SHA256
1
0
forked from pool/qemu

Accepting request 419833 from home:bfrogers:branches:Virtualization

Update to v2.6.1 stable release.

OBS-URL: https://build.opensuse.org/request/show/419833
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=311
This commit is contained in:
Alexander Graf 2016-08-18 02:33:12 +00:00 committed by Git OBS Bridge
parent 431f30630a
commit 90b1a2f6cf
89 changed files with 321 additions and 1478 deletions

View File

@ -1,4 +1,4 @@
From d1591b68524b12fa4c9cb7d2fd6fcdf021137ede Mon Sep 17 00:00:00 2001
From 652983299b4b18cdf26414b0ba468c5dd166adc7 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 21 Nov 2011 23:50:36 +0100
Subject: [PATCH] XXX dont dump core on sigabort

View File

@ -1,4 +1,4 @@
From 25da05b51950cf639c26ca5f1e47fcfdfb588ab2 Mon Sep 17 00:00:00 2001
From 611fe6b38bf118be59326f35fd3a066250328311 Mon Sep 17 00:00:00 2001
From: Ulrich Hecht <uli@suse.de>
Date: Tue, 14 Apr 2009 16:18:44 +0200
Subject: [PATCH] qemu-0.9.0.cvs-binfmt

View File

@ -1,4 +1,4 @@
From 307dc6c6bde4ec04b9efd6f27db0295e349bf573 Mon Sep 17 00:00:00 2001
From 6171d82516b151c7d2bac6484c801c45d8de796e Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:20:50 +0200
Subject: [PATCH] qemu-cvs-alsa_bitfield

View File

@ -1,4 +1,4 @@
From 42ec5aa5b6abb395b894311702cec8c09ec44263 Mon Sep 17 00:00:00 2001
From b89afe9048994b21e361d9eebe96825d80d1ef56 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:23:27 +0200
Subject: [PATCH] qemu-cvs-alsa_ioctl

View File

@ -1,4 +1,4 @@
From d899ab90ddfcf5c6efe45f9008cd2c498d368ac9 Mon Sep 17 00:00:00 2001
From 9c9cfb248223f4da2ea2333164ea7e6a6091c03a Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:24:15 +0200
Subject: [PATCH] qemu-cvs-alsa_mmap

View File

@ -1,4 +1,4 @@
From eaa8f697ccd1320f9ce432588beef2d341bc5a18 Mon Sep 17 00:00:00 2001
From 2dc4a9d135ce472a59da891af09ba9529c57b61b Mon Sep 17 00:00:00 2001
From: Ulrich Hecht <uli@suse.de>
Date: Tue, 14 Apr 2009 16:25:41 +0200
Subject: [PATCH] qemu-cvs-gettimeofday

View File

@ -1,4 +1,4 @@
From 5fabc9a72b03eca20cda87e0bb35a92aaa3d4dbf Mon Sep 17 00:00:00 2001
From d2a4cedd351ff7e09843bb5cbb76038af2303df7 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:26:33 +0200
Subject: [PATCH] qemu-cvs-ioctl_debug

View File

@ -1,4 +1,4 @@
From 31a5e0ab101e1549d534a63fb5e9e94007e812f8 Mon Sep 17 00:00:00 2001
From 43f2593e07e0de12dddf72c3205e6a0fb851dc2d Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:27:36 +0200
Subject: [PATCH] qemu-cvs-ioctl_nodirection

View File

@ -1,4 +1,4 @@
From 7164cadf6a1f23d2b931f34c78d3707207306cfb Mon Sep 17 00:00:00 2001
From d367bff9f8b514a0beacac3d21426d787dcef77f Mon Sep 17 00:00:00 2001
From: Ulrich Hecht <uli@suse.de>
Date: Tue, 14 Apr 2009 16:37:42 +0200
Subject: [PATCH] block/vmdk: Support creation of SCSI VMDK images in qemu-img

View File

@ -1,4 +1,4 @@
From a7697f0442c3cb97a5ab4ee60ffe721de6dc791e Mon Sep 17 00:00:00 2001
From 4234d2b99790fd33e82bee633f48d773e0c7c43e Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Fri, 30 Sep 2011 19:40:36 +0200
Subject: [PATCH] linux-user: add binfmt wrapper for argv[0] handling

View File

@ -1,4 +1,4 @@
From c1602f324287481df7aef85c417e143fa47bcea4 Mon Sep 17 00:00:00 2001
From 312bb9ff5f1448e2aebcccc4f124cf8f7fa1e0a0 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Fri, 6 Jan 2012 01:05:55 +0100
Subject: [PATCH] PPC: KVM: Disable mmu notifier check
@ -13,7 +13,7 @@ KVM guests work there, even if possibly racy in some odd circumstances.
1 file changed, 2 insertions(+)
diff --git a/exec.c b/exec.c
index c4f9036..52232dc 100644
index fc75266..a50e148 100644
--- a/exec.c
+++ b/exec.c
@@ -1242,11 +1242,13 @@ static void *file_ram_alloc(RAMBlock *block,

View File

@ -1,4 +1,4 @@
From 6b4338150763e8241cec19846a48a132d60fe75f Mon Sep 17 00:00:00 2001
From 48e23620ccc1efef237996fcc102215619a5ba7d Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Fri, 13 Jan 2012 17:05:41 +0100
Subject: [PATCH] linux-user: fix segfault deadlock

View File

@ -1,4 +1,4 @@
From 02e298aafcb7bb11036cabec82da958f7d860ac8 Mon Sep 17 00:00:00 2001
From 7ada3e29b37a639129e36a7ed2f2f07a0efc3334 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 2 Feb 2012 18:02:33 +0100
Subject: [PATCH] linux-user: binfmt: support host binaries

View File

@ -1,4 +1,4 @@
From 64acfd49e9721a17c610cc54a92efe8ec3170698 Mon Sep 17 00:00:00 2001
From f3041527d08d4547ca88843c3be991569bca5152 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 12 Jun 2012 04:41:10 +0200
Subject: [PATCH] linux-user: Ignore broken loop ioctl

View File

@ -1,4 +1,4 @@
From f34632424427a2387a9275133c3cb4a8ad4f9d31 Mon Sep 17 00:00:00 2001
From 3c784b6969e0379542cf4661847effa17eacd27f Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 5 Jul 2012 17:31:39 +0200
Subject: [PATCH] linux-user: lock tcg

View File

@ -1,4 +1,4 @@
From a2f095e01371ff9d00524fb4c0e7d3bd941227da Mon Sep 17 00:00:00 2001
From 0922a98683629c491b15b282d35cba46c225549f Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 10 Jul 2012 20:40:55 +0200
Subject: [PATCH] linux-user: Run multi-threaded code on a single core

View File

@ -1,4 +1,4 @@
From 80465393b0e7a888125378567cc69a6cc190b8ff Mon Sep 17 00:00:00 2001
From 598cc6f427821cbaf6b6a8eeadf90176ecf9b9d5 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 11 Jul 2012 16:47:42 +0200
Subject: [PATCH] linux-user: lock tb flushing too

View File

@ -1,4 +1,4 @@
From cac0ebd114044343f3d0e6a1ae0b455949db0a5d Mon Sep 17 00:00:00 2001
From 39ce1e900aba8b93e2296b3d4c613fd7af58f347 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 23 Jul 2012 10:24:14 +0200
Subject: [PATCH] linux-user: Fake /proc/cpuinfo

View File

@ -1,4 +1,4 @@
From a61e366827ca2b159b515e760742bc6dee26169f Mon Sep 17 00:00:00 2001
From 2783b7f3c20040aaa53b59a9a716364f04562126 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 20 Aug 2012 00:02:52 +0200
Subject: [PATCH] linux-user: implement FS_IOC_GETFLAGS ioctl

View File

@ -1,4 +1,4 @@
From 39e6dbd24f5a872c5c37b0c1ddd31fe00b74c3ca Mon Sep 17 00:00:00 2001
From fe937a73ac633b34380ac53c9057a0664c3b77cc Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 20 Aug 2012 00:07:13 +0200
Subject: [PATCH] linux-user: implement FS_IOC_SETFLAGS ioctl

View File

@ -1,4 +1,4 @@
From fb0a1cd7b3e0ab5908607da0b704f749a3f9cd36 Mon Sep 17 00:00:00 2001
From 11b56fbe40bf880945a0563044b58b03d9d0baa7 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 21 Aug 2012 14:20:40 +0200
Subject: [PATCH] linux-user: XXX disable fiemap

View File

@ -1,4 +1,4 @@
From d839baef69733ff67df56abd52bf01b13c2adc80 Mon Sep 17 00:00:00 2001
From bd75d0195aef3af7392ce38952e018936da303ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 29 Aug 2012 18:42:56 +0200
Subject: [PATCH] slirp: -nooutgoing
@ -33,7 +33,7 @@ index 6106520..32b25a5 100644
"-singlestep always run in singlestep mode\n", QEMU_ARCH_ALL)
STEXI
diff --git a/slirp/socket.c b/slirp/socket.c
index a10eff1..fec954e 100644
index b336586..8e5bdc3 100644
--- a/slirp/socket.c
+++ b/slirp/socket.c
@@ -608,6 +608,8 @@ sorecvfrom(struct socket *so)
@ -96,7 +96,7 @@ index 6b9fef2..e712e21 100644
socket_set_fast_reuse(s);
opt = 1;
diff --git a/vl.c b/vl.c
index 5fd22cb..18c88ff 100644
index 5db5dc2..c082789 100644
--- a/vl.c
+++ b/vl.c
@@ -162,6 +162,7 @@ int smp_threads = 1;
@ -107,7 +107,7 @@ index 5fd22cb..18c88ff 100644
static int no_reboot;
int no_shutdown = 0;
int cursor_hide = 1;
@@ -3382,6 +3383,14 @@ int main(int argc, char **argv, char **envp)
@@ -3386,6 +3387,14 @@ int main(int argc, char **argv, char **envp)
case QEMU_OPTION_singlestep:
singlestep = 1;
break;

View File

@ -1,4 +1,4 @@
From c15dcea01fb9d84e583abe7d558d7a31a937ddc3 Mon Sep 17 00:00:00 2001
From aa0933c1b541cc1b7efae51d7a0cc3978e127c86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 29 Aug 2012 20:06:01 +0200
Subject: [PATCH] vnc: password-file= and incoming-connections=
@ -9,7 +9,7 @@ TBD (from SUSE Studio team)
1 file changed, 55 insertions(+)
diff --git a/ui/vnc.c b/ui/vnc.c
index d2ebf1f..ab65db9 100644
index 3e89dad..e7946ba 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -58,6 +58,8 @@ static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };

