
[Qemu-commits] [qemu/qemu] f16d15: virtiofsd: use g_date_time_get_micros


From: Paolo Bonzini
Subject: [Qemu-commits] [qemu/qemu] f16d15: virtiofsd: use g_date_time_get_microsecond to get ...
Date: Mon, 26 Sep 2022 12:30:45 -0700

  Branch: refs/heads/staging
  Home:   https://github.com/qemu/qemu
  Commit: f16d15c9276bd8f501f861c39cbd4adc812d0c1d
      
https://github.com/qemu/qemu/commit/f16d15c9276bd8f501f861c39cbd4adc812d0c1d
  Author: Yusuke Okada <okada.yusuke@jp.fujitsu.com>
  Date:   2022-09-22 (Thu, 22 Sep 2022)

  Changed paths:
    M tools/virtiofsd/passthrough_ll.c

  Log Message:
  -----------
  virtiofsd: use g_date_time_get_microsecond to get subsecond

The "%f" specifier in g_date_time_format() is only available in glib
2.65.2 or later. If combined with older glib, the function returns null
and the timestamp is displayed as "(null)".

For backward compatibility, g_date_time_get_microsecond should be used
to retrieve subsecond.

In this patch the g_date_time_format() leaves the subsecond field as "%06d"
and lets the next snprintf format it with g_date_time_get_microsecond.

Signed-off-by: Yusuke Okada <okada.yusuke@jp.fujitsu.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 20220818184618.2205172-1-yokada.996@gmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>


  Commit: df6322a8973b5e69bdc8931ff79d3bfe3901cab5
      
https://github.com/qemu/qemu/commit/df6322a8973b5e69bdc8931ff79d3bfe3901cab5
  Author: Cal Peake <cp@absolutedigital.net>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M include/ui/console.h
    M ui/console.c

  Log Message:
  -----------
  ui/console: Get tab completion working again in the SDL monitor vc

Define a QEMU special key constant for the tab key and add an entry for
it in the qcode_to_keysym table. This allows tab completion to work again
in the SDL monitor virtual console, which has been broken ever since the
migration from SDL1 to SDL2.

Signed-off-by: Cal Peake <cp@absolutedigital.net>
Message-Id: <7054816e-99c-7e2-6737-7cf98cc56e2@absolutedigital.net>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: bab6a301c58286229ca8fbc36728d1469f243260
      
https://github.com/qemu/qemu/commit/bab6a301c58286229ca8fbc36728d1469f243260
  Author: Akihiko Odaki <akihiko.odaki@gmail.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M docs/devel/fuzzing.rst
    M include/qemu-main.h
    M include/sysemu/sysemu.h
    M softmmu/main.c
    M softmmu/vl.c
    M tests/qtest/fuzz/fuzz.c
    M ui/cocoa.m

  Log Message:
  -----------
  ui/cocoa: Run qemu_init in the main thread

This work is based on:
https://patchew.org/QEMU/20220317125534.38706-1-philippe.mathieu.daude@gmail.com/

Simplify the initialization dance by running qemu_init() in the main
thread before the Cocoa event loop starts. The secondary thread
runs only qemu_main_loop() and qemu_cleanup().

This fixes a case where addRemovableDevicesMenuItems() calls
qmp_query_block() while expecting the main thread to still hold
the BQL.

Overriding the code after calling qemu_init() is done by dynamically
replacing a function pointer variable, qemu_main when initializing
ui/cocoa, which unifies the static implementation of main() for
builds with ui/cocoa and ones without ui/cocoa.

Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Message-Id: <20220819132756.74641-2-akihiko.odaki@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 2dc7f90a835a4cd2362ace5e2388687afd296b85
      
https://github.com/qemu/qemu/commit/2dc7f90a835a4cd2362ace5e2388687afd296b85
  Author: Akihiko Odaki <akihiko.odaki@gmail.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M include/qemu/main-loop.h

  Log Message:
  -----------
  Revert "main-loop: Disable block backend global state assertion on Cocoa"

This reverts commit 47281859f66bdab1974fb122cab2cbb4a1c9af7f.

Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Reviewed-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220819132756.74641-3-akihiko.odaki@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 64d3fec76c913bf94f9b87f7482669302af9bbf9
      
https://github.com/qemu/qemu/commit/64d3fec76c913bf94f9b87f7482669302af9bbf9
  Author: Akihiko Odaki <akihiko.odaki@gmail.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M meson.build

  Log Message:
  -----------
  meson: Allow to enable gtk and sdl while cocoa is enabled

As ui/cocoa no longer overrides main(), ui/gtk and ui/sdl
can be enabled even if ui/cocoa is enabled.

Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20220819132756.74641-4-akihiko.odaki@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 410840cdb1342751f58a3521f48d5a9faf694c3b
      
https://github.com/qemu/qemu/commit/410840cdb1342751f58a3521f48d5a9faf694c3b
  Author: Marc-André Lureau <marcandre.lureau@redhat.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M ui/clipboard.c
    M ui/trace-events
    M ui/vdagent.c

  Log Message:
  -----------
  ui: add some vdagent related traces

This helps debugging clipboard serial sync issues.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220912102455.111765-2-marcandre.lureau@redhat.com>

[ kraxel: code style fix ]

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 0e23ae9c657d65049e5ef3a06451b22830964f35
      
https://github.com/qemu/qemu/commit/0e23ae9c657d65049e5ef3a06451b22830964f35
  Author: Marc-André Lureau <marcandre.lureau@redhat.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M ui/clipboard.c

  Log Message:
  -----------
  ui/clipboard: fix serial priority

The incoming grab event should have a higher serial.
See also "vdagent: introduce VD_AGENT_CAP_CLIPBOARD_GRAB_SERIAL":
https://gitlab.freedesktop.org/spice/spice-protocol/-/commit/045a6978d6dbbf7046affc5c321fa8177c8cce56

This is only a relevant fix for the -display dbus, only user of that
function.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220912102455.111765-3-marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: e46d4d684224872b8b5999a51c688ee8fffb4a1b
      
https://github.com/qemu/qemu/commit/e46d4d684224872b8b5999a51c688ee8fffb4a1b
  Author: Marc-André Lureau <marcandre.lureau@redhat.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M ui/vdagent.c

  Log Message:
  -----------
  ui/vdagent: always reset the clipboard serial on caps

The guest agent doesn't know what is the current serial state. Reset the
serial value whenever a new agent connection is established.

Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=2124446

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220912102455.111765-4-marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 72ce36f77ca6fe8cf9aae5ed28d7c3c865ef887d
      
https://github.com/qemu/qemu/commit/72ce36f77ca6fe8cf9aae5ed28d7c3c865ef887d
  Author: Marc-André Lureau <marcandre.lureau@redhat.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M ui/clipboard.c

  Log Message:
  -----------
  ui/clipboard: reset the serial state on reset

Not only do we have to reset the vdagent clipboards serial state, but also
the current QEMU clipboards info serial (the value is currently used by
qemu_clipboard_check_serial, only used by -display dbus).

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220912102455.111765-5-marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: d18431547f388db1e43c0cbc8a423ea9cc0df3d6
      
https://github.com/qemu/qemu/commit/d18431547f388db1e43c0cbc8a423ea9cc0df3d6
  Author: Marc-André Lureau <marcandre.lureau@redhat.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M ui/vdagent.c

  Log Message:
  -----------
  ui/vdagent: fix serial reset of guest agent

In order to reset the guest agent, we send CLOSED & OPENED events.

They are correctly received by the guest kernel. However, they might not
be noticed by the guest agent process, as the IO task (poll() for
example) might be woken up after both CLOSED & OPENED have been
processed.

