
Accepting request 416912 from home:bfrogers:branches:Virtualization

Sync with IBS qemu: includes Xen patches, security patches, some spec file cleanup, and finally gets qemu-bridge-helper working right. Also temporarily disable the librbd dependency in OBS until the staging impact concerns are resolved.

OBS-URL: https://build.opensuse.org/request/show/416912
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=309
Bruce Rogers 2016-08-04 13:09:24 +00:00 committed by Git OBS Bridge
parent 1bce911f63
commit 431f30630a
27 changed files with 1388 additions and 57 deletions


@ -1,28 +0,0 @@
From 49ca2dd08ac9edce6d828328069d1092f3a63b50 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Fri, 10 Jun 2016 07:12:15 -0600
Subject: [PATCH] usb: Fix conditions that xen-usb.c is used
When non-x86 arch targets are built on x86 we have a mismatched
between what is built in support of xen. xen-usb.c is conditioned
upon CONFIG_USB_LIBUSB and CONFIG_XEN_BACKEND, but it relies on
an external reference that is instead controlled by CONFIG_XEN.
Add a dependency on CONFIG_XEN as well.
[BR: FATE#316612]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/usb/Makefile.objs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/usb/Makefile.objs b/hw/usb/Makefile.objs
index 98b5c9d..2db2fa1 100644
--- a/hw/usb/Makefile.objs
+++ b/hw/usb/Makefile.objs
@@ -39,6 +39,6 @@ common-obj-$(CONFIG_USB_REDIR) += redirect.o quirks.o
# usb pass-through
common-obj-y += $(patsubst %,host-%.o,$(HOST_USB))
-ifeq ($(CONFIG_USB_LIBUSB),y)
+ifeq ($(CONFIG_XEN)$(CONFIG_USB_LIBUSB),yy)
common-obj-$(CONFIG_XEN_BACKEND) += xen-usb.o
endif


@ -0,0 +1,161 @@
From ee2225e5f531d965aed352bf99ba339969216144 Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Mon, 13 Jun 2016 11:12:21 +0200
Subject: [PATCH] xen: move xen_sysdev to xen_backend.c
Commit 9432e53a5bc88681b2d3aec4dac9db07c5476d1b added xen_sysdev as a
system device to serve as an anchor for removable virtual buses. This
introduced a build failure for non-x86 builds with CONFIG_XEN_BACKEND
set, as xen_sysdev was defined in a x86 specific file while being
consumed in an architecture independent source.
Move the xen_sysdev definition and initialization to xen_backend.c to
avoid the build failure.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
Acked-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
---
hw/xen/xen_backend.c | 41 +++++++++++++++++++++++++++++++++++++++++
hw/xenpv/xen_machine_pv.c | 40 ----------------------------------------
2 files changed, 41 insertions(+), 40 deletions(-)
diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c
index c63f9df..6e52474 100644
--- a/hw/xen/xen_backend.c
+++ b/hw/xen/xen_backend.c
@@ -27,12 +27,17 @@
#include <sys/signal.h>
#include "hw/hw.h"
+#include "hw/sysbus.h"
#include "sysemu/char.h"
#include "qemu/log.h"
#include "hw/xen/xen_backend.h"
#include <xen/grant_table.h>
+#define TYPE_XENSYSDEV "xensysdev"
+
+DeviceState *xen_sysdev;
+
/* ------------------------------------------------------------- */
/* public */
@@ -763,6 +768,10 @@ int xen_be_init(void)
/* Check if xen_init() have been called */
goto err;
}
+
+ xen_sysdev = qdev_create(NULL, TYPE_XENSYSDEV);
+ qdev_init_nofail(xen_sysdev);
+
return 0;
err:
@@ -863,3 +872,35 @@ void xen_be_printf(struct XenDevice *xendev, int msg_level, const char *fmt, ...
}
qemu_log_flush();
}
+
+static int xen_sysdev_init(SysBusDevice *dev)
+{
+ return 0;
+}
+
+static Property xen_sysdev_properties[] = {
+ {/* end of property list */},
+};
+
+static void xen_sysdev_class_init(ObjectClass *klass, void *data)
+{
+ DeviceClass *dc = DEVICE_CLASS(klass);
+ SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
+
+ k->init = xen_sysdev_init;
+ dc->props = xen_sysdev_properties;
+}
+
+static const TypeInfo xensysdev_info = {
+ .name = TYPE_XENSYSDEV,
+ .parent = TYPE_SYS_BUS_DEVICE,
+ .instance_size = sizeof(SysBusDevice),
+ .class_init = xen_sysdev_class_init,
+};
+
+static void xenbe_register_types(void)
+{
+ type_register_static(&xensysdev_info);
+}
+
+type_init(xenbe_register_types);
diff --git a/hw/xenpv/xen_machine_pv.c b/hw/xenpv/xen_machine_pv.c
index f68cf48..48f725c 100644
--- a/hw/xenpv/xen_machine_pv.c
+++ b/hw/xenpv/xen_machine_pv.c
@@ -25,15 +25,10 @@
#include "qemu/osdep.h"
#include "hw/hw.h"
#include "hw/boards.h"
-#include "hw/sysbus.h"
#include "hw/xen/xen_backend.h"
#include "xen_domainbuild.h"
#include "sysemu/block-backend.h"
-#define TYPE_XENSYSDEV "xensysdev"
-
-DeviceState *xen_sysdev;
-
static void xen_init_pv(MachineState *machine)
{
DriveInfo *dinfo;
@@ -72,9 +67,6 @@ static void xen_init_pv(MachineState *machine)
break;
}
- xen_sysdev = qdev_create(NULL, TYPE_XENSYSDEV);
- qdev_init_nofail(xen_sysdev);
-
xen_be_register("console", &xen_console_ops);
xen_be_register("vkbd", &xen_kbdmouse_ops);
xen_be_register("vfb", &xen_framebuffer_ops);
@@ -112,38 +104,6 @@ static void xen_init_pv(MachineState *machine)
xen_init_display(xen_domid);
}
-static int xen_sysdev_init(SysBusDevice *dev)
-{
- return 0;
-}
-
-static Property xen_sysdev_properties[] = {
- {/* end of property list */},
-};
-
-static void xen_sysdev_class_init(ObjectClass *klass, void *data)
-{
- DeviceClass *dc = DEVICE_CLASS(klass);
- SysBusDeviceClass *k = SYS_BUS_DEVICE_CLASS(klass);
-
- k->init = xen_sysdev_init;
- dc->props = xen_sysdev_properties;
-}
-
-static const TypeInfo xensysdev_info = {
- .name = TYPE_XENSYSDEV,
- .parent = TYPE_SYS_BUS_DEVICE,
- .instance_size = sizeof(SysBusDevice),
- .class_init = xen_sysdev_class_init,
-};
-
-static void xenpv_register_types(void)
-{
- type_register_static(&xensysdev_info);
-}
-
-type_init(xenpv_register_types);
-
static void xenpv_machine_init(MachineClass *mc)
{
mc->desc = "Xen Para-virtualized PC";


@ -1,4 +1,4 @@
From 5af645d652290cf562a2f05fa8318d75ae6f04e3 Mon Sep 17 00:00:00 2001
From 6a788961dd16f558d78ab7313f0b297409f37af7 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 1 Jun 2016 08:22:30 +0200
Subject: [PATCH] vnc: add configurable keyboard delay


@ -1,4 +1,4 @@
From 1702291e859964a4f5b448e1fe19ee5947555adc Mon Sep 17 00:00:00 2001
From 702d446c9378b6d8415599780cf9f8bfb4c7cb9a Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 25 May 2016 17:41:44 +0530
Subject: [PATCH] scsi: megasas: initialise local configuration data buffer


@ -1,4 +1,4 @@
From 79607d09f8670a92feb8e63455f6be59842f985a Mon Sep 17 00:00:00 2001
From 83775fe297c7cc8dae0d46c22accc2d7eb78c4a0 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 6 May 2016 14:03:09 -0400
Subject: [PATCH] configure: add echo_version helper


@ -1,4 +1,4 @@
From 8c4afe82d5eb1cfd33d64fa9b1a3f7fd92bc02f3 Mon Sep 17 00:00:00 2001
From b673055ec7e4eda0454aacc2d042bd53405f85e6 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 6 May 2016 14:03:12 -0400
Subject: [PATCH] configure: support vte-2.91


@ -1,4 +1,4 @@
From b38222880dde75c9e489f86af0b12a9e9a63b412 Mon Sep 17 00:00:00 2001
From ced63da3c840792292a6ee8201c3f7789b80b7eb Mon Sep 17 00:00:00 2001
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Mon, 4 Jul 2016 13:06:36 +0100
Subject: [PATCH] hw/arm/virt: mark the PCIe host controller as DMA coherent in


@ -0,0 +1,47 @@
From 1caba48fc19de7cdceda7577ccf6970d4eb7ed75 Mon Sep 17 00:00:00 2001
From: Olaf Hering <ohering@suse.de>
Date: Tue, 21 Jun 2016 18:42:45 +0200
Subject: [PATCH] xen: SUSE xenlinux unplug for emulated PCI
Implement SUSE specific unplug protocol for emulated PCI devices
in PVonHVM guests
(bsc#953339, bsc#953362, bsc#953518, bsc#984981)
Signed-off-by: Olaf Hering <ohering@suse.de>
---
hw/i386/xen/xen_platform.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/hw/i386/xen/xen_platform.c b/hw/i386/xen/xen_platform.c
index aa78393..48800c1 100644
--- a/hw/i386/xen/xen_platform.c
+++ b/hw/i386/xen/xen_platform.c
@@ -314,6 +314,28 @@ static void xen_platform_ioport_writeb(void *opaque, hwaddr addr,
case 0: /* Platform flags */
platform_fixed_ioport_writeb(opaque, 0, (uint32_t)val);
break;
+ case 4:
+ if (val == 1 && size == 1) {
+ /*
+ * SUSE unplug for Xenlinux
+ * xen-kmp used this since xen-3.0.4, instead the official protocol from xen-3.3+
+ * It did an unconditional "outl(1, (ioaddr + 4));"
+ * This approach was used until openSUSE 12.3, up to SLE11SP3 and in SLE10.
+ * Starting with openSUSE 13.1, SLE11SP4 and SLE12 the official protocol is used.
+ * pre VMDP 1.7 made use of 4 and 8 depending on how vmdp was configured.
+ * If VMDP was to control both disk and LAN it would use 4.
+ * If it controlled just disk or just LAN, it would use 8 below.
+ */
+ PCIDevice *pci_dev = PCI_DEVICE(s);
+ DPRINTF("unplug disks\n");
+ blk_drain_all();
+ blk_flush_all();
+ pci_unplug_disks(pci_dev->bus);
+ DPRINTF("unplug nics\n");
+ pci_unplug_nics(pci_dev->bus);
+ DPRINTF("done\n");
+ }
+ break;
case 8:
log_writeb(s, (uint32_t)val);
break;
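Review bot: The guard `val == 1 && size == 1` in the new `case 4` does not match the comment beneath it, which says the guest issued `outl(1, (ioaddr + 4))`, a 32-bit write; nothing in the hunk explains how that arrives here as a one-byte access. A line such as `/* the 4-byte outl is presumably delivered as byte-sized writes, so only the low byte carries 1 - confirm */` would record the reasoning. Because this path lets a single guest port write detach the emulated disks and NICs, the comment should also say explicitly that the unplug is intentionally unconditional for these legacy guests. `xen_platform_ioport_writeb` starts and ends outside the hunk.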


@ -0,0 +1,36 @@
From 440a840f30f2439aece31ae59a5ee91675a78bb1 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 31 May 2016 23:23:27 +0530
Subject: [PATCH] scsi: esp: check buffer length before reading scsi command
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
command into a buffer. Add check to validate command length against
buffer size to avoid any overrun.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
[BR: CVE-2016-5238 BSC#982959]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/esp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 3adb685..4b94bbc 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
s->dma_memory_read(s->dma_opaque, buf, dmalen);
} else {
dmalen = s->ti_size;
+ if (dmalen > TI_BUFSZ) {
+ return 0;
+ }
memcpy(buf, s->ti_buf, dmalen);
buf[0] = buf[2] >> 5;
}
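Review bot: The added check bounds `dmalen` by `TI_BUFSZ`, the size of the source `s->ti_buf`, but the `memcpy` destination is `buf`, whose capacity is the `buflen` parameter, and `buflen` is not consulted in this branch. If any caller passes a buffer smaller than `TI_BUFSZ` the copy can still overrun, so the guard would be safer as `if (dmalen > TI_BUFSZ || dmalen > buflen) { return 0; }`. The DMA branch above calls `s->dma_memory_read(s->dma_opaque, buf, dmalen)`, and whether that length is bounded by `buflen` is decided outside the hunk. The silent `return 0` also leaves no record that a guest supplied an oversized command; a trace event on that path would help detection.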


@ -0,0 +1,29 @@
From 9b2c1b6e771f01757b93cc92625ef48903786291 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 14 Jun 2016 15:10:24 +0200
Subject: [PATCH] scsi: esp: respect FIFO invariant after message phase
The FIFO contains two bytes; hence the write ptr should be two bytes ahead
of the read pointer.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e)
[BR: CVE-2016-5238 BSC#982959]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/esp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 4b94bbc..3f08598 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -222,7 +222,7 @@ static void write_response(ESPState *s)
} else {
s->ti_size = 2;
s->ti_rptr = 0;
- s->ti_wptr = 0;
+ s->ti_wptr = 2;
s->rregs[ESP_RFLAGS] = 2;
}
esp_raise_irq(s);

View File

@ -0,0 +1,52 @@
From f4fe76597dccb9017be71983c4204f21877fc69f Mon Sep 17 00:00:00 2001
From: Lin Ma <lma@suse.com>
Date: Thu, 16 Jun 2016 01:05:27 +0800
Subject: [PATCH] pci-assign: Move "Invalid ROM" error message to
pci-assign-load-rom.c
In function pci_assign_dev_load_option_rom, For those pci devices don't
have 'rom' file under sysfs or if loading ROM from external file, The
function returns NULL, and won't set the passed 'size' variable.
In these 2 cases, qemu still reports "Invalid ROM" error message, Users
may be confused by it.
Signed-off-by: Lin Ma <lma@suse.com>
Message-Id: <1466010327-22368-1-git-send-email-lma@suse.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit be968c721ee9df49708691ab58f0e66b394dea82)
[BR: BSC#982927]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/i386/kvm/pci-assign.c | 4 ----
hw/i386/pci-assign-load-rom.c | 3 +++
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
index bf425a2..8abce52 100644
--- a/hw/i386/kvm/pci-assign.c
+++ b/hw/i386/kvm/pci-assign.c
@@ -1891,8 +1891,4 @@ static void assigned_dev_load_option_rom(AssignedDevice *dev)
pci_assign_dev_load_option_rom(&dev->dev, OBJECT(dev), &size,
dev->host.domain, dev->host.bus,
dev->host.slot, dev->host.function);
-
- if (!size) {
- error_report("pci-assign: Invalid ROM.");
- }
}
diff --git a/hw/i386/pci-assign-load-rom.c b/hw/i386/pci-assign-load-rom.c
index 4bbb08c..0d8e4b2 100644
--- a/hw/i386/pci-assign-load-rom.c
+++ b/hw/i386/pci-assign-load-rom.c
@@ -40,6 +40,9 @@ void *pci_assign_dev_load_option_rom(PCIDevice *dev, struct Object *owner,
domain, bus, slot, function);
if (stat(rom_file, &st)) {
+ if (errno != ENOENT) {
+ error_report("pci-assign: Invalid ROM.");
+ }
return NULL;
}
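Review bot: The message emitted when `stat(rom_file, &st)` fails with anything other than `ENOENT` still reads "Invalid ROM", although at that point no ROM content has been examined; the failure is a path or permission problem. Reporting the cause would make it diagnosable, for example `error_report("pci-assign: cannot stat %s: %s", rom_file, strerror(errno));`. With the `if (!size)` check removed from `assigned_dev_load_option_rom`, later failures are reported only if `pci_assign_dev_load_option_rom` does so itself, and the rest of that function is outside the hunk.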


@ -0,0 +1,29 @@
From a4b6bbf1139ebc70375c48afe99fccdd9dcaa501 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Tue, 26 Jul 2016 16:42:45 -0600
Subject: [PATCH] Xen PCI passthrough: fix passthrough failure when no
interrupt pin
Commit 5a11d0f7 mistakenly converted a log message into an error
condition when no pin interrupt is found for the pci device being
passed through. Revert that part of the commit.
[BR: BSC#981925, BSC#989250]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/xen/xen_pt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c
index f593b04..b6d71bb 100644
--- a/hw/xen/xen_pt.c
+++ b/hw/xen/xen_pt.c
@@ -842,7 +842,7 @@ static void xen_pt_realize(PCIDevice *d, Error **errp)
goto err_out;
}
if (!scratch) {
- error_setg(errp, "no pin interrupt");
+ XEN_PT_LOG(d, "no pin interrupt\n");
goto out;
}


@ -0,0 +1,73 @@
From 20a82db8677dfb40288953ba296c372b66146f4d Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 16 Jun 2016 00:22:35 +0200
Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
While doing DMA read into ESP command buffer 's->cmdbuf', it could
write past the 's->cmdbuf' area, if it was transferring more than 16
bytes. Increase the command buffer size to 32, which is maximum when
's->do_cmd' is set, and add a check on 'len' to avoid OOB access.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11)
[BR: CVE-2016-6351 BSC#990835]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/esp.c | 6 ++++--
include/hw/scsi/esp.h | 3 ++-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 3f08598..9e318fd 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -249,6 +249,8 @@ static void esp_do_dma(ESPState *s)
len = s->dma_left;
if (s->do_cmd) {
trace_esp_do_dma(s->cmdlen, len);
+ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
+ len <= sizeof(s->cmdbuf) - s->cmdlen);
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
s->ti_size = 0;
s->cmdlen = 0;
@@ -348,7 +350,7 @@ static void handle_ti(ESPState *s)
s->dma_counter = dmalen;
if (s->do_cmd)
- minlen = (dmalen < 32) ? dmalen : 32;
+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
else if (s->ti_size < 0)
minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
else
@@ -452,7 +454,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
break;
case ESP_FIFO:
if (s->do_cmd) {
- if (s->cmdlen < TI_BUFSZ) {
+ if (s->cmdlen < ESP_CMDBUF_SZ) {
s->cmdbuf[s->cmdlen++] = val & 0xff;
} else {
trace_esp_error_fifo_overrun();
diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
index 6c79527..d2c4886 100644
--- a/include/hw/scsi/esp.h
+++ b/include/hw/scsi/esp.h
@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
#define ESP_REGS 16
#define TI_BUFSZ 16
+#define ESP_CMDBUF_SZ 32
typedef struct ESPState ESPState;
@@ -31,7 +32,7 @@ struct ESPState {
SCSIBus bus;
SCSIDevice *current_dev;
SCSIRequest *current_req;
- uint8_t cmdbuf[TI_BUFSZ];
+ uint8_t cmdbuf[ESP_CMDBUF_SZ];
uint32_t cmdlen;
uint32_t do_cmd;
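Review bot: The bounds check added to `esp_do_dma` is an `assert`, and both `s->cmdlen` and `len` derive from guest-programmed state, so a guest that reaches it with an oversized transfer aborts the whole QEMU process; in a build with `NDEBUG` the check would disappear and the out-of-bounds `dma_memory_read` would be back. A runtime check that rejects the transfer is the safer shape, e.g. `if (s->cmdlen > sizeof(s->cmdbuf) || len > sizeof(s->cmdbuf) - s->cmdlen) { trace_esp_error_fifo_overrun(); return; }`, subject to what the rest of the function, which lies outside the hunk, expects on an early return. The spacing in `assert (` also departs from the call style of the surrounding lines.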


@ -0,0 +1,58 @@
From a4c62237f33857750850ef30066a5ae5d4d1194e Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 20 Jun 2016 16:32:39 +0200
Subject: [PATCH] scsi: esp: fix migration
Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size",
2016-06-16) changed the size of a migrated field. Split it in two
parts, and only migrate the second part in a new vmstate version.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit cc96677469388bad3d66479379735cf75db069e3)
[BR: CVE-2016-6351 BSC#990835]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/esp.c | 5 +++--
include/migration/vmstate.h | 5 ++++-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 9e318fd..25c547c 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -577,7 +577,7 @@ static bool esp_mem_accepts(void *opaque, hwaddr addr,
const VMStateDescription vmstate_esp = {
.name ="esp",
- .version_id = 3,
+ .version_id = 4,
.minimum_version_id = 3,
.fields = (VMStateField[]) {
VMSTATE_BUFFER(rregs, ESPState),
@@ -588,7 +588,8 @@ const VMStateDescription vmstate_esp = {
VMSTATE_BUFFER(ti_buf, ESPState),
VMSTATE_UINT32(status, ESPState),
VMSTATE_UINT32(dma, ESPState),
- VMSTATE_BUFFER(cmdbuf, ESPState),
+ VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16),
+ VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4),
VMSTATE_UINT32(cmdlen, ESPState),
VMSTATE_UINT32(do_cmd, ESPState),
VMSTATE_UINT32(dma_left, ESPState),
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index 84ee355..853a2bd 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -888,8 +888,11 @@ extern const VMStateInfo vmstate_info_bitmap;
#define VMSTATE_PARTIAL_BUFFER(_f, _s, _size) \
VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size)
+#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \
+ VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f)))
+
#define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \
- VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f)))
+ VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0)
#define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size) \
VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size)
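Review bot: The literal `16` in `VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16)` and `VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4)` is the size `cmdbuf` had in version 3 of the stream, but nothing says so, and an unexplained number in a wire-format description is easy to change by mistake. A comment such as `/* first 16 bytes: cmdbuf as migrated in version 3; the remainder is new in version 4 */` would pin it. Separately, `cmdlen` is loaded as a plain `VMSTATE_UINT32` and no post-load range check against the buffer size is visible in this hunk; if none exists elsewhere, a value from a corrupted or untrusted stream reaches the `cmdbuf` indexing unchecked.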


@ -0,0 +1,65 @@
From d9c626e4ede58130f64f24f4f9ca1140e4102a70 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 19 Jul 2016 13:07:13 +0100
Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
A broken or malicious guest can submit more requests than the virtqueue
size permits, causing unbounded memory allocation in QEMU.
The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size. This requires reusing
vring descriptors in more than one request, which is not allowed by the
VIRTIO 1.0 specification.
In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
says:
1. The driver places the buffer into free descriptor(s) in the
descriptor table, chaining as necessary
and
Note that the above code does not take precautions against the
available ring buffer wrapping around: this is not possible since the
ring buffer is the same size as the descriptor table, so step (1) will
prevent such a condition.
This implies that placing more buffers into the virtqueue than the
descriptor table size is not allowed.
QEMU is missing the check to prevent this case. Processing a request
allocates a VirtQueueElement leading to unbounded memory allocation
controlled by the guest.
Exit with an error if the guest provides more requests than the
virtqueue size permits. This bounds memory allocation and makes the
buggy guest visible to the user.
This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
Marvel Team, China.
Reported-by: Zhenhao Hong <hongzhenhao@360.cn>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit afd9096eb1882f23929f5b5c177898ed231bac66)
[BR: CVE-2016-5403 BSC#991080]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/virtio/virtio.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 30ede3d..e5ead0d 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -561,6 +561,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz)
max = vq->vring.num;
+ if (vq->inuse >= vq->vring.num) {
+ error_report("Virtqueue size exceeded");
+ exit(1);
+ }
+
i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
vring_set_avail_event(vq, vq->last_avail_idx);
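Review bot: The new `error_report("Virtqueue size exceeded")` gives the operator nothing to identify the device or queue before `exit(1)` ends the process, so on a host running many guests the log shows only a generic line and a VM that disappeared. Including the device and the counters, e.g. `error_report("%s: virtqueue size exceeded (inuse %d, num %u)", vdev->name, vq->inuse, vq->vring.num);`, would make the event attributable; the format specifiers assume the field types and should be checked against the struct definitions. The check also re-reads `vq->vring.num` although `max` was assigned from it on the line above. `virtqueue_pop` starts and ends outside the hunk.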


@ -0,0 +1,103 @@
From 0d4ea8a7847a76415ed0d0db0392be5b7d1b71a6 Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Fri, 29 Jul 2016 12:51:53 +0200
Subject: [PATCH] xen: when removing a backend don't remove many of them
When a Xenstore watch fires indicating a backend has to be removed
don't remove all backends for that domain with the specified device
index, but just the one which has the correct type.
The easiest way to achieve this is to use the already determined
xendev as parameter for xen_be_del_xendev() instead of only the domid
and device index.
This at once removes the open coded QTAILQ_FOREACH_SAVE() in
xen_be_del_xendev() as there is no need to search for the correct
xendev any longer.
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/xen/xen_backend.c | 58 +++++++++++++++++-----------------------------------
1 file changed, 19 insertions(+), 39 deletions(-)
diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c
index 6e52474..8f347da 100644
--- a/hw/xen/xen_backend.c
+++ b/hw/xen/xen_backend.c
@@ -322,48 +322,28 @@ static struct XenDevice *xen_be_get_xendev(const char *type, int dom, int dev,
/*
* release xen backend device.
*/
-static struct XenDevice *xen_be_del_xendev(int dom, int dev)
+static void xen_be_del_xendev(struct XenDevice *xendev)
{
- struct XenDevice *xendev, *xnext;
-
- /*
- * This is pretty much like QTAILQ_FOREACH(xendev, &xendevs, next) but
- * we save the next pointer in xnext because we might free xendev.
- */
- xnext = xendevs.tqh_first;
- while (xnext) {
- xendev = xnext;
- xnext = xendev->next.tqe_next;
-
- if (xendev->dom != dom) {
- continue;
- }
- if (xendev->dev != dev && dev != -1) {
- continue;
- }
-
- if (xendev->ops->free) {
- xendev->ops->free(xendev);
- }
-
- if (xendev->fe) {
- char token[XEN_BUFSIZE];
- snprintf(token, sizeof(token), "fe:%p", xendev);
- xs_unwatch(xenstore, xendev->fe, token);
- g_free(xendev->fe);
- }
+ if (xendev->ops->free) {
+ xendev->ops->free(xendev);
+ }
- if (xendev->evtchndev != NULL) {
- xenevtchn_close(xendev->evtchndev);
- }
- if (xendev->gnttabdev != NULL) {
- xengnttab_close(xendev->gnttabdev);
- }
+ if (xendev->fe) {
+ char token[XEN_BUFSIZE];
+ snprintf(token, sizeof(token), "fe:%p", xendev);
+ xs_unwatch(xenstore, xendev->fe, token);
+ g_free(xendev->fe);
+ }
- QTAILQ_REMOVE(&xendevs, xendev, next);
- g_free(xendev);
+ if (xendev->evtchndev != NULL) {
+ xenevtchn_close(xendev->evtchndev);
}
- return NULL;
+ if (xendev->gnttabdev != NULL) {
+ xengnttab_close(xendev->gnttabdev);
+ }
+
+ QTAILQ_REMOVE(&xendevs, xendev, next);
+ g_free(xendev);
}
/*
@@ -683,7 +663,7 @@ static void xenstore_update_be(char *watch, char *type, int dom,
if (xendev != NULL) {
bepath = xs_read(xenstore, 0, xendev->be, &len);
if (bepath == NULL) {
- xen_be_del_xendev(dom, dev);
+ xen_be_del_xendev(xendev);
} else {
free(bepath);
xen_be_backend_changed(xendev, path);
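Review bot: `xen_be_del_xendev` now frees the `xendev` its caller passes in, but the comment above it still says only "release xen backend device." Since `xenstore_update_be` holds that pointer in a local after the call, the contract should be written down, e.g. `/* Tear down and free xendev; the pointer is invalid on return and must not be used by the caller. */`. The rest of `xenstore_update_be` lies outside the hunk, so it is worth confirming that nothing after the `if`/`else` touches `xendev` on the removal path. The old `dev == -1` wildcard is gone with the new signature, and any caller that relied on it is not visible here.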


@ -0,0 +1,210 @@
From afb94bcc5bbb8b58f8c96821caaab268f96cabdb Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Wed, 27 Jul 2016 08:17:41 +0200
Subject: [PATCH] xen: drain submit queue in xen-usb before removing device
When unplugging a device in the Xen pvusb backend drain the submit
queue before deallocation of the control structures. Otherwise there
will be bogus memory accesses when I/O contracts are finished.
Correlated to this issue is the handling of cancel requests: a packet
cancelled will still lead to the call of complete, so add a flag
to the request indicating it should be just dropped on complete.
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/usb/xen-usb.c | 95 ++++++++++++++++++++++++++++++++++++--------------------
1 file changed, 61 insertions(+), 34 deletions(-)
diff --git a/hw/usb/xen-usb.c b/hw/usb/xen-usb.c
index 664df04..6f4b99d 100644
--- a/hw/usb/xen-usb.c
+++ b/hw/usb/xen-usb.c
@@ -94,6 +94,8 @@ struct usbback_req {
void *buffer;
void *isoc_buffer;
struct libusb_transfer *xfer;
+
+ bool cancelled;
};
struct usbback_hotplug {
@@ -304,20 +306,23 @@ static void usbback_do_response(struct usbback_req *usbback_req, int32_t status,
usbback_req->isoc_buffer = NULL;
}
- res = RING_GET_RESPONSE(&usbif->urb_ring, usbif->urb_ring.rsp_prod_pvt);
- res->id = usbback_req->req.id;
- res->status = status;
- res->actual_length = actual_length;
- res->error_count = error_count;
- res->start_frame = 0;
- usbif->urb_ring.rsp_prod_pvt++;
- RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&usbif->urb_ring, notify);
-
- if (notify) {
- xen_be_send_notify(xendev);
+ if (usbif->urb_sring) {
+ res = RING_GET_RESPONSE(&usbif->urb_ring, usbif->urb_ring.rsp_prod_pvt);
+ res->id = usbback_req->req.id;
+ res->status = status;
+ res->actual_length = actual_length;
+ res->error_count = error_count;
+ res->start_frame = 0;
+ usbif->urb_ring.rsp_prod_pvt++;
+ RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&usbif->urb_ring, notify);
+
+ if (notify) {
+ xen_be_send_notify(xendev);
+ }
}
- usbback_put_req(usbback_req);
+ if (!usbback_req->cancelled)
+ usbback_put_req(usbback_req);
}
static void usbback_do_response_ret(struct usbback_req *usbback_req,
@@ -369,15 +374,14 @@ static void usbback_set_address(struct usbback_info *usbif,
}
}
-static bool usbback_cancel_req(struct usbback_req *usbback_req)
+static void usbback_cancel_req(struct usbback_req *usbback_req)
{
- bool ret = false;
-
if (usb_packet_is_inflight(&usbback_req->packet)) {
usb_cancel_packet(&usbback_req->packet);
- ret = true;
+ QTAILQ_REMOVE(&usbback_req->stub->submit_q, usbback_req, q);
+ usbback_req->cancelled = true;
+ usbback_do_response_ret(usbback_req, -EPROTO);
}
- return ret;
}
static void usbback_process_unlink_req(struct usbback_req *usbback_req)
@@ -394,7 +398,7 @@ static void usbback_process_unlink_req(struct usbback_req *usbback_req)
devnum = usbif_pipedevice(usbback_req->req.pipe);
if (unlikely(devnum == 0)) {
usbback_req->stub = usbif->ports +
- usbif_pipeportnum(usbback_req->req.pipe);
+ usbif_pipeportnum(usbback_req->req.pipe) - 1;
if (unlikely(!usbback_req->stub)) {
ret = -ENODEV;
goto fail_response;
@@ -409,9 +413,7 @@ static void usbback_process_unlink_req(struct usbback_req *usbback_req)
QTAILQ_FOREACH(unlink_req, &usbback_req->stub->submit_q, q) {
if (unlink_req->req.id == id) {
- if (usbback_cancel_req(unlink_req)) {
- usbback_do_response_ret(unlink_req, -EPROTO);
- }
+ usbback_cancel_req(unlink_req);
break;
}
}
@@ -684,6 +686,31 @@ static void usbback_hotplug_enq(struct usbback_info *usbif, unsigned port)
usbback_hotplug_notify(usbif);
}
+static void usbback_portid_drain(struct usbback_info *usbif, unsigned port)
+{
+ struct usbback_req *req, *tmp;
+ bool sched = false;
+
+ QTAILQ_FOREACH_SAFE(req, &usbif->ports[port - 1].submit_q, q, tmp) {
+ usbback_cancel_req(req);
+ sched = true;
+ }
+
+ if (sched)
+ qemu_bh_schedule(usbif->bh);
+}
+
+static void usbback_portid_detach(struct usbback_info *usbif, unsigned port)
+{
+ if (!usbif->ports[port - 1].attached)
+ return;
+
+ usbif->ports[port - 1].speed = USBIF_SPEED_NONE;
+ usbif->ports[port - 1].attached = false;
+ usbback_portid_drain(usbif, port);
+ usbback_hotplug_enq(usbif, port);
+}
+
static void usbback_portid_remove(struct usbback_info *usbif, unsigned port)
{
USBPort *p;
@@ -697,9 +724,7 @@ static void usbback_portid_remove(struct usbback_info *usbif, unsigned port)
object_unparent(OBJECT(usbif->ports[port - 1].dev));
usbif->ports[port - 1].dev = NULL;
- usbif->ports[port - 1].speed = USBIF_SPEED_NONE;
- usbif->ports[port - 1].attached = false;
- usbback_hotplug_enq(usbif, port);
+ usbback_portid_detach(usbif, port);
TR_BUS(&usbif->xendev, "port %d removed\n", port);
}
@@ -804,7 +829,6 @@ static void usbback_process_port(struct usbback_info *usbif, unsigned port)
static void usbback_disconnect(struct XenDevice *xendev)
{
struct usbback_info *usbif;
- struct usbback_req *req, *tmp;
unsigned int i;
TR_BUS(xendev, "start\n");
@@ -823,12 +847,8 @@ static void usbback_disconnect(struct XenDevice *xendev)
}
for (i = 0; i < usbif->num_ports; i++) {
- if (!usbif->ports[i].dev) {
- continue;
- }
- QTAILQ_FOREACH_SAFE(req, &usbif->ports[i].submit_q, q, tmp) {
- usbback_cancel_req(req);
- }
+ if (usbif->ports[i].dev)
+ usbback_portid_drain(usbif, i + 1);
}
TR_BUS(xendev, "finished\n");
@@ -947,8 +967,7 @@ static void xen_bus_detach(USBPort *port)
usbif = port->opaque;
TR_BUS(&usbif->xendev, "\n");
- usbif->ports[port->index].attached = false;
- usbback_hotplug_enq(usbif, port->index + 1);
+ usbback_portid_detach(usbif, port->index + 1);
}
static void xen_bus_child_detach(USBPort *port, USBDevice *child)
@@ -961,9 +980,16 @@ static void xen_bus_child_detach(USBPort *port, USBDevice *child)
static void xen_bus_complete(USBPort *port, USBPacket *packet)
{
+ struct usbback_req *usbback_req;
struct usbback_info *usbif;
- usbif = port->opaque;
+ usbback_req = container_of(packet, struct usbback_req, packet);
+ if (usbback_req->cancelled) {
+ g_free(usbback_req);
+ return;
+ }
+
+ usbif = usbback_req->usbif;
TR_REQ(&usbif->xendev, "\n");
usbback_packet_complete(packet);
}
@@ -1040,6 +1066,7 @@ static int usbback_free(struct XenDevice *xendev)
}
usb_bus_release(&usbif->bus);
+ object_unparent(OBJECT(&usbif->bus));
TR_BUS(xendev, "finished\n");
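Review bot: In `usbback_process_unlink_req` the port number taken from the guest-supplied `req.pipe` is used to form `usbif->ports + usbif_pipeportnum(...) - 1` with no range check visible in the hunk, and the following `if (unlikely(!usbback_req->stub))` cannot catch a bad value because arithmetic on a valid base pointer does not produce NULL. A port number of 0, or one above `usbif->num_ports`, would leave `stub` pointing outside the array before `submit_q` is walked. Validating first closes that: `unsigned port = usbif_pipeportnum(usbback_req->req.pipe); if (port == 0 || port > usbif->num_ports) { ret = -ENODEV; goto fail_response; }`. The same `port - 1` indexing in the new `usbback_portid_drain` and `usbback_portid_detach` depends on callers passing a valid port, which deserves a comment on both. The new `if (!usbback_req->cancelled)` and `if (sched)` bodies are also unbraced, unlike the code around them.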


@ -0,0 +1,104 @@
From 197d526012602fbac75392a86e991539e4400bf0 Mon Sep 17 00:00:00 2001
From: "Denis V. Lunev" <den@openvz.org>
Date: Thu, 2 Jun 2016 18:58:15 +0300
Subject: [PATCH] qcow2: avoid extra flushes in qcow2
The problem with excessive flushing was found by a couple of performance
tests:
- parallel directory tree creation (from 2 processes)
- 32 cached writes + fsync at the end in a loop
For the first one results improved from 2.6 loops/sec to 3.5 loops/sec.
Each loop creates 10^3 directories with 10 files in each.
For the second one results improved from ~600 fsync/sec to ~1100
fsync/sec. Though, it was run on SSD so it probably won't show such
performance gain on rotational media.
qcow2_cache_flush() calls bdrv_flush() unconditionally after writing
cache entries of a particular cache. This can lead to as many as
2 additional fdatasyncs inside bdrv_flush.
We can simply skip all fdatasync calls inside qcow2_co_flush_to_os
as bdrv_flush for sure will do the job. These flushes are necessary to
keep the right order of writes to the different caches. Though this is
not necessary in the current code base as this ordering is ensured through
the flush in qcow2_cache_flush_dependency().
Signed-off-by: Denis V. Lunev <den@openvz.org>
CC: Pavel Borzenkov <pborzenkov@virtuozzo.com>
CC: Kevin Wolf <kwolf@redhat.com>
CC: Max Reitz <mreitz@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit f3c3b87dae44ac6c82246ceb3953793951800a9a)
[BR: BSC#991296]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
block/qcow2-cache.c | 11 +++++++++--
block/qcow2.c | 4 ++--
block/qcow2.h | 1 +
3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/block/qcow2-cache.c b/block/qcow2-cache.c
index 0fe8eda..208a060 100644
--- a/block/qcow2-cache.c
+++ b/block/qcow2-cache.c
@@ -226,7 +226,7 @@ static int qcow2_cache_entry_flush(BlockDriverState *bs, Qcow2Cache *c, int i)
return 0;
}
-int qcow2_cache_flush(BlockDriverState *bs, Qcow2Cache *c)
+int qcow2_cache_write(BlockDriverState *bs, Qcow2Cache *c)
{
BDRVQcow2State *s = bs->opaque;
int result = 0;
@@ -242,8 +242,15 @@ int qcow2_cache_flush(BlockDriverState *bs, Qcow2Cache *c)
}
}
+ return result;
+}
+
+int qcow2_cache_flush(BlockDriverState *bs, Qcow2Cache *c)
+{
+ int result = qcow2_cache_write(bs, c);
+
if (result == 0) {
- ret = bdrv_flush(bs->file->bs);
+ int ret = bdrv_flush(bs->file->bs);
if (ret < 0) {
result = ret;
}
diff --git a/block/qcow2.c b/block/qcow2.c
index 470734b..dc609a1 100644
--- a/block/qcow2.c
+++ b/block/qcow2.c
@@ -2774,14 +2774,14 @@ static coroutine_fn int qcow2_co_flush_to_os(BlockDriverState *bs)
int ret;
qemu_co_mutex_lock(&s->lock);
- ret = qcow2_cache_flush(bs, s->l2_table_cache);
+ ret = qcow2_cache_write(bs, s->l2_table_cache);
if (ret < 0) {
qemu_co_mutex_unlock(&s->lock);
return ret;
}
if (qcow2_need_accurate_refcounts(s)) {
- ret = qcow2_cache_flush(bs, s->refcount_block_cache);
+ ret = qcow2_cache_write(bs, s->refcount_block_cache);
if (ret < 0) {
qemu_co_mutex_unlock(&s->lock);
return ret;
diff --git a/block/qcow2.h b/block/qcow2.h
index a063a3c..7db9795 100644
--- a/block/qcow2.h
+++ b/block/qcow2.h
@@ -583,6 +583,7 @@ int qcow2_cache_destroy(BlockDriverState* bs, Qcow2Cache *c);
void qcow2_cache_entry_mark_dirty(BlockDriverState *bs, Qcow2Cache *c,
void *table);
int qcow2_cache_flush(BlockDriverState *bs, Qcow2Cache *c);
+int qcow2_cache_write(BlockDriverState *bs, Qcow2Cache *c);
int qcow2_cache_set_dependency(BlockDriverState *bs, Qcow2Cache *c,
Qcow2Cache *dependency);
void qcow2_cache_depends_on_flush(Qcow2Cache *c);
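Review bot: The new `qcow2_cache_write()` prototype in block/qcow2.h sits directly under `qcow2_cache_flush()` with nothing saying how the two differ, and choosing the wrong one silently changes durability. In the qcow2-cache.c hunk, `qcow2_cache_write()` returns before the `bdrv_flush(bs->file->bs)` call that `qcow2_cache_flush()` still makes, so a caller of the new function has to issue its own flush. I would add above the prototype: `/* Writes back dirty cache entries but does not flush bs->file; the caller must flush. */`. The body of `qcow2_co_flush_to_os()` continues past its hunk, so the later flush that the commit message relies on cannot be checked from this page.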


@ -0,0 +1,83 @@
From 4bbd77b07de2f0df2e8a0dba9c4ca51299ee2518 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Tue, 2 Aug 2016 11:36:02 -0600
Subject: [PATCH] qemu-bridge-helper: reduce security profile
Change from using glib alloc and free routines to those
from libc. Also perform safety measure of dropping privs
to user if configured no-caps.
[BR: BOO#988279]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
qemu-bridge-helper.c | 29 ++++++++++++++++++++++++-----
1 file changed, 24 insertions(+), 5 deletions(-)
diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
index 830fb9e..73ac49b 100644
--- a/qemu-bridge-helper.c
+++ b/qemu-bridge-helper.c
@@ -15,8 +15,6 @@
#include "qemu/osdep.h"
-#include <glib.h>
-
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/un.h>
@@ -111,7 +109,12 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
*argend = 0;
if (strcmp(cmd, "deny") == 0) {
- acl_rule = g_malloc(sizeof(*acl_rule));
+ acl_rule = calloc(1, sizeof(*acl_rule));
+ if (!acl_rule) {
+ fclose(f);
+ errno = ENOMEM;
+ return -1;
+ }
if (strcmp(arg, "all") == 0) {
acl_rule->type = ACL_DENY_ALL;
} else {
@@ -120,7 +123,12 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
}
QSIMPLEQ_INSERT_TAIL(acl_list, acl_rule, entry);
} else if (strcmp(cmd, "allow") == 0) {
- acl_rule = g_malloc(sizeof(*acl_rule));
+ acl_rule = calloc(1, sizeof(*acl_rule));
+ if (!acl_rule) {
+ fclose(f);
+ errno = ENOMEM;
+ return -1;
+ }
if (strcmp(arg, "all") == 0) {
acl_rule->type = ACL_ALLOW_ALL;
} else {
@@ -414,6 +422,17 @@ int main(int argc, char **argv)
goto cleanup;
}
+#ifndef CONFIG_LIBCAP
+ /* avoid sending the fd as root user if running suid to not fool
+ * peer credentials to daemons that dont expect that
+ */
+ if (setuid(getuid()) < 0) {
+ fprintf(stderr, "Failed to drop privileges.\n");
+ ret = EXIT_FAILURE;
+ goto cleanup;
+ }
+#endif
+
/* write fd to the domain socket */
if (send_fd(unixfd, fd) == -1) {
fprintf(stderr, "failed to write fd to unix socket: %s\n",
@@ -435,7 +454,7 @@ cleanup:
}
while ((acl_rule = QSIMPLEQ_FIRST(&acl_list)) != NULL) {
QSIMPLEQ_REMOVE_HEAD(&acl_list, entry);
- g_free(acl_rule);
+ free(acl_rule);
}
return ret;
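Review bot: The privilege drop added before `send_fd()` in `main()` resets only the user id, so an elevated effective group id would still be attached to the process when the descriptor is sent and the peer reads credentials. Resetting the group first costs nothing when the binary is not setgid: `if (setgid(getgid()) < 0 || setuid(getuid()) < 0) {`. The failure message also omits the cause, while the `send_fd` error just below prints a `%s` reason; `fprintf(stderr, "Failed to drop privileges: %s\n", strerror(errno));` would match it. The drop is compiled only under `#ifndef CONFIG_LIBCAP` and `main()` extends beyond the hunk, so what the libcap build does with the uid at this point is not visible here and is worth confirming.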


@ -0,0 +1,95 @@
From ddbfdd2c5396aa810a789f5cb681879f78cb693f Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Tue, 2 Aug 2016 08:32:32 +0200
Subject: [PATCH] xen: use a common function for pv and hvm guest backend
register calls
Instead of calling xen_be_register() for each supported backend type
for hvm and pv guests in their machine init functions use a common
function in order not to have to add new backends twice.
This at once fixes the error that hvm domains couldn't use the qusb
backend.
Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Message-id: 1470119552-16170-1-git-send-email-jgross@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 0e39bb022b5fa8c11964968885f3263c02ce42b0)
[BR: BSC#991785]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/xen/xen_backend.c | 10 ++++++++++
hw/xenpv/xen_machine_pv.c | 7 +------
include/hw/xen/xen_backend.h | 1 +
xen-hvm.c | 4 +---
4 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/hw/xen/xen_backend.c b/hw/xen/xen_backend.c
index 8f347da..f4d302d 100644
--- a/hw/xen/xen_backend.c
+++ b/hw/xen/xen_backend.c
@@ -781,6 +781,16 @@ int xen_be_register(const char *type, struct XenDevOps *ops)
return xenstore_scan(type, xen_domid, ops);
}
+void xen_be_register_common(void)
+{
+ xen_be_register("console", &xen_console_ops);
+ xen_be_register("vkbd", &xen_kbdmouse_ops);
+ xen_be_register("qdisk", &xen_blkdev_ops);
+#ifdef CONFIG_USB_LIBUSB
+ xen_be_register("qusb", &xen_usb_ops);
+#endif
+}
+
int xen_be_bind_evtchn(struct XenDevice *xendev)
{
if (xendev->local_port != -1) {
diff --git a/hw/xenpv/xen_machine_pv.c b/hw/xenpv/xen_machine_pv.c
index 48f725c..79aef4e 100644
--- a/hw/xenpv/xen_machine_pv.c
+++ b/hw/xenpv/xen_machine_pv.c
@@ -67,14 +67,9 @@ static void xen_init_pv(MachineState *machine)
break;
}
- xen_be_register("console", &xen_console_ops);
- xen_be_register("vkbd", &xen_kbdmouse_ops);
+ xen_be_register_common();
xen_be_register("vfb", &xen_framebuffer_ops);
- xen_be_register("qdisk", &xen_blkdev_ops);
xen_be_register("qnic", &xen_netdev_ops);
-#ifdef CONFIG_USB_LIBUSB
- xen_be_register("qusb", &xen_usb_ops);
-#endif
/* configure framebuffer */
if (xenfb_enabled) {
diff --git a/include/hw/xen/xen_backend.h b/include/hw/xen/xen_backend.h
index 6e18a46..0e9af28 100644
--- a/include/hw/xen/xen_backend.h
+++ b/include/hw/xen/xen_backend.h
@@ -87,6 +87,7 @@ void xen_be_check_state(struct XenDevice *xendev);
/* xen backend driver bits */
int xen_be_init(void);
+void xen_be_register_common(void);
int xen_be_register(const char *type, struct XenDevOps *ops);
int xen_be_set_state(struct XenDevice *xendev, enum xenbus_state state);
int xen_be_bind_evtchn(struct XenDevice *xendev);
diff --git a/xen-hvm.c b/xen-hvm.c
index 039680a..93c958a 100644
--- a/xen-hvm.c
+++ b/xen-hvm.c
@@ -1305,9 +1305,7 @@ void xen_hvm_init(PCMachineState *pcms, MemoryRegion **ram_memory)
error_report("xen backend core setup failed");
goto err;
}
- xen_be_register("console", &xen_console_ops);
- xen_be_register("vkbd", &xen_kbdmouse_ops);
- xen_be_register("qdisk", &xen_blkdev_ops);
+ xen_be_register_common();
xen_read_physmap(state);
return;
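Review bot: `xen_be_register_common()` in hw/xen/xen_backend.c is declared `void` and discards the `int` that every `xen_be_register()` call returns, so a backend that fails to register goes unreported for both PV and HVM guests. The removed call sites ignored the result too, but with a single registration point a check is cheap, e.g. `if (xen_be_register("qdisk", &xen_blkdev_ops) < 0) { error_report("xen backend qdisk registration failed"); }`. That assumes a negative return signals failure and that `error_report()` is available in this file, neither of which the hunk shows. The prototype added to xen_backend.h would also benefit from a one-line comment listing which backends it registers, for example `/* registers console, vkbd, qdisk and, with CONFIG_USB_LIBUSB, qusb */`.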


@ -1,3 +1,31 @@
-------------------------------------------------------------------
Wed Aug 3 17:09:11 UTC 2016 - brogers@suse.com
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
* Patches dropped:
0058-usb-Fix-conditions-that-xen-usb.c-i.patch
* Patches added:
0058-xen-move-xen_sysdev-to-xen_backend..patch
-------------------------------------------------------------------
Wed Aug 3 13:51:47 UTC 2016 - brogers@suse.com
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
* Patches added:
0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
0065-scsi-esp-check-buffer-length-before.patch
0066-scsi-esp-respect-FIFO-invariant-aft.patch
0067-pci-assign-Move-Invalid-ROM-error-m.patch
0068-Xen-PCI-passthrough-fix-passthrough.patch
0069-scsi-esp-make-cmdbuf-big-enough-for.patch
0070-scsi-esp-fix-migration.patch
0071-virtio-error-out-if-guest-exceeds-v.patch
0072-xen-when-removing-a-backend-don-t-r.patch
0073-xen-drain-submit-queue-in-xen-usb-b.patch
0074-qcow2-avoid-extra-flushes-in-qcow2.patch
0075-qemu-bridge-helper-reduce-security-.patch
0076-xen-use-a-common-function-for-pv-an.patch
-------------------------------------------------------------------
Thu Jul 28 10:53:18 UTC 2016 - agraf@suse.com


@ -82,12 +82,25 @@ Patch0054: 0054-scsi-esp-check-TI-buffer-index-befo.patch
Patch0055: 0055-xen-introduce-dummy-system-device.patch
Patch0056: 0056-xen-write-information-about-support.patch
Patch0057: 0057-xen-add-pvUSB-backend.patch
Patch0058: 0058-usb-Fix-conditions-that-xen-usb.c-i.patch
Patch0058: 0058-xen-move-xen_sysdev-to-xen_backend..patch
Patch0059: 0059-vnc-add-configurable-keyboard-delay.patch
Patch0060: 0060-scsi-megasas-initialise-local-confi.patch
Patch0061: 0061-configure-add-echo_version-helper.patch
Patch0062: 0062-configure-support-vte-2.91.patch
Patch0063: 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
Patch0064: 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
Patch0065: 0065-scsi-esp-check-buffer-length-before.patch
Patch0066: 0066-scsi-esp-respect-FIFO-invariant-aft.patch
Patch0067: 0067-pci-assign-Move-Invalid-ROM-error-m.patch
Patch0068: 0068-Xen-PCI-passthrough-fix-passthrough.patch
Patch0069: 0069-scsi-esp-make-cmdbuf-big-enough-for.patch
Patch0070: 0070-scsi-esp-fix-migration.patch
Patch0071: 0071-virtio-error-out-if-guest-exceeds-v.patch
Patch0072: 0072-xen-when-removing-a-backend-don-t-r.patch
Patch0073: 0073-xen-drain-submit-queue-in-xen-usb-b.patch
Patch0074: 0074-qcow2-avoid-extra-flushes-in-qcow2.patch
Patch0075: 0075-qemu-bridge-helper-reduce-security-.patch
Patch0076: 0076-xen-use-a-common-function-for-pv-an.patch
# Please do not add patches manually here, run update_git.sh.
# this is to make lint happy
Source300: qemu-rpmlintrc
@ -204,6 +217,19 @@ run cross-architecture builds.
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
%patch0073 -p1
%patch0074 -p1
%patch0075 -p1
%patch0076 -p1
%build
./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \


@ -1,3 +1,54 @@
-------------------------------------------------------------------
Wed Aug 3 21:36:14 UTC 2016 - brogers@suse.com
- Temporarily disable ceph (rbd) functionality in OBS due to staging
issues.
-------------------------------------------------------------------
Wed Aug 3 17:09:05 UTC 2016 - brogers@suse.com
- use upstream solution for building xen-usb.c correctly
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
* Patches dropped:
0058-usb-Fix-conditions-that-xen-usb.c-i.patch
* Patches added:
0058-xen-move-xen_sysdev-to-xen_backend..patch
-------------------------------------------------------------------
Wed Aug 3 13:51:42 UTC 2016 - brogers@suse.com
- Incorporate patch carried in Xen's qemu to get same support
as Xen switches to use the qemu package (bsc#953339, bsc#953362,
bsc#953518, bsc#984981)
0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
- Fix more potential OOB accesses in 53C9X emulation
(CVE-2016-5238 bsc#982959)
0065-scsi-esp-check-buffer-length-before.patch
0066-scsi-esp-respect-FIFO-invariant-aft.patch
- Avoid "Invalid ROM" error message when it is not appropriate
(bsc#982927)
0067-pci-assign-Move-Invalid-ROM-error-m.patch
- Fix failure in Xen HVM PCI passthrough (bsc#981925, bsc#989250)
0068-Xen-PCI-passthrough-fix-passthrough.patch
- Fix OOB access in 53C9X emulation (CVE-2016-6351 bsc#990835)
0069-scsi-esp-make-cmdbuf-big-enough-for.patch
0070-scsi-esp-fix-migration.patch
- Avoid potential for guest initiated OOM condition in qemu through
virtio interface (CVE-2016-5403 bsc#991080)
0071-virtio-error-out-if-guest-exceeds-v.patch
- Fix potential crashes in qemu from pvusb bugs (bsc#986156)
0072-xen-when-removing-a-backend-don-t-r.patch
0073-xen-drain-submit-queue-in-xen-usb-b.patch
- Avoid unneeded flushes in qcow2 which impact performance (bsc#991296)
0074-qcow2-avoid-extra-flushes-in-qcow2.patch
- Finally get qemu-bridge-helper the permissions it needs for non-
root usage. The kvm group is leveraged to control access. (boo#988279)
0075-qemu-bridge-helper-reduce-security-.patch
- Fix pvusb not working for HVM guests (bsc#991785)
0076-xen-use-a-common-function-for-pv-an.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
- Minor spec file formatting fixes
-------------------------------------------------------------------
Thu Jul 28 10:53:14 UTC 2016 - agraf@suse.com


@ -44,6 +44,7 @@
%endif
%define noarch_supported 1110
%if 0%{?is_opensuse} == 0
%ifarch x86_64
%if 0%{?suse_version} > 1320 || ( 0%{?suse_version} == 1315 && ( 0%{?is_opensuse} == 0 || 0%{?sle_version} > 120100 ) )
%define with_rbd 1
@ -55,6 +56,7 @@
%define with_rbd 1
%endif
%endif
%endif
%if 0%{?suse_version} > 1320
%define with_seccomp 1
@ -142,12 +144,25 @@ Patch0054: 0054-scsi-esp-check-TI-buffer-index-befo.patch
Patch0055: 0055-xen-introduce-dummy-system-device.patch
Patch0056: 0056-xen-write-information-about-support.patch
Patch0057: 0057-xen-add-pvUSB-backend.patch
Patch0058: 0058-usb-Fix-conditions-that-xen-usb.c-i.patch
Patch0058: 0058-xen-move-xen_sysdev-to-xen_backend..patch
Patch0059: 0059-vnc-add-configurable-keyboard-delay.patch
Patch0060: 0060-scsi-megasas-initialise-local-confi.patch
Patch0061: 0061-configure-add-echo_version-helper.patch
Patch0062: 0062-configure-support-vte-2.91.patch
Patch0063: 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
Patch0064: 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
Patch0065: 0065-scsi-esp-check-buffer-length-before.patch
Patch0066: 0066-scsi-esp-respect-FIFO-invariant-aft.patch
Patch0067: 0067-pci-assign-Move-Invalid-ROM-error-m.patch
Patch0068: 0068-Xen-PCI-passthrough-fix-passthrough.patch
Patch0069: 0069-scsi-esp-make-cmdbuf-big-enough-for.patch
Patch0070: 0070-scsi-esp-fix-migration.patch
Patch0071: 0071-virtio-error-out-if-guest-exceeds-v.patch
Patch0072: 0072-xen-when-removing-a-backend-don-t-r.patch
Patch0073: 0073-xen-drain-submit-queue-in-xen-usb-b.patch
Patch0074: 0074-qcow2-avoid-extra-flushes-in-qcow2.patch
Patch0075: 0075-qemu-bridge-helper-reduce-security-.patch
Patch0076: 0076-xen-use-a-common-function-for-pv-an.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -379,11 +394,11 @@ Recommends: qemu-ksm = %{version}
%define x86_64_only_b_f_f {efi-e1000.rom efi-eepro100.rom \
efi-pcnet.rom efi-ne2k_pci.rom efi-rtl8139.rom efi-virtio.rom}
%endif
%define built_firmware_files {bios.bin bios-256k.bin \
sgabios.bin vgabios.bin vgabios-cirrus.bin \
vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin vgabios-qxl.bin \
optionrom/linuxboot.bin optionrom/multiboot.bin optionrom/kvmvapic.bin \
pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}}
%define built_firmware_files {bios.bin bios-256k.bin sgabios.bin vgabios.bin \
vgabios-cirrus.bin vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin \
vgabios-qxl.bin optionrom/linuxboot.bin optionrom/multiboot.bin \
optionrom/kvmvapic.bin pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom \
pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}}
%description
QEMU is an extremely well-performing CPU emulator that allows you to
@ -791,6 +806,19 @@ This package provides a service file for starting and stopping KSM.
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
%patch0073 -p1
%patch0074 -p1
%patch0075 -p1
%patch0076 -p1
%if %{build_x86_fw_from_source}
pushd roms/seabios
@ -1374,7 +1402,7 @@ fi
%_bindir/qemu-nbd
%_bindir/virtfs-proxy-helper
#%_bindir/vscclient
%verify(not mode) %_libexecdir/qemu-bridge-helper
%verify(not mode) %attr(4750,root,kvm) %_libexecdir/qemu-bridge-helper
%dir %_sysconfdir/%name
%config %_sysconfdir/%name/bridge.conf
%dir %_libdir/%name
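Review bot: The new `%files` entry `%verify(not mode) %attr(4750,root,kvm) %_libexecdir/qemu-bridge-helper` installs the helper setuid root while `%verify(not mode)` tells `rpm -V` to ignore its mode, so a later permission change on this binary would not show up in package verification. If the mode is meant to be owned by the distribution's permissions handling, the visible hunks show no matching `%set_permissions`/`%verify_permissions` scriptlet for the path; one may exist outside the hunks and should be confirmed. A comment above the entry would record the intent, e.g. `# setuid root, executable by group kvm only; mode is managed via permissions, hence verify(not mode)`. The same entry appears in the two spec sections that follow.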


@ -1,3 +1,54 @@
-------------------------------------------------------------------
Wed Aug 3 21:36:14 UTC 2016 - brogers@suse.com
- Temporarily disable ceph (rbd) functionality in OBS due to staging
issues.
-------------------------------------------------------------------
Wed Aug 3 17:09:05 UTC 2016 - brogers@suse.com
- use upstream solution for building xen-usb.c correctly
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
* Patches dropped:
0058-usb-Fix-conditions-that-xen-usb.c-i.patch
* Patches added:
0058-xen-move-xen_sysdev-to-xen_backend..patch
-------------------------------------------------------------------
Wed Aug 3 13:51:42 UTC 2016 - brogers@suse.com
- Incorporate patch carried in Xen's qemu to get same support
as Xen switches to use the qemu package (bsc#953339, bsc#953362,
bsc#953518, bsc#984981)
0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
- Fix more potential OOB accesses in 53C9X emulation
(CVE-2016-5238 bsc#982959)
0065-scsi-esp-check-buffer-length-before.patch
0066-scsi-esp-respect-FIFO-invariant-aft.patch
- Avoid "Invalid ROM" error message when it is not appropriate
(bsc#982927)
0067-pci-assign-Move-Invalid-ROM-error-m.patch
- Fix failure in Xen HVM PCI passthrough (bsc#981925, bsc#989250)
0068-Xen-PCI-passthrough-fix-passthrough.patch
- Fix OOB access in 53C9X emulation (CVE-2016-6351 bsc#990835)
0069-scsi-esp-make-cmdbuf-big-enough-for.patch
0070-scsi-esp-fix-migration.patch
- Avoid potential for guest initiated OOM condition in qemu through
virtio interface (CVE-2016-5403 bsc#991080)
0071-virtio-error-out-if-guest-exceeds-v.patch
- Fix potential crashes in qemu from pvusb bugs (bsc#986156)
0072-xen-when-removing-a-backend-don-t-r.patch
0073-xen-drain-submit-queue-in-xen-usb-b.patch
- Avoid unneeded flushes in qcow2 which impact performance (bsc#991296)
0074-qcow2-avoid-extra-flushes-in-qcow2.patch
- Finally get qemu-bridge-helper the permissions it needs for non-
root usage. The kvm group is leveraged to control access. (boo#988279)
0075-qemu-bridge-helper-reduce-security-.patch
- Fix pvusb not working for HVM guests (bsc#991785)
0076-xen-use-a-common-function-for-pv-an.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
- Minor spec file formatting fixes
-------------------------------------------------------------------
Thu Jul 28 10:53:14 UTC 2016 - agraf@suse.com


@ -44,6 +44,7 @@
%endif
%define noarch_supported 1110
%if 0%{?is_opensuse} == 0
%ifarch x86_64
%if 0%{?suse_version} > 1320 || ( 0%{?suse_version} == 1315 && ( 0%{?is_opensuse} == 0 || 0%{?sle_version} > 120100 ) )
%define with_rbd 1
@ -55,6 +56,7 @@
%define with_rbd 1
%endif
%endif
%endif
%if 0%{?suse_version} > 1320
%define with_seccomp 1
@ -142,12 +144,25 @@ Patch0054: 0054-scsi-esp-check-TI-buffer-index-befo.patch
Patch0055: 0055-xen-introduce-dummy-system-device.patch
Patch0056: 0056-xen-write-information-about-support.patch
Patch0057: 0057-xen-add-pvUSB-backend.patch
Patch0058: 0058-usb-Fix-conditions-that-xen-usb.c-i.patch
Patch0058: 0058-xen-move-xen_sysdev-to-xen_backend..patch
Patch0059: 0059-vnc-add-configurable-keyboard-delay.patch
Patch0060: 0060-scsi-megasas-initialise-local-confi.patch
Patch0061: 0061-configure-add-echo_version-helper.patch
Patch0062: 0062-configure-support-vte-2.91.patch
Patch0063: 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
Patch0064: 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
Patch0065: 0065-scsi-esp-check-buffer-length-before.patch
Patch0066: 0066-scsi-esp-respect-FIFO-invariant-aft.patch
Patch0067: 0067-pci-assign-Move-Invalid-ROM-error-m.patch
Patch0068: 0068-Xen-PCI-passthrough-fix-passthrough.patch
Patch0069: 0069-scsi-esp-make-cmdbuf-big-enough-for.patch
Patch0070: 0070-scsi-esp-fix-migration.patch
Patch0071: 0071-virtio-error-out-if-guest-exceeds-v.patch
Patch0072: 0072-xen-when-removing-a-backend-don-t-r.patch
Patch0073: 0073-xen-drain-submit-queue-in-xen-usb-b.patch
Patch0074: 0074-qcow2-avoid-extra-flushes-in-qcow2.patch
Patch0075: 0075-qemu-bridge-helper-reduce-security-.patch
Patch0076: 0076-xen-use-a-common-function-for-pv-an.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -379,11 +394,11 @@ Recommends: qemu-ksm = %{version}
%define x86_64_only_b_f_f {efi-e1000.rom efi-eepro100.rom \
efi-pcnet.rom efi-ne2k_pci.rom efi-rtl8139.rom efi-virtio.rom}
%endif
%define built_firmware_files {bios.bin bios-256k.bin \
sgabios.bin vgabios.bin vgabios-cirrus.bin \
vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin vgabios-qxl.bin \
optionrom/linuxboot.bin optionrom/multiboot.bin optionrom/kvmvapic.bin \
pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}}
%define built_firmware_files {bios.bin bios-256k.bin sgabios.bin vgabios.bin \
vgabios-cirrus.bin vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin \
vgabios-qxl.bin optionrom/linuxboot.bin optionrom/multiboot.bin \
optionrom/kvmvapic.bin pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom \
pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}}
%description
QEMU is an extremely well-performing CPU emulator that allows you to
@ -791,6 +806,19 @@ This package provides a service file for starting and stopping KSM.
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
%patch0073 -p1
%patch0074 -p1
%patch0075 -p1
%patch0076 -p1
%if %{build_x86_fw_from_source}
pushd roms/seabios
@ -1374,7 +1402,7 @@ fi
%_bindir/qemu-nbd
%_bindir/virtfs-proxy-helper
#%_bindir/vscclient
%verify(not mode) %_libexecdir/qemu-bridge-helper
%verify(not mode) %attr(4750,root,kvm) %_libexecdir/qemu-bridge-helper
%dir %_sysconfdir/%name
%config %_sysconfdir/%name/bridge.conf
%dir %_libdir/%name


@ -44,6 +44,7 @@
%endif
%define noarch_supported 1110
%if 0%{?is_opensuse} == 0
%ifarch x86_64
%if 0%{?suse_version} > 1320 || ( 0%{?suse_version} == 1315 && ( 0%{?is_opensuse} == 0 || 0%{?sle_version} > 120100 ) )
%define with_rbd 1
@ -55,6 +56,7 @@
%define with_rbd 1
%endif
%endif
%endif
%if 0%{?suse_version} > 1320
%define with_seccomp 1
@ -317,11 +319,11 @@ Recommends: qemu-ksm = %{version}
%define x86_64_only_b_f_f {efi-e1000.rom efi-eepro100.rom \
efi-pcnet.rom efi-ne2k_pci.rom efi-rtl8139.rom efi-virtio.rom}
%endif
%define built_firmware_files {bios.bin bios-256k.bin \
sgabios.bin vgabios.bin vgabios-cirrus.bin \
vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin vgabios-qxl.bin \
optionrom/linuxboot.bin optionrom/multiboot.bin optionrom/kvmvapic.bin \
pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}}
%define built_firmware_files {bios.bin bios-256k.bin sgabios.bin vgabios.bin \
vgabios-cirrus.bin vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin \
vgabios-qxl.bin optionrom/linuxboot.bin optionrom/multiboot.bin \
optionrom/kvmvapic.bin pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom \
pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}}
%description
QEMU is an extremely well-performing CPU emulator that allows you to
@ -1253,7 +1255,7 @@ fi
%_bindir/qemu-nbd
%_bindir/virtfs-proxy-helper
#%_bindir/vscclient
%verify(not mode) %_libexecdir/qemu-bridge-helper
%verify(not mode) %attr(4750,root,kvm) %_libexecdir/qemu-bridge-helper
%dir %_sysconfdir/%name
%config %_sysconfdir/%name/bridge.conf
%dir %_libdir/%name