View File

@ -1,4 +1,4 @@
From 5ab7c0967d239f3cab043461952f9d0b9015a617 Mon Sep 17 00:00:00 2001
From 32cee35bd3c2f98dc645350021de3d9e23be731d Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 10 Oct 2012 10:21:20 +0200
Subject: [PATCH] linux-user: add more blk ioctls

View File

@ -1,4 +1,4 @@
From 616807e473c21cdf231eed07b87ec287cfdfb528 Mon Sep 17 00:00:00 2001
From 232612b32aa306574282a98dafdef5772c99ea24 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 9 Oct 2012 09:06:49 +0200
Subject: [PATCH] linux-user: use target_ulong

View File

@ -1,4 +1,4 @@
From 04eba9254338949db56a01bed42bc3ef187a1f04 Mon Sep 17 00:00:00 2001
From 171c8acfae279756c43f0265e1cfc7d984ab5464 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 5 Aug 2009 09:49:37 +0200
Subject: [PATCH] block: Add support for DictZip enabled gzip files

View File

@ -1,4 +1,4 @@
From 0c107d353084a3a15c1281c7e1385ee5ccd5da5f Mon Sep 17 00:00:00 2001
From e05a6cfd83e972bf46ca8e8ce7a00d83c882e2d8 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 5 Aug 2009 17:28:38 +0200
Subject: [PATCH] block: Add tar container format

View File

@ -1,4 +1,4 @@
From 5c25d47e2378efdbd72c49827252741b46ebacff Mon Sep 17 00:00:00 2001
From e04e97093af3fc593a7db57be40e7334f9776330 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 12 Dec 2012 19:11:30 +0100
Subject: [PATCH] Legacy Patch kvm-qemu-preXX-dictzip3.patch

View File

@ -1,4 +1,4 @@
From ea20aa50570a68fd2ccda17adfea0f32c71694dc Mon Sep 17 00:00:00 2001
From 36f007f4de748aff064604637383a23cbebe813e Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 6 Jun 2011 06:53:52 +0200
Subject: [PATCH] console: add question-mark escape operator

View File

@ -1,4 +1,4 @@
From 5b001dfb49c85d9934f0ac09bd24a7aecac55956 Mon Sep 17 00:00:00 2001
From f745251506bedd96fb153b838dbf8a399eb8e275 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 1 Apr 2010 17:36:23 +0200
Subject: [PATCH] Make char muxer more robust wrt small FIFOs

View File

@ -1,4 +1,4 @@
From 1e5020a27bf52c24abb9272f9ba605959e8771e8 Mon Sep 17 00:00:00 2001
From e7c736a9bfa10f1acb5e6b02c73fd8662d5c6a6c Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 13 Dec 2012 14:29:22 +0100
Subject: [PATCH] linux-user: lseek: explicitly cast non-set offsets to signed

View File

@ -1,4 +1,4 @@
From 01aa7df9b3b82e8d16b3dda2e092dff89c15fa82 Mon Sep 17 00:00:00 2001
From 96ff92eb1a6402f0b90e4394990eda7f5e457d13 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Thu, 16 May 2013 12:39:10 +0200
Subject: [PATCH] virtfs-proxy-helper: Provide __u64 for broken

View File

@ -1,4 +1,4 @@
From 71bb8109caee6f4192237b2fad7db748ac50760d Mon Sep 17 00:00:00 2001
From 2181064a8a8f7a22285ae767affb23dc684d7d10 Mon Sep 17 00:00:00 2001
From: Dinar Valeev <k0da@opensuse.org>
Date: Wed, 2 Oct 2013 17:56:03 +0200
Subject: [PATCH] configure: Enable PIE for ppc and ppc64 hosts
@ -14,7 +14,7 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure b/configure
index c37fc5f..94035eb 100755
index 60e3c0d..65232af 100755
--- a/configure
+++ b/configure
@@ -1537,7 +1537,7 @@ fi

View File

@ -1,4 +1,4 @@
From 287306233f77a3774df2d5c9ed7f301ebc21f89c Mon Sep 17 00:00:00 2001
From bc88332e8bf07bf413f32131cd20f4e2ba9aeb6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Thu, 17 Apr 2014 18:39:10 +0200
Subject: [PATCH] qtest: Increase socket timeout

View File

@ -1,4 +1,4 @@
From 7f1e160917ebff1a756d08c9b07b88452a68387f Mon Sep 17 00:00:00 2001
From e69780e5f390f491fae554f1a0b0649c9187869e Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 14 Jan 2015 01:32:11 +0100
Subject: [PATCH] AIO: Reduce number of threads for 32bit hosts

View File

@ -1,4 +1,4 @@
From 88508c66e9403bb708a1ef186e66f5d45801cdd8 Mon Sep 17 00:00:00 2001
From 6bfa8a2b720bb6cc36a933870a2a1c0a239b3e9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Tue, 14 Apr 2015 18:42:06 +0200
Subject: [PATCH] configure: Enable libseccomp for ppc
@ -14,7 +14,7 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 3 insertions(+)
diff --git a/configure b/configure
index 94035eb..4efabe3 100755
index 65232af..bf74354 100755
--- a/configure
+++ b/configure
@@ -1879,6 +1879,9 @@ if test "$seccomp" != "no" ; then

View File

@ -1,4 +1,4 @@
From 3fafdf24acf45df69523e266a38f3c0ca220e9a9 Mon Sep 17 00:00:00 2001
From bd33e933cbde5f822a0db069e7d368d0cb406249 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 15 Jun 2015 17:36:32 +0200
Subject: [PATCH] dictzip: Fix on big endian systems

View File

@ -1,4 +1,4 @@
From adc543748b20def826281f9e6fda52f026dc099d Mon Sep 17 00:00:00 2001
From 2cee6af27f7e7579c8690edfda4159a66406d2cd Mon Sep 17 00:00:00 2001
From: Olaf Hering <olaf@aepfle.de>
Date: Thu, 24 Mar 2016 14:32:39 +0100
Subject: [PATCH] block: split large discard requests from block frontend
@ -15,7 +15,7 @@ Signed-off-by: Olaf Hering <olaf@aepfle.de>
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/block/io.c b/block/io.c
index a7dbf85..560fa4c 100644
index d02e0d5..511bc75 100644
--- a/block/io.c
+++ b/block/io.c
@@ -2487,7 +2487,7 @@ static void coroutine_fn bdrv_discard_co_entry(void *opaque)

View File

@ -1,4 +1,4 @@
From 43fdf04d426f4738aec0d349662a780906268590 Mon Sep 17 00:00:00 2001
From 2d38805131dee693fd9bd931239793514e36d3e0 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Wed, 9 Mar 2016 15:18:11 -0700
Subject: [PATCH] xen_disk: Add suse specific flush disable handling and map to

View File

@ -1,4 +1,4 @@
From 936efd7b1f317b574dbedf08e69e4206f16ac39f Mon Sep 17 00:00:00 2001
From f210e8f540cb261c11bffa4ed8e9918ad1731a9b Mon Sep 17 00:00:00 2001
From: Olaf Hering <olaf@aepfle.de>
Date: Fri, 1 Apr 2016 12:27:16 +0200
Subject: [PATCH] build: link with libatomic on powerpc-linux
@ -14,10 +14,10 @@ Signed-off-by: Olaf Hering <olaf@aepfle.de>
1 file changed, 27 insertions(+)
diff --git a/configure b/configure
index 4efabe3..b455035 100755
index bf74354..8892b36 100755
--- a/configure
+++ b/configure
@@ -4032,6 +4032,33 @@ if test "$usb_redir" != "no" ; then
@@ -4033,6 +4033,33 @@ if test "$usb_redir" != "no" ; then
fi
fi

View File

@ -1,33 +0,0 @@
From a4cae4158cc271ed4d55bc2e237030022f8edc16 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 7 Apr 2016 04:27:00 -0600
Subject: [PATCH] net: mipsnet: check packet length against buffer
When receiving packets over MIPSnet network device, it uses
receive buffer of size 1514 bytes. In case the controller
accepts large(MTU) packets, it could lead to memory corruption.
Add check to avoid it.
Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
[BR: BSC#975136 CVE-2016-4002]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/mipsnet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
index 740cd98..cf8b823 100644
--- a/hw/net/mipsnet.c
+++ b/hw/net/mipsnet.c
@@ -83,6 +83,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
if (!mipsnet_can_receive(nc))
return 0;
+ if (size >= sizeof(s->rx_buffer)) {
+ return 0;
+ }
s->busy = 1;
/* Just accept everything. */

View File

@ -1,4 +1,4 @@
From d7476f32d84a256e683d20db0cdd0d3676fa2a62 Mon Sep 17 00:00:00 2001
From 24b0afe9e7869a5a398cb5d04f6e7c5efbac65da Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Thu, 12 May 2016 16:13:39 +0200
Subject: [PATCH] xen: introduce dummy system device

View File

@ -1,35 +0,0 @@
From 481b43bcc3e920bbe48801a7ad2489260747e8b9 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 7 Apr 2016 12:50:08 +0530
Subject: [PATCH] i386: kvmvapic: initialise imm32 variable
When processing Task Priorty Register(TPR) access, it could leak
automatic stack variable 'imm32' in patch_instruction().
Initialise the variable to avoid it.
Reported by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
[BR: BSC#975700 CVE-2016-4020]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/i386/kvmvapic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
index c69f374..ff1e31a 100644
--- a/hw/i386/kvmvapic.c
+++ b/hw/i386/kvmvapic.c
@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
CPUX86State *env = &cpu->env;
VAPICHandlers *handlers;
uint8_t opcode[2];
- uint32_t imm32;
+ uint32_t imm32 = 0;
target_ulong current_pc = 0;
target_ulong current_cs_base = 0;
int current_flags = 0;

View File

@ -1,4 +1,4 @@
From 7647bc34d77f7e67a88e88a7f09c314a3a5c7da8 Mon Sep 17 00:00:00 2001
From 06bc1cf8722a7a5ad5cf7e0ad3adf9279516d77d Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Thu, 12 May 2016 16:13:40 +0200
Subject: [PATCH] xen: write information about supported backends

View File

@ -1,42 +0,0 @@
From 26e782bead654b0415a46c9a019c54b56488519b Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 19 May 2016 16:09:30 +0530
Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439)
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer. While
writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
was missing to validate input length. Add check to avoid OOB write
access.
Fixes CVE-2016-4439.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef)
[BR: CVE-2016-4439 BSC#980711]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/esp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 8961be2..01497e6 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
break;
case ESP_FIFO:
if (s->do_cmd) {
- s->cmdbuf[s->cmdlen++] = val & 0xff;
+ if (s->cmdlen < TI_BUFSZ) {
+ s->cmdbuf[s->cmdlen++] = val & 0xff;
+ } else {
+ trace_esp_error_fifo_overrun();
+ }
} else if (s->ti_size == TI_BUFSZ - 1) {
trace_esp_error_fifo_overrun();
} else {