Wait until the guest agent is disconnected to re-open our side.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220912102455.111765-6-marcandre.lureau@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 17b55372b509a253abed9d7d4a81772f6067220f
      
https://github.com/qemu/qemu/commit/17b55372b509a253abed9d7d4a81772f6067220f
  Author: Volker Rümelin <vr_qemu@t-online.de>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M ui/console.c

  Log Message:
  -----------
  ui/console: fix three double frees in png_save()

The png_destroy_write_struct() function frees all memory used by
libpng. Don't use the glib auto cleanup mechanism to free the
memory allocated by libpng again. For the pixman image, use only the
auto cleanup mechanism and remove the qemu_pixman_image_unref()
function call to prevent another double free.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1210
Fixes: 9a0a119a38 ("Added parameter to take screenshot with screendump as PNG")
Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Message-Id: <20220919061956.30929-1-vr_qemu@t-online.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 0b33bb394d0d02918679064caa11ef59e5ff3924
      
https://github.com/qemu/qemu/commit/0b33bb394d0d02918679064caa11ef59e5ff3924
  Author: Thomas Huth <thuth@redhat.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M hw/usb/hcd-xhci.c

  Log Message:
  -----------
  hw/usb/hcd-xhci: Check whether DMA accesses fail

If a guest sets up bad descriptors, it could force QEMU to access
non-existing memory regions. Thus we should check the return value
of dma_memory_read/write() to make sure that these errors don't go
unnoticed.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20220817160016.49752-1-thuth@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: d8c2e6f2f6d29ccb766197181eb1c65c1d46b3a4
      
https://github.com/qemu/qemu/commit/d8c2e6f2f6d29ccb766197181eb1c65c1d46b3a4
  Author: Qiang Liu <cyruscyliu@gmail.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M hw/usb/hcd-ohci.c

  Log Message:
  -----------
  hcd-ohci: Drop ohci_service_iso_td() if ed->head & OHCI_DPTR_MASK is zero

An abort happens in ohci_frame_boundary() when ohci->done is 0 [1].

``` c
static void ohci_frame_boundary(void *opaque)
{
    // ...
    if (ohci->done_count == 0 && !(ohci->intr_status & OHCI_INTR_WD)) {
        if (!ohci->done)
            abort(); // <-------------------------------------- [1]
```

This was reported in https://bugs.launchpad.net/qemu/+bug/1911216/,
https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg03613.html, and
https://gitlab.com/qemu-project/qemu/-/issues/545. I can still reproduce it with
the latest QEMU.

This happens due to crafted ED with putting ISO_TD at physical address 0.

Suppose ed->head & OHCI_DPTR_MASK is 0 [2], and we memset 0 to the physical
memory from 0 to sizeof(ohci_iso_td). Then, starting_frame [3] and frame_count
[4] are both 0. As we can control the value of ohci->frame_number (0 to 0x1f,
suppose 1), we then control the value of relative_frame_number to be 1 [6]. The
control flow goes to [7] where ohci->done is 0. Having returned from
ohci_service_iso_td(), ohci_frame_boundary() will abort() [1].

``` c
static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed)
{
    // ...
    addr = ed->head & OHCI_DPTR_MASK; // <--------------------- [2]

    if (ohci_read_iso_td(ohci, addr, &iso_td)) {   // <-------- [3]
        // ...

    starting_frame = OHCI_BM(iso_td.flags, TD_SF); // <-------- [4]
    frame_count = OHCI_BM(iso_td.flags, TD_FC);    // <-------- [5]
    relative_frame_number = USUB(ohci->frame_number, starting_frame);
                                                   // <-------- [6]
    if (relative_frame_number < 0) {
        return 1;
    } else if (relative_frame_number > frame_count) {
        // ...
        ohci->done = addr;                         // <-------- [7]
        // ...
    }
```

As only (afaik) a guest root user can manipulate ED, TD and the physical memory,
this assertion failure is not a security bug.

The idea to fix this issue is to drop ohci_service_iso_td() if ed->head &
OHCI_DPTR_MASK is 0, which is similar to the drop operation for
ohci_service_ed_list() when head is 0. Probably, a similar issue is in
ohci_service_td(). I drop ohci_service_td() if ed->head & OHCI_DPTR_MASK is 0.

