[PULL 0/7] Misc patches

[PULL 0/7] Misc patches

[Thomas Huth]

The following changes since commit a51e5124a655b3dad80b36b18547cb1eca2c5eb2:

  Merge tag 'pull-omnibus-111023-1' of https://gitlab.com/stsquad/qemu into staging (2023-10-11 09:43:10 -0400)

are available in the Git repository at:

  https://gitlab.com/thuth/qemu.git tags/pull-request-2023-10-12

for you to fetch changes up to f51f90c65ed7706c3c4f7a889ce3d6b7ab75ef6a:

  gitlab-ci: Disable the riscv64-debian-cross-container by default (2023-10-12 14:18:03 +0200)

----------------------------------------------------------------
* Fix CVE-2023-1544
* Deprecate the rdma code
* Fix flaky npcm7xx_timer test
* i2c-echo license statement and Kconfig switch
* Disable the failing riscv64-debian-cross CI job by default

----------------------------------------------------------------
Chris Rauer (1):
      tests/qtest: Fix npcm7xx_timer-test.c flaky test

Klaus Jensen (2):
      hw/misc/i2c-echo: add copyright/license note
      hw/misc/Kconfig: add switch for i2c-echo

Thomas Huth (3):
      hw/rdma: Deprecate the pvrdma device and the rdma subsystem
      MAINTAINERS: Add include/sysemu/qtest.h to the qtest section
      gitlab-ci: Disable the riscv64-debian-cross-container by default

Yuval Shaia (1):
      hw/pvrdma: Protect against buggy or malicious guest driver

 MAINTAINERS                      |  3 ++-
 docs/about/deprecated.rst        |  8 ++++++++
 hw/misc/i2c-echo.c               | 10 ++++++++++
 hw/rdma/vmw/pvrdma_main.c        | 18 +++++++++++++++++-
 tests/qtest/npcm7xx_timer-test.c |  1 +
 .gitlab-ci.d/container-cross.yml |  1 +
 hw/misc/Kconfig                  |  5 +++++
 hw/misc/meson.build              |  2 +-
 8 files changed, 45 insertions(+), 3 deletions(-)

[PULL 1/7] hw/pvrdma: Protect against buggy or malicious guest driver

[Thomas Huth]

From: Yuval Shaia <yuval.shaia.ml@gmail.com>

Guest driver allocates and initialize page tables to be used as a ring
of descriptors for CQ and async events.
The page table that represents the ring, along with the number of pages
in the page table is passed to the device.
Currently our device supports only one page table for a ring.

Let's make sure that the number of page table entries the driver
reports, do not exceeds the one page table size.

Reported-by: Soul Chen <soulchen8650@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Fixes: CVE-2023-1544
Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 4fc6712025..55b338046e 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
                          dma_addr_t dir_addr, uint32_t num_pages)
 {
     uint64_t *dir, *tbl;
-    int rc = 0;
+    int max_pages, rc = 0;
 
     if (!num_pages) {
         rdma_error_report("Ring pages count must be strictly positive");
         return -EINVAL;
     }
 
+    /*
+     * Make sure we can satisfy the requested number of pages in a single
+     * TARGET_PAGE_SIZE sized page table (taking into account that first entry
+     * is reserved for ring-state)
+     */
+    max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1;
+    if (num_pages > max_pages) {
+        rdma_error_report("Maximum pages on a single directory must not exceed %d\n",
+                          max_pages);
+        return -EINVAL;
+    }
+
     dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
     if (!dir) {
         rdma_error_report("Failed to map to page directory (ring %s)", name);
         rc = -ENOMEM;
         goto out;
     }
+
+    /* We support only one page table for a ring */
     tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE);
     if (!tbl) {
         rdma_error_report("Failed to map to page table (ring %s)", name);
-- 
2.41.0

[PULL 2/7] hw/rdma: Deprecate the pvrdma device and the rdma subsystem

[Thomas Huth]

This subsystem is said to be in a bad shape (see e.g. [1], [2]
and [3]), and nobody seems to feel responsible to pick up patches
for this and send them via a pull request. For example there is
a patch for a CVE-worthy bug posted more than half a year ago [4]
which has never been merged. Thus let's mark it as deprecated and
finally remove it unless somebody steps up and improves the code
quality and adds proper regression tests.

