rpm/qemu
SHA256
1
0
Fork 0
forked from pool/qemu
Code Pull Requests Activity

Accepting request 240239 from home:a_faerber:branches:Virtualization

Browse Source 
Update to v2.1.0-rc1

OBS-URL: https://build.opensuse.org/request/show/240239
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=216
This commit is contained in:
Bruce Rogers 2014-07-11 16:51:43 +00:00 committed by Git OBS Bridge
parent 492abd0d82
commit c08c3d8fd2
88 changed files with 471 additions and 2426 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
0001-XXX-dont-dump-core-on-sigabort.patch
View File

@ -1,4 +1,4 @@
From afd1df16c2e7b2dd5d4478f2ba6e29a1296c8cfa Mon Sep 17 00:00:00 2001
From 96d07382a32a794a4aaa56afd3a067fd72cc1158 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 21 Nov 2011 23:50:36 +0100
Subject: [PATCH] XXX dont dump core on sigabort
@ -8,7 +8,7 @@ Subject: [PATCH] XXX dont dump core on sigabort
1 file changed, 6 insertions(+)
diff --git a/linux-user/signal.c b/linux-user/signal.c
index 7d6246f..1bcf16f 100644
index f3b4378..dd21475 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -448,6 +448,10 @@ static void QEMU_NORETURN force_sig(int target_sig)

26
0002-XXX-work-around-SA_RESTART-race-wit.patch
View File

@ -1,4 +1,4 @@
From e9ce5f593385ed16e456058d1f873e381c9d053d Mon Sep 17 00:00:00 2001
From 8448fdb25ea828ec1c0359a5ede533b0fab92f99 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 1 Dec 2011 19:00:01 +0100
Subject: [PATCH] XXX work around SA_RESTART race with boehm-gc (ARM only)
@ -13,10 +13,10 @@ Subject: [PATCH] XXX work around SA_RESTART race with boehm-gc (ARM only)
4 files changed, 130 insertions(+), 10 deletions(-)
diff --git a/linux-user/main.c b/linux-user/main.c
index af924dc..c7423e6 100644
index b453a39..9df92da 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -814,15 +814,22 @@ void cpu_loop(CPUARMState *env)
@@ -816,15 +816,22 @@ void cpu_loop(CPUARMState *env)
break;
}
} else {
@ -49,10 +49,10 @@ index af924dc..c7423e6 100644
} else {
goto error;
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index 36d4a73..a2c4e35 100644
index 8012cc2..e29c7f3 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -134,6 +134,8 @@ typedef struct TaskState {
@@ -135,6 +135,8 @@ typedef struct TaskState {
struct sigqueue sigqueue_table[MAX_SIGQUEUE_SIZE]; /* siginfo queue */
struct sigqueue *first_free; /* first free siginfo queue entry */
int signal_pending; /* non zero if a signal may be pending */
@ -61,7 +61,7 @@ index 36d4a73..a2c4e35 100644
} __attribute__((aligned(16))) TaskState;
extern char *exec_path;
@@ -199,6 +201,7 @@ int get_osversion(void);
@@ -200,6 +202,7 @@ int get_osversion(void);
void init_qemu_uname_release(void);
void fork_start(void);
void fork_end(int child);
@ -70,7 +70,7 @@ index 36d4a73..a2c4e35 100644
/* Creates the initial guest address space in the host memory space using
* the given host start address hint and size. The guest_start parameter
diff --git a/linux-user/signal.c b/linux-user/signal.c
index 1bcf16f..cfaf501 100644
index dd21475..13affa3 100644
--- a/linux-user/signal.c
+++ b/linux-user/signal.c
@@ -25,6 +25,7 @@
@ -93,7 +93,7 @@ index 1bcf16f..cfaf501 100644
return 1; /* indicates that the signal was queued */
}
}
@@ -706,8 +712,24 @@ int do_sigaction(int sig, const struct target_sigaction *act,
@@ -707,8 +713,24 @@ int do_sigaction(int sig, const struct target_sigaction *act,
if (host_sig != SIGSEGV && host_sig != SIGBUS) {
sigfillset(&act1.sa_mask);
act1.sa_flags = SA_SIGINFO;
@ -119,10 +119,10 @@ index 1bcf16f..cfaf501 100644
ignore state to avoid getting unexpected interrupted
syscalls */
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 9864813..1d791a3 100644
index 5a272d3..00f9165 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -5259,6 +5259,87 @@ static int do_open(void *cpu_env, const char *pathname, int flags, mode_t mode)
@@ -5311,6 +5311,87 @@ static int do_open(void *cpu_env, const char *pathname, int flags, mode_t mode)
return get_errno(open(path(pathname), flags, mode));
}
@ -210,7 +210,7 @@ index 9864813..1d791a3 100644
/* do_syscall() should always have a single exit point at the end so
that actions, such as logging of syscall results, can be performed.
All errnos that do_syscall() returns must be -TARGET_<errcode>. */
@@ -5272,6 +5353,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
@@ -5324,6 +5405,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
struct stat st;
struct statfs stfs;
void *p;
@ -223,7 +223,7 @@ index 9864813..1d791a3 100644
#ifdef DEBUG
gemu_log("syscall %d", num);
@@ -8457,7 +8544,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
@@ -8575,7 +8662,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
cmd = target_to_host_fcntl_cmd(arg2);
if (cmd == -TARGET_EINVAL) {
ret = cmd;
@ -232,7 +232,7 @@ index 9864813..1d791a3 100644
}
switch(arg2) {
@@ -9395,6 +9482,7 @@ fail:
@@ -9513,6 +9600,7 @@ fail:
#endif
if(do_strace)
print_syscall_ret(num, ret);

2
0003-qemu-0.9.0.cvs-binfmt.patch
View File

@ -1,4 +1,4 @@
From b34c0c408d3f08110ccb980d4ca0ef58a1a03c86 Mon Sep 17 00:00:00 2001
From 503851537efa06d26e32efefd669d26a6f73d4f6 Mon Sep 17 00:00:00 2001
From: Ulrich Hecht <uli@suse.de>
Date: Tue, 14 Apr 2009 16:18:44 +0200
Subject: [PATCH] qemu-0.9.0.cvs-binfmt

2
0004-qemu-cvs-alsa_bitfield.patch
View File

@ -1,4 +1,4 @@
From 08da583bd034109d09bfa6fedaa19bd0bdbc6c3a Mon Sep 17 00:00:00 2001
From c75fb180df47cd5fb2e76452e21f104290569d5e Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:20:50 +0200
Subject: [PATCH] qemu-cvs-alsa_bitfield

10
0005-qemu-cvs-alsa_ioctl.patch
View File

@ -1,4 +1,4 @@
From 4820daf43dce7bbafc27ab1102a6eb52a17e4da9 Mon Sep 17 00:00:00 2001
From 664ebaf05570f05f38b87552d4186294b5d4d442 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:23:27 +0200
Subject: [PATCH] qemu-cvs-alsa_ioctl
@ -20,10 +20,10 @@ Signed-off-by: Ulrich Hecht <uli@suse.de>
create mode 100644 linux-user/syscall_types_alsa.h
diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
index 309fb21..d35f072 100644
index 07a00da..762779e 100644
--- a/linux-user/ioctls.h
+++ b/linux-user/ioctls.h
@@ -316,6 +316,11 @@
@@ -318,6 +318,11 @@
IOCTL(VFAT_IOCTL_READDIR_BOTH, IOC_R, MK_PTR(MK_ARRAY(MK_STRUCT(STRUCT_dirent), 2)))
IOCTL(VFAT_IOCTL_READDIR_SHORT, IOC_R, MK_PTR(MK_ARRAY(MK_STRUCT(STRUCT_dirent), 2)))
@ -2255,10 +2255,10 @@ index 0000000..e09a30d
+ unsigned char *code;
+};
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index fdf9a47..a2ac23e 100644
index 8563027..52691fb 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -2545,6 +2545,8 @@ struct target_ucred {
@@ -2552,6 +2552,8 @@ struct target_ucred {
uint32_t gid;
};

2
0006-qemu-cvs-alsa_mmap.patch
View File

@ -1,4 +1,4 @@
From b1f94337048b56d240420c0d0a37ad061084904c Mon Sep 17 00:00:00 2001
From c68e95bcf9ccbab4100a565447ac624adca96220 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:24:15 +0200
Subject: [PATCH] qemu-cvs-alsa_mmap

6
0007-qemu-cvs-gettimeofday.patch
View File

@ -1,4 +1,4 @@
From 2a9ed81b68696702c3dfab0e3635ca1a7afe1ea4 Mon Sep 17 00:00:00 2001
From 879e98e20a1010c5067bf0947c6ff788404da5b8 Mon Sep 17 00:00:00 2001
From: Ulrich Hecht <uli@suse.de>
Date: Tue, 14 Apr 2009 16:25:41 +0200
Subject: [PATCH] qemu-cvs-gettimeofday
@ -9,10 +9,10 @@ No clue what this is for.
1 file changed, 2 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 1d791a3..206dd12 100644
index 00f9165..f3b02f0 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -6403,6 +6403,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
@@ -6486,6 +6486,8 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
case TARGET_NR_gettimeofday:
{
struct timeval tv;

6
0008-qemu-cvs-ioctl_debug.patch
View File

@ -1,4 +1,4 @@
From 9671d1a0e8e53a44513131d105c0f543c181cc0f Mon Sep 17 00:00:00 2001
From 641ca10f4b28d9012f8a7c2aee9726d6747e4f23 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:26:33 +0200
Subject: [PATCH] qemu-cvs-ioctl_debug
@ -12,10 +12,10 @@ Signed-off-by: Ulrich Hecht <uli@suse.de>
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 206dd12..3407fd7 100644
index f3b02f0..8d96462 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3654,7 +3654,12 @@ static abi_long do_ioctl(int fd, abi_long cmd, abi_long arg)
@@ -3719,7 +3719,12 @@ static abi_long do_ioctl(int fd, abi_long cmd, abi_long arg)
ie = ioctl_entries;
for(;;) {
if (ie->target_cmd == 0) {

8
0009-qemu-cvs-ioctl_nodirection.patch
View File

@ -1,4 +1,4 @@
From a535f471a344608107dce681f66a75b38f9e8441 Mon Sep 17 00:00:00 2001
From 5487b8e2361b102d668d4e4cf5eba350f0dc5a62 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 14 Apr 2009 16:27:36 +0200
Subject: [PATCH] qemu-cvs-ioctl_nodirection
@ -15,10 +15,10 @@ Signed-off-by: Ulrich Hecht <uli@suse.de>
1 file changed, 6 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 3407fd7..7d7d700 100644
index 8d96462..576ad77 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3688,6 +3688,11 @@ static abi_long do_ioctl(int fd, abi_long cmd, abi_long arg)
@@ -3753,6 +3753,11 @@ static abi_long do_ioctl(int fd, abi_long cmd, abi_long arg)
arg_type++;
target_size = thunk_type_size(arg_type, 0);
switch(ie->access) {
@ -30,7 +30,7 @@ index 3407fd7..7d7d700 100644
case IOC_R:
ret = get_errno(ioctl(fd, ie->host_cmd, buf_temp));
if (!is_error(ret)) {
@@ -3706,6 +3711,7 @@ static abi_long do_ioctl(int fd, abi_long cmd, abi_long arg)
@@ -3771,6 +3776,7 @@ static abi_long do_ioctl(int fd, abi_long cmd, abi_long arg)
unlock_user(argptr, arg, 0);
ret = get_errno(ioctl(fd, ie->host_cmd, buf_temp));
break;

96
0010-block-vmdk-Support-creation-of-SCSI.patch
View File

@ -1,4 +1,4 @@
From a96062c693f9fa9ce4d0dd23c9cfc8816b0eacce Mon Sep 17 00:00:00 2001
From a95bbe675538b7229a681000c4712e8a67b37c37 Mon Sep 17 00:00:00 2001
From: Ulrich Hecht <uli@suse.de>
Date: Tue, 14 Apr 2009 16:37:42 +0200
Subject: [PATCH] block/vmdk: Support creation of SCSI VMDK images in qemu-img
@ -11,71 +11,61 @@ Signed-off-by: Ulrich Hecht <uli@suse.de>
[AF: Rebased onto upstream VMDK SCSI support]
[AF: Rebased onto skipping of image creation in v1.7]
[AF: Simplified in preparation for v1.7.1/v2.0]
[AF: Rebased onto QemuOpts conversion for v2.1]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block.c | 6 +++++-
block/vmdk.c | 9 ++++++++-
include/block/block_int.h | 2 ++
qemu-img.c | 8 +++++++-
4 files changed, 22 insertions(+), 3 deletions(-)
block.c | 3 +++
block/vmdk.c | 10 +++++++++-
include/block/block_int.h | 2 ++
qemu-img.c | 7 +++++++
4 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/block.c b/block.c
index 990a754..40c5c84 100644
index 8800a6b..a456134 100644
--- a/block.c
+++ b/block.c
@@ -5277,7 +5277,7 @@ void bdrv_img_create(const char *filename, const char *fmt,
Error **errp, bool quiet)
{
QEMUOptionParameter *param = NULL, *create_options = NULL;
- QEMUOptionParameter *backing_fmt, *backing_file, *size;
+ QEMUOptionParameter *backing_fmt, *backing_file, *size, *scsi;
BlockDriver *drv, *proto_drv;
BlockDriver *backing_drv = NULL;
Error *local_err = NULL;
@@ -5392,6 +5392,10 @@ void bdrv_img_create(const char *filename, const char *fmt,
@@ -5597,6 +5597,9 @@ void bdrv_img_create(const char *filename, const char *fmt,
if (!quiet) {
printf("Formatting '%s', fmt=%s ", filename, fmt);
print_option_parameters(param);
+ scsi = get_option_parameter(param, BLOCK_OPT_SCSI);
+ if (scsi && scsi->value.n) {
qemu_opts_print(opts);
+ if (qemu_opt_get_bool(opts, BLOCK_OPT_SCSI, false)) {
+ printf(", SCSI");
+ }
puts("");
}
ret = bdrv_create(drv, filename, param, &local_err);
diff --git a/block/vmdk.c b/block/vmdk.c
index b69988d..59c468d 100644
index 27a78da..b26fdb2 100644
--- a/block/vmdk.c
+++ b/block/vmdk.c
@@ -1744,11 +1744,13 @@ static int vmdk_create(const char *filename, QEMUOptionParameter *options,
fmt = options->value.s;
} else if (!strcmp(options->name, BLOCK_OPT_ZEROED_GRAIN)) {
zeroed_grain |= options->value.n;
+ } else if (!strcmp(options->name, BLOCK_OPT_SCSI)) {
+ flags |= options->value.n ? BLOCK_FLAG_SCSI: 0;
}
options++;
@@ -1754,9 +1754,12 @@ static int vmdk_create(const char *filename, QemuOpts *opts, Error **errp)
if (qemu_opt_get_bool_del(opts, BLOCK_OPT_ZEROED_GRAIN, false)) {
zeroed_grain = true;
}
+ if (qemu_opt_get_bool_del(opts, BLOCK_OPT_SCSI, false)) {
+ flags |= BLOCK_FLAG_SCSI;
+ }
if (!adapter_type) {
- adapter_type = "ide";
+ adapter_type = flags & BLOCK_FLAG_SCSI ? "lsilogic" : "ide";
- adapter_type = g_strdup("ide");
+ adapter_type = g_strdup(flags & BLOCK_FLAG_SCSI ? "lsilogic" : "ide");
} else if (strcmp(adapter_type, "ide") &&
strcmp(adapter_type, "buslogic") &&
strcmp(adapter_type, "lsilogic") &&
@@ -2096,6 +2098,11 @@ static QEMUOptionParameter vmdk_create_options[] = {
.type = OPT_FLAG,
.help = "Enable efficient zero writes using the zeroed-grain GTE feature"
},
+ {
+ .name = BLOCK_OPT_SCSI,
+ .type = OPT_FLAG,
+ .help = "SCSI image"
+ },
{ NULL }
@@ -2153,6 +2156,11 @@ static QemuOptsList vmdk_create_opts = {
.help = "Enable efficient zero writes "
"using the zeroed-grain GTE feature"
},
+ {
+ .name = BLOCK_OPT_SCSI,
+ .type = QEMU_OPT_BOOL,
+ .help = "SCSI image"
+ },
{ /* end of list */ }
}
};
diff --git a/include/block/block_int.h b/include/block/block_int.h
index cd5bc73..0d4208f 100644
index f6c3bef..138c102 100644
--- a/include/block/block_int.h
+++ b/include/block/block_int.h
@@ -40,10 +40,12 @@
@ -92,23 +82,15 @@ index cd5bc73..0d4208f 100644
#define BLOCK_OPT_BACKING_FMT "backing_fmt"
#define BLOCK_OPT_CLUSTER_SIZE "cluster_size"
diff --git a/qemu-img.c b/qemu-img.c
index 8455994..a8545b7 100644
index c98896b..1608434 100644
--- a/qemu-img.c
+++ b/qemu-img.c
@@ -1154,7 +1154,7 @@ static int img_convert(int argc, char **argv)
const uint8_t *buf1;
BlockDriverInfo bdi;
QEMUOptionParameter *param = NULL, *create_options = NULL;
- QEMUOptionParameter *out_baseimg_param;
+ QEMUOptionParameter *out_baseimg_param, *scsi;
char *options = NULL;
const char *snapshot_name = NULL;
int min_sparse = 8; /* Need at least 4k of zeros for sparse detection */
@@ -1398,6 +1398,12 @@ static int img_convert(int argc, char **argv)
@@ -1431,6 +1431,13 @@ static int img_convert(int argc, char **argv)
}
}
+ if ((scsi = get_option_parameter(param, BLOCK_OPT_SCSI)) && scsi->value.n && strcmp(drv->format_name, "vmdk")) {
+ if (qemu_opt_get_bool(opts, BLOCK_OPT_SCSI, false)
+ && strcmp(drv->format_name, "vmdk")) {
+ error_report("SCSI devices not supported for this file format");
+ ret = -1;
+ goto out;
@ -116,4 +98,4 @@ index 8455994..a8545b7 100644
+
if (!skip_create) {
/* Create the new image */
ret = bdrv_create(drv, out_filename, param, &local_err);
ret = bdrv_create(drv, out_filename, opts, &local_err);

