* Sun Feb 23 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-11.el8

- kvm-spapr-Enable-DD2.3-accelerated-count-cache-flush-in-.patch [bz#1796240]
- kvm-util-add-slirp_fmt-helpers.patch [bz#1798994]
- kvm-tcp_emu-fix-unsafe-snprintf-usages.patch [bz#1798994]
- kvm-virtio-add-ability-to-delete-vq-through-a-pointer.patch [bz#1791590]
- kvm-virtio-make-virtio_delete_queue-idempotent.patch [bz#1791590]
- kvm-virtio-reset-region-cache-when-on-queue-deletion.patch [bz#1791590]
- kvm-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch [bz#1791590]
- Resolves: bz#1791590
  ([Q35] No "DEVICE_DELETED" event in qmp after unplug virtio-net-pci device)
- Resolves: bz#1796240
  (Enable hw accelerated cache-count-flush by default for POWER9 DD2.3 cpus)
- Resolves: bz#1798994
  (CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-av-8.2.0])
Danilo C. L. de Paula 2020-02-23 05:41:47 +00:00
parent fda7fbcd8d
commit 77ffa9e8e9
8 changed files with 671 additions and 1 deletions

@ -0,0 +1,135 @@
From eb121ffa97c1c25d7853d51b4c8209c0bb521deb Mon Sep 17 00:00:00 2001
From: David Gibson <dgibson@redhat.com>
Date: Fri, 7 Feb 2020 00:57:04 +0000
Subject: [PATCH 1/7] spapr: Enable DD2.3 accelerated count cache flush in
pseries-5.0 machine
RH-Author: David Gibson <dgibson@redhat.com>
Message-id: <20200207005704.194428-1-dgibson@redhat.com>
Patchwork-id: 93737
O-Subject: [RHEL-AV-8.2 qemu-kvm PATCHv2] spapr: Enable DD2.3 accelerated count cache flush in pseries-5.0 machine
Bugzilla: 1796240
RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: David Gibson <david@gibson.dropbear.id.au>
For POWER9 DD2.2 cpus, the best current Spectre v2 indirect branch
mitigation is "count cache disabled", which is configured with:
-machine cap-ibs=fixed-ccd
However, this option isn't available on DD2.3 CPUs with KVM, because they
don't have the count cache disabled.
For POWER9 DD2.3 cpus, it is "count cache flush with assist", configured
with:
-machine cap-ibs=workaround,cap-ccf-assist=on
However this option isn't available on DD2.2 CPUs with KVM, because they
don't have the special CCF assist instruction this relies on.
On current machine types, we default to "count cache flush w/o assist",
that is:
-machine cap-ibs=workaround,cap-ccf-assist=off
This runs, with mitigation on both DD2.2 and DD2.3 host cpus, but has a
fairly significant performance impact.
It turns out we can do better. The special instruction that CCF assist
uses to trigger a count cache flush is a no-op on earlier CPUs, rather than
trapping or causing other badness. It doesn't, of itself, implement the
mitigation, but *if* we have count-cache-disabled, then the count cache
flush is unnecessary, and so using the count cache flush mitigation is
harmless.
Therefore for the new pseries-5.0 machine type, enable cap-ccf-assist by
default. Along with that, suppress throwing an error if cap-ccf-assist
is selected but KVM doesn't support it, as long as KVM *is* giving us
count-cache-disabled. To allow TCG to work out of the box, even though it
doesn't implement the ccf flush assist, downgrade the error in that case to
a warning. This matches several Spectre mitigations where we allow TCG
to operate for debugging, since we don't really make guarantees about TCG
security properties anyway.
While we're there, make the TCG warning for this case match that for other
mitigations.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Tested-by: Michael Ellerman <mpe@ellerman.id.au>
(cherry picked from commit 37965dfe4dffa3ac49438337417608e7f346b58a)
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
Conflicts:
hw/ppc/spapr.c
Adjusted machine version compatibility code to the RHEL machine types
rather than the upstream machine types.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1796240
Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=26285002
Branch: rhel-av-8.2.0
Upstream: Merged for qemu-5.0
Signed-off-by: David Gibson <dgibson@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/ppc/spapr.c | 4 +++-
hw/ppc/spapr_caps.c | 21 +++++++++++++++++----
2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index c12862d..a330f03 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -4440,7 +4440,7 @@ static void spapr_machine_class_init(ObjectClass *oc, void *data)
smc->default_caps.caps[SPAPR_CAP_HPT_MAXPAGESIZE] = 16; /* 64kiB */
smc->default_caps.caps[SPAPR_CAP_NESTED_KVM_HV] = SPAPR_CAP_OFF;
smc->default_caps.caps[SPAPR_CAP_LARGE_DECREMENTER] = SPAPR_CAP_ON;
- smc->default_caps.caps[SPAPR_CAP_CCF_ASSIST] = SPAPR_CAP_OFF;
+ smc->default_caps.caps[SPAPR_CAP_CCF_ASSIST] = SPAPR_CAP_ON;
spapr_caps_add_properties(smc, &error_abort);
smc->irq = &spapr_irq_dual;
smc->dr_phb_enabled = true;
@@ -4904,6 +4904,8 @@ static void spapr_machine_rhel810_class_options(MachineClass *mc)
hw_compat_rhel_8_1_len);
compat_props_add(mc->compat_props, compat, G_N_ELEMENTS(compat));
+ /* from pseries-4.2 */
+ smc->default_caps.caps[SPAPR_CAP_CCF_ASSIST] = SPAPR_CAP_OFF;
}
DEFINE_SPAPR_MACHINE(rhel810, "rhel8.1.0", false);
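Review bot: the new comment `/* from pseries-4.2 */` names the upstream machine type that the Conflicts note says was replaced by the RHEL types here; stating that rhel8.1.0 keeps the pseries-4.2 default (SPAPR_CAP_OFF) would make the override self-explanatory. Please also confirm that the older rhel8.x.0 class options chain through spapr_machine_rhel810_class_options(), otherwise they would inherit the new SPAPR_CAP_ON default from the first hunk and change guest-visible mitigation state across migration.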
diff --git a/hw/ppc/spapr_caps.c b/hw/ppc/spapr_caps.c
index 805f385..6e6fb28 100644
--- a/hw/ppc/spapr_caps.c
+++ b/hw/ppc/spapr_caps.c
@@ -492,11 +492,24 @@ static void cap_ccf_assist_apply(SpaprMachineState *spapr, uint8_t val,
uint8_t kvm_val = kvmppc_get_cap_count_cache_flush_assist();
if (tcg_enabled() && val) {
- /* TODO - for now only allow broken for TCG */
- error_setg(errp,
-"Requested count cache flush assist capability level not supported by tcg,"
- " try appending -machine cap-ccf-assist=off");
+ /* TCG doesn't implement anything here, but allow with a warning */
+ warn_report("TCG doesn't support requested feature, cap-ccf-assist=on");
} else if (kvm_enabled() && (val > kvm_val)) {
+ uint8_t kvm_ibs = kvmppc_get_cap_safe_indirect_branch();
+
+ if (kvm_ibs == SPAPR_CAP_FIXED_CCD) {
+ /*
+ * If we don't have CCF assist on the host, the assist
+ * instruction is a harmless no-op. It won't correctly
+ * implement the cache count flush *but* if we have
+ * count-cache-disabled in the host, that flush is
+ * unnnecessary. So, specifically allow this case. This
+ * allows us to have better performance on POWER9 DD2.3,
+ * while still working on POWER9 DD2.2 and POWER8 host
+ * cpus.
+ */
+ return;
+ }
error_setg(errp,
"Requested count cache flush assist capability level not supported by kvm,"
" try appending -machine cap-ccf-assist=off");
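Review bot: typo in the new comment, "unnnecessary". The early `return` when kvm_ibs == SPAPR_CAP_FIXED_CCD accepts cap-ccf-assist=on on a host that cannot honour it; the comment explains why that is safe, but since the guest is then told to use a flush-assist instruction that is a no-op while the host's count-cache-disabled does the real work, it is worth stating that dependency at the `return` itself so a later change to the cap-ibs handling does not break it silently. The TCG branch now only warn_report()s, so a TCG guest reports itself mitigated without being so; the commit message accepts that as consistent with the other mitigations, but the warning text should say so as the others do.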
--
1.8.3.1

@ -0,0 +1,149 @@
From 9a7810c257711ce02627916d886fc1029f7a8190 Mon Sep 17 00:00:00 2001
From: jmaloy <jmaloy@redhat.com>
Date: Thu, 13 Feb 2020 15:50:49 +0000
Subject: [PATCH 3/7] tcp_emu: fix unsafe snprintf() usages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: jmaloy <jmaloy@redhat.com>
Message-id: <20200213155049.3936-3-jmaloy@redhat.com>
Patchwork-id: 93826
O-Subject: [RHEL-AV-8.2.0 qemu-kvm PATCH 2/2] tcp_emu: fix unsafe snprintf() usages
Bugzilla: 1798994
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
From: Marc-André Lureau <marcandre.lureau@redhat.com>
Various calls to snprintf() assume that snprintf() returns "only" the
number of bytes written (excluding terminating NUL).
https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."
Before patch ce131029, if there isn't enough room in "m_data" for the
"DCC ..." message, we overflow "m_data".
After the patch, if there isn't enough room for the same, we don't
overflow "m_data", but we set "m_len" out-of-bounds. The next time an
access is bounded by "m_len", we'll have a buffer overflow then.
Use slirp_fmt*() to fix potential OOB memory access.
Reported-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
(cherry picked from libslirp commit 68ccb8021a838066f0951d4b2817eb6b6f10a843)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
slirp/src/tcp_subr.c | 44 +++++++++++++++++++++-----------------------
1 file changed, 21 insertions(+), 23 deletions(-)
diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
index 954d1a6..26d4ead 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -655,8 +655,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
NTOHS(n1);
NTOHS(n2);
m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1);
- m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
- assert(m->m_len < M_ROOM(m));
+ m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
} else {
*eol = '\r';
}
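Review bot: dropping the assert() is sound only because m_inc() two lines above reserves snprintf(NULL, 0, ...) + 1 bytes computed from the same format, so slirp_fmt() cannot truncate here and its MIN(rv, size) return keeps m_len within M_ROOM(m) anyway; a one-line comment tying the m_inc() size to the format would make that invariant visible to the next reader.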
@@ -696,9 +695,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
- "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
- n5, n6, x == 7 ? buff : "");
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
return 1;
} else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) {
/*
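Review bot: M_FREEROOM(m) is evaluated after m_len has just been rewound to bptr - m_data, so the bound handed to slirp_fmt() is the room from bptr to the end of the buffer; that ordering is now load-bearing, since the bound is what stops the overflow, and deserves a comment on the `m->m_len = bptr - m->m_data;` line. On truncation slirp_fmt() caps the added length at the buffer end, so what gets dropped is the tail of the rewritten reply (the `%s` part), and the only signal is the g_critical() inside the helper.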
@@ -731,10 +730,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
- n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
-
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
return 1;
}
@@ -757,8 +755,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
(so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
htons(lport), SS_FACCEPTONCE)) != NULL)
- m->m_len = snprintf(m->m_data, M_ROOM(m),
- "%d", ntohs(so->so_fport)) + 1;
+ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m),
+ "%d", ntohs(so->so_fport));
return 1;
case EMU_IRC:
@@ -777,10 +775,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
- "DCC CHAT chat %lu %u%c\n",
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), 1);
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "DCC CHAT chat %lu %u%c\n",
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), 1);
} else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
&n1) == 4) {
if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr),
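Review bot: the bare `1` passed for the `%c` conversion is the CTCP delimiter byte 0x01; readers may take it for a count, so a named constant or a comment on this first of the three DCC rewrites would help. The `%256s` in the sscanf() on the following context line bounds the copy into `buff` only if `buff` holds at least 257 bytes; that declaration is outside the hunk, so please confirm it.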
@@ -788,10 +786,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
- "DCC SEND %s %lu %u %u%c\n", buff,
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), n1, 1);
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "DCC SEND %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
} else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
&n1) == 4) {
if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr),
@@ -799,10 +797,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
- "DCC MOVE %s %lu %u %u%c\n", buff,
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), n1, 1);
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "DCC MOVE %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
}
return 1;
--
1.8.3.1

@ -0,0 +1,140 @@
From 5dc50c6bca059a9cda6677b1fd0187df1de78ed7 Mon Sep 17 00:00:00 2001
From: jmaloy <jmaloy@redhat.com>
Date: Thu, 13 Feb 2020 15:50:48 +0000
Subject: [PATCH 2/7] util: add slirp_fmt() helpers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: jmaloy <jmaloy@redhat.com>
Message-id: <20200213155049.3936-2-jmaloy@redhat.com>
Patchwork-id: 93824
O-Subject: [RHEL-AV-8.2.0 qemu-kvm PATCH 1/2] util: add slirp_fmt() helpers
Bugzilla: 1798994
RH-Acked-by: Eduardo Habkost <ehabkost@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
From: Marc-André Lureau <marcandre.lureau@redhat.com>
Various calls to snprintf() in libslirp assume that snprintf() returns
"only" the number of bytes written (excluding terminating NUL).
https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."
Introduce slirp_fmt() that handles several pathological cases the
way libslirp usually expects:
- treat error as fatal (instead of silently returning -1)
- fmt0() will always \0 end
- return the number of bytes actually written (instead of what would
have been written, which would usually result in OOB later), including
the ending \0 for fmt0()
- warn if truncation happened (instead of ignoring)
Other less common cases can still be handled with strcpy/snprintf() etc.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com>
(cherry picked from libslirp commit 30648c03b27fb8d9611b723184216cd3174b6775)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
slirp/src/util.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
slirp/src/util.h | 3 +++
2 files changed, 65 insertions(+)
diff --git a/slirp/src/util.c b/slirp/src/util.c
index e596087..e3b6257 100644
--- a/slirp/src/util.c
+++ b/slirp/src/util.c
@@ -364,3 +364,65 @@ void slirp_pstrcpy(char *buf, int buf_size, const char *str)
}
*q = '\0';
}
+
+static int slirp_vsnprintf(char *str, size_t size,
+ const char *format, va_list args)
+{
+ int rv = vsnprintf(str, size, format, args);
+
+ if (rv < 0) {
+ g_error("vsnprintf() failed: %s", g_strerror(errno));
+ }
+
+ return rv;
+}
+
+/*
+ * A snprintf()-like function that:
+ * - returns the number of bytes written (excluding optional \0-ending)
+ * - dies on error
+ * - warn on truncation
+ */
+int slirp_fmt(char *str, size_t size, const char *format, ...)
+{
+ va_list args;
+ int rv;
+
+ va_start(args, format);
+ rv = slirp_vsnprintf(str, size, format, args);
+ va_end(args);
+
+ if (rv > size) {
+ g_critical("vsnprintf() truncation");
+ }
+
+ return MIN(rv, size);
+}
+
+/*
+ * A snprintf()-like function that:
+ * - always \0-end (unless size == 0)
+ * - returns the number of bytes actually written, including \0 ending
+ * - dies on error
+ * - warn on truncation
+ */
+int slirp_fmt0(char *str, size_t size, const char *format, ...)
+{
+ va_list args;
+ int rv;
+
+ va_start(args, format);
+ rv = slirp_vsnprintf(str, size, format, args);
+ va_end(args);
+
+ if (rv >= size) {
+ g_critical("vsnprintf() truncation");
+ if (size > 0)
+ str[size - 1] = '\0';
+ rv = size;
+ } else {
+ rv += 1; /* include \0 */
+ }
+
+ return rv;
+}
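Review bot: the truncation test in slirp_fmt() should be `rv >= size`, not `rv > size`. vsnprintf() reserves the last byte of `size` for the NUL, so when the formatted string is exactly `size` characters long it returns `size` and has already dropped the final character; with the current check no g_critical() is raised, and MIN(rv, size) reports `size` bytes written although only `size - 1` characters were stored and the last byte is the terminator. slirp_fmt0() gets this right with `rv >= size`. Comparing the int `rv` against the size_t `size` also triggers sign-compare warnings; since slirp_vsnprintf() has already ruled out negatives, cast `rv` to size_t for the comparison.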
diff --git a/slirp/src/util.h b/slirp/src/util.h
index 3c6223c..0558dfc 100644
--- a/slirp/src/util.h
+++ b/slirp/src/util.h
@@ -177,4 +177,7 @@ static inline int slirp_socket_set_fast_reuse(int fd)
void slirp_pstrcpy(char *buf, int buf_size, const char *str);
+int slirp_fmt(char *str, size_t size, const char *format, ...);
+int slirp_fmt0(char *str, size_t size, const char *format, ...);
+
#endif
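Review bot: annotate both prototypes with G_GNUC_PRINTF(3, 4) so the compiler checks each format string against its arguments at the call site; these wrappers are replacing snprintf() throughout tcp_emu(), and losing that check there would be a regression.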
--
1.8.3.1
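The snprintf() accounting problem described in the two libslirp commit messages above (the tcp_emu() fix and the slirp_fmt() helpers), reproduced on a toy buffer as an added example; this is not code from the patches or from libslirp. The toy mbuf, its ROOM size and the names append_unchecked/vfmt_bounded/append_bounded are constructed for the example, and the bounded wrapper uses `rv >= size` as its truncation test.

```c
/*
 * Added example, not code from the qemu-kvm or libslirp patches. It
 * reproduces the snprintf() accounting bug behind CVE-2020-8608 on a toy
 * buffer and shows a bounded replacement in the spirit of slirp_fmt().
 */
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ROOM 16 /* constructed: bytes available in the toy buffer */

struct toy_mbuf {
    char data[ROOM];
    size_t len; /* bytes later code treats as valid payload, like m_len */
};

/* Vulnerable pattern: takes snprintf()'s return value as "bytes written". */
static void append_unchecked(struct toy_mbuf *m, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    /* vsnprintf() returns the length the whole string WOULD have had. */
    m->len += (size_t)vsnprintf(m->data + m->len, ROOM - m->len, fmt, ap);
    va_end(ap);
}

/* Bounded formatter: returns the bytes actually stored (excluding the NUL)
 * and reports truncation. vsnprintf() keeps one byte for the NUL, so the
 * output is already cut when rv == size; the test must be >=, not >. */
static int vfmt_bounded(char *dst, size_t size, bool *truncated,
                        const char *fmt, va_list ap)
{
    int rv = vsnprintf(dst, size, fmt, ap);
    *truncated = rv >= 0 && (size_t)rv >= size;
    if (rv < 0 || !*truncated) {
        return rv; /* -1 on encoding error, else the exact byte count */
    }
    return size ? (int)(size - 1) : 0; /* what vsnprintf() really stored */
}

/* Hardened pattern: len never exceeds ROOM and truncation is observable. */
static bool append_bounded(struct toy_mbuf *m, const char *fmt, ...)
{
    va_list ap;
    bool truncated;
    int rv;
    va_start(ap, fmt);
    rv = vfmt_bounded(m->data + m->len, ROOM - m->len, &truncated, fmt, ap);
    va_end(ap);
    if (rv < 0) {
        return false; /* encoding error: leave len untouched */
    }
    m->len += (size_t)rv;
    return !truncated;
}

/* 20 characters into 16 bytes: the unchecked path sets len past the buffer. */
size_t unchecked_len_after_overflow(void)
{
    struct toy_mbuf m = { .len = 0 };
    append_unchecked(&m, "%s", "0123456789ABCDEFGHIJ");
    return m.len; /* 20: four bytes beyond ROOM, the m_len bug */
}

/* Same input through the bounded path: len stops at ROOM - 1. */
size_t bounded_len_after_overflow(void)
{
    struct toy_mbuf m = { .len = 0 };
    append_bounded(&m, "%s", "0123456789ABCDEFGHIJ");
    return m.len; /* 15 */
}

/* Exactly 16 characters into 16 bytes: rv == size, which is still truncated. */
bool exact_fit_is_truncated(void)
{
    struct toy_mbuf m = { .len = 0 };
    bool ok = append_bounded(&m, "%s", "0123456789ABCDEF");
    return !ok && m.len == ROOM - 1;
}
```

The last function is the case a `rv > size` check misses: the formatted text fills the buffer exactly, vsnprintf() still drops one character to fit the NUL, and only a `>=` test reports it.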

@ -0,0 +1,80 @@
From b395ad369278d0923a590975fabbb99ec7716c6b Mon Sep 17 00:00:00 2001
From: Julia Suvorova <jusual@redhat.com>
Date: Wed, 19 Feb 2020 21:34:28 +0000
Subject: [PATCH 4/7] virtio: add ability to delete vq through a pointer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Julia Suvorova <jusual@redhat.com>
Message-id: <20200219213431.11913-2-jusual@redhat.com>
Patchwork-id: 93980
O-Subject: [RHEL-AV-8.2.0 qemu-kvm PATCH 1/4] virtio: add ability to delete vq through a pointer
Bugzilla: 1791590
RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
From: "Michael S. Tsirkin" <mst@redhat.com>
Devices tend to maintain vq pointers, allow deleting them through a vq pointer.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
(cherry picked from commit 722f8c51d8af223751dfb1d02de40043e8ba067e)
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/virtio/virtio.c | 15 ++++++++++-----
include/hw/virtio/virtio.h | 2 ++
2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 3211135..d63a369 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -2335,17 +2335,22 @@ VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size,
return &vdev->vq[i];
}
+void virtio_delete_queue(VirtQueue *vq)
+{
+ vq->vring.num = 0;
+ vq->vring.num_default = 0;
+ vq->handle_output = NULL;
+ vq->handle_aio_output = NULL;
+ g_free(vq->used_elems);
+}
+
void virtio_del_queue(VirtIODevice *vdev, int n)
{
if (n < 0 || n >= VIRTIO_QUEUE_MAX) {
abort();
}
- vdev->vq[n].vring.num = 0;
- vdev->vq[n].vring.num_default = 0;
- vdev->vq[n].handle_output = NULL;
- vdev->vq[n].handle_aio_output = NULL;
- g_free(vdev->vq[n].used_elems);
+ virtio_delete_queue(&vdev->vq[n]);
}
static void virtio_set_isr(VirtIODevice *vdev, int value)
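Review bot: virtio_delete_queue() g_free()s vq->used_elems but leaves the pointer in place, so a second call on the same queue is a double free; add `vq->used_elems = NULL;` after the g_free(). The next patch in this series ("make virtio_delete_queue idempotent") does exactly that, so the two could be squashed.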
diff --git a/include/hw/virtio/virtio.h b/include/hw/virtio/virtio.h
index 6a20442..91167f6 100644
--- a/include/hw/virtio/virtio.h
+++ b/include/hw/virtio/virtio.h
@@ -183,6 +183,8 @@ VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size,
void virtio_del_queue(VirtIODevice *vdev, int n);
+void virtio_delete_queue(VirtQueue *vq);
+
void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem,
unsigned int len);
void virtqueue_flush(VirtQueue *vq, unsigned int count);
--
1.8.3.1

@ -0,0 +1,42 @@
From 901e65fa6ccbadeacd6c585cf49a0a7cdafb4737 Mon Sep 17 00:00:00 2001
From: Julia Suvorova <jusual@redhat.com>
Date: Wed, 19 Feb 2020 21:34:29 +0000
Subject: [PATCH 5/7] virtio: make virtio_delete_queue idempotent
RH-Author: Julia Suvorova <jusual@redhat.com>
Message-id: <20200219213431.11913-3-jusual@redhat.com>
Patchwork-id: 93981
O-Subject: [RHEL-AV-8.2.0 qemu-kvm PATCH 2/4] virtio: make virtio_delete_queue idempotent
Bugzilla: 1791590
RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
From: "Michael S. Tsirkin" <mst@redhat.com>
Let's make sure calling this twice is harmless -
no known instances, but seems safer.
Suggested-by: Pan Nengyuan <pannengyuan@huawei.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 8cd353ea0fbf0e334e015d833f612799be642296)
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/virtio/virtio.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index d63a369..e6a9ba4 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -2342,6 +2342,7 @@ void virtio_delete_queue(VirtQueue *vq)
vq->handle_output = NULL;
vq->handle_aio_output = NULL;
g_free(vq->used_elems);
+ vq->used_elems = NULL;
}
void virtio_del_queue(VirtIODevice *vdev, int n)
--
1.8.3.1

@ -0,0 +1,49 @@
From 2f494c41715193522c52eafc6af2a5e33f88ceb9 Mon Sep 17 00:00:00 2001
From: Julia Suvorova <jusual@redhat.com>
Date: Wed, 19 Feb 2020 21:34:31 +0000
Subject: [PATCH 7/7] virtio-net: delete also control queue when TX/RX deleted
RH-Author: Julia Suvorova <jusual@redhat.com>
Message-id: <20200219213431.11913-5-jusual@redhat.com>
Patchwork-id: 93983
O-Subject: [RHEL-AV-8.2.0 qemu-kvm PATCH 4/4] virtio-net: delete also control queue when TX/RX deleted
Bugzilla: 1791590
RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
From: Yuri Benditovich <yuri.benditovich@daynix.com>
https://bugzilla.redhat.com/show_bug.cgi?id=1708480
If the control queue is not deleted together with TX/RX, it
later will be ignored in freeing cache resources and hot
unplug will not be completed.
Cc: qemu-stable@nongnu.org
Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
Message-Id: <20191226043649.14481-3-yuri.benditovich@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit d945d9f1731244ef341f74ede93120fc9de35913)
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/net/virtio-net.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index db3d7c3..f325440 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -3101,7 +3101,8 @@ static void virtio_net_device_unrealize(DeviceState *dev, Error **errp)
for (i = 0; i < max_queues; i++) {
virtio_net_del_queue(n, i);
}
-
+ /* delete also control vq */
+ virtio_del_queue(vdev, max_queues * 2);
qemu_announce_timer_del(&n->announce_timer, false);
g_free(n->vqs);
qemu_del_nic(n->nic);
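Review bot: `max_queues * 2` hard-codes the assumption that the control queue is the one added right after the max_queues RX/TX pairs; if virtio-net keeps a pointer to its control queue, deleting it through virtio_delete_queue() (added earlier in this series) would not depend on that layout. Either way, the comment should say why that index is the control queue rather than only that it is being deleted.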
--
1.8.3.1

@ -0,0 +1,46 @@
From 8bf4f561262d9282cebdb3418cdb9a69c92216a0 Mon Sep 17 00:00:00 2001
From: Julia Suvorova <jusual@redhat.com>
Date: Wed, 19 Feb 2020 21:34:30 +0000
Subject: [PATCH 6/7] virtio: reset region cache when on queue deletion
RH-Author: Julia Suvorova <jusual@redhat.com>
Message-id: <20200219213431.11913-4-jusual@redhat.com>
Patchwork-id: 93982
O-Subject: [RHEL-AV-8.2.0 qemu-kvm PATCH 3/4] virtio: reset region cache when on queue deletion
Bugzilla: 1791590
RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Michael S. Tsirkin <mst@redhat.com>
From: Yuri Benditovich <yuri.benditovich@daynix.com>
https://bugzilla.redhat.com/show_bug.cgi?id=1708480
Fix leak of region reference that prevents complete
device deletion on hot unplug.
Cc: qemu-stable@nongnu.org
Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
Message-Id: <20191226043649.14481-2-yuri.benditovich@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 421afd2fe8dd4603216cbf36081877c391f5a2a4)
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/virtio/virtio.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index e6a9ba4..f644d9a 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -2343,6 +2343,7 @@ void virtio_delete_queue(VirtQueue *vq)
vq->handle_aio_output = NULL;
g_free(vq->used_elems);
vq->used_elems = NULL;
+ virtio_virtqueue_reset_region_cache(vq);
}
void virtio_del_queue(VirtIODevice *vdev, int n)
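Review bot: virtio_virtqueue_reset_region_cache() is now called from a function that the previous patch made safe to call twice; please confirm it tolerates an already-reset cache so that property still holds, and that it is declared above this point in virtio.c.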
--
1.8.3.1

@ -67,7 +67,7 @@ Obsoletes: %1-rhev
Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm
Version: 4.2.0
Release: 10%{?dist}
Release: 11%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 15
License: GPLv2 and GPLv2+ and CC-BY
@ -494,6 +494,20 @@ Patch178: kvm-iotests-Test-handling-of-AioContexts-with-some-block.patch
Patch179: kvm-target-arm-monitor-query-cpu-model-expansion-crashed.patch
# For bz#1801320 - aarch64: backport query-cpu-model-expansion and adjvtime document fixes
Patch180: kvm-docs-arm-cpu-features-Make-kvm-no-adjvtime-comment-c.patch
# For bz#1796240 - Enable hw accelerated cache-count-flush by default for POWER9 DD2.3 cpus
Patch181: kvm-spapr-Enable-DD2.3-accelerated-count-cache-flush-in-.patch
# For bz#1798994 - CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-av-8.2.0]
Patch182: kvm-util-add-slirp_fmt-helpers.patch
# For bz#1798994 - CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-av-8.2.0]
Patch183: kvm-tcp_emu-fix-unsafe-snprintf-usages.patch
# For bz#1791590 - [Q35] No "DEVICE_DELETED" event in qmp after unplug virtio-net-pci device
Patch184: kvm-virtio-add-ability-to-delete-vq-through-a-pointer.patch
# For bz#1791590 - [Q35] No "DEVICE_DELETED" event in qmp after unplug virtio-net-pci device
Patch185: kvm-virtio-make-virtio_delete_queue-idempotent.patch
# For bz#1791590 - [Q35] No "DEVICE_DELETED" event in qmp after unplug virtio-net-pci device
Patch186: kvm-virtio-reset-region-cache-when-on-queue-deletion.patch
# For bz#1791590 - [Q35] No "DEVICE_DELETED" event in qmp after unplug virtio-net-pci device
Patch187: kvm-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch
BuildRequires: wget
BuildRequires: rpm-build
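Review bot: patch order is correct and matters: Patch182 (the slirp_fmt helpers) precedes Patch183, which calls slirp_fmt()/slirp_fmt0(), and Patch186 relies on the `vq->used_elems = NULL;` context line that Patch185 adds, so neither pair can be swapped. The four identical bz#1791590 comment lines above Patch184..187 could be a single comment if the dist-git tooling allows it.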
@ -1427,6 +1441,21 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%changelog
* Sun Feb 23 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-11.el8
- kvm-spapr-Enable-DD2.3-accelerated-count-cache-flush-in-.patch [bz#1796240]
- kvm-util-add-slirp_fmt-helpers.patch [bz#1798994]
- kvm-tcp_emu-fix-unsafe-snprintf-usages.patch [bz#1798994]
- kvm-virtio-add-ability-to-delete-vq-through-a-pointer.patch [bz#1791590]
- kvm-virtio-make-virtio_delete_queue-idempotent.patch [bz#1791590]
- kvm-virtio-reset-region-cache-when-on-queue-deletion.patch [bz#1791590]
- kvm-virtio-net-delete-also-control-queue-when-TX-RX-dele.patch [bz#1791590]
- Resolves: bz#1791590
([Q35] No "DEVICE_DELETED" event in qmp after unplug virtio-net-pci device)
- Resolves: bz#1796240
(Enable hw accelerated cache-count-flush by default for POWER9 DD2.3 cpus)
- Resolves: bz#1798994
(CVE-2020-8608 qemu-kvm: QEMU: Slirp: potential OOB access due to unsafe snprintf() usages [rhel-av-8.2.0])
* Fri Feb 14 2020 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-10.el8
- kvm-i386-Resolve-CPU-models-to-v1-by-default.patch [bz#1779078 bz#1787291 bz#1779078 bz#1779078]
- kvm-iotests-Support-job-complete-in-run_job.patch [bz#1781637]