Merge ~paelzer/ubuntu/+source/qemu:focal-SRU-august2020-1890154-1883984-1891203-1891877 into ubuntu/+source/qemu:ubuntu/focal-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 74968e83c5c627c29f7a6cb802086ae93622aeca
Merge reported by: Christian Ehrhardt 
Merged at revision: 74968e83c5c627c29f7a6cb802086ae93622aeca
Proposed branch: ~paelzer/ubuntu/+source/qemu:focal-SRU-august2020-1890154-1883984-1891203-1891877
Merge into: ubuntu/+source/qemu:ubuntu/focal-devel
Diff against target: 10691 lines (+9839/-7)
133 files modified
debian/changelog (+86/-0)
debian/patches/series (+131/-1)
debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch (+74/-0)
debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch (+91/-0)
debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch (+49/-0)
debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch (+43/-0)
debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch (+44/-0)
debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch (+67/-0)
debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch (+41/-0)
debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch (+65/-0)
debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch (+43/-0)
debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch (+77/-0)
debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch (+24/-0)
debian/patches/stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch (+209/-0)
debian/patches/stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch (+87/-0)
debian/patches/stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch (+41/-0)
debian/patches/stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch (+100/-0)
debian/patches/stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch (+58/-0)
debian/patches/stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch (+55/-0)
debian/patches/stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch (+122/-0)
debian/patches/stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch (+68/-0)
debian/patches/stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch (+49/-0)
debian/patches/stable/lp-1891877-display-bochs-display-fix-memory-leak.patch (+42/-0)
debian/patches/stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch (+52/-0)
debian/patches/stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch (+167/-0)
debian/patches/stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch (+71/-0)
debian/patches/stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch (+56/-0)
debian/patches/stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch (+55/-0)
debian/patches/stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch (+45/-0)
debian/patches/stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch (+51/-0)
debian/patches/stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch (+137/-0)
debian/patches/stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch (+68/-0)
debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch (+57/-0)
debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch (+98/-0)
debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch (+113/-0)
debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch (+75/-0)
debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch (+60/-0)
debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch (+51/-0)
debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch (+54/-0)
debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch (+61/-0)
debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch (+59/-0)
debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch (+83/-0)
debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch (+59/-0)
debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch (+63/-0)
debian/patches/stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch (+52/-0)
debian/patches/stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch (+55/-0)
debian/patches/stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch (+58/-0)
debian/patches/stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch (+49/-0)
debian/patches/stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch (+66/-0)
debian/patches/stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch (+91/-0)
debian/patches/stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch (+99/-0)
debian/patches/stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch (+232/-0)
debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch (+107/-0)
debian/patches/stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch (+97/-0)
debian/patches/stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch (+57/-0)
debian/patches/stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch (+42/-0)
debian/patches/stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch (+69/-0)
debian/patches/stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch (+71/-0)
debian/patches/stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch (+19/-6)
debian/patches/stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch (+108/-0)
debian/patches/stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch (+157/-0)
debian/patches/stable/lp-1891877-migration-colo-fix-use-after-free-of-local_err.patch (+39/-0)
debian/patches/stable/lp-1891877-migration-ram-fix-use-after-free-of-local_err.patch (+39/-0)
debian/patches/stable/lp-1891877-migration-test-ppc64-fix-FORTH-test-program.patch (+67/-0)
debian/patches/stable/lp-1891877-net-Do-not-include-a-newline-in-the-id-of-nic-device.patch (+43/-0)
debian/patches/stable/lp-1891877-numa-properly-check-if-numa-is-supported.patch (+75/-0)
debian/patches/stable/lp-1891877-numa-remove-not-needed-check.patch (+52/-0)
debian/patches/stable/lp-1891877-ppc-ppc405_boards-Remove-unnecessary-NULL-check.patch (+63/-0)
debian/patches/stable/lp-1891877-qapi-better-document-NVMe-blockdev-device-parameter.patch (+49/-0)
debian/patches/stable/lp-1891877-qcow2-List-autoclear-bit-names-in-header.patch (+208/-0)
debian/patches/stable/lp-1891877-qcow2-update_refcount-Reset-old_table_index-after-qc.patch (+43/-0)
debian/patches/stable/lp-1891877-qemu-ga-document-vsock-listen-in-the-man-page.patch (+70/-0)
debian/patches/stable/lp-1891877-qemu-nbd-Close-inherited-stderr.patch (+46/-0)
debian/patches/stable/lp-1891877-qga-Fix-undefined-C-behavior.patch (+53/-0)
debian/patches/stable/lp-1891877-qga-Installer-Wait-for-installation-to-finish.patch (+42/-0)
debian/patches/stable/lp-1891877-qga-win-Handle-VSS_E_PROVIDER_ALREADY_REGISTERED-err.patch (+47/-0)
debian/patches/stable/lp-1891877-qga-win-prevent-crash-when-executing-guest-file-read.patch (+55/-0)
debian/patches/stable/lp-1891877-runstate-ignore-finishmigrate-prelaunch-transition.patch (+69/-0)
debian/patches/stable/lp-1891877-s390x-adapter-routes-error-handling.patch (+84/-0)
debian/patches/stable/lp-1891877-scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch (+102/-0)
debian/patches/stable/lp-1891877-sheepdog-Consistently-set-bdrv_has_zero_init_truncat.patch (+54/-0)
debian/patches/stable/lp-1891877-spapr-Fix-failure-path-for-attempting-to-hot-unplug-.patch (+42/-0)
debian/patches/stable/lp-1891877-target-arm-Clear-tail-in-gvec_fmul_idx_-gvec_fmla_id.patch (+47/-0)
debian/patches/stable/lp-1891877-target-arm-Correct-definition-of-PMCRDP.patch (+47/-0)
debian/patches/stable/lp-1891877-target-arm-fix-TCG-leak-for-fcvt-half-double.patch (+54/-0)
debian/patches/stable/lp-1891877-target-arm-monitor-query-cpu-model-expansion-crashed.patch (+66/-0)
debian/patches/stable/lp-1891877-target-ppc-Fix-mtmsr-d-L-1-variant-that-loses-interr.patch (+163/-0)
debian/patches/stable/lp-1891877-target-ppc-Fix-rlwinm-on-ppc64.patch (+67/-0)
debian/patches/stable/lp-1891877-target-xtensa-fix-pasto-in-pfwait.r-opcode-name.patch (+36/-0)
debian/patches/stable/lp-1891877-tcg-i386-Fix-INDEX_op_dup2_vec.patch (+45/-0)
debian/patches/stable/lp-1891877-tcg-mips-mips-sync-encode-error.patch (+57/-0)
debian/patches/stable/lp-1891877-tests-fix-modules-test-duplicate-test-case-error.patch (+54/-0)
debian/patches/stable/lp-1891877-tests-ide-test-Create-a-single-unit-test-covering-mo.patch (+228/-0)
debian/patches/stable/lp-1891877-vhost-user-blk-delete-virtioqueues-in-unrealize-to-f.patch (+75/-0)
debian/patches/stable/lp-1891877-vhost-user-gpu-Release-memory-returned-by-vu_queue_p.patch (+67/-0)
debian/patches/stable/lp-1891877-virtio-9p-device-fix-memleak-in-virtio_9p_device_unr.patch (+49/-0)
debian/patches/stable/lp-1891877-virtio-add-ability-to-delete-vq-through-a-pointer.patch (+71/-0)
debian/patches/stable/lp-1891877-virtio-balloon-fix-free-page-hinting-check-on-unreal.patch (+51/-0)
debian/patches/stable/lp-1891877-virtio-balloon-fix-free-page-hinting-without-an-ioth.patch (+116/-0)
debian/patches/stable/lp-1891877-virtio-balloon-unref-the-iothread-when-unrealizing.patch (+49/-0)
debian/patches/stable/lp-1891877-virtio-crypto-do-delete-ctrl_vq-in-virtio_crypto_dev.patch (+61/-0)
debian/patches/stable/lp-1891877-virtio-make-virtio_delete_queue-idempotent.patch (+37/-0)
debian/patches/stable/lp-1891877-virtio-pmem-do-delete-rq_vq-in-virtio_pmem_unrealize.patch (+45/-0)
debian/patches/stable/lp-1891877-virtio-reset-region-cache-when-on-queue-deletion.patch (+40/-0)
debian/patches/stable/lp-1891877-vpc-Don-t-round-up-already-aligned-BAT-sizes.patch (+55/-0)
debian/patches/stable/lp-1891877-xen-9pfs-yield-when-there-isn-t-enough-room-on-the-r.patch (+96/-0)
debian/patches/stable/lp-1891877-xen-block-Fix-double-qlist-remove-and-request-leak.patch (+163/-0)
debian/patches/ubuntu/CVE-2020-10761.patch (+149/-0)
debian/patches/ubuntu/CVE-2020-12829-2.patch (+55/-0)
debian/patches/ubuntu/CVE-2020-12829-3.patch (+41/-0)
debian/patches/ubuntu/CVE-2020-12829-4.patch (+42/-0)
debian/patches/ubuntu/CVE-2020-12829-5.patch (+28/-0)
debian/patches/ubuntu/CVE-2020-12829-6.patch (+129/-0)
debian/patches/ubuntu/CVE-2020-12829-7.patch (+61/-0)
debian/patches/ubuntu/CVE-2020-12829-pre1.patch (+159/-0)
debian/patches/ubuntu/CVE-2020-12829-pre2.patch (+134/-0)
debian/patches/ubuntu/CVE-2020-12829-pre3.patch (+42/-0)
debian/patches/ubuntu/CVE-2020-12829-pre4.patch (+95/-0)
debian/patches/ubuntu/CVE-2020-12829.patch (+261/-0)
debian/patches/ubuntu/CVE-2020-13253.patch (+122/-0)
debian/patches/ubuntu/CVE-2020-13361.patch (+60/-0)
debian/patches/ubuntu/CVE-2020-13362-1.patch (+51/-0)
debian/patches/ubuntu/CVE-2020-13362-2.patch (+36/-0)
debian/patches/ubuntu/CVE-2020-13362-3.patch (+97/-0)
debian/patches/ubuntu/CVE-2020-13659.patch (+47/-0)
debian/patches/ubuntu/CVE-2020-13754-1.patch (+81/-0)
debian/patches/ubuntu/CVE-2020-13754-2.patch (+59/-0)
debian/patches/ubuntu/CVE-2020-13800.patch (+59/-0)
debian/patches/ubuntu/CVE-2020-14415.patch (+33/-0)
debian/patches/ubuntu/CVE-2020-15863.patch (+58/-0)
debian/patches/ubuntu/CVE-2020-16092.patch (+40/-0)
debian/patches/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch (+37/-0)
debian/patches/ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch (+52/-0)
Reviewer Review Type Date Requested Status
Rafael David Tinoco (community) Approve
Canonical Server Team Pending
Ubuntu Server Dev import team Pending
Christian Ehrhardt  (paelzer) wrote :

PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4215/+packages

PPA that contains version 6.4 https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
I'll rebase it once 6.4 is released and has been imported - but the content won't change.

SRU templates in the bug added and other than review + regression test good to go IMHO.

Rafael David Tinoco (rafaeldtinoco) wrote :

From the beginning

c33d65deb29 - security update 4.2-3ubuntu6.4 (to be released)

----

5c4fe018c0 nbd/server: Avoid long error message assertions CVE-2020-10761
fa70c2871f sm501: Optimize small overlapping blits
84ec3f9402 sm501: Fix bounds checks
4decaad9d2 sm501: Drop unneded variable
f018edc358 sm501: Do not allow guest to set invalid format
299778d5af sm501: Introduce variable for commonly used value for better readability
9982c605a7 sm501: Fix and optimize overlap check
e29da77e5f sm501: Convert printf + abort to qemu_log_mask
6f8183b5dc sm501: Shorten long variable names in sm501_2d_operation
2824809b7f sm501: Use BIT(x) macro to shorten constant
3d0b096298 sm501: Clean up local variables in sm501_2d_operation
b15a22bbcb sm501: Replace hand written implementation with pixman where possible
790762e548 hw/sd/sdcard: Do not switch to ReceivingData if address is invalid
369ff955a8 es1370: check total frame count against current frame
f50ab86a26 megasas: use unsigned type for reply_queue_head and check index
fd69185567 megasas: avoid NULL pointer dereference
2b151297e4 megasas: use unsigned type for positive numeric fields
77f55eac6c exec: set map length to zero when returning NULL
5d971f9e67 memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"
dba04c3488 acpi: accept byte and word access to core ACPI registers
a98610c429 ati-vga: check mm_index before recursive call (CVE-2020-13800)
7a4ede0047 audio/oss: fix buffer pos calculation
5519724a13 hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
035e69b063 hw/net/net_tx_pkt: fix assertion failure in net_tx_pkt_add_raw_fragment()

----

So, all the CVE fixes look ok, but I think we might be missing a fix for a regression caused by:

5d971f9e67 memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"

which is:

commit 70b78d4e71 (MISSING)
Author: Alistair Francis <email address hidden>
Date: Tue Jun 30 17:12:11 2020

    hw/riscv: Allow 64 bit access to SiFive CLINT

    Commit 5d971f9e672507210e77d020d89e0e89165c8fc9
    "memory: Revert "memory: accept mismatching sizes in
    memory_region_access_valid"" broke most RISC-V boards as they do 64 bit
    accesses to the CLINT and QEMU would trigger a fault. Fix this failure
    by allowing 8 byte accesses.

    Signed-off-by: Alistair Francis <email address hidden>
    Reviewed-by: LIU Zhiwei<email address hidden>
    Message-Id: <122b78825b077e4dfd39b444d3a46fe894a7804c<email address hidden>>

Rafael David Tinoco (rafaeldtinoco) wrote :

For...

ab9f0cb1d27 further stabilize by importing patches of qemu v4.2.1

----
stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch
stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch
stable/lp-1891877-9p-proxy-Fix-export_flags.patch
stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch
stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch
stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch
stable/lp-1891877-Fix-tulip-breakage.patch
stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch
stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch
stable/lp-1891877-Update-version-for-4.2.1-release.patch
stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch
stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch
stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch
stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch
stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch
stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch
stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch
stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch
stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch
stable/lp-1891877-display-bochs-display-fix-memory-leak.patch
stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch
stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch
stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch
stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch
stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch
stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch
stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch
stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch
stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch
stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch
stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch
stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch
stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch
stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch
stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch
stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch
stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch
stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch
stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch
stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch
stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch
stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch
stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch
stable/lp-1891877-hw-arm-smmuv3-Use-correct-b...

Rafael David Tinoco (rafaeldtinoco) wrote :

All other patches (single SRUs) look okay to me.

I'm +1 on this (and already approving) as long as you check:

commit 70b78d4e71 (MISSING)
Author: Alistair Francis <email address hidden>
Date: Tue Jun 30 17:12:11 2020

    hw/riscv: Allow 64 bit access to SiFive CLINT

as being a fix (or not) for the regression caused by:

5d971f9e67 memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"

All the rest look good SRUs, cases have templates, patches apply cleanly, etc.

review: Approve
Christian Ehrhardt  (paelzer) wrote :

commit 5d971f9e672507210e77d020d89e0e89165c8fc9
Author: Michael S. Tsirkin <email address hidden>
Date: Wed Jun 10 09:47:49 2020 -0400

    memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"

Was added by/in
  debian/patches/ubuntu/CVE-2020-13754-1.patch:

As part of the former security upload.

And I agree this patch should be added as well.

Ok so it was not missing from my stable patches but was actually broken in the security release before it. Great catch, and great that you are ok with the rest.

Also the security update got released tonight so I can rebase onto the new import and upload.

Note: this fix you identified also needs to go on top of groovy (there added by security upload in 1:5.0-5ubuntu3) which I'll do right away.

Christian Ehrhardt  (paelzer) wrote :

Hmm no, despite being a 5.1 patch in groovy
  debian/patches/riscv-allow-64-bit-access-to-SiFive-CLINT.patch
was added by me when doing the security fixes in 1:5.0-5ubuntu3

So groovy is good already, adding the patch to Focal as discussed.

Christian Ehrhardt  (paelzer) wrote :

I have pinged security as they backported this to X&B as well - not sure how reasonable riscv emu was these days, but I thought they should know.

The Focal upload is prepared as reviewed plus the fix that was identified.

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/qemu
 * [new tag] upload/1%4.2-3ubuntu6.5 -> upload/1%4.2-3ubuntu6.5

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading qemu_4.2-3ubuntu6.5.dsc: done.
  Uploading qemu_4.2-3ubuntu6.5.debian.tar.xz: done.
  Uploading qemu_4.2-3ubuntu6.5_source.buildinfo: done.
  Uploading qemu_4.2-3ubuntu6.5_source.changes: done.
Successfully uploaded packages.

Christian Ehrhardt  (paelzer) wrote :

SRU released

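--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,89 @@
+qemu (1:4.2-3ubuntu6.5) focal; urgency=medium
+
+ * further stabilize qemu by importing patches of qemu v4.2.1
+ Fixes (LP: #1891203) and (LP: #1891877)
+ - d/p/stable/lp-1891877-*
+ * fix s390x SQXBR emulation (LP: #1883984)
+ - d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
+ * fix -no-reboot for s390x protvirt guests (LP: #1890154)
+ - d/p/ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-*
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 19 Aug 2020 13:40:49 +0200
+
+qemu (1:4.2-3ubuntu6.4) focal-security; urgency=medium
+
+ * SECURITY UPDATE: assert failure in nbd
+ - debian/patches/ubuntu/CVE-2020-10761.patch: avoid long error message
+ assertions in nbd/server.c, tests/qemu-iotests/143,
+ tests/qemu-iotests/143.out.
+ - CVE-2020-10761
+ * SECURITY UPDATE: out-of-bounds read and write in sm501
+ - debian/patches/ubuntu/CVE-2020-12829-pre1.patch: convert printf +
+ abort to qemu_log_mask.
+ - debian/patches/ubuntu/CVE-2020-12829-pre2.patch: shorten long
+ variable names in sm501_2d_operation.
+ - debian/patches/ubuntu/CVE-2020-12829-pre3.patch: use BIT(x) macro to
+ shorten constant.
+ - debian/patches/ubuntu/CVE-2020-12829-pre4.patch: clean up local
+ variables in sm501_2d_operation.
+ - debian/patches/ubuntu/CVE-2020-12829.patch: replace hand written
+ implementation with pixman where possible.
+ - debian/patches/ubuntu/CVE-2020-12829-2.patch: optimize small
+ overlapping blits.
+ - debian/patches/ubuntu/CVE-2020-12829-3.patch: fix bounds checks.
+ - debian/patches/ubuntu/CVE-2020-12829-4.patch: drop unneded variable.
+ - debian/patches/ubuntu/CVE-2020-12829-5.patch: do not allow guest to
+ set invalid format.
+ - debian/patches/ubuntu/CVE-2020-12829-6.patch: introduce variable for
+ commonly used value for better readability.
+ - debian/patches/ubuntu/CVE-2020-12829-7.patch: fix and optimize
+ overlap check.
+ - CVE-2020-12829
+ * SECURITY UPDATE: out-of-bounds read during sdhci_write() operations
+ - debian/patches/ubuntu/CVE-2020-13253.patch: do not switch to
+ ReceivingData if address is invalid in hw/sd/sd.c.
+ - CVE-2020-13253
+ * SECURITY UPDATE: out-of-bounds access during es1370_write() operation
+ - debian/patches/ubuntu/CVE-2020-13361.patch: check total frame count
+ against current frame in hw/audio/es1370.c.
+ - CVE-2020-13361
+ * SECURITY UPDATE: out-of-bounds read via crafted reply_queue_head
+ - debian/patches/ubuntu/CVE-2020-13362-1.patch: use unsigned type for
+ reply_queue_head and check index in hw/scsi/megasas.c.
+ - debian/patches/ubuntu/CVE-2020-13362-2.patch: avoid NULL pointer
+ dereference in hw/scsi/megasas.c.
+ - debian/patches/ubuntu/CVE-2020-13362-3.patch: use unsigned type for
+ positive numeric fields in hw/scsi/megasas.c.
+ - CVE-2020-13362
+ * SECURITY UPDATE: NULL pointer dereference related to BounceBuffer
+ - debian/patches/ubuntu/CVE-2020-13659.patch: set map length to zero
+ when returning NULL in exec.c, include/exec/memory.h.
+ - CVE-2020-13659
+ * SECURITY UPDATE: out-of-bounds access via msi-x mmio operation
+ - debian/patches/ubuntu/CVE-2020-13754-1.patch: revert accepting
+ mismatching sizes in memory_region_access_valid in memory.c.
+ - debian/patches/ubuntu/CVE-2020-13754-2.patch: accept byte and word
+ access to core ACPI registers in hw/acpi/core.c.
+ - CVE-2020-13754
+ * SECURITY UPDATE: infinite recursion in ati-vga
+ - debian/patches/ubuntu/CVE-2020-13800.patch: check mm_index before
+ recursive call in hw/display/ati.c.
+ - CVE-2020-13800
+ * SECURITY UPDATE: division by zero in oss_write()
+ - debian/patches/ubuntu/CVE-2020-14415.patch: fix buffer pos
+ calculation in audio/ossaudio.c.
+ - CVE-2020-14415
+ * SECURITY UPDATE: buffer overflow in XGMAC Ethernet controller
+ - debian/patches/ubuntu/CVE-2020-15863.patch: check bounds in
+ hw/net/xgmac.c.
+ - CVE-2020-15863
+ * SECURITY UPDATE: reachable assertion failure
+ - debian/patches/ubuntu/CVE-2020-16092.patch: fix assertion failure in
+ hw/net/net_tx_pkt.c.
+ - CVE-2020-16092
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 11 Aug 2020 12:30:06 -0400
+
 qemu (1:4.2-3ubuntu6.3) focal; urgency=medium
 
  * debian/patches/ubuntu/lp-1878973-*: fix assert in qemu-guest-agent that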
diff --git a/debian/patches/series b/debian/patches/series
index dd6cb95..b9c1506 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -39,7 +39,6 @@ stable/lp-1867519-target-arm-Set-ISSIs16Bit-in-make_issinfo.patch
39stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch39stable/lp-1867519-target-i386-kvm-initialize-feature-MSRs-very-early.patch
40stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch40stable/lp-1867519-tpm-ppi-page-align-PPI-RAM.patch
41stable/lp-1867519-block-backup-top-fix-failure-path.patch41stable/lp-1867519-block-backup-top-fix-failure-path.patch
42stable/lp-1867519-iotests-add-test-for-backup-top-failure-on-permissio.patch
43stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch42stable/lp-1867519-block-fix-crash-on-zero-length-unaligned-write-and-r.patch
44stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch43stable/lp-1867519-qemu-img-Fix-convert-n-B-for-backing-less-targets.patch
45stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch44stable/lp-1867519-plugins-core-add-missing-break-in-cb_to_tcg_flags.patch
@@ -93,3 +92,134 @@ ubuntu/lp-1872945-target-openrisc-Fix-FPCSR-mask-to-allow-setting-DZF.patch
93ubuntu/CVE-2020-11869.patch92ubuntu/CVE-2020-11869.patch
94ubuntu/lp-1878973-fix-assert-regression.patch93ubuntu/lp-1878973-fix-assert-regression.patch
95lp-1882774-target-i386-do-not-set-unsupported-VMX-secondary-exe.patch94lp-1882774-target-i386-do-not-set-unsupported-VMX-secondary-exe.patch
95ubuntu/CVE-2020-10761.patch
96ubuntu/CVE-2020-12829-pre1.patch
97ubuntu/CVE-2020-12829-pre2.patch
98ubuntu/CVE-2020-12829-pre3.patch
99ubuntu/CVE-2020-12829-pre4.patch
100ubuntu/CVE-2020-12829.patch
101ubuntu/CVE-2020-12829-2.patch
102ubuntu/CVE-2020-12829-3.patch
103ubuntu/CVE-2020-12829-4.patch
104ubuntu/CVE-2020-12829-5.patch
105ubuntu/CVE-2020-12829-6.patch
106ubuntu/CVE-2020-12829-7.patch
107ubuntu/CVE-2020-13253.patch
108ubuntu/CVE-2020-13361.patch
109ubuntu/CVE-2020-13362-1.patch
110ubuntu/CVE-2020-13362-2.patch
111ubuntu/CVE-2020-13362-3.patch
112ubuntu/CVE-2020-13659.patch
113ubuntu/CVE-2020-13754-1.patch
114ubuntu/CVE-2020-13754-2.patch
115ubuntu/CVE-2020-13800.patch
116ubuntu/CVE-2020-14415.patch
117ubuntu/CVE-2020-15863.patch
118ubuntu/CVE-2020-16092.patch
119stable/lp-1891877-i386-Resolve-CPU-models-to-v1-by-default.patch
120stable/lp-1891877-qapi-better-document-NVMe-blockdev-device-parameter.patch
121stable/lp-1891877-numa-remove-not-needed-check.patch
122stable/lp-1891877-numa-properly-check-if-numa-is-supported.patch
123stable/lp-1891877-tests-ide-test-Create-a-single-unit-test-covering-mo.patch
124stable/lp-1891877-ide-Fix-incorrect-handling-of-some-PRDTs-in-ide_dma_.patch
125stable/lp-1891877-virtio-add-ability-to-delete-vq-through-a-pointer.patch
126stable/lp-1891877-virtio-make-virtio_delete_queue-idempotent.patch
127stable/lp-1891877-virtio-reset-region-cache-when-on-queue-deletion.patch
128stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch
129stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch
130stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch
131stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch
132stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch
133stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch
134stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch
135stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch
136stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch
137stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch
138stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch
139stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch
140stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch
141stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch
142stable/lp-1891877-qcow2-update_refcount-Reset-old_table_index-after-qc.patch
143stable/lp-1891877-iotests-Test-copy-offloading-with-external-data-file.patch
144stable/lp-1891877-iotests-026-Test-EIO-on-preallocated-zero-cluster.patch
145stable/lp-1891877-iotests-026-Test-EIO-on-allocation-in-a-data-file.patch
146stable/lp-1891877-scsi-qemu-pr-helper-Fix-out-of-bounds-access-to-trnp.patch
147stable/lp-1891877-target-ppc-Fix-rlwinm-on-ppc64.patch
148stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch
149stable/lp-1891877-qga-Installer-Wait-for-installation-to-finish.patch
150stable/lp-1891877-qga-win-Handle-VSS_E_PROVIDER_ALREADY_REGISTERED-err.patch
151stable/lp-1891877-qga-win-prevent-crash-when-executing-guest-file-read.patch
152stable/lp-1891877-qga-Fix-undefined-C-behavior.patch
153stable/lp-1891877-qemu-ga-document-vsock-listen-in-the-man-page.patch
154stable/lp-1891877-hw-i386-amd_iommu.c-Fix-corruption-of-log-events-pas.patch
155stable/lp-1891877-tcg-i386-Fix-INDEX_op_dup2_vec.patch
156stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch
157stable/lp-1891877-xen-block-Fix-double-qlist-remove-and-request-leak.patch
158stable/lp-1891877-vhost-user-gpu-Release-memory-returned-by-vu_queue_p.patch
159stable/lp-1891877-target-ppc-Fix-mtmsr-d-L-1-variant-that-loses-interr.patch
160stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch
161stable/lp-1891877-target-arm-Clear-tail-in-gvec_fmul_idx_-gvec_fmla_id.patch
162stable/lp-1891877-qemu-nbd-Close-inherited-stderr.patch
163stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch
164stable/lp-1891877-net-Do-not-include-a-newline-in-the-id-of-nic-device.patch
165stable/lp-1891877-virtio-balloon-fix-free-page-hinting-without-an-ioth.patch
166stable/lp-1891877-virtio-balloon-fix-free-page-hinting-check-on-unreal.patch
167stable/lp-1891877-virtio-balloon-unref-the-iothread-when-unrealizing.patch
168stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch
169stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch
170stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch
171stable/lp-1891877-virtio-9p-device-fix-memleak-in-virtio_9p_device_unr.patch
172stable/lp-1891877-9p-proxy-Fix-export_flags.patch
173stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
174stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch
175stable/lp-1891877-xen-9pfs-yield-when-there-isn-t-enough-room-on-the-r.patch
176stable/lp-1891877-tests-fix-modules-test-duplicate-test-case-error.patch
177stable/lp-1891877-iotests-026-Move-v3-exclusive-test-to-new-file.patch
178stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch
179stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch
180stable/lp-1891877-iotests-Fix-IMGOPTSSYNTAX-for-nbd.patch
181stable/lp-1891877-display-bochs-display-fix-memory-leak.patch
182stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch
183stable/lp-1891877-hw-arm-smmuv3-Correct-SMMU_BASE_ADDR_MASK-value.patch
184stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch
185stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch
186stable/lp-1891877-hw-arm-smmuv3-Use-correct-bit-positions-in-EVT_SET_A.patch
187stable/lp-1891877-hw-arm-smmuv3-Report-F_STE_FETCH-fault-address-in-co.patch
188stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch
189stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch
190stable/lp-1891877-migration-test-ppc64-fix-FORTH-test-program.patch
191stable/lp-1891877-runstate-ignore-finishmigrate-prelaunch-transition.patch
192stable/lp-1891877-migration-Rate-limit-inside-host-pages.patch
193stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch
194stable/lp-1891877-m68k-Fix-regression-causing-Single-Step-via-GDB-RSP-.patch
195stable/lp-1891877-s390x-adapter-routes-error-handling.patch
196stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch
197stable/lp-1891877-hw-intc-arm_gicv3_kvm-Stop-wrongly-programming-GICR_.patch
198stable/lp-1891877-target-arm-fix-TCG-leak-for-fcvt-half-double.patch
199stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch
200stable/lp-1891877-iotests-add-test-for-backup-top-failure-on-permissio.patch
201stable/lp-1891877-target-arm-monitor-query-cpu-model-expansion-crashed.patch
202stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch
203stable/lp-1891877-target-arm-Correct-definition-of-PMCRDP.patch
204stable/lp-1891877-virtio-pmem-do-delete-rq_vq-in-virtio_pmem_unrealize.patch
205stable/lp-1891877-virtio-crypto-do-delete-ctrl_vq-in-virtio_crypto_dev.patch
206stable/lp-1891877-vhost-user-blk-delete-virtioqueues-in-unrealize-to-f.patch
207stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch
208stable/lp-1891877-iotests-Fix-nonportable-use-of-od-endian.patch
209stable/lp-1891877-ppc-ppc405_boards-Remove-unnecessary-NULL-check.patch
210stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch
211stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch
212stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch
213stable/lp-1891877-migration-colo-fix-use-after-free-of-local_err.patch
214stable/lp-1891877-migration-ram-fix-use-after-free-of-local_err.patch
215stable/lp-1891877-qcow2-List-autoclear-bit-names-in-header.patch
216stable/lp-1891877-sheepdog-Consistently-set-bdrv_has_zero_init_truncat.patch
217stable/lp-1891877-spapr-Fix-failure-path-for-attempting-to-hot-unplug-.patch
218stable/lp-1891877-vpc-Don-t-round-up-already-aligned-BAT-sizes.patch
219stable/lp-1891877-target-xtensa-fix-pasto-in-pfwait.r-opcode-name.patch
220stable/lp-1891877-tcg-mips-mips-sync-encode-error.patch
221stable/lp-1891877-Fix-tulip-breakage.patch
222stable/lp-1891877-iotests-283-Use-consistent-size-for-source-and-targe.patch
223stable/lp-1891877-Update-version-for-4.2.1-release.patch
224ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch
225ubuntu/lp-1890154-s390x-protvirt-allow-to-IPL-secure-guests-with-no-re.patch
diff --git a/debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch b/debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch
96new file mode 100644226new file mode 100644
index 0000000..f32c223
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-9p-Lock-directory-streams-with-a-CoMutex.patch
@@ -0,0 +1,74 @@
1From dad6d5e7e613e51b2584c447378a044ccc2fdc81 Mon Sep 17 00:00:00 2001
2From: Greg Kurz <groug@kaod.org>
3Date: Mon, 25 May 2020 10:38:03 +0200
4Subject: [PATCH] 9p: Lock directory streams with a CoMutex
5
6Locking was introduced in QEMU 2.7 to address the deprecation of
7readdir_r(3) in glibc 2.24. It turns out that the frontend code is
8the worst place to handle a critical section with a pthread mutex:
9the code runs in a coroutine on behalf of the QEMU mainloop and then
10yields control, waiting for the fsdev backend to process the request
11in a worker thread. If the client resends another readdir request for
12the same fid before the previous one finally unlocked the mutex, we're
13deadlocked.
14
15This never bit us because the linux client serializes readdir requests
16for the same fid, but it is quite easy to demonstrate with a custom
17client.
18
19A good solution could be to narrow the critical section in the worker
20thread code and to return a copy of the dirent to the frontend, but
21this causes quite some changes in both 9p.c and codir.c. So, instead
22of that, in order for people to easily backport the fix to older QEMU
23versions, let's simply use a CoMutex since all the users for this
24sit in coroutines.
25
26Fixes: 7cde47d4a89d ("9p: add locking to V9fsDir")
27Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
28Message-Id: <158981894794.109297.3530035833368944254.stgit@bahia.lan>
29Signed-off-by: Greg Kurz <groug@kaod.org>
30(cherry picked from commit ed463454efd0ac3042ff772bfe1b1d846dc281a5)
31Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
32
33Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=dad6d5e7e6
34Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
35Last-Update: 2020-08-19
36
37---
38 hw/9pfs/9p.h | 8 ++++----
39 1 file changed, 4 insertions(+), 4 deletions(-)
40
41diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
42index 3904f82901..069c86333f 100644
43--- a/hw/9pfs/9p.h
44+++ b/hw/9pfs/9p.h
45@@ -186,22 +186,22 @@ typedef struct V9fsXattr
46
47 typedef struct V9fsDir {
48 DIR *stream;
49- QemuMutex readdir_mutex;
50+ CoMutex readdir_mutex;
51 } V9fsDir;
52
53 static inline void v9fs_readdir_lock(V9fsDir *dir)
54 {
55- qemu_mutex_lock(&dir->readdir_mutex);
56+ qemu_co_mutex_lock(&dir->readdir_mutex);
57 }
58
59 static inline void v9fs_readdir_unlock(V9fsDir *dir)
60 {
61- qemu_mutex_unlock(&dir->readdir_mutex);
62+ qemu_co_mutex_unlock(&dir->readdir_mutex);
63 }
64
65 static inline void v9fs_readdir_init(V9fsDir *dir)
66 {
67- qemu_mutex_init(&dir->readdir_mutex);
68+ qemu_co_mutex_init(&dir->readdir_mutex);
69 }
70
71 /*
72--
732.28.0
74
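Review bot: v9fs_readdir_lock() and v9fs_readdir_unlock() now take a CoMutex, which is only valid when the caller runs inside a coroutine, yet the header gives no hint of that and the helpers are not marked `coroutine_fn`. I would add above `v9fs_readdir_lock` in hw/9pfs/9p.h: `/* Must be called from coroutine context: readdir_mutex is a CoMutex, not a QemuMutex. */`, and consider annotating both helpers with `coroutine_fn` so a non-coroutine caller is visible at review time. The patch touches only 9p.h, so it relies on there being no remaining qemu_mutex_destroy() of readdir_mutex elsewhere and on the coroutine header already being visible here; neither can be confirmed from this hunk.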
diff --git a/debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch b/debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch
0new file mode 10064475new file mode 100644
index 0000000..f2efe0b
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-9p-local-always-return-1-on-error-in-local_unlinkat_.patch
@@ -0,0 +1,91 @@
1From 03afe9c035884c5901258967cf906de64eff25de Mon Sep 17 00:00:00 2001
2From: Daniel Henrique Barboza <danielhb413@gmail.com>
3Date: Mon, 20 Jan 2020 15:11:39 +0100
4Subject: [PATCH] 9p: local: always return -1 on error in local_unlinkat_common
5
6local_unlinkat_common() is supposed to always return -1 on error.
7This is being done by jumps to the 'err_out' label, which is
8a 'return ret' call, and 'ret' is initialized with -1.
9
10Unfortunately there is a condition in which the function will
11return 0 on error: in a case where flags == AT_REMOVEDIR, 'ret'
12will be 0 when reaching
13
14map_dirfd = openat_dir(...)
15
16And, if map_dirfd == -1 and errno != ENOENT, the existing 'err_out'
17jump will execute 'return ret', when ret is still set to zero
18at that point.
19
20This patch fixes it by changing all 'err_out' labels by
21'return -1' calls, ensuring that the function will always
22return -1 on error conditions. 'ret' can be left unintialized
23since it's now being used just to store the result of 'unlinkat'
24calls.
25
26CC: Greg Kurz <groug@kaod.org>
27Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
28[groug: changed prefix in title to be "9p: local:"]
29Signed-off-by: Greg Kurz <groug@kaod.org>
30(cherry picked from commit 846cf408a4c8055063f4a5a71ccf7ed030cdad30)
31Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
32
33Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=03afe9c035
34Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
35Last-Update: 2020-08-19
36
37---
38 hw/9pfs/9p-local.c | 14 ++++++--------
39 1 file changed, 6 insertions(+), 8 deletions(-)
40
41diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
42index 491b08aee8..b3b826b01f 100644
43--- a/hw/9pfs/9p-local.c
44+++ b/hw/9pfs/9p-local.c
45@@ -1076,7 +1076,7 @@ out:
46 static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
47 int flags)
48 {
49- int ret = -1;
50+ int ret;
51
52 if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
53 int map_dirfd;
54@@ -1094,12 +1094,12 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
55
56 fd = openat_dir(dirfd, name);
57 if (fd == -1) {
58- goto err_out;
59+ return -1;
60 }
61 ret = unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR);
62 close_preserve_errno(fd);
63 if (ret < 0 && errno != ENOENT) {
64- goto err_out;
65+ return -1;
66 }
67 }
68 map_dirfd = openat_dir(dirfd, VIRTFS_META_DIR);
69@@ -1107,16 +1107,14 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
70 ret = unlinkat(map_dirfd, name, 0);
71 close_preserve_errno(map_dirfd);
72 if (ret < 0 && errno != ENOENT) {
73- goto err_out;
74+ return -1;
75 }
76 } else if (errno != ENOENT) {
77- goto err_out;
78+ return -1;
79 }
80 }
81
82- ret = unlinkat(dirfd, name, flags);
83-err_out:
84- return ret;
85+ return unlinkat(dirfd, name, flags);
86 }
87
88 static int local_remove(FsContext *ctx, const char *path)
89--
902.28.0
91
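Review bot: After this change `ret` (patch line 50) is only assigned and read inside the `V9FS_SM_MAPPED_FILE` branch, so the declaration at function scope is wider than its use; moving it next to `int map_dirfd;` would make the narrower lifetime explicit and let the compiler flag any future use outside that branch. The function now has five exit points instead of one, which is fine here because nothing needs cleanup after the `close_preserve_errno()` calls, but a one-line comment at the top would pin the contract: `/* Every error path returns -1 with errno set by the failing call. */`. The body of local_unlinkat_common is split across three hunks, so the lines between them are not visible here.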
diff --git a/debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch b/debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch
0new file mode 10064492new file mode 100644
index 0000000..8784844
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-9p-proxy-Fix-export_flags.patch
@@ -0,0 +1,49 @@
1From 410252fc5b2aaef65b793edd37289284c1a4eb91 Mon Sep 17 00:00:00 2001
2From: Greg Kurz <groug@kaod.org>
3Date: Tue, 10 Mar 2020 16:12:49 +0100
4Subject: [PATCH] 9p/proxy: Fix export_flags
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9The common fsdev options are set by qemu_fsdev_add() before it calls
10the backend specific option parsing code. In the case of "proxy" this
11means "writeout" or "readonly" were simply ignored. This has been
12broken from the beginning.
13
14Reported-by: Stéphane Graber <stgraber@ubuntu.com>
15Signed-off-by: Greg Kurz <groug@kaod.org>
16Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
17Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
18Message-Id: <158349633705.1237488.8895481990204796135.stgit@bahia.lan>
19(cherry picked from commit 659f1953281bcfa5ac217e42877d7d3c32eeea38)
20Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
21
22Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=410252fc5b
23Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
24Last-Update: 2020-08-19
25
26---
27 hw/9pfs/9p-proxy.c | 4 ++--
28 1 file changed, 2 insertions(+), 2 deletions(-)
29
30diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
31index 97ab9c58a5..3b885b96b5 100644
32--- a/hw/9pfs/9p-proxy.c
33+++ b/hw/9pfs/9p-proxy.c
34@@ -1139,10 +1139,10 @@ static int proxy_parse_opts(QemuOpts *opts, FsDriverEntry *fs, Error **errp)
35 }
36 if (socket) {
37 fs->path = g_strdup(socket);
38- fs->export_flags = V9FS_PROXY_SOCK_NAME;
39+ fs->export_flags |= V9FS_PROXY_SOCK_NAME;
40 } else {
41 fs->path = g_strdup(sock_fd);
42- fs->export_flags = V9FS_PROXY_SOCK_FD;
43+ fs->export_flags |= V9FS_PROXY_SOCK_FD;
44 }
45 return 0;
46 }
47--
482.28.0
49
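Review bot: The switch from `=` to `|=` is correct but undocumented at the site, so a reader will not know why the proxy backend merges rather than sets export_flags. I would put before the `if (socket)` block: `/* Common fsdev flags (readonly, writeout) were already set by qemu_fsdev_add(); only add the proxy-specific bit. */`. Since the commit message states that `readonly` was silently ignored before, a proxy export configured read-only was in fact writable by the guest until this fix; the debian/changelog entry for this SRU should say so explicitly so users of the proxy backend know to re-check their exports.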
diff --git a/debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch b/debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch
0new file mode 10064450new file mode 100644
index 0000000..8f0bcb5
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-9pfs-include-linux-limits.h-for-XATTR_SIZE_MAX.patch
@@ -0,0 +1,43 @@
1From 0c6499ff2b1f9614195f31a24f1cf3888ce5d079 Mon Sep 17 00:00:00 2001
2From: Dan Robertson <dan@dlrobertson.com>
3Date: Mon, 25 May 2020 10:38:03 +0200
4Subject: [PATCH] 9pfs: include linux/limits.h for XATTR_SIZE_MAX
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9linux/limits.h should be included for the XATTR_SIZE_MAX definition used
10by v9fs_xattrcreate.
11
12Fixes: 3b79ef2cf488 ("9pfs: limit xattr size in xattrcreate")
13Signed-off-by: Dan Robertson <dan@dlrobertson.com>
14Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
15Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
16Message-Id: <20200515203015.7090-2-dan@dlrobertson.com>
17Signed-off-by: Greg Kurz <groug@kaod.org>
18(cherry picked from commit 03556ea920b23c466ce7c1283199033de33ee671)
19Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
20
21Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0c6499ff2b
22Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
23Last-Update: 2020-08-19
24
25---
26 hw/9pfs/9p.c | 1 +
27 1 file changed, 1 insertion(+)
28
29diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
30index 520177f40c..37e43d3f85 100644
31--- a/hw/9pfs/9p.c
32+++ b/hw/9pfs/9p.c
33@@ -28,6 +28,7 @@
34 #include "sysemu/qtest.h"
35 #include "qemu/xxhash.h"
36 #include <math.h>
37+#include <linux/limits.h>
38
39 int open_fd_hw;
40 int total_open_fd;
41--
422.28.0
43
diff --git a/debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch b/debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch
0new file mode 10064444new file mode 100644
index 0000000..3e0996b
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-9pfs-local-Fix-possible-memory-leak-in-local_link.patch
@@ -0,0 +1,44 @@
1From 18f6b13e085fdb81f5385bffce35364ab8535303 Mon Sep 17 00:00:00 2001
2From: Jiajun Chen <chenjiajun8@huawei.com>
3Date: Mon, 20 Jan 2020 15:11:39 +0100
4Subject: [PATCH] 9pfs: local: Fix possible memory leak in local_link()
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9There is a possible memory leak while local_link return -1 without free
10odirpath and oname.
11
12Reported-by: Euler Robot <euler.robot@huawei.com>
13Signed-off-by: Jaijun Chen <chenjiajun8@huawei.com>
14Signed-off-by: Xiang Zheng <zhengxiang9@huawei.com>
15Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
16Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
17Signed-off-by: Greg Kurz <groug@kaod.org>
18(cherry picked from commit 841b8d099c462cd4282c4ced8c2a6512899fd8d9)
19Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
20
21Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=18f6b13e08
22Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
23Last-Update: 2020-08-19
24
25---
26 hw/9pfs/9p-local.c | 2 +-
27 1 file changed, 1 insertion(+), 1 deletion(-)
28
29diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
30index 4708c0bd89..491b08aee8 100644
31--- a/hw/9pfs/9p-local.c
32+++ b/hw/9pfs/9p-local.c
33@@ -947,7 +947,7 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
34 if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
35 local_is_mapped_file_metadata(ctx, name)) {
36 errno = EINVAL;
37- return -1;
38+ goto out;
39 }
40
41 odirfd = local_opendir_nofollow(ctx, odirpath);
42--
432.28.0
44
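Review bot: The new `goto out` jumps to cleanup code that is outside this hunk, and the jump happens before `odirfd = local_opendir_nofollow(ctx, odirpath);` on the following line. If the code at `out:` closes `odirfd` (or any other descriptor opened later in the function), it must be initialised to -1 before this point or the early exit will close a garbage descriptor; the hunk does not show that initialisation, so please confirm. A short comment at the label would make the contract visible: `/* out: frees odirpath/oname; only closes descriptors that were actually opened */`. local_link's body begins and ends outside the hunk.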
diff --git a/debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch b/debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
0new file mode 10064445new file mode 100644
index 0000000..59acbb2
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-9pfs-local-ignore-O_NOATIME-if-we-don-t-have-permiss.patch
@@ -0,0 +1,67 @@
1From 17216bc04494825600b58ebb8a3a6fe0d8052125 Mon Sep 17 00:00:00 2001
2From: Omar Sandoval <osandov@fb.com>
3Date: Thu, 14 May 2020 08:06:43 +0200
4Subject: [PATCH] 9pfs: local: ignore O_NOATIME if we don't have permissions
5
6QEMU's local 9pfs server passes through O_NOATIME from the client. If
7the QEMU process doesn't have permissions to use O_NOATIME (namely, it
8does not own the file nor have the CAP_FOWNER capability), the open will
9fail. This causes issues when from the client's point of view, it
10believes it has permissions to use O_NOATIME (e.g., a process running as
11root in the virtual machine). Additionally, overlayfs on Linux opens
12files on the lower layer using O_NOATIME, so in this case a 9pfs mount
13can't be used as a lower layer for overlayfs (cf.
14https://github.com/osandov/drgn/blob/dabfe1971951701da13863dbe6d8a1d172ad9650/vmtest/onoatimehack.c
15and https://github.com/NixOS/nixpkgs/issues/54509).
16
17Luckily, O_NOATIME is effectively a hint, and is often ignored by, e.g.,
18network filesystems. open(2) notes that O_NOATIME "may not be effective
19on all filesystems. One example is NFS, where the server maintains the
20access time." This means that we can honor it when possible but fall
21back to ignoring it.
22
23Acked-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
24Signed-off-by: Omar Sandoval <osandov@fb.com>
25Message-Id: <e9bee604e8df528584693a4ec474ded6295ce8ad.1587149256.git.osandov@fb.com>
26Signed-off-by: Greg Kurz <groug@kaod.org>
27(cherry picked from commit a5804fcf7b22fc7d1f9ec794dd284c7d504bd16b)
28Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
29
30Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=17216bc044
31Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
32Last-Update: 2020-08-19
33
34---
35 hw/9pfs/9p-util.h | 13 +++++++++++++
36 1 file changed, 13 insertions(+)
37
38diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
39index 79ed6b233e..546f46dc7d 100644
40--- a/hw/9pfs/9p-util.h
41+++ b/hw/9pfs/9p-util.h
42@@ -37,9 +37,22 @@ static inline int openat_file(int dirfd, const char *name, int flags,
43 {
44 int fd, serrno, ret;
45
46+again:
47 fd = openat(dirfd, name, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK,
48 mode);
49 if (fd == -1) {
50+ if (errno == EPERM && (flags & O_NOATIME)) {
51+ /*
52+ * The client passed O_NOATIME but we lack permissions to honor it.
53+ * Rather than failing the open, fall back without O_NOATIME. This
54+ * doesn't break the semantics on the client side, as the Linux
55+ * open(2) man page notes that O_NOATIME "may not be effective on
56+ * all filesystems". In particular, NFS and other network
57+ * filesystems ignore it entirely.
58+ */
59+ flags &= ~O_NOATIME;
60+ goto again;
61+ }
62 return -1;
63 }
64
65--
662.28.0
67
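Review bot: The retry via `goto again` is bounded only implicitly: it terminates because `flags &= ~O_NOATIME` makes the `(flags & O_NOATIME)` test false on the second pass, but the comment does not say so and a later edit to the condition could turn this into an unbounded loop. I would append to the comment block: `Retried at most once: O_NOATIME is cleared before jumping back.` An EPERM from any other cause will simply repeat the open once and fail again with the same errno, which is acceptable but worth stating. openat_file's body continues past the hunk.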
diff --git a/debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch b/debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch
0new file mode 10064468new file mode 100644
index 0000000..c6c78e1
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-Fix-double-free-issue-in-qemu_set_log_filename.patch
@@ -0,0 +1,41 @@
1From 45b65bf8dfb46a03ff67c36424986e2450c5203e Mon Sep 17 00:00:00 2001
2From: Robert Foley <robert.foley@linaro.org>
3Date: Mon, 18 Nov 2019 16:15:23 -0500
4Subject: [PATCH] Fix double free issue in qemu_set_log_filename().
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9After freeing the logfilename, we set logfilename to NULL, in case of an
10error which returns without setting logfilename.
11
12Signed-off-by: Robert Foley <robert.foley@linaro.org>
13Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
14Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
15Message-Id: <20191118211528.3221-2-robert.foley@linaro.org>
16(cherry picked from commit 0f516ca4767042aec8716369d6d62436fa10593a)
17Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
18
19Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=45b65bf8df
20Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
21Last-Update: 2020-08-19
22
23---
24 util/log.c | 1 +
25 1 file changed, 1 insertion(+)
26
27diff --git a/util/log.c b/util/log.c
28index 1ca13059ee..4316fe74ee 100644
29--- a/util/log.c
30+++ b/util/log.c
31@@ -113,6 +113,7 @@ void qemu_set_log_filename(const char *filename, Error **errp)
32 {
33 char *pidstr;
34 g_free(logfilename);
35+ logfilename = NULL;
36
37 pidstr = strstr(filename, "%");
38 if (pidstr) {
39--
402.28.0
41
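Review bot: The free-then-NULL pair on patch lines 34–35 is the idiom GLib already provides as `g_clear_pointer(&logfilename, g_free);`, which keeps the two steps from drifting apart in a future edit. If the project prefers the explicit form, a comment stating why the reset matters would help: `/* reset so an early error return below does not leave a dangling pointer for the next call */`. The rest of qemu_set_log_filename, including the error paths this protects, is outside the hunk.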
diff --git a/debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch b/debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch
0new file mode 10064442new file mode 100644
index 0000000..ed4a09c
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-Fix-tulip-breakage.patch
@@ -0,0 +1,65 @@
1From 0664ffac4be2673c1c962bb9d010dc964d080ee7 Mon Sep 17 00:00:00 2001
2From: Helge Deller <deller@gmx.de>
3Date: Sun, 26 Apr 2020 12:55:39 +0200
4Subject: [PATCH] Fix tulip breakage
5
6The tulip network driver in a qemu-system-hppa emulation is broken in
7the sense that bigger network packages aren't received any longer and
8thus even running e.g. "apt update" inside the VM fails.
9
10The breakage was introduced by commit 8ffb7265af ("check frame size and
11r/w data length") which added checks to prevent accesses outside of the
12rx/tx buffers.
13
14But the new checks were implemented wrong. The variable rx_frame_len
15counts backwards, from rx_frame_size down to zero, and the variable len
16is never bigger than rx_frame_len, so accesses just can't happen and the
17checks are unnecessary.
18On the contrary the checks now prevented bigger packages to be moved
19into the rx buffers.
20
21This patch reverts the wrong checks and were sucessfully tested with a
22qemu-system-hppa emulation.
23
24Fixes: 8ffb7265af ("check frame size and r/w data length")
25Buglink: https://bugs.launchpad.net/bugs/1874539
26Signed-off-by: Helge Deller <deller@gmx.de>
27Signed-off-by: Jason Wang <jasowang@redhat.com>
28(cherry picked from commit d9b69640391618045949f7c500b87fc129f862ed)
29Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
30
31Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0664ffac4b
32Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
33Last-Update: 2020-08-19
34
35---
36 hw/net/tulip.c | 6 ------
37 1 file changed, 6 deletions(-)
38
39diff --git a/hw/net/tulip.c b/hw/net/tulip.c
40index 1167c1bb07..c6654a98a9 100644
41--- a/hw/net/tulip.c
42+++ b/hw/net/tulip.c
43@@ -171,9 +171,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
44 len = s->rx_frame_len;
45 }
46
47- if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
48- return;
49- }
50 pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
51 (s->rx_frame_size - s->rx_frame_len), len);
52 s->rx_frame_len -= len;
53@@ -186,9 +183,6 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
54 len = s->rx_frame_len;
55 }
56
57- if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
58- return;
59- }
60 pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
61 (s->rx_frame_size - s->rx_frame_len), len);
62 s->rx_frame_len -= len;
63--
642.28.0
65
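Review bot: Both hunks delete a bounds check without leaving anything in its place, so the safety of the two `pci_dma_write()` calls now rests entirely on invariants established outside this patch: `len <= s->rx_frame_len` (from the clamp just above each call) and `s->rx_frame_size <= sizeof(s->rx_frame)` (enforced wherever rx_frame_size is set, which is not visible here). The commit message argues the removed expression `rx_frame_len + len` was the wrong test, not that no test is needed, so I would record the real invariant at the first call site: `/* len <= rx_frame_len <= rx_frame_size <= sizeof(rx_frame): bounded where the frame is received */`. Please also confirm that the assignment to rx_frame_size clamps to sizeof(rx_frame), since rx_frame_size presumably comes from the received packet length. tulip_copy_rx_bytes begins and ends outside the hunks.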
diff --git a/debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch b/debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch
0new file mode 10064466new file mode 100644
index 0000000..a667e04
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-Revert-qemu-options.hx-Update-for-reboot-timeout-par.patch
@@ -0,0 +1,43 @@
1From aea7a50fb5e38ccfda741848286a548b72877dfa Mon Sep 17 00:00:00 2001
2From: Han Han <hhan@redhat.com>
3Date: Thu, 5 Dec 2019 10:48:21 +0800
4Subject: [PATCH] Revert "qemu-options.hx: Update for reboot-timeout parameter"
5
6This reverts commit bbd9e6985ff342cbe15b9cb7eb30e842796fbbe8.
7
8In 20a1922032 we allowed reboot-timeout=-1 again, so update the doc
9accordingly.
10
11Signed-off-by: Han Han <hhan@redhat.com>
12Reviewed-by: Markus Armbruster <armbru@redhat.com>
13Message-Id: <20191205024821.245435-1-hhan@redhat.com>
14Signed-off-by: Laurent Vivier <laurent@vivier.eu>
15(cherry picked from commit 8937a39da22e5d5689c516a2d4ce4f2bb6a378fc)
16Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
17
18Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=aea7a50fb5
19Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
20Last-Update: 2020-08-19
21
22---
23 qemu-options.hx | 4 ++--
24 1 file changed, 2 insertions(+), 2 deletions(-)
25
26diff --git a/qemu-options.hx b/qemu-options.hx
27index 65c9473b73..e14d88e9b2 100644
28--- a/qemu-options.hx
29+++ b/qemu-options.hx
30@@ -327,8 +327,8 @@ format(true color). The resolution should be supported by the SVGA mode, so
31 the recommended is 320x240, 640x480, 800x640.
32
33 A timeout could be passed to bios, guest will pause for @var{rb_timeout} ms
34-when boot failed, then reboot. If @option{reboot-timeout} is not set,
35-guest will not reboot by default. Currently Seabios for X86
36+when boot failed, then reboot. If @var{rb_timeout} is '-1', guest will not
37+reboot, qemu passes '-1' to bios by default. Currently Seabios for X86
38 system support it.
39
40 Do strict boot via @option{strict=on} as far as firmware/BIOS
41--
422.28.0
43
diff --git a/debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch b/debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch
0new file mode 10064444new file mode 100644
index 0000000..8319291
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-Revert-vnc-allow-fall-back-to-RAW-encoding.patch
@@ -0,0 +1,77 @@
1From b5ba361d8f8908ab37a104b0110910926d94d57f Mon Sep 17 00:00:00 2001
2From: Gerd Hoffmann <kraxel@redhat.com>
3Date: Tue, 21 Jan 2020 07:02:10 +0100
4Subject: [PATCH] Revert "vnc: allow fall back to RAW encoding"
5
6This reverts commit de3f7de7f4e257ce44cdabb90f5f17ee99624557.
7
8Remove VNC optimization to reencode framebuffer update as raw if it's
9smaller than the default encoding.
10
11QEMU's implementation was naive and didn't account for the ZLIB z_stream
12mutating with each compression. Because of the mutation, simply
13resetting the output buffer's offset wasn't sufficient to "rewind" the
14operation. The mutated z_stream would generate future zlib blocks which
15referred to symbols in past blocks which weren't sent. This would lead
16to artifacting.
17
18Considering that ZRLE is never larger than raw and even though ZLIB can
19occasionally be fractionally larger than raw, the overhead of
20implementing this optimization correctly isn't worth it.
21
22Signed-off-by: Cameron Esfahani <dirty@apple.com>
23Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
24(cherry picked from commit 0780ec7be82dd4781e9fd216b5d99a125882ff5a)
25Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
26
27Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=b5ba361d8f
28Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
29Last-Update: 2020-08-19
30
31---
32 ui/vnc.c | 20 ++------------------
33 1 file changed, 2 insertions(+), 18 deletions(-)
34
35diff --git a/ui/vnc.c b/ui/vnc.c
36index 87b8045afe..f94b3a257e 100644
37--- a/ui/vnc.c
38+++ b/ui/vnc.c
39@@ -898,8 +898,6 @@ int vnc_raw_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
40 int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
41 {
42 int n = 0;
43- bool encode_raw = false;
44- size_t saved_offs = vs->output.offset;
45
46 switch(vs->vnc_encoding) {
47 case VNC_ENCODING_ZLIB:
48@@ -922,24 +920,10 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
49 n = vnc_zywrle_send_framebuffer_update(vs, x, y, w, h);
50 break;
51 default:
52- encode_raw = true;
53+ vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
54+ n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
55 break;
56 }
57-
58- /* If the client has the same pixel format as our internal buffer and
59- * a RAW encoding would need less space fall back to RAW encoding to
60- * save bandwidth and processing power in the client. */
61- if (!encode_raw && vs->write_pixels == vnc_write_pixels_copy &&
62- 12 + h * w * VNC_SERVER_FB_BYTES <= (vs->output.offset - saved_offs)) {
63- vs->output.offset = saved_offs;
64- encode_raw = true;
65- }
66-
67- if (encode_raw) {
68- vnc_framebuffer_update(vs, x, y, w, h, VNC_ENCODING_RAW);
69- n = vnc_raw_send_framebuffer_update(vs, x, y, w, h);
70- }
71-
72 return n;
73 }
74
75--
762.28.0
77
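Review bot: The default branch now always sends RAW, and the reason the size-based fallback was removed (rewinding `vs->output.offset` does not rewind the mutated zlib z_stream, per the commit message) lives only in the commit log; nothing in `vnc_send_framebuffer_update` stops someone from re-adding the optimisation later. I would add a comment in the default case: `/* No size-based RAW fallback here: resetting output.offset cannot undo zlib stream state (see revert of de3f7de7f4e2). */`. vnc_send_framebuffer_update's `switch` spans the gap between the two hunks, so the remaining cases are not visible.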
diff --git a/debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch b/debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch
0new file mode 10064478new file mode 100644
index 0000000..15a9277
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-Update-version-for-4.2.1-release.patch
@@ -0,0 +1,24 @@
1From 6cdf8c4efa073eac7d5f9894329e2d07743c2955 Mon Sep 17 00:00:00 2001
2From: Michael Roth <mdroth@linux.vnet.ibm.com>
3Date: Thu, 25 Jun 2020 13:08:54 -0500
4Subject: [PATCH] Update version for 4.2.1 release
5
6
7Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=6cdf8c4efa
8Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
9Last-Update: 2020-08-19
10
11---
12 VERSION | 2 +-
13 1 file changed, 1 insertion(+), 1 deletion(-)
14
15diff --git a/VERSION b/VERSION
16index 6aba2b245a..fae6e3d04b 100644
17--- a/VERSION
18+++ b/VERSION
19@@ -1 +1 @@
20-4.2.0
21+4.2.1
22--
232.28.0
24
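--- /dev/null
+++ b/debian/patches/stable/lp-1891877-blkdebug-Allow-taking-unsharing-permissions.patch
@@ -0,0 +1,209 @@
+From 9a30621d3d5de76f865dc804a1dd16cc517461b6 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Fri, 8 Nov 2019 13:34:53 +0100
+Subject: [PATCH] blkdebug: Allow taking/unsharing permissions
+
+Sometimes it is useful to be able to add a node to the block graph that
+takes or unshare a certain set of permissions for debugging purposes.
+This patch adds this capability to blkdebug.
+
+(Note that you cannot make blkdebug release or share permissions that it
+needs to take or cannot share, because this might result in assertion
+failures in the block layer. But if the blkdebug node has no parents,
+it will not take any permissions and share everything by default, so you
+can then freely choose what permissions to take and share.)
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-id: 20191108123455.39445-4-mreitz@redhat.com
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 69c6449ff10fe4e3219e960549307096d5366bd0)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9a30621d3d
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block/blkdebug.c | 93 +++++++++++++++++++++++++++++++++++++++++++-
+ qapi/block-core.json | 14 ++++++-
+ 2 files changed, 105 insertions(+), 2 deletions(-)
+
+diff --git a/block/blkdebug.c b/block/blkdebug.c
+index 5ae96c52b0..af44aa973f 100644
+--- a/block/blkdebug.c
++++ b/block/blkdebug.c
+@@ -28,10 +28,14 @@
+ #include "qemu/cutils.h"
+ #include "qemu/config-file.h"
+ #include "block/block_int.h"
++#include "block/qdict.h"
+ #include "qemu/module.h"
+ #include "qemu/option.h"
++#include "qapi/qapi-visit-block-core.h"
+ #include "qapi/qmp/qdict.h"
++#include "qapi/qmp/qlist.h"
+ #include "qapi/qmp/qstring.h"
++#include "qapi/qobject-input-visitor.h"
+ #include "sysemu/qtest.h"
+
+ typedef struct BDRVBlkdebugState {
+@@ -44,6 +48,9 @@ typedef struct BDRVBlkdebugState {
+ uint64_t opt_discard;
+ uint64_t max_discard;
+
++ uint64_t take_child_perms;
++ uint64_t unshare_child_perms;
++
+ /* For blkdebug_refresh_filename() */
+ char *config_file;
+
+@@ -344,6 +351,69 @@ static void blkdebug_parse_filename(const char *filename, QDict *options,
+ qdict_put_str(options, "x-image", filename);
+ }
+
++static int blkdebug_parse_perm_list(uint64_t *dest, QDict *options,
++ const char *prefix, Error **errp)
++{
++ int ret = 0;
++ QDict *subqdict = NULL;
++ QObject *crumpled_subqdict = NULL;
++ Visitor *v = NULL;
++ BlockPermissionList *perm_list = NULL, *element;
++ Error *local_err = NULL;
++
++ *dest = 0;
++
++ qdict_extract_subqdict(options, &subqdict, prefix);
++ if (!qdict_size(subqdict)) {
++ goto out;
++ }
++
++ crumpled_subqdict = qdict_crumple(subqdict, errp);
++ if (!crumpled_subqdict) {
++ ret = -EINVAL;
++ goto out;
++ }
++
++ v = qobject_input_visitor_new(crumpled_subqdict);
++ visit_type_BlockPermissionList(v, NULL, &perm_list, &local_err);
++ if (local_err) {
++ error_propagate(errp, local_err);
++ ret = -EINVAL;
++ goto out;
++ }
++
++ for (element = perm_list; element; element = element->next) {
++ *dest |= bdrv_qapi_perm_to_blk_perm(element->value);
++ }
++
++out:
++ qapi_free_BlockPermissionList(perm_list);
++ visit_free(v);
++ qobject_unref(subqdict);
++ qobject_unref(crumpled_subqdict);
++ return ret;
++}
++
++static int blkdebug_parse_perms(BDRVBlkdebugState *s, QDict *options,
++ Error **errp)
++{
++ int ret;
++
++ ret = blkdebug_parse_perm_list(&s->take_child_perms, options,
++ "take-child-perms.", errp);
++ if (ret < 0) {
++ return ret;
++ }
++
++ ret = blkdebug_parse_perm_list(&s->unshare_child_perms, options,
++ "unshare-child-perms.", errp);
++ if (ret < 0) {
++ return ret;
++ }
++
++ return 0;
++}
++
+ static QemuOptsList runtime_opts = {
+ .name = "blkdebug",
+ .head = QTAILQ_HEAD_INITIALIZER(runtime_opts.head),
+@@ -419,6 +489,12 @@ static int blkdebug_open(BlockDriverState *bs, QDict *options, int flags,
+ /* Set initial state */
+ s->state = 1;
+
++ /* Parse permissions modifiers before opening the image file */
++ ret = blkdebug_parse_perms(s, options, errp);
++ if (ret < 0) {
++ goto out;
++ }
++
+ /* Open the image file */
+ bs->file = bdrv_open_child(qemu_opt_get(opts, "x-image"), options, "image",
+ bs, &child_file, false, &local_err);
+@@ -916,6 +992,21 @@ static int blkdebug_reopen_prepare(BDRVReopenState *reopen_state,
+ return 0;
+ }
+
++static void blkdebug_child_perm(BlockDriverState *bs, BdrvChild *c,
++ const BdrvChildRole *role,
++ BlockReopenQueue *reopen_queue,
++ uint64_t perm, uint64_t shared,
++ uint64_t *nperm, uint64_t *nshared)
++{
++ BDRVBlkdebugState *s = bs->opaque;
++
++ bdrv_filter_default_perms(bs, c, role, reopen_queue, perm, shared,
++ nperm, nshared);
++
++ *nperm |= s->take_child_perms;
++ *nshared &= ~s->unshare_child_perms;
++}
++
+ static const char *const blkdebug_strong_runtime_opts[] = {
+ "config",
+ "inject-error.",
+@@ -940,7 +1031,7 @@ static BlockDriver bdrv_blkdebug = {
+ .bdrv_file_open = blkdebug_open,
+ .bdrv_close = blkdebug_close,
+ .bdrv_reopen_prepare = blkdebug_reopen_prepare,
+- .bdrv_child_perm = bdrv_filter_default_perms,
++ .bdrv_child_perm = blkdebug_child_perm,
+
+ .bdrv_getlength = blkdebug_getlength,
+ .bdrv_refresh_filename = blkdebug_refresh_filename,
+diff --git a/qapi/block-core.json b/qapi/block-core.json
+index fcb52ec24f..839b10b3f0 100644
+--- a/qapi/block-core.json
++++ b/qapi/block-core.json
+@@ -3454,6 +3454,16 @@
+ #
+ # @set-state: array of state-change descriptions
+ #
++# @take-child-perms: Permissions to take on @image in addition to what
++# is necessary anyway (which depends on how the
++# blkdebug node is used). Defaults to none.
++# (since 5.0)
++#
++# @unshare-child-perms: Permissions not to share on @image in addition
++# to what cannot be shared anyway (which depends
++# on how the blkdebug node is used). Defaults
++# to none. (since 5.0)
++#
+ # Since: 2.9
+ ##
+ { 'struct': 'BlockdevOptionsBlkdebug',
+@@ -3463,7 +3473,9 @@
+ '*opt-write-zero': 'int32', '*max-write-zero': 'int32',
+ '*opt-discard': 'int32', '*max-discard': 'int32',
+ '*inject-error': ['BlkdebugInjectErrorOptions'],
+- '*set-state': ['BlkdebugSetStateOptions'] } }
++ '*set-state': ['BlkdebugSetStateOptions'],
++ '*take-child-perms': ['BlockPermission'],
++ '*unshare-child-perms': ['BlockPermission'] } }
+
+ ##
+ # @BlockdevOptionsBlklogwrites:
+--
+2.28.0
+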
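Review bot: blkdebug_child_perm applies the requested sets unchecked (`*nperm |= s->take_child_perms; *nshared &= ~s->unshare_child_perms;`), and the only record of the consequence — that taking or unsharing something another parent relies on can end in block-layer assertion failures — is the commit message, which nobody reading the driver later will see. A comment above those two lines would keep the caveat with the code, e.g. `/* Debug knob, applied unchecked: requesting a perm a sibling needs shared (or unsharing one it holds) can trip block-layer assertions. */`. The same warning belongs in the QAPI doc for @take-child-perms and @unshare-child-perms in block-core.json, since that is what users of the option read. In blkdebug_parse_perm_list the visitor error path goes through a local_err plus error_propagate() while the qdict_crumple() call passes errp directly; passing errp to the visit as well would make the two error paths consistent, though this is style only.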
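--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-Add-bdrv_qapi_perm_to_blk_perm.patch
@@ -0,0 +1,87 @@
+From 0972fbf353e436088bbc4180bc13e93245cd7add Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Fri, 8 Nov 2019 13:34:51 +0100
+Subject: [PATCH] block: Add bdrv_qapi_perm_to_blk_perm()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We need some way to correlate QAPI BlockPermission values with
+BLK_PERM_* flags. We could:
+
+(1) have the same order in the QAPI definition as the the BLK_PERM_*
+ flags are in LSb-first order. However, then there is no guarantee
+ that they actually match (e.g. when someone modifies the QAPI schema
+ without thinking of the BLK_PERM_* definitions).
+ We could add static assertions, but these would break what’s good
+ about this solution, namely its simplicity.
+
+(2) define the BLK_PERM_* flags based on the BlockPermission values.
+ But this way whenever someone were to modify the QAPI order
+ (perfectly sensible in theory), the BLK_PERM_* values would change.
+ Because these values are used for file locking, this might break
+ file locking between different qemu versions.
+
+Therefore, go the slightly more cumbersome way: Add a function to
+translate from the QAPI constants to the BLK_PERM_* flags.
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-id: 20191108123455.39445-2-mreitz@redhat.com
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 7b1d9c4df0603fbc526226a9c5ef91118aa6c957)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0972fbf353
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block.c | 18 ++++++++++++++++++
+ include/block/block.h | 1 +
+ 2 files changed, 19 insertions(+)
+
+diff --git a/block.c b/block.c
+index 19c25da305..863cf34d45 100644
+--- a/block.c
++++ b/block.c
+@@ -2227,6 +2227,24 @@ void bdrv_format_default_perms(BlockDriverState *bs, BdrvChild *c,
+ *nshared = shared;
+ }
+
++uint64_t bdrv_qapi_perm_to_blk_perm(BlockPermission qapi_perm)
++{
++ static const uint64_t permissions[] = {
++ [BLOCK_PERMISSION_CONSISTENT_READ] = BLK_PERM_CONSISTENT_READ,
++ [BLOCK_PERMISSION_WRITE] = BLK_PERM_WRITE,
++ [BLOCK_PERMISSION_WRITE_UNCHANGED] = BLK_PERM_WRITE_UNCHANGED,
++ [BLOCK_PERMISSION_RESIZE] = BLK_PERM_RESIZE,
++ [BLOCK_PERMISSION_GRAPH_MOD] = BLK_PERM_GRAPH_MOD,
++ };
++
++ QEMU_BUILD_BUG_ON(ARRAY_SIZE(permissions) != BLOCK_PERMISSION__MAX);
++ QEMU_BUILD_BUG_ON(1UL << ARRAY_SIZE(permissions) != BLK_PERM_ALL + 1);
++
++ assert(qapi_perm < BLOCK_PERMISSION__MAX);
++
++ return permissions[qapi_perm];
++}
++
+ static void bdrv_replace_child_noperm(BdrvChild *child,
+ BlockDriverState *new_bs)
+ {
+diff --git a/include/block/block.h b/include/block/block.h
+index 1df9848e74..e9dcfef7fa 100644
+--- a/include/block/block.h
++++ b/include/block/block.h
+@@ -280,6 +280,7 @@ enum {
+ };
+
+ char *bdrv_perm_names(uint64_t perm);
++uint64_t bdrv_qapi_perm_to_blk_perm(BlockPermission qapi_perm);
+
+ /* disk I/O throttling */
+ void bdrv_init(void);
+--
+2.28.0
+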
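Review bot: The second build-time check in bdrv_qapi_perm_to_blk_perm shifts an `unsigned long` (`QEMU_BUILD_BUG_ON(1UL << ARRAY_SIZE(permissions) != BLK_PERM_ALL + 1);`) while the BLK_PERM_* flags and the function's return type are `uint64_t`; `unsigned long` is 32 bits on LLP64 targets such as Windows, so the check is fine at the present five entries but would stop matching the flag width if the table ever grows past 31. `QEMU_BUILD_BUG_ON((1ULL << ARRAY_SIZE(permissions)) != BLK_PERM_ALL + 1);` keeps the assertion honest for the full 64-bit range. The `assert(qapi_perm < BLOCK_PERMISSION__MAX)` also assumes the enum never holds a negative value, which holds for visitor-produced input but deserves a one-line comment since the table index is otherwise unchecked. The header hunk declares the function with a `BlockPermission` parameter; whether include/block/block.h already includes the QAPI type header is not visible in this hunk.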
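--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-Avoid-memleak-on-qcow2-image-info-failure.patch
@@ -0,0 +1,41 @@
+From 47e0fa74799c23dc29ff0adb356d82425b166231 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Fri, 20 Mar 2020 13:36:20 -0500
+Subject: [PATCH] block: Avoid memleak on qcow2 image info failure
+
+If we fail to get bitmap info, we must not leak the encryption info.
+
+Fixes: b8968c875f403
+Fixes: Coverity CID 1421894
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Message-Id: <20200320183620.1112123-1-eblake@redhat.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Reviewed-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
+Tested-by: Andrey Shinkevich <andrey.shinkevich@virtuozzo.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 71eaec2e8c7c8d266137b5c5f42da0bd6d6b5eb7)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=47e0fa7479
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block/qcow2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block/qcow2.c b/block/qcow2.c
+index 7c18721741..13e118e16f 100644
+--- a/block/qcow2.c
++++ b/block/qcow2.c
+@@ -4800,6 +4800,7 @@ static ImageInfoSpecific *qcow2_get_specific_info(BlockDriverState *bs,
+ if (local_err) {
+ error_propagate(errp, local_err);
+ qapi_free_ImageInfoSpecific(spec_info);
++ qapi_free_QCryptoBlockInfo(encrypt_info);
+ return NULL;
+ }
+ *spec_info->u.qcow2.data = (ImageInfoSpecificQCow2){
+--
+2.28.0
+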
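--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-Call-attention-to-truncation-of-long-NBD-expor.patch
@@ -0,0 +1,100 @@
+From 6c75ddf4a9f317f038a4d94da1b2989fef5dd93b Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Mon, 8 Jun 2020 13:26:38 -0500
+Subject: [PATCH] block: Call attention to truncation of long NBD exports
+
+Commit 93676c88 relaxed our NBD client code to request export names up
+to the NBD protocol maximum of 4096 bytes without NUL terminator, even
+though the block layer can't store anything longer than 4096 bytes
+including NUL terminator for display to the user. Since this means
+there are some export names where we have to truncate things, we can
+at least try to make the truncation a bit more obvious for the user.
+Note that in spite of the truncated display name, we can still
+communicate with an NBD server using such a long export name; this was
+deemed nicer than refusing to even connect to such a server (since the
+server may not be under our control, and since determining our actual
+length limits gets tricky when nbd://host:port/export and
+nbd+unix:///export?socket=/path are themselves variable-length
+expansions beyond the export name but count towards the block layer
+name length).
+
+Reported-by: Xueqiang Wei <xuwei@redhat.com>
+Fixes: https://bugzilla.redhat.com/1843684
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <20200610163741.3745251-3-eblake@redhat.com>
+(cherry picked from commit 5c86bdf1208916ece0b87e1151c9b48ee54faa3e)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=6c75ddf4a9
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block.c | 7 +++++--
+ block/nbd.c | 21 +++++++++++++--------
+ 2 files changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/block.c b/block.c
+index 2e5e8b639a..19c25da305 100644
+--- a/block.c
++++ b/block.c
+@@ -6486,8 +6486,11 @@ void bdrv_refresh_filename(BlockDriverState *bs)
+ pstrcpy(bs->filename, sizeof(bs->filename), bs->exact_filename);
+ } else {
+ QString *json = qobject_to_json(QOBJECT(bs->full_open_options));
+- snprintf(bs->filename, sizeof(bs->filename), "json:%s",
+- qstring_get_str(json));
++ if (snprintf(bs->filename, sizeof(bs->filename), "json:%s",
++ qstring_get_str(json)) >= sizeof(bs->filename)) {
++ /* Give user a hint if we truncated things. */
++ strcpy(bs->filename + sizeof(bs->filename) - 4, "...");
++ }
+ qobject_unref(json);
+ }
+ }
+diff --git a/block/nbd.c b/block/nbd.c
+index 3d369fc8eb..eb380102c0 100644
+--- a/block/nbd.c
++++ b/block/nbd.c
+@@ -1971,6 +1971,7 @@ static void nbd_refresh_filename(BlockDriverState *bs)
+ {
+ BDRVNBDState *s = bs->opaque;
+ const char *host = NULL, *port = NULL, *path = NULL;
++ size_t len = 0;
+
+ if (s->saddr->type == SOCKET_ADDRESS_TYPE_INET) {
+ const InetSocketAddress *inet = &s->saddr->u.inet;
+@@ -1983,17 +1984,21 @@ static void nbd_refresh_filename(BlockDriverState *bs)
+ } /* else can't represent as pseudo-filename */
+
+ if (path && s->export) {
+- snprintf(bs->exact_filename, sizeof(bs->exact_filename),
+- "nbd+unix:///%s?socket=%s", s->export, path);
++ len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
++ "nbd+unix:///%s?socket=%s", s->export, path);
+ } else if (path && !s->export) {
+- snprintf(bs->exact_filename, sizeof(bs->exact_filename),
+- "nbd+unix://?socket=%s", path);
++ len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
++ "nbd+unix://?socket=%s", path);
+ } else if (host && s->export) {
+- snprintf(bs->exact_filename, sizeof(bs->exact_filename),
+- "nbd://%s:%s/%s", host, port, s->export);
++ len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
++ "nbd://%s:%s/%s", host, port, s->export);
+ } else if (host && !s->export) {
+- snprintf(bs->exact_filename, sizeof(bs->exact_filename),
+- "nbd://%s:%s", host, port);
++ len = snprintf(bs->exact_filename, sizeof(bs->exact_filename),
++ "nbd://%s:%s", host, port);
++ }
++ if (len > sizeof(bs->exact_filename)) {
++ /* Name is too long to represent exactly, so leave it empty. */
++ bs->exact_filename[0] = '\0';
+ }
+ }
+
+--
+2.28.0
+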
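Review bot: The new truncation test at the end of nbd_refresh_filename is off by one: snprintf returns the length the untruncated string would have had, so a return equal to `sizeof(bs->exact_filename)` already means the final character was dropped to fit the terminator, yet `if (len > sizeof(bs->exact_filename))` treats that case as exact and leaves a silently shortened name in place. It should read `if (len >= sizeof(bs->exact_filename)) {`, which is also the comparison the block.c hunk in this same patch uses for bs->filename, so the two would then agree. `len` is a `size_t` assigned from snprintf's `int`; a negative return (encoding error) wraps to a large value and clears the name, which is the safe outcome, but a short comment saying so would save the next reader the derivation. nbd_refresh_filename opens in the first nbd.c hunk and closes in the second, so the whole function is visible here.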
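--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-Fix-VM-size-field-width-in-snapshot-dump.patch
@@ -0,0 +1,58 @@
+From 0b487ea66409be1984ed55d3de71000ac363644f Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Fri, 17 Jan 2020 11:58:58 +0100
+Subject: [PATCH] block: Fix VM size field width in snapshot dump
+
+When printing the snapshot list (e.g. with qemu-img snapshot -l), the VM
+size field is only seven characters wide. As of de38b5005e9, this is
+not necessarily sufficient: We generally print three digits, and this
+may require a decimal point. Also, the unit field grew from something
+as plain as "M" to " MiB". This means that number and unit may take up
+eight characters in total; but we also want spaces in front.
+
+Considering previously the maximum width was four characters and the
+field width was chosen to be three characters wider, let us adjust the
+field width to be eleven now.
+
+Fixes: de38b5005e946aa3714963ea4c501e279e7d3666
+Buglink: https://bugs.launchpad.net/qemu/+bug/1859989
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-Id: <20200117105859.241818-2-mreitz@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 804359b8b90f76d9d8fbe8d85a6544b68f107f10)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=0b487ea664
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block/qapi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/block/qapi.c b/block/qapi.c
+index 9a5d0c9b27..ffa539250d 100644
+--- a/block/qapi.c
++++ b/block/qapi.c
+@@ -657,7 +657,7 @@ void bdrv_snapshot_dump(QEMUSnapshotInfo *sn)
+ char *sizing = NULL;
+
+ if (!sn) {
+- qemu_printf("%-10s%-20s%7s%20s%15s",
++ qemu_printf("%-10s%-20s%11s%20s%15s",
+ "ID", "TAG", "VM SIZE", "DATE", "VM CLOCK");
+ } else {
+ ti = sn->date_sec;
+@@ -672,7 +672,7 @@ void bdrv_snapshot_dump(QEMUSnapshotInfo *sn)
+ (int)(secs % 60),
+ (int)((sn->vm_clock_nsec / 1000000) % 1000));
+ sizing = size_to_str(sn->vm_state_size);
+- qemu_printf("%-10s%-20s%7s%20s%15s",
++ qemu_printf("%-10s%-20s%11s%20s%15s",
+ sn->id_str, sn->name,
+ sizing,
+ date_buf,
+--
+2.28.0
+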
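--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-backup-fix-memory-leak-in-bdrv_backup_top_appe.patch
@@ -0,0 +1,55 @@
+From dc6bdba433246e55c930fad38c1267242fae888c Mon Sep 17 00:00:00 2001
+From: Eiichi Tsukata <devel@etsukata.com>
+Date: Mon, 23 Dec 2019 18:06:32 +0900
+Subject: [PATCH] block/backup: fix memory leak in bdrv_backup_top_append()
+
+bdrv_open_driver() allocates bs->opaque according to drv->instance_size.
+There is no need to allocate it and overwrite opaque in
+bdrv_backup_top_append().
+
+Reproducer:
+
+ $ QTEST_QEMU_BINARY=./x86_64-softmmu/qemu-system-x86_64 valgrind -q --leak-check=full tests/test-replication -p /replication/secondary/start
+ ==29792== 24 bytes in 1 blocks are definitely lost in loss record 52 of 226
+ ==29792== at 0x483AB1A: calloc (vg_replace_malloc.c:762)
+ ==29792== by 0x4B07CE0: g_malloc0 (in /usr/lib64/libglib-2.0.so.0.6000.7)
+ ==29792== by 0x12BAB9: bdrv_open_driver (block.c:1289)
+ ==29792== by 0x12BEA9: bdrv_new_open_driver (block.c:1359)
+ ==29792== by 0x1D15CB: bdrv_backup_top_append (backup-top.c:190)
+ ==29792== by 0x1CC11A: backup_job_create (backup.c:439)
+ ==29792== by 0x1CD542: replication_start (replication.c:544)
+ ==29792== by 0x1401B9: replication_start_all (replication.c:52)
+ ==29792== by 0x128B50: test_secondary_start (test-replication.c:427)
+ ...
+
+Fixes: 7df7868b9640 ("block: introduce backup-top filter driver")
+Signed-off-by: Eiichi Tsukata <devel@etsukata.com>
+Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit fb574de81bfdd71fdb0315105a3a7761efb68395)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=dc6bdba433
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block/backup-top.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/backup-top.c b/block/backup-top.c
+index 818d3f26b4..64e9e4f576 100644
+--- a/block/backup-top.c
++++ b/block/backup-top.c
+@@ -196,7 +196,7 @@ BlockDriverState *bdrv_backup_top_append(BlockDriverState *source,
+ }
+
+ top->total_sectors = source->total_sectors;
+- top->opaque = state = g_new0(BDRVBackupTopState, 1);
++ state = top->opaque;
+
+ bdrv_ref(target);
+ state->target = bdrv_attach_child(top, target, "target", &child_file, errp);
+--
+2.28.0
+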
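--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-bdrv_set_backing_bs-fix-use-after-free.patch
@@ -0,0 +1,122 @@
+From 5ff78dc9bcf2a81f097f1137e58f9a0759347d91 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Mon, 16 Mar 2020 09:06:30 +0300
+Subject: [PATCH] block: bdrv_set_backing_bs: fix use-after-free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There is a use-after-free possible: bdrv_unref_child() leaves
+bs->backing freed but not NULL. bdrv_attach_child may produce nested
+polling loop due to drain, than access of freed pointer is possible.
+
+I've produced the following crash on 30 iotest with modified code. It
+does not reproduce on master, but still seems possible:
+
+ #0 __strcmp_avx2 () at /lib64/libc.so.6
+ #1 bdrv_backing_overridden (bs=0x55c9d3cc2060) at block.c:6350
+ #2 bdrv_refresh_filename (bs=0x55c9d3cc2060) at block.c:6404
+ #3 bdrv_backing_attach (c=0x55c9d48e5520) at block.c:1063
+ #4 bdrv_replace_child_noperm
+ (child=child@entry=0x55c9d48e5520,
+ new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2290
+ #5 bdrv_replace_child
+ (child=child@entry=0x55c9d48e5520,
+ new_bs=new_bs@entry=0x55c9d3cc2060) at block.c:2320
+ #6 bdrv_root_attach_child
+ (child_bs=child_bs@entry=0x55c9d3cc2060,
+ child_name=child_name@entry=0x55c9d241d478 "backing",
+ child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
+ ctx=<optimized out>, perm=<optimized out>, shared_perm=21,
+ opaque=0x55c9d3c5a3d0, errp=0x7ffd117108e0) at block.c:2424
+ #7 bdrv_attach_child
+ (parent_bs=parent_bs@entry=0x55c9d3c5a3d0,
+ child_bs=child_bs@entry=0x55c9d3cc2060,
+ child_name=child_name@entry=0x55c9d241d478 "backing",
+ child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
+ errp=errp@entry=0x7ffd117108e0) at block.c:5876
+ #8 in bdrv_set_backing_hd
+ (bs=bs@entry=0x55c9d3c5a3d0,
+ backing_hd=backing_hd@entry=0x55c9d3cc2060,
+ errp=errp@entry=0x7ffd117108e0)
+ at block.c:2576
+ #9 stream_prepare (job=0x55c9d49d84a0) at block/stream.c:150
+ #10 job_prepare (job=0x55c9d49d84a0) at job.c:761
+ #11 job_txn_apply (txn=<optimized out>, fn=<optimized out>) at
+ job.c:145
+ #12 job_do_finalize (job=0x55c9d49d84a0) at job.c:778
+ #13 job_completed_txn_success (job=0x55c9d49d84a0) at job.c:832
+ #14 job_completed (job=0x55c9d49d84a0) at job.c:845
+ #15 job_completed (job=0x55c9d49d84a0) at job.c:836
+ #16 job_exit (opaque=0x55c9d49d84a0) at job.c:864
+ #17 aio_bh_call (bh=0x55c9d471a160) at util/async.c:117
+ #18 aio_bh_poll (ctx=ctx@entry=0x55c9d3c46720) at util/async.c:117
+ #19 aio_poll (ctx=ctx@entry=0x55c9d3c46720,
+ blocking=blocking@entry=true)
+ at util/aio-posix.c:728
+ #20 bdrv_parent_drained_begin_single (poll=true, c=0x55c9d3d558f0)
+ at block/io.c:121
+ #21 bdrv_parent_drained_begin_single (c=c@entry=0x55c9d3d558f0,
+ poll=poll@entry=true)
+ at block/io.c:114
+ #22 bdrv_replace_child_noperm
+ (child=child@entry=0x55c9d3d558f0,
+ new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2258
+ #23 bdrv_replace_child
+ (child=child@entry=0x55c9d3d558f0,
+ new_bs=new_bs@entry=0x55c9d3d27300) at block.c:2320
+ #24 bdrv_root_attach_child
+ (child_bs=child_bs@entry=0x55c9d3d27300,
+ child_name=child_name@entry=0x55c9d241d478 "backing",
+ child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
+ ctx=<optimized out>, perm=<optimized out>, shared_perm=21,
+ opaque=0x55c9d3cc2060, errp=0x7ffd11710c60) at block.c:2424
+ #25 bdrv_attach_child
+ (parent_bs=parent_bs@entry=0x55c9d3cc2060,
+ child_bs=child_bs@entry=0x55c9d3d27300,
+ child_name=child_name@entry=0x55c9d241d478 "backing",
+ child_role=child_role@entry=0x55c9d26ecee0 <child_backing>,
+ errp=errp@entry=0x7ffd11710c60) at block.c:5876
+ #26 bdrv_set_backing_hd
+ (bs=bs@entry=0x55c9d3cc2060,
+ backing_hd=backing_hd@entry=0x55c9d3d27300,
+ errp=errp@entry=0x7ffd11710c60)
+ at block.c:2576
+ #27 stream_prepare (job=0x55c9d495ead0) at block/stream.c:150
+ ...
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <20200316060631.30052-2-vsementsov@virtuozzo.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit 6e57963a77df1e275a73dab4c6a7ec9a9d3468d4)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=5ff78dc9bc
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block.c b/block.c
+index 4916252444..1cb1cd7a37 100644
+--- a/block.c
++++ b/block.c
+@@ -2577,10 +2577,10 @@ void bdrv_set_backing_hd(BlockDriverState *bs, BlockDriverState *backing_hd,
+
+ if (bs->backing) {
+ bdrv_unref_child(bs, bs->backing);
++ bs->backing = NULL;
+ }
+
+ if (!backing_hd) {
+- bs->backing = NULL;
+ goto out;
+ }
+
+--
+2.28.0
+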
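--- /dev/null
+++ b/debian/patches/stable/lp-1891877-block-fix-memleaks-in-bdrv_refresh_filename.patch
@@ -0,0 +1,68 @@
+From a967e75f3a65ccfca3e793e4cb8223449f20a9c5 Mon Sep 17 00:00:00 2001
+From: Pan Nengyuan <pannengyuan@huawei.com>
+Date: Thu, 16 Jan 2020 16:56:00 +0800
+Subject: [PATCH] block: fix memleaks in bdrv_refresh_filename
+
+If we call the qmp 'query-block' while qemu is working on
+'block-commit', it will cause memleaks, the memory leak stack is as
+follow:
+
+Indirect leak of 12360 byte(s) in 3 object(s) allocated from:
+ #0 0x7f80f0b6d970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
+ #1 0x7f80ee86049d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
+ #2 0x55ea95b5bb67 in qdict_new /mnt/sdb/qemu-4.2.0-rc0/qobject/qdict.c:29
+ #3 0x55ea956cd043 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6427
+ #4 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
+ #5 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
+ #6 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
+ #7 0x55ea958818ea in bdrv_block_device_info /mnt/sdb/qemu-4.2.0-rc0/block/qapi.c:56
+ #8 0x55ea958879de in bdrv_query_info /mnt/sdb/qemu-4.2.0-rc0/block/qapi.c:392
+ #9 0x55ea9588b58f in qmp_query_block /mnt/sdb/qemu-4.2.0-rc0/block/qapi.c:578
+ #10 0x55ea95567392 in qmp_marshal_query_block qapi/qapi-commands-block-core.c:95
+
+Indirect leak of 4120 byte(s) in 1 object(s) allocated from:
+ #0 0x7f80f0b6d970 in __interceptor_calloc (/lib64/libasan.so.5+0xef970)
+ #1 0x7f80ee86049d in g_malloc0 (/lib64/libglib-2.0.so.0+0x5249d)
+ #2 0x55ea95b5bb67 in qdict_new /mnt/sdb/qemu-4.2.0-rc0/qobject/qdict.c:29
+ #3 0x55ea956cd043 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6427
+ #4 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
+ #5 0x55ea956cc950 in bdrv_refresh_filename /mnt/sdb/qemu-4.2.0-rc0/block.c:6399
+ #6 0x55ea9569f301 in bdrv_backing_attach /mnt/sdb/qemu-4.2.0-rc0/block.c:1064
+ #7 0x55ea956a99dd in bdrv_replace_child_noperm /mnt/sdb/qemu-4.2.0-rc0/block.c:2283
+ #8 0x55ea956b9b53 in bdrv_replace_node /mnt/sdb/qemu-4.2.0-rc0/block.c:4196
+ #9 0x55ea956b9e49 in bdrv_append /mnt/sdb/qemu-4.2.0-rc0/block.c:4236
+ #10 0x55ea958c3472 in commit_start /mnt/sdb/qemu-4.2.0-rc0/block/commit.c:306
+ #11 0x55ea94b68ab0 in qmp_block_commit /mnt/sdb/qemu-4.2.0-rc0/blockdev.c:3459
+ #12 0x55ea9556a7a7 in qmp_marshal_block_commit qapi/qapi-commands-block-core.c:407
+
+Fixes: bb808d5f5c0978828a974d547e6032402c339555
+Reported-by: Euler Robot <euler.robot@huawei.com>
+Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
+Message-id: 20200116085600.24056-1-pannengyuan@huawei.com
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+(cherry picked from commit cb8956144ccaccf23d5cc4167677e2c84fa5a9f8)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=a967e75f3a
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ block.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/block.c b/block.c
+index 863cf34d45..4916252444 100644
+--- a/block.c
++++ b/block.c
+@@ -6426,6 +6426,7 @@ void bdrv_refresh_filename(BlockDriverState *bs)
+ child->bs->exact_filename);
+ pstrcpy(bs->filename, sizeof(bs->filename), child->bs->filename);
+
++ qobject_unref(bs->full_open_options);
+ bs->full_open_options = qobject_ref(child->bs->full_open_options);
+
+ return;
+--
+2.28.0
+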
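--- /dev/null
+++ b/debian/patches/stable/lp-1891877-compat-disable-edid-on-correct-virtio-gpu-device.patch
@@ -0,0 +1,49 @@
+From 219362f9655859056e8f15cf96fc3169d4dc80de Mon Sep 17 00:00:00 2001
+From: Cornelia Huck <cohuck@redhat.com>
+Date: Wed, 18 Mar 2020 10:39:19 +0100
+Subject: [PATCH] compat: disable edid on correct virtio-gpu device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit bb15791166c1 ("compat: disable edid on virtio-gpu base
+device") tried to disable 'edid' on the virtio-gpu base device.
+However, that device is not 'virtio-gpu', but 'virtio-gpu-device'.
+Fix it.
+
+Fixes: bb15791166c1 ("compat: disable edid on virtio-gpu base device")
+Reported-by: Lukáš Doktor <ldoktor@redhat.com>
+Tested-by: Lukáš Doktor <ldoktor@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Message-id: 20200318093919.24942-1-cohuck@redhat.com
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 02501fc39381c4dabaf6becdd12c2a4754c3847c)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=219362f965
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/core/machine.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/core/machine.c b/hw/core/machine.c
+index aa63231f31..1872263bf0 100644
+--- a/hw/core/machine.c
++++ b/hw/core/machine.c
+@@ -37,7 +37,7 @@ GlobalProperty hw_compat_4_0[] = {
+ { "secondary-vga", "edid", "false" },
+ { "bochs-display", "edid", "false" },
+ { "virtio-vga", "edid", "false" },
+- { "virtio-gpu", "edid", "false" },
++ { "virtio-gpu-device", "edid", "false" },
+ { "virtio-device", "use-started", "false" },
+ { "virtio-balloon-device", "qemu-4-0-config-size", "true" },
+ { "pl031", "migrate-tick-offset", "false" },
+--
+2.28.0
+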
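--- /dev/null
+++ b/debian/patches/stable/lp-1891877-display-bochs-display-fix-memory-leak.patch
@@ -0,0 +1,42 @@
+From 7e1bc51f3f606e758b2600555ddc99f643a3697d Mon Sep 17 00:00:00 2001
+From: Cameron Esfahani <dirty@apple.com>
+Date: Tue, 10 Dec 2019 13:27:54 -0800
+Subject: [PATCH] display/bochs-display: fix memory leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fix memory leak in bochs_display_update(). Leaks 304 bytes per frame.
+
+Fixes: 33ebad54056
+Signed-off-by: Cameron Esfahani <dirty@apple.com>
+Message-Id: <d6c26e68db134c7b0c7ce8b61596ca2e65e01e12.1576013209.git.dirty@apple.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 0d82411d0e38a0de7829f97d04406765c8d2210d)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=7e1bc51f3f
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/display/bochs-display.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/display/bochs-display.c b/hw/display/bochs-display.c
+index dc1bd1641d..215db9a231 100644
+--- a/hw/display/bochs-display.c
++++ b/hw/display/bochs-display.c
+@@ -252,6 +252,8 @@ static void bochs_display_update(void *opaque)
+ dpy_gfx_update(s->con, 0, ys,
+ mode.width, y - ys);
+ }
++
++ g_free(snap);
+ }
+ }
+
+--
+2.28.0
+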
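Review bot: The added `g_free(snap)` sits at the end of an inner block whose opening, and the allocation of `snap`, are outside the hunk (bochs_display_update begins before it), so the hunk alone does not show that every exit between the allocation and this point releases the buffer; confirm no early `return` in that stretch still leaks it, otherwise the per-frame leak is only narrowed rather than closed. If the tree's glib-compat layer provides it, declaring the buffer with `g_autofree` would tie the release to scope and remove the question for future edits.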
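--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Always-update-RRA-pointers-and-sequence-numb.patch
@@ -0,0 +1,52 @@
+From 1190026fe415ce29605bdadbb68956a3315714e8 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Always update RRA pointers and sequence numbers
+
+These operations need to take place regardless of whether or not
+rx descriptors have been used up (that is, EOL flag was observed).
+
+The algorithm is now the same for a packet that was withheld as for
+a packet that was not.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 80b60673ea598869050c66d95d8339480e4cefd0)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=1190026fe4
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 4ce2ef818b..aa7bd785f3 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -897,12 +897,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ /* Move to next descriptor */
+ s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
+ s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
+- s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | (((s->regs[SONIC_RSC] & 0x00ff) + 1) & 0x00ff);
++ }
+
+- if (s->regs[SONIC_RCR] & SONIC_RCR_LPKT) {
+- /* Read next RRA */
+- dp8393x_do_read_rra(s);
+- }
++ s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) |
++ ((s->regs[SONIC_RSC] + 1) & 0x00ff);
++
++ if (s->regs[SONIC_RCR] & SONIC_RCR_LPKT) {
++ /* Read next RRA */
++ dp8393x_do_read_rra(s);
+ }
+
+ /* Done */
+--
+2.28.0
+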
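--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Always-use-32-bit-accesses.patch
@@ -0,0 +1,167 @@
+From 956e1b2d977f8743d58c97994c27d6c848ae3b7d Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Always use 32-bit accesses
+
+The DP83932 and DP83934 have 32 data lines. The datasheet says,
+
+ Data Bus: These bidirectional lines are used to transfer data on the
+ system bus. When the SONIC is a bus master, 16-bit data is transferred
+ on D15-D0 and 32-bit data is transferred on D31-D0. When the SONIC is
+ accessed as a slave, register data is driven onto lines D15-D0.
+ D31-D16 are held TRI-STATE if SONIC is in 16-bit mode. If SONIC is in
+ 32-bit mode, they are driven, but invalid.
+
+Always use 32-bit accesses both as bus master and bus slave.
+
+Force the MSW to zero in bus master mode.
+
+This gets the Linux 'jazzsonic' driver working, and avoids the need for
+prior hacks to make the NetBSD 'sn' driver work.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 3fe9a838ec3eae1374ced16b63bf56894b2ffbe6)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=956e1b2d97
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 47 +++++++++++++++++++++++++++++------------------
+ 1 file changed, 29 insertions(+), 18 deletions(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 7ca6a6dd46..49c304ee20 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -246,9 +246,19 @@ static void dp8393x_put(dp8393xState *s, int width, int offset,
+ uint16_t val)
+ {
+ if (s->big_endian) {
+- s->data[offset * width + width - 1] = cpu_to_be16(val);
++ if (width == 2) {
++ s->data[offset * 2] = 0;
++ s->data[offset * 2 + 1] = cpu_to_be16(val);
++ } else {
++ s->data[offset] = cpu_to_be16(val);
++ }
+ } else {
+- s->data[offset * width] = cpu_to_le16(val);
++ if (width == 2) {
++ s->data[offset * 2] = cpu_to_le16(val);
++ s->data[offset * 2 + 1] = 0;
++ } else {
++ s->data[offset] = cpu_to_le16(val);
++ }
+ }
+ }
+
+@@ -588,7 +598,7 @@ static uint64_t dp8393x_read(void *opaque, hwaddr addr, unsigned int size)
+
+ DPRINTF("read 0x%04x from reg %s\n", val, reg_names[reg]);
+
+- return val;
++ return s->big_endian ? val << 16 : val;
+ }
+
+ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
+@@ -596,13 +606,14 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
+ {
+ dp8393xState *s = opaque;
+ int reg = addr >> s->it_shift;
++ uint32_t val = s->big_endian ? data >> 16 : data;
+
+- DPRINTF("write 0x%04x to reg %s\n", (uint16_t)data, reg_names[reg]);
++ DPRINTF("write 0x%04x to reg %s\n", (uint16_t)val, reg_names[reg]);
+
+ switch (reg) {
+ /* Command register */
+ case SONIC_CR:
+- dp8393x_do_command(s, data);
++ dp8393x_do_command(s, val);
+ break;
+ /* Prevent write to read-only registers */
+ case SONIC_CAP2:
+@@ -615,36 +626,36 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
+ /* Accept write to some registers only when in reset mode */
+ case SONIC_DCR:
+ if (s->regs[SONIC_CR] & SONIC_CR_RST) {
+- s->regs[reg] = data & 0xbfff;
++ s->regs[reg] = val & 0xbfff;
+ } else {
+ DPRINTF("writing to DCR invalid\n");
+ }
+ break;
+ case SONIC_DCR2:
+ if (s->regs[SONIC_CR] & SONIC_CR_RST) {
+- s->regs[reg] = data & 0xf017;
++ s->regs[reg] = val & 0xf017;
+ } else {
+ DPRINTF("writing to DCR2 invalid\n");
+ }
+ break;
+ /* 12 lower bytes are Read Only */
+ case SONIC_TCR:
+- s->regs[reg] = data & 0xf000;
++ s->regs[reg] = val & 0xf000;
+ break;
+ /* 9 lower bytes are Read Only */
+ case SONIC_RCR:
+- s->regs[reg] = data & 0xffe0;
++ s->regs[reg] = val & 0xffe0;
+ break;
+ /* Ignore most significant bit */
+ case SONIC_IMR:
+- s->regs[reg] = data & 0x7fff;
++ s->regs[reg] = val & 0x7fff;
+ dp8393x_update_irq(s);
+ break;
+ /* Clear bits by writing 1 to them */
+ case SONIC_ISR:
+- data &= s->regs[reg];
+- s->regs[reg] &= ~data;
+- if (data & SONIC_ISR_RBE) {
++ val &= s->regs[reg];
++ s->regs[reg] &= ~val;
++ if (val & SONIC_ISR_RBE) {
+ dp8393x_do_read_rra(s);
+ }
+ dp8393x_update_irq(s);
+@@ -657,17 +668,17 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
+ case SONIC_REA:
+ case SONIC_RRP:
+ case SONIC_RWP:
+- s->regs[reg] = data & 0xfffe;
++ s->regs[reg] = val & 0xfffe;
+ break;
+ /* Invert written value for some registers */
+ case SONIC_CRCT:
+ case SONIC_FAET:
+ case SONIC_MPT:
+- s->regs[reg] = data ^ 0xffff;
++ s->regs[reg] = val ^ 0xffff;
+ break;
+ /* All other registers have no special contrainst */
+ default:
+- s->regs[reg] = data;
++ s->regs[reg] = val;
+ }
+
+ if (reg == SONIC_WT0 || reg == SONIC_WT1) {
+@@ -678,8 +689,8 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
+ static const MemoryRegionOps dp8393x_ops = {
+ .read = dp8393x_read,
+ .write = dp8393x_write,
+- .impl.min_access_size = 2,
+- .impl.max_access_size = 2,
++ .impl.min_access_size = 4,
++ .impl.max_access_size = 4,
+ .endianness = DEVICE_NATIVE_ENDIAN,
+ };
+
+--
+2.28.0
+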
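Review bot: In dp8393x_read the new `return s->big_endian ? val << 16 : val;` shifts `val` before any widening; if `val` is a 16-bit type (its declaration is outside the hunk, and the `%04x` DPRINTF suggests it is), the shift happens in `int` after integer promotion and any register value with bit 15 set lands in the sign bit, which is undefined behaviour in C even though the function returns `uint64_t`. Widen first: `return s->big_endian ? (uint64_t)val << 16 : val;`. In dp8393x_write the companion line `uint32_t val = s->big_endian ? data >> 16 : data;` silently discards the upper half of the 64-bit `data`, and the later 16-bit register stores discard bits 16–31 of `val`; a one-line comment stating that only the low 16 bits of the access are architecturally meaningful would save the next reader reconstructing this from the datasheet quote in the commit message.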
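--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Clean-up-endianness-hacks.patch
@@ -0,0 +1,71 @@
+From bf3f12ac8c34e4856f48c5f7ee7d23c042097797 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Clean up endianness hacks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+According to the datasheet, section 3.4.4, "in 32-bit mode ... the SONIC
+always writes long words".
+
+Therefore, use the same technique for the 'in_use' field that is used
+everywhere else, and write the full long word.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 46ffee9ad43185cbee4182c208bbd534814086ca)
+ Conflicts:
+ hw/net/dp8393x.c
+*roll in local dependencies on b7cbebf2b9d
+*drop functional dep. on 19f70347731
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=bf3f12ac8c
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 49c304ee20..f89f4c7ba3 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -776,8 +776,6 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ return -1;
+ }
+
+- /* XXX: Check byte ordering */
+-
+ /* Check for EOL */
+ if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) {
+ /* Are we still in resource exhaustion? */
+@@ -847,15 +845,12 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ /* EOL detected */
+ s->regs[SONIC_ISR] |= SONIC_ISR_RDE;
+ } else {
+- /* Clear in_use, but it is always 16bit wide */
+- int offset = dp8393x_crda(s) + sizeof(uint16_t) * 6 * width;
+- if (s->big_endian && width == 2) {
+- /* we need to adjust the offset of the 16bit field */
+- offset += sizeof(uint16_t);
+- }
+- s->data[0] = 0;
+- address_space_rw(&s->as, offset, MEMTXATTRS_UNSPECIFIED,
+- (uint8_t *)s->data, sizeof(uint16_t), 1);
++ /* Clear in_use */
++ size = sizeof(uint16_t) * width;
++ address = dp8393x_crda(s) + sizeof(uint16_t) * 6 * width;
++ dp8393x_put(s, width, 0, 0);
++ address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
++ (uint8_t *)s->data, size, true);
+ s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
+ s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
+ s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | (((s->regs[SONIC_RSC] & 0x00ff) + 1) & 0x00ff);
+--
+2.28.0
+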
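Review bot: The rewritten in_use clear discards the `MemTxResult` of `address_space_rw`, so a failed DMA write to guest memory goes unnoticed while the very next lines advance `SONIC_CRDA` and raise PKTRX, leaving the descriptor still marked in use from the guest's point of view. At minimum record the failure, e.g. `if (address_space_rw(...) != MEMTX_OK) { qemu_log_mask(LOG_GUEST_ERROR, "dp8393x: in_use write failed\n"); }`, or state in the comment that the result is deliberately ignored. The same unchecked call is introduced by the "Clear descriptor in_use field to release packet" patch and the "Don't clobber packet checksum" patch in this series, which additionally pass `1` where this hunk passes `true` for the is_write argument — one spelling should be used throughout. dp8393x_receive continues outside the hunk.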
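--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Clear-RRRA-command-register-bit-only-when-ap.patch
@@ -0,0 +1,56 @@
+From 5f08c382caee86109585111b240c36371738b00d Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Clear RRRA command register bit only when
+ appropriate
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It doesn't make sense to clear the command register bit unless the
+command was actually issued.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit a3cce2825a0b12bb717a5106daaca245557cc9ae)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=5f08c382ca
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 8dd6bf032c..04f58ee4e1 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -352,9 +352,6 @@ static void dp8393x_do_read_rra(dp8393xState *s)
+ s->regs[SONIC_ISR] |= SONIC_ISR_RBE;
+ dp8393x_update_irq(s);
+ }
+-
+- /* Done */
+- s->regs[SONIC_CR] &= ~SONIC_CR_RRRA;
+ }
+
+ static void dp8393x_do_software_reset(dp8393xState *s)
+@@ -563,8 +560,10 @@ static void dp8393x_do_command(dp8393xState *s, uint16_t command)
+ dp8393x_do_start_timer(s);
+ if (command & SONIC_CR_RST)
+ dp8393x_do_software_reset(s);
+- if (command & SONIC_CR_RRRA)
++ if (command & SONIC_CR_RRRA) {
+ dp8393x_do_read_rra(s);
++ s->regs[SONIC_CR] &= ~SONIC_CR_RRRA;
++ }
+ if (command & SONIC_CR_LCAM)
+ dp8393x_do_load_cam(s);
+ }
+--
+2.28.0
+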
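Review bot: The new `if (command & SONIC_CR_RRRA) { ... }` is braced while the adjacent `if (command & SONIC_CR_RST)` and `if (command & SONIC_CR_LCAM)` bodies in the same hunk remain unbraced single statements, so dp8393x_do_command now mixes both styles in consecutive lines. QEMU's coding style braces every conditional body; bracing the neighbours in the same change keeps the function uniform and removes the hazard of a second statement being appended to an unbraced body later. dp8393x_do_command continues outside the hunk.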
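--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Clear-descriptor-in_use-field-to-release-pac.patch
@@ -0,0 +1,55 @@
+From 8d61b1e2c4e2ad8310ca957decf26b0b82d37148 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Clear descriptor in_use field to release packet
+
+When the SONIC receives a packet into the last available descriptor, it
+retains ownership of that descriptor for as long as necessary.
+
+Section 3.4.7 of the datasheet says,
+
+ When the system appends more descriptors, the SONIC releases ownership
+ of the descriptor after writing 0000h to the RXpkt.in_use field.
+
+The packet can now be processed by the host, so raise a PKTRX interrupt,
+just like the normal case.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit d9fae13196a31716f45dcddcdd958fbb8e59b35a)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=8d61b1e2c4
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index 0e9061d831..4ce2ef818b 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -809,7 +809,17 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ return -1;
+ }
+ /* Link has been updated by host */
++
++ /* Clear in_use */
++ size = sizeof(uint16_t) * width;
++ address = dp8393x_crda(s) + sizeof(uint16_t) * 6 * width;
++ dp8393x_put(s, width, 0, 0);
++ address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
++ (uint8_t *)s->data, size, 1);
++
++ /* Move to next descriptor */
+ s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
++ s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
+ }
+
+ /* Save current position */
+--
+2.28.0
+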
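--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Don-t-clobber-packet-checksum.patch
@@ -0,0 +1,45 @@
+From d50aa8acbc6f4bd83d0d0b5958d49ac6baf254a5 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Don't clobber packet checksum
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A received packet consumes pkt_size bytes in the buffer and the frame
+checksum that's appended to it consumes another 4 bytes. The Receive
+Buffer Address register takes the former quantity into account but
+not the latter. So the next packet written to the buffer overwrites
+the frame checksum. Fix this.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit bae112b80c9c42cea21ee7623c283668c3451c2e)
+*drop context dep. on 19f70347731
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=d50aa8acbc
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index ca8088c839..315b4ad844 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -816,6 +816,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ address += rx_len;
+ address_space_rw(&s->as, address,
+ MEMTXATTRS_UNSPECIFIED, (uint8_t *)&checksum, 4, 1);
++ address += 4;
+ rx_len += 4;
+ s->regs[SONIC_CRBA1] = address >> 16;
+ s->regs[SONIC_CRBA0] = address & 0xffff;
+--
+2.28.0
+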
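Review bot: The frame checksum length is spelled as the literal `4` three times in a row — the `address_space_rw` length, the new `address += 4;` and the existing `rx_len += 4;` — although the quantity is the size of the `uint32_t checksum` being written, and another patch in this series already writes it as `rx_len = pkt_size + sizeof(checksum)`. Using `sizeof(checksum)` in all three places ties the write length and the two pointer bumps together so they cannot drift apart on a future edit. dp8393x_receive continues outside the hunk on both sides.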
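--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Don-t-reset-Silicon-Revision-register.patch
@@ -0,0 +1,51 @@
+From 735cd8ddab7d2e8b3cb693295067d2c8a9098f86 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Don't reset Silicon Revision register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The jazzsonic driver in Linux uses the Silicon Revision register value
+to probe the chip. The driver fails unless the SR register contains 4.
+Unfortunately, reading this register in QEMU usually returns 0 because
+the s->regs[] array gets wiped after a software reset.
+
+Fixes: bd8f1ebce4 ("net/dp8393x: fix hardware reset")
+Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 083e21bbdde7dbd326baf29d21f49fc3f5614496)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=735cd8ddab
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index aa7bd785f3..d33f21bd0b 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -919,6 +919,7 @@ static void dp8393x_reset(DeviceState *dev)
+ timer_del(s->watchdog);
+
+ memset(s->regs, 0, sizeof(s->regs));
++ s->regs[SONIC_SR] = 0x0004; /* only revision recognized by Linux/mips */
+ s->regs[SONIC_CR] = SONIC_CR_RST | SONIC_CR_STP | SONIC_CR_RXDIS;
+ s->regs[SONIC_DCR] &= ~(SONIC_DCR_EXBUS | SONIC_DCR_LBR);
+ s->regs[SONIC_RCR] &= ~(SONIC_RCR_LB0 | SONIC_RCR_LB1 | SONIC_RCR_BRD | SONIC_RCR_RNT);
+@@ -971,7 +972,6 @@ static void dp8393x_realize(DeviceState *dev, Error **errp)
+ qemu_format_nic_info_str(qemu_get_queue(s->nic), s->conf.macaddr.a);
+
+ s->watchdog = timer_new_ns(QEMU_CLOCK_VIRTUAL, dp8393x_watchdog, s);
+- s->regs[SONIC_SR] = 0x0004; /* only revision recognized by Linux */
+
+ memory_region_init_ram(&s->prom, OBJECT(dev),
+ "dp8393x-prom", SONIC_PROM_SIZE, &local_err);
+--
+2.28.0
+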
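Review bot: `s->regs[SONIC_SR] = 0x0004; /* only revision recognized by Linux/mips */` carries a magic number into dp8393x_reset; a named constant alongside the other `SONIC_*` register definitions, e.g. `#define SONIC_SR_REVISION 0x0004` (constructed name), would document the value where the register map lives and let the comment explain why the guest depends on it rather than restating the number. The commit message says the array "gets wiped after a software reset", but only dp8393x_reset is changed here; dp8393x_do_software_reset is outside the hunk, so confirm it does not also zero `s->regs`, or the same symptom survives a guest-initiated reset.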
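--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Don-t-stop-reception-upon-RBE-interrupt-asse.patch
@@ -0,0 +1,137 @@
+From 3e1d95301e8c00d8a8a2ec03ed941f019c8fd2b3 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Don't stop reception upon RBE interrupt assertion
+
+Section 3.4.7 of the datasheet explains that,
+
+ The RBE bit in the Interrupt Status register is set when the
+ SONIC finishes using the second to last receive buffer and reads
+ the last RRA descriptor. Actually, the SONIC is not truly out of
+ resources, but gives the system an early warning of an impending
+ out of resources condition.
+
+RBE does not mean actual receive buffer exhaustion, and reception should
+not be stopped. This is important because Linux will not check and clear
+the RBE interrupt until it receives another packet. But that won't
+happen if can_receive returns false. This bug causes the SONIC to become
+deaf (until reset).
+
+Fix this with a new flag to indicate actual receive buffer exhaustion.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit c2279bd0a19b35057f2e4c3b4df9a915717d1142)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=3e1d95301e
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index d33f21bd0b..44f77c5d3c 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -158,6 +158,7 @@ typedef struct dp8393xState {
+ /* Hardware */
+ uint8_t it_shift;
+ bool big_endian;
++ bool last_rba_is_full;
+ qemu_irq irq;
+ #ifdef DEBUG_SONIC
+ int irq_level;
+@@ -347,12 +348,15 @@ static void dp8393x_do_read_rra(dp8393xState *s)
+ s->regs[SONIC_RRP] = s->regs[SONIC_RSA];
+ }
+
+- /* Check resource exhaustion */
++ /* Warn the host if CRBA now has the last available resource */
+ if (s->regs[SONIC_RRP] == s->regs[SONIC_RWP])
+ {
+ s->regs[SONIC_ISR] |= SONIC_ISR_RBE;
+ dp8393x_update_irq(s);
+ }
++
++ /* Allow packet reception */
++ s->last_rba_is_full = false;
+ }
+
+ static void dp8393x_do_software_reset(dp8393xState *s)
+@@ -659,9 +663,6 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
+ dp8393x_do_read_rra(s);
+ }
+ dp8393x_update_irq(s);
+- if (dp8393x_can_receive(s->nic->ncs)) {
+- qemu_flush_queued_packets(qemu_get_queue(s->nic));
+- }
+ break;
+ /* The guest is required to store aligned pointers here */
+ case SONIC_RSA:
+@@ -721,8 +722,6 @@ static int dp8393x_can_receive(NetClientState *nc)
+
+ if (!(s->regs[SONIC_CR] & SONIC_CR_RXEN))
+ return 0;
+- if (s->regs[SONIC_ISR] & SONIC_ISR_RBE)
+- return 0;
+ return 1;
+ }
+
+@@ -773,6 +772,10 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
+ SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
+
++ if (s->last_rba_is_full) {
++ return pkt_size;
++ }
++
+ rx_len = pkt_size + sizeof(checksum);
+ if (s->regs[SONIC_DCR] & SONIC_DCR_DW) {
+ width = 2;
+@@ -786,8 +789,8 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
+ s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
+ dp8393x_update_irq(s);
+- dp8393x_do_read_rra(s);
+- return pkt_size;
++ s->regs[SONIC_RCR] |= SONIC_RCR_LPKT;
++ goto done;
+ }
+
+ packet_type = dp8393x_receive_filter(s, buf, pkt_size);
+@@ -899,17 +902,23 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
+ }
+
++ dp8393x_update_irq(s);
++
+ s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) |
+ ((s->regs[SONIC_RSC] + 1) & 0x00ff);
+
++done:
++
+ if (s->regs[SONIC_RCR] & SONIC_RCR_LPKT) {
+- /* Read next RRA */
+- dp8393x_do_read_rra(s);
++ if (s->regs[SONIC_RRP] == s->regs[SONIC_RWP]) {
++ /* Stop packet reception */
++ s->last_rba_is_full = true;
++ } else {
++ /* Read next resource */
++ dp8393x_do_read_rra(s);
++ }
+ }
+
+- /* Done */
+- dp8393x_update_irq(s);
+-
+ return pkt_size;
+ }
+
+--
+2.28.0
+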
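Review bot: `last_rba_is_full` is new device state that only dp8393x_do_read_rra clears and only the LPKT path in dp8393x_receive sets; nothing in this patch resets it on device reset (the reset path shown elsewhere in this series only `memset`s `s->regs`) and nothing adds it to a VMStateDescription, so a flag left `true` survives a reset until the guest next issues RRRA and, if the device is migratable, is lost on the destination. Add `s->last_rba_is_full = false;` to dp8393x_reset and, if a vmstate exists for dp8393xState, a `VMSTATE_BOOL(last_rba_is_full, dp8393xState)` entry with the usual version bump; both locations are outside the hunk, so confirm against the rest of the file. The early `return pkt_size;` when the flag is set silently consumes the frame, which matches the datasheet behaviour quoted above but deserves a one-line comment at the return.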
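--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Have-dp8393x_receive-return-the-packet-size.patch
@@ -0,0 +1,68 @@
+From 153c3320e77cfcafc5a44d01d6fb7905121a8fd7 Mon Sep 17 00:00:00 2001
+From: Finn Thain <fthain@telegraphics.com.au>
+Date: Wed, 29 Jan 2020 20:27:49 +1100
+Subject: [PATCH] dp8393x: Have dp8393x_receive() return the packet size
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This function re-uses its 'size' argument as a scratch variable.
+Instead, declare a local 'size' variable for that purpose so that the
+function result doesn't get messed up.
+
+Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 9e3cd456d85ad45e72bdba99203302342ce29b3b)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=153c3320e7
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
+Last-Update: 2020-08-19
+
+---
+ hw/net/dp8393x.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
+index f89f4c7ba3..a696485a55 100644
+--- a/hw/net/dp8393x.c
++++ b/hw/net/dp8393x.c
+@@ -757,20 +757,21 @@ static int dp8393x_receive_filter(dp8393xState *s, const uint8_t * buf,
+ }
+
+ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+- size_t size)
++ size_t pkt_size)
+ {
+ dp8393xState *s = qemu_get_nic_opaque(nc);
+ int packet_type;
+ uint32_t available, address;
+- int width, rx_len = size;
++ int width, rx_len = pkt_size;
+ uint32_t checksum;
++ int size;
+
+ width = (s->regs[SONIC_DCR] & SONIC_DCR_DW) ? 2 : 1;
+
+ s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
+ SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
+
+- packet_type = dp8393x_receive_filter(s, buf, size);
++ packet_type = dp8393x_receive_filter(s, buf, pkt_size);
+ if (packet_type < 0) {
+ DPRINTF("packet not for netcard\n");
+ return -1;
+@@ -864,7 +865,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
+ /* Done */
+ dp8393x_update_irq(s);
+
+- return size;
++ return pkt_size;
+ }
+
+ static void dp8393x_reset(DeviceState *dev)
+--
+2.28.0
+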
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch b/debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch
0new file mode 10064469new file mode 100644
index 0000000..fcdb4ca
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Implement-packet-size-limit-and-RBAE-interru.patch
@@ -0,0 +1,57 @@
1From 3a8068f4ebb9f9500cf3d1805f5cfbd42e15ab12 Mon Sep 17 00:00:00 2001
2From: Finn Thain <fthain@telegraphics.com.au>
3Date: Wed, 29 Jan 2020 20:27:49 +1100
4Subject: [PATCH] dp8393x: Implement packet size limit and RBAE interrupt
5
6Add a bounds check to prevent a large packet from causing a buffer
7overflow. This is defensive programming -- I haven't actually tried
8sending an oversized packet or a jumbo ethernet frame.
9
10The SONIC handles packets that are too big for the buffer by raising
11the RBAE interrupt and dropping them. Linux uses that interrupt to
12count dropped packets.
13
14Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
15Tested-by: Laurent Vivier <laurent@vivier.eu>
16Signed-off-by: Jason Wang <jasowang@redhat.com>
17(cherry picked from commit ada74315270d1dcabf4c9d4fece19df7ef5b9577)
18Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
19
20Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=3a8068f4eb
21Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
22Last-Update: 2020-08-19
23
24---
25 hw/net/dp8393x.c | 9 +++++++++
26 1 file changed, 9 insertions(+)
27
28diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
29index 04f58ee4e1..ca8088c839 100644
30--- a/hw/net/dp8393x.c
31+++ b/hw/net/dp8393x.c
32@@ -137,6 +137,7 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ## __VA_ARGS__); } while (0)
33 #define SONIC_TCR_CRCI 0x2000
34 #define SONIC_TCR_PINT 0x8000
35
36+#define SONIC_ISR_RBAE 0x0010
37 #define SONIC_ISR_RBE 0x0020
38 #define SONIC_ISR_RDE 0x0040
39 #define SONIC_ISR_TC 0x0080
40@@ -770,6 +771,14 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
41 s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
42 SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
43
44+ if (pkt_size + 4 > dp8393x_rbwc(s) * 2) {
45+ DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
46+ s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
47+ dp8393x_update_irq(s);
48+ dp8393x_do_read_rra(s);
49+ return pkt_size;
50+ }
51+
52 packet_type = dp8393x_receive_filter(s, buf, pkt_size);
53 if (packet_type < 0) {
54 DPRINTF("packet not for netcard\n");
55--
562.28.0
57
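Review bot: The new debug line `DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);` formats a `size_t` with `%d`; `pkt_size` became `size_t` in the preceding rename patch, so this should be `%zu` (harmless while DPRINTF is compiled out, but wrong under -Wformat once it is enabled). Separately, the bounds check `pkt_size + 4 > dp8393x_rbwc(s) * 2` runs before `dp8393x_receive_filter`, so frames the card would have discarded anyway still raise RBAE and consume an RRA entry through `dp8393x_do_read_rra`; if that mirrors the hardware it deserves a one-line comment, e.g. `/* RBAE is raised before address filtering, as on the real chip */`. dp8393x_receive continues outside the hunk.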
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch b/debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch
0new file mode 10064458new file mode 100644
index 0000000..9514b07
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Mask-EOL-bit-from-descriptor-addresses.patch
@@ -0,0 +1,98 @@
1From eb54a2f9cee10cf1c7832a3536a8d5980ec313e9 Mon Sep 17 00:00:00 2001
2From: Finn Thain <fthain@telegraphics.com.au>
3Date: Mon, 20 Jan 2020 09:59:21 +1100
4Subject: [PATCH] dp8393x: Mask EOL bit from descriptor addresses
5
6The Least Significant bit of a descriptor address register is used as
7an EOL flag. It has to be masked when the register value is to be used
8as an actual address for copying memory around. But when the registers
9are to be updated the EOL bit should not be masked.
10
11Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
12Tested-by: Laurent Vivier <laurent@vivier.eu>
13Signed-off-by: Jason Wang <jasowang@redhat.com>
14(cherry picked from commit 88f632fbb1b3d31d5b6978d28f8735a6ed18b8f5)
15 Conflicts:
16 hw/net/dp8393x.c
17*drop context dep. on 19f70347731
18Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
19
20Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=eb54a2f9ce
21Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
22Last-Update: 2020-08-19
23
24---
25 hw/net/dp8393x.c | 17 +++++++++++------
26 1 file changed, 11 insertions(+), 6 deletions(-)
27
28diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
29index 3d991af163..7ca6a6dd46 100644
30--- a/hw/net/dp8393x.c
31+++ b/hw/net/dp8393x.c
32@@ -145,6 +145,9 @@ do { printf("sonic ERROR: %s: " fmt, __func__ , ## __VA_ARGS__); } while (0)
33 #define SONIC_ISR_PINT 0x0800
34 #define SONIC_ISR_LCD 0x1000
35
36+#define SONIC_DESC_EOL 0x0001
37+#define SONIC_DESC_ADDR 0xFFFE
38+
39 #define TYPE_DP8393X "dp8393x"
40 #define DP8393X(obj) OBJECT_CHECK(dp8393xState, (obj), TYPE_DP8393X)
41
42@@ -197,7 +200,8 @@ static uint32_t dp8393x_crba(dp8393xState *s)
43
44 static uint32_t dp8393x_crda(dp8393xState *s)
45 {
46- return (s->regs[SONIC_URDA] << 16) | s->regs[SONIC_CRDA];
47+ return (s->regs[SONIC_URDA] << 16) |
48+ (s->regs[SONIC_CRDA] & SONIC_DESC_ADDR);
49 }
50
51 static uint32_t dp8393x_rbwc(dp8393xState *s)
52@@ -217,7 +221,8 @@ static uint32_t dp8393x_tsa(dp8393xState *s)
53
54 static uint32_t dp8393x_ttda(dp8393xState *s)
55 {
56- return (s->regs[SONIC_UTDA] << 16) | s->regs[SONIC_TTDA];
57+ return (s->regs[SONIC_UTDA] << 16) |
58+ (s->regs[SONIC_TTDA] & SONIC_DESC_ADDR);
59 }
60
61 static uint32_t dp8393x_wt(dp8393xState *s)
62@@ -507,7 +512,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
63 (4 + 3 * s->regs[SONIC_TFC]) * width,
64 MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 0);
65 s->regs[SONIC_CTDA] = dp8393x_get(s, width, 0) & ~0x1;
66- if (dp8393x_get(s, width, 0) & 0x1) {
67+ if (dp8393x_get(s, width, 0) & SONIC_DESC_EOL) {
68 /* EOL detected */
69 break;
70 }
71@@ -763,13 +768,13 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
72 /* XXX: Check byte ordering */
73
74 /* Check for EOL */
75- if (s->regs[SONIC_LLFA] & 0x1) {
76+ if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) {
77 /* Are we still in resource exhaustion? */
78 size = sizeof(uint16_t) * 1 * width;
79 address = dp8393x_crda(s) + sizeof(uint16_t) * 5 * width;
80 address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
81 (uint8_t *)s->data, size, 0);
82- if (dp8393x_get(s, width, 0) & 0x1) {
83+ if (dp8393x_get(s, width, 0) & SONIC_DESC_EOL) {
84 /* Still EOL ; stop reception */
85 return -1;
86 } else {
87@@ -827,7 +832,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
88 address_space_rw(&s->as, dp8393x_crda(s) + sizeof(uint16_t) * 5 * width,
89 MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 0);
90 s->regs[SONIC_LLFA] = dp8393x_get(s, width, 0);
91- if (s->regs[SONIC_LLFA] & 0x1) {
92+ if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) {
93 /* EOL detected */
94 s->regs[SONIC_ISR] |= SONIC_ISR_RDE;
95 } else {
96--
972.28.0
98
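Review bot: The context line directly above the first changed line in dp8393x_do_transmit_packets, `s->regs[SONIC_CTDA] = dp8393x_get(s, width, 0) & ~0x1;`, still strips the EOL bit with a literal when storing the register, which is exactly what the commit message says should not happen on register updates, and it leaves a magic `0x1` next to the new `SONIC_DESC_EOL` use. At minimum it should read `& ~SONIC_DESC_EOL`; whether the store-side mask can be dropped entirely depends on whether a CTDA read helper masks with `SONIC_DESC_ADDR` on use, which is not visible in this hunk. Both dp8393x_do_transmit_packets and dp8393x_receive extend past the hunk edges.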
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch b/debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch
0new file mode 10064499new file mode 100644
index 0000000..9eea6ff
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Pad-frames-to-word-or-long-word-boundary.patch
@@ -0,0 +1,113 @@
1From cbc8277051f76f8131f5d4c787862a16a5fa1707 Mon Sep 17 00:00:00 2001
2From: Finn Thain <fthain@telegraphics.com.au>
3Date: Wed, 29 Jan 2020 20:27:49 +1100
4Subject: [PATCH] dp8393x: Pad frames to word or long word boundary
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9The existing code has a bug where the Remaining Buffer Word Count (RBWC)
10is calculated with a truncating division, which gives the wrong result
11for odd-sized packets.
12
13Section 1.4.1 of the datasheet says,
14
15 Once the end of the packet has been reached, the serializer will
16 fill out the last word (16-bit mode) or long word (32-bit mode)
17 if the last byte did not end on a word or long word boundary
18 respectively. The fill byte will be 0FFh.
19
20Implement buffer padding so that buffer limits are correctly enforced.
21
22Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
23Tested-by: Laurent Vivier <laurent@vivier.eu>
24Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
25Signed-off-by: Jason Wang <jasowang@redhat.com>
26(cherry picked from commit 350e7d9a77d3b9ac74d240e4b232db1ebe5c05bc)
27*drop context dependencies from b7cbebf2b9d, 1ccda935d4f, and
28 19f70347731
29Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
30
31Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=cbc8277051
32Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
33Last-Update: 2020-08-19
34
35---
36 hw/net/dp8393x.c | 39 ++++++++++++++++++++++++++++-----------
37 1 file changed, 28 insertions(+), 11 deletions(-)
38
39diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
40index 40e3a029b6..0e9061d831 100644
41--- a/hw/net/dp8393x.c
42+++ b/hw/net/dp8393x.c
43@@ -766,16 +766,23 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
44 dp8393xState *s = qemu_get_nic_opaque(nc);
45 int packet_type;
46 uint32_t available, address;
47- int width, rx_len = pkt_size;
48+ int width, rx_len, padded_len;
49 uint32_t checksum;
50 int size;
51
52- width = (s->regs[SONIC_DCR] & SONIC_DCR_DW) ? 2 : 1;
53-
54 s->regs[SONIC_RCR] &= ~(SONIC_RCR_PRX | SONIC_RCR_LBK | SONIC_RCR_FAER |
55 SONIC_RCR_CRCR | SONIC_RCR_LPKT | SONIC_RCR_BC | SONIC_RCR_MC);
56
57- if (pkt_size + 4 > dp8393x_rbwc(s) * 2) {
58+ rx_len = pkt_size + sizeof(checksum);
59+ if (s->regs[SONIC_DCR] & SONIC_DCR_DW) {
60+ width = 2;
61+ padded_len = ((rx_len - 1) | 3) + 1;
62+ } else {
63+ width = 1;
64+ padded_len = ((rx_len - 1) | 1) + 1;
65+ }
66+
67+ if (padded_len > dp8393x_rbwc(s) * 2) {
68 DPRINTF("oversize packet, pkt_size is %d\n", pkt_size);
69 s->regs[SONIC_ISR] |= SONIC_ISR_RBAE;
70 dp8393x_update_irq(s);
71@@ -810,22 +817,32 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
72 s->regs[SONIC_TRBA0] = s->regs[SONIC_CRBA0];
73
74 /* Calculate the ethernet checksum */
75- checksum = cpu_to_le32(crc32(0, buf, rx_len));
76+ checksum = cpu_to_le32(crc32(0, buf, pkt_size));
77
78 /* Put packet into RBA */
79 DPRINTF("Receive packet at %08x\n", dp8393x_crba(s));
80 address = dp8393x_crba(s);
81 address_space_rw(&s->as, address,
82- MEMTXATTRS_UNSPECIFIED, (uint8_t *)buf, rx_len, 1);
83- address += rx_len;
84+ MEMTXATTRS_UNSPECIFIED, (uint8_t *)buf, pkt_size, 1);
85+ address += pkt_size;
86+
87+ /* Put frame checksum into RBA */
88 address_space_rw(&s->as, address,
89- MEMTXATTRS_UNSPECIFIED, (uint8_t *)&checksum, 4, 1);
90- address += 4;
91- rx_len += 4;
92+ MEMTXATTRS_UNSPECIFIED, (uint8_t *)&checksum, sizeof(checksum), 1);
93+ address += sizeof(checksum);
94+
95+ /* Pad short packets to keep pointers aligned */
96+ if (rx_len < padded_len) {
97+ size = padded_len - rx_len;
98+ address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
99+ (uint8_t *)"\xFF\xFF\xFF", size, 1);
100+ address += size;
101+ }
102+
103 s->regs[SONIC_CRBA1] = address >> 16;
104 s->regs[SONIC_CRBA0] = address & 0xffff;
105 available = dp8393x_rbwc(s);
106- available -= rx_len / 2;
107+ available -= padded_len >> 1;
108 s->regs[SONIC_RBWC1] = available >> 16;
109 s->regs[SONIC_RBWC0] = available & 0xffff;
110
111--
1122.28.0
113
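Review bot: `rx_len = pkt_size + sizeof(checksum);` silently narrows the `size_t` frame length into an `int`, and `padded_len` inherits that type, so the comparison `padded_len > dp8393x_rbwc(s) * 2` on the next lines is then signed-vs-unsigned; a frame above INT_MAX cannot realistically come from the net layer, but declaring `rx_len` and `padded_len` as `size_t` (or `uint32_t`, matching `dp8393x_rbwc`) would keep the arithmetic in one domain. The comment `/* Pad short packets to keep pointers aligned */` is also misleading, since the padding applies to frames whose length is not a multiple of the bus width rather than to short frames; suggest `/* Pad to a word/long-word boundary so the buffer pointer stays aligned */`. dp8393x_receive continues past the hunk edges.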
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch b/debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch
0new file mode 100644114new file mode 100644
index 0000000..d150124
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Update-LLFA-and-CRDA-registers-from-rx-descr.patch
@@ -0,0 +1,75 @@
1From edd67a61f499982bcc2098962c8e04c5210f2f80 Mon Sep 17 00:00:00 2001
2From: Finn Thain <fthain@telegraphics.com.au>
3Date: Wed, 29 Jan 2020 20:27:49 +1100
4Subject: [PATCH] dp8393x: Update LLFA and CRDA registers from rx descriptor
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Follow the algorithm given in the National Semiconductor DP83932C
10datasheet in section 3.4.7:
11
12 At the next reception, the SONIC re-reads the last RXpkt.link field,
13 and updates its CRDA register to point to the next descriptor.
14
15The chip is designed to allow the host to provide a new list of
16descriptors in this way.
17
18Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
19Tested-by: Laurent Vivier <laurent@vivier.eu>
20Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
21Signed-off-by: Jason Wang <jasowang@redhat.com>
22(cherry picked from commit 5b0c98fcb7ac006bd8efe0e0fecba52c43a9d028)
23*drop context dep on 19f70347731
24Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
25
26Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=edd67a61f4
27Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
28Last-Update: 2020-08-19
29
30---
31 hw/net/dp8393x.c | 11 +++++++----
32 1 file changed, 7 insertions(+), 4 deletions(-)
33
34diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
35index a696485a55..8dd6bf032c 100644
36--- a/hw/net/dp8393x.c
37+++ b/hw/net/dp8393x.c
38@@ -784,12 +784,13 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
39 address = dp8393x_crda(s) + sizeof(uint16_t) * 5 * width;
40 address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
41 (uint8_t *)s->data, size, 0);
42- if (dp8393x_get(s, width, 0) & SONIC_DESC_EOL) {
43+ s->regs[SONIC_LLFA] = dp8393x_get(s, width, 0);
44+ if (s->regs[SONIC_LLFA] & SONIC_DESC_EOL) {
45 /* Still EOL ; stop reception */
46 return -1;
47- } else {
48- s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
49 }
50+ /* Link has been updated by host */
51+ s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
52 }
53
54 /* Save current position */
55@@ -837,7 +838,7 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
56 address_space_rw(&s->as, dp8393x_crda(s),
57 MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 1);
58
59- /* Move to next descriptor */
60+ /* Check link field */
61 size = sizeof(uint16_t) * width;
62 address_space_rw(&s->as, dp8393x_crda(s) + sizeof(uint16_t) * 5 * width,
63 MEMTXATTRS_UNSPECIFIED, (uint8_t *)s->data, size, 0);
64@@ -852,6 +853,8 @@ static ssize_t dp8393x_receive(NetClientState *nc, const uint8_t * buf,
65 dp8393x_put(s, width, 0, 0);
66 address_space_rw(&s->as, address, MEMTXATTRS_UNSPECIFIED,
67 (uint8_t *)s->data, size, true);
68+
69+ /* Move to next descriptor */
70 s->regs[SONIC_CRDA] = s->regs[SONIC_LLFA];
71 s->regs[SONIC_ISR] |= SONIC_ISR_PKTRX;
72 s->regs[SONIC_RSC] = (s->regs[SONIC_RSC] & 0xff00) | (((s->regs[SONIC_RSC] & 0x00ff) + 1) & 0x00ff);
73--
742.28.0
75
diff --git a/debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch b/debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch
0new file mode 10064476new file mode 100644
index 0000000..6026297
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dp8393x-Use-long-word-aligned-RRA-pointers-in-32-bit.patch
@@ -0,0 +1,60 @@
1From e7cad754fd0bf00c671a1509acc2981f11736ee8 Mon Sep 17 00:00:00 2001
2From: Finn Thain <fthain@telegraphics.com.au>
3Date: Wed, 29 Jan 2020 20:27:49 +1100
4Subject: [PATCH] dp8393x: Use long-word-aligned RRA pointers in 32-bit mode
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Section 3.4.1 of the datasheet says,
10
11 The alignment of the RRA is confined to either word or long word
12 boundaries, depending upon the data width mode. In 16-bit mode,
13 the RRA must be aligned to a word boundary (A0 is always zero)
14 and in 32-bit mode, the RRA is aligned to a long word boundary
15 (A0 and A1 are always zero).
16
17This constraint has been implemented for 16-bit mode; implement it
18for 32-bit mode too.
19
20Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
21Tested-by: Laurent Vivier <laurent@vivier.eu>
22Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
23Signed-off-by: Jason Wang <jasowang@redhat.com>
24(cherry picked from commit ea2270279bc2e1635cb6e909e22e17e630198773)
25Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
26
27Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=e7cad754fd
28Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
29Last-Update: 2020-08-19
30
31---
32 hw/net/dp8393x.c | 8 ++++++--
33 1 file changed, 6 insertions(+), 2 deletions(-)
34
35diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
36index 315b4ad844..40e3a029b6 100644
37--- a/hw/net/dp8393x.c
38+++ b/hw/net/dp8393x.c
39@@ -663,12 +663,16 @@ static void dp8393x_write(void *opaque, hwaddr addr, uint64_t data,
40 qemu_flush_queued_packets(qemu_get_queue(s->nic));
41 }
42 break;
43- /* Ignore least significant bit */
44+ /* The guest is required to store aligned pointers here */
45 case SONIC_RSA:
46 case SONIC_REA:
47 case SONIC_RRP:
48 case SONIC_RWP:
49- s->regs[reg] = val & 0xfffe;
50+ if (s->regs[SONIC_DCR] & SONIC_DCR_DW) {
51+ s->regs[reg] = val & 0xfffc;
52+ } else {
53+ s->regs[reg] = val & 0xfffe;
54+ }
55 break;
56 /* Invert written value for some registers */
57 case SONIC_CRCT:
58--
592.28.0
60
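Review bot: The alignment applied on writes to SONIC_RSA/REA/RRP/RWP depends on the value of `SONIC_DCR_DW` at the moment of the write; if a guest programs these registers before switching DCR to 32-bit mode, the stored pointer is only word-aligned and the long-word constraint the new comment describes is not enforced. Whether the datasheet allows that ordering I can't tell from here; if it does not, the read-side helpers (dp8393x_crba and friends, outside this hunk) should mask on use, or the DCR write path should re-align the four registers. The masks `0xfffc`/`0xfffe` would also read better as named constants next to `SONIC_DESC_ADDR`, e.g. `#define SONIC_RRA_ADDR_DW 0xfffc`. dp8393x_write starts and ends outside the hunk.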
diff --git a/debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch b/debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch
0new file mode 10064461new file mode 100644
index 0000000..41bf056
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-dump-Fix-writing-of-ELF-section.patch
@@ -0,0 +1,51 @@
1From 25fcaed9a366314c21793e14624c89db75224b50 Mon Sep 17 00:00:00 2001
2From: Peter Maydell <peter.maydell@linaro.org>
3Date: Tue, 24 Mar 2020 17:36:30 +0000
4Subject: [PATCH] dump: Fix writing of ELF section
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9In write_elf_section() we set the 'shdr' pointer to point to local
10structures shdr32 or shdr64, which we fill in to be written out to
11the ELF dump. Unfortunately the address we pass to fd_write_vmcore()
12has a spurious '&' operator, so instead of writing out the section
13header we write out the literal pointer value followed by whatever is
14on the stack after the 'shdr' local variable.
15
16Pass the correct address into fd_write_vmcore().
17
18Spotted by Coverity: CID 1421970.
19
20Cc: qemu-stable@nongnu.org
21Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
22Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
23Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
24Message-id: 20200324173630.12221-1-peter.maydell@linaro.org
25(cherry picked from commit 174d2d6856bf435f4f58e9303ba30dd0e1279d3f)
26Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
27
28Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=25fcaed9a3
29Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
30Last-Update: 2020-08-19
31
32---
33 dump/dump.c | 2 +-
34 1 file changed, 1 insertion(+), 1 deletion(-)
35
36diff --git a/dump/dump.c b/dump/dump.c
37index 6fb6e1245a..22ed1d3b0d 100644
38--- a/dump/dump.c
39+++ b/dump/dump.c
40@@ -364,7 +364,7 @@ static void write_elf_section(DumpState *s, int type, Error **errp)
41 shdr = &shdr64;
42 }
43
44- ret = fd_write_vmcore(&shdr, shdr_size, s);
45+ ret = fd_write_vmcore(shdr, shdr_size, s);
46 if (ret < 0) {
47 error_setg_errno(errp, -ret,
48 "dump: failed to write section header table");
49--
502.28.0
51
diff --git a/debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch b/debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch
0new file mode 10064452new file mode 100644
index 0000000..1193bf2
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-hmp-vnc-Fix-info-vnc-list-leak.patch
@@ -0,0 +1,54 @@
1From 674d3822250a8830fb8e9720ce499f2e8cef6a88 Mon Sep 17 00:00:00 2001
2From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
3Date: Mon, 23 Mar 2020 12:08:22 +0000
4Subject: [PATCH] hmp/vnc: Fix info vnc list leak
5
6We're iterating the list, and then freeing the iteration pointer rather
7than the list head.
8
9Fixes: 0a9667ecdb6d ("hmp: Update info vnc")
10Reported-by: Coverity (CID 1421932)
11Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
12Message-Id: <20200323120822.51266-1-dgilbert@redhat.com>
13Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
14Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
15(cherry picked from commit d4ff109373ce871928c7e9ef648973eba642b484)
16Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
17
18Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=674d382225
19Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
20Last-Update: 2020-08-19
21
22---
23 monitor/hmp-cmds.c | 5 +++--
24 1 file changed, 3 insertions(+), 2 deletions(-)
25
26diff --git a/monitor/hmp-cmds.c b/monitor/hmp-cmds.c
27index b2551c16d1..2fdc84ec99 100644
28--- a/monitor/hmp-cmds.c
29+++ b/monitor/hmp-cmds.c
30@@ -729,10 +729,11 @@ static void hmp_info_vnc_servers(Monitor *mon, VncServerInfo2List *server)
31
32 void hmp_info_vnc(Monitor *mon, const QDict *qdict)
33 {
34- VncInfo2List *info2l;
35+ VncInfo2List *info2l, *info2l_head;
36 Error *err = NULL;
37
38 info2l = qmp_query_vnc_servers(&err);
39+ info2l_head = info2l;
40 if (err) {
41 hmp_handle_error(mon, &err);
42 return;
43@@ -761,7 +762,7 @@ void hmp_info_vnc(Monitor *mon, const QDict *qdict)
44 info2l = info2l->next;
45 }
46
47- qapi_free_VncInfo2List(info2l);
48+ qapi_free_VncInfo2List(info2l_head);
49
50 }
51 #endif
52--
532.28.0
54
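Review bot: Introducing a second pointer `info2l_head` only so the cursor can keep walking `info2l` fixes the leak but leaves the head/cursor roles easy to confuse again; the cleaner form keeps `info2l` as the head and iterates with its own cursor, `for (VncInfo2List *it = info2l; it; it = it->next)` in place of the `info2l = info2l->next;` walk, so `qapi_free_VncInfo2List(info2l)` stays as it was. The loop body lies between the two hunks, so that change touches lines not shown here. Note also that `info2l_head = info2l;` is assigned before the `if (err)` return, which is only safe if `qmp_query_vnc_servers` returns NULL on error; that is the usual QMP contract but is not visible in this diff.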
diff --git a/debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch b/debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch
0new file mode 10064455new file mode 100644
index 0000000..27298fa
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-hostmem-don-t-use-mbind-if-host-nodes-is-empty.patch
@@ -0,0 +1,61 @@
1From 34c78a4100c967cc385fcfd4c2295b2b0ebd8786 Mon Sep 17 00:00:00 2001
2From: Igor Mammedov <imammedo@redhat.com>
3Date: Thu, 30 Apr 2020 11:46:06 -0400
4Subject: [PATCH] hostmem: don't use mbind() if host-nodes is empty
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Since 5.0 QEMU uses hostmem backend for allocating main guest RAM.
10The backend however calls mbind() which is typically NOP
11in case of default policy/absent host-nodes bitmap.
12However when runing in container with black-listed mbind()
13syscall, QEMU fails to start with error
14 "cannot bind memory to host NUMA nodes: Operation not permitted"
15even when user hasn't provided host-nodes to pin to explictly
16(which is the case with -m option)
17
18To fix issue, call mbind() only in case when user has provided
19host-nodes explicitly (i.e. host_nodes bitmap is not empty).
20That should allow to run QEMU in containers with black-listed
21mbind() without memory pinning. If QEMU provided memory-pinning
22is required user still has to white-list mbind() in container
23configuration.
24
25Reported-by: Manuel Hohmann <mhohmann@physnet.uni-hamburg.de>
26Signed-off-by: Igor Mammedov <imammedo@redhat.com>
27Message-Id: <20200430154606.6421-1-imammedo@redhat.com>
28Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
29Cc: qemu-stable@nongnu.org
30Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
31(cherry picked from commit 70b6d525dfb51d5e523d568d1139fc051bc223c5)
32Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
33
34Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=34c78a4100
35Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
36Last-Update: 2020-08-19
37
38---
39 backends/hostmem.c | 6 ++++--
40 1 file changed, 4 insertions(+), 2 deletions(-)
41
42diff --git a/backends/hostmem.c b/backends/hostmem.c
43index e773bdfa6e..21b1993e49 100644
44--- a/backends/hostmem.c
45+++ b/backends/hostmem.c
46@@ -363,8 +363,10 @@ host_memory_backend_memory_complete(UserCreatable *uc, Error **errp)
47 assert(sizeof(backend->host_nodes) >=
48 BITS_TO_LONGS(MAX_NODES + 1) * sizeof(unsigned long));
49 assert(maxnode <= MAX_NODES);
50- if (mbind(ptr, sz, backend->policy,
51- maxnode ? backend->host_nodes : NULL, maxnode + 1, flags)) {
52+
53+ if (maxnode &&
54+ mbind(ptr, sz, backend->policy, backend->host_nodes, maxnode + 1,
55+ flags)) {
56 if (backend->policy != MPOL_DEFAULT || errno != ENOSYS) {
57 error_setg_errno(errp, errno,
58 "cannot bind memory to host NUMA nodes");
59--
602.28.0
61
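Review bot: Gating the call on `maxnode` changes behaviour for a backend configured with a non-default `policy` but an empty `host-nodes`: the old code still called `mbind()` with a NULL nodemask and reported any failure, whereas the new code skips `mbind()` entirely, so a `policy=bind` or `policy=interleave` request with no nodes is now silently ignored instead of being rejected. Unless that combination is already refused when the properties are set (not visible here), the branch should fail loudly, e.g. `if (!maxnode && backend->policy != MPOL_DEFAULT && backend->policy != MPOL_PREFERRED) { error_setg(errp, "host-nodes must be set for this policy"); return; }` placed before the `if (maxnode && mbind(...))` check. MPOL_PREFERRED with an empty mask is a valid "local" policy, so it should stay exempt. host_memory_backend_memory_complete starts and ends outside the hunk.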
diff --git a/debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch b/debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch
0new file mode 10064462new file mode 100644
index 0000000..7690bd7
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-hw-arm-cubieboard-use-ARM-Cortex-A8-as-the-default-C.patch
@@ -0,0 +1,59 @@
1From 9dd68ac26b5a413dc948efe9bbf414702bc200da Mon Sep 17 00:00:00 2001
2From: Niek Linnenbank <nieklinnenbank@gmail.com>
3Date: Thu, 5 Mar 2020 16:09:19 +0000
4Subject: [PATCH] hw/arm/cubieboard: use ARM Cortex-A8 as the default CPU in
5 machine definition
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10The Cubieboard is a singleboard computer with an Allwinner A10 System-on-Chip [1].
11As documented in the Allwinner A10 User Manual V1.5 [2], the SoC has an ARM
12Cortex-A8 processor. Currently the Cubieboard machine definition specifies the
13ARM Cortex-A9 in its description and as the default CPU.
14
15This patch corrects the Cubieboard machine definition to use the ARM Cortex-A8.
16
17The only user-visible effect is that our textual description of the
18machine was wrong, because hw/arm/allwinner-a10.c always creates a
19Cortex-A8 CPU regardless of the default value in the MachineClass struct.
20
21 [1] http://docs.cubieboard.org/products/start#cubieboard1
22 [2] https://linux-sunxi.org/File:Allwinner_A10_User_manual_V1.5.pdf
23
24Fixes: 8a863c8120994981a099
25Signed-off-by: Niek Linnenbank <nieklinnenbank@gmail.com>
26Message-id: 20200227220149.6845-2-nieklinnenbank@gmail.com
27Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
28Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
29[note in commit message that the bug didn't have much visible effect]
30Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
31(cherry picked from commit 2104df2a1fbf44b2564427aa72fd58d66ce290a7)
32Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
33
34Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=9dd68ac26b
35Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
36Last-Update: 2020-08-19
37
38---
39 hw/arm/cubieboard.c | 4 ++--
40 1 file changed, 2 insertions(+), 2 deletions(-)
41
42diff --git a/hw/arm/cubieboard.c b/hw/arm/cubieboard.c
43index 6dc2f1d6b6..d8e8919e79 100644
44--- a/hw/arm/cubieboard.c
45+++ b/hw/arm/cubieboard.c
46@@ -78,8 +78,8 @@ static void cubieboard_init(MachineState *machine)
47
48 static void cubieboard_machine_init(MachineClass *mc)
49 {
50- mc->desc = "cubietech cubieboard (Cortex-A9)";
51- mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a9");
52+ mc->desc = "cubietech cubieboard (Cortex-A8)";
53+ mc->default_cpu_type = ARM_CPU_TYPE_NAME("cortex-a8");
54 mc->init = cubieboard_init;
55 mc->block_default_type = IF_IDE;
56 mc->units_per_default_bus = 1;
57--
582.28.0
59
diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch
0new file mode 10064460new file mode 100644
index 0000000..eb50555
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Align-stream-table-base-address-to-tab.patch
@@ -0,0 +1,83 @@
1From 65fad28d85f137edd895ac90a83b42bb36aad481 Mon Sep 17 00:00:00 2001
2From: Simon Veith <sveith@amazon.de>
3Date: Fri, 20 Dec 2019 14:03:00 +0000
4Subject: [PATCH] hw/arm/smmuv3: Align stream table base address to table size
5
6Per the specification, and as observed in hardware, the SMMUv3 aligns
7the SMMU_STRTAB_BASE address to the size of the table by masking out the
8respective least significant bits in the ADDR field.
9
10Apply this masking logic to our smmu_find_ste() lookup function per the
11specification.
12
13ref. ARM IHI 0070C, section 6.3.23.
14
15Signed-off-by: Simon Veith <sveith@amazon.de>
16Acked-by: Eric Auger <eric.auger@redhat.com>
17Tested-by: Eric Auger <eric.auger@redhat.com>
18Message-id: 1576509312-13083-5-git-send-email-sveith@amazon.de
19Cc: Eric Auger <eric.auger@redhat.com>
20Cc: qemu-devel@nongnu.org
21Cc: qemu-arm@nongnu.org
22Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
23Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
24(cherry picked from commit 41678c33aac61261522b74f08595ccf2221a430a)
25Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
26
27Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=65fad28d85
28Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
29Last-Update: 2020-08-19
30
31---
32 hw/arm/smmuv3.c | 18 ++++++++++++++----
33 1 file changed, 14 insertions(+), 4 deletions(-)
34
35diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
36index 727558bcfa..31ac3ca32e 100644
37--- a/hw/arm/smmuv3.c
38+++ b/hw/arm/smmuv3.c
39@@ -376,8 +376,9 @@ bad_ste:
40 static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
41 SMMUEventInfo *event)
42 {
43- dma_addr_t addr;
44+ dma_addr_t addr, strtab_base;
45 uint32_t log2size;
46+ int strtab_size_shift;
47 int ret;
48
49 trace_smmuv3_find_ste(sid, s->features, s->sid_split);
50@@ -391,10 +392,16 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
51 }
52 if (s->features & SMMU_FEATURE_2LVL_STE) {
53 int l1_ste_offset, l2_ste_offset, max_l2_ste, span;
54- dma_addr_t strtab_base, l1ptr, l2ptr;
55+ dma_addr_t l1ptr, l2ptr;
56 STEDesc l1std;
57
58- strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK;
59+ /*
60+ * Align strtab base address to table size. For this purpose, assume it
61+ * is not bounded by SMMU_IDR1_SIDSIZE.
62+ */
63+ strtab_size_shift = MAX(5, (int)log2size - s->sid_split - 1 + 3);
64+ strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK &
65+ ~MAKE_64BIT_MASK(0, strtab_size_shift);
66 l1_ste_offset = sid >> s->sid_split;
67 l2_ste_offset = sid & ((1 << s->sid_split) - 1);
68 l1ptr = (dma_addr_t)(strtab_base + l1_ste_offset * sizeof(l1std));
69@@ -433,7 +440,10 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
70 }
71 addr = l2ptr + l2_ste_offset * sizeof(*ste);
72 } else {
73- addr = (s->strtab_base & SMMU_BASE_ADDR_MASK) + sid * sizeof(*ste);
74+ strtab_size_shift = log2size + 5;
75+ strtab_base = s->strtab_base & SMMU_BASE_ADDR_MASK &
76+ ~MAKE_64BIT_MASK(0, strtab_size_shift);
77+ addr = strtab_base + sid * sizeof(*ste);
78 }
79
80 if (smmu_get_ste(s, addr, ste, event)) {
81--
822.28.0
83
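Review bot: `strtab_size_shift` is derived from guest-programmed fields (`log2size` from STRTAB_BASE_CFG and `s->sid_split`) and is fed straight into `MAKE_64BIT_MASK(0, strtab_size_shift)` in both branches; if `log2size` is not clamped above this point (that part of smmu_find_ste is outside the hunk), a shift of 64 or more is undefined behaviour inside that macro. The commit message explicitly assumes the value is not bounded by SMMU_IDR1_SIDSIZE, so the assumption should be made visible in the code, either with a comment such as `/* log2size is clamped to SMMU_IDR1_SIDSIZE above, so the shift is < 64 */` or with an explicit `strtab_size_shift = MIN(strtab_size_shift, 63);` before the mask. The mixed `(int)log2size - s->sid_split - 1 + 3` arithmetic would also be clearer written as `(int)log2size - s->sid_split + 2`.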
diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch
0new file mode 10064484new file mode 100644
index 0000000..c88cb54
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Apply-address-mask-to-linear-strtab-ba.patch
@@ -0,0 +1,59 @@
1From e8ae3a4e2bb72ae636ecbf201b0f74d4bf7d5aeb Mon Sep 17 00:00:00 2001
2From: Simon Veith <sveith@amazon.de>
3Date: Fri, 20 Dec 2019 14:03:00 +0000
4Subject: [PATCH] hw/arm/smmuv3: Apply address mask to linear strtab base
5 address
6
7In the SMMU_STRTAB_BASE register, the stream table base address only
8occupies bits [51:6]. Other bits, such as RA (bit [62]), must be masked
9out to obtain the base address.
10
11The branch for 2-level stream tables correctly applies this mask by way
12of SMMU_BASE_ADDR_MASK, but the one for linear stream tables does not.
13
14Apply the missing mask in that case as well so that the correct stream
15base address is used by guests which configure a linear stream table.
16
17Linux guests are unaffected by this change because they choose a 2-level
18stream table layout for the QEMU SMMUv3, based on the size of its stream
19ID space.
20
21ref. ARM IHI 0070C, section 6.3.23.
22
23Signed-off-by: Simon Veith <sveith@amazon.de>
24Acked-by: Eric Auger <eric.auger@redhat.com>
25Tested-by: Eric Auger <eric.auger@redhat.com>
26Message-id: 1576509312-13083-2-git-send-email-sveith@amazon.de
27Cc: Eric Auger <eric.auger@redhat.com>
28Cc: qemu-devel@nongnu.org
29Cc: qemu-arm@nongnu.org
30Acked-by: Eric Auger <eric.auger@redhat.com>
31Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
32Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
33(cherry picked from commit 3d44c60500785f18bb469c9de0aeba7415c0f28f)
34Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
35
36Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=e8ae3a4e2b
37Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
38Last-Update: 2020-08-19
39
40---
41 hw/arm/smmuv3.c | 2 +-
42 1 file changed, 1 insertion(+), 1 deletion(-)
43
44diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
45index e2fbb8357e..eef9a18d70 100644
46--- a/hw/arm/smmuv3.c
47+++ b/hw/arm/smmuv3.c
48@@ -429,7 +429,7 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
49 }
50 addr = l2ptr + l2_ste_offset * sizeof(*ste);
51 } else {
52- addr = s->strtab_base + sid * sizeof(*ste);
53+ addr = (s->strtab_base & SMMU_BASE_ADDR_MASK) + sid * sizeof(*ste);
54 }
55
56 if (smmu_get_ste(s, addr, ste, event)) {
57--
582.28.0
59
diff --git a/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch
0new file mode 10064460new file mode 100644
index 0000000..90f85c4
--- /dev/null
+++ b/debian/patches/stable/lp-1891877-hw-arm-smmuv3-Check-stream-IDs-against-actual-table-.patch
@@ -0,0 +1,63 @@
1From 256ecc06eb534e7d851fcdf667132a8721b5ad61 Mon Sep 17 00:00:00 2001
2From: Simon Veith <sveith@amazon.de>
3Date: Fri, 20 Dec 2019 14:03:00 +0000
4Subject: [PATCH] hw/arm/smmuv3: Check stream IDs against actual table LOG2SIZE
5
6When checking whether a stream ID is in range of the stream table, we
7have so far been only checking it against our implementation limit
8(SMMU_IDR1_SIDSIZE). However, the guest can program the
9STRTAB_BASE_CFG.LOG2SIZE field to a size that is smaller than this
10limit.
11
12Check the stream ID against this limit as well to match the hardware
13behavior of raising C_BAD_STREAMID events in case the limit is exceeded.
14Also, ensure that we do not go one entry beyond the end of the table by
15checking that its index is strictly smaller than the table size.
16
17ref. ARM IHI 0070C, section 6.3.24.
18
19Signed-off-by: Simon Veith <sveith@amazon.de>
20Acked-by: Eric Auger <eric.auger@redhat.com>
21Tested-by: Eric Auger <eric.auger@redhat.com>
22Message-id: 1576509312-13083-4-git-send-email-sveith@amazon.de
23Cc: Eric Auger <eric.auger@redhat.com>
24Cc: qemu-devel@nongnu.org
25Cc: qemu-arm@nongnu.org
26Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
27Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
28(cherry picked from commit 05ff2fb80ce4ca85d8a39d48ff8156de739b4f51)
29Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
30
31Origin: upstream, https://git.qemu.org/?p=qemu.git;a=commit;h=256ecc06eb
32Bug-Ubuntu: https://bugs.launchpad.net/bugs/1891877
33Last-Update: 2020-08-19
34
35---
36 hw/arm/smmuv3.c | 8 ++++++--
37 1 file changed, 6 insertions(+), 2 deletions(-)
38
39diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
40index eef9a18d70..727558bcfa 100644
41--- a/hw/arm/smmuv3.c
42+++ b/hw/arm/smmuv3.c
43@@ -377,11 +377,15 @@ static int smmu_find_ste(SMMUv3State *s, uint32_t sid, STE *ste,
44 SMMUEventInfo *event)
45 {
46 dma_addr_t addr;
47+ uint32_t log2size;
48 int ret;
49
50 trace_smmuv3_find_ste(sid, s->features, s->sid_split);
51- /* Check SID range */
52- if (sid > (1 << SMMU_IDR1_SIDSIZE)) {
53+ log2size = FIELD_EX32(s->strtab_base_cfg, STRTAB_BASE_CFG, LOG2SIZE);
54+ /*
55+ * Check SID range against both guest-configured and implementation limits
56+ */
57+ if (sid >= (1 << MIN(log2size, SMMU_IDR1_SIDSIZE))) {
58 event->type = SMMU_EVT_C_BAD_STREAMID;
59 return -EINVAL;
60 }
61--
62