Merge branch 'c8-stream-rhel' into a8-stream-rhel

SOURCES/acpi-fix-acpi_index-migration.patch

@@ -0,0 +1,148 @@
+From a83c2844903c45aa7d32cdd17305f23ce2c56ab9 Mon Sep 17 00:00:00 2001
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Wed, 6 Apr 2022 14:58:12 -0400
+Subject: [PATCH] acpi: fix acpi_index migration
+
+vmstate_acpi_pcihp_use_acpi_index() was expecting AcpiPciHpState
+as state but it actually received PIIX4PMState, because
+VMSTATE_PCI_HOTPLUG is a macro and not another struct.
+So it ended up accessing random pointer, which resulted
+in 'false' return value and acpi_index field wasn't ever
+sent.
+
+However in 7.0 that pointer de-references to value > 0, and
+destination QEMU starts to expect the field which isn't
+sent in migratioon stream from older QEMU (6.2 and older).
+As result migration fails with:
+  qemu-system-x86_64: Missing section footer for 0000:00:01.3/piix4_pm
+  qemu-system-x86_64: load of migration failed: Invalid argument
+
+In addition with QEMU-6.2, destination due to not expected
+state, also never expects the acpi_index field in migration
+stream.
+
+Q35 is not affected as it always sends/expects the field as
+long as acpi based PCI hotplug is enabled.
+
+Fix issue by introducing compat knob to never send/expect
+acpi_index in migration stream for 6.2 and older PC machine
+types and always send it for 7.0 and newer PC machine types.
+
+Diagnosed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Fixes: b32bd76 ("pci: introduce acpi-index property for PCI device")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/932
+Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/acpi/acpi-pci-hotplug-stub.c |  4 ----
+ hw/acpi/pcihp.c                 |  6 ------
+ hw/acpi/piix4.c                 | 15 ++++++++++++++-
+ hw/core/machine.c               |  4 +++-
+ include/hw/acpi/pcihp.h         |  2 --
+ 5 files changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/hw/acpi/acpi-pci-hotplug-stub.c b/hw/acpi/acpi-pci-hotplug-stub.c
+index 734e4c598689..a43f6dafc92f 100644
+--- a/hw/acpi/acpi-pci-hotplug-stub.c
++++ b/hw/acpi/acpi-pci-hotplug-stub.c
+@@ -41,7 +41,3 @@ void acpi_pcihp_reset(AcpiPciHpState *s, bool acpihp_root_off)
+     return;
+ }
+ 
+-bool vmstate_acpi_pcihp_use_acpi_index(void *opaque, int version_id)
+-{
+-    return false;
+-}
+diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
+index 6351bd3424d8..bf65bbea4940 100644
+--- a/hw/acpi/pcihp.c
++++ b/hw/acpi/pcihp.c
+@@ -554,12 +554,6 @@ void acpi_pcihp_init(Object *owner, AcpiPciHpState *s, PCIBus *root_bus,
+                                    OBJ_PROP_FLAG_READ);
+ }
+ 
+-bool vmstate_acpi_pcihp_use_acpi_index(void *opaque, int version_id)
+-{
+-     AcpiPciHpState *s = opaque;
+-     return s->acpi_index;
+-}
+-
+ const VMStateDescription vmstate_acpi_pcihp_pci_status = {
+     .name = "acpi_pcihp_pci_status",
+     .version_id = 1,
+diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
