diff --git a/0001-XXX-dont-dump-core-on-sigabort.patch b/0001-XXX-dont-dump-core-on-sigabort.patch
index 719fdf2..4913fed 100644
--- a/0001-XXX-dont-dump-core-on-sigabort.patch
+++ b/0001-XXX-dont-dump-core-on-sigabort.patch
@@ -1,4 +1,4 @@
-From d1591b68524b12fa4c9cb7d2fd6fcdf021137ede Mon Sep 17 00:00:00 2001
+From 652983299b4b18cdf26414b0ba468c5dd166adc7 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Mon, 21 Nov 2011 23:50:36 +0100
 Subject: [PATCH] XXX dont dump core on sigabort
diff --git a/0002-qemu-0.9.0.cvs-binfmt.patch b/0002-qemu-0.9.0.cvs-binfmt.patch
index 32eb10c..8ba608c 100644
--- a/0002-qemu-0.9.0.cvs-binfmt.patch
+++ b/0002-qemu-0.9.0.cvs-binfmt.patch
@@ -1,4 +1,4 @@
-From 25da05b51950cf639c26ca5f1e47fcfdfb588ab2 Mon Sep 17 00:00:00 2001
+From 611fe6b38bf118be59326f35fd3a066250328311 Mon Sep 17 00:00:00 2001
 From: Ulrich Hecht
 Date: Tue, 14 Apr 2009 16:18:44 +0200
 Subject: [PATCH] qemu-0.9.0.cvs-binfmt
diff --git a/0003-qemu-cvs-alsa_bitfield.patch b/0003-qemu-cvs-alsa_bitfield.patch
index abf5482..a56b393 100644
--- a/0003-qemu-cvs-alsa_bitfield.patch
+++ b/0003-qemu-cvs-alsa_bitfield.patch
@@ -1,4 +1,4 @@
-From 307dc6c6bde4ec04b9efd6f27db0295e349bf573 Mon Sep 17 00:00:00 2001
+From 6171d82516b151c7d2bac6484c801c45d8de796e Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 14 Apr 2009 16:20:50 +0200
 Subject: [PATCH] qemu-cvs-alsa_bitfield
diff --git a/0004-qemu-cvs-alsa_ioctl.patch b/0004-qemu-cvs-alsa_ioctl.patch
index 2499486..556cf70 100644
--- a/0004-qemu-cvs-alsa_ioctl.patch
+++ b/0004-qemu-cvs-alsa_ioctl.patch
@@ -1,4 +1,4 @@
-From 42ec5aa5b6abb395b894311702cec8c09ec44263 Mon Sep 17 00:00:00 2001
+From b89afe9048994b21e361d9eebe96825d80d1ef56 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 14 Apr 2009 16:23:27 +0200
 Subject: [PATCH] qemu-cvs-alsa_ioctl
diff --git a/0005-qemu-cvs-alsa_mmap.patch b/0005-qemu-cvs-alsa_mmap.patch
index 200f349..411964f 100644
--- a/0005-qemu-cvs-alsa_mmap.patch
+++ b/0005-qemu-cvs-alsa_mmap.patch
@@ -1,4 +1,4 @@
-From d899ab90ddfcf5c6efe45f9008cd2c498d368ac9 Mon Sep 17 00:00:00 2001
+From 9c9cfb248223f4da2ea2333164ea7e6a6091c03a Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 14 Apr 2009 16:24:15 +0200
 Subject: [PATCH] qemu-cvs-alsa_mmap
diff --git a/0006-qemu-cvs-gettimeofday.patch b/0006-qemu-cvs-gettimeofday.patch
index 0df63eb..a10c1f7 100644
--- a/0006-qemu-cvs-gettimeofday.patch
+++ b/0006-qemu-cvs-gettimeofday.patch
@@ -1,4 +1,4 @@
-From eaa8f697ccd1320f9ce432588beef2d341bc5a18 Mon Sep 17 00:00:00 2001
+From 2dc4a9d135ce472a59da891af09ba9529c57b61b Mon Sep 17 00:00:00 2001
 From: Ulrich Hecht
 Date: Tue, 14 Apr 2009 16:25:41 +0200
 Subject: [PATCH] qemu-cvs-gettimeofday
diff --git a/0007-qemu-cvs-ioctl_debug.patch b/0007-qemu-cvs-ioctl_debug.patch
index 5126ebe..5b3400d 100644
--- a/0007-qemu-cvs-ioctl_debug.patch
+++ b/0007-qemu-cvs-ioctl_debug.patch
@@ -1,4 +1,4 @@
-From 5fabc9a72b03eca20cda87e0bb35a92aaa3d4dbf Mon Sep 17 00:00:00 2001
+From d2a4cedd351ff7e09843bb5cbb76038af2303df7 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 14 Apr 2009 16:26:33 +0200
 Subject: [PATCH] qemu-cvs-ioctl_debug
diff --git a/0008-qemu-cvs-ioctl_nodirection.patch b/0008-qemu-cvs-ioctl_nodirection.patch
index 25e260d..b6dd3e2 100644
--- a/0008-qemu-cvs-ioctl_nodirection.patch
+++ b/0008-qemu-cvs-ioctl_nodirection.patch
@@ -1,4 +1,4 @@
-From 31a5e0ab101e1549d534a63fb5e9e94007e812f8 Mon Sep 17 00:00:00 2001
+From 43f2593e07e0de12dddf72c3205e6a0fb851dc2d Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 14 Apr 2009 16:27:36 +0200
 Subject: [PATCH] qemu-cvs-ioctl_nodirection
diff --git a/0009-block-vmdk-Support-creation-of-SCSI.patch b/0009-block-vmdk-Support-creation-of-SCSI.patch
index e37e218..4dbaf37 100644
--- a/0009-block-vmdk-Support-creation-of-SCSI.patch
+++ b/0009-block-vmdk-Support-creation-of-SCSI.patch
@@ -1,4 +1,4 @@ -From 7164cadf6a1f23d2b931f34c78d3707207306cfb Mon Sep 17 00:00:00 2001 +From d367bff9f8b514a0beacac3d21426d787dcef77f Mon Sep 17 00:00:00 2001 From: Ulrich Hecht Date: Tue, 14 Apr 2009 16:37:42 +0200 Subject: [PATCH] block/vmdk: Support creation of SCSI VMDK images in qemu-img diff --git a/0010-linux-user-add-binfmt-wrapper-for-a.patch b/0010-linux-user-add-binfmt-wrapper-for-a.patch index 97e22c9..a96a5d4 100644 --- a/0010-linux-user-add-binfmt-wrapper-for-a.patch +++ b/0010-linux-user-add-binfmt-wrapper-for-a.patch @@ -1,4 +1,4 @@ -From a7697f0442c3cb97a5ab4ee60ffe721de6dc791e Mon Sep 17 00:00:00 2001 +From 4234d2b99790fd33e82bee633f48d773e0c7c43e Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Fri, 30 Sep 2011 19:40:36 +0200 Subject: [PATCH] linux-user: add binfmt wrapper for argv[0] handling diff --git a/0011-PPC-KVM-Disable-mmu-notifier-check.patch b/0011-PPC-KVM-Disable-mmu-notifier-check.patch index 63e04fe..d1b24cd 100644 --- a/0011-PPC-KVM-Disable-mmu-notifier-check.patch +++ b/0011-PPC-KVM-Disable-mmu-notifier-check.patch @@ -1,4 +1,4 @@ -From c1602f324287481df7aef85c417e143fa47bcea4 Mon Sep 17 00:00:00 2001 +From 312bb9ff5f1448e2aebcccc4f124cf8f7fa1e0a0 Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Fri, 6 Jan 2012 01:05:55 +0100 Subject: [PATCH] PPC: KVM: Disable mmu notifier check @@ -13,7 +13,7 @@ KVM guests work there, even if possibly racy in some odd circumstances. 1 file changed, 2 insertions(+) diff --git a/exec.c b/exec.c -index c4f9036..52232dc 100644 +index fc75266..a50e148 100644 --- a/exec.c +++ b/exec.c @@ -1242,11 +1242,13 @@ static void *file_ram_alloc(RAMBlock *block, diff --git a/0012-linux-user-fix-segfault-deadlock.patch b/0012-linux-user-fix-segfault-deadlock.patch index adf7e6e..027c3ab 100644 --- a/0012-linux-user-fix-segfault-deadlock.patch +++ b/0012-linux-user-fix-segfault-deadlock.patch 
@@ -1,4 +1,4 @@
-From 6b4338150763e8241cec19846a48a132d60fe75f Mon Sep 17 00:00:00 2001
+From 48e23620ccc1efef237996fcc102215619a5ba7d Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Fri, 13 Jan 2012 17:05:41 +0100
 Subject: [PATCH] linux-user: fix segfault deadlock
diff --git a/0013-linux-user-binfmt-support-host-bina.patch b/0013-linux-user-binfmt-support-host-bina.patch
index 116012b..0c12adb 100644
--- a/0013-linux-user-binfmt-support-host-bina.patch
+++ b/0013-linux-user-binfmt-support-host-bina.patch
@@ -1,4 +1,4 @@
-From 02e298aafcb7bb11036cabec82da958f7d860ac8 Mon Sep 17 00:00:00 2001
+From 7ada3e29b37a639129e36a7ed2f2f07a0efc3334 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Thu, 2 Feb 2012 18:02:33 +0100
 Subject: [PATCH] linux-user: binfmt: support host binaries
diff --git a/0014-linux-user-Ignore-broken-loop-ioctl.patch b/0014-linux-user-Ignore-broken-loop-ioctl.patch
index 137cfd4..e918a66 100644
--- a/0014-linux-user-Ignore-broken-loop-ioctl.patch
+++ b/0014-linux-user-Ignore-broken-loop-ioctl.patch
@@ -1,4 +1,4 @@
-From 64acfd49e9721a17c610cc54a92efe8ec3170698 Mon Sep 17 00:00:00 2001
+From f3041527d08d4547ca88843c3be991569bca5152 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 12 Jun 2012 04:41:10 +0200
 Subject: [PATCH] linux-user: Ignore broken loop ioctl
diff --git a/0015-linux-user-lock-tcg.patch b/0015-linux-user-lock-tcg.patch
index 209ef42..7157d62 100644
--- a/0015-linux-user-lock-tcg.patch
+++ b/0015-linux-user-lock-tcg.patch
@@ -1,4 +1,4 @@
-From f34632424427a2387a9275133c3cb4a8ad4f9d31 Mon Sep 17 00:00:00 2001
+From 3c784b6969e0379542cf4661847effa17eacd27f Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Thu, 5 Jul 2012 17:31:39 +0200
 Subject: [PATCH] linux-user: lock tcg
diff --git a/0016-linux-user-Run-multi-threaded-code-.patch b/0016-linux-user-Run-multi-threaded-code-.patch
index b9dda41..05863d9 100644
--- a/0016-linux-user-Run-multi-threaded-code-.patch
+++ b/0016-linux-user-Run-multi-threaded-code-.patch
@@ -1,4 +1,4 @@
-From a2f095e01371ff9d00524fb4c0e7d3bd941227da Mon Sep 17 00:00:00 2001
+From 0922a98683629c491b15b282d35cba46c225549f Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 10 Jul 2012 20:40:55 +0200
 Subject: [PATCH] linux-user: Run multi-threaded code on a single core
diff --git a/0017-linux-user-lock-tb-flushing-too.patch b/0017-linux-user-lock-tb-flushing-too.patch
index d5e40c1..8bd65a2 100644
--- a/0017-linux-user-lock-tb-flushing-too.patch
+++ b/0017-linux-user-lock-tb-flushing-too.patch
@@ -1,4 +1,4 @@
-From 80465393b0e7a888125378567cc69a6cc190b8ff Mon Sep 17 00:00:00 2001
+From 598cc6f427821cbaf6b6a8eeadf90176ecf9b9d5 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Wed, 11 Jul 2012 16:47:42 +0200
 Subject: [PATCH] linux-user: lock tb flushing too
diff --git a/0018-linux-user-Fake-proc-cpuinfo.patch b/0018-linux-user-Fake-proc-cpuinfo.patch
index c80b483..22ffd99 100644
--- a/0018-linux-user-Fake-proc-cpuinfo.patch
+++ b/0018-linux-user-Fake-proc-cpuinfo.patch
@@ -1,4 +1,4 @@
-From cac0ebd114044343f3d0e6a1ae0b455949db0a5d Mon Sep 17 00:00:00 2001
+From 39ce1e900aba8b93e2296b3d4c613fd7af58f347 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Mon, 23 Jul 2012 10:24:14 +0200
 Subject: [PATCH] linux-user: Fake /proc/cpuinfo
diff --git a/0019-linux-user-implement-FS_IOC_GETFLAG.patch b/0019-linux-user-implement-FS_IOC_GETFLAG.patch
index 658871d..3a8e789 100644
--- a/0019-linux-user-implement-FS_IOC_GETFLAG.patch
+++ b/0019-linux-user-implement-FS_IOC_GETFLAG.patch
@@ -1,4 +1,4 @@
-From a61e366827ca2b159b515e760742bc6dee26169f Mon Sep 17 00:00:00 2001
+From 2783b7f3c20040aaa53b59a9a716364f04562126 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Mon, 20 Aug 2012 00:02:52 +0200
 Subject: [PATCH] linux-user: implement FS_IOC_GETFLAGS ioctl
diff --git a/0020-linux-user-implement-FS_IOC_SETFLAG.patch b/0020-linux-user-implement-FS_IOC_SETFLAG.patch
index 0bcd687..b980092 100644
--- a/0020-linux-user-implement-FS_IOC_SETFLAG.patch
+++ b/0020-linux-user-implement-FS_IOC_SETFLAG.patch @@ -1,4 +1,4 @@ -From 39e6dbd24f5a872c5c37b0c1ddd31fe00b74c3ca Mon Sep 17 00:00:00 2001 +From fe937a73ac633b34380ac53c9057a0664c3b77cc Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Mon, 20 Aug 2012 00:07:13 +0200 Subject: [PATCH] linux-user: implement FS_IOC_SETFLAGS ioctl diff --git a/0021-linux-user-XXX-disable-fiemap.patch b/0021-linux-user-XXX-disable-fiemap.patch index 900a185..9e5a430 100644 --- a/0021-linux-user-XXX-disable-fiemap.patch +++ b/0021-linux-user-XXX-disable-fiemap.patch @@ -1,4 +1,4 @@ -From fb0a1cd7b3e0ab5908607da0b704f749a3f9cd36 Mon Sep 17 00:00:00 2001 +From 11b56fbe40bf880945a0563044b58b03d9d0baa7 Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Tue, 21 Aug 2012 14:20:40 +0200 Subject: [PATCH] linux-user: XXX disable fiemap diff --git a/0022-slirp-nooutgoing.patch b/0022-slirp-nooutgoing.patch index 162b0ea..b0f6d8b 100644 --- a/0022-slirp-nooutgoing.patch +++ b/0022-slirp-nooutgoing.patch @@ -1,4 +1,4 @@ -From d839baef69733ff67df56abd52bf01b13c2adc80 Mon Sep 17 00:00:00 2001 +From bd75d0195aef3af7392ce38952e018936da303ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= Date: Wed, 29 Aug 2012 18:42:56 +0200 Subject: [PATCH] slirp: -nooutgoing @@ -33,7 +33,7 @@ index 6106520..32b25a5 100644 "-singlestep always run in singlestep mode\n", QEMU_ARCH_ALL) STEXI diff --git a/slirp/socket.c b/slirp/socket.c -index a10eff1..fec954e 100644 +index b336586..8e5bdc3 100644 --- a/slirp/socket.c +++ b/slirp/socket.c @@ -608,6 +608,8 @@ sorecvfrom(struct socket *so) @@ -96,7 +96,7 @@ index 6b9fef2..e712e21 100644 socket_set_fast_reuse(s); opt = 1; diff --git a/vl.c b/vl.c -index 5fd22cb..18c88ff 100644 +index 5db5dc2..c082789 100644 --- a/vl.c +++ b/vl.c @@ -162,6 +162,7 @@ int smp_threads = 1; 
@@ -107,7 +107,7 @@ index 5fd22cb..18c88ff 100644 static int no_reboot; int no_shutdown = 0; int cursor_hide = 1; -@@ -3382,6 +3383,14 @@ int main(int argc, char **argv, char **envp) +@@ -3386,6 +3387,14 @@ int main(int argc, char **argv, char **envp) case QEMU_OPTION_singlestep: singlestep = 1; break; diff --git a/0023-vnc-password-file-and-incoming-conn.patch b/0023-vnc-password-file-and-incoming-conn.patch index 96f95cd..5bbfd1e 100644 --- a/0023-vnc-password-file-and-incoming-conn.patch +++ b/0023-vnc-password-file-and-incoming-conn.patch @@ -1,4 +1,4 @@ -From c15dcea01fb9d84e583abe7d558d7a31a937ddc3 Mon Sep 17 00:00:00 2001 +From aa0933c1b541cc1b7efae51d7a0cc3978e127c86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= Date: Wed, 29 Aug 2012 20:06:01 +0200 Subject: [PATCH] vnc: password-file= and incoming-connections= @@ -9,7 +9,7 @@ TBD (from SUSE Studio team) 1 file changed, 55 insertions(+) diff --git a/ui/vnc.c b/ui/vnc.c -index d2ebf1f..ab65db9 100644 +index 3e89dad..e7946ba 100644 --- a/ui/vnc.c +++ b/ui/vnc.c @@ -58,6 +58,8 @@ static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 }; diff --git a/0024-linux-user-add-more-blk-ioctls.patch b/0024-linux-user-add-more-blk-ioctls.patch index 0d31e84..0f2a02d 100644 --- a/0024-linux-user-add-more-blk-ioctls.patch +++ b/0024-linux-user-add-more-blk-ioctls.patch @@ -1,4 +1,4 @@ -From 5ab7c0967d239f3cab043461952f9d0b9015a617 Mon Sep 17 00:00:00 2001 +From 32cee35bd3c2f98dc645350021de3d9e23be731d Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Wed, 10 Oct 2012 10:21:20 +0200 Subject: [PATCH] linux-user: add more blk ioctls diff --git a/0025-linux-user-use-target_ulong.patch b/0025-linux-user-use-target_ulong.patch index 8594237..f6270e9 100644 --- a/0025-linux-user-use-target_ulong.patch +++ b/0025-linux-user-use-target_ulong.patch @@ -1,4 +1,4 @@ -From 616807e473c21cdf231eed07b87ec287cfdfb528 Mon Sep 17 00:00:00 2001 +From 232612b32aa306574282a98dafdef5772c99ea24 Mon Sep 17 00:00:00 2001 
 From: Alexander Graf
 Date: Tue, 9 Oct 2012 09:06:49 +0200
 Subject: [PATCH] linux-user: use target_ulong
diff --git a/0026-block-Add-support-for-DictZip-enabl.patch b/0026-block-Add-support-for-DictZip-enabl.patch
index 9d9bb39..b9d471f 100644
--- a/0026-block-Add-support-for-DictZip-enabl.patch
+++ b/0026-block-Add-support-for-DictZip-enabl.patch
@@ -1,4 +1,4 @@
-From 04eba9254338949db56a01bed42bc3ef187a1f04 Mon Sep 17 00:00:00 2001
+From 171c8acfae279756c43f0265e1cfc7d984ab5464 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Wed, 5 Aug 2009 09:49:37 +0200
 Subject: [PATCH] block: Add support for DictZip enabled gzip files
diff --git a/0027-block-Add-tar-container-format.patch b/0027-block-Add-tar-container-format.patch
index 4757fb0..0c2e741 100644
--- a/0027-block-Add-tar-container-format.patch
+++ b/0027-block-Add-tar-container-format.patch
@@ -1,4 +1,4 @@
-From 0c107d353084a3a15c1281c7e1385ee5ccd5da5f Mon Sep 17 00:00:00 2001
+From e05a6cfd83e972bf46ca8e8ce7a00d83c882e2d8 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Wed, 5 Aug 2009 17:28:38 +0200
 Subject: [PATCH] block: Add tar container format
diff --git a/0028-Legacy-Patch-kvm-qemu-preXX-dictzip.patch b/0028-Legacy-Patch-kvm-qemu-preXX-dictzip.patch
index 0437545..81e1391 100644
--- a/0028-Legacy-Patch-kvm-qemu-preXX-dictzip.patch
+++ b/0028-Legacy-Patch-kvm-qemu-preXX-dictzip.patch
@@ -1,4 +1,4 @@
-From 5c25d47e2378efdbd72c49827252741b46ebacff Mon Sep 17 00:00:00 2001
+From e04e97093af3fc593a7db57be40e7334f9776330 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Wed, 12 Dec 2012 19:11:30 +0100
 Subject: [PATCH] Legacy Patch kvm-qemu-preXX-dictzip3.patch
diff --git a/0029-console-add-question-mark-escape-op.patch b/0029-console-add-question-mark-escape-op.patch
index 92ddbad..27e6af8 100644
--- a/0029-console-add-question-mark-escape-op.patch
+++ b/0029-console-add-question-mark-escape-op.patch
@@ -1,4 +1,4 @@
-From ea20aa50570a68fd2ccda17adfea0f32c71694dc Mon Sep 17 00:00:00 2001
+From 36f007f4de748aff064604637383a23cbebe813e Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Mon, 6 Jun 2011 06:53:52 +0200
 Subject: [PATCH] console: add question-mark escape operator
diff --git a/0030-Make-char-muxer-more-robust-wrt-sma.patch b/0030-Make-char-muxer-more-robust-wrt-sma.patch
index 50f7f15..420a97d 100644
--- a/0030-Make-char-muxer-more-robust-wrt-sma.patch
+++ b/0030-Make-char-muxer-more-robust-wrt-sma.patch
@@ -1,4 +1,4 @@
-From 5b001dfb49c85d9934f0ac09bd24a7aecac55956 Mon Sep 17 00:00:00 2001
+From f745251506bedd96fb153b838dbf8a399eb8e275 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Thu, 1 Apr 2010 17:36:23 +0200
 Subject: [PATCH] Make char muxer more robust wrt small FIFOs
diff --git a/0031-linux-user-lseek-explicitly-cast-no.patch b/0031-linux-user-lseek-explicitly-cast-no.patch
index 6ceea2b..59854f2 100644
--- a/0031-linux-user-lseek-explicitly-cast-no.patch
+++ b/0031-linux-user-lseek-explicitly-cast-no.patch
@@ -1,4 +1,4 @@
-From 1e5020a27bf52c24abb9272f9ba605959e8771e8 Mon Sep 17 00:00:00 2001
+From e7c736a9bfa10f1acb5e6b02c73fd8662d5c6a6c Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Thu, 13 Dec 2012 14:29:22 +0100
 Subject: [PATCH] linux-user: lseek: explicitly cast non-set offsets to signed
diff --git a/0032-virtfs-proxy-helper-Provide-__u64-f.patch b/0032-virtfs-proxy-helper-Provide-__u64-f.patch
index c7254d0..0d743ae 100644
--- a/0032-virtfs-proxy-helper-Provide-__u64-f.patch
+++ b/0032-virtfs-proxy-helper-Provide-__u64-f.patch
@@ -1,4 +1,4 @@
-From 01aa7df9b3b82e8d16b3dda2e092dff89c15fa82 Mon Sep 17 00:00:00 2001
+From 96ff92eb1a6402f0b90e4394990eda7f5e457d13 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers
 Date: Thu, 16 May 2013 12:39:10 +0200
 Subject: [PATCH] virtfs-proxy-helper: Provide __u64 for broken
diff --git a/0033-configure-Enable-PIE-for-ppc-and-pp.patch b/0033-configure-Enable-PIE-for-ppc-and-pp.patch index 9034e41..db6745d 100644 --- a/0033-configure-Enable-PIE-for-ppc-and-pp.patch +++ b/0033-configure-Enable-PIE-for-ppc-and-pp.patch @@ -1,4 +1,4 @@ -From 71bb8109caee6f4192237b2fad7db748ac50760d Mon Sep 17 00:00:00 2001 +From 2181064a8a8f7a22285ae767affb23dc684d7d10 Mon Sep 17 00:00:00 2001 From: Dinar Valeev Date: Wed, 2 Oct 2013 17:56:03 +0200 Subject: [PATCH] configure: Enable PIE for ppc and ppc64 hosts @@ -14,7 +14,7 @@ Signed-off-by: Andreas Färber 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure -index c37fc5f..94035eb 100755 +index 60e3c0d..65232af 100755 --- a/configure +++ b/configure @@ -1537,7 +1537,7 @@ fi diff --git a/0034-qtest-Increase-socket-timeout.patch b/0034-qtest-Increase-socket-timeout.patch index 871cc32..ea75249 100644 --- a/0034-qtest-Increase-socket-timeout.patch +++ b/0034-qtest-Increase-socket-timeout.patch @@ -1,4 +1,4 @@ -From 287306233f77a3774df2d5c9ed7f301ebc21f89c Mon Sep 17 00:00:00 2001 +From bc88332e8bf07bf413f32131cd20f4e2ba9aeb6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= Date: Thu, 17 Apr 2014 18:39:10 +0200 Subject: [PATCH] qtest: Increase socket timeout diff --git a/0035-AIO-Reduce-number-of-threads-for-32.patch b/0035-AIO-Reduce-number-of-threads-for-32.patch index ba3245c..7b9fa9d 100644 --- a/0035-AIO-Reduce-number-of-threads-for-32.patch +++ b/0035-AIO-Reduce-number-of-threads-for-32.patch @@ -1,4 +1,4 @@ -From 7f1e160917ebff1a756d08c9b07b88452a68387f Mon Sep 17 00:00:00 2001 +From e69780e5f390f491fae554f1a0b0649c9187869e Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Wed, 14 Jan 2015 01:32:11 +0100 Subject: [PATCH] AIO: Reduce number of threads for 32bit hosts diff --git a/0036-configure-Enable-libseccomp-for-ppc.patch b/0036-configure-Enable-libseccomp-for-ppc.patch index c5748df..fca458b 100644 --- a/0036-configure-Enable-libseccomp-for-ppc.patch 
+++ b/0036-configure-Enable-libseccomp-for-ppc.patch @@ -1,4 +1,4 @@ -From 88508c66e9403bb708a1ef186e66f5d45801cdd8 Mon Sep 17 00:00:00 2001 +From 6bfa8a2b720bb6cc36a933870a2a1c0a239b3e9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= Date: Tue, 14 Apr 2015 18:42:06 +0200 Subject: [PATCH] configure: Enable libseccomp for ppc @@ -14,7 +14,7 @@ Signed-off-by: Andreas Färber 1 file changed, 3 insertions(+) diff --git a/configure b/configure -index 94035eb..4efabe3 100755 +index 65232af..bf74354 100755 --- a/configure +++ b/configure @@ -1879,6 +1879,9 @@ if test "$seccomp" != "no" ; then diff --git a/0037-dictzip-Fix-on-big-endian-systems.patch b/0037-dictzip-Fix-on-big-endian-systems.patch index a56e33c..fc6566f 100644 --- a/0037-dictzip-Fix-on-big-endian-systems.patch +++ b/0037-dictzip-Fix-on-big-endian-systems.patch @@ -1,4 +1,4 @@ -From 3fafdf24acf45df69523e266a38f3c0ca220e9a9 Mon Sep 17 00:00:00 2001 +From bd33e933cbde5f822a0db069e7d368d0cb406249 Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Mon, 15 Jun 2015 17:36:32 +0200 Subject: [PATCH] dictzip: Fix on big endian systems diff --git a/0038-block-split-large-discard-requests-.patch b/0038-block-split-large-discard-requests-.patch index 86a24a5..36dad9c 100644 --- a/0038-block-split-large-discard-requests-.patch +++ b/0038-block-split-large-discard-requests-.patch @@ -1,4 +1,4 @@ -From adc543748b20def826281f9e6fda52f026dc099d Mon Sep 17 00:00:00 2001 +From 2cee6af27f7e7579c8690edfda4159a66406d2cd Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Thu, 24 Mar 2016 14:32:39 +0100 Subject: [PATCH] block: split large discard requests from block frontend @@ -15,7 +15,7 @@ Signed-off-by: Olaf Hering 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/block/io.c b/block/io.c -index a7dbf85..560fa4c 100644 +index d02e0d5..511bc75 100644 --- a/block/io.c +++ b/block/io.c @@ -2487,7 +2487,7 @@ static void coroutine_fn bdrv_discard_co_entry(void *opaque) 
diff --git a/0039-xen_disk-Add-suse-specific-flush-di.patch b/0039-xen_disk-Add-suse-specific-flush-di.patch index 0dca2bd..506cb8e 100644 --- a/0039-xen_disk-Add-suse-specific-flush-di.patch +++ b/0039-xen_disk-Add-suse-specific-flush-di.patch @@ -1,4 +1,4 @@ -From 43fdf04d426f4738aec0d349662a780906268590 Mon Sep 17 00:00:00 2001 +From 2d38805131dee693fd9bd931239793514e36d3e0 Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Wed, 9 Mar 2016 15:18:11 -0700 Subject: [PATCH] xen_disk: Add suse specific flush disable handling and map to diff --git a/0040-build-link-with-libatomic-on-powerp.patch b/0040-build-link-with-libatomic-on-powerp.patch index 6546c71..0163f6a 100644 --- a/0040-build-link-with-libatomic-on-powerp.patch +++ b/0040-build-link-with-libatomic-on-powerp.patch @@ -1,4 +1,4 @@ -From 936efd7b1f317b574dbedf08e69e4206f16ac39f Mon Sep 17 00:00:00 2001 +From f210e8f540cb261c11bffa4ed8e9918ad1731a9b Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Fri, 1 Apr 2016 12:27:16 +0200 Subject: [PATCH] build: link with libatomic on powerpc-linux @@ -14,10 +14,10 @@ Signed-off-by: Olaf Hering 1 file changed, 27 insertions(+) diff --git a/configure b/configure -index 4efabe3..b455035 100755 +index bf74354..8892b36 100755 --- a/configure +++ b/configure -@@ -4032,6 +4032,33 @@ if test "$usb_redir" != "no" ; then +@@ -4033,6 +4033,33 @@ if test "$usb_redir" != "no" ; then fi fi diff --git a/0041-net-mipsnet-check-packet-length-aga.patch b/0041-net-mipsnet-check-packet-length-aga.patch deleted file mode 100644 index b9a5ec5..0000000 --- a/0041-net-mipsnet-check-packet-length-aga.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From a4cae4158cc271ed4d55bc2e237030022f8edc16 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 7 Apr 2016 04:27:00 -0600 -Subject: [PATCH] net: mipsnet: check packet length against buffer - -When receiving packets over MIPSnet network device, it uses - receive buffer of size 1514 bytes. In case the controller -accepts large(MTU) packets, it could lead to memory corruption. -Add check to avoid it. - -Reported by: Oleksandr Bazhaniuk - -Signed-off-by: Prasad J Pandit -[BR: BSC#975136 CVE-2016-4002] -Signed-off-by: Bruce Rogers ---- - hw/net/mipsnet.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c -index 740cd98..cf8b823 100644 ---- a/hw/net/mipsnet.c -+++ b/hw/net/mipsnet.c -@@ -83,6 +83,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si - if (!mipsnet_can_receive(nc)) - return 0; - -+ if (size >= sizeof(s->rx_buffer)) { -+ return 0; -+ } - s->busy = 1; - - /* Just accept everything. */ diff --git a/0055-xen-introduce-dummy-system-device.patch b/0041-xen-introduce-dummy-system-device.patch similarity index 98% rename from 0055-xen-introduce-dummy-system-device.patch rename to 0041-xen-introduce-dummy-system-device.patch index 31b5498..cc1bf12 100644 --- a/0055-xen-introduce-dummy-system-device.patch +++ b/0041-xen-introduce-dummy-system-device.patch @@ -1,4 +1,4 @@ -From d7476f32d84a256e683d20db0cdd0d3676fa2a62 Mon Sep 17 00:00:00 2001 +From 24b0afe9e7869a5a398cb5d04f6e7c5efbac65da Mon Sep 17 00:00:00 2001 From: Juergen Gross Date: Thu, 12 May 2016 16:13:39 +0200 Subject: [PATCH] xen: introduce dummy system device diff --git a/0042-i386-kvmvapic-initialise-imm32-vari.patch b/0042-i386-kvmvapic-initialise-imm32-vari.patch deleted file mode 100644 index 4de7f34..0000000 --- a/0042-i386-kvmvapic-initialise-imm32-vari.patch +++ /dev/null 
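Review bot: The removed 0041-net-mipsnet-check-packet-length-aga.patch (tagged CVE-2016-4002) carries no `(cherry picked from commit …)` trailer, so nothing in the series shows that its fix is still applied once the patch is gone. The same holds for 0045-scsi-pvscsi-check-command-descripto.patch (CVE-2016-4952) further down, whereas the dropped 0042, 0043 and 0044 each name their upstream commit. The changed `index` lines inside the remaining patches suggest the base tree moved, so the fixes are presumably in the new base, but that is inferred from this page rather than shown. Before merging, confirm the new base has the `if (size >= sizeof(s->rx_buffer))` guard in mipsnet_receive() and the `PVSCSI_SETUP_RINGS_MAX_NUM_PAGES` / `PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES` bounds checks in the pvscsi ring setup. Record the corresponding upstream commit ids in the commit description so the CVE coverage stays auditable.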
@@ -1,35 +0,0 @@ -From 481b43bcc3e920bbe48801a7ad2489260747e8b9 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 7 Apr 2016 12:50:08 +0530 -Subject: [PATCH] i386: kvmvapic: initialise imm32 variable - -When processing Task Priorty Register(TPR) access, it could leak -automatic stack variable 'imm32' in patch_instruction(). -Initialise the variable to avoid it. - -Reported by: Donghai Zdh -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini - -(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0) -[BR: BSC#975700 CVE-2016-4020] -Signed-off-by: Bruce Rogers ---- - hw/i386/kvmvapic.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c -index c69f374..ff1e31a 100644 ---- a/hw/i386/kvmvapic.c -+++ b/hw/i386/kvmvapic.c -@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip) - CPUX86State *env = &cpu->env; - VAPICHandlers *handlers; - uint8_t opcode[2]; -- uint32_t imm32; -+ uint32_t imm32 = 0; - target_ulong current_pc = 0; - target_ulong current_cs_base = 0; - int current_flags = 0; diff --git a/0056-xen-write-information-about-support.patch b/0042-xen-write-information-about-support.patch similarity index 99% rename from 0056-xen-write-information-about-support.patch rename to 0042-xen-write-information-about-support.patch index 85b01a3..c29a05f 100644 --- a/0056-xen-write-information-about-support.patch +++ b/0042-xen-write-information-about-support.patch @@ -1,4 +1,4 @@ -From 7647bc34d77f7e67a88e88a7f09c314a3a5c7da8 Mon Sep 17 00:00:00 2001 +From 06bc1cf8722a7a5ad5cf7e0ad3adf9279516d77d Mon Sep 17 00:00:00 2001 From: Juergen Gross Date: Thu, 12 May 2016 16:13:40 +0200 Subject: [PATCH] xen: write information about supported backends 
diff --git a/0043-esp-check-command-buffer-length-bef.patch b/0043-esp-check-command-buffer-length-bef.patch deleted file mode 100644 index 5c1c029..0000000 --- a/0043-esp-check-command-buffer-length-bef.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 26e782bead654b0415a46c9a019c54b56488519b Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 19 May 2016 16:09:30 +0530 -Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439) - -The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte -FIFO buffer. It is used to handle command and data transfer. While -writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check -was missing to validate input length. Add check to avoid OOB write -access. - -Fixes CVE-2016-4439. - -Reported-by: Li Qiang -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef) -[BR: CVE-2016-4439 BSC#980711] -Signed-off-by: Bruce Rogers ---- - hw/scsi/esp.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index 8961be2..01497e6 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) - break; - case ESP_FIFO: - if (s->do_cmd) { -- s->cmdbuf[s->cmdlen++] = val & 0xff; -+ if (s->cmdlen < TI_BUFSZ) { -+ s->cmdbuf[s->cmdlen++] = val & 0xff; -+ } else { -+ trace_esp_error_fifo_overrun(); -+ } - } else if (s->ti_size == TI_BUFSZ - 1) { - trace_esp_error_fifo_overrun(); - } else { diff --git a/0057-xen-add-pvUSB-backend.patch b/0043-xen-add-pvUSB-backend.patch similarity index 99% rename from 0057-xen-add-pvUSB-backend.patch rename to 0043-xen-add-pvUSB-backend.patch index 81bca7e..c878f46 100644 --- a/0057-xen-add-pvUSB-backend.patch +++ b/0043-xen-add-pvUSB-backend.patch 
@@ -1,4 +1,4 @@ -From 9c573c905a6cc3b4dbf931c64e554a20683807b9 Mon Sep 17 00:00:00 2001 +From 013c67849bbe9688491b85483bce6e8fc81fa90f Mon Sep 17 00:00:00 2001 From: Juergen Gross Date: Thu, 12 May 2016 16:13:41 +0200 Subject: [PATCH] xen: add pvUSB backend @@ -1151,7 +1151,7 @@ index 63364f7..6e18a46 100644 void xen_init_display(int domid); diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h -index bd65e67..d010cee 100644 +index 7b52e8f..5eabf37 100644 --- a/include/hw/xen/xen_common.h +++ b/include/hw/xen/xen_common.h @@ -49,6 +49,8 @@ typedef xc_gnttab xengnttab_handle; diff --git a/0044-esp-check-dma-length-before-reading.patch b/0044-esp-check-dma-length-before-reading.patch deleted file mode 100644 index 2134279..0000000 --- a/0044-esp-check-dma-length-before-reading.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From ff65fa87b6d7d4e7dbda895181c9afc80b07c5e3 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 19 May 2016 16:09:31 +0530 -Subject: [PATCH] esp: check dma length before reading scsi - command(CVE-2016-4441) - -The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte -FIFO buffer. It is used to handle command and data transfer. -Routine get_cmd() uses DMA to read scsi commands into this buffer. -Add check to validate DMA length against buffer size to avoid any -overrun. - -Fixes CVE-2016-4441. - -Reported-by: Li Qiang -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90) -[BR: CVE-2016-4441 BSC#980723] -Signed-off-by: Bruce Rogers ---- - hw/scsi/esp.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index 01497e6..591c817 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req) - } - } - --static uint32_t get_cmd(ESPState *s, uint8_t *buf) -+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) - { - uint32_t dmalen; - int target; -@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf) - dmalen = s->rregs[ESP_TCLO]; - dmalen |= s->rregs[ESP_TCMID] << 8; - dmalen |= s->rregs[ESP_TCHI] << 16; -+ if (dmalen > buflen) { -+ return 0; -+ } - s->dma_memory_read(s->dma_opaque, buf, dmalen); - } else { - dmalen = s->ti_size; -@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s) - s->dma_cb = handle_satn; - return; - } -- len = get_cmd(s, buf); -+ len = get_cmd(s, buf, sizeof(buf)); - if (len) - do_cmd(s, buf); - } -@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s) - s->dma_cb = handle_s_without_atn; - return; - } -- len = get_cmd(s, buf); -+ len = get_cmd(s, buf, sizeof(buf)); - if (len) { - 
do_busid_cmd(s, buf, 0); - } -@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s) - s->dma_cb = handle_satn_stop; - return; - } -- s->cmdlen = get_cmd(s, s->cmdbuf); -+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf)); - if (s->cmdlen) { - trace_esp_handle_satn_stop(s->cmdlen); - s->do_cmd = 1; diff --git a/0058-xen-move-xen_sysdev-to-xen_backend..patch b/0044-xen-move-xen_sysdev-to-xen_backend..patch similarity index 98% rename from 0058-xen-move-xen_sysdev-to-xen_backend..patch rename to 0044-xen-move-xen_sysdev-to-xen_backend..patch index 0afe824..7d2e520 100644 --- a/0058-xen-move-xen_sysdev-to-xen_backend..patch +++ b/0044-xen-move-xen_sysdev-to-xen_backend..patch @@ -1,4 +1,4 @@ -From ee2225e5f531d965aed352bf99ba339969216144 Mon Sep 17 00:00:00 2001 +From 87e73bcc23fedcaa89776810dfcf4c6ef8ad39b1 Mon Sep 17 00:00:00 2001 From: Juergen Gross Date: Mon, 13 Jun 2016 11:12:21 +0200 Subject: [PATCH] xen: move xen_sysdev to xen_backend.c diff --git a/0045-scsi-pvscsi-check-command-descripto.patch b/0045-scsi-pvscsi-check-command-descripto.patch deleted file mode 100644 index 3f38981..0000000 --- a/0045-scsi-pvscsi-check-command-descripto.patch +++ /dev/null 
@@ -1,96 +0,0 @@
-From 8c2fc88049f351c67bd82c6f61c54111eb088e69 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Mon, 23 May 2016 04:49:00 -0600
-Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size
-
-Vmware Paravirtual SCSI emulation uses command descriptors to
-process SCSI commands. These descriptors come with their ring
-buffers. A guest could set the ring buffer size to an arbitrary
-value leading to OOB access issue. Add check to avoid it.
-
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
-[BR: CVE-2016-4952 BSC#981266]
-Signed-off-by: Bruce Rogers
----
- hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
- 1 file changed, 20 insertions(+), 4 deletions(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index e690b4e..e1d6d06 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
- return log;
- }
-
--static void
-+static int
- pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- {
- int i;
-@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- uint32_t req_ring_size, cmp_ring_size;
- m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
-
-+ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
-+ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
-+ return -1;
-+ }
- req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
- cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
- txr_len_log2 = pvscsi_log2(req_ring_size - 1);
-@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
-
- /* Flush ring state page changes */
- smp_wmb();
-+
-+ return 0;
- }
-
--static void
-+static int
- pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
- {
- int i;
- uint32_t len_log2;
- uint32_t ring_size;
-
-+ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
-+ return -1;
-+ }
- ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
- len_log2 = pvscsi_log2(ring_size - 1);
-
-@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
-
- /* Flush ring state page changes */
- smp_wmb();
-+
-+ return 0;
- }
-
- static void
-@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
- trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
-
- pvscsi_dbg_dump_tx_rings_config(rc);
-- pvscsi_ring_init_data(&s->rings, rc);
-+ if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
-+ return PVSCSI_COMMAND_PROCESSING_FAILED;
-+ }
-+
- s->rings_info_valid = TRUE;
- return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
- }
-@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
- }
-
- if (s->rings_info_valid) {
-- pvscsi_ring_init_msg(&s->rings, rc);
-+ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
-+ return PVSCSI_COMMAND_PROCESSING_FAILED;
-+ }
- s->msg_ring_info_valid = TRUE;
- }
- return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
diff --git a/0059-vnc-add-configurable-keyboard-delay.patch b/0045-vnc-add-configurable-keyboard-delay.patch
similarity index 97%
rename from 0059-vnc-add-configurable-keyboard-delay.patch
rename to 0045-vnc-add-configurable-keyboard-delay.patch
index b236839..648f35c 100644
--- a/0059-vnc-add-configurable-keyboard-delay.patch
+++ b/0045-vnc-add-configurable-keyboard-delay.patch
@@ -1,4 +1,4 @@
-From 6a788961dd16f558d78ab7313f0b297409f37af7 Mon Sep 17 00:00:00 2001
+From a77aa218a1ae490d8b4594a77492353c4ebf235f Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann
 Date: Wed, 1 Jun 2016 08:22:30 +0200
 Subject: [PATCH] vnc: add configurable keyboard delay
@@ -42,7 +42,7 @@ index 32b25a5..3bcd98f 100644
 ETEXI
 diff --git a/ui/vnc.c b/ui/vnc.c
-index ab65db9..1bee07f 100644
+index e7946ba..f78c8c3 100644
 --- a/ui/vnc.c
 +++ b/ui/vnc.c
 @@ -1639,6 +1639,7 @@ static void reset_keys(VncState *vs)
diff --git a/0061-configure-add-echo_version-helper.patch b/0046-configure-add-echo_version-helper.patch
similarity index 88%
rename from 0061-configure-add-echo_version-helper.patch
rename to 0046-configure-add-echo_version-helper.patch
index 5e8f634..073772a 100644
--- a/0061-configure-add-echo_version-helper.patch
+++ b/0046-configure-add-echo_version-helper.patch
@@ -1,4 +1,4 @@
-From 83775fe297c7cc8dae0d46c22accc2d7eb78c4a0 Mon Sep 17 00:00:00 2001
+From c4fc507e8d321e3ad3df335b6c4ab84d8fd6bae7 Mon Sep 17 00:00:00 2001
 From: Cole Robinson
 Date: Fri, 6 May 2016 14:03:09 -0400
 Subject: [PATCH] configure: add echo_version helper
@@ -17,10 +17,10 @@ Signed-off-by: Bruce Rogers
 1 file changed, 8 insertions(+), 10 deletions(-)
 diff --git a/configure b/configure
-index b455035..767658e 100755
+index 8892b36..51dc704 100755
 --- a/configure
 +++ b/configure
-@@ -4748,6 +4748,12 @@ EOF
+@@ -4749,6 +4749,12 @@ EOF
 fi
 fi
@@ -33,7 +33,7 @@ index b455035..767658e 100755
 # prepend pixman and ftd flags after all config tests are done
 QEMU_CFLAGS="$pixman_cflags $fdt_cflags $QEMU_CFLAGS"
 libs_softmmu="$pixman_libs $libs_softmmu"
-@@ -4805,11 +4811,7 @@ echo "GNUTLS hash $gnutls_hash"
+@@ -4806,11 +4812,7 @@ echo "GNUTLS hash $gnutls_hash"
 echo "GNUTLS rnd $gnutls_rnd"
 echo "libgcrypt $gcrypt"
 echo "libgcrypt kdf $gcrypt_kdf"
@@ -46,7 +46,7 @@ index b455035..767658e 100755
 echo "nettle kdf $nettle_kdf"
 echo "libtasn1 $tasn1"
 echo "VTE support $vte"
-@@ -4861,11 +4863,7 @@ echo "Trace backends $trace_backends"
+@@ -4862,11 +4864,7 @@ echo "Trace backends $trace_backends"
 if have_backend "simple"; then
 echo "Trace output file $trace_file-"
 fi
diff --git a/0046-scsi-mptsas-infinite-loop-while-fet.patch b/0046-scsi-mptsas-infinite-loop-while-fet.patch
deleted file mode 100644
index 1da58ce..0000000
--- a/0046-scsi-mptsas-infinite-loop-while-fet.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 9e91782f3582e12f5c41e64f70e5c53f0e7b9f2a Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Tue, 24 May 2016 02:10:00 -0600
-Subject: [PATCH] scsi: mptsas: infinite loop while fetching requests
-
-The LSI SAS1068 Host Bus Adapter emulator in Qemu, periodically
-looks for requests and fetches them. A loop doing that in
-mptsas_fetch_requests() could run infinitely if 's->state' was
-not operational. Move check to avoid such a loop.
-
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
-[BR: CVE-2016-4964 BSC#981399]
-Signed-off-by: Bruce Rogers
----
- hw/scsi/mptsas.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
-index 499c146..be88e16 100644
---- a/hw/scsi/mptsas.c
-+++ b/hw/scsi/mptsas.c
-@@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s)
- hwaddr addr;
- int size;
-
-- if (s->state != MPI_IOC_STATE_OPERATIONAL) {
-- mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
-- return;
-- }
--
- /* Read the message header from the guest first. */
- addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post);
- pci_dma_read(pci, addr, req, sizeof(hdr));
-@@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque)
- {
- MPTSASState *s = opaque;
-
-+ if (s->state != MPI_IOC_STATE_OPERATIONAL) {
-+ mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
-+ return;
-+ }
- while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
- mptsas_fetch_request(s);
- }
diff --git a/0062-configure-support-vte-2.91.patch b/0047-configure-support-vte-2.91.patch
similarity index 90%
rename from 0062-configure-support-vte-2.91.patch
rename to 0047-configure-support-vte-2.91.patch
index 49b4635..ce6ab8d 100644
--- a/0062-configure-support-vte-2.91.patch
+++ b/0047-configure-support-vte-2.91.patch
@@ -1,4 +1,4 @@
-From b673055ec7e4eda0454aacc2d042bd53405f85e6 Mon Sep 17 00:00:00 2001
+From eeb106a711b51266bf05f3895e01575357414ec6 Mon Sep 17 00:00:00 2001
 From: Cole Robinson
 Date: Fri, 6 May 2016 14:03:12 -0400
 Subject: [PATCH] configure: support vte-2.91
@@ -18,10 +18,10 @@ Signed-off-by: Bruce Rogers
 1 file changed, 11 insertions(+), 6 deletions(-)
 diff --git a/configure b/configure
-index 767658e..f32cff5 100755
+index 51dc704..8f1948c 100755
 --- a/configure
 +++ b/configure
-@@ -2395,20 +2395,25 @@ fi
+@@ -2396,20 +2396,25 @@ fi
 if test "$vte" != "no"; then
 if test "$gtkabi" = "3.0"; then
@@ -52,7 +52,7 @@ index 767658e..f32cff5 100755
 else
 feature_not_found "vte" "Install libvte devel"
 fi
-@@ -4806,6 +4811,7 @@ echo "pixman $pixman"
+@@ -4807,6 +4812,7 @@ echo "pixman $pixman"
 echo "SDL support $sdl"
 echo "GTK support $gtk"
 echo "GTK GL support $gtk_gl"
@@ -60,7 +60,7 @@ index 767658e..f32cff5 100755
 echo "GNUTLS support $gnutls"
 echo "GNUTLS hash $gnutls_hash"
 echo "GNUTLS rnd $gnutls_rnd"
-@@ -4814,7 +4820,6 @@ echo "libgcrypt kdf $gcrypt_kdf"
+@@ -4815,7 +4821,6 @@ echo "libgcrypt kdf $gcrypt_kdf"
 echo "nettle $nettle `echo_version $nettle $nettle_version`"
 echo "nettle kdf $nettle_kdf"
 echo "libtasn1 $tasn1"
diff --git a/0047-vga-add-sr_vbe-register-set.patch b/0047-vga-add-sr_vbe-register-set.patch
deleted file mode 100644
index eced461..0000000
--- a/0047-vga-add-sr_vbe-register-set.patch
+++ /dev/null
@@ -1,235 +0,0 @@
-From d8d0d22b88ceaf7f9ce8e01eb2842b8daf2aa34e Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Tue, 17 May 2016 10:54:54 +0200
-Subject: [PATCH] vga: add sr_vbe register set
-
-Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
-(CVE-2016-3712)." causes a regression. The win7 installer is unhappy
-because it can't freely modify vga registers any more while in vbe mode.
-
-This patch introduces a new sr_vbe register set. The vbe_update_vgaregs
-will fill sr_vbe[] instead of sr[]. Normal vga register reads and
-writes go to sr[]. Any sr register read access happens through a new
-sr() helper function which will read from sr_vbe[] with vbe active and
-from sr[] otherwise.
-
-This way we can allow guests update sr[] registers as they want, without
-allowing them disrupt vbe video modes that way.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Thomas Lamprecht
-Signed-off-by: Gerd Hoffmann
-Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
-(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
-Signed-off-by: Bruce Rogers
----
- hw/display/vga.c | 50 ++++++++++++++++++++++++++++----------------------
- hw/display/vga_int.h | 1 +
- 2 files changed, 29 insertions(+), 22 deletions(-)
-
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index 4a55ec6..9ebc54f 100644
---- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s)
- return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
- }
-
-+static inline uint8_t sr(VGACommonState *s, int idx)
-+{
-+ return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
-+}
-+
- static void vga_update_memory_access(VGACommonState *s)
- {
- hwaddr base, offset, size;
-@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s)
- s->has_chain4_alias = false;
- s->plane_updated = 0xf;
- }
-- if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
-- VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+ if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
-+ VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
- offset = 0;
- switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
- case 0:
-@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
- ((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
- vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
-
-- clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
-+ clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
- clock_sel = (s->msr >> 2) & 3;
- dots = (s->msr & 1) ? 8 : 9;
-
-@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
- printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
- #endif
- s->sr[s->sr_index] = val & sr_mask[s->sr_index];
-- vbe_update_vgaregs(s);
- if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
- s->update_retrace_info(s);
- }
-@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
-
- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
- shift_control = 0;
-- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
-+ s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
- } else {
- shift_control = 2;
- /* set chain 4 mode */
-- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
-+ s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
- /* activate all planes */
-- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
-+ s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
- }
- s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
- (shift_control << 5);
-@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
- break;
- }
-
-- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
- /* chain 4 mode : simplest access */
- assert(addr < s->vram_size);
- ret = s->vram_ptr[addr];
-@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
- break;
- }
-
-- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
- /* chain 4 mode : simplest access */
- plane = addr & 3;
- mask = (1 << plane);
-- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
-+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
- assert(addr < s->vram_size);
- s->vram_ptr[addr] = val;
- #ifdef DEBUG_VGA_MEM
-@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
- /* odd/even mode (aka text mode mapping) */
- plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
- mask = (1 << plane);
-- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
-+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
- addr = ((addr & ~1) << 1) | plane;
- if (addr >= s->vram_size) {
- return;
-@@ -996,7 +1000,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
-
- do_write:
- /* mask data according to sr[2] */
-- mask = s->sr[VGA_SEQ_PLANE_WRITE];
-+ mask = sr(s, VGA_SEQ_PLANE_WRITE);
- s->plane_updated |= mask; /* only used to detect font change */
- write_mask = mask16[mask];
- if (addr * sizeof(uint32_t) >= s->vram_size) {
-@@ -1152,10 +1156,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
- /* total width & height */
- cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
- cwidth = 8;
-- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
-+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
- cwidth = 9;
- }
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
- cwidth = 16; /* NOTE: no 18 pixel wide */
- }
- width = (s->cr[VGA_CRTC_H_DISP] + 1);
-@@ -1197,7 +1201,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
- int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
-
- /* compute font data address (in plane 2) */
-- v = s->sr[VGA_SEQ_CHARACTER_MAP];
-+ v = sr(s, VGA_SEQ_CHARACTER_MAP);
- offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
- if (offset != s->font_offsets[0]) {
- s->font_offsets[0] = offset;
-@@ -1506,11 +1510,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
- }
-
- if (shift_control == 0) {
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
- disp_width <<= 1;
- }
- } else if (shift_control == 1) {
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
- disp_width <<= 1;
- }
- }
-@@ -1574,7 +1578,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
-
- if (shift_control == 0) {
- full_update |= update_palette16(s);
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
- v = VGA_DRAW_LINE4D2;
- } else {
- v = VGA_DRAW_LINE4;
-@@ -1582,7 +1586,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
- bits = 4;
- } else if (shift_control == 1) {
- full_update |= update_palette16(s);
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
- v = VGA_DRAW_LINE2D2;
- } else {
- v = VGA_DRAW_LINE2;
-@@ -1629,7 +1633,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
- #if 0
- printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
- width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
-- s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]);
-+ s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE));
- #endif
- addr1 = (s->start_addr * 4);
- bwidth = (width * bits + 7) / 8;
-@@ -1781,6 +1785,7 @@ void vga_common_reset(VGACommonState *s)
- {
- s->sr_index = 0;
- memset(s->sr, '\0', sizeof(s->sr));
-+ memset(s->sr_vbe, '\0', sizeof(s->sr_vbe));
- s->gr_index = 0;
- memset(s->gr, '\0', sizeof(s->gr));
- s->ar_index = 0;
-@@ -1883,10 +1888,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
- /* total width & height */
- cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
- cw = 8;
-- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
-+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
- cw = 9;
- }
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
- cw = 16; /* NOTE: no 18 pixel wide */
- }
- width = (s->cr[VGA_CRTC_H_DISP] + 1);
-@@ -2053,6 +2058,7 @@ static int vga_common_post_load(void *opaque, int version_id)
-
- /* force refresh */
- s->graphic_mode = -1;
-+ vbe_update_vgaregs(s);
- return 0;
- }
-
-diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
-index bdb43a5..3ce5544 100644
---- a/hw/display/vga_int.h
-+++ b/hw/display/vga_int.h
-@@ -98,6 +98,7 @@ typedef struct VGACommonState {
- MemoryRegion chain4_alias;
- uint8_t sr_index;
- uint8_t sr[256];
-+ uint8_t sr_vbe[256];
- uint8_t gr_index;
- uint8_t gr[256];
- uint8_t ar_index;
diff --git a/0063-hw-arm-virt-mark-the-PCIe-host-cont.patch b/0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
similarity index 94%
rename from 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
rename to 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
index fba9cd7..a31c0bf 100644
--- a/0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
+++ b/0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
@@ -1,4 +1,4 @@
-From ced63da3c840792292a6ee8201c3f7789b80b7eb Mon Sep 17 00:00:00 2001
+From 8b1a852589b2693dd384680d761e617a34ba2f9e Mon Sep 17 00:00:00 2001
 From: Ard Biesheuvel
 Date: Mon, 4 Jul 2016 13:06:36 +0100
 Subject: [PATCH] hw/arm/virt: mark the PCIe host controller as DMA coherent in
@@ -25,7 +25,7 @@ Signed-off-by: Alexander Graf
 1 file changed, 1 insertion(+)
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index 56d35c7..9d015d5 100644
+index a535285..30841de 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
 @@ -950,6 +950,7 @@ static void create_pcie(const VirtBoardInfo *vbi, qemu_irq *pic,
diff --git a/0048-scsi-megasas-use-appropriate-proper.patch b/0048-scsi-megasas-use-appropriate-proper.patch
deleted file mode 100644
index 0b6041d..0000000
--- a/0048-scsi-megasas-use-appropriate-proper.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From f7901e3ec072d45629284c91300bf5ad21b36908 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Wed, 25 May 2016 16:01:29 +0530
-Subject: [PATCH] scsi: megasas: use appropriate property buffer size
-
-When setting MegaRAID SAS controller properties via MegaRAID
-Firmware Interface(MFI) commands, a user supplied size parameter
-is used to set property value. Use appropriate size value to avoid
-OOB access issues.
-
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
-Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini
-(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731)
-[BR:CVE-2016-5106 BSC#982018]
-Signed-off-by: Bruce Rogers
----
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index a63a581..dcbd3e1 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -1446,7 +1446,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
- dcmd_size);
- return MFI_STAT_INVALID_PARAMETER;
- }
-- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
-+ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
- trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
- return MFI_STAT_OK;
- }
diff --git a/0049-scsi-megasas-check-read_queue_head-.patch b/0049-scsi-megasas-check-read_queue_head-.patch
deleted file mode 100644
index 6671ed9..0000000
--- a/0049-scsi-megasas-check-read_queue_head-.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From e9910b20f94d3683d4d8895136583529cf7c313f Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Wed, 25 May 2016 17:55:10 +0530
-Subject: [PATCH] scsi: megasas: check 'read_queue_head' index value
-
-While doing MegaRAID SAS controller command frame lookup, routine
-'megasas_lookup_frame' uses 'read_queue_head' value as an index
-into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
-within array bounds to avoid any OOB access.
-
-Reported-by: Li Qiang
-Signed-off-by: Prasad J Pandit
-Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
-Reviewed-by: Alexander Graf
-Signed-off-by: Paolo Bonzini
-(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
-[BR: CVE-2016-5107 BSC#982019]
-Signed-off-by: Bruce Rogers
----
- hw/scsi/megasas.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index dcbd3e1..96aee1c 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -650,7 +650,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
- pa_hi = le32_to_cpu(initq->pi_addr_hi);
- s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
-+ s->reply_queue_head %= MEGASAS_MAX_FRAMES;
- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
-+ s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
- flags = le32_to_cpu(initq->flags);
- if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
- s->flags |= MEGASAS_MASK_USE_QUEUE64;
diff --git a/0064-xen-SUSE-xenlinux-unplug-for-emulat.patch b/0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
similarity index 96%
rename from 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
rename to 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
index 96c8e79..4240f3a 100644
--- a/0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
+++ b/0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
@@ -1,4 +1,4 @@
-From 1caba48fc19de7cdceda7577ccf6970d4eb7ed75 Mon Sep 17 00:00:00 2001
+From 6fc72ceb37357fb66b43b17a84b4b6fe128c5f4f Mon Sep 17 00:00:00 2001
 From: Olaf Hering
 Date: Tue, 21 Jun 2016 18:42:45 +0200
 Subject: [PATCH] xen: SUSE xenlinux unplug for emulated PCI
diff --git a/0070-scsi-esp-fix-migration.patch b/0050-scsi-esp-fix-migration.patch
similarity index 91%
rename from 0070-scsi-esp-fix-migration.patch
rename to 0050-scsi-esp-fix-migration.patch
index b415c19..4876736 100644
--- a/0070-scsi-esp-fix-migration.patch
+++ b/0050-scsi-esp-fix-migration.patch
@@ -1,4 +1,4 @@
-From a4c62237f33857750850ef30066a5ae5d4d1194e Mon Sep 17 00:00:00 2001
+From ef7fe72329d837ac78895a6b287bc6d7cb2a6889 Mon Sep 17 00:00:00 2001
 From: Paolo Bonzini
 Date: Mon, 20 Jun 2016 16:32:39 +0200
 Subject: [PATCH] scsi: esp: fix migration
@@ -17,10 +17,10 @@ Signed-off-by: Bruce Rogers
 2 files changed, 7 insertions(+), 3 deletions(-)
 diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 9e318fd..25c547c 100644
+index baa0a2c..1f2f2d3 100644
 --- a/hw/scsi/esp.c
 +++ b/hw/scsi/esp.c
-@@ -577,7 +577,7 @@ static bool esp_mem_accepts(void *opaque, hwaddr addr,
+@@ -574,7 +574,7 @@ static bool esp_mem_accepts(void *opaque, hwaddr addr,
 const VMStateDescription vmstate_esp = {
 .name ="esp",
@@ -29,7 +29,7 @@ index 9e318fd..25c547c 100644
 .minimum_version_id = 3,
 .fields = (VMStateField[]) {
 VMSTATE_BUFFER(rregs, ESPState),
-@@ -588,7 +588,8 @@ const VMStateDescription vmstate_esp = {
+@@ -585,7 +585,8 @@ const VMStateDescription vmstate_esp = {
 VMSTATE_BUFFER(ti_buf, ESPState),
 VMSTATE_UINT32(status, ESPState),
 VMSTATE_UINT32(dma, ESPState),
diff --git a/0050-scsi-megasas-null-terminate-bios-ve.patch b/0050-scsi-megasas-null-terminate-bios-ve.patch
deleted file mode 100644
index 6d8b9ff..0000000
--- a/0050-scsi-megasas-null-terminate-bios-ve.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From e7b653272e0242843f39b9b8d65694c29028fdf5 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Tue, 7 Jun 2016 16:44:03 +0530
-Subject: [PATCH] scsi: megasas: null terminate bios version buffer
-
-While reading information via 'megasas_ctrl_get_info' routine,
-a local bios version buffer isn't null terminated. Add the
-terminating null byte to avoid any OOB access.
-
-Reported-by: Li Qiang
-Reviewed-by: Peter Maydell
-Signed-off-by: Prasad J Pandit
-Signed-off-by: Paolo Bonzini
-(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
-[BR: CVE-2016-5337 BSC#983961]
-Signed-off-by: Bruce Rogers
----
- hw/scsi/megasas.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 96aee1c..893448b 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
-
- ptr = memory_region_get_ram_ptr(&pci_dev->rom);
- memcpy(biosver, ptr + 0x41, 31);
-+ biosver[31] = 0;
- memcpy(info.image_component[1].name, "BIOS", 4);
- memcpy(info.image_component[1].version, biosver,
- strlen((const char *)biosver));
diff --git a/0051-vmsvga-move-fifo-sanity-checks-to-v.patch b/0051-vmsvga-move-fifo-sanity-checks-to-v.patch
deleted file mode 100644
index d503a38..0000000
--- a/0051-vmsvga-move-fifo-sanity-checks-to-v.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 74a7469799521413262d7571b7092f859ed32121 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Mon, 30 May 2016 09:09:18 +0200
-Subject: [PATCH] vmsvga: move fifo sanity checks to vmsvga_fifo_length
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Sanity checks are applied when the fifo is enabled by the guest
-(SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest
-changes the fifo registers afterwards. Move the checks to
-vmsvga_fifo_length so they are done each time qemu is about to read
-from the fifo.
-
-Fixes: CVE-2016-4454
-Cc: qemu-stable@nongnu.org
-Cc: P J P
-Reported-by: 李强
-Signed-off-by: Gerd Hoffmann
-Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
-(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
-[BR: CVE-2016-4454 BSC#982222]
-Signed-off-by: Bruce Rogers
----
- hw/display/vmware_vga.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 0c63fa8..63a7c05 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -555,6 +555,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- if (!s->config || !s->enable) {
- return 0;
- }
-+
-+ /* Check range and alignment. */
-+ if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-+ return 0;
-+ }
-+ if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-+ return 0;
-+ }
-+ if (CMD(max) > SVGA_FIFO_SIZE) {
-+ return 0;
-+ }
-+ if (CMD(max) < CMD(min) + 10 * 1024) {
-+ return 0;
-+ }
-+
- num = CMD(next_cmd) - CMD(stop);
- if (num < 0) {
- num += CMD(max) - CMD(min);
-@@ -1005,19 +1020,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
- case SVGA_REG_CONFIG_DONE:
- if (value) {
- s->fifo = (uint32_t *) s->fifo_ptr;
-- /* Check range and alignment. */
-- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-- break;
-- }
-- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-- break;
-- }
-- if (CMD(max) > SVGA_FIFO_SIZE) {
-- break;
-- }
-- if (CMD(max) < CMD(min) + 10 * 1024) {
-- break;
-- }
- vga_dirty_log_stop(&s->vga);
- }
- s->config = !!value;
diff --git a/0072-xen-when-removing-a-backend-don-t-r.patch b/0051-xen-when-removing-a-backend-don-t-r.patch
similarity index 98%
rename from 0072-xen-when-removing-a-backend-don-t-r.patch
rename to 0051-xen-when-removing-a-backend-don-t-r.patch
index 137ad11..87da569 100644
--- a/0072-xen-when-removing-a-backend-don-t-r.patch
+++ b/0051-xen-when-removing-a-backend-don-t-r.patch
@@ -1,4 +1,4 @@
-From 0d4ea8a7847a76415ed0d0db0392be5b7d1b71a6 Mon Sep 17 00:00:00 2001
+From 57e6b7c9e33686c070e6b5bce203e1a4a01b821d Mon Sep 17 00:00:00 2001
 From: Juergen Gross
 Date: Fri, 29 Jul 2016 12:51:53 +0200
 Subject: [PATCH] xen: when removing a backend don't remove many of them
diff --git a/0052-vmsvga-don-t-process-more-than-1024.patch b/0052-vmsvga-don-t-process-more-than-1024.patch
deleted file mode 100644
index e0a2a11..0000000
--- a/0052-vmsvga-don-t-process-more-than-1024.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 51a212ea5bb9d958e0fd59d9e975685a8b9e62d0 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Mon, 30 May 2016 09:09:21 +0200
-Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-vmsvga_fifo_run is called in regular intervals (on each display update)
-and will resume where it left off. So we can simply exit the loop,
-without having to worry about how processing will continue.
-
-Fixes: CVE-2016-4453
-Cc: qemu-stable@nongnu.org
-Cc: P J P
-Reported-by: 李强
-Signed-off-by: Gerd Hoffmann
-Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
-(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
-[BR: CVE-2016-4453 BSC#982223]
-Signed-off-by: Bruce Rogers
----
- hw/display/vmware_vga.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 63a7c05..3bd4c52 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -596,13 +596,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
- static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- {
- uint32_t cmd, colour;
-- int args, len;
-+ int args, len, maxloop = 1024;
- int x, y, dx, dy, width, height;
- struct vmsvga_cursor_definition_s cursor;
- uint32_t cmd_start;
-
- len = vmsvga_fifo_length(s);
-- while (len > 0) {
-+ while (len > 0 && --maxloop > 0) {
- /* May need to go back to the start of the command if incomplete */
- cmd_start = s->cmd->stop;
-
diff --git a/0073-xen-drain-submit-queue-in-xen-usb-b.patch b/0052-xen-drain-submit-queue-in-xen-usb-b.patch
similarity index 99%
rename from 0073-xen-drain-submit-queue-in-xen-usb-b.patch
rename to 0052-xen-drain-submit-queue-in-xen-usb-b.patch
index ae9cacb..a77f398 100644
--- a/0073-xen-drain-submit-queue-in-xen-usb-b.patch
+++ b/0052-xen-drain-submit-queue-in-xen-usb-b.patch
@@ -1,4 +1,4 @@ -From afb94bcc5bbb8b58f8c96821caaab268f96cabdb Mon Sep 17 00:00:00 2001 +From 559d8ccdb0a5e92b6a0a42f2850caa7a8c57ae76 Mon Sep 17 00:00:00 2001 From: Juergen Gross Date: Wed, 27 Jul 2016 08:17:41 +0200 Subject: [PATCH] xen: drain submit queue in xen-usb before removing device diff --git a/0053-block-iscsi-avoid-potential-overflo.patch b/0053-block-iscsi-avoid-potential-overflo.patch deleted file mode 100644 index fc380aa..0000000 --- a/0053-block-iscsi-avoid-potential-overflo.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 75e2bbd9eb1645c7acb1929ca700913a6e2f54d6 Mon Sep 17 00:00:00 2001 -From: Peter Lieven -Date: Tue, 24 May 2016 10:59:28 +0200 -Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb - -at least in the path via virtio-blk the maximum size is not -restricted. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Peter Lieven -Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de> -Signed-off-by: Paolo Bonzini -(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196) -[BR: CVE-2016-5126 BSC#982285] -Signed-off-by: Bruce Rogers ---- - block/iscsi.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/block/iscsi.c b/block/iscsi.c -index 302baf8..172e6cf 100644 ---- a/block/iscsi.c -+++ b/block/iscsi.c -@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs, - return &acb->common; - } - -+ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) { -+ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)", -+ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE); -+ qemu_aio_unref(acb); -+ return NULL; -+ } -+ - acb->task = malloc(sizeof(struct scsi_task)); - if (acb->task == NULL) { - error_report("iSCSI: Failed to allocate task for scsi command. %s", 
diff --git a/0074-qcow2-avoid-extra-flushes-in-qcow2.patch b/0053-qcow2-avoid-extra-flushes-in-qcow2.patch similarity index 98% rename from 0074-qcow2-avoid-extra-flushes-in-qcow2.patch rename to 0053-qcow2-avoid-extra-flushes-in-qcow2.patch index 8b9466e..8b7a14a 100644 --- a/0074-qcow2-avoid-extra-flushes-in-qcow2.patch +++ b/0053-qcow2-avoid-extra-flushes-in-qcow2.patch @@ -1,4 +1,4 @@ -From 197d526012602fbac75392a86e991539e4400bf0 Mon Sep 17 00:00:00 2001 +From c9f5c5004b9fb97398c8dc0003303493904c986c Mon Sep 17 00:00:00 2001 From: "Denis V. Lunev" Date: Thu, 2 Jun 2016 18:58:15 +0300 Subject: [PATCH] qcow2: avoid extra flushes in qcow2 diff --git a/0075-qemu-bridge-helper-reduce-security-.patch b/0054-qemu-bridge-helper-reduce-security-.patch similarity index 97% rename from 0075-qemu-bridge-helper-reduce-security-.patch rename to 0054-qemu-bridge-helper-reduce-security-.patch index ea62bc2..a1e94ca 100644 --- a/0075-qemu-bridge-helper-reduce-security-.patch +++ b/0054-qemu-bridge-helper-reduce-security-.patch @@ -1,4 +1,4 @@ -From 4bbd77b07de2f0df2e8a0dba9c4ca51299ee2518 Mon Sep 17 00:00:00 2001 +From 66d8c1e91cb8b11fad0ddc68c7398c5ff202525e Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Tue, 2 Aug 2016 11:36:02 -0600 Subject: [PATCH] qemu-bridge-helper: reduce security profile diff --git a/0054-scsi-esp-check-TI-buffer-index-befo.patch b/0054-scsi-esp-check-TI-buffer-index-befo.patch deleted file mode 100644 index 17c6954..0000000 --- a/0054-scsi-esp-check-TI-buffer-index-befo.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 40b9ce117b5a3aced6e1b88ea0e2619170b202f6 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Mon, 6 Jun 2016 22:04:43 +0530 -Subject: [PATCH] scsi: esp: check TI buffer index before read/write - -The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte -FIFO buffers. One is used to handle commands and other is for -information transfer. Three control variables 'ti_rptr', -'ti_wptr' and 'ti_size' are used to control r/w access to the -information transfer buffer ti_buf[TI_BUFSZ=16]. In that, - -'ti_rptr' is used as read index, where read occurs. -'ti_wptr' is a write index, where write would occur. -'ti_size' indicates total bytes to be read from the buffer. - -While reading/writing to this buffer, index could exceed its -size. Add check to avoid OOB r/w access. - -Reported-by: Huawei PSIRT -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-Id: <1465230883-22303-1-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit ff589551c8e8e9e95e211b9d8daafb4ed39f1aec) -[BR: CVE-2016-5338 BSC#983982] -Signed-off-by: Bruce Rogers ---- - hw/scsi/esp.c | 20 +++++++++----------- - 1 file changed, 9 insertions(+), 11 deletions(-) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index 591c817..3adb685 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -400,19 +400,17 @@ uint64_t esp_reg_read(ESPState *s, uint32_t saddr) - trace_esp_mem_readb(saddr, s->rregs[saddr]); - switch (saddr) { - case ESP_FIFO: -- if (s->ti_size > 0) { -+ if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) { -+ /* Data out. */ -+ qemu_log_mask(LOG_UNIMP, "esp: PIO data read not implemented\n"); -+ s->rregs[ESP_FIFO] = 0; -+ esp_raise_irq(s); -+ } else if (s->ti_rptr < s->ti_wptr) { - s->ti_size--; -- if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) { -- /* Data out. 
*/ -- qemu_log_mask(LOG_UNIMP, -- "esp: PIO data read not implemented\n"); -- s->rregs[ESP_FIFO] = 0; -- } else { -- s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++]; -- } -+ s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++]; - esp_raise_irq(s); - } -- if (s->ti_size == 0) { -+ if (s->ti_rptr == s->ti_wptr) { - s->ti_rptr = 0; - s->ti_wptr = 0; - } -@@ -456,7 +454,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) - } else { - trace_esp_error_fifo_overrun(); - } -- } else if (s->ti_size == TI_BUFSZ - 1) { -+ } else if (s->ti_wptr == TI_BUFSZ - 1) { - trace_esp_error_fifo_overrun(); - } else { - s->ti_size++; diff --git a/0076-xen-use-a-common-function-for-pv-an.patch b/0055-xen-use-a-common-function-for-pv-an.patch similarity index 98% rename from 0076-xen-use-a-common-function-for-pv-an.patch rename to 0055-xen-use-a-common-function-for-pv-an.patch index e78f064..2823a4b 100644 --- a/0076-xen-use-a-common-function-for-pv-an.patch +++ b/0055-xen-use-a-common-function-for-pv-an.patch @@ -1,4 +1,4 @@ -From ddbfdd2c5396aa810a789f5cb681879f78cb693f Mon Sep 17 00:00:00 2001 +From fceaaa771845a1fa7379539e77390b833dc9de3b Mon Sep 17 00:00:00 2001 From: Juergen Gross Date: Tue, 2 Aug 2016 08:32:32 +0200 Subject: [PATCH] xen: use a common function for pv and hvm guest backend diff --git a/0060-scsi-megasas-initialise-local-confi.patch b/0060-scsi-megasas-initialise-local-confi.patch deleted file mode 100644 index 33436c7..0000000 --- a/0060-scsi-megasas-initialise-local-confi.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 702d446c9378b6d8415599780cf9f8bfb4c7cb9a Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Wed, 25 May 2016 17:41:44 +0530 -Subject: [PATCH] scsi: megasas: initialise local configuration data buffer - -When reading MegaRAID SAS controller configuration via MegaRAID -Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read -uses an uninitialised local data buffer. Initialise this buffer -to avoid stack information leakage. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit d37af740730dbbb93960cd318e040372d04d6dcf) -[BR: CVE-2016-5105 982017] -Signed-off-by: Bruce Rogers ---- - hw/scsi/megasas.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 893448b..a9ffc32 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -1296,7 +1296,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd) - - static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd) - { -- uint8_t data[4096]; -+ uint8_t data[4096] = { 0 }; - struct mfi_config_data *info; - int num_pd_disks = 0, array_offset, ld_offset; - BusChild *kid; diff --git a/0065-scsi-esp-check-buffer-length-before.patch b/0065-scsi-esp-check-buffer-length-before.patch deleted file mode 100644 index 4c9e6f9..0000000 --- a/0065-scsi-esp-check-buffer-length-before.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 440a840f30f2439aece31ae59a5ee91675a78bb1 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Tue, 31 May 2016 23:23:27 +0530 -Subject: [PATCH] scsi: esp: check buffer length before reading scsi command - -The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte -FIFO buffer. It is used to handle command and data transfer. -Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi -command into a buffer. Add check to validate command length against -buffer size to avoid any overrun. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a) -[BR: CVE-2016-5238 BSC#982959] -Signed-off-by: Bruce Rogers ---- - hw/scsi/esp.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index 3adb685..4b94bbc 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) - s->dma_memory_read(s->dma_opaque, buf, dmalen); - } else { - dmalen = s->ti_size; -+ if (dmalen > TI_BUFSZ) { -+ return 0; -+ } - memcpy(buf, s->ti_buf, dmalen); - buf[0] = buf[2] >> 5; - } diff --git a/0066-scsi-esp-respect-FIFO-invariant-aft.patch b/0066-scsi-esp-respect-FIFO-invariant-aft.patch deleted file mode 100644 index d332906..0000000 --- a/0066-scsi-esp-respect-FIFO-invariant-aft.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From 9b2c1b6e771f01757b93cc92625ef48903786291 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Tue, 14 Jun 2016 15:10:24 +0200 -Subject: [PATCH] scsi: esp: respect FIFO invariant after message phase - -The FIFO contains two bytes; hence the write ptr should be two bytes ahead -of the read pointer. - -Signed-off-by: Paolo Bonzini -(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e) -[BR: CVE-2016-5238 BSC#982959] -Signed-off-by: Bruce Rogers ---- - hw/scsi/esp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index 4b94bbc..3f08598 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -222,7 +222,7 @@ static void write_response(ESPState *s) - } else { - s->ti_size = 2; - s->ti_rptr = 0; -- s->ti_wptr = 0; -+ s->ti_wptr = 2; - s->rregs[ESP_RFLAGS] = 2; - } - esp_raise_irq(s); diff --git a/0067-pci-assign-Move-Invalid-ROM-error-m.patch b/0067-pci-assign-Move-Invalid-ROM-error-m.patch deleted file mode 100644 index c310696..0000000 --- a/0067-pci-assign-Move-Invalid-ROM-error-m.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From f4fe76597dccb9017be71983c4204f21877fc69f Mon Sep 17 00:00:00 2001 -From: Lin Ma -Date: Thu, 16 Jun 2016 01:05:27 +0800 -Subject: [PATCH] pci-assign: Move "Invalid ROM" error message to - pci-assign-load-rom.c - -In function pci_assign_dev_load_option_rom, For those pci devices don't -have 'rom' file under sysfs or if loading ROM from external file, The -function returns NULL, and won't set the passed 'size' variable. - -In these 2 cases, qemu still reports "Invalid ROM" error message, Users -may be confused by it. - -Signed-off-by: Lin Ma -Message-Id: <1466010327-22368-1-git-send-email-lma@suse.com> -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -(cherry picked from commit be968c721ee9df49708691ab58f0e66b394dea82) -[BR: BSC#982927] -Signed-off-by: Bruce Rogers ---- - hw/i386/kvm/pci-assign.c | 4 ---- - hw/i386/pci-assign-load-rom.c | 3 +++ - 2 files changed, 3 insertions(+), 4 deletions(-) - -diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c -index bf425a2..8abce52 100644 ---- a/hw/i386/kvm/pci-assign.c -+++ b/hw/i386/kvm/pci-assign.c -@@ -1891,8 +1891,4 @@ static void assigned_dev_load_option_rom(AssignedDevice *dev) - pci_assign_dev_load_option_rom(&dev->dev, OBJECT(dev), &size, - dev->host.domain, dev->host.bus, - dev->host.slot, dev->host.function); -- -- if (!size) { -- error_report("pci-assign: Invalid ROM."); -- } - } -diff --git a/hw/i386/pci-assign-load-rom.c b/hw/i386/pci-assign-load-rom.c -index 4bbb08c..0d8e4b2 100644 ---- a/hw/i386/pci-assign-load-rom.c -+++ b/hw/i386/pci-assign-load-rom.c -@@ -40,6 +40,9 @@ void *pci_assign_dev_load_option_rom(PCIDevice *dev, struct Object *owner, - domain, bus, slot, function); - - if (stat(rom_file, &st)) { -+ if (errno != ENOENT) { -+ error_report("pci-assign: Invalid ROM."); -+ } - return NULL; - } - diff --git a/0068-Xen-PCI-passthrough-fix-passthrough.patch b/0068-Xen-PCI-passthrough-fix-passthrough.patch deleted file mode 100644 index d34f2c8..0000000 
--- a/0068-Xen-PCI-passthrough-fix-passthrough.patch +++ /dev/null @@ -1,29 +0,0 @@ -From a4b6bbf1139ebc70375c48afe99fccdd9dcaa501 Mon Sep 17 00:00:00 2001 -From: Bruce Rogers -Date: Tue, 26 Jul 2016 16:42:45 -0600 -Subject: [PATCH] Xen PCI passthrough: fix passthrough failure when no - interrupt pin - -Commit 5a11d0f7 mistakenly converted a log message into an error -condition when no pin interrupt is found for the pci device being -passed through. Revert that part of the commit. - -[BR: BSC#981925, BSC#989250] -Signed-off-by: Bruce Rogers ---- - hw/xen/xen_pt.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c -index f593b04..b6d71bb 100644 ---- a/hw/xen/xen_pt.c -+++ b/hw/xen/xen_pt.c -@@ -842,7 +842,7 @@ static void xen_pt_realize(PCIDevice *d, Error **errp) - goto err_out; - } - if (!scratch) { -- error_setg(errp, "no pin interrupt"); -+ XEN_PT_LOG(d, "no pin interrupt\n"); - goto out; - } - diff --git a/0069-scsi-esp-make-cmdbuf-big-enough-for.patch b/0069-scsi-esp-make-cmdbuf-big-enough-for.patch deleted file mode 100644 index 9e14a1d..0000000 --- a/0069-scsi-esp-make-cmdbuf-big-enough-for.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 20a82db8677dfb40288953ba296c372b66146f4d Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 16 Jun 2016 00:22:35 +0200 -Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size - -While doing DMA read into ESP command buffer 's->cmdbuf', it could -write past the 's->cmdbuf' area, if it was transferring more than 16 -bytes. Increase the command buffer size to 32, which is maximum when -'s->do_cmd' is set, and add a check on 'len' to avoid OOB access. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Signed-off-by: Paolo Bonzini -(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11) -[BR: CVE-2016-6351 BSC#990835] -Signed-off-by: Bruce Rogers ---- - hw/scsi/esp.c | 6 ++++-- - include/hw/scsi/esp.h | 3 ++- - 2 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c -index 3f08598..9e318fd 100644 ---- a/hw/scsi/esp.c -+++ b/hw/scsi/esp.c -@@ -249,6 +249,8 @@ static void esp_do_dma(ESPState *s) - len = s->dma_left; - if (s->do_cmd) { - trace_esp_do_dma(s->cmdlen, len); -+ assert (s->cmdlen <= sizeof(s->cmdbuf) && -+ len <= sizeof(s->cmdbuf) - s->cmdlen); - s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); - s->ti_size = 0; - s->cmdlen = 0; -@@ -348,7 +350,7 @@ static void handle_ti(ESPState *s) - s->dma_counter = dmalen; - - if (s->do_cmd) -- minlen = (dmalen < 32) ? dmalen : 32; -+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ; - else if (s->ti_size < 0) - minlen = (dmalen < -s->ti_size) ? 
dmalen : -s->ti_size; - else -@@ -452,7 +454,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val) - break; - case ESP_FIFO: - if (s->do_cmd) { -- if (s->cmdlen < TI_BUFSZ) { -+ if (s->cmdlen < ESP_CMDBUF_SZ) { - s->cmdbuf[s->cmdlen++] = val & 0xff; - } else { - trace_esp_error_fifo_overrun(); -diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h -index 6c79527..d2c4886 100644 ---- a/include/hw/scsi/esp.h -+++ b/include/hw/scsi/esp.h -@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift, - - #define ESP_REGS 16 - #define TI_BUFSZ 16 -+#define ESP_CMDBUF_SZ 32 - - typedef struct ESPState ESPState; - -@@ -31,7 +32,7 @@ struct ESPState { - SCSIBus bus; - SCSIDevice *current_dev; - SCSIRequest *current_req; -- uint8_t cmdbuf[TI_BUFSZ]; -+ uint8_t cmdbuf[ESP_CMDBUF_SZ]; - uint32_t cmdlen; - uint32_t do_cmd; - diff --git a/0071-virtio-error-out-if-guest-exceeds-v.patch b/0071-virtio-error-out-if-guest-exceeds-v.patch deleted file mode 100644 index af24e04..0000000 --- a/0071-virtio-error-out-if-guest-exceeds-v.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From d9c626e4ede58130f64f24f4f9ca1140e4102a70 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Tue, 19 Jul 2016 13:07:13 +0100 -Subject: [PATCH] virtio: error out if guest exceeds virtqueue size - -A broken or malicious guest can submit more requests than the virtqueue -size permits, causing unbounded memory allocation in QEMU. - -The guest can submit requests without bothering to wait for completion -and is therefore not bound by virtqueue size. This requires reusing -vring descriptors in more than one request, which is not allowed by the -VIRTIO 1.0 specification. - -In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification -says: - - 1. The driver places the buffer into free descriptor(s) in the - descriptor table, chaining as necessary - -and - - Note that the above code does not take precautions against the - available ring buffer wrapping around: this is not possible since the - ring buffer is the same size as the descriptor table, so step (1) will - prevent such a condition. - -This implies that placing more buffers into the virtqueue than the -descriptor table size is not allowed. - -QEMU is missing the check to prevent this case. Processing a request -allocates a VirtQueueElement leading to unbounded memory allocation -controlled by the guest. - -Exit with an error if the guest provides more requests than the -virtqueue size permits. This bounds memory allocation and makes the -buggy guest visible to the user. - -This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360 -Marvel Team, China. 
- -Reported-by: Zhenhao Hong -Signed-off-by: Stefan Hajnoczi -(cherry picked from commit afd9096eb1882f23929f5b5c177898ed231bac66) -[BR: CVE-2016-5403 BSC#991080] -Signed-off-by: Bruce Rogers ---- - hw/virtio/virtio.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c -index 30ede3d..e5ead0d 100644 ---- a/hw/virtio/virtio.c -+++ b/hw/virtio/virtio.c -@@ -561,6 +561,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz) - - max = vq->vring.num; - -+ if (vq->inuse >= vq->vring.num) { -+ error_report("Virtqueue size exceeded"); -+ exit(1); -+ } -+ - i = head = virtqueue_get_head(vq, vq->last_avail_idx++); - if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { - vring_set_avail_event(vq, vq->last_avail_idx); diff --git a/qemu-2.6.0.tar.bz2 b/qemu-2.6.0.tar.bz2 deleted file mode 100644 index 97b1a2a..0000000 --- a/qemu-2.6.0.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c9ac4a651b273233d21b8bec32e30507cb9cce7900841febc330956a1a8434ec -size 25755267 diff --git a/qemu-2.6.0.tar.bz2.sig b/qemu-2.6.0.tar.bz2.sig deleted file mode 100644 index 10f6b0f..0000000 Binary files a/qemu-2.6.0.tar.bz2.sig and /dev/null differ diff --git a/qemu-2.6.1.tar.bz2 b/qemu-2.6.1.tar.bz2 new file mode 100644 index 0000000..2f515f6 --- /dev/null +++ b/qemu-2.6.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4942fd1b6ee31f2f55ffc2201dd7397e6b9c55a2ef332e6d660c730d268e08d1 +size 25762855 diff --git a/qemu-2.6.1.tar.bz2.sig b/qemu-2.6.1.tar.bz2.sig new file mode 100644 index 0000000..fe4219b Binary files /dev/null and b/qemu-2.6.1.tar.bz2.sig differ diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes index 5d8d553..c2f915a 100644 --- a/qemu-linux-user.changes +++ b/qemu-linux-user.changes 
@@ -1,3 +1,62 @@ +------------------------------------------------------------------- +Wed Aug 17 20:25:13 UTC 2016 - brogers@suse.com + +- Update to v2.6.1 a stable, bug-fix-only release (fate#316228) +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6 +* Patches dropped (upstreamed): + 0041-net-mipsnet-check-packet-length-aga.patch + 0042-i386-kvmvapic-initialise-imm32-vari.patch + 0043-esp-check-command-buffer-length-bef.patch + 0044-esp-check-dma-length-before-reading.patch + 0045-scsi-pvscsi-check-command-descripto.patch + 0046-scsi-mptsas-infinite-loop-while-fet.patch + 0047-vga-add-sr_vbe-register-set.patch + 0048-scsi-megasas-use-appropriate-proper.patch + 0049-scsi-megasas-check-read_queue_head-.patch + 0050-scsi-megasas-null-terminate-bios-ve.patch + 0051-vmsvga-move-fifo-sanity-checks-to-v.patch + 0052-vmsvga-don-t-process-more-than-1024.patch + 0053-block-iscsi-avoid-potential-overflo.patch + 0054-scsi-esp-check-TI-buffer-index-befo.patch + 0060-scsi-megasas-initialise-local-confi.patch + 0065-scsi-esp-check-buffer-length-before.patch + 0066-scsi-esp-respect-FIFO-invariant-aft.patch + 0067-pci-assign-Move-Invalid-ROM-error-m.patch + 0068-Xen-PCI-passthrough-fix-passthrough.patch + 0069-scsi-esp-make-cmdbuf-big-enough-for.patch + 0071-virtio-error-out-if-guest-exceeds-v.patch +* Patches renamed: + 0055-xen-introduce-dummy-system-device.patch + -> 0041-xen-introduce-dummy-system-device.patch + 0056-xen-write-information-about-support.patch + -> 0042-xen-write-information-about-support.patch + 0057-xen-add-pvUSB-backend.patch + -> 0043-xen-add-pvUSB-backend.patch + 0058-xen-move-xen_sysdev-to-xen_backend..patch + -> 0044-xen-move-xen_sysdev-to-xen_backend..patch + 0059-vnc-add-configurable-keyboard-delay.patch + -> 0045-vnc-add-configurable-keyboard-delay.patch + 0061-configure-add-echo_version-helper.patch + -> 0046-configure-add-echo_version-helper.patch + 0062-configure-support-vte-2.91.patch + -> 
0047-configure-support-vte-2.91.patch + 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch + -> 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch + 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch + -> 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch + 0070-scsi-esp-fix-migration.patch + -> 0050-scsi-esp-fix-migration.patch + 0072-xen-when-removing-a-backend-don-t-r.patch + -> 0051-xen-when-removing-a-backend-don-t-r.patch + 0073-xen-drain-submit-queue-in-xen-usb-b.patch + -> 0052-xen-drain-submit-queue-in-xen-usb-b.patch + 0074-qcow2-avoid-extra-flushes-in-qcow2.patch + -> 0053-qcow2-avoid-extra-flushes-in-qcow2.patch + 0075-qemu-bridge-helper-reduce-security-.patch + -> 0054-qemu-bridge-helper-reduce-security-.patch + 0076-xen-use-a-common-function-for-pv-an.patch + -> 0055-xen-use-a-common-function-for-pv-an.patch + ------------------------------------------------------------------- Wed Aug 3 17:09:11 UTC 2016 - brogers@suse.com diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec index 92e5c2b..4346518 100644 --- a/qemu-linux-user.spec +++ b/qemu-linux-user.spec @@ -21,9 +21,9 @@ Url: http://www.qemu.org/ Summary: Universal CPU emulator License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT Group: System/Emulators/PC -Version: 2.6.0 +Version: 2.6.1 Release: 0 -Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2 +Source: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2 # This patch queue is auto-generated from https://github.com/openSUSE/qemu Patch0001: 0001-XXX-dont-dump-core-on-sigabort.patch Patch0002: 0002-qemu-0.9.0.cvs-binfmt.patch 
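Review bot: The bumped `Source:` line in the `@@ -21,9 +21,9 @@` hunk of qemu-linux-user.spec still fetches the tarball over plain `http://`, and no signature source sits beside it. qemu-testsuite.spec in this same commit does carry one. Since the commit already adds qemu-2.6.1.tar.bz2.sig to the package, I would list it here too, `Source99: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2.sig`, so the tarball's integrity does not rest on an unauthenticated download alone. Whether a keyring or a verification step is declared elsewhere in this spec is not visible from the hunk. The file appears to be generated from qemu-linux-user.spec.in, whose `Source:` line gets the same bump further down, so the addition belongs in that template.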
@@ -65,42 +65,21 @@ Patch0037: 0037-dictzip-Fix-on-big-endian-systems.patch Patch0038: 0038-block-split-large-discard-requests-.patch Patch0039: 0039-xen_disk-Add-suse-specific-flush-di.patch Patch0040: 0040-build-link-with-libatomic-on-powerp.patch -Patch0041: 0041-net-mipsnet-check-packet-length-aga.patch -Patch0042: 0042-i386-kvmvapic-initialise-imm32-vari.patch -Patch0043: 0043-esp-check-command-buffer-length-bef.patch -Patch0044: 0044-esp-check-dma-length-before-reading.patch -Patch0045: 0045-scsi-pvscsi-check-command-descripto.patch -Patch0046: 0046-scsi-mptsas-infinite-loop-while-fet.patch -Patch0047: 0047-vga-add-sr_vbe-register-set.patch -Patch0048: 0048-scsi-megasas-use-appropriate-proper.patch -Patch0049: 0049-scsi-megasas-check-read_queue_head-.patch -Patch0050: 0050-scsi-megasas-null-terminate-bios-ve.patch -Patch0051: 0051-vmsvga-move-fifo-sanity-checks-to-v.patch -Patch0052: 0052-vmsvga-don-t-process-more-than-1024.patch -Patch0053: 0053-block-iscsi-avoid-potential-overflo.patch -Patch0054: 0054-scsi-esp-check-TI-buffer-index-befo.patch -Patch0055: 0055-xen-introduce-dummy-system-device.patch -Patch0056: 0056-xen-write-information-about-support.patch -Patch0057: 0057-xen-add-pvUSB-backend.patch -Patch0058: 0058-xen-move-xen_sysdev-to-xen_backend..patch -Patch0059: 0059-vnc-add-configurable-keyboard-delay.patch -Patch0060: 0060-scsi-megasas-initialise-local-confi.patch -Patch0061: 0061-configure-add-echo_version-helper.patch -Patch0062: 0062-configure-support-vte-2.91.patch -Patch0063: 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch -Patch0064: 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch -Patch0065: 0065-scsi-esp-check-buffer-length-before.patch -Patch0066: 0066-scsi-esp-respect-FIFO-invariant-aft.patch -Patch0067: 0067-pci-assign-Move-Invalid-ROM-error-m.patch -Patch0068: 0068-Xen-PCI-passthrough-fix-passthrough.patch -Patch0069: 0069-scsi-esp-make-cmdbuf-big-enough-for.patch -Patch0070: 0070-scsi-esp-fix-migration.patch -Patch0071: 
0071-virtio-error-out-if-guest-exceeds-v.patch -Patch0072: 0072-xen-when-removing-a-backend-don-t-r.patch -Patch0073: 0073-xen-drain-submit-queue-in-xen-usb-b.patch -Patch0074: 0074-qcow2-avoid-extra-flushes-in-qcow2.patch -Patch0075: 0075-qemu-bridge-helper-reduce-security-.patch -Patch0076: 0076-xen-use-a-common-function-for-pv-an.patch +Patch0041: 0041-xen-introduce-dummy-system-device.patch +Patch0042: 0042-xen-write-information-about-support.patch +Patch0043: 0043-xen-add-pvUSB-backend.patch +Patch0044: 0044-xen-move-xen_sysdev-to-xen_backend..patch +Patch0045: 0045-vnc-add-configurable-keyboard-delay.patch +Patch0046: 0046-configure-add-echo_version-helper.patch +Patch0047: 0047-configure-support-vte-2.91.patch +Patch0048: 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch +Patch0049: 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch +Patch0050: 0050-scsi-esp-fix-migration.patch +Patch0051: 0051-xen-when-removing-a-backend-don-t-r.patch +Patch0052: 0052-xen-drain-submit-queue-in-xen-usb-b.patch +Patch0053: 0053-qcow2-avoid-extra-flushes-in-qcow2.patch +Patch0054: 0054-qemu-bridge-helper-reduce-security-.patch +Patch0055: 0055-xen-use-a-common-function-for-pv-an.patch # Please do not add patches manually here, run update_git.sh. # this is to make lint happy Source300: qemu-rpmlintrc @@ -153,7 +132,7 @@ emulations. This can be used together with the OBS build script to run cross-architecture builds. %prep -%setup -q -n qemu-2.6.0 +%setup -q -n qemu-2.6.1 %patch0001 -p1 %patch0002 -p1 %patch0003 -p1 
@@ -209,27 +188,6 @@ run cross-architecture builds. %patch0053 -p1 %patch0054 -p1 %patch0055 -p1 -%patch0056 -p1 -%patch0057 -p1 -%patch0058 -p1 -%patch0059 -p1 -%patch0060 -p1 -%patch0061 -p1 -%patch0062 -p1 -%patch0063 -p1 -%patch0064 -p1 -%patch0065 -p1 -%patch0066 -p1 -%patch0067 -p1 -%patch0068 -p1 -%patch0069 -p1 -%patch0070 -p1 -%patch0071 -p1 -%patch0072 -p1 -%patch0073 -p1 -%patch0074 -p1 -%patch0075 -p1 -%patch0076 -p1 %build ./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \ diff --git a/qemu-linux-user.spec.in b/qemu-linux-user.spec.in index b8e7af0..1dd178b 100644 --- a/qemu-linux-user.spec.in +++ b/qemu-linux-user.spec.in @@ -23,7 +23,7 @@ License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT Group: System/Emulators/PC QEMU_VERSION Release: 0 -Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2 +Source: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2 # This patch queue is auto-generated from https://github.com/openSUSE/qemu PATCH_FILES # Please do not add patches manually here, run update_git.sh. @@ -78,7 +78,7 @@ emulations. This can be used together with the OBS build script to run cross-architecture builds. %prep -%setup -q -n qemu-2.6.0 +%setup -q -n qemu-2.6.1 PATCH_EXEC %build diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes index 46001cd..4773d6f 100644 --- a/qemu-testsuite.changes +++ b/qemu-testsuite.changes 
@@ -1,3 +1,62 @@ +------------------------------------------------------------------- +Wed Aug 17 20:25:13 UTC 2016 - brogers@suse.com + +- Update to v2.6.1 a stable, bug-fix-only release (fate#316228) +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6 +* Patches dropped (upstreamed): + 0041-net-mipsnet-check-packet-length-aga.patch + 0042-i386-kvmvapic-initialise-imm32-vari.patch + 0043-esp-check-command-buffer-length-bef.patch + 0044-esp-check-dma-length-before-reading.patch + 0045-scsi-pvscsi-check-command-descripto.patch + 0046-scsi-mptsas-infinite-loop-while-fet.patch + 0047-vga-add-sr_vbe-register-set.patch + 0048-scsi-megasas-use-appropriate-proper.patch + 0049-scsi-megasas-check-read_queue_head-.patch + 0050-scsi-megasas-null-terminate-bios-ve.patch + 0051-vmsvga-move-fifo-sanity-checks-to-v.patch + 0052-vmsvga-don-t-process-more-than-1024.patch + 0053-block-iscsi-avoid-potential-overflo.patch + 0054-scsi-esp-check-TI-buffer-index-befo.patch + 0060-scsi-megasas-initialise-local-confi.patch + 0065-scsi-esp-check-buffer-length-before.patch + 0066-scsi-esp-respect-FIFO-invariant-aft.patch + 0067-pci-assign-Move-Invalid-ROM-error-m.patch + 0068-Xen-PCI-passthrough-fix-passthrough.patch + 0069-scsi-esp-make-cmdbuf-big-enough-for.patch + 0071-virtio-error-out-if-guest-exceeds-v.patch +* Patches renamed: + 0055-xen-introduce-dummy-system-device.patch + -> 0041-xen-introduce-dummy-system-device.patch + 0056-xen-write-information-about-support.patch + -> 0042-xen-write-information-about-support.patch + 0057-xen-add-pvUSB-backend.patch + -> 0043-xen-add-pvUSB-backend.patch + 0058-xen-move-xen_sysdev-to-xen_backend..patch + -> 0044-xen-move-xen_sysdev-to-xen_backend..patch + 0059-vnc-add-configurable-keyboard-delay.patch + -> 0045-vnc-add-configurable-keyboard-delay.patch + 0061-configure-add-echo_version-helper.patch + -> 0046-configure-add-echo_version-helper.patch + 0062-configure-support-vte-2.91.patch + -> 
0047-configure-support-vte-2.91.patch + 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch + -> 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch + 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch + -> 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch + 0070-scsi-esp-fix-migration.patch + -> 0050-scsi-esp-fix-migration.patch + 0072-xen-when-removing-a-backend-don-t-r.patch + -> 0051-xen-when-removing-a-backend-don-t-r.patch + 0073-xen-drain-submit-queue-in-xen-usb-b.patch + -> 0052-xen-drain-submit-queue-in-xen-usb-b.patch + 0074-qcow2-avoid-extra-flushes-in-qcow2.patch + -> 0053-qcow2-avoid-extra-flushes-in-qcow2.patch + 0075-qemu-bridge-helper-reduce-security-.patch + -> 0054-qemu-bridge-helper-reduce-security-.patch + 0076-xen-use-a-common-function-for-pv-an.patch + -> 0055-xen-use-a-common-function-for-pv-an.patch + ------------------------------------------------------------------- Wed Aug 3 21:36:14 UTC 2016 - brogers@suse.com diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index c45fb92..7a7cd1d 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec @@ -71,10 +71,10 @@ Url: http://www.qemu.org/ Summary: Universal CPU emulator License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT Group: System/Emulators/PC -Version: 2.6.0 +Version: 2.6.1 Release: 0 -Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2 -Source99: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2.sig +Source: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2 +Source99: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2.sig Source1: 80-kvm.rules Source2: qemu-ifup Source3: kvm_stat 
@@ -127,42 +127,21 @@ Patch0037: 0037-dictzip-Fix-on-big-endian-systems.patch Patch0038: 0038-block-split-large-discard-requests-.patch Patch0039: 0039-xen_disk-Add-suse-specific-flush-di.patch Patch0040: 0040-build-link-with-libatomic-on-powerp.patch -Patch0041: 0041-net-mipsnet-check-packet-length-aga.patch -Patch0042: 0042-i386-kvmvapic-initialise-imm32-vari.patch -Patch0043: 0043-esp-check-command-buffer-length-bef.patch -Patch0044: 0044-esp-check-dma-length-before-reading.patch -Patch0045: 0045-scsi-pvscsi-check-command-descripto.patch -Patch0046: 0046-scsi-mptsas-infinite-loop-while-fet.patch -Patch0047: 0047-vga-add-sr_vbe-register-set.patch -Patch0048: 0048-scsi-megasas-use-appropriate-proper.patch -Patch0049: 0049-scsi-megasas-check-read_queue_head-.patch -Patch0050: 0050-scsi-megasas-null-terminate-bios-ve.patch -Patch0051: 0051-vmsvga-move-fifo-sanity-checks-to-v.patch -Patch0052: 0052-vmsvga-don-t-process-more-than-1024.patch -Patch0053: 0053-block-iscsi-avoid-potential-overflo.patch -Patch0054: 0054-scsi-esp-check-TI-buffer-index-befo.patch -Patch0055: 0055-xen-introduce-dummy-system-device.patch -Patch0056: 0056-xen-write-information-about-support.patch -Patch0057: 0057-xen-add-pvUSB-backend.patch -Patch0058: 0058-xen-move-xen_sysdev-to-xen_backend..patch -Patch0059: 0059-vnc-add-configurable-keyboard-delay.patch -Patch0060: 0060-scsi-megasas-initialise-local-confi.patch -Patch0061: 0061-configure-add-echo_version-helper.patch -Patch0062: 0062-configure-support-vte-2.91.patch -Patch0063: 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch -Patch0064: 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch -Patch0065: 0065-scsi-esp-check-buffer-length-before.patch -Patch0066: 0066-scsi-esp-respect-FIFO-invariant-aft.patch -Patch0067: 0067-pci-assign-Move-Invalid-ROM-error-m.patch -Patch0068: 0068-Xen-PCI-passthrough-fix-passthrough.patch -Patch0069: 0069-scsi-esp-make-cmdbuf-big-enough-for.patch -Patch0070: 0070-scsi-esp-fix-migration.patch -Patch0071: 
0071-virtio-error-out-if-guest-exceeds-v.patch -Patch0072: 0072-xen-when-removing-a-backend-don-t-r.patch -Patch0073: 0073-xen-drain-submit-queue-in-xen-usb-b.patch -Patch0074: 0074-qcow2-avoid-extra-flushes-in-qcow2.patch -Patch0075: 0075-qemu-bridge-helper-reduce-security-.patch -Patch0076: 0076-xen-use-a-common-function-for-pv-an.patch +Patch0041: 0041-xen-introduce-dummy-system-device.patch +Patch0042: 0042-xen-write-information-about-support.patch +Patch0043: 0043-xen-add-pvUSB-backend.patch +Patch0044: 0044-xen-move-xen_sysdev-to-xen_backend..patch +Patch0045: 0045-vnc-add-configurable-keyboard-delay.patch +Patch0046: 0046-configure-add-echo_version-helper.patch +Patch0047: 0047-configure-support-vte-2.91.patch +Patch0048: 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch +Patch0049: 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch +Patch0050: 0050-scsi-esp-fix-migration.patch +Patch0051: 0051-xen-when-removing-a-backend-don-t-r.patch +Patch0052: 0052-xen-drain-submit-queue-in-xen-usb-b.patch +Patch0053: 0053-qcow2-avoid-extra-flushes-in-qcow2.patch +Patch0054: 0054-qemu-bridge-helper-reduce-security-.patch +Patch0055: 0055-xen-use-a-common-function-for-pv-an.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -742,7 +721,7 @@ This package provides a service file for starting and stopping KSM. %endif # !qemu-testsuite %prep -%setup -q -n qemu-2.6.0 +%setup -q -n qemu-2.6.1 %patch0001 -p1 %patch0002 -p1 %patch0003 -p1 
@@ -798,27 +777,6 @@ This package provides a service file for starting and stopping KSM. %patch0053 -p1 %patch0054 -p1 %patch0055 -p1 -%patch0056 -p1 -%patch0057 -p1 -%patch0058 -p1 -%patch0059 -p1 -%patch0060 -p1 -%patch0061 -p1 -%patch0062 -p1 -%patch0063 -p1 -%patch0064 -p1 -%patch0065 -p1 -%patch0066 -p1 -%patch0067 -p1 -%patch0068 -p1 -%patch0069 -p1 -%patch0070 -p1 -%patch0071 -p1 -%patch0072 -p1 -%patch0073 -p1 -%patch0074 -p1 -%patch0075 -p1 -%patch0076 -p1 %if %{build_x86_fw_from_source} pushd roms/seabios diff --git a/qemu.changes b/qemu.changes index 46001cd..4773d6f 100644 --- a/qemu.changes +++ b/qemu.changes 
@@ -1,3 +1,62 @@ +------------------------------------------------------------------- +Wed Aug 17 20:25:13 UTC 2016 - brogers@suse.com + +- Update to v2.6.1 a stable, bug-fix-only release (fate#316228) +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6 +* Patches dropped (upstreamed): + 0041-net-mipsnet-check-packet-length-aga.patch + 0042-i386-kvmvapic-initialise-imm32-vari.patch + 0043-esp-check-command-buffer-length-bef.patch + 0044-esp-check-dma-length-before-reading.patch + 0045-scsi-pvscsi-check-command-descripto.patch + 0046-scsi-mptsas-infinite-loop-while-fet.patch + 0047-vga-add-sr_vbe-register-set.patch + 0048-scsi-megasas-use-appropriate-proper.patch + 0049-scsi-megasas-check-read_queue_head-.patch + 0050-scsi-megasas-null-terminate-bios-ve.patch + 0051-vmsvga-move-fifo-sanity-checks-to-v.patch + 0052-vmsvga-don-t-process-more-than-1024.patch + 0053-block-iscsi-avoid-potential-overflo.patch + 0054-scsi-esp-check-TI-buffer-index-befo.patch + 0060-scsi-megasas-initialise-local-confi.patch + 0065-scsi-esp-check-buffer-length-before.patch + 0066-scsi-esp-respect-FIFO-invariant-aft.patch + 0067-pci-assign-Move-Invalid-ROM-error-m.patch + 0068-Xen-PCI-passthrough-fix-passthrough.patch + 0069-scsi-esp-make-cmdbuf-big-enough-for.patch + 0071-virtio-error-out-if-guest-exceeds-v.patch +* Patches renamed: + 0055-xen-introduce-dummy-system-device.patch + -> 0041-xen-introduce-dummy-system-device.patch + 0056-xen-write-information-about-support.patch + -> 0042-xen-write-information-about-support.patch + 0057-xen-add-pvUSB-backend.patch + -> 0043-xen-add-pvUSB-backend.patch + 0058-xen-move-xen_sysdev-to-xen_backend..patch + -> 0044-xen-move-xen_sysdev-to-xen_backend..patch + 0059-vnc-add-configurable-keyboard-delay.patch + -> 0045-vnc-add-configurable-keyboard-delay.patch + 0061-configure-add-echo_version-helper.patch + -> 0046-configure-add-echo_version-helper.patch + 0062-configure-support-vte-2.91.patch + -> 
0047-configure-support-vte-2.91.patch + 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch + -> 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch + 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch + -> 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch + 0070-scsi-esp-fix-migration.patch + -> 0050-scsi-esp-fix-migration.patch + 0072-xen-when-removing-a-backend-don-t-r.patch + -> 0051-xen-when-removing-a-backend-don-t-r.patch + 0073-xen-drain-submit-queue-in-xen-usb-b.patch + -> 0052-xen-drain-submit-queue-in-xen-usb-b.patch + 0074-qcow2-avoid-extra-flushes-in-qcow2.patch + -> 0053-qcow2-avoid-extra-flushes-in-qcow2.patch + 0075-qemu-bridge-helper-reduce-security-.patch + -> 0054-qemu-bridge-helper-reduce-security-.patch + 0076-xen-use-a-common-function-for-pv-an.patch + -> 0055-xen-use-a-common-function-for-pv-an.patch + ------------------------------------------------------------------- Wed Aug 3 21:36:14 UTC 2016 - brogers@suse.com diff --git a/qemu.spec b/qemu.spec index 8a659c0..75b03a5 100644 --- a/qemu.spec +++ b/qemu.spec @@ -71,10 +71,10 @@ Url: http://www.qemu.org/ Summary: Universal CPU emulator License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT Group: System/Emulators/PC -Version: 2.6.0 +Version: 2.6.1 Release: 0 -Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2 -Source99: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2.sig +Source: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2 +Source99: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2.sig Source1: 80-kvm.rules Source2: qemu-ifup Source3: kvm_stat 
@@ -127,42 +127,21 @@ Patch0037: 0037-dictzip-Fix-on-big-endian-systems.patch Patch0038: 0038-block-split-large-discard-requests-.patch Patch0039: 0039-xen_disk-Add-suse-specific-flush-di.patch Patch0040: 0040-build-link-with-libatomic-on-powerp.patch -Patch0041: 0041-net-mipsnet-check-packet-length-aga.patch -Patch0042: 0042-i386-kvmvapic-initialise-imm32-vari.patch -Patch0043: 0043-esp-check-command-buffer-length-bef.patch -Patch0044: 0044-esp-check-dma-length-before-reading.patch -Patch0045: 0045-scsi-pvscsi-check-command-descripto.patch -Patch0046: 0046-scsi-mptsas-infinite-loop-while-fet.patch -Patch0047: 0047-vga-add-sr_vbe-register-set.patch -Patch0048: 0048-scsi-megasas-use-appropriate-proper.patch -Patch0049: 0049-scsi-megasas-check-read_queue_head-.patch -Patch0050: 0050-scsi-megasas-null-terminate-bios-ve.patch -Patch0051: 0051-vmsvga-move-fifo-sanity-checks-to-v.patch -Patch0052: 0052-vmsvga-don-t-process-more-than-1024.patch -Patch0053: 0053-block-iscsi-avoid-potential-overflo.patch -Patch0054: 0054-scsi-esp-check-TI-buffer-index-befo.patch -Patch0055: 0055-xen-introduce-dummy-system-device.patch -Patch0056: 0056-xen-write-information-about-support.patch -Patch0057: 0057-xen-add-pvUSB-backend.patch -Patch0058: 0058-xen-move-xen_sysdev-to-xen_backend..patch -Patch0059: 0059-vnc-add-configurable-keyboard-delay.patch -Patch0060: 0060-scsi-megasas-initialise-local-confi.patch -Patch0061: 0061-configure-add-echo_version-helper.patch -Patch0062: 0062-configure-support-vte-2.91.patch -Patch0063: 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch -Patch0064: 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch -Patch0065: 0065-scsi-esp-check-buffer-length-before.patch -Patch0066: 0066-scsi-esp-respect-FIFO-invariant-aft.patch -Patch0067: 0067-pci-assign-Move-Invalid-ROM-error-m.patch -Patch0068: 0068-Xen-PCI-passthrough-fix-passthrough.patch -Patch0069: 0069-scsi-esp-make-cmdbuf-big-enough-for.patch -Patch0070: 0070-scsi-esp-fix-migration.patch -Patch0071: 
0071-virtio-error-out-if-guest-exceeds-v.patch -Patch0072: 0072-xen-when-removing-a-backend-don-t-r.patch -Patch0073: 0073-xen-drain-submit-queue-in-xen-usb-b.patch -Patch0074: 0074-qcow2-avoid-extra-flushes-in-qcow2.patch -Patch0075: 0075-qemu-bridge-helper-reduce-security-.patch -Patch0076: 0076-xen-use-a-common-function-for-pv-an.patch +Patch0041: 0041-xen-introduce-dummy-system-device.patch +Patch0042: 0042-xen-write-information-about-support.patch +Patch0043: 0043-xen-add-pvUSB-backend.patch +Patch0044: 0044-xen-move-xen_sysdev-to-xen_backend..patch +Patch0045: 0045-vnc-add-configurable-keyboard-delay.patch +Patch0046: 0046-configure-add-echo_version-helper.patch +Patch0047: 0047-configure-support-vte-2.91.patch +Patch0048: 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch +Patch0049: 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch +Patch0050: 0050-scsi-esp-fix-migration.patch +Patch0051: 0051-xen-when-removing-a-backend-don-t-r.patch +Patch0052: 0052-xen-drain-submit-queue-in-xen-usb-b.patch +Patch0053: 0053-qcow2-avoid-extra-flushes-in-qcow2.patch +Patch0054: 0054-qemu-bridge-helper-reduce-security-.patch +Patch0055: 0055-xen-use-a-common-function-for-pv-an.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -742,7 +721,7 @@ This package provides a service file for starting and stopping KSM. %endif # !qemu-testsuite %prep -%setup -q -n qemu-2.6.0 +%setup -q -n qemu-2.6.1 %patch0001 -p1 %patch0002 -p1 %patch0003 -p1 
@@ -798,27 +777,6 @@ This package provides a service file for starting and stopping KSM. %patch0053 -p1 %patch0054 -p1 %patch0055 -p1 -%patch0056 -p1 -%patch0057 -p1 -%patch0058 -p1 -%patch0059 -p1 -%patch0060 -p1 -%patch0061 -p1 -%patch0062 -p1 -%patch0063 -p1 -%patch0064 -p1 -%patch0065 -p1 -%patch0066 -p1 -%patch0067 -p1 -%patch0068 -p1 -%patch0069 -p1 -%patch0070 -p1 -%patch0071 -p1 -%patch0072 -p1 -%patch0073 -p1 -%patch0074 -p1 -%patch0075 -p1 -%patch0076 -p1 %if %{build_x86_fw_from_source} pushd roms/seabios diff --git a/qemu.spec.in b/qemu.spec.in index ecbc544..fcbd2da 100644 --- a/qemu.spec.in +++ b/qemu.spec.in @@ -73,8 +73,8 @@ License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT Group: System/Emulators/PC QEMU_VERSION Release: 0 -Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2 -Source99: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2.sig +Source: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2 +Source99: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2.sig Source1: 80-kvm.rules Source2: qemu-ifup Source3: kvm_stat @@ -667,7 +667,7 @@ This package provides a service file for starting and stopping KSM. %endif # !qemu-testsuite %prep -%setup -q -n qemu-2.6.0 +%setup -q -n qemu-2.6.1 PATCH_EXEC %if %{build_x86_fw_from_source} diff --git a/update_git.sh b/update_git.sh index 9fabc00..ee2b49b 100644 --- a/update_git.sh +++ b/update_git.sh @@ -14,7 +14,7 @@ set -e GIT_TREE=git://github.com/openSUSE/qemu.git GIT_LOCAL_TREE=~/git/qemu-opensuse GIT_BRANCH=opensuse-2.6 -GIT_UPSTREAM_TAG=v2.6.0 +GIT_UPSTREAM_TAG=v2.6.1 GIT_DIR=/dev/shm/qemu-factory-git-dir CMP_DIR=/dev/shm/qemu-factory-cmp-dir