View File

@ -1,4 +1,4 @@
From 9c573c905a6cc3b4dbf931c64e554a20683807b9 Mon Sep 17 00:00:00 2001
From 013c67849bbe9688491b85483bce6e8fc81fa90f Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Thu, 12 May 2016 16:13:41 +0200
Subject: [PATCH] xen: add pvUSB backend
@ -1151,7 +1151,7 @@ index 63364f7..6e18a46 100644
void xen_init_display(int domid);
diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h
index bd65e67..d010cee 100644
index 7b52e8f..5eabf37 100644
--- a/include/hw/xen/xen_common.h
+++ b/include/hw/xen/xen_common.h
@@ -49,6 +49,8 @@ typedef xc_gnttab xengnttab_handle;

View File

@ -1,76 +0,0 @@
From ff65fa87b6d7d4e7dbda895181c9afc80b07c5e3 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 19 May 2016 16:09:31 +0530
Subject: [PATCH] esp: check dma length before reading scsi
command(CVE-2016-4441)
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() uses DMA to read scsi commands into this buffer.
Add check to validate DMA length against buffer size to avoid any
overrun.
Fixes CVE-2016-4441.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Cc: qemu-stable@nongnu.org
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90)
[BR: CVE-2016-4441 BSC#980723]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/esp.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 01497e6..591c817 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
}
}
-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
{
uint32_t dmalen;
int target;
@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
dmalen = s->rregs[ESP_TCLO];
dmalen |= s->rregs[ESP_TCMID] << 8;
dmalen |= s->rregs[ESP_TCHI] << 16;
+ if (dmalen > buflen) {
+ return 0;
+ }
s->dma_memory_read(s->dma_opaque, buf, dmalen);
} else {
dmalen = s->ti_size;
@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
s->dma_cb = handle_satn;
return;
}
- len = get_cmd(s, buf);
+ len = get_cmd(s, buf, sizeof(buf));
if (len)
do_cmd(s, buf);
}
@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
s->dma_cb = handle_s_without_atn;
return;
}
- len = get_cmd(s, buf);
+ len = get_cmd(s, buf, sizeof(buf));
if (len) {
do_busid_cmd(s, buf, 0);
}
@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
s->dma_cb = handle_satn_stop;
return;
}
- s->cmdlen = get_cmd(s, s->cmdbuf);
+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
if (s->cmdlen) {
trace_esp_handle_satn_stop(s->cmdlen);
s->do_cmd = 1;

View File

@ -1,4 +1,4 @@
From ee2225e5f531d965aed352bf99ba339969216144 Mon Sep 17 00:00:00 2001
From 87e73bcc23fedcaa89776810dfcf4c6ef8ad39b1 Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Mon, 13 Jun 2016 11:12:21 +0200
Subject: [PATCH] xen: move xen_sysdev to xen_backend.c

View File

@ -1,96 +0,0 @@
From 8c2fc88049f351c67bd82c6f61c54111eb088e69 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 23 May 2016 04:49:00 -0600
Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size
Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the ring buffer size to an arbitrary
value leading to OOB access issue. Add check to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
[BR: CVE-2016-4952 BSC#981266]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index e690b4e..e1d6d06 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
return log;
}
-static void
+static int
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
{
int i;
@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
uint32_t req_ring_size, cmp_ring_size;
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
+ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
+ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
+ return -1;
+ }
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
/* Flush ring state page changes */
smp_wmb();
+
+ return 0;
}
-static void
+static int
pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
{
int i;
uint32_t len_log2;
uint32_t ring_size;
+ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+ return -1;
+ }
ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
len_log2 = pvscsi_log2(ring_size - 1);
@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
/* Flush ring state page changes */
smp_wmb();
+
+ return 0;
}
static void
@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
pvscsi_dbg_dump_tx_rings_config(rc);
- pvscsi_ring_init_data(&s->rings, rc);
+ if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
+ }
+
s->rings_info_valid = TRUE;
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
}
@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
}
if (s->rings_info_valid) {
- pvscsi_ring_init_msg(&s->rings, rc);
+ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
+ }
s->msg_ring_info_valid = TRUE;
}
return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);

View File

@ -1,4 +1,4 @@
From 6a788961dd16f558d78ab7313f0b297409f37af7 Mon Sep 17 00:00:00 2001
From a77aa218a1ae490d8b4594a77492353c4ebf235f Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 1 Jun 2016 08:22:30 +0200
Subject: [PATCH] vnc: add configurable keyboard delay
@ -42,7 +42,7 @@ index 32b25a5..3bcd98f 100644
ETEXI
diff --git a/ui/vnc.c b/ui/vnc.c
index ab65db9..1bee07f 100644
index e7946ba..f78c8c3 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -1639,6 +1639,7 @@ static void reset_keys(VncState *vs)

View File

@ -1,4 +1,4 @@
From 83775fe297c7cc8dae0d46c22accc2d7eb78c4a0 Mon Sep 17 00:00:00 2001
From c4fc507e8d321e3ad3df335b6c4ab84d8fd6bae7 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 6 May 2016 14:03:09 -0400
Subject: [PATCH] configure: add echo_version helper
@ -17,10 +17,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/configure b/configure
index b455035..767658e 100755
index 8892b36..51dc704 100755
--- a/configure
+++ b/configure
@@ -4748,6 +4748,12 @@ EOF
@@ -4749,6 +4749,12 @@ EOF
fi
fi
@ -33,7 +33,7 @@ index b455035..767658e 100755
# prepend pixman and ftd flags after all config tests are done
QEMU_CFLAGS="$pixman_cflags $fdt_cflags $QEMU_CFLAGS"
libs_softmmu="$pixman_libs $libs_softmmu"
@@ -4805,11 +4811,7 @@ echo "GNUTLS hash $gnutls_hash"
@@ -4806,11 +4812,7 @@ echo "GNUTLS hash $gnutls_hash"
echo "GNUTLS rnd $gnutls_rnd"
echo "libgcrypt $gcrypt"
echo "libgcrypt kdf $gcrypt_kdf"
@ -46,7 +46,7 @@ index b455035..767658e 100755
echo "nettle kdf $nettle_kdf"
echo "libtasn1 $tasn1"
echo "VTE support $vte"
@@ -4861,11 +4863,7 @@ echo "Trace backends $trace_backends"
@@ -4862,11 +4864,7 @@ echo "Trace backends $trace_backends"
if have_backend "simple"; then
echo "Trace output file $trace_file-<pid>"
fi

View File

@ -1,45 +0,0 @@
From 9e91782f3582e12f5c41e64f70e5c53f0e7b9f2a Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 24 May 2016 02:10:00 -0600
Subject: [PATCH] scsi: mptsas: infinite loop while fetching requests
The LSI SAS1068 Host Bus Adapter emulator in Qemu, periodically
looks for requests and fetches them. A loop doing that in
mptsas_fetch_requests() could run infinitely if 's->state' was
not operational. Move check to avoid such a loop.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
[BR: CVE-2016-4964 BSC#981399]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/mptsas.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 499c146..be88e16 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s)
hwaddr addr;
int size;
- if (s->state != MPI_IOC_STATE_OPERATIONAL) {
- mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
- return;
- }
-
/* Read the message header from the guest first. */
addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post);
pci_dma_read(pci, addr, req, sizeof(hdr));
@@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque)
{
MPTSASState *s = opaque;
+ if (s->state != MPI_IOC_STATE_OPERATIONAL) {
+ mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
+ return;
+ }
while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
mptsas_fetch_request(s);
}

View File

@ -1,4 +1,4 @@
From b673055ec7e4eda0454aacc2d042bd53405f85e6 Mon Sep 17 00:00:00 2001
From eeb106a711b51266bf05f3895e01575357414ec6 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 6 May 2016 14:03:12 -0400
Subject: [PATCH] configure: support vte-2.91
@ -18,10 +18,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/configure b/configure
index 767658e..f32cff5 100755
index 51dc704..8f1948c 100755
--- a/configure
+++ b/configure
@@ -2395,20 +2395,25 @@ fi
@@ -2396,20 +2396,25 @@ fi
if test "$vte" != "no"; then
if test "$gtkabi" = "3.0"; then
@ -52,7 +52,7 @@ index 767658e..f32cff5 100755
else
feature_not_found "vte" "Install libvte devel"
fi
@@ -4806,6 +4811,7 @@ echo "pixman $pixman"
@@ -4807,6 +4812,7 @@ echo "pixman $pixman"
echo "SDL support $sdl"
echo "GTK support $gtk"
echo "GTK GL support $gtk_gl"
@ -60,7 +60,7 @@ index 767658e..f32cff5 100755
echo "GNUTLS support $gnutls"
echo "GNUTLS hash $gnutls_hash"
echo "GNUTLS rnd $gnutls_rnd"
@@ -4814,7 +4820,6 @@ echo "libgcrypt kdf $gcrypt_kdf"
@@ -4815,7 +4821,6 @@ echo "libgcrypt kdf $gcrypt_kdf"
echo "nettle $nettle `echo_version $nettle $nettle_version`"
echo "nettle kdf $nettle_kdf"
echo "libtasn1 $tasn1"

