SHA256
1
0
forked from pool/qemu

Accepting request 461715 from Virtualization:Staging

Update to v2.8.0, including integration of SLE qemu package so we are "Factory First" again for SLE qemu. Includes some spec file tweaks/cleanups as well. A number of post v2.8.0 security fixes are also included.

OBS-URL: https://build.opensuse.org/request/show/461715
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=329
This commit is contained in:
Bruce Rogers 2017-03-15 19:38:55 +00:00 committed by Git OBS Bridge
parent d4b1ed7a6f
commit 4aa328d7c1
128 changed files with 6555 additions and 2378 deletions

View File

@ -1,4 +1,4 @@
From 69e1d0ef9e44d913774efb96b19ad43b037be920 Mon Sep 17 00:00:00 2001
From cf0874f4e213436a13e06cd650cb6addc2abc3bc Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 21 Nov 2011 23:50:36 +0100
Subject: [PATCH] XXX dont dump core on sigabort
@ -8,10 +8,10 @@ Subject: [PATCH] XXX dont dump core on sigabort
1 file changed, 6 insertions(+)
diff --git a/linux-user/signal.c b/linux-user/signal.c
index 9a4d894..2a07043 100644
index c750053edd..cb3bc8fcb3 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -526,6 +526,10 @@ static void QEMU_NORETURN force_sig(int target_sig)
@@ -560,6 +560,10 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig)
trace_user_force_sig(env, target_sig, host_sig);
gdb_signalled(env, target_sig);
@ -22,7 +22,7 @@ index 9a4d894..2a07043 100644
/* dump core if supported by target binary format */
if (core_dump_signal(target_sig) && (ts->bprm->core_dump != NULL)) {
stop_all_tasks();
@@ -543,6 +547,8 @@ static void QEMU_NORETURN force_sig(int target_sig)
@@ -577,6 +581,8 @@ static void QEMU_NORETURN dump_core_and_abort(int target_sig)
target_sig, strsignal(host_sig), "core dumped" );
}

View File

@ -1,4 +1,4 @@
From 92a7da288949c5f96e4aef3281652d5cd8a903bf Mon Sep 17 00:00:00 2001
From e9b62c0a3fc4fbc6b7feca4ae9e1a336439d9ff3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 10 Aug 2016 19:00:24 +0200
Subject: [PATCH] qemu-binfmt-conf: Modify default path
@ -14,7 +14,7 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
index de4d1c1..7640255 100755
index de4d1c13d4..764025580d 100755
--- a/scripts/qemu-binfmt-conf.sh
+++ b/scripts/qemu-binfmt-conf.sh
@@ -259,7 +259,7 @@ BINFMT_SET=qemu_register_interpreter

View File

@ -1,4 +1,4 @@
From 3861f88d6d47d16a289dc17b94ed7ca8a7955280 Mon Sep 17 00:00:00 2001
From beff0040fcb19dce316f3e07a0c7711cf8545d63 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:20:50 +0200
Subject: [PATCH] qemu-cvs-alsa_bitfield
@ -13,7 +13,7 @@ Signed-off-by: Ulrich Hecht <uli@suse.de>
2 files changed, 24 insertions(+)
diff --git a/include/exec/user/thunk.h b/include/exec/user/thunk.h
index f19ef4b..b2659e0 100644
index f19ef4b230..b2659e0def 100644
--- a/include/exec/user/thunk.h
+++ b/include/exec/user/thunk.h
@@ -37,6 +37,7 @@ typedef enum argtype {
@ -41,7 +41,7 @@ index f19ef4b..b2659e0 100644
case TYPE_LONGLONG:
case TYPE_ULONGLONG:
diff --git a/thunk.c b/thunk.c
index 2dac366..0eb7286 100644
index 2dac36666d..0eb72861fe 100644
--- a/thunk.c
+++ b/thunk.c
@@ -37,6 +37,7 @@ static inline const argtype *thunk_type_next(const argtype *type_ptr)

View File

@ -1,4 +1,4 @@
From 219067ccab5735ed9ae70c6079d5676cc6431727 Mon Sep 17 00:00:00 2001
From 8a4092a66e29d360d3371ac7ab9e5087294640b8 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:23:27 +0200
Subject: [PATCH] qemu-cvs-alsa_ioctl
@ -25,10 +25,10 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
create mode 100644 linux-user/syscall_types_alsa.h
diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
index 7e2c133..cf8851d 100644
index 1bad701481..f2d9020c79 100644
--- a/linux-user/ioctls.h
+++ b/linux-user/ioctls.h
@@ -348,6 +348,11 @@
@@ -351,6 +351,11 @@
IOCTL(VFAT_IOCTL_READDIR_BOTH, IOC_R, MK_PTR(MK_ARRAY(MK_STRUCT(STRUCT_dirent), 2)))
IOCTL(VFAT_IOCTL_READDIR_SHORT, IOC_R, MK_PTR(MK_ARRAY(MK_STRUCT(STRUCT_dirent), 2)))
@ -42,7 +42,7 @@ index 7e2c133..cf8851d 100644
IOCTL(LOOP_SET_STATUS, IOC_W, MK_PTR(MK_STRUCT(STRUCT_loop_info)))
diff --git a/linux-user/ioctls_alsa.h b/linux-user/ioctls_alsa.h
new file mode 100644
index 0000000..c2aa542
index 0000000000..c2aa542c3b
--- /dev/null
+++ b/linux-user/ioctls_alsa.h
@@ -0,0 +1,467 @@
@ -515,7 +515,7 @@ index 0000000..c2aa542
+IOCTL( SND_SSCAPE_LOAD_MCODE , IOC_W, MK_PTR(MK_STRUCT(STRUCT_sscape_microcode)) )
diff --git a/linux-user/ioctls_alsa_structs.h b/linux-user/ioctls_alsa_structs.h
new file mode 100644
index 0000000..e09a30d
index 0000000000..e09a30defb
--- /dev/null
+++ b/linux-user/ioctls_alsa_structs.h
@@ -0,0 +1,1740 @@
@ -2260,10 +2260,10 @@ index 0000000..e09a30d
+ unsigned char *code;
+};
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index 7835654..b869b3d 100644
index 0b15466743..bb3ed3c356 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -2591,6 +2591,8 @@ struct target_ucred {
@@ -2640,6 +2640,8 @@ struct target_ucred {
uint32_t gid;
};
@ -2273,7 +2273,7 @@ index 7835654..b869b3d 100644
#define TARGET_SIGEV_MAX_SIZE 64
diff --git a/linux-user/syscall_types.h b/linux-user/syscall_types.h
index af79fbf..4d99a9d 100644
index af79fbf1de..4d99a9dd8b 100644
--- a/linux-user/syscall_types.h
+++ b/linux-user/syscall_types.h
@@ -83,6 +83,11 @@ STRUCT(buffmem_desc,
@ -2290,7 +2290,7 @@ index af79fbf..4d99a9d 100644
TYPE_INT, /* lo_number */
diff --git a/linux-user/syscall_types_alsa.h b/linux-user/syscall_types_alsa.h
new file mode 100644
index 0000000..72622ae
index 0000000000..72622ae9a2
--- /dev/null
+++ b/linux-user/syscall_types_alsa.h
@@ -0,0 +1,1336 @@

View File

@ -1,4 +1,4 @@
From b62c901c47e3f38336c4aeb1e98a6140b4fe3469 Mon Sep 17 00:00:00 2001
From 9ef9e8d6c450c2f5332f9ab82c7fc4750c5b7cb4 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:24:15 +0200
Subject: [PATCH] qemu-cvs-alsa_mmap
@ -12,10 +12,10 @@ Signed-off-by: Ulrich Hecht <uli@suse.de>
1 file changed, 14 insertions(+)
diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index c4371d9..68a655e 100644
index 61685bf79e..a428eb867f 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -357,6 +357,9 @@ abi_ulong mmap_find_vma(abi_ulong start, abi_ulong size)
@@ -360,6 +360,9 @@ abi_ulong mmap_find_vma(abi_ulong start, abi_ulong size)
}
}
@ -25,7 +25,7 @@ index c4371d9..68a655e 100644
/* NOTE: all the constants are the HOST ones */
abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
int flags, int fd, abi_ulong offset)
@@ -391,6 +394,17 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
@@ -394,6 +397,17 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
}
#endif

View File

@ -1,4 +1,4 @@
From 4259605f8b9d113ff33c395ad6232f076e4e261d Mon Sep 17 00:00:00 2001
From e073096e40ec4d1d2b90e9e289190d9098c44dbb Mon Sep 17 00:00:00 2001
From: Ulrich Hecht <uli@suse.de>
Date: Tue, 14 Apr 2009 16:25:41 +0200
Subject: [PATCH] qemu-cvs-gettimeofday
@ -9,10 +9,10 @@ No clue what this is for.
1 file changed, 2 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index ca06943..f120665 100644
index 7b77503f94..e6689466a7 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -8534,6 +8534,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
@@ -8770,6 +8770,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
case TARGET_NR_gettimeofday:
{
struct timeval tv;

View File

@ -1,4 +1,4 @@
From 382d3ca372e660d6961fd6a250d2241c4923ec19 Mon Sep 17 00:00:00 2001
From 34dcc1febe1a4806f5d2d34fad308f8d2890369a Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:26:33 +0200
Subject: [PATCH] qemu-cvs-ioctl_debug
@ -12,10 +12,10 @@ Signed-off-by: Ulrich Hecht <uli@suse.de>
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index f120665..1b3ed97 100644
index e6689466a7..3479be6cd6 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -5334,7 +5334,12 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
@@ -5471,7 +5471,12 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
ie = ioctl_entries;
for(;;) {
if (ie->target_cmd == 0) {

View File

@ -1,4 +1,4 @@
From c0baf4a94377f6d64d632effb3ffe077c5f928e1 Mon Sep 17 00:00:00 2001
From 380059e6c4e96538576a198fc771b14186e85112 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:27:36 +0200
Subject: [PATCH] qemu-cvs-ioctl_nodirection
@ -15,10 +15,10 @@ Signed-off-by: Ulrich Hecht <uli@suse.de>
1 file changed, 6 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 1b3ed97..8e69c15 100644
index 3479be6cd6..2660a59897 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -5367,6 +5367,11 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
@@ -5504,6 +5504,11 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
arg_type++;
target_size = thunk_type_size(arg_type, 0);
switch(ie->access) {
@ -30,7 +30,7 @@ index 1b3ed97..8e69c15 100644
case IOC_R:
ret = get_errno(safe_ioctl(fd, ie->host_cmd, buf_temp));
if (!is_error(ret)) {
@@ -5385,6 +5390,7 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
@@ -5522,6 +5527,7 @@ static abi_long do_ioctl(int fd, int cmd, abi_long arg)
unlock_user(argptr, arg, 0);
ret = get_errno(safe_ioctl(fd, ie->host_cmd, buf_temp));
break;

View File

@ -1,4 +1,4 @@
From 5a101ff0b5669280fa46d4f6d0f798f4b02bae5f Mon Sep 17 00:00:00 2001
From fd1e321c4e9f0ed67e559bd830f747c92c60593f Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Fri, 30 Sep 2011 19:40:36 +0200
Subject: [PATCH] linux-user: add binfmt wrapper for argv[0] handling
@ -37,7 +37,7 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
create mode 100644 linux-user/binfmt.c
diff --git a/Makefile.target b/Makefile.target
index a440bcb..a65c55f 100644
index 7a5080e94a..aee2c41040 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -36,6 +36,10 @@ endif
@ -51,7 +51,7 @@ index a440bcb..a65c55f 100644
config-target.h: config-target.h-timestamp
config-target.h-timestamp: config-target.mak
@@ -115,6 +119,8 @@ QEMU_CFLAGS+=-I$(SRC_PATH)/linux-user/$(TARGET_ABI_DIR) \
@@ -116,6 +120,8 @@ QEMU_CFLAGS+=-I$(SRC_PATH)/linux-user/$(TARGET_ABI_DIR) \
obj-y += linux-user/
obj-y += gdbstub.o thunk.o user-exec.o
@ -60,7 +60,7 @@ index a440bcb..a65c55f 100644
endif #CONFIG_LINUX_USER
#########################################################
@@ -163,7 +169,11 @@ endif # CONFIG_SOFTMMU
@@ -164,7 +170,11 @@ endif # CONFIG_SOFTMMU
# Workaround for http://gcc.gnu.org/PR55489, see configure.
%/translate.o: QEMU_CFLAGS += $(TRANSLATE_OPT_CFLAGS)
@ -72,18 +72,18 @@ index a440bcb..a65c55f 100644
all-obj-y := $(obj-y)
target-obj-y :=
@@ -200,6 +210,9 @@ ifdef CONFIG_DARWIN
$(call quiet-command,SetFile -a C $@," SETFILE $(TARGET_DIR)$@")
@@ -201,6 +211,9 @@ ifdef CONFIG_DARWIN
$(call quiet-command,SetFile -a C $@,"SETFILE","$(TARGET_DIR)$@")
endif
+$(QEMU_PROG)-binfmt: $(obj-binfmt-y)
+ $(call LINK,$^)
+
gdbstub-xml.c: $(TARGET_XML_FILES) $(SRC_PATH)/scripts/feature_to_c.sh
$(call quiet-command,rm -f $@ && $(SHELL) $(SRC_PATH)/scripts/feature_to_c.sh $@ $(TARGET_XML_FILES)," GEN $(TARGET_DIR)$@")
$(call quiet-command,rm -f $@ && $(SHELL) $(SRC_PATH)/scripts/feature_to_c.sh $@ $(TARGET_XML_FILES),"GEN","$(TARGET_DIR)$@")
diff --git a/linux-user/Makefile.objs b/linux-user/Makefile.objs
index 8c93058..607ca2d 100644
index 8c93058100..607ca2dc92 100644
--- a/linux-user/Makefile.objs
+++ b/linux-user/Makefile.objs
@@ -6,3 +6,5 @@ obj-$(TARGET_HAS_BFLT) += flatload.o
@ -94,7 +94,7 @@ index 8c93058..607ca2d 100644
+obj-binfmt-y = binfmt.o
diff --git a/linux-user/binfmt.c b/linux-user/binfmt.c
new file mode 100644
index 0000000..cd1f513
index 0000000000..cd1f513b33
--- /dev/null
+++ b/linux-user/binfmt.c
@@ -0,0 +1,42 @@

View File

@ -1,4 +1,4 @@
From 9f443d183c7658812e0ffb147ae38cdb74ea94b7 Mon Sep 17 00:00:00 2001
From 74afa369962dfa525f28913e0aaf0678362fc4cf Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Fri, 6 Jan 2012 01:05:55 +0100
Subject: [PATCH] PPC: KVM: Disable mmu notifier check
@ -13,12 +13,12 @@ KVM guests work there, even if possibly racy in some odd circumstances.
1 file changed, 2 insertions(+)
diff --git a/exec.c b/exec.c
index 8ffde75..3ac8a82 100644
index 08c558eecf..d55ab5574d 100644
--- a/exec.c
+++ b/exec.c
@@ -1230,11 +1230,13 @@ static void *file_ram_alloc(RAMBlock *block,
@@ -1240,11 +1240,13 @@ static void *file_ram_alloc(RAMBlock *block,
int fd = -1;
int64_t page_size;
int64_t file_size;
+#ifndef TARGET_PPC
if (kvm_enabled() && !kvm_has_sync_mmu()) {

View File

@ -1,4 +1,4 @@
From 73678412d11f87834a901fe27d0d9882548be6ca Mon Sep 17 00:00:00 2001
From 34a749afcf6ad03e116b6cfb59934e0853bda304 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Fri, 13 Jan 2012 17:05:41 +0100
Subject: [PATCH] linux-user: fix segfault deadlock
@ -26,7 +26,7 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 4 insertions(+)
diff --git a/user-exec.c b/user-exec.c
index 95f9f97..eaeb0b4 100644
index 6db075884d..a18d626250 100644
--- a/user-exec.c
+++ b/user-exec.c
@@ -65,6 +65,10 @@ static inline int handle_cpu_signal(uintptr_t pc, unsigned long address,

View File

@ -1,4 +1,4 @@
From 25dd5db5e0e1745dab305155db0f739b00e2ec92 Mon Sep 17 00:00:00 2001
From 21c11182134222d441f5f1c701f776ac14e10eb8 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 2 Feb 2012 18:02:33 +0100
Subject: [PATCH] linux-user: binfmt: support host binaries
@ -12,7 +12,7 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
1 file changed, 26 insertions(+)
diff --git a/linux-user/binfmt.c b/linux-user/binfmt.c
index cd1f513..458f136 100644
index cd1f513b33..458f136fb4 100644
--- a/linux-user/binfmt.c
+++ b/linux-user/binfmt.c
@@ -5,6 +5,9 @@

View File

@ -1,4 +1,4 @@
From a5a2c846148a73ab5f060690a489ca6b14b6af4e Mon Sep 17 00:00:00 2001
From 8af212a8fae1e0cdf32df61e5509799495eaa9e6 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 23 Jul 2012 10:24:14 +0200
Subject: [PATCH] linux-user: Fake /proc/cpuinfo
@ -22,10 +22,10 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 20 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 82195a2..4020ceb 100644
index 2660a59897..a348927853 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -7142,6 +7142,25 @@ static int open_self_stat(void *cpu_env, int fd)
@@ -7359,6 +7359,25 @@ static int open_self_stat(void *cpu_env, int fd)
return 0;
}
@ -51,7 +51,7 @@ index 82195a2..4020ceb 100644
static int open_self_auxv(void *cpu_env, int fd)
{
CPUState *cpu = ENV_GET_CPU((CPUArchState *)cpu_env);
@@ -7256,6 +7275,7 @@ static int do_openat(void *cpu_env, int dirfd, const char *pathname, int flags,
@@ -7473,6 +7492,7 @@ static int do_openat(void *cpu_env, int dirfd, const char *pathname, int flags,
#if defined(HOST_WORDS_BIGENDIAN) != defined(TARGET_WORDS_BIGENDIAN)
{ "/proc/net/route", open_net_route, is_proc },
#endif

