Control: tags -1 moreinfo

On 2023-04-30 11:07:51 +0300, Michael Tokarev wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: pkg-qemu-de...@lists.alioth.debian.org
>
> Please unblock package qemu
>
> This debian release has the following:
>
> 1. sync with upstream qemu stable/bugfix 7.2.1 release, by removing
>    all patches in debian/patches/master/ and replacing them all with
>    single debian/patches/v7.2.1.diff which is a diff between upstream
>    qemu 7.2.0 and 7.2.1 releases. This is the bulk of the changes in there.
>    See "Other info" section below for more information.
>
> 2. Includes upstream qemu stable/bugfix 7.2.2 release.
>    Upstream 7.2.2 needs its own comment. Historically, qemu stable
>    releases were managed up until the next major release is out. Here, 7.2.2
>    was planned to be tagged the next day after 8.0.0 has been
>    released (8.0 release didn't follow its schedule because of the
>    amount of bugfixes needed there). So by the historical practice
>    7.2.2 should not be released. But I plan to change this practice,
>    by providing a bit more support for the previous major release of
>    qemu, past the next major release date, and also plan to perform
>    at least one more 7.2 upstream stable/bugfix release. We're
>    discussing this on the qemu side. Either way, 7.2.2 is officially
>    tagged in the upstream qemu git tree:
>    https://gitlab.com/qemu-project/qemu/-/tags/v7.2.2
>    so it's only a matter of making a tarball out of it and making
>    an official announcement.

So why is that added as a patch instead of uploading the new upstream release?

Cheers

> 3. Includes a few more fixes which are taken from the upstream
>    development mailing list, targeting next upstream releases
>    (including stable), which fix known issues.
>
> 4. Includes minor changes in the debian packaging, like fixing
>    FTBFS due to unportable usage of \n escapes with echo and
>    switching gbp.conf from master branch to debian-bookworm
>    branch, and also includes the forgotten .desktop file which
>    results in a missing icon file for qemu-system processes.
>
> The whole thing seems quite large, and when you look at the diffstat
> it is large: >3k LOC changed. But this is mostly due to the conversion
> from debian/patches/master/* to debian/patches/v7.2.1.diff.
>
> [ Reason ]
>
> This debian release has numerous bug fixes which affect many aspects
> of qemu functionality within debian. I will be targeting bookworm
> proposed updates with the same functionality if it misses the initial
> bookworm release. This also includes a fix for a relatively old issue
> which is more specific to debian: aptitude segfaulted within qemu-user
> environments, #811087.
>
> [ Tests ]
>
> The release is well-tested, as is usual for all qemu stable releases,
> due to qemu's excellent CI/testsuite. I verified it, together with extra
> changes, within my set of tests too. The extra changes (on top of 7.2.2)
> have also been discussed and tested.
>
> [ Risks ]
>
> As usual, the risk of breaking something does exist. Some unusual use
> case or guest which we didn't cover by testing and don't yet know about.
> Still, the amount of real, actual fixes included is much more than possible
> breakage.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
>
> Since the direct diff between 1:7.2+dfsg-5 and 1:7.2+dfsg-6 is quite large,
> it's difficult to review. So I'm including 2 diffs instead.
>
> 1. 7.2+dfsg-6~no-v7.2.2.diff - I made an intermediate "syncing point"
>    debian "release", which is just a sync with upstream 7.2.1. This diff
>    is a difference in *source* (excluding debian/ but including d/patches
>    parts) between extracted 7.2+dfsg-5 and 7.2+dfsg-6 but without the v7.2.2.diff
>    and the extra 7.2+dfsg-6 patches. This diff shows just the sync between
>    debian qemu and 7.2.1 upstream qemu release, plus the changes in d/patches
>    which made it. The change in here is just 4 commits:
>      version bump to 7.2.1
>      block: Handle curl 7.55.0, 7.85.0 version changes
>      build-sys: fix crlf-ending C code (only affects win32 builds)
>      tests/tcg: fix unused variable in linux-test (fix test failure)
>    all can be found here: https://gitlab.com/qemu-project/qemu/-/commits/v7.2.1
>
> 2. From 7.2+dfsg~6-no-v7.2.2, there's another diff to the final 7.2+dfsg-6
>    release, now comparing debian/ parts only. This includes addition of
>    v7.2.2.diff (and removal of CVE-2022-1050.patch), addition of 3 other
>    patches to the source fixing more bugs, and other changes to debian/.
>    All individual changes in v7.2.2.diff are available at
>    https://gitlab.com/qemu-project/qemu/-/commits/v7.2.2 - it contains
>    a bunch of various bugfixes in individual commits with descriptions.
>
>
> If this is too difficult for the release team to handle, I'm open to
> changing it somehow. All changes, in my opinion, are worth having in
> bookworm, each and all were thought about with care.
>
> unblock qemu/1:7.2+dfsg-6
>
> === begin changelog
> qemu (1:7.2+dfsg-6) unstable; urgency=medium
>
>   [ Michael Tokarev ]
>   * sync with upstream v7.2.1 stable release, into d/patches/v7.2.1.diff.
> All patches from 7.2.1 (besides stuff not relevant for linux, such > as mingw compilation fixes) has already been in d/patches/master/, > now they're in single upstream patch file > * v7.2.2.diff: upstream 7.2.2 stable/bugfix release > * hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch: > remove, included in v7.2.2 > * d/rules, d/qemu.desktop: provide an icon for gtk display (qemu.display) > * d/gbp.conf: set debian branch to debian-bookworm > * pick 3 more fixes from qemu-devel@: > rtl8139-fix-large_send_mss-divide-by-zero.patch > target_i386-Change-wrong-XFRM-value.patch > hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch > * +linux-user-fix-getgroups-setgroups-allocations.patch (Closes: #811087) > > [ Vagrant Cascadian ] > * debian/rules: Use 'printf' instead of 'echo' to avoid differences > in underlying /bin/sh implementations. Closes: #1034431 > > -- Michael Tokarev <m...@tls.msk.ru> Sat, 29 Apr 2023 13:02:55 +0300 > > > === begin 7.2+dfsg-6~no-v7.2.2.diff > qemu-7.2+dfsg-6-no-v7.2.2/VERSION | 2 > qemu-7.2+dfsg-6-no-v7.2.2/block/curl.c | 44 > ++++++++- > qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/series | 46 > ---------- > qemu-7.2+dfsg-5/debian/patches/master |only > qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/v7.2.1.diff |only > qemu-7.2+dfsg-6-no-v7.2.2/meson.build | 2 > qemu-7.2+dfsg-5/scripts/shaderinclude.pl |only > qemu-7.2+dfsg-6-no-v7.2.2/scripts/shaderinclude.py |only > qemu-7.2+dfsg-6-no-v7.2.2/tests/tcg/multiarch/linux/linux-test.c | 6 + > 9 files changed, 45 insertions(+), 55 deletions(-) > > diff -upr qemu-7.2+dfsg-5/debian/patches/series > qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/series > --- qemu-7.2+dfsg-5/debian/patches/series 2023-03-05 20:03:09.000000000 > +0300 > +++ qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/series 2023-04-30 > 10:37:10.747921243 +0300 > @@ -1,3 +1,4 @@ > +v7.2.1.diff > microvm-default-machine-type.patch > skip-meson-pc-bios.diff > linux-user-binfmt-P.diff 
> @@ -15,48 +16,3 @@ openbios-spelling-endianess.patch > slof-spelling-seperator.patch > ignore-roms-dependency-in-qtest.patch > hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch > -# patches from qemu master branch which are for -stable: > -master/target-sh4-Mask-restore-of-env-flags-from-tb-flags.patch > -master/vhost-fix-vq-dirty-bitmap-syncing-when-vIOMMU-is-ena.patch > -master/virtio-mem-Fix-the-bitmap-index-of-the-section-offse.patch > -master/virtio-mem-Fix-the-iterator-variable-in-a-vmem-rdl_l.patch > -master/target-arm-fix-handling-of-HLT-semihosting-in-system.patch > -master/meson-accept-relative-symlinks-in-meson-introspect-i.patch > -master/target-riscv-Set-pc_succ_insn-for-rvc-illegal-insn.patch > -master/acpi-cpuhp-fix-guest-visible-maximum-access-size-to-.patch > -master/hw-nvme-fix-missing-endian-conversions-for-doorbell-.patch > -master/hw-nvme-fix-missing-cq-eventidx-update.patch > -master/configure-fix-GLIB_VERSION-for-cross-compilation.patch > -master/target-arm-Fix-sve_probe_page.patch > -master/target-arm-allow-writes-to-SCR_EL3.HXEn-bit-when-FEA.patch > -master/target-arm-Fix-in_debug-path-in-S1_ptw_translate.patch > -master/target-arm-Fix-physical-address-resolution-for-Stage2.patch > -master/migration-ram-Fix-error-handling-in-ram_write_tracki.patch > -master/migration-ram-Fix-populate_read_range.patch > -master/qcow2-Fix-theoretical-corruption-in-store_bitmap-err.patch > -master/block-fix-detect-zeroes-with-BDRV_REQ_REGISTERED_BUF.patch > -master/tests-tcg-i386-Introduce-and-use-reg_t-consistently.patch > -master/target-i386-Fix-BEXTR-instruction.patch > -master/target-i386-Fix-C-flag-for-BLSI-BLSMSK-BLSR.patch > -master/target-i386-fix-ADOX-followed-by-ADCX.patch > -master/target-i386-Fix-BZHI-instruction.patch > -master/block-iscsi-fix-double-free-on-BUSY-or-similar-status.patch > -master/hw-smbios-fix-field-corruption-in-type-4-table.patch > -master/Revert-x86-do-not-re-randomize-RNG-seed-on-snapshot-.patch > 
-master/Revert-x86-re-initialize-RNG-seed-when-selecting-ker.patch > -master/Revert-x86-reinitialize-RNG-seed-on-system-reboot.patch > -master/Revert-x86-use-typedef-for-SetupData-struct.patch > -master/Revert-x86-return-modified-setup_data-only-if-read-a.patch > -master/Revert-hw-i386-pass-RNG-seed-via-setup_data-entry.patch > -master/vhost-user-gpio-Configure-vhost_dev-when-connecting.patch > -master/vhost-user-i2c-Back-up-vqs-before-cleaning-up-vhost_.patch > -master/vhost-user-rng-Back-up-vqs-before-cleaning-up-vhost_.patch > -master/virtio-rng-pci-fix-migration-compat-for-vectors.patch > -master/virtio-rng-pci-fix-transitional-migration-compat-for.patch > -master/hw-timer-hpet-Fix-expiration-time-overflow.patch > -master/vdpa-stop-all-svq-on-device-deletion.patch > -master/vhost-avoid-a-potential-use-of-an-uninitialized-vari.patch > -master/libvhost-user-check-for-NULL-when-allocating-a-virtq.patch > -master/chardev-char-socket-set-s-listener-NULL-in-char_sock.patch > -master/intel-iommu-fail-MAP-notifier-without-caching-mode.patch > -master/intel-iommu-fail-DEVIOTLB_UNMAP-without-dt-mode.patch > Only in qemu-7.2+dfsg-5/debian/patches: master > Only in qemu-7.2+dfsg-6-no-v7.2.2/debian/patches: v7.2.1.diff > > diff -upr -xdebian -x.pc qemu-7.2+dfsg-5/block/curl.c > qemu-7.2+dfsg-6-no-v7.2.2/block/curl.c > --- qemu-7.2+dfsg-5/block/curl.c 2022-12-14 19:28:45.000000000 +0300 > +++ qemu-7.2+dfsg-6-no-v7.2.2/block/curl.c 2023-04-30 10:39:07.316967149 > +0300 > @@ -37,8 +37,15 @@ > > // #define DEBUG_VERBOSE > > +/* CURL 7.85.0 switches to a string based API for specifying > + * the desired protocols. > + */ > +#if LIBCURL_VERSION_NUM >= 0x075500 > +#define PROTOCOLS "HTTP,HTTPS,FTP,FTPS" > +#else > #define PROTOCOLS (CURLPROTO_HTTP | CURLPROTO_HTTPS | \ > CURLPROTO_FTP | CURLPROTO_FTPS) > +#endif > > #define CURL_NUM_STATES 8 > #define CURL_NUM_ACB 8 
> @@ -509,9 +516,18 @@ static int curl_init_state(BDRVCURLState > * obscure protocols. For example, do not allow POP3/SMTP/IMAP see > * CVE-2013-0249. > * > - * Restricting protocols is only supported from 7.19.4 upwards. > + * Restricting protocols is only supported from 7.19.4 upwards. Note: > + * version 7.85.0 deprecates CURLOPT_*PROTOCOLS in favour of a string > + * based CURLOPT_*PROTOCOLS_STR API. > */ > -#if LIBCURL_VERSION_NUM >= 0x071304 > +#if LIBCURL_VERSION_NUM >= 0x075500 > + if (curl_easy_setopt(state->curl, > + CURLOPT_PROTOCOLS_STR, PROTOCOLS) || > + curl_easy_setopt(state->curl, > + CURLOPT_REDIR_PROTOCOLS_STR, PROTOCOLS)) { > + goto err; > + } > +#elif LIBCURL_VERSION_NUM >= 0x071304 > if (curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS) || > curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, > PROTOCOLS)) { > goto err; > @@ -669,7 +685,12 @@ static int curl_open(BlockDriverState *b > const char *file; > const char *cookie; > const char *cookie_secret; > - double d; > + /* CURL >= 7.55.0 uses curl_off_t for content length instead of a double > */ > +#if LIBCURL_VERSION_NUM >= 0x073700 > + curl_off_t cl; > +#else > + double cl; > +#endif > const char *secretid; > const char *protocol_delimiter; > int ret; 
> @@ -796,27 +817,36 @@ static int curl_open(BlockDriverState *b > } > if (curl_easy_perform(state->curl)) > goto out; > - if (curl_easy_getinfo(state->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD, > &d)) { > + /* CURL 7.55.0 deprecates CURLINFO_CONTENT_LENGTH_DOWNLOAD in favour of > + * the *_T version which returns a more sensible type for content length. > + */ > +#if LIBCURL_VERSION_NUM >= 0x073700 > + if (curl_easy_getinfo(state->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD_T, > &cl)) { > goto out; > } > +#else > + if (curl_easy_getinfo(state->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD, > &cl)) { > + goto out; > + } > +#endif > /* Prior CURL 7.19.4 return value of 0 could mean that the file size is > not > * know or the size is zero. From 7.19.4 CURL returns -1 if size is not > * known and zero if it is really zero-length file. */ > #if LIBCURL_VERSION_NUM >= 0x071304 > - if (d < 0) { > + if (cl < 0) { > pstrcpy(state->errmsg, CURL_ERROR_SIZE, > "Server didn't report file size."); > goto out; > } > #else > - if (d <= 0) { > + if (cl <= 0) { > pstrcpy(state->errmsg, CURL_ERROR_SIZE, > "Unknown file size or zero-length file."); > goto out; > } > #endif > > - s->len = d; > + s->len = cl; > > if ((!strncasecmp(s->url, "http://", strlen("http://")) > || !strncasecmp(s->url, "https://", strlen("https://"))) > diff -upr -xdebian -x.pc qemu-7.2+dfsg-5/meson.build > qemu-7.2+dfsg-6-no-v7.2.2/meson.build > --- qemu-7.2+dfsg-5/meson.build 2023-04-30 09:54:08.000000000 +0300 > +++ qemu-7.2+dfsg-6-no-v7.2.2/meson.build 2023-04-30 10:39:07.344968369 > +0300 
> @@ -2777,7 +2777,7 @@ config_host_data.set('CONFIG_SLIRP', sli > genh += configure_file(output: 'config-host.h', configuration: > config_host_data) > > hxtool = find_program('scripts/hxtool') > -shaderinclude = find_program('scripts/shaderinclude.pl') > +shaderinclude = find_program('scripts/shaderinclude.py') > qapi_gen = find_program('scripts/qapi-gen.py') > qapi_gen_depends = [ meson.current_source_dir() / 'scripts/qapi/__init__.py', > meson.current_source_dir() / 'scripts/qapi/commands.py', > Only in qemu-7.2+dfsg-5/scripts: shaderinclude.pl > Only in qemu-7.2+dfsg-6-no-v7.2.2/scripts: shaderinclude.py > diff -upr -xdebian -x.pc > qemu-7.2+dfsg-5/tests/tcg/multiarch/linux/linux-test.c > qemu-7.2+dfsg-6-no-v7.2.2/tests/tcg/multiarch/linux/linux-test.c > --- qemu-7.2+dfsg-5/tests/tcg/multiarch/linux/linux-test.c 2022-12-14 > 19:28:45.000000000 +0300 > +++ qemu-7.2+dfsg-6-no-v7.2.2/tests/tcg/multiarch/linux/linux-test.c > 2023-04-30 10:39:07.324967497 +0300 > @@ -354,13 +354,17 @@ static void test_pipe(void) > if (FD_ISSET(fds[0], &rfds)) { > chk_error(read(fds[0], &ch, 1)); > rcount++; > - if (rcount >= WCOUNT_MAX) > + if (rcount >= WCOUNT_MAX) { > break; > + } > } > if (FD_ISSET(fds[1], &wfds)) { > ch = 'a'; > chk_error(write(fds[1], &ch, 1)); > wcount++; > + if (wcount >= WCOUNT_MAX) { > + break; > + } > } > } > } > diff -upr -xdebian -x.pc qemu-7.2+dfsg-5/VERSION > qemu-7.2+dfsg-6-no-v7.2.2/VERSION > --- qemu-7.2+dfsg-5/VERSION 2022-12-14 19:28:45.000000000 +0300 > +++ qemu-7.2+dfsg-6-no-v7.2.2/VERSION 2023-04-30 10:39:07.316967149 +0300 
> @@ -1 +1 @@ > -7.2.0 > +7.2.1 > > > === begin 7.2+dfsg-6.diff > changelog | 24 > gbp.conf | 1 > rules | 5 > qemu.desktop | 8 > patches/hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch | 45 > patches/hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch | 42 > patches/linux-user-fix-getgroups-setgroups-allocations.patch | 213 > ++++ > patches/rtl8139-fix-large_send_mss-divide-by-zero.patch | 68 + > patches/target_i386-Change-wrong-XFRM-value.patch | 34 > patches/v7.2.2.diff | 514 > ++++++++++ > patches/series | 6 > 11 files changed, 877 insertions(+), 83 deletions(-) > > diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/changelog > qemu-7.2+dfsg-6/debian/changelog > --- qemu-7.2+dfsg-6-no-v7.2.2/debian/changelog 2023-04-29 > 13:02:55.000000000 +0300 > +++ qemu-7.2+dfsg-6/debian/changelog 2023-03-05 20:09:04.000000000 +0300 
> @@ -1,27 +1,3 @@ > -qemu (1:7.2+dfsg-6) unstable; urgency=medium > - > - [ Michael Tokarev ] > - * sync with upstream v7.2.1 stable release, into d/patches/v7.2.1.diff. > - All patches from 7.2.1 (besides stuff not relevant for linux, such > - as mingw compilation fixes) has already been in d/patches/master/, > - now they're in single upstream patch file > - * v7.2.2.diff: upstream 7.2.2 stable/bugfix release > - * hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch: > - remove, included in v7.2.2 > - * d/rules, d/qemu.desktop: provide an icon for gtk display (qemu.display) > - * d/gbp.conf: set debian branch to debian-bookworm > - * pick 3 more fixes from qemu-devel@: > - rtl8139-fix-large_send_mss-divide-by-zero.patch > - target_i386-Change-wrong-XFRM-value.patch > - hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch > - * +linux-user-fix-getgroups-setgroups-allocations.patch (Closes: #811087) > - > - [ Vagrant Cascadian ] > - * debian/rules: Use 'printf' instead of 'echo' to avoid differences > - in underlying /bin/sh implementations. Closes: #1034431 > - > - -- Michael Tokarev <m...@tls.msk.ru> Sat, 29 Apr 2023 13:02:55 +0300 > - > qemu (1:7.2+dfsg-5) unstable; urgency=medium > > * d/qemu-guest-agent.udev: fix missing comma > diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/gbp.conf > qemu-7.2+dfsg-6/debian/gbp.conf > --- qemu-7.2+dfsg-6-no-v7.2.2/debian/gbp.conf 2023-04-29 12:05:13.000000000 > +0300 > +++ qemu-7.2+dfsg-6/debian/gbp.conf 2023-03-05 20:03:09.000000000 +0300 
> @@ -1,4 +1,3 @@ > [DEFAULT] > sign-tags = True > pristine-tar = True > -debian-branch = debian-bookworm > diff -upr --new-file > qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch > > qemu-7.2+dfsg-6/debian/patches/hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch > --- > qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch > 1970-01-01 03:00:00.000000000 +0300 > +++ > qemu-7.2+dfsg-6/debian/patches/hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch > 2023-04-29 12:58:18.000000000 +0300 
> @@ -0,0 +1,42 @@ > +From: Thomas Huth <th...@redhat.com> > +Subject: [PATCH] hw/mips/malta: Fix the malta machine on big endian hosts > +Date: Thu, 30 Mar 2023 17:26:13 +0200 > +Message-Id: <20230330152613.232082-1-th...@redhat.com> > +List-Id: <qemu-stable.nongnu.org> > + > +Booting a Linux kernel with the malta machine is currently broken > +on big endian hosts. The cpu_to_gt32 macro wants to byteswap a value > +for little endian targets only, but uses the wrong way to do this: > +cpu_to_[lb]e32 works the other way round on big endian hosts! Fix > +it by using the same ways on both, big and little endian hosts. > + > +Fixes: 0c8427baf0 ("hw/mips/malta: Use bootloader helper to set BAR > registers") > +Signed-off-by: Thomas Huth <th...@redhat.com> > +--- > + I've checked that both, the kernel from > + https://landley.net/toybox/downloads/binaries/mkroot/0.8.9/mipsel.tgz > + and the kernel from > + https://landley.net/toybox/downloads/binaries/mkroot/0.8.9/mips.tgz > + now boot fine on both, a little endian (x86) and a big endian (s390x) host. 
> + > + hw/mips/malta.c | 4 ++-- > + 1 file changed, 2 insertions(+), 2 deletions(-) > + > +diff --git a/hw/mips/malta.c b/hw/mips/malta.c > +index af9021316d..b26ed1fc9a 100644 > +--- a/hw/mips/malta.c > ++++ b/hw/mips/malta.c > +@@ -630,7 +630,7 @@ static void bl_setup_gt64120_jump_kernel(void **p, > uint64_t run_addr, > + /* Bus endianess is always reversed */ > + #if TARGET_BIG_ENDIAN > +-#define cpu_to_gt32 cpu_to_le32 > ++#define cpu_to_gt32(x) (x) > + #else > +-#define cpu_to_gt32 cpu_to_be32 > ++#define cpu_to_gt32(x) bswap32(x) > + #endif > + > +-- > +2.31.1 > + > + > diff -upr --new-file > qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch > > qemu-7.2+dfsg-6/debian/patches/hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch > --- > qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch > 2023-04-30 10:33:17.674095770 +0300 > +++ > qemu-7.2+dfsg-6/debian/patches/hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch > 1970-01-01 03:00:00.000000000 +0300 
> @@ -1,45 +0,0 @@ > -From: Yuval Shaia <yuval.shaia...@gmail.com> > -Subject: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest > driver > -Date: Sun, 3 Apr 2022 12:52:34 +0300 > -Message-Id: <20220403095234.2210-1-yuval.shaia...@gmail.com> > -Content-Type: text/plain; charset="utf-8" > -MIME-Version: 1.0 > -Content-Transfer-Encoding: 7bit > -Bug-Debian: https://bugs.debian.org/1014589 > - > -Guest driver might execute HW commands when shared buffers are not yet > -allocated. > -This could happen on purpose (malicious guest) or because of some other > -guest/host address mapping error. > -We need to protect against such case. > - > -Fixes: CVE-2022-1050 > - > -Reported-by: Raven <wxhu...@gmail.com> > -Signed-off-by: Yuval Shaia <yuval.shaia...@gmail.com> > ---- > -v1 -> v2: > - * Commit message changes > -v2 -> v3: > - * Exclude cosmetic changes > ---- > - hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ > - 1 file changed, 6 insertions(+) > - > -diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c > -index da7ddfa548..89db963c46 100644 > ---- a/hw/rdma/vmw/pvrdma_cmd.c > -+++ b/hw/rdma/vmw/pvrdma_cmd.c > -@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) > - > - dsr_info = &dev->dsr_info; > - > -+ if (!dsr_info->dsr) { > -+ /* Buggy or malicious guest driver */ > -+ rdma_error_report("Exec command without dsr, req or rsp > buffers"); > -+ goto out; > -+ } > -+ > - if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / > - sizeof(struct cmd_handler)) { > - rdma_error_report("Unsupported command"); > diff -upr --new-file > qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/linux-user-fix-getgroups-setgroups-allocations.patch > > qemu-7.2+dfsg-6/debian/patches/linux-user-fix-getgroups-setgroups-allocations.patch > --- > qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/linux-user-fix-getgroups-setgroups-allocations.patch > 1970-01-01 03:00:00.000000000 +0300 > +++ > qemu-7.2+dfsg-6/debian/patches/linux-user-fix-getgroups-setgroups-allocations.patch > 2023-04-26 
18:50:55.000000000 +0300 
> @@ -0,0 +1,213 @@ > +From b8c5ef59c357946f5982328641c24edd589fff45 Mon Sep 17 00:00:00 2001 > +From: Michael Tokarev <m...@tls.msk.ru> > +Date: Fri, 16 Dec 2022 18:07:07 +0300 > +Subject: [PATCH v4] linux-user: fix getgroups/setgroups allocations > + > +linux-user getgroups(), setgroups(), getgroups32() and setgroups32() > +used alloca() to allocate grouplist arrays, with unchecked gidsetsize > +coming from the "guest". With NGROUPS_MAX being 65536 (linux, and it > +is common for an application to allocate NGROUPS_MAX for getgroups()), > +this means a typical allocation is half the megabyte on the stack. > +Which just overflows stack, which leads to immediate SIGSEGV in actual > +system getgroups() implementation. > + > +An example of such issue is aptitude, eg > +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=811087#72 > + > +Cap gidsetsize to NGROUPS_MAX (return EINVAL if it is larger than that), > +and use heap allocation for grouplist instead of alloca(). While at it, > +fix coding style and make all 4 implementations identical. > + > +Try to not impose random limits - for example, allow gidsetsize to be > +negative for getgroups() - just do not allocate negative-sized grouplist > +in this case but still do actual getgroups() call. But do not allow > +negative gidsetsize for setgroups() since its argument is unsigned. > + > +Capping by NGROUPS_MAX seems a bit arbitrary, - we can do more, it is > +not an error if set size will be NGROUPS_MAX+1. But we should not allow > +integer overflow for the array being allocated. Maybe it is enough to > +just call g_try_new() and return ENOMEM if it fails. > + > +Maybe there's also no need to convert setgroups() since this one is > +usually smaller and known beforehand (KERN_NGROUPS_MAX is actually 63, - > +this is apparently a kernel-imposed limit for runtime group set). > + > +The patch fixes aptitude segfault mentioned above. 
> + > +Signed-off-by: Michael Tokarev <m...@tls.msk.ru> > +--- > +v4: > + - the same ret-vs-gidsetsize fix in getgroups32. > +v3: > + - fix a bug in getgroups(). In initial implementation I checked > + for ret>0 in order to convert returned list of groups to target > + byte order. But this clashes with unusual corner case for this > + syscall: getgroups(0,NULL) return current number of groups in > + the set, so this resulted in writing to *NULL. The right condition > + here is gidsetsize>0: > + - if (!is_error(ret) && ret > 0) { > + + if (!is_error(ret) && gidsetsize > 0) { > +v2: > + - remove g_free, use g_autofree annotations instead, > + - a bit more coding style changes, makes checkpatch.pl happy > + > + linux-user/syscall.c | 99 ++++++++++++++++++++++++++++++-------------- > + 1 file changed, 68 insertions(+), 31 deletions(-) > + > +diff --git a/linux-user/syscall.c b/linux-user/syscall.c > +index 24b25759be..c532ee92c1 100644 > +--- a/linux-user/syscall.c > ++++ b/linux-user/syscall.c > +@@ -11433,39 +11433,58 @@ static abi_long do_syscall1(CPUArchState *cpu_env, > int num, abi_long arg1, > + { > + int gidsetsize = arg1; > + target_id *target_grouplist; > +- gid_t *grouplist; > ++ g_autofree gid_t *grouplist = NULL; > + int i; > + > +- grouplist = alloca(gidsetsize * sizeof(gid_t)); > ++ if (gidsetsize > NGROUPS_MAX) { > ++ return -TARGET_EINVAL; > ++ } > ++ if (gidsetsize > 0) { > ++ grouplist = g_try_new(gid_t, gidsetsize); > ++ if (!grouplist) { > ++ return -TARGET_ENOMEM; > ++ } > ++ } > + ret = get_errno(getgroups(gidsetsize, grouplist)); > +- if (gidsetsize == 0) > +- return ret; > +- if (!is_error(ret)) { > +- target_grouplist = lock_user(VERIFY_WRITE, arg2, gidsetsize > * sizeof(target_id), 0); > +- if (!target_grouplist) > ++ if (!is_error(ret) && gidsetsize > 0) { > ++ target_grouplist = lock_user(VERIFY_WRITE, arg2, > ++ gidsetsize * > sizeof(target_id), 0); > ++ if (!target_grouplist) { > + return -TARGET_EFAULT; > +- for(i = 0;i < ret; i++) > ++ 
} > ++ for (i = 0; i < ret; i++) { > + target_grouplist[i] = > tswapid(high2lowgid(grouplist[i])); > +- unlock_user(target_grouplist, arg2, gidsetsize * > sizeof(target_id)); > ++ } > ++ unlock_user(target_grouplist, arg2, > ++ gidsetsize * sizeof(target_id)); > + } > ++ return ret; > + } > +- return ret; > + case TARGET_NR_setgroups: > + { > + int gidsetsize = arg1; > + target_id *target_grouplist; > +- gid_t *grouplist = NULL; > ++ g_autofree gid_t *grouplist = NULL; > + int i; > +- if (gidsetsize) { > +- grouplist = alloca(gidsetsize * sizeof(gid_t)); > +- target_grouplist = lock_user(VERIFY_READ, arg2, gidsetsize > * sizeof(target_id), 1); > ++ > ++ if (gidsetsize > NGROUPS_MAX || gidsetsize < 0) { > ++ return -TARGET_EINVAL; > ++ } > ++ if (gidsetsize > 0) { > ++ grouplist = g_try_new(gid_t, gidsetsize); > ++ if (!grouplist) { > ++ return -TARGET_ENOMEM; > ++ } > ++ target_grouplist = lock_user(VERIFY_READ, arg2, > ++ gidsetsize * > sizeof(target_id), 1); > + if (!target_grouplist) { > + return -TARGET_EFAULT; > + } > + for (i = 0; i < gidsetsize; i++) { > + grouplist[i] = > low2highgid(tswapid(target_grouplist[i])); > + } > +- unlock_user(target_grouplist, arg2, 0); > ++ unlock_user(target_grouplist, arg2, > ++ gidsetsize * sizeof(target_id)); > + } > + return get_errno(setgroups(gidsetsize, grouplist)); > + } > +@@ -11750,41 +11769,59 @@ static abi_long do_syscall1(CPUArchState *cpu_env, > int num, abi_long arg1, > + { > + int gidsetsize = arg1; > + uint32_t *target_grouplist; > +- gid_t *grouplist; > ++ g_autofree gid_t *grouplist = NULL; > + int i; > + > +- grouplist = alloca(gidsetsize * sizeof(gid_t)); > ++ if (gidsetsize > NGROUPS_MAX) { > ++ return -TARGET_EINVAL; > ++ } > ++ if (gidsetsize > 0) { > ++ grouplist = g_try_new(gid_t, gidsetsize); > ++ if (!grouplist) { > ++ return -TARGET_ENOMEM; > ++ } > ++ } > + ret = get_errno(getgroups(gidsetsize, grouplist)); > +- if (gidsetsize == 0) > +- return ret; > +- if (!is_error(ret)) { > +- target_grouplist 
= lock_user(VERIFY_WRITE, arg2, gidsetsize > * 4, 0); > ++ if (!is_error(ret) && gidsetsize > 0) { > ++ target_grouplist = lock_user(VERIFY_WRITE, arg2, > ++ gidsetsize * 4, 0); > + if (!target_grouplist) { > + return -TARGET_EFAULT; > + } > +- for(i = 0;i < ret; i++) > ++ for (i = 0; i < ret; i++) { > + target_grouplist[i] = tswap32(grouplist[i]); > ++ } > + unlock_user(target_grouplist, arg2, gidsetsize * 4); > + } > ++ return ret; > + } > +- return ret; > + #endif > + #ifdef TARGET_NR_setgroups32 > + case TARGET_NR_setgroups32: > + { > + int gidsetsize = arg1; > + uint32_t *target_grouplist; > +- gid_t *grouplist; > ++ g_autofree gid_t *grouplist = NULL; > + int i; > + > +- grouplist = alloca(gidsetsize * sizeof(gid_t)); > +- target_grouplist = lock_user(VERIFY_READ, arg2, gidsetsize * 4, > 1); > +- if (!target_grouplist) { > +- return -TARGET_EFAULT; > ++ if (gidsetsize > NGROUPS_MAX || gidsetsize < 0) { > ++ return -TARGET_EINVAL; > ++ } > ++ if (gidsetsize > 0) { > ++ grouplist = g_try_new(gid_t, gidsetsize); > ++ if (!grouplist) { > ++ return -TARGET_ENOMEM; > ++ } > ++ target_grouplist = lock_user(VERIFY_READ, arg2, > ++ gidsetsize * 4, 1); > ++ if (!target_grouplist) { > ++ return -TARGET_EFAULT; > ++ } > ++ for (i = 0; i < gidsetsize; i++) { > ++ grouplist[i] = tswap32(target_grouplist[i]); > ++ } > ++ unlock_user(target_grouplist, arg2, 0); > + } > +- for(i = 0;i < gidsetsize; i++) > +- grouplist[i] = tswap32(target_grouplist[i]); > +- unlock_user(target_grouplist, arg2, 0); > + return get_errno(setgroups(gidsetsize, grouplist)); > + } > + #endif > +-- > +2.30.2 > + > diff -upr --new-file > qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/rtl8139-fix-large_send_mss-divide-by-zero.patch > > qemu-7.2+dfsg-6/debian/patches/rtl8139-fix-large_send_mss-divide-by-zero.patch > --- > qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/rtl8139-fix-large_send_mss-divide-by-zero.patch > 1970-01-01 03:00:00.000000000 +0300 > +++ > 
qemu-7.2+dfsg-6/debian/patches/rtl8139-fix-large_send_mss-divide-by-zero.patch > 2023-04-26 18:50:55.000000000 +0300 
> @@ -0,0 +1,68 @@ > +From: Stefan Hajnoczi <stefa...@redhat.com> > +Subject: [PATCH] rtl8139: fix large_send_mss divide-by-zero > +Date: Thu, 13 Apr 2023 13:19:46 -0400 > +Message-Id: <20230413171946.2865726-1-stefa...@redhat.com> > +List-Id: <qemu-devel.nongnu.org> > + > +If the driver sets large_send_mss to 0 then a divide-by-zero occurs. > +Even if the division wasn't a problem, the for loop that emits MSS-sized > +packets would never terminate. > + > +Solve these issues by skipping offloading when large_send_mss=0. > + > +This issue was found by OSS-Fuzz as part of Alexander Bulekov's device > +fuzzing work. The reproducer is: > + > + $ cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest, -m \ > + 512M,slots=1,maxmem=0xffff000000000000 -machine q35 -nodefaults -device \ > + rtl8139,netdev=net0 -netdev user,id=net0 -device \ > + pc-dimm,id=nv1,memdev=mem1,addr=0xb800a64602800000 -object \ > + memory-backend-ram,id=mem1,size=2M -qtest stdio > + outl 0xcf8 0x80000814 > + outl 0xcfc 0xe0000000 > + outl 0xcf8 0x80000804 > + outw 0xcfc 0x06 > + write 0xe0000037 0x1 0x04 > + write 0xe00000e0 0x2 0x01 > + write 0x1 0x1 0x04 > + write 0x3 0x1 0x98 > + write 0xa 0x1 0x8c > + write 0xb 0x1 0x02 > + write 0xc 0x1 0x46 > + write 0xd 0x1 0xa6 > + write 0xf 0x1 0xb8 > + write 0xb800a646028c000c 0x1 0x08 > + write 0xb800a646028c000e 0x1 0x47 > + write 0xb800a646028c0010 0x1 0x02 > + write 0xb800a646028c0017 0x1 0x06 > + write 0xb800a646028c0036 0x1 0x80 > + write 0xe00000d9 0x1 0x40 > + EOF > + > +Buglink: https://gitlab.com/qemu-project/qemu/-/issues/1582 > +Fixes: 6d71357a3b65 ("rtl8139: honor large send MSS value") > +Reported-by: Alexander Bulekov <alx...@bu.edu> > +Cc: Peter Maydell <peter.mayd...@linaro.org> > +Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com> > +--- > + hw/net/rtl8139.c | 3 +++ > + 1 file changed, 3 insertions(+) > + > +diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c > +index 5a5aaf868d..5f1a4d359b 100644 > +--- a/hw/net/rtl8139.c > 
++++ b/hw/net/rtl8139.c > +@@ -2154,6 +2154,9 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) > + > + int large_send_mss = (txdw0 >> CP_TC_LGSEN_MSS_SHIFT) & > + CP_TC_LGSEN_MSS_MASK; > ++ if (large_send_mss == 0) { > ++ goto skip_offload; > ++ } > + > + DPRINTF("+++ C+ mode offloaded task TSO IP data %d " > + "frame data %d specified MSS=%d\n", > +-- > +2.39.2 > + > + > diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/series > qemu-7.2+dfsg-6/debian/patches/series > --- qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/series 2023-04-30 > 10:37:10.747921243 +0300 > +++ qemu-7.2+dfsg-6/debian/patches/series 2023-04-29 12:57:45.000000000 > +0300 > @@ -1,4 +1,5 @@ > v7.2.1.diff > +v7.2.2.diff > microvm-default-machine-type.patch > skip-meson-pc-bios.diff > linux-user-binfmt-P.diff > @@ -15,4 +16,7 @@ spelling.diff > openbios-spelling-endianess.patch > slof-spelling-seperator.patch > ignore-roms-dependency-in-qtest.patch > -hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch > +linux-user-fix-getgroups-setgroups-allocations.patch > +rtl8139-fix-large_send_mss-divide-by-zero.patch > +target_i386-Change-wrong-XFRM-value.patch > +hw_mips_malta-Fix-malta-machine-on-big-endian-hosts.patch > diff -upr --new-file > qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/target_i386-Change-wrong-XFRM-value.patch > qemu-7.2+dfsg-6/debian/patches/target_i386-Change-wrong-XFRM-value.patch > --- > qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/target_i386-Change-wrong-XFRM-value.patch > 1970-01-01 03:00:00.000000000 +0300 > +++ qemu-7.2+dfsg-6/debian/patches/target_i386-Change-wrong-XFRM-value.patch > 2023-04-26 18:50:55.000000000 +0300 
> @@ -0,0 +1,34 @@ > +From: Yang Zhong <yang.zh...@linux.intel.com> > +Subject: [PATCH v3] target/i386: Change wrong XFRM value > +Date: Thu, 6 Apr 2023 02:40:41 -0400 > +Message-Id: <20230406064041.420039-1-yang.zh...@linux.intel.com> > +List-Id: <qemu-devel.nongnu.org> > + > +The previous patch wrongly replaced FEAT_XSAVE_XCR0_{LO|HI} with > +FEAT_XSAVE_XSS_{LO|HI} in CPUID(EAX=12,ECX=1):{ECX,EDX}, which made > +SGX enclave only supported SSE and x87 feature(xfrm=0x3). > + > +Fixes: 301e90675c3f ("target/i386: Enable support for XSAVES based features") > + > +Signed-off-by: Yang Zhong <yang.zh...@linux.intel.com> > +Reviewed-by: Yang Weijiang <weijiang.y...@intel.com> > +--- > + target/i386/cpu.c | 4 ++-- > + 1 file changed, 2 insertions(+), 2 deletions(-) > + > +diff --git a/target/i386/cpu.c b/target/i386/cpu.c > +index 6576287e5b..f083ff4335 100644 > +--- a/target/i386/cpu.c > ++++ b/target/i386/cpu.c > +@@ -5718,8 +5718,8 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, > uint32_t count, > + } else { > + *eax &= env->features[FEAT_SGX_12_1_EAX]; > + *ebx &= 0; /* ebx reserve */ > +- *ecx &= env->features[FEAT_XSAVE_XSS_LO]; > +- *edx &= env->features[FEAT_XSAVE_XSS_HI]; > ++ *ecx &= env->features[FEAT_XSAVE_XCR0_LO]; > ++ *edx &= env->features[FEAT_XSAVE_XCR0_HI]; > + > + /* FP and SSE are always allowed regardless of XSAVE/XCR0. */ > + *ecx |= XSTATE_FP_MASK | XSTATE_SSE_MASK; > + > diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/v7.2.2.diff > qemu-7.2+dfsg-6/debian/patches/v7.2.2.diff > --- qemu-7.2+dfsg-6-no-v7.2.2/debian/patches/v7.2.2.diff 1970-01-01 > 03:00:00.000000000 +0300 > +++ qemu-7.2+dfsg-6/debian/patches/v7.2.2.diff 2023-04-29 > 12:09:29.000000000 +0300 
> @@ -0,0 +1,514 @@ > +Subject: v7.2.2 > +Date: Sat, 29 Apr 2023 12:09:18 +0300 > +From: Michael Tokarev <m...@tls.msk.ru> > +Forwarded: not-needed > + > +This is a difference between upstream qemu v7.2.1 > +and upstream qemu v7.2.2. > + > + VERSION | 2 +- > + block/vhdx-log.c | 2 +- > + hw/arm/boot.c | 5 ++++- > + hw/net/vmxnet3.c | 2 +- > + hw/nvme/ctrl.c | 3 +++ > + hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ > + include/qemu/osdep.h | 2 +- > + io/channel-tls.c | 3 +++ > + linux-user/fd-trans.c | 10 ++++++--- > + linux-user/fd-trans.h | 1 + > + linux-user/generic/target_resource.h | 4 ++-- > + linux-user/syscall.c | 21 ++++++++++++------ > + qga/commands.c | 5 ++--- > + qga/installer/qemu-ga.wxs | 1 + > + qga/vss-win32/install.cpp | 2 +- > + target/arm/cpu.h | 3 +++ > + target/s390x/arch_dump.c | 2 +- > + target/s390x/cpu.h | 1 + > + target/s390x/s390x-internal.h | 3 ++- > + target/s390x/tcg/insn-data.h.inc | 4 ++-- > + target/s390x/tcg/mem_helper.c | 1 + > + target/s390x/tcg/translate.c | 41 > ++++++++++++++++++++++++++++-------- > + ui/gtk.c | 4 +++- > + util/fdmon-epoll.c | 25 ++++++++++++++++------ > + 24 files changed, 112 insertions(+), 41 deletions(-) > + > +diff --git a/VERSION b/VERSION > +index b26a34e470..77f5bec5b2 100644 > +--- a/VERSION > ++++ b/VERSION > +@@ -1 +1 @@ > +-7.2.1 > ++7.2.2 > +diff --git a/block/vhdx-log.c b/block/vhdx-log.c > +index 572582b87b..0866897a85 100644 > +--- a/block/vhdx-log.c > ++++ b/block/vhdx-log.c > +@@ -980,7 +980,7 @@ static int vhdx_log_write(BlockDriverState *bs, > BDRVVHDXState *s, > + sector_write = merged_sector; > + } else if (i == sectors - 1 && trailing_length) { > + /* partial sector at the end of the buffer */ > +- ret = bdrv_pread(bs->file, file_offset, > ++ ret = bdrv_pread(bs->file, file_offset + trailing_length, > + VHDX_LOG_SECTOR_SIZE - trailing_length, > + merged_sector + trailing_length, 0); > + if (ret < 0) { > +diff --git a/hw/arm/boot.c b/hw/arm/boot.c > +index 15c2bf1867..725bab8adc 100644 > +--- 
a/hw/arm/boot.c > ++++ b/hw/arm/boot.c > +@@ -686,7 +686,10 @@ int arm_load_dtb(hwaddr addr, const struct > arm_boot_info *binfo, > + qemu_register_reset_nosnapshotload(qemu_fdt_randomize_seeds, > + rom_ptr_for_as(as, addr, size)); > + > +- g_free(fdt); > ++ if (fdt != ms->fdt) { > ++ g_free(ms->fdt); > ++ ms->fdt = fdt; > ++ } > + > + return size; > + > +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c > +index d2ab527ef4..56559cda24 100644 > +--- a/hw/net/vmxnet3.c > ++++ b/hw/net/vmxnet3.c > +@@ -1441,7 +1441,7 @@ static void vmxnet3_activate_device(VMXNET3State *s) > + vmxnet3_setup_rx_filtering(s); > + /* Cache fields from shared memory */ > + s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu); > +- assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU); > ++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu <= VMXNET3_MAX_MTU); > + VMW_CFPRN("MTU is %u", s->mtu); > + > + s->max_rx_frags = > +diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c > +index 1d3e058452..749a6938dd 100644 > +--- a/hw/nvme/ctrl.c > ++++ b/hw/nvme/ctrl.c > +@@ -2491,6 +2491,9 @@ static uint16_t nvme_dsm(NvmeCtrl *n, NvmeRequest *req) > + status = nvme_h2c(n, (uint8_t *)iocb->range, sizeof(NvmeDsmRange) * > nr, > + req); > + if (status) { > ++ g_free(iocb->range); > ++ qemu_aio_unref(iocb); > ++ > + return status; > + } > + > +diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c > +index da7ddfa548..89db963c46 100644 > +--- a/hw/rdma/vmw/pvrdma_cmd.c > ++++ b/hw/rdma/vmw/pvrdma_cmd.c > +@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) > + > + dsr_info = &dev->dsr_info; > + > ++ if (!dsr_info->dsr) { > ++ /* Buggy or malicious guest driver */ > ++ rdma_error_report("Exec command without dsr, req or rsp > buffers"); > ++ goto out; > ++ } > ++ > + if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / > + sizeof(struct cmd_handler)) { > + rdma_error_report("Unsupported command"); > +diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h > +index 
b9c4307779..3d6cb431ad 100644 > +--- a/include/qemu/osdep.h > ++++ b/include/qemu/osdep.h > +@@ -177,7 +177,7 @@ extern "C" { > + * supports QEMU_ERROR, this will be reported at compile time; otherwise > + * this will be reported at link time due to the missing symbol. > + */ > +-extern G_NORETURN > ++G_NORETURN extern > + void QEMU_ERROR("code path is reachable") > + qemu_build_not_reached_always(void); > + #if defined(__OPTIMIZE__) && !defined(__NO_INLINE__) > +diff --git a/io/channel-tls.c b/io/channel-tls.c > +index 4ce890a538..4ce08ccc28 100644 > +--- a/io/channel-tls.c > ++++ b/io/channel-tls.c > +@@ -74,6 +74,9 @@ qio_channel_tls_new_server(QIOChannel *master, > + ioc = QIO_CHANNEL_TLS(object_new(TYPE_QIO_CHANNEL_TLS)); > + > + ioc->master = master; > ++ if (qio_channel_has_feature(master, QIO_CHANNEL_FEATURE_SHUTDOWN)) { > ++ qio_channel_set_feature(QIO_CHANNEL(ioc), > QIO_CHANNEL_FEATURE_SHUTDOWN); > ++ } > + object_ref(OBJECT(master)); > + > + ioc->session = qcrypto_tls_session_new( > +diff --git a/linux-user/fd-trans.c b/linux-user/fd-trans.c > +index 7b25468d02..146aaaafaa 100644 > +--- a/linux-user/fd-trans.c > ++++ b/linux-user/fd-trans.c > +@@ -1622,7 +1622,7 @@ TargetFdTrans target_signalfd_trans = { > + .host_to_target_data = host_to_target_data_signalfd, > + }; > + > +-static abi_long swap_data_eventfd(void *buf, size_t len) > ++static abi_long swap_data_u64(void *buf, size_t len) > + { > + uint64_t *counter = buf; > + int i; > +@@ -1640,8 +1640,12 @@ static abi_long swap_data_eventfd(void *buf, size_t > len) > + } > + > + TargetFdTrans target_eventfd_trans = { > +- .host_to_target_data = swap_data_eventfd, > +- .target_to_host_data = swap_data_eventfd, > ++ .host_to_target_data = swap_data_u64, > ++ .target_to_host_data = swap_data_u64, > ++}; > ++ > ++TargetFdTrans target_timerfd_trans = { > ++ .host_to_target_data = swap_data_u64, > + }; > + > + #if defined(CONFIG_INOTIFY) && (defined(TARGET_NR_inotify_init) || \ > +diff --git 
a/linux-user/fd-trans.h b/linux-user/fd-trans.h > +index 1b9fa2041c..910faaf237 100644 > +--- a/linux-user/fd-trans.h > ++++ b/linux-user/fd-trans.h > +@@ -130,6 +130,7 @@ extern TargetFdTrans target_netlink_route_trans; > + extern TargetFdTrans target_netlink_audit_trans; > + extern TargetFdTrans target_signalfd_trans; > + extern TargetFdTrans target_eventfd_trans; > ++extern TargetFdTrans target_timerfd_trans; > + #if (defined(TARGET_NR_inotify_init) && defined(__NR_inotify_init)) || \ > + (defined(CONFIG_INOTIFY1) && defined(TARGET_NR_inotify_init1) && \ > + defined(__NR_inotify_init1)) > +diff --git a/linux-user/generic/target_resource.h > b/linux-user/generic/target_resource.h > +index 539d8c4677..37d3eb09b3 100644 > +--- a/linux-user/generic/target_resource.h > ++++ b/linux-user/generic/target_resource.h > +@@ -12,8 +12,8 @@ struct target_rlimit { > + }; > + > + struct target_rlimit64 { > +- uint64_t rlim_cur; > +- uint64_t rlim_max; > ++ abi_ullong rlim_cur; > ++ abi_ullong rlim_max; > + }; > + > + #define TARGET_RLIM_INFINITY ((abi_ulong)-1) > +diff --git a/linux-user/syscall.c b/linux-user/syscall.c > +index 24b25759be..9ca30149d4 100644 > +--- a/linux-user/syscall.c > ++++ b/linux-user/syscall.c > +@@ -1755,6 +1755,11 @@ static inline abi_long target_to_host_sockaddr(int > fd, struct sockaddr *addr, > + lladdr = (struct target_sockaddr_ll *)addr; > + lladdr->sll_ifindex = tswap32(lladdr->sll_ifindex); > + lladdr->sll_hatype = tswap16(lladdr->sll_hatype); > ++ } else if (sa_family == AF_INET6) { > ++ struct sockaddr_in6 *in6addr; > ++ > ++ in6addr = (struct sockaddr_in6 *)addr; > ++ in6addr->sin6_scope_id = tswap32(in6addr->sin6_scope_id); > + } > + unlock_user(target_saddr, target_addr, 0); > + > +@@ -12883,8 +12888,8 @@ static abi_long do_syscall1(CPUArchState *cpu_env, > int num, abi_long arg1, > + if (!lock_user_struct(VERIFY_READ, target_rnew, arg3, 1)) { > + return -TARGET_EFAULT; > + } > +- rnew.rlim_cur = tswap64(target_rnew->rlim_cur); > +- 
rnew.rlim_max = tswap64(target_rnew->rlim_max); > ++ __get_user(rnew.rlim_cur, &target_rnew->rlim_cur); > ++ __get_user(rnew.rlim_max, &target_rnew->rlim_max); > + unlock_user_struct(target_rnew, arg3, 0); > + rnewp = &rnew; > + } > +@@ -12894,8 +12899,8 @@ static abi_long do_syscall1(CPUArchState *cpu_env, > int num, abi_long arg1, > + if (!lock_user_struct(VERIFY_WRITE, target_rold, arg4, 1)) { > + return -TARGET_EFAULT; > + } > +- target_rold->rlim_cur = tswap64(rold.rlim_cur); > +- target_rold->rlim_max = tswap64(rold.rlim_max); > ++ __put_user(rold.rlim_cur, &target_rold->rlim_cur); > ++ __put_user(rold.rlim_max, &target_rold->rlim_max); > + unlock_user_struct(target_rold, arg4, 1); > + } > + return ret; > +@@ -13115,8 +13120,12 @@ static abi_long do_syscall1(CPUArchState *cpu_env, > int num, abi_long arg1, > + > + #if defined(TARGET_NR_timerfd_create) && defined(CONFIG_TIMERFD) > + case TARGET_NR_timerfd_create: > +- return get_errno(timerfd_create(arg1, > +- target_to_host_bitmask(arg2, fcntl_flags_tbl))); > ++ ret = get_errno(timerfd_create(arg1, > ++ target_to_host_bitmask(arg2, fcntl_flags_tbl))); > ++ if (ret >= 0) { > ++ fd_trans_register(ret, &target_timerfd_trans); > ++ } > ++ return ret; > + #endif > + > + #if defined(TARGET_NR_timerfd_gettime) && defined(CONFIG_TIMERFD) > +diff --git a/qga/commands.c b/qga/commands.c > +index 7ff551d092..6cf978322e 100644 > +--- a/qga/commands.c > ++++ b/qga/commands.c > +@@ -32,9 +32,8 @@ > + #define GUEST_FILE_READ_COUNT_MAX (48 * MiB) > + > + /* Note: in some situations, like with the fsfreeze, logging may be > +- * temporarilly disabled. if it is necessary that a command be able > +- * to log for accounting purposes, check ga_logging_enabled() beforehand, > +- * and use the QERR_QGA_LOGGING_DISABLED to generate an error > ++ * temporarily disabled. if it is necessary that a command be able > ++ * to log for accounting purposes, check ga_logging_enabled() beforehand. > + */ > + void slog(const gchar *fmt, ...) 
> + { > +diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs > +index 813d1c6ca6..3442383627 100644 > +--- a/qga/installer/qemu-ga.wxs > ++++ b/qga/installer/qemu-ga.wxs > +@@ -31,6 +31,7 @@ > + /> > + <Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab" > EmbedCab="yes" /> > + <Property Id="WHSLogo">1</Property> > ++ <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" /> > + <MajorUpgrade > + DowngradeErrorMessage="Error: A newer version of QEMU guest agent is > already installed." > + /> > +diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp > +index b57508fbe0..b8087e5baa 100644 > +--- a/qga/vss-win32/install.cpp > ++++ b/qga/vss-win32/install.cpp > +@@ -518,7 +518,7 @@ namespace _com_util > + /* Stop QGA VSS provider service using Winsvc API */ > + STDAPI StopService(void) > + { > +- HRESULT hr; > ++ HRESULT hr = S_OK; > + SC_HANDLE manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); > + SC_HANDLE service = NULL; > + > +diff --git a/target/arm/cpu.h b/target/arm/cpu.h > +index 9aeed3c848..a9cd7178f8 100644 > +--- a/target/arm/cpu.h > ++++ b/target/arm/cpu.h > +@@ -2407,6 +2407,9 @@ static inline bool arm_is_el3_or_mon(CPUARMState *env) > + /* Return true if the processor is in secure state */ > + static inline bool arm_is_secure(CPUARMState *env) > + { > ++ if (arm_feature(env, ARM_FEATURE_M)) { > ++ return env->v7m.secure; > ++ } > + if (arm_is_el3_or_mon(env)) { > + return true; > + } > +diff --git a/target/s390x/arch_dump.c b/target/s390x/arch_dump.c > +index a2329141e8..a7c44ba49d 100644 > +--- a/target/s390x/arch_dump.c > ++++ b/target/s390x/arch_dump.c > +@@ -248,7 +248,7 @@ static int s390x_write_elf64_notes(const char *note_name, > + notep = g_malloc(note_size); > + } > + > +- memset(notep, 0, sizeof(note)); > ++ memset(notep, 0, note_size); > + > + /* Setup note header data */ > + notep->hdr.n_descsz = cpu_to_be32(content_size); > +diff --git a/target/s390x/cpu.h b/target/s390x/cpu.h > +index 
7d6d01325b..8aaf8dd5a3 100644 > +--- a/target/s390x/cpu.h > ++++ b/target/s390x/cpu.h > +@@ -87,6 +87,7 @@ struct CPUArchState { > + uint64_t cc_vr; > + > + uint64_t ex_value; > ++ uint64_t ex_target; > + > + uint64_t __excp_addr; > + uint64_t psa; > +diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h > +index 5d4361d35b..825252d728 100644 > +--- a/target/s390x/s390x-internal.h > ++++ b/target/s390x/s390x-internal.h > +@@ -11,6 +11,7 @@ > + #define S390X_INTERNAL_H > + > + #include "cpu.h" > ++#include "fpu/softfloat.h" > + > + #ifndef CONFIG_USER_ONLY > + typedef struct LowCore { > +@@ -299,7 +300,7 @@ uint32_t set_cc_nz_f128(float128 v); > + uint8_t s390_softfloat_exc_to_ieee(unsigned int exc); > + int s390_swap_bfp_rounding_mode(CPUS390XState *env, int m3); > + void s390_restore_bfp_rounding_mode(CPUS390XState *env, int old_mode); > +-int float_comp_to_cc(CPUS390XState *env, int float_compare); > ++int float_comp_to_cc(CPUS390XState *env, FloatRelation float_compare); > + > + #define DCMASK_ZERO 0x0c00 > + #define DCMASK_NORMAL 0x0300 > +diff --git a/target/s390x/tcg/insn-data.h.inc > b/target/s390x/tcg/insn-data.h.inc > +index 54d4250c9f..2a5fc99818 100644 > +--- a/target/s390x/tcg/insn-data.h.inc > ++++ b/target/s390x/tcg/insn-data.h.inc > +@@ -199,8 +199,8 @@ > + C(0xe55c, CHSI, SIL, GIE, m1_32s, i2, 0, 0, 0, cmps64) > + C(0xe558, CGHSI, SIL, GIE, m1_64, i2, 0, 0, 0, cmps64) > + /* COMPARE HALFWORD RELATIVE LONG */ > +- C(0xc605, CHRL, RIL_b, GIE, r1_o, mri2_32s, 0, 0, 0, cmps32) > +- C(0xc604, CGHRL, RIL_b, GIE, r1_o, mri2_64, 0, 0, 0, cmps64) > ++ C(0xc605, CHRL, RIL_b, GIE, r1_o, mri2_16s, 0, 0, 0, cmps32) > ++ C(0xc604, CGHRL, RIL_b, GIE, r1_o, mri2_16s, 0, 0, 0, cmps64) > + /* COMPARE HIGH */ > + C(0xb9cd, CHHR, RRE, HW, r1_sr32, r2_sr32, 0, 0, 0, cmps32) > + C(0xb9dd, CHLR, RRE, HW, r1_sr32, r2_o, 0, 0, 0, cmps32) > +diff --git a/target/s390x/tcg/mem_helper.c b/target/s390x/tcg/mem_helper.c > +index 3758b9e688..7e7de5e2f1 100644 
> +--- a/target/s390x/tcg/mem_helper.c > ++++ b/target/s390x/tcg/mem_helper.c > +@@ -2618,6 +2618,7 @@ void HELPER(ex)(CPUS390XState *env, uint32_t ilen, > uint64_t r1, uint64_t addr) > + that ex_value is non-zero, which flags that we are in a state > + that requires such execution. */ > + env->ex_value = insn | ilen; > ++ env->ex_target = addr; > + } > + > + uint32_t HELPER(mvcos)(CPUS390XState *env, uint64_t dest, uint64_t src, > +diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c > +index 1e599ac259..e328aa5b97 100644 > +--- a/target/s390x/tcg/translate.c > ++++ b/target/s390x/tcg/translate.c > +@@ -5962,9 +5962,25 @@ static void in2_a2(DisasContext *s, DisasOps *o) > + } > + #define SPEC_in2_a2 0 > + > ++static TCGv gen_ri2(DisasContext *s) > ++{ > ++ int64_t delta = (int64_t)get_field(s, i2) * 2; > ++ TCGv ri2; > ++ > ++ if (unlikely(s->ex_value)) { > ++ ri2 = tcg_temp_new_i64(); > ++ tcg_gen_ld_i64(ri2, cpu_env, offsetof(CPUS390XState, ex_target)); > ++ tcg_gen_addi_i64(ri2, ri2, delta); > ++ } else { > ++ ri2 = tcg_constant_i64(s->base.pc_next + delta); > ++ } > ++ > ++ return ri2; > ++} > ++ > + static void in2_ri2(DisasContext *s, DisasOps *o) > + { > +- o->in2 = tcg_const_i64(s->base.pc_next + (int64_t)get_field(s, i2) * 2); > ++ o->in2 = gen_ri2(s); > + } > + #define SPEC_in2_ri2 0 > + > +@@ -6050,31 +6066,38 @@ static void in2_m2_64a(DisasContext *s, DisasOps *o) > + #define SPEC_in2_m2_64a 0 > + #endif > + > ++static void in2_mri2_16s(DisasContext *s, DisasOps *o) > ++{ > ++ o->in2 = tcg_temp_new_i64(); > ++ tcg_gen_qemu_ld16s(o->in2, gen_ri2(s), get_mem_index(s)); > ++} > ++#define SPEC_in2_mri2_16s 0 > ++ > + static void in2_mri2_16u(DisasContext *s, DisasOps *o) > + { > +- in2_ri2(s, o); > +- tcg_gen_qemu_ld16u(o->in2, o->in2, get_mem_index(s)); > ++ o->in2 = tcg_temp_new_i64(); > ++ tcg_gen_qemu_ld16u(o->in2, gen_ri2(s), get_mem_index(s)); > + } > + #define SPEC_in2_mri2_16u 0 > + > + static void in2_mri2_32s(DisasContext *s, 
DisasOps *o) > + { > +- in2_ri2(s, o); > +- tcg_gen_qemu_ld32s(o->in2, o->in2, get_mem_index(s)); > ++ o->in2 = tcg_temp_new_i64(); > ++ tcg_gen_qemu_ld32s(o->in2, gen_ri2(s), get_mem_index(s)); > + } > + #define SPEC_in2_mri2_32s 0 > + > + static void in2_mri2_32u(DisasContext *s, DisasOps *o) > + { > +- in2_ri2(s, o); > +- tcg_gen_qemu_ld32u(o->in2, o->in2, get_mem_index(s)); > ++ o->in2 = tcg_temp_new_i64(); > ++ tcg_gen_qemu_ld32u(o->in2, gen_ri2(s), get_mem_index(s)); > + } > + #define SPEC_in2_mri2_32u 0 > + > + static void in2_mri2_64(DisasContext *s, DisasOps *o) > + { > +- in2_ri2(s, o); > +- tcg_gen_qemu_ld64(o->in2, o->in2, get_mem_index(s)); > ++ o->in2 = tcg_temp_new_i64(); > ++ tcg_gen_qemu_ld64(o->in2, gen_ri2(s), get_mem_index(s)); > + } > + #define SPEC_in2_mri2_64 0 > + > +diff --git a/ui/gtk.c b/ui/gtk.c > +index 4817623c8f..dfaf6d33c3 100644 > +--- a/ui/gtk.c > ++++ b/ui/gtk.c > +@@ -1783,7 +1783,9 @@ static void gd_vc_chr_accept_input(Chardev *chr) > + VCChardev *vcd = VC_CHARDEV(chr); > + VirtualConsole *vc = vcd->console; > + > +- gd_vc_send_chars(vc); > ++ if (vc) { > ++ gd_vc_send_chars(vc); > ++ } > + } > + > + static void gd_vc_chr_set_echo(Chardev *chr, bool echo) > +diff --git a/util/fdmon-epoll.c b/util/fdmon-epoll.c > +index e11a8a022e..1683aa1105 100644 > +--- a/util/fdmon-epoll.c > ++++ b/util/fdmon-epoll.c > +@@ -127,6 +127,8 @@ static bool fdmon_epoll_try_enable(AioContext *ctx) > + > + bool fdmon_epoll_try_upgrade(AioContext *ctx, unsigned npfd) > + { > ++ bool ok; > ++ > + if (ctx->epollfd < 0) { > + return false; > + } > +@@ -136,14 +138,23 @@ bool fdmon_epoll_try_upgrade(AioContext *ctx, unsigned > npfd) > + return false; > + } > + > +- if (npfd >= EPOLL_ENABLE_THRESHOLD) { > +- if (fdmon_epoll_try_enable(ctx)) { > +- return true; > +- } else { > +- fdmon_epoll_disable(ctx); > +- } > ++ if (npfd < EPOLL_ENABLE_THRESHOLD) { > ++ return false; > ++ } > ++ > ++ /* The list must not change while we add fds to epoll */ > ++ if 
(!qemu_lockcnt_dec_if_lock(&ctx->list_lock)) { > ++ return false; > ++ } > ++ > ++ ok = fdmon_epoll_try_enable(ctx); > ++ > ++ qemu_lockcnt_inc_and_unlock(&ctx->list_lock); > ++ > ++ if (!ok) { > ++ fdmon_epoll_disable(ctx); > + } > +- return false; > ++ return ok; > + } > + > + void fdmon_epoll_setup(AioContext *ctx) > diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/qemu.desktop > qemu-7.2+dfsg-6/debian/qemu.desktop > --- qemu-7.2+dfsg-6-no-v7.2.2/debian/qemu.desktop 2023-04-29 > 12:05:13.000000000 +0300 > +++ qemu-7.2+dfsg-6/debian/qemu.desktop 1970-01-01 03:00:00.000000000 > +0300 > @@ -1,8 +0,0 @@ > -# Just for the icon under wayland. > -# qemu-system-foo sets application name to qemu > -[Desktop Entry] > -Name=qemu > -Comment=QEMU System Emulation > -Icon=qemu > -Type=Application > -NoDisplay=true > diff -upr --new-file qemu-7.2+dfsg-6-no-v7.2.2/debian/rules > qemu-7.2+dfsg-6/debian/rules > --- qemu-7.2+dfsg-6-no-v7.2.2/debian/rules 2023-04-29 12:05:13.000000000 > +0300 > +++ qemu-7.2+dfsg-6/debian/rules 2023-03-05 20:03:09.000000000 +0300 > @@ -477,7 +477,7 @@ sysdata-components += skiboot > build-vof: b/vof/vof.bin > b/vof/vof.bin: | b > mkdir -p b/vof > - printf > 'CC=$${CROSS}gcc\nLD=$${CROSS}ld\nOBJCOPY=$${CROSS}objcopy\nEXTRA_CFLAGS=-m32 > -mbig-endian' > b/vof/config.mak > + echo > 'CC=$${CROSS}gcc\nLD=$${CROSS}ld\nOBJCOPY=$${CROSS}objcopy\nEXTRA_CFLAGS=-m32 > -mbig-endian' > b/vof/config.mak > ${MAKE} -C b/vof CROSS=${PPC64_CROSSPFX} SRC_DIR=../../pc-bios/vof > -f../../pc-bios/vof/Makefile > install-vof: b/vof/vof.bin > install -m 0644 -t ${sysdataidir} $< 
> @@ -614,11 +614,8 @@ build-indep: $(addprefix build-, ${sysda > > override_dh_auto_install-indep: $(addprefix install-, ${sysdata-components}) > # qemu-system-data > -# icon for gtk ui > install -Dp -m0644 ui/icons/qemu.svg \ > -t debian/qemu-system-data/usr/share/icons/hicolor/scalable/apps/ > - install -Dp -m0644 debian/qemu.desktop \ > - -t debian/qemu-system-data/usr/share/applications/ > # icon for sdl2 ui (non-sdl-image version) > install -Dp -m0644 ui/icons/qemu_32x32.png \ > -t debian/qemu-system-data/usr/share/icons/hicolor/32x32/apps/ -- Sebastian Ramacher
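Review bot: dropping hw-pvrdma-protect-against-guest-driver-CVE-2022-1050.patch from debian/patches/series is only safe because v7.2.2.diff appears to carry the same guard: its diffstat lists hw/rdma/vmw/pvrdma_cmd.c (+6) and the pvrdma_exec_cmd hunk adds the `if (!dsr_info->dsr)` check under the "Buggy or malicious guest driver" comment. Please confirm that this is the upstream form of the Debian patch and say so explicitly in d/changelog, so the security tracker and anyone grepping series for the CVE id do not read the removal as a regression.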
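Review bot: the `if (large_send_mss == 0) { goto skip_offload; }` guard in rtl8139_cplus_transmit_one sits right after large_send_mss is extracted and before the DPRINTF, i.e. ahead of both the division and the MSS-sized loop the description mentions, which is the right place. The `skip_offload` label itself is outside the three context lines, so this hunk alone does not show that the skip path is the existing non-TSO transmit fall-through; one more line of context or a sentence in the description would make the backport self-verifying. The qtest reproducer in the commit message is a ready-made regression test and would be worth adding as one.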
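Review bot: the off-by-one in `assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu <= VMXNET3_MAX_MTU)` is fixed correctly, but the asserted value is read one line earlier from guest-writable shared memory (`VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu)`, under the comment "Cache fields from shared memory"), so an out-of-range MTU from a buggy or malicious driver still aborts the whole QEMU process instead of failing device activation. Fine for a stable backport as-is; a follow-up that turns the assert into an error return would make this a recoverable condition rather than a guest-triggerable crash.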
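Review bot: the new guard in pvrdma_exec_cmd tests only `dsr_info->dsr`, while the error text reads "Exec command without dsr, req or rsp buffers" and the next statement dereferences `dsr_info->req->hdr.cmd`. If req and rsp can only be mapped after dsr, so that a non-NULL dsr implies non-NULL req and rsp, the comment should state that invariant; otherwise the check needs to cover `dsr_info->req` and `dsr_info->rsp` too, since this is exactly the path the comment labels "Buggy or malicious guest driver".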
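Review bot: changing the target_rlimit64 fields from uint64_t to abi_ullong gives them the target ABI's own 64-bit alignment, which is why the two do_syscall1 hunks replace `tswap64(target_rnew->rlim_cur)` and friends with `__get_user`/`__put_user`; any other code that reads or writes struct target_rlimit64 outside the shown hunks needs the same treatment. If this is the fix for the #811087 aptitude segfault named in the unblock request, the v7.2.2.diff header (or d/changelog) should say so, as the diff itself gives no hint.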
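Review bot: in s390x_write_elf64_notes the old `memset(notep, 0, sizeof(note))` did not match the allocation two lines above it, `notep = g_malloc(note_size)`: when note_size exceeds sizeof(note) the tail of the heap buffer stays uninitialised and its previous contents end up in the ELF dump, and when it is smaller the memset writes past the allocation. Using note_size fixes both cases, so this deserves to be called out in d/changelog as a memory-safety fix rather than grouped with the cosmetic ones.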
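Review bot: the CHRL/CGHRL rows in insn-data.h.inc now use mri2_16s, matching the "COMPARE HALFWORD RELATIVE LONG" comment above them (a halfword load, not the 32s/64 operands they had), and the new in2_mri2_16s helper provides that operand. The in2_mri2_* rewrites look like churn but are required: gen_ri2 returns `tcg_constant_i64(...)` in the non-EXECUTE case, and a constant temp must not be written, so the old pattern `in2_ri2(s, o); tcg_gen_qemu_ld16u(o->in2, o->in2, ...)` that loaded into the address temp no longer works and each helper now loads into a fresh tcg_temp_new_i64. Since the ex_target change spans cpu.h, mem_helper.c and translate.c, a sentence in the v7.2.2.diff header about which guest behaviour was wrong (relative operands under EXECUTE) would help whoever bisects this later.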
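Review bot: fdmon_epoll_try_upgrade now holds list_lock via `qemu_lockcnt_dec_if_lock` around fdmon_epoll_try_enable and releases it with `qemu_lockcnt_inc_and_unlock`, which addresses the "list must not change while we add fds to epoll" race the comment names. One behaviour change is worth a comment: when the lock cannot be taken the function returns false without calling fdmon_epoll_disable, whereas the old code disabled epoll on any enable failure once npfd reached EPOLL_ENABLE_THRESHOLD. Presumably intentional (the upgrade is simply retried on a later call), but the early `return false` should say so.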
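Review bot: the last two files of the debdiff go in the opposite direction from what the unblock request describes. The debian/rules hunk replaces `printf` with `echo` when writing b/vof/config.mak (the request says the FTBFS fix was replacing the unportable echo with printf), debian/qemu.desktop is deleted on the "+" side (its "+++" timestamp is 1970-01-01) together with its install line in override_dh_auto_install-indep, and the "+++" side of debian/rules carries an older mtime (2023-03-05) than the "---" side (2023-04-29). Either the two trees were passed to `diff -upr` in reversed order for the packaging files, or the -no-v7.2.2 tree already contained the newer packaging; please confirm which, because as shown this part of the diff would reintroduce the FTBFS and drop the icon .desktop file the changelog says was added.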