qemu-commits

From: GitHub
Subject: [Qemu-commits] [qemu/qemu] d3b597: bt-sdp: fix broken uuids power-of-2 calculation
Date: Tue, 11 Aug 2015 12:30:06 -0700

  Branch: refs/heads/stable-2.3
  Home:   https://github.com/qemu/qemu
  Commit: d3b59789e821909ad19902dbc1f4aecd93584c0f
      https://github.com/qemu/qemu/commit/d3b59789e821909ad19902dbc1f4aecd93584c0f
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-07-28 (Tue, 28 Jul 2015)

  Changed paths:
    M hw/bt/sdp.c

  Log Message:
  -----------
  bt-sdp: fix broken uuids power-of-2 calculation

The binary search in sdp_uuid_match() only works when the number of
elements to search is a power of two.

  lo = record->uuid;
  hi = record->uuids;
  while (hi >>= 1)
      if (lo[hi] <= val)
          lo += hi;

  return *lo == val;

I noticed that the record->uuids calculation in
sdp_service_record_build() was suspect:

  record->uuids = 1 << ffs(record->uuids - 1);

Unlike most ffs(val) - 1 users, the expression is ffs(val - 1)!

Actually ffs() is the wrong function to use for power-of-2.  Use
pow2ceil() to achieve the correct effect.  Now the record->uuid[] array
is sized correctly and the binary search in sdp_uuid_match() should
work.

I'm not sure how to run/test this code.

Cc: Andrzej Zaborowski <address@hidden>
Cc: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
Message-id: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 588ef9d411339012fc3c94bfad8911e9d0a517a2)
Signed-off-by: Michael Roth <address@hidden>
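An added illustration of the two points in the commit message above, written for this page and not taken from hw/bt/sdp.c: the search only reaches every index when the element count is a power of two, and ffs(val - 1) does not round up to one. round_pow2ceil() is a local stand-in for QEMU's pow2ceil(), the zero-padding scheme in build_record() and the six sample values are constructed for the example, and uuid_match() reproduces only the loop quoted in the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* ffs() */

/* Local stand-in for QEMU's pow2ceil(): the smallest power of two that is
 * >= n (assumed helper written for this example; n == 0 yields 1). */
static uint32_t round_pow2ceil(uint32_t n)
{
    uint32_t p = 1;
    while (p < n) {
        p <<= 1;
    }
    return p;
}

/* The sizing the commit replaced: ffs(val - 1) is the 1-based position of
 * the lowest set bit of val - 1, which is unrelated to rounding up. */
static uint32_t buggy_size(uint32_t n)
{
    return 1u << ffs((int)n - 1);
}

/* The search from the commit message: hi is halved each step, so lo can only
 * advance by sums of distinct powers of two below uuids. Every index is
 * reachable only when uuids itself is a power of two. */
static int uuid_match(const uint32_t *uuid, uint32_t uuids, uint32_t val)
{
    const uint32_t *lo = uuid;
    uint32_t hi = uuids;

    while (hi >>= 1) {
        if (lo[hi] <= val) {
            lo += hi;
        }
    }
    return *lo == val;
}

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Build a searchable array: allocate pow2ceil(n) zeroed slots, copy the n
 * values in and sort. The zero padding sorts to the front, where the
 * "lo[hi] <= val" test simply steps over it (padding scheme chosen for this
 * example). Returns the padded slot count; the caller frees *out. */
static uint32_t build_record(const uint32_t *in, uint32_t n, uint32_t **out)
{
    uint32_t slots = round_pow2ceil(n);
    uint32_t *arr = calloc(slots, sizeof *arr);
    if (!arr) {
        abort();
    }
    memcpy(arr, in, n * sizeof *arr);
    qsort(arr, slots, sizeof *arr, cmp_u32);
    *out = arr;
    return slots;
}

/* Search every value in vals; return how many the search fails to find. */
static int count_misses(const uint32_t *arr, uint32_t slots,
                        const uint32_t *vals, uint32_t n)
{
    int misses = 0;
    for (uint32_t i = 0; i < n; i++) {
        misses += !uuid_match(arr, slots, vals[i]);
    }
    return misses;
}

/* Constructed sample of six UUID-like values (not taken from any record). */
enum { SAMPLE_N = 6 };
static const uint32_t sample[SAMPLE_N] = {0x1101, 0x1108, 0x110a,
                                          0x1112, 0x111f, 0x1200};

/* Sorted but unpadded six-element array: indices 2 and 5 are unreachable. */
int misses_unpadded(void)
{
    uint32_t sorted[SAMPLE_N];
    memcpy(sorted, sample, sizeof sorted);
    qsort(sorted, SAMPLE_N, sizeof *sorted, cmp_u32);
    return count_misses(sorted, SAMPLE_N, sample, SAMPLE_N);
}

/* Same values padded to eight slots: every value is found. */
int misses_padded(void)
{
    uint32_t *arr;
    uint32_t slots = build_record(sample, SAMPLE_N, &arr);
    int misses = count_misses(arr, slots, sample, SAMPLE_N);
    free(arr);
    return misses;
}

int main(void)
{
    for (uint32_t n = 1; n <= 6; n++) {
        printf("n=%u  ffs(n-1) sizing=%u  pow2ceil=%u\n",
               n, buggy_size(n), round_pow2ceil(n));
    }
    printf("misses: unpadded=%d padded=%d\n", misses_unpadded(), misses_padded());
    return 0;
}
```

For n = 4 the old sizing yields 2, so the uuid[] array is smaller than the number of UUIDs written into it; for n = 6 the unpadded search silently misses two of the six values, while the padded eight-slot array finds all of them.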


  Commit: b575af07306afc9b9082163cbb47bb72e6d3d4c0
      https://github.com/qemu/qemu/commit/b575af07306afc9b9082163cbb47bb72e6d3d4c0
  Author: Peter Lieven <address@hidden>
  Date:   2015-07-28 (Tue, 28 Jul 2015)

  Changed paths:
    M block/iscsi.c

  Log Message:
  -----------
  block/iscsi: do not forget to logout from target

We actually were always impolitely dropping the connection and
not cleanly logging out.

CC: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 20474e9aa040b9a255c63127f1eb873c29c54f68)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4c59860506b9fd8b81cacbe2e4151cfa00128312
      https://github.com/qemu/qemu/commit/4c59860506b9fd8b81cacbe2e4151cfa00128312
  Author: Ján Tomko <address@hidden>
  Date:   2015-07-28 (Tue, 28 Jul 2015)

  Changed paths:
    M ui/vnc.c

  Log Message:
  -----------
  Strip brackets from vnc host

Commit v2.2.0-1530-ge556032 vnc: switch to inet_listen_opts
bypassed the use of inet_parse in inet_listen, making literal
IPv6 addresses enclosed in brackets fail:

qemu-kvm: -vnc [::1]:0: Failed to start VNC server on `(null)': address
resolution failed for [::1]:5900: Name or service not known

Strip the brackets to make it work again.

Signed-off-by: Ján Tomko <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 274c3b52e10466a4771d591f6298ef61e8354ce0)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3dd15f3e582c76d349eb6817b0775615c545d44f
      https://github.com/qemu/qemu/commit/3dd15f3e582c76d349eb6817b0775615c545d44f
  Author: Bogdan Purcareata <address@hidden>
  Date:   2015-07-28 (Tue, 28 Jul 2015)

  Changed paths:
    M nbd.c

  Log Message:
  -----------
  nbd/trivial: fix type cast for ioctl

This fixes ioctl behavior on powerpc e6500 platforms with 64bit kernel and 32bit
userspace. The current type cast has no effect there and the value passed to the
kernel is still 0. Probably an issue related to the compiler, since I'm assuming
the same configuration works on a similar setup on x86.

Also ensure consistency with previous type cast in TRACE message.

Signed-off-by: Bogdan Purcareata <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
[Fix parens as noticed by Michael. - Paolo]
Signed-off-by: Paolo Bonzini <address@hidden>

(cherry picked from commit d064d9f381b00538e41f14104b88a1ae85d78865)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 53cd79c1173457b765c016a1ec95ef87188a9893
      https://github.com/qemu/qemu/commit/53cd79c1173457b765c016a1ec95ef87188a9893
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-28 (Tue, 28 Jul 2015)

  Changed paths:
    M block/vmdk.c

  Log Message:
  -----------
  vmdk: Fix next_cluster_sector for compressed write

This fixes the bug introduced by commit c6ac36e (vmdk: Optimize cluster
allocation).

Sometimes, write_len could be larger than cluster size, because it
contains both data and marker.  We must advance next_cluster_sector in
this case, otherwise the image gets corrupted.

Cc: address@hidden
Reported-by: Antoni Villalonga <address@hidden>
Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 5e82a31eb967db135fc4e688b134fb0972d62de3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d8e231fce23d49e2f15f2d098463ec110c6eaa56
      https://github.com/qemu/qemu/commit/d8e231fce23d49e2f15f2d098463ec110c6eaa56
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-28 (Tue, 28 Jul 2015)

  Changed paths:
    M block/vmdk.c

  Log Message:
  -----------
  vmdk: Fix overflow if l1_size is 0x20000000

Richard Jones caught this bug with afl fuzzer.

In fact, that's the only possible value to overflow (extent->l1_size =
0x20000000) l1_size:

l1_size = extent->l1_size * sizeof(long) => 0x80000000;

g_try_malloc returns NULL because l1_size is interpreted as negative
during type casting from 'int' to 'gsize', which yields an enormous
value. Hence, by coincidence, we get a "not too bad" behavior:

qemu-img: Could not open '/tmp/afl6.img': Could not open
'/tmp/afl6.img': Cannot allocate memory

Values larger than 0x20000000 will be refused by the validation in
vmdk_add_extent.

Values smaller than 0x20000000 will not overflow l1_size.

Cc: address@hidden
Reported-by: Richard W.M. Jones <address@hidden>
Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Tested-by: Richard W.M. Jones <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 13c4941cdd8685d28c7e3a09e393a5579b58db46)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ad9c167fd21b488c1c8cfda77e8542a97aefc14f
      https://github.com/qemu/qemu/commit/ad9c167fd21b488c1c8cfda77e8542a97aefc14f
  Author: Kevin Wolf <address@hidden>
  Date:   2015-07-28 (Tue, 28 Jul 2015)

  Changed paths:
    M block/qcow2-refcount.c

  Log Message:
  -----------
  qcow2: Flush pending discards before allocating cluster

Before a freed cluster can be reused, pending discards for this cluster
must be processed.

The original assumption was that this was not a problem because discards
are only cached during discard/write zeroes operations, which are
synchronous so that no concurrent write requests can cause cluster
allocations.

However, the discard/write zeroes operation itself can allocate a new L2
table (and it has to in order to put zero flags there), so make sure we
can cope with the situation.

This fixes https://bugs.launchpad.net/bugs/1349972.

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
(cherry picked from commit ecbda7a22576591a84f44de1be0150faf6001f1c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cf3297868c57938028bfd2d8716f56c28a78d7e4
      https://github.com/qemu/qemu/commit/cf3297868c57938028bfd2d8716f56c28a78d7e4
  Author: Michal Kazior <address@hidden>
  Date:   2015-07-28 (Tue, 28 Jul 2015)

  Changed paths:
    M hw/usb/dev-network.c

  Log Message:
  -----------
  usb: fix usb-net segfault

The dev->config pointer isn't set until guest
system initializes usb devices (via
usb_desc_set_config). However qemu networking can
go through some motions prior to that, e.g.:

 #0  is_rndis (s=0x555557261970) at hw/usb/dev-network.c:653
 #1  0x000055555585f723 in usbnet_can_receive (nc=0x55555641e820) at hw/usb/dev-network.c:1315
 #2  0x000055555587635e in qemu_can_send_packet (sender=0x5555572660a0) at net/net.c:470
 #3  0x0000555555878e34 in net_hub_port_can_receive (nc=0x5555562d7800) at net/hub.c:101
 #4  0x000055555587635e in qemu_can_send_packet (sender=0x5555562d7980) at net/net.c:470
 #5  0x000055555587dbca in tap_can_send (opaque=0x5555562d7980) at net/tap.c:172

The command to reproduce most reliably was:

 qemu-system-i386 -usb -device usb-net,vlan=0 -net tap,vlan=0

This wasn't strictly a problem with tap. Other
networking endpoints (vde, user) could trigger
this problem as well.

Fixes: https://bugs.launchpad.net/qemu/+bug/1050823
Cc: address@hidden
Signed-off-by: Michal Kazior <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 278412d0e710e2e848c6e510f8308e5b1ed4d03e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cf6c213981de2a54154b13fecee58e6cdc5aa504
      https://github.com/qemu/qemu/commit/cf6c213981de2a54154b13fecee58e6cdc5aa504
  Author: Jason Wang <address@hidden>
  Date:   2015-07-28 (Tue, 28 Jul 2015)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: fix the upper bound when trying to delete queues

Virtqueues are indexed from zero, so don't delete the virtqueue whose
index is n->max_queues * 2 + 1.

Cc: Michael S. Tsirkin <address@hidden>
Cc: qemu-stable <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>

(cherry picked from commit 27a46dcf5038e20451101ed2d5414aebf3846e27)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a4bb522ee51087af61998f290d12ba2e14c7910e
      https://github.com/qemu/qemu/commit/a4bb522ee51087af61998f290d12ba2e14c7910e
  Author: Peter Maydell <address@hidden>
  Date:   2015-07-28 (Tue, 28 Jul 2015)

  Changed paths:
    M target-arm/translate.c

  Log Message:
  -----------
  target-arm: Avoid buffer overrun on UNPREDICTABLE ldrd/strd

A LDRD or STRD where rd is not an even number is UNPREDICTABLE.
We were letting this fall through, which is OK unless rd is 15,
in which case we would attempt to do a load_reg or store_reg
to a nonexistent r16 for the second half of the double-word.
Catch the odd-numbered-rd cases and UNDEF them instead.

To do this we rearrange the structure of the code a little
so we can put the UNDEF catches at the top before we've
allocated TCG temporaries.

Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
(cherry picked from commit 3960c336ad96c2183549c8bf32bbff93ecda7ea4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 959fad0ff11837d299e22b0f148c608b50eec457
      https://github.com/qemu/qemu/commit/959fad0ff11837d299e22b0f148c608b50eec457
  Author: Petr Matousek <address@hidden>
  Date:   2015-07-28 (Tue, 28 Jul 2015)

  Changed paths:
    M hw/block/fdc.c

  Log Message:
  -----------
  fdc: force the fifo access to be in bounds of the allocated buffer

During processing of certain commands such as FD_CMD_READ_ID and
FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
get out of bounds leading to memory corruption with values coming
from the guest.

Fix this by making sure that the index is always bounded by the
allocated memory.

This is CVE-2015-3456.

Signed-off-by: Petr Matousek <address@hidden>
Reviewed-by: John Snow <address@hidden>
Signed-off-by: John Snow <address@hidden>
(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4072585ecfda0917837a22e317d689e4f16430af
      https://github.com/qemu/qemu/commit/4072585ecfda0917837a22e317d689e4f16430af
  Author: Michael Roth <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M block.c

  Log Message:
  -----------
  Revert "block: Fix unaligned zero write"

This reverts commit fc3959e4669a1c2149b91ccb05101cfc7ae1fc05.

From upstream commit d01c07f:
  This reverts commit fc3959e4669a1c2149b91ccb05101cfc7ae1fc05.

  The core write code already handles the case, so remove this
  duplication.

  Because commit 61007b316 moved the touched code from block.c to
  block/io.c, the change is manually reverted.

  Signed-off-by: Fam Zheng <address@hidden>
  Reviewed-by: Stefan Hajnoczi <address@hidden>
  Reviewed-by: Kevin Wolf <address@hidden>

v2.3.0 does not contain 61007b316 so we can revert the change
directly.

Signed-off-by: Michael Roth <address@hidden>


  Commit: cc883fe42ddc717b62f46118e17b45ce46dd9a11
      https://github.com/qemu/qemu/commit/cc883fe42ddc717b62f46118e17b45ce46dd9a11
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M block.c

  Log Message:
  -----------
  block: Fix NULL dereference for unaligned write if qiov is NULL

For zero write, callers pass in NULL qiov (qemu-io "write -z" or
scsi-disk "write same").

Commit fc3959e466 fixed bdrv_co_write_zeroes which is the common case
for this bug, but it still exists in bdrv_aio_write_zeroes. A simpler
fix would be in bdrv_co_do_pwritev which is the NULL dereference point
and covers both cases.

So don't access it in bdrv_co_do_pwritev in this case, use three aligned
writes.

[Initialize ret to 0 in bdrv_co_do_zero_pwritev() to avoid uninitialized
variable warning with gcc 4.9.2.
--Stefan]

Signed-off-by: Fam Zheng <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 9eeb6dd1b27bd57eb4e3869290e87feac8e8b226)
Conflicts:
        block/io.c

* moved hunks into corresponding location in block.c due to lack of
  61007b316 in v2.3.0
Signed-off-by: Michael Roth <address@hidden>


  Commit: b48a391cffd2f918ec9a12d2eb6cb6252202b495
      https://github.com/qemu/qemu/commit/b48a391cffd2f918ec9a12d2eb6cb6252202b495
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M tests/qemu-iotests/033
    M tests/qemu-iotests/033.out

  Log Message:
  -----------
  qemu-iotests: Test unaligned sub-block zero write

Test zero write in byte range 512~1024 for 4k alignment.

Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit ab53c44718305d3fde3d9d2251889f1cab694be2)
Signed-off-by: Michael Roth <address@hidden>


  Commit: bb3a1da4d4a77bf133461ca23cdd52d65fe8fead
      https://github.com/qemu/qemu/commit/bb3a1da4d4a77bf133461ca23cdd52d65fe8fead
  Author: Shannon Zhao <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/acpi/aml-build.c

  Log Message:
  -----------
  hw/acpi/aml-build: Fix memory leak

Signed-off-by: Shannon Zhao <address@hidden>
Signed-off-by: Shannon Zhao <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Igor Mammedov <address@hidden>
(cherry picked from commit afcf905cff7971324c2706600ead35a1f41f417a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ae0fa48f514db72c4ce37eec666ea68c63299a8c
      https://github.com/qemu/qemu/commit/ae0fa48f514db72c4ce37eec666ea68c63299a8c
  Author: Justin Ossevoort <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M qga/commands-posix.c

  Log Message:
  -----------
  qga/commands-posix: Fix bug in guest-fstrim

The FITRIM ioctl updates the fstrim_range structure it receives. This
way the caller can determine how many bytes were trimmed. The
guest-fstrim logic reuses the same fstrim_range for each filesystem,
effectively limiting each filesystem to trim at most as much as the
previous was able to trim.

If a previous filesystem would have trimmed 0 bytes, then the next
filesystem would report an error 'Invalid argument' because a FITRIM
request with length 0 is not valid.

This change resets the fstrim_range structure for each filesystem.

Signed-off-by: Justin Ossevoort <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
(cherry picked from commit 73a652a1b08445e8d91e50cdbb2da50e571c61b3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f45048225aa1a9485481aa227399c111349af0e1
      https://github.com/qemu/qemu/commit/f45048225aa1a9485481aa227399c111349af0e1
  Author: Gerd Hoffmann <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M qapi-schema.json
    M ui/input-keymap.c

  Log Message:
  -----------
  kbd: add brazil kbd keys to qemu

The brazilian computer keyboard layout has two extra keys (compared to
the usual 105-key intl ps/2 keyboard).  This patch makes these two keys
known to qemu.

For historic reasons qemu has two ways to specify a key:  A QKeyCode
(name-based) or a number (ps/2 scancode based).  Therefore we have to
update multiple places to make new keys known to qemu:

  (1) The QKeyCode definition in qapi-schema.json
  (2) The QKeyCode <-> number mapping table in ui/input-keymap.c

This patch does just that.  With this patch applied you can send those
two keys to the guest using the send-key monitor command.

Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Reviewed-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Michael Tokarev <address@hidden>
(cherry picked from commit b771f470f3e2f99f585eaae68147f0c849fd1f8d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b153c8d3f3935f39d5a1b573d036b1f0f5a45812
      https://github.com/qemu/qemu/commit/b153c8d3f3935f39d5a1b573d036b1f0f5a45812
  Author: Gerd Hoffmann <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M ui/x_keymap.c

  Log Message:
  -----------
  kbd: add brazil kbd keys to x11 evdev map

This patch adds the two extra brazilian keys to the evdev keymap for
X11.  This patch gets the two keys going with the vnc, gtk and sdl1
UIs.

The SDL2 library complains it doesn't know these keys, so the SDL2
library must be fixed before we can update ui/sdl2-keymap.h

Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Reviewed-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Michael Tokarev <address@hidden>
(cherry picked from commit 33aa30cafcce053b833f9fe09fbb88e2f54b93aa)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c631ee6520656aa5e3db01e4cc3203734ff63c63
      https://github.com/qemu/qemu/commit/c631ee6520656aa5e3db01e4cc3203734ff63c63
  Author: Max Reitz <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M block/qcow2.h

  Log Message:
  -----------
  qcow2: Set MIN_L2_CACHE_SIZE to 2

The L2 cache must cover at least two L2 tables, because during COW two
L2 tables are accessed simultaneously.

Reported-by: Alexander Graf <address@hidden>
Cc: qemu-stable <address@hidden>
Signed-off-by: Max Reitz <address@hidden>
Tested-by: Alexander Graf <address@hidden>
Reviewed-by: Alberto Garcia <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 57e216695948a79d9ced82fc217a37cce70fd986)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e7e08380c3ad3ac9e5768041a82ba6d7e29139e8
      https://github.com/qemu/qemu/commit/e7e08380c3ad3ac9e5768041a82ba6d7e29139e8
  Author: Max Reitz <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M tests/qemu-iotests/103
    M tests/qemu-iotests/103.out

  Log Message:
  -----------
  iotests: qcow2 COW with minimal L2 cache size

This adds a test case to test 103 for performing a COW operation in a
qcow2 image using an L2 cache with minimal size (which should be at
least two clusters so the COW can access both source and destination
simultaneously).

Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Alberto Garcia <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit a4291eafc597c0944057930acf3e51d899f79c2e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 714b54401c0c6238dcf6e361ce96f2a765719326
      https://github.com/qemu/qemu/commit/714b54401c0c6238dcf6e361ce96f2a765719326
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M block/vmdk.c

  Log Message:
  -----------
  vmdk: Fix index_in_cluster calculation in vmdk_co_get_block_status

It has the similar issue with b1649fae49a8. Since the calculation
is repeated for a few times already, introduce a function so it can be
reused.

Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 61f0ed1d54601b91b8195c1a30d7046f83283b40)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c759f1a0784d8e2d5ab4c88ac2856108b5e311e9
      https://github.com/qemu/qemu/commit/c759f1a0784d8e2d5ab4c88ac2856108b5e311e9
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M block/vmdk.c

  Log Message:
  -----------
  vmdk: Use vmdk_find_index_in_cluster everywhere

Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 90df601f06de14f062d2e8dc1bc57f0decf86fd1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9272707a1f64c06697360c63a0eb1acc3e45f11b
      https://github.com/qemu/qemu/commit/9272707a1f64c06697360c63a0eb1acc3e45f11b
  Author: Alberto Garcia <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M ui/sdl2.c

  Log Message:
  -----------
  sdl2: fix crash in handle_windowevent() when restoring the screen size

The Ctrl-Alt-u keyboard shortcut restores the screen to its original
size. In the SDL2 UI this is done by destroying the window and
creating a new one. The old window emits SDL_WINDOWEVENT_HIDDEN when
it's destroyed, but trying to call SDL_GetWindowFromID() from that
event's window ID returns a null pointer. handle_windowevent() assumes
that the pointer is never null so it results in a crash.

Cc: address@hidden
Signed-off-by: Alberto Garcia <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 08d49df0dbaacc220a099dbfb644e1dc0eda57be)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c270245a53d6706131307673cb082826719228d1
      https://github.com/qemu/qemu/commit/c270245a53d6706131307673cb082826719228d1
  Author: Gerd Hoffmann <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M ui/spice-display.c

  Log Message:
  -----------
  spice-display: fix segfault in qemu_spice_create_update

Although it is pretty unusual the stride for the guest image and the
mirror image maintained by spice-display can be different.  So use
separate variables for them.

https://bugzilla.redhat.com/show_bug.cgi?id=1163047

Cc: address@hidden
Reported-by: perrier vincent <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit c6e484707f28b3e115e64122a0570f6b3c585489)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 49ef542e41526218fa28bf8762f95387a1cc4ccf
      https://github.com/qemu/qemu/commit/49ef542e41526218fa28bf8762f95387a1cc4ccf
  Author: Petr Matousek <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/timer/i8254.c

  Log Message:
  -----------
  i8254: fix out-of-bounds memory access in pit_ioport_read()

Due to converting PIO to the new memory read/write api we no longer provide
separate I/O region lengths for read and write operations. As a result,
reading from the PIT Mode/Command register will end up accessing
pit->channels with an invalid index.

Fix this by ignoring read from the Mode/Command register.

This is CVE-2015-3214.

Reported-by: Matt Tait <address@hidden>
Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052
Cc: address@hidden
Signed-off-by: Petr Matousek <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit d4862a87e31a51de9eb260f25c9e99a75efe3235)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6130c462328d89910be6dbea4bdc35baa7107104
      https://github.com/qemu/qemu/commit/6130c462328d89910be6dbea4bdc35baa7107104
  Author: Laszlo Ersek <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/core/sysbus.c

  Log Message:
  -----------
  hw/core: rebase sysbus_get_fw_dev_path() to g_strdup_printf()

This is done mainly for improving readability, and in preparation for the
next patch, but Markus pointed out another bonus for the string being
returned:

"No arbitrary length limit. Before the patch, it's 39 characters, and the
code breaks catastrophically when qdev_fw_name() is longer: the second
snprintf() is called with its first argument pointing beyond path[], and
its second argument underflowing to a huge size."

Cc: address@hidden
Signed-off-by: Laszlo Ersek <address@hidden>
Tested-by: Marcel Apfelbaum <address@hidden>
Reviewed-by: Marcel Apfelbaum <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 5ba03e2dd785362026917e4cc8a1fd2c64e8e62c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 81cb0a565795de57672f761f04e29e08dfde067c
      https://github.com/qemu/qemu/commit/81cb0a565795de57672f761f04e29e08dfde067c
  Author: Jason Wang <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/virtio/vhost.c

  Log Message:
  -----------
  vhost: correctly pass error to caller in vhost_dev_enable_notifiers()

We override the error value r in fail_vq; this prevents the caller from
detecting the failure, which may cause the caller to disable the
notifiers twice if vhost fails to start. Fix this by using another
variable to keep track of the return value of set_host_notifier().

Fixes b0b3db79559e57db340b292621c397e7a6cdbdc5 ("vhost-net: cleanup
host notifiers at last step")

Cc: address@hidden
Cc: Michael S. Tsirkin <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 16617e36b02ebdc83f215d89db9ac00f7d6d6d83)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e8248a5af1e7a151cbec9b3e14523e00f118cac7
      https://github.com/qemu/qemu/commit/e8248a5af1e7a151cbec9b3e14523e00f118cac7
  Author: Cornelia Huck <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/s390x/virtio-ccw.c

  Log Message:
  -----------
  virtio-ccw: complete handling of guest-initiated resets

For a guest-initiated reset, we need to not only reset the virtio device,
but also reset the VirtioCcwDevice into a clean state. This includes
resetting the indicators, or else a guest will not be able to e.g.
switch from classic interrupts to adapter interrupts.

Split off this routine into a new function virtio_ccw_reset_virtio()
to make the distinction between resetting the virtio-related devices
and the base subchannel device clear.

CC: address@hidden
Signed-off-by: Cornelia Huck <address@hidden>
Reviewed-by: Christian Borntraeger <address@hidden>
(cherry picked from commit fa8b0ca5d1b69975b715a259d3586cadf7a5280f)
Conflicts:
        hw/s390x/virtio-ccw.c

*removed context dependency on 0b352fd

Signed-off-by: Michael Roth <address@hidden>


  Commit: 6cacd2651a4afc1935c9d945e615dce72244158a
      https://github.com/qemu/qemu/commit/6cacd2651a4afc1935c9d945e615dce72244158a
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M block.c
    M include/block/block.h

  Log Message:
  -----------
  block: Add bdrv_get_block_status_above

Like bdrv_is_allocated_above, this function follows the backing chain until
seeing BDRV_BLOCK_ALLOCATED.  Base is not included.

Reimplement bdrv_is_allocated on top.

[Initialized bdrv_co_get_block_status_above() ret to 0 to silence
mingw64 compiler warning about the uninitialized variable.  assert(bs !=
base) prevents that case but I suppose the program could be compiled
with -DNDEBUG.
--Stefan]

Signed-off-by: Fam Zheng <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit ba3f0e2545c365ebe1dbddb0e53058710d41881e)
Conflicts:
        block/io.c

* applied manually to avoid dependency on 61007b316
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6a45a1b8e45bf3396dd4901a5f7cbadc3780f250
      https://github.com/qemu/qemu/commit/6a45a1b8e45bf3396dd4901a5f7cbadc3780f250
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M block/mirror.c
    M blockdev.c
    M hmp.c
    M include/block/block_int.h
    M qapi/block-core.json
    M qmp-commands.hx

  Log Message:
  -----------
  qmp: Add optional bool "unmap" to drive-mirror

If specified as "true", it allows discarding on target sectors where source is
not allocated.

Signed-off-by: Fam Zheng <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 0fc9f8ea2800b76eaea20a8a3a91fbeeb4bfa81b)

* added to maintain any interdependencies between patches in the
  set. not intended as a new feature for 2.3.1, though it's there
  for anyone interested

Signed-off-by: Michael Roth <address@hidden>


  Commit: 27ed14c4d7decd359edb7fec0c8a39971ef32a72
      https://github.com/qemu/qemu/commit/27ed14c4d7decd359edb7fec0c8a39971ef32a72
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M block/mirror.c

  Log Message:
  -----------
  mirror: Do zero write on target if sectors not allocated

If guest discards a source cluster, mirroring with bdrv_aio_readv is overkill.
Some protocols do zero upon discard, where it's best to use
bdrv_aio_write_zeroes, otherwise, bdrv_aio_discard will be enough.

Signed-off-by: Fam Zheng <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit dcfb3beb5130694b76b57de109619fcbf9c7e5b5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3d8b7aed60e792bf2a9237cf689b13368f09ecc2
      https://github.com/qemu/qemu/commit/3d8b7aed60e792bf2a9237cf689b13368f09ecc2
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M block.c

  Log Message:
  -----------
  block: Fix dirty bitmap in bdrv_co_discard

Unsetting dirty globally with discard is not very correct. The discard may zero
out sectors (depending on can_write_zeroes_with_unmap), we should replicate
this change to destination side to make sure that the guest sees the same data.

Calling bdrv_reset_dirty also troubles mirror job because the hbitmap iterator
doesn't expect unsetting of bits after current position.

So let's do it the opposite way which fixes both problems: set the dirty bits
if we are to discard it.

Reported-by: address@hidden
Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 508249952c0ea7472c62e17bf8132295dab4912d)
Conflicts:
        block/io.c

* applied manually to avoid dependency on 61007b316
* squashed in 6e82e4b bdrv_reset_dirty() is static in
  2.3.0 and becomes unused as of this patch
Signed-off-by: Michael Roth <address@hidden>


  Commit: c62f6c8f6707ba6cd349c6e94806a259743918d8
      https://github.com/qemu/qemu/commit/c62f6c8f6707ba6cd349c6e94806a259743918d8
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M tests/qemu-iotests/041
    M tests/qemu-iotests/iotests.py

  Log Message:
  -----------
  qemu-iotests: Make block job methods common

Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: John Snow <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 866323f39d5c7bb053f5e5bf753908ad9f5abec7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: edc0a65326ca4eb8097185a88cb17d7740b7af8e
      
https://github.com/qemu/qemu/commit/edc0a65326ca4eb8097185a88cb17d7740b7af8e
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    A tests/qemu-iotests/132
    A tests/qemu-iotests/132.out
    M tests/qemu-iotests/group

  Log Message:
  -----------
  qemu-iotests: Add test case for mirror with unmap

This checks that a discard on the mirror source that effectively zeroes
data is also reflected by the data of the target.

Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: John Snow <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit c615091793f53ff33b8f6c1b1ba711cf7c93e97b)
Conflicts:
        tests/qemu-iotests/group

* remove context dependencies on newer block tests

Signed-off-by: Michael Roth <address@hidden>


  Commit: e4fb4bea374a74fccbc9e9cf00c24481fb3bc3b5
      
https://github.com/qemu/qemu/commit/e4fb4bea374a74fccbc9e9cf00c24481fb3bc3b5
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M tests/qemu-iotests/iotests.py

  Log Message:
  -----------
  iotests: Use event_wait in wait_ready

Only poll the specific type of event we are interested in, to avoid
stealing events that should be consumed by someone else.

Suggested-by: John Snow <address@hidden>
Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: John Snow <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit d7b25297920d18fa2a2cde1ed21fde38a88c935f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ffd060d51fafc1b1e7d8dade06159a10f2e04316
      
https://github.com/qemu/qemu/commit/ffd060d51fafc1b1e7d8dade06159a10f2e04316
  Author: John Snow <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M scripts/qmp/qmp.py
    M tests/qemu-iotests/iotests.py

  Log Message:
  -----------
  iotests: add QMP event waiting queue

A filter is added to allow callers to request very specific
events to be pulled from the event queue, while leaving undesired
events still in the stream.

This allows us to poll for completion data for multiple asynchronous
events in any arbitrary order.

A new timeout context is added to the qmp pull_event method's
wait parameter to allow tests to fail if they do not complete
within some expected period of time.

Also fixed is a bug in qmp.pull_event where we try to retrieve an event
from an empty list if we attempt to retrieve an event with wait=False
but no events have occurred.

Signed-off-by: John Snow <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 7898f74e78a5900fc079868e255b65d807fa8a8f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 1c17e8c7d3f045d0cebef524cb51fd6a6ecadc77
      
https://github.com/qemu/qemu/commit/1c17e8c7d3f045d0cebef524cb51fd6a6ecadc77
  Author: Peter Lieven <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M block/nfs.c

  Log Message:
  -----------
  block/nfs: limit maximum readahead size to 1MB

A malicious caller could otherwise specify a very
large value via the URI and force libnfs to allocate
a large amount of memory for the readahead buffer.

Cc: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 29c838cdc96c4d117f00c75bbcb941e1be9590fb)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 99c3468d8fedac2bf8098fc4e9f050cbd62ab912
      
https://github.com/qemu/qemu/commit/99c3468d8fedac2bf8098fc4e9f050cbd62ab912
  Author: Christian Borntraeger <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/s390x/ipl.c

  Log Message:
  -----------
  s390x/ipl: Fix boot if no bootindex was specified

Commit fa92e218df1d ("s390x/ipl: avoid sign extension") introduced
a regression:

qemu-system-s390x -drive file=image.qcow,format=qcow2
does not boot; the bios states
"No virtio-blk device found!"

Adding bootindex=1 does boot.

The reason is that the uint32_t as return value will not do the right
thing for the return -1 (default without bootindex).
The bios itself will interpret a 64-bit -1 as autodetect (but it will
interpret a 32-bit -1 as ccw device address ff.ff.ffff).

Signed-off-by: Christian Borntraeger <address@hidden>
Cc: Paolo Bonzini <address@hidden>
Cc: Cornelia Huck <address@hidden>
Cc: address@hidden # v2.3.0
Tested-by: Aurelien Jarno <address@hidden>
Reviewed-by: Aurelien Jarno <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit 6efd2c2a125b4369b8def585b0dac35c849b5eb3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9b4420ad624905860deda56b5901276d695dad9c
      
https://github.com/qemu/qemu/commit/9b4420ad624905860deda56b5901276d695dad9c
  Author: David Gibson <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/char/spapr_vty.c

  Log Message:
  -----------
  spapr_vty: lookup should only return valid VTY objects

If a guest passes the reg property of a valid VIO object that is not a VTY
to either H_GET_TERM_CHAR or H_PUT_TERM_CHAR, QEMU hits a dynamic cast
assertion and aborts.

PAPR+ says "Hypervisor checks the termno parameter for validity against the
Vterm IOA unit addresses assigned to the partition, else return H_Parameter."

This patch adds a type check to ensure vty_lookup() either returns a pointer
to a valid VTY object or NULL.  H_GET_TERM_CHAR and H_PUT_TERM_CHAR will
now return H_PARAMETER to the guest instead of crashing.

The patch has no effect on the reg == 0 hack used to implement the RTAS call
display-character.

Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: David Gibson <address@hidden>
Signed-off-by: Alexander Graf <address@hidden>
(cherry picked from commit 0f888bfaddfc5f55b0d82cde2e1164658a672375)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8d64975c98d334de4f635afb5ced8b7704908b3b
      
https://github.com/qemu/qemu/commit/8d64975c98d334de4f635afb5ced8b7704908b3b
  Author: Michael Roth <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M target-ppc/kvm.c

  Log Message:
  -----------
  target-ppc: fix hugepage support when using memory-backend-file

Current PPC code relies on -mem-path being used in order for
hugepage support to be detected. With the introduction of
MemoryBackendFile we can now handle this via:
  -object memory-file-backend,mem-path=...,id=hugemem0 \
  -numa node,id=mem0,memdev=hugemem0

Management tools like libvirt treat the 2 approaches as
interchangeable in some cases, which can lead to user-visible
regressions even for previously supported guest configurations.

Fix these by also iterating through any configured memory
backends that may be backed by hugepages.

Since the old code assumed hugepages always backed the entirety
of guest memory, play it safe and pick the minimum across the
max page sizes for all backends, even ones that aren't backed
by hugepages.

Signed-off-by: Michael Roth <address@hidden>
Reviewed-by: David Gibson <address@hidden>
Signed-off-by: Alexander Graf <address@hidden>
(cherry picked from commit 2d103aae876518a91636ad6f4a4d866269c0d953)
Conflicts:
        target-ppc/kvm.c

* remove context dependency on header includes not in 2.3.0

Signed-off-by: Michael Roth <address@hidden>


  Commit: 2060efae47c070df84db02e4d12012d5aa34053e
      
https://github.com/qemu/qemu/commit/2060efae47c070df84db02e4d12012d5aa34053e
  Author: 马文霜 <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M kvm-all.c

  Log Message:
  -----------
  Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES

Last month, we experienced several guest crashes (6-8 cores); the qemu logs
display the following messages:

qemu-system-x86_64: /build/qemu-2.1.2/kvm-all.c:976:
kvm_irqchip_commit_routes: Assertion `ret == 0' failed.

After analysis and verification, we can confirm it's the irq-balance
daemon (in the guest) that leads to the assertion failure. Start an 8-core guest
with two disks; executing the following script will reproduce the BUG quickly:

irq_affinity.sh
========================================================================

vda_irq_num=25
vdb_irq_num=27
while [ 1 ]
do
    for irq in {1,2,4,8,10,20,40,80}
    do
        echo $irq > /proc/irq/$vda_irq_num/smp_affinity
        echo $irq > /proc/irq/$vdb_irq_num/smp_affinity
        dd if=/dev/vda of=/dev/zero bs=4K count=100 iflag=direct
        dd if=/dev/vdb of=/dev/zero bs=4K count=100 iflag=direct
    done
done
========================================================================

QEMU sets up static irq route entries in kvm_pc_setup_irq_routing(); PIC and
IOAPIC share the first 15 GSI numbers, take up 23 GSI numbers, but take up
38 irq route entries. When irq smp_affinity is changed in the guest, a dynamic route
entry may be set up; the current logic is: if allocating a GSI number succeeds,
a new route entry can be added. The number of available dynamic GSI numbers is
1021 (KVM_MAX_IRQ_ROUTES-23), but the number of available irq route entries is only
986 (KVM_MAX_IRQ_ROUTES-38), so there are more GSI numbers than route entries.
irq-balance's behavior will eventually lead to the total irq route entries
exceeding KVM_MAX_IRQ_ROUTES, ioctl(KVM_SET_GSI_ROUTING) failing and
kvm_irqchip_commit_routes() triggering an assertion failure.

This patch fixes the BUG.

Signed-off-by: Wenshuang Ma <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit bdf026317daa3b9dfa281f29e96fbb6fd48394c8)
Conflicts:
        kvm-all.c

* remove context dependency on bd2a8884
Signed-off-by: Michael Roth <address@hidden>


  Commit: c5c71e87aad967402c0b1e0240b8ce47a6d63714
      
https://github.com/qemu/qemu/commit/c5c71e87aad967402c0b1e0240b8ce47a6d63714
  Author: Fam Zheng <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M block.c

  Log Message:
  -----------
  block: Initialize local_err in bdrv_append_temp_snapshot

Cc: address@hidden
Signed-off-by: Fam Zheng <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit c2e0dbbfd7265eb9a7170ab195d8f9f8a1cbd1af)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8df2a9acd2a345d5258ce80f37851097df7d5258
      
https://github.com/qemu/qemu/commit/8df2a9acd2a345d5258ce80f37851097df7d5258
  Author: James Hogan <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M target-mips/kvm.c

  Log Message:
  -----------
  mips/kvm: Fix Big endian 32-bit register access

Fix access to 32-bit registers on big endian targets. The pointer passed
to the kernel must be for the actual 32-bit value, not a temporary
64-bit value, otherwise on big endian systems the kernel will only
interpret the upper half.

Signed-off-by: James Hogan <address@hidden>
Cc: Paolo Bonzini <address@hidden>
Cc: Leon Alrae <address@hidden>
Cc: Aurelien Jarno <address@hidden>
Cc: address@hidden
Cc: address@hidden
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit f8b3e48b2d269551cd40f94770dc20da2f402325)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 87740cecc3f51f030c27f99812761b64b8f7d707
      
https://github.com/qemu/qemu/commit/87740cecc3f51f030c27f99812761b64b8f7d707
  Author: James Hogan <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M target-mips/kvm.c

  Log Message:
  -----------
  mips/kvm: Sign extend registers written to KVM

In case we're running on a 64-bit host, be sure to sign extend the
general purpose registers and hi/lo/pc before writing them to KVM, so as
to take advantage of MIPS32/MIPS64 compatibility.

Signed-off-by: James Hogan <address@hidden>
Cc: Paolo Bonzini <address@hidden>
Cc: Leon Alrae <address@hidden>
Cc: Aurelien Jarno <address@hidden>
Cc: address@hidden
Cc: address@hidden
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 02dae26ac4ceb1e82c432cfca4d9b65ae82343c6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5a4568717c5515c181e949aceee972b78cd642d1
      
https://github.com/qemu/qemu/commit/5a4568717c5515c181e949aceee972b78cd642d1
  Author: Alex Williamson <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/vfio/pci.c

  Log Message:
  -----------
  vfio/pci: Fix RTL8168 NIC quirks

The RTL8168 quirk correctly describes using bit 31 as a signal to
mark a latch/completion, but the code mistakenly uses bit 28.  This
causes the Realtek driver to spin on this register for quite a while,
20k cycles on Windows 7 v7.092 driver.  Then it gets frustrated and
tries to set the bit itself and spins for another 20k cycles.  For
some this still results in a working driver, for others not.  About
the only thing the code really does in its current form is protect
the guest from sneaking in writes to the real hardware MSI-X table.
The fix is obviously to use bit 31 as we document that we should.

The other problem doesn't seem to affect current drivers as nobody
seems to use these window registers for writes to the MSI-X table, but
we need to use the stored data when a write is triggered, not the
value of the current write, which only provides the offset.

Note that only the Windows drivers from Realtek seem to use these
registers, the Microsoft drivers provided with Windows 8.1 do not
access them, nor do Linux in-kernel drivers.

Link: https://bugs.launchpad.net/qemu/+bug/1384892
Signed-off-by: Alex Williamson <address@hidden>
Cc: address@hidden # v2.1+
(cherry picked from commit 69970fcef937bddd7f745efe39501c7716fdfe56)
Conflicts:
        hw/vfio/pci.c

* removed dependency on 3b643495

Signed-off-by: Michael Roth <address@hidden>


  Commit: 46addaa0b52539790ab4254d37e3367a5b77853f
      
https://github.com/qemu/qemu/commit/46addaa0b52539790ab4254d37e3367a5b77853f
  Author: Jason Wang <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/net/virtio-net.c
    M include/hw/virtio/virtio-access.h

  Log Message:
  -----------
  virtio-net: unbreak any layout

Commit 032a74a1c0fcdd5fd1c69e56126b4c857ee36611
("virtio-net: byteswap virtio-net header") breaks any layout by
requiring out_sg[0].iov_len >= n->guest_hdr_len. Fix this by
copying the header to a temporary buffer if a swap is needed, and then using
this buffer as part of out_sg.

Fixes 032a74a1c0fcdd5fd1c69e56126b4c857ee36611
("virtio-net: byteswap virtio-net header")
Cc: address@hidden
Cc: address@hidden
Signed-off-by: Jason Wang <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Eric Blake <address@hidden>

(cherry picked from commit feb93f361739071778ca2d23df3876db399548f7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 98fe91ed66f09001a596009625210fb0d9324c50
      
https://github.com/qemu/qemu/commit/98fe91ed66f09001a596009625210fb0d9324c50
  Author: Alex Williamson <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/vfio/pci.c

  Log Message:
  -----------
  vfio/pci: Fix bootindex

bootindex was incorrectly changed to a device Property during the
platform code split, resulting in it no longer working.  Remove it.

Signed-off-by: Alex Williamson <address@hidden>
Cc: address@hidden # v2.3+
(cherry picked from commit 759b484c5d7f92bd01f98797c07e8543ee187888)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 961c74a841ae6d2ef03f6684c9f74fbdf8f472b1
      
https://github.com/qemu/qemu/commit/961c74a841ae6d2ef03f6684c9f74fbdf8f472b1
  Author: Paolo Bonzini <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/scsi/scsi-bus.c

  Log Message:
  -----------
  scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)

This is a guest-triggerable buffer overflow present in QEMU 2.2.0
and newer.  scsi_cdb_length returns -1 as an error value, but the
caller does not check it.

Luckily, the massive overflow means that QEMU will just SIGSEGV,
making the impact much smaller.

Reported-by: Zhu Donghai (朱东海) <address@hidden>
Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
Reviewed-by: Fam Zheng <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit c170aad8b057223b1139d72e5ce7acceafab4fa9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 358f0ee234d1fcaf7b0ff6e830d83821c3c44c56
      
https://github.com/qemu/qemu/commit/358f0ee234d1fcaf7b0ff6e830d83821c3c44c56
  Author: Jeff Cody <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M block/vpc.c

  Log Message:
  -----------
  block: vpc - prevent overflow if max_table_entries >= 0x40000000

When we allocate the pagetable based on max_table_entries, we multiply
the max table entry value by 4 to accommodate a table of 32-bit integers.
However, max_table_entries is a uint32_t, and the VPC driver accepts
ranges for that entry over 0x40000000.  So during this allocation:

s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);

The size arg overflows, allocating significantly less memory than
expected.

Since the qemu_try_blockalign() size argument is size_t, cast the
multiplication correctly to prevent overflow.

The value of "max_table_entries * 4" is used elsewhere in the code as
well, so store the correct value for use in all those cases.

We also check the Max Table Entries value, to make sure that it is <
SIZE_MAX / 4, so we know the pagetable size will fit in size_t.

Cc: address@hidden
Reported-by: Richard W.M. Jones <address@hidden>
Signed-off-by: Jeff Cody <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit b15deac79530d818092cb49a8021bcce83d71b5b)
Signed-off-by: Michael Roth <address@hidden>
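
As an added illustration (not QEMU's code), the unchecked 32-bit size computation the message quotes beside a checked version that applies the SIZE_MAX / 4 bound and multiplies in size_t; the VpcState type, the function names and the calloc stand-in for qemu_try_blockalign are this example's own assumptions:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the fields of the VPC driver state the commit message
 * discusses (this example's own type, not QEMU's driver state). */
typedef struct {
    uint32_t  max_table_entries;  /* "Max Table Entries" from the dynamic disk header */
    size_t    pagetable_size;     /* byte size of the table of 32-bit entries */
    uint32_t *pagetable;          /* the table itself */
} VpcState;

/* Pre-fix computation: uint32_t * int is done in 32-bit unsigned arithmetic,
 * so for max_table_entries >= 0x40000000 the product wraps before it is
 * widened to the allocator's size_t parameter. */
size_t vpc_pagetable_bytes_unchecked(uint32_t max_table_entries)
{
    return max_table_entries * 4;
}

/* Post-fix computation: bound the header value so that 4 * entries fits in
 * size_t, then multiply in size_t where it cannot wrap. Returns 0, or -EINVAL
 * when the image header asks for more than is representable (with a 32-bit
 * size_t this rejects every value above 0x3fffffff). */
int vpc_pagetable_bytes_checked(uint32_t max_table_entries, size_t *out)
{
    if (max_table_entries > SIZE_MAX / 4) {
        return -EINVAL;
    }
    *out = (size_t)max_table_entries * 4;
    return 0;
}

/* Allocate the table from the checked size and store that size once, so every
 * later use of "entries * 4" reads the same correct value. calloc stands in
 * for qemu_try_blockalign. */
int vpc_alloc_pagetable(VpcState *s)
{
    int ret = vpc_pagetable_bytes_checked(s->max_table_entries, &s->pagetable_size);
    if (ret < 0) {
        return ret;
    }
    s->pagetable = calloc(s->pagetable_size ? s->pagetable_size : 1, 1);
    return s->pagetable ? 0 : -ENOMEM;
}

int main(void)
{
    uint32_t entries = 0x40000000u;   /* constructed header value, just past the wrap point */
    size_t checked = 0;
    int ret = vpc_pagetable_bytes_checked(entries, &checked);

    printf("unchecked size for 0x%x entries: %zu bytes\n",
           entries, vpc_pagetable_bytes_unchecked(entries));
    if (ret == 0) {
        printf("checked size: %zu bytes\n", checked);
    } else {
        printf("checked size: rejected (%d), table would not fit in size_t\n", ret);
    }
    return 0;
}
```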


  Commit: 0dc545e97799d07267854e60ab57b48939edf0e8
      
https://github.com/qemu/qemu/commit/0dc545e97799d07267854e60ab57b48939edf0e8
  Author: Jeff Cody <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    A tests/qemu-iotests/135
    A tests/qemu-iotests/135.out
    M tests/qemu-iotests/group
    A tests/qemu-iotests/sample_images/afl5.img.bz2

  Log Message:
  -----------
  block: qemu-iotests - add check for multiplication overflow in vpc

This checks that VPC is able to successfully fail (without segfault)
on an image file with a max_table_entries that exceeds 0x40000000.

This table entry is within the valid range for VPC (although too large
for this sample image).

Cc: address@hidden
Signed-off-by: Jeff Cody <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 77c102c26ead946fe7589d4bddcdfa5cb431ebfe)
Conflicts:
        tests/qemu-iotests/group

* removed context dependency on iotest not present in 2.3.0 group
  file

Signed-off-by: Michael Roth <address@hidden>


  Commit: 9634e45e0b2bd4906778efdfb4b38b6fa042ebec
      
https://github.com/qemu/qemu/commit/9634e45e0b2bd4906778efdfb4b38b6fa042ebec
  Author: Kevin Wolf <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/ide/core.c

  Log Message:
  -----------
  ide: Check array bounds before writing to io_buffer (CVE-2015-5154)

If the end_transfer_func of a command is called because enough data has
been read or written for the current PIO transfer, and it fails to
correctly call the command completion functions, the DRQ bit in the
status register and s->end_transfer_func may remain set. This allows the
guest to access further bytes in s->io_buffer beyond s->data_end, and
eventually overflow the io_buffer.

One case where this currently happens is emulation of the ATAPI command
START STOP UNIT.

This patch fixes the problem by adding explicit array bounds checks
before accessing the buffer instead of relying on end_transfer_func to
function correctly.

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
(cherry picked from commit d2ff85854512574e7209f295e87b0835d5b032c6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 86d6fe4cb0bce6604ed00b203dd964bead98d228
      
https://github.com/qemu/qemu/commit/86d6fe4cb0bce6604ed00b203dd964bead98d228
  Author: Kevin Wolf <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/ide/atapi.c

  Log Message:
  -----------
  ide/atapi: Fix START STOP UNIT command completion

The command must be completed on all code paths. START STOP UNIT with
pwrcnd set should succeed without doing anything.

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
(cherry picked from commit 03441c3a4a42beb25460dd11592539030337d0f8)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d1557697fd9efd052ba4289a8da4e35f78431537
      
https://github.com/qemu/qemu/commit/d1557697fd9efd052ba4289a8da4e35f78431537
  Author: Kevin Wolf <address@hidden>
  Date:   2015-07-29 (Wed, 29 Jul 2015)

  Changed paths:
    M hw/ide/core.c

  Log Message:
  -----------
  ide: Clear DRQ after handling all expected accesses

This is additional hardening against an end_transfer_func that fails to
clear the DRQ status bit. The bit must be unset as soon as the PIO
transfer has completed, so it's better to do this in a central place
instead of duplicating the code in all commands (and forgetting it in
some).

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: John Snow <address@hidden>
(cherry picked from commit cb72cba83021fa42719e73a5249c12096a4d1cfc)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c8bd74d1d509df5dd1afc6b79413f148f2889692
      
https://github.com/qemu/qemu/commit/c8bd74d1d509df5dd1afc6b79413f148f2889692
  Author: Stefano Stabellini <address@hidden>
  Date:   2015-08-04 (Tue, 04 Aug 2015)

  Changed paths:
    M hw/ide/piix.c

  Log Message:
  -----------
  Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug)

pci_piix3_xen_ide_unplug should completely unhook the unplugged
IDEDevice from the corresponding BlockBackend, otherwise the next call
to release_drive will try to detach the drive again.

Suggested-by: Kevin Wolf <address@hidden>
Signed-off-by: Stefano Stabellini <address@hidden>
(cherry picked from commit 6cd387833d05e8ad31829d97e474dc420625aed9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f9c0ae272389b3581be13fe13986d7c509995be1
      
https://github.com/qemu/qemu/commit/f9c0ae272389b3581be13fe13986d7c509995be1
  Author: Aurelien Jarno <address@hidden>
  Date:   2015-08-04 (Tue, 04 Aug 2015)

  Changed paths:
    M tcg/mips/tcg-target.c

  Log Message:
  -----------
  tcg/mips: fix TLB loading for BE host with 32-bit guests

For 32-bit guests, we load a 32-bit address from the TLB, so there is no
need to compensate for the low or high part. This fixes 32-bit guests on
big-endian hosts.

Cc: address@hidden
Reviewed-by: Richard Henderson <address@hidden>
Signed-off-by: Aurelien Jarno <address@hidden>
(cherry picked from commit e72c4fb81db52be881c9356f1c60e0a7817d2d32)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e750591c8abc0f68296f1afa9f3b9e678b4a28be
      
https://github.com/qemu/qemu/commit/e750591c8abc0f68296f1afa9f3b9e678b4a28be
  Author: Aurelien Jarno <address@hidden>
  Date:   2015-08-04 (Tue, 04 Aug 2015)

  Changed paths:
    M tcg/mips/tcg-target.c

  Log Message:
  -----------
  tcg/mips: fix add2

The add2 code in the tcg_out_addsub2 function doesn't take into account
the case where rl == al == bl. In that case we can't compute the carry
after the addition. As it corresponds to a multiplication by 2, the
carry bit is the bit 31.

While this is a corner case, this prevents x86-64 guests from booting on a
MIPS host.

Cc: address@hidden
Reviewed-by: Richard Henderson <address@hidden>
Signed-off-by: Aurelien Jarno <address@hidden>
(cherry picked from commit c99d69694af4ed15b33e3f7c2e3ef6972c14358d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8dd45dcd83bd819e3fe9927e819ba9441b4f0ccc
      
https://github.com/qemu/qemu/commit/8dd45dcd83bd819e3fe9927e819ba9441b4f0ccc
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-04 (Tue, 04 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)

Transmit offload needs to parse packet headers.  If header fields have
unexpected values the offload processing is skipped.

The code currently uses nested ifs because there is relatively little
input validation.  The next patches will add missing input validation
and a goto label is more appropriate to avoid deep if statement nesting.

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 39b8e7dcaf04cbdb926b478f825b160d852752b5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6722c126f385397a0d010e391fea26eaeea14586
      
https://github.com/qemu/qemu/commit/6722c126f385397a0d010e391fea26eaeea14586
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-04 (Tue, 04 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)

The previous patch stopped using the ip pointer as an indicator that the
IP header is present.  When we reach the if (ip) {...} statement we know
ip is always non-NULL.

Remove the if statement to reduce nesting.

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit d6812d60e7932de3cd0f602c0ee63dd3d09f1847)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ce4f451bbba8edcd2418cfce434b096602248ab3
      
https://github.com/qemu/qemu/commit/ce4f451bbba8edcd2418cfce434b096602248ab3
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-04 (Tue, 04 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)

Transmit offload features access Ethernet and IP headers in the packet.  If
the packet is too short we must not attempt to access header fields:

  int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
  ...
  eth_payload_data = saved_buffer + ETH_HLEN;
  ...
  ip = (ip_header*)eth_payload_data;
  if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit e1c120a9c54872f8a538ff9129d928de4e865cbd)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 85611098ff39ffaa8d78c02bb16eb2c5355d9899
      
https://github.com/qemu/qemu/commit/85611098ff39ffaa8d78c02bb16eb2c5355d9899
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-04 (Tue, 04 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: check IP Header Length field (CVE-2015-5165)

The IP Header Length field was only checked in the IP checksum case, but
is used in other cases too.

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 03247d43c577dfea8181cd40177ad5ba77c8db76)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b7a197c39e4b2099f25d2137e8d73c53c37b92c6
      
https://github.com/qemu/qemu/commit/b7a197c39e4b2099f25d2137e8d73c53c37b92c6
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-04 (Tue, 04 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: check IP Total Length field (CVE-2015-5165)

The IP Total Length field includes the IP header and data.  Make sure it
is valid and does not exceed the Ethernet payload size.

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit c6296ea88df040054ccd781f3945fe103f8c7c17)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f4c861fd68838649e81e0f9a6d75b154fda76440
      
https://github.com/qemu/qemu/commit/f4c861fd68838649e81e0f9a6d75b154fda76440
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-04 (Tue, 04 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: skip offload on short TCP header (CVE-2015-5165)

TCP Large Segment Offload accesses the TCP header in the packet.  If the
packet is too short we must not attempt to access header fields:

  tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
  int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 4240be45632db7831129f124bcf53c1223825b0f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 35c30d3efdfb7d06f978cdb711cb27bc280dcbe8
      
https://github.com/qemu/qemu/commit/35c30d3efdfb7d06f978cdb711cb27bc280dcbe8
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2015-08-04 (Tue, 04 Aug 2015)

  Changed paths:
    M hw/net/rtl8139.c

  Log Message:
  -----------
  rtl8139: check TCP Data Offset field (CVE-2015-5165)

The TCP Data Offset field contains the length of the header.  Make sure
it is valid and does not exceed the IP data length.

Reported-by: 朱东海(启路) <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 8357946b15f0a31f73dd691b7da95f29318ed310)
Signed-off-by: Michael Roth <address@hidden>
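
The header checks described by the rtl8139 series above (short Ethernet/IP header, IP Header Length, IP Total Length, short TCP header, TCP Data Offset), collected into one stand-alone validator as an added example; it is not QEMU's rtl8139.c, and its function names, the enum of skip reasons and the constructed test frames are this example's own assumptions:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN        14      /* dst MAC, src MAC, EtherType */
#define ETHERTYPE_IPV4  0x0800
#define IP_HDR_MIN      20      /* minimal IPv4 header, IHL == 5 */
#define TCP_HDR_MIN     20      /* minimal TCP header, Data Offset == 5 */
#define IPPROTO_TCP_NUM 6

/* Why the validator declined to run offload on a frame. */
enum offload_check {
    OFFLOAD_OK = 0,
    OFFLOAD_SKIP_SHORT_ETH_IP,     /* too short for Ethernet + fixed IP header */
    OFFLOAD_SKIP_NOT_IPV4,         /* EtherType or IP version is not IPv4 */
    OFFLOAD_SKIP_BAD_IHL,          /* IP Header Length < 20 or past the frame */
    OFFLOAD_SKIP_BAD_TOTAL_LEN,    /* IP Total Length < IHL or past the payload */
    OFFLOAD_SKIP_SHORT_TCP,        /* IP data too short for a fixed TCP header */
    OFFLOAD_SKIP_BAD_DATA_OFFSET,  /* TCP Data Offset < 20 or past the IP data */
};

static uint16_t rd16be(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Check every header field before it is used, in the order the commit series
 * adds the checks. On OFFLOAD_OK, *ip_hlen and *tcp_hlen carry the verified
 * lengths (tcp_hlen is 0 for non-TCP frames) so callers never re-derive them. */
enum offload_check offload_check_headers(const uint8_t *buf, size_t len,
                                         size_t *ip_hlen, size_t *tcp_hlen)
{
    if (len < ETH_HLEN + IP_HDR_MIN) {
        return OFFLOAD_SKIP_SHORT_ETH_IP;       /* EtherType or IP header absent */
    }
    if (rd16be(buf + 12) != ETHERTYPE_IPV4) {
        return OFFLOAD_SKIP_NOT_IPV4;
    }
    const uint8_t *ip = buf + ETH_HLEN;
    size_t eth_payload = len - ETH_HLEN;
    if ((ip[0] >> 4) != 4) {
        return OFFLOAD_SKIP_NOT_IPV4;
    }
    /* IP Header Length: 32-bit words in the low nibble of byte 0. */
    size_t hlen = (size_t)(ip[0] & 0x0f) * 4;
    if (hlen < IP_HDR_MIN || hlen > eth_payload) {
        return OFFLOAD_SKIP_BAD_IHL;
    }
    /* IP Total Length: header plus data, must fit inside the Ethernet payload. */
    size_t total = rd16be(ip + 2);
    if (total < hlen || total > eth_payload) {
        return OFFLOAD_SKIP_BAD_TOTAL_LEN;
    }
    size_t ip_data = total - hlen;
    *ip_hlen = hlen;
    *tcp_hlen = 0;
    if (ip[9] != IPPROTO_TCP_NUM) {
        return OFFLOAD_OK;                      /* no TCP header to check */
    }
    /* TCP Data Offset lives in byte 12 of the TCP header; that byte must exist. */
    if (ip_data < TCP_HDR_MIN) {
        return OFFLOAD_SKIP_SHORT_TCP;
    }
    const uint8_t *tcp = ip + hlen;
    size_t thlen = (size_t)(tcp[12] >> 4) * 4;
    if (thlen < TCP_HDR_MIN || thlen > ip_data) {
        return OFFLOAD_SKIP_BAD_DATA_OFFSET;
    }
    *tcp_hlen = thlen;
    return OFFLOAD_OK;
}

/* Build a constructed Ethernet/IPv4/TCP frame with chosen IHL and Data Offset
 * (in 32-bit words), Total Length and payload size. Returns the frame length,
 * or 0 if it does not fit in 'cap'. */
size_t build_frame(uint8_t *out, size_t cap, unsigned ihl, unsigned total_len,
                   unsigned doff, size_t payload)
{
    size_t n = ETH_HLEN + (size_t)ihl * 4 + (size_t)doff * 4 + payload;
    if (n > cap) {
        return 0;
    }
    memset(out, 0, n);
    out[12] = 0x08; out[13] = 0x00;                      /* EtherType IPv4 */
    uint8_t *ip = out + ETH_HLEN;
    ip[0] = (uint8_t)(0x40 | (ihl & 0x0f));              /* version 4 + IHL */
    ip[2] = (uint8_t)(total_len >> 8);
    ip[3] = (uint8_t)total_len;
    ip[9] = IPPROTO_TCP_NUM;
    size_t doff_at = ETH_HLEN + (size_t)ihl * 4 + 12;    /* byte holding Data Offset */
    if (doff_at < n) {
        out[doff_at] = (uint8_t)((doff & 0x0f) << 4);
    }
    return n;
}

int main(void)
{
    uint8_t frame[128];
    size_t ih, th;
    size_t n = build_frame(frame, sizeof frame, 5, 40, 5, 0);   /* constructed, consistent */
    printf("valid frame -> %d\n", offload_check_headers(frame, n, &ih, &th));
    n = build_frame(frame, sizeof frame, 5, 100, 5, 0);         /* Total Length lies */
    printf("oversized Total Length -> %d\n", offload_check_headers(frame, n, &ih, &th));
    return 0;
}
```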


  Commit: 35a616edef026c08f34fe677a2de9600ef94eb74
      
https://github.com/qemu/qemu/commit/35a616edef026c08f34fe677a2de9600ef94eb74
  Author: Paolo Bonzini <address@hidden>
  Date:   2015-08-10 (Mon, 10 Aug 2015)

  Changed paths:
    M qemu-char.c

  Log Message:
  -----------
  qemu-char: handle EINTR for TCP character devices

Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 9172f428afc1461b1d9b33ebca3a679b9adf7c3a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: dfa83a6bae960e3e3a3186264d75790cfd727bce
      
https://github.com/qemu/qemu/commit/dfa83a6bae960e3e3a3186264d75790cfd727bce
  Author: Michael Roth <address@hidden>
  Date:   2015-08-10 (Mon, 10 Aug 2015)

  Changed paths:
    M VERSION

  Log Message:
  -----------
  Update version for 2.3.1 release


Compare: https://github.com/qemu/qemu/compare/d3b59789e821^...dfa83a6bae96