23
0011-linux-user-add-binfmt-wrapper-for-a.patch
View File

@ -1,4 +1,4 @@
From 99a52830916b325a52d7eac1abb979d525229fc4 Mon Sep 17 00:00:00 2001
From ec805d63aae6d64cca97882a7b6ecb1e29569e18 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Fri, 30 Sep 2011 19:40:36 +0200
Subject: [PATCH] linux-user: add binfmt wrapper for argv[0] handling
@ -26,6 +26,7 @@ CC: Reinhard Max <max@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
[AF: Rebased onto new Makefile infrastructure, twice]
[AF: Updated for aarch64 for v2.0.0-rc1]
[AF: Rebased onto Makefile changes for v2.1.0-rc0]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
Makefile.target | 13 +++++++++++++
@ -36,11 +37,11 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
create mode 100644 linux-user/binfmt.c
diff --git a/Makefile.target b/Makefile.target
index ba12340..87d5724 100644
index 137d0b0..57181a4 100644
--- a/Makefile.target
+++ b/Makefile.target
@@ -31,6 +31,10 @@ PROGS+=$(QEMU_PROGW)
endif
@@ -34,6 +34,10 @@ endif
PROGS=$(QEMU_PROG) $(QEMU_PROGW)
STPFILES=
+ifdef CONFIG_LINUX_USER
@ -50,7 +51,7 @@ index ba12340..87d5724 100644
config-target.h: config-target.h-timestamp
config-target.h-timestamp: config-target.mak
@@ -92,6 +96,8 @@ QEMU_CFLAGS+=-I$(SRC_PATH)/linux-user/$(TARGET_ABI_DIR) -I$(SRC_PATH)/linux-user
@@ -101,6 +105,8 @@ QEMU_CFLAGS+=-I$(SRC_PATH)/linux-user/$(TARGET_ABI_DIR) -I$(SRC_PATH)/linux-user
obj-y += linux-user/
obj-y += gdbstub.o thunk.o user-exec.o
@ -59,7 +60,7 @@ index ba12340..87d5724 100644
endif #CONFIG_LINUX_USER
#########################################################
@@ -137,7 +143,11 @@ endif # CONFIG_SOFTMMU
@@ -149,7 +155,11 @@ endif # CONFIG_SOFTMMU
# Workaround for http://gcc.gnu.org/PR55489, see configure.
%/translate.o: QEMU_CFLAGS += $(TRANSLATE_OPT_CFLAGS)
@ -68,12 +69,12 @@ index ba12340..87d5724 100644
+else
dummy := $(call unnest-vars,,obj-y)
+endif
all-obj-y := $(obj-y)
# we are making another call to unnest-vars with different vars, protect obj-y,
# it can be overriden in subdir Makefile.objs
@@ -173,6 +183,9 @@ $(QEMU_PROG): $(all-obj-y) ../libqemuutil.a ../libqemustub.a
block-obj-y :=
@@ -167,6 +177,9 @@ all-obj-$(CONFIG_SOFTMMU) += $(block-obj-y)
$(QEMU_PROG_BUILD): $(all-obj-y) ../libqemuutil.a ../libqemustub.a
$(call LINK,$^)
endif
+$(QEMU_PROG)-binfmt: $(obj-binfmt-y)
+ $(call LINK,$^)
@ -82,7 +83,7 @@ index ba12340..87d5724 100644
$(call quiet-command,rm -f $@ && $(SHELL) $(SRC_PATH)/scripts/feature_to_c.sh $@ $(TARGET_XML_FILES)," GEN $(TARGET_DIR)$@")
diff --git a/linux-user/Makefile.objs b/linux-user/Makefile.objs
index 5899d72..18212a2 100644
index fd50217..446aca7 100644
--- a/linux-user/Makefile.objs
+++ b/linux-user/Makefile.objs
@@ -5,3 +5,5 @@ obj-$(TARGET_HAS_BFLT) += flatload.o

9
0012-PPC-KVM-Disable-mmu-notifier-check.patch
View File

@ -1,4 +1,4 @@
From 9ceca2f2c25c99e930d31ab11c7ff46dd9d43da6 Mon Sep 17 00:00:00 2001
From 4c1f25ae27b6c76220ff286b904e34bef6da6f51 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Fri, 6 Jan 2012 01:05:55 +0100
Subject: [PATCH] PPC: KVM: Disable mmu notifier check
@ -13,16 +13,17 @@ KVM guests work there, even if possibly racy in some odd circumstances.
1 file changed, 2 insertions(+)
diff --git a/exec.c b/exec.c
index 91513c6..36b5ef6 100644
index 5a2a25e..c942e6a 100644
--- a/exec.c
+++ b/exec.c
@@ -1039,10 +1039,12 @@ static void *file_ram_alloc(RAMBlock *block,
@@ -1037,11 +1037,13 @@ static void *file_ram_alloc(RAMBlock *block,
return NULL;
}
+#ifndef TARGET_PPC
if (kvm_enabled() && !kvm_has_sync_mmu()) {
fprintf(stderr, "host lacks kvm mmu notifiers, -mem-path unsupported\n");
error_setg(errp,
"host lacks kvm mmu notifiers, -mem-path unsupported");
goto error;
}
+#endif

6
0013-linux-user-fix-segfault-deadlock.patch
View File

@ -1,4 +1,4 @@
From c8bac440eee7d3377d27c676dfa6034ea059451c Mon Sep 17 00:00:00 2001
From 90a3fe97f57d72fce339c68ee418fe173f3929ab Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Fri, 13 Jan 2012 17:05:41 +0100
Subject: [PATCH] linux-user: fix segfault deadlock
@ -52,10 +52,10 @@ index a72edda..e460e12 100644
+
#endif
diff --git a/user-exec.c b/user-exec.c
index bc58056..63b3b3d 100644
index 1ff8673..22f9692 100644
--- a/user-exec.c
+++ b/user-exec.c
@@ -93,6 +93,10 @@ static inline int handle_cpu_signal(uintptr_t pc, unsigned long address,
@@ -94,6 +94,10 @@ static inline int handle_cpu_signal(uintptr_t pc, unsigned long address,
qemu_printf("qemu: SIGSEGV pc=0x%08lx address=%08lx w=%d oldset=0x%08lx\n",
pc, address, is_write, *(unsigned long *)old_set);
#endif

2
0014-linux-user-binfmt-support-host-bina.patch
View File

@ -1,4 +1,4 @@
From ae7b4452a263d662035eb35c14fe84590bfff364 Mon Sep 17 00:00:00 2001
From d3b6e9bdc03c61bf460b636482080ec11684ba51 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 2 Feb 2012 18:02:33 +0100
Subject: [PATCH] linux-user: binfmt: support host binaries

16
0015-linux-user-arm-no-tb_flush-on-reset.patch → 0015-target-arm-linux-user-no-tb_flush-o.patch
View File

@ -1,7 +1,7 @@
From bc949bb060b7f52ee5da9ef34e06bb12ba202726 Mon Sep 17 00:00:00 2001
From b05fbdf009740d872cc925230c16f4feebc26a19 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 29 May 2012 15:30:01 +0200
Subject: [PATCH] linux-user: arm: no tb_flush on reset
Subject: [PATCH] target-arm: linux-user: no tb_flush on reset
When running automoc4 as linux-user guest program, it segfaults right after
it creates a thread. Bisecting pointed to commit a84fac1426 which introduces
@ -9,23 +9,25 @@ tb_flush on reset.
So something in our thread creation is broken. But for now, let's revert the
change to at least get a working build again.
[AF: Rebased, fixed typo]
---
target-arm/cpu.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/target-arm/cpu.c b/target-arm/cpu.c
index c32d8c4..052f676 100644
index 05e52e0..96f8cca 100644
--- a/target-arm/cpu.c
+++ b/target-arm/cpu.c
@@ -154,7 +154,11 @@ static void arm_cpu_reset(CPUState *s)
@@ -165,7 +165,11 @@ static void arm_cpu_reset(CPUState *s)
* bake assumptions about into translated code, so we need to
* tb_flush().
*/
+#if !defined(CONFIG_USER_ONLY)
+ /* XXX hack alert! automoc4 segaults after spawning a new thread with this
+ flush enabled */
+ /* XXX hack alert! automoc4 segfaults after spawning a new thread with
+ * this flush enabled */
tb_flush(env);
+#endif
}
#ifndef CONFIG_USER_ONLY
if (kvm_enabled()) {

21
0016-linux-user-Ignore-broken-loop-ioctl.patch
View File

@ -1,7 +1,10 @@
From 9414e435edf0bdf2341c8e69e81e6f42cd73aca4 Mon Sep 17 00:00:00 2001
From 032edaaeb5bd9fdc718820a79c1820592b63ffef Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 12 Jun 2012 04:41:10 +0200
Subject: [PATCH] linux-user: Ignore broken loop ioctl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
During invocations of losetup, we run into an ioctl that doesn't
exist. However, because of that we output an error, which then
@ -10,6 +13,8 @@ screws up the kiwi logic around that call.
So let's silently ignore that bogus ioctl.
Signed-off-by: Alexander Graf <agraf@suse.de>
[AF: Rebased for v2.1.0-rc0]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
linux-user/ioctls.h | 1 +
linux-user/linux_loop.h | 1 +
@ -18,10 +23,10 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
4 files changed, 10 insertions(+)
diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
index d35f072..2181ea3 100644
index 762779e..038a799 100644
--- a/linux-user/ioctls.h
+++ b/linux-user/ioctls.h
@@ -328,6 +328,7 @@
@@ -330,6 +330,7 @@
IOCTL(LOOP_SET_STATUS64, IOC_W, MK_PTR(MK_STRUCT(STRUCT_loop_info64)))
IOCTL(LOOP_GET_STATUS64, IOC_W, MK_PTR(MK_STRUCT(STRUCT_loop_info64)))
IOCTL(LOOP_CHANGE_FD, 0, TYPE_INT)
@ -41,11 +46,11 @@ index 8974caa..810ae61 100644
#endif
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 7d7d700..4823aa0 100644
index 576ad77..af0479e 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3631,6 +3631,13 @@ static abi_long do_ioctl_rt(const IOCTLEntry *ie, uint8_t *buf_temp,
return ret;
@@ -3696,6 +3696,13 @@ static abi_long do_ioctl_kdsigaccept(const IOCTLEntry *ie, uint8_t *buf_temp,
return get_errno(ioctl(fd, ie->host_cmd, sig));
}
+static abi_long do_ioctl_fail(const IOCTLEntry *ie, uint8_t *buf_temp, int fd,
@ -59,10 +64,10 @@ index 7d7d700..4823aa0 100644
#define IOCTL(cmd, access, ...) \
{ TARGET_ ## cmd, cmd, #cmd, access, 0, { __VA_ARGS__ } },
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index a2ac23e..dd6d041 100644
index 52691fb..794215e 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -1044,6 +1044,7 @@ struct target_pollfd {
@@ -1051,6 +1051,7 @@ struct target_pollfd {
#define TARGET_LOOP_SET_STATUS64 0x4C04
#define TARGET_LOOP_GET_STATUS64 0x4C05
#define TARGET_LOOP_CHANGE_FD 0x4C06

50
0017-linux-user-lock-tcg.patch
View File

@ -1,4 +1,4 @@
From c06014909fc303dffb38e62943d88c4ba9f8da31 Mon Sep 17 00:00:00 2001
From 56ad45f04c594535e2428ab6efbb2ceb36946e9f Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 5 Jul 2012 17:31:39 +0200
Subject: [PATCH] linux-user: lock tcg
@ -11,12 +11,13 @@ different threads.
Signed-off-by: Alexander Graf <agraf@suse.de>
[AF: Rebased onto exec.c/translate-all.c split for 1.4]
[AF: Rebased for v2.1.0-rc0]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
linux-user/mmap.c | 3 +++
tcg/tcg.c | 36 ++++++++++++++++++++++++++++++++++--
tcg/tcg.h | 6 ++++++
3 files changed, 43 insertions(+), 2 deletions(-)
tcg/tcg.h | 5 +++++
3 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index 34a5615..7ebf953 100644
@ -47,11 +48,11 @@ index 34a5615..7ebf953 100644
}
diff --git a/tcg/tcg.c b/tcg/tcg.c
index f1e0763..4f36b40 100644
index c068990..e404655 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -40,6 +40,8 @@
#include "qemu/cache-utils.h"
@@ -39,6 +39,8 @@
#include "qemu-common.h"
#include "qemu/host-utils.h"
#include "qemu/timer.h"
+#include "config-host.h"
@ -59,7 +60,7 @@ index f1e0763..4f36b40 100644
/* Note: the long term plan is to reduce the dependencies on the QEMU
CPU definitions. Currently they are used for qemu_ld/st
@@ -117,6 +119,29 @@ const size_t tcg_op_defs_max = ARRAY_SIZE(tcg_op_defs);
@@ -123,6 +125,29 @@ const size_t tcg_op_defs_max = ARRAY_SIZE(tcg_op_defs);
static TCGRegSet tcg_target_available_regs[2];
static TCGRegSet tcg_target_call_clobber_regs;
@ -86,10 +87,10 @@ index f1e0763..4f36b40 100644
+#endif
+}
+
static inline void tcg_out8(TCGContext *s, uint8_t v)
#if TCG_TARGET_INSN_UNIT_SIZE == 1
static __attribute__((unused)) inline void tcg_out8(TCGContext *s, uint8_t v)
{
*s->code_ptr++ = v;
@@ -295,7 +320,8 @@ void tcg_context_init(TCGContext *s)
@@ -339,7 +364,8 @@ void tcg_context_init(TCGContext *s)
memset(s, 0, sizeof(*s));
s->nb_globals = 0;
@ -99,7 +100,7 @@ index f1e0763..4f36b40 100644
/* Count total number of arguments and allocate the corresponding
space */
total_args = 0;
@@ -2597,10 +2623,12 @@ int tcg_gen_code(TCGContext *s, uint8_t *gen_code_buf)
@@ -2560,10 +2586,12 @@ int tcg_gen_code(TCGContext *s, tcg_insn_unit *gen_code_buf)
}
#endif
@ -107,14 +108,14 @@ index f1e0763..4f36b40 100644
tcg_gen_code_common(s, gen_code_buf, -1);
/* flush instruction cache */
flush_icache_range((uintptr_t)gen_code_buf, (uintptr_t)s->code_ptr);
flush_icache_range((uintptr_t)s->code_buf, (uintptr_t)s->code_ptr);
+ tcg_unlock();
return s->code_ptr - gen_code_buf;
return tcg_current_code_size(s);
}
@@ -2611,7 +2639,11 @@ int tcg_gen_code(TCGContext *s, uint8_t *gen_code_buf)
Return -1 if not found. */
int tcg_gen_code_search_pc(TCGContext *s, uint8_t *gen_code_buf, long offset)
@@ -2575,7 +2603,11 @@ int tcg_gen_code(TCGContext *s, tcg_insn_unit *gen_code_buf)
int tcg_gen_code_search_pc(TCGContext *s, tcg_insn_unit *gen_code_buf,
long offset)
{
- return tcg_gen_code_common(s, gen_code_buf, offset);
+ int r;
@ -126,19 +127,18 @@ index f1e0763..4f36b40 100644
#ifdef CONFIG_PROFILER
diff --git a/tcg/tcg.h b/tcg/tcg.h
index f7efcb4..27a72f9 100644
index 997a704..1815965 100644
--- a/tcg/tcg.h
+++ b/tcg/tcg.h
@@ -54,6 +54,8 @@ typedef uint64_t tcg_target_ulong;
#error unsupported
#endif
@@ -27,6 +27,7 @@
+#include "config-host.h"
#include "qemu-common.h"
#include "qemu/bitops.h"
+#include "qemu/thread.h"
#include "tcg-runtime.h"
#include "tcg-target.h"
#if TCG_TARGET_NB_REGS <= 32
@@ -530,6 +532,7 @@ struct TCGContext {
/* Default target word size to pointer size. */
@@ -554,6 +555,7 @@ struct TCGContext {
/* The TCGBackendData structure is private to tcg-target.c. */
struct TCGBackendData *be;
@ -146,7 +146,7 @@ index f7efcb4..27a72f9 100644
};
extern TCGContext tcg_ctx;
@@ -707,6 +710,9 @@ void tcg_gen_shifti_i64(TCGv_i64 ret, TCGv_i64 arg1,
@@ -732,6 +734,9 @@ void tcg_gen_shifti_i64(TCGv_i64 ret, TCGv_i64 arg1,
TCGArg *tcg_optimize(TCGContext *s, uint16_t *tcg_opc_ptr, TCGArg *args,
TCGOpDef *tcg_op_def);

6
0018-linux-user-Run-multi-threaded-code-.patch
View File

@ -1,4 +1,4 @@
From ca45f1d446ca88675e85bf80f133d3d8d955dbf0 Mon Sep 17 00:00:00 2001
From 47197d2a2652f532971bba5fcfa9f51e7611f610 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 10 Jul 2012 20:40:55 +0200
Subject: [PATCH] linux-user: Run multi-threaded code on a single core
@ -19,10 +19,10 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
1 file changed, 9 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 4823aa0..ff5ed06 100644
index af0479e..0e0916d 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -4334,6 +4334,15 @@ static int do_fork(CPUArchState *env, unsigned int flags, abi_ulong newsp,
@@ -4401,6 +4401,15 @@ static int do_fork(CPUArchState *env, unsigned int flags, abi_ulong newsp,
if (nptl_flags & CLONE_SETTLS)
cpu_set_tls (new_env, newtls);

22
0019-linux-user-lock-tb-flushing-too.patch
View File

@ -1,4 +1,4 @@
From cba80a9dc1f00c65320122f6a9afe95cbf12fbab Mon Sep 17 00:00:00 2001
From 8396dc5e52755421126abb7fd7e39988a4e4947a Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 11 Jul 2012 16:47:42 +0200
Subject: [PATCH] linux-user: lock tb flushing too
@ -14,10 +14,10 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/translate-all.c b/translate-all.c
index 5759974..1abb87d 100644
index 8f7e11b..9b46934 100644
--- a/translate-all.c
+++ b/translate-all.c
@@ -619,19 +619,23 @@ static TranslationBlock *tb_alloc(target_ulong pc)
@@ -706,19 +706,23 @@ static TranslationBlock *tb_alloc(target_ulong pc)
{
TranslationBlock *tb;
@ -41,7 +41,7 @@ index 5759974..1abb87d 100644
/* In practice this is mostly used for single use temporary TB
Ignore the hard cases and just back up if this TB happens to
be the last one generated. */
@@ -640,6 +644,7 @@ void tb_free(TranslationBlock *tb)
@@ -727,6 +731,7 @@ void tb_free(TranslationBlock *tb)
tcg_ctx.code_gen_ptr = tb->tc_ptr;
tcg_ctx.tb_ctx.nb_tbs--;
}
@ -49,7 +49,7 @@ index 5759974..1abb87d 100644
}
static inline void invalidate_page_bitmap(PageDesc *p)
@@ -697,6 +702,7 @@ void tb_flush(CPUArchState *env1)
@@ -784,6 +789,7 @@ void tb_flush(CPUArchState *env1)
((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)) /
tcg_ctx.tb_ctx.nb_tbs : 0);
#endif
@ -57,7 +57,7 @@ index 5759974..1abb87d 100644
if ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)
> tcg_ctx.code_gen_buffer_size) {
cpu_abort(cpu, "Internal error: code buffer overflow\n");
@@ -714,6 +720,7 @@ void tb_flush(CPUArchState *env1)
@@ -801,6 +807,7 @@ void tb_flush(CPUArchState *env1)
/* XXX: flush processor icache at this point if cache flush is
expensive */
tcg_ctx.tb_ctx.tb_flush_count++;
@ -65,7 +65,7 @@ index 5759974..1abb87d 100644
}
#ifdef DEBUG_TB_CHECK
@@ -1022,8 +1029,10 @@ void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
@@ -1107,8 +1114,10 @@ void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
int current_flags = 0;
#endif /* TARGET_HAS_PRECISE_SMC */
@ -76,7 +76,7 @@ index 5759974..1abb87d 100644
return;
}
if (!p->code_bitmap &&
@@ -1116,6 +1125,7 @@ void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
@@ -1201,6 +1210,7 @@ void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
cpu_resume_from_signal(cpu, NULL);
}
#endif
@ -84,7 +84,7 @@ index 5759974..1abb87d 100644
}
/* len must be <= 8 and start must be a multiple of len */
@@ -1327,13 +1337,16 @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
@@ -1412,13 +1422,16 @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
{
int m_min, m_max, m;
uintptr_t v;
@ -102,7 +102,7 @@ index 5759974..1abb87d 100644
return NULL;
}
/* binary search (cf Knuth) */
@@ -1344,6 +1357,7 @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
@@ -1429,6 +1442,7 @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
tb = &tcg_ctx.tb_ctx.tbs[m];
v = (uintptr_t)tb->tc_ptr;
if (v == tc_ptr) {
@ -110,7 +110,7 @@ index 5759974..1abb87d 100644
return tb;
} else if (tc_ptr < v) {
m_max = m - 1;
@@ -1351,7 +1365,9 @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
@@ -1436,7 +1450,9 @@ static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
m_min = m + 1;
}
}

