[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-commits] [qemu/qemu] cf2f89: hw/virtio-iommu: Fix potential OOB ac
|
From: |
Richard Henderson |
|
Subject: |
[Qemu-commits] [qemu/qemu] cf2f89: hw/virtio-iommu: Fix potential OOB access in virti... |
|
Date: |
Thu, 03 Aug 2023 21:12:32 -0700 |
Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: cf2f89edf36a59183166ae8721a8d7ab5cd286bd
https://github.com/qemu/qemu/commit/cf2f89edf36a59183166ae8721a8d7ab5cd286bd
Author: Eric Auger <eric.auger@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/virtio/virtio-iommu.c
Log Message:
-----------
hw/virtio-iommu: Fix potential OOB access in virtio_iommu_handle_command()
In the virtio_iommu_handle_command() when a PROBE request is handled,
output_size takes a value greater than the tail size and on a subsequent
iteration we can get a stack out-of-band access. Initialize the
output_size on each iteration.
The issue was found with ASAN. Credits to:
Yiming Tao(Zhejiang University)
Gaoning Pan(Zhejiang University)
Fixes: 1733eebb9e7 ("virtio-iommu: Implement RESV_MEM probe request")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: qemu-stable@nongnu.org
Message-Id: <20230717162126.11693-1-eric.auger@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Commit: 503d86dd66625b4bed9484bca71db1678c730dc9
https://github.com/qemu/qemu/commit/503d86dd66625b4bed9484bca71db1678c730dc9
Author: Peter Maydell <peter.maydell@linaro.org>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/pci-bridge/cxl_upstream.c
Log Message:
-----------
hw/pci-bridge/cxl_upstream.c: Use g_new0() in build_cdat_table()
In build_cdat_table() we do:
*cdat_table = g_malloc0(sizeof(*cdat_table) * CXL_USP_CDAT_NUM_ENTRIES);
This is wrong because:
- cdat_table has type CDATSubHeader ***
- so *cdat_table has type CDATSubHeader **
- so the array we're allocating here should be items of type CDATSubHeader *
- but we pass sizeof(*cdat_table), which is sizeof(CDATSubHeader **),
implying that we're allocating an array of CDATSubHeader **
It happens that sizeof(CDATSubHeader **) == sizeof(CDATSubHeader *)
so nothing blows up, but this should be sizeof(**cdat_table).
Avoid this excessively hard-to-understand code by using
g_new0() instead, which will do the type checking for us.
While we're here, we can drop the useless check against failure,
as g_malloc0() and g_new0() never fail.
This fixes Coverity issue CID 1508120.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20230718101327.1111374-1-peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Commit: 1084feddc6a677cdfdde56936bfb97cf32cc4dee
https://github.com/qemu/qemu/commit/1084feddc6a677cdfdde56936bfb97cf32cc4dee
Author: Eric Auger <eric.auger@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/virtio/virtio-iommu.c
Log Message:
-----------
virtio-iommu: Standardize granule extraction and formatting
At several locations we compute the granule from the config
page_size_mask using ctz() and then format it in traces using
BIT(). As the page_size_mask is 64b we should use ctz64 and
BIT_ULL() for formatting. We failed to be consistent.
Note the page_size_mask is garanteed to be non null. The spec
mandates the device to set at least one bit, so ctz64 cannot
return 64. This is garanteed by the fact the device
initializes the page_size_mask to qemu_target_page_mask()
and then the page_size_mask is further constrained by
virtio_iommu_set_page_size_mask() callback which can't
result in a new mask being null. So if Coverity complains
round those ctz64/BIT_ULL with CID 1517772 this is a false
positive
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Fixes: 94df5b2180 ("virtio-iommu: Fix 64kB host page size VFIO device
assignment")
Message-Id: <20230718182136.40096-1-eric.auger@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Commit: 63a3520e29a1a68d8610315b049ccb5840fe22e9
https://github.com/qemu/qemu/commit/63a3520e29a1a68d8610315b049ccb5840fe22e9
Author: Milan Zamazal <mzamazal@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/virtio/vhost-user-scmi.c
M include/hw/virtio/vhost-user-scmi.h
Log Message:
-----------
hw/virtio: Add a protection against duplicate vu_scmi_stop calls
The QEMU CI fails in virtio-scmi test occasionally. As reported by
Thomas Huth, this happens most likely when the system is loaded and it
fails with the following error:
qemu-system-aarch64: ../../devel/qemu/hw/pci/msix.c:659:
msix_unset_vector_notifiers: Assertion `dev->msix_vector_use_notifier &&
dev->msix_vector_release_notifier' failed.