View File

@ -1,157 +0,0 @@
From 9d58ff5695952626bf3fb74d6fe9b5d666c43ce6 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 5 Jul 2012 17:31:39 +0200
Subject: [PATCH] linux-user: lock tcg
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The tcg code generator is not thread safe. Lock its generation between
different threads.
Signed-off-by: Alexander Graf <agraf@suse.de>
[AF: Rebased onto exec.c/translate-all.c split for 1.4]
[AF: Rebased for v2.1.0-rc0]
[AF: Rebased onto tcg_gen_code_common() drop for v2.5.0-rc0]
[AF: Rebased for v2.7.0-rc2]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
linux-user/mmap.c | 3 +++
tcg/tcg.c | 29 +++++++++++++++++++++++++++++
tcg/tcg.h | 6 ++++++
3 files changed, 38 insertions(+)
diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index 68a655e..d202e45 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -22,6 +22,7 @@
#include "qemu.h"
#include "qemu-common.h"
+#include "tcg.h"
#include "translate-all.h"
//#define DEBUG_MMAP
@@ -33,6 +34,7 @@ void mmap_lock(void)
{
if (mmap_lock_count++ == 0) {
pthread_mutex_lock(&mmap_mutex);
+ tcg_lock();
}
}
@@ -40,6 +42,7 @@ void mmap_unlock(void)
{
if (--mmap_lock_count == 0) {
pthread_mutex_unlock(&mmap_mutex);
+ tcg_unlock();
}
}
diff --git a/tcg/tcg.c b/tcg/tcg.c
index 42417bd..ef6ae10 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -33,6 +33,8 @@
#include "qemu/cutils.h"
#include "qemu/host-utils.h"
#include "qemu/timer.h"
+#include "config-host.h"
+#include "qemu/thread.h"
/* Note: the long term plan is to reduce the dependencies on the QEMU
CPU definitions. Currently they are used for qemu_ld/st
@@ -120,6 +122,29 @@ static bool tcg_out_tb_finalize(TCGContext *s);
static TCGRegSet tcg_target_available_regs[2];
static TCGRegSet tcg_target_call_clobber_regs;
+#ifdef CONFIG_USER_ONLY
+static __thread int tcg_lock_count;
+#endif
+void tcg_lock(void)
+{
+#ifdef CONFIG_USER_ONLY
+ TCGContext *s = &tcg_ctx;
+ if (tcg_lock_count++ == 0) {
+ qemu_mutex_lock(&s->lock);
+ }
+#endif
+}
+
+void tcg_unlock(void)
+{
+#ifdef CONFIG_USER_ONLY
+ TCGContext *s = &tcg_ctx;
+ if (--tcg_lock_count == 0) {
+ qemu_mutex_unlock(&s->lock);
+ }
+#endif
+}
+
#if TCG_TARGET_INSN_UNIT_SIZE == 1
static __attribute__((unused)) inline void tcg_out8(TCGContext *s, uint8_t v)
{
@@ -332,6 +357,7 @@ void tcg_context_init(TCGContext *s)
memset(s, 0, sizeof(*s));
s->nb_globals = 0;
+ qemu_mutex_init(&s->lock);
/* Count total number of arguments and allocate the corresponding
space */
@@ -2551,6 +2577,7 @@ int tcg_gen_code(TCGContext *s, TranslationBlock *tb)
qemu_log("\n");
}
#endif
+ tcg_lock();
#ifdef CONFIG_PROFILER
s->opt_time -= profile_getclock();
@@ -2673,6 +2700,7 @@ int tcg_gen_code(TCGContext *s, TranslationBlock *tb)
the buffer completely. Thus we can test for overflow after
generating code without having to check during generation. */
if (unlikely((void *)s->code_ptr > s->code_gen_highwater)) {
+ tcg_unlock();
return -1;
}
}
@@ -2686,6 +2714,7 @@ int tcg_gen_code(TCGContext *s, TranslationBlock *tb)
/* flush instruction cache */
flush_icache_range((uintptr_t)s->code_buf, (uintptr_t)s->code_ptr);
+ tcg_unlock();
return tcg_current_code_size(s);
}
diff --git a/tcg/tcg.h b/tcg/tcg.h
index 1bcabca..5c2522e 100644
--- a/tcg/tcg.h
+++ b/tcg/tcg.h
@@ -29,6 +29,7 @@
#include "cpu.h"
#include "exec/tb-context.h"
#include "qemu/bitops.h"
+#include "qemu/thread.h"
#include "tcg-target.h"
/* XXX: make safe guess about sizes */
@@ -697,6 +698,8 @@ struct TCGContext {
uint16_t gen_insn_end_off[TCG_MAX_INSNS];
target_ulong gen_insn_data[TCG_MAX_INSNS][TARGET_INSN_START_WORDS];
+
+ QemuMutex lock;
};
extern TCGContext tcg_ctx;
@@ -904,6 +907,9 @@ TCGOp *tcg_op_insert_after(TCGContext *s, TCGOp *op, TCGOpcode opc, int narg);
void tcg_optimize(TCGContext *s);
+extern void tcg_lock(void);
+extern void tcg_unlock(void);
+
/* only used for debugging purposes */
void tcg_dump_ops(TCGContext *s);

View File

@ -1,40 +0,0 @@
From 394f7f1470c98525af7ac4aca52862837257e94a Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 10 Jul 2012 20:40:55 +0200
Subject: [PATCH] linux-user: Run multi-threaded code on a single core
Running multi-threaded code can easily expose some of the fundamental
breakages in QEMU's design. It's just not a well supported scenario.
So if we pin the whole process to a single host CPU, we guarantee that
we will never have concurrent memory access actually happen. We can still
get scheduled away at any time, so it's no complete guarantee, but apparently
it reduces the odds well enough to get my test cases to pass.
This gets Java 1.7 working for me again on my test box.
Signed-off-by: Alexander Graf <agraf@suse.de>
---
linux-user/syscall.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 8e69c15..82195a2 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -6010,6 +6010,15 @@ static int do_fork(CPUArchState *env, unsigned int flags, abi_ulong newsp,
if (nptl_flags & CLONE_SETTLS)
cpu_set_tls (new_env, newtls);
+ /* agraf: Pin ourselves to a single CPU when running multi-threaded.
+ This turned out to improve stability for me. */
+ {
+ cpu_set_t mask;
+ CPU_ZERO(&mask);
+ CPU_SET(0, &mask);
+ sched_setaffinity(0, sizeof(mask), &mask);
+ }
+
/* Grab a mutex so that thread setup appears atomic. */
pthread_mutex_lock(&clone_lock);

View File

@ -1,4 +1,4 @@
From dbab3749b22bb80f92af3b7ce5892fe2b4199323 Mon Sep 17 00:00:00 2001
From 772c86a0d02d6869d7ef06b666ff26824eb9ca3e Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 21 Aug 2012 14:20:40 +0200
Subject: [PATCH] linux-user: XXX disable fiemap
@ -9,10 +9,10 @@ agraf: fiemap breaks in libarchive. Disable it for now.
1 file changed, 5 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 4020ceb..483efb0 100644
index a348927853..b04fade80e 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -4806,6 +4806,11 @@ static abi_long do_ioctl_fs_ioc_fiemap(const IOCTLEntry *ie, uint8_t *buf_temp,
@@ -4938,6 +4938,11 @@ static abi_long do_ioctl_fs_ioc_fiemap(const IOCTLEntry *ie, uint8_t *buf_temp,
uint32_t outbufsz;
int free_fm = 0;

View File

@ -1,122 +0,0 @@
From 0f2a2996a00880f39c8654797cd512013983d32a Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 11 Jul 2012 16:47:42 +0200
Subject: [PATCH] linux-user: lock tb flushing too
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Alexander Graf <agraf@suse.de>
[AF: Rebased onto exec.c/translate-all.c split for 1.4]
[AF: Rebased onto tb_alloc() changes for v2.5.0-rc0]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
translate-all.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/translate-all.c b/translate-all.c
index 0dd6466..1e7c61b 100644
--- a/translate-all.c
+++ b/translate-all.c
@@ -767,17 +767,21 @@ static TranslationBlock *tb_alloc(target_ulong pc)
{
TranslationBlock *tb;
+ tcg_lock();
if (tcg_ctx.tb_ctx.nb_tbs >= tcg_ctx.code_gen_max_blocks) {
+ tcg_unlock();
return NULL;
}
tb = &tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs++];
tb->pc = pc;
tb->cflags = 0;
+ tcg_unlock();
return tb;
}
void tb_free(TranslationBlock *tb)
{
+ tcg_lock();
/* In practice this is mostly used for single use temporary TB
Ignore the hard cases and just back up if this TB happens to
be the last one generated. */
@@ -786,6 +790,7 @@ void tb_free(TranslationBlock *tb)
tcg_ctx.code_gen_ptr = tb->tc_ptr;
tcg_ctx.tb_ctx.nb_tbs--;
}
+ tcg_unlock();
}
static inline void invalidate_page_bitmap(PageDesc *p)
@@ -844,6 +849,7 @@ void tb_flush(CPUState *cpu)
((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)) /
tcg_ctx.tb_ctx.nb_tbs : 0);
#endif
+ tcg_lock();
if ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)
> tcg_ctx.code_gen_buffer_size) {
cpu_abort(cpu, "Internal error: code buffer overflow\n");
@@ -862,6 +868,7 @@ void tb_flush(CPUState *cpu)
/* XXX: flush processor icache at this point if cache flush is
expensive */
tcg_ctx.tb_ctx.tb_flush_count++;
+ tcg_unlock();
}
#ifdef DEBUG_TB_CHECK
@@ -1320,8 +1327,10 @@ void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
uint32_t current_flags = 0;
#endif /* TARGET_HAS_PRECISE_SMC */
+ tcg_lock();
p = page_find(start >> TARGET_PAGE_BITS);
if (!p) {
+ tcg_unlock();
return;
}
#if defined(TARGET_HAS_PRECISE_SMC)
@@ -1392,6 +1401,7 @@ void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
cpu_loop_exit_noexc(cpu);
}
#endif
+ tcg_unlock();
}
#ifdef CONFIG_SOFTMMU
@@ -1509,13 +1519,16 @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
{
int m_min, m_max, m;
uintptr_t v;
- TranslationBlock *tb;
+ TranslationBlock *tb, *r;
+ tcg_lock();
if (tcg_ctx.tb_ctx.nb_tbs <= 0) {
+ tcg_unlock();
return NULL;
}
if (tc_ptr < (uintptr_t)tcg_ctx.code_gen_buffer ||
tc_ptr >= (uintptr_t)tcg_ctx.code_gen_ptr) {
+ tcg_unlock();
return NULL;
}
/* binary search (cf Knuth) */
@@ -1526,6 +1539,7 @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
tb = &tcg_ctx.tb_ctx.tbs[m];
v = (uintptr_t)tb->tc_ptr;
if (v == tc_ptr) {
+ tcg_unlock();
return tb;
} else if (tc_ptr < v) {
m_max = m - 1;
@@ -1533,7 +1547,9 @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
m_min = m + 1;
}
}
- return &tcg_ctx.tb_ctx.tbs[m_max];
+ r = &tcg_ctx.tb_ctx.tbs[m_max];
+ tcg_unlock();
+ return r;
}
#if !defined(CONFIG_USER_ONLY)

View File

@ -1,4 +1,4 @@
From 4f307877293d621bafe78abeca74db6b949b996d Mon Sep 17 00:00:00 2001
From e69941d829cfb5d63a2c0f1606a4e58e6f33f9f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 29 Aug 2012 18:42:56 +0200
Subject: [PATCH] slirp: -nooutgoing
@ -12,10 +12,10 @@ TBD (from SUSE Studio team)
4 files changed, 39 insertions(+)
diff --git a/qemu-options.hx b/qemu-options.hx
index a71aaf8..7f32069 100644
index c534a2f7f9..7e6d6ecc17 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -3132,6 +3132,16 @@ Store the QEMU process PID in @var{file}. It is useful if you launch QEMU
@@ -3162,6 +3162,16 @@ Store the QEMU process PID in @var{file}. It is useful if you launch QEMU
from a script.
ETEXI
@ -33,10 +33,10 @@ index a71aaf8..7f32069 100644
"-singlestep always run in singlestep mode\n", QEMU_ARCH_ALL)
STEXI
diff --git a/slirp/socket.c b/slirp/socket.c
index 280050a..4fe68bb 100644
index 6c18971368..e39e3a07f0 100644
--- a/slirp/socket.c
+++ b/slirp/socket.c
@@ -608,6 +608,8 @@ sorecvfrom(struct socket *so)
@@ -625,6 +625,8 @@ sorecvfrom(struct socket *so)
} /* if ping packet */
}
@ -45,7 +45,7 @@ index 280050a..4fe68bb 100644
/*
* sendto() a socket
*/
@@ -625,6 +627,12 @@ sosendto(struct socket *so, struct mbuf *m)
@@ -642,6 +644,12 @@ sosendto(struct socket *so, struct mbuf *m)
DEBUG_CALL(" sendto()ing)");
sotranslate_out(so, &addr);
@ -59,7 +59,7 @@ index 280050a..4fe68bb 100644
ret = sendto(so->s, m->m_data, m->m_len, 0,
(struct sockaddr *)&addr, sockaddr_size(&addr));
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index ed16e18..b2c7a8c 100644
index ed16e1807f..b2c7a8cba0 100644
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -391,6 +391,8 @@ tcp_sockclosed(struct tcpcb *tp)
@ -96,10 +96,10 @@ index ed16e18..b2c7a8c 100644
socket_set_fast_reuse(s);
opt = 1;
diff --git a/vl.c b/vl.c
index b3c80d5..1b8e591 100644
index d77dd862f9..4427bf5e1a 100644
--- a/vl.c
+++ b/vl.c
@@ -160,6 +160,7 @@ int smp_threads = 1;
@@ -162,6 +162,7 @@ int smp_threads = 1;
int acpi_enabled = 1;
int no_hpet = 0;
int fd_bootchk = 1;
@ -107,7 +107,7 @@ index b3c80d5..1b8e591 100644
static int no_reboot;
int no_shutdown = 0;
int cursor_hide = 1;
@@ -3363,6 +3364,14 @@ int main(int argc, char **argv, char **envp)
@@ -3437,6 +3438,14 @@ int main(int argc, char **argv, char **envp)
case QEMU_OPTION_singlestep:
singlestep = 1;
break;

View File

@ -1,4 +1,4 @@
From 5f1f3f07690386a731ecc7bea74c72ab9cb7d253 Mon Sep 17 00:00:00 2001
From 4338d0069c38dddf42e1ac1b66414266d6e9dac7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 29 Aug 2012 20:06:01 +0200
Subject: [PATCH] vnc: password-file= and incoming-connections=
@ -9,7 +9,7 @@ TBD (from SUSE Studio team)
1 file changed, 55 insertions(+)
diff --git a/ui/vnc.c b/ui/vnc.c
index d1087c9..7f91d96 100644
index 2c28a59ff7..8d0c16b23f 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -58,6 +58,8 @@ static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
@ -21,7 +21,7 @@ index d1087c9..7f91d96 100644
static int vnc_cursor_define(VncState *vs);
static void vnc_release_modifiers(VncState *vs);
@@ -1197,6 +1199,7 @@ static void vnc_disconnect_start(VncState *vs)
@@ -1201,6 +1203,7 @@ static void vnc_disconnect_start(VncState *vs)
void vnc_disconnect_finish(VncState *vs)
{
int i;
@ -29,7 +29,7 @@ index d1087c9..7f91d96 100644
vnc_jobs_join(vs); /* Wait encoding jobs */
@@ -1247,6 +1250,13 @@ void vnc_disconnect_finish(VncState *vs)
@@ -1251,6 +1254,13 @@ void vnc_disconnect_finish(VncState *vs)
object_unref(OBJECT(vs->sioc));
vs->sioc = NULL;
g_free(vs);
@ -43,7 +43,7 @@ index d1087c9..7f91d96 100644
}
ssize_t vnc_client_io_error(VncState *vs, ssize_t ret, Error **errp)
@@ -3245,6 +3255,39 @@ static void vnc_display_print_local_addr(VncDisplay *vs)
@@ -3244,6 +3254,39 @@ static void vnc_display_print_local_addr(VncDisplay *vd)
qapi_free_SocketAddress(addr);
}
@ -83,7 +83,7 @@ index d1087c9..7f91d96 100644
static QemuOptsList qemu_vnc_opts = {
.name = "vnc",
.head = QTAILQ_HEAD_INITIALIZER(qemu_vnc_opts.head),
@@ -3276,6 +3319,9 @@ static QemuOptsList qemu_vnc_opts = {
@@ -3275,6 +3318,9 @@ static QemuOptsList qemu_vnc_opts = {
.name = "connections",
.type = QEMU_OPT_NUMBER,
},{
@ -93,7 +93,7 @@ index d1087c9..7f91d96 100644
.name = "to",
.type = QEMU_OPT_NUMBER,
},{
@@ -3288,6 +3334,9 @@ static QemuOptsList qemu_vnc_opts = {
@@ -3287,6 +3333,9 @@ static QemuOptsList qemu_vnc_opts = {
.name = "password",
.type = QEMU_OPT_BOOL,
},{
@ -103,7 +103,7 @@ index d1087c9..7f91d96 100644
.name = "reverse",
.type = QEMU_OPT_BOOL,
},{
@@ -3524,6 +3573,7 @@ void vnc_display_open(const char *id, Error **errp)
@@ -3486,6 +3535,7 @@ void vnc_display_open(const char *id, Error **errp)
const char *share, *device_id;
QemuConsole *con;
bool password = false;
@ -111,7 +111,7 @@ index d1087c9..7f91d96 100644
bool reverse = false;
const char *vnc;
char *h;
@@ -3652,6 +3702,10 @@ void vnc_display_open(const char *id, Error **errp)
@@ -3615,6 +3665,10 @@ void vnc_display_open(const char *id, Error **errp)
goto fail;
}
}
@ -122,11 +122,11 @@ index d1087c9..7f91d96 100644
reverse = qemu_opt_get_bool(opts, "reverse", false);
lock_key_sync = qemu_opt_get_bool(opts, "lock-key-sync", true);
@@ -3741,6 +3795,7 @@ void vnc_display_open(const char *id, Error **errp)
vs->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
@@ -3704,6 +3758,7 @@ void vnc_display_open(const char *id, Error **errp)
vd->share_policy = VNC_SHARE_POLICY_ALLOW_EXCLUSIVE;
}
vs->connections_limit = qemu_opt_get_number(opts, "connections", 32);
vd->connections_limit = qemu_opt_get_number(opts, "connections", 32);
+ allowed_connections = qemu_opt_get_number(opts, "allowed-connections", 0);
#ifdef CONFIG_VNC_JPEG
vs->lossy = qemu_opt_get_bool(opts, "lossy", false);
vd->lossy = qemu_opt_get_bool(opts, "lossy", false);

View File

@ -1,42 +0,0 @@
From d6a5cfe7d374b8ca661a8f957139689348b26bd6 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 20 Aug 2012 00:02:52 +0200
Subject: [PATCH] linux-user: implement FS_IOC_GETFLAGS ioctl
Signed-off-by: Alexander Graf <agraf@suse.de>
---
v1 -> v2:
- use TYPE_LONG instead of TYPE_INT
---
linux-user/ioctls.h | 1 +
linux-user/syscall_defs.h | 2 ++
2 files changed, 3 insertions(+)
diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
index cf8851d..f858954 100644
--- a/linux-user/ioctls.h
+++ b/linux-user/ioctls.h
@@ -119,6 +119,7 @@
IOCTL_SPECIAL(FS_IOC_FIEMAP, IOC_W | IOC_R, do_ioctl_fs_ioc_fiemap,
MK_PTR(MK_STRUCT(STRUCT_fiemap)))
#endif
+ IOCTL(FS_IOC_GETFLAGS, IOC_R, MK_PTR(TYPE_LONG))
IOCTL(SIOCATMARK, IOC_R, MK_PTR(TYPE_INT))
IOCTL(SIOCGIFNAME, IOC_RW, MK_PTR(TYPE_INT))
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index b869b3d..00a3f30 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -2502,6 +2502,8 @@ struct target_f_owner_ex {
#define TARGET_MTIOCGET TARGET_IOR('m', 2, struct mtget)
#define TARGET_MTIOCPOS TARGET_IOR('m', 3, struct mtpos)
+#define TARGET_FS_IOC_GETFLAGS TARGET_IORU('f', 1)
+
struct target_sysinfo {
abi_long uptime; /* Seconds since boot */
abi_ulong loads[3]; /* 1, 5, and 15 minute load averages */

