From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 2c4f0f: 9pfs: local: move xattr security ops to 9p-xattr.c
Date: Wed, 05 Apr 2017 04:38:56 -0700

  Branch: refs/heads/stable-2.8
  Home:   https://github.com/qemu/qemu
  Commit: 2c4f0f6c11d5ab60b1483b4bf4b173c1dfe1e0cd
      https://github.com/qemu/qemu/commit/2c4f0f6c11d5ab60b1483b4bf4b173c1dfe1e0cd
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-xattr.c
    M hw/9pfs/9p-xattr.h

  Log Message:
  -----------
  9pfs: local: move xattr security ops to 9p-xattr.c

These functions are always called indirectly. It really doesn't make sense
for them to sit in a header file.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 56fc494bdcba35d74da27e1d34dbb6db6fa7bd67)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: e103f9e7b431ae5b0f6d28262ae0646f37c3645f
      https://github.com/qemu/qemu/commit/e103f9e7b431ae5b0f6d28262ae0646f37c3645f
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: remove side-effects in local_init()

If this function fails, it should not modify *ctx.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 00c90bd1c2ff6aabb9ca948a254ba044a403e399)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 52d43ff72e3f497f73bfe0da180d8a46b6589776
      https://github.com/qemu/qemu/commit/52d43ff72e3f497f73bfe0da180d8a46b6589776
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: remove side-effects in local_open() and local_opendir()

If these functions fail, they should not change *fs. Let's use local
variables to fix this.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 21328e1e57f526e3f0c2fcd00f10c8aa6e7bc07f)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 984bd0a1b864be48af39539ab152c90bb49a03bd
      https://github.com/qemu/qemu/commit/984bd0a1b864be48af39539ab152c90bb49a03bd
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    A hw/9pfs/9p-util.c
    A hw/9pfs/9p-util.h
    M hw/9pfs/Makefile.objs

  Log Message:
  -----------
  9pfs: introduce relative_openat_nofollow() helper

When using the passthrough security mode, symbolic links created by the
guest are actual symbolic links on the host file system.

Since the resolution of symbolic links during path walk is supposed to
occur on the client side, the server should hence never receive any path
pointing to an actual symbolic link. This isn't guaranteed by the protocol
though, and malicious code in the guest can trick the server to issue
various syscalls on paths in which one or more elements are symbolic links.
In the case of the "local" backend using the "passthrough" or "none"
security modes, the guest can directly create symbolic links to arbitrary
locations on the host (as per spec). The "mapped-xattr" and "mapped-file"
security modes are also affected to a lesser extent as they require some
help from an external entity to create actual symbolic links on the host,
i.e. another guest using "passthrough" mode for example.

The current code hence relies on O_NOFOLLOW and "l*()" variants of system
calls. Unfortunately, this only applies to the rightmost path component.
A guest could maliciously replace any component in a trusted path with a
symbolic link. This could allow any guest to escape a virtfs shared folder.

This patch introduces a variant of the openat() syscall that successively
opens each path element with O_NOFOLLOW. When passing a file descriptor
pointing to a trusted directory, one is guaranteed to be returned a
file descriptor pointing to a path which is beneath the trusted directory.
This will be used by subsequent patches to implement symlink-safe path walk
for any access to the backend.

Symbolic links aren't the only threats actually: a malicious guest could
change a path element to point to other types of file with undesirable
effects:
- a named pipe or any other thing that would cause openat() to block
- a terminal device which would become QEMU's controlling terminal

These issues can be addressed with O_NONBLOCK and O_NOCTTY.

Two helpers are introduced: one to open intermediate path elements and one
to open the rightmost path element.

Suggested-by: Jann Horn <address@hidden>
Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(renamed openat_nofollow() to relative_openat_nofollow(),
 assert path is relative and doesn't contain '//',
 fixed side-effect in assert, Greg Kurz)
Signed-off-by: Greg Kurz <address@hidden>

(cherry picked from commit 6482a961636d66cc10928dde5d4d908206e5f65a)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
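The element-wise walk this commit describes, as an added example written here (not QEMU's own hw/9pfs/9p-util.c code): each path element is opened with O_NOFOLLOW | O_NONBLOCK | O_NOCTTY relative to the descriptor of the previous element, and the walk is exercised against a constructed tree with a symlink as an intermediate element and as the rightmost element. The helper names, the tree under /tmp and the rejection of ".." are assumptions of this example, not part of the commit.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Every element: never follow a symlink, never block on a FIFO, no ctty. */
#define NOFOLLOW_FLAGS (O_NOFOLLOW | O_NONBLOCK | O_NOCTTY)

/* Open `path` beneath `dirfd` one element at a time: intermediate elements
 * must be real directories, the rightmost one gets the caller's flags.
 * Returns a new fd or -1 with errno set; dirfd stays owned by the caller.
 * Rejecting ".." is an extra check added here (assumption, not on the page)
 * so the returned fd can never sit above dirfd. */
int relative_openat_nofollow(int dirfd, const char *path, int flags, mode_t mode)
{
    if (path[0] == '/' || strstr(path, "//") != NULL) {
        errno = EINVAL;             /* relative, no "//": the page's asserts */
        return -1;
    }
    char *copy = strdup(path);
    int cur = copy ? dup(dirfd) : -1;
    if (cur < 0) { free(copy); return -1; }
    for (char *p = copy; *p != '\0';) {
        char *sep = strchr(p, '/');
        if (sep) *sep = '\0';
        int next = -1;
        if (strcmp(p, "..") == 0) {
            errno = EINVAL;
        } else if (sep) {           /* intermediate: must be a directory */
            next = openat(cur, p, O_DIRECTORY | O_RDONLY | NOFOLLOW_FLAGS);
        } else {                    /* rightmost element */
            next = openat(cur, p, flags | NOFOLLOW_FLAGS, mode);
        }
        int saved = errno;
        close(cur);                 /* drop the previous level */
        if (next < 0) { free(copy); errno = saved; return -1; }
        cur = next;
        if (!sep) break;
        p = sep + 1;
    }
    free(copy);
    return cur;
}

static void put_file(int dirfd, const char *name, const char *text)
{
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return;
    if (write(fd, text, strlen(text)) < 0) perror("write");
    close(fd);
}

static int g_root = -1;

/* Constructed tree (not from the page), built under /tmp on first call:
 *   share/sub/file.txt                    regular file
 *   share/sub/leaf -> /tmp/secret9p.txt   symlink as rightmost element
 *   share/evil     -> /tmp                symlink as intermediate element
 * Returns an fd on `share`, the trusted directory the server would cache. */
int fixture_root(void)
{
    if (g_root >= 0) return g_root;
    char share[64];
    snprintf(share, sizeof share, "/tmp/share9p-%ld", (long)getpid());
    mkdir(share, 0700);
    g_root = open(share, O_DIRECTORY | O_RDONLY);
    int tmp = open("/tmp", O_DIRECTORY | O_RDONLY);
    put_file(tmp, "secret9p.txt", "outside the share");
    close(tmp);
    mkdirat(g_root, "sub", 0700);
    int sub = openat(g_root, "sub", O_DIRECTORY | O_RDONLY);
    put_file(sub, "file.txt", "hello");
    symlinkat("/tmp/secret9p.txt", sub, "leaf");
    close(sub);
    symlinkat("/tmp", g_root, "evil");
    return g_root;
}

/* 0 if the element-wise walk hands out an fd for `path`, else its errno. */
int safe_open_errno(int rootfd, const char *path)
{
    int fd = relative_openat_nofollow(rootfd, path, O_RDONLY, 0);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* The pre-fix pattern, one openat(O_NOFOLLOW) over the whole path: returns 0
 * when it succeeds, i.e. when an intermediate symlink was silently followed. */
int naive_open_errno(int rootfd, const char *path)
{
    int fd = openat(rootfd, path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}
```

Link it with a main() that calls fixture_root() and compares safe_open_errno() with naive_open_errno() on "evil/secret9p.txt": the single O_NOFOLLOW open succeeds through the intermediate symlink, while the element-wise walk fails with ENOTDIR (or ELOOP, depending on the kernel).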


  Commit: 54f951d6348f08a89da8b49d64fe06ceb291759f
      https://github.com/qemu/qemu/commit/54f951d6348f08a89da8b49d64fe06ceb291759f
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: keep a file descriptor on the shared folder

This patch opens the shared folder and caches the file descriptor, so that
it can be used to do symlink-safe path walk.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 0e35a3782948c6154d7fafe9a02a86bc130199c7)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: acf22d2264a131ad2695b5a18746dabf0cc8b843
      https://github.com/qemu/qemu/commit/acf22d2264a131ad2695b5a18746dabf0cc8b843
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c
    A hw/9pfs/9p-local.h

  Log Message:
  -----------
  9pfs: local: open/opendir: don't follow symlinks

The local_open() and local_opendir() callbacks are vulnerable to symlink
attacks because they call:

(1) open(O_NOFOLLOW) which follows symbolic links in all path elements but
    the rightmost one
(2) opendir() which follows symbolic links in all path elements

This patch converts both callbacks to use new helpers based on
openat_nofollow() to only open files and directories if they are
below the virtfs shared folder.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 996a0d76d7e756e4023ef79bc37bfe629b9eaca7)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6c1e3a16bcf2a0d663e10ec34ef058d686339861
      https://github.com/qemu/qemu/commit/6c1e3a16bcf2a0d663e10ec34ef058d686339861
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-posix-acl.c
    M hw/9pfs/9p-util.c
    M hw/9pfs/9p-util.h
    M hw/9pfs/9p-xattr-user.c
    M hw/9pfs/9p-xattr.c
    M hw/9pfs/9p-xattr.h

  Log Message:
  -----------
  9pfs: local: lgetxattr: don't follow symlinks

The local_lgetxattr() callback is vulnerable to symlink attacks because
it calls lgetxattr() which follows symbolic links in all path elements but
the rightmost one.

This patch introduces a helper to emulate the non-existing fgetxattrat()
function: it is implemented with /proc/self/fd which provides a trusted
path that can be safely passed to lgetxattr().

local_lgetxattr() is converted to use this helper and opendir_nofollow().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 56ad3e54dad6cdcee8668d170df161d89581846f)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: d10142c11bdcecebe97fd834a834167053b7a05c
      https://github.com/qemu/qemu/commit/d10142c11bdcecebe97fd834a834167053b7a05c
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-xattr.c

  Log Message:
  -----------
  9pfs: local: llistxattr: don't follow symlinks

The local_llistxattr() callback is vulnerable to symlink attacks because
it calls llistxattr() which follows symbolic links in all path elements but
the rightmost one.

This patch introduces a helper to emulate the non-existing flistxattrat()
function: it is implemented with /proc/self/fd which provides a trusted
path that can be safely passed to llistxattr().

local_llistxattr() is converted to use this helper and opendir_nofollow().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 5507904e362df252f6065cb27d1ff98372db6abc)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: ed6083afc2df439578f00ae6c47338cb2203eaf1
      https://github.com/qemu/qemu/commit/ed6083afc2df439578f00ae6c47338cb2203eaf1
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-posix-acl.c
    M hw/9pfs/9p-util.h
    M hw/9pfs/9p-xattr-user.c
    M hw/9pfs/9p-xattr.c
    M hw/9pfs/9p-xattr.h

  Log Message:
  -----------
  9pfs: local: lsetxattr: don't follow symlinks

The local_lsetxattr() callback is vulnerable to symlink attacks because
it calls lsetxattr() which follows symbolic links in all path elements but
the rightmost one.

This patch introduces a helper to emulate the non-existing fsetxattrat()
function: it is implemented with /proc/self/fd which provides a trusted
path that can be safely passed to lsetxattr().

local_lsetxattr() is converted to use this helper and opendir_nofollow().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 3e36aba757f76673007a80b3cd56a4062c2e3462)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: a9f46b8b658cc8ba7d7d7d4ab4a6d69e9689268e
      https://github.com/qemu/qemu/commit/a9f46b8b658cc8ba7d7d7d4ab4a6d69e9689268e
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-posix-acl.c
    M hw/9pfs/9p-xattr-user.c
    M hw/9pfs/9p-xattr.c
    M hw/9pfs/9p-xattr.h

  Log Message:
  -----------
  9pfs: local: lremovexattr: don't follow symlinks

The local_lremovexattr() callback is vulnerable to symlink attacks because
it calls lremovexattr() which follows symbolic links in all path elements
but the rightmost one.

This patch introduces a helper to emulate the non-existing fremovexattrat()
function: it is implemented with /proc/self/fd which provides a trusted
path that can be safely passed to lremovexattr().

local_lremovexattr() is converted to use this helper and opendir_nofollow().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 72f0d0bf51362011c4d841a89fb8f5cfb16e0bf3)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0bb99557e17ef7336d8621b6f6c6b9591bd3a13d
      https://github.com/qemu/qemu/commit/0bb99557e17ef7336d8621b6f6c6b9591bd3a13d
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: unlinkat: don't follow symlinks

The local_unlinkat() callback is vulnerable to symlink attacks because it
calls remove() which follows symbolic links in all path elements but the
rightmost one.

This patch converts local_unlinkat() to rely on opendir_nofollow() and
unlinkat() instead.

Most of the code is moved to a separate local_unlinkat_common() helper
which will be reused in a subsequent patch to fix the same issue in
local_remove().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit df4938a6651b1f980018f9eaf86af43e6b9d7fed)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4286f58bfc09eade137770bfd2b0700bf6197cf3
      https://github.com/qemu/qemu/commit/4286f58bfc09eade137770bfd2b0700bf6197cf3
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: remove: don't follow symlinks

The local_remove() callback is vulnerable to symlink attacks because it
calls:

(1) lstat() which follows symbolic links in all path elements but the
    rightmost one
(2) remove() which follows symbolic links in all path elements but the
    rightmost one

This patch converts local_remove() to rely on opendir_nofollow(),
fstatat(AT_SYMLINK_NOFOLLOW) to fix (1) and unlinkat() to fix (2).

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit a0e640a87210b1e986bcd4e7f7de03beb3db0a4a)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 91225c670a0eec5354d679b4fd676e572cc37a57
      https://github.com/qemu/qemu/commit/91225c670a0eec5354d679b4fd676e572cc37a57
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: utimensat: don't follow symlinks

The local_utimensat() callback is vulnerable to symlink attacks because it
calls qemu_utimens()->utimensat(AT_SYMLINK_NOFOLLOW) which follows symbolic
links in all path elements but the rightmost one or qemu_utimens()->utimes()
which follows symbolic links for all path elements.

This patch converts local_utimensat() to rely on opendir_nofollow() and
utimensat(AT_SYMLINK_NOFOLLOW) directly instead of using qemu_utimens().
It is hence assumed that the OS supports utimensat(), i.e. has glibc 2.6
or higher and linux 2.6.22 or higher, which seems reasonable nowadays.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit a33eda0dd99e00faa3bacae43d19490bb9500e07)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: d3c54bf9e7f079e43f37bb0d7c2657e8976d3e1d
      https://github.com/qemu/qemu/commit/d3c54bf9e7f079e43f37bb0d7c2657e8976d3e1d
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: statfs: don't follow symlinks

The local_statfs() callback is vulnerable to symlink attacks because it
calls statfs() which follows symbolic links in all path elements.

This patch converts local_statfs() to rely on open_nofollow() and fstatfs()
instead.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 31e51d1c15b35dc98b88a301812914b70a2b55dc)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: ec10eada04069a4f22010b4b30c0b70b7f6fd887
      https://github.com/qemu/qemu/commit/ec10eada04069a4f22010b4b30c0b70b7f6fd887
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: truncate: don't follow symlinks

The local_truncate() callback is vulnerable to symlink attacks because
it calls truncate() which follows symbolic links in all path elements.

This patch converts local_truncate() to rely on open_nofollow() and
ftruncate() instead.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit ac125d993b461d4dee4d6df4d93ac3f2eb959d1d)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3439290f9ed98f837848d5c9bf688a0c8aa8bd27
      https://github.com/qemu/qemu/commit/3439290f9ed98f837848d5c9bf688a0c8aa8bd27
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: readlink: don't follow symlinks

The local_readlink() callback is vulnerable to symlink attacks because it
calls:

(1) open(O_NOFOLLOW) which follows symbolic links for all path elements but
    the rightmost one
(2) readlink() which follows symbolic links for all path elements but the
    rightmost one

This patch converts local_readlink() to rely on open_nofollow() to fix (1)
and opendir_nofollow(), readlinkat() to fix (2).

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit bec1e9546e03b9e7f5152cf3e8c95cf8acff5e12)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: cfe40e14851e77561074020ff085f1bf49860bc1
      https://github.com/qemu/qemu/commit/cfe40e14851e77561074020ff085f1bf49860bc1
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: lstat: don't follow symlinks

The local_lstat() callback is vulnerable to symlink attacks because it
calls:

(1) lstat() which follows symbolic links in all path elements but the
    rightmost one
(2) getxattr() which follows symbolic links in all path elements
(3) local_mapped_file_attr()->local_fopen()->openat(O_NOFOLLOW) which
    follows symbolic links in all path elements but the rightmost
    one

This patch converts local_lstat() to rely on opendir_nofollow() and
fstatat(AT_SYMLINK_NOFOLLOW) to fix (1), fgetxattrat_nofollow() to
fix (2).

A new local_fopenat() helper is introduced as a replacement to
local_fopen() to fix (3). No effort is made to factor out code
because local_fopen() will be dropped when all users have been
converted to call local_fopenat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit f9aef99b3e6df88036436b0d3dc3d504b9346c8c)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 0f3490faa8796da9986d798428b034e0bb4d6f1d
      https://github.com/qemu/qemu/commit/0f3490faa8796da9986d798428b034e0bb4d6f1d
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: renameat: don't follow symlinks

The local_renameat() callback is currently a wrapper around local_rename()
which is vulnerable to symlink attacks.

This patch rewrites local_renameat() to have its own implementation, based
on local_opendir_nofollow() and renameat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 99f2cf4b2dad7b37c69759deb0d0b19d3ec1a24a)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: d93d06a2fc1e126a411178ba2edc10e802e152a1
      https://github.com/qemu/qemu/commit/d93d06a2fc1e126a411178ba2edc10e802e152a1
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: rename: use renameat

The local_rename() callback is vulnerable to symlink attacks because it
uses rename() which follows symbolic links in all path elements but the
rightmost one.

This patch simply transforms local_rename() into a wrapper around
local_renameat() which is symlink-attack safe.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit d2767edec582558f1e6c52e1dd9370d62e2b30fc)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: d7322e13c6816c0edf12a23f93a78338a0b1ef01
      https://github.com/qemu/qemu/commit/d7322e13c6816c0edf12a23f93a78338a0b1ef01
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: improve error handling in link op

When using the mapped-file security model, we also have to create a link
for the metadata file if it exists. In case of failure, we should rollback.

That's what this patch does.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 6dd4b1f1d026e478d9177b28169b377e212400f3)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: e314b1b1fb9ec8a4792aa495c3fe627d8f0a58a0
      https://github.com/qemu/qemu/commit/e314b1b1fb9ec8a4792aa495c3fe627d8f0a58a0
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: link: don't follow symlinks

The local_link() callback is vulnerable to symlink attacks because it calls:

(1) link() which follows symbolic links for all path elements but the
    rightmost one
(2) local_create_mapped_attr_dir()->mkdir() which follows symbolic links
    for all path elements but the rightmost one

This patch converts local_link() to rely on opendir_nofollow() and linkat()
to fix (1), mkdirat() to fix (2).

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit ad0b46e6ac769b187cb4dcf0065675ef8a198a5e)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: ea9e59bdf609343db067c1d5fab79a9a1b01acf5
      https://github.com/qemu/qemu/commit/ea9e59bdf609343db067c1d5fab79a9a1b01acf5
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: chmod: don't follow symlinks

The local_chmod() callback is vulnerable to symlink attacks because it
calls:

(1) chmod() which follows symbolic links for all path elements
(2) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one

We would need fchmodat() to implement AT_SYMLINK_NOFOLLOW to fix (1). This
isn't the case on linux unfortunately: the kernel doesn't even have a flags
argument to the syscall :-\ It is impossible to fix it in userspace in
a race-free manner. This patch hence converts local_chmod() to rely on
open_nofollow() and fchmod(). This fixes the vulnerability but introduces
a limitation: the target file must be readable and/or writable for the call
to openat() to succeed.

It introduces a local_set_xattrat() replacement to local_set_xattr()
based on fsetxattrat() to fix (2), and a local_set_mapped_file_attrat()
replacement to local_set_mapped_file_attr() based on local_fopenat()
and mkdirat() to fix (3). No effort is made to factor out code because
both local_set_xattr() and local_set_mapped_file_attr() will be dropped
when all users have been converted to use the "at" versions.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit e3187a45dd02a7490f9191c16527dc28a4ba45b9)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 62d1dbbfce619efac6d10235fc4d7ba5eb987b3f
      https://github.com/qemu/qemu/commit/62d1dbbfce619efac6d10235fc4d7ba5eb987b3f
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: chown: don't follow symlinks

The local_chown() callback is vulnerable to symlink attacks because it
calls:

(1) lchown() which follows symbolic links for all path elements but the
    rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one

This patch converts local_chown() to rely on open_nofollow() and
fchownat() to fix (1), as well as local_set_xattrat() and
local_set_mapped_file_attrat() to fix (2) and (3) respectively.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit d369f20763a857eac544a5289a046d0285a91df8)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9f4ba82b069f6d4c104be66c7a201a44f66dcf00
      https://github.com/qemu/qemu/commit/9f4ba82b069f6d4c104be66c7a201a44f66dcf00
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: symlink: don't follow symlinks

The local_symlink() callback is vulnerable to symlink attacks because it
calls:

(1) symlink() which follows symbolic links for all path elements but the
    rightmost one
(2) open(O_NOFOLLOW) which follows symbolic links for all path elements but
    the rightmost one
(3) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(4) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one

This patch converts local_symlink() to rely on opendir_nofollow() and
symlinkat() to fix (1), openat(O_NOFOLLOW) to fix (2), as well as
local_set_xattrat() and local_set_mapped_file_attrat() to fix (3) and
(4) respectively.

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 38771613ea6759f499645afd709aa422161eb27e)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5b24a96cd2afff204b1de86d252cc433848ae6fd
      https://github.com/qemu/qemu/commit/5b24a96cd2afff204b1de86d252cc433848ae6fd
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: mknod: don't follow symlinks

The local_mknod() callback is vulnerable to symlink attacks because it
calls:

(1) mknod() which follows symbolic links for all path elements but the
    rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one
(4) local_post_create_passthrough() which calls in turn lchown() and
    chmod(), both functions also following symbolic links

This patch converts local_mknod() to rely on opendir_nofollow() and
mknodat() to fix (1), as well as local_set_xattrat() and
local_set_mapped_file_attrat() to fix (2) and (3) respectively.

A new local_set_cred_passthrough() helper based on fchownat() and
fchmodat_nofollow() is introduced as a replacement to
local_post_create_passthrough() to fix (4).

The mapped and mapped-file security modes are supposed to be identical,
except for the place where credentials and file modes are stored. While
here, we also make that explicit by sharing the call to mknodat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit d815e7219036d6911fce12efe3e59906264c8536)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: c8c9aab1731c2c79248bd24121c09e8e270f6007
      https://github.com/qemu/qemu/commit/c8c9aab1731c2c79248bd24121c09e8e270f6007
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: mkdir: don't follow symlinks

The local_mkdir() callback is vulnerable to symlink attacks because it
calls:

(1) mkdir() which follows symbolic links for all path elements but the
    rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one
(4) local_post_create_passthrough() which calls in turn lchown() and
    chmod(), both functions also following symbolic links

This patch converts local_mkdir() to rely on opendir_nofollow() and
mkdirat() to fix (1), as well as local_set_xattrat(),
local_set_mapped_file_attrat() and local_set_cred_passthrough() to
fix (2), (3) and (4) respectively.

The mapped and mapped-file security modes are supposed to be identical,
except for the place where credentials and file modes are stored. While
here, we also make that explicit by sharing the call to mkdirat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit 3f3a16990b09e62d787bd2eb2dd51aafbe90019a)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9c5cb58970d76a0fe41759c738e14f8bb16cc89d
      https://github.com/qemu/qemu/commit/9c5cb58970d76a0fe41759c738e14f8bb16cc89d
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: open2: don't follow symlinks

The local_open2() callback is vulnerable to symlink attacks because it
calls:

(1) open() which follows symbolic links for all path elements but the
    rightmost one
(2) local_set_xattr()->setxattr() which follows symbolic links for all
    path elements
(3) local_set_mapped_file_attr() which calls in turn local_fopen() and
    mkdir(), both functions following symbolic links for all path
    elements but the rightmost one
(4) local_post_create_passthrough() which calls in turn lchown() and
    chmod(), both functions also following symbolic links

This patch converts local_open2() to rely on opendir_nofollow() and
mkdirat() to fix (1), as well as local_set_xattrat(),
local_set_mapped_file_attrat() and local_set_cred_passthrough() to
fix (2), (3) and (4) respectively. Since local_open2() already opens
a descriptor to the target file, local_set_cred_passthrough() is
modified to reuse it instead of opening a new one.

The mapped and mapped-file security modes are supposed to be identical,
except for the place where credentials and file modes are stored. While
here, we also make that explicit by sharing the call to openat().

This partly fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit a565fea56546e254b7610305b07711f0a3bda0c7)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 05a92c2005956540c379150a7eb99c5ec44fa6f9
      
https://github.com/qemu/qemu/commit/05a92c2005956540c379150a7eb99c5ec44fa6f9
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: local: drop unused code

Now that all the callbacks have been converted to use "at" syscalls, we
can drop this code.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit c23d5f1d5bc0e23aeb845b1af8f996f16783ce98)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 719e6dd1713cca2413214af36c9ef9c0be041810
      
https://github.com/qemu/qemu/commit/719e6dd1713cca2413214af36c9ef9c0be041810
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: fix bogus fd check in local_remove()

This was spotted by Coverity as a fd leak. This is certainly true, but also
local_remove() would always return without doing anything, unless the fd is
zero, which is very unlikely.

(Coverity issue CID1371732)

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
(cherry picked from commit b7361d46e75f12d8d943ca8d33ef82cafce39920)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: bb07a379b5888b378a97d1803d2808fa0388a623
      
https://github.com/qemu/qemu/commit/bb07a379b5888b378a97d1803d2808fa0388a623
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: fix fd leak in local_opendir()

Coverity issue CID1371731

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
(cherry picked from commit faab207f115cf9738f110cb088ab35a4b7aef73a)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 059f751ec27279775f54bac52a2eb35ece6d16cf
      
https://github.com/qemu/qemu/commit/059f751ec27279775f54bac52a2eb35ece6d16cf
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: fail local_statfs() earlier

If we cannot open the given path, we can return right away instead of
passing -1 to fstatfs() and close(). This will make Coverity happy.

(Coverity issue CID1371729)

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
(cherry picked from commit 23da0145cc4be66fdb1033f951dbbf140f457896)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7e9a1c49145d981e6da03d8e0ec16a329c79f2ca
      
https://github.com/qemu/qemu/commit/7e9a1c49145d981e6da03d8e0ec16a329c79f2ca
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c

  Log Message:
  -----------
  9pfs: don't use AT_EMPTY_PATH in local_set_cred_passthrough()

The name argument can never be an empty string, and dirfd always points to
the containing directory of the file name. AT_EMPTY_PATH is hence useless
here. Also, it breaks the build with glibc version 2.13 and older.

It is actually an oversight of a previous tentative patch to implement this
function. We can safely drop it.

Reported-by: Mark Cave-Ayland <address@hidden>
Signed-off-by: Greg Kurz <address@hidden>
Tested-by: Mark Cave-Ayland <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
(cherry picked from commit b314f6a077a1dbc0463a5dc41162f64950048e72)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3731a25a62840e4644c24f223c9940ef0f6430f2
      
https://github.com/qemu/qemu/commit/3731a25a62840e4644c24f223c9940ef0f6430f2
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-util.h

  Log Message:
  -----------
  9pfs: fix O_PATH build break with older glibc versions

When O_PATH is used with O_DIRECTORY, it only acts as an optimization: the
openat() syscall simply finds the name in the VFS, and doesn't trigger the
underlying filesystem.

On systems that don't define O_PATH, because they have glibc version 2.13
or older for example, we can safely omit it. We don't want to deactivate
O_PATH globally though, in case it is used without O_DIRECTORY. This is done
with a dedicated macro.

Systems without O_PATH may thus fail to resolve names that involve
unreadable directories, compared to newer systems succeeding, but such
corner case failure is our only option on those older systems to avoid
the security hole of chasing symlinks inappropriately.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
(added last paragraph to changelog as suggested by Eric Blake)
Signed-off-by: Greg Kurz <address@hidden>

(cherry picked from commit 918112c02aff2bac4cb72dc2feba0cb05305813e)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: a15785cfbd2c58354cb27976b3659b6ac30a9601
      
https://github.com/qemu/qemu/commit/a15785cfbd2c58354cb27976b3659b6ac30a9601
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p-local.c
    M hw/9pfs/9p-util.h

  Log Message:
  -----------
  9pfs: fix vulnerability in openat_dir() and local_unlinkat_common()

We should pass O_NOFOLLOW otherwise openat() will follow symlinks and make
QEMU vulnerable.

While here, we also fix local_unlinkat_common() to use openat_dir() for
the same reasons (it was a leftover in the original patchset actually).

This fixes CVE-2016-9602.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Daniel P. Berrange <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
(cherry picked from commit b003fc0d8aa5e7060dbf7e5862b8013c73857c7f)
Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
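
The three 9pfs commits above (open2 refusing to follow symlinks, the O_PATH fallback for older glibc, and the O_NOFOLLOW fix in openat_dir()) all rely on the same pattern: open each path component relative to the previous directory with O_NOFOLLOW, so that a symlink planted anywhere in the path is rejected instead of being followed out of the exported tree. The following is an added example written for this page, not QEMU's code. The function and macro names (open_dir_nofollow, walk_dir_nofollow, EX_O_PATH_DIR, demo_symlink_rejected) are this example's own, the temporary directory layout it builds under /tmp is constructed, and refusing "." and ".." components is this example's choice.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Same idea as the page's dedicated macro: O_PATH is only an optimisation
 * when combined with O_DIRECTORY, so where the libc does not define it we
 * omit it here rather than disabling it globally. Name is this example's. */
#ifdef O_PATH
#define EX_O_PATH_DIR O_PATH
#else
#define EX_O_PATH_DIR 0
#endif

/* Open one directory component relative to dirfd without following a
 * symlink in that position. Returns a directory fd, or -1 with errno set
 * (ELOOP, or ENOTDIR when O_PATH is in use, if name is a symlink). */
int open_dir_nofollow(int dirfd, const char *name)
{
    return openat(dirfd, name,
                  O_DIRECTORY | O_RDONLY | O_NOFOLLOW | EX_O_PATH_DIR);
}

/* Walk relpath one component at a time, each step starting from the
 * directory opened in the previous step, so a symlink anywhere in the path
 * is rejected. Returns an fd for the final directory, or -1 on error. */
int walk_dir_nofollow(int rootfd, const char *relpath)
{
    char *copy = strdup(relpath);
    char *save = NULL;
    int cur = dup(rootfd);
    if (copy == NULL || cur < 0) {
        free(copy);
        if (cur >= 0) close(cur);
        return -1;
    }
    for (char *comp = strtok_r(copy, "/", &save); comp != NULL;
         comp = strtok_r(NULL, "/", &save)) {
        if (strcmp(comp, ".") == 0 || strcmp(comp, "..") == 0) {
            close(cur);            /* this example refuses escapes outright */
            free(copy);
            errno = EINVAL;
            return -1;
        }
        int next = open_dir_nofollow(cur, comp);
        close(cur);
        if (next < 0) {
            free(copy);
            return -1;
        }
        cur = next;
    }
    free(copy);
    return cur;
}

/* Constructed fixture: root/real/sub plus root/link -> real. Returns 1 when
 * a plain symlink-following openat() accepts "link/sub" but the nofollow
 * walk rejects it while still accepting the honest "real/sub" path. */
int demo_symlink_rejected(void)
{
    char tmpl[] = "/tmp/nofollow-demo-XXXXXX";
    char *root = mkdtemp(tmpl);
    if (root == NULL) return 0;
    int rootfd = open(root, O_DIRECTORY | O_RDONLY);
    int result = 0;
    if (rootfd >= 0 &&
        mkdirat(rootfd, "real", 0700) == 0 &&
        mkdirat(rootfd, "real/sub", 0700) == 0 &&
        symlinkat("real", rootfd, "link") == 0) {
        int following = openat(rootfd, "link/sub", O_DIRECTORY | O_RDONLY);
        int honest = walk_dir_nofollow(rootfd, "real/sub");
        int rejected = walk_dir_nofollow(rootfd, "link/sub");
        result = (following >= 0 && honest >= 0 && rejected < 0) ? 1 : 0;
        if (following >= 0) close(following);
        if (honest >= 0) close(honest);
    }
    if (rootfd >= 0) {                 /* tear the fixture down again */
        unlinkat(rootfd, "link", 0);
        unlinkat(rootfd, "real/sub", AT_REMOVEDIR);
        unlinkat(rootfd, "real", AT_REMOVEDIR);
        close(rootfd);
    }
    rmdir(root);
    return result;
}

int main(void)
{
    printf("symlink in path rejected by nofollow walk: %s\n",
           demo_symlink_rejected() ? "yes" : "no");
    return 0;
}
```

The walk keeps an fd to the directory it last validated and never re-resolves the whole string, which is what closes the window the commits describe: a guest cannot swap a component for a symlink between the check and the open because every open is relative to an already-opened directory. On a libc without O_PATH the same code still refuses symlinks (via ELOOP), it just loses the ability to traverse unreadable directories, as the O_PATH commit's last paragraph notes.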


  Commit: 04cde530be50b7f2c4bc3140c67591489c31de09
      
https://github.com/qemu/qemu/commit/04cde530be50b7f2c4bc3140c67591489c31de09
  Author: Eduardo Habkost <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/core/machine.c

  Log Message:
  -----------
  machine: Convert abstract typename on compat_props to subclass names

Original problem description by Greg Kurz:

> Since commit "9a4c0e220d8a hw/virtio-pci: fix virtio
> behaviour", passing -device virtio-blk-pci.disable-modern=off
> has no effect on 2.6 machine types because the internal
> virtio-pci.disable-modern=on compat property always prevail.

The same bug also affects other abstract type names mentioned on
compat_props by machine-types: apic-common, i386-cpu, pci-device,
powerpc64-cpu, s390-skeys, spapr-pci-host-bridge, usb-device,
virtio-pci, x86_64-cpu.

The right fix for this problem is to make sure compat_props and
-global options are always applied in the order they are
registered, instead of reordering them based on the type
hierarchy. But changing the ordering rules of -global is risky
and might break existing configurations, so we shouldn't do that
on a stable branch.

This is a temporary hack that will work around the bug when
registering compat_props properties: if we find an abstract class
on compat_props, register properties for all its non-abstract
subtypes instead. This will make sure -global won't be overridden
by compat_props, while keeping the existing ordering rules on
-global options.

Note that there's one case that won't be fixed by this hack:
"-global spapr-pci-vfio-host-bridge.<option>=<value>" won't be
able to override compat_props, because spapr-pci-host-bridge is
not an abstract class.

Signed-off-by: Eduardo Habkost <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Reviewed-by: Halil Pasic <address@hidden>
Reviewed-by: Greg Kurz <address@hidden>
Tested-by: Greg Kurz <address@hidden>
Signed-off-by: Eduardo Habkost <address@hidden>
(cherry picked from commit 0bcba41fe379e4c6834adcf1456d9099db31a5b2)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9d14f0cd654735a656bc85763796b97a6aee4c9f
      
https://github.com/qemu/qemu/commit/9d14f0cd654735a656bc85763796b97a6aee4c9f
  Author: Dr. David Alan Gilbert <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/virtio/trace-events
    M hw/virtio/virtio-balloon.c

  Log Message:
  -----------
  balloon: Don't balloon roms

A broken guest can specify physical addresses that correspond
to any memory region, but it shouldn't be able to change ROM.

Signed-off-by: Dr. David Alan Gilbert <address@hidden>
Cc: address@hidden
Acked-by: Paolo Bonzini <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit f2fd57db363e465653efa55102104039b5516759)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 620a65dc44e120b4b3530dfd546434f494c81a44
      
https://github.com/qemu/qemu/commit/620a65dc44e120b4b3530dfd546434f494c81a44
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/pci/pci.c

  Log Message:
  -----------
  pci: fix error message for express slots

A PCI Express downstream slot has a single PCI slot
behind it; using PCI_DEVFN(PCI_SLOT(devfn), 0)
does not give you function 0 in cases such as ARI,
as well as in some error cases.

This is exactly what we are hitting:
   $ qemu-system-x86_64 -machine q35 -readconfig docs/q35-chipset.cfg -monitor stdio
   (qemu) device_add e1000e,bus=ich9-pcie-port-4,addr=00
   (qemu) device_add e1000e,bus=ich9-pcie-port-4,addr=08
   Segmentation fault (core dumped)

The fix is to use the pci_get_function_0 API.

Cc: address@hidden
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reported-by: Eduardo Habkost <address@hidden>
Tested-by: Cao jin <address@hidden>
Tested-by: Eduardo Habkost <address@hidden>
Reviewed-by: Eduardo Habkost <address@hidden>
(cherry picked from commit d93ddfb1f8fb72a7c175a8cf1028c639f769d105)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7830be742a55fc83bc9b74125452e5212ed99da6
      
https://github.com/qemu/qemu/commit/7830be742a55fc83bc9b74125452e5212ed99da6
  Author: Halil Pasic <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: fix vq->inuse recalc after migr

Correct recalculation of vq->inuse after migration for the corner case
where the avail_idx has already wrapped but used_idx not yet.

Also change the type of the VirtQueue.inuse to unsigned int. This is
done to be consistent with other members representing sizes (VRing.num),
and because C99 guarantees max ring size < UINT_MAX but does not
guarantee max ring size < INT_MAX.

Signed-off-by: Halil Pasic <address@hidden>
Fixes: bccdef6b ("virtio: recalculate vq->inuse after migration")
CC: address@hidden
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit e66bcc408146730958d1a840bda85d7ad51e0cd7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: da95bfe06b8afe193a1039adc015bd82438bfad5
      
https://github.com/qemu/qemu/commit/da95bfe06b8afe193a1039adc015bd82438bfad5
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/9pfs/9p.c

  Log Message:
  -----------
  9pfs: fix crash when fsdev is missing

If the user passes -device virtio-9p without the corresponding -fsdev, QEMU
dereferences a NULL pointer and crashes.

This is a 2.8 regression introduced by commit 702dbcc274e2c.

Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Li Qiang <address@hidden>
(cherry picked from commit f2b58c43758efc61e2a49b899f5e58848489d0dc)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 87ede19db3ee8c657cded1a6a376545ffb491094
      
https://github.com/qemu/qemu/commit/87ede19db3ee8c657cded1a6a376545ffb491094
  Author: Igor Mammedov <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/i386/pc.c

  Log Message:
  -----------
  pc: fix crash in rtc_set_memory() if initial cpu is marked as hotplugged

The 'hotplugged' property is meant to be used on the migration side when migrating
a source with hotplugged devices.
However, though it is not exactly correct usage of the 'hotplugged' property,
it's possible to set the generic hotplugged property for a CPU using
 -cpu foo,hotplugged=on
or
 -global foo.hotplugged=on

In this case qemu crashes with the following backtrace:

...

because pc_cpu_plug() assumes that a hotplugged CPU could appear only after
rtc/fw_cfg are initialized.
Fix the crash by replacing the assumption with explicit checks of rtc/fw_cfg
and updating them only if they were initialized.

Cc: address@hidden
Reported-by: Eduardo Habkost <address@hidden>
Reviewed-by: Eduardo Habkost <address@hidden>
Signed-off-by: Igor Mammedov <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 26ef65beab852caf2b1ef4976e3473f2d525164d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: dc659e3aeaec3d195a76c06c0c1089e4a4ab47b1
      
https://github.com/qemu/qemu/commit/dc659e3aeaec3d195a76c06c0c1089e4a4ab47b1
  Author: Hervé Poussineau <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M ui/gtk.c

  Log Message:
  -----------
  ui/gtk: fix crash at startup when no console is available

This patch fixes a segfault at QEMU startup, introduced in
a08156321ab9a7d2fed9ee77dbfeea2a61ffd153.
gd_vc_find_current() returns NULL, which is dereferenced without checking it.

While at it, disable the whole 'View' menu if no console exists.

Reproducer: qemu-system-i386 -M none -nodefaults

Signed-off-by: Hervé Poussineau <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 3d4da9d6f3b664beb5bee446ad53b69178f46ad4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9f6cb916f2f72175bb8c7757662d9f50616fc4c0
      
https://github.com/qemu/qemu/commit/9f6cb916f2f72175bb8c7757662d9f50616fc4c0
  Author: Paolo Bonzini <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/scsi/scsi-disk.c

  Log Message:
  -----------
  scsi-block: fix direction of BYTCHK test for VERIFY commands

The direction is wrong; scsi_block_is_passthrough returns
false for commands that *can* use sglists.

Reported-by: Zhang Qian <address@hidden>
Fixes: 8fdc7839e40f43a426bc7e858cf1dbfe315a3804
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 1f8af0d186abf9ef775a74d41bf2852ed8d59b63)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8a6562592f74e8aafbc9f09392f1209bdfddc05e
      
https://github.com/qemu/qemu/commit/8a6562592f74e8aafbc9f09392f1209bdfddc05e
  Author: Thomas Huth <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M ui/vnc.c

  Log Message:
  -----------
  ui/vnc: Fix problem with sending too many bytes as server name

If the buffer is not big enough, snprintf() does not return the number
of bytes that have been written to the buffer, but the number of bytes
that would be needed for writing the whole string. By using this value
for the following vnc_write() calls, we send some junk at the end of
the name in case the qemu_name is longer than 1017 bytes, which could
confuse the VNC clients. Fix this by adding an additional size check
here.

Buglink: https://bugs.launchpad.net/qemu/+bug/1637447
Signed-off-by: Thomas Huth <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 97efe4f961dcf5a0126baa75e8a6bff66d33186f)
Signed-off-by: Michael Roth <address@hidden>
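
The snprintf() pitfall the VNC commit describes is easy to reproduce in isolation: when the output is truncated, the return value is the length the whole string would have needed, not what landed in the buffer, and a sender that trusts it transmits bytes past the terminating NUL. The following is an added example written for this page, not QEMU's ui/vnc.c code. The buffer size (16 bytes), the "QEMU (%s)" format string, the sample names and the function names (server_name_len_buggy, server_name_len_fixed, overrun_bytes and the wrappers) are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size. The commit mentions names longer than 1017 bytes
 * triggering the bug in the real code; a small buffer makes the truncation
 * case easy to exercise here. */
#define NAME_BUF_SIZE 16

/* Buggy variant: trusts the snprintf() return value as the number of bytes
 * placed in buf. When the formatted string does not fit, snprintf() returns
 * the length the WHOLE string would have needed, so a caller that sends that
 * many bytes from buf transmits junk beyond the terminating NUL. */
size_t server_name_len_buggy(char *buf, size_t bufsize, const char *qemu_name)
{
    int n = snprintf(buf, bufsize, "QEMU (%s)", qemu_name); /* assumed format */
    return n < 0 ? 0 : (size_t)n;
}

/* Fixed variant: clamp the length to what actually fits in buf (the buffer
 * minus the terminating NUL), the additional size check the commit adds. */
size_t server_name_len_fixed(char *buf, size_t bufsize, const char *qemu_name)
{
    int n = snprintf(buf, bufsize, "QEMU (%s)", qemu_name);
    if (n < 0) {
        return 0;
    }
    if ((size_t)n >= bufsize) {
        return bufsize - 1;
    }
    return (size_t)n;
}

/* Wrappers over a local NAME_BUF_SIZE buffer. */
size_t buggy_len_for(const char *qemu_name)
{
    char buf[NAME_BUF_SIZE];
    return server_name_len_buggy(buf, sizeof(buf), qemu_name);
}

size_t fixed_len_for(const char *qemu_name)
{
    char buf[NAME_BUF_SIZE];
    return server_name_len_fixed(buf, sizeof(buf), qemu_name);
}

/* Bytes beyond the formatted text that a sender trusting the buggy length
 * would put on the wire; 0 means the name fit and nothing extra is sent. */
size_t overrun_bytes(const char *qemu_name)
{
    char buf[NAME_BUF_SIZE];
    size_t claimed = server_name_len_buggy(buf, sizeof(buf), qemu_name);
    size_t actual = strlen(buf);
    return claimed > actual ? claimed - actual : 0;
}

int main(void)
{
    /* constructed inputs: one name that fits, one that is truncated */
    const char *names[] = { "vm1", "a-very-long-guest-name" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        printf("%-24s buggy=%2zu fixed=%2zu overrun=%2zu\n", names[i],
               buggy_len_for(names[i]), fixed_len_for(names[i]),
               overrun_bytes(names[i]));
    }
    return 0;
}
```

For "vm1" both variants agree (10 bytes); for the long name the buggy variant claims 29 bytes while only 15 were written, so 14 bytes of whatever sits on the stack after the buffer would follow the name onto the socket. The general rule is the same wherever snprintf() feeds a length into a write: compare the return value against the buffer size before using it.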


  Commit: f47bf0823b5705dee7e5f557b91cb1192d1431ab
      
https://github.com/qemu/qemu/commit/f47bf0823b5705dee7e5f557b91cb1192d1431ab
  Author: Caoxinhua <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M util/qemu-thread-posix.c

  Log Message:
  -----------
  qemu-thread: fix qemu_thread_set_name() race in qemu_thread_create()

QEMU will crash with the following backtrace if the newly created thread exited
before we call qemu_thread_set_name() for it.

  (gdb) bt
  #0 0x00007f9a68b095d7 in __GI_raise (address@hidden) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
  #1 0x00007f9a68b0acc8 in __GI_abort () at abort.c:90
  #2 0x00007f9a69cda389 in PAT_abort () from /usr/lib64/libuvpuserhotfix.so
  #3 0x00007f9a69cdda0d in patchIllInsHandler () from /usr/lib64/libuvpuserhotfix.so
  #4 <signal handler called>
  #5 pthread_setname_np (th=140298470549248, address@hidden "io-task-worker") at ../nptl/sysdeps/unix/sysv/linux/pthread_setname.c:49
  #6 0x00000000007f5f20 in qemu_thread_set_name (address@hidden, address@hidden "io-task-worker") at util/qemu_thread_posix.c:459
  #7 0x00000000007f679e in qemu_thread_create (address@hidden, address@hidden "io-task-worker",address@hidden <qio_task_thread_worker>, address@hidden, address@hidden) at util/qemu_thread_posix.c:498
  #8 0x00000000007c15b6 in qio_task_run_in_thread (address@hidden, address@hidden <qio_channel_socket_connect_worker>, opaque=0x7f99b8003370, destroy=0x7c6220 <qapi_free_SocketAddress>) at io/task.c:133
  #9 0x00000000007bda04 in qio_channel_socket_connect_async (ioc=0x7f99b80014c0, addr=0x37235d0, address@hidden <qemu_chr_socket_connected>, address@hidden, address@hidden) at io/channel_socket.c:191
  #10 0x00000000005487f6 in socket_reconnect_timeout (opaque=0x38118b0) at qemu_char.c:4402
  #11 0x00007f9a6a1533b3 in g_timeout_dispatch () from /usr/lib64/libglib-2.0.so.0
  #12 0x00007f9a6a15299a in g_main_context_dispatch () from /usr/lib64/libglib-2.0.so.0
  #13 0x0000000000747386 in glib_pollfds_poll () at main_loop.c:227
  #14 0x0000000000747424 in os_host_main_loop_wait (timeout=404000000) at main_loop.c:272
  #15 0x0000000000747575 in main_loop_wait (address@hidden) at main_loop.c:520
  #16 0x0000000000557d31 in main_loop () at vl.c:2170
  #17 0x000000000041c8b7 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:5083

Let's detach the new thread after calling qemu_thread_set_name().

Signed-off-by: Caoxinhua <address@hidden>
Signed-off-by: zhanghailiang <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 2f75bd73c319a1224a64a1b5ad680b1a37ed2d7a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d6f119475d3c9c913f9140771895036be66d5c33
      
https://github.com/qemu/qemu/commit/d6f119475d3c9c913f9140771895036be66d5c33
  Author: Gonglei <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/virtio/virtio-crypto.c

  Log Message:
  -----------
  virtio-crypto: fix possible integer and heap overflow

Because the 'size_t' type is 4 bytes on 32-bit platforms, the same as
'int', it's easy to make 'max_len' zero through integer overflow, which
then causes a heap overflow if 'max_len' is zero.

Use uint64_t instead of size_t to avoid the integer overflow.

Cc: address@hidden
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Gonglei <address@hidden>
Tested-by: Li Qiang <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit a08aaff811fb194950f79711d2afe5a892ae03a4)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 662a97d74f9b34cafe9aeb6d96620a97d768a1fa
      
https://github.com/qemu/qemu/commit/662a97d74f9b34cafe9aeb6d96620a97d768a1fa
  Author: Roman Kapl <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M exec.c

  Log Message:
  -----------
  exec: Add missing rcu_read_unlock

rcu_read_unlock was not called if the address_space_access_valid result is
negative.

This caused (at least) a problem when qemu on PPC/E500+TAP failed to terminate
properly and instead got stuck in a deadlock.

Signed-off-by: Roman Kapl <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 5ad4a2b75f85dd854a781a6e03b90320cb3441d3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2ab8276a1cb2bcd0d14d4e05c193252f370b8251
      
https://github.com/qemu/qemu/commit/2ab8276a1cb2bcd0d14d4e05c193252f370b8251
  Author: Bruce Rogers <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  display: cirrus: ignore source pitch value as needed in blit_is_unsafe

Commit 4299b90 added a check which is too broad, given that the source
pitch value is not required to be initialized for solid fill operations.
This patch refines the blit_is_unsafe() check to ignore source pitch in
that case. After applying the above commit as a security patch, we
noticed the SLES 11 SP4 guest gui failed to initialize properly.

Signed-off-by: Bruce Rogers <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 913a87885f589d263e682c2eb6637c6e14538061)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5c60c6ef613969054e6fa77aadf249024abe6e96
      
https://github.com/qemu/qemu/commit/5c60c6ef613969054e6fa77aadf249024abe6e96
  Author: Peter Xu <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/intc/ioapic.c

  Log Message:
  -----------
  x86: ioapic: fix fail migration when irqchip=split

Split irqchip works based on the fact that we keep the first 24 gsi
routing entries inside KVM for the userspace ioapic's use. When the system
boots, we reserve these MSI routing entries beforehand. However,
after migration, we forgot to re-configure them on the destination
side. The result is that we get invalid gsi routing entries after
migration (all empty), and we get interrupts with vector=0, and then
strange things happen, like the keyboard hanging.

The solution is simple - we update them after migration, which is a
one line fix.

Signed-off-by: Peter Xu <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 0f254b1ae04b36e2ab2d91528297ed60d40c8c08)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 6e8052f967cac513db1a00c60fe564f3f3939342
      
https://github.com/qemu/qemu/commit/6e8052f967cac513db1a00c60fe564f3f3939342
  Author: Marc-André Lureau <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M qemu-char.c

  Log Message:
  -----------
  char: fix ctrl-a b not working

CharDriverState.be should be updated to point to the current
associated backend.

Fix the regression introduced in the "mux" chardev from commit
a4afa548fc6dd9842ed86639b4d37d4d1c4ad480.

https://bugs.launchpad.net/bugs/1654137

Signed-off-by: Marc-André Lureau <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit fb5e19d2e1472e96d72d5e4d89c20033f8ab345c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 028fbea47713f909d6ea761a457779a82b276247
      
https://github.com/qemu/qemu/commit/028fbea47713f909d6ea761a457779a82b276247
  Author: Richard Henderson <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M tcg/aarch64/tcg-target.inc.c

  Log Message:
  -----------
  tcg/aarch64: Fix addsub2 for 0+C

When al == xzr, we cannot use addi/subi because that encodes xsp.
Force a zero into the temp register for that (rare) case.

Signed-off-by: Richard Henderson <address@hidden>
Message-Id: <address@hidden>
(cherry picked from commit b1eb20da625897244e9621dabcf63d899deca54d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 50b468d42107a2c646b1c566ed17d9ec362c51c4
      
https://github.com/qemu/qemu/commit/50b468d42107a2c646b1c566ed17d9ec362c51c4
  Author: Richard Henderson <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M tcg/aarch64/tcg-target.inc.c

  Log Message:
  -----------
  tcg/aarch64: Fix tcg_out_movi

There were some patterns, like 0x0000_ffff_ffff_00ff, for which we
would select to begin a multi-insn sequence with MOVN, but would
fail to set the 0x0000 lane back from 0xffff.

Signed-off-by: Richard Henderson <address@hidden>
Message-Id: <address@hidden>
(cherry picked from commit 8cf9a3d3f7a4b95f33e0bda5416b9c93ec887dd3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3b33cba69ce3407866e84280ebd7a651e4425a11
      
https://github.com/qemu/qemu/commit/3b33cba69ce3407866e84280ebd7a651e4425a11
  Author: Daniel P. Berrange <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M include/ui/gtk.h
    M ui/gtk.c

  Log Message:
  -----------
  ui: use evdev keymap when running under wayland

Wayland always uses evdev as its input source, so QEMU
can use the existing evdev keymap data.

Signed-off-by: Daniel P. Berrange <address@hidden>
Tested-by: Stefan Hajnoczi <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit a8ffb372a2202c65f42fdb69891ea68a2f274b55)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a626117f6ae0dfe8089c7fa263c56b105f9fd47d
      
https://github.com/qemu/qemu/commit/a626117f6ae0dfe8089c7fa263c56b105f9fd47d
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: fix up max size checks

Coverity reports that ARRAY_SIZE(elem->out_sg) (and all the others too)
is wrong because elem->out_sg is a pointer.

However, the check is not in the right place and the max_size argument
of virtqueue_map_iovec can be removed.  The check on in_num/out_num
should be moved to qemu_get_virtqueue_element instead, before the call
to virtqueue_alloc_element.

Cc: address@hidden
Reported-by: Paolo Bonzini <address@hidden>
Fixes: 3724650db07057333879484c8bc7d900b5c1bf8e ("virtio: introduce virtqueue_alloc_element")
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
(cherry picked from commit 6bdc21c050a2a7b92cbbd0b2a1f8934e9b5f896f)
* dropped context dep on 8607f5c30
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3fb4b3c371a9c080e7f53d22e6a2202d9982a7c4
      
https://github.com/qemu/qemu/commit/3fb4b3c371a9c080e7f53d22e6a2202d9982a7c4
  Author: Peter Lieven <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M block/iscsi.c

  Log Message:
  -----------
  block/iscsi: avoid data corruption with cache=writeback

nb_cls_shrunk in iscsi_allocmap_update can become -1 if the
request starts and ends within the same cluster. This results
in passing -1 to bitmap_set and bitmap_clear and they don't
handle negative values properly. In the end this leads to data
corruption.

Fixes: e1123a3b40a1a9a625a29c8ed4debb7e206ea690
Cc: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Fam Zheng <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 1da45e0c4cf4719fa75898d019e0874b9b2bc774)
Signed-off-by: Michael Roth <address@hidden>
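
The iscsi commit's failure mode, a cluster count that goes to -1 when a request starts and ends inside one cluster, comes from "last fully covered cluster minus first fully covered cluster" being computed as a signed difference with no lower bound. The following is an added example written for this page, not QEMU's block/iscsi.c code: it reconstructs the arithmetic in a naive and a clamped form and applies the clamped one to a constructed one-byte-per-cluster allocation map. The cluster size (4096), map size (8 clusters) and the function names (shrunk_count_naive, shrunk_count_clamped, allocmap_clear_range and the helpers) are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed allocation map: one byte per cluster, 1 = allocated. The real
 * driver keeps a bitmap; a byte array keeps the example readable. */
#define MAP_CLUSTERS 8
#define CLUSTER_SIZE 4096u

/* Naive arithmetic (this example's reconstruction of the bug, not QEMU's
 * code): first cluster fully inside the range is rounded up, last one is
 * rounded down, and the difference is taken as a signed count. A request
 * that starts and ends inside a single cluster yields -1. */
int64_t shrunk_count_naive(uint64_t offset, uint64_t bytes, uint64_t cluster_size)
{
    uint64_t cl_first = (offset + cluster_size - 1) / cluster_size; /* round up   */
    uint64_t cl_end = (offset + bytes) / cluster_size;              /* round down */
    return (int64_t)cl_end - (int64_t)cl_first;
}

/* Clamped variant: number of clusters fully covered by the request, never
 * negative. Writes the index of the first such cluster to *first. */
uint64_t shrunk_count_clamped(uint64_t offset, uint64_t bytes,
                              uint64_t cluster_size, uint64_t *first)
{
    uint64_t cl_first = (offset + cluster_size - 1) / cluster_size;
    uint64_t cl_end = (offset + bytes) / cluster_size;
    *first = cl_first;
    return cl_end > cl_first ? cl_end - cl_first : 0;
}

/* Mark the clusters fully covered by [offset, offset+bytes) as unallocated
 * and return how many map entries were cleared. Partially covered clusters
 * stay allocated because data outside the request still lives in them. */
uint64_t allocmap_clear_range(uint8_t *map, uint64_t map_len,
                              uint64_t offset, uint64_t bytes)
{
    uint64_t first;
    uint64_t n = shrunk_count_clamped(offset, bytes, CLUSTER_SIZE, &first);
    if (n == 0 || first >= map_len) {
        return 0;
    }
    if (n > map_len - first) {       /* also bound the count by the map */
        n = map_len - first;
    }
    memset(map + first, 0, (size_t)n);
    return n;
}

/* Helpers over a fresh, fully allocated map of MAP_CLUSTERS entries. */
uint64_t clear_on_fresh_map(uint64_t offset, uint64_t bytes)
{
    uint8_t map[MAP_CLUSTERS];
    memset(map, 1, sizeof(map));
    return allocmap_clear_range(map, MAP_CLUSTERS, offset, bytes);
}

uint64_t remaining_allocated(uint64_t offset, uint64_t bytes)
{
    uint8_t map[MAP_CLUSTERS];
    memset(map, 1, sizeof(map));
    allocmap_clear_range(map, MAP_CLUSTERS, offset, bytes);
    uint64_t left = 0;
    for (size_t i = 0; i < MAP_CLUSTERS; i++) {
        left += map[i];
    }
    return left;
}

int main(void)
{
    /* constructed requests: inside one cluster, cluster aligned, unaligned */
    uint64_t reqs[][2] = { {4196, 200}, {4096, 8192}, {100, 8192} };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        printf("offset=%llu bytes=%llu naive=%lld cleared=%llu\n",
               (unsigned long long)reqs[i][0], (unsigned long long)reqs[i][1],
               (long long)shrunk_count_naive(reqs[i][0], reqs[i][1], CLUSTER_SIZE),
               (unsigned long long)clear_on_fresh_map(reqs[i][0], reqs[i][1]));
    }
    return 0;
}
```

The request at offset 4196 of 200 bytes gives -1 from the naive form and 0 from the clamped one, which is the case the commit fixes; bounding the count by the map length in allocmap_clear_range is the extra check a bitmap helper that does not validate its arguments makes necessary.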


  Commit: 5fb07a7b6ca07580f5c2bf98e933128f7bf1fcbd
      
https://github.com/qemu/qemu/commit/5fb07a7b6ca07580f5c2bf98e933128f7bf1fcbd
  Author: Christian Borntraeger <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M target-s390x/kvm.c

  Log Message:
  -----------
  s390x/kvm: fix cmma reset for KVM

We must reset the CMMA states for normal memory (when not on mem path),
but the current code does the opposite. This was unnoticed for some time
as the kernel since 4.6 also had a bug which mostly disabled the paging
optimizations.

Fixes: 07059effd14e ("s390x/kvm: let the CPU model control CMM(A)")
Cc: address@hidden # v2.8
Signed-off-by: Christian Borntraeger <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit 0cf4d747cb8d053e6a6161aadfd3531fa1a62be1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f054cead44cef75d330cfba39aa0c46be483813d
      
https://github.com/qemu/qemu/commit/f054cead44cef75d330cfba39aa0c46be483813d
  Author: Li Qiang <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  cirrus: fix oob access issue (CVE-2017-2615)

When doing a bitblt copy in backward mode, we should subtract the
blt width first, just like the addition in forward mode. This
can avoid the oob access at the front of the VGA's vram.

Signed-off-by: Li Qiang <address@hidden>

[ kraxel: with backward blits (negative pitch) addr is the topmost
    address, so check it as-is against vram size ]

Cc: address@hidden
Cc: P J P <address@hidden>
Cc: Laszlo Ersek <address@hidden>
Cc: Paolo Bonzini <address@hidden>
Cc: Wolfgang Bumiller <address@hidden>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
Reviewed-by: Laszlo Ersek <address@hidden>
(cherry picked from commit 62d4c6bd5263bb8413a06c80144fc678df6dfb64)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d8dea6fbcbed177ca5d23ab77b3834a9437f0e88
      
https://github.com/qemu/qemu/commit/d8dea6fbcbed177ca5d23ab77b3834a9437f0e88
  Author: Paolo Bonzini <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M cpu-exec.c
    M include/exec/exec-all.h

  Log Message:
  -----------
  cpu-exec: fix icount out-of-bounds access

When icount is active, tb_add_jump is surprisingly called with an
out of bounds basic block index.  I have no idea how that can work,
but it does not seem like a good idea.  Clear *last_tb for all
TB_EXIT_ICOUNT_EXPIRED cases, even when all you have to do is
refill icount_extra.

Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 43d70ddf9f96b3ad037abe4d5f9f2768196b8c92)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d2b9063eb8f39fef8bce90c99a85008baa3bf1d6
      
https://github.com/qemu/qemu/commit/d2b9063eb8f39fef8bce90c99a85008baa3bf1d6
  Author: Ladi Prosek <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/ide/ahci.c

  Log Message:
  -----------
  ahci: advertise HOST_CAP_64

The AHCI emulation code supports 64-bit addressing and should advertise this
fact in the Host Capabilities register. Both Linux and Windows drivers test
this bit to decide if the upper 32 bits of various registers may be written
to, and at least some versions of Windows have a bug where DMA is attempted
with an address above 4GB but, in the absence of HOST_CAP_64, the upper 32
bits are left uninitialized which leads to a memory corruption.

[Maintainer edit:

This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1411105,
which affects Windows Server 2008 SP2 in some cases.]

Signed-off-by: Ladi Prosek <address@hidden>
Message-id: address@hidden
[Amended commit message --js]
Signed-off-by: John Snow <address@hidden>

(cherry picked from commit 98cb5dccb192b0082626080890dac413473573c6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5e40f283e5a9cc2f39ae7a5bbb1ec122d346d50a
      
https://github.com/qemu/qemu/commit/5e40f283e5a9cc2f39ae7a5bbb1ec122d346d50a
  Author: David Hildenbrand <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M linux-user/main.c

  Log Message:
  -----------
  target/s390x: use "qemu" cpu model in user mode

"any" does not exist, therefore resulting in a misleading error message.

Reported-by: Stefan Weil <address@hidden>
Signed-off-by: David Hildenbrand <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Stefan Weil <address@hidden>
Reviewed-by: Alexander Graf <address@hidden>
Cc: address@hidden
(cherry picked from commit d8923bc75479cd3fdcc72b7647f4877f91950b01)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5f4b9013e66433e68b9f401a33e76b745f6fe7dd
      
https://github.com/qemu/qemu/commit/5f4b9013e66433e68b9f401a33e76b745f6fe7dd
  Author: Christian Borntraeger <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/s390x/s390-virtio.c

  Log Message:
  -----------
  s390x/kvm: fix small race reboot vs. cmma

Right now we reset all devices before we reset the cmma states.  This
can result in the host kernel discarding guest pages that were
previously in the unused state but already contain a bios or a -kernel
file before the cmma reset has finished.  This race results in random
guest crashes or hangs during very early reboot.

Fixes: 1cd4e0f6f0a6 ("s390x/cmma: clean up cmma reset")
Cc: address@hidden
Signed-off-by: Christian Borntraeger <address@hidden>
(cherry picked from commit 1a0e4c8b02ea510508970c333ee610a90b921cbb)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 44d24c7b4a6eb9592f5611ee194e784df66705f1
      
https://github.com/qemu/qemu/commit/44d24c7b4a6eb9592f5611ee194e784df66705f1
  Author: Peter Lieven <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M block/nfs.c

  Log Message:
  -----------
  block/nfs: fix NULL pointer dereference in URI parsing

parse_uint_full wants to put the parsed value into the
variable passed via its second argument which is NULL.

Fixes: 94d6a7a76e9df9919629428f6c598e2b97d9426c
Cc: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Message-id: address@hidden
Signed-off-by: Max Reitz <address@hidden>
(cherry picked from commit 8d20abe87afa735cd0ae6688bd105c7a27390343)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3b8f27fe0b9cd2f2603c45dd8cb720eed85b3f08
      
https://github.com/qemu/qemu/commit/3b8f27fe0b9cd2f2603c45dd8cb720eed85b3f08
  Author: Peter Lieven <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M block/nfs.c

  Log Message:
  -----------
  block/nfs: fix naming of runtime opts

commit 94d6a7a accidentally left the naming of runtime opts and QAPI
scheme inconsistent. As one consequence passing of parameters in the
URI is broken. Sync the naming of the runtime opts to the QAPI
scheme.

Please note that this is technically backwards incompatible with the 2.8
release, but the 2.8 release is the only version that had the wrong naming.
Furthermore release 2.8 suffered from a NULL pointer dereference during
URI parsing.

Fixes: 94d6a7a76e9df9919629428f6c598e2b97d9426c
Cc: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Message-id: address@hidden
[mreitz: Fixed commit message]
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Max Reitz <address@hidden>

(cherry picked from commit f67409a5bb43ebe74401fa8e187267eb0f139293)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 1a156ae5d1fa2b8117e5e0a2bd73e21480df9bdb
      
https://github.com/qemu/qemu/commit/1a156ae5d1fa2b8117e5e0a2bd73e21480df9bdb
  Author: Prasad J Pandit <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/sd/sdhci.c

  Log Message:
  -----------
  sd: sdhci: check data length during dma_memory_read

While doing multi block SDMA transfer in routine
'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
index 'begin' and data length 's->data_count' could end up to be same.
This could lead to an OOB access issue. Correct transfer data length
to avoid it.

Cc: address@hidden
Reported-by: Jiang Xin <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 42922105beb14c2fc58185ea022b9f72fb5465e9)
Signed-off-by: Michael Roth <address@hidden>


  Commit: adf2c47aa2b5b6891db5f22751180f8501bdf6d2
      
https://github.com/qemu/qemu/commit/adf2c47aa2b5b6891db5f22751180f8501bdf6d2
  Author: Michael Tokarev <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M ui/vnc.c

  Log Message:
  -----------
  vnc: do not disconnect on EAGAIN

When qemu vnc server is trying to send large update to clients,
there might be a situation when system responds with something
like EAGAIN, indicating that there's no system memory to send
that much data (depending on the network speed, client and server
and what is happening).  In this case, something like this happens
on qemu side (from strace):

sendmsg(16, {msg_name(0)=NULL,
  msg_iov(1)=[{"\244\"..., 729186}],
  msg_controllen=0, msg_flags=0}, 0) = 103950
sendmsg(16, {msg_name(0)=NULL,
  msg_iov(1)=[{"lz\346"..., 1559618}],
  msg_controllen=0, msg_flags=0}, 0) = -1 EAGAIN
sendmsg(-1, {msg_name(0)=NULL,
  msg_iov(1)=[{"lz\346"..., 1559618}],
  msg_controllen=0, msg_flags=0}, 0) = -1 EBADF

qemu closes the socket before the retry, and obviously it gets EBADF
when trying to send to -1.

This is because there WAS a special handling for EAGAIN, but now it doesn't
work anymore, after commit 04d2529da27db512dcbd5e99d0e26d333f16efcc, because
now in all error-like cases we initiate vnc disconnect.

This change was introduced in qemu 2.6, and caused much grief for many
people, resulting in their vnc clients reporting sporadic random disconnects
from vnc server.

Fix that by doing the disconnect only when necessary, i.e. omitting this
very case of EAGAIN.

Hopefully the existing condition (comparing with QIO_CHANNEL_ERR_BLOCK)
is sufficient, as the original code (before the above commit) was
checking for other errno values too.

Apparently there's another (semi?)bug somewhere here, since the
code tries to write to fd# -1; it probably should check if the connection
is open beforehand. But this isn't important.

Signed-off-by: Michael Tokarev <address@hidden>
Reviewed-by: Daniel P. Berrange <address@hidden>
Message-id: address@hidden
Fixes: 04d2529da27db512dcbd5e99d0e26d333f16efcc
Cc: Daniel P. Berrange <address@hidden>
Cc: Gerd Hoffmann <address@hidden>
Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 537848ee62195fc06c328b1cd64f4218f404a7f1)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 1d1d9226d898b5394906e2e9f124b4d5abe6f02f
      
https://github.com/qemu/qemu/commit/1d1d9226d898b5394906e2e9f124b4d5abe6f02f
  Author: Sam Bobroff <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M linux-user/main.c

  Log Message:
  -----------
  target-ppc, tcg: fix usermode segfault with pthread_create()

Programs run under qemu-ppc64 on an x86_64 host currently segfault
if they use pthread_create() due to the adjustment made to the NIP in
commit bd6fefe71cec5a0c7d2be4ac96307f25db56abf9.

This patch changes cpu_loop() to set the NIP back to the
pre-incremented value before calling do_syscall(), which causes the
correct address to be used for the new thread and corrects the fault.

Signed-off-by: Sam Bobroff <address@hidden>
Reviewed-by: Laurent Vivier <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: David Gibson <address@hidden>
(cherry picked from commit 2635531f2006bfb0f943ad25b41e176709b79b37)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8ac427cdd0bdb68c159d6cd4463cb59b9e45d92a
      
https://github.com/qemu/qemu/commit/8ac427cdd0bdb68c159d6cd4463cb59b9e45d92a
  Author: QingFeng Hao <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M block/vmdk.c

  Log Message:
  -----------
  block/vmdk: Fix the endian problem of buf_len and lba

The problem was triggered by qemu-iotests case 055. It failed when it
was comparing the compressed vmdk image with original test.img.

The cause is that buf_len in vmdk_write_extent wasn't converted to
little-endian before it was stored to disk. But later vmdk_read_extent
read it and converted it from little-endian to cpu endian.
If the cpu is big-endian like s390, the problem will happen and
the data length read by vmdk_read_extent will become invalid!
The fix is to add the conversion in vmdk_write_extent, meanwhile,
repair the endianness problem of lba field which shall also be converted
to little-endian before storing to disk.

Cc: address@hidden
Signed-off-by: QingFeng Hao <address@hidden>
Signed-off-by: Jing Liu <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
Reviewed-by: Fam Zheng <address@hidden>
Message-id: address@hidden
Signed-off-by: Max Reitz <address@hidden>
(cherry picked from commit 4545d4f4af8b29ba3b38dfb74d6f45342e15a62d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: f61f76cb3ff9fea6ecbcb9696ed82b3e2c5b7364
      
https://github.com/qemu/qemu/commit/f61f76cb3ff9fea6ecbcb9696ed82b3e2c5b7364
  Author: Richard Henderson <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M target-sparc/translate.c

  Log Message:
  -----------
  target/sparc: Restore ldstub of odd asis

Fixes the booting of ss20 roms.

Cc: address@hidden
Reported-by: Michael Russo <address@hidden>
Tested-by: Mark Cave-Ayland <address@hidden>
Signed-off-by: Richard Henderson <address@hidden>
(cherry picked from commit 3db010c3398d03646d74f2d36a68e62539342e6c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 270a46ea0d50bbb24aafaa92cbd35a01fad48ec3
      
https://github.com/qemu/qemu/commit/270a46ea0d50bbb24aafaa92cbd35a01fad48ec3
  Author: Pavel Dovgalyuk <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/intc/apic_common.c

  Log Message:
  -----------
  apic: reset apic_delivered global variable on machine reset

This patch adds call to apic_reset_irq_delivered when the virtual
machine is reset.

Signed-off-by: Pavel Dovgalyuk <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit f65e821262029ee30c6b228e80ddeb86acdf7ff0)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 823fb688ebc52a7d79c1308acb28c92b56820167
      
https://github.com/qemu/qemu/commit/823fb688ebc52a7d79c1308acb28c92b56820167
  Author: Paolo Bonzini <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M cpu-exec.c
    M target-i386/cpu.h
    M target-i386/excp_helper.c
    M target-i386/helper.h
    M target-i386/misc_helper.c
    M target-i386/seg_helper.c
    M target-i386/svm_helper.c

  Log Message:
  -----------
  target-i386: correctly propagate retaddr into SVM helpers

Commit 2afbdf8 ("target-i386: exception handling for memory helpers",
2015-09-15) changed tlb_fill's cpu_restore_state+raise_exception_err
to raise_exception_err_ra.  After this change, the cpu_restore_state
and raise_exception_err's cpu_loop_exit are merged into
raise_exception_err_ra's cpu_loop_exit_restore.

This actually fixed some bugs, but when SVM is enabled there is a
second path from raise_exception_err_ra to cpu_loop_exit.  This is
the VMEXIT path, and now cpu_vmexit is called without a
cpu_restore_state before.

The fix is to pass the retaddr to cpu_vmexit (via
cpu_svm_check_intercept_param).  All helpers can now use GETPC() to pass
the correct retaddr, too.

Cc: address@hidden
Fixes: 2afbdf84807d673eb682cb78158e11cdacbf4673
Reported-by: Alexander Boettcher <address@hidden>
Tested-by: Alexander Boettcher <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 65c9d60a3ad3249784348824eca69acac455bc02)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d5506b31281ce3e89b76aa64ec9295db0691babc
      
https://github.com/qemu/qemu/commit/d5506b31281ce3e89b76aa64ec9295db0691babc
  Author: Peter Lieven <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M qga/commands-posix.c

  Log Message:
  -----------
  qga: ignore EBUSY when freezing a filesystem

The current implementation fails if we try to freeze an
already frozen filesystem. This can happen if a filesystem
is mounted more than once (e.g. with a bind mount).

Suggested-by: Christian Theune <address@hidden>
Cc: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Reviewed-by: Paolo Bonzini <address@hidden>
Signed-off-by: Michael Roth <address@hidden>
(cherry picked from commit ce2eb6c4a044d809caf4dc4e08aed77678f9760e)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5e4641777c3cb06206127419ce7617aeff2327f4
      
https://github.com/qemu/qemu/commit/5e4641777c3cb06206127419ce7617aeff2327f4
  Author: Eric Blake <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hmp.c

  Log Message:
  -----------
  hmp: fix block_set_io_throttle

Commit 7a9877a made the 'device' parameter to BlockIOThrottle
optional, favoring 'id' instead.  But it forgot to update the
HMP usage to set has_device, which makes all attempts to change
throttling via HMP fail with "Need exactly one of 'device' and 'id'".

CC: address@hidden
Signed-off-by: Eric Blake <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
Signed-off-by: Dr. David Alan Gilbert <address@hidden>
(cherry picked from commit 3f35c3b166c18043596768448e5d91b5d52f8353)
Signed-off-by: Michael Roth <address@hidden>


  Commit: fc8e94c3e5e74437c4e73a5582f17cfd4cae5ccf
      
https://github.com/qemu/qemu/commit/fc8e94c3e5e74437c4e73a5582f17cfd4cae5ccf
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo (CVE-2017-2620)

CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all.  Oops.  Fix it.

Security impact: high.

The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.

Cc: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 92f2b88cea48c6aeba8de568a45f2ed958f3c298)
Signed-off-by: Michael Roth <address@hidden>


  Commit: bddf2232fc3fae26ee070280aa19595f8a437b6e
      
https://github.com/qemu/qemu/commit/bddf2232fc3fae26ee070280aa19595f8a437b6e
  Author: Dmitry Fleytman <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M include/net/eth.h
    M net/eth.c

  Log Message:
  -----------
  eth: Extend vlan stripping functions

Make VLAN stripping functions return number of bytes
copied to given Ethernet header buffer.

This information should be used to re-compose
packet IOV after VLAN stripping.

Cc: address@hidden
Signed-off-by: Dmitry Fleytman <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit 566342c3125ac2e73abd36c650222318164517ed)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7cfd9c114bdc39a9b94fb7a42058e421edd1d285
      
https://github.com/qemu/qemu/commit/7cfd9c114bdc39a9b94fb7a42058e421edd1d285
  Author: Dmitry Fleytman <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/net/net_rx_pkt.c

  Log Message:
  -----------
  NetRxPkt: Fix memory corruption on VLAN header stripping

This patch fixes a problem that was introduced in commit eb700029.

When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
this can result in pkt->ehdr_buf being overflowed, because
ehdr_buf is only sizeof(struct eth_header) bytes large
but eth_strip_vlan() can write
sizeof(struct eth_header) + sizeof(struct vlan_header)
bytes into it.

Devices affected by this problem: vmxnet3.

Cc: address@hidden
Reported-by: Peter Maydell <address@hidden>
Signed-off-by: Dmitry Fleytman <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit df8bf7a7fe75eb5d5caffa55f5cd4292b757aea6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 15ad066065f54e3e0d095d3ffa1d2216dd941048
      
https://github.com/qemu/qemu/commit/15ad066065f54e3e0d095d3ffa1d2216dd941048
  Author: Dmitry Fleytman <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/net/net_rx_pkt.c

  Log Message:
  -----------
  NetRxPkt: Do not try to pull more data than present

In case of VLAN stripping, the ETH header is put into a
separate buffer, therefore the amount of data copied
from the original IOV should be smaller.

Cc: address@hidden
Signed-off-by: Dmitry Fleytman <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit d5e772146d2bbc92e5126c145eddef3b2843d026)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9ad26963bf7a55784e1f2407bf2bc3d25f843a4d
      
https://github.com/qemu/qemu/commit/9ad26963bf7a55784e1f2407bf2bc3d25f843a4d
  Author: Dmitry Fleytman <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/net/net_rx_pkt.c

  Log Message:
  -----------
  NetRxPkt: Account buffer with ETH header in IOV length

In case of VLAN stripping the ETH header is stored in a
separate chunk and the length of the IOV should take this into
account.

This patch fixes checksum validation for RX packets
with VLAN header.

Devices affected by this problem: e1000e and vmxnet3.

Cc: address@hidden
Signed-off-by: Dmitry Fleytman <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit c5d083c561a4f5297cc2e44a2f3cef3324d77a88)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 495756ef9d4b3a54b1b41928f210d9b217c8a923
      
https://github.com/qemu/qemu/commit/495756ef9d4b3a54b1b41928f210d9b217c8a923
  Author: Paolo Bonzini <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/net/e1000e.c

  Log Message:
  -----------
  e1000e: correctly tear down MSI-X memory regions

MSI-X has been disabled by the time the e1000e device is unrealized, hence
msix_uninit is never called.  This causes the object to be leaked, which
shows up as a RAMBlock with empty name when attempting migration.

Reported-by: Dr. David Alan Gilbert <address@hidden>
Cc: Jason Wang <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
Tested-by: Laurent Vivier <address@hidden>
Signed-off-by: Jason Wang <address@hidden>
(cherry picked from commit 7ec7ae4b973d1471f6f39fc2b6481f69c2b39593)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ba9c51d225d9f43714193ed700a6ac5d4949ff0a
      
https://github.com/qemu/qemu/commit/ba9c51d225d9f43714193ed700a6ac5d4949ff0a
  Author: Li Qiang <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/scsi/mptsas.c

  Log Message:
  -----------
  scsi: mptsas: fix the wrong reading size in fetch request

When fetching request, it should read sizeof(*hdr), not the
pointer hdr.

Signed-off-by: Li Qiang <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit b01a2d07c963e96dbd151f0db1eaa06f273acf34)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 9e9483dea908cab6f07d1324eff2756d0970bae1
      
https://github.com/qemu/qemu/commit/9e9483dea908cab6f07d1324eff2756d0970bae1
  Author: Jason Wang <address@hidden>
  Date:   2017-03-16 (Thu, 16 Mar 2017)

  Changed paths:
    M hw/virtio/virtio-pci.c

  Log Message:
  -----------
  virtio-pci: reset modern vq meta data

We don't reset proxy->vqs[].{num|desc[]|avail[]|used[]}. This means if
a driver enables the vq without setting the vq address after reset, the old
addresses are leaked. Fix this by resetting modern vq meta data
during device reset.

Cc: address@hidden
Signed-off-by: Jason Wang <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 60a8d8023473dd24957b3a66824f66cd35b80d64)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 34e9c09d03185256d699803d5cb6bfb22872b510
      
https://github.com/qemu/qemu/commit/34e9c09d03185256d699803d5cb6bfb22872b510
  Author: Dong Jia Shi <address@hidden>
  Date:   2017-03-20 (Mon, 20 Mar 2017)

  Changed paths:
    M hw/s390x/css.c

  Log Message:
  -----------
  s390x/css: reassign subchannel if schid is changed after migration

The subchannel is a means to access a device. While the device number is
assigned by the administrator, the subchannel number is assigned by
the channel subsystem in an ascending order on cold and hot plug.
When doing unplug and replug operations, the same device may end up on
a different subchannel; for example

- We start with a device fe.1.2222, which ends up at subchannel
  fe.1.0000.
- Now we detach the device, attach a device fe.1.3333 (which would get
  the now-free subchannel fe.1.0000), re-attach fe.1.2222 (which ends
  up at subchannel fe.1.0001) and detach fe.1.3333.
- We now have the same device (fe.1.2222) available to the guest; it
  just shows up on a different subchannel.

In such a case, the subchannel numbers are different from what
QEMU would create during cold plug when parsing the command line.

As this would cause a guest visible change on migration, we do restore
the source system's value of the subchannel number on load.

So we are now fine from the guest perspective. From the host
perspective this will cause an inconsistent state in our internal data
structures, though.

For example, the subchannel 0 might not be at array position 0. This will
lead to problems when we continue doing hot (un/re) plug operations.

Let's fix this by cleaning up our internal data structures.

Reported-by: Cornelia Huck <address@hidden>
Signed-off-by: Dong Jia Shi <address@hidden>
Cc: address@hidden
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit 3c788ebc6f6eef5ac6e9cb4a28c578abcf08247d)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a3aeb9f09de2d78fa5077b6e8a66d73b7c045a0c
      
https://github.com/qemu/qemu/commit/a3aeb9f09de2d78fa5077b6e8a66d73b7c045a0c
  Author: Peter Lieven <address@hidden>
  Date:   2017-03-20 (Mon, 20 Mar 2017)

  Changed paths:
    M thread-pool.c

  Log Message:
  -----------
  thread-pool: add missing qemu_bh_cancel in completion function

commit 3c80ca15 fixed a deadlock scenario with nested aio_poll invocations.

However, the rescheduling of the completion BH introduced unnecessary spinning
in the main-loop. On very fast file backends this can even lead to the
"WARNING: I/O thread spun for 1000 iterations" message popping up.

Callgrind reports about 3-4% less instructions with this patch running
qemu-img bench on a ramdisk based VMDK file.

Fixes: 3c80ca158c96ff902a30883a8933e755988948b1
Cc: address@hidden
Signed-off-by: Peter Lieven <address@hidden>
Signed-off-by: Kevin Wolf <address@hidden>
(cherry picked from commit b7a745dc33a18377bb4a8dfe54d1df01ea60bf66)
* drop context dep on b9e413d
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8029d55a9362cbf6e210c9a33f62f5f30136ff50
      
https://github.com/qemu/qemu/commit/8029d55a9362cbf6e210c9a33f62f5f30136ff50
  Author: Vladimir Sementsov-Ogievskiy <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M nbd/client.c

  Log Message:
  -----------
  nbd/client: fix drop_sync [CVE-2017-2630]

Comparison symbol is misused. It may lead to memory corruption.
Introduced in commit 7d3123e.

Signed-off-by: Vladimir Sementsov-Ogievskiy <address@hidden>
Message-Id: <address@hidden>
[eblake: add CVE details, update conditional]
Signed-off-by: Eric Blake <address@hidden>
Reviewed-by: Marc-André Lureau <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>

(cherry picked from commit 2563c9c6b8670400c48e562034b321a7cf3d9a85)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 4bcb497c7e762f6828d7cb3aa1f6f578ffe1d415
      
https://github.com/qemu/qemu/commit/4bcb497c7e762f6828d7cb3aa1f6f578ffe1d415
  Author: Richard Henderson <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M linux-user/host/s390x/safe-syscall.inc.S

  Log Message:
  -----------
  linux-user: Fix s390x safe-syscall for z900

The LT instruction was added in the extended immediate facility
introduced with the z9-109 processor.

Cc: Riku Voipio <address@hidden>
Reported-by: Michael Tokarev <address@hidden>
Fixes: c9bc3437a905b660561a26cd4ecc64579843267b
Suggested-by: Aurelien Jarno <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Signed-off-by: Richard Henderson <address@hidden>
Signed-off-by: Riku Voipio <address@hidden>
(cherry picked from commit 6cde51769e75d41cade0a5b3755da0c20a96309a)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 74b13f92c2428abae41a61c46a5cf47545da5fcb
      
https://github.com/qemu/qemu/commit/74b13f92c2428abae41a61c46a5cf47545da5fcb
  Author: Richard Henderson <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M target-arm/translate-a64.c

  Log Message:
  -----------
  target-arm: Fix aarch64 disas_ldst_single_struct

We add s->be_data within do_vec_ld/st.  Adding it here means that
we have the wrong bits set in SIZE for a big-endian host, leading
to g_assert_not_reached in write_vec_element and read_vec_element.

Signed-off-by: Richard Henderson <address@hidden>
Message-id: address@hidden
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 0a97c40f8e7172ac3d8db97fb22d0ef3025de307)
Signed-off-by: Michael Roth <address@hidden>


  Commit: d437262fa8edd0d9fbe038a515dda3dbf7c5bb54
      
https://github.com/qemu/qemu/commit/d437262fa8edd0d9fbe038a515dda3dbf7c5bb54
  Author: Richard Henderson <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M target-arm/translate-a64.c

  Log Message:
  -----------
  target-arm: Fix aarch64 vec_reg_offset

Since CPUARMState.vfp.regs is not 16 byte aligned, the ^ 8 fixup used
for a big-endian host doesn't do what's intended.  Fix this by adding
in the vfp.regs offset after computing the inter-register offset.

Signed-off-by: Richard Henderson <address@hidden>
Message-id: address@hidden
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 416d72b97b01d6cb769ad0fd0e10614583354a45)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7f515a96ab191f4eff0983a1c2a27a7a4d54eff8
      
https://github.com/qemu/qemu/commit/7f515a96ab191f4eff0983a1c2a27a7a4d54eff8
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M hw/9pfs/9p.c

  Log Message:
  -----------
  9pfs: fix off-by-one error in PDU free list

The server can handle MAX_REQ - 1 PDUs at a time and the virtio-9p
device has a MAX_REQ sized virtqueue. If the client manages to fill
up the virtqueue, pdu_alloc() will fail and the request won't be
processed without any notice to the client (it actually causes the
linux 9p client to hang).

This has been there since the beginning (commit 9f10751365b2 "virtio-9p:
Add a virtio 9p device to qemu"), but it needs an aggressive workload to
run in the guest to show up.

We actually allocate MAX_REQ PDUs and I see no reason not to link them
all into the free list, so let's fix the init loop.

Reported-by: Tuomas Tynkkynen <address@hidden>
Suggested-by: Al Viro <address@hidden>
Signed-off-by: Greg Kurz <address@hidden>
(cherry picked from commit 0d78289c3dca3de8e614a551a3d4a9415168ace0)

Conflicts:
        hw/9pfs/9p.c

* drop context dep on 583f21f8

Signed-off-by: Greg Kurz <address@hidden>
Signed-off-by: Michael Roth <address@hidden>


  Commit: 1a184c3af31705312f4b464dadb5df2c8a98a899
      
https://github.com/qemu/qemu/commit/1a184c3af31705312f4b464dadb5df2c8a98a899
  Author: Greg Kurz <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M hw/9pfs/9p.c

  Log Message:
  -----------
  9pfs: don't try to flush self and avoid QEMU hang on reset

According to the 9P spec [*], when a client wants to cancel a pending I/O
request identified by a given tag (uint16), it must send a Tflush message
and wait for the server to respond with a Rflush message before reusing this
tag for another I/O. The server may still send a completion message for the
I/O if it wasn't actually cancelled but the Rflush message must arrive after
that.

QEMU hence waits for the flushed PDU to complete before sending the Rflush
message back to the client.

If a client sends 'Tflush tag oldtag' and tag == oldtag, QEMU will then
allocate a PDU identified by tag, find it in the PDU list and wait for
this same PDU to complete... i.e. wait for a completion that will never
happen. This causes a tag and ring slot leak in the guest, and a PDU
leak in QEMU, all of them limited by the maximal number of PDUs (128).
But, worse, this causes QEMU to hang on device reset since v9fs_reset()
wants to drain all pending I/O.

This insane behavior is likely to denote a bug in the client, and it would
deserve an Rerror message to be sent back. Unfortunately, the protocol
allows it and requires all flush requests to succeed (only a Tflush response
is expected).

The only option is to detect when we have to handle a self-referencing
flush request and report success to the client right away.

[*] http://man.cat-v.org/plan_9/5/flush

Reported-by: Al Viro <address@hidden>
Signed-off-by: Greg Kurz <address@hidden>
(cherry picked from commit d5f2af7b95b738b25272a98319b09540a0606d14)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 5d26f91c89757a8b84f5da9c6dfa37cda19283c5
      
https://github.com/qemu/qemu/commit/5d26f91c89757a8b84f5da9c6dfa37cda19283c5
  Author: Wolfgang Bumiller <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  cirrus: handle negative pitch in cirrus_invalidate_region()

cirrus_invalidate_region() calls memory_region_set_dirty()
on a per-line basis, always ranging from off_begin to
off_begin+bytesperline. With a negative pitch off_begin
marks the top most used address and thus we need to do an
initial shift backwards by a line for negative pitches of
backward blits, otherwise the first iteration covers the
line going from the start offset forwards instead of
backwards.
Additionally since the start address is inclusive, if we
shift by a full `bytesperline` we move to the first address
*not* included in the blit, so we only shift by one less
than bytesperline.

Signed-off-by: Wolfgang Bumiller <address@hidden>
Message-id: address@hidden

[ kraxel: codestyle fixes ]

Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit f153b563f8cf121aebf5a2fff5f0110faf58ccb3)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 205a61956394d01aca6764bc6596a7ea584c4a61
      
https://github.com/qemu/qemu/commit/205a61956394d01aca6764bc6596a7ea584c4a61
  Author: Wolfgang Bumiller <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  cirrus: allow zero source pitch in pattern fill rops

The rops used by cirrus_bitblt_common_patterncopy only use
the destination pitch, so the source pitch should be allowed to
be zero and the blit width used for the range check around the
source address.

Signed-off-by: Wolfgang Bumiller <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 5858dd1801883309bdd208d72ddb81c4e9fee30c)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 8db38049c6eec4155c7861da6ca7642d5f06d0d8
      
https://github.com/qemu/qemu/commit/8db38049c6eec4155c7861da6ca7642d5f06d0d8
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  cirrus: fix blit address mask handling

Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr
right after assigning them, in cirrus_bitblt_start(), instead of having
this all over the place in the cirrus code, and missing a few places.

Reported-by: Wolfgang Bumiller <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit 60cd23e85151525ab26591394c4e7e06fa07d216)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 670ddcc0aaa332bf2436dec4285c3daa2216cdee
      
https://github.com/qemu/qemu/commit/670ddcc0aaa332bf2436dec4285c3daa2216cdee
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  cirrus: fix patterncopy checks

The blit_region_is_unsafe checks don't work correctly for the
patterncopy source.  It's a fixed-sized region, which doesn't
depend on cirrus_blt_{width,height}.  So go do the check in
cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that
it doesn't need to verify the source.  Also handle the case where we
blit from cirrus_bitbuf correctly.

This patch replaces 5858dd1801883309bdd208d72ddb81c4e9fee30c.

Security impact:  I think for the most part we err on the safe side this
time, refusing blits which should have been allowed.

The only exception is placing the blit source at the end of the video ram,
so cirrus_blt_srcaddr + 256 goes beyond the end of video memory.  But
even in that case I'm not fully sure this actually allows read access to
host memory.  To trick the commit 5858dd18 security checks one has to
pick very small cirrus_blt_{width,height} values, which in turn implies
only a fraction of the blit source will actually be used.

Cc: Wolfgang Bumiller <address@hidden>
Cc: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Reviewed-by: Wolfgang Bumiller <address@hidden>
Reviewed-by: Laurent Vivier <address@hidden>
Message-id: address@hidden
(cherry picked from commit 95280c31cda79bb1d0968afc7b19a220b3a9d986)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a99fd943c4ee49cea7600f185a01ae0cfe1cc3e9
      
https://github.com/qemu/qemu/commit/a99fd943c4ee49cea7600f185a01ae0cfe1cc3e9
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  Revert "cirrus: allow zero source pitch in pattern fill rops"

This reverts commit 5858dd1801883309bdd208d72ddb81c4e9fee30c.

Conflicts:
        hw/display/cirrus_vga.c

Cc: Wolfgang Bumiller <address@hidden>
Cc: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Reviewed-by: Laurent Vivier <address@hidden>
Message-id: address@hidden
(cherry picked from commit 12e97ec39931e5321645fd483ab761319d48bf16)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 3328c14e63f08fb07e8c6dec779c9d365e9e9864
      
https://github.com/qemu/qemu/commit/3328c14e63f08fb07e8c6dec779c9d365e9e9864
  Author: hangaohuai <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga_rop.h

  Log Message:
  -----------
  fix: cirrus_vga fix OOB read case qemu Segmentation fault

Check the validity of parameters in cirrus_bitblt_rop_fwd_transp_xxx
and cirrus_bitblt_rop_fwd_xxx to avoid the OOB read which causes qemu
Segmentation fault.

After the fix, we will touch the assert in
cirrus_invalidate_region:
assert(off_cur_end >= off_cur);

Signed-off-by: fangying <address@hidden>
Signed-off-by: hangaohuai <address@hidden>
Message-id: address@hidden
Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 215902d7b6fb50c6fc216fc74f770858278ed904)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 63fdb09491325e22e6a9d68b0f4375a5126dd261
      
https://github.com/qemu/qemu/commit/63fdb09491325e22e6a9d68b0f4375a5126dd261
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga.c
    M include/ui/console.h
    M ui/console.c
    M ui/vnc.c

  Log Message:
  -----------
  cirrus/vnc: zap bitblit support from console code.

There is a special code path (dpy_gfx_copy) to allow graphic emulation
notify user interface code about bitblit operations carried out by
guests.  It is supported by cirrus and vnc server.  The intended purpose
is to optimize display scrolls and just send over the scroll op instead
of a full display update.

This is rarely used these days though because modern guests simply don't
use the cirrus blitter any more.  Any Linux guest using the cirrus drm
driver doesn't.  Any Windows guest newer than WinXP doesn't ship with a
cirrus driver any more and thus uses the cirrus as simple framebuffer.

So this code tends to bitrot and bugs can go unnoticed for a long time.
See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV"
which fixes a bug lingering in the code for almost a year, added by
commit "c7628bf vnc: only alloc server surface with clients connected".

Also the vnc server will throttle the frame rate in case it figures the
network can't keep up (send buffers are full).  This doesn't work with
dpy_gfx_copy, for any copy operation sent to the vnc client we have to
send all outstanding updates beforehand, otherwise the vnc client might
run the client side blit on outdated data and thereby corrupt the
display.  So this dpy_gfx_copy "optimization" might even make things
worse on slow network links.

Let's kill it once and for all.

Oh, and one more reason: Turns out (after writing the patch) we have a
security bug in that code path ...

Fixes: CVE-2016-9603
Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit 50628d3479e4f9aa97e323506856e394fe7ad7a6)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2f51fd1f739cccc991b4e08afcc6e9dbcdbb9a3e
      
https://github.com/qemu/qemu/commit/2f51fd1f739cccc991b4e08afcc6e9dbcdbb9a3e
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga.c

  Log Message:
  -----------
  cirrus: fix cirrus_invalidate_region

off_cur_end is exclusive, so off_cur_end == cirrus_addr_mask is valid.
Fix calculation to make sure to allow that, otherwise the assert added
by commit f153b563f8cf121aebf5a2fff5f0110faf58ccb3 can trigger for valid
blits.

Test case: boot Windows NT 4.0

Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit e048dac616748273c2153490e9fdf1da242f0cad)
Signed-off-by: Michael Roth <address@hidden>
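
The per-line dirty range computation described by the two cirrus_invalidate_region commits above (the backward shift for negative pitches, and the exclusive end that must be allowed to equal the top of video RAM), as an added C model that is not QEMU's code; the 4 MiB address mask, the function names and the sample offsets are assumptions.

```c
#include <assert.h>
#include <stdio.h>

/* Assumed video RAM size for this model: 4 MiB, so the mask is 0x3fffff. */
#define ADDR_MASK 0x3fffff

struct line_range { int start; int len; };

/* Pre-fix exclusive end: masking the end itself wraps it to 0 when the line
 * ends exactly at the top of video RAM, which makes end < start. */
static int line_end_before_fix(int off_cur, int bytesperline)
{
    return (off_cur + bytesperline) & ADDR_MASK;
}

/* Post-fix exclusive end: mask the last *included* byte, then add one, so
 * end == ADDR_MASK + 1 is produced (and valid) for a line at the very top. */
static int line_end_after_fix(int off_cur, int bytesperline)
{
    return ((off_cur + bytesperline - 1) & ADDR_MASK) + 1;
}

/* Model of the per-line loop: fills out[] with (start, len) per line.
 * off_begin is assumed already masked by the caller (as the blit start
 * address is after the address-mask commit above).  Returns the number of
 * lines, or -1 when a range would be invalid (negative start or end < start,
 * the condition the commit's assert guards against). */
static int dirty_ranges(int off_begin, int off_pitch, int bytesperline,
                        int lines, struct line_range *out, int max_out)
{
    if (lines > max_out || bytesperline <= 0) {
        return -1;
    }
    if (off_pitch < 0) {
        /* off_begin is the top-most used address: step back one line, but
         * one byte less because the start address is inclusive. */
        off_begin -= bytesperline - 1;
    }
    for (int y = 0; y < lines; y++) {
        int off_cur = off_begin;
        int off_cur_end = line_end_after_fix(off_cur, bytesperline);
        if (off_cur < 0 || off_cur_end < off_cur) {
            return -1;
        }
        out[y].start = off_cur;
        out[y].len = off_cur_end - off_cur;
        off_begin += off_pitch;
    }
    return lines;
}

int main(void)
{
    struct line_range r[4];
    /* Constructed backward blit: top-most address 2000, pitch -1000. */
    int n = dirty_ranges(2000, -1000, 640, 2, r, 4);
    for (int i = 0; i < n; i++) {
        printf("line %d: start=%d len=%d\n", i, r[i].start, r[i].len);
    }
    /* Line ending exactly at the top of video RAM. */
    int top = ADDR_MASK + 1 - 640;
    printf("before fix end=%d, after fix end=%d\n",
           line_end_before_fix(top, 640), line_end_after_fix(top, 640));
    return 0;
}
```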


  Commit: 031700e4527b9e05798f7040dccdf638da27aee2
      
https://github.com/qemu/qemu/commit/031700e4527b9e05798f7040dccdf638da27aee2
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga.c
    M hw/display/cirrus_vga_rop.h
    M hw/display/cirrus_vga_rop2.h

  Log Message:
  -----------
  cirrus: stop passing around dst pointers in the blitter

Instead pass around the address (aka offset into vga memory).  Calculate
the pointer in the rop_* functions, after applying the mask to the
address, to make sure the address stays within the valid range.

Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit 026aeffcb4752054830ba203020ed6eb05bcaba8)
Signed-off-by: Michael Roth <address@hidden>


  Commit: a290442234fa214fcb7f45fc91d802bcb8d05c4b
      
https://github.com/qemu/qemu/commit/a290442234fa214fcb7f45fc91d802bcb8d05c4b
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga.c
    M hw/display/cirrus_vga_rop.h
    M hw/display/cirrus_vga_rop2.h

  Log Message:
  -----------
  cirrus: stop passing around src pointers in the blitter

Does basically the same as "cirrus: stop passing around dst pointers in
the blitter", just for the src pointer instead of the dst pointer.

For the src we have to care about cputovideo blits though and fetch the
data from s->cirrus_bltbuf instead of vga memory.  The cirrus_src*()
helper functions handle that.

Signed-off-by: Gerd Hoffmann <address@hidden>
Message-id: address@hidden
(cherry picked from commit ffaf857778286ca54e3804432a2369a279e73aa7)
Signed-off-by: Michael Roth <address@hidden>


  Commit: dc35a13747843688690d5779ef22f2a62dfd6d3b
      
https://github.com/qemu/qemu/commit/dc35a13747843688690d5779ef22f2a62dfd6d3b
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-03-21 (Tue, 21 Mar 2017)

  Changed paths:
    M hw/display/cirrus_vga_rop.h

  Log Message:
  -----------
  cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16

The switch from pointers to addresses (commit
026aeffcb4752054830ba203020ed6eb05bcaba8 and
ffaf857778286ca54e3804432a2369a279e73aa7) added
an off-by-one bug to 16bit backward blits.  Fix.

Reported-by: 李强 <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
Reviewed-by: Li Qiang <address@hidden>
Message-id: address@hidden
(cherry picked from commit f019722cbbb45aea153294fc8921fcc96a4d3fa2)
Signed-off-by: Michael Roth <address@hidden>


  Commit: ce37df91f4f9a4577fb12f46b94dde93c19bd661
      
https://github.com/qemu/qemu/commit/ce37df91f4f9a4577fb12f46b94dde93c19bd661
  Author: Paolo Bonzini <address@hidden>
  Date:   2017-03-27 (Mon, 27 Mar 2017)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: always use handle_aio_output if registered

Commit ad07cd6 ("virtio-scsi: always use dataplane path if ioeventfd is
active", 2016-10-30) and 9ffe337 ("virtio-blk: always use dataplane
path if ioeventfd is active", 2016-10-30) broke the virtio 1.0
indirect access registers.

The indirect access registers bypass the ioeventfd, so that virtio-blk
and virtio-scsi now repeatedly try to initialize dataplane instead of
triggering the guest->host EventNotifier.  Detect the situation by
checking vq->handle_aio_output; if it is not NULL, trigger the
EventNotifier, which is how the device expects to get notifications
and in fact the only thread-safe manner to deliver them.

Fixes: ad07cd6
Fixes: 9ffe337
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
(cherry picked from commit e49a6618400d11e51e30328dfe8d7cafce82d4bc)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 879b6454be1e29241d5b7d6986adcdb95d883856
      
https://github.com/qemu/qemu/commit/879b6454be1e29241d5b7d6986adcdb95d883856
  Author: Eric Blake <address@hidden>
  Date:   2017-03-30 (Thu, 30 Mar 2017)

  Changed paths:
    M tests/test-opts-visitor.c

  Log Message:
  -----------
  tests: Expose regression in QemuOpts visitor

Commit 15c2f669e broke the ability of the QemuOpts visitor to
flag extra input parameters, but the regression went unnoticed
because of missing testsuite coverage.  Add a test to cover this;
take the approach already used in 9cb8ef3 of adding a test that
passes (to avoid breaking bisection) but marks with BUG the
behavior that we don't like, so that the actual impact of the
fix in a later patch is easier to see.

CC: address@hidden
Signed-off-by: Eric Blake <address@hidden>
Reviewed-by: Michael Roth <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
(cherry picked from commit 76861f6befc50c30cb71e84b372dc91dd26656a4)
 Conflicts:
        tests/test-opts-visitor.c
 * drop context dep on 9cb8ef36 and a9416dc6 tests
Signed-off-by: Michael Roth <address@hidden>


  Commit: dd39c544f4136ba390d1f976f520004a3ffad7e5
      
https://github.com/qemu/qemu/commit/dd39c544f4136ba390d1f976f520004a3ffad7e5
  Author: Igor Mammedov <address@hidden>
  Date:   2017-03-30 (Thu, 30 Mar 2017)

  Changed paths:
    M hmp.c
    M include/qom/object_interfaces.h
    M qom/object_interfaces.c

  Log Message:
  -----------
  monitor: reuse user_creatable_add_opts() instead of user_creatable_add()

Simplify code by dropping ~57LOC by merging user_creatable_add()
into user_creatable_add_opts() and using the latter from monitor.
Along with it allocate opts_visitor_new() once in user_creatable_add_opts().

As a result we have one less API func and a more readable/simple
user_creatable_add_opts() vs user_creatable_add().

Signed-off-by: Igor Mammedov <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Eduardo Habkost <address@hidden>
(cherry picked from commit 3a4641054e320d8ad7e780c30010b1c1dbfc56e8)
* functional dep for 9a6d1ac
Signed-off-by: Michael Roth <address@hidden>


  Commit: c15c6d25949a4bba272d576a2468cfe866e11486
      
https://github.com/qemu/qemu/commit/c15c6d25949a4bba272d576a2468cfe866e11486
  Author: Eric Blake <address@hidden>
  Date:   2017-03-30 (Thu, 30 Mar 2017)

  Changed paths:
    M qom/object_interfaces.c

  Log Message:
  -----------
  qom: Avoid unvisited 'id'/'qom-type' in user_creatable_add_opts

A regression in commit 15c2f669e caused us to silently ignore
excess input to the QemuOpts visitor.  Later, commit ea4641
accidentally abused that situation, by removing "qom-type" and
"id" from the corresponding QDict but leaving them defined in
the QemuOpts, when using the pair of containers to create a
user-defined object. Note that since we are already traversing
two separate items (a QDict and a QemuOpts), we are already
able to flag bogus arguments, as in:

$ ./x86_64-softmmu/qemu-system-x86_64 -nodefaults -nographic -qmp stdio -object 
memory-backend-ram,id=mem1,size=4k,bogus=huh
qemu-system-x86_64: -object memory-backend-ram,id=mem1,size=4k,bogus=huh: 
Property '.bogus' not found

So the only real concern is that when we re-enable strict checking
in the QemuOpts visitor, we do not want to start flagging the two
leftover keys as unvisited.  Rearrange the code to clean out the
QemuOpts listing in advance, rather than removing items from the
QDict.  Since "qom-type" is usually an automatic implicit default,
we don't have to restore it (this does mean that once instantiated,
QemuOpts is not necessarily an accurate representation of the
original command line - but this is not the first place to do that);
however "id" has to be put back (requiring us to cast away a const).

[As a side note, hmp_object_add() turns a QDict into a QemuOpts,
then calls user_creatable_add_opts() which converts QemuOpts into
a new QDict. There are probably a lot of wasteful conversions like
this, but cleaning them up is a much bigger task than the immediate
regression fix.]

CC: address@hidden
Signed-off-by: Eric Blake <address@hidden>
Message-Id: <address@hidden>
Tested-by: Laurent Vivier <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
(cherry picked from commit 9a6d1acb3e752e1e0b693cc0491fa12875b76be0)
Signed-off-by: Michael Roth <address@hidden>
(cherry picked from commit 7967e0bd9d8c4d7aae11383f9d9bad2ceaf9c2a2)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 2f8ab9b1dd59d9c262ccca872ba476d23f6cf8ff
      
https://github.com/qemu/qemu/commit/2f8ab9b1dd59d9c262ccca872ba476d23f6cf8ff
  Author: Eric Blake <address@hidden>
  Date:   2017-03-30 (Thu, 30 Mar 2017)

  Changed paths:
    M qapi/opts-visitor.c
    M tests/test-opts-visitor.c

  Log Message:
  -----------
  qapi: Fix QemuOpts visitor regression on unvisited input

An off-by-one in commit 15c2f669e meant that we were failing to
check for unparsed input in all QemuOpts visitors.  Recent testsuite
additions show that fixing the obvious bug with bogus fields will
also fix the case of an incomplete list visit; update the tests to
match the new behavior.

Simple testcase:

./x86_64-softmmu/qemu-system-x86_64 -nodefaults -nographic -qmp stdio -numa 
node,size=1g

failed to diagnose that 'size' is not a valid argument to -numa, and
now once again reports:

qemu-system-x86_64: -numa node,size=1g: Invalid parameter 'size'

See also https://bugzilla.redhat.com/show_bug.cgi?id=1434666

CC: address@hidden
Signed-off-by: Eric Blake <address@hidden>
Reviewed-by: Michael Roth <address@hidden>
Tested-by: Laurent Vivier <address@hidden>
Message-Id: <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Markus Armbruster <address@hidden>
(cherry picked from commit 21f88d021d0d2b4ecee8f6cd6ca63a943a3ce71d)
 Conflicts:
        qapi/opts-visitor.c
        tests/test-opts-visitor.c
 * drop changes related to 9cb8ef36 and a9416dc6 tests
Signed-off-by: Michael Roth <address@hidden>


  Commit: 877e2b016ebc4686322e5f08186eb25ed42a52a3
      
https://github.com/qemu/qemu/commit/877e2b016ebc4686322e5f08186eb25ed42a52a3
  Author: Stefan Weil <address@hidden>
  Date:   2017-03-30 (Thu, 30 Mar 2017)

  Changed paths:
    M target-s390x/cpu_models.c

  Log Message:
  -----------
  target/s390x: Fix broken user mode

Returning NULL from get_max_cpu_model results in a SIGSEGV runtime error.

Signed-off-by: Stefan Weil <address@hidden>
Reviewed-by: David Hildenbrand <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Christian Borntraeger <address@hidden>
Signed-off-by: Cornelia Huck <address@hidden>
(cherry picked from commit a352aa62a75fcb1db35a0c71a10af3b2c1f8b89f)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 07672ab0031ace234a4031e439e7174cde1e1d72
      
https://github.com/qemu/qemu/commit/07672ab0031ace234a4031e439e7174cde1e1d72
  Author: Eric Blake <address@hidden>
  Date:   2017-03-30 (Thu, 30 Mar 2017)

  Changed paths:
    M qom/object_interfaces.c

  Log Message:
  -----------
  qom: Fix regression with 'qom-type'

Commit 9a6d1ac assumed that 'qom-type' could be removed from QemuOpts
with no ill effects.  However, this command line proves otherwise:

$ ./x86_64-softmmu/qemu-system-x86_64 -nodefaults -nographic -qmp stdio \
  -object rng-random,filename=/dev/urandom,id=rng0 \
  -device virtio-rng-pci,rng=rng0
qemu-system-x86_64: -object rng-random,filename=/dev/urandom,id=rng0: Parameter 
'qom-type' is missing

Fix the regression by restoring qom-type in opts after its temporary
removal that was needed for the duration of user_creatable_add_opts().

Reported-by: Richard W. M. Jones <address@hidden>
Signed-off-by: Eric Blake <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Tested-by: Richard W.M. Jones <address@hidden>
Message-id: address@hidden
Signed-off-by: Peter Maydell <address@hidden>
(cherry picked from commit 08329701199449bde497570dcfdb9c86062baf20)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 12110bf70ec991049ed552d42ac601974b22c24e
      
https://github.com/qemu/qemu/commit/12110bf70ec991049ed552d42ac601974b22c24e
  Author: Gerd Hoffmann <address@hidden>
  Date:   2017-03-30 (Thu, 30 Mar 2017)

  Changed paths:
    M pc-bios/bios-256k.bin
    M pc-bios/bios.bin
    M pc-bios/vgabios-cirrus.bin
    M pc-bios/vgabios-qxl.bin
    M pc-bios/vgabios-stdvga.bin
    M pc-bios/vgabios-virtio.bin
    M pc-bios/vgabios-vmware.bin
    M pc-bios/vgabios.bin
    M roms/seabios

  Log Message:
  -----------
  seabios: update to 1.10.2 release

git shortlog rel-1.10.1..rel-1.10.2
===================================

Ben Warren (5):
      QEMU DMA: Add DMA write capability
      romfile-loader: Switch to using named structs
      QEMU fw_cfg: Add command to write back address of file
      QEMU fw_cfg: Add functions for accessing files by key
      QEMU fw_cfg: Write fw_cfg back on S3 resume

Kevin O'Connor (1):
      ps2port: Disable keyboard/mouse prior to resetting ps2 controller

Ladi Prosek (1):
      ahci: Set upper 32-bit registers to zero

Paul Menzel (1):
      vgasrc: Increase debug level

Signed-off-by: Gerd Hoffmann <address@hidden>
(cherry picked from commit 8779fccbef0c2e97fd6564ddf9f1df9fc724f2f0)
 * required for 98cb5dc: "ahci: advertise HOST_CAP_64"
Signed-off-by: Michael Roth <address@hidden>


  Commit: 08c48c731aa8094b7ff0071cfd16879f92f5200d
      
https://github.com/qemu/qemu/commit/08c48c731aa8094b7ff0071cfd16879f92f5200d
  Author: Sam Bobroff <address@hidden>
  Date:   2017-03-30 (Thu, 30 Mar 2017)

  Changed paths:
    M hw/ppc/spapr_ovec.c

  Log Message:
  -----------
  spapr: fix off-by-one error in spapr_ovec_populate_dt()

The last byte of the option vector was missing due to an off-by-one
error. Without this fix, client architecture support negotiation will
fail because the last byte of option vector 5, which contains the MMU
support, will be missed.

Signed-off-by: Sam Bobroff <address@hidden>
Reviewed-by: Thomas Huth <address@hidden>
Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: David Gibson <address@hidden>
(cherry picked from commit fe93e3e6ec1b1bf4a4c9d4bf55f8776318da6847)
Signed-off-by: Michael Roth <address@hidden>


  Commit: 7124ccf8b397a3741f4d83cadf6c7f31126c1dfd
      
https://github.com/qemu/qemu/commit/7124ccf8b397a3741f4d83cadf6c7f31126c1dfd
  Author: Michael Roth <address@hidden>
  Date:   2017-03-30 (Thu, 30 Mar 2017)

  Changed paths:
    M VERSION

  Log Message:
  -----------
  Update version for 2.8.1 release

Signed-off-by: Michael Roth <address@hidden>


Compare: https://github.com/qemu/qemu/compare/2c4f0f6c11d5^...7124ccf8b397