../../devel/qemu/tests/qtest/libqtest.c:200: kill_qemu() detected QEMU death
from signal 6 (Aborted) (core dumped)
As discovered by Fabiano Rosas, the cause is a duplicate invocation of
msix_unset_vector_notifiers via duplicate vu_scmi_stop calls:
msix_unset_vector_notifiers
virtio_pci_set_guest_notifiers
vu_scmi_stop
vu_scmi_disconnect
...
qemu_chr_write_buffer
msix_unset_vector_notifiers
virtio_pci_set_guest_notifiers
vu_scmi_stop
vu_scmi_set_status
...
qemu_cleanup
While vu_scmi_stop calls are protected by vhost_dev_is_started()
check, it's apparently not enough. vhost-user-blk and vhost-user-gpio
use an extra protection, see f5b22d06fb (vhost: recheck dev state in
the vhost_migration_log routine) for the motivation. Let's use the
same in vhost-user-scmi, which fixes the failure above.
Fixes: a5dab090e142 ("hw/virtio: Add boilerplate for vhost-user-scmi device")
Signed-off-by: Milan Zamazal <mzamazal@redhat.com>
Message-Id: <20230720101037.2161450-1-mzamazal@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Fabiano Rosas <farosas@suse.de>
Commit: 45d9d318c8d435cbe2d465f61e6975885d2242ca
https://github.com/qemu/qemu/commit/45d9d318c8d435cbe2d465f61e6975885d2242ca
Author: Igor Mammedov <imammedo@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M tests/qtest/bios-tables-test-allowed-diff.h
Log Message:
-----------
tests: acpi: x86: whitelist expected blobs
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20230720133858.1974024-2-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Commit: 44d975ef340e2f21f236f9520c53e1b30d2213a4
https://github.com/qemu/qemu/commit/44d975ef340e2f21f236f9520c53e1b30d2213a4
Author: Igor Mammedov <imammedo@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/i386/acpi-build.c
Log Message:
-----------
x86: acpi: workaround Windows not handling name references in Package properly
it seems that Windows is unable to handle variable references
making it choke up when accessing ASUN during _DSM call
when device is hotplugged (it lists package elements as DataAlias
but despite that later on it misbehaves) with following error
shown up in AMLI debugger (WS2012r2):
Store(ShiftLeft(One,Arg1="ASUN",) AMLI_ERROR(c0140008): Unexpected argument
type
ValidateArgTypes: expected Arg1 to be type Integer (Type=String)
Similar outcome with WS2022.
Issue is not fatal but as result acpi-index/"PCI Label ID" property
is either not shown in device details page or shows incorrect value.
Fix it by doing assignment of BSEL/ASUN values to package
elements manually after package declaration.