+index cc37fa341680..fe5625d07a28 100644
+--- a/hw/acpi/piix4.c
++++ b/hw/acpi/piix4.c
+@@ -82,6 +82,7 @@ struct PIIX4PMState {
+     AcpiPciHpState acpi_pci_hotplug;
+     bool use_acpi_hotplug_bridge;
+     bool use_acpi_root_pci_hotplug;
++    bool not_migrate_acpi_index;
+ 
+     uint8_t disable_s3;
+     uint8_t disable_s4;
+@@ -267,6 +268,16 @@ static bool piix4_vmstate_need_smbus(void *opaque, int version_id)
+     return pm_smbus_vmstate_needed();
+ }
+ 
++/*
++ * This is a fudge to turn off the acpi_index field,
++ * whose test was always broken on piix4 with 6.2 and older machine types.
++ */
++static bool vmstate_test_migrate_acpi_index(void *opaque, int version_id)
++{
++    PIIX4PMState *s = PIIX4_PM(opaque);
++    return s->use_acpi_hotplug_bridge && !s->not_migrate_acpi_index;
++}
++
+ /* qemu-kvm 1.2 uses version 3 but advertised as 2
+  * To support incoming qemu-kvm 1.2 migration, change version_id
+  * and minimum_version_id to 2 below (which breaks migration from
+@@ -297,7 +308,7 @@ static const VMStateDescription vmstate_acpi = {
+             struct AcpiPciHpPciStatus),
+         VMSTATE_PCI_HOTPLUG(acpi_pci_hotplug, PIIX4PMState,
+                             vmstate_test_use_acpi_hotplug_bridge,
+-                            vmstate_acpi_pcihp_use_acpi_index),
++                            vmstate_test_migrate_acpi_index),
+         VMSTATE_END_OF_LIST()
+     },
+     .subsections = (const VMStateDescription*[]) {
+@@ -652,6 +663,8 @@ static Property piix4_pm_properties[] = {
+     DEFINE_PROP_BOOL("memory-hotplug-support", PIIX4PMState,
+                      acpi_memory_hotplug.is_enabled, true),
+     DEFINE_PROP_BOOL("smm-compat", PIIX4PMState, smm_compat, false),
++    DEFINE_PROP_BOOL("x-not-migrate-acpi-index", PIIX4PMState,
++                      not_migrate_acpi_index, false),
+     DEFINE_PROP_END_OF_LIST(),
+ };
+ 
+diff --git a/hw/core/machine.c b/hw/core/machine.c
+index 76fcabec7..5289313a5 100644
+--- a/hw/core/machine.c
++++ b/hw/core/machine.c
+@@ -331,6 +331,10 @@ GlobalProperty hw_compat_rhel_7_1[] = {
+ };
+ const size_t hw_compat_rhel_7_1_len = G_N_ELEMENTS(hw_compat_rhel_7_1);
+ 
++GlobalProperty hw_compat_6_2[] = {
++    { "PIIX4_PM", "x-not-migrate-acpi-index", "on"},
++};
++
+ GlobalProperty hw_compat_6_1[] = {
+     { "vhost-user-vsock-device", "seqpacket", "off" },
+     { "nvme-ns", "shared", "off" },
+diff --git a/include/hw/acpi/pcihp.h b/include/hw/acpi/pcihp.h
+index af1a169fc32d..7e268c2c9c95 100644
+--- a/include/hw/acpi/pcihp.h
++++ b/include/hw/acpi/pcihp.h
+@@ -73,8 +73,6 @@ void acpi_pcihp_reset(AcpiPciHpState *s, bool acpihp_root_off);
+ 
+ extern const VMStateDescription vmstate_acpi_pcihp_pci_status;
+ 
+-bool vmstate_acpi_pcihp_use_acpi_index(void *opaque, int version_id);
+-
+ #define VMSTATE_PCI_HOTPLUG(pcihp, state, test_pcihp, test_acpi_index) \
+         VMSTATE_UINT32_TEST(pcihp.hotplug_select, state, \
+                             test_pcihp), \