8
0020-linux-user-Fake-proc-cpuinfo.patch
View File

@ -1,4 +1,4 @@
From 761b115c27a0f900f519422e4a79573da3632f4a Mon Sep 17 00:00:00 2001
From c9e29d5cb3a6559b4a0b79905cd6c62835d21fdf Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 23 Jul 2012 10:24:14 +0200
Subject: [PATCH] linux-user: Fake /proc/cpuinfo
@ -22,10 +22,10 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 20 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index ff5ed06..8a78348 100644
index 0e0916d..573ea5f 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -5136,6 +5136,25 @@ static int open_self_stat(void *cpu_env, int fd)
@@ -5182,6 +5182,25 @@ static int open_self_stat(void *cpu_env, int fd)
return 0;
}
@ -51,7 +51,7 @@ index ff5ed06..8a78348 100644
static int open_self_auxv(void *cpu_env, int fd)
{
CPUState *cpu = ENV_GET_CPU((CPUArchState *)cpu_env);
@@ -5249,6 +5268,7 @@ static int do_open(void *cpu_env, const char *pathname, int flags, mode_t mode)
@@ -5296,6 +5315,7 @@ static int do_open(void *cpu_env, const char *pathname, int flags, mode_t mode)
#if defined(HOST_WORDS_BIGENDIAN) != defined(TARGET_WORDS_BIGENDIAN)
{ "/proc/net/route", open_net_route, is_proc },
#endif

10
0021-linux-user-implement-FS_IOC_GETFLAG.patch
View File

@ -1,4 +1,4 @@
From 36fc0fea8b44e3993088c6b9cab42db36fe1da76 Mon Sep 17 00:00:00 2001
From 57f28f99146803cd0c5d388e61889a83ec12b33f Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 20 Aug 2012 00:02:52 +0200
Subject: [PATCH] linux-user: implement FS_IOC_GETFLAGS ioctl
@ -16,10 +16,10 @@ v1 -> v2:
2 files changed, 3 insertions(+)
diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
index 2181ea3..a329fb0 100644
index 038a799..efbc970 100644
--- a/linux-user/ioctls.h
+++ b/linux-user/ioctls.h
@@ -88,6 +88,7 @@
@@ -89,6 +89,7 @@
IOCTL_SPECIAL(FS_IOC_FIEMAP, IOC_W | IOC_R, do_ioctl_fs_ioc_fiemap,
MK_PTR(MK_STRUCT(STRUCT_fiemap)))
#endif
@ -28,10 +28,10 @@ index 2181ea3..a329fb0 100644
IOCTL(SIOCATMARK, 0, TYPE_NULL)
IOCTL(SIOCGIFNAME, IOC_RW, MK_PTR(TYPE_INT))
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index dd6d041..2456d5b 100644
index 794215e..6146d79 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -2460,6 +2460,8 @@ struct target_f_owner_ex {
@@ -2467,6 +2467,8 @@ struct target_f_owner_ex {
#define TARGET_MTIOCGET TARGET_IOR('m', 2, struct mtget)
#define TARGET_MTIOCPOS TARGET_IOR('m', 3, struct mtpos)

10
0022-linux-user-implement-FS_IOC_SETFLAG.patch
View File

@ -1,4 +1,4 @@
From 8c00316b2996d0c2171032e58d7e21fd8af9bee1 Mon Sep 17 00:00:00 2001
From f89d1f32b6b97db2abda653a72d00a45c512d220 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 20 Aug 2012 00:07:13 +0200
Subject: [PATCH] linux-user: implement FS_IOC_SETFLAGS ioctl
@ -16,10 +16,10 @@ v1 -> v2
2 files changed, 2 insertions(+)
diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
index a329fb0..d76575c 100644
index efbc970..6be0048 100644
--- a/linux-user/ioctls.h
+++ b/linux-user/ioctls.h
@@ -89,6 +89,7 @@
@@ -90,6 +90,7 @@
MK_PTR(MK_STRUCT(STRUCT_fiemap)))
#endif
IOCTL(FS_IOC_GETFLAGS, IOC_R, MK_PTR(TYPE_LONG))
@ -28,10 +28,10 @@ index a329fb0..d76575c 100644
IOCTL(SIOCATMARK, 0, TYPE_NULL)
IOCTL(SIOCGIFNAME, IOC_RW, MK_PTR(TYPE_INT))
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index 2456d5b..03863a6 100644
index 6146d79..fc326dd 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -2461,6 +2461,7 @@ struct target_f_owner_ex {
@@ -2468,6 +2468,7 @@ struct target_f_owner_ex {
#define TARGET_MTIOCPOS TARGET_IOR('m', 3, struct mtpos)
#define TARGET_FS_IOC_GETFLAGS TARGET_IORU('f', 1)

6
0023-linux-user-XXX-disable-fiemap.patch
View File

@ -1,4 +1,4 @@
From fac2c74e7593b04a4fc45e0d40c06036f60ae75d Mon Sep 17 00:00:00 2001
From 3a9a8a733b3e394ead8a453705ed151e87bb743c Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 21 Aug 2012 14:20:40 +0200
Subject: [PATCH] linux-user: XXX disable fiemap
@ -9,10 +9,10 @@ agraf: fiemap breaks in libarchive. Disable it for now.
1 file changed, 5 insertions(+)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 8a78348..28a3d74 100644
index 573ea5f..28039c7 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -3188,6 +3188,11 @@ static abi_long do_ioctl_fs_ioc_fiemap(const IOCTLEntry *ie, uint8_t *buf_temp,
@@ -3246,6 +3246,11 @@ static abi_long do_ioctl_fs_ioc_fiemap(const IOCTLEntry *ie, uint8_t *buf_temp,
uint32_t outbufsz;
int free_fm = 0;

12
0024-slirp-nooutgoing.patch
View File

@ -1,4 +1,4 @@
From 871d3d13b54c6ba223b09953c50b762d0404cbec Mon Sep 17 00:00:00 2001
From 84fe61a504718a0b4dbdd66a9275dcf5b4427026 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 29 Aug 2012 18:42:56 +0200
Subject: [PATCH] slirp: -nooutgoing
@ -12,10 +12,10 @@ TBD (from SUSE Studio team)
4 files changed, 40 insertions(+)
diff --git a/qemu-options.hx b/qemu-options.hx
index 2d33815..62a1cfc 100644
index 9e54686..0a7247d 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2603,6 +2603,16 @@ Store the QEMU process PID in @var{file}. It is useful if you launch QEMU
@@ -2795,6 +2795,16 @@ Store the QEMU process PID in @var{file}. It is useful if you launch QEMU
from a script.
ETEXI
@ -97,10 +97,10 @@ index 7571c5a..0555e18 100644
socket_set_fast_reuse(s);
opt = 1;
diff --git a/vl.c b/vl.c
index 9975e5a..b18c815 100644
index 6e084c2..0e34d53 100644
--- a/vl.c
+++ b/vl.c
@@ -162,6 +162,7 @@ const char *vnc_display;
@@ -163,6 +163,7 @@ const char *vnc_display;
int acpi_enabled = 1;
int no_hpet = 0;
int fd_bootchk = 1;
@ -108,7 +108,7 @@ index 9975e5a..b18c815 100644
static int no_reboot;
int no_shutdown = 0;
int cursor_hide = 1;
@@ -3351,6 +3352,14 @@ int main(int argc, char **argv, char **envp)
@@ -3391,6 +3392,14 @@ int main(int argc, char **argv, char **envp)
case QEMU_OPTION_singlestep:
singlestep = 1;
break;

16
0025-vnc-password-file-and-incoming-conn.patch
View File

@ -1,4 +1,4 @@
From 955ef0968a268bcb6ef68b8788952546aed3a1dc Mon Sep 17 00:00:00 2001
From 5ac0412380823745654010b067fbce609efa4aa7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 29 Aug 2012 20:06:01 +0200
Subject: [PATCH] vnc: password-file= and incoming-connections=
@ -9,10 +9,10 @@ TBD (from SUSE Studio team)
1 file changed, 71 insertions(+)
diff --git a/ui/vnc.c b/ui/vnc.c
index 5925774..8445dd6 100644
index 548588a..ab03ee3 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -45,6 +45,7 @@ static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
@@ -47,6 +47,7 @@ static const struct timeval VNC_REFRESH_LOSSY = { 2, 0 };
#include "d3des.h"
static VncDisplay *vnc_display; /* needed for info vnc */
@ -20,7 +20,7 @@ index 5925774..8445dd6 100644
static int vnc_cursor_define(VncState *vs);
static void vnc_release_modifiers(VncState *vs);
@@ -1031,6 +1032,7 @@ static void vnc_disconnect_start(VncState *vs)
@@ -1037,6 +1038,7 @@ static void vnc_disconnect_start(VncState *vs)
void vnc_disconnect_finish(VncState *vs)
{
int i;
@ -28,7 +28,7 @@ index 5925774..8445dd6 100644
vnc_jobs_join(vs); /* Wait encoding jobs */
@@ -1079,6 +1081,13 @@ void vnc_disconnect_finish(VncState *vs)
@@ -1085,6 +1087,13 @@ void vnc_disconnect_finish(VncState *vs)
}
g_free(vs->lossy_rect);
g_free(vs);
@ -42,7 +42,7 @@ index 5925774..8445dd6 100644
}
int vnc_client_io_error(VncState *vs, int ret, int last_errno)
@@ -3041,6 +3050,39 @@ char *vnc_display_local_addr(DisplayState *ds)
@@ -3036,6 +3045,39 @@ char *vnc_display_local_addr(DisplayState *ds)
return vnc_socket_local_addr("%s:%s", vs->lsock);
}
@ -82,7 +82,7 @@ index 5925774..8445dd6 100644
void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
{
VncDisplay *vs = vnc_display;
@@ -3074,6 +3116,9 @@ void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
@@ -3069,6 +3111,9 @@ void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
while ((options = strchr(options, ','))) {
options++;
if (strncmp(options, "password", 8) == 0) {
@ -92,7 +92,7 @@ index 5925774..8445dd6 100644
if (fips_get_state()) {
error_setg(errp,
"VNC password auth disabled due to FIPS mode, "
@@ -3082,6 +3127,32 @@ void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
@@ -3077,6 +3122,32 @@ void vnc_display_open(DisplayState *ds, const char *display, Error **errp)
goto fail;
}
password = 1; /* Require password auth */

10
0026-linux-user-add-more-blk-ioctls.patch
View File

@ -1,4 +1,4 @@
From 6b62214c4bd34a4480814ac47449fab7c34305ed Mon Sep 17 00:00:00 2001
From 9abeb48be0c332c84f379455bd424f0fd58e79e0 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 10 Oct 2012 10:21:20 +0200
Subject: [PATCH] linux-user: add more blk ioctls
@ -13,10 +13,10 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
3 files changed, 27 insertions(+)
diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
index d76575c..ffd6d09 100644
index 6be0048..369224f 100644
--- a/linux-user/ioctls.h
+++ b/linux-user/ioctls.h
@@ -72,6 +72,24 @@
@@ -73,6 +73,24 @@
#ifdef BLKGETSIZE64
IOCTL(BLKGETSIZE64, IOC_R, MK_PTR(TYPE_ULONGLONG))
#endif
@ -42,10 +42,10 @@ index d76575c..ffd6d09 100644
IOCTL(BLKRASET, 0, TYPE_INT)
IOCTL(BLKRAGET, IOC_R, MK_PTR(TYPE_LONG))
diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
index 03863a6..2271d5f 100644
index fc326dd..853b903 100644
--- a/linux-user/syscall_defs.h
+++ b/linux-user/syscall_defs.h
@@ -913,6 +913,12 @@ struct target_pollfd {
@@ -920,6 +920,12 @@ struct target_pollfd {
#define TARGET_BLKGETSIZE64 TARGET_IOR(0x12,114,abi_ulong)
/* return device size in bytes
(u64 *arg) */

10
0027-linux-user-use-target_ulong.patch
View File

@ -1,4 +1,4 @@
From 9f8f18dc792d6c9e3fb661cb8543d0c09b342ac4 Mon Sep 17 00:00:00 2001
From 48296463c92ea6afe7eaaabc88ba8d75e910afae Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Tue, 9 Oct 2012 09:06:49 +0200
Subject: [PATCH] linux-user: use target_ulong
@ -17,10 +17,10 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index a2c4e35..6fd5e0c 100644
index e29c7f3..75b6558 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -189,10 +189,10 @@ abi_long memcpy_to_target(abi_ulong dest, const void *src,
@@ -190,10 +190,10 @@ abi_long memcpy_to_target(abi_ulong dest, const void *src,
void target_set_brk(abi_ulong new_brk);
abi_long do_brk(abi_ulong new_brk);
void syscall_init(void);
@ -36,10 +36,10 @@ index a2c4e35..6fd5e0c 100644
extern THREAD CPUState *thread_cpu;
void cpu_loop(CPUArchState *env);
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 28a3d74..a12a722 100644
index 28039c7..0c49a67 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -5395,10 +5395,10 @@ int syscall_restartable(int syscall_nr)
@@ -5447,10 +5447,10 @@ int syscall_restartable(int syscall_nr)
/* do_syscall() should always have a single exit point at the end so
that actions, such as logging of syscall results, can be performed.
All errnos that do_syscall() returns must be -TARGET_<errcode>. */

7
0028-block-Add-support-for-DictZip-enabl.patch
View File

@ -1,4 +1,4 @@
From 8b201b80c7957d04876330c37857b1ac4d8df21e Mon Sep 17 00:00:00 2001
From 6e08bfbccc8263bc5c9b619d19864723760e17dc Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 5 Aug 2009 09:49:37 +0200
Subject: [PATCH] block: Add support for DictZip enabled gzip files
@ -28,6 +28,7 @@ Signed-off-by: Tim Hardeck <thardeck@suse.de>
[AF: Error **errp added for bdrv_file_open, bdrv_delete -> bdrv_unref]
[AF: qemu_opts_create_nofail() -> qemu_opts_create(),
bdrv_file_open() -> bdrv_open(), based on work by brogers]
[AF: error_is_set() dropped for v2.1.0-rc0]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/Makefile.objs | 1 +
@ -49,7 +50,7 @@ index fd88c03..cbdddc0 100644
iscsi.o-libs := $(LIBISCSI_LIBS)
diff --git a/block/dictzip.c b/block/dictzip.c
new file mode 100644
index 0000000..a3629ab
index 0000000..36f1df0
--- /dev/null
+++ b/block/dictzip.c
@@ -0,0 +1,596 @@
@ -235,7 +236,7 @@ index 0000000..a3629ab
+
+ opts = qemu_opts_create(&runtime_opts, NULL, 0, &error_abort);
+ qemu_opts_absorb_qdict(opts, options, &local_err);
+ if (error_is_set(&local_err)) {
+ if (local_err != NULL) {
+ error_propagate(errp, local_err);
+ ret = -EINVAL;
+ goto fail;

7
0029-block-Add-tar-container-format.patch
View File

@ -1,4 +1,4 @@
From 9faf6837f5e436c6d2003e64cb4b44b90d234c72 Mon Sep 17 00:00:00 2001
From 448b9b9a09a26b30cdbc6afd9472ce07efc06e8c Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 5 Aug 2009 17:28:38 +0200
Subject: [PATCH] block: Add tar container format
@ -29,6 +29,7 @@ Signed-off-by: Tim Hardeck <thardeck@suse.de>
[AF: bdrv_file_open got an Error **errp argument, bdrv_delete -> brd_unref]
[AF: qemu_opts_create_nofail() -> qemu_opts_create(),
bdrv_file_open() -> bdrv_open(), based on work by brogers]
[AF: error_is_set() dropped for v2.1.0-rc0]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
block/Makefile.objs | 1 +
@ -50,7 +51,7 @@ index cbdddc0..e5b0326 100644
iscsi.o-libs := $(LIBISCSI_LIBS)
diff --git a/block/tar.c b/block/tar.c
new file mode 100644
index 0000000..a79cf5e
index 0000000..c2ab5fa
--- /dev/null
+++ b/block/tar.c
@@ -0,0 +1,386 @@
@ -234,7 +235,7 @@ index 0000000..a79cf5e
+
+ opts = qemu_opts_create(&runtime_opts, NULL, 0, &error_abort);
+ qemu_opts_absorb_qdict(opts, options, &local_err);
+ if (error_is_set(&local_err)) {
+ if (local_err != NULL) {
+ error_propagate(errp, local_err);
+ ret = -EINVAL;
+ goto fail;

4
0030-Legacy-Patch-kvm-qemu-preXX-dictzip.patch
View File

@ -1,4 +1,4 @@
From e26cff5986190a24dcc53d658da1fc8e7772338c Mon Sep 17 00:00:00 2001
From ccc7274accdbd66a581777e0dae3865ba86c2eed Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 12 Dec 2012 19:11:30 +0100
Subject: [PATCH] Legacy Patch kvm-qemu-preXX-dictzip3.patch
@ -8,7 +8,7 @@ Subject: [PATCH] Legacy Patch kvm-qemu-preXX-dictzip3.patch
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/block/tar.c b/block/tar.c
index a79cf5e..09fe1a6 100644
index c2ab5fa..ea2075d 100644
--- a/block/tar.c
+++ b/block/tar.c
@@ -83,7 +83,8 @@ static int str_ends(char *str, const char *end)