View File

@ -1,4 +1,4 @@
From d84e1f7cb131ca5de1308db7b6682edeab2bfeee Mon Sep 17 00:00:00 2001
From 725c9b6ff408dc7960242751619caeb27560c3e7 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 9 Oct 2012 09:06:49 +0200
Subject: [PATCH] linux-user: use target_ulong
@ -17,7 +17,7 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index bef465d..dab3b6a 100644
index da73a01106..7d2894d7c0 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -193,10 +193,10 @@ abi_long memcpy_to_target(abi_ulong dest, const void *src,
@ -36,10 +36,10 @@ index bef465d..dab3b6a 100644
extern THREAD CPUState *thread_cpu;
void cpu_loop(CPUArchState *env);
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 483efb0..8ac1281 100644
index b04fade80e..ab3cf24dbb 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -7349,10 +7349,10 @@ static target_timer_t get_timer_id(abi_long arg)
@@ -7566,10 +7566,10 @@ static target_timer_t get_timer_id(abi_long arg)
/* do_syscall() should always have a single exit point at the end so
that actions, such as logging of syscall results, can be performed.
All errnos that do_syscall() returns must be -TARGET_<errcode>. */

View File

@ -1,4 +1,4 @@
From 975ac1298231bb8ec825d4f1e48638ef13bdc62e Mon Sep 17 00:00:00 2001
From 2f2838f6f14d8a7a7d3000fc0d61349ddf3f33b0 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 5 Aug 2009 09:49:37 +0200
Subject: [PATCH] block: Add support for DictZip enabled gzip files
@ -47,7 +47,7 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
create mode 100644 block/dictzip.c
diff --git a/block/Makefile.objs b/block/Makefile.objs
index 2593a2f..f3f6f5f 100644
index 67a036a1df..0417d54e26 100644
--- a/block/Makefile.objs
+++ b/block/Makefile.objs
@@ -21,6 +21,7 @@ block-obj-$(CONFIG_GLUSTERFS) += gluster.o
@ -56,11 +56,11 @@ index 2593a2f..f3f6f5f 100644
block-obj-y += accounting.o dirty-bitmap.o
+block-obj-y += dictzip.o
block-obj-y += write-threshold.o
block-obj-y += crypto.o
block-obj-y += backup.o
block-obj-$(CONFIG_REPLICATION) += replication.o
diff --git a/block/dictzip.c b/block/dictzip.c
new file mode 100644
index 0000000..4b7e2db
index 0000000000..4b7e2db817
--- /dev/null
+++ b/block/dictzip.c
@@ -0,0 +1,580 @@

View File

@ -1,41 +0,0 @@
From 4d8d32bbd31dc799c1befebef2563db1fbd5949c Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 20 Aug 2012 00:07:13 +0200
Subject: [PATCH] linux-user: implement FS_IOC_SETFLAGS ioctl
Signed-off-by: Alexander Graf <agraf@suse.de>
---
v1 -> v2
- use TYPE_LONG instead of TYPE_INT
---
linux-user/ioctls.h | 1 +
linux-user/syscall_defs.h | 1 +
2 files changed, 2 insertions(+)
diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
index f858954..8a5be00 100644
--- a/linux-user/ioctls.h
+++ b/linux-user/ioctls.h
@@ -120,6 +120,7 @@
MK_PTR(MK_STRUCT(STRUCT_fiemap)))
#endif
IOCTL(FS_IOC_GETFLAGS, IOC_R, MK_PTR(TYPE_LONG))
+ IOCTL(FS_IOC_SETFLAGS, IOC_W, MK_PTR(TYPE_LONG))
IOCTL(SIOCATMARK, IOC_R, MK_PTR(TYPE_INT))
IOCTL(SIOCGIFNAME, IOC_RW, MK_PTR(TYPE_INT))
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index 00a3f30..d31541d 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -2503,6 +2503,7 @@ struct target_f_owner_ex {
#define TARGET_MTIOCPOS TARGET_IOR('m', 3, struct mtpos)
#define TARGET_FS_IOC_GETFLAGS TARGET_IORU('f', 1)
+#define TARGET_FS_IOC_SETFLAGS TARGET_IOWU('f', 2)
struct target_sysinfo {
abi_long uptime; /* Seconds since boot */

View File

@ -1,4 +1,4 @@
From 7c81e618f5817533392440d8174d8d467886c61f Mon Sep 17 00:00:00 2001
From dae0d107e021d65a5029c53229543bca37d21da8 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 5 Aug 2009 17:28:38 +0200
Subject: [PATCH] block: Add tar container format
@ -48,7 +48,7 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
create mode 100644 block/tar.c
diff --git a/block/Makefile.objs b/block/Makefile.objs
index f3f6f5f..f049d53 100644
index 0417d54e26..255b8d7b0f 100644
--- a/block/Makefile.objs
+++ b/block/Makefile.objs
@@ -22,6 +22,7 @@ block-obj-$(CONFIG_ARCHIPELAGO) += archipelago.o
@ -57,11 +57,11 @@ index f3f6f5f..f049d53 100644
block-obj-y += dictzip.o
+block-obj-y += tar.o
block-obj-y += write-threshold.o
block-obj-y += crypto.o
block-obj-y += backup.o
block-obj-$(CONFIG_REPLICATION) += replication.o
diff --git a/block/tar.c b/block/tar.c
new file mode 100644
index 0000000..508265e
index 0000000000..508265ed5e
--- /dev/null
+++ b/block/tar.c
@@ -0,0 +1,370 @@

View File

@ -1,4 +1,4 @@
From 674ccdfa8c935b192e553fe5a53607d6f5eb1f43 Mon Sep 17 00:00:00 2001
From a4e7e274fa2d1fab3e2a4bfa9ca379252c5aa505 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 12 Dec 2012 19:11:30 +0100
Subject: [PATCH] Legacy Patch kvm-qemu-preXX-dictzip3.patch
@ -8,7 +8,7 @@ Subject: [PATCH] Legacy Patch kvm-qemu-preXX-dictzip3.patch
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/block/tar.c b/block/tar.c
index 508265e..734082a 100644
index 508265ed5e..734082a011 100644
--- a/block/tar.c
+++ b/block/tar.c
@@ -73,7 +73,8 @@ static int str_ends(char *str, const char *end)

View File

@ -1,4 +1,4 @@
From b00ff88b97ba2ce476534674632e7b5500dbb890 Mon Sep 17 00:00:00 2001
From b6dbfd4547ac7a9af8e7a4785d53dc087e613d36 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 6 Jun 2011 06:53:52 +0200
Subject: [PATCH] console: add question-mark escape operator
@ -16,10 +16,10 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/console.c b/ui/console.c
index c24bfe4..44b46fd 100644
index ed888e55ea..b55d7a5cb3 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -868,7 +868,7 @@ static void console_putchar(QemuConsole *s, int ch)
@@ -869,7 +869,7 @@ static void console_putchar(QemuConsole *s, int ch)
} else {
if (s->nb_esc_params < MAX_ESC_PARAMS)
s->nb_esc_params++;

View File

@ -1,4 +1,4 @@
From a6a54eb0ce3cec68f80f72a957bf6e2189118b5e Mon Sep 17 00:00:00 2001
From 047016003be1f8b58e063551d6e890f2616e931e Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 1 Apr 2010 17:36:23 +0200
Subject: [PATCH] Make char muxer more robust wrt small FIFOs
@ -24,21 +24,21 @@ This patch fixes input when using -nographic on s390 for me.
1 file changed, 16 insertions(+)
diff --git a/qemu-char.c b/qemu-char.c
index 5f82ebb..be8396b 100644
index 2c9940cea4..b6a9a32bf4 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -510,6 +510,9 @@ typedef struct {
IOEventHandler *chr_event[MAX_MUX];
void *ext_opaque[MAX_MUX];
CharDriverState *drv;
@@ -531,6 +531,9 @@ static CharDriverState *qemu_chr_open_null(const char *id,
struct MuxDriver {
CharBackend *backends[MAX_MUX];
CharBackend chr;
+#if defined(TARGET_S390X)
+ QEMUTimer *accept_timer;
+#endif
int focus;
int mux_cnt;
int term_got_escape;
@@ -669,6 +672,15 @@ static void mux_chr_accept_input(CharDriverState *chr)
d->chr_read[m](d->ext_opaque[m],
@@ -694,6 +697,15 @@ static void mux_chr_accept_input(CharDriverState *chr)
be->chr_read(be->opaque,
&d->buffer[m][d->cons[m]++ & MUX_BUFFER_MASK], 1);
}
+
@ -53,14 +53,14 @@ index 5f82ebb..be8396b 100644
}
static int mux_chr_can_read(void *opaque)
@@ -817,6 +829,10 @@ static CharDriverState *qemu_chr_open_mux(const char *id,
@@ -864,6 +876,10 @@ static CharDriverState *qemu_chr_open_mux(const char *id,
chr->opaque = d;
d->drv = drv;
d->focus = -1;
+#if defined(TARGET_S390X)
+ d->accept_timer = qemu_new_timer_ns(vm_clock,
+ (QEMUTimerCB*)mux_chr_accept_input, chr);
+#endif
chr->chr_close = mux_chr_close;
chr->chr_free = mux_chr_free;
chr->chr_write = mux_chr_write;
chr->chr_update_read_handler = mux_chr_update_read_handler;
chr->chr_accept_input = mux_chr_accept_input;

View File

@ -1,4 +1,4 @@
From fd4fc533fbd24b003f606d12bd114ff9ba215380 Mon Sep 17 00:00:00 2001
From 2be621021e70d2b86164c8b5e929bc13eca0e055 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 13 Dec 2012 14:29:22 +0100
Subject: [PATCH] linux-user: lseek: explicitly cast non-set offsets to signed
@ -16,10 +16,10 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 8ac1281..51c1091 100644
index ab3cf24dbb..831d3df19c 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -7710,9 +7710,14 @@ abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
@@ -7932,9 +7932,14 @@ abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
case TARGET_NR_oldstat:
goto unimplemented;
#endif

View File

@ -1,4 +1,4 @@
From 0e73e519a0d99d8fd366f024d768a349fc32e3f6 Mon Sep 17 00:00:00 2001
From 68cabc26aa994989c71212df1623e159df4e6b01 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Thu, 16 May 2013 12:39:10 +0200
Subject: [PATCH] virtfs-proxy-helper: Provide __u64 for broken
@ -12,7 +12,7 @@ Fixes the build on SLE 11 SP2.
1 file changed, 7 insertions(+)
diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
index 54f7ad1..b4bf2f4 100644
index 54f7ad1c48..b4bf2f40c9 100644
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
@@ -9,6 +9,13 @@

View File

@ -1,4 +1,4 @@
From 42032776551d183f971e0523b0216f9880a88413 Mon Sep 17 00:00:00 2001
From 1825b6ee2b448261ae1bfde344a8127dbdec1e9a Mon Sep 17 00:00:00 2001
From: Dinar Valeev <k0da@opensuse.org>
Date: Wed, 2 Oct 2013 17:56:03 +0200
Subject: [PATCH] configure: Enable PIE for ppc and ppc64 hosts
@ -14,10 +14,10 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure b/configure
index 4b808f9..b882d19 100755
index 3770d7c263..9fdf7e7abc 100755
--- a/configure
+++ b/configure
@@ -1545,7 +1545,7 @@ fi
@@ -1567,7 +1567,7 @@ fi
if test "$pie" = ""; then
case "$cpu-$targetos" in

View File

@ -1,4 +1,4 @@
From 4aa17b7cf5d35e03c2e563477e920cd7104d5806 Mon Sep 17 00:00:00 2001
From 9a6dabcb75d6f8d17f3aab2ef4c2c6186e1a8eb1 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 14 Jan 2015 01:32:11 +0100
Subject: [PATCH] AIO: Reduce number of threads for 32bit hosts
@ -21,7 +21,7 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/thread-pool.c b/thread-pool.c
index 6fba913..ee0b485 100644
index 6fba913529..ee0b485f07 100644
--- a/thread-pool.c
+++ b/thread-pool.c
@@ -297,7 +297,12 @@ static void thread_pool_init_one(ThreadPool *pool, AioContext *ctx)

View File

@ -1,4 +1,4 @@
From aacebb4ff80cbd3cf32c3fa1b739f4999c2956ff Mon Sep 17 00:00:00 2001
From 69fae9cfe2d91c07fece069189debaaf47e7d40b Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 15 Jun 2015 17:36:32 +0200
Subject: [PATCH] dictzip: Fix on big endian systems
@ -21,7 +21,7 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 28 insertions(+), 22 deletions(-)
diff --git a/block/dictzip.c b/block/dictzip.c
index 4b7e2db..3235337 100644
index 4b7e2db817..3235337164 100644
--- a/block/dictzip.c
+++ b/block/dictzip.c
@@ -156,6 +156,7 @@ static int dictzip_open(BlockDriverState *bs, QDict *options, int flags, Error *

View File

@ -1,4 +1,4 @@
From d464395f484a4379ac5b14bde497625e1a0d2a02 Mon Sep 17 00:00:00 2001
From 1e4469088f98f8ce31044eb89e76228f07d068a2 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Wed, 9 Mar 2016 15:18:11 -0700
Subject: [PATCH] xen_disk: Add suse specific flush disable handling and map to
@ -17,7 +17,7 @@ Signed-off-by: Olaf Hering <olaf@aepfle.de>
1 file changed, 15 insertions(+)
diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c
index 3b8ad33..6f37eeb 100644
index 456a2d5694..94e755d3e8 100644
--- a/hw/block/xen_disk.c
+++ b/hw/block/xen_disk.c
@@ -111,6 +111,7 @@ struct XenBlkDev {
@ -28,7 +28,7 @@ index 3b8ad33..6f37eeb 100644
/* Persistent grants extension */
gboolean feature_discard;
gboolean feature_persistent;
@@ -793,6 +794,16 @@ static void blk_parse_discard(struct XenBlkDev *blkdev)
@@ -960,6 +961,16 @@ static void blk_parse_discard(struct XenBlkDev *blkdev)
}
}
@ -45,7 +45,7 @@ index 3b8ad33..6f37eeb 100644
static int blk_init(struct XenDevice *xendev)
{
struct XenBlkDev *blkdev = container_of(xendev, struct XenBlkDev, xendev);
@@ -864,6 +875,7 @@ static int blk_init(struct XenDevice *xendev)
@@ -1031,6 +1042,7 @@ static int blk_init(struct XenDevice *xendev)
xenstore_write_be_int(&blkdev->xendev, "info", info);
blk_parse_discard(blkdev);
@ -53,7 +53,7 @@ index 3b8ad33..6f37eeb 100644
g_free(directiosafe);
return 0;
@@ -906,6 +918,9 @@ static int blk_connect(struct XenDevice *xendev)
@@ -1073,6 +1085,9 @@ static int blk_connect(struct XenDevice *xendev)
qflags |= BDRV_O_UNMAP;
}

View File

@ -1,4 +1,4 @@
From 5219d096e17d3623cc0e274f9d9988effb11e9a1 Mon Sep 17 00:00:00 2001
From b05bd879232bb4ac753d72a9c32c489b109e6555 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Tue, 2 Aug 2016 11:36:02 -0600
Subject: [PATCH] qemu-bridge-helper: reduce security profile
@ -19,7 +19,7 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
index 5396fbf..f3710b8 100644
index 5396fbfbb6..f3710b80a3 100644
--- a/qemu-bridge-helper.c
+++ b/qemu-bridge-helper.c
@@ -110,7 +110,12 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)

View File

@ -1,4 +1,4 @@
From 3a45e30cfeda81b1c5a311e4bd030165396ab921 Mon Sep 17 00:00:00 2001
From 36996f68dc156ab64aec4b149c724ce2b2c7f400 Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Fri, 12 Aug 2016 18:20:49 +0200
Subject: [PATCH] qemu-binfmt-conf: use qemu-ARCH-binfmt
@ -13,7 +13,7 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/qemu-binfmt-conf.sh b/scripts/qemu-binfmt-conf.sh
index 7640255..3affcdc 100755
index 764025580d..3affcdca1b 100755
--- a/scripts/qemu-binfmt-conf.sh
+++ b/scripts/qemu-binfmt-conf.sh
@@ -201,7 +201,7 @@ qemu_check_systemd() {

View File

@ -1,4 +1,4 @@
From 0b135a5863998d3936302e291e69a0b13596fc6f Mon Sep 17 00:00:00 2001
From 6163925a8a53570a007a564c2d86746e589d5ea4 Mon Sep 17 00:00:00 2001
From: markkp <mpost@suse.com>
Date: Thu, 11 Aug 2016 16:28:39 -0400
Subject: [PATCH] configure: Fix detection of seccomp on s390x
@ -13,10 +13,10 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 3 insertions(+)
diff --git a/configure b/configure
index b882d19..1954f62 100755
index 9fdf7e7abc..087d8e2661 100755
--- a/configure
+++ b/configure
@@ -1902,6 +1902,9 @@ if test "$seccomp" != "no" ; then
@@ -1928,6 +1928,9 @@ if test "$seccomp" != "no" ; then
ppc|ppc64)
libseccomp_minver="2.3.0"
;;

View File

@ -1,4 +1,4 @@
From 7c9a134065df3deab252918c5172021b5a9e3ab0 Mon Sep 17 00:00:00 2001
From a420f344cef024cab119609171fb14667666055c Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@linux-m68k.org>
Date: Thu, 8 Sep 2016 11:21:05 +0200
Subject: [PATCH] linux-user: properly test for infinite timeout in poll (#8)
@ -16,10 +16,10 @@ Signed-off-by: Andreas Schwab <schwab@suse.de>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 51c1091..856e75d 100644
index 831d3df19c..b5070a0d0e 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -9770,7 +9770,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
@@ -10061,7 +10061,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
{
struct timespec ts, *pts;

View File

@ -1,4 +1,4 @@
From e2e103eaa7e3ba94f3e32184c7fa2c694072b9e1 Mon Sep 17 00:00:00 2001
From 667601cdfbeada47ff5f00d6bf5a17c865319a7f Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@suse.de>
Date: Wed, 28 Sep 2016 16:36:40 +0200
Subject: [PATCH] linux-user: remove all traces of qemu from /proc/self/cmdline
@ -17,10 +17,10 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 7 insertions(+), 40 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 856e75d..31bf618 100644
index b5070a0d0e..213e8f3c6c 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -7013,52 +7013,19 @@ int host_to_target_waitstatus(int status)
@@ -7230,52 +7230,19 @@ int host_to_target_waitstatus(int status)
static int open_self_cmdline(void *cpu_env, int fd)
{

