rpms/qemu-kvm
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import qemu-kvm-6.2.0-12.module+el8.7.0+14906+e959ebd7

Browse Source
This commit is contained in:
CentOS Sources 2022-05-03 14:03:48 +00:00 committed by Stepan Oksanichenko
parent 32fd672ace
commit d1ab2a85b4
50 changed files with 4753 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
SOURCES/kvm-Enable-SGX-RH-Only.patch Normal file
View File

@ -0,0 +1,28 @@
From db6e042fe4fdc1a1bbf562a46b15d4d8e33e2fa6 Mon Sep 17 00:00:00 2001
From: Paul Lai <plai@redhat.com>
Date: Tue, 25 Jan 2022 15:16:22 -0500
Subject: [PATCH 4/7] Enable SGX -- RH Only
RH-Author: Paul Lai <None>
RH-MergeRequest: 111: numa: Enable numa for SGX EPC sections
RH-Commit: [4/5] cea874f29984897ef1232fb7749c13203c888034
RH-Bugzilla: 1518984
RH-Acked-by: Paolo Bonzini <None>
RH-Acked-by: Bandan Das <None>
RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
---
configs/devices/x86_64-softmmu/x86_64-rh-devices.mak | 1 +
1 file changed, 1 insertion(+)
diff --git a/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak b/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak
index ddf036f042..fdbbdf9742 100644
--- a/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak
+++ b/configs/devices/x86_64-softmmu/x86_64-rh-devices.mak
@@ -102,3 +102,4 @@ CONFIG_TPM_CRB=y
CONFIG_TPM_TIS_ISA=y
CONFIG_TPM_EMULATOR=y
CONFIG_TPM_PASSTHROUGH=y
+CONFIG_SGX=y
--
2.27.0

107
SOURCES/kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch Normal file
View File

@ -0,0 +1,107 @@
From e0e4f01c6f4fb5881960f72ae4e80951b711131e Mon Sep 17 00:00:00 2001
From: Stefano Garzarella <sgarzare@redhat.com>
Date: Thu, 24 Mar 2022 16:04:57 +0100
Subject: [PATCH 1/5] RHEL: disable "seqpacket" for "vhost-vsock-device" in
rhel8.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Stefano Garzarella <sgarzare@redhat.com>
RH-MergeRequest: 136: RHEL: disable "seqpacket" for "vhost-vsock-device" in rhel8.6.0 [rhel-8.7.0]
RH-Commit: [1/1] d82ea09e123679521503689f7d9af1c03dc71bfc
RH-Bugzilla: 2068202
RH-Acked-by: Jason Wang <None>
RH-Acked-by: Eugenio Pérez <None>
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
vhost-vsock device in RHEL 8 kernels doesn't support seqpacket.
To avoid problems when migrating a VM from RHEL 9 host, we need to
disable it in rhel8-* machine types.
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
hw/core/machine.c | 10 ++++++++++
hw/i386/pc_piix.c | 2 ++
hw/i386/pc_q35.c | 2 ++
hw/s390x/s390-virtio-ccw.c | 1 +
include/hw/boards.h | 3 +++
5 files changed, 18 insertions(+)
diff --git a/hw/core/machine.c b/hw/core/machine.c
index 024b025fc2..76fcabec7a 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -37,6 +37,16 @@
#include "hw/virtio/virtio.h"
#include "hw/virtio/virtio-pci.h"
+GlobalProperty hw_compat_rhel_8_6[] = {
+ /* hw_compat_rhel_8_6 bz 2068202 */
+ /*
+ * vhost-vsock device in RHEL 8 kernels doesn't support seqpacket, so
+ * we need do disable it downstream on the latest hw_compat_rhel_8.
+ */
+ { "vhost-vsock-device", "seqpacket", "off" },
+};
+const size_t hw_compat_rhel_8_6_len = G_N_ELEMENTS(hw_compat_rhel_8_6);
+
/*
* Mostly the same as hw_compat_6_0 and hw_compat_6_1
*/
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index f03a8f0db8..ab6d03e07a 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -998,6 +998,8 @@ static void pc_machine_rhel760_options(MachineClass *m)
pcmc->kvmclock_create_always = false;
/* From pc_i440fx_5_1_machine_options() */
pcmc->pci_root_uid = 1;
+ compat_props_add(m->compat_props, hw_compat_rhel_8_6,
+ hw_compat_rhel_8_6_len);
compat_props_add(m->compat_props, hw_compat_rhel_8_5,
hw_compat_rhel_8_5_len);
compat_props_add(m->compat_props, pc_rhel_8_5_compat,
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 5559261d9e..882fe7a68d 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -658,6 +658,8 @@ static void pc_q35_machine_rhel860_options(MachineClass *m)
m->desc = "RHEL-8.6.0 PC (Q35 + ICH9, 2009)";
pcmc->smbios_stream_product = "RHEL-AV";
pcmc->smbios_stream_version = "8.6.0";
+ compat_props_add(m->compat_props, hw_compat_rhel_8_6,
+ hw_compat_rhel_8_6_len);
}
DEFINE_PC_MACHINE(q35_rhel860, "pc-q35-rhel8.6.0", pc_q35_init_rhel860,
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index 9795eb9406..bec270598b 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -1109,6 +1109,7 @@ static void ccw_machine_rhel860_instance_options(MachineState *machine)
static void ccw_machine_rhel860_class_options(MachineClass *mc)
{
+ compat_props_add(mc->compat_props, hw_compat_rhel_8_6, hw_compat_rhel_8_6_len);
}
DEFINE_CCW_MACHINE(rhel860, "rhel8.6.0", true);
diff --git a/include/hw/boards.h b/include/hw/boards.h
index 04e8759815..4ddb798144 100644
--- a/include/hw/boards.h
+++ b/include/hw/boards.h
@@ -443,6 +443,9 @@ extern const size_t hw_compat_2_2_len;
extern GlobalProperty hw_compat_2_1[];
extern const size_t hw_compat_2_1_len;
+extern GlobalProperty hw_compat_rhel_8_6[];
+extern const size_t hw_compat_rhel_8_6_len;
+
extern GlobalProperty hw_compat_rhel_8_5[];
extern const size_t hw_compat_rhel_8_5_len;
--
2.27.0

93
SOURCES/kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch Normal file
View File

@ -0,0 +1,93 @@
From e626dc16d130c724c400b99a93daad0a9abeae59 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 22 Mar 2022 19:23:36 -0400
Subject: [PATCH 01/18] Revert "redhat: Add hw_compat_4_2_extra and apply to
upstream machines"
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 131: Revert "redhat: Add hw_compat_4_2_extra and apply to upstream machines"
RH-Commit: [1/3] 47b7d9e5062f5e215d5ed1a3ecdc1a87ac3fa630 (jmaloy/qemu-kvm)
RH-Bugzilla: 2062613
RH-Acked-by: Peter Xu <peterx@redhat.com>
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
BZ: https://bugzilla.redhat.com/2062613
UPSTREAM: no
BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44038000
commit dc2e9ec1e014950c7918e23a3e9b0096b34a4a92
Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
Date: Wed Mar 9 10:31:53 2022 +0000
Revert "redhat: Add hw_compat_4_2_extra and apply to upstream machines"
This reverts commit 66882f9a3230246409f3918424aca26add5c034a.
We no longer need these compat machines it was added for.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(cherry picked from commit dc2e9ec1e014950c7918e23a3e9b0096b34a4a92)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/i386/pc.c | 12 ------------
hw/i386/pc_piix.c | 6 ------
include/hw/i386/pc.h | 3 ---
3 files changed, 21 deletions(-)
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 4c08a1971c..357257349b 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -670,18 +670,6 @@ GlobalProperty pc_rhel_7_0_compat[] = {
};
const size_t pc_rhel_7_0_compat_len = G_N_ELEMENTS(pc_rhel_7_0_compat);
-/*
- * RHEL: These properties only apply to the RHEL exported machine types
- * pc-4.2/2.11 for the purpose to have a limited upstream machines support
- * which can be migrated to RHEL. Let's avoid touching hw_compat_4_2 directly
- * so that we can have some isolation against the upstream code.
- */
-GlobalProperty hw_compat_4_2_extra[] = {
- /* By default enlarge the default virtio-net-pci ROM to 512KB. */
- { "virtio-net-pci", "romsize", "0x80000" },
-};
-const size_t hw_compat_4_2_extra_len = G_N_ELEMENTS(hw_compat_4_2_extra);
-
GSIState *pc_gsi_create(qemu_irq **irqs, bool pci_enabled)
{
GSIState *s;
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index c30057c443..7b7076cbc7 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -531,12 +531,6 @@ static void pc_i440fx_4_2_machine_options(MachineClass *m)
* supported by RHEL, even if exported.
*/
m->deprecation_reason = "Not supported by RHEL";
- /*
- * RHEL: Specific compat properties to have limited support for upstream
- * machines exported.
- */
- compat_props_add(m->compat_props, hw_compat_4_2_extra,
- hw_compat_4_2_extra_len);
}
/* RHEL: Export pc-4.2 */
diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
index 9e8bfb69f8..4a593acb50 100644
--- a/include/hw/i386/pc.h
+++ b/include/hw/i386/pc.h
@@ -325,9 +325,6 @@ extern const size_t pc_rhel_7_1_compat_len;
extern GlobalProperty pc_rhel_7_0_compat[];
extern const size_t pc_rhel_7_0_compat_len;
-extern GlobalProperty hw_compat_4_2_extra[];
-extern const size_t hw_compat_4_2_extra_len;
-
/* Helper for setting model-id for CPU models that changed model-id
* depending on QEMU versions up to QEMU 2.4.
*/
--
2.27.0

53
SOURCES/kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch Normal file
View File

@ -0,0 +1,53 @@
From 5bf8f1d69fea1225e927fbb3efe549a2a9d47d92 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 22 Mar 2022 19:23:36 -0400
Subject: [PATCH 02/18] Revert "redhat: Enable FDC device for upstream machines
too"
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 131: Revert "redhat: Add hw_compat_4_2_extra and apply to upstream machines"
RH-Commit: [2/3] 4e3c945e3de9bb9d9a6d24115f0719168c9669fe (jmaloy/qemu-kvm)
RH-Bugzilla: 2062613
RH-Acked-by: Peter Xu <peterx@redhat.com>
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
BZ: https://bugzilla.redhat.com/2062613
UPSTREAM: no
BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44038000
commit 597cb6ca1da4a3eea77c1e4928f55203a1d5c70c
Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
Date: Wed Mar 9 10:32:39 2022 +0000
Revert "redhat: Enable FDC device for upstream machines too"
This reverts commit c4d1aa8bf21fe98da94a9cff30b7c25bed12c17f.
We no longer need these compat machines it was added for.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(cherry picked from commit 597cb6ca1da4a3eea77c1e4928f55203a1d5c70c)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/block/fdc.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/hw/block/fdc.c b/hw/block/fdc.c
index 63042ef030..97fa6de423 100644
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@@ -2341,10 +2341,7 @@ void fdctrl_realize_common(DeviceState *dev, FDCtrl *fdctrl, Error **errp)
/* Restricted for Red Hat Enterprise Linux: */
MachineClass *mc = MACHINE_GET_CLASS(qdev_get_machine());
- if (!strstr(mc->name, "-rhel7.") &&
- /* Exported two upstream machine types allows FDC too */
- strcmp(mc->name, "pc-i440fx-4.2") &&
- strcmp(mc->name, "pc-i440fx-2.11")) {
+ if (!strstr(mc->name, "-rhel7.")) {
error_setg(errp, "Device %s is not supported with machine type %s",
object_get_typename(OBJECT(dev)), mc->name);
return;
--
2.27.0

191
SOURCES/kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch Normal file
View File

@ -0,0 +1,191 @@
From ee3cae3bb349469edcf725a1c5161521e95dcb9f Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 22 Mar 2022 19:23:36 -0400
Subject: [PATCH 03/18] Revert "redhat: Expose upstream machines pc-4.2 and
pc-2.11"
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 131: Revert "redhat: Add hw_compat_4_2_extra and apply to upstream machines"
RH-Commit: [3/3] 35cee68034580f81b3aa916921eecd2fdfa7dd15 (jmaloy/qemu-kvm)
RH-Bugzilla: 2062613
RH-Acked-by: Peter Xu <peterx@redhat.com>
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
BZ: https://bugzilla.redhat.com/2062613
UPSTREAM: no
BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44038000
commit f3b50d6d4ae0be9e64aafe6a15f5423bab4899e9
Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
Date: Wed Mar 9 10:34:58 2022 +0000
Revert "redhat: Expose upstream machines pc-4.2 and pc-2.11"
This reverts commit 618e2424edba499d52cd26cf8363bc2dd85ef149.
We no longer need these compat machines.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(cherry picked from commit f3b50d6d4ae0be9e64aafe6a15f5423bab4899e9)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/i386/pc_piix.c | 37 -------------------------------------
1 file changed, 37 deletions(-)
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index 7b7076cbc7..f03a8f0db8 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -315,14 +315,6 @@ static void pc_init1(MachineState *machine,
* hw_compat_*, pc_compat_*, or * pc_*_machine_options().
*/
-/*
- * NOTE! Not all the upstream machine types are disabled for RHEL. For
- * providing a very limited support for upstream machine types, pc machines
- * 2.11 and 4.2 are exposed explicitly. This will make the below "#if" macros
- * a bit messed up, but please read this comment first so that we can have a
- * rough understanding of what we're going to do.
- */
-
#if 0 /* Disabled for Red Hat Enterprise Linux */
static void pc_compat_2_3_fn(MachineState *machine)
{
@@ -399,8 +391,6 @@ static void pc_xen_hvm_init(MachineState *machine)
}
#endif
-#endif /* Disabled for Red Hat Enterprise Linux */
-
#define DEFINE_I440FX_MACHINE(suffix, name, compatfn, optionfn) \
static void pc_init_##suffix(MachineState *machine) \
{ \
@@ -465,10 +455,8 @@ static void pc_i440fx_6_0_machine_options(MachineClass *m)
compat_props_add(m->compat_props, pc_compat_6_0, pc_compat_6_0_len);
}
-#if 0 /* Disabled for Red Hat Enterprise Linux */
DEFINE_I440FX_MACHINE(v6_0, "pc-i440fx-6.0", NULL,
pc_i440fx_6_0_machine_options);
-#endif /* Disabled for Red Hat Enterprise Linux */
static void pc_i440fx_5_2_machine_options(MachineClass *m)
{
@@ -479,10 +467,8 @@ static void pc_i440fx_5_2_machine_options(MachineClass *m)
compat_props_add(m->compat_props, pc_compat_5_2, pc_compat_5_2_len);
}
-#if 0 /* Disabled for Red Hat Enterprise Linux */
DEFINE_I440FX_MACHINE(v5_2, "pc-i440fx-5.2", NULL,
pc_i440fx_5_2_machine_options);
-#endif /* Disabled for Red Hat Enterprise Linux */
static void pc_i440fx_5_1_machine_options(MachineClass *m)
{
@@ -497,10 +483,8 @@ static void pc_i440fx_5_1_machine_options(MachineClass *m)
pcmc->pci_root_uid = 1;
}
-#if 0 /* Disabled for Red Hat Enterprise Linux */
DEFINE_I440FX_MACHINE(v5_1, "pc-i440fx-5.1", NULL,
pc_i440fx_5_1_machine_options);
-#endif /* Disabled for Red Hat Enterprise Linux */
static void pc_i440fx_5_0_machine_options(MachineClass *m)
{
@@ -513,10 +497,8 @@ static void pc_i440fx_5_0_machine_options(MachineClass *m)
m->auto_enable_numa_with_memdev = false;
}
-#if 0 /* Disabled for Red Hat Enterprise Linux */
DEFINE_I440FX_MACHINE(v5_0, "pc-i440fx-5.0", NULL,
pc_i440fx_5_0_machine_options);
-#endif /* Disabled for Red Hat Enterprise Linux */
static void pc_i440fx_4_2_machine_options(MachineClass *m)
{
@@ -525,15 +507,8 @@ static void pc_i440fx_4_2_machine_options(MachineClass *m)
m->is_default = false;
compat_props_add(m->compat_props, hw_compat_4_2, hw_compat_4_2_len);
compat_props_add(m->compat_props, pc_compat_4_2, pc_compat_4_2_len);
-
- /*
- * RHEL: Mark all upstream machines as deprecated because they're not
- * supported by RHEL, even if exported.
- */
- m->deprecation_reason = "Not supported by RHEL";
}
-/* RHEL: Export pc-4.2 */
DEFINE_I440FX_MACHINE(v4_2, "pc-i440fx-4.2", NULL,
pc_i440fx_4_2_machine_options);
@@ -546,10 +521,8 @@ static void pc_i440fx_4_1_machine_options(MachineClass *m)
compat_props_add(m->compat_props, pc_compat_4_1, pc_compat_4_1_len);
}
-#if 0 /* Disabled for Red Hat Enterprise Linux */
DEFINE_I440FX_MACHINE(v4_1, "pc-i440fx-4.1", NULL,
pc_i440fx_4_1_machine_options);
-#endif /* Disabled for Red Hat Enterprise Linux */
static void pc_i440fx_4_0_machine_options(MachineClass *m)
{
@@ -562,10 +535,8 @@ static void pc_i440fx_4_0_machine_options(MachineClass *m)
compat_props_add(m->compat_props, pc_compat_4_0, pc_compat_4_0_len);
}
-#if 0 /* Disabled for Red Hat Enterprise Linux */
DEFINE_I440FX_MACHINE(v4_0, "pc-i440fx-4.0", NULL,
pc_i440fx_4_0_machine_options);
-#endif /* Disabled for Red Hat Enterprise Linux */
static void pc_i440fx_3_1_machine_options(MachineClass *m)
{
@@ -581,10 +552,8 @@ static void pc_i440fx_3_1_machine_options(MachineClass *m)
compat_props_add(m->compat_props, pc_compat_3_1, pc_compat_3_1_len);
}
-#if 0 /* Disabled for Red Hat Enterprise Linux */
DEFINE_I440FX_MACHINE(v3_1, "pc-i440fx-3.1", NULL,
pc_i440fx_3_1_machine_options);
-#endif /* Disabled for Red Hat Enterprise Linux */
static void pc_i440fx_3_0_machine_options(MachineClass *m)
{
@@ -593,10 +562,8 @@ static void pc_i440fx_3_0_machine_options(MachineClass *m)
compat_props_add(m->compat_props, pc_compat_3_0, pc_compat_3_0_len);
}
-#if 0 /* Disabled for Red Hat Enterprise Linux */
DEFINE_I440FX_MACHINE(v3_0, "pc-i440fx-3.0", NULL,
pc_i440fx_3_0_machine_options);
-#endif /* Disabled for Red Hat Enterprise Linux */
static void pc_i440fx_2_12_machine_options(MachineClass *m)
{
@@ -605,10 +572,8 @@ static void pc_i440fx_2_12_machine_options(MachineClass *m)
compat_props_add(m->compat_props, pc_compat_2_12, pc_compat_2_12_len);
}
-#if 0 /* Disabled for Red Hat Enterprise Linux */
DEFINE_I440FX_MACHINE(v2_12, "pc-i440fx-2.12", NULL,
pc_i440fx_2_12_machine_options);
-#endif /* Disabled for Red Hat Enterprise Linux */
static void pc_i440fx_2_11_machine_options(MachineClass *m)
{
@@ -617,11 +582,9 @@ static void pc_i440fx_2_11_machine_options(MachineClass *m)
compat_props_add(m->compat_props, pc_compat_2_11, pc_compat_2_11_len);
}
-/* RHEL: Export pc-2.11 */
DEFINE_I440FX_MACHINE(v2_11, "pc-i440fx-2.11", NULL,
pc_i440fx_2_11_machine_options);
-#if 0 /* Disabled for Red Hat Enterprise Linux */
static void pc_i440fx_2_10_machine_options(MachineClass *m)
{
pc_i440fx_2_11_machine_options(m);
--
2.27.0

78
SOURCES/kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch Normal file
View File

@ -0,0 +1,78 @@
From af082f3499de265d123157d097b5c84981e0aa63 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 30 Mar 2022 14:52:34 -0400
Subject: [PATCH 15/18] acpi: fix OEM ID/OEM Table ID padding
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
RH-Commit: [7/10] 51ea859cbe12b5a902d529ab589d18757d98f71d (jmaloy/qemu-kvm)
RH-Bugzilla: 2062611
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
Upstream: Merged
commit 748c030f360a940fe0c9382c8ca1649096c3a80d
Author: Igor Mammedov <imammedo@redhat.com>
Date: Wed Jan 12 08:03:31 2022 -0500
acpi: fix OEM ID/OEM Table ID padding
Commit [2] broke original '\0' padding of OEM ID and OEM Table ID
fields in headers of ACPI tables. While it doesn't have impact on
default values since QEMU uses 6 and 8 characters long values
respectively, it broke usecase where IDs are provided on QEMU CLI.
It shouldn't affect guest (but may cause licensing verification
issues in guest OS).
One of the broken usecases is user supplied SLIC table with IDs
shorter than max possible length, where [2] mangles IDs with extra
spaces in RSDT and FADT tables whereas guest OS expects those to
mirror the respective values of the used SLIC table.
Fix it by replacing whitespace padding with '\0' padding in
accordance with [1] and expectations of guest OS
1) ACPI spec, v2.0b
17.2 AML Grammar Definition
...
//OEM ID of up to 6 characters. If the OEM ID is
//shorter than 6 characters, it can be terminated
//with a NULL character.
2)
Fixes: 602b458201 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/707
Reported-by: Dmitry V. Orekhov <dima.orekhov@gmail.com>
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20220112130332.1648664-4-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Ani Sinha <ani@anisinha.ca>
Tested-by: Dmitry V. Orekhov dima.orekhov@gmail.com
(cherry picked from commit 748c030f360a940fe0c9382c8ca1649096c3a80d)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/acpi/aml-build.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
index b3b3310df3..65148d5b9d 100644
--- a/hw/acpi/aml-build.c
+++ b/hw/acpi/aml-build.c
@@ -1724,9 +1724,9 @@ void acpi_table_begin(AcpiTable *desc, GArray *array)
build_append_int_noprefix(array, 0, 4); /* Length */
build_append_int_noprefix(array, desc->rev, 1); /* Revision */
build_append_int_noprefix(array, 0, 1); /* Checksum */
- build_append_padded_str(array, desc->oem_id, 6, ' '); /* OEMID */
+ build_append_padded_str(array, desc->oem_id, 6, '\0'); /* OEMID */
/* OEM Table ID */
- build_append_padded_str(array, desc->oem_table_id, 8, ' ');
+ build_append_padded_str(array, desc->oem_table_id, 8, '\0');
build_append_int_noprefix(array, 1, 4); /* OEM Revision */
g_array_append_vals(array, ACPI_BUILD_APPNAME8, 4); /* Creator ID */
build_append_int_noprefix(array, 1, 4); /* Creator Revision */
--
2.27.0

