From c8ba14bed076f8a196baa5ae9de8d7c8f5a89866 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht <t.lamprecht@proxmox.com>
Date: Fri, 15 Apr 2022 08:07:34 +0200
Subject: [PATCH] cherry-pick fix for passing some acpi slic tables

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
---
 ...U-crash-when-started-with-SLIC-table.patch | 89 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 90 insertions(+)
 create mode 100644 debian/patches/extra/0010-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch

diff --git a/debian/patches/extra/0010-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch b/debian/patches/extra/0010-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
new file mode 100644
index 0000000..bb8cf86
--- /dev/null
+++ b/debian/patches/extra/0010-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
@@ -0,0 +1,89 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Igor Mammedov <imammedo@redhat.com>
+Date: Mon, 27 Dec 2021 14:31:17 -0500
+Subject: [PATCH] acpi: fix QEMU crash when started with SLIC table
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+if QEMU is started with used provided SLIC table blob,
+
+  -acpitable sig=SLIC,oem_id='CRASH ',oem_table_id="ME",oem_rev=00002210,asl_compiler_id="",asl_compiler_rev=00000000,data=/dev/null
+it will assert with:
+
+  hw/acpi/aml-build.c:61:build_append_padded_str: assertion failed: (len <= maxlen)
+
+and following backtrace:
+
+  ...
+  build_append_padded_str (array=0x555556afe320, str=0x555556afdb2e "CRASH ME", maxlen=0x6, pad=0x20) at hw/acpi/aml-build.c:61
+  acpi_table_begin (desc=0x7fffffffd1b0, array=0x555556afe320) at hw/acpi/aml-build.c:1727
+  build_fadt (tbl=0x555556afe320, linker=0x555557ca3830, f=0x7fffffffd318, oem_id=0x555556afdb2e "CRASH ME", oem_table_id=0x555556afdb34 "ME") at hw/acpi/aml-build.c:2064
+  ...
+
+which happens due to acpi_table_begin() expecting NULL terminated
+oem_id and oem_table_id strings, which is normally the case, but
+in case of user provided SLIC table, oem_id points to table's blob
+directly and as result oem_id became longer than expected.
+
+Fix issue by handling oem_id consistently and make acpi_get_slic_oem()
+return NULL terminated strings.
+
+PS:
+After [1] refactoring, oem_id semantics became inconsistent, where
+NULL terminated string was coming from machine and old way pointer
+into byte array coming from -acpitable option. That used to work
+since build_header() wasn't expecting NULL terminated string and
+blindly copied the 1st 6 bytes only.
+
+However commit [2] broke that by replacing build_header() with
+acpi_table_begin(), which was expecting NULL terminated string
+and was checking oem_id size.
+
+1) 602b45820 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
+2)
+Fixes: 4b56e1e4eb08 ("acpi: build_fadt: use acpi_table_begin()/acpi_table_end() instead of build_header()")
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/786
+Signed-off-by: Igor Mammedov <imammedo@redhat.com>
+Message-Id: <20211227193120.1084176-2-imammedo@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Denis Lisov <dennis.lissov@gmail.com>
+Tested-by: Alexander Tsoy <alexander@tsoy.me>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit 8cdb99af45365727ac17f45239a9b8c1d5155c6d)
+Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
+---
+ hw/acpi/core.c       | 4 ++--
+ hw/i386/acpi-build.c | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/acpi/core.c b/hw/acpi/core.c
+index 1e004d0078..3e811bf03c 100644
+--- a/hw/acpi/core.c
++++ b/hw/acpi/core.c
+@@ -345,8 +345,8 @@ int acpi_get_slic_oem(AcpiSlicOem *oem)
+         struct acpi_table_header *hdr = (void *)(u - sizeof(hdr->_length));
+ 
+         if (memcmp(hdr->sig, "SLIC", 4) == 0) {
+-            oem->id = hdr->oem_id;
+-            oem->table_id = hdr->oem_table_id;
++            oem->id = g_strndup(hdr->oem_id, 6);
++            oem->table_id = g_strndup(hdr->oem_table_id, 8);
+             return 0;
+         }
+     }
+diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
+index a99c6e4fe3..570f82997b 100644
+--- a/hw/i386/acpi-build.c
++++ b/hw/i386/acpi-build.c
+@@ -2721,6 +2721,8 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine)
+ 
+     /* Cleanup memory that's no longer used. */
+     g_array_free(table_offsets, true);
++    g_free(slic_oem.id);
++    g_free(slic_oem.table_id);
+ }
+ 
+ static void acpi_ram_update(MemoryRegion *mr, GArray *data)
diff --git a/debian/patches/series b/debian/patches/series
index 88d2332..ef3a33a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,6 +7,7 @@ extra/0006-block-io-Update-BSC-only-if-want_zero-is-true.patch
 extra/0007-block-nbd-Delete-reconnect-delay-timer-when-done.patch
 extra/0008-block-nbd-Assert-there-are-no-timers-when-closed.patch
 extra/0009-block-nbd-Move-s-ioc-on-AioContext-change.patch
+extra/0010-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
 bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch
 bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch
 bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch