Merge ~paelzer/ubuntu/+source/qemu:focal-SRU-august2020-1890154-1883984-1891203-1891877 into ubuntu/+source/qemu:ubuntu/focal-devel
- Git
- lp:~paelzer/ubuntu/+source/qemu
- focal-SRU-august2020-1890154-1883984-1891203-1891877
- Merge into ubuntu/focal-devel
Status: | Merged |
---|---|
Approved by: | Christian Ehrhardt |
Approved revision: | 74968e83c5c627c29f7a6cb802086ae93622aeca |
Merge reported by: | Christian Ehrhardt |
Merged at revision: | 74968e83c5c627c29f7a6cb802086ae93622aeca |
Proposed branch: | ~paelzer/ubuntu/+source/qemu:focal-SRU-august2020-1890154-1883984-1891203-1891877 |
Merge into: | ubuntu/+source/qemu:ubuntu/focal-devel |
Diff against target: |
10691 lines (+9839/-7) 133 files modified
debian/changelog (+86/-0) debian/patches/series (+131/-1) debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch (+74/-0) debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch (+91/-0) debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch (+49/-0) debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch (+43/-0) debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch (+44/-0) debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch (+67/-0) debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch (+41/-0) debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch (+65/-0) debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch (+43/-0) debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch (+77/-0) debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch (+24/-0) debian/patches/stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch (+209/-0) debian/patches/stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch (+87/-0) debian/patches/stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch (+41/-0) debian/patches/stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch (+100/-0) debian/patches/stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch (+58/-0) debian/patches/stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch (+55/-0) debian/patches/stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch (+122/-0) debian/patches/stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch (+68/-0) debian/patches/stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch (+49/-0) debian/patches/stable/lp-1891877-display-bochs-display-fix-memory-leak.patch (+42/-0) debian/patches/stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch (+52/-0) debian/patches/stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch (+167/-0) debian/patches/stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch (+71/-0) debian/patches/stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch (+56/-0) debian/patches/stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch (+55/-0) debian/patches/stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch (+45/-0) debian/patches/stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch (+51/-0) debian/patches/stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch (+137/-0) debian/patches/stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch (+68/-0) debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch (+57/-0) debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch (+98/-0) debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch (+113/-0) debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch (+75/-0) debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch (+60/-0) debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch (+51/-0) debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch (+54/-0) debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch (+61/-0) debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch (+59/-0) debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch (+83/-0) debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch (+59/-0) debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch (+63/-0) debian/patches/stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch (+52/-0) debian/patches/stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch (+55/-0) debian/patches/stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch (+58/-0) debian/patches/stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch (+49/-0) debian/patches/stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch (+66/-0) debian/patches/stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch (+91/-0) debian/patches/stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch (+99/-0) debian/patches/stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch (+232/-0) debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch (+107/-0) debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch (+97/-0) debian/patches/stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch (+57/-0) debian/patches/stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch (+42/-0) debian/patches/stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch (+69/-0) debian/patches/stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch (+71/-0) debian/patches/stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch (+19/-6) debian/patches/stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch (+108/-0) debian/patches/stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch (+157/-0) debian/patches/stable/lp-1891877-migration-colo-fix-use-after-free-of-local_err.patch (+39/-0) debian/patches/stable/lp-1891877-migration-ram-fix-use-after-free-of-local_err.patch (+39/-0) debian/patches/stable/lp-1891877-migration-test-ppc64-fix-FORTH-test-program.patch (+67/-0) debian/patches/stable/lp-1891877-net-Do-not-include-a-newline-in-the-id-of-nic-device.patch (+43/-0) debian/patches/stable/lp-1891877-numa-properly-check-if-numa-is-supported.patch (+75/-0) debian/patches/stable/lp-1891877-numa-remove-not-needed-check.patch (+52/-0) debian/patches/stable/lp-1891877-ppc-ppc405_boards-Remove-unnecessary-NULL-check.patch (+63/-0) debian/patches/stable/lp-1891877-qapi-better-document-NVMe-blockdev-device-parameter.patch (+49/-0) debian/patches/stable/lp-1891877-qcow2-List-autoclear-bit-names-in-header.patch (+208/-0) debian/patches/stable/lp-1891877-qcow2-update_refcount-Reset-old_table_index-after-qc.patch (+43/-0) debian/patches/stable/lp-1891877-qemu-ga-document-vsock-listen-in-the-man-page.patch (+70/-0) debian/patches/stable/lp-1891877-qemu-nbd-Close-inherited-stderr.patch (+46/-0) debian/patches/stable/lp-1891877-qga-Fix-undefined-C-behavior.patch (+53/-0) debian/patches/stable/lp-1891877-qga-Installer-Wait-for-installation-to-finish.patch (+42/-0) debian/patches/stable/lp-1891877-qga-win-Handle-VSS_E_PROVIDER_ALREADY_REGISTERED-err.patch (+47/-0) debian/patches/stable/lp-1891877-qga-win-prevent-crash-when-executing-guest-file-read.patch (+55/-0) debian/patches/stable/lp-1891877-runstate-ignore-finishmigrate-prelaunch-transition.patch (+69/-0) debian/patches/stable/lp-1891877-s390x-adapter-routes-error-handling.patch (+84/-0) debian/patches/stable/lp-1891877-scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch (+102/-0) debian/patches/stable/lp-1891877-sheepdog-Consistently-set-bdrv_has_zero_init_truncat.patch (+54/-0) debian/patches/stable/lp-1891877-spapr-Fix-failure-path-for-attempting-to-hot-unplug-.patch (+42/-0) debian/patches/stable/lp-1891877-target-arm-Clear-tail-in-gvec_fmul_idx_-gvec_fmla_id.patch (+47/-0) debian/patches/stable/lp-1891877-target-arm-Correct-definition-of-PMCRDP.patch (+47/-0) debian/patches/stable/lp-1891877-target-arm-fix-TCG-leak-for-fcvt-half-double.patch (+54/-0) debian/patches/stable/lp-1891877-target-arm-monitor-query-cpu-model-expansion-crashed.patch (+66/-0) debian/patches/stable/lp-1891877-target-ppc-Fix-mtmsr-d-L-1-variant-that-loses-interr.patch (+163/-0) debian/patches/stable/lp-1891877-target-ppc-Fix-rlwinm-on-ppc64.patch (+67/-0) debian/patches/stable/lp-1891877-target-xtensa-fix-pasto-in-pfwait.r-opcode-name.patch (+36/-0) debian/patches/stable/lp-1891877-tcg-i386-Fix-INDEX_op_dup2_vec.patch (+45/-0) debian/patches/stable/lp-1891877-tcg-mips-mips-sync-encode-error.patch (+57/-0) debian/patches/stable/lp-1891877-tests-fix-modules-test-duplicate-test-case-error.patch (+54/-0) debian/patches/stable/lp-1891877-tests-ide-test-Create-a-single-unit-test-covering-mo.patch (+228/-0) debian/patches/stable/lp-1891877-vhost-user-blk-delete-virtioqueues-in-unrealize-to-f.patch (+75/-0) debian/patches/stable/lp-1891877-vhost-user-gpu-Release-memory-returned-by-vu_queue_p.patch (+67/-0) debian/patches/stable/lp-1891877-virtio-9p-device-fix-memleak-in-virtio_9p_device_unr.patch (+49/-0) debian/patches/stable/lp-1891877-virtio-add-ability-to-delete-vq-through-a-pointer.patch (+71/-0) debian/patches/stable/lp-1891877-virtio-balloon-fix-free-page-hinting-check-on-unreal.patch (+51/-0) debian/patches/stable/lp-1891877-virtio-balloon-fix-free-page-hinting-without-an-ioth.patch (+116/-0) debian/patches/stable/lp-1891877-virtio-balloon-unref-the-iothread-when-unrealizing.patch (+49/-0) debian/patches/stable/lp-1891877-virtio-crypto-do-delete-ctrl_vq-in-virtio_crypto_dev.patch (+61/-0) debian/patches/stable/lp-1891877-virtio-make-virtio_delete_queue-idempotent.patch (+37/-0) debian/patches/stable/lp-1891877-virtio-pmem-do-delete-rq_vq-in-virtio_pmem_unrealize.patch (+45/-0) debian/patches/stable/lp-1891877-virtio-reset-region-cache-when-on-queue-deletion.patch (+40/-0) debian/patches/stable/lp-1891877-vpc-Don-t-round-up-already-aligned-BAT-sizes.patch (+55/-0) debian/patches/stable/lp-1891877-xen-9pfs-yield-when-there-isn-t-enough-room-on-the-r.patch (+96/-0) debian/patches/stable/lp-1891877-xen-block-Fix-double-qlist-remove-and-request-leak.patch (+163/-0) debian/patches/ubuntu/CVE-2020-10761.patch (+149/-0) debian/patches/ubuntu/CVE-2020-12829-2.patch (+55/-0) debian/patches/ubuntu/CVE-2020-12829-3.patch (+41/-0) debian/patches/ubuntu/CVE-2020-12829-4.patch (+42/-0) debian/patches/ubuntu/CVE-2020-12829-5.patch (+28/-0) debian/patches/ubuntu/CVE-2020-12829-6.patch (+129/-0) debian/patches/ubuntu/CVE-2020-12829-7.patch (+61/-0) debian/patches/ubuntu/CVE-2020-12829-pre1.patch (+159/-0) debian/patches/ubuntu/CVE-2020-12829-pre2.patch (+134/-0) debian/patches/ubuntu/CVE-2020-12829-pre3.patch (+42/-0) debian/patches/ubuntu/CVE-2020-12829-pre4.patch (+95/-0) debian/patches/ubuntu/CVE-2020-12829.patch (+261/-0) debian/patches/ubuntu/CVE-2020-13253.patch (+122/-0) debian/patches/ubuntu/CVE-2020-13361.patch (+60/-0) debian/patches/ubuntu/CVE-2020-13362-1.patch (+51/-0) debian/patches/ubuntu/CVE-2020-13362-2.patch (+36/-0) debian/patches/ubuntu/CVE-2020-13362-3.patch (+97/-0) debian/patches/ubuntu/CVE-2020-13659.patch (+47/-0) debian/patches/ubuntu/CVE-2020-13754-1.patch (+81/-0) debian/patches/ubuntu/CVE-2020-13754-2.patch (+59/-0) debian/patches/ubuntu/CVE-2020-13800.patch (+59/-0) debian/patches/ubuntu/CVE-2020-14415.patch (+33/-0) debian/patches/ubuntu/CVE-2020-15863.patch (+58/-0) debian/patches/ubuntu/CVE-2020-16092.patch (+40/-0) debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch (+37/-0) debian/patches/ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch (+52/-0) |
Related bugs: |
|
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Rafael David Tinoco (community) | Approve | ||
Canonical Server | Pending | ||
git-ubuntu developers | Pending | ||
Review via email: mp+389527@code.launchpad.net |
Commit message
Description of the change
Christian Ehrhardt (paelzer) wrote : | # |
Rafael David Tinoco (rafaeldtinoco) wrote : | # |
From the beginning
c33d65deb29 - security update 4.2-3ubuntu6.4 (to be released)
----
5c4fe018c0 nbd/server: Avoid long error message assertions CVE-2020-10761
fa70c2871f sm501: Optimize small overlapping blits
84ec3f9402 sm501: Fix bounds checks
4decaad9d2 sm501: Drop unneded variable
f018edc358 sm501: Do not allow guest to set invalid format
299778d5af sm501: Introduce variable for commonly used value for better readability
9982c605a7 sm501: Fix and optimize overlap check
e29da77e5f sm501: Convert printf + abort to qemu_log_mask
6f8183b5dc sm501: Shorten long variable names in sm501_2d_operation
2824809b7f sm501: Use BIT(x) macro to shorten constant
3d0b096298 sm501: Clean up local variables in sm501_2d_operation
b15a22bbcb sm501: Replace hand written implementation with pixman where possible
790762e548 hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
369ff955a8 es1370: check total frame count against current frame
f50ab86a26 megasas: use unsigned type for reply_queue_head and check index
fd69185567 megasas: avoid NULL pointer dereference
2b151297e4 megasas: use unsigned type for positive numeric fields
77f55eac6c exec: set map length to zero when returning NULL
5d971f9e67 memory: Revert "memory: accept mismatching sizes in memory_
dba04c3488 acpi: accept byte and word access to core ACPI registers
a98610c429 ati-vga: check mm_index before recursive call (CVE-2020-13800)
7a4ede0047 audio/oss: fix buffer pos calculation
5519724a13 hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
035e69b063 hw/net/net_tx_pkt: fix assertion failure in net_tx_
----
So, all the CVE fixes look ok, but I think we might be missing a fix for a regression caused by:
5d971f9e67 memory: Revert "memory: accept mismatching sizes in memory_
which is:
commit 70b78d4e71 (MISSING)
Author: Alistair Francis <email address hidden>
Date: Tue Jun 30 17:12:11 2020
hw/riscv: Allow 64 bit access to SiFive CLINT
Commit 5d971f9e6725072
"memory: Revert "memory: accept mismatching sizes in
memory_
accesses to the CLINT and QEMU would trigger a fault. Fix this failure
by allowing 8 byte accesses.
Signed-off-by: Alistair Francis <email address hidden>
Reviewed-by: LIU Zhiwei<email address hidden>
Message-Id: <122b78825b077e
Rafael David Tinoco (rafaeldtinoco) wrote : | # |
For...
ab9f0cb1d27 further stabilize by importing patches of qemu v4.2.1
----
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
stable/
Rafael David Tinoco (rafaeldtinoco) wrote : | # |
All other patches (single SRUs) look okay to me.
I'm +1 on this (and already approving) as long as you check:
commit 70b78d4e71 (MISSING)
Author: Alistair Francis <email address hidden>
Date: Tue Jun 30 17:12:11 2020
hw/riscv: Allow 64 bit access to SiFive CLINT
as being a fix (or not) to regression cause by:
5d971f9e67 memory: Revert "memory: accept mismatching sizes in memory_
All the rest look good SRUs, cases have templates, patches apply cleanly, etc.
Christian Ehrhardt (paelzer) wrote : | # |
commit 5d971f9e6725072
Author: Michael S. Tsirkin <email address hidden>
Date: Wed Jun 10 09:47:49 2020 -0400
memory: Revert "memory: accept mismatching sizes in memory_
Was added by/in
debian/
As part of the former security upload.
And I agree this patch should be added as well.
Ok so it was not missing on my stable patches but actually broken on the security release before it. Great catch and great that you are ok with the rest.
Also the security update got released tonight so I can rebase onto the new import and upload.
Note: this fix you identified also needs to go on top of groovy (there added by security upload in 1:5.0-5ubuntu3) which I'll do right away.
Christian Ehrhardt (paelzer) wrote : | # |
Hmm no, despite being a 5.1 patch in groovy
debian/
was added by me when doing the security fixes in 1:5.0-5ubuntu3
So groovy is good already, adding the patch to Focal as discussed.
Christian Ehrhardt (paelzer) wrote : | # |
I have pinged security as they backported this to X&B as well - not sure how reasonable riscv emu was these days, but I thought they should know.
The Focal upload is prepared as reviewed plus the fix that was identified.
To ssh://git.
* [new tag] upload/
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading qemu_4.
Uploading qemu_4.
Uploading qemu_4.
Uploading qemu_4.
Successfully uploaded packages.
Christian Ehrhardt (paelzer) wrote : | # |
SRU released
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog | |||
2 | index cc2f33a..0124b2c 100644 | |||
3 | --- a/debian/changelog | |||
4 | +++ b/debian/changelog | |||
5 | @@ -1,3 +1,89 @@ | |||
6 | 1 | qemu (1:4.2-3ubuntu6.5) focal; urgency=medium | ||
7 | 2 | |||
8 | 3 | * further stabilize qemu by importing patches of qemu v4.2.1 | ||
9 | 4 | Fixes (LP: #1891203) and (LP: #1891877) | ||
10 | 5 | - d/p/stable/lp-1891877-* | ||
11 | 6 | * fix s390x SQXBR emulation (LP: #1883984) | ||
12 | 7 | - d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch | ||
13 | 8 | * fix -no-reboot for s390x protvirt guests (LP: #1890154) | ||
14 | 9 | - d/p/ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-* | ||
15 | 10 | |||
16 | 11 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 19 Aug 2020 13:40:49 +0200 | ||
17 | 12 | |||
18 | 13 | qemu (1:4.2-3ubuntu6.4) focal-security; urgency=medium | ||
19 | 14 | |||
20 | 15 | * SECURITY UPDATE: assert failure in nbd | ||
21 | 16 | - debian/patches/ubuntu/CVE-2020-10761.patch: avoid long error message | ||
22 | 17 | assertions in nbd/server.c, tests/qemu-iotests/143, | ||
23 | 18 | tests/qemu-iotests/143.out. | ||
24 | 19 | - CVE-2020-10761 | ||
25 | 20 | * SECURITY UPDATE: out-of-bounds read and write in sm501 | ||
26 | 21 | - debian/patches/ubuntu/CVE-2020-12829-pre1.patch: convert printf + | ||
27 | 22 | abort to qemu_log_mask. | ||
28 | 23 | - debian/patches/ubuntu/CVE-2020-12829-pre2.patch: shorten long | ||
29 | 24 | variable names in sm501_2d_operation. | ||
30 | 25 | - debian/patches/ubuntu/CVE-2020-12829-pre3.patch: use BIT(x) macro to | ||
31 | 26 | shorten constant. | ||
32 | 27 | - debian/patches/ubuntu/CVE-2020-12829-pre4.patch: clean up local | ||
33 | 28 | variables in sm501_2d_operation. | ||
34 | 29 | - debian/patches/ubuntu/CVE-2020-12829.patch: replace hand written | ||
35 | 30 | implementation with pixman where possible. | ||
36 | 31 | - debian/patches/ubuntu/CVE-2020-12829-2.patch: optimize small | ||
37 | 32 | overlapping blits. | ||
38 | 33 | - debian/patches/ubuntu/CVE-2020-12829-3.patch: fix bounds checks. | ||
39 | 34 | - debian/patches/ubuntu/CVE-2020-12829-4.patch: drop unneded variable. | ||
40 | 35 | - debian/patches/ubuntu/CVE-2020-12829-5.patch: do not allow guest to | ||
41 | 36 | set invalid format. | ||
42 | 37 | - debian/patches/ubuntu/CVE-2020-12829-6.patch: introduce variable for | ||
43 | 38 | commonly used value for better readability. | ||
44 | 39 | - debian/patches/ubuntu/CVE-2020-12829-7.patch: fix and optimize | ||
45 | 40 | overlap check. | ||
46 | 41 | - CVE-2020-12829 | ||
47 | 42 | * SECURITY UPDATE: out-of-bounds read during sdhci_write() operations | ||
48 | 43 | - debian/patches/ubuntu/CVE-2020-13253.patch: do not switch to | ||
49 | 44 | ReceivingData if address is invalid in hw/sd/sd.c. | ||
50 | 45 | - CVE-2020-13253 | ||
51 | 46 | * SECURITY UPDATE: out-of-bounds access during es1370_write() operation | ||
52 | 47 | - debian/patches/ubuntu/CVE-2020-13361.patch: check total frame count | ||
53 | 48 | against current frame in hw/audio/es1370.c. | ||
54 | 49 | - CVE-2020-13361 | ||
55 | 50 | * SECURITY UPDATE: out-of-bounds read via crafted reply_queue_head | ||
56 | 51 | - debian/patches/ubuntu/CVE-2020-13362-1.patch: use unsigned type for | ||
57 | 52 | reply_queue_head and check index in hw/scsi/megasas.c. | ||
58 | 53 | - debian/patches/ubuntu/CVE-2020-13362-2.patch: avoid NULL pointer | ||
59 | 54 | dereference in hw/scsi/megasas.c. | ||
60 | 55 | - debian/patches/ubuntu/CVE-2020-13362-3.patch: use unsigned type for | ||
61 | 56 | positive numeric fields in hw/scsi/megasas.c. | ||
62 | 57 | - CVE-2020-13362 | ||
63 | 58 | * SECURITY UPDATE: NULL pointer dereference related to BounceBuffer | ||
64 | 59 | - debian/patches/ubuntu/CVE-2020-13659.patch: set map length to zero | ||
65 | 60 | when returning NULL in exec.c, include/exec/memory.h. | ||
66 | 61 | - CVE-2020-13659 | ||
67 | 62 | * SECURITY UPDATE: out-of-bounds access via msi-x mmio operation | ||
68 | 63 | - debian/patches/ubuntu/CVE-2020-13754-1.patch: revert accepting | ||
69 | 64 | mismatching sizes in memory_region_access_valid in memory.c. | ||
70 | 65 | - debian/patches/ubuntu/CVE-2020-13754-2.patch: accept byte and word | ||
71 | 66 | access to core ACPI registers in hw/acpi/core.c. | ||
72 | 67 | - CVE-2020-13754 | ||
73 | 68 | * SECURITY UPDATE: infinite recursion in ati-vga | ||
74 | 69 | - debian/patches/ubuntu/CVE-2020-13800.patch: check mm_index before | ||
75 | 70 | recursive call in hw/display/ati.c. | ||
76 | 71 | - CVE-2020-13800 | ||
77 | 72 | * SECURITY UPDATE: division by zero in oss_write() | ||
78 | 73 | - debian/patches/ubuntu/CVE-2020-14415.patch: fix buffer pos | ||
79 | 74 | calculation in audio/ossaudio.c. | ||
80 | 75 | - CVE-2020-14415 | ||
81 | 76 | * SECURITY UPDATE: buffer overflow in XGMAC Ethernet controller | ||
82 | 77 | - debian/patches/ubuntu/CVE-2020-15863.patch: check bounds in | ||
83 | 78 | hw/net/xgmac.c. | ||
84 | 79 | - CVE-2020-15863 | ||
85 | 80 | * SECURITY UPDATE: reachable assertion failure | ||
86 | 81 | - debian/patches/ubuntu/CVE-2020-16092.patch: fix assertion failure in | ||
87 | 82 | hw/net/net_tx_pkt.c. | ||
88 | 83 | - CVE-2020-16092 | ||
89 | 84 | |||
90 | 85 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 11 Aug 2020 12:30:06 -0400 | ||
91 | 86 | |||
92 | 1 | qemu (1:4.2-3ubuntu6.3) focal; urgency=medium | 87 | qemu (1:4.2-3ubuntu6.3) focal; urgency=medium |
93 | 2 | 88 | ||
94 | 3 | * debian/patches/ubuntu/lp-1878973-*: fix assert in qemu-guest-agent that | 89 | * debian/patches/ubuntu/lp-1878973-*: fix assert in qemu-guest-agent that |
95 | diff --git a/debian/patches/series b/debian/patches/series | |||
96 | index dd6cb95..b9c1506 100644 | |||
97 | --- a/debian/patches/series | |||
98 | +++ b/debian/patches/series | |||
99 | @@ -39,7 +39,6 @@ stable/lp-1867519-target-arm-Set-ISSIs16Bit-in-make_issinfo.patch | |||
100 | 39 | stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch | 39 | stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch |
101 | 40 | stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch | 40 | stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch |
102 | 41 | stable/lp-1867519-block-backup-top-fix-failure-path.patch | 41 | stable/lp-1867519-block-backup-top-fix-failure-path.patch |
103 | 42 | stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch | ||
104 | 43 | stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch | 42 | stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch |
105 | 44 | stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch | 43 | stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch |
106 | 45 | stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch | 44 | stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch |
107 | @@ -93,3 +92,134 @@ ubuntu/lp-1872945-target-openrisc-Fix-FPCSR-mask-to-allow-setting-DZF.patch | |||
108 | 93 | ubuntu/CVE-2020-11869.patch | 92 | ubuntu/CVE-2020-11869.patch |
109 | 94 | ubuntu/lp-1878973-fix-assert-regression.patch | 93 | ubuntu/lp-1878973-fix-assert-regression.patch |
110 | 95 | lp-1882774-target-i386-do-not-set-unsupported-VMX-secondary-exe.patch | 94 | lp-1882774-target-i386-do-not-set-unsupported-VMX-secondary-exe.patch |
111 | 95 | ubuntu/CVE-2020-10761.patch | ||
112 | 96 | ubuntu/CVE-2020-12829-pre1.patch | ||
113 | 97 | ubuntu/CVE-2020-12829-pre2.patch | ||
114 | 98 | ubuntu/CVE-2020-12829-pre3.patch | ||
115 | 99 | ubuntu/CVE-2020-12829-pre4.patch | ||
116 | 100 | ubuntu/CVE-2020-12829.patch | ||
117 | 101 | ubuntu/CVE-2020-12829-2.patch | ||
118 | 102 | ubuntu/CVE-2020-12829-3.patch | ||
119 | 103 | ubuntu/CVE-2020-12829-4.patch | ||
120 | 104 | ubuntu/CVE-2020-12829-5.patch | ||
121 | 105 | ubuntu/CVE-2020-12829-6.patch | ||
122 | 106 | ubuntu/CVE-2020-12829-7.patch | ||
123 | 107 | ubuntu/CVE-2020-13253.patch | ||
124 | 108 | ubuntu/CVE-2020-13361.patch | ||
125 | 109 | ubuntu/CVE-2020-13362-1.patch | ||
126 | 110 | ubuntu/CVE-2020-13362-2.patch | ||
127 | 111 | ubuntu/CVE-2020-13362-3.patch | ||
128 | 112 | ubuntu/CVE-2020-13659.patch | ||
129 | 113 | ubuntu/CVE-2020-13754-1.patch | ||
130 | 114 | ubuntu/CVE-2020-13754-2.patch | ||
131 | 115 | ubuntu/CVE-2020-13800.patch | ||
132 | 116 | ubuntu/CVE-2020-14415.patch | ||
133 | 117 | ubuntu/CVE-2020-15863.patch | ||
134 | 118 | ubuntu/CVE-2020-16092.patch | ||
135 | 119 | stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch | ||
136 | 120 | stable/lp-1891877-qapi-better-document-NVMe-blockdev-device-parameter.patch | ||
137 | 121 | stable/lp-1891877-numa-remove-not-needed-check.patch | ||
138 | 122 | stable/lp-1891877-numa-properly-check-if-numa-is-supported.patch | ||
139 | 123 | stable/lp-1891877-tests-ide-test-Create-a-single-unit-test-covering-mo.patch | ||
140 | 124 | stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch | ||
141 | 125 | stable/lp-1891877-virtio-add-ability-to-delete-vq-through-a-pointer.patch | ||
142 | 126 | stable/lp-1891877-virtio-make-virtio_delete_queue-idempotent.patch | ||
143 | 127 | stable/lp-1891877-virtio-reset-region-cache-when-on-queue-deletion.patch | ||
144 | 128 | stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch | ||
145 | 129 | stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch | ||
146 | 130 | stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch | ||
147 | 131 | stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch | ||
148 | 132 | stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch | ||
149 | 133 | stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch | ||
150 | 134 | stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch | ||
151 | 135 | stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch | ||
152 | 136 | stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch | ||
153 | 137 | stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch | ||
154 | 138 | stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch | ||
155 | 139 | stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch | ||
156 | 140 | stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch | ||
157 | 141 | stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch | ||
158 | 142 | stable/lp-1891877-qcow2-update_refcount-Reset-old_table_index-after-qc.patch | ||
159 | 143 | stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch | ||
160 | 144 | stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch | ||
161 | 145 | stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch | ||
162 | 146 | stable/lp-1891877-scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch | ||
163 | 147 | stable/lp-1891877-target-ppc-Fix-rlwinm-on-ppc64.patch | ||
164 | 148 | stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch | ||
165 | 149 | stable/lp-1891877-qga-Installer-Wait-for-installation-to-finish.patch | ||
166 | 150 | stable/lp-1891877-qga-win-Handle-VSS_E_PROVIDER_ALREADY_REGISTERED-err.patch | ||
167 | 151 | stable/lp-1891877-qga-win-prevent-crash-when-executing-guest-file-read.patch | ||
168 | 152 | stable/lp-1891877-qga-Fix-undefined-C-behavior.patch | ||
169 | 153 | stable/lp-1891877-qemu-ga-document-vsock-listen-in-the-man-page.patch | ||
170 | 154 | stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch | ||
171 | 155 | stable/lp-1891877-tcg-i386-Fix-INDEX_op_dup2_vec.patch | ||
172 | 156 | stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch | ||
173 | 157 | stable/lp-1891877-xen-block-Fix-double-qlist-remove-and-request-leak.patch | ||
174 | 158 | stable/lp-1891877-vhost-user-gpu-Release-memory-returned-by-vu_queue_p.patch | ||
175 | 159 | stable/lp-1891877-target-ppc-Fix-mtmsr-d-L-1-variant-that-loses-interr.patch | ||
176 | 160 | stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch | ||
177 | 161 | stable/lp-1891877-target-arm-Clear-tail-in-gvec_fmul_idx_-gvec_fmla_id.patch | ||
178 | 162 | stable/lp-1891877-qemu-nbd-Close-inherited-stderr.patch | ||
179 | 163 | stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch | ||
180 | 164 | stable/lp-1891877-net-Do-not-include-a-newline-in-the-id-of-nic-device.patch | ||
181 | 165 | stable/lp-1891877-virtio-balloon-fix-free-page-hinting-without-an-ioth.patch | ||
182 | 166 | stable/lp-1891877-virtio-balloon-fix-free-page-hinting-check-on-unreal.patch | ||
183 | 167 | stable/lp-1891877-virtio-balloon-unref-the-iothread-when-unrealizing.patch | ||
184 | 168 | stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch | ||
185 | 169 | stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch | ||
186 | 170 | stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch | ||
187 | 171 | stable/lp-1891877-virtio-9p-device-fix-memleak-in-virtio_9p_device_unr.patch | ||
188 | 172 | stable/lp-1891877-9p-proxy-Fix-export_flags.patch | ||
189 | 173 | stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch | ||
190 | 174 | stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch | ||
191 | 175 | stable/lp-1891877-xen-9pfs-yield-when-there-isn-t-enough-room-on-the-r.patch | ||
192 | 176 | stable/lp-1891877-tests-fix-modules-test-duplicate-test-case-error.patch | ||
193 | 177 | stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch | ||
194 | 178 | stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch | ||
195 | 179 | stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch | ||
196 | 180 | stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch | ||
197 | 181 | stable/lp-1891877-display-bochs-display-fix-memory-leak.patch | ||
198 | 182 | stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch | ||
199 | 183 | stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch | ||
200 | 184 | stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch | ||
201 | 185 | stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch | ||
202 | 186 | stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch | ||
203 | 187 | stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch | ||
204 | 188 | stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch | ||
205 | 189 | stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch | ||
206 | 190 | stable/lp-1891877-migration-test-ppc64-fix-FORTH-test-program.patch | ||
207 | 191 | stable/lp-1891877-runstate-ignore-finishmigrate-prelaunch-transition.patch | ||
208 | 192 | stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch | ||
209 | 193 | stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch | ||
210 | 194 | stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch | ||
211 | 195 | stable/lp-1891877-s390x-adapter-routes-error-handling.patch | ||
212 | 196 | stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch | ||
213 | 197 | stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch | ||
214 | 198 | stable/lp-1891877-target-arm-fix-TCG-leak-for-fcvt-half-double.patch | ||
215 | 199 | stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch | ||
216 | 200 | stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch | ||
217 | 201 | stable/lp-1891877-target-arm-monitor-query-cpu-model-expansion-crashed.patch | ||
218 | 202 | stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch | ||
219 | 203 | stable/lp-1891877-target-arm-Correct-definition-of-PMCRDP.patch | ||
220 | 204 | stable/lp-1891877-virtio-pmem-do-delete-rq_vq-in-virtio_pmem_unrealize.patch | ||
221 | 205 | stable/lp-1891877-virtio-crypto-do-delete-ctrl_vq-in-virtio_crypto_dev.patch | ||
222 | 206 | stable/lp-1891877-vhost-user-blk-delete-virtioqueues-in-unrealize-to-f.patch | ||
223 | 207 | stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch | ||
224 | 208 | stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch | ||
225 | 209 | stable/lp-1891877-ppc-ppc405_boards-Remove-unnecessary-NULL-check.patch | ||
226 | 210 | stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch | ||
227 | 211 | stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch | ||
228 | 212 | stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch | ||
229 | 213 | stable/lp-1891877-migration-colo-fix-use-after-free-of-local_err.patch | ||
230 | 214 | stable/lp-1891877-migration-ram-fix-use-after-free-of-local_err.patch | ||
231 | 215 | stable/lp-1891877-qcow2-List-autoclear-bit-names-in-header.patch | ||
232 | 216 | stable/lp-1891877-sheepdog-Consistently-set-bdrv_has_zero_init_truncat.patch | ||
233 | 217 | stable/lp-1891877-spapr-Fix-failure-path-for-attempting-to-hot-unplug-.patch | ||
234 | 218 | stable/lp-1891877-vpc-Don-t-round-up-already-aligned-BAT-sizes.patch | ||
235 | 219 | stable/lp-1891877-target-xtensa-fix-pasto-in-pfwait.r-opcode-name.patch | ||
236 | 220 | stable/lp-1891877-tcg-mips-mips-sync-encode-error.patch | ||
237 | 221 | stable/lp-1891877-Fix-tulip-breakage.patch | ||
238 | 222 | stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch | ||
239 | 223 | stable/lp-1891877-Update-version-for-4.2.1-release.patch | ||
240 | 224 | ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch | ||
241 | 225 | ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch | ||
242 | diff --git a/debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch b/debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch | |||
243 | 96 | new file mode 100644 | 226 | new file mode 100644 |
244 | index 0000000..f32c223 | |||
245 | --- /dev/null | |||
246 | +++ b/debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch | |||
247 | @@ -0,0 +1,74 @@ | |||
248 | 1 | From dad6d5e7e613e51b2584c447378a044ccc2fdc81 Mon Sep 17 00:00:00 2001 | ||
249 | 2 | From: Greg Kurz <groug@kaod.org> | ||
250 | 3 | Date: Mon, 25 May 2020 10:38:03 +0200 | ||
251 | 4 | Subject: [PATCH] 9p: Lock directory streams with a CoMutex | ||
252 | 5 | |||
253 | 6 | Locking was introduced in QEMU 2.7 to address the deprecation of | ||
254 | 7 | readdir_r(3) in glibc 2.24. It turns out that the frontend code is | ||
255 | 8 | the worst place to handle a critical section with a pthread mutex: | ||
256 | 9 | the code runs in a coroutine on behalf of the QEMU mainloop and then | ||
257 | 10 | yields control, waiting for the fsdev backend to process the request | ||
258 | 11 | in a worker thread. If the client resends another readdir request for | ||
259 | 12 | the same fid before the previous one finally unlocked the mutex, we're | ||
260 | 13 | deadlocked. | ||
261 | 14 | |||
262 | 15 | This never bit us because the linux client serializes readdir requests | ||
263 | 16 | for the same fid, but it is quite easy to demonstrate with a custom | ||
264 | 17 | client. | ||
265 | 18 | |||
266 | 19 | A good solution could be to narrow the critical section in the worker | ||
267 | 20 | thread code and to return a copy of the dirent to the frontend, but | ||
268 | 21 | this causes quite some changes in both 9p.c and codir.c. So, instead | ||
269 | 22 | of that, in order for people to easily backport the fix to older QEMU | ||
270 | 23 | versions, let's simply use a CoMutex since all the users for this | ||
271 | 24 | sit in coroutines. | ||
272 | 25 | |||
273 | 26 | Fixes: 7cde47d4a89d ("9p: add locking to V9fsDir") | ||
274 | 27 | Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com> | ||
275 | 28 | Message-Id: <158981894794.109297.3530035833368944254.stgit@bahia.lan> | ||
276 | 29 | Signed-off-by: Greg Kurz <groug@kaod.org> | ||
277 | 30 | (cherry picked from commit ed463454efd0ac3042ff772bfe1b1d846dc281a5) | ||
278 | 31 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
279 | 32 | |||
280 | 33 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=dad6d5e7e6 | ||
281 | 34 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
282 | 35 | Last-Update: 2020-08-19 | ||
283 | 36 | |||
284 | 37 | --- | ||
285 | 38 | hw/9pfs/9p.h | 8 ++++---- | ||
286 | 39 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
287 | 40 | |||
288 | 41 | diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h | ||
289 | 42 | index 3904f82901..069c86333f 100644 | ||
290 | 43 | --- a/hw/9pfs/9p.h | ||
291 | 44 | +++ b/hw/9pfs/9p.h | ||
292 | 45 | @@ -186,22 +186,22 @@ typedef struct V9fsXattr | ||
293 | 46 | |||
294 | 47 | typedef struct V9fsDir { | ||
295 | 48 | DIR *stream; | ||
296 | 49 | - QemuMutex readdir_mutex; | ||
297 | 50 | + CoMutex readdir_mutex; | ||
298 | 51 | } V9fsDir; | ||
299 | 52 | |||
300 | 53 | static inline void v9fs_readdir_lock(V9fsDir *dir) | ||
301 | 54 | { | ||
302 | 55 | - qemu_mutex_lock(&dir->readdir_mutex); | ||
303 | 56 | + qemu_co_mutex_lock(&dir->readdir_mutex); | ||
304 | 57 | } | ||
305 | 58 | |||
306 | 59 | static inline void v9fs_readdir_unlock(V9fsDir *dir) | ||
307 | 60 | { | ||
308 | 61 | - qemu_mutex_unlock(&dir->readdir_mutex); | ||
309 | 62 | + qemu_co_mutex_unlock(&dir->readdir_mutex); | ||
310 | 63 | } | ||
311 | 64 | |||
312 | 65 | static inline void v9fs_readdir_init(V9fsDir *dir) | ||
313 | 66 | { | ||
314 | 67 | - qemu_mutex_init(&dir->readdir_mutex); | ||
315 | 68 | + qemu_co_mutex_init(&dir->readdir_mutex); | ||
316 | 69 | } | ||
317 | 70 | |||
318 | 71 | /* | ||
319 | 72 | -- | ||
320 | 73 | 2.28.0 | ||
321 | 74 | |||
322 | diff --git a/debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch b/debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch | |||
323 | 0 | new file mode 100644 | 75 | new file mode 100644 |
324 | index 0000000..f2efe0b | |||
325 | --- /dev/null | |||
326 | +++ b/debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch | |||
327 | @@ -0,0 +1,91 @@ | |||
328 | 1 | From 03afe9c035884c5901258967cf906de64eff25de Mon Sep 17 00:00:00 2001 | ||
329 | 2 | From: Daniel Henrique Barboza <danielhb413@gmail.com> | ||
330 | 3 | Date: Mon, 20 Jan 2020 15:11:39 +0100 | ||
331 | 4 | Subject: [PATCH] 9p: local: always return -1 on error in local_unlinkat_common | ||
332 | 5 | |||
333 | 6 | local_unlinkat_common() is supposed to always return -1 on error. | ||
334 | 7 | This is being done by jumps to the 'err_out' label, which is | ||
335 | 8 | a 'return ret' call, and 'ret' is initialized with -1. | ||
336 | 9 | |||
337 | 10 | Unfortunately there is a condition in which the function will | ||
338 | 11 | return 0 on error: in a case where flags == AT_REMOVEDIR, 'ret' | ||
339 | 12 | will be 0 when reaching | ||
340 | 13 | |||
341 | 14 | map_dirfd = openat_dir(...) | ||
342 | 15 | |||
343 | 16 | And, if map_dirfd == -1 and errno != ENOENT, the existing 'err_out' | ||
344 | 17 | jump will execute 'return ret', when ret is still set to zero | ||
345 | 18 | at that point. | ||
346 | 19 | |||
347 | 20 | This patch fixes it by changing all 'err_out' labels by | ||
348 | 21 | 'return -1' calls, ensuring that the function will always | ||
349 | 22 | return -1 on error conditions. 'ret' can be left unintialized | ||
350 | 23 | since it's now being used just to store the result of 'unlinkat' | ||
351 | 24 | calls. | ||
352 | 25 | |||
353 | 26 | CC: Greg Kurz <groug@kaod.org> | ||
354 | 27 | Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com> | ||
355 | 28 | [groug: changed prefix in title to be "9p: local:"] | ||
356 | 29 | Signed-off-by: Greg Kurz <groug@kaod.org> | ||
357 | 30 | (cherry picked from commit 846cf408a4c8055063f4a5a71ccf7ed030cdad30) | ||
358 | 31 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
359 | 32 | |||
360 | 33 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=03afe9c035 | ||
361 | 34 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
362 | 35 | Last-Update: 2020-08-19 | ||
363 | 36 | |||
364 | 37 | --- | ||
365 | 38 | hw/9pfs/9p-local.c | 14 ++++++-------- | ||
366 | 39 | 1 file changed, 6 insertions(+), 8 deletions(-) | ||
367 | 40 | |||
368 | 41 | diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c | ||
369 | 42 | index 491b08aee8..b3b826b01f 100644 | ||
370 | 43 | --- a/hw/9pfs/9p-local.c | ||
371 | 44 | +++ b/hw/9pfs/9p-local.c | ||
372 | 45 | @@ -1076,7 +1076,7 @@ out: | ||
373 | 46 | static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name, | ||
374 | 47 | int flags) | ||
375 | 48 | { | ||
376 | 49 | - int ret = -1; | ||
377 | 50 | + int ret; | ||
378 | 51 | |||
379 | 52 | if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { | ||
380 | 53 | int map_dirfd; | ||
381 | 54 | @@ -1094,12 +1094,12 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name, | ||
382 | 55 | |||
383 | 56 | fd = openat_dir(dirfd, name); | ||
384 | 57 | if (fd == -1) { | ||
385 | 58 | - goto err_out; | ||
386 | 59 | + return -1; | ||
387 | 60 | } | ||
388 | 61 | ret = unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR); | ||
389 | 62 | close_preserve_errno(fd); | ||
390 | 63 | if (ret < 0 && errno != ENOENT) { | ||
391 | 64 | - goto err_out; | ||
392 | 65 | + return -1; | ||
393 | 66 | } | ||
394 | 67 | } | ||
395 | 68 | map_dirfd = openat_dir(dirfd, VIRTFS_META_DIR); | ||
396 | 69 | @@ -1107,16 +1107,14 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name, | ||
397 | 70 | ret = unlinkat(map_dirfd, name, 0); | ||
398 | 71 | close_preserve_errno(map_dirfd); | ||
399 | 72 | if (ret < 0 && errno != ENOENT) { | ||
400 | 73 | - goto err_out; | ||
401 | 74 | + return -1; | ||
402 | 75 | } | ||
403 | 76 | } else if (errno != ENOENT) { | ||
404 | 77 | - goto err_out; | ||
405 | 78 | + return -1; | ||
406 | 79 | } | ||
407 | 80 | } | ||
408 | 81 | |||
409 | 82 | - ret = unlinkat(dirfd, name, flags); | ||
410 | 83 | -err_out: | ||
411 | 84 | - return ret; | ||
412 | 85 | + return unlinkat(dirfd, name, flags); | ||
413 | 86 | } | ||
414 | 87 | |||
415 | 88 | static int local_remove(FsContext *ctx, const char *path) | ||
416 | 89 | -- | ||
417 | 90 | 2.28.0 | ||
418 | 91 | |||
419 | diff --git a/debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch b/debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch | |||
420 | 0 | new file mode 100644 | 92 | new file mode 100644 |
421 | index 0000000..8784844 | |||
422 | --- /dev/null | |||
423 | +++ b/debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch | |||
424 | @@ -0,0 +1,49 @@ | |||
425 | 1 | From 410252fc5b2aaef65b793edd37289284c1a4eb91 Mon Sep 17 00:00:00 2001 | ||
426 | 2 | From: Greg Kurz <groug@kaod.org> | ||
427 | 3 | Date: Tue, 10 Mar 2020 16:12:49 +0100 | ||
428 | 4 | Subject: [PATCH] 9p/proxy: Fix export_flags | ||
429 | 5 | MIME-Version: 1.0 | ||
430 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
431 | 7 | Content-Transfer-Encoding: 8bit | ||
432 | 8 | |||
433 | 9 | The common fsdev options are set by qemu_fsdev_add() before it calls | ||
434 | 10 | the backend specific option parsing code. In the case of "proxy" this | ||
435 | 11 | means "writeout" or "readonly" were simply ignored. This has been | ||
436 | 12 | broken from the beginning. | ||
437 | 13 | |||
438 | 14 | Reported-by: Stéphane Graber <stgraber@ubuntu.com> | ||
439 | 15 | Signed-off-by: Greg Kurz <groug@kaod.org> | ||
440 | 16 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
441 | 17 | Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com> | ||
442 | 18 | Message-Id: <158349633705.1237488.8895481990204796135.stgit@bahia.lan> | ||
443 | 19 | (cherry picked from commit 659f1953281bcfa5ac217e42877d7d3c32eeea38) | ||
444 | 20 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
445 | 21 | |||
446 | 22 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=410252fc5b | ||
447 | 23 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
448 | 24 | Last-Update: 2020-08-19 | ||
449 | 25 | |||
450 | 26 | --- | ||
451 | 27 | hw/9pfs/9p-proxy.c | 4 ++-- | ||
452 | 28 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
453 | 29 | |||
454 | 30 | diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c | ||
455 | 31 | index 97ab9c58a5..3b885b96b5 100644 | ||
456 | 32 | --- a/hw/9pfs/9p-proxy.c | ||
457 | 33 | +++ b/hw/9pfs/9p-proxy.c | ||
458 | 34 | @@ -1139,10 +1139,10 @@ static int proxy_parse_opts(QemuOpts *opts, FsDriverEntry *fs, Error **errp) | ||
459 | 35 | } | ||
460 | 36 | if (socket) { | ||
461 | 37 | fs->path = g_strdup(socket); | ||
462 | 38 | - fs->export_flags = V9FS_PROXY_SOCK_NAME; | ||
463 | 39 | + fs->export_flags |= V9FS_PROXY_SOCK_NAME; | ||
464 | 40 | } else { | ||
465 | 41 | fs->path = g_strdup(sock_fd); | ||
466 | 42 | - fs->export_flags = V9FS_PROXY_SOCK_FD; | ||
467 | 43 | + fs->export_flags |= V9FS_PROXY_SOCK_FD; | ||
468 | 44 | } | ||
469 | 45 | return 0; | ||
470 | 46 | } | ||
471 | 47 | -- | ||
472 | 48 | 2.28.0 | ||
473 | 49 | |||
474 | diff --git a/debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch b/debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch | |||
475 | 0 | new file mode 100644 | 50 | new file mode 100644 |
476 | index 0000000..8f0bcb5 | |||
477 | --- /dev/null | |||
478 | +++ b/debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch | |||
479 | @@ -0,0 +1,43 @@ | |||
480 | 1 | From 0c6499ff2b1f9614195f31a24f1cf3888ce5d079 Mon Sep 17 00:00:00 2001 | ||
481 | 2 | From: Dan Robertson <dan@dlrobertson.com> | ||
482 | 3 | Date: Mon, 25 May 2020 10:38:03 +0200 | ||
483 | 4 | Subject: [PATCH] 9pfs: include linux/limits.h for XATTR_SIZE_MAX | ||
484 | 5 | MIME-Version: 1.0 | ||
485 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
486 | 7 | Content-Transfer-Encoding: 8bit | ||
487 | 8 | |||
488 | 9 | linux/limits.h should be included for the XATTR_SIZE_MAX definition used | ||
489 | 10 | by v9fs_xattrcreate. | ||
490 | 11 | |||
491 | 12 | Fixes: 3b79ef2cf488 ("9pfs: limit xattr size in xattrcreate") | ||
492 | 13 | Signed-off-by: Dan Robertson <dan@dlrobertson.com> | ||
493 | 14 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
494 | 15 | Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com> | ||
495 | 16 | Message-Id: <20200515203015.7090-2-dan@dlrobertson.com> | ||
496 | 17 | Signed-off-by: Greg Kurz <groug@kaod.org> | ||
497 | 18 | (cherry picked from commit 03556ea920b23c466ce7c1283199033de33ee671) | ||
498 | 19 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
499 | 20 | |||
500 | 21 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0c6499ff2b | ||
501 | 22 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
502 | 23 | Last-Update: 2020-08-19 | ||
503 | 24 | |||
504 | 25 | --- | ||
505 | 26 | hw/9pfs/9p.c | 1 + | ||
506 | 27 | 1 file changed, 1 insertion(+) | ||
507 | 28 | |||
508 | 29 | diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c | ||
509 | 30 | index 520177f40c..37e43d3f85 100644 | ||
510 | 31 | --- a/hw/9pfs/9p.c | ||
511 | 32 | +++ b/hw/9pfs/9p.c | ||
512 | 33 | @@ -28,6 +28,7 @@ | ||
513 | 34 | #include "sysemu/qtest.h" | ||
514 | 35 | #include "qemu/xxhash.h" | ||
515 | 36 | #include <math.h> | ||
516 | 37 | +#include <linux/limits.h> | ||
517 | 38 | |||
518 | 39 | int open_fd_hw; | ||
519 | 40 | int total_open_fd; | ||
520 | 41 | -- | ||
521 | 42 | 2.28.0 | ||
522 | 43 | |||
523 | diff --git a/debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch b/debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch | |||
524 | 0 | new file mode 100644 | 44 | new file mode 100644 |
525 | index 0000000..3e0996b | |||
526 | --- /dev/null | |||
527 | +++ b/debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch | |||
528 | @@ -0,0 +1,44 @@ | |||
529 | 1 | From 18f6b13e085fdb81f5385bffce35364ab8535303 Mon Sep 17 00:00:00 2001 | ||
530 | 2 | From: Jiajun Chen <chenjiajun8@huawei.com> | ||
531 | 3 | Date: Mon, 20 Jan 2020 15:11:39 +0100 | ||
532 | 4 | Subject: [PATCH] 9pfs: local: Fix possible memory leak in local_link() | ||
533 | 5 | MIME-Version: 1.0 | ||
534 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
535 | 7 | Content-Transfer-Encoding: 8bit | ||
536 | 8 | |||
537 | 9 | There is a possible memory leak while local_link return -1 without free | ||
538 | 10 | odirpath and oname. | ||
539 | 11 | |||
540 | 12 | Reported-by: Euler Robot <euler.robot@huawei.com> | ||
541 | 13 | Signed-off-by: Jaijun Chen <chenjiajun8@huawei.com> | ||
542 | 14 | Signed-off-by: Xiang Zheng <zhengxiang9@huawei.com> | ||
543 | 15 | Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com> | ||
544 | 16 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
545 | 17 | Signed-off-by: Greg Kurz <groug@kaod.org> | ||
546 | 18 | (cherry picked from commit 841b8d099c462cd4282c4ced8c2a6512899fd8d9) | ||
547 | 19 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
548 | 20 | |||
549 | 21 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=18f6b13e08 | ||
550 | 22 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
551 | 23 | Last-Update: 2020-08-19 | ||
552 | 24 | |||
553 | 25 | --- | ||
554 | 26 | hw/9pfs/9p-local.c | 2 +- | ||
555 | 27 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
556 | 28 | |||
557 | 29 | diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c | ||
558 | 30 | index 4708c0bd89..491b08aee8 100644 | ||
559 | 31 | --- a/hw/9pfs/9p-local.c | ||
560 | 32 | +++ b/hw/9pfs/9p-local.c | ||
561 | 33 | @@ -947,7 +947,7 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath, | ||
562 | 34 | if (ctx->export_flags & V9FS_SM_MAPPED_FILE && | ||
563 | 35 | local_is_mapped_file_metadata(ctx, name)) { | ||
564 | 36 | errno = EINVAL; | ||
565 | 37 | - return -1; | ||
566 | 38 | + goto out; | ||
567 | 39 | } | ||
568 | 40 | |||
569 | 41 | odirfd = local_opendir_nofollow(ctx, odirpath); | ||
570 | 42 | -- | ||
571 | 43 | 2.28.0 | ||
572 | 44 | |||
573 | diff --git a/debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch b/debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch | |||
574 | 0 | new file mode 100644 | 45 | new file mode 100644 |
575 | index 0000000..59acbb2 | |||
576 | --- /dev/null | |||
577 | +++ b/debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch | |||
578 | @@ -0,0 +1,67 @@ | |||
579 | 1 | From 17216bc04494825600b58ebb8a3a6fe0d8052125 Mon Sep 17 00:00:00 2001 | ||
580 | 2 | From: Omar Sandoval <osandov@fb.com> | ||
581 | 3 | Date: Thu, 14 May 2020 08:06:43 +0200 | ||
582 | 4 | Subject: [PATCH] 9pfs: local: ignore O_NOATIME if we don't have permissions | ||
583 | 5 | |||
584 | 6 | QEMU's local 9pfs server passes through O_NOATIME from the client. If | ||
585 | 7 | the QEMU process doesn't have permissions to use O_NOATIME (namely, it | ||
586 | 8 | does not own the file nor have the CAP_FOWNER capability), the open will | ||
587 | 9 | fail. This causes issues when from the client's point of view, it | ||
588 | 10 | believes it has permissions to use O_NOATIME (e.g., a process running as | ||
589 | 11 | root in the virtual machine). Additionally, overlayfs on Linux opens | ||
590 | 12 | files on the lower layer using O_NOATIME, so in this case a 9pfs mount | ||
591 | 13 | can't be used as a lower layer for overlayfs (cf. | ||
592 | 14 | https://github.com/osandov/drgn/blob/dabfe1971951701da13863dbe6d8a1d172ad9650/vmtest/onoatimehack.c | ||
593 | 15 | and https://github.com/NixOS/nixpkgs/issues/54509). | ||
594 | 16 | |||
595 | 17 | Luckily, O_NOATIME is effectively a hint, and is often ignored by, e.g., | ||
596 | 18 | network filesystems. open(2) notes that O_NOATIME "may not be effective | ||
597 | 19 | on all filesystems. One example is NFS, where the server maintains the | ||
598 | 20 | access time." This means that we can honor it when possible but fall | ||
599 | 21 | back to ignoring it. | ||
600 | 22 | |||
601 | 23 | Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com> | ||
602 | 24 | Signed-off-by: Omar Sandoval <osandov@fb.com> | ||
603 | 25 | Message-Id: <e9bee604e8df528584693a4ec474ded6295ce8ad.1587149256.git.osandov@fb.com> | ||
604 | 26 | Signed-off-by: Greg Kurz <groug@kaod.org> | ||
605 | 27 | (cherry picked from commit a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b) | ||
606 | 28 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
607 | 29 | |||
608 | 30 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=17216bc044 | ||
609 | 31 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
610 | 32 | Last-Update: 2020-08-19 | ||
611 | 33 | |||
612 | 34 | --- | ||
613 | 35 | hw/9pfs/9p-util.h | 13 +++++++++++++ | ||
614 | 36 | 1 file changed, 13 insertions(+) | ||
615 | 37 | |||
616 | 38 | diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h | ||
617 | 39 | index 79ed6b233e..546f46dc7d 100644 | ||
618 | 40 | --- a/hw/9pfs/9p-util.h | ||
619 | 41 | +++ b/hw/9pfs/9p-util.h | ||
620 | 42 | @@ -37,9 +37,22 @@ static inline int openat_file(int dirfd, const char *name, int flags, | ||
621 | 43 | { | ||
622 | 44 | int fd, serrno, ret; | ||
623 | 45 | |||
624 | 46 | +again: | ||
625 | 47 | fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK, | ||
626 | 48 | mode); | ||
627 | 49 | if (fd == -1) { | ||
628 | 50 | + if (errno == EPERM && (flags & O_NOATIME)) { | ||
629 | 51 | + /* | ||
630 | 52 | + * The client passed O_NOATIME but we lack permissions to honor it. | ||
631 | 53 | + * Rather than failing the open, fall back without O_NOATIME. This | ||
632 | 54 | + * doesn't break the semantics on the client side, as the Linux | ||
633 | 55 | + * open(2) man page notes that O_NOATIME "may not be effective on | ||
634 | 56 | + * all filesystems". In particular, NFS and other network | ||
635 | 57 | + * filesystems ignore it entirely. | ||
636 | 58 | + */ | ||
637 | 59 | + flags &= ~O_NOATIME; | ||
638 | 60 | + goto again; | ||
639 | 61 | + } | ||
640 | 62 | return -1; | ||
641 | 63 | } | ||
642 | 64 | |||
643 | 65 | -- | ||
644 | 66 | 2.28.0 | ||
645 | 67 | |||
646 | diff --git a/debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch b/debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch | |||
647 | 0 | new file mode 100644 | 68 | new file mode 100644 |
648 | index 0000000..c6c78e1 | |||
649 | --- /dev/null | |||
650 | +++ b/debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch | |||
651 | @@ -0,0 +1,41 @@ | |||
652 | 1 | From 45b65bf8dfb46a03ff67c36424986e2450c5203e Mon Sep 17 00:00:00 2001 | ||
653 | 2 | From: Robert Foley <robert.foley@linaro.org> | ||
654 | 3 | Date: Mon, 18 Nov 2019 16:15:23 -0500 | ||
655 | 4 | Subject: [PATCH] Fix double free issue in qemu_set_log_filename(). | ||
656 | 5 | MIME-Version: 1.0 | ||
657 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
658 | 7 | Content-Transfer-Encoding: 8bit | ||
659 | 8 | |||
660 | 9 | After freeing the logfilename, we set logfilename to NULL, in case of an | ||
661 | 10 | error which returns without setting logfilename. | ||
662 | 11 | |||
663 | 12 | Signed-off-by: Robert Foley <robert.foley@linaro.org> | ||
664 | 13 | Reviewed-by: Alex Bennée <alex.bennee@linaro.org> | ||
665 | 14 | Signed-off-by: Alex Bennée <alex.bennee@linaro.org> | ||
666 | 15 | Message-Id: <20191118211528.3221-2-robert.foley@linaro.org> | ||
667 | 16 | (cherry picked from commit 0f516ca4767042aec8716369d6d62436fa10593a) | ||
668 | 17 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
669 | 18 | |||
670 | 19 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=45b65bf8df | ||
671 | 20 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
672 | 21 | Last-Update: 2020-08-19 | ||
673 | 22 | |||
674 | 23 | --- | ||
675 | 24 | util/log.c | 1 + | ||
676 | 25 | 1 file changed, 1 insertion(+) | ||
677 | 26 | |||
678 | 27 | diff --git a/util/log.c b/util/log.c | ||
679 | 28 | index 1ca13059ee..4316fe74ee 100644 | ||
680 | 29 | --- a/util/log.c | ||
681 | 30 | +++ b/util/log.c | ||
682 | 31 | @@ -113,6 +113,7 @@ void qemu_set_log_filename(const char *filename, Error **errp) | ||
683 | 32 | { | ||
684 | 33 | char *pidstr; | ||
685 | 34 | g_free(logfilename); | ||
686 | 35 | + logfilename = NULL; | ||
687 | 36 | |||
688 | 37 | pidstr = strstr(filename, "%"); | ||
689 | 38 | if (pidstr) { | ||
690 | 39 | -- | ||
691 | 40 | 2.28.0 | ||
692 | 41 | |||
693 | diff --git a/debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch b/debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch | |||
694 | 0 | new file mode 100644 | 42 | new file mode 100644 |
695 | index 0000000..ed4a09c | |||
696 | --- /dev/null | |||
697 | +++ b/debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch | |||
698 | @@ -0,0 +1,65 @@ | |||
699 | 1 | From 0664ffac4be2673c1c962bb9d010dc964d080ee7 Mon Sep 17 00:00:00 2001 | ||
700 | 2 | From: Helge Deller <deller@gmx.de> | ||
701 | 3 | Date: Sun, 26 Apr 2020 12:55:39 +0200 | ||
702 | 4 | Subject: [PATCH] Fix tulip breakage | ||
703 | 5 | |||
704 | 6 | The tulip network driver in a qemu-system-hppa emulation is broken in | ||
705 | 7 | the sense that bigger network packages aren't received any longer and | ||
706 | 8 | thus even running e.g. "apt update" inside the VM fails. | ||
707 | 9 | |||
708 | 10 | The breakage was introduced by commit 8ffb7265af ("check frame size and | ||
709 | 11 | r/w data length") which added checks to prevent accesses outside of the | ||
710 | 12 | rx/tx buffers. | ||
711 | 13 | |||
712 | 14 | But the new checks were implemented wrong. The variable rx_frame_len | ||
713 | 15 | counts backwards, from rx_frame_size down to zero, and the variable len | ||
714 | 16 | is never bigger than rx_frame_len, so accesses just can't happen and the | ||
715 | 17 | checks are unnecessary. | ||
716 | 18 | On the contrary the checks now prevented bigger packages to be moved | ||
717 | 19 | into the rx buffers. | ||
718 | 20 | |||
719 | 21 | This patch reverts the wrong checks and were sucessfully tested with a | ||
720 | 22 | qemu-system-hppa emulation. | ||
721 | 23 | |||
722 | 24 | Fixes: 8ffb7265af ("check frame size and r/w data length") | ||
723 | 25 | Buglink: https://bugs.launchpad.net/bugs/1874539 | ||
724 | 26 | Signed-off-by: Helge Deller <deller@gmx.de> | ||
725 | 27 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
726 | 28 | (cherry picked from commit d9b69640391618045949f7c500b87fc129f862ed) | ||
727 | 29 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
728 | 30 | |||
729 | 31 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0664ffac4b | ||
730 | 32 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
731 | 33 | Last-Update: 2020-08-19 | ||
732 | 34 | |||
733 | 35 | --- | ||
734 | 36 | hw/net/tulip.c | 6 ------ | ||
735 | 37 | 1 file changed, 6 deletions(-) | ||
736 | 38 | |||
737 | 39 | diff --git a/hw/net/tulip.c b/hw/net/tulip.c | ||
738 | 40 | index 1167c1bb07..c6654a98a9 100644 | ||
739 | 41 | --- a/hw/net/tulip.c | ||
740 | 42 | +++ b/hw/net/tulip.c | ||
741 | 43 | @@ -171,9 +171,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) | ||
742 | 44 | len = s->rx_frame_len; | ||
743 | 45 | } | ||
744 | 46 | |||
745 | 47 | - if (s->rx_frame_len + len > sizeof(s->rx_frame)) { | ||
746 | 48 | - return; | ||
747 | 49 | - } | ||
748 | 50 | pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame + | ||
749 | 51 | (s->rx_frame_size - s->rx_frame_len), len); | ||
750 | 52 | s->rx_frame_len -= len; | ||
751 | 53 | @@ -186,9 +183,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) | ||
752 | 54 | len = s->rx_frame_len; | ||
753 | 55 | } | ||
754 | 56 | |||
755 | 57 | - if (s->rx_frame_len + len > sizeof(s->rx_frame)) { | ||
756 | 58 | - return; | ||
757 | 59 | - } | ||
758 | 60 | pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame + | ||
759 | 61 | (s->rx_frame_size - s->rx_frame_len), len); | ||
760 | 62 | s->rx_frame_len -= len; | ||
761 | 63 | -- | ||
762 | 64 | 2.28.0 | ||
763 | 65 | |||
764 | diff --git a/debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch b/debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch | |||
765 | 0 | new file mode 100644 | 66 | new file mode 100644 |
766 | index 0000000..a667e04 | |||
767 | --- /dev/null | |||
768 | +++ b/debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch | |||
769 | @@ -0,0 +1,43 @@ | |||
770 | 1 | From aea7a50fb5e38ccfda741848286a548b72877dfa Mon Sep 17 00:00:00 2001 | ||
771 | 2 | From: Han Han <hhan@redhat.com> | ||
772 | 3 | Date: Thu, 5 Dec 2019 10:48:21 +0800 | ||
773 | 4 | Subject: [PATCH] Revert "qemu-options.hx: Update for reboot-timeout parameter" | ||
774 | 5 | |||
775 | 6 | This reverts commit bbd9e6985ff342cbe15b9cb7eb30e842796fbbe8. | ||
776 | 7 | |||
777 | 8 | In 20a1922032 we allowed reboot-timeout=-1 again, so update the doc | ||
778 | 9 | accordingly. | ||
779 | 10 | |||
780 | 11 | Signed-off-by: Han Han <hhan@redhat.com> | ||
781 | 12 | Reviewed-by: Markus Armbruster <armbru@redhat.com> | ||
782 | 13 | Message-Id: <20191205024821.245435-1-hhan@redhat.com> | ||
783 | 14 | Signed-off-by: Laurent Vivier <laurent@vivier.eu> | ||
784 | 15 | (cherry picked from commit 8937a39da22e5d5689c516a2d4ce4f2bb6a378fc) | ||
785 | 16 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
786 | 17 | |||
787 | 18 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=aea7a50fb5 | ||
788 | 19 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
789 | 20 | Last-Update: 2020-08-19 | ||
790 | 21 | |||
791 | 22 | --- | ||
792 | 23 | qemu-options.hx | 4 ++-- | ||
793 | 24 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
794 | 25 | |||
795 | 26 | diff --git a/qemu-options.hx b/qemu-options.hx | ||
796 | 27 | index 65c9473b73..e14d88e9b2 100644 | ||
797 | 28 | --- a/qemu-options.hx | ||
798 | 29 | +++ b/qemu-options.hx | ||
799 | 30 | @@ -327,8 +327,8 @@ format(true color). The resolution should be supported by the SVGA mode, so | ||
800 | 31 | the recommended is 320x240, 640x480, 800x640. | ||
801 | 32 | |||
802 | 33 | A timeout could be passed to bios, guest will pause for @var{rb_timeout} ms | ||
803 | 34 | -when boot failed, then reboot. If @option{reboot-timeout} is not set, | ||
804 | 35 | -guest will not reboot by default. Currently Seabios for X86 | ||
805 | 36 | +when boot failed, then reboot. If @var{rb_timeout} is '-1', guest will not | ||
806 | 37 | +reboot, qemu passes '-1' to bios by default. Currently Seabios for X86 | ||
807 | 38 | system support it. | ||
808 | 39 | |||
809 | 40 | Do strict boot via @option{strict=on} as far as firmware/BIOS | ||
810 | 41 | -- | ||
811 | 42 | 2.28.0 | ||
812 | 43 | |||
813 | diff --git a/debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch b/debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch | |||
814 | 0 | new file mode 100644 | 44 | new file mode 100644 |
815 | index 0000000..8319291 | |||
816 | --- /dev/null | |||
817 | +++ b/debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch | |||
818 | @@ -0,0 +1,77 @@ | |||
819 | 1 | From b5ba361d8f8908ab37a104b0110910926d94d57f Mon Sep 17 00:00:00 2001 | ||
820 | 2 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
821 | 3 | Date: Tue, 21 Jan 2020 07:02:10 +0100 | ||
822 | 4 | Subject: [PATCH] Revert "vnc: allow fall back to RAW encoding" | ||
823 | 5 | |||
824 | 6 | This reverts commit de3f7de7f4e257ce44cdabb90f5f17ee99624557. | ||
825 | 7 | |||
826 | 8 | Remove VNC optimization to reencode framebuffer update as raw if it's | ||
827 | 9 | smaller than the default encoding. | ||
828 | 10 | |||
829 | 11 | QEMU's implementation was naive and didn't account for the ZLIB z_stream | ||
830 | 12 | mutating with each compression. Because of the mutation, simply | ||
831 | 13 | resetting the output buffer's offset wasn't sufficient to "rewind" the | ||
832 | 14 | operation. The mutated z_stream would generate future zlib blocks which | ||
833 | 15 | referred to symbols in past blocks which weren't sent. This would lead | ||
834 | 16 | to artifacting. | ||
835 | 17 | |||
836 | 18 | Considering that ZRLE is never larger than raw and even though ZLIB can | ||
837 | 19 | occasionally be fractionally larger than raw, the overhead of | ||
838 | 20 | implementing this optimization correctly isn't worth it. | ||
839 | 21 | |||
840 | 22 | Signed-off-by: Cameron Esfahani <dirty@apple.com> | ||
841 | 23 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
842 | 24 | (cherry picked from commit 0780ec7be82dd4781e9fd216b5d99a125882ff5a) | ||
843 | 25 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
844 | 26 | |||
845 | 27 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=b5ba361d8f | ||
846 | 28 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
847 | 29 | Last-Update: 2020-08-19 | ||
848 | 30 | |||
849 | 31 | --- | ||
850 | 32 | ui/vnc.c | 20 ++------------------ | ||
851 | 33 | 1 file changed, 2 insertions(+), 18 deletions(-) | ||
852 | 34 | |||
853 | 35 | diff --git a/ui/vnc.c b/ui/vnc.c | ||
854 | 36 | index 87b8045afe..f94b3a257e 100644 | ||
855 | 37 | --- a/ui/vnc.c | ||
856 | 38 | +++ b/ui/vnc.c | ||
857 | 39 | @@ -898,8 +898,6 @@ int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h) | ||
858 | 40 | int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h) | ||
859 | 41 | { | ||
860 | 42 | int n = 0; | ||
861 | 43 | - bool encode_raw = false; | ||
862 | 44 | - size_t saved_offs = vs->output.offset; | ||
863 | 45 | |||
864 | 46 | switch(vs->vnc_encoding) { | ||
865 | 47 | case VNC_ENCODING_ZLIB: | ||
866 | 48 | @@ -922,24 +920,10 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h) | ||
867 | 49 | n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h); | ||
868 | 50 | break; | ||
869 | 51 | default: | ||
870 | 52 | - encode_raw = true; | ||
871 | 53 | + vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW); | ||
872 | 54 | + n = vnc_raw_send_framebuffer_update(vs, x, y, w, h); | ||
873 | 55 | break; | ||
874 | 56 | } | ||
875 | 57 | - | ||
876 | 58 | - /* If the client has the same pixel format as our internal buffer and | ||
877 | 59 | - * a RAW encoding would need less space fall back to RAW encoding to | ||
878 | 60 | - * save bandwidth and processing power in the client. */ | ||
879 | 61 | - if (!encode_raw && vs->write_pixels == vnc_write_pixels_copy && | ||
880 | 62 | - 12 + h * w * VNC_SERVER_FB_BYTES <= (vs->output.offset - saved_offs)) { | ||
881 | 63 | - vs->output.offset = saved_offs; | ||
882 | 64 | - encode_raw = true; | ||
883 | 65 | - } | ||
884 | 66 | - | ||
885 | 67 | - if (encode_raw) { | ||
886 | 68 | - vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW); | ||
887 | 69 | - n = vnc_raw_send_framebuffer_update(vs, x, y, w, h); | ||
888 | 70 | - } | ||
889 | 71 | - | ||
890 | 72 | return n; | ||
891 | 73 | } | ||
892 | 74 | |||
893 | 75 | -- | ||
894 | 76 | 2.28.0 | ||
895 | 77 | |||
896 | diff --git a/debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch b/debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch | |||
897 | 0 | new file mode 100644 | 78 | new file mode 100644 |
898 | index 0000000..15a9277 | |||
899 | --- /dev/null | |||
900 | +++ b/debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch | |||
901 | @@ -0,0 +1,24 @@ | |||
902 | 1 | From 6cdf8c4efa073eac7d5f9894329e2d07743c2955 Mon Sep 17 00:00:00 2001 | ||
903 | 2 | From: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
904 | 3 | Date: Thu, 25 Jun 2020 13:08:54 -0500 | ||
905 | 4 | Subject: [PATCH] Update version for 4.2.1 release | ||
906 | 5 | |||
907 | 6 | |||
908 | 7 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=6cdf8c4efa | ||
909 | 8 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
910 | 9 | Last-Update: 2020-08-19 | ||
911 | 10 | |||
912 | 11 | --- | ||
913 | 12 | VERSION | 2 +- | ||
914 | 13 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
915 | 14 | |||
916 | 15 | diff --git a/VERSION b/VERSION | ||
917 | 16 | index 6aba2b245a..fae6e3d04b 100644 | ||
918 | 17 | --- a/VERSION | ||
919 | 18 | +++ b/VERSION | ||
920 | 19 | @@ -1 +1 @@ | ||
921 | 20 | -4.2.0 | ||
922 | 21 | +4.2.1 | ||
923 | 22 | -- | ||
924 | 23 | 2.28.0 | ||
925 | 24 | |||
926 | diff --git a/debian/patches/stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch b/debian/patches/stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch | |||
927 | 0 | new file mode 100644 | 25 | new file mode 100644 |
928 | index 0000000..108b9bf | |||
929 | --- /dev/null | |||
930 | +++ b/debian/patches/stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch | |||
931 | @@ -0,0 +1,209 @@ | |||
932 | 1 | From 9a30621d3d5de76f865dc804a1dd16cc517461b6 Mon Sep 17 00:00:00 2001 | ||
933 | 2 | From: Max Reitz <mreitz@redhat.com> | ||
934 | 3 | Date: Fri, 8 Nov 2019 13:34:53 +0100 | ||
935 | 4 | Subject: [PATCH] blkdebug: Allow taking/unsharing permissions | ||
936 | 5 | |||
937 | 6 | Sometimes it is useful to be able to add a node to the block graph that | ||
938 | 7 | takes or unshare a certain set of permissions for debugging purposes. | ||
939 | 8 | This patch adds this capability to blkdebug. | ||
940 | 9 | |||
941 | 10 | (Note that you cannot make blkdebug release or share permissions that it | ||
942 | 11 | needs to take or cannot share, because this might result in assertion | ||
943 | 12 | failures in the block layer. But if the blkdebug node has no parents, | ||
944 | 13 | it will not take any permissions and share everything by default, so you | ||
945 | 14 | can then freely choose what permissions to take and share.) | ||
946 | 15 | |||
947 | 16 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
948 | 17 | Message-id: 20191108123455.39445-4-mreitz@redhat.com | ||
949 | 18 | Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | ||
950 | 19 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
951 | 20 | (cherry picked from commit 69c6449ff10fe4e3219e960549307096d5366bd0) | ||
952 | 21 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
953 | 22 | |||
954 | 23 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9a30621d3d | ||
955 | 24 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
956 | 25 | Last-Update: 2020-08-19 | ||
957 | 26 | |||
958 | 27 | --- | ||
959 | 28 | block/blkdebug.c | 93 +++++++++++++++++++++++++++++++++++++++++++- | ||
960 | 29 | qapi/block-core.json | 14 ++++++- | ||
961 | 30 | 2 files changed, 105 insertions(+), 2 deletions(-) | ||
962 | 31 | |||
963 | 32 | diff --git a/block/blkdebug.c b/block/blkdebug.c | ||
964 | 33 | index 5ae96c52b0..af44aa973f 100644 | ||
965 | 34 | --- a/block/blkdebug.c | ||
966 | 35 | +++ b/block/blkdebug.c | ||
967 | 36 | @@ -28,10 +28,14 @@ | ||
968 | 37 | #include "qemu/cutils.h" | ||
969 | 38 | #include "qemu/config-file.h" | ||
970 | 39 | #include "block/block_int.h" | ||
971 | 40 | +#include "block/qdict.h" | ||
972 | 41 | #include "qemu/module.h" | ||
973 | 42 | #include "qemu/option.h" | ||
974 | 43 | +#include "qapi/qapi-visit-block-core.h" | ||
975 | 44 | #include "qapi/qmp/qdict.h" | ||
976 | 45 | +#include "qapi/qmp/qlist.h" | ||
977 | 46 | #include "qapi/qmp/qstring.h" | ||
978 | 47 | +#include "qapi/qobject-input-visitor.h" | ||
979 | 48 | #include "sysemu/qtest.h" | ||
980 | 49 | |||
981 | 50 | typedef struct BDRVBlkdebugState { | ||
