1
diff --git a/debian/changelog b/debian/changelog
2
index cc2f33a..0124b2c 100644
3
--- a/debian/changelog
4
+++ b/debian/changelog
5
@@ -1,3 +1,89 @@
6
1
qemu (1:4.2-3ubuntu6.5) focal; urgency=medium
7
2
8
3
  * further stabilize qemu by importing patches of qemu v4.2.1
9
4
    Fixes (LP: #1891203) and (LP: #1891877)
10
5
    - d/p/stable/lp-1891877-*
11
6
  * fix s390x SQXBR emulation (LP: #1883984)
12
7
    - d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
13
8
  * fix -no-reboot for s390x protvirt guests (LP: #1890154)
14
9
    - d/p/ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-*
15
10
16
11
 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 19 Aug 2020 13:40:49 +0200
17
12
18
13
qemu (1:4.2-3ubuntu6.4) focal-security; urgency=medium
19
14
20
15
  * SECURITY UPDATE: assert failure in nbd
21
16
    - debian/patches/ubuntu/CVE-2020-10761.patch: avoid long error message
22
17
      assertions in nbd/server.c, tests/qemu-iotests/143,
23
18
      tests/qemu-iotests/143.out.
24
19
    - CVE-2020-10761
25
20
  * SECURITY UPDATE: out-of-bounds read and write in sm501
26
21
    - debian/patches/ubuntu/CVE-2020-12829-pre1.patch: convert printf +
27
22
      abort to qemu_log_mask.
28
23
    - debian/patches/ubuntu/CVE-2020-12829-pre2.patch: shorten long
29
24
      variable names in sm501_2d_operation.
30
25
    - debian/patches/ubuntu/CVE-2020-12829-pre3.patch: use BIT(x) macro to
31
26
      shorten constant.
32
27
    - debian/patches/ubuntu/CVE-2020-12829-pre4.patch: clean up local
33
28
      variables in sm501_2d_operation.
34
29
    - debian/patches/ubuntu/CVE-2020-12829.patch: replace hand written
35
30
      implementation with pixman where possible.
36
31
    - debian/patches/ubuntu/CVE-2020-12829-2.patch: optimize small
37
32
      overlapping blits.
38
33
    - debian/patches/ubuntu/CVE-2020-12829-3.patch: fix bounds checks.
39
34
    - debian/patches/ubuntu/CVE-2020-12829-4.patch: drop unneded variable.
40
35
    - debian/patches/ubuntu/CVE-2020-12829-5.patch: do not allow guest to
41
36
      set invalid format.
42
37
    - debian/patches/ubuntu/CVE-2020-12829-6.patch: introduce variable for
43
38
      commonly used value for better readability.
44
39
    - debian/patches/ubuntu/CVE-2020-12829-7.patch: fix and optimize
45
40
      overlap check.
46
41
    - CVE-2020-12829
47
42
  * SECURITY UPDATE: out-of-bounds read during sdhci_write() operations
48
43
    - debian/patches/ubuntu/CVE-2020-13253.patch: do not switch to
49
44
      ReceivingData if address is invalid in hw/sd/sd.c.
50
45
    - CVE-2020-13253
51
46
  * SECURITY UPDATE: out-of-bounds access during es1370_write() operation
52
47
    - debian/patches/ubuntu/CVE-2020-13361.patch: check total frame count
53
48
      against current frame in hw/audio/es1370.c.
54
49
    - CVE-2020-13361
55
50
  * SECURITY UPDATE: out-of-bounds read via crafted reply_queue_head
56
51
    - debian/patches/ubuntu/CVE-2020-13362-1.patch: use unsigned type for
57
52
      reply_queue_head and check index in hw/scsi/megasas.c.
58
53
    - debian/patches/ubuntu/CVE-2020-13362-2.patch: avoid NULL pointer
59
54
      dereference in hw/scsi/megasas.c.
60
55
    - debian/patches/ubuntu/CVE-2020-13362-3.patch: use unsigned type for
61
56
      positive numeric fields in hw/scsi/megasas.c.
62
57
    - CVE-2020-13362
63
58
  * SECURITY UPDATE: NULL pointer dereference related to BounceBuffer
64
59
    - debian/patches/ubuntu/CVE-2020-13659.patch: set map length to zero
65
60
      when returning NULL in exec.c, include/exec/memory.h.
66
61
    - CVE-2020-13659
67
62
  * SECURITY UPDATE: out-of-bounds access via msi-x mmio operation
68
63
    - debian/patches/ubuntu/CVE-2020-13754-1.patch: revert accepting
69
64
      mismatching sizes in memory_region_access_valid in memory.c.
70
65
    - debian/patches/ubuntu/CVE-2020-13754-2.patch: accept byte and word
71
66
      access to core ACPI registers in hw/acpi/core.c.
72
67
    - CVE-2020-13754
73
68
  * SECURITY UPDATE: infinite recursion in ati-vga
74
69
    - debian/patches/ubuntu/CVE-2020-13800.patch: check mm_index before
75
70
      recursive call in hw/display/ati.c.
76
71
    - CVE-2020-13800
77
72
  * SECURITY UPDATE: division by zero in oss_write()
78
73
    - debian/patches/ubuntu/CVE-2020-14415.patch: fix buffer pos
79
74
      calculation in audio/ossaudio.c.
80
75
    - CVE-2020-14415
81
76
  * SECURITY UPDATE: buffer overflow in XGMAC Ethernet controller
82
77
    - debian/patches/ubuntu/CVE-2020-15863.patch: check bounds in
83
78
      hw/net/xgmac.c.
84
79
    - CVE-2020-15863
85
80
  * SECURITY UPDATE: reachable assertion failure
86
81
    - debian/patches/ubuntu/CVE-2020-16092.patch: fix assertion failure in
87
82
      hw/net/net_tx_pkt.c.
88
83
    - CVE-2020-16092
89
84
90
85
 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 11 Aug 2020 12:30:06 -0400
91
86
92
1
qemu (1:4.2-3ubuntu6.3) focal; urgency=medium
87
qemu (1:4.2-3ubuntu6.3) focal; urgency=medium
93
2
88
94
3
  * debian/patches/ubuntu/lp-1878973-*: fix assert in qemu-guest-agent that
89
  * debian/patches/ubuntu/lp-1878973-*: fix assert in qemu-guest-agent that
95
diff --git a/debian/patches/series b/debian/patches/series
96
index dd6cb95..b9c1506 100644
97
--- a/debian/patches/series
98
+++ b/debian/patches/series
99
@@ -39,7 +39,6 @@ stable/lp-1867519-target-arm-Set-ISSIs16Bit-in-make_issinfo.patch
100
39
stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch
39
stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch
101
40
stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch
40
stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch
102
41
stable/lp-1867519-block-backup-top-fix-failure-path.patch
41
stable/lp-1867519-block-backup-top-fix-failure-path.patch
103
42
stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch
104
43
stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch
42
stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch
105
44
stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch
43
stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch
106
45
stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch
44
stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch
107
@@ -93,3 +92,134 @@ ubuntu/lp-1872945-target-openrisc-Fix-FPCSR-mask-to-allow-setting-DZF.patch
108
93
ubuntu/CVE-2020-11869.patch
92
ubuntu/CVE-2020-11869.patch
109
94
ubuntu/lp-1878973-fix-assert-regression.patch
93
ubuntu/lp-1878973-fix-assert-regression.patch
110
95
lp-1882774-target-i386-do-not-set-unsupported-VMX-secondary-exe.patch
94
lp-1882774-target-i386-do-not-set-unsupported-VMX-secondary-exe.patch
111
95
ubuntu/CVE-2020-10761.patch
112
96
ubuntu/CVE-2020-12829-pre1.patch
113
97
ubuntu/CVE-2020-12829-pre2.patch
114
98
ubuntu/CVE-2020-12829-pre3.patch
115
99
ubuntu/CVE-2020-12829-pre4.patch
116
100
ubuntu/CVE-2020-12829.patch
117
101
ubuntu/CVE-2020-12829-2.patch
118
102
ubuntu/CVE-2020-12829-3.patch
119
103
ubuntu/CVE-2020-12829-4.patch
120
104
ubuntu/CVE-2020-12829-5.patch
121
105
ubuntu/CVE-2020-12829-6.patch
122
106
ubuntu/CVE-2020-12829-7.patch
123
107
ubuntu/CVE-2020-13253.patch
124
108
ubuntu/CVE-2020-13361.patch
125
109
ubuntu/CVE-2020-13362-1.patch
126
110
ubuntu/CVE-2020-13362-2.patch
127
111
ubuntu/CVE-2020-13362-3.patch
128
112
ubuntu/CVE-2020-13659.patch
129
113
ubuntu/CVE-2020-13754-1.patch
130
114
ubuntu/CVE-2020-13754-2.patch
131
115
ubuntu/CVE-2020-13800.patch
132
116
ubuntu/CVE-2020-14415.patch
133
117
ubuntu/CVE-2020-15863.patch
134
118
ubuntu/CVE-2020-16092.patch
135
119
stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch
136
120
stable/lp-1891877-qapi-better-document-NVMe-blockdev-device-parameter.patch
137
121
stable/lp-1891877-numa-remove-not-needed-check.patch
138
122
stable/lp-1891877-numa-properly-check-if-numa-is-supported.patch
139
123
stable/lp-1891877-tests-ide-test-Create-a-single-unit-test-covering-mo.patch
140
124
stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch
141
125
stable/lp-1891877-virtio-add-ability-to-delete-vq-through-a-pointer.patch
142
126
stable/lp-1891877-virtio-make-virtio_delete_queue-idempotent.patch
143
127
stable/lp-1891877-virtio-reset-region-cache-when-on-queue-deletion.patch
144
128
stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch
145
129
stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch
146
130
stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch
147
131
stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch
148
132
stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch
149
133
stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch
150
134
stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch
151
135
stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch
152
136
stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch
153
137
stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch
154
138
stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch
155
139
stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch
156
140
stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch
157
141
stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch
158
142
stable/lp-1891877-qcow2-update_refcount-Reset-old_table_index-after-qc.patch
159
143
stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch
160
144
stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch
161
145
stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch
162
146
stable/lp-1891877-scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch
163
147
stable/lp-1891877-target-ppc-Fix-rlwinm-on-ppc64.patch
164
148
stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch
165
149
stable/lp-1891877-qga-Installer-Wait-for-installation-to-finish.patch
166
150
stable/lp-1891877-qga-win-Handle-VSS_E_PROVIDER_ALREADY_REGISTERED-err.patch
167
151
stable/lp-1891877-qga-win-prevent-crash-when-executing-guest-file-read.patch
168
152
stable/lp-1891877-qga-Fix-undefined-C-behavior.patch
169
153
stable/lp-1891877-qemu-ga-document-vsock-listen-in-the-man-page.patch
170
154
stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch
171
155
stable/lp-1891877-tcg-i386-Fix-INDEX_op_dup2_vec.patch
172
156
stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch
173
157
stable/lp-1891877-xen-block-Fix-double-qlist-remove-and-request-leak.patch
174
158
stable/lp-1891877-vhost-user-gpu-Release-memory-returned-by-vu_queue_p.patch
175
159
stable/lp-1891877-target-ppc-Fix-mtmsr-d-L-1-variant-that-loses-interr.patch
176
160
stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch
177
161
stable/lp-1891877-target-arm-Clear-tail-in-gvec_fmul_idx_-gvec_fmla_id.patch
178
162
stable/lp-1891877-qemu-nbd-Close-inherited-stderr.patch
179
163
stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch
180
164
stable/lp-1891877-net-Do-not-include-a-newline-in-the-id-of-nic-device.patch
181
165
stable/lp-1891877-virtio-balloon-fix-free-page-hinting-without-an-ioth.patch
182
166
stable/lp-1891877-virtio-balloon-fix-free-page-hinting-check-on-unreal.patch
183
167
stable/lp-1891877-virtio-balloon-unref-the-iothread-when-unrealizing.patch
184
168
stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch
185
169
stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch
186
170
stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch
187
171
stable/lp-1891877-virtio-9p-device-fix-memleak-in-virtio_9p_device_unr.patch
188
172
stable/lp-1891877-9p-proxy-Fix-export_flags.patch
189
173
stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
190
174
stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch
191
175
stable/lp-1891877-xen-9pfs-yield-when-there-isn-t-enough-room-on-the-r.patch
192
176
stable/lp-1891877-tests-fix-modules-test-duplicate-test-case-error.patch
193
177
stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch
194
178
stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch
195
179
stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch
196
180
stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch
197
181
stable/lp-1891877-display-bochs-display-fix-memory-leak.patch
198
182
stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch
199
183
stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch
200
184
stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch
201
185
stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch
202
186
stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch
203
187
stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch
204
188
stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch
205
189
stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch
206
190
stable/lp-1891877-migration-test-ppc64-fix-FORTH-test-program.patch
207
191
stable/lp-1891877-runstate-ignore-finishmigrate-prelaunch-transition.patch
208
192
stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch
209
193
stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch
210
194
stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch
211
195
stable/lp-1891877-s390x-adapter-routes-error-handling.patch
212
196
stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch
213
197
stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch
214
198
stable/lp-1891877-target-arm-fix-TCG-leak-for-fcvt-half-double.patch
215
199
stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch
216
200
stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch
217
201
stable/lp-1891877-target-arm-monitor-query-cpu-model-expansion-crashed.patch
218
202
stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch
219
203
stable/lp-1891877-target-arm-Correct-definition-of-PMCRDP.patch
220
204
stable/lp-1891877-virtio-pmem-do-delete-rq_vq-in-virtio_pmem_unrealize.patch
221
205
stable/lp-1891877-virtio-crypto-do-delete-ctrl_vq-in-virtio_crypto_dev.patch
222
206
stable/lp-1891877-vhost-user-blk-delete-virtioqueues-in-unrealize-to-f.patch
223
207
stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch
224
208
stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch
225
209
stable/lp-1891877-ppc-ppc405_boards-Remove-unnecessary-NULL-check.patch
226
210
stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch
227
211
stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch
228
212
stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch
229
213
stable/lp-1891877-migration-colo-fix-use-after-free-of-local_err.patch
230
214
stable/lp-1891877-migration-ram-fix-use-after-free-of-local_err.patch
231
215
stable/lp-1891877-qcow2-List-autoclear-bit-names-in-header.patch
232
216
stable/lp-1891877-sheepdog-Consistently-set-bdrv_has_zero_init_truncat.patch
233
217
stable/lp-1891877-spapr-Fix-failure-path-for-attempting-to-hot-unplug-.patch
234
218
stable/lp-1891877-vpc-Don-t-round-up-already-aligned-BAT-sizes.patch
235
219
stable/lp-1891877-target-xtensa-fix-pasto-in-pfwait.r-opcode-name.patch
236
220
stable/lp-1891877-tcg-mips-mips-sync-encode-error.patch
237
221
stable/lp-1891877-Fix-tulip-breakage.patch
238
222
stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch
239
223
stable/lp-1891877-Update-version-for-4.2.1-release.patch
240
224
ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
241
225
ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch
242
diff --git a/debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch b/debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch
243
96
new file mode 100644
226
new file mode 100644
244
index 0000000..f32c223
245
--- /dev/null
246
+++ b/debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch
247
@@ -0,0 +1,74 @@
248
1
From dad6d5e7e613e51b2584c447378a044ccc2fdc81 Mon Sep 17 00:00:00 2001
249
2
From: Greg Kurz <groug@kaod.org>
250
3
Date: Mon, 25 May 2020 10:38:03 +0200
251
4
Subject: [PATCH] 9p: Lock directory streams with a CoMutex
252
5
253
6
Locking was introduced in QEMU 2.7 to address the deprecation of
254
7
readdir_r(3) in glibc 2.24. It turns out that the frontend code is
255
8
the worst place to handle a critical section with a pthread mutex:
256
9
the code runs in a coroutine on behalf of the QEMU mainloop and then
257
10
yields control, waiting for the fsdev backend to process the request
258
11
in a worker thread. If the client resends another readdir request for
259
12
the same fid before the previous one finally unlocked the mutex, we're
260
13
deadlocked.
261
14
262
15
This never bit us because the linux client serializes readdir requests
263
16
for the same fid, but it is quite easy to demonstrate with a custom
264
17
client.
265
18
266
19
A good solution could be to narrow the critical section in the worker
267
20
thread code and to return a copy of the dirent to the frontend, but
268
21
this causes quite some changes in both 9p.c and codir.c. So, instead
269
22
of that, in order for people to easily backport the fix to older QEMU
270
23
versions, let's simply use a CoMutex since all the users for this
271
24
sit in coroutines.
272
25
273
26
Fixes: 7cde47d4a89d ("9p: add locking to V9fsDir")
274
27
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
275
28
Message-Id: <158981894794.109297.3530035833368944254.stgit@bahia.lan>
276
29
Signed-off-by: Greg Kurz <groug@kaod.org>
277
30
(cherry picked from commit ed463454efd0ac3042ff772bfe1b1d846dc281a5)
278
31
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
279
32
280
33
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=dad6d5e7e6
281
34
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
282
35
Last-Update: 2020-08-19
283
36
284
37
---
285
38
 hw/9pfs/9p.h | 8 ++++----
286
39
 1 file changed, 4 insertions(+), 4 deletions(-)
287
40
288
41
diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
289
42
index 3904f82901..069c86333f 100644
290
43
--- a/hw/9pfs/9p.h
291
44
+++ b/hw/9pfs/9p.h
292
45
@@ -186,22 +186,22 @@ typedef struct V9fsXattr
293
46
 
294
47
 typedef struct V9fsDir {
295
48
     DIR *stream;
296
49
-    QemuMutex readdir_mutex;
297
50
+    CoMutex readdir_mutex;
298
51
 } V9fsDir;
299
52
 
300
53
 static inline void v9fs_readdir_lock(V9fsDir *dir)
301
54
 {
302
55
-    qemu_mutex_lock(&dir->readdir_mutex);
303
56
+    qemu_co_mutex_lock(&dir->readdir_mutex);
304
57
 }
305
58
 
306
59
 static inline void v9fs_readdir_unlock(V9fsDir *dir)
307
60
 {
308
61
-    qemu_mutex_unlock(&dir->readdir_mutex);
309
62
+    qemu_co_mutex_unlock(&dir->readdir_mutex);
310
63
 }
311
64
 
312
65
 static inline void v9fs_readdir_init(V9fsDir *dir)
313
66
 {
314
67
-    qemu_mutex_init(&dir->readdir_mutex);
315
68
+    qemu_co_mutex_init(&dir->readdir_mutex);
316
69
 }
317
70
 
318
71
 /*
319
72
-- 
320
73
2.28.0
321
74
322
diff --git a/debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch b/debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch
323
0
new file mode 100644
75
new file mode 100644
324
index 0000000..f2efe0b
325
--- /dev/null
326
+++ b/debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch
327
@@ -0,0 +1,91 @@
328
1
From 03afe9c035884c5901258967cf906de64eff25de Mon Sep 17 00:00:00 2001
329
2
From: Daniel Henrique Barboza <danielhb413@gmail.com>
330
3
Date: Mon, 20 Jan 2020 15:11:39 +0100
331
4
Subject: [PATCH] 9p: local: always return -1 on error in local_unlinkat_common
332
5
333
6
local_unlinkat_common() is supposed to always return -1 on error.
334
7
This is being done by jumps to the 'err_out' label, which is
335
8
a 'return ret' call, and 'ret' is initialized with -1.
336
9
337
10
Unfortunately there is a condition in which the function will
338
11
return 0 on error: in a case where flags == AT_REMOVEDIR, 'ret'
339
12
will be 0 when reaching
340
13
341
14
map_dirfd = openat_dir(...)
342
15
343
16
And, if map_dirfd == -1 and errno != ENOENT, the existing 'err_out'
344
17
jump will execute 'return ret', when ret is still set to zero
345
18
at that point.
346
19
347
20
This patch fixes it by changing all 'err_out' labels by
348
21
'return -1' calls, ensuring that the function will always
349
22
return -1 on error conditions. 'ret' can be left unintialized
350
23
since it's now being used just to store the result of 'unlinkat'
351
24
calls.
352
25
353
26
CC: Greg Kurz <groug@kaod.org>
354
27
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
355
28
[groug: changed prefix in title to be "9p: local:"]
356
29
Signed-off-by: Greg Kurz <groug@kaod.org>
357
30
(cherry picked from commit 846cf408a4c8055063f4a5a71ccf7ed030cdad30)
358
31
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
359
32
360
33
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=03afe9c035
361
34
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
362
35
Last-Update: 2020-08-19
363
36
364
37
---
365
38
 hw/9pfs/9p-local.c | 14 ++++++--------
366
39
 1 file changed, 6 insertions(+), 8 deletions(-)
367
40
368
41
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
369
42
index 491b08aee8..b3b826b01f 100644
370
43
--- a/hw/9pfs/9p-local.c
371
44
+++ b/hw/9pfs/9p-local.c
372
45
@@ -1076,7 +1076,7 @@ out:
373
46
 static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
374
47
                                  int flags)
375
48
 {
376
49
-    int ret = -1;
377
50
+    int ret;
378
51
 
379
52
     if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
380
53
         int map_dirfd;
381
54
@@ -1094,12 +1094,12 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
382
55
 
383
56
             fd = openat_dir(dirfd, name);
384
57
             if (fd == -1) {
385
58
-                goto err_out;
386
59
+                return -1;
387
60
             }
388
61
             ret = unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR);
389
62
             close_preserve_errno(fd);
390
63
             if (ret < 0 && errno != ENOENT) {
391
64
-                goto err_out;
392
65
+                return -1;
393
66
             }
394
67
         }
395
68
         map_dirfd = openat_dir(dirfd, VIRTFS_META_DIR);
396
69
@@ -1107,16 +1107,14 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
397
70
             ret = unlinkat(map_dirfd, name, 0);
398
71
             close_preserve_errno(map_dirfd);
399
72
             if (ret < 0 && errno != ENOENT) {
400
73
-                goto err_out;
401
74
+                return -1;
402
75
             }
403
76
         } else if (errno != ENOENT) {
404
77
-            goto err_out;
405
78
+            return -1;
406
79
         }
407
80
     }
408
81
 
409
82
-    ret = unlinkat(dirfd, name, flags);
410
83
-err_out:
411
84
-    return ret;
412
85
+    return unlinkat(dirfd, name, flags);
413
86
 }
414
87
 
415
88
 static int local_remove(FsContext *ctx, const char *path)
416
89
-- 
417
90
2.28.0
418
91
419
diff --git a/debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch b/debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch
420
0
new file mode 100644
92
new file mode 100644
421
index 0000000..8784844
422
--- /dev/null
423
+++ b/debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch
424
@@ -0,0 +1,49 @@
425
1
From 410252fc5b2aaef65b793edd37289284c1a4eb91 Mon Sep 17 00:00:00 2001
426
2
From: Greg Kurz <groug@kaod.org>
427
3
Date: Tue, 10 Mar 2020 16:12:49 +0100
428
4
Subject: [PATCH] 9p/proxy: Fix export_flags
429
5
MIME-Version: 1.0
430
6
Content-Type: text/plain; charset=UTF-8
431
7
Content-Transfer-Encoding: 8bit
432
8
433
9
The common fsdev options are set by qemu_fsdev_add() before it calls
434
10
the backend specific option parsing code. In the case of "proxy" this
435
11
means "writeout" or "readonly" were simply ignored. This has been
436
12
broken from the beginning.
437
13
438
14
Reported-by: Stéphane Graber <stgraber@ubuntu.com>
439
15
Signed-off-by: Greg Kurz <groug@kaod.org>
440
16
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
441
17
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
442
18
Message-Id: <158349633705.1237488.8895481990204796135.stgit@bahia.lan>
443
19
(cherry picked from commit 659f1953281bcfa5ac217e42877d7d3c32eeea38)
444
20
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
445
21
446
22
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=410252fc5b
447
23
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
448
24
Last-Update: 2020-08-19
449
25
450
26
---
451
27
 hw/9pfs/9p-proxy.c | 4 ++--
452
28
 1 file changed, 2 insertions(+), 2 deletions(-)
453
29
454
30
diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
455
31
index 97ab9c58a5..3b885b96b5 100644
456
32
--- a/hw/9pfs/9p-proxy.c
457
33
+++ b/hw/9pfs/9p-proxy.c
458
34
@@ -1139,10 +1139,10 @@ static int proxy_parse_opts(QemuOpts *opts, FsDriverEntry *fs, Error **errp)
459
35
     }
460
36
     if (socket) {
461
37
         fs->path = g_strdup(socket);
462
38
-        fs->export_flags = V9FS_PROXY_SOCK_NAME;
463
39
+        fs->export_flags |= V9FS_PROXY_SOCK_NAME;
464
40
     } else {
465
41
         fs->path = g_strdup(sock_fd);
466
42
-        fs->export_flags = V9FS_PROXY_SOCK_FD;
467
43
+        fs->export_flags |= V9FS_PROXY_SOCK_FD;
468
44
     }
469
45
     return 0;
470
46
 }
471
47
-- 
472
48
2.28.0
473
49
474
diff --git a/debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch b/debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch
475
0
new file mode 100644
50
new file mode 100644
476
index 0000000..8f0bcb5
477
--- /dev/null
478
+++ b/debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch
479
@@ -0,0 +1,43 @@
480
1
From 0c6499ff2b1f9614195f31a24f1cf3888ce5d079 Mon Sep 17 00:00:00 2001
481
2
From: Dan Robertson <dan@dlrobertson.com>
482
3
Date: Mon, 25 May 2020 10:38:03 +0200
483
4
Subject: [PATCH] 9pfs: include linux/limits.h for XATTR_SIZE_MAX
484
5
MIME-Version: 1.0
485
6
Content-Type: text/plain; charset=UTF-8
486
7
Content-Transfer-Encoding: 8bit
487
8
488
9
linux/limits.h should be included for the XATTR_SIZE_MAX definition used
489
10
by v9fs_xattrcreate.
490
11
491
12
Fixes: 3b79ef2cf488 ("9pfs: limit xattr size in xattrcreate")
492
13
Signed-off-by: Dan Robertson <dan@dlrobertson.com>
493
14
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
494
15
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
495
16
Message-Id: <20200515203015.7090-2-dan@dlrobertson.com>
496
17
Signed-off-by: Greg Kurz <groug@kaod.org>
497
18
(cherry picked from commit 03556ea920b23c466ce7c1283199033de33ee671)
498
19
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
499
20
500
21
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0c6499ff2b
501
22
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
502
23
Last-Update: 2020-08-19
503
24
504
25
---
505
26
 hw/9pfs/9p.c | 1 +
506
27
 1 file changed, 1 insertion(+)
507
28
508
29
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
509
30
index 520177f40c..37e43d3f85 100644
510
31
--- a/hw/9pfs/9p.c
511
32
+++ b/hw/9pfs/9p.c
512
33
@@ -28,6 +28,7 @@
513
34
 #include "sysemu/qtest.h"
514
35
 #include "qemu/xxhash.h"
515
36
 #include <math.h>
516
37
+#include <linux/limits.h>
517
38
 
518
39
 int open_fd_hw;
519
40
 int total_open_fd;
520
41
-- 
521
42
2.28.0
522
43
523
diff --git a/debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch b/debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch
524
0
new file mode 100644
44
new file mode 100644
525
index 0000000..3e0996b
526
--- /dev/null
527
+++ b/debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch
528
@@ -0,0 +1,44 @@
529
1
From 18f6b13e085fdb81f5385bffce35364ab8535303 Mon Sep 17 00:00:00 2001
530
2
From: Jiajun Chen <chenjiajun8@huawei.com>
531
3
Date: Mon, 20 Jan 2020 15:11:39 +0100
532
4
Subject: [PATCH] 9pfs: local: Fix possible memory leak in local_link()
533
5
MIME-Version: 1.0
534
6
Content-Type: text/plain; charset=UTF-8
535
7
Content-Transfer-Encoding: 8bit
536
8
537
9
There is a possible memory leak while local_link return -1 without free
538
10
odirpath and oname.
539
11
540
12
Reported-by: Euler Robot <euler.robot@huawei.com>
541
13
Signed-off-by: Jaijun Chen <chenjiajun8@huawei.com>
542
14
Signed-off-by: Xiang Zheng <zhengxiang9@huawei.com>
543
15
Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
544
16
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
545
17
Signed-off-by: Greg Kurz <groug@kaod.org>
546
18
(cherry picked from commit 841b8d099c462cd4282c4ced8c2a6512899fd8d9)
547
19
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
548
20
549
21
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=18f6b13e08
550
22
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
551
23
Last-Update: 2020-08-19
552
24
553
25
---
554
26
 hw/9pfs/9p-local.c | 2 +-
555
27
 1 file changed, 1 insertion(+), 1 deletion(-)
556
28
557
29
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
558
30
index 4708c0bd89..491b08aee8 100644
559
31
--- a/hw/9pfs/9p-local.c
560
32
+++ b/hw/9pfs/9p-local.c
561
33
@@ -947,7 +947,7 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
562
34
     if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
563
35
         local_is_mapped_file_metadata(ctx, name)) {
564
36
         errno = EINVAL;
565
37
-        return -1;
566
38
+        goto out;
567
39
     }
568
40
 
569
41
     odirfd = local_opendir_nofollow(ctx, odirpath);
570
42
-- 
571
43
2.28.0
572
44
573
diff --git a/debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch b/debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
574
0
new file mode 100644
45
new file mode 100644
575
index 0000000..59acbb2
576
--- /dev/null
577
+++ b/debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
578
@@ -0,0 +1,67 @@
579
1
From 17216bc04494825600b58ebb8a3a6fe0d8052125 Mon Sep 17 00:00:00 2001
580
2
From: Omar Sandoval <osandov@fb.com>
581
3
Date: Thu, 14 May 2020 08:06:43 +0200
582
4
Subject: [PATCH] 9pfs: local: ignore O_NOATIME if we don't have permissions
583
5
584
6
QEMU's local 9pfs server passes through O_NOATIME from the client. If
585
7
the QEMU process doesn't have permissions to use O_NOATIME (namely, it
586
8
does not own the file nor have the CAP_FOWNER capability), the open will
587
9
fail. This causes issues when from the client's point of view, it
588
10
believes it has permissions to use O_NOATIME (e.g., a process running as
589
11
root in the virtual machine). Additionally, overlayfs on Linux opens
590
12
files on the lower layer using O_NOATIME, so in this case a 9pfs mount
591
13
can't be used as a lower layer for overlayfs (cf.
592
14
https://github.com/osandov/drgn/blob/dabfe1971951701da13863dbe6d8a1d172ad9650/vmtest/onoatimehack.c
593
15
and https://github.com/NixOS/nixpkgs/issues/54509).
594
16
595
17
Luckily, O_NOATIME is effectively a hint, and is often ignored by, e.g.,
596
18
network filesystems. open(2) notes that O_NOATIME "may not be effective
597
19
on all filesystems. One example is NFS, where the server maintains the
598
20
access time." This means that we can honor it when possible but fall
599
21
back to ignoring it.
600
22
601
23
Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
602
24
Signed-off-by: Omar Sandoval <osandov@fb.com>
603
25
Message-Id: <e9bee604e8df528584693a4ec474ded6295ce8ad.1587149256.git.osandov@fb.com>
604
26
Signed-off-by: Greg Kurz <groug@kaod.org>
605
27
(cherry picked from commit a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b)
606
28
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
607
29
608
30
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=17216bc044
609
31
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
610
32
Last-Update: 2020-08-19
611
33
612
34
---
613
35
 hw/9pfs/9p-util.h | 13 +++++++++++++
614
36
 1 file changed, 13 insertions(+)
615
37
616
38
diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
617
39
index 79ed6b233e..546f46dc7d 100644
618
40
--- a/hw/9pfs/9p-util.h
619
41
+++ b/hw/9pfs/9p-util.h
620
42
@@ -37,9 +37,22 @@ static inline int openat_file(int dirfd, const char *name, int flags,
621
43
 {
622
44
     int fd, serrno, ret;
623
45
 
