Diffstat (limited to 'app-emulation/qemu/files')
9 files changed, 94 insertions, 771 deletions
diff --git a/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch b/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch deleted file mode 100644 index f2e766dc1c35..000000000000 --- a/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch +++ /dev/null @@ -1,15 +0,0 @@ -Linux C libs are moving away from implicit header pollution with sys/types.h - ---- a/include/qemu/osdep.h -+++ b/include/qemu/osdep.h -@@ -78,6 +78,10 @@ extern int daemon(int, int); - #include <assert.h> - #include <signal.h> - -+#ifdef __linux__ -+#include <sys/sysmacros.h> -+#endif -+ - #ifdef __OpenBSD__ - #include <sys/signal.h> - #endif diff --git a/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch b/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch deleted file mode 100644 index a7b3e8cb8f20..000000000000 --- a/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 0fb766134bd97ead71646e13349f93769e536ed9 Mon Sep 17 00:00:00 2001 -From: Matthias Maier <tamiko@43-1.org> -Date: Fri, 17 May 2019 02:21:10 -0500 -Subject: [PATCH] Define md-clear bit, expose md-no CPUID - -Fixes for CVE-2018-121{26|27|30}, CVE-2019-11091 - -See related fixes for Ubuntu: - https://launchpad.net/ubuntu/+source/qemu/1:3.1+dfsg-2ubuntu3.1 ---- - target/i386/cpu.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/target/i386/cpu.c b/target/i386/cpu.c -index d6bb57d2..331a364a 100644 ---- a/target/i386/cpu.c -+++ b/target/i386/cpu.c -@@ -1076,7 +1076,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { - .feat_names = { - NULL, NULL, "avx512-4vnniw", "avx512-4fmaps", - NULL, NULL, NULL, NULL, -- NULL, NULL, NULL, NULL, -+ NULL, NULL, "md-clear", NULL, - NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, -@@ -1183,7 +1183,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { - .type = MSR_FEATURE_WORD, - .feat_names = { - "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry", -- "ssb-no", NULL, NULL, NULL, -+ "ssb-no", "mds-no", NULL, NULL, - NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, -diff --git a/target/i386/cpu.h b/target/i386/cpu.h -index 83fb5225..d0bab4d7 100644 ---- a/target/i386/cpu.h -+++ b/target/i386/cpu.h -@@ -694,6 +694,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; - - #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ - #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ -+#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */ - #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */ - #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/ - #define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */ -diff --git a/target/i386/hvf/x86_cpuid.c 
b/target/i386/hvf/x86_cpuid.c -index 4d957fe8..b453552f 100644 ---- a/target/i386/hvf/x86_cpuid.c -+++ b/target/i386/hvf/x86_cpuid.c -@@ -90,7 +90,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx, - } - - ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ; -- edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS; -+ edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \ -+ CPUID_7_0_EDX_MD_CLEAR; - } else { - ebx = 0; - ecx = 0; diff --git a/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch b/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch deleted file mode 100644 index 2778cc8f4f2e..000000000000 --- a/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c -index d1660b64..86715bfd 100644 ---- a/hw/rdma/rdma_backend.c -+++ b/hw/rdma/rdma_backend.c -@@ -21,7 +21,6 @@ - #include "qapi/qapi-events-rdma.h" - - #include <infiniband/verbs.h> --#include <infiniband/umad_types.h> - #include <infiniband/umad.h> - #include <rdma/rdma_user_cm.h> - diff --git a/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch b/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch deleted file mode 100644 index 43be8629dfa8..000000000000 --- a/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch +++ /dev/null 
@@ -1,334 +0,0 @@ -From 6d5d5dde9adb5acb32e6b8e3dfbf47fff0f308d2 Mon Sep 17 00:00:00 2001 -From: =?utf8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> -Date: Thu, 18 Jul 2019 15:06:41 +0200 -Subject: [PATCH] linux-user: fix to handle variably sized SIOCGSTAMP with new - kernels -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -The SIOCGSTAMP symbol was previously defined in the -asm-generic/sockios.h header file. QEMU sees that header -indirectly via sys/socket.h - -In linux kernel commit 0768e17073dc527ccd18ed5f96ce85f9985e9115 -the asm-generic/sockios.h header no longer defines SIOCGSTAMP. -Instead it provides only SIOCGSTAMP_OLD, which only uses a -32-bit time_t on 32-bit architectures. - -The linux/sockios.h header then defines SIOCGSTAMP using -either SIOCGSTAMP_OLD or SIOCGSTAMP_NEW as appropriate. If -SIOCGSTAMP_NEW is used, then the tv_sec field is 64-bit even -on 32-bit architectures - -To cope with this we must now convert the old and new type from -the target to the host one. - -Signed-off-by: Daniel P. 
Berrangé <berrange@redhat.com> -Signed-off-by: Laurent Vivier <laurent@vivier.eu> -Reviewed-by: Arnd Bergmann <arnd@arndb.de> -Message-Id: <20190718130641.15294-1-laurent@vivier.eu> -Signed-off-by: Laurent Vivier <laurent@vivier.eu> ---- - linux-user/ioctls.h | 21 ++++++- - linux-user/syscall.c | 140 ++++++++++++++++++++++++++++++++++++--------- - linux-user/syscall_defs.h | 30 +++++++++- - linux-user/syscall_types.h | 6 -- - 4 files changed, 159 insertions(+), 38 deletions(-) - -diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h -index ae895162..e6a27ad9 100644 ---- a/linux-user/ioctls.h -+++ b/linux-user/ioctls.h -@@ -219,8 +219,25 @@ - IOCTL(SIOCGRARP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_arpreq))) - IOCTL(SIOCGIWNAME, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_char_ifreq))) - IOCTL(SIOCGPGRP, IOC_R, MK_PTR(TYPE_INT)) /* pid_t */ -- IOCTL(SIOCGSTAMP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timeval))) -- IOCTL(SIOCGSTAMPNS, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timespec))) -+ -+ /* -+ * We can't use IOCTL_SPECIAL() because it will set -+ * host_cmd to XXX_OLD and XXX_NEW and these macros -+ * are not defined with kernel prior to 5.2. -+ * We must set host_cmd to the same value as in target_cmd -+ * otherwise the consistency check in syscall_init() -+ * will trigger an error. -+ * host_cmd is ignored by the do_ioctl_XXX() helpers. 
-+ * FIXME: create a macro to define this kind of entry -+ */ -+ { TARGET_SIOCGSTAMP_OLD, TARGET_SIOCGSTAMP_OLD, -+ "SIOCGSTAMP_OLD", IOC_R, do_ioctl_SIOCGSTAMP }, -+ { TARGET_SIOCGSTAMPNS_OLD, TARGET_SIOCGSTAMPNS_OLD, -+ "SIOCGSTAMPNS_OLD", IOC_R, do_ioctl_SIOCGSTAMPNS }, -+ { TARGET_SIOCGSTAMP_NEW, TARGET_SIOCGSTAMP_NEW, -+ "SIOCGSTAMP_NEW", IOC_R, do_ioctl_SIOCGSTAMP }, -+ { TARGET_SIOCGSTAMPNS_NEW, TARGET_SIOCGSTAMPNS_NEW, -+ "SIOCGSTAMPNS_NEW", IOC_R, do_ioctl_SIOCGSTAMPNS }, - - IOCTL(RNDGETENTCNT, IOC_R, MK_PTR(TYPE_INT)) - IOCTL(RNDADDTOENTCNT, IOC_W, MK_PTR(TYPE_INT)) -diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 96cd4bf8..6df480e1 100644 ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -37,6 +37,7 @@ - #include <sched.h> - #include <sys/timex.h> - #include <sys/socket.h> -+#include <linux/sockios.h> - #include <sys/un.h> - #include <sys/uio.h> - #include <poll.h> -@@ -1139,8 +1140,9 @@ static inline abi_long copy_from_user_timeval(struct timeval *tv, - { - struct target_timeval *target_tv; - -- if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1)) -+ if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1)) { - return -TARGET_EFAULT; -+ } - - __get_user(tv->tv_sec, &target_tv->tv_sec); - __get_user(tv->tv_usec, &target_tv->tv_usec); -@@ -1155,8 +1157,26 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr, - { - struct target_timeval *target_tv; - -- if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) -+ if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) { -+ return -TARGET_EFAULT; -+ } -+ -+ __put_user(tv->tv_sec, &target_tv->tv_sec); -+ __put_user(tv->tv_usec, &target_tv->tv_usec); -+ -+ unlock_user_struct(target_tv, target_tv_addr, 1); -+ -+ return 0; -+} -+ -+static inline abi_long copy_to_user_timeval64(abi_ulong target_tv_addr, -+ const struct timeval *tv) -+{ -+ struct target__kernel_sock_timeval *target_tv; -+ -+ if (!lock_user_struct(VERIFY_WRITE, 
target_tv, target_tv_addr, 0)) { - return -TARGET_EFAULT; -+ } - - __put_user(tv->tv_sec, &target_tv->tv_sec); - __put_user(tv->tv_usec, &target_tv->tv_usec); -@@ -1166,6 +1186,48 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr, - return 0; - } - -+static inline abi_long target_to_host_timespec(struct timespec *host_ts, -+ abi_ulong target_addr) -+{ -+ struct target_timespec *target_ts; -+ -+ if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) { -+ return -TARGET_EFAULT; -+ } -+ __get_user(host_ts->tv_sec, &target_ts->tv_sec); -+ __get_user(host_ts->tv_nsec, &target_ts->tv_nsec); -+ unlock_user_struct(target_ts, target_addr, 0); -+ return 0; -+} -+ -+static inline abi_long host_to_target_timespec(abi_ulong target_addr, -+ struct timespec *host_ts) -+{ -+ struct target_timespec *target_ts; -+ -+ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) { -+ return -TARGET_EFAULT; -+ } -+ __put_user(host_ts->tv_sec, &target_ts->tv_sec); -+ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec); -+ unlock_user_struct(target_ts, target_addr, 1); -+ return 0; -+} -+ -+static inline abi_long host_to_target_timespec64(abi_ulong target_addr, -+ struct timespec *host_ts) -+{ -+ struct target__kernel_timespec *target_ts; -+ -+ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) { -+ return -TARGET_EFAULT; -+ } -+ __put_user(host_ts->tv_sec, &target_ts->tv_sec); -+ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec); -+ unlock_user_struct(target_ts, target_addr, 1); -+ return 0; -+} -+ - static inline abi_long copy_from_user_timezone(struct timezone *tz, - abi_ulong target_tz_addr) - { -@@ -4790,6 +4852,54 @@ static abi_long do_ioctl_kdsigaccept(const IOCTLEntry *ie, uint8_t *buf_temp, - return get_errno(safe_ioctl(fd, ie->host_cmd, sig)); - } - -+static abi_long do_ioctl_SIOCGSTAMP(const IOCTLEntry *ie, uint8_t *buf_temp, -+ int fd, int cmd, abi_long arg) -+{ -+ struct timeval tv; -+ abi_long ret; -+ -+ ret = 
get_errno(safe_ioctl(fd, SIOCGSTAMP, &tv)); -+ if (is_error(ret)) { -+ return ret; -+ } -+ -+ if (cmd == (int)TARGET_SIOCGSTAMP_OLD) { -+ if (copy_to_user_timeval(arg, &tv)) { -+ return -TARGET_EFAULT; -+ } -+ } else { -+ if (copy_to_user_timeval64(arg, &tv)) { -+ return -TARGET_EFAULT; -+ } -+ } -+ -+ return ret; -+} -+ -+static abi_long do_ioctl_SIOCGSTAMPNS(const IOCTLEntry *ie, uint8_t *buf_temp, -+ int fd, int cmd, abi_long arg) -+{ -+ struct timespec ts; -+ abi_long ret; -+ -+ ret = get_errno(safe_ioctl(fd, SIOCGSTAMPNS, &ts)); -+ if (is_error(ret)) { -+ return ret; -+ } -+ -+ if (cmd == (int)TARGET_SIOCGSTAMPNS_OLD) { -+ if (host_to_target_timespec(arg, &ts)) { -+ return -TARGET_EFAULT; -+ } -+ } else{ -+ if (host_to_target_timespec64(arg, &ts)) { -+ return -TARGET_EFAULT; -+ } -+ } -+ -+ return ret; -+} -+ - #ifdef TIOCGPTPEER - static abi_long do_ioctl_tiocgptpeer(const IOCTLEntry *ie, uint8_t *buf_temp, - int fd, int cmd, abi_long arg) -@@ -6160,32 +6270,6 @@ static inline abi_long target_ftruncate64(void *cpu_env, abi_long arg1, - } - #endif - --static inline abi_long target_to_host_timespec(struct timespec *host_ts, -- abi_ulong target_addr) --{ -- struct target_timespec *target_ts; -- -- if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) -- return -TARGET_EFAULT; -- __get_user(host_ts->tv_sec, &target_ts->tv_sec); -- __get_user(host_ts->tv_nsec, &target_ts->tv_nsec); -- unlock_user_struct(target_ts, target_addr, 0); -- return 0; --} -- --static inline abi_long host_to_target_timespec(abi_ulong target_addr, -- struct timespec *host_ts) --{ -- struct target_timespec *target_ts; -- -- if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) -- return -TARGET_EFAULT; -- __put_user(host_ts->tv_sec, &target_ts->tv_sec); -- __put_user(host_ts->tv_nsec, &target_ts->tv_nsec); -- unlock_user_struct(target_ts, target_addr, 1); -- return 0; --} -- - static inline abi_long target_to_host_itimerspec(struct itimerspec *host_itspec, - abi_ulong 
target_addr) - { -diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h -index 12c84071..cfb3eeec 100644 ---- a/linux-user/syscall_defs.h -+++ b/linux-user/syscall_defs.h -@@ -208,16 +208,34 @@ struct target_linger { - abi_int l_linger; /* How long to linger for */ - }; - -+#if defined(TARGET_SPARC64) && !defined(TARGET_ABI32) -+struct target_timeval { -+ abi_long tv_sec; -+ abi_int tv_usec; -+}; -+#define target__kernel_sock_timeval target_timeval -+#else - struct target_timeval { - abi_long tv_sec; - abi_long tv_usec; - }; - -+struct target__kernel_sock_timeval { -+ abi_llong tv_sec; -+ abi_llong tv_usec; -+}; -+#endif -+ - struct target_timespec { - abi_long tv_sec; - abi_long tv_nsec; - }; - -+struct target__kernel_timespec { -+ abi_llong tv_sec; -+ abi_llong tv_nsec; -+}; -+ - struct target_timezone { - abi_int tz_minuteswest; - abi_int tz_dsttime; -@@ -743,8 +761,17 @@ struct target_pollfd { - #define TARGET_SIOCATMARK 0x8905 - #define TARGET_SIOCGPGRP 0x8904 - #endif --#define TARGET_SIOCGSTAMP 0x8906 /* Get stamp (timeval) */ --#define TARGET_SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */ -+ -+#if defined(TARGET_SH4) -+#define TARGET_SIOCGSTAMP_OLD TARGET_IOR('s', 100, struct target_timeval) -+#define TARGET_SIOCGSTAMPNS_OLD TARGET_IOR('s', 101, struct target_timespec) -+#else -+#define TARGET_SIOCGSTAMP_OLD 0x8906 -+#define TARGET_SIOCGSTAMPNS_OLD 0x8907 -+#endif -+ -+#define TARGET_SIOCGSTAMP_NEW TARGET_IOR(0x89, 0x06, abi_llong[2]) -+#define TARGET_SIOCGSTAMPNS_NEW TARGET_IOR(0x89, 0x07, abi_llong[2]) - - /* Networking ioctls */ - #define TARGET_SIOCADDRT 0x890B /* add routing table entry */ -diff --git a/linux-user/syscall_types.h b/linux-user/syscall_types.h -index b98a23b0..4e369838 100644 ---- a/linux-user/syscall_types.h -+++ b/linux-user/syscall_types.h -@@ -14,12 +14,6 @@ STRUCT(serial_icounter_struct, - STRUCT(sockaddr, - TYPE_SHORT, MK_ARRAY(TYPE_CHAR, 14)) - --STRUCT(timeval, -- MK_ARRAY(TYPE_LONG, 2)) -- --STRUCT(timespec, -- 
MK_ARRAY(TYPE_LONG, 2)) -- - STRUCT(rtentry, - TYPE_ULONG, MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr), - TYPE_SHORT, TYPE_SHORT, TYPE_ULONG, TYPE_PTRVOID, TYPE_SHORT, TYPE_PTRVOID, diff --git a/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch b/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch deleted file mode 100644 index ebabc0c4c294..000000000000 --- a/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -Backport of QEMU v4.1 commit for stable v4.0.1 release - -commit c87759ce876a7a0b17c2bf4f0b964bd51f0ee871 -Author: Alex Williamson <address@hidden> -Date: Tue May 14 14:14:41 2019 -0600 - - q35: Revert to kernel irqchip - - Commit b2fc91db8447 ("q35: set split kernel irqchip as default") changed - the default for the pc-q35-4.0 machine type to use split irqchip, which - turned out to have disasterous effects on vfio-pci INTx support. KVM - resampling irqfds are registered for handling these interrupts, but - these are non-functional in split irqchip mode. We can't simply test - for split irqchip in QEMU as userspace handling of this interrupt is a - significant performance regression versus KVM handling (GeForce GPUs - assigned to Windows VMs are non-functional without forcing MSI mode or - re-enabling kernel irqchip). - - The resolution is to revert the change in default irqchip mode in the - pc-q35-4.1 machine and create a pc-q35-4.0.1 machine for the 4.0-stable - branch. The qemu-q35-4.0 machine type should not be used in vfio-pci - configurations for devices requiring legacy INTx support without - explicitly modifying the VM configuration to use kernel irqchip. - -Link: https://bugs.launchpad.net/qemu/+bug/1826422 -Fixes: b2fc91db8447 ("q35: set split kernel irqchip as default") -Cc: address@hidden -Reviewed-by: Peter Xu <address@hidden> -Signed-off-by: Alex Williamson <address@hidden> ---- - -Same code as v1, just updating the commit log as a formal backport of -the merged 4.1 commit. 
- - hw/core/machine.c | 3 +++ - hw/i386/pc.c | 3 +++ - hw/i386/pc_q35.c | 16 ++++++++++++++-- - include/hw/boards.h | 3 +++ - include/hw/i386/pc.h | 3 +++ - 5 files changed, 26 insertions(+), 2 deletions(-) - -diff --git a/hw/core/machine.c b/hw/core/machine.c -index 743fef28982c..5d046a43e3d2 100644 ---- a/hw/core/machine.c -+++ b/hw/core/machine.c -@@ -24,6 +24,9 @@ - #include "hw/pci/pci.h" - #include "hw/mem/nvdimm.h" - -+GlobalProperty hw_compat_4_0[] = {}; -+const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0); -+ - GlobalProperty hw_compat_3_1[] = { - { "pcie-root-port", "x-speed", "2_5" }, - { "pcie-root-port", "x-width", "1" }, -diff --git a/hw/i386/pc.c b/hw/i386/pc.c -index f2c15bf1f2c3..d98b737b8f3b 100644 ---- a/hw/i386/pc.c -+++ b/hw/i386/pc.c -@@ -115,6 +115,9 @@ struct hpet_fw_config hpet_cfg = {.count = UINT8_MAX}; - /* Physical Address of PVH entry point read from kernel ELF NOTE */ - static size_t pvh_start_addr; - -+GlobalProperty pc_compat_4_0[] = {}; -+const size_t pc_compat_4_0_len = G_N_ELEMENTS(pc_compat_4_0); -+ - GlobalProperty pc_compat_3_1[] = { - { "intel-iommu", "dma-drain", "off" }, - { "Opteron_G3" "-" TYPE_X86_CPU, "rdtscp", "off" }, -diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c -index 372c6b73bebd..45cc29d1adb7 100644 ---- a/hw/i386/pc_q35.c -+++ b/hw/i386/pc_q35.c -@@ -357,7 +357,7 @@ static void pc_q35_machine_options(MachineClass *m) - m->units_per_default_bus = 1; - m->default_machine_opts = "firmware=bios-256k.bin"; - m->default_display = "std"; -- m->default_kernel_irqchip_split = true; -+ m->default_kernel_irqchip_split = false; - m->no_floppy = 1; - machine_class_allow_dynamic_sysbus_dev(m, TYPE_AMD_IOMMU_DEVICE); - machine_class_allow_dynamic_sysbus_dev(m, TYPE_INTEL_IOMMU_DEVICE); -@@ -365,12 +365,24 @@ static void pc_q35_machine_options(MachineClass *m) - m->max_cpus = 288; - } - --static void pc_q35_4_0_machine_options(MachineClass *m) -+static void pc_q35_4_0_1_machine_options(MachineClass *m) - { - 
pc_q35_machine_options(m); - m->alias = "q35"; - } - -+DEFINE_Q35_MACHINE(v4_0_1, "pc-q35-4.0.1", NULL, -+ pc_q35_4_0_1_machine_options); -+ -+static void pc_q35_4_0_machine_options(MachineClass *m) -+{ -+ pc_q35_4_0_1_machine_options(m); -+ m->default_kernel_irqchip_split = true; -+ m->alias = NULL; -+ compat_props_add(m->compat_props, hw_compat_4_0, hw_compat_4_0_len); -+ compat_props_add(m->compat_props, pc_compat_4_0, pc_compat_4_0_len); -+} -+ - DEFINE_Q35_MACHINE(v4_0, "pc-q35-4.0", NULL, - pc_q35_4_0_machine_options); - -diff --git a/include/hw/boards.h b/include/hw/boards.h -index e231860666a1..fe1885cbffa0 100644 ---- a/include/hw/boards.h -+++ b/include/hw/boards.h -@@ -293,6 +293,9 @@ struct MachineState { - } \ - type_init(machine_initfn##_register_types) - -+extern GlobalProperty hw_compat_4_0[]; -+extern const size_t hw_compat_4_0_len; -+ - extern GlobalProperty hw_compat_3_1[]; - extern const size_t hw_compat_3_1_len; - -diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h -index ca65ef18afb4..43df7230a22b 100644 ---- a/include/hw/i386/pc.h -+++ b/include/hw/i386/pc.h -@@ -293,6 +293,9 @@ int e820_add_entry(uint64_t, uint64_t, uint32_t); - int e820_get_num_entries(void); - bool e820_get_entry(int, uint32_t, uint64_t *, uint64_t *); - -+extern GlobalProperty pc_compat_4_0[]; -+extern const size_t pc_compat_4_0_len; -+ - extern GlobalProperty pc_compat_3_1[]; - extern const size_t pc_compat_3_1_len; diff --git a/app-emulation/qemu/files/qemu-4.0.0-sanitize-interp_info.patch b/app-emulation/qemu/files/qemu-4.0.0-sanitize-interp_info.patch deleted file mode 100644 index 58ff0c788288..000000000000 --- a/app-emulation/qemu/files/qemu-4.0.0-sanitize-interp_info.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -linux-user: Sanitize interp_info and, for mips - -Sanitize interp_info structure in load_elf_binary() and, for mips only, -init its field fp_abi. This fixes appearances of "Unexpected FPU mode" -message in some MIPS use cases. - -Signed-off-by: Daniel Santos <address@hidden> -Signed-off-by: Aleksandar Markovic <address@hidden> ---- - linux-user/elfload.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/linux-user/elfload.c b/linux-user/elfload.c -index c1a2602..7f09d57 100644 ---- a/linux-user/elfload.c -+++ b/linux-user/elfload.c -@@ -2698,6 +2698,11 @@ int load_elf_binary(struct linux_binprm *bprm, struct image_info *info) - char *elf_interpreter = NULL; - char *scratch; - -+ memset(&interp_info, 0, sizeof(interp_info)); -+#ifdef TARGET_MIPS -+ interp_info.fp_abi = MIPS_ABI_FP_UNKNOWN; -+#endif -+ - info->start_mmap = (abi_ulong)ELF_START_MMAP; - - load_elf_image(bprm->filename, bprm->fd, info, --- -2.7.4 - - diff --git a/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch b/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch deleted file mode 100644 index 3d9a5163ecf5..000000000000 --- a/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From cef396dc0b11a09ede85b275ed1ceee71b60a4b3 Mon Sep 17 00:00:00 2001 -From: James Le Cuirot <chewi@gentoo.org> -Date: Sat, 14 Sep 2019 15:47:20 +0100 -Subject: [PATCH] configure: Add xkbcommon configure options - -This dependency is currently "automagic", which is bad for distributions. - -Signed-off-by: James Le Cuirot <chewi@gentoo.org> ---- - configure | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/configure b/configure -index 30aad233d1..30544f52e6 100755 ---- a/configure -+++ b/configure -@@ -1521,6 +1521,10 @@ for opt do - ;; - --disable-libpmem) libpmem=no - ;; -+ --enable-xkbcommon) xkbcommon=yes -+ ;; -+ --disable-xkbcommon) xkbcommon=no -+ ;; - *) - echo "ERROR: unknown option $opt" - echo "Try '$0 --help' for more information" -@@ -1804,6 +1808,7 @@ disabled with --disable-FEATURE, default is enabled if available: - capstone capstone disassembler support - debug-mutex mutex debugging support - libpmem libpmem support -+ xkbcommon xkbcommon support - - NOTE: The object files are built at the place where configure is launched - EOF --- -2.23.0 - diff --git a/app-emulation/qemu/files/qemu-4.2.0-CVE-2020-11102.patch b/app-emulation/qemu/files/qemu-4.2.0-CVE-2020-11102.patch deleted file mode 100644 index 118c81971d83..000000000000 --- a/app-emulation/qemu/files/qemu-4.2.0-CVE-2020-11102.patch +++ /dev/null 
@@ -1,144 +0,0 @@ -From 8ffb7265af64ec81748335ec8f20e7ab542c3850 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Tue, 24 Mar 2020 22:57:22 +0530 -Subject: [PATCH] net: tulip: check frame size and r/w data length - -Tulip network driver while copying tx/rx buffers does not check -frame size against r/w data length. This may lead to OOB buffer -access. Add check to avoid it. - -Limit iterations over descriptors to avoid potential infinite -loop issue in tulip_xmit_list_update. - -Reported-by: Li Qiang <pangpei.lq@antfin.com> -Reported-by: Ziming Zhang <ezrakiez@gmail.com> -Reported-by: Jason Wang <jasowang@redhat.com> -Tested-by: Li Qiang <liq3ea@gmail.com> -Reviewed-by: Li Qiang <liq3ea@gmail.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Jason Wang <jasowang@redhat.com> ---- - hw/net/tulip.c | 36 +++++++++++++++++++++++++++--------- - 1 file changed, 27 insertions(+), 9 deletions(-) - -diff --git a/hw/net/tulip.c b/hw/net/tulip.c -index cfac2719d3..1295f51d07 100644 ---- a/hw/net/tulip.c -+++ b/hw/net/tulip.c -@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) - } else { - len = s->rx_frame_len; - } -+ -+ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { -+ return; -+ } - pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame + - (s->rx_frame_size - s->rx_frame_len), len); - s->rx_frame_len -= len; -@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) - } else { - len = s->rx_frame_len; - } -+ -+ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { -+ return; -+ } - pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame + - (s->rx_frame_size - s->rx_frame_len), len); - s->rx_frame_len -= len; -@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t *buf, size_t size) - - trace_tulip_receive(buf, size); - -- if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) { -+ if (size < 14 
|| size > sizeof(s->rx_frame) - 4 -+ || s->rx_frame_len || tulip_rx_stopped(s)) { - return 0; - } - -@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc, - return tulip_receive(qemu_get_nic_opaque(nc), buf, size); - } - -- - static NetClientInfo net_tulip_info = { - .type = NET_CLIENT_DRIVER_NIC, - .size = sizeof(NICState), -@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) - if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) { - /* Internal or external Loopback */ - tulip_receive(s, s->tx_frame, s->tx_frame_len); -- } else { -+ } else if (s->tx_frame_len <= sizeof(s->tx_frame)) { - qemu_send_packet(qemu_get_queue(s->nic), - s->tx_frame, s->tx_frame_len); - } -@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) - } - } - --static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) -+static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) - { - int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK; - int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK; - -+ if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) { -+ return -1; -+ } - if (len1) { - pci_dma_read(&s->dev, desc->buf_addr1, - s->tx_frame + s->tx_frame_len, len1); - s->tx_frame_len += len1; - } - -+ if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) { -+ return -1; -+ } - if (len2) { - pci_dma_read(&s->dev, desc->buf_addr2, - s->tx_frame + s->tx_frame_len, len2); - s->tx_frame_len += len2; - } - desc->status = (len1 + len2) ? 
0 : 0x7fffffff; -+ -+ return 0; - } - - static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n) -@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s) - - static void tulip_xmit_list_update(TULIPState *s) - { -+#define TULIP_DESC_MAX 128 -+ uint8_t i = 0; - struct tulip_descriptor desc; - - if (tulip_ts(s) != CSR5_TS_SUSPENDED) { - return; - } - -- for (;;) { -+ for (i = 0; i < TULIP_DESC_MAX; i++) { - tulip_desc_read(s, s->current_tx_desc, &desc); - tulip_dump_tx_descriptor(s, &desc); - -@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s) - s->tx_frame_len = 0; - } - -- tulip_copy_tx_buffers(s, &desc); -- -- if (desc.control & TDES1_LS) { -- tulip_tx(s, &desc); -+ if (!tulip_copy_tx_buffers(s, &desc)) { -+ if (desc.control & TDES1_LS) { -+ tulip_tx(s, &desc); -+ } - } - } - tulip_desc_write(s, s->current_tx_desc, &desc); --- -2.24.1 - diff --git a/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch b/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch new file mode 100644 index 000000000000..5f442f0fd07a --- /dev/null +++ b/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch 
@@ -0,0 +1,94 @@ +https://bugs.gentoo.org/719266 + +From ac2071c3791b67fc7af78b8ceb320c01ca1b5df7 Mon Sep 17 00:00:00 2001 +From: BALATON Zoltan <balaton@eik.bme.hu> +Date: Mon, 6 Apr 2020 22:34:26 +0200 +Subject: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash + +In some corner cases (that never happen during normal operation but a +malicious guest could program wrong values) pixman functions were +called with parameters that result in a crash. Fix this and add more +checks to disallow such cases. + +Reported-by: Ziming Zhang <ezrakiez@gmail.com> +Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> +Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 11 deletions(-) + +--- a/hw/display/ati_2d.c ++++ b/hw/display/ati_2d.c +@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s) + s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds), + surface_bits_per_pixel(ds), + (s->regs.dp_mix & GMC_ROP3_MASK) >> 16); +- int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? +- s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width); +- int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? +- s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height); ++ unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? ++ s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width); ++ unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height); + int bpp = ati_bpp_from_datatype(s); ++ if (!bpp) { ++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n"); ++ return; ++ } + int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch; ++ if (!dst_stride) { ++ qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n"); ++ return; ++ } + uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ? 
+ s->regs.dst_offset : s->regs.default_offset); + +@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s) + switch (s->regs.dp_mix & GMC_ROP3_MASK) { + case ROP3_SRCCOPY: + { +- int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? +- s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width); +- int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? +- s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height); ++ unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? ++ s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width); ++ unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height); + int src_stride = DEFAULT_CNTL ? + s->regs.src_pitch : s->regs.default_pitch; ++ if (!src_stride) { ++ qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n"); ++ return; ++ } + uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ? + s->regs.src_offset : s->regs.default_offset); + +@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s) + dst_y * surface_stride(ds), + s->regs.dst_height * surface_stride(ds)); + } +- s->regs.dst_x += s->regs.dst_width; +- s->regs.dst_y += s->regs.dst_height; ++ s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? ++ dst_x + s->regs.dst_width : dst_x); ++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ dst_y + s->regs.dst_height : dst_y); + break; + } + case ROP3_PATCOPY: +@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s) + dst_y * surface_stride(ds), + s->regs.dst_height * surface_stride(ds)); + } +- s->regs.dst_y += s->regs.dst_height; ++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ dst_y + s->regs.dst_height : dst_y); + break; + } + default: +-- +2.26.2 + |
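Review bot: In the first and second inner hunks of ati_2d_blt(), changing `dst_x`/`dst_y` and `src_x`/`src_y` from `int` to `unsigned` means `s->regs.dst_x + 1 - s->regs.dst_width` wraps to a very large value instead of going negative when the guest programs a width larger than x + 1. The guards added in the visible hunks reject only a zero bpp and a zero pitch. Whether a wrapped coordinate is refused before `dst_bits`/`src_bits` are used therefore depends on range checks outside these hunks; the function body starts before and continues past them, so that should be confirmed against the 4.2.0 tree this patch is applied to. A short comment at the declarations would record the intent, for example `/* unsigned on purpose: a right-to-left wrap becomes a huge value that the VRAM range check must reject */`. As a style point, the new `if (!bpp)` and `if (!dst_stride)` early returns sit between declarations, so `dst_stride` and `dst_bits` are declared after statements; grouping the declarations first and validating afterwards would keep the guest-input checks easier to audit.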