Fix was tested with: WS2012r2, WS2022, RHEL9
Fixes: 467d099a2985 (x86: acpi: _DSM: use Package to pass parameters)
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20230720133858.1974024-3-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Commit: 6e510855a90b7ca1811bdfc4be66b0fd4a4af28a
https://github.com/qemu/qemu/commit/6e510855a90b7ca1811bdfc4be66b0fd4a4af28a
Author: Igor Mammedov <imammedo@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M tests/data/acpi/pc/DSDT
M tests/data/acpi/pc/DSDT.acpierst
M tests/data/acpi/pc/DSDT.acpihmat
M tests/data/acpi/pc/DSDT.bridge
M tests/data/acpi/pc/DSDT.cphp
M tests/data/acpi/pc/DSDT.dimmpxm
M tests/data/acpi/pc/DSDT.hpbridge
M tests/data/acpi/pc/DSDT.ipmikcs
M tests/data/acpi/pc/DSDT.memhp
M tests/data/acpi/pc/DSDT.nohpet
M tests/data/acpi/pc/DSDT.numamem
M tests/data/acpi/pc/DSDT.roothp
M tests/data/acpi/q35/DSDT.bridge
M tests/data/acpi/q35/DSDT.multi-bridge
M tests/qtest/bios-tables-test-allowed-diff.h
Log Message:
-----------
tests: acpi: x86: update expected blobs
Following change is expected on each PCI slot with enabled
ACPI PCI hotplug
- BSEL,
- ASUN
+ Zero,
+ Zero
}
+ Local0 [Zero] = BSEL /* \_SB_.PCI0.BSEL */
+ Local0 [One] = ASUN /* \_SB_.PCI0.S18_.ASUN */
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20230720133858.1974024-4-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Commit: d3dc64f34d6b0567ae99fbfe80ed3c094991194b
https://github.com/qemu/qemu/commit/d3dc64f34d6b0567ae99fbfe80ed3c094991194b
Author: Igor Mammedov <imammedo@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M tests/qtest/bios-tables-test-allowed-diff.h
Log Message:
-----------
tests: acpi: whitelist expected blobs
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20230720133858.1974024-5-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Commit: 5ce869f788b0b8d82693212366d5637d9f3206c9
https://github.com/qemu/qemu/commit/5ce869f788b0b8d82693212366d5637d9f3206c9
Author: Igor Mammedov <imammedo@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/i386/acpi-build.c
Log Message:
-----------
acpi: x86: remove _ADR on host bridges
ACPI spec (since 2.0a) says
"
A device object must contain either an _HID object or
an _ADR object, but can contain both.
"
_ADR is used when device is attached to an ennumerable bus,
however hostbridge is not and uses dedicated _HID for
discovery, drop _ADR field.
It doesn't seem that having _ADR has a negative effects
OSes manage to tolerate that, but there is no point of
having it there. (only pc/q35 has it hostbridge description,
while others (microvm/arm) don't)
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20230720133858.1974024-6-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Commit: e3c79cf3ef24008e536beb41ed41dd253d62c95a
https://github.com/qemu/qemu/commit/e3c79cf3ef24008e536beb41ed41dd253d62c95a
Author: Igor Mammedov <imammedo@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M tests/data/acpi/pc/DSDT
M tests/data/acpi/pc/DSDT.acpierst
M tests/data/acpi/pc/DSDT.acpihmat
M tests/data/acpi/pc/DSDT.bridge
M tests/data/acpi/pc/DSDT.cphp
M tests/data/acpi/pc/DSDT.dimmpxm
M tests/data/acpi/pc/DSDT.hpbridge
M tests/data/acpi/pc/DSDT.hpbrroot
M tests/data/acpi/pc/DSDT.ipmikcs
M tests/data/acpi/pc/DSDT.memhp
M tests/data/acpi/pc/DSDT.nohpet
M tests/data/acpi/pc/DSDT.numamem
M tests/data/acpi/pc/DSDT.roothp
M tests/data/acpi/q35/DSDT
M tests/data/acpi/q35/DSDT.acpierst
M tests/data/acpi/q35/DSDT.acpihmat
M tests/data/acpi/q35/DSDT.acpihmat-noinitiator
M tests/data/acpi/q35/DSDT.applesmc
M tests/data/acpi/q35/DSDT.bridge
M tests/data/acpi/q35/DSDT.core-count2
M tests/data/acpi/q35/DSDT.cphp
M tests/data/acpi/q35/DSDT.cxl
M tests/data/acpi/q35/DSDT.dimmpxm
M tests/data/acpi/q35/DSDT.ipmibt
M tests/data/acpi/q35/DSDT.ipmismbus
M tests/data/acpi/q35/DSDT.ivrs
M tests/data/acpi/q35/DSDT.memhp
M tests/data/acpi/q35/DSDT.mmio64
M tests/data/acpi/q35/DSDT.multi-bridge
M tests/data/acpi/q35/DSDT.noacpihp
M tests/data/acpi/q35/DSDT.nohpet
M tests/data/acpi/q35/DSDT.numamem
M tests/data/acpi/q35/DSDT.pvpanic-isa
M tests/data/acpi/q35/DSDT.tis.tpm12
M tests/data/acpi/q35/DSDT.tis.tpm2
M tests/data/acpi/q35/DSDT.viot
M tests/data/acpi/q35/DSDT.xapic
M tests/qtest/bios-tables-test-allowed-diff.h
Log Message:
-----------
tests: acpi: update expected blobs
Expected change is that _ADR object is removed from
hostbridge descriptor in DSDT for PC and Q35 machines.