View File

@ -1,4 +1,4 @@
From 491b61b48cef566df12b5b2191111febd95d1a5c Mon Sep 17 00:00:00 2001
From 920c90f4344b38242bd01b21f8bef55f11d0748c Mon Sep 17 00:00:00 2001
From: P J P <ppandit@redhat.com>
Date: Mon, 31 Oct 2016 15:55:14 -0600
Subject: [PATCH] dma: rc4030: limit interval timer reload value
@ -18,7 +18,7 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
index 2f2576f..c1b4997 100644
index 17c8518fea..41fc043464 100644
--- a/hw/dma/rc4030.c
+++ b/hw/dma/rc4030.c
@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,

View File

@ -1,47 +0,0 @@
From 21e9a3360b1a1845aee3eb501d15cb56f6024057 Mon Sep 17 00:00:00 2001
From: Olaf Hering <ohering@suse.de>
Date: Tue, 21 Jun 2016 18:42:45 +0200
Subject: [PATCH] xen: SUSE xenlinux unplug for emulated PCI
Implement SUSE specific unplug protocol for emulated PCI devices
in PVonHVM guests
(bsc#953339, bsc#953362, bsc#953518, bsc#984981)
Signed-off-by: Olaf Hering <ohering@suse.de>
---
hw/i386/xen/xen_platform.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/hw/i386/xen/xen_platform.c b/hw/i386/xen/xen_platform.c
index aa78393..48800c1 100644
--- a/hw/i386/xen/xen_platform.c
+++ b/hw/i386/xen/xen_platform.c
@@ -314,6 +314,28 @@ static void xen_platform_ioport_writeb(void *opaque, hwaddr addr,
case 0: /* Platform flags */
platform_fixed_ioport_writeb(opaque, 0, (uint32_t)val);
break;
+ case 4:
+ if (val == 1 && size == 1) {
+ /*
+ * SUSE unplug for Xenlinux
+ * xen-kmp used this since xen-3.0.4, instead the official protocol from xen-3.3+
+ * It did an unconditional "outl(1, (ioaddr + 4));"
+ * This approach was used until openSUSE 12.3, up to SLE11SP3 and in SLE10.
+ * Starting with openSUSE 13.1, SLE11SP4 and SLE12 the official protocol is used.
+ * pre VMDP 1.7 made use of 4 and 8 depending on how vmdp was configured.
+ * If VMDP was to control both disk and LAN it would use 4.
+ * If it controlled just disk or just LAN, it would use 8 below.
+ */
+ PCIDevice *pci_dev = PCI_DEVICE(s);
+ DPRINTF("unplug disks\n");
+ blk_drain_all();
+ blk_flush_all();
+ pci_unplug_disks(pci_dev->bus);
+ DPRINTF("unplug nics\n");
+ pci_unplug_nics(pci_dev->bus);
+ DPRINTF("done\n");
+ }
+ break;
case 8:
log_writeb(s, (uint32_t)val);
break;

View File

@ -1,4 +1,4 @@
From b7f162a68696ea14af398de7584cfaf9f2de4509 Mon Sep 17 00:00:00 2001
From 101b933ef85a7520984743bbc35cc244304d94c7 Mon Sep 17 00:00:00 2001
From: P J P <ppandit@redhat.com>
Date: Mon, 31 Oct 2016 15:58:47 -0600
Subject: [PATCH] net: imx: limit buffer descriptor count
@ -18,7 +18,7 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index 1c415ab..1d74827 100644
index 50c75642c6..78d641c2a3 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {

View File

@ -1,4 +1,4 @@
From 265aa090c4da5686ac3ed77285108606a79e4821 Mon Sep 17 00:00:00 2001
From 235fbffb3f16857462b5256cc731156322b66072 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Sat, 19 Nov 2016 08:06:30 -0700
Subject: [PATCH] roms/Makefile: pass a packaging timestamp to subpackages with
@ -20,7 +20,7 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/roms/Makefile b/roms/Makefile
index 88b3709..eb0640f 100644
index b5e5a69e91..89d69eb350 100644
--- a/roms/Makefile
+++ b/roms/Makefile
@@ -52,6 +52,12 @@ SEABIOS_EXTRAVERSION="-prebuilt.qemu-project.org"
@ -36,16 +36,16 @@ index 88b3709..eb0640f 100644
default:
@echo "nothing is build by default"
@echo "available build targets:"
@@ -105,7 +111,7 @@ build-lgplvgabios:
@@ -106,7 +112,7 @@ build-lgplvgabios:
.PHONY: sgabios
.PHONY: sgabios skiboot
sgabios:
- $(MAKE) -C sgabios
+ $(MAKE) -C sgabios PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP)
cp sgabios/sgabios.bin ../pc-bios
@@ -125,18 +131,22 @@ efi-rom-%: build-pxe-roms build-efi-roms
@@ -126,18 +132,22 @@ efi-rom-%: build-pxe-roms build-efi-roms
build-pxe-roms:
$(MAKE) -C ipxe/src CONFIG=qemu \

View File

@ -0,0 +1,55 @@
From a5f88d11e6d846f117d9a6cc3fbf1fb0b2750047 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Sun, 15 Jan 2012 19:53:49 +0100
Subject: [PATCH] Raise soft address space limit to hard limit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
For SLES we want users to be able to use large memory configurations
with KVM without fiddling with ulimit -Sv.
Signed-off-by: Andreas Färber <afaerber@suse.de>
[BR: add include for sys/resource.h]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
vl.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/vl.c b/vl.c
index 4427bf5e1a..501cd28363 100644
--- a/vl.c
+++ b/vl.c
@@ -26,6 +26,7 @@
#include "qemu/cutils.h"
#include "qemu/help_option.h"
#include "qemu/uuid.h"
+#include <sys/resource.h>
#ifdef CONFIG_SECCOMP
#include "sysemu/seccomp.h"
@@ -3031,6 +3032,7 @@ int main(int argc, char **argv, char **envp)
Error *main_loop_err = NULL;
Error *err = NULL;
bool list_data_dirs = false;
+ struct rlimit rlimit_as;
module_call_init(MODULE_INIT_TRACE);
@@ -3038,6 +3040,16 @@ int main(int argc, char **argv, char **envp)
qemu_init_cpu_loop();
qemu_mutex_lock_iothread();
+ /*
+ * Try to raise the soft address space limit.
+ * Default on SLES 11 SP2 is 80% of physical+swap memory.
+ */
+ getrlimit(RLIMIT_AS, &rlimit_as);
+ if (rlimit_as.rlim_cur < rlimit_as.rlim_max) {
+ rlimit_as.rlim_cur = rlimit_as.rlim_max;
+ setrlimit(RLIMIT_AS, &rlimit_as);
+ }
+
atexit(qemu_run_exit_notifiers);
error_set_progname(argv[0]);
qemu_init_exec_dir(argv[0]);

View File

@ -0,0 +1,33 @@
From 6fef5a1f40ec5dd0c13fabd299929125bafda7d4 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Fri, 17 May 2013 16:49:58 -0600
Subject: [PATCH] increase x86_64 physical bits to 42
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Allow for guests with higher amounts of ram. The current thought
is that 2TB specified on qemu commandline would be an appropriate
limit. Note that this requires the next higher bit value since
the highest address is actually more than 2TB due to the pci
memory hole.
Signed-off-by: Bruce Rogers <brogers@suse.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
target-i386/cpu.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index c605724022..4c17f17701 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -1465,7 +1465,7 @@ uint64_t cpu_get_tsc(CPUX86State *env);
/* XXX: This value should match the one returned by CPUID
* and in exec.c */
# if defined(TARGET_X86_64)
-# define TCG_PHYS_ADDR_BITS 40
+# define TCG_PHYS_ADDR_BITS 42
# else
# define TCG_PHYS_ADDR_BITS 36
# endif

View File

@ -1,32 +0,0 @@
From 803968c258e59d2af30618b736c87b114c2038f1 Mon Sep 17 00:00:00 2001
From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Date: Wed, 3 Aug 2016 13:15:06 +1000
Subject: [PATCH] Fix tlb_vaddr_to_host with CONFIG_USER_ONLY
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We use the wrong argument name for the g2h() macro !
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Tested-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
include/exec/cpu_ldst.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
index b573df5..6eb5fe8 100644
--- a/include/exec/cpu_ldst.h
+++ b/include/exec/cpu_ldst.h
@@ -401,7 +401,7 @@ static inline void *tlb_vaddr_to_host(CPUArchState *env, target_ulong addr,
int access_type, int mmu_idx)
{
#if defined(CONFIG_USER_ONLY)
- return g2h(vaddr);
+ return g2h(addr);
#else
int index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
CPUTLBEntry *tlbentry = &env->tlb_table[mmu_idx][index];

View File

@ -0,0 +1,64 @@
From f29449e6c1a79238ed317b4e2307ef699e7612bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 12 Jun 2013 19:26:37 +0200
Subject: [PATCH] vga: Raise VRAM to 16 MiB for pc-0.15 and below
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
qemu-kvm.git commit a7fe0297840908a4fd65a1cf742481ccd45960eb
(Extend vram size to 16MB) deviated from qemu.git since kvm-61, and only
in commit 9e56edcf8dd1d4bc7ba2b1efb3641f36c0fad8ba (vga: raise default
vgamem size) did qemu.git adjust the VRAM size for v1.2.
Add compatibility properties so that up to and including pc-0.15 we
maintain migration compatibility with qemu-kvm rather than QEMU and
from pc-1.0 on with QEMU (last qemu-kvm release was 1.2).
Addresses part of BNC#812836.
Signed-off-by: Andreas Färber <afaerber@suse.de>
[BR: adjust comma position in list in macro for v2.5.0 compat]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/i386/pc_piix.c | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index a54a468c0a..511d438bdb 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -770,7 +770,32 @@ DEFINE_I440FX_MACHINE(v1_0, "pc-1.0", pc_compat_1_2,
#define PC_COMPAT_0_15 \
- PC_CPU_MODEL_IDS("0.15")
+ PC_CPU_MODEL_IDS("0.15")\
+ {\
+ .driver = "VGA",\
+ .property = "vgamem_mb",\
+ .value = stringify(16),\
+ },{\
+ .driver = "vmware-svga",\
+ .property = "vgamem_mb",\
+ .value = stringify(16),\
+ },{\
+ .driver = "qxl-vga",\
+ .property = "vgamem_mb",\
+ .value = stringify(16),\
+ },{\
+ .driver = "qxl",\
+ .property = "vgamem_mb",\
+ .value = stringify(16),\
+ },{\
+ .driver = "isa-cirrus-vga",\
+ .property = "vgamem_mb",\
+ .value = stringify(16),\
+ },{\
+ .driver = "cirrus-vga",\
+ .property = "vgamem_mb",\
+ .value = stringify(16),\
+ },
static void pc_i440fx_0_15_machine_options(MachineClass *m)
{

View File

@ -0,0 +1,43 @@
From de2bd411b216f7fa9aacad1e86cbd9c25db8954a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 31 Jul 2013 17:05:29 +0200
Subject: [PATCH] i8254: Fix migration from SLE11 SP2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
qemu-kvm 0.15 had a VMSTATE_UINT32(flags, PITState) field that
qemu 1.4 does not have.
Addresses part of BNC#812836.
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/timer/i8254_common.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/timer/i8254_common.c b/hw/timer/i8254_common.c
index e18299a482..bc676c4664 100644
--- a/hw/timer/i8254_common.c
+++ b/hw/timer/i8254_common.c
@@ -258,6 +258,12 @@ static int pit_dispatch_post_load(void *opaque, int version_id)
return 0;
}
+static bool is_qemu_kvm(void *opaque, int version_id)
+{
+ /* HACK: We ignore incoming migration from upstream qemu */
+ return version_id < 3;
+}
+
static const VMStateDescription vmstate_pit_common = {
.name = "i8254",
.version_id = 3,
@@ -267,6 +273,7 @@ static const VMStateDescription vmstate_pit_common = {
.pre_save = pit_dispatch_pre_save,
.post_load = pit_dispatch_post_load,
.fields = (VMStateField[]) {
+ VMSTATE_UNUSED_TEST(is_qemu_kvm, 4),
VMSTATE_UINT32_V(channels[0].irq_disabled, PITCommonState, 3),
VMSTATE_STRUCT_ARRAY(channels, PITCommonState, 3, 2,
vmstate_pit_channel, PITChannelState),

View File

@ -0,0 +1,31 @@
From 54d95bf6b1053208ce3bf31cad9a9cc8cf29c634 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 31 Jul 2013 17:32:35 +0200
Subject: [PATCH] acpi_piix4: Fix migration from SLE11 SP2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
qemu-kvm 0.15 uses the same GPE format as qemu 1.4, but as version 2
rather than 3.
Addresses part of BNC#812836.
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/acpi/piix4.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/acpi/piix4.c b/hw/acpi/piix4.c
index 17d36bd595..f657eb7474 100644
--- a/hw/acpi/piix4.c
+++ b/hw/acpi/piix4.c
@@ -311,7 +311,7 @@ static const VMStateDescription vmstate_cpuhp_state = {
static const VMStateDescription vmstate_acpi = {
.name = "piix4_pm",
.version_id = 3,
- .minimum_version_id = 3,
+ .minimum_version_id = 2, /* qemu-kvm */
.minimum_version_id_old = 1,
.load_state_old = acpi_load_old,
.post_load = vmstate_acpi_post_load,

View File

@ -1,45 +0,0 @@
From fd5aa800d14fbc8f0a6a75b37ee0e74092dde8cd Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 8 Sep 2016 18:15:54 +0530
Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
the computed BITMAP and PIXMAP size are checked against the
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
Correct these checks to avoid OOB memory access.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 167d97a3def77ee2dbf6e908b0ecbfe2103977db)
[BR: CVE-2016-7170 BSC#998516]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/vmware_vga.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index e51a05e..6599cf0 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
cursor.bpp = vmsvga_fifo_read(s);
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
- if (cursor.width > 256 ||
- cursor.height > 256 ||
- cursor.bpp > 32 ||
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
+ if (cursor.width > 256
+ || cursor.height > 256
+ || cursor.bpp > 32
+ || SVGA_BITMAP_SIZE(x, y)
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
goto badcmd;
}

View File

@ -0,0 +1,55 @@
From 87164237f308f856e2429044f88f7fe61243f745 Mon Sep 17 00:00:00 2001
From: Chunyan Liu <cyliu@suse.com>
Date: Thu, 3 Mar 2016 16:48:17 +0800
Subject: [PATCH] Fix tigervnc long press issue
Using xen tools 'xl vncviewer' with tigervnc (default on SLE-12),
found that: the display of the guest is unexpected while keep
pressing a key. We expect the same character multiple times, but
it prints only one time. This happens on a PV guest in text mode.
After debugging, found that tigervnc sends repeated key down events
in this case, to differentiate from user pressing the same key many
times. Vnc server only prints the character when it finally receives
key up event.
To solve this issue, this patch tries to add additional key up event
before the next repeated key down event (if the key is not a control
key).
[CYL: BSC#882405]
Signed-off-by: Chunyan Liu <cyliu@suse.com>
---
ui/vnc.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/ui/vnc.c b/ui/vnc.c
index 8d0c16b23f..392c466dad 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -1770,6 +1770,25 @@ static void do_key_event(VncState *vs, int down, int keycode, int sym)
if (down)
vs->modifiers_state[keycode] ^= 1;
break;
+ default:
+ if (qemu_console_is_graphic(NULL)) {
+ /* record key 'down' info. Some client like tigervnc
+ * will send key down repeatedly if user pressing a
+ * a key for long time. In this case, we should add
+ * additional key up event before repeated key down,
+ * so that it can display the key multiple times.
+ */
+ if (down) {
+ if (vs->modifiers_state[keycode]) {
+ /* add a key up event */
+ do_key_event(vs, 0, keycode, sym);
+ }
+ vs->modifiers_state[keycode] = 1;
+ } else {
+ vs->modifiers_state[keycode] = 0;
+ }
+ }
+ break;
}
/* Turn off the lock state sync logic if the client support the led

View File

@ -1,36 +0,0 @@
From eccd42e2e97bdf76467d48b0cecdd07327c686fd Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 31 Aug 2016 17:36:07 +0530
Subject: [PATCH] scsi: mptconfig: fix an assert expression
When LSI SAS1068 Host Bus emulator builds configuration page
headers, mptsas_config_pack() should assert that the size
fits in a byte. However, the size is expressed in 32-bit
units, so up to 1020 bytes fit. The assertion was only
allowing replies up to 252 bytes, so fix it.
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
[BR: CVE-2016-7157 BSC#997860]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/mptconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
index 7071854..3e4f400 100644
--- a/hw/scsi/mptconfig.c
+++ b/hw/scsi/mptconfig.c
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
va_end(ap);
if (data) {
- assert(ret < 256 && (ret % 4) == 0);
+ assert(ret / 4 < 256 && (ret % 4) == 0);
stb_p(*data + 1, ret / 4);
}
return ret;

View File

@ -0,0 +1,54 @@
From be38f2a0ff94c1c60e51b9d82fdf8d4b038a6c7d Mon Sep 17 00:00:00 2001
From: Chunyan Liu <cyliu@suse.com>
Date: Fri, 29 Apr 2016 11:17:08 +0800
Subject: [PATCH] fix xen hvm direct kernel boot
Since commit a1666142: acpi-build: make ROMs RAM blocks resizeable,
xen HVM direct kernel boot failed. Xen HVM direct kernel boot will
insert a linuxboot.bin or multiboot.bin to /genroms, before this
commit, in acpi_setup, for rom linuxboot.bin/multiboot.bin, it
only needs 0x20000 size; after the commit, it will reserve x16
size for resize, that is 0x200000 size. It causes xen_ram_alloc
failed due to running out of memory.
To resolve it, either:
1. keep using original rom size instead of max size, don't reserve x16 size.
2. guest maxmem needs to be increased. (commit c1d322e6 "xen-hvm: increase
maxmem before calling xc_domain_populate_physmap" solved the problem for
a time, by accident. But then it is reverted in commit ffffbb369 due to
other problem.)
For 2, more discussion is needed about howto. So this patch tries 1, to
use unresizable rom size in xen case in rom_set_mr.
[CYL: BSC#970791]
Signed-off-by: Chunyan Liu <cyliu@suse.com>
---
hw/core/loader.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/core/loader.c b/hw/core/loader.c
index 45742494e6..306b3ed683 100644
--- a/hw/core/loader.c
+++ b/hw/core/loader.c
@@ -55,6 +55,7 @@
#include "exec/address-spaces.h"
#include "hw/boards.h"
#include "qemu/cutils.h"
+#include "hw/xen/xen.h"
#include <zlib.h>
@@ -858,7 +859,10 @@ static void *rom_set_mr(Rom *rom, Object *owner, const char *name)
void *data;
rom->mr = g_malloc(sizeof(*rom->mr));
- memory_region_init_resizeable_ram(rom->mr, owner, name,
+ if (xen_enabled())
+ memory_region_init_ram(rom->mr, owner, name, rom->datasize, &error_fatal);
+ else
+ memory_region_init_resizeable_ram(rom->mr, owner, name,
rom->datasize, rom->romsize,
fw_cfg_resized,
&error_fatal);

