--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: qemu/1:7.2+dfsg-6
- From: Michael Tokarev <mjt@tls.msk.ru>
- Date: Sun, 30 Apr 2023 11:07:51 +0300
- Message-id: <168284207167.321145.5766667936143223917.reportbug@localhost>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-qemu-devel@lists.alioth.debian.org
Please unblock package qemu
This debian release has the following:
1. sync with upstream qemu stable/bugfix 7.2.1 release, by removing
all patches in debian/patches/master/ and replacing them all with
single debian/patches/v7.2.1.diff which is a diff between upstream
qemu 7.2.0 and 7.2.1 releases. This is a bulk of the changes in there.
See "Other info" section below for more information.
2. Includes upstream qemu stable/bugfix 7.2.2 release.
Upstream 7.2.2 needs its own comment. Historically, qemu stable
were managed up until next major release is out. Here, 7.2.2
was planned to be tagged the next day after 8.0.0 has been
released (8.0 release didn't follow its schedule because of the
amount of bugfixes needed there). So by the historical practice
7.2.2 should not be released. But I plan to change this practice,
by providing a bit more support for previous major release of
qemu, past the next major release date, and also plan to perform
at least one more 7.2 upstream stable/bugfix release. We're
discussing this on the qemu side. Either way, 7.2.2 is officially
tagged in the upstream qemu git tree:
https://gitlab.com/qemu-project/qemu/-/tags/v7.2.2
so it's only matter of making a tarball out of it and making
an official announcement.
3. Includes a few more fixes which are taken from the upstream
development mailing list, targetting next upstream releases
(including stable), which fixes known issues.
4. Includes minor changes in the debian packaging, like fixing
FTBFS due to unportable usage of \n escapes with echo and
switching gbp.conf from master branch to debian-bookworm
branch, and also includes the forgotten .desktop file which
results in a missing icon file for qemu-system processes.
The whole thing seems quite large, and when you look at the diffstat
it is large: >3k LOC changed. But this is mostly due to the conversion
from debian/patches/master/* to debian/patches/v7.2.1.diff.
[ Reason ]
This debian release has numerous bug fixes which affects many aspects
of qemu functionality within debian. I will be targetting bookworm
proposed updates with the same functionality if it misses initial
bookworm release. This also includes a fix for relatively old issue
which is more specific to debian: aptitude segfaulted within qemu-user
environments, #811087.
[ Tests ]
The release is well-tested, as it is usual for all qemu stable releases,
due to qemu excellent CI/testsuite. I verified it, together with extra
changes, wihin my set of tests too. The extra changes (on top of 7.2.2)
has also been discussed and tested.
[ Risks ]
As usual, the risk of breaking something do exists. Some unusual use
case or guest which we didn't cover by testing and don't yet know about.
Still, the amount of real, actual fixes included is much more than possible
breakage.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
[ Other info ]
Since the direct diff between 1:7.2+dfsg-5 and 1:7.2+dfsg-6 is quite large,
it's difficult to review. So I'm including 2 diffs instead.
1. 7.2+dfsg-6~no-v7.2.2.diff - I made an intermediate "syncing point"
debian "release", which is just a sync with upstream 7.2.1. This diff
is a difference in *source* (excluding debian/ but including d/patches
parts) between extracted 7.2+dfsg-5 and 7.2+dfsg-6 but without the v7.2.2.diff
and the extra 7.2+dfsg-6 patches. This diff shows just the sync between
debian qemu and 7.2.1 upstream qemu release, plus the changes in d/patches
which made it. The change in here is just 4 commits:
version bump to 7.2.1
block: Handle curl 7.55.0, 7.85.0 version changes
build-sys: fix crlf-ending C code (only affects win32 builds)
tests/tcg: fix unused variable in linux-test (fix test failure)
all can be found here: https://gitlab.com/qemu-project/qemu/-/commits/v7.2.1
2. From 7.2+dfsg~6-no-v7.2.2, there's another diff to the final 7.2+dfsg-6
release, now comparing debian/ parts only. This includes addition of
v7.2.2.diff (and removal of CVE-2022-1050.patch), addition of 3 other
patches to the source fixing more bugs, and other changes to debian/.
All individual changes in v7.2.2.diff are available at
https://gitlab.com/qemu-project/qemu/-/commits/v7.2.2 - it contains
a bunch of various bugfixes in individual commits with descriptions.
If this is too difficult for the release team to handle, I'm open to
changing it somehow. All changes, in my opinion, are worth to have in
bookworm, each and all were thought about with care.
unblock qemu/1:7.2+dfsg-6
=== begin changelog
qemu (1:7.2+dfsg-6) unstable; urgency=medium
[ Michael Tokarev ]
* sync with upstream v7.2.1 stable release, into d/patches/v7.2.1.diff.
All patches from 7.2.1 (besides stuff not relevant for linux, such
as mingw compilation fixes) has already been in d/patches/master/,
now they're in single upstream patch file
* v7.2.2.diff: upstream 7.2.2 stable/bugfix release
* hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch:
remove, included in v7.2.2
* d/rules, d/qemu.desktop: provide an icon for gtk display (qemu.display)
* d/gbp.conf: set debian branch to debian-bookworm
* pick 3 more fixes from qemu-devel@:
rtl8139-fix-large_send_mss-divide-by-zero.patch
target_i386-Change-wrong-XFRM-value.patch
hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch
* +linux-user-fix-getgroups-setgroups-allocations.patch (Closes: #811087)
[ Vagrant Cascadian ]
* debian/rules: Use 'printf' instead of 'echo' to avoid differences
in underlying /bin/sh implementations. Closes: #1034431
-- Michael Tokarev <mjt@tls.msk.ru> Sat, 29 Apr 2023 13:02:55 +0300
=== begin 7.2+dfsg-6~no-v7.2.2.diff
qemu-7.2+dfsg-6-no-v7.2.2/VERSION | 2
qemu-7.2+dfsg-6-no-v7.2.2/block/curl.c | 44 ++++++++-
qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/series | 46 ----------
qemu-7.2+dfsg-5/debian/patches/master |only
qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/v7.2.1.diff |only
qemu-7.2+dfsg-6-no-v7.2.2/meson.build | 2
qemu-7.2+dfsg-5/scripts/shaderinclude.pl |only
qemu-7.2+dfsg-6-no-v7.2.2/scripts/shaderinclude.py |only
qemu-7.2+dfsg-6-no-v7.2.2/tests/tcg/multiarch/linux/linux-test.c | 6 +
9 files changed, 45 insertions(+), 55 deletions(-)
diff -upr qemu-7.2+dfsg-5/debian/patches/series qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/series
--- qemu-7.2+dfsg-5/debian/patches/series 2023-03-05 20:03:09.000000000 +0300
+++ qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/series 2023-04-30 10:37:10.747921243 +0300
@@ -1,3 +1,4 @@
+v7.2.1.diff
microvm-default-machine-type.patch
skip-meson-pc-bios.diff
linux-user-binfmt-P.diff
@@ -15,48 +16,3 @@ openbios-spelling-endianess.patch
slof-spelling-seperator.patch
ignore-roms-dependency-in-qtest.patch
hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch
-# patches from qemu master branch which are for -stable:
-master/target-sh4-Mask-restore-of-env-flags-from-tb-flags.patch
-master/vhost-fix-vq-dirty-bitmap-syncing-when-vIOMMU-is-ena.patch
-master/virtio-mem-Fix-the-bitmap-index-of-the-section-offse.patch
-master/virtio-mem-Fix-the-iterator-variable-in-a-vmem-rdl_l.patch
-master/target-arm-fix-handling-of-HLT-semihosting-in-system.patch
-master/meson-accept-relative-symlinks-in-meson-introspect-i.patch
-master/target-riscv-Set-pc_succ_insn-for-rvc-illegal-insn.patch
-master/acpi-cpuhp-fix-guest-visible-maximum-access-size-to-.patch
-master/hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch
-master/hw-nvme-fix-missing-cq-eventidx-update.patch
-master/configure-fix-GLIB_VERSION-for-cross-compilation.patch
-master/target-arm-Fix-sve_probe_page.patch