982 | 51 | @@ -44,6 +48,9 @@ typedef struct BDRVBlkdebugState { | ||
983 | 52 | uint64_t opt_discard; | ||
984 | 53 | uint64_t max_discard; | ||
985 | 54 | |||
986 | 55 | + uint64_t take_child_perms; | ||
987 | 56 | + uint64_t unshare_child_perms; | ||
988 | 57 | + | ||
989 | 58 | /* For blkdebug_refresh_filename() */ | ||
990 | 59 | char *config_file; | ||
991 | 60 | |||
992 | 61 | @@ -344,6 +351,69 @@ static void blkdebug_parse_filename(const char *filename, QDict *options, | ||
993 | 62 | qdict_put_str(options, "x-image", filename); | ||
994 | 63 | } | ||
995 | 64 | |||
996 | 65 | +static int blkdebug_parse_perm_list(uint64_t *dest, QDict *options, | ||
997 | 66 | + const char *prefix, Error **errp) | ||
998 | 67 | +{ | ||
999 | 68 | + int ret = 0; | ||
1000 | 69 | + QDict *subqdict = NULL; | ||
1001 | 70 | + QObject *crumpled_subqdict = NULL; | ||
1002 | 71 | + Visitor *v = NULL; | ||
1003 | 72 | + BlockPermissionList *perm_list = NULL, *element; | ||
1004 | 73 | + Error *local_err = NULL; | ||
1005 | 74 | + | ||
1006 | 75 | + *dest = 0; | ||
1007 | 76 | + | ||
1008 | 77 | + qdict_extract_subqdict(options, &subqdict, prefix); | ||
1009 | 78 | + if (!qdict_size(subqdict)) { | ||
1010 | 79 | + goto out; | ||
1011 | 80 | + } | ||
1012 | 81 | + | ||
1013 | 82 | + crumpled_subqdict = qdict_crumple(subqdict, errp); | ||
1014 | 83 | + if (!crumpled_subqdict) { | ||
1015 | 84 | + ret = -EINVAL; | ||
1016 | 85 | + goto out; | ||
1017 | 86 | + } | ||
1018 | 87 | + | ||
1019 | 88 | + v = qobject_input_visitor_new(crumpled_subqdict); | ||
1020 | 89 | + visit_type_BlockPermissionList(v, NULL, &perm_list, &local_err); | ||
1021 | 90 | + if (local_err) { | ||
1022 | 91 | + error_propagate(errp, local_err); | ||
1023 | 92 | + ret = -EINVAL; | ||
1024 | 93 | + goto out; | ||
1025 | 94 | + } | ||
1026 | 95 | + | ||
1027 | 96 | + for (element = perm_list; element; element = element->next) { | ||
1028 | 97 | + *dest |= bdrv_qapi_perm_to_blk_perm(element->value); | ||
1029 | 98 | + } | ||
1030 | 99 | + | ||
1031 | 100 | +out: | ||
1032 | 101 | + qapi_free_BlockPermissionList(perm_list); | ||
1033 | 102 | + visit_free(v); | ||
1034 | 103 | + qobject_unref(subqdict); | ||
1035 | 104 | + qobject_unref(crumpled_subqdict); | ||
1036 | 105 | + return ret; | ||
1037 | 106 | +} | ||
1038 | 107 | + | ||
1039 | 108 | +static int blkdebug_parse_perms(BDRVBlkdebugState *s, QDict *options, | ||
1040 | 109 | + Error **errp) | ||
1041 | 110 | +{ | ||
1042 | 111 | + int ret; | ||
1043 | 112 | + | ||
1044 | 113 | + ret = blkdebug_parse_perm_list(&s->take_child_perms, options, | ||
1045 | 114 | + "take-child-perms.", errp); | ||
1046 | 115 | + if (ret < 0) { | ||
1047 | 116 | + return ret; | ||
1048 | 117 | + } | ||
1049 | 118 | + | ||
1050 | 119 | + ret = blkdebug_parse_perm_list(&s->unshare_child_perms, options, | ||
1051 | 120 | + "unshare-child-perms.", errp); | ||
1052 | 121 | + if (ret < 0) { | ||
1053 | 122 | + return ret; | ||
1054 | 123 | + } | ||
1055 | 124 | + | ||
1056 | 125 | + return 0; | ||
1057 | 126 | +} | ||
1058 | 127 | + | ||
1059 | 128 | static QemuOptsList runtime_opts = { | ||
1060 | 129 | .name = "blkdebug", | ||
1061 | 130 | .head = QTAILQ_HEAD_INITIALIZER(runtime_opts.head), | ||
1062 | 131 | @@ -419,6 +489,12 @@ static int blkdebug_open(BlockDriverState *bs, QDict *options, int flags, | ||
1063 | 132 | /* Set initial state */ | ||
1064 | 133 | s->state = 1; | ||
1065 | 134 | |||
1066 | 135 | + /* Parse permissions modifiers before opening the image file */ | ||
1067 | 136 | + ret = blkdebug_parse_perms(s, options, errp); | ||
1068 | 137 | + if (ret < 0) { | ||
1069 | 138 | + goto out; | ||
1070 | 139 | + } | ||
1071 | 140 | + | ||
1072 | 141 | /* Open the image file */ | ||
1073 | 142 | bs->file = bdrv_open_child(qemu_opt_get(opts, "x-image"), options, "image", | ||
1074 | 143 | bs, &child_file, false, &local_err); | ||
1075 | 144 | @@ -916,6 +992,21 @@ static int blkdebug_reopen_prepare(BDRVReopenState *reopen_state, | ||
1076 | 145 | return 0; | ||
1077 | 146 | } | ||
1078 | 147 | |||
1079 | 148 | +static void blkdebug_child_perm(BlockDriverState *bs, BdrvChild *c, | ||
1080 | 149 | + const BdrvChildRole *role, | ||
1081 | 150 | + BlockReopenQueue *reopen_queue, | ||
1082 | 151 | + uint64_t perm, uint64_t shared, | ||
1083 | 152 | + uint64_t *nperm, uint64_t *nshared) | ||
1084 | 153 | +{ | ||
1085 | 154 | + BDRVBlkdebugState *s = bs->opaque; | ||
1086 | 155 | + | ||
1087 | 156 | + bdrv_filter_default_perms(bs, c, role, reopen_queue, perm, shared, | ||
1088 | 157 | + nperm, nshared); | ||
1089 | 158 | + | ||
1090 | 159 | + *nperm |= s->take_child_perms; | ||
1091 | 160 | + *nshared &= ~s->unshare_child_perms; | ||
1092 | 161 | +} | ||
1093 | 162 | + | ||
1094 | 163 | static const char *const blkdebug_strong_runtime_opts[] = { | ||
1095 | 164 | "config", | ||
1096 | 165 | "inject-error.", | ||
1097 | 166 | @@ -940,7 +1031,7 @@ static BlockDriver bdrv_blkdebug = { | ||
1098 | 167 | .bdrv_file_open = blkdebug_open, | ||
1099 | 168 | .bdrv_close = blkdebug_close, | ||
1100 | 169 | .bdrv_reopen_prepare = blkdebug_reopen_prepare, | ||
1101 | 170 | - .bdrv_child_perm = bdrv_filter_default_perms, | ||
1102 | 171 | + .bdrv_child_perm = blkdebug_child_perm, | ||
1103 | 172 | |||
1104 | 173 | .bdrv_getlength = blkdebug_getlength, | ||
1105 | 174 | .bdrv_refresh_filename = blkdebug_refresh_filename, | ||
1106 | 175 | diff --git a/qapi/block-core.json b/qapi/block-core.json | ||
1107 | 176 | index fcb52ec24f..839b10b3f0 100644 | ||
1108 | 177 | --- a/qapi/block-core.json | ||
1109 | 178 | +++ b/qapi/block-core.json | ||
1110 | 179 | @@ -3454,6 +3454,16 @@ | ||
1111 | 180 | # | ||
1112 | 181 | # @set-state: array of state-change descriptions | ||
1113 | 182 | # | ||
1114 | 183 | +# @take-child-perms: Permissions to take on @image in addition to what | ||
1115 | 184 | +# is necessary anyway (which depends on how the | ||
1116 | 185 | +# blkdebug node is used). Defaults to none. | ||
1117 | 186 | +# (since 5.0) | ||
1118 | 187 | +# | ||
1119 | 188 | +# @unshare-child-perms: Permissions not to share on @image in addition | ||
1120 | 189 | +# to what cannot be shared anyway (which depends | ||
1121 | 190 | +# on how the blkdebug node is used). Defaults | ||
1122 | 191 | +# to none. (since 5.0) | ||
1123 | 192 | +# | ||
1124 | 193 | # Since: 2.9 | ||
1125 | 194 | ## | ||
1126 | 195 | { 'struct': 'BlockdevOptionsBlkdebug', | ||
1127 | 196 | @@ -3463,7 +3473,9 @@ | ||
1128 | 197 | '*opt-write-zero': 'int32', '*max-write-zero': 'int32', | ||
1129 | 198 | '*opt-discard': 'int32', '*max-discard': 'int32', | ||
1130 | 199 | '*inject-error': ['BlkdebugInjectErrorOptions'], | ||
1131 | 200 | - '*set-state': ['BlkdebugSetStateOptions'] } } | ||
1132 | 201 | + '*set-state': ['BlkdebugSetStateOptions'], | ||
1133 | 202 | + '*take-child-perms': ['BlockPermission'], | ||
1134 | 203 | + '*unshare-child-perms': ['BlockPermission'] } } | ||
1135 | 204 | |||
1136 | 205 | ## | ||
1137 | 206 | # @BlockdevOptionsBlklogwrites: | ||
1138 | 207 | -- | ||
1139 | 208 | 2.28.0 | ||
1140 | 209 | |||
1141 | diff --git a/debian/patches/stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch b/debian/patches/stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch | |||
1142 | 0 | new file mode 100644 | 210 | new file mode 100644 |
1143 | index 0000000..0faa557 | |||
1144 | --- /dev/null | |||
1145 | +++ b/debian/patches/stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch | |||
1146 | @@ -0,0 +1,87 @@ | |||
1147 | 1 | From 0972fbf353e436088bbc4180bc13e93245cd7add Mon Sep 17 00:00:00 2001 | ||
1148 | 2 | From: Max Reitz <mreitz@redhat.com> | ||
1149 | 3 | Date: Fri, 8 Nov 2019 13:34:51 +0100 | ||
1150 | 4 | Subject: [PATCH] block: Add bdrv_qapi_perm_to_blk_perm() | ||
1151 | 5 | MIME-Version: 1.0 | ||
1152 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
1153 | 7 | Content-Transfer-Encoding: 8bit | ||
1154 | 8 | |||
1155 | 9 | We need some way to correlate QAPI BlockPermission values with | ||
1156 | 10 | BLK_PERM_* flags. We could: | ||
1157 | 11 | |||
1158 | 12 | (1) have the same order in the QAPI definition as the the BLK_PERM_* | ||
1159 | 13 | flags are in LSb-first order. However, then there is no guarantee | ||
1160 | 14 | that they actually match (e.g. when someone modifies the QAPI schema | ||
1161 | 15 | without thinking of the BLK_PERM_* definitions). | ||
1162 | 16 | We could add static assertions, but these would break what’s good | ||
1163 | 17 | about this solution, namely its simplicity. | ||
1164 | 18 | |||
1165 | 19 | (2) define the BLK_PERM_* flags based on the BlockPermission values. | ||
1166 | 20 | But this way whenever someone were to modify the QAPI order | ||
1167 | 21 | (perfectly sensible in theory), the BLK_PERM_* values would change. | ||
1168 | 22 | Because these values are used for file locking, this might break | ||
1169 | 23 | file locking between different qemu versions. | ||
1170 | 24 | |||
1171 | 25 | Therefore, go the slightly more cumbersome way: Add a function to | ||
1172 | 26 | translate from the QAPI constants to the BLK_PERM_* flags. | ||
1173 | 27 | |||
1174 | 28 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
1175 | 29 | Message-id: 20191108123455.39445-2-mreitz@redhat.com | ||
1176 | 30 | Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | ||
1177 | 31 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
1178 | 32 | (cherry picked from commit 7b1d9c4df0603fbc526226a9c5ef91118aa6c957) | ||
1179 | 33 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
1180 | 34 | |||
1181 | 35 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0972fbf353 | ||
1182 | 36 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
1183 | 37 | Last-Update: 2020-08-19 | ||
1184 | 38 | |||
1185 | 39 | --- | ||
1186 | 40 | block.c | 18 ++++++++++++++++++ | ||
1187 | 41 | include/block/block.h | 1 + | ||
1188 | 42 | 2 files changed, 19 insertions(+) | ||
1189 | 43 | |||
1190 | 44 | diff --git a/block.c b/block.c | ||
1191 | 45 | index 19c25da305..863cf34d45 100644 | ||
1192 | 46 | --- a/block.c | ||
1193 | 47 | +++ b/block.c | ||
1194 | 48 | @@ -2227,6 +2227,24 @@ void bdrv_format_default_perms(BlockDriverState *bs, BdrvChild *c, | ||
1195 | 49 | *nshared = shared; | ||
1196 | 50 | } | ||
1197 | 51 | |||
1198 | 52 | +uint64_t bdrv_qapi_perm_to_blk_perm(BlockPermission qapi_perm) | ||
1199 | 53 | +{ | ||
1200 | 54 | + static const uint64_t permissions[] = { | ||
1201 | 55 | + [BLOCK_PERMISSION_CONSISTENT_READ] = BLK_PERM_CONSISTENT_READ, | ||
1202 | 56 | + [BLOCK_PERMISSION_WRITE] = BLK_PERM_WRITE, | ||
1203 | 57 | + [BLOCK_PERMISSION_WRITE_UNCHANGED] = BLK_PERM_WRITE_UNCHANGED, | ||
1204 | 58 | + [BLOCK_PERMISSION_RESIZE] = BLK_PERM_RESIZE, | ||
1205 | 59 | + [BLOCK_PERMISSION_GRAPH_MOD] = BLK_PERM_GRAPH_MOD, | ||
1206 | 60 | + }; | ||
1207 | 61 | + | ||
1208 | 62 | + QEMU_BUILD_BUG_ON(ARRAY_SIZE(permissions) != BLOCK_PERMISSION__MAX); | ||
1209 | 63 | + QEMU_BUILD_BUG_ON(1UL << ARRAY_SIZE(permissions) != BLK_PERM_ALL + 1); | ||
1210 | 64 | + | ||
1211 | 65 | + assert(qapi_perm < BLOCK_PERMISSION__MAX); | ||
1212 | 66 | + | ||
1213 | 67 | + return permissions[qapi_perm]; | ||
1214 | 68 | +} | ||
1215 | 69 | + | ||
1216 | 70 | static void bdrv_replace_child_noperm(BdrvChild *child, | ||
1217 | 71 | BlockDriverState *new_bs) | ||
1218 | 72 | { | ||
1219 | 73 | diff --git a/include/block/block.h b/include/block/block.h | ||
1220 | 74 | index 1df9848e74..e9dcfef7fa 100644 | ||
1221 | 75 | --- a/include/block/block.h | ||
1222 | 76 | +++ b/include/block/block.h | ||
1223 | 77 | @@ -280,6 +280,7 @@ enum { | ||
1224 | 78 | }; | ||
1225 | 79 | |||
1226 | 80 | char *bdrv_perm_names(uint64_t perm); | ||
1227 | 81 | +uint64_t bdrv_qapi_perm_to_blk_perm(BlockPermission qapi_perm); | ||
1228 | 82 | |||
1229 | 83 | /* disk I/O throttling */ | ||
1230 | 84 | void bdrv_init(void); | ||
1231 | 85 | -- | ||
1232 | 86 | 2.28.0 | ||
1233 | 87 | |||
1234 | diff --git a/debian/patches/stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch b/debian/patches/stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch | |||
1235 | 0 | new file mode 100644 | 88 | new file mode 100644 |
1236 | index 0000000..3a3a104 | |||
1237 | --- /dev/null | |||
1238 | +++ b/debian/patches/stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch | |||
1239 | @@ -0,0 +1,41 @@ | |||
1240 | 1 | From 47e0fa74799c23dc29ff0adb356d82425b166231 Mon Sep 17 00:00:00 2001 | ||
1241 | 2 | From: Eric Blake <eblake@redhat.com> | ||
1242 | 3 | Date: Fri, 20 Mar 2020 13:36:20 -0500 | ||
1243 | 4 | Subject: [PATCH] block: Avoid memleak on qcow2 image info failure | ||
1244 | 5 | |||
1245 | 6 | If we fail to get bitmap info, we must not leak the encryption info. | ||
1246 | 7 | |||
1247 | 8 | Fixes: b8968c875f403 | ||
1248 | 9 | Fixes: Coverity CID 1421894 | ||
1249 | 10 | Signed-off-by: Eric Blake <eblake@redhat.com> | ||
1250 | 11 | Message-Id: <20200320183620.1112123-1-eblake@redhat.com> | ||
1251 | 12 | Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | ||
1252 | 13 | Reviewed-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com> | ||
1253 | 14 | Tested-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com> | ||
1254 | 15 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
1255 | 16 | (cherry picked from commit 71eaec2e8c7c8d266137b5c5f42da0bd6d6b5eb7) | ||
1256 | 17 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
1257 | 18 | |||
1258 | 19 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=47e0fa7479 | ||
1259 | 20 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
1260 | 21 | Last-Update: 2020-08-19 | ||
1261 | 22 | |||
1262 | 23 | --- | ||
1263 | 24 | block/qcow2.c | 1 + | ||
1264 | 25 | 1 file changed, 1 insertion(+) | ||
1265 | 26 | |||
1266 | 27 | diff --git a/block/qcow2.c b/block/qcow2.c | ||
1267 | 28 | index 7c18721741..13e118e16f 100644 | ||
1268 | 29 | --- a/block/qcow2.c | ||
1269 | 30 | +++ b/block/qcow2.c | ||
1270 | 31 | @@ -4800,6 +4800,7 @@ static ImageInfoSpecific *qcow2_get_specific_info(BlockDriverState *bs, | ||
1271 | 32 | if (local_err) { | ||
1272 | 33 | error_propagate(errp, local_err); | ||
1273 | 34 | qapi_free_ImageInfoSpecific(spec_info); | ||
1274 | 35 | + qapi_free_QCryptoBlockInfo(encrypt_info); | ||
1275 | 36 | return NULL; | ||
1276 | 37 | } | ||
1277 | 38 | *spec_info->u.qcow2.data = (ImageInfoSpecificQCow2){ | ||
1278 | 39 | -- | ||
1279 | 40 | 2.28.0 | ||
1280 | 41 | |||
1281 | diff --git a/debian/patches/stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch b/debian/patches/stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch | |||
1282 | 0 | new file mode 100644 | 42 | new file mode 100644 |
1283 | index 0000000..008a0c3 | |||
1284 | --- /dev/null | |||
1285 | +++ b/debian/patches/stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch | |||
1286 | @@ -0,0 +1,100 @@ | |||
1287 | 1 | From 6c75ddf4a9f317f038a4d94da1b2989fef5dd93b Mon Sep 17 00:00:00 2001 | ||
1288 | 2 | From: Eric Blake <eblake@redhat.com> | ||
1289 | 3 | Date: Mon, 8 Jun 2020 13:26:38 -0500 | ||
1290 | 4 | Subject: [PATCH] block: Call attention to truncation of long NBD exports | ||
1291 | 5 | |||
1292 | 6 | Commit 93676c88 relaxed our NBD client code to request export names up | ||
1293 | 7 | to the NBD protocol maximum of 4096 bytes without NUL terminator, even | ||
1294 | 8 | though the block layer can't store anything longer than 4096 bytes | ||
1295 | 9 | including NUL terminator for display to the user. Since this means | ||
1296 | 10 | there are some export names where we have to truncate things, we can | ||
1297 | 11 | at least try to make the truncation a bit more obvious for the user. | ||
1298 | 12 | Note that in spite of the truncated display name, we can still | ||
1299 | 13 | communicate with an NBD server using such a long export name; this was | ||
1300 | 14 | deemed nicer than refusing to even connect to such a server (since the | ||
1301 | 15 | server may not be under our control, and since determining our actual | ||
1302 | 16 | length limits gets tricky when nbd://host:port/export and | ||
1303 | 17 | nbd+unix:///export?socket=/path are themselves variable-length | ||
1304 | 18 | expansions beyond the export name but count towards the block layer | ||
1305 | 19 | name length). | ||
1306 | 20 | |||
1307 | 21 | Reported-by: Xueqiang Wei <xuwei@redhat.com> | ||
1308 | 22 | Fixes: https://bugzilla.redhat.com/1843684 | ||
1309 | 23 | Signed-off-by: Eric Blake <eblake@redhat.com> | ||
1310 | 24 | Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | ||
1311 | 25 | Message-Id: <20200610163741.3745251-3-eblake@redhat.com> | ||
1312 | 26 | (cherry picked from commit 5c86bdf1208916ece0b87e1151c9b48ee54faa3e) | ||
1313 | 27 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
1314 | 28 | |||
1315 | 29 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=6c75ddf4a9 | ||
1316 | 30 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
1317 | 31 | Last-Update: 2020-08-19 | ||
1318 | 32 | |||
1319 | 33 | --- | ||
1320 | 34 | block.c | 7 +++++-- | ||
1321 | 35 | block/nbd.c | 21 +++++++++++++-------- | ||
1322 | 36 | 2 files changed, 18 insertions(+), 10 deletions(-) | ||
1323 | 37 | |||
1324 | 38 | diff --git a/block.c b/block.c | ||
1325 | 39 | index 2e5e8b639a..19c25da305 100644 | ||
1326 | 40 | --- a/block.c | ||
1327 | 41 | +++ b/block.c | ||
1328 | 42 | @@ -6486,8 +6486,11 @@ void bdrv_refresh_filename(BlockDriverState *bs) | ||
1329 | 43 | pstrcpy(bs->filename, sizeof(bs->filename), bs->exact_filename); | ||
1330 | 44 | } else { | ||
1331 | 45 | QString *json = qobject_to_json(QOBJECT(bs->full_open_options)); | ||
1332 | 46 | - snprintf(bs->filename, sizeof(bs->filename), "json:%s", | ||
1333 | 47 | - qstring_get_str(json)); | ||
1334 | 48 | + if (snprintf(bs->filename, sizeof(bs->filename), "json:%s", | ||
1335 | 49 | + qstring_get_str(json)) >= sizeof(bs->filename)) { | ||
1336 | 50 | + /* Give user a hint if we truncated things. */ | ||
1337 | 51 | + strcpy(bs->filename + sizeof(bs->filename) - 4, "..."); | ||
1338 | 52 | + } | ||
1339 | 53 | qobject_unref(json); | ||
1340 | 54 | } | ||
1341 | 55 | } | ||
1342 | 56 | diff --git a/block/nbd.c b/block/nbd.c | ||
1343 | 57 | index 3d369fc8eb..eb380102c0 100644 | ||
1344 | 58 | --- a/block/nbd.c | ||
1345 | 59 | +++ b/block/nbd.c | ||
1346 | 60 | @@ -1971,6 +1971,7 @@ static void nbd_refresh_filename(BlockDriverState *bs) | ||
1347 | 61 | { | ||
1348 | 62 | BDRVNBDState *s = bs->opaque; | ||
1349 | 63 | const char *host = NULL, *port = NULL, *path = NULL; | ||
1350 | 64 | + size_t len = 0; | ||
1351 | 65 | |||
1352 | 66 | if (s->saddr->type == SOCKET_ADDRESS_TYPE_INET) { | ||
1353 | 67 | const InetSocketAddress *inet = &s->saddr->u.inet; | ||
1354 | 68 | @@ -1983,17 +1984,21 @@ static void nbd_refresh_filename(BlockDriverState *bs) | ||
1355 | 69 | } /* else can't represent as pseudo-filename */ | ||
1356 | 70 | |||
1357 | 71 | if (path && s->export) { | ||
1358 | 72 | - snprintf(bs->exact_filename, sizeof(bs->exact_filename), | ||
1359 | 73 | - "nbd+unix:///%s?socket=%s", s->export, path); | ||
1360 | 74 | + len = snprintf(bs->exact_filename, sizeof(bs->exact_filename), | ||
1361 | 75 | + "nbd+unix:///%s?socket=%s", s->export, path); | ||
1362 | 76 | } else if (path && !s->export) { | ||
1363 | 77 | - snprintf(bs->exact_filename, sizeof(bs->exact_filename), | ||
1364 | 78 | - "nbd+unix://?socket=%s", path); | ||
1365 | 79 | + len = snprintf(bs->exact_filename, sizeof(bs->exact_filename), | ||
1366 | 80 | + "nbd+unix://?socket=%s", path); | ||
1367 | 81 | } else if (host && s->export) { | ||
1368 | 82 | - snprintf(bs->exact_filename, sizeof(bs->exact_filename), | ||
1369 | 83 | - "nbd://%s:%s/%s", host, port, s->export); | ||
1370 | 84 | + len = snprintf(bs->exact_filename, sizeof(bs->exact_filename), | ||
1371 | 85 | + "nbd://%s:%s/%s", host, port, s->export); | ||
1372 | 86 | } else if (host && !s->export) { | ||
1373 | 87 | - snprintf(bs->exact_filename, sizeof(bs->exact_filename), | ||
1374 | 88 | - "nbd://%s:%s", host, port); | ||
1375 | 89 | + len = snprintf(bs->exact_filename, sizeof(bs->exact_filename), | ||
1376 | 90 | + "nbd://%s:%s", host, port); | ||
1377 | 91 | + } | ||
1378 | 92 | + if (len > sizeof(bs->exact_filename)) { | ||
1379 | 93 | + /* Name is too long to represent exactly, so leave it empty. */ | ||
1380 | 94 | + bs->exact_filename[0] = '\0'; | ||
1381 | 95 | } | ||
1382 | 96 | } | ||
1383 | 97 | |||
1384 | 98 | -- | ||
1385 | 99 | 2.28.0 | ||
1386 | 100 | |||
1387 | diff --git a/debian/patches/stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch b/debian/patches/stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch | |||
1388 | 0 | new file mode 100644 | 101 | new file mode 100644 |
1389 | index 0000000..dadc759 | |||
1390 | --- /dev/null | |||
1391 | +++ b/debian/patches/stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch | |||
1392 | @@ -0,0 +1,58 @@ | |||
1393 | 1 | From 0b487ea66409be1984ed55d3de71000ac363644f Mon Sep 17 00:00:00 2001 | ||
1394 | 2 | From: Max Reitz <mreitz@redhat.com> | ||
1395 | 3 | Date: Fri, 17 Jan 2020 11:58:58 +0100 | ||
1396 | 4 | Subject: [PATCH] block: Fix VM size field width in snapshot dump | ||
1397 | 5 | |||
1398 | 6 | When printing the snapshot list (e.g. with qemu-img snapshot -l), the VM | ||
1399 | 7 | size field is only seven characters wide. As of de38b5005e9, this is | ||
1400 | 8 | not necessarily sufficient: We generally print three digits, and this | ||
1401 | 9 | may require a decimal point. Also, the unit field grew from something | ||
1402 | 10 | as plain as "M" to " MiB". This means that number and unit may take up | ||
1403 | 11 | eight characters in total; but we also want spaces in front. | ||
1404 | 12 | |||
1405 | 13 | Considering previously the maximum width was four characters and the | ||
1406 | 14 | field width was chosen to be three characters wider, let us adjust the | ||
1407 | 15 | field width to be eleven now. | ||
1408 | 16 | |||
1409 | 17 | Fixes: de38b5005e946aa3714963ea4c501e279e7d3666 | ||
1410 | 18 | Buglink: https://bugs.launchpad.net/qemu/+bug/1859989 | ||
1411 | 19 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
1412 | 20 | Message-Id: <20200117105859.241818-2-mreitz@redhat.com> | ||
1413 | 21 | Reviewed-by: Eric Blake <eblake@redhat.com> | ||
1414 | 22 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
1415 | 23 | (cherry picked from commit 804359b8b90f76d9d8fbe8d85a6544b68f107f10) | ||
1416 | 24 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
1417 | 25 | |||
1418 | 26 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0b487ea664 | ||
1419 | 27 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
1420 | 28 | Last-Update: 2020-08-19 | ||
1421 | 29 | |||
1422 | 30 | --- | ||
1423 | 31 | block/qapi.c | 4 ++-- | ||
1424 | 32 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
1425 | 33 | |||
1426 | 34 | diff --git a/block/qapi.c b/block/qapi.c | ||
1427 | 35 | index 9a5d0c9b27..ffa539250d 100644 | ||
1428 | 36 | --- a/block/qapi.c | ||
1429 | 37 | +++ b/block/qapi.c | ||
1430 | 38 | @@ -657,7 +657,7 @@ void bdrv_snapshot_dump(QEMUSnapshotInfo *sn) | ||
1431 | 39 | char *sizing = NULL; | ||
1432 | 40 | |||
1433 | 41 | if (!sn) { | ||
1434 | 42 | - qemu_printf("%-10s%-20s%7s%20s%15s", | ||
1435 | 43 | + qemu_printf("%-10s%-20s%11s%20s%15s", | ||
1436 | 44 | "ID", "TAG", "VM SIZE", "DATE", "VM CLOCK"); | ||
1437 | 45 | } else { | ||
1438 | 46 | ti = sn->date_sec; | ||
1439 | 47 | @@ -672,7 +672,7 @@ void bdrv_snapshot_dump(QEMUSnapshotInfo *sn) | ||
1440 | 48 | (int)(secs % 60), | ||
1441 | 49 | (int)((sn->vm_clock_nsec / 1000000) % 1000)); | ||
1442 | 50 | sizing = size_to_str(sn->vm_state_size); | ||
1443 | 51 | - qemu_printf("%-10s%-20s%7s%20s%15s", | ||
1444 | 52 | + qemu_printf("%-10s%-20s%11s%20s%15s", | ||
1445 | 53 | sn->id_str, sn->name, | ||
1446 | 54 | sizing, | ||
1447 | 55 | date_buf, | ||
1448 | 56 | -- | ||
1449 | 57 | 2.28.0 | ||
1450 | 58 | |||
1451 | diff --git a/debian/patches/stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch b/debian/patches/stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch | |||
1452 | 0 | new file mode 100644 | 59 | new file mode 100644 |
1453 | index 0000000..31648ce | |||
1454 | --- /dev/null | |||
1455 | +++ b/debian/patches/stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch | |||
1456 | @@ -0,0 +1,55 @@ | |||
1457 | 1 | From dc6bdba433246e55c930fad38c1267242fae888c Mon Sep 17 00:00:00 2001 | ||
1458 | 2 | From: Eiichi Tsukata <devel@etsukata.com> | ||
1459 | 3 | Date: Mon, 23 Dec 2019 18:06:32 +0900 | ||
1460 | 4 | Subject: [PATCH] block/backup: fix memory leak in bdrv_backup_top_append() | ||
1461 | 5 | |||
1462 | 6 | bdrv_open_driver() allocates bs->opaque according to drv->instance_size. | ||
1463 | 7 | There is no need to allocate it and overwrite opaque in | ||
1464 | 8 | bdrv_backup_top_append(). | ||
1465 | 9 | |||
1466 | 10 | Reproducer: | ||
1467 | 11 | |||
1468 | 12 | $ QTEST_QEMU_BINARY=./x86_64-softmmu/qemu-system-x86_64 valgrind -q --leak-check=full tests/test-replication -p /replication/secondary/start | ||
1469 | 13 | ==29792== 24 bytes in 1 blocks are definitely lost in loss record 52 of 226 | ||
1470 | 14 | ==29792== at 0x483AB1A: calloc (vg_replace_malloc.c:762) | ||
1471 | 15 | ==29792== by 0x4B07CE0: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.6000.7) | ||
1472 | 16 | ==29792== by 0x12BAB9: bdrv_open_driver (block.c:1289) | ||
1473 | 17 | ==29792== by 0x12BEA9: bdrv_new_open_driver (block.c:1359) | ||
1474 | 18 | ==29792== by 0x1D15CB: bdrv_backup_top_append (backup-top.c:190) | ||
1475 | 19 | ==29792== by 0x1CC11A: backup_job_create (backup.c:439) | ||
1476 | 20 | ==29792== by 0x1CD542: replication_start (replication.c:544) | ||
1477 | 21 | ==29792== by 0x1401B9: replication_start_all (replication.c:52) | ||
1478 | 22 | ==29792== by 0x128B50: test_secondary_start (test-replication.c:427) | ||
1479 | 23 | ... | ||
1480 | 24 | |||
1481 | 25 | Fixes: 7df7868b9640 ("block: introduce backup-top filter driver") | ||
1482 | 26 | Signed-off-by: Eiichi Tsukata <devel@etsukata.com> | ||
1483 | 27 | Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | ||
1484 | 28 | Signed-off-by: Kevin Wolf <kwolf@redhat.com> | ||
1485 | 29 | (cherry picked from commit fb574de81bfdd71fdb0315105a3a7761efb68395) | ||
1486 | 30 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
1487 | 31 | |||
1488 | 32 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=dc6bdba433 | ||
1489 | 33 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
1490 | 34 | Last-Update: 2020-08-19 | ||
1491 | 35 | |||
1492 | 36 | --- | ||
1493 | 37 | block/backup-top.c | 2 +- | ||
1494 | 38 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
1495 | 39 | |||
1496 | 40 | diff --git a/block/backup-top.c b/block/backup-top.c | ||
1497 | 41 | index 818d3f26b4..64e9e4f576 100644 | ||
1498 | 42 | --- a/block/backup-top.c | ||
1499 | 43 | +++ b/block/backup-top.c | ||
1500 | 44 | @@ -196,7 +196,7 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source, | ||
1501 | 45 | } | ||
1502 | 46 | |||
1503 | 47 | top->total_sectors = source->total_sectors; | ||
1504 | 48 | - top->opaque = state = g_new0(BDRVBackupTopState, 1); | ||
1505 | 49 | + state = top->opaque; | ||
1506 | 50 | |||
1507 | 51 | bdrv_ref(target); | ||
1508 | 52 | state->target = bdrv_attach_child(top, target, "target", &child_file, errp); | ||
1509 | 53 | -- | ||
1510 | 54 | 2.28.0 | ||
1511 | 55 | |||
1512 | diff --git a/debian/patches/stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch b/debian/patches/stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch | |||
1513 | 0 | new file mode 100644 | 56 | new file mode 100644 |
1514 | index 0000000..4ca9cb9 | |||
1515 | --- /dev/null | |||
1516 | +++ b/debian/patches/stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch | |||
1517 | @@ -0,0 +1,122 @@ | |||
1518 | 1 | From 5ff78dc9bcf2a81f097f1137e58f9a0759347d91 Mon Sep 17 00:00:00 2001 | ||
1519 | 2 | From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | ||
1520 | 3 | Date: Mon, 16 Mar 2020 09:06:30 +0300 | ||
1521 | 4 | Subject: [PATCH] block: bdrv_set_backing_bs: fix use-after-free | ||
1522 | 5 | MIME-Version: 1.0 | ||
1523 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
1524 | 7 | Content-Transfer-Encoding: 8bit | ||
1525 | 8 | |||
1526 | 9 | There is a use-after-free possible: bdrv_unref_child() leaves | ||
1527 | 10 | bs->backing freed but not NULL. bdrv_attach_child may produce nested | ||
1528 | 11 | polling loop due to drain, than access of freed pointer is possible. | ||
1529 | 12 | |||
1530 | 13 | I've produced the following crash on 30 iotest with modified code. It | ||
1531 | 14 | does not reproduce on master, but still seems possible: | ||
1532 | 15 | |||
1533 | 16 | #0 __strcmp_avx2 () at /lib64/libc.so.6 | ||
1534 | 17 | #1 bdrv_backing_overridden (bs=0x55c9d3cc2060) at block.c:6350 | ||
1535 | 18 | #2 bdrv_refresh_filename (bs=0x55c9d3cc2060) at block.c:6404 | ||
1536 | 19 | #3 bdrv_backing_attach (c=0x55c9d48e5520) at block.c:1063 | ||
1537 | 20 | #4 bdrv_replace_child_noperm | ||
1538 | 21 | (child=child@entry=0x55c9d48e5520, | ||
1539 | 22 | new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2290 | ||
1540 | 23 | #5 bdrv_replace_child | ||
1541 | 24 | (child=child@entry=0x55c9d48e5520, | ||
1542 | 25 | new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2320 | ||
1543 | 26 | #6 bdrv_root_attach_child | ||
1544 | 27 | (child_bs=child_bs@entry=0x55c9d3cc2060, | ||
1545 | 28 | child_name=child_name@entry=0x55c9d241d478 "backing", | ||
1546 | 29 | child_role=child_role@entry=0x55c9d26ecee0 <child_backing>, | ||
1547 | 30 | ctx=<optimized out>, perm=<optimized out>, shared_perm=21, | ||
1548 | 31 | opaque=0x55c9d3c5a3d0, errp=0x7ffd117108e0) at block.c:2424 | ||
1549 | 32 | #7 bdrv_attach_child | ||
1550 | 33 | (parent_bs=parent_bs@entry=0x55c9d3c5a3d0, | ||
1551 | 34 | child_bs=child_bs@entry=0x55c9d3cc2060, | ||
1552 | 35 | child_name=child_name@entry=0x55c9d241d478 "backing", | ||
1553 | 36 | child_role=child_role@entry=0x55c9d26ecee0 <child_backing>, | ||
1554 | 37 | errp=errp@entry=0x7ffd117108e0) at block.c:5876 | ||
1555 | 38 | #8 in bdrv_set_backing_hd | ||
1556 | 39 | (bs=bs@entry=0x55c9d3c5a3d0, | ||
1557 | 40 | backing_hd=backing_hd@entry=0x55c9d3cc2060, | ||
1558 | 41 | errp=errp@entry=0x7ffd117108e0) | ||
1559 | 42 | at block.c:2576 | ||
1560 | 43 | #9 stream_prepare (job=0x55c9d49d84a0) at block/stream.c:150 | ||
1561 | 44 | #10 job_prepare (job=0x55c9d49d84a0) at job.c:761 | ||
1562 | 45 | #11 job_txn_apply (txn=<optimized out>, fn=<optimized out>) at | ||
1563 | 46 | job.c:145 | ||
1564 | 47 | #12 job_do_finalize (job=0x55c9d49d84a0) at job.c:778 | ||
1565 | 48 | #13 job_completed_txn_success (job=0x55c9d49d84a0) at job.c:832 | ||
1566 | 49 | #14 job_completed (job=0x55c9d49d84a0) at job.c:845 | ||
1567 | 50 | #15 job_completed (job=0x55c9d49d84a0) at job.c:836 | ||
1568 | 51 | #16 job_exit (opaque=0x55c9d49d84a0) at job.c:864 | ||
1569 | 52 | #17 aio_bh_call (bh=0x55c9d471a160) at util/async.c:117 | ||
1570 | 53 | #18 aio_bh_poll (ctx=ctx@entry=0x55c9d3c46720) at util/async.c:117 | ||
1571 | 54 | #19 aio_poll (ctx=ctx@entry=0x55c9d3c46720, | ||
1572 | 55 | blocking=blocking@entry=true) | ||
1573 | 56 | at util/aio-posix.c:728 | ||
1574 | 57 | #20 bdrv_parent_drained_begin_single (poll=true, c=0x55c9d3d558f0) | ||
1575 | 58 | at block/io.c:121 | ||
1576 | 59 | #21 bdrv_parent_drained_begin_single (c=c@entry=0x55c9d3d558f0, | ||
1577 | 60 | poll=poll@entry=true) | ||
1578 | 61 | at block/io.c:114 | ||
1579 | 62 | #22 bdrv_replace_child_noperm | ||
1580 | 63 | (child=child@entry=0x55c9d3d558f0, | ||
1581 | 64 | new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2258 | ||
1582 | 65 | #23 bdrv_replace_child | ||
1583 | 66 | (child=child@entry=0x55c9d3d558f0, | ||
1584 | 67 | new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2320 | ||
1585 | 68 | #24 bdrv_root_attach_child | ||
1586 | 69 | (child_bs=child_bs@entry=0x55c9d3d27300, | ||
1587 | 70 | child_name=child_name@entry=0x55c9d241d478 "backing", | ||
1588 | 71 | child_role=child_role@entry=0x55c9d26ecee0 <child_backing>, | ||
1589 | 72 | ctx=<optimized out>, perm=<optimized out>, shared_perm=21, | ||
1590 | 73 | opaque=0x55c9d3cc2060, errp=0x7ffd11710c60) at block.c:2424 | ||
1591 | 74 | #25 bdrv_attach_child | ||
1592 | 75 | (parent_bs=parent_bs@entry=0x55c9d3cc2060, | ||
1593 | 76 | child_bs=child_bs@entry=0x55c9d3d27300, | ||
1594 | 77 | child_name=child_name@entry=0x55c9d241d478 "backing", | ||
1595 | 78 | child_role=child_role@entry=0x55c9d26ecee0 <child_backing>, | ||
1596 | 79 | errp=errp@entry=0x7ffd11710c60) at block.c:5876 | ||
1597 | 80 | #26 bdrv_set_backing_hd | ||
1598 | 81 | (bs=bs@entry=0x55c9d3cc2060, | ||
1599 | 82 | backing_hd=backing_hd@entry=0x55c9d3d27300, | ||
1600 | 83 | errp=errp@entry=0x7ffd11710c60) | ||
1601 | 84 | at block.c:2576 | ||
1602 | 85 | #27 stream_prepare (job=0x55c9d495ead0) at block/stream.c:150 | ||
1603 | 86 | ... | ||
1604 | 87 | |||
1605 | 88 | Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | ||
1606 | 89 | Message-Id: <20200316060631.30052-2-vsementsov@virtuozzo.com> | ||
1607 | 90 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
1608 | 91 | Reviewed-by: John Snow <jsnow@redhat.com> | ||
1609 | 92 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
1610 | 93 | (cherry picked from commit 6e57963a77df1e275a73dab4c6a7ec9a9d3468d4) | ||
1611 | 94 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
1612 | 95 | |||
1613 | 96 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=5ff78dc9bc | ||
1614 | 97 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
1615 | 98 | Last-Update: 2020-08-19 | ||
1616 | 99 | |||
1617 | 100 | --- | ||
1618 | 101 | block.c | 2 +- | ||
1619 | 102 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
1620 | 103 | |||
1621 | 104 | diff --git a/block.c b/block.c | ||
1622 | 105 | index 4916252444..1cb1cd7a37 100644 | ||
1623 | 106 | --- a/block.c | ||
1624 | 107 | +++ b/block.c | ||
1625 | 108 | @@ -2577,10 +2577,10 @@ void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd, | ||
1626 | 109 | |||
1627 | 110 | if (bs->backing) { | ||
1628 | 111 | bdrv_unref_child(bs, bs->backing); | ||
1629 | 112 | + bs->backing = NULL; | ||
1630 | 113 | } | ||
1631 | 114 | |||
1632 | 115 | if (!backing_hd) { | ||
1633 | 116 | - bs->backing = NULL; | ||
1634 | 117 | goto out; | ||
1635 | 118 | } | ||
1636 | 119 | |||
1637 | 120 | -- | ||
1638 | 121 | 2.28.0 | ||
1639 | 122 | |||
1640 | diff --git a/debian/patches/stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch b/debian/patches/stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch | |||
1641 | 0 | new file mode 100644 | 123 | new file mode 100644 |
1642 | index 0000000..8b916a8 | |||
1643 | --- /dev/null | |||
1644 | +++ b/debian/patches/stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch | |||
1645 | @@ -0,0 +1,68 @@ | |||
