diff options
Diffstat (limited to 'system/qemu')
5 files changed, 289 insertions, 1 deletions
diff --git a/system/qemu/patches/0000-qxl-fix-local-renderer-crash.patch b/system/qemu/patches/0000-qxl-fix-local-renderer-crash.patch new file mode 100644 index 0000000000..a839d38249 --- /dev/null +++ b/system/qemu/patches/0000-qxl-fix-local-renderer-crash.patch @@ -0,0 +1,43 @@ +From 5bd5c27c7d284d01477c5cc022ce22438c46bf9f Mon Sep 17 00:00:00 2001 +Message-Id: <5bd5c27c7d284d01477c5cc022ce22438c46bf9f.1528219523.git.crobinso@redhat.com> +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Fri, 27 Apr 2018 13:55:28 +0200 +Subject: [PATCH] qxl: fix local renderer crash +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Make sure we only ask the spice local renderer for display updates in +case we have a valid primary surface. Without that spice is confused +and throws errors in case a display update request (triggered by +screendump for example) happens in parallel to a mode switch and hits +the race window where the old primary surface is gone and the new isn't +establisted yet. + +Cc: qemu-stable@nongnu.org +Fixes: https://bugzilla.redhat.com//show_bug.cgi?id=1567733 +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-id: 20180427115528.345-1-kraxel@redhat.com +Signed-off-by: Cole Robinson <crobinso@redhat.com> +--- + hw/display/qxl-render.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index e7ac4f8789..c62b9a5e75 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -169,7 +169,8 @@ void qxl_render_update(PCIQXLDevice *qxl) + + qemu_mutex_lock(&qxl->ssd.lock); + +- if (!runstate_is_running() || !qxl->guest_primary.commands) { ++ if (!runstate_is_running() || !qxl->guest_primary.commands || ++ qxl->mode == QXL_MODE_UNDEFINED) { + qxl_render_update_area_unlocked(qxl); + qemu_mutex_unlock(&qxl->ssd.lock); + return; +-- +2.17.1 + diff --git a/system/qemu/patches/0001-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch b/system/qemu/patches/0001-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch new file mode 100644 index 0000000000..00cad34a6f --- /dev/null +++ b/system/qemu/patches/0001-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch @@ -0,0 +1,51 @@ +From 7920d78dc80e7206e07f2a35f942e9f33174d251 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> +Date: Mon, 21 May 2018 22:54:22 +0100 +Subject: [PATCH 1/3] i386: define the 'ssbd' CPUID feature bit (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +New microcode introduces the "Speculative Store Bypass Disable" +CPUID feature bit. This needs to be exposed to guest OS to allow +them to protect against CVE-2018-3639. + +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> +Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Message-Id: <20180521215424.13520-2-berrange@redhat.com> +Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> +(cherry picked from commit d19d1f965904a533998739698020ff4ee8a103da) +--- + target/i386/cpu.c | 2 +- + target/i386/cpu.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index a20fe26573..2f5263e22f 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -510,7 +510,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, "spec-ctrl", NULL, +- NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, "ssbd", + }, + .cpuid_eax = 7, + .cpuid_needs_ecx = true, .cpuid_ecx = 0, +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 1b219fafc4..970ab96e54 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -684,6 +684,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; + #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ + #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ + #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */ ++#define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */ + + #define KVM_HINTS_DEDICATED (1U << 0) + +-- +2.17.0 + diff --git a/system/qemu/patches/0002-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch b/system/qemu/patches/0002-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch new file mode 100644 index 0000000000..4fc3e74007 --- /dev/null +++ b/system/qemu/patches/0002-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch @@ -0,0 +1,148 @@ +From 70913a1bded444b1d264c3723fca2f6a7966d667 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Date: Mon, 21 May 2018 22:54:24 +0100 +Subject: [PATCH 2/3] i386: Define the Virt SSBD MSR and handling of it + (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +"Some AMD processors only support a non-architectural means of enabling +speculative store bypass disable (SSBD). To allow a simplified view of +this to a guest, an architectural definition has been created through a new +CPUID bit, 0x80000008_EBX[25], and a new MSR, 0xc001011f. With this, a +hypervisor can virtualize the existence of this definition and provide an +architectural method for using SSBD to a guest. + +Add the new CPUID feature, the new MSR and update the existing SSBD +support to use this MSR when present." (from x86/speculation: Add virtualized +speculative store bypass disable support in Linux). + +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> +Message-Id: <20180521215424.13520-4-berrange@redhat.com> +Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> +(cherry picked from commit cfeea0c021db6234c154dbc723730e81553924ff) +--- + target/i386/cpu.h | 2 ++ + target/i386/kvm.c | 16 ++++++++++++++-- + target/i386/machine.c | 20 ++++++++++++++++++++ + 3 files changed, 36 insertions(+), 2 deletions(-) + +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 970ab96e54..75e821cefe 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -351,6 +351,7 @@ typedef enum X86Seg { + #define MSR_IA32_FEATURE_CONTROL 0x0000003a + #define MSR_TSC_ADJUST 0x0000003b + #define MSR_IA32_SPEC_CTRL 0x48 ++#define MSR_VIRT_SSBD 0xc001011f + #define MSR_IA32_TSCDEADLINE 0x6e0 + + #define FEATURE_CONTROL_LOCKED (1<<0) +@@ -1150,6 +1151,7 @@ typedef struct CPUX86State { + uint32_t pkru; + + uint64_t spec_ctrl; ++ uint64_t virt_ssbd; + + /* End of state preserved by INIT (dummy marker). */ + struct {} end_init_save; +diff --git a/target/i386/kvm.c b/target/i386/kvm.c +index 6c49954e68..19e6aa320d 100644 +--- a/target/i386/kvm.c ++++ b/target/i386/kvm.c +@@ -92,6 +92,7 @@ static bool has_msr_hv_stimer; + static bool has_msr_hv_frequencies; + static bool has_msr_xss; + static bool has_msr_spec_ctrl; ++static bool has_msr_virt_ssbd; + static bool has_msr_smi_count; + + static uint32_t has_architectural_pmu_version; +@@ -1218,6 +1219,9 @@ static int kvm_get_supported_msrs(KVMState *s) + case MSR_IA32_SPEC_CTRL: + has_msr_spec_ctrl = true; + break; ++ case MSR_VIRT_SSBD: ++ has_msr_virt_ssbd = true; ++ break; + } + } + } +@@ -1706,6 +1710,10 @@ static int kvm_put_msrs(X86CPU *cpu, int level) + if (has_msr_spec_ctrl) { + kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, env->spec_ctrl); + } ++ if (has_msr_virt_ssbd) { ++ kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, env->virt_ssbd); ++ } ++ + #ifdef TARGET_X86_64 + if (lm_capable_kernel) { + kvm_msr_entry_add(cpu, MSR_CSTAR, env->cstar); +@@ -2077,8 +2085,9 @@ static int kvm_get_msrs(X86CPU *cpu) + if (has_msr_spec_ctrl) { + kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, 0); + } +- +- ++ if (has_msr_virt_ssbd) { ++ kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, 0); ++ } + if (!env->tsc_valid) { + kvm_msr_entry_add(cpu, MSR_IA32_TSC, 0); + env->tsc_valid = !runstate_is_running(); +@@ -2444,6 +2453,9 @@ static int kvm_get_msrs(X86CPU *cpu) + case MSR_IA32_SPEC_CTRL: + env->spec_ctrl = msrs[i].data; + break; ++ case MSR_VIRT_SSBD: ++ env->virt_ssbd = msrs[i].data; ++ break; + case MSR_IA32_RTIT_CTL: + env->msr_rtit_ctrl = msrs[i].data; + break; +diff --git a/target/i386/machine.c b/target/i386/machine.c +index bd2d82e91b..f0a835c292 100644 +--- a/target/i386/machine.c ++++ b/target/i386/machine.c +@@ -893,6 +893,25 @@ static const VMStateDescription vmstate_msr_intel_pt = { + } + }; + ++static bool virt_ssbd_needed(void *opaque) ++{ ++ X86CPU *cpu = opaque; ++ CPUX86State *env = &cpu->env; ++ ++ return env->virt_ssbd != 0; ++} ++ ++static const VMStateDescription vmstate_msr_virt_ssbd = { ++ .name = "cpu/virt_ssbd", ++ .version_id = 1, ++ .minimum_version_id = 1, ++ .needed = virt_ssbd_needed, ++ .fields = (VMStateField[]){ ++ VMSTATE_UINT64(env.virt_ssbd, X86CPU), ++ VMSTATE_END_OF_LIST() ++ } ++}; ++ + VMStateDescription vmstate_x86_cpu = { + .name = "cpu", + .version_id = 12, +@@ -1015,6 +1034,7 @@ VMStateDescription vmstate_x86_cpu = { + &vmstate_spec_ctrl, + &vmstate_mcg_ext_ctl, + &vmstate_msr_intel_pt, ++ &vmstate_msr_virt_ssbd, + NULL + } + }; +-- +2.17.0 + diff --git a/system/qemu/patches/0003-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch b/system/qemu/patches/0003-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch new file mode 100644 index 0000000000..09f7116d6a --- /dev/null +++ b/system/qemu/patches/0003-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch @@ -0,0 +1,41 @@ +From f956cd4aed74d55ecc03d3c33ea66b1d933cb28f Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Date: Mon, 21 May 2018 22:54:23 +0100 +Subject: [PATCH 3/3] i386: define the AMD 'virt-ssbd' CPUID feature bit + (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +AMD Zen expose the Intel equivalant to Speculative Store Bypass Disable +via the 0x80000008_EBX[25] CPUID feature bit. + +This needs to be exposed to guest OS to allow them to protect +against CVE-2018-3639. + +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> +Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> +Message-Id: <20180521215424.13520-3-berrange@redhat.com> +Signed-off-by: Eduardo Habkost <ehabkost@redhat.com> +(cherry picked from commit 403503b162ffc33fb64cfefdf7b880acf41772cd) +--- + target/i386/cpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 2f5263e22f..2e305ab689 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -541,7 +541,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + "ibpb", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ NULL, "virt-ssbd", NULL, NULL, + NULL, NULL, NULL, NULL, + }, + .cpuid_eax = 0x80000008, +-- +2.17.0 + diff --git a/system/qemu/qemu.SlackBuild b/system/qemu/qemu.SlackBuild index bd0068043f..8b21b3ab16 100644 --- a/system/qemu/qemu.SlackBuild +++ b/system/qemu/qemu.SlackBuild @@ -113,6 +113,8 @@ find -L . \ \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; +for i in $CWD/patches/* ; do patch -p1 < $i ; done + # Remove double CFLAGS sed -i "s|^\ \ CFLAGS=\"-O2\ | CFLAGS=\"|" configure @@ -131,6 +133,9 @@ else with_vnc="--disable-vnc" fi +# Workaround for the newer perl, thanks @volkerdi! +sed -i "s|LC_ALL=C|LC_ALL=C.UTF-8|" Makefile + CFLAGS="$SLKCFLAGS" \ CXXFLAGS="$SLKCFLAGS" \ ./configure \ @@ -188,7 +193,7 @@ fi # Add docs to the proper location mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION cp -a Changelog COPYING* CODING_STYLE HACKING LICENSE MAINTAINERS README qemu-*.html docs/* \ - $PKG/usr/doc/$PRGNAM-$VERSION + $PKG/usr/doc/$PRGNAM-$VERSION || true cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild mkdir -p $PKG/install |