-master/target-arm-allow-writes-to-SCR_EL3.HXEn-bit-when-FEA.patch
-master/target-arm-Fix-in_debug-path-in-S1_ptw_translate.patch
-master/target-arm-Fix-physical-address-resolution-for-Stage2.patch
-master/migration-ram-Fix-error-handling-in-ram_write_tracki.patch
-master/migration-ram-Fix-populate_read_range.patch
-master/qcow2-Fix-theoretical-corruption-in-store_bitmap-err.patch
-master/block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch
-master/tests-tcg-i386-Introduce-and-use-reg_t-consistently.patch
-master/target-i386-Fix-BEXTR-instruction.patch
-master/target-i386-Fix-C-flag-for-BLSI-BLSMSK-BLSR.patch
-master/target-i386-fix-ADOX-followed-by-ADCX.patch
-master/target-i386-Fix-BZHI-instruction.patch
-master/block-iscsi-fix-double-free-on-BUSY-or-similar-status.patch
-master/hw-smbios-fix-field-corruption-in-type-4-table.patch
-master/Revert-x86-do-not-re-randomize-RNG-seed-on-snapshot-.patch
-master/Revert-x86-re-initialize-RNG-seed-when-selecting-ker.patch
-master/Revert-x86-reinitialize-RNG-seed-on-system-reboot.patch
-master/Revert-x86-use-typedef-for-SetupData-struct.patch
-master/Revert-x86-return-modified-setup_data-only-if-read-a.patch
-master/Revert-hw-i386-pass-RNG-seed-via-setup_data-entry.patch
-master/vhost-user-gpio-Configure-vhost_dev-when-connecting.patch
-master/vhost-user-i2c-Back-up-vqs-before-cleaning-up-vhost_.patch
-master/vhost-user-rng-Back-up-vqs-before-cleaning-up-vhost_.patch
-master/virtio-rng-pci-fix-migration-compat-for-vectors.patch
-master/virtio-rng-pci-fix-transitional-migration-compat-for.patch
-master/hw-timer-hpet-Fix-expiration-time-overflow.patch
-master/vdpa-stop-all-svq-on-device-deletion.patch
-master/vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch
-master/libvhost-user-check-for-NULL-when-allocating-a-virtq.patch
-master/chardev-char-socket-set-s-listener-NULL-in-char_sock.patch
-master/intel-iommu-fail-MAP-notifier-without-caching-mode.patch
-master/intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch
Only in qemu-7.2+dfsg-5/debian/patches: master
Only in qemu-7.2+dfsg-6-no-v7.2.2/debian/patches: v7.2.1.diff
diff -upr -xdebian -x.pc qemu-7.2+dfsg-5/block/curl.c qemu-7.2+dfsg-6-no-v7.2.2/block/curl.c
--- qemu-7.2+dfsg-5/block/curl.c 2022-12-14 19:28:45.000000000 +0300
+++ qemu-7.2+dfsg-6-no-v7.2.2/block/curl.c 2023-04-30 10:39:07.316967149 +0300
@@ -37,8 +37,15 @@
// #define DEBUG_VERBOSE
+/* CURL 7.85.0 switches to a string based API for specifying
+ * the desired protocols.
+ */
+#if LIBCURL_VERSION_NUM >= 0x075500
+#define PROTOCOLS "HTTP,HTTPS,FTP,FTPS"
+#else
#define PROTOCOLS (CURLPROTO_HTTP | CURLPROTO_HTTPS | \
CURLPROTO_FTP | CURLPROTO_FTPS)
+#endif
#define CURL_NUM_STATES 8
#define CURL_NUM_ACB 8
@@ -509,9 +516,18 @@ static int curl_init_state(BDRVCURLState
* obscure protocols. For example, do not allow POP3/SMTP/IMAP see
* CVE-2013-0249.
*
- * Restricting protocols is only supported from 7.19.4 upwards.
+ * Restricting protocols is only supported from 7.19.4 upwards. Note:
+ * version 7.85.0 deprecates CURLOPT_*PROTOCOLS in favour of a string
+ * based CURLOPT_*PROTOCOLS_STR API.
*/
-#if LIBCURL_VERSION_NUM >= 0x071304
+#if LIBCURL_VERSION_NUM >= 0x075500
+ if (curl_easy_setopt(state->curl,
+ CURLOPT_PROTOCOLS_STR, PROTOCOLS) ||
+ curl_easy_setopt(state->curl,
+ CURLOPT_REDIR_PROTOCOLS_STR, PROTOCOLS)) {
+ goto err;
+ }
+#elif LIBCURL_VERSION_NUM >= 0x071304
if (curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS) ||
curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS)) {
goto err;
@@ -669,7 +685,12 @@ static int curl_open(BlockDriverState *b
const char *file;
const char *cookie;
const char *cookie_secret;
- double d;
+ /* CURL >= 7.55.0 uses curl_off_t for content length instead of a double */
+#if LIBCURL_VERSION_NUM >= 0x073700
+ curl_off_t cl;
+#else
+ double cl;
+#endif
const char *secretid;
const char *protocol_delimiter;
int ret;
@@ -796,27 +817,36 @@ static int curl_open(BlockDriverState *b
}
if (curl_easy_perform(state->curl))
goto out;
- if (curl_easy_getinfo(state->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD, &d)) {
+ /* CURL 7.55.0 deprecates CURLINFO_CONTENT_LENGTH_DOWNLOAD in favour of
+ * the *_T version which returns a more sensible type for content length.
+ */
+#if LIBCURL_VERSION_NUM >= 0x073700
+ if (curl_easy_getinfo(state->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD_T, &cl)) {
goto out;
}
+#else
+ if (curl_easy_getinfo(state->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD, &cl)) {
+ goto out;
+ }
+#endif
/* Prior CURL 7.19.4 return value of 0 could mean that the file size is not
* know or the size is zero. From 7.19.4 CURL returns -1 if size is not
* known and zero if it is really zero-length file. */
#if LIBCURL_VERSION_NUM >= 0x071304
- if (d < 0) {
+ if (cl < 0) {
pstrcpy(state->errmsg, CURL_ERROR_SIZE,
"Server didn't report file size.");
goto out;
}
#else
- if (d <= 0) {
+ if (cl <= 0) {
pstrcpy(state->errmsg, CURL_ERROR_SIZE,
"Unknown file size or zero-length file.");
goto out;
}
#endif
- s->len = d;
+ s->len = cl;
if ((!strncasecmp(s->url, "http://";, strlen("http://";))
|| !strncasecmp(s->url, "https://";, strlen("https://";)))
diff -upr -xdebian -x.pc qemu-7.2+dfsg-5/meson.build qemu-7.2+dfsg-6-no-v7.2.2/meson.build
--- qemu-7.2+dfsg-5/meson.build 2023-04-30 09:54:08.000000000 +0300
+++ qemu-7.2+dfsg-6-no-v7.2.2/meson.build 2023-04-30 10:39:07.344968369 +0300
@@ -2777,7 +2777,7 @@ config_host_data.set('CONFIG_SLIRP', sli
genh += configure_file(output: 'config-host.h', configuration: config_host_data)
hxtool = find_program('scripts/hxtool')
-shaderinclude = find_program('scripts/shaderinclude.pl')
+shaderinclude = find_program('scripts/shaderinclude.py')
qapi_gen = find_program('scripts/qapi-gen.py')
qapi_gen_depends = [ meson.current_source_dir() / 'scripts/qapi/__init__.py',
meson.current_source_dir() / 'scripts/qapi/commands.py',
Only in qemu-7.2+dfsg-5/scripts: shaderinclude.pl
Only in qemu-7.2+dfsg-6-no-v7.2.2/scripts: shaderinclude.py
diff -upr -xdebian -x.pc qemu-7.2+dfsg-5/tests/tcg/multiarch/linux/linux-test.c qemu-7.2+dfsg-6-no-v7.2.2/tests/tcg/multiarch/linux/linux-test.c
--- qemu-7.2+dfsg-5/tests/tcg/multiarch/linux/linux-test.c 2022-12-14 19:28:45.000000000 +0300
+++ qemu-7.2+dfsg-6-no-v7.2.2/tests/tcg/multiarch/linux/linux-test.c 2023-04-30 10:39:07.324967497 +0300
@@ -354,13 +354,17 @@ static void test_pipe(void)
if (FD_ISSET(fds[0], &rfds)) {
chk_error(read(fds[0], &ch, 1));
rcount++;
- if (rcount >= WCOUNT_MAX)
+ if (rcount >= WCOUNT_MAX) {
break;
+ }
}
if (FD_ISSET(fds[1], &wfds)) {
ch = 'a';
chk_error(write(fds[1], &ch, 1));
wcount++;
+ if (wcount >= WCOUNT_MAX) {
+ break;
+ }
}
}
}
diff -upr -xdebian -x.pc qemu-7.2+dfsg-5/VERSION qemu-7.2+dfsg-6-no-v7.2.2/VERSION
--- qemu-7.2+dfsg-5/VERSION 2022-12-14 19:28:45.000000000 +0300
+++ qemu-7.2+dfsg-6-no-v7.2.2/VERSION 2023-04-30 10:39:07.316967149 +0300
@@ -1 +1 @@
-7.2.0
+7.2.1
=== begin 7.2+dfsg-6.diff
changelog | 24
gbp.conf | 1
rules | 5
qemu.desktop | 8
patches/hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch | 45
patches/hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch | 42
patches/linux-user-fix-getgroups-setgroups-allocations.patch | 213 ++++
patches/rtl8139-fix-large_send_mss-divide-by-zero.patch | 68 +
patches/target_i386-Change-wrong-XFRM-value.patch | 34
patches/v7.2.2.diff | 514 ++++++++++
patches/series | 6
11 files changed, 877 insertions(+), 83 deletions(-)
diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/changelog qemu-7.2+dfsg-6/debian/changelog
--- qemu-7.2+dfsg-6-no-v7.2.2/debian/changelog 2023-04-29 13:02:55.000000000 +0300
+++ qemu-7.2+dfsg-6/debian/changelog 2023-03-05 20:09:04.000000000 +0300
@@ -1,27 +1,3 @@
-qemu (1:7.2+dfsg-6) unstable; urgency=medium
-
- [ Michael Tokarev ]
- * sync with upstream v7.2.1 stable release, into d/patches/v7.2.1.diff.