Fixes: 7bfe577702 ("OHCI USB isochronous transfers support (Arnon Gilboa)")
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/545
Buglink: https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg03613.html
Buglink: https://bugs.launchpad.net/qemu/+bug/1911216
Signed-off-by: Qiang Liu <cyruscyliu@gmail.com>
Message-Id: <20220826051557.119570-1-cyruscyliu@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 52630cd56658bcf1451da3550f9cb4544aa9f547
      
https://github.com/qemu/qemu/commit/52630cd56658bcf1451da3550f9cb4544aa9f547
  Author: Qiang Liu <cyruscyliu@gmail.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M hw/usb/hcd-ohci.c

  Log Message:
  -----------
  hcd-ohci: Fix inconsistency when resetting ohci root hubs

I found an assertion failure in usb_cancel_packet() and posted my analysis in
https://gitlab.com/qemu-project/qemu/-/issues/1180. I think this issue is
because of the inconsistency when resetting ohci root hubs.

There are two ways to reset ohci root hubs: 1) through HcRhPortStatus, 2)
through HcControl. However, when the packet's status is USB_PACKET_ASYNC,
resetting through HcRhPortStatus will complete the packet and thus resetting
through HcControl will fail. That is because IMO resetting through
HcRhPortStatus should first detach the port and then invoke usb_device_reset()
just like through HcControl. Therefore, I change usb_device_reset() to
usb_port_reset() where usb_detach() and usb_device_reset() are invoked
consequently.

Fixes: d28f4e2d8631 ("usb: kill USB_MSG_RESET")
Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1180
Signed-off-by: Qiang Liu <cyruscyliu@gmail.com>
Message-Id: <20220830033022.1164961-1-cyruscyliu@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: cba795250c79f354fbba88f654013ae1c3b096ad
      
https://github.com/qemu/qemu/commit/cba795250c79f354fbba88f654013ae1c3b096ad
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M hw/usb/dev-storage.c

  Log Message:
  -----------
  usb/msd: move usb_msd_packet_complete()

Change ordering to avoid adding forward declarations in
following patches.  Fix comment code style while being
at it.  No functional change.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-Id: <20220830063827.813053-2-kraxel@redhat.com>


  Commit: e7155b6fe84fbca8b83f9494895a2be3495a49fb
      
https://github.com/qemu/qemu/commit/e7155b6fe84fbca8b83f9494895a2be3495a49fb
  Author: Gerd Hoffmann <kraxel@redhat.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M hw/usb/dev-storage.c
    M hw/usb/trace-events
    M include/hw/usb/msd.h

  Log Message:
  -----------
  usb/msd: add usb_msd_fatal_error() and fix guest-triggerable assert

Add handler for fatal errors.  Moves device into error state where it
stops responding until the guest resets it.

Guest can send illegal requests where scsi command and usb packet
transfer directions are inconsistent.  Use the new usb_msd_fatal_error()
function instead of assert() in that case.

Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Tested-by: Qiang Liu <cyruscyliu@gmail.com>
Message-Id: <20220830063827.813053-3-kraxel@redhat.com>


  Commit: dba9f94ae3fcf454ce6b66240059f53584da5ab8
      
https://github.com/qemu/qemu/commit/dba9f94ae3fcf454ce6b66240059f53584da5ab8
  Author: Qiang Liu <cyruscyliu@gmail.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M hw/usb/hcd-xhci.c

  Log Message:
  -----------
  hcd-xhci: drop operation with secondary stream arrays enabled

The abort() in xhci_find_stream() can be triggered via enabling the secondary
stream arrays by setting linear stream array (LSA) bit (in endpoint context) to
0. We may show warnings and drop this operation.