8
0031-Legacy-Patch-kvm-qemu-preXX-report-.patch
View File

@ -1,4 +1,4 @@
From e828d54e5b1ef01c620e1c761340cd73af785b6b Mon Sep 17 00:00:00 2001
From 7a6f8226cb5dd3540c80f852917b118a6b88d791 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Wed, 12 Dec 2012 19:11:31 +0100
Subject: [PATCH] Legacy Patch kvm-qemu-preXX-report-default-mac-used.patch
@ -8,10 +8,10 @@ Subject: [PATCH] Legacy Patch kvm-qemu-preXX-report-default-mac-used.patch
1 file changed, 22 insertions(+)
diff --git a/net/net.c b/net/net.c
index e3ef1e4..67396e7 100644
index 6d930ea..9656f3e 100644
--- a/net/net.c
+++ b/net/net.c
@@ -141,6 +141,27 @@ void qemu_format_nic_info_str(NetClientState *nc, uint8_t macaddr[6])
@@ -158,6 +158,27 @@ void qemu_format_nic_info_str(NetClientState *nc, uint8_t macaddr[6])
macaddr[3], macaddr[4], macaddr[5]);
}
@ -39,7 +39,7 @@ index e3ef1e4..67396e7 100644
void qemu_macaddr_default_if_unset(MACAddr *macaddr)
{
static int index = 0;
@@ -1251,6 +1272,7 @@ int net_init_clients(void)
@@ -1276,6 +1297,7 @@ int net_init_clients(void)
if (qemu_opts_foreach(net, net_init_client, NULL, 1) == -1) {
return -1;
}

6
0032-console-add-question-mark-escape-op.patch
View File

@ -1,4 +1,4 @@
From 1f6cee23194037e7c2601e7a728b7fa824f4d66f Mon Sep 17 00:00:00 2001
From a771dcb790eb622c0b023274c1b6b92743e71d0f Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Mon, 6 Jun 2011 06:53:52 +0200
Subject: [PATCH] console: add question-mark escape operator
@ -16,10 +16,10 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/console.c b/ui/console.c
index e057755..24413e8 100644
index ab84549..5d1f074 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -866,7 +866,7 @@ static void console_putchar(QemuConsole *s, int ch)
@@ -852,7 +852,7 @@ static void console_putchar(QemuConsole *s, int ch)
} else {
if (s->nb_esc_params < MAX_ESC_PARAMS)
s->nb_esc_params++;

10
0033-Make-char-muxer-more-robust-wrt-sma.patch
View File

@ -1,4 +1,4 @@
From e30f0e39abb8e5ad453333ac3dd0f6d7b270e045 Mon Sep 17 00:00:00 2001
From 111abb7150e0eaadfb338c82b86d4b65a171f9c6 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 1 Apr 2010 17:36:23 +0200
Subject: [PATCH] Make char muxer more robust wrt small FIFOs
@ -22,10 +22,10 @@ This patch fixes input when using -nographic on s390 for me.
1 file changed, 16 insertions(+)
diff --git a/qemu-char.c b/qemu-char.c
index 54ed244..cc6bfe8 100644
index 55e372c..d562dae 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -252,6 +252,9 @@ typedef struct {
@@ -311,6 +311,9 @@ typedef struct {
IOEventHandler *chr_event[MAX_MUX];
void *ext_opaque[MAX_MUX];
CharDriverState *drv;
@ -35,7 +35,7 @@ index 54ed244..cc6bfe8 100644
int focus;
int mux_cnt;
int term_got_escape;
@@ -408,6 +411,15 @@ static void mux_chr_accept_input(CharDriverState *chr)
@@ -470,6 +473,15 @@ static void mux_chr_accept_input(CharDriverState *chr)
d->chr_read[m](d->ext_opaque[m],
&d->buffer[m][d->cons[m]++ & MUX_BUFFER_MASK], 1);
}
@ -51,7 +51,7 @@ index 54ed244..cc6bfe8 100644
}
static int mux_chr_can_read(void *opaque)
@@ -530,6 +542,10 @@ static CharDriverState *qemu_chr_open_mux(CharDriverState *drv)
@@ -598,6 +610,10 @@ static CharDriverState *qemu_chr_open_mux(CharDriverState *drv)
chr->opaque = d;
d->drv = drv;
d->focus = -1;

6
0034-linux-user-lseek-explicitly-cast-no.patch
View File

@ -1,4 +1,4 @@
From f222ce0d5af1eb8258e84d6fcd8ab89a85131a21 Mon Sep 17 00:00:00 2001
From d7412d16a40cda2130de7e9b041bff4553ef493a Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@suse.de>
Date: Thu, 13 Dec 2012 14:29:22 +0100
Subject: [PATCH] linux-user: lseek: explicitly cast non-set offsets to signed
@ -16,10 +16,10 @@ Signed-off-by: Alexander Graf <agraf@suse.de>
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index a12a722..d1f8b3d 100644
index 0c49a67..c69f724 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -5709,9 +5709,14 @@ abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
@@ -5761,9 +5761,14 @@ abi_long do_syscall(void *cpu_env, int num, abi_ulong arg1,
case TARGET_NR_oldstat:
goto unimplemented;
#endif

4
0035-virtfs-proxy-helper-Provide-__u64-f.patch
View File

@ -1,4 +1,4 @@
From 52b3782f6ec265abbd8704d4999940e2161819d5 Mon Sep 17 00:00:00 2001
From e771a11f28c3d6ff68a8d0f804ffeb1d807240b0 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Thu, 16 May 2013 12:39:10 +0200
Subject: [PATCH] virtfs-proxy-helper: Provide __u64 for broken
@ -12,7 +12,7 @@ Fixes the build on SLE 11 SP2.
1 file changed, 7 insertions(+)
diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
index bfecb87..79ab9c8 100644
index cd291d3..7d7aa67 100644
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
@@ -9,6 +9,13 @@

6
0036-configure-Enable-PIE-for-ppc-and-pp.patch
View File

@ -1,4 +1,4 @@
From c5ce0620bff591f2c344771e75447d602212c6f0 Mon Sep 17 00:00:00 2001
From 1e35b0409716fd2364ca25889801ea28299eeff1 Mon Sep 17 00:00:00 2001
From: Dinar Valeev <k0da@opensuse.org>
Date: Wed, 2 Oct 2013 17:56:03 +0200
Subject: [PATCH] configure: Enable PIE for ppc and ppc64 hosts
@ -14,10 +14,10 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure b/configure
index 69b9f56..21523908 100755
index 7dd43fd..99f8a37 100755
--- a/configure
+++ b/configure
@@ -1487,7 +1487,7 @@ fi
@@ -1531,7 +1531,7 @@ fi
if test "$pie" = ""; then
case "$cpu-$targetos" in

6
0038-tests-Don-t-run-qom-test-twice.patch → 0037-tests-Don-t-run-qom-test-twice.patch
View File

@ -1,4 +1,4 @@
From 857545e61d741cc4f439f98c5e93210b7fa09577 Mon Sep 17 00:00:00 2001
From d78b797a58584419bdfabaebe79322a246790dff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Mon, 7 Apr 2014 16:03:08 +0200
Subject: [PATCH] tests: Don't run qom-test twice
@ -19,10 +19,10 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/Makefile b/tests/Makefile
index 88f7105..8f2b018 100644
index 1fcd633..7c0253b 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -162,7 +162,9 @@ check-qtest-microblazeel-y = $(check-qtest-microblaze-y)
@@ -184,7 +184,9 @@ check-qtest-microblazeel-y = $(check-qtest-microblaze-y)
check-qtest-xtensaeb-y = $(check-qtest-xtensa-y)
# qom-test works for all sysemu architectures:

133
0037-xen_disk-add-discard-support.patch
View File

@ -1,133 +0,0 @@
From 1798372872568aa5d3fd50c8d01ba658082a8711 Mon Sep 17 00:00:00 2001
From: Olaf Hering <olaf@aepfle.de>
Date: Thu, 30 Jan 2014 16:02:18 +0100
Subject: [PATCH] xen_disk: add discard support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Implement discard support for xen_disk. It makes use of the existing
discard code in qemu.
The discard support is enabled unconditionally. The tool stack may provide a
property "discard-enable" in the backend node to optionally disable discard
support. This is helpful in case the backing file was intentionally created
non-sparse to avoid fragmentation.
Signed-off-by: Olaf Hering <olaf@aepfle.de>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/block/xen_blkif.h | 12 ++++++++++++
hw/block/xen_disk.c | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 46 insertions(+)
diff --git a/hw/block/xen_blkif.h b/hw/block/xen_blkif.h
index c0f4136..711b692 100644
--- a/hw/block/xen_blkif.h
+++ b/hw/block/xen_blkif.h
@@ -79,6 +79,12 @@ static inline void blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_reque
dst->handle = src->handle;
dst->id = src->id;
dst->sector_number = src->sector_number;
+ if (src->operation == BLKIF_OP_DISCARD) {
+ struct blkif_request_discard *s = (void *)src;
+ struct blkif_request_discard *d = (void *)dst;
+ d->nr_sectors = s->nr_sectors;
+ return;
+ }
if (n > src->nr_segments)
n = src->nr_segments;
for (i = 0; i < n; i++)
@@ -94,6 +100,12 @@ static inline void blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_reque
dst->handle = src->handle;
dst->id = src->id;
dst->sector_number = src->sector_number;
+ if (src->operation == BLKIF_OP_DISCARD) {
+ struct blkif_request_discard *s = (void *)src;
+ struct blkif_request_discard *d = (void *)dst;
+ d->nr_sectors = s->nr_sectors;
+ return;
+ }
if (n > src->nr_segments)
n = src->nr_segments;
for (i = 0; i < n; i++)
diff --git a/hw/block/xen_disk.c b/hw/block/xen_disk.c
index bc061e6..989a90f 100644
--- a/hw/block/xen_disk.c
+++ b/hw/block/xen_disk.c
@@ -114,6 +114,7 @@ struct XenBlkDev {
int requests_finished;
/* Persistent grants extension */
+ gboolean feature_discard;
gboolean feature_persistent;
GTree *persistent_gnts;
unsigned int persistent_gnt_count;
@@ -253,6 +254,8 @@ static int ioreq_parse(struct ioreq *ioreq)
case BLKIF_OP_WRITE:
ioreq->prot = PROT_READ; /* from memory */
break;
+ case BLKIF_OP_DISCARD:
+ return 0;
default:
xen_be_printf(&blkdev->xendev, 0, "error: unknown operation (%d)\n",
ioreq->req.operation);
@@ -532,6 +535,17 @@ static int ioreq_runio_qemu_aio(struct ioreq *ioreq)
&ioreq->v, ioreq->v.size / BLOCK_SIZE,
qemu_aio_complete, ioreq);
break;
+ case BLKIF_OP_DISCARD:
+ {
+ struct blkif_request_discard *discard_req = (void *)&ioreq->req;
+ bdrv_acct_start(blkdev->bs, &ioreq->acct,
+ discard_req->nr_sectors * BLOCK_SIZE, BDRV_ACCT_WRITE);
+ ioreq->aio_inflight++;
+ bdrv_aio_discard(blkdev->bs,
+ discard_req->sector_number, discard_req->nr_sectors,
+ qemu_aio_complete, ioreq);
+ break;
+ }
default:
/* unknown operation (shouldn't happen -- parse catches this) */
goto err;
@@ -710,6 +724,21 @@ static void blk_alloc(struct XenDevice *xendev)
}
}
+static void blk_parse_discard(struct XenBlkDev *blkdev)
+{
+ int enable;
+
+ blkdev->feature_discard = true;
+
+ if (xenstore_read_be_int(&blkdev->xendev, "discard-enable", &enable) == 0) {
+ blkdev->feature_discard = !!enable;
+ }
+
+ if (blkdev->feature_discard) {
+ xenstore_write_be_int(&blkdev->xendev, "feature-discard", 1);
+ }
+}
+
static int blk_init(struct XenDevice *xendev)
{
struct XenBlkDev *blkdev = container_of(xendev, struct XenBlkDev, xendev);
@@ -777,6 +806,8 @@ static int blk_init(struct XenDevice *xendev)
xenstore_write_be_int(&blkdev->xendev, "feature-persistent", 1);
xenstore_write_be_int(&blkdev->xendev, "info", info);
+ blk_parse_discard(blkdev);
+
g_free(directiosafe);
return 0;
@@ -812,6 +843,9 @@ static int blk_connect(struct XenDevice *xendev)
qflags |= BDRV_O_RDWR;
readonly = false;
}
+ if (blkdev->feature_discard) {
+ qflags |= BDRV_O_UNMAP;
+ }
/* init qemu block driver */
index = (blkdev->xendev.dev - 202 * 256) / 16;

8
0041-qtest-Increase-socket-timeout.patch → 0038-qtest-Increase-socket-timeout.patch
View File

@ -1,4 +1,4 @@
From 1126af0e6664e58a5e6e2280f6d61bb829099444 Mon Sep 17 00:00:00 2001
From c71486ca826cfb0455aed9df5f298d3ea163cf7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Thu, 17 Apr 2014 18:39:10 +0200
Subject: [PATCH] qtest: Increase socket timeout
@ -14,11 +14,11 @@ Signed-off-by: Andreas Färber <afaerber@suse.de>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/libqtest.c b/tests/libqtest.c
index 4b90d91..18efcf2 100644
index 98e8f4b..393e99e 100644
--- a/tests/libqtest.c
+++ b/tests/libqtest.c
@@ -34,7 +34,7 @@
#include "qapi/qmp/json-parser.h"
@@ -35,7 +35,7 @@
#include "qapi/qmp/qjson.h"
#define MAX_IRQ 256
-#define SOCKET_TIMEOUT 5

2
0071-module-Simplify-module_load.patch → 0039-module-Simplify-module_load.patch
View File

@ -1,4 +1,4 @@
From 212b80fa19390023a809068c5d282e2994bd98bc Mon Sep 17 00:00:00 2001
From d0fb6e15c8620851d728e67e1cb3b02b9ba07c1e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Fri, 20 Jun 2014 16:46:50 +0200
Subject: [PATCH] module: Simplify module_load()

27
0039-qtest-Assure-that-init_socket-s-lis.patch
View File

@ -1,27 +0,0 @@
From c58810a9fe080ce5358ab670b6d4abe1202e63a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Thu, 17 Apr 2014 18:19:14 +0200
Subject: [PATCH] qtest: Assure that init_socket()'s listen() does not fail
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
tests/libqtest.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/libqtest.c b/tests/libqtest.c
index 8155695..232f781 100644
--- a/tests/libqtest.c
+++ b/tests/libqtest.c
@@ -72,7 +72,8 @@ static int init_socket(const char *socket_path)
ret = bind(sock, (struct sockaddr *)&addr, sizeof(addr));
} while (ret == -1 && errno == EINTR);
g_assert_no_errno(ret);
- listen(sock, 1);
+ ret = listen(sock, 1);
+ g_assert_no_errno(ret);
return sock;
}

2
0072-module-Don-t-complain-when-a-module.patch → 0040-module-Don-t-complain-when-a-module.patch
View File

@ -1,4 +1,4 @@
From 14cd25c73de420d01acd3f0691e1d663dcf3eca9 Mon Sep 17 00:00:00 2001
From 6b2580c25ef053a053af27b393a128ec552a4081 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Fri, 20 Jun 2014 17:54:51 +0200
Subject: [PATCH] module: Don't complain when a module is absent

27
0040-qtest-Add-error-reporting-to-socket.patch
View File

@ -1,27 +0,0 @@
From 19fed6c601938b60dafb004f7194ff4e86def6f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Thu, 17 Apr 2014 18:38:25 +0200
Subject: [PATCH] qtest: Add error reporting to socket_accept()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
tests/libqtest.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tests/libqtest.c b/tests/libqtest.c
index 232f781..4b90d91 100644
--- a/tests/libqtest.c
+++ b/tests/libqtest.c
@@ -93,6 +93,9 @@ static int socket_accept(int sock)
do {
ret = accept(sock, (struct sockaddr *)&addr, &addrlen);
} while (ret == -1 && errno == EINTR);
+ if (ret == -1) {
+ fprintf(stderr, "%s failed: %s\n", __func__, strerror(errno));
+ }
close(sock);
return ret;

50
0041-tests-Fix-unterminated-string-outpu.patch Normal file
View File

@ -0,0 +1,50 @@
From 8dea7848783572c41b08817d269305ddec5d0dc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Wed, 9 Jul 2014 21:21:00 +0200
Subject: [PATCH] tests: Fix unterminated string output visitor enum human
string
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The buffer was being allocated of size string length plus two.
Around the string two quotes were being added, but no terminating NUL.
It was then compared using g_assert_cmpstr(), resulting in fairly random
assertion failures:
ERROR:tests/test-string-output-visitor.c:213:test_visitor_out_enum: assertion failed (str == str_human): ("\"value1\"" == "\"value1\"\001EEEEEEEEEEEEEE\0171")
There is no g_assert_cmpnstr() counterpart, so use g_strdup_printf()
for safely assembling the string in the first place.
Cc: Hu Tao <hutao@cn.fujitsu.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Suggested-by: Eric Blake <eblake@redhat.com>
Fixes: b4900c0 tests: add human format test for string output visitor
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
tests/test-string-output-visitor.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/tests/test-string-output-visitor.c b/tests/test-string-output-visitor.c
index e89e43c..101fb27 100644
--- a/tests/test-string-output-visitor.c
+++ b/tests/test-string-output-visitor.c
@@ -196,16 +196,11 @@ static void test_visitor_out_enum(TestOutputVisitorData *data,
for (i = 0; i < ENUM_ONE_MAX; i++) {
char *str_human;
- int len;
visit_type_EnumOne(data->ov, &i, "unused", &err);
g_assert(!err);
- len = strlen(EnumOne_lookup[i]) + 2;
- str_human = g_malloc0(len);
- str_human[0] = '"';
- strncpy(str_human + 1, EnumOne_lookup[i], strlen(EnumOne_lookup[i]));
- str_human[len - 1] = '"';
+ str_human = g_strdup_printf("\"%s\"", EnumOne_lookup[i]);
str = string_output_get_string(data->sov);
g_assert(str != NULL);

89
0042-libqos-Fix-PC-PCI-endianness-glitch.patch Normal file
View File

@ -0,0 +1,89 @@
From 135f7b84cae0986aa804933f18c4e1f9ab34fe63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Thu, 10 Jul 2014 15:55:04 +0200
Subject: [PATCH] libqos: Fix PC PCI endianness glitches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The libqos implementation of io_read{b,w,l} and io_write{b,w,l} hooks
was relying on qtest_mem{read,write}() respectively. With d81d410 (usb:
improve ehci/uhci test) this resulted in assertion failures on ppc hosts:
ERROR:tests/usb-hcd-ehci-test.c:78:ehci_port_test: assertion failed: ((value & mask) == (expect & mask))
ERROR:tests/usb-hcd-ehci-test.c:128:pci_uhci_port_2: assertion failed: (pcibus != NULL)
ERROR:tests/usb-hcd-ehci-test.c:150:pci_ehci_port_2: assertion failed: (pcibus != NULL)
qtest_read{b,w,l,q}() and qtest_write{b,w,l,q}() had been introduced
as endian-safe replacement for qtest_mem{read,write}() in I2C in
872536b (qtest: Add MMIO support). Use them for PCI as well.
Cc: Anthony Liguori <aliguori@amazon.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Fixes: c4efe1c qtest: add libqos including PCI support
Fixes: d81d410 usb: improve ehci/uhci test
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
tests/libqos/pci-pc.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/tests/libqos/pci-pc.c b/tests/libqos/pci-pc.c
index bf741a4..4adf400 100644
--- a/tests/libqos/pci-pc.c
+++ b/tests/libqos/pci-pc.c
@@ -41,7 +41,7 @@ static uint8_t qpci_pc_io_readb(QPCIBus *bus, void *addr)
if (port < 0x10000) {
value = inb(port);
} else {
- memread(port, &value, sizeof(value));
+ value = readb(port);
}
return value;
@@ -55,7 +55,7 @@ static uint16_t qpci_pc_io_readw(QPCIBus *bus, void *addr)
if (port < 0x10000) {
value = inw(port);
} else {
- memread(port, &value, sizeof(value));
+ value = readw(port);
}
return value;
@@ -69,7 +69,7 @@ static uint32_t qpci_pc_io_readl(QPCIBus *bus, void *addr)
if (port < 0x10000) {
value = inl(port);
} else {
- memread(port, &value, sizeof(value));
+ value = readl(port);
}
return value;
@@ -82,7 +82,7 @@ static void qpci_pc_io_writeb(QPCIBus *bus, void *addr, uint8_t value)
if (port < 0x10000) {
outb(port, value);
} else {
- memwrite(port, &value, sizeof(value));
+ writeb(port, value);
}
}
@@ -93,7 +93,7 @@ static void qpci_pc_io_writew(QPCIBus *bus, void *addr, uint16_t value)
if (port < 0x10000) {
outw(port, value);
} else {
- memwrite(port, &value, sizeof(value));
+ writew(port, value);
}
}
@@ -104,7 +104,7 @@ static void qpci_pc_io_writel(QPCIBus *bus, void *addr, uint32_t value)
if (port < 0x10000) {
outl(port, value);
} else {
- memwrite(port, &value, sizeof(value));
+ writel(port, value);
}
}