624
46
+again:
625
47
     fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK,
626
48
                 mode);
627
49
     if (fd == -1) {
628
50
+        if (errno == EPERM && (flags & O_NOATIME)) {
629
51
+            /*
630
52
+             * The client passed O_NOATIME but we lack permissions to honor it.
631
53
+             * Rather than failing the open, fall back without O_NOATIME. This
632
54
+             * doesn't break the semantics on the client side, as the Linux
633
55
+             * open(2) man page notes that O_NOATIME "may not be effective on
634
56
+             * all filesystems". In particular, NFS and other network
635
57
+             * filesystems ignore it entirely.
636
58
+             */
637
59
+            flags &= ~O_NOATIME;
638
60
+            goto again;
639
61
+        }
640
62
         return -1;
641
63
     }
642
64
 
643
65
-- 
644
66
2.28.0
645
67
646
diff --git a/debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch b/debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch
647
0
new file mode 100644
68
new file mode 100644
648
index 0000000..c6c78e1
649
--- /dev/null
650
+++ b/debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch
651
@@ -0,0 +1,41 @@
652
1
From 45b65bf8dfb46a03ff67c36424986e2450c5203e Mon Sep 17 00:00:00 2001
653
2
From: Robert Foley <robert.foley@linaro.org>
654
3
Date: Mon, 18 Nov 2019 16:15:23 -0500
655
4
Subject: [PATCH] Fix double free issue in qemu_set_log_filename().
656
5
MIME-Version: 1.0
657
6
Content-Type: text/plain; charset=UTF-8
658
7
Content-Transfer-Encoding: 8bit
659
8
660
9
After freeing the logfilename, we set logfilename to NULL, in case of an
661
10
error which returns without setting logfilename.
662
11
663
12
Signed-off-by: Robert Foley <robert.foley@linaro.org>
664
13
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
665
14
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
666
15
Message-Id: <20191118211528.3221-2-robert.foley@linaro.org>
667
16
(cherry picked from commit 0f516ca4767042aec8716369d6d62436fa10593a)
668
17
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
669
18
670
19
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=45b65bf8df
671
20
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
672
21
Last-Update: 2020-08-19
673
22
674
23
---
675
24
 util/log.c | 1 +
676
25
 1 file changed, 1 insertion(+)
677
26
678
27
diff --git a/util/log.c b/util/log.c
679
28
index 1ca13059ee..4316fe74ee 100644
680
29
--- a/util/log.c
681
30
+++ b/util/log.c
682
31
@@ -113,6 +113,7 @@ void qemu_set_log_filename(const char *filename, Error **errp)
683
32
 {
684
33
     char *pidstr;
685
34
     g_free(logfilename);
686
35
+    logfilename = NULL;
687
36
 
688
37
     pidstr = strstr(filename, "%");
689
38
     if (pidstr) {
690
39
-- 
691
40
2.28.0
692
41
693
diff --git a/debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch b/debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch
694
0
new file mode 100644
42
new file mode 100644
695
index 0000000..ed4a09c
696
--- /dev/null
697
+++ b/debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch
698
@@ -0,0 +1,65 @@
699
1
From 0664ffac4be2673c1c962bb9d010dc964d080ee7 Mon Sep 17 00:00:00 2001
700
2
From: Helge Deller <deller@gmx.de>
701
3
Date: Sun, 26 Apr 2020 12:55:39 +0200
702
4
Subject: [PATCH] Fix tulip breakage
703
5
704
6
The tulip network driver in a qemu-system-hppa emulation is broken in
705
7
the sense that bigger network packages aren't received any longer and
706
8
thus even running e.g. "apt update" inside the VM fails.
707
9
708
10
The breakage was introduced by commit 8ffb7265af ("check frame size and
709
11
r/w data length") which added checks to prevent accesses outside of the
710
12
rx/tx buffers.
711
13
712
14
But the new checks were implemented wrong. The variable rx_frame_len
713
15
counts backwards, from rx_frame_size down to zero, and the variable len
714
16
is never bigger than rx_frame_len, so accesses just can't happen and the
715
17
checks are unnecessary.
716
18
On the contrary the checks now prevented bigger packages to be moved
717
19
into the rx buffers.
718
20
719
21
This patch reverts the wrong checks and were sucessfully tested with a
720
22
qemu-system-hppa emulation.
721
23
722
24
Fixes: 8ffb7265af ("check frame size and r/w data length")
723
25
Buglink: https://bugs.launchpad.net/bugs/1874539
724
26
Signed-off-by: Helge Deller <deller@gmx.de>
725
27
Signed-off-by: Jason Wang <jasowang@redhat.com>
726
28
(cherry picked from commit d9b69640391618045949f7c500b87fc129f862ed)
727
29
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
728
30
729
31
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0664ffac4b
730
32
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
731
33
Last-Update: 2020-08-19
732
34
733
35
---
734
36
 hw/net/tulip.c | 6 ------
735
37
 1 file changed, 6 deletions(-)
736
38
737
39
diff --git a/hw/net/tulip.c b/hw/net/tulip.c
738
40
index 1167c1bb07..c6654a98a9 100644
739
41
--- a/hw/net/tulip.c
740
42
+++ b/hw/net/tulip.c
741
43
@@ -171,9 +171,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
742
44
             len = s->rx_frame_len;
743
45
         }
744
46
 
745
47
-        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
746
48
-            return;
747
49
-        }
748
50
         pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
749
51
             (s->rx_frame_size - s->rx_frame_len), len);
750
52
         s->rx_frame_len -= len;
751
53
@@ -186,9 +183,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
752
54
             len = s->rx_frame_len;
753
55
         }
754
56
 
755
57
-        if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
756
58
-            return;
757
59
-        }
758
60
         pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
759
61
             (s->rx_frame_size - s->rx_frame_len), len);
760
62
         s->rx_frame_len -= len;
761
63
-- 
762
64
2.28.0
763
65
764
diff --git a/debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch b/debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch
765
0
new file mode 100644
66
new file mode 100644
766
index 0000000..a667e04
767
--- /dev/null
768
+++ b/debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch
769
@@ -0,0 +1,43 @@
770
1
From aea7a50fb5e38ccfda741848286a548b72877dfa Mon Sep 17 00:00:00 2001
771
2
From: Han Han <hhan@redhat.com>
772
3
Date: Thu, 5 Dec 2019 10:48:21 +0800
773
4
Subject: [PATCH] Revert "qemu-options.hx: Update for reboot-timeout parameter"
774
5
775
6
This reverts commit bbd9e6985ff342cbe15b9cb7eb30e842796fbbe8.
776
7
777
8
In 20a1922032 we allowed reboot-timeout=-1 again, so update the doc
778
9
accordingly.
779
10
780
11
Signed-off-by: Han Han <hhan@redhat.com>
781
12
Reviewed-by: Markus Armbruster <armbru@redhat.com>
782
13
Message-Id: <20191205024821.245435-1-hhan@redhat.com>
783
14
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
784
15
(cherry picked from commit 8937a39da22e5d5689c516a2d4ce4f2bb6a378fc)
785
16
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
786
17
787
18
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=aea7a50fb5
788
19
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
789
20
Last-Update: 2020-08-19
790
21
791
22
---
792
23
 qemu-options.hx | 4 ++--
793
24
 1 file changed, 2 insertions(+), 2 deletions(-)
794
25
795
26
diff --git a/qemu-options.hx b/qemu-options.hx
796
27
index 65c9473b73..e14d88e9b2 100644
797
28
--- a/qemu-options.hx
798
29
+++ b/qemu-options.hx
799
30
@@ -327,8 +327,8 @@ format(true color). The resolution should be supported by the SVGA mode, so
800
31
 the recommended is 320x240, 640x480, 800x640.
801
32
 
802
33
 A timeout could be passed to bios, guest will pause for @var{rb_timeout} ms
803
34
-when boot failed, then reboot. If @option{reboot-timeout} is not set,
804
35
-guest will not reboot by default. Currently Seabios for X86
805
36
+when boot failed, then reboot. If @var{rb_timeout} is '-1', guest will not
806
37
+reboot, qemu passes '-1' to bios by default. Currently Seabios for X86
807
38
 system support it.
808
39
 
809
40
 Do strict boot via @option{strict=on} as far as firmware/BIOS
810
41
-- 
811
42
2.28.0
812
43
813
diff --git a/debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch b/debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch
814
0
new file mode 100644
44
new file mode 100644
815
index 0000000..8319291
816
--- /dev/null
817
+++ b/debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch
818
@@ -0,0 +1,77 @@
819
1
From b5ba361d8f8908ab37a104b0110910926d94d57f Mon Sep 17 00:00:00 2001
820
2
From: Gerd Hoffmann <kraxel@redhat.com>
821
3
Date: Tue, 21 Jan 2020 07:02:10 +0100
822
4
Subject: [PATCH] Revert "vnc: allow fall back to RAW encoding"
823
5
824
6
This reverts commit de3f7de7f4e257ce44cdabb90f5f17ee99624557.
825
7
826
8
Remove VNC optimization to reencode framebuffer update as raw if it's
827
9
smaller than the default encoding.
828
10
829
11
QEMU's implementation was naive and didn't account for the ZLIB z_stream
830
12
mutating with each compression.  Because of the mutation, simply
831
13
resetting the output buffer's offset wasn't sufficient to "rewind" the
832
14
operation.  The mutated z_stream would generate future zlib blocks which
833
15
referred to symbols in past blocks which weren't sent.  This would lead
834
16
to artifacting.
835
17
836
18
Considering that ZRLE is never larger than raw and even though ZLIB can
837
19
occasionally be fractionally larger than raw, the overhead of
838
20
implementing this optimization correctly isn't worth it.
839
21
840
22
Signed-off-by: Cameron Esfahani <dirty@apple.com>
841
23
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
842
24
(cherry picked from commit 0780ec7be82dd4781e9fd216b5d99a125882ff5a)
843
25
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
844
26
845
27
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=b5ba361d8f
846
28
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
847
29
Last-Update: 2020-08-19
848
30
849
31
---
850
32
 ui/vnc.c | 20 ++------------------
851
33
 1 file changed, 2 insertions(+), 18 deletions(-)
852
34
853
35
diff --git a/ui/vnc.c b/ui/vnc.c
854
36
index 87b8045afe..f94b3a257e 100644
855
37
--- a/ui/vnc.c
856
38
+++ b/ui/vnc.c
857
39
@@ -898,8 +898,6 @@ int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
858
40
 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
859
41
 {
860
42
     int n = 0;
861
43
-    bool encode_raw = false;
862
44
-    size_t saved_offs = vs->output.offset;
863
45
 
864
46
     switch(vs->vnc_encoding) {
865
47
         case VNC_ENCODING_ZLIB:
866
48
@@ -922,24 +920,10 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
867
49
             n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
868
50
             break;
869
51
         default:
870
52
-            encode_raw = true;
871
53
+            vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
872
54
+            n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
873
55
             break;
874
56
     }
875
57
-
876
58
-    /* If the client has the same pixel format as our internal buffer and
877
59
-     * a RAW encoding would need less space fall back to RAW encoding to
878
60
-     * save bandwidth and processing power in the client. */
879
61
-    if (!encode_raw && vs->write_pixels == vnc_write_pixels_copy &&
880
62
-        12 + h * w * VNC_SERVER_FB_BYTES <= (vs->output.offset - saved_offs)) {
881
63
-        vs->output.offset = saved_offs;
882
64
-        encode_raw = true;
883
65
-    }
884
66
-
885
67
-    if (encode_raw) {
886
68
-        vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
887
69
-        n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
888
70
-    }
889
71
-
890
72
     return n;
891
73
 }
892
74
 
893
75
-- 
894
76
2.28.0
895
77
896
diff --git a/debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch b/debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch
897
0
new file mode 100644
78
new file mode 100644
898
index 0000000..15a9277
899
--- /dev/null
900
+++ b/debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch
901
@@ -0,0 +1,24 @@
902
1
From 6cdf8c4efa073eac7d5f9894329e2d07743c2955 Mon Sep 17 00:00:00 2001
903
2
From: Michael Roth <mdroth@linux.vnet.ibm.com>
904
3
Date: Thu, 25 Jun 2020 13:08:54 -0500
905
4
Subject: [PATCH] Update version for 4.2.1 release
906
5
907
6
908
7
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=6cdf8c4efa
909
8
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
910
9
Last-Update: 2020-08-19
911
10
912
11
---
913
12
 VERSION | 2 +-
914
13
 1 file changed, 1 insertion(+), 1 deletion(-)
915
14
916
15
diff --git a/VERSION b/VERSION
917
16
index 6aba2b245a..fae6e3d04b 100644
918
17
--- a/VERSION
919
18
+++ b/VERSION
920
19
@@ -1 +1 @@
921
20
-4.2.0
922
21
+4.2.1
923
22
-- 
924
23
2.28.0
925
24
926
diff --git a/debian/patches/stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch b/debian/patches/stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch
927
0
new file mode 100644
25
new file mode 100644
928
index 0000000..108b9bf
929
--- /dev/null
930
+++ b/debian/patches/stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch
931
@@ -0,0 +1,209 @@
932
1
From 9a30621d3d5de76f865dc804a1dd16cc517461b6 Mon Sep 17 00:00:00 2001
933
2
From: Max Reitz <mreitz@redhat.com>
934
3
Date: Fri, 8 Nov 2019 13:34:53 +0100
935
4
Subject: [PATCH] blkdebug: Allow taking/unsharing permissions
936
5
937
6
Sometimes it is useful to be able to add a node to the block graph that
938
7
takes or unshare a certain set of permissions for debugging purposes.
939
8
This patch adds this capability to blkdebug.
940
9
941
10
(Note that you cannot make blkdebug release or share permissions that it
942
11
needs to take or cannot share, because this might result in assertion
943
12
failures in the block layer.  But if the blkdebug node has no parents,
944
13
it will not take any permissions and share everything by default, so you
945
14
can then freely choose what permissions to take and share.)
946
15
947
16
Signed-off-by: Max Reitz <mreitz@redhat.com>
948
17
Message-id: 20191108123455.39445-4-mreitz@redhat.com
949
18
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
950
19
Signed-off-by: Max Reitz <mreitz@redhat.com>
951
20
(cherry picked from commit 69c6449ff10fe4e3219e960549307096d5366bd0)
952
21
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
953
22
954
23
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9a30621d3d
955
24
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
956
25
Last-Update: 2020-08-19
957
26
958
27
---
959
28
 block/blkdebug.c     | 93 +++++++++++++++++++++++++++++++++++++++++++-
960
29
 qapi/block-core.json | 14 ++++++-
961
30
 2 files changed, 105 insertions(+), 2 deletions(-)
962
31
963
32
diff --git a/block/blkdebug.c b/block/blkdebug.c
964
33
index 5ae96c52b0..af44aa973f 100644
965
34
--- a/block/blkdebug.c
966
35
+++ b/block/blkdebug.c
967
36
@@ -28,10 +28,14 @@
968
37
 #include "qemu/cutils.h"
969
38
 #include "qemu/config-file.h"
970
39
 #include "block/block_int.h"
971
40
+#include "block/qdict.h"
972
41
 #include "qemu/module.h"
973
42
 #include "qemu/option.h"
974
43
+#include "qapi/qapi-visit-block-core.h"
975
44
 #include "qapi/qmp/qdict.h"
976
45
+#include "qapi/qmp/qlist.h"
977
46
 #include "qapi/qmp/qstring.h"
978
47
+#include "qapi/qobject-input-visitor.h"
979
48
 #include "sysemu/qtest.h"
980
49
 
981
50
 typedef struct BDRVBlkdebugState {
982
51
@@ -44,6 +48,9 @@ typedef struct BDRVBlkdebugState {
983
52
     uint64_t opt_discard;
984
53
     uint64_t max_discard;
985
54
 
986
55
+    uint64_t take_child_perms;
987
56
+    uint64_t unshare_child_perms;
988
57
+
989
58
     /* For blkdebug_refresh_filename() */
990
59
     char *config_file;
991
60
 
992
61
@@ -344,6 +351,69 @@ static void blkdebug_parse_filename(const char *filename, QDict *options,
993
62
     qdict_put_str(options, "x-image", filename);
994
63
 }
995
64
 
996
65
+static int blkdebug_parse_perm_list(uint64_t *dest, QDict *options,
997
66
+                                    const char *prefix, Error **errp)
998
67
+{
999
68
+    int ret = 0;
1000
69
+    QDict *subqdict = NULL;
1001
70
+    QObject *crumpled_subqdict = NULL;
1002
71
+    Visitor *v = NULL;
1003
72
+    BlockPermissionList *perm_list = NULL, *element;
1004
73
+    Error *local_err = NULL;
1005
74
+
1006
75
+    *dest = 0;
1007
76
+
1008
77
+    qdict_extract_subqdict(options, &subqdict, prefix);
1009
78
+    if (!qdict_size(subqdict)) {
1010
79
+        goto out;
1011
80
+    }
1012
81
+
1013
82
+    crumpled_subqdict = qdict_crumple(subqdict, errp);
1014
83
+    if (!crumpled_subqdict) {
1015
84
+        ret = -EINVAL;
1016
85
+        goto out;
1017
86
+    }
1018
87
+
1019
88
+    v = qobject_input_visitor_new(crumpled_subqdict);
1020
89
+    visit_type_BlockPermissionList(v, NULL, &perm_list, &local_err);
1021
90
+    if (local_err) {
1022
91
+        error_propagate(errp, local_err);
1023
92
+        ret = -EINVAL;
1024
93
+        goto out;
1025
94
+    }
1026
95
+
1027
96
+    for (element = perm_list; element; element = element->next) {
1028
97
+        *dest |= bdrv_qapi_perm_to_blk_perm(element->value);
1029
98
+    }
1030
99
+
1031
100
+out:
1032
101
+    qapi_free_BlockPermissionList(perm_list);
1033
102
+    visit_free(v);
1034
103
+    qobject_unref(subqdict);
1035
104
+    qobject_unref(crumpled_subqdict);
1036
105
+    return ret;
1037
106
+}
1038
107
+
1039
108
+static int blkdebug_parse_perms(BDRVBlkdebugState *s, QDict *options,
1040
109
+                                Error **errp)
1041
110
+{
1042
111
+    int ret;
1043
112
+
1044
113
+    ret = blkdebug_parse_perm_list(&s->take_child_perms, options,
1045
114
+                                   "take-child-perms.", errp);
1046
115
+    if (ret < 0) {
1047
116
+        return ret;
1048
117
+    }
1049
118
+
1050
119
+    ret = blkdebug_parse_perm_list(&s->unshare_child_perms, options,
1051
120
+                                   "unshare-child-perms.", errp);
1052
121
+    if (ret < 0) {
1053
122
+        return ret;
1054
123
+    }
1055
124
+
1056
125
+    return 0;
1057
126
+}
1058
127
+
1059
128
 static QemuOptsList runtime_opts = {
1060
129
     .name = "blkdebug",
1061
130
     .head = QTAILQ_HEAD_INITIALIZER(runtime_opts.head),
1062
131
@@ -419,6 +489,12 @@ static int blkdebug_open(BlockDriverState *bs, QDict *options, int flags,
1063
132
     /* Set initial state */
1064
133
     s->state = 1;
1065
134
 
1066
135
+    /* Parse permissions modifiers before opening the image file */
1067
136
+    ret = blkdebug_parse_perms(s, options, errp);
1068
137
+    if (ret < 0) {
1069
138
+        goto out;
1070
139
+    }
1071
140
+
1072
141
     /* Open the image file */
1073
142
     bs->file = bdrv_open_child(qemu_opt_get(opts, "x-image"), options, "image",
1074
143
                                bs, &child_file, false, &local_err);
1075
144
@@ -916,6 +992,21 @@ static int blkdebug_reopen_prepare(BDRVReopenState *reopen_state,
1076
145
     return 0;
1077
146
 }
1078
147
 
1079
148
+static void blkdebug_child_perm(BlockDriverState *bs, BdrvChild *c,
1080
149
+                                const BdrvChildRole *role,
1081
150
+                                BlockReopenQueue *reopen_queue,
1082
151
+                                uint64_t perm, uint64_t shared,
1083
152
+                                uint64_t *nperm, uint64_t *nshared)
1084
153
+{
1085
154
+    BDRVBlkdebugState *s = bs->opaque;
1086
155
+
1087
156
+    bdrv_filter_default_perms(bs, c, role, reopen_queue, perm, shared,
1088
157
+                              nperm, nshared);
1089
158
+
1090
159
+    *nperm |= s->take_child_perms;
1091
160
+    *nshared &= ~s->unshare_child_perms;
1092
161
+}
1093
162
+
1094
163
 static const char *const blkdebug_strong_runtime_opts[] = {
1095
164
     "config",
1096
165
     "inject-error.",
1097
166
@@ -940,7 +1031,7 @@ static BlockDriver bdrv_blkdebug = {
1098
167
     .bdrv_file_open         = blkdebug_open,
1099
168
     .bdrv_close             = blkdebug_close,
1100
169
     .bdrv_reopen_prepare    = blkdebug_reopen_prepare,
1101
170
-    .bdrv_child_perm        = bdrv_filter_default_perms,
1102
171
+    .bdrv_child_perm        = blkdebug_child_perm,
1103
172
 
1104
173
     .bdrv_getlength         = blkdebug_getlength,
1105
174
     .bdrv_refresh_filename  = blkdebug_refresh_filename,
1106
175
diff --git a/qapi/block-core.json b/qapi/block-core.json
1107
176
index fcb52ec24f..839b10b3f0 100644
1108
177
--- a/qapi/block-core.json
1109
178
+++ b/qapi/block-core.json
1110
179
@@ -3454,6 +3454,16 @@
1111
180
 #
1112
181
 # @set-state:       array of state-change descriptions
1113
182
 #
1114
183
+# @take-child-perms: Permissions to take on @image in addition to what
1115
184
+#                    is necessary anyway (which depends on how the
1116
185
+#                    blkdebug node is used).  Defaults to none.
1117
186
+#                    (since 5.0)
1118
187
+#
1119
188
+# @unshare-child-perms: Permissions not to share on @image in addition
1120
189
+#                       to what cannot be shared anyway (which depends
1121
190
+#                       on how the blkdebug node is used).  Defaults
1122
191
+#                       to none.  (since 5.0)
1123
192
+#
1124
193
 # Since: 2.9
1125
194
 ##
1126
195
 { 'struct': 'BlockdevOptionsBlkdebug',
1127
196
@@ -3463,7 +3473,9 @@
1128
197
             '*opt-write-zero': 'int32', '*max-write-zero': 'int32',
1129
198
             '*opt-discard': 'int32', '*max-discard': 'int32',
1130
199
             '*inject-error': ['BlkdebugInjectErrorOptions'],
1131
200
-            '*set-state': ['BlkdebugSetStateOptions'] } }
1132
201
+            '*set-state': ['BlkdebugSetStateOptions'],
1133
202
+            '*take-child-perms': ['BlockPermission'],
1134
203
+            '*unshare-child-perms': ['BlockPermission'] } }
1135
204
 
1136
205
 ##
1137
206
 # @BlockdevOptionsBlklogwrites:
1138
207
-- 
1139
208
2.28.0
1140
209
1141
diff --git a/debian/patches/stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch b/debian/patches/stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch
1142
0
new file mode 100644
210
new file mode 100644
1143
index 0000000..0faa557
1144
--- /dev/null
1145
+++ b/debian/patches/stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch
1146
@@ -0,0 +1,87 @@
1147
1
From 0972fbf353e436088bbc4180bc13e93245cd7add Mon Sep 17 00:00:00 2001
1148
2
From: Max Reitz <mreitz@redhat.com>
1149
3
Date: Fri, 8 Nov 2019 13:34:51 +0100
1150
4
Subject: [PATCH] block: Add bdrv_qapi_perm_to_blk_perm()
1151
5
MIME-Version: 1.0
1152
6
Content-Type: text/plain; charset=UTF-8
1153
7
Content-Transfer-Encoding: 8bit
1154
8
1155
9
We need some way to correlate QAPI BlockPermission values with
1156
10
BLK_PERM_* flags.  We could:
1157
11
1158
12
(1) have the same order in the QAPI definition as the the BLK_PERM_*
1159
13
    flags are in LSb-first order.  However, then there is no guarantee
1160
14
    that they actually match (e.g. when someone modifies the QAPI schema
1161
15
    without thinking of the BLK_PERM_* definitions).
1162
16
    We could add static assertions, but these would break what’s good
1163
17
    about this solution, namely its simplicity.
1164
18
1165
19
(2) define the BLK_PERM_* flags based on the BlockPermission values.
1166
20
    But this way whenever someone were to modify the QAPI order
1167
21
    (perfectly sensible in theory), the BLK_PERM_* values would change.
1168
22
    Because these values are used for file locking, this might break
1169
23
    file locking between different qemu versions.
1170
24
1171
25
Therefore, go the slightly more cumbersome way: Add a function to
1172
26
translate from the QAPI constants to the BLK_PERM_* flags.
1173
27
1174
28
Signed-off-by: Max Reitz <mreitz@redhat.com>
1175
29
Message-id: 20191108123455.39445-2-mreitz@redhat.com
1176
30
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1177
31
Signed-off-by: Max Reitz <mreitz@redhat.com>
1178
32
(cherry picked from commit 7b1d9c4df0603fbc526226a9c5ef91118aa6c957)
1179
33
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1180
34
1181
35
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0972fbf353
1182
36
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
1183
37
Last-Update: 2020-08-19
1184
38
1185
39
---
1186
40
 block.c               | 18 ++++++++++++++++++
1187
41
 include/block/block.h |  1 +
1188
42
 2 files changed, 19 insertions(+)
1189
43
1190
44
diff --git a/block.c b/block.c
1191
45
index 19c25da305..863cf34d45 100644
1192
46
--- a/block.c
1193
47
+++ b/block.c
1194
48
@@ -2227,6 +2227,24 @@ void bdrv_format_default_perms(BlockDriverState *bs, BdrvChild *c,
1195
49
     *nshared = shared;
1196
50
 }
1197
51
 
1198
52
+uint64_t bdrv_qapi_perm_to_blk_perm(BlockPermission qapi_perm)
1199
53
+{
1200
54
+    static const uint64_t permissions[] = {
1201
55
+        [BLOCK_PERMISSION_CONSISTENT_READ]  = BLK_PERM_CONSISTENT_READ,
1202
56
+        [BLOCK_PERMISSION_WRITE]            = BLK_PERM_WRITE,
1203
57
+        [BLOCK_PERMISSION_WRITE_UNCHANGED]  = BLK_PERM_WRITE_UNCHANGED,
1204
58
+        [BLOCK_PERMISSION_RESIZE]           = BLK_PERM_RESIZE,
1205
59
+        [BLOCK_PERMISSION_GRAPH_MOD]        = BLK_PERM_GRAPH_MOD,
1206
60
+    };
1207
61
+
1208
62
+    QEMU_BUILD_BUG_ON(ARRAY_SIZE(permissions) != BLOCK_PERMISSION__MAX);
1209
63
+    QEMU_BUILD_BUG_ON(1UL << ARRAY_SIZE(permissions) != BLK_PERM_ALL + 1);
1210
64
+
1211
65
+    assert(qapi_perm < BLOCK_PERMISSION__MAX);
1212
66
+
1213
67
+    return permissions[qapi_perm];
1214
68
+}
1215
69
+
1216
70
 static void bdrv_replace_child_noperm(BdrvChild *child,
1217
71
                                       BlockDriverState *new_bs)
1218
72
 {
1219
73
diff --git a/include/block/block.h b/include/block/block.h
1220
74
index 1df9848e74..e9dcfef7fa 100644
1221
75
--- a/include/block/block.h
1222
76
+++ b/include/block/block.h
1223
77
@@ -280,6 +280,7 @@ enum {
1224
78
 };
1225
79
 
1226
80
 char *bdrv_perm_names(uint64_t perm);
1227
81
+uint64_t bdrv_qapi_perm_to_blk_perm(BlockPermission qapi_perm);
1228
82
 