1646 | 1 | From a967e75f3a65ccfca3e793e4cb8223449f20a9c5 Mon Sep 17 00:00:00 2001 | ||
1647 | 2 | From: Pan Nengyuan <pannengyuan@huawei.com> | ||
1648 | 3 | Date: Thu, 16 Jan 2020 16:56:00 +0800 | ||
1649 | 4 | Subject: [PATCH] block: fix memleaks in bdrv_refresh_filename | ||
1650 | 5 | |||
1651 | 6 | If we call the qmp 'query-block' while qemu is working on | ||
1652 | 7 | 'block-commit', it will cause memleaks, the memory leak stack is as | ||
1653 | 8 | follow: | ||
1654 | 9 | |||
1655 | 10 | Indirect leak of 12360 byte(s) in 3 object(s) allocated from: | ||
1656 | 11 | #0 0x7f80f0b6d970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970) | ||
1657 | 12 | #1 0x7f80ee86049d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d) | ||
1658 | 13 | #2 0x55ea95b5bb67 in qdict_new /mnt/sdb/qemu-4.2.0-rc0/qobject/qdict.c:29 | ||
1659 | 14 | #3 0x55ea956cd043 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6427 | ||
1660 | 15 | #4 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399 | ||
1661 | 16 | #5 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399 | ||
1662 | 17 | #6 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399 | ||
1663 | 18 | #7 0x55ea958818ea in bdrv_block_device_info /mnt/sdb/qemu-4.2.0-rc0/block/qapi.c:56 | ||
1664 | 19 | #8 0x55ea958879de in bdrv_query_info /mnt/sdb/qemu-4.2.0-rc0/block/qapi.c:392 | ||
1665 | 20 | #9 0x55ea9588b58f in qmp_query_block /mnt/sdb/qemu-4.2.0-rc0/block/qapi.c:578 | ||
1666 | 21 | #10 0x55ea95567392 in qmp_marshal_query_block qapi/qapi-commands-block-core.c:95 | ||
1667 | 22 | |||
1668 | 23 | Indirect leak of 4120 byte(s) in 1 object(s) allocated from: | ||
1669 | 24 | #0 0x7f80f0b6d970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970) | ||
1670 | 25 | #1 0x7f80ee86049d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d) | ||
1671 | 26 | #2 0x55ea95b5bb67 in qdict_new /mnt/sdb/qemu-4.2.0-rc0/qobject/qdict.c:29 | ||
1672 | 27 | #3 0x55ea956cd043 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6427 | ||
1673 | 28 | #4 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399 | ||
1674 | 29 | #5 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399 | ||
1675 | 30 | #6 0x55ea9569f301 in bdrv_backing_attach /mnt/sdb/qemu-4.2.0-rc0/block.c:1064 | ||
1676 | 31 | #7 0x55ea956a99dd in bdrv_replace_child_noperm /mnt/sdb/qemu-4.2.0-rc0/block.c:2283 | ||
1677 | 32 | #8 0x55ea956b9b53 in bdrv_replace_node /mnt/sdb/qemu-4.2.0-rc0/block.c:4196 | ||
1678 | 33 | #9 0x55ea956b9e49 in bdrv_append /mnt/sdb/qemu-4.2.0-rc0/block.c:4236 | ||
1679 | 34 | #10 0x55ea958c3472 in commit_start /mnt/sdb/qemu-4.2.0-rc0/block/commit.c:306 | ||
1680 | 35 | #11 0x55ea94b68ab0 in qmp_block_commit /mnt/sdb/qemu-4.2.0-rc0/blockdev.c:3459 | ||
1681 | 36 | #12 0x55ea9556a7a7 in qmp_marshal_block_commit qapi/qapi-commands-block-core.c:407 | ||
1682 | 37 | |||
1683 | 38 | Fixes: bb808d5f5c0978828a974d547e6032402c339555 | ||
1684 | 39 | Reported-by: Euler Robot <euler.robot@huawei.com> | ||
1685 | 40 | Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com> | ||
1686 | 41 | Message-id: 20200116085600.24056-1-pannengyuan@huawei.com | ||
1687 | 42 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
1688 | 43 | (cherry picked from commit cb8956144ccaccf23d5cc4167677e2c84fa5a9f8) | ||
1689 | 44 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
1690 | 45 | |||
1691 | 46 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=a967e75f3a | ||
1692 | 47 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
1693 | 48 | Last-Update: 2020-08-19 | ||
1694 | 49 | |||
1695 | 50 | --- | ||
1696 | 51 | block.c | 1 + | ||
1697 | 52 | 1 file changed, 1 insertion(+) | ||
1698 | 53 | |||
1699 | 54 | diff --git a/block.c b/block.c | ||
1700 | 55 | index 863cf34d45..4916252444 100644 | ||
1701 | 56 | --- a/block.c | ||
1702 | 57 | +++ b/block.c | ||
1703 | 58 | @@ -6426,6 +6426,7 @@ void bdrv_refresh_filename(BlockDriverState *bs) | ||
1704 | 59 | child->bs->exact_filename); | ||
1705 | 60 | pstrcpy(bs->filename, sizeof(bs->filename), child->bs->filename); | ||
1706 | 61 | |||
1707 | 62 | + qobject_unref(bs->full_open_options); | ||
1708 | 63 | bs->full_open_options = qobject_ref(child->bs->full_open_options); | ||
1709 | 64 | |||
1710 | 65 | return; | ||
1711 | 66 | -- | ||
1712 | 67 | 2.28.0 | ||
1713 | 68 | |||
1714 | diff --git a/debian/patches/stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch b/debian/patches/stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch | |||
1715 | 0 | new file mode 100644 | 69 | new file mode 100644 |
1716 | index 0000000..2e76b86 | |||
1717 | --- /dev/null | |||
1718 | +++ b/debian/patches/stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch | |||
1719 | @@ -0,0 +1,49 @@ | |||
1720 | 1 | From 219362f9655859056e8f15cf96fc3169d4dc80de Mon Sep 17 00:00:00 2001 | ||
1721 | 2 | From: Cornelia Huck <cohuck@redhat.com> | ||
1722 | 3 | Date: Wed, 18 Mar 2020 10:39:19 +0100 | ||
1723 | 4 | Subject: [PATCH] compat: disable edid on correct virtio-gpu device | ||
1724 | 5 | MIME-Version: 1.0 | ||
1725 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
1726 | 7 | Content-Transfer-Encoding: 8bit | ||
1727 | 8 | |||
1728 | 9 | Commit bb15791166c1 ("compat: disable edid on virtio-gpu base | ||
1729 | 10 | device") tried to disable 'edid' on the virtio-gpu base device. | ||
1730 | 11 | However, that device is not 'virtio-gpu', but 'virtio-gpu-device'. | ||
1731 | 12 | Fix it. | ||
1732 | 13 | |||
1733 | 14 | Fixes: bb15791166c1 ("compat: disable edid on virtio-gpu base device") | ||
1734 | 15 | Reported-by: Lukáš Doktor <ldoktor@redhat.com> | ||
1735 | 16 | Tested-by: Lukáš Doktor <ldoktor@redhat.com> | ||
1736 | 17 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
1737 | 18 | Signed-off-by: Cornelia Huck <cohuck@redhat.com> | ||
1738 | 19 | Message-id: 20200318093919.24942-1-cohuck@redhat.com | ||
1739 | 20 | Cc: qemu-stable@nongnu.org | ||
1740 | 21 | Signed-off-by: Cornelia Huck <cohuck@redhat.com> | ||
1741 | 22 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
1742 | 23 | (cherry picked from commit 02501fc39381c4dabaf6becdd12c2a4754c3847c) | ||
1743 | 24 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
1744 | 25 | |||
1745 | 26 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=219362f965 | ||
1746 | 27 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
1747 | 28 | Last-Update: 2020-08-19 | ||
1748 | 29 | |||
1749 | 30 | --- | ||
1750 | 31 | hw/core/machine.c | 2 +- | ||
1751 | 32 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
1752 | 33 | |||
1753 | 34 | diff --git a/hw/core/machine.c b/hw/core/machine.c | ||
1754 | 35 | index aa63231f31..1872263bf0 100644 | ||
1755 | 36 | --- a/hw/core/machine.c | ||
1756 | 37 | +++ b/hw/core/machine.c | ||
1757 | 38 | @@ -37,7 +37,7 @@ GlobalProperty hw_compat_4_0[] = { | ||
1758 | 39 | { "secondary-vga", "edid", "false" }, | ||
1759 | 40 | { "bochs-display", "edid", "false" }, | ||
1760 | 41 | { "virtio-vga", "edid", "false" }, | ||
1761 | 42 | - { "virtio-gpu", "edid", "false" }, | ||
1762 | 43 | + { "virtio-gpu-device", "edid", "false" }, | ||
1763 | 44 | { "virtio-device", "use-started", "false" }, | ||
1764 | 45 | { "virtio-balloon-device", "qemu-4-0-config-size", "true" }, | ||
1765 | 46 | { "pl031", "migrate-tick-offset", "false" }, | ||
1766 | 47 | -- | ||
1767 | 48 | 2.28.0 | ||
1768 | 49 | |||
1769 | diff --git a/debian/patches/stable/lp-1891877-display-bochs-display-fix-memory-leak.patch b/debian/patches/stable/lp-1891877-display-bochs-display-fix-memory-leak.patch | |||
1770 | 0 | new file mode 100644 | 50 | new file mode 100644 |
1771 | index 0000000..6196cbc | |||
1772 | --- /dev/null | |||
1773 | +++ b/debian/patches/stable/lp-1891877-display-bochs-display-fix-memory-leak.patch | |||
1774 | @@ -0,0 +1,42 @@ | |||
1775 | 1 | From 7e1bc51f3f606e758b2600555ddc99f643a3697d Mon Sep 17 00:00:00 2001 | ||
1776 | 2 | From: Cameron Esfahani <dirty@apple.com> | ||
1777 | 3 | Date: Tue, 10 Dec 2019 13:27:54 -0800 | ||
1778 | 4 | Subject: [PATCH] display/bochs-display: fix memory leak | ||
1779 | 5 | MIME-Version: 1.0 | ||
1780 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
1781 | 7 | Content-Transfer-Encoding: 8bit | ||
1782 | 8 | |||
1783 | 9 | Fix memory leak in bochs_display_update(). Leaks 304 bytes per frame. | ||
1784 | 10 | |||
1785 | 11 | Fixes: 33ebad54056 | ||
1786 | 12 | Signed-off-by: Cameron Esfahani <dirty@apple.com> | ||
1787 | 13 | Message-Id: <d6c26e68db134c7b0c7ce8b61596ca2e65e01e12.1576013209.git.dirty@apple.com> | ||
1788 | 14 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
1789 | 15 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
1790 | 16 | (cherry picked from commit 0d82411d0e38a0de7829f97d04406765c8d2210d) | ||
1791 | 17 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
1792 | 18 | |||
1793 | 19 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=7e1bc51f3f | ||
1794 | 20 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
1795 | 21 | Last-Update: 2020-08-19 | ||
1796 | 22 | |||
1797 | 23 | --- | ||
1798 | 24 | hw/display/bochs-display.c | 2 ++ | ||
1799 | 25 | 1 file changed, 2 insertions(+) | ||
1800 | 26 | |||
1801 | 27 | diff --git a/hw/display/bochs-display.c b/hw/display/bochs-display.c | ||
1802 | 28 | index dc1bd1641d..215db9a231 100644 | ||
1803 | 29 | --- a/hw/display/bochs-display.c | ||
1804 | 30 | +++ b/hw/display/bochs-display.c | ||
1805 | 31 | @@ -252,6 +252,8 @@ static void bochs_display_update(void *opaque) | ||
1806 | 32 | dpy_gfx_update(s->con, 0, ys, | ||
1807 | 33 | mode.width, y - ys); | ||
1808 | 34 | } | ||
1809 | 35 | + | ||
1810 | 36 | + g_free(snap); | ||
1811 | 37 | } | ||
1812 | 38 | } | ||
1813 | 39 | |||
1814 | 40 | -- | ||
1815 | 41 | 2.28.0 | ||
1816 | 42 | |||
1817 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch b/debian/patches/stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch | |||
1818 | 0 | new file mode 100644 | 43 | new file mode 100644 |
1819 | index 0000000..3d85936 | |||
1820 | --- /dev/null | |||
1821 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch | |||
1822 | @@ -0,0 +1,52 @@ | |||
1823 | 1 | From 1190026fe415ce29605bdadbb68956a3315714e8 Mon Sep 17 00:00:00 2001 | ||
1824 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
1825 | 3 | Date: Wed, 29 Jan 2020 20:27:49 +1100 | ||
1826 | 4 | Subject: [PATCH] dp8393x: Always update RRA pointers and sequence numbers | ||
1827 | 5 | |||
1828 | 6 | These operations need to take place regardless of whether or not | ||
1829 | 7 | rx descriptors have been used up (that is, EOL flag was observed). | ||
1830 | 8 | |||
1831 | 9 | The algorithm is now the same for a packet that was withheld as for | ||
1832 | 10 | a packet that was not. | ||
1833 | 11 | |||
1834 | 12 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
1835 | 13 | Tested-by: Laurent Vivier <laurent@vivier.eu> | ||
1836 | 14 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
1837 | 15 | (cherry picked from commit 80b60673ea598869050c66d95d8339480e4cefd0) | ||
1838 | 16 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
1839 | 17 | |||
1840 | 18 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=1190026fe4 | ||
1841 | 19 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
1842 | 20 | Last-Update: 2020-08-19 | ||
1843 | 21 | |||
1844 | 22 | --- | ||
1845 | 23 | hw/net/dp8393x.c | 12 +++++++----- | ||
1846 | 24 | 1 file changed, 7 insertions(+), 5 deletions(-) | ||
1847 | 25 | |||
1848 | 26 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
1849 | 27 | index 4ce2ef818b..aa7bd785f3 100644 | ||
1850 | 28 | --- a/hw/net/dp8393x.c | ||
1851 | 29 | +++ b/hw/net/dp8393x.c | ||
1852 | 30 | @@ -897,12 +897,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
1853 | 31 | /* Move to next descriptor */ | ||
1854 | 32 | s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA]; | ||
1855 | 33 | s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX; | ||
1856 | 34 | - s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | (((s->regs[SONIC_RSC] & 0x00ff) + 1) & 0x00ff); | ||
1857 | 35 | + } | ||
1858 | 36 | |||
1859 | 37 | - if (s->regs[SONIC_RCR] & SONIC_RCR_LPKT) { | ||
1860 | 38 | - /* Read next RRA */ | ||
1861 | 39 | - dp8393x_do_read_rra(s); | ||
1862 | 40 | - } | ||
1863 | 41 | + s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | | ||
1864 | 42 | + ((s->regs[SONIC_RSC] + 1) & 0x00ff); | ||
1865 | 43 | + | ||
1866 | 44 | + if (s->regs[SONIC_RCR] & SONIC_RCR_LPKT) { | ||
1867 | 45 | + /* Read next RRA */ | ||
1868 | 46 | + dp8393x_do_read_rra(s); | ||
1869 | 47 | } | ||
1870 | 48 | |||
1871 | 49 | /* Done */ | ||
1872 | 50 | -- | ||
1873 | 51 | 2.28.0 | ||
1874 | 52 | |||
1875 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch b/debian/patches/stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch | |||
1876 | 0 | new file mode 100644 | 53 | new file mode 100644 |
1877 | index 0000000..ff2540a | |||
1878 | --- /dev/null | |||
1879 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch | |||
1880 | @@ -0,0 +1,167 @@ | |||
1881 | 1 | From 956e1b2d977f8743d58c97994c27d6c848ae3b7d Mon Sep 17 00:00:00 2001 | ||
1882 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
1883 | 3 | Date: Wed, 29 Jan 2020 20:27:49 +1100 | ||
1884 | 4 | Subject: [PATCH] dp8393x: Always use 32-bit accesses | ||
1885 | 5 | |||
1886 | 6 | The DP83932 and DP83934 have 32 data lines. The datasheet says, | ||
1887 | 7 | |||
1888 | 8 | Data Bus: These bidirectional lines are used to transfer data on the | ||
1889 | 9 | system bus. When the SONIC is a bus master, 16-bit data is transferred | ||
1890 | 10 | on D15-D0 and 32-bit data is transferred on D31-D0. When the SONIC is | ||
1891 | 11 | accessed as a slave, register data is driven onto lines D15-D0. | ||
1892 | 12 | D31-D16 are held TRI-STATE if SONIC is in 16-bit mode. If SONIC is in | ||
1893 | 13 | 32-bit mode, they are driven, but invalid. | ||
1894 | 14 | |||
1895 | 15 | Always use 32-bit accesses both as bus master and bus slave. | ||
1896 | 16 | |||
1897 | 17 | Force the MSW to zero in bus master mode. | ||
1898 | 18 | |||
1899 | 19 | This gets the Linux 'jazzsonic' driver working, and avoids the need for | ||
1900 | 20 | prior hacks to make the NetBSD 'sn' driver work. | ||
1901 | 21 | |||
1902 | 22 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
1903 | 23 | Tested-by: Laurent Vivier <laurent@vivier.eu> | ||
1904 | 24 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
1905 | 25 | (cherry picked from commit 3fe9a838ec3eae1374ced16b63bf56894b2ffbe6) | ||
1906 | 26 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
1907 | 27 | |||
1908 | 28 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=956e1b2d97 | ||
1909 | 29 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
1910 | 30 | Last-Update: 2020-08-19 | ||
1911 | 31 | |||
1912 | 32 | --- | ||
1913 | 33 | hw/net/dp8393x.c | 47 +++++++++++++++++++++++++++++------------------ | ||
1914 | 34 | 1 file changed, 29 insertions(+), 18 deletions(-) | ||
1915 | 35 | |||
1916 | 36 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
1917 | 37 | index 7ca6a6dd46..49c304ee20 100644 | ||
1918 | 38 | --- a/hw/net/dp8393x.c | ||
1919 | 39 | +++ b/hw/net/dp8393x.c | ||
1920 | 40 | @@ -246,9 +246,19 @@ static void dp8393x_put(dp8393xState *s, int width, int offset, | ||
1921 | 41 | uint16_t val) | ||
1922 | 42 | { | ||
1923 | 43 | if (s->big_endian) { | ||
1924 | 44 | - s->data[offset * width + width - 1] = cpu_to_be16(val); | ||
1925 | 45 | + if (width == 2) { | ||
1926 | 46 | + s->data[offset * 2] = 0; | ||
1927 | 47 | + s->data[offset * 2 + 1] = cpu_to_be16(val); | ||
1928 | 48 | + } else { | ||
1929 | 49 | + s->data[offset] = cpu_to_be16(val); | ||
1930 | 50 | + } | ||
1931 | 51 | } else { | ||
1932 | 52 | - s->data[offset * width] = cpu_to_le16(val); | ||
1933 | 53 | + if (width == 2) { | ||
1934 | 54 | + s->data[offset * 2] = cpu_to_le16(val); | ||
1935 | 55 | + s->data[offset * 2 + 1] = 0; | ||
1936 | 56 | + } else { | ||
1937 | 57 | + s->data[offset] = cpu_to_le16(val); | ||
1938 | 58 | + } | ||
1939 | 59 | } | ||
1940 | 60 | } | ||
1941 | 61 | |||
1942 | 62 | @@ -588,7 +598,7 @@ static uint64_t dp8393x_read(void *opaque, hwaddr addr, unsigned int size) | ||
1943 | 63 | |||
1944 | 64 | DPRINTF("read 0x%04x from reg %s\n", val, reg_names[reg]); | ||
1945 | 65 | |||
1946 | 66 | - return val; | ||
1947 | 67 | + return s->big_endian ? val << 16 : val; | ||
1948 | 68 | } | ||
1949 | 69 | |||
1950 | 70 | static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data, | ||
1951 | 71 | @@ -596,13 +606,14 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data, | ||
1952 | 72 | { | ||
1953 | 73 | dp8393xState *s = opaque; | ||
1954 | 74 | int reg = addr >> s->it_shift; | ||
1955 | 75 | + uint32_t val = s->big_endian ? data >> 16 : data; | ||
1956 | 76 | |||
1957 | 77 | - DPRINTF("write 0x%04x to reg %s\n", (uint16_t)data, reg_names[reg]); | ||
1958 | 78 | + DPRINTF("write 0x%04x to reg %s\n", (uint16_t)val, reg_names[reg]); | ||
1959 | 79 | |||
1960 | 80 | switch (reg) { | ||
1961 | 81 | /* Command register */ | ||
1962 | 82 | case SONIC_CR: | ||
1963 | 83 | - dp8393x_do_command(s, data); | ||
1964 | 84 | + dp8393x_do_command(s, val); | ||
1965 | 85 | break; | ||
1966 | 86 | /* Prevent write to read-only registers */ | ||
1967 | 87 | case SONIC_CAP2: | ||
1968 | 88 | @@ -615,36 +626,36 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data, | ||
1969 | 89 | /* Accept write to some registers only when in reset mode */ | ||
1970 | 90 | case SONIC_DCR: | ||
1971 | 91 | if (s->regs[SONIC_CR] & SONIC_CR_RST) { | ||
1972 | 92 | - s->regs[reg] = data & 0xbfff; | ||
1973 | 93 | + s->regs[reg] = val & 0xbfff; | ||
1974 | 94 | } else { | ||
1975 | 95 | DPRINTF("writing to DCR invalid\n"); | ||
1976 | 96 | } | ||
1977 | 97 | break; | ||
1978 | 98 | case SONIC_DCR2: | ||
1979 | 99 | if (s->regs[SONIC_CR] & SONIC_CR_RST) { | ||
1980 | 100 | - s->regs[reg] = data & 0xf017; | ||
1981 | 101 | + s->regs[reg] = val & 0xf017; | ||
1982 | 102 | } else { | ||
1983 | 103 | DPRINTF("writing to DCR2 invalid\n"); | ||
1984 | 104 | } | ||
1985 | 105 | break; | ||
1986 | 106 | /* 12 lower bytes are Read Only */ | ||
1987 | 107 | case SONIC_TCR: | ||
1988 | 108 | - s->regs[reg] = data & 0xf000; | ||
1989 | 109 | + s->regs[reg] = val & 0xf000; | ||
1990 | 110 | break; | ||
1991 | 111 | /* 9 lower bytes are Read Only */ | ||
1992 | 112 | case SONIC_RCR: | ||
1993 | 113 | - s->regs[reg] = data & 0xffe0; | ||
1994 | 114 | + s->regs[reg] = val & 0xffe0; | ||
1995 | 115 | break; | ||
1996 | 116 | /* Ignore most significant bit */ | ||
1997 | 117 | case SONIC_IMR: | ||
1998 | 118 | - s->regs[reg] = data & 0x7fff; | ||
1999 | 119 | + s->regs[reg] = val & 0x7fff; | ||
2000 | 120 | dp8393x_update_irq(s); | ||
2001 | 121 | break; | ||
2002 | 122 | /* Clear bits by writing 1 to them */ | ||
2003 | 123 | case SONIC_ISR: | ||
2004 | 124 | - data &= s->regs[reg]; | ||
2005 | 125 | - s->regs[reg] &= ~data; | ||
2006 | 126 | - if (data & SONIC_ISR_RBE) { | ||
2007 | 127 | + val &= s->regs[reg]; | ||
2008 | 128 | + s->regs[reg] &= ~val; | ||
2009 | 129 | + if (val & SONIC_ISR_RBE) { | ||
2010 | 130 | dp8393x_do_read_rra(s); | ||
2011 | 131 | } | ||
2012 | 132 | dp8393x_update_irq(s); | ||
2013 | 133 | @@ -657,17 +668,17 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data, | ||
2014 | 134 | case SONIC_REA: | ||
2015 | 135 | case SONIC_RRP: | ||
2016 | 136 | case SONIC_RWP: | ||
2017 | 137 | - s->regs[reg] = data & 0xfffe; | ||
2018 | 138 | + s->regs[reg] = val & 0xfffe; | ||
2019 | 139 | break; | ||
2020 | 140 | /* Invert written value for some registers */ | ||
2021 | 141 | case SONIC_CRCT: | ||
2022 | 142 | case SONIC_FAET: | ||
2023 | 143 | case SONIC_MPT: | ||
2024 | 144 | - s->regs[reg] = data ^ 0xffff; | ||
2025 | 145 | + s->regs[reg] = val ^ 0xffff; | ||
2026 | 146 | break; | ||
2027 | 147 | /* All other registers have no special contrainst */ | ||
2028 | 148 | default: | ||
2029 | 149 | - s->regs[reg] = data; | ||
2030 | 150 | + s->regs[reg] = val; | ||
2031 | 151 | } | ||
2032 | 152 | |||
2033 | 153 | if (reg == SONIC_WT0 || reg == SONIC_WT1) { | ||
2034 | 154 | @@ -678,8 +689,8 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data, | ||
2035 | 155 | static const MemoryRegionOps dp8393x_ops = { | ||
2036 | 156 | .read = dp8393x_read, | ||
2037 | 157 | .write = dp8393x_write, | ||
2038 | 158 | - .impl.min_access_size = 2, | ||
2039 | 159 | - .impl.max_access_size = 2, | ||
2040 | 160 | + .impl.min_access_size = 4, | ||
2041 | 161 | + .impl.max_access_size = 4, | ||
2042 | 162 | .endianness = DEVICE_NATIVE_ENDIAN, | ||
2043 | 163 | }; | ||
2044 | 164 | |||
2045 | 165 | -- | ||
2046 | 166 | 2.28.0 | ||
2047 | 167 | |||
2048 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch b/debian/patches/stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch | |||
2049 | 0 | new file mode 100644 | 168 | new file mode 100644 |
2050 | index 0000000..8d4a682 | |||
2051 | --- /dev/null | |||
2052 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch | |||
2053 | @@ -0,0 +1,71 @@ | |||
2054 | 1 | From bf3f12ac8c34e4856f48c5f7ee7d23c042097797 Mon Sep 17 00:00:00 2001 | ||
2055 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
2056 | 3 | Date: Wed, 29 Jan 2020 20:27:49 +1100 | ||
2057 | 4 | Subject: [PATCH] dp8393x: Clean up endianness hacks | ||
2058 | 5 | MIME-Version: 1.0 | ||
2059 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
2060 | 7 | Content-Transfer-Encoding: 8bit | ||
2061 | 8 | |||
2062 | 9 | According to the datasheet, section 3.4.4, "in 32-bit mode ... the SONIC | ||
2063 | 10 | always writes long words". | ||
2064 | 11 | |||
2065 | 12 | Therefore, use the same technique for the 'in_use' field that is used | ||
2066 | 13 | everywhere else, and write the full long word. | ||
2067 | 14 | |||
2068 | 15 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
2069 | 16 | Tested-by: Laurent Vivier <laurent@vivier.eu> | ||
2070 | 17 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2071 | 18 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
2072 | 19 | (cherry picked from commit 46ffee9ad43185cbee4182c208bbd534814086ca) | ||
2073 | 20 | Conflicts: | ||
2074 | 21 | hw/net/dp8393x.c | ||
2075 | 22 | *roll in local dependencies on b7cbebf2b9d | ||
2076 | 23 | *drop functional dep. on 19f70347731 | ||
2077 | 24 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
2078 | 25 | |||
2079 | 26 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=bf3f12ac8c | ||
2080 | 27 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
2081 | 28 | Last-Update: 2020-08-19 | ||
2082 | 29 | |||
2083 | 30 | --- | ||
2084 | 31 | hw/net/dp8393x.c | 17 ++++++----------- | ||
2085 | 32 | 1 file changed, 6 insertions(+), 11 deletions(-) | ||
2086 | 33 | |||
2087 | 34 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
2088 | 35 | index 49c304ee20..f89f4c7ba3 100644 | ||
2089 | 36 | --- a/hw/net/dp8393x.c | ||
2090 | 37 | +++ b/hw/net/dp8393x.c | ||
2091 | 38 | @@ -776,8 +776,6 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2092 | 39 | return -1; | ||
2093 | 40 | } | ||
2094 | 41 | |||
2095 | 42 | - /* XXX: Check byte ordering */ | ||
2096 | 43 | - | ||
2097 | 44 | /* Check for EOL */ | ||
2098 | 45 | if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) { | ||
2099 | 46 | /* Are we still in resource exhaustion? */ | ||
2100 | 47 | @@ -847,15 +845,12 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2101 | 48 | /* EOL detected */ | ||
2102 | 49 | s->regs[SONIC_ISR] |= SONIC_ISR_RDE; | ||
2103 | 50 | } else { | ||
2104 | 51 | - /* Clear in_use, but it is always 16bit wide */ | ||
2105 | 52 | - int offset = dp8393x_crda(s) + sizeof(uint16_t) * 6 * width; | ||
2106 | 53 | - if (s->big_endian && width == 2) { | ||
2107 | 54 | - /* we need to adjust the offset of the 16bit field */ | ||
2108 | 55 | - offset += sizeof(uint16_t); | ||
2109 | 56 | - } | ||
2110 | 57 | - s->data[0] = 0; | ||
2111 | 58 | - address_space_rw(&s->as, offset, MEMTXATTRS_UNSPECIFIED, | ||
2112 | 59 | - (uint8_t *)s->data, sizeof(uint16_t), 1); | ||
2113 | 60 | + /* Clear in_use */ | ||
2114 | 61 | + size = sizeof(uint16_t) * width; | ||
2115 | 62 | + address = dp8393x_crda(s) + sizeof(uint16_t) * 6 * width; | ||
2116 | 63 | + dp8393x_put(s, width, 0, 0); | ||
2117 | 64 | + address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED, | ||
2118 | 65 | + (uint8_t *)s->data, size, true); | ||
2119 | 66 | s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA]; | ||
2120 | 67 | s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX; | ||
2121 | 68 | s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | (((s->regs[SONIC_RSC] & 0x00ff) + 1) & 0x00ff); | ||
2122 | 69 | -- | ||
2123 | 70 | 2.28.0 | ||
2124 | 71 | |||
2125 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch b/debian/patches/stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch | |||
2126 | 0 | new file mode 100644 | 72 | new file mode 100644 |
2127 | index 0000000..017873d | |||
2128 | --- /dev/null | |||
2129 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch | |||
2130 | @@ -0,0 +1,56 @@ | |||
2131 | 1 | From 5f08c382caee86109585111b240c36371738b00d Mon Sep 17 00:00:00 2001 | ||
2132 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
2133 | 3 | Date: Wed, 29 Jan 2020 20:27:49 +1100 | ||
2134 | 4 | Subject: [PATCH] dp8393x: Clear RRRA command register bit only when | ||
2135 | 5 | appropriate | ||
2136 | 6 | MIME-Version: 1.0 | ||
2137 | 7 | Content-Type: text/plain; charset=UTF-8 | ||
2138 | 8 | Content-Transfer-Encoding: 8bit | ||
2139 | 9 | |||
2140 | 10 | It doesn't make sense to clear the command register bit unless the | ||
2141 | 11 | command was actually issued. | ||
2142 | 12 | |||
2143 | 13 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
2144 | 14 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2145 | 15 | Tested-by: Laurent Vivier <laurent@vivier.eu> | ||
2146 | 16 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
2147 | 17 | (cherry picked from commit a3cce2825a0b12bb717a5106daaca245557cc9ae) | ||
2148 | 18 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
2149 | 19 | |||
2150 | 20 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=5f08c382ca | ||
2151 | 21 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
2152 | 22 | Last-Update: 2020-08-19 | ||
2153 | 23 | |||
2154 | 24 | --- | ||
2155 | 25 | hw/net/dp8393x.c | 7 +++---- | ||
2156 | 26 | 1 file changed, 3 insertions(+), 4 deletions(-) | ||
2157 | 27 | |||
2158 | 28 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
2159 | 29 | index 8dd6bf032c..04f58ee4e1 100644 | ||
2160 | 30 | --- a/hw/net/dp8393x.c | ||
2161 | 31 | +++ b/hw/net/dp8393x.c | ||
2162 | 32 | @@ -352,9 +352,6 @@ static void dp8393x_do_read_rra(dp8393xState *s) | ||
2163 | 33 | s->regs[SONIC_ISR] |= SONIC_ISR_RBE; | ||
2164 | 34 | dp8393x_update_irq(s); | ||
2165 | 35 | } | ||
2166 | 36 | - | ||
2167 | 37 | - /* Done */ | ||
2168 | 38 | - s->regs[SONIC_CR] &= ~SONIC_CR_RRRA; | ||
2169 | 39 | } | ||
2170 | 40 | |||
2171 | 41 | static void dp8393x_do_software_reset(dp8393xState *s) | ||
2172 | 42 | @@ -563,8 +560,10 @@ static void dp8393x_do_command(dp8393xState *s, uint16_t command) | ||
2173 | 43 | dp8393x_do_start_timer(s); | ||
2174 | 44 | if (command & SONIC_CR_RST) | ||
2175 | 45 | dp8393x_do_software_reset(s); | ||
2176 | 46 | - if (command & SONIC_CR_RRRA) | ||
2177 | 47 | + if (command & SONIC_CR_RRRA) { | ||
2178 | 48 | dp8393x_do_read_rra(s); | ||
2179 | 49 | + s->regs[SONIC_CR] &= ~SONIC_CR_RRRA; | ||
2180 | 50 | + } | ||
2181 | 51 | if (command & SONIC_CR_LCAM) | ||
2182 | 52 | dp8393x_do_load_cam(s); | ||
2183 | 53 | } | ||
2184 | 54 | -- | ||
2185 | 55 | 2.28.0 | ||
2186 | 56 | |||
2187 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch b/debian/patches/stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch | |||
2188 | 0 | new file mode 100644 | 57 | new file mode 100644 |
2189 | index 0000000..2227684 | |||
2190 | --- /dev/null | |||
2191 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch | |||
2192 | @@ -0,0 +1,55 @@ | |||
2193 | 1 | From 8d61b1e2c4e2ad8310ca957decf26b0b82d37148 Mon Sep 17 00:00:00 2001 | ||
2194 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
2195 | 3 | Date: Wed, 29 Jan 2020 20:27:49 +1100 | ||
2196 | 4 | Subject: [PATCH] dp8393x: Clear descriptor in_use field to release packet | ||
2197 | 5 | |||
2198 | 6 | When the SONIC receives a packet into the last available descriptor, it | ||
2199 | 7 | retains ownership of that descriptor for as long as necessary. | ||
2200 | 8 | |||
2201 | 9 | Section 3.4.7 of the datasheet says, | ||
2202 | 10 | |||
2203 | 11 | When the system appends more descriptors, the SONIC releases ownership | ||
2204 | 12 | of the descriptor after writing 0000h to the RXpkt.in_use field. | ||
2205 | 13 | |||
2206 | 14 | The packet can now be processed by the host, so raise a PKTRX interrupt, | ||
2207 | 15 | just like the normal case. | ||
2208 | 16 | |||
2209 | 17 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
2210 | 18 | Tested-by: Laurent Vivier <laurent@vivier.eu> | ||
2211 | 19 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
2212 | 20 | (cherry picked from commit d9fae13196a31716f45dcddcdd958fbb8e59b35a) | ||
2213 | 21 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
2214 | 22 | |||
2215 | 23 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=8d61b1e2c4 | ||
2216 | 24 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
2217 | 25 | Last-Update: 2020-08-19 | ||
2218 | 26 | |||
2219 | 27 | --- | ||
2220 | 28 | hw/net/dp8393x.c | 10 ++++++++++ | ||
2221 | 29 | 1 file changed, 10 insertions(+) | ||
2222 | 30 | |||
2223 | 31 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
2224 | 32 | index 0e9061d831..4ce2ef818b 100644 | ||
2225 | 33 | --- a/hw/net/dp8393x.c | ||
2226 | 34 | +++ b/hw/net/dp8393x.c | ||
2227 | 35 | @@ -809,7 +809,17 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2228 | 36 | return -1; | ||
2229 | 37 | } | ||
2230 | 38 | /* Link has been updated by host */ | ||
2231 | 39 | + | ||
2232 | 40 | + /* Clear in_use */ | ||
2233 | 41 | + size = sizeof(uint16_t) * width; | ||
2234 | 42 | + address = dp8393x_crda(s) + sizeof(uint16_t) * 6 * width; | ||
2235 | 43 | + dp8393x_put(s, width, 0, 0); | ||
2236 | 44 | + address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED, | ||
2237 | 45 | + (uint8_t *)s->data, size, 1); | ||
2238 | 46 | + | ||
2239 | 47 | + /* Move to next descriptor */ | ||
2240 | 48 | s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA]; | ||
2241 | 49 | + s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX; | ||
2242 | 50 | } | ||
2243 | 51 | |||
2244 | 52 | /* Save current position */ | ||
2245 | 53 | -- | ||
2246 | 54 | 2.28.0 | ||
2247 | 55 | |||
2248 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch b/debian/patches/stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch | |||
2249 | 0 | new file mode 100644 | 56 | new file mode 100644 |
2250 | index 0000000..4682953 | |||
2251 | --- /dev/null | |||
2252 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch | |||
2253 | @@ -0,0 +1,45 @@ | |||
2254 | 1 | From d50aa8acbc6f4bd83d0d0b5958d49ac6baf254a5 Mon Sep 17 00:00:00 2001 | ||
2255 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
2256 | 3 | Date: Wed, 29 Jan 2020 20:27:49 +1100 | ||
2257 | 4 | Subject: [PATCH] dp8393x: Don't clobber packet checksum | ||
2258 | 5 | MIME-Version: 1.0 | ||
2259 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
2260 | 7 | Content-Transfer-Encoding: 8bit | ||
2261 | 8 | |||
2262 | 9 | A received packet consumes pkt_size bytes in the buffer and the frame | ||
2263 | 10 | checksum that's appended to it consumes another 4 bytes. The Receive | ||
2264 | 11 | Buffer Address register takes the former quantity into account but | ||
2265 | 12 | not the latter. So the next packet written to the buffer overwrites | ||
2266 | 13 | the frame checksum. Fix this. | ||
2267 | 14 | |||
2268 | 15 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
2269 | 16 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2270 | 17 | Tested-by: Laurent Vivier <laurent@vivier.eu> | ||
2271 | 18 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
2272 | 19 | (cherry picked from commit bae112b80c9c42cea21ee7623c283668c3451c2e) | ||
2273 | 20 | *drop context dep. on 19f70347731 | ||
2274 | 21 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
2275 | 22 | |||
2276 | 23 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=d50aa8acbc | ||
2277 | 24 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
2278 | 25 | Last-Update: 2020-08-19 | ||
2279 | 26 | |||
2280 | 27 | --- | ||
2281 | 28 | hw/net/dp8393x.c | 1 + | ||
2282 | 29 | 1 file changed, 1 insertion(+) | ||
2283 | 30 | |||
2284 | 31 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
2285 | 32 | index ca8088c839..315b4ad844 100644 | ||
2286 | 33 | --- a/hw/net/dp8393x.c | ||
2287 | 34 | +++ b/hw/net/dp8393x.c | ||
2288 | 35 | @@ -816,6 +816,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2289 | 36 | address += rx_len; | ||
2290 | 37 | address_space_rw(&s->as, address, | ||
2291 | 38 | MEMTXATTRS_UNSPECIFIED, (uint8_t *)&checksum, 4, 1); | ||
2292 | 39 | + address += 4; | ||
2293 | 40 | rx_len += 4; | ||
2294 | 41 | s->regs[SONIC_CRBA1] = address >> 16; | ||
2295 | 42 | s->regs[SONIC_CRBA0] = address & 0xffff; | ||
2296 | 43 | -- | ||
2297 | 44 | 2.28.0 | ||
2298 | 45 | |||
2299 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch b/debian/patches/stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch | |||
2300 | 0 | new file mode 100644 | 46 | new file mode 100644 |
2301 | index 0000000..71593d3 | |||
2302 | --- /dev/null | |||
2303 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch | |||
2304 | @@ -0,0 +1,51 @@ | |||
2305 | 1 | From 735cd8ddab7d2e8b3cb693295067d2c8a9098f86 Mon Sep 17 00:00:00 2001 | ||
2306 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
2307 | 3 | Date: Wed, 29 Jan 2020 20:27:49 +1100 | ||
2308 | 4 | Subject: [PATCH] dp8393x: Don't reset Silicon Revision register | ||
2309 | 5 | MIME-Version: 1.0 | ||
2310 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
2311 | 7 | Content-Transfer-Encoding: 8bit | ||
2312 | 8 | |||
2313 | 9 | The jazzsonic driver in Linux uses the Silicon Revision register value | ||
2314 | 10 | to probe the chip. The driver fails unless the SR register contains 4. | ||
2315 | 11 | Unfortunately, reading this register in QEMU usually returns 0 because | ||
2316 | 12 | the s->regs[] array gets wiped after a software reset. | ||
2317 | 13 | |||
2318 | 14 | Fixes: bd8f1ebce4 ("net/dp8393x: fix hardware reset") | ||
2319 | 15 | Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2320 | 16 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
2321 | 17 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
2322 | 18 | (cherry picked from commit 083e21bbdde7dbd326baf29d21f49fc3f5614496) | ||
2323 | 19 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