SOURCES/io-remove-io-watch-if-TLS-channel-is-closed.patch

@@ -0,0 +1,80 @@
+From 10be627d2b5ec2d6b3dce045144aa739eef678b4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 20 Jun 2023 09:45:34 +0100
+Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The TLS handshake make take some time to complete, during which time an
+I/O watch might be registered with the main loop. If the owner of the
+I/O channel invokes qio_channel_close() while the handshake is waiting
+to continue the I/O watch must be removed. Failing to remove it will
+later trigger the completion callback which the owner is not expecting
+to receive. In the case of the VNC server, this results in a SEGV as
+vnc_disconnect_start() tries to shutdown a client connection that is
+already gone / NULL.
+
+CVE-2023-3354
+Reported-by: jiangyegen <jiangyegen@huawei.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ include/io/channel-tls.h |  1 +
+ io/channel-tls.c         | 18 ++++++++++++------
+ 2 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h
+index 5672479e9eb6..26c67f17e2d3 100644
+--- a/include/io/channel-tls.h
++++ b/include/io/channel-tls.h
+@@ -48,6 +48,7 @@ struct QIOChannelTLS {
+     QIOChannel *master;
+     QCryptoTLSSession *session;
+     QIOChannelShutdown shutdown;
++    guint hs_ioc_tag;
+ };
+ 
+ /**
+diff --git a/io/channel-tls.c b/io/channel-tls.c
+index 9805dd0a3f64..847d5297c339 100644
+--- a/io/channel-tls.c
++++ b/io/channel-tls.c
+@@ -198,12 +198,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
+         }
+ 
+         trace_qio_channel_tls_handshake_pending(ioc, status);
+-        qio_channel_add_watch_full(ioc->master,
+-                                   condition,
+-                                   qio_channel_tls_handshake_io,
+-                                   data,
+-                                   NULL,
+-                                   context);
++        ioc->hs_ioc_tag =
++            qio_channel_add_watch_full(ioc->master,
++                                       condition,
++                                       qio_channel_tls_handshake_io,
++                                       data,
++                                       NULL,
++                                       context);
+     }
+ }
+ 
+@@ -218,6 +219,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
+     QIOChannelTLS *tioc = QIO_CHANNEL_TLS(
+         qio_task_get_source(task));
+ 
++    tioc->hs_ioc_tag = 0;
+     g_free(data);
+     qio_channel_tls_handshake_task(tioc, task, context);
+ 
+@@ -378,6 +380,10 @@ static int qio_channel_tls_close(QIOChannel *ioc,
+ {
+     QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
+ 
++    if (tioc->hs_ioc_tag) {
++        g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);
++    }
++
+     return qio_channel_close(tioc->master, errp);
+ }
+ 

SPECS/qemu-kvm.spec

@@ -83,7 +83,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 6.2.0
-Release: 39%{?rcrel}%{?dist}
+Release: 40%{?rcrel}%{?dist}.1.alma.1
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@@ -782,6 +782,13 @@ Patch310: kvm-target-i386-kvm-Fix-disabling-MPX-on-cpu-host-with-M.patch
 # For bz#2215786 - CVE-2023-3301 virt:rhel/qemu-kvm: QEMU: net: triggerable assertion due to race condition in hot-unplug [rhel-8]
 Patch311: kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch
 
+# Patches were taken from upstream and backported to apply cleanly:
+# https://github.com/qemu/qemu/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4.patch
+Patch1001:  io-remove-io-watch-if-TLS-channel-is-closed.patch
+# https://github.com/qemu/qemu/commit/a83c2844903c45aa7d32cdd17305f23ce2c56ab9
+Patch1002:  acpi-fix-acpi_index-migration.patch
+ 	
+
 BuildRequires: wget
 BuildRequires: rpm-build
 BuildRequires: ninja-build
@@ -1950,6 +1957,10 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 
 
 %changelog
+* Wed Nov 15 2023 Eduard Abdullin <eabdullin@almalinux.org> - 6.2.0-40.1.alma.1
+- acpi: fix acpi_index migration
+- io: remove io watch if TLS channel is closed during handshake
+
 * Mon Aug 28 2023 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-39
 - kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch [bz#2215786]
 - Resolves: bz#2215786