From 0e620dde42d6d645745a3a58695e874d54214eaf6b6b3bd94ba3bc39a27deb4f Mon Sep 17 00:00:00 2001 
From: Bruce Rogers
Date: Thu, 4 Aug 2016 13:09:24 +0000
Subject: [PATCH] Accepting request 416912 from home:bfrogers:branches:Virtualization Synch with IBS qemu: includes xen patches, security patches, some spec file cleanup, and finally getting qemu-bridge-helper working right. Also temporarily disable librbd dependency in OBS until staging impact concerns get resolved.
OBS-URL: https://build.opensuse.org/request/show/416912
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=309
---
 ...-usb-Fix-conditions-that-xen-usb.c-i.patch | 28 ---
 ...-xen-move-xen_sysdev-to-xen_backend..patch | 161 ++++++++++++++
 ...-vnc-add-configurable-keyboard-delay.patch | 2 +-
 ...-scsi-megasas-initialise-local-confi.patch | 2 +-
 0061-configure-add-echo_version-helper.patch | 2 +-
 0062-configure-support-vte-2.91.patch | 2 +-
 ...-hw-arm-virt-mark-the-PCIe-host-cont.patch | 2 +-
 ...-xen-SUSE-xenlinux-unplug-for-emulat.patch | 47 ++++
 ...-scsi-esp-check-buffer-length-before.patch | 36 +++
 ...-scsi-esp-respect-FIFO-invariant-aft.patch | 29 +++
 ...-pci-assign-Move-Invalid-ROM-error-m.patch | 52 +++++
 ...-Xen-PCI-passthrough-fix-passthrough.patch | 29 +++
 ...-scsi-esp-make-cmdbuf-big-enough-for.patch | 73 ++++++
 0070-scsi-esp-fix-migration.patch | 58 +++++
 ...-virtio-error-out-if-guest-exceeds-v.patch | 65 ++++++
 ...-xen-when-removing-a-backend-don-t-r.patch | 103 +++++++++
 ...-xen-drain-submit-queue-in-xen-usb-b.patch | 210 ++++++++++++++++++
 0074-qcow2-avoid-extra-flushes-in-qcow2.patch | 104 +++++++++
 ...-qemu-bridge-helper-reduce-security-.patch | 83 +++++++
 ...-xen-use-a-common-function-for-pv-an.patch | 95 ++++++++
 qemu-linux-user.changes | 28 +++
 qemu-linux-user.spec | 28 ++-
 qemu-testsuite.changes | 51 +++++
 qemu-testsuite.spec | 44 +++-
 qemu.changes | 51 +++++
 qemu.spec | 44 +++-
 qemu.spec.in | 16 +-
 27 files changed, 1388 insertions(+), 57 deletions(-)
 delete mode 100644 0058-usb-Fix-conditions-that-xen-usb.c-i.patch
 create mode 100644 0058-xen-move-xen_sysdev-to-xen_backend..patch
 create mode 100644 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
 create mode 100644 0065-scsi-esp-check-buffer-length-before.patch
 create mode 100644 0066-scsi-esp-respect-FIFO-invariant-aft.patch
 create mode 100644 0067-pci-assign-Move-Invalid-ROM-error-m.patch
 create mode 100644 0068-Xen-PCI-passthrough-fix-passthrough.patch
 create mode 100644 0069-scsi-esp-make-cmdbuf-big-enough-for.patch
 create mode 100644 0070-scsi-esp-fix-migration.patch
 create mode 100644 0071-virtio-error-out-if-guest-exceeds-v.patch
 create mode 100644 0072-xen-when-removing-a-backend-don-t-r.patch
 create mode 100644 0073-xen-drain-submit-queue-in-xen-usb-b.patch
 create mode 100644 0074-qcow2-avoid-extra-flushes-in-qcow2.patch
 create mode 100644 0075-qemu-bridge-helper-reduce-security-.patch
 create mode 100644 0076-xen-use-a-common-function-for-pv-an.patch
diff --git a/0058-usb-Fix-conditions-that-xen-usb.c-i.patch b/0058-usb-Fix-conditions-that-xen-usb.c-i.patch
deleted file mode 100644
index dadbc3ad..00000000
--- a/0058-usb-Fix-conditions-that-xen-usb.c-i.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 49ca2dd08ac9edce6d828328069d1092f3a63b50 Mon Sep 17 00:00:00 2001
-From: Bruce Rogers
-Date: Fri, 10 Jun 2016 07:12:15 -0600
-Subject: [PATCH] usb: Fix conditions that xen-usb.c is used
-
-When non-x86 arch targets are built on x86 we have a mismatched
-between what is built in support of xen. xen-usb.c is conditioned
-upon CONFIG_USB_LIBUSB and CONFIG_XEN_BACKEND, but it relies on
-an external reference that is instead controlled by CONFIG_XEN.
-Add a dependency on CONFIG_XEN as well.
-[BR: FATE#316612]
-Signed-off-by: Bruce Rogers
----
- hw/usb/Makefile.objs | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/usb/Makefile.objs b/hw/usb/Makefile.objs
-index 98b5c9d..2db2fa1 100644
---- a/hw/usb/Makefile.objs
-+++ b/hw/usb/Makefile.objs
-@@ -39,6 +39,6 @@ common-obj-$(CONFIG_USB_REDIR) += redirect.o quirks.o
- # usb pass-through
- common-obj-y += $(patsubst %,host-%.o,$(HOST_USB))
-
--ifeq ($(CONFIG_USB_LIBUSB),y)
-+ifeq ($(CONFIG_XEN)$(CONFIG_USB_LIBUSB),yy)
- common-obj-$(CONFIG_XEN_BACKEND) += xen-usb.o
- endif
diff --git a/0058-xen-move-xen_sysdev-to-xen_backend..patch b/0058-xen-move-xen_sysdev-to-xen_backend..patch
new file mode 100644
index 00000000..0afe8241
--- /dev/null
+++ b/0058-xen-move-xen_sysdev-to-xen_backend..patch
@@ -0,0 +1,161 @@
+From ee2225e5f531d965aed352bf99ba339969216144 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Mon, 13 Jun 2016 11:12:21 +0200
+Subject: [PATCH] xen: move xen_sysdev to xen_backend.c
+
+Commit 9432e53a5bc88681b2d3aec4dac9db07c5476d1b added xen_sysdev as a
+system device to serve as an anchor for removable virtual buses. This
+introduced a build failure for non-x86 builds with CONFIG_XEN_BACKEND
+set, as xen_sysdev was defined in a x86 specific file while being
+consumed in an architecture independent source.
+
+Move the xen_sysdev definition and initialization to xen_backend.c to
+avoid the build failure.
+
+Signed-off-by: Juergen Gross
+Reviewed-by: Anthony PERARD
+Acked-by: Stefano Stabellini
+Signed-off-by: Stefano Stabellini
+---
+ hw/xen/xen_backend.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ hw/xenpv/xen_machine_pv.c | 40 ----------------------------------------
+ 2 files changed, 41 insertions(+), 40 deletions(-)
+
+diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c
+index c63f9df..6e52474 100644
+--- a/hw/xen/xen_backend.c
++++ b/hw/xen/xen_backend.c
+@@ -27,12 +27,17 @@
+ #include
+
+ #include "hw/hw.h"
++#include "hw/sysbus.h"
+ #include "sysemu/char.h"
+ #include "qemu/log.h"
+ #include "hw/xen/xen_backend.h"
+
+ #include
+
++#define TYPE_XENSYSDEV "xensysdev"
++
++DeviceState *xen_sysdev;
++
+ /* ------------------------------------------------------------- */
+
+ /* public */
+@@ -763,6 +768,10 @@ int xen_be_init(void)
+ /* Check if xen_init() have been called */
+ goto err;
+ }
++
++ xen_sysdev = qdev_create(NULL, TYPE_XENSYSDEV);
++ qdev_init_nofail(xen_sysdev);
++
+ return 0;
+
+ err:
+@@ -863,3 +872,35 @@ void xen_be_printf(struct XenDevice *xendev, int msg_level, const char *fmt, ...
+ }
+ qemu_log_flush();
+ }
++
++static int xen_sysdev_init(SysBusDevice *dev)
++{
++ return 0;
++}
++
++static Property xen_sysdev_properties[] = {
++ {/* end of property list */},
++};
++
++static void xen_sysdev_class_init(ObjectClass *klass, void *data)
++{
++ DeviceClass *dc = DEVICE_CLASS(klass);
++ SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
++
++ k->init = xen_sysdev_init;
++ dc->props = xen_sysdev_properties;
++}
++
++static const TypeInfo xensysdev_info = {
++ .name = TYPE_XENSYSDEV,
++ .parent = TYPE_SYS_BUS_DEVICE,
++ .instance_size = sizeof(SysBusDevice),
++ .class_init = xen_sysdev_class_init,
++};
++
++static void xenbe_register_types(void)
++{
++ type_register_static(&xensysdev_info);
++}
++
++type_init(xenbe_register_types);
+diff --git a/hw/xenpv/xen_machine_pv.c b/hw/xenpv/xen_machine_pv.c
+index f68cf48..48f725c 100644
+--- a/hw/xenpv/xen_machine_pv.c
++++ b/hw/xenpv/xen_machine_pv.c
+@@ -25,15 +25,10 @@
+ #include "qemu/osdep.h"
+ #include "hw/hw.h"
+ #include "hw/boards.h"
+-#include "hw/sysbus.h"
+ #include "hw/xen/xen_backend.h"
+ #include "xen_domainbuild.h"
+ #include "sysemu/block-backend.h"
+
+-#define TYPE_XENSYSDEV "xensysdev"
+-
+-DeviceState *xen_sysdev;
+-
+ static void xen_init_pv(MachineState *machine)
+ {
+ DriveInfo *dinfo;
+@@ -72,9 +67,6 @@ static void xen_init_pv(MachineState *machine)
+ break;
+ }
+
+- xen_sysdev = qdev_create(NULL, TYPE_XENSYSDEV);
+- qdev_init_nofail(xen_sysdev);
+-
+ xen_be_register("console", &xen_console_ops);
+ xen_be_register("vkbd", &xen_kbdmouse_ops);
+ xen_be_register("vfb", &xen_framebuffer_ops);
+@@ -112,38 +104,6 @@ static void xen_init_pv(MachineState *machine)
+ xen_init_display(xen_domid);
+ }
+
+-static int xen_sysdev_init(SysBusDevice *dev)
+-{
+- return 0;
+-}
+-
+-static Property xen_sysdev_properties[] = {
+- {/* end of property list */},
+-};
+-
+-static void xen_sysdev_class_init(ObjectClass *klass, void *data)
+-{
+- DeviceClass *dc = DEVICE_CLASS(klass);
+- SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+-
+- k->init = xen_sysdev_init;
+- dc->props = xen_sysdev_properties;
+-}
+-
+-static const TypeInfo xensysdev_info = {
+- .name = TYPE_XENSYSDEV,
+- .parent = TYPE_SYS_BUS_DEVICE,
+- .instance_size = sizeof(SysBusDevice),
+- .class_init = xen_sysdev_class_init,
+-};
+-
+-static void xenpv_register_types(void)
+-{
+- type_register_static(&xensysdev_info);
+-}
+-
+-type_init(xenpv_register_types);
+-
+ static void xenpv_machine_init(MachineClass *mc)
+ {
+ mc->desc = "Xen Para-virtualized PC";
diff --git a/0059-vnc-add-configurable-keyboard-delay.patch b/0059-vnc-add-configurable-keyboard-delay.patch
index bfc09544..b236839d 100644
--- a/0059-vnc-add-configurable-keyboard-delay.patch
+++ b/0059-vnc-add-configurable-keyboard-delay.patch
@@ -1,4 +1,4 @@
-From 5af645d652290cf562a2f05fa8318d75ae6f04e3 Mon Sep 17 00:00:00 2001
+From 6a788961dd16f558d78ab7313f0b297409f37af7 Mon Sep 17 00:00:00 2001
 From: Gerd Hoffmann
 Date: Wed, 1 Jun 2016 08:22:30 +0200
 Subject: [PATCH] vnc: add configurable keyboard delay
diff --git a/0060-scsi-megasas-initialise-local-confi.patch b/0060-scsi-megasas-initialise-local-confi.patch
index c262bc0a..33436c70 100644
--- a/0060-scsi-megasas-initialise-local-confi.patch
+++ b/0060-scsi-megasas-initialise-local-confi.patch
@@ -1,4 +1,4 @@
-From 1702291e859964a4f5b448e1fe19ee5947555adc Mon Sep 17 00:00:00 2001
+From 702d446c9378b6d8415599780cf9f8bfb4c7cb9a Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit
 Date: Wed, 25 May 2016 17:41:44 +0530
 Subject: [PATCH] scsi: megasas: initialise local configuration data buffer
diff --git a/0061-configure-add-echo_version-helper.patch b/0061-configure-add-echo_version-helper.patch
index d568597d..5e8f634a 100644
--- a/0061-configure-add-echo_version-helper.patch
+++ b/0061-configure-add-echo_version-helper.patch
@@ -1,4 +1,4 @@
-From 79607d09f8670a92feb8e63455f6be59842f985a Mon Sep 17 00:00:00 2001
+From 83775fe297c7cc8dae0d46c22accc2d7eb78c4a0 Mon Sep 17 00:00:00 2001
 From: Cole Robinson
 Date: Fri, 6 May 2016 14:03:09 -0400
 Subject: [PATCH] configure: add echo_version helper
diff --git a/0062-configure-support-vte-2.91.patch b/0062-configure-support-vte-2.91.patch
index a39dfe51..49b46356 100644
--- a/0062-configure-support-vte-2.91.patch
+++ b/0062-configure-support-vte-2.91.patch
@@ -1,4 +1,4 @@
-From 8c4afe82d5eb1cfd33d64fa9b1a3f7fd92bc02f3 Mon Sep 17 00:00:00 2001
+From b673055ec7e4eda0454aacc2d042bd53405f85e6 Mon Sep 17 00:00:00 2001
 From: Cole Robinson
 Date: Fri, 6 May 2016 14:03:12 -0400
 Subject: [PATCH] configure: support vte-2.91
diff --git a/0063-hw-arm-virt-mark-the-PCIe-host-cont.patch b/0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
index 93ef719a..fba9cd7c 100644
--- a/0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
+++ b/0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
@@ -1,4 +1,4 @@
-From b38222880dde75c9e489f86af0b12a9e9a63b412 Mon Sep 17 00:00:00 2001
+From ced63da3c840792292a6ee8201c3f7789b80b7eb Mon Sep 17 00:00:00 2001
 From: Ard Biesheuvel
 Date: Mon, 4 Jul 2016 13:06:36 +0100
 Subject: [PATCH] hw/arm/virt: mark the PCIe host controller as DMA coherent in
diff --git a/0064-xen-SUSE-xenlinux-unplug-for-emulat.patch b/0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
new file mode 100644
index 00000000..96c8e79d
--- /dev/null
+++ b/0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
@@ -0,0 +1,47 @@
+From 1caba48fc19de7cdceda7577ccf6970d4eb7ed75 Mon Sep 17 00:00:00 2001
+From: Olaf Hering
+Date: Tue, 21 Jun 2016 18:42:45 +0200
+Subject: [PATCH] xen: SUSE xenlinux unplug for emulated PCI
+
+Implement SUSE specific unplug protocol for emulated PCI devices
+in PVonHVM guests
+(bsc#953339, bsc#953362, bsc#953518, bsc#984981)
+
+Signed-off-by: Olaf Hering
+---
+ hw/i386/xen/xen_platform.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/hw/i386/xen/xen_platform.c b/hw/i386/xen/xen_platform.c
+index aa78393..48800c1 100644
+--- a/hw/i386/xen/xen_platform.c
++++ b/hw/i386/xen/xen_platform.c
+@@ -314,6 +314,28 @@ static void xen_platform_ioport_writeb(void *opaque, hwaddr addr,
+ case 0: /* Platform flags */
+ platform_fixed_ioport_writeb(opaque, 0, (uint32_t)val);
+ break;
++ case 4:
++ if (val == 1 && size == 1) {
++ /*
++ * SUSE unplug for Xenlinux
++ * xen-kmp used this since xen-3.0.4, instead the official protocol from xen-3.3+
++ * It did an unconditional "outl(1, (ioaddr + 4));"
++ * This approach was used until openSUSE 12.3, up to SLE11SP3 and in SLE10.
++ * Starting with openSUSE 13.1, SLE11SP4 and SLE12 the official protocol is used.
++ * pre VMDP 1.7 made use of 4 and 8 depending on how vmdp was configured.
++ * If VMDP was to control both disk and LAN it would use 4.
++ * If it controlled just disk or just LAN, it would use 8 below.
++ */
++ PCIDevice *pci_dev = PCI_DEVICE(s);
++ DPRINTF("unplug disks\n");
++ blk_drain_all();
++ blk_flush_all();
++ pci_unplug_disks(pci_dev->bus);
++ DPRINTF("unplug nics\n");
++ pci_unplug_nics(pci_dev->bus);
++ DPRINTF("done\n");
++ }
++ break;
+ case 8:
+ log_writeb(s, (uint32_t)val);
+ break;
diff --git a/0065-scsi-esp-check-buffer-length-before.patch b/0065-scsi-esp-check-buffer-length-before.patch
new file mode 100644
index 00000000..4c9e6f96
--- /dev/null
+++ b/0065-scsi-esp-check-buffer-length-before.patch
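Review bot: The new `case 4` guard tests `size == 1`, while the comment directly under it says the legacy guest issued `outl(1, (ioaddr + 4))`, which is a 4-byte write. The comment should say how that access reaches this handler as a single-byte write (presumably through the region's access-size settings, which are not visible in this hunk), or the size test should match what the guest actually sends. A guest write of 1 to this port detaches every emulated disk and NIC on the bus without consulting any earlier unplug state, so the comment should also record that this unconditional behaviour is the intended legacy protocol. The enclosing function starts and ends outside the hunk.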
@@ -0,0 +1,36 @@
+From 440a840f30f2439aece31ae59a5ee91675a78bb1 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Tue, 31 May 2016 23:23:27 +0530
+Subject: [PATCH] scsi: esp: check buffer length before reading scsi command
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer.
+Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
+command into a buffer. Add check to validate command length against
+buffer size to avoid any overrun.
+
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
+[BR: CVE-2016-5238 BSC#982959]
+Signed-off-by: Bruce Rogers
+---
+ hw/scsi/esp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 3adb685..4b94bbc 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
+ s->dma_memory_read(s->dma_opaque, buf, dmalen);
+ } else {
+ dmalen = s->ti_size;
++ if (dmalen > TI_BUFSZ) {
++ return 0;
++ }
+ memcpy(buf, s->ti_buf, dmalen);
+ buf[0] = buf[2] >> 5;
+ }
diff --git a/0066-scsi-esp-respect-FIFO-invariant-aft.patch b/0066-scsi-esp-respect-FIFO-invariant-aft.patch
new file mode 100644
index 00000000..d332906d
--- /dev/null
+++ b/0066-scsi-esp-respect-FIFO-invariant-aft.patch
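Review bot: The guard added to the non-DMA branch of get_cmd() compares `dmalen` with `TI_BUFSZ`, the size of the source `s->ti_buf`, but the `memcpy(buf, s->ti_buf, dmalen)` that follows writes into the caller's `buf`, whose size arrives as `buflen` and is not consulted here. That is safe only while every caller passes at least TI_BUFSZ bytes; bounding by both keeps the function correct on its own terms: `if (dmalen > TI_BUFSZ || dmalen > buflen) { return 0; }`. The DMA branch just above (`s->dma_memory_read(s->dma_opaque, buf, dmalen)`) needs the same `buflen` bound unless it is already applied in the lines before the hunk. The function body starts and ends outside the hunk.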
@@ -0,0 +1,29 @@
+From 9b2c1b6e771f01757b93cc92625ef48903786291 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Tue, 14 Jun 2016 15:10:24 +0200
+Subject: [PATCH] scsi: esp: respect FIFO invariant after message phase
+
+The FIFO contains two bytes; hence the write ptr should be two bytes ahead
+of the read pointer.
+
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e)
+[BR: CVE-2016-5238 BSC#982959]
+Signed-off-by: Bruce Rogers
+---
+ hw/scsi/esp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 4b94bbc..3f08598 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -222,7 +222,7 @@ static void write_response(ESPState *s)
+ } else {
+ s->ti_size = 2;
+ s->ti_rptr = 0;
+- s->ti_wptr = 0;
++ s->ti_wptr = 2;
+ s->rregs[ESP_RFLAGS] = 2;
+ }
+ esp_raise_irq(s);
diff --git a/0067-pci-assign-Move-Invalid-ROM-error-m.patch b/0067-pci-assign-Move-Invalid-ROM-error-m.patch
new file mode 100644
index 00000000..c3106969
--- /dev/null
+++ b/0067-pci-assign-Move-Invalid-ROM-error-m.patch
@@ -0,0 +1,52 @@
+From f4fe76597dccb9017be71983c4204f21877fc69f Mon Sep 17 00:00:00 2001
+From: Lin Ma
+Date: Thu, 16 Jun 2016 01:05:27 +0800
+Subject: [PATCH] pci-assign: Move "Invalid ROM" error message to
+ pci-assign-load-rom.c
+
+In function pci_assign_dev_load_option_rom, For those pci devices don't
+have 'rom' file under sysfs or if loading ROM from external file, The
+function returns NULL, and won't set the passed 'size' variable.
+
+In these 2 cases, qemu still reports "Invalid ROM" error message, Users
+may be confused by it.
+
+Signed-off-by: Lin Ma
+Message-Id: <1466010327-22368-1-git-send-email-lma@suse.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit be968c721ee9df49708691ab58f0e66b394dea82)
+[BR: BSC#982927]
+Signed-off-by: Bruce Rogers
+---
+ hw/i386/kvm/pci-assign.c | 4 ----
+ hw/i386/pci-assign-load-rom.c | 3 +++
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
+index bf425a2..8abce52 100644
+--- a/hw/i386/kvm/pci-assign.c
++++ b/hw/i386/kvm/pci-assign.c
+@@ -1891,8 +1891,4 @@ static void assigned_dev_load_option_rom(AssignedDevice *dev)
+ pci_assign_dev_load_option_rom(&dev->dev, OBJECT(dev), &size,
+ dev->host.domain, dev->host.bus,
+ dev->host.slot, dev->host.function);
+-
+- if (!size) {
+- error_report("pci-assign: Invalid ROM.");
+- }
+ }
+diff --git a/hw/i386/pci-assign-load-rom.c b/hw/i386/pci-assign-load-rom.c
+index 4bbb08c..0d8e4b2 100644
+--- a/hw/i386/pci-assign-load-rom.c
++++ b/hw/i386/pci-assign-load-rom.c
+@@ -40,6 +40,9 @@ void *pci_assign_dev_load_option_rom(PCIDevice *dev, struct Object *owner,
+ domain, bus, slot, function);
+
+ if (stat(rom_file, &st)) {
++ if (errno != ENOENT) {
++ error_report("pci-assign: Invalid ROM.");
++ }
+ return NULL;
+ }
+
diff --git a/0068-Xen-PCI-passthrough-fix-passthrough.patch b/0068-Xen-PCI-passthrough-fix-passthrough.patch
new file mode 100644
index 00000000..d34f2c81
--- /dev/null
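Review bot: In pci_assign_dev_load_option_rom() the new `errno != ENOENT` branch reports every other stat() failure as "Invalid ROM", which hides the real cause (a permission or I/O error on the sysfs file, for example) from whoever reads the log. Including the path and the error makes the failure diagnosable: `error_report("pci-assign: cannot stat %s: %s", rom_file, strerror(errno));`. With the `if (!size)` check removed from assigned_dev_load_option_rom(), it is also worth confirming that the loader's remaining failure paths, which are outside this hunk, each report an error, since the caller no longer does.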
+++ b/0068-Xen-PCI-passthrough-fix-passthrough.patch
@@ -0,0 +1,29 @@
+From a4b6bbf1139ebc70375c48afe99fccdd9dcaa501 Mon Sep 17 00:00:00 2001
+From: Bruce Rogers
+Date: Tue, 26 Jul 2016 16:42:45 -0600
+Subject: [PATCH] Xen PCI passthrough: fix passthrough failure when no
+ interrupt pin
+
+Commit 5a11d0f7 mistakenly converted a log message into an error
+condition when no pin interrupt is found for the pci device being
+passed through. Revert that part of the commit.
+
+[BR: BSC#981925, BSC#989250]
+Signed-off-by: Bruce Rogers
+---
+ hw/xen/xen_pt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c
+index f593b04..b6d71bb 100644
+--- a/hw/xen/xen_pt.c
++++ b/hw/xen/xen_pt.c
+@@ -842,7 +842,7 @@ static void xen_pt_realize(PCIDevice *d, Error **errp)
+ goto err_out;
+ }
+ if (!scratch) {
+- error_setg(errp, "no pin interrupt");
++ XEN_PT_LOG(d, "no pin interrupt\n");
+ goto out;
+ }
+
diff --git a/0069-scsi-esp-make-cmdbuf-big-enough-for.patch b/0069-scsi-esp-make-cmdbuf-big-enough-for.patch
new file mode 100644
index 00000000..9e14a1d7
--- /dev/null
+++ b/0069-scsi-esp-make-cmdbuf-big-enough-for.patch
@@ -0,0 +1,73 @@
+From 20a82db8677dfb40288953ba296c372b66146f4d Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 16 Jun 2016 00:22:35 +0200
+Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
+
+While doing DMA read into ESP command buffer 's->cmdbuf', it could
+write past the 's->cmdbuf' area, if it was transferring more than 16
+bytes. Increase the command buffer size to 32, which is maximum when
+'s->do_cmd' is set, and add a check on 'len' to avoid OOB access.
+
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11)
+[BR: CVE-2016-6351 BSC#990835]
+Signed-off-by: Bruce Rogers
+---
+ hw/scsi/esp.c | 6 ++++--
+ include/hw/scsi/esp.h | 3 ++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 3f08598..9e318fd 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -249,6 +249,8 @@ static void esp_do_dma(ESPState *s)
+ len = s->dma_left;
+ if (s->do_cmd) {
+ trace_esp_do_dma(s->cmdlen, len);
++ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
++ len <= sizeof(s->cmdbuf) - s->cmdlen);
+ s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+ s->ti_size = 0;
+ s->cmdlen = 0;
+@@ -348,7 +350,7 @@ static void handle_ti(ESPState *s)
+ s->dma_counter = dmalen;
+
+ if (s->do_cmd)
+- minlen = (dmalen < 32) ? dmalen : 32;
++ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
+ else if (s->ti_size < 0)
+ minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
+ else
+@@ -452,7 +454,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
+ break;
+ case ESP_FIFO:
+ if (s->do_cmd) {
+- if (s->cmdlen < TI_BUFSZ) {
++ if (s->cmdlen < ESP_CMDBUF_SZ) {
+ s->cmdbuf[s->cmdlen++] = val & 0xff;
+ } else {
+ trace_esp_error_fifo_overrun();
+diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
+index 6c79527..d2c4886 100644
+--- a/include/hw/scsi/esp.h
++++ b/include/hw/scsi/esp.h
+@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
+
+ #define ESP_REGS 16
+ #define TI_BUFSZ 16
++#define ESP_CMDBUF_SZ 32
+
+ typedef struct ESPState ESPState;
+
+@@ -31,7 +32,7 @@ struct ESPState {
+ SCSIBus bus;
+ SCSIDevice *current_dev;
+ SCSIRequest *current_req;
+- uint8_t cmdbuf[TI_BUFSZ];
++ uint8_t cmdbuf[ESP_CMDBUF_SZ];
+ uint32_t cmdlen;
+ uint32_t do_cmd;
+
diff --git a/0070-scsi-esp-fix-migration.patch b/0070-scsi-esp-fix-migration.patch
new file mode 100644
index 00000000..b415c190
--- /dev/null
+++ b/0070-scsi-esp-fix-migration.patch
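Review bot: The bounds check added to esp_do_dma() is an `assert`, and both operands are guest-influenced (`len` comes from `s->dma_left`, `s->cmdlen` grows on guest FIFO writes in esp_reg_write()), so a guest that trips it aborts the whole QEMU process, and in a build with NDEBUG the check vanishes and the DMA read into `s->cmdbuf` is unbounded again. A runtime check that rejects the transfer is safer, e.g. `if (s->cmdlen > sizeof(s->cmdbuf) || len > sizeof(s->cmdbuf) - s->cmdlen) { trace_esp_error_fifo_overrun(); return; }`. Whether an early return leaves the controller state consistent has to be checked against the rest of the function, which lies outside the hunk.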
@@ -0,0 +1,58 @@
+From a4c62237f33857750850ef30066a5ae5d4d1194e Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Mon, 20 Jun 2016 16:32:39 +0200
+Subject: [PATCH] scsi: esp: fix migration
+
+Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size",
+2016-06-16) changed the size of a migrated field. Split it in two
+parts, and only migrate the second part in a new vmstate version.
+
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit cc96677469388bad3d66479379735cf75db069e3)
+[BR: CVE-2016-6351 BSC#990835]
+Signed-off-by: Bruce Rogers
+---
+ hw/scsi/esp.c | 5 +++--
+ include/migration/vmstate.h | 5 ++++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 9e318fd..25c547c 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -577,7 +577,7 @@ static bool esp_mem_accepts(void *opaque, hwaddr addr,
+
+ const VMStateDescription vmstate_esp = {
+ .name ="esp",
+- .version_id = 3,
++ .version_id = 4,
+ .minimum_version_id = 3,
+ .fields = (VMStateField[]) {
+ VMSTATE_BUFFER(rregs, ESPState),
+@@ -588,7 +588,8 @@ const VMStateDescription vmstate_esp = {
+ VMSTATE_BUFFER(ti_buf, ESPState),
+ VMSTATE_UINT32(status, ESPState),
+ VMSTATE_UINT32(dma, ESPState),
+- VMSTATE_BUFFER(cmdbuf, ESPState),
++ VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16),
++ VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4),
+ VMSTATE_UINT32(cmdlen, ESPState),
+ VMSTATE_UINT32(do_cmd, ESPState),
+ VMSTATE_UINT32(dma_left, ESPState),
+diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
+index 84ee355..853a2bd 100644
+--- a/include/migration/vmstate.h
++++ b/include/migration/vmstate.h
+@@ -888,8 +888,11 @@ extern const VMStateInfo vmstate_info_bitmap;
+ #define VMSTATE_PARTIAL_BUFFER(_f, _s, _size) \
+ VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size)
+
++#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \
++ VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f)))
++
+ #define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \
+- VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f)))
++ VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0)
+
+ #define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size) \
+ VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size)
diff --git a/0071-virtio-error-out-if-guest-exceeds-v.patch b/0071-virtio-error-out-if-guest-exceeds-v.patch
new file mode 100644
index 00000000..af24e048
--- /dev/null
+++ b/0071-virtio-error-out-if-guest-exceeds-v.patch
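Review bot: The literal `16` passed to `VMSTATE_PARTIAL_BUFFER` and `VMSTATE_BUFFER_START_MIDDLE_V` in vmstate_esp is the size cmdbuf had in version 3 of the stream, and nothing in the code says so. A comment such as `/* first 16 bytes: cmdbuf as sent by version 3; remainder added in version 4 */` would keep a later reader from replacing it with a constant that may change. Separately, `cmdlen` is still loaded as a plain `VMSTATE_UINT32` with no range check visible here; because it indexes `cmdbuf`, a post-load check that it does not exceed `sizeof(cmdbuf)` would stop a corrupt or untrusted migration stream from setting up an out-of-bounds access. The vmstate_esp initializer continues outside the hunk.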
@@ -0,0 +1,65 @@
+From d9c626e4ede58130f64f24f4f9ca1140e4102a70 Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi
+Date: Tue, 19 Jul 2016 13:07:13 +0100
+Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
+
+A broken or malicious guest can submit more requests than the virtqueue
+size permits, causing unbounded memory allocation in QEMU.
+
+The guest can submit requests without bothering to wait for completion
+and is therefore not bound by virtqueue size. This requires reusing
+vring descriptors in more than one request, which is not allowed by the
+VIRTIO 1.0 specification.
+
+In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
+says:
+
+ 1. The driver places the buffer into free descriptor(s) in the
+ descriptor table, chaining as necessary
+
+and
+
+ Note that the above code does not take precautions against the
+ available ring buffer wrapping around: this is not possible since the
+ ring buffer is the same size as the descriptor table, so step (1) will
+ prevent such a condition.
+
+This implies that placing more buffers into the virtqueue than the
+descriptor table size is not allowed.
+
+QEMU is missing the check to prevent this case. Processing a request
+allocates a VirtQueueElement leading to unbounded memory allocation
+controlled by the guest.
+
+Exit with an error if the guest provides more requests than the
+virtqueue size permits. This bounds memory allocation and makes the
+buggy guest visible to the user.
+
+This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
+Marvel Team, China.
+
+Reported-by: Zhenhao Hong
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit afd9096eb1882f23929f5b5c177898ed231bac66)
+[BR: CVE-2016-5403 BSC#991080]
+Signed-off-by: Bruce Rogers
+---
+ hw/virtio/virtio.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 30ede3d..e5ead0d 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -561,6 +561,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz)
+
+ max = vq->vring.num;
+
++ if (vq->inuse >= vq->vring.num) {
++ error_report("Virtqueue size exceeded");
++ exit(1);
++ }
++
+ i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
+ if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
+ vring_set_avail_event(vq, vq->last_avail_idx);
diff --git a/0072-xen-when-removing-a-backend-don-t-r.patch b/0072-xen-when-removing-a-backend-don-t-r.patch
new file mode 100644
index 00000000..137ad118
--- /dev/null
+++ b/0072-xen-when-removing-a-backend-don-t-r.patch
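Review bot: The new check in virtqueue_pop() terminates QEMU on the value of `vq->inuse`, so it is only correct if that counter is exact on every path that takes or gives back an element. The hunk does not show where the counter is decremented or how it is restored after migration, and any path that leaves it too high would make this `exit(1)` fire for a well-behaved guest, so those paths should be confirmed. The message would be more useful to an operator if it named the device, e.g. `error_report("%s: virtqueue size exceeded", vdev->name);` (`vdev` is already used a few lines below), and the comparison can use `max`, which was just assigned `vq->vring.num`. The function body continues outside the hunk.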
@@ -0,0 +1,103 @@
+From 0d4ea8a7847a76415ed0d0db0392be5b7d1b71a6 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Fri, 29 Jul 2016 12:51:53 +0200
+Subject: [PATCH] xen: when removing a backend don't remove many of them
+
+When a Xenstore watch fires indicating a backend has to be removed
+don't remove all backends for that domain with the specified device
+index, but just the one which has the correct type.
+
+The easiest way to achieve this is to use the already determined
+xendev as parameter for xen_be_del_xendev() instead of only the domid
+and device index.
+
+This at once removes the open coded QTAILQ_FOREACH_SAVE() in
+xen_be_del_xendev() as there is no need to search for the correct
+xendev any longer.
+
+Signed-off-by: Juergen Gross
+Signed-off-by: Bruce Rogers
+---
+ hw/xen/xen_backend.c | 58 +++++++++++++++++-----------------------------------
+ 1 file changed, 19 insertions(+), 39 deletions(-)
+
+diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c
+index 6e52474..8f347da 100644
+--- a/hw/xen/xen_backend.c
++++ b/hw/xen/xen_backend.c
+@@ -322,48 +322,28 @@ static struct XenDevice *xen_be_get_xendev(const char *type, int dom, int dev,
+ /*
+ * release xen backend device.
+ */
+-static struct XenDevice *xen_be_del_xendev(int dom, int dev)
++static void xen_be_del_xendev(struct XenDevice *xendev)
+ {
+- struct XenDevice *xendev, *xnext;
+-
+- /*
+- * This is pretty much like QTAILQ_FOREACH(xendev, &xendevs, next) but
+- * we save the next pointer in xnext because we might free xendev.
+- */
+- xnext = xendevs.tqh_first;
+- while (xnext) {
+- xendev = xnext;
+- xnext = xendev->next.tqe_next;
+-
+- if (xendev->dom != dom) {
+- continue;
+- }
+- if (xendev->dev != dev && dev != -1) {
+- continue;
+- }
+-
+- if (xendev->ops->free) {
+- xendev->ops->free(xendev);
+- }
+-
+- if (xendev->fe) {
+- char token[XEN_BUFSIZE];
+- snprintf(token, sizeof(token), "fe:%p", xendev);
+- xs_unwatch(xenstore, xendev->fe, token);
+- g_free(xendev->fe);
+- }
++ if (xendev->ops->free) {
++ xendev->ops->free(xendev);
++ }
+
+- if (xendev->evtchndev != NULL) {
+- xenevtchn_close(xendev->evtchndev);
+- }
+- if (xendev->gnttabdev != NULL) {
+- xengnttab_close(xendev->gnttabdev);
+- }
++ if (xendev->fe) {
++ char token[XEN_BUFSIZE];
++ snprintf(token, sizeof(token), "fe:%p", xendev);
++ xs_unwatch(xenstore, xendev->fe, token);
++ g_free(xendev->fe);
++ }
+
+- QTAILQ_REMOVE(&xendevs, xendev, next);
+- g_free(xendev);
++ if (xendev->evtchndev != NULL) {
++ xenevtchn_close(xendev->evtchndev);
+ }
+- return NULL;
++ if (xendev->gnttabdev != NULL) {
++ xengnttab_close(xendev->gnttabdev);
++ }
++
++ QTAILQ_REMOVE(&xendevs, xendev, next);
++ g_free(xendev);
+ }
+
+ /*
+@@ -683,7 +663,7 @@ static void xenstore_update_be(char *watch, char *type, int dom,
+ if (xendev != NULL) {
+ bepath = xs_read(xenstore, 0, xendev->be, &len);
+ if (bepath == NULL) {
+- xen_be_del_xendev(dom, dev);
++ xen_be_del_xendev(xendev);
+ } else {
+ free(bepath);
+ xen_be_backend_changed(xendev, path);
diff --git a/0073-xen-drain-submit-queue-in-xen-usb-b.patch b/0073-xen-drain-submit-queue-in-xen-usb-b.patch
new file mode 100644
index 00000000..ae9cacb0
--- /dev/null
+++ b/0073-xen-drain-submit-queue-in-xen-usb-b.patch
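Review bot: xen_be_del_xendev() now frees the `xendev` it is handed, but its header comment still reads only "release xen backend device." and does not tell callers the pointer is dead on return. I would extend it to `/* release xen backend device: xendev is unlinked from xendevs and freed, callers must not use it afterwards */`. In xenstore_update_be() the pointer stays in scope after the call and the rest of that function is outside the hunk, so it is worth checking that nothing later dereferences it.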
@@ -0,0 +1,210 @@ +From afb94bcc5bbb8b58f8c96821caaab268f96cabdb Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Wed, 27 Jul 2016 08:17:41 +0200 +Subject: [PATCH] xen: drain submit queue in xen-usb before removing device + +When unplugging a device in the Xen pvusb backend drain the submit +queue before deallocation of the control structures. Otherwise there +will be bogus memory accesses when I/O contracts are finished. + +Correlated to this issue is the handling of cancel requests: a packet +cancelled will still lead to the call of complete, so add a flag +to the request indicating it should be just dropped on complete. + +Signed-off-by: Juergen Gross +Signed-off-by: Bruce Rogers +--- + hw/usb/xen-usb.c | 95 ++++++++++++++++++++++++++++++++++++-------------------- + 1 file changed, 61 insertions(+), 34 deletions(-) + +diff --git a/hw/usb/xen-usb.c b/hw/usb/xen-usb.c +index 664df04..6f4b99d 100644 +--- a/hw/usb/xen-usb.c ++++ b/hw/usb/xen-usb.c +@@ -94,6 +94,8 @@ struct usbback_req { + void *buffer; + void *isoc_buffer; + struct libusb_transfer *xfer; ++ ++ bool cancelled; + }; + + struct usbback_hotplug { +@@ -304,20 +306,23 @@ static void usbback_do_response(struct usbback_req *usbback_req, int32_t status, + usbback_req->isoc_buffer = NULL; + } + +- res = RING_GET_RESPONSE(&usbif->urb_ring, usbif->urb_ring.rsp_prod_pvt); +- res->id = usbback_req->req.id; +- res->status = status; +- res->actual_length = actual_length; +- res->error_count = error_count; +- res->start_frame = 0; +- usbif->urb_ring.rsp_prod_pvt++; +- RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&usbif->urb_ring, notify); +- +- if (notify) { +- xen_be_send_notify(xendev); ++ if (usbif->urb_sring) { ++ res = RING_GET_RESPONSE(&usbif->urb_ring, usbif->urb_ring.rsp_prod_pvt); ++ res->id = usbback_req->req.id; ++ res->status = status; ++ res->actual_length = actual_length; ++ res->error_count = error_count; ++ res->start_frame = 0; ++ usbif->urb_ring.rsp_prod_pvt++; ++ 
RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&usbif->urb_ring, notify); ++ ++ if (notify) { ++ xen_be_send_notify(xendev); ++ } + } + +- usbback_put_req(usbback_req); ++ if (!usbback_req->cancelled) ++ usbback_put_req(usbback_req); + } + + static void usbback_do_response_ret(struct usbback_req *usbback_req, +@@ -369,15 +374,14 @@ static void usbback_set_address(struct usbback_info *usbif, + } + } + +-static bool usbback_cancel_req(struct usbback_req *usbback_req) ++static void usbback_cancel_req(struct usbback_req *usbback_req) + { +- bool ret = false; +- + if (usb_packet_is_inflight(&usbback_req->packet)) { + usb_cancel_packet(&usbback_req->packet); +- ret = true; ++ QTAILQ_REMOVE(&usbback_req->stub->submit_q, usbback_req, q); ++ usbback_req->cancelled = true; ++ usbback_do_response_ret(usbback_req, -EPROTO); + } +- return ret; + } + + static void usbback_process_unlink_req(struct usbback_req *usbback_req) +@@ -394,7 +398,7 @@ static void usbback_process_unlink_req(struct usbback_req *usbback_req) + devnum = usbif_pipedevice(usbback_req->req.pipe); + if (unlikely(devnum == 0)) { + usbback_req->stub = usbif->ports + +- usbif_pipeportnum(usbback_req->req.pipe); ++ usbif_pipeportnum(usbback_req->req.pipe) - 1; + if (unlikely(!usbback_req->stub)) { + ret = -ENODEV; + goto fail_response; +@@ -409,9 +413,7 @@ static void usbback_process_unlink_req(struct usbback_req *usbback_req) + + QTAILQ_FOREACH(unlink_req, &usbback_req->stub->submit_q, q) { + if (unlink_req->req.id == id) { +- if (usbback_cancel_req(unlink_req)) { +- usbback_do_response_ret(unlink_req, -EPROTO); +- } ++ usbback_cancel_req(unlink_req); + break; + } + } +@@ -684,6 +686,31 @@ static void usbback_hotplug_enq(struct usbback_info *usbif, unsigned port) + usbback_hotplug_notify(usbif); + } + ++static void usbback_portid_drain(struct usbback_info *usbif, unsigned port) ++{ ++ struct usbback_req *req, *tmp; ++ bool sched = false; ++ ++ QTAILQ_FOREACH_SAFE(req, &usbif->ports[port - 1].submit_q, q, tmp) { ++ 
usbback_cancel_req(req); ++ sched = true; ++ } ++ ++ if (sched) ++ qemu_bh_schedule(usbif->bh); ++} ++ ++static void usbback_portid_detach(struct usbback_info *usbif, unsigned port) ++{ ++ if (!usbif->ports[port - 1].attached) ++ return; ++ ++ usbif->ports[port - 1].speed = USBIF_SPEED_NONE; ++ usbif->ports[port - 1].attached = false; ++ usbback_portid_drain(usbif, port); ++ usbback_hotplug_enq(usbif, port); ++} ++ + static void usbback_portid_remove(struct usbback_info *usbif, unsigned port) + { + USBPort *p; +@@ -697,9 +724,7 @@ static void usbback_portid_remove(struct usbback_info *usbif, unsigned port) + + object_unparent(OBJECT(usbif->ports[port - 1].dev)); + usbif->ports[port - 1].dev = NULL; +- usbif->ports[port - 1].speed = USBIF_SPEED_NONE; +- usbif->ports[port - 1].attached = false; +- usbback_hotplug_enq(usbif, port); ++ usbback_portid_detach(usbif, port); + + TR_BUS(&usbif->xendev, "port %d removed\n", port); + } +@@ -804,7 +829,6 @@ static void usbback_process_port(struct usbback_info *usbif, unsigned port) + static void usbback_disconnect(struct XenDevice *xendev) + { + struct usbback_info *usbif; +- struct usbback_req *req, *tmp; + unsigned int i; + + TR_BUS(xendev, "start\n"); +@@ -823,12 +847,8 @@ static void usbback_disconnect(struct XenDevice *xendev) + } + + for (i = 0; i < usbif->num_ports; i++) { +- if (!usbif->ports[i].dev) { +- continue; +- } +- QTAILQ_FOREACH_SAFE(req, &usbif->ports[i].submit_q, q, tmp) { +- usbback_cancel_req(req); +- } ++ if (usbif->ports[i].dev) ++ usbback_portid_drain(usbif, i + 1); + } + + TR_BUS(xendev, "finished\n"); +@@ -947,8 +967,7 @@ static void xen_bus_detach(USBPort *port) + + usbif = port->opaque; + TR_BUS(&usbif->xendev, "\n"); +- usbif->ports[port->index].attached = false; +- usbback_hotplug_enq(usbif, port->index + 1); ++ usbback_portid_detach(usbif, port->index + 1); + } + + static void xen_bus_child_detach(USBPort *port, USBDevice *child) +@@ -961,9 +980,16 @@ static void xen_bus_child_detach(USBPort 
*port, USBDevice *child) + + static void xen_bus_complete(USBPort *port, USBPacket *packet) + { ++ struct usbback_req *usbback_req; + struct usbback_info *usbif; + +- usbif = port->opaque; ++ usbback_req = container_of(packet, struct usbback_req, packet); ++ if (usbback_req->cancelled) { ++ g_free(usbback_req); ++ return; ++ } ++ ++ usbif = usbback_req->usbif; + TR_REQ(&usbif->xendev, "\n"); + usbback_packet_complete(packet); + } +@@ -1040,6 +1066,7 @@ static int usbback_free(struct XenDevice *xendev) + } + + usb_bus_release(&usbif->bus); ++ object_unparent(OBJECT(&usbif->bus)); + + TR_BUS(xendev, "finished\n"); + diff --git a/0074-qcow2-avoid-extra-flushes-in-qcow2.patch b/0074-qcow2-avoid-extra-flushes-in-qcow2.patch new file mode 100644 index 00000000..8b9466e0 --- /dev/null +++ b/0074-qcow2-avoid-extra-flushes-in-qcow2.patch 
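Review bot: In `usbback_process_unlink_req()` the new `usbif->ports + usbif_pipeportnum(usbback_req->req.pipe) - 1` indexes the port array with a value taken from the request's `pipe` field, and nothing visible in the hunk bounds it. The `!usbback_req->stub` test that follows cannot catch a bad index, because pointer arithmetic on `usbif->ports` does not yield NULL; a port number of 0 now points one element before the array, and a value above `usbif->num_ports` points past it. Unless the port number is validated before this function is reached (not shown here), I would range-check it before forming the pointer, as in the excerpt below. The function starts and ends outside the hunk.

```c
    devnum = usbif_pipedevice(usbback_req->req.pipe);
    if (unlikely(devnum == 0)) {
        unsigned int portnum = usbif_pipeportnum(usbback_req->req.pipe);

        /* Reject port numbers outside 1..num_ports before indexing. */
        if (unlikely(portnum < 1 || portnum > usbif->num_ports)) {
            ret = -ENODEV;
            goto fail_response;
        }
        usbback_req->stub = usbif->ports + portnum - 1;
        /* … unchanged: remainder of usbback_process_unlink_req … */
```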
@@ -0,0 +1,104 @@ +From 197d526012602fbac75392a86e991539e4400bf0 Mon Sep 17 00:00:00 2001 +From: "Denis V. Lunev" +Date: Thu, 2 Jun 2016 18:58:15 +0300 +Subject: [PATCH] qcow2: avoid extra flushes in qcow2 + +The problem with excessive flushing was found by a couple of performance +tests: + - parallel directory tree creation (from 2 processes) + - 32 cached writes + fsync at the end in a loop + +For the first one results improved from 2.6 loops/sec to 3.5 loops/sec. +Each loop creates 10^3 directories with 10 files in each. + +For the second one results improved from ~600 fsync/sec to ~1100 +fsync/sec. Though, it was run on SSD so it probably won't show such +performance gain on rotational media. + +qcow2_cache_flush() calls bdrv_flush() unconditionally after writing +cache entries of a particular cache. This can lead to as many as +2 additional fdatasyncs inside bdrv_flush. + +We can simply skip all fdatasync calls inside qcow2_co_flush_to_os +as bdrv_flush for sure will do the job. These flushes are necessary to +keep the right order of writes to the different caches. Though this is +not necessary in the current code base as this ordering is ensured through +the flush in qcow2_cache_flush_dependency(). + +Signed-off-by: Denis V. 
Lunev +CC: Pavel Borzenkov +CC: Kevin Wolf +CC: Max Reitz +Signed-off-by: Kevin Wolf +(cherry picked from commit f3c3b87dae44ac6c82246ceb3953793951800a9a) +[BR: BSC#991296] +Signed-off-by: Bruce Rogers +--- + block/qcow2-cache.c | 11 +++++++++-- + block/qcow2.c | 4 ++-- + block/qcow2.h | 1 + + 3 files changed, 12 insertions(+), 4 deletions(-) + +diff --git a/block/qcow2-cache.c b/block/qcow2-cache.c +index 0fe8eda..208a060 100644 +--- a/block/qcow2-cache.c ++++ b/block/qcow2-cache.c +@@ -226,7 +226,7 @@ static int qcow2_cache_entry_flush(BlockDriverState *bs, Qcow2Cache *c, int i) + return 0; + } + +-int qcow2_cache_flush(BlockDriverState *bs, Qcow2Cache *c) ++int qcow2_cache_write(BlockDriverState *bs, Qcow2Cache *c) + { + BDRVQcow2State *s = bs->opaque; + int result = 0; +@@ -242,8 +242,15 @@ int qcow2_cache_flush(BlockDriverState *bs, Qcow2Cache *c) + } + } + ++ return result; ++} ++ ++int qcow2_cache_flush(BlockDriverState *bs, Qcow2Cache *c) ++{ ++ int result = qcow2_cache_write(bs, c); ++ + if (result == 0) { +- ret = bdrv_flush(bs->file->bs); ++ int ret = bdrv_flush(bs->file->bs); + if (ret < 0) { + result = ret; + } +diff --git a/block/qcow2.c b/block/qcow2.c +index 470734b..dc609a1 100644 +--- a/block/qcow2.c ++++ b/block/qcow2.c +@@ -2774,14 +2774,14 @@ static coroutine_fn int qcow2_co_flush_to_os(BlockDriverState *bs) + int ret; + + qemu_co_mutex_lock(&s->lock); +- ret = qcow2_cache_flush(bs, s->l2_table_cache); ++ ret = qcow2_cache_write(bs, s->l2_table_cache); + if (ret < 0) { + qemu_co_mutex_unlock(&s->lock); + return ret; + } + + if (qcow2_need_accurate_refcounts(s)) { +- ret = qcow2_cache_flush(bs, s->refcount_block_cache); ++ ret = qcow2_cache_write(bs, s->refcount_block_cache); + if (ret < 0) { + qemu_co_mutex_unlock(&s->lock); + return ret; +diff --git a/block/qcow2.h b/block/qcow2.h +index a063a3c..7db9795 100644 +--- a/block/qcow2.h ++++ b/block/qcow2.h +@@ -583,6 +583,7 @@ int qcow2_cache_destroy(BlockDriverState* bs, Qcow2Cache *c); + void 
qcow2_cache_entry_mark_dirty(BlockDriverState *bs, Qcow2Cache *c, + void *table); + int qcow2_cache_flush(BlockDriverState *bs, Qcow2Cache *c); ++int qcow2_cache_write(BlockDriverState *bs, Qcow2Cache *c); + int qcow2_cache_set_dependency(BlockDriverState *bs, Qcow2Cache *c, + Qcow2Cache *dependency); + void qcow2_cache_depends_on_flush(Qcow2Cache *c); diff --git a/0075-qemu-bridge-helper-reduce-security-.patch b/0075-qemu-bridge-helper-reduce-security-.patch new file mode 100644 index 00000000..ea62bc26 --- /dev/null +++ b/0075-qemu-bridge-helper-reduce-security-.patch 
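Review bot: The new `qcow2_cache_write()` prototype in block/qcow2.h sits next to `qcow2_cache_flush()` with nothing to tell the two apart, yet only the latter calls `bdrv_flush(bs->file->bs)` after writing the entries. A caller that picks the wrong one silently loses the flush, so the difference deserves a comment on the declaration, for example `/* Writes all dirty entries of the cache but does not flush bs->file; use qcow2_cache_flush() when the data must reach stable storage. */`. It would also help to note in `qcow2_co_flush_to_os()` that skipping the flush relies on the ordering provided by `qcow2_cache_flush_dependency()`, which the commit message states but the code does not.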
@@ -0,0 +1,83 @@ +From 4bbd77b07de2f0df2e8a0dba9c4ca51299ee2518 Mon Sep 17 00:00:00 2001 +From: Bruce Rogers +Date: Tue, 2 Aug 2016 11:36:02 -0600 +Subject: [PATCH] qemu-bridge-helper: reduce security profile + +Change from using glib alloc and free routines to those +from libc. Also perform safety measure of dropping privs +to user if configured no-caps. + +[BR: BOO#988279] +Signed-off-by: Bruce Rogers +--- + qemu-bridge-helper.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c +index 830fb9e..73ac49b 100644 +--- a/qemu-bridge-helper.c ++++ b/qemu-bridge-helper.c +@@ -15,8 +15,6 @@ + + #include "qemu/osdep.h" + +-#include +- + #include + #include + #include +@@ -111,7 +109,12 @@ static int parse_acl_file(const char *filename, ACLList *acl_list) + *argend = 0; + + if (strcmp(cmd, "deny") == 0) { +- acl_rule = g_malloc(sizeof(*acl_rule)); ++ acl_rule = calloc(1, sizeof(*acl_rule)); ++ if (!acl_rule) { ++ fclose(f); ++ errno = ENOMEM; ++ return -1; ++ } + if (strcmp(arg, "all") == 0) { + acl_rule->type = ACL_DENY_ALL; + } else { +@@ -120,7 +123,12 @@ static int parse_acl_file(const char *filename, ACLList *acl_list) + } + QSIMPLEQ_INSERT_TAIL(acl_list, acl_rule, entry); + } else if (strcmp(cmd, "allow") == 0) { +- acl_rule = g_malloc(sizeof(*acl_rule)); ++ acl_rule = calloc(1, sizeof(*acl_rule)); ++ if (!acl_rule) { ++ fclose(f); ++ errno = ENOMEM; ++ return -1; ++ } + if (strcmp(arg, "all") == 0) { + acl_rule->type = ACL_ALLOW_ALL; + } else { +@@ -414,6 +422,17 @@ int main(int argc, char **argv) + goto cleanup; + } + ++#ifndef CONFIG_LIBCAP ++ /* avoid sending the fd as root user if running suid to not fool ++ * peer credentials to daemons that dont expect that ++ */ ++ if (setuid(getuid()) < 0) { ++ fprintf(stderr, "Failed to drop privileges.\n"); ++ ret = EXIT_FAILURE; ++ goto cleanup; ++ } ++#endif ++ + /* write fd to the domain socket */ + if (send_fd(unixfd, fd) == 
-1) { + fprintf(stderr, "failed to write fd to unix socket: %s\n", +@@ -435,7 +454,7 @@ cleanup: + } + while ((acl_rule = QSIMPLEQ_FIRST(&acl_list)) != NULL) { + QSIMPLEQ_REMOVE_HEAD(&acl_list, entry); +- g_free(acl_rule); ++ free(acl_rule); + } + + return ret; diff --git a/0076-xen-use-a-common-function-for-pv-an.patch b/0076-xen-use-a-common-function-for-pv-an.patch new file mode 100644 index 00000000..e78f0648 --- /dev/null +++ b/0076-xen-use-a-common-function-for-pv-an.patch 
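Review bot: The privilege drop added to `main()` before `send_fd()` resets only the user ID (`setuid(getuid())`) and is compiled only when `CONFIG_LIBCAP` is undefined. That is sufficient while the helper is installed setuid-only, but it leaves the group IDs untouched, so if the binary is ever installed setgid a `setgid(getgid())` would be needed ahead of the `setuid()` call. The comment should also record that in this configuration everything up to this point, ACL parsing included, has run as full root, e.g. `/* no libcap: we ran as root until here; drop to the invoking user so the fd is not sent with root credentials */` (this also fixes the "dont" typo). How the libcap build changes identity is outside the hunk and should be checked for the same property.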
@@ -0,0 +1,95 @@ +From ddbfdd2c5396aa810a789f5cb681879f78cb693f Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Tue, 2 Aug 2016 08:32:32 +0200 +Subject: [PATCH] xen: use a common function for pv and hvm guest backend + register calls + +Instead of calling xen_be_register() for each supported backend type +for hvm and pv guests in their machine init functions use a common +function in order not to have to add new backends twice. + +This at once fixes the error that hvm domains couldn't use the qusb +backend. + +Signed-off-by: Juergen Gross +Acked-by: Anthony PERARD +Message-id: 1470119552-16170-1-git-send-email-jgross@suse.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 0e39bb022b5fa8c11964968885f3263c02ce42b0) +[BR: BSC#991785] +Signed-off-by: Bruce Rogers +--- + hw/xen/xen_backend.c | 10 ++++++++++ + hw/xenpv/xen_machine_pv.c | 7 +------ + include/hw/xen/xen_backend.h | 1 + + xen-hvm.c | 4 +--- + 4 files changed, 13 insertions(+), 9 deletions(-) + +diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c +index 8f347da..f4d302d 100644 +--- a/hw/xen/xen_backend.c ++++ b/hw/xen/xen_backend.c +@@ -781,6 +781,16 @@ int xen_be_register(const char *type, struct XenDevOps *ops) + return xenstore_scan(type, xen_domid, ops); + } + ++void xen_be_register_common(void) ++{ ++ xen_be_register("console", &xen_console_ops); ++ xen_be_register("vkbd", &xen_kbdmouse_ops); ++ xen_be_register("qdisk", &xen_blkdev_ops); ++#ifdef CONFIG_USB_LIBUSB ++ xen_be_register("qusb", &xen_usb_ops); ++#endif ++} ++ + int xen_be_bind_evtchn(struct XenDevice *xendev) + { + if (xendev->local_port != -1) { +diff --git a/hw/xenpv/xen_machine_pv.c b/hw/xenpv/xen_machine_pv.c +index 48f725c..79aef4e 100644 +--- a/hw/xenpv/xen_machine_pv.c ++++ b/hw/xenpv/xen_machine_pv.c +@@ -67,14 +67,9 @@ static void xen_init_pv(MachineState *machine) + break; + } + +- xen_be_register("console", &xen_console_ops); +- xen_be_register("vkbd", &xen_kbdmouse_ops); ++ xen_be_register_common(); + 
xen_be_register("vfb", &xen_framebuffer_ops); +- xen_be_register("qdisk", &xen_blkdev_ops); + xen_be_register("qnic", &xen_netdev_ops); +-#ifdef CONFIG_USB_LIBUSB +- xen_be_register("qusb", &xen_usb_ops); +-#endif + + /* configure framebuffer */ + if (xenfb_enabled) { +diff --git a/include/hw/xen/xen_backend.h b/include/hw/xen/xen_backend.h +index 6e18a46..0e9af28 100644 +--- a/include/hw/xen/xen_backend.h ++++ b/include/hw/xen/xen_backend.h +@@ -87,6 +87,7 @@ void xen_be_check_state(struct XenDevice *xendev); + + /* xen backend driver bits */ + int xen_be_init(void); ++void xen_be_register_common(void); + int xen_be_register(const char *type, struct XenDevOps *ops); + int xen_be_set_state(struct XenDevice *xendev, enum xenbus_state state); + int xen_be_bind_evtchn(struct XenDevice *xendev); +diff --git a/xen-hvm.c b/xen-hvm.c +index 039680a..93c958a 100644 +--- a/xen-hvm.c ++++ b/xen-hvm.c +@@ -1305,9 +1305,7 @@ void xen_hvm_init(PCMachineState *pcms, MemoryRegion **ram_memory) + error_report("xen backend core setup failed"); + goto err; + } +- xen_be_register("console", &xen_console_ops); +- xen_be_register("vkbd", &xen_kbdmouse_ops); +- xen_be_register("qdisk", &xen_blkdev_ops); ++ xen_be_register_common(); + xen_read_physmap(state); + return; + diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes index 8f31238a..5d8d553d 100644 --- a/qemu-linux-user.changes +++ b/qemu-linux-user.changes 
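Review bot: `xen_be_register_common()` is declared `void` and drops the `int` result of each `xen_be_register()` call, so a backend that fails to register is invisible to both `xen_init_pv()` and `xen_hvm_init()`. The open-coded calls it replaces ignored the result as well, so this is not a regression, but the helper is the natural place to state it. I would add a comment such as `/* Register the backends common to PV and HVM guests; registration failures are ignored. */`, or report a non-zero return with `error_report()`, which xen-hvm.c already uses in the surrounding code.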
@@ -1,3 +1,31 @@ +------------------------------------------------------------------- +Wed Aug 3 17:09:11 UTC 2016 - brogers@suse.com + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6 +* Patches dropped: + 0058-usb-Fix-conditions-that-xen-usb.c-i.patch +* Patches added: + 0058-xen-move-xen_sysdev-to-xen_backend..patch + +------------------------------------------------------------------- +Wed Aug 3 13:51:47 UTC 2016 - brogers@suse.com + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6 +* Patches added: + 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch + 0065-scsi-esp-check-buffer-length-before.patch + 0066-scsi-esp-respect-FIFO-invariant-aft.patch + 0067-pci-assign-Move-Invalid-ROM-error-m.patch + 0068-Xen-PCI-passthrough-fix-passthrough.patch + 0069-scsi-esp-make-cmdbuf-big-enough-for.patch + 0070-scsi-esp-fix-migration.patch + 0071-virtio-error-out-if-guest-exceeds-v.patch + 0072-xen-when-removing-a-backend-don-t-r.patch + 0073-xen-drain-submit-queue-in-xen-usb-b.patch + 0074-qcow2-avoid-extra-flushes-in-qcow2.patch + 0075-qemu-bridge-helper-reduce-security-.patch + 0076-xen-use-a-common-function-for-pv-an.patch + ------------------------------------------------------------------- Thu Jul 28 10:53:18 UTC 2016 - agraf@suse.com diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec index b2015bed..92e5c2b8 100644 --- a/qemu-linux-user.spec +++ b/qemu-linux-user.spec 
@@ -82,12 +82,25 @@ Patch0054: 0054-scsi-esp-check-TI-buffer-index-befo.patch Patch0055: 0055-xen-introduce-dummy-system-device.patch Patch0056: 0056-xen-write-information-about-support.patch Patch0057: 0057-xen-add-pvUSB-backend.patch -Patch0058: 0058-usb-Fix-conditions-that-xen-usb.c-i.patch +Patch0058: 0058-xen-move-xen_sysdev-to-xen_backend..patch Patch0059: 0059-vnc-add-configurable-keyboard-delay.patch Patch0060: 0060-scsi-megasas-initialise-local-confi.patch Patch0061: 0061-configure-add-echo_version-helper.patch Patch0062: 0062-configure-support-vte-2.91.patch Patch0063: 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch +Patch0064: 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch +Patch0065: 0065-scsi-esp-check-buffer-length-before.patch +Patch0066: 0066-scsi-esp-respect-FIFO-invariant-aft.patch +Patch0067: 0067-pci-assign-Move-Invalid-ROM-error-m.patch +Patch0068: 0068-Xen-PCI-passthrough-fix-passthrough.patch +Patch0069: 0069-scsi-esp-make-cmdbuf-big-enough-for.patch +Patch0070: 0070-scsi-esp-fix-migration.patch +Patch0071: 0071-virtio-error-out-if-guest-exceeds-v.patch +Patch0072: 0072-xen-when-removing-a-backend-don-t-r.patch +Patch0073: 0073-xen-drain-submit-queue-in-xen-usb-b.patch +Patch0074: 0074-qcow2-avoid-extra-flushes-in-qcow2.patch +Patch0075: 0075-qemu-bridge-helper-reduce-security-.patch +Patch0076: 0076-xen-use-a-common-function-for-pv-an.patch # Please do not add patches manually here, run update_git.sh. # this is to make lint happy Source300: qemu-rpmlintrc @@ -204,6 +217,19 @@ run cross-architecture builds. %patch0061 -p1 %patch0062 -p1 %patch0063 -p1 +%patch0064 -p1 +%patch0065 -p1 +%patch0066 -p1 +%patch0067 -p1 +%patch0068 -p1 +%patch0069 -p1 +%patch0070 -p1 +%patch0071 -p1 +%patch0072 -p1 +%patch0073 -p1 +%patch0074 -p1 +%patch0075 -p1 +%patch0076 -p1 %build ./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \ diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes index 11789a63..46001cdf 100644 --- a/qemu-testsuite.changes 
+++ b/qemu-testsuite.changes 
@@ -1,3 +1,54 @@ +------------------------------------------------------------------- +Wed Aug 3 21:36:14 UTC 2016 - brogers@suse.com + +- Temporarily disable ceph (rbd) functionality in OBS due to staging + issues. + +------------------------------------------------------------------- +Wed Aug 3 17:09:05 UTC 2016 - brogers@suse.com + +- use upstream solution for building xen-usb.c correctly +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6 +* Patches dropped: + 0058-usb-Fix-conditions-that-xen-usb.c-i.patch +* Patches added: + 0058-xen-move-xen_sysdev-to-xen_backend..patch + +------------------------------------------------------------------- +Wed Aug 3 13:51:42 UTC 2016 - brogers@suse.com + +- Incorporate patch carried in Xen's qemu to get same support + as Xen switches to use the qemu package (bsc#953339, bsc#953362, + bsc#953518, bsc#984981) + 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch +- Fix more potential OOB accesses in 53C9X emulation + (CVE-2016-5238 bsc#982959) + 0065-scsi-esp-check-buffer-length-before.patch + 0066-scsi-esp-respect-FIFO-invariant-aft.patch +- Avoid "Invalid ROM" error message when it is not appropriate + (bsc#982927) + 0067-pci-assign-Move-Invalid-ROM-error-m.patch +- Fix failure in Xen HVM PCI passthrough (bsc#981925, bsc#989250) + 0068-Xen-PCI-passthrough-fix-passthrough.patch +- Fix OOB access in 53C9X emulation (CVE-2016-6351 bsc#990835) + 0069-scsi-esp-make-cmdbuf-big-enough-for.patch + 0070-scsi-esp-fix-migration.patch +- Avoid potential for guest initiated OOM condition in qemu through + virtio interface (CVE-2016-5403 bsc#991080) + 0071-virtio-error-out-if-guest-exceeds-v.patch +- Fix potential crashes in qemu from pvusb bugs (bsc#986156) + 0072-xen-when-removing-a-backend-don-t-r.patch + 0073-xen-drain-submit-queue-in-xen-usb-b.patch +- Avoid unneeded flushes in qcow2 which impact performance (bsc#991296) + 0074-qcow2-avoid-extra-flushes-in-qcow2.patch +- Finally get qemu-bridge-helper the 
permissions it needs for non- + root usage. The kvm group is leveraged to control access. (boo#988279) + 0075-qemu-bridge-helper-reduce-security-.patch +- Fix pvusb not working for HVM guests (bsc#991785) + 0076-xen-use-a-common-function-for-pv-an.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6 +- Minor spec file formatting fixes + ------------------------------------------------------------------- Thu Jul 28 10:53:14 UTC 2016 - agraf@suse.com diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index 7352f331..c45fb92b 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec @@ -44,6 +44,7 @@ %endif %define noarch_supported 1110 +%if 0%{?is_opensuse} == 0 %ifarch x86_64 %if 0%{?suse_version} > 1320 || ( 0%{?suse_version} == 1315 && ( 0%{?is_opensuse} == 0 || 0%{?sle_version} > 120100 ) ) %define with_rbd 1 @@ -55,6 +56,7 @@ %define with_rbd 1 %endif %endif +%endif %if 0%{?suse_version} > 1320 %define with_seccomp 1 
@@ -142,12 +144,25 @@ Patch0054: 0054-scsi-esp-check-TI-buffer-index-befo.patch Patch0055: 0055-xen-introduce-dummy-system-device.patch Patch0056: 0056-xen-write-information-about-support.patch Patch0057: 0057-xen-add-pvUSB-backend.patch -Patch0058: 0058-usb-Fix-conditions-that-xen-usb.c-i.patch +Patch0058: 0058-xen-move-xen_sysdev-to-xen_backend..patch Patch0059: 0059-vnc-add-configurable-keyboard-delay.patch Patch0060: 0060-scsi-megasas-initialise-local-confi.patch Patch0061: 0061-configure-add-echo_version-helper.patch Patch0062: 0062-configure-support-vte-2.91.patch Patch0063: 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch +Patch0064: 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch +Patch0065: 0065-scsi-esp-check-buffer-length-before.patch +Patch0066: 0066-scsi-esp-respect-FIFO-invariant-aft.patch +Patch0067: 0067-pci-assign-Move-Invalid-ROM-error-m.patch +Patch0068: 0068-Xen-PCI-passthrough-fix-passthrough.patch +Patch0069: 0069-scsi-esp-make-cmdbuf-big-enough-for.patch +Patch0070: 0070-scsi-esp-fix-migration.patch +Patch0071: 0071-virtio-error-out-if-guest-exceeds-v.patch +Patch0072: 0072-xen-when-removing-a-backend-don-t-r.patch +Patch0073: 0073-xen-drain-submit-queue-in-xen-usb-b.patch +Patch0074: 0074-qcow2-avoid-extra-flushes-in-qcow2.patch +Patch0075: 0075-qemu-bridge-helper-reduce-security-.patch +Patch0076: 0076-xen-use-a-common-function-for-pv-an.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. 
@@ -379,11 +394,11 @@ Recommends: qemu-ksm = %{version} %define x86_64_only_b_f_f {efi-e1000.rom efi-eepro100.rom \ efi-pcnet.rom efi-ne2k_pci.rom efi-rtl8139.rom efi-virtio.rom} %endif -%define built_firmware_files {bios.bin bios-256k.bin \ -sgabios.bin vgabios.bin vgabios-cirrus.bin \ -vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin vgabios-qxl.bin \ -optionrom/linuxboot.bin optionrom/multiboot.bin optionrom/kvmvapic.bin \ -pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}} +%define built_firmware_files {bios.bin bios-256k.bin sgabios.bin vgabios.bin \ +vgabios-cirrus.bin vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin \ +vgabios-qxl.bin optionrom/linuxboot.bin optionrom/multiboot.bin \ +optionrom/kvmvapic.bin pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom \ +pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}} %description QEMU is an extremely well-performing CPU emulator that allows you to @@ -791,6 +806,19 @@ This package provides a service file for starting and stopping KSM. %patch0061 -p1 %patch0062 -p1 %patch0063 -p1 +%patch0064 -p1 +%patch0065 -p1 +%patch0066 -p1 +%patch0067 -p1 +%patch0068 -p1 +%patch0069 -p1 +%patch0070 -p1 +%patch0071 -p1 +%patch0072 -p1 +%patch0073 -p1 +%patch0074 -p1 +%patch0075 -p1 +%patch0076 -p1 %if %{build_x86_fw_from_source} pushd roms/seabios @@ -1014,7 +1042,7 @@ for conf in default-configs/*-softmmu.mak; do done # Compile the QOM test binary first, so that ... -make tests/qom-test %{?_smp_mflags} V=1 +make tests/qom-test %{?_smp_mflags} V=1 # ... make comes in fresh and has lots of address space (needed for 32bit, bsc#957379) %if 0%{?suse_version} >= 1310 make check-report.html V=1 
@@ -1374,7 +1402,7 @@ fi %_bindir/qemu-nbd %_bindir/virtfs-proxy-helper #%_bindir/vscclient -%verify(not mode) %_libexecdir/qemu-bridge-helper +%verify(not mode) %attr(4750,root,kvm) %_libexecdir/qemu-bridge-helper %dir %_sysconfdir/%name %config %_sysconfdir/%name/bridge.conf %dir %_libdir/%name diff --git a/qemu.changes b/qemu.changes index 11789a63..46001cdf 100644 --- a/qemu.changes +++ b/qemu.changes 
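Review bot: The `%files` entry now installs `qemu-bridge-helper` setuid root via `%attr(4750,root,kvm)` while keeping `%verify(not mode)`, so `rpm -V` will not report a later change to the mode or setuid bit of this binary, and nothing next to the line explains either choice. A comment above it would make the intent reviewable, e.g. `# setuid root, executable only by group kvm; which bridges may be used is limited by bridge.conf`. It is also worth confirming, outside this hunk, that the kvm group exists before the file is installed so the ownership is applied as written. The identical change appears in the matching hunks of qemu.spec and qemu.spec.in.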
@@ -1,3 +1,54 @@ +------------------------------------------------------------------- +Wed Aug 3 21:36:14 UTC 2016 - brogers@suse.com + +- Temporarily disable ceph (rbd) functionality in OBS due to staging + issues. + +------------------------------------------------------------------- +Wed Aug 3 17:09:05 UTC 2016 - brogers@suse.com + +- use upstream solution for building xen-usb.c correctly +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6 +* Patches dropped: + 0058-usb-Fix-conditions-that-xen-usb.c-i.patch +* Patches added: + 0058-xen-move-xen_sysdev-to-xen_backend..patch + +------------------------------------------------------------------- +Wed Aug 3 13:51:42 UTC 2016 - brogers@suse.com + +- Incorporate patch carried in Xen's qemu to get same support + as Xen switches to use the qemu package (bsc#953339, bsc#953362, + bsc#953518, bsc#984981) + 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch +- Fix more potential OOB accesses in 53C9X emulation + (CVE-2016-5238 bsc#982959) + 0065-scsi-esp-check-buffer-length-before.patch + 0066-scsi-esp-respect-FIFO-invariant-aft.patch +- Avoid "Invalid ROM" error message when it is not appropriate + (bsc#982927) + 0067-pci-assign-Move-Invalid-ROM-error-m.patch +- Fix failure in Xen HVM PCI passthrough (bsc#981925, bsc#989250) + 0068-Xen-PCI-passthrough-fix-passthrough.patch +- Fix OOB access in 53C9X emulation (CVE-2016-6351 bsc#990835) + 0069-scsi-esp-make-cmdbuf-big-enough-for.patch + 0070-scsi-esp-fix-migration.patch +- Avoid potential for guest initiated OOM condition in qemu through + virtio interface (CVE-2016-5403 bsc#991080) + 0071-virtio-error-out-if-guest-exceeds-v.patch +- Fix potential crashes in qemu from pvusb bugs (bsc#986156) + 0072-xen-when-removing-a-backend-don-t-r.patch + 0073-xen-drain-submit-queue-in-xen-usb-b.patch +- Avoid unneeded flushes in qcow2 which impact performance (bsc#991296) + 0074-qcow2-avoid-extra-flushes-in-qcow2.patch +- Finally get qemu-bridge-helper the 
permissions it needs for non- + root usage. The kvm group is leveraged to control access. (boo#988279) + 0075-qemu-bridge-helper-reduce-security-.patch +- Fix pvusb not working for HVM guests (bsc#991785) + 0076-xen-use-a-common-function-for-pv-an.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6 +- Minor spec file formatting fixes + ------------------------------------------------------------------- Thu Jul 28 10:53:14 UTC 2016 - agraf@suse.com diff --git a/qemu.spec b/qemu.spec index d2549952..8a659c09 100644 --- a/qemu.spec +++ b/qemu.spec @@ -44,6 +44,7 @@ %endif %define noarch_supported 1110 +%if 0%{?is_opensuse} == 0 %ifarch x86_64 %if 0%{?suse_version} > 1320 || ( 0%{?suse_version} == 1315 && ( 0%{?is_opensuse} == 0 || 0%{?sle_version} > 120100 ) ) %define with_rbd 1 @@ -55,6 +56,7 @@ %define with_rbd 1 %endif %endif +%endif %if 0%{?suse_version} > 1320 %define with_seccomp 1 
@@ -142,12 +144,25 @@ Patch0054: 0054-scsi-esp-check-TI-buffer-index-befo.patch Patch0055: 0055-xen-introduce-dummy-system-device.patch Patch0056: 0056-xen-write-information-about-support.patch Patch0057: 0057-xen-add-pvUSB-backend.patch -Patch0058: 0058-usb-Fix-conditions-that-xen-usb.c-i.patch +Patch0058: 0058-xen-move-xen_sysdev-to-xen_backend..patch Patch0059: 0059-vnc-add-configurable-keyboard-delay.patch Patch0060: 0060-scsi-megasas-initialise-local-confi.patch Patch0061: 0061-configure-add-echo_version-helper.patch Patch0062: 0062-configure-support-vte-2.91.patch Patch0063: 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch +Patch0064: 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch +Patch0065: 0065-scsi-esp-check-buffer-length-before.patch +Patch0066: 0066-scsi-esp-respect-FIFO-invariant-aft.patch +Patch0067: 0067-pci-assign-Move-Invalid-ROM-error-m.patch +Patch0068: 0068-Xen-PCI-passthrough-fix-passthrough.patch +Patch0069: 0069-scsi-esp-make-cmdbuf-big-enough-for.patch +Patch0070: 0070-scsi-esp-fix-migration.patch +Patch0071: 0071-virtio-error-out-if-guest-exceeds-v.patch +Patch0072: 0072-xen-when-removing-a-backend-don-t-r.patch +Patch0073: 0073-xen-drain-submit-queue-in-xen-usb-b.patch +Patch0074: 0074-qcow2-avoid-extra-flushes-in-qcow2.patch +Patch0075: 0075-qemu-bridge-helper-reduce-security-.patch +Patch0076: 0076-xen-use-a-common-function-for-pv-an.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. 
@@ -379,11 +394,11 @@ Recommends: qemu-ksm = %{version} %define x86_64_only_b_f_f {efi-e1000.rom efi-eepro100.rom \ efi-pcnet.rom efi-ne2k_pci.rom efi-rtl8139.rom efi-virtio.rom} %endif -%define built_firmware_files {bios.bin bios-256k.bin \ -sgabios.bin vgabios.bin vgabios-cirrus.bin \ -vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin vgabios-qxl.bin \ -optionrom/linuxboot.bin optionrom/multiboot.bin optionrom/kvmvapic.bin \ -pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}} +%define built_firmware_files {bios.bin bios-256k.bin sgabios.bin vgabios.bin \ +vgabios-cirrus.bin vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin \ +vgabios-qxl.bin optionrom/linuxboot.bin optionrom/multiboot.bin \ +optionrom/kvmvapic.bin pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom \ +pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}} %description QEMU is an extremely well-performing CPU emulator that allows you to @@ -791,6 +806,19 @@ This package provides a service file for starting and stopping KSM. %patch0061 -p1 %patch0062 -p1 %patch0063 -p1 +%patch0064 -p1 +%patch0065 -p1 +%patch0066 -p1 +%patch0067 -p1 +%patch0068 -p1 +%patch0069 -p1 +%patch0070 -p1 +%patch0071 -p1 +%patch0072 -p1 +%patch0073 -p1 +%patch0074 -p1 +%patch0075 -p1 +%patch0076 -p1 %if %{build_x86_fw_from_source} pushd roms/seabios @@ -1014,7 +1042,7 @@ for conf in default-configs/*-softmmu.mak; do done # Compile the QOM test binary first, so that ... -make tests/qom-test %{?_smp_mflags} V=1 +make tests/qom-test %{?_smp_mflags} V=1 # ... make comes in fresh and has lots of address space (needed for 32bit, bsc#957379) %if 0%{?suse_version} >= 1310 make check-report.html V=1 
@@ -1374,7 +1402,7 @@ fi
 %_bindir/qemu-nbd
 %_bindir/virtfs-proxy-helper
 #%_bindir/vscclient
-%verify(not mode) %_libexecdir/qemu-bridge-helper
+%verify(not mode) %attr(4750,root,kvm) %_libexecdir/qemu-bridge-helper
 %dir %_sysconfdir/%name
 %config %_sysconfdir/%name/bridge.conf
 %dir %_libdir/%name
diff --git a/qemu.spec.in b/qemu.spec.in
index 4f45411e..ecbc5441 100644
--- a/qemu.spec.in
+++ b/qemu.spec.in
@@ -44,6 +44,7 @@
 %endif
 %define noarch_supported 1110
+%if 0%{?is_opensuse} == 0
 %ifarch x86_64
 %if 0%{?suse_version} > 1320 || ( 0%{?suse_version} == 1315 && ( 0%{?is_opensuse} == 0 || 0%{?sle_version} > 120100 ) )
 %define with_rbd 1
@@ -55,6 +56,7 @@
 %define with_rbd 1
 %endif
 %endif
+%endif
 %if 0%{?suse_version} > 1320
 %define with_seccomp 1
@@ -317,11 +319,11 @@ Recommends: qemu-ksm = %{version}
 %define x86_64_only_b_f_f {efi-e1000.rom efi-eepro100.rom \
 efi-pcnet.rom efi-ne2k_pci.rom efi-rtl8139.rom efi-virtio.rom}
 %endif
-%define built_firmware_files {bios.bin bios-256k.bin \
-sgabios.bin vgabios.bin vgabios-cirrus.bin \
-vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin vgabios-qxl.bin \
-optionrom/linuxboot.bin optionrom/multiboot.bin optionrom/kvmvapic.bin \
-pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}}
+%define built_firmware_files {bios.bin bios-256k.bin sgabios.bin vgabios.bin \
+vgabios-cirrus.bin vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin \
+vgabios-qxl.bin optionrom/linuxboot.bin optionrom/multiboot.bin \
+optionrom/kvmvapic.bin pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom \
+pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}}
 %description
 QEMU is an extremely well-performing CPU emulator that allows you to
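Review bot: The `%files` entry that now installs `qemu-bridge-helper` setuid root for group kvm (`%attr(4750,root,kvm)`, hunk at -1374 in qemu.spec and the identical line at -1253 in qemu.spec.in) still carries `%verify(not mode)`, so `rpm -V` will not report a later change to the setuid bit or to the group-only execute restriction. If the mode is meant to be governed by the distribution's permissions profiles, the entry should be paired with `%set_permissions %_libexecdir/qemu-bridge-helper` in `%post` and `%verify_permissions -e %_libexecdir/qemu-bridge-helper` in `%verifyscript`; neither scriptlet is visible in these hunks, so confirm they exist. The entry also assumes the `kvm` group exists before the payload is unpacked, otherwise rpm may fall back to another group and the helper ends up unusable for its intended callers. A comment above the line, for example `# setuid root, executable only by group kvm; see bridge.conf for the allowed bridges`, would record why the bit is set.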
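Review bot: The outer guard `%if 0%{?is_opensuse} == 0` added in qemu.spec.in (opened in the hunk at -44, closed by the added `%endif` in the hunk at -55) has no comment, although the commit description calls the librbd disablement temporary. A line above it such as `# Temporarily skip librbd on openSUSE builds until the staging impact is resolved; drop this guard afterwards` would keep the intent findable from the spec itself. While the guard is in place the inner test `( 0%{?is_opensuse} == 0 || 0%{?sle_version} > 120100 )` is always true, so the `sle_version` alternative is unreachable; the lines between the two hunks are not visible, so the other branch should be checked the same way.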
@@ -892,7 +894,7 @@ for conf in default-configs/*-softmmu.mak; do
 done
 # Compile the QOM test binary first, so that ...
-make tests/qom-test %{?_smp_mflags} V=1
+make tests/qom-test %{?_smp_mflags} V=1
 # ... make comes in fresh and has lots of address space (needed for 32bit, bsc#957379)
 %if 0%{?suse_version} >= 1310
 make check-report.html V=1
@@ -1253,7 +1255,7 @@ fi
 %_bindir/qemu-nbd
 %_bindir/virtfs-proxy-helper
 #%_bindir/vscclient
-%verify(not mode) %_libexecdir/qemu-bridge-helper
+%verify(not mode) %attr(4750,root,kvm) %_libexecdir/qemu-bridge-helper
 %dir %_sysconfdir/%name
 %config %_sysconfdir/%name/bridge.conf
 %dir %_libdir/%name