2324 | 20 | |||
2325 | 21 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=735cd8ddab | ||
2326 | 22 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
2327 | 23 | Last-Update: 2020-08-19 | ||
2328 | 24 | |||
2329 | 25 | --- | ||
2330 | 26 | hw/net/dp8393x.c | 2 +- | ||
2331 | 27 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
2332 | 28 | |||
2333 | 29 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
2334 | 30 | index aa7bd785f3..d33f21bd0b 100644 | ||
2335 | 31 | --- a/hw/net/dp8393x.c | ||
2336 | 32 | +++ b/hw/net/dp8393x.c | ||
2337 | 33 | @@ -919,6 +919,7 @@ static void dp8393x_reset(DeviceState *dev) | ||
2338 | 34 | timer_del(s->watchdog); | ||
2339 | 35 | |||
2340 | 36 | memset(s->regs, 0, sizeof(s->regs)); | ||
2341 | 37 | + s->regs[SONIC_SR] = 0x0004; /* only revision recognized by Linux/mips */ | ||
2342 | 38 | s->regs[SONIC_CR] = SONIC_CR_RST | SONIC_CR_STP | SONIC_CR_RXDIS; | ||
2343 | 39 | s->regs[SONIC_DCR] &= ~(SONIC_DCR_EXBUS | SONIC_DCR_LBR); | ||
2344 | 40 | s->regs[SONIC_RCR] &= ~(SONIC_RCR_LB0 | SONIC_RCR_LB1 | SONIC_RCR_BRD | SONIC_RCR_RNT); | ||
2345 | 41 | @@ -971,7 +972,6 @@ static void dp8393x_realize(DeviceState *dev, Error **errp) | ||
2346 | 42 | qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a); | ||
2347 | 43 | |||
2348 | 44 | s->watchdog = timer_new_ns(QEMU_CLOCK_VIRTUAL, dp8393x_watchdog, s); | ||
2349 | 45 | - s->regs[SONIC_SR] = 0x0004; /* only revision recognized by Linux */ | ||
2350 | 46 | |||
2351 | 47 | memory_region_init_ram(&s->prom, OBJECT(dev), | ||
2352 | 48 | "dp8393x-prom", SONIC_PROM_SIZE, &local_err); | ||
2353 | 49 | -- | ||
2354 | 50 | 2.28.0 | ||
2355 | 51 | |||
2356 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch b/debian/patches/stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch | |||
2357 | 0 | new file mode 100644 | 52 | new file mode 100644 |
2358 | index 0000000..40495e4 | |||
2359 | --- /dev/null | |||
2360 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch | |||
2361 | @@ -0,0 +1,137 @@ | |||
2362 | 1 | From 3e1d95301e8c00d8a8a2ec03ed941f019c8fd2b3 Mon Sep 17 00:00:00 2001 | ||
2363 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
2364 | 3 | Date: Wed, 29 Jan 2020 20:27:49 +1100 | ||
2365 | 4 | Subject: [PATCH] dp8393x: Don't stop reception upon RBE interrupt assertion | ||
2366 | 5 | |||
2367 | 6 | Section 3.4.7 of the datasheet explains that, | ||
2368 | 7 | |||
2369 | 8 | The RBE bit in the Interrupt Status register is set when the | ||
2370 | 9 | SONIC finishes using the second to last receive buffer and reads | ||
2371 | 10 | the last RRA descriptor. Actually, the SONIC is not truly out of | ||
2372 | 11 | resources, but gives the system an early warning of an impending | ||
2373 | 12 | out of resources condition. | ||
2374 | 13 | |||
2375 | 14 | RBE does not mean actual receive buffer exhaustion, and reception should | ||
2376 | 15 | not be stopped. This is important because Linux will not check and clear | ||
2377 | 16 | the RBE interrupt until it receives another packet. But that won't | ||
2378 | 17 | happen if can_receive returns false. This bug causes the SONIC to become | ||
2379 | 18 | deaf (until reset). | ||
2380 | 19 | |||
2381 | 20 | Fix this with a new flag to indicate actual receive buffer exhaustion. | ||
2382 | 21 | |||
2383 | 22 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
2384 | 23 | Tested-by: Laurent Vivier <laurent@vivier.eu> | ||
2385 | 24 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
2386 | 25 | (cherry picked from commit c2279bd0a19b35057f2e4c3b4df9a915717d1142) | ||
2387 | 26 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
2388 | 27 | |||
2389 | 28 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=3e1d95301e | ||
2390 | 29 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
2391 | 30 | Last-Update: 2020-08-19 | ||
2392 | 31 | |||
2393 | 32 | --- | ||
2394 | 33 | hw/net/dp8393x.c | 35 ++++++++++++++++++++++------------- | ||
2395 | 34 | 1 file changed, 22 insertions(+), 13 deletions(-) | ||
2396 | 35 | |||
2397 | 36 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
2398 | 37 | index d33f21bd0b..44f77c5d3c 100644 | ||
2399 | 38 | --- a/hw/net/dp8393x.c | ||
2400 | 39 | +++ b/hw/net/dp8393x.c | ||
2401 | 40 | @@ -158,6 +158,7 @@ typedef struct dp8393xState { | ||
2402 | 41 | /* Hardware */ | ||
2403 | 42 | uint8_t it_shift; | ||
2404 | 43 | bool big_endian; | ||
2405 | 44 | + bool last_rba_is_full; | ||
2406 | 45 | qemu_irq irq; | ||
2407 | 46 | #ifdef DEBUG_SONIC | ||
2408 | 47 | int irq_level; | ||
2409 | 48 | @@ -347,12 +348,15 @@ static void dp8393x_do_read_rra(dp8393xState *s) | ||
2410 | 49 | s->regs[SONIC_RRP] = s->regs[SONIC_RSA]; | ||
2411 | 50 | } | ||
2412 | 51 | |||
2413 | 52 | - /* Check resource exhaustion */ | ||
2414 | 53 | + /* Warn the host if CRBA now has the last available resource */ | ||
2415 | 54 | if (s->regs[SONIC_RRP] == s->regs[SONIC_RWP]) | ||
2416 | 55 | { | ||
2417 | 56 | s->regs[SONIC_ISR] |= SONIC_ISR_RBE; | ||
2418 | 57 | dp8393x_update_irq(s); | ||
2419 | 58 | } | ||
2420 | 59 | + | ||
2421 | 60 | + /* Allow packet reception */ | ||
2422 | 61 | + s->last_rba_is_full = false; | ||
2423 | 62 | } | ||
2424 | 63 | |||
2425 | 64 | static void dp8393x_do_software_reset(dp8393xState *s) | ||
2426 | 65 | @@ -659,9 +663,6 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data, | ||
2427 | 66 | dp8393x_do_read_rra(s); | ||
2428 | 67 | } | ||
2429 | 68 | dp8393x_update_irq(s); | ||
2430 | 69 | - if (dp8393x_can_receive(s->nic->ncs)) { | ||
2431 | 70 | - qemu_flush_queued_packets(qemu_get_queue(s->nic)); | ||
2432 | 71 | - } | ||
2433 | 72 | break; | ||
2434 | 73 | /* The guest is required to store aligned pointers here */ | ||
2435 | 74 | case SONIC_RSA: | ||
2436 | 75 | @@ -721,8 +722,6 @@ static int dp8393x_can_receive(NetClientState *nc) | ||
2437 | 76 | |||
2438 | 77 | if (!(s->regs[SONIC_CR] & SONIC_CR_RXEN)) | ||
2439 | 78 | return 0; | ||
2440 | 79 | - if (s->regs[SONIC_ISR] & SONIC_ISR_RBE) | ||
2441 | 80 | - return 0; | ||
2442 | 81 | return 1; | ||
2443 | 82 | } | ||
2444 | 83 | |||
2445 | 84 | @@ -773,6 +772,10 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2446 | 85 | s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER | | ||
2447 | 86 | SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC); | ||
2448 | 87 | |||
2449 | 88 | + if (s->last_rba_is_full) { | ||
2450 | 89 | + return pkt_size; | ||
2451 | 90 | + } | ||
2452 | 91 | + | ||
2453 | 92 | rx_len = pkt_size + sizeof(checksum); | ||
2454 | 93 | if (s->regs[SONIC_DCR] & SONIC_DCR_DW) { | ||
2455 | 94 | width = 2; | ||
2456 | 95 | @@ -786,8 +789,8 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2457 | 96 | DPRINTF("oversize packet, pkt_size is %d\n", pkt_size); | ||
2458 | 97 | s->regs[SONIC_ISR] |= SONIC_ISR_RBAE; | ||
2459 | 98 | dp8393x_update_irq(s); | ||
2460 | 99 | - dp8393x_do_read_rra(s); | ||
2461 | 100 | - return pkt_size; | ||
2462 | 101 | + s->regs[SONIC_RCR] |= SONIC_RCR_LPKT; | ||
2463 | 102 | + goto done; | ||
2464 | 103 | } | ||
2465 | 104 | |||
2466 | 105 | packet_type = dp8393x_receive_filter(s, buf, pkt_size); | ||
2467 | 106 | @@ -899,17 +902,23 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2468 | 107 | s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX; | ||
2469 | 108 | } | ||
2470 | 109 | |||
2471 | 110 | + dp8393x_update_irq(s); | ||
2472 | 111 | + | ||
2473 | 112 | s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | | ||
2474 | 113 | ((s->regs[SONIC_RSC] + 1) & 0x00ff); | ||
2475 | 114 | |||
2476 | 115 | +done: | ||
2477 | 116 | + | ||
2478 | 117 | if (s->regs[SONIC_RCR] & SONIC_RCR_LPKT) { | ||
2479 | 118 | - /* Read next RRA */ | ||
2480 | 119 | - dp8393x_do_read_rra(s); | ||
2481 | 120 | + if (s->regs[SONIC_RRP] == s->regs[SONIC_RWP]) { | ||
2482 | 121 | + /* Stop packet reception */ | ||
2483 | 122 | + s->last_rba_is_full = true; | ||
2484 | 123 | + } else { | ||
2485 | 124 | + /* Read next resource */ | ||
2486 | 125 | + dp8393x_do_read_rra(s); | ||
2487 | 126 | + } | ||
2488 | 127 | } | ||
2489 | 128 | |||
2490 | 129 | - /* Done */ | ||
2491 | 130 | - dp8393x_update_irq(s); | ||
2492 | 131 | - | ||
2493 | 132 | return pkt_size; | ||
2494 | 133 | } | ||
2495 | 134 | |||
2496 | 135 | -- | ||
2497 | 136 | 2.28.0 | ||
2498 | 137 | |||
2499 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch b/debian/patches/stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch | |||
2500 | 0 | new file mode 100644 | 138 | new file mode 100644 |
2501 | index 0000000..8a4e085 | |||
2502 | --- /dev/null | |||
2503 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch | |||
2504 | @@ -0,0 +1,68 @@ | |||
2505 | 1 | From 153c3320e77cfcafc5a44d01d6fb7905121a8fd7 Mon Sep 17 00:00:00 2001 | ||
2506 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
2507 | 3 | Date: Wed, 29 Jan 2020 20:27:49 +1100 | ||
2508 | 4 | Subject: [PATCH] dp8393x: Have dp8393x_receive() return the packet size | ||
2509 | 5 | MIME-Version: 1.0 | ||
2510 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
2511 | 7 | Content-Transfer-Encoding: 8bit | ||
2512 | 8 | |||
2513 | 9 | This function re-uses its 'size' argument as a scratch variable. | ||
2514 | 10 | Instead, declare a local 'size' variable for that purpose so that the | ||
2515 | 11 | function result doesn't get messed up. | ||
2516 | 12 | |||
2517 | 13 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
2518 | 14 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2519 | 15 | Tested-by: Laurent Vivier <laurent@vivier.eu> | ||
2520 | 16 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
2521 | 17 | (cherry picked from commit 9e3cd456d85ad45e72bdba99203302342ce29b3b) | ||
2522 | 18 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
2523 | 19 | |||
2524 | 20 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=153c3320e7 | ||
2525 | 21 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
2526 | 22 | Last-Update: 2020-08-19 | ||
2527 | 23 | |||
2528 | 24 | --- | ||
2529 | 25 | hw/net/dp8393x.c | 9 +++++---- | ||
2530 | 26 | 1 file changed, 5 insertions(+), 4 deletions(-) | ||
2531 | 27 | |||
2532 | 28 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
2533 | 29 | index f89f4c7ba3..a696485a55 100644 | ||
2534 | 30 | --- a/hw/net/dp8393x.c | ||
2535 | 31 | +++ b/hw/net/dp8393x.c | ||
2536 | 32 | @@ -757,20 +757,21 @@ static int dp8393x_receive_filter(dp8393xState *s, const uint8_t * buf, | ||
2537 | 33 | } | ||
2538 | 34 | |||
2539 | 35 | static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2540 | 36 | - size_t size) | ||
2541 | 37 | + size_t pkt_size) | ||
2542 | 38 | { | ||
2543 | 39 | dp8393xState *s = qemu_get_nic_opaque(nc); | ||
2544 | 40 | int packet_type; | ||
2545 | 41 | uint32_t available, address; | ||
2546 | 42 | - int width, rx_len = size; | ||
2547 | 43 | + int width, rx_len = pkt_size; | ||
2548 | 44 | uint32_t checksum; | ||
2549 | 45 | + int size; | ||
2550 | 46 | |||
2551 | 47 | width = (s->regs[SONIC_DCR] & SONIC_DCR_DW) ? 2 : 1; | ||
2552 | 48 | |||
2553 | 49 | s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER | | ||
2554 | 50 | SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC); | ||
2555 | 51 | |||
2556 | 52 | - packet_type = dp8393x_receive_filter(s, buf, size); | ||
2557 | 53 | + packet_type = dp8393x_receive_filter(s, buf, pkt_size); | ||
2558 | 54 | if (packet_type < 0) { | ||
2559 | 55 | DPRINTF("packet not for netcard\n"); | ||
2560 | 56 | return -1; | ||
2561 | 57 | @@ -864,7 +865,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2562 | 58 | /* Done */ | ||
2563 | 59 | dp8393x_update_irq(s); | ||
2564 | 60 | |||
2565 | 61 | - return size; | ||
2566 | 62 | + return pkt_size; | ||
2567 | 63 | } | ||
2568 | 64 | |||
2569 | 65 | static void dp8393x_reset(DeviceState *dev) | ||
2570 | 66 | -- | ||
2571 | 67 | 2.28.0 | ||
2572 | 68 | |||
2573 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch b/debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch | |||
2574 | 0 | new file mode 100644 | 69 | new file mode 100644 |
2575 | index 0000000..fcdb4ca | |||
2576 | --- /dev/null | |||
2577 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch | |||
2578 | @@ -0,0 +1,57 @@ | |||
2579 | 1 | From 3a8068f4ebb9f9500cf3d1805f5cfbd42e15ab12 Mon Sep 17 00:00:00 2001 | ||
2580 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
2581 | 3 | Date: Wed, 29 Jan 2020 20:27:49 +1100 | ||
2582 | 4 | Subject: [PATCH] dp8393x: Implement packet size limit and RBAE interrupt | ||
2583 | 5 | |||
2584 | 6 | Add a bounds check to prevent a large packet from causing a buffer | ||
2585 | 7 | overflow. This is defensive programming -- I haven't actually tried | ||
2586 | 8 | sending an oversized packet or a jumbo ethernet frame. | ||
2587 | 9 | |||
2588 | 10 | The SONIC handles packets that are too big for the buffer by raising | ||
2589 | 11 | the RBAE interrupt and dropping them. Linux uses that interrupt to | ||
2590 | 12 | count dropped packets. | ||
2591 | 13 | |||
2592 | 14 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
2593 | 15 | Tested-by: Laurent Vivier <laurent@vivier.eu> | ||
2594 | 16 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
2595 | 17 | (cherry picked from commit ada74315270d1dcabf4c9d4fece19df7ef5b9577) | ||
2596 | 18 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
2597 | 19 | |||
2598 | 20 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=3a8068f4eb | ||
2599 | 21 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
2600 | 22 | Last-Update: 2020-08-19 | ||
2601 | 23 | |||
2602 | 24 | --- | ||
2603 | 25 | hw/net/dp8393x.c | 9 +++++++++ | ||
2604 | 26 | 1 file changed, 9 insertions(+) | ||
2605 | 27 | |||
2606 | 28 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
2607 | 29 | index 04f58ee4e1..ca8088c839 100644 | ||
2608 | 30 | --- a/hw/net/dp8393x.c | ||
2609 | 31 | +++ b/hw/net/dp8393x.c | ||
2610 | 32 | @@ -137,6 +137,7 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ## __VA_ARGS__); } while (0) | ||
2611 | 33 | #define SONIC_TCR_CRCI 0x2000 | ||
2612 | 34 | #define SONIC_TCR_PINT 0x8000 | ||
2613 | 35 | |||
2614 | 36 | +#define SONIC_ISR_RBAE 0x0010 | ||
2615 | 37 | #define SONIC_ISR_RBE 0x0020 | ||
2616 | 38 | #define SONIC_ISR_RDE 0x0040 | ||
2617 | 39 | #define SONIC_ISR_TC 0x0080 | ||
2618 | 40 | @@ -770,6 +771,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2619 | 41 | s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER | | ||
2620 | 42 | SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC); | ||
2621 | 43 | |||
2622 | 44 | + if (pkt_size + 4 > dp8393x_rbwc(s) * 2) { | ||
2623 | 45 | + DPRINTF("oversize packet, pkt_size is %d\n", pkt_size); | ||
2624 | 46 | + s->regs[SONIC_ISR] |= SONIC_ISR_RBAE; | ||
2625 | 47 | + dp8393x_update_irq(s); | ||
2626 | 48 | + dp8393x_do_read_rra(s); | ||
2627 | 49 | + return pkt_size; | ||
2628 | 50 | + } | ||
2629 | 51 | + | ||
2630 | 52 | packet_type = dp8393x_receive_filter(s, buf, pkt_size); | ||
2631 | 53 | if (packet_type < 0) { | ||
2632 | 54 | DPRINTF("packet not for netcard\n"); | ||
2633 | 55 | -- | ||
2634 | 56 | 2.28.0 | ||
2635 | 57 | |||
2636 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch b/debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch | |||
2637 | 0 | new file mode 100644 | 58 | new file mode 100644 |
2638 | index 0000000..9514b07 | |||
2639 | --- /dev/null | |||
2640 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch | |||
2641 | @@ -0,0 +1,98 @@ | |||
2642 | 1 | From eb54a2f9cee10cf1c7832a3536a8d5980ec313e9 Mon Sep 17 00:00:00 2001 | ||
2643 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
2644 | 3 | Date: Mon, 20 Jan 2020 09:59:21 +1100 | ||
2645 | 4 | Subject: [PATCH] dp8393x: Mask EOL bit from descriptor addresses | ||
2646 | 5 | |||
2647 | 6 | The Least Significant bit of a descriptor address register is used as | ||
2648 | 7 | an EOL flag. It has to be masked when the register value is to be used | ||
2649 | 8 | as an actual address for copying memory around. But when the registers | ||
2650 | 9 | are to be updated the EOL bit should not be masked. | ||
2651 | 10 | |||
2652 | 11 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
2653 | 12 | Tested-by: Laurent Vivier <laurent@vivier.eu> | ||
2654 | 13 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
2655 | 14 | (cherry picked from commit 88f632fbb1b3d31d5b6978d28f8735a6ed18b8f5) | ||
2656 | 15 | Conflicts: | ||
2657 | 16 | hw/net/dp8393x.c | ||
2658 | 17 | *drop context dep. on 19f70347731 | ||
2659 | 18 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
2660 | 19 | |||
2661 | 20 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=eb54a2f9ce | ||
2662 | 21 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
2663 | 22 | Last-Update: 2020-08-19 | ||
2664 | 23 | |||
2665 | 24 | --- | ||
2666 | 25 | hw/net/dp8393x.c | 17 +++++++++++------ | ||
2667 | 26 | 1 file changed, 11 insertions(+), 6 deletions(-) | ||
2668 | 27 | |||
2669 | 28 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
2670 | 29 | index 3d991af163..7ca6a6dd46 100644 | ||
2671 | 30 | --- a/hw/net/dp8393x.c | ||
2672 | 31 | +++ b/hw/net/dp8393x.c | ||
2673 | 32 | @@ -145,6 +145,9 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ## __VA_ARGS__); } while (0) | ||
2674 | 33 | #define SONIC_ISR_PINT 0x0800 | ||
2675 | 34 | #define SONIC_ISR_LCD 0x1000 | ||
2676 | 35 | |||
2677 | 36 | +#define SONIC_DESC_EOL 0x0001 | ||
2678 | 37 | +#define SONIC_DESC_ADDR 0xFFFE | ||
2679 | 38 | + | ||
2680 | 39 | #define TYPE_DP8393X "dp8393x" | ||
2681 | 40 | #define DP8393X(obj) OBJECT_CHECK(dp8393xState, (obj), TYPE_DP8393X) | ||
2682 | 41 | |||
2683 | 42 | @@ -197,7 +200,8 @@ static uint32_t dp8393x_crba(dp8393xState *s) | ||
2684 | 43 | |||
2685 | 44 | static uint32_t dp8393x_crda(dp8393xState *s) | ||
2686 | 45 | { | ||
2687 | 46 | - return (s->regs[SONIC_URDA] << 16) | s->regs[SONIC_CRDA]; | ||
2688 | 47 | + return (s->regs[SONIC_URDA] << 16) | | ||
2689 | 48 | + (s->regs[SONIC_CRDA] & SONIC_DESC_ADDR); | ||
2690 | 49 | } | ||
2691 | 50 | |||
2692 | 51 | static uint32_t dp8393x_rbwc(dp8393xState *s) | ||
2693 | 52 | @@ -217,7 +221,8 @@ static uint32_t dp8393x_tsa(dp8393xState *s) | ||
2694 | 53 | |||
2695 | 54 | static uint32_t dp8393x_ttda(dp8393xState *s) | ||
2696 | 55 | { | ||
2697 | 56 | - return (s->regs[SONIC_UTDA] << 16) | s->regs[SONIC_TTDA]; | ||
2698 | 57 | + return (s->regs[SONIC_UTDA] << 16) | | ||
2699 | 58 | + (s->regs[SONIC_TTDA] & SONIC_DESC_ADDR); | ||
2700 | 59 | } | ||
2701 | 60 | |||
2702 | 61 | static uint32_t dp8393x_wt(dp8393xState *s) | ||
2703 | 62 | @@ -507,7 +512,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s) | ||
2704 | 63 | (4 + 3 * s->regs[SONIC_TFC]) * width, | ||
2705 | 64 | MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 0); | ||
2706 | 65 | s->regs[SONIC_CTDA] = dp8393x_get(s, width, 0) & ~0x1; | ||
2707 | 66 | - if (dp8393x_get(s, width, 0) & 0x1) { | ||
2708 | 67 | + if (dp8393x_get(s, width, 0) & SONIC_DESC_EOL) { | ||
2709 | 68 | /* EOL detected */ | ||
2710 | 69 | break; | ||
2711 | 70 | } | ||
2712 | 71 | @@ -763,13 +768,13 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2713 | 72 | /* XXX: Check byte ordering */ | ||
2714 | 73 | |||
2715 | 74 | /* Check for EOL */ | ||
2716 | 75 | - if (s->regs[SONIC_LLFA] & 0x1) { | ||
2717 | 76 | + if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) { | ||
2718 | 77 | /* Are we still in resource exhaustion? */ | ||
2719 | 78 | size = sizeof(uint16_t) * 1 * width; | ||
2720 | 79 | address = dp8393x_crda(s) + sizeof(uint16_t) * 5 * width; | ||
2721 | 80 | address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED, | ||
2722 | 81 | (uint8_t *)s->data, size, 0); | ||
2723 | 82 | - if (dp8393x_get(s, width, 0) & 0x1) { | ||
2724 | 83 | + if (dp8393x_get(s, width, 0) & SONIC_DESC_EOL) { | ||
2725 | 84 | /* Still EOL ; stop reception */ | ||
2726 | 85 | return -1; | ||
2727 | 86 | } else { | ||
2728 | 87 | @@ -827,7 +832,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2729 | 88 | address_space_rw(&s->as, dp8393x_crda(s) + sizeof(uint16_t) * 5 * width, | ||
2730 | 89 | MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 0); | ||
2731 | 90 | s->regs[SONIC_LLFA] = dp8393x_get(s, width, 0); | ||
2732 | 91 | - if (s->regs[SONIC_LLFA] & 0x1) { | ||
2733 | 92 | + if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) { | ||
2734 | 93 | /* EOL detected */ | ||
2735 | 94 | s->regs[SONIC_ISR] |= SONIC_ISR_RDE; | ||
2736 | 95 | } else { | ||
2737 | 96 | -- | ||
2738 | 97 | 2.28.0 | ||
2739 | 98 | |||
2740 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch b/debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch | |||
2741 | 0 | new file mode 100644 | 99 | new file mode 100644 |
2742 | index 0000000..9eea6ff | |||
2743 | --- /dev/null | |||
2744 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch | |||
2745 | @@ -0,0 +1,113 @@ | |||
2746 | 1 | From cbc8277051f76f8131f5d4c787862a16a5fa1707 Mon Sep 17 00:00:00 2001 | ||
2747 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
2748 | 3 | Date: Wed, 29 Jan 2020 20:27:49 +1100 | ||
2749 | 4 | Subject: [PATCH] dp8393x: Pad frames to word or long word boundary | ||
2750 | 5 | MIME-Version: 1.0 | ||
2751 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
2752 | 7 | Content-Transfer-Encoding: 8bit | ||
2753 | 8 | |||
2754 | 9 | The existing code has a bug where the Remaining Buffer Word Count (RBWC) | ||
2755 | 10 | is calculated with a truncating division, which gives the wrong result | ||
2756 | 11 | for odd-sized packets. | ||
2757 | 12 | |||
2758 | 13 | Section 1.4.1 of the datasheet says, | ||
2759 | 14 | |||
2760 | 15 | Once the end of the packet has been reached, the serializer will | ||
2761 | 16 | fill out the last word (16-bit mode) or long word (32-bit mode) | ||
2762 | 17 | if the last byte did not end on a word or long word boundary | ||
2763 | 18 | respectively. The fill byte will be 0FFh. | ||
2764 | 19 | |||
2765 | 20 | Implement buffer padding so that buffer limits are correctly enforced. | ||
2766 | 21 | |||
2767 | 22 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
2768 | 23 | Tested-by: Laurent Vivier <laurent@vivier.eu> | ||
2769 | 24 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2770 | 25 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
2771 | 26 | (cherry picked from commit 350e7d9a77d3b9ac74d240e4b232db1ebe5c05bc) | ||
2772 | 27 | *drop context dependencies from b7cbebf2b9d, 1ccda935d4f, and | ||
2773 | 28 | 19f70347731 | ||
2774 | 29 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
2775 | 30 | |||
2776 | 31 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=cbc8277051 | ||
2777 | 32 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
2778 | 33 | Last-Update: 2020-08-19 | ||
2779 | 34 | |||
2780 | 35 | --- | ||
2781 | 36 | hw/net/dp8393x.c | 39 ++++++++++++++++++++++++++++----------- | ||
2782 | 37 | 1 file changed, 28 insertions(+), 11 deletions(-) | ||
2783 | 38 | |||
2784 | 39 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
2785 | 40 | index 40e3a029b6..0e9061d831 100644 | ||
2786 | 41 | --- a/hw/net/dp8393x.c | ||
2787 | 42 | +++ b/hw/net/dp8393x.c | ||
2788 | 43 | @@ -766,16 +766,23 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2789 | 44 | dp8393xState *s = qemu_get_nic_opaque(nc); | ||
2790 | 45 | int packet_type; | ||
2791 | 46 | uint32_t available, address; | ||
2792 | 47 | - int width, rx_len = pkt_size; | ||
2793 | 48 | + int width, rx_len, padded_len; | ||
2794 | 49 | uint32_t checksum; | ||
2795 | 50 | int size; | ||
2796 | 51 | |||
2797 | 52 | - width = (s->regs[SONIC_DCR] & SONIC_DCR_DW) ? 2 : 1; | ||
2798 | 53 | - | ||
2799 | 54 | s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER | | ||
2800 | 55 | SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC); | ||
2801 | 56 | |||
2802 | 57 | - if (pkt_size + 4 > dp8393x_rbwc(s) * 2) { | ||
2803 | 58 | + rx_len = pkt_size + sizeof(checksum); | ||
2804 | 59 | + if (s->regs[SONIC_DCR] & SONIC_DCR_DW) { | ||
2805 | 60 | + width = 2; | ||
2806 | 61 | + padded_len = ((rx_len - 1) | 3) + 1; | ||
2807 | 62 | + } else { | ||
2808 | 63 | + width = 1; | ||
2809 | 64 | + padded_len = ((rx_len - 1) | 1) + 1; | ||
2810 | 65 | + } | ||
2811 | 66 | + | ||
2812 | 67 | + if (padded_len > dp8393x_rbwc(s) * 2) { | ||
2813 | 68 | DPRINTF("oversize packet, pkt_size is %d\n", pkt_size); | ||
2814 | 69 | s->regs[SONIC_ISR] |= SONIC_ISR_RBAE; | ||
2815 | 70 | dp8393x_update_irq(s); | ||
2816 | 71 | @@ -810,22 +817,32 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2817 | 72 | s->regs[SONIC_TRBA0] = s->regs[SONIC_CRBA0]; | ||
2818 | 73 | |||
2819 | 74 | /* Calculate the ethernet checksum */ | ||
2820 | 75 | - checksum = cpu_to_le32(crc32(0, buf, rx_len)); | ||
2821 | 76 | + checksum = cpu_to_le32(crc32(0, buf, pkt_size)); | ||
2822 | 77 | |||
2823 | 78 | /* Put packet into RBA */ | ||
2824 | 79 | DPRINTF("Receive packet at %08x\n", dp8393x_crba(s)); | ||
2825 | 80 | address = dp8393x_crba(s); | ||
2826 | 81 | address_space_rw(&s->as, address, | ||
2827 | 82 | - MEMTXATTRS_UNSPECIFIED, (uint8_t *)buf, rx_len, 1); | ||
2828 | 83 | - address += rx_len; | ||
2829 | 84 | + MEMTXATTRS_UNSPECIFIED, (uint8_t *)buf, pkt_size, 1); | ||
2830 | 85 | + address += pkt_size; | ||
2831 | 86 | + | ||
2832 | 87 | + /* Put frame checksum into RBA */ | ||
2833 | 88 | address_space_rw(&s->as, address, | ||
2834 | 89 | - MEMTXATTRS_UNSPECIFIED, (uint8_t *)&checksum, 4, 1); | ||
2835 | 90 | - address += 4; | ||
2836 | 91 | - rx_len += 4; | ||
2837 | 92 | + MEMTXATTRS_UNSPECIFIED, (uint8_t *)&checksum, sizeof(checksum), 1); | ||
2838 | 93 | + address += sizeof(checksum); | ||
2839 | 94 | + | ||
2840 | 95 | + /* Pad short packets to keep pointers aligned */ | ||
2841 | 96 | + if (rx_len < padded_len) { | ||
2842 | 97 | + size = padded_len - rx_len; | ||
2843 | 98 | + address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED, | ||
2844 | 99 | + (uint8_t *)"\xFF\xFF\xFF", size, 1); | ||
2845 | 100 | + address += size; | ||
2846 | 101 | + } | ||
2847 | 102 | + | ||
2848 | 103 | s->regs[SONIC_CRBA1] = address >> 16; | ||
2849 | 104 | s->regs[SONIC_CRBA0] = address & 0xffff; | ||
2850 | 105 | available = dp8393x_rbwc(s); | ||
2851 | 106 | - available -= rx_len / 2; | ||
2852 | 107 | + available -= padded_len >> 1; | ||
2853 | 108 | s->regs[SONIC_RBWC1] = available >> 16; | ||
2854 | 109 | s->regs[SONIC_RBWC0] = available & 0xffff; | ||
2855 | 110 | |||
2856 | 111 | -- | ||
2857 | 112 | 2.28.0 | ||
2858 | 113 | |||
2859 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch b/debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch | |||
2860 | 0 | new file mode 100644 | 114 | new file mode 100644 |
2861 | index 0000000..d150124 | |||
2862 | --- /dev/null | |||
2863 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch | |||
2864 | @@ -0,0 +1,75 @@ | |||
2865 | 1 | From edd67a61f499982bcc2098962c8e04c5210f2f80 Mon Sep 17 00:00:00 2001 | ||
2866 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
2867 | 3 | Date: Wed, 29 Jan 2020 20:27:49 +1100 | ||
2868 | 4 | Subject: [PATCH] dp8393x: Update LLFA and CRDA registers from rx descriptor | ||
2869 | 5 | MIME-Version: 1.0 | ||
2870 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
2871 | 7 | Content-Transfer-Encoding: 8bit | ||
2872 | 8 | |||
2873 | 9 | Follow the algorithm given in the National Semiconductor DP83932C | ||
2874 | 10 | datasheet in section 3.4.7: | ||
2875 | 11 | |||
2876 | 12 | At the next reception, the SONIC re-reads the last RXpkt.link field, | ||
2877 | 13 | and updates its CRDA register to point to the next descriptor. | ||
2878 | 14 | |||
2879 | 15 | The chip is designed to allow the host to provide a new list of | ||
2880 | 16 | descriptors in this way. | ||
2881 | 17 | |||
2882 | 18 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
2883 | 19 | Tested-by: Laurent Vivier <laurent@vivier.eu> | ||
2884 | 20 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2885 | 21 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
2886 | 22 | (cherry picked from commit 5b0c98fcb7ac006bd8efe0e0fecba52c43a9d028) | ||
2887 | 23 | *drop context dep on 19f70347731 | ||
2888 | 24 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
2889 | 25 | |||
2890 | 26 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=edd67a61f4 | ||
2891 | 27 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
2892 | 28 | Last-Update: 2020-08-19 | ||
2893 | 29 | |||
2894 | 30 | --- | ||
2895 | 31 | hw/net/dp8393x.c | 11 +++++++---- | ||
2896 | 32 | 1 file changed, 7 insertions(+), 4 deletions(-) | ||
2897 | 33 | |||
2898 | 34 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
2899 | 35 | index a696485a55..8dd6bf032c 100644 | ||
2900 | 36 | --- a/hw/net/dp8393x.c | ||
2901 | 37 | +++ b/hw/net/dp8393x.c | ||
2902 | 38 | @@ -784,12 +784,13 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2903 | 39 | address = dp8393x_crda(s) + sizeof(uint16_t) * 5 * width; | ||
2904 | 40 | address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED, | ||
2905 | 41 | (uint8_t *)s->data, size, 0); | ||
2906 | 42 | - if (dp8393x_get(s, width, 0) & SONIC_DESC_EOL) { | ||
2907 | 43 | + s->regs[SONIC_LLFA] = dp8393x_get(s, width, 0); | ||
2908 | 44 | + if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) { | ||
2909 | 45 | /* Still EOL ; stop reception */ | ||
2910 | 46 | return -1; | ||
2911 | 47 | - } else { | ||
2912 | 48 | - s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA]; | ||
2913 | 49 | } | ||
2914 | 50 | + /* Link has been updated by host */ | ||
2915 | 51 | + s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA]; | ||
2916 | 52 | } | ||
2917 | 53 | |||
2918 | 54 | /* Save current position */ | ||
2919 | 55 | @@ -837,7 +838,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2920 | 56 | address_space_rw(&s->as, dp8393x_crda(s), | ||
2921 | 57 | MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 1); | ||
2922 | 58 | |||
2923 | 59 | - /* Move to next descriptor */ | ||
2924 | 60 | + /* Check link field */ | ||
2925 | 61 | size = sizeof(uint16_t) * width; | ||
2926 | 62 | address_space_rw(&s->as, dp8393x_crda(s) + sizeof(uint16_t) * 5 * width, | ||
2927 | 63 | MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 0); | ||
2928 | 64 | @@ -852,6 +853,8 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf, | ||
2929 | 65 | dp8393x_put(s, width, 0, 0); | ||
2930 | 66 | address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED, | ||
2931 | 67 | (uint8_t *)s->data, size, true); | ||
2932 | 68 | + | ||
2933 | 69 | + /* Move to next descriptor */ | ||
2934 | 70 | s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA]; | ||
2935 | 71 | s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX; | ||
2936 | 72 | s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | (((s->regs[SONIC_RSC] & 0x00ff) + 1) & 0x00ff); | ||
2937 | 73 | -- | ||
2938 | 74 | 2.28.0 | ||
2939 | 75 | |||
2940 | diff --git a/debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch b/debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch | |||
2941 | 0 | new file mode 100644 | 76 | new file mode 100644 |
2942 | index 0000000..6026297 | |||
2943 | --- /dev/null | |||
2944 | +++ b/debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch | |||
2945 | @@ -0,0 +1,60 @@ | |||
2946 | 1 | From e7cad754fd0bf00c671a1509acc2981f11736ee8 Mon Sep 17 00:00:00 2001 | ||
2947 | 2 | From: Finn Thain <fthain@telegraphics.com.au> | ||
2948 | 3 | Date: Wed, 29 Jan 2020 20:27:49 +1100 | ||
2949 | 4 | Subject: [PATCH] dp8393x: Use long-word-aligned RRA pointers in 32-bit mode | ||
2950 | 5 | MIME-Version: 1.0 | ||
2951 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
2952 | 7 | Content-Transfer-Encoding: 8bit | ||
2953 | 8 | |||
2954 | 9 | Section 3.4.1 of the datasheet says, | ||
2955 | 10 | |||
2956 | 11 | The alignment of the RRA is confined to either word or long word | ||
2957 | 12 | boundaries, depending upon the data width mode. In 16-bit mode, | ||
2958 | 13 | the RRA must be aligned to a word boundary (A0 is always zero) | ||
2959 | 14 | and in 32-bit mode, the RRA is aligned to a long word boundary | ||
2960 | 15 | (A0 and A1 are always zero). | ||
2961 | 16 | |||
2962 | 17 | This constraint has been implemented for 16-bit mode; implement it | ||
2963 | 18 | for 32-bit mode too. | ||
2964 | 19 | |||
2965 | 20 | Signed-off-by: Finn Thain <fthain@telegraphics.com.au> | ||
2966 | 21 | Tested-by: Laurent Vivier <laurent@vivier.eu> | ||
2967 | 22 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
2968 | 23 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
2969 | 24 | (cherry picked from commit ea2270279bc2e1635cb6e909e22e17e630198773) | ||
2970 | 25 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
2971 | 26 | |||
2972 | 27 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=e7cad754fd | ||
2973 | 28 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
2974 | 29 | Last-Update: 2020-08-19 | ||
2975 | 30 | |||
2976 | 31 | --- | ||
2977 | 32 | hw/net/dp8393x.c | 8 ++++++-- | ||
2978 | 33 | 1 file changed, 6 insertions(+), 2 deletions(-) | ||
2979 | 34 | |||
2980 | 35 | diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c | ||
2981 | 36 | index 315b4ad844..40e3a029b6 100644 | ||
2982 | 37 | --- a/hw/net/dp8393x.c | ||
2983 | 38 | +++ b/hw/net/dp8393x.c | ||
2984 | 39 | @@ -663,12 +663,16 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data, | ||
2985 | 40 | qemu_flush_queued_packets(qemu_get_queue(s->nic)); | ||
2986 | 41 | } | ||
2987 | 42 | break; | ||
2988 | 43 | - /* Ignore least significant bit */ | ||
2989 | 44 | + /* The guest is required to store aligned pointers here */ | ||
2990 | 45 | case SONIC_RSA: | ||
2991 | 46 | case SONIC_REA: | ||
2992 | 47 | case SONIC_RRP: | ||
2993 | 48 | case SONIC_RWP: | ||
2994 | 49 | - s->regs[reg] = val & 0xfffe; | ||
2995 | 50 | + if (s->regs[SONIC_DCR] & SONIC_DCR_DW) { | ||
2996 | 51 | + s->regs[reg] = val & 0xfffc; | ||
2997 | 52 | + } else { | ||
2998 | 53 | + s->regs[reg] = val & 0xfffe; | ||
2999 | 54 | + } | ||
3000 | 55 | break; | ||
3001 | 56 | /* Invert written value for some registers */ | ||
3002 | 57 | case SONIC_CRCT: | ||
3003 | 58 | -- | ||
3004 | 59 | 2.28.0 | ||
3005 | 60 | |||
3006 | diff --git a/debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch b/debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch | |||
3007 | 0 | new file mode 100644 | 61 | new file mode 100644 |
3008 | index 0000000..41bf056 | |||
3009 | --- /dev/null | |||
3010 | +++ b/debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch | |||
3011 | @@ -0,0 +1,51 @@ | |||
3012 | 1 | From 25fcaed9a366314c21793e14624c89db75224b50 Mon Sep 17 00:00:00 2001 | ||
3013 | 2 | From: Peter Maydell <peter.maydell@linaro.org> | ||
3014 | 3 | Date: Tue, 24 Mar 2020 17:36:30 +0000 | ||
3015 | 4 | Subject: [PATCH] dump: Fix writing of ELF section | ||
3016 | 5 | MIME-Version: 1.0 | ||
3017 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
3018 | 7 | Content-Transfer-Encoding: 8bit | ||