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20230720133858.1974024-7-imammedo@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Commit: 92f04221379ae5e35f6474c2afed2eb02d552df3
https://github.com/qemu/qemu/commit/92f04221379ae5e35f6474c2afed2eb02d552df3
Author: David Edmondson <david.edmondson@oracle.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/virtio/virtio-qmp.c
Log Message:
-----------
hw/virtio: qmp: add RING_RESET to 'info virtio-status'
Signed-off-by: David Edmondson <david.edmondson@oracle.com>
Message-Id: <20230721072820.75797-1-david.edmondson@oracle.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Commit: c92f4fcafa14890524945073b494937e97112677
https://github.com/qemu/qemu/commit/c92f4fcafa14890524945073b494937e97112677
Author: Hanna Czenczek <hreitz@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/virtio/virtio.c
Log Message:
-----------
virtio: Fix packed virtqueue used_idx mask
virtio_queue_packed_set_last_avail_idx() is used by vhost devices to set
the internal queue indices to what has been reported by the vhost
back-end through GET_VRING_BASE. For packed virtqueues, this
32-bit value is expected to contain both the device's internal avail and
used indices, as well as their respective wrap counters.
To get the used index, we shift the 32-bit value right by 16, and then
apply a mask of 0x7ffff. That seems to be a typo, because it should be
0x7fff; first of all, the virtio specification says that the maximum
queue size for packed virt queues is 2^15, so the indices cannot exceed
2^15 - 1 anyway, making 0x7fff the correct mask. Second, the mask
clearly is wrong from context, too, given that (A) `idx & 0x70000` must
be 0 at this point (`idx` is 32 bit and was shifted to the right by 16
already), (B) `idx & 0x8000` is the used_wrap_counter, so should not be
part of the used index, and (C) `vq->used_idx` is a `uint16_t`, so
cannot fit the 0x70000 part of the mask anyway.
This most likely never produced any guest-visible bugs, though, because
for a vhost device, qemu will probably not evaluate the used index
outside of virtio_queue_packed_get_last_avail_idx(), where we
reconstruct the 32-bit value from avail and used indices and their wrap
counters again. There, it does not matter whether the highest bit of
the used_idx is the used index wrap counter, because we put the wrap
counter exactly in that position anyway.
Signed-off-by: Hanna Czenczek <hreitz@redhat.com>
Message-Id: <20230721134945.26967-1-hreitz@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: German Maglione <gmaglione@redhat.com>
Commit: 348e354417b64c484877354ee7cc66f29fa6c7df
https://github.com/qemu/qemu/commit/348e354417b64c484877354ee7cc66f29fa6c7df
Author: Yuri Benditovich <yuri.benditovich@daynix.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/pci/pci_host.c
Log Message:
-----------
pci: do not respond config requests after PCI device eject
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2224964
In migration with VF failover, Windows guest and ACPI hot
unplug we do not need to satisfy config requests, otherwise
the guest immediately detects the device and brings up its
driver. Many network VF's are stuck on the guest PCI bus after
the migration.
Signed-off-by: Yuri Benditovich <yuri.benditovich@daynix.com>
Message-Id: <20230728084049.191454-1-yuri.benditovich@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Commit: 18f2971ce403008d5e1c2875b483c9d1778143dc
https://github.com/qemu/qemu/commit/18f2971ce403008d5e1c2875b483c9d1778143dc
Author: Li Feng <fengli@smartx.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/virtio/vhost.c
Log Message:
-----------
vhost: fix the fd leak
When the vhost-user reconnect to the backend, the notifer should be
cleanup. Otherwise, the fd resource will be exhausted.