View File

@ -1,40 +0,0 @@
From 3e3bf236d5b712cd5861effaf193093779584c80 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 29 Aug 2016 11:35:37 +0200
Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
These issues cause respectively a QEMU crash and a leak of 2 bytes of
stack. They were discovered by VictorV of 360 Marvel Team.
Reported-by: Tom Victor <i-tangtianwen@360.cm>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d)
[BR: CVE-2016-7157 BSC#997860]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/mptconfig.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
index 3e4f400..87a416a 100644
--- a/hw/scsi/mptconfig.c
+++ b/hw/scsi/mptconfig.c
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
{
/* VPD - all zeros */
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
- "s256");
+ "*s256");
}
static
@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address)
return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01,
"*l*lwwb*b*b*blww",
pcic->vendor_id, pcic->device_id, pcic->revision,
- pcic->subsystem_vendor_id,
+ pcic->class_id, pcic->subsystem_vendor_id,
pcic->subsystem_id);
}

View File

@ -0,0 +1,236 @@
From 992fa3653d4f6202269df90e32160baf542f058a Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 19 Sep 2016 10:02:55 +0200
Subject: [PATCH] ARM: KVM: Enable in-kernel timers with user space gic
When running with KVM enabled, you can choose between emulating the
gic in kernel or user space. If the kernel supports in-kernel virtualization
of the interrupt controller, it will default to that. If not, if will
default to user space emulation.
Unfortunately when running in user mode gic emulation, we miss out on
timer events which are only available from kernel space. This patch leverages
the new kernel/user space notification mechanism for those timer events.
Signed-off-by: Alexander Graf <agraf@suse.de>
---
hw/arm/virt.c | 18 ++++++++++++++++++
hw/intc/Makefile.objs | 2 +-
hw/intc/arm_gic.c | 16 ++++++++++++++++
linux-headers/linux/kvm.h | 14 ++++++++++++++
target-arm/kvm.c | 29 ++++++++++++++++++++++++++++-
target-arm/kvm_arm.h | 11 +++++++++++
6 files changed, 88 insertions(+), 2 deletions(-)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index d04e4acbd9..2fbba49132 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -623,6 +623,24 @@ static void create_gic(VirtBoardInfo *vbi, qemu_irq *pic, int type,
} else if (type == 2) {
create_v2m(vbi, pic);
}
+
+#ifdef CONFIG_KVM
+ if (kvm_enabled() && !kvm_irqchip_in_kernel()) {
+ for (i = 0; i < smp_cpus; i++) {
+ CPUState *cs = qemu_get_cpu(i);
+ int ret;
+
+ ret = kvm_vcpu_enable_cap(cs, KVM_CAP_ARM_TIMER, 0,
+ KVM_ARM_TIMER_VTIMER);
+
+ if (ret) {
+ error_report("KVM with user space irqchip only works when the "
+ "host kernel supports KVM_CAP_ARM_TIMER");
+ exit(1);
+ }
+ }
+ }
+#endif
}
static void create_uart(const VirtBoardInfo *vbi, qemu_irq *pic, int uart,
diff --git a/hw/intc/Makefile.objs b/hw/intc/Makefile.objs
index 2f44a2da26..73cb694e44 100644
--- a/hw/intc/Makefile.objs
+++ b/hw/intc/Makefile.objs
@@ -10,7 +10,6 @@ common-obj-$(CONFIG_REALVIEW) += realview_gic.o
common-obj-$(CONFIG_SLAVIO) += slavio_intctl.o
common-obj-$(CONFIG_IOAPIC) += ioapic_common.o
common-obj-$(CONFIG_ARM_GIC) += arm_gic_common.o
-common-obj-$(CONFIG_ARM_GIC) += arm_gic.o
common-obj-$(CONFIG_ARM_GIC) += arm_gicv2m.o
common-obj-$(CONFIG_ARM_GIC) += arm_gicv3_common.o
common-obj-$(CONFIG_ARM_GIC) += arm_gicv3.o
@@ -21,6 +20,7 @@ common-obj-$(CONFIG_OPENPIC) += openpic.o
common-obj-y += intc.o
obj-$(CONFIG_APIC) += apic.o apic_common.o
+obj-$(CONFIG_ARM_GIC) += arm_gic.o
obj-$(CONFIG_ARM_GIC_KVM) += arm_gic_kvm.o
obj-$(call land,$(CONFIG_ARM_GIC_KVM),$(TARGET_AARCH64)) += arm_gicv3_kvm.o
obj-$(call land,$(CONFIG_ARM_GIC_KVM),$(TARGET_AARCH64)) += arm_gicv3_its_kvm.o
diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index 521aac3cc6..21236499f1 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -25,6 +25,7 @@
#include "qom/cpu.h"
#include "qemu/log.h"
#include "trace.h"
+#include "kvm_arm.h"
//#define DEBUG_GIC
@@ -557,6 +558,11 @@ static void gic_deactivate_irq(GICState *s, int cpu, int irq, MemTxAttrs attrs)
return;
}
+ /* Tell KVM that we want to know about timer IRQs again */
+ if (kvm_enabled()) {
+ kvm_arm_eoi_notify(cpu);
+ }
+
GIC_CLEAR_ACTIVE(irq, cm);
}
@@ -566,6 +572,12 @@ void gic_complete_irq(GICState *s, int cpu, int irq, MemTxAttrs attrs)
int group;
DPRINTF("EOI %d\n", irq);
+
+ /* Tell KVM that we want to know about timer IRQs again */
+ if (kvm_enabled()) {
+ kvm_arm_eoi_notify(cpu);
+ }
+
if (irq >= s->num_irq) {
/* This handles two cases:
* 1. If software writes the ID of a spurious interrupt [ie 1023]
@@ -915,6 +927,10 @@ static void gic_dist_writeb(void *opaque, hwaddr offset,
trace_gic_enable_irq(irq + i);
}
GIC_SET_ENABLED(irq + i, cm);
+ /* Tell KVM that we want to know about timer IRQs again */
+ if (kvm_enabled()) {
+ kvm_arm_eoi_notify(cpu);
+ }
/* If a raised level triggered IRQ enabled then mark
is as pending. */
if (GIC_TEST_LEVEL(irq + i, mask)
diff --git a/linux-headers/linux/kvm.h b/linux-headers/linux/kvm.h
index 4806e069e7..ffcacf8f0c 100644
--- a/linux-headers/linux/kvm.h
+++ b/linux-headers/linux/kvm.h
@@ -205,6 +205,7 @@ struct kvm_hyperv_exit {
#define KVM_EXIT_S390_STSI 25
#define KVM_EXIT_IOAPIC_EOI 26
#define KVM_EXIT_HYPERV 27
+#define KVM_EXIT_ARM_TIMER 28
/* For KVM_EXIT_INTERNAL_ERROR */
/* Emulate instruction failed. */
@@ -361,6 +362,10 @@ struct kvm_run {
} eoi;
/* KVM_EXIT_HYPERV */
struct kvm_hyperv_exit hyperv;
+ /* KVM_EXIT_ARM_TIMER */
+ struct {
+ __u8 timesource;
+ } arm_timer;
/* Fix the size of the union. */
char padding[256];
};
@@ -870,6 +875,7 @@ struct kvm_ppc_smmu_info {
#define KVM_CAP_S390_USER_INSTR0 130
#define KVM_CAP_MSI_DEVID 131
#define KVM_CAP_PPC_HTM 132
+#define KVM_CAP_ARM_TIMER 133
#ifdef KVM_CAP_IRQ_ROUTING
@@ -1327,4 +1333,12 @@ struct kvm_assigned_msix_entry {
#define KVM_X2APIC_API_USE_32BIT_IDS (1ULL << 0)
#define KVM_X2APIC_API_DISABLE_BROADCAST_QUIRK (1ULL << 1)
+/* Available with KVM_CAP_ARM_TIMER */
+
+/* Bits for run->request_interrupt_window */
+#define KVM_IRQWINDOW_VTIMER (1 << 0)
+
+/* Bits for run->arm_timer.timesource */
+#define KVM_ARM_TIMER_VTIMER (1 << 0)
+
#endif /* __LINUX_KVM_H */
diff --git a/target-arm/kvm.c b/target-arm/kvm.c
index c00b94e42a..a4786a0a0b 100644
--- a/target-arm/kvm.c
+++ b/target-arm/kvm.c
@@ -530,7 +530,6 @@ MemTxAttrs kvm_arch_post_run(CPUState *cs, struct kvm_run *run)
return MEMTXATTRS_UNSPECIFIED;
}
-
int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
{
int ret = 0;
@@ -541,6 +540,23 @@ int kvm_arch_handle_exit(CPUState *cs, struct kvm_run *run)
ret = EXCP_DEBUG;
} /* otherwise return to guest */
break;
+ case KVM_EXIT_ARM_TIMER:
+ /* We only support the vtimer today */
+ if (run->arm_timer.timesource != KVM_ARM_TIMER_VTIMER) {
+ return -EINVAL;
+ }
+
+ /*
+ * We ask the kernel to not tell us about pending virtual timer irqs,
+ * so that we can process the IRQ until we get an EOI for it. Once the
+ * EOI hits, we unset and unmask the interrupt again and if it is still
+ * pending, we set the line high again
+ */
+ run->request_interrupt_window = KVM_IRQWINDOW_VTIMER;
+
+ /* Internally trigger virtual timer IRQ */
+ qemu_set_irq(ARM_CPU(cs)->gt_timer_outputs[GTIMER_VIRT], 1);
+ break;
default:
qemu_log_mask(LOG_UNIMP, "%s: un-handled exit reason %d\n",
__func__, run->exit_reason);
@@ -638,3 +654,14 @@ int kvm_arch_msi_data_to_gsi(uint32_t data)
{
return (data - 32) & 0xffff;
}
+
+void kvm_arm_eoi_notify(int cpu)
+{
+ CPUState *cs;
+
+ cs = qemu_get_cpu(cpu);
+
+ /* Disable vtimer - if it's still pending we get notified again */
+ cs->kvm_run->request_interrupt_window &= ~KVM_ARM_TIMER_VTIMER;
+ qemu_set_irq(ARM_CPU(cs)->gt_timer_outputs[GTIMER_VIRT], 0);
+}
diff --git a/target-arm/kvm_arm.h b/target-arm/kvm_arm.h
index 633d08828a..eeec8c5b20 100644
--- a/target-arm/kvm_arm.h
+++ b/target-arm/kvm_arm.h
@@ -288,4 +288,15 @@ static inline const char *its_class_name(void)
}
}
+/**
+ * kvm_arm_eoi_notify:
+ *
+ * @cpu: CPU index the EOI is for
+ *
+ * Notify KVM that we're done processing an interrupt. This is
+ * used to unmask any pending timer interrupts and potentially
+ * learn about the fact that the level is still high.
+ */
+void kvm_arm_eoi_notify(int cpu);
+
#endif

View File

@ -1,64 +0,0 @@
From c08b11cce7dce1fc89c71d3c0de4c5706a89009a Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 6 Sep 2016 02:20:43 +0530
Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
long time or go into an infinite loop due to two different bugs:
1) the request descriptor data length is defined to be 64 bit. While
building SG list from a request descriptor, it gets truncated to 32bit
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
situation large 'dataLen' values when data_length is cast to uint32_t and
chunk_size becomes always zero. Fix this by removing the incorrect cast.
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
element has a zero length. Get out of the loop early when this happens,
by introducing an upper limit on the number of SG list elements.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8)
[BR: CVE-2016-7156 BSC#997859]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/vmw_pvscsi.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 5116f4a..73679f8 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -40,6 +40,8 @@
#define PVSCSI_MAX_DEVS (64)
#define PVSCSI_MSIX_NUM_VECTORS (1)
+#define PVSCSI_MAX_SG_ELEM 2048
+
#define PVSCSI_MAX_CMD_DATA_WORDS \
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
@@ -634,17 +636,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
static void
pvscsi_convert_sglist(PVSCSIRequest *r)
{
- int chunk_size;
+ uint32_t chunk_size, elmcnt = 0;
uint64_t data_length = r->req.dataLen;
PVSCSISGState sg = r->sg;
- while (data_length) {
- while (!sg.resid) {
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
pvscsi_get_next_sg_elem(&sg);
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
r->sg.resid);
}
- assert(data_length > 0);
- chunk_size = MIN((unsigned) data_length, sg.resid);
+ chunk_size = MIN(data_length, sg.resid);
if (chunk_size) {
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
}

View File

@ -1,32 +0,0 @@
From c559aa30371dc110e2b13e5006a327aab6503ac7 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 13 Sep 2016 03:20:03 -0700
Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
If the xhci uses msix, it doesn't free the corresponding
memory, thus leading a memory leak. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit b53dd4495ced2432a0b652ea895e651d07336f7e)
[BR: CVE-2016-7466 BSC#1000345]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/usb/hcd-xhci.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 188f954..281a2a5 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
/* destroy msix memory region */
if (dev->msix_table && dev->msix_pba
&& dev->msix_entry_used) {
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
}
usb_bus_release(&xhci->bus);

View File

@ -0,0 +1,44 @@
From 7b6b039ba580ddafdb3a0377f3c39c8d5e57bbc6 Mon Sep 17 00:00:00 2001
From: Li Qiang <liq3ea@gmail.com>
Date: Mon, 28 Nov 2016 21:29:25 -0500
Subject: [PATCH] virtio-gpu: call cleanup mapping function in resource destroy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the guest destroy the resource before detach banking, the 'iov'
and 'addrs' field in resource is not freed thus leading memory
leak issue. This patch avoid this.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1480386565-10077-1-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit b8e23926c568f2e963af39028b71c472e3023793)
BR: CVE-2016-9912 BSC#1014112]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/virtio-gpu.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 5f32e1aae9..3eafe495ef 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -28,6 +28,8 @@
static struct virtio_gpu_simple_resource*
virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
+
#ifdef CONFIG_VIRGL
#include <virglrenderer.h>
#define VIRGL(_g, _virgl, _simple, ...) \
@@ -359,6 +361,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
struct virtio_gpu_simple_resource *res)
{
pixman_image_unref(res->image);
+ virtio_gpu_cleanup_mapping(res);
QTAILQ_REMOVE(&g->reslist, res, next);
g_free(res);
}

View File

@ -1,35 +0,0 @@
From 9115b36311e918d6ccea499ff5767508b72250e6 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 12 Sep 2016 18:14:11 +0530
Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
When processing IO request in mptsas, it uses g_new to allocate
a 'req' object. If an error occurs before 'req->sreq' is
allocated, It could lead to an OOB write in mptsas_free_request
function. Use g_new0 to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5)
[BR: CVE-2016-7423 BSC#1000397]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/mptsas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 0e0a22f..eaae1bb 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
goto bad;
}
- req = g_new(MPTSASRequest, 1);
+ req = g_new0(MPTSASRequest, 1);
QTAILQ_INSERT_TAIL(&s->pending, req, next);
req->scsi_io = *scsi_io;
req->dev = s;

View File

@ -0,0 +1,133 @@
From 8e642bbb73b0feb46dde13fa960db59efb8c69ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Thu, 24 Sep 2015 19:21:11 +0200
Subject: [PATCH] string-input-visitor: Fix uint64 parsing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
All integers would get parsed by strtoll(), not handling the case of
UINT64 properties with the most significient bit set.
Implement a .type_uint64 visitor callback, reusing the existing
parse_str() code through a new argument, using strtoull().
As this is a bug fix, it intentionally ignores checkpatch warnings to
prefer the use of qemu_strto[u]ll() over strto[u]ll().
Cc: qemu-stable@nongnu.org
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
qapi/string-input-visitor.c | 63 +++++++++++++++++++++++++++++++++++----------
1 file changed, 50 insertions(+), 13 deletions(-)
diff --git a/qapi/string-input-visitor.c b/qapi/string-input-visitor.c
index 8dfa561252..1fb43909df 100644
--- a/qapi/string-input-visitor.c
+++ b/qapi/string-input-visitor.c
@@ -43,7 +43,8 @@ static void free_range(void *range, void *dummy)
g_free(range);
}
-static int parse_str(StringInputVisitor *siv, const char *name, Error **errp)
+static int parse_str(StringInputVisitor *siv, const char *name, bool u64,
+ Error **errp)
{
char *str = (char *) siv->string;
long long start, end;
@@ -56,7 +57,11 @@ static int parse_str(StringInputVisitor *siv, const char *name, Error **errp)
do {
errno = 0;
- start = strtoll(str, &endptr, 0);
+ if (u64) {
+ start = strtoull(str, &endptr, 0);
+ } else {
+ start = strtoll(str, &endptr, 0);
+ }
if (errno == 0 && endptr > str) {
if (*endptr == '\0') {
cur = g_malloc0(sizeof(*cur));
@@ -67,7 +72,11 @@ static int parse_str(StringInputVisitor *siv, const char *name, Error **errp)
} else if (*endptr == '-') {
str = endptr + 1;
errno = 0;
- end = strtoll(str, &endptr, 0);
+ if (u64) {
+ end = strtoull(str, &endptr, 0);
+ } else {
+ end = strtoll(str, &endptr, 0);
+ }
if (errno == 0 && endptr > str && start <= end &&
(start > INT64_MAX - 65536 ||
end < start + 65536)) {
@@ -123,7 +132,7 @@ start_list(Visitor *v, const char *name, GenericList **list, size_t size,
assert(list);
siv->list = list;
- if (parse_str(siv, name, errp) < 0) {
+ if (parse_str(siv, name, false, errp) < 0) {
*list = NULL;
return;
}
@@ -188,7 +197,7 @@ static void parse_type_int64(Visitor *v, const char *name, int64_t *obj,
return;
}
- if (parse_str(siv, name, errp) < 0) {
+ if (parse_str(siv, name, false, errp) < 0) {
return;
}
@@ -224,15 +233,43 @@ error:
static void parse_type_uint64(Visitor *v, const char *name, uint64_t *obj,
Error **errp)
{
- /* FIXME: parse_type_int64 mishandles values over INT64_MAX */
- int64_t i;
- Error *err = NULL;
- parse_type_int64(v, name, &i, &err);
- if (err) {
- error_propagate(errp, err);
- } else {
- *obj = i;
+ StringInputVisitor *siv = to_siv(v);
+
+ if (!siv->string) {
+ error_setg(errp, QERR_INVALID_PARAMETER_TYPE, name ? name : "null",
+ "integer");
+ return;
+ }
+
+ parse_str(siv, name, true, errp);
+
+ if (!siv->ranges) {
+ goto error;
}
+
+ if (!siv->cur_range) {
+ Range *r;
+
+ siv->cur_range = g_list_first(siv->ranges);
+ if (!siv->cur_range) {
+ goto error;
+ }
+
+ r = siv->cur_range->data;
+ if (!r) {
+ goto error;
+ }
+
+ siv->cur = range_lob(r);
+ }
+
+ *obj = siv->cur;
+ siv->cur++;
+ return;
+
+error:
+ error_setg(errp, QERR_INVALID_PARAMETER_VALUE, name,
+ "a uint64 value or range");
}
static void parse_type_size(Visitor *v, const char *name, uint64_t *obj,