3019 | 8 | |||
3020 | 9 | In write_elf_section() we set the 'shdr' pointer to point to local | ||
3021 | 10 | structures shdr32 or shdr64, which we fill in to be written out to | ||
3022 | 11 | the ELF dump. Unfortunately the address we pass to fd_write_vmcore() | ||
3023 | 12 | has a spurious '&' operator, so instead of writing out the section | ||
3024 | 13 | header we write out the literal pointer value followed by whatever is | ||
3025 | 14 | on the stack after the 'shdr' local variable. | ||
3026 | 15 | |||
3027 | 16 | Pass the correct address into fd_write_vmcore(). | ||
3028 | 17 | |||
3029 | 18 | Spotted by Coverity: CID 1421970. | ||
3030 | 19 | |||
3031 | 20 | Cc: qemu-stable@nongnu.org | ||
3032 | 21 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
3033 | 22 | Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> | ||
3034 | 23 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
3035 | 24 | Message-id: 20200324173630.12221-1-peter.maydell@linaro.org | ||
3036 | 25 | (cherry picked from commit 174d2d6856bf435f4f58e9303ba30dd0e1279d3f) | ||
3037 | 26 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3038 | 27 | |||
3039 | 28 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=25fcaed9a3 | ||
3040 | 29 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3041 | 30 | Last-Update: 2020-08-19 | ||
3042 | 31 | |||
3043 | 32 | --- | ||
3044 | 33 | dump/dump.c | 2 +- | ||
3045 | 34 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
3046 | 35 | |||
3047 | 36 | diff --git a/dump/dump.c b/dump/dump.c | ||
3048 | 37 | index 6fb6e1245a..22ed1d3b0d 100644 | ||
3049 | 38 | --- a/dump/dump.c | ||
3050 | 39 | +++ b/dump/dump.c | ||
3051 | 40 | @@ -364,7 +364,7 @@ static void write_elf_section(DumpState *s, int type, Error **errp) | ||
3052 | 41 | shdr = &shdr64; | ||
3053 | 42 | } | ||
3054 | 43 | |||
3055 | 44 | - ret = fd_write_vmcore(&shdr, shdr_size, s); | ||
3056 | 45 | + ret = fd_write_vmcore(shdr, shdr_size, s); | ||
3057 | 46 | if (ret < 0) { | ||
3058 | 47 | error_setg_errno(errp, -ret, | ||
3059 | 48 | "dump: failed to write section header table"); | ||
3060 | 49 | -- | ||
3061 | 50 | 2.28.0 | ||
3062 | 51 | |||
3063 | diff --git a/debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch b/debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch | |||
3064 | 0 | new file mode 100644 | 52 | new file mode 100644 |
3065 | index 0000000..1193bf2 | |||
3066 | --- /dev/null | |||
3067 | +++ b/debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch | |||
3068 | @@ -0,0 +1,54 @@ | |||
3069 | 1 | From 674d3822250a8830fb8e9720ce499f2e8cef6a88 Mon Sep 17 00:00:00 2001 | ||
3070 | 2 | From: "Dr. David Alan Gilbert" <dgilbert@redhat.com> | ||
3071 | 3 | Date: Mon, 23 Mar 2020 12:08:22 +0000 | ||
3072 | 4 | Subject: [PATCH] hmp/vnc: Fix info vnc list leak | ||
3073 | 5 | |||
3074 | 6 | We're iterating the list, and then freeing the iteration pointer rather | ||
3075 | 7 | than the list head. | ||
3076 | 8 | |||
3077 | 9 | Fixes: 0a9667ecdb6d ("hmp: Update info vnc") | ||
3078 | 10 | Reported-by: Coverity (CID 1421932) | ||
3079 | 11 | Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> | ||
3080 | 12 | Message-Id: <20200323120822.51266-1-dgilbert@redhat.com> | ||
3081 | 13 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
3082 | 14 | Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> | ||
3083 | 15 | (cherry picked from commit d4ff109373ce871928c7e9ef648973eba642b484) | ||
3084 | 16 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3085 | 17 | |||
3086 | 18 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=674d382225 | ||
3087 | 19 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3088 | 20 | Last-Update: 2020-08-19 | ||
3089 | 21 | |||
3090 | 22 | --- | ||
3091 | 23 | monitor/hmp-cmds.c | 5 +++-- | ||
3092 | 24 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
3093 | 25 | |||
3094 | 26 | diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c | ||
3095 | 27 | index b2551c16d1..2fdc84ec99 100644 | ||
3096 | 28 | --- a/monitor/hmp-cmds.c | ||
3097 | 29 | +++ b/monitor/hmp-cmds.c | ||
3098 | 30 | @@ -729,10 +729,11 @@ static void hmp_info_vnc_servers(Monitor *mon, VncServerInfo2List *server) | ||
3099 | 31 | |||
3100 | 32 | void hmp_info_vnc(Monitor *mon, const QDict *qdict) | ||
3101 | 33 | { | ||
3102 | 34 | - VncInfo2List *info2l; | ||
3103 | 35 | + VncInfo2List *info2l, *info2l_head; | ||
3104 | 36 | Error *err = NULL; | ||
3105 | 37 | |||
3106 | 38 | info2l = qmp_query_vnc_servers(&err); | ||
3107 | 39 | + info2l_head = info2l; | ||
3108 | 40 | if (err) { | ||
3109 | 41 | hmp_handle_error(mon, &err); | ||
3110 | 42 | return; | ||
3111 | 43 | @@ -761,7 +762,7 @@ void hmp_info_vnc(Monitor *mon, const QDict *qdict) | ||
3112 | 44 | info2l = info2l->next; | ||
3113 | 45 | } | ||
3114 | 46 | |||
3115 | 47 | - qapi_free_VncInfo2List(info2l); | ||
3116 | 48 | + qapi_free_VncInfo2List(info2l_head); | ||
3117 | 49 | |||
3118 | 50 | } | ||
3119 | 51 | #endif | ||
3120 | 52 | -- | ||
3121 | 53 | 2.28.0 | ||
3122 | 54 | |||
3123 | diff --git a/debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch b/debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch | |||
3124 | 0 | new file mode 100644 | 55 | new file mode 100644 |
3125 | index 0000000..27298fa | |||
3126 | --- /dev/null | |||
3127 | +++ b/debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch | |||
3128 | @@ -0,0 +1,61 @@ | |||
3129 | 1 | From 34c78a4100c967cc385fcfd4c2295b2b0ebd8786 Mon Sep 17 00:00:00 2001 | ||
3130 | 2 | From: Igor Mammedov <imammedo@redhat.com> | ||
3131 | 3 | Date: Thu, 30 Apr 2020 11:46:06 -0400 | ||
3132 | 4 | Subject: [PATCH] hostmem: don't use mbind() if host-nodes is empty | ||
3133 | 5 | MIME-Version: 1.0 | ||
3134 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
3135 | 7 | Content-Transfer-Encoding: 8bit | ||
3136 | 8 | |||
3137 | 9 | Since 5.0 QEMU uses hostmem backend for allocating main guest RAM. | ||
3138 | 10 | The backend however calls mbind() which is typically NOP | ||
3139 | 11 | in case of default policy/absent host-nodes bitmap. | ||
3140 | 12 | However when runing in container with black-listed mbind() | ||
3141 | 13 | syscall, QEMU fails to start with error | ||
3142 | 14 | "cannot bind memory to host NUMA nodes: Operation not permitted" | ||
3143 | 15 | even when user hasn't provided host-nodes to pin to explictly | ||
3144 | 16 | (which is the case with -m option) | ||
3145 | 17 | |||
3146 | 18 | To fix issue, call mbind() only in case when user has provided | ||
3147 | 19 | host-nodes explicitly (i.e. host_nodes bitmap is not empty). | ||
3148 | 20 | That should allow to run QEMU in containers with black-listed | ||
3149 | 21 | mbind() without memory pinning. If QEMU provided memory-pinning | ||
3150 | 22 | is required user still has to white-list mbind() in container | ||
3151 | 23 | configuration. | ||
3152 | 24 | |||
3153 | 25 | Reported-by: Manuel Hohmann <mhohmann@physnet.uni-hamburg.de> | ||
3154 | 26 | Signed-off-by: Igor Mammedov <imammedo@redhat.com> | ||
3155 | 27 | Message-Id: <20200430154606.6421-1-imammedo@redhat.com> | ||
3156 | 28 | Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
3157 | 29 | Cc: qemu-stable@nongnu.org | ||
3158 | 30 | Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> | ||
3159 | 31 | (cherry picked from commit 70b6d525dfb51d5e523d568d1139fc051bc223c5) | ||
3160 | 32 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3161 | 33 | |||
3162 | 34 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=34c78a4100 | ||
3163 | 35 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3164 | 36 | Last-Update: 2020-08-19 | ||
3165 | 37 | |||
3166 | 38 | --- | ||
3167 | 39 | backends/hostmem.c | 6 ++++-- | ||
3168 | 40 | 1 file changed, 4 insertions(+), 2 deletions(-) | ||
3169 | 41 | |||
3170 | 42 | diff --git a/backends/hostmem.c b/backends/hostmem.c | ||
3171 | 43 | index e773bdfa6e..21b1993e49 100644 | ||
3172 | 44 | --- a/backends/hostmem.c | ||
3173 | 45 | +++ b/backends/hostmem.c | ||
3174 | 46 | @@ -363,8 +363,10 @@ host_memory_backend_memory_complete(UserCreatable *uc, Error **errp) | ||
3175 | 47 | assert(sizeof(backend->host_nodes) >= | ||
3176 | 48 | BITS_TO_LONGS(MAX_NODES + 1) * sizeof(unsigned long)); | ||
3177 | 49 | assert(maxnode <= MAX_NODES); | ||
3178 | 50 | - if (mbind(ptr, sz, backend->policy, | ||
3179 | 51 | - maxnode ? backend->host_nodes : NULL, maxnode + 1, flags)) { | ||
3180 | 52 | + | ||
3181 | 53 | + if (maxnode && | ||
3182 | 54 | + mbind(ptr, sz, backend->policy, backend->host_nodes, maxnode + 1, | ||
3183 | 55 | + flags)) { | ||
3184 | 56 | if (backend->policy != MPOL_DEFAULT || errno != ENOSYS) { | ||
3185 | 57 | error_setg_errno(errp, errno, | ||
3186 | 58 | "cannot bind memory to host NUMA nodes"); | ||
3187 | 59 | -- | ||
3188 | 60 | 2.28.0 | ||
3189 | 61 | |||
3190 | diff --git a/debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch b/debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch | |||
3191 | 0 | new file mode 100644 | 62 | new file mode 100644 |
3192 | index 0000000..7690bd7 | |||
3193 | --- /dev/null | |||
3194 | +++ b/debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch | |||
3195 | @@ -0,0 +1,59 @@ | |||
3196 | 1 | From 9dd68ac26b5a413dc948efe9bbf414702bc200da Mon Sep 17 00:00:00 2001 | ||
3197 | 2 | From: Niek Linnenbank <nieklinnenbank@gmail.com> | ||
3198 | 3 | Date: Thu, 5 Mar 2020 16:09:19 +0000 | ||
3199 | 4 | Subject: [PATCH] hw/arm/cubieboard: use ARM Cortex-A8 as the default CPU in | ||
3200 | 5 | machine definition | ||
3201 | 6 | MIME-Version: 1.0 | ||
3202 | 7 | Content-Type: text/plain; charset=UTF-8 | ||
3203 | 8 | Content-Transfer-Encoding: 8bit | ||
3204 | 9 | |||
3205 | 10 | The Cubieboard is a singleboard computer with an Allwinner A10 System-on-Chip [1]. | ||
3206 | 11 | As documented in the Allwinner A10 User Manual V1.5 [2], the SoC has an ARM | ||
3207 | 12 | Cortex-A8 processor. Currently the Cubieboard machine definition specifies the | ||
3208 | 13 | ARM Cortex-A9 in its description and as the default CPU. | ||
3209 | 14 | |||
3210 | 15 | This patch corrects the Cubieboard machine definition to use the ARM Cortex-A8. | ||
3211 | 16 | |||
3212 | 17 | The only user-visible effect is that our textual description of the | ||
3213 | 18 | machine was wrong, because hw/arm/allwinner-a10.c always creates a | ||
3214 | 19 | Cortex-A8 CPU regardless of the default value in the MachineClass struct. | ||
3215 | 20 | |||
3216 | 21 | [1] http://docs.cubieboard.org/products/start#cubieboard1 | ||
3217 | 22 | [2] https://linux-sunxi.org/File:Allwinner_A10_User_manual_V1.5.pdf | ||
3218 | 23 | |||
3219 | 24 | Fixes: 8a863c8120994981a099 | ||
3220 | 25 | Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com> | ||
3221 | 26 | Message-id: 20200227220149.6845-2-nieklinnenbank@gmail.com | ||
3222 | 27 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
3223 | 28 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
3224 | 29 | [note in commit message that the bug didn't have much visible effect] | ||
3225 | 30 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
3226 | 31 | (cherry picked from commit 2104df2a1fbf44b2564427aa72fd58d66ce290a7) | ||
3227 | 32 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3228 | 33 | |||
3229 | 34 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9dd68ac26b | ||
3230 | 35 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3231 | 36 | Last-Update: 2020-08-19 | ||
3232 | 37 | |||
3233 | 38 | --- | ||
3234 | 39 | hw/arm/cubieboard.c | 4 ++-- | ||
3235 | 40 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
3236 | 41 | |||
3237 | 42 | diff --git a/hw/arm/cubieboard.c b/hw/arm/cubieboard.c | ||
3238 | 43 | index 6dc2f1d6b6..d8e8919e79 100644 | ||
3239 | 44 | --- a/hw/arm/cubieboard.c | ||
3240 | 45 | +++ b/hw/arm/cubieboard.c | ||
3241 | 46 | @@ -78,8 +78,8 @@ static void cubieboard_init(MachineState *machine) | ||
3242 | 47 | |||
3243 | 48 | static void cubieboard_machine_init(MachineClass *mc) | ||
3244 | 49 | { | ||
3245 | 50 | - mc->desc = "cubietech cubieboard (Cortex-A9)"; | ||
3246 | 51 | - mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a9"); | ||
3247 | 52 | + mc->desc = "cubietech cubieboard (Cortex-A8)"; | ||
3248 | 53 | + mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a8"); | ||
3249 | 54 | mc->init = cubieboard_init; | ||
3250 | 55 | mc->block_default_type = IF_IDE; | ||
3251 | 56 | mc->units_per_default_bus = 1; | ||
3252 | 57 | -- | ||
3253 | 58 | 2.28.0 | ||
3254 | 59 | |||
3255 | diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch | |||
3256 | 0 | new file mode 100644 | 60 | new file mode 100644 |
3257 | index 0000000..eb50555 | |||
3258 | --- /dev/null | |||
3259 | +++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch | |||
3260 | @@ -0,0 +1,83 @@ | |||
3261 | 1 | From 65fad28d85f137edd895ac90a83b42bb36aad481 Mon Sep 17 00:00:00 2001 | ||
3262 | 2 | From: Simon Veith <sveith@amazon.de> | ||
3263 | 3 | Date: Fri, 20 Dec 2019 14:03:00 +0000 | ||
3264 | 4 | Subject: [PATCH] hw/arm/smmuv3: Align stream table base address to table size | ||
3265 | 5 | |||
3266 | 6 | Per the specification, and as observed in hardware, the SMMUv3 aligns | ||
3267 | 7 | the SMMU_STRTAB_BASE address to the size of the table by masking out the | ||
3268 | 8 | respective least significant bits in the ADDR field. | ||
3269 | 9 | |||
3270 | 10 | Apply this masking logic to our smmu_find_ste() lookup function per the | ||
3271 | 11 | specification. | ||
3272 | 12 | |||
3273 | 13 | ref. ARM IHI 0070C, section 6.3.23. | ||
3274 | 14 | |||
3275 | 15 | Signed-off-by: Simon Veith <sveith@amazon.de> | ||
3276 | 16 | Acked-by: Eric Auger <eric.auger@redhat.com> | ||
3277 | 17 | Tested-by: Eric Auger <eric.auger@redhat.com> | ||
3278 | 18 | Message-id: 1576509312-13083-5-git-send-email-sveith@amazon.de | ||
3279 | 19 | Cc: Eric Auger <eric.auger@redhat.com> | ||
3280 | 20 | Cc: qemu-devel@nongnu.org | ||
3281 | 21 | Cc: qemu-arm@nongnu.org | ||
3282 | 22 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
3283 | 23 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
3284 | 24 | (cherry picked from commit 41678c33aac61261522b74f08595ccf2221a430a) | ||
3285 | 25 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3286 | 26 | |||
3287 | 27 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=65fad28d85 | ||
3288 | 28 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3289 | 29 | Last-Update: 2020-08-19 | ||
3290 | 30 | |||
3291 | 31 | --- | ||
3292 | 32 | hw/arm/smmuv3.c | 18 ++++++++++++++---- | ||
3293 | 33 | 1 file changed, 14 insertions(+), 4 deletions(-) | ||
3294 | 34 | |||
3295 | 35 | diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c | ||
3296 | 36 | index 727558bcfa..31ac3ca32e 100644 | ||
3297 | 37 | --- a/hw/arm/smmuv3.c | ||
3298 | 38 | +++ b/hw/arm/smmuv3.c | ||
3299 | 39 | @@ -376,8 +376,9 @@ bad_ste: | ||
3300 | 40 | static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste, | ||
3301 | 41 | SMMUEventInfo *event) | ||
3302 | 42 | { | ||
3303 | 43 | - dma_addr_t addr; | ||
3304 | 44 | + dma_addr_t addr, strtab_base; | ||
3305 | 45 | uint32_t log2size; | ||
3306 | 46 | + int strtab_size_shift; | ||
3307 | 47 | int ret; | ||
3308 | 48 | |||
3309 | 49 | trace_smmuv3_find_ste(sid, s->features, s->sid_split); | ||
3310 | 50 | @@ -391,10 +392,16 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste, | ||
3311 | 51 | } | ||
3312 | 52 | if (s->features & SMMU_FEATURE_2LVL_STE) { | ||
3313 | 53 | int l1_ste_offset, l2_ste_offset, max_l2_ste, span; | ||
3314 | 54 | - dma_addr_t strtab_base, l1ptr, l2ptr; | ||
3315 | 55 | + dma_addr_t l1ptr, l2ptr; | ||
3316 | 56 | STEDesc l1std; | ||
3317 | 57 | |||
3318 | 58 | - strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK; | ||
3319 | 59 | + /* | ||
3320 | 60 | + * Align strtab base address to table size. For this purpose, assume it | ||
3321 | 61 | + * is not bounded by SMMU_IDR1_SIDSIZE. | ||
3322 | 62 | + */ | ||
3323 | 63 | + strtab_size_shift = MAX(5, (int)log2size - s->sid_split - 1 + 3); | ||
3324 | 64 | + strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK & | ||
3325 | 65 | + ~MAKE_64BIT_MASK(0, strtab_size_shift); | ||
3326 | 66 | l1_ste_offset = sid >> s->sid_split; | ||
3327 | 67 | l2_ste_offset = sid & ((1 << s->sid_split) - 1); | ||
3328 | 68 | l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std)); | ||
3329 | 69 | @@ -433,7 +440,10 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste, | ||
3330 | 70 | } | ||
3331 | 71 | addr = l2ptr + l2_ste_offset * sizeof(*ste); | ||
3332 | 72 | } else { | ||
3333 | 73 | - addr = (s->strtab_base & SMMU_BASE_ADDR_MASK) + sid * sizeof(*ste); | ||
3334 | 74 | + strtab_size_shift = log2size + 5; | ||
3335 | 75 | + strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK & | ||
3336 | 76 | + ~MAKE_64BIT_MASK(0, strtab_size_shift); | ||
3337 | 77 | + addr = strtab_base + sid * sizeof(*ste); | ||
3338 | 78 | } | ||
3339 | 79 | |||
3340 | 80 | if (smmu_get_ste(s, addr, ste, event)) { | ||
3341 | 81 | -- | ||
3342 | 82 | 2.28.0 | ||
3343 | 83 | |||
3344 | diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch | |||
3345 | 0 | new file mode 100644 | 84 | new file mode 100644 |
3346 | index 0000000..c88cb54 | |||
3347 | --- /dev/null | |||
3348 | +++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch | |||
3349 | @@ -0,0 +1,59 @@ | |||
3350 | 1 | From e8ae3a4e2bb72ae636ecbf201b0f74d4bf7d5aeb Mon Sep 17 00:00:00 2001 | ||
3351 | 2 | From: Simon Veith <sveith@amazon.de> | ||
3352 | 3 | Date: Fri, 20 Dec 2019 14:03:00 +0000 | ||
3353 | 4 | Subject: [PATCH] hw/arm/smmuv3: Apply address mask to linear strtab base | ||
3354 | 5 | address | ||
3355 | 6 | |||
3356 | 7 | In the SMMU_STRTAB_BASE register, the stream table base address only | ||
3357 | 8 | occupies bits [51:6]. Other bits, such as RA (bit [62]), must be masked | ||
3358 | 9 | out to obtain the base address. | ||
3359 | 10 | |||
3360 | 11 | The branch for 2-level stream tables correctly applies this mask by way | ||
3361 | 12 | of SMMU_BASE_ADDR_MASK, but the one for linear stream tables does not. | ||
3362 | 13 | |||
3363 | 14 | Apply the missing mask in that case as well so that the correct stream | ||
3364 | 15 | base address is used by guests which configure a linear stream table. | ||
3365 | 16 | |||
3366 | 17 | Linux guests are unaffected by this change because they choose a 2-level | ||
3367 | 18 | stream table layout for the QEMU SMMUv3, based on the size of its stream | ||
3368 | 19 | ID space. | ||
3369 | 20 | |||
3370 | 21 | ref. ARM IHI 0070C, section 6.3.23. | ||
3371 | 22 | |||
3372 | 23 | Signed-off-by: Simon Veith <sveith@amazon.de> | ||
3373 | 24 | Acked-by: Eric Auger <eric.auger@redhat.com> | ||
3374 | 25 | Tested-by: Eric Auger <eric.auger@redhat.com> | ||
3375 | 26 | Message-id: 1576509312-13083-2-git-send-email-sveith@amazon.de | ||
3376 | 27 | Cc: Eric Auger <eric.auger@redhat.com> | ||
3377 | 28 | Cc: qemu-devel@nongnu.org | ||
3378 | 29 | Cc: qemu-arm@nongnu.org | ||
3379 | 30 | Acked-by: Eric Auger <eric.auger@redhat.com> | ||
3380 | 31 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
3381 | 32 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
3382 | 33 | (cherry picked from commit 3d44c60500785f18bb469c9de0aeba7415c0f28f) | ||
3383 | 34 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3384 | 35 | |||
3385 | 36 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=e8ae3a4e2b | ||
3386 | 37 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3387 | 38 | Last-Update: 2020-08-19 | ||
3388 | 39 | |||
3389 | 40 | --- | ||
3390 | 41 | hw/arm/smmuv3.c | 2 +- | ||
3391 | 42 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
3392 | 43 | |||
3393 | 44 | diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c | ||
3394 | 45 | index e2fbb8357e..eef9a18d70 100644 | ||
3395 | 46 | --- a/hw/arm/smmuv3.c | ||
3396 | 47 | +++ b/hw/arm/smmuv3.c | ||
3397 | 48 | @@ -429,7 +429,7 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste, | ||
3398 | 49 | } | ||
3399 | 50 | addr = l2ptr + l2_ste_offset * sizeof(*ste); | ||
3400 | 51 | } else { | ||
3401 | 52 | - addr = s->strtab_base + sid * sizeof(*ste); | ||
3402 | 53 | + addr = (s->strtab_base & SMMU_BASE_ADDR_MASK) + sid * sizeof(*ste); | ||
3403 | 54 | } | ||
3404 | 55 | |||
3405 | 56 | if (smmu_get_ste(s, addr, ste, event)) { | ||
3406 | 57 | -- | ||
3407 | 58 | 2.28.0 | ||
3408 | 59 | |||
3409 | diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch | |||
3410 | 0 | new file mode 100644 | 60 | new file mode 100644 |
3411 | index 0000000..90f85c4 | |||
3412 | --- /dev/null | |||
3413 | +++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch | |||
3414 | @@ -0,0 +1,63 @@ | |||
3415 | 1 | From 256ecc06eb534e7d851fcdf667132a8721b5ad61 Mon Sep 17 00:00:00 2001 | ||
3416 | 2 | From: Simon Veith <sveith@amazon.de> | ||
3417 | 3 | Date: Fri, 20 Dec 2019 14:03:00 +0000 | ||
3418 | 4 | Subject: [PATCH] hw/arm/smmuv3: Check stream IDs against actual table LOG2SIZE | ||
3419 | 5 | |||
3420 | 6 | When checking whether a stream ID is in range of the stream table, we | ||
3421 | 7 | have so far been only checking it against our implementation limit | ||
3422 | 8 | (SMMU_IDR1_SIDSIZE). However, the guest can program the | ||
3423 | 9 | STRTAB_BASE_CFG.LOG2SIZE field to a size that is smaller than this | ||
3424 | 10 | limit. | ||
3425 | 11 | |||
3426 | 12 | Check the stream ID against this limit as well to match the hardware | ||
3427 | 13 | behavior of raising C_BAD_STREAMID events in case the limit is exceeded. | ||
3428 | 14 | Also, ensure that we do not go one entry beyond the end of the table by | ||
3429 | 15 | checking that its index is strictly smaller than the table size. | ||
3430 | 16 | |||
3431 | 17 | ref. ARM IHI 0070C, section 6.3.24. | ||
3432 | 18 | |||
3433 | 19 | Signed-off-by: Simon Veith <sveith@amazon.de> | ||
3434 | 20 | Acked-by: Eric Auger <eric.auger@redhat.com> | ||
3435 | 21 | Tested-by: Eric Auger <eric.auger@redhat.com> | ||
3436 | 22 | Message-id: 1576509312-13083-4-git-send-email-sveith@amazon.de | ||
3437 | 23 | Cc: Eric Auger <eric.auger@redhat.com> | ||
3438 | 24 | Cc: qemu-devel@nongnu.org | ||
3439 | 25 | Cc: qemu-arm@nongnu.org | ||
3440 | 26 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
3441 | 27 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
3442 | 28 | (cherry picked from commit 05ff2fb80ce4ca85d8a39d48ff8156de739b4f51) | ||
3443 | 29 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3444 | 30 | |||
3445 | 31 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=256ecc06eb | ||
3446 | 32 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3447 | 33 | Last-Update: 2020-08-19 | ||
3448 | 34 | |||
3449 | 35 | --- | ||
3450 | 36 | hw/arm/smmuv3.c | 8 ++++++-- | ||
3451 | 37 | 1 file changed, 6 insertions(+), 2 deletions(-) | ||
3452 | 38 | |||
3453 | 39 | diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c | ||
3454 | 40 | index eef9a18d70..727558bcfa 100644 | ||
3455 | 41 | --- a/hw/arm/smmuv3.c | ||
3456 | 42 | +++ b/hw/arm/smmuv3.c | ||
3457 | 43 | @@ -377,11 +377,15 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste, | ||
3458 | 44 | SMMUEventInfo *event) | ||
3459 | 45 | { | ||
3460 | 46 | dma_addr_t addr; | ||
3461 | 47 | + uint32_t log2size; | ||
3462 | 48 | int ret; | ||
3463 | 49 | |||
3464 | 50 | trace_smmuv3_find_ste(sid, s->features, s->sid_split); | ||
3465 | 51 | - /* Check SID range */ | ||
3466 | 52 | - if (sid > (1 << SMMU_IDR1_SIDSIZE)) { | ||
3467 | 53 | + log2size = FIELD_EX32(s->strtab_base_cfg, STRTAB_BASE_CFG, LOG2SIZE); | ||
3468 | 54 | + /* | ||
3469 | 55 | + * Check SID range against both guest-configured and implementation limits | ||
3470 | 56 | + */ | ||
3471 | 57 | + if (sid >= (1 << MIN(log2size, SMMU_IDR1_SIDSIZE))) { | ||
3472 | 58 | event->type = SMMU_EVT_C_BAD_STREAMID; | ||
3473 | 59 | return -EINVAL; | ||
3474 | 60 | } | ||
3475 | 61 | -- | ||
3476 | 62 | 2.28.0 | ||
3477 | 63 | |||
3478 | diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch | |||
3479 | 0 | new file mode 100644 | 64 | new file mode 100644 |
3480 | index 0000000..11865de | |||
3481 | --- /dev/null | |||
3482 | +++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch | |||
3483 | @@ -0,0 +1,52 @@ | |||
3484 | 1 | From 606a6bf788d37a524c89e2627a44693afb5cb6a1 Mon Sep 17 00:00:00 2001 | ||
3485 | 2 | From: Simon Veith <sveith@amazon.de> | ||
3486 | 3 | Date: Fri, 20 Dec 2019 14:03:00 +0000 | ||
3487 | 4 | Subject: [PATCH] hw/arm/smmuv3: Correct SMMU_BASE_ADDR_MASK value | ||
3488 | 5 | |||
3489 | 6 | There are two issues with the current value of SMMU_BASE_ADDR_MASK: | ||
3490 | 7 | |||
3491 | 8 | - At the lower end, we are clearing bits [4:0]. Per the SMMUv3 spec, | ||
3492 | 9 | we should also be treating bit 5 as zero in the base address. | ||
3493 | 10 | - At the upper end, we are clearing bits [63:48]. Per the SMMUv3 spec, | ||
3494 | 11 | only bits [63:52] must be explicitly treated as zero. | ||
3495 | 12 | |||
3496 | 13 | Update the SMMU_BASE_ADDR_MASK value to mask out bits [63:52] and [5:0]. | ||
3497 | 14 | |||
3498 | 15 | ref. ARM IHI 0070C, section 6.3.23. | ||
3499 | 16 | |||
3500 | 17 | Signed-off-by: Simon Veith <sveith@amazon.de> | ||
3501 | 18 | Acked-by: Eric Auger <eric.auger@redhat.com> | ||
3502 | 19 | Tested-by: Eric Auger <eric.auger@redhat.com> | ||
3503 | 20 | Message-id: 1576509312-13083-3-git-send-email-sveith@amazon.de | ||
3504 | 21 | Cc: Eric Auger <eric.auger@redhat.com> | ||
3505 | 22 | Cc: qemu-devel@nongnu.org | ||
3506 | 23 | Cc: qemu-arm@nongnu.org | ||
3507 | 24 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
3508 | 25 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
3509 | 26 | (cherry picked from commit 3293b9f514a413e019b7dbc9d543458075b4849e) | ||
3510 | 27 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3511 | 28 | |||
3512 | 29 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=606a6bf788 | ||
3513 | 30 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3514 | 31 | Last-Update: 2020-08-19 | ||
3515 | 32 | |||
3516 | 33 | --- | ||
3517 | 34 | hw/arm/smmuv3-internal.h | 2 +- | ||
3518 | 35 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
3519 | 36 | |||
3520 | 37 | diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h | ||
3521 | 38 | index d190181ef1..042b435808 100644 | ||
3522 | 39 | --- a/hw/arm/smmuv3-internal.h | ||
3523 | 40 | +++ b/hw/arm/smmuv3-internal.h | ||
3524 | 41 | @@ -99,7 +99,7 @@ REG32(GERROR_IRQ_CFG2, 0x74) | ||
3525 | 42 | |||
3526 | 43 | #define A_STRTAB_BASE 0x80 /* 64b */ | ||
3527 | 44 | |||
3528 | 45 | -#define SMMU_BASE_ADDR_MASK 0xffffffffffe0 | ||
3529 | 46 | +#define SMMU_BASE_ADDR_MASK 0xfffffffffffc0 | ||
3530 | 47 | |||
3531 | 48 | REG32(STRTAB_BASE_CFG, 0x88) | ||
3532 | 49 | FIELD(STRTAB_BASE_CFG, FMT, 16, 2) | ||
3533 | 50 | -- | ||
3534 | 51 | 2.28.0 | ||
3535 | 52 | |||
3536 | diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch | |||
3537 | 0 | new file mode 100644 | 53 | new file mode 100644 |
3538 | index 0000000..b7cc26c | |||
3539 | --- /dev/null | |||
3540 | +++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch | |||
3541 | @@ -0,0 +1,55 @@ | |||
3542 | 1 | From 9b59fdf47822acb6f2f6be5629829f27ffb08d41 Mon Sep 17 00:00:00 2001 | ||
3543 | 2 | From: Simon Veith <sveith@amazon.de> | ||
3544 | 3 | Date: Fri, 20 Dec 2019 14:03:00 +0000 | ||
3545 | 4 | Subject: [PATCH] hw/arm/smmuv3: Report F_STE_FETCH fault address in correct | ||
3546 | 5 | word position | ||
3547 | 6 | |||
3548 | 7 | The smmuv3_record_event() function that generates the F_STE_FETCH error | ||
3549 | 8 | uses the EVT_SET_ADDR macro to record the fetch address, placing it in | ||
3550 | 9 | 32-bit words 4 and 5. | ||
3551 | 10 | |||
3552 | 11 | The correct position for this address is in words 6 and 7, per the | ||
3553 | 12 | SMMUv3 Architecture Specification. | ||
3554 | 13 | |||
3555 | 14 | Update the function to use the EVT_SET_ADDR2 macro instead, which is the | ||
3556 | 15 | macro intended for writing to these words. | ||
3557 | 16 | |||
3558 | 17 | ref. ARM IHI 0070C, section 7.3.4. | ||
3559 | 18 | |||
3560 | 19 | Signed-off-by: Simon Veith <sveith@amazon.de> | ||
3561 | 20 | Acked-by: Eric Auger <eric.auger@redhat.com> | ||
3562 | 21 | Tested-by: Eric Auger <eric.auger@redhat.com> | ||
3563 | 22 | Message-id: 1576509312-13083-7-git-send-email-sveith@amazon.de | ||
3564 | 23 | Cc: Eric Auger <eric.auger@redhat.com> | ||
3565 | 24 | Cc: qemu-devel@nongnu.org | ||
3566 | 25 | Cc: qemu-arm@nongnu.org | ||
3567 | 26 | Acked-by: Eric Auger <eric.auger@redhat.com> | ||
3568 | 27 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
3569 | 28 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
3570 | 29 | (cherry picked from commit b255cafb59578d16716186ed955717bc8f87bdb7) | ||
3571 | 30 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3572 | 31 | |||
3573 | 32 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9b59fdf478 | ||
3574 | 33 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3575 | 34 | Last-Update: 2020-08-19 | ||
3576 | 35 | |||
3577 | 36 | --- | ||
3578 | 37 | hw/arm/smmuv3.c | 2 +- | ||
3579 | 38 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
3580 | 39 | |||
3581 | 40 | diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c | ||
3582 | 41 | index 31ac3ca32e..8b5f157dc7 100644 | ||
3583 | 42 | --- a/hw/arm/smmuv3.c | ||
3584 | 43 | +++ b/hw/arm/smmuv3.c | ||
3585 | 44 | @@ -172,7 +172,7 @@ void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *info) | ||
3586 | 45 | case SMMU_EVT_F_STE_FETCH: | ||
3587 | 46 | EVT_SET_SSID(&evt, info->u.f_ste_fetch.ssid); | ||
3588 | 47 | EVT_SET_SSV(&evt, info->u.f_ste_fetch.ssv); | ||
3589 | 48 | - EVT_SET_ADDR(&evt, info->u.f_ste_fetch.addr); | ||
3590 | 49 | + EVT_SET_ADDR2(&evt, info->u.f_ste_fetch.addr); | ||
3591 | 50 | break; | ||
3592 | 51 | case SMMU_EVT_C_BAD_STE: | ||
3593 | 52 | EVT_SET_SSID(&evt, info->u.c_bad_ste.ssid); | ||
3594 | 53 | -- | ||
3595 | 54 | 2.28.0 | ||
3596 | 55 | |||
3597 | diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch | |||
3598 | 0 | new file mode 100644 | 56 | new file mode 100644 |
3599 | index 0000000..5a9a3b0 | |||
3600 | --- /dev/null | |||
3601 | +++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch | |||
3602 | @@ -0,0 +1,58 @@ | |||
3603 | 1 | From ec3bd881e2e5942f835094b2da06ca415f7b27b3 Mon Sep 17 00:00:00 2001 | ||
3604 | 2 | From: Simon Veith <sveith@amazon.de> | ||
3605 | 3 | Date: Fri, 20 Dec 2019 14:03:00 +0000 | ||
3606 | 4 | Subject: [PATCH] hw/arm/smmuv3: Use correct bit positions in EVT_SET_ADDR2 | ||
3607 | 5 | macro | ||
3608 | 6 | |||
3609 | 7 | The bit offsets in the EVT_SET_ADDR2 macro do not match those specified | ||
3610 | 8 | in the ARM SMMUv3 Architecture Specification. In all events that use | ||
3611 | 9 | this macro, e.g. F_WALK_EABT, the faulting fetch address or IPA actually | ||
3612 | 10 | occupies the 32-bit words 6 and 7 in the event record contiguously, with | ||
3613 | 11 | the upper and lower unused bits clear due to alignment or maximum | ||
3614 | 12 | supported address bits. How many bits are clear depends on the | ||
3615 | 13 | individual event type. | ||
3616 | 14 | |||
3617 | 15 | Update the macro to write to the correct words in the event record so | ||
3618 | 16 | that guest drivers can obtain accurate address information on events. | ||
3619 | 17 | |||
3620 | 18 | ref. ARM IHI 0070C, sections 7.3.12 through 7.3.16. | ||
3621 | 19 | |||
3622 | 20 | Signed-off-by: Simon Veith <sveith@amazon.de> | ||
3623 | 21 | Acked-by: Eric Auger <eric.auger@redhat.com> | ||
3624 | 22 | Tested-by: Eric Auger <eric.auger@redhat.com> | ||
3625 | 23 | Message-id: 1576509312-13083-6-git-send-email-sveith@amazon.de | ||
3626 | 24 | Cc: Eric Auger <eric.auger@redhat.com> | ||
3627 | 25 | Cc: qemu-devel@nongnu.org | ||
3628 | 26 | Cc: qemu-arm@nongnu.org | ||
3629 | 27 | Acked-by: Eric Auger <eric.auger@redhat.com> | ||
3630 | 28 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
3631 | 29 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
3632 | 30 | (cherry picked from commit a7f65ceb851af5a5b639c6e30801076d848db2c2) | ||
3633 | 31 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3634 | 32 | |||
3635 | 33 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=ec3bd881e2 | ||
3636 | 34 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3637 | 35 | Last-Update: 2020-08-19 | ||
3638 | 36 | |||
3639 | 37 | --- | ||
3640 | 38 | hw/arm/smmuv3-internal.h | 4 ++-- | ||
3641 | 39 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
3642 | 40 | |||
3643 | 41 | diff --git a/hw/arm/smmuv3-internal.h b/hw/arm/smmuv3-internal.h | ||
3644 | 42 | index 042b435808..4112394129 100644 | ||
3645 | 43 | --- a/hw/arm/smmuv3-internal.h | ||
3646 | 44 | +++ b/hw/arm/smmuv3-internal.h | ||
3647 | 45 | @@ -461,8 +461,8 @@ typedef struct SMMUEventInfo { | ||
3648 | 46 | } while (0) | ||
3649 | 47 | #define EVT_SET_ADDR2(x, addr) \ | ||
3650 | 48 | do { \ | ||
3651 | 49 | - (x)->word[7] = deposit32((x)->word[7], 3, 29, addr >> 16); \ | ||
3652 | 50 | - (x)->word[7] = deposit32((x)->word[7], 0, 16, addr & 0xffff);\ | ||
3653 | 51 | + (x)->word[7] = (uint32_t)(addr >> 32); \ | ||
3654 | 52 | + (x)->word[6] = (uint32_t)(addr & 0xffffffff); \ | ||
3655 | 53 | } while (0) | ||
3656 | 54 | |||
3657 | 55 | void smmuv3_record_event(SMMUv3State *s, SMMUEventInfo *event); | ||
3658 | 56 | -- | ||
3659 | 57 | 2.28.0 | ||
3660 | 58 | |||
3661 | diff --git a/debian/patches/stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch b/debian/patches/stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch | |||
3662 | 0 | new file mode 100644 | 59 | new file mode 100644 |
3663 | index 0000000..ef32c14 | |||
3664 | --- /dev/null | |||
3665 | +++ b/debian/patches/stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch | |||
3666 | @@ -0,0 +1,49 @@ | |||
3667 | 1 | From 33be7aa9b6bea692e7ba615db1c97820051dc435 Mon Sep 17 00:00:00 2001 | ||
3668 | 2 | From: Peter Maydell <peter.maydell@linaro.org> | ||
3669 | 3 | Date: Thu, 26 Mar 2020 10:53:49 +0000 | ||
3670 | 4 | Subject: [PATCH] hw/i386/amd_iommu.c: Fix corruption of log events passed to | ||
3671 | 5 | guest | ||
3672 | 6 | |||
3673 | 7 | In the function amdvi_log_event(), we write an event log buffer | ||
3674 | 8 | entry into guest ram, whose contents are passed to the function | ||
3675 | 9 | via the "uint64_t *evt" argument. Unfortunately, a spurious | ||
3676 | 10 | '&' in the call to dma_memory_write() meant that instead of | ||
3677 | 11 | writing the event to the guest we would write the literal value | ||
3678 | 12 | of the pointer, plus whatever was in the following 8 bytes | ||
3679 | 13 | on the stack. This error was spotted by Coverity. | ||
3680 | 14 | |||
3681 | 15 | Fix the bug by removing the '&'. | ||
3682 | 16 | |||
3683 | 17 | Fixes: CID 1421945 | ||
3684 | 18 | Cc: qemu-stable@nongnu.org | ||