1229
83
 /* disk I/O throttling */
1230
84
 void bdrv_init(void);
1231
85
-- 
1232
86
2.28.0
1233
87
1234
diff --git a/debian/patches/stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch b/debian/patches/stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch
1235
0
new file mode 100644
88
new file mode 100644
1236
index 0000000..3a3a104
1237
--- /dev/null
1238
+++ b/debian/patches/stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch
1239
@@ -0,0 +1,41 @@
1240
1
From 47e0fa74799c23dc29ff0adb356d82425b166231 Mon Sep 17 00:00:00 2001
1241
2
From: Eric Blake <eblake@redhat.com>
1242
3
Date: Fri, 20 Mar 2020 13:36:20 -0500
1243
4
Subject: [PATCH] block: Avoid memleak on qcow2 image info failure
1244
5
1245
6
If we fail to get bitmap info, we must not leak the encryption info.
1246
7
1247
8
Fixes: b8968c875f403
1248
9
Fixes: Coverity CID 1421894
1249
10
Signed-off-by: Eric Blake <eblake@redhat.com>
1250
11
Message-Id: <20200320183620.1112123-1-eblake@redhat.com>
1251
12
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1252
13
Reviewed-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
1253
14
Tested-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
1254
15
Signed-off-by: Max Reitz <mreitz@redhat.com>
1255
16
(cherry picked from commit 71eaec2e8c7c8d266137b5c5f42da0bd6d6b5eb7)
1256
17
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1257
18
1258
19
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=47e0fa7479
1259
20
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
1260
21
Last-Update: 2020-08-19
1261
22
1262
23
---
1263
24
 block/qcow2.c | 1 +
1264
25
 1 file changed, 1 insertion(+)
1265
26
1266
27
diff --git a/block/qcow2.c b/block/qcow2.c
1267
28
index 7c18721741..13e118e16f 100644
1268
29
--- a/block/qcow2.c
1269
30
+++ b/block/qcow2.c
1270
31
@@ -4800,6 +4800,7 @@ static ImageInfoSpecific *qcow2_get_specific_info(BlockDriverState *bs,
1271
32
         if (local_err) {
1272
33
             error_propagate(errp, local_err);
1273
34
             qapi_free_ImageInfoSpecific(spec_info);
1274
35
+            qapi_free_QCryptoBlockInfo(encrypt_info);
1275
36
             return NULL;
1276
37
         }
1277
38
         *spec_info->u.qcow2.data = (ImageInfoSpecificQCow2){
1278
39
-- 
1279
40
2.28.0
1280
41
1281
diff --git a/debian/patches/stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch b/debian/patches/stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch
1282
0
new file mode 100644
42
new file mode 100644
1283
index 0000000..008a0c3
1284
--- /dev/null
1285
+++ b/debian/patches/stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch
1286
@@ -0,0 +1,100 @@
1287
1
From 6c75ddf4a9f317f038a4d94da1b2989fef5dd93b Mon Sep 17 00:00:00 2001
1288
2
From: Eric Blake <eblake@redhat.com>
1289
3
Date: Mon, 8 Jun 2020 13:26:38 -0500
1290
4
Subject: [PATCH] block: Call attention to truncation of long NBD exports
1291
5
1292
6
Commit 93676c88 relaxed our NBD client code to request export names up
1293
7
to the NBD protocol maximum of 4096 bytes without NUL terminator, even
1294
8
though the block layer can't store anything longer than 4096 bytes
1295
9
including NUL terminator for display to the user.  Since this means
1296
10
there are some export names where we have to truncate things, we can
1297
11
at least try to make the truncation a bit more obvious for the user.
1298
12
Note that in spite of the truncated display name, we can still
1299
13
communicate with an NBD server using such a long export name; this was
1300
14
deemed nicer than refusing to even connect to such a server (since the
1301
15
server may not be under our control, and since determining our actual
1302
16
length limits gets tricky when nbd://host:port/export and
1303
17
nbd+unix:///export?socket=/path are themselves variable-length
1304
18
expansions beyond the export name but count towards the block layer
1305
19
name length).
1306
20
1307
21
Reported-by: Xueqiang Wei <xuwei@redhat.com>
1308
22
Fixes: https://bugzilla.redhat.com/1843684
1309
23
Signed-off-by: Eric Blake <eblake@redhat.com>
1310
24
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1311
25
Message-Id: <20200610163741.3745251-3-eblake@redhat.com>
1312
26
(cherry picked from commit 5c86bdf1208916ece0b87e1151c9b48ee54faa3e)
1313
27
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1314
28
1315
29
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=6c75ddf4a9
1316
30
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
1317
31
Last-Update: 2020-08-19
1318
32
1319
33
---
1320
34
 block.c     |  7 +++++--
1321
35
 block/nbd.c | 21 +++++++++++++--------
1322
36
 2 files changed, 18 insertions(+), 10 deletions(-)
1323
37
1324
38
diff --git a/block.c b/block.c
1325
39
index 2e5e8b639a..19c25da305 100644
1326
40
--- a/block.c
1327
41
+++ b/block.c
1328
42
@@ -6486,8 +6486,11 @@ void bdrv_refresh_filename(BlockDriverState *bs)
1329
43
         pstrcpy(bs->filename, sizeof(bs->filename), bs->exact_filename);
1330
44
     } else {
1331
45
         QString *json = qobject_to_json(QOBJECT(bs->full_open_options));
1332
46
-        snprintf(bs->filename, sizeof(bs->filename), "json:%s",
1333
47
-                 qstring_get_str(json));
1334
48
+        if (snprintf(bs->filename, sizeof(bs->filename), "json:%s",
1335
49
+                     qstring_get_str(json)) >= sizeof(bs->filename)) {
1336
50
+            /* Give user a hint if we truncated things. */
1337
51
+            strcpy(bs->filename + sizeof(bs->filename) - 4, "...");
1338
52
+        }
1339
53
         qobject_unref(json);
1340
54
     }
1341
55
 }
1342
56
diff --git a/block/nbd.c b/block/nbd.c
1343
57
index 3d369fc8eb..eb380102c0 100644
1344
58
--- a/block/nbd.c
1345
59
+++ b/block/nbd.c
1346
60
@@ -1971,6 +1971,7 @@ static void nbd_refresh_filename(BlockDriverState *bs)
1347
61
 {
1348
62
     BDRVNBDState *s = bs->opaque;
1349
63
     const char *host = NULL, *port = NULL, *path = NULL;
1350
64
+    size_t len = 0;
1351
65
 
1352
66
     if (s->saddr->type == SOCKET_ADDRESS_TYPE_INET) {
1353
67
         const InetSocketAddress *inet = &s->saddr->u.inet;
1354
68
@@ -1983,17 +1984,21 @@ static void nbd_refresh_filename(BlockDriverState *bs)
1355
69
     } /* else can't represent as pseudo-filename */
1356
70
 
1357
71
     if (path && s->export) {
1358
72
-        snprintf(bs->exact_filename, sizeof(bs->exact_filename),
1359
73
-                 "nbd+unix:///%s?socket=%s", s->export, path);
1360
74
+        len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
1361
75
+                       "nbd+unix:///%s?socket=%s", s->export, path);
1362
76
     } else if (path && !s->export) {
1363
77
-        snprintf(bs->exact_filename, sizeof(bs->exact_filename),
1364
78
-                 "nbd+unix://?socket=%s", path);
1365
79
+        len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
1366
80
+                       "nbd+unix://?socket=%s", path);
1367
81
     } else if (host && s->export) {
1368
82
-        snprintf(bs->exact_filename, sizeof(bs->exact_filename),
1369
83
-                 "nbd://%s:%s/%s", host, port, s->export);
1370
84
+        len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
1371
85
+                       "nbd://%s:%s/%s", host, port, s->export);
1372
86
     } else if (host && !s->export) {
1373
87
-        snprintf(bs->exact_filename, sizeof(bs->exact_filename),
1374
88
-                 "nbd://%s:%s", host, port);
1375
89
+        len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
1376
90
+                       "nbd://%s:%s", host, port);
1377
91
+    }
1378
92
+    if (len > sizeof(bs->exact_filename)) {
1379
93
+        /* Name is too long to represent exactly, so leave it empty. */
1380
94
+        bs->exact_filename[0] = '\0';
1381
95
     }
1382
96
 }
1383
97
 
1384
98
-- 
1385
99
2.28.0
1386
100
1387
diff --git a/debian/patches/stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch b/debian/patches/stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch
1388
0
new file mode 100644
101
new file mode 100644
1389
index 0000000..dadc759
1390
--- /dev/null
1391
+++ b/debian/patches/stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch
1392
@@ -0,0 +1,58 @@
1393
1
From 0b487ea66409be1984ed55d3de71000ac363644f Mon Sep 17 00:00:00 2001
1394
2
From: Max Reitz <mreitz@redhat.com>
1395
3
Date: Fri, 17 Jan 2020 11:58:58 +0100
1396
4
Subject: [PATCH] block: Fix VM size field width in snapshot dump
1397
5
1398
6
When printing the snapshot list (e.g. with qemu-img snapshot -l), the VM
1399
7
size field is only seven characters wide.  As of de38b5005e9, this is
1400
8
not necessarily sufficient: We generally print three digits, and this
1401
9
may require a decimal point.  Also, the unit field grew from something
1402
10
as plain as "M" to " MiB".  This means that number and unit may take up
1403
11
eight characters in total; but we also want spaces in front.
1404
12
1405
13
Considering previously the maximum width was four characters and the
1406
14
field width was chosen to be three characters wider, let us adjust the
1407
15
field width to be eleven now.
1408
16
1409
17
Fixes: de38b5005e946aa3714963ea4c501e279e7d3666
1410
18
Buglink: https://bugs.launchpad.net/qemu/+bug/1859989
1411
19
Signed-off-by: Max Reitz <mreitz@redhat.com>
1412
20
Message-Id: <20200117105859.241818-2-mreitz@redhat.com>
1413
21
Reviewed-by: Eric Blake <eblake@redhat.com>
1414
22
Signed-off-by: Max Reitz <mreitz@redhat.com>
1415
23
(cherry picked from commit 804359b8b90f76d9d8fbe8d85a6544b68f107f10)
1416
24
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1417
25
1418
26
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0b487ea664
1419
27
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
1420
28
Last-Update: 2020-08-19
1421
29
1422
30
---
1423
31
 block/qapi.c | 4 ++--
1424
32
 1 file changed, 2 insertions(+), 2 deletions(-)
1425
33
1426
34
diff --git a/block/qapi.c b/block/qapi.c
1427
35
index 9a5d0c9b27..ffa539250d 100644
1428
36
--- a/block/qapi.c
1429
37
+++ b/block/qapi.c
1430
38
@@ -657,7 +657,7 @@ void bdrv_snapshot_dump(QEMUSnapshotInfo *sn)
1431
39
     char *sizing = NULL;
1432
40
 
1433
41
     if (!sn) {
1434
42
-        qemu_printf("%-10s%-20s%7s%20s%15s",
1435
43
+        qemu_printf("%-10s%-20s%11s%20s%15s",
1436
44
                     "ID", "TAG", "VM SIZE", "DATE", "VM CLOCK");
1437
45
     } else {
1438
46
         ti = sn->date_sec;
1439
47
@@ -672,7 +672,7 @@ void bdrv_snapshot_dump(QEMUSnapshotInfo *sn)
1440
48
                  (int)(secs % 60),
1441
49
                  (int)((sn->vm_clock_nsec / 1000000) % 1000));
1442
50
         sizing = size_to_str(sn->vm_state_size);
1443
51
-        qemu_printf("%-10s%-20s%7s%20s%15s",
1444
52
+        qemu_printf("%-10s%-20s%11s%20s%15s",
1445
53
                     sn->id_str, sn->name,
1446
54
                     sizing,
1447
55
                     date_buf,
1448
56
-- 
1449
57
2.28.0
1450
58
1451
diff --git a/debian/patches/stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch b/debian/patches/stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch
1452
0
new file mode 100644
59
new file mode 100644
1453
index 0000000..31648ce
1454
--- /dev/null
1455
+++ b/debian/patches/stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch
1456
@@ -0,0 +1,55 @@
1457
1
From dc6bdba433246e55c930fad38c1267242fae888c Mon Sep 17 00:00:00 2001
1458
2
From: Eiichi Tsukata <devel@etsukata.com>
1459
3
Date: Mon, 23 Dec 2019 18:06:32 +0900
1460
4
Subject: [PATCH] block/backup: fix memory leak in bdrv_backup_top_append()
1461
5
1462
6
bdrv_open_driver() allocates bs->opaque according to drv->instance_size.
1463
7
There is no need to allocate it and overwrite opaque in
1464
8
bdrv_backup_top_append().
1465
9
1466
10
Reproducer:
1467
11
1468
12
  $ QTEST_QEMU_BINARY=./x86_64-softmmu/qemu-system-x86_64 valgrind -q --leak-check=full tests/test-replication -p /replication/secondary/start
1469
13
  ==29792== 24 bytes in 1 blocks are definitely lost in loss record 52 of 226
1470
14
  ==29792==    at 0x483AB1A: calloc (vg_replace_malloc.c:762)
1471
15
  ==29792==    by 0x4B07CE0: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.6000.7)
1472
16
  ==29792==    by 0x12BAB9: bdrv_open_driver (block.c:1289)
1473
17
  ==29792==    by 0x12BEA9: bdrv_new_open_driver (block.c:1359)
1474
18
  ==29792==    by 0x1D15CB: bdrv_backup_top_append (backup-top.c:190)
1475
19
  ==29792==    by 0x1CC11A: backup_job_create (backup.c:439)
1476
20
  ==29792==    by 0x1CD542: replication_start (replication.c:544)
1477
21
  ==29792==    by 0x1401B9: replication_start_all (replication.c:52)
1478
22
  ==29792==    by 0x128B50: test_secondary_start (test-replication.c:427)
1479
23
  ...
1480
24
1481
25
Fixes: 7df7868b9640 ("block: introduce backup-top filter driver")
1482
26
Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
1483
27
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1484
28
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
1485
29
(cherry picked from commit fb574de81bfdd71fdb0315105a3a7761efb68395)
1486
30
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1487
31
1488
32
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=dc6bdba433
1489
33
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
1490
34
Last-Update: 2020-08-19
1491
35
1492
36
---
1493
37
 block/backup-top.c | 2 +-
1494
38
 1 file changed, 1 insertion(+), 1 deletion(-)
1495
39
1496
40
diff --git a/block/backup-top.c b/block/backup-top.c
1497
41
index 818d3f26b4..64e9e4f576 100644
1498
42
--- a/block/backup-top.c
1499
43
+++ b/block/backup-top.c
1500
44
@@ -196,7 +196,7 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source,
1501
45
     }
1502
46
 
1503
47
     top->total_sectors = source->total_sectors;
1504
48
-    top->opaque = state = g_new0(BDRVBackupTopState, 1);
1505
49
+    state = top->opaque;
1506
50
 
1507
51
     bdrv_ref(target);
1508
52
     state->target = bdrv_attach_child(top, target, "target", &child_file, errp);
1509
53
-- 
1510
54
2.28.0
1511
55
1512
diff --git a/debian/patches/stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch b/debian/patches/stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch
1513
0
new file mode 100644
56
new file mode 100644
1514
index 0000000..4ca9cb9
1515
--- /dev/null
1516
+++ b/debian/patches/stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch
1517
@@ -0,0 +1,122 @@
1518
1
From 5ff78dc9bcf2a81f097f1137e58f9a0759347d91 Mon Sep 17 00:00:00 2001
1519
2
From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1520
3
Date: Mon, 16 Mar 2020 09:06:30 +0300
1521
4
Subject: [PATCH] block: bdrv_set_backing_bs: fix use-after-free
1522
5
MIME-Version: 1.0
1523
6
Content-Type: text/plain; charset=UTF-8
1524
7
Content-Transfer-Encoding: 8bit
1525
8
1526
9
There is a use-after-free possible: bdrv_unref_child() leaves
1527
10
bs->backing freed but not NULL. bdrv_attach_child may produce nested
1528
11
polling loop due to drain, than access of freed pointer is possible.
1529
12
1530
13
I've produced the following crash on 30 iotest with modified code. It
1531
14
does not reproduce on master, but still seems possible:
1532
15
1533
16
    #0  __strcmp_avx2 () at /lib64/libc.so.6
1534
17
    #1  bdrv_backing_overridden (bs=0x55c9d3cc2060) at block.c:6350
1535
18
    #2  bdrv_refresh_filename (bs=0x55c9d3cc2060) at block.c:6404
1536
19
    #3  bdrv_backing_attach (c=0x55c9d48e5520) at block.c:1063
1537
20
    #4  bdrv_replace_child_noperm
1538
21
        (child=child@entry=0x55c9d48e5520,
1539
22
        new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2290
1540
23
    #5  bdrv_replace_child
1541
24
        (child=child@entry=0x55c9d48e5520,
1542
25
        new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2320
1543
26
    #6  bdrv_root_attach_child
1544
27
        (child_bs=child_bs@entry=0x55c9d3cc2060,
1545
28
        child_name=child_name@entry=0x55c9d241d478 "backing",
1546
29
        child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
1547
30
        ctx=<optimized out>, perm=<optimized out>, shared_perm=21,
1548
31
        opaque=0x55c9d3c5a3d0, errp=0x7ffd117108e0) at block.c:2424
1549
32
    #7  bdrv_attach_child
1550
33
        (parent_bs=parent_bs@entry=0x55c9d3c5a3d0,
1551
34
        child_bs=child_bs@entry=0x55c9d3cc2060,
1552
35
        child_name=child_name@entry=0x55c9d241d478 "backing",
1553
36
        child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
1554
37
        errp=errp@entry=0x7ffd117108e0) at block.c:5876
1555
38
    #8  in bdrv_set_backing_hd
1556
39
        (bs=bs@entry=0x55c9d3c5a3d0,
1557
40
        backing_hd=backing_hd@entry=0x55c9d3cc2060,
1558
41
        errp=errp@entry=0x7ffd117108e0)
1559
42
        at block.c:2576
1560
43
    #9  stream_prepare (job=0x55c9d49d84a0) at block/stream.c:150
1561
44
    #10 job_prepare (job=0x55c9d49d84a0) at job.c:761
1562
45
    #11 job_txn_apply (txn=<optimized out>, fn=<optimized out>) at
1563
46
        job.c:145
1564
47
    #12 job_do_finalize (job=0x55c9d49d84a0) at job.c:778
1565
48
    #13 job_completed_txn_success (job=0x55c9d49d84a0) at job.c:832
1566
49
    #14 job_completed (job=0x55c9d49d84a0) at job.c:845
1567
50
    #15 job_completed (job=0x55c9d49d84a0) at job.c:836
1568
51
    #16 job_exit (opaque=0x55c9d49d84a0) at job.c:864
1569
52
    #17 aio_bh_call (bh=0x55c9d471a160) at util/async.c:117
1570
53
    #18 aio_bh_poll (ctx=ctx@entry=0x55c9d3c46720) at util/async.c:117
1571
54
    #19 aio_poll (ctx=ctx@entry=0x55c9d3c46720,
1572
55
        blocking=blocking@entry=true)
1573
56
        at util/aio-posix.c:728
1574
57
    #20 bdrv_parent_drained_begin_single (poll=true, c=0x55c9d3d558f0)
1575
58
        at block/io.c:121
1576
59
    #21 bdrv_parent_drained_begin_single (c=c@entry=0x55c9d3d558f0,
1577
60
        poll=poll@entry=true)
1578
61
        at block/io.c:114
1579
62
    #22 bdrv_replace_child_noperm
1580
63
        (child=child@entry=0x55c9d3d558f0,
1581
64
        new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2258
1582
65
    #23 bdrv_replace_child
1583
66
        (child=child@entry=0x55c9d3d558f0,
1584
67
        new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2320
1585
68
    #24 bdrv_root_attach_child
1586
69
        (child_bs=child_bs@entry=0x55c9d3d27300,
1587
70
        child_name=child_name@entry=0x55c9d241d478 "backing",
1588
71
        child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
1589
72
        ctx=<optimized out>, perm=<optimized out>, shared_perm=21,
1590
73
        opaque=0x55c9d3cc2060, errp=0x7ffd11710c60) at block.c:2424
1591
74
    #25 bdrv_attach_child
1592
75
        (parent_bs=parent_bs@entry=0x55c9d3cc2060,
1593
76
        child_bs=child_bs@entry=0x55c9d3d27300,
1594
77
        child_name=child_name@entry=0x55c9d241d478 "backing",
1595
78
        child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
1596
79
        errp=errp@entry=0x7ffd11710c60) at block.c:5876
1597
80
    #26 bdrv_set_backing_hd
1598
81
        (bs=bs@entry=0x55c9d3cc2060,
1599
82
        backing_hd=backing_hd@entry=0x55c9d3d27300,
1600
83
        errp=errp@entry=0x7ffd11710c60)
1601
84
        at block.c:2576
1602
85
    #27 stream_prepare (job=0x55c9d495ead0) at block/stream.c:150
1603
86
    ...
1604
87
1605
88
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
1606
89
Message-Id: <20200316060631.30052-2-vsementsov@virtuozzo.com>
1607
90
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
1608
91
Reviewed-by: John Snow <jsnow@redhat.com>
1609
92
Signed-off-by: Max Reitz <mreitz@redhat.com>
1610
93
(cherry picked from commit 6e57963a77df1e275a73dab4c6a7ec9a9d3468d4)
1611
94
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1612
95
1613
96
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=5ff78dc9bc
1614
97
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
1615
98
Last-Update: 2020-08-19
1616
99
1617
100
---
1618
101
 block.c | 2 +-
1619
102
 1 file changed, 1 insertion(+), 1 deletion(-)
1620
103
1621
104
diff --git a/block.c b/block.c
1622
105
index 4916252444..1cb1cd7a37 100644
1623
106
--- a/block.c
1624
107
+++ b/block.c
1625
108
@@ -2577,10 +2577,10 @@ void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd,
1626
109
 
1627
110
     if (bs->backing) {
1628
111
         bdrv_unref_child(bs, bs->backing);
1629
112
+        bs->backing = NULL;
1630
113
     }
1631
114
 
1632
115
     if (!backing_hd) {
1633
116
-        bs->backing = NULL;
1634
117
         goto out;
1635
118
     }
1636
119
 
1637
120
-- 
1638
121
2.28.0
1639
122
1640
diff --git a/debian/patches/stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch b/debian/patches/stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch
1641
0
new file mode 100644
123
new file mode 100644
1642
index 0000000..8b916a8
1643
--- /dev/null
1644
+++ b/debian/patches/stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch
1645
@@ -0,0 +1,68 @@
1646
1
From a967e75f3a65ccfca3e793e4cb8223449f20a9c5 Mon Sep 17 00:00:00 2001
1647
2
From: Pan Nengyuan <pannengyuan@huawei.com>
1648
3
Date: Thu, 16 Jan 2020 16:56:00 +0800
1649
4
Subject: [PATCH] block: fix memleaks in bdrv_refresh_filename
1650
5
1651
6
If we call the qmp 'query-block' while qemu is working on
1652
7
'block-commit', it will cause memleaks, the memory leak stack is as
1653
8
follow:
1654
9
1655
10
Indirect leak of 12360 byte(s) in 3 object(s) allocated from:
1656
11
    #0 0x7f80f0b6d970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
1657
12
    #1 0x7f80ee86049d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
1658
13
    #2 0x55ea95b5bb67 in qdict_new /mnt/sdb/qemu-4.2.0-rc0/qobject/qdict.c:29
1659
14
    #3 0x55ea956cd043 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6427
1660
15
    #4 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
1661
16
    #5 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
1662
17
    #6 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
1663
18
    #7 0x55ea958818ea in bdrv_block_device_info /mnt/sdb/qemu-4.2.0-rc0/block/qapi.c:56
1664
19
    #8 0x55ea958879de in bdrv_query_info /mnt/sdb/qemu-4.2.0-rc0/block/qapi.c:392
1665
20
    #9 0x55ea9588b58f in qmp_query_block /mnt/sdb/qemu-4.2.0-rc0/block/qapi.c:578
1666
21
    #10 0x55ea95567392 in qmp_marshal_query_block qapi/qapi-commands-block-core.c:95
1667
22
1668
23
Indirect leak of 4120 byte(s) in 1 object(s) allocated from:
1669
24
    #0 0x7f80f0b6d970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
1670
25
    #1 0x7f80ee86049d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
1671
26
    #2 0x55ea95b5bb67 in qdict_new /mnt/sdb/qemu-4.2.0-rc0/qobject/qdict.c:29
1672
27
    #3 0x55ea956cd043 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6427
1673
28
    #4 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
1674
29
    #5 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
1675
30
    #6 0x55ea9569f301 in bdrv_backing_attach /mnt/sdb/qemu-4.2.0-rc0/block.c:1064
1676
31
    #7 0x55ea956a99dd in bdrv_replace_child_noperm /mnt/sdb/qemu-4.2.0-rc0/block.c:2283
1677
32
    #8 0x55ea956b9b53 in bdrv_replace_node /mnt/sdb/qemu-4.2.0-rc0/block.c:4196
1678
33
    #9 0x55ea956b9e49 in bdrv_append /mnt/sdb/qemu-4.2.0-rc0/block.c:4236
1679
34
    #10 0x55ea958c3472 in commit_start /mnt/sdb/qemu-4.2.0-rc0/block/commit.c:306
1680
35
    #11 0x55ea94b68ab0 in qmp_block_commit /mnt/sdb/qemu-4.2.0-rc0/blockdev.c:3459
1681
36
    #12 0x55ea9556a7a7 in qmp_marshal_block_commit qapi/qapi-commands-block-core.c:407
1682
37
1683
38
Fixes: bb808d5f5c0978828a974d547e6032402c339555
1684
39
Reported-by: Euler Robot <euler.robot@huawei.com>
1685
40
Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
1686
41
Message-id: 20200116085600.24056-1-pannengyuan@huawei.com
1687
42
Signed-off-by: Max Reitz <mreitz@redhat.com>
1688
43
(cherry picked from commit cb8956144ccaccf23d5cc4167677e2c84fa5a9f8)
1689
44
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1690
45
1691
46
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=a967e75f3a
1692
47
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
1693
48
Last-Update: 2020-08-19
1694
49
1695
50
---
1696
51
 block.c | 1 +
1697
52
 1 file changed, 1 insertion(+)
1698
53
1699
54
diff --git a/block.c b/block.c
1700
55
index 863cf34d45..4916252444 100644
1701
56
--- a/block.c
1702
57
+++ b/block.c
1703
58
@@ -6426,6 +6426,7 @@ void bdrv_refresh_filename(BlockDriverState *bs)
1704
59
                 child->bs->exact_filename);
1705
60
         pstrcpy(bs->filename, sizeof(bs->filename), child->bs->filename);
1706
61
 
1707
62
+        qobject_unref(bs->full_open_options);
1708
63
         bs->full_open_options = qobject_ref(child->bs->full_open_options);
1709
64
 
1710
65
         return;
1711
66
-- 
1712
67
2.28.0
1713
68
1714
diff --git a/debian/patches/stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch b/debian/patches/stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch
1715
0
new file mode 100644
69
new file mode 100644
1716
index 0000000..2e76b86
1717
--- /dev/null
1718
+++ b/debian/patches/stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch
1719
@@ -0,0 +1,49 @@
1720
1
From 219362f9655859056e8f15cf96fc3169d4dc80de Mon Sep 17 00:00:00 2001
1721
2
From: Cornelia Huck <cohuck@redhat.com>
1722
3
Date: Wed, 18 Mar 2020 10:39:19 +0100
1723
4
Subject: [PATCH] compat: disable edid on correct virtio-gpu device
1724
5
MIME-Version: 1.0
1725
6
Content-Type: text/plain; charset=UTF-8
1726
7
Content-Transfer-Encoding: 8bit
1727
8
1728
9
Commit bb15791166c1 ("compat: disable edid on virtio-gpu base
1729
10
device") tried to disable 'edid' on the virtio-gpu base device.
1730
11
However, that device is not 'virtio-gpu', but 'virtio-gpu-device'.
1731
12
Fix it.
1732
13
1733
14
Fixes: bb15791166c1 ("compat: disable edid on virtio-gpu base device")
1734
15
Reported-by: Lukáš Doktor <ldoktor@redhat.com>
1735
16
Tested-by: Lukáš Doktor <ldoktor@redhat.com>
1736
17
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
1737
18
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
1738
19
Message-id: 20200318093919.24942-1-cohuck@redhat.com
1739
20
Cc: qemu-stable@nongnu.org
1740
21
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
1741
22
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1742
23
(cherry picked from commit 02501fc39381c4dabaf6becdd12c2a4754c3847c)
1743
24
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1744
25
1745
26
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=219362f965
1746
27
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
1747
28
Last-Update: 2020-08-19
1748
29
1749
30
---
1750
31
 hw/core/machine.c | 2 +-
1751
32
 1 file changed, 1 insertion(+), 1 deletion(-)
1752
33
1753
34
diff --git a/hw/core/machine.c b/hw/core/machine.c
1754
35
index aa63231f31..1872263bf0 100644
1755
36
--- a/hw/core/machine.c
1756
37
+++ b/hw/core/machine.c
1757
38
@@ -37,7 +37,7 @@ GlobalProperty hw_compat_4_0[] = {
1758
39
     { "secondary-vga",  "edid", "false" },
1759
40
     { "bochs-display",  "edid", "false" },
1760
41
     { "virtio-vga",     "edid", "false" },
1761
42
-    { "virtio-gpu",     "edid", "false" },
1762
43
+    { "virtio-gpu-device", "edid", "false" },
1763
44
     { "virtio-device", "use-started", "false" },
1764
45
     { "virtio-balloon-device", "qemu-4-0-config-size", "true" },
1765
46
     { "pl031", "migrate-tick-offset", "false" },
1766
47
-- 
1767
48
2.28.0
1768
49
1769
diff --git a/debian/patches/stable/lp-1891877-display-bochs-display-fix-memory-leak.patch b/debian/patches/stable/lp-1891877-display-bochs-display-fix-memory-leak.patch
1770
0
new file mode 100644
50
new file mode 100644
1771
index 0000000..6196cbc
1772
--- /dev/null
1773
+++ b/debian/patches/stable/lp-1891877-display-bochs-display-fix-memory-leak.patch
1774
@@ -0,0 +1,42 @@
1775
1
From 7e1bc51f3f606e758b2600555ddc99f643a3697d Mon Sep 17 00:00:00 2001
1776
2
From: Cameron Esfahani <dirty@apple.com>
1777
3
Date: Tue, 10 Dec 2019 13:27:54 -0800
1778
4
Subject: [PATCH] display/bochs-display: fix memory leak
1779
5
MIME-Version: 1.0
1780
6
Content-Type: text/plain; charset=UTF-8
1781
7
Content-Transfer-Encoding: 8bit
1782
8
1783
9
Fix memory leak in bochs_display_update().  Leaks 304 bytes per frame.
1784
10
1785
11
Fixes: 33ebad54056
1786
12
Signed-off-by: Cameron Esfahani <dirty@apple.com>
1787
13
Message-Id: <d6c26e68db134c7b0c7ce8b61596ca2e65e01e12.1576013209.git.dirty@apple.com>
1788
14
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
1789
15
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1790
16
(cherry picked from commit 0d82411d0e38a0de7829f97d04406765c8d2210d)
1791
17
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1792
18
1793
19
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=7e1bc51f3f
1794
20
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
1795
21
Last-Update: 2020-08-19
1796
22
1797
23
---
1798
24
 hw/display/bochs-display.c | 2 ++
1799
25
 1 file changed, 2 insertions(+)
1800
26
1801
27
diff --git a/hw/display/bochs-display.c b/hw/display/bochs-display.c
1802
28
index dc1bd1641d..215db9a231 100644
1803
29
--- a/hw/display/bochs-display.c
1804
30
+++ b/hw/display/bochs-display.c
1805
31
@@ -252,6 +252,8 @@ static void bochs_display_update(void *opaque)
1806
32
             dpy_gfx_update(s->con, 0, ys,
1807
33
                            mode.width, y - ys);
1808
34
         }
1809
35
+
1810
36
+        g_free(snap);
1811
37
     }
1812
38
 }
1813
39
 
1814
40
-- 
1815
41
2.28.0
1816
42
1817
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch b/debian/patches/stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch
1818
0
new file mode 100644
43
new file mode 100644
1819
index 0000000..3d85936
1820
--- /dev/null
1821
+++ b/debian/patches/stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch
1822
@@ -0,0 +1,52 @@
1823
1
From 1190026fe415ce29605bdadbb68956a3315714e8 Mon Sep 17 00:00:00 2001
1824
2
From: Finn Thain <fthain@telegraphics.com.au>
1825
3
Date: Wed, 29 Jan 2020 20:27:49 +1100
1826
4
Subject: [PATCH] dp8393x: Always update RRA pointers and sequence numbers
1827
5
1828
6
These operations need to take place regardless of whether or not
1829
7
rx descriptors have been used up (that is, EOL flag was observed).
1830
8
1831
9
The algorithm is now the same for a packet that was withheld as for
1832
10
a packet that was not.
1833
11
1834
12
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
1835
13
Tested-by: Laurent Vivier <laurent@vivier.eu>
1836
14
Signed-off-by: Jason Wang <jasowang@redhat.com>
1837
15
(cherry picked from commit 80b60673ea598869050c66d95d8339480e4cefd0)
1838
16
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1839
17
1840
18
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=1190026fe4
1841
19
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
1842
20
Last-Update: 2020-08-19
1843
21
1844
22
---
1845
23
 hw/net/dp8393x.c | 12 +++++++-----
1846
24
 1 file changed, 7 insertions(+), 5 deletions(-)
1847
25
1848
26
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
1849
27
index 4ce2ef818b..aa7bd785f3 100644
1850
28
--- a/hw/net/dp8393x.c
1851
29
+++ b/hw/net/dp8393x.c
1852
30
@@ -897,12 +897,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
1853
31
         /* Move to next descriptor */
1854
32
         s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
1855
33
         s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
1856
34
-        s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | (((s->regs[SONIC_RSC] & 0x00ff) + 1) & 0x00ff);
1857
35
+    }
1858
36
 