108
SOURCES/kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch Normal file
View File

@ -0,0 +1,108 @@
From 4e8fb957a349558648d5cddb80a89460bc97439e Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 30 Mar 2022 14:52:34 -0400
Subject: [PATCH 09/18] acpi: fix QEMU crash when started with SLIC table
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
RH-Commit: [1/10] 0c34e80346c33da4f220d9c486b120c35005144e (jmaloy/qemu-kvm)
RH-Bugzilla: 2062611
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
Upstream: Merged
commit 8cdb99af45365727ac17f45239a9b8c1d5155c6d)
Author: Igor Mammedov <imammedo@redhat.com>
Date: Mon Dec 27 14:31:17 2021 -0500
acpi: fix QEMU crash when started with SLIC table
if QEMU is started with used provided SLIC table blob,
-acpitable sig=SLIC,oem_id='CRASH ',oem_table_id="ME",oem_rev=00002210,asl_compiler_id="",asl_compiler_rev=00000000,data=/dev/null
it will assert with:
hw/acpi/aml-build.c:61:build_append_padded_str: assertion failed: (len <= maxlen)
and following backtrace:
...
build_append_padded_str (array=0x555556afe320, str=0x555556afdb2e "CRASH ME", maxlen=0x6, pad=0x20) at hw/acpi/aml-build.c:61
acpi_table_begin (desc=0x7fffffffd1b0, array=0x555556afe320) at hw/acpi/aml-build.c:1727
build_fadt (tbl=0x555556afe320, linker=0x555557ca3830, f=0x7fffffffd318, oem_id=0x555556afdb2e "CRASH ME", oem_table_id=0x555556afdb34 "ME") at hw/acpi/aml-build.c:2064
...
which happens due to acpi_table_begin() expecting NULL terminated
oem_id and oem_table_id strings, which is normally the case, but
in case of user provided SLIC table, oem_id points to table's blob
directly and as result oem_id became longer than expected.
Fix issue by handling oem_id consistently and make acpi_get_slic_oem()
return NULL terminated strings.
PS:
After [1] refactoring, oem_id semantics became inconsistent, where
NULL terminated string was coming from machine and old way pointer
into byte array coming from -acpitable option. That used to work
since build_header() wasn't expecting NULL terminated string and
blindly copied the 1st 6 bytes only.
However commit [2] broke that by replacing build_header() with
acpi_table_begin(), which was expecting NULL terminated string
and was checking oem_id size.
1) 602b45820 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
2)
Fixes: 4b56e1e4eb08 ("acpi: build_fadt: use acpi_table_begin()/acpi_table_end() instead of build_header()")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/786
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20211227193120.1084176-2-imammedo@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Denis Lisov <dennis.lissov@gmail.com>
Tested-by: Alexander Tsoy <alexander@tsoy.me>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 8cdb99af45365727ac17f45239a9b8c1d5155c6d)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/acpi/core.c | 4 ++--
hw/i386/acpi-build.c | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index 1e004d0078..3e811bf03c 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -345,8 +345,8 @@ int acpi_get_slic_oem(AcpiSlicOem *oem)
struct acpi_table_header *hdr = (void *)(u - sizeof(hdr->_length));
if (memcmp(hdr->sig, "SLIC", 4) == 0) {
- oem->id = hdr->oem_id;
- oem->table_id = hdr->oem_table_id;
+ oem->id = g_strndup(hdr->oem_id, 6);
+ oem->table_id = g_strndup(hdr->oem_table_id, 8);
return 0;
}
}
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index a4478e77b7..acc4869db0 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -2726,6 +2726,8 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine)
/* Cleanup memory that's no longer used. */
g_array_free(table_offsets, true);
+ g_free(slic_oem.id);
+ g_free(slic_oem.table_id);
}
static void acpi_ram_update(MemoryRegion *mr, GArray *data)
--
2.27.0

140
SOURCES/kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch Normal file
View File

@ -0,0 +1,140 @@
From c9ceb175667cdeead59384a97a812367ae19c570 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 23 Mar 2022 13:21:40 -0400
Subject: [PATCH 06/18] acpi: pcihp: pcie: set power on cap on parent slot
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 134: pci: expose TYPE_XIO3130_DOWNSTREAM name
RH-Commit: [2/2] d883872647a6e90ec573140b2c171f3f53b600ab (jmaloy/qemu-kvm)
RH-Bugzilla: 2062610
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
BZ: https://bugzilla.redhat.com/2062610
UPSTREAM: merged
BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44038138
commit 6b0969f1ec825984cd74619f0730be421b0c46fb
Author: Igor Mammedov <imammedo@redhat.com>
Date: Tue Mar 1 10:11:59 2022 -0500
acpi: pcihp: pcie: set power on cap on parent slot
on creation a PCIDevice has power turned on at the end of pci_qdev_realize()
however later on if PCIe slot isn't populated with any children
it's power is turned off. It's fine if native hotplug is used
as plug callback will power slot on among other things.
However when ACPI hotplug is enabled it replaces native PCIe plug
callbacks with ACPI specific ones (acpi_pcihp_device_*plug_cb) and
as result slot stays powered off. It works fine as ACPI hotplug
on guest side takes care of enumerating/initializing hotplugged
device. But when later guest is migrated, call chain introduced by]
commit d5daff7d312 (pcie: implement slot power control for pcie root ports)
pcie_cap_slot_post_load()
-> pcie_cap_update_power()
-> pcie_set_power_device()
-> pci_set_power()
-> pci_update_mappings()
will disable earlier initialized BARs for the hotplugged device
in powered off slot due to commit 23786d13441 (pci: implement power state)
which disables BARs if power is off.
Fix it by setting PCI_EXP_SLTCTL_PCC to PCI_EXP_SLTCTL_PWR_ON
on slot (root port/downstream port) at the time a device
hotplugged into it. As result PCI_EXP_SLTCTL_PWR_ON is migrated
to target and above call chain keeps device plugged into it
powered on.
Fixes: d5daff7d312 ("pcie: implement slot power control for pcie root ports")
Fixes: 23786d13441 ("pci: implement power state")
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2053584
Suggested-by: "Michael S. Tsirkin" <mst@redhat.com>
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20220301151200.3507298-3-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 6b0969f1ec825984cd74619f0730be421b0c46fb)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/acpi/pcihp.c | 12 +++++++++++-
hw/pci/pcie.c | 11 +++++++++++
include/hw/pci/pcie.h | 1 +
3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
index a5e182dd3a..be0e846b34 100644
--- a/hw/acpi/pcihp.c
+++ b/hw/acpi/pcihp.c
@@ -32,6 +32,7 @@
#include "hw/pci/pci_bridge.h"
#include "hw/pci/pci_host.h"
#include "hw/pci/pcie_port.h"
+#include "hw/pci-bridge/xio3130_downstream.h"
#include "hw/i386/acpi-build.h"
#include "hw/acpi/acpi.h"
#include "hw/pci/pci_bus.h"
@@ -341,6 +342,8 @@ void acpi_pcihp_device_plug_cb(HotplugHandler *hotplug_dev, AcpiPciHpState *s,
{
PCIDevice *pdev = PCI_DEVICE(dev);
int slot = PCI_SLOT(pdev->devfn);
+ PCIDevice *bridge;
+ PCIBus *bus;
int bsel;
/* Don't send event when device is enabled during qemu machine creation:
@@ -370,7 +373,14 @@ void acpi_pcihp_device_plug_cb(HotplugHandler *hotplug_dev, AcpiPciHpState *s,
return;
}
- bsel = acpi_pcihp_get_bsel(pci_get_bus(pdev));
+ bus = pci_get_bus(pdev);
+ bridge = pci_bridge_get_device(bus);
+ if (object_dynamic_cast(OBJECT(bridge), TYPE_PCIE_ROOT_PORT) ||
+ object_dynamic_cast(OBJECT(bridge), TYPE_XIO3130_DOWNSTREAM)) {
+ pcie_cap_slot_enable_power(bridge);
+ }
+
+ bsel = acpi_pcihp_get_bsel(bus);
g_assert(bsel >= 0);
s->acpi_pcihp_pci_status[bsel].up |= (1U << slot);
acpi_send_event(DEVICE(hotplug_dev), ACPI_PCI_HOTPLUG_STATUS);
diff --git a/hw/pci/pcie.c b/hw/pci/pcie.c
index d7d73a31e4..996f0e24fe 100644
--- a/hw/pci/pcie.c
+++ b/hw/pci/pcie.c
@@ -366,6 +366,17 @@ static void hotplug_event_clear(PCIDevice *dev)
}
}
+void pcie_cap_slot_enable_power(PCIDevice *dev)
+{
+ uint8_t *exp_cap = dev->config + dev->exp.exp_cap;
+ uint32_t sltcap = pci_get_long(exp_cap + PCI_EXP_SLTCAP);
+
+ if (sltcap & PCI_EXP_SLTCAP_PCP) {
+ pci_set_word_by_mask(exp_cap + PCI_EXP_SLTCTL,
+ PCI_EXP_SLTCTL_PCC, PCI_EXP_SLTCTL_PWR_ON);
+ }
+}
+
static void pcie_set_power_device(PCIBus *bus, PCIDevice *dev, void *opaque)
{
bool *power = opaque;
diff --git a/include/hw/pci/pcie.h b/include/hw/pci/pcie.h
index 6063bee0ec..c27368d077 100644
--- a/include/hw/pci/pcie.h
+++ b/include/hw/pci/pcie.h
@@ -112,6 +112,7 @@ void pcie_cap_slot_write_config(PCIDevice *dev,
uint32_t addr, uint32_t val, int len);
int pcie_cap_slot_post_load(void *opaque, int version_id);
void pcie_cap_slot_push_attention_button(PCIDevice *dev);
+void pcie_cap_slot_enable_power(PCIDevice *dev);
void pcie_cap_root_init(PCIDevice *dev);
void pcie_cap_root_reset(PCIDevice *dev);
--
2.27.0

63
SOURCES/kvm-block-Lock-AioContext-for-drain_end-in-blockdev-reop.patch Normal file
View File

@ -0,0 +1,63 @@
From b21fa5ecd9acf2b91839a2915fb4bb39dac4c803 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 3 Feb 2022 15:05:33 +0100
Subject: [PATCH 2/5] block: Lock AioContext for drain_end in blockdev-reopen
RH-Author: Kevin Wolf <kwolf@redhat.com>
RH-MergeRequest: 142: block: Lock AioContext for drain_end in blockdev-reopen
RH-Commit: [1/2] 98de3b5987f88ea6b4b503f623d6c4475574e037
RH-Bugzilla: 2067118
RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
bdrv_subtree_drained_end() requires the caller to hold the AioContext
lock for the drained node. Not doing this for nodes outside of the main
AioContext leads to crashes when AIO_WAIT_WHILE() needs to wait and
tries to temporarily release the lock.
Fixes: 3908b7a8994fa5ef7a89aa58cd5a02fc58141592
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2046659
Reported-by: Qing Wang <qinwang@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20220203140534.36522-2-kwolf@redhat.com>
Reviewed-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit aba8205be0707b9d108e32254e186ba88107a869)
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
blockdev.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/blockdev.c b/blockdev.c
index b35072644e..565f6a81fd 100644
--- a/blockdev.c
+++ b/blockdev.c
@@ -3562,6 +3562,7 @@ void qmp_blockdev_reopen(BlockdevOptionsList *reopen_list, Error **errp)
{
BlockReopenQueue *queue = NULL;
GSList *drained = NULL;
+ GSList *p;
/* Add each one of the BDS that we want to reopen to the queue */
for (; reopen_list != NULL; reopen_list = reopen_list->next) {
@@ -3611,7 +3612,15 @@ void qmp_blockdev_reopen(BlockdevOptionsList *reopen_list, Error **errp)
fail:
bdrv_reopen_queue_free(queue);
- g_slist_free_full(drained, (GDestroyNotify) bdrv_subtree_drained_end);
+ for (p = drained; p; p = p->next) {
+ BlockDriverState *bs = p->data;
+ AioContext *ctx = bdrv_get_aio_context(bs);
+
+ aio_context_acquire(ctx);
+ bdrv_subtree_drained_end(bs);
+ aio_context_release(ctx);
+ }
+ g_slist_free(drained);
}
void qmp_blockdev_del(const char *node_name, Error **errp)
--
2.27.0

129
SOURCES/kvm-block-backend-prevent-dangling-BDS-pointers-across-a.patch Normal file
View File

@ -0,0 +1,129 @@
From bf4c15a3debbe68b6eb25c52174843470a9c014f Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 11 Jan 2022 15:36:12 +0000
Subject: [PATCH 3/6] block-backend: prevent dangling BDS pointers across
aio_poll()
RH-Author: Stefan Hajnoczi <stefanha@redhat.com>
RH-MergeRequest: 109: block-backend: prevent dangling BDS pointers across aio_poll()
RH-Commit: [1/2] da5a59eddff0dc10be7de8e291fa675143d11d73
RH-Bugzilla: 2021778 2036178
RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
The BlockBackend root child can change when aio_poll() is invoked. This
happens when a temporary filter node is removed upon blockjob
completion, for example.
Functions in block/block-backend.c must be aware of this when using a
blk_bs() pointer across aio_poll() because the BlockDriverState refcnt
may reach 0, resulting in a stale pointer.
One example is scsi_device_purge_requests(), which calls blk_drain() to
wait for in-flight requests to cancel. If the backup blockjob is active,
then the BlockBackend root child is a temporary filter BDS owned by the
blockjob. The blockjob can complete during bdrv_drained_begin() and the
last reference to the BDS is released when the temporary filter node is
removed. This results in a use-after-free when blk_drain() calls
bdrv_drained_end(bs) on the dangling pointer.
Explicitly hold a reference to bs across block APIs that invoke
aio_poll().
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2021778
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2036178
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20220111153613.25453-2-stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 1e3552dbd28359d35967b7c28dc86cde1bc29205)
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
block/block-backend.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/block/block-backend.c b/block/block-backend.c
index 12ef80ea17..23e727199b 100644
--- a/block/block-backend.c
+++ b/block/block-backend.c
@@ -822,16 +822,22 @@ BlockBackend *blk_by_public(BlockBackendPublic *public)
void blk_remove_bs(BlockBackend *blk)
{
ThrottleGroupMember *tgm = &blk->public.throttle_group_member;
- BlockDriverState *bs;
BdrvChild *root;
notifier_list_notify(&blk->remove_bs_notifiers, blk);
if (tgm->throttle_state) {
- bs = blk_bs(blk);
+ BlockDriverState *bs = blk_bs(blk);
+
+ /*
+ * Take a ref in case blk_bs() changes across bdrv_drained_begin(), for
+ * example, if a temporary filter node is removed by a blockjob.
+ */
+ bdrv_ref(bs);
bdrv_drained_begin(bs);
throttle_group_detach_aio_context(tgm);
throttle_group_attach_aio_context(tgm, qemu_get_aio_context());
bdrv_drained_end(bs);
+ bdrv_unref(bs);
}
blk_update_root_state(blk);
@@ -1705,6 +1711,7 @@ void blk_drain(BlockBackend *blk)
BlockDriverState *bs = blk_bs(blk);
if (bs) {
+ bdrv_ref(bs);
bdrv_drained_begin(bs);
}
@@ -1714,6 +1721,7 @@ void blk_drain(BlockBackend *blk)
if (bs) {
bdrv_drained_end(bs);
+ bdrv_unref(bs);
}
}
@@ -2044,10 +2052,13 @@ static int blk_do_set_aio_context(BlockBackend *blk, AioContext *new_context,
int ret;
if (bs) {
+ bdrv_ref(bs);
+
if (update_root_node) {
ret = bdrv_child_try_set_aio_context(bs, new_context, blk->root,
errp);
if (ret < 0) {
+ bdrv_unref(bs);
return ret;
}
}
@@ -2057,6 +2068,8 @@ static int blk_do_set_aio_context(BlockBackend *blk, AioContext *new_context,
throttle_group_attach_aio_context(tgm, new_context);
bdrv_drained_end(bs);
}
+
+ bdrv_unref(bs);
}
blk->ctx = new_context;
@@ -2326,11 +2339,13 @@ void blk_io_limits_disable(BlockBackend *blk)
ThrottleGroupMember *tgm = &blk->public.throttle_group_member;
assert(tgm->throttle_state);
if (bs) {
+ bdrv_ref(bs);
bdrv_drained_begin(bs);
}
throttle_group_unregister_tgm(tgm);
if (bs) {
bdrv_drained_end(bs);
+ bdrv_unref(bs);
}
}
--
2.27.0

56
SOURCES/kvm-block-io-Update-BSC-only-if-want_zero-is-true.patch Normal file
View File

@ -0,0 +1,56 @@
From 4c6eff78f4b31ec4bd7b42440396760d19fde63e Mon Sep 17 00:00:00 2001
From: Hanna Reitz <hreitz@redhat.com>
Date: Tue, 18 Jan 2022 17:59:59 +0100
Subject: [PATCH 6/7] block/io: Update BSC only if want_zero is true
RH-Author: Hanna Reitz <hreitz@redhat.com>
RH-MergeRequest: 112: block/io: Update BSC only if want_zero is true
RH-Commit: [1/2] a202de1f52110d1e871c3b5b58f2d9e9b5d17570
RH-Bugzilla: 2041480
RH-Acked-by: Eric Blake <eblake@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
We update the block-status cache whenever we get new information from a
bdrv_co_block_status() call to the block driver. However, if we have
passed want_zero=false to that call, it may flag areas containing zeroes
as data, and so we would update the block-status cache with wrong
information.
Therefore, we should not update the cache with want_zero=false.
Reported-by: Nir Soffer <nsoffer@redhat.com>
Fixes: 0bc329fbb00 ("block: block-status cache for data regions")
Reviewed-by: Nir Soffer <nsoffer@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20220118170000.49423-2-hreitz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 113b727ce788335cf76f65355d670c9bc130fd75)
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
---
block/io.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/block/io.c b/block/io.c
index bb0a254def..4e4cb556c5 100644
--- a/block/io.c
+++ b/block/io.c
@@ -2497,8 +2497,12 @@ static int coroutine_fn bdrv_co_block_status(BlockDriverState *bs,
* non-protocol nodes, and then it is never used. However, filling
* the cache requires an RCU update, so double check here to avoid
* such an update if possible.
+ *
+ * Check want_zero, because we only want to update the cache when we
+ * have accurate information about what is zero and what is data.
*/
- if (ret == (BDRV_BLOCK_DATA | BDRV_BLOCK_OFFSET_VALID) &&
+ if (want_zero &&
+ ret == (BDRV_BLOCK_DATA | BDRV_BLOCK_OFFSET_VALID) &&
QLIST_EMPTY(&bs->children))
{
/*
--
2.27.0

52
SOURCES/kvm-block-nbd-Assert-there-are-no-timers-when-closed.patch Normal file
View File

@ -0,0 +1,52 @@
From d5a85fcf996948d1154e88e9ee3b4e8c64ec2694 Mon Sep 17 00:00:00 2001
From: Hanna Reitz <hreitz@redhat.com>
Date: Fri, 4 Feb 2022 12:10:08 +0100
Subject: [PATCH 2/6] block/nbd: Assert there are no timers when closed
RH-Author: Hanna Reitz <hreitz@redhat.com>
RH-MergeRequest: 117: block/nbd: Handle AioContext changes
RH-Commit: [2/6] 995795ae9844a7d2b28cb1e57fd7fe81482d0205
RH-Bugzilla: 2035185
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Eric Blake <eblake@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Our two timers must not remain armed beyond nbd_clear_bdrvstate(), or
they will access freed data when they fire.
This patch is separate from the patches that actually fix the issue
(HEAD^^ and HEAD^) so that you can run the associated regression iotest
(281) on a configuration that reproducibly exposes the bug.
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
(cherry picked from commit 8a39c381e5e407d2fe5500324323f90a8540fa90)
Conflict:
- block/nbd.c: open_timer was introduced after the 6.2 release (for
nbd's @open-timeout parameter), and has not been backported, so drop
the assertion that it is NULL
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
---
block/nbd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/block/nbd.c b/block/nbd.c
index b8e5a9b4cc..aab20125d8 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -108,6 +108,9 @@ static void nbd_clear_bdrvstate(BlockDriverState *bs)
yank_unregister_instance(BLOCKDEV_YANK_INSTANCE(bs->node_name));
+ /* Must not leave timers behind that would access freed data */
+ assert(!s->reconnect_delay_timer);
+
object_unref(OBJECT(s->tlscreds));
qapi_free_SocketAddress(s->saddr);
s->saddr = NULL;
--
2.27.0

54
SOURCES/kvm-block-nbd-Delete-reconnect-delay-timer-when-done.patch Normal file
View File

@ -0,0 +1,54 @@
From 8e23c0f208c6bd5bb64c4f6e4863b93fa6f4e9de Mon Sep 17 00:00:00 2001
From: Hanna Reitz <hreitz@redhat.com>
Date: Fri, 4 Feb 2022 12:10:06 +0100
Subject: [PATCH 1/6] block/nbd: Delete reconnect delay timer when done
RH-Author: Hanna Reitz <hreitz@redhat.com>
RH-MergeRequest: 117: block/nbd: Handle AioContext changes
RH-Commit: [1/6] 70814602a8a43a7c14857d76266d82b1aa5174a9
RH-Bugzilla: 2035185
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Eric Blake <eblake@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
We start the reconnect delay timer to cancel the reconnection attempt
after a while. Once nbd_co_do_establish_connection() has returned, this
attempt is over, and we no longer need the timer.
Delete it before returning from nbd_reconnect_attempt(), so that it does
not persist beyond the I/O request that was paused for reconnecting; we
do not want it to fire in a drained section, because all sort of things
can happen in such a section (e.g. the AioContext might be changed, and
we do not want the timer to fire in the wrong context; or the BDS might
even be deleted, and so the timer CB would access already-freed data).
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
(cherry picked from commit 3ce1fc16bad9c3f8b7b10b451a224d6d76e5c551)
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
---
block/nbd.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/block/nbd.c b/block/nbd.c
index 5ef462db1b..b8e5a9b4cc 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -353,6 +353,13 @@ static coroutine_fn void nbd_reconnect_attempt(BDRVNBDState *s)
}
nbd_co_do_establish_connection(s->bs, NULL);
+
+ /*
+ * The reconnect attempt is done (maybe successfully, maybe not), so
+ * we no longer need this timer. Delete it so it will not outlive
+ * this I/O request (so draining removes all timers).
+ */
+ reconnect_delay_timer_del(s);
}
static coroutine_fn int nbd_receive_replies(BDRVNBDState *s, uint64_t handle)
--
2.27.0

