14 files changed, 2 insertions, 798 deletions
diff --git a/meta/recipes-devtools/qemu/qemu-native_3.1.0.bb b/meta/recipes-devtools/qemu/qemu-native_3.1.1.1.bb index c8acff8e19..c8acff8e19 100644 --- a/meta/recipes-devtools/qemu/qemu-native_3.1.0.bb +++ b/meta/recipes-devtools/qemu/qemu-native_3.1.1.1.bb | |||
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_3.1.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_3.1.1.1.bb index 5bf528bec1..5bf528bec1 100644 --- a/meta/recipes-devtools/qemu/qemu-system-native_3.1.0.bb +++ b/meta/recipes-devtools/qemu/qemu-system-native_3.1.1.1.bb | |||
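--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -22,24 +22,14 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
 file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
 file://0001-Add-a-missing-X11-include.patch \
-file://0001-egl-headless-add-egl_create_context.patch \
-file://0014-fix-CVE-2018-16872.patch \
-file://0015-fix-CVE-2018-20124.patch \
-file://0016-fix-CVE-2018-20125.patch \
-file://0017-fix-CVE-2018-20126.patch \
-file://0018-fix-CVE-2018-20191.patch \
-file://0019-fix-CVE-2018-20216.patch \
-file://CVE-2019-3812.patch \
 file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
-file://CVE-2018-20815.patch \
-file://CVE-2019-8934.patch \
 file://0001-linux-user-assume-__NR_gettid-always-exists.patch \
 file://0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
-SRC_URI[md5sum] = "fb687ce0b02d3bf4327e36d3b99427a8"
-SRC_URI[sha256sum] = "6a0508df079a0a33c2487ca936a56c12122f105b8a96a44374704bef6c69abfc"
+SRC_URI[md5sum] = "aafb005c252eb3a667c2468868348c0a"
+SRC_URI[sha256sum] = "b148fc3c7382c5addd915db433383160ca7b840bc6ea90bb0d35c6b253526d56"
 
 COMPATIBLE_HOST_mipsarchn32 = "null"
 COMPATIBLE_HOST_mipsarchn64 = "null"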
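Review bot: The SRC_URI hunk drops nine CVE-tagged backports and the egl-headless fix in the same step as the switch to the 3.1.1.1 tarball, and nothing in the visible part of the page records that the new tarball contains each of those fixes. The `CVE:` tags in the deleted patch files disappear with them, so any CVE tracking in the build would presumably fall back to the version number alone, and a fix missing from the point release would go unnoticed. It is worth checking each upstream commit id named in the deleted patches (for example `bab9df35` for CVE-2018-16872) against the 3.1.1.1 history and listing the covered CVE ids in the commit message. The checksum change is what a new tarball requires; of the two lines only `SRC_URI[sha256sum]` gives a meaningful integrity guarantee.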
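--- a/meta/recipes-devtools/qemu/qemu/0001-egl-headless-add-egl_create_context.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 952e5d584f5aabe41298c278065fe628f3f7aa7a Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Thu, 29 Nov 2018 13:35:02 +0100
-Subject: [PATCH] egl-headless: add egl_create_context
-
-We must set the correct context (via eglMakeCurrent) before
-calling qemu_egl_create_context, so we need a thin wrapper and can't
-hook qemu_egl_create_context directly as ->dpy_gl_ctx_create callback.
-
-Reported-by: Frederik Carlier <frederik.carlier@quamotion.mobi>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 20181129123502.30129-1-kraxel@redhat.com
-
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=952e5d584f5aabe41298c278065fe628f3f7aa7a]
-Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
----
-ui/egl-headless.c | 10 +++++++++-
-1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/ui/egl-headless.c b/ui/egl-headless.c
-index 4cf3bbc0e4..519e7bad32 100644
---- a/ui/egl-headless.c
-+++ b/ui/egl-headless.c
-@@ -38,6 +38,14 @@ static void egl_gfx_switch(DisplayChangeListener *dcl,
-edpy->ds = new_surface;
-}
-
-+static QEMUGLContext egl_create_context(DisplayChangeListener *dcl,
-+ QEMUGLParams *params)
-+{
-+ eglMakeCurrent(qemu_egl_display, EGL_NO_SURFACE, EGL_NO_SURFACE,
-+ qemu_egl_rn_ctx);
-+ return qemu_egl_create_context(dcl, params);
-+}
-+
-static void egl_scanout_disable(DisplayChangeListener *dcl)
-{
-egl_dpy *edpy = container_of(dcl, egl_dpy, dcl);
-@@ -150,7 +158,7 @@ static const DisplayChangeListenerOps egl_ops = {
-.dpy_gfx_update = egl_gfx_update,
-.dpy_gfx_switch = egl_gfx_switch,
-
-- .dpy_gl_ctx_create = qemu_egl_create_context,
-+ .dpy_gl_ctx_create = egl_create_context,
-.dpy_gl_ctx_destroy = qemu_egl_destroy_context,
-.dpy_gl_ctx_make_current = qemu_egl_make_context_current,
-.dpy_gl_ctx_get_current = qemu_egl_get_current_context,
---
-2.17.1
-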
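--- a/meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-CVE: CVE-2018-16872
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=bab9df35]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From bab9df35ce73d1c8e19a37e2737717ea1c984dc1 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Thu, 13 Dec 2018 13:25:11 +0100
-Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
-
-Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
-While being at it also add O_CLOEXEC.
-
-usb-mtp only handles regular files and directories and ignores
-everything else, so users should not see a difference.
-
-Because qemu ignores symlinks, carrying out a successful symlink attack
-requires swapping an existing file or directory below rootdir for a
-symlink and winning the race against the inotify notification to qemu.
-
-Fixes: CVE-2018-16872
-Cc: Prasad J Pandit <ppandit@redhat.com>
-Cc: Bandan Das <bsd@redhat.com>
-Reported-by: Michael Hanselmann <public@hansmi.ch>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Michael Hanselmann <public@hansmi.ch>
-Message-id: 20181213122511.13853-1-kraxel@redhat.com
----
-hw/usb/dev-mtp.c | 13 +++++++++----
-1 file changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
-index 100b7171f4..36c43b8c20 100644
---- a/hw/usb/dev-mtp.c
-+++ b/hw/usb/dev-mtp.c
-@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
-{
-struct dirent *entry;
-DIR *dir;
-+ int fd;
-
-if (o->have_children) {
-return;
-}
-o->have_children = true;
-
-- dir = opendir(o->path);
-+ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
-+ if (fd < 0) {
-+ return;
-+ }
-+ dir = fdopendir(fd);
-if (!dir) {
-return;
-}
-@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
-
-trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
-
-- d->fd = open(o->path, O_RDONLY);
-+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
-if (d->fd == -1) {
-usb_mtp_data_free(d);
-return NULL;
-@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
-c->argv[1], c->argv[2]);
-
-d = usb_mtp_data_alloc(c);
-- d->fd = open(o->path, O_RDONLY);
-+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
-if (d->fd == -1) {
-usb_mtp_data_free(d);
-return NULL;
-@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s)
-0, 0, 0, 0);
-goto done;
-}
-- d->fd = open(path, O_CREAT | O_WRONLY, mask);
-+ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
-if (d->fd == -1) {
-usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
-0, 0, 0, 0);
---
-2.20.1
-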
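--- a/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-CVE: CVE-2018-20124
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373]
-
-Backport patch to fix CVE-2018-20124. Update context and stay with current
-function comp_handler() which has been replaced with complete_work() in latest
-git repo.
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 0e68373cc2b3a063ce067bc0cc3edaf370752890 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 13 Dec 2018 01:00:34 +0530
-Subject: [PATCH] rdma: check num_sge does not exceed MAX_SGE
-
-rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
-to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
-with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
-Add check to avoid it.
-
-Reported-by: Saar Amar <saaramar5@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
----
-hw/rdma/rdma_backend.c | 12 ++++++------
-1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
-index d7a4bbd9..7f8028f8 100644
---- a/hw/rdma/rdma_backend.c
-+++ b/hw/rdma/rdma_backend.c
-@@ -311,9 +311,9 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev,
-}
-
-pr_dbg("num_sge=%d\n", num_sge);
-- if (!num_sge) {
-- pr_dbg("num_sge=0\n");
-- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
-+ if (!num_sge || num_sge > MAX_SGE) {
-+ pr_dbg("invalid num_sge=%d\n", num_sge);
-+ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
-return;
-}
-
-@@ -390,9 +390,9 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev,
-}
-
-pr_dbg("num_sge=%d\n", num_sge);
-- if (!num_sge) {
-- pr_dbg("num_sge=0\n");
-- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
-+ if (!num_sge || num_sge > MAX_SGE) {
-+ pr_dbg("invalid num_sge=%d\n", num_sge);
-+ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
-return;
-}
-
---
-2.20.1
-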
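--- a/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-CVE: CVE-2018-20125
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2c858ce]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 2c858ce5da8ae6689c75182b73bc455a291cad41 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 13 Dec 2018 01:00:36 +0530
-Subject: [PATCH] pvrdma: check number of pages when creating rings
-
-When creating CQ/QP rings, an object can have up to
-PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter
-to avoid excessive memory allocation or a null dereference.
-
-Reported-by: Li Qiang <liq3ea@163.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
----
-hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++
-1 file changed, 11 insertions(+)
-
-diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
-index 3b94545761..f236ac4795 100644
---- a/hw/rdma/vmw/pvrdma_cmd.c
-+++ b/hw/rdma/vmw/pvrdma_cmd.c
-@@ -259,6 +259,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring,
-int rc = -EINVAL;
-char ring_name[MAX_RING_NAME_SZ];
-
-+ if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) {
-+ pr_dbg("invalid nchunks: %d\n", nchunks);
-+ return rc;
-+ }
-+
-pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
-dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
-if (!dir) {
-@@ -372,6 +377,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma,
-char ring_name[MAX_RING_NAME_SZ];
-uint32_t wqe_sz;
-
-+ if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES
-+ || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) {
-+ pr_dbg("invalid pages: %d, %d\n", spages, rpages);
-+ return rc;
-+ }
-+
-pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
-dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
-if (!dir) {
---
-2.20.1
-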
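--- a/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-CVE: CVE-2018-20126
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=509f57c]
-
-Backport and rebase patch to fix CVE-2018-20126.
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 509f57c98e7536905bb4902363d0cba66ce7e089 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 13 Dec 2018 01:00:37 +0530
-Subject: [PATCH] pvrdma: release ring object in case of an error
-
-create_cq and create_qp routines allocate ring object, but it's
-not released in case of an error, leading to memory leakage.
-
-Reported-by: Li Qiang <liq3ea@163.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
----
-hw/rdma/vmw/pvrdma_cmd.c | 41 ++++++++++++++++++++++++++++++-----------
-1 file changed, 30 insertions(+), 11 deletions(-)
-
-diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
-index 4faeb21..9b6796f 100644
---- a/hw/rdma/vmw/pvrdma_cmd.c
-+++ b/hw/rdma/vmw/pvrdma_cmd.c
-@@ -310,6 +310,14 @@ out:
-return rc;
-}
-
-+static void destroy_cq_ring(PvrdmaRing *ring)
-+{
-+ pvrdma_ring_free(ring);
-+ /* ring_state was in slot 1, not 0 so need to jump back */
-+ rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
-+ g_free(ring);
-+}
-+
-static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
-union pvrdma_cmd_resp *rsp)
-{
-@@ -333,6 +341,10 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
-
-resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
-cmd->cqe, &resp->cq_handle, ring);
-+ if (resp->hdr.err) {
-+ destroy_cq_ring(ring);
-+ }
-+
-resp->cqe = cmd->cqe;
-
-out:
-@@ -356,10 +368,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
-}
-
-ring = (PvrdmaRing *)cq->opaque;
-- pvrdma_ring_free(ring);
-- /* ring_state was in slot 1, not 0 so need to jump back */
-- rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
-- g_free(ring);
-+ destroy_cq_ring(ring);
-
-rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
-
-@@ -451,6 +460,17 @@ out:
-return rc;
-}
-
-+static void destroy_qp_rings(PvrdmaRing *ring)
-+{
-+ pr_dbg("sring=%p\n", &ring[0]);
-+ pvrdma_ring_free(&ring[0]);
-+ pr_dbg("rring=%p\n", &ring[1]);
-+ pvrdma_ring_free(&ring[1]);
-+
-+ rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
-+ g_free(ring);
-+}
-+
-static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
-union pvrdma_cmd_resp *rsp)
-{
-@@ -482,6 +502,11 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
-cmd->max_recv_wr, cmd->max_recv_sge,
-cmd->recv_cq_handle, rings, &resp->qpn);
-
-+ if (resp->hdr.err) {
-+ destroy_qp_rings(rings);
-+ return resp->hdr.err;
-+ }
-+
-resp->max_send_wr = cmd->max_send_wr;
-resp->max_recv_wr = cmd->max_recv_wr;
-resp->max_send_sge = cmd->max_send_sge;
-@@ -555,13 +580,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
-rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
-
-ring = (PvrdmaRing *)qp->opaque;
-- pr_dbg("sring=%p\n", &ring[0]);
-- pvrdma_ring_free(&ring[0]);
-- pr_dbg("rring=%p\n", &ring[1]);
-- pvrdma_ring_free(&ring[1]);
-
-- rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
-- g_free(ring);
-+ destroy_qp_rings(ring);
-
-return 0;
-}
---
-2.20.1
-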
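--- a/meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-CVE: CVE-2018-20191
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2aa8645]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 2aa86456fb938a11f2b7bd57c8643c213218681c Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 13 Dec 2018 01:00:35 +0530
-Subject: [PATCH] pvrdma: add uar_read routine
-
-Define skeleton 'uar_read' routine. Avoid NULL dereference.
-
-Reported-by: Li Qiang <liq3ea@163.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
----
-hw/rdma/vmw/pvrdma_main.c | 6 ++++++
-1 file changed, 6 insertions(+)
-
-diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
-index 64de16fb52..838ad8a949 100644
---- a/hw/rdma/vmw/pvrdma_main.c
-+++ b/hw/rdma/vmw/pvrdma_main.c
-@@ -448,6 +448,11 @@ static const MemoryRegionOps regs_ops = {
-},
-};
-
-+static uint64_t uar_read(void *opaque, hwaddr addr, unsigned size)
-+{
-+ return 0xffffffff;
-+}
-+
-static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
-{
-PVRDMADev *dev = opaque;
-@@ -489,6 +494,7 @@ static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
-}
-
-static const MemoryRegionOps uar_ops = {
-+ .read = uar_read,
-.write = uar_write,
-.endianness = DEVICE_LITTLE_ENDIAN,
-.impl = {
---
-2.20.1
-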
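--- a/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-CVE: CVE-2018-20216
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=f1e2e38]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From f1e2e38ee0136b7710a2caa347049818afd57a1b Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 13 Dec 2018 01:00:39 +0530
-Subject: [PATCH] pvrdma: check return value from pvrdma_idx_ring_has_ routines
-
-pvrdma_idx_ring_has_[data/space] routines also return invalid
-index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check
-return value from these routines to avoid plausible infinite loops.
-
-Reported-by: Li Qiang <liq3ea@163.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
-Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
----
-hw/rdma/vmw/pvrdma_dev_ring.c | 29 +++++++++++------------------
-1 file changed, 11 insertions(+), 18 deletions(-)
-
-diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
-index 01247fc041..e8e5b502f6 100644
---- a/hw/rdma/vmw/pvrdma_dev_ring.c
-+++ b/hw/rdma/vmw/pvrdma_dev_ring.c
-@@ -73,23 +73,16 @@ out:
-
-void *pvrdma_ring_next_elem_read(PvrdmaRing *ring)
-{
-+ int e;
-unsigned int idx = 0, offset;
-
-- /*
-- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
-- ring->ring_state->cons_head);
-- */
-- 
-- if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) {
-+ e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx);
-+ if (e <= 0) {
-pr_dbg("No more data in ring\n");
-return NULL;
-}
-
-offset = idx * ring->elem_sz;
-- /*
-- pr_dbg("idx=%d\n", idx);
-- pr_dbg("offset=%d\n", offset);
-- */
-return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
-}
-
-@@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring)
-
-void *pvrdma_ring_next_elem_write(PvrdmaRing *ring)
-{
-- unsigned int idx, offset, tail;
-+ int idx;
-+ unsigned int offset, tail;
-
-- /*
-- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
-- ring->ring_state->cons_head);
-- */
-- 
-- if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) {
-+ idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail);
-+ if (idx <= 0) {
-pr_dbg("CQ is full\n");
-return NULL;
-}
-
-idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems);
-- /* TODO: tail == idx */
-+ if (idx < 0 || tail != idx) {
-+ pr_dbg("invalid idx\n");
-+ return NULL;
-+ }
-
-offset = idx * ring->elem_sz;
-return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
---
-2.20.1
-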
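--- a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 8bb018af1a7f2b9965f872a4b1121864e73e1b61 Mon Sep 17 00:00:00 2001
-From: Peter Maydell <peter.maydell@linaro.org>
-Date: Fri, 14 Dec 2018 13:30:52 +0000
-Subject: [PATCH] device_tree.c: Don't use load_image()
-
-The load_image() function is deprecated, as it does not let the
-caller specify how large the buffer to read the file into is.
-Instead use load_image_size().
-
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Message-id: 20181130151712.2312-9-peter.maydell@linaro.org
-
-Upstream-Status: Backport [https://github.com/qemu/qemu/commit/da885fe1ee8b4589047484bd7fa05a4905b52b17]
-CVE: CVE-2018-20815
-Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
----
-device_tree.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/device_tree.c b/device_tree.c
-index 6d9c9726f6..296278e12a 100644
---- a/device_tree.c
-+++ b/device_tree.c
-@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep)
-/* First allocate space in qemu for device tree */
-fdt = g_malloc0(dt_size);
-
-- dt_file_load_size = load_image(filename_path, fdt);
-+ dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
-if (dt_file_load_size < 0) {
-error_report("Unable to open device tree file '%s'",
-filename_path);
---
-2.17.1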
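--- a/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an
-out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc()
-function. A local attacker with permission to execute i2c commands could exploit
-this to read stack memory of the qemu process on the host.
-
-CVE: CVE-2019-3812
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Tue, 8 Jan 2019 11:23:01 +0100
-Subject: [PATCH] i2c-ddc: fix oob read
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Suggested-by: Michael Hanselmann <public@hansmi.ch>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Michael Hanselmann <public@hansmi.ch>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20190108102301.1957-1-kraxel@redhat.com
----
-hw/i2c/i2c-ddc.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
-index be34fe072cf..0a0367ff38f 100644
---- a/hw/i2c/i2c-ddc.c
-+++ b/hw/i2c/i2c-ddc.c
-@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
-I2CDDCState *s = I2CDDC(i2c);
-
-int value;
-- value = s->edid_blob[s->reg];
-+ value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
-s->reg++;
-return value;
-}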
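--- a/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-From 8c2e30a92d95d89e2cf45d229bce274881026cf7 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 18 Feb 2019 23:43:49 +0530
-Subject: [PATCH] ppc: add host-serial and host-model machine attributes
-(CVE-2019-8934)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-On ppc hosts, hypervisor shares following system attributes
-
-- /proc/device-tree/system-id
-- /proc/device-tree/model
-
-with a guest. This could lead to information leakage and misuse.[*]
-Add machine attributes to control such system information exposure
-to a guest.
-
-[*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028
-
-Reported-by: Daniel P. Berrangé <berrange@redhat.com>
-Fix-suggested-by: Daniel P. Berrangé <berrange@redhat.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20190218181349.23885-1-ppandit@redhat.com>
-Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-Reviewed-by: Greg Kurz <groug@kaod.org>
-Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
-
-CVE: CVE-2019-8934
-Upstream-Status: Backport
-[https://github.com/qemu/qemu/commit/27461d69a0f108dea756419251acc3ea65198f1b]
-
-Signed-off-by: Dan Tran <dantran@microsoft.com>
----
-hw/ppc/spapr.c | 128 ++++++++++++++++++++++++++++++++++++++---
-include/hw/ppc/spapr.h | 2 +
-2 files changed, 123 insertions(+), 7 deletions(-)
-
-diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
-index 7afd1a175b..bcee7c162d 100644
---- a/hw/ppc/spapr.c
-+++ b/hw/ppc/spapr.c
-@@ -1244,13 +1244,30 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
-* Add info to guest to indentify which host is it being run on
-* and what is the uuid of the guest
-*/
-- if (kvmppc_get_host_model(&buf)) {
-- _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
-- g_free(buf);
-+ if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
-+ if (g_str_equal(spapr->host_model, "passthrough")) {
-+ /* -M host-model=passthrough */
-+ if (kvmppc_get_host_model(&buf)) {
-+ _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
-+ g_free(buf);
-+ }
-+ } else {
-+ /* -M host-model=<user-string> */
-+ _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
-+ }
-}
-- if (kvmppc_get_host_serial(&buf)) {
-- _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
-- g_free(buf);
-+
-+ if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
-+ if (g_str_equal(spapr->host_serial, "passthrough")) {
-+ /* -M host-serial=passthrough */
-+ if (kvmppc_get_host_serial(&buf)) {
-+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
-+ g_free(buf);
-+ }
-+ } else {
-+ /* -M host-serial=<user-string> */
-+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
-+ }
-}
-
-buf = qemu_uuid_unparse_strdup(&qemu_uuid);
-@@ -3031,6 +3048,73 @@ static void spapr_set_vsmt(Object *obj, Visitor *v, const char *name,
-visit_type_uint32(v, name, (uint32_t *)opaque, errp);
-}
-
-+static char *spapr_get_ic_mode(Object *obj, Error **errp)
-+{
-+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
-+
-+ if (spapr->irq == &spapr_irq_xics_legacy) {
-+ return g_strdup("legacy");
-+ } else if (spapr->irq == &spapr_irq_xics) {
-+ return g_strdup("xics");
-+ } else if (spapr->irq == &spapr_irq_xive) {
-+ return g_strdup("xive");
-+ } else if (spapr->irq == &spapr_irq_dual) {
-+ return g_strdup("dual");
-+ }
-+ g_assert_not_reached();
-+}
-+
-+static void spapr_set_ic_mode(Object *obj, const char *value, Error **errp)
-+{
-+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
-+
-+ if (SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
-+ error_setg(errp, "This machine only uses the legacy XICS backend, don't pass ic-mode");
-+ return;
-+ }
-+
-+ /* The legacy IRQ backend can not be set */
-+ if (strcmp(value, "xics") == 0) {
-+ spapr->irq = &spapr_irq_xics;
-+ } else if (strcmp(value, "xive") == 0) {
-+ spapr->irq = &spapr_irq_xive;
-+ } else if (strcmp(value, "dual") == 0) {
-+ spapr->irq = &spapr_irq_dual;
-+ } else {
-+ error_setg(errp, "Bad value for \"ic-mode\" property");
-+ }
-+}
-+
-+static char *spapr_get_host_model(Object *obj, Error **errp)
-+{
-+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
-+
-+ return g_strdup(spapr->host_model);
-+}
-+
-+static void spapr_set_host_model(Object *obj, const char *value, Error **errp)
-+{
-+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
-+
-+ g_free(spapr->host_model);
-+ spapr->host_model = g_strdup(value);
-+}
-+
-+static char *spapr_get_host_serial(Object *obj, Error **errp)
-+{
-+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
-+
-+ return g_strdup(spapr->host_serial);
-+}
-+
-+static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
-+{
-+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
-+
-+ g_free(spapr->host_serial);
-+ spapr->host_serial = g_strdup(value);
-+}
-+
-static void spapr_instance_init(Object *obj)
-{
-sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
-@@ -3067,6 +3151,25 @@ static void spapr_instance_init(Object *obj)
-" the host's SMT mode", &error_abort);
-object_property_add_bool(obj, "vfio-no-msix-emulation",
-spapr_get_msix_emulation, NULL, NULL);
-+
-+ /* The machine class defines the default interrupt controller mode */
-+ spapr->irq = smc->irq;
-+ object_property_add_str(obj, "ic-mode", spapr_get_ic_mode,
-+ spapr_set_ic_mode, NULL);
-+ object_property_set_description(obj, "ic-mode",
-+ "Specifies the interrupt controller mode (xics, xive, dual)",
-+ NULL);
-+
-+ object_property_add_str(obj, "host-model",
-+ spapr_get_host_model, spapr_set_host_model,
-+ &error_abort);
-+ object_property_set_description(obj, "host-model",
-+ "Set host's model-id to use - none|passthrough|string", &error_abort);
-+ object_property_add_str(obj, "host-serial",
-+ spapr_get_host_serial, spapr_set_host_serial,
-+ &error_abort);
-+ object_property_set_description(obj, "host-serial",
-+ "Set host's system-id to use - none|passthrough|string", &error_abort);
-}
-
-static void spapr_machine_finalizefn(Object *obj)
-@@ -3965,7 +4068,18 @@ static void spapr_machine_3_1_instance_options(MachineState *machine)
-
-static void spapr_machine_3_1_class_options(MachineClass *mc)
-{
-- /* Defaults for the latest behaviour inherited from the base class */
-+ sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
-+ static GlobalProperty compat[] = {
-+ { TYPE_SPAPR_MACHINE, "host-model", "passthrough" },
-+ { TYPE_SPAPR_MACHINE, "host-serial", "passthrough" },
-+ };
-+
-+ spapr_machine_4_0_class_options(mc);
-+ compat_props_add(mc->compat_props, hw_compat_3_1, hw_compat_3_1_len);
-+ compat_props_add(mc->compat_props, compat, G_N_ELEMENTS(compat));
-+
-+ mc->default_cpu_type = POWERPC_CPU_TYPE_NAME("power8_v2.0");
-+ smc->update_dt_enabled = false;
-}
-
-DEFINE_SPAPR_MACHINE(3_1, "3.1", true);
-diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
-index 6279711fe8..63692a13bd 100644
---- a/include/hw/ppc/spapr.h
-+++ b/include/hw/ppc/spapr.h
-@@ -171,6 +171,8 @@ struct sPAPRMachineState {
-
-/*< public >*/
-char *kvm_type;
-+ char *host_model;
-+ char *host_serial;
-
-const char *icp_type;
-int32_t irq_map_nr;
---
-2.22.0.vfs.1.1.57.gbaf16c8
-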
diff --git a/meta/recipes-devtools/qemu/qemu_3.1.0.bb b/meta/recipes-devtools/qemu/qemu_3.1.1.1.bb index 04d8bee99f..04d8bee99f 100644 --- a/meta/recipes-devtools/qemu/qemu_3.1.0.bb +++ b/meta/recipes-devtools/qemu/qemu_3.1.1.1.bb | |||