View File

@ -1,235 +0,0 @@
From d8d0d22b88ceaf7f9ce8e01eb2842b8daf2aa34e Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 17 May 2016 10:54:54 +0200
Subject: [PATCH] vga: add sr_vbe register set
Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
(CVE-2016-3712)." causes a regression. The win7 installer is unhappy
because it can't freely modify vga registers any more while in vbe mode.
This patch introduces a new sr_vbe register set. The vbe_update_vgaregs
will fill sr_vbe[] instead of sr[]. Normal vga register reads and
writes go to sr[]. Any sr register read access happens through a new
sr() helper function which will read from sr_vbe[] with vbe active and
from sr[] otherwise.
This way we can allow guests update sr[] registers as they want, without
allowing them disrupt vbe video modes that way.
Cc: qemu-stable@nongnu.org
Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/vga.c | 50 ++++++++++++++++++++++++++++----------------------
hw/display/vga_int.h | 1 +
2 files changed, 29 insertions(+), 22 deletions(-)
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 4a55ec6..9ebc54f 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s)
return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
}
+static inline uint8_t sr(VGACommonState *s, int idx)
+{
+ return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
+}
+
static void vga_update_memory_access(VGACommonState *s)
{
hwaddr base, offset, size;
@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s)
s->has_chain4_alias = false;
s->plane_updated = 0xf;
}
- if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
- VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+ if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
+ VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
offset = 0;
switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
case 0:
@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
- clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
+ clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
clock_sel = (s->msr >> 2) & 3;
dots = (s->msr & 1) ? 8 : 9;
@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
#endif
s->sr[s->sr_index] = val & sr_mask[s->sr_index];
- vbe_update_vgaregs(s);
if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
s->update_retrace_info(s);
}
@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
shift_control = 0;
- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
+ s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
} else {
shift_control = 2;
/* set chain 4 mode */
- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
+ s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
/* activate all planes */
- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
+ s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
}
s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
(shift_control << 5);
@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
break;
}
- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
/* chain 4 mode : simplest access */
assert(addr < s->vram_size);
ret = s->vram_ptr[addr];
@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
break;
}
- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
/* chain 4 mode : simplest access */
plane = addr & 3;
mask = (1 << plane);
- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
assert(addr < s->vram_size);
s->vram_ptr[addr] = val;
#ifdef DEBUG_VGA_MEM
@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
/* odd/even mode (aka text mode mapping) */
plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
mask = (1 << plane);
- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
addr = ((addr & ~1) << 1) | plane;
if (addr >= s->vram_size) {
return;
@@ -996,7 +1000,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
do_write:
/* mask data according to sr[2] */
- mask = s->sr[VGA_SEQ_PLANE_WRITE];
+ mask = sr(s, VGA_SEQ_PLANE_WRITE);
s->plane_updated |= mask; /* only used to detect font change */
write_mask = mask16[mask];
if (addr * sizeof(uint32_t) >= s->vram_size) {
@@ -1152,10 +1156,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
/* total width & height */
cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
cwidth = 8;
- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
cwidth = 9;
}
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
cwidth = 16; /* NOTE: no 18 pixel wide */
}
width = (s->cr[VGA_CRTC_H_DISP] + 1);
@@ -1197,7 +1201,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
/* compute font data address (in plane 2) */
- v = s->sr[VGA_SEQ_CHARACTER_MAP];
+ v = sr(s, VGA_SEQ_CHARACTER_MAP);
offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
if (offset != s->font_offsets[0]) {
s->font_offsets[0] = offset;
@@ -1506,11 +1510,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
}
if (shift_control == 0) {
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
disp_width <<= 1;
}
} else if (shift_control == 1) {
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
disp_width <<= 1;
}
}
@@ -1574,7 +1578,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
if (shift_control == 0) {
full_update |= update_palette16(s);
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
v = VGA_DRAW_LINE4D2;
} else {
v = VGA_DRAW_LINE4;
@@ -1582,7 +1586,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
bits = 4;
} else if (shift_control == 1) {
full_update |= update_palette16(s);
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
v = VGA_DRAW_LINE2D2;
} else {
v = VGA_DRAW_LINE2;
@@ -1629,7 +1633,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
#if 0
printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
- s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]);
+ s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE));
#endif
addr1 = (s->start_addr * 4);
bwidth = (width * bits + 7) / 8;
@@ -1781,6 +1785,7 @@ void vga_common_reset(VGACommonState *s)
{
s->sr_index = 0;
memset(s->sr, '\0', sizeof(s->sr));
+ memset(s->sr_vbe, '\0', sizeof(s->sr_vbe));
s->gr_index = 0;
memset(s->gr, '\0', sizeof(s->gr));
s->ar_index = 0;
@@ -1883,10 +1888,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
/* total width & height */
cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
cw = 8;
- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
cw = 9;
}
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
cw = 16; /* NOTE: no 18 pixel wide */
}
width = (s->cr[VGA_CRTC_H_DISP] + 1);
@@ -2053,6 +2058,7 @@ static int vga_common_post_load(void *opaque, int version_id)
/* force refresh */
s->graphic_mode = -1;
+ vbe_update_vgaregs(s);
return 0;
}
diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
index bdb43a5..3ce5544 100644
--- a/hw/display/vga_int.h
+++ b/hw/display/vga_int.h
@@ -98,6 +98,7 @@ typedef struct VGACommonState {
MemoryRegion chain4_alias;
uint8_t sr_index;
uint8_t sr[256];
+ uint8_t sr_vbe[256];
uint8_t gr_index;
uint8_t gr[256];
uint8_t ar_index;

View File

@ -1,4 +1,4 @@
From ced63da3c840792292a6ee8201c3f7789b80b7eb Mon Sep 17 00:00:00 2001
From 8b1a852589b2693dd384680d761e617a34ba2f9e Mon Sep 17 00:00:00 2001
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Mon, 4 Jul 2016 13:06:36 +0100
Subject: [PATCH] hw/arm/virt: mark the PCIe host controller as DMA coherent in
@ -25,7 +25,7 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
1 file changed, 1 insertion(+)
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index 56d35c7..9d015d5 100644
index a535285..30841de 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -950,6 +950,7 @@ static void create_pcie(const VirtBoardInfo *vbi, qemu_irq *pic,

View File

@ -1,34 +0,0 @@
From f7901e3ec072d45629284c91300bf5ad21b36908 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 25 May 2016 16:01:29 +0530
Subject: [PATCH] scsi: megasas: use appropriate property buffer size
When setting MegaRAID SAS controller properties via MegaRAID
Firmware Interface(MFI) commands, a user supplied size parameter
is used to set property value. Use appropriate size value to avoid
OOB access issues.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731)
[BR:CVE-2016-5106 BSC#982018]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/megasas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index a63a581..dcbd3e1 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -1446,7 +1446,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
dcmd_size);
return MFI_STAT_INVALID_PARAMETER;
}
- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
+ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
return MFI_STAT_OK;
}

View File

@ -1,36 +0,0 @@
From e9910b20f94d3683d4d8895136583529cf7c313f Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 25 May 2016 17:55:10 +0530
Subject: [PATCH] scsi: megasas: check 'read_queue_head' index value
While doing MegaRAID SAS controller command frame lookup, routine
'megasas_lookup_frame' uses 'read_queue_head' value as an index
into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
within array bounds to avoid any OOB access.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
[BR: CVE-2016-5107 BSC#982019]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/megasas.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index dcbd3e1..96aee1c 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -650,7 +650,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
pa_hi = le32_to_cpu(initq->pi_addr_hi);
s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
+ s->reply_queue_head %= MEGASAS_MAX_FRAMES;
s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
+ s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
flags = le32_to_cpu(initq->flags);
if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
s->flags |= MEGASAS_MASK_USE_QUEUE64;

View File

@ -1,4 +1,4 @@
From 1caba48fc19de7cdceda7577ccf6970d4eb7ed75 Mon Sep 17 00:00:00 2001
From 6fc72ceb37357fb66b43b17a84b4b6fe128c5f4f Mon Sep 17 00:00:00 2001
From: Olaf Hering <ohering@suse.de>
Date: Tue, 21 Jun 2016 18:42:45 +0200
Subject: [PATCH] xen: SUSE xenlinux unplug for emulated PCI

View File

@ -1,4 +1,4 @@
From a4c62237f33857750850ef30066a5ae5d4d1194e Mon Sep 17 00:00:00 2001
From ef7fe72329d837ac78895a6b287bc6d7cb2a6889 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 20 Jun 2016 16:32:39 +0200
Subject: [PATCH] scsi: esp: fix migration
@ -17,10 +17,10 @@ Signed-off-by: Bruce Rogers <brogers@suse.com>
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 9e318fd..25c547c 100644
index baa0a2c..1f2f2d3 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -577,7 +577,7 @@ static bool esp_mem_accepts(void *opaque, hwaddr addr,
@@ -574,7 +574,7 @@ static bool esp_mem_accepts(void *opaque, hwaddr addr,
const VMStateDescription vmstate_esp = {
.name ="esp",
@ -29,7 +29,7 @@ index 9e318fd..25c547c 100644
.minimum_version_id = 3,
.fields = (VMStateField[]) {
VMSTATE_BUFFER(rregs, ESPState),
@@ -588,7 +588,8 @@ const VMStateDescription vmstate_esp = {
@@ -585,7 +585,8 @@ const VMStateDescription vmstate_esp = {
VMSTATE_BUFFER(ti_buf, ESPState),
VMSTATE_UINT32(status, ESPState),
VMSTATE_UINT32(dma, ESPState),

View File

@ -1,32 +0,0 @@
From e7b653272e0242843f39b9b8d65694c29028fdf5 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 7 Jun 2016 16:44:03 +0530
Subject: [PATCH] scsi: megasas: null terminate bios version buffer
While reading information via 'megasas_ctrl_get_info' routine,
a local bios version buffer isn't null terminated. Add the
terminating null byte to avoid any OOB access.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
[BR: CVE-2016-5337 BSC#983961]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/megasas.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 96aee1c..893448b 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
ptr = memory_region_get_ram_ptr(&pci_dev->rom);
memcpy(biosver, ptr + 0x41, 31);
+ biosver[31] = 0;
memcpy(info.image_component[1].name, "BIOS", 4);
memcpy(info.image_component[1].version, biosver,
strlen((const char *)biosver));

View File

@ -1,73 +0,0 @@
From 74a7469799521413262d7571b7092f859ed32121 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 30 May 2016 09:09:18 +0200
Subject: [PATCH] vmsvga: move fifo sanity checks to vmsvga_fifo_length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sanity checks are applied when the fifo is enabled by the guest
(SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest
changes the fifo registers afterwards. Move the checks to
vmsvga_fifo_length so they are done each time qemu is about to read
from the fifo.
Fixes: CVE-2016-4454
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
[BR: CVE-2016-4454 BSC#982222]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/vmware_vga.c | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 0c63fa8..63a7c05 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -555,6 +555,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
if (!s->config || !s->enable) {
return 0;
}
+
+ /* Check range and alignment. */
+ if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
+ return 0;
+ }
+ if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
+ return 0;
+ }
+ if (CMD(max) > SVGA_FIFO_SIZE) {
+ return 0;
+ }
+ if (CMD(max) < CMD(min) + 10 * 1024) {
+ return 0;
+ }
+
num = CMD(next_cmd) - CMD(stop);
if (num < 0) {
num += CMD(max) - CMD(min);
@@ -1005,19 +1020,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
case SVGA_REG_CONFIG_DONE:
if (value) {
s->fifo = (uint32_t *) s->fifo_ptr;
- /* Check range and alignment. */
- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
- break;
- }
- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
- break;
- }
- if (CMD(max) > SVGA_FIFO_SIZE) {
- break;
- }
- if (CMD(max) < CMD(min) + 10 * 1024) {
- break;
- }
vga_dirty_log_stop(&s->vga);
}
s->config = !!value;