Fixes: f9a09ca3ea ("vhost: add support for configure interrupt")
Signed-off-by: Li Feng <fengli@smartx.com>
Reviewed-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Message-Id: <20230731121018.2856310-2-fengli@smartx.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Fiona Ebner <f.ebner@proxmox.com>
Commit: cc2a08480e19007c05be8fe5b6893e20448954dc
https://github.com/qemu/qemu/commit/cc2a08480e19007c05be8fe5b6893e20448954dc
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/i386/intel_iommu.c
Log Message:
-----------
hw/i386/intel_iommu: Fix trivial endianness problems
After reading the guest memory with dma_memory_read(), we have
to make sure that we byteswap the little endian data to the host's
byte order.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230802135723.178083-2-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Xu <peterx@redhat.com>
Commit: 642ba89672279fbdd14016a90da239c85e845d18
https://github.com/qemu/qemu/commit/642ba89672279fbdd14016a90da239c85e845d18
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/i386/intel_iommu.c
M include/hw/i386/intel_iommu.h
Log Message:
-----------
hw/i386/intel_iommu: Fix endianness problems related to VTD_IR_TableEntry
The code already tries to do some endianness handling here, but
currently fails badly:
- While it already swaps the data when logging errors / tracing, it fails
to byteswap the value before e.g. accessing entry->irte.present
- entry->irte.source_id is swapped with le32_to_cpu(), though this is
a 16-bit value
- The whole union is apparently supposed to be swapped via the 64-bit
data[2] array, but the struct is a mixture between 32 bit values
(the first 8 bytes) and 64 bit values (the second 8 bytes), so this
cannot work as expected.
Fix it by converting the struct to two proper 64-bit bitfields, and
by swapping the values only once for everybody right after reading
the data from memory.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230802135723.178083-3-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Commit: 4572b22cf9ba432fa3955686853c706a1821bbc7
https://github.com/qemu/qemu/commit/4572b22cf9ba432fa3955686853c706a1821bbc7
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/i386/intel_iommu_internal.h
Log Message:
-----------
hw/i386/intel_iommu: Fix struct VTDInvDescIEC on big endian hosts
On big endian hosts, we need to reverse the bitfield order in the
struct VTDInvDescIEC, just like it is already done for the other
bitfields in the various structs of the intel-iommu device.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230802135723.178083-4-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Commit: fcd8027423300b201b37842b88393dc5c6c8ee9e
https://github.com/qemu/qemu/commit/fcd8027423300b201b37842b88393dc5c6c8ee9e
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/i386/intel_iommu.c
Log Message:
-----------
hw/i386/intel_iommu: Fix index calculation in vtd_interrupt_remap_msi()
The values in "addr" are populated locally in this function in host
endian byte order, so we must not swap the index_l field here.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230802135723.178083-5-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Xu <peterx@redhat.com>
Commit: 37cf5cecb039a063c0abe3b51ae30f969e73aa84
https://github.com/qemu/qemu/commit/37cf5cecb039a063c0abe3b51ae30f969e73aa84
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/i386/x86-iommu.c
Log Message:
-----------
hw/i386/x86-iommu: Fix endianness issue in x86_iommu_irq_to_msi_message()
The values in "msg" are assembled in host endian byte order (the other
field are also not swapped), so we must not swap the __addr_head here.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230802135723.178083-6-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Xu <peterx@redhat.com>
Commit: e1e56c07d1fa24aa37a7e89e6633768fc8ea8705
https://github.com/qemu/qemu/commit/e1e56c07d1fa24aa37a7e89e6633768fc8ea8705
Author: Thomas Huth <thuth@redhat.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M include/hw/i386/x86-iommu.h
Log Message:
-----------
include/hw/i386/x86-iommu: Fix struct X86IOMMU_MSIMessage for big endian hosts
The first bitfield here is supposed to be used as a 64-bit equivalent
to the "uint64_t msi_addr" in the union. To make this work correctly
on big endian hosts, too, the __addr_hi field has to be part of the
bitfield, and the the bitfield members must be declared with "uint64_t"
instead of "uint32_t" - otherwise the values are placed in the wrong
bytes on big endian hosts.