[1] https://lore.kernel.org/qemu-devel/20230918144206.560120-1-armbru@redhat.com/
[2] https://lore.kernel.org/qemu-devel/ZQnojJOqoFu73995@redhat.com/
[3] https://lore.kernel.org/qemu-devel/1054981c-e8ae-c676-3b04-eeb030e11f65@tls.msk.ru/
[4] https://lore.kernel.org/qemu-devel/20230301142926.18686-1-yuval.shaia.ml@gmail.com/

Message-ID: <20230927133019.228495-1-thuth@redhat.com>
Acked-by: Juan Quintela <quintela@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 MAINTAINERS               | 2 +-
 docs/about/deprecated.rst | 8 ++++++++
 hw/rdma/vmw/pvrdma_main.c | 2 ++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index c3cc12dc29..1c9b49c00f 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -3843,7 +3843,7 @@ F: docs/block-replication.txt
 PVRDMA
 M: Yuval Shaia <yuval.shaia.ml@gmail.com>
 M: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
-S: Maintained
+S: Odd Fixes
 F: hw/rdma/*
 F: hw/rdma/vmw/*
 F: docs/pvrdma.txt
diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
index 8b136320e2..ffd0a8c896 100644
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@@ -327,6 +327,14 @@ QEMU's ``vhost`` feature, which would eliminate the high latency costs under
 which the 9p ``proxy`` backend currently suffers. However as of to date nobody
 has indicated plans for such kind of reimplementation unfortunately.
 
+``-device pvrdma`` and the rdma subsystem (since 8.2)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The pvrdma device and the whole rdma subsystem are in a bad shape and
+without active maintenance. The QEMU project intends to remove this
+device and subsystem from the code base in a future release without
+replacement unless somebody steps up and improves the situation.
+
 
 Block device options
 ''''''''''''''''''''
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 55b338046e..e735ff97eb 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -615,6 +615,8 @@ static void pvrdma_realize(PCIDevice *pdev, Error **errp)
     bool ram_shared = false;
     PCIDevice *func0;
 
+    warn_report_once("pvrdma is deprecated and will be removed in a future release");
+
     rdma_info_report("Initializing device %s %x.%x", pdev->name,
                      PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn));
 
-- 
2.41.0

[PULL 3/7] tests/qtest: Fix npcm7xx_timer-test.c flaky test

[Thomas Huth]

From: Chris Rauer <crauer@google.com>

npcm7xx_timer-test occasionally fails due to the state of the timers
from the previous test iteration.  Advancing the clock step after the
reset resolves this issue.

Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1897
Signed-off-by: Chris Rauer <crauer@google.com>
Message-ID: <20230929000831.691559-1-crauer@google.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 tests/qtest/npcm7xx_timer-test.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/qtest/npcm7xx_timer-test.c b/tests/qtest/npcm7xx_timer-test.c
index 43711049ca..58f58c2f71 100644
--- a/tests/qtest/npcm7xx_timer-test.c
+++ b/tests/qtest/npcm7xx_timer-test.c
@@ -465,6 +465,7 @@ static void test_periodic_interrupt(gconstpointer test_data)
     int i;
 
     tim_reset(td);
+    clock_step_next();
 
     tim_write_ticr(td, count);
     tim_write_tcsr(td, CEN | IE | MODE_PERIODIC | PRESCALE(ps));
-- 
2.41.0

[PULL 4/7] hw/misc/i2c-echo: add copyright/license note

[Thomas Huth]

From: Klaus Jensen <k.jensen@samsung.com>

Add missing copyright and license notice. Also add a short description
of the device.

Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Message-ID: <20230823-i2c-echo-fixes-v1-1-ccc05a6028f0@samsung.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 hw/misc/i2c-echo.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/misc/i2c-echo.c b/hw/misc/i2c-echo.c
index 5705ab5d73..5ae3d0817e 100644
--- a/hw/misc/i2c-echo.c
+++ b/hw/misc/i2c-echo.c
@@ -1,3 +1,13 @@
+/*
+ * Example I2C device using asynchronous I2C send.
+ *
+ * Copyright (C) 2023 Samsung Electronics Co., Ltd. All Rights Reserved.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2.  See
+ * the COPYING file in the top-level directory.
+ *
+ */
+
 #include "qemu/osdep.h"
 #include "qemu/timer.h"
 #include "qemu/main-loop.h"
-- 
2.41.0

[PULL 5/7] hw/misc/Kconfig: add switch for i2c-echo

[Thomas Huth]

From: Klaus Jensen <k.jensen@samsung.com>

Associate i2c-echo with TEST_DEVICES and add a dependency on I2C.

Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-ID: <20230823-i2c-echo-fixes-v1-2-ccc05a6028f0@samsung.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 hw/misc/Kconfig     | 5 +++++
 hw/misc/meson.build | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/hw/misc/Kconfig b/hw/misc/Kconfig
index 858277bb60..dba41afe67 100644
--- a/hw/misc/Kconfig
+++ b/hw/misc/Kconfig
@@ -34,6 +34,11 @@ config PCA9552
     bool
     depends on I2C
 
+config I2C_ECHO
+    bool
+    default y if TEST_DEVICES
+    depends on I2C
+
 config PL310
     bool
 
diff --git a/hw/misc/meson.build b/hw/misc/meson.build
index 33659313b4..f60de33f9a 100644
--- a/hw/misc/meson.build
+++ b/hw/misc/meson.build
@@ -138,7 +138,7 @@ system_ss.add(when: 'CONFIG_NRF51_SOC', if_true: files('nrf51_rng.c'))
 
 system_ss.add(when: 'CONFIG_GRLIB', if_true: files('grlib_ahb_apb_pnp.c'))
 
-system_ss.add(when: 'CONFIG_I2C', if_true: files('i2c-echo.c'))
+system_ss.add(when: 'CONFIG_I2C_ECHO', if_true: files('i2c-echo.c'))
 
 specific_ss.add(when: 'CONFIG_AVR_POWER', if_true: files('avr_power.c'))
 
-- 
2.41.0

[PULL 6/7] MAINTAINERS: Add include/sysemu/qtest.h to the qtest section

[Thomas Huth]

We already list system/qtest.c in the qtest section, so the
corresponding header file should be listed here, too.

Message-ID: <20231012111401.871711-1-thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 MAINTAINERS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 1c9b49c00f..3f449bfe58 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -3128,6 +3128,7 @@ M: Laurent Vivier <lvivier@redhat.com>
 R: Paolo Bonzini <pbonzini@redhat.com>
 S: Maintained
 F: system/qtest.c
+F: include/sysemu/qtest.h
 F: accel/qtest/
 F: tests/qtest/
 F: docs/devel/qgraph.rst
-- 
2.41.0

[PULL 7/7] gitlab-ci: Disable the riscv64-debian-cross-container by default

[Thomas Huth]

This job is failing since weeks. Let's mark it as manual until
it gets fixed.

Message-Id: <82aa015a-ca94-49ce-beec-679cc175b726@redhat.com>
Acked-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
 .gitlab-ci.d/container-cross.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitlab-ci.d/container-cross.yml b/.gitlab-ci.d/container-cross.yml
index e0d75d5824..2848166ba3 100644
--- a/.gitlab-ci.d/container-cross.yml
+++ b/.gitlab-ci.d/container-cross.yml
@@ -95,6 +95,7 @@ riscv64-debian-cross-container:
   allow_failure: true
   variables:
     NAME: debian-riscv64-cross
+    QEMU_JOB_OPTIONAL: 1
 
 # we can however build TCG tests using a non-sid base
 riscv64-debian-test-cross-container:
-- 
2.41.0

Re: [PULL 0/7] Misc patches

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 115 bytes --]

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/8.2 for any user-visible changes.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]