View File

@ -1,4 +1,4 @@
From 0d4ea8a7847a76415ed0d0db0392be5b7d1b71a6 Mon Sep 17 00:00:00 2001
From 57e6b7c9e33686c070e6b5bce203e1a4a01b821d Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Fri, 29 Jul 2016 12:51:53 +0200
Subject: [PATCH] xen: when removing a backend don't remove many of them

View File

@ -1,45 +0,0 @@
From 51a212ea5bb9d958e0fd59d9e975685a8b9e62d0 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 30 May 2016 09:09:21 +0200
Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
vmsvga_fifo_run is called in regular intervals (on each display update)
and will resume where it left off. So we can simply exit the loop,
without having to worry about how processing will continue.
Fixes: CVE-2016-4453
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
[BR: CVE-2016-4453 BSC#982223]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/vmware_vga.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index 63a7c05..3bd4c52 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -596,13 +596,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
static void vmsvga_fifo_run(struct vmsvga_state_s *s)
{
uint32_t cmd, colour;
- int args, len;
+ int args, len, maxloop = 1024;
int x, y, dx, dy, width, height;
struct vmsvga_cursor_definition_s cursor;
uint32_t cmd_start;
len = vmsvga_fifo_length(s);
- while (len > 0) {
+ while (len > 0 && --maxloop > 0) {
/* May need to go back to the start of the command if incomplete */
cmd_start = s->cmd->stop;

View File

@ -1,4 +1,4 @@
From afb94bcc5bbb8b58f8c96821caaab268f96cabdb Mon Sep 17 00:00:00 2001
From 559d8ccdb0a5e92b6a0a42f2850caa7a8c57ae76 Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Wed, 27 Jul 2016 08:17:41 +0200
Subject: [PATCH] xen: drain submit queue in xen-usb before removing device

View File

@ -1,37 +0,0 @@
From 75e2bbd9eb1645c7acb1929ca700913a6e2f54d6 Mon Sep 17 00:00:00 2001
From: Peter Lieven <pl@kamp.de>
Date: Tue, 24 May 2016 10:59:28 +0200
Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
at least in the path via virtio-blk the maximum size is not
restricted.
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
[BR: CVE-2016-5126 BSC#982285]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
block/iscsi.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/block/iscsi.c b/block/iscsi.c
index 302baf8..172e6cf 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
return &acb->common;
}
+ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
+ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
+ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
+ qemu_aio_unref(acb);
+ return NULL;
+ }
+
acb->task = malloc(sizeof(struct scsi_task));
if (acb->task == NULL) {
error_report("iSCSI: Failed to allocate task for scsi command. %s",

View File

@ -1,4 +1,4 @@
From 197d526012602fbac75392a86e991539e4400bf0 Mon Sep 17 00:00:00 2001
From c9f5c5004b9fb97398c8dc0003303493904c986c Mon Sep 17 00:00:00 2001
From: "Denis V. Lunev" <den@openvz.org>
Date: Thu, 2 Jun 2016 18:58:15 +0300
Subject: [PATCH] qcow2: avoid extra flushes in qcow2

View File

@ -1,4 +1,4 @@
From 4bbd77b07de2f0df2e8a0dba9c4ca51299ee2518 Mon Sep 17 00:00:00 2001
From 66d8c1e91cb8b11fad0ddc68c7398c5ff202525e Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Tue, 2 Aug 2016 11:36:02 -0600
Subject: [PATCH] qemu-bridge-helper: reduce security profile

View File

@ -1,71 +0,0 @@
From 40b9ce117b5a3aced6e1b88ea0e2619170b202f6 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 6 Jun 2016 22:04:43 +0530
Subject: [PATCH] scsi: esp: check TI buffer index before read/write
The 53C9X Fast SCSI Controller(FSC) comes with internal 16-byte
FIFO buffers. One is used to handle commands and other is for
information transfer. Three control variables 'ti_rptr',
'ti_wptr' and 'ti_size' are used to control r/w access to the
information transfer buffer ti_buf[TI_BUFSZ=16]. In that,
'ti_rptr' is used as read index, where read occurs.
'ti_wptr' is a write index, where write would occur.
'ti_size' indicates total bytes to be read from the buffer.
While reading/writing to this buffer, index could exceed its
size. Add check to avoid OOB r/w access.
Reported-by: Huawei PSIRT <psirt@huawei.com>
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1465230883-22303-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit ff589551c8e8e9e95e211b9d8daafb4ed39f1aec)
[BR: CVE-2016-5338 BSC#983982]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/esp.c | 20 +++++++++-----------
1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 591c817..3adb685 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -400,19 +400,17 @@ uint64_t esp_reg_read(ESPState *s, uint32_t saddr)
trace_esp_mem_readb(saddr, s->rregs[saddr]);
switch (saddr) {
case ESP_FIFO:
- if (s->ti_size > 0) {
+ if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
+ /* Data out. */
+ qemu_log_mask(LOG_UNIMP, "esp: PIO data read not implemented\n");
+ s->rregs[ESP_FIFO] = 0;
+ esp_raise_irq(s);
+ } else if (s->ti_rptr < s->ti_wptr) {
s->ti_size--;
- if ((s->rregs[ESP_RSTAT] & STAT_PIO_MASK) == 0) {
- /* Data out. */
- qemu_log_mask(LOG_UNIMP,
- "esp: PIO data read not implemented\n");
- s->rregs[ESP_FIFO] = 0;
- } else {
- s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
- }
+ s->rregs[ESP_FIFO] = s->ti_buf[s->ti_rptr++];
esp_raise_irq(s);
}
- if (s->ti_size == 0) {
+ if (s->ti_rptr == s->ti_wptr) {
s->ti_rptr = 0;
s->ti_wptr = 0;
}
@@ -456,7 +454,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
} else {
trace_esp_error_fifo_overrun();
}
- } else if (s->ti_size == TI_BUFSZ - 1) {
+ } else if (s->ti_wptr == TI_BUFSZ - 1) {
trace_esp_error_fifo_overrun();
} else {
s->ti_size++;

View File

@ -1,4 +1,4 @@
From ddbfdd2c5396aa810a789f5cb681879f78cb693f Mon Sep 17 00:00:00 2001
From fceaaa771845a1fa7379539e77390b833dc9de3b Mon Sep 17 00:00:00 2001
From: Juergen Gross <jgross@suse.com>
Date: Tue, 2 Aug 2016 08:32:32 +0200
Subject: [PATCH] xen: use a common function for pv and hvm guest backend

View File

@ -1,34 +0,0 @@
From 702d446c9378b6d8415599780cf9f8bfb4c7cb9a Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 25 May 2016 17:41:44 +0530
Subject: [PATCH] scsi: megasas: initialise local configuration data buffer
When reading MegaRAID SAS controller configuration via MegaRAID
Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
uses an uninitialised local data buffer. Initialise this buffer
to avoid stack information leakage.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d37af740730dbbb93960cd318e040372d04d6dcf)
[BR: CVE-2016-5105 982017]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/megasas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 893448b..a9ffc32 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -1296,7 +1296,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
{
- uint8_t data[4096];
+ uint8_t data[4096] = { 0 };
struct mfi_config_data *info;
int num_pd_disks = 0, array_offset, ld_offset;
BusChild *kid;

View File

@ -1,36 +0,0 @@
From 440a840f30f2439aece31ae59a5ee91675a78bb1 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 31 May 2016 23:23:27 +0530
Subject: [PATCH] scsi: esp: check buffer length before reading scsi command
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
command into a buffer. Add check to validate command length against
buffer size to avoid any overrun.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
[BR: CVE-2016-5238 BSC#982959]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/esp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 3adb685..4b94bbc 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
s->dma_memory_read(s->dma_opaque, buf, dmalen);
} else {
dmalen = s->ti_size;
+ if (dmalen > TI_BUFSZ) {
+ return 0;
+ }
memcpy(buf, s->ti_buf, dmalen);
buf[0] = buf[2] >> 5;
}

View File

@ -1,29 +0,0 @@
From 9b2c1b6e771f01757b93cc92625ef48903786291 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 14 Jun 2016 15:10:24 +0200
Subject: [PATCH] scsi: esp: respect FIFO invariant after message phase
The FIFO contains two bytes; hence the write ptr should be two bytes ahead
of the read pointer.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e)
[BR: CVE-2016-5238 BSC#982959]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/esp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 4b94bbc..3f08598 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -222,7 +222,7 @@ static void write_response(ESPState *s)
} else {
s->ti_size = 2;
s->ti_rptr = 0;
- s->ti_wptr = 0;
+ s->ti_wptr = 2;
s->rregs[ESP_RFLAGS] = 2;
}
esp_raise_irq(s);

View File

@ -1,52 +0,0 @@
From f4fe76597dccb9017be71983c4204f21877fc69f Mon Sep 17 00:00:00 2001
From: Lin Ma <lma@suse.com>
Date: Thu, 16 Jun 2016 01:05:27 +0800
Subject: [PATCH] pci-assign: Move "Invalid ROM" error message to
pci-assign-load-rom.c
In function pci_assign_dev_load_option_rom, For those pci devices don't
have 'rom' file under sysfs or if loading ROM from external file, The
function returns NULL, and won't set the passed 'size' variable.
In these 2 cases, qemu still reports "Invalid ROM" error message, Users
may be confused by it.
Signed-off-by: Lin Ma <lma@suse.com>
Message-Id: <1466010327-22368-1-git-send-email-lma@suse.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit be968c721ee9df49708691ab58f0e66b394dea82)
[BR: BSC#982927]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/i386/kvm/pci-assign.c | 4 ----
hw/i386/pci-assign-load-rom.c | 3 +++
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/hw/i386/kvm/pci-assign.c b/hw/i386/kvm/pci-assign.c
index bf425a2..8abce52 100644
--- a/hw/i386/kvm/pci-assign.c
+++ b/hw/i386/kvm/pci-assign.c
@@ -1891,8 +1891,4 @@ static void assigned_dev_load_option_rom(AssignedDevice *dev)
pci_assign_dev_load_option_rom(&dev->dev, OBJECT(dev), &size,
dev->host.domain, dev->host.bus,
dev->host.slot, dev->host.function);
-
- if (!size) {
- error_report("pci-assign: Invalid ROM.");
- }
}
diff --git a/hw/i386/pci-assign-load-rom.c b/hw/i386/pci-assign-load-rom.c
index 4bbb08c..0d8e4b2 100644
--- a/hw/i386/pci-assign-load-rom.c
+++ b/hw/i386/pci-assign-load-rom.c
@@ -40,6 +40,9 @@ void *pci_assign_dev_load_option_rom(PCIDevice *dev, struct Object *owner,
domain, bus, slot, function);
if (stat(rom_file, &st)) {
+ if (errno != ENOENT) {
+ error_report("pci-assign: Invalid ROM.");
+ }
return NULL;
}