Fixes: 024426acc0a2 ("usb-xhci: usb3 streams")
Reported-by: Qiang Liu <cyruscyliu@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1192
Signed-off-by: Qiang Liu <cyruscyliu@gmail.com>
Message-Id: <20220904125926.2141607-1-cyruscyliu@gmail.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: fe8649aa35a9341a272334b0500092845223c5d5
      
https://github.com/qemu/qemu/commit/fe8649aa35a9341a272334b0500092845223c5d5
  Author: Michael Brown <mcb30@ipxe.org>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M hw/usb/dev-network.c

  Log Message:
  -----------
  usbnet: Add missing usb_wakeup() call in usbnet_receive()

usbnet_receive() does not currently wake up the USB endpoint, leading
to a dead RX datapath when used with a host controller such as xHCI
that relies on being woken up.

Fix by adding a call to usb_wakeup() at the end of usbnet_receive().

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Message-Id: <20220906183053.3625472-2-mcb30@ipxe.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 650594be6e5d3706159779b8de8ab8a6049c9198
      
https://github.com/qemu/qemu/commit/650594be6e5d3706159779b8de8ab8a6049c9198
  Author: Michael Brown <mcb30@ipxe.org>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M hw/usb/dev-network.c

  Log Message:
  -----------
  usbnet: Accept mandatory USB_CDC_SET_ETHERNET_PACKET_FILTER request

The USB_CDC_SET_ETHERNET_PACKET_FILTER request is mandatory for
CDC-ECM devices.  Accept this request, ignoring the actual filter
value (to match the existing behaviour for RNDIS).

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Message-Id: <20220906183053.3625472-3-mcb30@ipxe.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 9084a984229e73ecdeac82d058d54011069c51e8
      
https://github.com/qemu/qemu/commit/9084a984229e73ecdeac82d058d54011069c51e8
  Author: Michael Brown <mcb30@ipxe.org>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M hw/usb/dev-network.c

  Log Message:
  -----------
  usbnet: Detect short packets as sent by the xHCI controller

The xHCI controller will ignore the endpoint MTU and so may deliver
packets of any length.  Detect short packets as being any packet that
has a length of zero or a length that is not a multiple of the MTU.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Message-Id: <20220906183053.3625472-4-mcb30@ipxe.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 67339b6c7e2b792ac29fef5323ba6d78dd0e9104
      
https://github.com/qemu/qemu/commit/67339b6c7e2b792ac29fef5323ba6d78dd0e9104
  Author: Michael Brown <mcb30@ipxe.org>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M hw/usb/dev-network.c

  Log Message:
  -----------
  usbnet: Report link-up via interrupt endpoint in CDC-ECM mode

Signed-off-by: Michael Brown <mcb30@ipxe.org>
Message-Id: <20220906183053.3625472-5-mcb30@ipxe.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 013980e129481d6b837ed5bd2e6a07b62b13395b
      
https://github.com/qemu/qemu/commit/013980e129481d6b837ed5bd2e6a07b62b13395b
  Author: Alexandre Ratchov <alex@caoua.org>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M MAINTAINERS
    M audio/audio.c
    M audio/audio_template.h
    M audio/meson.build
    A audio/sndioaudio.c
    M meson.build
    M meson_options.txt
    M qapi/audio.json
    M qemu-options.hx
    M scripts/meson-buildoptions.sh

  Log Message:
  -----------
  audio: Add sndio backend

sndio is the native API used by OpenBSD, although it has been ported to
other *BSD's and Linux (packages for Ubuntu, Debian, Void, Arch, etc.).

Signed-off-by: Brad Smith <brad@comstyle.com>
Signed-off-by: Alexandre Ratchov <alex@caoua.org>
Reviewed-by: Volker Rümelin <vr_qemu@t-online.de>
Tested-by: Volker Rümelin <vr_qemu@t-online.de>
Message-Id: <YxibXrWsrS3XYQM3@vm1.arverb.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 6482452ef3af6fe2486a2937d16e8de3a7715152
      
https://github.com/qemu/qemu/commit/6482452ef3af6fe2486a2937d16e8de3a7715152
  Author: Volker Rümelin <vr_qemu@t-online.de>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M audio/audio.c
    M audio/audio_template.h

  Log Message:
  -----------
  Revert "audio: Log context for audio bug"

This reverts commit 8e30d39bade3010387177ca23dbc2244352ed4a3.