29
0042-qtest-Be-paranoid-about-accept-addr.patch
View File

@ -1,29 +0,0 @@
From 9938d82cc9cc5ae82283bea7a24ff45d08690e27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= <afaerber@suse.de>
Date: Thu, 17 Apr 2014 19:21:12 +0200
Subject: [PATCH] qtest: Be paranoid about accept() addrlen argument
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If EINTR occurs, re-initialize our argument.
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
tests/libqtest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/libqtest.c b/tests/libqtest.c
index 18efcf2..1eb9db6 100644
--- a/tests/libqtest.c
+++ b/tests/libqtest.c
@@ -89,8 +89,8 @@ static int socket_accept(int sock)
setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, (void *)&timeout,
sizeof(timeout));
- addrlen = sizeof(addr);
do {
+ addrlen = sizeof(addr);
ret = accept(sock, (struct sockaddr *)&addr, &addrlen);
} while (ret == -1 && errno == EINTR);
if (ret == -1) {

101
0043-arm-translate.c-Fix-smlald-Instruct.patch
View File

@ -1,101 +0,0 @@
From 0fb8a7de8e8013362922d802db7eda5f9bf37766 Mon Sep 17 00:00:00 2001
From: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Date: Wed, 16 Apr 2014 20:20:52 -0700
Subject: [PATCH] arm: translate.c: Fix smlald Instruction
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The smlald (and probably smlsld) instruction was doing incorrect sign
extensions of the operands amongst 64bit result calculation. The
instruction psuedo-code is:
operand2 = if m_swap then ROR(R[m],16) else R[m];
product1 = SInt(R[n]<15:0>) * SInt(operand2<15:0>);
product2 = SInt(R[n]<31:16>) * SInt(operand2<31:16>);
result = product1 + product2 + SInt(R[dHi]:R[dLo]);
R[dHi] = result<63:32>;
R[dLo] = result<31:0>;
The result calculation should be done in 64 bit arithmetic, and hence
product1 and product2 should be sign extended to 64b before calculation.
The current implementation was adding product1 and product2 together
then sign-extending the intermediate result leading to false negatives.
E.G. if product1 = product2 = 0x4000000, their sum = 0x80000000, which
will be incorrectly interpreted as -ve on sign extension.
We fix by doing the 64b extensions on both product1 and product2 before
any addition/subtraction happens.
We also fix where we were possibly incorrectly setting the Q saturation
flag for SMLSLD, which the ARM ARM specifically says is not set.
Reported-by: Christina Smith <christina.smith@xilinx.com>
Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 2cddb6f5a15be4ab8d2160f3499d128ae93d304d.1397704570.git.peter.crosthwaite@xilinx.com
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 33bbd75a7c3321432fe40a8cbacd64619c56138c)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
target-arm/translate.c | 34 +++++++++++++++++++++++-----------
1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/target-arm/translate.c b/target-arm/translate.c
index 56e3b4b..0335f10 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -8328,27 +8328,39 @@ static void disas_arm_insn(CPUARMState * env, DisasContext *s)
if (insn & (1 << 5))
gen_swap_half(tmp2);
gen_smul_dual(tmp, tmp2);
- if (insn & (1 << 6)) {
- /* This subtraction cannot overflow. */
- tcg_gen_sub_i32(tmp, tmp, tmp2);
- } else {
- /* This addition cannot overflow 32 bits;
- * however it may overflow considered as a signed
- * operation, in which case we must set the Q flag.
- */
- gen_helper_add_setq(tmp, cpu_env, tmp, tmp2);
- }
- tcg_temp_free_i32(tmp2);
if (insn & (1 << 22)) {
/* smlald, smlsld */
+ TCGv_i64 tmp64_2;
+
tmp64 = tcg_temp_new_i64();
+ tmp64_2 = tcg_temp_new_i64();
tcg_gen_ext_i32_i64(tmp64, tmp);
+ tcg_gen_ext_i32_i64(tmp64_2, tmp2);
tcg_temp_free_i32(tmp);
+ tcg_temp_free_i32(tmp2);
+ if (insn & (1 << 6)) {
+ tcg_gen_sub_i64(tmp64, tmp64, tmp64_2);
+ } else {
+ tcg_gen_add_i64(tmp64, tmp64, tmp64_2);
+ }
+ tcg_temp_free_i64(tmp64_2);
gen_addq(s, tmp64, rd, rn);
gen_storeq_reg(s, rd, rn, tmp64);
tcg_temp_free_i64(tmp64);
} else {
/* smuad, smusd, smlad, smlsd */
+ if (insn & (1 << 6)) {
+ /* This subtraction cannot overflow. */
+ tcg_gen_sub_i32(tmp, tmp, tmp2);
+ } else {
+ /* This addition cannot overflow 32 bits;
+ * however it may overflow considered as a
+ * signed operation, in which case we must set
+ * the Q flag.
+ */
+ gen_helper_add_setq(tmp, cpu_env, tmp, tmp2);
+ }
+ tcg_temp_free_i32(tmp2);
if (rd != 15)
{
tmp2 = load_reg(s, rd);

33
0043-qtest-fix-vhost-user-test-compilati.patch Normal file
View File

@ -0,0 +1,33 @@
From 97f277e21ed2aa01d23a960ec499f3b12ec18ed5 Mon Sep 17 00:00:00 2001
From: Nikolay Nikolaev <n.nikolaev@virtualopensystems.com>
Date: Wed, 9 Jul 2014 18:06:32 +0300
Subject: [PATCH] qtest: fix vhost-user-test compilation with old GLib
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Mising G_TIME_SPAN_SECOND definition breaks the RHEL6 compilation as GLib
version before 2.26 does not have it. In such case just define it.
Reported-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Nikolay Nikolaev <n.nikolaev@virtualopensystems.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
tests/vhost-user-test.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tests/vhost-user-test.c b/tests/vhost-user-test.c
index 2af2381..406ba70 100644
--- a/tests/vhost-user-test.c
+++ b/tests/vhost-user-test.c
@@ -22,6 +22,10 @@
#include <qemu/sockets.h>
/* GLIB version compatibility flags */
+#if !GLIB_CHECK_VERSION(2, 26, 0)
+#define G_TIME_SPAN_SECOND (G_GINT64_CONSTANT(1000000))
+#endif
+
#if GLIB_CHECK_VERSION(2, 28, 0)
#define HAVE_MONOTONIC_TIME
#endif

36
0044-target-arm-A64-fix-unallocated-test.patch
View File

@ -1,36 +0,0 @@
From de439482d4ed1db0f0f5837c98abc46f0a579ba0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alex=20Benn=C3=A9e?= <alex.bennee@linaro.org>
Date: Wed, 16 Apr 2014 12:29:39 +0100
Subject: [PATCH] target-arm: A64: fix unallocated test of scalar SQXTUN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The test for the U bit was incorrectly inverted in the scalar case of SQXTUN.
This doesn't affect the vector case as the U bit is used to select XTN(2).
Reported-by: Hao Liu <hao.liu@arm.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Claudio Fontana <claudio.fontana@huawei.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit e44a90c59697cf98e05619fbb6f77a403d347495)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
target-arm/translate-a64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target-arm/translate-a64.c b/target-arm/translate-a64.c
index 9175e48..a780366 100644
--- a/target-arm/translate-a64.c
+++ b/target-arm/translate-a64.c
@@ -7455,7 +7455,7 @@ static void disas_simd_scalar_two_reg_misc(DisasContext *s, uint32_t insn)
}
break;
case 0x12: /* SQXTUN */
- if (u) {
+ if (!u) {
unallocated_encoding(s);
return;
}

58
0045-tcg-ppc64-Support-the-ELFv2-ABI.patch
View File

@ -1,58 +0,0 @@
From 243f0e345cce28c1f93444de33fe7981efdac6dd Mon Sep 17 00:00:00 2001
From: Ulrich Weigand <uweigand@de.ibm.com>
Date: Tue, 22 Apr 2014 18:26:15 +0200
Subject: [PATCH] tcg-ppc64: Support the ELFv2 ABI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The new ELFv2 ABI, used by default on powerpc64le-linux hosts,
introduced some changes that are incompatible with code currently
generated by the ppc64 TGC target. In particular, we no longer
use function descriptors.
This patch adds support for the ELFv2 ABI in the ppc64 TGC
function call and function prologue sequences.
Signed-off-by: Ulrich Weigand <ulrich.weigand@de.ibm.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
tcg/ppc64/tcg-target.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/tcg/ppc64/tcg-target.c b/tcg/ppc64/tcg-target.c
index 06e440f..4ef4838 100644
--- a/tcg/ppc64/tcg-target.c
+++ b/tcg/ppc64/tcg-target.c
@@ -717,6 +717,22 @@ static void tcg_out_call(TCGContext *s, tcg_target_long arg, int const_arg)
tcg_out32(s, MTSPR | RS(arg) | LR);
tcg_out32(s, BCLR | BO_ALWAYS | LK);
}
+#elif _CALL_ELF == 2
+ /* In the ELFv2 ABI, we do not need to set up the TOC pointer in r2,
+ but instead we have to set up r12 to contain the destination address
+ when performing an indirect call. */
+ TCGReg reg = arg;
+ if (const_arg) {
+ /* FIXME: we could use bl if we knew that the destination uses
+ the same TOC, and what its local entry point offset is.
+ For now, always perform an indirect call. */
+ tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_R12, arg);
+ reg = TCG_REG_R12;
+ } else {
+ tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_R12, arg);
+ }
+ tcg_out32(s, MTSPR | RS(reg) | CTR);
+ tcg_out32(s, BCCTR | BO_ALWAYS | LK);
#else
TCGReg reg = arg;
int ofs = 0;
@@ -1112,7 +1128,7 @@ static void tcg_target_qemu_prologue(TCGContext *s)
REG_SAVE_BOT - CPU_TEMP_BUF_NLONGS * sizeof(long),
CPU_TEMP_BUF_NLONGS * sizeof(long));
-#ifndef __APPLE__
+#if !defined(__APPLE__) && _CALL_ELF != 2
/* First emit adhoc function descriptor */
tcg_out64(s, (uint64_t)s->code_ptr + 24); /* entry point */
s->code_ptr += 16; /* skip TOC and environment pointer */

61
0046-vmstate-add-VMS_MUST_EXIST.patch
View File

@ -1,61 +0,0 @@
From 52c324d64cd57ad37b25ebc5f4df31b33901d03b Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:50:31 +0300
Subject: [PATCH] vmstate: add VMS_MUST_EXIST
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Can be used to verify a required field exists or validate
state in some other way.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5bf81c8d63db0216a4d29dc87f9ce530bb791dd1)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
include/migration/vmstate.h | 1 +
vmstate.c | 10 ++++++++++
2 files changed, 11 insertions(+)
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index e7e1705..de970ab 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -100,6 +100,7 @@ enum VMStateFlags {
VMS_MULTIPLY = 0x200, /* multiply "size" field by field_size */
VMS_VARRAY_UINT8 = 0x400, /* Array with size in uint8_t field*/
VMS_VARRAY_UINT32 = 0x800, /* Array with size in uint32_t field*/
+ VMS_MUST_EXIST = 0x1000, /* Field must exist in input */
};
typedef struct {
diff --git a/vmstate.c b/vmstate.c
index b689f2f..d856319 100644
--- a/vmstate.c
+++ b/vmstate.c
@@ -78,6 +78,10 @@ int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd,
return ret;
}
}
+ } else if (field->flags & VMS_MUST_EXIST) {
+ fprintf(stderr, "Input validation failed: %s/%s\n",
+ vmsd->name, field->name);
+ return -1;
}
field++;
}
@@ -138,6 +142,12 @@ void vmstate_save_state(QEMUFile *f, const VMStateDescription *vmsd,
field->info->put(f, addr, size);
}
}
+ } else {
+ if (field->flags & VMS_MUST_EXIST) {
+ fprintf(stderr, "Output state validation failed: %s/%s\n",
+ vmsd->name, field->name);
+ assert(!(field->flags & VMS_MUST_EXIST));
+ }
}
field++;
}

37
0047-vmstate-add-VMSTATE_VALIDATE.patch
View File

@ -1,37 +0,0 @@
From e258560116c8413cd5c52af69ab73dc82142dae9 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:50:35 +0300
Subject: [PATCH] vmstate: add VMSTATE_VALIDATE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 4082f0889ba04678fc14816c53e1b9251ea9207e)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
include/migration/vmstate.h | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index de970ab..5b71370 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -204,6 +204,14 @@ extern const VMStateInfo vmstate_info_bitmap;
.offset = vmstate_offset_value(_state, _field, _type), \
}
+/* Validate state using a boolean predicate. */
+#define VMSTATE_VALIDATE(_name, _test) { \
+ .name = (_name), \
+ .field_exists = (_test), \
+ .flags = VMS_ARRAY | VMS_MUST_EXIST, \
+ .num = 0, /* 0 elements: no data, only run _test */ \
+}
+
#define VMSTATE_POINTER(_field, _state, _version, _info, _type) { \
.name = (stringify(_field)), \
.version_id = (_version), \

64
0048-virtio-net-fix-buffer-overflow-on-i.patch
View File

@ -1,64 +0,0 @@
From e3f320a759052a77b4da97618a94f8adcb0a6490 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:50:39 +0300
Subject: [PATCH] virtio-net: fix buffer overflow on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4148 QEMU 1.0 integer conversion in
virtio_net_load()@hw/net/virtio-net.c
Deals with loading a corrupted savevm image.
> n->mac_table.in_use = qemu_get_be32(f);
in_use is int so it can get negative when assigned 32bit unsigned value.
> /* MAC_TABLE_ENTRIES may be different from the saved image */
> if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
passing this check ^^^
> qemu_get_buffer(f, n->mac_table.macs,
> n->mac_table.in_use * ETH_ALEN);
with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example 0x81000000
satisfies this condition when ETH_ALEN is 6.
Fix it by making the value unsigned.
For consistency, change first_multi as well.
Note: all call sites were audited to confirm that
making them unsigned didn't cause any issues:
it turns out we actually never do math on them,
so it's easy to validate because both values are
always <= MAC_TABLE_ENTRIES.
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 71f7fe48e10a8437c9d42d859389f37157f59980)
[AF: BNC#864812]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
include/hw/virtio/virtio-net.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/hw/virtio/virtio-net.h b/include/hw/virtio/virtio-net.h
index df60f16..4b32440 100644
--- a/include/hw/virtio/virtio-net.h
+++ b/include/hw/virtio/virtio-net.h
@@ -176,8 +176,8 @@ typedef struct VirtIONet {
uint8_t nobcast;
uint8_t vhost_started;
struct {
- int in_use;
- int first_multi;
+ uint32_t in_use;
+ uint32_t first_multi;
uint8_t multi_overflow;
uint8_t uni_overflow;
uint8_t *macs;

60
0049-virtio-net-out-of-bounds-buffer-wri.patch
View File

@ -1,60 +0,0 @@
From 0c0a6b53c543e4095da9243eb5299e03d2c88c06 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:50:56 +0300
Subject: [PATCH] virtio-net: out-of-bounds buffer write on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
This code is in hw/net/virtio-net.c:
if (n->max_queues > 1) {
if (n->max_queues != qemu_get_be16(f)) {
error_report("virtio-net: different max_queues ");
return -1;
}
n->curr_queues = qemu_get_be16(f);
for (i = 1; i < n->curr_queues; i++) {
n->vqs[i].tx_waiting = qemu_get_be32(f);
}
}
Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get
write beyond end of the buffer, with data that comes from
wire.
This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit eea750a5623ddac7a61982eec8f1c93481857578)
[AF: BNC#864650]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/net/virtio-net.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 33bd233..0a8cb40 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1407,6 +1407,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
}
n->curr_queues = qemu_get_be16(f);
+ if (n->curr_queues > n->max_queues) {
+ error_report("virtio-net: curr_queues %x > max_queues %x",
+ n->curr_queues, n->max_queues);
+ return -1;
+ }
for (i = 1; i < n->curr_queues; i++) {
n->vqs[i].tx_waiting = qemu_get_be32(f);
}

57
0050-virtio-out-of-bounds-buffer-write-o.patch
View File

@ -1,57 +0,0 @@
From a76b7609802937bfc6f35a75cf0809c8f7197f76 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:14 +0300
Subject: [PATCH] virtio: out-of-bounds buffer write on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c
So we have this code since way back when:
num = qemu_get_be32(f);
for (i = 0; i < num; i++) {
vdev->vq[i].vring.num = qemu_get_be32(f);
array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit cc45995294b92d95319b4782750a3580cabdbc0c)
[AF: BNC#864653]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/virtio/virtio.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index aeabf3a..05f05e7 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -891,7 +891,8 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
int virtio_load(VirtIODevice *vdev, QEMUFile *f)
{
- int num, i, ret;
+ int i, ret;
+ uint32_t num;
uint32_t features;
uint32_t supported_features;
BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
@@ -919,6 +920,11 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
num = qemu_get_be32(f);
+ if (num > VIRTIO_PCI_QUEUE_MAX) {
+ error_report("Invalid number of PCI queues: 0x%x", num);
+ return -1;
+ }
+
for (i = 0; i < num; i++) {
vdev->vq[i].vring.num = qemu_get_be32(f);
if (k->has_variable_vring_alignment) {

