From 174951e837490428de5b53156c6667f232f701af Mon Sep 17 00:00:00 2001 From: Christian Melki Date: Thu, 22 Sep 2022 10:39:23 +0200 Subject: qemu: Version bump. 7.0.0 -> 7.1.0 https://wiki.qemu.org/ChangeLog/7.1 Fixes CVE-2022-35414. * Removed a few deprecated configure options. * Remove a patch which is now included. * Forward the two ptxdist specific patches. Signed-off-by: Christian Melki Message-Id: <20220922083923.3917979-1-christian.melki@t2data.com> Message-Id: <20220922163125.1749628-1-christian.melki@t2data.com> [mol: squashed host-qemu changes] Signed-off-by: Michael Olbrich --- ...-Only-compile-the-common-user-code-if-hav.patch | 32 -------- ...real-symlinks-for-security_model-mapped-f.patch | 89 ---------------------- .../0101-let-ninja-use-the-jobserver.patch | 25 ------ patches/qemu-7.0.0/series | 8 -- ...real-symlinks-for-security_model-mapped-f.patch | 89 ++++++++++++++++++++++ .../0101-let-ninja-use-the-jobserver.patch | 25 ++++++ patches/qemu-7.1.0/series | 7 ++ rules/host-qemu.make | 3 - rules/qemu.make | 7 +- 9 files changed, 123 insertions(+), 162 deletions(-) delete mode 100644 patches/qemu-7.0.0/0001-common-user-Only-compile-the-common-user-code-if-hav.patch delete mode 100644 patches/qemu-7.0.0/0100-9pfs-allow-real-symlinks-for-security_model-mapped-f.patch delete mode 100644 patches/qemu-7.0.0/0101-let-ninja-use-the-jobserver.patch delete mode 100644 patches/qemu-7.0.0/series create mode 100644 patches/qemu-7.1.0/0100-9pfs-allow-real-symlinks-for-security_model-mapped-f.patch create mode 100644 patches/qemu-7.1.0/0101-let-ninja-use-the-jobserver.patch create mode 100644 patches/qemu-7.1.0/series diff --git a/patches/qemu-7.0.0/0001-common-user-Only-compile-the-common-user-code-if-hav.patch b/patches/qemu-7.0.0/0001-common-user-Only-compile-the-common-user-code-if-hav.patch deleted file mode 100644 index 50e73f714..000000000 --- a/patches/qemu-7.0.0/0001-common-user-Only-compile-the-common-user-code-if-hav.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From: Thomas Huth
-Date: Wed, 22 Jun 2022 16:03:28 +0200
-Subject: [PATCH] common-user: Only compile the common user code if have_user
- is set
-
-There is no need to waste cycles here if we only compile the system
-binaries or tools. Additionally, this change is even a hard requirement
-for building the tools on systems that do not have an entry in the
-common-user/host/ folder (since common-user/meson.build is trying
-to add such a path via the include_directories() command).
-
-Reported-by: Michael Tokarev
-Signed-off-by: Thomas Huth
-Reviewed-by: Zhang Chen
-Message-Id: <20220622140328.383961-1-thuth@redhat.com>
-Signed-off-by: Laurent Vivier
----
- common-user/meson.build | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/common-user/meson.build b/common-user/meson.build
-index 26212dda5c7a..ac9de5b9e3f5 100644
---- a/common-user/meson.build
-+++ b/common-user/meson.build
-@@ -1,3 +1,7 @@
-+if not have_user
-+ subdir_done()
-+endif
-+
- common_user_inc += include_directories('host/' / host_arch)
-
- user_ss.add(files(
diff --git a/patches/qemu-7.0.0/0100-9pfs-allow-real-symlinks-for-security_model-mapped-f.patch b/patches/qemu-7.0.0/0100-9pfs-allow-real-symlinks-for-security_model-mapped-f.patch
deleted file mode 100644
index 6299ba1f6..000000000
--- a/patches/qemu-7.0.0/0100-9pfs-allow-real-symlinks-for-security_model-mapped-f.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From: Michael Olbrich
-Date: Tue, 25 Oct 2016 12:39:03 +0200
-Subject: [PATCH] 9pfs: allow real symlinks for security_model=mapped-file
-
-And create real symlinks if possible. This makes it possible to use the
-same filesystem with security_model=mapped-file and security_model=none.
-
-Signed-off-by: Michael Olbrich
----
- hw/9pfs/9p-local.c | 44 +++++++++++++++++++++++++++++---------------
- 1 file changed, 29 insertions(+), 15 deletions(-)
-
-diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
-index d42ce6d8b822..559573008eec 100644
---- a/hw/9pfs/9p-local.c
-+++ b/hw/9pfs/9p-local.c
-@@ -462,8 +462,7 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path,
- {
- ssize_t tsize = -1;
-
-- if ((fs_ctx->export_flags & V9FS_SM_MAPPED) ||
-- (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE)) {
-+ if (fs_ctx->export_flags & V9FS_SM_MAPPED) {
- int fd;
-
- fd = local_open_nofollow(fs_ctx, fs_path->data, O_RDONLY, 0);
-@@ -475,6 +474,7 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path,
- } while (tsize == -1 && errno == EINTR);
- close_preserve_errno(fd);
- } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) ||
-+ (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) ||
- (fs_ctx->export_flags & V9FS_SM_NONE)) {
- char *dirpath = g_path_get_dirname(fs_path->data);
- char *name = g_path_get_basename(fs_path->data);
-@@ -486,6 +486,17 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path,
- }
-
- tsize = readlinkat(dirfd, name, buf, bufsz);
-+
-+ if (tsize == -1 && (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE)) {
-+ int fd = openat_file(dirfd, name, O_RDONLY, 0);
-+ if (fd == -1) {
-+ goto out;
-+ }
-+ do {
-+ tsize = read(fd, (void *)buf, bufsz);
-+ } while (tsize == -1 && errno == EINTR);
-+ close_preserve_errno(fd);
-+ }
- close_preserve_errno(dirfd);
- out:
- g_free(name);
-@@ -901,20 +912,23 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath,
- int fd;
- ssize_t oldpath_size, write_size;
-
-- fd = openat_file(dirfd, name, O_CREAT | O_EXCL | O_RDWR,
-- fs_ctx->fmode);
-- if (fd == -1) {
-- goto out;
-- }
-- /* Write the oldpath (target) to the file. */
-- oldpath_size = strlen(oldpath);
-- do {
-- write_size = write(fd, (void *)oldpath, oldpath_size);
-- } while (write_size == -1 && errno == EINTR);
-- close_preserve_errno(fd);
-+ if (fs_ctx->export_flags & V9FS_SM_MAPPED ||
-+ (symlinkat(oldpath, dirfd, name) != 0)) {
-+ fd = openat_file(dirfd, name, O_CREAT | O_EXCL | O_RDWR,
-+ fs_ctx->fmode);
-+ if (fd == -1) {
-+ goto out;
-+ }
-+ /* Write the oldpath (target) to the file. */
-+ oldpath_size = strlen(oldpath);
-+ do {
-+ write_size = write(fd, (void *)oldpath, oldpath_size);
-+ } while (write_size == -1 && errno == EINTR);
-+ close_preserve_errno(fd);
-
-- if (write_size != oldpath_size) {
-- goto err_end;
-+ if (write_size != oldpath_size) {
-+ goto err_end;
-+ }
- }
- /* Set cleint credentials in symlink's xattr */
- credp->fc_mode = credp->fc_mode | S_IFLNK;
diff --git a/patches/qemu-7.0.0/0101-let-ninja-use-the-jobserver.patch b/patches/qemu-7.0.0/0101-let-ninja-use-the-jobserver.patch
deleted file mode 100644
index 14559418f..000000000
--- a/patches/qemu-7.0.0/0101-let-ninja-use-the-jobserver.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From: Michael Olbrich
-Date: Fri, 26 Feb 2021 12:08:46 +0100
-Subject: [PATCH] let ninja use the jobserver
-
-This is only for ptxdist. Ninja uses the make jobserver here, so don't add
-'-j1' if no -jX argument is given.
-
-Signed-off-by: Michael Olbrich
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index e5fd1ebdf619..23128172d02a 100644
---- a/Makefile
-+++ b/Makefile
-@@ -142,7 +142,7 @@ MAKE.k = $(findstring k,$(firstword $(filter-out --%,$(MAKEFLAGS))))
- MAKE.q = $(findstring q,$(firstword $(filter-out --%,$(MAKEFLAGS))))
- MAKE.nq = $(if $(word 2, $(MAKE.n) $(MAKE.q)),nq)
- NINJAFLAGS = $(if $V,-v) $(if $(MAKE.n), -n) $(if $(MAKE.k), -k0) \
-- $(filter-out -j, $(lastword -j1 $(filter -l% -j%, $(MAKEFLAGS)))) \
-+ $(filter-out -j, $(lastword $(filter -l% -j%, $(MAKEFLAGS)))) \
-
- ninja-cmd-goals = $(or $(MAKECMDGOALS), all)
- ninja-cmd-goals += $(foreach t, $(.check.build-suites), $(.check-$t.deps))
diff --git a/patches/qemu-7.0.0/series b/patches/qemu-7.0.0/series
deleted file mode 100644
index 4b1e373cf..000000000
--- a/patches/qemu-7.0.0/series
+++ /dev/null
@@ -1,8 +0,0 @@
-# generated by git-ptx-patches
-#tag:base --start-number 1
-#tag:upstream --start-number 1
-0001-common-user-Only-compile-the-common-user-code-if-hav.patch
-#tag:ptxdist --start-number 100
-0100-9pfs-allow-real-symlinks-for-security_model-mapped-f.patch
-0101-let-ninja-use-the-jobserver.patch
-# c72c8a5f60a89d87f9a2f2626984b5e1 - git-ptx-patches magic
diff --git a/patches/qemu-7.1.0/0100-9pfs-allow-real-symlinks-for-security_model-mapped-f.patch b/patches/qemu-7.1.0/0100-9pfs-allow-real-symlinks-for-security_model-mapped-f.patch
new file mode 100644
index 000000000..6299ba1f6
--- /dev/null
+++ b/patches/qemu-7.1.0/0100-9pfs-allow-real-symlinks-for-security_model-mapped-f.patch
@@ -0,0 +1,89 @@
+From: Michael Olbrich
+Date: Tue, 25 Oct 2016 12:39:03 +0200
+Subject: [PATCH] 9pfs: allow real symlinks for security_model=mapped-file
+
+And create real symlinks if possible. This makes it possible to use the
+same filesystem with security_model=mapped-file and security_model=none.
+
+Signed-off-by: Michael Olbrich
+---
+ hw/9pfs/9p-local.c | 44 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
+index d42ce6d8b822..559573008eec 100644
+--- a/hw/9pfs/9p-local.c
++++ b/hw/9pfs/9p-local.c
+@@ -462,8 +462,7 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path,
+ {
+ ssize_t tsize = -1;
+
+- if ((fs_ctx->export_flags & V9FS_SM_MAPPED) ||
+- (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE)) {
++ if (fs_ctx->export_flags & V9FS_SM_MAPPED) {
+ int fd;
+
+ fd = local_open_nofollow(fs_ctx, fs_path->data, O_RDONLY, 0);
+@@ -475,6 +474,7 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path,
+ } while (tsize == -1 && errno == EINTR);
+ close_preserve_errno(fd);
+ } else if ((fs_ctx->export_flags & V9FS_SM_PASSTHROUGH) ||
++ (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE) ||
+ (fs_ctx->export_flags & V9FS_SM_NONE)) {
+ char *dirpath = g_path_get_dirname(fs_path->data);
+ char *name = g_path_get_basename(fs_path->data);
+@@ -486,6 +486,17 @@ static ssize_t local_readlink(FsContext *fs_ctx, V9fsPath *fs_path,
+ }
+
+ tsize = readlinkat(dirfd, name, buf, bufsz);
++
++ if (tsize == -1 && (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE)) {
++ int fd = openat_file(dirfd, name, O_RDONLY, 0);
++ if (fd == -1) {
++ goto out;
++ }
++ do {
++ tsize = read(fd, (void *)buf, bufsz);
++ } while (tsize == -1 && errno == EINTR);
++ close_preserve_errno(fd);
++ }
+ close_preserve_errno(dirfd);
+ out:
+ g_free(name);
+@@ -901,20 +912,23 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath,
+ int fd;
+ ssize_t oldpath_size, write_size;
+
+- fd = openat_file(dirfd, name, O_CREAT | O_EXCL | O_RDWR,
+- fs_ctx->fmode);
+- if (fd == -1) {
+- goto out;
+- }
+- /* Write the oldpath (target) to the file. */
+- oldpath_size = strlen(oldpath);
+- do {
+- write_size = write(fd, (void *)oldpath, oldpath_size);
+- } while (write_size == -1 && errno == EINTR);
+- close_preserve_errno(fd);
++ if (fs_ctx->export_flags & V9FS_SM_MAPPED ||
++ (symlinkat(oldpath, dirfd, name) != 0)) {
++ fd = openat_file(dirfd, name, O_CREAT | O_EXCL | O_RDWR,
++ fs_ctx->fmode);
++ if (fd == -1) {
++ goto out;
++ }
++ /* Write the oldpath (target) to the file. */
++ oldpath_size = strlen(oldpath);
++ do {
++ write_size = write(fd, (void *)oldpath, oldpath_size);
++ } while (write_size == -1 && errno == EINTR);
++ close_preserve_errno(fd);
+
+- if (write_size != oldpath_size) {
+- goto err_end;
++ if (write_size != oldpath_size) {
++ goto err_end;
++ }
+ }
+ /* Set cleint credentials in symlink's xattr */
+ credp->fc_mode = credp->fc_mode | S_IFLNK;
diff --git a/patches/qemu-7.1.0/0101-let-ninja-use-the-jobserver.patch b/patches/qemu-7.1.0/0101-let-ninja-use-the-jobserver.patch
new file mode 100644
index 000000000..d54558a93
--- /dev/null
+++ b/patches/qemu-7.1.0/0101-let-ninja-use-the-jobserver.patch
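Review bot: The MAPPED_FILE fallback that this carried patch adds to local_readlink() leaves through `goto out;` when openat_file() fails, and the `out:` label sits after `close_preserve_errno(dirfd);`, so on that path dirfd looks like it is never closed. readlink requests originate in the guest, so the leak could presumably be repeated until the QEMU process runs out of descriptors; closing first, `close_preserve_errno(dirfd); goto out;`, avoids it. The fallback also runs on any readlinkat() failure rather than only the `EINVAL` a non-symlink produces, and narrowing it to `tsize == -1 && errno == EINVAL && (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE)` would stop other errors from being replaced by the outcome of the second open. The patch description would also benefit from one sentence stating that under security_model=mapped-file guest-supplied link targets now become real symlinks in the exported tree, since host-side tools that walk that tree will follow them. The blob is unchanged from the 7.0.0 copy (index 6299ba1f6 on both sides), so this predates the bump, and local_readlink() starts and ends outside the inner hunks shown.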
@@ -0,0 +1,25 @@ +From: Michael Olbrich +Date: Fri, 26 Feb 2021 12:08:46 +0100 +Subject: [PATCH] let ninja use the jobserver + +This is only for ptxdist. Ninja uses the make jobserver here, so don't add +'-j1' if no -jX argument is given. + +Signed-off-by: Michael Olbrich +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index e5fd1ebdf619..23128172d02a 100644 +--- a/Makefile ++++ b/Makefile +@@ -142,7 +142,7 @@ MAKE.k = $(findstring k,$(firstword $(filter-out --%,$(MAKEFLAGS)))) + MAKE.q = $(findstring q,$(firstword $(filter-out --%,$(MAKEFLAGS)))) + MAKE.nq = $(if $(word 2, $(MAKE.n) $(MAKE.q)),nq) + NINJAFLAGS = $(if $V,-v) $(if $(MAKE.n), -n) $(if $(MAKE.k), -k0) \ +- $(filter-out -j, $(lastword -j1 $(filter -l% -j%, $(MAKEFLAGS)))) \ ++ $(filter-out -j, $(lastword $(filter -l% -j%, $(MAKEFLAGS)))) \ + -d keepdepfile + ninja-cmd-goals = $(or $(MAKECMDGOALS), all) + ninja-cmd-goals += $(foreach g, $(MAKECMDGOALS), $(.ninja-goals.$g)))) diff --git a/patches/qemu-7.1.0/series b/patches/qemu-7.1.0/series new file mode 100644 index 000000000..ec7952135 --- /dev/null +++ b/patches/qemu-7.1.0/series @@ -0,0 +1,7 @@ +# generated by git-ptx-patches +#tag:base --start-number 1 +#tag:upstream --start-number 1 +#tag:ptxdist --start-number 100 +0100-9pfs-allow-real-symlinks-for-security_model-mapped-f.patch +0101-let-ninja-use-the-jobserver.patch +# d0eda0596eed74d4819c34cafa02bf39 - git-ptx-patches magic diff --git a/rules/host-qemu.make b/rules/host-qemu.make index 1f1f2581a..0c3a89a6e 100644 --- a/rules/host-qemu.make +++ b/rules/host-qemu.make @@ -134,7 +134,6 @@ HOST_QEMU_CONF_OPT := \ --disable-virtiofsd \ --disable-vnc \ --disable-vnc-jpeg \ - --disable-vnc-png \ --disable-vnc-sasl \ --disable-vte \ --disable-whpx \ 
@@ -158,8 +157,6 @@ HOST_QEMU_CONF_OPT := \ --disable-rdma \ --disable-pvrdma \ --enable-vhost-net \ - --enable-vhost-vsock \ - --enable-vhost-scsi \ --disable-vhost-crypto \ --enable-vhost-kernel \ --disable-vhost-user \ diff --git a/rules/qemu.make b/rules/qemu.make index 6e8445124..579715684 100644 --- a/rules/qemu.make +++ b/rules/qemu.make @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_QEMU) += qemu # # Paths and names # -QEMU_VERSION := 7.0.0 -QEMU_MD5 := bfb5b09a0d1f887c8c42a6d5f26971ab +QEMU_VERSION := 7.1.0 +QEMU_MD5 := 3be5458a9171b4ec5220c65d5d52bdcf QEMU := qemu-$(QEMU_VERSION) QEMU_SUFFIX := tar.xz QEMU_URL := https://download.qemu.org/$(QEMU).$(QEMU_SUFFIX) @@ -133,7 +133,6 @@ QEMU_CONF_OPT := \ --disable-virtiofsd \ --disable-vnc \ --disable-vnc-jpeg \ - --disable-vnc-png \ --disable-vnc-sasl \ --disable-vte \ --disable-whpx \ @@ -157,8 +156,6 @@ QEMU_CONF_OPT := \ --disable-rdma \ --disable-pvrdma \ --enable-vhost-net \ - --enable-vhost-vsock \ - --enable-vhost-scsi \ --disable-vhost-crypto \ --enable-vhost-kernel \ --disable-vhost-user \ -- cgit v1.2.3