authorV3n3RiX <venerix@redcorelinux.org>2020-04-25 11:37:10 +0100
committerV3n3RiX <venerix@redcorelinux.org>2020-04-25 11:37:10 +0100
commit38423c67c8a23f6a1bc42038193182e2da3116eb (patch)
tree04e2cf4bd43601b77daa79fe654e409187093c5e /app-emulation/qemu/files
parent623ee73d661e5ed8475cb264511f683407d87365 (diff)
gentoo resync : 25.04.2020
Diffstat (limited to 'app-emulation/qemu/files')
-rw-r--r--app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch15
-rw-r--r--app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch61
-rw-r--r--app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch12
-rw-r--r--app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch334
-rw-r--r--app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch135
-rw-r--r--app-emulation/qemu/files/qemu-4.0.0-sanitize-interp_info.patch32
-rw-r--r--app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch38
-rw-r--r--app-emulation/qemu/files/qemu-4.2.0-CVE-2020-11102.patch144
-rw-r--r--app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch94
9 files changed, 94 insertions, 771 deletions
diff --git a/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch b/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch
deleted file mode 100644
index f2e766dc1c35..000000000000
--- a/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Linux C libs are moving away from implicit header pollution with sys/types.h
-
---- a/include/qemu/osdep.h
-+++ b/include/qemu/osdep.h
-@@ -78,6 +78,10 @@ extern int daemon(int, int);
- #include <assert.h>
- #include <signal.h>
-
-+#ifdef __linux__
-+#include <sys/sysmacros.h>
-+#endif
-+
- #ifdef __OpenBSD__
- #include <sys/signal.h>
- #endif
diff --git a/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch b/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch
deleted file mode 100644
index a7b3e8cb8f20..000000000000
--- a/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 0fb766134bd97ead71646e13349f93769e536ed9 Mon Sep 17 00:00:00 2001
-From: Matthias Maier <tamiko@43-1.org>
-Date: Fri, 17 May 2019 02:21:10 -0500
-Subject: [PATCH] Define md-clear bit, expose md-no CPUID
-
-Fixes for CVE-2018-121{26|27|30}, CVE-2019-11091
-
-See related fixes for Ubuntu:
- https://launchpad.net/ubuntu/+source/qemu/1:3.1+dfsg-2ubuntu3.1
----
- target/i386/cpu.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index d6bb57d2..331a364a 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -1076,7 +1076,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
- .feat_names = {
- NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
- NULL, NULL, NULL, NULL,
-- NULL, NULL, NULL, NULL,
-+ NULL, NULL, "md-clear", NULL,
- NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
-@@ -1183,7 +1183,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
- .type = MSR_FEATURE_WORD,
- .feat_names = {
- "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
-- "ssb-no", NULL, NULL, NULL,
-+ "ssb-no", "mds-no", NULL, NULL,
- NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index 83fb5225..d0bab4d7 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -694,6 +694,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
-
- #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
- #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
-+#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */
- #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */
- #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/
- #define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */
-diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c
-index 4d957fe8..b453552f 100644
---- a/target/i386/hvf/x86_cpuid.c
-+++ b/target/i386/hvf/x86_cpuid.c
-@@ -90,7 +90,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx,
- }
-
- ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ;
-- edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS;
-+ edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \
-+ CPUID_7_0_EDX_MD_CLEAR;
- } else {
- ebx = 0;
- ecx = 0;
diff --git a/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch b/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch
deleted file mode 100644
index 2778cc8f4f2e..000000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
-index d1660b64..86715bfd 100644
---- a/hw/rdma/rdma_backend.c
-+++ b/hw/rdma/rdma_backend.c
-@@ -21,7 +21,6 @@
- #include "qapi/qapi-events-rdma.h"
-
- #include <infiniband/verbs.h>
--#include <infiniband/umad_types.h>
- #include <infiniband/umad.h>
- #include <rdma/rdma_user_cm.h>
-
diff --git a/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch b/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch
deleted file mode 100644
index 43be8629dfa8..000000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch
+++ /dev/null
@@ -1,334 +0,0 @@
-From 6d5d5dde9adb5acb32e6b8e3dfbf47fff0f308d2 Mon Sep 17 00:00:00 2001
-From: =?utf8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
-Date: Thu, 18 Jul 2019 15:06:41 +0200
-Subject: [PATCH] linux-user: fix to handle variably sized SIOCGSTAMP with new
- kernels
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-The SIOCGSTAMP symbol was previously defined in the
-asm-generic/sockios.h header file. QEMU sees that header
-indirectly via sys/socket.h
-
-In linux kernel commit 0768e17073dc527ccd18ed5f96ce85f9985e9115
-the asm-generic/sockios.h header no longer defines SIOCGSTAMP.
-Instead it provides only SIOCGSTAMP_OLD, which only uses a
-32-bit time_t on 32-bit architectures.
-
-The linux/sockios.h header then defines SIOCGSTAMP using
-either SIOCGSTAMP_OLD or SIOCGSTAMP_NEW as appropriate. If
-SIOCGSTAMP_NEW is used, then the tv_sec field is 64-bit even
-on 32-bit architectures
-
-To cope with this we must now convert the old and new type from
-the target to the host one.
-
-Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-Signed-off-by: Laurent Vivier <laurent@vivier.eu>
-Reviewed-by: Arnd Bergmann <arnd@arndb.de>
-Message-Id: <20190718130641.15294-1-laurent@vivier.eu>
-Signed-off-by: Laurent Vivier <laurent@vivier.eu>
----
- linux-user/ioctls.h | 21 ++++++-
- linux-user/syscall.c | 140 ++++++++++++++++++++++++++++++++++++---------
- linux-user/syscall_defs.h | 30 +++++++++-
- linux-user/syscall_types.h | 6 --
- 4 files changed, 159 insertions(+), 38 deletions(-)
-
-diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
-index ae895162..e6a27ad9 100644
---- a/linux-user/ioctls.h
-+++ b/linux-user/ioctls.h
-@@ -219,8 +219,25 @@
- IOCTL(SIOCGRARP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_arpreq)))
- IOCTL(SIOCGIWNAME, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_char_ifreq)))
- IOCTL(SIOCGPGRP, IOC_R, MK_PTR(TYPE_INT)) /* pid_t */
-- IOCTL(SIOCGSTAMP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timeval)))
-- IOCTL(SIOCGSTAMPNS, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timespec)))
-+
-+ /*
-+ * We can't use IOCTL_SPECIAL() because it will set
-+ * host_cmd to XXX_OLD and XXX_NEW and these macros
-+ * are not defined with kernel prior to 5.2.
-+ * We must set host_cmd to the same value as in target_cmd
-+ * otherwise the consistency check in syscall_init()
-+ * will trigger an error.
-+ * host_cmd is ignored by the do_ioctl_XXX() helpers.
-+ * FIXME: create a macro to define this kind of entry
-+ */
-+ { TARGET_SIOCGSTAMP_OLD, TARGET_SIOCGSTAMP_OLD,
-+ "SIOCGSTAMP_OLD", IOC_R, do_ioctl_SIOCGSTAMP },
-+ { TARGET_SIOCGSTAMPNS_OLD, TARGET_SIOCGSTAMPNS_OLD,
-+ "SIOCGSTAMPNS_OLD", IOC_R, do_ioctl_SIOCGSTAMPNS },
-+ { TARGET_SIOCGSTAMP_NEW, TARGET_SIOCGSTAMP_NEW,
-+ "SIOCGSTAMP_NEW", IOC_R, do_ioctl_SIOCGSTAMP },
-+ { TARGET_SIOCGSTAMPNS_NEW, TARGET_SIOCGSTAMPNS_NEW,
-+ "SIOCGSTAMPNS_NEW", IOC_R, do_ioctl_SIOCGSTAMPNS },
-
- IOCTL(RNDGETENTCNT, IOC_R, MK_PTR(TYPE_INT))
- IOCTL(RNDADDTOENTCNT, IOC_W, MK_PTR(TYPE_INT))
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 96cd4bf8..6df480e1 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -37,6 +37,7 @@
- #include <sched.h>
- #include <sys/timex.h>
- #include <sys/socket.h>
-+#include <linux/sockios.h>
- #include <sys/un.h>
- #include <sys/uio.h>
- #include <poll.h>
-@@ -1139,8 +1140,9 @@ static inline abi_long copy_from_user_timeval(struct timeval *tv,
- {
- struct target_timeval *target_tv;
-
-- if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1))
-+ if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1)) {
- return -TARGET_EFAULT;
-+ }
-
- __get_user(tv->tv_sec, &target_tv->tv_sec);
- __get_user(tv->tv_usec, &target_tv->tv_usec);
-@@ -1155,8 +1157,26 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr,
- {
- struct target_timeval *target_tv;
-
-- if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0))
-+ if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
-+ return -TARGET_EFAULT;
-+ }
-+
-+ __put_user(tv->tv_sec, &target_tv->tv_sec);
-+ __put_user(tv->tv_usec, &target_tv->tv_usec);
-+
-+ unlock_user_struct(target_tv, target_tv_addr, 1);
-+
-+ return 0;
-+}
-+
-+static inline abi_long copy_to_user_timeval64(abi_ulong target_tv_addr,
-+ const struct timeval *tv)
-+{
-+ struct target__kernel_sock_timeval *target_tv;
-+
-+ if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
- return -TARGET_EFAULT;
-+ }
-
- __put_user(tv->tv_sec, &target_tv->tv_sec);
- __put_user(tv->tv_usec, &target_tv->tv_usec);
-@@ -1166,6 +1186,48 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr,
- return 0;
- }
-
-+static inline abi_long target_to_host_timespec(struct timespec *host_ts,
-+ abi_ulong target_addr)
-+{
-+ struct target_timespec *target_ts;
-+
-+ if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) {
-+ return -TARGET_EFAULT;
-+ }
-+ __get_user(host_ts->tv_sec, &target_ts->tv_sec);
-+ __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
-+ unlock_user_struct(target_ts, target_addr, 0);
-+ return 0;
-+}
-+
-+static inline abi_long host_to_target_timespec(abi_ulong target_addr,
-+ struct timespec *host_ts)
-+{
-+ struct target_timespec *target_ts;
-+
-+ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
-+ return -TARGET_EFAULT;
-+ }
-+ __put_user(host_ts->tv_sec, &target_ts->tv_sec);
-+ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
-+ unlock_user_struct(target_ts, target_addr, 1);
-+ return 0;
-+}
-+
-+static inline abi_long host_to_target_timespec64(abi_ulong target_addr,
-+ struct timespec *host_ts)
-+{
-+ struct target__kernel_timespec *target_ts;
-+
-+ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
-+ return -TARGET_EFAULT;
-+ }
-+ __put_user(host_ts->tv_sec, &target_ts->tv_sec);
-+ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
-+ unlock_user_struct(target_ts, target_addr, 1);
-+ return 0;
-+}
-+
- static inline abi_long copy_from_user_timezone(struct timezone *tz,
- abi_ulong target_tz_addr)
- {
-@@ -4790,6 +4852,54 @@ static abi_long do_ioctl_kdsigaccept(const IOCTLEntry *ie, uint8_t *buf_temp,
- return get_errno(safe_ioctl(fd, ie->host_cmd, sig));
- }
-
-+static abi_long do_ioctl_SIOCGSTAMP(const IOCTLEntry *ie, uint8_t *buf_temp,
-+ int fd, int cmd, abi_long arg)
-+{
-+ struct timeval tv;
-+ abi_long ret;
-+
-+ ret = get_errno(safe_ioctl(fd, SIOCGSTAMP, &tv));
-+ if (is_error(ret)) {
-+ return ret;
-+ }
-+
-+ if (cmd == (int)TARGET_SIOCGSTAMP_OLD) {
-+ if (copy_to_user_timeval(arg, &tv)) {
-+ return -TARGET_EFAULT;
-+ }
-+ } else {
-+ if (copy_to_user_timeval64(arg, &tv)) {
-+ return -TARGET_EFAULT;
-+ }
-+ }
-+
-+ return ret;
-+}
-+
-+static abi_long do_ioctl_SIOCGSTAMPNS(const IOCTLEntry *ie, uint8_t *buf_temp,
-+ int fd, int cmd, abi_long arg)
-+{
-+ struct timespec ts;
-+ abi_long ret;
-+
-+ ret = get_errno(safe_ioctl(fd, SIOCGSTAMPNS, &ts));
-+ if (is_error(ret)) {
-+ return ret;
-+ }
-+
-+ if (cmd == (int)TARGET_SIOCGSTAMPNS_OLD) {
-+ if (host_to_target_timespec(arg, &ts)) {
-+ return -TARGET_EFAULT;
-+ }
-+ } else{
-+ if (host_to_target_timespec64(arg, &ts)) {
-+ return -TARGET_EFAULT;
-+ }
-+ }
-+
-+ return ret;
-+}
-+
- #ifdef TIOCGPTPEER
- static abi_long do_ioctl_tiocgptpeer(const IOCTLEntry *ie, uint8_t *buf_temp,
- int fd, int cmd, abi_long arg)
-@@ -6160,32 +6270,6 @@ static inline abi_long target_ftruncate64(void *cpu_env, abi_long arg1,
- }
- #endif
-
--static inline abi_long target_to_host_timespec(struct timespec *host_ts,
-- abi_ulong target_addr)
--{
-- struct target_timespec *target_ts;
--
-- if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1))
-- return -TARGET_EFAULT;
-- __get_user(host_ts->tv_sec, &target_ts->tv_sec);
-- __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
-- unlock_user_struct(target_ts, target_addr, 0);
-- return 0;
--}
--
--static inline abi_long host_to_target_timespec(abi_ulong target_addr,
-- struct timespec *host_ts)
--{
-- struct target_timespec *target_ts;
--
-- if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0))
-- return -TARGET_EFAULT;
-- __put_user(host_ts->tv_sec, &target_ts->tv_sec);
-- __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
-- unlock_user_struct(target_ts, target_addr, 1);
-- return 0;
--}
--
- static inline abi_long target_to_host_itimerspec(struct itimerspec *host_itspec,
- abi_ulong target_addr)
- {
-diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
-index 12c84071..cfb3eeec 100644
---- a/linux-user/syscall_defs.h
-+++ b/linux-user/syscall_defs.h
-@@ -208,16 +208,34 @@ struct target_linger {
- abi_int l_linger; /* How long to linger for */
- };
-
-+#if defined(TARGET_SPARC64) && !defined(TARGET_ABI32)
-+struct target_timeval {
-+ abi_long tv_sec;
-+ abi_int tv_usec;
-+};
-+#define target__kernel_sock_timeval target_timeval
-+#else
- struct target_timeval {
- abi_long tv_sec;
- abi_long tv_usec;
- };
-
-+struct target__kernel_sock_timeval {
-+ abi_llong tv_sec;
-+ abi_llong tv_usec;
-+};
-+#endif
-+
- struct target_timespec {
- abi_long tv_sec;
- abi_long tv_nsec;
- };
-
-+struct target__kernel_timespec {
-+ abi_llong tv_sec;
-+ abi_llong tv_nsec;
-+};
-+
- struct target_timezone {
- abi_int tz_minuteswest;
- abi_int tz_dsttime;
-@@ -743,8 +761,17 @@ struct target_pollfd {
- #define TARGET_SIOCATMARK 0x8905
- #define TARGET_SIOCGPGRP 0x8904
- #endif
--#define TARGET_SIOCGSTAMP 0x8906 /* Get stamp (timeval) */
--#define TARGET_SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */
-+
-+#if defined(TARGET_SH4)
-+#define TARGET_SIOCGSTAMP_OLD TARGET_IOR('s', 100, struct target_timeval)
-+#define TARGET_SIOCGSTAMPNS_OLD TARGET_IOR('s', 101, struct target_timespec)
-+#else
-+#define TARGET_SIOCGSTAMP_OLD 0x8906
-+#define TARGET_SIOCGSTAMPNS_OLD 0x8907
-+#endif
-+
-+#define TARGET_SIOCGSTAMP_NEW TARGET_IOR(0x89, 0x06, abi_llong[2])
-+#define TARGET_SIOCGSTAMPNS_NEW TARGET_IOR(0x89, 0x07, abi_llong[2])
-
- /* Networking ioctls */
- #define TARGET_SIOCADDRT 0x890B /* add routing table entry */
-diff --git a/linux-user/syscall_types.h b/linux-user/syscall_types.h
-index b98a23b0..4e369838 100644
---- a/linux-user/syscall_types.h
-+++ b/linux-user/syscall_types.h
-@@ -14,12 +14,6 @@ STRUCT(serial_icounter_struct,
- STRUCT(sockaddr,
- TYPE_SHORT, MK_ARRAY(TYPE_CHAR, 14))
-
--STRUCT(timeval,
-- MK_ARRAY(TYPE_LONG, 2))
--
--STRUCT(timespec,
-- MK_ARRAY(TYPE_LONG, 2))
--
- STRUCT(rtentry,
- TYPE_ULONG, MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr),
- TYPE_SHORT, TYPE_SHORT, TYPE_ULONG, TYPE_PTRVOID, TYPE_SHORT, TYPE_PTRVOID,
diff --git a/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch b/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch
deleted file mode 100644
index ebabc0c4c294..000000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-Backport of QEMU v4.1 commit for stable v4.0.1 release
-
-commit c87759ce876a7a0b17c2bf4f0b964bd51f0ee871
-Author: Alex Williamson <address@hidden>
-Date: Tue May 14 14:14:41 2019 -0600
-
- q35: Revert to kernel irqchip
-
- Commit b2fc91db8447 ("q35: set split kernel irqchip as default") changed
- the default for the pc-q35-4.0 machine type to use split irqchip, which
- turned out to have disasterous effects on vfio-pci INTx support. KVM
- resampling irqfds are registered for handling these interrupts, but
- these are non-functional in split irqchip mode. We can't simply test
- for split irqchip in QEMU as userspace handling of this interrupt is a
- significant performance regression versus KVM handling (GeForce GPUs
- assigned to Windows VMs are non-functional without forcing MSI mode or
- re-enabling kernel irqchip).
-
- The resolution is to revert the change in default irqchip mode in the
- pc-q35-4.1 machine and create a pc-q35-4.0.1 machine for the 4.0-stable
- branch. The qemu-q35-4.0 machine type should not be used in vfio-pci
- configurations for devices requiring legacy INTx support without
- explicitly modifying the VM configuration to use kernel irqchip.
-
-Link: https://bugs.launchpad.net/qemu/+bug/1826422
-Fixes: b2fc91db8447 ("q35: set split kernel irqchip as default")
-Cc: address@hidden
-Reviewed-by: Peter Xu <address@hidden>
-Signed-off-by: Alex Williamson <address@hidden>
----
-
-Same code as v1, just updating the commit log as a formal backport of
-the merged 4.1 commit.
-
- hw/core/machine.c | 3 +++
- hw/i386/pc.c | 3 +++
- hw/i386/pc_q35.c | 16 ++++++++++++++--
- include/hw/boards.h | 3 +++
- include/hw/i386/pc.h | 3 +++
- 5 files changed, 26 insertions(+), 2 deletions(-)
-
-diff --git a/hw/core/machine.c b/hw/core/machine.c
-index 743fef28982c..5d046a43e3d2 100644
---- a/hw/core/machine.c
-+++ b/hw/core/machine.c
-@@ -24,6 +24,9 @@
- #include "hw/pci/pci.h"
- #include "hw/mem/nvdimm.h"
-
-+GlobalProperty hw_compat_4_0[] = {};
-+const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0);
-+
- GlobalProperty hw_compat_3_1[] = {
- { "pcie-root-port", "x-speed", "2_5" },
- { "pcie-root-port", "x-width", "1" },
-diff --git a/hw/i386/pc.c b/hw/i386/pc.c
-index f2c15bf1f2c3..d98b737b8f3b 100644
---- a/hw/i386/pc.c
-+++ b/hw/i386/pc.c
-@@ -115,6 +115,9 @@ struct hpet_fw_config hpet_cfg = {.count = UINT8_MAX};
- /* Physical Address of PVH entry point read from kernel ELF NOTE */
- static size_t pvh_start_addr;
-
-+GlobalProperty pc_compat_4_0[] = {};
-+const size_t pc_compat_4_0_len = G_N_ELEMENTS(pc_compat_4_0);
-+
- GlobalProperty pc_compat_3_1[] = {
- { "intel-iommu", "dma-drain", "off" },
- { "Opteron_G3" "-" TYPE_X86_CPU, "rdtscp", "off" },
-diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
-index 372c6b73bebd..45cc29d1adb7 100644
---- a/hw/i386/pc_q35.c
-+++ b/hw/i386/pc_q35.c
-@@ -357,7 +357,7 @@ static void pc_q35_machine_options(MachineClass *m)
- m->units_per_default_bus = 1;
- m->default_machine_opts = "firmware=bios-256k.bin";
- m->default_display = "std";
-- m->default_kernel_irqchip_split = true;
-+ m->default_kernel_irqchip_split = false;
- m->no_floppy = 1;
- machine_class_allow_dynamic_sysbus_dev(m, TYPE_AMD_IOMMU_DEVICE);
- machine_class_allow_dynamic_sysbus_dev(m, TYPE_INTEL_IOMMU_DEVICE);
-@@ -365,12 +365,24 @@ static void pc_q35_machine_options(MachineClass *m)
- m->max_cpus = 288;
- }
-
--static void pc_q35_4_0_machine_options(MachineClass *m)
-+static void pc_q35_4_0_1_machine_options(MachineClass *m)
- {
- pc_q35_machine_options(m);
- m->alias = "q35";
- }
-
-+DEFINE_Q35_MACHINE(v4_0_1, "pc-q35-4.0.1", NULL,
-+ pc_q35_4_0_1_machine_options);
-+
-+static void pc_q35_4_0_machine_options(MachineClass *m)
-+{
-+ pc_q35_4_0_1_machine_options(m);
-+ m->default_kernel_irqchip_split = true;
-+ m->alias = NULL;
-+ compat_props_add(m->compat_props, hw_compat_4_0, hw_compat_4_0_len);
-+ compat_props_add(m->compat_props, pc_compat_4_0, pc_compat_4_0_len);
-+}
-+
- DEFINE_Q35_MACHINE(v4_0, "pc-q35-4.0", NULL,
- pc_q35_4_0_machine_options);
-
-diff --git a/include/hw/boards.h b/include/hw/boards.h
-index e231860666a1..fe1885cbffa0 100644
---- a/include/hw/boards.h
-+++ b/include/hw/boards.h
-@@ -293,6 +293,9 @@ struct MachineState {
- } \
- type_init(machine_initfn##_register_types)
-
-+extern GlobalProperty hw_compat_4_0[];
-+extern const size_t hw_compat_4_0_len;
-+
- extern GlobalProperty hw_compat_3_1[];
- extern const size_t hw_compat_3_1_len;
-
-diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
-index ca65ef18afb4..43df7230a22b 100644
---- a/include/hw/i386/pc.h
-+++ b/include/hw/i386/pc.h
-@@ -293,6 +293,9 @@ int e820_add_entry(uint64_t, uint64_t, uint32_t);
- int e820_get_num_entries(void);
- bool e820_get_entry(int, uint32_t, uint64_t *, uint64_t *);
-
-+extern GlobalProperty pc_compat_4_0[];
-+extern const size_t pc_compat_4_0_len;
-+
- extern GlobalProperty pc_compat_3_1[];
- extern const size_t pc_compat_3_1_len;
diff --git a/app-emulation/qemu/files/qemu-4.0.0-sanitize-interp_info.patch b/app-emulation/qemu/files/qemu-4.0.0-sanitize-interp_info.patch
deleted file mode 100644
index 58ff0c788288..000000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-sanitize-interp_info.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-linux-user: Sanitize interp_info and, for mips
-
-Sanitize interp_info structure in load_elf_binary() and, for mips only,
-init its field fp_abi. This fixes appearances of "Unexpected FPU mode"
-message in some MIPS use cases.
-
-Signed-off-by: Daniel Santos <address@hidden>
-Signed-off-by: Aleksandar Markovic <address@hidden>
----
- linux-user/elfload.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/linux-user/elfload.c b/linux-user/elfload.c
-index c1a2602..7f09d57 100644
---- a/linux-user/elfload.c
-+++ b/linux-user/elfload.c
-@@ -2698,6 +2698,11 @@ int load_elf_binary(struct linux_binprm *bprm, struct image_info *info)
- char *elf_interpreter = NULL;
- char *scratch;
-
-+ memset(&interp_info, 0, sizeof(interp_info));
-+#ifdef TARGET_MIPS
-+ interp_info.fp_abi = MIPS_ABI_FP_UNKNOWN;
-+#endif
-+
- info->start_mmap = (abi_ulong)ELF_START_MMAP;
-
- load_elf_image(bprm->filename, bprm->fd, info,
---
-2.7.4
-
-
diff --git a/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch b/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch
deleted file mode 100644
index 3d9a5163ecf5..000000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From cef396dc0b11a09ede85b275ed1ceee71b60a4b3 Mon Sep 17 00:00:00 2001
-From: James Le Cuirot <chewi@gentoo.org>
-Date: Sat, 14 Sep 2019 15:47:20 +0100
-Subject: [PATCH] configure: Add xkbcommon configure options
-
-This dependency is currently "automagic", which is bad for distributions.
-
-Signed-off-by: James Le Cuirot <chewi@gentoo.org>
----
- configure | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/configure b/configure
-index 30aad233d1..30544f52e6 100755
---- a/configure
-+++ b/configure
-@@ -1521,6 +1521,10 @@ for opt do
- ;;
- --disable-libpmem) libpmem=no
- ;;
-+ --enable-xkbcommon) xkbcommon=yes
-+ ;;
-+ --disable-xkbcommon) xkbcommon=no
-+ ;;
- *)
- echo "ERROR: unknown option $opt"
- echo "Try '$0 --help' for more information"
-@@ -1804,6 +1808,7 @@ disabled with --disable-FEATURE, default is enabled if available:
- capstone capstone disassembler support
- debug-mutex mutex debugging support
- libpmem libpmem support
-+ xkbcommon xkbcommon support
-
- NOTE: The object files are built at the place where configure is launched
- EOF
---
-2.23.0
-
diff --git a/app-emulation/qemu/files/qemu-4.2.0-CVE-2020-11102.patch b/app-emulation/qemu/files/qemu-4.2.0-CVE-2020-11102.patch
deleted file mode 100644
index 118c81971d83..000000000000
--- a/app-emulation/qemu/files/qemu-4.2.0-CVE-2020-11102.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-From 8ffb7265af64ec81748335ec8f20e7ab542c3850 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 24 Mar 2020 22:57:22 +0530
-Subject: [PATCH] net: tulip: check frame size and r/w data length
-
-Tulip network driver while copying tx/rx buffers does not check
-frame size against r/w data length. This may lead to OOB buffer
-access. Add check to avoid it.
-
-Limit iterations over descriptors to avoid potential infinite
-loop issue in tulip_xmit_list_update.
-
-Reported-by: Li Qiang <pangpei.lq@antfin.com>
-Reported-by: Ziming Zhang <ezrakiez@gmail.com>
-Reported-by: Jason Wang <jasowang@redhat.com>
-Tested-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
----
- hw/net/tulip.c | 36 +++++++++++++++++++++++++++---------
- 1 file changed, 27 insertions(+), 9 deletions(-)
-
-diff --git a/hw/net/tulip.c b/hw/net/tulip.c
-index cfac2719d3..1295f51d07 100644
---- a/hw/net/tulip.c
-+++ b/hw/net/tulip.c
-@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
- } else {
- len = s->rx_frame_len;
- }
-+
-+ if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
-+ return;
-+ }
- pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
- (s->rx_frame_size - s->rx_frame_len), len);
- s->rx_frame_len -= len;
-@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
- } else {
- len = s->rx_frame_len;
- }
-+
-+ if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
-+ return;
-+ }
- pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
- (s->rx_frame_size - s->rx_frame_len), len);
- s->rx_frame_len -= len;
-@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t *buf, size_t size)
-
- trace_tulip_receive(buf, size);
-
-- if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) {
-+ if (size < 14 || size > sizeof(s->rx_frame) - 4
-+ || s->rx_frame_len || tulip_rx_stopped(s)) {
- return 0;
- }
-
-@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc,
- return tulip_receive(qemu_get_nic_opaque(nc), buf, size);
- }
-
--
- static NetClientInfo net_tulip_info = {
- .type = NET_CLIENT_DRIVER_NIC,
- .size = sizeof(NICState),
-@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc)
- if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) {
- /* Internal or external Loopback */
- tulip_receive(s, s->tx_frame, s->tx_frame_len);
-- } else {
-+ } else if (s->tx_frame_len <= sizeof(s->tx_frame)) {
- qemu_send_packet(qemu_get_queue(s->nic),
- s->tx_frame, s->tx_frame_len);
- }
-@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc)
- }
- }
-
--static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc)
-+static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc)
- {
- int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK;
- int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK;
-
-+ if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) {
-+ return -1;
-+ }
- if (len1) {
- pci_dma_read(&s->dev, desc->buf_addr1,
- s->tx_frame + s->tx_frame_len, len1);
- s->tx_frame_len += len1;
- }
-
-+ if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) {
-+ return -1;
-+ }
- if (len2) {
- pci_dma_read(&s->dev, desc->buf_addr2,
- s->tx_frame + s->tx_frame_len, len2);
- s->tx_frame_len += len2;
- }
- desc->status = (len1 + len2) ? 0 : 0x7fffffff;
-+
-+ return 0;
- }
-
- static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n)
-@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s)
-
- static void tulip_xmit_list_update(TULIPState *s)
- {
-+#define TULIP_DESC_MAX 128
-+ uint8_t i = 0;
- struct tulip_descriptor desc;
-
- if (tulip_ts(s) != CSR5_TS_SUSPENDED) {
- return;
- }
-
-- for (;;) {
-+ for (i = 0; i < TULIP_DESC_MAX; i++) {
- tulip_desc_read(s, s->current_tx_desc, &desc);
- tulip_dump_tx_descriptor(s, &desc);
-
-@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s)
- s->tx_frame_len = 0;
- }
-
-- tulip_copy_tx_buffers(s, &desc);
--
-- if (desc.control & TDES1_LS) {
-- tulip_tx(s, &desc);
-+ if (!tulip_copy_tx_buffers(s, &desc)) {
-+ if (desc.control & TDES1_LS) {
-+ tulip_tx(s, &desc);
-+ }
- }
- }
- tulip_desc_write(s, s->current_tx_desc, &desc);
---
-2.24.1
-
diff --git a/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch b/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch
new file mode 100644
index 000000000000..5f442f0fd07a
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch
@@ -0,0 +1,94 @@
+https://bugs.gentoo.org/719266
+
+From ac2071c3791b67fc7af78b8ceb320c01ca1b5df7 Mon Sep 17 00:00:00 2001
+From: BALATON Zoltan <balaton@eik.bme.hu>
+Date: Mon, 6 Apr 2020 22:34:26 +0200
+Subject: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash
+
+In some corner cases (that never happen during normal operation but a
+malicious guest could program wrong values) pixman functions were
+called with parameters that result in a crash. Fix this and add more
+checks to disallow such cases.
+
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
+Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++-----------
+ 1 file changed, 26 insertions(+), 11 deletions(-)
+
+--- a/hw/display/ati_2d.c
++++ b/hw/display/ati_2d.c
+@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s)
+ s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds),
+ surface_bits_per_pixel(ds),
+ (s->regs.dp_mix & GMC_ROP3_MASK) >> 16);
+- int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+- s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
+- int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+- s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
++ unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
++ unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
+ int bpp = ati_bpp_from_datatype(s);
++ if (!bpp) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
++ return;
++ }
+ int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch;
++ if (!dst_stride) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n");
++ return;
++ }
+ uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
+ s->regs.dst_offset : s->regs.default_offset);
+
+@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s)
+ switch (s->regs.dp_mix & GMC_ROP3_MASK) {
+ case ROP3_SRCCOPY:
+ {
+- int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
+- s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
+- int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
+- s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
++ unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
++ unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
+ int src_stride = DEFAULT_CNTL ?
+ s->regs.src_pitch : s->regs.default_pitch;
++ if (!src_stride) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n");
++ return;
++ }
+ uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
+ s->regs.src_offset : s->regs.default_offset);
+
+@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s)
+ dst_y * surface_stride(ds),
+ s->regs.dst_height * surface_stride(ds));
+ }
+- s->regs.dst_x += s->regs.dst_width;
+- s->regs.dst_y += s->regs.dst_height;
++ s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
++ dst_x + s->regs.dst_width : dst_x);
++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ dst_y + s->regs.dst_height : dst_y);
+ break;
+ }
+ case ROP3_PATCOPY:
+@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s)
+ dst_y * surface_stride(ds),
+ s->regs.dst_height * surface_stride(ds));
+ }
+- s->regs.dst_y += s->regs.dst_height;
++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
++ dst_y + s->regs.dst_height : dst_y);
+ break;
+ }
+ default:
+--
+2.26.2
+
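Review bot: The right-to-left and bottom-to-top branches in the added ati_2d_blt() patch, `s->regs.dst_x + 1 - s->regs.dst_width` and the matching `dst_y`, `src_x` and `src_y` lines, wrap to a very large unsigned value when the guest-programmed width or height exceeds x + 1, and nothing in the four inner hunks range-checks the result; the new guards only reject a zero bpp and zero pitches. Whether a wrapped coordinate is caught depends on the VRAM bounds test in the part of the function the inner hunks skip, which is not visible here, so confirm it against the 4.2.0 tree before treating this backport as a complete fix. If it is not covered, the guard belongs right after the coordinates are computed, in the same style as the added ones: a `qemu_log_mask(LOG_GUEST_ERROR, "Invalid dest coordinates\n"); return;` branch taken when coordinate plus extent falls outside VRAM. The patch header would also be easier to audit with a line such as `Upstream commit ac2071c3791b67fc7af78b8ceb320c01ca1b5df7; drop once the ebuild moves to a release that contains it.`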