41
0051-ahci-fix-buffer-overrun-on-invalid-.patch
View File

@ -1,41 +0,0 @@
From b591a65b23630ee3707647d61fc69b3f0ff16665 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:18 +0300
Subject: [PATCH] ahci: fix buffer overrun on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4526
Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So
we use the old version of ports to read the array but then allow any
value for ports. This can cause the code to overflow.
There's no reason to migrate ports - it never changes.
So just make sure it matches.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5)
[AF: BNC#864671]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/ide/ahci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index bfe633f..457a7a1 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1293,7 +1293,7 @@ const VMStateDescription vmstate_ahci = {
VMSTATE_UINT32(control_regs.impl, AHCIState),
VMSTATE_UINT32(control_regs.version, AHCIState),
VMSTATE_UINT32(idp_index, AHCIState),
- VMSTATE_INT32(ports, AHCIState),
+ VMSTATE_INT32_EQUAL(ports, AHCIState),
VMSTATE_END_OF_LIST()
},
};

56
0052-hpet-fix-buffer-overrun-on-invalid-.patch
View File

@ -1,56 +0,0 @@
From 085771b0f84bc9e3a9d868ff67c229e83b8431a2 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:23 +0300
Subject: [PATCH] hpet: fix buffer overrun on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4527 hw/timer/hpet.c buffer overrun
hpet is a VARRAY with a uint8 size but static array of 32
To fix, make sure num_timers is valid using VMSTATE_VALID hook.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3f1c49e2136fa08ab1ef3183fd55def308829584)
[AF: BNC#864673]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/timer/hpet.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
index e15d6bc..2792f89 100644
--- a/hw/timer/hpet.c
+++ b/hw/timer/hpet.c
@@ -239,6 +239,18 @@ static int hpet_pre_load(void *opaque)
return 0;
}
+static bool hpet_validate_num_timers(void *opaque, int version_id)
+{
+ HPETState *s = opaque;
+
+ if (s->num_timers < HPET_MIN_TIMERS) {
+ return false;
+ } else if (s->num_timers > HPET_MAX_TIMERS) {
+ return false;
+ }
+ return true;
+}
+
static int hpet_post_load(void *opaque, int version_id)
{
HPETState *s = opaque;
@@ -307,6 +319,7 @@ static const VMStateDescription vmstate_hpet = {
VMSTATE_UINT64(isr, HPETState),
VMSTATE_UINT64(hpet_counter, HPETState),
VMSTATE_UINT8_V(num_timers, HPETState, 2),
+ VMSTATE_VALIDATE("num_timers in range", hpet_validate_num_timers),
VMSTATE_STRUCT_VARRAY_UINT8(timer, HPETState, num_timers, 0,
vmstate_hpet_timer, HPETTimer),
VMSTATE_END_OF_LIST()

60
0053-hw-pci-pcie_aer.c-fix-buffer-overru.patch
View File

@ -1,60 +0,0 @@
From 3f2e8a7a3af50578270a058e658ce70680891bd8 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:31 +0300
Subject: [PATCH] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
4) CVE-2013-4529
hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is
too large
There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.
Fix both issues.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5f691ff91d323b6f97c6600405a7f9dc115a0ad1)
[AF: BNC#864678]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/pci/pcie_aer.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/hw/pci/pcie_aer.c b/hw/pci/pcie_aer.c
index 991502e..535be2c 100644
--- a/hw/pci/pcie_aer.c
+++ b/hw/pci/pcie_aer.c
@@ -795,6 +795,13 @@ static const VMStateDescription vmstate_pcie_aer_err = {
}
};
+static bool pcie_aer_state_log_num_valid(void *opaque, int version_id)
+{
+ PCIEAERLog *s = opaque;
+
+ return s->log_num <= s->log_max;
+}
+
const VMStateDescription vmstate_pcie_aer_log = {
.name = "PCIE_AER_ERROR_LOG",
.version_id = 1,
@@ -802,7 +809,8 @@ const VMStateDescription vmstate_pcie_aer_log = {
.minimum_version_id_old = 1,
.fields = (VMStateField[]) {
VMSTATE_UINT16(log_num, PCIEAERLog),
- VMSTATE_UINT16(log_max, PCIEAERLog),
+ VMSTATE_UINT16_EQUAL(log_max, PCIEAERLog),
+ VMSTATE_VALIDATE("log_num <= log_max", pcie_aer_state_log_num_valid),
VMSTATE_STRUCT_VARRAY_POINTER_UINT16(log, PCIEAERLog, log_num,
vmstate_pcie_aer_err, PCIEAERErr),
VMSTATE_END_OF_LIST()

55
0054-pl022-fix-buffer-overun-on-invalid-.patch
View File

@ -1,55 +0,0 @@
From d4e6359ea7c11e7ae6b8ff3c03394db96a2a6932 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:35 +0300
Subject: [PATCH] pl022: fix buffer overun on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4530
pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.
Reported-by: Michael S. Tsirkin <mst@redhat.com
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit d8d0a0bc7e194300e53a346d25fe5724fd588387)
[AF: BNC#864682]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/ssi/pl022.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/hw/ssi/pl022.c b/hw/ssi/pl022.c
index fd479ef..b19bc71 100644
--- a/hw/ssi/pl022.c
+++ b/hw/ssi/pl022.c
@@ -240,11 +240,25 @@ static const MemoryRegionOps pl022_ops = {
.endianness = DEVICE_NATIVE_ENDIAN,
};
+static int pl022_post_load(void *opaque, int version_id)
+{
+ PL022State *s = opaque;
+
+ if (s->tx_fifo_head < 0 ||
+ s->tx_fifo_head >= ARRAY_SIZE(s->tx_fifo) ||
+ s->rx_fifo_head < 0 ||
+ s->rx_fifo_head >= ARRAY_SIZE(s->rx_fifo)) {
+ return -1;
+ }
+ return 0;
+}
+
static const VMStateDescription vmstate_pl022 = {
.name = "pl022_ssp",
.version_id = 1,
.minimum_version_id = 1,
.minimum_version_id_old = 1,
+ .post_load = pl022_post_load,
.fields = (VMStateField[]) {
VMSTATE_UINT32(cr0, PL022State),
VMSTATE_UINT32(cr1, PL022State),

57
0055-vmstate-fix-buffer-overflow-in-targ.patch
View File

@ -1,57 +0,0 @@
From 5c94e6582aaf791f603afbf4b1d8d86652d87f93 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:42 +0300
Subject: [PATCH] vmstate: fix buffer overflow in target-arm/machine.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4531
cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.
VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.
Fix this macro to valide the value appropriately.
The only other user of VMSTATE_INT32_LE doesn't
ever use negative numbers so it doesn't care.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62)
[AF: BNC#864796]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
vmstate.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/vmstate.c b/vmstate.c
index d856319..105f184 100644
--- a/vmstate.c
+++ b/vmstate.c
@@ -333,8 +333,9 @@ const VMStateInfo vmstate_info_int32_equal = {
.put = put_int32,
};
-/* 32 bit int. Check that the received value is less than or equal to
- the one in the field */
+/* 32 bit int. Check that the received value is non-negative
+ * and less than or equal to the one in the field.
+ */
static int get_int32_le(QEMUFile *f, void *pv, size_t size)
{
@@ -342,7 +343,7 @@ static int get_int32_le(QEMUFile *f, void *pv, size_t size)
int32_t loaded;
qemu_get_sbe32s(f, &loaded);
- if (loaded <= *cur) {
+ if (loaded >= 0 && loaded <= *cur) {
*cur = loaded;
return 0;
}

45
0056-virtio-avoid-buffer-overrun-on-inco.patch
View File

@ -1,45 +0,0 @@
From 49af37a1dfdb6e7a54ae4ab9fd1c7816763bf6c1 Mon Sep 17 00:00:00 2001
From: Michael Roth <mdroth@linux.vnet.ibm.com>
Date: Thu, 3 Apr 2014 19:51:46 +0300
Subject: [PATCH] virtio: avoid buffer overrun on incoming migration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-6399
vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.
Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
[AF: BNC#864814]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/virtio/virtio.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 05f05e7..0072542 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -907,6 +907,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
qemu_get_8s(f, &vdev->status);
qemu_get_8s(f, &vdev->isr);
qemu_get_be16s(f, &vdev->queue_sel);
+ if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
+ return -1;
+ }
qemu_get_be32s(f, &features);
if (virtio_set_features(vdev, features) < 0) {

46
0057-virtio-validate-num_sg-when-mapping.patch
View File

@ -1,46 +0,0 @@
From c5b839d16efe607af264cd6c2d99124b2a10bc02 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:53 +0300
Subject: [PATCH] virtio: validate num_sg when mapping
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4535
CVE-2013-4536
Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.
To fix, validate num_sg.
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 36cf2a37132c7f01fa9adb5f95f5312b27742fd4)
[AF: BNC#864665]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/virtio/virtio.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 0072542..a70169a 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -430,6 +430,12 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
unsigned int i;
hwaddr len;
+ if (num_sg >= VIRTQUEUE_MAX_SIZE) {
+ error_report("virtio: map attempt out of bounds: %zd > %d",
+ num_sg, VIRTQUEUE_MAX_SIZE);
+ exit(1);
+ }
+
for (i = 0; i < num_sg; i++) {
len = sg[i].iov_len;
sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);

56
0058-pxa2xx-avoid-buffer-overrun-on-inco.patch
View File

@ -1,56 +0,0 @@
From f1cebceb572956ff820ecc29362c6ade0020d570 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:57 +0300
Subject: [PATCH] pxa2xx: avoid buffer overrun on incoming migration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4533
s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.
Fix this by validating rx_level against the size of s->rx_fifo.
Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit caa881abe0e01f9931125a0977ec33c5343e4aa7)
[AF: BNC#864655]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/arm/pxa2xx.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
index 0429148..e0cd847 100644
--- a/hw/arm/pxa2xx.c
+++ b/hw/arm/pxa2xx.c
@@ -732,7 +732,7 @@ static void pxa2xx_ssp_save(QEMUFile *f, void *opaque)
static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
{
PXA2xxSSPState *s = (PXA2xxSSPState *) opaque;
- int i;
+ int i, v;
s->enable = qemu_get_be32(f);
@@ -746,7 +746,11 @@ static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
qemu_get_8s(f, &s->ssrsa);
qemu_get_8s(f, &s->ssacd);
- s->rx_level = qemu_get_byte(f);
+ v = qemu_get_byte(f);
+ if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) {
+ return -EINVAL;
+ }
+ s->rx_level = v;
s->rx_start = 0;
for (i = 0; i < s->rx_level; i ++)
s->rx_fifo[i] = qemu_get_byte(f);

82
0059-ssd0323-fix-buffer-overun-on-invali.patch
View File

@ -1,82 +0,0 @@
From fb4795c3470c9258f96324a7e49fabf33ae1b98b Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:52:05 +0300
Subject: [PATCH] ssd0323: fix buffer overun on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4538
s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indicies into
framebuffer array.
To fix validate after load.
Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.
For completeness, validate mode as well.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit ead7a57df37d2187813a121308213f41591bd811)
[AF: BNC#864769]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/display/ssd0323.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/hw/display/ssd0323.c b/hw/display/ssd0323.c
index 971152e..9727007 100644
--- a/hw/display/ssd0323.c
+++ b/hw/display/ssd0323.c
@@ -312,18 +312,42 @@ static int ssd0323_load(QEMUFile *f, void *opaque, int version_id)
return -EINVAL;
s->cmd_len = qemu_get_be32(f);
+ if (s->cmd_len < 0 || s->cmd_len > ARRAY_SIZE(s->cmd_data)) {
+ return -EINVAL;
+ }
s->cmd = qemu_get_be32(f);
for (i = 0; i < 8; i++)
s->cmd_data[i] = qemu_get_be32(f);
s->row = qemu_get_be32(f);
+ if (s->row < 0 || s->row >= 80) {
+ return -EINVAL;
+ }
s->row_start = qemu_get_be32(f);
+ if (s->row_start < 0 || s->row_start >= 80) {
+ return -EINVAL;
+ }
s->row_end = qemu_get_be32(f);
+ if (s->row_end < 0 || s->row_end >= 80) {
+ return -EINVAL;
+ }
s->col = qemu_get_be32(f);
+ if (s->col < 0 || s->col >= 64) {
+ return -EINVAL;
+ }
s->col_start = qemu_get_be32(f);
+ if (s->col_start < 0 || s->col_start >= 64) {
+ return -EINVAL;
+ }
s->col_end = qemu_get_be32(f);
+ if (s->col_end < 0 || s->col_end >= 64) {
+ return -EINVAL;
+ }
s->redraw = qemu_get_be32(f);
s->remap = qemu_get_be32(f);
s->mode = qemu_get_be32(f);
+ if (s->mode != SSD0323_CMD && s->mode != SSD0323_DATA) {
+ return -EINVAL;
+ }
qemu_get_buffer(f, s->framebuffer, sizeof(s->framebuffer));
ss->cs = qemu_get_be32(f);

52
0060-tsc210x-fix-buffer-overrun-on-inval.patch
View File

@ -1,52 +0,0 @@
From 9258d36c4392e02156a986a03a0d8ee8fb0c4284 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:52:09 +0300
Subject: [PATCH] tsc210x: fix buffer overrun on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4539
s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.
Validate after load to avoid buffer overrun.
Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5193be3be35f29a35bc465036cd64ad60d43385f)
[AF: BNC#864805]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/input/tsc210x.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/hw/input/tsc210x.c b/hw/input/tsc210x.c
index 485c9e5..aa5b688 100644
--- a/hw/input/tsc210x.c
+++ b/hw/input/tsc210x.c
@@ -1070,9 +1070,21 @@ static int tsc210x_load(QEMUFile *f, void *opaque, int version_id)
s->enabled = qemu_get_byte(f);
s->host_mode = qemu_get_byte(f);
s->function = qemu_get_byte(f);
+ if (s->function < 0 || s->function >= ARRAY_SIZE(mode_regs)) {
+ return -EINVAL;
+ }
s->nextfunction = qemu_get_byte(f);
+ if (s->nextfunction < 0 || s->nextfunction >= ARRAY_SIZE(mode_regs)) {
+ return -EINVAL;
+ }
s->precision = qemu_get_byte(f);
+ if (s->precision < 0 || s->precision >= ARRAY_SIZE(resolution)) {
+ return -EINVAL;
+ }
s->nextprecision = qemu_get_byte(f);
+ if (s->nextprecision < 0 || s->nextprecision >= ARRAY_SIZE(resolution)) {
+ return -EINVAL;
+ }
s->filter = qemu_get_byte(f);
s->pin_func = qemu_get_byte(f);
s->ref = qemu_get_byte(f);

59
0061-zaurus-fix-buffer-overrun-on-invali.patch
View File

@ -1,59 +0,0 @@
From a075e63d02fed4153136742624696b376918a820 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:52:13 +0300
Subject: [PATCH] zaurus: fix buffer overrun on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4540
Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.
Since prev_level comes from wire indirectly, this can
happen on invalid state load.
Similarly for gpio_level and gpio_dir.
To fix, limit to 16 bit.
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 52f91c3723932f8340fe36c8ec8b18a757c37b2b)
[AF: BNC#864801]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/gpio/zaurus.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/gpio/zaurus.c b/hw/gpio/zaurus.c
index dc79a8b..8e2ce04 100644
--- a/hw/gpio/zaurus.c
+++ b/hw/gpio/zaurus.c
@@ -203,6 +203,15 @@ static bool is_version_0 (void *opaque, int version_id)
return version_id == 0;
}
+static bool vmstate_scoop_validate(void *opaque, int version_id)
+{
+ ScoopInfo *s = opaque;
+
+ return !(s->prev_level & 0xffff0000) &&
+ !(s->gpio_level & 0xffff0000) &&
+ !(s->gpio_dir & 0xffff0000);
+}
+
static const VMStateDescription vmstate_scoop_regs = {
.name = "scoop",
.version_id = 1,
@@ -215,6 +224,7 @@ static const VMStateDescription vmstate_scoop_regs = {
VMSTATE_UINT32(gpio_level, ScoopInfo),
VMSTATE_UINT32(gpio_dir, ScoopInfo),
VMSTATE_UINT32(prev_level, ScoopInfo),
+ VMSTATE_VALIDATE("irq levels are 16 bit", vmstate_scoop_validate),
VMSTATE_UINT16(mcr, ScoopInfo),
VMSTATE_UINT16(cdr, ScoopInfo),
VMSTATE_UINT16(ccr, ScoopInfo),

69
0062-virtio-scsi-fix-buffer-overrun-on-i.patch
View File

@ -1,69 +0,0 @@
From 2f55ce6ce26c16796443a7765a7d5fad157340ed Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:52:17 +0300
Subject: [PATCH] virtio-scsi: fix buffer overrun on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4542
hw/scsi/scsi-bus.c invokes load_request.
virtio_scsi_load_request does:
qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
this probably can make elem invalid, for example,
make in_num or out_num huge, then:
virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
will do:
if (req->elem.out_num > 1) {
qemu_sgl_init_external(req, &req->elem.out_sg[1],
&req->elem.out_addr[1],
req->elem.out_num - 1);
} else {
qemu_sgl_init_external(req, &req->elem.in_sg[1],
&req->elem.in_addr[1],
req->elem.in_num - 1);
}
and this will access out of array bounds.
Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.
Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3c3ce981423e0d6c18af82ee62f1850c2cda5976)
[AF: BNC#864804]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/scsi/virtio-scsi.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index b0d7517..1752193 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -147,6 +147,15 @@ static void *virtio_scsi_load_request(QEMUFile *f, SCSIRequest *sreq)
qemu_get_be32s(f, &n);
assert(n < vs->conf.num_queues);
qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
+ /* TODO: add a way for SCSIBusInfo's load_request to fail,
+ * and fail migration instead of asserting here.
+ * When we do, we might be able to re-enable NDEBUG below.
+ */
+#ifdef NDEBUG
+#error building with NDEBUG is not supported
+#endif
+ assert(req->elem.in_num <= ARRAY_SIZE(req->elem.in_sg));
+ assert(req->elem.out_num <= ARRAY_SIZE(req->elem.out_sg));
virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
scsi_req_ref(sreq);

69
0063-vmstate-s-VMSTATE_INT32_LE-VMSTATE_.patch
View File

@ -1,69 +0,0 @@
From 075764d38e7916de4f2621c329d3b7d810a76500 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:52:21 +0300
Subject: [PATCH] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As the macro verifies the value is positive, rename it
to make the function clearer.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3476436a44c29725efef0cabf5b3ea4e70054d57)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/pci/pci.c | 4 ++--
include/migration/vmstate.h | 2 +-
target-arm/machine.c | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 2a9f08e..517ff2a 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -475,7 +475,7 @@ const VMStateDescription vmstate_pci_device = {
.minimum_version_id = 1,
.minimum_version_id_old = 1,
.fields = (VMStateField []) {
- VMSTATE_INT32_LE(version_id, PCIDevice),
+ VMSTATE_INT32_POSITIVE_LE(version_id, PCIDevice),
VMSTATE_BUFFER_UNSAFE_INFO(config, PCIDevice, 0,
vmstate_info_pci_config,
PCI_CONFIG_SPACE_SIZE),
@@ -492,7 +492,7 @@ const VMStateDescription vmstate_pcie_device = {
.minimum_version_id = 1,
.minimum_version_id_old = 1,
.fields = (VMStateField []) {
- VMSTATE_INT32_LE(version_id, PCIDevice),
+ VMSTATE_INT32_POSITIVE_LE(version_id, PCIDevice),
VMSTATE_BUFFER_UNSAFE_INFO(config, PCIDevice, 0,
vmstate_info_pci_config,
PCIE_CONFIG_SPACE_SIZE),
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index 5b71370..7e45048 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -601,7 +601,7 @@ extern const VMStateInfo vmstate_info_bitmap;
#define VMSTATE_UINT64_EQUAL(_f, _s) \
VMSTATE_UINT64_EQUAL_V(_f, _s, 0)
-#define VMSTATE_INT32_LE(_f, _s) \
+#define VMSTATE_INT32_POSITIVE_LE(_f, _s) \
VMSTATE_SINGLE(_f, _s, 0, vmstate_info_int32_le, int32_t)
#define VMSTATE_UINT8_TEST(_f, _s, _t) \
diff --git a/target-arm/machine.c b/target-arm/machine.c
index 7ced87a..5746ffd 100644
--- a/target-arm/machine.c
+++ b/target-arm/machine.c
@@ -246,7 +246,7 @@ const VMStateDescription vmstate_arm_cpu = {
/* The length-check must come before the arrays to avoid
* incoming data possibly overflowing the array.
*/
- VMSTATE_INT32_LE(cpreg_vmstate_array_len, ARMCPU),
+ VMSTATE_INT32_POSITIVE_LE(cpreg_vmstate_array_len, ARMCPU),
VMSTATE_VARRAY_INT32(cpreg_vmstate_indexes, ARMCPU,
cpreg_vmstate_array_len,
0, vmstate_info_uint64, uint64_t),