View File

@ -1,29 +0,0 @@
From a4b6bbf1139ebc70375c48afe99fccdd9dcaa501 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Tue, 26 Jul 2016 16:42:45 -0600
Subject: [PATCH] Xen PCI passthrough: fix passthrough failure when no
interrupt pin
Commit 5a11d0f7 mistakenly converted a log message into an error
condition when no pin interrupt is found for the pci device being
passed through. Revert that part of the commit.
[BR: BSC#981925, BSC#989250]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/xen/xen_pt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c
index f593b04..b6d71bb 100644
--- a/hw/xen/xen_pt.c
+++ b/hw/xen/xen_pt.c
@@ -842,7 +842,7 @@ static void xen_pt_realize(PCIDevice *d, Error **errp)
goto err_out;
}
if (!scratch) {
- error_setg(errp, "no pin interrupt");
+ XEN_PT_LOG(d, "no pin interrupt\n");
goto out;
}

View File

@ -1,73 +0,0 @@
From 20a82db8677dfb40288953ba296c372b66146f4d Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 16 Jun 2016 00:22:35 +0200
Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
While doing DMA read into ESP command buffer 's->cmdbuf', it could
write past the 's->cmdbuf' area, if it was transferring more than 16
bytes. Increase the command buffer size to 32, which is maximum when
's->do_cmd' is set, and add a check on 'len' to avoid OOB access.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11)
[BR: CVE-2016-6351 BSC#990835]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/esp.c | 6 ++++--
include/hw/scsi/esp.h | 3 ++-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
index 3f08598..9e318fd 100644
--- a/hw/scsi/esp.c
+++ b/hw/scsi/esp.c
@@ -249,6 +249,8 @@ static void esp_do_dma(ESPState *s)
len = s->dma_left;
if (s->do_cmd) {
trace_esp_do_dma(s->cmdlen, len);
+ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
+ len <= sizeof(s->cmdbuf) - s->cmdlen);
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
s->ti_size = 0;
s->cmdlen = 0;
@@ -348,7 +350,7 @@ static void handle_ti(ESPState *s)
s->dma_counter = dmalen;
if (s->do_cmd)
- minlen = (dmalen < 32) ? dmalen : 32;
+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
else if (s->ti_size < 0)
minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
else
@@ -452,7 +454,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
break;
case ESP_FIFO:
if (s->do_cmd) {
- if (s->cmdlen < TI_BUFSZ) {
+ if (s->cmdlen < ESP_CMDBUF_SZ) {
s->cmdbuf[s->cmdlen++] = val & 0xff;
} else {
trace_esp_error_fifo_overrun();
diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
index 6c79527..d2c4886 100644
--- a/include/hw/scsi/esp.h
+++ b/include/hw/scsi/esp.h
@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
#define ESP_REGS 16
#define TI_BUFSZ 16
+#define ESP_CMDBUF_SZ 32
typedef struct ESPState ESPState;
@@ -31,7 +32,7 @@ struct ESPState {
SCSIBus bus;
SCSIDevice *current_dev;
SCSIRequest *current_req;
- uint8_t cmdbuf[TI_BUFSZ];
+ uint8_t cmdbuf[ESP_CMDBUF_SZ];
uint32_t cmdlen;
uint32_t do_cmd;

View File

@ -1,65 +0,0 @@
From d9c626e4ede58130f64f24f4f9ca1140e4102a70 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 19 Jul 2016 13:07:13 +0100
Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
A broken or malicious guest can submit more requests than the virtqueue
size permits, causing unbounded memory allocation in QEMU.
The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size. This requires reusing
vring descriptors in more than one request, which is not allowed by the
VIRTIO 1.0 specification.
In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
says:
1. The driver places the buffer into free descriptor(s) in the
descriptor table, chaining as necessary
and
Note that the above code does not take precautions against the
available ring buffer wrapping around: this is not possible since the
ring buffer is the same size as the descriptor table, so step (1) will
prevent such a condition.
This implies that placing more buffers into the virtqueue than the
descriptor table size is not allowed.
QEMU is missing the check to prevent this case. Processing a request
allocates a VirtQueueElement leading to unbounded memory allocation
controlled by the guest.
Exit with an error if the guest provides more requests than the
virtqueue size permits. This bounds memory allocation and makes the
buggy guest visible to the user.
This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
Marvel Team, China.
Reported-by: Zhenhao Hong <hongzhenhao@360.cn>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit afd9096eb1882f23929f5b5c177898ed231bac66)
[BR: CVE-2016-5403 BSC#991080]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/virtio/virtio.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 30ede3d..e5ead0d 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -561,6 +561,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz)
max = vq->vring.num;
+ if (vq->inuse >= vq->vring.num) {
+ error_report("Virtqueue size exceeded");
+ exit(1);
+ }
+
i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
vring_set_avail_event(vq, vq->last_avail_idx);

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c9ac4a651b273233d21b8bec32e30507cb9cce7900841febc330956a1a8434ec
size 25755267

Binary file not shown.

3
qemu-2.6.1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4942fd1b6ee31f2f55ffc2201dd7397e6b9c55a2ef332e6d660c730d268e08d1
size 25762855

BIN
qemu-2.6.1.tar.bz2.sig Normal file

Binary file not shown.

View File

@ -1,3 +1,62 @@
-------------------------------------------------------------------
Wed Aug 17 20:25:13 UTC 2016 - brogers@suse.com
- Update to v2.6.1 a stable, bug-fix-only release (fate#316228)
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
* Patches dropped (upstreamed):
0041-net-mipsnet-check-packet-length-aga.patch
0042-i386-kvmvapic-initialise-imm32-vari.patch
0043-esp-check-command-buffer-length-bef.patch
0044-esp-check-dma-length-before-reading.patch
0045-scsi-pvscsi-check-command-descripto.patch
0046-scsi-mptsas-infinite-loop-while-fet.patch
0047-vga-add-sr_vbe-register-set.patch
0048-scsi-megasas-use-appropriate-proper.patch
0049-scsi-megasas-check-read_queue_head-.patch
0050-scsi-megasas-null-terminate-bios-ve.patch
0051-vmsvga-move-fifo-sanity-checks-to-v.patch
0052-vmsvga-don-t-process-more-than-1024.patch
0053-block-iscsi-avoid-potential-overflo.patch
0054-scsi-esp-check-TI-buffer-index-befo.patch
0060-scsi-megasas-initialise-local-confi.patch
0065-scsi-esp-check-buffer-length-before.patch
0066-scsi-esp-respect-FIFO-invariant-aft.patch
0067-pci-assign-Move-Invalid-ROM-error-m.patch
0068-Xen-PCI-passthrough-fix-passthrough.patch
0069-scsi-esp-make-cmdbuf-big-enough-for.patch
0071-virtio-error-out-if-guest-exceeds-v.patch
* Patches renamed:
0055-xen-introduce-dummy-system-device.patch
-> 0041-xen-introduce-dummy-system-device.patch
0056-xen-write-information-about-support.patch
-> 0042-xen-write-information-about-support.patch
0057-xen-add-pvUSB-backend.patch
-> 0043-xen-add-pvUSB-backend.patch
0058-xen-move-xen_sysdev-to-xen_backend..patch
-> 0044-xen-move-xen_sysdev-to-xen_backend..patch
0059-vnc-add-configurable-keyboard-delay.patch
-> 0045-vnc-add-configurable-keyboard-delay.patch
0061-configure-add-echo_version-helper.patch
-> 0046-configure-add-echo_version-helper.patch
0062-configure-support-vte-2.91.patch
-> 0047-configure-support-vte-2.91.patch
0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
-> 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
-> 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
0070-scsi-esp-fix-migration.patch
-> 0050-scsi-esp-fix-migration.patch
0072-xen-when-removing-a-backend-don-t-r.patch
-> 0051-xen-when-removing-a-backend-don-t-r.patch
0073-xen-drain-submit-queue-in-xen-usb-b.patch
-> 0052-xen-drain-submit-queue-in-xen-usb-b.patch
0074-qcow2-avoid-extra-flushes-in-qcow2.patch
-> 0053-qcow2-avoid-extra-flushes-in-qcow2.patch
0075-qemu-bridge-helper-reduce-security-.patch
-> 0054-qemu-bridge-helper-reduce-security-.patch
0076-xen-use-a-common-function-for-pv-an.patch
-> 0055-xen-use-a-common-function-for-pv-an.patch
-------------------------------------------------------------------
Wed Aug 3 17:09:11 UTC 2016 - brogers@suse.com

