From cfe9adea3d8cfb8511cc26a6ef7228ad498fbc23 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina
Date: Mon, 13 Nov 2023 02:38:53 -0500
Subject: [PATCH] * Mon Nov 13 2023 Miroslav Rezanina - 8.1.0-4
- kvm-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch [RHEL-2828]
- kvm-Enable-igb-on-x86_64.patch [RHEL-1308]
- kvm-host-include-generic-host-atomic128-Fix-compilation-.patch [RHEL-12991]
- kvm-Enable-qemu-kvm-device-usb-redirec-for-aarch64.patch [RHEL-7561]
- Resolves: RHEL-2828 (CVE-2023-42467 qemu-kvm: qemu: denial of service due to division by zero [rhel-9])
- Resolves: RHEL-1308 ([RFE] iGB: Add an emulated SR-IOV network card)
- Resolves: RHEL-12991 (qemu-kvm fails to build on s390x with clang-17)
- Resolves: RHEL-7561 (Missing the rpm package qemu-kvm-device-usb-redirect on Arm64 platform)
---
 kvm-Enable-igb-on-x86_64.patch | 34 +++++++
 ...eric-host-atomic128-Fix-compilation-.patch | 89 +++++++++++++++++++
 ...k-Disallow-block-sizes-smaller-than-.patch | 63 +++++++++++++
 qemu-kvm.spec | 24 ++++-
 4 files changed, 208 insertions(+), 2 deletions(-)
 create mode 100644 kvm-Enable-igb-on-x86_64.patch
 create mode 100644 kvm-host-include-generic-host-atomic128-Fix-compilation-.patch
 create mode 100644 kvm-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch
diff --git a/kvm-Enable-igb-on-x86_64.patch b/kvm-Enable-igb-on-x86_64.patch
new file mode 100644
index 0000000..2c66e0b
--- /dev/null
+++ b/kvm-Enable-igb-on-x86_64.patch
@@ -0,0 +1,34 @@
+From d22860e56e47f8d0a3ffc9ff3c3bbf13b4cc46e9 Mon Sep 17 00:00:00 2001
+From: Akihiko Odaki
+Date: Mon, 30 Oct 2023 21:25:23 +0900
+Subject: [PATCH 2/4] Enable igb on x86_64
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: 小田喜陽彦
+RH-MergeRequest: 205: Enable igb on x86_64
+RH-Jira: RHEL-1308
+RH-Commit: [1/1] e5079378c2e674d13b70c122096997c46ccc3dbf (akihiko.odaki/qemu-kvm)
+
+Resolves: RHEL-1308
+Signed-off-by: Akihiko Odaki
+---
+ configs/devices/x86_64-softmmu/x86_64-rh-devices.mak | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak b/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak
+index 6d16d81296..ef82f431cb 100644
+--- a/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak
++++ b/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak
+@@ -36,6 +36,7 @@ CONFIG_IDE_CORE=y
+ CONFIG_IDE_PCI=y
+ CONFIG_IDE_PIIX=y
+ CONFIG_IDE_QDEV=y
++CONFIG_IGB_PCI_EXPRESS=y
+ CONFIG_IOAPIC=y
+ CONFIG_IOH3420=y
+ CONFIG_ISA_BUS=y
+--
+2.39.3
+
diff --git a/kvm-host-include-generic-host-atomic128-Fix-compilation-.patch b/kvm-host-include-generic-host-atomic128-Fix-compilation-.patch
new file mode 100644
index 0000000..dd7cd37
--- /dev/null
+++ b/kvm-host-include-generic-host-atomic128-Fix-compilation-.patch
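Review bot: The embedded patch description gives no rationale beyond the Jira id, although `CONFIG_IGB_PCI_EXPRESS=y` in x86_64-rh-devices.mak adds a new guest-visible emulated NIC (an SR-IOV card, per the changelog text) to the downstream device whitelist. Widening that list is an attack-surface decision, so a sentence in the patch description saying why the device is enabled on x86_64 only and which use case it serves would help whoever audits the list later. A comment above the new line in the .mak file, such as `# igb: emulated SR-IOV NIC, enabled for RHEL-1308`, would serve the same purpose in place.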
@@ -0,0 +1,89 @@
+From ea6970ef4413f0390778b58c633da931faa932c2 Mon Sep 17 00:00:00 2001
+From: Thomas Huth
+Date: Wed, 18 Oct 2023 17:27:41 +0200
+Subject: [PATCH 3/4] host/include/generic/host/atomic128: Fix compilation
+ problem with Clang 17
+
+RH-Author: Thomas Huth
+RH-MergeRequest: 207: Fix compilation problem with Clang 17
+RH-Jira: RHEL-12991
+RH-Acked-by: Miroslav Rezanina
+RH-Commit: [1/1] db90fc8c1c67b7c401cb1e061f6fa5fd14d91717 (thuth/qemu-kvm-cs9)
+
+Upstream Status: proposed (https://lore.kernel.org/qemu-devel/20231108085954.313071-1-thuth@redhat.com/)
+
+When compiling QEMU with Clang 17 on a s390x, the compilation fails:
+
+In file included from ../accel/tcg/cputlb.c:32:
+In file included from /root/qemu/include/exec/helper-proto-common.h:10:
+In file included from /root/qemu/include/qemu/atomic128.h:62:
+/root/qemu/host/include/generic/host/atomic128-ldst.h:68:15: error:
+ __sync builtin operation MUST have natural alignment (consider using __
+atomic). [-Werror,-Wsync-alignment]
+ 68 | } while (!__sync_bool_compare_and_swap_16(ptr_align, old, new.i));
+ | ^
+In file included from ../accel/tcg/cputlb.c:32:
+In file included from /root/qemu/include/exec/helper-proto-common.h:10:
+In file included from /root/qemu/include/qemu/atomic128.h:61:
+/root/qemu/host/include/generic/host/atomic128-cas.h:36:11: error:
+ __sync builtin operation MUST have natural alignment (consider using __a
+tomic). [-Werror,-Wsync-alignment]
+ 36 | r.i = __sync_val_compare_and_swap_16(ptr_align, c.i, n.i);
+ | ^
+2 errors generated.
+
+It's arguably a bug in Clang since we already use __builtin_assume_aligned()
+to tell the compiler that the pointer is properly aligned. But according to
+https://github.com/llvm/llvm-project/issues/69146 it seems like the Clang
+folks don't see an easy fix on their side and recommend to use a type
+declared with __attribute__((aligned(16))) to work around this problem.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1934
+Signed-off-by: Thomas Huth
+---
+ host/include/generic/host/atomic128-cas.h | 2 +-
+ host/include/generic/host/atomic128-ldst.h | 2 +-
+ include/qemu/int128.h | 1 +
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/host/include/generic/host/atomic128-cas.h b/host/include/generic/host/atomic128-cas.h
+index 991d3da082..6b40cc2271 100644
+--- a/host/include/generic/host/atomic128-cas.h
++++ b/host/include/generic/host/atomic128-cas.h
+@@ -28,7 +28,7 @@ atomic16_cmpxchg(Int128 *ptr, Int128 cmp, Int128 new)
+ static inline Int128 ATTRIBUTE_ATOMIC128_OPT
+ atomic16_cmpxchg(Int128 *ptr, Int128 cmp, Int128 new)
+ {
+- __int128_t *ptr_align = __builtin_assume_aligned(ptr, 16);
++ Int128Aligned *ptr_align = __builtin_assume_aligned(ptr, 16);
+ Int128Alias r, c, n;
+
+ c.s = cmp;
+diff --git a/host/include/generic/host/atomic128-ldst.h b/host/include/generic/host/atomic128-ldst.h
+index 80fff0643a..691e6a8531 100644
+--- a/host/include/generic/host/atomic128-ldst.h
++++ b/host/include/generic/host/atomic128-ldst.h
+@@ -58,7 +58,7 @@ atomic16_read_rw(Int128 *ptr)
+ static inline void ATTRIBUTE_ATOMIC128_OPT
+ atomic16_set(Int128 *ptr, Int128 val)
+ {
+- __int128_t *ptr_align = __builtin_assume_aligned(ptr, 16);
++ Int128Aligned *ptr_align = __builtin_assume_aligned(ptr, 16);
+ __int128_t old;
+ Int128Alias new;
+
+diff --git a/include/qemu/int128.h b/include/qemu/int128.h
+index 73624e8be7..44530d3e10 100644
+--- a/include/qemu/int128.h
++++ b/include/qemu/int128.h
+@@ -10,6 +10,7 @@
+ */
+ #if defined(CONFIG_INT128) && !defined(CONFIG_TCG_INTERPRETER)
+ typedef __int128_t Int128;
++typedef __int128_t __attribute__((aligned(16))) Int128Aligned;
+
+ static inline Int128 int128_make64(uint64_t a)
+ {
+--
+2.39.3
+
diff --git a/kvm-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch b/kvm-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch
new file mode 100644
index 0000000..7081dfd
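Review bot: `Int128Aligned` is declared only inside the `#if defined(CONFIG_INT128) && !defined(CONFIG_TCG_INTERPRETER)` branch of include/qemu/int128.h, yet the converted lines in atomic128-cas.h and atomic128-ldst.h reference it with no guard of their own; that is sound only if those two generic headers are never compiled against the struct-based Int128 fallback, which I cannot confirm from the hunks shown (the rest of the `#if` and whatever guards the includes are outside them). The new typedef also carries no comment saying why a second 128-bit type exists next to Int128, which the next reader will need: `/* Int128 with explicit 16-byte alignment: Clang 17 rejects the __sync_*_16 builtins on a plain __int128_t pointer (llvm/llvm-project#69146). */`. `__builtin_assume_aligned(ptr, 16)` is kept on both converted lines even though the pointee type now carries the alignment; that is harmless, but a sentence in the commit message would stop a later cleanup from dropping the typedef on the assumption that the builtin is sufficient. The bodies of atomic16_cmpxchg and atomic16_set continue beyond the hunks.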
--- /dev/null
+++ b/kvm-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch
@@ -0,0 +1,63 @@
+From 3e9164c9c80be093d7c9c590a643bf1aecf23496 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Wed, 18 Oct 2023 11:31:15 -0400
+Subject: [PATCH 1/4] hw/scsi/scsi-disk: Disallow block sizes smaller than 512
+ [CVE-2023-42467]
+
+RH-Author: Jon Maloy
+RH-MergeRequest: 204: hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467]
+RH-Jira: RHEL-2828
+RH-Acked-by: Thomas Huth
+RH-Acked-by: Kevin Wolf
+RH-Commit: [1/1] 7b5306fdadb000216505b8f47a6ab8e4c4336506 (jmaloy/jmaloy-qemu-kvm-2)
+
+Jira: https://issues.redhat.com/browse/RHEL-2828
+CVE: CVE-2023-42467
+Upstream: Merged
+
+commit 7cfcc79b0ab800959716738aff9419f53fc68c9c
+Author: Thomas Huth
+Date: Mon Sep 25 11:18:54 2023 +0200
+
+ hw/scsi/scsi-disk: Disallow block sizes smaller than 512 [CVE-2023-42467]
+
+ We are doing things like
+
+ nb_sectors /= (s->qdev.blocksize / BDRV_SECTOR_SIZE);
+
+ in the code here (e.g. in scsi_disk_emulate_mode_sense()), so if
+ the blocksize is smaller than BDRV_SECTOR_SIZE (=512), this crashes
+ with a division by 0 exception. Thus disallow block sizes of 256
+ bytes to avoid this situation.
+
+ Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1813
+ CVE: 2023-42467
+ Signed-off-by: Thomas Huth
+ Message-ID: <20230925091854.49198-1-thuth@redhat.com>
+ Signed-off-by: Paolo Bonzini
+
+Signed-off-by: Jon Maloy
+---
+ hw/scsi/scsi-disk.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c
+index e0d79c7966..477ee2bcd4 100644
+--- a/hw/scsi/scsi-disk.c
++++ b/hw/scsi/scsi-disk.c
+@@ -1628,9 +1628,10 @@ static void scsi_disk_emulate_mode_select(SCSIDiskReq *r, uint8_t *inbuf)
+ * Since the existing code only checks/updates bits 8-15 of the block
+ * size, restrict ourselves to the same requirement for now to ensure
+ * that a block size set by a block descriptor and then read back by
+- * a subsequent SCSI command will be the same
++ * a subsequent SCSI command will be the same. Also disallow a block
++ * size of 256 since we cannot handle anything below BDRV_SECTOR_SIZE.
+ */
+- if (bs && !(bs & ~0xff00) && bs != s->qdev.blocksize) {
++ if (bs && !(bs & ~0xfe00) && bs != s->qdev.blocksize) {
+ s->qdev.blocksize = bs;
+ trace_scsi_disk_mode_select_set_blocksize(s->qdev.blocksize);
+ }
+--
+2.39.3
+
diff --git a/qemu-kvm.spec b/qemu-kvm.spec
index 9def42c..7ffee41 100644
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@@ -58,7 +58,7 @@
 %global tools_only 1
 %endif
-%ifnarch %{ix86} x86_64
+%ifnarch %{ix86} x86_64 aarch64
 %global have_usbredir 0
 %endif
@@ -149,7 +149,7 @@ Obsoletes: %{name}-block-ssh <= %{epoch}:%{version} \
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 8.1.0
-Release: 3%{?rcrel}%{?dist}%{?cc_suffix}
+Release: 4%{?rcrel}%{?dist}%{?cc_suffix}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
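Review bot: The new mask `!(bs & ~0xfe00)` rejects 256 but still admits every combination of bits 9-15, so guest-supplied sizes such as 1536 or 3584 pass the check; the divisor `s->qdev.blocksize / BDRV_SECTOR_SIZE` is then non-zero, which closes the division by zero, but any code in scsi-disk.c that derives a shift count or mask from the block size would still see a non-power-of-two value (that code is outside the hunk, so this is a question rather than a defect). If the device only means to support power-of-two sizes, `if (bs && is_power_of_2(bs) && !(bs & ~0xfe00) && bs != s->qdev.blocksize) {` states the intent directly; otherwise a comment that every multiple of 512 up to 0xfe00 is deliberately accepted would save the next reader the arithmetic. The updated comment still says "bits 8-15" while bit 8 is now rejected, so `bits 9-15` would match the new mask. scsi_disk_emulate_mode_select continues beyond the hunk.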
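Review bot: The commit message and the new %changelog entry both list `kvm-Enable-qemu-kvm-device-usb-redirec-for-aarch64.patch [RHEL-7561]`, but the diffstat creates only three patch files and the aarch64 usbredir change is this inline edit of the `%ifnarch` line, with no matching Patch entry; the embedded patches being numbered 1/4, 2/4 and 3/4 suggests the fourth merge request was spec-only. If naming spec-only changes as a pseudo patch file is the downstream convention this is fine, but anyone searching the tree for that file will not find it, so a changelog line such as `- Enable have_usbredir on aarch64 (spec-only change) [RHEL-7561]` would be less misleading. Removing aarch64 from this override presumably turns on the usbredir subpackage there; the spec sections that consume have_usbredir are outside the hunk, so I cannot confirm nothing else keys on the old architecture list.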
@@ -221,6 +221,12 @@ Patch34: kvm-file-posix-Fix-zone-update-in-I-O-error-path.patch
 Patch35: kvm-file-posix-Simplify-raw_co_prw-s-out-zone-code.patch
 # For RHEL-7360 - Qemu Core Dumped When Writing Larger Size Than The Size of A Data Disk
 Patch36: kvm-tests-file-io-error-New-test.patch
+# For RHEL-2828 - CVE-2023-42467 qemu-kvm: qemu: denial of service due to division by zero [rhel-9]
+Patch37: kvm-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch
+# For RHEL-1308 - [RFE] iGB: Add an emulated SR-IOV network card
+Patch38: kvm-Enable-igb-on-x86_64.patch
+# For RHEL-12991 - qemu-kvm fails to build on s390x with clang-17
+Patch39: kvm-host-include-generic-host-atomic128-Fix-compilation-.patch
 %if %{have_clang}
 BuildRequires: clang
@@ -1280,6 +1286,20 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 %changelog
+* Mon Nov 13 2023 Miroslav Rezanina - 8.1.0-4
+- kvm-hw-scsi-scsi-disk-Disallow-block-sizes-smaller-than-.patch [RHEL-2828]
+- kvm-Enable-igb-on-x86_64.patch [RHEL-1308]
+- kvm-host-include-generic-host-atomic128-Fix-compilation-.patch [RHEL-12991]
+- kvm-Enable-qemu-kvm-device-usb-redirec-for-aarch64.patch [RHEL-7561]
+- Resolves: RHEL-2828
+  (CVE-2023-42467 qemu-kvm: qemu: denial of service due to division by zero [rhel-9])
+- Resolves: RHEL-1308
+  ([RFE] iGB: Add an emulated SR-IOV network card)
+- Resolves: RHEL-12991
+  (qemu-kvm fails to build on s390x with clang-17)
+- Resolves: RHEL-7561
+  (Missing the rpm package qemu-kvm-device-usb-redirect on Arm64 platform)
+
 * Mon Oct 16 2023 Miroslav Rezanina - 8.1.0-3
 - kvm-migration-Fix-race-that-dest-preempt-thread-close-to.patch [RHEL-11219]
 - kvm-migration-Fix-possible-race-when-setting-rp_state.er.patch [RHEL-11219]