43
0064-usb-sanity-check-setup_index-setup_.patch
View File

@ -1,43 +0,0 @@
From b94f504fbb4910705803236ec84805ac4ac9139e Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:52:25 +0300
Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked to make sure
they are not negative.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)
[AF: BNC#864802]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/usb/bus.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index fe70429..e48b19f 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
} else {
dev->attached = 1;
}
- if (dev->setup_index >= sizeof(dev->data_buf) ||
+ if (dev->setup_index < 0 ||
+ dev->setup_len < 0 ||
+ dev->setup_index >= sizeof(dev->data_buf) ||
dev->setup_len >= sizeof(dev->data_buf)) {
return -EINVAL;
}

102
0065-savevm-Ignore-minimum_version_id_ol.patch
View File

@ -1,102 +0,0 @@
From 9ad9afb2ff3fa91c1315bd198e0118f8025b8805 Mon Sep 17 00:00:00 2001
From: Peter Maydell <peter.maydell@linaro.org>
Date: Thu, 3 Apr 2014 19:52:28 +0300
Subject: [PATCH] savevm: Ignore minimum_version_id_old if there is no
load_state_old
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
At the moment we require vmstate definitions to set minimum_version_id_old
to the same value as minimum_version_id if they do not provide a
load_state_old handler. Since the load_state_old functionality is
required only for a handful of devices that need to retain migration
compatibility with a pre-vmstate implementation, this means the bulk
of devices have pointless boilerplate. Relax the definition so that
minimum_version_id_old is ignored if there is no load_state_old handler.
Note that under the old scheme we would segfault if the vmstate
specified a minimum_version_id_old that was less than minimum_version_id
but did not provide a load_state_old function, and the incoming state
specified a version number between minimum_version_id_old and
minimum_version_id. Under the new scheme this will just result in
our failing the migration.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 767adce2d9cd397de3418caa16be35ea18d56f22)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
docs/migration.txt | 12 +++++-------
vmstate.c | 9 +++++----
2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/docs/migration.txt b/docs/migration.txt
index 0e0a1d4..fe1f2bb 100644
--- a/docs/migration.txt
+++ b/docs/migration.txt
@@ -139,7 +139,6 @@ static const VMStateDescription vmstate_kbd = {
.name = "pckbd",
.version_id = 3,
.minimum_version_id = 3,
- .minimum_version_id_old = 3,
.fields = (VMStateField []) {
VMSTATE_UINT8(write_cmd, KBDState),
VMSTATE_UINT8(status, KBDState),
@@ -168,12 +167,13 @@ You can see that there are several version fields:
- minimum_version_id: the minimum version_id that VMState is able to understand
for that device.
- minimum_version_id_old: For devices that were not able to port to vmstate, we can
- assign a function that knows how to read this old state.
+ assign a function that knows how to read this old state. This field is
+ ignored if there is no load_state_old handler.
So, VMState is able to read versions from minimum_version_id to
-version_id. And the function load_state_old() is able to load state
-from minimum_version_id_old to minimum_version_id. This function is
-deprecated and will be removed when no more users are left.
+version_id. And the function load_state_old() (if present) is able to
+load state from minimum_version_id_old to minimum_version_id. This
+function is deprecated and will be removed when no more users are left.
=== Massaging functions ===
@@ -255,7 +255,6 @@ const VMStateDescription vmstate_ide_drive_pio_state = {
.name = "ide_drive/pio_state",
.version_id = 1,
.minimum_version_id = 1,
- .minimum_version_id_old = 1,
.pre_save = ide_drive_pio_pre_save,
.post_load = ide_drive_pio_post_load,
.fields = (VMStateField []) {
@@ -275,7 +274,6 @@ const VMStateDescription vmstate_ide_drive = {
.name = "ide_drive",
.version_id = 3,
.minimum_version_id = 0,
- .minimum_version_id_old = 0,
.post_load = ide_drive_post_load,
.fields = (VMStateField []) {
.... several fields ....
diff --git a/vmstate.c b/vmstate.c
index 105f184..582c321 100644
--- a/vmstate.c
+++ b/vmstate.c
@@ -19,11 +19,12 @@ int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd,
if (version_id > vmsd->version_id) {
return -EINVAL;
}
- if (version_id < vmsd->minimum_version_id_old) {
- return -EINVAL;
- }
if (version_id < vmsd->minimum_version_id) {
- return vmsd->load_state_old(f, opaque, version_id);
+ if (vmsd->load_state_old &&
+ version_id >= vmsd->minimum_version_id_old) {
+ return vmsd->load_state_old(f, opaque, version_id);
+ }
+ return -EINVAL;
}
if (vmsd->pre_load) {
int ret = vmsd->pre_load(opaque);

46
0066-ssi-sd-fix-buffer-overrun-on-invali.patch
View File

@ -1,46 +0,0 @@
From 9ec43fe48680cf5917eb3d41ad85201d4137871f Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Mon, 28 Apr 2014 16:08:14 +0300
Subject: [PATCH] ssi-sd: fix buffer overrun on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4537
s->arglen is taken from wire and used as idx
in ssi_sd_transfer().
Validate it before access.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit a9c380db3b8c6af19546a68145c8d1438a09c92b)
[AF: BNC#864391]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/sd/ssi-sd.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/sd/ssi-sd.c b/hw/sd/ssi-sd.c
index 3273c8a..b012e57 100644
--- a/hw/sd/ssi-sd.c
+++ b/hw/sd/ssi-sd.c
@@ -230,8 +230,17 @@ static int ssi_sd_load(QEMUFile *f, void *opaque, int version_id)
for (i = 0; i < 5; i++)
s->response[i] = qemu_get_be32(f);
s->arglen = qemu_get_be32(f);
+ if (s->mode == SSI_SD_CMDARG &&
+ (s->arglen < 0 || s->arglen >= ARRAY_SIZE(s->cmdarg))) {
+ return -EINVAL;
+ }
s->response_pos = qemu_get_be32(f);
s->stopping = qemu_get_be32(f);
+ if (s->mode == SSI_SD_RESPONSE &&
+ (s->response_pos < 0 || s->response_pos >= ARRAY_SIZE(s->response) ||
+ (!s->stopping && s->arglen > ARRAY_SIZE(s->response)))) {
+ return -EINVAL;
+ }
ss->cs = qemu_get_be32(f);

77
0067-openpic-avoid-buffer-overrun-on-inc.patch
View File

@ -1,77 +0,0 @@
From e70b97747393a4d5544bdb9eb64a7f5b69b0bb91 Mon Sep 17 00:00:00 2001
From: Michael Roth <mdroth@linux.vnet.ibm.com>
Date: Mon, 28 Apr 2014 16:08:17 +0300
Subject: [PATCH] openpic: avoid buffer overrun on incoming migration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4534
opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.
Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e)
[AF: BNC#864811]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/intc/openpic.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/hw/intc/openpic.c b/hw/intc/openpic.c
index be76fbd..17136c9 100644
--- a/hw/intc/openpic.c
+++ b/hw/intc/openpic.c
@@ -41,6 +41,7 @@
#include "hw/sysbus.h"
#include "hw/pci/msi.h"
#include "qemu/bitops.h"
+#include "qapi/qmp/qerror.h"
//#define DEBUG_OPENPIC
@@ -1416,7 +1417,7 @@ static void openpic_load_IRQ_queue(QEMUFile* f, IRQQueue *q)
static int openpic_load(QEMUFile* f, void *opaque, int version_id)
{
OpenPICState *opp = (OpenPICState *)opaque;
- unsigned int i;
+ unsigned int i, nb_cpus;
if (version_id != 1) {
return -EINVAL;
@@ -1428,7 +1429,11 @@ static int openpic_load(QEMUFile* f, void *opaque, int version_id)
qemu_get_be32s(f, &opp->spve);
qemu_get_be32s(f, &opp->tfrr);
- qemu_get_be32s(f, &opp->nb_cpus);
+ qemu_get_be32s(f, &nb_cpus);
+ if (opp->nb_cpus != nb_cpus) {
+ return -EINVAL;
+ }
+ assert(nb_cpus > 0 && nb_cpus <= MAX_CPU);
for (i = 0; i < opp->nb_cpus; i++) {
qemu_get_sbe32s(f, &opp->dst[i].ctpr);
@@ -1567,6 +1572,13 @@ static void openpic_realize(DeviceState *dev, Error **errp)
{NULL}
};
+ if (opp->nb_cpus > MAX_CPU) {
+ error_set(errp, QERR_PROPERTY_VALUE_OUT_OF_RANGE,
+ TYPE_OPENPIC, "nb_cpus", (uint64_t)opp->nb_cpus,
+ (uint64_t)0, (uint64_t)MAX_CPU);
+ return;
+ }
+
switch (opp->model) {
case OPENPIC_MODEL_FSL_MPIC_20:
default:

60
0068-virtio-net-out-of-bounds-buffer-wri.patch
View File

@ -1,60 +0,0 @@
From 2eae80d0ad4c9d0de849fbe8ad6d7d5fa788fdfb Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Mon, 28 Apr 2014 16:08:21 +0300
Subject: [PATCH] virtio-net: out-of-bounds buffer write on load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
> } else if (n->mac_table.in_use) {
> uint8_t *buf = g_malloc0(n->mac_table.in_use);
We are allocating buffer of size n->mac_table.in_use
> qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.
If adversary controls state then memory written there is controlled
by adversary.
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf)
[AF: BNC#864649]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/net/virtio-net.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 0a8cb40..940a7cf 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1362,10 +1362,17 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
qemu_get_buffer(f, n->mac_table.macs,
n->mac_table.in_use * ETH_ALEN);
- } else if (n->mac_table.in_use) {
- uint8_t *buf = g_malloc0(n->mac_table.in_use);
- qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
- g_free(buf);
+ } else {
+ int64_t i;
+
+ /* Overflow detected - can happen if source has a larger MAC table.
+ * We simply set overflow flag so there's no need to maintain the
+ * table of addresses, discard them all.
+ * Note: 64 bit math to avoid integer overflow.
+ */
+ for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) {
+ qemu_get_byte(f);
+ }
n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1;
n->mac_table.in_use = 0;
}

57
0069-virtio-validate-config_len-on-load.patch
View File

@ -1,57 +0,0 @@
From 5d2ec830b492cc18205d3a10d9ed3595559cd831 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Mon, 28 Apr 2014 16:08:23 +0300
Subject: [PATCH] virtio: validate config_len on load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.
To fix, that config_len matches on both sides.
CVE-2014-0182
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
--
v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc)
[AF: BNC#874788]
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/virtio/virtio.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index a70169a..7f4e7ec 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -898,6 +898,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
int virtio_load(VirtIODevice *vdev, QEMUFile *f)
{
int i, ret;
+ int32_t config_len;
uint32_t num;
uint32_t features;
uint32_t supported_features;
@@ -924,7 +925,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
features, supported_features);
return -1;
}
- vdev->config_len = qemu_get_be32(f);
+ config_len = qemu_get_be32(f);
+ if (config_len != vdev->config_len) {
+ error_report("Unexpected config length 0x%x. Expected 0x%zx",
+ config_len, vdev->config_len);
+ return -1;
+ }
qemu_get_buffer(f, vdev->config, vdev->config_len);
num = qemu_get_be32(f);

36
0070-virtio-allow-mapping-up-to-max-queu.patch
View File

@ -1,36 +0,0 @@
From f609ef91bccd8b1637575516a94a5dc0af804b40 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Mon, 12 May 2014 12:04:20 +0300
Subject: [PATCH] virtio: allow mapping up to max queue size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It's a loop from i < num_sg and the array is VIRTQUEUE_MAX_SIZE - so
it's OK if the value read is VIRTQUEUE_MAX_SIZE.
Not a big problem in practice as people don't use
such big queues, but it's inelegant.
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 937251408051e0489f78e4db3c92e045b147b38b)
Signed-off-by: Andreas Färber <afaerber@suse.de>
---
hw/virtio/virtio.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 7f4e7ec..3557c17 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -430,7 +430,7 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
unsigned int i;
hwaddr len;
- if (num_sg >= VIRTQUEUE_MAX_SIZE) {
+ if (num_sg > VIRTQUEUE_MAX_SIZE) {
error_report("virtio: map attempt out of bounds: %zd > %d",
num_sg, VIRTQUEUE_MAX_SIZE);
exit(1);

29
ipxe-build-Avoid-strict-aliasing-warning.patch
View File

@ -1,29 +0,0 @@
From 11ad0bafbf137a874f88ac810520acb90fa9a990 Mon Sep 17 00:00:00 2001
From: Bo Yang <boyang@suse.com>
Date: Wed, 20 Mar 2013 16:34:17 +0800
Subject: [PATCH] [build] Avoid strict-aliasing warning for gcc 4.3
Signed-off-by: Bo Yang <boyang@suse.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
src/arch/i386/include/bits/byteswap.h | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/roms/ipxe/src/arch/i386/include/bits/byteswap.h b/roms/ipxe/src/arch/i386/include/bits/byteswap.h
index f3d30a2..0d9cb96 100644
--- a/roms/ipxe/src/arch/i386/include/bits/byteswap.h
+++ b/roms/ipxe/src/arch/i386/include/bits/byteswap.h
@@ -53,8 +53,8 @@ __bswap_variable_64 ( uint64_t x ) {
static inline __attribute__ (( always_inline )) void
__bswap_64s ( uint64_t *x ) {
struct {
- uint32_t low;
- uint32_t high;
+ uint32_t __attribute__ (( may_alias )) low;
+ uint32_t __attribute__ (( may_alias )) high;
} __attribute__ (( may_alias )) *dwords = ( ( void * ) x );
uint32_t discard;
--
1.7.7

55
ipxe-build-Work-around-bug-in-gcc-4.8.patch
View File

@ -1,55 +0,0 @@
From 238050dfd46e3c4a87329da1d48b4d8dde5af8a1 Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Fri, 7 Jun 2013 13:46:27 +0100
Subject: [PATCH] [build] Work around bug in gcc >= 4.8
gcc 4.8 and 4.9 fail to compile pxe_call.c with the error "bp cannot
be used in asm here". Other points in the codebase which use "ebp" in
the asm clobber list do not seem to be affected.
Unfortunately gcc provides no way to specify %ebp as an output
register, so we cannot use this as a workaround. The only viable
solution is to explicitly push/pop %ebp within the asm itself. This
is ugly for two reasons: firstly, it may be unnecessary; secondly, it
may cause gcc to generate invalid %esp-relative addresses if the asm
happens to use memory operands. This specific block of asm uses no
memory operands and so will not generate invalid code.
Reported-by: Daniel P. Berrange <berrange@redhat.com>
Reported-by: Christian Hesse <list@eworm.de>
Originally-fixed-by: Christian Hesse <list@eworm.de>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
roms/ipxe/src/arch/i386/interface/pxe/pxe_call.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
Index: b/roms/ipxe/src/arch/i386/interface/pxe/pxe_call.c
===================================================================
--- a/roms/ipxe/src/arch/i386/interface/pxe/pxe_call.c
+++ b/roms/ipxe/src/arch/i386/interface/pxe/pxe_call.c
@@ -265,12 +265,14 @@ int pxe_start_nbp ( void ) {
DBG ( "Restarting NBP (%x)\n", jmp );
/* Far call to PXE NBP */
- __asm__ __volatile__ ( REAL_CODE ( "movw %%cx, %%es\n\t"
+ __asm__ __volatile__ ( REAL_CODE ( "pushl %%ebp\n\t" /* gcc bug */
+ "movw %%cx, %%es\n\t"
"pushw %%es\n\t"
"pushw %%di\n\t"
"sti\n\t"
"lcall $0, $0x7c00\n\t"
- "addw $4, %%sp\n\t" )
+ "popl %%ebp\n\t" /* discard */
+ "popl %%ebp\n\t" /* gcc bug */ )
: "=a" ( rc ), "=b" ( discard_b ),
"=c" ( discard_c ), "=d" ( discard_d ),
"=D" ( discard_D )
@@ -278,7 +280,7 @@ int pxe_start_nbp ( void ) {
"c" ( rm_cs ),
"d" ( virt_to_phys ( &pxenv ) ),
"D" ( __from_text16 ( &ppxe ) )
- : "esi", "ebp", "memory" );
+ : "esi", "memory" );
return rc;
}

41
ipxe-zbin-Fix-size-used-for-memset-in-al.patch
View File

@ -1,41 +0,0 @@
From eb5a2ba5962579e514b377f5fdab7292be0fb2a7 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 5 Mar 2013 15:18:20 +0000
Subject: [PATCH] [zbin] Fix size used for memset in alloc_output_file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The output->buf field is a pointer, not an array, so sizeof() is not
applicable. We must use the allocated string length instead.
Identified by gcc:
util/zbin.c: In function alloc_output_file:
util/zbin.c:146:37: warning: argument to sizeof in memset call
is the same expression as the destination; did you mean to
dereference it? [-Wsizeof-pointer-memaccess]
memset ( output->buf, 0xff, sizeof ( output->buf ) );
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
src/util/zbin.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/roms/ipxe/src/util/zbin.c b/roms/ipxe/src/util/zbin.c
index 0dabaf1..3b7cf95 100644
--- a/roms/ipxe/src/util/zbin.c
+++ b/roms/ipxe/src/util/zbin.c
@@ -143,7 +143,7 @@ static int alloc_output_file ( size_t max_len, struct output_file *output ) {
max_len );
return -1;
}
- memset ( output->buf, 0xff, sizeof ( output->buf ) );
+ memset ( output->buf, 0xff, max_len );
return 0;
}
--
1.7.7

3
qemu-2.0.0.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:058db8ef29b53a4a9bfcfad59193bec18d39a16790765f0a4db6b12963ced6df
size 12948827

3
qemu-2.1.0-rc1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ebac4b3ebea59e3ebbc6f1674a60285c608ef9c0f19715ea592e162c682aee6b
size 23541925