107
SOURCES/kvm-block-nbd-Move-s-ioc-on-AioContext-change.patch Normal file
View File

@ -0,0 +1,107 @@
From c7f63e7bbc5119d92775e20d1ebbf8280c78b732 Mon Sep 17 00:00:00 2001
From: Hanna Reitz <hreitz@redhat.com>
Date: Fri, 4 Feb 2022 12:10:11 +0100
Subject: [PATCH 5/6] block/nbd: Move s->ioc on AioContext change
RH-Author: Hanna Reitz <hreitz@redhat.com>
RH-MergeRequest: 117: block/nbd: Handle AioContext changes
RH-Commit: [5/6] 107757b9fbadfb832c75521317108525daa4174e
RH-Bugzilla: 2035185
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Eric Blake <eblake@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
s->ioc must always be attached to the NBD node's AioContext. If that
context changes, s->ioc must be attached to the new context.
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2033626
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
(cherry picked from commit e15f3a66c830e3fce99c9d56c493c2f7078a1225)
Conflict:
- block/nbd.c: open_timer was added after the 6.2 release, so we need
not (and cannot) assert it is NULL here.
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
---
block/nbd.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/block/nbd.c b/block/nbd.c
index aab20125d8..a3896c7f5f 100644
--- a/block/nbd.c
+++ b/block/nbd.c
@@ -2003,6 +2003,38 @@ static void nbd_cancel_in_flight(BlockDriverState *bs)
nbd_co_establish_connection_cancel(s->conn);
}
+static void nbd_attach_aio_context(BlockDriverState *bs,
+ AioContext *new_context)
+{
+ BDRVNBDState *s = bs->opaque;
+
+ /*
+ * The reconnect_delay_timer is scheduled in I/O paths when the
+ * connection is lost, to cancel the reconnection attempt after a
+ * given time. Once this attempt is done (successfully or not),
+ * nbd_reconnect_attempt() ensures the timer is deleted before the
+ * respective I/O request is resumed.
+ * Since the AioContext can only be changed when a node is drained,
+ * the reconnect_delay_timer cannot be active here.
+ */
+ assert(!s->reconnect_delay_timer);
+
+ if (s->ioc) {
+ qio_channel_attach_aio_context(s->ioc, new_context);
+ }
+}
+
+static void nbd_detach_aio_context(BlockDriverState *bs)
+{
+ BDRVNBDState *s = bs->opaque;
+
+ assert(!s->reconnect_delay_timer);
+
+ if (s->ioc) {
+ qio_channel_detach_aio_context(s->ioc);
+ }
+}
+
static BlockDriver bdrv_nbd = {
.format_name = "nbd",
.protocol_name = "nbd",
@@ -2026,6 +2058,9 @@ static BlockDriver bdrv_nbd = {
.bdrv_dirname = nbd_dirname,
.strong_runtime_opts = nbd_strong_runtime_opts,
.bdrv_cancel_in_flight = nbd_cancel_in_flight,
+
+ .bdrv_attach_aio_context = nbd_attach_aio_context,
+ .bdrv_detach_aio_context = nbd_detach_aio_context,
};
static BlockDriver bdrv_nbd_tcp = {
@@ -2051,6 +2086,9 @@ static BlockDriver bdrv_nbd_tcp = {
.bdrv_dirname = nbd_dirname,
.strong_runtime_opts = nbd_strong_runtime_opts,
.bdrv_cancel_in_flight = nbd_cancel_in_flight,
+
+ .bdrv_attach_aio_context = nbd_attach_aio_context,
+ .bdrv_detach_aio_context = nbd_detach_aio_context,
};
static BlockDriver bdrv_nbd_unix = {
@@ -2076,6 +2114,9 @@ static BlockDriver bdrv_nbd_unix = {
.bdrv_dirname = nbd_dirname,
.strong_runtime_opts = nbd_strong_runtime_opts,
.bdrv_cancel_in_flight = nbd_cancel_in_flight,
+
+ .bdrv_attach_aio_context = nbd_attach_aio_context,
+ .bdrv_detach_aio_context = nbd_detach_aio_context,
};
static void bdrv_nbd_init(void)
--
2.27.0

59
SOURCES/kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch Normal file
View File

@ -0,0 +1,59 @@
From f4b7133d7aeb1d0b9115d01b5cff4df7f6b24e78 Mon Sep 17 00:00:00 2001
From: Peter Lieven <pl@kamp.de>
Date: Thu, 13 Jan 2022 15:44:25 +0100
Subject: [PATCH 5/6] block/rbd: fix handling of holes in .bdrv_co_block_status
RH-Author: Stefano Garzarella <sgarzare@redhat.com>
RH-MergeRequest: 110: block/rbd: fix handling of holes in .bdrv_co_block_status
RH-Commit: [1/2] 352656a5c77cc7855b476c3559a10c6aa64a4f58
RH-Bugzilla: 2037135
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
the assumption that we can't hit a hole if we do not diff against a snapshot was wrong.
We can see a hole in an image if we diff against base if there exists an older snapshot
of the image and we have discarded blocks in the image where the snapshot has data.
Fix this by simply handling a hole like an unallocated area. There are no callbacks
for unallocated areas so just bail out if we hit a hole.
Fixes: 0347a8fd4c3faaedf119be04c197804be40a384b
Suggested-by: Ilya Dryomov <idryomov@gmail.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <20220113144426.4036493-2-pl@kamp.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 9e302f64bb407a9bb097b626da97228c2654cfee)
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
block/rbd.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/block/rbd.c b/block/rbd.c
index def96292e0..20bb896c4a 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -1279,11 +1279,11 @@ static int qemu_rbd_diff_iterate_cb(uint64_t offs, size_t len,
RBDDiffIterateReq *req = opaque;
assert(req->offs + req->bytes <= offs);
- /*
- * we do not diff against a snapshot so we should never receive a callback
- * for a hole.
- */
- assert(exists);
+
+ /* treat a hole like an unallocated area and bail out */
+ if (!exists) {
+ return 0;
+ }
if (!req->exists && offs > req->offs) {
/*
--
2.27.0

103
SOURCES/kvm-block-rbd-workaround-for-ceph-issue-53784.patch Normal file
View File

@ -0,0 +1,103 @@
From 8c50eedf03d8e62acd387b9aa9369dadcea9324c Mon Sep 17 00:00:00 2001
From: Peter Lieven <pl@kamp.de>
Date: Thu, 13 Jan 2022 15:44:26 +0100
Subject: [PATCH 6/6] block/rbd: workaround for ceph issue #53784
RH-Author: Stefano Garzarella <sgarzare@redhat.com>
RH-MergeRequest: 110: block/rbd: fix handling of holes in .bdrv_co_block_status
RH-Commit: [2/2] 1384557462e89bb539d0d25a1a471ad738fb9e89
RH-Bugzilla: 2037135
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
librbd had a bug until early 2022 that affected all versions of ceph that
supported fast-diff. This bug results in reporting of incorrect offsets
if the offset parameter to rbd_diff_iterate2 is not object aligned.
This patch works around this bug for pre Quincy versions of librbd.
Fixes: 0347a8fd4c3faaedf119be04c197804be40a384b
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <20220113144426.4036493-3-pl@kamp.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Tested-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit fc176116cdea816ceb8dd969080b2b95f58edbc0)
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
block/rbd.c | 42 ++++++++++++++++++++++++++++++++++++++++--
1 file changed, 40 insertions(+), 2 deletions(-)
diff --git a/block/rbd.c b/block/rbd.c
index 20bb896c4a..8f183eba2a 100644
--- a/block/rbd.c
+++ b/block/rbd.c
@@ -1320,6 +1320,7 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
int status, r;
RBDDiffIterateReq req = { .offs = offset };
uint64_t features, flags;
+ uint64_t head = 0;
assert(offset + bytes <= s->image_size);
@@ -1347,7 +1348,43 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
return status;
}
- r = rbd_diff_iterate2(s->image, NULL, offset, bytes, true, true,
+#if LIBRBD_VERSION_CODE < LIBRBD_VERSION(1, 17, 0)
+ /*
+ * librbd had a bug until early 2022 that affected all versions of ceph that
+ * supported fast-diff. This bug results in reporting of incorrect offsets
+ * if the offset parameter to rbd_diff_iterate2 is not object aligned.
+ * Work around this bug by rounding down the offset to object boundaries.
+ * This is OK because we call rbd_diff_iterate2 with whole_object = true.
+ * However, this workaround only works for non cloned images with default
+ * striping.
+ *
+ * See: https://tracker.ceph.com/issues/53784
+ */
+
+ /* check if RBD image has non-default striping enabled */
+ if (features & RBD_FEATURE_STRIPINGV2) {
+ return status;
+ }
+
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+ /*
+ * check if RBD image is a clone (= has a parent).
+ *
+ * rbd_get_parent_info is deprecated from Nautilus onwards, but the
+ * replacement rbd_get_parent is not present in Luminous and Mimic.
+ */
+ if (rbd_get_parent_info(s->image, NULL, 0, NULL, 0, NULL, 0) != -ENOENT) {
+ return status;
+ }
+#pragma GCC diagnostic pop
+
+ head = req.offs & (s->object_size - 1);
+ req.offs -= head;
+ bytes += head;
+#endif
+
+ r = rbd_diff_iterate2(s->image, NULL, req.offs, bytes, true, true,
qemu_rbd_diff_iterate_cb, &req);
if (r < 0 && r != QEMU_RBD_EXIT_DIFF_ITERATE2) {
return status;
@@ -1366,7 +1403,8 @@ static int coroutine_fn qemu_rbd_co_block_status(BlockDriverState *bs,
status = BDRV_BLOCK_ZERO | BDRV_BLOCK_OFFSET_VALID;
}
- *pnum = req.bytes;
+ assert(req.bytes > head);
+ *pnum = req.bytes - head;
return status;
}
--
2.27.0

58
SOURCES/kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch Normal file
View File

@ -0,0 +1,58 @@
From abd84f26e0fe0bc9952d91fbd35fb3a7253cfecf Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@rehat.com>
Date: Wed, 13 Apr 2022 20:54:45 -0400
Subject: [PATCH 1/2] display/qxl-render: fix race condition in qxl_cursor
(CVE-2021-4207)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 152: display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
RH-Commit: [1/1] f05b9a956f2e0ca522b5be127beff813d04b5588 (jmaloy/qemu-kvm)
RH-Bugzilla: 2040738
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Acked-by: Mauro Matteo Cascella <None>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2040738
Upstream: Merged
CVE: CVE-2021-4207
commit 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895
Author: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Thu Apr 7 10:11:06 2022 +0200
display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
Avoid fetching 'width' and 'height' a second time to prevent possible
race condition. Refer to security advisory
https://starlabs.sg/advisories/22-4207/ for more information.
Fixes: CVE-2021-4207
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220407081106.343235-1-mcascell@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/display/qxl-render.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index d28849b121..237ed293ba 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor,
}
break;
case SPICE_CURSOR_TYPE_ALPHA:
- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height;
+ size = sizeof(uint32_t) * c->width * c->height;
qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id);
if (qxl->debug > 2) {
cursor_print_ascii_art(c, "qxl/alpha");
--
2.27.0

77
SOURCES/kvm-doc-Add-the-SGX-numa-description.patch Normal file
View File

@ -0,0 +1,77 @@
From e8377e3f4d540e2594a50985523e87d1f3cabbc7 Mon Sep 17 00:00:00 2001
From: Yang Zhong <yang.zhong@intel.com>
Date: Mon, 1 Nov 2021 12:20:08 -0400
Subject: [PATCH 3/7] doc: Add the SGX numa description
RH-Author: Paul Lai <None>
RH-MergeRequest: 111: numa: Enable numa for SGX EPC sections
RH-Commit: [3/5] 41c74688c9662b966c243566a837135ff52341c4
RH-Bugzilla: 1518984
RH-Acked-by: Paolo Bonzini <None>
RH-Acked-by: Bandan Das <None>
RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
Add the SGX numa reference command and how to check if
SGX numa is support or not with multiple EPC sections.
Signed-off-by: Yang Zhong <yang.zhong@intel.com>
Message-Id: <20211101162009.62161-5-yang.zhong@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d1889b36098c79e2e6ac90faf3d0dc5ec0057677)
Signed-off-by: Paul Lai <plai@redhat.com>
---
docs/system/i386/sgx.rst | 31 +++++++++++++++++++++++++++----
1 file changed, 27 insertions(+), 4 deletions(-)
diff --git a/docs/system/i386/sgx.rst b/docs/system/i386/sgx.rst
index f8fade5ac2..0f0a73f758 100644
--- a/docs/system/i386/sgx.rst
+++ b/docs/system/i386/sgx.rst
@@ -141,8 +141,7 @@ To launch a SGX guest:
|qemu_system_x86| \\
-cpu host,+sgx-provisionkey \\
-object memory-backend-epc,id=mem1,size=64M,prealloc=on \\
- -object memory-backend-epc,id=mem2,size=28M \\
- -M sgx-epc.0.memdev=mem1,sgx-epc.1.memdev=mem2
+ -M sgx-epc.0.memdev=mem1,sgx-epc.0.node=0
Utilizing SGX in the guest requires a kernel/OS with SGX support.
The support can be determined in guest by::
@@ -152,8 +151,32 @@ The support can be determined in guest by::
and SGX epc info by::
$ dmesg | grep sgx
- [ 1.242142] sgx: EPC section 0x180000000-0x181bfffff
- [ 1.242319] sgx: EPC section 0x181c00000-0x1837fffff
+ [ 0.182807] sgx: EPC section 0x140000000-0x143ffffff
+ [ 0.183695] sgx: [Firmware Bug]: Unable to map EPC section to online node. Fallback to the NUMA node 0.
+
+To launch a SGX numa guest:
+
+.. parsed-literal::
+
+ |qemu_system_x86| \\
+ -cpu host,+sgx-provisionkey \\
+ -object memory-backend-ram,size=2G,host-nodes=0,policy=bind,id=node0 \\
+ -object memory-backend-epc,id=mem0,size=64M,prealloc=on,host-nodes=0,policy=bind \\
+ -numa node,nodeid=0,cpus=0-1,memdev=node0 \\
+ -object memory-backend-ram,size=2G,host-nodes=1,policy=bind,id=node1 \\
+ -object memory-backend-epc,id=mem1,size=28M,prealloc=on,host-nodes=1,policy=bind \\
+ -numa node,nodeid=1,cpus=2-3,memdev=node1 \\
+ -M sgx-epc.0.memdev=mem0,sgx-epc.0.node=0,sgx-epc.1.memdev=mem1,sgx-epc.1.node=1
+
+and SGX epc numa info by::
+
+ $ dmesg | grep sgx
+ [ 0.369937] sgx: EPC section 0x180000000-0x183ffffff
+ [ 0.370259] sgx: EPC section 0x184000000-0x185bfffff
+
+ $ dmesg | grep SRAT
+ [ 0.009981] ACPI: SRAT: Node 0 PXM 0 [mem 0x180000000-0x183ffffff]
+ [ 0.009982] ACPI: SRAT: Node 1 PXM 1 [mem 0x184000000-0x185bfffff]
References
----------
--
2.27.0

75
SOURCES/kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch Normal file
View File

@ -0,0 +1,75 @@
From 2db3d0de1be018f14cb91fdd4a368996b09d8bec Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 13 Apr 2022 14:51:06 -0400
Subject: [PATCH 1/3] hw/intc/arm_gicv3: Check for !MEMTX_OK instead of
MEMTX_ERROR
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 151: hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR
RH-Commit: [1/3] 561c9c2b1249f07d33013040b1c495ed1fbf825b (jmaloy/qemu-kvm)
RH-Bugzilla: 1999236
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Peter Xu <peterx@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999236
Upstream: Merged
CVE: CVE-2021-3750
commit b9d383ab797f54ae5fa8746117770709921dc529
Author: Philippe Mathieu-Daudé <philmd@redhat.com>
Date: Wed Dec 15 19:24:19 2021 +0100
hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR
Quoting Peter Maydell:
"These MEMTX_* aren't from the memory transaction
API functions; they're just being used by gicd_readl() and
friends as a way to indicate a success/failure so that the
actual MemoryRegionOps read/write fns like gicv3_dist_read()
can log a guest error."
We are going to introduce more MemTxResult bits, so it is
safer to check for !MEMTX_OK rather than MEMTX_ERROR.
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit b9d383ab797f54ae5fa8746117770709921dc529)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/intc/arm_gicv3_redist.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/intc/arm_gicv3_redist.c b/hw/intc/arm_gicv3_redist.c
index c8ff3eca08..99b11ca5ee 100644
--- a/hw/intc/arm_gicv3_redist.c
+++ b/hw/intc/arm_gicv3_redist.c
@@ -462,7 +462,7 @@ MemTxResult gicv3_redist_read(void *opaque, hwaddr offset, uint64_t *data,
break;
}
- if (r == MEMTX_ERROR) {
+ if (r != MEMTX_OK) {
qemu_log_mask(LOG_GUEST_ERROR,
"%s: invalid guest read at offset " TARGET_FMT_plx
" size %u\n", __func__, offset, size);
@@ -521,7 +521,7 @@ MemTxResult gicv3_redist_write(void *opaque, hwaddr offset, uint64_t data,
break;
}
- if (r == MEMTX_ERROR) {
+ if (r != MEMTX_OK) {
qemu_log_mask(LOG_GUEST_ERROR,
"%s: invalid guest write at offset " TARGET_FMT_plx
" size %u\n", __func__, offset, size);
--
2.27.0

66
SOURCES/kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch Normal file
View File

@ -0,0 +1,66 @@
From f0115d856f46e65e3b62896f84fe1902a958bf79 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 22 Mar 2022 19:23:36 -0400
Subject: [PATCH 04/18] hw/virtio: vdpa: Fix leak of host-notifier
memory-region
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 132: hw/virtio: vdpa: Fix leak of host-notifier memory-region
RH-Commit: [1/1] b3cec35d185e3b9844a458f5c51c5d5ef7e3d8f1 (jmaloy/qemu-kvm)
RH-Bugzilla: 2060843
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
BZ: https://bugzilla.redhat.com/2060843
UPSTREAM: no
BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44038138
commit 98f7607ecda00dea3cbb2ed7b4427c96846efb83
Author: Laurent Vivier <lvivier@redhat.com>
Date: Fri Feb 11 18:02:59 2022 +0100
hw/virtio: vdpa: Fix leak of host-notifier memory-region
If call virtio_queue_set_host_notifier_mr fails, should free
host-notifier memory-region.
This problem can trigger a coredump with some vDPA drivers (mlx5,
but not with the vdpasim), if we unplug the virtio-net card from
the guest after a stop/start.
The same fix has been done for vhost-user:
1f89d3b91e3e ("hw/virtio: Fix leak of host-notifier memory-region")
Fixes: d0416d487bd5 ("vhost-vdpa: map virtqueue notification area if possible")
Cc: jasowang@redhat.com
Resolves: https://bugzilla.redhat.com/2027208
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-Id: <20220211170259.1388734-1-lvivier@redhat.com>
Cc: qemu-stable@nongnu.org
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 98f7607ecda00dea3cbb2ed7b4427c96846efb83)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/virtio/vhost-vdpa.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/virtio/vhost-vdpa.c b/hw/virtio/vhost-vdpa.c
index bcaf00e09f..78da48a333 100644
--- a/hw/virtio/vhost-vdpa.c
+++ b/hw/virtio/vhost-vdpa.c
@@ -415,6 +415,7 @@ static int vhost_vdpa_host_notifier_init(struct vhost_dev *dev, int queue_index)
g_free(name);
if (virtio_queue_set_host_notifier_mr(vdev, queue_index, &n->mr, true)) {
+ object_unparent(OBJECT(&n->mr));
munmap(addr, page_size);
goto err;
}
--
2.27.0

59
SOURCES/kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch Normal file
View File

@ -0,0 +1,59 @@
From ccaa1135bd1aa90c94f0e8b5417bd2a420134e6c Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 30 Mar 2022 14:52:34 -0400
Subject: [PATCH 08/18] i386: Add Icelake-Server-v6 CPU model with 5-level EPT
support
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 139: vmxcap: Add 5-level EPT bit
RH-Commit: [2/2] e913746b2df9cbd0308014ab5cc72577458857fa (jmaloy/qemu-kvm)
RH-Bugzilla: 2065207
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2065207
UPSTREAM: Merged
commit: 12cab535db6440af41ed8dfefe908a594321b6ce
Author: Vitaly Kuznetsov <vkuznets@redhat.com>
Date: Mon Feb 21 15:53:15 2022 +0100
i386: Add Icelake-Server-v6 CPU model with 5-level EPT support
Windows 11 with WSL2 enabled (Hyper-V) fails to boot with Icelake-Server
{-v5} CPU model but boots well with '-cpu host'. Apparently, it expects
5-level paging and 5-level EPT support to come in pair but QEMU's
Icelake-Server CPU model lacks the later. Introduce 'Icelake-Server-v6'
CPU model with 'vmx-page-walk-5' enabled by default.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20220221145316.576138-1-vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 12cab535db6440af41ed8dfefe908a594321b6ce)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
target/i386/cpu.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index aa9e636800..6e25d13339 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -3505,6 +3505,14 @@ static const X86CPUDefinition builtin_x86_defs[] = {
{ /* end of list */ }
},
},
+ {
+ .version = 6,
+ .note = "5-level EPT",
+ .props = (PropValue[]) {
+ { "vmx-page-walk-5", "on" },
+ { /* end of list */ }
+ },
+ },
{ /* end of list */ }
}
},
--
2.27.0