1859
37
-        if (s->regs[SONIC_RCR] & SONIC_RCR_LPKT) {
1860
38
-            /* Read next RRA */
1861
39
-            dp8393x_do_read_rra(s);
1862
40
-        }
1863
41
+    s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) |
1864
42
+                         ((s->regs[SONIC_RSC] + 1) & 0x00ff);
1865
43
+
1866
44
+    if (s->regs[SONIC_RCR] & SONIC_RCR_LPKT) {
1867
45
+        /* Read next RRA */
1868
46
+        dp8393x_do_read_rra(s);
1869
47
     }
1870
48
 
1871
49
     /* Done */
1872
50
-- 
1873
51
2.28.0
1874
52
1875
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch b/debian/patches/stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch
1876
0
new file mode 100644
53
new file mode 100644
1877
index 0000000..ff2540a
1878
--- /dev/null
1879
+++ b/debian/patches/stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch
1880
@@ -0,0 +1,167 @@
1881
1
From 956e1b2d977f8743d58c97994c27d6c848ae3b7d Mon Sep 17 00:00:00 2001
1882
2
From: Finn Thain <fthain@telegraphics.com.au>
1883
3
Date: Wed, 29 Jan 2020 20:27:49 +1100
1884
4
Subject: [PATCH] dp8393x: Always use 32-bit accesses
1885
5
1886
6
The DP83932 and DP83934 have 32 data lines. The datasheet says,
1887
7
1888
8
    Data Bus: These bidirectional lines are used to transfer data on the
1889
9
    system bus. When the SONIC is a bus master, 16-bit data is transferred
1890
10
    on D15-D0 and 32-bit data is transferred on D31-D0. When the SONIC is
1891
11
    accessed as a slave, register data is driven onto lines D15-D0.
1892
12
    D31-D16 are held TRI-STATE if SONIC is in 16-bit mode. If SONIC is in
1893
13
    32-bit mode, they are driven, but invalid.
1894
14
1895
15
Always use 32-bit accesses both as bus master and bus slave.
1896
16
1897
17
Force the MSW to zero in bus master mode.
1898
18
1899
19
This gets the Linux 'jazzsonic' driver working, and avoids the need for
1900
20
prior hacks to make the NetBSD 'sn' driver work.
1901
21
1902
22
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
1903
23
Tested-by: Laurent Vivier <laurent@vivier.eu>
1904
24
Signed-off-by: Jason Wang <jasowang@redhat.com>
1905
25
(cherry picked from commit 3fe9a838ec3eae1374ced16b63bf56894b2ffbe6)
1906
26
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
1907
27
1908
28
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=956e1b2d97
1909
29
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
1910
30
Last-Update: 2020-08-19
1911
31
1912
32
---
1913
33
 hw/net/dp8393x.c | 47 +++++++++++++++++++++++++++++------------------
1914
34
 1 file changed, 29 insertions(+), 18 deletions(-)
1915
35
1916
36
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
1917
37
index 7ca6a6dd46..49c304ee20 100644
1918
38
--- a/hw/net/dp8393x.c
1919
39
+++ b/hw/net/dp8393x.c
1920
40
@@ -246,9 +246,19 @@ static void dp8393x_put(dp8393xState *s, int width, int offset,
1921
41
                         uint16_t val)
1922
42
 {
1923
43
     if (s->big_endian) {
1924
44
-        s->data[offset * width + width - 1] = cpu_to_be16(val);
1925
45
+        if (width == 2) {
1926
46
+            s->data[offset * 2] = 0;
1927
47
+            s->data[offset * 2 + 1] = cpu_to_be16(val);
1928
48
+        } else {
1929
49
+            s->data[offset] = cpu_to_be16(val);
1930
50
+        }
1931
51
     } else {
1932
52
-        s->data[offset * width] = cpu_to_le16(val);
1933
53
+        if (width == 2) {
1934
54
+            s->data[offset * 2] = cpu_to_le16(val);
1935
55
+            s->data[offset * 2 + 1] = 0;
1936
56
+        } else {
1937
57
+            s->data[offset] = cpu_to_le16(val);
1938
58
+        }
1939
59
     }
1940
60
 }
1941
61
 
1942
62
@@ -588,7 +598,7 @@ static uint64_t dp8393x_read(void *opaque, hwaddr addr, unsigned int size)
1943
63
 
1944
64
     DPRINTF("read 0x%04x from reg %s\n", val, reg_names[reg]);
1945
65
 
1946
66
-    return val;
1947
67
+    return s->big_endian ? val << 16 : val;
1948
68
 }
1949
69
 
1950
70
 static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
1951
71
@@ -596,13 +606,14 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
1952
72
 {
1953
73
     dp8393xState *s = opaque;
1954
74
     int reg = addr >> s->it_shift;
1955
75
+    uint32_t val = s->big_endian ? data >> 16 : data;
1956
76
 
1957
77
-    DPRINTF("write 0x%04x to reg %s\n", (uint16_t)data, reg_names[reg]);
1958
78
+    DPRINTF("write 0x%04x to reg %s\n", (uint16_t)val, reg_names[reg]);
1959
79
 
1960
80
     switch (reg) {
1961
81
         /* Command register */
1962
82
         case SONIC_CR:
1963
83
-            dp8393x_do_command(s, data);
1964
84
+            dp8393x_do_command(s, val);
1965
85
             break;
1966
86
         /* Prevent write to read-only registers */
1967
87
         case SONIC_CAP2:
1968
88
@@ -615,36 +626,36 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
1969
89
         /* Accept write to some registers only when in reset mode */
1970
90
         case SONIC_DCR:
1971
91
             if (s->regs[SONIC_CR] & SONIC_CR_RST) {
1972
92
-                s->regs[reg] = data & 0xbfff;
1973
93
+                s->regs[reg] = val & 0xbfff;
1974
94
             } else {
1975
95
                 DPRINTF("writing to DCR invalid\n");
1976
96
             }
1977
97
             break;
1978
98
         case SONIC_DCR2:
1979
99
             if (s->regs[SONIC_CR] & SONIC_CR_RST) {
1980
100
-                s->regs[reg] = data & 0xf017;
1981
101
+                s->regs[reg] = val & 0xf017;
1982
102
             } else {
1983
103
                 DPRINTF("writing to DCR2 invalid\n");
1984
104
             }
1985
105
             break;
1986
106
         /* 12 lower bytes are Read Only */
1987
107
         case SONIC_TCR:
1988
108
-            s->regs[reg] = data & 0xf000;
1989
109
+            s->regs[reg] = val & 0xf000;
1990
110
             break;
1991
111
         /* 9 lower bytes are Read Only */
1992
112
         case SONIC_RCR:
1993
113
-            s->regs[reg] = data & 0xffe0;
1994
114
+            s->regs[reg] = val & 0xffe0;
1995
115
             break;
1996
116
         /* Ignore most significant bit */
1997
117
         case SONIC_IMR:
1998
118
-            s->regs[reg] = data & 0x7fff;
1999
119
+            s->regs[reg] = val & 0x7fff;
2000
120
             dp8393x_update_irq(s);
2001
121
             break;
2002
122
         /* Clear bits by writing 1 to them */
2003
123
         case SONIC_ISR:
2004
124
-            data &= s->regs[reg];
2005
125
-            s->regs[reg] &= ~data;
2006
126
-            if (data & SONIC_ISR_RBE) {
2007
127
+            val &= s->regs[reg];
2008
128
+            s->regs[reg] &= ~val;
2009
129
+            if (val & SONIC_ISR_RBE) {
2010
130
                 dp8393x_do_read_rra(s);
2011
131
             }
2012
132
             dp8393x_update_irq(s);
2013
133
@@ -657,17 +668,17 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
2014
134
         case SONIC_REA:
2015
135
         case SONIC_RRP:
2016
136
         case SONIC_RWP:
2017
137
-            s->regs[reg] = data & 0xfffe;
2018
138
+            s->regs[reg] = val & 0xfffe;
2019
139
             break;
2020
140
         /* Invert written value for some registers */
2021
141
         case SONIC_CRCT:
2022
142
         case SONIC_FAET:
2023
143
         case SONIC_MPT:
2024
144
-            s->regs[reg] = data ^ 0xffff;
2025
145
+            s->regs[reg] = val ^ 0xffff;
2026
146
             break;
2027
147
         /* All other registers have no special contrainst */
2028
148
         default:
2029
149
-            s->regs[reg] = data;
2030
150
+            s->regs[reg] = val;
2031
151
     }
2032
152
 
2033
153
     if (reg == SONIC_WT0 || reg == SONIC_WT1) {
2034
154
@@ -678,8 +689,8 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
2035
155
 static const MemoryRegionOps dp8393x_ops = {
2036
156
     .read = dp8393x_read,
2037
157
     .write = dp8393x_write,
2038
158
-    .impl.min_access_size = 2,
2039
159
-    .impl.max_access_size = 2,
2040
160
+    .impl.min_access_size = 4,
2041
161
+    .impl.max_access_size = 4,
2042
162
     .endianness = DEVICE_NATIVE_ENDIAN,
2043
163
 };
2044
164
 
2045
165
-- 
2046
166
2.28.0
2047
167
2048
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch b/debian/patches/stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch
2049
0
new file mode 100644
168
new file mode 100644
2050
index 0000000..8d4a682
2051
--- /dev/null
2052
+++ b/debian/patches/stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch
2053
@@ -0,0 +1,71 @@
2054
1
From bf3f12ac8c34e4856f48c5f7ee7d23c042097797 Mon Sep 17 00:00:00 2001
2055
2
From: Finn Thain <fthain@telegraphics.com.au>
2056
3
Date: Wed, 29 Jan 2020 20:27:49 +1100
2057
4
Subject: [PATCH] dp8393x: Clean up endianness hacks
2058
5
MIME-Version: 1.0
2059
6
Content-Type: text/plain; charset=UTF-8
2060
7
Content-Transfer-Encoding: 8bit
2061
8
2062
9
According to the datasheet, section 3.4.4, "in 32-bit mode ... the SONIC
2063
10
always writes long words".
2064
11
2065
12
Therefore, use the same technique for the 'in_use' field that is used
2066
13
everywhere else, and write the full long word.
2067
14
2068
15
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2069
16
Tested-by: Laurent Vivier <laurent@vivier.eu>
2070
17
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2071
18
Signed-off-by: Jason Wang <jasowang@redhat.com>
2072
19
(cherry picked from commit 46ffee9ad43185cbee4182c208bbd534814086ca)
2073
20
 Conflicts:
2074
21
	hw/net/dp8393x.c
2075
22
*roll in local dependencies on b7cbebf2b9d
2076
23
*drop functional dep. on 19f70347731
2077
24
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2078
25
2079
26
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=bf3f12ac8c
2080
27
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2081
28
Last-Update: 2020-08-19
2082
29
2083
30
---
2084
31
 hw/net/dp8393x.c | 17 ++++++-----------
2085
32
 1 file changed, 6 insertions(+), 11 deletions(-)
2086
33
2087
34
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2088
35
index 49c304ee20..f89f4c7ba3 100644
2089
36
--- a/hw/net/dp8393x.c
2090
37
+++ b/hw/net/dp8393x.c
2091
38
@@ -776,8 +776,6 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2092
39
         return -1;
2093
40
     }
2094
41
 
2095
42
-    /* XXX: Check byte ordering */
2096
43
-
2097
44
     /* Check for EOL */
2098
45
     if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) {
2099
46
         /* Are we still in resource exhaustion? */
2100
47
@@ -847,15 +845,12 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2101
48
         /* EOL detected */
2102
49
         s->regs[SONIC_ISR] |= SONIC_ISR_RDE;
2103
50
     } else {
2104
51
-        /* Clear in_use, but it is always 16bit wide */
2105
52
-        int offset = dp8393x_crda(s) + sizeof(uint16_t) * 6 * width;
2106
53
-        if (s->big_endian && width == 2) {
2107
54
-            /* we need to adjust the offset of the 16bit field */
2108
55
-            offset += sizeof(uint16_t);
2109
56
-        }
2110
57
-        s->data[0] = 0;
2111
58
-        address_space_rw(&s->as, offset, MEMTXATTRS_UNSPECIFIED,
2112
59
-                         (uint8_t *)s->data, sizeof(uint16_t), 1);
2113
60
+        /* Clear in_use */
2114
61
+        size = sizeof(uint16_t) * width;
2115
62
+        address = dp8393x_crda(s) + sizeof(uint16_t) * 6 * width;
2116
63
+        dp8393x_put(s, width, 0, 0);
2117
64
+        address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
2118
65
+                         (uint8_t *)s->data, size, true);
2119
66
         s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
2120
67
         s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
2121
68
         s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | (((s->regs[SONIC_RSC] & 0x00ff) + 1) & 0x00ff);
2122
69
-- 
2123
70
2.28.0
2124
71
2125
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch b/debian/patches/stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch
2126
0
new file mode 100644
72
new file mode 100644
2127
index 0000000..017873d
2128
--- /dev/null
2129
+++ b/debian/patches/stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch
2130
@@ -0,0 +1,56 @@
2131
1
From 5f08c382caee86109585111b240c36371738b00d Mon Sep 17 00:00:00 2001
2132
2
From: Finn Thain <fthain@telegraphics.com.au>
2133
3
Date: Wed, 29 Jan 2020 20:27:49 +1100
2134
4
Subject: [PATCH] dp8393x: Clear RRRA command register bit only when
2135
5
 appropriate
2136
6
MIME-Version: 1.0
2137
7
Content-Type: text/plain; charset=UTF-8
2138
8
Content-Transfer-Encoding: 8bit
2139
9
2140
10
It doesn't make sense to clear the command register bit unless the
2141
11
command was actually issued.
2142
12
2143
13
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2144
14
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2145
15
Tested-by: Laurent Vivier <laurent@vivier.eu>
2146
16
Signed-off-by: Jason Wang <jasowang@redhat.com>
2147
17
(cherry picked from commit a3cce2825a0b12bb717a5106daaca245557cc9ae)
2148
18
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2149
19
2150
20
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=5f08c382ca
2151
21
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2152
22
Last-Update: 2020-08-19
2153
23
2154
24
---
2155
25
 hw/net/dp8393x.c | 7 +++----
2156
26
 1 file changed, 3 insertions(+), 4 deletions(-)
2157
27
2158
28
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2159
29
index 8dd6bf032c..04f58ee4e1 100644
2160
30
--- a/hw/net/dp8393x.c
2161
31
+++ b/hw/net/dp8393x.c
2162
32
@@ -352,9 +352,6 @@ static void dp8393x_do_read_rra(dp8393xState *s)
2163
33
         s->regs[SONIC_ISR] |= SONIC_ISR_RBE;
2164
34
         dp8393x_update_irq(s);
2165
35
     }
2166
36
-
2167
37
-    /* Done */
2168
38
-    s->regs[SONIC_CR] &= ~SONIC_CR_RRRA;
2169
39
 }
2170
40
 
2171
41
 static void dp8393x_do_software_reset(dp8393xState *s)
2172
42
@@ -563,8 +560,10 @@ static void dp8393x_do_command(dp8393xState *s, uint16_t command)
2173
43
         dp8393x_do_start_timer(s);
2174
44
     if (command & SONIC_CR_RST)
2175
45
         dp8393x_do_software_reset(s);
2176
46
-    if (command & SONIC_CR_RRRA)
2177
47
+    if (command & SONIC_CR_RRRA) {
2178
48
         dp8393x_do_read_rra(s);
2179
49
+        s->regs[SONIC_CR] &= ~SONIC_CR_RRRA;
2180
50
+    }
2181
51
     if (command & SONIC_CR_LCAM)
2182
52
         dp8393x_do_load_cam(s);
2183
53
 }
2184
54
-- 
2185
55
2.28.0
2186
56
2187
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch b/debian/patches/stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch
2188
0
new file mode 100644
57
new file mode 100644
2189
index 0000000..2227684
2190
--- /dev/null
2191
+++ b/debian/patches/stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch
2192
@@ -0,0 +1,55 @@
2193
1
From 8d61b1e2c4e2ad8310ca957decf26b0b82d37148 Mon Sep 17 00:00:00 2001
2194
2
From: Finn Thain <fthain@telegraphics.com.au>
2195
3
Date: Wed, 29 Jan 2020 20:27:49 +1100
2196
4
Subject: [PATCH] dp8393x: Clear descriptor in_use field to release packet
2197
5
2198
6
When the SONIC receives a packet into the last available descriptor, it
2199
7
retains ownership of that descriptor for as long as necessary.
2200
8
2201
9
Section 3.4.7 of the datasheet says,
2202
10
2203
11
    When the system appends more descriptors, the SONIC releases ownership
2204
12
    of the descriptor after writing 0000h to the RXpkt.in_use field.
2205
13
2206
14
The packet can now be processed by the host, so raise a PKTRX interrupt,
2207
15
just like the normal case.
2208
16
2209
17
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2210
18
Tested-by: Laurent Vivier <laurent@vivier.eu>
2211
19
Signed-off-by: Jason Wang <jasowang@redhat.com>
2212
20
(cherry picked from commit d9fae13196a31716f45dcddcdd958fbb8e59b35a)
2213
21
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2214
22
2215
23
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=8d61b1e2c4
2216
24
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2217
25
Last-Update: 2020-08-19
2218
26
2219
27
---
2220
28
 hw/net/dp8393x.c | 10 ++++++++++
2221
29
 1 file changed, 10 insertions(+)
2222
30
2223
31
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2224
32
index 0e9061d831..4ce2ef818b 100644
2225
33
--- a/hw/net/dp8393x.c
2226
34
+++ b/hw/net/dp8393x.c
2227
35
@@ -809,7 +809,17 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2228
36
             return -1;
2229
37
         }
2230
38
         /* Link has been updated by host */
2231
39
+
2232
40
+        /* Clear in_use */
2233
41
+        size = sizeof(uint16_t) * width;
2234
42
+        address = dp8393x_crda(s) + sizeof(uint16_t) * 6 * width;
2235
43
+        dp8393x_put(s, width, 0, 0);
2236
44
+        address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
2237
45
+                         (uint8_t *)s->data, size, 1);
2238
46
+
2239
47
+        /* Move to next descriptor */
2240
48
         s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
2241
49
+        s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
2242
50
     }
2243
51
 
2244
52
     /* Save current position */
2245
53
-- 
2246
54
2.28.0
2247
55
2248
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch b/debian/patches/stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch
2249
0
new file mode 100644
56
new file mode 100644
2250
index 0000000..4682953
2251
--- /dev/null
2252
+++ b/debian/patches/stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch
2253
@@ -0,0 +1,45 @@
2254
1
From d50aa8acbc6f4bd83d0d0b5958d49ac6baf254a5 Mon Sep 17 00:00:00 2001
2255
2
From: Finn Thain <fthain@telegraphics.com.au>
2256
3
Date: Wed, 29 Jan 2020 20:27:49 +1100
2257
4
Subject: [PATCH] dp8393x: Don't clobber packet checksum
2258
5
MIME-Version: 1.0
2259
6
Content-Type: text/plain; charset=UTF-8
2260
7
Content-Transfer-Encoding: 8bit
2261
8
2262
9
A received packet consumes pkt_size bytes in the buffer and the frame
2263
10
checksum that's appended to it consumes another 4 bytes. The Receive
2264
11
Buffer Address register takes the former quantity into account but
2265
12
not the latter. So the next packet written to the buffer overwrites
2266
13
the frame checksum. Fix this.
2267
14
2268
15
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2269
16
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2270
17
Tested-by: Laurent Vivier <laurent@vivier.eu>
2271
18
Signed-off-by: Jason Wang <jasowang@redhat.com>
2272
19
(cherry picked from commit bae112b80c9c42cea21ee7623c283668c3451c2e)
2273
20
*drop context dep. on 19f70347731
2274
21
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2275
22
2276
23
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=d50aa8acbc
2277
24
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2278
25
Last-Update: 2020-08-19
2279
26
2280
27
---
2281
28
 hw/net/dp8393x.c | 1 +
2282
29
 1 file changed, 1 insertion(+)
2283
30
2284
31
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2285
32
index ca8088c839..315b4ad844 100644
2286
33
--- a/hw/net/dp8393x.c
2287
34
+++ b/hw/net/dp8393x.c
2288
35
@@ -816,6 +816,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2289
36
     address += rx_len;
2290
37
     address_space_rw(&s->as, address,
2291
38
         MEMTXATTRS_UNSPECIFIED, (uint8_t *)&checksum, 4, 1);
2292
39
+    address += 4;
2293
40
     rx_len += 4;
2294
41
     s->regs[SONIC_CRBA1] = address >> 16;
2295
42
     s->regs[SONIC_CRBA0] = address & 0xffff;
2296
43
-- 
2297
44
2.28.0
2298
45
2299
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch b/debian/patches/stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch
2300
0
new file mode 100644
46
new file mode 100644
2301
index 0000000..71593d3
2302
--- /dev/null
2303
+++ b/debian/patches/stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch
2304
@@ -0,0 +1,51 @@
2305
1
From 735cd8ddab7d2e8b3cb693295067d2c8a9098f86 Mon Sep 17 00:00:00 2001
2306
2
From: Finn Thain <fthain@telegraphics.com.au>
2307
3
Date: Wed, 29 Jan 2020 20:27:49 +1100
2308
4
Subject: [PATCH] dp8393x: Don't reset Silicon Revision register
2309
5
MIME-Version: 1.0
2310
6
Content-Type: text/plain; charset=UTF-8
2311
7
Content-Transfer-Encoding: 8bit
2312
8
2313
9
The jazzsonic driver in Linux uses the Silicon Revision register value
2314
10
to probe the chip. The driver fails unless the SR register contains 4.
2315
11
Unfortunately, reading this register in QEMU usually returns 0 because
2316
12
the s->regs[] array gets wiped after a software reset.
2317
13
2318
14
Fixes: bd8f1ebce4 ("net/dp8393x: fix hardware reset")
2319
15
Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2320
16
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2321
17
Signed-off-by: Jason Wang <jasowang@redhat.com>
2322
18
(cherry picked from commit 083e21bbdde7dbd326baf29d21f49fc3f5614496)
2323
19
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2324
20
2325
21
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=735cd8ddab
2326
22
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2327
23
Last-Update: 2020-08-19
2328
24
2329
25
---
2330
26
 hw/net/dp8393x.c | 2 +-
2331
27
 1 file changed, 1 insertion(+), 1 deletion(-)
2332
28
2333
29
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2334
30
index aa7bd785f3..d33f21bd0b 100644
2335
31
--- a/hw/net/dp8393x.c
2336
32
+++ b/hw/net/dp8393x.c
2337
33
@@ -919,6 +919,7 @@ static void dp8393x_reset(DeviceState *dev)
2338
34
     timer_del(s->watchdog);
2339
35
 
2340
36
     memset(s->regs, 0, sizeof(s->regs));
2341
37
+    s->regs[SONIC_SR] = 0x0004; /* only revision recognized by Linux/mips */
2342
38
     s->regs[SONIC_CR] = SONIC_CR_RST | SONIC_CR_STP | SONIC_CR_RXDIS;
2343
39
     s->regs[SONIC_DCR] &= ~(SONIC_DCR_EXBUS | SONIC_DCR_LBR);
2344
40
     s->regs[SONIC_RCR] &= ~(SONIC_RCR_LB0 | SONIC_RCR_LB1 | SONIC_RCR_BRD | SONIC_RCR_RNT);
2345
41
@@ -971,7 +972,6 @@ static void dp8393x_realize(DeviceState *dev, Error **errp)
2346
42
     qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
2347
43
 
2348
44
     s->watchdog = timer_new_ns(QEMU_CLOCK_VIRTUAL, dp8393x_watchdog, s);
2349
45
-    s->regs[SONIC_SR] = 0x0004; /* only revision recognized by Linux */
2350
46
 
2351
47
     memory_region_init_ram(&s->prom, OBJECT(dev),
2352
48
                            "dp8393x-prom", SONIC_PROM_SIZE, &local_err);
2353
49
-- 
2354
50
2.28.0
2355
51
2356
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch b/debian/patches/stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch
2357
0
new file mode 100644
52
new file mode 100644
2358
index 0000000..40495e4
2359
--- /dev/null
2360
+++ b/debian/patches/stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch
2361
@@ -0,0 +1,137 @@
2362
1
From 3e1d95301e8c00d8a8a2ec03ed941f019c8fd2b3 Mon Sep 17 00:00:00 2001
2363
2
From: Finn Thain <fthain@telegraphics.com.au>
2364
3
Date: Wed, 29 Jan 2020 20:27:49 +1100
2365
4
Subject: [PATCH] dp8393x: Don't stop reception upon RBE interrupt assertion
2366
5
2367
6
Section 3.4.7 of the datasheet explains that,
2368
7
2369
8
    The RBE bit in the Interrupt Status register is set when the
2370
9
    SONIC finishes using the second to last receive buffer and reads
2371
10
    the last RRA descriptor. Actually, the SONIC is not truly out of
2372
11
    resources, but gives the system an early warning of an impending
2373
12
    out of resources condition.
2374
13
2375
14
RBE does not mean actual receive buffer exhaustion, and reception should
2376
15
not be stopped. This is important because Linux will not check and clear
2377
16
the RBE interrupt until it receives another packet. But that won't
2378
17
happen if can_receive returns false. This bug causes the SONIC to become
2379
18
deaf (until reset).
2380
19
2381
20
Fix this with a new flag to indicate actual receive buffer exhaustion.
2382
21
2383
22
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2384
23
Tested-by: Laurent Vivier <laurent@vivier.eu>
2385
24
Signed-off-by: Jason Wang <jasowang@redhat.com>
2386
25
(cherry picked from commit c2279bd0a19b35057f2e4c3b4df9a915717d1142)
2387
26
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2388
27
2389
28
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=3e1d95301e
2390
29
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2391
30
Last-Update: 2020-08-19
2392
31
2393
32
---
2394
33
 hw/net/dp8393x.c | 35 ++++++++++++++++++++++-------------
2395
34
 1 file changed, 22 insertions(+), 13 deletions(-)
2396
35
2397
36
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2398
37
index d33f21bd0b..44f77c5d3c 100644
2399
38
--- a/hw/net/dp8393x.c
2400
39
+++ b/hw/net/dp8393x.c
2401
40
@@ -158,6 +158,7 @@ typedef struct dp8393xState {
2402
41
     /* Hardware */
2403
42
     uint8_t it_shift;
2404
43
     bool big_endian;
2405
44
+    bool last_rba_is_full;
2406
45
     qemu_irq irq;
2407
46
 #ifdef DEBUG_SONIC
2408
47
     int irq_level;
2409
48
@@ -347,12 +348,15 @@ static void dp8393x_do_read_rra(dp8393xState *s)
2410
49
         s->regs[SONIC_RRP] = s->regs[SONIC_RSA];
2411
50
     }
2412
51
 
2413
52
-    /* Check resource exhaustion */
2414
53
+    /* Warn the host if CRBA now has the last available resource */
2415
54
     if (s->regs[SONIC_RRP] == s->regs[SONIC_RWP])
2416
55
     {
2417
56
         s->regs[SONIC_ISR] |= SONIC_ISR_RBE;
2418
57
         dp8393x_update_irq(s);
2419
58
     }
2420
59
+
2421
60
+    /* Allow packet reception */
2422
61
+    s->last_rba_is_full = false;
2423
62
 }
2424
63
 
2425
64
 static void dp8393x_do_software_reset(dp8393xState *s)
2426
65
@@ -659,9 +663,6 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
2427
66
                 dp8393x_do_read_rra(s);
2428
67
             }
2429
68
             dp8393x_update_irq(s);
2430
69
-            if (dp8393x_can_receive(s->nic->ncs)) {
2431
70
-                qemu_flush_queued_packets(qemu_get_queue(s->nic));
2432
71
-            }
2433
72
             break;
2434
73
         /* The guest is required to store aligned pointers here */
2435
74
         case SONIC_RSA:
2436
75
@@ -721,8 +722,6 @@ static int dp8393x_can_receive(NetClientState *nc)
2437
76
 
2438
77
     if (!(s->regs[SONIC_CR] & SONIC_CR_RXEN))
2439
78
         return 0;
2440
79
-    if (s->regs[SONIC_ISR] & SONIC_ISR_RBE)
2441
80
-        return 0;
2442
81
     return 1;
2443
82
 }
2444
83
 
2445
84
@@ -773,6 +772,10 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2446
85
     s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
2447
86
         SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
2448
87
 
2449
88
+    if (s->last_rba_is_full) {
2450
89
+        return pkt_size;
2451
90
+    }
2452
91
+
2453
92
     rx_len = pkt_size + sizeof(checksum);
2454
93
     if (s->regs[SONIC_DCR] & SONIC_DCR_DW) {
2455
94
         width = 2;
2456
95
@@ -786,8 +789,8 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2457
96
         DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
2458
97
         s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
2459
98
         dp8393x_update_irq(s);
2460
99
-        dp8393x_do_read_rra(s);
2461
100
-        return pkt_size;
2462
101
+        s->regs[SONIC_RCR] |= SONIC_RCR_LPKT;
2463
102
+        goto done;
2464
103
     }
2465
104
 
2466
105
     packet_type = dp8393x_receive_filter(s, buf, pkt_size);
2467
106
@@ -899,17 +902,23 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2468
107
         s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
2469
108
     }
2470
109
 
2471
110
+    dp8393x_update_irq(s);
2472
111
+
2473
112
     s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) |
2474
113
                          ((s->regs[SONIC_RSC] + 1) & 0x00ff);
2475
114
 
2476
115
+done:
2477
116
+
2478
117
     if (s->regs[SONIC_RCR] & SONIC_RCR_LPKT) {
2479
118
-        /* Read next RRA */
2480
119
-        dp8393x_do_read_rra(s);
2481
120
+        if (s->regs[SONIC_RRP] == s->regs[SONIC_RWP]) {
2482
121
+            /* Stop packet reception */
2483
122
+            s->last_rba_is_full = true;
2484
123
+        } else {
2485
124
+            /* Read next resource */
2486
125
+            dp8393x_do_read_rra(s);
2487
126
+        }
2488
127
     }
2489
128
 
2490
129
-    /* Done */
2491
130
-    dp8393x_update_irq(s);
2492
131
-
2493
132
     return pkt_size;
2494
133
 }
2495
134
 