Same applies to the 32-bit "msi_data" field: __resved1 must be part
of the bitfield, and the members must be declared with "uint32_t"
instead of "uint16_t".
Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230802135723.178083-7-thuth@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Commit: 9d38a8434721a6479fe03fb5afb150ca793d3980
https://github.com/qemu/qemu/commit/9d38a8434721a6479fe03fb5afb150ca793d3980
Author: zhenwei pi <pizhenwei@bytedance.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M hw/virtio/virtio-crypto.c
Log Message:
-----------
virtio-crypto: verify src&dst buffer length for sym request
For symmetric algorithms, the length of ciphertext must be as same
as the plaintext.
The missing verification of the src_len and the dst_len in
virtio_crypto_sym_op_helper() may lead buffer overflow/divulged.
This patch is originally written by Yiming Tao for QEMU-SECURITY,
resend it(a few changes of error message) in qemu-devel.
Fixes: CVE-2023-3180
Fixes: 04b9b37edda("virtio-crypto: add data queue processing handler")
Cc: Gonglei <arei.gonglei@huawei.com>
Cc: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: Yiming Tao <taoym@zju.edu.cn>
Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
Message-Id: <20230803024314.29962-2-pizhenwei@bytedance.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Commit: 15b11a1da6a4b7c6b8bb37883f52b544dee2b8fd
https://github.com/qemu/qemu/commit/15b11a1da6a4b7c6b8bb37883f52b544dee2b8fd
Author: zhenwei pi <pizhenwei@bytedance.com>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M backends/cryptodev.c
Log Message:
-----------
cryptodev: Handle unexpected request to avoid crash
Generally guest side should discover which services the device is
able to offer, then do requests on device.
However it's also possible to break this rule in a guest. Handle
unexpected request here to avoid NULL pointer dereference.
Fixes: e7a775fd ('cryptodev: Account statistics')
Cc: Gonglei <arei.gonglei@huawei.com>
Cc: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: Xiao Lei <nop.leixiao@gmail.com>
Cc: Yongkang Jia <kangel@zju.edu.cn>
Reported-by: Yiming Tao <taoym@zju.edu.cn>
Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
Message-Id: <20230803024314.29962-3-pizhenwei@bytedance.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Commit: f8c0fd9804f435a20c3baa4c0c77ba9a02af24ef
https://github.com/qemu/qemu/commit/f8c0fd9804f435a20c3baa4c0c77ba9a02af24ef
Author: Helge Deller <deller@gmx.de>
Date: 2023-08-04 (Fri, 04 Aug 2023)
Changed paths:
M target/hppa/cpu.h
Log Message:
-----------
target/hppa: Move iaoq registers and thus reduce generated code size
On hppa the Instruction Address Offset Queue (IAOQ) registers specifies
the next to-be-executed instructions addresses. Each generated TB writes those
registers at least once, so those registers are used heavily in generated
code.
Looking at the generated assembly, for a x86-64 host this code
to write the address $0x7ffe826f into iaoq_f is generated:
0x7f73e8000184: c7 85 d4 01 00 00 6f 82 movl $0x7ffe826f, 0x1d4(%rbp)
0x7f73e800018c: fe 7f
0x7f73e800018e: c7 85 d8 01 00 00 73 82 movl $0x7ffe8273, 0x1d8(%rbp)
0x7f73e8000196: fe 7f
With the trivial change, by moving the variables iaoq_f and iaoq_b to
the top of struct CPUArchState, the offset to %rbp is reduced (from
0x1d4 to 0), which allows the x86-64 tcg to generate 3 bytes less of
generated code per move instruction:
0x7fc1e800018c: c7 45 00 6f 82 fe 7f movl $0x7ffe826f, (%rbp)
0x7fc1e8000193: c7 45 04 73 82 fe 7f movl $0x7ffe8273, 4(%rbp)
Overall this is a reduction of generated code (not a reduction of
number of instructions).
A test run with checks the generated code size by running "/bin/ls"
with qemu-user shows that the code size shrinks from 1616767 to 1569273
bytes, which is ~97% of the former size.