View File

@ -1,38 +0,0 @@
From a6cfc94b9a325993d6d77022ae8d0fd0cc77d117 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 14 Sep 2016 15:09:12 +0530
Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
Vmware Paravirtual SCSI emulator while processing IO requests
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
always returned positive value. Limit IO loop to the ring size.
Cc: qemu-stable@nongnu.org
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9)
[BR: CVE-2016-7421 BSC#999661]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/vmw_pvscsi.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 73679f8..efa5459 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -253,8 +253,11 @@ static hwaddr
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
{
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
- if (ready_ptr != mgr->consumed_ptr) {
+ if (ready_ptr != mgr->consumed_ptr
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
uint32_t next_ready_ptr =
mgr->consumed_ptr++ & mgr->txr_len_mask;
uint32_t next_ready_page =

View File

@ -0,0 +1,34 @@
From 70f17e51a9347f19c159e84dc39359e762ca224d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Thu, 24 Sep 2015 19:23:50 +0200
Subject: [PATCH] test-string-input-visitor: Add int test case
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In addition to -42 also parse the maximum int64.
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
tests/test-string-input-visitor.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/tests/test-string-input-visitor.c b/tests/test-string-input-visitor.c
index 7f10e2582f..62ddcb1583 100644
--- a/tests/test-string-input-visitor.c
+++ b/tests/test-string-input-visitor.c
@@ -56,6 +56,14 @@ static void test_visitor_in_int(TestInputVisitorData *data,
visit_type_int(v, NULL, &res, &err);
g_assert(!err);
g_assert_cmpint(res, ==, value);
+ visitor_input_teardown(data, unused);
+
+ value = INT64_MAX;
+ v = visitor_input_test_init(data, g_strdup_printf("%" PRId64, value));
+
+ visit_type_int(v, NULL, &res, &err);
+ g_assert(!err);
+ g_assert_cmpint(res, ==, value);
visitor_input_teardown(data, unused);

View File

@ -0,0 +1,57 @@
From 6afc22092786abd94108345c608892317aadb27a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Thu, 24 Sep 2015 19:24:23 +0200
Subject: [PATCH] test-string-input-visitor: Add uint64 test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Test parsing of decimal and hexadecimal uint64 numbers with most
significant bit set.
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
tests/test-string-input-visitor.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/tests/test-string-input-visitor.c b/tests/test-string-input-visitor.c
index 62ddcb1583..214cce2d3b 100644
--- a/tests/test-string-input-visitor.c
+++ b/tests/test-string-input-visitor.c
@@ -73,6 +73,27 @@ static void test_visitor_in_int(TestInputVisitorData *data,
error_free_or_abort(&err);
}
+static void test_visitor_in_uint64(TestInputVisitorData *data,
+ const void *unused)
+{
+ uint64_t res = 0, value = UINT64_MAX;
+ Error *err = NULL;
+ Visitor *v;
+
+ v = visitor_input_test_init(data, g_strdup_printf("%" PRIu64, value));
+
+ visit_type_uint64(v, NULL, &res, &err);
+ g_assert(!err);
+ g_assert_cmpint(res, ==, value);
+ visitor_input_teardown(data, unused);
+
+ v = visitor_input_test_init(data, g_strdup_printf("0x%" PRIx64, value));
+
+ visit_type_uint64(v, NULL, &res, &err);
+ g_assert(!err);
+ g_assert_cmpint(res, ==, value);
+}
+
static void test_visitor_in_intList(TestInputVisitorData *data,
const void *unused)
{
@@ -275,6 +296,8 @@ int main(int argc, char **argv)
input_visitor_test_add("/string-visitor/input/int",
&in_visitor_data, test_visitor_in_int);
+ input_visitor_test_add("/string-visitor/input/uint64",
+ &in_visitor_data, test_visitor_in_uint64);
input_visitor_test_add("/string-visitor/input/intList",
&in_visitor_data, test_visitor_in_intList);
input_visitor_test_add("/string-visitor/input/bool",

View File

@ -1,38 +0,0 @@
From db87d12d0e7e3720ebc0283aced8077f43e29963 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 19 Sep 2016 23:55:45 +0530
Subject: [PATCH] virtio: add check for descriptor's mapped address
virtio back end uses set of buffers to facilitate I/O operations.
If its size is too large, 'cpu_physical_memory_map' could return
a null address. This would result in a null dereference while
un-mapping descriptors. Add check to avoid it.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 973e7170dddefb491a48df5cba33b2ae151013a0)
[BR: CVE-2016-7422 BSC#1000346]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/virtio/virtio.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 74c085c..eabe573 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
}
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
+ if (!iov[num_sg].iov_base) {
+ error_report("virtio: bogus descriptor or out of resources");
+ exit(1);
+ }
+
iov[num_sg].iov_len = len;
addr[num_sg] = pa;

View File

@ -1,52 +0,0 @@
From 60f6f3204dcfbb6c7518751061abc99ddd9b2c97 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 22 Sep 2016 16:02:37 +0530
Subject: [PATCH] net: mcf: limit buffer descriptor count
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set upper limit to number of buffer descriptors.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a)
[BR: CVE-2016-7908 BSC#1002550]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/mcf_fec.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 0ee8ad9..d31fea1 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
#define DPRINTF(fmt, ...) do {} while(0)
#endif
+#define FEC_MAX_DESC 1024
#define FEC_MAX_FRAME_SIZE 2032
typedef struct {
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
uint32_t addr;
mcf_fec_bd bd;
int frame_size;
- int len;
+ int len, descnt = 0;
uint8_t frame[FEC_MAX_FRAME_SIZE];
uint8_t *ptr;
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
ptr = frame;
frame_size = 0;
addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < FEC_MAX_DESC) {
mcf_fec_read_bd(&bd, addr);
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
addr, bd.flags, bd.length, bd.data);

View File

@ -0,0 +1,179 @@
From bf1cd7a4b8d686cda17d594edf4739a2a28200b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Sun, 6 Sep 2015 20:12:42 +0200
Subject: [PATCH] tests: Add QOM property unit tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add a test for parsing and setting a uint64 property.
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
MAINTAINERS | 1 +
tests/Makefile.include | 3 ++
tests/check-qom-props.c | 122 ++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 126 insertions(+)
create mode 100644 tests/check-qom-props.c
diff --git a/MAINTAINERS b/MAINTAINERS
index 4a605791fc..f003db2c5c 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1361,6 +1361,7 @@ F: qom/
X: qom/cpu.c
F: tests/check-qom-interface.c
F: tests/check-qom-proplist.c
+F: tests/check-qom-props.c
F: tests/qom-test.c
QMP
diff --git a/tests/Makefile.include b/tests/Makefile.include
index e98d3b6bb3..958f768eba 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -86,6 +86,8 @@ check-unit-y += tests/check-qom-interface$(EXESUF)
gcov-files-check-qom-interface-y = qom/object.c
check-unit-y += tests/check-qom-proplist$(EXESUF)
gcov-files-check-qom-proplist-y = qom/object.c
+check-unit-y += tests/check-qom-props$(EXESUF)
+gcov-files-check-qom-props-y = qom/object.c
check-unit-y += tests/test-qemu-opts$(EXESUF)
gcov-files-test-qemu-opts-y = qom/test-qemu-opts.c
check-unit-y += tests/test-write-threshold$(EXESUF)
@@ -487,6 +489,7 @@ tests/check-qnull$(EXESUF): tests/check-qnull.o $(test-util-obj-y)
tests/check-qjson$(EXESUF): tests/check-qjson.o $(test-util-obj-y)
tests/check-qom-interface$(EXESUF): tests/check-qom-interface.o $(test-qom-obj-y)
tests/check-qom-proplist$(EXESUF): tests/check-qom-proplist.o $(test-qom-obj-y)
+tests/check-qom-props$(EXESUF): tests/check-qom-props.o $(test-qom-obj-y)
tests/test-char$(EXESUF): tests/test-char.o qemu-char.o qemu-timer.o $(test-util-obj-y) $(qtest-obj-y) $(test-io-obj-y)
tests/test-coroutine$(EXESUF): tests/test-coroutine.o $(test-block-obj-y)
diff --git a/tests/check-qom-props.c b/tests/check-qom-props.c
new file mode 100644
index 0000000000..681e121c07
--- /dev/null
+++ b/tests/check-qom-props.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2015 Red Hat, Inc.
+ * Copyright (c) 2015 SUSE Linux GmbH
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ * Author: Daniel P. Berrange <berrange@redhat.com>
+ * Andreas Färber <afaerber@suse.com>
+ */
+
+#include "qemu/osdep.h"
+
+#include <glib.h>
+
+#include "qapi/visitor.h"
+#include "qom/object.h"
+#include "qemu/module.h"
+
+
+#define TYPE_DUMMY "qemu-dummy"
+
+typedef struct DummyObject DummyObject;
+typedef struct DummyObjectClass DummyObjectClass;
+
+#define DUMMY_OBJECT(obj) \
+ OBJECT_CHECK(DummyObject, (obj), TYPE_DUMMY)
+
+struct DummyObject {
+ Object parent_obj;
+
+ uint64_t u64val;
+};
+
+struct DummyObjectClass {
+ ObjectClass parent_class;
+};
+
+static void dummy_set_uint64(Object *obj, Visitor *v,
+ const char *name, void *opaque,
+ Error **errp)
+{
+ uint64_t *ptr = (uint64_t *)opaque;
+
+ visit_type_uint64(v, name, ptr, errp);
+}
+
+static void dummy_get_uint64(Object *obj, Visitor *v,
+ const char *name, void *opaque,
+ Error **errp)
+{
+ uint64_t value = *(uint64_t *)opaque;
+
+ visit_type_uint64(v, name, &value, errp);
+}
+
+static void dummy_init(Object *obj)
+{
+ DummyObject *dobj = DUMMY_OBJECT(obj);
+
+ object_property_add(obj, "u64val", "uint64",
+ dummy_get_uint64,
+ dummy_set_uint64,
+ NULL, &dobj->u64val, NULL);
+}
+
+
+static const TypeInfo dummy_info = {
+ .name = TYPE_DUMMY,
+ .parent = TYPE_OBJECT,
+ .instance_size = sizeof(DummyObject),
+ .instance_init = dummy_init,
+ .class_size = sizeof(DummyObjectClass),
+};
+
+static void test_dummy_uint64(void)
+{
+ Error *err = NULL;
+ char *str;
+ DummyObject *dobj = DUMMY_OBJECT(object_new(TYPE_DUMMY));
+
+ g_assert(dobj->u64val == 0);
+
+ str = g_strdup_printf("%" PRIu64, UINT64_MAX);
+ object_property_parse(OBJECT(dobj), str, "u64val", &err);
+ g_free(str);
+ g_assert(!err);
+ g_assert_cmpint(dobj->u64val, ==, UINT64_MAX);
+
+ dobj->u64val = 0;
+ str = g_strdup_printf("0x%" PRIx64, UINT64_MAX);
+ object_property_parse(OBJECT(dobj), str, "u64val", &err);
+ g_free(str);
+ g_assert(!err);
+ g_assert_cmpint(dobj->u64val, ==, UINT64_MAX);
+
+ object_unref(OBJECT(dobj));
+}
+
+
+int main(int argc, char **argv)
+{
+ g_test_init(&argc, &argv, NULL);
+
+ module_call_init(MODULE_INIT_QOM);
+ type_register_static(&dummy_info);
+
+ g_test_add_func("/qom/props/uint64", test_dummy_uint64);
+
+ return g_test_run();
+}

View File

@ -0,0 +1,142 @@
From e01538b7559d5560be963fc679f51e7441111fc2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Fri, 25 Sep 2015 12:31:11 +0200
Subject: [PATCH] tests: Add scsi-disk test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Test scsi-{disk,hd,cd} wwn properties for correct 64-bit parsing.
For now piggyback on virtio-scsi.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
MAINTAINERS | 1 +
tests/Makefile.include | 3 ++
tests/scsi-disk-test.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 86 insertions(+)
create mode 100644 tests/scsi-disk-test.c
diff --git a/MAINTAINERS b/MAINTAINERS
index f003db2c5c..fcf633640e 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -920,6 +920,7 @@ M: Paolo Bonzini <pbonzini@redhat.com>
S: Supported
F: include/hw/scsi/*
F: hw/scsi/*
+F: tests/scsi-disk-test.c
F: tests/virtio-scsi-test.c
T: git git://github.com/bonzini/qemu.git scsi-next
diff --git a/tests/Makefile.include b/tests/Makefile.include
index 958f768eba..5643e8fa64 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
@@ -148,6 +148,8 @@ check-qtest-virtio-y += tests/virtio-rng-test$(EXESUF)
gcov-files-virtio-y += hw/virtio/virtio-rng.c
check-qtest-virtio-y += tests/virtio-scsi-test$(EXESUF)
gcov-files-virtio-y += i386-softmmu/hw/scsi/virtio-scsi.c
+check-qtest-virtio-y += tests/scsi-disk-test$(EXESUF)
+gcov-files-virtio-y += i386-softmmu/hw/scsi/scsi-disk.c
ifeq ($(CONFIG_VIRTIO)$(CONFIG_VIRTFS)$(CONFIG_PCI),yyy)
check-qtest-virtio-y += tests/virtio-9p-test$(EXESUF)
gcov-files-virtio-y += hw/9pfs/virtio-9p.c
@@ -682,6 +684,7 @@ tests/usb-hcd-xhci-test$(EXESUF): tests/usb-hcd-xhci-test.o $(libqos-usb-obj-y)
tests/pc-cpu-test$(EXESUF): tests/pc-cpu-test.o
tests/postcopy-test$(EXESUF): tests/postcopy-test.o
tests/vhost-user-test$(EXESUF): tests/vhost-user-test.o qemu-char.o qemu-timer.o $(qtest-obj-y) $(test-io-obj-y) $(libqos-virtio-obj-y) $(libqos-pc-obj-y)
+tests/scsi-disk-test$(EXESUF): tests/scsi-disk-test.o
tests/qemu-iotests/socket_scm_helper$(EXESUF): tests/qemu-iotests/socket_scm_helper.o
tests/test-qemu-opts$(EXESUF): tests/test-qemu-opts.o $(test-util-obj-y)
tests/test-write-threshold$(EXESUF): tests/test-write-threshold.o $(test-block-obj-y)
diff --git a/tests/scsi-disk-test.c b/tests/scsi-disk-test.c
new file mode 100644
index 0000000000..f19f93d97a
--- /dev/null
+++ b/tests/scsi-disk-test.c
@@ -0,0 +1,82 @@
+/*
+ * QTest testcase for SCSI disks
+ * See virtio-scsi-test for more integrated tests.
+ *
+ * Copyright (c) 2015 SUSE Linux GmbH
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include <glib.h>
+#include "libqtest.h"
+#include "qapi/qmp/qint.h"
+
+static void test_scsi_disk_common(const char *type, const char *id)
+{
+ char *cmdline, *path;
+ QDict *response;
+ QInt *value;
+
+ cmdline = g_strdup_printf(
+ "-drive id=drv0,if=none,file=/dev/null,format=raw "
+ "-device virtio-scsi-pci,id=scsi0 "
+ "-device %s,id=%s,bus=scsi0.0,drive=drv0"
+ ",wwn=0x%" PRIx64 ",port_wwn=0x%" PRIx64,
+ type, id, UINT64_MAX, UINT64_C(1) << 63);
+ qtest_start(cmdline);
+ g_free(cmdline);
+
+ path = g_strdup_printf("/machine/peripheral/%s", id);
+
+ response = qmp("{ 'execute': 'qom-get',"
+ " 'arguments': { 'path': %s,"
+ " 'property': 'wwn' } }",
+ path);
+ g_assert(response);
+ g_assert(qdict_haskey(response, "return"));
+ value = qobject_to_qint(qdict_get(response, "return"));
+ g_assert_cmpint(qint_get_int(value), ==, UINT64_MAX);
+
+ response = qmp("{ 'execute': 'qom-get',"
+ " 'arguments': { 'path': %s,"
+ " 'property': 'port_wwn' } }",
+ path);
+ g_assert(response);
+ g_assert(qdict_haskey(response, "return"));
+ value = qobject_to_qint(qdict_get(response, "return"));
+ g_assert_cmpint(qint_get_int(value), ==, UINT64_C(1) << 63);
+
+ g_free(path);
+ qtest_end();
+}
+
+static void test_scsi_disk(void)
+{
+ test_scsi_disk_common("scsi-disk", "disk0");
+}
+
+static void test_scsi_hd(void)
+{
+ test_scsi_disk_common("scsi-hd", "hd0");
+}
+
+static void test_scsi_cd(void)
+{
+ test_scsi_disk_common("scsi-cd", "cd0");
+}
+
+int main(int argc, char **argv)
+{
+ int ret;
+
+ g_test_init(&argc, &argv, NULL);
+ qtest_add_func("/scsi-disk/props", test_scsi_disk);
+ qtest_add_func("/scsi-hd/props", test_scsi_hd);
+ qtest_add_func("/scsi-cd/props", test_scsi_cd);
+
+ ret = g_test_run();
+
+ return ret;
+}

View File

@ -1,32 +0,0 @@
From 9d2c9efdb4d8b49689517271db3420c6de75278d Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Sun, 18 Sep 2016 19:48:35 -0700
Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd
While processing isochronous transfer descriptors(iTD), if the page
select(PG) field value is out of bands it will return. In this
situation the ehci's sg list is not freed thus leading to a memory
leak issue. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a)
[BR: CVE-2016-7995 BSC#1003612]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/usb/hcd-ehci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index b093db7..f4ece9a 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
if (off + len > 4096) {
/* transfer crosses page border */
if (pg == 6) {
+ qemu_sglist_destroy(&ehci->isgl);
return -1; /* avoid page pg + 1 */
}
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);

View File

@ -0,0 +1,40 @@
From 0cfea2b4d63daecfcf05e54e2f1d6755e9158a31 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 1 Nov 2016 05:37:57 -0700
Subject: [PATCH] virtio-gpu: fix information leak in capset get dispatch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In virgl_cmd_get_capset function, it uses g_malloc to allocate
a response struct to the guest. As the 'resp'struct hasn't been full
initialized it will lead the 'resp->padding' field to the guest.
Use g_malloc0 to avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com
[ kraxel: resolved conflict ]
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 85d9d044471f93c48c5c396f7e217b4ef12f69f8)
[BR: CVE-2016-9908 BSC#1014514]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/virtio-gpu-3d.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 23f39de94d..d98b1404e1 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
&max_size);
- resp = g_malloc(sizeof(*resp) + max_size);
+ resp = g_malloc0(sizeof(*resp) + max_size);
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
virgl_renderer_fill_caps(gc.capset_id,