3685 | 19 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
3686 | 20 | Message-Id: <20200326105349.24588-1-peter.maydell@linaro.org> | ||
3687 | 21 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
3688 | 22 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> | ||
3689 | 23 | (cherry picked from commit 32a2d6b1f6b4405f0fc20c031e61d5d48e3d9cd1) | ||
3690 | 24 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3691 | 25 | |||
3692 | 26 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=33be7aa9b6 | ||
3693 | 27 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3694 | 28 | Last-Update: 2020-08-19 | ||
3695 | 29 | |||
3696 | 30 | --- | ||
3697 | 31 | hw/i386/amd_iommu.c | 2 +- | ||
3698 | 32 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
3699 | 33 | |||
3700 | 34 | diff --git a/hw/i386/amd_iommu.c b/hw/i386/amd_iommu.c | ||
3701 | 35 | index d55dbf07fc..ac5f2fddc5 100644 | ||
3702 | 36 | --- a/hw/i386/amd_iommu.c | ||
3703 | 37 | +++ b/hw/i386/amd_iommu.c | ||
3704 | 38 | @@ -181,7 +181,7 @@ static void amdvi_log_event(AMDVIState *s, uint64_t *evt) | ||
3705 | 39 | } | ||
3706 | 40 | |||
3707 | 41 | if (dma_memory_write(&address_space_memory, s->evtlog + s->evtlog_tail, | ||
3708 | 42 | - &evt, AMDVI_EVENT_LEN)) { | ||
3709 | 43 | + evt, AMDVI_EVENT_LEN)) { | ||
3710 | 44 | trace_amdvi_evntlog_fail(s->evtlog, s->evtlog_tail); | ||
3711 | 45 | } | ||
3712 | 46 | |||
3713 | 47 | -- | ||
3714 | 48 | 2.28.0 | ||
3715 | 49 | |||
3716 | diff --git a/debian/patches/stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch b/debian/patches/stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch | |||
3717 | 0 | new file mode 100644 | 50 | new file mode 100644 |
3718 | index 0000000..9c219c9 | |||
3719 | --- /dev/null | |||
3720 | +++ b/debian/patches/stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch | |||
3721 | @@ -0,0 +1,66 @@ | |||
3722 | 1 | From 9adb6569bf71808e76a7b71766e73a6da103741e Mon Sep 17 00:00:00 2001 | ||
3723 | 2 | From: Zenghui Yu <yuzenghui@huawei.com> | ||
3724 | 3 | Date: Thu, 30 Jan 2020 16:02:05 +0000 | ||
3725 | 4 | Subject: [PATCH] hw/intc/arm_gicv3_kvm: Stop wrongly programming | ||
3726 | 5 | GICR_PENDBASER.PTZ bit | ||
3727 | 6 | |||
3728 | 7 | If LPIs are disabled, KVM will just ignore the GICR_PENDBASER.PTZ bit when | ||
3729 | 8 | restoring GICR_CTLR. Setting PTZ here makes littlt sense in "reduce GIC | ||
3730 | 9 | initialization time". | ||
3731 | 10 | |||
3732 | 11 | And what's worse, PTZ is generally programmed by guest to indicate to the | ||
3733 | 12 | Redistributor whether the LPI Pending table is zero when enabling LPIs. | ||
3734 | 13 | If migration is triggered when the PTZ has just been cleared by guest (and | ||
3735 | 14 | before enabling LPIs), we will see PTZ==1 on the destination side, which | ||
3736 | 15 | is not as expected. Let's just drop this hackish userspace behavior. | ||
3737 | 16 | |||
3738 | 17 | Also take this chance to refine the comment a bit. | ||
3739 | 18 | |||
3740 | 19 | Fixes: 367b9f527bec ("hw/intc/arm_gicv3_kvm: Implement get/put functions") | ||
3741 | 20 | Signed-off-by: Zenghui Yu <yuzenghui@huawei.com> | ||
3742 | 21 | Message-id: 20200119133051.642-1-yuzenghui@huawei.com | ||
3743 | 22 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
3744 | 23 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
3745 | 24 | (cherry picked from commit 618bacabd3c8c3360be795cd8763bacdf5bec101) | ||
3746 | 25 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3747 | 26 | |||
3748 | 27 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9adb6569bf | ||
3749 | 28 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3750 | 29 | Last-Update: 2020-08-19 | ||
3751 | 30 | |||
3752 | 31 | --- | ||
3753 | 32 | hw/intc/arm_gicv3_kvm.c | 11 ++++------- | ||
3754 | 33 | 1 file changed, 4 insertions(+), 7 deletions(-) | ||
3755 | 34 | |||
3756 | 35 | diff --git a/hw/intc/arm_gicv3_kvm.c b/hw/intc/arm_gicv3_kvm.c | ||
3757 | 36 | index 9c7f4ab871..49304ca589 100644 | ||
3758 | 37 | --- a/hw/intc/arm_gicv3_kvm.c | ||
3759 | 38 | +++ b/hw/intc/arm_gicv3_kvm.c | ||
3760 | 39 | @@ -336,7 +336,10 @@ static void kvm_arm_gicv3_put(GICv3State *s) | ||
3761 | 40 | kvm_gicd_access(s, GICD_CTLR, ®, true); | ||
3762 | 41 | |||
3763 | 42 | if (redist_typer & GICR_TYPER_PLPIS) { | ||
3764 | 43 | - /* Set base addresses before LPIs are enabled by GICR_CTLR write */ | ||
3765 | 44 | + /* | ||
3766 | 45 | + * Restore base addresses before LPIs are potentially enabled by | ||
3767 | 46 | + * GICR_CTLR write | ||
3768 | 47 | + */ | ||
3769 | 48 | for (ncpu = 0; ncpu < s->num_cpu; ncpu++) { | ||
3770 | 49 | GICv3CPUState *c = &s->cpu[ncpu]; | ||
3771 | 50 | |||
3772 | 51 | @@ -347,12 +350,6 @@ static void kvm_arm_gicv3_put(GICv3State *s) | ||
3773 | 52 | kvm_gicr_access(s, GICR_PROPBASER + 4, ncpu, ®h, true); | ||
3774 | 53 | |||
3775 | 54 | reg64 = c->gicr_pendbaser; | ||
3776 | 55 | - if (!(c->gicr_ctlr & GICR_CTLR_ENABLE_LPIS)) { | ||
3777 | 56 | - /* Setting PTZ is advised if LPIs are disabled, to reduce | ||
3778 | 57 | - * GIC initialization time. | ||
3779 | 58 | - */ | ||
3780 | 59 | - reg64 |= GICR_PENDBASER_PTZ; | ||
3781 | 60 | - } | ||
3782 | 61 | regl = (uint32_t)reg64; | ||
3783 | 62 | kvm_gicr_access(s, GICR_PENDBASER, ncpu, ®l, true); | ||
3784 | 63 | regh = (uint32_t)(reg64 >> 32); | ||
3785 | 64 | -- | ||
3786 | 65 | 2.28.0 | ||
3787 | 66 | |||
3788 | diff --git a/debian/patches/stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch b/debian/patches/stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch | |||
3789 | 0 | new file mode 100644 | 67 | new file mode 100644 |
3790 | index 0000000..4bccfa5 | |||
3791 | --- /dev/null | |||
3792 | +++ b/debian/patches/stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch | |||
3793 | @@ -0,0 +1,91 @@ | |||
3794 | 1 | From bed590f2b849ad548d659942771d824c288c6a50 Mon Sep 17 00:00:00 2001 | ||
3795 | 2 | From: Eduardo Habkost <ehabkost@redhat.com> | ||
3796 | 3 | Date: Thu, 5 Dec 2019 19:33:39 -0300 | ||
3797 | 4 | Subject: [PATCH] i386: Resolve CPU models to v1 by default | ||
3798 | 5 | |||
3799 | 6 | When using `query-cpu-definitions` using `-machine none`, | ||
3800 | 7 | QEMU is resolving all CPU models to their latest versions. The | ||
3801 | 8 | actual CPU model version being used by another machine type (e.g. | ||
3802 | 9 | `pc-q35-4.0`) might be different. | ||
3803 | 10 | |||
3804 | 11 | In theory, this was OK because the correct CPU model | ||
3805 | 12 | version is returned when using the correct `-machine` argument. | ||
3806 | 13 | |||
3807 | 14 | Except that in practice, this breaks libvirt expectations: | ||
3808 | 15 | libvirt always use `-machine none` when checking if a CPU model | ||
3809 | 16 | is runnable, because runnability is not expected to be affected | ||
3810 | 17 | when the machine type is changed. | ||
3811 | 18 | |||
3812 | 19 | For example, when running on a Haswell host without TSX, | ||
3813 | 20 | Haswell-v4 is runnable, but Haswell-v1 is not. On those hosts, | ||
3814 | 21 | `query-cpu-definitions` says Haswell is runnable if using | ||
3815 | 22 | `-machine none`, but Haswell is actually not runnable using any | ||
3816 | 23 | of the `pc-*` machine types (because they resolve Haswell to | ||
3817 | 24 | Haswell-v1). In other words, we're breaking the "runnability | ||
3818 | 25 | guarantee" we promised to not break for a few releases (see | ||
3819 | 26 | qemu-deprecated.texi). | ||
3820 | 27 | |||
3821 | 28 | To address this issue, change the default CPU model version to v1 | ||
3822 | 29 | on all machine types, so we make `query-cpu-definitions` output | ||
3823 | 30 | when using `-machine none` match the results when using `pc-*`. | ||
3824 | 31 | This will change in the future (the plan is to always return the | ||
3825 | 32 | latest CPU model version if using `-machine none`), but only | ||
3826 | 33 | after giving libvirt the opportunity to adapt. | ||
3827 | 34 | |||
3828 | 35 | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1779078 | ||
3829 | 36 | Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> | ||
3830 | 37 | Message-Id: <20191205223339.764534-1-ehabkost@redhat.com> | ||
3831 | 38 | Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> | ||
3832 | 39 | (cherry picked from commit ad18392892c04637fb56956d997f4bc600224356) | ||
3833 | 40 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3834 | 41 | |||
3835 | 42 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=bed590f2b8 | ||
3836 | 43 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3837 | 44 | Last-Update: 2020-08-19 | ||
3838 | 45 | |||
3839 | 46 | --- | ||
3840 | 47 | qemu-deprecated.texi | 8 ++++++++ | ||
3841 | 48 | target/i386/cpu.c | 8 +++++++- | ||
3842 | 49 | 2 files changed, 15 insertions(+), 1 deletion(-) | ||
3843 | 50 | |||
3844 | 51 | diff --git a/qemu-deprecated.texi b/qemu-deprecated.texi | ||
3845 | 52 | index 4b4b7425ac..b42d8b3c5f 100644 | ||
3846 | 53 | --- a/qemu-deprecated.texi | ||
3847 | 54 | +++ b/qemu-deprecated.texi | ||
3848 | 55 | @@ -374,6 +374,14 @@ guarantees must resolve the CPU model aliases using te | ||
3849 | 56 | ``alias-of'' field returned by the ``query-cpu-definitions'' QMP | ||
3850 | 57 | command. | ||
3851 | 58 | |||
3852 | 59 | +While those guarantees are kept, the return value of | ||
3853 | 60 | +``query-cpu-definitions'' will have existing CPU model aliases | ||
3854 | 61 | +point to a version that doesn't break runnability guarantees | ||
3855 | 62 | +(specifically, version 1 of those CPU models). In future QEMU | ||
3856 | 63 | +versions, aliases will point to newer CPU model versions | ||
3857 | 64 | +depending on the machine type, so management software must | ||
3858 | 65 | +resolve CPU model aliases before starting a virtual machine. | ||
3859 | 66 | + | ||
3860 | 67 | |||
3861 | 68 | @node Recently removed features | ||
3862 | 69 | @appendix Recently removed features | ||
3863 | 70 | diff --git a/target/i386/cpu.c b/target/i386/cpu.c | ||
3864 | 71 | index 69f518a21a..54e7f18a09 100644 | ||
3865 | 72 | --- a/target/i386/cpu.c | ||
3866 | 73 | +++ b/target/i386/cpu.c | ||
3867 | 74 | @@ -3924,7 +3924,13 @@ static PropValue tcg_default_props[] = { | ||
3868 | 75 | }; | ||
3869 | 76 | |||
3870 | 77 | |||
3871 | 78 | -X86CPUVersion default_cpu_version = CPU_VERSION_LATEST; | ||
3872 | 79 | +/* | ||
3873 | 80 | + * We resolve CPU model aliases using -v1 when using "-machine | ||
3874 | 81 | + * none", but this is just for compatibility while libvirt isn't | ||
3875 | 82 | + * adapted to resolve CPU model versions before creating VMs. | ||
3876 | 83 | + * See "Runnability guarantee of CPU models" at * qemu-deprecated.texi. | ||
3877 | 84 | + */ | ||
3878 | 85 | +X86CPUVersion default_cpu_version = 1; | ||
3879 | 86 | |||
3880 | 87 | void x86_cpu_set_default_version(X86CPUVersion version) | ||
3881 | 88 | { | ||
3882 | 89 | -- | ||
3883 | 90 | 2.28.0 | ||
3884 | 91 | |||
3885 | diff --git a/debian/patches/stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch b/debian/patches/stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch | |||
3886 | 0 | new file mode 100644 | 92 | new file mode 100644 |
3887 | index 0000000..c42f271 | |||
3888 | --- /dev/null | |||
3889 | +++ b/debian/patches/stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch | |||
3890 | @@ -0,0 +1,99 @@ | |||
3891 | 1 | From 4412cb3bcaf5b0cccf88f881c18be5dfd395e934 Mon Sep 17 00:00:00 2001 | ||
3892 | 2 | From: Alexander Popov <alex.popov@linux.com> | ||
3893 | 3 | Date: Mon, 23 Dec 2019 20:51:16 +0300 | ||
3894 | 4 | Subject: [PATCH] ide: Fix incorrect handling of some PRDTs in ide_dma_cb() | ||
3895 | 5 | |||
3896 | 6 | The commit a718978ed58a from July 2015 introduced the assertion which | ||
3897 | 7 | implies that the size of successful DMA transfers handled in ide_dma_cb() | ||
3898 | 8 | should be multiple of 512 (the size of a sector). But guest systems can | ||
3899 | 9 | initiate DMA transfers that don't fit this requirement. | ||
3900 | 10 | |||
3901 | 11 | For fixing that let's check the number of bytes prepared for the transfer | ||
3902 | 12 | by the prepare_buf() handler. The code in ide_dma_cb() must behave | ||
3903 | 13 | according to the Programming Interface for Bus Master IDE Controller | ||
3904 | 14 | (Revision 1.0 5/16/94): | ||
3905 | 15 | 1. If PRDs specified a smaller size than the IDE transfer | ||
3906 | 16 | size, then the Interrupt and Active bits in the Controller | ||
3907 | 17 | status register are not set (Error Condition). | ||
3908 | 18 | 2. If the size of the physical memory regions was equal to | ||
3909 | 19 | the IDE device transfer size, the Interrupt bit in the | ||
3910 | 20 | Controller status register is set to 1, Active bit is set to 0. | ||
3911 | 21 | 3. If PRDs specified a larger size than the IDE transfer size, | ||
3912 | 22 | the Interrupt and Active bits in the Controller status register | ||
3913 | 23 | are both set to 1. | ||
3914 | 24 | |||
3915 | 25 | Signed-off-by: Alexander Popov <alex.popov@linux.com> | ||
3916 | 26 | Reviewed-by: Kevin Wolf <kwolf@redhat.com> | ||
3917 | 27 | Message-id: 20191223175117.508990-2-alex.popov@linux.com | ||
3918 | 28 | Signed-off-by: John Snow <jsnow@redhat.com> | ||
3919 | 29 | (cherry picked from commit ed78352a59ea7acf7520d4d47a96b9911bae7fc3) | ||
3920 | 30 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
3921 | 31 | |||
3922 | 32 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=4412cb3bca | ||
3923 | 33 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
3924 | 34 | Last-Update: 2020-08-19 | ||
3925 | 35 | |||
3926 | 36 | --- | ||
3927 | 37 | hw/ide/core.c | 30 ++++++++++++++++++++++-------- | ||
3928 | 38 | 1 file changed, 22 insertions(+), 8 deletions(-) | ||
3929 | 39 | |||
3930 | 40 | diff --git a/hw/ide/core.c b/hw/ide/core.c | ||
3931 | 41 | index 754ff4dc34..80000eb766 100644 | ||
3932 | 42 | --- a/hw/ide/core.c | ||
3933 | 43 | +++ b/hw/ide/core.c | ||
3934 | 44 | @@ -849,6 +849,7 @@ static void ide_dma_cb(void *opaque, int ret) | ||
3935 | 45 | int64_t sector_num; | ||
3936 | 46 | uint64_t offset; | ||
3937 | 47 | bool stay_active = false; | ||
3938 | 48 | + int32_t prep_size = 0; | ||
3939 | 49 | |||
3940 | 50 | if (ret == -EINVAL) { | ||
3941 | 51 | ide_dma_error(s); | ||
3942 | 52 | @@ -863,13 +864,15 @@ static void ide_dma_cb(void *opaque, int ret) | ||
3943 | 53 | } | ||
3944 | 54 | } | ||
3945 | 55 | |||
3946 | 56 | - n = s->io_buffer_size >> 9; | ||
3947 | 57 | - if (n > s->nsector) { | ||
3948 | 58 | - /* The PRDs were longer than needed for this request. Shorten them so | ||
3949 | 59 | - * we don't get a negative remainder. The Active bit must remain set | ||
3950 | 60 | - * after the request completes. */ | ||
3951 | 61 | + if (s->io_buffer_size > s->nsector * 512) { | ||
3952 | 62 | + /* | ||
3953 | 63 | + * The PRDs were longer than needed for this request. | ||
3954 | 64 | + * The Active bit must remain set after the request completes. | ||
3955 | 65 | + */ | ||
3956 | 66 | n = s->nsector; | ||
3957 | 67 | stay_active = true; | ||
3958 | 68 | + } else { | ||
3959 | 69 | + n = s->io_buffer_size >> 9; | ||
3960 | 70 | } | ||
3961 | 71 | |||
3962 | 72 | sector_num = ide_get_sector(s); | ||
3963 | 73 | @@ -892,9 +895,20 @@ static void ide_dma_cb(void *opaque, int ret) | ||
3964 | 74 | n = s->nsector; | ||
3965 | 75 | s->io_buffer_index = 0; | ||
3966 | 76 | s->io_buffer_size = n * 512; | ||
3967 | 77 | - if (s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size) < 512) { | ||
3968 | 78 | - /* The PRDs were too short. Reset the Active bit, but don't raise an | ||
3969 | 79 | - * interrupt. */ | ||
3970 | 80 | + prep_size = s->bus->dma->ops->prepare_buf(s->bus->dma, s->io_buffer_size); | ||
3971 | 81 | + /* prepare_buf() must succeed and respect the limit */ | ||
3972 | 82 | + assert(prep_size >= 0 && prep_size <= n * 512); | ||
3973 | 83 | + | ||
3974 | 84 | + /* | ||
3975 | 85 | + * Now prep_size stores the number of bytes in the sglist, and | ||
3976 | 86 | + * s->io_buffer_size stores the number of bytes described by the PRDs. | ||
3977 | 87 | + */ | ||
3978 | 88 | + | ||
3979 | 89 | + if (prep_size < n * 512) { | ||
3980 | 90 | + /* | ||
3981 | 91 | + * The PRDs are too short for this request. Error condition! | ||
3982 | 92 | + * Reset the Active bit and don't raise the interrupt. | ||
3983 | 93 | + */ | ||
3984 | 94 | s->status = READY_STAT | SEEK_STAT; | ||
3985 | 95 | dma_buf_commit(s, 0); | ||
3986 | 96 | goto eot; | ||
3987 | 97 | -- | ||
3988 | 98 | 2.28.0 | ||
3989 | 99 | |||
3990 | diff --git a/debian/patches/stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch b/debian/patches/stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch | |||
3991 | 0 | new file mode 100644 | 100 | new file mode 100644 |
3992 | index 0000000..8684d31 | |||
3993 | --- /dev/null | |||
3994 | +++ b/debian/patches/stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch | |||
3995 | @@ -0,0 +1,232 @@ | |||
3996 | 1 | From 2f7597fbc2727eeb4f16c579c9dc0b115a8e5e93 Mon Sep 17 00:00:00 2001 | ||
3997 | 2 | From: Max Reitz <mreitz@redhat.com> | ||
3998 | 3 | Date: Wed, 11 Mar 2020 15:07:07 +0100 | ||
3999 | 4 | Subject: [PATCH] iotests/026: Move v3-exclusive test to new file | ||
4000 | 5 | MIME-Version: 1.0 | ||
4001 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
4002 | 7 | Content-Transfer-Encoding: 8bit | ||
4003 | 8 | |||
4004 | 9 | data_file does not work with v2, and we probably want 026 to keep | ||
4005 | 10 | working for v2 images. Thus, open a new file for v3-exclusive error | ||
4006 | 11 | path test cases. | ||
4007 | 12 | |||
4008 | 13 | Fixes: 81311255f217859413c94f2cd9cebf2684bbda94 | ||
4009 | 14 | (“iotests/026: Test EIO on allocation in a data-file”) | ||
4010 | 15 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
4011 | 16 | Message-Id: <20200311140707.1243218-1-mreitz@redhat.com> | ||
4012 | 17 | Reviewed-by: John Snow <jsnow@redhat.com> | ||
4013 | 18 | Tested-by: John Snow <jsnow@redhat.com> | ||
4014 | 19 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
4015 | 20 | (cherry picked from commit c264e5d2f9f5d73977eac8e5d084f727b3d07ea9) | ||
4016 | 21 | Conflicts: | ||
4017 | 22 | tests/qemu-iotests/group | ||
4018 | 23 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
4019 | 24 | |||
4020 | 25 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=2f7597fbc2 | ||
4021 | 26 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
4022 | 27 | Last-Update: 2020-08-19 | ||
4023 | 28 | |||
4024 | 29 | --- | ||
4025 | 30 | tests/qemu-iotests/026 | 31 ----------- | ||
4026 | 31 | tests/qemu-iotests/026.out | 6 -- | ||
4027 | 32 | tests/qemu-iotests/026.out.nocache | 6 -- | ||
4028 | 33 | tests/qemu-iotests/289 | 89 ++++++++++++++++++++++++++++++ | ||
4029 | 34 | tests/qemu-iotests/289.out | 8 +++ | ||
4030 | 35 | tests/qemu-iotests/group | 1 + | ||
4031 | 36 | 6 files changed, 98 insertions(+), 43 deletions(-) | ||
4032 | 37 | create mode 100755 tests/qemu-iotests/289 | ||
4033 | 38 | create mode 100644 tests/qemu-iotests/289.out | ||
4034 | 39 | |||
4035 | 40 | diff --git a/tests/qemu-iotests/026 b/tests/qemu-iotests/026 | ||
4036 | 41 | index c1c96a41d9..3afd708863 100755 | ||
4037 | 42 | --- a/tests/qemu-iotests/026 | ||
4038 | 43 | +++ b/tests/qemu-iotests/026 | ||
4039 | 44 | @@ -237,37 +237,6 @@ $QEMU_IO -c "write 0 $CLUSTER_SIZE" "$BLKDBG_TEST_IMG" | _filter_qemu_io | ||
4040 | 45 | |||
4041 | 46 | _check_test_img | ||
4042 | 47 | |||
4043 | 48 | -echo | ||
4044 | 49 | -echo === Avoid freeing external data clusters on failure === | ||
4045 | 50 | -echo | ||
4046 | 51 | - | ||
4047 | 52 | -# Similar test as the last one, except we test what happens when there | ||
4048 | 53 | -# is an error when writing to an external data file instead of when | ||
4049 | 54 | -# writing to a preallocated zero cluster | ||
4050 | 55 | -_make_test_img -o "data_file=$TEST_IMG.data_file" $CLUSTER_SIZE | ||
4051 | 56 | - | ||
4052 | 57 | -# Put blkdebug above the data-file, and a raw node on top of that so | ||
4053 | 58 | -# that blkdebug will see a write_aio event and emit an error | ||
4054 | 59 | -$QEMU_IO -c "write 0 $CLUSTER_SIZE" \ | ||
4055 | 60 | - "json:{ | ||
4056 | 61 | - 'driver': 'qcow2', | ||
4057 | 62 | - 'file': { 'driver': 'file', 'filename': '$TEST_IMG' }, | ||
4058 | 63 | - 'data-file': { | ||
4059 | 64 | - 'driver': 'raw', | ||
4060 | 65 | - 'file': { | ||
4061 | 66 | - 'driver': 'blkdebug', | ||
4062 | 67 | - 'config': '$TEST_DIR/blkdebug.conf', | ||
4063 | 68 | - 'image': { | ||
4064 | 69 | - 'driver': 'file', | ||
4065 | 70 | - 'filename': '$TEST_IMG.data_file' | ||
4066 | 71 | - } | ||
4067 | 72 | - } | ||
4068 | 73 | - } | ||
4069 | 74 | - }" \ | ||
4070 | 75 | - | _filter_qemu_io | ||
4071 | 76 | - | ||
4072 | 77 | -_check_test_img | ||
4073 | 78 | - | ||
4074 | 79 | # success, all done | ||
4075 | 80 | echo "*** done" | ||
4076 | 81 | rm -f $seq.full | ||
4077 | 82 | diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out | ||
4078 | 83 | index c1b3b58482..83989996ff 100644 | ||
4079 | 84 | --- a/tests/qemu-iotests/026.out | ||
4080 | 85 | +++ b/tests/qemu-iotests/026.out | ||
4081 | 86 | @@ -653,10 +653,4 @@ wrote 1024/1024 bytes at offset 0 | ||
4082 | 87 | 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) | ||
4083 | 88 | write failed: Input/output error | ||
4084 | 89 | No errors were found on the image. | ||
4085 | 90 | - | ||
4086 | 91 | -=== Avoid freeing external data clusters on failure === | ||
4087 | 92 | - | ||
4088 | 93 | -Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file | ||
4089 | 94 | -write failed: Input/output error | ||
4090 | 95 | -No errors were found on the image. | ||
4091 | 96 | *** done | ||
4092 | 97 | diff --git a/tests/qemu-iotests/026.out.nocache b/tests/qemu-iotests/026.out.nocache | ||
4093 | 98 | index 8d5001648a..9359d26d7e 100644 | ||
4094 | 99 | --- a/tests/qemu-iotests/026.out.nocache | ||
4095 | 100 | +++ b/tests/qemu-iotests/026.out.nocache | ||
4096 | 101 | @@ -661,10 +661,4 @@ wrote 1024/1024 bytes at offset 0 | ||
4097 | 102 | 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) | ||
4098 | 103 | write failed: Input/output error | ||
4099 | 104 | No errors were found on the image. | ||
4100 | 105 | - | ||
4101 | 106 | -=== Avoid freeing external data clusters on failure === | ||
4102 | 107 | - | ||
4103 | 108 | -Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file | ||
4104 | 109 | -write failed: Input/output error | ||
4105 | 110 | -No errors were found on the image. | ||
4106 | 111 | *** done | ||
4107 | 112 | diff --git a/tests/qemu-iotests/289 b/tests/qemu-iotests/289 | ||
4108 | 113 | new file mode 100755 | ||
4109 | 114 | index 0000000000..1c11d4030e | ||
4110 | 115 | --- /dev/null | ||
4111 | 116 | +++ b/tests/qemu-iotests/289 | ||
4112 | 117 | @@ -0,0 +1,89 @@ | ||
4113 | 118 | +#!/usr/bin/env bash | ||
4114 | 119 | +# | ||
4115 | 120 | +# qcow2 v3-exclusive error path testing | ||
4116 | 121 | +# (026 tests paths common to v2 and v3) | ||
4117 | 122 | +# | ||
4118 | 123 | +# Copyright (C) 2020 Red Hat, Inc. | ||
4119 | 124 | +# | ||
4120 | 125 | +# This program is free software; you can redistribute it and/or modify | ||
4121 | 126 | +# it under the terms of the GNU General Public License as published by | ||
4122 | 127 | +# the Free Software Foundation; either version 2 of the License, or | ||
4123 | 128 | +# (at your option) any later version. | ||
4124 | 129 | +# | ||
4125 | 130 | +# This program is distributed in the hope that it will be useful, | ||
4126 | 131 | +# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
4127 | 132 | +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
4128 | 133 | +# GNU General Public License for more details. | ||
4129 | 134 | +# | ||
4130 | 135 | +# You should have received a copy of the GNU General Public License | ||
4131 | 136 | +# along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
4132 | 137 | +# | ||
4133 | 138 | + | ||
4134 | 139 | +seq=$(basename $0) | ||
4135 | 140 | +echo "QA output created by $seq" | ||
4136 | 141 | + | ||
4137 | 142 | +status=1 # failure is the default! | ||
4138 | 143 | + | ||
4139 | 144 | +_cleanup() | ||
4140 | 145 | +{ | ||
4141 | 146 | + _cleanup_test_img | ||
4142 | 147 | + rm "$TEST_DIR/blkdebug.conf" | ||
4143 | 148 | + rm -f "$TEST_IMG.data_file" | ||
4144 | 149 | +} | ||
4145 | 150 | +trap "_cleanup; exit \$status" 0 1 2 3 15 | ||
4146 | 151 | + | ||
4147 | 152 | +# get standard environment, filters and checks | ||
4148 | 153 | +. ./common.rc | ||
4149 | 154 | +. ./common.filter | ||
4150 | 155 | +. ./common.pattern | ||
4151 | 156 | + | ||
4152 | 157 | +_supported_fmt qcow2 | ||
4153 | 158 | +_supported_proto file | ||
4154 | 159 | +# This is a v3-exclusive test; | ||
4155 | 160 | +# As for data_file, error paths often very much depend on whether | ||
4156 | 161 | +# there is an external data file or not; so we create one exactly when | ||
4157 | 162 | +# we want to test it | ||
4158 | 163 | +_unsupported_imgopts 'compat=0.10' data_file | ||
4159 | 164 | + | ||
4160 | 165 | +echo | ||
4161 | 166 | +echo === Avoid freeing external data clusters on failure === | ||
4162 | 167 | +echo | ||
4163 | 168 | + | ||
4164 | 169 | +cat > "$TEST_DIR/blkdebug.conf" <<EOF | ||
4165 | 170 | +[inject-error] | ||
4166 | 171 | +event = "write_aio" | ||
4167 | 172 | +errno = "5" | ||
4168 | 173 | +once = "on" | ||
4169 | 174 | +EOF | ||
4170 | 175 | + | ||
4171 | 176 | +# Test what happens when there is an error when writing to an external | ||
4172 | 177 | +# data file instead of when writing to a preallocated zero cluster | ||
4173 | 178 | +_make_test_img -o "data_file=$TEST_IMG.data_file" 64k | ||
4174 | 179 | + | ||
4175 | 180 | +# Put blkdebug above the data-file, and a raw node on top of that so | ||
4176 | 181 | +# that blkdebug will see a write_aio event and emit an error. This | ||
4177 | 182 | +# will then trigger the alloc abort code, which we want to test here. | ||
4178 | 183 | +$QEMU_IO -c "write 0 64k" \ | ||
4179 | 184 | + "json:{ | ||
4180 | 185 | + 'driver': 'qcow2', | ||
4181 | 186 | + 'file': { 'driver': 'file', 'filename': '$TEST_IMG' }, | ||
4182 | 187 | + 'data-file': { | ||
4183 | 188 | + 'driver': 'raw', | ||
4184 | 189 | + 'file': { | ||
4185 | 190 | + 'driver': 'blkdebug', | ||
4186 | 191 | + 'config': '$TEST_DIR/blkdebug.conf', | ||
4187 | 192 | + 'image': { | ||
4188 | 193 | + 'driver': 'file', | ||
4189 | 194 | + 'filename': '$TEST_IMG.data_file' | ||
4190 | 195 | + } | ||
4191 | 196 | + } | ||
4192 | 197 | + } | ||
4193 | 198 | + }" \ | ||
4194 | 199 | + | _filter_qemu_io | ||
4195 | 200 | + | ||
4196 | 201 | +_check_test_img | ||
4197 | 202 | + | ||
4198 | 203 | +# success, all done | ||
4199 | 204 | +echo "*** done" | ||
4200 | 205 | +rm -f $seq.full | ||
4201 | 206 | +status=0 | ||
4202 | 207 | diff --git a/tests/qemu-iotests/289.out b/tests/qemu-iotests/289.out | ||
4203 | 208 | new file mode 100644 | ||
4204 | 209 | index 0000000000..e54e2629d4 | ||
4205 | 210 | --- /dev/null | ||
4206 | 211 | +++ b/tests/qemu-iotests/289.out | ||
4207 | 212 | @@ -0,0 +1,8 @@ | ||
4208 | 213 | +QA output created by 289 | ||
4209 | 214 | + | ||
4210 | 215 | +=== Avoid freeing external data clusters on failure === | ||
4211 | 216 | + | ||
4212 | 217 | +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=65536 data_file=TEST_DIR/t.IMGFMT.data_file | ||
4213 | 218 | +write failed: Input/output error | ||
4214 | 219 | +No errors were found on the image. | ||
4215 | 220 | +*** done | ||
4216 | 221 | diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group | ||
4217 | 222 | index 6b10a6a762..2dc8a6e572 100644 | ||
4218 | 223 | --- a/tests/qemu-iotests/group | ||
4219 | 224 | +++ b/tests/qemu-iotests/group | ||
4220 | 225 | @@ -286,3 +286,4 @@ | ||
4221 | 226 | 272 rw | ||
4222 | 227 | 273 backing quick | ||
4223 | 228 | 277 rw quick | ||
4224 | 229 | +289 rw quick | ||
4225 | 230 | -- | ||
4226 | 231 | 2.28.0 | ||
4227 | 232 | |||
4228 | diff --git a/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch b/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch | |||
4229 | 0 | new file mode 100644 | 233 | new file mode 100644 |
4230 | index 0000000..76e486b | |||
4231 | --- /dev/null | |||
4232 | +++ b/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch | |||
4233 | @@ -0,0 +1,107 @@ | |||
4234 | 1 | From 4540aa4a8d2c59ec42af0ea58ca1794124ce47dd Mon Sep 17 00:00:00 2001 | ||
4235 | 2 | From: Max Reitz <mreitz@redhat.com> | ||
4236 | 3 | Date: Tue, 25 Feb 2020 15:31:30 +0100 | ||
4237 | 4 | Subject: [PATCH] iotests/026: Test EIO on allocation in a data-file | ||
4238 | 5 | |||
4239 | 6 | Test what happens when writing data to an external data file, where the | ||
4240 | 7 | write requires an L2 entry to be allocated, but the data write fails. | ||
4241 | 8 | |||
4242 | 9 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
4243 | 10 | Message-Id: <20200225143130.111267-4-mreitz@redhat.com> | ||
4244 | 11 | Signed-off-by: Kevin Wolf <kwolf@redhat.com> | ||
4245 | 12 | (cherry picked from commit 81311255f217859413c94f2cd9cebf2684bbda94) | ||
4246 | 13 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
4247 | 14 | |||
4248 | 15 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=4540aa4a8d | ||
4249 | 16 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
4250 | 17 | Last-Update: 2020-08-19 | ||
4251 | 18 | |||
4252 | 19 | --- | ||
4253 | 20 | tests/qemu-iotests/026 | 32 ++++++++++++++++++++++++++++++ | ||
4254 | 21 | tests/qemu-iotests/026.out | 6 ++++++ | ||
4255 | 22 | tests/qemu-iotests/026.out.nocache | 6 ++++++ | ||
4256 | 23 | 3 files changed, 44 insertions(+) | ||
4257 | 24 | |||
4258 | 25 | diff --git a/tests/qemu-iotests/026 b/tests/qemu-iotests/026 | ||
4259 | 26 | index d89729697f..c1c96a41d9 100755 | ||
4260 | 27 | --- a/tests/qemu-iotests/026 | ||
4261 | 28 | +++ b/tests/qemu-iotests/026 | ||
4262 | 29 | @@ -30,6 +30,7 @@ _cleanup() | ||
4263 | 30 | { | ||
4264 | 31 | _cleanup_test_img | ||
4265 | 32 | rm "$TEST_DIR/blkdebug.conf" | ||
4266 | 33 | + rm -f "$TEST_IMG.data_file" | ||
4267 | 34 | } | ||
4268 | 35 | trap "_cleanup; exit \$status" 0 1 2 3 15 | ||
4269 | 36 | |||
4270 | 37 | @@ -236,6 +237,37 @@ $QEMU_IO -c "write 0 $CLUSTER_SIZE" "$BLKDBG_TEST_IMG" | _filter_qemu_io | ||
4271 | 38 | |||
4272 | 39 | _check_test_img | ||
4273 | 40 | |||
4274 | 41 | +echo | ||
4275 | 42 | +echo === Avoid freeing external data clusters on failure === | ||
4276 | 43 | +echo | ||
4277 | 44 | + | ||
4278 | 45 | +# Similar test as the last one, except we test what happens when there | ||
4279 | 46 | +# is an error when writing to an external data file instead of when | ||
4280 | 47 | +# writing to a preallocated zero cluster | ||
4281 | 48 | +_make_test_img -o "data_file=$TEST_IMG.data_file" $CLUSTER_SIZE | ||
4282 | 49 | + | ||
4283 | 50 | +# Put blkdebug above the data-file, and a raw node on top of that so | ||
4284 | 51 | +# that blkdebug will see a write_aio event and emit an error | ||
4285 | 52 | +$QEMU_IO -c "write 0 $CLUSTER_SIZE" \ | ||
4286 | 53 | + "json:{ | ||
4287 | 54 | + 'driver': 'qcow2', | ||
4288 | 55 | + 'file': { 'driver': 'file', 'filename': '$TEST_IMG' }, | ||
4289 | 56 | + 'data-file': { | ||
4290 | 57 | + 'driver': 'raw', | ||
4291 | 58 | + 'file': { | ||
4292 | 59 | + 'driver': 'blkdebug', | ||
4293 | 60 | + 'config': '$TEST_DIR/blkdebug.conf', | ||
4294 | 61 | + 'image': { | ||
4295 | 62 | + 'driver': 'file', | ||
4296 | 63 | + 'filename': '$TEST_IMG.data_file' | ||
4297 | 64 | + } | ||
4298 | 65 | + } | ||
4299 | 66 | + } | ||
4300 | 67 | + }" \ | ||
4301 | 68 | + | _filter_qemu_io | ||
4302 | 69 | + | ||
4303 | 70 | +_check_test_img | ||
4304 | 71 | + | ||
4305 | 72 | # success, all done | ||
4306 | 73 | echo "*** done" | ||
4307 | 74 | rm -f $seq.full | ||
4308 | 75 | diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out | ||
4309 | 76 | index 83989996ff..c1b3b58482 100644 | ||
4310 | 77 | --- a/tests/qemu-iotests/026.out | ||
4311 | 78 | +++ b/tests/qemu-iotests/026.out | ||
4312 | 79 | @@ -653,4 +653,10 @@ wrote 1024/1024 bytes at offset 0 | ||
4313 | 80 | 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) | ||
4314 | 81 | write failed: Input/output error | ||
4315 | 82 | No errors were found on the image. | ||
4316 | 83 | + | ||
4317 | 84 | +=== Avoid freeing external data clusters on failure === | ||
4318 | 85 | + | ||
4319 | 86 | +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file | ||
4320 | 87 | +write failed: Input/output error | ||
4321 | 88 | +No errors were found on the image. | ||
4322 | 89 | *** done | ||
4323 | 90 | diff --git a/tests/qemu-iotests/026.out.nocache b/tests/qemu-iotests/026.out.nocache | ||
4324 | 91 | index 9359d26d7e..8d5001648a 100644 | ||
4325 | 92 | --- a/tests/qemu-iotests/026.out.nocache | ||
4326 | 93 | +++ b/tests/qemu-iotests/026.out.nocache | ||
4327 | 94 | @@ -661,4 +661,10 @@ wrote 1024/1024 bytes at offset 0 | ||
4328 | 95 | 1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) | ||
4329 | 96 | write failed: Input/output error | ||
4330 | 97 | No errors were found on the image. | ||
4331 | 98 | + | ||
4332 | 99 | +=== Avoid freeing external data clusters on failure === | ||
4333 | 100 | + | ||
4334 | 101 | +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 data_file=TEST_DIR/t.IMGFMT.data_file | ||
4335 | 102 | +write failed: Input/output error | ||
4336 | 103 | +No errors were found on the image. | ||
4337 | 104 | *** done | ||
4338 | 105 | -- | ||
4339 | 106 | 2.28.0 | ||
4340 | 107 | |||
4341 | diff --git a/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch b/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch | |||
4342 | 0 | new file mode 100644 | 108 | new file mode 100644 |
4343 | index 0000000..5295272 | |||
4344 | --- /dev/null | |||
4345 | +++ b/debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch | |||
4346 | @@ -0,0 +1,97 @@ | |||
4347 | 1 | From 30aa0ea6c578b51a71d8cbb9578cc7f7bfeb56aa Mon Sep 17 00:00:00 2001 | ||
4348 | 2 | From: Max Reitz <mreitz@redhat.com> | ||
4349 | 3 | Date: Tue, 25 Feb 2020 15:31:29 +0100 | ||
4350 | 4 | Subject: [PATCH] iotests/026: Test EIO on preallocated zero cluster | ||
4351 | 5 | |||
4352 | 6 | Test what happens when writing data to a preallocated zero cluster, but | ||
4353 | 7 | the data write fails. | ||
4354 | 8 | |||
4355 | 9 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
4356 | 10 | Message-Id: <20200225143130.111267-3-mreitz@redhat.com> | ||
4357 | 11 | Signed-off-by: Kevin Wolf <kwolf@redhat.com> | ||
4358 | 12 | (cherry picked from commit 31ab00f3747c00fdbb9027cea644b40dd1405480) | ||
4359 | 13 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
4360 | 14 | |||
4361 | 15 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=30aa0ea6c5 | ||
4362 | 16 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
4363 | 17 | Last-Update: 2020-08-19 | ||
4364 | 18 | |||
4365 | 19 | --- | ||