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: qemu-stable@nongnu.org
Commit: a089a7338332578ac2a0d792f8b2e09baed8b817
https://github.com/qemu/qemu/commit/a089a7338332578ac2a0d792f8b2e09baed8b817
Author: Richard Henderson <richard.henderson@linaro.org>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M backends/cryptodev.c
M hw/i386/acpi-build.c
M hw/i386/intel_iommu.c
M hw/i386/intel_iommu_internal.h
M hw/i386/x86-iommu.c
M hw/pci-bridge/cxl_upstream.c
M hw/pci/pci_host.c
M hw/virtio/vhost-user-scmi.c
M hw/virtio/vhost.c
M hw/virtio/virtio-crypto.c
M hw/virtio/virtio-iommu.c
M hw/virtio/virtio-qmp.c
M hw/virtio/virtio.c
M include/hw/i386/intel_iommu.h
M include/hw/i386/x86-iommu.h
M include/hw/virtio/vhost-user-scmi.h
M tests/data/acpi/pc/DSDT
M tests/data/acpi/pc/DSDT.acpierst
M tests/data/acpi/pc/DSDT.acpihmat
M tests/data/acpi/pc/DSDT.bridge
M tests/data/acpi/pc/DSDT.cphp
M tests/data/acpi/pc/DSDT.dimmpxm
M tests/data/acpi/pc/DSDT.hpbridge
M tests/data/acpi/pc/DSDT.hpbrroot
M tests/data/acpi/pc/DSDT.ipmikcs
M tests/data/acpi/pc/DSDT.memhp
M tests/data/acpi/pc/DSDT.nohpet
M tests/data/acpi/pc/DSDT.numamem
M tests/data/acpi/pc/DSDT.roothp
M tests/data/acpi/q35/DSDT
M tests/data/acpi/q35/DSDT.acpierst
M tests/data/acpi/q35/DSDT.acpihmat
M tests/data/acpi/q35/DSDT.acpihmat-noinitiator
M tests/data/acpi/q35/DSDT.applesmc
M tests/data/acpi/q35/DSDT.bridge
M tests/data/acpi/q35/DSDT.core-count2
M tests/data/acpi/q35/DSDT.cphp
M tests/data/acpi/q35/DSDT.cxl
M tests/data/acpi/q35/DSDT.dimmpxm
M tests/data/acpi/q35/DSDT.ipmibt
M tests/data/acpi/q35/DSDT.ipmismbus
M tests/data/acpi/q35/DSDT.ivrs
M tests/data/acpi/q35/DSDT.memhp
M tests/data/acpi/q35/DSDT.mmio64
M tests/data/acpi/q35/DSDT.multi-bridge
M tests/data/acpi/q35/DSDT.noacpihp
M tests/data/acpi/q35/DSDT.nohpet
M tests/data/acpi/q35/DSDT.numamem
M tests/data/acpi/q35/DSDT.pvpanic-isa
M tests/data/acpi/q35/DSDT.tis.tpm12
M tests/data/acpi/q35/DSDT.tis.tpm2
M tests/data/acpi/q35/DSDT.viot
M tests/data/acpi/q35/DSDT.xapic
Log Message:
-----------
Merge tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu
into staging
pc,pci,virtio,crypto: bugfixes
fixes all over the place.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
# -----BEGIN PGP SIGNATURE-----
#
# iQFDBAABCAAtFiEEXQn9CHHI+FuUyooNKB8NuNKNVGkFAmTMJ90PHG1zdEByZWRo
# YXQuY29tAAoJECgfDbjSjVRprTAH/1YxxP9Dhn71BjkwGQ18SmpNp0wlmP9GRJEy
# 7aQNO7ativ8njAX1fLEo0ZRJ5qX1MCw+/ZuEvIUZD+0biwimsVCPjWVLs3Q8geUs
# LzQWuvUoRGp136BtaZUrlS/cWr8TQY+4/lyK/xOBUOiI+5AP1Yi7eL9162RDQR3D
# cV/0eH8QNY+93n+VnyFY6Y55YnHyH9EBkxdtnVkt7NOCms4qMRf9IBiWOMaktp4w
# iTfvOfKbTCKhWDsNWIJEJUtWItRFp6OIRdO3KoMXBHuE8S/0C19fc2eBfbeN/bUK
# I5b4xO181ibzoPGWkDfLYi1wFfvGDDxFe119EzvDKU8dDtNFBoY=
# =FRdM
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 03 Aug 2023 03:19:09 PM PDT