- All patches from 7.2.1 (besides stuff not relevant for linux, such
- as mingw compilation fixes) has already been in d/patches/master/,
- now they're in single upstream patch file
- * v7.2.2.diff: upstream 7.2.2 stable/bugfix release
- * hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch:
- remove, included in v7.2.2
- * d/rules, d/qemu.desktop: provide an icon for gtk display (qemu.display)
- * d/gbp.conf: set debian branch to debian-bookworm
- * pick 3 more fixes from qemu-devel@:
- rtl8139-fix-large_send_mss-divide-by-zero.patch
- target_i386-Change-wrong-XFRM-value.patch
- hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch
- * +linux-user-fix-getgroups-setgroups-allocations.patch (Closes: #811087)
-
- [ Vagrant Cascadian ]
- * debian/rules: Use 'printf' instead of 'echo' to avoid differences
- in underlying /bin/sh implementations. Closes: #1034431
-
- -- Michael Tokarev <mjt@tls.msk.ru> Sat, 29 Apr 2023 13:02:55 +0300
-
qemu (1:7.2+dfsg-5) unstable; urgency=medium
* d/qemu-guest-agent.udev: fix missing comma
diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/gbp.conf qemu-7.2+dfsg-6/debian/gbp.conf
--- qemu-7.2+dfsg-6-no-v7.2.2/debian/gbp.conf 2023-04-29 12:05:13.000000000 +0300
+++ qemu-7.2+dfsg-6/debian/gbp.conf 2023-03-05 20:03:09.000000000 +0300
@@ -1,4 +1,3 @@
[DEFAULT]
sign-tags = True
pristine-tar = True
-debian-branch = debian-bookworm
diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch qemu-7.2+dfsg-6/debian/patches/hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch
--- qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch 1970-01-01 03:00:00.000000000 +0300
+++ qemu-7.2+dfsg-6/debian/patches/hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch 2023-04-29 12:58:18.000000000 +0300
@@ -0,0 +1,42 @@
+From: Thomas Huth <thuth@redhat.com>
+Subject: [PATCH] hw/mips/malta: Fix the malta machine on big endian hosts
+Date: Thu, 30 Mar 2023 17:26:13 +0200
+Message-Id: <20230330152613.232082-1-thuth@redhat.com>
+List-Id: <qemu-stable.nongnu.org>
+
+Booting a Linux kernel with the malta machine is currently broken
+on big endian hosts. The cpu_to_gt32 macro wants to byteswap a value
+for little endian targets only, but uses the wrong way to do this:
+cpu_to_[lb]e32 works the other way round on big endian hosts! Fix
+it by using the same ways on both, big and little endian hosts.
+
+Fixes: 0c8427baf0 ("hw/mips/malta: Use bootloader helper to set BAR registers")
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+---
+ I've checked that both, the kernel from
+ https://landley.net/toybox/downloads/binaries/mkroot/0.8.9/mipsel.tgz
+ and the kernel from
+ https://landley.net/toybox/downloads/binaries/mkroot/0.8.9/mips.tgz
+ now boot fine on both, a little endian (x86) and a big endian (s390x) host.
+
+ hw/mips/malta.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/mips/malta.c b/hw/mips/malta.c
+index af9021316d..b26ed1fc9a 100644
+--- a/hw/mips/malta.c
++++ b/hw/mips/malta.c
+@@ -630,7 +630,7 @@ static void bl_setup_gt64120_jump_kernel(void **p, uint64_t run_addr,
+ /* Bus endianess is always reversed */
+ #if TARGET_BIG_ENDIAN
+-#define cpu_to_gt32 cpu_to_le32
++#define cpu_to_gt32(x) (x)
+ #else
+-#define cpu_to_gt32 cpu_to_be32
++#define cpu_to_gt32(x) bswap32(x)
+ #endif
+
+--
+2.31.1
+
+
diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch qemu-7.2+dfsg-6/debian/patches/hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch
--- qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch 2023-04-30 10:33:17.674095770 +0300
+++ qemu-7.2+dfsg-6/debian/patches/hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch 1970-01-01 03:00:00.000000000 +0300
@@ -1,45 +0,0 @@
-From: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Subject: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
-Date: Sun, 3 Apr 2022 12:52:34 +0300
-Message-Id: <20220403095234.2210-1-yuval.shaia.ml@gmail.com>
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-Bug-Debian: https://bugs.debian.org/1014589
-
-Guest driver might execute HW commands when shared buffers are not yet
-allocated.
-This could happen on purpose (malicious guest) or because of some other
-guest/host address mapping error.
-We need to protect against such case.
-
-Fixes: CVE-2022-1050
-
-Reported-by: Raven <wxhusst@gmail.com>
-Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
----
-v1 -> v2:
- * Commit message changes
-v2 -> v3:
- * Exclude cosmetic changes
----
- hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
-index da7ddfa548..89db963c46 100644
---- a/hw/rdma/vmw/pvrdma_cmd.c
-+++ b/hw/rdma/vmw/pvrdma_cmd.c
-@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
-
- dsr_info = &dev->dsr_info;
-
-+ if (!dsr_info->dsr) {
-+ /* Buggy or malicious guest driver */
-+ rdma_error_report("Exec command without dsr, req or rsp buffers");
-+ goto out;
-+ }
-+
- if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
- sizeof(struct cmd_handler)) {
- rdma_error_report("Unsupported command");
diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/linux-user-fix-getgroups-setgroups-allocations.patch qemu-7.2+dfsg-6/debian/patches/linux-user-fix-getgroups-setgroups-allocations.patch
--- qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/linux-user-fix-getgroups-setgroups-allocations.patch 1970-01-01 03:00:00.000000000 +0300
+++ qemu-7.2+dfsg-6/debian/patches/linux-user-fix-getgroups-setgroups-allocations.patch 2023-04-26 18:50:55.000000000 +0300
@@ -0,0 +1,213 @@
+From b8c5ef59c357946f5982328641c24edd589fff45 Mon Sep 17 00:00:00 2001
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Fri, 16 Dec 2022 18:07:07 +0300
+Subject: [PATCH v4] linux-user: fix getgroups/setgroups allocations
+
+linux-user getgroups(), setgroups(), getgroups32() and setgroups32()
+used alloca() to allocate grouplist arrays, with unchecked gidsetsize
+coming from the "guest". With NGROUPS_MAX being 65536 (linux, and it
+is common for an application to allocate NGROUPS_MAX for getgroups()),
+this means a typical allocation is half the megabyte on the stack.
