From 99eee7abd019e27e97da8bf531f3d0fe3416bb3c Mon Sep 17 00:00:00 2001 From: wh02252983 Date: Mon, 15 Sep 2025 18:31:31 +0800 Subject: [PATCH] CWF/GNR: Add avx-vnni-int16 feature (CWF) & add one AVX10.1 bug fix (GNR) and fix csv2/csv3 migration issue To # N/A CWF/GNR: Add avx-vnni-int16 feature (CWF) & add one AVX10.1 bug fix (GNR) and fix csv2/csv3 migration issue Project: TC2024080204 
Signed-off-by: wh02252983 --- ...rget-i386-add-avx-vnni-int16-feature.patch | 37 +++ ...x10-version-filtered-when-prefix-is-.patch | 49 ++++ ...csv3-migration-issue-at-the-time-of-.patch | 30 +++ ...n-t-open-data-file-with-bdrv-o-no-io.patch | 111 ++++++++ ...t-store-data-file-with-protocol-in-i.patch | 54 ++++ ...t-store-data-file-with-json-prefix-i.patch | 56 ++++ ...names-only-when-explicitly-requested.patch | 254 ++++++++++++++++++ ...-ohci-fix-1510-303-pid-not-in-or-out.patch | 125 +++++++++ ...vm-c-fix-the-hart-bit-setting-of-aia.patch | 54 ++++ ...-c-remove-group-setting-of-kvm-aia-i.patch | 68 +++++ ...kvm-fix-the-group-bit-setting-of-aia.patch | 44 +++ qemu.spec | 20 +- 12 files changed, 901 insertions(+), 1 deletion(-) create mode 100644 0487-target-i386-add-avx-vnni-int16-feature.patch create mode 100644 0488-i386-cpu-mark-avx10-version-filtered-when-prefix-is-.patch create mode 100644 0489-bugfix-fix-csv2-csv3-migration-issue-at-the-time-of-.patch create mode 100644 0490-qcow2-don-t-open-data-file-with-bdrv-o-no-io.patch create mode 100644 0491-iotests-244-don-t-store-data-file-with-protocol-in-i.patch create mode 100644 0492-iotests-270-don-t-store-data-file-with-json-prefix-i.patch create mode 100644 0493-block-parse-filenames-only-when-explicitly-requested.patch create mode 100644 0494-hw-usb-hcd-ohci-fix-1510-303-pid-not-in-or-out.patch create mode 100644 0495-target-riscv-kvm-c-fix-the-hart-bit-setting-of-aia.patch create mode 100644 0496-target-riscv-kvm-c-remove-group-setting-of-kvm-aia-i.patch create mode 100644 0497-target-riscv-kvm-fix-the-group-bit-setting-of-aia.patch diff --git a/0487-target-i386-add-avx-vnni-int16-feature.patch b/0487-target-i386-add-avx-vnni-int16-feature.patch new file mode 100644 index 0000000..c71556e --- /dev/null +++ b/0487-target-i386-add-avx-vnni-int16-feature.patch 
@@ -0,0 +1,37 @@ +From 46629336d9f5b974d7bb68f2efe90e9cd3c559ce Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 3 Jul 2024 13:42:49 +0200 +Subject: [PATCH] target/i386: add avx-vnni-int16 feature + +commit 138c3377a9b27accec516b2c0da90dedef98a780 upstream. + +AVX-VNNI-INT16 (CPUID[EAX=7,ECX=1).EDX[10]) is supported by Clearwater +Forest processor, add it to QEMU as it does not need any specific +enablement. + +Intel-SIG: commit 138c3377a9b2 target/i386: add avx-vnni-int16 feature. +CWF ISA AVX_VNNI_INT16 backporting + +Signed-off-by: Paolo Bonzini +[ Quanxian Wang: amend commit log ] +Signed-off-by: Quanxian Wang +--- + target/i386/cpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index fd6ff026a6..bc80732bb9 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -987,7 +987,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + .feat_names = { + NULL, NULL, NULL, NULL, + "avx-vnni-int8", "avx-ne-convert", NULL, NULL, +- "amx-complex", NULL, NULL, NULL, ++ "amx-complex", NULL, "avx-vnni-int16", NULL, + NULL, NULL, "prefetchiti", NULL, + NULL, NULL, NULL, "avx10", + NULL, NULL, NULL, NULL, +-- +2.39.3 + diff --git a/0488-i386-cpu-mark-avx10-version-filtered-when-prefix-is-.patch b/0488-i386-cpu-mark-avx10-version-filtered-when-prefix-is-.patch new file mode 100644 index 0000000..4fcdea4 --- /dev/null +++ b/0488-i386-cpu-mark-avx10-version-filtered-when-prefix-is-.patch 
@@ -0,0 +1,49 @@ +From c077aa720a73bec8a4630bc69b578a24bb51a3bc Mon Sep 17 00:00:00 2001 +From: Zhao Liu +Date: Wed, 6 Nov 2024 11:07:18 +0800 +Subject: [PATCH] i386/cpu: Mark avx10_version filtered when prefix is NULL + +commit cf4c263551886964c5d58bd7b675b13fd497b402 upstream. + +In x86_cpu_filter_features(), if host doesn't support AVX10, the +configured avx10_version should be marked as filtered regardless of +whether prefix is NULL or not. + +Check prefix before warn_report() instead of checking for +have_filtered_features. + +Intel-SIG: commit cf4c26355188 i386/cpu: Mark avx10_version filtered when prefix is NULL. +GNR AVX10.1 backporting + +Cc: qemu-stable@nongnu.org +Fixes: commit bccfb846fd52 ("target/i386: add AVX10 feature and AVX10 version property") +Signed-off-by: Zhao Liu +Reviewed-by: Tao Su +Link: https://lore.kernel.org/r/20241106030728.553238-2-zhao1.liu@intel.com +Signed-off-by: Paolo Bonzini +[ Quanxian Wang: amend commit log ] +Signed-off-by: Quanxian Wang +--- + target/i386/cpu.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index bc80732bb9..4941f9687c 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -7792,8 +7792,10 @@ static bool x86_cpu_filter_features(X86CPU *cpu, bool verbose) + env->avx10_version = version; + have_filtered_features = true; + } +- } else if (env->avx10_version && prefix) { +- warn_report("%s: avx10.%d.", prefix, env->avx10_version); ++ } else if (env->avx10_version) { ++ if (prefix) { ++ warn_report("%s: avx10.%d.", prefix, env->avx10_version); ++ } + have_filtered_features = true; + } + +-- +2.39.3 + diff --git a/0489-bugfix-fix-csv2-csv3-migration-issue-at-the-time-of-.patch b/0489-bugfix-fix-csv2-csv3-migration-issue-at-the-time-of-.patch new file mode 100644 index 0000000..b475209 --- /dev/null +++ b/0489-bugfix-fix-csv2-csv3-migration-issue-at-the-time-of-.patch 
@@ -0,0 +1,30 @@ +From c6a9cc00009f04e02bcf2b9c13f8b75c9c389ef0 Mon Sep 17 00:00:00 2001 +From: leo-ee +Date: Wed, 27 Aug 2025 18:16:45 +0800 +Subject: [PATCH] [bugfix] fix csv2/csv3 migration issue at the time of + csv2/csv3 migration, csv2/csv3 vm's run state is runstate_inmigration. + + csv2/csv3 is not resettable, so the code will take else branch, + However, vm's run state is inmigration, the code will assert here. + + Therefore, runstate_check(RUN_STATE_INMIGRATE) must be added inside the assert. +--- + system/runstate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/system/runstate.c b/system/runstate.c +index cbdac6597a..1e758909b6 100644 +--- a/system/runstate.c ++++ b/system/runstate.c +@@ -518,7 +518,7 @@ void qemu_system_reset(ShutdownCause reason) + if (cpus_are_resettable()) { + cpu_synchronize_all_post_reset(); + } else { +- assert(runstate_check(RUN_STATE_PRELAUNCH)); ++ assert(runstate_check(RUN_STATE_PRELAUNCH) || runstate_check(RUN_STATE_INMIGRATE)); + } + + vm_set_suspended(false); +-- +2.39.3 + diff --git a/0490-qcow2-don-t-open-data-file-with-bdrv-o-no-io.patch b/0490-qcow2-don-t-open-data-file-with-bdrv-o-no-io.patch new file mode 100644 index 0000000..d29df47 --- /dev/null +++ b/0490-qcow2-don-t-open-data-file-with-bdrv-o-no-io.patch 
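Review bot: The widened assert in qemu_system_reset() now accepts RUN_STATE_INMIGRATE for every configuration where cpus_are_resettable() is false, not only CSV2/CSV3 guests, and neither the code nor the commit log says why skipping cpu_synchronize_all_post_reset() during an incoming migration is safe; a comment above the assert should record that, e.g. `/* Non-resettable guests (CSV2/CSV3) can be reset while still in RUN_STATE_INMIGRATE. */`. The new assert line also runs well past QEMU's 80-column checkpatch limit; split it as `assert(runstate_check(RUN_STATE_PRELAUNCH) ||` / `       runstate_check(RUN_STATE_INMIGRATE));`. Unlike the other patches in this series, this one carries no upstream commit reference and no Signed-off-by trailer, which will make it hard to track on the next rebase. qemu_system_reset() continues outside the hunk.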
@@ -0,0 +1,111 @@ +From 9c2a577fc6bdcdbc40d83b5bbe736f49e9b525bd Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Thu, 11 Apr 2024 15:06:01 +0200 +Subject: [PATCH] qcow2: Don't open data_file with BDRV_O_NO_IO + +commit bd385a5298d7062668e804d73944d52aec9549f1 upstream. + +One use case for 'qemu-img info' is verifying that untrusted images +don't reference an unwanted external file, be it as a backing file or an +external data file. To make sure that calling 'qemu-img info' can't +already have undesired side effects with a malicious image, just don't +open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do +I/O, we don't need to have it open. + +This changes the output of iotests case 061, which used 'qemu-img info' +to show that opening an image with an invalid data file fails. After +this patch, it succeeds. Replace this part of the test with a qemu-io +call, but keep the final 'qemu-img info' to show that the invalid data +file is correctly displayed in the output. + +Fixes: CVE-2024-4467 +Cc: qemu-stable@nongnu.org +Signed-off-by: Kevin Wolf +Reviewed-by: Eric Blake +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Hanna Czenczek +Signed-off-by: Bin Guo +--- + block/qcow2.c | 17 ++++++++++++++++- + tests/qemu-iotests/061 | 6 ++++-- + tests/qemu-iotests/061.out | 8 ++++++-- + 3 files changed, 26 insertions(+), 5 deletions(-) + +diff --git a/block/qcow2.c b/block/qcow2.c +index 13e032bd5e..7af7c0bee4 100644 +--- a/block/qcow2.c ++++ b/block/qcow2.c +@@ -1636,7 +1636,22 @@ qcow2_do_open(BlockDriverState *bs, QDict *options, int flags, + goto fail; + } + +- if (open_data_file) { ++ if (open_data_file && (flags & BDRV_O_NO_IO)) { ++ /* ++ * Don't open the data file for 'qemu-img info' so that it can be used ++ * to verify that an untrusted qcow2 image doesn't refer to external ++ * files. ++ * ++ * Note: This still makes has_data_file() return true. 
++ */ ++ if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) { ++ s->data_file = NULL; ++ } else { ++ s->data_file = bs->file; ++ } ++ qdict_extract_subqdict(options, NULL, "data-file."); ++ qdict_del(options, "data-file"); ++ } else if (open_data_file) { + /* Open external data file */ + bdrv_graph_co_rdunlock(); + s->data_file = bdrv_co_open_child(NULL, options, "data-file", bs, +diff --git a/tests/qemu-iotests/061 b/tests/qemu-iotests/061 +index 53c7d428e3..b71ac097d1 100755 +--- a/tests/qemu-iotests/061 ++++ b/tests/qemu-iotests/061 +@@ -326,12 +326,14 @@ $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG" + echo + _make_test_img -o "compat=1.1,data_file=$TEST_IMG.data" 64M + $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG" +-_img_info --format-specific ++$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt ++$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io + TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts + + echo + $QEMU_IMG amend -o "data_file=" --image-opts "data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" +-_img_info --format-specific ++$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt ++$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io + TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts + + echo +diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out +index 139fc68177..24c33add7c 100644 +--- a/tests/qemu-iotests/061.out ++++ b/tests/qemu-iotests/061.out +@@ -545,7 +545,9 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 + qemu-img: data-file can only be set for images that use an external data file + + Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 data_file=TEST_DIR/t.IMGFMT.data +-qemu-img: Could not open 
'TEST_DIR/t.IMGFMT': Could not open 'foo': No such file or directory ++qemu-io: can't open device TEST_DIR/t.IMGFMT: Could not open 'foo': No such file or directory ++read 4096/4096 bytes at offset 0 ++4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + image: TEST_DIR/t.IMGFMT + file format: IMGFMT + virtual size: 64 MiB (67108864 bytes) +@@ -560,7 +562,9 @@ Format specific information: + corrupt: false + extended l2: false + +-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'data-file' is required for this image ++qemu-io: can't open device TEST_DIR/t.IMGFMT: 'data-file' is required for this image ++read 4096/4096 bytes at offset 0 ++4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + image: TEST_DIR/t.IMGFMT + file format: IMGFMT + virtual size: 64 MiB (67108864 bytes) +-- +2.39.3 + diff --git a/0491-iotests-244-don-t-store-data-file-with-protocol-in-i.patch b/0491-iotests-244-don-t-store-data-file-with-protocol-in-i.patch new file mode 100644 index 0000000..6bce70a --- /dev/null +++ b/0491-iotests-244-don-t-store-data-file-with-protocol-in-i.patch 
@@ -0,0 +1,54 @@ +From 1b5bd451249e8fb71f38c14da32f1b9257a23471 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Thu, 25 Apr 2024 14:49:40 +0200 +Subject: [PATCH] iotests/244: Don't store data-file with protocol in image + +commit 2eb42a728d27a43fdcad5f37d3f65706ce6deba5 upstream. + +We want to disable filename parsing for data files because it's too easy +to abuse in malicious image files. Make the test ready for the change by +passing the data file explicitly in command line options. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Kevin Wolf +Reviewed-by: Eric Blake +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Hanna Czenczek +Signed-off-by: Bin Guo +--- + tests/qemu-iotests/244 | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/tests/qemu-iotests/244 b/tests/qemu-iotests/244 +index 3e61fa25bb..bb9cc6512f 100755 +--- a/tests/qemu-iotests/244 ++++ b/tests/qemu-iotests/244 +@@ -215,9 +215,22 @@ $QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG" + $QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG" + + # blkdebug doesn't support copy offloading, so this tests the error path +-$QEMU_IMG amend -f $IMGFMT -o "data_file=blkdebug::$TEST_IMG.data" "$TEST_IMG" +-$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG" +-$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG" ++test_img_with_blkdebug="json:{ ++ 'driver': 'qcow2', ++ 'file': { ++ 'driver': 'file', ++ 'filename': '$TEST_IMG' ++ }, ++ 'data-file': { ++ 'driver': 'blkdebug', ++ 'image': { ++ 'driver': 'file', ++ 'filename': '$TEST_IMG.data' ++ } ++ } ++}" ++$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$test_img_with_blkdebug" ++$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$test_img_with_blkdebug" + + echo + echo "=== Flushing should flush the data file ===" +-- +2.39.3 + 
diff --git a/0492-iotests-270-don-t-store-data-file-with-json-prefix-i.patch b/0492-iotests-270-don-t-store-data-file-with-json-prefix-i.patch new file mode 100644 index 0000000..4e5f15a --- /dev/null +++ b/0492-iotests-270-don-t-store-data-file-with-json-prefix-i.patch 
@@ -0,0 +1,56 @@ +From db4d75021b0f532a1f239adfee8a0b8412158738 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Thu, 25 Apr 2024 14:49:40 +0200 +Subject: [PATCH] iotests/270: Don't store data-file with json: prefix in image + +commit 7e1110664ecbc4826f3c978ccb06b6c1bce823e6 upstream. + +We want to disable filename parsing for data files because it's too easy +to abuse in malicious image files. Make the test ready for the change by +passing the data file explicitly in command line options. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Kevin Wolf +Reviewed-by: Eric Blake +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Hanna Czenczek +Signed-off-by: Bin Guo +--- + tests/qemu-iotests/270 | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/tests/qemu-iotests/270 b/tests/qemu-iotests/270 +index 74352342db..c37b674aa2 100755 +--- a/tests/qemu-iotests/270 ++++ b/tests/qemu-iotests/270 +@@ -60,8 +60,16 @@ _make_test_img -o cluster_size=2M,data_file="$TEST_IMG.orig" \ + # "write" 2G of data without using any space. + # (qemu-img create does not like it, though, because null-co does not + # support image creation.) +-$QEMU_IMG amend -o data_file="json:{'driver':'null-co',,'size':'4294967296'}" \ +- "$TEST_IMG" ++test_img_with_null_data="json:{ ++ 'driver': '$IMGFMT', ++ 'file': { ++ 'filename': '$TEST_IMG' ++ }, ++ 'data-file': { ++ 'driver': 'null-co', ++ 'size':'4294967296' ++ } ++}" + + # This gives us a range of: + # 2^31 - 512 + 768 - 1 = 2^31 + 255 > 2^31 +@@ -74,7 +82,7 @@ $QEMU_IMG amend -o data_file="json:{'driver':'null-co',,'size':'4294967296'}" \ + # on L2 boundaries, we need large L2 tables; hence the cluster size of + # 2 MB. (Anything from 256 kB should work, though, because then one L2 + # table covers 8 GB.) +-$QEMU_IO -c "write 768 $((2 ** 31 - 512))" "$TEST_IMG" | _filter_qemu_io ++$QEMU_IO -c "write 768 $((2 ** 31 - 512))" "$test_img_with_null_data" | _filter_qemu_io + + _check_test_img + +-- +2.39.3 + 
diff --git a/0493-block-parse-filenames-only-when-explicitly-requested.patch b/0493-block-parse-filenames-only-when-explicitly-requested.patch new file mode 100644 index 0000000..1570ab2 --- /dev/null +++ b/0493-block-parse-filenames-only-when-explicitly-requested.patch 
@@ -0,0 +1,254 @@ +From 1ed7fb3ae24ec7e69a66673ceea610d66ab868e1 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Thu, 25 Apr 2024 14:56:02 +0200 +Subject: [PATCH] block: Parse filenames only when explicitly requested + +commit 7ead946998610657d38d1a505d5f25300d4ca613 upstream. + +When handling image filenames from legacy options such as -drive or from +tools, these filenames are parsed for protocol prefixes, including for +the json:{} pseudo-protocol. + +This behaviour is intended for filenames that come directly from the +command line and for backing files, which may come from the image file +itself. Higher level management tools generally take care to verify that +untrusted images don't contain a bad (or any) backing file reference; +'qemu-img info' is a suitable tool for this. + +However, for other files that can be referenced in images, such as +qcow2 data files or VMDK extents, the string from the image file is +usually not verified by management tools - and 'qemu-img info' wouldn't +be suitable because in contrast to backing files, it already opens these +other referenced files. So here the string should be interpreted as a +literal local filename. More complex configurations need to be specified +explicitly on the command line or in QMP. + +This patch changes bdrv_open_inherit() so that it only parses filenames +if a new parameter parse_filename is true. It is set for the top level +in bdrv_open(), for the file child and for the backing file child. All +other callers pass false and disable filename parsing this way. 
+ +Cc: qemu-stable@nongnu.org +Signed-off-by: Kevin Wolf +Reviewed-by: Eric Blake +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Hanna Czenczek +[fix conflicts: AioContext locking] +Signed-off-by: Bin Guo +--- + block.c | 98 +++++++++++++++++++++++++++++++++++---------------------- + 1 file changed, 61 insertions(+), 37 deletions(-) + +diff --git a/block.c b/block.c +index bfb0861ec6..f89bc98e0e 100644 +--- a/block.c ++++ b/block.c +@@ -86,6 +86,7 @@ static BlockDriverState *bdrv_open_inherit(const char *filename, + BlockDriverState *parent, + const BdrvChildClass *child_class, + BdrvChildRole child_role, ++ bool parse_filename, + Error **errp); + + static bool bdrv_recurse_has_child(BlockDriverState *bs, +@@ -2047,7 +2048,8 @@ static void parse_json_protocol(QDict *options, const char **pfilename, + * block driver has been specified explicitly. + */ + static int bdrv_fill_options(QDict **options, const char *filename, +- int *flags, Error **errp) ++ int *flags, bool allow_parse_filename, ++ Error **errp) + { + const char *drvname; + bool protocol = *flags & BDRV_O_PROTOCOL; +@@ -2089,7 +2091,7 @@ static int bdrv_fill_options(QDict **options, const char *filename, + if (protocol && filename) { + if (!qdict_haskey(*options, "filename")) { + qdict_put_str(*options, "filename", filename); +- parse_filename = true; ++ parse_filename = allow_parse_filename; + } else { + error_setg(errp, "Can't specify 'file' and 'filename' options at " + "the same time"); +@@ -3675,7 +3677,8 @@ int bdrv_open_backing_file(BlockDriverState *bs, QDict *parent_options, + } + + backing_hd = bdrv_open_inherit(backing_filename, reference, options, 0, bs, +- &child_of_bds, bdrv_backing_role(bs), errp); ++ &child_of_bds, bdrv_backing_role(bs), true, ++ errp); + if (!backing_hd) { + bs->open_flags |= BDRV_O_NO_BACKING; + error_prepend(errp, "Could not open backing file: "); +@@ -3712,7 +3715,8 @@ free_exit: + static BlockDriverState * + bdrv_open_child_bs(const char *filename, QDict *options, const 
char *bdref_key, + BlockDriverState *parent, const BdrvChildClass *child_class, +- BdrvChildRole child_role, bool allow_none, Error **errp) ++ BdrvChildRole child_role, bool allow_none, ++ bool parse_filename, Error **errp) + { + BlockDriverState *bs = NULL; + QDict *image_options; +@@ -3743,7 +3747,8 @@ bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key, + } + + bs = bdrv_open_inherit(filename, reference, image_options, 0, +- parent, child_class, child_role, errp); ++ parent, child_class, child_role, parse_filename, ++ errp); + if (!bs) { + goto done; + } +@@ -3753,6 +3758,37 @@ done: + return bs; + } + ++static BdrvChild *bdrv_open_child_common(const char *filename, ++ QDict *options, const char *bdref_key, ++ BlockDriverState *parent, ++ const BdrvChildClass *child_class, ++ BdrvChildRole child_role, ++ bool allow_none, bool parse_filename, ++ Error **errp) ++{ ++ BlockDriverState *bs; ++ BdrvChild *child; ++ AioContext *ctx; ++ ++ GLOBAL_STATE_CODE(); ++ ++ bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_class, ++ child_role, allow_none, parse_filename, errp); ++ if (bs == NULL) { ++ return NULL; ++ } ++ ++ bdrv_graph_wrlock(NULL); ++ ctx = bdrv_get_aio_context(bs); ++ aio_context_acquire(ctx); ++ child = bdrv_attach_child(parent, bs, bdref_key, child_class, child_role, ++ errp); ++ aio_context_release(ctx); ++ bdrv_graph_wrunlock(NULL); ++ ++ return child; ++} ++ + /* + * Opens a disk image whose options are given as BlockdevRef in another block + * device's options. 
+@@ -3778,31 +3814,15 @@ BdrvChild *bdrv_open_child(const char *filename, + BdrvChildRole child_role, + bool allow_none, Error **errp) + { +- BlockDriverState *bs; +- BdrvChild *child; +- AioContext *ctx; +- +- GLOBAL_STATE_CODE(); +- +- bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_class, +- child_role, allow_none, errp); +- if (bs == NULL) { +- return NULL; +- } +- +- bdrv_graph_wrlock(NULL); +- ctx = bdrv_get_aio_context(bs); +- aio_context_acquire(ctx); +- child = bdrv_attach_child(parent, bs, bdref_key, child_class, child_role, +- errp); +- aio_context_release(ctx); +- bdrv_graph_wrunlock(NULL); +- +- return child; ++ return bdrv_open_child_common(filename, options, bdref_key, parent, ++ child_class, child_role, allow_none, false, ++ errp); + } + + /* +- * Wrapper on bdrv_open_child() for most popular case: open primary child of bs. ++ * This does mostly the same as bdrv_open_child(), but for opening the primary ++ * child of a node. A notable difference from bdrv_open_child() is that it ++ * enables filename parsing for protocol names (including json:). + * + * The caller must hold the lock of the main AioContext and no other AioContext. + * @parent can move to a different AioContext in this function. Callers must +@@ -3819,8 +3839,8 @@ int bdrv_open_file_child(const char *filename, + role = parent->drv->is_filter ? 
+ (BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY) : BDRV_CHILD_IMAGE; + +- if (!bdrv_open_child(filename, options, bdref_key, parent, +- &child_of_bds, role, false, errp)) ++ if (!bdrv_open_child_common(filename, options, bdref_key, parent, ++ &child_of_bds, role, false, true, errp)) + { + return -EINVAL; + } +@@ -3865,7 +3885,8 @@ BlockDriverState *bdrv_open_blockdev_ref(BlockdevRef *ref, Error **errp) + + } + +- bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, errp); ++ bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, false, ++ errp); + obj = NULL; + qobject_unref(obj); + visit_free(v); +@@ -3962,7 +3983,7 @@ static BlockDriverState * no_coroutine_fn + bdrv_open_inherit(const char *filename, const char *reference, QDict *options, + int flags, BlockDriverState *parent, + const BdrvChildClass *child_class, BdrvChildRole child_role, +- Error **errp) ++ bool parse_filename, Error **errp) + { + int ret; + BlockBackend *file = NULL; +@@ -4011,9 +4032,11 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options, + } + + /* json: syntax counts as explicit options, as if in the QDict */ +- parse_json_protocol(options, &filename, &local_err); +- if (local_err) { +- goto fail; ++ if (parse_filename) { ++ parse_json_protocol(options, &filename, &local_err); ++ if (local_err) { ++ goto fail; ++ } + } + + bs->explicit_options = qdict_clone_shallow(options); +@@ -4038,7 +4061,8 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options, + parent->open_flags, parent->options); + } + +- ret = bdrv_fill_options(&options, filename, &flags, &local_err); ++ ret = bdrv_fill_options(&options, filename, &flags, parse_filename, ++ &local_err); + if (ret < 0) { + goto fail; + } +@@ -4107,7 +4131,7 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options, + + file_bs = bdrv_open_child_bs(filename, options, "file", bs, + &child_of_bds, BDRV_CHILD_IMAGE, +- true, &local_err); ++ true, true, 
&local_err); + if (local_err) { + goto fail; + } +@@ -4270,7 +4294,7 @@ BlockDriverState *bdrv_open(const char *filename, const char *reference, + GLOBAL_STATE_CODE(); + + return bdrv_open_inherit(filename, reference, options, flags, NULL, +- NULL, 0, errp); ++ NULL, 0, true, errp); + } + + /* Return true if the NULL-terminated @list contains @str */ +-- +2.39.3 + diff --git a/0494-hw-usb-hcd-ohci-fix-1510-303-pid-not-in-or-out.patch b/0494-hw-usb-hcd-ohci-fix-1510-303-pid-not-in-or-out.patch new file mode 100644 index 0000000..40ee96a --- /dev/null +++ b/0494-hw-usb-hcd-ohci-fix-1510-303-pid-not-in-or-out.patch 
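Review bot: The header comment of bdrv_open_child() (it starts above the 3778 hunk with "Opens a disk image whose options are given as BlockdevRef") is not updated even though the function now always passes parse_filename=false, while the bdrv_open_file_child() comment in the same hunk is; add a sentence such as ` * @filename is taken literally: protocol prefixes and json: are not parsed. Use bdrv_open_file_child() for the primary child.` The new static helper bdrv_open_child_common() likewise has no comment explaining its parse_filename parameter; a one-line note that it is the shared body of bdrv_open_child() and bdrv_open_file_child(), differing only in whether @filename is parsed, would suffice. The "[fix conflicts: AioContext locking]" remark in the commit log suggests the aio_context_acquire()/release() pair in the helper is backport-specific, so that comment is also the right place to say so for whoever rebases this later.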
@@ -0,0 +1,125 @@ +From 3c9c453a44410bdd46d840183f2e7b7e7fbd0935 Mon Sep 17 00:00:00 2001 +From: David Hubbard +Date: Wed, 8 May 2024 19:29:16 -0500 +Subject: [PATCH] hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or OUT + +commit 3c3c233677d4f2fe5f35c5d6d6e9b53df48054f4 upstream. + +This changes the ohci validation to not assert if invalid data is fed to the +ohci controller. The poc in https://bugs.launchpad.net/qemu/+bug/1907042 and +migrated to bug #303 does the following to feed it a SETUP pid (valid) +at an EndPt of 1 (invalid - all SETUP pids must be addressed to EndPt 0): + + uint32_t MaxPacket = 64; + uint32_t TDFormat = 0; + uint32_t Skip = 0; + uint32_t Speed = 0; + uint32_t Direction = 0; /* #define OHCI_TD_DIR_SETUP 0 */ + uint32_t EndPt = 1; + uint32_t FuncAddress = 0; + ed->attr = (MaxPacket << 16) | (TDFormat << 15) | (Skip << 14) + | (Speed << 13) | (Direction << 11) | (EndPt << 7) + | FuncAddress; + ed->tailp = /*TDQTailPntr= */ 0; + ed->headp = ((/*TDQHeadPntr= */ &td[0]) & 0xfffffff0) + | (/* ToggleCarry= */ 0 << 1); + ed->next_ed = (/* NextED= */ 0 & 0xfffffff0) + +qemu-fuzz also caught the same issue in #1510. They are both fixed by this +patch. + +With a tiny OS[1] that boots and executes the poc the repro shows the issue: + +* OS that sends USB requests to a USB mass storage device + but sends a SETUP with EndPt = 1 +* qemu 6.2.0 (Debian 1:6.2+dfsg-2ubuntu6.19) +* qemu HEAD (4e66a0854) +* Actual OHCI controller (hardware) + +Command line: +qemu-system-x86_64 -m 20 \ + -device pci-ohci,id=ohci \ + -drive if=none,format=raw,id=d,file=testmbr.raw \ + -device usb-storage,bus=ohci.0,drive=d \ + --trace "usb_*" --trace "ohci_*" -D qemu.log + +Results are: + + qemu 6.2.0 | qemu HEAD | actual HW +------------+-----------+---------------- + assertion | assertion | sets stall bit + +The assertion message is: + +> qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed. 
+> Aborted (core dumped) + +Tip: if the flags "-serial pty -serial stdio" are added to the command line +the poc outputs its USB requests like this: + +> Free mem 2M ohci port0 conn FS +> setup { 80 6 0 1 0 0 8 0 } +> ED info=80000 { mps=8 en=0 d=0 } tail=c20920 +> td0 c20880 nxt=c20960 f2000000 setup cbp=c20900 be=c20907 cbp=0 be=c20907 +> td1 c20960 nxt=c20980 f3140000 in cbp=c20908 be=c2090f cbp=0 be=c2090f +> td2 c20980 nxt=c20920 f3080000 out cbp=0 be=0 cbp=0 be=0 +> rx { 12 1 0 2 0 0 0 8 } +> setup { 0 5 1 0 0 0 0 0 } tx {} +> ED info=80000 { mps=8 en=0 d=0 } tail=c20880 +> td0 c20920 nxt=c20960 f2000000 setup cbp=c20900 be=c20907 cbp=0 be=c20907 +> td1 c20960 nxt=c20880 f3100000 in cbp=0 be=0 cbp=0 be=0 +> setup { 80 6 0 1 0 0 12 0 } +> ED info=80081 { mps=8 en=0 d=1 } tail=c20960 +> td0 c20880 nxt=c209c0 f2000000 setup cbp=c20920 be=c20927 +> td1 c209c0 nxt=c209e0 f3140000 in cbp=c20928 be=c20939 +> td2 c209e0 nxt=c20960 f3080000 out cbp=0 be=0qemu-system-x86_64: ../../hw/usb/core.c:744: usb_ep_get: Assertion `pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT' failed. 
+> Aborted (core dumped) + +[1] The OS disk image has been emailed to philmd@linaro.org, mjt@tls.msk.ru, +and kraxel@redhat.com: + +* testBadSetup.img.xz +* sha256: 045b43f4396de02b149518358bf8025d5ba11091e86458875339fc649e6e5ac6 + +Signed-off-by: David Hubbard +Reviewed-by: Peter Maydell +[PMM: authorship and signed-off-by tag names fixed up as + per on-list agreement] +Signed-off-by: Peter Maydell +Signed-off-by: Bin Guo +--- + hw/usb/hcd-ohci.c | 5 +++++ + hw/usb/trace-events | 1 + + 2 files changed, 6 insertions(+) + +diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c +index 7ff1b65ced..0bd45895b3 100644 +--- a/hw/usb/hcd-ohci.c ++++ b/hw/usb/hcd-ohci.c +@@ -927,6 +927,11 @@ static int ohci_service_td(OHCIState *ohci, struct ohci_ed *ed) + case OHCI_TD_DIR_SETUP: + str = "setup"; + pid = USB_TOKEN_SETUP; ++ if (OHCI_BM(ed->flags, ED_EN) > 0) { /* setup only allowed to ep 0 */ ++ trace_usb_ohci_td_bad_pid(str, ed->flags, td.flags); ++ ohci_die(ohci); ++ return 1; ++ } + break; + default: + trace_usb_ohci_td_bad_direction(dir); +diff --git a/hw/usb/trace-events b/hw/usb/trace-events +index ed7dc210d3..fd7b90d70c 100644 +--- a/hw/usb/trace-events ++++ b/hw/usb/trace-events +@@ -28,6 +28,7 @@ usb_ohci_iso_td_data_overrun(int ret, ssize_t len) "DataOverrun %d > %zu" + usb_ohci_iso_td_data_underrun(int ret) "DataUnderrun %d" + usb_ohci_iso_td_nak(int ret) "got NAK/STALL %d" + usb_ohci_iso_td_bad_response(int ret) "Bad device response %d" ++usb_ohci_td_bad_pid(const char *s, uint32_t edf, uint32_t tdf) "Bad pid %s: ed.flags 0x%x td.flags 0x%x" + usb_ohci_port_attach(int index) "port #%d" + usb_ohci_port_detach(int index) "port #%d" + usb_ohci_port_wakeup(int index) "port #%d" +-- +2.39.3 + diff --git a/0495-target-riscv-kvm-c-fix-the-hart-bit-setting-of-aia.patch b/0495-target-riscv-kvm-c-fix-the-hart-bit-setting-of-aia.patch new file mode 100644 index 0000000..c4b9870 --- /dev/null +++ b/0495-target-riscv-kvm-c-fix-the-hart-bit-setting-of-aia.patch 
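Review bot: The new check in ohci_service_td() answers a SETUP token addressed to a non-zero endpoint with ohci_die(), which halts the whole host controller, whereas the commit log's comparison table says real hardware only sets the stall bit; the divergence is deliberate (it keeps guest-controlled data from reaching the usb_ep_get() assertion), but nothing at the call site says so. Extend the trailing comment to something like `/* SETUP is only valid for EP 0; a malformed ED is treated as a fatal HC error rather than a STALL, unlike real hardware */`. Because the condition is fully under guest control, the result is a guest-initiated controller halt instead of a QEMU abort, which is the intended outcome for the fuzzer reports #1510 and #303. ohci_service_td() continues outside the hunk.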
@@ -0,0 +1,54 @@ +From a91115bde06beea0d5eafa7e5cc0426b8f77a1ad Mon Sep 17 00:00:00 2001 +From: Yong-Xuan Wang +Date: Wed, 15 May 2024 17:11:28 +0800 +Subject: [PATCH] target/riscv/kvm.c: Fix the hart bit setting of AIA + +In AIA spec, each hart (or each hart within a group) has a unique hart +number to locate the memory pages of interrupt files in the address +space. The number of bits required to represent any hart number is equal +to ceil(log2(hmax + 1)), where hmax is the largest hart number among +groups. + +However, if the largest hart number among groups is a power of 2, QEMU +will pass an inaccurate hart-index-bit setting to Linux. For example, when +the guest OS has 4 harts, only ceil(log2(3 + 1)) = 2 bits are sufficient +to represent 4 harts, but we passes 3 to Linux. The code needs to be +updated to ensure accurate hart-index-bit settings. + +Additionally, a Linux patch[1] is necessary to correctly recover the hart +index when the guest OS has only 1 hart, where the hart-index-bit is 0. 
+ +[1] https://lore.kernel.org/lkml/20240415064905.25184-1-yongxuan.wang@sifive.com/t/ + +Signed-off-by: Yong-Xuan Wang +Reviewed-by: Andrew Jones +Cc: qemu-stable +Message-ID: <20240515091129.28116-1-yongxuan.wang@sifive.com> +Signed-off-by: Alistair Francis +--- + target/riscv/kvm/kvm-cpu.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c +index 117e33cf90..79e01db080 100644 +--- a/target/riscv/kvm/kvm-cpu.c ++++ b/target/riscv/kvm/kvm-cpu.c +@@ -1432,7 +1432,14 @@ void kvm_riscv_aia_create(MachineState *machine, uint64_t group_shift, + } + } + +- hart_bits = find_last_bit(&max_hart_per_socket, BITS_PER_LONG) + 1; ++ ++ if (max_hart_per_socket > 1) { ++ max_hart_per_socket--; ++ hart_bits = find_last_bit(&max_hart_per_socket, BITS_PER_LONG) + 1; ++ } else { ++ hart_bits = 0; ++ } ++ + ret = kvm_device_access(aia_fd, KVM_DEV_RISCV_AIA_GRP_CONFIG, + KVM_DEV_RISCV_AIA_CONFIG_HART_BITS, + &hart_bits, true, NULL); +-- +2.39.3 + diff --git a/0496-target-riscv-kvm-c-remove-group-setting-of-kvm-aia-i.patch b/0496-target-riscv-kvm-c-remove-group-setting-of-kvm-aia-i.patch new file mode 100644 index 0000000..3c9857f --- /dev/null +++ b/0496-target-riscv-kvm-c-remove-group-setting-of-kvm-aia-i.patch 
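Review bot: The new branch in kvm_riscv_aia_create() decrements max_hart_per_socket in place before calling find_last_bit(), so any later use of that variable in the function (its body continues past the hunk) now sees the largest hart index rather than the hart count; computing the width from a local copy avoids that, e.g. `unsigned long hmax = max_hart_per_socket - 1;` / `hart_bits = find_last_bit(&hmax, BITS_PER_LONG) + 1;`. A short comment on the formula would also help the next reader, such as `/* hart_bits = ceil(log2(hmax + 1)), hmax being the largest hart index; a single hart needs no bits */`. The hunk also appears to add a blank line before and after the new block, which the surrounding code does not do.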
@@ -0,0 +1,68 @@
+From d55fe416ba02d848212869ed51dbe138b283130b Mon Sep 17 00:00:00 2001
+From: Yong-Xuan Wang
+Date: Mon, 18 Dec 2023 09:05:41 +0000
+Subject: [PATCH] target/riscv/kvm.c: remove group setting of KVM AIA if the
+ machine only has 1 socket
+
+The emulated AIA within the Linux kernel restores the HART index
+of the IMSICs according to the configured AIA settings. During
+this process, the group setting is used only when the machine
+partitions harts into groups. It's unnecessary to set the group
+configuration if the machine has only one socket, as its address
+space might not contain the group shift.
+
+Signed-off-by: Yong-Xuan Wang
+Reviewed-by: Jim Shu
+Reviewed-by: Daniel Henrique Barboza
+Message-ID: <20231218090543.22353-2-yongxuan.wang@sifive.com>
+Signed-off-by: Alistair Francis
+---
+ target/riscv/kvm/kvm-cpu.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c
+index 79e01db080..00bd4fa9c3 100644
+--- a/target/riscv/kvm/kvm-cpu.c
++++ b/target/riscv/kvm/kvm-cpu.c
+@@ -1376,21 +1376,24 @@ void kvm_riscv_aia_create(MachineState *machine, uint64_t group_shift,
+ exit(1);
+ }
+
+- socket_bits = find_last_bit(&socket_count, BITS_PER_LONG) + 1;
+- ret = kvm_device_access(aia_fd, KVM_DEV_RISCV_AIA_GRP_CONFIG,
+- KVM_DEV_RISCV_AIA_CONFIG_GROUP_BITS,
+- &socket_bits, true, NULL);
+- if (ret < 0) {
+- error_report("KVM AIA: failed to set group_bits");
+- exit(1);
+- }
+
+- ret = kvm_device_access(aia_fd, KVM_DEV_RISCV_AIA_GRP_CONFIG,
+- KVM_DEV_RISCV_AIA_CONFIG_GROUP_SHIFT,
+- &group_shift, true, NULL);
+- if (ret < 0) {
+- error_report("KVM AIA: failed to set group_shift");
+- exit(1);
++ if (socket_count > 1) {
++ socket_bits = find_last_bit(&socket_count, BITS_PER_LONG) + 1;
++ ret = kvm_device_access(aia_fd, KVM_DEV_RISCV_AIA_GRP_CONFIG,
++ KVM_DEV_RISCV_AIA_CONFIG_GROUP_BITS,
++ &socket_bits, true, NULL);
++ if (ret < 0) {
++ error_report("KVM AIA: failed to set group_bits");
++ exit(1);
++ }
++
++ ret = kvm_device_access(aia_fd, KVM_DEV_RISCV_AIA_GRP_CONFIG,
++ KVM_DEV_RISCV_AIA_CONFIG_GROUP_SHIFT,
++ &group_shift, true, NULL);
++ if (ret < 0) {
++ error_report("KVM AIA: failed to set group_shift");
++ exit(1);
++ }
+ }
+
+ guest_bits = guest_num == 0 ? 0 :
+--
+2.39.3
+
diff --git a/0497-target-riscv-kvm-fix-the-group-bit-setting-of-aia.patch b/0497-target-riscv-kvm-fix-the-group-bit-setting-of-aia.patch
new file mode 100644
index 0000000..4d67fd4
--- /dev/null
+++ b/0497-target-riscv-kvm-fix-the-group-bit-setting-of-aia.patch
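Review bot: `socket_bits` is now assigned only inside the `if (socket_count > 1)` branch, and the declaration shown in the next patch (`uint64_t socket_bits, hart_bits, guest_bits;`) gives it no initializer, so on a single-socket machine it holds an indeterminate value for the rest of kvm_riscv_aia_create(), whose body runs past this hunk; if nothing after the branch reads it this is harmless, but that cannot be confirmed from the hunk. Initializing it at the declaration, `uint64_t socket_bits = 0, hart_bits, guest_bits;`, removes the question and costs nothing. The skipped group_bits/group_shift writes for the one-socket case are otherwise consistent with the message, since the group bits would be zero anyway.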
@@ -0,0 +1,44 @@
+From 1548543a969e9efb7a621cd0922d828b691f3925 Mon Sep 17 00:00:00 2001
+From: Andrew Jones
+Date: Wed, 21 Aug 2024 09:50:41 +0200
+Subject: [PATCH] target/riscv/kvm: Fix the group bit setting of AIA
+
+Just as the hart bit setting of the AIA should be calculated as
+ceil(log2(max_hart_id + 1)) the group bit setting should be
+calculated as ceil(log2(max_group_id + 1)). The hart bits are
+implemented by passing max_hart_id to find_last_bit() and adding
+one to the result. Do the same for the group bit setting.
+
+Signed-off-by: Andrew Jones
+Reviewed-by: Daniel Henrique Barboza
+Message-ID: <20240821075040.498945-2-ajones@ventanamicro.com>
+Signed-off-by: Alistair Francis
+---
+ target/riscv/kvm/kvm-cpu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/target/riscv/kvm/kvm-cpu.c b/target/riscv/kvm/kvm-cpu.c
+index 00bd4fa9c3..3d610beab6 100644
+--- a/target/riscv/kvm/kvm-cpu.c
++++ b/target/riscv/kvm/kvm-cpu.c
+@@ -1331,6 +1331,7 @@ void kvm_riscv_aia_create(MachineState *machine, uint64_t group_shift,
+ uint64_t max_hart_per_socket = 0;
+ uint64_t socket, base_hart, hart_count, socket_imsic_base, imsic_addr;
+ uint64_t socket_bits, hart_bits, guest_bits;
++ uint64_t max_group_id;
+
+ aia_fd = kvm_create_device(kvm_state, KVM_DEV_TYPE_RISCV_AIA, false);
+
+@@ -1378,7 +1379,8 @@ void kvm_riscv_aia_create(MachineState *machine, uint64_t group_shift,
+
+
+ if (socket_count > 1) {
+- socket_bits = find_last_bit(&socket_count, BITS_PER_LONG) + 1;
++ max_group_id = socket_count - 1;
++ socket_bits = find_last_bit(&max_group_id, BITS_PER_LONG) + 1;
+ ret = kvm_device_access(aia_fd, KVM_DEV_RISCV_AIA_GRP_CONFIG,
+ KVM_DEV_RISCV_AIA_CONFIG_GROUP_BITS,
+ &socket_bits, true, NULL);
+--
+2.39.3
+
diff --git a/qemu.spec b/qemu.spec
index c320ffe..1363326 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,4 +1,4 @@
-%define anolis_release 33
+%define anolis_release 34
 %bcond_with check
 %global all_system_emu_support 0
@@ -772,6 +772,17 @@ Patch0483: 0483-pcie-sriov-validate-numvfs.patch
 Patch0484: 0484-pcie-sriov-reset-sr-iov-extended-capability.patch
 Patch0485: 0485-pcie-sriov-do-not-reset-numvfs-after-disabling-vfs.patch
 Patch0486: 0486-hw-pci-always-call-pcie-sriov-pf-reset.patch
+Patch0487: 0487-target-i386-add-avx-vnni-int16-feature.patch
+Patch0488: 0488-i386-cpu-mark-avx10-version-filtered-when-prefix-is-.patch
+Patch0489: 0489-bugfix-fix-csv2-csv3-migration-issue-at-the-time-of-.patch
+Patch0490: 0490-qcow2-don-t-open-data-file-with-bdrv-o-no-io.patch
+Patch0491: 0491-iotests-244-don-t-store-data-file-with-protocol-in-i.patch
+Patch0492: 0492-iotests-270-don-t-store-data-file-with-json-prefix-i.patch
+Patch0493: 0493-block-parse-filenames-only-when-explicitly-requested.patch
+Patch0494: 0494-hw-usb-hcd-ohci-fix-1510-303-pid-not-in-or-out.patch
+Patch0495: 0495-target-riscv-kvm-c-fix-the-hart-bit-setting-of-aia.patch
+Patch0496: 0496-target-riscv-kvm-c-remove-group-setting-of-kvm-aia-i.patch
+Patch0497: 0497-target-riscv-kvm-fix-the-group-bit-setting-of-aia.patch
 
 ExclusiveArch: x86_64 aarch64 loongarch64 riscv64
 
@@ -2336,6 +2347,13 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 
 %changelog
+* Mon Sep 15 2025 wh02252983 - 2:8.2.0-34
+- block: Parse filenames only when explicitly requested
+- hw/usb/hcd-ohci: Fix #1510, #303: pid not IN or OUT
+- target/riscv/kvm.c: Fix the hart bit setting of AIA
+- target/riscv/kvm.c: remove group setting of KVM AIA if the machine only has 1 socket
+- target/riscv/kvm: Fix the group bit setting of AIA
+
 * Wed Aug 27 2025 wh02252983 - 2:8.2.0-33
 - Backporting: KVM: x86: Advertise AVX10.1
 - add patch to fix CVE-2024-26327 and CVE-2024-26328
--
Gitee
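Review bot: The 2:8.2.0-34 changelog entry records only five of the eleven patches this hunk registers: Patch0487 (avx-vnni-int16), Patch0488 (AVX10.1 version filtering) and Patch0489 (csv2/csv3 migration), which the commit title itself names, and the qcow2/iotests data-file patches 0490–0492 have no line, so `rpm -q --changelog` will not show that this build changed CPU-feature exposure, guest migration or qcow2 data-file handling. Add one `- <subject>` line per patch, e.g. `- target/i386: add avx-vnni-int16 feature` and `- qcow2: don't open data file with BDRV_O_NO_IO`, taking the remaining subjects from each patch's Subject header. The previous -33 entry records the CVE ids its backports address; if the block/qcow2 series 0490–0493 is a security backport, the corresponding advisory id belongs in this entry for the same reason.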