2496
135
-- 
2497
136
2.28.0
2498
137
2499
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch b/debian/patches/stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch
2500
0
new file mode 100644
138
new file mode 100644
2501
index 0000000..8a4e085
2502
--- /dev/null
2503
+++ b/debian/patches/stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch
2504
@@ -0,0 +1,68 @@
2505
1
From 153c3320e77cfcafc5a44d01d6fb7905121a8fd7 Mon Sep 17 00:00:00 2001
2506
2
From: Finn Thain <fthain@telegraphics.com.au>
2507
3
Date: Wed, 29 Jan 2020 20:27:49 +1100
2508
4
Subject: [PATCH] dp8393x: Have dp8393x_receive() return the packet size
2509
5
MIME-Version: 1.0
2510
6
Content-Type: text/plain; charset=UTF-8
2511
7
Content-Transfer-Encoding: 8bit
2512
8
2513
9
This function re-uses its 'size' argument as a scratch variable.
2514
10
Instead, declare a local 'size' variable for that purpose so that the
2515
11
function result doesn't get messed up.
2516
12
2517
13
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2518
14
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2519
15
Tested-by: Laurent Vivier <laurent@vivier.eu>
2520
16
Signed-off-by: Jason Wang <jasowang@redhat.com>
2521
17
(cherry picked from commit 9e3cd456d85ad45e72bdba99203302342ce29b3b)
2522
18
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2523
19
2524
20
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=153c3320e7
2525
21
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2526
22
Last-Update: 2020-08-19
2527
23
2528
24
---
2529
25
 hw/net/dp8393x.c | 9 +++++----
2530
26
 1 file changed, 5 insertions(+), 4 deletions(-)
2531
27
2532
28
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2533
29
index f89f4c7ba3..a696485a55 100644
2534
30
--- a/hw/net/dp8393x.c
2535
31
+++ b/hw/net/dp8393x.c
2536
32
@@ -757,20 +757,21 @@ static int dp8393x_receive_filter(dp8393xState *s, const uint8_t * buf,
2537
33
 }
2538
34
 
2539
35
 static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2540
36
-                               size_t size)
2541
37
+                               size_t pkt_size)
2542
38
 {
2543
39
     dp8393xState *s = qemu_get_nic_opaque(nc);
2544
40
     int packet_type;
2545
41
     uint32_t available, address;
2546
42
-    int width, rx_len = size;
2547
43
+    int width, rx_len = pkt_size;
2548
44
     uint32_t checksum;
2549
45
+    int size;
2550
46
 
2551
47
     width = (s->regs[SONIC_DCR] & SONIC_DCR_DW) ? 2 : 1;
2552
48
 
2553
49
     s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
2554
50
         SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
2555
51
 
2556
52
-    packet_type = dp8393x_receive_filter(s, buf, size);
2557
53
+    packet_type = dp8393x_receive_filter(s, buf, pkt_size);
2558
54
     if (packet_type < 0) {
2559
55
         DPRINTF("packet not for netcard\n");
2560
56
         return -1;
2561
57
@@ -864,7 +865,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2562
58
     /* Done */
2563
59
     dp8393x_update_irq(s);
2564
60
 
2565
61
-    return size;
2566
62
+    return pkt_size;
2567
63
 }
2568
64
 
2569
65
 static void dp8393x_reset(DeviceState *dev)
2570
66
-- 
2571
67
2.28.0
2572
68
2573
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch b/debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch
2574
0
new file mode 100644
69
new file mode 100644
2575
index 0000000..fcdb4ca
2576
--- /dev/null
2577
+++ b/debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch
2578
@@ -0,0 +1,57 @@
2579
1
From 3a8068f4ebb9f9500cf3d1805f5cfbd42e15ab12 Mon Sep 17 00:00:00 2001
2580
2
From: Finn Thain <fthain@telegraphics.com.au>
2581
3
Date: Wed, 29 Jan 2020 20:27:49 +1100
2582
4
Subject: [PATCH] dp8393x: Implement packet size limit and RBAE interrupt
2583
5
2584
6
Add a bounds check to prevent a large packet from causing a buffer
2585
7
overflow. This is defensive programming -- I haven't actually tried
2586
8
sending an oversized packet or a jumbo ethernet frame.
2587
9
2588
10
The SONIC handles packets that are too big for the buffer by raising
2589
11
the RBAE interrupt and dropping them. Linux uses that interrupt to
2590
12
count dropped packets.
2591
13
2592
14
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2593
15
Tested-by: Laurent Vivier <laurent@vivier.eu>
2594
16
Signed-off-by: Jason Wang <jasowang@redhat.com>
2595
17
(cherry picked from commit ada74315270d1dcabf4c9d4fece19df7ef5b9577)
2596
18
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2597
19
2598
20
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=3a8068f4eb
2599
21
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2600
22
Last-Update: 2020-08-19
2601
23
2602
24
---
2603
25
 hw/net/dp8393x.c | 9 +++++++++
2604
26
 1 file changed, 9 insertions(+)
2605
27
2606
28
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2607
29
index 04f58ee4e1..ca8088c839 100644
2608
30
--- a/hw/net/dp8393x.c
2609
31
+++ b/hw/net/dp8393x.c
2610
32
@@ -137,6 +137,7 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ## __VA_ARGS__); } while (0)
2611
33
 #define SONIC_TCR_CRCI   0x2000
2612
34
 #define SONIC_TCR_PINT   0x8000
2613
35
 
2614
36
+#define SONIC_ISR_RBAE   0x0010
2615
37
 #define SONIC_ISR_RBE    0x0020
2616
38
 #define SONIC_ISR_RDE    0x0040
2617
39
 #define SONIC_ISR_TC     0x0080
2618
40
@@ -770,6 +771,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2619
41
     s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
2620
42
         SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
2621
43
 
2622
44
+    if (pkt_size + 4 > dp8393x_rbwc(s) * 2) {
2623
45
+        DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
2624
46
+        s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
2625
47
+        dp8393x_update_irq(s);
2626
48
+        dp8393x_do_read_rra(s);
2627
49
+        return pkt_size;
2628
50
+    }
2629
51
+
2630
52
     packet_type = dp8393x_receive_filter(s, buf, pkt_size);
2631
53
     if (packet_type < 0) {
2632
54
         DPRINTF("packet not for netcard\n");
2633
55
-- 
2634
56
2.28.0
2635
57
2636
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch b/debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch
2637
0
new file mode 100644
58
new file mode 100644
2638
index 0000000..9514b07
2639
--- /dev/null
2640
+++ b/debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch
2641
@@ -0,0 +1,98 @@
2642
1
From eb54a2f9cee10cf1c7832a3536a8d5980ec313e9 Mon Sep 17 00:00:00 2001
2643
2
From: Finn Thain <fthain@telegraphics.com.au>
2644
3
Date: Mon, 20 Jan 2020 09:59:21 +1100
2645
4
Subject: [PATCH] dp8393x: Mask EOL bit from descriptor addresses
2646
5
2647
6
The Least Significant bit of a descriptor address register is used as
2648
7
an EOL flag. It has to be masked when the register value is to be used
2649
8
as an actual address for copying memory around. But when the registers
2650
9
are to be updated the EOL bit should not be masked.
2651
10
2652
11
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2653
12
Tested-by: Laurent Vivier <laurent@vivier.eu>
2654
13
Signed-off-by: Jason Wang <jasowang@redhat.com>
2655
14
(cherry picked from commit 88f632fbb1b3d31d5b6978d28f8735a6ed18b8f5)
2656
15
 Conflicts:
2657
16
	hw/net/dp8393x.c
2658
17
*drop context dep. on 19f70347731
2659
18
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2660
19
2661
20
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=eb54a2f9ce
2662
21
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2663
22
Last-Update: 2020-08-19
2664
23
2665
24
---
2666
25
 hw/net/dp8393x.c | 17 +++++++++++------
2667
26
 1 file changed, 11 insertions(+), 6 deletions(-)
2668
27
2669
28
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2670
29
index 3d991af163..7ca6a6dd46 100644
2671
30
--- a/hw/net/dp8393x.c
2672
31
+++ b/hw/net/dp8393x.c
2673
32
@@ -145,6 +145,9 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ## __VA_ARGS__); } while (0)
2674
33
 #define SONIC_ISR_PINT   0x0800
2675
34
 #define SONIC_ISR_LCD    0x1000
2676
35
 
2677
36
+#define SONIC_DESC_EOL   0x0001
2678
37
+#define SONIC_DESC_ADDR  0xFFFE
2679
38
+
2680
39
 #define TYPE_DP8393X "dp8393x"
2681
40
 #define DP8393X(obj) OBJECT_CHECK(dp8393xState, (obj), TYPE_DP8393X)
2682
41
 
2683
42
@@ -197,7 +200,8 @@ static uint32_t dp8393x_crba(dp8393xState *s)
2684
43
 
2685
44
 static uint32_t dp8393x_crda(dp8393xState *s)
2686
45
 {
2687
46
-    return (s->regs[SONIC_URDA] << 16) | s->regs[SONIC_CRDA];
2688
47
+    return (s->regs[SONIC_URDA] << 16) |
2689
48
+           (s->regs[SONIC_CRDA] & SONIC_DESC_ADDR);
2690
49
 }
2691
50
 
2692
51
 static uint32_t dp8393x_rbwc(dp8393xState *s)
2693
52
@@ -217,7 +221,8 @@ static uint32_t dp8393x_tsa(dp8393xState *s)
2694
53
 
2695
54
 static uint32_t dp8393x_ttda(dp8393xState *s)
2696
55
 {
2697
56
-    return (s->regs[SONIC_UTDA] << 16) | s->regs[SONIC_TTDA];
2698
57
+    return (s->regs[SONIC_UTDA] << 16) |
2699
58
+           (s->regs[SONIC_TTDA] & SONIC_DESC_ADDR);
2700
59
 }
2701
60
 
2702
61
 static uint32_t dp8393x_wt(dp8393xState *s)
2703
62
@@ -507,7 +512,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
2704
63
                              (4 + 3 * s->regs[SONIC_TFC]) * width,
2705
64
                 MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 0);
2706
65
             s->regs[SONIC_CTDA] = dp8393x_get(s, width, 0) & ~0x1;
2707
66
-            if (dp8393x_get(s, width, 0) & 0x1) {
2708
67
+            if (dp8393x_get(s, width, 0) & SONIC_DESC_EOL) {
2709
68
                 /* EOL detected */
2710
69
                 break;
2711
70
             }
2712
71
@@ -763,13 +768,13 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2713
72
     /* XXX: Check byte ordering */
2714
73
 
2715
74
     /* Check for EOL */
2716
75
-    if (s->regs[SONIC_LLFA] & 0x1) {
2717
76
+    if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) {
2718
77
         /* Are we still in resource exhaustion? */
2719
78
         size = sizeof(uint16_t) * 1 * width;
2720
79
         address = dp8393x_crda(s) + sizeof(uint16_t) * 5 * width;
2721
80
         address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
2722
81
                          (uint8_t *)s->data, size, 0);
2723
82
-        if (dp8393x_get(s, width, 0) & 0x1) {
2724
83
+        if (dp8393x_get(s, width, 0) & SONIC_DESC_EOL) {
2725
84
             /* Still EOL ; stop reception */
2726
85
             return -1;
2727
86
         } else {
2728
87
@@ -827,7 +832,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2729
88
     address_space_rw(&s->as, dp8393x_crda(s) + sizeof(uint16_t) * 5 * width,
2730
89
         MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 0);
2731
90
     s->regs[SONIC_LLFA] = dp8393x_get(s, width, 0);
2732
91
-    if (s->regs[SONIC_LLFA] & 0x1) {
2733
92
+    if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) {
2734
93
         /* EOL detected */
2735
94
         s->regs[SONIC_ISR] |= SONIC_ISR_RDE;
2736
95
     } else {
2737
96
-- 
2738
97
2.28.0
2739
98
2740
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch b/debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch
2741
0
new file mode 100644
99
new file mode 100644
2742
index 0000000..9eea6ff
2743
--- /dev/null
2744
+++ b/debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch
2745
@@ -0,0 +1,113 @@
2746
1
From cbc8277051f76f8131f5d4c787862a16a5fa1707 Mon Sep 17 00:00:00 2001
2747
2
From: Finn Thain <fthain@telegraphics.com.au>
2748
3
Date: Wed, 29 Jan 2020 20:27:49 +1100
2749
4
Subject: [PATCH] dp8393x: Pad frames to word or long word boundary
2750
5
MIME-Version: 1.0
2751
6
Content-Type: text/plain; charset=UTF-8
2752
7
Content-Transfer-Encoding: 8bit
2753
8
2754
9
The existing code has a bug where the Remaining Buffer Word Count (RBWC)
2755
10
is calculated with a truncating division, which gives the wrong result
2756
11
for odd-sized packets.
2757
12
2758
13
Section 1.4.1 of the datasheet says,
2759
14
2760
15
    Once the end of the packet has been reached, the serializer will
2761
16
    fill out the last word (16-bit mode) or long word (32-bit mode)
2762
17
    if the last byte did not end on a word or long word boundary
2763
18
    respectively. The fill byte will be 0FFh.
2764
19
2765
20
Implement buffer padding so that buffer limits are correctly enforced.
2766
21
2767
22
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2768
23
Tested-by: Laurent Vivier <laurent@vivier.eu>
2769
24
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2770
25
Signed-off-by: Jason Wang <jasowang@redhat.com>
2771
26
(cherry picked from commit 350e7d9a77d3b9ac74d240e4b232db1ebe5c05bc)
2772
27
*drop context dependencies from b7cbebf2b9d, 1ccda935d4f, and
2773
28
 19f70347731
2774
29
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2775
30
2776
31
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=cbc8277051
2777
32
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2778
33
Last-Update: 2020-08-19
2779
34
2780
35
---
2781
36
 hw/net/dp8393x.c | 39 ++++++++++++++++++++++++++++-----------
2782
37
 1 file changed, 28 insertions(+), 11 deletions(-)
2783
38
2784
39
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2785
40
index 40e3a029b6..0e9061d831 100644
2786
41
--- a/hw/net/dp8393x.c
2787
42
+++ b/hw/net/dp8393x.c
2788
43
@@ -766,16 +766,23 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2789
44
     dp8393xState *s = qemu_get_nic_opaque(nc);
2790
45
     int packet_type;
2791
46
     uint32_t available, address;
2792
47
-    int width, rx_len = pkt_size;
2793
48
+    int width, rx_len, padded_len;
2794
49
     uint32_t checksum;
2795
50
     int size;
2796
51
 
2797
52
-    width = (s->regs[SONIC_DCR] & SONIC_DCR_DW) ? 2 : 1;
2798
53
-
2799
54
     s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
2800
55
         SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
2801
56
 
2802
57
-    if (pkt_size + 4 > dp8393x_rbwc(s) * 2) {
2803
58
+    rx_len = pkt_size + sizeof(checksum);
2804
59
+    if (s->regs[SONIC_DCR] & SONIC_DCR_DW) {
2805
60
+        width = 2;
2806
61
+        padded_len = ((rx_len - 1) | 3) + 1;
2807
62
+    } else {
2808
63
+        width = 1;
2809
64
+        padded_len = ((rx_len - 1) | 1) + 1;
2810
65
+    }
2811
66
+
2812
67
+    if (padded_len > dp8393x_rbwc(s) * 2) {
2813
68
         DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
2814
69
         s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
2815
70
         dp8393x_update_irq(s);
2816
71
@@ -810,22 +817,32 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2817
72
     s->regs[SONIC_TRBA0] = s->regs[SONIC_CRBA0];
2818
73
 
2819
74
     /* Calculate the ethernet checksum */
2820
75
-    checksum = cpu_to_le32(crc32(0, buf, rx_len));
2821
76
+    checksum = cpu_to_le32(crc32(0, buf, pkt_size));
2822
77
 
2823
78
     /* Put packet into RBA */
2824
79
     DPRINTF("Receive packet at %08x\n", dp8393x_crba(s));
2825
80
     address = dp8393x_crba(s);
2826
81
     address_space_rw(&s->as, address,
2827
82
-        MEMTXATTRS_UNSPECIFIED, (uint8_t *)buf, rx_len, 1);
2828
83
-    address += rx_len;
2829
84
+        MEMTXATTRS_UNSPECIFIED, (uint8_t *)buf, pkt_size, 1);
2830
85
+    address += pkt_size;
2831
86
+
2832
87
+    /* Put frame checksum into RBA */
2833
88
     address_space_rw(&s->as, address,
2834
89
-        MEMTXATTRS_UNSPECIFIED, (uint8_t *)&checksum, 4, 1);
2835
90
-    address += 4;
2836
91
-    rx_len += 4;
2837
92
+        MEMTXATTRS_UNSPECIFIED, (uint8_t *)&checksum, sizeof(checksum), 1);
2838
93
+    address += sizeof(checksum);
2839
94
+
2840
95
+    /* Pad short packets to keep pointers aligned */
2841
96
+    if (rx_len < padded_len) {
2842
97
+        size = padded_len - rx_len;
2843
98
+        address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
2844
99
+            (uint8_t *)"\xFF\xFF\xFF", size, 1);
2845
100
+        address += size;
2846
101
+    }
2847
102
+
2848
103
     s->regs[SONIC_CRBA1] = address >> 16;
2849
104
     s->regs[SONIC_CRBA0] = address & 0xffff;
2850
105
     available = dp8393x_rbwc(s);
2851
106
-    available -= rx_len / 2;
2852
107
+    available -= padded_len >> 1;
2853
108
     s->regs[SONIC_RBWC1] = available >> 16;
2854
109
     s->regs[SONIC_RBWC0] = available & 0xffff;
2855
110
 
2856
111
-- 
2857
112
2.28.0
2858
113
2859
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch b/debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch
2860
0
new file mode 100644
114
new file mode 100644
2861
index 0000000..d150124
2862
--- /dev/null
2863
+++ b/debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch
2864
@@ -0,0 +1,75 @@
2865
1
From edd67a61f499982bcc2098962c8e04c5210f2f80 Mon Sep 17 00:00:00 2001
2866
2
From: Finn Thain <fthain@telegraphics.com.au>
2867
3
Date: Wed, 29 Jan 2020 20:27:49 +1100
2868
4
Subject: [PATCH] dp8393x: Update LLFA and CRDA registers from rx descriptor
2869
5
MIME-Version: 1.0
2870
6
Content-Type: text/plain; charset=UTF-8
2871
7
Content-Transfer-Encoding: 8bit
2872
8
2873
9
Follow the algorithm given in the National Semiconductor DP83932C
2874
10
datasheet in section 3.4.7:
2875
11
2876
12
    At the next reception, the SONIC re-reads the last RXpkt.link field,
2877
13
    and updates its CRDA register to point to the next descriptor.
2878
14
2879
15
The chip is designed to allow the host to provide a new list of
2880
16
descriptors in this way.
2881
17
2882
18
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2883
19
Tested-by: Laurent Vivier <laurent@vivier.eu>
2884
20
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2885
21
Signed-off-by: Jason Wang <jasowang@redhat.com>
2886
22
(cherry picked from commit 5b0c98fcb7ac006bd8efe0e0fecba52c43a9d028)
2887
23
*drop context dep on 19f70347731
2888
24
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2889
25
2890
26
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=edd67a61f4
2891
27
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2892
28
Last-Update: 2020-08-19
2893
29
2894
30
---
2895
31
 hw/net/dp8393x.c | 11 +++++++----
2896
32
 1 file changed, 7 insertions(+), 4 deletions(-)
2897
33
2898
34
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2899
35
index a696485a55..8dd6bf032c 100644
2900
36
--- a/hw/net/dp8393x.c
2901
37
+++ b/hw/net/dp8393x.c
2902
38
@@ -784,12 +784,13 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2903
39
         address = dp8393x_crda(s) + sizeof(uint16_t) * 5 * width;
2904
40
         address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
2905
41
                          (uint8_t *)s->data, size, 0);
2906
42
-        if (dp8393x_get(s, width, 0) & SONIC_DESC_EOL) {
2907
43
+        s->regs[SONIC_LLFA] = dp8393x_get(s, width, 0);
2908
44
+        if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) {
2909
45
             /* Still EOL ; stop reception */
2910
46
             return -1;
2911
47
-        } else {
2912
48
-            s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
2913
49
         }
2914
50
+        /* Link has been updated by host */
2915
51
+        s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
2916
52
     }
2917
53
 
2918
54
     /* Save current position */
2919
55
@@ -837,7 +838,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2920
56
     address_space_rw(&s->as, dp8393x_crda(s),
2921
57
         MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 1);
2922
58
 
2923
59
-    /* Move to next descriptor */
2924
60
+    /* Check link field */
2925
61
     size = sizeof(uint16_t) * width;
2926
62
     address_space_rw(&s->as, dp8393x_crda(s) + sizeof(uint16_t) * 5 * width,
2927
63
         MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 0);
2928
64
@@ -852,6 +853,8 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
2929
65
         dp8393x_put(s, width, 0, 0);
2930
66
         address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
2931
67
                          (uint8_t *)s->data, size, true);
2932
68
+
2933
69
+        /* Move to next descriptor */
2934
70
         s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
2935
71
         s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
2936
72
         s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | (((s->regs[SONIC_RSC] & 0x00ff) + 1) & 0x00ff);
2937
73
-- 
2938
74
2.28.0
2939
75
2940
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch b/debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch
2941
0
new file mode 100644
76
new file mode 100644
2942
index 0000000..6026297
2943
--- /dev/null
2944
+++ b/debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch
2945
@@ -0,0 +1,60 @@
2946
1
From e7cad754fd0bf00c671a1509acc2981f11736ee8 Mon Sep 17 00:00:00 2001
2947
2
From: Finn Thain <fthain@telegraphics.com.au>
2948
3
Date: Wed, 29 Jan 2020 20:27:49 +1100
2949
4
Subject: [PATCH] dp8393x: Use long-word-aligned RRA pointers in 32-bit mode
2950
5
MIME-Version: 1.0
2951
6
Content-Type: text/plain; charset=UTF-8
2952
7
Content-Transfer-Encoding: 8bit
2953
8
2954
9
Section 3.4.1 of the datasheet says,
2955
10
2956
11
    The alignment of the RRA is confined to either word or long word
2957
12
    boundaries, depending upon the data width mode. In 16-bit mode,
2958
13
    the RRA must be aligned to a word boundary (A0 is always zero)
2959
14
    and in 32-bit mode, the RRA is aligned to a long word boundary
2960
15
    (A0 and A1 are always zero).
2961
16
2962
17
This constraint has been implemented for 16-bit mode; implement it
2963
18
for 32-bit mode too.
2964
19
2965
20
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
2966
21
Tested-by: Laurent Vivier <laurent@vivier.eu>
2967
22
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2968
23
Signed-off-by: Jason Wang <jasowang@redhat.com>
2969
24
(cherry picked from commit ea2270279bc2e1635cb6e909e22e17e630198773)
2970
25
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
2971
26
2972
27
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=e7cad754fd
2973
28
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
2974
29
Last-Update: 2020-08-19
2975
30
2976
31
---
2977
32
 hw/net/dp8393x.c | 8 ++++++--
2978
33
 1 file changed, 6 insertions(+), 2 deletions(-)
2979
34
2980
35
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
2981
36
index 315b4ad844..40e3a029b6 100644
2982
37
--- a/hw/net/dp8393x.c
2983
38
+++ b/hw/net/dp8393x.c
2984
39
@@ -663,12 +663,16 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
2985
40
                 qemu_flush_queued_packets(qemu_get_queue(s->nic));
2986
41
             }
2987
42
             break;
2988
43
-        /* Ignore least significant bit */
2989
44
+        /* The guest is required to store aligned pointers here */
2990
45
         case SONIC_RSA:
2991
46
         case SONIC_REA:
2992
47
         case SONIC_RRP:
2993
48
         case SONIC_RWP:
2994
49
-            s->regs[reg] = val & 0xfffe;
2995
50
+            if (s->regs[SONIC_DCR] & SONIC_DCR_DW) {
2996
51
+                s->regs[reg] = val & 0xfffc;
2997
52
+            } else {
2998
53
+                s->regs[reg] = val & 0xfffe;
2999
54
+            }
3000
55
             break;
3001
56
         /* Invert written value for some registers */
3002
57
         case SONIC_CRCT:
3003
58
-- 
3004
59
2.28.0
3005
60
3006
diff --git a/debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch b/debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch
3007
0
new file mode 100644
61
new file mode 100644
3008
index 0000000..41bf056
3009
--- /dev/null
3010
+++ b/debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch
3011
@@ -0,0 +1,51 @@
3012
1
From 25fcaed9a366314c21793e14624c89db75224b50 Mon Sep 17 00:00:00 2001
3013
2
From: Peter Maydell <peter.maydell@linaro.org>
3014
3
Date: Tue, 24 Mar 2020 17:36:30 +0000
3015
4
Subject: [PATCH] dump: Fix writing of ELF section
3016
5
MIME-Version: 1.0
3017
6
Content-Type: text/plain; charset=UTF-8
3018
7
Content-Transfer-Encoding: 8bit
3019
8
3020
9
In write_elf_section() we set the 'shdr' pointer to point to local
3021
10
structures shdr32 or shdr64, which we fill in to be written out to
3022
11
the ELF dump.  Unfortunately the address we pass to fd_write_vmcore()
3023
12
has a spurious '&' operator, so instead of writing out the section
3024
13
header we write out the literal pointer value followed by whatever is
3025
14
on the stack after the 'shdr' local variable.
3026
15
3027
16
Pass the correct address into fd_write_vmcore().
3028
17
3029
18
Spotted by Coverity: CID 1421970.
3030
19
3031
20
Cc: qemu-stable@nongnu.org
3032
21
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3033
22
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
3034
23
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
3035
24
Message-id: 20200324173630.12221-1-peter.maydell@linaro.org
3036
25
(cherry picked from commit 174d2d6856bf435f4f58e9303ba30dd0e1279d3f)
3037
26
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3038
27
3039
28
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=25fcaed9a3
3040
29
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3041
30
Last-Update: 2020-08-19
3042
31
3043
32
---
3044
33
 dump/dump.c | 2 +-
3045
34
 1 file changed, 1 insertion(+), 1 deletion(-)
3046
35
3047
36
diff --git a/dump/dump.c b/dump/dump.c
3048
37
index 6fb6e1245a..22ed1d3b0d 100644
3049
38
--- a/dump/dump.c
3050
39
+++ b/dump/dump.c
3051
40
@@ -364,7 +364,7 @@ static void write_elf_section(DumpState *s, int type, Error **errp)
3052
41
         shdr = &shdr64;
3053
42
     }
3054
43
 
3055
44
-    ret = fd_write_vmcore(&shdr, shdr_size, s);
3056
45
+    ret = fd_write_vmcore(shdr, shdr_size, s);
3057
46
     if (ret < 0) {
3058
47
         error_setg_errno(errp, -ret,
3059
48
                          "dump: failed to write section header table");
3060
49
-- 
3061
50
2.28.0
3062
51
3063
diff --git a/debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch b/debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch
3064
0
new file mode 100644
52
new file mode 100644
3065
index 0000000..1193bf2
3066
--- /dev/null
3067
+++ b/debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch
3068
@@ -0,0 +1,54 @@
3069
1
From 674d3822250a8830fb8e9720ce499f2e8cef6a88 Mon Sep 17 00:00:00 2001
3070
2
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
3071
3
Date: Mon, 23 Mar 2020 12:08:22 +0000
3072
4
Subject: [PATCH] hmp/vnc: Fix info vnc list leak
3073
5
3074
6
We're iterating the list, and then freeing the iteration pointer rather
3075
7
than the list head.
3076
8
3077
9
Fixes: 0a9667ecdb6d ("hmp: Update info vnc")
3078
10
Reported-by: Coverity (CID 1421932)
3079
11
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
3080
12
Message-Id: <20200323120822.51266-1-dgilbert@redhat.com>
3081
13
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3082
14
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
3083
15
(cherry picked from commit d4ff109373ce871928c7e9ef648973eba642b484)
3084
16
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3085
17
3086
18
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=674d382225
3087
19
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3088
20
Last-Update: 2020-08-19
3089
21
3090
22
---
3091
23
 monitor/hmp-cmds.c | 5 +++--
3092
24
 1 file changed, 3 insertions(+), 2 deletions(-)
3093
25
3094
26
diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
3095
27
index b2551c16d1..2fdc84ec99 100644
3096
28
--- a/monitor/hmp-cmds.c
3097
29
+++ b/monitor/hmp-cmds.c
3098
30
@@ -729,10 +729,11 @@ static void hmp_info_vnc_servers(Monitor *mon, VncServerInfo2List *server)
3099
31
 
3100
32
 void hmp_info_vnc(Monitor *mon, const QDict *qdict)
3101
33
 {
3102
34
-    VncInfo2List *info2l;
3103
35
+    VncInfo2List *info2l, *info2l_head;
3104
36
     Error *err = NULL;
3105
37
 
3106
38
     info2l = qmp_query_vnc_servers(&err);
3107
39
+    info2l_head = info2l;
3108
40
     if (err) {
3109
41
         hmp_handle_error(mon, &err);
3110
42
         return;
3111
43
@@ -761,7 +762,7 @@ void hmp_info_vnc(Monitor *mon, const QDict *qdict)
3112
44
         info2l = info2l->next;
3113
45
     }
3114
46
 
3115
47
-    qapi_free_VncInfo2List(info2l);
3116
48
+    qapi_free_VncInfo2List(info2l_head);
3117
49
 