View File

@ -1,68 +0,0 @@
From 8e5cea1968f6fe19792237cb2abeaf6e7ff3244e Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 10 Oct 2016 12:46:22 +0200
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
Needed to avoid we run in circles forever in case the guest builds
an endless loop with link trbs.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Tested-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 05f43d44e4bc26611ce25fd7d726e483f73363ce)
[BR: CVE-2016-8576 BSC#1003878]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/usb/hcd-xhci.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 281a2a5..8a9a31a 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -54,6 +54,8 @@
* to the specs when it gets them */
#define ER_FULL_HACK
+#define TRB_LINK_LIMIT 4
+
#define LEN_CAP 0x40
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
dma_addr_t *addr)
{
PCIDevice *pci_dev = PCI_DEVICE(xhci);
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
ring->dequeue += TRB_SIZE;
return type;
} else {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return 0;
+ }
ring->dequeue = xhci_mask64(trb->parameter);
if (trb->control & TRB_LK_TC) {
ring->ccs = !ring->ccs;
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
bool ccs = ring->ccs;
/* hack to bundle together the two/three TDs that make a setup transfer */
bool control_td_set = 0;
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
type = TRB_TYPE(trb);
if (type == TR_LINK) {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return -length;
+ }
dequeue = xhci_mask64(trb.parameter);
if (trb.control & TRB_LK_TC) {
ccs = !ccs;

View File

@ -1,58 +0,0 @@
From 2d4128223e6b5a3dff30e0b07435620f1092c5ae Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: allocate space for guest originated empty strings
If a guest sends an empty string paramater to any 9P operation, the current
code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
This is unfortunate because it can cause NULL pointer dereference to happen
at various locations in the 9pfs code. And we don't want to check str->data
everywhere we pass it to strcmp() or any other function which expects a
dereferenceable pointer.
This patch enforces the allocation of genuine C empty strings instead, so
callers don't have to bother.
Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
the returned string is empty. It now uses v9fs_string_size() since
name.data cannot be NULL anymore.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
[groug, rewritten title and changelog,
fix empty string check in v9fs_xattrwalk()]
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit ba42ebb863ab7d40adc79298422ed9596df8f73a)
[BR: CVE-2016-8578 BSC#1003894]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
fsdev/9p-iov-marshal.c | 2 +-
hw/9pfs/9p.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
index 663cad5..1d16f8d 100644
--- a/fsdev/9p-iov-marshal.c
+++ b/fsdev/9p-iov-marshal.c
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
str->data = g_malloc(str->size + 1);
copied = v9fs_unpack(str->data, out_sg, out_num, offset,
str->size);
- if (copied > 0) {
+ if (copied >= 0) {
str->data[str->size] = 0;
} else {
v9fs_string_free(str);
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index dfe293d..a345fe3 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3160,7 +3160,7 @@ static void v9fs_xattrwalk(void *opaque)
goto out;
}
v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
- if (name.data == NULL) {
+ if (!v9fs_string_size(&name)) {
/*
* listxattr request. Get the size first
*/

View File

@ -0,0 +1,72 @@
From 3b4bf7e1b33e254709c6a3948891f7da4aac63e3 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Mon, 9 Jan 2017 13:35:20 -0700
Subject: [PATCH] display: cirrus: ignore source pitch value as needed in
blit_is_unsafe
Commit 4299b90 added a check which is too broad, given that the source
pitch value is not required to be initialized for solid fill operations.
This patch refines the blit_is_unsafe() check to ignore source pitch in
that case. After applying the above commit as a security patch, we
noticed the SLES 11 SP4 guest gui failed to initialize properly.
Signed-off-by: Bruce Rogers <brogers@suse.com>
Message-id: 20170109203520.5619-1-brogers@suse.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 913a87885f589d263e682c2eb6637c6e14538061)
[BR: BSC#1016779]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/cirrus_vga.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index bdb092ee9d..379910db2d 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
return false;
}
-static bool blit_is_unsafe(struct CirrusVGAState *s)
+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
{
/* should be the case, see cirrus_bitblt_start */
assert(s->cirrus_blt_width > 0);
@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
return true;
}
+ if (dst_only) {
+ return false;
+ }
if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
return true;
@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
- if (blit_is_unsafe(s))
+ if (blit_is_unsafe(s, false))
return 0;
(*s->cirrus_rop) (s, dst, src,
@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
{
cirrus_fill_t rop_func;
- if (blit_is_unsafe(s)) {
+ if (blit_is_unsafe(s, true)) {
return 0;
}
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
{
- if (blit_is_unsafe(s))
+ if (blit_is_unsafe(s, false))
return 0;
return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,

View File

@ -1,32 +0,0 @@
From 9f7f59799ea714c512ecfc0e224df66095abf9c0 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: fix memory leak in v9fs_link
The v9fs_link() function keeps a reference on the source fid object. This
causes a memory leak since the reference never goes down to 0. This patch
fixes the issue.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
[groug, rephrased the changelog]
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit 4c1586787ff43c9acd18a56c12d720e3e6be9f7c)
[BR: CVE-2016-9105 BSC#1007494]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index a345fe3..239aef4 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2402,6 +2402,7 @@ static void v9fs_link(void *opaque)
if (!err) {
err = offset;
}
+ put_fid(pdu, oldfidp);
out:
put_fid(pdu, dfidp);
out_nofid:

View File

@ -0,0 +1,34 @@
From 65cef1a069623a0cede6b0bbb6ddeaec0fb023b3 Mon Sep 17 00:00:00 2001
From: Christian Borntraeger <borntraeger@de.ibm.com>
Date: Tue, 24 Jan 2017 22:17:47 +0100
Subject: [PATCH] s390x/kvm: fix small race reboot vs. cmma
Right now we reset all devices before we reset the cmma states. This
can result in the host kernel discarding guest pages that were
previously in the unused state but already contain a bios or a -kernel
file before the cmma reset has finished. This race results in random
guest crashes or hangs during very early reboot.
Fixes: 1cd4e0f6f0a6 ("s390x/cmma: clean up cmma reset")
Cc: qemu-stable@nongnu.org
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
(cherry picked from commit 1a0e4c8b02ea510508970c333ee610a90b921cbb)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/s390x/s390-virtio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/s390x/s390-virtio.c b/hw/s390x/s390-virtio.c
index 0a963473ad..7a3a7fe5fd 100644
--- a/hw/s390x/s390-virtio.c
+++ b/hw/s390x/s390-virtio.c
@@ -204,8 +204,8 @@ void s390_machine_reset(void)
{
S390CPU *ipl_cpu = S390_CPU(qemu_get_cpu(0));
- qemu_devices_reset();
s390_cmma_reset();
+ qemu_devices_reset();
s390_crypto_reset();
/* all cpus are stopped - configure and start the ipl cpu only */

View File

@ -1,39 +0,0 @@
From 5f29f9ab1d097cf326dfa477f75d30117f668b49 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: fix potential host memory leak in v9fs_read
In 9pfs read dispatch function, it doesn't free two QEMUIOVector
object thus causing potential memory leak. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit e95c9a493a5a8d6f969e86c9f19f80ffe6587e19)
[BR: CVE-2016-8577 BSC#1003893]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 239aef4..4a71cff 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1812,14 +1812,15 @@ static void v9fs_read(void *opaque)
if (len < 0) {
/* IO error return the error */
err = len;
- goto out;
+ goto out_free_iovec;
}
} while (count < max_count && len > 0);
err = pdu_marshal(pdu, offset, "d", count);
if (err < 0) {
- goto out;
+ goto out_free_iovec;
}
err += offset + count;
+out_free_iovec:
qemu_iovec_destroy(&qiov);
qemu_iovec_destroy(&qiov_full);
} else if (fidp->fid_type == P9_FID_XATTR) {

View File

@ -0,0 +1,32 @@
From 52f9cd6fd4943ff0202133646da31788447a2209 Mon Sep 17 00:00:00 2001
From: David Hildenbrand <david@redhat.com>
Date: Mon, 30 Jan 2017 15:50:25 +0100
Subject: [PATCH] target/s390x: use "qemu" cpu model in user mode
"any" does not exist, therefore resulting in a misleading error message.
Reported-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: David Hildenbrand <david@redhat.com>
Message-Id: <20170130145025.26475-1-david@redhat.com>
Reviewed-by: Stefan Weil <sw@weilnetz.de>
Reviewed-by: Alexander Graf <agraf@suse.de>
Cc: qemu-stable@nongnu.org
(cherry picked from commit d8923bc75479cd3fdcc72b7647f4877f91950b01)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
linux-user/main.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/linux-user/main.c b/linux-user/main.c
index 75b199f274..cc77ec4713 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -4045,6 +4045,8 @@ int main(int argc, char **argv, char **envp)
# endif
#elif defined TARGET_SH4
cpu_model = TYPE_SH7785_CPU;
+#elif defined TARGET_S390X
+ cpu_model = "qemu";
#else
cpu_model = "any";
#endif

View File

@ -1,32 +0,0 @@
From 9f8a42e3f35479353ad9b9b5af78e136fd59b509 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: fix information leak in xattr read
9pfs uses g_malloc() to allocate the xattr memory space, if the guest
reads this memory before writing to it, this will leak host heap memory
to the guest. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit eb687602853b4ae656e9236ee4222609f3a6887d)
[BR: CVE-2016-9103 BSC#1007454]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 4a71cff..af32464 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3270,7 +3270,7 @@ static void v9fs_xattrcreate(void *opaque)
xattr_fidp->fs.xattr.flags = flags;
v9fs_string_init(&xattr_fidp->fs.xattr.name);
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
- xattr_fidp->fs.xattr.value = g_malloc(size);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
err = offset;
put_fid(pdu, file_fidp);
out_nofid:

View File

@ -0,0 +1,35 @@
From a31edb2865923f478830a2f05e64259ae9841f3c Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Tue, 14 Feb 2017 10:37:59 -0700
Subject: [PATCH] linux-user: exclude cpu model code when building linux-user
A section of s390_realize_cpu_model() needed to be guarded by
CONFIG_USER_ONLY. This omission was causing a segfault when
testing the executable being built for the s390x qemu-linux-user
package.
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target-s390x/cpu_models.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/target-s390x/cpu_models.c b/target-s390x/cpu_models.c
index c1e729df5e..f2eadd2cfb 100644
--- a/target-s390x/cpu_models.c
+++ b/target-s390x/cpu_models.c
@@ -738,6 +738,7 @@ void s390_realize_cpu_model(CPUState *cs, Error **errp)
return;
}
+#ifndef CONFIG_USER_ONLY
/* copy over properties that can vary */
cpu->model->lowest_ibc = max_model->lowest_ibc;
cpu->model->cpu_id = max_model->cpu_id;
@@ -750,6 +751,7 @@ void s390_realize_cpu_model(CPUState *cs, Error **errp)
}
apply_cpu_model(cpu->model, errp);
+#endif
}
static void get_feature(Object *obj, Visitor *v, const char *name,

View File

@ -1,35 +0,0 @@
From 61eb543d366088cebecaf8fead80d1bd32db7cb2 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate
The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
situation that this field has been allocated previously. Every time, it
will be allocated directly. This leads to a host memory leak issue if
the client sends another Txattrcreate message with the same fid number
before the fid from the previous time got clunked.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
[groug, updated the changelog to indicate how the leak can occur]
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit ff55e94d23ae94c8628b0115320157c763eb3e06)
[BR: CVE-2016-9102 BSC#1007450]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index af32464..aa2b8c0 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3270,6 +3270,7 @@ static void v9fs_xattrcreate(void *opaque)
xattr_fidp->fs.xattr.flags = flags;
v9fs_string_init(&xattr_fidp->fs.xattr.name);
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
+ g_free(xattr_fidp->fs.xattr.value);
xattr_fidp->fs.xattr.value = g_malloc0(size);
err = offset;
put_fid(pdu, file_fidp);

View File

@ -0,0 +1,30 @@
From 5525a02cb6f16bf4bd4ba111012457be80e99418 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Fri, 17 Feb 2017 14:59:49 -0700
Subject: [PATCH] tests: check path to avoid a failing qga/get-vcpus test
The qga/get-vcpus test fails in a simple chroot environment, as
used in an openSUSE Build Service local build, so first check
that the sysfs based path exists in order to avoid calling this
test in an environment where it won't work right.
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
tests/test-qga.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/test-qga.c b/tests/test-qga.c
index 868b02a40f..9e6d19a6e1 100644
--- a/tests/test-qga.c
+++ b/tests/test-qga.c
@@ -924,7 +924,9 @@ int main(int argc, char **argv)
g_test_add_data_func("/qga/info", &fix, test_qga_info);
g_test_add_data_func("/qga/network-get-interfaces", &fix,
test_qga_network_get_interfaces);
- g_test_add_data_func("/qga/get-vcpus", &fix, test_qga_get_vcpus);
+ if (!access("/sys/devices/system/cpu/cpu0", F_OK)) {
+ g_test_add_data_func("/qga/get-vcpus", &fix, test_qga_get_vcpus);
+ }
g_test_add_data_func("/qga/get-fsinfo", &fix, test_qga_get_fsinfo);
g_test_add_data_func("/qga/get-memory-block-info", &fix,
test_qga_get_memory_block_info);

View File

@ -1,33 +0,0 @@
From 1dd9e4b00e2f7eb60436a5a3017042eb7b93a8ff Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: fix memory leak in v9fs_write
If an error occurs when marshalling the transfer length to the guest, the
v9fs_write() function doesn't free an IO vector, thus leading to a memory
leak. This patch fixes the issue.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
[groug, rephrased the changelog]
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit fdfcc9aeea1492f4b819a24c94dfb678145b1bf9)
[BR: CVE-2016-9106 BSC#1007495]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index aa2b8c0..af07846 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2080,7 +2080,7 @@ static void v9fs_write(void *opaque)
offset = 7;
err = pdu_marshal(pdu, offset, "d", total);
if (err < 0) {
- goto out;
+ goto out_qiov;
}
err += offset;
trace_v9fs_write_return(pdu->tag, pdu->id, total, err);

View File

@ -0,0 +1,40 @@
From 818182d6045bb5a052b3fd53b995df6510084e83 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 14 Dec 2016 12:31:56 +0530
Subject: [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
command, retrieves the maximum capabilities size to fill in the
response object. It continues to fill in capabilities even if
retrieved 'max_size' is zero(0), thus resulting in OOB access.
Add check to avoid it.
Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20161214070156.23368-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit abd7f08b2353f43274b785db8c7224f082ef4d31)
[BR: CVE-2016-10028 BSC#1017084 BSC#1016503]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/virtio-gpu-3d.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index d98b1404e1..cdd03a47bd 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
&max_size);
- resp = g_malloc0(sizeof(*resp) + max_size);
+ if (!max_size) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
+ return;
+ }
+ resp = g_malloc0(sizeof(*resp) + max_size);
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
virgl_renderer_fill_caps(gc.capset_id,
gc.capset_version,

View File

@ -1,37 +0,0 @@
From 5a472227730f7f2465baf36716d755ced0300611 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 12 Oct 2016 11:28:08 +0530
Subject: [PATCH] char: serial: check divider value against baud base
16550A UART device uses an oscillator to generate frequencies
(baud base), which decide communication speed. This speed could
be changed by dividing it by a divider. If the divider is
greater than the baud base, speed is set to zero, leading to a
divide by zero error. Add check to avoid it.
Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1476251888-20238-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3592fe0c919cf27a81d8e9f9b4f269553418bb01)
[BR: CVE-2016-8669 BSC#1004707]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/char/serial.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/char/serial.c b/hw/char/serial.c
index 3442f47..eec72b7 100644
--- a/hw/char/serial.c
+++ b/hw/char/serial.c
@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
int speed, parity, data_bits, stop_bits, frame_size;
QEMUSerialSetParams ssp;
- if (s->divider == 0)
+ if (s->divider == 0 || s->divider > s->baudbase) {
return;
+ }
/* Start bit. */
frame_size = 1;

View File

@ -0,0 +1,46 @@
From 56fb083af9f432ec4ab438f016e26025981f3136 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 28 Nov 2016 17:49:04 -0800
Subject: [PATCH] watchdog: 6300esb: add exit function
When the Intel 6300ESB watchdog is hot unplug. The timer allocated
in realize isn't freed thus leaking memory leak. This patch avoid
this through adding the exit function.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit eb7a20a3616085d46aa6b4b4224e15587ec67e6e)
[BR: CVE-2016-10155 BSC#1021129]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/watchdog/wdt_i6300esb.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
index a83d951213..49b3cd188a 100644
--- a/hw/watchdog/wdt_i6300esb.c
+++ b/hw/watchdog/wdt_i6300esb.c
@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
/* qemu_register_coalesced_mmio (addr, 0x10); ? */
}
+static void i6300esb_exit(PCIDevice *dev)
+{
+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
+
+ timer_del(d->timer);
+ timer_free(d->timer);
+}
+
static WatchdogTimerModel model = {
.wdt_name = "i6300esb",
.wdt_description = "Intel 6300ESB",
@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
k->config_read = i6300esb_config_read;
k->config_write = i6300esb_config_write;
k->realize = i6300esb_realize;
+ k->exit = i6300esb_exit;
k->vendor_id = PCI_VENDOR_ID_INTEL;
k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
k->class_id = PCI_CLASS_SYSTEM_OTHER;

View File

@ -1,37 +0,0 @@
From ac4e97299905661397882b588d6d2c08e5df65b0 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 30 Sep 2016 00:27:33 +0530
Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length
The AMD PC-Net II emulator has set of control and status(CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 34e29ce754c02bb6b3bdd244fbb85033460feaff)
[BR: CVE-2016-7909 BSC#1002557]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/pcnet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index 198a01f..3078de8 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
case 47: /* POLLINT */
case 72:
case 74:
+ break;
case 76: /* RCVRL */
case 78: /* XMTRL */
+ val = (val > 0) ? val : 512;
+ break;
case 112:
if (CSR_STOP(s) || CSR_SPND(s))
break;

View File

@ -0,0 +1,41 @@
From 07cbf6021a6ab8bf3756692379a9942bdfeb7e00 Mon Sep 17 00:00:00 2001
From: Li Qiang <liq3ea@gmail.com>
Date: Thu, 29 Dec 2016 03:11:26 -0500
Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the virgl_renderer_resource_attach_iov function fails the
'res_iovs' will be leaked. Add check of the return value to
free the 'res_iovs' when failing.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 33243031dad02d161225ba99d782616da133f689)
[BR: CVE-2017-5552 BSC#1021195]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/virtio-gpu-3d.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index cdd03a47bd..f96a0c2e59 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
return;
}
- virgl_renderer_resource_attach_iov(att_rb.resource_id,
- res_iovs, att_rb.nr_entries);
+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+ res_iovs, att_rb.nr_entries);
+
+ if (ret != 0)
+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
}
static void virgl_resource_detach_backing(VirtIOGPU *g,

