qemu-commits

[Qemu-commits] [qemu/qemu] 0d3358: ehci: make idt processing more robust


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 0d3358: ehci: make idt processing more robust
Date: Tue, 29 Mar 2016 17:30:08 -0700

  Branch: refs/heads/stable-2.5
  Home:   https://github.com/qemu/qemu
  Commit: 0d335804e31b2d93935c957893f4007678390f98
      https://github.com/qemu/qemu/commit/0d335804e31b2d93935c957893f4007678390f98
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-03-15 (Tue, 15 Mar 2016)

  Changed paths:
    M hw/usb/hcd-ehci.c

  Log Message:
  -----------
  ehci: make idt processing more robust

Make ehci_process_itd return an error in case we didn't do any actual
iso transfer because we've found no active transaction.  That'll avoid
ehci happily running in circles forever if the guest builds a loop out of
itds.

This is CVE-2015-8558.

Cc: address@hidden
Reported-by: Qinghao Tang <address@hidden>
Tested-by: P J P <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 42ae4a3c610e05193a220ab4a6c046decb2866be
      https://github.com/qemu/qemu/commit/42ae4a3c610e05193a220ab4a6c046decb2866be
  Author: P J P <address@hidden>
  Date:   2016-03-15 (Tue, 15 Mar 2016)

  Changed paths:
    M hw/net/vmxnet3.c

  Log Message:
  -----------
  net: vmxnet3: avoid memory leakage in activate_device

The vmxnet3 device emulator does not check if the device is active
before activating it; it also did not free the transmit & receive
buffers while deactivating the device, thus resulting in memory
leakage on the host. This patch fixes both these issues to avoid
host memory leakage.

Reported-by: Qinghao Tang <address@hidden>
Reviewed-by: Dmitry Fleytman <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Cc: address@hidden
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit aa4a3dce1c88ed51b616806b8214b7c8428b7470)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d4aed70099429161b2842135217553e822f86988
      https://github.com/qemu/qemu/commit/d4aed70099429161b2842135217553e822f86988
  Author: Greg Kurz <address@hidden>
  Date:   2016-03-15 (Tue, 15 Mar 2016)

  Changed paths:
    M target-ppc/kvm.c

  Log Message:
  -----------
  target-ppc: kvm: fix floating point registers sync on little-endian hosts

On VSX capable CPUs, the 32 FP registers are mapped to the high bits
of the first 32 VSX registers. So if you have:

VSR31 = (uint128) 0x0102030405060708090a0b0c0d0e0f00

then

FPR31 = (uint64) 0x0102030405060708

The kernel stores the VSX registers in the fp_state struct following the
host endian element ordering.

On big-endian:

fp_state.fpr[31][0] = 0x0102030405060708
fp_state.fpr[31][1] = 0x090a0b0c0d0e0f00

On little-endian:

fp_state.fpr[31][0] = 0x090a0b0c0d0e0f00
fp_state.fpr[31][1] = 0x0102030405060708

The KVM_GET_ONE_REG and KVM_SET_ONE_REG ioctls preserve this ordering, but
QEMU considers it as big-endian and always copies element [0] to the
fpr[] array and element [1] to the vsr[] array. This does not work with
little-endian hosts, and you will get:

(qemu) p $f31
0x90a0b0c0d0e0f00

instead of:

(qemu) p $f31
0x102030405060708

This patch fixes the element ordering for little-endian hosts.

Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: David Gibson <address@hidden>
(cherry picked from commit 3a4b791b4c13e02537a5cc572fa3de70bc5f68da)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 52a7b27947a909286bf7ea13335e8400f8adb4b3
      https://github.com/qemu/qemu/commit/52a7b27947a909286bf7ea13335e8400f8adb4b3
  Author: Peter Maydell <address@hidden>
  Date:   2016-03-15 (Tue, 15 Mar 2016)

  Changed paths:
    M configure

  Log Message:
  -----------
  configure: Fix shell syntax to placate OpenBSD's pdksh

Unfortunately the OpenBSD pdksh does not like brackets inside
the right part of a ${variable+word} parameter expansion:

  $ echo "${a+($b)}"
  ksh: ${a+($b)}": bad substitution

though both bash and dash accept them. In any case this line
was causing odd output in the case where nettle is not present:
  nettle    no ()

(because if nettle is not present then $nettle will be "no",
not a null string or unset).

Rewrite it to just use an if.

This bug was originally introduced in becaeb726 and was present
in the 2.4.0 release.

Fixes: https://bugs.launchpad.net/qemu/+bug/1525682
Reported-by: Dmitrij D. Czarkoff
Cc: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Message-id: address@hidden
(cherry picked from commit 18f49881cf8359e89396aac12f5d3cf3f8a632ba)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4d59e78dfe6c1df181b54ee90f273de7d4cdfe86
      https://github.com/qemu/qemu/commit/4d59e78dfe6c1df181b54ee90f273de7d4cdfe86
  Author: Stefano Stabellini <address@hidden>
  Date:   2016-03-15 (Tue, 15 Mar 2016)

  Changed paths:
    M hw/block/xen_blkif.h

  Log Message:
  -----------
  xen/blkif: Avoid double access to src->nr_segments

src is stored in shared memory and src->nr_segments is dereferenced
twice at the end of the function.  If a compiler decides to compile this
into two separate memory accesses then the size limitation could be
bypassed.

Fix it by removing the double access to src->nr_segments.

This is part of XSA-155.

Signed-off-by: Stefano Stabellini <address@hidden>
(cherry picked from commit f9e98e5d7a67367b862941e339a98b8322fa0cea)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ff083d3c3bc3e3e0194a8d1bd0419121edc054fc
      https://github.com/qemu/qemu/commit/ff083d3c3bc3e3e0194a8d1bd0419121edc054fc
  Author: Stefano Stabellini <address@hidden>
  Date:   2016-03-15 (Tue, 15 Mar 2016)

  Changed paths:
    M hw/display/xenfb.c

  Log Message:
  -----------
  xenfb: avoid reading twice the same fields from the shared page

Reading the same field twice could give the guest an attack
opportunity. In the case of event->type, gcc could compile the switch
statement into a jump table, effectively ending up reading the type
field multiple times.

This is part of XSA-155.

Signed-off-by: Stefano Stabellini <address@hidden>
(cherry picked from commit 7ea11bf376aea4bf8340eb363de9777c7f93e556)
Signed-off-by: Michael Roth <address@hidden>
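The two XSA-155 commits above (xen/blkif and xenfb) fix the same class of bug. The following is an added example, not code from either commit or from QEMU: a constructed ring slot whose nr_segments field the guest can rewrite at any time (the 11/32 limits and the racing-guest hook are assumptions made for the demonstration), showing how a field fetched twice from shared memory can pass its bound check and still be used unchecked, next to the single-read form that closes the window.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sizes for the demonstration; they stand in for the blkif limits. */
#define MAX_SEGMENTS 11
#define SLOT_SEGMENTS 32

/* Ring slot as the guest sees it: every field is guest-writable at any time. */
struct shared_request {
    uint8_t  nr_segments;
    uint64_t segs[SLOT_SEGMENTS];
};

/* Backend-private copy. segs[] is sized to the whole slot here so that an
 * over-copy stays observable (returned count > MAX_SEGMENTS) instead of
 * corrupting memory in the demo. */
struct private_request {
    uint8_t  nr_segments;
    uint64_t segs[SLOT_SEGMENTS];
};

/* Stands in for a guest vCPU writing the slot concurrently; the demo calls it
 * between the two reads to make the race deterministic. */
typedef void (*guest_write_fn)(volatile struct shared_request *);

/* The pattern XSA-155 removed: nr_segments is fetched from shared memory once
 * for the bound check and again for the copy. Returns the count copied, or -1
 * if the request was rejected. */
int copy_request_double_read(volatile struct shared_request *src,
                             struct private_request *dst, guest_write_fn racer)
{
    if (src->nr_segments > MAX_SEGMENTS) {      /* first read */
        return -1;
    }
    if (racer) {
        racer(src);                             /* guest changes the field in between */
    }
    dst->nr_segments = src->nr_segments;        /* second read: the checked value is gone */
    for (int i = 0; i < dst->nr_segments; i++) {
        dst->segs[i] = src->segs[i];
    }
    return dst->nr_segments;
}

/* Fixed pattern: read the shared field exactly once into a local, validate the
 * local, and use only the local from then on. */
int copy_request_single_read(volatile struct shared_request *src,
                             struct private_request *dst, guest_write_fn racer)
{
    uint8_t nr = src->nr_segments;              /* the only read of the shared field */
    if (nr > MAX_SEGMENTS) {
        return -1;
    }
    if (racer) {
        racer(src);                             /* too late: nr is already private */
    }
    dst->nr_segments = nr;
    for (int i = 0; i < nr; i++) {
        dst->segs[i] = src->segs[i];
    }
    return nr;
}

/* Racing guest: bumps the segment count past the limit after the check ran. */
static void raise_segment_count(volatile struct shared_request *s)
{
    s->nr_segments = SLOT_SEGMENTS;
}

/* Runs one request with an initial nr_segments of `initial` through the chosen
 * version; `raced` selects whether the guest write fires between the reads. */
int run_request(int single_read, uint8_t initial, int raced)
{
    struct shared_request slot = { .nr_segments = initial };
    struct private_request priv = { 0 };
    guest_write_fn racer = raced ? raise_segment_count : 0;
    for (int i = 0; i < SLOT_SEGMENTS; i++) {
        slot.segs[i] = 0x1000 + i;              /* constructed segment values */
    }
    return single_read ? copy_request_single_read(&slot, &priv, racer)
                       : copy_request_double_read(&slot, &priv, racer);
}

int main(void)
{
    printf("double read, raced: %d\n", run_request(0, 5, 1));   /* 32: limit bypassed */
    printf("single read, raced: %d\n", run_request(1, 5, 1));   /* 5: limit holds */
    printf("oversized request:  %d\n", run_request(1, 20, 0));  /* -1: rejected */
    return 0;
}
```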


  Commit: 4588b0d856bf197034ec25209c40058a023d30e4
      https://github.com/qemu/qemu/commit/4588b0d856bf197034ec25209c40058a023d30e4
  Author: Greg Kurz <address@hidden>
  Date:   2016-03-15 (Tue, 15 Mar 2016)

  Changed paths:
    M hw/9pfs/virtio-9p-coth.c

  Log Message:
  -----------
  virtio-9p: use accessor to get thread_pool

The aio_context_new() function does not allocate a thread pool. This is
deferred to the first call to the aio_get_thread_pool() accessor. It is
hence forbidden to access the thread_pool field directly, as it may be
NULL. The accessor *must* be used always.

Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
Reviewed-by: Michael Tokarev <address@hidden>
Tested-by: Michael Tokarev <address@hidden>
Cc: address@hidden
Signed-off-by: Greg Kurz <address@hidden>
(cherry picked from commit 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 16a28757355514e49507167c9aaae76964fbc793
      https://github.com/qemu/qemu/commit/16a28757355514e49507167c9aaae76964fbc793
  Author: P J P <address@hidden>
  Date:   2016-03-15 (Tue, 15 Mar 2016)

  Changed paths:
    M hw/scsi/megasas.c

  Log Message:
  -----------
  scsi: initialise info object with appropriate size

While processing controller 'CTRL_GET_INFO' command, the routine
'megasas_ctrl_get_info' overflows the '&info' object size. Use its
appropriate size to null initialise it.

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
Signed-off-by: P J P <address@hidden>
(cherry picked from commit 36fef36b91f7ec0435215860f1458b5342ce2811)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3e96d5dcf2f7a8c35b0e91b2689482bf0436e49d
      https://github.com/qemu/qemu/commit/3e96d5dcf2f7a8c35b0e91b2689482bf0436e49d
  Author: Marc-André Lureau <address@hidden>
  Date:   2016-03-15 (Tue, 15 Mar 2016)

  Changed paths:
    M hw/misc/ivshmem.c

  Log Message:
  -----------
  ivshmem: no need for opaque argument

Signed-off-by: Marc-André Lureau <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
(cherry picked from commit 2c64846972897fc3aec4072f849fae2b00322f8b)
*context dependency for 47213eb
Signed-off-by: Michael Roth <address@hidden>


  Commit: 702a8d165c9a4a54bf9b1d6af816aa64c8cf0d7a
      https://github.com/qemu/qemu/commit/702a8d165c9a4a54bf9b1d6af816aa64c8cf0d7a
  Author: Marc-André Lureau <address@hidden>
  Date:   2016-03-15 (Tue, 15 Mar 2016)

  Changed paths:
    M hw/misc/ivshmem.c

  Log Message:
  -----------
  ivshmem: remove redundant assignment, fix crash with msi=off

Fix crash when msi=false introduced in 660c97ee (msi_vectors is NULL in
this case).

Signed-off-by: Marc-André Lureau <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
(cherry picked from commit 47213eb1104709bf238c8d16db20aa47d37b1c59)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7a2c1c8e66d17125c5b3fe214bd8c103b87bb895
      https://github.com/qemu/qemu/commit/7a2c1c8e66d17125c5b3fe214bd8c103b87bb895
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-03-15 (Tue, 15 Mar 2016)

  Changed paths:
    M hw/net/rocker/rocker.c

  Log Message:
  -----------
  net: rocker: fix an incorrect array bounds check

While processing transmit (tx) descriptors in the 'tx_consume' routine
the switch emulator suffers from an off-by-one error if a
descriptor was to have more than the allowed (ROCKER_TX_FRAGS_MAX=16)
fragments. Fix an incorrect bounds check to avoid it.

Reported-by: Qinghao Tang <address@hidden>
Cc: address@hidden
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit 007cd223de527b5f41278f2d886c1a4beb3e67aa)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e1a8a0912489d667ab7b35f8dd6ae9ec1de7ca20
      https://github.com/qemu/qemu/commit/e1a8a0912489d667ab7b35f8dd6ae9ec1de7ca20
  Author: Max Reitz <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M block/block-backend.c
    M include/block/block_int.h

  Log Message:
  -----------
  block: Add blk_dev_has_tray()

Pull out the check whether a block device has a tray from
blk_dev_is_tray_open() into its own function so both attributes (whether
there is a tray vs. whether that tray is open) can be queried
independently.

Cc: qemu-stable <address@hidden>
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Alberto Garcia <address@hidden>
Message-id: address@hidden
(cherry picked from commit 8f3a73bc57ea83e5b3930d14fc596ea51859987a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6a49a71cc652431538ba7ed00379fbaab1e7343c
      https://github.com/qemu/qemu/commit/6a49a71cc652431538ba7ed00379fbaab1e7343c
  Author: Max Reitz <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M blockdev.c
    M qapi/block-core.json

  Log Message:
  -----------
  blockdev: Fix 'change' for slot devices

'change' and related operations did not work when used on guest devices
featuring removable media but no actual tray, because
blk_dev_is_tray_open() always returned false for them and the
blockdev-{insert,remove}-medium commands required it to return true.

Fix this by making blockdev-{insert,remove}-medium work on tray-less
devices. Also, blockdev-{open,close}-tray are now explicitly no-ops when
invoked on such devices, and blk_dev_change_media_cb() is instead
called by blockdev-{insert,remove}-medium (for tray-less devices only).

Reported-by: Peter Maydell <address@hidden>
Cc: qemu-stable <address@hidden>
Signed-off-by: Max Reitz <address@hidden>
Reviewed-by: Alberto Garcia <address@hidden>
Message-id: address@hidden
Reviewed-by: Eric Blake <address@hidden>
(cherry picked from commit 12c7ec87a7d88919b23736176eba3118d1521372)
Signed-off-by: Michael Roth <address@hidden>


  Commit: abda95cb016ad6fc85481e86b1f80c908c09d594
      https://github.com/qemu/qemu/commit/abda95cb016ad6fc85481e86b1f80c908c09d594
  Author: Li Zhijian <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M net/dump.c

  Log Message:
  -----------
  net/dump: fix nfds->filename leak

Cc: Jason Wang <address@hidden>
Signed-off-by: Li Zhijian <address@hidden>
Cc: address@hidden
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit b50c7d452f5aef52cc9e7461f215cab87c3f3b03)
Signed-off-by: Michael Roth <address@hidden>


  Commit: aaa52713278e3002e364edee264ce2df6b2bde4e
      https://github.com/qemu/qemu/commit/aaa52713278e3002e364edee264ce2df6b2bde4e
  Author: Li Zhijian <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M net/filter.c

  Log Message:
  -----------
  net/filter: fix nf->netdev_id leak

Cc: Jason Wang <address@hidden>
Cc: address@hidden
Signed-off-by: Li Zhijian <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit 671f66f87fbf6cc6a3879f3055f16347b1db91e9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: fe90bdc25bcf9954ee286cd51de94776a17d04f6
      https://github.com/qemu/qemu/commit/fe90bdc25bcf9954ee286cd51de94776a17d04f6
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M hw/net/ne2000.c

  Log Message:
  -----------
  net: ne2000: check ring buffer control registers

The Ne2000 NIC uses a ring buffer of NE2000_MEM_SIZE (49152)
bytes to process network packets. Registers PSTART & PSTOP
define the ring buffer size & location. Setting these registers
to invalid values could lead to an infinite loop or OOB r/w
access issues. Add a check to avoid it.

Reported-by: Yang Hongke <address@hidden>
Tested-by: Yang Hongke <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit 415ab35a441eca767d033a2702223e785b9d5190)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9849b1912f18a2c3496331355567cb67422290c0
      https://github.com/qemu/qemu/commit/9849b1912f18a2c3496331355567cb67422290c0
  Author: Laurent Vivier <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M hw/net/vhost_net.c

  Log Message:
  -----------
  net: set endianness on all backend devices

commit 5be7d9f1b1452613b95c6ba70b8d7ad3d0797991
       vhost-net: tell tap backend about the vnet endianness

makes vhost-net set the endianness of the device, but only for
the first device.

In case of multiqueue, we have multiple devices... This patch sets the
endianness for all the devices of the interface.

Signed-off-by: Laurent Vivier <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Greg Kurz <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
(cherry picked from commit a407644079c8639002e7ea635d851953b10a38c3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3ede27db321f84c6389290dc699d0a4e4c8975e5
      https://github.com/qemu/qemu/commit/3ede27db321f84c6389290dc699d0a4e4c8975e5
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M hw/usb/hcd-ehci.c

  Log Message:
  -----------
  ehci: update irq on reset

After clearing the status register we also have to update the irq line
status.  Otherwise an irq which happens to be pending at reset time
causes an interrupt storm.  And the guest can't stop as the status
register doesn't indicate any pending interrupt.

Both NetBSD and FreeBSD hang on shutdown because of that.

Cc: address@hidden
Reported-by: Andrey Korolyov <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit 5a8660741a8aa19fbf8a5e8a2b3aac88664f4e66)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 643c8d8ec102097a4bee2ba0ec1e42415371e659
      https://github.com/qemu/qemu/commit/643c8d8ec102097a4bee2ba0ec1e42415371e659
  Author: Christian Borntraeger <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M block/raw-posix.c

  Log Message:
  -----------
  block/raw-posix: avoid bogus fixup for cylinders on DASD disks

Large volume DASDs that have > 64k cylinders claim to have
0xFFFE cylinders as a special value in the old 16 bit field. We
want to pass this "token" along to the guest, instead of
calculating the real number. Otherwise qemu might fail with
"cyls must be between 1 and 65535".

Cc: address@hidden
Acked-by: Cornelia Huck <address@hidden>
Signed-off-by: Christian Borntraeger <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit 972b543c6b63579aee590b738d21af09f01569f7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d98392379ac3ac3e2a7ef2df5b300883beb3fe9e
      https://github.com/qemu/qemu/commit/d98392379ac3ac3e2a7ef2df5b300883beb3fe9e
  Author: Pierre Morel <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M target-s390x/ioinst.c

  Log Message:
  -----------
  s390x/ioinst: set type and len for SEI response

If no event information is pending, the return code
is set to 0x0005 and the length of the response is
set to 8 bytes.

Signed-off-by: Pierre Morel <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Reviewed-by: Song Shan Gong <address@hidden>
Cc: address@hidden
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit f70202be535b5601fd02c725dc1d74f3bfc5039c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 091af181047623695b7239cd8ddf928e1327b6a5
      https://github.com/qemu/qemu/commit/091af181047623695b7239cd8ddf928e1327b6a5
  Author: Halil Pasic <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M hw/s390x/css.c

  Log Message:
  -----------
  s390x/css: fix control flags during csch

From the beginning, css support contained an error in csch handling:
instead of setting the clear bit in the function control bits twice, we
need to set the clear pending bit in the activity control bits. Let's
fix this.

Cc: address@hidden
Reviewed-by: Cornelia Huck <address@hidden>
Signed-off-by: Halil Pasic <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit 4c6bf79a222934ac9ff0e45fc98ea1c986ed5c67)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 020282d3e640051405cfd246921413a894ce1dc1
      https://github.com/qemu/qemu/commit/020282d3e640051405cfd246921413a894ce1dc1
  Author: Gabriel L. Somlo <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M hw/nvram/fw_cfg.c

  Log Message:
  -----------
  fw_cfg: avoid calculating invalid current entry pointer

When calculating a pointer to the currently selected fw_cfg item, the
following is used:

  FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];

When s->cur_entry is FW_CFG_INVALID, we are calculating the address of
a non-existent element in s->entries[arch][...], which is undefined.

This patch ensures the resulting entry pointer is set to NULL whenever
s->cur_entry is FW_CFG_INVALID.

Reported-by: Laszlo Ersek <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
Signed-off-by: Gabriel Somlo <address@hidden>
Message-id: address@hidden
Cc: Marc Marí <address@hidden>
Signed-off-by: Gabriel Somlo <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 66f8fd9dda312191b78d2a2ba2848bcee76127a2)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 225d50fbb1bda242ccc2dd2c01c1d429259c2bc3
      https://github.com/qemu/qemu/commit/225d50fbb1bda242ccc2dd2c01c1d429259c2bc3
  Author: Dr. David Alan Gilbert <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M cpus.c

  Log Message:
  -----------
  cpus: use broadcast on qemu_pause_cond

Jiri saw a hang on pause_all_vcpus called from postcopy_start,
where the cpus are all apparently stopped ('stopped' flag set)
but pause_all_vcpus is still stuck on a cond_wait on qemu_paused_cond.
We suspect this is happening if a qmp_stop is called at about the
same time as the postcopy code calls that pause_all_vcpus;
although they both should have the main lock held, Paolo spotted
the cond_wait unlocks the global lock so perhaps they both
could end up waiting at the same time?

Signed-off-by: Dr. David Alan Gilbert <address@hidden>
Reported-by: Jiri Denemark <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 96bce6831bd19b61e965384427741d805c7234c3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a38a283fc707b404544c491e32c4adc94e4788c6
      https://github.com/qemu/qemu/commit/a38a283fc707b404544c491e32c4adc94e4788c6
  Author: Eric Blake <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M qapi/qmp-output-visitor.c
    M tests/test-qmp-output-visitor.c

  Log Message:
  -----------
  qmp: Fix reference-counting of qnull on empty output visit

Commit 6c2f9a15 ensured that we would not return NULL when the
caller used an output visitor but had nothing to visit. But
in doing so, it added a FIXME about a reference count leak
that could abort qemu in the (unlikely) case of SIZE_MAX such
visits (more plausible on 32-bit).  (Although that commit
suggested we might fix it in time for 2.5, we ran out of time;
fortunately, it is unlikely enough to bite that it was not
worth worrying about during the 2.5 release.)

This fixes things by documenting the internal contracts, and
explaining why the internal function can return NULL and only
the public facing interface needs to worry about qnull(),
thus avoiding over-referencing the qnull_ global object.

It does not, however, fix the stupidity of the stack mixing
up two separate pieces of information; add a FIXME to explain
that issue, which will be fixed shortly in a future patch.

Signed-off-by: Eric Blake <address@hidden>
Cc: address@hidden
Message-Id: <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
(cherry picked from commit a86156401559cb4401cf9ecc704faeab6fc8bb19)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a375e0b03ee3438924b24a45e61ee189ec9361db
      https://github.com/qemu/qemu/commit/a375e0b03ee3438924b24a45e61ee189ec9361db
  Author: Jeff Cody <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M block.c
    M blockdev.c
    M include/block/block.h

  Log Message:
  -----------
  block: set device_list.tqe_prev to NULL on BDS removal

This fixes a regression introduced with commit 3f09bfbc7.  Multiple
bugs arise in conjunction with live snapshots and mirroring operations
(which include active layer commit).

After a live snapshot occurs, the active layer and the base layer both
have a non-NULL tqe_prev field in the device_list, although the base
node's tqe_prev field points to a NULL entry.  This non-NULL tqe_prev
field occurs after the bdrv_append() in the external snapshot calls
change_parent_backing_link().

In change_parent_backing_link(), when the previous active layer is
removed from device_list, the device_list.tqe_prev pointer is not
set to NULL.

The operating scheme in the block layer is to indicate that a BDS belongs
in the bdrv_states device_list iff the device_list.tqe_prev pointer
is non-NULL.

This patch does two things:

1.) Introduces a new block layer helper bdrv_device_remove() to remove a
    BDS from the device_list, and
2.) uses that new API, which also fixes the regression once used in
    change_parent_backing_link().

Signed-off-by: Jeff Cody <address@hidden>
Message-id: address@hidden
Reviewed-by: Max Reitz <address@hidden>
Signed-off-by: Max Reitz <address@hidden>
(cherry picked from commit f8aa905a4fec89863c82de4186352447d851871e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4853a5a80f3da5edb9df07022f3002d713f52cdc
      https://github.com/qemu/qemu/commit/4853a5a80f3da5edb9df07022f3002d713f52cdc
  Author: Jeff Cody <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    A tests/qemu-iotests/144
    A tests/qemu-iotests/144.out
    M tests/qemu-iotests/group

  Log Message:
  -----------
  block: qemu-iotests - add test for snapshot, commit, snapshot bug

Signed-off-by: Jeff Cody <address@hidden>
Message-id: address@hidden
Reviewed-by: Max Reitz <address@hidden>
[Moved test number from 143 to 144]
Signed-off-by: Max Reitz <address@hidden>

(cherry picked from commit 8983b670f62ab5e5e8dd2690bf8304123651bfe5)

Conflicts:
        tests/qemu-iotests/group

*removed context dependencies on newer test groups

Signed-off-by: Michael Roth <address@hidden>


  Commit: cb873eaa6dc7e56b3f7394e5cdc9bbd8f9e23d1d
      https://github.com/qemu/qemu/commit/cb873eaa6dc7e56b3f7394e5cdc9bbd8f9e23d1d
  Author: Laszlo Ersek <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M hw/net/e1000.c

  Log Message:
  -----------
  e1000: eliminate infinite loops on out-of-bounds transfer start

The start_xmit() and e1000_receive_iov() functions implement DMA transfers
iterating over a set of descriptors that the guest's e1000 driver
prepares:

- the TDLEN and RDLEN registers store the total size of the descriptor
  area,

- while the TDH and RDH registers store the offset (in whole tx / rx
  descriptors) into the area where the transfer is supposed to start.

Each time a descriptor is processed, the TDH and RDH register is bumped
(as appropriate for the transfer direction).

QEMU already contains logic to deal with bogus transfers submitted by the
guest:

- Normally, the transmit case wants to increase TDH from its initial value
  to TDT. (TDT is allowed to be numerically smaller than the initial TDH
  value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
  that QEMU currently has here is a check against reaching the original
  TDH value again -- a complete wraparound, which should never happen.

- In the receive case RDH is increased from its initial value until
  "total_size" bytes have been received; preferably in a single step, or
  in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
  RX descriptors are skipped without receiving data, while RDH is
  incremented just the same. QEMU tries to prevent an infinite loop
  (processing only null RX descriptors) by detecting whether RDH assumes
  its original value during the loop. (Again, wrapping from RDLEN to 0 is
  normal.)

What both directions miss is that the guest could program TDLEN and RDLEN
so low, and the initial TDH and RDH so high, that these registers will
immediately be truncated to zero, and then never reassume their initial
values in the loop -- a full wraparound will never occur.

The condition that expresses this is:

  xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)

i.e., TDH or RDH start out after the last whole rx or tx descriptor that
fits into the TDLEN or RDLEN sized area.

This condition could be checked before we enter the loops, but
pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
bogus DMA addresses, so we just extend the existing failsafes with the
above condition.

This is CVE-2016-1981.

Cc: "Michael S. Tsirkin" <address@hidden>
Cc: Petr Matousek <address@hidden>
Cc: Stefano Stabellini <address@hidden>
Cc: Prasad Pandit <address@hidden>
Cc: Michael Roth <address@hidden>
Cc: Jason Wang <address@hidden>
Cc: address@hidden
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
Signed-off-by: Laszlo Ersek <address@hidden>
Reviewed-by: Jason Wang <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit dd793a74882477ca38d49e191110c17dfee51dcc)
Signed-off-by: Michael Roth <address@hidden>
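As an added example, not code from the commit above or from QEMU's e1000.c: a model of the start_xmit() descriptor walk the message describes, carrying the original "complete wraparound" failsafe and the CVE-2016-1981 condition side by side. It assumes 16-byte descriptors and uses an iteration cap, SPIN_CAP, to stand in for "never terminates".

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define DESC_SIZE 16u          /* assumed size of one tx descriptor in bytes */
#define SPIN_CAP  100000L      /* demo guard: this many iterations counts as unbounded */

/* Model of the start_xmit() descriptor walk. tdh/tdt are descriptor indices,
 * tdlen is the ring size in bytes. Returns the number of descriptors processed
 * before the loop exited, or -1 if it hit SPIN_CAP (an unbounded loop). */
long walk_tx_ring(uint32_t tdh, uint32_t tdt, uint32_t tdlen, bool with_fix)
{
    uint32_t tdh_start = tdh;
    long processed = 0;

    while (tdh != tdt) {
        /* Real device: pci_dma_read() the descriptor at tdh and process it.
         * That read tolerates bogus DMA addresses, which is why the extra
         * condition can sit inside the loop instead of in front of it. */
        processed++;

        /* Advance; wrapping at or above TDLEN bytes back to zero is normal. */
        if (++tdh * DESC_SIZE >= tdlen) {
            tdh = 0;
        }

        /* Original failsafe: a complete wraparound back to where we started.
         * CVE-2016-1981 fix: also stop when the start index lies beyond the
         * last whole descriptor of the ring, because then the wraparound can
         * never bring tdh back to tdh_start and the first check never fires. */
        if (tdh == tdh_start ||
            (with_fix && tdh_start >= tdlen / DESC_SIZE)) {
            break;
        }
        if (processed >= SPIN_CAP) {
            return -1;
        }
    }
    return processed;
}

int main(void)
{
    /* Constructed ring of 4 descriptors (64 bytes). Well-formed walk from 1 to 3: */
    printf("normal:  %ld\n", walk_tx_ring(1, 3, 64, true));       /* 2 */
    /* TDH and TDT both past the ring: without the fix the walk never ends. */
    printf("unfixed: %ld\n", walk_tx_ring(100, 200, 64, false));  /* -1 */
    printf("fixed:   %ld\n", walk_tx_ring(100, 200, 64, true));   /* 1 */
    return 0;
}
```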


  Commit: c06f342009eefdce1773cba6f351cc85bc398541
      https://github.com/qemu/qemu/commit/c06f342009eefdce1773cba6f351cc85bc398541
  Author: Greg Kurz <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M hw/ppc/spapr.c

  Log Message:
  -----------
  spapr: skip configuration section during migration of older machines

Since QEMU 2.4, we have a configuration section in the migration stream.
This must be skipped for older machines, like it is already done for x86.

This patch fixes the migration of pseries-2.3 from/to QEMU 2.3, but it
breaks migration of the same machine from/to QEMU 2.4/2.4.1/2.5. We do
that anyway because QEMU 2.3 is likely to be more widely deployed than
newer QEMU versions.

Fixes: 61964c23e5ddd5a33f15699e45ce126f879e3e33
Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Laurent Vivier <address@hidden>
Reviewed-by: Juan Quintela <address@hidden>
Signed-off-by: David Gibson <address@hidden>
(cherry picked from commit 09b5e30da5b19f44768a5429f603caaede216757)

Conflicts:
        hw/ppc/spapr.c

*remove dep on 5013c5474

Signed-off-by: Michael Roth <address@hidden>


  Commit: 6b62303eb8d5975197d57437d45620ee37091610
      https://github.com/qemu/qemu/commit/6b62303eb8d5975197d57437d45620ee37091610
  Author: Marcel Apfelbaum <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M hw/virtio/virtio-pci.h

  Log Message:
  -----------
  hw/virtio: fix double use of a virtio flag

Commits 1811e64c and a6df8adf use the same virtio feature bit 4
for different features.

Fix it by using different bits.

Reported-by: Laurent Vivier <address@hidden>
Tested-by: Laurent Vivier <address@hidden>
Signed-off-by: Marcel Apfelbaum <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Acked-by: Jason Wang <address@hidden>
(cherry picked from commit 631a4387554d53a0d19dd7973851ed760a5bff97)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c5c9841ce8acd2ce836a729783cc37984baeab69
      https://github.com/qemu/qemu/commit/c5c9841ce8acd2ce836a729783cc37984baeab69
  Author: Marcel Apfelbaum <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M hw/virtio/virtio-pci.h

  Log Message:
  -----------
  hw/virtio: group virtio flags into an enum

Minimizes the possibility to assign
the same bit to different features.

Signed-off-by: Marcel Apfelbaum <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Laurent Vivier <address@hidden>
Acked-by: Jason Wang <address@hidden>
(cherry picked from commit fc1769b758a5b6167bb9cdb4e10369a49b4fa930)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 30929793b0a68c1f7ef85035bc0159a835e7a0cb
      https://github.com/qemu/qemu/commit/30929793b0a68c1f7ef85035bc0159a835e7a0cb
  Author: Laszlo Ersek <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M hw/nvram/fw_cfg.c
    M include/hw/compat.h

  Log Message:
  -----------
  fw_cfg: unbreak migration compatibility for 2.4 and earlier machines

When I reviewed Marc's fw_cfg DMA patches, I completely missed that the
way we set dma_enabled would break migration.

Gerd explained the right way (see reference below): dma_enabled should be
set to true by default, and only true->false transitions should be
possible:

- when the user requests that with

    -global fw_cfg_mem.dma_enabled=off

  or

   -global fw_cfg_io.dma_enabled=off

  as appropriate for the platform,

- when HW_COMPAT_2_4 dictates it,

- when board code initializes fw_cfg without requesting DMA support.

Cc: Marc Marí <address@hidden>
Cc: Gerd Hoffmann <address@hidden>
Cc: Alexandre DERUMIER <address@hidden>
Cc: address@hidden
Ref: http://thread.gmane.org/gmane.comp.emulators.qemu/390272/focus=391042
Ref: https://bugs.launchpad.net/qemu/+bug/1536487
Suggested-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Laszlo Ersek <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit e6915b5f3a874a467a9a65f7ec1d6ef8d251a51a)

Conflicts:
        include/hw/compat.h

* remove cosmetic dep on c9c0afbb

Signed-off-by: Michael Roth <address@hidden>


  Commit: 9ae02175b49dba462feab8f37c9c51ff76bc3809
      
https://github.com/qemu/qemu/commit/9ae02175b49dba462feab8f37c9c51ff76bc3809
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M hw/virtio/vhost-user.c
    M hw/virtio/vhost.c
    M include/hw/virtio/vhost-backend.h

  Log Message:
  -----------
  vhost-user: don't merge regions with different fds

vhost currently merges regions with contiguous virtual and physical
addresses.  This breaks for vhost-user since that also needs fds to
match.

Add a vhost_ops entry to compare the fds for vhost-user only.

Cc: address@hidden
Cc: Victor Kaplansky <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit ffe42cc14c770549abc7995a90cf53bca3659b7f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cab1cc724572a1e418249f827b5f958bd23b1004
      
https://github.com/qemu/qemu/commit/cab1cc724572a1e418249f827b5f958bd23b1004
  Author: Peter Maydell <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M target-arm/cpu-qom.h
    M target-arm/helper.c

  Log Message:
  -----------
  target-arm: Make reserved ranges in ID_AA64* spaces RAZ, not UNDEF

The v8 ARM ARM defines that unused spaces in the ID_AA64* system
register ranges are Reserved and must RAZ, rather than being UNDEF.
Implement this.

In particular, ARM v8.2 adds a new feature register ID_AA64MMFR2,
and newer versions of the Linux kernel will attempt to read this,
which causes them not to boot up on versions of QEMU missing this fix.

Since the encoding .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 6
is actually defined in ARMv8 (as ID_MMFR4), we give it an entry in
the ARMCPU struct so CPUs can override it, though since none do
this too will just RAZ.

Cc: address@hidden
Reported-by: Ard Biesheuvel <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Reviewed-by: Alex Bennée <address@hidden>
Tested-by: Alex Bennée <address@hidden>
(cherry picked from commit e20d84c1407d43d5a2e2ac95dbb46db3b0af8f9f)

Conflicts:
        target-arm/helper.c

* remove context dep on 4054bfa9

Signed-off-by: Michael Roth <address@hidden>


  Commit: 4b0b1ec8e0f772f3dc9c475b3f4cebfdb578d836
      
https://github.com/qemu/qemu/commit/4b0b1ec8e0f772f3dc9c475b3f4cebfdb578d836
  Author: Alberto Garcia <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M block/quorum.c

  Log Message:
  -----------
  quorum: Fix crash in quorum_aio_cb()

quorum_aio_cb() emits the QUORUM_REPORT_BAD event if there's
an I/O error in a Quorum child. However sacb->aiocb must be
correctly initialized for this to happen. read_quorum_children() and
read_fifo_child() are not doing this, which results in a QEMU crash.

Signed-off-by: Alberto Garcia <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Message-id: address@hidden
Signed-off-by: Max Reitz <address@hidden>
(cherry picked from commit b9c600d20716b3d942cb07188ff998fb236a8365)
Signed-off-by: Michael Roth <address@hidden>


  Commit: bad094d524c2204164573d929f825850e612ad84
      
https://github.com/qemu/qemu/commit/bad094d524c2204164573d929f825850e612ad84
  Author: Marcel Apfelbaum <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M vl.c

  Log Message:
  -----------
  vl.c: Fix regression in machine error message

Commit e1ce0c3cb (vl.c: fix regression when reading machine type
from config file) fixed the error message when the machine type
was supplied inside the config file. However now the option name
is not displayed correctly if the error happens when the machine
is specified at command line.

Running
    ./x86_64-softmmu/qemu-system-x86_64 -M q35-1.5 -redir tcp:8022::22
will result in the error message:
    qemu-system-x86_64: -redir tcp:8022::22: unsupported machine type
    Use -machine help to list supported machines

Fixed it by restoring the error location and also extracted the code
dealing with machine options into a separate function.

Reported-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
Signed-off-by: Marcel Apfelbaum <address@hidden>
Reviewed-by: Eduardo Habkost <address@hidden>
Signed-off-by: Eduardo Habkost <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
(cherry picked from commit 34f405ae6d5c4170b192a12b2e654a2aea0c3b50)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a2ae168821a5ef2b000a3e61837a77ba8cc43013
      
https://github.com/qemu/qemu/commit/a2ae168821a5ef2b000a3e61837a77ba8cc43013
  Author: Greg Kurz <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M hw/core/machine.c
    M include/hw/boards.h
    M migration/savevm.c
    M qemu-options.hx

  Log Message:
  -----------
  migration: allow machine to enforce configuration section migration

Migration of pseries-2.3 doesn't have a configuration section. Unfortunately,
QEMU 2.4/2.4.1/2.5 are buggy and always stream and expect the configuration
section, and break migration both ways.

This patch introduces a property which allows enforcing a configuration
section for machines which don't have one.

It can be set at startup:

-machine enforce-config-section=on

or later from the QEMU monitor:

qom-set /machine enforce-config-section on

It is up to the tooling to set or unset this property according to the
version of the QEMU at the other end of the pipe.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Laurent Vivier <address@hidden>
Reviewed-by: Juan Quintela <address@hidden>
Signed-off-by: David Gibson <address@hidden>
(cherry picked from commit 902c053d834e3b802ec736f170edf226d4a841ff)

Conflicts:
        qemu-options.hx

* removed context dependency on 87252e1b
* added to provide 2.5<->2.5.1 migration compat option for
  pseries-2.3 machines

Signed-off-by: Michael Roth <address@hidden>


  Commit: aaf4fb6afb4653c86059255811886a5c4ea271f3
      
https://github.com/qemu/qemu/commit/aaf4fb6afb4653c86059255811886a5c4ea271f3
  Author: John Snow <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M hw/ide/ahci.c

  Log Message:
  -----------
  ahci: Do not unmap NULL addresses

Definitely don't try to unmap a garbage address.

Reported-by: Zuozhi fzz <address@hidden>
Signed-off-by: John Snow <address@hidden>
Message-id: address@hidden
(cherry picked from commit 99b4cb71069f109b79b27bc629fc0cf0886dbc4b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 24fe899c3c9d5c4d2a156a26e08e905ab8e98384
      
https://github.com/qemu/qemu/commit/24fe899c3c9d5c4d2a156a26e08e905ab8e98384
  Author: Wolfgang Bumiller <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M hmp.c
    M include/ui/console.h
    M ui/input-legacy.c

  Log Message:
  -----------
  hmp: fix sendkey out of bounds write (CVE-2015-8619)

When processing the 'sendkey' command, the hmp_sendkey routine
null-terminates the 'keyname_buf' array. This results in an OOB
write issue if 'keyname_len' were to fall outside of the
'keyname_buf' array.

Since the keyname's length is known the keyname_buf can be
removed altogether by adding a length parameter to
index_from_key() and using it for the error output as well.

Reported-by: Ling Liu <address@hidden>
Signed-off-by: Wolfgang Bumiller <address@hidden>
Message-Id: <address@hidden>
[Comparison with "<" dumbed down, test for junk after strtoul()
tweaked]
Signed-off-by: Markus Armbruster <address@hidden>

(cherry picked from commit 64ffbe04eaafebf4045a3ace52a360c14959d196)

Conflicts:
        hmp.c

* removed dependency on 7fb1cf16

Signed-off-by: Michael Roth <address@hidden>
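The second paragraph of the commit message describes the fix in one sentence: stop copying the key name into a fixed buffer and instead pass a length to the lookup. The block below is an added example of that shape, not QEMU's hmp.c or ui/input-legacy.c: the key-name table is a constructed subset with hypothetical entries, `index_from_key` takes a (pointer, length) pair that need not be NUL-terminated, and `parse_keys` walks a "name-name-name" specification with no intermediate buffer at all, so there is no buffer whose bounds a long or malformed token could exceed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed table standing in for the emulator's key-name table
 * (hypothetical subset for this example). */
static const char *const key_names[] = {
    "shift", "ctrl", "alt", "a", "b", "c", "ret", "spc",
};
#define KEY_NAMES_NR (sizeof(key_names) / sizeof(key_names[0]))

/*
 * Look up a key by a (pointer, length) pair. strncmp alone would accept
 * "ctr" for "ctrl", so also require the table entry to end exactly where
 * the token ends. key_names[i][len] is only read after strncmp matched
 * len characters, so the entry is at least len long and the read is safe.
 */
int index_from_key(const char *key, size_t len)
{
    for (size_t i = 0; i < KEY_NAMES_NR; i++) {
        if (strncmp(key_names[i], key, len) == 0 && key_names[i][len] == '\0') {
            return (int)i;
        }
    }
    return -1;                    /* unknown, empty, or over-long name */
}

/*
 * Parse "ctrl-alt-a" into key indices. Returns the number of keys, or -1
 * with *bad_off set to the offset of the token that failed (for the error
 * message), so the caller can report it without ever copying the token.
 */
int parse_keys(const char *spec, int *out, size_t max_out, size_t *bad_off)
{
    size_t n = 0;
    const char *p = spec;

    for (;;) {
        const char *sep = strchr(p, '-');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        int idx = index_from_key(p, len);

        if (idx < 0 || n == max_out) {
            if (bad_off) {
                *bad_off = (size_t)(p - spec);
            }
            return -1;
        }
        out[n++] = idx;
        if (!sep) {
            return (int)n;
        }
        p = sep + 1;
    }
}

/* Wrappers over a caller-side array so results can be checked directly. */
int demo_count(const char *spec)
{
    int out[8];
    return parse_keys(spec, out, 8, NULL);
}

long demo_bad_off(const char *spec)
{
    int out[8];
    size_t off = 0;
    return parse_keys(spec, out, 8, &off) < 0 ? (long)off : -1L;
}

int demo_key_at(const char *spec, size_t i)
{
    int out[8];
    if (parse_keys(spec, out, 8, NULL) <= (int)i) {
        return -1;
    }
    return out[i];
}
```

Note that `index_from_key` rejects an empty token (`"ctrl--a"`) for free: a zero-length `strncmp` matches every entry, but no entry has `'\0'` at position 0.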


  Commit: b47809c6b320fda1713be84d80845bfcb7eebca3
      
https://github.com/qemu/qemu/commit/b47809c6b320fda1713be84d80845bfcb7eebca3
  Author: P J P <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M hw/i386/kvmvapic.c

  Log Message:
  -----------
  i386: avoid null pointer dereference

    Hello,

A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
occurs while doing I/O port write operations via hmp interface. In that,
'current_cpu' remains null as it is not called from cpu_exec loop, which
results in the said issue.

Below is a proposed (tested) patch to fix this issue; does it look okay?

===
>From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <address@hidden>
Date: Fri, 18 Dec 2015 11:16:07 +0530
Subject: [PATCH] i386: avoid null pointer dereference

When an I/O port write operation is called from the hmp interface,
'current_cpu' remains null, as it is not called from the cpu_exec()
loop. This leads to a null pointer dereference in the vapic_write
routine. Add a check to avoid it.

Reported-by: Ling Liu <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Signed-off-by: P J P <address@hidden>
(cherry picked from commit 4c1396cb576c9b14425558b73de1584c7a9735d7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4f046a6ba1d558eb043dc13a80d40cf7cb62ef95
      
https://github.com/qemu/qemu/commit/4f046a6ba1d558eb043dc13a80d40cf7cb62ef95
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M hw/ide/ahci.c

  Log Message:
  -----------
  ide: ahci: reset ncq object to unused on error

When processing NCQ commands, AHCI device emulation prepares an
NCQ transfer object, to which an aio control block (aiocb) object
is assigned in 'execute_ncq_command'. In case the NCQ
command is invalid, the 'aiocb' object is not assigned, and the NCQ
transfer object is left as 'used'. This leads to a use-after-free
kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
Reset the NCQ transfer object to 'unused' to avoid it.

[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Reviewed-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>
(cherry picked from commit 4ab0359a8ae182a7ac5c99609667273167703fab)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d0ee85b4e4c6cc2c8fac311d6df2ed412ed0df5f
      
https://github.com/qemu/qemu/commit/d0ee85b4e4c6cc2c8fac311d6df2ed412ed0df5f
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M net/checksum.c

  Log Message:
  -----------
  net: check packet payload length

While computing the IP checksum, 'net_checksum_calculate' reads the
payload length from the packet. It could exceed the given 'data'
buffer size. Add a check to avoid it.

Reported-by: Liu Ling <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit 362786f14a753d8a5256ef97d7c10ed576d6572b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 38e09211b6ab29a21788a39166ded08c1724879d
      
https://github.com/qemu/qemu/commit/38e09211b6ab29a21788a39166ded08c1724879d
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M hw/net/ne2000.c

  Log Message:
  -----------
  net: ne2000: fix bounds check in ioport operations

While doing ioport r/w operations, ne2000 device emulation suffers
from OOB r/w errors. Update respective array bounds check to avoid
OOB access.

Reported-by: Ling Liu <address@hidden>
Cc: address@hidden
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit aa7f9966dfdff500bbbf1956d9e115b1fa8987a6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4dcd2f13b1bf7f23a587d0e832ff30d2da6291a1
      
https://github.com/qemu/qemu/commit/4dcd2f13b1bf7f23a587d0e832ff30d2da6291a1
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M hw/usb/hcd-ehci.c

  Log Message:
  -----------
  usb: check page select value while processing iTD

While processing isochronous transfer descriptors (iTD), the page
select (PG) field value could lead to an OOB read access. Add a
check to avoid it.

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 49d925ce50383a286278143c05511d30ec41a36e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e3a2cdfcb5e282139217924044ec5af00c7f8eed
      
https://github.com/qemu/qemu/commit/e3a2cdfcb5e282139217924044ec5af00c7f8eed
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M hw/usb/dev-network.c

  Log Message:
  -----------
  usb: check RNDIS buffer offsets & length

When processing remote NDIS control message packets,
the USB Net device emulator uses a fixed-length (4096) data buffer.
The incoming informationBufferOffset & Length combination could
overflow and cross that range. Check control message buffer
offsets and length to avoid it.

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit fe3c546c5ff2a6210f9a4d8561cc64051ca8603e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9bddb45dbc010cd8ee4d48bd501fa5d18dcec00c
      
https://github.com/qemu/qemu/commit/9bddb45dbc010cd8ee4d48bd501fa5d18dcec00c
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M hw/usb/core.c

  Log Message:
  -----------
  usb: check RNDIS message length

When processing remote NDIS control message packets, the USB Net
device emulator uses a fixed-length (4096) data buffer. The incoming
packet length could exceed this limit. Add a check to avoid it.

Signed-off-by: Prasad J Pandit <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 64c9bc181fc78275596649f591302d72df2d3071)
Signed-off-by: Michael Roth <address@hidden>
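Three commits in this batch share one defect class: a length or offset read from guest-supplied data ("net: check packet payload length", "usb: check RNDIS buffer offsets & length", and "usb: check RNDIS message length" above) is used to index a buffer whose real size is known to the emulator. The block below is an added example for all three, not code from hw/usb/dev-network.c, hw/usb/core.c or net/checksum.c: `span_within` is the overflow-safe range test, `ctrl_info_buffer` applies it to a constructed control-message header whose field names follow the commit text (the 16-byte layout and the "offset relative to message start" convention are assumptions for the demo, not the RNDIS specification), and `ip_payload_len_checked` clamps an IPv4 total-length field against the bytes actually received. The sample messages are constructed; `msg_wrap` carries an offset chosen so that a naive `off + len <= size` check would wrap and pass.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define CTRL_BUF_LEN 4096u   /* fixed control-message buffer size named in the commits */
#define HDR_LEN      16u     /* assumed header size for the constructed format */

/*
 * True if [off, off + len) lies inside a buffer of buf_len bytes. The two
 * comparisons never compute off + len, so a huge offset cannot wrap the
 * sum back into range.
 */
bool span_within(size_t buf_len, uint32_t off, uint32_t len)
{
    return off <= buf_len && len <= buf_len - off;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Constructed header: msg_type, msg_len, info_buf_len, info_buf_off (all
 * 32-bit little-endian). Returns a pointer to the information buffer, or
 * NULL if any declared length or offset would escape the message or the
 * fixed buffer.
 */
const uint8_t *ctrl_info_buffer(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN) {
        return NULL;                      /* too short to hold a header */
    }
    uint32_t msg_len  = le32(pkt + 4);
    uint32_t info_len = le32(pkt + 8);
    uint32_t info_off = le32(pkt + 12);

    /* Declared message length vs. the fixed buffer and the bytes received. */
    if (msg_len > CTRL_BUF_LEN || msg_len > pkt_len || msg_len < HDR_LEN) {
        return NULL;
    }
    /* The information buffer must lie inside the (validated) message. */
    if (!span_within(msg_len, info_off, info_len)) {
        return NULL;
    }
    return pkt + info_off;
}

/*
 * IPv4: the total-length field is untrusted input, so it is checked against
 * the bytes actually present before it is used as a payload length.
 * Returns the payload length, or -1 if the header lies about the buffer.
 */
int ip_payload_len_checked(const uint8_t *data, size_t size)
{
    if (size < 20 || (data[0] >> 4) != 4) {
        return -1;
    }
    size_t ihl   = (size_t)(data[0] & 0x0f) * 4;
    size_t total = (size_t)data[2] << 8 | data[3];
    if (ihl < 20 || total < ihl || total > size) {
        return -1;
    }
    return (int)(total - ihl);
}

/* Constructed samples. Well-formed: 16-byte header plus 8 info bytes. */
static const uint8_t msg_ok[] = {
    0x02, 0x00, 0x00, 0x00,   /* msg_type */
    0x18, 0x00, 0x00, 0x00,   /* msg_len = 24 */
    0x08, 0x00, 0x00, 0x00,   /* info_len = 8 */
    0x10, 0x00, 0x00, 0x00,   /* info_off = 16 */
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
};
/* 0xFFFFFFF8 + 16 wraps to 8 in 32 bits, so a naive check would accept it. */
static const uint8_t msg_wrap[] = {
    0x02, 0x00, 0x00, 0x00,
    0x18, 0x00, 0x00, 0x00,   /* msg_len = 24 */
    0x10, 0x00, 0x00, 0x00,   /* info_len = 16 */
    0xF8, 0xFF, 0xFF, 0xFF,   /* info_off = 0xFFFFFFF8 */
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
};
/* Constructed IPv4/UDP header: IHL 5, total length 28, then 8 payload bytes. */
static const uint8_t ip_ok[] = {
    0x45, 0x00, 0x00, 0x1c, 0, 0, 0, 0, 0x40, 0x11, 0, 0,
    10, 0, 0, 1, 10, 0, 0, 2,
    1, 2, 3, 4, 5, 6, 7, 8,
};

const uint8_t *demo_ok(void)   { return ctrl_info_buffer(msg_ok, sizeof msg_ok); }
const uint8_t *demo_wrap(void) { return ctrl_info_buffer(msg_wrap, sizeof msg_wrap); }
int demo_ip_ok(void)           { return ip_payload_len_checked(ip_ok, sizeof ip_ok); }
```

The order of the two checks in `ctrl_info_buffer` matters: the inner offset/length pair is validated against the already-validated `msg_len`, never against the raw fixed buffer size, so a message cannot point into stale bytes beyond its own end.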


  Commit: 80b6e5723fac428ea6c08c821078286f43975df8
      
https://github.com/qemu/qemu/commit/80b6e5723fac428ea6c08c821078286f43975df8
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M hw/usb/dev-network.c

  Log Message:
  -----------
  usb: check USB configuration descriptor object

When processing remote NDIS control message packets, the USB Net
device emulator checks to see if the USB configuration descriptor
object is of RNDIS type (2). But it does not check if it is null,
which leads to a null dereference error. Add a check to avoid it.

Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 80eecda8e5d09c442c24307f340840a5b70ea3b9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: acea76c162a51fa3c65426d64c74cfc67063df00
      
https://github.com/qemu/qemu/commit/acea76c162a51fa3c65426d64c74cfc67063df00
  Author: Fam Zheng <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M block/vmdk.c

  Log Message:
  -----------
  vmdk: Create streamOptimized as version 3

VMware products accept only version 3 for streamOptimized, let's bump
the version.

Reported-by: Radoslav Gerganov <address@hidden>
Signed-off-by: Fam Zheng <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit d62d9dc4b814950dcc8bd261a3e2e9300d9065e6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 078de11898a90268184eebd5f557e013ca3ff012
      
https://github.com/qemu/qemu/commit/078de11898a90268184eebd5f557e013ca3ff012
  Author: Fam Zheng <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M block/vmdk.c

  Log Message:
  -----------
  vmdk: Fix converting to streamOptimized

Commit d62d9dc4b8 lifted streamOptimized images' version to 3, but we
now refuse to open version 3 images read-write.  We need to make
streamOptimized an exception to allow converting to it. This fixes the
accidentally broken iotests case 059 for the same reason.

Signed-off-by: Fam Zheng <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Signed-off-by: Max Reitz <address@hidden>
(cherry picked from commit 3db1d98a20262228373bb973ca62b1ab64b29af4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5f409b108f36f15a674cf3141f8659b750e13456
      
https://github.com/qemu/qemu/commit/5f409b108f36f15a674cf3141f8659b750e13456
  Author: Denis V. Lunev <address@hidden>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M target-i386/kvm.c

  Log Message:
  -----------
  hyperv: cpu hotplug fix with HyperV enabled

With Hyper-V enabled, CPU hotplug stops working. The CPU appears
in device manager on Windows but does not appear in performance
monitor and control panel.

The root of the problem is the following. Windows checks
HV_X64_CPU_DYNAMIC_PARTITIONING_AVAILABLE bit in CPUID. The
presence of this bit is enough to cure the situation.

The bit should be set when CPU hotplug is allowed for HyperV VM.
The check that hot_add_cpu callback is defined is enough from the
protocol point of view. Though this callback is defined almost
always thus there is no need to export that knowledge in the
other way.

Signed-off-by: Denis V. Lunev <address@hidden>
Reviewed-by: Roman Kagan <address@hidden>
CC: Paolo Bonzini <address@hidden>
CC: Richard Henderson <address@hidden>
CC: Eduardo Habkost <address@hidden>
CC: "Andreas Färber" <address@hidden>
Reviewed-by: Eduardo Habkost <address@hidden>
Signed-off-by: Eduardo Habkost <address@hidden>
(cherry picked from commit 4467c6c118b85133846785f517e5733112e811b4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a58047f7fbb055677e45c9a7d65ba40fbfad4b92
      
https://github.com/qemu/qemu/commit/a58047f7fbb055677e45c9a7d65ba40fbfad4b92
  Author: Michael Roth <address@hidden>
  Date:   2016-03-29 (Tue, 29 Mar 2016)

  Changed paths:
    M VERSION

  Log Message:
  -----------
  Update version for 2.5.1 release

Signed-off-by: Michael Roth <address@hidden>


Compare: https://github.com/qemu/qemu/compare/0d335804e31b^...a58047f7fbb0