3118
50
 }
3119
51
 #endif
3120
52
-- 
3121
53
2.28.0
3122
54
3123
diff --git a/debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch b/debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch
3124
0
new file mode 100644
55
new file mode 100644
3125
index 0000000..27298fa
3126
--- /dev/null
3127
+++ b/debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch
3128
@@ -0,0 +1,61 @@
3129
1
From 34c78a4100c967cc385fcfd4c2295b2b0ebd8786 Mon Sep 17 00:00:00 2001
3130
2
From: Igor Mammedov <imammedo@redhat.com>
3131
3
Date: Thu, 30 Apr 2020 11:46:06 -0400
3132
4
Subject: [PATCH] hostmem: don't use mbind() if host-nodes is empty
3133
5
MIME-Version: 1.0
3134
6
Content-Type: text/plain; charset=UTF-8
3135
7
Content-Transfer-Encoding: 8bit
3136
8
3137
9
Since 5.0 QEMU uses hostmem backend for allocating main guest RAM.
3138
10
The backend however calls mbind() which is typically NOP
3139
11
in case of default policy/absent host-nodes bitmap.
3140
12
However when runing in container with black-listed mbind()
3141
13
syscall, QEMU fails to start with error
3142
14
 "cannot bind memory to host NUMA nodes: Operation not permitted"
3143
15
even when user hasn't provided host-nodes to pin to explictly
3144
16
(which is the case with -m option)
3145
17
3146
18
To fix issue, call mbind() only in case when user has provided
3147
19
host-nodes explicitly (i.e. host_nodes bitmap is not empty).
3148
20
That should allow to run QEMU in containers with black-listed
3149
21
mbind() without memory pinning. If QEMU provided memory-pinning
3150
22
is required user still has to white-list mbind() in container
3151
23
configuration.
3152
24
3153
25
Reported-by: Manuel Hohmann <mhohmann@physnet.uni-hamburg.de>
3154
26
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
3155
27
Message-Id: <20200430154606.6421-1-imammedo@redhat.com>
3156
28
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
3157
29
Cc: qemu-stable@nongnu.org
3158
30
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
3159
31
(cherry picked from commit 70b6d525dfb51d5e523d568d1139fc051bc223c5)
3160
32
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3161
33
3162
34
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=34c78a4100
3163
35
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3164
36
Last-Update: 2020-08-19
3165
37
3166
38
---
3167
39
 backends/hostmem.c | 6 ++++--
3168
40
 1 file changed, 4 insertions(+), 2 deletions(-)
3169
41
3170
42
diff --git a/backends/hostmem.c b/backends/hostmem.c
3171
43
index e773bdfa6e..21b1993e49 100644
3172
44
--- a/backends/hostmem.c
3173
45
+++ b/backends/hostmem.c
3174
46
@@ -363,8 +363,10 @@ host_memory_backend_memory_complete(UserCreatable *uc, Error **errp)
3175
47
         assert(sizeof(backend->host_nodes) >=
3176
48
                BITS_TO_LONGS(MAX_NODES + 1) * sizeof(unsigned long));
3177
49
         assert(maxnode <= MAX_NODES);
3178
50
-        if (mbind(ptr, sz, backend->policy,
3179
51
-                  maxnode ? backend->host_nodes : NULL, maxnode + 1, flags)) {
3180
52
+
3181
53
+        if (maxnode &&
3182
54
+            mbind(ptr, sz, backend->policy, backend->host_nodes, maxnode + 1,
3183
55
+                  flags)) {
3184
56
             if (backend->policy != MPOL_DEFAULT || errno != ENOSYS) {
3185
57
                 error_setg_errno(errp, errno,
3186
58
                                  "cannot bind memory to host NUMA nodes");
3187
59
-- 
3188
60
2.28.0
3189
61
3190
diff --git a/debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch b/debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch
3191
0
new file mode 100644
62
new file mode 100644
3192
index 0000000..7690bd7
3193
--- /dev/null
3194
+++ b/debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch
3195
@@ -0,0 +1,59 @@
3196
1
From 9dd68ac26b5a413dc948efe9bbf414702bc200da Mon Sep 17 00:00:00 2001
3197
2
From: Niek Linnenbank <nieklinnenbank@gmail.com>
3198
3
Date: Thu, 5 Mar 2020 16:09:19 +0000
3199
4
Subject: [PATCH] hw/arm/cubieboard: use ARM Cortex-A8 as the default CPU in
3200
5
 machine definition
3201
6
MIME-Version: 1.0
3202
7
Content-Type: text/plain; charset=UTF-8
3203
8
Content-Transfer-Encoding: 8bit
3204
9
3205
10
The Cubieboard is a singleboard computer with an Allwinner A10 System-on-Chip [1].
3206
11
As documented in the Allwinner A10 User Manual V1.5 [2], the SoC has an ARM
3207
12
Cortex-A8 processor. Currently the Cubieboard machine definition specifies the
3208
13
ARM Cortex-A9 in its description and as the default CPU.
3209
14
3210
15
This patch corrects the Cubieboard machine definition to use the ARM Cortex-A8.
3211
16
3212
17
The only user-visible effect is that our textual description of the
3213
18
machine was wrong, because hw/arm/allwinner-a10.c always creates a
3214
19
Cortex-A8 CPU regardless of the default value in the MachineClass struct.
3215
20
3216
21
 [1] http://docs.cubieboard.org/products/start#cubieboard1
3217
22
 [2] https://linux-sunxi.org/File:Allwinner_A10_User_manual_V1.5.pdf
3218
23
3219
24
Fixes: 8a863c8120994981a099
3220
25
Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
3221
26
Message-id: 20200227220149.6845-2-nieklinnenbank@gmail.com
3222
27
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
3223
28
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3224
29
[note in commit message that the bug didn't have much visible effect]
3225
30
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3226
31
(cherry picked from commit 2104df2a1fbf44b2564427aa72fd58d66ce290a7)
3227
32
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3228
33
3229
34
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9dd68ac26b
3230
35
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3231
36
Last-Update: 2020-08-19
3232
37
3233
38
---
3234
39
 hw/arm/cubieboard.c | 4 ++--
3235
40
 1 file changed, 2 insertions(+), 2 deletions(-)
3236
41
3237
42
diff --git a/hw/arm/cubieboard.c b/hw/arm/cubieboard.c
3238
43
index 6dc2f1d6b6..d8e8919e79 100644
3239
44
--- a/hw/arm/cubieboard.c
3240
45
+++ b/hw/arm/cubieboard.c
3241
46
@@ -78,8 +78,8 @@ static void cubieboard_init(MachineState *machine)
3242
47
 
3243
48
 static void cubieboard_machine_init(MachineClass *mc)
3244
49
 {
3245
50
-    mc->desc = "cubietech cubieboard (Cortex-A9)";
3246
51
-    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a9");
3247
52
+    mc->desc = "cubietech cubieboard (Cortex-A8)";
3248
53
+    mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a8");
3249
54
     mc->init = cubieboard_init;
3250
55
     mc->block_default_type = IF_IDE;
3251
56
     mc->units_per_default_bus = 1;
3252
57
-- 
3253
58
2.28.0
3254
59
3255
diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch
3256
0
new file mode 100644
60
new file mode 100644
3257
index 0000000..eb50555
3258
--- /dev/null
3259
+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch
3260
@@ -0,0 +1,83 @@
3261
1
From 65fad28d85f137edd895ac90a83b42bb36aad481 Mon Sep 17 00:00:00 2001
3262
2
From: Simon Veith <sveith@amazon.de>
3263
3
Date: Fri, 20 Dec 2019 14:03:00 +0000
3264
4
Subject: [PATCH] hw/arm/smmuv3: Align stream table base address to table size
3265
5
3266
6
Per the specification, and as observed in hardware, the SMMUv3 aligns
3267
7
the SMMU_STRTAB_BASE address to the size of the table by masking out the
3268
8
respective least significant bits in the ADDR field.
3269
9
3270
10
Apply this masking logic to our smmu_find_ste() lookup function per the
3271
11
specification.
3272
12
3273
13
ref. ARM IHI 0070C, section 6.3.23.
3274
14
3275
15
Signed-off-by: Simon Veith <sveith@amazon.de>
3276
16
Acked-by: Eric Auger <eric.auger@redhat.com>
3277
17
Tested-by: Eric Auger <eric.auger@redhat.com>
3278
18
Message-id: 1576509312-13083-5-git-send-email-sveith@amazon.de
3279
19
Cc: Eric Auger <eric.auger@redhat.com>
3280
20
Cc: qemu-devel@nongnu.org
3281
21
Cc: qemu-arm@nongnu.org
3282
22
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3283
23
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3284
24
(cherry picked from commit 41678c33aac61261522b74f08595ccf2221a430a)
3285
25
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3286
26
3287
27
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=65fad28d85
3288
28
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3289
29
Last-Update: 2020-08-19
3290
30
3291
31
---
3292
32
 hw/arm/smmuv3.c | 18 ++++++++++++++----
3293
33
 1 file changed, 14 insertions(+), 4 deletions(-)
3294
34
3295
35
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
3296
36
index 727558bcfa..31ac3ca32e 100644
3297
37
--- a/hw/arm/smmuv3.c
3298
38
+++ b/hw/arm/smmuv3.c
3299
39
@@ -376,8 +376,9 @@ bad_ste:
3300
40
 static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
3301
41
                          SMMUEventInfo *event)
3302
42
 {
3303
43
-    dma_addr_t addr;
3304
44
+    dma_addr_t addr, strtab_base;
3305
45
     uint32_t log2size;
3306
46
+    int strtab_size_shift;
3307
47
     int ret;
3308
48
 
3309
49
     trace_smmuv3_find_ste(sid, s->features, s->sid_split);
3310
50
@@ -391,10 +392,16 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
3311
51
     }
3312
52
     if (s->features & SMMU_FEATURE_2LVL_STE) {
3313
53
         int l1_ste_offset, l2_ste_offset, max_l2_ste, span;
3314
54
-        dma_addr_t strtab_base, l1ptr, l2ptr;
3315
55
+        dma_addr_t l1ptr, l2ptr;
3316
56
         STEDesc l1std;
3317
57
 
3318
58
-        strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK;
3319
59
+        /*
3320
60
+         * Align strtab base address to table size. For this purpose, assume it
3321
61
+         * is not bounded by SMMU_IDR1_SIDSIZE.
3322
62
+         */
3323
63
+        strtab_size_shift = MAX(5, (int)log2size - s->sid_split - 1 + 3);
3324
64
+        strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK &
3325
65
+                      ~MAKE_64BIT_MASK(0, strtab_size_shift);
3326
66
         l1_ste_offset = sid >> s->sid_split;
3327
67
         l2_ste_offset = sid & ((1 << s->sid_split) - 1);
3328
68
         l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std));
3329
69
@@ -433,7 +440,10 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
3330
70
         }
3331
71
         addr = l2ptr + l2_ste_offset * sizeof(*ste);
3332
72
     } else {
3333
73
-        addr = (s->strtab_base & SMMU_BASE_ADDR_MASK) + sid * sizeof(*ste);
3334
74
+        strtab_size_shift = log2size + 5;
3335
75
+        strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK &
3336
76
+                      ~MAKE_64BIT_MASK(0, strtab_size_shift);
3337
77
+        addr = strtab_base + sid * sizeof(*ste);
3338
78
     }
3339
79
 
3340
80
     if (smmu_get_ste(s, addr, ste, event)) {
3341
81
-- 
3342
82
2.28.0
3343
83
3344
diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch
3345
0
new file mode 100644
84
new file mode 100644
3346
index 0000000..c88cb54
3347
--- /dev/null
3348
+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch
3349
@@ -0,0 +1,59 @@
3350
1
From e8ae3a4e2bb72ae636ecbf201b0f74d4bf7d5aeb Mon Sep 17 00:00:00 2001
3351
2
From: Simon Veith <sveith@amazon.de>
3352
3
Date: Fri, 20 Dec 2019 14:03:00 +0000
3353
4
Subject: [PATCH] hw/arm/smmuv3: Apply address mask to linear strtab base
3354
5
 address
3355
6
3356
7
In the SMMU_STRTAB_BASE register, the stream table base address only
3357
8
occupies bits [51:6]. Other bits, such as RA (bit [62]), must be masked
3358
9
out to obtain the base address.
3359
10
3360
11
The branch for 2-level stream tables correctly applies this mask by way
3361
12
of SMMU_BASE_ADDR_MASK, but the one for linear stream tables does not.
3362
13
3363
14
Apply the missing mask in that case as well so that the correct stream
3364
15
base address is used by guests which configure a linear stream table.
3365
16
3366
17
Linux guests are unaffected by this change because they choose a 2-level
3367
18
stream table layout for the QEMU SMMUv3, based on the size of its stream
3368
19
ID space.
3369
20
3370
21
ref. ARM IHI 0070C, section 6.3.23.
3371
22
3372
23
Signed-off-by: Simon Veith <sveith@amazon.de>
3373
24
Acked-by: Eric Auger <eric.auger@redhat.com>
3374
25
Tested-by: Eric Auger <eric.auger@redhat.com>
3375
26
Message-id: 1576509312-13083-2-git-send-email-sveith@amazon.de
3376
27
Cc: Eric Auger <eric.auger@redhat.com>
3377
28
Cc: qemu-devel@nongnu.org
3378
29
Cc: qemu-arm@nongnu.org
3379
30
Acked-by: Eric Auger <eric.auger@redhat.com>
3380
31
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3381
32
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3382
33
(cherry picked from commit 3d44c60500785f18bb469c9de0aeba7415c0f28f)
3383
34
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3384
35
3385
36
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=e8ae3a4e2b
3386
37
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3387
38
Last-Update: 2020-08-19
3388
39
3389
40
---
3390
41
 hw/arm/smmuv3.c | 2 +-
3391
42
 1 file changed, 1 insertion(+), 1 deletion(-)
3392
43
3393
44
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
3394
45
index e2fbb8357e..eef9a18d70 100644
3395
46
--- a/hw/arm/smmuv3.c
3396
47
+++ b/hw/arm/smmuv3.c
3397
48
@@ -429,7 +429,7 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
3398
49
         }
3399
50
         addr = l2ptr + l2_ste_offset * sizeof(*ste);
3400
51
     } else {
3401
52
-        addr = s->strtab_base + sid * sizeof(*ste);
3402
53
+        addr = (s->strtab_base & SMMU_BASE_ADDR_MASK) + sid * sizeof(*ste);
3403
54
     }
3404
55
 
3405
56
     if (smmu_get_ste(s, addr, ste, event)) {
3406
57
-- 
3407
58
2.28.0
3408
59
3409
diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch
3410
0
new file mode 100644
60
new file mode 100644
3411
index 0000000..90f85c4
3412
--- /dev/null
3413
+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch
3414
@@ -0,0 +1,63 @@
3415
1
From 256ecc06eb534e7d851fcdf667132a8721b5ad61 Mon Sep 17 00:00:00 2001
3416
2
From: Simon Veith <sveith@amazon.de>
3417
3
Date: Fri, 20 Dec 2019 14:03:00 +0000
3418
4
Subject: [PATCH] hw/arm/smmuv3: Check stream IDs against actual table LOG2SIZE
3419
5
3420
6
When checking whether a stream ID is in range of the stream table, we
3421
7
have so far been only checking it against our implementation limit
3422
8
(SMMU_IDR1_SIDSIZE). However, the guest can program the
3423
9
STRTAB_BASE_CFG.LOG2SIZE field to a size that is smaller than this
3424
10
limit.
3425
11
3426
12
Check the stream ID against this limit as well to match the hardware
3427
13
behavior of raising C_BAD_STREAMID events in case the limit is exceeded.
3428
14
Also, ensure that we do not go one entry beyond the end of the table by
3429
15
checking that its index is strictly smaller than the table size.
3430
16
3431
17
ref. ARM IHI 0070C, section 6.3.24.
3432
18
3433
19
Signed-off-by: Simon Veith <sveith@amazon.de>
3434
20
Acked-by: Eric Auger <eric.auger@redhat.com>
3435
21
Tested-by: Eric Auger <eric.auger@redhat.com>
3436
22
Message-id: 1576509312-13083-4-git-send-email-sveith@amazon.de
3437
23
Cc: Eric Auger <eric.auger@redhat.com>
3438
24
Cc: qemu-devel@nongnu.org
3439
25
Cc: qemu-arm@nongnu.org
3440
26
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3441
27
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3442
28
(cherry picked from commit 05ff2fb80ce4ca85d8a39d48ff8156de739b4f51)
3443
29
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3444
30
3445
31
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=256ecc06eb
3446
32
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3447
33
Last-Update: 2020-08-19
3448
34
3449
35
---
3450
36
 hw/arm/smmuv3.c | 8 ++++++--
3451
37
 1 file changed, 6 insertions(+), 2 deletions(-)
3452
38
3453
39
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
3454
40
index eef9a18d70..727558bcfa 100644
3455
41
--- a/hw/arm/smmuv3.c
3456
42
+++ b/hw/arm/smmuv3.c
3457
43
@@ -377,11 +377,15 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
3458
44
                          SMMUEventInfo *event)
3459
45
 {
3460
46
     dma_addr_t addr;
3461
47
+    uint32_t log2size;
3462
48
     int ret;
3463
49
 
3464
50
     trace_smmuv3_find_ste(sid, s->features, s->sid_split);
3465
51
-    /* Check SID range */
3466
52
-    if (sid > (1 << SMMU_IDR1_SIDSIZE)) {
3467
53
+    log2size = FIELD_EX32(s->strtab_base_cfg, STRTAB_BASE_CFG, LOG2SIZE);
3468
54
+    /*
3469
55
+     * Check SID range against both guest-configured and implementation limits
3470
56
+     */
3471
57
+    if (sid >= (1 << MIN(log2size, SMMU_IDR1_SIDSIZE))) {
3472
58
         event->type = SMMU_EVT_C_BAD_STREAMID;
3473
59
         return -EINVAL;
3474
60
     }
3475
61
-- 
3476
62
2.28.0
3477
63
3478
diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch
3479
0
new file mode 100644
64
new file mode 100644
3480
index 0000000..11865de
3481
--- /dev/null
3482
+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch
3483
@@ -0,0 +1,52 @@
3484
1
From 606a6bf788d37a524c89e2627a44693afb5cb6a1 Mon Sep 17 00:00:00 2001
3485
2
From: Simon Veith <sveith@amazon.de>
3486
3
Date: Fri, 20 Dec 2019 14:03:00 +0000
3487
4
Subject: [PATCH] hw/arm/smmuv3: Correct SMMU_BASE_ADDR_MASK value
3488
5
3489
6
There are two issues with the current value of SMMU_BASE_ADDR_MASK:
3490
7
3491
8
- At the lower end, we are clearing bits [4:0]. Per the SMMUv3 spec,
3492
9
  we should also be treating bit 5 as zero in the base address.
3493
10
- At the upper end, we are clearing bits [63:48]. Per the SMMUv3 spec,
3494
11
  only bits [63:52] must be explicitly treated as zero.
3495
12
3496
13
Update the SMMU_BASE_ADDR_MASK value to mask out bits [63:52] and [5:0].
3497
14
3498
15
ref. ARM IHI 0070C, section 6.3.23.
3499
16
3500
17
Signed-off-by: Simon Veith <sveith@amazon.de>
3501
18
Acked-by: Eric Auger <eric.auger@redhat.com>
3502
19
Tested-by: Eric Auger <eric.auger@redhat.com>
3503
20
Message-id: 1576509312-13083-3-git-send-email-sveith@amazon.de
3504
21
Cc: Eric Auger <eric.auger@redhat.com>
3505
22
Cc: qemu-devel@nongnu.org
3506
23
Cc: qemu-arm@nongnu.org
3507
24
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3508
25
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3509
26
(cherry picked from commit 3293b9f514a413e019b7dbc9d543458075b4849e)
3510
27
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3511
28
3512
29
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=606a6bf788
3513
30
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3514
31
Last-Update: 2020-08-19
3515
32
3516
33
---
3517
34
 hw/arm/smmuv3-internal.h | 2 +-
3518
35
 1 file changed, 1 insertion(+), 1 deletion(-)
3519
36
3520
37
diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
3521
38
index d190181ef1..042b435808 100644
3522
39
--- a/hw/arm/smmuv3-internal.h
3523
40
+++ b/hw/arm/smmuv3-internal.h
3524
41
@@ -99,7 +99,7 @@ REG32(GERROR_IRQ_CFG2, 0x74)
3525
42
 
3526
43
 #define A_STRTAB_BASE      0x80 /* 64b */
3527
44
 
3528
45
-#define SMMU_BASE_ADDR_MASK 0xffffffffffe0
3529
46
+#define SMMU_BASE_ADDR_MASK 0xfffffffffffc0
3530
47
 
3531
48
 REG32(STRTAB_BASE_CFG,     0x88)
3532
49
     FIELD(STRTAB_BASE_CFG, FMT,      16, 2)
3533
50
-- 
3534
51
2.28.0
3535
52
3536
diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch
3537
0
new file mode 100644
53
new file mode 100644
3538
index 0000000..b7cc26c
3539
--- /dev/null
3540
+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch
3541
@@ -0,0 +1,55 @@
3542
1
From 9b59fdf47822acb6f2f6be5629829f27ffb08d41 Mon Sep 17 00:00:00 2001
3543
2
From: Simon Veith <sveith@amazon.de>
3544
3
Date: Fri, 20 Dec 2019 14:03:00 +0000
3545
4
Subject: [PATCH] hw/arm/smmuv3: Report F_STE_FETCH fault address in correct
3546
5
 word position
3547
6
3548
7
The smmuv3_record_event() function that generates the F_STE_FETCH error
3549
8
uses the EVT_SET_ADDR macro to record the fetch address, placing it in
3550
9
32-bit words 4 and 5.
3551
10
3552
11
The correct position for this address is in words 6 and 7, per the
3553
12
SMMUv3 Architecture Specification.
3554
13
3555
14
Update the function to use the EVT_SET_ADDR2 macro instead, which is the
3556
15
macro intended for writing to these words.
3557
16
3558
17
ref. ARM IHI 0070C, section 7.3.4.
3559
18
3560
19
Signed-off-by: Simon Veith <sveith@amazon.de>
3561
20
Acked-by: Eric Auger <eric.auger@redhat.com>
3562
21
Tested-by: Eric Auger <eric.auger@redhat.com>
3563
22
Message-id: 1576509312-13083-7-git-send-email-sveith@amazon.de
3564
23
Cc: Eric Auger <eric.auger@redhat.com>
3565
24
Cc: qemu-devel@nongnu.org
3566
25
Cc: qemu-arm@nongnu.org
3567
26
Acked-by: Eric Auger <eric.auger@redhat.com>
3568
27
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3569
28
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3570
29
(cherry picked from commit b255cafb59578d16716186ed955717bc8f87bdb7)
3571
30
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3572
31
3573
32
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9b59fdf478
3574
33
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3575
34
Last-Update: 2020-08-19
3576
35
3577
36
---
3578
37
 hw/arm/smmuv3.c | 2 +-
3579
38
 1 file changed, 1 insertion(+), 1 deletion(-)
3580
39
3581
40
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
3582
41
index 31ac3ca32e..8b5f157dc7 100644
3583
42
--- a/hw/arm/smmuv3.c
3584
43
+++ b/hw/arm/smmuv3.c
3585
44
@@ -172,7 +172,7 @@ void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info)
3586
45
     case SMMU_EVT_F_STE_FETCH:
3587
46
         EVT_SET_SSID(&evt, info->u.f_ste_fetch.ssid);
3588
47
         EVT_SET_SSV(&evt,  info->u.f_ste_fetch.ssv);
3589
48
-        EVT_SET_ADDR(&evt, info->u.f_ste_fetch.addr);
3590
49
+        EVT_SET_ADDR2(&evt, info->u.f_ste_fetch.addr);
3591
50
         break;
3592
51
     case SMMU_EVT_C_BAD_STE:
3593
52
         EVT_SET_SSID(&evt, info->u.c_bad_ste.ssid);
3594
53
-- 
3595
54
2.28.0
3596
55
3597
diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch
3598
0
new file mode 100644
56
new file mode 100644
3599
index 0000000..5a9a3b0
3600
--- /dev/null
3601
+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch
3602
@@ -0,0 +1,58 @@
3603
1
From ec3bd881e2e5942f835094b2da06ca415f7b27b3 Mon Sep 17 00:00:00 2001
3604
2
From: Simon Veith <sveith@amazon.de>
3605
3
Date: Fri, 20 Dec 2019 14:03:00 +0000
3606
4
Subject: [PATCH] hw/arm/smmuv3: Use correct bit positions in EVT_SET_ADDR2
3607
5
 macro
3608
6
3609
7
The bit offsets in the EVT_SET_ADDR2 macro do not match those specified
3610
8
in the ARM SMMUv3 Architecture Specification. In all events that use
3611
9
this macro, e.g. F_WALK_EABT, the faulting fetch address or IPA actually
3612
10
occupies the 32-bit words 6 and 7 in the event record contiguously, with
3613
11
the upper and lower unused bits clear due to alignment or maximum
3614
12
supported address bits. How many bits are clear depends on the
3615
13
individual event type.
3616
14
3617
15
Update the macro to write to the correct words in the event record so
3618
16
that guest drivers can obtain accurate address information on events.
3619
17
3620
18
ref. ARM IHI 0070C, sections 7.3.12 through 7.3.16.
3621
19
3622
20
Signed-off-by: Simon Veith <sveith@amazon.de>
3623
21
Acked-by: Eric Auger <eric.auger@redhat.com>
3624
22
Tested-by: Eric Auger <eric.auger@redhat.com>
3625
23
Message-id: 1576509312-13083-6-git-send-email-sveith@amazon.de
3626
24
Cc: Eric Auger <eric.auger@redhat.com>
3627
25
Cc: qemu-devel@nongnu.org
3628
26
Cc: qemu-arm@nongnu.org
3629
27
Acked-by: Eric Auger <eric.auger@redhat.com>
3630
28
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3631
29
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3632
30
(cherry picked from commit a7f65ceb851af5a5b639c6e30801076d848db2c2)
3633
31
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3634
32
3635
33
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=ec3bd881e2
3636
34
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3637
35
Last-Update: 2020-08-19
3638
36
3639
37
---
3640
38
 hw/arm/smmuv3-internal.h | 4 ++--
3641
39
 1 file changed, 2 insertions(+), 2 deletions(-)
3642
40
3643
41
diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h
3644
42
index 042b435808..4112394129 100644
3645
43
--- a/hw/arm/smmuv3-internal.h
3646
44
+++ b/hw/arm/smmuv3-internal.h
3647
45
@@ -461,8 +461,8 @@ typedef struct SMMUEventInfo {
3648
46
     } while (0)
3649
47
 #define EVT_SET_ADDR2(x, addr)                            \
3650
48
     do {                                                  \
3651
49
-            (x)->word[7] = deposit32((x)->word[7], 3, 29, addr >> 16);   \
3652
50
-            (x)->word[7] = deposit32((x)->word[7], 0, 16, addr & 0xffff);\
3653
51
+            (x)->word[7] = (uint32_t)(addr >> 32);        \
3654
52
+            (x)->word[6] = (uint32_t)(addr & 0xffffffff); \
3655
53
     } while (0)
3656
54
 
3657
55
 void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *event);
3658
56
-- 
3659
57
2.28.0
3660
58
3661
diff --git a/debian/patches/stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch b/debian/patches/stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch
3662
0
new file mode 100644
59
new file mode 100644
3663
index 0000000..ef32c14
3664
--- /dev/null
3665
+++ b/debian/patches/stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch
3666
@@ -0,0 +1,49 @@
3667
1
From 33be7aa9b6bea692e7ba615db1c97820051dc435 Mon Sep 17 00:00:00 2001
3668
2
From: Peter Maydell <peter.maydell@linaro.org>
3669
3
Date: Thu, 26 Mar 2020 10:53:49 +0000
3670
4
Subject: [PATCH] hw/i386/amd_iommu.c: Fix corruption of log events passed to
3671
5
 guest
3672
6
3673
7
In the function amdvi_log_event(), we write an event log buffer
3674
8
entry into guest ram, whose contents are passed to the function
3675
9
via the "uint64_t *evt" argument. Unfortunately, a spurious
3676
10
'&' in the call to dma_memory_write() meant that instead of
3677
11
writing the event to the guest we would write the literal value
3678
12
of the pointer, plus whatever was in the following 8 bytes
3679
13
on the stack. This error was spotted by Coverity.
3680
14
3681
15
Fix the bug by removing the '&'.
3682
16
3683
17
Fixes: CID 1421945
3684
18
Cc: qemu-stable@nongnu.org
3685
19
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3686
20
Message-Id: <20200326105349.24588-1-peter.maydell@linaro.org>
3687
21
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
3688
22
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
3689
23
(cherry picked from commit 32a2d6b1f6b4405f0fc20c031e61d5d48e3d9cd1)
3690
24
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3691
25
3692
26
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=33be7aa9b6
3693
27
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3694
28
Last-Update: 2020-08-19
3695
29
3696
30
---
3697
31
 hw/i386/amd_iommu.c | 2 +-
3698
32
 1 file changed, 1 insertion(+), 1 deletion(-)
3699
33
3700
34
diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c
3701
35
index d55dbf07fc..ac5f2fddc5 100644
3702
36
--- a/hw/i386/amd_iommu.c
3703
37
+++ b/hw/i386/amd_iommu.c
3704
38
@@ -181,7 +181,7 @@ static void amdvi_log_event(AMDVIState *s, uint64_t *evt)
3705
39
     }
3706
40
 
3707
41
     if (dma_memory_write(&address_space_memory, s->evtlog + s->evtlog_tail,
3708
42
-        &evt, AMDVI_EVENT_LEN)) {
3709
43
+                         evt, AMDVI_EVENT_LEN)) {
3710
44
         trace_amdvi_evntlog_fail(s->evtlog, s->evtlog_tail);
3711
45
     }
3712
46
 
3713
47
-- 
3714
48
2.28.0
3715
49
3716
diff --git a/debian/patches/stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch b/debian/patches/stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch
3717
0
new file mode 100644
50
new file mode 100644
3718
index 0000000..9c219c9
3719
--- /dev/null
3720
+++ b/debian/patches/stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch
3721
@@ -0,0 +1,66 @@
3722
1
From 9adb6569bf71808e76a7b71766e73a6da103741e Mon Sep 17 00:00:00 2001
3723
2
From: Zenghui Yu <yuzenghui@huawei.com>
3724
3
Date: Thu, 30 Jan 2020 16:02:05 +0000
3725
4
Subject: [PATCH] hw/intc/arm_gicv3_kvm: Stop wrongly programming
3726
5
 GICR_PENDBASER.PTZ bit
3727
6
3728
7
If LPIs are disabled, KVM will just ignore the GICR_PENDBASER.PTZ bit when
3729
8
restoring GICR_CTLR.  Setting PTZ here makes littlt sense in "reduce GIC
3730
9
initialization time".
3731
10
3732
11
And what's worse, PTZ is generally programmed by guest to indicate to the
3733
12
Redistributor whether the LPI Pending table is zero when enabling LPIs.
3734
13
If migration is triggered when the PTZ has just been cleared by guest (and
3735
14
before enabling LPIs), we will see PTZ==1 on the destination side, which
3736
15
is not as expected.  Let's just drop this hackish userspace behavior.
3737
16
3738
17
Also take this chance to refine the comment a bit.
3739
18
3740
19
Fixes: 367b9f527bec ("hw/intc/arm_gicv3_kvm: Implement get/put functions")
3741
20
Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
3742
21
Message-id: 20200119133051.642-1-yuzenghui@huawei.com
3743
22
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
3744
23
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
3745
24
(cherry picked from commit 618bacabd3c8c3360be795cd8763bacdf5bec101)
3746
25
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3747
26
3748
27
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9adb6569bf
3749
28
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3750
29
Last-Update: 2020-08-19
3751
30
3752
31
---
3753
32
 hw/intc/arm_gicv3_kvm.c | 11 ++++-------
3754
33
 1 file changed, 4 insertions(+), 7 deletions(-)
3755
34
3756
35
diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c
3757
36
index 9c7f4ab871..49304ca589 100644
3758
37
--- a/hw/intc/arm_gicv3_kvm.c
3759
38
+++ b/hw/intc/arm_gicv3_kvm.c
3760
39
@@ -336,7 +336,10 @@ static void kvm_arm_gicv3_put(GICv3State *s)
3761
40
     kvm_gicd_access(s, GICD_CTLR, &reg, true);
3762
41
 
3763
42
     if (redist_typer & GICR_TYPER_PLPIS) {
3764
43
-        /* Set base addresses before LPIs are enabled by GICR_CTLR write */
3765
44
+        /*
3766
45
+         * Restore base addresses before LPIs are potentially enabled by
3767
46
+         * GICR_CTLR write
3768
47
+         */
3769
48
         for (ncpu = 0; ncpu < s->num_cpu; ncpu++) {
3770
49
             GICv3CPUState *c = &s->cpu[ncpu];
3771
50
 