Revert commit 8e30d39bad "audio: Log context for audio bug"
to make error propagation work again.

Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Message-Id: <20220917131626.7521-1-vr_qemu@t-online.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: f1c4ca9a7dbc3013aa0711039b701e1cd8ab84ec
      
https://github.com/qemu/qemu/commit/f1c4ca9a7dbc3013aa0711039b701e1cd8ab84ec
  Author: Volker Rümelin <vr_qemu@t-online.de>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M audio/audio.c

  Log Message:
  -----------
  audio: remove abort() in audio_bug()

Commit ab32b78cd1 "audio: Simplify audio_bug() removing old code"
introduced abort() in audio_bug() for regular builds.

audio_bug() was never meant to abort QEMU for the following
reasons.

  - There's code in audio_bug() that expects audio_bug() gets
    called more than once with error condition true. The variable
    'shown' is only 0 on first error.

  - All call sites test the return code of audio_bug(), print
    an error context message and handle the error.

  - The abort() in audio_bug() enables a class of guest-triggered
    aborts similar to the Launchpad Bug #1910603 at
    https://bugs.launchpad.net/bugs/1910603.

Fixes: ab32b78cd1 "audio: Simplify audio_bug() removing old code"
Buglink: https://bugs.launchpad.net/bugs/1910603
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Message-Id: <20220917131626.7521-2-vr_qemu@t-online.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 60e0ef9b5865c5a7376cb9ea85131531d208e39b
      
https://github.com/qemu/qemu/commit/60e0ef9b5865c5a7376cb9ea85131531d208e39b
  Author: Philippe Mathieu-Daudé <philmd@redhat.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M hw/display/ati_2d.c

  Log Message:
  -----------
  hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)

When building QEMU with DEBUG_ATI defined then running with
'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
we get:

  ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
  ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
  ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
  ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
  ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
  ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
  ati_mm_write 4 0x1420 DST_Y <- 0x3fff
  ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
  ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
  ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff
  ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
  ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000)
  Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
  (gdb) bt
  #0  0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
  #1  0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
  #2  0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196
  #3  0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843
  #4  0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492

Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
the local dst_x and dst_y which adjust the (x, y) coordinates
depending on the direction in the SRCCOPY ROP3 operation, but
forgot to address the same issue for the PATCOPY, BLACKNESS and
WHITENESS operations, which also call pixman_fill().

Fix that now by using the adjusted coordinates in the pixman_fill
call, and update the related debug printf().

Reported-by: Qiang Liu <qiangliu@zju.edu.cn>
Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20210906153103.1661195-1-philmd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: f76582f0a282ec95d6dc9c7cd1903c997fd060a6
      
https://github.com/qemu/qemu/commit/f76582f0a282ec95d6dc9c7cd1903c997fd060a6
  Author: Dongwon Kim <dongwon.kim@intel.com>
  Date:   2022-09-23 (Fri, 23 Sep 2022)

  Changed paths:
    M hw/display/virtio-gpu.c

  Log Message:
  -----------
  virtio-gpu: update scanout if there is any area covered by the rect

The scanout is currently updated only if the whole rect is inside the
scanout space. This is not a correct condition because the scanout should
be updated even if a small area in the scanout space is covered by the rect.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Dongwon Kim <dongwon.kim@intel.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-Id: <20220909014052.7297-1-dongwon.kim@intel.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>


  Commit: 15aa08a405e449c5ab88b479dd2728920d829c61
      
https://github.com/qemu/qemu/commit/15aa08a405e449c5ab88b479dd2728920d829c61
  Author: Stefan Hajnoczi <stefanha@redhat.com>
  Date:   2022-09-26 (Mon, 26 Sep 2022)

  Changed paths:
    M tools/virtiofsd/passthrough_ll.c

  Log Message:
  -----------
  Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging

Pull request

# gpg: Signature made Thu 22 Sep 2022 13:14:43 EDT
# gpg:                using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8
# gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" [ultimate]
# gpg:                 aka "Stefan Hajnoczi <stefanha@gmail.com>" [ultimate]
# Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35  775A 9CA4 ABB3 81AB 73C8

* tag 'block-pull-request' of https://gitlab.com/stefanha/qemu:
  virtiofsd: use g_date_time_get_microsecond to get subsecond

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>


  Commit: a500b90779b1988d8ac547b748c75c2f5c11f24b
      
https://github.com/qemu/qemu/commit/a500b90779b1988d8ac547b748c75c2f5c11f24b
  Author: Stefan Hajnoczi <stefanha@redhat.com>
  Date:   2022-09-26 (Mon, 26 Sep 2022)

  Changed paths:
    M MAINTAINERS
    M audio/audio.c
    M audio/audio_template.h
    M audio/meson.build
    A audio/sndioaudio.c
    M docs/devel/fuzzing.rst
    M hw/display/ati_2d.c
    M hw/display/virtio-gpu.c
    M hw/usb/dev-network.c
    M hw/usb/dev-storage.c
    M hw/usb/hcd-ohci.c
    M hw/usb/hcd-xhci.c
    M hw/usb/trace-events
    M include/hw/usb/msd.h
    M include/qemu-main.h
    M include/qemu/main-loop.h
    M include/sysemu/sysemu.h
    M include/ui/console.h
    M meson.build
    M meson_options.txt
    M qapi/audio.json
    M qemu-options.hx
    M scripts/meson-buildoptions.sh
    M softmmu/main.c
    M softmmu/vl.c
    M tests/qtest/fuzz/fuzz.c
    M ui/clipboard.c
    M ui/cocoa.m
    M ui/console.c
    M ui/trace-events
    M ui/vdagent.c

  Log Message:
  -----------
  Merge tag 'kraxel-20220926-pull-request' of https://gitlab.com/kraxel/qemu into staging

usb: make usbnet work with xhci.
audio: add sndio backend.
misc bugfixes for console, xhci, ohci, audio, ati-vga and virtio-gpu.

# gpg: Signature made Mon 26 Sep 2022 05:54:50 EDT
# gpg:                using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <kraxel@redhat.com>" [full]
# gpg:                 aka "Gerd Hoffmann <gerd@kraxel.org>" [full]
# gpg:                 aka "Gerd Hoffmann (private) <kraxel@gmail.com>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901  FE7D 4CB6 D8EE D3E8 7138

* tag 'kraxel-20220926-pull-request' of https://gitlab.com/kraxel/qemu: (25 commits)
  virtio-gpu: update scanout if there is any area covered by the rect
  hw/display/ati_2d: Fix buffer overflow in ati_2d_blt (CVE-2021-3638)
  audio: remove abort() in audio_bug()
  Revert "audio: Log context for audio bug"
  audio: Add sndio backend
  usbnet: Report link-up via interrupt endpoint in CDC-ECM mode
  usbnet: Detect short packets as sent by the xHCI controller
  usbnet: Accept mandatory USB_CDC_SET_ETHERNET_PACKET_FILTER request
  usbnet: Add missing usb_wakeup() call in usbnet_receive()
  hcd-xhci: drop operation with secondary stream arrays enabled
  usb/msd: add usb_msd_fatal_error() and fix guest-triggerable assert
  usb/msd: move usb_msd_packet_complete()
  hcd-ohci: Fix inconsistency when resetting ohci root hubs
  hcd-ohci: Drop ohci_service_iso_td() if ed->head & OHCI_DPTR_MASK is zero
  hw/usb/hcd-xhci: Check whether DMA accesses fail
  ui/console: fix three double frees in png_save()
  ui/vdagent: fix serial reset of guest agent
  ui/clipboard: reset the serial state on reset
  ui/vdagent: always reset the clipboard serial on caps
  ui/clipboard: fix serial priority
  ...

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>


Compare: https://github.com/qemu/qemu/compare/99d6b11b5b44...a500b90779b1