108
SOURCES/kvm-iotests-281-Let-NBD-connection-yield-in-iothread.patch Normal file
View File

@ -0,0 +1,108 @@
From 2ed48247fd39ade97164dee3c65162b96a116f14 Mon Sep 17 00:00:00 2001
From: Hanna Reitz <hreitz@redhat.com>
Date: Fri, 4 Feb 2022 12:10:12 +0100
Subject: [PATCH 6/6] iotests/281: Let NBD connection yield in iothread
RH-Author: Hanna Reitz <hreitz@redhat.com>
RH-MergeRequest: 117: block/nbd: Handle AioContext changes
RH-Commit: [6/6] a23706f34022d301eb7ffc84fc0d0a77d72b9844
RH-Bugzilla: 2035185
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Eric Blake <eblake@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Put an NBD block device into an I/O thread, and then read data from it,
hoping that the NBD connection will yield during that read. When it
does, the coroutine must be reentered in the block device's I/O thread,
which will only happen if the NBD block driver attaches the connection's
QIOChannel to the new AioContext. It did not do that after 4ddb5d2fde
("block/nbd: drop connection_co") and prior to "block/nbd: Move s->ioc
on AioContext change", which would cause an assertion failure.
To improve our chances of yielding, the NBD server is throttled to
reading 64 kB/s, and the NBD client reads 128 kB, so it should yield at
some point.
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
(cherry picked from commit 8cfbe929e8c26050f0a4580a1606a370a947d4ce)
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
---
tests/qemu-iotests/281 | 28 +++++++++++++++++++++++++---
tests/qemu-iotests/281.out | 4 ++--
2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/tests/qemu-iotests/281 b/tests/qemu-iotests/281
index 13c588be75..b2ead7f388 100755
--- a/tests/qemu-iotests/281
+++ b/tests/qemu-iotests/281
@@ -253,8 +253,9 @@ class TestYieldingAndTimers(iotests.QMPTestCase):
self.create_nbd_export()
# Simple VM with an NBD block device connected to the NBD export
- # provided by the QSD
+ # provided by the QSD, and an (initially unused) iothread
self.vm = iotests.VM()
+ self.vm.add_object('iothread,id=iothr')
self.vm.add_blockdev('nbd,node-name=nbd,server.type=unix,' +
f'server.path={self.sock},export=exp,' +
'reconnect-delay=1')
@@ -293,19 +294,40 @@ class TestYieldingAndTimers(iotests.QMPTestCase):
# thus not see the error, and so the test will pass.)
time.sleep(2)
+ def test_yield_in_iothread(self):
+ # Move the NBD node to the I/O thread; the NBD block driver should
+ # attach the connection's QIOChannel to that thread's AioContext, too
+ result = self.vm.qmp('x-blockdev-set-iothread',
+ node_name='nbd', iothread='iothr')
+ self.assert_qmp(result, 'return', {})
+
+ # Do some I/O that will be throttled by the QSD, so that the network
+ # connection hopefully will yield here. When it is resumed, it must
+ # then be resumed in the I/O thread's AioContext.
+ result = self.vm.qmp('human-monitor-command',
+ command_line='qemu-io nbd "read 0 128K"')
+ self.assert_qmp(result, 'return', '')
+
def create_nbd_export(self):
assert self.qsd is None
- # Simple NBD export of a null-co BDS
+ # Export a throttled null-co BDS: Reads are throttled (max 64 kB/s),
+ # writes are not.
self.qsd = QemuStorageDaemon(
+ '--object',
+ 'throttle-group,id=thrgr,x-bps-read=65536,x-bps-read-max=65536',
+
'--blockdev',
'null-co,node-name=null,read-zeroes=true',
+ '--blockdev',
+ 'throttle,node-name=thr,file=null,throttle-group=thrgr',
+
'--nbd-server',
f'addr.type=unix,addr.path={self.sock}',
'--export',
- 'nbd,id=exp,node-name=null,name=exp,writable=true'
+ 'nbd,id=exp,node-name=thr,name=exp,writable=true'
)
def stop_nbd_export(self):
diff --git a/tests/qemu-iotests/281.out b/tests/qemu-iotests/281.out
index 914e3737bd..3f8a935a08 100644
--- a/tests/qemu-iotests/281.out
+++ b/tests/qemu-iotests/281.out
@@ -1,5 +1,5 @@
-.....
+......
----------------------------------------------------------------------
-Ran 5 tests
+Ran 6 tests
OK
--
2.27.0

174
SOURCES/kvm-iotests-281-Test-lingering-timers.patch Normal file
View File

@ -0,0 +1,174 @@
From b56684f6c1bef4fb5bf87ac5a1106d3830c05ad0 Mon Sep 17 00:00:00 2001
From: Hanna Reitz <hreitz@redhat.com>
Date: Fri, 4 Feb 2022 12:10:10 +0100
Subject: [PATCH 4/6] iotests/281: Test lingering timers
RH-Author: Hanna Reitz <hreitz@redhat.com>
RH-MergeRequest: 117: block/nbd: Handle AioContext changes
RH-Commit: [4/6] aaad466941637a34224dc037bbea37d128b5676b
RH-Bugzilla: 2035185
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Eric Blake <eblake@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
Prior to "block/nbd: Delete reconnect delay timer when done" and
"block/nbd: Delete open timer when done", both of those timers would
remain scheduled even after successfully (re-)connecting to the server,
and they would not even be deleted when the BDS is deleted.
This test constructs exactly this situation:
(1) Configure an @open-timeout, so the open timer is armed, and
(2) Configure a @reconnect-delay and trigger a reconnect situation
(which succeeds immediately), so the reconnect delay timer is armed.
Then we immediately delete the BDS, and sleep for longer than the
@open-timeout and @reconnect-delay. Prior to said patches, this caused
one (or both) of the timer CBs to access already-freed data.
Accessing freed data may or may not crash, so this test can produce
false successes, but I do not know how to show the problem in a better
or more reliable way. If you run this test on "block/nbd: Assert there
are no timers when closed" and without the fix patches mentioned above,
you should reliably see an assertion failure.
(But all other tests that use the reconnect delay timer (264 and 277)
will fail in that configuration, too; as will nbd-reconnect-on-open,
which uses the open timer.)
Remove this test from the quick group because of the two second sleep
this patch introduces.
(I decided to put this test case into 281, because the main bug this
series addresses is in the interaction of the NBD block driver and I/O
threads, which is precisely the scope of 281. The test case for that
other bug will also be put into the test class added here.
Also, excuse the test class's name, I couldn't come up with anything
better. The "yield" part will make sense two patches from now.)
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
(cherry picked from commit eaf1e85d4ddefdbd197f393fa9c5acc7ba8133b0)
Conflict:
- @open-timeout was introduced after the 6.2 release, and has not been
backported. Consequently, there is no open_timer, and we can (and
must) drop the respective parts of the test here.
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
---
tests/qemu-iotests/281 | 73 ++++++++++++++++++++++++++++++++++++--
tests/qemu-iotests/281.out | 4 +--
2 files changed, 73 insertions(+), 4 deletions(-)
diff --git a/tests/qemu-iotests/281 b/tests/qemu-iotests/281
index 956698083f..13c588be75 100755
--- a/tests/qemu-iotests/281
+++ b/tests/qemu-iotests/281
@@ -1,5 +1,5 @@
#!/usr/bin/env python3
-# group: rw quick
+# group: rw
#
# Test cases for blockdev + IOThread interactions
#
@@ -20,8 +20,9 @@
#
import os
+import time
import iotests
-from iotests import qemu_img
+from iotests import qemu_img, QemuStorageDaemon
image_len = 64 * 1024 * 1024
@@ -243,6 +244,74 @@ class TestBlockdevBackupAbort(iotests.QMPTestCase):
# Hangs on failure, we expect this error.
self.assert_qmp(result, 'error/class', 'GenericError')
+# Test for RHBZ#2033626
+class TestYieldingAndTimers(iotests.QMPTestCase):
+ sock = os.path.join(iotests.sock_dir, 'nbd.sock')
+ qsd = None
+
+ def setUp(self):
+ self.create_nbd_export()
+
+ # Simple VM with an NBD block device connected to the NBD export
+ # provided by the QSD
+ self.vm = iotests.VM()
+ self.vm.add_blockdev('nbd,node-name=nbd,server.type=unix,' +
+ f'server.path={self.sock},export=exp,' +
+ 'reconnect-delay=1')
+
+ self.vm.launch()
+
+ def tearDown(self):
+ self.stop_nbd_export()
+ self.vm.shutdown()
+
+ def test_timers_with_blockdev_del(self):
+ # Stop and restart the NBD server, and do some I/O on the client to
+ # trigger a reconnect and start the reconnect delay timer
+ self.stop_nbd_export()
+ self.create_nbd_export()
+
+ result = self.vm.qmp('human-monitor-command',
+ command_line='qemu-io nbd "write 0 512"')
+ self.assert_qmp(result, 'return', '')
+
+ # Reconnect is done, so the reconnect delay timer should be gone.
+ # (But there used to be a bug where it remained active, for which this
+ # is a regression test.)
+
+ # Delete the BDS to see whether the timer is gone. If it is not,
+ # it will remain active, fire later, and then access freed data.
+ # (Or, with "block/nbd: Assert there are no timers when closed"
+ # applied, the assertion added in that patch will fail.)
+ result = self.vm.qmp('blockdev-del', node_name='nbd')
+ self.assert_qmp(result, 'return', {})
+
+ # Give the timer some time to fire (it has a timeout of 1 s).
+ # (Sleeping in an iotest may ring some alarm bells, but note that if
+ # the timing is off here, the test will just always pass. If we kill
+ # the VM too early, then we just kill the timer before it can fire,
+ # thus not see the error, and so the test will pass.)
+ time.sleep(2)
+
+ def create_nbd_export(self):
+ assert self.qsd is None
+
+ # Simple NBD export of a null-co BDS
+ self.qsd = QemuStorageDaemon(
+ '--blockdev',
+ 'null-co,node-name=null,read-zeroes=true',
+
+ '--nbd-server',
+ f'addr.type=unix,addr.path={self.sock}',
+
+ '--export',
+ 'nbd,id=exp,node-name=null,name=exp,writable=true'
+ )
+
+ def stop_nbd_export(self):
+ self.qsd.stop()
+ self.qsd = None
+
if __name__ == '__main__':
iotests.main(supported_fmts=['qcow2'],
supported_protocols=['file'])
diff --git a/tests/qemu-iotests/281.out b/tests/qemu-iotests/281.out
index 89968f35d7..914e3737bd 100644
--- a/tests/qemu-iotests/281.out
+++ b/tests/qemu-iotests/281.out
@@ -1,5 +1,5 @@
-....
+.....
----------------------------------------------------------------------
-Ran 4 tests
+Ran 5 tests
OK
--
2.27.0

106
SOURCES/kvm-iotests-Test-blockdev-reopen-with-iothreads-and-thro.patch Normal file
View File

@ -0,0 +1,106 @@
From ea4d8424fb2053b1cbb9538190b2b06351054125 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 3 Feb 2022 15:05:34 +0100
Subject: [PATCH 3/5] iotests: Test blockdev-reopen with iothreads and
throttling
RH-Author: Kevin Wolf <kwolf@redhat.com>
RH-MergeRequest: 142: block: Lock AioContext for drain_end in blockdev-reopen
RH-Commit: [2/2] 91d365864c391ca7db7db13260913fb61987b833
RH-Bugzilla: 2067118
RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
The 'throttle' block driver implements .bdrv_co_drain_end, so
blockdev-reopen will have to wait for it to complete in the polling
loop at the end of qmp_blockdev_reopen(). This makes AIO_WAIT_WHILE()
release the AioContext lock, which causes a crash if the lock hasn't
correctly been taken.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20220203140534.36522-3-kwolf@redhat.com>
Reviewed-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit ee810602376125ca0e0afd6b7c715e13740978ea)
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
tests/qemu-iotests/245 | 36 +++++++++++++++++++++++++++++++++---
tests/qemu-iotests/245.out | 4 ++--
2 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/tests/qemu-iotests/245 b/tests/qemu-iotests/245
index 24ac43f70e..8cbed7821b 100755
--- a/tests/qemu-iotests/245
+++ b/tests/qemu-iotests/245
@@ -1138,12 +1138,13 @@ class TestBlockdevReopen(iotests.QMPTestCase):
self.assertEqual(self.get_node('hd1'), None)
self.assert_qmp(self.get_node('hd2'), 'ro', True)
- def run_test_iothreads(self, iothread_a, iothread_b, errmsg = None):
- opts = hd_opts(0)
+ def run_test_iothreads(self, iothread_a, iothread_b, errmsg = None,
+ opts_a = None, opts_b = None):
+ opts = opts_a or hd_opts(0)
result = self.vm.qmp('blockdev-add', conv_keys = False, **opts)
self.assert_qmp(result, 'return', {})
- opts2 = hd_opts(2)
+ opts2 = opts_b or hd_opts(2)
result = self.vm.qmp('blockdev-add', conv_keys = False, **opts2)
self.assert_qmp(result, 'return', {})
@@ -1194,6 +1195,35 @@ class TestBlockdevReopen(iotests.QMPTestCase):
def test_iothreads_switch_overlay(self):
self.run_test_iothreads('', 'iothread0')
+ def test_iothreads_with_throttling(self):
+ # Create a throttle-group object
+ opts = { 'qom-type': 'throttle-group', 'id': 'group0',
+ 'limits': { 'iops-total': 1000 } }
+ result = self.vm.qmp('object-add', conv_keys = False, **opts)
+ self.assert_qmp(result, 'return', {})
+
+ # Options with a throttle filter between format and protocol
+ opts = [
+ {
+ 'driver': iotests.imgfmt,
+ 'node-name': f'hd{idx}',
+ 'file' : {
+ 'node-name': f'hd{idx}-throttle',
+ 'driver': 'throttle',
+ 'throttle-group': 'group0',
+ 'file': {
+ 'driver': 'file',
+ 'node-name': f'hd{idx}-file',
+ 'filename': hd_path[idx],
+ },
+ },
+ }
+ for idx in (0, 2)
+ ]
+
+ self.run_test_iothreads('iothread0', 'iothread0', None,
+ opts[0], opts[1])
+
if __name__ == '__main__':
iotests.activate_logging()
iotests.main(supported_fmts=["qcow2"],
diff --git a/tests/qemu-iotests/245.out b/tests/qemu-iotests/245.out
index 4eced19294..a4e04a3266 100644
--- a/tests/qemu-iotests/245.out
+++ b/tests/qemu-iotests/245.out
@@ -17,8 +17,8 @@ read 1/1 bytes at offset 262152
read 1/1 bytes at offset 262160
1 bytes, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
-...............
+................
----------------------------------------------------------------------
-Ran 25 tests
+Ran 26 tests
OK
--
2.27.0

197
SOURCES/kvm-iotests-block-status-cache-New-test.patch Normal file
View File

@ -0,0 +1,197 @@
From 0ba4c0836f702bb3abbd173c7ee486a8247331ae Mon Sep 17 00:00:00 2001
From: Hanna Reitz <hreitz@redhat.com>
Date: Tue, 18 Jan 2022 18:00:00 +0100
Subject: [PATCH 7/7] iotests/block-status-cache: New test
RH-Author: Hanna Reitz <hreitz@redhat.com>
RH-MergeRequest: 112: block/io: Update BSC only if want_zero is true
RH-Commit: [2/2] ba86b4db32c33e17a85f476d445ef0523cf8f60e
RH-Bugzilla: 2041480
RH-Acked-by: Eric Blake <eblake@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
Add a new test to verify that want_zero=false block-status calls do not
pollute the block-status cache for want_zero=true calls.
We check want_zero=true calls and their results using `qemu-img map`
(over NBD), and want_zero=false calls also using `qemu-img map` over
NBD, but using the qemu:allocation-depth context.
(This test case cannot be integrated into nbd-qemu-allocation, because
that is a qcow2 test, and this is a raw test.)
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Message-Id: <20220118170000.49423-3-hreitz@redhat.com>
Reviewed-by: Nir Soffer <nsoffer@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 6384dd534d742123d26c008d9794b20bc41359d5)
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
---
tests/qemu-iotests/tests/block-status-cache | 139 ++++++++++++++++++
.../qemu-iotests/tests/block-status-cache.out | 5 +
2 files changed, 144 insertions(+)
create mode 100755 tests/qemu-iotests/tests/block-status-cache
create mode 100644 tests/qemu-iotests/tests/block-status-cache.out
diff --git a/tests/qemu-iotests/tests/block-status-cache b/tests/qemu-iotests/tests/block-status-cache
new file mode 100755
index 0000000000..6fa10bb8f8
--- /dev/null
+++ b/tests/qemu-iotests/tests/block-status-cache
@@ -0,0 +1,139 @@
+#!/usr/bin/env python3
+# group: rw quick
+#
+# Test cases for the block-status cache.
+#
+# Copyright (C) 2022 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import signal
+import iotests
+from iotests import qemu_img_create, qemu_img_pipe, qemu_nbd
+
+
+image_size = 1 * 1024 * 1024
+test_img = os.path.join(iotests.test_dir, 'test.img')
+
+nbd_pidfile = os.path.join(iotests.test_dir, 'nbd.pid')
+nbd_sock = os.path.join(iotests.sock_dir, 'nbd.sock')
+
+
+class TestBscWithNbd(iotests.QMPTestCase):
+ def setUp(self) -> None:
+ """Just create an empty image with a read-only NBD server on it"""
+ assert qemu_img_create('-f', iotests.imgfmt, test_img,
+ str(image_size)) == 0
+
+ # Pass --allocation-depth to enable the qemu:allocation-depth context,
+ # which we are going to query to provoke a block-status inquiry with
+ # want_zero=false.
+ assert qemu_nbd(f'--socket={nbd_sock}',
+ f'--format={iotests.imgfmt}',
+ '--persistent',
+ '--allocation-depth',
+ '--read-only',
+ f'--pid-file={nbd_pidfile}',
+ test_img) \
+ == 0
+
+ def tearDown(self) -> None:
+ with open(nbd_pidfile, encoding='utf-8') as f:
+ pid = int(f.read())
+ os.kill(pid, signal.SIGTERM)
+ os.remove(nbd_pidfile)
+ os.remove(test_img)
+
+ def test_with_zero_bug(self) -> None:
+ """
+ Verify that the block-status cache is not corrupted by a
+ want_zero=false call.
+ We can provoke a want_zero=false call with `qemu-img map` over NBD with
+ x-dirty-bitmap=qemu:allocation-depth, so we first run a normal `map`
+ (which results in want_zero=true), then using said
+ qemu:allocation-depth context, and finally another normal `map` to
+ verify that the cache has not been corrupted.
+ """
+
+ nbd_img_opts = f'driver=nbd,server.type=unix,server.path={nbd_sock}'
+ nbd_img_opts_alloc_depth = nbd_img_opts + \
+ ',x-dirty-bitmap=qemu:allocation-depth'
+
+ # Normal map, results in want_zero=true.
+ # This will probably detect an allocated data sector first (qemu likes
+ # to allocate the first sector to facilitate alignment probing), and
+ # then the rest to be zero. The BSC will thus contain (if anything)
+ # one range covering the first sector.
+ map_pre = qemu_img_pipe('map', '--output=json', '--image-opts',
+ nbd_img_opts)
+
+ # qemu:allocation-depth maps for want_zero=false.
+ # want_zero=false should (with the file driver, which the server is
+ # using) report everything as data. While this is sufficient for
+ # want_zero=false, this is nothing that should end up in the
+ # block-status cache.
+ # Due to a bug, this information did end up in the cache, though, and
+ # this would lead to wrong information being returned on subsequent
+ # want_zero=true calls.
+ #
+ # We need to run this map twice: On the first call, we probably still
+ # have the first sector in the cache, and so this will be served from
+ # the cache; and only the subsequent range will be queried from the
+ # block driver. This subsequent range will then be entered into the
+ # cache.
+ # If we did a want_zero=true call at this point, we would thus get
+ # correct information: The first sector is not covered by the cache, so
+ # we would get fresh block-status information from the driver, which
+ # would return a data range, and this would then go into the cache,
+ # evicting the wrong range from the want_zero=false call before.
+ #
+ # Therefore, we need a second want_zero=false map to reproduce:
+ # Since the first sector is not in the cache, the query for its status
+ # will go to the driver, which will return a result that reports the
+ # whole image to be a single data area. This result will then go into
+ # the cache, and so the cache will then report the whole image to
+ # contain data.
+ #
+ # Note that once the cache reports the whole image to contain data, any
+ # subsequent map operation will be served from the cache, and so we can
+ # never loop too many times here.
+ for _ in range(2):
+ # (Ignore the result, this is just to contaminate the cache)
+ qemu_img_pipe('map', '--output=json', '--image-opts',
+ nbd_img_opts_alloc_depth)
+
+ # Now let's see whether the cache reports everything as data, or
+ # whether we get correct information (i.e. the same as we got on our
+ # first attempt).
+ map_post = qemu_img_pipe('map', '--output=json', '--image-opts',
+ nbd_img_opts)
+
+ if map_pre != map_post:
+ print('ERROR: Map information differs before and after querying ' +
+ 'qemu:allocation-depth')
+ print('Before:')
+ print(map_pre)
+ print('After:')
+ print(map_post)
+
+ self.fail("Map information differs")
+
+
+if __name__ == '__main__':
+ # The block-status cache only works on the protocol layer, so to test it,
+ # we can only use the raw format
+ iotests.main(supported_fmts=['raw'],
+ supported_protocols=['file'])
diff --git a/tests/qemu-iotests/tests/block-status-cache.out b/tests/qemu-iotests/tests/block-status-cache.out
new file mode 100644
index 0000000000..ae1213e6f8
--- /dev/null
+++ b/tests/qemu-iotests/tests/block-status-cache.out
@@ -0,0 +1,5 @@
+.
+----------------------------------------------------------------------
+Ran 1 tests
+
+OK
--
2.27.0