3772
51
@@ -347,12 +350,6 @@ static void kvm_arm_gicv3_put(GICv3State *s)
3773
52
             kvm_gicr_access(s, GICR_PROPBASER + 4, ncpu, &regh, true);
3774
53
 
3775
54
             reg64 = c->gicr_pendbaser;
3776
55
-            if (!(c->gicr_ctlr & GICR_CTLR_ENABLE_LPIS)) {
3777
56
-                /* Setting PTZ is advised if LPIs are disabled, to reduce
3778
57
-                 * GIC initialization time.
3779
58
-                 */
3780
59
-                reg64 |= GICR_PENDBASER_PTZ;
3781
60
-            }
3782
61
             regl = (uint32_t)reg64;
3783
62
             kvm_gicr_access(s, GICR_PENDBASER, ncpu, &regl, true);
3784
63
             regh = (uint32_t)(reg64 >> 32);
3785
64
-- 
3786
65
2.28.0
3787
66
3788
diff --git a/debian/patches/stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch b/debian/patches/stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch
3789
0
new file mode 100644
67
new file mode 100644
3790
index 0000000..4bccfa5
3791
--- /dev/null
3792
+++ b/debian/patches/stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch
3793
@@ -0,0 +1,91 @@
3794
1
From bed590f2b849ad548d659942771d824c288c6a50 Mon Sep 17 00:00:00 2001
3795
2
From: Eduardo Habkost <ehabkost@redhat.com>
3796
3
Date: Thu, 5 Dec 2019 19:33:39 -0300
3797
4
Subject: [PATCH] i386: Resolve CPU models to v1 by default
3798
5
3799
6
When using `query-cpu-definitions` using `-machine none`,
3800
7
QEMU is resolving all CPU models to their latest versions.  The
3801
8
actual CPU model version being used by another machine type (e.g.
3802
9
`pc-q35-4.0`) might be different.
3803
10
3804
11
In theory, this was OK because the correct CPU model
3805
12
version is returned when using the correct `-machine` argument.
3806
13
3807
14
Except that in practice, this breaks libvirt expectations:
3808
15
libvirt always use `-machine none` when checking if a CPU model
3809
16
is runnable, because runnability is not expected to be affected
3810
17
when the machine type is changed.
3811
18
3812
19
For example, when running on a Haswell host without TSX,
3813
20
Haswell-v4 is runnable, but Haswell-v1 is not.  On those hosts,
3814
21
`query-cpu-definitions` says Haswell is runnable if using
3815
22
`-machine none`, but Haswell is actually not runnable using any
3816
23
of the `pc-*` machine types (because they resolve Haswell to
3817
24
Haswell-v1).  In other words, we're breaking the "runnability
3818
25
guarantee" we promised to not break for a few releases (see
3819
26
qemu-deprecated.texi).
3820
27
3821
28
To address this issue, change the default CPU model version to v1
3822
29
on all machine types, so we make `query-cpu-definitions` output
3823
30
when using `-machine none` match the results when using `pc-*`.
3824
31
This will change in the future (the plan is to always return the
3825
32
latest CPU model version if using `-machine none`), but only
3826
33
after giving libvirt the opportunity to adapt.
3827
34
3828
35
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1779078
3829
36
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
3830
37
Message-Id: <20191205223339.764534-1-ehabkost@redhat.com>
3831
38
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
3832
39
(cherry picked from commit ad18392892c04637fb56956d997f4bc600224356)
3833
40
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3834
41
3835
42
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=bed590f2b8
3836
43
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3837
44
Last-Update: 2020-08-19
3838
45
3839
46
---
3840
47
 qemu-deprecated.texi | 8 ++++++++
3841
48
 target/i386/cpu.c    | 8 +++++++-
3842
49
 2 files changed, 15 insertions(+), 1 deletion(-)
3843
50
3844
51
diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi
3845
52
index 4b4b7425ac..b42d8b3c5f 100644
3846
53
--- a/qemu-deprecated.texi
3847
54
+++ b/qemu-deprecated.texi
3848
55
@@ -374,6 +374,14 @@ guarantees must resolve the CPU model aliases using te
3849
56
 ``alias-of'' field returned by the ``query-cpu-definitions'' QMP
3850
57
 command.
3851
58
 
3852
59
+While those guarantees are kept, the return value of
3853
60
+``query-cpu-definitions'' will have existing CPU model aliases
3854
61
+point to a version that doesn't break runnability guarantees
3855
62
+(specifically, version 1 of those CPU models).  In future QEMU
3856
63
+versions, aliases will point to newer CPU model versions
3857
64
+depending on the machine type, so management software must
3858
65
+resolve CPU model aliases before starting a virtual machine.
3859
66
+
3860
67
 
3861
68
 @node Recently removed features
3862
69
 @appendix Recently removed features
3863
70
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
3864
71
index 69f518a21a..54e7f18a09 100644
3865
72
--- a/target/i386/cpu.c
3866
73
+++ b/target/i386/cpu.c
3867
74
@@ -3924,7 +3924,13 @@ static PropValue tcg_default_props[] = {
3868
75
 };
3869
76
 
3870
77
 
3871
78
-X86CPUVersion default_cpu_version = CPU_VERSION_LATEST;
3872
79
+/*
3873
80
+ * We resolve CPU model aliases using -v1 when using "-machine
3874
81
+ * none", but this is just for compatibility while libvirt isn't
3875
82
+ * adapted to resolve CPU model versions before creating VMs.
3876
83
+ * See "Runnability guarantee of CPU models" at * qemu-deprecated.texi.
3877
84
+ */
3878
85
+X86CPUVersion default_cpu_version = 1;
3879
86
 
3880
87
 void x86_cpu_set_default_version(X86CPUVersion version)
3881
88
 {
3882
89
-- 
3883
90
2.28.0
3884
91
3885
diff --git a/debian/patches/stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch b/debian/patches/stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch
3886
0
new file mode 100644
92
new file mode 100644
3887
index 0000000..c42f271
3888
--- /dev/null
3889
+++ b/debian/patches/stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch
3890
@@ -0,0 +1,99 @@
3891
1
From 4412cb3bcaf5b0cccf88f881c18be5dfd395e934 Mon Sep 17 00:00:00 2001
3892
2
From: Alexander Popov <alex.popov@linux.com>
3893
3
Date: Mon, 23 Dec 2019 20:51:16 +0300
3894
4
Subject: [PATCH] ide: Fix incorrect handling of some PRDTs in ide_dma_cb()
3895
5
3896
6
The commit a718978ed58a from July 2015 introduced the assertion which
3897
7
implies that the size of successful DMA transfers handled in ide_dma_cb()
3898
8
should be multiple of 512 (the size of a sector). But guest systems can
3899
9
initiate DMA transfers that don't fit this requirement.
3900
10
3901
11
For fixing that let's check the number of bytes prepared for the transfer
3902
12
by the prepare_buf() handler. The code in ide_dma_cb() must behave
3903
13
according to the Programming Interface for Bus Master IDE Controller
3904
14
(Revision 1.0 5/16/94):
3905
15
1. If PRDs specified a smaller size than the IDE transfer
3906
16
   size, then the Interrupt and Active bits in the Controller
3907
17
   status register are not set (Error Condition).
3908
18
2. If the size of the physical memory regions was equal to
3909
19
   the IDE device transfer size, the Interrupt bit in the
3910
20
   Controller status register is set to 1, Active bit is set to 0.
3911
21
3. If PRDs specified a larger size than the IDE transfer size,
3912
22
   the Interrupt and Active bits in the Controller status register
3913
23
   are both set to 1.
3914
24
3915
25
Signed-off-by: Alexander Popov <alex.popov@linux.com>
3916
26
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
3917
27
Message-id: 20191223175117.508990-2-alex.popov@linux.com
3918
28
Signed-off-by: John Snow <jsnow@redhat.com>
3919
29
(cherry picked from commit ed78352a59ea7acf7520d4d47a96b9911bae7fc3)
3920
30
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
3921
31
3922
32
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=4412cb3bca
3923
33
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
3924
34
Last-Update: 2020-08-19
3925
35
3926
36
---
3927
37
 hw/ide/core.c | 30 ++++++++++++++++++++++--------
3928
38
 1 file changed, 22 insertions(+), 8 deletions(-)
3929
39
3930
40
diff --git a/hw/ide/core.c b/hw/ide/core.c
3931
41
index 754ff4dc34..80000eb766 100644
3932
42
--- a/hw/ide/core.c
3933
43
+++ b/hw/ide/core.c
3934
44
@@ -849,6 +849,7 @@ static void ide_dma_cb(void *opaque, int ret)
3935
45
     int64_t sector_num;
3936
46
     uint64_t offset;
3937
47
     bool stay_active = false;
3938
48
+    int32_t prep_size = 0;
3939
49
 
3940
50
     if (ret == -EINVAL) {
3941
51
         ide_dma_error(s);
3942
52
@@ -863,13 +864,15 @@ static void ide_dma_cb(void *opaque, int ret)
3943
53
         }
3944
54
     }
3945
55
 
3946
56
-    n = s->io_buffer_size >> 9;
3947
57
-    if (n > s->nsector) {
3948
58
-        /* The PRDs were longer than needed for this request. Shorten them so
3949
59
-         * we don't get a negative remainder. The Active bit must remain set
3950
60
-         * after the request completes. */
3951
61
+    if (s->io_buffer_size > s->nsector * 512) {
3952
62
+        /*
3953
63
+         * The PRDs were longer than needed for this request.
3954
64
+         * The Active bit must remain set after the request completes.
3955
65
+         */
3956
66
         n = s->nsector;
3957
67
         stay_active = true;
3958
68
+    } else {
3959
69
+        n = s->io_buffer_size >> 9;
3960
70
     }
3961
71
 
3962
72
     sector_num = ide_get_sector(s);
3963
73
@@ -892,9 +895,20 @@ static void ide_dma_cb(void *opaque, int ret)
3964
74
     n = s->nsector;
3965
75
     s->io_buffer_index = 0;
3966
76
     s->io_buffer_size = n * 512;
3967
77
-    if (s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size) < 512) {
3968
78
-        /* The PRDs were too short. Reset the Active bit, but don't raise an
3969
79
-         * interrupt. */
3970
80
+    prep_size = s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size);
3971
81
+    /* prepare_buf() must succeed and respect the limit */
3972
82
+    assert(prep_size >= 0 && prep_size <= n * 512);
3973
83
+
3974
84
+    /*
3975
85
+     * Now prep_size stores the number of bytes in the sglist, and
3976
86
+     * s->io_buffer_size stores the number of bytes described by the PRDs.
3977
87
+     */
3978
88
+
3979
89
+    if (prep_size < n * 512) {
3980
90
+        /*
3981
91
+         * The PRDs are too short for this request. Error condition!
3982
92
+         * Reset the Active bit and don't raise the interrupt.
3983
93
+         */
3984
94
         s->status = READY_STAT | SEEK_STAT;
3985
95
         dma_buf_commit(s, 0);
3986
96
         goto eot;
3987
97
-- 
3988
98
2.28.0
3989
99
3990
diff --git a/debian/patches/stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch b/debian/patches/stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch
3991
0
new file mode 100644
100
new file mode 100644
3992
index 0000000..8684d31
3993
--- /dev/null
3994
+++ b/debian/patches/stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch
3995
@@ -0,0 +1,232 @@
3996
1
From 2f7597fbc2727eeb4f16c579c9dc0b115a8e5e93 Mon Sep 17 00:00:00 2001
3997
2
From: Max Reitz <mreitz@redhat.com>
3998
3
Date: Wed, 11 Mar 2020 15:07:07 +0100
3999
4
Subject: [PATCH] iotests/026: Move v3-exclusive test to new file
4000
5
MIME-Version: 1.0
4001
6
Content-Type: text/plain; charset=UTF-8
4002
7
Content-Transfer-Encoding: 8bit
4003
8
4004
9
data_file does not work with v2, and we probably want 026 to keep
4005
10
working for v2 images.  Thus, open a new file for v3-exclusive error
4006
11
path test cases.
4007
12
4008
13
Fixes: 81311255f217859413c94f2cd9cebf2684bbda94
4009
14
       (“iotests/026: Test EIO on allocation in a data-file”)
4010
15
Signed-off-by: Max Reitz <mreitz@redhat.com>
4011
16
Message-Id: <20200311140707.1243218-1-mreitz@redhat.com>
4012
17
Reviewed-by: John Snow <jsnow@redhat.com>
4013
18
Tested-by: John Snow <jsnow@redhat.com>
4014
19
Signed-off-by: Max Reitz <mreitz@redhat.com>
4015
20
(cherry picked from commit c264e5d2f9f5d73977eac8e5d084f727b3d07ea9)
4016
21
 Conflicts:
4017
22
	tests/qemu-iotests/group
4018
23
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4019
24
4020
25
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=2f7597fbc2
4021
26
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
4022
27
Last-Update: 2020-08-19
4023
28
4024
29
---
4025
30
 tests/qemu-iotests/026             | 31 -----------
4026
31
 tests/qemu-iotests/026.out         |  6 --
4027
32
 tests/qemu-iotests/026.out.nocache |  6 --
4028
33
 tests/qemu-iotests/289             | 89 ++++++++++++++++++++++++++++++
4029
34
 tests/qemu-iotests/289.out         |  8 +++
4030
35
 tests/qemu-iotests/group           |  1 +
4031
36
 6 files changed, 98 insertions(+), 43 deletions(-)
4032
37
 create mode 100755 tests/qemu-iotests/289
4033
38
 create mode 100644 tests/qemu-iotests/289.out
4034
39
4035
40
diff --git a/tests/qemu-iotests/026 b/tests/qemu-iotests/026
4036
41
index c1c96a41d9..3afd708863 100755
4037
42
--- a/tests/qemu-iotests/026
4038
43
+++ b/tests/qemu-iotests/026
4039
44
@@ -237,37 +237,6 @@ $QEMU_IO -c "write 0 $CLUSTER_SIZE" "$BLKDBG_TEST_IMG" | _filter_qemu_io
4040
45
 
4041
46
 _check_test_img
4042
47
 
4043
48
-echo
4044
49
-echo === Avoid freeing external data clusters on failure ===
4045
50
-echo
4046
51
-
4047
52
-# Similar test as the last one, except we test what happens when there
4048
53
-# is an error when writing to an external data file instead of when
4049
54
-# writing to a preallocated zero cluster
4050
55
-_make_test_img -o "data_file=$TEST_IMG.data_file" $CLUSTER_SIZE
4051
56
-
4052
57
-# Put blkdebug above the data-file, and a raw node on top of that so
4053
58
-# that blkdebug will see a write_aio event and emit an error
4054
59
-$QEMU_IO -c "write 0 $CLUSTER_SIZE" \
4055
60
-    "json:{
4056
61
-         'driver': 'qcow2',
4057
62
-         'file': { 'driver': 'file', 'filename': '$TEST_IMG' },
4058
63
-         'data-file': {
4059
64
-             'driver': 'raw',
4060
65
-             'file': {
4061
66
-                 'driver': 'blkdebug',
4062
67
-                 'config': '$TEST_DIR/blkdebug.conf',
4063
68
-                 'image': {
4064
69
-                     'driver': 'file',
4065
70
-                     'filename': '$TEST_IMG.data_file'
4066
71
-                 }
4067
72
-             }
4068
73
-         }
4069
74
-     }" \
4070
75
-    | _filter_qemu_io
4071
76
-
4072
77
-_check_test_img
4073
78
-
4074
79
 # success, all done
4075
80
 echo "*** done"
4076
81
 rm -f $seq.full
4077
82
diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out
4078
83
index c1b3b58482..83989996ff 100644
4079
84
--- a/tests/qemu-iotests/026.out
4080
85
+++ b/tests/qemu-iotests/026.out
4081
86
@@ -653,10 +653,4 @@ wrote 1024/1024 bytes at offset 0
4082
87
 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
4083
88
 write failed: Input/output error
4084
89
 No errors were found on the image.
4085
90
-
4086
91
-=== Avoid freeing external data clusters on failure ===
4087
92
-
4088
93
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file
4089
94
-write failed: Input/output error
4090
95
-No errors were found on the image.
4091
96
 *** done
4092
97
diff --git a/tests/qemu-iotests/026.out.nocache b/tests/qemu-iotests/026.out.nocache
4093
98
index 8d5001648a..9359d26d7e 100644
4094
99
--- a/tests/qemu-iotests/026.out.nocache
4095
100
+++ b/tests/qemu-iotests/026.out.nocache
4096
101
@@ -661,10 +661,4 @@ wrote 1024/1024 bytes at offset 0
4097
102
 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
4098
103
 write failed: Input/output error
4099
104
 No errors were found on the image.
4100
105
-
4101
106
-=== Avoid freeing external data clusters on failure ===
4102
107
-
4103
108
-Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file
4104
109
-write failed: Input/output error
4105
110
-No errors were found on the image.
4106
111
 *** done
4107
112
diff --git a/tests/qemu-iotests/289 b/tests/qemu-iotests/289
4108
113
new file mode 100755
4109
114
index 0000000000..1c11d4030e
4110
115
--- /dev/null
4111
116
+++ b/tests/qemu-iotests/289
4112
117
@@ -0,0 +1,89 @@
4113
118
+#!/usr/bin/env bash
4114
119
+#
4115
120
+# qcow2 v3-exclusive error path testing
4116
121
+# (026 tests paths common to v2 and v3)
4117
122
+#
4118
123
+# Copyright (C) 2020 Red Hat, Inc.
4119
124
+#
4120
125
+# This program is free software; you can redistribute it and/or modify
4121
126
+# it under the terms of the GNU General Public License as published by
4122
127
+# the Free Software Foundation; either version 2 of the License, or
4123
128
+# (at your option) any later version.
4124
129
+#
4125
130
+# This program is distributed in the hope that it will be useful,
4126
131
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
4127
132
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
4128
133
+# GNU General Public License for more details.
4129
134
+#
4130
135
+# You should have received a copy of the GNU General Public License
4131
136
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
4132
137
+#
4133
138
+
4134
139
+seq=$(basename $0)
4135
140
+echo "QA output created by $seq"
4136
141
+
4137
142
+status=1	# failure is the default!
4138
143
+
4139
144
+_cleanup()
4140
145
+{
4141
146
+    _cleanup_test_img
4142
147
+    rm "$TEST_DIR/blkdebug.conf"
4143
148
+    rm -f "$TEST_IMG.data_file"
4144
149
+}
4145
150
+trap "_cleanup; exit \$status" 0 1 2 3 15
4146
151
+
4147
152
+# get standard environment, filters and checks
4148
153
+. ./common.rc
4149
154
+. ./common.filter
4150
155
+. ./common.pattern
4151
156
+
4152
157
+_supported_fmt qcow2
4153
158
+_supported_proto file
4154
159
+# This is a v3-exclusive test;
4155
160
+# As for data_file, error paths often very much depend on whether
4156
161
+# there is an external data file or not; so we create one exactly when
4157
162
+# we want to test it
4158
163
+_unsupported_imgopts 'compat=0.10' data_file
4159
164
+
4160
165
+echo
4161
166
+echo === Avoid freeing external data clusters on failure ===
4162
167
+echo
4163
168
+
4164
169
+cat > "$TEST_DIR/blkdebug.conf" <<EOF
4165
170
+[inject-error]
4166
171
+event = "write_aio"
4167
172
+errno = "5"
4168
173
+once = "on"
4169
174
+EOF
4170
175
+
4171
176
+# Test what happens when there is an error when writing to an external
4172
177
+# data file instead of when writing to a preallocated zero cluster
4173
178
+_make_test_img -o "data_file=$TEST_IMG.data_file" 64k
4174
179
+
4175
180
+# Put blkdebug above the data-file, and a raw node on top of that so
4176
181
+# that blkdebug will see a write_aio event and emit an error.  This
4177
182
+# will then trigger the alloc abort code, which we want to test here.
4178
183
+$QEMU_IO -c "write 0 64k" \
4179
184
+    "json:{
4180
185
+         'driver': 'qcow2',
4181
186
+         'file': { 'driver': 'file', 'filename': '$TEST_IMG' },
4182
187
+         'data-file': {
4183
188
+             'driver': 'raw',
4184
189
+             'file': {
4185
190
+                 'driver': 'blkdebug',
4186
191
+                 'config': '$TEST_DIR/blkdebug.conf',
4187
192
+                 'image': {
4188
193
+                     'driver': 'file',
4189
194
+                     'filename': '$TEST_IMG.data_file'
4190
195
+                 }
4191
196
+             }
4192
197
+         }
4193
198
+     }" \
4194
199
+    | _filter_qemu_io
4195
200
+
4196
201
+_check_test_img
4197
202
+
4198
203
+# success, all done
4199
204
+echo "*** done"
4200
205
+rm -f $seq.full
4201
206
+status=0
4202
207
diff --git a/tests/qemu-iotests/289.out b/tests/qemu-iotests/289.out
4203
208
new file mode 100644
4204
209
index 0000000000..e54e2629d4
4205
210
--- /dev/null
4206
211
+++ b/tests/qemu-iotests/289.out
4207
212
@@ -0,0 +1,8 @@
4208
213
+QA output created by 289
4209
214
+
4210
215
+=== Avoid freeing external data clusters on failure ===
4211
216
+
4212
217
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=65536 data_file=TEST_DIR/t.IMGFMT.data_file
4213
218
+write failed: Input/output error
4214
219
+No errors were found on the image.
4215
220
+*** done
4216
221
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
4217
222
index 6b10a6a762..2dc8a6e572 100644
4218
223
--- a/tests/qemu-iotests/group
4219
224
+++ b/tests/qemu-iotests/group
4220
225
@@ -286,3 +286,4 @@
4221
226
 272 rw
4222
227
 273 backing quick
4223
228
 277 rw quick
4224
229
+289 rw quick
4225
230
-- 
4226
231
2.28.0
4227
232
4228
diff --git a/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch b/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch
4229
0
new file mode 100644
233
new file mode 100644
4230
index 0000000..76e486b
4231
--- /dev/null
4232
+++ b/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch
4233
@@ -0,0 +1,107 @@
4234
1
From 4540aa4a8d2c59ec42af0ea58ca1794124ce47dd Mon Sep 17 00:00:00 2001
4235
2
From: Max Reitz <mreitz@redhat.com>
4236
3
Date: Tue, 25 Feb 2020 15:31:30 +0100
4237
4
Subject: [PATCH] iotests/026: Test EIO on allocation in a data-file
4238
5
4239
6
Test what happens when writing data to an external data file, where the
4240
7
write requires an L2 entry to be allocated, but the data write fails.
4241
8
4242
9
Signed-off-by: Max Reitz <mreitz@redhat.com>
4243
10
Message-Id: <20200225143130.111267-4-mreitz@redhat.com>
4244
11
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
4245
12
(cherry picked from commit 81311255f217859413c94f2cd9cebf2684bbda94)
4246
13
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4247
14
4248
15
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=4540aa4a8d
4249
16
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
4250
17
Last-Update: 2020-08-19
4251
18
4252
19
---
4253
20
 tests/qemu-iotests/026             | 32 ++++++++++++++++++++++++++++++
4254
21
 tests/qemu-iotests/026.out         |  6 ++++++
4255
22
 tests/qemu-iotests/026.out.nocache |  6 ++++++
4256
23
 3 files changed, 44 insertions(+)
4257
24
4258
25
diff --git a/tests/qemu-iotests/026 b/tests/qemu-iotests/026
4259
26
index d89729697f..c1c96a41d9 100755
4260
27
--- a/tests/qemu-iotests/026
4261
28
+++ b/tests/qemu-iotests/026
4262
29
@@ -30,6 +30,7 @@ _cleanup()
4263
30
 {
4264
31
 	_cleanup_test_img
4265
32
     rm "$TEST_DIR/blkdebug.conf"
4266
33
+    rm -f "$TEST_IMG.data_file"
4267
34
 }
4268
35
 trap "_cleanup; exit \$status" 0 1 2 3 15
4269
36
 
4270
37
@@ -236,6 +237,37 @@ $QEMU_IO -c "write 0 $CLUSTER_SIZE" "$BLKDBG_TEST_IMG" | _filter_qemu_io
4271
38
 
4272
39
 _check_test_img
4273
40
 
4274
41
+echo
4275
42
+echo === Avoid freeing external data clusters on failure ===
4276
43
+echo
4277
44
+
4278
45
+# Similar test as the last one, except we test what happens when there
4279
46
+# is an error when writing to an external data file instead of when
4280
47
+# writing to a preallocated zero cluster
4281
48
+_make_test_img -o "data_file=$TEST_IMG.data_file" $CLUSTER_SIZE
4282
49
+
4283
50
+# Put blkdebug above the data-file, and a raw node on top of that so
4284
51
+# that blkdebug will see a write_aio event and emit an error
4285
52
+$QEMU_IO -c "write 0 $CLUSTER_SIZE" \
4286
53
+    "json:{
4287
54
+         'driver': 'qcow2',
4288
55
+         'file': { 'driver': 'file', 'filename': '$TEST_IMG' },
4289
56
+         'data-file': {
4290
57
+             'driver': 'raw',
4291
58
+             'file': {
4292
59
+                 'driver': 'blkdebug',
4293
60
+                 'config': '$TEST_DIR/blkdebug.conf',
4294
61
+                 'image': {
4295
62
+                     'driver': 'file',
4296
63
+                     'filename': '$TEST_IMG.data_file'
4297
64
+                 }
4298
65
+             }
4299
66
+         }
4300
67
+     }" \
4301
68
+    | _filter_qemu_io
4302
69
+
4303
70
+_check_test_img
4304
71
+
4305
72
 # success, all done
4306
73
 echo "*** done"
4307
74
 rm -f $seq.full
4308
75
diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out
4309
76
index 83989996ff..c1b3b58482 100644
4310
77
--- a/tests/qemu-iotests/026.out
4311
78
+++ b/tests/qemu-iotests/026.out
4312
79
@@ -653,4 +653,10 @@ wrote 1024/1024 bytes at offset 0
4313
80
 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
4314
81
 write failed: Input/output error
4315
82
 No errors were found on the image.
4316
83
+
4317
84
+=== Avoid freeing external data clusters on failure ===
4318
85
+
4319
86
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file
4320
87
+write failed: Input/output error
4321
88
+No errors were found on the image.
4322
89
 *** done
4323
90
diff --git a/tests/qemu-iotests/026.out.nocache b/tests/qemu-iotests/026.out.nocache
4324
91
index 9359d26d7e..8d5001648a 100644
4325
92
--- a/tests/qemu-iotests/026.out.nocache
4326
93
+++ b/tests/qemu-iotests/026.out.nocache
4327
94
@@ -661,4 +661,10 @@ wrote 1024/1024 bytes at offset 0
4328
95
 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
4329
96
 write failed: Input/output error
4330
97
 No errors were found on the image.
4331
98
+
4332
99
+=== Avoid freeing external data clusters on failure ===
4333
100
+
4334
101
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file
4335
102
+write failed: Input/output error
4336
103
+No errors were found on the image.
4337
104
 *** done
4338
105
-- 
4339
106
2.28.0
4340
107
4341
diff --git a/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch b/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch
4342
0
new file mode 100644
108
new file mode 100644
4343
index 0000000..5295272
4344
--- /dev/null
4345
+++ b/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch
4346
@@ -0,0 +1,97 @@
4347
1
From 30aa0ea6c578b51a71d8cbb9578cc7f7bfeb56aa Mon Sep 17 00:00:00 2001
4348
2
From: Max Reitz <mreitz@redhat.com>
4349
3
Date: Tue, 25 Feb 2020 15:31:29 +0100
4350
4
Subject: [PATCH] iotests/026: Test EIO on preallocated zero cluster
4351
5
4352
6
Test what happens when writing data to a preallocated zero cluster, but
4353
7
the data write fails.
4354
8
4355
9
Signed-off-by: Max Reitz <mreitz@redhat.com>
4356
10
Message-Id: <20200225143130.111267-3-mreitz@redhat.com>
4357
11
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
4358
12
(cherry picked from commit 31ab00f3747c00fdbb9027cea644b40dd1405480)
4359
13
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4360
14
4361
15
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=30aa0ea6c5
4362
16
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
4363
17
Last-Update: 2020-08-19
4364
18
4365
19
---
4366
20
 tests/qemu-iotests/026             | 21 +++++++++++++++++++++
4367
21
 tests/qemu-iotests/026.out         | 10 ++++++++++
4368
22
 tests/qemu-iotests/026.out.nocache | 10 ++++++++++
4369
23
 3 files changed, 41 insertions(+)
4370
24
4371
25
diff --git a/tests/qemu-iotests/026 b/tests/qemu-iotests/026
4372
26
index 3430029ed6..d89729697f 100755
4373
27
--- a/tests/qemu-iotests/026
4374
28
+++ b/tests/qemu-iotests/026
4375
29
@@ -215,6 +215,27 @@ _make_test_img 64M
4376
30
 $QEMU_IO -c "write 0 1M" -c "write 0 1M" "$BLKDBG_TEST_IMG" | _filter_qemu_io
4377
31
 _check_test_img
4378
32
 