+Which just overflows stack, which leads to immediate SIGSEGV in actual
+system getgroups() implementation.
+
+An example of such issue is aptitude, eg
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=811087#72
+
+Cap gidsetsize to NGROUPS_MAX (return EINVAL if it is larger than that),
+and use heap allocation for grouplist instead of alloca(). While at it,
+fix coding style and make all 4 implementations identical.
+
+Try to not impose random limits - for example, allow gidsetsize to be
+negative for getgroups() - just do not allocate negative-sized grouplist
+in this case but still do actual getgroups() call. But do not allow
+negative gidsetsize for setgroups() since its argument is unsigned.
+
+Capping by NGROUPS_MAX seems a bit arbitrary, - we can do more, it is
+not an error if set size will be NGROUPS_MAX+1. But we should not allow
+integer overflow for the array being allocated. Maybe it is enough to
+just call g_try_new() and return ENOMEM if it fails.
+
+Maybe there's also no need to convert setgroups() since this one is
+usually smaller and known beforehand (KERN_NGROUPS_MAX is actually 63, -
+this is apparently a kernel-imposed limit for runtime group set).
+
+The patch fixes aptitude segfault mentioned above.
+
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+v4:
+ - the same ret-vs-gidsetsize fix in getgroups32.
+v3:
+ - fix a bug in getgroups(). In initial implementation I checked
+ for ret>0 in order to convert returned list of groups to target
+ byte order. But this clashes with unusual corner case for this
+ syscall: getgroups(0,NULL) return current number of groups in
+ the set, so this resulted in writing to *NULL. The right condition
+ here is gidsetsize>0:
+ - if (!is_error(ret) && ret > 0) {
+ + if (!is_error(ret) && gidsetsize > 0) {
+v2:
+ - remove g_free, use g_autofree annotations instead,
+ - a bit more coding style changes, makes checkpatch.pl happy
+
+ linux-user/syscall.c | 99 ++++++++++++++++++++++++++++++--------------
+ 1 file changed, 68 insertions(+), 31 deletions(-)
+
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index 24b25759be..c532ee92c1 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -11433,39 +11433,58 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1,
+ {
+ int gidsetsize = arg1;
+ target_id *target_grouplist;
+- gid_t *grouplist;
++ g_autofree gid_t *grouplist = NULL;
+ int i;
+
+- grouplist = alloca(gidsetsize * sizeof(gid_t));
++ if (gidsetsize > NGROUPS_MAX) {
++ return -TARGET_EINVAL;
++ }
++ if (gidsetsize > 0) {
++ grouplist = g_try_new(gid_t, gidsetsize);
++ if (!grouplist) {
++ return -TARGET_ENOMEM;
++ }
++ }
+ ret = get_errno(getgroups(gidsetsize, grouplist));
+- if (gidsetsize == 0)
+- return ret;
+- if (!is_error(ret)) {
+- target_grouplist = lock_user(VERIFY_WRITE, arg2, gidsetsize * sizeof(target_id), 0);
+- if (!target_grouplist)
++ if (!is_error(ret) && gidsetsize > 0) {
++ target_grouplist = lock_user(VERIFY_WRITE, arg2,
++ gidsetsize * sizeof(target_id), 0);
++ if (!target_grouplist) {
+ return -TARGET_EFAULT;
+- for(i = 0;i < ret; i++)
++ }
++ for (i = 0; i < ret; i++) {
+ target_grouplist[i] = tswapid(high2lowgid(grouplist[i]));
+- unlock_user(target_grouplist, arg2, gidsetsize * sizeof(target_id));
++ }
++ unlock_user(target_grouplist, arg2,
++ gidsetsize * sizeof(target_id));
+ }
++ return ret;
+ }
+- return ret;
+ case TARGET_NR_setgroups:
+ {
+ int gidsetsize = arg1;
+ target_id *target_grouplist;
+- gid_t *grouplist = NULL;
++ g_autofree gid_t *grouplist = NULL;
+ int i;
+- if (gidsetsize) {
+- grouplist = alloca(gidsetsize * sizeof(gid_t));
+- target_grouplist = lock_user(VERIFY_READ, arg2, gidsetsize * sizeof(target_id), 1);
++
++ if (gidsetsize > NGROUPS_MAX || gidsetsize < 0) {
++ return -TARGET_EINVAL;
++ }
++ if (gidsetsize > 0) {
++ grouplist = g_try_new(gid_t, gidsetsize);
++ if (!grouplist) {
++ return -TARGET_ENOMEM;
++ }
++ target_grouplist = lock_user(VERIFY_READ, arg2,
++ gidsetsize * sizeof(target_id), 1);
+ if (!target_grouplist) {
+ return -TARGET_EFAULT;
+ }
+ for (i = 0; i < gidsetsize; i++) {
+ grouplist[i] = low2highgid(tswapid(target_grouplist[i]));
+ }
+- unlock_user(target_grouplist, arg2, 0);
++ unlock_user(target_grouplist, arg2,
++ gidsetsize * sizeof(target_id));
+ }
+ return get_errno(setgroups(gidsetsize, grouplist));
+ }
+@@ -11750,41 +11769,59 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1,
+ {
+ int gidsetsize = arg1;
+ uint32_t *target_grouplist;
+- gid_t *grouplist;
++ g_autofree gid_t *grouplist = NULL;
+ int i;
+
+- grouplist = alloca(gidsetsize * sizeof(gid_t));
++ if (gidsetsize > NGROUPS_MAX) {
++ return -TARGET_EINVAL;
++ }
++ if (gidsetsize > 0) {
++ grouplist = g_try_new(gid_t, gidsetsize);
++ if (!grouplist) {
++ return -TARGET_ENOMEM;
++ }
++ }
+ ret = get_errno(getgroups(gidsetsize, grouplist));
+- if (gidsetsize == 0)
+- return ret;
+- if (!is_error(ret)) {
+- target_grouplist = lock_user(VERIFY_WRITE, arg2, gidsetsize * 4, 0);
++ if (!is_error(ret) && gidsetsize > 0) {
++ target_grouplist = lock_user(VERIFY_WRITE, arg2,
++ gidsetsize * 4, 0);
+ if (!target_grouplist) {
+ return -TARGET_EFAULT;
+ }
+- for(i = 0;i < ret; i++)
++ for (i = 0; i < ret; i++) {
+ target_grouplist[i] = tswap32(grouplist[i]);
++ }
+ unlock_user(target_grouplist, arg2, gidsetsize * 4);
+ }
++ return ret;
+ }
+- return ret;
+ #endif
+ #ifdef TARGET_NR_setgroups32
+ case TARGET_NR_setgroups32:
+ {
+ int gidsetsize = arg1;
+ uint32_t *target_grouplist;
+- gid_t *grouplist;
++ g_autofree gid_t *grouplist = NULL;
+ int i;
+
+- grouplist = alloca(gidsetsize * sizeof(gid_t));
+- target_grouplist = lock_user(VERIFY_READ, arg2, gidsetsize * 4, 1);
+- if (!target_grouplist) {
+- return -TARGET_EFAULT;
++ if (gidsetsize > NGROUPS_MAX || gidsetsize < 0) {
++ return -TARGET_EINVAL;
++ }
++ if (gidsetsize > 0) {
++ grouplist = g_try_new(gid_t, gidsetsize);
++ if (!grouplist) {
++ return -TARGET_ENOMEM;
++ }
++ target_grouplist = lock_user(VERIFY_READ, arg2,
++ gidsetsize * 4, 1);
++ if (!target_grouplist) {
++ return -TARGET_EFAULT;
++ }
++ for (i = 0; i < gidsetsize; i++) {
++ grouplist[i] = tswap32(target_grouplist[i]);
++ }
++ unlock_user(target_grouplist, arg2, 0);
+ }
+- for(i = 0;i < gidsetsize; i++)
+- grouplist[i] = tswap32(target_grouplist[i]);
+- unlock_user(target_grouplist, arg2, 0);
+ return get_errno(setgroups(gidsetsize, grouplist));
+ }
+ #endif
+--
+2.30.2
+
diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/rtl8139-fix-large_send_mss-divide-by-zero.patch qemu-7.2+dfsg-6/debian/patches/rtl8139-fix-large_send_mss-divide-by-zero.patch
--- qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/rtl8139-fix-large_send_mss-divide-by-zero.patch 1970-01-01 03:00:00.000000000 +0300
+++ qemu-7.2+dfsg-6/debian/patches/rtl8139-fix-large_send_mss-divide-by-zero.patch 2023-04-26 18:50:55.000000000 +0300
@@ -0,0 +1,68 @@
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Subject: [PATCH] rtl8139: fix large_send_mss divide-by-zero
+Date: Thu, 13 Apr 2023 13:19:46 -0400
+Message-Id: <20230413171946.2865726-1-stefanha@redhat.com>
+List-Id: <qemu-devel.nongnu.org>
+
+If the driver sets large_send_mss to 0 then a divide-by-zero occurs.
+Even if the division wasn't a problem, the for loop that emits MSS-sized
+packets would never terminate.
+
+Solve these issues by skipping offloading when large_send_mss=0.
+
+This issue was found by OSS-Fuzz as part of Alexander Bulekov's device
+fuzzing work. The reproducer is:
+
+ $ cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \
+ 512M,slots=1,maxmem=0xffff000000000000 -machine q35 -nodefaults -device \
+ rtl8139,netdev=net0 -netdev user,id=net0 -device \
+ pc-dimm,id=nv1,memdev=mem1,addr=0xb800a64602800000 -object \
+ memory-backend-ram,id=mem1,size=2M -qtest stdio
+ outl 0xcf8 0x80000814
+ outl 0xcfc 0xe0000000
+ outl 0xcf8 0x80000804
+ outw 0xcfc 0x06
+ write 0xe0000037 0x1 0x04
+ write 0xe00000e0 0x2 0x01
+ write 0x1 0x1 0x04
+ write 0x3 0x1 0x98
+ write 0xa 0x1 0x8c
+ write 0xb 0x1 0x02
+ write 0xc 0x1 0x46
+ write 0xd 0x1 0xa6
+ write 0xf 0x1 0xb8
+ write 0xb800a646028c000c 0x1 0x08
+ write 0xb800a646028c000e 0x1 0x47
+ write 0xb800a646028c0010 0x1 0x02
+ write 0xb800a646028c0017 0x1 0x06
+ write 0xb800a646028c0036 0x1 0x80
+ write 0xe00000d9 0x1 0x40
+ EOF
+
+Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582
+Fixes: 6d71357a3b65 ("rtl8139: honor large send MSS value")
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Cc: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+---
+ hw/net/rtl8139.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 5a5aaf868d..5f1a4d359b 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -2154,6 +2154,9 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
+
+ int large_send_mss = (txdw0 >> CP_TC_LGSEN_MSS_SHIFT) &
+ CP_TC_LGSEN_MSS_MASK;
++ if (large_send_mss == 0) {
++ goto skip_offload;
++ }
+
+ DPRINTF("+++ C+ mode offloaded task TSO IP data %d "
+ "frame data %d specified MSS=%d\n",
+--
+2.39.2
+
+
diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/series qemu-7.2+dfsg-6/debian/patches/series
--- qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/series 2023-04-30 10:37:10.747921243 +0300
+++ qemu-7.2+dfsg-6/debian/patches/series 2023-04-29 12:57:45.000000000 +0300
@@ -1,4 +1,5 @@
v7.2.1.diff
+v7.2.2.diff
microvm-default-machine-type.patch
skip-meson-pc-bios.diff
linux-user-binfmt-P.diff
@@ -15,4 +16,7 @@ spelling.diff
openbios-spelling-endianess.patch
slof-spelling-seperator.patch
ignore-roms-dependency-in-qtest.patch
-hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch
+linux-user-fix-getgroups-setgroups-allocations.patch
+rtl8139-fix-large_send_mss-divide-by-zero.patch
+target_i386-Change-wrong-XFRM-value.patch
+hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch
diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/target_i386-Change-wrong-XFRM-value.patch qemu-7.2+dfsg-6/debian/patches/target_i386-Change-wrong-XFRM-value.patch
--- qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/target_i386-Change-wrong-XFRM-value.patch 1970-01-01 03:00:00.000000000 +0300
+++ qemu-7.2+dfsg-6/debian/patches/target_i386-Change-wrong-XFRM-value.patch 2023-04-26 18:50:55.000000000 +0300
@@ -0,0 +1,34 @@
+From: Yang Zhong <yang.zhong@linux.intel.com>
+Subject: [PATCH v3] target/i386: Change wrong XFRM value
+Date: Thu, 6 Apr 2023 02:40:41 -0400
+Message-Id: <20230406064041.420039-1-yang.zhong@linux.intel.com>
+List-Id: <qemu-devel.nongnu.org>
+
+The previous patch wrongly replaced FEAT_XSAVE_XCR0_{LO|HI} with
+FEAT_XSAVE_XSS_{LO|HI} in CPUID(EAX=12,ECX=1):{ECX,EDX}, which made
+SGX enclave only supported SSE and x87 feature(xfrm=0x3).
+
+Fixes: 301e90675c3f ("target/i386: Enable support for XSAVES based features")
+
+Signed-off-by: Yang Zhong <yang.zhong@linux.intel.com>
+Reviewed-by: Yang Weijiang <weijiang.yang@intel.com>
+---
+ target/i386/cpu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 6576287e5b..f083ff4335 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -5718,8 +5718,8 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+ } else {
+ *eax &= env->features[FEAT_SGX_12_1_EAX];
+ *ebx &= 0; /* ebx reserve */
+- *ecx &= env->features[FEAT_XSAVE_XSS_LO];
+- *edx &= env->features[FEAT_XSAVE_XSS_HI];
++ *ecx &= env->features[FEAT_XSAVE_XCR0_LO];
++ *edx &= env->features[FEAT_XSAVE_XCR0_HI];
+
+ /* FP and SSE are always allowed regardless of XSAVE/XCR0. */
+ *ecx |= XSTATE_FP_MASK | XSTATE_SSE_MASK;
+
diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/v7.2.2.diff qemu-7.2+dfsg-6/debian/patches/v7.2.2.diff
--- qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/v7.2.2.diff 1970-01-01 03:00:00.000000000 +0300
+++ qemu-7.2+dfsg-6/debian/patches/v7.2.2.diff 2023-04-29 12:09:29.000000000 +0300
@@ -0,0 +1,514 @@
+Subject: v7.2.2
+Date: Sat, 29 Apr 2023 12:09:18 +0300
+From: Michael Tokarev <mjt@tls.msk.ru>
+Forwarded: not-needed
+
+This is a difference between upstream qemu v7.2.1
+and upstream qemu v7.2.2.