View File

@ -21,9 +21,9 @@ Url: http://www.qemu.org/
Summary: Universal CPU emulator
License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
Group: System/Emulators/PC
Version: 2.6.0
Version: 2.6.1
Release: 0
Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2
Source: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2
# This patch queue is auto-generated from https://github.com/openSUSE/qemu
Patch0001: 0001-XXX-dont-dump-core-on-sigabort.patch
Patch0002: 0002-qemu-0.9.0.cvs-binfmt.patch
@ -65,42 +65,21 @@ Patch0037: 0037-dictzip-Fix-on-big-endian-systems.patch
Patch0038: 0038-block-split-large-discard-requests-.patch
Patch0039: 0039-xen_disk-Add-suse-specific-flush-di.patch
Patch0040: 0040-build-link-with-libatomic-on-powerp.patch
Patch0041: 0041-net-mipsnet-check-packet-length-aga.patch
Patch0042: 0042-i386-kvmvapic-initialise-imm32-vari.patch
Patch0043: 0043-esp-check-command-buffer-length-bef.patch
Patch0044: 0044-esp-check-dma-length-before-reading.patch
Patch0045: 0045-scsi-pvscsi-check-command-descripto.patch
Patch0046: 0046-scsi-mptsas-infinite-loop-while-fet.patch
Patch0047: 0047-vga-add-sr_vbe-register-set.patch
Patch0048: 0048-scsi-megasas-use-appropriate-proper.patch
Patch0049: 0049-scsi-megasas-check-read_queue_head-.patch
Patch0050: 0050-scsi-megasas-null-terminate-bios-ve.patch
Patch0051: 0051-vmsvga-move-fifo-sanity-checks-to-v.patch
Patch0052: 0052-vmsvga-don-t-process-more-than-1024.patch
Patch0053: 0053-block-iscsi-avoid-potential-overflo.patch
Patch0054: 0054-scsi-esp-check-TI-buffer-index-befo.patch
Patch0055: 0055-xen-introduce-dummy-system-device.patch
Patch0056: 0056-xen-write-information-about-support.patch
Patch0057: 0057-xen-add-pvUSB-backend.patch
Patch0058: 0058-xen-move-xen_sysdev-to-xen_backend..patch
Patch0059: 0059-vnc-add-configurable-keyboard-delay.patch
Patch0060: 0060-scsi-megasas-initialise-local-confi.patch
Patch0061: 0061-configure-add-echo_version-helper.patch
Patch0062: 0062-configure-support-vte-2.91.patch
Patch0063: 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
Patch0064: 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
Patch0065: 0065-scsi-esp-check-buffer-length-before.patch
Patch0066: 0066-scsi-esp-respect-FIFO-invariant-aft.patch
Patch0067: 0067-pci-assign-Move-Invalid-ROM-error-m.patch
Patch0068: 0068-Xen-PCI-passthrough-fix-passthrough.patch
Patch0069: 0069-scsi-esp-make-cmdbuf-big-enough-for.patch
Patch0070: 0070-scsi-esp-fix-migration.patch
Patch0071: 0071-virtio-error-out-if-guest-exceeds-v.patch
Patch0072: 0072-xen-when-removing-a-backend-don-t-r.patch
Patch0073: 0073-xen-drain-submit-queue-in-xen-usb-b.patch
Patch0074: 0074-qcow2-avoid-extra-flushes-in-qcow2.patch
Patch0075: 0075-qemu-bridge-helper-reduce-security-.patch
Patch0076: 0076-xen-use-a-common-function-for-pv-an.patch
Patch0041: 0041-xen-introduce-dummy-system-device.patch
Patch0042: 0042-xen-write-information-about-support.patch
Patch0043: 0043-xen-add-pvUSB-backend.patch
Patch0044: 0044-xen-move-xen_sysdev-to-xen_backend..patch
Patch0045: 0045-vnc-add-configurable-keyboard-delay.patch
Patch0046: 0046-configure-add-echo_version-helper.patch
Patch0047: 0047-configure-support-vte-2.91.patch
Patch0048: 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
Patch0049: 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
Patch0050: 0050-scsi-esp-fix-migration.patch
Patch0051: 0051-xen-when-removing-a-backend-don-t-r.patch
Patch0052: 0052-xen-drain-submit-queue-in-xen-usb-b.patch
Patch0053: 0053-qcow2-avoid-extra-flushes-in-qcow2.patch
Patch0054: 0054-qemu-bridge-helper-reduce-security-.patch
Patch0055: 0055-xen-use-a-common-function-for-pv-an.patch
# Please do not add patches manually here, run update_git.sh.
# this is to make lint happy
Source300: qemu-rpmlintrc
@ -153,7 +132,7 @@ emulations. This can be used together with the OBS build script to
run cross-architecture builds.
%prep
%setup -q -n qemu-2.6.0
%setup -q -n qemu-2.6.1
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
@ -209,27 +188,6 @@ run cross-architecture builds.
%patch0053 -p1
%patch0054 -p1
%patch0055 -p1
%patch0056 -p1
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
%patch0073 -p1
%patch0074 -p1
%patch0075 -p1
%patch0076 -p1
%build
./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \

View File

@ -23,7 +23,7 @@ License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
Group: System/Emulators/PC
QEMU_VERSION
Release: 0
Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2
Source: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2
# This patch queue is auto-generated from https://github.com/openSUSE/qemu
PATCH_FILES
# Please do not add patches manually here, run update_git.sh.
@ -78,7 +78,7 @@ emulations. This can be used together with the OBS build script to
run cross-architecture builds.
%prep
%setup -q -n qemu-2.6.0
%setup -q -n qemu-2.6.1
PATCH_EXEC
%build

View File

@ -1,3 +1,62 @@
-------------------------------------------------------------------
Wed Aug 17 20:25:13 UTC 2016 - brogers@suse.com
- Update to v2.6.1 a stable, bug-fix-only release (fate#316228)
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
* Patches dropped (upstreamed):
0041-net-mipsnet-check-packet-length-aga.patch
0042-i386-kvmvapic-initialise-imm32-vari.patch
0043-esp-check-command-buffer-length-bef.patch
0044-esp-check-dma-length-before-reading.patch
0045-scsi-pvscsi-check-command-descripto.patch
0046-scsi-mptsas-infinite-loop-while-fet.patch
0047-vga-add-sr_vbe-register-set.patch
0048-scsi-megasas-use-appropriate-proper.patch
0049-scsi-megasas-check-read_queue_head-.patch
0050-scsi-megasas-null-terminate-bios-ve.patch
0051-vmsvga-move-fifo-sanity-checks-to-v.patch
0052-vmsvga-don-t-process-more-than-1024.patch
0053-block-iscsi-avoid-potential-overflo.patch
0054-scsi-esp-check-TI-buffer-index-befo.patch
0060-scsi-megasas-initialise-local-confi.patch
0065-scsi-esp-check-buffer-length-before.patch
0066-scsi-esp-respect-FIFO-invariant-aft.patch
0067-pci-assign-Move-Invalid-ROM-error-m.patch
0068-Xen-PCI-passthrough-fix-passthrough.patch
0069-scsi-esp-make-cmdbuf-big-enough-for.patch
0071-virtio-error-out-if-guest-exceeds-v.patch
* Patches renamed:
0055-xen-introduce-dummy-system-device.patch
-> 0041-xen-introduce-dummy-system-device.patch
0056-xen-write-information-about-support.patch
-> 0042-xen-write-information-about-support.patch
0057-xen-add-pvUSB-backend.patch
-> 0043-xen-add-pvUSB-backend.patch
0058-xen-move-xen_sysdev-to-xen_backend..patch
-> 0044-xen-move-xen_sysdev-to-xen_backend..patch
0059-vnc-add-configurable-keyboard-delay.patch
-> 0045-vnc-add-configurable-keyboard-delay.patch
0061-configure-add-echo_version-helper.patch
-> 0046-configure-add-echo_version-helper.patch
0062-configure-support-vte-2.91.patch
-> 0047-configure-support-vte-2.91.patch
0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
-> 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
-> 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
0070-scsi-esp-fix-migration.patch
-> 0050-scsi-esp-fix-migration.patch
0072-xen-when-removing-a-backend-don-t-r.patch
-> 0051-xen-when-removing-a-backend-don-t-r.patch
0073-xen-drain-submit-queue-in-xen-usb-b.patch
-> 0052-xen-drain-submit-queue-in-xen-usb-b.patch
0074-qcow2-avoid-extra-flushes-in-qcow2.patch
-> 0053-qcow2-avoid-extra-flushes-in-qcow2.patch
0075-qemu-bridge-helper-reduce-security-.patch
-> 0054-qemu-bridge-helper-reduce-security-.patch
0076-xen-use-a-common-function-for-pv-an.patch
-> 0055-xen-use-a-common-function-for-pv-an.patch
-------------------------------------------------------------------
Wed Aug 3 21:36:14 UTC 2016 - brogers@suse.com

View File

@ -71,10 +71,10 @@ Url: http://www.qemu.org/
Summary: Universal CPU emulator
License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
Group: System/Emulators/PC
Version: 2.6.0
Version: 2.6.1
Release: 0
Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2
Source99: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2.sig
Source: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2
Source99: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2.sig
Source1: 80-kvm.rules
Source2: qemu-ifup
Source3: kvm_stat
@ -127,42 +127,21 @@ Patch0037: 0037-dictzip-Fix-on-big-endian-systems.patch
Patch0038: 0038-block-split-large-discard-requests-.patch
Patch0039: 0039-xen_disk-Add-suse-specific-flush-di.patch
Patch0040: 0040-build-link-with-libatomic-on-powerp.patch
Patch0041: 0041-net-mipsnet-check-packet-length-aga.patch
Patch0042: 0042-i386-kvmvapic-initialise-imm32-vari.patch
Patch0043: 0043-esp-check-command-buffer-length-bef.patch
Patch0044: 0044-esp-check-dma-length-before-reading.patch
Patch0045: 0045-scsi-pvscsi-check-command-descripto.patch
Patch0046: 0046-scsi-mptsas-infinite-loop-while-fet.patch
Patch0047: 0047-vga-add-sr_vbe-register-set.patch
Patch0048: 0048-scsi-megasas-use-appropriate-proper.patch
Patch0049: 0049-scsi-megasas-check-read_queue_head-.patch
Patch0050: 0050-scsi-megasas-null-terminate-bios-ve.patch
Patch0051: 0051-vmsvga-move-fifo-sanity-checks-to-v.patch
Patch0052: 0052-vmsvga-don-t-process-more-than-1024.patch
Patch0053: 0053-block-iscsi-avoid-potential-overflo.patch
Patch0054: 0054-scsi-esp-check-TI-buffer-index-befo.patch
Patch0055: 0055-xen-introduce-dummy-system-device.patch
Patch0056: 0056-xen-write-information-about-support.patch
Patch0057: 0057-xen-add-pvUSB-backend.patch
Patch0058: 0058-xen-move-xen_sysdev-to-xen_backend..patch
Patch0059: 0059-vnc-add-configurable-keyboard-delay.patch
Patch0060: 0060-scsi-megasas-initialise-local-confi.patch
Patch0061: 0061-configure-add-echo_version-helper.patch
Patch0062: 0062-configure-support-vte-2.91.patch
Patch0063: 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
Patch0064: 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
Patch0065: 0065-scsi-esp-check-buffer-length-before.patch
Patch0066: 0066-scsi-esp-respect-FIFO-invariant-aft.patch
Patch0067: 0067-pci-assign-Move-Invalid-ROM-error-m.patch
Patch0068: 0068-Xen-PCI-passthrough-fix-passthrough.patch
Patch0069: 0069-scsi-esp-make-cmdbuf-big-enough-for.patch
Patch0070: 0070-scsi-esp-fix-migration.patch
Patch0071: 0071-virtio-error-out-if-guest-exceeds-v.patch
Patch0072: 0072-xen-when-removing-a-backend-don-t-r.patch
Patch0073: 0073-xen-drain-submit-queue-in-xen-usb-b.patch
Patch0074: 0074-qcow2-avoid-extra-flushes-in-qcow2.patch
Patch0075: 0075-qemu-bridge-helper-reduce-security-.patch
Patch0076: 0076-xen-use-a-common-function-for-pv-an.patch
Patch0041: 0041-xen-introduce-dummy-system-device.patch
Patch0042: 0042-xen-write-information-about-support.patch
Patch0043: 0043-xen-add-pvUSB-backend.patch
Patch0044: 0044-xen-move-xen_sysdev-to-xen_backend..patch
Patch0045: 0045-vnc-add-configurable-keyboard-delay.patch
Patch0046: 0046-configure-add-echo_version-helper.patch
Patch0047: 0047-configure-support-vte-2.91.patch
Patch0048: 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
Patch0049: 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
Patch0050: 0050-scsi-esp-fix-migration.patch
Patch0051: 0051-xen-when-removing-a-backend-don-t-r.patch
Patch0052: 0052-xen-drain-submit-queue-in-xen-usb-b.patch
Patch0053: 0053-qcow2-avoid-extra-flushes-in-qcow2.patch
Patch0054: 0054-qemu-bridge-helper-reduce-security-.patch
Patch0055: 0055-xen-use-a-common-function-for-pv-an.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -742,7 +721,7 @@ This package provides a service file for starting and stopping KSM.
%endif # !qemu-testsuite
%prep
%setup -q -n qemu-2.6.0
%setup -q -n qemu-2.6.1
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
@ -798,27 +777,6 @@ This package provides a service file for starting and stopping KSM.
%patch0053 -p1
%patch0054 -p1
%patch0055 -p1
%patch0056 -p1
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
%patch0073 -p1
%patch0074 -p1
%patch0075 -p1
%patch0076 -p1
%if %{build_x86_fw_from_source}
pushd roms/seabios

