import qemu-kvm-6.2.0-11.el9_0.3

SOURCES/kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch

@@ -0,0 +1,107 @@
+From 5688fdb9a3ed192b85dca84c47a7ddfd325778d9 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Thu, 24 Mar 2022 16:04:57 +0100
+Subject: [PATCH 1/3] RHEL: disable "seqpacket" for "vhost-vsock-device" in
+ rhel8.6.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Stefano Garzarella <sgarzare@redhat.com>
+RH-MergeRequest: 135: RHEL: disable "seqpacket" for "vhost-vsock-device" in rhel8.6.0  [rhel-9.0.0.z]
+RH-Commit: [1/1] 5ee0de3110deaa0222c9783c00168b536b0c8934
+RH-Bugzilla: 2071102
+RH-Acked-by: Jason Wang <jasowang@redhat.com>
+RH-Acked-by: Eugenio Pérez <eperezma@redhat.com>
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+vhost-vsock device in RHEL 8 kernels doesn't support seqpacket.
+To avoid problems when migrating a VM from RHEL 9 host, we need to
+disable it in rhel8-* machine types.
+
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+---
+ hw/core/machine.c          | 10 ++++++++++
+ hw/i386/pc_piix.c          |  2 ++
+ hw/i386/pc_q35.c           |  2 ++
+ hw/s390x/s390-virtio-ccw.c |  1 +
+ include/hw/boards.h        |  3 +++
+ 5 files changed, 18 insertions(+)
+
+diff --git a/hw/core/machine.c b/hw/core/machine.c
+index 5fae55d6cd..7dcceb904a 100644
+--- a/hw/core/machine.c
++++ b/hw/core/machine.c
+@@ -43,6 +43,16 @@
+ const char *rhel_old_machine_deprecation =
+     "machine types for previous major releases are deprecated";
+ 
++GlobalProperty hw_compat_rhel_8_6[] = {
++    /* hw_compat_rhel_8_6 bz 2065589 */
++    /*
++     * vhost-vsock device in RHEL 8 kernels doesn't support seqpacket, so
++     * we need do disable it downstream on the latest hw_compat_rhel_8.
++     */
++    { "vhost-vsock-device", "seqpacket", "off" },
++};
++const size_t hw_compat_rhel_8_6_len = G_N_ELEMENTS(hw_compat_rhel_8_6);
++
+ /*
+  * Mostly the same as hw_compat_6_0 and hw_compat_6_1
+  */
+diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
+index cf68d7498c..08579366b6 100644
+--- a/hw/i386/pc_piix.c
++++ b/hw/i386/pc_piix.c
+@@ -998,6 +998,8 @@ static void pc_machine_rhel760_options(MachineClass *m)
+     pcmc->kvmclock_create_always = false;
+     /* From pc_i440fx_5_1_machine_options() */
+     pcmc->pci_root_uid = 1;
++    compat_props_add(m->compat_props, hw_compat_rhel_8_6,
++                     hw_compat_rhel_8_6_len);
+     compat_props_add(m->compat_props, hw_compat_rhel_8_5,
+                      hw_compat_rhel_8_5_len);
+     compat_props_add(m->compat_props, pc_rhel_8_5_compat,
+diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
+index c8e06da084..23dacdd923 100644
+--- a/hw/i386/pc_q35.c
++++ b/hw/i386/pc_q35.c
+@@ -680,6 +680,8 @@ static void pc_q35_machine_rhel860_options(MachineClass *m)
+ 
+     pcmc->smbios_stream_product = "RHEL-AV";
+     pcmc->smbios_stream_version = "8.6.0";
++    compat_props_add(m->compat_props, hw_compat_rhel_8_6,
++                     hw_compat_rhel_8_6_len);
+ }
+ 
+ DEFINE_PC_MACHINE(q35_rhel860, "pc-q35-rhel8.6.0", pc_q35_init_rhel860,
+diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
+index cc78a315e3..13bfa4253e 100644
+--- a/hw/s390x/s390-virtio-ccw.c
++++ b/hw/s390x/s390-virtio-ccw.c
+@@ -1121,6 +1121,7 @@ static void ccw_machine_rhel860_instance_options(MachineState *machine)
+ static void ccw_machine_rhel860_class_options(MachineClass *mc)
+ {
+     ccw_machine_rhel900_class_options(mc);
++    compat_props_add(mc->compat_props, hw_compat_rhel_8_6, hw_compat_rhel_8_6_len);
+ 
+     /* All RHEL machines for prior major releases are deprecated */
+     mc->deprecation_reason = rhel_old_machine_deprecation;
+diff --git a/include/hw/boards.h b/include/hw/boards.h
+index 21d8d5528e..b9c12c4bf2 100644
+--- a/include/hw/boards.h
++++ b/include/hw/boards.h
+@@ -443,6 +443,9 @@ extern const size_t hw_compat_2_2_len;
+ extern GlobalProperty hw_compat_2_1[];
+ extern const size_t hw_compat_2_1_len;
+ 
++extern GlobalProperty hw_compat_rhel_8_6[];
++extern const size_t hw_compat_rhel_8_6_len;
++
+ extern GlobalProperty hw_compat_rhel_8_5[];
+ extern const size_t hw_compat_rhel_8_5_len;
+ 
+-- 
+2.31.1
+

