qemu-commits
From: GitHub
Subject: [Qemu-commits] [qemu/qemu] d00ba3: i386: kvmvapic: initialise imm32 variable
Date: Wed, 17 Aug 2016 12:30:09 -0700

  Branch: refs/heads/stable-2.6
  Home:   https://github.com/qemu/qemu
  Commit: d00ba3fa9b58b3128edef8e4ed840921e29dcd88
      https://github.com/qemu/qemu/commit/d00ba3fa9b58b3128edef8e4ed840921e29dcd88
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M hw/i386/kvmvapic.c

  Log Message:
  -----------
  i386: kvmvapic: initialise imm32 variable

When processing Task Priority Register (TPR) access, it could leak
automatic stack variable 'imm32' in patch_instruction().
Initialise the variable to avoid it.

Reported by: Donghai Zdh <address@hidden>
Cc: address@hidden
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>

(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5b6c12e2456ed97452c237343a64b2a01aa7a73a
      https://github.com/qemu/qemu/commit/5b6c12e2456ed97452c237343a64b2a01aa7a73a
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M include/ui/spice-display.h
    M ui/spice-display.c

  Log Message:
  -----------
  spice/gl: add & use qemu_spice_gl_monitor_config

Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
(cherry picked from commit 39414ef4e93db9041e463a097084a407d0d374f0)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 07a3a482c3d10c2b83e5a3052428db502578179a
      https://github.com/qemu/qemu/commit/07a3a482c3d10c2b83e5a3052428db502578179a
  Author: Li Zhijian <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M vl.c

  Log Message:
  -----------
  vl: change runstate only if new state is different from current state

Previously, qemu will abort at following scenario:
(qemu) stop
(qemu) system_reset
(qemu) system_reset
(qemu) 2016-04-13T20:54:38.979158Z qemu-system-x86_64: invalid runstate transition: 'prelaunch' -> 'prelaunch'

Signed-off-by: Li Zhijian <address@hidden>
Acked-by: Paolo Bonzini <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit e92a2d9cb3d8f589c9fe5d2eacc83d8dddea0e16)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5a908cb1a8a3cfcade9d35b6819168785ca1fe78
      https://github.com/qemu/qemu/commit/5a908cb1a8a3cfcade9d35b6819168785ca1fe78
  Author: Hemant Kumar <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M scripts/kvm/kvm_stat

  Log Message:
  -----------
  tools: kvm_stat: Powerpc related fixes

kvm_stat script is failing to execute on powerpc:
 # ./kvm_stat
Traceback (most recent call last):
  File "./kvm_stat", line 825, in <module>
    main()
  File "./kvm_stat", line 813, in main
    providers = get_providers(options)
  File "./kvm_stat", line 778, in get_providers
    providers.append(TracepointProvider())
  File "./kvm_stat", line 416, in __init__
    self.filters = get_filters()
  File "./kvm_stat", line 315, in get_filters
    if ARCH.exit_reasons:
AttributeError: 'ArchPPC' object has no attribute 'exit_reasons'

This is because it's trying to access a non-defined attribute.

Also, the IOCTL number of RESET is incorrect for powerpc. The correct
number has been added.

Signed-off-by: Hemant Kumar <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
* cherry-picked from linux commit c7d4fb5a
Signed-off-by: Michael Roth <address@hidden>


  Commit: ea819be42bf460519d285cc8336defe247fb3739
      https://github.com/qemu/qemu/commit/ea819be42bf460519d285cc8336defe247fb3739
  Author: Dominik Dingel <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M exec.c
    M include/qemu/osdep.h
    M util/oslib-posix.c

  Log Message:
  -----------
  exec.c: Ensure right alignment also for file backed ram

While in the anonymous ram case we already take care of the right alignment,
such an alignment guarantee does not exist for file backed ram allocation.

Instead, pagesize is used for alignment. On s390 this is not enough for gmap,
as we need to satisfy an alignment up to segments.

Reported-by: Halil Pasic <address@hidden>
Signed-off-by: Dominik Dingel <address@hidden>

Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit d2f39add725e2be849f5fb014a72368f711056fc)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2cf1a1223b915ad6813dfc8da9e866d68a11a575
      https://github.com/qemu/qemu/commit/2cf1a1223b915ad6813dfc8da9e866d68a11a575
  Author: Roman Kagan <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M hw/usb/hcd-xhci.c

  Log Message:
  -----------
  usb:xhci: no DMA on HC reset

This patch is a rough fix to a memory corruption we are observing when
running VMs with xhci USB controller and OVMF firmware.

Specifically, on the following call chain

xhci_reset
  xhci_disable_slot
    xhci_disable_ep
      xhci_set_ep_state

QEMU overwrites guest memory using stale guest addresses.

This doesn't happen when the guest (firmware) driver sets up xhci for
the first time as there are no slots configured yet.  However when the
firmware hands over the control to the OS some slots and endpoints are
already set up with their context in the guest RAM.  Now the OS' driver
resets the controller again and xhci_set_ep_state then reads and writes
that memory which is now owned by the OS.

As a quick fix, skip calling xhci_set_ep_state in xhci_disable_ep if the
device context base address array pointer is zero (indicating we're in
the HC reset and no DMA is possible).

Cc: address@hidden
Signed-off-by: Roman Kagan <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 491d68d9382dbb588f2ff5132ee3d87ce2f1b230)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a525decfaa3449f1458ea2d7a06320cf46aebf3f
      https://github.com/qemu/qemu/commit/a525decfaa3449f1458ea2d7a06320cf46aebf3f
  Author: Aurelien Jarno <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M target-mips/helper.c

  Log Message:
  -----------
  target-mips: fix call to memset in soft reset code

Recent versions of GCC report the following error when compiling
target-mips/helper.c:

  qemu/target-mips/helper.c:542:9: warning: ‘memset’ used with length
  equal to number of elements without multiplication by element size
  [-Wmemset-elt-size]

This is indeed correct and due to a wrong usage of sizeof(). Fix that.

Cc: Stefan Weil <address@hidden>
Cc: Leon Alrae <address@hidden>
Cc: address@hidden
LP: https://bugs.launchpad.net/qemu/+bug/1577841
Signed-off-by: Aurelien Jarno <address@hidden>
Reviewed-by: Stefan Weil <address@hidden>
Reviewed-by: Leon Alrae <address@hidden>
Signed-off-by: Leon Alrae <address@hidden>
(cherry picked from commit 9d989c732b153fe1576adbddb9879313a24d3cd2)
Signed-off-by: Michael Roth <address@hidden>


  Commit: bd5d278668f33aa08755a982986cd1159746c037
      https://github.com/qemu/qemu/commit/bd5d278668f33aa08755a982986cd1159746c037
  Author: Paolo Bonzini <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M target-i386/translate.c

  Log Message:
  -----------
  target-i386: key sfence availability on CPUID_SSE, not CPUID_SSE2

sfence was introduced before lfence and mfence.  This fixes Linux
2.4's measurement of checksumming speeds for the pIII_sse
algorithm:

md: linear personality registered as nr 1
md: raid0 personality registered as nr 2
md: raid1 personality registered as nr 3
md: raid5 personality registered as nr 4
raid5: measuring checksumming speed
   8regs     :   384.400 MB/sec
   32regs    :   259.200 MB/sec
invalid operand: 0000
CPU:    0
EIP:    0010:[<c0240b2a>]    Not tainted
EFLAGS: 00000246
eax: c15d8000   ebx: 00000000   ecx: 00000000   edx: c15d5000
esi: 8005003b   edi: 00000004   ebp: 00000000   esp: c15bdf50
ds: 0018   es: 0018   ss: 0018
Process swapper (pid: 1, stackpage=c15bd000)
Stack: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
       00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
       00000000 00000206 c0241c6c 00001000 c15d4000 c15d7000 c15d4000 c15d4000
Call Trace:    [<c0241c6c>] [<c0105000>] [<c0241db4>] [<c010503b>] [<c0105000>]
  [<c0107416>] [<c0105030>]

Code: 0f ae f8 0f 10 04 24 0f 10 4c 24 10 0f 10 54 24 20 0f 10 5c
 <0>Kernel panic: Attempted to kill init!

Reported-by: Stefan Weil <address@hidden>
Fixes: 121f3157887f92268a3d6169e2d4601f9292020b
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 14cb949a3e2efd64ea3271b919b33b452ce7b180)
Signed-off-by: Michael Roth <address@hidden>


  Commit: dbbadeb48c753af6327030a7dbd1d887009ae27d
      https://github.com/qemu/qemu/commit/dbbadeb48c753af6327030a7dbd1d887009ae27d
  Author: Stefan Weil <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M configure

  Log Message:
  -----------
  configure: Allow builds with extra warnings

The clang compiler supports a useful compiler option -Weverything,
and GCC also has other warnings not enabled by -Wall.

If glib header files trigger a warning, however, testing glib with
-Werror will always fail. A size mismatch is also detected without
-Werror, so simply remove it.

Cc: address@hidden
Signed-off-by: Stefan Weil <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 5919e0328b7d6a08a661c3c747bae3e841d4e6f4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9520c6cb1f7e0c6e61c318c1022c64e4ed776335
      https://github.com/qemu/qemu/commit/9520c6cb1f7e0c6e61c318c1022c64e4ed776335
  Author: Greg Kurz <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M migration/migration.c

  Log Message:
  -----------
  migration: regain control of images when migration fails to complete

We currently have an error path during migration that can cause
the source QEMU to abort:

migration_thread()
  migration_completion()
    runstate_is_running() ----------------> true if guest is running
    bdrv_inactivate_all() ----------------> inactivate images
    qemu_savevm_state_complete_precopy()
     ... qemu_fflush()
     socket_writev_buffer() --------> error because destination fails
   qemu_fflush() -------------------> set error on migration stream
  migration_completion() -----------------> set migrate state to FAILED
migration_thread() -----------------------> break migration loop
  vm_start() -----------------------------> restart guest with inactive images

and you get:

qemu-system-ppc64: socket_writev_buffer: Got err=104 for (32768/18446744073709551615)
qemu-system-ppc64: /home/greg/Work/qemu/qemu-master/block/io.c:1342:bdrv_co_do_pwritev: Assertion `!(bs->open_flags & 0x0800)' failed.
Aborted (core dumped)

If we try postcopy with a similar scenario, we also get the writev error
message but QEMU leaves the guest paused because entered_postcopy is true.

We could possibly do the same with precopy and leave the guest paused.
But since the historical default for migration errors is to restart the
source, this patch adds a call to bdrv_invalidate_cache_all() instead.

Signed-off-by: Greg Kurz <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Amit Shah <address@hidden>
(cherry picked from commit fe904ea8242cbae2d7e69c052c754b8f5f1ba1d6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ebe0376e8cd0a6b2318096992a0902663d58e522
      https://github.com/qemu/qemu/commit/ebe0376e8cd0a6b2318096992a0902663d58e522
  Author: Eric Blake <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M qobject/json-streamer.c

  Log Message:
  -----------
  json-streamer: Don't leak tokens on incomplete parse

Valgrind complained about a number of leaks in
tests/check-qobject-json:

==12657==    definitely lost: 17,247 bytes in 1,234 blocks

All of which had the same root cause: on an incomplete parse,
we were abandoning the token queue without cleaning up the
allocated data within each queue element.  Introduced in
commit 95385fe, when we switched from QList (which recursively
frees contents) to g_queue (which does not).

We don't yet require glib 2.32 with its g_queue_free_full(),
so open-code it instead.

CC: address@hidden
Signed-off-by: Eric Blake <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
(cherry picked from commit ba4dba54347d5062436a8553f527dbbed6dcf069)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2522f0fcd17218a0c8f513663ce868410dc120c9
      https://github.com/qemu/qemu/commit/2522f0fcd17218a0c8f513663ce868410dc120c9
  Author: Paolo Bonzini <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M qobject/json-streamer.c

  Log Message:
  -----------
  json-streamer: fix double-free on exiting during a parse

Now that json-streamer tries not to leak tokens on incomplete parse,
the tokens can be freed twice if QEMU destroys the json-streamer
object during the parser->emit call.  To fix this, create the new
empty GQueue earlier, so that it is already in place when the old
one is passed to parser->emit.

Reported-by: Changlong Xie <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit a942d8fa01f65279cdc135f4294db611bbc088ef)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0a5e3685ea10c578f8063ca0dbb009af45693d85
      https://github.com/qemu/qemu/commit/0a5e3685ea10c578f8063ca0dbb009af45693d85
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: check command buffer length before write (CVE-2016-4439)

The 53C9X Fast SCSI Controller (FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer. While
writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
was missing to validate input length. Add check to avoid OOB write
access.

Fixes CVE-2016-4439.

Reported-by: Li Qiang <address@hidden>
Cc: address@hidden
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9b28a7fc883f570f7aef582721deb16fd743bee4
      https://github.com/qemu/qemu/commit/9b28a7fc883f570f7aef582721deb16fd743bee4
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  esp: check dma length before reading scsi command (CVE-2016-4441)

The 53C9X Fast SCSI Controller (FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd() uses DMA to read scsi commands into this buffer.
Add check to validate DMA length against buffer size to avoid any
overrun.

Fixes CVE-2016-4441.

Reported-by: Li Qiang <address@hidden>
Cc: address@hidden
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90)
Signed-off-by: Michael Roth <address@hidden>


  Commit: cba9a8042fb9f887c191e26826d6b236bae53c03
      https://github.com/qemu/qemu/commit/cba9a8042fb9f887c191e26826d6b236bae53c03
  Author: Peter Lieven <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M block/nfs.c

  Log Message:
  -----------
  block/nfs: refuse readahead if cache.direct is on

If we open an NFS export with disabled cache we should refuse
the readahead feature as it will cache data inside libnfs.

If an export was opened with readahead enabled it should
further not be allowed to disable the cache while running.

Cc: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Reviewed-by: Jeff Cody <address@hidden>
Message-id: address@hidden
Signed-off-by: Jeff Cody <address@hidden>
(cherry picked from commit 38f8d5e0251ae7d8257cf099cb3e5a375ef60378)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a1f006fe937bcbb163f4759eae865d6515239128
      https://github.com/qemu/qemu/commit/a1f006fe937bcbb163f4759eae865d6515239128
  Author: Thomas Huth <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M hw/usb/hcd-ohci.c

  Log Message:
  -----------
  usb/ohci: Fix crash when specifying too many num-ports

QEMU currently crashes when an OHCI controller is instantiated with
too many ports, e.g. "-device pci-ohci,num-ports=100,masterbus=1".
Thus add a proper check in usb_ohci_init() to make sure that we
do not use more than OHCI_MAX_PORTS = 15 ports here.

Ticket: https://bugs.launchpad.net/qemu/+bug/1581308
Signed-off-by: Thomas Huth <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit d400fc018b326104d26d730e5cc8c36c1f662c34)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7ff5dc445d6bb392f9fb3d0a254ef9071304780b
      https://github.com/qemu/qemu/commit/7ff5dc445d6bb392f9fb3d0a254ef9071304780b
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-08-04 (Thu, 04 Aug 2016)

  Changed paths:
    M hw/display/vga.c
    M hw/display/vga_int.h

  Log Message:
  -----------
  vga: add sr_vbe register set

Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
(CVE-2016-3712)." causes a regression.  The win7 installer is unhappy
because it can't freely modify vga registers any more while in vbe mode.

This patch introduces a new sr_vbe register set.  The vbe_update_vgaregs
will fill sr_vbe[] instead of sr[].  Normal vga register reads and
writes go to sr[].  Any sr register read access happens through a new
sr() helper function which will read from sr_vbe[] with vbe active and
from sr[] otherwise.

This way we can allow guests to update sr[] registers as they want, without
allowing them to disrupt vbe video modes that way.

Cc: address@hidden
Reported-by: Thomas Lamprecht <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6e7ee9862be4e143f9aabdd792d0b9fc92b842a3
      https://github.com/qemu/qemu/commit/6e7ee9862be4e143f9aabdd792d0b9fc92b842a3
  Author: Gavin Shan <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/vfio/common.c

  Log Message:
  -----------
  vfio: Fix broken EEH

vfio_eeh_container_op() is the backend that communicates with
host kernel to support EEH functionality in QEMU. However, the
function should return the value from host kernel instead of 0
unconditionally.

dwg: Specifically the problem occurs for the handful of EEH
sub-operations which can return a non-zero, non-error result.

Signed-off-by: Gavin Shan <address@hidden>
Acked-by: Alex Williamson <address@hidden>
[dwg: clarification to commit message]
Signed-off-by: David Gibson <address@hidden>

(cherry picked from commit d917e88d85a147a99f38a62a4f95cac21e366d51)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 509e13298f498117f9283afb9dfceaf3edac17ff
      https://github.com/qemu/qemu/commit/509e13298f498117f9283afb9dfceaf3edac17ff
  Author: Peter Lieven <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M block/iscsi.c

  Log Message:
  -----------
  block/iscsi: avoid potential overflow of acb->task->cdb

At least in the path via virtio-blk the maximum size is not
restricted.

Cc: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
Signed-off-by: Michael Roth <address@hidden>


  Commit: fb26337641ef7e68c8e633139c18b7832978cd47
      https://github.com/qemu/qemu/commit/fb26337641ef7e68c8e633139c18b7832978cd47
  Author: Eric Blake <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M nbd/server.c

  Log Message:
  -----------
  nbd: Don't trim unrequested bytes

Similar to commit df7b97ff, we are mishandling clients that
give an unaligned NBD_CMD_TRIM request, and potentially
trimming bytes that occur before their request; which in turn
can cause potential unintended data loss (unlikely in
practice, since most clients are sane and issue aligned trim
requests).  However, while we fixed read and write by switching
to the byte interfaces of blk_, we don't yet have a byte
interface for discard.  On the other hand, trim is advisory, so
rounding the user's request to simply ignore the first and last
unaligned sectors (or the entire request, if it is sub-sector
in length) is just fine.

CC: address@hidden
Signed-off-by: Eric Blake <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 353ab969730742b7392414d62f4ba9632e8cf22c)
Signed-off-by: Michael Roth <address@hidden>
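An added example of the inward rounding the commit describes, placed beside the outward rounding that would touch bytes the client never asked for. This is not QEMU's nbd/server.c: ByteRange, trim_round_*, touches_unrequested and SECTOR_SIZE are hypothetical names standing in for the discard granularity.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical granularity of the underlying discard interface. */
#define SECTOR_SIZE 512u
#define SECTOR_MASK (~(uint64_t)(SECTOR_SIZE - 1))

typedef struct { uint64_t offset, length; } ByteRange;

/* The hazard: rounding a request *outward* to sector boundaries discards
 * bytes before 'offset' and after 'offset + length' that belong to the
 * client's other data. Shown only to contrast with the safe version. */
bool trim_round_outward(uint64_t offset, uint64_t length, ByteRange *out)
{
    out->offset = out->length = 0;
    if (length == 0 || offset > UINT64_MAX - length) return false;
    uint64_t end = offset + length;                      /* exclusive */
    if (end > UINT64_MAX - (SECTOR_SIZE - 1)) return false;
    uint64_t start = offset & SECTOR_MASK;               /* rounded down */
    uint64_t aend  = (end + SECTOR_SIZE - 1) & SECTOR_MASK;  /* rounded up */
    out->offset = start;
    out->length = aend - start;
    return true;
}

/* The fix: round *inward*. Trim is advisory, so dropping the partial first
 * and last sectors, or the whole request if it covers no full sector, can
 * never destroy data the client did not ask to discard. */
bool trim_round_inward(uint64_t offset, uint64_t length, ByteRange *out)
{
    out->offset = out->length = 0;
    if (length == 0 || offset > UINT64_MAX - length) return false;  /* wire values */
    if (offset > UINT64_MAX - (SECTOR_SIZE - 1)) return false;
    uint64_t end   = offset + length;                    /* exclusive */
    uint64_t start = (offset + SECTOR_SIZE - 1) & SECTOR_MASK;   /* up */
    uint64_t aend  = end & SECTOR_MASK;                  /* down */
    if (aend <= start) return false;        /* sub-sector request: ignore */
    out->offset = start;
    out->length = aend - start;
    return true;
}

/* True if 'got' covers any byte outside the client's [offset, offset+length). */
bool touches_unrequested(uint64_t offset, uint64_t length, const ByteRange *got)
{
    if (got->length == 0) return false;
    return got->offset < offset || got->offset + got->length > offset + length;
}

/* Single-value wrappers so each result is easy to check. UINT64_MAX / 0
 * mean "request ignored". */
uint64_t inward_offset(uint64_t off, uint64_t len)
{
    ByteRange r;
    return trim_round_inward(off, len, &r) ? r.offset : UINT64_MAX;
}
uint64_t inward_length(uint64_t off, uint64_t len)
{
    ByteRange r;
    return trim_round_inward(off, len, &r) ? r.length : 0;
}
bool outward_is_unsafe(uint64_t off, uint64_t len)
{
    ByteRange r;
    return trim_round_outward(off, len, &r) && touches_unrequested(off, len, &r);
}
bool inward_is_unsafe(uint64_t off, uint64_t len)
{
    ByteRange r;
    return trim_round_inward(off, len, &r) && touches_unrequested(off, len, &r);
}
```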


  Commit: e81a24a7487e502762bcd1f17dce24e8d7c35bc0
      https://github.com/qemu/qemu/commit/e81a24a7487e502762bcd1f17dce24e8d7c35bc0
  Author: Greg Kurz <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M include/migration/migration.h
    M migration/migration.c
    M migration/savevm.c

  Log Message:
  -----------
  savevm: fail if migration blockers are present

QEMU has currently two ways to prevent migration from occurring:
- migration blocker when it depends on runtime state
- VMStateDescription.unmigratable when migration is not supported at all

This patch gathers all the logic into a single function to be called from
both the savevm and the migrate paths.

This fixes a bug with 9p, at least, where savevm would succeed and the
following would happen in the guest after loadvm:

$ ls /host
ls: cannot access /host: Protocol error

With this patch:

(qemu) savevm foo
Migration is disabled when VirtFS export path '/' is mounted in the guest
using mount_tag 'host'

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Message-Id: <address@hidden>

[Update subject according to Paolo's suggestion - Amit]

Signed-off-by: Amit Shah <address@hidden>
(cherry picked from commit 24f3902b088cd4f2dbebfd90527b5d81d6a050e9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 54eb4cf5fc5dc38ac56bb63b8bc5b609f05286a6
      https://github.com/qemu/qemu/commit/54eb4cf5fc5dc38ac56bb63b8bc5b609f05286a6
  Author: Steven Luo <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M configure

  Log Message:
  -----------
  Fix configure test for PBKDF2 in nettle

On my Debian jessie system, including nettle/pbkdf2.h does not cause
NULL to be defined, which causes the test to fail to compile.  Include
stddef.h to bring in a definition of NULL.

Cc: address@hidden
Cc: address@hidden
Signed-off-by: Steven Luo <address@hidden>
Signed-off-by: Michael Tokarev <address@hidden>
(cherry picked from commit 9e87a691bd46846e2232f8c30605c491c85ac987)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8b95d8e1d5157c7875ad6c0315b2b42b1f66a184
      https://github.com/qemu/qemu/commit/8b95d8e1d5157c7875ad6c0315b2b42b1f66a184
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/scsi/vmw_pvscsi.c

  Log Message:
  -----------
  scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)

Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the ring buffer size to an arbitrary
value leading to OOB access issue. Add check to avoid it.

Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Cc: address@hidden
Message-Id: <address@hidden>
Reviewed-by: Shmulik Ladkani <address@hidden>
Reviewed-by: Dmitry Fleytman <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f882993a8c1de20db98216ae0ed964d1f1a09307
      https://github.com/qemu/qemu/commit/f882993a8c1de20db98216ae0ed964d1f1a09307
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/scsi/mptsas.c

  Log Message:
  -----------
  scsi: mptsas: infinite loop while fetching requests

The LSI SAS1068 Host Bus Adapter emulator in Qemu periodically
looks for requests and fetches them. A loop doing that in
mptsas_fetch_requests() could run infinitely if 's->state' was
not operational. Move check to avoid such a loop.

Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Cc: address@hidden
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 06630554ccbdd25780aa03c3548aaff1eb56dffd)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 63a396d1510084c7349f1e90ab9eb31b6ddb5718
      https://github.com/qemu/qemu/commit/63a396d1510084c7349f1e90ab9eb31b6ddb5718
  Author: Fam Zheng <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M block/io.c

  Log Message:
  -----------
  block: Drop bdrv_ioctl_bh_cb

Similar to the "!drv || !drv->bdrv_aio_ioctl" case above, here it is
okay to set co.ret and return. As pointed out by Paolo, a BH will be
created as necessary by the caller (bdrv_co_maybe_schedule_bh).
Besides, as pointed out by Kevin, "data" was leaked before.

Reported-by: Kevin Wolf <address@hidden>
Reported-by: Paolo Bonzini <address@hidden>
Signed-off-by: Fam Zheng <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Message-id: address@hidden
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit c8a9fd80719e63615dac12e3625223fb54aa8430)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 394647d7116703615e0c05a1710c4c77f2b5926a
      https://github.com/qemu/qemu/commit/394647d7116703615e0c05a1710c4c77f2b5926a
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/display/vmware_vga.c

  Log Message:
  -----------
  vmsvga: move fifo sanity checks to vmsvga_fifo_length

Sanity checks are applied when the fifo is enabled by the guest
(SVGA_REG_CONFIG_DONE write).  Which doesn't help much if the guest
changes the fifo registers afterwards.  Move the checks to
vmsvga_fifo_length so they are done each time qemu is about to read
from the fifo.

Fixes: CVE-2016-4454
Cc: address@hidden
Cc: P J P <address@hidden>
Reported-by: 李强 <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3141be668fa508f08d76de576c381692bccd99ad
      https://github.com/qemu/qemu/commit/3141be668fa508f08d76de576c381692bccd99ad
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/display/vmware_vga.c

  Log Message:
  -----------
  vmsvga: add more fifo checks

Make sure all fifo ptrs are within range.

Fixes: CVE-2016-4454
Cc: address@hidden
Cc: P J P <address@hidden>
Reported-by: 李强 <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 71798fda8b6ef8df47c7640ba0bc24d7060ad307
      https://github.com/qemu/qemu/commit/71798fda8b6ef8df47c7640ba0bc24d7060ad307
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/display/vmware_vga.c

  Log Message:
  -----------
  vmsvga: shadow fifo registers

The fifo is normal ram.  So kvm vcpu threads and qemu iothread can
access the fifo in parallel without synchronization.  Which in turn
implies we can't use the fifo pointers in-place because the guest
can try changing them underneath us.  So add shadows for them, to
make sure the guest can't modify them after we've applied sanity
checks.

Fixes: CVE-2016-4454
Cc: address@hidden
Cc: P J P <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d59d37dea4fa8ae716409a828f5ba117ce597da6
      https://github.com/qemu/qemu/commit/d59d37dea4fa8ae716409a828f5ba117ce597da6
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/display/vmware_vga.c

  Log Message:
  -----------
  vmsvga: don't process more than 1024 fifo commands at once

vmsvga_fifo_run is called in regular intervals (on each display update)
and will resume where it left off.  So we can simply exit the loop,
without having to worry about how processing will continue.

Fixes: CVE-2016-4453
Cc: address@hidden
Cc: P J P <address@hidden>
Reported-by: 李强 <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
Signed-off-by: Michael Roth <address@hidden>
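The four vmsvga commits above (moving the checks into vmsvga_fifo_length, checking every fifo pointer, shadowing the pointers, and capping a run at 1024 commands) describe one hardening pattern for memory a guest can rewrite concurrently: copy the pointers once, validate the copies, work only through the copies, and bound the work per pass. The following is an added example in that style, not code from QEMU or from these commits; GuestFifo, FifoShadow, the fifo_* functions and the 8 KiB layout are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names throughout (GuestFifo, FifoShadow, fifo_*): this is
 * not QEMU's vmware_vga.c. The FIFO lives in RAM the guest can rewrite at
 * any moment, even while the host is in the middle of a pass over it. */
#define FIFO_WORDS        2048u              /* constructed: 8 KiB fifo */
#define FIFO_BYTES        (FIFO_WORDS * 4u)
#define FIFO_HDR_BYTES    16u                /* four pointer registers */
#define MAX_CMDS_PER_RUN  1024u              /* work bound per pass */

enum { F_MIN = 0, F_MAX = 1, F_NEXT = 2, F_STOP = 3 };  /* register slots */
typedef struct { uint32_t ram[FIFO_WORDS]; } GuestFifo;          /* shared */
typedef struct { uint32_t min, max, next, stop; } FifoShadow;  /* private */

/* Copy the four pointers out of guest RAM exactly once and validate the
 * copies. Every later access goes through the shadow, so a guest racing us
 * cannot move a pointer out of range after the checks have passed. */
bool fifo_snapshot(const GuestFifo *f, FifoShadow *s)
{
    s->min  = f->ram[F_MIN];
    s->max  = f->ram[F_MAX];
    s->next = f->ram[F_NEXT];
    s->stop = f->ram[F_STOP];
    if ((s->min | s->max | s->next | s->stop) & 3u) return false; /* align */
    if (s->min < FIFO_HDR_BYTES || s->max > FIFO_BYTES) return false;
    if (s->max <= s->min) return false;                /* no data area */
    if (s->next < s->min || s->next >= s->max) return false;
    if (s->stop < s->min || s->stop >= s->max) return false;
    return true;
}

/* Words available, computed from the validated shadows only (handles wrap). */
uint32_t fifo_length(const FifoShadow *s)
{
    int32_t num = (int32_t)(s->stop - s->next);
    if (num < 0) num += (int32_t)(s->max - s->min);
    return (uint32_t)num / 4u;
}

/* Pop one word; the index comes from the shadow, never re-read from RAM. */
static uint32_t fifo_read(const GuestFifo *f, FifoShadow *s)
{
    uint32_t v = f->ram[s->next / 4u];
    s->next += 4u;
    if (s->next == s->max) s->next = s->min;
    return v;
}

/* One pass: consume at most MAX_CMDS_PER_RUN one-word commands, then
 * publish the new read pointer once. Returns commands consumed, or -1 if
 * the guest-supplied pointers were rejected; *sum accumulates opcodes. */
int fifo_run(GuestFifo *f, uint32_t *sum)
{
    FifoShadow s;
    if (!fifo_snapshot(f, &s)) return -1;
    int n = 0;
    while (n < (int)MAX_CMDS_PER_RUN && fifo_length(&s) > 0) {
        *sum += fifo_read(f, &s);
        n++;
    }
    f->ram[F_NEXT] = s.next;      /* the next pass resumes from here */
    return n;
}

/* Constructed test layout: registers in words 0-3, then ncmds commands. */
static void fifo_setup(GuestFifo *f, uint32_t ncmds, uint32_t opcode)
{
    memset(f, 0, sizeof *f);
    f->ram[F_MIN] = f->ram[F_NEXT] = FIFO_HDR_BYTES;
    f->ram[F_MAX] = FIFO_BYTES;
    f->ram[F_STOP] = FIFO_HDR_BYTES + ncmds * 4u;
    for (uint32_t i = 0; i < ncmds; i++) f->ram[FIFO_HDR_BYTES / 4u + i] = opcode;
}

/* Three commands with opcodes 1, 2, 3: returns consumed*1000 + sum = 3006. */
int scenario_small(void)
{
    GuestFifo f; uint32_t sum = 0;
    fifo_setup(&f, 3, 0);
    f.ram[4] = 1; f.ram[5] = 2; f.ram[6] = 3;
    int n = fifo_run(&f, &sum);
    return n * 1000 + (int)sum;
}

/* 1500 queued commands: the first pass stops at 1024, the second drains
 * the remaining 476. Returns first*10000 + second = 10240476. */
int scenario_capped(void)
{
    GuestFifo f; uint32_t sum = 0;
    fifo_setup(&f, 1500, 7);
    int first = fifo_run(&f, &sum);
    return first * 10000 + fifo_run(&f, &sum);
}

/* Guest points 'max' past the end of the buffer: the pass is refused (-1). */
int scenario_bad_max(void)
{
    GuestFifo f; uint32_t sum = 0;
    fifo_setup(&f, 3, 1);
    f.ram[F_MAX] = FIFO_BYTES + 4u;
    return fifo_run(&f, &sum);
}
```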


  Commit: 510531ea442a02048b1837fcf574d03559b38c9e
      https://github.com/qemu/qemu/commit/510531ea442a02048b1837fcf574d03559b38c9e
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M io/channel-websock.c

  Log Message:
  -----------
  io: remove mistaken call to object_ref on QTask

The QTask struct is just a standalone struct, not a QOM Object,
so calling object_ref() on it is not appropriate. This results
in mangling the 'destroy' field in the QTask struct, causing
the later call to qtask_free() to try to call the function
at address 0x1, with predictably segfault happy results.

There is in fact no need for ref counting with QTask, as the
call to qtask_abort() or qtask_complete() will automatically
free associated memory.

This fixes the crash shown in

  https://bugs.launchpad.net/qemu/+bug/1589923

Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>
(cherry picked from commit bc35d51077b33e68a0ab10a057f352747214223f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d1911a6fa798555ed1500ee75245882a76c0c948
      https://github.com/qemu/qemu/commit/d1911a6fa798555ed1500ee75245882a76c0c948
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M ui/vnc.c

  Log Message:
  -----------
  ui: fix regression in printing VNC host/port on startup

If VNC is chosen as the compile time default display backend,
QEMU will print the host/port it listens on at startup.
Previously this would look like

  VNC server running on '::1:5900'

but in 04d2529da27db512dcbd5e99d0e26d333f16efcc the ':' was
accidentally replaced with a ';'. This puts the ':' back.

Reported-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 83cf07b0b577bde1afe1329d25bbcc762966e637)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 45f4e4be096950baaa8f87e01d39e19a4f3cdaef
      
https://github.com/qemu/qemu/commit/45f4e4be096950baaa8f87e01d39e19a4f3cdaef
  Author: Peter Lieven <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M net/net.c

  Log Message:
  -----------
  net: fix qemu_announce_self not emitting packets

commit fefe2a78 accidentally dropped the code path for injecting
raw packets. This feature is needed for sending gratuitous ARPs
after an incoming migration has completed. The result is increased
network downtime for vservers where the network card is not virtio-net
with the VIRTIO_NET_F_GUEST_ANNOUNCE feature.

Fixes: fefe2a78abde932e0f340b21bded2c86def1d242
Cc: address@hidden
Cc: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit ca1ee3d6b546e841a1b9db413eb8fa09f13a061b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 683c1c5ea54e3f16a29429a6cc7cada5a1763d1c
      
https://github.com/qemu/qemu/commit/683c1c5ea54e3f16a29429a6cc7cada5a1763d1c
  Author: Kevin Wolf <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M block/backup.c

  Log Message:
  -----------
  backup: Don't leak BackupBlockJob in error path

Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Max Reitz <address@hidden>
Reviewed-by: Alberto Garcia <address@hidden>
(cherry picked from commit 91ab68837933232bcef99da7c968e6d41900419b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4bfe16ba7b518e434dc4eb7a22a664cb35ca3b7a
      
https://github.com/qemu/qemu/commit/4bfe16ba7b518e434dc4eb7a22a664cb35ca3b7a
  Author: Max Reitz <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M block/qcow2-cluster.c

  Log Message:
  -----------
  qcow2: Avoid making the L1 table too big

We refuse to open images whose L1 table we deem "too big". Consequently,
we should not produce such images ourselves.

Cc: address@hidden
Signed-off-by: Max Reitz <address@hidden>
Message-id: address@hidden
Reviewed-by: Eric Blake <address@hidden>
[mreitz: Added QEMU_BUILD_BUG_ON()]
Signed-off-by: Max Reitz <address@hidden>

(cherry picked from commit 84c26520d3c1c9ff4a10455748139463278816d5)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a50bb5fd5f5ff6f6bbb8bfbd7086e1bafcc20c04
      
https://github.com/qemu/qemu/commit/a50bb5fd5f5ff6f6bbb8bfbd7086e1bafcc20c04
  Author: Eric Blake <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M scripts/qapi-visit.py
    M tests/test-qmp-input-visitor.c

  Log Message:
  -----------
  qapi: Fix crash on missing alternate member of QAPI struct

If a QAPI struct has a mandatory alternate member which is not
present on input, the input visitor reports an error for the
missing alternate without setting the discriminator, but the
cleanup code for the struct still tries to use the dealloc
visitor to clean up the alternate.

Commit dbf11922 changed visit_start_alternate to set *obj to NULL
when an error occurs, where it was previously left untouched.
Thus, before the patch, the dealloc visitor is blindly trying to
cleanup whatever branch corresponds to (*obj)->type == 0 (that is,
QTYPE_NONE, because *obj still pointed to zeroed memory), which
selects the default branch of the switch and sets an error, but
this second error is ignored by the way the dealloc visitor is
used; but after the patch, the attempt to switch dereferences NULL.

When cleaning up after a partial object parse, we specifically
check for !*obj after visit_start_struct() (see gen_visit_object());
doing the same for alternates fixes the crash. Enhance the testsuite
to give coverage for both missing struct and missing alternate
members.

Also add an abort - we expect visit_start_alternate() to either set an
error or to set (*obj)->type to a valid QType that corresponds to
actual user input, and QTYPE_NONE should never be reachable from valid
input.  Had the abort() been in place earlier, we might have noticed
the dealloc visitor dereferencing bogus zeroed memory prior to when
commit dbf11922 forced our hand by setting *obj to NULL and causing a
fault.

Test case:

{'execute':'blockdev-add', 'arguments':{'options':{'driver':'raw'}}}

The choice of 'driver':'raw' selects a BlockdevOptionsGenericFormat
struct, which has a mandatory 'file':'BlockdevRef' in QAPI.  Since
'file' is missing as a sibling of 'driver', this should report a
graceful error rather than fault.  After this patch, we are back to:

{"error": {"class": "GenericError", "desc": "Parameter 'file' is missing"}}

Generated code in qapi-visit.c changes as:

|@@ -2444,6 +2444,9 @@ void visit_type_BlockdevRef(Visitor *v,
|     if (err) {
|         goto out;
|     }
|+    if (!*obj) {
|+        goto out_obj;
|+    }
|     switch ((*obj)->type) {
|     case QTYPE_QDICT:
|         visit_start_struct(v, name, NULL, 0, &err);
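Review bot: the new `if (!*obj) goto out_obj;` only matters on the non-error path, since the `if (err) goto out;` directly above already leaves when visit_start_alternate() failed; its purpose is the case the message describes, where the dealloc visitor is run over an alternate whose pointer the input visitor already set to NULL. A one-line comment emitted by the generator at this point would stop the next reader from assuming the two checks are redundant and deleting one.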
|@@ -2459,10 +2462,13 @@ void visit_type_BlockdevRef(Visitor *v,
|     case QTYPE_QSTRING:
|         visit_type_str(v, name, &(*obj)->u.reference, &err);
|         break;
|+    case QTYPE_NONE:
|+        abort();
|     default:
|         error_setg(&err, QERR_INVALID_PARAMETER_TYPE, name ? name : "null",
|                    "BlockdevRef");
|     }
|+out_obj:
|     visit_end_alternate(v);
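Review bot: `case QTYPE_NONE: abort();` encodes an invariant (visit_start_alternate() either sets err or a valid (*obj)->type) that is not visible in the generated code, so a bare abort() reads like an unhandled enum value; have the generator emit a comment naming the invariant, or use g_assert_not_reached() for the same effect with a clearer intent. Also worth a comment: the `default:` error path falls through to the same `out_obj:` label that the NULL check jumps to, so visit_end_alternate() runs for every exit except the `goto out` on start failure, which is the intended pairing.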

Reported by Kashyap Chamarthy <address@hidden>
CC: address@hidden
Signed-off-by: Eric Blake <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Tested-by: Kashyap Chamarthy <address@hidden>
[Commit message tweaked]
Signed-off-by: Markus Armbruster <address@hidden>

(cherry picked from commit 9b4e38fe6a35890bb1d995316d7be08de0b30ee5)
Conflicts:
        tests/test-qmp-input-visitor.c

* removed contextual/functional dependencies on 68ab47e

Signed-off-by: Michael Roth <address@hidden>


  Commit: 4f696c85331ce19d3d2af29519e21a45192d3200
      
https://github.com/qemu/qemu/commit/4f696c85331ce19d3d2af29519e21a45192d3200
  Author: Lin Ma <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/i386/kvm/pci-assign.c
    M hw/i386/pci-assign-load-rom.c

  Log Message:
  -----------
  pci-assign: Move "Invalid ROM" error message to pci-assign-load-rom.c

In function pci_assign_dev_load_option_rom, for those PCI devices that don't
have a 'rom' file under sysfs, or when loading the ROM from an external file, the
function returns NULL and won't set the passed 'size' variable.

In these 2 cases, qemu still reports the "Invalid ROM" error message; users
may be confused by it.

Signed-off-by: Lin Ma <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit be968c721ee9df49708691ab58f0e66b394dea82)
Signed-off-by: Michael Roth <address@hidden>


  Commit: e19b9ad27ca65bbb8743fda22e4815dfa311f4e2
      
https://github.com/qemu/qemu/commit/e19b9ad27ca65bbb8743fda22e4815dfa311f4e2
  Author: Alex Williamson <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/vfio/pci-quirks.c
    M hw/vfio/pci.h

  Log Message:
  -----------
  vfio/pci: Fix VGA quirks

Commit 2d82f8a3cdb2 ("vfio/pci: Convert all MemoryRegion to dynamic
alloc and consistent functions") converted VFIOPCIDevice.vga to be
dynamically allocated, negating the need for VFIOPCIDevice.has_vga.
Unfortunately not all of the has_vga users were converted, nor was
the field removed from the structure.  Correct these oversights.

Reported-by: Peter Maloney <address@hidden>
Tested-by: Peter Maloney <address@hidden>
Fixes: 2d82f8a3cdb2 ("vfio/pci: Convert all MemoryRegion to dynamic alloc and consistent functions")
Fixes: https://bugs.launchpad.net/qemu/+bug/1591628
Cc: address@hidden
Signed-off-by: Alex Williamson <address@hidden>
(cherry picked from commit 4d3fc4fdc6857e33346ed58ae55870f59391ee71)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ab2aac59e8cc7172800864a28f2386d780a08016
      
https://github.com/qemu/qemu/commit/ab2aac59e8cc7172800864a28f2386d780a08016
  Author: Eric Blake <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M block/nbd-client.c
    M include/block/nbd.h

  Log Message:
  -----------
  nbd: Allow larger requests

The NBD layer was breaking up requests at a limit of 2040 sectors
(just under 1M) to cater to old qemu-nbd. But the server limit
was raised to 32M in commit 2d8214885 to match the kernel, more
than three years ago; and the upstream NBD Protocol is proposing
documentation that without any explicit communication to state
otherwise, a client should be able to safely assume that a 32M
transaction will work.  It is time to rely on the larger sizing,
and any downstream distro that cares about maximum
interoperability to older qemu-nbd servers can just tweak the
value of #define NBD_MAX_SECTORS.

Signed-off-by: Eric Blake <address@hidden>
Reviewed-by: Kevin Wolf <address@hidden>
Acked-by: Paolo Bonzini <address@hidden>
Cc: address@hidden
Reviewed-by: Fam Zheng <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>

(cherry picked from commit 476b923c32ece0e268580776aaf1fab4ab4459a8)
Conflicts:
        include/block/nbd.h

* removed context dependency on 943cec86

Signed-off-by: Michael Roth <address@hidden>


  Commit: c9fb07ba56ae4d8f4eaa6e461179017624b23355
      
https://github.com/qemu/qemu/commit/c9fb07ba56ae4d8f4eaa6e461179017624b23355
  Author: Fam Zheng <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/scsi/scsi-generic.c

  Log Message:
  -----------
  scsi-generic: Merge block max xfer len in INQUIRY response

The rationale is similar to the above mode sense response interception:
this is practically the only channel to communicate restraints from
elsewhere such as host and block driver.

The scsi bus we attach onto can have a larger max xfer len than what is
accepted by the host file system (guarding between the host scsi LUN and
QEMU), in which case the SG_IO we generate would get -EINVAL.

Signed-off-by: Fam Zheng <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 063143d5b1fde0fdcbae30bc7d6d14e76fa607d2)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 44152ece75c5d5631349e44fbd8defe9ef0b3769
      
https://github.com/qemu/qemu/commit/44152ece75c5d5631349e44fbd8defe9ef0b3769
  Author: Eric Blake <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/scsi/scsi-generic.c

  Log Message:
  -----------
  scsi: Advertise limits by blocksize, not 512

s->blocksize may be larger than 512, in which case our
tweaks to max_xfer_len and opt_xfer_len must be scaled
appropriately.

CC: address@hidden
Reported-by: Fam Zheng <address@hidden>
Signed-off-by: Eric Blake <address@hidden>
Reviewed-by: Fam Zheng <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit efaf4781a995aacd22b1dd521b14e4644bafae14)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9566ceeef41ccb5241d340b34776a33450e8f9e5
      
https://github.com/qemu/qemu/commit/9566ceeef41ccb5241d340b34776a33450e8f9e5
  Author: Artyom Tarasenko <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M target-sparc/translate.c

  Log Message:
  -----------
  target-sparc: fix register corruption in ldstub if there is no write permission

Signed-off-by: Artyom Tarasenko <address@hidden>
Reviewed-by: Richard Henderson <address@hidden>
Signed-off-by: Mark Cave-Ayland <address@hidden>
(cherry picked from commit b64d2e57e704edbb56ae969de864292dd38379bf)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 909d87d347a7a5e08c32cbdb67bb2927fcefbf34
      
https://github.com/qemu/qemu/commit/909d87d347a7a5e08c32cbdb67bb2927fcefbf34
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: set low features early on load

virtio migrates the low 32 feature bits twice, the first copy is there
for compatibility but ever since
019a3edbb25f1571e876f8af1ce4c55412939e5d: ("virtio: make features 64bit
wide") it's ignored on load. This is wrong since virtio_net_load tests
self announcement and guest offloads before the second copy including
high feature bits is loaded.  This means that self announcement, control
vq and guest offloads are all broken after migration.

Fix it up by loading low feature bits: somewhat ugly since high and low
bits become out of sync temporarily, but seems unavoidable for
compatibility.  The right thing to do for new features is probably to
test the host features, anyway.

Fixes: 019a3edbb25f1571e876f8af1ce4c55412939e5d
    ("virtio: make features 64bit wide")
Cc: address@hidden
Reported-by: Robin Geuze <address@hidden>
Tested-by: Robin Geuze <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>

(cherry picked from commit 62cee1a28aada2cce4b0e1fb835d8fc830aed7ac)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 82c85167791f0057752c2084f8480bf19401f314
      
https://github.com/qemu/qemu/commit/82c85167791f0057752c2084f8480bf19401f314
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  Revert "virtio-net: unbreak self announcement and guest offloads after migration"

This reverts commit 1f8828ef573c83365b4a87a776daf8bcef1caa21.

Cc: address@hidden
Reported-by: Robin Geuze <address@hidden>
Tested-by: Robin Geuze <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 6c6668232e71b7cf7ff39fa1a7abf660c40f9cea)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 025c4e39f479eb498ee63b634d961a4cf357773e
      
https://github.com/qemu/qemu/commit/025c4e39f479eb498ee63b634d961a4cf357773e
  Author: David Hildenbrand <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/s390x/ipl.c
    M hw/s390x/ipl.h

  Log Message:
  -----------
  s390x/ipl: fix reboots for migration from different bios

When migrating from a different QEMU version, the start_address and
bios_start_address may differ. During migration these values are migrated
and overwrite the values that were detected by QEMU itself.

On a reboot, QEMU will reload its own BIOS, but use the migrated start
addresses, which does not work if the values differ.

Fix this by not relying on the migrated values anymore, but still
provide them during migration, so existing QEMUs continue to work.

Signed-off-by: David Hildenbrand <address@hidden>
Cc: address@hidden
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit bb0995468a39f14077ceaa8ed5afdca849f00c7c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 704ab2fce49fa404a61c6dac85003bcc1e3d0192
      
https://github.com/qemu/qemu/commit/704ab2fce49fa404a61c6dac85003bcc1e3d0192
  Author: Alberto Garcia <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M blockdev.c

  Log Message:
  -----------
  blockdev: Fix regression with the default naming of throttling groups

When I/O limits are set for a block device, the name of the throttling
group is taken from the BlockBackend if the user doesn't specify one.

Commit efaa7c4eeb7490c6f37f3 moved the naming of the BlockBackend in
blockdev_init() to the end of the function, after I/O limits are set.
The consequence is that the throttling group gets an empty name.

Signed-off-by: Alberto Garcia <address@hidden>
Reported-by: Stefan Hajnoczi <address@hidden>
Cc: Max Reitz <address@hidden>
Cc: address@hidden
* backport of ff356ee
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8d7d7764d59845b64c0dbffec33e186abfa89d83
      
https://github.com/qemu/qemu/commit/8d7d7764d59845b64c0dbffec33e186abfa89d83
  Author: Alberto Garcia <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M tests/qemu-iotests/093
    M tests/qemu-iotests/093.out

  Log Message:
  -----------
  qemu-iotests: Test naming of throttling groups

Throttling groups are named using the 'group' parameter of the
block_set_io_throttle command and the throttling.group command-line
option. If that parameter is unspecified the groups get the name of
the block device.

This patch adds a new test to check the naming of throttling groups.

Signed-off-by: Alberto Garcia <address@hidden>
* backport of 435d5ee
Signed-off-by: Michael Roth <address@hidden>


  Commit: b6ece2c6f37926a994bc564a9e55ef3be6016d8f
      
https://github.com/qemu/qemu/commit/b6ece2c6f37926a994bc564a9e55ef3be6016d8f
  Author: Fam Zheng <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M include/qemu/osdep.h

  Log Message:
  -----------
  util: Fix MIN_NON_ZERO

MIN_NON_ZERO(1, 0) is evaluated to 0. Rewrite the macro to fix it.

Reported-by: Miroslav Rezanina <address@hidden>
Signed-off-by: Fam Zheng <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit d27ba624aa1dfe5c07cc01200d95967ffce905d9)
Signed-off-by: Michael Roth <address@hidden>
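
The edge case named in the commit message, MIN_NON_ZERO(1, 0) evaluating to 0, shown as an added example in C (not QEMU's osdep.h): a buggy macro shape next to a corrected one, plus an exhaustive comparison against a reference function over a small domain. The buggy form is an assumption about how a "min of the non-zero operands" macro goes wrong when only one operand is tested for zero; it is not copied from the page, and the names MIN_NON_ZERO_BUGGY, MIN_NON_ZERO_FIXED and count_mismatches are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not QEMU's code. */
#define MIN(a, b) (((a) < (b)) ? (a) : (b))

/* Buggy shape (assumed): only 'a' is tested for zero, so when b == 0 and
 * a != 0 the comparison a < b fails and b (i.e. 0) is returned. */
#define MIN_NON_ZERO_BUGGY(a, b) (((a) != 0 && (a) < (b)) ? (a) : (b))

/* Fixed shape: either operand may be zero, and zero never wins over a
 * non-zero value; only MIN_NON_ZERO(0, 0) is 0. */
#define MIN_NON_ZERO_FIXED(a, b) ((a) == 0 ? (b) : ((b) == 0 ? (a) : MIN(a, b)))

/* Reference semantics written out as a function. */
static unsigned int min_non_zero_ref(unsigned int a, unsigned int b)
{
    if (a == 0) {
        return b;
    }
    if (b == 0) {
        return a;
    }
    return a < b ? a : b;
}

/* Thin wrappers so the macros can be passed around as function pointers. */
static unsigned int min_non_zero_buggy(unsigned int a, unsigned int b)
{
    return MIN_NON_ZERO_BUGGY(a, b);
}

static unsigned int min_non_zero_fixed(unsigned int a, unsigned int b)
{
    return MIN_NON_ZERO_FIXED(a, b);
}

/* Compare a candidate against the reference for every (a, b) in [0, limit)^2.
 * Returns the number of disagreeing pairs; 0 means the candidate is right
 * on that domain. */
static unsigned int count_mismatches(unsigned int (*fn)(unsigned int, unsigned int),
                                     unsigned int limit)
{
    unsigned int bad = 0;
    for (unsigned int a = 0; a < limit; a++) {
        for (unsigned int b = 0; b < limit; b++) {
            if (fn(a, b) != min_non_zero_ref(a, b)) {
                bad++;
            }
        }
    }
    return bad;
}

int main(void)
{
    printf("MIN_NON_ZERO_BUGGY(1, 0) = %u\n", min_non_zero_buggy(1, 0));
    printf("MIN_NON_ZERO_FIXED(1, 0) = %u\n", min_non_zero_fixed(1, 0));
    printf("buggy mismatches on [0,16)^2: %u\n", count_mismatches(min_non_zero_buggy, 16));
    printf("fixed mismatches on [0,16)^2: %u\n", count_mismatches(min_non_zero_fixed, 16));
    return 0;
}
```

Every mismatch the sweep finds for the buggy form has b == 0 and a != 0, which is exactly the shape of the reported input; a macro that feeds block-layer limits (where 0 conventionally means "no limit") must never turn a real limit into "unlimited".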


  Commit: 5634eb8ffb935045a6dd7e517eec5b838b6bc3e6
      
https://github.com/qemu/qemu/commit/5634eb8ffb935045a6dd7e517eec5b838b6bc3e6
  Author: Peter Lieven <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M block/iscsi.c

  Log Message:
  -----------
  block/iscsi: fix rounding in iscsi_allocationmap_set

When setting clusters as allocated the boundaries have
to be expanded. As Paolo pointed out the calculation of
the number of clusters is wrong:

Suppose cluster_sectors is 2, sector_num = 1, nb_sectors = 6:

In the "mark allocated" case, you want to set 0..8, i.e.
cluster_num=0, nb_clusters=4.

   0--.--2--.--4--.--6--.--8
   <--|_________________|-->  (<--> = expanded)

Instead you are setting nb_clusters=3, so that 6..8 is not marked.

   0--.--2--.--4--.--6--.--8
   <--|______________|!!!     (! = wrong)

Cc: address@hidden
Reported-by: Paolo Bonzini <address@hidden>
Signed-off-by: Peter Lieven <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit eb36b953e0ebf4129b188a241fbc367062ac2e06)
Signed-off-by: Michael Roth <address@hidden>
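
The cluster arithmetic from the example above (cluster_sectors = 2, sector_num = 1, nb_sectors = 6), carried through as an added C example that is not block/iscsi.c's code: the wrong form rounds the length up on its own, the corrected form rounds the absolute end sector up and subtracts the rounded-down start, and a coverage check sweeps small inputs to show that only the corrected form always covers the whole request. The struct cluster_range and the helpers expand_buggy, expand_allocated, covers and covers_all are hypothetical names; the buggy form's exact shape is an assumption consistent with the nb_clusters=3 result the message reports.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU's code. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

typedef struct {
    int64_t cluster_num;  /* first cluster of the range */
    int64_t nb_clusters;  /* number of clusters in the range */
} cluster_range;

/* Wrong form (assumed): rounds nb_sectors up by itself, ignoring where
 * sector_num sits inside its first cluster. For (1, 6, 2) this yields
 * clusters 0..3 and leaves sectors 6..8 unmarked. */
static cluster_range expand_buggy(int64_t sector_num, int nb_sectors, int64_t cluster_sectors)
{
    cluster_range r;
    r.cluster_num = sector_num / cluster_sectors;
    r.nb_clusters = DIV_ROUND_UP(nb_sectors, cluster_sectors);
    return r;
}

/* Corrected form for the "mark allocated" case: start rounds down, the
 * absolute end sector rounds up, so the range can only grow outwards. */
static cluster_range expand_allocated(int64_t sector_num, int nb_sectors, int64_t cluster_sectors)
{
    cluster_range r;
    int64_t first = sector_num / cluster_sectors;
    int64_t end = DIV_ROUND_UP(sector_num + nb_sectors, cluster_sectors);
    r.cluster_num = first;
    r.nb_clusters = end - first;
    return r;
}

/* Does the cluster range cover every sector of [sector_num, sector_num + nb_sectors)? */
static bool covers(cluster_range r, int64_t sector_num, int nb_sectors, int64_t cluster_sectors)
{
    int64_t start = r.cluster_num * cluster_sectors;
    int64_t end = (r.cluster_num + r.nb_clusters) * cluster_sectors;
    return start <= sector_num && end >= sector_num + nb_sectors;
}

/* Sweep every sector_num in [0, limit) and nb_sectors in [1, limit).
 * Returns true only if fn covers all of them. */
static bool covers_all(cluster_range (*fn)(int64_t, int, int64_t),
                       int64_t cluster_sectors, int limit)
{
    for (int64_t s = 0; s < limit; s++) {
        for (int n = 1; n < limit; n++) {
            if (!covers(fn(s, n, cluster_sectors), s, n, cluster_sectors)) {
                return false;
            }
        }
    }
    return true;
}

int main(void)
{
    cluster_range bad = expand_buggy(1, 6, 2);
    cluster_range good = expand_allocated(1, 6, 2);
    printf("buggy:  cluster_num=%" PRId64 " nb_clusters=%" PRId64 " covers=%d\n",
           bad.cluster_num, bad.nb_clusters, covers(bad, 1, 6, 2));
    printf("fixed:  cluster_num=%" PRId64 " nb_clusters=%" PRId64 " covers=%d\n",
           good.cluster_num, good.nb_clusters, covers(good, 1, 6, 2));
    printf("sweep cluster_sectors=2: buggy=%d fixed=%d\n",
           covers_all(expand_buggy, 2, 16), covers_all(expand_allocated, 2, 16));
    return 0;
}
```

The sweep is the check worth keeping around: a rounding helper that maps sector ranges onto cluster ranges should be tested with a start offset that is not cluster-aligned, because aligned starts hide exactly this class of off-by-one.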


  Commit: 28eae0af65dcae887d3cd32212c702ee708c84be
      
https://github.com/qemu/qemu/commit/28eae0af65dcae887d3cd32212c702ee708c84be
  Author: Stefan Weil <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M audio/mixeng.c
    M audio/ossaudio.c
    M contrib/ivshmem-server/ivshmem-server.h
    M docs/specs/rocker.txt
    M docs/throttle.txt
    M hw/i2c/imx_i2c.c
    M hw/net/vmxnet3.c
    M hw/pci/msi.c
    M hw/pci/pci_bridge.c
    M hw/scsi/spapr_vscsi.c
    M hw/scsi/vmw_pvscsi.c
    M hw/timer/a9gtimer.c
    M hw/timer/aspeed_timer.c
    M include/crypto/random.h
    M include/hw/xen/xen_common.h
    M include/io/task.h
    M include/qemu/osdep.h
    M kvm-all.c
    M migration/migration.c
    M migration/ram.c
    M nbd/client.c
    M qga/channel-win32.c
    M qga/commands.c
    M scripts/checkpatch.pl
    M slirp/socket.c
    M target-cris/translate.c
    M target-cris/translate_v10.c
    M target-i386/cpu.c
    M target-i386/cpu.h
    M target-mips/op_helper.c
    M target-tricore/translate.c
    M tcg/README
    M tests/tcg/cris/check_addo.c
    M trace/simple.c
    M ui/cocoa.m
    M util/timed-average.c

  Log Message:
  -----------
  Fix some typos found by codespell

Signed-off-by: Stefan Weil <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Michael Tokarev <address@hidden>
(cherry picked from commit cb8d4c8f54b8271f642f02382eec29d468bb1c77)
* context prereq for 2cb34749
Signed-off-by: Michael Roth <address@hidden>


  Commit: ce00e529bc4039907321e24b402c4c2aa92ab750
      
https://github.com/qemu/qemu/commit/ce00e529bc4039907321e24b402c4c2aa92ab750
  Author: Eric Blake <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M nbd/client.c
    M nbd/server.c

  Log Message:
  -----------
  nbd: More debug typo fixes, use correct formats

Clean up some debug message oddities missed earlier; this includes
some typos, and recognizing that %d is not necessarily compatible
with uint32_t. Also add a couple messages that I found useful
while debugging things.

Signed-off-by: Eric Blake <address@hidden>

Message-Id: <address@hidden>
[Do not use PRIx16, clang complains. - Paolo]
Signed-off-by: Paolo Bonzini <address@hidden>

(cherry picked from commit 2cb347493c5a0c3634dc13942ba65fdcefbcd34b)
* context prereq for 7423f41
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2317b328bc599458b9b40afb77cc7f42edbf41fd
      
https://github.com/qemu/qemu/commit/2317b328bc599458b9b40afb77cc7f42edbf41fd
  Author: Peter Maydell <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M nbd/client.c
    M nbd/server.c
    M qemu-nbd.c

  Log Message:
  -----------
  nbd: Don't use *_to_cpup() functions

The *_to_cpup() functions are not very useful, as they simply do
a pointer dereference and then a *_to_cpu(). Instead use either:
 * ld*_*_p(), if the data is at an address that might not be
   correctly aligned for the load
 * a local dereference and *_to_cpu(), if the pointer is
   the correct type and known to be correctly aligned

Signed-off-by: Peter Maydell <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 773dce3c7286a66c37f7b07994177faf7046bfa8)
* context prereq for 7423f417
Signed-off-by: Michael Roth <address@hidden>


  Commit: 97b5a97f2feeea89b07b3a8395c326b351227d28
      
https://github.com/qemu/qemu/commit/97b5a97f2feeea89b07b3a8395c326b351227d28
  Author: Eric Blake <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M block/nbd-client.h
    M include/block/nbd.h
    M nbd/client.c
    M nbd/server.c
    M qemu-nbd.c

  Log Message:
  -----------
  nbd: Limit nbdflags to 16 bits

Rather than asserting that nbdflags is within range, just give
it the correct type to begin with :)  nbdflags corresponds to
the per-export portion of NBD Protocol "transmission flags", which
is 16 bits in response to NBD_OPT_EXPORT_NAME and NBD_OPT_GO.

Furthermore, upstream NBD has never passed the global flags to
the kernel via ioctl(NBD_SET_FLAGS) (the ioctl was first
introduced in NBD 2.9.22; then a latent bug in NBD 3.1 actually
tried to OR the global flags with the transmission flags, with
the disaster that the addition of NBD_FLAG_NO_ZEROES in 3.9
caused all earlier NBD 3.x clients to treat every export as
read-only; NBD 3.10 and later intentionally clip things to 16
bits to pass only transmission flags).  Qemu should follow suit,
since the current two global flags (NBD_FLAG_FIXED_NEWSTYLE
and NBD_FLAG_NO_ZEROES) have no impact on the kernel's behavior
during transmission.

CC: address@hidden
Signed-off-by: Eric Blake <address@hidden>

Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 7423f417827146f956df820f172d0bf80a489495)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a87cef825ac9422ba69d48e85571065074c8ccdf
      
https://github.com/qemu/qemu/commit/a87cef825ac9422ba69d48e85571065074c8ccdf
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/pci/pci.c
    M hw/pci/pcie.c
    M include/hw/compat.h
    M include/hw/pci/pci.h

  Log Message:
  -----------
  pcie: fix link active status bit migration

We changed link status register in pci express endpoint capability
over time. Specifically,

commit b2101eae63ea57b571cee4a9075a4287d24ba4a4 ("pcie: Set the "link
active" in the link status register") set data link layer link active
bit in this register without adding compatibility to old machine types.

When migrating from qemu 2.3 and older this affects xhci devices which
under machine type 2.0 and older have a pci express endpoint capability
even if they are on a pci bus.

Add compatibility flags to make this bit value match what it was under
2.3.

Additionally, to avoid breaking migration from qemu 2.3 and up,
suppress checking link status during migration: this seems sane
since hardware can change link status at any time.

https://bugzilla.redhat.com/show_bug.cgi?id=1352860

Reported-by: Gerd Hoffmann <address@hidden>
Fixes: b2101eae63ea57b571cee4a9075a4287d24ba4a4
    ("pcie: Set the "link active" in the link status register")
Cc: address@hidden
Cc: Benjamin Herrenschmidt <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>

(cherry picked from commit 6b4495401bdf442457b713b7e3994b465c55af35)
Conflicts:
        hw/pci/pcie.c

* removed functional dependency on 6383292

Signed-off-by: Michael Roth <address@hidden>


  Commit: 502c8e86ea07294067578292c6d402601c196019
      
https://github.com/qemu/qemu/commit/502c8e86ea07294067578292c6d402601c196019
  Author: Dave Hansen <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M target-i386/translate.c

  Log Message:
  -----------
  target-i386: fix typo in xsetbv implementation

QEMU 2.6 added support for the XSAVE family of instructions, which
includes the XSETBV instruction which allows setting the XCR0
register.

But, when booting Linux kernels with XSAVE support enabled, I was
getting very early crashes where the instruction pointer was set
to 0x3.  I tracked it down to a jump instruction generated by this:
   gen_jmp_im(s->pc - pc_start);

where s->pc is pointing to the instruction after XSETBV and pc_start
is pointing _at_ XSETBV.  Subtract the two and you get 0x3.  Whoops.

The fix is to replace this typo with the pattern found everywhere
else in the file when folks want to end the translation buffer.

Richard Henderson confirmed that this is a bug and that this is the
correct fix.

Signed-off-by: Dave Hansen <address@hidden>
Cc: address@hidden
Cc: Eduardo Habkost <address@hidden>
Reviewed-by: Richard Henderson <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit ba03584f4f88082368b2562e515c3d60421b68ce)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 86cc089aa7251a6ce54e54458ed29a7867e69290
      
https://github.com/qemu/qemu/commit/86cc089aa7251a6ce54e54458ed29a7867e69290
  Author: Stefan Hajnoczi <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: error out if guest exceeds virtqueue size

A broken or malicious guest can submit more requests than the virtqueue
size permits, causing unbounded memory allocation in QEMU.

The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size.  This requires reusing
vring descriptors in more than one request, which is not allowed by the
VIRTIO 1.0 specification.

In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
says:

  1. The driver places the buffer into free descriptor(s) in the
     descriptor table, chaining as necessary

and

  Note that the above code does not take precautions against the
  available ring buffer wrapping around: this is not possible since the
  ring buffer is the same size as the descriptor table, so step (1) will
  prevent such a condition.

This implies that placing more buffers into the virtqueue than the
descriptor table size is not allowed.

QEMU is missing the check to prevent this case.  Processing a request
allocates a VirtQueueElement leading to unbounded memory allocation
controlled by the guest.

Exit with an error if the guest provides more requests than the
virtqueue size permits.  This bounds memory allocation and makes the
buggy guest visible to the user.

This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
Marvel Team, China.

Reported-by: Zhenhao Hong <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit afd9096eb1882f23929f5b5c177898ed231bac66)
Signed-off-by: Michael Roth <address@hidden>
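
The bound the fix introduces, shown as an added C example that is not QEMU's hw/virtio/virtio.c: a minimal model of one virtqueue's device-side bookkeeping with the guest's available index, the device's consumption pointer and an in-use count, enough to show that without a cap on popped-but-uncompleted elements the allocation count is whatever the guest chooses, and with the cap it can never exceed the queue size. The names vq_model, vq_pop, vq_push, guest_add_buf and run_without_completions are hypothetical; no descriptor table or guest memory is modelled, only the counts.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU's code. */
typedef struct {
    unsigned int num;        /* queue size: number of descriptors and ring slots */
    uint16_t avail_idx;      /* written by the guest driver: buffers made available */
    uint16_t last_avail_idx; /* device's consumption pointer into the avail ring */
    unsigned int inuse;      /* elements popped and not yet pushed back (completed) */
    bool enforce_limit;      /* true: the check the fix adds; false: old behaviour */
    bool broken;             /* set once the guest exceeded the queue size */
} vq_model;

static void vq_init(vq_model *vq, unsigned int num, bool enforce_limit)
{
    memset(vq, 0, sizeof(*vq));
    vq->num = num;
    vq->enforce_limit = enforce_limit;
}

/* Driver side: publish one more buffer. A spec-conforming driver can do this
 * at most num times without waiting for a completion, because it must place
 * each buffer in free descriptors; a broken or malicious driver simply keeps
 * bumping the index and reusing descriptors that are still in flight. */
static void guest_add_buf(vq_model *vq)
{
    vq->avail_idx++;
}

static bool vq_empty(const vq_model *vq)
{
    return vq->avail_idx == vq->last_avail_idx;
}

/* Device side: take the next available request. Each successful pop is the
 * point where QEMU allocates a VirtQueueElement, so inuse is the number of
 * live allocations the guest has caused. */
static bool vq_pop(vq_model *vq)
{
    if (vq->broken || vq_empty(vq)) {
        return false;
    }
    if (vq->enforce_limit && vq->inuse >= vq->num) {
        /* More outstanding requests than descriptors is impossible for a
         * conforming driver, so refuse and mark the queue broken instead of
         * allocating on the guest's command. */
        vq->broken = true;
        fprintf(stderr, "Virtqueue size exceeded (num=%u)\n", vq->num);
        return false;
    }
    vq->last_avail_idx++;
    vq->inuse++;
    return true;
}

/* Device side: return a completed element to the guest. */
static void vq_push(vq_model *vq)
{
    if (vq->inuse > 0) {
        vq->inuse--;
    }
}

/* Scenario: the guest publishes n buffers and the device pops until it is
 * refused or the ring runs dry; nothing completes in between. Returns the
 * number of elements left allocated. */
static unsigned int run_without_completions(unsigned int num, unsigned int n, bool enforce_limit)
{
    vq_model vq;
    vq_init(&vq, num, enforce_limit);
    for (unsigned int i = 0; i < n; i++) {
        guest_add_buf(&vq);
    }
    while (vq_pop(&vq)) {
        /* keep popping as long as the device accepts requests */
    }
    return vq.inuse;
}

int main(void)
{
    vq_model vq;
    printf("old behaviour, num=4, guest submits 64: inuse=%u\n",
           run_without_completions(4, 64, false));
    printf("with check,    num=4, guest submits 64: inuse=%u\n",
           run_without_completions(4, 64, true));
    /* Well-behaved traffic: completions free slots, so the cap never trips. */
    vq_init(&vq, 2, true);
    guest_add_buf(&vq);
    guest_add_buf(&vq);
    guest_add_buf(&vq);
    vq_pop(&vq);
    vq_pop(&vq);
    vq_push(&vq);
    printf("after one completion, third pop %s\n", vq_pop(&vq) ? "accepted" : "refused");
    return 0;
}
```

Two things to notice: the cap is on live allocations, not on the available index, so it is safe for fast guests that legitimately cycle through the ring many times; and the check marks the queue broken instead of silently dropping the request, which is what makes a misbehaving guest visible to the operator rather than just slower.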


  Commit: 16a87c4a5d146a9a862c6095a689ec58a6081294
      
https://github.com/qemu/qemu/commit/16a87c4a5d146a9a862c6095a689ec58a6081294
  Author: John Snow <address@hidden>
  Date:   2016-08-05 (Fri, 05 Aug 2016)

  Changed paths:
    M hw/ide/core.c

  Log Message:
  -----------
  ide: fix halted IO segfault at reset

If one attempts to perform a system_reset after a failed IO request
that causes the VM to enter a paused state, QEMU will segfault trying
to free up the pending IO requests.

These requests have already been completed and freed, though, so all
we need to do is NULL them before we enter the paused state.

Existing AHCI tests verify that halted requests are still resumed
successfully after a STOP event.

Analyzed-by: Laszlo Ersek <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
Signed-off-by: John Snow <address@hidden>
Message-id: address@hidden
Signed-off-by: John Snow <address@hidden>
(cherry picked from commit 87ac25fd1fed05a30a93d27dbeb2a4c4b83ec95f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ec211e742683d4bc187839b01a4b0056617681a1
      
https://github.com/qemu/qemu/commit/ec211e742683d4bc187839b01a4b0056617681a1
  Author: John Snow <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/ide/atapi.c

  Log Message:
  -----------
  atapi: fix halted DMA reset

Followup to 87ac25fd, this time for ATAPI DMA.

Reported-by: Paolo Bonzini <address@hidden>
Signed-off-by: John Snow <address@hidden>
Message-id: address@hidden
Acked-by: Paolo Bonzini <address@hidden>
Signed-off-by: John Snow <address@hidden>
(cherry picked from commit 7f951b2d7765f68ae1e563c2fed44071ca774790)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ff71767e069f26fa617047c38c8eb65673c8ad16
      
https://github.com/qemu/qemu/commit/ff71767e069f26fa617047c38c8eb65673c8ad16
  Author: Mark Cave-Ayland <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/ide/macio.c

  Log Message:
  -----------
  macio: set res_count value to 0 after non-block ATAPI DMA transfers

res_count should be set to the number of outstanding bytes after a DBDMA
request. Unfortunately this wasn't being set to zero by the non-block
transfer codepath meaning drivers that checked the descriptor result for
such requests (e.g. reading the CDROM TOC) would assume from a non-zero result
that the transfer had failed.

Signed-off-by: Mark Cave-Ayland <address@hidden>
Signed-off-by: David Gibson <address@hidden>

(cherry picked from commit 16275edb342342625cd7e7ac2048436474465b50)
Conflicts:
        hw/ide/macio.c

* removed context dependency on ddd495e5

Signed-off-by: Michael Roth <address@hidden>


  Commit: 3d34297e9c91c336af1f93e2b155770501241811
      
https://github.com/qemu/qemu/commit/3d34297e9c91c336af1f93e2b155770501241811
  Author: Marc-André Lureau <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/ide/ahci.c
    M hw/ide/core.c

  Log Message:
  -----------
  ahci: fix sglist leak on retry

ahci-test /x86_64/ahci/io/dma/lba28/retry triggers the following leak:

Direct leak of 16 byte(s) in 1 object(s) allocated from:
    #0 0x7fc4b2a25e20 in malloc (/lib64/libasan.so.3+0xc6e20)
    #1 0x7fc4993bce58 in g_malloc (/lib64/libglib-2.0.so.0+0x4ee58)
    #2 0x556a187d4b34 in ahci_populate_sglist hw/ide/ahci.c:896
    #3 0x556a187d8237 in ahci_dma_prepare_buf hw/ide/ahci.c:1367
    #4 0x556a187b5a1a in ide_dma_cb hw/ide/core.c:844
    #5 0x556a187d7eec in ahci_start_dma hw/ide/ahci.c:1333
    #6 0x556a187b650b in ide_start_dma hw/ide/core.c:921
    #7 0x556a187b61e6 in ide_sector_start_dma hw/ide/core.c:911
    #8 0x556a187b9e26 in cmd_write_dma hw/ide/core.c:1486
    #9 0x556a187bd519 in ide_exec_cmd hw/ide/core.c:2027
    #10 0x556a187d71c5 in handle_reg_h2d_fis hw/ide/ahci.c:1204
    #11 0x556a187d7681 in handle_cmd hw/ide/ahci.c:1254
    #12 0x556a187d168a in check_cmd hw/ide/ahci.c:510
    #13 0x556a187d0afc in ahci_port_write hw/ide/ahci.c:314
    #14 0x556a187d105d in ahci_mem_write hw/ide/ahci.c:435
    #15 0x556a1831d959 in memory_region_write_accessor /home/elmarco/src/qemu/memory.c:525
    #16 0x556a1831dc35 in access_with_adjusted_size /home/elmarco/src/qemu/memory.c:591
    #17 0x556a18323ce3 in memory_region_dispatch_write /home/elmarco/src/qemu/memory.c:1262
    #18 0x556a1828cf67 in address_space_write_continue /home/elmarco/src/qemu/exec.c:2578
    #19 0x556a1828d20b in address_space_write /home/elmarco/src/qemu/exec.c:2635
    #20 0x556a1828d92b in address_space_rw /home/elmarco/src/qemu/exec.c:2737
    #21 0x556a1828daf7 in cpu_physical_memory_rw /home/elmarco/src/qemu/exec.c:2746
    #22 0x556a183068d3 in cpu_physical_memory_write /home/elmarco/src/qemu/include/exec/cpu-common.h:72
    #23 0x556a18308194 in qtest_process_command /home/elmarco/src/qemu/qtest.c:382
    #24 0x556a18309999 in qtest_process_inbuf /home/elmarco/src/qemu/qtest.c:573
    #25 0x556a18309a4a in qtest_read /home/elmarco/src/qemu/qtest.c:585
    #26 0x556a18598b85 in qemu_chr_be_write_impl /home/elmarco/src/qemu/qemu-char.c:387
    #27 0x556a18598c52 in qemu_chr_be_write /home/elmarco/src/qemu/qemu-char.c:399
    #28 0x556a185a2afa in tcp_chr_read /home/elmarco/src/qemu/qemu-char.c:2902
    #29 0x556a18cbaf52 in qio_channel_fd_source_dispatch io/channel-watch.c:84

Follow John Snow's recommendation:
  Everywhere else ncq_err is used, it is accompanied by a list cleanup
  except for ncq_cb, which is the case you are fixing here.

  Move the sglist destruction inside of ncq_err and then delete it from
  the other two locations to keep it tidy.

  Call dma_buf_commit in ide_dma_cb after the early return. Though, this
  is also a little wonky because this routine does more than clear the
  list, but it is at the moment the centralized "we're done with the
  sglist" function and none of the other side effects that occur in
  dma_buf_commit will interfere with the reset that occurs from
  ide_restart_bh, I think

Signed-off-by: Marc-André Lureau <address@hidden>
Reviewed-by: John Snow <address@hidden>
(cherry picked from commit 5839df7b71540a2af2580bb53ad1e2005bb175e6)
Signed-off-by: Michael Roth <address@hidden>
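An added C example of the ownership rule John Snow describes above: one function (ncq_err) tears the sglist down, so the error and retry paths cannot skip it. This is not QEMU's hw/ide/ahci.c; the structures, the allocation counter and the retry harness are assumed for illustration, and only the names ncq_err, ncq_cb and sglist are taken from the message.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not QEMU's hw/ide/ahci.c. Structures, counter and harness
 * are assumed. live_sglists counts lists allocated but never destroyed,
 * which is what the ASan "Direct leak" report is measuring. */
static int live_sglists;

typedef struct {
    void *entries;      /* scatter/gather entries, one allocation per request */
    int   nsg;
} QEMUSGList;

typedef struct {
    QEMUSGList sglist;
    int        used;    /* a transfer is in flight */
    int        err;     /* last transfer failed; the retry re-issues it */
} NCQTransferState;

static void sglist_init(QEMUSGList *l, int nsg)
{
    l->entries = calloc((size_t)nsg, 16);
    l->nsg = nsg;
    live_sglists++;
}

static void sglist_destroy(QEMUSGList *l)
{
    if (l->entries) {
        free(l->entries);
        l->entries = NULL;
        l->nsg = 0;
        live_sglists--;
    }
}

/* After the fix: ncq_err is the one place that tears the list down, so
 * every path that flags an error also releases the sglist. */
static void ncq_err(NCQTransferState *ncq)
{
    ncq->err = 1;
    sglist_destroy(&ncq->sglist);
}

/* Completion callback: error hands off to ncq_err, success releases the
 * list here. Either way the retry starts from an empty list. */
static void ncq_cb(NCQTransferState *ncq, int ret)
{
    if (ret < 0) {
        ncq_err(ncq);
    } else {
        sglist_destroy(&ncq->sglist);
    }
    ncq->used = 0;
}

/* Pre-fix shape, kept for comparison: the error path returns with the list
 * still allocated and the retry's next sglist_init overwrites the pointer.
 * That allocation is the 16 bytes ASan reports. */
static void ncq_cb_leaky(NCQTransferState *ncq, int ret)
{
    if (ret < 0) {
        ncq->err = 1;
        ncq->used = 0;
        return;
    }
    sglist_destroy(&ncq->sglist);
    ncq->used = 0;
}

/* Harness: one request that fails 'failures' times, then succeeds. Returns
 * how many sglists are still live: 0 with ncq_cb, 'failures' with
 * ncq_cb_leaky. */
static int run_retries(void (*cb)(NCQTransferState *, int), int failures)
{
    NCQTransferState ncq;
    void *lost[16];     /* harness only: frees what the leaky path dropped */
    int i, nlost = 0, result;

    if (failures > 16) {
        failures = 16;
    }
    memset(&ncq, 0, sizeof ncq);
    live_sglists = 0;
    for (i = 0; i < failures; i++) {
        sglist_init(&ncq.sglist, 1);          /* ahci_populate_sglist */
        ncq.used = 1;
        if (cb == ncq_cb_leaky) {
            lost[nlost++] = ncq.sglist.entries;
        }
        cb(&ncq, -5);                         /* -EIO: takes the retry path */
    }
    sglist_init(&ncq.sglist, 1);
    ncq.used = 1;
    cb(&ncq, 0);                              /* the retry completes */
    result = live_sglists;
    for (i = 0; i < nlost; i++) {
        free(lost[i]);                        /* harness cleanup only */
    }
    return result;
}
```

run_retries(ncq_cb, 3) returns 0, run_retries(ncq_cb_leaky, 3) returns 3: the count of lost lists equals the number of retries, which is the shape of the leak the test above caught.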


  Commit: 94c8340d93793adbaf87abbfc6f519b5b6935020
      
https://github.com/qemu/qemu/commit/94c8340d93793adbaf87abbfc6f519b5b6935020
  Author: Marc-André Lureau <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/ide/ahci.c

  Log Message:
  -----------
  ahci: free irqs array

Each irq is referenced by the IDEBus in ide_init2(), thus we can free
the no longer used array.

Signed-off-by: Marc-André Lureau <address@hidden>
Reviewed-by: John Snow <address@hidden>
Acked-by: John Snow <address@hidden>
(cherry picked from commit 9d324b0e67c2b570df389c1361f591b95a4e4278)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0f9745afaab0f1768acada45ee8aee2acb91e378
      
https://github.com/qemu/qemu/commit/0f9745afaab0f1768acada45ee8aee2acb91e378
  Author: Cole Robinson <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M ui/gtk.c

  Log Message:
  -----------
  ui: gtk: fix crash when terminal inner-border is NULL

VTE terminal inner-border can be NULL. The vte-0.36 (API 2.90)
code checks for the condition too, so I assume it's not just a bug.

Fixes a crash on Fedora 24 with gtk 3.20.

Signed-off-by: Cole Robinson <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 4fd811a6bd0b8f24f4761fc281454494c336d310)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ccecdf758d37c27e824b3c871d30555aa70c34f8
      
https://github.com/qemu/qemu/commit/ccecdf758d37c27e824b3c871d30555aa70c34f8
  Author: Cole Robinson <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M ui/sdl2.c

  Log Message:
  -----------
  ui: sdl2: Release grab before opening console window

sdl 2.0.4 currently has a bug which causes our UI shortcuts to fire
rapidly in succession:

  https://bugzilla.libsdl.org/show_bug.cgi?id=3287

It's a toss-up whether ctrl+alt+f or ctrl+alt+2 will fire an
odd or even number of times, thus determining whether the action
succeeds or fails.

Opening monitor/serial windows is doubly broken, since it will often
lock the UI trying to grab the pointer:

  0x00007fffef3720a5 in SDL_Delay_REAL () at /lib64/libSDL2-2.0.so.0
  0x00007fffef3688ba in X11_SetWindowGrab () at /lib64/libSDL2-2.0.so.0
  0x00007fffef2f2da7 in SDL_SendWindowEvent () at /lib64/libSDL2-2.0.so.0
  0x00007fffef2f080b in SDL_SetKeyboardFocus () at /lib64/libSDL2-2.0.so.0
  0x00007fffef35d784 in X11_DispatchFocusIn.isra.8 () at /lib64/libSDL2-2.0.so.0
  0x00007fffef35dbce in X11_DispatchEvent () at /lib64/libSDL2-2.0.so.0
  0x00007fffef35ee4a in X11_PumpEvents () at /lib64/libSDL2-2.0.so.0
  0x00007fffef2eea6a in SDL_PumpEvents_REAL () at /lib64/libSDL2-2.0.so.0
  0x00007fffef2eeab5 in SDL_WaitEventTimeout_REAL () at /lib64/libSDL2-2.0.so.0
  0x000055555597eed0 in sdl2_poll_events (scon=0x55555876f928) at ui/sdl2.c:593

We can work around that hang by ungrabbing the pointer before launching
a new window. This roughly matches what our sdl1 code does.

Signed-off-by: Cole Robinson <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 56f289f383a871e871f944c7226920b35794efe6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 84da2c67019437afef779debc73c2df27f2271d2
      
https://github.com/qemu/qemu/commit/84da2c67019437afef779debc73c2df27f2271d2
  Author: Gerd Hoffmann <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M ui/sdl2.c

  Log Message:
  -----------
  sdl2: skip init without outputs

Signed-off-by: Gerd Hoffmann <address@hidden>
Tested-by: Cole Robinson <address@hidden>
Message-id: address@hidden
(cherry picked from commit 8efa5f29f83816ae34f428143de49acbaacccb24)
Signed-off-by: Michael Roth <address@hidden>


  Commit: c5ba71b6b988a5935a5c244f3aecccebb12b81db
      
https://github.com/qemu/qemu/commit/c5ba71b6b988a5935a5c244f3aecccebb12b81db
  Author: Cole Robinson <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M ui/spice-core.c

  Log Message:
  -----------
  ui: spice: Exit if gl=on EGL init fails

The user explicitly requested spice GL, so if we know it isn't
going to work we should exit.

Signed-off-by: Cole Robinson <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit daafc661cc1a1de5a2e8ea0a7c0f396b827ebc3b)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 780d8317c81c5632ccc44194aaca798e11e3acb9
      
https://github.com/qemu/qemu/commit/780d8317c81c5632ccc44194aaca798e11e3acb9
  Author: Cole Robinson <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/arm/virt.c

  Log Message:
  -----------
  hw/arm/virt: Reject gic-version=host for non-KVM

If you try to use gic-version=host with TCG on a KVM aarch64 host,
qemu segfaults, since host requires KVM APIs.

Explicitly reject gic-version=host if KVM is not enabled.

https://bugzilla.redhat.com/show_bug.cgi?id=1339977
Signed-off-by: Cole Robinson <address@hidden>
Message-id: address@hidden
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 0bf8039dca6bfecec243a13ebcd224d3941d9242)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7a2c32ec06533c54ddaf70136bfbd89eeaf6db16
      
https://github.com/qemu/qemu/commit/7a2c32ec06533c54ddaf70136bfbd89eeaf6db16
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/net/mipsnet.c

  Log Message:
  -----------
  net: mipsnet: check packet length against buffer

When receiving packets over the MIPSnet network device, it uses a
receive buffer of size 1514 bytes. In case the controller
accepts large (MTU) packets, it could lead to memory corruption.
Add a check to avoid it.

Reported-by: Oleksandr Bazhaniuk <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Jason Wang <address@hidden>

(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 1467b936d9e15dd41c6a471f99460eb9184d92e0
      
https://github.com/qemu/qemu/commit/1467b936d9e15dd41c6a471f99460eb9184d92e0
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/scsi/megasas.c

  Log Message:
  -----------
  scsi: megasas: use appropriate property buffer size

When setting MegaRAID SAS controller properties via MegaRAID
Firmware Interface (MFI) commands, a user supplied size parameter
is used to set the property value. Use an appropriate size value to avoid
OOB access issues.

Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 19dcd481acaef73ba700e8e50ad14dbd41a59b58
      
https://github.com/qemu/qemu/commit/19dcd481acaef73ba700e8e50ad14dbd41a59b58
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/scsi/megasas.c

  Log Message:
  -----------
  scsi: megasas: initialise local configuration data buffer

When reading MegaRAID SAS controller configuration via MegaRAID
Firmware Interface (MFI) commands, routine megasas_dcmd_cfg_read
uses an uninitialised local data buffer. Initialise this buffer
to avoid stack information leakage.

Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit d37af740730dbbb93960cd318e040372d04d6dcf)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 80eb9b8c4426c6dd145a39f4a44a6fa590de385d
      
https://github.com/qemu/qemu/commit/80eb9b8c4426c6dd145a39f4a44a6fa590de385d
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/scsi/megasas.c

  Log Message:
  -----------
  scsi: megasas: check 'read_queue_head' index value

While doing MegaRAID SAS controller command frame lookup, routine
'megasas_lookup_frame' uses 'read_queue_head' value as an index
into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
within array bounds to avoid any OOB access.

Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Alexander Graf <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
Signed-off-by: Michael Roth <address@hidden>
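As an added example (not QEMU's hw/scsi/megasas.c or hw/net/mipsnet.c), the three checks described in the mipsnet and megasas messages above in one piece of C: a guest-controlled queue index before it reaches frames[], a guest-supplied DCMD size before it drives a memcpy, and a packet length before it is copied into a fixed 1514-byte receive buffer. MEGASAS_MAX_FRAMES=2048 and the 1514-byte buffer come from the messages; the struct layouts, the 16-byte property store, the function signatures and the demo inputs are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example; not QEMU's hw/scsi/megasas.c or hw/net/mipsnet.c. Only
 * MEGASAS_MAX_FRAMES and MIPSNET_RX_BUFSZ are from the commit messages;
 * the rest of the layout is assumed. */
#define MEGASAS_MAX_FRAMES 2048
#define MIPSNET_RX_BUFSZ   1514
#define MEGASAS_PROP_SZ    16      /* assumed size of the property store */

typedef struct {
    uint64_t pa;                   /* guest physical address of the frame */
    int      in_use;
} MegasasFrame;

typedef struct {
    MegasasFrame frames[MEGASAS_MAX_FRAMES];
    uint32_t     read_queue_head;  /* guest-writable via MMIO */
    uint8_t      prop[MEGASAS_PROP_SZ];
} MegasasState;

typedef struct {
    uint8_t  rx_buffer[MIPSNET_RX_BUFSZ];
    uint32_t rx_count;
} MIPSnetState;

/* read_queue_head indexes frames[]. A guest value of 2048 or more would
 * read, and later write, past the array, so refuse it before use. */
static MegasasFrame *megasas_lookup_frame(MegasasState *s, uint32_t index)
{
    if (index >= MEGASAS_MAX_FRAMES) {
        return NULL;
    }
    return &s->frames[index];
}

/* Claim the frame at the guest-controlled head. Returns the index used,
 * or -1 when the guest value was out of range. */
static int megasas_next_frame(MegasasState *s)
{
    MegasasFrame *f = megasas_lookup_frame(s, s->read_queue_head);
    if (!f) {
        return -1;
    }
    f->in_use = 1;
    return (int)s->read_queue_head;
}

/* MFI set-property: 'size' comes from the guest's DCMD frame. The copy is
 * bounded by the storage size; the guest's number never drives memcpy
 * on its own. Returns bytes stored or -1. */
static int megasas_set_property(MegasasState *s, const uint8_t *src, size_t size)
{
    if (size > sizeof(s->prop)) {
        return -1;
    }
    memcpy(s->prop, src, size);
    return (int)size;
}

/* Packet receive: 'size' is what the network layer hands the device.
 * Anything larger than rx_buffer is dropped instead of copied. */
static int mipsnet_receive(MIPSnetState *s, const uint8_t *buf, size_t size)
{
    if (size > sizeof(s->rx_buffer)) {
        return -1;
    }
    memcpy(s->rx_buffer, buf, size);
    s->rx_count = (uint32_t)size;
    return (int)size;
}

/* Constructed scenarios (no real guest traffic); static state because the
 * frame array is 32 KiB. */
static int demo_frame_lookup(uint32_t head)
{
    static MegasasState s;
    memset(&s, 0, sizeof s);
    s.read_queue_head = head;          /* as if written by the guest */
    return megasas_next_frame(&s);
}

static int demo_set_property(size_t size)
{
    static MegasasState s;
    static uint8_t src[64];
    memset(src, 0x5A, sizeof src);
    return megasas_set_property(&s, src, size);
}

static int demo_rx(size_t pktlen)
{
    static MIPSnetState n;
    static uint8_t pkt[4096];          /* constructed packet, larger than MTU */
    memset(pkt, 0xAA, sizeof pkt);
    return mipsnet_receive(&n, pkt, pktlen);
}
```

The three checks share one shape: the value under test is compared against the size of the array it indexes or fills, and the request is refused rather than partially honoured. Clamping (copying only what fits) is the alternative; rejecting is simpler to reason about because the device state is unchanged on the failure path.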


  Commit: e5c4e642be623670ecc474316edd777ec4cbc424
      
https://github.com/qemu/qemu/commit/e5c4e642be623670ecc474316edd777ec4cbc424
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  scsi: esp: check buffer length before reading scsi command

The 53C9X Fast SCSI Controller (FSC) comes with an internal 16-byte
FIFO buffer. It is used to handle command and data transfer.
Routine get_cmd(), in non-DMA mode, uses 'ti_size' to read the SCSI
command into a buffer. Add a check to validate the command length against
the buffer size to avoid any overrun.

Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: aa6905db9667687293a558c14c78b05884c2b4eb
      
https://github.com/qemu/qemu/commit/aa6905db9667687293a558c14c78b05884c2b4eb
  Author: Paolo Bonzini <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  scsi: esp: respect FIFO invariant after message phase

The FIFO contains two bytes; hence the write ptr should be two bytes ahead
of the read pointer.

Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8c04a291c91e072c01a9724b04b170d0026ca065
      
https://github.com/qemu/qemu/commit/8c04a291c91e072c01a9724b04b170d0026ca065
  Author: Paolo Bonzini <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd

Avoid duplicated code between esp_do_dma and handle_ti.  esp_do_dma
has the same code that handle_ti contains after the call to esp_do_dma;
but the code in handle_ti is never reached because it is in an "else if".
Remove the else and also the pointless return.

esp_do_dma also has a partially dead assignment of the to_device
variable.  Sink it to the point where it's actually used.

Finally, assert that the other caller of esp_do_dma (esp_transfer_data)
only transfers data and not a command.  This is true because get_cmd
cancels the old request synchronously before its caller handle_satn_stop
sets do_cmd to 1.

Reviewed-by: Laszlo Ersek <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 7f0b6e114ae4e142e2b3dfc9fac138f4a30edc4f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 27fa5e735a267d21b3ae040b059636d5063bb7e4
      
https://github.com/qemu/qemu/commit/27fa5e735a267d21b3ae040b059636d5063bb7e4
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/scsi/esp.c
    M include/hw/scsi/esp.h

  Log Message:
  -----------
  scsi: esp: make cmdbuf big enough for maximum CDB size

While doing a DMA read into ESP command buffer 's->cmdbuf', it could
write past the 's->cmdbuf' area, if it was transferring more than 16
bytes.  Increase the command buffer size to 32, which is the maximum when
's->do_cmd' is set, and add a check on 'len' to avoid OOB access.

Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 407fb6fce916b8984b5fd288b4a97d61f014dc72
      
https://github.com/qemu/qemu/commit/407fb6fce916b8984b5fd288b4a97d61f014dc72
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/scsi/megasas.c

  Log Message:
  -----------
  scsi: megasas: null terminate bios version buffer

While reading information via 'megasas_ctrl_get_info' routine,
a local bios version buffer isn't null terminated. Add the
terminating null byte to avoid any OOB access.

Reported-by: Li Qiang <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
Signed-off-by: Michael Roth <address@hidden>
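An added C example covering the two data-to-guest defects in the megasas messages above (the uninitialised local buffer in megasas_dcmd_cfg_read and the unterminated BIOS version string in megasas_ctrl_get_info). It is not QEMU's code: the reply layout, field sizes and function names are assumed, and the two helpers at the end exist only to exercise the checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU's hw/scsi/megasas.c. Layout, sizes and names
 * are assumed; only the two failure modes come from the commit messages. */
#define MEGASAS_CFG_SZ  64
#define BIOS_VERSION_SZ 16

/* DCMD config read: only a header is filled in and the rest of the reply
 * must be zero. Without the memset the untouched bytes are whatever the
 * stack last held, and that is what the guest gets back. */
static size_t megasas_cfg_read(uint8_t *out, size_t outlen)
{
    uint8_t data[MEGASAS_CFG_SZ];
    size_t  n = outlen < sizeof data ? outlen : sizeof data;

    memset(data, 0, sizeof data);      /* the fix: every byte has a value */
    data[0] = 0x01;                    /* assumed header: format version */
    data[1] = 0x00;                    /* assumed header: array count */
    memcpy(out, data, n);
    return n;
}

/* Copy a controller string into a fixed field, truncating if needed and
 * always leaving a terminating NUL. strncpy() does not terminate when the
 * source fills the field, which is the defect fixed above. */
static void megasas_copy_string(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0) {
        return;
    }
    snprintf(dst, dstlen, "%s", src);  /* writes at most dstlen-1 chars + NUL */
}

/* Bytes beyond the two header bytes that are non-zero in a reply: 0 after
 * the fix, regardless of what the stack held. */
static int megasas_cfg_read_leaked_bytes(void)
{
    uint8_t reply[MEGASAS_CFG_SZ];
    size_t n, i;
    int nonzero = 0;

    n = megasas_cfg_read(reply, sizeof reply);
    for (i = 2; i < n; i++) {
        if (reply[i] != 0) {
            nonzero++;
        }
    }
    return nonzero;
}

/* Length of the stored version after copying 'version' into a field that
 * is pre-filled with 'A' (no NUL anywhere): always < BIOS_VERSION_SZ. */
static size_t megasas_bios_version_len(const char *version)
{
    char field[BIOS_VERSION_SZ];
    memset(field, 'A', sizeof field);
    megasas_copy_string(field, sizeof field, version);
    return strlen(field);
}
```

The memset and the NUL terminator both address the same class of bug: a reply built in a local buffer is copied to the guest whole, so any byte the code did not deliberately set is a host memory disclosure.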


  Commit: 236039b89da8cf0a82fe32e605c1d647a13820f0
      
https://github.com/qemu/qemu/commit/236039b89da8cf0a82fe32e605c1d647a13820f0
  Author: Prasad J Pandit <address@hidden>
  Date:   2016-08-09 (Tue, 09 Aug 2016)

  Changed paths:
    M hw/scsi/esp.c

  Log Message:
  -----------
  scsi: esp: check TI buffer index before read/write

The 53C9X Fast SCSI Controller (FSC) comes with internal 16-byte
FIFO buffers. One is used to handle commands and the other is for
information transfer. Three control variables 'ti_rptr',
'ti_wptr' and 'ti_size' are used to control r/w access to the
information transfer buffer ti_buf[TI_BUFSZ=16]. In that,

'ti_rptr' is used as the read index, where the read occurs.
'ti_wptr' is the write index, where the write would occur.
'ti_size' indicates the total bytes to be read from the buffer.

While reading/writing to this buffer, the index could exceed its
size. Add a check to avoid OOB r/w access.

Reported-by: Huawei PSIRT <address@hidden>
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit ff589551c8e8e9e95e211b9d8daafb4ed39f1aec)
Signed-off-by: Michael Roth <address@hidden>
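An added C example, not QEMU's hw/scsi/esp.c, of the bounds checks the esp messages above describe: the TI FIFO read/write indices, the ti_size check in non-DMA get_cmd(), and the 32-byte cmdbuf with a checked DMA length. TI_BUFSZ=16 and the 32-byte cmdbuf are the sizes given in the messages; the state layout, return conventions, function names and demo inputs are assumed.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not QEMU's hw/scsi/esp.c. Buffer sizes are from the
 * commit messages; everything else is assumed. */
#define TI_BUFSZ 16
#define CMDBUFSZ 32

typedef struct {
    uint8_t ti_buf[TI_BUFSZ];
    int     ti_rptr;    /* read index into ti_buf */
    int     ti_wptr;    /* write index into ti_buf */
    int     ti_size;    /* bytes still to be read */
    uint8_t cmdbuf[CMDBUFSZ];
    int     cmdlen;
} ESPState;

static void esp_reset(ESPState *s)
{
    memset(s, 0, sizeof *s);
}

/* Guest writes one byte into the FIFO (non-DMA path). Returns 1 if stored,
 * 0 if full. ti_wptr is checked before it is used as an index. */
static int esp_ti_push(ESPState *s, uint8_t b)
{
    if (s->ti_wptr >= TI_BUFSZ || s->ti_size >= TI_BUFSZ) {
        return 0;
    }
    s->ti_buf[s->ti_wptr++] = b;
    s->ti_size++;
    return 1;
}

/* Guest reads one byte: the byte, or -1 when nothing is left or ti_rptr
 * has reached the end of the array. Indices rewind once the FIFO empties. */
static int esp_ti_pop(ESPState *s)
{
    int b;
    if (s->ti_size <= 0 || s->ti_rptr >= TI_BUFSZ) {
        return -1;
    }
    b = s->ti_buf[s->ti_rptr++];
    if (--s->ti_size == 0) {
        s->ti_rptr = s->ti_wptr = 0;
    }
    return b;
}

/* DMA read of 'len' command bytes into cmdbuf. Growing cmdbuf to 32 bytes
 * is half the fix; refusing a 'len' that does not fit is the other half. */
static int esp_cmd_dma_read(ESPState *s, const uint8_t *src, int len)
{
    if (len < 0 || len > CMDBUFSZ - s->cmdlen) {
        return -1;
    }
    memcpy(s->cmdbuf + s->cmdlen, src, (size_t)len);
    s->cmdlen += len;
    return len;
}

/* Non-DMA get_cmd(): move the command accumulated in the FIFO into cmdbuf.
 * ti_size is validated against both arrays before it drives the copy. */
static int esp_get_cmd_pio(ESPState *s)
{
    if (s->ti_size < 0 || s->ti_size > TI_BUFSZ || s->ti_size > CMDBUFSZ) {
        return -1;
    }
    memcpy(s->cmdbuf, s->ti_buf, (size_t)s->ti_size);
    s->cmdlen = s->ti_size;
    s->ti_rptr = s->ti_wptr = s->ti_size = 0;
    return s->cmdlen;
}

/* Constructed scenarios, no real guest traffic. */
static int esp_demo_fifo_fill(int nbytes)     /* bytes accepted of nbytes */
{
    ESPState s;
    int i, accepted = 0;
    esp_reset(&s);
    for (i = 0; i < nbytes; i++) {
        accepted += esp_ti_push(&s, (uint8_t)i);
    }
    return accepted;
}

static int esp_demo_fifo_drain(void)          /* push 4, pop 5: last result */
{
    ESPState s;
    int i, last = 0;
    esp_reset(&s);
    for (i = 0; i < 4; i++) esp_ti_push(&s, (uint8_t)(0x10 + i));
    for (i = 0; i < 5; i++) last = esp_ti_pop(&s);
    return last;
}

static int esp_demo_cmd_dma(int len)          /* bytes copied, or -1 */
{
    ESPState s;
    static uint8_t src[64];
    esp_reset(&s);
    memset(src, 0x12, sizeof src);
    return esp_cmd_dma_read(&s, src, len);
}

static int esp_demo_get_cmd(int ti_size)      /* get_cmd() with a given ti_size */
{
    ESPState s;
    esp_reset(&s);
    s.ti_size = ti_size;
    return esp_get_cmd_pio(&s);
}
```

Every index or length that reaches an array here is compared against that array's size first, including ti_size, which other code paths can set independently of the push/pop counters.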


  Commit: 1f1b96a1dfb3d311fa467a8dbbb557111df10f9a
      
https://github.com/qemu/qemu/commit/1f1b96a1dfb3d311fa467a8dbbb557111df10f9a
  Author: Laurent Vivier <address@hidden>
  Date:   2016-08-15 (Mon, 15 Aug 2016)

  Changed paths:
    M target-ppc/arch_dump.c

  Log Message:
  -----------
  ppc64: fix compressed dump with pseries kernel

If we don't provide the page size in target-ppc:cpu_get_dump_info(),
the default one (TARGET_PAGE_SIZE, 4KB) is used to create
the compressed dump. It works fine with Macintosh, but not with
pseries as the kernel default page size is 64KB.

Without this patch, if we generate a compressed dump in the QEMU monitor:

    (qemu) dump-guest-memory -z qemu.dump

This dump cannot be read by crash:

    # crash vmlinux qemu.dump
    ...
    WARNING: cannot translate vmemmap kernel virtual addresses:
       commands requiring page structure contents will fail
    ...

Page_size is used to determine the dumpfile's block size. The
block size needs to be at least the page size, but a multiple of the page
size works fine too. For PPC64, Linux supports either 4KB or 64KB software
page size. So we define the page_size to 64KB.

Signed-off-by: Laurent Vivier <address@hidden>
Reviewed-by: Andrew Jones <address@hidden>
Signed-off-by: David Gibson <address@hidden>
(cherry picked from commit 760d88d1d0c409f1afe6f1c91539487413e8b2a9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: beeff749f64690c259bd5932a1ec20f473cbedd1
      
https://github.com/qemu/qemu/commit/beeff749f64690c259bd5932a1ec20f473cbedd1
  Author: Bruce Rogers <address@hidden>
  Date:   2016-08-15 (Mon, 15 Aug 2016)

  Changed paths:
    M hw/xen/xen_pt.c

  Log Message:
  -----------
  Xen PCI passthrough: fix passthrough failure when no interrupt pin

Commit 5a11d0f7 mistakenly converted a log message into an error
condition when no pin interrupt is found for the pci device being
passed through. Revert that part of the commit.

Signed-off-by: Bruce Rogers <address@hidden>
Signed-off-by: Stefano Stabellini <address@hidden>
Acked-by: Anthony PERARD <address@hidden>
(cherry picked from commit 0968c91ce00f42487fb11de5da38e53b5dc6bc7f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5125bef25abcaa124db6a579c97bc584f4fa1e92
      
https://github.com/qemu/qemu/commit/5125bef25abcaa124db6a579c97bc584f4fa1e92
  Author: Gonglei <address@hidden>
  Date:   2016-08-15 (Mon, 15 Aug 2016)

  Changed paths:
    M qemu-timer.c
    M tests/test-aio.c

  Log Message:
  -----------
  timer: set vm_clock disabled default

(commit 80dcfb8532ae76343109a48f12ba8ca1c505c179)
Upon migration, the code uses a timer based on vm_clock for 1ns
in the future from post_load to do the event send in case host_connected
differs between migration source and target.

However, it's not guaranteed that the apic is ready to inject irqs into
the guest, and the irq line remained high, resulting in any future interrupts
going unnoticed by the guest as well.

That's because 1) the migration coroutine is not blocked when it gets EAGAIN
while reading QEMUFile. 2) The vm_clock is enabled by default currently, it doesn't
rely on the calling of vm_start(), that means vm_clock timers can run before
VCPUs are running.

So, let's set the vm_clock disabled by default, keeping the initial design
intention for vm_clock timers.

Meanwhile, change the test-aio usecase, using QEMU_CLOCK_REALTIME instead of
QEMU_CLOCK_VIRTUAL as the block code does.

CC: Paolo Bonzini <address@hidden>
CC: Dr. David Alan Gilbert <address@hidden>
CC: address@hidden
Signed-off-by: Gonglei <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 3fdd0ee393e26178a4892e101e60b011bbfaa9ea)
Signed-off-by: Michael Roth <address@hidden>


  Commit: fcf75ad007b760eb5299ef7d0dda462372b8739e
      
https://github.com/qemu/qemu/commit/fcf75ad007b760eb5299ef7d0dda462372b8739e
  Author: Michael Roth <address@hidden>
  Date:   2016-08-17 (Wed, 17 Aug 2016)

  Changed paths:
    M VERSION

  Log Message:
  -----------
  Update version for 2.6.1 release

Signed-off-by: Michael Roth <address@hidden>


Compare: https://github.com/qemu/qemu/compare/d00ba3fa9b58^...fcf75ad007b7