+
+ VERSION | 2 +-
+ block/vhdx-log.c | 2 +-
+ hw/arm/boot.c | 5 ++++-
+ hw/net/vmxnet3.c | 2 +-
+ hw/nvme/ctrl.c | 3 +++
+ hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
+ include/qemu/osdep.h | 2 +-
+ io/channel-tls.c | 3 +++
+ linux-user/fd-trans.c | 10 ++++++---
+ linux-user/fd-trans.h | 1 +
+ linux-user/generic/target_resource.h | 4 ++--
+ linux-user/syscall.c | 21 ++++++++++++------
+ qga/commands.c | 5 ++---
+ qga/installer/qemu-ga.wxs | 1 +
+ qga/vss-win32/install.cpp | 2 +-
+ target/arm/cpu.h | 3 +++
+ target/s390x/arch_dump.c | 2 +-
+ target/s390x/cpu.h | 1 +
+ target/s390x/s390x-internal.h | 3 ++-
+ target/s390x/tcg/insn-data.h.inc | 4 ++--
+ target/s390x/tcg/mem_helper.c | 1 +
+ target/s390x/tcg/translate.c | 41 ++++++++++++++++++++++++++++--------
+ ui/gtk.c | 4 +++-
+ util/fdmon-epoll.c | 25 ++++++++++++++++------
+ 24 files changed, 112 insertions(+), 41 deletions(-)
+
+diff --git a/VERSION b/VERSION
+index b26a34e470..77f5bec5b2 100644
+--- a/VERSION
++++ b/VERSION
+@@ -1 +1 @@
+-7.2.1
++7.2.2
+diff --git a/block/vhdx-log.c b/block/vhdx-log.c
+index 572582b87b..0866897a85 100644
+--- a/block/vhdx-log.c
++++ b/block/vhdx-log.c
+@@ -980,7 +980,7 @@ static int vhdx_log_write(BlockDriverState *bs, BDRVVHDXState *s,
+ sector_write = merged_sector;
+ } else if (i == sectors - 1 && trailing_length) {
+ /* partial sector at the end of the buffer */
+- ret = bdrv_pread(bs->file, file_offset,
++ ret = bdrv_pread(bs->file, file_offset + trailing_length,
+ VHDX_LOG_SECTOR_SIZE - trailing_length,
+ merged_sector + trailing_length, 0);
+ if (ret < 0) {
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
+index 15c2bf1867..725bab8adc 100644
+--- a/hw/arm/boot.c
++++ b/hw/arm/boot.c
+@@ -686,7 +686,10 @@ int arm_load_dtb(hwaddr addr, const struct arm_boot_info *binfo,
+ qemu_register_reset_nosnapshotload(qemu_fdt_randomize_seeds,
+ rom_ptr_for_as(as, addr, size));
+
+- g_free(fdt);
++ if (fdt != ms->fdt) {
++ g_free(ms->fdt);
++ ms->fdt = fdt;
++ }
+
+ return size;
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index d2ab527ef4..56559cda24 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1441,7 +1441,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ vmxnet3_setup_rx_filtering(s);
+ /* Cache fields from shared memory */
+ s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
+- assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu <= VMXNET3_MAX_MTU);
+ VMW_CFPRN("MTU is %u", s->mtu);
+
+ s->max_rx_frags =
+diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
+index 1d3e058452..749a6938dd 100644
+--- a/hw/nvme/ctrl.c
++++ b/hw/nvme/ctrl.c
+@@ -2491,6 +2491,9 @@ static uint16_t nvme_dsm(NvmeCtrl *n, NvmeRequest *req)
+ status = nvme_h2c(n, (uint8_t *)iocb->range, sizeof(NvmeDsmRange) * nr,
+ req);
+ if (status) {
++ g_free(iocb->range);
++ qemu_aio_unref(iocb);
++
+ return status;
+ }
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index da7ddfa548..89db963c46 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
+
+ dsr_info = &dev->dsr_info;
+
++ if (!dsr_info->dsr) {
++ /* Buggy or malicious guest driver */
++ rdma_error_report("Exec command without dsr, req or rsp buffers");
++ goto out;
++ }
++
+ if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
+ sizeof(struct cmd_handler)) {
+ rdma_error_report("Unsupported command");
+diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
+index b9c4307779..3d6cb431ad 100644
+--- a/include/qemu/osdep.h
++++ b/include/qemu/osdep.h
+@@ -177,7 +177,7 @@ extern "C" {
+ * supports QEMU_ERROR, this will be reported at compile time; otherwise
+ * this will be reported at link time due to the missing symbol.
+ */
+-extern G_NORETURN
++G_NORETURN extern
+ void QEMU_ERROR("code path is reachable")
+ qemu_build_not_reached_always(void);
+ #if defined(__OPTIMIZE__) && !defined(__NO_INLINE__)
+diff --git a/io/channel-tls.c b/io/channel-tls.c
+index 4ce890a538..4ce08ccc28 100644
+--- a/io/channel-tls.c
++++ b/io/channel-tls.c
+@@ -74,6 +74,9 @@ qio_channel_tls_new_server(QIOChannel *master,
+ ioc = QIO_CHANNEL_TLS(object_new(TYPE_QIO_CHANNEL_TLS));
+
+ ioc->master = master;
++ if (qio_channel_has_feature(master, QIO_CHANNEL_FEATURE_SHUTDOWN)) {
++ qio_channel_set_feature(QIO_CHANNEL(ioc), QIO_CHANNEL_FEATURE_SHUTDOWN);
++ }
+ object_ref(OBJECT(master));
+
+ ioc->session = qcrypto_tls_session_new(
+diff --git a/linux-user/fd-trans.c b/linux-user/fd-trans.c
+index 7b25468d02..146aaaafaa 100644
+--- a/linux-user/fd-trans.c
++++ b/linux-user/fd-trans.c
+@@ -1622,7 +1622,7 @@ TargetFdTrans target_signalfd_trans = {
+ .host_to_target_data = host_to_target_data_signalfd,
+ };
+
+-static abi_long swap_data_eventfd(void *buf, size_t len)
++static abi_long swap_data_u64(void *buf, size_t len)
+ {
+ uint64_t *counter = buf;
+ int i;
+@@ -1640,8 +1640,12 @@ static abi_long swap_data_eventfd(void *buf, size_t len)
+ }
+
+ TargetFdTrans target_eventfd_trans = {
+- .host_to_target_data = swap_data_eventfd,
+- .target_to_host_data = swap_data_eventfd,
++ .host_to_target_data = swap_data_u64,
++ .target_to_host_data = swap_data_u64,
++};
++
++TargetFdTrans target_timerfd_trans = {
++ .host_to_target_data = swap_data_u64,
+ };
+
+ #if defined(CONFIG_INOTIFY) && (defined(TARGET_NR_inotify_init) || \
+diff --git a/linux-user/fd-trans.h b/linux-user/fd-trans.h
+index 1b9fa2041c..910faaf237 100644
+--- a/linux-user/fd-trans.h
++++ b/linux-user/fd-trans.h
+@@ -130,6 +130,7 @@ extern TargetFdTrans target_netlink_route_trans;
+ extern TargetFdTrans target_netlink_audit_trans;
+ extern TargetFdTrans target_signalfd_trans;
+ extern TargetFdTrans target_eventfd_trans;
++extern TargetFdTrans target_timerfd_trans;
+ #if (defined(TARGET_NR_inotify_init) && defined(__NR_inotify_init)) || \
+ (defined(CONFIG_INOTIFY1) && defined(TARGET_NR_inotify_init1) && \
+ defined(__NR_inotify_init1))
+diff --git a/linux-user/generic/target_resource.h b/linux-user/generic/target_resource.h
+index 539d8c4677..37d3eb09b3 100644
+--- a/linux-user/generic/target_resource.h
++++ b/linux-user/generic/target_resource.h
+@@ -12,8 +12,8 @@ struct target_rlimit {
+ };
+
+ struct target_rlimit64 {
+- uint64_t rlim_cur;