198
SOURCES/kvm-iotests-stream-error-on-reset-New-test.patch Normal file
View File

@ -0,0 +1,198 @@
From ffdec41922a34b6fe4e7e11f259553d65b41563e Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 11 Jan 2022 15:36:13 +0000
Subject: [PATCH 4/6] iotests/stream-error-on-reset: New test
RH-Author: Stefan Hajnoczi <stefanha@redhat.com>
RH-MergeRequest: 109: block-backend: prevent dangling BDS pointers across aio_poll()
RH-Commit: [2/2] 0ecb7010d9c121398e7ee22ee47dd85d89bcd941
RH-Bugzilla: 2021778 2036178
RH-Acked-by: Hanna Reitz <hreitz@redhat.com>
RH-Acked-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
Author: Hanna Reitz <hreitz@redhat.com>
Test the following scenario:
- Simple stream block in two-layer backing chain (base and top)
- The job is drained via blk_drain(), then an error occurs while the job
settles the ongoing request
- And so the job completes while in blk_drain()
This was reported as a segfault, but is fixed by "block-backend: prevent
dangling BDS pointers across aio_poll()".
Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=2036178
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20220111153613.25453-3-stefanha@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 2ca1d5d6b91f8a52a5c651f660b2f58c94bf97ba)
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
.../qemu-iotests/tests/stream-error-on-reset | 140 ++++++++++++++++++
.../tests/stream-error-on-reset.out | 5 +
2 files changed, 145 insertions(+)
create mode 100755 tests/qemu-iotests/tests/stream-error-on-reset
create mode 100644 tests/qemu-iotests/tests/stream-error-on-reset.out
diff --git a/tests/qemu-iotests/tests/stream-error-on-reset b/tests/qemu-iotests/tests/stream-error-on-reset
new file mode 100755
index 0000000000..7eaedb24d7
--- /dev/null
+++ b/tests/qemu-iotests/tests/stream-error-on-reset
@@ -0,0 +1,140 @@
+#!/usr/bin/env python3
+# group: rw quick
+#
+# Test what happens when a stream job completes in a blk_drain().
+#
+# Copyright (C) 2022 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+import iotests
+from iotests import imgfmt, qemu_img_create, qemu_io_silent, QMPTestCase
+
+
+image_size = 1 * 1024 * 1024
+data_size = 64 * 1024
+base = os.path.join(iotests.test_dir, 'base.img')
+top = os.path.join(iotests.test_dir, 'top.img')
+
+
+# We want to test completing a stream job in a blk_drain().
+#
+# The blk_drain() we are going to use is a virtio-scsi device resetting,
+# which we can trigger by resetting the system.
+#
+# In order to have the block job complete on drain, we (1) throttle its
+# base image so we can start the drain after it has begun, but before it
+# completes, and (2) make it encounter an I/O error on the ensuing write.
+# (If it completes regularly, the completion happens after the drain for
+# some reason.)
+
+class TestStreamErrorOnReset(QMPTestCase):
+ def setUp(self) -> None:
+ """
+ Create two images:
+ - base image {base} with {data_size} bytes allocated
+ - top image {top} without any data allocated
+
+ And the following VM configuration:
+ - base image throttled to {data_size}
+ - top image with a blkdebug configuration so the first write access
+ to it will result in an error
+ - top image is attached to a virtio-scsi device
+ """
+ assert qemu_img_create('-f', imgfmt, base, str(image_size)) == 0
+ assert qemu_io_silent('-c', f'write 0 {data_size}', base) == 0
+ assert qemu_img_create('-f', imgfmt, top, str(image_size)) == 0
+
+ self.vm = iotests.VM()
+ self.vm.add_args('-accel', 'tcg') # Make throttling work properly
+ self.vm.add_object(self.vm.qmp_to_opts({
+ 'qom-type': 'throttle-group',
+ 'id': 'thrgr',
+ 'x-bps-total': str(data_size)
+ }))
+ self.vm.add_blockdev(self.vm.qmp_to_opts({
+ 'driver': imgfmt,
+ 'node-name': 'base',
+ 'file': {
+ 'driver': 'throttle',
+ 'throttle-group': 'thrgr',
+ 'file': {
+ 'driver': 'file',
+ 'filename': base
+ }
+ }
+ }))
+ self.vm.add_blockdev(self.vm.qmp_to_opts({
+ 'driver': imgfmt,
+ 'node-name': 'top',
+ 'file': {
+ 'driver': 'blkdebug',
+ 'node-name': 'top-blkdebug',
+ 'inject-error': [{
+ 'event': 'pwritev',
+ 'immediately': 'true',
+ 'once': 'true'
+ }],
+ 'image': {
+ 'driver': 'file',
+ 'filename': top
+ }
+ },
+ 'backing': 'base'
+ }))
+ self.vm.add_device(self.vm.qmp_to_opts({
+ 'driver': 'virtio-scsi',
+ 'id': 'vscsi'
+ }))
+ self.vm.add_device(self.vm.qmp_to_opts({
+ 'driver': 'scsi-hd',
+ 'bus': 'vscsi.0',
+ 'drive': 'top'
+ }))
+ self.vm.launch()
+
+ def tearDown(self) -> None:
+ self.vm.shutdown()
+ os.remove(top)
+ os.remove(base)
+
+ def test_stream_error_on_reset(self) -> None:
+ # Launch a stream job, which will take at least a second to
+ # complete, because the base image is throttled (so we can
+ # get in between it having started and it having completed)
+ res = self.vm.qmp('block-stream', job_id='stream', device='top')
+ self.assert_qmp(res, 'return', {})
+
+ while True:
+ ev = self.vm.event_wait('JOB_STATUS_CHANGE')
+ if ev['data']['status'] == 'running':
+ # Once the stream job is running, reset the system, which
+ # forces the virtio-scsi device to be reset, thus draining
+ # the stream job, and making it complete. Completing
+ # inside of that drain should not result in a segfault.
+ res = self.vm.qmp('system_reset')
+ self.assert_qmp(res, 'return', {})
+ elif ev['data']['status'] == 'null':
+ # The test is done once the job is gone
+ break
+
+
+if __name__ == '__main__':
+ # Passes with any format with backing file support, but qed and
+ # qcow1 do not seem to exercise the used-to-be problematic code
+ # path, so there is no point in having them in this list
+ iotests.main(supported_fmts=['qcow2', 'vmdk'],
+ supported_protocols=['file'])
diff --git a/tests/qemu-iotests/tests/stream-error-on-reset.out b/tests/qemu-iotests/tests/stream-error-on-reset.out
new file mode 100644
index 0000000000..ae1213e6f8
--- /dev/null
+++ b/tests/qemu-iotests/tests/stream-error-on-reset.out
@@ -0,0 +1,5 @@
+.
+----------------------------------------------------------------------
+Ran 1 tests
+
+OK
--
2.27.0

92
SOURCES/kvm-iotests.py-Add-QemuStorageDaemon-class.patch Normal file
View File

@ -0,0 +1,92 @@
From 34ffcd1a463bd3c1d36ed2f33dd6335b35b38460 Mon Sep 17 00:00:00 2001
From: Hanna Reitz <hreitz@redhat.com>
Date: Fri, 4 Feb 2022 12:10:09 +0100
Subject: [PATCH 3/6] iotests.py: Add QemuStorageDaemon class
RH-Author: Hanna Reitz <hreitz@redhat.com>
RH-MergeRequest: 117: block/nbd: Handle AioContext changes
RH-Commit: [3/6] 754fe76bc5e8be57f4b78f176531014c4a12b044
RH-Bugzilla: 2035185
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Eric Blake <eblake@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
This is a rather simple class that allows creating a QSD instance
running in the background and stopping it when no longer needed.
The __del__ handler is a safety net for when something goes so wrong in
a test that e.g. the tearDown() method is not called (e.g. setUp()
launches the QSD, but then launching a VM fails). We do not want the
QSD to continue running after the test has failed, so __del__() will
take care to kill it.
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
(cherry picked from commit 091dc7b2b5553a529bff9a7bf9ad3bc85bc5bdcd)
Signed-off-by: Hanna Reitz <hreitz@redhat.com>
---
tests/qemu-iotests/iotests.py | 40 +++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/tests/qemu-iotests/iotests.py b/tests/qemu-iotests/iotests.py
index 83bfedb902..a51b5ce8cd 100644
--- a/tests/qemu-iotests/iotests.py
+++ b/tests/qemu-iotests/iotests.py
@@ -72,6 +72,8 @@
qemu_prog = os.environ.get('QEMU_PROG', 'qemu')
qemu_opts = os.environ.get('QEMU_OPTIONS', '').strip().split(' ')
+qsd_prog = os.environ.get('QSD_PROG', 'qemu-storage-daemon')
+
gdb_qemu_env = os.environ.get('GDB_OPTIONS')
qemu_gdb = []
if gdb_qemu_env:
@@ -312,6 +314,44 @@ def cmd(self, cmd):
return self._read_output()
+class QemuStorageDaemon:
+ def __init__(self, *args: str, instance_id: str = 'a'):
+ assert '--pidfile' not in args
+ self.pidfile = os.path.join(test_dir, f'qsd-{instance_id}-pid')
+ all_args = [qsd_prog] + list(args) + ['--pidfile', self.pidfile]
+
+ # Cannot use with here, we want the subprocess to stay around
+ # pylint: disable=consider-using-with
+ self._p = subprocess.Popen(all_args)
+ while not os.path.exists(self.pidfile):
+ if self._p.poll() is not None:
+ cmd = ' '.join(all_args)
+ raise RuntimeError(
+ 'qemu-storage-daemon terminated with exit code ' +
+ f'{self._p.returncode}: {cmd}')
+
+ time.sleep(0.01)
+
+ with open(self.pidfile, encoding='utf-8') as f:
+ self._pid = int(f.read().strip())
+
+ assert self._pid == self._p.pid
+
+ def stop(self, kill_signal=15):
+ self._p.send_signal(kill_signal)
+ self._p.wait()
+ self._p = None
+
+ try:
+ os.remove(self.pidfile)
+ except OSError:
+ pass
+
+ def __del__(self):
+ if self._p is not None:
+ self.stop(kill_signal=9)
+
+
def qemu_nbd(*args):
'''Run qemu-nbd in daemon mode and return the parent's exit code'''
return subprocess.call(qemu_nbd_args + ['--fork'] + list(args))
--
2.27.0

287
SOURCES/kvm-numa-Enable-numa-for-SGX-EPC-sections.patch Normal file
View File

@ -0,0 +1,287 @@
From 35bf6693fb5bba5a9d5fdf4a7fdac06ce574b83d Mon Sep 17 00:00:00 2001
From: Yang Zhong <yang.zhong@intel.com>
Date: Mon, 1 Nov 2021 12:20:05 -0400
Subject: [PATCH 1/7] numa: Enable numa for SGX EPC sections
RH-Author: Paul Lai <None>
RH-MergeRequest: 111: numa: Enable numa for SGX EPC sections
RH-Commit: [1/5] c29297cbacc4cb65c9ac125db349a767aa2574af
RH-Bugzilla: 1518984
RH-Acked-by: Paolo Bonzini <None>
RH-Acked-by: Bandan Das <None>
RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
The basic SGX did not enable numa for SGX EPC sections, which
result in all EPC sections located in numa node 0. This patch
enable SGX numa function in the guest and the EPC section can
work with RAM as one numa node.
The Guest kernel related log:
[ 0.009981] ACPI: SRAT: Node 0 PXM 0 [mem 0x180000000-0x183ffffff]
[ 0.009982] ACPI: SRAT: Node 1 PXM 1 [mem 0x184000000-0x185bfffff]
The SRAT table can normally show SGX EPC sections menory info in different
numa nodes.
The SGX EPC numa related command:
......
-m 4G,maxmem=20G \
-smp sockets=2,cores=2 \
-cpu host,+sgx-provisionkey \
-object memory-backend-ram,size=2G,host-nodes=0,policy=bind,id=node0 \
-object memory-backend-epc,id=mem0,size=64M,prealloc=on,host-nodes=0,policy=bind \
-numa node,nodeid=0,cpus=0-1,memdev=node0 \
-object memory-backend-ram,size=2G,host-nodes=1,policy=bind,id=node1 \
-object memory-backend-epc,id=mem1,size=28M,prealloc=on,host-nodes=1,policy=bind \
-numa node,nodeid=1,cpus=2-3,memdev=node1 \
-M sgx-epc.0.memdev=mem0,sgx-epc.0.node=0,sgx-epc.1.memdev=mem1,sgx-epc.1.node=1 \
......
Signed-off-by: Yang Zhong <yang.zhong@intel.com>
Message-Id: <20211101162009.62161-2-yang.zhong@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 1105812382e1126d86dddc16b3700f8c79dc93d1)
Signed-off-by: Paul Lai <plai@redhat.com>
---
hw/core/numa.c | 5 ++---
hw/i386/acpi-build.c | 2 ++
hw/i386/sgx-epc.c | 3 +++
hw/i386/sgx-stub.c | 4 ++++
hw/i386/sgx.c | 44 +++++++++++++++++++++++++++++++++++++++
include/hw/i386/sgx-epc.h | 3 +++
monitor/hmp-cmds.c | 1 +
qapi/machine.json | 10 ++++++++-
qemu-options.hx | 4 ++--
9 files changed, 70 insertions(+), 6 deletions(-)
diff --git a/hw/core/numa.c b/hw/core/numa.c
index e6050b2273..1aa05dcf42 100644
--- a/hw/core/numa.c
+++ b/hw/core/numa.c
@@ -784,9 +784,8 @@ static void numa_stat_memory_devices(NumaNodeMem node_mem[])
break;
case MEMORY_DEVICE_INFO_KIND_SGX_EPC:
se = value->u.sgx_epc.data;
- /* TODO: once we support numa, assign to right node */
- node_mem[0].node_mem += se->size;
- node_mem[0].node_plugged_mem += se->size;
+ node_mem[se->node].node_mem += se->size;
+ node_mem[se->node].node_plugged_mem = 0;
break;
default:
g_assert_not_reached();
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 447ea35275..a4478e77b7 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -2071,6 +2071,8 @@ build_srat(GArray *table_data, BIOSLinker *linker, MachineState *machine)
nvdimm_build_srat(table_data);
}
+ sgx_epc_build_srat(table_data);
+
/*
* TODO: this part is not in ACPI spec and current linux kernel boots fine
* without these entries. But I recall there were issues the last time I
diff --git a/hw/i386/sgx-epc.c b/hw/i386/sgx-epc.c
index e508827e78..96b2940d75 100644
--- a/hw/i386/sgx-epc.c
+++ b/hw/i386/sgx-epc.c
@@ -21,6 +21,7 @@
static Property sgx_epc_properties[] = {
DEFINE_PROP_UINT64(SGX_EPC_ADDR_PROP, SGXEPCDevice, addr, 0),
+ DEFINE_PROP_UINT32(SGX_EPC_NUMA_NODE_PROP, SGXEPCDevice, node, 0),
DEFINE_PROP_LINK(SGX_EPC_MEMDEV_PROP, SGXEPCDevice, hostmem,
TYPE_MEMORY_BACKEND_EPC, HostMemoryBackendEpc *),
DEFINE_PROP_END_OF_LIST(),
@@ -139,6 +140,8 @@ static void sgx_epc_md_fill_device_info(const MemoryDeviceState *md,
se->memaddr = epc->addr;
se->size = object_property_get_uint(OBJECT(epc), SGX_EPC_SIZE_PROP,
NULL);
+ se->node = object_property_get_uint(OBJECT(epc), SGX_EPC_NUMA_NODE_PROP,
+ NULL);
se->memdev = object_get_canonical_path(OBJECT(epc->hostmem));
info->u.sgx_epc.data = se;
diff --git a/hw/i386/sgx-stub.c b/hw/i386/sgx-stub.c
index c9b379e665..26833eb233 100644
--- a/hw/i386/sgx-stub.c
+++ b/hw/i386/sgx-stub.c
@@ -6,6 +6,10 @@
#include "qapi/error.h"
#include "qapi/qapi-commands-misc-target.h"
+void sgx_epc_build_srat(GArray *table_data)
+{
+}
+
SGXInfo *qmp_query_sgx(Error **errp)
{
error_setg(errp, "SGX support is not compiled in");
diff --git a/hw/i386/sgx.c b/hw/i386/sgx.c
index 8fef3dd8fa..d04299904a 100644
--- a/hw/i386/sgx.c
+++ b/hw/i386/sgx.c
@@ -23,6 +23,7 @@
#include "sysemu/hw_accel.h"
#include "sysemu/reset.h"
#include <sys/ioctl.h>
+#include "hw/acpi/aml-build.h"
#define SGX_MAX_EPC_SECTIONS 8
#define SGX_CPUID_EPC_INVALID 0x0
@@ -36,6 +37,46 @@
#define RETRY_NUM 2
+static int sgx_epc_device_list(Object *obj, void *opaque)
+{
+ GSList **list = opaque;
+
+ if (object_dynamic_cast(obj, TYPE_SGX_EPC)) {
+ *list = g_slist_append(*list, DEVICE(obj));
+ }
+
+ object_child_foreach(obj, sgx_epc_device_list, opaque);
+ return 0;
+}
+
+static GSList *sgx_epc_get_device_list(void)
+{
+ GSList *list = NULL;
+
+ object_child_foreach(qdev_get_machine(), sgx_epc_device_list, &list);
+ return list;
+}
+
+void sgx_epc_build_srat(GArray *table_data)
+{
+ GSList *device_list = sgx_epc_get_device_list();
+
+ for (; device_list; device_list = device_list->next) {
+ DeviceState *dev = device_list->data;
+ Object *obj = OBJECT(dev);
+ uint64_t addr, size;
+ int node;
+
+ node = object_property_get_uint(obj, SGX_EPC_NUMA_NODE_PROP,
+ &error_abort);
+ addr = object_property_get_uint(obj, SGX_EPC_ADDR_PROP, &error_abort);
+ size = object_property_get_uint(obj, SGX_EPC_SIZE_PROP, &error_abort);
+
+ build_srat_memory(table_data, addr, size, node, MEM_AFFINITY_ENABLED);
+ }
+ g_slist_free(device_list);
+}
+
static uint64_t sgx_calc_section_metric(uint64_t low, uint64_t high)
{
return (low & MAKE_64BIT_MASK(12, 20)) +
@@ -226,6 +267,9 @@ void pc_machine_init_sgx_epc(PCMachineState *pcms)
/* set the memdev link with memory backend */
object_property_parse(obj, SGX_EPC_MEMDEV_PROP, list->value->memdev,
&error_fatal);
+ /* set the numa node property for sgx epc object */
+ object_property_set_uint(obj, SGX_EPC_NUMA_NODE_PROP, list->value->node,
+ &error_fatal);
object_property_set_bool(obj, "realized", true, &error_fatal);
object_unref(obj);
}
diff --git a/include/hw/i386/sgx-epc.h b/include/hw/i386/sgx-epc.h
index a6a65be854..581fac389a 100644
--- a/include/hw/i386/sgx-epc.h
+++ b/include/hw/i386/sgx-epc.h
@@ -25,6 +25,7 @@
#define SGX_EPC_ADDR_PROP "addr"
#define SGX_EPC_SIZE_PROP "size"
#define SGX_EPC_MEMDEV_PROP "memdev"
+#define SGX_EPC_NUMA_NODE_PROP "node"
/**
* SGXEPCDevice:
@@ -38,6 +39,7 @@ typedef struct SGXEPCDevice {
/* public */
uint64_t addr;
+ uint32_t node;
HostMemoryBackendEpc *hostmem;
} SGXEPCDevice;
@@ -56,6 +58,7 @@ typedef struct SGXEPCState {
} SGXEPCState;
bool sgx_epc_get_section(int section_nr, uint64_t *addr, uint64_t *size);
+void sgx_epc_build_srat(GArray *table_data);
static inline uint64_t sgx_epc_above_4g_end(SGXEPCState *sgx_epc)
{
diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
index 9c91bf93e9..2669156b28 100644
--- a/monitor/hmp-cmds.c
+++ b/monitor/hmp-cmds.c
@@ -1810,6 +1810,7 @@ void hmp_info_memory_devices(Monitor *mon, const QDict *qdict)
se->id ? se->id : "");
monitor_printf(mon, " memaddr: 0x%" PRIx64 "\n", se->memaddr);
monitor_printf(mon, " size: %" PRIu64 "\n", se->size);
+ monitor_printf(mon, " node: %" PRId64 "\n", se->node);
monitor_printf(mon, " memdev: %s\n", se->memdev);
break;
default:
diff --git a/qapi/machine.json b/qapi/machine.json
index 067e3f5378..16e771affc 100644
--- a/qapi/machine.json
+++ b/qapi/machine.json
@@ -1207,12 +1207,15 @@
#
# @memdev: memory backend linked with device
#
+# @node: the numa node
+#
# Since: 6.2
##
{ 'struct': 'SgxEPCDeviceInfo',
'data': { '*id': 'str',
'memaddr': 'size',
'size': 'size',
+ 'node': 'int',
'memdev': 'str'
}
}
@@ -1285,10 +1288,15 @@
#
# @memdev: memory backend linked with device
#
+# @node: the numa node
+#
# Since: 6.2
##
{ 'struct': 'SgxEPC',
- 'data': { 'memdev': 'str' } }
+ 'data': { 'memdev': 'str',
+ 'node': 'int'
+ }
+}
##
# @SgxEPCProperties:
diff --git a/qemu-options.hx b/qemu-options.hx
index 94c4a8dbaf..4b7798088b 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -127,11 +127,11 @@ SRST
ERST
DEF("M", HAS_ARG, QEMU_OPTION_M,
- " sgx-epc.0.memdev=memid\n",
+ " sgx-epc.0.memdev=memid,sgx-epc.0.node=numaid\n",
QEMU_ARCH_ALL)
SRST
-``sgx-epc.0.memdev=@var{memid}``
+``sgx-epc.0.memdev=@var{memid},sgx-epc.0.node=@var{numaid}``
Define an SGX EPC section.
ERST
--
2.27.0

210
SOURCES/kvm-numa-Support-SGX-numa-in-the-monitor-and-Libvirt-int.patch Normal file
View File

@ -0,0 +1,210 @@
From ea46a86ba6319ea98573c65af5186cd5399ab0ce Mon Sep 17 00:00:00 2001
From: Yang Zhong <yang.zhong@intel.com>
Date: Mon, 1 Nov 2021 12:20:07 -0400
Subject: [PATCH 2/7] numa: Support SGX numa in the monitor and Libvirt
interfaces
RH-Author: Paul Lai <None>
RH-MergeRequest: 111: numa: Enable numa for SGX EPC sections
RH-Commit: [2/5] 403c4f98dccd023293cd3246081ae12f4782bed0
RH-Bugzilla: 1518984
RH-Acked-by: Paolo Bonzini <None>
RH-Acked-by: Bandan Das <None>
RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
Add the SGXEPCSection list into SGXInfo to show the multiple
SGX EPC sections detailed info, not the total size like before.
This patch can enable numa support for 'info sgx' command and
QMP interfaces. The new interfaces show each EPC section info
in one numa node. Libvirt can use QMP interface to get the
detailed host SGX EPC capabilities to decide how to allocate
host EPC sections to guest.
(qemu) info sgx
SGX support: enabled
SGX1 support: enabled
SGX2 support: enabled
FLC support: enabled
NUMA node #0: size=67108864
NUMA node #1: size=29360128
The QMP interface show:
(QEMU) query-sgx
{"return": {"sgx": true, "sgx2": true, "sgx1": true, "sections": \
[{"node": 0, "size": 67108864}, {"node": 1, "size": 29360128}], "flc": true}}
(QEMU) query-sgx-capabilities
{"return": {"sgx": true, "sgx2": true, "sgx1": true, "sections": \
[{"node": 0, "size": 17070817280}, {"node": 1, "size": 17079205888}], "flc": true}}
Signed-off-by: Yang Zhong <yang.zhong@intel.com>
Message-Id: <20211101162009.62161-4-yang.zhong@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 4755927ae12547c2e7cb22c5fa1b39038c6c11b1)
Signed-off-by: Paul Lai <plai@redhat.com>
---
hw/i386/sgx.c | 51 +++++++++++++++++++++++++++++++++++--------
qapi/misc-target.json | 19 ++++++++++++++--
2 files changed, 59 insertions(+), 11 deletions(-)
diff --git a/hw/i386/sgx.c b/hw/i386/sgx.c
index d04299904a..5de5dd0893 100644
--- a/hw/i386/sgx.c
+++ b/hw/i386/sgx.c
@@ -83,11 +83,13 @@ static uint64_t sgx_calc_section_metric(uint64_t low, uint64_t high)
((high & MAKE_64BIT_MASK(0, 20)) << 32);
}
-static uint64_t sgx_calc_host_epc_section_size(void)
+static SGXEPCSectionList *sgx_calc_host_epc_sections(void)
{
+ SGXEPCSectionList *head = NULL, **tail = &head;
+ SGXEPCSection *section;
uint32_t i, type;
uint32_t eax, ebx, ecx, edx;
- uint64_t size = 0;
+ uint32_t j = 0;
for (i = 0; i < SGX_MAX_EPC_SECTIONS; i++) {
host_cpuid(0x12, i + 2, &eax, &ebx, &ecx, &edx);
@@ -101,10 +103,13 @@ static uint64_t sgx_calc_host_epc_section_size(void)
break;
}
- size += sgx_calc_section_metric(ecx, edx);
+ section = g_new0(SGXEPCSection, 1);
+ section->node = j++;
+ section->size = sgx_calc_section_metric(ecx, edx);
+ QAPI_LIST_APPEND(tail, section);
}
- return size;
+ return head;
}
static void sgx_epc_reset(void *opaque)
@@ -168,13 +173,35 @@ SGXInfo *qmp_query_sgx_capabilities(Error **errp)
info->sgx1 = eax & (1U << 0) ? true : false;
info->sgx2 = eax & (1U << 1) ? true : false;
- info->section_size = sgx_calc_host_epc_section_size();
+ info->sections = sgx_calc_host_epc_sections();
close(fd);
return info;
}
+static SGXEPCSectionList *sgx_get_epc_sections_list(void)
+{
+ GSList *device_list = sgx_epc_get_device_list();
+ SGXEPCSectionList *head = NULL, **tail = &head;
+ SGXEPCSection *section;
+
+ for (; device_list; device_list = device_list->next) {
+ DeviceState *dev = device_list->data;
+ Object *obj = OBJECT(dev);
+
+ section = g_new0(SGXEPCSection, 1);
+ section->node = object_property_get_uint(obj, SGX_EPC_NUMA_NODE_PROP,
+ &error_abort);
+ section->size = object_property_get_uint(obj, SGX_EPC_SIZE_PROP,
+ &error_abort);
+ QAPI_LIST_APPEND(tail, section);
+ }
+ g_slist_free(device_list);
+
+ return head;
+}
+
SGXInfo *qmp_query_sgx(Error **errp)
{
SGXInfo *info = NULL;
@@ -193,14 +220,13 @@ SGXInfo *qmp_query_sgx(Error **errp)
return NULL;
}
- SGXEPCState *sgx_epc = &pcms->sgx_epc;
info = g_new0(SGXInfo, 1);
info->sgx = true;
info->sgx1 = true;
info->sgx2 = true;
info->flc = true;
- info->section_size = sgx_epc->size;
+ info->sections = sgx_get_epc_sections_list();
return info;
}
@@ -208,6 +234,7 @@ SGXInfo *qmp_query_sgx(Error **errp)
void hmp_info_sgx(Monitor *mon, const QDict *qdict)
{
Error *err = NULL;
+ SGXEPCSectionList *section_list, *section;
g_autoptr(SGXInfo) info = qmp_query_sgx(&err);
if (err) {
@@ -222,8 +249,14 @@ void hmp_info_sgx(Monitor *mon, const QDict *qdict)
info->sgx2 ? "enabled" : "disabled");
monitor_printf(mon, "FLC support: %s\n",
info->flc ? "enabled" : "disabled");
- monitor_printf(mon, "size: %" PRIu64 "\n",
- info->section_size);
+
+ section_list = info->sections;
+ for (section = section_list; section; section = section->next) {
+ monitor_printf(mon, "NUMA node #%" PRId64 ": ",
+ section->value->node);
+ monitor_printf(mon, "size=%" PRIu64 "\n",
+ section->value->size);
+ }
}
bool sgx_epc_get_section(int section_nr, uint64_t *addr, uint64_t *size)
diff --git a/qapi/misc-target.json b/qapi/misc-target.json
index 5aa2b95b7d..1022aa0184 100644
--- a/qapi/misc-target.json
+++ b/qapi/misc-target.json
@@ -337,6 +337,21 @@
'if': 'TARGET_ARM' }
+##
+# @SGXEPCSection:
+#
+# Information about intel SGX EPC section info
+#
+# @node: the numa node
+#
+# @size: the size of epc section
+#
+# Since: 6.2
+##
+{ 'struct': 'SGXEPCSection',
+ 'data': { 'node': 'int',
+ 'size': 'uint64'}}
+
##
# @SGXInfo:
#
@@ -350,7 +365,7 @@
#
# @flc: true if FLC is supported
#
-# @section-size: The EPC section size for guest
+# @sections: The EPC sections info for guest
#
# Since: 6.2
##
@@ -359,7 +374,7 @@
'sgx1': 'bool',
'sgx2': 'bool',
'flc': 'bool',
- 'section-size': 'uint64'},
+ 'sections': ['SGXEPCSection']},
'if': 'TARGET_I386' }
##
--
2.27.0