9
qemu-linux-user.changes
View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Wed Jul 9 17:34:55 UTC 2014 - afaerber@suse.de
- Update to v2.1.0-rc0: http://wiki.qemu-project.org/ChangeLog/2.1
* Package qemu-ppc64le binary
* Modified update_git.sh accordingly
- Update to v2.1.0-rc1: http://wiki.qemu-project.org/ChangeLog/2.1
* Modified update_git.sh accordingly
-------------------------------------------------------------------
Tue May 13 08:17:18 UTC 2014 - afaerber@suse.de

81
qemu-linux-user.spec
View File

@ -21,9 +21,9 @@ Url: http://www.qemu.org/
Summary: Universal CPU emulator
License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
Group: System/Emulators/PC
Version: 2.0.0
Version: 2.0.91
Release: 0
Source: qemu-2.0.0.tar.bz2
Source: qemu-2.1.0-rc1.tar.bz2
# This patch queue is auto-generated from https://github.com/openSUSE/qemu
Patch0001: 0001-XXX-dont-dump-core-on-sigabort.patch
Patch0002: 0002-XXX-work-around-SA_RESTART-race-wit.patch
@ -39,7 +39,7 @@ Patch0011: 0011-linux-user-add-binfmt-wrapper-for-a.patch
Patch0012: 0012-PPC-KVM-Disable-mmu-notifier-check.patch
Patch0013: 0013-linux-user-fix-segfault-deadlock.patch
Patch0014: 0014-linux-user-binfmt-support-host-bina.patch
Patch0015: 0015-linux-user-arm-no-tb_flush-on-reset.patch
Patch0015: 0015-target-arm-linux-user-no-tb_flush-o.patch
Patch0016: 0016-linux-user-Ignore-broken-loop-ioctl.patch
Patch0017: 0017-linux-user-lock-tcg.patch
Patch0018: 0018-linux-user-Run-multi-threaded-code-.patch
@ -61,42 +61,13 @@ Patch0033: 0033-Make-char-muxer-more-robust-wrt-sma.patch
Patch0034: 0034-linux-user-lseek-explicitly-cast-no.patch
Patch0035: 0035-virtfs-proxy-helper-Provide-__u64-f.patch
Patch0036: 0036-configure-Enable-PIE-for-ppc-and-pp.patch
Patch0037: 0037-xen_disk-add-discard-support.patch
Patch0038: 0038-tests-Don-t-run-qom-test-twice.patch
Patch0039: 0039-qtest-Assure-that-init_socket-s-lis.patch
Patch0040: 0040-qtest-Add-error-reporting-to-socket.patch
Patch0041: 0041-qtest-Increase-socket-timeout.patch
Patch0042: 0042-qtest-Be-paranoid-about-accept-addr.patch
Patch0043: 0043-arm-translate.c-Fix-smlald-Instruct.patch
Patch0044: 0044-target-arm-A64-fix-unallocated-test.patch
Patch0045: 0045-tcg-ppc64-Support-the-ELFv2-ABI.patch
Patch0046: 0046-vmstate-add-VMS_MUST_EXIST.patch
Patch0047: 0047-vmstate-add-VMSTATE_VALIDATE.patch
Patch0048: 0048-virtio-net-fix-buffer-overflow-on-i.patch
Patch0049: 0049-virtio-net-out-of-bounds-buffer-wri.patch
Patch0050: 0050-virtio-out-of-bounds-buffer-write-o.patch
Patch0051: 0051-ahci-fix-buffer-overrun-on-invalid-.patch
Patch0052: 0052-hpet-fix-buffer-overrun-on-invalid-.patch
Patch0053: 0053-hw-pci-pcie_aer.c-fix-buffer-overru.patch
Patch0054: 0054-pl022-fix-buffer-overun-on-invalid-.patch
Patch0055: 0055-vmstate-fix-buffer-overflow-in-targ.patch
Patch0056: 0056-virtio-avoid-buffer-overrun-on-inco.patch
Patch0057: 0057-virtio-validate-num_sg-when-mapping.patch
Patch0058: 0058-pxa2xx-avoid-buffer-overrun-on-inco.patch
Patch0059: 0059-ssd0323-fix-buffer-overun-on-invali.patch
Patch0060: 0060-tsc210x-fix-buffer-overrun-on-inval.patch
Patch0061: 0061-zaurus-fix-buffer-overrun-on-invali.patch
Patch0062: 0062-virtio-scsi-fix-buffer-overrun-on-i.patch
Patch0063: 0063-vmstate-s-VMSTATE_INT32_LE-VMSTATE_.patch
Patch0064: 0064-usb-sanity-check-setup_index-setup_.patch
Patch0065: 0065-savevm-Ignore-minimum_version_id_ol.patch
Patch0066: 0066-ssi-sd-fix-buffer-overrun-on-invali.patch
Patch0067: 0067-openpic-avoid-buffer-overrun-on-inc.patch
Patch0068: 0068-virtio-net-out-of-bounds-buffer-wri.patch
Patch0069: 0069-virtio-validate-config_len-on-load.patch
Patch0070: 0070-virtio-allow-mapping-up-to-max-queu.patch
Patch0071: 0071-module-Simplify-module_load.patch
Patch0072: 0072-module-Don-t-complain-when-a-module.patch
Patch0037: 0037-tests-Don-t-run-qom-test-twice.patch
Patch0038: 0038-qtest-Increase-socket-timeout.patch
Patch0039: 0039-module-Simplify-module_load.patch
Patch0040: 0040-module-Don-t-complain-when-a-module.patch
Patch0041: 0041-tests-Fix-unterminated-string-outpu.patch
Patch0042: 0042-libqos-Fix-PC-PCI-endianness-glitch.patch
Patch0043: 0043-qtest-fix-vhost-user-test-compilati.patch
# Please do not add patches manually here, run update_git.sh.
# this is to make lint happy
Source300: rpmlintrc
@ -149,7 +120,7 @@ emulations. This can be used together with the OBS build script to
run cross-architecture builds.
%prep
%setup -q -n qemu-2.0.0
%setup -q -n qemu-2.1.0-rc1
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
@ -193,35 +164,6 @@ run cross-architecture builds.
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
%patch0045 -p1
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
%patch0051 -p1
%patch0052 -p1
%patch0053 -p1
%patch0054 -p1
%patch0055 -p1
%patch0056 -p1
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
%build
./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \
@ -284,6 +226,7 @@ rm -rf ${RPM_BUILD_ROOT}
%_bindir/qemu-or32
%_bindir/qemu-ppc64abi32
%_bindir/qemu-ppc64
%_bindir/qemu-ppc64le
%_bindir/qemu-ppc
%_bindir/qemu-s390x
%_bindir/qemu-sh4

5
qemu-linux-user.spec.in
View File

@ -23,7 +23,7 @@ License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
Group: System/Emulators/PC
QEMU_VERSION
Release: 0
Source: qemu-2.0.0.tar.bz2
Source: qemu-2.1.0-rc1.tar.bz2
# This patch queue is auto-generated from https://github.com/openSUSE/qemu
PATCH_FILES
# Please do not add patches manually here, run update_git.sh.
@ -78,7 +78,7 @@ emulations. This can be used together with the OBS build script to
run cross-architecture builds.
%prep
%setup -q -n qemu-2.0.0
%setup -q -n qemu-2.1.0-rc1
PATCH_EXEC
%build
@ -142,6 +142,7 @@ rm -rf ${RPM_BUILD_ROOT}
%_bindir/qemu-or32
%_bindir/qemu-ppc64abi32
%_bindir/qemu-ppc64
%_bindir/qemu-ppc64le
%_bindir/qemu-ppc
%_bindir/qemu-s390x
%_bindir/qemu-sh4

21
qemu.changes
View File

@ -1,3 +1,24 @@
-------------------------------------------------------------------
Wed Jul 9 17:34:55 UTC 2014 - afaerber@suse.de
- Update to v2.1.0-rc0: http://wiki.qemu-project.org/ChangeLog/2.1
* xen_disk discard support now upstream
0037-xen_disk-add-discard-support.patch dropped
* PowerPC ELF v2 support now upstream
0045-tcg-ppc64-Support-the-ELFv2-ABI.patch dropped
* iPXE fixes now included
ipxe-build-Work-around-bug-in-gcc-4.8.patch dropped
ipxe-build-Avoid-strict-aliasing-warning.patch dropped
ipxe-zbin-Fix-size-used-for-memset-in-al.patch dropped
* SeaVGABIOS fix now included
vgabios-Make-sure-stdvga_list_modes-doesn-t-overrun-.patch dropped
* Modified update_git.sh accordingly
- Update to v2.1.0-rc1: http://wiki.qemu-project.org/ChangeLog/2.1
* 0041-tests-Fix-unterminated-string-outpu.patch: Test fix
* 0042-libqos-Fix-PC-PCI-endianness-glitch.patch: Test fix for ppc
* 0043-qtest-fix-vhost-user-test-compilati.patch: Test fix for SP3
* Modified update_git.sh accordingly
-------------------------------------------------------------------
Wed Jun 23 21:42:31 UTC 2014 - afaerber@suse.de

96
qemu.spec
View File

@ -43,9 +43,9 @@ Url: http://www.qemu.org/
Summary: Universal CPU emulator
License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
Group: System/Emulators/PC
Version: 2.0.0
Version: 2.0.91
Release: 0
Source: %name-2.0.0.tar.bz2
Source: %name-2.1.0-rc1.tar.bz2
Source1: 80-kvm.rules
Source2: qemu-ifup
Source3: kvm_stat
@ -68,7 +68,7 @@ Patch0011: 0011-linux-user-add-binfmt-wrapper-for-a.patch
Patch0012: 0012-PPC-KVM-Disable-mmu-notifier-check.patch
Patch0013: 0013-linux-user-fix-segfault-deadlock.patch
Patch0014: 0014-linux-user-binfmt-support-host-bina.patch
Patch0015: 0015-linux-user-arm-no-tb_flush-on-reset.patch
Patch0015: 0015-target-arm-linux-user-no-tb_flush-o.patch
Patch0016: 0016-linux-user-Ignore-broken-loop-ioctl.patch
Patch0017: 0017-linux-user-lock-tcg.patch
Patch0018: 0018-linux-user-Run-multi-threaded-code-.patch
@ -90,51 +90,15 @@ Patch0033: 0033-Make-char-muxer-more-robust-wrt-sma.patch
Patch0034: 0034-linux-user-lseek-explicitly-cast-no.patch
Patch0035: 0035-virtfs-proxy-helper-Provide-__u64-f.patch
Patch0036: 0036-configure-Enable-PIE-for-ppc-and-pp.patch
Patch0037: 0037-xen_disk-add-discard-support.patch
Patch0038: 0038-tests-Don-t-run-qom-test-twice.patch
Patch0039: 0039-qtest-Assure-that-init_socket-s-lis.patch
Patch0040: 0040-qtest-Add-error-reporting-to-socket.patch
Patch0041: 0041-qtest-Increase-socket-timeout.patch
Patch0042: 0042-qtest-Be-paranoid-about-accept-addr.patch
Patch0043: 0043-arm-translate.c-Fix-smlald-Instruct.patch
Patch0044: 0044-target-arm-A64-fix-unallocated-test.patch
Patch0045: 0045-tcg-ppc64-Support-the-ELFv2-ABI.patch
Patch0046: 0046-vmstate-add-VMS_MUST_EXIST.patch
Patch0047: 0047-vmstate-add-VMSTATE_VALIDATE.patch
Patch0048: 0048-virtio-net-fix-buffer-overflow-on-i.patch
Patch0049: 0049-virtio-net-out-of-bounds-buffer-wri.patch
Patch0050: 0050-virtio-out-of-bounds-buffer-write-o.patch
Patch0051: 0051-ahci-fix-buffer-overrun-on-invalid-.patch
Patch0052: 0052-hpet-fix-buffer-overrun-on-invalid-.patch
Patch0053: 0053-hw-pci-pcie_aer.c-fix-buffer-overru.patch
Patch0054: 0054-pl022-fix-buffer-overun-on-invalid-.patch
Patch0055: 0055-vmstate-fix-buffer-overflow-in-targ.patch
Patch0056: 0056-virtio-avoid-buffer-overrun-on-inco.patch
Patch0057: 0057-virtio-validate-num_sg-when-mapping.patch
Patch0058: 0058-pxa2xx-avoid-buffer-overrun-on-inco.patch
Patch0059: 0059-ssd0323-fix-buffer-overun-on-invali.patch
Patch0060: 0060-tsc210x-fix-buffer-overrun-on-inval.patch
Patch0061: 0061-zaurus-fix-buffer-overrun-on-invali.patch
Patch0062: 0062-virtio-scsi-fix-buffer-overrun-on-i.patch
Patch0063: 0063-vmstate-s-VMSTATE_INT32_LE-VMSTATE_.patch
Patch0064: 0064-usb-sanity-check-setup_index-setup_.patch
Patch0065: 0065-savevm-Ignore-minimum_version_id_ol.patch
Patch0066: 0066-ssi-sd-fix-buffer-overrun-on-invali.patch
Patch0067: 0067-openpic-avoid-buffer-overrun-on-inc.patch
Patch0068: 0068-virtio-net-out-of-bounds-buffer-wri.patch
Patch0069: 0069-virtio-validate-config_len-on-load.patch
Patch0070: 0070-virtio-allow-mapping-up-to-max-queu.patch
Patch0071: 0071-module-Simplify-module_load.patch
Patch0072: 0072-module-Don-t-complain-when-a-module.patch
Patch0037: 0037-tests-Don-t-run-qom-test-twice.patch
Patch0038: 0038-qtest-Increase-socket-timeout.patch
Patch0039: 0039-module-Simplify-module_load.patch
Patch0040: 0040-module-Don-t-complain-when-a-module.patch
Patch0041: 0041-tests-Fix-unterminated-string-outpu.patch
Patch0042: 0042-libqos-Fix-PC-PCI-endianness-glitch.patch
Patch0043: 0043-qtest-fix-vhost-user-test-compilati.patch
# Please do not add patches manually here, run update_git.sh.
# roms/ipxe patches
Patch1000: ipxe-build-Work-around-bug-in-gcc-4.8.patch
Patch1001: ipxe-zbin-Fix-size-used-for-memset-in-al.patch
Patch1002: ipxe-build-Avoid-strict-aliasing-warning.patch
Patch1003: vgabios-Make-sure-stdvga_list_modes-doesn-t-overrun-.patch
# end roms/ipxe patches
# this is to make lint happy
Source300: rpmlintrc
Source302: bridge.conf
@ -457,7 +421,7 @@ This sub-package contains the guest agent.
%package seabios
Summary: X86 BIOS for QEMU
Group: System/Emulators/PC
Version: 1.7.4
Version: 1.7.5
Release: 0
%if 0%{?suse_version} > %{noarch_supported}
BuildArch: noarch
@ -471,7 +435,7 @@ is the default BIOS for QEMU.
%package vgabios
Summary: VGA BIOSes for QEMU
Group: System/Emulators/PC
Version: 1.7.4
Version: 1.7.5
Release: 0
%if 0%{?suse_version} > %{noarch_supported}
BuildArch: noarch
@ -526,7 +490,7 @@ This package provides a service file for starting and stopping KSM.
%endif
%prep
%setup -q #-n %name-2.0.0-rc3
%setup -q -n %name-2.1.0-rc1
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
@ -570,40 +534,6 @@ This package provides a service file for starting and stopping KSM.
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
%patch0045 -p1
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
%patch0051 -p1
%patch0052 -p1
%patch0053 -p1
%patch0054 -p1
%patch0055 -p1
%patch0056 -p1
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%patch0070 -p1
%patch0071 -p1
%patch0072 -p1
%patch1000 -p1
%patch1001 -p1
%patch1002 -p1
%patch1003 -p1
%if %{build_x86_fw_from_source}
# as a safeguard, delete the firmware files that we intend to build

16
qemu.spec.in
View File

@ -45,7 +45,7 @@ License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT
Group: System/Emulators/PC
QEMU_VERSION
Release: 0
Source: %name-2.0.0.tar.bz2
Source: %name-2.1.0-rc1.tar.bz2
Source1: 80-kvm.rules
Source2: qemu-ifup
Source3: kvm_stat
@ -57,13 +57,6 @@ Source7: 60-kvm.x86.rules
PATCH_FILES
# Please do not add patches manually here, run update_git.sh.
# roms/ipxe patches
Patch1000: ipxe-build-Work-around-bug-in-gcc-4.8.patch
Patch1001: ipxe-zbin-Fix-size-used-for-memset-in-al.patch
Patch1002: ipxe-build-Avoid-strict-aliasing-warning.patch
Patch1003: vgabios-Make-sure-stdvga_list_modes-doesn-t-overrun-.patch
# end roms/ipxe patches
# this is to make lint happy
Source300: rpmlintrc
Source302: bridge.conf
@ -455,14 +448,9 @@ This package provides a service file for starting and stopping KSM.
%endif
%prep
%setup -q #-n %name-2.0.0-rc3
%setup -q -n %name-2.1.0-rc1
PATCH_EXEC
%patch1000 -p1
%patch1001 -p1
%patch1002 -p1
%patch1003 -p1
%if %{build_x86_fw_from_source}
# as a safeguard, delete the firmware files that we intend to build
for i in %built_firmware_files

4
update_git.sh
View File

@ -11,8 +11,8 @@
GIT_TREE=git://github.com/openSUSE/qemu.git
GIT_LOCAL_TREE=~/git/qemu-opensuse
GIT_BRANCH=opensuse-2.0
GIT_UPSTREAM_TAG=v2.0.0
GIT_BRANCH=opensuse-2.1
GIT_UPSTREAM_TAG=v2.1.0-rc1
GIT_DIR=/dev/shm/qemu-factory-git-dir
CMP_DIR=/dev/shm/qemu-factory-cmp-dir

29
vgabios-Make-sure-stdvga_list_modes-doesn-t-overrun-.patch
View File

@ -1,29 +0,0 @@
From 2620984b42fd2a374e94c75f04982c60edf179cb Mon Sep 17 00:00:00 2001
From: Kevin O'Connor <kevin@koconnor.net>
Date: Tue, 11 Feb 2014 17:36:56 -0500
Subject: [PATCH] vgabios: Make sure stdvga_list_modes() doesn't overrun the
buffer.
References: bnc#880625
Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
vgasrc/stdvgamodes.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roms/seabios/vgasrc/stdvgamodes.c b/roms/seabios/vgasrc/stdvgamodes.c
index a97c85f..8436729 100644
--- a/roms/seabios/vgasrc/stdvgamodes.c
+++ b/roms/seabios/vgasrc/stdvgamodes.c
@@ -336,7 +336,7 @@ void
stdvga_list_modes(u16 seg, u16 *dest, u16 *last)
{
int i;
- for (i = 0; i < ARRAY_SIZE(vga_modes); i++) {
+ for (i = 0; i < ARRAY_SIZE(vga_modes) && dest < last; i++) {
struct stdvga_mode_s *stdmode_g = &vga_modes[i];
u16 mode = GET_GLOBAL(stdmode_g->mode);
if (mode == 0xffff)
--
1.9.0