qemu-commits
[Qemu-commits] [qemu/qemu] c8723d: hw/net/stellaris_enet: Restructure tx


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] c8723d: hw/net/stellaris_enet: Restructure tx_fifo code to...
Date: Fri, 15 Aug 2014 14:00:09 -0700

  Branch: refs/heads/stable-2.0
  Home:   https://github.com/qemu/qemu
  Commit: c8723d46c1031e1972b22d97df06f69ffa90c8fb
      https://github.com/qemu/qemu/commit/c8723d46c1031e1972b22d97df06f69ffa90c8fb
  Author: Peter Maydell <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/net/stellaris_enet.c

  Log Message:
  -----------
  hw/net/stellaris_enet: Restructure tx_fifo code to avoid buffer overrun

The current tx_fifo code has a corner case where the guest can overrun
the fifo buffer: if automatic CRCs are disabled we allow the guest to write
the CRC word even if there isn't actually space for it in the FIFO.
The datasheet is unclear about exactly how the hardware deals with this
situation; the most plausible answer seems to be that the CRC word is
just lost.

Implement this fix by separating the "can we stuff another word in the
FIFO" logic from the "should we transmit the packet now" check. This
also moves us closer to the real hardware, which has a number of ways
it can be configured to trigger sending the packet, some of which we
don't implement.

Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Cc: address@hidden
(cherry picked from commit 5c10495ab1546d5d12b51a97817051e9ec98d0f6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9ee8ab5503fa6a422a5a11aa019d2dce6938e101
      https://github.com/qemu/qemu/commit/9ee8ab5503fa6a422a5a11aa019d2dce6938e101
  Author: Peter Maydell <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/net/stellaris_enet.c

  Log Message:
  -----------
  hw/net/stellaris_enet: Correct handling of packet padding

The PADEN bit in the transmit control register enables padding of short
data packets out to the required minimum length. However a typo here
meant we were adjusting tx_fifo_len rather than tx_frame_len, so the
padding didn't actually happen. Fix this bug.

Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Cc: address@hidden
(cherry picked from commit 7fd5f064d1c1a827a95ffe678418b3d5b8d2f108)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6067df7a5df3601985e464d3cf1d560b374daa9f
      https://github.com/qemu/qemu/commit/6067df7a5df3601985e464d3cf1d560b374daa9f
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M vmstate.c

  Log Message:
  -----------
  vmstate: reduce code duplication

Move the size/offset and number-of-elements math out
to functions, to reduce code duplication.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Cc: "Dr. David Alan Gilbert" <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 35fc1f71899fd42323bd8f33da18f0211e0d2727)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 49e8918a4db041380caf6833bb725bd95b6968c4
      https://github.com/qemu/qemu/commit/49e8918a4db041380caf6833bb725bd95b6968c4
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M include/migration/vmstate.h
    M vmstate.c

  Log Message:
  -----------
  vmstate: add VMS_MUST_EXIST

Can be used to verify a required field exists or validate
state in some other way.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 5bf81c8d63db0216a4d29dc87f9ce530bb791dd1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 390252193cf909e3b86b6414d4b388825d162b71
      https://github.com/qemu/qemu/commit/390252193cf909e3b86b6414d4b388825d162b71
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M include/migration/vmstate.h

  Log Message:
  -----------
  vmstate: add VMSTATE_VALIDATE

Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 4082f0889ba04678fc14816c53e1b9251ea9207e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7872f3e77eefa97a6babccc63400c6e7d8260e5c
      https://github.com/qemu/qemu/commit/7872f3e77eefa97a6babccc63400c6e7d8260e5c
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M include/hw/virtio/virtio-net.h

  Log Message:
  -----------
  virtio-net: fix buffer overflow on invalid state load

CVE-2013-4148 QEMU 1.0 integer conversion in
virtio_net_load()@hw/net/virtio-net.c

Deals with loading a corrupted savevm image.

>         n->mac_table.in_use = qemu_get_be32(f);

in_use is int so it can get negative when assigned 32bit unsigned value.

>         /* MAC_TABLE_ENTRIES may be different from the saved image */
>         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {

passing this check ^^^

>             qemu_get_buffer(f, n->mac_table.macs,
>                             n->mac_table.in_use * ETH_ALEN);

with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example 0x81000000
satisfies this condition when ETH_ALEN is 6.

Fix it by making the value unsigned.
For consistency, change first_multi as well.

Note: all call sites were audited to confirm that
making them unsigned didn't cause any issues:
it turns out we actually never do math on them,
so it's easy to validate because both values are
always <= MAC_TABLE_ENTRIES.

Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 71f7fe48e10a8437c9d42d859389f37157f59980)
Signed-off-by: Michael Roth <address@hidden>
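As an added illustration (not QEMU code), the following C models the quoted check before and after the signedness fix, with MAC_TABLE_ENTRIES assumed to be 64 and ETH_ALEN = 6 as in the message; the function names are hypothetical, and the byte count is formed in uint32_t to model the 32-bit wraparound the message describes without signed-overflow undefined behaviour.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constants as used by the quoted virtio-net code (MAC_TABLE_ENTRIES assumed). */
#define MAC_TABLE_ENTRIES 64
#define ETH_ALEN 6

/* Pre-fix logic: the 32-bit value read from the image lands in an int, so the
 * "<= MAC_TABLE_ENTRIES" test also admits negative values. Returns the number
 * of bytes the following qemu_get_buffer() would be asked to read, or 0 when
 * the check rejects the value. The multiplication is done in uint32_t so the
 * wraparound is well defined in this model. */
static size_t mac_table_read_len_signed(uint32_t wire_value)
{
    int in_use = (int)wire_value;          /* 0x81000000 becomes negative */
    if (in_use <= MAC_TABLE_ENTRIES) {     /* a negative in_use passes here */
        return (size_t)((uint32_t)in_use * ETH_ALEN);
    }
    return 0;
}

/* Post-fix logic: in_use is unsigned, so anything above MAC_TABLE_ENTRIES
 * fails the same comparison and no read is attempted. */
static size_t mac_table_read_len_unsigned(uint32_t wire_value)
{
    uint32_t in_use = wire_value;
    if (in_use <= MAC_TABLE_ENTRIES) {
        return (size_t)in_use * ETH_ALEN;
    }
    return 0;
}

/* True when reading 'len' bytes stays inside the mac_table.macs array. */
static bool fits_mac_table(size_t len)
{
    return len <= (size_t)MAC_TABLE_ENTRIES * ETH_ALEN;
}

int main(void)
{
    /* Constructed sample values, including the 0x81000000 case from the message. */
    uint32_t samples[] = { 3, MAC_TABLE_ENTRIES, MAC_TABLE_ENTRIES + 1, 0x81000000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t s = mac_table_read_len_signed(samples[i]);
        size_t u = mac_table_read_len_unsigned(samples[i]);
        printf("in_use=0x%08x  signed check reads %zu bytes (%s)  "
               "unsigned check reads %zu bytes (%s)\n",
               samples[i], s, fits_mac_table(s) ? "ok" : "OVERRUN",
               u, fits_mac_table(u) ? "ok" : "OVERRUN");
    }
    return 0;
}
```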


  Commit: b24cfb0f1ef056263210cd6e80444a1113cea24a
      https://github.com/qemu/qemu/commit/b24cfb0f1ef056263210cd6e80444a1113cea24a
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: out-of-bounds buffer write on invalid state load

CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

This code is in hw/net/virtio-net.c:

    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }
        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }

Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get
write beyond end of the buffer, with data that comes from
wire.

This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Acked-by: Jason Wang <address@hidden>
Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit eea750a5623ddac7a61982eec8f1c93481857578)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 331c549b2d78f7792ded44abe9ad30a7e9531cba
      https://github.com/qemu/qemu/commit/331c549b2d78f7792ded44abe9ad30a7e9531cba
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: out-of-bounds buffer write on load

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.

Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d4c90959004633c16279f06afba43f3a330108ba
      https://github.com/qemu/qemu/commit/d4c90959004633c16279f06afba43f3a330108ba
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/ide/ahci.c

  Log Message:
  -----------
  ahci: fix buffer overrun on invalid state load

CVE-2013-4526

Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded.  So
we use the old version of ports to read the array but then allow any
value for ports.  This can cause the code to overflow.

There's no reason to migrate ports - it never changes.
So just make sure it matches.

Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3c6066172ff591512e015ac933e056f6cc069527
      https://github.com/qemu/qemu/commit/3c6066172ff591512e015ac933e056f6cc069527
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/timer/hpet.c

  Log Message:
  -----------
  hpet: fix buffer overrun on invalid state load

CVE-2013-4527 hw/timer/hpet.c buffer overrun

hpet is a VARRAY with a uint8 size but a static array of 32.

To fix, make sure num_timers is valid using VMSTATE_VALID hook.

Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 3f1c49e2136fa08ab1ef3183fd55def308829584)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f7ef3baa4950bbcad9a54c100313fb071908ff5b
      https://github.com/qemu/qemu/commit/f7ef3baa4950bbcad9a54c100313fb071908ff5b
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/pci/pcie_aer.c

  Log Message:
  -----------
  hw/pci/pcie_aer.c: fix buffer overruns on invalid state load

4) CVE-2013-4529
hw/pci/pcie_aer.c    pcie aer log can overrun the buffer if log_num is too large

There are two issues in this file:
1. log_max from remote can be larger than on local; then the buffer
will overrun with data coming from the state file.
2. log_num can be larger; then we get data corruption, again with an
overflow, but not adversary controlled.

Fix both issues.

Reported-by: Anthony Liguori <address@hidden>
Reported-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 5f691ff91d323b6f97c6600405a7f9dc115a0ad1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7cf5f5d087e3c46a5d60081443bc42b7c6f3ba1e
      https://github.com/qemu/qemu/commit/7cf5f5d087e3c46a5d60081443bc42b7c6f3ba1e
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/ssi/pl022.c

  Log Message:
  -----------
  pl022: fix buffer overrun on invalid state load

CVE-2013-4530

pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference an array.

Reported-by: Michael S. Tsirkin <address@hidden>
Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit d8d0a0bc7e194300e53a346d25fe5724fd588387)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9c01a91c7b201bcb7de04603450c3c64a2475f69
      https://github.com/qemu/qemu/commit/9c01a91c7b201bcb7de04603450c3c64a2475f69
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M vmstate.c

  Log Message:
  -----------
  vmstate: fix buffer overflow in target-arm/machine.c

CVE-2013-4531

cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.

VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.

Fix this macro to validate the value appropriately.

The only other user of VMSTATE_INT32_LE doesn't
ever use negative numbers so it doesn't care.

Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7297dba2718e4558a246a4ec25790c2f1c81bb05
      https://github.com/qemu/qemu/commit/7297dba2718e4558a246a4ec25790c2f1c81bb05
  Author: Michael Roth <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: avoid buffer overrun on incoming migration

CVE-2013-6399

vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.

Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.

Signed-off-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4e48018ae9edfafa25fb4ddca745307bd66cfc63
      https://github.com/qemu/qemu/commit/4e48018ae9edfafa25fb4ddca745307bd66cfc63
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: validate num_sg when mapping

CVE-2013-4535
CVE-2013-4536

In both virtio-block and virtio-serial,
VirtQueueElements are read in as buffers and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indices beyond VIRTQUEUE_MAX_SIZE.

To fix, validate num_sg.

Reported-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Cc: Amit Shah <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 36cf2a37132c7f01fa9adb5f95f5312b27742fd4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 1124696193a6247f24a69cc2547d7ad80098833c
      https://github.com/qemu/qemu/commit/1124696193a6247f24a69cc2547d7ad80098833c
  Author: Michael Roth <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/intc/openpic.c

  Log Message:
  -----------
  openpic: avoid buffer overrun on incoming migration

CVE-2013-4534

opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.

Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.

Signed-off-by: Michael Roth <address@hidden>
Reviewed-by: Alexander Graf <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: eb55958e189aecc2c52b08e1aeb11715b668a5ab
      https://github.com/qemu/qemu/commit/eb55958e189aecc2c52b08e1aeb11715b668a5ab
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/arm/pxa2xx.c

  Log Message:
  -----------
  pxa2xx: avoid buffer overrun on incoming migration

CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <address@hidden>
Reported-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Reviewed-by: Don Koch <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit caa881abe0e01f9931125a0977ec33c5343e4aa7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 95d9149ed3d0edfbb5223ceee03022498bc86155
      https://github.com/qemu/qemu/commit/95d9149ed3d0edfbb5223ceee03022498bc86155
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/sd/ssi-sd.c

  Log Message:
  -----------
  ssi-sd: fix buffer overrun on invalid state load

CVE-2013-4537

s->arglen is taken from wire and used as idx
in ssi_sd_transfer().

Validate it before access.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit a9c380db3b8c6af19546a68145c8d1438a09c92b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2265c71b3548913becbd1f6427e715dbbe3b0d2e
      https://github.com/qemu/qemu/commit/2265c71b3548913becbd1f6427e715dbbe3b0d2e
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/display/ssd0323.c

  Log Message:
  -----------
  ssd0323: fix buffer overrun on invalid state load

CVE-2013-4538

s->cmd_len is used as an index in ssd0323_transfer() to store a 32-bit field.
Possibly this field might then be supplied by the guest to overwrite a
return addr somewhere. Same for the row/col fields, which are indices into
the framebuffer array.

To fix validate after load.

Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.

For completeness, validate mode as well.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit ead7a57df37d2187813a121308213f41591bd811)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 894f179e8d206b8ef544ea3680c6b433e7a9e3f9
      https://github.com/qemu/qemu/commit/894f179e8d206b8ef544ea3680c6b433e7a9e3f9
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/input/tsc210x.c

  Log Message:
  -----------
  tsc210x: fix buffer overrun on invalid state load

CVE-2013-4539

s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.

Validate after load to avoid buffer overrun.

Cc: Andreas Färber <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 5193be3be35f29a35bc465036cd64ad60d43385f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e7ff13929f58acd1d21a50930fa500d6160f7356
      https://github.com/qemu/qemu/commit/e7ff13929f58acd1d21a50930fa500d6160f7356
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/gpio/zaurus.c

  Log Message:
  -----------
  zaurus: fix buffer overrun on invalid state load

CVE-2013-4540

Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.

Since prev_level comes from wire indirectly, this can
happen on invalid state load.

Similarly for gpio_level and gpio_dir.

To fix, limit to 16 bit.

Reported-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 52f91c3723932f8340fe36c8ec8b18a757c37b2b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 15c35dfd9299733e5391b65efd3e0356a01d01ad
      https://github.com/qemu/qemu/commit/15c35dfd9299733e5391b65efd3e0356a01d01ad
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/usb/bus.c

  Log Message:
  -----------
  usb: sanity check setup_index+setup_len in post_load

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf; it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5ad12b32352696f8c9c779bda6a900c7b6cb0b4d
      https://github.com/qemu/qemu/commit/5ad12b32352696f8c9c779bda6a900c7b6cb0b4d
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/scsi/virtio-scsi.c

  Log Message:
  -----------
  virtio-scsi: fix buffer overrun on invalid state load

CVE-2013-4542

hw/scsi/scsi-bus.c invokes load_request.

 virtio_scsi_load_request does:
    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));

this probably can make elem invalid, for example,
make in_num or out_num huge, then:

    virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);

will do:

    if (req->elem.out_num > 1) {
        qemu_sgl_init_external(req, &req->elem.out_sg[1],
                               &req->elem.out_addr[1],
                               req->elem.out_num - 1);
    } else {
        qemu_sgl_init_external(req, &req->elem.in_sg[1],
                               &req->elem.in_addr[1],
                               req->elem.in_num - 1);
    }

and this will access out of array bounds.

Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.

Cc: Andreas Färber <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 3c3ce981423e0d6c18af82ee62f1850c2cda5976)
Signed-off-by: Michael Roth <address@hidden>


  Commit: fb039011ff6ec049ee05cb1e99abe86c241c0125
      https://github.com/qemu/qemu/commit/fb039011ff6ec049ee05cb1e99abe86c241c0125
  Author: Alex Bennée <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M target-arm/translate-a64.c

  Log Message:
  -----------
  target-arm: A64: fix unallocated test of scalar SQXTUN

The test for the U bit was incorrectly inverted in the scalar case of SQXTUN.
This doesn't affect the vector case as the U bit is used to select XTN(2).

Reported-by: Hao Liu <address@hidden>
Signed-off-by: Alex Bennée <address@hidden>
Reviewed-by: Claudio Fontana <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit e44a90c59697cf98e05619fbb6f77a403d347495)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 162486199790b45a7e8bda0f3ae5ec1f7fbfe78d
      https://github.com/qemu/qemu/commit/162486199790b45a7e8bda0f3ae5ec1f7fbfe78d
  Author: Hannes Reinecke <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/scsi/megasas.c
    M hw/scsi/mfi.h
    M trace-events

  Log Message:
  -----------
  megasas: Implement LD_LIST_QUERY

Newer firmware implements a LD_LIST_QUERY command, and due to a driver
issue no drives might be detected if this command isn't supported.
So add emulation for this command, too.

Cc: address@hidden
Signed-off-by: Hannes Reinecke <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 34bb4d02e00e508fa9d111a6a31b45bbfecbdba5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7b0387ad9091dd98088373e89d010140aefad3e4
      https://github.com/qemu/qemu/commit/7b0387ad9091dd98088373e89d010140aefad3e4
  Author: Peter Crosthwaite <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M target-arm/translate.c

  Log Message:
  -----------
  arm: translate.c: Fix smlald Instruction

The smlald (and probably smlsld) instruction was doing incorrect sign
extensions of the operands during the 64-bit result calculation. The
instruction pseudo-code is:

 operand2 = if m_swap then ROR(R[m],16) else R[m];
 product1 = SInt(R[n]<15:0>) * SInt(operand2<15:0>);
 product2 = SInt(R[n]<31:16>) * SInt(operand2<31:16>);
 result = product1 + product2 + SInt(R[dHi]:R[dLo]);
 R[dHi] = result<63:32>;
 R[dLo] = result<31:0>;

The result calculation should be done in 64 bit arithmetic, and hence
product1 and product2 should be sign extended to 64b before calculation.

The current implementation was adding product1 and product2 together
then sign-extending the intermediate result leading to false negatives.

E.g. if product1 = product2 = 0x4000000, their sum = 0x80000000, which
will be incorrectly interpreted as -ve on sign extension.

We fix by doing the 64b extensions on both product1 and product2 before
any addition/subtraction happens.

We also fix where we were possibly incorrectly setting the Q saturation
flag for SMLSLD, which the ARM ARM specifically says is not set.

Reported-by: Christina Smith <address@hidden>
Signed-off-by: Peter Crosthwaite <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 33bbd75a7c3321432fe40a8cbacd64619c56138c)
Signed-off-by: Michael Roth <address@hidden>
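An added C model (not QEMU's translate.c) of the pseudo-code above, showing the fixed calculation next to the pre-fix behaviour the message describes; the function names are hypothetical, and the sample register values are constructed so that product1 = product2 = 0x40000000 and their true sum is 0x80000000.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* ROR(R[m],16) from the pseudo-code: swap the two halfwords of operand 2. */
static uint32_t ror16(uint32_t x)
{
    return (x >> 16) | (x << 16);
}

/* SInt(R<15:0>) and SInt(R<31:16>): the halfwords as signed 16-bit values. */
static int32_t lo16(uint32_t r) { return (int16_t)(r & 0xffffu); }
static int32_t hi16(uint32_t r) { return (int16_t)(r >> 16); }

/* Fixed SMLALD: each product is widened to 64 bits before anything is added,
 * so product1 + product2 = 0x80000000 stays positive. acc is R[dHi]:R[dLo]. */
static int64_t smlald_fixed(uint32_t rn, uint32_t rm, bool m_swap, int64_t acc)
{
    uint32_t operand2 = m_swap ? ror16(rm) : rm;
    int64_t product1 = (int64_t)lo16(rn) * lo16(operand2);
    int64_t product2 = (int64_t)hi16(rn) * hi16(operand2);
    return acc + product1 + product2;
}

/* Pre-fix behaviour as the commit message describes it: the products are
 * summed in 32-bit arithmetic and only the sum is sign-extended. The sum is
 * formed in uint32_t so the wraparound is well defined in this model. */
static int64_t smlald_buggy(uint32_t rn, uint32_t rm, bool m_swap, int64_t acc)
{
    uint32_t operand2 = m_swap ? ror16(rm) : rm;
    /* Each product has magnitude at most 2^30, so it fits in int32_t. */
    int32_t product1 = lo16(rn) * lo16(operand2);
    int32_t product2 = hi16(rn) * hi16(operand2);
    uint32_t sum32 = (uint32_t)product1 + (uint32_t)product2;
    return acc + (int64_t)(int32_t)sum32;   /* 0x80000000 sign-extends to -2^31 */
}

int main(void)
{
    /* Constructed input: every halfword of Rn and Rm is -32768, so
     * product1 = product2 = 0x40000000 and the true sum is 0x80000000. */
    uint32_t rn = 0x80008000u, rm = 0x80008000u;
    printf("fixed: 0x%016llx\n", (unsigned long long)smlald_fixed(rn, rm, false, 0));
    printf("buggy: 0x%016llx\n", (unsigned long long)smlald_buggy(rn, rm, false, 0));
    return 0;
}
```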


  Commit: 7dfa87e9cb3c6c84a787b68de0cd607247129464
      https://github.com/qemu/qemu/commit/7dfa87e9cb3c6c84a787b68de0cd607247129464
  Author: Benoît Canet <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M block.c

  Log Message:
  -----------
  block: Prevent coroutine stack overflow when recursing in bdrv_open_backing_file.

In 1.7.1 qcow2_create2 reopen the file for flushing without the BDRV_O_NO_BACKING
flags.

As a consequence the code would recursively open the whole backing chain.

These three stack arrays would pile up through the recursion and lead to a
coroutine stack overflow.

Convert these arrays to malloced buffers in order to streamline the coroutine
footprint.

Symptoms were freezes or segfaults on production machines while taking QMP
external snapshots. The overflow disturbed coroutine switching.

[Resolved conflicts on qemu.git/master since the patch was against v1.7.1
--Stefan]

Signed-off-by: Benoit Canet <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 1ba4b6a553ad9ff4645af7fab8adfc6e810fcc69)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4a7a497509e6743f901a47230e6a70ce637eb959
      https://github.com/qemu/qemu/commit/4a7a497509e6743f901a47230e6a70ce637eb959
  Author: David Hildenbrand <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M target-s390x/kvm.c

  Log Message:
  -----------
  s390x: empty function stubs in preparation for __KVM_HAVE_GUEST_DEBUG

This patch creates empty function stubs (used by the gdbserver) in preparation
for the hw debugging support by kvm on s390, which will enable the
__KVM_HAVE_GUEST_DEBUG define in the linux headers and require these methods on
the qemu side.

Signed-off-by: David Hildenbrand <address@hidden>
Signed-off-by: Jens Freimann <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Cc: address@hidden
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit 8c0124490bcd78c9c54139cd654c71c5fbd95e6b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4c1e06408d22abdccdbd562acec7fde76398ba88
      https://github.com/qemu/qemu/commit/4c1e06408d22abdccdbd562acec7fde76398ba88
  Author: Michael Tokarev <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M po/Makefile

  Log Message:
  -----------
  po/Makefile: fix $SRC_PATH reference

The rule for messages.po appears to be slightly wrong.
Move the `cd' command within parens.

Signed-off-by: Michael Tokarev <address@hidden>
Tested-by: Stefan Weil <address@hidden>
(cherry picked from commit b920cad6693d6f2baa0217543c9f9cca5ebaf6ce)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2f18e44b0c9dbe0ad47d082b4482e0b4f0f0b08c
      https://github.com/qemu/qemu/commit/2f18e44b0c9dbe0ad47d082b4482e0b4f0f0b08c
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/i386/acpi-build.c

  Log Message:
  -----------
  acpi: fix tables for no-hpet configuration

acpi build tried to add offset of hpet table to rsdt even when hpet was
disabled.  If no tables follow hpet, this could lead to a malformed
rsdt.

Fix it up.

To avoid such errors in the future, rearrange code slightly to make it
clear that acpi_add_table stores the offset of the following table - not
of the previous one.

Reported-by: TeLeMan <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Cc: address@hidden
(cherry picked from commit 9ac1c4c07e7e6ab16a3e2149e9b32c0d092cb3f5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2ac95494534aca06ec40f81729783fdd65305042
      https://github.com/qemu/qemu/commit/2ac95494534aca06ec40f81729783fdd65305042
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/net/stellaris_enet.c

  Log Message:
  -----------
  stellaris_enet: block migration

Incoming migration with stellaris_enet is unsafe.
It's being reworked, but for now, simply block it
since no one is using it anyway.
Block outgoing migration for good measure.

CVE-2013-4532

Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: a14d42919f5108c92fd576ddd7bf2b3759593a98
      https://github.com/qemu/qemu/commit/a14d42919f5108c92fd576ddd7bf2b3759593a98
  Author: Christian Borntraeger <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M target-s390x/kvm.c
    M trace-events

  Log Message:
  -----------
  s390x/kvm: rework KVM synchronize to tracing for some ONEREGS

Some ONE_REGS on s390 are not protected by a capability. Older kernels
might not provide those and return an error. Fortunately these registers
are only critical for the migration path. There is no need to error out
on reset and normal runtime. Furthermore, these kernels don't provide
a proper dirty bitmap anyway, so let's use tracing for those errors.

Also provide generic one reg helper to simplify the code.

Signed-off-by: Christian Borntraeger <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit 860643bc5aa902f9b736c57b66e301ef08a2b68e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 46a1b0e489cdb604da81ebde985c35ff798601dc
      
https://github.com/qemu/qemu/commit/46a1b0e489cdb604da81ebde985c35ff798601dc
  Author: Paolo Bonzini <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M target-i386/cpu.c
    M target-i386/cpu.h

  Log Message:
  -----------
  target-i386: fix set of registers zeroed on reset

BND0-3, BNDCFGU, BNDCFGS, BNDSTATUS were not zeroed on reset, but they
should be (Intel Instruction Set Extensions Programming Reference
319433-015, pages 9-4 and 9-6).  Same for YMM.

XCR0 should be reset to 1.

TSC and TSC_RESET were zeroed already by the memset, remove the explicit
assignments.

Cc: Andreas Faerber <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 05e7e819d7d159a75a46354aead95e1199b8f168)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 837e02ef07179876ca2ada2ed67d3eeaa9d3a9d7
      
https://github.com/qemu/qemu/commit/837e02ef07179876ca2ada2ed67d3eeaa9d3a9d7
  Author: Amos Kong <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M qdev-monitor.c

  Log Message:
  -----------
  qdev: Fix crash by validating the object type

QEMU crashed when I tried to list device parameters and the driver name was
actually an available bus name.

 # qemu -device virtio-pci-bus,?
 # qemu -device virtio-bus,?
 # qemu -device virtio-serial-bus,?
 qdev-monitor.c:212:qdev_device_help: Object 0x7fd932f50620 is not an
 instance of type device
 Aborted (core dumped)

We can also reproduce this bug by adding a device from the monitor, so it's
worth fixing the crash.

 (qemu) device_add virtio-serial-bus
 qdev-monitor.c:491:qdev_device_add: Object 0x7f5e89530920 is not an
 instance of type device
 Aborted (core dumped)

Cc: address@hidden
Signed-off-by: Amos Kong <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Andreas Färber <address@hidden>
(cherry picked from commit ce0abca3e35a9f95e9edcb5d6b2910b2fcd52099)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e40585f8f1c522d1ca38601d0a4b5dbcfc8d9589
      
https://github.com/qemu/qemu/commit/e40585f8f1c522d1ca38601d0a4b5dbcfc8d9589
  Author: Edgar E. Iglesias <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M target-arm/translate-a64.c

  Log Message:
  -----------
  target-arm: A64: Handle blr lr

For linked branches, updates to the link register happen
conceptually after the read of the branch target register.

Signed-off-by: Edgar E. Iglesias <address@hidden>
Reviewed-by: Alex Bennée <address@hidden>
Cc: address@hidden
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 1b505f93bcf605e7c4144fef83bd039b0d4f2576)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c2d37222ae82ab1f9d528e19b2ca7103f66e3542
      
https://github.com/qemu/qemu/commit/c2d37222ae82ab1f9d528e19b2ca7103f66e3542
  Author: Edgar E. Iglesias <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M target-arm/helper.c

  Log Message:
  -----------
  target-arm: Make vbar_write 64bit friendly on 32bit hosts

Signed-off-by: Edgar E. Iglesias <address@hidden>
Reviewed-by: Alex Bennée <address@hidden>
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit fed3ffb9f157f33bc9b2b1c3ef68e710ee6b7b4b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 83b1dc162c42fd8c250bbbf3fea3d6d7d766b8b1
      
https://github.com/qemu/qemu/commit/83b1dc162c42fd8c250bbbf3fea3d6d7d766b8b1
  Author: Peter Maydell <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M linux-user/elfload.c

  Log Message:
  -----------
  linux-user/elfload.c: Fix incorrect ARM HWCAP bits

The ELF HWCAP bits for ARM features THUMBEE, NEON, VFPv3 and VFPv3D16 are
all off by one compared to the kernel definitions. Fix this discrepancy
and add in the missing CRUNCH bit which was the cause of the off-by-one
error. (We don't emulate any of the CPUs which have that weird hardware,
so it's otherwise uninteresting to us.)

Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
Signed-off-by: Riku Voipio <address@hidden>
(cherry picked from commit 43ce393ee5f7b96d2ac22fedc40d6b6fb3f65a3e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 074f673a9a3ef557dc732a25bd3aa9470eab82c3
      
https://github.com/qemu/qemu/commit/074f673a9a3ef557dc732a25bd3aa9470eab82c3
  Author: Peter Maydell <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M linux-user/elfload.c

  Log Message:
  -----------
  linux-user/elfload.c: Update ARM HWCAP bits

The kernel has added support for a number of new ARM HWCAP bits;
add them to QEMU, including support for setting them where we have
a corresponding CPU feature bit.

We were also incorrectly setting the VFPv3D16 HWCAP -- this means
"only 16 D registers", not "supports 16-bit floating point format";
since QEMU always has 32 D registers for VFPv3, we can just remove
the line that incorrectly set this bit.

The kernel does not set the HWCAP_FPA even if it is providing FPA
emulation via nwfpe, so don't set this bit in QEMU either.

Signed-off-by: Peter Maydell <address@hidden>
Cc: address@hidden
Signed-off-by: Riku Voipio <address@hidden>
(cherry picked from commit 24682654654a2e7b50afc27880f4098e5fca3742)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 912d9cc089fbc8044d97106e9abfec603d83ef52
      
https://github.com/qemu/qemu/commit/912d9cc089fbc8044d97106e9abfec603d83ef52
  Author: Peter Maydell <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M linux-user/elfload.c

  Log Message:
  -----------
  linux-user/elfload.c: Fix A64 code which was incorrectly acting like A32

The ARM target-specific code in elfload.c was incorrectly allowing
the 64-bit ARM target to use most of the existing 32-bit definitions:
most noticeably this meant that our HWCAP bits passed to the guest
were wrong, and register handling when dumping core was totally
broken. Fix this by properly separating the 64 and 32 bit code,
since they have more differences than similarities.

Signed-off-by: Peter Maydell <address@hidden>
Cc: address@hidden
Signed-off-by: Riku Voipio <address@hidden>
(cherry picked from commit 24e76ff06bcd0936ee8b04b15dca42efb7d614d1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 32c113c182baf66fa01a4f863fac3689ac838b6c
      
https://github.com/qemu/qemu/commit/32c113c182baf66fa01a4f863fac3689ac838b6c
  Author: Alexey Kardashevskiy <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/ppc/spapr_pci.c

  Log Message:
  -----------
  spapr_pci: Fix number of returned vectors in ibm,change-msi

Current guest kernels try allocating as many vectors as the quota is.
For example, in the case of virtio-net (which has just 3 vectors)
the guest requests 4 vectors (that is the quota in the test) and
the existing ibm,change-msi handler returns 4. But before it returns,
it calls msix_set_message() in a loop and corrupts memory behind
the end of msix_table.

This limits the number of vectors returned by ibm,change-msi to
the maximum supported by the actual device.

Signed-off-by: Alexey Kardashevskiy <address@hidden>
Cc: address@hidden
[agraf: squash in bugfix from aik]
Signed-off-by: Alexander Graf <address@hidden>

(cherry picked from commit b26696b519f853c9844e5154858e583600ee3cdc)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 274c96e4e12a1829def558534c4eb1a77c4865eb
      
https://github.com/qemu/qemu/commit/274c96e4e12a1829def558534c4eb1a77c4865eb
  Author: Michael Tokarev <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M configure

  Log Message:
  -----------
  configure: remove bashism

Commit e26110cfc67d48 added a check for shacmd to create a hash
for modules.  This check in configure is using bash construct &>
to redirect both stdout and stderr, which does fun things on some
shells.  Get rid of it, use standard redirection instead.

Signed-off-by: Michael Tokarev <address@hidden>
Reviewed-by: Fam Zheng <address@hidden>
(cherry picked from commit 4fc00556ab68fc91c6d0150152f824d262c0be12)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c230ab2ba22a6c91d690dc57bd1157c8fc243f12
      
https://github.com/qemu/qemu/commit/c230ab2ba22a6c91d690dc57bd1157c8fc243f12
  Author: Peter Lieven <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M qapi/qapi-dealloc-visitor.c

  Log Message:
  -----------
  Revert "qapi: Clean up superfluous null check in qapi_dealloc_type_str()"

This reverts commit 25a7017555f1b4aeb543b5d323ff4afb8f9c5437.

Turns out the argument *can* be null: QEMU now segfaults if it
receives an invalid parameter via a qmp command instead of throwing an
error.

For example:
{ "execute": "blockdev-add",
     "arguments": { "options" : { "driver": "invalid-driver" } } }

CC: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Luiz Capitulino <address@hidden>
(cherry picked from commit b690d679c1ca65d71b0544a2331d50e9f0f95116)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 96e7f7a911077ac76c4b2ac1e31e0aeaa1fb2901
      
https://github.com/qemu/qemu/commit/96e7f7a911077ac76c4b2ac1e31e0aeaa1fb2901
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/i386/kvm/pci-assign.c

  Log Message:
  -----------
  pci-assign: limit # of msix vectors

KVM only supports MSIX table sizes up to 256 vectors,
but some assigned devices support more vectors;
at the moment attempts to assign them fail with EINVAL.

Tweak the MSIX capability exposed to guest to limit table size
to a supported value.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Tested-by: Gonglei <address@hidden>
Cc: address@hidden
Acked-by: Alex Williamson <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 639973a4740f38789057744b550df3a175bc49ad)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3ba1e617e7ae2b69a508a52b4f6cc301a9de95ce
      
https://github.com/qemu/qemu/commit/3ba1e617e7ae2b69a508a52b4f6cc301a9de95ce
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: allow mapping up to max queue size

It's a loop from i < num_sg and the array is VIRTQUEUE_MAX_SIZE - so
it's OK if the value read is VIRTQUEUE_MAX_SIZE.

Not a big problem in practice as people don't use
such big queues, but it's inelegant.

Reported-by: "Dr. David Alan Gilbert" <address@hidden>
Cc: address@hidden
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 937251408051e0489f78e4db3c92e045b147b38b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d234c8f1f6bb52be075581d8237d4683b942bbe3
      
https://github.com/qemu/qemu/commit/d234c8f1f6bb52be075581d8237d4683b942bbe3
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M block/qcow.c

  Log Message:
  -----------
  qcow1: Make padding in the header explicit

We were relying on all compilers inserting the same padding in the
header struct that is used for the on-disk format. Let's not do that.
Mark the struct as packed and insert an explicit padding field for
compatibility.

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
(cherry picked from commit ea54feff58efedc809641474b25a3130309678e7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5c85998739da2c904194a7fe985a0e7707c7da25
      
https://github.com/qemu/qemu/commit/5c85998739da2c904194a7fe985a0e7707c7da25
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M block/qcow.c
    A tests/qemu-iotests/092
    A tests/qemu-iotests/092.out
    M tests/qemu-iotests/group

  Log Message:
  -----------
  qcow1: Check maximum cluster size

Huge values for header.cluster_bits cause unbounded allocations (e.g.
for s->cluster_cache) and crash qemu this way. Less huge values may
survive those allocations, but can cause integer overflows later on.

The only cluster sizes that qemu can create are 4k (for standalone
images) and 512 (for images with backing files), so we can limit it
to 64k.

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
(cherry picked from commit 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f)

Conflicts:
        tests/qemu-iotests/group

*removed context lines for tests not present in v2.0.0

Signed-off-by: Michael Roth <address@hidden>


  Commit: a3967c74de398149d722deac5c26634a5e9ddbe2
      
https://github.com/qemu/qemu/commit/a3967c74de398149d722deac5c26634a5e9ddbe2
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M block/qcow.c
    M tests/qemu-iotests/092
    M tests/qemu-iotests/092.out

  Log Message:
  -----------
  qcow1: Validate L2 table size (CVE-2014-0222)

Too large L2 table sizes cause unbounded allocations. Images actually
created by qemu-img only have 512 byte or 4k L2 tables.

To keep things consistent with cluster sizes, allow ranges between 512
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
working, but L2 table sizes smaller than a cluster don't make a lot of
sense).

This also means that the number of bytes on the virtual disk that are
described by the same L2 table is limited to at most 8k * 64k or 2^29,
preventively avoiding any integer overflows.

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
(cherry picked from commit 42eb58179b3b215bb507da3262b682b8a2ec10b5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a4b73ed3f37df05f1fd13418f18feb026008301c
      
https://github.com/qemu/qemu/commit/a4b73ed3f37df05f1fd13418f18feb026008301c
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M block/qcow.c
    M tests/qemu-iotests/092
    M tests/qemu-iotests/092.out

  Log Message:
  -----------
  qcow1: Validate image size (CVE-2014-0223)

A huge image size could cause s->l1_size to overflow. Make sure that
images never require a L1 table larger than what fits in s->l1_size.

This can not only cause unbounded allocations, but also the allocation of
a too small L1 table, resulting in out-of-bounds array accesses (both
reads and writes).

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 46485de0cb357b57373e1ca895adedf1f3ed46ec)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3d5acbeb71573ba0acf5af39a78dd66bdba392fe
      
https://github.com/qemu/qemu/commit/3d5acbeb71573ba0acf5af39a78dd66bdba392fe
  Author: Kevin Wolf <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M block/qcow.c
    M tests/qemu-iotests/092
    M tests/qemu-iotests/092.out

  Log Message:
  -----------
  qcow1: Stricter backing file length check

Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead
of silently truncating them to 1023.

Also don't rely on bdrv_pread() catching integer overflows that make len
negative, but use unsigned variables in the first place.

Cc: address@hidden
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
(cherry picked from commit d66e5cee002c471b78139228a4e7012736b375f9)
Signed-off-by: Michael Roth <address@hidden>
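The four qcow1 commits above (the cluster size limit, the L2 table size check for CVE-2014-0222, the image size check for CVE-2014-0223 and the stricter backing file length check) all bound header fields before any allocation is derived from them. The following is an added, stand-alone C validator modelled on those checks; it is not code from QEMU or from these commits. The struct layout follows the qcow1 header format, while the error enum, the byte-order assumption and the make_header() helper are this example's own.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QCOW_MAGIC   0x514649fbU   /* 'Q' 'F' 'I' 0xfb */
#define QCOW_VERSION 1

/* qcow1 on-disk header, packed and with the padding explicit as the "Make
 * padding in the header explicit" commit does. Fields are big-endian on
 * disk; this model assumes the caller has already byteswapped them. */
typedef struct __attribute__((packed)) QCowHeader {
    uint32_t magic;
    uint32_t version;
    uint64_t backing_file_offset;
    uint32_t backing_file_size;    /* unsigned, so a bogus length can't go negative */
    uint32_t mtime;
    uint64_t size;                 /* virtual disk size in bytes */
    uint8_t  cluster_bits;
    uint8_t  l2_bits;
    uint16_t padding;
    uint32_t crypt_method;
    uint64_t l1_table_offset;
} QCowHeader;

enum {
    QCOW_OK = 0,
    QCOW_ERR_MAGIC,
    QCOW_ERR_CLUSTER_BITS,     /* cluster size outside 512 bytes .. 64k */
    QCOW_ERR_L2_BITS,          /* L2 table outside 512 bytes .. 64k (CVE-2014-0222) */
    QCOW_ERR_IMAGE_TOO_LARGE,  /* L1 table size would overflow (CVE-2014-0223) */
    QCOW_ERR_BACKING_FILE_LEN, /* backing file name longer than 1023 bytes */
};

/* Validate a host-endian header before anything is allocated from its
 * fields. Returns a QCOW_* code and, on success, the L1 entry count. */
static int qcow1_validate_header(const QCowHeader *h, uint32_t *l1_size_out)
{
    if (h->magic != QCOW_MAGIC || h->version != QCOW_VERSION) {
        return QCOW_ERR_MAGIC;
    }
    /* Cluster size 2^9 .. 2^16; a huge cluster_bits otherwise drives
     * unbounded allocations such as the cluster cache. */
    if (h->cluster_bits < 9 || h->cluster_bits > 16) {
        return QCOW_ERR_CLUSTER_BITS;
    }
    /* l2_bits counts 8-byte entries, so the table is 8 << l2_bits bytes;
     * 512 bytes .. 64k means l2_bits in [6, 13]. */
    if (h->l2_bits < 9 - 3 || h->l2_bits > 16 - 3) {
        return QCOW_ERR_L2_BITS;
    }
    /* One L1 entry covers one L2 table's worth of clusters: at most 2^29 bytes. */
    unsigned shift = h->cluster_bits + h->l2_bits;
    uint64_t l1_span = (uint64_t)1 << shift;
    /* Rounding the image size up to a multiple of l1_span must not wrap. */
    if (h->size > UINT64_MAX - l1_span) {
        return QCOW_ERR_IMAGE_TOO_LARGE;
    }
    uint64_t l1_size = (h->size + l1_span - 1) >> shift;
    /* The L1 table is l1_size * 8 bytes counted in an int; a larger value
     * would truncate and allocate a too-small table. */
    if (l1_size > INT_MAX / sizeof(uint64_t)) {
        return QCOW_ERR_IMAGE_TOO_LARGE;
    }
    /* Reject over-long backing file names instead of truncating to 1023. */
    if (h->backing_file_offset != 0 && h->backing_file_size > 1023) {
        return QCOW_ERR_BACKING_FILE_LEN;
    }
    if (l1_size_out) {
        *l1_size_out = (uint32_t)l1_size;
    }
    return QCOW_OK;
}

/* Constructed header in the shape qemu-img writes for a standalone image
 * (4k clusters, 4k L2 tables); callers tweak single fields from here. */
static QCowHeader make_header(uint64_t size)
{
    QCowHeader h;
    memset(&h, 0, sizeof(h));
    h.magic = QCOW_MAGIC;
    h.version = QCOW_VERSION;
    h.size = size;
    h.cluster_bits = 12;           /* 4k clusters */
    h.l2_bits = 9;                 /* 512 entries * 8 bytes = 4k L2 table */
    h.l1_table_offset = sizeof(QCowHeader);
    return h;
}

int main(void)
{
    static const char *const names[] = { "ok", "bad magic/version",
        "bad cluster_bits", "bad l2_bits", "image too large", "backing file name too long" };
    uint32_t l1_size = 0;
    QCowHeader h = make_header(1ULL << 30);            /* sane 1 GiB image */
    printf("1 GiB image: %s, l1_size=%u\n",
           names[qcow1_validate_header(&h, &l1_size)], l1_size);
    h.cluster_bits = 40;                               /* crafted huge value */
    printf("cluster_bits=40: %s\n", names[qcow1_validate_header(&h, NULL)]);
    return 0;
}
```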


  Commit: 2dbd09ff5cee5fdfe6b3c796573d9954fd6e0381
      
https://github.com/qemu/qemu/commit/2dbd09ff5cee5fdfe6b3c796573d9954fd6e0381
  Author: Markus Armbruster <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M hw/scsi/virtio-scsi.c

  Log Message:
  -----------
  virtio-scsi: Plug memory leak on virtio_scsi_push_event() error path

Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 91e7fcca4743cf694eb0c8e7a8d938cf359b5bd8)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ae2e18e0cab1715e03ce4ff90e8362507b2f325d
      
https://github.com/qemu/qemu/commit/ae2e18e0cab1715e03ce4ff90e8362507b2f325d
  Author: Max Filippov <address@hidden>
  Date:   2014-07-20 (Sun, 20 Jul 2014)

  Changed paths:
    M target-xtensa/translate.c

  Log Message:
  -----------
  target-xtensa: fix cross-page jumps/calls at the end of TB

Use tb->pc instead of dc->pc to check for cross-page jumps.
When TB translation stops at the page boundary dc->pc points to the next
page allowing chaining to TBs in it, which is wrong.

Cc: address@hidden
Signed-off-by: Max Filippov <address@hidden>
(cherry picked from commit 433d33c555deeed375996e338df1a9510df401c6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 91148decd256d4e2f24152fbf2f7c64459e562c1
      
https://github.com/qemu/qemu/commit/91148decd256d4e2f24152fbf2f7c64459e562c1
  Author: Stefan Weil <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M cputlb.c

  Log Message:
  -----------
  cputlb: Fix regression with TCG interpreter (bug 1310324)

Commit 0f842f8a246f2b5b51a11c13f933bf7a90ae8e96 replaced GETPC_EXT() which
was derived from GETPC() by GETRA_EXT() without fixing cputlb.c. A later
patch replaced GETRA_EXT() by GETRA() in exec/softmmu_template.h which
is included in cputlb.c.

The TCG interpreter failed because the values returned by GETRA() were no
longer explicitly set to 0. The redefinition of GETRA() introduced here
fixes this.

In addition, GETPC_ADJ which is also used in exec/softmmu_template.h is
set to 0. Both changes reduce the compiled code size for cputlb.c by more
than 100 bytes, so the normal TCG without interpreter also profits from
the reduced code size and slightly faster code.

Cc: address@hidden
Reported-by: Giovanni Mascellani <address@hidden>
Signed-off-by: Stefan Weil <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 7e4e88656c1e6192e9e47a2054d2dc190c1b840b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b203bba0ce2ba575e91f977d762943475e402ab8
      
https://github.com/qemu/qemu/commit/b203bba0ce2ba575e91f977d762943475e402ab8
  Author: Andrew Oates <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M ui/curses.c

  Log Message:
  -----------
  input (curses): mask keycodes to remove modifier bits

Without the mask, control bits are passed on in the keycode, generating
incorrect PS/2 sequences when SHIFT, ALT, etc are held down.

Cc: address@hidden
Signed-off-by: Andrew Oates <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit f5c0ab131265270c1e7852ec0d4e284a219d63d4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 12d5fc6ab464eb3fee121226b55099be3035d1e2
      
https://github.com/qemu/qemu/commit/12d5fc6ab464eb3fee121226b55099be3035d1e2
  Author: Markus Armbruster <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M qemu-img.c

  Log Message:
  -----------
  qemu-img: Plug memory leak in convert command

Introduced in commit 661a0f7.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit bb9cd2ee99f6537c072d5f4bac441717d3cd2bed)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7812cbe580b439f65cc06cbd6ab18e4b91b5ee31
      
https://github.com/qemu/qemu/commit/7812cbe580b439f65cc06cbd6ab18e4b91b5ee31
  Author: Markus Armbruster <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M block/sheepdog.c

  Log Message:
  -----------
  block/sheepdog: Plug memory leak in sd_snapshot_create()

Has always been leaky.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 2df5fee2dbd56a9c34afd6d7df6744da2d951ccb)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a3e3f0964d42c2f0e6806014806afce75303abe2
      
https://github.com/qemu/qemu/commit/a3e3f0964d42c2f0e6806014806afce75303abe2
  Author: Markus Armbruster <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M block/vvfat.c

  Log Message:
  -----------
  block/vvfat: Plug memory leak in read_directory()

Has always been leaky.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit b122c3b6d020e529b203836efb8f611ece787293)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 53bdfb5b62eee7a29c7a479bb87b47d941a30812
      
https://github.com/qemu/qemu/commit/53bdfb5b62eee7a29c7a479bb87b47d941a30812
  Author: Markus Armbruster <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M block/vvfat.c

  Log Message:
  -----------
  block/vvfat: Plug memory leak in check_directory_consistency()

On error path.  Introduced in commit a046433a.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 6262bbd363b53a1f19c473345d7cc40254dd5c73)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 98646a11d0977b99bd05efbd6bf8330411ebba63
      
https://github.com/qemu/qemu/commit/98646a11d0977b99bd05efbd6bf8330411ebba63
  Author: Markus Armbruster <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M block/qapi.c

  Log Message:
  -----------
  block/qapi: Plug memory leak in dump_qobject() case QTYPE_QERROR

Introduced in commit a8d8ecb.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit f25391c2a6ef1674384204265429520ea50e82bc)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 40a3fb54b29970a2c97dde39aa97b9201ad7a7cf
      
https://github.com/qemu/qemu/commit/40a3fb54b29970a2c97dde39aa97b9201ad7a7cf
  Author: Markus Armbruster <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M blockdev.c

  Log Message:
  -----------
  blockdev: Plug memory leak in drive_init()

bs_opts is leaked on all paths from its qdev_new() that don't go
through blockdev_init().  Add the missing QDECREF(), and zap bs_opts
after blockdev_init(), so the new QDECREF() does nothing when we go
through blockdev_init().

Leak introduced in commit f298d07.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 3cb0e25c4b417b7336816bd92de458f0770d49ff)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5a0913f782a5d73a274b1fb39ec7d4d9a79ad4ca
      
https://github.com/qemu/qemu/commit/5a0913f782a5d73a274b1fb39ec7d4d9a79ad4ca
  Author: Markus Armbruster <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M blockdev.c

  Log Message:
  -----------
  blockdev: Plug memory leak in blockdev_init()

blockdev_init() leaks bs_opts when qemu_opts_create() fails, i.e. when
the ID is bad.  Missed in commit ec9c10d.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 6376f9522372d589f3efe60001dc0486237dd375)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5e3322eec31e6198c5370a1f01c6e1429548ebcb
      
https://github.com/qemu/qemu/commit/5e3322eec31e6198c5370a1f01c6e1429548ebcb
  Author: Markus Armbruster <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M qemu-io.c

  Log Message:
  -----------
  qemu-io: Plug memory leak in open command

Introduced in commit b543c5c.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 29f2601aa605f0af0cba8eedcff7812c6c8532e9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d1567e298094a496ad5dc81c9a360dfab98a214d
      
https://github.com/qemu/qemu/commit/d1567e298094a496ad5dc81c9a360dfab98a214d
  Author: Markus Armbruster <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M block.c

  Log Message:
  -----------
  block: Plug memory leak on brv_open_image() error path

Introduced in commit da557a.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit b20e61e0d52eef57cf5db55087b16e0b5207e730)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 207f61dc286fbcb322514007778b99d20e48416b
      
https://github.com/qemu/qemu/commit/207f61dc286fbcb322514007778b99d20e48416b
  Author: Markus Armbruster <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M block/qcow2.c

  Log Message:
  -----------
  qcow2: Plug memory leak on qcow2_invalidate_cache() error paths

Introduced in commit 5a8a30d.  Spotted by Coverity.

Signed-off-by: Markus Armbruster <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit a1904e48c4a9fb114d155419700bfb7d760273b9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f99329cd82831c64864e99293d91be3741dc7a60
      
https://github.com/qemu/qemu/commit/f99329cd82831c64864e99293d91be3741dc7a60
  Author: Peter Maydell <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M linux-user/syscall.c

  Log Message:
  -----------
  linux-user: Don't overrun guest buffer in sched_getaffinity

If the guest's "long" type is smaller than the host's, then
our sched_getaffinity wrapper needs to round the buffer size
up to a multiple of the host sizeof(long). This means that when
we copy the data back from the host buffer to the guest's
buffer there might be more than we can fit. Rather than
overflowing the guest's buffer, handle this case by returning
EINVAL or ignoring the unused extra space, as appropriate.

Note that only guests using the syscall interface directly might
run into this bug -- the glibc wrappers around it will always
use a buffer whose size is a multiple of 8 regardless of guest
architecture.

Signed-off-by: Peter Maydell <address@hidden>
Signed-off-by: Riku Voipio <address@hidden>
(cherry picked from commit be3bd286bc06bb68cdc71748d9dd4edcd57b2b24)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6ea80edc0165a11060b5e13d62e81630abbc5d25
      
https://github.com/qemu/qemu/commit/6ea80edc0165a11060b5e13d62e81630abbc5d25
  Author: Richard Henderson <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M tcg/i386/tcg-target.c

  Log Message:
  -----------
  tcg-i386: Fix win64 qemu store

The first non-register argument isn't placed at offset 0.

Cc: address@hidden
Reviewed-by: Stefan Weil <address@hidden>
Signed-off-by: Richard Henderson <address@hidden>
(cherry picked from commit 0b919667302aa395bfde0328749dc21a0b123c44)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 27fb65dd1b040bb68d44a7ce24d8527df2a57fbc
      
https://github.com/qemu/qemu/commit/27fb65dd1b040bb68d44a7ce24d8527df2a57fbc
  Author: Peter Maydell <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M target-arm/helper.c

  Log Message:
  -----------
  target-arm: Fix errors in writes to generic timer control registers

The code for handling writes to the generic timer control registers
had several bugs:
 * ISTATUS (bit 2) is read-only but we forced it to zero on any write
 * the check for "was IMASK (bit 1) toggled?" incorrectly used '&' where
   it should be '^'
 * the handling of IMASK was inverted: we should set the IRQ if
   ISTATUS is set and IMASK is clear, not if both are set

The combination of these bugs meant that when running a Linux guest
that uses the generic timers we would fairly quickly end up either
forgetting that the timer output should be asserted, or failing to
set the IRQ when the timer was unmasked. The result is that the guest
never gets any more timer interrupts.

Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Cc: address@hidden
(cherry picked from commit d3afacc7269fee45d54d1501a46b51f12ea7bb15)
Signed-off-by: Michael Roth <address@hidden>
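To make the three bugs listed above concrete, here is an added, self-contained C model of the CNTx_CTL write handling; it is not QEMU's code. The GTimer struct, the "expired" flag (standing in for the counter-versus-compare-value test the real emulation does) and the gt_timer_fire() helper are this example's own simplifications; the buggy and corrected write handlers follow the behaviour the commit message describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GT_ENABLE  (1u << 0)
#define GT_IMASK   (1u << 1)
#define GT_ISTATUS (1u << 2)   /* read-only: owned by the timer, not the guest */

/* Minimal model of one generic timer: its CTL register, the level last driven
 * on its interrupt output, and an "expired" flag standing in for the
 * counter-vs-compare-value test the real emulation performs. */
typedef struct GTimer {
    uint32_t ctl;
    int irq_line;
    bool expired;
} GTimer;

static void gt_set_irq(GTimer *t, int level)
{
    t->irq_line = level;
}

/* Recompute ISTATUS from the timer state and drive the output accordingly. */
static void gt_recalc_timer(GTimer *t)
{
    if ((t->ctl & GT_ENABLE) && t->expired) {
        t->ctl |= GT_ISTATUS;
    } else {
        t->ctl &= ~GT_ISTATUS;
    }
    gt_set_irq(t, (t->ctl & GT_ISTATUS) && !(t->ctl & GT_IMASK));
}

/* The timer's counter passes the compare value. */
static void gt_timer_fire(GTimer *t)
{
    t->expired = true;
    gt_recalc_timer(t);
}

/* CTL write handling with the three bugs the commit message lists. */
static void gt_ctl_write_buggy(GTimer *t, uint32_t value)
{
    uint32_t oldval = t->ctl;

    t->ctl = value & 3;                          /* bug 1: clears ISTATUS */
    if ((oldval ^ value) & GT_ENABLE) {
        gt_recalc_timer(t);
    } else if ((oldval & value) & GT_IMASK) {    /* bug 2: '&' is not "toggled" */
        gt_set_irq(t, (oldval & GT_ISTATUS) && (value & GT_IMASK)); /* bug 3: inverted */
    }
}

/* Corrected CTL write handling. */
static void gt_ctl_write(GTimer *t, uint32_t value)
{
    uint32_t oldval = t->ctl;

    /* Only ENABLE and IMASK are writable; ISTATUS keeps its current value. */
    t->ctl = (oldval & ~3u) | (value & 3u);
    if ((oldval ^ value) & GT_ENABLE) {
        gt_recalc_timer(t);
    } else if ((oldval ^ value) & GT_IMASK) {
        /* IMASK toggled: the line follows ISTATUS, asserted only when unmasked. */
        gt_set_irq(t, (oldval & GT_ISTATUS) && !(value & GT_IMASK));
    }
}

/* Enable the timer masked, let it fire, then unmask: the output must rise.
 * Returns the output level after the unmask (1 expected). */
static int unmask_after_fire(void (*ctl_write)(GTimer *, uint32_t))
{
    GTimer t = { 0, 0, false };
    ctl_write(&t, GT_ENABLE | GT_IMASK);
    gt_timer_fire(&t);            /* ISTATUS set, output stays low: masked */
    ctl_write(&t, GT_ENABLE);     /* unmask */
    return t.irq_line;
}

int main(void)
{
    printf("buggy handler: irq after unmask = %d\n", unmask_after_fire(gt_ctl_write_buggy));
    printf("fixed handler: irq after unmask = %d\n", unmask_after_fire(gt_ctl_write));
    return 0;
}
```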


  Commit: 0d38666664f9805535766c5d5feb5c849cf793db
      
https://github.com/qemu/qemu/commit/0d38666664f9805535766c5d5feb5c849cf793db
  Author: Cornelia Huck <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M hw/s390x/css.c

  Log Message:
  -----------
  s390x/css: handle emw correctly for tsch

We should not try to store the emw portion of the irb if extended
measurements are not applicable. In particular, we should not surprise
the guest by storing a larger irb if it did not enable extended
measurements.

Cc: address@hidden
Reviewed-by: David Hildenbrand <address@hidden>
Tested-by: Christian Borntraeger <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit f068d320def7fd83bf0fcdca37b305f1c2ac5413)
Signed-off-by: Michael Roth <address@hidden>


  Commit: df54f5efed9b3be7f40e14113cc1f13f5889e644
      
https://github.com/qemu/qemu/commit/df54f5efed9b3be7f40e14113cc1f13f5889e644
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M async.c

  Log Message:
  -----------
  aio: fix qemu_bh_schedule() bh->ctx race condition

qemu_bh_schedule() is supposed to be thread-safe at least the first time
it is called.  Unfortunately this is not quite true:

  bh->scheduled = 1;
  aio_notify(bh->ctx);

Since another thread may run the BH callback once it has been scheduled,
there is a race condition if the callback frees the BH before
aio_notify(bh->ctx) has a chance to run.

Reported-by: Stefan Priebe <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Tested-by: Stefan Priebe <address@hidden>
(cherry picked from commit 924fe1293c3e7a3c787bbdfb351e7f168caee3e9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ba980a52d65a2eb20aba22a7cd3cd9de1fc9cbdc
      
https://github.com/qemu/qemu/commit/ba980a52d65a2eb20aba22a7cd3cd9de1fc9cbdc
  Author: Gonglei <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M qga/commands-win32.c

  Log Message:
  -----------
  qga: Fix handle fd leak in acquire_privilege()

token should be closed in all conditions.
So move CloseHandle(token) to "out" branch.

Signed-off-by: Wang Rui <address@hidden>
Signed-off-by: Gonglei <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
(cherry picked from commit 374044f08fe18a18469b981812cd8695f5b3569c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: fe7e98c46e188f9b124fe2b3aa55784dad8aa461
      
https://github.com/qemu/qemu/commit/fe7e98c46e188f9b124fe2b3aa55784dad8aa461
  Author: ChenLiang <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M arch_init.c

  Log Message:
  -----------
  migration: remove duplicate code

version_id is checked twice in the ram_load.

Signed-off-by: ChenLiang <address@hidden>
Signed-off-by: Gonglei <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit 21a246a43b606ee833f907d589d8dcbb54a2761e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 86cfc1044047ae969da74766f436a4bda51db337
      
https://github.com/qemu/qemu/commit/86cfc1044047ae969da74766f436a4bda51db337
  Author: Chen Gang <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M arch_init.c

  Log Message:
  -----------
  arch_init: Be sure of only one exit entry with DPRINTF() for ram_load()

When DPRINTF() has effect, the original author wants to print all
ram_load() calling results. So we need to use 'goto' instead of 'return'
within ram_load(), just as other areas have done.

Signed-off-by: Chen Gang <address@hidden>
Signed-off-by: Michael Tokarev <address@hidden>
(cherry picked from commit 4798fe55c4d539ddf8c7f5befcddfa145b3c6102)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6ea6bd5d7594eabfbc94a2dc1aaf10cb81c88e55
      
https://github.com/qemu/qemu/commit/6ea6bd5d7594eabfbc94a2dc1aaf10cb81c88e55
  Author: Peter Lieven <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M arch_init.c
    M migration.c

  Log Message:
  -----------
  migration: catch unknown flags in ram_load

If a saved VM has unknown flags in the memory data, QEMU
currently simply ignores the flag and continues, which
yields an unpredictable result.

This patch catches all unknown flags and aborts the
loading of the vm. Additionally error reports are thrown
if the migration aborts abnormally.

Signed-off-by: Peter Lieven <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit db80facefa62dff42bb50c73b0f03eda5f732b49)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0f00455b4c2fa7350c26725864cdf6bf1a3576ae
      
https://github.com/qemu/qemu/commit/0f00455b4c2fa7350c26725864cdf6bf1a3576ae
  Author: Michael R. Hines <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M migration-rdma.c

  Log Message:
  -----------
  rdma: bug fixes

1. Fix small memory leak in parsing inet address from command line in data_init()
2. Fix ibv_post_send() return value check and pass error code back up correctly.
3. Fix rdma_destroy_qp() segfault after failure to connect to destination.

Reported-by: address@hidden
Reported-by: address@hidden
Signed-off-by: Michael R. Hines <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit e325b49a320b493cc5d69e263751ff716dc458fe)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d728dafe5aa16de7f0dd36f2cc18f10767e0b60c
      
https://github.com/qemu/qemu/commit/d728dafe5aa16de7f0dd36f2cc18f10767e0b60c
  Author: Markus Armbruster <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M hw/core/qdev.c
    M hw/intc/i8259.c
    M hw/timer/i8254.c

  Log Message:
  -----------
  hw: Consistently name Error ** objects errp, and not err

Signed-off-by: Markus Armbruster <address@hidden>
Signed-off-by: Andreas Färber <address@hidden>
(cherry picked from commit a7737e4496aa3c1c8c3a4b4b9d5e44875fe21e12)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ab139bf9d278e7ce4fe83d81a4a01b51c7d82091
      
https://github.com/qemu/qemu/commit/ab139bf9d278e7ce4fe83d81a4a01b51c7d82091
  Author: Paolo Bonzini <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M hw/core/qdev.c

  Log Message:
  -----------
  qdev: reorganize error reporting in bus_set_realized

No semantic change.

Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
Tested-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Andreas Färber <address@hidden>
(cherry picked from commit b7b34d055d82abaa511b35c9fc24efbb63dca0b1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 88efef64db627c5fa26af2abf943bdb94c03eeb9
      
https://github.com/qemu/qemu/commit/88efef64db627c5fa26af2abf943bdb94c03eeb9
  Author: Paolo Bonzini <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M hw/core/qdev.c

  Log Message:
  -----------
  qdev: recursively unrealize devices when unrealizing bus

When the patch was posted that became 5c21ce7 (qdev: Realize buses
on device realization, 2014-03-12), it included recursive realization
and unrealization of devices when the bus's "realized" property
was toggled.

However, due to the same old worries about recursive realization
and prerequisites not being realized yet, those hunks were dropped when
committing the patch.  Unfortunately, this causes a use-after-free bug
(easily reproduced by a PCI hot-unplug action).

Before the patch, device_unparent behaved as follows:

   for each child bus
     unparent bus ----------------------------.
     | for each child device                  |
     |   unparent device ---------------.     |
     |   | unrealize device             |     |
     |   | call dc->unparent            |     |
     |   '-------------------------------     |
     '----------------------------------------'
   unrealize device

After the patch, it behaves as follows instead:

   unrealize device --------------------.
   | for each child bus                 |
   |   unrealize bus               (A)  |
   '------------------------------------'
   for each child bus
     unparent bus ----------------------.
     | for each child device            |
     |   unrealize device          (B)  |
     |   call dc->unparent              |
     '----------------------------------'

At the step marked (B) the device might use data from the bus that is
not available anymore due to step (A).

To fix this, we need to unrealize devices before step (A).  To sidestep
concerns about recursive realization, only do recursive unrealization
and leave the "value && !bus->realized" case as it is.

The resulting flow is:

   for each child bus
     unrealize bus ---------------------.
     | for each child device            |
     |   unrealize device          (B)  |
     | call bc->unrealize          (A)  |
     '----------------------------------'
   unrealize device
   for each child bus
     unparent bus ----------------------.
     | for each child device            |
     |   unparent device                |
     '----------------------------------'

where everything is "powered down" before it is unassembled.

Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
Tested-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Andreas Färber <address@hidden>
(cherry picked from commit 5942a19040fed313b316ab7b6e3d2d8e7b1625bb)
Signed-off-by: Michael Roth <address@hidden>
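The two teardown orders drawn in the commit message above, as an added C model that is not part of QEMU or of the commit. A root device owns one bus with two child devices; the bus owns a resource that `bc->unrealize` (step A) releases, and `device_unrealize` (step B) consults that resource. Running both flows over the same small tree counts how many child devices touch the bus resource after it is gone. All type and function names here (`Bus`, `Device`, `old_flow`, `new_flow`, `run_flow`, `demo_old_flow`, `demo_new_flow`) are hypothetical stand-ins, and the "released" state is recorded as a NULL pointer so the bad access is counted rather than being a real use-after-free.

```c
#include <stdlib.h>

typedef struct Bus Bus;
typedef struct Device Device;

#define MAX_CHILDREN 4

struct Bus {
    Device *children[MAX_CHILDREN];
    int nchildren;
    int *resource;     /* bus-owned data released by bc->unrealize (step A) */
};

struct Device {
    Bus *parent_bus;   /* NULL for the root device */
    Bus *child_buses[MAX_CHILDREN];
    int nbuses;
    int realized;
};

static int bad_reads;  /* accesses to a bus resource after it was released */

/* Device unrealize consults data owned by its parent bus (step B). */
static void device_unrealize(Device *d)
{
    if (!d->realized) return;
    if (d->parent_bus && d->parent_bus->resource == NULL) {
        bad_reads++;   /* in real code this would be a use-after-free */
    }
    d->realized = 0;
}

static void bus_unrealize_own(Bus *b)   /* step A: the bus releases its data */
{
    free(b->resource);
    b->resource = NULL;
}

static void device_unparent(Device *d) { (void)d; }  /* dc->unparent stand-in */

/* Flow before the fix: the device is unrealized first, which releases its
 * child buses (A); the child devices are only unrealized while unparenting. */
void old_flow(Device *root)
{
    device_unrealize(root);
    for (int i = 0; i < root->nbuses; i++) bus_unrealize_own(root->child_buses[i]); /* (A) */
    for (int i = 0; i < root->nbuses; i++) {
        Bus *b = root->child_buses[i];
        for (int j = 0; j < b->nchildren; j++) {
            device_unrealize(b->children[j]);   /* (B): bus data already gone */
            device_unparent(b->children[j]);
        }
    }
}

/* Flow after the fix: unrealize every child device, then the bus itself,
 * then the parent device; only afterwards unparent anything. */
void new_flow(Device *root)
{
    for (int i = 0; i < root->nbuses; i++) {
        Bus *b = root->child_buses[i];
        for (int j = 0; j < b->nchildren; j++) device_unrealize(b->children[j]); /* (B) */
        bus_unrealize_own(b);                                                    /* (A) */
    }
    device_unrealize(root);
    for (int i = 0; i < root->nbuses; i++) {
        Bus *b = root->child_buses[i];
        for (int j = 0; j < b->nchildren; j++) device_unparent(b->children[j]);
    }
}

/* Builds root -> bus -> {dev0, dev1} (constructed), runs one flow and
 * returns how many child devices saw a released bus resource. */
static int run_flow(void (*flow)(Device *))
{
    Device root = {0}, dev0 = {0}, dev1 = {0};
    Bus bus = {0};
    bus.resource = malloc(sizeof(int));
    *bus.resource = 42;
    bus.children[0] = &dev0; bus.children[1] = &dev1; bus.nchildren = 2;
    dev0.parent_bus = dev1.parent_bus = &bus;
    dev0.realized = dev1.realized = root.realized = 1;
    root.child_buses[0] = &bus; root.nbuses = 1;
    bad_reads = 0;
    flow(&root);
    return bad_reads;
}

int demo_old_flow(void) { return run_flow(old_flow); }   /* 2: both children hit (A) */
int demo_new_flow(void) { return run_flow(new_flow); }   /* 0: powered down before unassembled */
```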


  Commit: eb3eb3dd36f2c71146f744b93b8a8d1d81e83e4b
      
https://github.com/qemu/qemu/commit/eb3eb3dd36f2c71146f744b93b8a8d1d81e83e4b
  Author: Ulrich Obergfell <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M hw/scsi/scsi-disk.c

  Log Message:
  -----------
  scsi-disk: fix bug in scsi_block_new_request() introduced by commit 137745c

This patch fixes a bug in scsi_block_new_request() that was introduced
by commit 137745c5c60f083ec982fe9e861e8c16ebca1ba8. If the host cache
is used - i.e. if BDRV_O_NOCACHE is _not_ set - the 'break' statement
needs to be executed to 'fall back' to SG_IO.

Cc: address@hidden
Signed-off-by: Ulrich Obergfell <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 2fe5a9f73b3446690db2cae8a58473b0b4beaa32)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8dedaf0f7037baa6c5b0b06a6eccfb120dcead44
      
https://github.com/qemu/qemu/commit/8dedaf0f7037baa6c5b0b06a6eccfb120dcead44
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M hw/virtio/vhost.c

  Log Message:
  -----------
  vhost: fix resource leak in error handling

vhost_verify_ring_mappings leaks mappings on error.
Fix this up.

Cc: address@hidden
Signed-off-by: Michael S. Tsirkin <address@hidden>

(cherry picked from commit 8617343faae6ba7e916137c6c9e3ef22c00565d8)
Signed-off-by: Michael Roth <address@hidden>


  Commit: aa69eda237ccac63c355d8520ea11175900ace78
      
https://github.com/qemu/qemu/commit/aa69eda237ccac63c355d8520ea11175900ace78
  Author: Ming Lei <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M hw/scsi/vhost-scsi.c
    M hw/scsi/virtio-scsi.c
    M include/hw/virtio/virtio-scsi.h

  Log Message:
  -----------
  virtio-scsi: define dummy handle_output for vhost-scsi vqs

vhost userspace needn't handle the vq's notification from the guest,
so define a dummy handle_output callback for all vqs of vhost-scsi.

In some corner cases (such as when handling the vq's reset from the VM), virtio-pci
still tries to handle pending virtio-scsi events, and then the object check failure
inside virtio_scsi_handle_event() for vhost-scsi can be triggered.

The issue can be reproduced by 'rmmod virtio-scsi', 'system sleep' or reboot
inside VM.

Cc: address@hidden
Cc: Anthony Liguori <address@hidden>
Cc: "Michael S. Tsirkin" <address@hidden>
Cc: Paolo Bonzini <address@hidden>
Signed-off-by: Ming Lei <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 91d670fbf9945ca4ecbd123affb36889e7fe8a5d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6ef0b7a992d1361a801a015e7a83443951efcb0f
      
https://github.com/qemu/qemu/commit/6ef0b7a992d1361a801a015e7a83443951efcb0f
  Author: Hani Benhabiles <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M hw/usb/dev-bluetooth.c

  Log Message:
  -----------
  usb: Fix usb-bt-dongle initialization.

Due to an incomplete initialization, adding a usb-bt-dongle device through HMP
or QMP will cause a segmentation fault.

Signed-off-by: Hani Benhabiles <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit c340a284f382a5f40774521f41b4bade76ddfa58)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 552e70d844bfe55e3c73151bf428699dae6df384
      
https://github.com/qemu/qemu/commit/552e70d844bfe55e3c73151bf428699dae6df384
  Author: Alexander Graf <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M kvm-all.c

  Log Message:
  -----------
  KVM: Fix GSI number space limit

KVM tells us the number of GSIs it can handle inside the kernel. That value is
basically KVM_MAX_IRQ_ROUTES. However when we try to set the GSI mapping table,
it checks for

    r = -EINVAL;
    if (routing.nr >= KVM_MAX_IRQ_ROUTES)
        goto out;

erroring out even when we're only using all of the GSIs. To make sure we never
hit that limit, let's reduce the number of GSIs we get from KVM by one.

Cc: address@hidden
Signed-off-by: Alexander Graf <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 00008418aa22700f6c49e794e79f53aeb157d10f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 84461c74b7150a5f38620d6fe9e5585cde3d4977
      
https://github.com/qemu/qemu/commit/84461c74b7150a5f38620d6fe9e5585cde3d4977
  Author: Eduardo Habkost <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M hw/i386/pc_q35.c

  Log Message:
  -----------
  q35: Use PC_Q35_COMPAT_1_4 on pc-q35-1.4 compat_props

pc-q35-1.4 was incorrectly using PC_COMPAT_1_4 instead of
PC_Q35_COMPAT_1_4.

The only side-effect was that the hpet compat property (inherited from
PC_Q35_COMPAT_1_7) was missing.

Without this patch, pc-q35-1.4 incorrectly initializes hpet-intcap to
0xff0104 (behavior introduced in QEMU 2.0, by commit
7a10ef51c2397ac4323bc786af02c58b413b5cd2).

Signed-off-by: Eduardo Habkost <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>

Reviewed-by: Markus Armbruster <address@hidden>
(cherry picked from commit 48cb7f3c1526b4632bd63d945cac80d26616d6f5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e4b3a2b349182e395344dd4426a019056e37bcaa
      
https://github.com/qemu/qemu/commit/e4b3a2b349182e395344dd4426a019056e37bcaa
  Author: Peter Maydell <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M coroutine-win32.c

  Log Message:
  -----------
  coroutine-win32.c: Add noinline attribute to work around gcc bug

A gcc codegen bug in x86_64-w64-mingw32-gcc (GCC) 4.6.3 means that
non-debug builds of QEMU for Windows tend to assert when using
coroutines. Work around this by marking qemu_coroutine_switch
as noinline.

If we allow gcc to inline qemu_coroutine_switch into
coroutine_trampoline, then it hoists the code to get the
address of the TLS variable "current" out of the while() loop.
This is an invalid transformation because the SwitchToFiber()
call may be called when running thread A but return in thread B,
and so we might be in a different thread context each time
round the loop. This can happen quite often.  Typically,
a coroutine is started when a VCPU thread does bdrv_aio_readv:

     VCPU thread

     main VCPU thread coroutine      I/O coroutine
  bdrv_aio_readv ----->
                               start I/O operation
                                 thread_pool_submit_co
                 <------------ yields
  back to emulation

Then I/O finishes and the thread-pool.c event notifier triggers in
the I/O thread.  event_notifier_ready calls thread_pool_co_cb, and
the I/O coroutine now restarts *in another thread*:

     iothread

     main iothread coroutine         I/O coroutine (formerly in VCPU thread)
  event_notifier_ready
    thread_pool_co_cb ----->   current = I/O coroutine;
                               call AIO callback

But on Win32, because of the bug, the "current" being set here is the
current coroutine of the VCPU thread, not the iothread.

noinline is a good-enough workaround, and quite unlikely to break in
the future.

(Thanks to Paolo Bonzini for assistance in diagnosing the problem
and providing the detailed example/ascii art quoted above.)

Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Reviewed-by: Paolo Bonzini <address@hidden>
Reviewed-by: Richard Henderson <address@hidden>
(cherry picked from commit ff4873cb8c81db89668d8b56e19e57b852edb5f5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a1d82075ab013db174f89a03f21237007aa87a76
      
https://github.com/qemu/qemu/commit/a1d82075ab013db174f89a03f21237007aa87a76
  Author: Max Filippov <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M hw/xtensa/xtensa_lx60.c

  Log Message:
  -----------
  hw/xtensa/xtfpga: fix FLASH mapping to boot region for KC705

On KC705 bootloader area is located at FLASH offset 0x06000000, not 0 as
on older xtfpga boards.

Cc: address@hidden
Signed-off-by: Max Filippov <address@hidden>
(cherry picked from commit 37ed7c4b24f265c2a8c7248666544c9755514ec2)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f9ac1dc507696c9b3b6fde7f6293811ac2cb299c
      
https://github.com/qemu/qemu/commit/f9ac1dc507696c9b3b6fde7f6293811ac2cb299c
  Author: Eduardo Habkost <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M target-i386/cpu.c

  Log Message:
  -----------
  target-i386: Make TCG feature filtering more readable

Instead of an #ifdef in the middle of the code, just set
TCG_EXT2_FEATURES to a different value depending on TARGET_X86_64.

Reviewed-by: Richard Henderson <address@hidden>
Signed-off-by: Eduardo Habkost <address@hidden>
Signed-off-by: Andreas Färber <address@hidden>
(cherry picked from commit a42d9938a162c3e3c9e441d1927dca5bd59167d9)

Conflicts:
        target-i386/cpu.c

*removed dependency on 77549a78

Signed-off-by: Michael Roth <address@hidden>


  Commit: b2f0e9240bf42025494098f72649fad196f9d0f0
      
https://github.com/qemu/qemu/commit/b2f0e9240bf42025494098f72649fad196f9d0f0
  Author: Eduardo Habkost <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M target-i386/cpu.c

  Log Message:
  -----------
  target-i386: Filter FEAT_7_0_EBX TCG features too

The TCG_7_0_EBX_FEATURES macro was defined but never used (it even had a
typo that was never noticed). Make the existing TCG feature filtering
code use it.

Reviewed-by: Richard Henderson <address@hidden>
Signed-off-by: Eduardo Habkost <address@hidden>
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>
(cherry picked from commit d0a70f46fa9a3257089a56f2f620b0eff868557f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4ce91be0c31a19463d05ea3c850984b453171486
      
https://github.com/qemu/qemu/commit/4ce91be0c31a19463d05ea3c850984b453171486
  Author: Cédric Le Goater <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: byteswap virtio-net header

TCP connectivity fails when the guest has a different endianness.
The packets are silently dropped on the host by the tap backend
when they are read from user space because the endianness of the
virtio-net header is in the wrong order. These lines may appear
in the guest console:

[  454.709327] skbuff: bad partial csum: csum=8704/4096 len=74
[  455.702554] skbuff: bad partial csum: csum=8704/4096 len=74

The issue was first spotted with a ppc64le PowerKVM guest,
but it also exists for the less common case of an x86_64 guest run
by a big-endian ppc64 TCG hypervisor.

Signed-off-by: Cédric Le Goater <address@hidden>
[ Ported from PowerKVM,
  Greg Kurz <address@hidden> ]
Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>

(cherry picked from commit 032a74a1c0fcdd5fd1c69e56126b4c857ee36611)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9221efd7750e255dbbba4a6c8fd30acb0db68399
      
https://github.com/qemu/qemu/commit/9221efd7750e255dbbba4a6c8fd30acb0db68399
  Author: Alexander Graf <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M hw/char/virtio-serial-bus.c

  Log Message:
  -----------
  virtio-serial: don't migrate the config space

The device configuration is set at realize time and never changes. It
should not be migrated as it is done today. For the sake of compatibility,
let's just skip them at load time.

Signed-off-by: Alexander Graf <address@hidden>
[ added missing casts to uint16_t *,
  added From, SoB and commit message,
  Greg Kurz <address@hidden> ]
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>

(cherry picked from commit e38e943a1fa20d04deb1899be19b12aadec7a585)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 01083f16de92db2cab5a75cd9918a20df2b2fd2c
      
https://github.com/qemu/qemu/commit/01083f16de92db2cab5a75cd9918a20df2b2fd2c
  Author: Hani Benhabiles <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M blockdev-nbd.c

  Log Message:
  -----------
  nbd: Don't export a block device with no medium.

The device is exported with erroneous values and can't be read.

Before the patch:
$ sudo nbd-client localhost -p 10809 /dev/nbd0 -name floppy0
Negotiation: ..size = 17592186044415MB
bs=1024, sz=18446744073709547520 bytes

$ sudo mount /dev/nbd0 /mnt/tmp/
mount: block device /dev/nbd0 is write-protected, mounting read-only
mount: /dev/nbd0: can't read superblock

After the patch:
(qemu) nbd_server_add ide0-hd0
(qemu) nbd_server_add floppy0
Device 'floppy0' has no medium

Signed-off-by: Hani Benhabiles <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 60fe4fac22895576973e317d7148b084c31cc64c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 80cfe4a43fab48f22b3a348cbd39e3447271775b
      
https://github.com/qemu/qemu/commit/80cfe4a43fab48f22b3a348cbd39e3447271775b
  Author: Hani Benhabiles <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M nbd.c

  Log Message:
  -----------
  nbd: Don't validate from and len in NBD_CMD_DISC.

These values aren't used in this case.

Currently, the from field in the request sent by the nbd kernel module leads
to a false error message when ending the connection with the client.

$ qemu-nbd some.img -v
// After nbd-client -d /dev/nbd0
nbd.c:nbd_trip():L1031: From: 18446744073709551104, Len: 0, Size: 20971520,
Offset: 0
nbd.c:nbd_trip():L1032: requested operation past EOF--bad client?
nbd.c:nbd_receive_request():L638: read failed

Signed-off-by: Hani Benhabiles <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 8c5d1abbb79193dca8e4823ef53d8d1e650362ae)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3f977a5be8f65fa13ca90189857fbce823338c2b
      
https://github.com/qemu/qemu/commit/3f977a5be8f65fa13ca90189857fbce823338c2b
  Author: Hani Benhabiles <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M blockdev-nbd.c
    M qemu-nbd.c

  Log Message:
  -----------
  nbd: Close socket on negotiation failure.

Otherwise, the nbd client may hang waiting for the server response.

Signed-off-by: Hani Benhabiles <address@hidden>
Acked-by: Paolo Bonzini <address@hidden>
Signed-off-by: Michael Tokarev <address@hidden>
(cherry picked from commit 36af599417dde11747a27dc8550ff2281657a8ff)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 41971817a66d768e5ef8cb60891fcd77e05c924e
      
https://github.com/qemu/qemu/commit/41971817a66d768e5ef8cb60891fcd77e05c924e
  Author: Hani Benhabiles <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M blockdev-nbd.c
    M qemu-nbd.c

  Log Message:
  -----------
  nbd: Shutdown socket before closing.

This forces data sending to the client to finish before closing the socket, as in
the export-listing and NBD_REP_ERR_UNSUP-reply cases.

Signed-off-by: Hani Benhabiles <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 27e5eae4577316f7e86a56eb7363d4e78f79e3e5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b5706a74b1307830d8d501413d197e1ab8a7324e
      
https://github.com/qemu/qemu/commit/b5706a74b1307830d8d501413d197e1ab8a7324e
  Author: Gabriel L. Somlo <address@hidden>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M hw/i386/pc.c
    M hw/i386/pc_piix.c
    M hw/i386/pc_q35.c
    M hw/i386/smbios.c
    M include/hw/i386/smbios.h

  Log Message:
  -----------
  SMBIOS: Rename symbols to better reflect future use

Rename the following symbols:

  - smbios_set_type1_defaults() to the more general smbios_set_defaults();
  - bool smbios_type1_defaults to the more general smbios_defaults;
  - smbios_get_table() to smbios_get_table_legacy();

This patch contains no functional changes.

Signed-off-by: Gabriel Somlo <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit e6667f719caa7b5edcb491f61a7744f6a6affd27)

Conflicts:
        hw/i386/pc_piix.c
        hw/i386/pc_q35.c

*removed dependency on 3458b2b0

Signed-off-by: Michael Roth <address@hidden>


  Commit: cab7dfcb062d22d2af68756c6b79eebc830e86e1
      
https://github.com/qemu/qemu/commit/cab7dfcb062d22d2af68756c6b79eebc830e86e1
  Author: Don Slutz <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M hw/i386/pc_piix.c

  Log Message:
  -----------
  pc: make isapc and pc-0.10 to pc-0.13 have 1.7.0 memory layout

QEMU 2.0 changed memory layout for isapc and pc-0.10 to pc-0.13.
This prevents migration from QEMU 1.7.0 for these
machine types when -m 3.5G is specified.

Paolo Bonzini asked that:

    smbios_legacy_mode = true;
    has_reserved_memory = false;
    option_rom_has_mr = true;
    rom_file_has_mr = false;

also be done.

Cc: address@hidden
Cc: Paolo Bonzini <address@hidden>
Signed-off-by: Don Slutz <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Fixes: https://bugs.launchpad.net/qemu/+bug/1334307
Tested-by: "Slutz, Donald Christopher" <address@hidden>
(cherry picked from commit 5f8632d3c3d7bc5ef24166ba7cf90fcfb2adbf7d)

Conflicts:
        hw/i386/pc_piix.c

*removed dependency on c97294ec: smbios_legacy_mode always true pre-2.1.0
*removed dependency on de268e13: has_reserved_memory always false pre-2.1.0

Signed-off-by: Michael Roth <address@hidden>


  Commit: 7be09afb615682da0d162ebc0259b185f73725eb
      
https://github.com/qemu/qemu/commit/7be09afb615682da0d162ebc0259b185f73725eb
  Author: Andreas Färber <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M hw/sd/sdhci.c

  Log Message:
  -----------
  sdhci: Fix misuse of qemu_free_irqs()

It does a g_free() on the pointer, so don't pass a local &foo reference.

Reviewed-by: Peter Crosthwaite <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>
(cherry picked from commit 127a4e1a51c038ec9167083b65d376dddcc64530)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 347744507794a96b0125a8b395ae30ff952004a2
      
https://github.com/qemu/qemu/commit/347744507794a96b0125a8b395ae30ff952004a2
  Author: Andreas Färber <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M hw/arm/omap1.c
    M hw/arm/omap2.c
    M hw/arm/pxa2xx.c
    M hw/arm/spitz.c
    M hw/arm/z2.c
    M hw/core/irq.c
    M hw/dma/omap_dma.c
    M hw/ide/microdrive.c
    M hw/misc/cbus.c
    M hw/pcmcia/pxa2xx.c
    M hw/sd/omap_mmc.c
    M hw/sd/sdhci.c
    M hw/sh4/sh7750.c
    M hw/timer/omap_gptimer.c

  Log Message:
  -----------
  hw: Fix qemu_allocate_irqs() leaks

Replace qemu_allocate_irqs(foo, bar, 1)[0]
with qemu_allocate_irq(foo, bar, 0).

This avoids leaking the dereferenced qemu_irq *.

Cc: Markus Armbruster <address@hidden>
Reviewed-by: Peter Crosthwaite <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Andreas Färber <address@hidden>
[PC Changes:
 * Applied change to instance in sh4/sh7750.c
]
Signed-off-by: Peter Crosthwaite <address@hidden>
Reviewed-by: Kirill Batuzov <address@hidden>
[AF: Fix IRQ index in sh4/sh7750.c]
Cc: address@hidden
Signed-off-by: Andreas Färber <address@hidden>

(cherry picked from commit f3c7d0389fe8a2792fd4c1cf151b885de03c8f62)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 48935f029f5ae7f6bd6f01b2c942a7f2f1a7bc9a
      
https://github.com/qemu/qemu/commit/48935f029f5ae7f6bd6f01b2c942a7f2f1a7bc9a
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: out-of-bounds buffer write on invalid state load

CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
address@hidden/virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);

    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit cc45995294b92d95319b4782750a3580cabdbc0c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3bb84a6c988e59892b0ca2a143805f92eb4b04ba
      
https://github.com/qemu/qemu/commit/3bb84a6c988e59892b0ca2a143805f92eb4b04ba
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: validate config_len on load

Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, check that config_len matches on both sides.

CVE-2014-0182

Reported-by: "Dr. David Alan Gilbert" <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>

--

v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <address@hidden>
(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 55103ab3b4f1ab43adb02a5ea52db132f96413fe
      
https://github.com/qemu/qemu/commit/55103ab3b4f1ab43adb02a5ea52db132f96413fe
  Author: Dr. David Alan Gilbert <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  Allow mismatched virtio config-len

Commit 'virtio: validate config_len on load' restricted config_len
loaded from the wire to match the config_len that the device had.

Unfortunately, there are cases where this isn't true, the one
we found it on was the wce addition in virtio-blk.

Allow mismatched config-lengths:
   *) If the version on the wire is shorter then fine
   *) If the version on the wire is longer, load what we have space
      for and skip the rest.

(This is address@hidden's rework of what I originally posted)

Signed-off-by: Dr. David Alan Gilbert <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 2f5732e9648fcddc8759a8fd25c0b41a38352be6)
Signed-off-by: Michael Roth <address@hidden>
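The three virtio load fixes above (the unbounded queue count of CVE-2013-4151, the config_len heap overflow of CVE-2014-0182, and the relaxed "load what fits, skip the rest" handling that followed) share one lesson: a length or count read from a migration stream indexes fixed-size arrays on the destination and must be bounded by those arrays, not trusted. The following added C example, which is not QEMU code, shows a simplified loader doing both checks over constructed byte streams. `VIRTIO_QUEUE_MAX`, `CONFIG_MAX`, the `Stream` reader and the `demo_*` functions are hypothetical; the wire layout (a big-endian count followed by per-queue sizes, and a big-endian length followed by config bytes) is a simplification of the real format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical sizes standing in for the destination's fixed arrays. */
#define VIRTIO_QUEUE_MAX 64
#define CONFIG_MAX       32

typedef struct {
    uint32_t vring_num[VIRTIO_QUEUE_MAX];  /* per-queue ring sizes */
    uint32_t nvqs;                         /* queues actually loaded */
    uint8_t  config[CONFIG_MAX];           /* device config space */
    size_t   config_len;                   /* bytes of config this device has */
} VirtIOLoadState;

/* Minimal big-endian reader over an in-memory byte buffer. */
typedef struct { const uint8_t *p; size_t len, pos; } Stream;

static int get_be32(Stream *s, uint32_t *out)
{
    if (s->len - s->pos < 4) return -1;            /* truncated stream */
    const uint8_t *b = s->p + s->pos;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
    s->pos += 4;
    return 0;
}

static int get_buffer(Stream *s, uint8_t *dst, size_t n)
{
    if (s->len - s->pos < n) return -1;
    memcpy(dst, s->p + s->pos, n);
    s->pos += n;
    return 0;
}

static int skip_bytes(Stream *s, size_t n)
{
    if (s->len - s->pos < n) return -1;
    s->pos += n;
    return 0;
}

/* The queue count from the wire must be bounded by the array it indexes.
 * Returns 0 on success, -1 on a truncated stream, -2 if num is too large. */
int virtio_load_vqs(Stream *s, VirtIOLoadState *vdev)
{
    uint32_t num;
    if (get_be32(s, &num) < 0) return -1;
    if (num > VIRTIO_QUEUE_MAX) return -2;         /* the check the old code lacked */
    vdev->nvqs = num;
    for (uint32_t i = 0; i < num; i++) {
        if (get_be32(s, &vdev->vring_num[i]) < 0) return -1;
    }
    return 0;
}

/* The config length on the wire may differ from the device's own: copy what
 * there is room for and skip any excess rather than trusting the wire value. */
int virtio_load_config(Stream *s, VirtIOLoadState *vdev)
{
    uint32_t wire_len;
    if (get_be32(s, &wire_len) < 0) return -1;
    size_t n = wire_len < vdev->config_len ? wire_len : vdev->config_len;
    if (get_buffer(s, vdev->config, n) < 0) return -1;
    if (wire_len > n && skip_bytes(s, wire_len - n) < 0) return -1;
    return 0;
}

/* Constructed sample streams (not captured from a real migration). */
static const uint8_t GOOD_VQS[] = { 0,0,0,2, 0,0,1,0, 0,0,0,128 }; /* 2 vqs: 256, 128 */
static const uint8_t HUGE_VQS[] = { 0,0,0x10,0 };                   /* num = 4096 */
static const uint8_t LONG_CFG[] = { 0,0,0,4, 0xAA,0xBB,0xCC,0xDD }; /* 4 config bytes */

int demo_good_vqs(void)    /* returns the number of queues loaded */
{
    Stream s = { GOOD_VQS, sizeof GOOD_VQS, 0 };
    VirtIOLoadState v;
    memset(&v, 0, sizeof v);
    if (virtio_load_vqs(&s, &v) != 0 || v.vring_num[1] != 128) return -1;
    return (int)v.nvqs;
}

int demo_huge_vqs(void)    /* returns the rejection code instead of overrunning */
{
    Stream s = { HUGE_VQS, sizeof HUGE_VQS, 0 };
    VirtIOLoadState v;
    memset(&v, 0, sizeof v);
    return virtio_load_vqs(&s, &v);
}

int demo_long_config(void) /* device has 2 config bytes, the wire carries 4 */
{
    Stream s = { LONG_CFG, sizeof LONG_CFG, 0 };
    VirtIOLoadState v;
    memset(&v, 0, sizeof v);
    v.config_len = 2;
    if (virtio_load_config(&s, &v) != 0) return -1;
    if (v.config[0] != 0xAA || v.config[1] != 0xBB || v.config[2] != 0) return -1;
    return (int)s.pos;     /* 8: all four wire bytes consumed, two stored */
}
```

Skipping the excess bytes, rather than leaving them in the stream, matters as much as the bound itself: if the loader stopped after copying `n` bytes, the leftover config bytes would be parsed as whatever field comes next.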


  Commit: 210ec8f757f0945f0d47ecbaee43b87a7ba0c141
      
https://github.com/qemu/qemu/commit/210ec8f757f0945f0d47ecbaee43b87a7ba0c141
  Author: Le Tan <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M hw/pci/pci.c

  Log Message:
  -----------
  pci: assign devfn to pci_dev before calling pci_device_iommu_address_space()

In function do_pci_register_device() in file hw/pci/pci.c, move the assignment
of pci_dev->devfn to the position before the call to
pci_device_iommu_address_space(pci_dev) which will use the value of
pci_dev->devfn.

Fixes: 9eda7d373e9c691c070eddcbe3467b991f67f6bd
    pci: Introduce helper to retrieve a PCI device's DMA address space

Cc: address@hidden
Signed-off-by: Le Tan <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit efc8188e9398e54567b238b756eec2cc746cd2a4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ad0d18317513e40b8300d50871dc2d223d9a035f
      
https://github.com/qemu/qemu/commit/ad0d18317513e40b8300d50871dc2d223d9a035f
  Author: Paolo Bonzini <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M hw/timer/mc146818rtc.c

  Log Message:
  -----------
  mc146818rtc: register the clock reset notifier on the right clock

Commit 884f17c (aio / timers: Convert rtc_clock to be a QEMUClockType,
2013-08-21) erroneously changed an occurrence of rtc_clock to
QEMU_CLOCK_REALTIME, which broke the RTC reset notifier in
mc146818rtc.  Fix this.

I redid the patch myself since the original reporter did not sign
off on his.

Cc: address@hidden
Reported-by: Lb peace <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 13c0cbaec5698f3984606e52bfcfb63ddfc29f00)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5a782bbcaed259a1113ac310a2c9f648af1e7ac0
      
https://github.com/qemu/qemu/commit/5a782bbcaed259a1113ac310a2c9f648af1e7ac0
  Author: Stefano Stabellini <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M disas/Makefile.objs
    M disas/libvixl/Makefile.objs

  Log Message:
  -----------
  disas/libvixl: prepend the include path of libvixl header files

Currently the Makefile of disas/libvixl appends
-I$(SRC_PATH)/disas/libvixl to QEMU_CFLAGS. As a consequence C++ files
that #include "utils.h", such as disas/libvixl/a64/instructions-a64.cc,
are going to look for utils.h on all the other include paths first.

When building QEMU as part of the Xen make system, another unrelated
utils.h file is going to be chosen for inclusion, causing a build
failure:

In file included from disas/libvixl/a64/instructions-a64.cc:27:0:
/qemu/disas/libvixl/a64/instructions-a64.h:88:64: error:
'rawbits_to_float' was not declared in this scope
 const float kFP32PositiveInfinity = rawbits_to_float(0x7f800000);

Fix the problem by prepending (rather than appending) the libvixl
include path to QEMU_CFLAGS.

Signed-off-by: Stefano Stabellini <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 834fb1b269f4c9eb0ffc058fd6ab5a018c3bce1f)

*added 2.0-specific fixup from Stefano in disas/Makefile.obj due to
 lack of 849d8284

Signed-off-by: Michael Roth <address@hidden>


  Commit: 29cffd368a6623a8e29b393f336541134d823122
      
https://github.com/qemu/qemu/commit/29cffd368a6623a8e29b393f336541134d823122
  Author: Jason J. Herne <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M target-s390x/kvm.c

  Log Message:
  -----------
  s390x/kvm: synchronize guest floating point registers

Add code to kvm_arch_get_registers and kvm_arch_put_registers to
save/restore floating point registers. This missing sync was
unnoticed until migration of userspace that uses fprs.

Signed-off-by: Jason J. Herne <address@hidden>
Signed-off-by: Christian Borntraeger <address@hidden>
[Update patch to latest upstream]
Cc: address@hidden
Reviewed-by: Alexander Graf <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>

(cherry picked from commit 85ad6230b3af048109b3e949ca95ade4dd9a0bfa)
Signed-off-by: Michael Roth <address@hidden>


  Commit: b1251db2583adfcb5e3b12ee1d9b32f415746056
      
https://github.com/qemu/qemu/commit/b1251db2583adfcb5e3b12ee1d9b32f415746056
  Author: KONRAD Frederic <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M hw/char/cadence_uart.c

  Log Message:
  -----------
  cadence_uart: check for serial backend before using it.

This checks that s->chr is not NULL before using it.

Signed-off-by: KONRAD Frederic <address@hidden>
Reviewed-by: Peter Crosthwaite <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit af52fe862fba686713044efdf9158195f84535ab)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 046e3573799e4d09f34353cd5a3bce2c597d5c3c
      
https://github.com/qemu/qemu/commit/046e3573799e4d09f34353cd5a3bce2c597d5c3c
  Author: Chen Gang <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M kvm-all.c

  Log Message:
  -----------
  kvm-all: Use 'tmpcpu' instead of 'cpu' in sub-looping to avoid 'cpu' be NULL

If kvm_arch_remove_sw_breakpoint() in CPU_FOREACH() always fails, it
will leave 'cpu' NULL. And the next kvm_arch_remove_sw_breakpoint() in
QTAILQ_FOREACH_SAFE() will get a NULL parameter for 'cpu'.

And kvm_arch_remove_sw_breakpoint() may assume 'cpu' is never NULL,
so we need to define an additional temporary variable for 'cpu' to avoid this case.

Cc: address@hidden
Signed-off-by: Chen Gang <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit dc54e2525389e903cee2b847cf761b5d857f75cb)
Signed-off-by: Michael Roth <address@hidden>
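The pitfall this commit describes, as an added example that is not QEMU's code: a pointer used as the iterator of a list-walking macro is left NULL when the walk runs to completion, so reusing the outer 'cpu' inside the inner loop hands a NULL pointer to the next call. The CPUState list, CPU_FOREACH macro and remove_sw_breakpoint() below are constructed stand-ins, not QEMU's definitions.

```c
#include <stddef.h>

/* Constructed stand-in for QEMU's CPUState list (hypothetical, for this example) */
typedef struct CPUState {
    int index;
    struct CPUState *next;
} CPUState;

static CPUState cpu2 = { 2, NULL };
static CPUState cpu1 = { 1, &cpu2 };
static CPUState cpu0 = { 0, &cpu1 };
static CPUState *first_cpu = &cpu0;

/* Same shape as a typical list-walking macro: the iterator ends up NULL if no break */
#define CPU_FOREACH(cpu) \
    for ((cpu) = first_cpu; (cpu) != NULL; (cpu) = (cpu)->next)

/* Stand-in for kvm_arch_remove_sw_breakpoint(): succeeds (0) only on the CPU
   whose index equals ok_index, fails (-1) on every other CPU. */
static int remove_sw_breakpoint(CPUState *cpu, int ok_index)
{
    return cpu->index == ok_index ? 0 : -1;
}

/* Buggy pattern: the outer 'cpu' is reused as the inner loop variable.
   If every call fails, the loop runs off the end and 'cpu' is NULL when
   the caller uses it for the next breakpoint. Returns that pointer. */
static CPUState *buggy_pattern(CPUState *cpu, int ok_index)
{
    CPU_FOREACH(cpu) {
        if (remove_sw_breakpoint(cpu, ok_index) == 0) {
            break;
        }
    }
    return cpu;
}

/* Fixed pattern: walk the list with a separate 'tmpcpu' so the caller's
   'cpu' is untouched whether or not any CPU accepted the removal. */
static CPUState *fixed_pattern(CPUState *cpu, int ok_index)
{
    CPUState *tmpcpu;
    CPU_FOREACH(tmpcpu) {
        if (remove_sw_breakpoint(tmpcpu, ok_index) == 0) {
            break;
        }
    }
    return cpu;
}

int main(void)
{
    /* 99 matches no CPU: the buggy walk returns NULL, the fixed one keeps cpu0 */
    return (buggy_pattern(first_cpu, 99) == NULL &&
            fixed_pattern(first_cpu, 99) == first_cpu) ? 0 : 1;
}
```

The failing case is the "always fails" one from the commit message; when some CPU does accept the removal the inner loop breaks early and both patterns return a valid pointer, which is why the defect stayed hidden.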


  Commit: 750f169519ded18e497c1ac11c2db7e0cbc8c316
      
https://github.com/qemu/qemu/commit/750f169519ded18e497c1ac11c2db7e0cbc8c316
  Author: Laszlo Ersek <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M hw/usb/hcd-xhci.c

  Log Message:
  -----------
  vmstate_xhci_event: fix unterminated field list

"vmstate_xhci_event" was introduced in commit 37352df3 ("xhci: add live
migration support"), and first released in v1.6.0. The field list in this
VMSD is not terminated with the VMSTATE_END_OF_LIST() macro.

During normal use (ie. migration), the issue is practically invisible,
because the "vmstate_xhci_event" object (with the unterminated field list)
is only ever referenced -- via "vmstate_xhci_intr" -- if xhci_er_full()
returns true, for the "ev_buffer" test. Since that field_exists() check
(apparently) almost always returns false, we almost never traverse
"vmstate_xhci_event" during migration, which hides the bug.

However, Amit's vmstate checker forces recursion into this VMSD as well,
and the lack of VMSTATE_END_OF_LIST() breaks the field list terminator
check (field->name != NULL) in dump_vmstate_vmsd(). The result is
undefined behavior, which in my case translates to infinite recursion
(because the loop happens to overflow into "vmstate_xhci_intr", which then
links back to "vmstate_xhci_event").

Add the missing terminator.

Signed-off-by: Laszlo Ersek <address@hidden>
Reviewed-by: Amit Shah <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 3afca1d6d413592c2b78cf28f52fa24a586d8f56)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d56b0b85c86b18df4d29a86eeaaedff299fcf9a0
      
https://github.com/qemu/qemu/commit/d56b0b85c86b18df4d29a86eeaaedff299fcf9a0
  Author: Peter Maydell <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M hw/misc/imx_ccm.c

  Log Message:
  -----------
  hw/misc/imx_ccm.c: Add missing VMState list terminator

The VMStateDescription for the imx_ccm device was missing its
terminator. Found by static search of the codebase using
a regex based on one suggested by Ian Jackson:
  pcregrep -rMi '(?s)VMStateField(?:(?!END_OF_LIST).)*?;' $(git grep -l 'VMStateField\[\]')

Signed-off-by: Peter Maydell <address@hidden>
Cc: address@hidden
(cherry picked from commit ef493d5c291e4689d64ff4973915a7442109a5c5)
Signed-off-by: Michael Roth <address@hidden>
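The defect behind this commit and the vmstate_xhci_event fix above is the same: a NULL-name sentinel that a field-list walker relies on is missing, so the walk reads past the array. As an added example that is not QEMU's code, the VMStateField struct and VMSTATE_END_OF_LIST() below are constructed stand-ins, and count_terminated_fields() is a hypothetical bounded checker that refuses to trust the terminator and reports an unterminated list instead of walking off the end.

```c
#include <stddef.h>

/* Constructed minimal stand-in for a VMState field descriptor (hypothetical) */
typedef struct VMStateField {
    const char *name;   /* NULL name marks the end of the list */
    size_t offset;
} VMStateField;

#define VMSTATE_END_OF_LIST() { .name = NULL, .offset = 0 }

/* A correctly terminated field list */
static const VMStateField good_fields[] = {
    { "type",   0 },
    { "length", 8 },
    VMSTATE_END_OF_LIST()
};

/* The defect both commits fix: no terminator (constructed on purpose) */
static const VMStateField bad_fields[] = {
    { "type",   0 },
    { "length", 8 },
};

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Walk the list but stop at the array bound rather than at the sentinel alone.
   Returns the number of real fields if a terminator is found within max_fields,
   or -1 if the list is unterminated (a walker trusting field->name != NULL
   would have read out of bounds here). */
static int count_terminated_fields(const VMStateField *fields, size_t max_fields)
{
    for (size_t i = 0; i < max_fields; i++) {
        if (fields[i].name == NULL) {
            return (int)i;
        }
    }
    return -1;
}

int check_good(void)
{
    return count_terminated_fields(good_fields, ARRAY_LEN(good_fields));
}

int check_bad(void)
{
    return count_terminated_fields(bad_fields, ARRAY_LEN(bad_fields));
}

int main(void)
{
    /* good list reports 2 fields; the unterminated list is flagged with -1 */
    return (check_good() == 2 && check_bad() == -1) ? 0 : 1;
}
```

In the real tree the array length is not available to a generic walker that receives only a pointer, which is why the commits fall back on adding the terminator and on a source-level search (the pcregrep command above) to find lists that lack one.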


  Commit: e0efb023c0409b80e703e18352f7ad1c6268ce0c
      
https://github.com/qemu/qemu/commit/e0efb023c0409b80e703e18352f7ad1c6268ce0c
  Author: Peter Maydell <address@hidden>
  Date:   2014-08-06 (Wed, 06 Aug 2014)

  Changed paths:
    M hw/arm/boot.c

  Log Message:
  -----------
  hw/arm/boot: Set PC correctly when loading AArch64 ELF files

The code in do_cpu_reset() correctly handled AArch64 CPUs
when running Linux kernels, but was missing code in the
branch of the if() that deals with loading ELF files.
Correctly jump to the ELF entry point on reset rather than
leaving the reset PC at zero.

Reported-by: Christopher Covington <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
Tested-by: Christopher Covington <address@hidden>
Cc: address@hidden
(cherry picked from commit a9047ec3f6ab56295cba5b07e0d46cded9e2a7ff)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 520b3412643ed6907809a1e0711eae497aaa8b54
      
https://github.com/qemu/qemu/commit/520b3412643ed6907809a1e0711eae497aaa8b54
  Author: Fam Zheng <address@hidden>
  Date:   2014-08-07 (Thu, 07 Aug 2014)

  Changed paths:
    M block/mirror.c

  Log Message:
  -----------
  mirror: Fix resource leak when bdrv_getlength fails

The direct return will skip releasing all the resources at
immediate_exit; don't miss that.

Signed-off-by: Fam Zheng <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 373df5b135b4a54e0abb394e9e703fef3ded093c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8e09e2013d82456f074b343d8505b25c0a159dce
      
https://github.com/qemu/qemu/commit/8e09e2013d82456f074b343d8505b25c0a159dce
  Author: Fam Zheng <address@hidden>
  Date:   2014-08-07 (Thu, 07 Aug 2014)

  Changed paths:
    M blockjob.c
    M include/block/blockjob.h

  Log Message:
  -----------
  blockjob: Add block_job_yield()

This will unset the busy flag and put the coroutine to sleep; it can be
used to wait for QMP complete/cancel.

Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit dc71ce45ded4e872e25c2de32d5e7a71842b0985)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 43ac708d4c021ade469d6e96e054abab4cb49e4b
      
https://github.com/qemu/qemu/commit/43ac708d4c021ade469d6e96e054abab4cb49e4b
  Author: Fam Zheng <address@hidden>
  Date:   2014-08-07 (Thu, 07 Aug 2014)

  Changed paths:
    M block/mirror.c

  Log Message:
  -----------
  mirror: Go through ready -> complete process for 0 len image

When mirroring or active committing a zero length image, BLOCK_JOB_READY
is not reported now, instead the job completes because we short circuit
the mirror job loop.

This is inconsistent with non-zero length images, and only confuses
management software.

Let's do the same thing when seeing a 0-length image: report ready
immediately; wait for block-job-cancel or block-job-complete; clear the
cancel flag as existing non-zero image synced case (cancelled after
ready); then jump to the exit.

Reported-by: Eric Blake <address@hidden>
Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 9e48b025400b2d284e17860862b0a4aa02c6032d)

*removed dependency on bcada37b

Signed-off-by: Michael Roth <address@hidden>


  Commit: e5f0eb06a897ee73df22a1eaffdf0a86002559af
      
https://github.com/qemu/qemu/commit/e5f0eb06a897ee73df22a1eaffdf0a86002559af
  Author: Fam Zheng <address@hidden>
  Date:   2014-08-07 (Thu, 07 Aug 2014)

  Changed paths:
    M tests/qemu-iotests/040
    M tests/qemu-iotests/040.out

  Log Message:
  -----------
  qemu-iotests: Test BLOCK_JOB_READY event for 0Kb image active commit

There should be a BLOCK_JOB_READY event with active commit, regardless
of image length. Let's test the 0 length image case, and make sure it
goes through the ready->complete process.

Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 8b9a30ca5bc10545637429486836f3c206c39fab)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 98103fa736e535d311604f5cae0468019908b55e
      
https://github.com/qemu/qemu/commit/98103fa736e535d311604f5cae0468019908b55e
  Author: Jeff Cody <address@hidden>
  Date:   2014-08-07 (Thu, 07 Aug 2014)

  Changed paths:
    M blockdev.c
    M qapi-schema.json
    M qmp-commands.hx
    M tests/qemu-iotests/040

  Log Message:
  -----------
  block: make 'top' argument to block-commit optional

Now that active layer block-commit is supported, the 'top' argument
no longer needs to be mandatory.

Change it to optional, with the default being the active layer in the
device chain.

[kwolf: Rebased and resolved conflict in tests/qemu-iotests/040]

Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Benoit Canet <address@hidden>
Signed-off-by: Jeff Cody <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 7676e2c597000eff3a7233b40cca768b358f9bc9)

Conflicts:
        qapi/block-core.json

*removed dependency on 1ad166b6

Signed-off-by: Michael Roth <address@hidden>


  Commit: d0d83e8fe72acf65d1d126c0ac1b06fb8fd489df
      
https://github.com/qemu/qemu/commit/d0d83e8fe72acf65d1d126c0ac1b06fb8fd489df
  Author: Fam Zheng <address@hidden>
  Date:   2014-08-07 (Thu, 07 Aug 2014)

  Changed paths:
    M tests/qemu-iotests/041
    M tests/qemu-iotests/041.out

  Log Message:
  -----------
  qemu-iotests: Test 0-length image for mirror

All behaviors and invariants should hold for images with 0 length, so
add a class to repeat all the tests in TestSingleDrive.

Hide two inapplicable test methods that would fail with 0 image length
because it's also used as cluster size.

Signed-off-by: Fam Zheng <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 3b9f27d2b34cb8c5cc6cec993712c7e1943e9de9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3c548f670060ffa835fdf26a67d0a7de926ca8c8
      
https://github.com/qemu/qemu/commit/3c548f670060ffa835fdf26a67d0a7de926ca8c8
  Author: Kevin Wolf <address@hidden>
  Date:   2014-08-07 (Thu, 07 Aug 2014)

  Changed paths:
    M block/mirror.c
    M tests/qemu-iotests/041
    M tests/qemu-iotests/041.out

  Log Message:
  -----------
  mirror: Fix qiov size for short requests

When mirroring an image of a size that is not a multiple of the
mirror job granularity, the last request would have the right nb_sectors
argument, but a qiov that is rounded up to the next multiple of the
granularity. Don't do this.

This fixes a segfault that is caused by raw-posix being confused by this
and allocating a buffer with request length, but operating on it with
qiov length.

[s/Driver/Drive/ in qemu-iotests 041 as suggested by Eric
--Stefan]

Reported-by: Eric Blake <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Tested-by: Eric Blake <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 5a0f6fd5c84573387056e0464a7fc0c6fb70b2dc)

Conflicts:
        tests/qemu-iotests/041.out

*updated 041.out to reflect tests missing from 2.0

Signed-off-by: Michael Roth <address@hidden>


  Commit: 543347215cdbf8809213e357072ac8bdb951bbff
      
https://github.com/qemu/qemu/commit/543347215cdbf8809213e357072ac8bdb951bbff
  Author: Michael Roth <address@hidden>
  Date:   2014-08-15 (Fri, 15 Aug 2014)

  Changed paths:
    M VERSION

  Log Message:
  -----------
  Update VERSION for 2.0.1 release

Signed-off-by: Michael Roth <address@hidden>


Compare: https://github.com/qemu/qemu/compare/c8723d46c103^...543347215cdb