83
SOURCES/kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch Normal file
View File

@ -0,0 +1,83 @@
From 7998e8aa78caa35c2ab2da44f9e29e21d7548c61 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 23 Mar 2022 13:21:40 -0400
Subject: [PATCH 05/18] pci: expose TYPE_XIO3130_DOWNSTREAM name
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 134: pci: expose TYPE_XIO3130_DOWNSTREAM name
RH-Commit: [1/2] f09ddcaf686f22b545bf269f87787ebfc33fccda (jmaloy/qemu-kvm)
RH-Bugzilla: 2062610
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
BZ: https://bugzilla.redhat.com/2062610
UPSTREAM: merged
BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44038138
commit c41481af9a5d0d463607cc45b45c510875570817
Author: Igor Mammedov <imammedo@redhat.com>
Date: Tue Mar 1 10:11:58 2022 -0500
pci: expose TYPE_XIO3130_DOWNSTREAM name
Type name will be used in followup patch for cast check
in pcihp code.
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20220301151200.3507298-2-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit c41481af9a5d0d463607cc45b45c510875570817)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/pci-bridge/xio3130_downstream.c | 3 ++-
include/hw/pci-bridge/xio3130_downstream.h | 15 +++++++++++++++
2 files changed, 17 insertions(+), 1 deletion(-)
create mode 100644 include/hw/pci-bridge/xio3130_downstream.h
diff --git a/hw/pci-bridge/xio3130_downstream.c b/hw/pci-bridge/xio3130_downstream.c
index 04aae72cd6..b17cafd359 100644
--- a/hw/pci-bridge/xio3130_downstream.c
+++ b/hw/pci-bridge/xio3130_downstream.c
@@ -28,6 +28,7 @@
#include "migration/vmstate.h"
#include "qapi/error.h"
#include "qemu/module.h"
+#include "hw/pci-bridge/xio3130_downstream.h"
#define PCI_DEVICE_ID_TI_XIO3130D 0x8233 /* downstream port */
#define XIO3130_REVISION 0x1
@@ -173,7 +174,7 @@ static void xio3130_downstream_class_init(ObjectClass *klass, void *data)
}
static const TypeInfo xio3130_downstream_info = {
- .name = "xio3130-downstream",
+ .name = TYPE_XIO3130_DOWNSTREAM,
.parent = TYPE_PCIE_SLOT,
.class_init = xio3130_downstream_class_init,
.interfaces = (InterfaceInfo[]) {
diff --git a/include/hw/pci-bridge/xio3130_downstream.h b/include/hw/pci-bridge/xio3130_downstream.h
new file mode 100644
index 0000000000..1d10139aea
--- /dev/null
+++ b/include/hw/pci-bridge/xio3130_downstream.h
@@ -0,0 +1,15 @@
+/*
+ * TI X3130 pci express downstream port switch
+ *
+ * Copyright (C) 2022 Igor Mammedov <imammedo@redhat.com>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef HW_PCI_BRIDGE_XIO3130_DOWNSTREAM_H
+#define HW_PCI_BRIDGE_XIO3130_DOWNSTREAM_H
+
+#define TYPE_XIO3130_DOWNSTREAM "xio3130-downstream"
+
+#endif
+
--
2.27.0

214
SOURCES/kvm-qapi-Cleanup-SGX-related-comments-and-restore-sectio.patch Normal file
View File

@ -0,0 +1,214 @@
From d0cd7be4d347ebe118eb8f3f2fc2eb3e3eb77e3a Mon Sep 17 00:00:00 2001
From: Yang Zhong <yang.zhong@intel.com>
Date: Thu, 20 Jan 2022 17:31:04 -0500
Subject: [PATCH 5/7] qapi: Cleanup SGX related comments and restore
@section-size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Paul Lai <None>
RH-MergeRequest: 111: numa: Enable numa for SGX EPC sections
RH-Commit: [5/5] 497dbeaebb7b8f99f5f8a7de58000dcab0d0c22d
RH-Bugzilla: 1518984
RH-Acked-by: Paolo Bonzini <None>
RH-Acked-by: Bandan Das <None>
RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
The SGX NUMA patches were merged into Qemu 7.0 release, we need
clarify detailed version history information and also change
some related comments, which make SGX related comments clearer.
The QMP command schema promises backwards compatibility as standard.
We temporarily restore "@section-size", which can avoid incompatible
API breakage. The "@section-size" will be deprecated in 7.2 version.
Suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Yang Zhong <yang.zhong@intel.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20220120223104.437161-1-yang.zhong@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a66bd91f030827742778a9e0da19fe55716b4a60)
Signed-off-by: Paul Lai <plai@redhat.com>
---
docs/about/deprecated.rst | 13 +++++++++++++
hw/i386/sgx.c | 11 +++++++++--
qapi/machine.json | 4 ++--
qapi/misc-target.json | 22 +++++++++++++++++-----
4 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
index ff7488cb63..33925edf45 100644
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@@ -270,6 +270,19 @@ accepted incorrect commands will return an error. Users should make sure that
all arguments passed to ``device_add`` are consistent with the documented
property types.
+``query-sgx`` return value member ``section-size`` (since 7.0)
+''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+
+Member ``section-size`` in return value elements with meta-type ``uint64`` is
+deprecated. Use ``sections`` instead.
+
+
+``query-sgx-capabilities`` return value member ``section-size`` (since 7.0)
+'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
+
+Member ``section-size`` in return value elements with meta-type ``uint64`` is
+deprecated. Use ``sections`` instead.
+
System accelerators
-------------------
diff --git a/hw/i386/sgx.c b/hw/i386/sgx.c
index 5de5dd0893..a2b318dd93 100644
--- a/hw/i386/sgx.c
+++ b/hw/i386/sgx.c
@@ -83,7 +83,7 @@ static uint64_t sgx_calc_section_metric(uint64_t low, uint64_t high)
((high & MAKE_64BIT_MASK(0, 20)) << 32);
}
-static SGXEPCSectionList *sgx_calc_host_epc_sections(void)
+static SGXEPCSectionList *sgx_calc_host_epc_sections(uint64_t *size)
{
SGXEPCSectionList *head = NULL, **tail = &head;
SGXEPCSection *section;
@@ -106,6 +106,7 @@ static SGXEPCSectionList *sgx_calc_host_epc_sections(void)
section = g_new0(SGXEPCSection, 1);
section->node = j++;
section->size = sgx_calc_section_metric(ecx, edx);
+ *size += section->size;
QAPI_LIST_APPEND(tail, section);
}
@@ -156,6 +157,7 @@ SGXInfo *qmp_query_sgx_capabilities(Error **errp)
{
SGXInfo *info = NULL;
uint32_t eax, ebx, ecx, edx;
+ uint64_t size = 0;
int fd = qemu_open_old("/dev/sgx_vepc", O_RDWR);
if (fd < 0) {
@@ -173,7 +175,8 @@ SGXInfo *qmp_query_sgx_capabilities(Error **errp)
info->sgx1 = eax & (1U << 0) ? true : false;
info->sgx2 = eax & (1U << 1) ? true : false;
- info->sections = sgx_calc_host_epc_sections();
+ info->sections = sgx_calc_host_epc_sections(&size);
+ info->section_size = size;
close(fd);
@@ -220,12 +223,14 @@ SGXInfo *qmp_query_sgx(Error **errp)
return NULL;
}
+ SGXEPCState *sgx_epc = &pcms->sgx_epc;
info = g_new0(SGXInfo, 1);
info->sgx = true;
info->sgx1 = true;
info->sgx2 = true;
info->flc = true;
+ info->section_size = sgx_epc->size;
info->sections = sgx_get_epc_sections_list();
return info;
@@ -249,6 +254,8 @@ void hmp_info_sgx(Monitor *mon, const QDict *qdict)
info->sgx2 ? "enabled" : "disabled");
monitor_printf(mon, "FLC support: %s\n",
info->flc ? "enabled" : "disabled");
+ monitor_printf(mon, "size: %" PRIu64 "\n",
+ info->section_size);
section_list = info->sections;
for (section = section_list; section; section = section->next) {
diff --git a/qapi/machine.json b/qapi/machine.json
index 16e771affc..a9f33d0f27 100644
--- a/qapi/machine.json
+++ b/qapi/machine.json
@@ -1207,7 +1207,7 @@
#
# @memdev: memory backend linked with device
#
-# @node: the numa node
+# @node: the numa node (Since: 7.0)
#
# Since: 6.2
##
@@ -1288,7 +1288,7 @@
#
# @memdev: memory backend linked with device
#
-# @node: the numa node
+# @node: the numa node (Since: 7.0)
#
# Since: 6.2
##
diff --git a/qapi/misc-target.json b/qapi/misc-target.json
index 1022aa0184..4bc45d2474 100644
--- a/qapi/misc-target.json
+++ b/qapi/misc-target.json
@@ -344,9 +344,9 @@
#
# @node: the numa node
#
-# @size: the size of epc section
+# @size: the size of EPC section
#
-# Since: 6.2
+# Since: 7.0
##
{ 'struct': 'SGXEPCSection',
'data': { 'node': 'int',
@@ -365,7 +365,13 @@
#
# @flc: true if FLC is supported
#
-# @sections: The EPC sections info for guest
+# @section-size: The EPC section size for guest
+# Redundant with @sections. Just for backward compatibility.
+#
+# @sections: The EPC sections info for guest (Since: 7.0)
+#
+# Features:
+# @deprecated: Member @section-size is deprecated. Use @sections instead.
#
# Since: 6.2
##
@@ -374,6 +380,8 @@
'sgx1': 'bool',
'sgx2': 'bool',
'flc': 'bool',
+ 'section-size': { 'type': 'uint64',
+ 'features': [ 'deprecated' ] },
'sections': ['SGXEPCSection']},
'if': 'TARGET_I386' }
@@ -390,7 +398,9 @@
#
# -> { "execute": "query-sgx" }
# <- { "return": { "sgx": true, "sgx1" : true, "sgx2" : true,
-# "flc": true, "section-size" : 0 } }
+# "flc": true, "section-size" : 96468992,
+# "sections": [{"node": 0, "size": 67108864},
+# {"node": 1, "size": 29360128}]} }
#
##
{ 'command': 'query-sgx', 'returns': 'SGXInfo', 'if': 'TARGET_I386' }
@@ -408,7 +418,9 @@
#
# -> { "execute": "query-sgx-capabilities" }
# <- { "return": { "sgx": true, "sgx1" : true, "sgx2" : true,
-# "flc": true, "section-size" : 0 } }
+# "flc": true, "section-size" : 96468992,
+# "section" : [{"node": 0, "size": 67108864},
+# {"node": 1, "size": 29360128}]} }
#
##
{ 'command': 'query-sgx-capabilities', 'returns': 'SGXInfo', 'if': 'TARGET_I386' }
--
2.27.0

58
SOURCES/kvm-s390x-css-fix-PMCW-invalid-mask.patch Normal file
View File

@ -0,0 +1,58 @@
From f3125f6379cbc070e9acaf58d0ec37972992744b Mon Sep 17 00:00:00 2001
From: Thomas Huth <thuth@redhat.com>
Date: Wed, 6 Apr 2022 10:56:26 +0200
Subject: [PATCH 4/5] s390x/css: fix PMCW invalid mask
RH-Author: Thomas Huth <thuth@redhat.com>
RH-MergeRequest: 145: s390x/css: fix PMCW invalid mask
RH-Commit: [1/1] fbf192f651aa668af56ca5c77455595fcdb19508
RH-Bugzilla: 2071070
RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
RH-Acked-by: David Hildenbrand <david@redhat.com>
RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
Bugzilla: http://bugzilla.redhat.com/2071070
commit 2df59b73e0864f021f6179f32f7ed364f6d4f38d
Author: Nico Boehr <nrb@linux.ibm.com>
Date: Thu Dec 16 14:16:57 2021 +0100
s390x/css: fix PMCW invalid mask
Previously, we required bits 5, 6 and 7 to be zero (0x07 == 0b111). But,
as per the principles of operation, bit 5 is ignored in MSCH and bits 0,
1, 6 and 7 need to be zero.
As both PMCW_FLAGS_MASK_INVALID and ioinst_schib_valid() are only used
by ioinst_handle_msch(), adjust the mask accordingly.
Fixes: db1c8f53bfb1 ("s390: Channel I/O basic definitions.")
Signed-off-by: Nico Boehr <nrb@linux.ibm.com>
Reviewed-by: Pierre Morel <pmorel@linux.ibm.com>
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Message-Id: <20211216131657.1057978-1-nrb@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
include/hw/s390x/ioinst.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/hw/s390x/ioinst.h b/include/hw/s390x/ioinst.h
index 3771fff9d4..ea8d0f2444 100644
--- a/include/hw/s390x/ioinst.h
+++ b/include/hw/s390x/ioinst.h
@@ -107,7 +107,7 @@ QEMU_BUILD_BUG_MSG(sizeof(PMCW) != 28, "size of PMCW is wrong");
#define PMCW_FLAGS_MASK_MP 0x0004
#define PMCW_FLAGS_MASK_TF 0x0002
#define PMCW_FLAGS_MASK_DNV 0x0001
-#define PMCW_FLAGS_MASK_INVALID 0x0700
+#define PMCW_FLAGS_MASK_INVALID 0xc300
#define PMCW_CHARS_MASK_ST 0x00e00000
#define PMCW_CHARS_MASK_MBFC 0x00000004
--
2.27.0

131
SOURCES/kvm-softmmu-fix-device-deletion-events-with-device-JSON-.patch Normal file
View File

@ -0,0 +1,131 @@
From afe1a63fe0cf863e024889edd82b9a380bfa8230 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 5 Jan 2022 12:38:47 +0000
Subject: [PATCH 2/6] softmmu: fix device deletion events with -device JSON
syntax
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Kevin Wolf <kwolf@redhat.com>
RH-MergeRequest: 103: Fix hot unplug of devices created with -device JSON syntax
RH-Commit: [1/1] 64cbc78bcb46bdb24d5f589ceb5ad598c388e447
RH-Bugzilla: 2033279
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Jano Tomko <None>
RH-Acked-by: Daniel P. Berrangé <berrange@redhat.com>
The -device JSON syntax impl leaks a reference on the created
DeviceState instance. As a result when you hot-unplug the
device, the device_finalize method won't be called and thus
it will fail to emit the required DEVICE_DELETED event.
A 'json-cli' feature was previously added against the
'device_add' QMP command QAPI schema to indicated to mgmt
apps that -device supported JSON syntax. Given the hotplug
bug that feature flag is not usable for its purpose, so
we add a new 'json-cli-hotplug' feature to indicate the
-device supports JSON without breaking hotplug.
Fixes: 5dacda5167560b3af8eadbce5814f60ba44b467e
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/802
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220105123847.4047954-2-berrange@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Tested-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 64b4529a432507ee84a924be69a03432639e87ba)
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
qapi/qdev.json | 5 ++++-
softmmu/vl.c | 4 +++-
tests/qtest/device-plug-test.c | 19 +++++++++++++++++++
3 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/qapi/qdev.json b/qapi/qdev.json
index 69656b14df..26cd10106b 100644
--- a/qapi/qdev.json
+++ b/qapi/qdev.json
@@ -44,6 +44,9 @@
# @json-cli: If present, the "-device" command line option supports JSON
# syntax with a structure identical to the arguments of this
# command.
+# @json-cli-hotplug: If present, the "-device" command line option supports JSON
+# syntax without the reference counting leak that broke
+# hot-unplug
#
# Notes:
#
@@ -74,7 +77,7 @@
{ 'command': 'device_add',
'data': {'driver': 'str', '*bus': 'str', '*id': 'str'},
'gen': false, # so we can get the additional arguments
- 'features': ['json-cli'] }
+ 'features': ['json-cli', 'json-cli-hotplug'] }
##
# @device_del:
diff --git a/softmmu/vl.c b/softmmu/vl.c
index d46b8fb4ab..b3829e2edd 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -2690,6 +2690,7 @@ static void qemu_create_cli_devices(void)
qemu_opts_foreach(qemu_find_opts("device"),
device_init_func, NULL, &error_fatal);
QTAILQ_FOREACH(opt, &device_opts, next) {
+ DeviceState *dev;
loc_push_restore(&opt->loc);
/*
* TODO Eventually we should call qmp_device_add() here to make sure it
@@ -2698,7 +2699,8 @@ static void qemu_create_cli_devices(void)
* from the start, so call qdev_device_add_from_qdict() directly for
* now.
*/
- qdev_device_add_from_qdict(opt->opts, true, &error_fatal);
+ dev = qdev_device_add_from_qdict(opt->opts, true, &error_fatal);
+ object_unref(OBJECT(dev));
loc_pop(&opt->loc);
}
rom_reset_order_override();
diff --git a/tests/qtest/device-plug-test.c b/tests/qtest/device-plug-test.c
index 559d47727a..ad79bd4c14 100644
--- a/tests/qtest/device-plug-test.c
+++ b/tests/qtest/device-plug-test.c
@@ -77,6 +77,23 @@ static void test_pci_unplug_request(void)
qtest_quit(qtest);
}
+static void test_pci_unplug_json_request(void)
+{
+ QTestState *qtest = qtest_initf(
+ "-device '{\"driver\": \"virtio-mouse-pci\", \"id\": \"dev0\"}'");
+
+ /*
+ * Request device removal. As the guest is not running, the request won't
+ * be processed. However during system reset, the removal will be
+ * handled, removing the device.
+ */
+ device_del(qtest, "dev0");
+ system_reset(qtest);
+ wait_device_deleted_event(qtest, "dev0");
+
+ qtest_quit(qtest);
+}
+
static void test_ccw_unplug(void)
{
QTestState *qtest = qtest_initf("-device virtio-balloon-ccw,id=dev0");
@@ -145,6 +162,8 @@ int main(int argc, char **argv)
*/
qtest_add_func("/device-plug/pci-unplug-request",
test_pci_unplug_request);
+ qtest_add_func("/device-plug/pci-unplug-json-request",
+ test_pci_unplug_json_request);
if (!strcmp(arch, "s390x")) {
qtest_add_func("/device-plug/ccw-unplug",
--
2.27.0