# gpg: using RSA key 5D09FD0871C8F85B94CA8A0D281F0DB8D28D5469
# gpg: issuer "mst@redhat.com"
# gpg: Good signature from "Michael S. Tsirkin <mst@kernel.org>" [undefined]
# gpg: aka "Michael S. Tsirkin <mst@redhat.com>" [undefined]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 0270 606B 6F3C DF3D 0B17 0970 C350 3912 AFBE 8E67
# Subkey fingerprint: 5D09 FD08 71C8 F85B 94CA 8A0D 281F 0DB8 D28D 5469
* tag 'for_upstream' of https://git.kernel.org/pub/scm/virt/kvm/mst/qemu: (22
commits)
cryptodev: Handle unexpected request to avoid crash
virtio-crypto: verify src&dst buffer length for sym request
include/hw/i386/x86-iommu: Fix struct X86IOMMU_MSIMessage for big endian hosts
hw/i386/x86-iommu: Fix endianness issue in x86_iommu_irq_to_msi_message()
hw/i386/intel_iommu: Fix index calculation in vtd_interrupt_remap_msi()
hw/i386/intel_iommu: Fix struct VTDInvDescIEC on big endian hosts
hw/i386/intel_iommu: Fix endianness problems related to VTD_IR_TableEntry
hw/i386/intel_iommu: Fix trivial endianness problems
vhost: fix the fd leak
pci: do not respond config requests after PCI device eject
virtio: Fix packed virtqueue used_idx mask
hw/virtio: qmp: add RING_RESET to 'info virtio-status'
tests: acpi: update expected blobs
acpi: x86: remove _ADR on host bridges
tests: acpi: whitelist expected blobs
tests: acpi: x86: update expected blobs
x86: acpi: workaround Windows not handling name references in Package properly
tests: acpi: x86: whitelist expected blobs
hw/virtio: Add a protection against duplicate vu_scmi_stop calls
virtio-iommu: Standardize granule extraction and formatting
...
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Commit: c26d005e62f4fd177dae0cd70c24cb96761edebc
https://github.com/qemu/qemu/commit/c26d005e62f4fd177dae0cd70c24cb96761edebc
Author: Richard Henderson <richard.henderson@linaro.org>
Date: 2023-08-03 (Thu, 03 Aug 2023)
Changed paths:
M target/hppa/cpu.h
Log Message:
-----------
Merge tag 'hppa-linux-user-speedup-pull-request' of
https://github.com/hdeller/qemu-hppa into staging
Generated code size reduction with linux-user for hppa
Would you please consider pulling this trivial fix, which reduces
the generated code on x86 by ~3% when running linux-user with
the hppa target?
Thanks,
Helge
# -----BEGIN PGP SIGNATURE-----
#
# iHUEABYKAB0WIQS86RI+GtKfB8BJu973ErUQojoPXwUCZMwriQAKCRD3ErUQojoP
# X0oxAQC7HlQ4j23o4ylqbXTiZdOeY26TjWTlw38OkuSXcqgCMAD/UmwEDawEGTKv
# SuRjrASdFzpjvjDss2nreahL9hGvrAI=
# =eoAk
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu 03 Aug 2023 03:34:49 PM PDT
# gpg: using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg: aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D 25F8 3E5F 3D04 A7A2 4603
# Subkey fingerprint: BCE9 123E 1AD2 9F07 C049 BBDE F712 B510 A23A 0F5F
* tag 'hppa-linux-user-speedup-pull-request' of
https://github.com/hdeller/qemu-hppa:
target/hppa: Move iaoq registers and thus reduce generated code size
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Compare: https://github.com/qemu/qemu/compare/2e6a56f6fb9f...c26d005e62f4