SOURCES/kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch

@@ -0,0 +1,77 @@
+From 3a8dff1446aaa9a3b93a16ea027214064e84a582 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@rehat.com>
+Date: Thu, 14 Apr 2022 10:38:26 -0400
+Subject: [PATCH 3/3] vhost-vsock: detach the virqueue element in case of error
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 179: vhost-vsock: detach the virqueue element in case of error
+RH-Commit: [1/1] 9275dbff40eb3c7be2abca8369055ca4a1e1e52d (jmaloy/qemu-kvm)
+RH-Bugzilla: 2075640
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075640
+Upstream: Merged
+CVE: CVE-2022-26354
+
+commit 8d1b247f3748ac4078524130c6d7ae42b6140aaf
+Author: Stefano Garzarella <sgarzare@redhat.com>
+Date:   Mon Feb 28 10:50:58 2022 +0100
+
+    vhost-vsock: detach the virqueue element in case of error
+
+    In vhost_vsock_common_send_transport_reset(), if an element popped from
+    the virtqueue is invalid, we should call virtqueue_detach_element() to
+    detach it from the virtqueue before freeing its memory.
+
+    Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
+    Fixes: CVE-2022-26354
+    Cc: qemu-stable@nongnu.org
+    Reported-by: VictorV <vv474172261@gmail.com>
+    Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+    Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
+    Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+(cherry picked from commit 8d1b247f3748ac4078524130c6d7ae42b6140aaf)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/virtio/vhost-vsock-common.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c
+index 3f3771274e..ed706681ac 100644
+--- a/hw/virtio/vhost-vsock-common.c
++++ b/hw/virtio/vhost-vsock-common.c
+@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc)
+     if (elem->out_num) {
+         error_report("invalid vhost-vsock event virtqueue element with "
+                      "out buffers");
+-        goto out;
++        goto err;
+     }
+ 
+     if (iov_from_buf(elem->in_sg, elem->in_num, 0,
+                      &event, sizeof(event)) != sizeof(event)) {
+         error_report("vhost-vsock event virtqueue element is too short");
+-        goto out;
++        goto err;
+     }
+ 
+     virtqueue_push(vq, elem, sizeof(event));
+     virtio_notify(VIRTIO_DEVICE(vvc), vq);
+ 
+-out:
++    g_free(elem);
++    return;
++
++err:
++    virtqueue_detach_element(vq, elem, 0);
+     g_free(elem);
+ }
+ 
+-- 
+2.31.1
+

SOURCES/kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch

@@ -0,0 +1,61 @@
+From d1a64781c4f7fa698a359ea078a98029f4f67c1b Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Tue, 8 Mar 2022 10:42:51 +0800
+Subject: [PATCH 2/3] virtio-net: fix map leaking on error during receive
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+RH-MergeRequest: 178: virtio-net: fix map leaking on error during receive
+RH-Commit: [1/1] afdfa3198fcf815de59915136222f73711efd292 (jmaloy/qemu-kvm)
+RH-Bugzilla: 2075635
+RH-Acked-by: Jason Wang <jasowang@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075635
+Upstream: Merged
+CVE: CVE-2022-26353
+
+commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37
+Author: Jason Wang <jasowang@redhat.com>
+Date:   Tue Mar 8 10:42:51 2022 +0800
+
+    virtio-net: fix map leaking on error during receive
+
+    Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+    tries to fix the use after free of the sg by caching the virtqueue
+    elements in an array and unmap them at once after receiving the
+    packets, But it forgot to unmap the cached elements on error which
+    will lead to leaking of mapping and other unexpected results.
+
+    Fixing this by detaching the cached elements on error. This addresses
+    CVE-2022-26353.
+
+    Reported-by: Victor Tom <vv474172261@gmail.com>
+    Cc: qemu-stable@nongnu.org
+    Fixes: CVE-2022-26353
+    Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
+    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+    Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+---
+ hw/net/virtio-net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index f2014d5ea0..e1f4748831 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
+ 
+ err:
+     for (j = 0; j < i; j++) {
++        virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
+         g_free(elems[j]);
+     }
+ 
+-- 
+2.31.1
+

SPECS/qemu-kvm.spec

@@ -151,7 +151,7 @@ Obsoletes: %{name}-block-ssh <= %{epoch}:%{version}                    \
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 6.2.0
-Release: 11%{?rcrel}%{?dist}%{?cc_suffix}.2
+Release: 11%{?rcrel}%{?dist}%{?cc_suffix}.3
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@@ -320,6 +320,12 @@ Patch82: kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch
 Patch83: kvm-tests-acpi-update-expected-blobs.patch
 # For bz#2043531 - Guest can not start with SLIC acpi table
 Patch84: kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch
+# For bz#2071102 - RHEL 9.0 guest with vsock device migration failed from RHEL 9.0 > RHEL 8.6 [rhel-9.0.0.z]
+Patch85: kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch
+# For bz#2075635 - CVE-2022-26353 qemu-kvm: QEMU: virtio-net: map leaking on error during receive [rhel-9] [rhel-9.0.0.z]
+Patch86: kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch
+# For bz#2075640 - CVE-2022-26354 qemu-kvm: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak [rhel-9] [rhel-9.0.0.z]
+Patch87: kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
 
 # Source-git patches
 
@@ -1370,6 +1376,17 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 
 %changelog
+* Mon May 09 2022 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-11.el9_0.3
+- kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch [bz#2071102]
+- kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch [bz#2075635]
+- kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch [bz#2075640]
+- Resolves: bz#2071102
+  (RHEL 9.0 guest with vsock device migration failed from RHEL 9.0 > RHEL 8.6 [rhel-9.0.0.z])
+- Resolves: bz#2075635
+  (CVE-2022-26353 qemu-kvm: QEMU: virtio-net: map leaking on error during receive [rhel-9] [rhel-9.0.0.z])
+- Resolves: bz#2075640
+  (CVE-2022-26354 qemu-kvm: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak [rhel-9] [rhel-9.0.0.z])
+
 * Tue Mar 22 2022  <cconte@redhat.com> - 6.2.0-11.el9_0.2
 - kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch [bz#2053584]
 - kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch [bz#2053584]