4366 | 20 | tests/qemu-iotests/026 | 21 +++++++++++++++++++++ | ||
4367 | 21 | tests/qemu-iotests/026.out | 10 ++++++++++ | ||
4368 | 22 | tests/qemu-iotests/026.out.nocache | 10 ++++++++++ | ||
4369 | 23 | 3 files changed, 41 insertions(+) | ||
4370 | 24 | |||
4371 | 25 | diff --git a/tests/qemu-iotests/026 b/tests/qemu-iotests/026 | ||
4372 | 26 | index 3430029ed6..d89729697f 100755 | ||
4373 | 27 | --- a/tests/qemu-iotests/026 | ||
4374 | 28 | +++ b/tests/qemu-iotests/026 | ||
4375 | 29 | @@ -215,6 +215,27 @@ _make_test_img 64M | ||
4376 | 30 | $QEMU_IO -c "write 0 1M" -c "write 0 1M" "$BLKDBG_TEST_IMG" | _filter_qemu_io | ||
4377 | 31 | _check_test_img | ||
4378 | 32 | |||
4379 | 33 | +echo | ||
4380 | 34 | +echo === Avoid freeing preallocated zero clusters on failure === | ||
4381 | 35 | +echo | ||
4382 | 36 | + | ||
4383 | 37 | +cat > "$TEST_DIR/blkdebug.conf" <<EOF | ||
4384 | 38 | +[inject-error] | ||
4385 | 39 | +event = "write_aio" | ||
4386 | 40 | +errno = "5" | ||
4387 | 41 | +once = "on" | ||
4388 | 42 | +EOF | ||
4389 | 43 | + | ||
4390 | 44 | +_make_test_img $CLUSTER_SIZE | ||
4391 | 45 | +# Create a preallocated zero cluster | ||
4392 | 46 | +$QEMU_IO -c "write 0 $CLUSTER_SIZE" -c "write -z 0 $CLUSTER_SIZE" "$TEST_IMG" \ | ||
4393 | 47 | + | _filter_qemu_io | ||
4394 | 48 | +# Try to overwrite it (prompting an I/O error from blkdebug), thus | ||
4395 | 49 | +# triggering the alloc abort code | ||
4396 | 50 | +$QEMU_IO -c "write 0 $CLUSTER_SIZE" "$BLKDBG_TEST_IMG" | _filter_qemu_io | ||
4397 | 51 | + | ||
4398 | 52 | +_check_test_img | ||
4399 | 53 | + | ||
4400 | 54 | # success, all done | ||
4401 | 55 | echo "*** done" | ||
4402 | 56 | rm -f $seq.full | ||
4403 | 57 | diff --git a/tests/qemu-iotests/026.out b/tests/qemu-iotests/026.out | ||
4404 | 58 | index ff0817b6f2..83989996ff 100644 | ||
4405 | 59 | --- a/tests/qemu-iotests/026.out | ||
4406 | 60 | +++ b/tests/qemu-iotests/026.out | ||
4407 | 61 | @@ -643,4 +643,14 @@ write failed: Input/output error | ||
4408 | 62 | wrote 1048576/1048576 bytes at offset 0 | ||
4409 | 63 | 1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) | ||
4410 | 64 | No errors were found on the image. | ||
4411 | 65 | + | ||
4412 | 66 | +=== Avoid freeing preallocated zero clusters on failure === | ||
4413 | 67 | + | ||
4414 | 68 | +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 | ||
4415 | 69 | +wrote 1024/1024 bytes at offset 0 | ||
4416 | 70 | +1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) | ||
4417 | 71 | +wrote 1024/1024 bytes at offset 0 | ||
4418 | 72 | +1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) | ||
4419 | 73 | +write failed: Input/output error | ||
4420 | 74 | +No errors were found on the image. | ||
4421 | 75 | *** done | ||
4422 | 76 | diff --git a/tests/qemu-iotests/026.out.nocache b/tests/qemu-iotests/026.out.nocache | ||
4423 | 77 | index 495d013007..9359d26d7e 100644 | ||
4424 | 78 | --- a/tests/qemu-iotests/026.out.nocache | ||
4425 | 79 | +++ b/tests/qemu-iotests/026.out.nocache | ||
4426 | 80 | @@ -651,4 +651,14 @@ write failed: Input/output error | ||
4427 | 81 | wrote 1048576/1048576 bytes at offset 0 | ||
4428 | 82 | 1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) | ||
4429 | 83 | No errors were found on the image. | ||
4430 | 84 | + | ||
4431 | 85 | +=== Avoid freeing preallocated zero clusters on failure === | ||
4432 | 86 | + | ||
4433 | 87 | +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=1024 | ||
4434 | 88 | +wrote 1024/1024 bytes at offset 0 | ||
4435 | 89 | +1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) | ||
4436 | 90 | +wrote 1024/1024 bytes at offset 0 | ||
4437 | 91 | +1 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) | ||
4438 | 92 | +write failed: Input/output error | ||
4439 | 93 | +No errors were found on the image. | ||
4440 | 94 | *** done | ||
4441 | 95 | -- | ||
4442 | 96 | 2.28.0 | ||
4443 | 97 | |||
4444 | diff --git a/debian/patches/stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch b/debian/patches/stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch | |||
4445 | 0 | new file mode 100644 | 98 | new file mode 100644 |
4446 | index 0000000..d479c09 | |||
4447 | --- /dev/null | |||
4448 | +++ b/debian/patches/stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch | |||
4449 | @@ -0,0 +1,57 @@ | |||
4450 | 1 | From 4a0db6ba7d5c524cbbcc684d7448e01e11eacbbd Mon Sep 17 00:00:00 2001 | ||
4451 | 2 | From: Kevin Wolf <kwolf@redhat.com> | ||
4452 | 3 | Date: Thu, 30 Apr 2020 16:27:52 +0200 | ||
4453 | 4 | Subject: [PATCH] iotests/283: Use consistent size for source and target | ||
4454 | 5 | |||
4455 | 6 | The test case forgot to specify the null-co size for the target node. | ||
4456 | 7 | When adding a check to backup that both sizes match, this would fail | ||
4457 | 8 | because of the size mismatch and not the behaviour that the test really | ||
4458 | 9 | wanted to test. | ||
4459 | 10 | |||
4460 | 11 | Fixes: a541fcc27c98b96da187c7d4573f3270f3ddd283 | ||
4461 | 12 | Signed-off-by: Kevin Wolf <kwolf@redhat.com> | ||
4462 | 13 | Message-Id: <20200430142755.315494-2-kwolf@redhat.com> | ||
4463 | 14 | Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | ||
4464 | 15 | Signed-off-by: Kevin Wolf <kwolf@redhat.com> | ||
4465 | 16 | (cherry picked from commit 813cc2545b82409fd504509f0ba2e96fab6edb9e) | ||
4466 | 17 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
4467 | 18 | |||
4468 | 19 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=4a0db6ba7d | ||
4469 | 20 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
4470 | 21 | Last-Update: 2020-08-19 | ||
4471 | 22 | |||
4472 | 23 | --- | ||
4473 | 24 | tests/qemu-iotests/283 | 6 +++++- | ||
4474 | 25 | tests/qemu-iotests/283.out | 2 +- | ||
4475 | 26 | 2 files changed, 6 insertions(+), 2 deletions(-) | ||
4476 | 27 | |||
4477 | 28 | diff --git a/tests/qemu-iotests/283 b/tests/qemu-iotests/283 | ||
4478 | 29 | index 293e557bd9..a82e3c8164 100644 | ||
4479 | 30 | --- a/tests/qemu-iotests/283 | ||
4480 | 31 | +++ b/tests/qemu-iotests/283 | ||
4481 | 32 | @@ -72,7 +72,11 @@ to check that crash is fixed :) | ||
4482 | 33 | vm = iotests.VM() | ||
4483 | 34 | vm.launch() | ||
4484 | 35 | |||
4485 | 36 | -vm.qmp_log('blockdev-add', **{'node-name': 'target', 'driver': 'null-co'}) | ||
4486 | 37 | +vm.qmp_log('blockdev-add', **{ | ||
4487 | 38 | + 'node-name': 'target', | ||
4488 | 39 | + 'driver': 'null-co', | ||
4489 | 40 | + 'size': size, | ||
4490 | 41 | +}) | ||
4491 | 42 | |||
4492 | 43 | vm.qmp_log('blockdev-add', **{ | ||
4493 | 44 | 'node-name': 'source', | ||
4494 | 45 | diff --git a/tests/qemu-iotests/283.out b/tests/qemu-iotests/283.out | ||
4495 | 46 | index daaf5828c1..d8cff22cc1 100644 | ||
4496 | 47 | --- a/tests/qemu-iotests/283.out | ||
4497 | 48 | +++ b/tests/qemu-iotests/283.out | ||
4498 | 49 | @@ -1,4 +1,4 @@ | ||
4499 | 50 | -{"execute": "blockdev-add", "arguments": {"driver": "null-co", "node-name": "target"}} | ||
4500 | 51 | +{"execute": "blockdev-add", "arguments": {"driver": "null-co", "node-name": "target", "size": 1048576}} | ||
4501 | 52 | {"return": {}} | ||
4502 | 53 | {"execute": "blockdev-add", "arguments": {"driver": "blkdebug", "image": {"driver": "null-co", "node-name": "base", "size": 1048576}, "node-name": "source"}} | ||
4503 | 54 | {"return": {}} | ||
4504 | 55 | -- | ||
4505 | 56 | 2.28.0 | ||
4506 | 57 | |||
4507 | diff --git a/debian/patches/stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch b/debian/patches/stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch | |||
4508 | 0 | new file mode 100644 | 58 | new file mode 100644 |
4509 | index 0000000..5bb67e9 | |||
4510 | --- /dev/null | |||
4511 | +++ b/debian/patches/stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch | |||
4512 | @@ -0,0 +1,42 @@ | |||
4513 | 1 | From 6772bba8a45cda8ab96f124bb148c3ec1f7a4234 Mon Sep 17 00:00:00 2001 | ||
4514 | 2 | From: Max Reitz <mreitz@redhat.com> | ||
4515 | 3 | Date: Wed, 18 Dec 2019 11:48:55 +0100 | ||
4516 | 4 | Subject: [PATCH] iotests: Fix IMGOPTSSYNTAX for nbd | ||
4517 | 5 | MIME-Version: 1.0 | ||
4518 | 6 | Content-Type: text/plain; charset=UTF-8 | ||
4519 | 7 | Content-Transfer-Encoding: 8bit | ||
4520 | 8 | |||
4521 | 9 | There is no $SOCKDIR, only $SOCK_DIR. | ||
4522 | 10 | |||
4523 | 11 | Fixes: f3923a72f199b2c63747a7032db74730546f55c6 | ||
4524 | 12 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
4525 | 13 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
4526 | 14 | Signed-off-by: Kevin Wolf <kwolf@redhat.com> | ||
4527 | 15 | (cherry picked from commit eb4ea9aaa0051054b3c148ad8631be7510851681) | ||
4528 | 16 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
4529 | 17 | |||
4530 | 18 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=6772bba8a4 | ||
4531 | 19 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
4532 | 20 | Last-Update: 2020-08-19 | ||
4533 | 21 | |||
4534 | 22 | --- | ||
4535 | 23 | tests/qemu-iotests/common.rc | 3 ++- | ||
4536 | 24 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
4537 | 25 | |||
4538 | 26 | diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc | ||
4539 | 27 | index 0cc8acc9ed..d3bf92031f 100644 | ||
4540 | 28 | --- a/tests/qemu-iotests/common.rc | ||
4541 | 29 | +++ b/tests/qemu-iotests/common.rc | ||
4542 | 30 | @@ -217,7 +217,8 @@ if [ "$IMGOPTSSYNTAX" = "true" ]; then | ||
4543 | 31 | TEST_IMG="$DRIVER,file.filename=$TEST_DIR/t.$IMGFMT" | ||
4544 | 32 | elif [ "$IMGPROTO" = "nbd" ]; then | ||
4545 | 33 | TEST_IMG_FILE=$TEST_DIR/t.$IMGFMT | ||
4546 | 34 | - TEST_IMG="$DRIVER,file.driver=nbd,file.type=unix,file.path=$SOCKDIR/nbd" | ||
4547 | 35 | + TEST_IMG="$DRIVER,file.driver=nbd,file.type=unix" | ||
4548 | 36 | + TEST_IMG="$TEST_IMG,file.path=$SOCK_DIR/nbd" | ||
4549 | 37 | elif [ "$IMGPROTO" = "ssh" ]; then | ||
4550 | 38 | TEST_IMG_FILE=$TEST_DIR/t.$IMGFMT | ||
4551 | 39 | TEST_IMG="$DRIVER,file.driver=ssh,file.host=127.0.0.1,file.path=$TEST_IMG_FILE" | ||
4552 | 40 | -- | ||
4553 | 41 | 2.28.0 | ||
4554 | 42 | |||
4555 | diff --git a/debian/patches/stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch b/debian/patches/stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch | |||
4556 | 0 | new file mode 100644 | 43 | new file mode 100644 |
4557 | index 0000000..720412c | |||
4558 | --- /dev/null | |||
4559 | +++ b/debian/patches/stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch | |||
4560 | @@ -0,0 +1,69 @@ | |||
4561 | 1 | From c6decabc4a30b841e031a838206286db6ad343bc Mon Sep 17 00:00:00 2001 | ||
4562 | 2 | From: Eric Blake <eblake@redhat.com> | ||
4563 | 3 | Date: Wed, 26 Feb 2020 06:54:24 -0600 | ||
4564 | 4 | Subject: [PATCH] iotests: Fix nonportable use of od --endian | ||
4565 | 5 | |||
4566 | 6 | Tests 261 and 272 fail on RHEL 7 with coreutils 8.22, since od | ||
4567 | 7 | --endian was not added until coreutils 8.23. Fix this by manually | ||
4568 | 8 | constructing the final value one byte at a time. | ||
4569 | 9 | |||
4570 | 10 | Fixes: fc8ba423 | ||
4571 | 11 | Reported-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com> | ||
4572 | 12 | Signed-off-by: Eric Blake <eblake@redhat.com> | ||
4573 | 13 | Reviewed-by: Max Reitz <mreitz@redhat.com> | ||
4574 | 14 | Message-Id: <20200226125424.481840-1-eblake@redhat.com> | ||
4575 | 15 | Signed-off-by: Max Reitz <mreitz@redhat.com> | ||
4576 | 16 | (cherry picked from commit 69135eb30b9c3fca583737a96df015174dc8e6dd) | ||
4577 | 17 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
4578 | 18 | |||
4579 | 19 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=c6decabc4a | ||
4580 | 20 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
4581 | 21 | Last-Update: 2020-08-19 | ||
4582 | 22 | |||
4583 | 23 | --- | ||
4584 | 24 | tests/qemu-iotests/common.rc | 22 +++++++++++++++++----- | ||
4585 | 25 | 1 file changed, 17 insertions(+), 5 deletions(-) | ||
4586 | 26 | |||
4587 | 27 | diff --git a/tests/qemu-iotests/common.rc b/tests/qemu-iotests/common.rc | ||
4588 | 28 | index d3bf92031f..538eb349e6 100644 | ||
4589 | 29 | --- a/tests/qemu-iotests/common.rc | ||
4590 | 30 | +++ b/tests/qemu-iotests/common.rc | ||
4591 | 31 | @@ -56,18 +56,30 @@ poke_file() | ||
4592 | 32 | # peek_file_le 'test.img' 512 2 => 65534 | ||
4593 | 33 | peek_file_le() | ||
4594 | 34 | { | ||
4595 | 35 | - # Wrap in echo $() to strip spaces | ||
4596 | 36 | - echo $(od -j"$2" -N"$3" --endian=little -An -vtu"$3" "$1") | ||
4597 | 37 | + local val=0 shift=0 byte | ||
4598 | 38 | + | ||
4599 | 39 | + # coreutils' od --endian is not portable, so manually assemble bytes. | ||
4600 | 40 | + for byte in $(od -j"$2" -N"$3" -An -v -tu1 "$1"); do | ||
4601 | 41 | + val=$(( val | (byte << shift) )) | ||
4602 | 42 | + shift=$((shift + 8)) | ||
4603 | 43 | + done | ||
4604 | 44 | + printf %llu $val | ||
4605 | 45 | } | ||
4606 | 46 | |||
4607 | 47 | # peek_file_be 'test.img' 512 2 => 65279 | ||
4608 | 48 | peek_file_be() | ||
4609 | 49 | { | ||
4610 | 50 | - # Wrap in echo $() to strip spaces | ||
4611 | 51 | - echo $(od -j"$2" -N"$3" --endian=big -An -vtu"$3" "$1") | ||
4612 | 52 | + local val=0 byte | ||
4613 | 53 | + | ||
4614 | 54 | + # coreutils' od --endian is not portable, so manually assemble bytes. | ||
4615 | 55 | + for byte in $(od -j"$2" -N"$3" -An -v -tu1 "$1"); do | ||
4616 | 56 | + val=$(( (val << 8) | byte )) | ||
4617 | 57 | + done | ||
4618 | 58 | + printf %llu $val | ||
4619 | 59 | } | ||
4620 | 60 | |||
4621 | 61 | -# peek_file_raw 'test.img' 512 2 => '\xff\xfe' | ||
4622 | 62 | +# peek_file_raw 'test.img' 512 2 => '\xff\xfe'. Do not use if the raw data | ||
4623 | 63 | +# is likely to contain \0 or trailing \n. | ||
4624 | 64 | peek_file_raw() | ||
4625 | 65 | { | ||
4626 | 66 | dd if="$1" bs=1 skip="$2" count="$3" status=none | ||
4627 | 67 | -- | ||
4628 | 68 | 2.28.0 | ||
4629 | 69 | |||
4630 | diff --git a/debian/patches/stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch b/debian/patches/stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch | |||
4631 | 0 | new file mode 100644 | 70 | new file mode 100644 |
4632 | index 0000000..7f2bb10 | |||
4633 | --- /dev/null | |||
4634 | +++ b/debian/patches/stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch | |||
4635 | @@ -0,0 +1,71 @@ | |||
4636 | 1 | From 373fd948ab33b6e74b227cd62d4ccc4c17417473 Mon Sep 17 00:00:00 2001 | ||
4637 | 2 | From: Kevin Wolf <kwolf@redhat.com> | ||
4638 | 3 | Date: Tue, 11 Feb 2020 10:49:00 +0100 | ||
4639 | 4 | Subject: [PATCH] iotests: Test copy offloading with external data file | ||
4640 | 5 | |||
4641 | 6 | This adds a test for 'qemu-img convert' with copy offloading where the | ||
4642 | 7 | target image has an external data file. If the test hosts supports it, | ||
4643 | 8 | it tests both the case where copy offloading is supported and the case | ||
4644 | 9 | where it isn't (otherwise we just test unsupported twice). | ||
4645 | 10 | |||
4646 | 11 | More specifically, the case with unsupported copy offloading tests | ||
4647 | 12 | qcow2_alloc_cluster_abort() with external data files. | ||
4648 | 13 | |||
4649 | 14 | Signed-off-by: Kevin Wolf <kwolf@redhat.com> | ||
4650 | 15 | Message-Id: <20200211094900.17315-4-kwolf@redhat.com> | ||
4651 | 16 | Signed-off-by: Kevin Wolf <kwolf@redhat.com> | ||
4652 | 17 | (cherry picked from commit a0cf8daf77548786ced84d773f06fc70571c5d38) | ||
4653 | 18 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
4654 | 19 | |||
4655 | 20 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=373fd948ab | ||
4656 | 21 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
4657 | 22 | Last-Update: 2020-08-19 | ||
4658 | 23 | |||
4659 | 24 | --- | ||
4660 | 25 | tests/qemu-iotests/244 | 14 ++++++++++++++ | ||
4661 | 26 | tests/qemu-iotests/244.out | 6 ++++++ | ||
4662 | 27 | 2 files changed, 20 insertions(+) | ||
4663 | 28 | |||
4664 | 29 | diff --git a/tests/qemu-iotests/244 b/tests/qemu-iotests/244 | ||
4665 | 30 | index 13978f93d2..2f5dfb9edd 100755 | ||
4666 | 31 | --- a/tests/qemu-iotests/244 | ||
4667 | 32 | +++ b/tests/qemu-iotests/244 | ||
4668 | 33 | @@ -194,6 +194,20 @@ $QEMU_IO -c 'read -P 0x11 0 1M' -f $IMGFMT "$TEST_IMG" | _filter_qemu_io | ||
4669 | 34 | $QEMU_IMG map --output=human "$TEST_IMG" | _filter_testdir | ||
4670 | 35 | $QEMU_IMG map --output=json "$TEST_IMG" | ||
4671 | 36 | |||
4672 | 37 | +echo | ||
4673 | 38 | +echo "=== Copy offloading ===" | ||
4674 | 39 | +echo | ||
4675 | 40 | + | ||
4676 | 41 | +# Make use of copy offloading if the test host can provide it | ||
4677 | 42 | +_make_test_img -o "data_file=$TEST_IMG.data" 64M | ||
4678 | 43 | +$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG" | ||
4679 | 44 | +$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG" | ||
4680 | 45 | + | ||
4681 | 46 | +# blkdebug doesn't support copy offloading, so this tests the error path | ||
4682 | 47 | +$QEMU_IMG amend -f $IMGFMT -o "data_file=blkdebug::$TEST_IMG.data" "$TEST_IMG" | ||
4683 | 48 | +$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG" | ||
4684 | 49 | +$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG" | ||
4685 | 50 | + | ||
4686 | 51 | # success, all done | ||
4687 | 52 | echo "*** done" | ||
4688 | 53 | rm -f $seq.full | ||
4689 | 54 | diff --git a/tests/qemu-iotests/244.out b/tests/qemu-iotests/244.out | ||
4690 | 55 | index 6a3d0067cc..e6f4dc7993 100644 | ||
4691 | 56 | --- a/tests/qemu-iotests/244.out | ||
4692 | 57 | +++ b/tests/qemu-iotests/244.out | ||
4693 | 58 | @@ -122,4 +122,10 @@ Offset Length Mapped to File | ||
4694 | 59 | 0 0x100000 0 TEST_DIR/t.qcow2.data | ||
4695 | 60 | [{ "start": 0, "length": 1048576, "depth": 0, "zero": false, "data": true, "offset": 0}, | ||
4696 | 61 | { "start": 1048576, "length": 66060288, "depth": 0, "zero": true, "data": false}] | ||
4697 | 62 | + | ||
4698 | 63 | +=== Copy offloading === | ||
4699 | 64 | + | ||
4700 | 65 | +Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 data_file=TEST_DIR/t.IMGFMT.data | ||
4701 | 66 | +Images are identical. | ||
4702 | 67 | +Images are identical. | ||
4703 | 68 | *** done | ||
4704 | 69 | -- | ||
4705 | 70 | 2.28.0 | ||
4706 | 71 | |||
4707 | diff --git a/debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch b/debian/patches/stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch | |||
4708 | 0 | similarity index 85% | 72 | similarity index 85% |
4709 | 1 | rename from debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch | 73 | rename from debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch |
4710 | 2 | rename to debian/patches/stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch | 74 | rename to debian/patches/stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch |
4711 | index 790c5d4..8aa1367 100644 | |||
4712 | --- a/debian/patches/stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch | |||
4713 | +++ b/debian/patches/stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch | |||
4714 | @@ -1,4 +1,4 @@ | |||
4716 | 1 | From a541fcc27c98b96da187c7d4573f3270f3ddd283 Mon Sep 17 00:00:00 2001 | 1 | From 8952da32c36b8d457d0ebe28c252a7eeab68f127 Mon Sep 17 00:00:00 2001 |
4717 | 2 | From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | 2 | From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> |
4718 | 3 | Date: Tue, 21 Jan 2020 17:28:02 +0300 | 3 | Date: Tue, 21 Jan 2020 17:28:02 +0300 |
4719 | 4 | Subject: [PATCH] iotests: add test for backup-top failure on permission | 4 | Subject: [PATCH] iotests: add test for backup-top failure on permission |
4720 | @@ -10,10 +10,12 @@ Cc: qemu-stable@nongnu.org # v4.2.0 | |||
4721 | 10 | Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | 10 | Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> |
4722 | 11 | Message-id: 20200121142802.21467-3-vsementsov@virtuozzo.com | 11 | Message-id: 20200121142802.21467-3-vsementsov@virtuozzo.com |
4723 | 12 | Signed-off-by: Max Reitz <mreitz@redhat.com> | 12 | Signed-off-by: Max Reitz <mreitz@redhat.com> |
4724 | 13 | (cherry picked from commit a541fcc27c98b96da187c7d4573f3270f3ddd283) | ||
4725 | 14 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
4726 | 13 | 15 | ||
4730 | 14 | Origin: backport, https://git.qemu.org/?p=qemu.git;a=commit;h=a541fcc27c98b96da187c7d4573f3270f3ddd283 | 16 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=8952da32c3 |
4731 | 15 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1867519 | 17 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 |
4732 | 16 | Last-Update: 2020-03-18 | 18 | Last-Update: 2020-08-19 |
4733 | 17 | 19 | ||
4734 | 18 | --- | 20 | --- |
4735 | 19 | tests/qemu-iotests/283 | 92 ++++++++++++++++++++++++++++++++++++++ | 21 | tests/qemu-iotests/283 | 92 ++++++++++++++++++++++++++++++++++++++ |
4736 | @@ -23,6 +25,9 @@ Last-Update: 2020-03-18 | |||
4737 | 23 | create mode 100644 tests/qemu-iotests/283 | 25 | create mode 100644 tests/qemu-iotests/283 |
4738 | 24 | create mode 100644 tests/qemu-iotests/283.out | 26 | create mode 100644 tests/qemu-iotests/283.out |
4739 | 25 | 27 | ||
4740 | 28 | diff --git a/tests/qemu-iotests/283 b/tests/qemu-iotests/283 | ||
4741 | 29 | new file mode 100644 | ||
4742 | 30 | index 0000000000..293e557bd9 | ||
4743 | 26 | --- /dev/null | 31 | --- /dev/null |
4744 | 27 | +++ b/tests/qemu-iotests/283 | 32 | +++ b/tests/qemu-iotests/283 |
4745 | 28 | @@ -0,0 +1,92 @@ | 33 | @@ -0,0 +1,92 @@ |
4746 | @@ -118,6 +123,9 @@ Last-Update: 2020-03-18 | |||
4747 | 118 | +vm.qmp_log('blockdev-backup', sync='full', device='source', target='target') | 123 | +vm.qmp_log('blockdev-backup', sync='full', device='source', target='target') |
4748 | 119 | + | 124 | + |
4749 | 120 | +vm.shutdown() | 125 | +vm.shutdown() |
4750 | 126 | diff --git a/tests/qemu-iotests/283.out b/tests/qemu-iotests/283.out | ||
4751 | 127 | new file mode 100644 | ||
4752 | 128 | index 0000000000..daaf5828c1 | ||
4753 | 121 | --- /dev/null | 129 | --- /dev/null |
4754 | 122 | +++ b/tests/qemu-iotests/283.out | 130 | +++ b/tests/qemu-iotests/283.out |
4755 | 123 | @@ -0,0 +1,8 @@ | 131 | @@ -0,0 +1,8 @@ |
4756 | @@ -129,10 +137,15 @@ Last-Update: 2020-03-18 | |||
4757 | 129 | +{"return": {}} | 137 | +{"return": {}} |
4758 | 130 | +{"execute": "blockdev-backup", "arguments": {"device": "source", "sync": "full", "target": "target"}} | 138 | +{"execute": "blockdev-backup", "arguments": {"device": "source", "sync": "full", "target": "target"}} |
4759 | 131 | +{"error": {"class": "GenericError", "desc": "Cannot set permissions for backup-top filter: Conflicts with use by other as 'image', which uses 'write' on base"}} | 139 | +{"error": {"class": "GenericError", "desc": "Cannot set permissions for backup-top filter: Conflicts with use by other as 'image', which uses 'write' on base"}} |
4760 | 140 | diff --git a/tests/qemu-iotests/group b/tests/qemu-iotests/group | ||
4761 | 141 | index 2dc8a6e572..f5e0bf86ce 100644 | ||
4762 | 132 | --- a/tests/qemu-iotests/group | 142 | --- a/tests/qemu-iotests/group |
4763 | 133 | +++ b/tests/qemu-iotests/group | 143 | +++ b/tests/qemu-iotests/group |
4766 | 134 | @@ -286,3 +286,4 @@ | 144 | @@ -287,3 +287,4 @@ |
4765 | 135 | 272 rw | ||
4767 | 136 | 273 backing quick | 145 | 273 backing quick |
4768 | 137 | 277 rw quick | 146 | 277 rw quick |
4769 | 147 | 289 rw quick | ||
4770 | 138 | +283 auto quick | 148 | +283 auto quick |
4771 | 149 | -- | ||
4772 | 150 | 2.28.0 | ||
4773 | 151 | |||
4774 | diff --git a/debian/patches/stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch b/debian/patches/stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch | |||
4775 | 139 | new file mode 100644 | 152 | new file mode 100644 |
4776 | index 0000000..1fa7179 | |||
4777 | --- /dev/null | |||
4778 | +++ b/debian/patches/stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch | |||
4779 | @@ -0,0 +1,108 @@ | |||
4780 | 1 | From c44015c50c741ebc267e022542fc110ea97197a0 Mon Sep 17 00:00:00 2001 | ||
4781 | 2 | From: Laurent Vivier <laurent@vivier.eu> | ||
4782 | 3 | Date: Thu, 16 Jan 2020 17:54:54 +0100 | ||
4783 | 4 | Subject: [PATCH] m68k: Fix regression causing Single-Step via GDB/RSP to not | ||
4784 | 5 | single step | ||
4785 | 6 | |||
4786 | 7 | A regression that was introduced, with the refactor to TranslatorOps, | ||
4787 | 8 | drops two lines that update the PC when single-stepping is being performed. | ||
4788 | 9 | |||
4789 | 10 | Fixes: 11ab74b01e0a ("target/m68k: Convert to TranslatorOps") | ||
4790 | 11 | Reported-by: Lucien Murray-Pitts <lucienmp_antispam@yahoo.com> | ||
4791 | 12 | Suggested-by: Lucien Murray-Pitts <lucienmp_antispam@yahoo.com> | ||
4792 | 13 | Suggested-by: Richard Henderson <richard.henderson@linaro.org> | ||
4793 | 14 | Reviewed-by: Richard Henderson <richard.henderson@linaro.org> | ||
4794 | 15 | Signed-off-by: Laurent Vivier <laurent@vivier.eu> | ||
4795 | 16 | Message-Id: <20200116165454.2076265-1-laurent@vivier.eu> | ||
4796 | 17 | (cherry picked from commit 322f244aaa80a5208090d41481c1c09c6face66b) | ||
4797 | 18 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
4798 | 19 | |||
4799 | 20 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=c44015c50c | ||
4800 | 21 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
4801 | 22 | Last-Update: 2020-08-19 | ||
4802 | 23 | |||
4803 | 24 | --- | ||
4804 | 25 | target/m68k/translate.c | 42 ++++++++++++++++++++++++++--------------- | ||
4805 | 26 | 1 file changed, 27 insertions(+), 15 deletions(-) | ||
4806 | 27 | |||
4807 | 28 | diff --git a/target/m68k/translate.c b/target/m68k/translate.c | ||
4808 | 29 | index fcdb7bc8e4..16fae5ac9e 100644 | ||
4809 | 30 | --- a/target/m68k/translate.c | ||
4810 | 31 | +++ b/target/m68k/translate.c | ||
4811 | 32 | @@ -289,16 +289,21 @@ static void gen_jmp(DisasContext *s, TCGv dest) | ||
4812 | 33 | s->base.is_jmp = DISAS_JUMP; | ||
4813 | 34 | } | ||
4814 | 35 | |||
4815 | 36 | -static void gen_exception(DisasContext *s, uint32_t dest, int nr) | ||
4816 | 37 | +static void gen_raise_exception(int nr) | ||
4817 | 38 | { | ||
4818 | 39 | TCGv_i32 tmp; | ||
4819 | 40 | |||
4820 | 41 | - update_cc_op(s); | ||
4821 | 42 | - tcg_gen_movi_i32(QREG_PC, dest); | ||
4822 | 43 | - | ||
4823 | 44 | tmp = tcg_const_i32(nr); | ||
4824 | 45 | gen_helper_raise_exception(cpu_env, tmp); | ||
4825 | 46 | tcg_temp_free_i32(tmp); | ||
4826 | 47 | +} | ||
4827 | 48 | + | ||
4828 | 49 | +static void gen_exception(DisasContext *s, uint32_t dest, int nr) | ||
4829 | 50 | +{ | ||
4830 | 51 | + update_cc_op(s); | ||
4831 | 52 | + tcg_gen_movi_i32(QREG_PC, dest); | ||
4832 | 53 | + | ||
4833 | 54 | + gen_raise_exception(nr); | ||
4834 | 55 | |||
4835 | 56 | s->base.is_jmp = DISAS_NORETURN; | ||
4836 | 57 | } | ||
4837 | 58 | @@ -6198,29 +6203,36 @@ static void m68k_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu) | ||
4838 | 59 | { | ||
4839 | 60 | DisasContext *dc = container_of(dcbase, DisasContext, base); | ||
4840 | 61 | |||
4841 | 62 | - if (dc->base.is_jmp == DISAS_NORETURN) { | ||
4842 | 63 | - return; | ||
4843 | 64 | - } | ||
4844 | 65 | - if (dc->base.singlestep_enabled) { | ||
4845 | 66 | - gen_helper_raise_exception(cpu_env, tcg_const_i32(EXCP_DEBUG)); | ||
4846 | 67 | - return; | ||
4847 | 68 | - } | ||
4848 | 69 | - | ||
4849 | 70 | switch (dc->base.is_jmp) { | ||
4850 | 71 | + case DISAS_NORETURN: | ||
4851 | 72 | + break; | ||
4852 | 73 | case DISAS_TOO_MANY: | ||
4853 | 74 | update_cc_op(dc); | ||
4854 | 75 | - gen_jmp_tb(dc, 0, dc->pc); | ||
4855 | 76 | + if (dc->base.singlestep_enabled) { | ||
4856 | 77 | + tcg_gen_movi_i32(QREG_PC, dc->pc); | ||
4857 | 78 | + gen_raise_exception(EXCP_DEBUG); | ||
4858 | 79 | + } else { | ||
4859 | 80 | + gen_jmp_tb(dc, 0, dc->pc); | ||
4860 | 81 | + } | ||
4861 | 82 | break; | ||
4862 | 83 | case DISAS_JUMP: | ||
4863 | 84 | /* We updated CC_OP and PC in gen_jmp/gen_jmp_im. */ | ||
4864 | 85 | - tcg_gen_lookup_and_goto_ptr(); | ||
4865 | 86 | + if (dc->base.singlestep_enabled) { | ||
4866 | 87 | + gen_raise_exception(EXCP_DEBUG); | ||
4867 | 88 | + } else { | ||
4868 | 89 | + tcg_gen_lookup_and_goto_ptr(); | ||
4869 | 90 | + } | ||
4870 | 91 | break; | ||
4871 | 92 | case DISAS_EXIT: | ||
4872 | 93 | /* | ||
4873 | 94 | * We updated CC_OP and PC in gen_exit_tb, but also modified | ||
4874 | 95 | * other state that may require returning to the main loop. | ||
4875 | 96 | */ | ||
4876 | 97 | - tcg_gen_exit_tb(NULL, 0); | ||
4877 | 98 | + if (dc->base.singlestep_enabled) { | ||
4878 | 99 | + gen_raise_exception(EXCP_DEBUG); | ||
4879 | 100 | + } else { | ||
4880 | 101 | + tcg_gen_exit_tb(NULL, 0); | ||
4881 | 102 | + } | ||
4882 | 103 | break; | ||
4883 | 104 | default: | ||
4884 | 105 | g_assert_not_reached(); | ||
4885 | 106 | -- | ||
4886 | 107 | 2.28.0 | ||
4887 | 108 | |||
4888 | diff --git a/debian/patches/stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch b/debian/patches/stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch | |||
4889 | 0 | new file mode 100644 | 109 | new file mode 100644 |
4890 | index 0000000..06e962f | |||
4891 | --- /dev/null | |||
4892 | +++ b/debian/patches/stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch | |||
4893 | @@ -0,0 +1,157 @@ | |||
4894 | 1 | From 52771abbfa6775db8843f2ee365d45be169887cd Mon Sep 17 00:00:00 2001 | ||
4895 | 2 | From: "Dr. David Alan Gilbert" <dgilbert@redhat.com> | ||
4896 | 3 | Date: Thu, 5 Dec 2019 10:29:18 +0000 | ||
4897 | 4 | Subject: [PATCH] migration: Rate limit inside host pages | ||
4898 | 5 | |||
4899 | 6 | When using hugepages, rate limiting is necessary within each huge | ||
4900 | 7 | page, since a 1G huge page can take a significant time to send, so | ||
4901 | 8 | you end up with bursty behaviour. | ||
4902 | 9 | |||
4903 | 10 | Fixes: 4c011c37ecb3 ("postcopy: Send whole huge pages") | ||
4904 | 11 | Reported-by: Lin Ma <LMa@suse.com> | ||
4905 | 12 | Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> | ||
4906 | 13 | Reviewed-by: Juan Quintela <quintela@redhat.com> | ||
4907 | 14 | Reviewed-by: Peter Xu <peterx@redhat.com> | ||
4908 | 15 | Signed-off-by: Juan Quintela <quintela@redhat.com> | ||
4909 | 16 | (cherry picked from commit 97e1e06780e70f6e98a0d2df881e0c0927d3aeb6) | ||
4910 | 17 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
4911 | 18 | |||
4912 | 19 | Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=52771abbfa | ||
4913 | 20 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877 | ||
4914 | 21 | Last-Update: 2020-08-19 | ||
4915 | 22 | |||
4916 | 23 | --- | ||
4917 | 24 | migration/migration.c | 57 ++++++++++++++++++++++++------------------ | ||
4918 | 25 | migration/migration.h | 1 + | ||
4919 | 26 | migration/ram.c | 2 ++ | ||
4920 | 27 | migration/trace-events | 4 +-- | ||
4921 | 28 | 4 files changed, 37 insertions(+), 27 deletions(-) | ||
4922 | 29 | |||
4923 | 30 | diff --git a/migration/migration.c b/migration/migration.c | ||
4924 | 31 | index 354ad072fa..27500d09a9 100644 | ||
4925 | 32 | --- a/migration/migration.c | ||
4926 | 33 | +++ b/migration/migration.c | ||
4927 | 34 | @@ -3224,6 +3224,37 @@ void migration_consume_urgent_request(void) | ||
4928 | 35 | qemu_sem_wait(&migrate_get_current()->rate_limit_sem); | ||
4929 | 36 | } | ||
4930 | 37 | |||
4931 | 38 | +/* Returns true if the rate limiting was broken by an urgent request */ | ||
4932 | 39 | +bool migration_rate_limit(void) | ||
4933 | 40 | +{ | ||
4934 | 41 | + int64_t now = qemu_clock_get_ms(QEMU_CLOCK_REALTIME); | ||
4935 | 42 | + MigrationState *s = migrate_get_current(); | ||
4936 | 43 | + | ||
4937 | 44 | + bool urgent = false; | ||
4938 | 45 | + migration_update_counters(s, now); | ||
4939 | 46 | + if (qemu_file_rate_limit(s->to_dst_file)) { | ||
4940 | 47 | + /* | ||
4941 | 48 | + * Wait for a delay to do rate limiting OR | ||
4942 | 49 | + * something urgent to post the semaphore. | ||
4943 | 50 | + */ | ||
4944 | 51 | + int ms = s->iteration_start_time + BUFFER_DELAY - now; | ||
4945 | 52 | + trace_migration_rate_limit_pre(ms); | ||
4946 | 53 | + if (qemu_sem_timedwait(&s->rate_limit_sem, ms) == 0) { | ||
4947 | 54 | + /* | ||
4948 | 55 | + * We were woken by one or more urgent things but | ||
4949 | 56 | + * the timedwait will have consumed one of them. | ||
4950 | 57 | + * The service routine for the urgent wake will dec | ||
4951 | 58 | + * the semaphore itself for each item it consumes, | ||
4952 | 59 | + * so add this one we just eat back. | ||
4953 | 60 | + */ | ||
4954 | 61 | + qemu_sem_post(&s->rate_limit_sem); | ||
4955 | 62 | + urgent = true; | ||
4956 | 63 | + } | ||
4957 | 64 | + trace_migration_rate_limit_post(urgent); | ||
4958 | 65 | + } | ||
4959 | 66 | + return urgent; | ||
4960 | 67 | +} | ||
4961 | 68 | + | ||
4962 | 69 | /* | ||
4963 | 70 | * Master migration thread on the source VM. | ||
4964 | 71 | * It drives the migration and pumps the data down the outgoing channel. | ||
4965 | 72 | @@ -3290,8 +3321,6 @@ static void *migration_thread(void *opaque) | ||
4966 | 73 | trace_migration_thread_setup_complete(); | ||
4967 | 74 | |||
4968 | 75 | while (migration_is_active(s)) { | ||
4969 | 76 | - int64_t current_time; | ||
4970 | 77 | - | ||
4971 | 78 | if (urgent || !qemu_file_rate_limit(s->to_dst_file)) { | ||
4972 | 79 | MigIterateState iter_state = migration_iteration_run(s); | ||
4973 | 80 | if (iter_state == MIG_ITERATE_SKIP) { | ||
4974 | 81 | @@ -3318,29 +3347,7 @@ static void *migration_thread(void *opaque) | ||
4975 | 82 | update_iteration_initial_status(s); | ||
4976 | 83 | } | ||
4977 | 84 | |||
4978 | 85 | - current_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME); | ||
4979 | 86 | - | ||
4980 | 87 | - migration_update_counters(s, current_time); | ||
4981 | 88 | - | ||
4982 | 89 | - urgent = false; | ||
4983 | 90 | - if (qemu_file_rate_limit(s->to_dst_file)) { | ||
4984 | 91 | - /* Wait for a delay to do rate limiting OR | ||
4985 | 92 | - * something urgent to post the semaphore. | ||
4986 | 93 | - */ | ||
4987 | 94 | - int ms = s->iteration_start_time + BUFFER_DELAY - current_time; | ||
4988 | 95 | - trace_migration_thread_ratelimit_pre(ms); | ||
4989 | 96 | - if (qemu_sem_timedwait(&s->rate_limit_sem, ms) == 0) { | ||
4990 | 97 | - /* We were worken by one or more urgent things but | ||
4991 | 98 | - * the timedwait will have consumed one of them. | ||
4992 | 99 | - * The service routine for the urgent wake will dec | ||
4993 | 100 | - * the semaphore itself for each item it consumes, | ||
4994 | 101 | - * so add this one we just eat back. | ||
4995 | 102 | - */ | ||
4996 | 103 | - qemu_sem_post(&s->rate_limit_sem); | ||
4997 | 104 | - urgent = true; | ||
4998 | 105 | - } | ||
4999 | 106 | - trace_migration_thread_ratelimit_post(urgent); | ||
5000 | 107 | - } |
PPA: https:/ /launchpad. net/~ci- train-ppa- service/ +archive/ ubuntu/ 4215/+packages
PPA that contains version 6.4 https:/ /launchpad. net/~ubuntu- security- proposed/ +archive/ ubuntu/ ppa
I'll rebase it once 6.4 is released and got imported - but the content won't change.
SRU templates in the bug added and other than review + regression test good to go IMHO.