175
SOURCES/kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch Normal file
View File

@ -0,0 +1,175 @@
From fe4e22b9ccf2eb55d61eccf5050fb7aeafb5fe20 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 13 Apr 2022 14:51:06 -0400
Subject: [PATCH 3/3] softmmu/physmem: Introduce MemTxAttrs::memory field and
MEMTX_ACCESS_ERROR
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 151: hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR
RH-Commit: [3/3] b1ebc1e99f21ba0b9eccb284e260b56c7a8e64d8 (jmaloy/qemu-kvm)
RH-Bugzilla: 1999236
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Peter Xu <peterx@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999236
Upstream: Merged
CVE: CVE-2021-3750
Conflicts: memalign.h has not been introduced in this version. Instead,
we include osdep.h where the function prototypes are to be
found.
commit 3ab6fdc91b72e156da22848f0003ff4225690ced
Author: Philippe Mathieu-Daudé <philmd@redhat.com>
Date: Wed Dec 15 19:24:21 2021 +0100
softmmu/physmem: Introduce MemTxAttrs::memory field and MEMTX_ACCESS_ERROR
Add the 'memory' bit to the memory attributes to restrict bus
controller accesses to memories.
Introduce flatview_access_allowed() to check bus permission
before running any bus transaction.
Have read/write accessors return MEMTX_ACCESS_ERROR if an access is
restricted.
There is no change for the default case where 'memory' is not set.
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20211215182421.418374-4-philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[thuth: Replaced MEMTX_BUS_ERROR with MEMTX_ACCESS_ERROR, remove "inline"]
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 3ab6fdc91b72e156da22848f0003ff4225690ced)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
include/exec/memattrs.h | 9 +++++++++
softmmu/physmem.c | 45 +++++++++++++++++++++++++++++++++++++++--
2 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/include/exec/memattrs.h b/include/exec/memattrs.h
index 95f2d20d55..9fb98bc1ef 100644
--- a/include/exec/memattrs.h
+++ b/include/exec/memattrs.h
@@ -35,6 +35,14 @@ typedef struct MemTxAttrs {
unsigned int secure:1;
/* Memory access is usermode (unprivileged) */
unsigned int user:1;
+ /*
+ * Bus interconnect and peripherals can access anything (memories,
+ * devices) by default. By setting the 'memory' bit, bus transaction
+ * are restricted to "normal" memories (per the AMBA documentation)
+ * versus devices. Access to devices will be logged and rejected
+ * (see MEMTX_ACCESS_ERROR).
+ */
+ unsigned int memory:1;
/* Requester ID (for MSI for example) */
unsigned int requester_id:16;
/* Invert endianness for this page */
@@ -66,6 +74,7 @@ typedef struct MemTxAttrs {
#define MEMTX_OK 0
#define MEMTX_ERROR (1U << 0) /* device returned an error */
#define MEMTX_DECODE_ERROR (1U << 1) /* nothing at that address */
+#define MEMTX_ACCESS_ERROR (1U << 2) /* access denied */
typedef uint32_t MemTxResult;
#endif
diff --git a/softmmu/physmem.c b/softmmu/physmem.c
index 483a31be81..4d0ef5f92f 100644
--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
@@ -41,6 +41,8 @@
#include "qemu/config-file.h"
#include "qemu/error-report.h"
#include "qemu/qemu-print.h"
+#include "qemu/log.h"
+#include "qemu/osdep.h"
#include "exec/memory.h"
#include "exec/ioport.h"
#include "sysemu/dma.h"
@@ -2759,6 +2761,33 @@ static bool prepare_mmio_access(MemoryRegion *mr)
return release_lock;
}
+/**
+ * flatview_access_allowed
+ * @mr: #MemoryRegion to be accessed
+ * @attrs: memory transaction attributes
+ * @addr: address within that memory region
+ * @len: the number of bytes to access
+ *
+ * Check if a memory transaction is allowed.
+ *
+ * Returns: true if transaction is allowed, false if denied.
+ */
+static bool flatview_access_allowed(MemoryRegion *mr, MemTxAttrs attrs,
+ hwaddr addr, hwaddr len)
+{
+ if (likely(!attrs.memory)) {
+ return true;
+ }
+ if (memory_region_is_ram(mr)) {
+ return true;
+ }
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "Invalid access to non-RAM device at "
+ "addr 0x%" HWADDR_PRIX ", size %" HWADDR_PRIu ", "
+ "region '%s'\n", addr, len, memory_region_name(mr));
+ return false;
+}
+
/* Called within RCU critical section. */
static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
MemTxAttrs attrs,
@@ -2773,7 +2802,10 @@ static MemTxResult flatview_write_continue(FlatView *fv, hwaddr addr,
const uint8_t *buf = ptr;
for (;;) {
- if (!memory_access_is_direct(mr, true)) {
+ if (!flatview_access_allowed(mr, attrs, addr1, l)) {
+ result |= MEMTX_ACCESS_ERROR;
+ /* Keep going. */
+ } else if (!memory_access_is_direct(mr, true)) {
release_lock |= prepare_mmio_access(mr);
l = memory_access_size(mr, l, addr1);
/* XXX: could force current_cpu to NULL to avoid
@@ -2818,6 +2850,9 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
l = len;
mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
+ if (!flatview_access_allowed(mr, attrs, addr, len)) {
+ return MEMTX_ACCESS_ERROR;
+ }
return flatview_write_continue(fv, addr, attrs, buf, len,
addr1, l, mr);
}
@@ -2836,7 +2871,10 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
fuzz_dma_read_cb(addr, len, mr);
for (;;) {
- if (!memory_access_is_direct(mr, false)) {
+ if (!flatview_access_allowed(mr, attrs, addr1, l)) {
+ result |= MEMTX_ACCESS_ERROR;
+ /* Keep going. */
+ } else if (!memory_access_is_direct(mr, false)) {
/* I/O case */
release_lock |= prepare_mmio_access(mr);
l = memory_access_size(mr, l, addr1);
@@ -2879,6 +2917,9 @@ static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
l = len;
mr = flatview_translate(fv, addr, &addr1, &l, false, attrs);
+ if (!flatview_access_allowed(mr, attrs, addr, len)) {
+ return MEMTX_ACCESS_ERROR;
+ }
return flatview_read_continue(fv, addr, attrs, buf, len,
addr1, l, mr);
}
--
2.27.0

80
SOURCES/kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch Normal file
View File

@ -0,0 +1,80 @@
From 916423392b46167c6683b0240610bb5a745590da Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 13 Apr 2022 14:51:06 -0400
Subject: [PATCH 2/3] softmmu/physmem: Simplify flatview_write and
address_space_access_valid
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 151: hw/intc/arm_gicv3: Check for !MEMTX_OK instead of MEMTX_ERROR
RH-Commit: [2/3] daabe41eefd5c519def592e374fa368e32a680d3 (jmaloy/qemu-kvm)
RH-Bugzilla: 1999236
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Peter Xu <peterx@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1999236
Upstream: Merged
CVE: CVE-2021-3750
commit 58e74682baf4e1ad26b064d8c02e5bc99c75c5d9
Author: Philippe Mathieu-Daudé <philmd@redhat.com>
Date: Wed Dec 15 19:24:20 2021 +0100
softmmu/physmem: Simplify flatview_write and address_space_access_valid
Remove unuseful local 'result' variables.
Reviewed-by: Peter Xu <peterx@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20211215182421.418374-3-philmd@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 58e74682baf4e1ad26b064d8c02e5bc99c75c5d9)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
softmmu/physmem.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/softmmu/physmem.c b/softmmu/physmem.c
index 3524c04c2a..483a31be81 100644
--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
@@ -2815,14 +2815,11 @@ static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
hwaddr l;
hwaddr addr1;
MemoryRegion *mr;
- MemTxResult result = MEMTX_OK;
l = len;
mr = flatview_translate(fv, addr, &addr1, &l, true, attrs);
- result = flatview_write_continue(fv, addr, attrs, buf, len,
- addr1, l, mr);
-
- return result;
+ return flatview_write_continue(fv, addr, attrs, buf, len,
+ addr1, l, mr);
}
/* Called within RCU critical section. */
@@ -3119,12 +3116,10 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr,
MemTxAttrs attrs)
{
FlatView *fv;
- bool result;
RCU_READ_LOCK_GUARD();
fv = address_space_to_flatview(as);
- result = flatview_access_valid(fv, addr, len, is_write, attrs);
- return result;
+ return flatview_access_valid(fv, addr, len, is_write, attrs);
}
static hwaddr
--
2.27.0

47
SOURCES/kvm-tests-acpi-SLIC-update-expected-blobs.patch Normal file
View File

@ -0,0 +1,47 @@
From 0f5984bd89d481bf2494d4b3c36ef80350f44811 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 30 Mar 2022 14:52:34 -0400
Subject: [PATCH 12/18] tests: acpi: SLIC: update expected blobs
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
RH-Commit: [4/10] ca28e5c57f9eb432e5ad6b1cb7ef646a86890dd5 (jmaloy/qemu-kvm)
RH-Bugzilla: 2062611
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
Upstream: Merged
commit c8adb4d222c42951a9d0367e5f5d4e1f5e2c9ad7
Author: Igor Mammedov <imammedo@redhat.com>
Date: Mon Dec 27 14:31:20 2021 -0500
tests: acpi: SLIC: update expected blobs
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20211227193120.1084176-5-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit c8adb4d222c42951a9d0367e5f5d4e1f5e2c9ad7)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
tests/data/acpi/q35/FACP.slic | Bin 244 -> 244 bytes
tests/data/acpi/q35/SLIC.slic | Bin 0 -> 36 bytes
tests/qtest/bios-tables-test-allowed-diff.h | 2 --
3 files changed, 2 deletions(-)
literal 0
HcmV?d00001
diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
index 49dbf8fa3e..dfb8523c8b 100644
--- a/tests/qtest/bios-tables-test-allowed-diff.h
+++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -1,3 +1 @@
/* List of comma-separated changed AML files to ignore */
-"tests/data/acpi/q35/FACP.slic",
-"tests/data/acpi/q35/SLIC.slic",
--
2.27.0

76
SOURCES/kvm-tests-acpi-add-SLIC-table-test.patch Normal file
View File

@ -0,0 +1,76 @@
From 341715473c2a71f11a3888420a0caecf27ed4eb5 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 30 Mar 2022 14:52:34 -0400
Subject: [PATCH 11/18] tests: acpi: add SLIC table test
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
RH-Commit: [3/10] baac9b82c16a50eb4640fd7146775c9d507c7b21 (jmaloy/qemu-kvm)
RH-Bugzilla: 2062611
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
Upstream: Merged
commit 11edfabee443b149468a82b5efc88c96d1d259ec
Author: Igor Mammedov <imammedo@redhat.com>
Date: Mon Dec 27 14:31:19 2021 -0500
tests: acpi: add SLIC table test
When user uses '-acpitable' to add SLIC table, some ACPI
tables (FADT) will change its 'Oem ID'/'Oem Table ID' fields to
match that of SLIC. Test makes sure thati QEMU handles
those fields correctly when SLIC table is added with
'-acpitable' option.
Conflicts: tests/qtest/bios-tables-test.c
due to missing 39d7554b2009 ("tests/acpi: add test case for VIOT")
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20211227193120.1084176-4-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 11edfabee443b149468a82b5efc88c96d1d259ec)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
tests/qtest/bios-tables-test.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
index 16d8304cde..e159b71136 100644
--- a/tests/qtest/bios-tables-test.c
+++ b/tests/qtest/bios-tables-test.c
@@ -1467,6 +1467,20 @@ static void test_acpi_virt_tcg(void)
free_test_data(&data);
}
+static void test_acpi_q35_slic(void)
+{
+ test_data data = {
+ .machine = MACHINE_Q35,
+ .variant = ".slic",
+ };
+
+ test_acpi_one("-acpitable sig=SLIC,oem_id='CRASH ',oem_table_id='ME',"
+ "oem_rev=00002210,asl_compiler_id='qemu',"
+ "asl_compiler_rev=00000000,data=/dev/null",
+ &data);
+ free_test_data(&data);
+}
+
static void test_oem_fields(test_data *data)
{
int i;
@@ -1641,6 +1655,7 @@ int main(int argc, char *argv[])
qtest_add_func("acpi/q35/kvm/xapic", test_acpi_q35_kvm_xapic);
qtest_add_func("acpi/q35/kvm/dmar", test_acpi_q35_kvm_dmar);
}
+ qtest_add_func("acpi/q35/slic", test_acpi_q35_slic);
} else if (strcmp(arch, "aarch64") == 0) {
if (has_tcg) {
qtest_add_func("acpi/virt", test_acpi_virt_tcg);
--
2.27.0

84
SOURCES/kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch Normal file
View File

@ -0,0 +1,84 @@
From d94b3278c84cf7451489631d804a6b5cbd28a59d Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 30 Mar 2022 14:52:34 -0400
Subject: [PATCH 13/18] tests: acpi: manually pad OEM_ID/OEM_TABLE_ID for
test_oem_fields() test
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
RH-Commit: [5/10] 4ec8c738acec178c2f005f189b0c2a77a7af4088 (jmaloy/qemu-kvm)
RH-Bugzilla: 2062611
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
Upstream: Merged
commit a849522f726767022203ef2b6c395ea19facb866
Author: Igor Mammedov <imammedo@redhat.com>
Date: Wed Jan 12 08:03:29 2022 -0500
tests: acpi: manually pad OEM_ID/OEM_TABLE_ID for test_oem_fields() test
The next commit will revert OEM fields padding with whitespace to
padding with '\0' as it was before [1]. As result test_oem_fields() will
fail due to unexpectedly smaller ID sizes read from QEMU ACPI tables.
Pad OEM_ID/OEM_TABLE_ID manually with spaces so that values the test
puts on QEMU CLI and expected values match.
1) 602b458201 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20220112130332.1648664-2-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit a849522f726767022203ef2b6c395ea19facb866)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
tests/qtest/bios-tables-test.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
index e159b71136..348fdbd202 100644
--- a/tests/qtest/bios-tables-test.c
+++ b/tests/qtest/bios-tables-test.c
@@ -71,9 +71,10 @@
#define ACPI_REBUILD_EXPECTED_AML "TEST_ACPI_REBUILD_AML"
-#define OEM_ID "TEST"
-#define OEM_TABLE_ID "OEM"
-#define OEM_TEST_ARGS "-machine x-oem-id="OEM_ID",x-oem-table-id="OEM_TABLE_ID
+#define OEM_ID "TEST "
+#define OEM_TABLE_ID "OEM "
+#define OEM_TEST_ARGS "-machine x-oem-id='" OEM_ID "',x-oem-table-id='" \
+ OEM_TABLE_ID "'"
typedef struct {
bool tcg_only;
@@ -1484,11 +1485,7 @@ static void test_acpi_q35_slic(void)
static void test_oem_fields(test_data *data)
{
int i;
- char oem_id[6];
- char oem_table_id[8];
- strpadcpy(oem_id, sizeof oem_id, OEM_ID, ' ');
- strpadcpy(oem_table_id, sizeof oem_table_id, OEM_TABLE_ID, ' ');
for (i = 0; i < data->tables->len; ++i) {
AcpiSdtTable *sdt;
@@ -1498,8 +1495,8 @@ static void test_oem_fields(test_data *data)
continue;
}
- g_assert(memcmp(sdt->aml + 10, oem_id, 6) == 0);
- g_assert(memcmp(sdt->aml + 16, oem_table_id, 8) == 0);
+ g_assert(memcmp(sdt->aml + 10, OEM_ID, 6) == 0);
+ g_assert(memcmp(sdt->aml + 16, OEM_TABLE_ID, 8) == 0);
}
}
--
2.27.0

77
SOURCES/kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch Normal file
View File

@ -0,0 +1,77 @@
From 485bf2eb8edabd4553d995d5e32224df1e510aa2 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 30 Mar 2022 14:52:34 -0400
Subject: [PATCH 17/18] tests: acpi: test short OEM_ID/OEM_TABLE_ID values in
test_oem_fields()
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
RH-Commit: [9/10] 31339223fb6c6cc32185b9fdaac76f2709b17ad6 (jmaloy/qemu-kvm)
RH-Bugzilla: 2062611
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
Upstream: Merged
commit 408ca92634770de5eac7965ed97c6260e770f2e7
Author: Igor Mammedov <imammedo@redhat.com>
Date: Fri Jan 14 09:26:41 2022 -0500
tests: acpi: test short OEM_ID/OEM_TABLE_ID values in test_oem_fields()
Previous patch [1] added explicit whitespace padding to OEM_ID/OEM_TABLE_ID
values used in test_oem_fields() testcase to avoid false positive and
bisection issues when QEMU is switched to \0' padding. As result
testcase ceased to test values that were shorter than max possible
length values.
Update testcase to make sure that it's testing shorter IDs like it
used to before [2].
1) "tests: acpi: manually pad OEM_ID/OEM_TABLE_ID for test_oem_fields() test"
2) 602b458201 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20220114142641.1727679-1-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 408ca92634770de5eac7965ed97c6260e770f2e7)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
tests/qtest/bios-tables-test.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
index 348fdbd202..515a647490 100644
--- a/tests/qtest/bios-tables-test.c
+++ b/tests/qtest/bios-tables-test.c
@@ -71,10 +71,10 @@
#define ACPI_REBUILD_EXPECTED_AML "TEST_ACPI_REBUILD_AML"
-#define OEM_ID "TEST "
-#define OEM_TABLE_ID "OEM "
-#define OEM_TEST_ARGS "-machine x-oem-id='" OEM_ID "',x-oem-table-id='" \
- OEM_TABLE_ID "'"
+#define OEM_ID "TEST"
+#define OEM_TABLE_ID "OEM"
+#define OEM_TEST_ARGS "-machine x-oem-id=" OEM_ID ",x-oem-table-id=" \
+ OEM_TABLE_ID
typedef struct {
bool tcg_only;
@@ -1495,8 +1495,8 @@ static void test_oem_fields(test_data *data)
continue;
}
- g_assert(memcmp(sdt->aml + 10, OEM_ID, 6) == 0);
- g_assert(memcmp(sdt->aml + 16, OEM_TABLE_ID, 8) == 0);
+ g_assert(strncmp((char *)sdt->aml + 10, OEM_ID, 6) == 0);
+ g_assert(strncmp((char *)sdt->aml + 16, OEM_TABLE_ID, 8) == 0);
}
}
--
2.27.0

58
SOURCES/kvm-tests-acpi-update-expected-blobs.patch Normal file
View File

@ -0,0 +1,58 @@
From 4785d2a77fbea681975e5c48ae6a1be49058e089 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 30 Mar 2022 14:52:34 -0400
Subject: [PATCH 16/18] tests: acpi: update expected blobs
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
RH-Commit: [8/10] e069c5de88f34393d65d32b60380865832820302 (jmaloy/qemu-kvm)
RH-Bugzilla: 2062611
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
Upstream: Merged
commit 5adc3aba875416b0e077d8a29ddd0357883746f4
Author: Igor Mammedov <imammedo@redhat.com>
Date: Wed Jan 12 08:03:32 2022 -0500
tests: acpi: update expected blobs
Expected changes caused by previous commit:
nvdimm ssdt (q35/pc/virt):
- * OEM Table ID "NVDIMM "
+ * OEM Table ID "NVDIMM"
SLIC test FADT (tests/data/acpi/q35/FACP.slic):
-[010h 0016 8] Oem Table ID : "ME "
+[010h 0016 8] Oem Table ID : "ME"
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20220112130332.1648664-5-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 5adc3aba875416b0e077d8a29ddd0357883746f4)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
tests/data/acpi/pc/SSDT.dimmpxm | Bin 734 -> 734 bytes
tests/data/acpi/q35/FACP.slic | Bin 244 -> 244 bytes
tests/data/acpi/q35/SSDT.dimmpxm | Bin 734 -> 734 bytes
tests/data/acpi/virt/SSDT.memhp | Bin 736 -> 736 bytes
tests/qtest/bios-tables-test-allowed-diff.h | 4 ----
5 files changed, 4 deletions(-)
diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
index 7faa8f53be..dfb8523c8b 100644
--- a/tests/qtest/bios-tables-test-allowed-diff.h
+++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -1,5 +1 @@
/* List of comma-separated changed AML files to ignore */
-"tests/data/acpi/virt/SSDT.memhp",
-"tests/data/acpi/pc/SSDT.dimmpxm",
-"tests/data/acpi/q35/SSDT.dimmpxm",
-"tests/data/acpi/q35/FACP.slic",
--
2.27.0

47
SOURCES/kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch Normal file
View File

@ -0,0 +1,47 @@
From 4e6482073df85db5982aa03ab0355e632b7157fc Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 30 Mar 2022 14:52:34 -0400
Subject: [PATCH 10/18] tests: acpi: whitelist expected blobs before changing
them
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
RH-Commit: [2/10] c664ecad30ca9c13025a63bb31ae7b80fd63e4df (jmaloy/qemu-kvm)
RH-Bugzilla: 2062611
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
Upstream: Merged
commit e71f6ab9d93a7d01e833647e7010c1079c4cef30
Author: Igor Mammedov <imammedo@redhat.com>
Date: Mon Dec 27 14:31:18 2021 -0500
tests: acpi: whitelist expected blobs before changing them
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20211227193120.1084176-3-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit e71f6ab9d93a7d01e833647e7010c1079c4cef30)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
tests/data/acpi/q35/FACP.slic | Bin 0 -> 244 bytes
tests/data/acpi/q35/SLIC.slic | 0
tests/qtest/bios-tables-test-allowed-diff.h | 2 ++
3 files changed, 2 insertions(+)
create mode 100644 tests/data/acpi/q35/FACP.slic
create mode 100644 tests/data/acpi/q35/SLIC.slic
diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
index dfb8523c8b..49dbf8fa3e 100644
--- a/tests/qtest/bios-tables-test-allowed-diff.h
+++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -1 +1,3 @@
/* List of comma-separated changed AML files to ignore */
+"tests/data/acpi/q35/FACP.slic",
+"tests/data/acpi/q35/SLIC.slic",
--
2.27.0

57
SOURCES/kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch Normal file
View File

@ -0,0 +1,57 @@
From a132a22e316121cf00ff733afb1ad1dc313e14b3 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 30 Mar 2022 14:52:34 -0400
Subject: [PATCH 14/18] tests: acpi: whitelist nvdimm's SSDT and FACP.slic
expected blobs
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 141: acpi: fix QEMU crash when started with SLIC table
RH-Commit: [6/10] 3f3a929cde82f228da1e4bc66e4c869467c0289c (jmaloy/qemu-kvm)
RH-Bugzilla: 2062611
RH-Acked-by: Igor Mammedov <imammedo@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2062611
Upstream: Merged
commit d1e4a4654154925eddf0fc449fa9c92b806b9c8c
Author: Igor Mammedov <imammedo@redhat.com>
Date: Wed Jan 12 08:03:30 2022 -0500
tests: acpi: whitelist nvdimm's SSDT and FACP.slic expected blobs
The next commit will revert OEM fields whitespace padding to
padding with '\0' as it was before [1]. That will change OEM
Table ID for:
* SSDT.*: where it was padded from 6 characters to 8
* FACP.slic: where it was padded from 2 characters to 8
after reverting whitespace padding, it will be replaced with
'\0' which effectively will shorten OEM table ID to 6 and 2
characters.
Whitelist affected tables before introducing the change.
1) 602b458201 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20220112130332.1648664-3-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit d1e4a4654154925eddf0fc449fa9c92b806b9c8c)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
tests/qtest/bios-tables-test-allowed-diff.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
index dfb8523c8b..7faa8f53be 100644
--- a/tests/qtest/bios-tables-test-allowed-diff.h
+++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -1 +1,5 @@
/* List of comma-separated changed AML files to ignore */
+"tests/data/acpi/virt/SSDT.memhp",
+"tests/data/acpi/pc/SSDT.dimmpxm",
+"tests/data/acpi/q35/SSDT.dimmpxm",
+"tests/data/acpi/q35/FACP.slic",
--
2.27.0

