No commits in common. "42c03e86315fb2e09a541179365b86047e039eed" and "db293008eeaf65057481eb15d73602232efd9df0" have entirely different histories.
42c03e8631
...
db293008ee
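--- a/Makefile
+++ b/Makefile
@@ -58,7 +58,7 @@ $(BUILDDIR): submodule
 deb kvm: $(DEBS)
 $(DEB_DBG): $(DEB)
 $(DEB): $(BUILDDIR)
-cd $(BUILDDIR); dpkg-buildpackage -b -us -uc -j32
+cd $(BUILDDIR); dpkg-buildpackage -b -us -uc
 lintian $(DEBS)
 
 sbuild: $(DSC)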
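Review bot: The recipe on the new side still chains the two commands with `;`, so if `cd $(BUILDDIR)` fails (missing or half-built directory) dpkg-buildpackage runs in the repository root instead of aborting; change the line to `cd $(BUILDDIR) && dpkg-buildpackage -b -us -uc`. The `$(DEB)` rule's remaining recipe line (`lintian $(DEBS)`) is unaffected since it is a separate shell invocation. Nothing else in the hunk changes the target's behaviour, as far as the visible context shows.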
@ -1,34 +1,3 @@
|
||||||
pve-qemu-kvm (9.0.0-2+vitastor1) bookworm; urgency=medium
|
|
||||||
|
|
||||||
* Add Vitastor support
|
|
||||||
|
|
||||||
-- Vitaliy Filippov <vitalif@yourcmc.ru> Mon, 20 May 2024 19:53:28 +0300
|
|
||||||
|
|
||||||
pve-qemu-kvm (9.0.0-2) bookworm; urgency=medium
|
|
||||||
|
|
||||||
* fix #5409: backup: fix copy-before-write timeout
|
|
||||||
|
|
||||||
* backup: improve error when copy-before-write fails for fleecing
|
|
||||||
|
|
||||||
* fix forwards and backwards migration with VirtIO-GPU display
|
|
||||||
|
|
||||||
* fix a regression in pflash device introduced in 8.2
|
|
||||||
|
|
||||||
* revert a commit for VirtIO PCI devices that turned out to cause more
|
|
||||||
potential security issues than what it fixed
|
|
||||||
|
|
||||||
* move compatibility flags for a new VirtIO-net feature to the correct
|
|
||||||
machine type. The feature was introduced in QEMU 8.2, but the
|
|
||||||
compatibility flags got added to machine version 8.0 instead of 8.1. This
|
|
||||||
breaks backwards migration with machine version 8.1 from a 8.2/9.0 binary
|
|
||||||
to an 8.1 binary, in cases where the guest kernel enables the feature
|
|
||||||
(e.g. Ubuntu 23.10).
|
|
||||||
While that breaks migration with machine version 8.1 from an unpatched to
|
|
||||||
a patched binary, Proxmox VE only ever had 8.2 on the test repository and
|
|
||||||
9.0 not yet in any public repository.
|
|
||||||
|
|
||||||
-- Proxmox Support Team <support@proxmox.com> Fri, 17 May 2024 17:04:52 +0200
|
|
||||||
|
|
||||||
pve-qemu-kvm (9.0.0-1) bookworm; urgency=medium
|
pve-qemu-kvm (9.0.0-1) bookworm; urgency=medium
|
||||||
|
|
||||||
* update submodule and patches to QEMU 9.0.0
|
* update submodule and patches to QEMU 9.0.0
|
||||||
|
|
|
@ -59,7 +59,6 @@ Depends: ceph-common (>= 0.48),
|
||||||
libspice-server1 (>= 0.14.0~),
|
libspice-server1 (>= 0.14.0~),
|
||||||
libusb-1.0-0 (>= 1.0.17-1),
|
libusb-1.0-0 (>= 1.0.17-1),
|
||||||
libusbredirparser1 (>= 0.6-2),
|
libusbredirparser1 (>= 0.6-2),
|
||||||
vitastor-client (>= 0.9.4),
|
|
||||||
libuuid1,
|
libuuid1,
|
||||||
${misc:Depends},
|
${misc:Depends},
|
||||||
${shlibs:Depends},
|
${shlibs:Depends},
|
||||||
|
|
|
@ -1,98 +0,0 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
|
|
||||||
Date: Thu, 16 May 2024 12:40:22 +0400
|
|
||||||
Subject: [PATCH] virtio-gpu: fix v2 migration
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Commit dfcf74fa ("virtio-gpu: fix scanout migration post-load") broke
|
|
||||||
forward/backward version migration. Versioning of nested VMSD structures
|
|
||||||
is not straightforward, as the wire format doesn't have nested
|
|
||||||
structures versions. Introduce x-scanout-vmstate-version and a field
|
|
||||||
test to save/load appropriately according to the machine version.
|
|
||||||
|
|
||||||
Fixes: dfcf74fa ("virtio-gpu: fix scanout migration post-load")
|
|
||||||
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
|
||||||
Signed-off-by: Peter Xu <peterx@redhat.com>
|
|
||||||
---
|
|
||||||
hw/core/machine.c | 1 +
|
|
||||||
hw/display/virtio-gpu.c | 24 ++++++++++++++++--------
|
|
||||||
include/hw/virtio/virtio-gpu.h | 1 +
|
|
||||||
3 files changed, 18 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/core/machine.c b/hw/core/machine.c
|
|
||||||
index 37ede0e7d4..d33a37a6f6 100644
|
|
||||||
--- a/hw/core/machine.c
|
|
||||||
+++ b/hw/core/machine.c
|
|
||||||
@@ -37,6 +37,7 @@ GlobalProperty hw_compat_8_2[] = {
|
|
||||||
{ "migration", "zero-page-detection", "legacy"},
|
|
||||||
{ TYPE_VIRTIO_IOMMU_PCI, "granule", "4k" },
|
|
||||||
{ TYPE_VIRTIO_IOMMU_PCI, "aw-bits", "64" },
|
|
||||||
+ { "virtio-gpu-device", "x-scanout-vmstate-version", "1" },
|
|
||||||
};
|
|
||||||
const size_t hw_compat_8_2_len = G_N_ELEMENTS(hw_compat_8_2);
|
|
||||||
|
|
||||||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
|
||||||
index ae831b6b3e..85323daf99 100644
|
|
||||||
--- a/hw/display/virtio-gpu.c
|
|
||||||
+++ b/hw/display/virtio-gpu.c
|
|
||||||
@@ -1166,10 +1166,17 @@ static void virtio_gpu_cursor_bh(void *opaque)
|
|
||||||
virtio_gpu_handle_cursor(&g->parent_obj.parent_obj, g->cursor_vq);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static bool scanout_vmstate_after_v2(void *opaque, int version)
|
|
||||||
+{
|
|
||||||
+ struct VirtIOGPUBase *base = container_of(opaque, VirtIOGPUBase, scanout);
|
|
||||||
+ struct VirtIOGPU *gpu = container_of(base, VirtIOGPU, parent_obj);
|
|
||||||
+
|
|
||||||
+ return gpu->scanout_vmstate_version >= 2;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static const VMStateDescription vmstate_virtio_gpu_scanout = {
|
|
||||||
.name = "virtio-gpu-one-scanout",
|
|
||||||
- .version_id = 2,
|
|
||||||
- .minimum_version_id = 1,
|
|
||||||
+ .version_id = 1,
|
|
||||||
.fields = (const VMStateField[]) {
|
|
||||||
VMSTATE_UINT32(resource_id, struct virtio_gpu_scanout),
|
|
||||||
VMSTATE_UINT32(width, struct virtio_gpu_scanout),
|
|
||||||
@@ -1181,12 +1188,12 @@ static const VMStateDescription vmstate_virtio_gpu_scanout = {
|
|
||||||
VMSTATE_UINT32(cursor.hot_y, struct virtio_gpu_scanout),
|
|
||||||
VMSTATE_UINT32(cursor.pos.x, struct virtio_gpu_scanout),
|
|
||||||
VMSTATE_UINT32(cursor.pos.y, struct virtio_gpu_scanout),
|
|
||||||
- VMSTATE_UINT32_V(fb.format, struct virtio_gpu_scanout, 2),
|
|
||||||
- VMSTATE_UINT32_V(fb.bytes_pp, struct virtio_gpu_scanout, 2),
|
|
||||||
- VMSTATE_UINT32_V(fb.width, struct virtio_gpu_scanout, 2),
|
|
||||||
- VMSTATE_UINT32_V(fb.height, struct virtio_gpu_scanout, 2),
|
|
||||||
- VMSTATE_UINT32_V(fb.stride, struct virtio_gpu_scanout, 2),
|
|
||||||
- VMSTATE_UINT32_V(fb.offset, struct virtio_gpu_scanout, 2),
|
|
||||||
+ VMSTATE_UINT32_TEST(fb.format, struct virtio_gpu_scanout, scanout_vmstate_after_v2),
|
|
||||||
+ VMSTATE_UINT32_TEST(fb.bytes_pp, struct virtio_gpu_scanout, scanout_vmstate_after_v2),
|
|
||||||
+ VMSTATE_UINT32_TEST(fb.width, struct virtio_gpu_scanout, scanout_vmstate_after_v2),
|
|
||||||
+ VMSTATE_UINT32_TEST(fb.height, struct virtio_gpu_scanout, scanout_vmstate_after_v2),
|
|
||||||
+ VMSTATE_UINT32_TEST(fb.stride, struct virtio_gpu_scanout, scanout_vmstate_after_v2),
|
|
||||||
+ VMSTATE_UINT32_TEST(fb.offset, struct virtio_gpu_scanout, scanout_vmstate_after_v2),
|
|
||||||
VMSTATE_END_OF_LIST()
|
|
||||||
},
|
|
||||||
};
|
|
||||||
@@ -1659,6 +1666,7 @@ static Property virtio_gpu_properties[] = {
|
|
||||||
DEFINE_PROP_BIT("blob", VirtIOGPU, parent_obj.conf.flags,
|
|
||||||
VIRTIO_GPU_FLAG_BLOB_ENABLED, false),
|
|
||||||
DEFINE_PROP_SIZE("hostmem", VirtIOGPU, parent_obj.conf.hostmem, 0),
|
|
||||||
+ DEFINE_PROP_UINT8("x-scanout-vmstate-version", VirtIOGPU, scanout_vmstate_version, 2),
|
|
||||||
DEFINE_PROP_END_OF_LIST(),
|
|
||||||
};
|
|
||||||
|
|
||||||
diff --git a/include/hw/virtio/virtio-gpu.h b/include/hw/virtio/virtio-gpu.h
|
|
||||||
index ed44cdad6b..842315d51d 100644
|
|
||||||
--- a/include/hw/virtio/virtio-gpu.h
|
|
||||||
+++ b/include/hw/virtio/virtio-gpu.h
|
|
||||||
@@ -177,6 +177,7 @@ typedef struct VGPUDMABuf {
|
|
||||||
struct VirtIOGPU {
|
|
||||||
VirtIOGPUBase parent_obj;
|
|
||||||
|
|
||||||
+ uint8_t scanout_vmstate_version;
|
|
||||||
uint64_t conf_max_hostmem;
|
|
||||||
|
|
||||||
VirtQueue *ctrl_vq;
|
|
|
@ -1,59 +0,0 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
||||||
Date: Thu, 16 May 2024 10:46:34 +0200
|
|
||||||
Subject: [PATCH] hw/pflash: fix block write start
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Move the pflash_blk_write_start() call. We need the offset of the
|
|
||||||
first data write, not the offset for the setup (number-of-bytes)
|
|
||||||
write. Without this fix u-boot can do block writes to the first
|
|
||||||
flash block only.
|
|
||||||
|
|
||||||
While being at it drop a leftover FIXME.
|
|
||||||
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2343
|
|
||||||
Fixes: fcc79f2e0955 ("hw/pflash: implement update buffer for block writes")
|
|
||||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
||||||
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
|
||||||
(picked up from https://lists.nongnu.org/archive/html/qemu-stable/2024-05/msg00091.html)
|
|
||||||
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
|
|
||||||
---
|
|
||||||
hw/block/pflash_cfi01.c | 8 +++-----
|
|
||||||
1 file changed, 3 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/block/pflash_cfi01.c b/hw/block/pflash_cfi01.c
|
|
||||||
index 1bda8424b9..c8f1cf5a87 100644
|
|
||||||
--- a/hw/block/pflash_cfi01.c
|
|
||||||
+++ b/hw/block/pflash_cfi01.c
|
|
||||||
@@ -518,10 +518,6 @@ static void pflash_write(PFlashCFI01 *pfl, hwaddr offset,
|
|
||||||
break;
|
|
||||||
case 0xe8: /* Write to buffer */
|
|
||||||
trace_pflash_write(pfl->name, "write to buffer");
|
|
||||||
- /* FIXME should save @offset, @width for case 1+ */
|
|
||||||
- qemu_log_mask(LOG_UNIMP,
|
|
||||||
- "%s: Write to buffer emulation is flawed\n",
|
|
||||||
- __func__);
|
|
||||||
pfl->status |= 0x80; /* Ready! */
|
|
||||||
break;
|
|
||||||
case 0xf0: /* Probe for AMD flash */
|
|
||||||
@@ -574,7 +570,6 @@ static void pflash_write(PFlashCFI01 *pfl, hwaddr offset,
|
|
||||||
}
|
|
||||||
pfl->counter = value;
|
|
||||||
pfl->wcycle++;
|
|
||||||
- pflash_blk_write_start(pfl, offset);
|
|
||||||
break;
|
|
||||||
case 0x60:
|
|
||||||
if (cmd == 0xd0) {
|
|
||||||
@@ -605,6 +600,9 @@ static void pflash_write(PFlashCFI01 *pfl, hwaddr offset,
|
|
||||||
switch (pfl->cmd) {
|
|
||||||
case 0xe8: /* Block write */
|
|
||||||
/* FIXME check @offset, @width */
|
|
||||||
+ if (pfl->blk_offset == -1 && pfl->counter) {
|
|
||||||
+ pflash_blk_write_start(pfl, offset);
|
|
||||||
+ }
|
|
||||||
if (!pfl->ro && (pfl->blk_offset != -1)) {
|
|
||||||
pflash_data_write(pfl, offset, value, width, be);
|
|
||||||
} else {
|
|
|
@ -1,51 +0,0 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
Date: Thu, 9 May 2024 12:38:10 +0200
|
|
||||||
Subject: [PATCH] target/i386: fix operand size for DATA16 REX.W POPCNT
|
|
||||||
|
|
||||||
According to the manual, 32-bit vs 64-bit is governed by REX.W
|
|
||||||
and REX ignores the 0x66 prefix. This can be confirmed with this
|
|
||||||
program:
|
|
||||||
|
|
||||||
#include <stdio.h>
|
|
||||||
int main()
|
|
||||||
{
|
|
||||||
int x = 0x12340000;
|
|
||||||
int y;
|
|
||||||
asm("popcntl %1, %0" : "=r" (y) : "r" (x)); printf("%x\n", y);
|
|
||||||
asm("mov $-1, %0; .byte 0x66; popcntl %1, %0" : "+r" (y) : "r" (x)); printf("%x\n", y);
|
|
||||||
asm("mov $-1, %0; .byte 0x66; popcntq %q1, %q0" : "+r" (y) : "r" (x)); printf("%x\n", y);
|
|
||||||
}
|
|
||||||
|
|
||||||
which prints 5/ffff0000/5 on real hardware and 5/ffff0000/ffff0000
|
|
||||||
on QEMU.
|
|
||||||
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
|
|
||||||
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
(cherry picked from commit 41c685dc59bb611096f3bb6a663cfa82e4cba97b)
|
|
||||||
[FE: keep mo_64_32 helper which still has other users in 9.0.0]
|
|
||||||
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
|
|
||||||
---
|
|
||||||
target/i386/tcg/translate.c | 7 +------
|
|
||||||
1 file changed, 1 insertion(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
|
|
||||||
index 76a42c679c..b60f3bd642 100644
|
|
||||||
--- a/target/i386/tcg/translate.c
|
|
||||||
+++ b/target/i386/tcg/translate.c
|
|
||||||
@@ -6799,12 +6799,7 @@ static bool disas_insn(DisasContext *s, CPUState *cpu)
|
|
||||||
modrm = x86_ldub_code(env, s);
|
|
||||||
reg = ((modrm >> 3) & 7) | REX_R(s);
|
|
||||||
|
|
||||||
- if (s->prefix & PREFIX_DATA) {
|
|
||||||
- ot = MO_16;
|
|
||||||
- } else {
|
|
||||||
- ot = mo_64_32(dflag);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
+ ot = dflag;
|
|
||||||
gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 0);
|
|
||||||
gen_extu(ot, s->T0);
|
|
||||||
tcg_gen_mov_tl(cpu_cc_src, s->T0);
|
|
|
@ -1,40 +0,0 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
Date: Thu, 9 May 2024 15:55:47 +0200
|
|
||||||
Subject: [PATCH] target/i386: rdpkru/wrpkru are no-prefix instructions
|
|
||||||
|
|
||||||
Reject 0x66/0xf3/0xf2 in front of them.
|
|
||||||
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
(cherry picked from commit 40a3ec7b5ffde500789d016660a171057d6b467c)
|
|
||||||
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
|
|
||||||
---
|
|
||||||
target/i386/tcg/translate.c | 6 ++++--
|
|
||||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
|
|
||||||
index b60f3bd642..3e949fe964 100644
|
|
||||||
--- a/target/i386/tcg/translate.c
|
|
||||||
+++ b/target/i386/tcg/translate.c
|
|
||||||
@@ -6083,7 +6083,8 @@ static bool disas_insn(DisasContext *s, CPUState *cpu)
|
|
||||||
gen_ldst_modrm(env, s, modrm, ot, OR_TMP0, 1);
|
|
||||||
break;
|
|
||||||
case 0xee: /* rdpkru */
|
|
||||||
- if (prefixes & PREFIX_LOCK) {
|
|
||||||
+ if (s->prefix & (PREFIX_LOCK | PREFIX_DATA
|
|
||||||
+ | PREFIX_REPZ | PREFIX_REPNZ)) {
|
|
||||||
goto illegal_op;
|
|
||||||
}
|
|
||||||
tcg_gen_trunc_tl_i32(s->tmp2_i32, cpu_regs[R_ECX]);
|
|
||||||
@@ -6091,7 +6092,8 @@ static bool disas_insn(DisasContext *s, CPUState *cpu)
|
|
||||||
tcg_gen_extr_i64_tl(cpu_regs[R_EAX], cpu_regs[R_EDX], s->tmp1_i64);
|
|
||||||
break;
|
|
||||||
case 0xef: /* wrpkru */
|
|
||||||
- if (prefixes & PREFIX_LOCK) {
|
|
||||||
+ if (s->prefix & (PREFIX_LOCK | PREFIX_DATA
|
|
||||||
+ | PREFIX_REPZ | PREFIX_REPNZ)) {
|
|
||||||
goto illegal_op;
|
|
||||||
}
|
|
||||||
tcg_gen_concat_tl_i64(s->tmp1_i64, cpu_regs[R_EAX],
|
|
|
@ -1,33 +0,0 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
Date: Wed, 8 May 2024 11:10:54 +0200
|
|
||||||
Subject: [PATCH] target/i386: fix feature dependency for WAITPKG
|
|
||||||
|
|
||||||
The VMX feature bit depends on general availability of WAITPKG,
|
|
||||||
not the other way round.
|
|
||||||
|
|
||||||
Fixes: 33cc88261c3 ("target/i386: add support for VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE", 2023-08-28)
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
(cherry picked from commit fe01af5d47d4cf7fdf90c54d43f784e5068c8d72)
|
|
||||||
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
|
|
||||||
---
|
|
||||||
target/i386/cpu.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
|
|
||||||
index 33760a2ee1..e693f8ca9a 100644
|
|
||||||
--- a/target/i386/cpu.c
|
|
||||||
+++ b/target/i386/cpu.c
|
|
||||||
@@ -1550,8 +1550,8 @@ static FeatureDep feature_dependencies[] = {
|
|
||||||
.to = { FEAT_SVM, ~0ull },
|
|
||||||
},
|
|
||||||
{
|
|
||||||
- .from = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE },
|
|
||||||
- .to = { FEAT_7_0_ECX, CPUID_7_0_ECX_WAITPKG },
|
|
||||||
+ .from = { FEAT_7_0_ECX, CPUID_7_0_ECX_WAITPKG },
|
|
||||||
+ .to = { FEAT_VMX_SECONDARY_CTLS, VMX_SECONDARY_EXEC_ENABLE_USER_WAIT_PAUSE },
|
|
||||||
},
|
|
||||||
};
|
|
||||||
|
|
|
@ -1,87 +0,0 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Fiona Ebner <f.ebner@proxmox.com>
|
|
||||||
Date: Thu, 16 May 2024 12:59:52 +0200
|
|
||||||
Subject: [PATCH] Revert "virtio-pci: fix use of a released vector"
|
|
||||||
|
|
||||||
This reverts commit 2ce6cff94df2650c460f809e5ad263f1d22507c0.
|
|
||||||
|
|
||||||
The fix causes some issues:
|
|
||||||
https://gitlab.com/qemu-project/qemu/-/issues/2321
|
|
||||||
https://gitlab.com/qemu-project/qemu/-/issues/2334
|
|
||||||
|
|
||||||
The CVE fixed by commit 2ce6cff94d ("virtio-pci: fix use of a released
|
|
||||||
vector") is CVE-2024-4693 [0] and allows a malicious guest that
|
|
||||||
controls the boot process in the guest to crash its QEMU process.
|
|
||||||
|
|
||||||
The issues sound worse than the CVE, so revert until there is a proper
|
|
||||||
fix.
|
|
||||||
|
|
||||||
[0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4693
|
|
||||||
|
|
||||||
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
|
|
||||||
---
|
|
||||||
hw/virtio/virtio-pci.c | 37 ++-----------------------------------
|
|
||||||
1 file changed, 2 insertions(+), 35 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
|
|
||||||
index cb159fd078..cb6940fc0e 100644
|
|
||||||
--- a/hw/virtio/virtio-pci.c
|
|
||||||
+++ b/hw/virtio/virtio-pci.c
|
|
||||||
@@ -1424,38 +1424,6 @@ static int virtio_pci_add_mem_cap(VirtIOPCIProxy *proxy,
|
|
||||||
return offset;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static void virtio_pci_set_vector(VirtIODevice *vdev,
|
|
||||||
- VirtIOPCIProxy *proxy,
|
|
||||||
- int queue_no, uint16_t old_vector,
|
|
||||||
- uint16_t new_vector)
|
|
||||||
-{
|
|
||||||
- bool kvm_irqfd = (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK) &&
|
|
||||||
- msix_enabled(&proxy->pci_dev) && kvm_msi_via_irqfd_enabled();
|
|
||||||
-
|
|
||||||
- if (new_vector == old_vector) {
|
|
||||||
- return;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * If the device uses irqfd and the vector changes after DRIVER_OK is
|
|
||||||
- * set, we need to release the old vector and set up the new one.
|
|
||||||
- * Otherwise just need to set the new vector on the device.
|
|
||||||
- */
|
|
||||||
- if (kvm_irqfd && old_vector != VIRTIO_NO_VECTOR) {
|
|
||||||
- kvm_virtio_pci_vector_release_one(proxy, queue_no);
|
|
||||||
- }
|
|
||||||
- /* Set the new vector on the device. */
|
|
||||||
- if (queue_no == VIRTIO_CONFIG_IRQ_IDX) {
|
|
||||||
- vdev->config_vector = new_vector;
|
|
||||||
- } else {
|
|
||||||
- virtio_queue_set_vector(vdev, queue_no, new_vector);
|
|
||||||
- }
|
|
||||||
- /* If the new vector changed need to set it up. */
|
|
||||||
- if (kvm_irqfd && new_vector != VIRTIO_NO_VECTOR) {
|
|
||||||
- kvm_virtio_pci_vector_use_one(proxy, queue_no);
|
|
||||||
- }
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
int virtio_pci_add_shm_cap(VirtIOPCIProxy *proxy,
|
|
||||||
uint8_t bar, uint64_t offset, uint64_t length,
|
|
||||||
uint8_t id)
|
|
||||||
@@ -1602,8 +1570,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
|
|
||||||
} else {
|
|
||||||
val = VIRTIO_NO_VECTOR;
|
|
||||||
}
|
|
||||||
- virtio_pci_set_vector(vdev, proxy, VIRTIO_CONFIG_IRQ_IDX,
|
|
||||||
- vdev->config_vector, val);
|
|
||||||
+ vdev->config_vector = val;
|
|
||||||
break;
|
|
||||||
case VIRTIO_PCI_COMMON_STATUS:
|
|
||||||
if (!(val & VIRTIO_CONFIG_S_DRIVER_OK)) {
|
|
||||||
@@ -1643,7 +1610,7 @@ static void virtio_pci_common_write(void *opaque, hwaddr addr,
|
|
||||||
} else {
|
|
||||||
val = VIRTIO_NO_VECTOR;
|
|
||||||
}
|
|
||||||
- virtio_pci_set_vector(vdev, proxy, vdev->queue_sel, vector, val);
|
|
||||||
+ virtio_queue_set_vector(vdev, vdev->queue_sel, val);
|
|
||||||
break;
|
|
||||||
case VIRTIO_PCI_COMMON_Q_ENABLE:
|
|
||||||
if (val == 1) {
|
|
|
@ -1,57 +0,0 @@
|
||||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Fiona Ebner <f.ebner@proxmox.com>
|
|
||||||
Date: Thu, 16 May 2024 15:21:07 +0200
|
|
||||||
Subject: [PATCH] hw/core/machine: move compatibility flags for VirtIO-net USO
|
|
||||||
to machine 8.1
|
|
||||||
|
|
||||||
Migration from an 8.2 or 9.0 binary to an 8.1 binary with machine
|
|
||||||
version 8.1 can fail with:
|
|
||||||
|
|
||||||
> kvm: Features 0x1c0010130afffa7 unsupported. Allowed features: 0x10179bfffe7
|
|
||||||
> kvm: Failed to load virtio-net:virtio
|
|
||||||
> kvm: error while loading state for instance 0x0 of device '0000:00:12.0/virtio-net'
|
|
||||||
> kvm: load of migration failed: Operation not permitted
|
|
||||||
|
|
||||||
The series
|
|
||||||
|
|
||||||
53da8b5a99 virtio-net: Add support for USO features
|
|
||||||
9da1684954 virtio-net: Add USO flags to vhost support.
|
|
||||||
f03e0cf63b tap: Add check for USO features
|
|
||||||
2ab0ec3121 tap: Add USO support to tap device.
|
|
||||||
|
|
||||||
only landed in QEMU 8.2, so the compatibility flags should be part of
|
|
||||||
machine version 8.1.
|
|
||||||
|
|
||||||
Moving the flags unfortunately breaks forward migration with machine
|
|
||||||
version 8.1 from a binary without this patch to a binary with this
|
|
||||||
patch when the feature is enabled by the guest.
|
|
||||||
|
|
||||||
Fixes: 53da8b5a99 ("virtio-net: Add support for USO features")
|
|
||||||
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
|
|
||||||
---
|
|
||||||
hw/core/machine.c | 6 +++---
|
|
||||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/core/machine.c b/hw/core/machine.c
|
|
||||||
index d33a37a6f6..4273de16a0 100644
|
|
||||||
--- a/hw/core/machine.c
|
|
||||||
+++ b/hw/core/machine.c
|
|
||||||
@@ -46,15 +46,15 @@ GlobalProperty hw_compat_8_1[] = {
|
|
||||||
{ "ramfb", "x-migrate", "off" },
|
|
||||||
{ "vfio-pci-nohotplug", "x-ramfb-migrate", "off" },
|
|
||||||
{ "igb", "x-pcie-flr-init", "off" },
|
|
||||||
+ { TYPE_VIRTIO_NET, "host_uso", "off"},
|
|
||||||
+ { TYPE_VIRTIO_NET, "guest_uso4", "off"},
|
|
||||||
+ { TYPE_VIRTIO_NET, "guest_uso6", "off"},
|
|
||||||
};
|
|
||||||
const size_t hw_compat_8_1_len = G_N_ELEMENTS(hw_compat_8_1);
|
|
||||||
|
|
||||||
GlobalProperty hw_compat_8_0[] = {
|
|
||||||
{ "migration", "multifd-flush-after-each-section", "on"},
|
|
||||||
{ TYPE_PCI_DEVICE, "x-pcie-ari-nextfn-1", "on" },
|
|
||||||
- { TYPE_VIRTIO_NET, "host_uso", "off"},
|
|
||||||
- { TYPE_VIRTIO_NET, "guest_uso4", "off"},
|
|
||||||
- { TYPE_VIRTIO_NET, "guest_uso6", "off"},
|
|
||||||
};
|
|
||||||
const size_t hw_compat_8_0_len = G_N_ELEMENTS(hw_compat_8_0);
|
|
||||||
|
|
File diff suppressed because it is too large
|
@ -26,10 +26,10 @@ Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/hw/core/machine.c b/hw/core/machine.c
|
diff --git a/hw/core/machine.c b/hw/core/machine.c
|
||||||
index 4273de16a0..83f1fc0293 100644
|
index 37ede0e7d4..513e49bab1 100644
|
||||||
--- a/hw/core/machine.c
|
--- a/hw/core/machine.c
|
||||||
+++ b/hw/core/machine.c
|
+++ b/hw/core/machine.c
|
||||||
@@ -162,7 +162,8 @@ GlobalProperty hw_compat_4_0[] = {
|
@@ -161,7 +161,8 @@ GlobalProperty hw_compat_4_0[] = {
|
||||||
{ "virtio-vga", "edid", "false" },
|
{ "virtio-vga", "edid", "false" },
|
||||||
{ "virtio-gpu-device", "edid", "false" },
|
{ "virtio-gpu-device", "edid", "false" },
|
||||||
{ "virtio-device", "use-started", "false" },
|
{ "virtio-device", "use-started", "false" },
|
||||||
|
|
|
@ -3,13 +3,6 @@ extra/0002-scsi-megasas-Internal-cdbs-have-16-byte-length.patch
|
||||||
extra/0003-ide-avoid-potential-deadlock-when-draining-during-tr.patch
|
extra/0003-ide-avoid-potential-deadlock-when-draining-during-tr.patch
|
||||||
extra/0004-Revert-x86-acpi-workaround-Windows-not-handling-name.patch
|
extra/0004-Revert-x86-acpi-workaround-Windows-not-handling-name.patch
|
||||||
extra/0005-block-copy-before-write-use-uint64_t-for-timeout-in-.patch
|
extra/0005-block-copy-before-write-use-uint64_t-for-timeout-in-.patch
|
||||||
extra/0006-virtio-gpu-fix-v2-migration.patch
|
|
||||||
extra/0007-hw-pflash-fix-block-write-start.patch
|
|
||||||
extra/0008-target-i386-fix-operand-size-for-DATA16-REX.W-POPCNT.patch
|
|
||||||
extra/0009-target-i386-rdpkru-wrpkru-are-no-prefix-instructions.patch
|
|
||||||
extra/0010-target-i386-fix-feature-dependency-for-WAITPKG.patch
|
|
||||||
extra/0011-Revert-virtio-pci-fix-use-of-a-released-vector.patch
|
|
||||||
extra/0012-hw-core-machine-move-compatibility-flags-for-VirtIO-.patch
|
|
||||||
bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
|
bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
|
||||||
bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
|
bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
|
||||||
bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
|
bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch
|
||||||
|
@ -67,4 +60,3 @@ pve/0048-copy-before-write-allow-specifying-minimum-cluster-s.patch
|
||||||
pve/0049-backup-add-minimum-cluster-size-to-performance-optio.patch
|
pve/0049-backup-add-minimum-cluster-size-to-performance-optio.patch
|
||||||
pve/0050-PVE-backup-add-fleecing-option.patch
|
pve/0050-PVE-backup-add-fleecing-option.patch
|
||||||
pve/0051-PVE-backup-improve-error-when-copy-before-write-fail.patch
|
pve/0051-PVE-backup-improve-error-when-copy-before-write-fail.patch
|
||||||
pve-qemu-9.0-vitastor.patch
|
|
||||||
|
|
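Review bot: The new side of this hunk drops extra/0006 through extra/0012 from the series, and the deleted patch files shown earlier on this page carried upstream stable fixes (pflash block-write start, POPCNT operand size, rdpkru/wrpkru prefix rejection, the WAITPKG feature dependency, VirtIO-GPU v2 migration) as well as the revert of the CVE-2024-4693 fix that was backed out because of issues #2321 and #2334; whether the QEMU submodule referenced on this side already contains those fixes cannot be seen from this page, so the changelog or commit message should state that explicitly, otherwise this side regresses them. The second hunk at `@ -67,4 +60,3 @@` drops `pve-qemu-9.0-vitastor.patch`, which pairs with the `vitastor-client (>= 0.9.4)` Depends removal in the control file section above; if the Vitastor block driver is intentionally gone, removing both together is the consistent choice and worth a one-line mention in the changelog entry.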