+- uint64_t rlim_max;
++ abi_ullong rlim_cur;
++ abi_ullong rlim_max;
+ };
+
+ #define TARGET_RLIM_INFINITY ((abi_ulong)-1)
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index 24b25759be..9ca30149d4 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -1755,6 +1755,11 @@ static inline abi_long target_to_host_sockaddr(int fd, struct sockaddr *addr,
+ lladdr = (struct target_sockaddr_ll *)addr;
+ lladdr->sll_ifindex = tswap32(lladdr->sll_ifindex);
+ lladdr->sll_hatype = tswap16(lladdr->sll_hatype);
++ } else if (sa_family == AF_INET6) {
++ struct sockaddr_in6 *in6addr;
++
++ in6addr = (struct sockaddr_in6 *)addr;
++ in6addr->sin6_scope_id = tswap32(in6addr->sin6_scope_id);
+ }
+ unlock_user(target_saddr, target_addr, 0);
+
+@@ -12883,8 +12888,8 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1,
+ if (!lock_user_struct(VERIFY_READ, target_rnew, arg3, 1)) {
+ return -TARGET_EFAULT;
+ }
+- rnew.rlim_cur = tswap64(target_rnew->rlim_cur);
+- rnew.rlim_max = tswap64(target_rnew->rlim_max);
++ __get_user(rnew.rlim_cur, &target_rnew->rlim_cur);
++ __get_user(rnew.rlim_max, &target_rnew->rlim_max);
+ unlock_user_struct(target_rnew, arg3, 0);
+ rnewp = &rnew;
+ }
+@@ -12894,8 +12899,8 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1,
+ if (!lock_user_struct(VERIFY_WRITE, target_rold, arg4, 1)) {
+ return -TARGET_EFAULT;
+ }
+- target_rold->rlim_cur = tswap64(rold.rlim_cur);
+- target_rold->rlim_max = tswap64(rold.rlim_max);
++ __put_user(rold.rlim_cur, &target_rold->rlim_cur);
++ __put_user(rold.rlim_max, &target_rold->rlim_max);
+ unlock_user_struct(target_rold, arg4, 1);
+ }
+ return ret;
+@@ -13115,8 +13120,12 @@ static abi_long do_syscall1(CPUArchState *cpu_env, int num, abi_long arg1,
+
+ #if defined(TARGET_NR_timerfd_create) && defined(CONFIG_TIMERFD)
+ case TARGET_NR_timerfd_create:
+- return get_errno(timerfd_create(arg1,
+- target_to_host_bitmask(arg2, fcntl_flags_tbl)));
++ ret = get_errno(timerfd_create(arg1,
++ target_to_host_bitmask(arg2, fcntl_flags_tbl)));
++ if (ret >= 0) {
++ fd_trans_register(ret, &target_timerfd_trans);
++ }
++ return ret;
+ #endif
+
+ #if defined(TARGET_NR_timerfd_gettime) && defined(CONFIG_TIMERFD)
+diff --git a/qga/commands.c b/qga/commands.c
+index 7ff551d092..6cf978322e 100644
+--- a/qga/commands.c
++++ b/qga/commands.c
+@@ -32,9 +32,8 @@
+ #define GUEST_FILE_READ_COUNT_MAX (48 * MiB)
+
+ /* Note: in some situations, like with the fsfreeze, logging may be
+- * temporarilly disabled. if it is necessary that a command be able
+- * to log for accounting purposes, check ga_logging_enabled() beforehand,
+- * and use the QERR_QGA_LOGGING_DISABLED to generate an error
++ * temporarily disabled. if it is necessary that a command be able
++ * to log for accounting purposes, check ga_logging_enabled() beforehand.
+ */
+ void slog(const gchar *fmt, ...)
+ {
+diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
+index 813d1c6ca6..3442383627 100644
+--- a/qga/installer/qemu-ga.wxs
++++ b/qga/installer/qemu-ga.wxs
+@@ -31,6 +31,7 @@
+ />
+ <Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab" EmbedCab="yes" />
+ <Property Id="WHSLogo">1</Property>
++ <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
+ <MajorUpgrade
+ DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
+ />
+diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
+index b57508fbe0..b8087e5baa 100644
+--- a/qga/vss-win32/install.cpp
++++ b/qga/vss-win32/install.cpp
+@@ -518,7 +518,7 @@ namespace _com_util
+ /* Stop QGA VSS provider service using Winsvc API */
+ STDAPI StopService(void)
+ {
+- HRESULT hr;
++ HRESULT hr = S_OK;
+ SC_HANDLE manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+ SC_HANDLE service = NULL;
+
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+index 9aeed3c848..a9cd7178f8 100644
+--- a/target/arm/cpu.h
++++ b/target/arm/cpu.h
+@@ -2407,6 +2407,9 @@ static inline bool arm_is_el3_or_mon(CPUARMState *env)
+ /* Return true if the processor is in secure state */
+ static inline bool arm_is_secure(CPUARMState *env)
+ {
++ if (arm_feature(env, ARM_FEATURE_M)) {
++ return env->v7m.secure;
++ }
+ if (arm_is_el3_or_mon(env)) {
+ return true;
+ }
+diff --git a/target/s390x/arch_dump.c b/target/s390x/arch_dump.c
+index a2329141e8..a7c44ba49d 100644
+--- a/target/s390x/arch_dump.c
++++ b/target/s390x/arch_dump.c
+@@ -248,7 +248,7 @@ static int s390x_write_elf64_notes(const char *note_name,
+ notep = g_malloc(note_size);
+ }
+
+- memset(notep, 0, sizeof(note));
++ memset(notep, 0, note_size);
+
+ /* Setup note header data */
+ notep->hdr.n_descsz = cpu_to_be32(content_size);
+diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h
+index 7d6d01325b..8aaf8dd5a3 100644
+--- a/target/s390x/cpu.h
++++ b/target/s390x/cpu.h
+@@ -87,6 +87,7 @@ struct CPUArchState {
+ uint64_t cc_vr;
+
+ uint64_t ex_value;
++ uint64_t ex_target;
+
+ uint64_t __excp_addr;
+ uint64_t psa;
+diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h
+index 5d4361d35b..825252d728 100644
+--- a/target/s390x/s390x-internal.h
++++ b/target/s390x/s390x-internal.h
+@@ -11,6 +11,7 @@
+ #define S390X_INTERNAL_H
+
+ #include "cpu.h"
++#include "fpu/softfloat.h"
+
+ #ifndef CONFIG_USER_ONLY
+ typedef struct LowCore {
+@@ -299,7 +300,7 @@ uint32_t set_cc_nz_f128(float128 v);
+ uint8_t s390_softfloat_exc_to_ieee(unsigned int exc);
+ int s390_swap_bfp_rounding_mode(CPUS390XState *env, int m3);
+ void s390_restore_bfp_rounding_mode(CPUS390XState *env, int old_mode);
+-int float_comp_to_cc(CPUS390XState *env, int float_compare);
++int float_comp_to_cc(CPUS390XState *env, FloatRelation float_compare);
+
+ #define DCMASK_ZERO 0x0c00
+ #define DCMASK_NORMAL 0x0300
+diff --git a/target/s390x/tcg/insn-data.h.inc b/target/s390x/tcg/insn-data.h.inc
+index 54d4250c9f..2a5fc99818 100644
+--- a/target/s390x/tcg/insn-data.h.inc
++++ b/target/s390x/tcg/insn-data.h.inc
+@@ -199,8 +199,8 @@
+ C(0xe55c, CHSI, SIL, GIE, m1_32s, i2, 0, 0, 0, cmps64)
+ C(0xe558, CGHSI, SIL, GIE, m1_64, i2, 0, 0, 0, cmps64)
+ /* COMPARE HALFWORD RELATIVE LONG */
+- C(0xc605, CHRL, RIL_b, GIE, r1_o, mri2_32s, 0, 0, 0, cmps32)
+- C(0xc604, CGHRL, RIL_b, GIE, r1_o, mri2_64, 0, 0, 0, cmps64)