76
SOURCES/kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch Normal file
View File

@ -0,0 +1,76 @@
From ff4e95d8652dadfed09913c7968514a2a7f36591 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@rehat.com>
Date: Thu, 14 Apr 2022 10:38:26 -0400
Subject: [PATCH 2/2] vhost-vsock: detach the virqueue element in case of error
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 153: vhost-vsock: detach the virqueue element in case of error
RH-Commit: [1/1] 024dbc9073fddbe89a8ae8eb201f5bc674bffb64 (jmaloy/qemu-kvm)
RH-Bugzilla: 2063262
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2063262
Upstream: Merged
CVE: CVE-2022-26354
commit 8d1b247f3748ac4078524130c6d7ae42b6140aaf
Author: Stefano Garzarella <sgarzare@redhat.com>
Date: Mon Feb 28 10:50:58 2022 +0100
vhost-vsock: detach the virqueue element in case of error
In vhost_vsock_common_send_transport_reset(), if an element popped from
the virtqueue is invalid, we should call virtqueue_detach_element() to
detach it from the virtqueue before freeing its memory.
Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
Fixes: CVE-2022-26354
Cc: qemu-stable@nongnu.org
Reported-by: VictorV <vv474172261@gmail.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 8d1b247f3748ac4078524130c6d7ae42b6140aaf)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/virtio/vhost-vsock-common.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c
index 3f3771274e..ed706681ac 100644
--- a/hw/virtio/vhost-vsock-common.c
+++ b/hw/virtio/vhost-vsock-common.c
@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc)
if (elem->out_num) {
error_report("invalid vhost-vsock event virtqueue element with "
"out buffers");
- goto out;
+ goto err;
}
if (iov_from_buf(elem->in_sg, elem->in_num, 0,
&event, sizeof(event)) != sizeof(event)) {
error_report("vhost-vsock event virtqueue element is too short");
- goto out;
+ goto err;
}
virtqueue_push(vq, elem, sizeof(event));
virtio_notify(VIRTIO_DEVICE(vvc), vq);
-out:
+ g_free(elem);
+ return;
+
+err:
+ virtqueue_detach_element(vq, elem, 0);
g_free(elem);
}
--
2.27.0

110
SOURCES/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch Normal file
View File

@ -0,0 +1,110 @@
From 2754dc2c7def01d7dd1bb39f3e86ef444652d397 Mon Sep 17 00:00:00 2001
From: Vivek Goyal <vgoyal@redhat.com>
Date: Tue, 25 Jan 2022 13:51:14 -0500
Subject: [PATCH 1/6] virtiofsd: Drop membership of all supplementary groups
(CVE-2022-0358)
RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-MergeRequest: 102: virtiofsd: Drop membership of all supplementary groups (CVE-2022-0358)
RH-Commit: [1/1] 93e56c88277fec8e42559a899d32b80fac4a923f
RH-Bugzilla: 2046198
RH-Acked-by: Greg Kurz <gkurz@redhat.com>
RH-Acked-by: Sergio Lopez <None>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
At the start, drop membership of all supplementary groups. This is
not required.
If we have membership of "root" supplementary group and when we switch
uid/gid using setresuid/setsgid, we still retain membership of existing
supplemntary groups. And that can allow some operations which are not
normally allowed.
For example, if root in guest creates a dir as follows.
$ mkdir -m 03777 test_dir
This sets SGID on dir as well as allows unprivileged users to write into
this dir.
And now as unprivileged user open file as follows.
$ su test
$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
This will create SGID set executable in test_dir/.
And that's a problem because now an unpriviliged user can execute it,
get egid=0 and get access to resources owned by "root" group. This is
privilege escalation.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
Fixes: CVE-2022-0358
Reported-by: JIETAO XIAO <shawtao1125@gmail.com>
Suggested-by: Miklos Szeredi <mszeredi@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Message-Id: <YfBGoriS38eBQrAb@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
dgilbert: Fixed missing {}'s style nit
(cherry picked from commit 449e8171f96a6a944d1f3b7d3627ae059eae21ca)
---
tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 64b5b4fbb1..b3d0674f6d 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -54,6 +54,7 @@
#include <sys/wait.h>
#include <sys/xattr.h>
#include <syslog.h>
+#include <grp.h>
#include "qemu/cutils.h"
#include "passthrough_helpers.h"
@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
#define OURSYS_setresuid SYS_setresuid
#endif
+static void drop_supplementary_groups(void)
+{
+ int ret;
+
+ ret = getgroups(0, NULL);
+ if (ret == -1) {
+ fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
+ errno, strerror(errno));
+ exit(1);
+ }
+
+ if (!ret) {
+ return;
+ }
+
+ /* Drop all supplementary groups. We should not need it */
+ ret = setgroups(0, NULL);
+ if (ret == -1) {
+ fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
+ errno, strerror(errno));
+ exit(1);
+ }
+}
+
/*
* Change to uid/gid of caller so that file is created with
* ownership of caller.
@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[])
qemu_init_exec_dir(argv[0]);
+ drop_supplementary_groups();
+
pthread_mutex_init(&lo.mutex, NULL);
lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
lo.root.fd = -1;
--
2.27.0

48
SOURCES/kvm-vmxcap-Add-5-level-EPT-bit.patch Normal file
View File

@ -0,0 +1,48 @@
From f0f87dcea3fe14b20b8599cda9b1151ca2490d0c Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 30 Mar 2022 14:52:34 -0400
Subject: [PATCH 07/18] vmxcap: Add 5-level EPT bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 139: vmxcap: Add 5-level EPT bit
RH-Commit: [1/2] 4c098f551f1ed8e2a5582f466afda35b28d97055 (jmaloy/qemu-kvm)
RH-Bugzilla: 2065207
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2065207
UPSTREAM: Merged
commit d312378e59658473aa91aa15c67ec6200d92e5ff
Author: Vitaly Kuznetsov <vkuznets@redhat.com>
Date: Mon Feb 21 15:53:16 2022 +0100
vmxcap: Add 5-level EPT bit
5-level EPT is present in Icelake Server CPUs and is supported by QEMU
('vmx-page-walk-5').
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20220221145316.576138-2-vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d312378e59658473aa91aa15c67ec6200d92e5ff)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
scripts/kvm/vmxcap | 1 +
1 file changed, 1 insertion(+)
diff --git a/scripts/kvm/vmxcap b/scripts/kvm/vmxcap
index 6fe66d5f57..f140040104 100755
--- a/scripts/kvm/vmxcap
+++ b/scripts/kvm/vmxcap
@@ -249,6 +249,7 @@ controls = [
bits = {
0: 'Execute-only EPT translations',
6: 'Page-walk length 4',
+ 7: 'Page-walk length 5',
8: 'Paging-structure memory type UC',
14: 'Paging-structure memory type WB',
16: '2MB EPT pages',
--
2.27.0

BIN
SOURCES/tests_data_acpi_pc_SSDT.dimmpxm Normal file
View File

Binary file not shown.

BIN
SOURCES/tests_data_acpi_q35_FACP.slic Normal file
View File

Binary file not shown.

BIN
SOURCES/tests_data_acpi_q35_SSDT.dimmpxm Normal file
View File

Binary file not shown.

BIN
SOURCES/tests_data_acpi_virt_SSDT.memhp Normal file
View File

Binary file not shown.

208
SPECS/qemu-kvm.spec
View File

@ -83,7 +83,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm
Version: 6.2.0
Release: 5%{?rcrel}%{?dist}
Release: 12%{?rcrel}%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 15
License: GPLv2 and GPLv2+ and CC-BY
@ -118,7 +118,10 @@ Source33: qemu-pr-helper.socket
Source34: 81-kvm-rhel.rules
Source35: udev-kvm-check.c
Source36: README.tests
Source37: tests_data_acpi_pc_SSDT.dimmpxm
Source38: tests_data_acpi_q35_FACP.slic
Source39: tests_data_acpi_q35_SSDT.dimmpxm
Source40: tests_data_acpi_virt_SSDT.memhp
Patch0001: 0001-redhat-Adding-slirp-to-the-exploded-tree.patch
Patch0005: 0005-Initial-redhat-build.patch
@ -162,6 +165,98 @@ Patch33: kvm-rhel-machine-types-x86-set-prefer_sockets.patch
Patch34: kvm-acpi-validate-hotplug-selector-on-access.patch
# For bz#2031035 - Add rhel-8.6.0 machine types for RHEL 8.6 [x86]
Patch35: kvm-x86-Add-q35-RHEL-8.6.0-machine-type.patch
# For bz#2046198 - CVE-2022-0358 virt:av/qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-8.6]
Patch36: kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch
# For bz#2033279 - [wrb][qemu-kvm 6.2] The hot-unplugged device can not be hot-plugged back
Patch37: kvm-softmmu-fix-device-deletion-events-with-device-JSON-.patch
# For bz#2021778 - Qemu core dump when do full backup during system reset
# For bz#2036178 - Qemu core dumped when do block-stream to a snapshot node on non-enough space storage
Patch38: kvm-block-backend-prevent-dangling-BDS-pointers-across-a.patch
# For bz#2021778 - Qemu core dump when do full backup during system reset
# For bz#2036178 - Qemu core dumped when do block-stream to a snapshot node on non-enough space storage
Patch39: kvm-iotests-stream-error-on-reset-New-test.patch
# For bz#2037135 - Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD
Patch40: kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch
# For bz#2037135 - Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD
Patch41: kvm-block-rbd-workaround-for-ceph-issue-53784.patch
# For bz#1518984 - [Intel 8.6 Feat] qemu-kvm: SGX 1.5 (SGX1 + Flexible Launch Control) support
Patch42: kvm-numa-Enable-numa-for-SGX-EPC-sections.patch
# For bz#1518984 - [Intel 8.6 Feat] qemu-kvm: SGX 1.5 (SGX1 + Flexible Launch Control) support
Patch43: kvm-numa-Support-SGX-numa-in-the-monitor-and-Libvirt-int.patch
# For bz#1518984 - [Intel 8.6 Feat] qemu-kvm: SGX 1.5 (SGX1 + Flexible Launch Control) support
Patch44: kvm-doc-Add-the-SGX-numa-description.patch
# For bz#1518984 - [Intel 8.6 Feat] qemu-kvm: SGX 1.5 (SGX1 + Flexible Launch Control) support
Patch45: kvm-Enable-SGX-RH-Only.patch
# For bz#1518984 - [Intel 8.6 Feat] qemu-kvm: SGX 1.5 (SGX1 + Flexible Launch Control) support
Patch46: kvm-qapi-Cleanup-SGX-related-comments-and-restore-sectio.patch
# For bz#2041480 - [incremental_backup] Inconsistent block status reply in qemu-nbd
Patch47: kvm-block-io-Update-BSC-only-if-want_zero-is-true.patch
# For bz#2041480 - [incremental_backup] Inconsistent block status reply in qemu-nbd
Patch48: kvm-iotests-block-status-cache-New-test.patch
# For bz#2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
Patch49: kvm-block-nbd-Delete-reconnect-delay-timer-when-done.patch
# For bz#2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
Patch50: kvm-block-nbd-Assert-there-are-no-timers-when-closed.patch
# For bz#2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
Patch51: kvm-iotests.py-Add-QemuStorageDaemon-class.patch
# For bz#2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
Patch52: kvm-iotests-281-Test-lingering-timers.patch
# For bz#2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
Patch53: kvm-block-nbd-Move-s-ioc-on-AioContext-change.patch
# For bz#2035185 - Qemu core dump when start guest with nbd node or do block jobs to nbd node
Patch54: kvm-iotests-281-Let-NBD-connection-yield-in-iothread.patch
# For bz#2062613 - Revert IBM-specific Ubuntu-compatibility machine type for 8.6-AV GA [rhel-8.7.0]
Patch55: kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch
# For bz#2062613 - Revert IBM-specific Ubuntu-compatibility machine type for 8.6-AV GA [rhel-8.7.0]
Patch56: kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch
# For bz#2062613 - Revert IBM-specific Ubuntu-compatibility machine type for 8.6-AV GA [rhel-8.7.0]
Patch57: kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch
# For bz#2060843 - [virtual network][vDPA] qemu crash after hot unplug vdpa device [rhel-8.7.0]
Patch58: kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch
# For bz#2062610 - Do operation to disk will hang in the guest of target host after hotplugging and migrating [rhel-8.7.0]
Patch59: kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch
# For bz#2062610 - Do operation to disk will hang in the guest of target host after hotplugging and migrating [rhel-8.7.0]
Patch60: kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch
# For bz#2065207 - Win11 (q35+edk2) guest broke after install wsl2 through 'wsl --install -d Ubuntu-20.04' [rhel-8.7.0]
Patch61: kvm-vmxcap-Add-5-level-EPT-bit.patch
# For bz#2065207 - Win11 (q35+edk2) guest broke after install wsl2 through 'wsl --install -d Ubuntu-20.04' [rhel-8.7.0]
Patch62: kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch
# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
Patch63: kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
Patch64: kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch
# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
Patch65: kvm-tests-acpi-add-SLIC-table-test.patch
# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
Patch66: kvm-tests-acpi-SLIC-update-expected-blobs.patch
# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
Patch67: kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch
# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
Patch68: kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch
# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
Patch69: kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch
# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
Patch70: kvm-tests-acpi-update-expected-blobs.patch
# For bz#2062611 - Guest can not start with SLIC acpi table [rhel-8.7.0]
Patch71: kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch
# For bz#2068202 - RHEL 9.0 guest with vsock device migration failed from RHEL 9.0 > RHEL 8.6 [rhel-8.7.0]
Patch72: kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch
# For bz#2067118 - qemu crash after execute blockdev-reopen with iothread
Patch73: kvm-block-Lock-AioContext-for-drain_end-in-blockdev-reop.patch
# For bz#2067118 - qemu crash after execute blockdev-reopen with iothread
Patch74: kvm-iotests-Test-blockdev-reopen-with-iothreads-and-thro.patch
# For bz#2071070 - s390x/css: fix PMCW invalid mask
Patch75: kvm-s390x-css-fix-PMCW-invalid-mask.patch
# For bz#1999236 - CVE-2021-3750 virt:rhel/qemu-kvm: QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free [rhel-8]
Patch76: kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch
# For bz#1999236 - CVE-2021-3750 virt:rhel/qemu-kvm: QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free [rhel-8]
Patch77: kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch
# For bz#1999236 - CVE-2021-3750 virt:rhel/qemu-kvm: QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free [rhel-8]
Patch78: kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch
# For bz#2040738 - CVE-2021-4207 virt:rhel/qemu-kvm: QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow [rhel-8]
Patch79: kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch
# For bz#2063262 - CVE-2022-26354 virt:rhel/qemu-kvm: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak [rhel-8]
Patch80: kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
BuildRequires: wget
BuildRequires: rpm-build
@ -493,6 +588,10 @@ mkdir slirp
%global qemu_kvm_build qemu_kvm_build
mkdir -p %{qemu_kvm_build}
cp -f %{SOURCE37} tests/data/acpi/pc/SSDT.dimmpxm
cp -f %{SOURCE38} tests/data/acpi/q35/FACP.slic
cp -f %{SOURCE39} tests/data/acpi/q35/SSDT.dimmpxm
cp -f %{SOURCE40} tests/data/acpi/virt/SSDT.memhp
%build
%global buildarch %{kvm_target}-softmmu
@ -815,7 +914,7 @@ cp -R tests/avocado/* $RPM_BUILD_ROOT%{testsdir}/tests/avocado/
# Install qemu.py and qmp/ scripts required to run avocado_qemu tests
cp -R python/qemu $RPM_BUILD_ROOT%{testsdir}/python
cp -R scripts/qmp/* $RPM_BUILD_ROOT%{testsdir}/scripts/qmp
install -p -m 0755 ../tests/Makefile.include $RPM_BUILD_ROOT%{testsdir}/tests/
install -p -m 0644 ../tests/Makefile.include $RPM_BUILD_ROOT%{testsdir}/tests/
# Install qemu-iotests
cp -R ../tests/qemu-iotests/* $RPM_BUILD_ROOT%{testsdir}/tests/qemu-iotests/
@ -914,7 +1013,7 @@ install -D -p -m 0644 ../qemu.sasl $RPM_BUILD_ROOT%{_sysconfdir}/sasl2/%{name}.c
# Install keymaps
pushd pc-bios/keymaps
for kmp in *; do
install $kmp ${RPM_BUILD_ROOT}%{_datadir}/%{name}/keymaps/
install -m 0644 $kmp ${RPM_BUILD_ROOT}%{_datadir}/%{name}/keymaps/
done
rm -f ${RPM_BUILD_ROOT}%{_datadir}/%{name}/keymaps/*.stamp
popd
@ -1327,6 +1426,107 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
%changelog
* Thu Apr 21 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-12
- kvm-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch [bz#2040738]
- kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch [bz#2063262]
- Resolves: bz#2040738
(CVE-2021-4207 virt:rhel/qemu-kvm: QEMU: QXL: double fetch in qxl_cursor() can lead to heap buffer overflow [rhel-8])
- Resolves: bz#2063262
(CVE-2022-26354 virt:rhel/qemu-kvm: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak [rhel-8])
* Thu Apr 21 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-11
- kvm-hw-intc-arm_gicv3-Check-for-MEMTX_OK-instead-of-MEMT.patch [bz#1999236]
- kvm-softmmu-physmem-Simplify-flatview_write-and-address_.patch [bz#1999236]
- kvm-softmmu-physmem-Introduce-MemTxAttrs-memory-field-an.patch [bz#1999236]
- Resolves: bz#1999236
(CVE-2021-3750 virt:rhel/qemu-kvm: QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free [rhel-8])
* Thu Apr 21 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-10
- kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch [bz#2068202]
- kvm-block-Lock-AioContext-for-drain_end-in-blockdev-reop.patch [bz#2067118]
- kvm-iotests-Test-blockdev-reopen-with-iothreads-and-thro.patch [bz#2067118]
- kvm-s390x-css-fix-PMCW-invalid-mask.patch [bz#2071070]
- kvm-Set-permission-on-installing-files.patch [bz#2072377]
- Resolves: bz#2068202
(RHEL 9.0 guest with vsock device migration failed from RHEL 9.0 > RHEL 8.6 [rhel-8.7.0])
- Resolves: bz#2067118
(qemu crash after execute blockdev-reopen with iothread)
- Resolves: bz#2071070
(s390x/css: fix PMCW invalid mask)
- Resolves: bz#2072377
(Fix build warnings that occur when installing the keymap files)
* Wed Apr 06 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-9
- kvm-Revert-redhat-Add-hw_compat_4_2_extra-and-apply-to-u.patch [bz#2062613]
- kvm-Revert-redhat-Enable-FDC-device-for-upstream-machine.patch [bz#2062613]
- kvm-Revert-redhat-Expose-upstream-machines-pc-4.2-and-pc.patch [bz#2062613]
- kvm-hw-virtio-vdpa-Fix-leak-of-host-notifier-memory-regi.patch [bz#2060843]
- kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch [bz#2062610]
- kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch [bz#2062610]
- kvm-vmxcap-Add-5-level-EPT-bit.patch [bz#2065207]
- kvm-i386-Add-Icelake-Server-v6-CPU-model-with-5-level-EP.patch [bz#2065207]
- kvm-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch [bz#2062611]
- kvm-tests-acpi-whitelist-expected-blobs-before-changing-.patch [bz#2062611]
- kvm-tests-acpi-add-SLIC-table-test.patch [bz#2062611]
- kvm-tests-acpi-SLIC-update-expected-blobs.patch [bz#2062611]
- kvm-tests-acpi-manually-pad-OEM_ID-OEM_TABLE_ID-for-test.patch [bz#2062611]
- kvm-tests-acpi-whitelist-nvdimm-s-SSDT-and-FACP.slic-exp.patch [bz#2062611]
- kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch [bz#2062611]
- kvm-tests-acpi-update-expected-blobs.patch [bz#2062611]
- kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch [bz#2062611]
- kvm-rhel-workaround-for-lack-of-binary-patches-in-SRPM.patch [bz#2062611]
- Resolves: bz#2062613
(Revert IBM-specific Ubuntu-compatibility machine type for 8.6-AV GA [rhel-8.7.0])
- Resolves: bz#2060843
([virtual network][vDPA] qemu crash after hot unplug vdpa device [rhel-8.7.0])
- Resolves: bz#2062610
(Do operation to disk will hang in the guest of target host after hotplugging and migrating [rhel-8.7.0])
- Resolves: bz#2065207
(Win11 (q35+edk2) guest broke after install wsl2 through 'wsl --install -d Ubuntu-20.04' [rhel-8.7.0])
- Resolves: bz#2062611
(Guest can not start with SLIC acpi table [rhel-8.7.0])
* Tue Feb 22 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-8
- kvm-block-nbd-Delete-reconnect-delay-timer-when-done.patch [bz#2035185]
- kvm-block-nbd-Assert-there-are-no-timers-when-closed.patch [bz#2035185]
- kvm-iotests.py-Add-QemuStorageDaemon-class.patch [bz#2035185]
- kvm-iotests-281-Test-lingering-timers.patch [bz#2035185]
- kvm-block-nbd-Move-s-ioc-on-AioContext-change.patch [bz#2035185]
- kvm-iotests-281-Let-NBD-connection-yield-in-iothread.patch [bz#2035185]
- Resolves: bz#2035185
(Qemu core dump when start guest with nbd node or do block jobs to nbd node)
* Tue Feb 15 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-7
- kvm-numa-Enable-numa-for-SGX-EPC-sections.patch [bz#1518984]
- kvm-numa-Support-SGX-numa-in-the-monitor-and-Libvirt-int.patch [bz#1518984]
- kvm-doc-Add-the-SGX-numa-description.patch [bz#1518984]
- kvm-Enable-SGX-RH-Only.patch [bz#1518984]
- kvm-qapi-Cleanup-SGX-related-comments-and-restore-sectio.patch [bz#1518984]
- kvm-block-io-Update-BSC-only-if-want_zero-is-true.patch [bz#2041480]
- kvm-iotests-block-status-cache-New-test.patch [bz#2041480]
- Resolves: bz#1518984
([Intel 8.6 Feat] qemu-kvm: SGX 1.5 (SGX1 + Flexible Launch Control) support)
- Resolves: bz#2041480
([incremental_backup] Inconsistent block status reply in qemu-nbd)
* Tue Feb 08 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-6
- kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch [bz#2046198]
- kvm-softmmu-fix-device-deletion-events-with-device-JSON-.patch [bz#2033279]
- kvm-block-backend-prevent-dangling-BDS-pointers-across-a.patch [bz#2021778 bz#2036178]
- kvm-iotests-stream-error-on-reset-New-test.patch [bz#2021778 bz#2036178]
- kvm-block-rbd-fix-handling-of-holes-in-.bdrv_co_block_st.patch [bz#2037135]
- kvm-block-rbd-workaround-for-ceph-issue-53784.patch [bz#2037135]
- Resolves: bz#2046198
(CVE-2022-0358 virt:av/qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-8.6])
- Resolves: bz#2033279
([wrb][qemu-kvm 6.2] The hot-unplugged device can not be hot-plugged back)
- Resolves: bz#2021778
(Qemu core dump when do full backup during system reset)
- Resolves: bz#2036178
(Qemu core dumped when do block-stream to a snapshot node on non-enough space storage)
- Resolves: bz#2037135
(Booting from Local Snapshot Core Dumped Whose Backing File Is Based on RBD)
* Tue Jan 25 2022 Jon Maloy <jmaloy@redhat.com> - 6.2.0-5
- kvm-acpi-validate-hotplug-selector-on-access.patch [bz#2036580]
- kvm-x86-Add-q35-RHEL-8.6.0-machine-type.patch [bz#2031035]