View File

@ -1,3 +1,62 @@
-------------------------------------------------------------------
Wed Aug 17 20:25:13 UTC 2016 - brogers@suse.com
- Update to v2.6.1 a stable, bug-fix-only release (fate#316228)
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6
* Patches dropped (upstreamed):
0041-net-mipsnet-check-packet-length-aga.patch
0042-i386-kvmvapic-initialise-imm32-vari.patch
0043-esp-check-command-buffer-length-bef.patch
0044-esp-check-dma-length-before-reading.patch
0045-scsi-pvscsi-check-command-descripto.patch
0046-scsi-mptsas-infinite-loop-while-fet.patch
0047-vga-add-sr_vbe-register-set.patch
0048-scsi-megasas-use-appropriate-proper.patch
0049-scsi-megasas-check-read_queue_head-.patch
0050-scsi-megasas-null-terminate-bios-ve.patch
0051-vmsvga-move-fifo-sanity-checks-to-v.patch
0052-vmsvga-don-t-process-more-than-1024.patch
0053-block-iscsi-avoid-potential-overflo.patch
0054-scsi-esp-check-TI-buffer-index-befo.patch
0060-scsi-megasas-initialise-local-confi.patch
0065-scsi-esp-check-buffer-length-before.patch
0066-scsi-esp-respect-FIFO-invariant-aft.patch
0067-pci-assign-Move-Invalid-ROM-error-m.patch
0068-Xen-PCI-passthrough-fix-passthrough.patch
0069-scsi-esp-make-cmdbuf-big-enough-for.patch
0071-virtio-error-out-if-guest-exceeds-v.patch
* Patches renamed:
0055-xen-introduce-dummy-system-device.patch
-> 0041-xen-introduce-dummy-system-device.patch
0056-xen-write-information-about-support.patch
-> 0042-xen-write-information-about-support.patch
0057-xen-add-pvUSB-backend.patch
-> 0043-xen-add-pvUSB-backend.patch
0058-xen-move-xen_sysdev-to-xen_backend..patch
-> 0044-xen-move-xen_sysdev-to-xen_backend..patch
0059-vnc-add-configurable-keyboard-delay.patch
-> 0045-vnc-add-configurable-keyboard-delay.patch
0061-configure-add-echo_version-helper.patch
-> 0046-configure-add-echo_version-helper.patch
0062-configure-support-vte-2.91.patch
-> 0047-configure-support-vte-2.91.patch
0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
-> 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
-> 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
0070-scsi-esp-fix-migration.patch
-> 0050-scsi-esp-fix-migration.patch
0072-xen-when-removing-a-backend-don-t-r.patch
-> 0051-xen-when-removing-a-backend-don-t-r.patch
0073-xen-drain-submit-queue-in-xen-usb-b.patch
-> 0052-xen-drain-submit-queue-in-xen-usb-b.patch
0074-qcow2-avoid-extra-flushes-in-qcow2.patch
-> 0053-qcow2-avoid-extra-flushes-in-qcow2.patch
0075-qemu-bridge-helper-reduce-security-.patch
-> 0054-qemu-bridge-helper-reduce-security-.patch
0076-xen-use-a-common-function-for-pv-an.patch
-> 0055-xen-use-a-common-function-for-pv-an.patch
-------------------------------------------------------------------
Wed Aug 3 21:36:14 UTC 2016 - brogers@suse.com

View File

@ -71,10 +71,10 @@ Url: http://www.qemu.org/
Summary: Universal CPU emulator
License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
Group: System/Emulators/PC
Version: 2.6.0
Version: 2.6.1
Release: 0
Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2
Source99: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2.sig
Source: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2
Source99: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2.sig
Source1: 80-kvm.rules
Source2: qemu-ifup
Source3: kvm_stat
@ -127,42 +127,21 @@ Patch0037: 0037-dictzip-Fix-on-big-endian-systems.patch
Patch0038: 0038-block-split-large-discard-requests-.patch
Patch0039: 0039-xen_disk-Add-suse-specific-flush-di.patch
Patch0040: 0040-build-link-with-libatomic-on-powerp.patch
Patch0041: 0041-net-mipsnet-check-packet-length-aga.patch
Patch0042: 0042-i386-kvmvapic-initialise-imm32-vari.patch
Patch0043: 0043-esp-check-command-buffer-length-bef.patch
Patch0044: 0044-esp-check-dma-length-before-reading.patch
Patch0045: 0045-scsi-pvscsi-check-command-descripto.patch
Patch0046: 0046-scsi-mptsas-infinite-loop-while-fet.patch
Patch0047: 0047-vga-add-sr_vbe-register-set.patch
Patch0048: 0048-scsi-megasas-use-appropriate-proper.patch
Patch0049: 0049-scsi-megasas-check-read_queue_head-.patch
Patch0050: 0050-scsi-megasas-null-terminate-bios-ve.patch
Patch0051: 0051-vmsvga-move-fifo-sanity-checks-to-v.patch
Patch0052: 0052-vmsvga-don-t-process-more-than-1024.patch
Patch0053: 0053-block-iscsi-avoid-potential-overflo.patch
Patch0054: 0054-scsi-esp-check-TI-buffer-index-befo.patch
Patch0055: 0055-xen-introduce-dummy-system-device.patch
Patch0056: 0056-xen-write-information-about-support.patch
Patch0057: 0057-xen-add-pvUSB-backend.patch
Patch0058: 0058-xen-move-xen_sysdev-to-xen_backend..patch
Patch0059: 0059-vnc-add-configurable-keyboard-delay.patch
Patch0060: 0060-scsi-megasas-initialise-local-confi.patch
Patch0061: 0061-configure-add-echo_version-helper.patch
Patch0062: 0062-configure-support-vte-2.91.patch
Patch0063: 0063-hw-arm-virt-mark-the-PCIe-host-cont.patch
Patch0064: 0064-xen-SUSE-xenlinux-unplug-for-emulat.patch
Patch0065: 0065-scsi-esp-check-buffer-length-before.patch
Patch0066: 0066-scsi-esp-respect-FIFO-invariant-aft.patch
Patch0067: 0067-pci-assign-Move-Invalid-ROM-error-m.patch
Patch0068: 0068-Xen-PCI-passthrough-fix-passthrough.patch
Patch0069: 0069-scsi-esp-make-cmdbuf-big-enough-for.patch
Patch0070: 0070-scsi-esp-fix-migration.patch
Patch0071: 0071-virtio-error-out-if-guest-exceeds-v.patch
Patch0072: 0072-xen-when-removing-a-backend-don-t-r.patch
Patch0073: 0073-xen-drain-submit-queue-in-xen-usb-b.patch
Patch0074: 0074-qcow2-avoid-extra-flushes-in-qcow2.patch
Patch0075: 0075-qemu-bridge-helper-reduce-security-.patch
Patch0076: 0076-xen-use-a-common-function-for-pv-an.patch
Patch0041: 0041-xen-introduce-dummy-system-device.patch
Patch0042: 0042-xen-write-information-about-support.patch
Patch0043: 0043-xen-add-pvUSB-backend.patch
Patch0044: 0044-xen-move-xen_sysdev-to-xen_backend..patch
Patch0045: 0045-vnc-add-configurable-keyboard-delay.patch
Patch0046: 0046-configure-add-echo_version-helper.patch
Patch0047: 0047-configure-support-vte-2.91.patch
Patch0048: 0048-hw-arm-virt-mark-the-PCIe-host-cont.patch
Patch0049: 0049-xen-SUSE-xenlinux-unplug-for-emulat.patch
Patch0050: 0050-scsi-esp-fix-migration.patch
Patch0051: 0051-xen-when-removing-a-backend-don-t-r.patch
Patch0052: 0052-xen-drain-submit-queue-in-xen-usb-b.patch
Patch0053: 0053-qcow2-avoid-extra-flushes-in-qcow2.patch
Patch0054: 0054-qemu-bridge-helper-reduce-security-.patch
Patch0055: 0055-xen-use-a-common-function-for-pv-an.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -742,7 +721,7 @@ This package provides a service file for starting and stopping KSM.
%endif # !qemu-testsuite
%prep
%setup -q -n qemu-2.6.0
%setup -q -n qemu-2.6.1
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
@ -798,27 +777,6 @@ This package provides a service file for starting and stopping KSM.
%patch0053 -p1
%patch0054 -p1
%patch0055 -p1
%patch0056 -p1
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
%patch0073 -p1
%patch0074 -p1
%patch0075 -p1
%patch0076 -p1
%if %{build_x86_fw_from_source}
pushd roms/seabios

View File

@ -73,8 +73,8 @@ License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
Group: System/Emulators/PC
QEMU_VERSION
Release: 0
Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2
Source99: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2.sig
Source: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2
Source99: http://wiki.qemu.org/download/qemu-2.6.1.tar.bz2.sig
Source1: 80-kvm.rules
Source2: qemu-ifup
Source3: kvm_stat
@ -667,7 +667,7 @@ This package provides a service file for starting and stopping KSM.
%endif # !qemu-testsuite
%prep
%setup -q -n qemu-2.6.0
%setup -q -n qemu-2.6.1
PATCH_EXEC
%if %{build_x86_fw_from_source}

View File

@ -14,7 +14,7 @@ set -e
GIT_TREE=git://github.com/openSUSE/qemu.git
GIT_LOCAL_TREE=~/git/qemu-opensuse
GIT_BRANCH=opensuse-2.6
GIT_UPSTREAM_TAG=v2.6.0
GIT_UPSTREAM_TAG=v2.6.1
GIT_DIR=/dev/shm/qemu-factory-git-dir
CMP_DIR=/dev/shm/qemu-factory-cmp-dir