4379
33
+echo
4380
34
+echo === Avoid freeing preallocated zero clusters on failure ===
4381
35
+echo
4382
36
+
4383
37
+cat > "$TEST_DIR/blkdebug.conf" <<EOF
4384
38
+[inject-error]
4385
39
+event = "write_aio"
4386
40
+errno = "5"
4387
41
+once = "on"
4388
42
+EOF
4389
43
+
4390
44
+_make_test_img $CLUSTER_SIZE
4391
45
+# Create a preallocated zero cluster
4392
46
+$QEMU_IO -c "write 0 $CLUSTER_SIZE" -c "write -z 0 $CLUSTER_SIZE" "$TEST_IMG" \
4393
47
+    | _filter_qemu_io
4394
48
+# Try to overwrite it (prompting an I/O error from blkdebug), thus
4395
49
+# triggering the alloc abort code
4396
50
+$QEMU_IO -c "write 0 $CLUSTER_SIZE" "$BLKDBG_TEST_IMG" | _filter_qemu_io
4397
51
+
4398
52
+_check_test_img
4399
53
+
4400
54
 # success, all done
4401
55
 echo "*** done"
4402
56
 rm -f $seq.full
4403
57
diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out
4404
58
index ff0817b6f2..83989996ff 100644
4405
59
--- a/tests/qemu-iotests/026.out
4406
60
+++ b/tests/qemu-iotests/026.out
4407
61
@@ -643,4 +643,14 @@ write failed: Input/output error
4408
62
 wrote 1048576/1048576 bytes at offset 0
4409
63
 1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
4410
64
 No errors were found on the image.
4411
65
+
4412
66
+=== Avoid freeing preallocated zero clusters on failure ===
4413
67
+
4414
68
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024
4415
69
+wrote 1024/1024 bytes at offset 0
4416
70
+1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
4417
71
+wrote 1024/1024 bytes at offset 0
4418
72
+1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
4419
73
+write failed: Input/output error
4420
74
+No errors were found on the image.
4421
75
 *** done
4422
76
diff --git a/tests/qemu-iotests/026.out.nocache b/tests/qemu-iotests/026.out.nocache
4423
77
index 495d013007..9359d26d7e 100644
4424
78
--- a/tests/qemu-iotests/026.out.nocache
4425
79
+++ b/tests/qemu-iotests/026.out.nocache
4426
80
@@ -651,4 +651,14 @@ write failed: Input/output error
4427
81
 wrote 1048576/1048576 bytes at offset 0
4428
82
 1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
4429
83
 No errors were found on the image.
4430
84
+
4431
85
+=== Avoid freeing preallocated zero clusters on failure ===
4432
86
+
4433
87
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024
4434
88
+wrote 1024/1024 bytes at offset 0
4435
89
+1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
4436
90
+wrote 1024/1024 bytes at offset 0
4437
91
+1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec)
4438
92
+write failed: Input/output error
4439
93
+No errors were found on the image.
4440
94
 *** done
4441
95
-- 
4442
96
2.28.0
4443
97
4444
diff --git a/debian/patches/stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch b/debian/patches/stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch
4445
0
new file mode 100644
98
new file mode 100644
4446
index 0000000..d479c09
4447
--- /dev/null
4448
+++ b/debian/patches/stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch
4449
@@ -0,0 +1,57 @@
4450
1
From 4a0db6ba7d5c524cbbcc684d7448e01e11eacbbd Mon Sep 17 00:00:00 2001
4451
2
From: Kevin Wolf <kwolf@redhat.com>
4452
3
Date: Thu, 30 Apr 2020 16:27:52 +0200
4453
4
Subject: [PATCH] iotests/283: Use consistent size for source and target
4454
5
4455
6
The test case forgot to specify the null-co size for the target node.
4456
7
When adding a check to backup that both sizes match, this would fail
4457
8
because of the size mismatch and not the behaviour that the test really
4458
9
wanted to test.
4459
10
4460
11
Fixes: a541fcc27c98b96da187c7d4573f3270f3ddd283
4461
12
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
4462
13
Message-Id: <20200430142755.315494-2-kwolf@redhat.com>
4463
14
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
4464
15
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
4465
16
(cherry picked from commit 813cc2545b82409fd504509f0ba2e96fab6edb9e)
4466
17
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4467
18
4468
19
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=4a0db6ba7d
4469
20
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
4470
21
Last-Update: 2020-08-19
4471
22
4472
23
---
4473
24
 tests/qemu-iotests/283     | 6 +++++-
4474
25
 tests/qemu-iotests/283.out | 2 +-
4475
26
 2 files changed, 6 insertions(+), 2 deletions(-)
4476
27
4477
28
diff --git a/tests/qemu-iotests/283 b/tests/qemu-iotests/283
4478
29
index 293e557bd9..a82e3c8164 100644
4479
30
--- a/tests/qemu-iotests/283
4480
31
+++ b/tests/qemu-iotests/283
4481
32
@@ -72,7 +72,11 @@ to check that crash is fixed :)
4482
33
 vm = iotests.VM()
4483
34
 vm.launch()
4484
35
 
4485
36
-vm.qmp_log('blockdev-add', **{'node-name': 'target', 'driver': 'null-co'})
4486
37
+vm.qmp_log('blockdev-add', **{
4487
38
+    'node-name': 'target',
4488
39
+    'driver': 'null-co',
4489
40
+    'size': size,
4490
41
+})
4491
42
 
4492
43
 vm.qmp_log('blockdev-add', **{
4493
44
     'node-name': 'source',
4494
45
diff --git a/tests/qemu-iotests/283.out b/tests/qemu-iotests/283.out
4495
46
index daaf5828c1..d8cff22cc1 100644
4496
47
--- a/tests/qemu-iotests/283.out
4497
48
+++ b/tests/qemu-iotests/283.out
4498
49
@@ -1,4 +1,4 @@
4499
50
-{"execute": "blockdev-add", "arguments": {"driver": "null-co", "node-name": "target"}}
4500
51
+{"execute": "blockdev-add", "arguments": {"driver": "null-co", "node-name": "target", "size": 1048576}}
4501
52
 {"return": {}}
4502
53
 {"execute": "blockdev-add", "arguments": {"driver": "blkdebug", "image": {"driver": "null-co", "node-name": "base", "size": 1048576}, "node-name": "source"}}
4503
54
 {"return": {}}
4504
55
-- 
4505
56
2.28.0
4506
57
4507
diff --git a/debian/patches/stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch b/debian/patches/stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch
4508
0
new file mode 100644
58
new file mode 100644
4509
index 0000000..5bb67e9
4510
--- /dev/null
4511
+++ b/debian/patches/stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch
4512
@@ -0,0 +1,42 @@
4513
1
From 6772bba8a45cda8ab96f124bb148c3ec1f7a4234 Mon Sep 17 00:00:00 2001
4514
2
From: Max Reitz <mreitz@redhat.com>
4515
3
Date: Wed, 18 Dec 2019 11:48:55 +0100
4516
4
Subject: [PATCH] iotests: Fix IMGOPTSSYNTAX for nbd
4517
5
MIME-Version: 1.0
4518
6
Content-Type: text/plain; charset=UTF-8
4519
7
Content-Transfer-Encoding: 8bit
4520
8
4521
9
There is no $SOCKDIR, only $SOCK_DIR.
4522
10
4523
11
Fixes: f3923a72f199b2c63747a7032db74730546f55c6
4524
12
Signed-off-by: Max Reitz <mreitz@redhat.com>
4525
13
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
4526
14
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
4527
15
(cherry picked from commit eb4ea9aaa0051054b3c148ad8631be7510851681)
4528
16
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4529
17
4530
18
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=6772bba8a4
4531
19
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
4532
20
Last-Update: 2020-08-19
4533
21
4534
22
---
4535
23
 tests/qemu-iotests/common.rc | 3 ++-
4536
24
 1 file changed, 2 insertions(+), 1 deletion(-)
4537
25
4538
26
diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc
4539
27
index 0cc8acc9ed..d3bf92031f 100644
4540
28
--- a/tests/qemu-iotests/common.rc
4541
29
+++ b/tests/qemu-iotests/common.rc
4542
30
@@ -217,7 +217,8 @@ if [ "$IMGOPTSSYNTAX" = "true" ]; then
4543
31
         TEST_IMG="$DRIVER,file.filename=$TEST_DIR/t.$IMGFMT"
4544
32
     elif [ "$IMGPROTO" = "nbd" ]; then
4545
33
         TEST_IMG_FILE=$TEST_DIR/t.$IMGFMT
4546
34
-        TEST_IMG="$DRIVER,file.driver=nbd,file.type=unix,file.path=$SOCKDIR/nbd"
4547
35
+        TEST_IMG="$DRIVER,file.driver=nbd,file.type=unix"
4548
36
+        TEST_IMG="$TEST_IMG,file.path=$SOCK_DIR/nbd"
4549
37
     elif [ "$IMGPROTO" = "ssh" ]; then
4550
38
         TEST_IMG_FILE=$TEST_DIR/t.$IMGFMT
4551
39
         TEST_IMG="$DRIVER,file.driver=ssh,file.host=127.0.0.1,file.path=$TEST_IMG_FILE"
4552
40
-- 
4553
41
2.28.0
4554
42
4555
diff --git a/debian/patches/stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch b/debian/patches/stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch
4556
0
new file mode 100644
43
new file mode 100644
4557
index 0000000..720412c
4558
--- /dev/null
4559
+++ b/debian/patches/stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch
4560
@@ -0,0 +1,69 @@
4561
1
From c6decabc4a30b841e031a838206286db6ad343bc Mon Sep 17 00:00:00 2001
4562
2
From: Eric Blake <eblake@redhat.com>
4563
3
Date: Wed, 26 Feb 2020 06:54:24 -0600
4564
4
Subject: [PATCH] iotests: Fix nonportable use of od --endian
4565
5
4566
6
Tests 261 and 272 fail on RHEL 7 with coreutils 8.22, since od
4567
7
--endian was not added until coreutils 8.23.  Fix this by manually
4568
8
constructing the final value one byte at a time.
4569
9
4570
10
Fixes: fc8ba423
4571
11
Reported-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
4572
12
Signed-off-by: Eric Blake <eblake@redhat.com>
4573
13
Reviewed-by: Max Reitz <mreitz@redhat.com>
4574
14
Message-Id: <20200226125424.481840-1-eblake@redhat.com>
4575
15
Signed-off-by: Max Reitz <mreitz@redhat.com>
4576
16
(cherry picked from commit 69135eb30b9c3fca583737a96df015174dc8e6dd)
4577
17
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4578
18
4579
19
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=c6decabc4a
4580
20
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
4581
21
Last-Update: 2020-08-19
4582
22
4583
23
---
4584
24
 tests/qemu-iotests/common.rc | 22 +++++++++++++++++-----
4585
25
 1 file changed, 17 insertions(+), 5 deletions(-)
4586
26
4587
27
diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc
4588
28
index d3bf92031f..538eb349e6 100644
4589
29
--- a/tests/qemu-iotests/common.rc
4590
30
+++ b/tests/qemu-iotests/common.rc
4591
31
@@ -56,18 +56,30 @@ poke_file()
4592
32
 # peek_file_le 'test.img' 512 2 => 65534
4593
33
 peek_file_le()
4594
34
 {
4595
35
-    # Wrap in echo $() to strip spaces
4596
36
-    echo $(od -j"$2" -N"$3" --endian=little -An -vtu"$3" "$1")
4597
37
+    local val=0 shift=0 byte
4598
38
+
4599
39
+    # coreutils' od --endian is not portable, so manually assemble bytes.
4600
40
+    for byte in $(od -j"$2" -N"$3" -An -v -tu1 "$1"); do
4601
41
+        val=$(( val | (byte << shift) ))
4602
42
+        shift=$((shift + 8))
4603
43
+    done
4604
44
+    printf %llu $val
4605
45
 }
4606
46
 
4607
47
 # peek_file_be 'test.img' 512 2 => 65279
4608
48
 peek_file_be()
4609
49
 {
4610
50
-    # Wrap in echo $() to strip spaces
4611
51
-    echo $(od -j"$2" -N"$3" --endian=big -An -vtu"$3" "$1")
4612
52
+    local val=0 byte
4613
53
+
4614
54
+    # coreutils' od --endian is not portable, so manually assemble bytes.
4615
55
+    for byte in $(od -j"$2" -N"$3" -An -v -tu1 "$1"); do
4616
56
+        val=$(( (val << 8) | byte ))
4617
57
+    done
4618
58
+    printf %llu $val
4619
59
 }
4620
60
 
4621
61
-# peek_file_raw 'test.img' 512 2 => '\xff\xfe'
4622
62
+# peek_file_raw 'test.img' 512 2 => '\xff\xfe'. Do not use if the raw data
4623
63
+# is likely to contain \0 or trailing \n.
4624
64
 peek_file_raw()
4625
65
 {
4626
66
     dd if="$1" bs=1 skip="$2" count="$3" status=none
4627
67
-- 
4628
68
2.28.0
4629
69
4630
diff --git a/debian/patches/stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch b/debian/patches/stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch
4631
0
new file mode 100644
70
new file mode 100644
4632
index 0000000..7f2bb10
4633
--- /dev/null
4634
+++ b/debian/patches/stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch
4635
@@ -0,0 +1,71 @@
4636
1
From 373fd948ab33b6e74b227cd62d4ccc4c17417473 Mon Sep 17 00:00:00 2001
4637
2
From: Kevin Wolf <kwolf@redhat.com>
4638
3
Date: Tue, 11 Feb 2020 10:49:00 +0100
4639
4
Subject: [PATCH] iotests: Test copy offloading with external data file
4640
5
4641
6
This adds a test for 'qemu-img convert' with copy offloading where the
4642
7
target image has an external data file. If the test hosts supports it,
4643
8
it tests both the case where copy offloading is supported and the case
4644
9
where it isn't (otherwise we just test unsupported twice).
4645
10
4646
11
More specifically, the case with unsupported copy offloading tests
4647
12
qcow2_alloc_cluster_abort() with external data files.
4648
13
4649
14
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
4650
15
Message-Id: <20200211094900.17315-4-kwolf@redhat.com>
4651
16
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
4652
17
(cherry picked from commit a0cf8daf77548786ced84d773f06fc70571c5d38)
4653
18
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4654
19
4655
20
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=373fd948ab
4656
21
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
4657
22
Last-Update: 2020-08-19
4658
23
4659
24
---
4660
25
 tests/qemu-iotests/244     | 14 ++++++++++++++
4661
26
 tests/qemu-iotests/244.out |  6 ++++++
4662
27
 2 files changed, 20 insertions(+)
4663
28
4664
29
diff --git a/tests/qemu-iotests/244 b/tests/qemu-iotests/244
4665
30
index 13978f93d2..2f5dfb9edd 100755
4666
31
--- a/tests/qemu-iotests/244
4667
32
+++ b/tests/qemu-iotests/244
4668
33
@@ -194,6 +194,20 @@ $QEMU_IO -c 'read -P 0x11 0 1M' -f $IMGFMT "$TEST_IMG" | _filter_qemu_io
4669
34
 $QEMU_IMG map --output=human "$TEST_IMG" | _filter_testdir
4670
35
 $QEMU_IMG map --output=json "$TEST_IMG"
4671
36
 
4672
37
+echo
4673
38
+echo "=== Copy offloading ==="
4674
39
+echo
4675
40
+
4676
41
+# Make use of copy offloading if the test host can provide it
4677
42
+_make_test_img -o "data_file=$TEST_IMG.data" 64M
4678
43
+$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG"
4679
44
+$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG"
4680
45
+
4681
46
+# blkdebug doesn't support copy offloading, so this tests the error path
4682
47
+$QEMU_IMG amend -f $IMGFMT -o "data_file=blkdebug::$TEST_IMG.data" "$TEST_IMG"
4683
48
+$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG"
4684
49
+$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG"
4685
50
+
4686
51
 # success, all done
4687
52
 echo "*** done"
4688
53
 rm -f $seq.full
4689
54
diff --git a/tests/qemu-iotests/244.out b/tests/qemu-iotests/244.out
4690
55
index 6a3d0067cc..e6f4dc7993 100644
4691
56
--- a/tests/qemu-iotests/244.out
4692
57
+++ b/tests/qemu-iotests/244.out
4693
58
@@ -122,4 +122,10 @@ Offset          Length          Mapped to       File
4694
59
 0               0x100000        0               TEST_DIR/t.qcow2.data
4695
60
 [{ "start": 0, "length": 1048576, "depth": 0, "zero": false, "data": true, "offset": 0},
4696
61
 { "start": 1048576, "length": 66060288, "depth": 0, "zero": true, "data": false}]
4697
62
+
4698
63
+=== Copy offloading ===
4699
64
+
4700
65
+Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 data_file=TEST_DIR/t.IMGFMT.data
4701
66
+Images are identical.
4702
67
+Images are identical.
4703
68
 *** done
4704
69
-- 
4705
70
2.28.0
4706
71
4707
diff --git a/debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch b/debian/patches/stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch
4708
0
similarity index 85%
72
similarity index 85%
4709
1
rename from debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch
73
rename from debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch
4710
2
rename to debian/patches/stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch
74
rename to debian/patches/stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch
4711
index 790c5d4..8aa1367 100644
4712
--- a/debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch
4713
+++ b/debian/patches/stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch
4714
@@ -1,4 +1,4 @@
4716
1
From a541fcc27c98b96da187c7d4573f3270f3ddd283 Mon Sep 17 00:00:00 2001
1
From 8952da32c36b8d457d0ebe28c252a7eeab68f127 Mon Sep 17 00:00:00 2001
4717
2
From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
2
From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
4718
3
Date: Tue, 21 Jan 2020 17:28:02 +0300
3
Date: Tue, 21 Jan 2020 17:28:02 +0300
4719
4
Subject: [PATCH] iotests: add test for backup-top failure on permission
4
Subject: [PATCH] iotests: add test for backup-top failure on permission
4720
@@ -10,10 +10,12 @@ Cc: qemu-stable@nongnu.org # v4.2.0
4721
10
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
10
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
4722
11
Message-id: 20200121142802.21467-3-vsementsov@virtuozzo.com
11
Message-id: 20200121142802.21467-3-vsementsov@virtuozzo.com
4723
12
Signed-off-by: Max Reitz <mreitz@redhat.com>
12
Signed-off-by: Max Reitz <mreitz@redhat.com>
4724
13
(cherry picked from commit a541fcc27c98b96da187c7d4573f3270f3ddd283)
4725
14
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4726
13
15
4730
14
Origin: backport, https://git.qemu.org/?p=qemu.git;a=commit;h=a541fcc27c98b96da187c7d4573f3270f3ddd283
16
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=8952da32c3
4731
15
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519
17
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
4732
16
Last-Update: 2020-03-18
18
Last-Update: 2020-08-19
4733
17
19
4734
18
---
20
---
4735
19
 tests/qemu-iotests/283     | 92 ++++++++++++++++++++++++++++++++++++++
21
 tests/qemu-iotests/283     | 92 ++++++++++++++++++++++++++++++++++++++
4736
@@ -23,6 +25,9 @@ Last-Update: 2020-03-18
4737
23
 create mode 100644 tests/qemu-iotests/283
25
 create mode 100644 tests/qemu-iotests/283
4738
24
 create mode 100644 tests/qemu-iotests/283.out
26
 create mode 100644 tests/qemu-iotests/283.out
4739
25
27
4740
28
diff --git a/tests/qemu-iotests/283 b/tests/qemu-iotests/283
4741
29
new file mode 100644
4742
30
index 0000000000..293e557bd9
4743
26
--- /dev/null
31
--- /dev/null
4744
27
+++ b/tests/qemu-iotests/283
32
+++ b/tests/qemu-iotests/283
4745
28
@@ -0,0 +1,92 @@
33
@@ -0,0 +1,92 @@
4746
@@ -118,6 +123,9 @@ Last-Update: 2020-03-18
4747
118
+vm.qmp_log('blockdev-backup', sync='full', device='source', target='target')
123
+vm.qmp_log('blockdev-backup', sync='full', device='source', target='target')
4748
119
+
124
+
4749
120
+vm.shutdown()
125
+vm.shutdown()
4750
126
diff --git a/tests/qemu-iotests/283.out b/tests/qemu-iotests/283.out
4751
127
new file mode 100644
4752
128
index 0000000000..daaf5828c1
4753
121
--- /dev/null
129
--- /dev/null
4754
122
+++ b/tests/qemu-iotests/283.out
130
+++ b/tests/qemu-iotests/283.out
4755
123
@@ -0,0 +1,8 @@
131
@@ -0,0 +1,8 @@
4756
@@ -129,10 +137,15 @@ Last-Update: 2020-03-18
4757
129
+{"return": {}}
137
+{"return": {}}
4758
130
+{"execute": "blockdev-backup", "arguments": {"device": "source", "sync": "full", "target": "target"}}
138
+{"execute": "blockdev-backup", "arguments": {"device": "source", "sync": "full", "target": "target"}}
4759
131
+{"error": {"class": "GenericError", "desc": "Cannot set permissions for backup-top filter: Conflicts with use by other as 'image', which uses 'write' on base"}}
139
+{"error": {"class": "GenericError", "desc": "Cannot set permissions for backup-top filter: Conflicts with use by other as 'image', which uses 'write' on base"}}
4760
140
diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group
4761
141
index 2dc8a6e572..f5e0bf86ce 100644
4762
132
--- a/tests/qemu-iotests/group
142
--- a/tests/qemu-iotests/group
4763
133
+++ b/tests/qemu-iotests/group
143
+++ b/tests/qemu-iotests/group
4766
134
@@ -286,3 +286,4 @@
144
@@ -287,3 +287,4 @@
4765
135
 272 rw
4767
136
 273 backing quick
145
 273 backing quick
4768
137
 277 rw quick
146
 277 rw quick
4769
147
 289 rw quick
4770
138
+283 auto quick
148
+283 auto quick
4771
149
-- 
4772
150
2.28.0
4773
151
4774
diff --git a/debian/patches/stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch b/debian/patches/stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch
4775
139
new file mode 100644
152
new file mode 100644
4776
index 0000000..1fa7179
4777
--- /dev/null
4778
+++ b/debian/patches/stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch
4779
@@ -0,0 +1,108 @@
4780
1
From c44015c50c741ebc267e022542fc110ea97197a0 Mon Sep 17 00:00:00 2001
4781
2
From: Laurent Vivier <laurent@vivier.eu>
4782
3
Date: Thu, 16 Jan 2020 17:54:54 +0100
4783
4
Subject: [PATCH] m68k: Fix regression causing Single-Step via GDB/RSP to not
4784
5
 single step
4785
6
4786
7
A regression that was introduced, with the refactor to TranslatorOps,
4787
8
drops two lines that update the PC when single-stepping is being performed.
4788
9
4789
10
Fixes: 11ab74b01e0a ("target/m68k: Convert to TranslatorOps")
4790
11
Reported-by: Lucien Murray-Pitts <lucienmp_antispam@yahoo.com>
4791
12
Suggested-by: Lucien Murray-Pitts <lucienmp_antispam@yahoo.com>
4792
13
Suggested-by: Richard Henderson <richard.henderson@linaro.org>
4793
14
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
4794
15
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
4795
16
Message-Id: <20200116165454.2076265-1-laurent@vivier.eu>
4796
17
(cherry picked from commit 322f244aaa80a5208090d41481c1c09c6face66b)
4797
18
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4798
19
4799
20
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=c44015c50c
4800
21
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
4801
22
Last-Update: 2020-08-19
4802
23
4803
24
---
4804
25
 target/m68k/translate.c | 42 ++++++++++++++++++++++++++---------------
4805
26
 1 file changed, 27 insertions(+), 15 deletions(-)
4806
27
4807
28
diff --git a/target/m68k/translate.c b/target/m68k/translate.c
4808
29
index fcdb7bc8e4..16fae5ac9e 100644
4809
30
--- a/target/m68k/translate.c
4810
31
+++ b/target/m68k/translate.c
4811
32
@@ -289,16 +289,21 @@ static void gen_jmp(DisasContext *s, TCGv dest)
4812
33
     s->base.is_jmp = DISAS_JUMP;
4813
34
 }
4814
35
 
4815
36
-static void gen_exception(DisasContext *s, uint32_t dest, int nr)
4816
37
+static void gen_raise_exception(int nr)
4817
38
 {
4818
39
     TCGv_i32 tmp;
4819
40
 
4820
41
-    update_cc_op(s);
4821
42
-    tcg_gen_movi_i32(QREG_PC, dest);
4822
43
-
4823
44
     tmp = tcg_const_i32(nr);
4824
45
     gen_helper_raise_exception(cpu_env, tmp);
4825
46
     tcg_temp_free_i32(tmp);
4826
47
+}
4827
48
+
4828
49
+static void gen_exception(DisasContext *s, uint32_t dest, int nr)
4829
50
+{
4830
51
+    update_cc_op(s);
4831
52
+    tcg_gen_movi_i32(QREG_PC, dest);
4832
53
+
4833
54
+    gen_raise_exception(nr);
4834
55
 
4835
56
     s->base.is_jmp = DISAS_NORETURN;
4836
57
 }
4837
58
@@ -6198,29 +6203,36 @@ static void m68k_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
4838
59
 {
4839
60
     DisasContext *dc = container_of(dcbase, DisasContext, base);
4840
61
 
4841
62
-    if (dc->base.is_jmp == DISAS_NORETURN) {
4842
63
-        return;
4843
64
-    }
4844
65
-    if (dc->base.singlestep_enabled) {
4845
66
-        gen_helper_raise_exception(cpu_env, tcg_const_i32(EXCP_DEBUG));
4846
67
-        return;
4847
68
-    }
4848
69
-
4849
70
     switch (dc->base.is_jmp) {
4850
71
+    case DISAS_NORETURN:
4851
72
+        break;
4852
73
     case DISAS_TOO_MANY:
4853
74
         update_cc_op(dc);
4854
75
-        gen_jmp_tb(dc, 0, dc->pc);
4855
76
+        if (dc->base.singlestep_enabled) {
4856
77
+            tcg_gen_movi_i32(QREG_PC, dc->pc);
4857
78
+            gen_raise_exception(EXCP_DEBUG);
4858
79
+        } else {
4859
80
+            gen_jmp_tb(dc, 0, dc->pc);
4860
81
+        }
4861
82
         break;
4862
83
     case DISAS_JUMP:
4863
84
         /* We updated CC_OP and PC in gen_jmp/gen_jmp_im.  */
4864
85
-        tcg_gen_lookup_and_goto_ptr();
4865
86
+        if (dc->base.singlestep_enabled) {
4866
87
+            gen_raise_exception(EXCP_DEBUG);
4867
88
+        } else {
4868
89
+            tcg_gen_lookup_and_goto_ptr();
4869
90
+        }
4870
91
         break;
4871
92
     case DISAS_EXIT:
4872
93
         /*
4873
94
          * We updated CC_OP and PC in gen_exit_tb, but also modified
4874
95
          * other state that may require returning to the main loop.
4875
96
          */
4876
97
-        tcg_gen_exit_tb(NULL, 0);
4877
98
+        if (dc->base.singlestep_enabled) {
4878
99
+            gen_raise_exception(EXCP_DEBUG);
4879
100
+        } else {
4880
101
+            tcg_gen_exit_tb(NULL, 0);
4881
102
+        }
4882
103
         break;
4883
104
     default:
4884
105
         g_assert_not_reached();
4885
106
-- 
4886
107
2.28.0
4887
108
4888
diff --git a/debian/patches/stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch b/debian/patches/stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch
4889
0
new file mode 100644
109
new file mode 100644
4890
index 0000000..06e962f
4891
--- /dev/null
4892
+++ b/debian/patches/stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch
4893
@@ -0,0 +1,157 @@
4894
1
From 52771abbfa6775db8843f2ee365d45be169887cd Mon Sep 17 00:00:00 2001
4895
2
From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
4896
3
Date: Thu, 5 Dec 2019 10:29:18 +0000
4897
4
Subject: [PATCH] migration: Rate limit inside host pages
4898
5
4899
6
When using hugepages, rate limiting is necessary within each huge
4900
7
page, since a 1G huge page can take a significant time to send, so
4901
8
you end up with bursty behaviour.
4902
9
4903
10
Fixes: 4c011c37ecb3 ("postcopy: Send whole huge pages")
4904
11
Reported-by: Lin Ma <LMa@suse.com>
4905
12
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
4906
13
Reviewed-by: Juan Quintela <quintela@redhat.com>
4907
14
Reviewed-by: Peter Xu <peterx@redhat.com>
4908
15
Signed-off-by: Juan Quintela <quintela@redhat.com>
4909
16
(cherry picked from commit 97e1e06780e70f6e98a0d2df881e0c0927d3aeb6)
4910
17
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
4911
18
4912
19
Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=52771abbfa
4913
20
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
4914
21
Last-Update: 2020-08-19
4915
22
4916
23
---
4917
24
 migration/migration.c  | 57 ++++++++++++++++++++++++------------------
4918
25
 migration/migration.h  |  1 +
4919
26
 migration/ram.c        |  2 ++
4920
27
 migration/trace-events |  4 +--
4921
28
 4 files changed, 37 insertions(+), 27 deletions(-)
4922
29
4923
30
diff --git a/migration/migration.c b/migration/migration.c
4924
31
index 354ad072fa..27500d09a9 100644
4925
32
--- a/migration/migration.c
4926
33
+++ b/migration/migration.c
4927
34
@@ -3224,6 +3224,37 @@ void migration_consume_urgent_request(void)
4928
35
     qemu_sem_wait(&migrate_get_current()->rate_limit_sem);
4929
36
 }
4930
37
 
4931
38
+/* Returns true if the rate limiting was broken by an urgent request */
4932
39
+bool migration_rate_limit(void)
4933
40
+{
4934
41
+    int64_t now = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
4935
42
+    MigrationState *s = migrate_get_current();
4936
43
+
4937
44
+    bool urgent = false;
4938
45
+    migration_update_counters(s, now);
4939
46
+    if (qemu_file_rate_limit(s->to_dst_file)) {
4940
47
+        /*
4941
48
+         * Wait for a delay to do rate limiting OR
4942
49
+         * something urgent to post the semaphore.
4943
50
+         */
4944
51
+        int ms = s->iteration_start_time + BUFFER_DELAY - now;
4945
52
+        trace_migration_rate_limit_pre(ms);
4946
53
+        if (qemu_sem_timedwait(&s->rate_limit_sem, ms) == 0) {
4947
54
+            /*
4948
55
+             * We were woken by one or more urgent things but
4949
56
+             * the timedwait will have consumed one of them.
4950
57
+             * The service routine for the urgent wake will dec
4951
58
+             * the semaphore itself for each item it consumes,
4952
59
+             * so add this one we just eat back.
4953
60
+             */
4954
61
+            qemu_sem_post(&s->rate_limit_sem);
4955
62
+            urgent = true;
4956
63
+        }
4957
64
+        trace_migration_rate_limit_post(urgent);
4958
65
+    }
4959
66
+    return urgent;
4960
67
+}
4961
68
+
4962
69
 /*
4963
70
  * Master migration thread on the source VM.
4964
71
  * It drives the migration and pumps the data down the outgoing channel.
4965
72
@@ -3290,8 +3321,6 @@ static void *migration_thread(void *opaque)
4966
73
     trace_migration_thread_setup_complete();
4967
74
 
4968
75
     while (migration_is_active(s)) {
4969
76
-        int64_t current_time;
4970
77
-
4971
78
         if (urgent || !qemu_file_rate_limit(s->to_dst_file)) {
4972
79
             MigIterateState iter_state = migration_iteration_run(s);
4973
80
             if (iter_state == MIG_ITERATE_SKIP) {
4974
81
@@ -3318,29 +3347,7 @@ static void *migration_thread(void *opaque)
4975
82
             update_iteration_initial_status(s);
4976
83
         }
4977
84
 
4978
85
-        current_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
4979
86
-
4980
87
-        migration_update_counters(s, current_time);
4981
88
-
4982
89
-        urgent = false;
4983
90
-        if (qemu_file_rate_limit(s->to_dst_file)) {
4984
91
-            /* Wait for a delay to do rate limiting OR
4985
92
-             * something urgent to post the semaphore.
4986
93
-             */
4987
94
-            int ms = s->iteration_start_time + BUFFER_DELAY - current_time;
4988
95
-            trace_migration_thread_ratelimit_pre(ms);
4989
96
-            if (qemu_sem_timedwait(&s->rate_limit_sem, ms) == 0) {
4990
97
-                /* We were worken by one or more urgent things but
4991
98
-                 * the timedwait will have consumed one of them.
4992
99
-                 * The service routine for the urgent wake will dec
4993
100
-                 * the semaphore itself for each item it consumes,
4994
101
-                 * so add this one we just eat back.
4995
102
-                 */
4996
103
-                qemu_sem_post(&s->rate_limit_sem);
4997
104
-                urgent = true;
4998
105
-            }
4999
106
-            trace_migration_thread_ratelimit_post(urgent);
5000
107
-        }
Reviewer	Date Requested	Status
Rafael David Tinoco (community)	2020-08-19	Approve on 2020-08-20
Canonical Server	2020-08-19	Pending
git-ubuntu developers	2020-08-19	Pending
Review via email: mp+389527@code.launchpad.net