
+static void tcg_out_op(TCGContext *s, TCGOpcode opc,
+ const TCGArg args[TCG_MAX_OP_ARGS],
+ const int const_args[TCG_MAX_OP_ARGS])
{
TCGArg a0, a1, a2;
int c;
@@ -3151,7 +3152,8 @@ static bool tcg_out_dupm_vec(TCGContext *s, TCGType type, unsigned vece,
static void tcg_out_vec_op(TCGContext *s, TCGOpcode opc,
unsigned vecl, unsigned vece,
- const TCGArg *args, const int *const_args)
+ const TCGArg args[TCG_MAX_OP_ARGS],
+ const int const_args[TCG_MAX_OP_ARGS])
{
static const uint32_t
add_op[4] = { VADDUBM, VADDUHM, VADDUWM, VADDUDM },
diff --git a/tcg/s390/tcg-target.c.inc b/tcg/s390/tcg-target.c.inc
index c5e096449b..79753c8af7 100644
--- a/tcg/s390/tcg-target.c.inc
+++ b/tcg/s390/tcg-target.c.inc
@@ -1746,7 +1746,8 @@ static void tcg_out_qemu_st(TCGContext* s, TCGReg data_reg, TCGReg addr_reg,
case glue(glue(INDEX_op_,x),_i64)
static inline void tcg_out_op(TCGContext *s, TCGOpcode opc,
- const TCGArg *args, const int *const_args)
+ const TCGArg args[TCG_MAX_OP_ARGS],
+ const int const_args[TCG_MAX_OP_ARGS])
{
S390Opcode op, op2;
TCGArg a0, a1, a2;
diff --git a/tcg/tcg.c b/tcg/tcg.c
index 43c6cf8f52..2d0116d29f 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -109,8 +109,9 @@ static void tcg_out_ld(TCGContext *s, TCGType type, TCGReg ret, TCGReg arg1,
static bool tcg_out_mov(TCGContext *s, TCGType type, TCGReg ret, TCGReg arg);
static void tcg_out_movi(TCGContext *s, TCGType type,
TCGReg ret, tcg_target_long arg);
-static void tcg_out_op(TCGContext *s, TCGOpcode opc, const TCGArg *args,
- const int *const_args);
+static void tcg_out_op(TCGContext *s, TCGOpcode opc,
+ const TCGArg args[TCG_MAX_OP_ARGS],
+ const int const_args[TCG_MAX_OP_ARGS]);
#if TCG_TARGET_MAYBE_vec
static bool tcg_out_dup_vec(TCGContext *s, TCGType type, unsigned vece,
TCGReg dst, TCGReg src);
@@ -118,9 +119,10 @@ static bool tcg_out_dupm_vec(TCGContext *s, TCGType type, unsigned vece,
TCGReg dst, TCGReg base, intptr_t offset);
static void tcg_out_dupi_vec(TCGContext *s, TCGType type,
TCGReg dst, tcg_target_long arg);
-static void tcg_out_vec_op(TCGContext *s, TCGOpcode opc, unsigned vecl,
- unsigned vece, const TCGArg *args,
- const int *const_args);
+static void tcg_out_vec_op(TCGContext *s, TCGOpcode opc,
+ unsigned vecl, unsigned vece,
+ const TCGArg args[TCG_MAX_OP_ARGS],
+ const int const_args[TCG_MAX_OP_ARGS]);
#else
static inline bool tcg_out_dup_vec(TCGContext *s, TCGType type, unsigned vece,
TCGReg dst, TCGReg src)
@@ -137,9 +139,10 @@ static inline void tcg_out_dupi_vec(TCGContext *s, TCGType type,
{
g_assert_not_reached();
}
-static inline void tcg_out_vec_op(TCGContext *s, TCGOpcode opc, unsigned vecl,
- unsigned vece, const TCGArg *args,
- const int *const_args)
+static inline void tcg_out_vec_op(TCGContext *s, TCGOpcode opc,
+ unsigned vecl, unsigned vece,
+ const TCGArg args[TCG_MAX_OP_ARGS],
+ const int const_args[TCG_MAX_OP_ARGS])
{
g_assert_not_reached();
}
--
2.18.4

@ -0,0 +1,52 @@
From 76ed390a52769c5ca64db5496a2adcb43df72035 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Fri, 15 Jan 2021 09:42:33 +0100
Subject: net/eth: Simplify _eth_get_rss_ex_dst_addr()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The length field is already contained in the ip6_ext_hdr structure.
Check it direcly in eth_parse_ipv6_hdr() before calling
_eth_get_rss_ex_dst_addr(), which gets a bit simplified.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
net/eth.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/net/eth.c b/net/eth.c
index 1e0821c5f8..7d4dd48c1f 100644
--- a/net/eth.c
+++ b/net/eth.c
@@ -407,9 +407,7 @@ _eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags,
{
struct ip6_ext_hdr_routing *rthdr = (struct ip6_ext_hdr_routing *) ext_hdr;
- if ((rthdr->rtype == 2) &&
- (rthdr->len == sizeof(struct in6_address) / 8) &&
- (rthdr->segleft == 1)) {
+ if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
size_t input_size = iov_size(pkt, pkt_frags);
size_t bytes_read;
@@ -528,10 +526,12 @@ bool eth_parse_ipv6_hdr(const struct iovec *pkt, int pkt_frags,
}
if (curr_ext_hdr_type == IP6_ROUTING) {
- info->rss_ex_dst_valid =
- _eth_get_rss_ex_dst_addr(pkt, pkt_frags,
- ip6hdr_off + info->full_hdr_len,
- &ext_hdr, &info->rss_ex_dst);
+ if (ext_hdr.ip6r_len == sizeof(struct in6_address) / 8) {
+ info->rss_ex_dst_valid =
+ _eth_get_rss_ex_dst_addr(pkt, pkt_frags,
+ ip6hdr_off + info->full_hdr_len,
+ &ext_hdr, &info->rss_ex_dst);
+ }
} else if (curr_ext_hdr_type == IP6_DESTINATON) {
info->rss_ex_src_valid =
_eth_get_rss_ex_src_addr(pkt, pkt_frags,
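Review bot: in the IP6_ROUTING branch, when `ext_hdr.ip6r_len` does not match, `info->rss_ex_dst_valid` is now left untouched, whereas the old code always assigned the helper's result (false for a wrong length). If this branch can run more than once per packet, a true value from an earlier routing header survives a later malformed one; add an `else` that sets the flag to false, or state in the commit message that the flag is only ever set and never cleared here.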
--
2.18.4

@ -0,0 +1,196 @@
From 9abf30d739cfe5a7808f1e30ec85c0cfd73b67cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Fri, 15 Jan 2021 09:43:31 +0100
Subject: net/eth: Fix stack-buffer-overflow in
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
QEMU fuzzer reported a buffer overflow in _eth_get_rss_ex_dst_addr()
reproducible as:
$ cat << EOF | ./qemu-system-i386 -M pc-q35-5.0 \
-accel qtest -monitor none \
-serial none -nographic -qtest stdio
outl 0xcf8 0x80001010
outl 0xcfc 0xe1020000
outl 0xcf8 0x80001004
outw 0xcfc 0x7
write 0x25 0x1 0x86
write 0x26 0x1 0xdd
write 0x4f 0x1 0x2b
write 0xe1020030 0x4 0x190002e1
write 0xe102003a 0x2 0x0807
write 0xe1020048 0x4 0x12077cdd
write 0xe1020400 0x4 0xba077cdd
write 0xe1020420 0x4 0x190002e1
write 0xe1020428 0x4 0x3509d807
write 0xe1020438 0x1 0xe2
EOF
=================================================================
==2859770==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdef904902 at pc 0x561ceefa78de bp 0x7ffdef904820 sp 0x7ffdef904818
READ of size 1 at 0x7ffdef904902 thread T0
#0 0x561ceefa78dd in _eth_get_rss_ex_dst_addr net/eth.c:410:17
#1 0x561ceefa41fb in eth_parse_ipv6_hdr net/eth.c:532:17
#2 0x561cef7de639 in net_tx_pkt_parse_headers hw/net/net_tx_pkt.c:228:14
#3 0x561cef7dbef4 in net_tx_pkt_parse hw/net/net_tx_pkt.c:273:9
#4 0x561ceec29f22 in e1000e_process_tx_desc hw/net/e1000e_core.c:730:29
#5 0x561ceec28eac in e1000e_start_xmit hw/net/e1000e_core.c:927:9
#6 0x561ceec1baab in e1000e_set_tdt hw/net/e1000e_core.c:2444:9
#7 0x561ceebf300e in e1000e_core_write hw/net/e1000e_core.c:3256:9
#8 0x561cef3cd4cd in e1000e_mmio_write hw/net/e1000e.c:110:5
Address 0x7ffdef904902 is located in stack of thread T0 at offset 34 in frame
#0 0x561ceefa320f in eth_parse_ipv6_hdr net/eth.c:486
This frame has 1 object(s):
[32, 34) 'ext_hdr' (line 487) <== Memory access at offset 34 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow net/eth.c:410:17 in _eth_get_rss_ex_dst_addr
Shadow bytes around the buggy address:
0x10003df188d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df188e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df188f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18910: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x10003df18920:[02]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10003df18970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Stack left redzone: f1
Stack right redzone: f3
==2859770==ABORTING
Similarly GCC 11 reports:
net/eth.c: In function 'eth_parse_ipv6_hdr':
net/eth.c:410:15: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
410 | if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
| ~~~~~^~~~~~~
net/eth.c:485:24: note: while referencing 'ext_hdr'
485 | struct ip6_ext_hdr ext_hdr;
| ^~~~~~~
net/eth.c:410:38: error: array subscript 'struct ip6_ext_hdr_routing[0]' is partly outside array bounds of 'struct ip6_ext_hdr[1]' [-Werror=array-bounds]
410 | if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
| ~~~~~^~~~~~~~~
net/eth.c:485:24: note: while referencing 'ext_hdr'
485 | struct ip6_ext_hdr ext_hdr;
| ^~~~~~~
In eth_parse_ipv6_hdr() we called iov_to_buf() to fill the 2 bytes of
the 'ext_hdr' buffer, then _eth_get_rss_ex_dst_addr() tries to access
beside the 2 filled bytes.
Fix by reworking the function, filling the full rt_hdr buffer on the
stack calling iov_to_buf() again.
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1879531
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Miroslav Rezanina <mrezanin@redhat.com>
Fixes: eb700029c78 ("net_pkt: Extend packet abstraction as required by e1000e functionality")
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
net/eth.c | 25 +++++++++++--------------
tests/qtest/fuzz-test.c | 29 +++++++++++++++++++++++++++++
2 files changed, 40 insertions(+), 14 deletions(-)
diff --git a/net/eth.c b/net/eth.c
index 7d4dd48c1f..ae4db37888 100644
--- a/net/eth.c
+++ b/net/eth.c
@@ -401,26 +401,23 @@ eth_is_ip6_extension_header_type(uint8_t hdr_type)
static bool
_eth_get_rss_ex_dst_addr(const struct iovec *pkt, int pkt_frags,
- size_t rthdr_offset,
+ size_t ext_hdr_offset,
struct ip6_ext_hdr *ext_hdr,
struct in6_address *dst_addr)
{
- struct ip6_ext_hdr_routing *rthdr = (struct ip6_ext_hdr_routing *) ext_hdr;
-
- if ((rthdr->rtype == 2) && (rthdr->segleft == 1)) {
-
- size_t input_size = iov_size(pkt, pkt_frags);
- size_t bytes_read;
+ struct ip6_ext_hdr_routing rt_hdr;
+ size_t input_size = iov_size(pkt, pkt_frags);
+ size_t bytes_read;
- if (input_size < rthdr_offset + sizeof(*ext_hdr)) {
- return false;
- }
+ if (input_size < ext_hdr_offset + sizeof(rt_hdr)) {
+ return false;
+ }
- bytes_read = iov_to_buf(pkt, pkt_frags,
- rthdr_offset + sizeof(*ext_hdr),
- dst_addr, sizeof(*dst_addr));
+ bytes_read = iov_to_buf(pkt, pkt_frags, ext_hdr_offset,
+ &rt_hdr, sizeof(rt_hdr));
- return bytes_read == sizeof(*dst_addr);
+ if ((rt_hdr.rtype == 2) && (rt_hdr.segleft == 1)) {
+ return bytes_read == sizeof(*ext_hdr) + sizeof(*dst_addr);
}
return false;
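Review bot: after this rework no added line stores anything into `dst_addr`: the removed iov_to_buf() call wrote to `dst_addr` directly, the new one fills only the local `rt_hdr`, yet the function can still return true. Fill `dst_addr` before returning, either from `rt_hdr` if that struct carries the address or with a second iov_to_buf() at `ext_hdr_offset + sizeof(rt_hdr)` (extending the `input_size` check to match). The return test `bytes_read == sizeof(*ext_hdr) + sizeof(*dst_addr)` also holds only if sizeof(rt_hdr) happens to equal that sum, and `ext_hdr` is now used for nothing but sizeof; compare against sizeof(rt_hdr) and drop the unused parameter.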
diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
index 9cb4c42bde..2692d556d9 100644
--- a/tests/qtest/fuzz-test.c
+++ b/tests/qtest/fuzz-test.c
@@ -47,6 +47,32 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
qtest_outl(s, 0x5d02, 0xebed205d);
}
+/*
+ * https://bugs.launchpad.net/qemu/+bug/1879531
+ */
+static void test_lp1879531_eth_get_rss_ex_dst_addr(void)
+{
+ QTestState *s;
+
+ s = qtest_init("-nographic -monitor none -serial none -M pc-q35-5.0");
+
+ qtest_outl(s, 0xcf8 0x80001010);
+ qtest_outl(s, 0xcfc 0xe1020000);
+ qtest_outl(s, 0xcf8 0x80001004);
+ qtest_outw(s, 0xcfc 0x7);
+ qtest_writeb(s, 0x25 0x1 0x86);
+ qtest_writeb(s, 0x26 0x1 0xdd);
+ qtest_writeb(s, 0x4f 0x1 0x2b);
+ qtest_writel(s, 0xe1020030, 0x190002e1);
+ qtest_writew(s, 0xe102003a, 0x0807);
+ qtest_writel(s, 0xe1020048, 0x12077cdd);
+ qtest_writel(s, 0xe1020400, 0xba077cdd);
+ qtest_writel(s, 0xe1020420, 0x190002e1);
+ qtest_writel(s, 0xe1020428, 0x3509d807);
+ qtest_writeb(s, 0xe1020438, 0xe2);
+ qtest_quit(s);
+}
+
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
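Review bot: the first seven calls in test_lp1879531_eth_get_rss_ex_dst_addr() will not compile: `qtest_outl(s, 0xcf8 0x80001010);` and the outl/outw/writeb lines after it are missing the commas between arguments. The three early qtest_writeb() calls also keep the `0x1` length field from the reproducer's `write addr len data` syntax, which the later `qtest_writeb(s, 0xe1020438, 0xe2);` shows is not a parameter. Write them as `qtest_outl(s, 0xcf8, 0x80001010);` and `qtest_writeb(s, 0x25, 0x86);`, and build the test once before merging so the regression case actually runs.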
@@ -58,6 +84,9 @@ int main(int argc, char **argv)
test_lp1878263_megasas_zero_iov_cnt);
qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
test_lp1878642_pci_bus_get_irq_level_assert);
+ qtest_add_func("fuzz/test_lp1879531_eth_get_rss_ex_dst_addr",
+ test_lp1879531_eth_get_rss_ex_dst_addr);
+
}
return g_test_run();
--
2.18.4

@ -64,7 +64,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm
Version: 5.2.0
Release: 2%{?dist}
Release: 2.1%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 15
License: GPLv2 and GPLv2+ and CC-BY
@ -124,6 +124,11 @@ Patch0024: 0024-redhat-s390x-add-rhel-8.4.0-compat-machine.patch
Patch0027: 0027-block-vpc-Make-vpc_open-read-the-full-dynamic-header.patch
Patch0028: 0028-GCC-11-warnings-hacks.patch
Patch0029: 0029-Disable-problematic-tests-for-initial-build.patch
Patch0030: 0030-Revert-GCC-11-warnings-hacks.patch
Patch0031: 0031-s390x-Use-strpadcpy-for-copying-vm-name.patch
Patch0032: 0032-tcg-Restrict-tcg_out_op-to-arrays-of-TCG_MAX_OP_ARGS.patch
Patch0033: 0033-net-eth-Simplify-_eth_get_rss_ex_dst_addr.patch
Patch0034: 0034-net-eth-Fix-stack-buffer-overflow-in.patch
BuildRequires: wget
BuildRequires: rpm-build
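Review bot: Patch0028 (GCC 11 warnings hacks) stays in the list and Patch0030 reverts it in full, so every build applies the hack and then removes it again. Unless the existing patch numbering has to be preserved, drop both 0028 and 0030 and keep only 0031 to 0034; if they must stay, a spec comment beside Patch0030 saying it cancels 0028 will help at the next rebase.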
@ -253,14 +258,12 @@ hardware for a full system such as a PC and its associated peripherals.
Summary: qemu-kvm core components
Requires: %{name}-common = %{epoch}:%{version}-%{release}
Requires: qemu-img = %{epoch}:%{version}-%{release}
# Temporary disable edk2 dependency as there's no edk2 available yet
#%ifarch %{ix86} x86_64
#Requires: edk2-ovmf
#%endif
#%ifarch aarch64
#Requires: edk2-aarch64
#%endif
%ifarch %{ix86} x86_64
Requires: edk2-ovmf
%endif
%ifarch aarch64
Requires: edk2-aarch64
%endif
%ifarch %{power64}
Requires: SLOF >= %{SLOF_gittagdate}-1.git%{SLOF_gittagcommit}
@ -1306,9 +1309,6 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
%changelog
* Tue Jan 05 2021 Miroslav Rezanina <mrezanin@redhat.com> - 5.2.0-2.el9
- Rebuild for RHEL 9
* Tue Dec 15 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 5.2.0-2.el8
- kvm-redhat-Define-hw_compat_8_3.patch [bz#1893935]
- kvm-redhat-Add-spapr_machine_rhel_default_class_options.patch [bz#1893935]
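Review bot: Release goes to 2.1, five patches are added and the edk2 Requires are re-enabled, but this %changelog hunk only shrinks (9 lines to 6) and adds no entry. Add a changelog entry for 5.2.0-2.1 covering the edk2 dependency and the GCC 11 fixes, and confirm that removing the existing lines is intended.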