View File

@ -1,30 +0,0 @@
From c266d999085e07c2cbb9b59b9cf4e39c0c7e2ae0 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Sat, 8 Oct 2016 05:07:25 -0700
Subject: [PATCH] net: eepro100: fix memory leak in device uninit
The exit dispatch of eepro100 network card device doesn't free
the 's->vmstate' field which was allocated in device realize thus
leading a host memory leak. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 2634ab7fe29b3f75d0865b719caf8f310d634aae)
[BR: CVE-2016-9101 BSC#1007391]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/eepro100.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
index bab4dbf..4bf71f2 100644
--- a/hw/net/eepro100.c
+++ b/hw/net/eepro100.c
@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
+ g_free(s->vmstate);
eeprom93xx_free(&pci_dev->qdev, s->eeprom);
qemu_del_nic(s->nic);
}

View File

@ -0,0 +1,35 @@
From 536ae1665b9302a31932113b1ec7d52cbd7af752 Mon Sep 17 00:00:00 2001
From: Li Qiang <liq3ea@gmail.com>
Date: Thu, 29 Dec 2016 04:28:41 -0500
Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
In the resource attach backing function, everytime it will
allocate 'res->iov' thus can leading a memory leak. This
patch avoid this.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 204f01b30975923c64006f8067f0937b91eea68b)
[BR: CVE-2017-5578 BSC#1021481]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/virtio-gpu.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 3eafe495ef..edd8ddaf78 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -708,6 +708,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
return;
}
+ if (res->iov) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+ return;
+ }
+
ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
if (ret != 0) {
cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;

View File

@ -1,36 +0,0 @@
From 9999bb270b68c8bfb82d37a52515cbbfdc7d900f Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 12 Oct 2016 14:40:55 +0530
Subject: [PATCH] net: rocker: set limit to DMA buffer size
Rocker network switch emulator has test registers to help debug
DMA operations. While testing host DMA access, a buffer address
is written to register 'TEST_DMA_ADDR' and its size is written to
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
test, if DMA buffer size was greater than 'INT_MAX', it leads to
an invalid buffer access. Limit the DMA buffer size to avoid it.
Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 8caed3d564672e8bc6d2e4c6a35228afd01f4723)
[BR: CVE-2016-8668 BSC#1004706]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/rocker/rocker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
index 30f2ce4..e9d215a 100644
--- a/hw/net/rocker/rocker.c
+++ b/hw/net/rocker/rocker.c
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
rocker_msix_irq(r, val);
break;
case ROCKER_TEST_DMA_SIZE:
- r->test_dma_size = val;
+ r->test_dma_size = val & 0xFFFF;
break;
case ROCKER_TEST_DMA_ADDR + 4:
r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;

View File

@ -0,0 +1,53 @@
From d1d06f7db5b44371db5dc1c559c5d8c1bda9d731 Mon Sep 17 00:00:00 2001
From: Halil Pasic <pasic@linux.vnet.ibm.com>
Date: Mon, 19 Dec 2016 16:44:44 +0100
Subject: [PATCH] virtio: fix vq->inuse recalc after migr
Correct recalculation of vq->inuse after migration for the corner case
where the avail_idx has already wrapped but used_idx not yet.
Also change the type of the VirtQueue.inuse to unsigned int. This is
done to be consistent with other members representing sizes (VRing.num),
and because C99 guarantees max ring size < UINT_MAX but does not
guarantee max ring size < INT_MAX.
Signed-off-by: Halil Pasic <pasic@linux.vnet.ibm.com>
Fixes: bccdef6b ("virtio: recalculate vq->inuse after migration")
CC: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit e66bcc408146730958d1a840bda85d7ad51e0cd7)
[BR: BSC#1020928]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/virtio/virtio.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 1af2de2714..e37641a9c9 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -92,7 +92,7 @@ struct VirtQueue
uint16_t queue_index;
- int inuse;
+ unsigned int inuse;
uint16_t vector;
VirtIOHandleOutput handle_output;
@@ -1855,9 +1855,11 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f, int version_id)
/*
* Some devices migrate VirtQueueElements that have been popped
* from the avail ring but not yet returned to the used ring.
+ * Since max ring size < UINT16_MAX it's safe to use modulo
+ * UINT16_MAX + 1 subtraction.
*/
- vdev->vq[i].inuse = vdev->vq[i].last_avail_idx -
- vdev->vq[i].used_idx;
+ vdev->vq[i].inuse = (uint16_t)(vdev->vq[i].last_avail_idx -
+ vdev->vq[i].used_idx);
if (vdev->vq[i].inuse > vdev->vq[i].vring.num) {
error_report("VQ %d size 0x%x < last_avail_idx 0x%x - "
"used_idx 0x%x",

View File

@ -0,0 +1,55 @@
From 6a847bb812fe7946a2d3c457d75ca3db0fe962b0 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Wed, 14 Dec 2016 18:32:22 -0800
Subject: [PATCH] audio: es1370: add exit function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently the es1370 device emulation doesn't have a exit function,
hot unplug this device will leak some memory. Add a exit function to
avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da)
[BR: CVE-2017-5526 BSC#1020589]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/audio/es1370.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
index 8449b5f436..883ec69b30 100644
--- a/hw/audio/es1370.c
+++ b/hw/audio/es1370.c
@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
es1370_reset (s);
}
+static void es1370_exit(PCIDevice *dev)
+{
+ ES1370State *s = ES1370(dev);
+ int i;
+
+ for (i = 0; i < 2; ++i) {
+ AUD_close_out(&s->card, s->dac_voice[i]);
+ }
+
+ AUD_close_in(&s->card, s->adc_voice);
+ AUD_remove_card(&s->card);
+}
+
static int es1370_init (PCIBus *bus)
{
pci_create_simple (bus, -1, TYPE_ES1370);
@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
k->realize = es1370_realize;
+ k->exit = es1370_exit;
k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;

View File

@ -1,33 +0,0 @@
From d77a9e7e19bf1f4697445513df7b67a865bb6d8e Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Thu, 11 Aug 2016 00:42:20 +0530
Subject: [PATCH] net: vmxnet: initialise local tx descriptor
In Vmxnet3 device emulator while processing transmit(tx) queue,
when it reaches end of packet, it calls vmxnet3_complete_packet.
In that local 'txcq_descr' object is not initialised, which could
leak host memory bytes a guest.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit fdda170e50b8af062cf5741e12c4fb5e57a2eacf)
[BR: CVE-2016-6836 BSC#994760]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/vmxnet3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 90f6943..92f6af9 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
+ memset(&txcq_descr, 0, sizeof(txcq_descr));
txcq_descr.txdIdx = tx_ridx;
txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);

View File

@ -0,0 +1,52 @@
From ebc039becfc5a4506ae0d4962cd87ce1bf5163bc Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Wed, 14 Dec 2016 18:30:21 -0800
Subject: [PATCH] audio: ac97: add exit function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently the ac97 device emulation doesn't have a exit function,
hot unplug this device will leak some memory. Add a exit function to
avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 12351a91da97b414eec8cdb09f1d9f41e535a401)
[BR: CVE-2017-5525 BSC#1020491]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/audio/ac97.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
index cbd959e0bd..c30657501c 100644
--- a/hw/audio/ac97.c
+++ b/hw/audio/ac97.c
@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
ac97_on_reset (&s->dev.qdev);
}
+static void ac97_exit(PCIDevice *dev)
+{
+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
+
+ AUD_close_in(&s->card, s->voice_pi);
+ AUD_close_out(&s->card, s->voice_po);
+ AUD_close_in(&s->card, s->voice_mc);
+ AUD_remove_card(&s->card);
+}
+
static int ac97_init (PCIBus *bus)
{
pci_create_simple (bus, -1, "AC97");
@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
k->realize = ac97_realize;
+ k->exit = ac97_exit;
k->vendor_id = PCI_VENDOR_ID_INTEL;
k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
k->revision = 0x01;

View File

@ -1,34 +0,0 @@
From 854b5adf363ebfb07ad0134079401d62cdf25b77 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 21 Oct 2016 17:39:29 +0530
Subject: [PATCH] net: rtl8139: limit processing of ring descriptors
RTL8139 ethernet controller in C+ mode supports multiple
descriptor rings, each with maximum of 64 descriptors. While
processing transmit descriptor ring in 'rtl8139_cplus_transmit',
it does not limit the descriptor count and runs forever. Add
check to avoid it.
Reported-by: Andrew Henderson <hendersa@icculus.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit c7c35916692fe010fef25ac338443d3fe40be225)
[BR: CVE-2016-8910 BSC#1006538]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/rtl8139.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 3345bc6..f05e59c 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
{
int txcount = 0;
- while (rtl8139_cplus_transmit_one(s))
+ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
{
++txcount;
}

View File

@ -1,38 +0,0 @@
From 1f01b4d6f3d3acc6d0fd5e809b0de4547f4815cc Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 20 Oct 2016 13:10:24 +0530
Subject: [PATCH] audio: intel-hda: check stream entry count during transfer
Intel HDA emulator uses stream of buffers during DMA data
transfers. Each entry has buffer length and buffer pointer
position, which are used to derive bytes to 'copy'. If this
length and buffer pointer were to be same, 'copy' could be
set to zero(0), leading to an infinite loop. Add check to
avoid it.
Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 0c0fc2b5fd534786051889459848764edd798050)
[BR: CVE-2016-8909 BSC#1006536]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/audio/intel-hda.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index cd95340..537face 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
}
left = len;
- while (left > 0) {
+ s = st->bentries;
+ while (left > 0 && s-- > 0) {
copy = left;
if (copy > st->bsize - st->lpib)
copy = st->bsize - st->lpib;

View File

@ -0,0 +1,64 @@
From 27db53c8bdbb318eef77b9ac01ea02e6b0cd0b02 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 2 Jan 2017 11:03:33 +0100
Subject: [PATCH] megasas: fix guest-triggered memory leak
If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
Avoid this by returning only the status from map_dcmd, and loading
cmd->iov_size in the caller.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 765a707000e838c30b18d712fe6cb3dd8e0435f3)
[BR: CVE-2017-5856 BSC#1023053]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/megasas.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 67fc1e7893..6233865494 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
trace_megasas_dcmd_invalid_sge(cmd->index,
cmd->frame->header.sge_count);
cmd->iov_size = 0;
- return -1;
+ return -EINVAL;
}
iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
cmd->iov_size = iov_size;
- return cmd->iov_size;
+ return 0;
}
static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t {
static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
{
- int opcode, len;
+ int opcode;
int retval = 0;
+ size_t len;
const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
trace_megasas_handle_dcmd(cmd->index, opcode);
- len = megasas_map_dcmd(s, cmd);
- if (len < 0) {
+ if (megasas_map_dcmd(s, cmd) < 0) {
return MFI_STAT_MEMORY_NOT_AVAILABLE;
}
while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
cmdptr++;
}
+ len = cmd->iov_size;
if (cmdptr->opcode == -1) {
trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
retval = megasas_dcmd_dummy(s, cmd);

View File

@ -0,0 +1,49 @@
From 3f442b06232be126e08d9207e4cac3e3afe0e62d Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Wed, 25 Jan 2017 14:48:57 +0100
Subject: [PATCH] cirrus: handle negative pitch in cirrus_invalidate_region()
cirrus_invalidate_region() calls memory_region_set_dirty()
on a per-line basis, always ranging from off_begin to
off_begin+bytesperline. With a negative pitch off_begin
marks the top most used address and thus we need to do an
initial shift backwards by a line for negative pitches of
backward blits, otherwise the first iteration covers the
line going from the start offset forwards instead of
backwards.
Additionally since the start address is inclusive, if we
shift by a full `bytesperline` we move to the first address
*not* included in the blit, so we only shift by one less
than bytesperline.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Message-id: 1485352137-29367-1-git-send-email-w.bumiller@proxmox.com
[ kraxel: codestyle fixes ]
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit f153b563f8cf121aebf5a2fff5f0110faf58ccb3)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/cirrus_vga.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 379910db2d..0f05e4596e 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -661,9 +661,14 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
int off_cur;
int off_cur_end;
+ if (off_pitch < 0) {
+ off_begin -= bytesperline - 1;
+ }
+
for (y = 0; y < lines; y++) {
off_cur = off_begin;
off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
+ assert(off_cur_end >= off_cur);
memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur);
off_begin += off_pitch;
}

View File

@ -1,35 +0,0 @@
From 6562305928517bbc5b2a4525b8baddb58a510666 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Sun, 18 Sep 2016 19:07:11 -0700
Subject: [PATCH] virtio-gpu: fix memory leak in virtio_gpu_resource_create_2d
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In virtio gpu resource create dispatch, if the pixman format is zero
it doesn't free the resource object allocated previously. Thus leading
a host memory leak issue. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 57df486e.8379240a.c3620.ff81@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit cb3a0522b694cc5bb6424497b3f828ccd28fd1dd)
[BR: CVE-2016-7994 BSC#1003613]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/virtio-gpu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 7fe6ed8..5b6d17b 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
qemu_log_mask(LOG_GUEST_ERROR,
"%s: host couldn't handle guest format %d\n",
__func__, c2d.format);
+ g_free(res);
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
return;
}

View File

@ -1,92 +0,0 @@
From a3ada2d4bae5bd45ca8751f47fe59f71cf7355e7 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 1 Nov 2016 12:00:40 +0100
Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
originated offset: they must ensure this offset does not go beyond
the size of the extended attribute that was set in v9fs_xattrcreate().
Unfortunately, the current code implement these checks with unsafe
calculations on 32 and 64 bit values, which may allow a malicious
guest to cause OOB access anyway.
Fix this by comparing the offset and the xattr size, which are
both uint64_t, before trying to compute the effective number of bytes
to read or write.
Suggested-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-By: Guido Günther <agx@sigxcpu.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6)
[BR: CVE-2016-9104 BSC#1007493]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 32 ++++++++++++--------------------
1 file changed, 12 insertions(+), 20 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index af07846..fc4f2cd 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1628,20 +1628,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
{
ssize_t err;
size_t offset = 7;
- int read_count;
- int64_t xattr_len;
+ uint64_t read_count;
V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
VirtQueueElement *elem = v->elems[pdu->idx];
- xattr_len = fidp->fs.xattr.len;
- read_count = xattr_len - off;
+ if (fidp->fs.xattr.len < off) {
+ read_count = 0;
+ } else {
+ read_count = fidp->fs.xattr.len - off;
+ }
if (read_count > max_count) {
read_count = max_count;
- } else if (read_count < 0) {
- /*
- * read beyond XATTR value
- */
- read_count = 0;
}
err = pdu_marshal(pdu, offset, "d", read_count);
if (err < 0) {
@@ -1969,23 +1966,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
{
int i, to_copy;
ssize_t err = 0;
- int write_count;
- int64_t xattr_len;
+ uint64_t write_count;
size_t offset = 7;
- xattr_len = fidp->fs.xattr.len;
- write_count = xattr_len - off;
- if (write_count > count) {
- write_count = count;
- } else if (write_count < 0) {
- /*
- * write beyond XATTR value len specified in
- * xattrcreate
- */
+ if (fidp->fs.xattr.len < off) {
err = -ENOSPC;
goto out;
}
+ write_count = fidp->fs.xattr.len - off;
+ if (write_count > count) {
+ write_count = count;
+ }
err = pdu_marshal(pdu, offset, "d", write_count);
if (err < 0) {
return err;

View File

@ -0,0 +1,103 @@
From 2d9d5517299f47f6cbc208de10cb54d6e0e3971e Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 25 Jan 2017 11:09:56 +0100
Subject: [PATCH] cirrus: fix blit address mask handling
Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr
right after assigning them, in cirrus_bitblt_start(), instead of having
this all over the place in the cirrus code, and missing a few places.
Reported-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 60cd23e85151525ab26591394c4e7e06fa07d216)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/cirrus_vga.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 0f05e4596e..ef5da7acf7 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -305,14 +305,15 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
}
if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
- s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+ s->cirrus_blt_dstaddr)) {
return true;
}
if (dst_only) {
return false;
}
+
if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
- s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+ s->cirrus_blt_srcaddr)) {
return true;
}
@@ -679,7 +680,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
{
uint8_t *dst;
- dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+ dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
if (blit_is_unsafe(s, false))
return 0;
@@ -703,7 +704,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
return 0;
}
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
- rop_func(s, s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ rop_func(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
s->cirrus_blt_dstpitch,
s->cirrus_blt_width, s->cirrus_blt_height);
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
@@ -721,9 +722,8 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
{
- return cirrus_bitblt_common_patterncopy(s,
- s->vga.vram_ptr + ((s->cirrus_blt_srcaddr & ~7) &
- s->cirrus_addr_mask));
+ return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
+ (s->cirrus_blt_srcaddr & ~7));
}
static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
@@ -777,10 +777,8 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
if (notify)
graphic_hw_update(s->vga.con);
- (*s->cirrus_rop) (s, s->vga.vram_ptr +
- (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
- s->vga.vram_ptr +
- (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
+ (*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
+ s->vga.vram_ptr + s->cirrus_blt_srcaddr,
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
s->cirrus_blt_width, s->cirrus_blt_height);
@@ -831,8 +829,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
} else {
/* at least one scan line */
do {
- (*s->cirrus_rop)(s, s->vga.vram_ptr +
- (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ (*s->cirrus_rop)(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
s->cirrus_blt_width, 1);
@@ -951,6 +948,9 @@ static void cirrus_bitblt_start(CirrusVGAState * s)
s->cirrus_blt_modeext = s->vga.gr[0x33];
blt_rop = s->vga.gr[0x32];
+ s->cirrus_blt_dstaddr &= s->cirrus_addr_mask;
+ s->cirrus_blt_srcaddr &= s->cirrus_addr_mask;
+
#ifdef DEBUG_BITBLT
printf("rop=0x%02x mode=0x%02x modeext=0x%02x w=%d h=%d dpitch=%d spitch=%d daddr=0x%08x saddr=0x%08x writemask=0x%02x\n",
blt_rop,

View File

@ -0,0 +1,48 @@
From 5ac15a00c17d95a440ce99c8154d41a263f96032 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Wed, 1 Feb 2017 09:35:01 +0100
Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
{ kraxel: with backward blits (negative pitch) addr is the topmost
address, so check it as-is against vram size ]
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 62d4c6bd5263bb8413a06c80144fc678df6dfb64)
[BR: CVE-2017-2615 BSC#1023004]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/cirrus_vga.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index ef5da7acf7..aaa46abea4 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -277,10 +277,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
}
if (pitch < 0) {
int64_t min = addr
- + ((int64_t)s->cirrus_blt_height-1) * pitch;
- int32_t max = addr
- + s->cirrus_blt_width;
- if (min < 0 || max > s->vga.vram_size) {
+ + ((int64_t)s->cirrus_blt_height - 1) * pitch
+ - s->cirrus_blt_width;
+ if (min < -1 || addr >= s->vga.vram_size) {
return true;
}
} else {

Some files were not shown because too many files have changed in this diff Show More