++ C(0xc605, CHRL, RIL_b, GIE, r1_o, mri2_16s, 0, 0, 0, cmps32)
++ C(0xc604, CGHRL, RIL_b, GIE, r1_o, mri2_16s, 0, 0, 0, cmps64)
+ /* COMPARE HIGH */
+ C(0xb9cd, CHHR, RRE, HW, r1_sr32, r2_sr32, 0, 0, 0, cmps32)
+ C(0xb9dd, CHLR, RRE, HW, r1_sr32, r2_o, 0, 0, 0, cmps32)
+diff --git a/target/s390x/tcg/mem_helper.c b/target/s390x/tcg/mem_helper.c
+index 3758b9e688..7e7de5e2f1 100644
+--- a/target/s390x/tcg/mem_helper.c
++++ b/target/s390x/tcg/mem_helper.c
+@@ -2618,6 +2618,7 @@ void HELPER(ex)(CPUS390XState *env, uint32_t ilen, uint64_t r1, uint64_t addr)
+ that ex_value is non-zero, which flags that we are in a state
+ that requires such execution. */
+ env->ex_value = insn | ilen;
++ env->ex_target = addr;
+ }
+
+ uint32_t HELPER(mvcos)(CPUS390XState *env, uint64_t dest, uint64_t src,
+diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
+index 1e599ac259..e328aa5b97 100644
+--- a/target/s390x/tcg/translate.c
++++ b/target/s390x/tcg/translate.c
+@@ -5962,9 +5962,25 @@ static void in2_a2(DisasContext *s, DisasOps *o)
+ }
+ #define SPEC_in2_a2 0
+
++static TCGv gen_ri2(DisasContext *s)
++{
++ int64_t delta = (int64_t)get_field(s, i2) * 2;
++ TCGv ri2;
++
++ if (unlikely(s->ex_value)) {
++ ri2 = tcg_temp_new_i64();
++ tcg_gen_ld_i64(ri2, cpu_env, offsetof(CPUS390XState, ex_target));
++ tcg_gen_addi_i64(ri2, ri2, delta);
++ } else {
++ ri2 = tcg_constant_i64(s->base.pc_next + delta);
++ }
++
++ return ri2;
++}
++
+ static void in2_ri2(DisasContext *s, DisasOps *o)
+ {
+- o->in2 = tcg_const_i64(s->base.pc_next + (int64_t)get_field(s, i2) * 2);
++ o->in2 = gen_ri2(s);
+ }
+ #define SPEC_in2_ri2 0
+
+@@ -6050,31 +6066,38 @@ static void in2_m2_64a(DisasContext *s, DisasOps *o)
+ #define SPEC_in2_m2_64a 0
+ #endif
+
++static void in2_mri2_16s(DisasContext *s, DisasOps *o)
++{
++ o->in2 = tcg_temp_new_i64();
++ tcg_gen_qemu_ld16s(o->in2, gen_ri2(s), get_mem_index(s));
++}
++#define SPEC_in2_mri2_16s 0
++
+ static void in2_mri2_16u(DisasContext *s, DisasOps *o)
+ {
+- in2_ri2(s, o);
+- tcg_gen_qemu_ld16u(o->in2, o->in2, get_mem_index(s));
++ o->in2 = tcg_temp_new_i64();
++ tcg_gen_qemu_ld16u(o->in2, gen_ri2(s), get_mem_index(s));
+ }
+ #define SPEC_in2_mri2_16u 0
+
+ static void in2_mri2_32s(DisasContext *s, DisasOps *o)
+ {
+- in2_ri2(s, o);
+- tcg_gen_qemu_ld32s(o->in2, o->in2, get_mem_index(s));
++ o->in2 = tcg_temp_new_i64();
++ tcg_gen_qemu_ld32s(o->in2, gen_ri2(s), get_mem_index(s));
+ }
+ #define SPEC_in2_mri2_32s 0
+
+ static void in2_mri2_32u(DisasContext *s, DisasOps *o)
+ {
+- in2_ri2(s, o);
+- tcg_gen_qemu_ld32u(o->in2, o->in2, get_mem_index(s));
++ o->in2 = tcg_temp_new_i64();
++ tcg_gen_qemu_ld32u(o->in2, gen_ri2(s), get_mem_index(s));
+ }
+ #define SPEC_in2_mri2_32u 0
+
+ static void in2_mri2_64(DisasContext *s, DisasOps *o)
+ {
+- in2_ri2(s, o);
+- tcg_gen_qemu_ld64(o->in2, o->in2, get_mem_index(s));
++ o->in2 = tcg_temp_new_i64();
++ tcg_gen_qemu_ld64(o->in2, gen_ri2(s), get_mem_index(s));
+ }
+ #define SPEC_in2_mri2_64 0
+
+diff --git a/ui/gtk.c b/ui/gtk.c
+index 4817623c8f..dfaf6d33c3 100644
+--- a/ui/gtk.c
++++ b/ui/gtk.c
+@@ -1783,7 +1783,9 @@ static void gd_vc_chr_accept_input(Chardev *chr)
+ VCChardev *vcd = VC_CHARDEV(chr);
+ VirtualConsole *vc = vcd->console;
+
+- gd_vc_send_chars(vc);
++ if (vc) {
++ gd_vc_send_chars(vc);
++ }
+ }
+
+ static void gd_vc_chr_set_echo(Chardev *chr, bool echo)
+diff --git a/util/fdmon-epoll.c b/util/fdmon-epoll.c
+index e11a8a022e..1683aa1105 100644
+--- a/util/fdmon-epoll.c
++++ b/util/fdmon-epoll.c
+@@ -127,6 +127,8 @@ static bool fdmon_epoll_try_enable(AioContext *ctx)
+
+ bool fdmon_epoll_try_upgrade(AioContext *ctx, unsigned npfd)
+ {
++ bool ok;
++
+ if (ctx->epollfd < 0) {
+ return false;
+ }
+@@ -136,14 +138,23 @@ bool fdmon_epoll_try_upgrade(AioContext *ctx, unsigned npfd)
+ return false;
+ }
+
+- if (npfd >= EPOLL_ENABLE_THRESHOLD) {
+- if (fdmon_epoll_try_enable(ctx)) {
+- return true;
+- } else {
+- fdmon_epoll_disable(ctx);
+- }
++ if (npfd < EPOLL_ENABLE_THRESHOLD) {
++ return false;
++ }
++
++ /* The list must not change while we add fds to epoll */
++ if (!qemu_lockcnt_dec_if_lock(&ctx->list_lock)) {
++ return false;
++ }
++
++ ok = fdmon_epoll_try_enable(ctx);
++
++ qemu_lockcnt_inc_and_unlock(&ctx->list_lock);
++
++ if (!ok) {
++ fdmon_epoll_disable(ctx);
+ }
+- return false;
++ return ok;
+ }
+
+ void fdmon_epoll_setup(AioContext *ctx)
diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/qemu.desktop qemu-7.2+dfsg-6/debian/qemu.desktop
--- qemu-7.2+dfsg-6-no-v7.2.2/debian/qemu.desktop 2023-04-29 12:05:13.000000000 +0300
+++ qemu-7.2+dfsg-6/debian/qemu.desktop 1970-01-01 03:00:00.000000000 +0300
@@ -1,8 +0,0 @@
-# Just for the icon under wayland.
-# qemu-system-foo sets application name to qemu
-[Desktop Entry]
-Name=qemu
-Comment=QEMU System Emulation
-Icon=qemu
-Type=Application
-NoDisplay=true
diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/rules qemu-7.2+dfsg-6/debian/rules
--- qemu-7.2+dfsg-6-no-v7.2.2/debian/rules 2023-04-29 12:05:13.000000000 +0300
+++ qemu-7.2+dfsg-6/debian/rules 2023-03-05 20:03:09.000000000 +0300
@@ -477,7 +477,7 @@ sysdata-components += skiboot
build-vof: b/vof/vof.bin
b/vof/vof.bin: | b
mkdir -p b/vof
- printf 'CC=$${CROSS}gcc\nLD=$${CROSS}ld\nOBJCOPY=$${CROSS}objcopy\nEXTRA_CFLAGS=-m32 -mbig-endian' > b/vof/config.mak
+ echo 'CC=$${CROSS}gcc\nLD=$${CROSS}ld\nOBJCOPY=$${CROSS}objcopy\nEXTRA_CFLAGS=-m32 -mbig-endian' > b/vof/config.mak
${MAKE} -C b/vof CROSS=${PPC64_CROSSPFX} SRC_DIR=../../pc-bios/vof -f../../pc-bios/vof/Makefile
install-vof: b/vof/vof.bin
install -m 0644 -t ${sysdataidir} $<
@@ -614,11 +614,8 @@ build-indep: $(addprefix build-, ${sysda
override_dh_auto_install-indep: $(addprefix install-, ${sysdata-components})
# qemu-system-data
-# icon for gtk ui
install -Dp -m0644 ui/icons/qemu.svg \
-t debian/qemu-system-data/usr/share/icons/hicolor/scalable/apps/
- install -Dp -m0644 debian/qemu.desktop \
- -t debian/qemu-system-data/usr/share/applications/
# icon for sdl2 ui (non-sdl-image version)
install -Dp -m0644 ui/icons/qemu_32x32.png \
-t debian/qemu-system-data/usr/share/icons/hicolor/32x32/apps/
--- End Message ---